diff options
Diffstat (limited to 'sys/netinet6/esp_input.c')
-rw-r--r-- | sys/netinet6/esp_input.c | 613 |
1 files changed, 222 insertions, 391 deletions
diff --git a/sys/netinet6/esp_input.c b/sys/netinet6/esp_input.c index ef55069..48de49c 100644 --- a/sys/netinet6/esp_input.c +++ b/sys/netinet6/esp_input.c @@ -1,3 +1,6 @@ +/* $FreeBSD$ */ +/* $KAME: esp_input.c,v 1.25 2000/05/08 08:04:30 itojun Exp $ */ + /* * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. * All rights reserved. @@ -25,8 +28,6 @@ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. - * - * $FreeBSD$ */ /* @@ -35,7 +36,6 @@ #include "opt_inet.h" #include "opt_inet6.h" -#include "opt_ipsec.h" #include <sys/param.h> #include <sys/systm.h> @@ -63,49 +63,57 @@ #endif #ifdef INET6 -#include <netinet6/ip6.h> +#include <netinet/ip6.h> #include <netinet6/ip6_var.h> -#include <netinet6/icmp6.h> +#include <netinet/icmp6.h> #endif #include <netinet6/ipsec.h> -#include <netinet6/ah.h> #ifdef INET6 #include <netinet6/ipsec6.h> +#endif +#include <netinet6/ah.h> +#ifdef INET6 #include <netinet6/ah6.h> #endif -#ifdef IPSEC_ESP #include <netinet6/esp.h> #ifdef INET6 #include <netinet6/esp6.h> #endif -#endif #include <netkey/key.h> #include <netkey/keydb.h> #ifdef IPSEC_DEBUG #include <netkey/key_debug.h> #else -#define KEYDEBUG(lev,arg) +#define KEYDEBUG(lev,arg) #endif -#include <netinet/ipprotosw.h> - #include <machine/stdarg.h> #include <net/net_osdep.h> +#define IPLEN_FLIPPED + #ifdef INET +#include <netinet/ipprotosw.h> extern struct ipprotosw inetsw[]; +#define ESPMAXLEN \ + (sizeof(struct esp) < sizeof(struct newesp) \ + ? sizeof(struct newesp) : sizeof(struct esp)) + void -esp4_input(m, off, proto) +#if __STDC__ +esp4_input(struct mbuf *m, ...) +#else +esp4_input(m, va_alist) struct mbuf *m; - int off, proto; - + va_dcl +#endif { struct ip *ip; struct esp *esp; - struct esptail *esptail; + struct esptail esptail; u_int32_t spi; struct secasvar *sav = NULL; size_t taillen; @@ -115,19 +123,27 @@ esp4_input(m, off, proto) size_t hlen; size_t esplen; int s; + va_list ap; + int off, proto; + + va_start(ap, m); + off = va_arg(ap, int); + proto = va_arg(ap, int); + va_end(ap); /* sanity check for alignment. */ if (off % 4 != 0 || m->m_pkthdr.len % 4 != 0) { - printf("IPv4 ESP input: packet alignment problem " - "(off=%d, pktlen=%d)\n", off, m->m_pkthdr.len); + ipseclog((LOG_ERR, "IPv4 ESP input: packet alignment problem " + "(off=%d, pktlen=%d)\n", off, m->m_pkthdr.len)); ipsecstat.in_inval++; goto bad; } - if (m->m_len < off + sizeof(struct esp)) { - m = m_pullup(m, off + sizeof(struct esp)); + if (m->m_len < off + ESPMAXLEN) { + m = m_pullup(m, off + ESPMAXLEN); if (!m) { - printf("IPv4 ESP input: can't pullup in esp4_input\n"); + ipseclog((LOG_DEBUG, + "IPv4 ESP input: can't pullup in esp4_input\n")); ipsecstat.in_inval++; goto bad; } @@ -147,9 +163,9 @@ esp4_input(m, off, proto) if ((sav = key_allocsa(AF_INET, (caddr_t)&ip->ip_src, (caddr_t)&ip->ip_dst, IPPROTO_ESP, spi)) == 0) { - printf("IPv4 ESP input: no key association found for spi %u;" - "dropping the packet for simplicity\n", - (u_int32_t)ntohl(spi)); + ipseclog((LOG_WARNING, + "IPv4 