File:  [DragonFly] / src / sys / netproto / ipsec / ipsec_input.c
Revision 1.5: download - view: text, annotated - select for diffs
Sat Feb 14 21:15:33 2004 UTC (10 years, 6 months ago) by dillon
Branches: MAIN
CVS tags: HEAD, DragonFly_Snap29Sep2004, DragonFly_Snap13Sep2004, DragonFly_1_0_REL, DragonFly_1_0_RC1, DragonFly_1_0A_REL
Move <machine/in_cksum.h> to <sys/in_cksum.h>.  This file is now platform
independant.  If we want to add extreme machine specialization later on
then sys/in_cksum.h will #include machine/in_cksum.h.

Move i386/i386/in_cksum.c to netinet/in_cksum.c.  Note that netinet/in_cksum.c
already existed but was not used by the build system at all.  The move
overwrites it.  The new in_cksum.c is a portable, complete rewrite which
references core assembly (procedure call) to do 32-bit-aligned work.  See
also i386/i386/in_cksum2.s.

    1: /*	$FreeBSD: src/sys/netipsec/ipsec_input.c,v 1.2.4.2 2003/03/28 20:32:53 sam Exp $	*/
    2: /*	$DragonFly: src/sys/netproto/ipsec/ipsec_input.c,v 1.5 2004/02/14 21:15:33 dillon Exp $	*/
    3: /*	$OpenBSD: ipsec_input.c,v 1.63 2003/02/20 18:35:43 deraadt Exp $	*/
    4: /*
    5:  * The authors of this code are John Ioannidis (ji@tla.org),
    6:  * Angelos D. Keromytis (kermit@csd.uch.gr) and
    7:  * Niels Provos (provos@physnet.uni-hamburg.de).
    8:  *
    9:  * This code was written by John Ioannidis for BSD/OS in Athens, Greece,
   10:  * in November 1995.
   11:  *
   12:  * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996,
   13:  * by Angelos D. Keromytis.
   14:  *
   15:  * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis
   16:  * and Niels Provos.
   17:  *
   18:  * Additional features in 1999 by Angelos D. Keromytis.
   19:  *
   20:  * Copyright (C) 1995, 1996, 1997, 1998, 1999 by John Ioannidis,
   21:  * Angelos D. Keromytis and Niels Provos.
   22:  * Copyright (c) 2001, Angelos D. Keromytis.
   23:  *
   24:  * Permission to use, copy, and modify this software with or without fee
   25:  * is hereby granted, provided that this entire notice is included in
   26:  * all copies of any software which is or includes a copy or
   27:  * modification of this software.
   28:  * You may use this code under the GNU public license if you so wish. Please
   29:  * contribute changes back to the authors under this freer than GPL license
   30:  * so that we may further the use of strong encryption without limitations to
   31:  * all.
   32:  *
   33:  * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
   34:  * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY
   35:  * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
   36:  * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
   37:  * PURPOSE.
   38:  */
   39: 
   40: /*
   41:  * IPsec input processing.
   42:  */
   43: 
   44: #include "opt_inet.h"
   45: #include "opt_inet6.h"
   46: #include "opt_ipsec.h"
   47: 
   48: #include <sys/param.h>
   49: #include <sys/systm.h>
   50: #include <sys/malloc.h>
   51: #include <sys/mbuf.h>
   52: #include <sys/domain.h>
   53: #include <sys/protosw.h>
   54: #include <sys/socket.h>
   55: #include <sys/errno.h>
   56: #include <sys/syslog.h>
   57: #include <sys/in_cksum.h>
   58: 
   59: #include <net/if.h>
   60: #include <net/route.h>
   61: #include <net/netisr.h>
   62: 
   63: #include <netinet/in.h>
   64: #include <netinet/in_systm.h>
   65: #include <netinet/ip.h>
   66: #include <netinet/ip_var.h>
   67: #include <netinet/in_var.h>
   68: 
   69: #include <netinet/ip6.h>
   70: #ifdef INET6
   71: #include <netinet6/ip6_var.h>
   72: #endif
   73: #include <netinet/in_pcb.h>
   74: #ifdef INET6
   75: #include <netinet/icmp6.h>
   76: #endif
   77: 
   78: #include "ipsec.h"
   79: #ifdef INET6
   80: #include "ipsec6.h"
   81: #endif
   82: #include "ah_var.h"
   83: #include "esp.h"
   84: #include "esp_var.h"
   85: #include "ipcomp_var.h"
   86: 
   87: #include "key.h"
   88: #include "keydb.h"
   89: 
   90: #include "xform.h"
   91: #include <netinet6/ip6protosw.h>
   92: 
   93: #include <machine/stdarg.h>
   94: 
   95: #include <net/net_osdep.h>
   96: 
   97: #define IPSEC_ISTAT(p,x,y,z) ((p) == IPPROTO_ESP ? (x)++ : \
   98: 			    (p) == IPPROTO_AH ? (y)++ : (z)++)
   99: 
  100: /*
  101:  * ipsec_common_input gets called when an IPsec-protected packet
  102:  * is received by IPv4 or IPv6.  It's job is to find the right SA
  103:  # and call the appropriate transform.  The transform callback
  104:  * takes care of further processing (like ingress filtering).
