Now available: The Design and Implementation of the FreeBSD Operating System (Second Edition)
[ source navigation ] [ diff markup ] [ identifier search ] [ freetext search ] [ file search ] [ list types ] [ track identifier ]
FreeBSD/Linux Kernel Cross Reference
sys/netinet6/esp_input.c
Version:
- FREEBSD - FREEBSD-13-STABLE - FREEBSD-13-0 - FREEBSD-12-STABLE - FREEBSD-12-0 - FREEBSD-11-STABLE - FREEBSD-11-0 - FREEBSD-10-STABLE - FREEBSD-10-0 - FREEBSD-9-STABLE - FREEBSD-9-0 - FREEBSD-8-STABLE - FREEBSD-8-0 - FREEBSD-7-STABLE - FREEBSD-7-0 - FREEBSD-6-STABLE - FREEBSD-6-0 - FREEBSD-5-STABLE - FREEBSD-5-0 - FREEBSD-4-STABLE - FREEBSD-3-STABLE - FREEBSD22 - l41 - OPENBSD - linux-2.6 - MK84 - PLAN9 - xnu-8792
SearchContext: - none - 3 - 10
SearchContext: - none - 3 - 10
1 /* $NetBSD: esp_input.c,v 1.47 2008/04/24 11:38:38 ad Exp $ */ 2 /* $KAME: esp_input.c,v 1.60 2001/09/04 08:43:19 itojun Exp $ */ 3 4 /* 5 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. 6 * All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 1. Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 3. Neither the name of the project nor the names of its contributors 17 * may be used to endorse or promote products derived from this software 18 * without specific prior written permission. 19 * 20 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 21 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 23 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 24 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 25 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 26 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 29 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 30 * SUCH DAMAGE. 31 */ 32 33 /* 34 * RFC1827/2406 Encapsulated Security Payload. 35 */ 36 37 #include <sys/cdefs.h> 38 __KERNEL_RCSID(0, "$NetBSD: esp_input.c,v 1.47 2008/04/24 11:38:38 ad Exp $"); 39 40 #include "opt_inet.h" 41 #include "opt_ipsec.h" 42 43 #include <sys/param.h> 44 #include <sys/systm.h> 45 #include <sys/malloc.h> 46 #include <sys/mbuf.h> 47 #include <sys/domain.h> 48 #include <sys/protosw.h> 49 #include <sys/socket.h> 50 #include <sys/errno.h> 51 #include <sys/time.h> 52 #include <sys/kernel.h> 53 #include <sys/syslog.h> 54 55 #include <net/if.h> 56 #include <net/route.h> 57 #include <net/netisr.h> 58 #include <sys/cpu.h> 59 60 #include <netinet/in.h> 61 #include <netinet/in_systm.h> 62 #include <netinet/ip.h> 63 #include <netinet/ip_var.h> 64 #include <netinet/in_var.h> 65 #include <netinet/in_proto.h> 66 #include <netinet/ip_ecn.h> 67 #include <netinet/ip_icmp.h> 68 69 #ifdef INET6 70 #include <netinet/ip6.h> 71 #include <netinet6/ip6_var.h> 72 #include <netinet/icmp6.h> 73 #include <netinet6/ip6protosw.h> 74 #endif 75 76 #include <netinet6/ipsec.h> 77 #include <netinet6/ipsec_private.h> 78 #include <netinet6/ah.h> 79 #include <netinet6/esp.h> 80 #include <netkey/key.h> 81 #include <netkey/keydb.h> 82 #include <netkey/key_debug.h> 83 84 #include <machine/stdarg.h> 85 86 #include <net/net_osdep.h> 87 88 /*#define IPLEN_FLIPPED*/ 89 90 #define ESPMAXLEN \ 91 (sizeof(struct esp) < sizeof(struct newesp) \ 92 ? sizeof(struct newesp) : sizeof(struct esp)) 93 94 #ifdef INET 95 void 96 esp4_init(void) 97 { 98 99 ipsec4_init(); 100 } 101 102 void 103 #if __STDC__ 104 esp4_input(struct mbuf *m, ...) 