ESP input: no key association found for spi %u\n", + (u_int32_t)ntohl(spi))); ipsecstat.in_nosa++; goto bad; } @@ -157,17 +173,16 @@ esp4_input(m, off, proto) printf("DP esp4_input called to allocate SA:%p\n", sav)); if (sav->state != SADB_SASTATE_MATURE && sav->state != SADB_SASTATE_DYING) { - printf("IPv4 ESP input: non-mature/dying SA found for spi %u; " - "dropping the packet for simplicity\n", - (u_int32_t)ntohl(spi)); + ipseclog((LOG_DEBUG, + "IPv4 ESP input: non-mature/dying SA found for spi %u\n", + (u_int32_t)ntohl(spi))); ipsecstat.in_badspi++; goto bad; } if (sav->alg_enc == SADB_EALG_NONE) { - printf("IPv4 ESP input: unspecified encryption algorithm " - "for spi %u;" - "dropping the packet for simplicity\n", - (u_int32_t)ntohl(spi)); + ipseclog((LOG_DEBUG, "IPv4 ESP input: " + "unspecified encryption algorithm for spi %u\n", + (u_int32_t)ntohl(spi))); ipsecstat.in_badspi++; goto bad; } @@ -177,9 +192,8 @@ esp4_input(m, off, proto) /* check if we have proper ivlen information */ ivlen = sav->ivlen; if (ivlen < 0) { - log(LOG_NOTICE, "inproper ivlen in IPv4 ESP input: %s %s\n", - ipsec4_logpacketstr(ip, spi), - ipsec_logsastr(sav)); + ipseclog((LOG_ERR, "inproper ivlen in IPv4 ESP input: %s %s\n", + ipsec4_logpacketstr(ip, spi), ipsec_logsastr(sav))); ipsecstat.in_inval++; goto bad; } @@ -198,16 +212,14 @@ esp4_input(m, off, proto) ; /*okey*/ else { ipsecstat.in_espreplay++; - log(LOG_AUTH, "replay packet in IPv4 ESP input: %s %s\n", - ipsec4_logpacketstr(ip, spi), - ipsec_logsastr(sav)); + ipseclog((LOG_WARNING, + "replay packet in IPv4 ESP input: %s %s\n", + ipsec4_logpacketstr(ip, spi), ipsec_logsastr(sav))); goto bad; } /* check ICV */ { - struct mbuf *n; - int len; u_char sum0[AH_MAXSUMSIZE]; u_char sum[AH_MAXSUMSIZE]; struct ah_algorithm *sumalgo; @@ -216,49 +228,37 @@ esp4_input(m, off, proto) sumalgo = &ah_algorithms[sav->alg_auth]; siz = (((*sumalgo->sumsiz)(sav) + 3) & ~(4 - 1)); if (AH_MAXSUMSIZE < siz) { - printf("internal error: AH_MAXSUMSIZE must be larger than %lu\n", - (u_long)siz); + ipseclog((LOG_DEBUG, + "internal error: AH_MAXSUMSIZE must be larger than %lu\n", + (u_long)siz)); ipsecstat.in_inval++; goto bad; } - n = m; - len = m->m_pkthdr.len; - len -= siz; - while (n && 0 < len) { - if (len < n->m_len) - break; - len -= n->m_len; - n = n->m_next; - } - if (!n) { - printf("mbuf chain problem?\n"); - ipsecstat.in_inval++; - goto bad; - } - m_copydata(n, len, siz, &sum0[0]); + m_copydata(m, m->m_pkthdr.len - siz, siz, &sum0[0]); if (esp_auth(m, off, m->m_pkthdr.len - off - siz, sav, sum)) { - log(LOG_AUTH, "auth fail in IPv4 ESP input: %s %s\n", - ipsec4_logpacketstr(ip, spi), - ipsec_logsastr(sav)); + ipseclog((LOG_WARNING, "auth fail in IPv4 ESP input: %s %s\n", + ipsec4_logpacketstr(ip, spi), ipsec_logsastr(sav))); ipsecstat.in_espauthfail++; goto bad; } if (bcmp(sum0, sum, siz) != 0) { - log(LOG_AUTH, "auth fail in IPv4 ESP input: %s %s\n", - ipsec4_logpacketstr(ip, spi), - ipsec_logsastr(sav)); + ipseclog((LOG_WARNING, "auth fail in IPv4 ESP input: %s %s\n", + ipsec4_logpacketstr(ip, spi), ipsec_logsastr(sav))); ipsecstat.in_espauthfail++; goto bad; } - /* strip