  105:  */
  106: static int
  107: ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto)
  108: {
  109: 	union sockaddr_union dst_address;
  110: 	struct secasvar *sav;
  111: 	u_int32_t spi;
  112: 	int s, error;
  113: 
  114: 	IPSEC_ISTAT(sproto, espstat.esps_input, ahstat.ahs_input,
  115: 		ipcompstat.ipcomps_input);
  116: 
  117: 	KASSERT(m != NULL, ("ipsec_common_input: null packet"));
  118: 
  119: 	if ((sproto == IPPROTO_ESP && !esp_enable) ||
  120: 	    (sproto == IPPROTO_AH && !ah_enable) ||
  121: 	    (sproto == IPPROTO_IPCOMP && !ipcomp_enable)) {
  122: 		m_freem(m);
  123: 		IPSEC_ISTAT(sproto, espstat.esps_pdrops, ahstat.ahs_pdrops,
  124: 		    ipcompstat.ipcomps_pdrops);
  125: 		return EOPNOTSUPP;
  126: 	}
  127: 
  128: 	if (m->m_pkthdr.len - skip < 2 * sizeof (u_int32_t)) {
  129: 		m_freem(m);
  130: 		IPSEC_ISTAT(sproto, espstat.esps_hdrops, ahstat.ahs_hdrops,
  131: 		    ipcompstat.ipcomps_hdrops);
  132: 		DPRINTF(("ipsec_common_input: packet too small\n"));
  133: 		return EINVAL;
  134: 	}
  135: 
  136: 	/* Retrieve the SPI from the relevant IPsec header */
  137: 	if (sproto == IPPROTO_ESP)
  138: 		m_copydata(m, skip, sizeof(u_int32_t), (caddr_t) &spi);
  139: 	else if (sproto == IPPROTO_AH)
  140: 		m_copydata(m, skip + sizeof(u_int32_t), sizeof(u_int32_t),
  141: 		    (caddr_t) &spi);
  142: 	else if (sproto == IPPROTO_IPCOMP) {
  143: 		u_int16_t cpi;
  144: 		m_copydata(m, skip + sizeof(u_int16_t), sizeof(u_int16_t),
  145: 		    (caddr_t) &cpi);
  146: 		spi = ntohl(htons(cpi));
  147: 	}
  148: 
  149: 	/*
  150: 	 * Find the SA and (indirectly) call the appropriate
  151: 	 * kernel crypto routine. The resulting mbuf chain is a valid
  152: 	 * IP packet ready to go through input processing.
  153: 	 */
  154: 	bzero(&dst_address, sizeof (dst_address));
  155: 	dst_address.sa.sa_family = af;
  156: 	switch (af) {
  157: #ifdef INET
  158: 	case AF_INET:
  159: 		dst_address.sin.sin_len = sizeof(struct sockaddr_in);
  160: 		m_copydata(m, offsetof(struct ip, ip_dst),
  161: 		    sizeof(struct in_addr),
  162: 		    (caddr_t) &dst_address.sin.sin_addr);
  163: 		break;
  164: #endif /* INET */
  165: #ifdef INET6
  166: 	case AF_INET6:
  167: 		dst_address.sin6.sin6_len = sizeof(struct sockaddr_in6);
  168: 		m_copydata(m, offsetof(struct ip6_hdr, ip6_dst),
  169: 		    sizeof(struct in6_addr),
  170: 		    (caddr_t) &dst_address.sin6.sin6_addr);
  171: 		break;
  172: #endif /* INET6 */
  173: 	default:
  174: 		DPRINTF(("ipsec_common_input: unsupported protocol "
  175: 			"family %u\n", af));
  176: 		m_freem(m);
  177: 		IPSEC_ISTAT(sproto, espstat.esps_nopf, ahstat.ahs_nopf,
  178: 		    ipcompstat.ipcomps_nopf);
  179: 		return EPFNOSUPPORT;
  180: 	}
  181: 
  182: 	s = splnet();
  183: 
  184: 	/* NB: only pass dst since key_allocsa follows RFC2401 */
  185: 	sav = KEY_ALLOCSA(&dst_address, sproto, spi);
  186: 	if (sav == NULL) {
  187: 		DPRINTF(("ipsec_common_input: no key association found for"
  188: 			  " SA %s/%08lx/%u\n",
  189: 			  ipsec_address(&dst_address),
  190: 			  (u_long) ntohl(spi), sproto));
  191: 		IPSEC_ISTAT(sproto, espstat.esps_notdb, ahstat.ahs_notdb,
  192: 		    ipcompstat.ipcomps_notdb);
  193: 		splx(s);
  194: 		m_freem(m);
  195: 		return ENOENT;
  196: 	}
  197: 
  198: 	if (sav->tdb_xform == NULL) {
  199: 		DPRINTF(("ipsec_common_input: attempted to use uninitialized"
  200: 			 " SA %s/%08lx/%u\n",
  201: 			 ipsec_address(&dst_address),
  202: 			 (u_long) ntohl(spi), sproto));
  203: 		IPSEC_ISTAT(sproto, espstat.esps_noxform, ahstat.ahs_noxform,
  204: 		    ipcompstat.ipcomps_noxform);
  205: 		KEY_FREESAV(&sav);
  206: 		splx(s);
  207: 		m_freem(m);
  208: 		return ENXIO;
  209: 	}
  210: 
  211: 	/*
  212: 	 * Call appropriate transform and return -- callback takes care of
  213: 	 * everything else.
