]> git.saurik.com Git - apple/xnu.git/blob - bsd/netinet6/esp_input.c
projects / apple / xnu.git / blob
? search:


549b37d410e39bbea4c44db0afa13c8f3f440a04
[apple/xnu.git] / bsd / netinet6 / esp_input.c
1 /* $FreeBSD: src/sys/netinet6/esp_input.c,v 1.1.2.3 2001/07/03 11:01:50 ume Exp $ */
2 /* $KAME: esp_input.c,v 1.55 2001/03/23 08:08:47 itojun Exp $ */
3
4 /*
5 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
6 * All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 * 3. Neither the name of the project nor the names of its contributors
17 * may be used to endorse or promote products derived from this software
18 * without specific prior written permission.
19 *
20 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
21 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
24 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
30 * SUCH DAMAGE.
31 */
32
33 /*
34 * RFC1827/2406 Encapsulated Security Payload.
35 */
36
37 #include <sys/param.h>
38 #include <sys/systm.h>
39 #include <sys/malloc.h>
40 #include <sys/mbuf.h>
41 #include <sys/domain.h>
42 #include <sys/protosw.h>
43 #include <sys/socket.h>
44 #include <sys/errno.h>
45 #include <sys/time.h>
46 #include <sys/kernel.h>
47 #include <sys/syslog.h>
48
49 #include <net/if.h>
50 #include <net/route.h>
51 #include <net/netisr.h>
52 #include <kern/cpu_number.h>
53
54 #include <netinet/in.h>
55 #include <netinet/in_systm.h>
56 #include <netinet/ip.h>
57 #include <netinet/ip_var.h>
58 #include <netinet/in_var.h>
59 #include <netinet/ip_ecn.h>
60 #include <netinet/in_pcb.h>
61 #if INET6
62 #include <netinet6/ip6_ecn.h>
63 #endif
64
65 #if INET6
66 #include <netinet/ip6.h>
67 #include <netinet6/in6_pcb.h>
68 #include <netinet6/ip6_var.h>
69 #include <netinet/icmp6.h>
70 #include <netinet6/ip6protosw.h>
71 #endif
72
73 #include <netinet6/ipsec.h>
74 #if INET6
75 #include <netinet6/ipsec6.h>
76 #endif
77 #include <netinet6/ah.h>
78 #if INET6
79 #include <netinet6/ah6.h>
80 #endif
81 #include <netinet6/esp.h>
82 #if INET6
83 #include <netinet6/esp6.h>
84 #endif
85 #include <netkey/key.h>
86 #include <netkey/keydb.h>
87 #include <netkey/key_debug.h>
88
89
90 #include <net/net_osdep.h>
91
92 #define IPLEN_FLIPPED
93
94 #if INET
95 extern struct protosw inetsw[];
96
97 #define ESPMAXLEN \
98 (sizeof(struct esp) < sizeof(struct newesp) \
99 ? sizeof(struct newesp) : sizeof(struct esp))
100
101 void
102 esp4_input(m, off)
103 struct mbuf *m;
104 int off;
105 {
106 struct ip *ip;
107 struct esp *esp;
108 struct esptail esptail;
109 u_int32_t spi;
110 struct secasvar *sav = NULL;
111 size_t taillen;
112 u_int16_t nxt;
113 const struct esp_algorithm *algo;
114 int ivlen;
115 size_t hlen;
116 size_t esplen;
117 int s;
118
119 /* sanity check for alignment. */
120 if (off % 4 != 0 || m->m_pkthdr.len % 4 != 0) {
121 ipseclog((LOG_ERR, "IPv4 ESP input: packet alignment problem "
122 "(off=%d, pktlen=%d)\n", off, m->m_pkthdr.len));
123 ipsecstat.in_inval++;
124 goto bad;
125 }
126
127 if (m->m_len < off + ESPMAXLEN) {
128 m = m_pullup(m, off + ESPMAXLEN);
129 if (!m) {
130 ipseclog((LOG_DEBUG,
131 "IPv4 ESP input: can't pullup in esp4_input\n"));
132 ipsecstat.in_inval++;
133 goto bad;
134 }
135 }
136
137 ip = mtod(m, struct ip *);
138 esp = (struct esp *)(((u_int8_t *)ip) + off);
139 #ifdef _IP_VHL