off */ - m->m_pkthdr.len -= siz; - n->m_len -= siz; + /* strip off the authentication data */ + m_adj(m, -siz); ip = mtod(m, struct ip *); +#ifdef IPLEN_FLIPPED ip->ip_len = ip->ip_len - siz; +#else + ip->ip_len = htons(ntohs(ip->ip_len) - siz); +#endif m->m_flags |= M_AUTHIPDGM; ipsecstat.in_espauthsucc++; } @@ -267,7 +267,10 @@ esp4_input(m, off, proto) * update sequence number. */ if ((sav->flags & SADB_X_EXT_OLD) == 0 && sav->replay) { - (void)ipsec_updatereplay(ntohl(((struct newesp *)esp)->esp_seq), sav); + if (ipsec_updatereplay(ntohl(((struct newesp *)esp)->esp_seq), sav)) { + ipsecstat.in_espreplay++; + goto bad; + } } noreplaycheck: @@ -284,10 +287,18 @@ noreplaycheck: esplen = sizeof(struct newesp); } + if (m->m_pkthdr.len < off + esplen + ivlen + sizeof(esptail)) { + ipseclog((LOG_WARNING, + "IPv4 ESP input: packet too short\n")); + ipsecstat.in_inval++; + goto bad; + } + if (m->m_len < off + esplen + ivlen) { m = m_pullup(m, off + esplen + ivlen); if (!m) { - printf("IPv4 ESP input: can't pullup in esp4_input\n"); + ipseclog((LOG_DEBUG, + "IPv4 ESP input: can't pullup in esp4_input\n")); ipsecstat.in_inval++; goto bad; } @@ -300,9 +311,8 @@ noreplaycheck: if (!algo->decrypt) panic("internal error: no decrypt function"); if ((*algo->decrypt)(m, off, sav, algo, ivlen)) { - log(LOG_AUTH, "decrypt fail in IPv4 ESP input: %s %s\n", - ipsec4_logpacketstr(ip, spi), - ipsec_logsastr(sav)); + ipseclog((LOG_ERR, "decrypt fail in IPv4 ESP input: %s %s\n", + ipsec4_logpacketstr(ip, spi), ipsec_logsastr(sav))); ipsecstat.in_inval++; goto bad; } @@ -311,145 +321,34 @@ noreplaycheck: m->m_flags |= M_DECRYPTED; } -#ifdef garbled_data_found_on_mbuf_after_packet - { - /* - * For simplicity, we'll trim the packet so that there's no extra - * part appended after IP packet. - * This is rare case for some odd drivers, so there should be no - * performance hit. - */ - - /* - * Note that, in ip_input, ip_len was already flipped and header - * length was subtracted from ip_len. - */ - if (m->m_pkthdr.len != hlen + ip->ip_len) - { - size_t siz; - struct mbuf *n; - - siz = hlen + ip->ip_len; - - /* find the final mbuf */ - for (n = m; n; n = n->m_next) { - if (n->m_len < siz) - siz -= n->m_len; - else - break; - } - if (!n) { - printf("invalid packet\n"); - ipsecstat.in_inval++; - goto bad; - } - - /* trim the final mbuf */ - if (n->m_len < siz) { - printf("invalid size: %d %d\n", n->m_len, siz); - ipsecstat.in_inval++; - goto bad; - } - n->m_len = siz; - - /* dispose the rest of the packet */ - m_freem(n->m_next); - n->m_next = NULL; - - m->m_pkthdr.len = hlen + ip->ip_len; - } - } -#endif - - { /* * find the trailer of the ESP. */ - struct mbuf *n; /*the last mbuf on the mbuf chain, m_len > 0 */ - struct mbuf *o; /*the last mbuf on the mbuf chain */ - - o = m; - n = NULL; - while (o) { - if (0 < o->m_len) - n = o; - o = o->m_next; - } - if (!n || n->m_len < sizeof(struct esptail)) { - printf("IPv4 ESP input: assertion on pad part failed; " - "dropping the packet\n"); - ipsecstat.in_inval++; - goto bad; - } - - esptail = (struct esptail *) - (mtod(n, u_int8_t *) + n->m_len - sizeof(struct esptail)); - nxt = esptail->esp_nxt; - taillen = esptail->esp_padlen + 2; + m_copydata(m, m->m_pkthdr.len - sizeof(esptail), sizeof(esptail), + (caddr_t)&esptail); + nxt = esptail.esp_nxt; + taillen = esptail.esp_padlen + sizeof(esptail); if (m->m_pkthdr.len < taillen || m->m_pkthdr.len - taillen < hlen) { /*?