105 #else 106 esp4_input(m, va_alist) 107 struct mbuf *m; 108 va_dcl 109 #endif 110 { 111 struct ip *ip; 112 struct esp *esp; 113 struct esptail esptail; 114 u_int32_t spi; 115 struct secasvar *sav = NULL; 116 size_t taillen; 117 u_int16_t nxt; 118 const struct esp_algorithm *algo; 119 int ivlen; 120 size_t hlen; 121 size_t esplen; 122 int s; 123 va_list ap; 124 int off; 125 u_int16_t sport = 0; 126 u_int16_t dport = 0; 127 #ifdef IPSEC_NAT_T 128 struct m_tag *tag = NULL; 129 #endif 130 131 va_start(ap, m); 132 off = va_arg(ap, int); 133 (void)va_arg(ap, int); /* ignore value, advance ap */ 134 va_end(ap); 135 136 /* sanity check for alignment. */ 137 if (off % 4 != 0 || m->m_pkthdr.len % 4 != 0) { 138 ipseclog((LOG_ERR, "IPv4 ESP input: packet alignment problem " 139 "(off=%d, pktlen=%d)\n", off, m->m_pkthdr.len)); 140 IPSEC_STATINC(IPSEC_STAT_IN_INVAL); 141 goto bad; 142 } 143 144 if (m->m_len < off + ESPMAXLEN) { 145 m = m_pullup(m, off + ESPMAXLEN); 146 if (!m) { 147 ipseclog((LOG_DEBUG, 148 "IPv4 ESP input: can't pullup in esp4_input\n")); 149 IPSEC_STATINC(IPSEC_STAT_IN_INVAL); 150 goto bad; 151 } 152 } 153 154 #ifdef IPSEC_NAT_T 155 /* find the source port for NAT_T */ 156 if ((tag = m_tag_find(m, PACKET_TAG_IPSEC_NAT_T_PORTS, NULL)) != NULL) { 157 sport = ((u_int16_t *)(tag + 1))[0]; 158 dport = ((u_int16_t *)(tag + 1))[1]; 159 } 160 #endif 161 162 ip = mtod(m, struct ip *); 163 esp = (struct esp *)(((u_int8_t *)ip) + off); 164 hlen = ip->ip_hl << 2; 165 166 /* find the sassoc. */ 167 spi = esp->esp_spi; 168 169 if ((sav = key_allocsa(AF_INET, 170 (void *)&ip->ip_src, (void *)&ip->ip_dst, 171 IPPROTO_ESP, spi, sport, dport)) == 0) { 172 ipseclog((LOG_WARNING, 173 "IPv4 ESP input: no key association found for spi %u\n", 174 (u_int32_t)ntohl(spi))); 175 IPSEC_STATINC(IPSEC_STAT_IN_NOSA); 176 goto bad; 177 } 178 KEYDEBUG(KEYDEBUG_IPSEC_STAMP, 179 printf("DP esp4_input called to allocate SA:%p\n", sav)); 180 if (sav->state != SADB_SASTATE_MATURE && 181 sav->state != SADB_SASTATE_DYING) { 182 ipseclog((LOG_DEBUG, 183 "IPv4 ESP input: non-mature/dying SA found for spi %u\n", 184 (u_int32_t)ntohl(spi))); 185 IPSEC_STATINC(IPSEC_STAT_IN_BADSPI); 186 goto bad; 187 } 188 algo = esp_algorithm_lookup(sav->alg_enc); 189 if (!algo) { 190 ipseclog((LOG_DEBUG, "IPv4 ESP input: " 191 "unsupported encryption algorithm for spi %u\n", 192 (u_int32_t)ntohl(spi))); 193 IPSEC_STATINC(IPSEC_STAT_IN_BADSPI); 194 goto bad; 195 } 196 197 /* check if we have proper ivlen information */ 198 ivlen = sav->ivlen; 199 if (ivlen < 0) { 200 ipseclog((LOG_ERR, "inproper ivlen in IPv4 ESP input: %s %s\n", 201 ipsec4_logpacketstr(ip, spi), ipsec_logsastr(sav))); 202 IPSEC_STATINC(IPSEC_STAT_IN_INVAL); 203 goto bad; 204 } 205 206 if (!((sav->flags & SADB_X_EXT_OLD) == 0 && sav->replay && 207 sav->alg_auth && sav->key_auth)) 208 goto noreplaycheck; 209 210 if (sav->alg_auth == SADB_X_AALG_NULL || 211 sav->alg_auth == SADB_AALG_NONE) 212 goto noreplaycheck; 213 214 /* 215 * check for sequence number. 216 */ 217 if (ipsec_chkreplay(ntohl(((struct newesp *)esp)->esp_seq), sav)) 218 ; /* okey */ 219 else { 220 IPSEC_STATINC(IPSEC_STAT_IN_ESPREPLAY); 221 ipseclog((LOG_WARNING, 222 "replay packet in IPv4 ESP input: %s %s\n", 223 ipsec4_logpacketstr(ip, spi), ipsec_logsastr(sav))); 224 goto bad; 225 } 226 227 /* check ICV */ 228 { 229 u_int8_t sum0[AH_MAXSUMSIZE]; 230 u_int8_t sum[AH_MAXSUMSIZE]; 231 const struct ah_algorithm *sumalgo; 232 size_t siz; 233 234 sumalgo = ah_algorithm_lookup(sav->alg_auth); 235 if (!sumalgo) 236 goto noreplaycheck; 237 siz = (((*sumalgo->sumsiz)(sav) + 3) & ~(4 - 1)); 238 if (m->m_pkthdr.len < off + ESPMAXLEN + siz) { 239 IPSEC_STATINC(IPSEC_STAT_IN_INVAL); 240 goto bad; 241 } 242 if (AH_MAXSUMSIZE < siz) { 243 ipseclog((LOG_DEBUG, 244 "internal error: AH_MAXSUMSIZE must be larger than %lu\n", 245 (u_long)siz)); 246 IPSEC_STATINC(IPSEC_STAT_IN_INVAL); 247 goto bad; 248 } 249 250 m_copydata(m, m->m_pkthdr.len - siz, siz, (void *)&sum0[0]); 251 252 if (esp_auth(m, off, m->m_pkthdr.len - off - siz, sav, sum)) { 253 ipseclog((LOG_WARNING, "auth fail in IPv4 ESP input: %s %s\n", 254 ipsec4_logpacketstr(ip, spi), ipsec_logsastr(sav))); 255 IPSEC_STATINC(IPSEC_STAT_IN_ESPAUTHFAIL); 256 goto bad; 257 } 258 259 if (bcmp(sum0, sum, siz) != 0) { 260 ipseclog((LOG_WARNING, "auth fail in IPv4 ESP input: %s %s\n", 261 ipsec4_logpacketstr(ip, spi), ipsec_logsastr(sav))); 262 IPSEC_STATINC(IPSEC_STAT_IN_ESPAUTHFAIL); 263 goto bad; 264 } 265 266 /* strip off the authentication data */ 267 m_adj(m, -siz); 268 ip = mtod(m, struct ip *); 269 #ifdef IPLEN_FLIPPED 270 ip->ip_len = ip->ip_len - siz; 271 #else 272 ip->ip_len = htons(ntohs(ip->ip_len) - siz); 273 #endif 274 m->m_flags |= M_AUTHIPDGM; 275 IPSEC_STATINC(IPSEC_STAT_IN_ESPAUTHSUCC); 276 } 277 278 /* 279 * update sequence number. 280 */ 281 if ((sav->flags & SADB_X_EXT_OLD) == 0 && sav->replay) { 282 if (ipsec_updatereplay(ntohl(((struct newesp *)esp)->esp_seq), sav)) { 283 IPSEC_STATINC(IPSEC_STAT_IN_ESPREPLAY); 284 goto bad; 285 } 286 } 287 288 noreplaycheck: 289 290 /* process main esp header. */ 291 if (sav->flags & SADB_X_EXT_OLD) { 292 /* RFC 1827 */ 293 esplen = sizeof(struct esp); 294 } else { 295 /* RFC 2406 */ 296 if (sav->flags & SADB_X_EXT_DERIV) 297 esplen = sizeof(struct esp); 298 else 299 esplen = sizeof(struct newesp); 300 } 301 302 if (m->m_pkthdr.len < off + esplen + ivlen + sizeof(esptail)) { 303 ipseclog((LOG_WARNING, 304 "IPv4 ESP input: packet too short\n")); 305 IPSEC_STATINC(IPSEC_STAT_IN_INVAL); 306 goto bad; 307 } 308 309 if (m->m_len < off + esplen + ivlen) { 310 m = m_pullup(m, off + esplen + ivlen); 311 if (!m) { 312 ipseclog((LOG_DEBUG, 313 "IPv4 ESP input: can't pullup in esp4_input\n")); 314 IPSEC_STATINC(IPSEC_STAT_IN_INVAL); 315 goto bad; 316 } 317 } 318 319 /* 320 * pre-compute and cache intermediate key 321 */ 322 if (esp_schedule(algo, sav) != 0) { 323 IPSEC_STATINC(IPSEC_STAT_IN_INVAL); 324 goto bad; 325 } 326 327 /* 328 * decrypt the packet. 329 */ 330 if (!algo->decrypt) 331 panic("internal error: no decrypt function"); 332 if ((*algo->decrypt)(m, off, sav, algo, ivlen)) { 333 /* m is already freed */ 334 m = NULL; 335 ipseclog((LOG_ERR, "decrypt fail in IPv4 ESP input: %s\n", 336 ipsec_logsastr(sav))); 337 IPSEC_STATINC(IPSEC_STAT_IN_INVAL); 338 goto bad; 339 } 340 IPSEC_STATINC(IPSEC_STAT_IN_ESPHIST + sav->alg_enc); 341 342 m->m_flags |= M_DECRYPTED; 343 344 /* 345 * find the trailer of the ESP. 346 */ 347 m_copydata(m, m->m_pkthdr.len - sizeof(esptail), sizeof(esptail), 348 (void *)&esptail); 349 nxt = esptail.esp_nxt; 350 taillen = esptail.esp_padlen + sizeof(esptail); 351 352 if (m->m_pkthdr.len < taillen || 353 m->m_pkthdr.len - taillen < off + esplen + ivlen + sizeof(esptail)) { 354 ipseclog((LOG_WARNING, 355 "bad pad length in IPv4 ESP input: %s %s\n", 356 ipsec4_logpacketstr(ip, spi), ipsec_logsastr(sav))); 357 IPSEC_STATINC(IPSEC_STAT_IN_INVAL); 358 goto bad; 359 } 360 361 /* strip off the trailing pad area. */ 362 m_adj(m, -taillen); 363 364 #ifdef IPLEN_FLIPPED 365 ip->ip_len = ip->ip_len - taillen; 366 #else 367 ip->ip_len = htons(ntohs(ip->ip_len) - taillen); 368 #endif 369 370 /* was it transmitted over the IPsec tunnel SA? */ 371 if (ipsec4_tunnel_validate(ip, nxt, sav)) { 372 /* 373 * strip off all the headers that precedes ESP header. 