  214: 	 */
  215: 	error = (*sav->tdb_xform->xf_input)(m, sav, skip, protoff);
  216: 	KEY_FREESAV(&sav);
  217: 	splx(s);
  218: 	return error;
  219: }
  220: 
  221: #ifdef INET
  222: /*
  223:  * Common input handler for IPv4 AH, ESP, and IPCOMP.
  224:  */
  225: int
  226: ipsec4_common_input(struct mbuf *m, ...)
  227: {
  228: 	__va_list ap;
  229: 	int off, nxt;
  230: 
  231: 	__va_start(ap, m);
  232: 	off = __va_arg(ap, int);
  233: 	nxt = __va_arg(ap, int);
  234: 	__va_end(ap);
  235: 
  236: 	return ipsec_common_input(m, off, offsetof(struct ip, ip_p),
  237: 				  AF_INET, nxt);
  238: }
  239: 
  240: /*
  241:  * IPsec input callback for INET protocols.
  242:  * This routine is called as the transform callback.
  243:  * Takes care of filtering and other sanity checks on
  244:  * the processed packet.
  245:  */
  246: int
  247: ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav,
  248: 			int skip, int protoff, struct m_tag *mt)
  249: {
  250: 	int prot, af, sproto;
  251: 	struct ip *ip;
  252: 	struct m_tag *mtag;
  253: 	struct tdb_ident *tdbi;
  254: 	struct secasindex *saidx;
  255: 	int error;
  256: 
  257: 	SPLASSERT(net, "ipsec4_common_input_cb");
  258: 
  259: 	KASSERT(m != NULL, ("ipsec4_common_input_cb: null mbuf"));
  260: 	KASSERT(sav != NULL, ("ipsec4_common_input_cb: null SA"));
  261: 	KASSERT(sav->sah != NULL, ("ipsec4_common_input_cb: null SAH"));
  262: 	saidx = &sav->sah->saidx;
  263: 	af = saidx->dst.sa.sa_family;
  264: 	KASSERT(af == AF_INET, ("ipsec4_common_input_cb: unexpected af %u",af));
  265: 	sproto = saidx->proto;
  266: 	KASSERT(sproto == IPPROTO_ESP || sproto == IPPROTO_AH ||
  267: 		sproto == IPPROTO_IPCOMP,
  268: 		("ipsec4_common_input_cb: unexpected security protocol %u",
  269: 		sproto));
  270: 
  271: 	/* Sanity check */
  272: 	if (m == NULL) {
  273: 		DPRINTF(("ipsec4_common_input_cb: null mbuf"));
  274: 		IPSEC_ISTAT(sproto, espstat.esps_badkcr, ahstat.ahs_badkcr,
  275: 		    ipcompstat.ipcomps_badkcr);
  276: 		KEY_FREESAV(&sav);
  277: 		return EINVAL;
  278: 	}
  279: 
  280: 	if (skip != 0) {
  281: 		/* Fix IPv4 header */
  282: 		if (m->m_len < skip && (m = m_pullup(m, skip)) == NULL) {
  283: 			DPRINTF(("ipsec4_common_input_cb: processing failed "
  284: 			    "for SA %s/%08lx\n",
  285: 			    ipsec_address(&sav->sah->saidx.dst),
  286: 			    (u_long) ntohl(sav->spi)));
  287: 			IPSEC_ISTAT(sproto, espstat.esps_hdrops, ahstat.ahs_hdrops,
  288: 			    ipcompstat.ipcomps_hdrops);
  289: 			error = ENOBUFS;
  290: 			goto bad;
  291: 		}
  292: 
  293: 		ip = mtod(m, struct ip *);
  294: 		ip->ip_len = htons(m->m_pkthdr.len);
  295: 		ip->ip_off = htons(ip->ip_off);
  296: 		ip->ip_sum = 0;
  297: 		ip->ip_sum = in_cksum(m, ip->ip_hl << 2);
  298: 	} else {
  299: 		ip = mtod(m, struct ip *);
  300: 	}
  301: 	prot = ip->ip_p;
  302: 
  303: 	/* IP-in-IP encapsulation */
  304: 	if (prot == IPPROTO_IPIP) {
  305: 		struct ip ipn;
  306: 
  307: 		/* ipn will now contain the inner IPv4 header */
  308: 		m_copydata(m, ip->ip_hl << 2, sizeof(struct ip),
  309: 		    (caddr_t) &ipn);
  310: 
  311: #ifdef notyet
  312: 		/* XXX PROXY address isn't recorded in SAH */
  313: 		/*
  314: 		 * Check that the inner source address is the same as
  315: 		 * the proxy address, if available.
