📄 ah_input.c
字号:
}
if (nxt != IPPROTO_DONE) {
if ((inetsw[ip_protox[nxt]].pr_flags & PR_LASTHDR) != 0 &&
ipsec4_in_reject(m, NULL)) {
ipsecstat.in_polvio++;
goto fail;
}
#if defined(__FreeBSD__) && __FreeBSD__ >= 4
(*inetsw[ip_protox[nxt]].pr_input)(m, off);
#else
(*inetsw[ip_protox[nxt]].pr_input)(m, off, nxt);
#endif
} else
m_freem(m);
m = NULL;
}
if (sav) {
KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
printf("DP ah4_input call free SA:%p\n", sav));
key_freesav(sav);
}
ipsecstat.in_success++;
return;
fail:
if (sav) {
KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
printf("DP ah4_input call free SA:%p\n", sav));
key_freesav(sav);
}
if (m)
m_freem(m);
return;
}
#if defined(__NetBSD__) && __NetBSD_Version__ >= 105080000 /* 1.5H */
/* assumes that ip header and ah header are contiguous on mbuf */
void *
ah4_ctlinput(cmd, sa, v)
int cmd;
struct sockaddr *sa;
void *v;
{
struct ip *ip = v;
struct ah *ah;
struct icmp *icp;
struct secasvar *sav;
if (sa->sa_family != AF_INET ||
sa->sa_len != sizeof(struct sockaddr_in))
return NULL;
if ((unsigned)cmd >= PRC_NCMDS)
return NULL;
if (cmd == PRC_MSGSIZE && ip_mtudisc && ip && ip->ip_v == 4) {
/*
* Check to see if we have a valid SA corresponding to
* the address in the ICMP message payload.
*/
ah = (struct ah *)((caddr_t)ip + (ip->ip_hl << 2));
if ((sav = key_allocsa(AF_INET,
(caddr_t) &ip->ip_src,
(caddr_t) &ip->ip_dst,
IPPROTO_AH, ah->ah_spi)) == NULL)
return NULL;
if (sav->state != SADB_SASTATE_MATURE &&
sav->state != SADB_SASTATE_DYING) {
key_freesav(sav);
return NULL;
}
/* XXX Further validation? */
key_freesav(sav);
/*
* Now that we've validated that we are actually communicating
* with the host indicated in the ICMP message, locate the
* ICMP header, recalculate the new MTU, and create the
* corresponding routing entry.
*/
icp = (struct icmp *)((caddr_t)ip -
offsetof(struct icmp, icmp_ip));
icmp_mtudisc(icp, ip->ip_dst);
return NULL;
}
return NULL;
}
#endif /* NetBSD 1.5H or later */
#endif /* INET */
#ifdef INET6
int
ah6_input(mp, offp, proto)
struct mbuf **mp;
int *offp, proto;
{
struct mbuf *m = *mp;
int off = *offp;
struct ip6_hdr *ip6;
struct ah *ah;
u_int32_t spi;
const struct ah_algorithm *algo;
size_t siz;
size_t siz1;
u_char *cksum;
struct secasvar *sav = NULL;
u_int16_t nxt;
int s;
size_t stripsiz = 0;
#ifndef PULLDOWN_TEST
IP6_EXTHDR_CHECK(m, off, sizeof(struct ah), IPPROTO_DONE);
ah = (struct ah *)(mtod(m, caddr_t) + off);
#else
IP6_EXTHDR_GET(ah, struct ah *, m, off, sizeof(struct newah));
if (ah == NULL) {
ipseclog((LOG_DEBUG, "IPv6 AH input: can't pullup\n"));
ipsec6stat.in_inval++;
return IPPROTO_DONE;
}
#endif
ip6 = mtod(m, struct ip6_hdr *);
nxt = ah->ah_nxt;
/* find the sassoc. */
spi = ah->ah_spi;
if (ntohs(ip6->ip6_plen) == 0) {
ipseclog((LOG_ERR, "IPv6 AH input: "
"AH with IPv6 jumbogram is not supported.\n"));
ipsec6stat.in_inval++;
goto fail;
}
if ((sav = key_allocsa(AF_INET6,
(caddr_t)&ip6->ip6_src, (caddr_t)&ip6->ip6_dst,
IPPROTO_AH, spi)) == 0) {
ipseclog((LOG_WARNING,
"IPv6 AH input: no key association found for spi %u\n",
(u_int32_t)ntohl(spi)));
ipsec6stat.in_nosa++;
goto fail;
}
KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
printf("DP ah6_input called to allocate SA:%p\n", sav));
if (sav->state != SADB_SASTATE_MATURE
&& sav->state != SADB_SASTATE_DYING) {
ipseclog((LOG_DEBUG,
"IPv6 AH input: non-mature/dying SA found for spi %u; ",
(u_int32_t)ntohl(spi)));
ipsec6stat.in_badspi++;
goto fail;
}
algo = ah_algorithm_lookup(sav->alg_auth);
if (!algo) {
ipseclog((LOG_DEBUG, "IPv6 AH input: "
"unsupported authentication algorithm for spi %u\n",
(u_int32_t)ntohl(spi)));
ipsec6stat.in_badspi++;
goto fail;
}
siz = (*algo->sumsiz)(sav);
siz1 = ((siz + 3) & ~(4 - 1));
/*
* sanity checks for header, 1.