374 * IP4 xx ESP IP4' payload -> IP4' payload 375 * 376 * XXX more sanity checks 377 * XXX relationship with gif? 378 */ 379 u_int8_t tos; 380 381 tos = ip->ip_tos; 382 m_adj(m, off + esplen + ivlen); 383 if (m->m_len < sizeof(*ip)) { 384 m = m_pullup(m, sizeof(*ip)); 385 if (!m) { 386 IPSEC_STATINC(IPSEC_STAT_IN_INVAL); 387 goto bad; 388 } 389 } 390 ip = mtod(m, struct ip *); 391 /* ECN consideration. */ 392 ip_ecn_egress(ip4_ipsec_ecn, &tos, &ip->ip_tos); 393 if (!key_checktunnelsanity(sav, AF_INET, 394 (void *)&ip->ip_src, (void *)&ip->ip_dst)) { 395 ipseclog((LOG_ERR, "ipsec tunnel address mismatch " 396 "in IPv4 ESP input: %s %s\n", 397 ipsec4_logpacketstr(ip, spi), ipsec_logsastr(sav))); 398 IPSEC_STATINC(IPSEC_STAT_IN_INVAL); 399 goto bad; 400 } 401 402 key_sa_recordxfer(sav, m); 403 if (ipsec_addhist(m, IPPROTO_ESP, spi) != 0 || 404 ipsec_addhist(m, IPPROTO_IPV4, 0) != 0) { 405 IPSEC_STATINC(IPSEC_STAT_IN_NOMEM); 406 goto bad; 407 } 408 409 s = splnet(); 410 if (IF_QFULL(&ipintrq)) { 411 IPSEC_STATINC(IPSEC_STAT_IN_INVAL); 412 splx(s); 413 goto bad; 414 } 415 IF_ENQUEUE(&ipintrq, m); 416 m = NULL; 417 schednetisr(NETISR_IP); /* can be skipped but to make sure */ 418 splx(s); 419 nxt = IPPROTO_DONE; 420 } else { 421 /* 422 * strip off ESP header and IV. 423 * even in m_pulldown case, we need to strip off ESP so that 424 * we can always compute checksum for AH correctly. 425 */ 426 size_t stripsiz; 427 428 stripsiz = esplen + ivlen; 429 430 ip = mtod(m, struct ip *); 431 ovbcopy((void *)ip, (void *)(((u_char *)ip) + stripsiz), off); 432 m->m_data += stripsiz; 433 m->m_len -= stripsiz; 434 m->m_pkthdr.len -= stripsiz; 435 436 ip = mtod(m, struct ip *); 437 #ifdef IPLEN_FLIPPED 438 ip->ip_len = ip->ip_len - stripsiz; 439 #else 440 ip->ip_len = htons(ntohs(ip->ip_len) - stripsiz); 441 #endif 442 ip->ip_p = nxt; 443 444 key_sa_recordxfer(sav, m); 445 if (ipsec_addhist(m, IPPROTO_ESP, spi) != 0) { 446 IPSEC_STATINC(IPSEC_STAT_IN_NOMEM); 447 goto bad; 448 } 449 450 if (nxt != IPPROTO_DONE) { 451 if ((inetsw[ip_protox[nxt]].pr_flags & PR_LASTHDR) != 0 && 452 ipsec4_in_reject(m, NULL)) { 453 IPSEC_STATINC(IPSEC_STAT_IN_POLVIO); 454 goto bad; 455 } 456 (*inetsw[ip_protox[nxt]].pr_input)(m, off, nxt); 457 } else 458 m_freem(m); 459 m = NULL; 460 } 461 462 if (sav) { 463 KEYDEBUG(KEYDEBUG_IPSEC_STAMP, 464 printf("DP esp4_input call free SA:%p\n", sav)); 465 key_freesav(sav); 466 } 467 IPSEC_STATINC(IPSEC_STAT_IN_SUCCESS); 468 return; 469 470 bad: 471 if (sav) { 472 KEYDEBUG(KEYDEBUG_IPSEC_STAMP, 473 printf("DP esp4_input call free SA:%p\n", sav)); 474 key_freesav(sav); 475 } 476 if (m) 477 m_freem(m); 478 return; 479 } 480 481 /* assumes that ip header and esp header are contiguous on mbuf */ 482 void * 483 esp4_ctlinput(int cmd, const struct sockaddr *sa, void *v) 484 { 485 struct ip *ip = v; 486 struct esp *esp; 487 struct icmp *icp; 488 struct secasvar *sav; 489 490 if (sa->sa_family != AF_INET || 491 sa->sa_len != sizeof(struct sockaddr_in)) 492 return NULL; 493 if ((unsigned)cmd >= PRC_NCMDS) 494 return NULL; 495 if (cmd == PRC_MSGSIZE && ip_mtudisc && ip && ip->ip_v == 4) { 496 /* 497 * Check to see if we have a valid SA corresponding to 498 * the address in the ICMP message payload. 