  316: 		 */
  317: 		if ((saidx->proxy.sa.sa_family == AF_INET &&
  318: 		    saidx->proxy.sin.sin_addr.s_addr !=
  319: 		    INADDR_ANY &&
  320: 		    ipn.ip_src.s_addr !=
  321: 		    saidx->proxy.sin.sin_addr.s_addr) ||
  322: 		    (saidx->proxy.sa.sa_family != AF_INET &&
  323: 			saidx->proxy.sa.sa_family != 0)) {
  324: 
  325: 			DPRINTF(("ipsec4_common_input_cb: inner "
  326: 			    "source address %s doesn't correspond to "
  327: 			    "expected proxy source %s, SA %s/%08lx\n",
  328: 			    inet_ntoa4(ipn.ip_src),
  329: 			    ipsp_address(saidx->proxy),
  330: 			    ipsp_address(saidx->dst),
  331: 			    (u_long) ntohl(sav->spi)));
  332: 
  333: 			IPSEC_ISTAT(sproto, espstat.esps_pdrops,
  334: 			    ahstat.ahs_pdrops,
  335: 			    ipcompstat.ipcomps_pdrops);
  336: 			error = EACCES;
  337: 			goto bad;
  338: 		}
  339: #endif /*XXX*/
  340: 	}
  341: #if INET6
  342: 	/* IPv6-in-IP encapsulation. */
  343: 	if (prot == IPPROTO_IPV6) {
  344: 		struct ip6_hdr ip6n;
  345: 
  346: 		/* ip6n will now contain the inner IPv6 header. */
  347: 		m_copydata(m, ip->ip_hl << 2, sizeof(struct ip6_hdr),
  348: 		    (caddr_t) &ip6n);
  349: 
  350: #ifdef notyet
  351: 		/*
  352: 		 * Check that the inner source address is the same as
  353: 		 * the proxy address, if available.
  354: 		 */
  355: 		if ((saidx->proxy.sa.sa_family == AF_INET6 &&
  356: 		    !IN6_IS_ADDR_UNSPECIFIED(&saidx->proxy.sin6.sin6_addr) &&
  357: 		    !IN6_ARE_ADDR_EQUAL(&ip6n.ip6_src,
  358: 			&saidx->proxy.sin6.sin6_addr)) ||
  359: 		    (saidx->proxy.sa.sa_family != AF_INET6 &&
  360: 			saidx->proxy.sa.sa_family != 0)) {
  361: 
  362: 			DPRINTF(("ipsec4_common_input_cb: inner "
  363: 			    "source address %s doesn't correspond to "
  364: 			    "expected proxy source %s, SA %s/%08lx\n",
  365: 			    ip6_sprintf(&ip6n.ip6_src),
  366: 			    ipsec_address(&saidx->proxy),
  367: 			    ipsec_address(&saidx->dst),
  368: 			    (u_long) ntohl(sav->spi)));
  369: 
  370: 			IPSEC_ISTAT(sproto, espstat.esps_pdrops,
  371: 			    ahstat.ahs_pdrops,
  372: 			    ipcompstat.ipcomps_pdrops);
  373: 			error = EACCES;
  374: 			goto bad;
  375: 		}
  376: #endif /*XXX*/
  377: 	}
  378: #endif /* INET6 */
  379: 
  380: 	/*
  381: 	 * Record what we've done to the packet (under what SA it was
  382: 	 * processed). If we've been passed an mtag, it means the packet
  383: 	 * was already processed by an ethernet/crypto combo card and
  384: 	 * thus has a tag attached with all the right information, but
  385: 	 * with a PACKET_TAG_IPSEC_IN_CRYPTO_DONE as opposed to
  386: 	 * PACKET_TAG_IPSEC_IN_DONE type; in that case, just change the type.