140 hlen = IP_VHL_HL(ip->ip_vhl) << 2;
141 #else
142 hlen = ip->ip_hl << 2;
143 #endif
144
145 /* find the sassoc. */
146 spi = esp->esp_spi;
147
148 if ((sav = key_allocsa(AF_INET,
149 (caddr_t)&ip->ip_src, (caddr_t)&ip->ip_dst,
150 IPPROTO_ESP, spi)) == 0) {
151 ipseclog((LOG_WARNING,
152 "IPv4 ESP input: no key association found for spi %u\n",
153 (u_int32_t)ntohl(spi)));
154 ipsecstat.in_nosa++;
155 goto bad;
156 }
157 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
158 printf("DP esp4_input called to allocate SA:%p\n", sav));
159 if (sav->state != SADB_SASTATE_MATURE
160 && sav->state != SADB_SASTATE_DYING) {
161 ipseclog((LOG_DEBUG,
162 "IPv4 ESP input: non-mature/dying SA found for spi %u\n",
163 (u_int32_t)ntohl(spi)));
164 ipsecstat.in_badspi++;
165 goto bad;
166 }
167 algo = esp_algorithm_lookup(sav->alg_enc);
168 if (!algo) {
169 ipseclog((LOG_DEBUG, "IPv4 ESP input: "
170 "unsupported encryption algorithm for spi %u\n",
171 (u_int32_t)ntohl(spi)));
172 ipsecstat.in_badspi++;
173 goto bad;
174 }
175
176 /* check if we have proper ivlen information */
177 ivlen = sav->ivlen;
178 if (ivlen < 0) {
179 ipseclog((LOG_ERR, "inproper ivlen in IPv4 ESP input: %s %s\n",
180 ipsec4_logpacketstr(ip, spi), ipsec_logsastr(sav)));
181 ipsecstat.in_inval++;
182 goto bad;
183 }
184
185 if (!((sav->flags & SADB_X_EXT_OLD) == 0 && sav->replay
186 && (sav->alg_auth && sav->key_auth)))
187 goto noreplaycheck;
188
189 if (sav->alg_auth == SADB_X_AALG_NULL ||
190 sav->alg_auth == SADB_AALG_NONE)
191 goto noreplaycheck;
192
193 /*
194 * check for sequence number.
195 */
196 if (ipsec_chkreplay(ntohl(((struct newesp *)esp)->esp_seq), sav))
197 ; /*okey*/
198 else {
199 ipsecstat.in_espreplay++;
200 ipseclog((LOG_WARNING,
201 "replay packet in IPv4 ESP input: %s %s\n",
202 ipsec4_logpacketstr(ip, spi), ipsec_logsastr(sav)));
203 goto bad;
204 }
205
206 /* check ICV */
207 {
208 u_char sum0[AH_MAXSUMSIZE];
209 u_char sum[AH_MAXSUMSIZE];
210 const struct ah_algorithm *sumalgo;
211 size_t siz;
212
213 sumalgo = ah_algorithm_lookup(sav->alg_auth);
214 if (!sumalgo)
215 goto noreplaycheck;
216 siz = (((*sumalgo->sumsiz)(sav) + 3) & ~(4 - 1));
217 if (m->m_pkthdr.len < off + ESPMAXLEN + siz) {
218 ipsecstat.in_inval++;
219 goto bad;
220 }
221 if (AH_MAXSUMSIZE < siz) {
222 ipseclog((LOG_DEBUG,
223 "internal error: AH_MAXSUMSIZE must be larger than %lu\n",
224 (u_long)siz));
225 ipsecstat.in_inval++;
226 goto bad;
227 }
228
229 m_copydata(m, m->m_pkthdr.len - siz, siz, &sum0[0]);
230
231 if (esp_auth(m, off, m->m_pkthdr.len - off - siz, sav, sum)) {
232 ipseclog((LOG_WARNING, "auth fail in IPv4 ESP input: %s %s\n",
233 ipsec4_logpacketstr(ip, spi), ipsec_logsastr(sav)));
234 ipsecstat.in_espauthfail++;
235 goto bad;
236 }
237
238 if (bcmp(sum0, sum, siz) != 0) {
239 ipseclog((LOG_WARNING, "auth fail in IPv4 ESP input: %s %s\n",
240 ipsec4_logpacketstr(ip, spi), ipsec_logsastr(sav)));
241 ipsecstat.in_espauthfail++;
242 goto bad;
243 }
244
245 /* strip off the authentication data */
246 m_adj(m, -siz);
247 ip = mtod(m, struct ip *);
248 #ifdef IPLEN_FLIPPED
249 ip->ip_len = ip->ip_len - siz;
250 #else
251 ip->ip_len = htons(ntohs(ip->ip_len) - siz);
252 #endif
253 m->m_flags |= M_AUTHIPDGM;
254 ipsecstat.in_espauthsucc++;
255 }
256
257 /*
258 * update sequence number.
