1 /* $OpenBSD: ipsec_input.c,v 1.63 2003/02/20 18:35:43 deraadt Exp $ */
2 /*-
3 * The authors of this code are John Ioannidis ([email protected]),
4 * Angelos D. Keromytis ([email protected]) and
5 * Niels Provos ([email protected]).
6 *
7 * This code was written by John Ioannidis for BSD/OS in Athens, Greece,
8 * in November 1995.
9 *
10 * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996,
11 * by Angelos D. Keromytis.
12 *
13 * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis
14 * and Niels Provos.
15 *
16 * Additional features in 1999 by Angelos D. Keromytis.
17 *
18 * Copyright (C) 1995, 1996, 1997, 1998, 1999 by John Ioannidis,
19 * Angelos D. Keromytis and Niels Provos.
20 * Copyright (c) 2001, Angelos D. Keromytis.
21 * Copyright (c) 2016 Andrey V. Elsukov <[email protected]>
22 *
23 * Permission to use, copy, and modify this software with or without fee
24 * is hereby granted, provided that this entire notice is included in
25 * all copies of any software which is or includes a copy or
26 * modification of this software.
27 * You may use this code under the GNU public license if you so wish. Please
28 * contribute changes back to the authors under this freer than GPL license
29 * so that we may further the use of strong encryption without limitations to
30 * all.
31 *
32 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
33 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY
34 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
35 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
36 * PURPOSE.
37 */
38
39 /*
40 * IPsec input processing.
41 */
42
43 #include <sys/cdefs.h>
44 __FBSDID("$FreeBSD$");
45
46 #include "opt_inet.h"
47 #include "opt_inet6.h"
48 #include "opt_ipsec.h"
49
50 #include <sys/param.h>
51 #include <sys/systm.h>
52 #include <sys/malloc.h>
53 #include <sys/mbuf.h>
54 #include <sys/domain.h>
55 #include <sys/protosw.h>
56 #include <sys/socket.h>
57 #include <sys/errno.h>
58 #include <sys/hhook.h>
59 #include <sys/syslog.h>
60
61 #include <net/if.h>
62 #include <net/if_var.h>
63 #include <net/if_enc.h>
64 #include <net/netisr.h>
65 #include <net/vnet.h>
66
67 #include <netinet/in.h>
68 #include <netinet/in_systm.h>
69 #include <netinet/ip.h>
70 #include <netinet/ip_var.h>
71 #include <netinet/in_var.h>
72
73 #include <netinet/ip6.h>
74 #ifdef INET6
75 #include <netinet6/ip6_var.h>
76 #endif
77 #include <netinet/in_pcb.h>
78 #ifdef INET6
79 #include <netinet/icmp6.h>
80 #endif
81
82 #include <netipsec/ipsec.h>
83 #ifdef INET6
84 #include <netipsec/ipsec6.h>
85 #endif
86 #include <netipsec/ah_var.h>
87 #include <netipsec/esp.h>
88 #include <netipsec/esp_var.h>
89 #include <netipsec/ipcomp_var.h>
90
91 #include <netipsec/key.h>
92 #include <netipsec/keydb.h>
93 #include <netipsec/key_debug.h>
94
95 #include <netipsec/xform.h>
96 #include <netinet6/ip6protosw.h>
97
98 #include <machine/in_cksum.h>
99 #include <machine/stdarg.h>
100
101 #define IPSEC_ISTAT(proto, name) do { \
102 if ((proto) == IPPROTO_ESP) \
103 ESPSTAT_INC(esps_##name); \
104 else if ((proto) == IPPROTO_AH) \
105 AHSTAT_INC(ahs_##name); \
106 else \
107 IPCOMPSTAT_INC(ipcomps_##name); \
108 } while (0)
109
110 /*
111 * ipsec_common_input gets called when an IPsec-protected packet
112 * is received by IPv4 or IPv6. Its job is to find the right SA
113 * and call the appropriate transform. The transform callback
114 * takes care of further processing (like ingress filtering).