  387: 	 */
  388: 	if (mt == NULL && sproto != IPPROTO_IPCOMP) {
  389: 		mtag = m_tag_get(PACKET_TAG_IPSEC_IN_DONE,
  390: 		    sizeof(struct tdb_ident), M_NOWAIT);
  391: 		if (mtag == NULL) {
  392: 			DPRINTF(("ipsec4_common_input_cb: failed to get tag\n"));
  393: 			IPSEC_ISTAT(sproto, espstat.esps_hdrops,
  394: 			    ahstat.ahs_hdrops, ipcompstat.ipcomps_hdrops);
  395: 			error = ENOMEM;
  396: 			goto bad;
  397: 		}
  398: 
  399: 		tdbi = (struct tdb_ident *)(mtag + 1);
  400: 		bcopy(&saidx->dst, &tdbi->dst, saidx->dst.sa.sa_len);
  401: 		tdbi->proto = sproto;
  402: 		tdbi->spi = sav->spi;
  403: 
  404: 		m_tag_prepend(m, mtag);
  405: 	} else {
  406: 		mt->m_tag_id = PACKET_TAG_IPSEC_IN_DONE;
  407: 		/* XXX do we need to mark m_flags??? */
  408: 	}
  409: 
  410: 	key_sa_recordxfer(sav, m);		/* record data transfer */
  411: 
  412: 	/*
  413: 	 * Re-dispatch via software interrupt.
  414: 	 */
  415: 	if (!IF_HANDOFF(&ipintrq, m, NULL)) {
  416: 		IPSEC_ISTAT(sproto, espstat.esps_qfull, ahstat.ahs_qfull,
  417: 			    ipcompstat.ipcomps_qfull);
  418: 
  419: 		DPRINTF(("ipsec4_common_input_cb: queue full; "
  420: 			"proto %u packet dropped\n", sproto));
  421: 		return ENOBUFS;
  422: 	}
  423: 	schednetisr(NETISR_IP);
  424: 	return 0;
  425: bad:
  426: 	m_freem(m);
  427: 	return error;
  428: }
  429: #endif /* INET */
  430: 
  431: #ifdef INET6
  432: /* IPv6 AH wrapper. */
  433: int
  434: ipsec6_common_input(struct mbuf **mp, int *offp, int proto)
  435: {
  436: 	int l = 0;
  437: 	int protoff;
  438: 	struct ip6_ext ip6e;
  439: 
  440: 	if (*offp < sizeof(struct ip6_hdr)) {
  441: 		DPRINTF(("ipsec6_common_input: bad offset %u\n", *offp));
  442: 		return IPPROTO_DONE;
  443: 	} else if (*offp == sizeof(struct ip6_hdr)) {
  444: 		protoff = offsetof(struct ip6_hdr, ip6_nxt);
  445: 	} else {
  446: 		/* Chase down the header chain... */
  447: 		protoff = sizeof(struct ip6_hdr);
  448: 
  449: 		do {
  450: 			protoff += l;
  451: 			m_copydata(*mp, protoff, sizeof(ip6e),
  452: 			    (caddr_t) &ip6e);
  453: 
  454: 			if (ip6e.ip6e_nxt == IPPROTO_AH)
  455: 				l = (ip6e.ip6e_len + 2) << 2;
  456: 			else
  457: 				l = (ip6e.ip6e_len + 1) << 3;
  458: 			KASSERT(l > 0, ("ah6_input: l went zero or negative"));
  459: 		} while (protoff + l < *offp);
  460: 
  461: 		/* Malformed packet check */
  462: 		if (protoff + l != *offp) {
  463: 			DPRINTF(("ipsec6_common_input: bad packet header chain, "
  464: 				"protoff %u, l %u, off %u\n", protoff, l, *offp));
  465: 			IPSEC_ISTAT(proto, espstat.esps_hdrops,
  466: 				    ahstat.ahs_hdrops,
  467: 				    ipcompstat.ipcomps_hdrops);
  468: 			m_freem(*mp);
  469: 			*mp = NULL;
  470: 			return IPPROTO_DONE;
  471: 		}
  472: 		protoff += offsetof(struct ip6_ext, ip6e_nxt);
  473: 	}
  474: 	(void) ipsec_common_input(*mp, *offp, protoff, AF_INET6, proto);
  475: 	return IPPROTO_DONE;
  476: }
  477: 
  478: void
  479: esp6_ctlinput(int cmd, struct sockaddr *sa, void *d)
  480: {
  481: 	if (sa->sa_family != AF_INET6 ||
  482: 	    sa->sa_len != sizeof(struct sockaddr_in6))
  483: 		return;
  484: 	if ((unsigned)cmd >= PRC_NCMDS)
  485: 		return;
  486: 
  487: 	/* if the parameter is from icmp6, decode it. */
  488: 	if (d !=  NULL) {
  489: 		struct ip6ctlparam *ip6cp = (struct ip6ctlparam *)d;
  490: 		struct mbuf *m = ip6cp->ip6c_m;
  491: 		int off = ip6cp->ip6c_off;
  492: 
  493: 		struct ip6ctlparam ip6cp1;
  494: 
  495: 		/*
  496: 		 * Notify the error to all possible sockets via pfctlinput2.
