1 /* $OpenBSD: ipsec_input.c,v 1.63 2003/02/20 18:35:43 deraadt Exp $ */
2 /*-
3 * The authors of this code are John Ioannidis (ji@tla.org),
4 * Angelos D. Keromytis (kermit@csd.uch.gr) and
5 * Niels Provos (provos@physnet.uni-hamburg.de).
6 *
7 * This code was written by John Ioannidis for BSD/OS in Athens, Greece,
8 * in November 1995.
9 *
10 * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996,
11 * by Angelos D. Keromytis.
12 *
13 * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis
14 * and Niels Provos.
15 *
16 * Additional features in 1999 by Angelos D. Keromytis.
17 *
18 * Copyright (C) 1995, 1996, 1997, 1998, 1999 by John Ioannidis,
19 * Angelos D. Keromytis and Niels Provos.
20 * Copyright (c) 2001, Angelos D. Keromytis.
21 * Copyright (c) 2016 Andrey V. Elsukov <ae@FreeBSD.org>
22 *
23 * Permission to use, copy, and modify this software with or without fee
24 * is hereby granted, provided that this entire notice is included in
25 * all copies of any software which is or includes a copy or
26 * modification of this software.
27 * You may use this code under the GNU public license if you so wish. Please
28 * contribute changes back to the authors under this freer than GPL license
29 * so that we may further the use of strong encryption without limitations to
30 * all.
31 *
32 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
33 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY
34 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
35 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
36 * PURPOSE.
37 */
38
39 /*
40 * IPsec input processing.
41 */
42
43 #include <sys/cdefs.h>
44 #include "opt_inet.h"
45 #include "opt_inet6.h"
46 #include "opt_ipsec.h"
47
48 #include <sys/param.h>
49 #include <sys/systm.h>
50 #include <sys/malloc.h>
51 #include <sys/mbuf.h>
52 #include <sys/domain.h>
53 #include <sys/protosw.h>
54 #include <sys/socket.h>
55 #include <sys/errno.h>
56 #include <sys/hhook.h>
57 #include <sys/syslog.h>
58
59 #include <net/if.h>
60 #include <net/if_var.h>
61 #include <net/if_enc.h>
62 #include <net/netisr.h>
63 #include <net/vnet.h>
64
65 #include <netinet/in.h>
66 #include <netinet/in_systm.h>
67 #include <netinet/ip.h>
68 #include <netinet/ip_var.h>
69 #include <netinet/in_var.h>
70
71 #include <netinet/ip6.h>
72 #ifdef INET6
73 #include <netinet6/ip6_var.h>
74 #endif
75 #include <netinet/in_pcb.h>
76 #ifdef INET6
77 #include <netinet/icmp6.h>
78 #endif
79
80 #include <netipsec/ipsec.h>
81 #ifdef INET6
82 #include <netipsec/ipsec6.h>
83 #endif
84 #include <netipsec/ah_var.h>
85 #include <netipsec/esp.h>
86 #include <netipsec/esp_var.h>
87 #include <netipsec/ipcomp_var.h>
88
89 #include <netipsec/key.h>
90 #include <netipsec/keydb.h>
91 #include <netipsec/key_debug.h>
92
93 #include <netipsec/xform.h>
94 #include <netinet6/ip6protosw.h>
95
96 #include <machine/in_cksum.h>
97 #include <machine/stdarg.h>
98
99 #define IPSEC_ISTAT(proto, name) do { \
100 if ((proto) == IPPROTO_ESP) \
101 ESPSTAT_INC(esps_##name); \
102 else if ((proto) == IPPROTO_AH) \
103 AHSTAT_INC(ahs_##name); \
104 else \
105 IPCOMPSTAT_INC(ipcomps_##name); \
106 } while (0)
107
108 /*
109 * ipsec_common_input gets called when an IPsec-protected packet
110 * is received by IPv4 or IPv6. Its job is to find the right SA
111 * and call the appropriate transform. The transform callback
112 * takes care of further processing (like ingress filtering).
