1 /* $FreeBSD: releng/6.4/sys/netipsec/ipsec_input.c 176951 2008-03-08 18:56:22Z bz $ */
2 /* $OpenBSD: ipsec_input.c,v 1.63 2003/02/20 18:35:43 deraadt Exp $ */
3 /*-
4 * The authors of this code are John Ioannidis (ji@tla.org),
5 * Angelos D. Keromytis (kermit@csd.uch.gr) and
6 * Niels Provos (provos@physnet.uni-hamburg.de).
7 *
8 * This code was written by John Ioannidis for BSD/OS in Athens, Greece,
9 * in November 1995.
10 *
11 * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996,
12 * by Angelos D. Keromytis.
13 *
14 * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis
15 * and Niels Provos.
16 *
17 * Additional features in 1999 by Angelos D. Keromytis.
18 *
19 * Copyright (C) 1995, 1996, 1997, 1998, 1999 by John Ioannidis,
20 * Angelos D. Keromytis and Niels Provos.
21 * Copyright (c) 2001, Angelos D. Keromytis.
22 *
23 * Permission to use, copy, and modify this software with or without fee
24 * is hereby granted, provided that this entire notice is included in
25 * all copies of any software which is or includes a copy or
26 * modification of this software.
27 * You may use this code under the GNU public license if you so wish. Please
28 * contribute changes back to the authors under this freer than GPL license
29 * so that we may further the use of strong encryption without limitations to
30 * all.
31 *
32 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
33 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY
34 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
35 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
36 * PURPOSE.
37 */
38
39 /*
40 * IPsec input processing.
41 */
42
43 #include "opt_inet.h"
44 #include "opt_inet6.h"
45 #include "opt_ipsec.h"
46 #include "opt_enc.h"
47
48 #include <sys/param.h>
49 #include <sys/systm.h>
50 #include <sys/malloc.h>
51 #include <sys/mbuf.h>
52 #include <sys/domain.h>
53 #include <sys/protosw.h>
54 #include <sys/socket.h>
55 #include <sys/errno.h>
56 #include <sys/syslog.h>
57
58 #include <net/if.h>
59 #include <net/pfil.h>
60 #include <net/route.h>
61 #include <net/netisr.h>
62
63 #include <netinet/in.h>
64 #include <netinet/in_systm.h>
65 #include <netinet/ip.h>
66 #include <netinet/ip_var.h>
67 #include <netinet/in_var.h>
68
69 #include <netinet/ip6.h>
70 #ifdef INET6
71 #include <netinet6/ip6_var.h>
72 #endif
73 #include <netinet/in_pcb.h>
74 #ifdef INET6
75 #include <netinet/icmp6.h>
76 #endif
77
78 #include <netipsec/ipsec.h>
79 #ifdef INET6
80 #include <netipsec/ipsec6.h>
81 #endif
82 #include <netipsec/ah_var.h>
83 #include <netipsec/esp.h>
84 #include <netipsec/esp_var.h>
85 #include <netipsec/ipcomp_var.h>
86
87 #include <netipsec/key.h>
88 #include <netipsec/keydb.h>
89
90 #include <netipsec/xform.h>
91 #include <netinet6/ip6protosw.h>
92
93 #include <machine/in_cksum.h>
94 #include <machine/stdarg.h>
95
96 #define IPSEC_ISTAT(p,x,y,z) ((p) == IPPROTO_ESP ? (x)++ : \
97 (p) == IPPROTO_AH ? (y)++ : (z)++)
98
99 static void ipsec4_common_ctlinput(int, struct sockaddr *, void *, int);
100
101 /*
102 * ipsec_common_input gets called when an IPsec-protected packet
103 * is received by IPv4 or IPv6. It's job is to find the right SA
104 * and call the appropriate transform. The transform callback
105 * takes care of further processing (like ingress filtering).
