1 /* $OpenBSD: ipsec_input.c,v 1.63 2003/02/20 18:35:43 deraadt Exp $ */
2 /*-
3 * The authors of this code are John Ioannidis (ji@tla.org),
4 * Angelos D. Keromytis (kermit@csd.uch.gr) and
5 * Niels Provos (provos@physnet.uni-hamburg.de).
6 *
7 * This code was written by John Ioannidis for BSD/OS in Athens, Greece,
8 * in November 1995.
9 *
10 * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996,
11 * by Angelos D. Keromytis.
12 *
13 * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis
14 * and Niels Provos.
15 *
16 * Additional features in 1999 by Angelos D. Keromytis.
17 *
18 * Copyright (C) 1995, 1996, 1997, 1998, 1999 by John Ioannidis,
19 * Angelos D. Keromytis and Niels Provos.
20 * Copyright (c) 2001, Angelos D. Keromytis.
21 * Copyright (c) 2016 Andrey V. Elsukov <ae@FreeBSD.org>
22 *
23 * Permission to use, copy, and modify this software with or without fee
24 * is hereby granted, provided that this entire notice is included in
25 * all copies of any software which is or includes a copy or
26 * modification of this software.
27 * You may use this code under the GNU public license if you so wish. Please
28 * contribute changes back to the authors under this freer than GPL license
29 * so that we may further the use of strong encryption without limitations to
30 * all.
31 *
32 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
33 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY
34 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
35 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
36 * PURPOSE.
37 */
38
39 /*
40 * IPsec input processing.
41 */
42
43 #include <sys/cdefs.h>
44 __FBSDID("$FreeBSD: releng/11.2/sys/netipsec/ipsec_input.c 322741 2017-08-21 09:03:20Z ae $");
45
46 #include "opt_inet.h"
47 #include "opt_inet6.h"
48 #include "opt_ipsec.h"
49
50 #include <sys/param.h>
51 #include <sys/systm.h>
52 #include <sys/malloc.h>
53 #include <sys/mbuf.h>
54 #include <sys/domain.h>
55 #include <sys/protosw.h>
56 #include <sys/socket.h>
57 #include <sys/errno.h>
58 #include <sys/hhook.h>
59 #include <sys/syslog.h>
60
61 #include <net/if.h>
62 #include <net/if_var.h>
63 #include <net/if_enc.h>
64 #include <net/netisr.h>
65 #include <net/vnet.h>
66
67 #include <netinet/in.h>
68 #include <netinet/in_systm.h>
69 #include <netinet/ip.h>
70 #include <netinet/ip_var.h>
71 #include <netinet/in_var.h>
72
73 #include <netinet/ip6.h>
74 #ifdef INET6
75 #include <netinet6/ip6_var.h>
76 #endif
77 #include <netinet/in_pcb.h>
78 #ifdef INET6
79 #include <netinet/icmp6.h>
80 #endif
81
82 #include <netipsec/ipsec.h>
83 #ifdef INET6
84 #include <netipsec/ipsec6.h>
85 #endif
86 #include <netipsec/ah_var.h>
87 #include <netipsec/esp.h>
88 #include <netipsec/esp_var.h>
89 #include <netipsec/ipcomp_var.h>
90
91 #include <netipsec/key.h>
92 #include <netipsec/keydb.h>
93 #include <netipsec/key_debug.h>
94
95 #include <netipsec/xform.h>
96 #include <netinet6/ip6protosw.h>
97
98 #include <machine/in_cksum.h>
99 #include <machine/stdarg.h>
100
101
102 #define IPSEC_ISTAT(proto, name) do { \
103 if ((proto) == IPPROTO_ESP) \
104 ESPSTAT_INC(esps_##name); \
105 else if ((proto) == IPPROTO_AH) \
106 AHSTAT_INC(ahs_##name); \
107 else \
108 IPCOMPSTAT_INC(ipcomps_##name); \
109 } while (0)
110
111 /*
112 * ipsec_common_input gets called when an IPsec-protected packet
113 * is received by IPv4 or IPv6. Its job is to find the right SA
114 * and call the appropriate transform. The transform callback
115 * takes care of further processing (like ingress filtering).