113 */
114 static int
ipsec_common_input(struct mbuf * m,int skip,int protoff,int af,int sproto)115 ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto)
116 {
117 IPSEC_DEBUG_DECLARE(char buf[IPSEC_ADDRSTRLEN]);
118 union sockaddr_union dst_address;
119 struct secasvar *sav;
120 uint32_t spi;
121 int error;
122
123 IPSEC_ISTAT(sproto, input);
124
125 IPSEC_ASSERT(m != NULL, ("null packet"));
126
127 IPSEC_ASSERT(sproto == IPPROTO_ESP || sproto == IPPROTO_AH ||
128 sproto == IPPROTO_IPCOMP,
129 ("unexpected security protocol %u", sproto));
130
131 if ((sproto == IPPROTO_ESP && !V_esp_enable) ||
132 (sproto == IPPROTO_AH && !V_ah_enable) ||
133 (sproto == IPPROTO_IPCOMP && !V_ipcomp_enable)) {
134 m_freem(m);
135 IPSEC_ISTAT(sproto, pdrops);
136 return EOPNOTSUPP;
137 }
138
139 if (m->m_pkthdr.len - skip < 2 * sizeof (u_int32_t)) {
140 m_freem(m);
141 IPSEC_ISTAT(sproto, hdrops);
142 DPRINTF(("%s: packet too small\n", __func__));
143 return EINVAL;
144 }
145
146 /* Retrieve the SPI from the relevant IPsec header */
147 if (sproto == IPPROTO_ESP)
148 m_copydata(m, skip, sizeof(u_int32_t), (caddr_t) &spi);
149 else if (sproto == IPPROTO_AH)
150 m_copydata(m, skip + sizeof(u_int32_t), sizeof(u_int32_t),
151 (caddr_t) &spi);
152 else if (sproto == IPPROTO_IPCOMP) {
153 u_int16_t cpi;
154 m_copydata(m, skip + sizeof(u_int16_t), sizeof(u_int16_t),
155 (caddr_t) &cpi);
156 spi = ntohl(htons(cpi));
157 }
158
159 /*
160 * Find the SA and (indirectly) call the appropriate
161 * kernel crypto routine. The resulting mbuf chain is a valid
162 * IP packet ready to go through input processing.
163 */
164 bzero(&dst_address, sizeof (dst_address));
165 dst_address.sa.sa_family = af;
166 switch (af) {
167 #ifdef INET
168 case AF_INET:
169 dst_address.sin.sin_len = sizeof(struct sockaddr_in);
170 m_copydata(m, offsetof(struct ip, ip_dst),
171 sizeof(struct in_addr),
172 (caddr_t) &dst_address.sin.sin_addr);
173 break;
174 #endif /* INET */
175 #ifdef INET6
176 case AF_INET6:
177 dst_address.sin6.sin6_len = sizeof(struct sockaddr_in6);
178 m_copydata(m, offsetof(struct ip6_hdr, ip6_dst),
179 sizeof(struct in6_addr),
180 (caddr_t) &dst_address.sin6.sin6_addr);
181 /* We keep addresses in SADB without embedded scope id */
182 if (IN6_IS_SCOPE_LINKLOCAL(&dst_address.sin6.sin6_addr)) {
183 /* XXX: sa6_recoverscope() */
184 dst_address.sin6.sin6_scope_id =
185 ntohs(dst_address.sin6.sin6_addr.s6_addr16[1]);
186 dst_address.sin6.sin6_addr.s6_addr16[1] = 0;
187 }
188 break;
189 #endif /* INET6 */
190 default:
191 DPRINTF(("%s: unsupported protocol family %u\n", __func__, af));
192 m_freem(m);
193 IPSEC_ISTAT(sproto, nopf);
194 return EPFNOSUPPORT;
195 }
196
197 /* NB: only pass dst since key_allocsa follows RFC2401 */
198 sav = key_allocsa(&dst_address, sproto, spi);
199 if (sav == NULL) {
200 DPRINTF(("%s: no key association found for SA %s/%08lx/%u\n",
201 __func__, ipsec_address(&dst_address, buf, sizeof(buf)),
202 (u_long) ntohl(spi), sproto));
203 IPSEC_ISTAT(sproto, notdb);
204 m_freem(m);
205 return ENOENT;
206 }
207
208 if (sav->tdb_xform == NULL) {
209 DPRINTF(("%s: attempted to use uninitialized SA %s/%08lx/%u\n",
210 __func__, ipsec_address(&dst_address, buf, sizeof(buf)),
211 (u_long) ntohl(spi), sproto));
212 IPSEC_ISTAT(sproto, noxform);
213 key_freesav(&sav);
214 m_freem(m);
215 return ENXIO;
216 }
217
218 /*
219 * Call appropriate transform and return -- callback takes care of
220 * everything else.