106 */
107 static int
108 ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto)
109 {
110 union sockaddr_union dst_address;
111 struct secasvar *sav;
112 u_int32_t spi;
113 int error;
114
115 IPSEC_ISTAT(sproto, espstat.esps_input, ahstat.ahs_input,
116 ipcompstat.ipcomps_input);
117
118 IPSEC_ASSERT(m != NULL, ("null packet"));
119
120 IPSEC_ASSERT(sproto == IPPROTO_ESP || sproto == IPPROTO_AH ||
121 sproto == IPPROTO_IPCOMP,
122 ("unexpected security protocol %u", sproto));
123
124 if ((sproto == IPPROTO_ESP && !esp_enable) ||
125 (sproto == IPPROTO_AH && !ah_enable) ||
126 (sproto == IPPROTO_IPCOMP && !ipcomp_enable)) {
127 m_freem(m);
128 IPSEC_ISTAT(sproto, espstat.esps_pdrops, ahstat.ahs_pdrops,
129 ipcompstat.ipcomps_pdrops);
130 return EOPNOTSUPP;
131 }
132
133 if (m->m_pkthdr.len - skip < 2 * sizeof (u_int32_t)) {
134 m_freem(m);
135 IPSEC_ISTAT(sproto, espstat.esps_hdrops, ahstat.ahs_hdrops,
136 ipcompstat.ipcomps_hdrops);
137 DPRINTF(("%s: packet too small\n", __func__));
138 return EINVAL;
139 }
140
141 /* Retrieve the SPI from the relevant IPsec header */
142 if (sproto == IPPROTO_ESP)
143 m_copydata(m, skip, sizeof(u_int32_t), (caddr_t) &spi);
144 else if (sproto == IPPROTO_AH)
145 m_copydata(m, skip + sizeof(u_int32_t), sizeof(u_int32_t),
146 (caddr_t) &spi);
147 else if (sproto == IPPROTO_IPCOMP) {
148 u_int16_t cpi;
149 m_copydata(m, skip + sizeof(u_int16_t), sizeof(u_int16_t),
150 (caddr_t) &cpi);
151 spi = ntohl(htons(cpi));
152 }
153
154 /*
155 * Find the SA and (indirectly) call the appropriate
156 * kernel crypto routine. The resulting mbuf chain is a valid
157 * IP packet ready to go through input processing.
158 */
159 bzero(&dst_address, sizeof (dst_address));
160 dst_address.sa.sa_family = af;
161 switch (af) {
162 #ifdef INET
163 case AF_INET:
164 dst_address.sin.sin_len = sizeof(struct sockaddr_in);
165 m_copydata(m, offsetof(struct ip, ip_dst),
166 sizeof(struct in_addr),
167 (caddr_t) &dst_address.sin.sin_addr);
168 break;
169 #endif /* INET */
170 #ifdef INET6
171 case AF_INET6:
172 dst_address.sin6.sin6_len = sizeof(struct sockaddr_in6);
173 m_copydata(m, offsetof(struct ip6_hdr, ip6_dst),
174 sizeof(struct in6_addr),
175 (caddr_t) &dst_address.sin6.sin6_addr);
176 break;
177 #endif /* INET6 */
178 default:
179 DPRINTF(("%s: unsupported protocol family %u\n", __func__, af));
180 m_freem(m);
181 IPSEC_ISTAT(sproto, espstat.esps_nopf, ahstat.ahs_nopf,
182 ipcompstat.ipcomps_nopf);
183 return EPFNOSUPPORT;
184 }
185
186 /* NB: only pass dst since key_allocsa follows RFC2401 */
187 sav = KEY_ALLOCSA(&dst_address, sproto, spi);
188 if (sav == NULL) {
189 DPRINTF(("%s: no key association found for SA %s/%08lx/%u\n",
190 __func__, ipsec_address(&dst_address),
191 (u_long) ntohl(spi), sproto));
192 IPSEC_ISTAT(sproto, espstat.esps_notdb, ahstat.ahs_notdb,
193 ipcompstat.ipcomps_notdb);
194 m_freem(m);
195 return ENOENT;
196 }
197
198 if (sav->tdb_xform == NULL) {
199 DPRINTF(("%s: attempted to use uninitialized SA %s/%08lx/%u\n",
200 __func__, ipsec_address(&dst_address),
201 (u_long) ntohl(spi), sproto));
202 IPSEC_ISTAT(sproto, espstat.esps_noxform, ahstat.ahs_noxform,
203 ipcompstat.ipcomps_noxform);
204 KEY_FREESAV(&sav);
205 m_freem(m);
206 return ENXIO;
207 }
208
209 /*
210 * Call appropriate transform and return -- callback takes care of
211 * everything else.