116 */
117 static int
118 ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto)
119 {
120 IPSEC_DEBUG_DECLARE(char buf[IPSEC_ADDRSTRLEN]);
121 union sockaddr_union dst_address;
122 struct secasvar *sav;
123 uint32_t spi;
124 int error;
125
126 IPSEC_ISTAT(sproto, input);
127
128 IPSEC_ASSERT(m != NULL, ("null packet"));
129
130 IPSEC_ASSERT(sproto == IPPROTO_ESP || sproto == IPPROTO_AH ||
131 sproto == IPPROTO_IPCOMP,
132 ("unexpected security protocol %u", sproto));
133
134 if ((sproto == IPPROTO_ESP && !V_esp_enable) ||
135 (sproto == IPPROTO_AH && !V_ah_enable) ||
136 (sproto == IPPROTO_IPCOMP && !V_ipcomp_enable)) {
137 m_freem(m);
138 IPSEC_ISTAT(sproto, pdrops);
139 return EOPNOTSUPP;
140 }
141
142 if (m->m_pkthdr.len - skip < 2 * sizeof (u_int32_t)) {
143 m_freem(m);
144 IPSEC_ISTAT(sproto, hdrops);
145 DPRINTF(("%s: packet too small\n", __func__));
146 return EINVAL;
147 }
148
149 /* Retrieve the SPI from the relevant IPsec header */
150 if (sproto == IPPROTO_ESP)
151 m_copydata(m, skip, sizeof(u_int32_t), (caddr_t) &spi);
152 else if (sproto == IPPROTO_AH)
153 m_copydata(m, skip + sizeof(u_int32_t), sizeof(u_int32_t),
154 (caddr_t) &spi);
155 else if (sproto == IPPROTO_IPCOMP) {
156 u_int16_t cpi;
157 m_copydata(m, skip + sizeof(u_int16_t), sizeof(u_int16_t),
158 (caddr_t) &cpi);
159 spi = ntohl(htons(cpi));
160 }
161
162 /*
163 * Find the SA and (indirectly) call the appropriate
164 * kernel crypto routine. The resulting mbuf chain is a valid
165 * IP packet ready to go through input processing.
166 */
167 bzero(&dst_address, sizeof (dst_address));
168 dst_address.sa.sa_family = af;
169 switch (af) {
170 #ifdef INET
171 case AF_INET:
172 dst_address.sin.sin_len = sizeof(struct sockaddr_in);
173 m_copydata(m, offsetof(struct ip, ip_dst),
174 sizeof(struct in_addr),
175 (caddr_t) &dst_address.sin.sin_addr);
176 break;
177 #endif /* INET */
178 #ifdef INET6
179 case AF_INET6:
180 dst_address.sin6.sin6_len = sizeof(struct sockaddr_in6);
181 m_copydata(m, offsetof(struct ip6_hdr, ip6_dst),
182 sizeof(struct in6_addr),
183 (caddr_t) &dst_address.sin6.sin6_addr);
184 /* We keep addresses in SADB without embedded scope id */
185 if (IN6_IS_SCOPE_LINKLOCAL(&dst_address.sin6.sin6_addr)) {
186 /* XXX: sa6_recoverscope() */
187 dst_address.sin6.sin6_scope_id =
188 ntohs(dst_address.sin6.sin6_addr.s6_addr16[1]);
189 dst_address.sin6.sin6_addr.s6_addr16[1] = 0;
190 }
191 break;
192 #endif /* INET6 */
193 default:
194 DPRINTF(("%s: unsupported protocol family %u\n", __func__, af));
195 m_freem(m);
196 IPSEC_ISTAT(sproto, nopf);
197 return EPFNOSUPPORT;
198 }
199
200 /* NB: only pass dst since key_allocsa follows RFC2401 */
201 sav = key_allocsa(&dst_address, sproto, spi);
202 if (sav == NULL) {
203 DPRINTF(("%s: no key association found for SA %s/%08lx/%u\n",
204 __func__, ipsec_address(&dst_address, buf, sizeof(buf)),
205 (u_long) ntohl(spi), sproto));
206 IPSEC_ISTAT(sproto, notdb);
207 m_freem(m);
208 return ENOENT;
209 }
210
211 if (sav->tdb_xform == NULL) {
212 DPRINTF(("%s: attempted to use uninitialized SA %s/%08lx/%u\n",
213 __func__, ipsec_address(&dst_address, buf, sizeof(buf)),
214 (u_long) ntohl(spi), sproto));
215 IPSEC_ISTAT(sproto, noxform);
216 key_freesav(&sav);
217 m_freem(m);
218 return ENXIO;
219 }
220
221 /*
222 * Call appropriate transform and return -- callback takes care of
223 * everything else.