*/ - log(LOG_NOTICE, "bad pad length in IPv4 ESP input: %s %s\n", - ipsec4_logpacketstr(ip, spi), - ipsec_logsastr(sav)); + ipseclog((LOG_WARNING, + "bad pad length in IPv4 ESP input: %s %s\n", + ipsec4_logpacketstr(ip, spi), ipsec_logsastr(sav))); ipsecstat.in_inval++; goto bad; } - /* - * strip off the trailing pad area. - */ - if (taillen < n->m_len) { - /* trailing pad data is included in the last mbuf item. */ - n->m_len -= taillen; - m->m_pkthdr.len -= taillen; - } else { - /* trailing pad data spans on multiple mbuf item. */ - size_t siz; - - siz = m->m_pkthdr.len; - if (siz < taillen) { - log(LOG_NOTICE, "bad packet length in IPv4 ESP input: %s %s\n", - ipsec4_logpacketstr(ip, spi), - ipsec_logsastr(sav)); - ipsecstat.in_inval++; - goto bad; - } - siz -= taillen; - - /* find the final mbuf */ - for (n = m; n; n = n->m_next) { - if (n->m_len < siz) - siz -= n->m_len; - else - break; - } - if (!n) { - printf("invalid packet\n"); - ipsecstat.in_inval++; - goto bad; - } - - /* trim the final mbuf */ - if (n->m_len < siz) { - printf("invalid size: %d %lu\n", n->m_len, (u_long)siz); - ipsecstat.in_inval++; - goto bad; - } - n->m_len = siz; - - /* dispose the rest of the packet */ - m_freem(n->m_next); - n->m_next = NULL; - - m->m_pkthdr.len -= taillen; - } + /* strip off the trailing pad area. */ + m_adj(m, -taillen); +#ifdef IPLEN_FLIPPED ip->ip_len = ip->ip_len - taillen; - } +#else + ip->ip_len = htons(ntohs(ip->ip_len) - taillen); +#endif /* was it transmitted over the IPsec tunnel SA? */ - if (ipsec4_tunnel_validate(ip, nxt, sav) && nxt == IPPROTO_IPV4) { + if (ipsec4_tunnel_validate(ip, nxt, sav)) { /* * strip off all the headers that precedes ESP header. * IP4 xx ESP IP4' payload -> IP4' payload @@ -457,11 +356,9 @@ noreplaycheck: * XXX more sanity checks * XXX relationship with gif? */ - struct ip oip; /* for debug */ u_int8_t tos; tos = ip->ip_tos; - bcopy(mtod(m, struct ip *), &oip, sizeof(oip)); /* for debug */ m_adj(m, off + esplen + ivlen); if (m->m_len < sizeof(*ip)) { m = m_pullup(m, sizeof(*ip)); @@ -475,13 +372,21 @@ noreplaycheck: ip_ecn_egress(ip4_ipsec_ecn, &tos, &ip->ip_tos); if (!key_checktunnelsanity(sav, AF_INET, (caddr_t)&ip->ip_src, (caddr_t)&ip->ip_dst)) { - log(LOG_NOTICE, "ipsec tunnel address mismatch in IPv4 ESP input: %s %s\n", - ipsec4_logpacketstr(ip, spi), - ipsec_logsastr(sav)); + ipseclog((LOG_ERR, "ipsec tunnel address mismatch " + "in IPv4 ESP input: %s %s\n", + ipsec4_logpacketstr(ip, spi), ipsec_logsastr(sav))); ipsecstat.in_inval++; goto bad; } +#if 0 /* XXX should call ipfw rather than ipsec_in_reject, shouldn't it ? */ + /* drop it if it does not match the default policy */ + if (ipsec4_in_reject(m, NULL)) { + ipsecstat.in_polvio++; + goto bad; + } +#endif + key_sa_recordxfer(sav, m); s = splimp(); @@ -497,8 +402,8 @@ noreplaycheck: } else { /* * strip off ESP