212 */
213 error = (*sav->tdb_xform->xf_input)(m, sav, skip, protoff);
214 KEY_FREESAV(&sav);
215 return error;
216 }
217
218 #ifdef INET
219 /*
220 * Common input handler for IPv4 AH, ESP, and IPCOMP.
221 */
222 int
223 ipsec4_common_input(struct mbuf *m, ...)
224 {
225 va_list ap;
226 int off, nxt;
227
228 va_start(ap, m);
229 off = va_arg(ap, int);
230 nxt = va_arg(ap, int);
231 va_end(ap);
232
233 return ipsec_common_input(m, off, offsetof(struct ip, ip_p),
234 AF_INET, nxt);
235 }
236
237 void
238 ah4_input(struct mbuf *m, int off)
239 {
240 ipsec4_common_input(m, off, IPPROTO_AH);
241 }
242 void
243 ah4_ctlinput(int cmd, struct sockaddr *sa, void *v)
244 {
245 if (sa->sa_family == AF_INET &&
246 sa->sa_len == sizeof(struct sockaddr_in))
247 ipsec4_common_ctlinput(cmd, sa, v, IPPROTO_AH);
248 }
249
250 void
251 esp4_input(struct mbuf *m, int off)
252 {
253 ipsec4_common_input(m, off, IPPROTO_ESP);
254 }
255 void
256 esp4_ctlinput(int cmd, struct sockaddr *sa, void *v)
257 {
258 if (sa->sa_family == AF_INET &&
259 sa->sa_len == sizeof(struct sockaddr_in))
260 ipsec4_common_ctlinput(cmd, sa, v, IPPROTO_ESP);
261 }
262
263 void
264 ipcomp4_input(struct mbuf *m, int off)
265 {
266 ipsec4_common_input(m, off, IPPROTO_IPCOMP);
267 }
268
269 /*
270 * IPsec input callback for INET protocols.
271 * This routine is called as the transform callback.
272 * Takes care of filtering and other sanity checks on
273 * the processed packet.
274 */
275 int
276 ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav,
277 int skip, int protoff, struct m_tag *mt)
278 {
279 int prot, af, sproto;
280 struct ip *ip;
281 struct m_tag *mtag;
282 struct tdb_ident *tdbi;
283 struct secasindex *saidx;
284 int error;
285
286 IPSEC_SPLASSERT_SOFTNET(__func__);
287
288 IPSEC_ASSERT(m != NULL, ("null mbuf"));
289 IPSEC_ASSERT(sav != NULL, ("null SA"));
290 IPSEC_ASSERT(sav->sah != NULL, ("null SAH"));
291 saidx = &sav->sah->saidx;
292 af = saidx->dst.sa.sa_family;
293 IPSEC_ASSERT(af == AF_INET, ("unexpected af %u", af));
294 sproto = saidx->proto;
295 IPSEC_ASSERT(sproto == IPPROTO_ESP || sproto == IPPROTO_AH ||
296 sproto == IPPROTO_IPCOMP,
297 ("unexpected security protocol %u", sproto));
298
299 /* Sanity check */
300 if (m == NULL) {
301 DPRINTF(("%s: null mbuf", __func__));
302 IPSEC_ISTAT(sproto, espstat.esps_badkcr, ahstat.ahs_badkcr,
303 ipcompstat.ipcomps_badkcr);
304 KEY_FREESAV(&sav);
305 return EINVAL;
306 }
307
308 if (skip != 0) {
309 /* Fix IPv4 header */
310 if (m->m_len < skip && (m = m_pullup(m, skip)) == NULL) {
311 DPRINTF(("%s: processing failed for SA %s/%08lx\n",
312 __func__, ipsec_address(&sav->sah->saidx.dst),
313 (u_long) ntohl(sav->spi)));
314 IPSEC_ISTAT(sproto, espstat.esps_hdrops, ahstat.ahs_hdrops,
315 ipcompstat.ipcomps_hdrops);
316 error = ENOBUFS;
317 goto bad;
318 }
319
320 ip = mtod(m, struct ip *);
321 ip->ip_len = htons(m->m_pkthdr.len);
322 ip->ip_off = htons(ip->ip_off);
323 ip->ip_sum = 0;
324 ip->ip_sum = in_cksum(m, ip->ip_hl << 2);
325 } else {
326 ip = mtod(m, struct ip *);
327 }
328 prot = ip->ip_p;
329
330 #ifdef notyet
331 /* IP-in-IP encapsulation */
332 if (prot == IPPROTO_IPIP) {
333 struct ip ipn;
334
335 if (m->m_pkthdr.len - skip < sizeof(struct ip)) {
336 IPSEC_ISTAT(sproto, espstat.esps_hdrops,
337 ahstat.ahs_hdrops,
338 ipcompstat.ipcomps_hdrops);
339 error = EINVAL;
340 goto bad;
341 }
342 /* ipn will now contain the inner IPv4 header */
343 m_copydata(m, ip->ip_hl << 2, sizeof(struct ip),
344 (caddr_t) &ipn);
345
346 /* XXX PROXY address isn't recorded in SAH */
347 /*
348 * Check that the inner source address is the same as
349 * the proxy address, if available.