224 */
225 error = (*sav->tdb_xform->xf_input)(m, sav, skip, protoff);
226 return (error);
227 }
228
229 #ifdef INET
230 extern struct protosw inetsw[];
231
232 /*
233 * IPSEC_INPUT() method implementation for IPv4.
234 * 0 - Permitted by inbound security policy for further processing.
235 * EACCES - Forbidden by inbound security policy.
236 * EINPROGRESS - consumed by IPsec.
237 */
238 int
239 ipsec4_input(struct mbuf *m, int offset, int proto)
240 {
241
242 switch (proto) {
243 case IPPROTO_AH:
244 case IPPROTO_ESP:
245 case IPPROTO_IPCOMP:
246 /* Do inbound IPsec processing for AH/ESP/IPCOMP */
247 ipsec_common_input(m, offset,
248 offsetof(struct ip, ip_p), AF_INET, proto);
249 return (EINPROGRESS); /* mbuf consumed by IPsec */
250 default:
251 /*
252 * Protocols with further headers get their IPsec treatment
253 * within the protocol specific processing.
254 */
255 if ((inetsw[ip_protox[proto]].pr_flags & PR_LASTHDR) == 0)
256 return (0);
257 /* FALLTHROUGH */
258 };
259 /*
260 * Enforce IPsec policy checking if we are seeing last header.
261 */
262 if (ipsec4_in_reject(m, NULL) != 0) {
263 /* Forbidden by inbound security policy */
264 m_freem(m);
265 return (EACCES);
266 }
267 return (0);
268 }
269
270 /*
271 * IPsec input callback for INET protocols.
272 * This routine is called as the transform callback.
273 * Takes care of filtering and other sanity checks on
274 * the processed packet.
275 */
276 int
277 ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip,
278 int protoff)
279 {
280 IPSEC_DEBUG_DECLARE(char buf[IPSEC_ADDRSTRLEN]);
281 struct ipsec_ctx_data ctx;
282 struct xform_history *xh;
283 struct secasindex *saidx;
284 struct m_tag *mtag;
285 struct ip *ip;
286 int error, prot, af, sproto, isr_prot;
287
288 IPSEC_ASSERT(sav != NULL, ("null SA"));
289 IPSEC_ASSERT(sav->sah != NULL, ("null SAH"));
290 saidx = &sav->sah->saidx;
291 af = saidx->dst.sa.sa_family;
292 IPSEC_ASSERT(af == AF_INET, ("unexpected af %u", af));
293 sproto = saidx->proto;
294 IPSEC_ASSERT(sproto == IPPROTO_ESP || sproto == IPPROTO_AH ||
295 sproto == IPPROTO_IPCOMP,
296 ("unexpected security protocol %u", sproto));
297
298 if (skip != 0) {
299 /*
300 * Fix IPv4 header
301 */
302 if (m->m_len < skip && (m = m_pullup(m, skip)) == NULL) {
303 DPRINTF(("%s: processing failed for SA %s/%08lx\n",
304 __func__, ipsec_address(&sav->sah->saidx.dst,
305 buf, sizeof(buf)), (u_long) ntohl(sav->spi)));
306 IPSEC_ISTAT(sproto, hdrops);
307 error = ENOBUFS;
308 goto bad;
309 }
310
311 ip = mtod(m, struct ip *);
312 ip->ip_len = htons(m->m_pkthdr.len);
313 ip->ip_sum = 0;
314 ip->ip_sum = in_cksum(m, ip->ip_hl << 2);
315 } else {
316 ip = mtod(m, struct ip *);
317 }
318 prot = ip->ip_p;
319 /*
320 * Check that we have NAT-T enabled and apply transport mode
321 * decapsulation NAT procedure (RFC3948).
322 * Do this before invoking into the PFIL.