221 */
222 error = (*sav->tdb_xform->xf_input)(m, sav, skip, protoff);
223 return (error);
224 }
225
226 #ifdef INET
227 extern struct protosw inetsw[];
228
229 /*
230 * IPSEC_INPUT() method implementation for IPv4.
231 * 0 - Permitted by inbound security policy for further processing.
232 * EACCES - Forbidden by inbound security policy.
233 * EINPROGRESS - consumed by IPsec.
234 */
235 int
ipsec4_input(struct mbuf * m,int offset,int proto)236 ipsec4_input(struct mbuf *m, int offset, int proto)
237 {
238
239 switch (proto) {
240 case IPPROTO_AH:
241 case IPPROTO_ESP:
242 case IPPROTO_IPCOMP:
243 /* Do inbound IPsec processing for AH/ESP/IPCOMP */
244 ipsec_common_input(m, offset,
245 offsetof(struct ip, ip_p), AF_INET, proto);
246 return (EINPROGRESS); /* mbuf consumed by IPsec */
247 default:
248 /*
249 * Protocols with further headers get their IPsec treatment
250 * within the protocol specific processing.
251 */
252 if ((inetsw[ip_protox[proto]].pr_flags & PR_LASTHDR) == 0)
253 return (0);
254 /* FALLTHROUGH */
255 };
256 /*
257 * Enforce IPsec policy checking if we are seeing last header.
258 */
259 if (ipsec4_in_reject(m, NULL) != 0) {
260 /* Forbidden by inbound security policy */
261 m_freem(m);
262 return (EACCES);
263 }
264 return (0);
265 }
266
267 /*
268 * IPsec input callback for INET protocols.
269 * This routine is called as the transform callback.
270 * Takes care of filtering and other sanity checks on
271 * the processed packet.
272 */
273 int
ipsec4_common_input_cb(struct mbuf * m,struct secasvar * sav,int skip,int protoff)274 ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip,
275 int protoff)
276 {
277 IPSEC_DEBUG_DECLARE(char buf[IPSEC_ADDRSTRLEN]);
278 struct epoch_tracker et;
279 struct ipsec_ctx_data ctx;
280 struct xform_history *xh;
281 struct secasindex *saidx;
282 struct m_tag *mtag;
283 struct ip *ip;
284 int error, prot, af, sproto, isr_prot;
285
286 IPSEC_ASSERT(sav != NULL, ("null SA"));
287 IPSEC_ASSERT(sav->sah != NULL, ("null SAH"));
288 saidx = &sav->sah->saidx;
289 af = saidx->dst.sa.sa_family;
290 IPSEC_ASSERT(af == AF_INET, ("unexpected af %u", af));
291 sproto = saidx->proto;
292 IPSEC_ASSERT(sproto == IPPROTO_ESP || sproto == IPPROTO_AH ||
293 sproto == IPPROTO_IPCOMP,
294 ("unexpected security protocol %u", sproto));
295
296 if (skip != 0) {
297 /*
298 * Fix IPv4 header
299 */
300 if (m->m_len < skip && (m = m_pullup(m, skip)) == NULL) {
301 DPRINTF(("%s: processing failed for SA %s/%08lx\n",
302 __func__, ipsec_address(&sav->sah->saidx.dst,
303 buf, sizeof(buf)), (u_long) ntohl(sav->spi)));
304 IPSEC_ISTAT(sproto, hdrops);
305 error = ENOBUFS;
306 goto bad_noepoch;
307 }
308
309 ip = mtod(m, struct ip *);
310 ip->ip_len = htons(m->m_pkthdr.len);
311 ip->ip_sum = 0;
312 ip->ip_sum = in_cksum(m, ip->ip_hl << 2);
313 } else {
314 ip = mtod(m, struct ip *);
315 }
316 prot = ip->ip_p;
317 /*
318 * Check that we have NAT-T enabled and apply transport mode
319 * decapsulation NAT procedure (RFC3948).