350 */
351 if ((saidx->proxy.sa.sa_family == AF_INET &&
352 saidx->proxy.sin.sin_addr.s_addr !=
353 INADDR_ANY &&
354 ipn.ip_src.s_addr !=
355 saidx->proxy.sin.sin_addr.s_addr) ||
356 (saidx->proxy.sa.sa_family != AF_INET &&
357 saidx->proxy.sa.sa_family != 0)) {
358
359 DPRINTF(("%s: inner source address %s doesn't "
360 "correspond to expected proxy source %s, "
361 "SA %s/%08lx\n", __func__,
362 inet_ntoa4(ipn.ip_src),
363 ipsp_address(saidx->proxy),
364 ipsp_address(saidx->dst),
365 (u_long) ntohl(sav->spi)));
366
367 IPSEC_ISTAT(sproto, espstat.esps_pdrops,
368 ahstat.ahs_pdrops,
369 ipcompstat.ipcomps_pdrops);
370 error = EACCES;
371 goto bad;
372 }
373 }
374 #ifdef INET6
375 /* IPv6-in-IP encapsulation. */
376 if (prot == IPPROTO_IPV6) {
377 struct ip6_hdr ip6n;
378
379 if (m->m_pkthdr.len - skip < sizeof(struct ip6_hdr)) {
380 IPSEC_ISTAT(sproto, espstat.esps_hdrops,
381 ahstat.ahs_hdrops,
382 ipcompstat.ipcomps_hdrops);
383 error = EINVAL;
384 goto bad;
385 }
386 /* ip6n will now contain the inner IPv6 header. */
387 m_copydata(m, ip->ip_hl << 2, sizeof(struct ip6_hdr),
388 (caddr_t) &ip6n);
389
390 /*
391 * Check that the inner source address is the same as
392 * the proxy address, if available.
393 */
394 if ((saidx->proxy.sa.sa_family == AF_INET6 &&
395 !IN6_IS_ADDR_UNSPECIFIED(&saidx->proxy.sin6.sin6_addr) &&
396 !IN6_ARE_ADDR_EQUAL(&ip6n.ip6_src,
397 &saidx->proxy.sin6.sin6_addr)) ||
398 (saidx->proxy.sa.sa_family != AF_INET6 &&
399 saidx->proxy.sa.sa_family != 0)) {
400
401 DPRINTF(("%s: inner source address %s doesn't "
402 "correspond to expected proxy source %s, "
403 "SA %s/%08lx\n", __func__,
404 ip6_sprintf(&ip6n.ip6_src),
405 ipsec_address(&saidx->proxy),
406 ipsec_address(&saidx->dst),
407 (u_long) ntohl(sav->spi)));
408
409 IPSEC_ISTAT(sproto, espstat.esps_pdrops,
410 ahstat.ahs_pdrops,
411 ipcompstat.ipcomps_pdrops);
412 error = EACCES;
413 goto bad;
414 }
415 }
416 #endif /* INET6 */
417 #endif /*XXX*/
418
419 /*
420 * Record what we've done to the packet (under what SA it was
421 * processed). If we've been passed an mtag, it means the packet
422 * was already processed by an ethernet/crypto combo card and
423 * thus has a tag attached with all the right information, but
424 * with a PACKET_TAG_IPSEC_IN_CRYPTO_DONE as opposed to
425 * PACKET_TAG_IPSEC_IN_DONE type; in that case, just change the type.