115 */
116 static int
ipsec_common_input(struct mbuf * m,int skip,int protoff,int af,int sproto)117 ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto)
118 {
119 IPSEC_DEBUG_DECLARE(char buf[IPSEC_ADDRSTRLEN]);
120 union sockaddr_union dst_address;
121 struct secasvar *sav;
122 uint32_t spi;
123 int error;
124
125 IPSEC_ISTAT(sproto, input);
126
127 IPSEC_ASSERT(m != NULL, ("null packet"));
128
129 IPSEC_ASSERT(sproto == IPPROTO_ESP || sproto == IPPROTO_AH ||
130 sproto == IPPROTO_IPCOMP,
131 ("unexpected security protocol %u", sproto));
132
133 if ((sproto == IPPROTO_ESP && !V_esp_enable) ||
134 (sproto == IPPROTO_AH && !V_ah_enable) ||
135 (sproto == IPPROTO_IPCOMP && !V_ipcomp_enable)) {
136 m_freem(m);
137 IPSEC_ISTAT(sproto, pdrops);
138 return EOPNOTSUPP;
139 }
140
141 if (m->m_pkthdr.len - skip < 2 * sizeof (u_int32_t)) {
142 m_freem(m);
143 IPSEC_ISTAT(sproto, hdrops);
144 DPRINTF(("%s: packet too small\n", __func__));
145 return EINVAL;
146 }
147
148 /* Retrieve the SPI from the relevant IPsec header */
149 if (sproto == IPPROTO_ESP)
150 m_copydata(m, skip, sizeof(u_int32_t), (caddr_t) &spi);
151 else if (sproto == IPPROTO_AH)
152 m_copydata(m, skip + sizeof(u_int32_t), sizeof(u_int32_t),
153 (caddr_t) &spi);
154 else if (sproto == IPPROTO_IPCOMP) {
155 u_int16_t cpi;
156 m_copydata(m, skip + sizeof(u_int16_t), sizeof(u_int16_t),
157 (caddr_t) &cpi);
158 spi = ntohl(htons(cpi));
159 }
160
161 /*
162 * Find the SA and (indirectly) call the appropriate
163 * kernel crypto routine. The resulting mbuf chain is a valid
164 * IP packet ready to go through input processing.
165 */
166 bzero(&dst_address, sizeof (dst_address));
167 dst_address.sa.sa_family = af;
168 switch (af) {
169 #ifdef INET
170 case AF_INET:
171 dst_address.sin.sin_len = sizeof(struct sockaddr_in);
172 m_copydata(m, offsetof(struct ip, ip_dst),
173 sizeof(struct in_addr),
174 (caddr_t) &dst_address.sin.sin_addr);
175 break;
176 #endif /* INET */
177 #ifdef INET6
178 case AF_INET6:
179 dst_address.sin6.sin6_len = sizeof(struct sockaddr_in6);
180 m_copydata(m, offsetof(struct ip6_hdr, ip6_dst),
181 sizeof(struct in6_addr),
182 (caddr_t) &dst_address.sin6.sin6_addr);
183 /* We keep addresses in SADB without embedded scope id */
184 if (IN6_IS_SCOPE_LINKLOCAL(&dst_address.sin6.sin6_addr)) {
185 /* XXX: sa6_recoverscope() */
186 dst_address.sin6.sin6_scope_id =
187 ntohs(dst_address.sin6.sin6_addr.s6_addr16[1]);
188 dst_address.sin6.sin6_addr.s6_addr16[1] = 0;
189 }
190 break;
191 #endif /* INET6 */
192 default:
193 DPRINTF(("%s: unsupported protocol family %u\n", __func__, af));
194 m_freem(m);
195 IPSEC_ISTAT(sproto, nopf);
196 return EPFNOSUPPORT;
197 }
198
199 /* NB: only pass dst since key_allocsa follows RFC2401 */
200 sav = key_allocsa(&dst_address, sproto, spi);
201 if (sav == NULL) {
202 DPRINTF(("%s: no key association found for SA %s/%08lx/%u\n",
203 __func__, ipsec_address(&dst_address, buf, sizeof(buf)),
204 (u_long) ntohl(spi), sproto));
205 IPSEC_ISTAT(sproto, notdb);
206 m_freem(m);
207 return ENOENT;
208 }
209
210 if (sav->tdb_xform == NULL) {
211 DPRINTF(("%s: attempted to use uninitialized SA %s/%08lx/%u\n",
212 __func__, ipsec_address(&dst_address, buf, sizeof(buf)),
213 (u_long) ntohl(spi), sproto));
214 IPSEC_ISTAT(sproto, noxform);
215 key_freesav(&sav);
216 m_freem(m);
217 return ENXIO;
218 }
219
220 /*
221 * Call appropriate transform and return -- callback takes care of
222 * everything else.