499 */ 500 esp = (struct esp *)((char *)ip + (ip->ip_hl << 2)); 501 if ((sav = key_allocsa(AF_INET, 502 (void *) &ip->ip_src, 503 (void *) &ip->ip_dst, 504 IPPROTO_ESP, esp->esp_spi, 505 0, 0)) == NULL) 506 return NULL; 507 if (sav->state != SADB_SASTATE_MATURE && 508 sav->state != SADB_SASTATE_DYING) { 509 key_freesav(sav); 510 return NULL; 511 } 512 513 /* XXX Further validation? */ 514 515 key_freesav(sav); 516 517 /* 518 * Now that we've validated that we are actually communicating 519 * with the host indicated in the ICMP message, locate the 520 * ICMP header, recalculate the new MTU, and create the 521 * corresponding routing entry. 522 */ 523 icp = (struct icmp *)((char *)ip - 524 offsetof(struct icmp, icmp_ip)); 525 icmp_mtudisc(icp, ip->ip_dst); 526 527 return NULL; 528 } 529 530 return NULL; 531 } 532 533 #endif /* INET */ 534 535 #ifdef INET6 536 void 537 esp6_init(void) 538 { 539 540 ipsec6_init(); 541 } 542 543 int 544 esp6_input(struct mbuf **mp, int *offp, int proto) 545 { 546 struct mbuf *m = *mp; 547 int off = *offp; 548 struct ip6_hdr *ip6; 549 struct esp *esp; 550 struct esptail esptail; 551 u_int32_t spi; 552 struct secasvar *sav = NULL; 553 size_t taillen; 554 u_int16_t nxt; 555 const struct esp_algorithm *algo; 556 int ivlen; 557 size_t esplen; 558 int s; 559 560 /* sanity check for alignment. */ 561 if (off % 4 != 0 || m->m_pkthdr.len % 4 != 0) { 562 ipseclog((LOG_ERR, "IPv6 ESP input: packet alignment problem " 563 "(off=%d, pktlen=%d)\n", off, m->m_pkthdr.len)); 564 IPSEC6_STATINC(IPSEC_STAT_IN_INVAL); 565 goto bad; 566 } 567 568 IP6_EXTHDR_GET(esp, struct esp *, m, off, ESPMAXLEN); 569 if (esp == NULL) { 570 IPSEC6_STATINC(IPSEC_STAT_IN_INVAL); 571 return IPPROTO_DONE; 572 } 573 ip6 = mtod(m, struct ip6_hdr *); 574 575 if (ntohs(ip6->ip6_plen) == 0) { 576 ipseclog((LOG_ERR, "IPv6 ESP input: " 577 "ESP with IPv6 jumbogram is not supported.\n")); 578 IPSEC6_STATINC(IPSEC_STAT_IN_INVAL); 579 goto bad; 580 } 581 582 /* find the sassoc. */ 583 spi = esp->esp_spi; 584 585 if ((sav = key_allocsa(AF_INET6, 586 (void *)&ip6->ip6_src, (void *)&ip6->ip6_dst, 587 IPPROTO_ESP, spi, 0, 0)) == 0) { 588 ipseclog((LOG_WARNING, 589 "IPv6 ESP input: no key association found for spi %u\n", 590 (u_int32_t)ntohl(spi))); 591 IPSEC6_STATINC(IPSEC_STAT_IN_NOSA); 592 goto bad; 593 } 594 KEYDEBUG(KEYDEBUG_IPSEC_STAMP, 595 printf("DP esp6_input called to allocate SA:%p\n", sav)); 596 if (sav->state != SADB_SASTATE_MATURE && 597 sav->state != SADB_SASTATE_DYING) { 598 ipseclog((LOG_DEBUG, 599 "IPv6 ESP input: non-mature/dying SA found for spi %u\n", 600 (u_int32_t)ntohl(spi))); 601 IPSEC6_STATINC(IPSEC_STAT_IN_BADSPI); 602 goto bad; 603 } 604 algo = esp_algorithm_lookup(sav->alg_enc); 605 if (!algo) { 606 ipseclog((LOG_DEBUG, "IPv6 ESP input: " 607 "unsupported encryption algorithm for spi %u\n", 608 (u_int32_t)ntohl(spi))); 609 IPSEC6_STATINC(IPSEC_STAT_IN_BADSPI); 610 goto bad; 611 } 612 613 /* check if we have proper ivlen information */ 614 ivlen = sav->ivlen; 615 if (ivlen < 0) { 616 ipseclog((LOG_ERR, "inproper ivlen in IPv6 ESP input: %s %s\n", 617 ipsec6_logpacketstr(ip6, spi), ipsec_logsastr(sav))); 618 IPSEC6_STATINC(IPSEC_STAT_IN_BADSPI); 619 goto bad; 620 } 621 622 if (!((sav->flags & SADB_X_EXT_OLD) == 0 && sav->replay && 623 sav->alg_auth && sav->key_auth)) 624 goto noreplaycheck; 625 626 if (sav->alg_auth == SADB_X_AALG_NULL || 627 sav->alg_auth == SADB_AALG_NONE) 628 goto noreplaycheck; 629 630 /* 631 * check for sequence number. 