259 */
260 if ((sav->flags & SADB_X_EXT_OLD) == 0 && sav->replay) {
261 if (ipsec_updatereplay(ntohl(((struct newesp *)esp)->esp_seq), sav)) {
262 ipsecstat.in_espreplay++;
263 goto bad;
264 }
265 }
266
267 noreplaycheck:
268
269 /* process main esp header. */
270 if (sav->flags & SADB_X_EXT_OLD) {
271 /* RFC 1827 */
272 esplen = sizeof(struct esp);
273 } else {
274 /* RFC 2406 */
275 if (sav->flags & SADB_X_EXT_DERIV)
276 esplen = sizeof(struct esp);
277 else
278 esplen = sizeof(struct newesp);
279 }
280
281 if (m->m_pkthdr.len < off + esplen + ivlen + sizeof(esptail)) {
282 ipseclog((LOG_WARNING,
283 "IPv4 ESP input: packet too short\n"));
284 ipsecstat.in_inval++;
285 goto bad;
286 }
287
288 if (m->m_len < off + esplen + ivlen) {
289 m = m_pullup(m, off + esplen + ivlen);
290 if (!m) {
291 ipseclog((LOG_DEBUG,
292 "IPv4 ESP input: can't pullup in esp4_input\n"));
293 ipsecstat.in_inval++;
294 goto bad;
295 }
296 }
297
298 /*
299 * pre-compute and cache intermediate key
300 */
301 if (esp_schedule(algo, sav) != 0) {
302 ipsecstat.in_inval++;
303 goto bad;
304 }
305
306 /*
307 * decrypt the packet.
308 */
309 if (!algo->decrypt)
310 panic("internal error: no decrypt function");
311 if ((*algo->decrypt)(m, off, sav, algo, ivlen)) {
312 /* m is already freed */
313 m = NULL;
314 ipseclog((LOG_ERR, "decrypt fail in IPv4 ESP input: %s\n",
315 ipsec_logsastr(sav)));
316 ipsecstat.in_inval++;
317 goto bad;
318 }
319 ipsecstat.in_esphist[sav->alg_enc]++;
320
321 m->m_flags |= M_DECRYPTED;
322
323 /*
324 * find the trailer of the ESP.
325 */
326 m_copydata(m, m->m_pkthdr.len - sizeof(esptail), sizeof(esptail),
327 (caddr_t)&esptail);
328 nxt = esptail.esp_nxt;
329 taillen = esptail.esp_padlen + sizeof(esptail);
330
331 if (m->m_pkthdr.len < taillen
332 || m->m_pkthdr.len - taillen < hlen) { /*?*/
333 ipseclog((LOG_WARNING,
334 "bad pad length in IPv4 ESP input: %s %s\n",
335 ipsec4_logpacketstr(ip, spi), ipsec_logsastr(sav)));
336 ipsecstat.in_inval++;
337 goto bad;
338 }
339
340 /* strip off the trailing pad area. */
341 m_adj(m, -taillen);
342
343 #ifdef IPLEN_FLIPPED
344 ip->ip_len = ip->ip_len - taillen;
345 #else
346 ip->ip_len = htons(ntohs(ip->ip_len) - taillen);
347 #endif
348
349 /* was it transmitted over the IPsec tunnel SA? */
350 if (ipsec4_tunnel_validate(m, off + esplen + ivlen, nxt, sav)) {
351 /*
352 * strip off all the headers that precedes ESP header.
353 * IP4 xx ESP IP4' payload -> IP4' payload
354 *
355 * XXX more sanity checks
356 * XXX relationship with gif?
357 */
358 u_int8_t tos;
359
360 tos = ip->ip_tos;
361 m_adj(m, off + esplen + ivlen);
362 if (m->m_len < sizeof(*ip)) {
363 m = m_pullup(m, sizeof(*ip));
364 if (!m) {
365 ipsecstat.in_inval++;
366 goto bad;
367 }
368 }
369 ip = mtod(m, struct ip *);
370 /* ECN consideration. */
371 ip_ecn_egress(ip4_ipsec_ecn, &tos, &ip->ip_tos);
372 if (!key_checktunnelsanity(sav, AF_INET,
373 (caddr_t)&ip->ip_src, (caddr_t)&ip->ip_dst)) {
374 ipseclog((LOG_ERR, "ipsec tunnel address mismatch "
375 "in IPv4 ESP input: %s %s\n",
376 ipsec4_logpacketstr(ip, spi), ipsec_logsastr(sav)));
377 ipsecstat.in_inval++;
378 goto bad;
379 }
380
381 #if 0 /* XXX should call ipfw rather than ipsec_in_reject, shouldn't it ? */
382 /* drop it if it does not match the default policy */
383 if (ipsec4_in_reject(m, NULL)) {
384 ipsecstat.in_polvio++;
385 goto bad;
386 }
387 #endif
388
389 key_sa_recordxfer(sav, m);
390 if (ipsec_addhist(m, IPPROTO_ESP, spi) != 0 ||
391 ipsec_addhist(m, IPPROTO_IPV4, 0) != 0) {
392 ipsecstat.in_nomem++;
393 goto bad;
394 }
395
396 s = splimp();
397 if (IF_QFULL(&ipintrq)) {
398 ipsecstat.in_inval++;
399 splx(s);
400 goto bad;
401 }
402 IF_ENQUEUE(&ipintrq, m);
403 m = NULL;
404 schednetisr(NETISR_IP); /*can be skipped but to make sure*/
405 splx(s);
406 nxt = IPPROTO_DONE;
407 } else {
408 /*
409 * strip off ESP header and IV.