320 * Do this before invoking into the PFIL.
321 */
322 if (sav->natt != NULL &&
323 (prot == IPPROTO_UDP || prot == IPPROTO_TCP))
324 udp_ipsec_adjust_cksum(m, sav, prot, skip);
325
326 /*
327 * Needed for ipsec_run_hooks and netisr_queue_src
328 */
329 NET_EPOCH_ENTER(et);
330
331 IPSEC_INIT_CTX(&ctx, &m, NULL, sav, AF_INET, IPSEC_ENC_BEFORE);
332 if ((error = ipsec_run_hhooks(&ctx, HHOOK_TYPE_IPSEC_IN)) != 0)
333 goto bad;
334 ip = mtod(m, struct ip *); /* update pointer */
335
336 /* IP-in-IP encapsulation */
337 if (prot == IPPROTO_IPIP &&
338 saidx->mode != IPSEC_MODE_TRANSPORT) {
339 if (m->m_pkthdr.len - skip < sizeof(struct ip)) {
340 IPSEC_ISTAT(sproto, hdrops);
341 error = EINVAL;
342 goto bad;
343 }
344 /* enc0: strip outer IPv4 header */
345 m_striphdr(m, 0, ip->ip_hl << 2);
346 }
347 #ifdef INET6
348 /* IPv6-in-IP encapsulation. */
349 else if (prot == IPPROTO_IPV6 &&
350 saidx->mode != IPSEC_MODE_TRANSPORT) {
351 if (m->m_pkthdr.len - skip < sizeof(struct ip6_hdr)) {
352 IPSEC_ISTAT(sproto, hdrops);
353 error = EINVAL;
354 goto bad;
355 }
356 /* enc0: strip IPv4 header, keep IPv6 header only */
357 m_striphdr(m, 0, ip->ip_hl << 2);
358 }
359 #endif /* INET6 */
360 else if (prot != IPPROTO_IPV6 && saidx->mode == IPSEC_MODE_ANY) {
361 /*
362 * When mode is wildcard, inner protocol is IPv6 and
363 * we have no INET6 support - drop this packet a bit later.
364 * In other cases we assume transport mode. Set prot to
365 * correctly choose netisr.
366 */
367 prot = IPPROTO_IPIP;
368 }
369
370 /*
371 * Record what we've done to the packet (under what SA it was
372 * processed).
373 */
374 if (sproto != IPPROTO_IPCOMP) {
375 mtag = m_tag_get(PACKET_TAG_IPSEC_IN_DONE,
376 sizeof(struct xform_history), M_NOWAIT);
377 if (mtag == NULL) {
378 DPRINTF(("%s: failed to get tag\n", __func__));
379 IPSEC_ISTAT(sproto, hdrops);
380 error = ENOMEM;
381 goto bad;
382 }
383
384 xh = (struct xform_history *)(mtag + 1);
385 bcopy(&saidx->dst, &xh->dst, saidx->dst.sa.sa_len);
386 xh->spi = sav->spi;
387 xh->proto = sproto;
388 xh->mode = saidx->mode;
389 m_tag_prepend(m, mtag);
390 }
391
392 key_sa_recordxfer(sav, m); /* record data transfer */
393
394 /*
395 * In transport mode requeue decrypted mbuf back to IPv4 protocol
396 * handler. This is necessary to correctly expose rcvif.