  497: 		 * Since the upper layer information (such as protocol type,
  498: 		 * source and destination ports) is embedded in the encrypted
  499: 		 * data and might have been cut, we can't directly call
  500: 		 * an upper layer ctlinput function. However, the pcbnotify
  501: 		 * function will consider source and destination addresses
  502: 		 * as well as the flow info value, and may be able to find
  503: 		 * some PCB that should be notified.
  504: 		 * Although pfctlinput2 will call esp6_ctlinput(), there is
  505: 		 * no possibility of an infinite loop of function calls,
  506: 		 * because we don't pass the inner IPv6 header.
  507: 		 */
  508: 		bzero(&ip6cp1, sizeof(ip6cp1));
  509: 		ip6cp1.ip6c_src = ip6cp->ip6c_src;
  510: 		pfctlinput2(cmd, sa, (void *)&ip6cp1);
  511: 
  512: 		/*
  513: 		 * Then go to special cases that need ESP header information.
  514: 		 * XXX: We assume that when ip6 is non NULL,
  515: 		 * M and OFF are valid.
  516: 		 */
  517: 
  518: 		if (cmd == PRC_MSGSIZE) {
  519: 			struct secasvar *sav;
  520: 			u_int32_t spi;
  521: 			int valid;
  522: 
  523: 			/* check header length before using m_copydata */
  524: 			if (m->m_pkthdr.len < off + sizeof (struct esp))
  525: 				return;
  526: 			m_copydata(m, off + offsetof(struct esp, esp_spi),
  527: 				sizeof(u_int32_t), (caddr_t) &spi);
  528: 			/*
  529: 			 * Check to see if we have a valid SA corresponding to
  530: 			 * the address in the ICMP message payload.
  531: 			 */
  532: 			sav = KEY_ALLOCSA((union sockaddr_union *)sa,
  533: 					IPPROTO_ESP, spi);
  534: 			valid = (sav != NULL);
  535: 			if (sav)
  536: 				KEY_FREESAV(&sav);
  537: 
  538: 			/* XXX Further validation? */
  539: 
  540: 			/*
  541: 			 * Depending on whether the SA is "valid" and
  542: 			 * routing table size (mtudisc_{hi,lo}wat), we will:
  543: 			 * - recalcurate the new MTU and create the
  544: 			 *   corresponding routing entry, or
  545: 			 * - ignore the MTU change notification.
  546: 			 */
  547: 			icmp6_mtudisc_update(ip6cp, valid);
  548: 		}
  549: 	} else {
  550: 		/* we normally notify any pcb here */
  551: 	}
  552: }
  553: 
  554: extern	struct ip6protosw inet6sw[];
  555: extern	u_char ip6_protox[];
  556: 
  557: /*
  558:  * IPsec input callback, called by the transform callback. Takes care of
  559:  * filtering and other sanity checks on the processed packet.