410 * even in m_pulldown case, we need to strip off ESP so that
411 * we can always compute checksum for AH correctly.
412 */
413 size_t stripsiz;
414
415 stripsiz = esplen + ivlen;
416
417 ip = mtod(m, struct ip *);
418 ovbcopy((caddr_t)ip, (caddr_t)(((u_char *)ip) + stripsiz), off);
419 m->m_data += stripsiz;
420 m->m_len -= stripsiz;
421 m->m_pkthdr.len -= stripsiz;
422
423 ip = mtod(m, struct ip *);
424 #ifdef IPLEN_FLIPPED
425 ip->ip_len = ip->ip_len - stripsiz;
426 #else
427 ip->ip_len = htons(ntohs(ip->ip_len) - stripsiz);
428 #endif
429 ip->ip_p = nxt;
430
431 key_sa_recordxfer(sav, m);
432 if (ipsec_addhist(m, IPPROTO_ESP, spi) != 0) {
433 ipsecstat.in_nomem++;
434 goto bad;
435 }
436
437 if (nxt != IPPROTO_DONE) {
438 if ((ip_protox[nxt]->pr_flags & PR_LASTHDR) != 0 &&
439 ipsec4_in_reject(m, NULL)) {
440 ipsecstat.in_polvio++;
441 goto bad;
442 }
443 (*ip_protox[nxt]->pr_input)(m, off);
444 } else
445 m_freem(m);
446 m = NULL;
447 }
448
449 if (sav) {
450 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
451 printf("DP esp4_input call free SA:%p\n", sav));
452 key_freesav(sav);
453 }
454 ipsecstat.in_success++;
455 return;
456
457 bad:
458 if (sav) {
459 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
460 printf("DP esp4_input call free SA:%p\n", sav));
461 key_freesav(sav);
462 }
463 if (m)
464 m_freem(m);
465 return;
466 }
467 #endif /* INET */
468
469 #if INET6
470 int
471 esp6_input(mp, offp, proto)
472 struct mbuf **mp;
473 int *offp, proto;
474 {
475 struct mbuf *m = *mp;
476 int off = *offp;
477 struct ip6_hdr *ip6;
478 struct esp *esp;
479 struct esptail esptail;
480 u_int32_t spi;
481 struct secasvar *sav = NULL;
482 size_t taillen;
483 u_int16_t nxt;
484 const struct esp_algorithm *algo;
485 int ivlen;
486 size_t esplen;
487 int s;
488
489 /* sanity check for alignment. */
490 if (off % 4 != 0 || m->m_pkthdr.len % 4 != 0) {
491 ipseclog((LOG_ERR, "IPv6 ESP input: packet alignment problem "
492 "(off=%d, pktlen=%d)\n", off, m->m_pkthdr.len));
493 ipsec6stat.in_inval++;
494 goto bad;
495 }
496
497 #ifndef PULLDOWN_TEST
498 IP6_EXTHDR_CHECK(m, off, ESPMAXLEN, IPPROTO_DONE);
499 esp = (struct esp *)(mtod(m, caddr_t) + off);
500 #else
501 IP6_EXTHDR_GET(esp, struct esp *, m, off, ESPMAXLEN);
502 if (esp == NULL) {
503 ipsec6stat.in_inval++;
504 return IPPROTO_DONE;
505 }
506 #endif
507 ip6 = mtod(m, struct ip6_hdr *);
508
509 if (ntohs(ip6->ip6_plen) == 0) {
510 ipseclog((LOG_ERR, "IPv6 ESP input: "
511 "ESP with IPv6 jumbogram is not supported.\n"));
512 ipsec6stat.in_inval++;
513 goto bad;
514 }
515
516 /* find the sassoc. */
517 spi = esp->esp_spi;
518
519 if ((sav = key_allocsa(AF_INET6,
520 (caddr_t)&ip6->ip6_src, (caddr_t)&ip6->ip6_dst,
521 IPPROTO_ESP, spi)) == 0) {
522 ipseclog((LOG_WARNING,
523 "IPv6 ESP input: no key association found for spi %u\n",
524 (u_int32_t)ntohl(spi)));