426 */
427 if (mt == NULL && sproto != IPPROTO_IPCOMP) {
428 mtag = m_tag_get(PACKET_TAG_IPSEC_IN_DONE,
429 sizeof(struct tdb_ident), M_NOWAIT);
430 if (mtag == NULL) {
431 DPRINTF(("%s: failed to get tag\n", __func__));
432 IPSEC_ISTAT(sproto, espstat.esps_hdrops,
433 ahstat.ahs_hdrops, ipcompstat.ipcomps_hdrops);
434 error = ENOMEM;
435 goto bad;
436 }
437
438 tdbi = (struct tdb_ident *)(mtag + 1);
439 bcopy(&saidx->dst, &tdbi->dst, saidx->dst.sa.sa_len);
440 tdbi->proto = sproto;
441 tdbi->spi = sav->spi;
442
443 m_tag_prepend(m, mtag);
444 } else if (mt != NULL) {
445 mt->m_tag_id = PACKET_TAG_IPSEC_IN_DONE;
446 /* XXX do we need to mark m_flags??? */
447 }
448
449 key_sa_recordxfer(sav, m); /* record data transfer */
450
451 #ifdef DEV_ENC
452 /*
453 * Pass the mbuf to enc0 for bpf and pfil. We will filter the IPIP
454 * packet later after it has been decapsulated.
455 */
456 ipsec_bpf(m, sav, AF_INET);
457
458 if (prot != IPPROTO_IPIP)
459 if ((error = ipsec_filter(&m, PFIL_IN)) != 0)
460 return (error);
461 #endif
462
463 /*
464 * Re-dispatch via software interrupt.
465 */
466 if ((error = netisr_queue(NETISR_IP, m))) {
467 IPSEC_ISTAT(sproto, espstat.esps_qfull, ahstat.ahs_qfull,
468 ipcompstat.ipcomps_qfull);
469
470 DPRINTF(("%s: queue full; proto %u packet dropped\n",
471 __func__, sproto));
472 return error;
473 }
474 return 0;
475 bad:
476 m_freem(m);
477 return error;
478 }
479
480 void
481 ipsec4_common_ctlinput(int cmd, struct sockaddr *sa, void *v, int proto)
482 {
483 /* XXX nothing just yet */
484 }
485 #endif /* INET */
486
487 #ifdef INET6
488 /* IPv6 AH wrapper. */
489 int
490 ipsec6_common_input(struct mbuf **mp, int *offp, int proto)
491 {
492 int l = 0;
493 int protoff;
494 struct ip6_ext ip6e;
495
496 if (*offp < sizeof(struct ip6_hdr)) {
497 DPRINTF(("%s: bad offset %u\n", __func__, *offp));
498 return IPPROTO_DONE;
499 } else if (*offp == sizeof(struct ip6_hdr)) {
500 protoff = offsetof(struct ip6_hdr, ip6_nxt);
501 } else {
502 /* Chase down the header chain... */
503 protoff = sizeof(struct ip6_hdr);
504
505 do {
506 protoff += l;
507 m_copydata(*mp, protoff, sizeof(ip6e),
508 (caddr_t) &ip6e);
509
510 if (ip6e.ip6e_nxt == IPPROTO_AH)
511 l = (ip6e.ip6e_len + 2) << 2;
512 else
513 l = (ip6e.ip6e_len + 1) << 3;
514 IPSEC_ASSERT(l > 0, ("l went zero or negative"));
515 } while (protoff + l < *offp);
516
517 /* Malformed packet check */
518 if (protoff + l != *offp) {
519 DPRINTF(("%s: bad packet header chain, protoff %u, "
520 "l %u, off %u\n", __func__, protoff, l, *offp));
521 IPSEC_ISTAT(proto, espstat.esps_hdrops,
522 ahstat.ahs_hdrops,
523 ipcompstat.ipcomps_hdrops);
524 m_freem(*mp);
525 *mp = NULL;
526 return IPPROTO_DONE;
527 }
528 protoff += offsetof(struct ip6_ext, ip6e_nxt);
529 }
530 (void) ipsec_common_input(*mp, *offp, protoff, AF_INET6, proto);
531 return IPPROTO_DONE;
532 }
533
534 /*
535 * IPsec input callback, called by the transform callback. Takes care of
536 * filtering and other sanity checks on the processed packet.