  560:  */
  561: int
  562: ipsec6_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip, int protoff,
  563:     struct m_tag *mt)
  564: {
  565: 	int prot, af, sproto;
  566: 	struct ip6_hdr *ip6;
  567: 	struct m_tag *mtag;
  568: 	struct tdb_ident *tdbi;
  569: 	struct secasindex *saidx;
  570: 	int nxt;
  571: 	u_int8_t nxt8;
  572: 	int error, nest;
  573: 
  574: 	KASSERT(m != NULL, ("ipsec6_common_input_cb: null mbuf"));
  575: 	KASSERT(sav != NULL, ("ipsec6_common_input_cb: null SA"));
  576: 	KASSERT(sav->sah != NULL, ("ipsec6_common_input_cb: null SAH"));
  577: 	saidx = &sav->sah->saidx;
  578: 	af = saidx->dst.sa.sa_family;
  579: 	KASSERT(af == AF_INET6,
  580: 		("ipsec6_common_input_cb: unexpected af %u", af));
  581: 	sproto = saidx->proto;
  582: 	KASSERT(sproto == IPPROTO_ESP || sproto == IPPROTO_AH ||
  583: 		sproto == IPPROTO_IPCOMP,
  584: 		("ipsec6_common_input_cb: unexpected security protocol %u",
  585: 		sproto));
  586: 
  587: 	/* Sanity check */
  588: 	if (m == NULL) {
  589: 		DPRINTF(("ipsec4_common_input_cb: null mbuf"));
  590: 		IPSEC_ISTAT(sproto, espstat.esps_badkcr, ahstat.ahs_badkcr,
  591: 		    ipcompstat.ipcomps_badkcr);
  592: 		error = EINVAL;
  593: 		goto bad;
  594: 	}
  595: 
  596: 	/* Fix IPv6 header */
  597: 	if (m->m_len < sizeof(struct ip6_hdr) &&
  598: 	    (m = m_pullup(m, sizeof(struct ip6_hdr))) == NULL) {
  599: 
  600: 		DPRINTF(("ipsec_common_input_cb: processing failed "
  601: 		    "for SA %s/%08lx\n", ipsec_address(&sav->sah->saidx.dst),
  602: 		    (u_long) ntohl(sav->spi)));
  603: 
  604: 		IPSEC_ISTAT(sproto, espstat.esps_hdrops, ahstat.ahs_hdrops,
  605: 		    ipcompstat.ipcomps_hdrops);
  606: 		error = EACCES;
  607: 		goto bad;
  608: 	}
  609: 
  610: 	ip6 = mtod(m, struct ip6_hdr *);
  611: 	ip6->ip6_plen = htons(m->m_pkthdr.len - sizeof(struct ip6_hdr));
  612: 
  613: 	/* Save protocol */
  614: 	m_copydata(m, protoff, 1, (unsigned char *) &prot);
  615: 
  616: #ifdef INET
  617: 	/* IP-in-IP encapsulation */
  618: 	if (prot == IPPROTO_IPIP) {
  619: 		struct ip ipn;
  620: 
  621: 		/* ipn will now contain the inner IPv4 header */
  622: 		m_copydata(m, skip, sizeof(struct ip), (caddr_t) &ipn);
  623: 
  624: #ifdef notyet
  625: 		/*
  626: 		 * Check that the inner source address is the same as
  627: 		 * the proxy address, if available.
  628: 		 */
  629: 		if ((saidx->proxy.sa.sa_family == AF_INET &&
  630: 		    saidx->proxy.sin.sin_addr.s_addr != INADDR_ANY &&
  631: 		    ipn.ip_src.s_addr != saidx->proxy.sin.sin_addr.s_addr) ||
  632: 		    (saidx->proxy.sa.sa_family != AF_INET &&
  633: 			saidx->proxy.sa.sa_family != 0)) {
  634: 
  635: 			DPRINTF(("ipsec_common_input_cb: inner "
  636: 			    "source address %s doesn't correspond to "
  637: 			    "expected proxy source %s, SA %s/%08lx\n",
  638: 			    inet_ntoa4(ipn.ip_src),
  639: 			    ipsec_address(&saidx->proxy),
  640: 			    ipsec_address(&saidx->dst),
  641: 			    (u_long) ntohl(sav->spi)));
  642: 
  643: 			IPSEC_ISTATsproto, (espstat.esps_pdrops,
  644: 			    ahstat.ahs_pdrops, ipcompstat.ipcomps_pdrops);
  645: 			error = EACCES;
  646: 			goto bad;
  647: 		}
  648: #endif /*XXX*/
  649: 	}
  650: #endif /* INET */
  651: 
  652: 	/* IPv6-in-IP encapsulation */
  653: 	if (prot == IPPROTO_IPV6) {
  654: 		struct ip6_hdr ip6n;
  655: 
  656: 		/* ip6n will now contain the inner IPv6 header. */
  657: 		m_copydata(m, skip, sizeof(struct ip6_hdr),
  658: 		    (caddr_t) &ip6n);
  659: 
  660: #ifdef notyet
  661: 		/*
  662: 		 * Check that the inner source address is the same as
  663: 		 * the proxy address, if available.