*/
{
int sizoff;
sizoff = (sav->flags & SADB_X_EXT_OLD) ? 0 : 4;
/*
* Here, we do not do "siz1 == siz". See ah4_input() for complete
* description.
*/
if (siz1 < siz) {
ipseclog((LOG_NOTICE, "sum length too short in IPv6 AH input "
"(%lu, should be at least %lu): %s\n",
(u_long)siz1, (u_long)siz,
ipsec6_logpacketstr(ip6, spi)));
ipsec6stat.in_inval++;
goto fail;
}
if ((ah->ah_len << 2) - sizoff != siz1) {
ipseclog((LOG_NOTICE, "sum length mismatch in IPv6 AH input "
"(%d should be %lu): %s\n",
(ah->ah_len << 2) - sizoff, (u_long)siz1,
ipsec6_logpacketstr(ip6, spi)));
ipsec6stat.in_inval++;
goto fail;
}
#ifndef PULLDOWN_TEST
IP6_EXTHDR_CHECK(m, off, sizeof(struct ah) + sizoff + siz1, IPPROTO_DONE);
#else
IP6_EXTHDR_GET(ah, struct ah *, m, off,
sizeof(struct ah) + sizoff + siz1);
if (ah == NULL) {
ipseclog((LOG_NOTICE, "couldn't pullup gather IPv6 AH checksum part"));
ipsec6stat.in_inval++;
m = NULL;
goto fail;
}
#endif
}
/*
* check for sequence number.
*/
if ((sav->flags & SADB_X_EXT_OLD) == 0 && sav->replay) {
if (ipsec_chkreplay(ntohl(((struct newah *)ah)->ah_seq), sav))
; /* okey */
else {
ipsec6stat.in_ahreplay++;
ipseclog((LOG_WARNING,
"replay packet in IPv6 AH input: %s %s\n",
ipsec6_logpacketstr(ip6, spi),
ipsec_logsastr(sav)));
goto fail;
}
}
/*
* alright, it seems sane. now we are going to check the
* cryptographic checksum.
*/
cksum = malloc(siz1, M_TEMP, M_NOWAIT);
if (!cksum) {
ipseclog((LOG_DEBUG, "IPv6 AH input: "
"couldn't alloc temporary region for cksum\n"));
ipsec6stat.in_inval++;
goto fail;
}
if (ah6_calccksum(m, (caddr_t)cksum, siz1, algo, sav)) {
free(cksum, M_TEMP);
ipsec6stat.in_inval++;
goto fail;
}
ipsec6stat.in_ahhist[sav->alg_auth]++;
{
caddr_t sumpos = NULL;
if (sav->flags & SADB_X_EXT_OLD) {
/* RFC 1826 */
sumpos = (caddr_t)(ah + 1);
} else {
/* RFC 2402 */
sumpos = (caddr_t)(((struct newah *)ah) + 1);
}
if (bcmp(sumpos, cksum, siz) != 0) {
ipseclog((LOG_WARNING,
"checksum mismatch in IPv6 AH input: %s %s\n",
ipsec6_logpacketstr(ip6, spi), ipsec_logsastr(sav)));
free(cksum, M_TEMP);
ipsec6stat.in_ahauthfail++;
goto fail;
}
}
free(cksum, M_TEMP);
m->m_flags |= M_AUTHIPHDR;
m->m_flags |= M_AUTHIPDGM;
#if 0
/*
* looks okey, but we need more sanity check.