397 */
398 if (saidx->mode == IPSEC_MODE_TRANSPORT)
399 prot = IPPROTO_IPIP;
400 /*
401 * Re-dispatch via software interrupt.
402 */
403 switch (prot) {
404 case IPPROTO_IPIP:
405 isr_prot = NETISR_IP;
406 af = AF_INET;
407 break;
408 #ifdef INET6
409 case IPPROTO_IPV6:
410 isr_prot = NETISR_IPV6;
411 af = AF_INET6;
412 break;
413 #endif
414 default:
415 DPRINTF(("%s: cannot handle inner ip proto %d\n",
416 __func__, prot));
417 IPSEC_ISTAT(sproto, nopf);
418 error = EPFNOSUPPORT;
419 goto bad;
420 }
421
422 IPSEC_INIT_CTX(&ctx, &m, NULL, sav, af, IPSEC_ENC_AFTER);
423 if ((error = ipsec_run_hhooks(&ctx, HHOOK_TYPE_IPSEC_IN)) != 0)
424 goto bad;
425
426 /* Handle virtual tunneling interfaces */
427 if (saidx->mode == IPSEC_MODE_TUNNEL)
428 error = ipsec_if_input(m, sav, af);
429 if (error == 0) {
430 error = netisr_queue_src(isr_prot, (uintptr_t)sav->spi, m);
431 if (error) {
432 IPSEC_ISTAT(sproto, qfull);
433 DPRINTF(("%s: queue full; proto %u packet dropped\n",
434 __func__, sproto));
435 }
436 }
437 NET_EPOCH_EXIT(et);
438 key_freesav(&sav);
439 return (error);
440 bad:
441 NET_EPOCH_EXIT(et);
442 bad_noepoch:
443 key_freesav(&sav);
444 if (m != NULL)
445 m_freem(m);
446 return (error);
447 }
448 #endif /* INET */
449
450 #ifdef INET6
451 /*
452 * IPSEC_INPUT() method implementation for IPv6.
453 * 0 - Permitted by inbound security policy for further processing.
454 * EACCES - Forbidden by inbound security policy.
455 * EINPROGRESS - consumed by IPsec.
456 */
457 int
ipsec6_input(struct mbuf * m,int offset,int proto)458 ipsec6_input(struct mbuf *m, int offset, int proto)
459 {
460
461 switch (proto) {
462 case IPPROTO_AH:
463 case IPPROTO_ESP:
464 case IPPROTO_IPCOMP:
465 /* Do inbound IPsec processing for AH/ESP/IPCOMP */
466 ipsec_common_input(m, offset,
467 offsetof(struct ip6_hdr, ip6_nxt), AF_INET6, proto);
468 return (EINPROGRESS); /* mbuf consumed by IPsec */
469 default:
470 /*
471 * Protocols with further headers get their IPsec treatment
472 * within the protocol specific processing.
473 */
474 if ((inet6sw[ip6_protox[proto]].pr_flags & PR_LASTHDR) == 0)
475 return (0);
476 /* FALLTHROUGH */
477 };
478 /*
479 * Enforce IPsec policy checking if we are seeing last header.
480 */
481 if (ipsec6_in_reject(m, NULL) != 0) {
482 /* Forbidden by inbound security policy */
483 m_freem(m);
484 return (EACCES);
485 }
486 return (0);
487 }
488
489 /*
490 * IPsec input callback, called by the transform callback. Takes care of
491 * filtering and other sanity checks on the processed packet.