632 */ 633 if (ipsec_chkreplay(ntohl(((struct newesp *)esp)->esp_seq), sav)) 634 ; /* okey */ 635 else { 636 IPSEC6_STATINC(IPSEC_STAT_IN_ESPREPLAY); 637 ipseclog((LOG_WARNING, 638 "replay packet in IPv6 ESP input: %s %s\n", 639 ipsec6_logpacketstr(ip6, spi), ipsec_logsastr(sav))); 640 goto bad; 641 } 642 643 /* check ICV */ 644 { 645 u_char sum0[AH_MAXSUMSIZE]; 646 u_char sum[AH_MAXSUMSIZE]; 647 const struct ah_algorithm *sumalgo; 648 size_t siz; 649 650 sumalgo = ah_algorithm_lookup(sav->alg_auth); 651 if (!sumalgo) 652 goto noreplaycheck; 653 siz = (((*sumalgo->sumsiz)(sav) + 3) & ~(4 - 1)); 654 if (m->m_pkthdr.len < off + ESPMAXLEN + siz) { 655 IPSEC6_STATINC(IPSEC_STAT_IN_INVAL); 656 goto bad; 657 } 658 if (AH_MAXSUMSIZE < siz) { 659 ipseclog((LOG_DEBUG, 660 "internal error: AH_MAXSUMSIZE must be larger than %lu\n", 661 (u_long)siz)); 662 IPSEC6_STATINC(IPSEC_STAT_IN_INVAL); 663 goto bad; 664 } 665 666 m_copydata(m, m->m_pkthdr.len - siz, siz, (void *)&sum0[0]); 667 668 if (esp_auth(m, off, m->m_pkthdr.len - off - siz, sav, sum)) { 669 ipseclog((LOG_WARNING, "auth fail in IPv6 ESP input: %s %s\n", 670 ipsec6_logpacketstr(ip6, spi), ipsec_logsastr(sav))); 671 IPSEC6_STATINC(IPSEC_STAT_IN_ESPAUTHFAIL); 672 goto bad; 673 } 674 675 if (bcmp(sum0, sum, siz) != 0) { 676 ipseclog((LOG_WARNING, "auth fail in IPv6 ESP input: %s %s\n", 677 ipsec6_logpacketstr(ip6, spi), ipsec_logsastr(sav))); 678 IPSEC6_STATINC(IPSEC_STAT_IN_ESPAUTHFAIL); 679 goto bad; 680 } 681 682 /* strip off the authentication data */ 683 m_adj(m, -siz); 684 ip6 = mtod(m, struct ip6_hdr *); 685 ip6->ip6_plen = htons(ntohs(ip6->ip6_plen) - siz); 686 687 m->m_flags |= M_AUTHIPDGM; 688 IPSEC6_STATINC(IPSEC_STAT_IN_ESPAUTHSUCC); 689 } 690 691 /* 692 * update sequence number. 693 */ 694 if ((sav->flags & SADB_X_EXT_OLD) == 0 && sav->replay) { 695 if (ipsec_updatereplay(ntohl(((struct newesp *)esp)->esp_seq), sav)) { 696 IPSEC6_STATINC(IPSEC_STAT_IN_ESPREPLAY); 697 goto bad; 698 } 699 } 700 701 noreplaycheck: 702 703 /* process main esp header. */ 704 if (sav->flags & SADB_X_EXT_OLD) { 705 /* RFC 1827 */ 706 esplen = sizeof(struct esp); 707 } else { 708 /* RFC 2406 */ 709 if (sav->flags & SADB_X_EXT_DERIV) 710 esplen = sizeof(struct esp); 711 else 712 esplen = sizeof(struct newesp); 713 } 714 715 if (m->m_pkthdr.len < off + esplen + ivlen + sizeof(esptail)) { 716 ipseclog((LOG_WARNING, 717 "IPv6 ESP input: packet too short\n")); 718 IPSEC6_STATINC(IPSEC_STAT_IN_INVAL); 719 goto bad; 720 } 721 722 IP6_EXTHDR_GET(esp, struct esp *, m, off, esplen + ivlen); 723 if (esp == NULL) { 724 IPSEC6_STATINC(IPSEC_STAT_IN_INVAL); 725 m = NULL; 726 goto bad; 727 } 728 ip6 = mtod(m, struct ip6_hdr *); /* set it again just in case */ 729 730 /* 731 * pre-compute and cache intermediate key 732 */ 733 if (esp_schedule(algo, sav) != 0) { 734 IPSEC6_STATINC(IPSEC_STAT_IN_INVAL); 735 goto bad; 736 } 737 738 /* 739 * decrypt the packet. 