323 */
324 if (sav->natt != NULL &&
325 (prot == IPPROTO_UDP || prot == IPPROTO_TCP))
326 udp_ipsec_adjust_cksum(m, sav, prot, skip);
327
328 IPSEC_INIT_CTX(&ctx, &m, NULL, sav, AF_INET, IPSEC_ENC_BEFORE);
329 if ((error = ipsec_run_hhooks(&ctx, HHOOK_TYPE_IPSEC_IN)) != 0)
330 goto bad;
331 ip = mtod(m, struct ip *); /* update pointer */
332
333 /* IP-in-IP encapsulation */
334 if (prot == IPPROTO_IPIP &&
335 saidx->mode != IPSEC_MODE_TRANSPORT) {
336 if (m->m_pkthdr.len - skip < sizeof(struct ip)) {
337 IPSEC_ISTAT(sproto, hdrops);
338 error = EINVAL;
339 goto bad;
340 }
341 /* enc0: strip outer IPv4 header */
342 m_striphdr(m, 0, ip->ip_hl << 2);
343 }
344 #ifdef INET6
345 /* IPv6-in-IP encapsulation. */
346 else if (prot == IPPROTO_IPV6 &&
347 saidx->mode != IPSEC_MODE_TRANSPORT) {
348 if (m->m_pkthdr.len - skip < sizeof(struct ip6_hdr)) {
349 IPSEC_ISTAT(sproto, hdrops);
350 error = EINVAL;
351 goto bad;
352 }
353 /* enc0: strip IPv4 header, keep IPv6 header only */
354 m_striphdr(m, 0, ip->ip_hl << 2);
355 }
356 #endif /* INET6 */
357 else if (prot != IPPROTO_IPV6 && saidx->mode == IPSEC_MODE_ANY) {
358 /*
359 * When mode is wildcard, inner protocol is IPv6 and
360 * we have no INET6 support - drop this packet a bit later.
361 * In other cases we assume transport mode. Set prot to
362 * correctly choose netisr.
363 */
364 prot = IPPROTO_IPIP;
365 }
366
367 /*
368 * Record what we've done to the packet (under what SA it was
369 * processed).
370 */
371 if (sproto != IPPROTO_IPCOMP) {
372 mtag = m_tag_get(PACKET_TAG_IPSEC_IN_DONE,
373 sizeof(struct xform_history), M_NOWAIT);
374 if (mtag == NULL) {
375 DPRINTF(("%s: failed to get tag\n", __func__));
376 IPSEC_ISTAT(sproto, hdrops);
377 error = ENOMEM;
378 goto bad;
379 }
380
381 xh = (struct xform_history *)(mtag + 1);
382 bcopy(&saidx->dst, &xh->dst, saidx->dst.sa.sa_len);
383 xh->spi = sav->spi;
384 xh->proto = sproto;
385 xh->mode = saidx->mode;
386 m_tag_prepend(m, mtag);
387 }
388
389 key_sa_recordxfer(sav, m); /* record data transfer */
390
391 /*
392 * In transport mode requeue decrypted mbuf back to IPv4 protocol
393 * handler. This is necessary to correctly expose rcvif.
394 */
395 if (saidx->mode == IPSEC_MODE_TRANSPORT)
396 prot = IPPROTO_IPIP;
397 /*
398 * Re-dispatch via software interrupt.
399 */
400 switch (prot) {
401 case IPPROTO_IPIP:
402 isr_prot = NETISR_IP;
403 af = AF_INET;
404 break;
405 #ifdef INET6
406 case IPPROTO_IPV6:
407 isr_prot = NETISR_IPV6;
408 af = AF_INET6;
409 break;
410 #endif
411 default:
412 DPRINTF(("%s: cannot handle inner ip proto %d\n",
413 __func__, prot));
414 IPSEC_ISTAT(sproto, nopf);
415 error = EPFNOSUPPORT;
416 goto bad;
417 }
418
419 IPSEC_INIT_CTX(&ctx, &m, NULL, sav, af, IPSEC_ENC_AFTER);
420 if ((error = ipsec_run_hhooks(&ctx, HHOOK_TYPE_IPSEC_IN)) != 0)
421 goto bad;
422
423 /* Handle virtual tunneling interfaces */
424 if (saidx->mode == IPSEC_MODE_TUNNEL)
425 error = ipsec_if_input(m, sav, af);
426 if (error == 0) {
427 error = netisr_queue_src(isr_prot, (uintptr_t)sav->spi, m);
428 if (error) {
429 IPSEC_ISTAT(sproto, qfull);
430 DPRINTF(("%s: queue full; proto %u packet dropped\n",
431 __func__, sproto));
432 }
433 }
434 key_freesav(&sav);
435 return (error);
436 bad:
437 key_freesav(&sav);
438 if (m != NULL)
439 m_freem(m);
440 return (error);
441 }
442 #endif /* INET */
443
444 #ifdef INET6
445 /*
446 * IPSEC_INPUT() method implementation for IPv6.
447 * 0 - Permitted by inbound security policy for further processing.
448 * EACCES - Forbidden by inbound security policy.