223 */
224 error = (*sav->tdb_xform->xf_input)(m, sav, skip, protoff);
225 return (error);
226 }
227
228 #ifdef INET
229 extern struct protosw inetsw[];
230
231 /*
232 * IPSEC_INPUT() method implementation for IPv4.
233 * 0 - Permitted by inbound security policy for further processing.
234 * EACCES - Forbidden by inbound security policy.
235 * EINPROGRESS - consumed by IPsec.
236 */
237 int
ipsec4_input(struct mbuf * m,int offset,int proto)238 ipsec4_input(struct mbuf *m, int offset, int proto)
239 {
240
241 switch (proto) {
242 case IPPROTO_AH:
243 case IPPROTO_ESP:
244 case IPPROTO_IPCOMP:
245 /* Do inbound IPsec processing for AH/ESP/IPCOMP */
246 ipsec_common_input(m, offset,
247 offsetof(struct ip, ip_p), AF_INET, proto);
248 return (EINPROGRESS); /* mbuf consumed by IPsec */
249 default:
250 /*
251 * Protocols with further headers get their IPsec treatment
252 * within the protocol specific processing.
253 */
254 if ((inetsw[ip_protox[proto]].pr_flags & PR_LASTHDR) == 0)
255 return (0);
256 /* FALLTHROUGH */
257 };
258 /*
259 * Enforce IPsec policy checking if we are seeing last header.
260 */
261 if (ipsec4_in_reject(m, NULL) != 0) {
262 /* Forbidden by inbound security policy */
263 m_freem(m);
264 return (EACCES);
265 }
266 return (0);
267 }
268
269 /*
270 * IPsec input callback for INET protocols.
271 * This routine is called as the transform callback.
272 * Takes care of filtering and other sanity checks on
273 * the processed packet.
274 */
275 int
ipsec4_common_input_cb(struct mbuf * m,struct secasvar * sav,int skip,int protoff)276 ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip,
277 int protoff)
278 {
279 IPSEC_DEBUG_DECLARE(char buf[IPSEC_ADDRSTRLEN]);
280 struct epoch_tracker et;
281 struct ipsec_ctx_data ctx;
282 struct xform_history *xh;
283 struct secasindex *saidx;
284 struct m_tag *mtag;
285 struct ip *ip;
286 int error, prot, af, sproto, isr_prot;
287
288 IPSEC_ASSERT(sav != NULL, ("null SA"));
289 IPSEC_ASSERT(sav->sah != NULL, ("null SAH"));
290 saidx = &sav->sah->saidx;
291 af = saidx->dst.sa.sa_family;
292 IPSEC_ASSERT(af == AF_INET, ("unexpected af %u", af));
293 sproto = saidx->proto;
294 IPSEC_ASSERT(sproto == IPPROTO_ESP || sproto == IPPROTO_AH ||
295 sproto == IPPROTO_IPCOMP,
296 ("unexpected security protocol %u", sproto));
297
298 if (skip != 0) {
299 /*
300 * Fix IPv4 header
301 */
302 if (m->m_len < skip && (m = m_pullup(m, skip)) == NULL) {
303 DPRINTF(("%s: processing failed for SA %s/%08lx\n",
304 __func__, ipsec_address(&sav->sah->saidx.dst,
305 buf, sizeof(buf)), (u_long) ntohl(sav->spi)));
306 IPSEC_ISTAT(sproto, hdrops);
307 error = ENOBUFS;
308 goto bad_noepoch;
309 }
310
311 ip = mtod(m, struct ip *);
312 ip->ip_len = htons(m->m_pkthdr.len);
313 ip->ip_sum = 0;
314 ip->ip_sum = in_cksum(m, ip->ip_hl << 2);
315 } else {
316 ip = mtod(m, struct ip *);
317 }
318 prot = ip->ip_p;
319 /*
320 * Check that we have NAT-T enabled and apply transport mode
321 * decapsulation NAT procedure (RFC3948).