525 ipsec6stat.in_nosa++;
526 goto bad;
527 }
528 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
529 printf("DP esp6_input called to allocate SA:%p\n", sav));
530 if (sav->state != SADB_SASTATE_MATURE
531 && sav->state != SADB_SASTATE_DYING) {
532 ipseclog((LOG_DEBUG,
533 "IPv6 ESP input: non-mature/dying SA found for spi %u\n",
534 (u_int32_t)ntohl(spi)));
535 ipsec6stat.in_badspi++;
536 goto bad;
537 }
538 algo = esp_algorithm_lookup(sav->alg_enc);
539 if (!algo) {
540 ipseclog((LOG_DEBUG, "IPv6 ESP input: "
541 "unsupported encryption algorithm for spi %u\n",
542 (u_int32_t)ntohl(spi)));
543 ipsec6stat.in_badspi++;
544 goto bad;
545 }
546
547 /* check if we have proper ivlen information */
548 ivlen = sav->ivlen;
549 if (ivlen < 0) {
550 ipseclog((LOG_ERR, "inproper ivlen in IPv6 ESP input: %s %s\n",
551 ipsec6_logpacketstr(ip6, spi), ipsec_logsastr(sav)));
552 ipsec6stat.in_badspi++;
553 goto bad;
554 }
555
556 if (!((sav->flags & SADB_X_EXT_OLD) == 0 && sav->replay
557 && (sav->alg_auth && sav->key_auth)))
558 goto noreplaycheck;
559
560 if (sav->alg_auth == SADB_X_AALG_NULL ||
561 sav->alg_auth == SADB_AALG_NONE)
562 goto noreplaycheck;
563
564 /*
565 * check for sequence number.
566 */
567 if (ipsec_chkreplay(ntohl(((struct newesp *)esp)->esp_seq), sav))
568 ; /*okey*/
569 else {
570 ipsec6stat.in_espreplay++;
571 ipseclog((LOG_WARNING,
572 "replay packet in IPv6 ESP input: %s %s\n",
573 ipsec6_logpacketstr(ip6, spi), ipsec_logsastr(sav)));
574 goto bad;
575 }
576
577 /* check ICV */
578 {
579 u_char sum0[AH_MAXSUMSIZE];
580 u_char sum[AH_MAXSUMSIZE];
581 const struct ah_algorithm *sumalgo;
582 size_t siz;
583
584 sumalgo = ah_algorithm_lookup(sav->alg_auth);
585 if (!sumalgo)
586 goto noreplaycheck;
587 siz = (((*sumalgo->sumsiz)(sav) + 3) & ~(4 - 1));
588 if (m->m_pkthdr.len < off + ESPMAXLEN + siz) {
589 ipsecstat.in_inval++;
590 goto bad;
591 }
592 if (AH_MAXSUMSIZE < siz) {
593 ipseclog((LOG_DEBUG,
594 "internal error: AH_MAXSUMSIZE must be larger than %lu\n",
595 (u_long)siz));
596 ipsec6stat.in_inval++;
597 goto bad;
598 }
599
600 m_copydata(m, m->m_pkthdr.len - siz, siz, &sum0[0]);
601
602 if (esp_auth(m, off, m->m_pkthdr.len - off - siz, sav, sum)) {
603 ipseclog((LOG_WARNING, "auth fail in IPv6 ESP input: %s %s\n",
604 ipsec6_logpacketstr(ip6, spi), ipsec_logsastr(sav)));
605 ipsec6stat.in_espauthfail++;
606 goto bad;
607 }
608
609 if (bcmp(sum0, sum, siz) != 0) {
610 ipseclog((LOG_WARNING, "auth fail in IPv6 ESP input: %s %s\n",
611 ipsec6_logpacketstr(ip6, spi), ipsec_logsastr(sav)));
612 ipsec6stat.in_espauthfail++;
613 goto bad;
614 }
615
616 /* strip off the authentication data */
617 m_adj(m, -siz);
618 ip6 = mtod(m, struct ip6_hdr *);
619 ip6->ip6_plen = htons(ntohs(ip6->ip6_plen) - siz);
620
621 m->m_flags |= M_AUTHIPDGM;
622 ipsec6stat.in_espauthsucc++;
623 }
624
625 /*
626 * update sequence number.