449 * EINPROGRESS - consumed by IPsec.
450 */
451 int
452 ipsec6_input(struct mbuf *m, int offset, int proto)
453 {
454
455 switch (proto) {
456 case IPPROTO_AH:
457 case IPPROTO_ESP:
458 case IPPROTO_IPCOMP:
459 /* Do inbound IPsec processing for AH/ESP/IPCOMP */
460 ipsec_common_input(m, offset,
461 offsetof(struct ip6_hdr, ip6_nxt), AF_INET6, proto);
462 return (EINPROGRESS); /* mbuf consumed by IPsec */
463 default:
464 /*
465 * Protocols with further headers get their IPsec treatment
466 * within the protocol specific processing.
467 */
468 if ((inet6sw[ip6_protox[proto]].pr_flags & PR_LASTHDR) == 0)
469 return (0);
470 /* FALLTHROUGH */
471 };
472 /*
473 * Enforce IPsec policy checking if we are seeing last header.
474 */
475 if (ipsec6_in_reject(m, NULL) != 0) {
476 /* Forbidden by inbound security policy */
477 m_freem(m);
478 return (EACCES);
479 }
480 return (0);
481 }
482
483 /*
484 * IPsec input callback, called by the transform callback. Takes care of
485 * filtering and other sanity checks on the processed packet.
486 */
487 int
488 ipsec6_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip,
489 int protoff)
490 {
491 IPSEC_DEBUG_DECLARE(char buf[IPSEC_ADDRSTRLEN]);
492 struct ipsec_ctx_data ctx;
493 struct xform_history *xh;
494 struct secasindex *saidx;
495 struct ip6_hdr *ip6;
496 struct m_tag *mtag;
497 int prot, af, sproto;
498 int nxt, isr_prot;
499 int error, nest;
500 uint8_t nxt8;
501
502 IPSEC_ASSERT(sav != NULL, ("null SA"));
503 IPSEC_ASSERT(sav->sah != NULL, ("null SAH"));
504 saidx = &sav->sah->saidx;
505 af = saidx->dst.sa.sa_family;
506 IPSEC_ASSERT(af == AF_INET6, ("unexpected af %u", af));
507 sproto = saidx->proto;
508 IPSEC_ASSERT(sproto == IPPROTO_ESP || sproto == IPPROTO_AH ||
509 sproto == IPPROTO_IPCOMP,
510 ("unexpected security protocol %u", sproto));
511
512 /* Fix IPv6 header */
513 if (m->m_len < sizeof(struct ip6_hdr) &&
514 (m = m_pullup(m, sizeof(struct ip6_hdr))) == NULL) {
515
516 DPRINTF(("%s: processing failed for SA %s/%08lx\n",
517 __func__, ipsec_address(&sav->sah->saidx.dst, buf,
518 sizeof(buf)), (u_long) ntohl(sav->spi)));
519
520 IPSEC_ISTAT(sproto, hdrops);
521 error = EACCES;
522 goto bad;
523 }
524
525 IPSEC_INIT_CTX(&ctx, &m, NULL, sav, af, IPSEC_ENC_BEFORE);
526 if ((error = ipsec_run_hhooks(&ctx, HHOOK_TYPE_IPSEC_IN)) != 0)
527 goto bad;
528
529 ip6 = mtod(m, struct ip6_hdr *);
530 ip6->ip6_plen = htons(m->m_pkthdr.len - sizeof(struct ip6_hdr));
531
532 /* Save protocol */
533 m_copydata(m, protoff, 1, &nxt8);
534 prot = nxt8;
535
536 /* IPv6-in-IP encapsulation */
537 if (prot == IPPROTO_IPV6 &&
538 saidx->mode != IPSEC_MODE_TRANSPORT) {
539 if (m->m_pkthdr.len - skip < sizeof(struct ip6_hdr)) {
540 IPSEC_ISTAT(sproto, hdrops);
541 error = EINVAL;
542 goto bad;
543 }
544 /* ip6n will now contain the inner IPv6 header. */
545 m_striphdr(m, 0, skip);
546 skip = 0;
547 }
548 #ifdef INET
549 /* IP-in-IP encapsulation */
550 else if (prot == IPPROTO_IPIP &&
551 saidx->mode != IPSEC_MODE_TRANSPORT) {
552 if (m->m_pkthdr.len - skip < sizeof(struct ip)) {
553 IPSEC_ISTAT(sproto, hdrops);
554 error = EINVAL;
555 goto bad;
556 }
557 /* ipn will now contain the inner IPv4 header */
558 m_striphdr(m, 0, skip);
559 skip = 0;
560 }
561 #endif /* INET */
562 else {
563 prot = IPPROTO_IPV6; /* for correct BPF processing */
564 }
565
566 /*
567 * Record what we've done to the packet (under what SA it was
568 * processed).