header and IV. - * We do deep-copy since KAME requires packet to be placed - * in a single mbuf. + * even in m_pulldown case, we need to strip off ESP so that + * we can always compute checksum for AH correctly. */ size_t stripsiz; @@ -511,7 +416,11 @@ noreplaycheck: m->m_pkthdr.len -= stripsiz; ip = mtod(m, struct ip *); +#ifdef IPLEN_FLIPPED ip->ip_len = ip->ip_len - stripsiz; +#else + ip->ip_len = htons(ntohs(ip->ip_len) - stripsiz); +#endif ip->ip_p = nxt; key_sa_recordxfer(sav, m); @@ -553,7 +462,7 @@ esp6_input(mp, offp, proto) int off = *offp; struct ip6_hdr *ip6; struct esp *esp; - struct esptail *esptail; + struct esptail esptail; u_int32_t spi; struct secasvar *sav = NULL; size_t taillen; @@ -565,19 +474,27 @@ esp6_input(mp, offp, proto) /* sanity check for alignment. */ if (off % 4 != 0 || m->m_pkthdr.len % 4 != 0) { - printf("IPv6 ESP input: packet alignment problem " - "(off=%d, pktlen=%d)\n", off, m->m_pkthdr.len); + ipseclog((LOG_ERR, "IPv6 ESP input: packet alignment problem " + "(off=%d, pktlen=%d)\n", off, m->m_pkthdr.len)); ipsec6stat.in_inval++; goto bad; } - IP6_EXTHDR_CHECK(m, off, sizeof(struct esp), IPPROTO_DONE); - +#ifndef PULLDOWN_TEST + IP6_EXTHDR_CHECK(m, off, ESPMAXLEN, IPPROTO_DONE); + esp = (struct esp *)(mtod(m, caddr_t) + off); +#else + IP6_EXTHDR_GET(esp, struct esp *, m, off, ESPMAXLEN); + if (esp == NULL) { + ipsec6stat.in_inval++; + return IPPROTO_DONE; + } +#endif ip6 = mtod(m, struct ip6_hdr *); - esp = (struct esp *)(((u_int8_t *)ip6) + off); if (ntohs(ip6->ip6_plen) == 0) { - printf("IPv6 ESP input: ESP with IPv6 jumbogram is not supported.\n"); + ipseclog((LOG_ERR, "IPv6 ESP input: " + "ESP with IPv6 jumbogram is not supported.\n")); ipsec6stat.in_inval++; goto bad; } @@ -588,9 +505,9 @@ esp6_input(mp, offp, proto) if ((sav = key_allocsa(AF_INET6, (caddr_t)&ip6->ip6_src, (caddr_t)&ip6->ip6_dst, IPPROTO_ESP, spi)) == 0) { - printf("IPv6 ESP input: no key association found for spi %u;" - "dropping the packet for simplicity\n", - (u_int32_t)ntohl(spi)); + ipseclog((LOG_WARNING, + "IPv6 ESP input: no key association found for spi %u\n", + (u_int32_t)ntohl(spi))); ipsec6stat.in_nosa++; goto bad; } @@ -598,17 +515,16 @@ esp6_input(mp, offp, proto) printf("DP esp6_input called to allocate SA:%p\n", sav)); if (sav->state != SADB_SASTATE_MATURE && sav->state != SADB_SASTATE_DYING) { - printf("IPv6 ESP input: non-mature/dying SA found for spi %u; " - "dropping the packet for simplicity\n", - (u_int32_t)ntohl(spi)); + ipseclog((LOG_DEBUG, + "IPv6 ESP input: non-mature/dying SA found for spi %u\n", + (u_int32_t)ntohl(spi))); ipsec6stat.in_badspi++; goto bad; } if (sav->alg_enc == SADB_EALG_NONE) { - printf("IPv6 ESP input: unspecified encryption algorithm " - "for spi %u;" - "dropping the packet for simplicity\n", - (u_int32_t)ntohl(spi)); + ipseclog((LOG_DEBUG, "IPv6 ESP input: " + "unspecified encryption algorithm for spi %u\n", + (u_int32_t)ntohl(spi))); ipsec6stat.in_badspi++; goto bad; } @@ -618,9 +534,8 @@ esp6_input(mp, offp, proto) /* check if we have proper ivlen information */ ivlen = sav->ivlen; if (ivlen < 0) { - log(LOG_NOTICE, "inproper ivlen in IPv6 ESP