322 * Do this before invoking into the PFIL.
323 */
324 if (sav->natt != NULL &&
325 (prot == IPPROTO_UDP || prot == IPPROTO_TCP))
326 udp_ipsec_adjust_cksum(m, sav, prot, skip);
327
328 /*
329 * Needed for ipsec_run_hooks and netisr_queue_src
330 */
331 NET_EPOCH_ENTER(et);
332
333 IPSEC_INIT_CTX(&ctx, &m, NULL, sav, AF_INET, IPSEC_ENC_BEFORE);
334 if ((error = ipsec_run_hhooks(&ctx, HHOOK_TYPE_IPSEC_IN)) != 0)
335 goto bad;
336 ip = mtod(m, struct ip *); /* update pointer */
337
338 /* IP-in-IP encapsulation */
339 if (prot == IPPROTO_IPIP &&
340 saidx->mode != IPSEC_MODE_TRANSPORT) {
341 if (m->m_pkthdr.len - skip < sizeof(struct ip)) {
342 IPSEC_ISTAT(sproto, hdrops);
343 error = EINVAL;
344 goto bad;
345 }
346 /* enc0: strip outer IPv4 header */
347 m_striphdr(m, 0, ip->ip_hl << 2);
348 }
349 #ifdef INET6
350 /* IPv6-in-IP encapsulation. */
351 else if (prot == IPPROTO_IPV6 &&
352 saidx->mode != IPSEC_MODE_TRANSPORT) {
353 if (m->m_pkthdr.len - skip < sizeof(struct ip6_hdr)) {
354 IPSEC_ISTAT(sproto, hdrops);
355 error = EINVAL;
356 goto bad;
357 }
358 /* enc0: strip IPv4 header, keep IPv6 header only */
359 m_striphdr(m, 0, ip->ip_hl << 2);
360 }
361 #endif /* INET6 */
362 else if (prot != IPPROTO_IPV6 && saidx->mode == IPSEC_MODE_ANY) {
363 /*
364 * When mode is wildcard, inner protocol is IPv6 and
365 * we have no INET6 support - drop this packet a bit later.
366 * In other cases we assume transport mode. Set prot to
367 * correctly choose netisr.
368 */
369 prot = IPPROTO_IPIP;
370 }
371
372 /*
373 * Record what we've done to the packet (under what SA it was
374 * processed).
375 */
376 if (sproto != IPPROTO_IPCOMP) {
377 mtag = m_tag_get(PACKET_TAG_IPSEC_IN_DONE,
378 sizeof(struct xform_history), M_NOWAIT);
379 if (mtag == NULL) {
380 DPRINTF(("%s: failed to get tag\n", __func__));
381 IPSEC_ISTAT(sproto, hdrops);
382 error = ENOMEM;
383 goto bad;
384 }
385
386 xh = (struct xform_history *)(mtag + 1);
387 bcopy(&saidx->dst, &xh->dst, saidx->dst.sa.sa_len);
388 xh->spi = sav->spi;
389 xh->proto = sproto;
390 xh->mode = saidx->mode;
391 m_tag_prepend(m, mtag);
392 }
393
394 key_sa_recordxfer(sav, m); /* record data transfer */
395
396 /*
397 * In transport mode requeue decrypted mbuf back to IPv4 protocol
398 * handler. This is necessary to correctly expose rcvif.