537 */
538 int
539 ipsec6_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip, int protoff,
540 struct m_tag *mt)
541 {
542 int prot, af, sproto;
543 struct ip6_hdr *ip6;
544 struct m_tag *mtag;
545 struct tdb_ident *tdbi;
546 struct secasindex *saidx;
547 int nxt;
548 u_int8_t nxt8;
549 int error, nest;
550
551 IPSEC_ASSERT(m != NULL, ("null mbuf"));
552 IPSEC_ASSERT(sav != NULL, ("null SA"));
553 IPSEC_ASSERT(sav->sah != NULL, ("null SAH"));
554 saidx = &sav->sah->saidx;
555 af = saidx->dst.sa.sa_family;
556 IPSEC_ASSERT(af == AF_INET6, ("unexpected af %u", af));
557 sproto = saidx->proto;
558 IPSEC_ASSERT(sproto == IPPROTO_ESP || sproto == IPPROTO_AH ||
559 sproto == IPPROTO_IPCOMP,
560 ("unexpected security protocol %u", sproto));
561
562 /* Sanity check */
563 if (m == NULL) {
564 DPRINTF(("%s: null mbuf", __func__));
565 IPSEC_ISTAT(sproto, espstat.esps_badkcr, ahstat.ahs_badkcr,
566 ipcompstat.ipcomps_badkcr);
567 error = EINVAL;
568 goto bad;
569 }
570
571 /* Fix IPv6 header */
572 if (m->m_len < sizeof(struct ip6_hdr) &&
573 (m = m_pullup(m, sizeof(struct ip6_hdr))) == NULL) {
574
575 DPRINTF(("%s: processing failed for SA %s/%08lx\n",
576 __func__, ipsec_address(&sav->sah->saidx.dst),
577 (u_long) ntohl(sav->spi)));
578
579 IPSEC_ISTAT(sproto, espstat.esps_hdrops, ahstat.ahs_hdrops,
580 ipcompstat.ipcomps_hdrops);
581 error = EACCES;
582 goto bad;
583 }
584
585 ip6 = mtod(m, struct ip6_hdr *);
586 ip6->ip6_plen = htons(m->m_pkthdr.len - sizeof(struct ip6_hdr));
587
588 /* Save protocol */
589 m_copydata(m, protoff, 1, (unsigned char *) &prot);
590
591 #ifdef notyet
592 #ifdef INET
593 /* IP-in-IP encapsulation */
594 if (prot == IPPROTO_IPIP) {
595 struct ip ipn;
596
597 if (m->m_pkthdr.len - skip < sizeof(struct ip)) {
598 IPSEC_ISTAT(sproto, espstat.esps_hdrops,
599 ahstat.ahs_hdrops,
600 ipcompstat.ipcomps_hdrops);
601 error = EINVAL;
602 goto bad;
603 }
604 /* ipn will now contain the inner IPv4 header */
605 m_copydata(m, skip, sizeof(struct ip), (caddr_t) &ipn);
606
607 /*
608 * Check that the inner source address is the same as
609 * the proxy address, if available.