* XXX should elaborate.
*/
if (ah->ah_nxt == IPPROTO_IPV6) {
struct ip6_hdr *nip6;
size_t sizoff;
sizoff = (sav->flags & SADB_X_EXT_OLD) ? 0 : 4;
IP6_EXTHDR_CHECK(m, off, sizeof(struct ah) + sizoff + siz1
+ sizeof(struct ip6_hdr), IPPROTO_DONE);
nip6 = (struct ip6_hdr *)((u_char *)(ah + 1) + sizoff + siz1);
if (!IN6_ARE_ADDR_EQUAL(&nip6->ip6_src, &ip6->ip6_src)
|| !IN6_ARE_ADDR_EQUAL(&nip6->ip6_dst, &ip6->ip6_dst)) {
m->m_flags &= ~M_AUTHIPHDR;
m->m_flags &= ~M_AUTHIPDGM;
}
} else if (ah->ah_nxt == IPPROTO_IPIP) {
m->m_flags &= ~M_AUTHIPHDR;
m->m_flags &= ~M_AUTHIPDGM;
} else if (ah->ah_nxt == IPPROTO_IP) {
m->m_flags &= ~M_AUTHIPHDR;
m->m_flags &= ~M_AUTHIPDGM;
}
#endif
if (m->m_flags & M_AUTHIPHDR
&& m->m_flags & M_AUTHIPDGM) {
#if 0
ipseclog((LOG_DEBUG,
"IPv6 AH input: authentication succeess\n"));
#endif
ipsec6stat.in_ahauthsucc++;
} else {
ipseclog((LOG_WARNING,
"authentication failed in IPv6 AH input: %s %s\n",
ipsec6_logpacketstr(ip6, spi), ipsec_logsastr(sav)));
ipsec6stat.in_ahauthfail++;
goto fail;
}
/*
* update sequence number.
*/
if ((sav->flags & SADB_X_EXT_OLD) == 0 && sav->replay) {
if (ipsec_updatereplay(ntohl(((struct newah *)ah)->ah_seq), sav)) {
ipsec6stat.in_ahreplay++;
goto fail;
}
}
/* was it transmitted over the IPsec tunnel SA? */
if (sav->flags & SADB_X_EXT_OLD) {
/* RFC 1826 */
stripsiz = sizeof(struct ah) + siz1;
} else {
/* RFC 2402 */
stripsiz = sizeof(struct newah) + siz1;
}
if (!ipsec_tunnel_device &&
ipsec6_tunnel_validate(m, off + stripsiz, nxt, sav)) {
/*
* strip off all the headers that precedes AH.
* IP6 xx AH IP6' payload -> IP6' payload
*
* XXX more sanity checks
* XXX relationship with gif?
*/
u_int32_t flowinfo; /* net endian */
flowinfo = ip6->ip6_flow;
m_adj(m, off + stripsiz);
if (m->m_len < sizeof(*ip6)) {
/*
* m_pullup is prohibited in KAME IPv6 input processing
* but there's no other way!
*/
m = m_pullup(m, sizeof(*ip6));
if (!m) {
ipsec6stat.in_inval++;
goto fail;
}
}
ip6 = mtod(m, struct ip6_hdr *);
/* ECN consideration. */
ip6_ecn_egress(ip6_ipsec_ecn, &flowinfo, &ip6->ip6_flow);
if (!key_checktunnelsanity(sav, AF_INET6,
(caddr_t)&ip6->ip6_src, (caddr_t)&ip6->ip6_dst)) {
ipseclog((LOG_NOTICE, "ipsec tunnel address mismatch "
"in IPv6 AH input: %s %s\n",
ipsec6_logpacketstr(ip6, spi),
ipsec_logsastr(sav)));
ipsec6stat.in_inval++;
goto fail;
}
#if 1
/*
* should the inner packet be considered authentic?
* see comment in ah4_input().