492 */
493 int
ipsec6_common_input_cb(struct mbuf * m,struct secasvar * sav,int skip,int protoff)494 ipsec6_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip,
495 int protoff)
496 {
497 IPSEC_DEBUG_DECLARE(char buf[IPSEC_ADDRSTRLEN]);
498 struct epoch_tracker et;
499 struct ipsec_ctx_data ctx;
500 struct xform_history *xh;
501 struct secasindex *saidx;
502 struct ip6_hdr *ip6;
503 struct m_tag *mtag;
504 int prot, af, sproto;
505 int nxt, isr_prot;
506 int error, nest;
507 uint8_t nxt8;
508
509 IPSEC_ASSERT(sav != NULL, ("null SA"));
510 IPSEC_ASSERT(sav->sah != NULL, ("null SAH"));
511 saidx = &sav->sah->saidx;
512 af = saidx->dst.sa.sa_family;
513 IPSEC_ASSERT(af == AF_INET6, ("unexpected af %u", af));
514 sproto = saidx->proto;
515 IPSEC_ASSERT(sproto == IPPROTO_ESP || sproto == IPPROTO_AH ||
516 sproto == IPPROTO_IPCOMP,
517 ("unexpected security protocol %u", sproto));
518
519 NET_EPOCH_ENTER(et);
520
521 /* Fix IPv6 header */
522 if (m->m_len < sizeof(struct ip6_hdr) &&
523 (m = m_pullup(m, sizeof(struct ip6_hdr))) == NULL) {
524 DPRINTF(("%s: processing failed for SA %s/%08lx\n",
525 __func__, ipsec_address(&sav->sah->saidx.dst, buf,
526 sizeof(buf)), (u_long) ntohl(sav->spi)));
527
528 IPSEC_ISTAT(sproto, hdrops);
529 error = EACCES;
530 goto bad;
531 }
532
533 IPSEC_INIT_CTX(&ctx, &m, NULL, sav, af, IPSEC_ENC_BEFORE);
534 if ((error = ipsec_run_hhooks(&ctx, HHOOK_TYPE_IPSEC_IN)) != 0)
535 goto bad;
536
537 ip6 = mtod(m, struct ip6_hdr *);
538 ip6->ip6_plen = htons(m->m_pkthdr.len - sizeof(struct ip6_hdr));
539
540 /* Save protocol */
541 m_copydata(m, protoff, 1, &nxt8);
542 prot = nxt8;
543
544 /* IPv6-in-IP encapsulation */
545 if (prot == IPPROTO_IPV6 &&
546 saidx->mode != IPSEC_MODE_TRANSPORT) {
547 if (m->m_pkthdr.len - skip < sizeof(struct ip6_hdr)) {
548 IPSEC_ISTAT(sproto, hdrops);
549 error = EINVAL;
550 goto bad;
551 }
552 /* ip6n will now contain the inner IPv6 header. */
553 m_striphdr(m, 0, skip);
554 skip = 0;
555 }
556 #ifdef INET
557 /* IP-in-IP encapsulation */
558 else if (prot == IPPROTO_IPIP &&
559 saidx->mode != IPSEC_MODE_TRANSPORT) {
560 if (m->m_pkthdr.len - skip < sizeof(struct ip)) {
561 IPSEC_ISTAT(sproto, hdrops);
562 error = EINVAL;
563 goto bad;
564 }
565 /* ipn will now contain the inner IPv4 header */
566 m_striphdr(m, 0, skip);
567 skip = 0;
568 }
569 #endif /* INET */
570 else {
571 prot = IPPROTO_IPV6; /* for correct BPF processing */
572 }
573
574 /*
575 * Record what we've done to the packet (under what SA it was
576 * processed).