610 */
611 if ((saidx->proxy.sa.sa_family == AF_INET &&
612 saidx->proxy.sin.sin_addr.s_addr != INADDR_ANY &&
613 ipn.ip_src.s_addr != saidx->proxy.sin.sin_addr.s_addr) ||
614 (saidx->proxy.sa.sa_family != AF_INET &&
615 saidx->proxy.sa.sa_family != 0)) {
616
617 DPRINTF(("%s: inner source address %s doesn't "
618 "correspond to expected proxy source %s, "
619 "SA %s/%08lx\n", __func__,
620 inet_ntoa4(ipn.ip_src),
621 ipsec_address(&saidx->proxy),
622 ipsec_address(&saidx->dst),
623 (u_long) ntohl(sav->spi)));
624
625 IPSEC_ISTATsproto, (espstat.esps_pdrops,
626 ahstat.ahs_pdrops, ipcompstat.ipcomps_pdrops);
627 error = EACCES;
628 goto bad;
629 }
630 }
631 #endif /* INET */
632
633 /* IPv6-in-IP encapsulation */
634 if (prot == IPPROTO_IPV6) {
635 struct ip6_hdr ip6n;
636
637 if (m->m_pkthdr.len - skip < sizeof(struct ip6_hdr)) {
638 IPSEC_ISTAT(sproto, espstat.esps_hdrops,
639 ahstat.ahs_hdrops,
640 ipcompstat.ipcomps_hdrops);
641 error = EINVAL;
642 goto bad;
643 }
644 /* ip6n will now contain the inner IPv6 header. */
645 m_copydata(m, skip, sizeof(struct ip6_hdr),
646 (caddr_t) &ip6n);
647
648 /*
649 * Check that the inner source address is the same as
650 * the proxy address, if available.
651 */
652 if ((saidx->proxy.sa.sa_family == AF_INET6 &&
653 !IN6_IS_ADDR_UNSPECIFIED(&saidx->proxy.sin6.sin6_addr) &&
654 !IN6_ARE_ADDR_EQUAL(&ip6n.ip6_src,
655 &saidx->proxy.sin6.sin6_addr)) ||
656 (saidx->proxy.sa.sa_family != AF_INET6 &&
657 saidx->proxy.sa.sa_family != 0)) {
658
659 DPRINTF(("%s: inner source address %s doesn't "
660 "correspond to expected proxy source %s, "
661 "SA %s/%08lx\n", __func__,
662 ip6_sprintf(&ip6n.ip6_src),
663 ipsec_address(&saidx->proxy),
664 ipsec_address(&saidx->dst),
665 (u_long) ntohl(sav->spi)));
666
667 IPSEC_ISTAT(sproto, espstat.esps_pdrops,
668 ahstat.ahs_pdrops, ipcompstat.ipcomps_pdrops);
669 error = EACCES;
670 goto bad;
671 }
672 }
673 #endif /*XXX*/
674
675 /*
676 * Record what we've done to the packet (under what SA it was
677 * processed). If we've been passed an mtag, it means the packet
678 * was already processed by an ethernet/crypto combo card and
679 * thus has a tag attached with all the right information, but
680 * with a PACKET_TAG_IPSEC_IN_CRYPTO_DONE as opposed to
681 * PACKET_TAG_IPSEC_IN_DONE type; in that case, just change the type.
682 */
683 if (mt == NULL && sproto != IPPROTO_IPCOMP) {
684 mtag = m_tag_get(PACKET_TAG_IPSEC_IN_DONE,
685 sizeof(struct tdb_ident), M_NOWAIT);
686 if (mtag == NULL) {
687 DPRINTF(("%s: failed to get tag\n", __func__));
688 IPSEC_ISTAT(sproto, espstat.esps_hdrops,
689 ahstat.ahs_hdrops, ipcompstat.ipcomps_hdrops);
690 error = ENOMEM;
691 goto bad;
692 }
693
694 tdbi = (struct tdb_ident *)(mtag + 1);
695 bcopy(&saidx->dst, &tdbi->dst, sizeof(union sockaddr_union));
696 tdbi->proto = sproto;
697 tdbi->spi = sav->spi;
698
699 m_tag_prepend(m, mtag);
700 } else {
701 if (mt != NULL)
702 mt->m_tag_id = PACKET_TAG_IPSEC_IN_DONE;
703 /* XXX do we need to mark m_flags??? */
704 }
705
706 key_sa_recordxfer(sav, m);
707
708 /* Retrieve new protocol */
709 m_copydata(m, protoff, sizeof(u_int8_t), (caddr_t) &nxt8);
710
711 /*
712 * See the end of ip6_input for this logic.