  664: 		 */
  665: 		if ((saidx->proxy.sa.sa_family == AF_INET6 &&
  666: 		    !IN6_IS_ADDR_UNSPECIFIED(&saidx->proxy.sin6.sin6_addr) &&
  667: 		    !IN6_ARE_ADDR_EQUAL(&ip6n.ip6_src,
  668: 			&saidx->proxy.sin6.sin6_addr)) ||
  669: 		    (saidx->proxy.sa.sa_family != AF_INET6 &&
  670: 			saidx->proxy.sa.sa_family != 0)) {
  671: 
  672: 			DPRINTF(("ipsec_common_input_cb: inner "
  673: 			    "source address %s doesn't correspond to "
  674: 			    "expected proxy source %s, SA %s/%08lx\n",
  675: 			    ip6_sprintf(&ip6n.ip6_src),
  676: 			    ipsec_address(&saidx->proxy),
  677: 			    ipsec_address(&saidx->dst),
  678: 			    (u_long) ntohl(sav->spi)));
  679: 
  680: 			IPSEC_ISTAT(sproto, espstat.esps_pdrops,
  681: 			    ahstat.ahs_pdrops, ipcompstat.ipcomps_pdrops);
  682: 			error = EACCES;
  683: 			goto bad;
  684: 		}
  685: #endif /*XXX*/
  686: 	}
  687: 
  688: 	/*
  689: 	 * Record what we've done to the packet (under what SA it was
  690: 	 * processed). If we've been passed an mtag, it means the packet
  691: 	 * was already processed by an ethernet/crypto combo card and
  692: 	 * thus has a tag attached with all the right information, but
  693: 	 * with a PACKET_TAG_IPSEC_IN_CRYPTO_DONE as opposed to
  694: 	 * PACKET_TAG_IPSEC_IN_DONE type; in that case, just change the type.
  695: 	 */
  696: 	if (mt == NULL && sproto != IPPROTO_IPCOMP) {
  697: 		mtag = m_tag_get(PACKET_TAG_IPSEC_IN_DONE,
  698: 		    sizeof(struct tdb_ident), M_NOWAIT);
  699: 		if (mtag == NULL) {
  700: 			DPRINTF(("ipsec_common_input_cb: failed to "
  701: 			    "get tag\n"));
  702: 			IPSEC_ISTAT(sproto, espstat.esps_hdrops,
  703: 			    ahstat.ahs_hdrops, ipcompstat.ipcomps_hdrops);
  704: 			error = ENOMEM;
  705: 			goto bad;
  706: 		}
  707: 
  708: 		tdbi = (struct tdb_ident *)(mtag + 1);
  709: 		bcopy(&saidx->dst, &tdbi->dst, sizeof(union sockaddr_union));
  710: 		tdbi->proto = sproto;
  711: 		tdbi->spi = sav->spi;
  712: 
  713: 		m_tag_prepend(m, mtag);
  714: 	} else {
  715: 		mt->m_tag_id = PACKET_TAG_IPSEC_IN_DONE;
  716: 		/* XXX do we need to mark m_flags??? */
  717: 	}
  718: 
  719: 	key_sa_recordxfer(sav, m);
  720: 
  721: 	/* Retrieve new protocol */
  722: 	m_copydata(m, protoff, sizeof(u_int8_t), (caddr_t) &nxt8);
  723: 
  724: 	/*
  725: 	 * See the end of ip6_input for this logic.
  726: 	 * IPPROTO_IPV[46] case will be processed just like other ones
  727: 	 */
  728: 	nest = 0;
  729: 	nxt = nxt8;
  730: 	while (nxt != IPPROTO_DONE) {
  731: 		if (ip6_hdrnestlimit && (++nest > ip6_hdrnestlimit)) {
  732: 			ip6stat.ip6s_toomanyhdr++;
  733: 			error = EINVAL;
  734: 			goto bad;
  735: 		}
  736: 
  737: 		/*
  738: 		 * Protection against faulty packet - there should be
  739: 		 * more sanity checks in header chain processing.
  740: 		 */
  741: 		if (m->m_pkthdr.len < skip) {
  742: 			ip6stat.ip6s_tooshort++;
  743: 			in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_truncated);
  744: 			error = EINVAL;
  745: 			goto bad;
  746: 		}
  747: 		/*
  748: 		 * Enforce IPsec policy checking if we are seeing last header.
  749: 		 * note that we do not visit this with protocols with pcb layer
  750: 		 * code - like udp/tcp/raw ip.
  751: 		 */
  752: 		if ((inet6sw[ip6_protox[nxt]].pr_flags & PR_LASTHDR) != 0 &&
  753: 		    ipsec6_in_reject(m, NULL)) {
  754: 			error = EINVAL;
  755: 			goto bad;
  756: 		}
  757: 		nxt = (*inet6sw[ip6_protox[nxt]].pr_input)(&m, &skip, nxt);
  758: 	}
  759: 	return 0;
  760: bad:
  761: 	if (m)
  762: 		m_freem(m);
  763: 	return error;
  764: }
  765: #endif /* INET6 */