740 */ 741 if (!algo->decrypt) 742 panic("internal error: no decrypt function"); 743 if ((*algo->decrypt)(m, off, sav, algo, ivlen)) { 744 /* m is already freed */ 745 m = NULL; 746 ipseclog((LOG_ERR, "decrypt fail in IPv6 ESP input: %s\n", 747 ipsec_logsastr(sav))); 748 IPSEC6_STATINC(IPSEC_STAT_IN_INVAL); 749 goto bad; 750 } 751 IPSEC6_STATINC(IPSEC_STAT_IN_ESPHIST + sav->alg_enc); 752 753 m->m_flags |= M_DECRYPTED; 754 755 /* 756 * find the trailer of the ESP. 757 */ 758 m_copydata(m, m->m_pkthdr.len - sizeof(esptail), sizeof(esptail), 759 (void *)&esptail); 760 nxt = esptail.esp_nxt; 761 taillen = esptail.esp_padlen + sizeof(esptail); 762 763 if (m->m_pkthdr.len < taillen 764 || m->m_pkthdr.len - taillen < sizeof(struct ip6_hdr)) { /* ? */ 765 ipseclog((LOG_WARNING, 766 "bad pad length in IPv6 ESP input: %s %s\n", 767 ipsec6_logpacketstr(ip6, spi), ipsec_logsastr(sav))); 768 IPSEC6_STATINC(IPSEC_STAT_IN_INVAL); 769 goto bad; 770 } 771 772 /* strip off the trailing pad area. */ 773 m_adj(m, -taillen); 774 775 ip6->ip6_plen = htons(ntohs(ip6->ip6_plen) - taillen); 776 777 /* was it transmitted over the IPsec tunnel SA? */ 778 if (ipsec6_tunnel_validate(ip6, nxt, sav)) { 779 /* 780 * strip off all the headers that precedes ESP header. 781 * IP6 xx ESP IP6' payload -> IP6' payload 782 * 783 * XXX more sanity checks 784 * XXX relationship with gif? 785 */ 786 u_int32_t flowinfo; /* net endian */ 787 flowinfo = ip6->ip6_flow; 788 m_adj(m, off + esplen + ivlen); 789 if (m->m_len < sizeof(*ip6)) { 790 m = m_pullup(m, sizeof(*ip6)); 791 if (!m) { 792 IPSEC6_STATINC(IPSEC_STAT_IN_INVAL); 793 goto bad; 794 } 795 } 796 ip6 = mtod(m, struct ip6_hdr *); 797 /* ECN consideration. */ 798 ip6_ecn_egress(ip6_ipsec_ecn, &flowinfo, &ip6->ip6_flow); 799 if (!key_checktunnelsanity(sav, AF_INET6, 800 (void *)&ip6->ip6_src, (void *)&ip6->ip6_dst)) { 801 ipseclog((LOG_ERR, "ipsec tunnel address mismatch " 802 "in IPv6 ESP input: %s %s\n", 803 ipsec6_logpacketstr(ip6, spi), 804 ipsec_logsastr(sav))); 805 IPSEC6_STATINC(IPSEC_STAT_IN_INVAL); 806 goto bad; 807 } 808 809 key_sa_recordxfer(sav, m); 810 if (ipsec_addhist(m, IPPROTO_ESP, spi) != 0 || 811 ipsec_addhist(m, IPPROTO_IPV6, 0) != 0) { 812 IPSEC6_STATINC(IPSEC_STAT_IN_NOMEM); 813 goto bad; 814 } 815 816 s = splnet(); 817 if (IF_QFULL(&ip6intrq)) { 818 IPSEC6_STATINC(IPSEC_STAT_IN_INVAL); 819 splx(s); 820 goto bad; 821 } 822 IF_ENQUEUE(&ip6intrq, m); 823 m = NULL; 824 schednetisr(NETISR_IPV6); /* can be skipped but to make sure */ 825 splx(s); 826 nxt = IPPROTO_DONE; 827 } else { 828 /* 829 * strip off ESP header and IV. 830 * even in m_pulldown case, we need to strip off ESP so that 831 * we can always compute checksum for AH correctly. 832 */ 833 size_t stripsiz; 834 u_int8_t *prvnxtp; 835 836 /* 837 * Set the next header field of the previous header correctly. 838 */ 839 prvnxtp = ip6_get_prevhdr(m, off); /* XXX */ 840 *prvnxtp = nxt; 841 842 stripsiz = esplen + ivlen; 843 844 ip6 = mtod(m, struct ip6_hdr *); 845 if (m->m_len >= stripsiz + off) { 846 (void)memmove((char *)ip6 + stripsiz, ip6, off); 847 m->m_data += stripsiz; 848 m->m_len -= stripsiz; 849 m->m_pkthdr.len -= stripsiz; 850 } else { 851 /* 852 * this comes with no copy if the boundary is on 853 * cluster 854 */ 855 struct mbuf *n; 856 857 n = m_split(m, off, M_DONTWAIT); 858 if (n == NULL) { 859 /* m is retained by m_split */ 860 goto bad; 861 } 862 m_adj(n, stripsiz); 863 /* m_cat does not update m_pkthdr.len */ 864 m->m_pkthdr.len += n->m_pkthdr.len; 865 m_cat(m, n); 866 } 867 868 ip6 = mtod(m, struct ip6_hdr *); 869 ip6->ip6_plen = htons(ntohs(ip6->ip6_plen) - stripsiz); 870 871 key_sa_recordxfer(sav, m); 872 if (ipsec_addhist(m, IPPROTO_ESP, spi) != 0) { 873 IPSEC6_STATINC(IPSEC_STAT_IN_NOMEM); 874 goto bad; 875 } 876 } 877 878 *offp = off; 879 *mp = m; 880 881 if (sav) { 882 KEYDEBUG(KEYDEBUG_IPSEC_STAMP, 883 printf("DP esp6_input call free SA:%p\n", sav)); 884 key_freesav(sav); 885 } 886 IPSEC6_STATINC(IPSEC_STAT_IN_SUCCESS); 