399 */
400 if (saidx->mode == IPSEC_MODE_TRANSPORT)
401 prot = IPPROTO_IPIP;
402 /*
403 * Re-dispatch via software interrupt.
404 */
405 switch (prot) {
406 case IPPROTO_IPIP:
407 isr_prot = NETISR_IP;
408 af = AF_INET;
409 break;
410 #ifdef INET6
411 case IPPROTO_IPV6:
412 isr_prot = NETISR_IPV6;
413 af = AF_INET6;
414 break;
415 #endif
416 default:
417 DPRINTF(("%s: cannot handle inner ip proto %d\n",
418 __func__, prot));
419 IPSEC_ISTAT(sproto, nopf);
420 error = EPFNOSUPPORT;
421 goto bad;
422 }
423
424 IPSEC_INIT_CTX(&ctx, &m, NULL, sav, af, IPSEC_ENC_AFTER);
425 if ((error = ipsec_run_hhooks(&ctx, HHOOK_TYPE_IPSEC_IN)) != 0)
426 goto bad;
427
428 /* Handle virtual tunneling interfaces */
429 if (saidx->mode == IPSEC_MODE_TUNNEL)
430 error = ipsec_if_input(m, sav, af);
431 if (error == 0) {
432 error = netisr_queue_src(isr_prot, (uintptr_t)sav->spi, m);
433 if (error) {
434 IPSEC_ISTAT(sproto, qfull);
435 DPRINTF(("%s: queue full; proto %u packet dropped\n",
436 __func__, sproto));
437 }
438 }
439 NET_EPOCH_EXIT(et);
440 key_freesav(&sav);
441 return (error);
442 bad:
443 NET_EPOCH_EXIT(et);
444 bad_noepoch:
445 key_freesav(&sav);
446 if (m != NULL)
447 m_freem(m);
448 return (error);
449 }
450 #endif /* INET */
451
452 #ifdef INET6
453 /*
454 * IPSEC_INPUT() method implementation for IPv6.
455 * 0 - Permitted by inbound security policy for further processing.
456 * EACCES - Forbidden by inbound security policy.
457 * EINPROGRESS - consumed by IPsec.
458 */
459 int
ipsec6_input(struct mbuf * m,int offset,int proto)460 ipsec6_input(struct mbuf *m, int offset, int proto)
461 {
462
463 switch (proto) {
464 case IPPROTO_AH:
465 case IPPROTO_ESP:
466 case IPPROTO_IPCOMP:
467 /* Do inbound IPsec processing for AH/ESP/IPCOMP */
468 ipsec_common_input(m, offset,
469 offsetof(struct ip6_hdr, ip6_nxt), AF_INET6, proto);
470 return (EINPROGRESS); /* mbuf consumed by IPsec */
471 default:
472 /*
473 * Protocols with further headers get their IPsec treatment
474 * within the protocol specific processing.
475 */
476 if ((inet6sw[ip6_protox[proto]].pr_flags & PR_LASTHDR) == 0)
477 return (0);
478 /* FALLTHROUGH */
479 };
480 /*
481 * Enforce IPsec policy checking if we are seeing last header.
482 */
483 if (ipsec6_in_reject(m, NULL) != 0) {
484 /* Forbidden by inbound security policy */
485 m_freem(m);
486 return (EACCES);
487 }
488 return (0);
489 }
490
491 /*
492 * IPsec input callback, called by the transform callback. Takes care of
493 * filtering and other sanity checks on the processed packet.