627 */
628 if ((sav->flags & SADB_X_EXT_OLD) == 0 && sav->replay) {
629 if (ipsec_updatereplay(ntohl(((struct newesp *)esp)->esp_seq), sav)) {
630 ipsec6stat.in_espreplay++;
631 goto bad;
632 }
633 }
634
635 noreplaycheck:
636
637 /* process main esp header. */
638 if (sav->flags & SADB_X_EXT_OLD) {
639 /* RFC 1827 */
640 esplen = sizeof(struct esp);
641 } else {
642 /* RFC 2406 */
643 if (sav->flags & SADB_X_EXT_DERIV)
644 esplen = sizeof(struct esp);
645 else
646 esplen = sizeof(struct newesp);
647 }
648
649 if (m->m_pkthdr.len < off + esplen + ivlen + sizeof(esptail)) {
650 ipseclog((LOG_WARNING,
651 "IPv6 ESP input: packet too short\n"));
652 ipsec6stat.in_inval++;
653 goto bad;
654 }
655
656 #ifndef PULLDOWN_TEST
657 IP6_EXTHDR_CHECK(m, off, esplen + ivlen, IPPROTO_DONE); /*XXX*/
658 #else
659 IP6_EXTHDR_GET(esp, struct esp *, m, off, esplen + ivlen);
660 if (esp == NULL) {
661 ipsec6stat.in_inval++;
662 m = NULL;
663 goto bad;
664 }
665 #endif
666 ip6 = mtod(m, struct ip6_hdr *); /*set it again just in case*/
667
668 /*
669 * pre-compute and cache intermediate key
670 */
671 if (esp_schedule(algo, sav) != 0) {
672 ipsec6stat.in_inval++;
673 goto bad;
674 }
675
676 /*
677 * decrypt the packet.
678 */
679 if (!algo->decrypt)
680 panic("internal error: no decrypt function");
681 if ((*algo->decrypt)(m, off, sav, algo, ivlen)) {
682 /* m is already freed */
683 m = NULL;
684 ipseclog((LOG_ERR, "decrypt fail in IPv6 ESP input: %s\n",
685 ipsec_logsastr(sav)));
686 ipsec6stat.in_inval++;
687 goto bad;
688 }
689 ipsec6stat.in_esphist[sav->alg_enc]++;
690
691 m->m_flags |= M_DECRYPTED;
692
693 /*
694 * find the trailer of the ESP.
695 */
696 m_copydata(m, m->m_pkthdr.len - sizeof(esptail), sizeof(esptail),
697 (caddr_t)&esptail);
698 nxt = esptail.esp_nxt;
699 taillen = esptail.esp_padlen + sizeof(esptail);
700
701 if (m->m_pkthdr.len < taillen
702 || m->m_pkthdr.len - taillen < sizeof(struct ip6_hdr)) { /*?*/
703 ipseclog((LOG_WARNING,
704 "bad pad length in IPv6 ESP input: %s %s\n",
705 ipsec6_logpacketstr(ip6, spi), ipsec_logsastr(sav)));
706 ipsec6stat.in_inval++;
707 goto bad;
708 }
709
710 /* strip off the trailing pad area. */
711 m_adj(m, -taillen);
712
713 ip6->ip6_plen = htons(ntohs(ip6->ip6_plen) - taillen);
714
715 /* was it transmitted over the IPsec tunnel SA? */
716 if (ipsec6_tunnel_validate(m, off + esplen + ivlen, nxt, sav)) {
717 /*
718 * strip off all the headers that precedes ESP header.
719 * IP6 xx ESP IP6' payload -> IP6' payload
720 *
721 * XXX more sanity checks
722 * XXX relationship with gif?
723 */
724 u_int32_t flowinfo; /*net endian*/
725 flowinfo = ip6->ip6_flow;
726 m_adj(m, off + esplen + ivlen);
727 if (m->m_len < sizeof(*ip6)) {
728 #ifndef PULLDOWN_TEST
729 /*
730 * m_pullup is prohibited in KAME IPv6 input processing
731 * but there's no other way!