input: %s %s\n", - ipsec6_logpacketstr(ip6, spi), - ipsec_logsastr(sav)); + ipseclog((LOG_ERR, "inproper ivlen in IPv6 ESP input: %s %s\n", + ipsec6_logpacketstr(ip6, spi), ipsec_logsastr(sav))); ipsec6stat.in_badspi++; goto bad; } @@ -639,16 +554,14 @@ esp6_input(mp, offp, proto) ; /*okey*/ else { ipsec6stat.in_espreplay++; - log(LOG_AUTH, "replay packet in IPv6 ESP input: %s %s\n", - ipsec6_logpacketstr(ip6, spi), - ipsec_logsastr(sav)); + ipseclog((LOG_WARNING, + "replay packet in IPv6 ESP input: %s %s\n", + ipsec6_logpacketstr(ip6, spi), ipsec_logsastr(sav))); goto bad; } /* check ICV */ { - struct mbuf *n; - size_t len; u_char sum0[AH_MAXSUMSIZE]; u_char sum[AH_MAXSUMSIZE]; struct ah_algorithm *sumalgo; @@ -657,47 +570,31 @@ esp6_input(mp, offp, proto) sumalgo = &ah_algorithms[sav->alg_auth]; siz = (((*sumalgo->sumsiz)(sav) + 3) & ~(4 - 1)); if (AH_MAXSUMSIZE < siz) { - printf("internal error: AH_MAXSUMSIZE must be larger than %lu\n", - (u_long)siz); + ipseclog((LOG_DEBUG, + "internal error: AH_MAXSUMSIZE must be larger than %lu\n", + (u_long)siz)); ipsec6stat.in_inval++; goto bad; } - n = m; - len = m->m_pkthdr.len; - len -= siz; /*XXX*/ - while (n && 0 < len) { - if (len < n->m_len) - break; - len -= n->m_len; - n = n->m_next; - } - if (!n) { - printf("mbuf chain problem?\n"); - ipsec6stat.in_inval++; - goto bad; - } - m_copydata(n, len, siz, &sum0[0]); + m_copydata(m, m->m_pkthdr.len - siz, siz, &sum0[0]); if (esp_auth(m, off, m->m_pkthdr.len - off - siz, sav, sum)) { - log(LOG_AUTH, "auth fail in IPv6 ESP input: %s %s\n", - ipsec6_logpacketstr(ip6, spi), - ipsec_logsastr(sav)); + ipseclog((LOG_WARNING, "auth fail in IPv6 ESP input: %s %s\n", + ipsec6_logpacketstr(ip6, spi), ipsec_logsastr(sav))); ipsec6stat.in_espauthfail++; goto bad; } if (bcmp(sum0, sum, siz) != 0) { - log(LOG_AUTH, "auth fail in IPv6 ESP input: %s %s\n", - ipsec6_logpacketstr(ip6, spi), - ipsec_logsastr(sav)); + ipseclog((LOG_WARNING, "auth fail in IPv6 ESP input: %s %s\n", + ipsec6_logpacketstr(ip6, spi), ipsec_logsastr(sav))); ipsec6stat.in_espauthfail++; goto bad; } - /* strip off */ - m->m_pkthdr.len -= siz; - n->m_len -= siz; + /* strip off the authentication data */ + m_adj(m, -siz); ip6 = mtod(m, struct ip6_hdr *); ip6->ip6_plen = htons(ntohs(ip6->ip6_plen) - siz); @@ -709,7 +606,10 @@ esp6_input(mp, offp, proto) * update sequence number. */ if ((sav->flags & SADB_X_EXT_OLD) == 0 && sav->replay) { - (void)ipsec_updatereplay(ntohl(((struct newesp *)esp)->esp_seq), sav); + if (ipsec_updatereplay(ntohl(((struct newesp *)esp)->esp_seq), sav)) { + ipsec6stat.in_espreplay++; + goto bad; + } } noreplaycheck: @@ -726,7 +626,24 @@ noreplaycheck: esplen = sizeof(struct newesp); } + if (m->m_pkthdr.len < off + esplen + ivlen + sizeof(esptail)) { + ipseclog((LOG_WARNING, + "IPv6 ESP input: packet too short\n")); + ipsec6stat.in_inval++; + goto bad; + } + +#ifndef PULLDOWN_TEST IP6_EXTHDR_CHECK(m, off, esplen + ivlen, IPPROTO_DONE); /*XXX*/ +#else + IP6_EXTHDR_GET(esp, struct esp *, m, off, esplen + ivlen); + if (esp == NULL) { + ipsec6stat.in_inval++; + m = NULL; + goto bad; + } +#endif + ip6 = mtod(m, struct ip6_hdr *); /*set