494 */
495 int
ipsec6_common_input_cb(struct mbuf * m,struct secasvar * sav,int skip,int protoff)496 ipsec6_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip,
497 int protoff)
498 {
499 IPSEC_DEBUG_DECLARE(char buf[IPSEC_ADDRSTRLEN]);
500 struct epoch_tracker et;
501 struct ipsec_ctx_data ctx;
502 struct xform_history *xh;
503 struct secasindex *saidx;
504 struct ip6_hdr *ip6;
505 struct m_tag *mtag;
506 int prot, af, sproto;
507 int nxt, isr_prot;
508 int error, nest;
509 uint8_t nxt8;
510
511 IPSEC_ASSERT(sav != NULL, ("null SA"));
512 IPSEC_ASSERT(sav->sah != NULL, ("null SAH"));
513 saidx = &sav->sah->saidx;
514 af = saidx->dst.sa.sa_family;
515 IPSEC_ASSERT(af == AF_INET6, ("unexpected af %u", af));
516 sproto = saidx->proto;
517 IPSEC_ASSERT(sproto == IPPROTO_ESP || sproto == IPPROTO_AH ||
518 sproto == IPPROTO_IPCOMP,
519 ("unexpected security protocol %u", sproto));
520
521 NET_EPOCH_ENTER(et);
522
523 /* Fix IPv6 header */
524 if (m->m_len < sizeof(struct ip6_hdr) &&
525 (m = m_pullup(m, sizeof(struct ip6_hdr))) == NULL) {
526 DPRINTF(("%s: processing failed for SA %s/%08lx\n",
527 __func__, ipsec_address(&sav->sah->saidx.dst, buf,
528 sizeof(buf)), (u_long) ntohl(sav->spi)));
529
530 IPSEC_ISTAT(sproto, hdrops);
531 error = EACCES;
532 goto bad;
533 }
534
535 IPSEC_INIT_CTX(&ctx, &m, NULL, sav, af, IPSEC_ENC_BEFORE);
536 if ((error = ipsec_run_hhooks(&ctx, HHOOK_TYPE_IPSEC_IN)) != 0)
537 goto bad;
538
539 ip6 = mtod(m, struct ip6_hdr *);
540 ip6->ip6_plen = htons(m->m_pkthdr.len - sizeof(struct ip6_hdr));
541
542 /* Save protocol */
543 m_copydata(m, protoff, 1, &nxt8);
544 prot = nxt8;
545
546 /* IPv6-in-IP encapsulation */
547 if (prot == IPPROTO_IPV6 &&
548 saidx->mode != IPSEC_MODE_TRANSPORT) {
549 if (m->m_pkthdr.len - skip < sizeof(struct ip6_hdr)) {
550 IPSEC_ISTAT(sproto, hdrops);
551 error = EINVAL;
552 goto bad;
553 }
554 /* ip6n will now contain the inner IPv6 header. */
555 m_striphdr(m, 0, skip);
556 skip = 0;
557 }
558 #ifdef INET
559 /* IP-in-IP encapsulation */
560 else if (prot == IPPROTO_IPIP &&
561 saidx->mode != IPSEC_MODE_TRANSPORT) {
562 if (m->m_pkthdr.len - skip < sizeof(struct ip)) {
563 IPSEC_ISTAT(sproto, hdrops);
564 error = EINVAL;
565 goto bad;
566 }
567 /* ipn will now contain the inner IPv4 header */
568 m_striphdr(m, 0, skip);
569 skip = 0;
570 }
571 #endif /* INET */
572 else {
573 prot = IPPROTO_IPV6; /* for correct BPF processing */
574 }
575
576 /*
577 * Record what we've done to the packet (under what SA it was
578 * processed).