732 */
733 #else
734 /* okay to pullup in m_pulldown style */
735 #endif
736 m = m_pullup(m, sizeof(*ip6));
737 if (!m) {
738 ipsec6stat.in_inval++;
739 goto bad;
740 }
741 }
742 ip6 = mtod(m, struct ip6_hdr *);
743 /* ECN consideration. */
744 ip6_ecn_egress(ip6_ipsec_ecn, &flowinfo, &ip6->ip6_flow);
745 if (!key_checktunnelsanity(sav, AF_INET6,
746 (caddr_t)&ip6->ip6_src, (caddr_t)&ip6->ip6_dst)) {
747 ipseclog((LOG_ERR, "ipsec tunnel address mismatch "
748 "in IPv6 ESP input: %s %s\n",
749 ipsec6_logpacketstr(ip6, spi),
750 ipsec_logsastr(sav)));
751 ipsec6stat.in_inval++;
752 goto bad;
753 }
754
755 #if 0 /* XXX should call ipfw rather than ipsec_in_reject, shouldn't it ? */
756 /* drop it if it does not match the default policy */
757 if (ipsec6_in_reject(m, NULL)) {
758 ipsec6stat.in_polvio++;
759 goto bad;
760 }
761 #endif
762
763 key_sa_recordxfer(sav, m);
764 if (ipsec_addhist(m, IPPROTO_ESP, spi) != 0 ||
765 ipsec_addhist(m, IPPROTO_IPV6, 0) != 0) {
766 ipsec6stat.in_nomem++;
767 goto bad;
768 }
769
770 s = splimp();
771 if (IF_QFULL(&ip6intrq)) {
772 ipsec6stat.in_inval++;
773 splx(s);
774 goto bad;
775 }
776 IF_ENQUEUE(&ip6intrq, m);
777 m = NULL;
778 schednetisr(NETISR_IPV6); /*can be skipped but to make sure*/
779 splx(s);
780 nxt = IPPROTO_DONE;
781 } else {
782 /*
783 * strip off ESP header and IV.
784 * even in m_pulldown case, we need to strip off ESP so that
785 * we can always compute checksum for AH correctly.
786 */
787 size_t stripsiz;
788 char *prvnxtp;
789
790 /*
791 * Set the next header field of the previous header correctly.
792 */
793 prvnxtp = ip6_get_prevhdr(m, off); /* XXX */
794 *prvnxtp = nxt;
795
796 stripsiz = esplen + ivlen;
797
798 ip6 = mtod(m, struct ip6_hdr *);
799 if (m->m_len >= stripsiz + off) {
800 ovbcopy((caddr_t)ip6, ((caddr_t)ip6) + stripsiz, off);
801 m->m_data += stripsiz;
802 m->m_len -= stripsiz;
803 m->m_pkthdr.len -= stripsiz;
804 } else {
805 /*
806 * this comes with no copy if the boundary is on
807 * cluster
808 */
809 struct mbuf *n;
810
811 n = m_split(m, off, M_DONTWAIT);
812 if (n == NULL) {
813 /* m is retained by m_split */
814 goto bad;
815 }
816 m_adj(n, stripsiz);
817 m_cat(m, n);
818 /* m_cat does not update m_pkthdr.len */
819 m->m_pkthdr.len += n->m_pkthdr.len;
820 }
821
822 #ifndef PULLDOWN_TEST
823 /*
824 * KAME requires that the packet to be contiguous on the
825 * mbuf. We need to make that sure.
826 * this kind of code should be avoided.
827 * XXX other conditions to avoid running this part?
828 */
829 if (m->m_len != m->m_pkthdr.len) {
830 struct mbuf *n = NULL;
831 int maxlen;
832
833 MGETHDR(n, M_DONTWAIT, MT_HEADER);
834 maxlen = MHLEN;
835 if (n)
836 M_COPY_PKTHDR(n, m);
837 if (n && m->m_pkthdr.len > maxlen) {
838 MCLGET(n, M_DONTWAIT);
839 maxlen = MCLBYTES;
840 if ((n->m_flags & M_EXT) == 0) {
841 m_free(n);
842 n = NULL;
843 }
844 }
845 if (!n) {
846 printf("esp6_input: mbuf allocation failed\n");
847 goto bad;
848 }
849
850 if (m->m_pkthdr.len <= maxlen) {
851 m_copydata(m, 0, m->m_pkthdr.len, mtod(n, caddr_t));
852 n->m_len = m->m_pkthdr.len;
853 n->m_pkthdr.len = m->m_pkthdr.len;
854 n->m_next = NULL;
855 m_freem(m);
856 } else {
857 m_copydata(m, 0, maxlen, mtod(n, caddr_t));
858 m_adj(m, maxlen);
859 n->m_len = maxlen;
860 n->m_pkthdr.len = m->m_pkthdr.len;
861 n->m_next = m;
862 m->m_flags &= ~M_PKTHDR;
863 }
864 m = n;
865 }
866 #endif
867
868 ip6 = mtod(m, struct ip6_hdr *);
869 ip6->ip6_plen = htons(ntohs(ip6->ip6_plen) - stripsiz);
870
871 key_sa_recordxfer(sav, m);