887 return nxt; 888 889 bad: 890 if (sav) { 891 KEYDEBUG(KEYDEBUG_IPSEC_STAMP, 892 printf("DP esp6_input call free SA:%p\n", sav)); 893 key_freesav(sav); 894 } 895 if (m) 896 m_freem(m); 897 return IPPROTO_DONE; 898 } 899 900 void * 901 esp6_ctlinput(int cmd, const struct sockaddr *sa, void *d) 902 { 903 const struct newesp *espp; 904 struct newesp esp; 905 struct ip6ctlparam *ip6cp = NULL, ip6cp1; 906 struct secasvar *sav; 907 struct ip6_hdr *ip6; 908 struct mbuf *m; 909 int off; 910 const struct sockaddr_in6 *sa6_src, *sa6_dst; 911 912 if (sa->sa_family != AF_INET6 || 913 sa->sa_len != sizeof(struct sockaddr_in6)) 914 return NULL; 915 if ((unsigned)cmd >= PRC_NCMDS) 916 return NULL; 917 918 /* if the parameter is from icmp6, decode it. */ 919 if (d != NULL) { 920 ip6cp = (struct ip6ctlparam *)d; 921 m = ip6cp->ip6c_m; 922 ip6 = ip6cp->ip6c_ip6; 923 off = ip6cp->ip6c_off; 924 } else { 925 m = NULL; 926 ip6 = NULL; 927 off = 0; 928 } 929 930 if (ip6) { 931 /* 932 * Notify the error to all possible sockets via pfctlinput2. 933 * Since the upper layer information (such as protocol type, 934 * source and destination ports) is embedded in the encrypted 935 * data and might have been cut, we can't directly call 936 * an upper layer ctlinput function. However, the pcbnotify 937 * function will consider source and destination addresses 938 * as well as the flow info value, and may be able to find 939 * some PCB that should be notified. 940 * Although pfctlinput2 will call esp6_ctlinput(), there is 941 * no possibility of an infinite loop of function calls, 942 * because we don't pass the inner IPv6 header. 943 */ 944 bzero(&ip6cp1, sizeof(ip6cp1)); 945 ip6cp1.ip6c_src = ip6cp->ip6c_src; 946 pfctlinput2(cmd, sa, (void *)&ip6cp1); 947 948 /* 949 * Then go to special cases that need ESP header information. 950 * XXX: We assume that when ip6 is non NULL, 951 * M and OFF are valid. 952 */ 953 954 /* check if we can safely examine src and dst ports */ 955 if (m->m_pkthdr.len < off + sizeof(esp)) 956 return NULL; 957 958 if (m->m_len < off + sizeof(esp)) { 959 /* 960 * this should be rare case, 961 * so we compromise on this copy... 962 */ 963 m_copydata(m, off, sizeof(esp), (void *)&esp); 964 espp = &esp; 965 } else 966 espp = (struct newesp*)(mtod(m, char *) + off); 967 968 if (cmd == PRC_MSGSIZE) { 969 int valid = 0; 970 971 /* 972 * Check to see if we have a valid SA corresponding to 973 * the address in the ICMP message payload. 974 */ 975 sa6_src = ip6cp->ip6c_src; 976 sa6_dst = (const struct sockaddr_in6 *)sa; 977 sav = key_allocsa(AF_INET6, 978 (const void *)&sa6_src->sin6_addr, 979 (const void *)&sa6_dst->sin6_addr, 980 IPPROTO_ESP, espp->esp_spi, 0, 0); 981 if (sav) { 982 if (sav->state == SADB_SASTATE_MATURE || 983 sav->state == SADB_SASTATE_DYING) 984 valid++; 985 key_freesav(sav); 986 } 987 988 /* XXX Further validation? */ 989 990 /* 991 * Depending on the value of "valid" and routing table 992 * size (mtudisc_{hi,lo}wat), we will: 993 * - recalcurate the new MTU and create the 994 * corresponding routing entry, or 995 * - ignore the MTU change notification. 996 */ 997 icmp6_mtudisc_update((struct ip6ctlparam *)d, valid); 998 } 999 } else { 1000 /* we normally notify any pcb here */ 1001 } 1002 1003 return NULL; 1004 } 1005 #endif /* INET6 */
Cache object: 54f76b0ee40c3ca57844edc377e8ac92
[ source navigation ] [ diff markup ] [ identifier search ] [ freetext search ] [ file search ] [ list types ] [ track identifier ]