579 */
580 if (sproto != IPPROTO_IPCOMP) {
581 mtag = m_tag_get(PACKET_TAG_IPSEC_IN_DONE,
582 sizeof(struct xform_history), M_NOWAIT);
583 if (mtag == NULL) {
584 DPRINTF(("%s: failed to get tag\n", __func__));
585 IPSEC_ISTAT(sproto, hdrops);
586 error = ENOMEM;
587 goto bad;
588 }
589
590 xh = (struct xform_history *)(mtag + 1);
591 bcopy(&saidx->dst, &xh->dst, saidx->dst.sa.sa_len);
592 xh->spi = sav->spi;
593 xh->proto = sproto;
594 xh->mode = saidx->mode;
595 m_tag_prepend(m, mtag);
596 }
597
598 key_sa_recordxfer(sav, m);
599
600 #ifdef INET
601 if (prot == IPPROTO_IPIP)
602 af = AF_INET;
603 else
604 #endif
605 af = AF_INET6;
606 IPSEC_INIT_CTX(&ctx, &m, NULL, sav, af, IPSEC_ENC_AFTER);
607 if ((error = ipsec_run_hhooks(&ctx, HHOOK_TYPE_IPSEC_IN)) != 0)
608 goto bad;
609 if (skip == 0) {
610 /*
611 * We stripped outer IPv6 header.
612 * Now we should requeue decrypted packet via netisr.
613 */
614 switch (prot) {
615 #ifdef INET
616 case IPPROTO_IPIP:
617 isr_prot = NETISR_IP;
618 break;
619 #endif
620 case IPPROTO_IPV6:
621 isr_prot = NETISR_IPV6;
622 break;
623 default:
624 DPRINTF(("%s: cannot handle inner ip proto %d\n",
625 __func__, prot));
626 IPSEC_ISTAT(sproto, nopf);
627 error = EPFNOSUPPORT;
628 goto bad;
629 }
630 /* Handle virtual tunneling interfaces */
631 if (saidx->mode == IPSEC_MODE_TUNNEL)
632 error = ipsec_if_input(m, sav, af);
633 if (error == 0) {
634 error = netisr_queue_src(isr_prot,
635 (uintptr_t)sav->spi, m);
636 if (error) {
637 IPSEC_ISTAT(sproto, qfull);
638 DPRINTF(("%s: queue full; proto %u packet"
639 " dropped\n", __func__, sproto));
640 }
641 }
642 NET_EPOCH_EXIT(et);
643 key_freesav(&sav);
644 return (error);
645 }
646 /*
647 * See the end of ip6_input for this logic.
648 * IPPROTO_IPV[46] case will be processed just like other ones
649 */
650 nest = 0;
651 nxt = nxt8;
652 while (nxt != IPPROTO_DONE) {
653 if (V_ip6_hdrnestlimit && (++nest > V_ip6_hdrnestlimit)) {
654 IP6STAT_INC(ip6s_toomanyhdr);
655 error = EINVAL;
656 goto bad;
657 }
658
659 /*
660 * Protection against faulty packet - there should be
661 * more sanity checks in header chain processing.
662 */
663 if (m->m_pkthdr.len < skip) {
664 IP6STAT_INC(ip6s_tooshort);
665 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_truncated);
666 error = EINVAL;
667 goto bad;
668 }
669 /*
670 * Enforce IPsec policy checking if we are seeing last header.
671 * note that we do not visit this with protocols with pcb layer
672 * code - like udp/tcp/raw ip.
673 */
674 if ((inet6sw[ip6_protox[nxt]].pr_flags & PR_LASTHDR) != 0 &&
675 ipsec6_in_reject(m, NULL)) {
676 error = EINVAL;
677 goto bad;
678 }
679 nxt = (*inet6sw[ip6_protox[nxt]].pr_input)(&m, &skip, nxt);
680 }
681 NET_EPOCH_EXIT(et);
682 key_freesav(&sav);
683 return (0);
684 bad:
685 NET_EPOCH_EXIT(et);
686 key_freesav(&sav);
687 if (m)
688 m_freem(m);
689 return (error);
690 }
691 #endif /* INET6 */
692