713 * IPPROTO_IPV[46] case will be processed just like other ones
714 */
715 nest = 0;
716 nxt = nxt8;
717 while (nxt != IPPROTO_DONE) {
718 if (ip6_hdrnestlimit && (++nest > ip6_hdrnestlimit)) {
719 ip6stat.ip6s_toomanyhdr++;
720 error = EINVAL;
721 goto bad;
722 }
723
724 /*
725 * Protection against faulty packet - there should be
726 * more sanity checks in header chain processing.
727 */
728 if (m->m_pkthdr.len < skip) {
729 ip6stat.ip6s_tooshort++;
730 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_truncated);
731 error = EINVAL;
732 goto bad;
733 }
734 /*
735 * Enforce IPsec policy checking if we are seeing last header.
736 * note that we do not visit this with protocols with pcb layer
737 * code - like udp/tcp/raw ip.
738 */
739 if ((inet6sw[ip6_protox[nxt]].pr_flags & PR_LASTHDR) != 0 &&
740 ipsec6_in_reject(m, NULL)) {
741 error = EINVAL;
742 goto bad;
743 }
744 nxt = (*inet6sw[ip6_protox[nxt]].pr_input)(&m, &skip, nxt);
745 }
746 return 0;
747 bad:
748 if (m)
749 m_freem(m);
750 return error;
751 }
752
753 void
754 esp6_ctlinput(int cmd, struct sockaddr *sa, void *d)
755 {
756 if (sa->sa_family != AF_INET6 ||
757 sa->sa_len != sizeof(struct sockaddr_in6))
758 return;
759 if ((unsigned)cmd >= PRC_NCMDS)
760 return;
761
762 /* if the parameter is from icmp6, decode it. */
763 if (d != NULL) {
764 struct ip6ctlparam *ip6cp = (struct ip6ctlparam *)d;
765 struct mbuf *m = ip6cp->ip6c_m;
766 int off = ip6cp->ip6c_off;
767
768 struct ip6ctlparam ip6cp1;
769
770 /*
771 * Notify the error to all possible sockets via pfctlinput2.
772 * Since the upper layer information (such as protocol type,
773 * source and destination ports) is embedded in the encrypted
774 * data and might have been cut, we can't directly call
775 * an upper layer ctlinput function. However, the pcbnotify
776 * function will consider source and destination addresses
777 * as well as the flow info value, and may be able to find
778 * some PCB that should be notified.
779 * Although pfctlinput2 will call esp6_ctlinput(), there is
780 * no possibility of an infinite loop of function calls,
781 * because we don't pass the inner IPv6 header.
782 */
783 bzero(&ip6cp1, sizeof(ip6cp1));
784 ip6cp1.ip6c_src = ip6cp->ip6c_src;
785 pfctlinput2(cmd, sa, (void *)&ip6cp1);
786
787 /*
788 * Then go to special cases that need ESP header information.
789 * XXX: We assume that when ip6 is non NULL,
790 * M and OFF are valid.
791 */
792
793 if (cmd == PRC_MSGSIZE) {
794 struct secasvar *sav;
795 u_int32_t spi;
796 int valid;
797
798 /* check header length before using m_copydata */
799 if (m->m_pkthdr.len < off + sizeof (struct esp))
800 return;
801 m_copydata(m, off + offsetof(struct esp, esp_spi),
802 sizeof(u_int32_t), (caddr_t) &spi);
803 /*
804 * Check to see if we have a valid SA corresponding to
805 * the address in the ICMP message payload.
806 */
807 sav = KEY_ALLOCSA((union sockaddr_union *)sa,
808 IPPROTO_ESP, spi);
809 valid = (sav != NULL);
810 if (sav)
811 KEY_FREESAV(&sav);
812
813 /* XXX Further validation? */
814
815 /*
816 * Depending on whether the SA is "valid" and
817 * routing table size (mtudisc_{hi,lo}wat), we will:
818 * - recalcurate the new MTU and create the
819 * corresponding routing entry, or
820 * - ignore the MTU change notification.
821 */
822 icmp6_mtudisc_update(ip6cp, valid);
823 }
824 } else {
825 /* we normally notify any pcb here */
826 }
827 }
828 #endif /* INET6 */
Cache object: 6f15d55343337a4058f51eab48deb991
|