872 if (ipsec_addhist(m, IPPROTO_ESP, spi) != 0) {
873 ipsec6stat.in_nomem++;
874 goto bad;
875 }
876 }
877
878 *offp = off;
879 *mp = m;
880
881 if (sav) {
882 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
883 printf("DP esp6_input call free SA:%p\n", sav));
884 key_freesav(sav);
885 }
886 ipsec6stat.in_success++;
887 return nxt;
888
889 bad:
890 if (sav) {
891 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
892 printf("DP esp6_input call free SA:%p\n", sav));
893 key_freesav(sav);
894 }
895 if (m)
896 m_freem(m);
897 return IPPROTO_DONE;
898 }
899
900 void
901 esp6_ctlinput(cmd, sa, d)
902 int cmd;
903 struct sockaddr *sa;
904 void *d;
905 {
906 const struct newesp *espp;
907 struct newesp esp;
908 struct ip6ctlparam *ip6cp = NULL, ip6cp1;
909 struct secasvar *sav;
910 struct ip6_hdr *ip6;
911 struct mbuf *m;
912 int off;
913 struct sockaddr_in6 sa6_src, sa6_dst;
914
915 if (sa->sa_family != AF_INET6 ||
916 sa->sa_len != sizeof(struct sockaddr_in6))
917 return;
918 if ((unsigned)cmd >= PRC_NCMDS)
919 return;
920
921 /* if the parameter is from icmp6, decode it. */
922 if (d != NULL) {
923 ip6cp = (struct ip6ctlparam *)d;
924 m = ip6cp->ip6c_m;
925 ip6 = ip6cp->ip6c_ip6;
926 off = ip6cp->ip6c_off;
927 } else {
928 m = NULL;
929 ip6 = NULL;
930 }
931
932 if (ip6) {
933 /*
934 * Notify the error to all possible sockets via pfctlinput2.
935 * Since the upper layer information (such as protocol type,
936 * source and destination ports) is embedded in the encrypted
937 * data and might have been cut, we can't directly call
938 * an upper layer ctlinput function. However, the pcbnotify
939 * function will consider source and destination addresses
940 * as well as the flow info value, and may be able to find
941 * some PCB that should be notified.
942 * Although pfctlinput2 will call esp6_ctlinput(), there is
943 * no possibility of an infinite loop of function calls,
944 * because we don't pass the inner IPv6 header.
945 */
946 bzero(&ip6cp1, sizeof(ip6cp1));
947 ip6cp1.ip6c_src = ip6cp->ip6c_src;
948 pfctlinput2(cmd, sa, (void *)&ip6cp1);
949
950 /*
951 * Then go to special cases that need ESP header information.
952 * XXX: We assume that when ip6 is non NULL,
953 * M and OFF are valid.
954 */
955
956 /* check if we can safely examine src and dst ports */
957 if (m->m_pkthdr.len < off + sizeof(esp))
958 return;
959
960 if (m->m_len < off + sizeof(esp)) {
961 /*
962 * this should be rare case,
963 * so we compromise on this copy...
964 */
965 m_copydata(m, off, sizeof(esp), (caddr_t)&esp);
966 espp = &esp;
967 } else
968 espp = (struct newesp*)(mtod(m, caddr_t) + off);
969
970 if (cmd == PRC_MSGSIZE) {
971 int valid = 0;
972
973 /*
974 * Check to see if we have a valid SA corresponding to
975 * the address in the ICMP message payload.
976 */
977 sav = key_allocsa(AF_INET6,
978 (caddr_t)&sa6_src.sin6_addr,
979 (caddr_t)&sa6_dst, IPPROTO_ESP,
980 espp->esp_spi);
981 if (sav) {
982 if (sav->state == SADB_SASTATE_MATURE ||
983 sav->state == SADB_SASTATE_DYING)
984 valid++;
985 key_freesav(sav);
986 }
987
988 /* XXX Further validation? */
989
990 /*
991 * Depending on the value of "valid" and routing table
992 * size (mtudisc_{hi,lo}wat), we will:
993 * - recalcurate the new MTU and create the
994 * corresponding routing entry, or
995 * - ignore the MTU change notification.
996 */
997 icmp6_mtudisc_update((struct ip6ctlparam *)d, valid);
998 }
999 } else {
1000 /* we normally notify any pcb here */
1001 }
1002 }
1003 #endif /* INET6 */
mirror of XNU