577 */
578 if (sproto != IPPROTO_IPCOMP) {
579 mtag = m_tag_get(PACKET_TAG_IPSEC_IN_DONE,
580 sizeof(struct xform_history), M_NOWAIT);
581 if (mtag == NULL) {
582 DPRINTF(("%s: failed to get tag\n", __func__));
583 IPSEC_ISTAT(sproto, hdrops);
584 error = ENOMEM;
585 goto bad;
586 }
587
588 xh = (struct xform_history *)(mtag + 1);
589 bcopy(&saidx->dst, &xh->dst, saidx->dst.sa.sa_len);
590 xh->spi = sav->spi;
591 xh->proto = sproto;
592 xh->mode = saidx->mode;
593 m_tag_prepend(m, mtag);
594 }
595
596 key_sa_recordxfer(sav, m);
597
598 #ifdef INET
599 if (prot == IPPROTO_IPIP)
600 af = AF_INET;
601 else
602 #endif
603 af = AF_INET6;
604 IPSEC_INIT_CTX(&ctx, &m, NULL, sav, af, IPSEC_ENC_AFTER);
605 if ((error = ipsec_run_hhooks(&ctx, HHOOK_TYPE_IPSEC_IN)) != 0)
606 goto bad;
607 if (skip == 0) {
608 /*
609 * We stripped outer IPv6 header.
610 * Now we should requeue decrypted packet via netisr.
611 */
612 switch (prot) {
613 #ifdef INET
614 case IPPROTO_IPIP:
615 isr_prot = NETISR_IP;
616 break;
617 #endif
618 case IPPROTO_IPV6:
619 isr_prot = NETISR_IPV6;
620 break;
621 default:
622 DPRINTF(("%s: cannot handle inner ip proto %d\n",
623 __func__, prot));
624 IPSEC_ISTAT(sproto, nopf);
625 error = EPFNOSUPPORT;
626 goto bad;
627 }
628 /* Handle virtual tunneling interfaces */
629 if (saidx->mode == IPSEC_MODE_TUNNEL)
630 error = ipsec_if_input(m, sav, af);
631 if (error == 0) {
632 error = netisr_queue_src(isr_prot,
633 (uintptr_t)sav->spi, m);
634 if (error) {
635 IPSEC_ISTAT(sproto, qfull);
636 DPRINTF(("%s: queue full; proto %u packet"
637 " dropped\n", __func__, sproto));
638 }
639 }
640 NET_EPOCH_EXIT(et);
641 key_freesav(&sav);
642 return (error);
643 }
644 /*
645 * See the end of ip6_input for this logic.
646 * IPPROTO_IPV[46] case will be processed just like other ones
647 */
648 nest = 0;
649 nxt = nxt8;
650 while (nxt != IPPROTO_DONE) {
651 if (V_ip6_hdrnestlimit && (++nest > V_ip6_hdrnestlimit)) {
652 IP6STAT_INC(ip6s_toomanyhdr);
653 error = EINVAL;
654 goto bad;
655 }
656
657 /*
658 * Protection against faulty packet - there should be
659 * more sanity checks in header chain processing.
660 */
661 if (m->m_pkthdr.len < skip) {
662 IP6STAT_INC(ip6s_tooshort);
663 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_truncated);
664 error = EINVAL;
665 goto bad;
666 }
667 /*
668 * Enforce IPsec policy checking if we are seeing last header.
669 * note that we do not visit this with protocols with pcb layer
670 * code - like udp/tcp/raw ip.
671 */
672 if ((inet6sw[ip6_protox[nxt]].pr_flags & PR_LASTHDR) != 0 &&
673 ipsec6_in_reject(m, NULL)) {
674 error = EINVAL;
675 goto bad;
676 }
677 nxt = (*inet6sw[ip6_protox[nxt]].pr_input)(&m, &skip, nxt);
678 }
679 NET_EPOCH_EXIT(et);
680 key_freesav(&sav);
681 return (0);
682 bad:
683 NET_EPOCH_EXIT(et);
684 key_freesav(&sav);
685 if (m)
686 m_freem(m);
687 return (error);
688 }
689 #endif /* INET6 */
690