it again just in case*/ /* * decrypt the packet. @@ -734,9 +651,8 @@ noreplaycheck: if (!algo->decrypt) panic("internal error: no decrypt function"); if ((*algo->decrypt)(m, off, sav, algo, ivlen)) { - log(LOG_AUTH, "decrypt fail in IPv6 ESP input: %s %s\n", - ipsec6_logpacketstr(ip6, spi), - ipsec_logsastr(sav)); + ipseclog((LOG_ERR, "decrypt fail in IPv6 ESP input: %s %s\n", + ipsec6_logpacketstr(ip6, spi), ipsec_logsastr(sav))); ipsec6stat.in_inval++; goto bad; } @@ -744,145 +660,30 @@ noreplaycheck: m->m_flags |= M_DECRYPTED; -#ifdef garbled_data_found_on_mbuf_after_packet - { - /* - * For simplicity, we'll trim the packet so that there's no extra - * part appended after IP packet. - * This is rare case for some odd drivers, so there should be no - * performance hit. - */ - - /* - * Note that, in ip_input, ip_len was already flipped and header - * length was subtracted from ip_len. - */ - if (m->m_pkthdr.len != hlen + ip->ip_len) - { - size_t siz; - struct mbuf *n; - - siz = hlen + ip->ip_len; - - /* find the final mbuf */ - for (n = m; n; n = n->m_next) { - if (n->m_len < siz) - siz -= n->m_len; - else - break; - } - if (!n) { - printf("invalid packet\n"); - ipsec6stat.in_inval++; - goto bad; - } - - /* trim the final mbuf */ - if (n->m_len < siz) { - printf("invalid size: %d %d\n", n->m_len, siz); - ipsec6stat.in_inval++; - goto bad; - } - n->m_len = siz; - - /* dispose the rest of the packet */ - m_freem(n->m_next); - n->m_next = NULL; - - m->m_pkthdr.len = hlen + ip->ip_len; - } - } -#endif - - { /* * find the trailer of the ESP. */ - struct mbuf *n; /*the last mbuf on the mbuf chain, m_len > 0 */ - struct mbuf *o; /*the last mbuf on the mbuf chain */ - - o = m; - n = NULL; - while (o) { - if (0 < o->m_len) - n = o; - o = o->m_next; - } - if (!n || n->m_len < sizeof(struct esptail)) { - printf("IPv6 ESP input: assertion on pad part failed; " - "dropping the packet\n"); - ipsec6stat.in_inval++; - goto bad; - } - - esptail = (struct esptail *) - (mtod(n, u_int8_t *) + n->m_len - sizeof(struct esptail)); - nxt = esptail->esp_nxt; - taillen = esptail->esp_padlen + 2; + m_copydata(m, m->m_pkthdr.len - sizeof(esptail), sizeof(esptail), + (caddr_t)&esptail); + nxt = esptail.esp_nxt; + taillen = esptail.esp_padlen + sizeof(esptail); if (m->m_pkthdr.len < taillen || m->m_pkthdr.len - taillen < sizeof(struct ip6_hdr)) { /*?*/ - log(LOG_NOTICE, "bad pad length in IPv6 ESP input: %s %s\n", - ipsec6_logpacketstr(ip6, spi), - ipsec_logsastr(sav)); + ipseclog((LOG_WARNING, + "bad pad length in IPv6 ESP input: %s %s\n", + ipsec6_logpacketstr(ip6, spi), ipsec_logsastr(sav))); ipsec6stat.in_inval++; goto bad; } - /* - * XXX strip off the padding. - */ - if (taillen < n->m_len) { - /* trailing pad data is included in the last mbuf item. */ - n->m_len -= taillen; - m->m_pkthdr.len -= taillen; - } else { - /* trailing pad data spans on multiple mbuf item. */ - size_t siz; - - siz = m->m_pkthdr.len; - if (siz < taillen) { - log(LOG_NOTICE, "bad packet length in IPv6 ESP input: %s %s\n", - ipsec6_logpacketstr(ip6, spi), - ipsec_logsastr(sav)); - ipsec6stat.in_inval++; - goto bad; - } - siz -= taillen; - - /* find