569 */
570 if (sproto != IPPROTO_IPCOMP) {
571 mtag = m_tag_get(PACKET_TAG_IPSEC_IN_DONE,
572 sizeof(struct xform_history), M_NOWAIT);
573 if (mtag == NULL) {
574 DPRINTF(("%s: failed to get tag\n", __func__));
575 IPSEC_ISTAT(sproto, hdrops);
576 error = ENOMEM;
577 goto bad;
578 }
579
580 xh = (struct xform_history *)(mtag + 1);
581 bcopy(&saidx->dst, &xh->dst, saidx->dst.sa.sa_len);
582 xh->spi = sav->spi;
583 xh->proto = sproto;
584 xh->mode = saidx->mode;
585 m_tag_prepend(m, mtag);
586 }
587
588 key_sa_recordxfer(sav, m);
589
590 #ifdef INET
591 if (prot == IPPROTO_IPIP)
592 af = AF_INET;
593 else
594 #endif
595 af = AF_INET6;
596 IPSEC_INIT_CTX(&ctx, &m, NULL, sav, af, IPSEC_ENC_AFTER);
597 if ((error = ipsec_run_hhooks(&ctx, HHOOK_TYPE_IPSEC_IN)) != 0)
598 goto bad;
599 if (skip == 0) {
600 /*
601 * We stripped outer IPv6 header.
602 * Now we should requeue decrypted packet via netisr.
603 */
604 switch (prot) {
605 #ifdef INET
606 case IPPROTO_IPIP:
607 isr_prot = NETISR_IP;
608 break;
609 #endif
610 case IPPROTO_IPV6:
611 isr_prot = NETISR_IPV6;
612 break;
613 default:
614 DPRINTF(("%s: cannot handle inner ip proto %d\n",
615 __func__, prot));
616 IPSEC_ISTAT(sproto, nopf);
617 error = EPFNOSUPPORT;
618 goto bad;
619 }
620 /* Handle virtual tunneling interfaces */
621 if (saidx->mode == IPSEC_MODE_TUNNEL)
622 error = ipsec_if_input(m, sav, af);
623 if (error == 0) {
624 error = netisr_queue_src(isr_prot,
625 (uintptr_t)sav->spi, m);
626 if (error) {
627 IPSEC_ISTAT(sproto, qfull);
628 DPRINTF(("%s: queue full; proto %u packet"
629 " dropped\n", __func__, sproto));
630 }
631 }
632 key_freesav(&sav);
633 return (error);
634 }
635 /*
636 * See the end of ip6_input for this logic.
637 * IPPROTO_IPV[46] case will be processed just like other ones
638 */
639 nest = 0;
640 nxt = nxt8;
641 while (nxt != IPPROTO_DONE) {
642 if (V_ip6_hdrnestlimit && (++nest > V_ip6_hdrnestlimit)) {
643 IP6STAT_INC(ip6s_toomanyhdr);
644 error = EINVAL;
645 goto bad;
646 }
647
648 /*
649 * Protection against faulty packet - there should be
650 * more sanity checks in header chain processing.
651 */
652 if (m->m_pkthdr.len < skip) {
653 IP6STAT_INC(ip6s_tooshort);
654 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_truncated);
655 error = EINVAL;
656 goto bad;
657 }
658 /*
659 * Enforce IPsec policy checking if we are seeing last header.
660 * note that we do not visit this with protocols with pcb layer
661 * code - like udp/tcp/raw ip.
662 */
663 if ((inet6sw[ip6_protox[nxt]].pr_flags & PR_LASTHDR) != 0 &&
664 ipsec6_in_reject(m, NULL)) {
665 error = EINVAL;
666 goto bad;
667 }
668 nxt = (*inet6sw[ip6_protox[nxt]].pr_input)(&m, &skip, nxt);
669 }
670 key_freesav(&sav);
671 return (0);
672 bad:
673 key_freesav(&sav);
674 if (m)
675 m_freem(m);
676 return (error);
677 }
678 #endif /* INET6 */
Cache object: 50c4ab3b049a444dd7c522b5f689756d
|