the final mbuf */ - for (n = m; n; n = n->m_next) { - if (n->m_len < siz) - siz -= n->m_len; - else - break; - } - if (!n) { - printf("invalid packet\n"); - ipsec6stat.in_inval++; - goto bad; - } - - /* trim the final mbuf */ - if (n->m_len < siz) { - printf("invalid size: %d %lu\n", n->m_len, (u_long)siz); - ipsec6stat.in_inval++; - goto bad; - } - n->m_len = siz; - - /* dispose the rest of the packet */ - m_freem(n->m_next); - n->m_next = NULL; - - m->m_pkthdr.len -= taillen; - } + /* strip off the trailing pad area. */ + m_adj(m, -taillen); ip6->ip6_plen = htons(ntohs(ip6->ip6_plen) - taillen); - } /* was it transmitted over the IPsec tunnel SA? */ - if (ipsec6_tunnel_validate(ip6, nxt, sav) && nxt == IPPROTO_IPV6) { + if (ipsec6_tunnel_validate(ip6, nxt, sav)) { /* * strip off all the headers that precedes ESP header. * IP6 xx ESP IP6' payload -> IP6' payload @@ -894,10 +695,14 @@ noreplaycheck: flowinfo = ip6->ip6_flow; m_adj(m, off + esplen + ivlen); if (m->m_len < sizeof(*ip6)) { +#ifndef PULLDOWN_TEST /* * m_pullup is prohibited in KAME IPv6 input processing * but there's no other way! */ +#else + /* okay to pullup in m_pulldown style */ +#endif m = m_pullup(m, sizeof(*ip6)); if (!m) { ipsec6stat.in_inval++; @@ -909,13 +714,22 @@ noreplaycheck: ip6_ecn_egress(ip6_ipsec_ecn, &flowinfo, &ip6->ip6_flow); if (!key_checktunnelsanity(sav, AF_INET6, (caddr_t)&ip6->ip6_src, (caddr_t)&ip6->ip6_dst)) { - log(LOG_NOTICE, "ipsec tunnel address mismatch in IPv6 ESP input: %s %s\n", - ipsec6_logpacketstr(ip6, spi), - ipsec_logsastr(sav)); + ipseclog((LOG_ERR, "ipsec tunnel address mismatch " + "in IPv6 ESP input: %s %s\n", + ipsec6_logpacketstr(ip6, spi), + ipsec_logsastr(sav))); ipsec6stat.in_inval++; goto bad; } +#if 0 /* XXX should call ipfw rather than ipsec_in_reject, shouldn't it ? */ + /* drop it if it does not match the default policy */ + if (ipsec6_in_reject(m, NULL)) { + ipsec6stat.in_polvio++; + goto bad; + } +#endif + key_sa_recordxfer(sav, m); s = splimp(); @@ -931,8 +745,8 @@ noreplaycheck: } else { /* * strip off ESP header and IV. - * We do deep-copy since KAME requires packet to be placed - * in a single mbuf. + * even in m_pulldown case, we need to strip off ESP so that + * we can always compute checksum for AH correctly. */ size_t stripsiz; char *prvnxtp; @@ -946,11 +760,28 @@ noreplaycheck: stripsiz = esplen + ivlen; ip6 = mtod(m, struct ip6_hdr *); - ovbcopy((caddr_t)ip6, (caddr_t)(((u_char *)ip6) + stripsiz), - off); - m->m_data += stripsiz; - m->m_len -= stripsiz; - m->m_pkthdr.len -= stripsiz; + if (m->m_len >= stripsiz + off) { + ovbcopy((caddr_t)ip6, ((caddr_t)ip6) + stripsiz, off); + m->m_data += stripsiz; + m->m_len -= stripsiz; + m->m_pkthdr.len -= stripsiz; + } else { + /* + * this comes with no copy if the boundary is on + * cluster + */ + struct mbuf *n; + + n = m_split(m, off, M_DONTWAIT); + if (n == NULL) { + /* m is retained by m_split */ + goto bad; + } + m_adj(n, stripsiz); + m_cat(m, n); + /* m_cat does not update m_pkthdr.len */ + m->m_pkthdr.len += n->m_pkthdr.len; + } ip6 = mtod(m, struct ip6_hdr *); ip6->ip6_plen = htons(ntohs(ip6->ip6_plen) - stripsiz); |