*/
m->m_flags &= ~M_AUTHIPHDR;
m->m_flags &= ~M_AUTHIPDGM;
#endif
key_sa_recordxfer(sav, m);
if (ipsec_addhist(m, IPPROTO_AH, spi) != 0 ||
ipsec_addhist(m, IPPROTO_IPV6, 0) != 0) {
ipsec6stat.in_nomem++;
goto fail;
}
s = splimp();
if (IF_QFULL(&ip6intrq)) {
ipsec6stat.in_inval++;
splx(s);
goto fail;
}
IF_ENQUEUE(&ip6intrq, m);
m = NULL;
schednetisr(NETISR_IPV6); /* can be skipped but to make sure */
splx(s);
nxt = IPPROTO_DONE;
} else {
/*
* strip off AH.
*/
char *prvnxtp;
/*
* Copy the value of the next header field of AH to the
* next header field of the previous header.
* This is necessary because AH will be stripped off below.
*/
prvnxtp = ip6_get_prevhdr(m, off); /* XXX */
*prvnxtp = nxt;
ip6 = mtod(m, struct ip6_hdr *);
#ifndef PULLDOWN_TEST
/*
* We do deep-copy since KAME requires that
* the packet is placed in a single mbuf.
*/
ovbcopy((caddr_t)ip6, ((caddr_t)ip6) + stripsiz, off);
m->m_data += stripsiz;
m->m_len -= stripsiz;
m->m_pkthdr.len -= stripsiz;
#else
/*
* even in m_pulldown case, we need to strip off AH so that
* we can compute checksum for multiple AH correctly.
*/
if (m->m_len >= stripsiz + off) {
ovbcopy((caddr_t)ip6, ((caddr_t)ip6) + stripsiz, off);
m->m_data += stripsiz;
m->m_len -= stripsiz;
m->m_pkthdr.len -= stripsiz;
} else {
/*
* this comes with no copy if the boundary is on
* cluster
*/
struct mbuf *n;
n = m_split(m, off, M_DONTWAIT);
if (n == NULL) {
/* m is retained by m_split */
goto fail;
}
m_adj(n, stripsiz);
m_cat(m, n);
/* m_cat does not update m_pkthdr.len */
m->m_pkthdr.len += n->m_pkthdr.len;
}
#endif
ip6 = mtod(m, struct ip6_hdr *);
/* XXX jumbogram */
ip6->ip6_plen = htons(ntohs(ip6->ip6_plen) - stripsiz);
key_sa_recordxfer(sav, m);
if (ipsec_addhist(m, IPPROTO_AH, spi) != 0) {
ipsec6stat.in_nomem++;
goto fail;
}
}
*offp = off;
*mp = m;
if (sav) {
KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
printf("DP ah6_input call free SA:%p\n", sav));
key_freesav(sav);
}
ipsec6stat.in_success++;
return nxt;
fail:
if (sav) {
KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
printf("DP ah6_input call free SA:%p\n", sav));
key_freesav(sav);
}
if (m)
m_freem(m);
return IPPROTO_DONE;
}
void
ah6_ctlinput(cmd, sa, d)
int cmd;
struct sockaddr *sa;
void *d;
{
const struct newah *ahp;
struct newah ah;
struct secasvar *sav;
struct ip6_hdr *ip6;
struct mbuf *m;
struct ip6ctlparam *ip6cp = NULL;
int off=0;
struct sockaddr_in6 sa6_src, sa6_dst;
if (sa->sa_family != AF_INET6 ||
sa->sa_len != sizeof(struct sockaddr_in6))
return;
if ((unsigned)cmd >= PRC_NCMDS)
return;
/* if the parameter is from icmp6, decode it. */
if (d != NULL) {
ip6cp = (struct ip6ctlparam *)d;
m = ip6cp->ip6c_m;
ip6 = ip6cp->ip6c_ip6;
off = ip6cp->ip6c_off;
} else {
m = NULL;
ip6 = NULL;
}
if (ip6) {
/*
* XXX: We assume that when ip6 is non NULL,
* M and OFF are valid.
*/
/* check if we can safely examine src and dst ports */
if (m->m_pkthdr.len < off + sizeof(ah))
return;
if (m->m_len < off + sizeof(ah)) {
/*
* this should be rare case,
* so we compromise on this copy...
*/
m_copydata(m, off, sizeof(ah), (caddr_t)&ah);
ahp = &ah;
} else
ahp = (struct newah *)(mtod(m, caddr_t) + off);
if (cmd == PRC_MSGSIZE) {
int valid = 0;
/*
* Check to see if we have a valid SA corresponding to
* the address in the ICMP message payload.
*/
sav = key_allocsa(AF_INET6,
(caddr_t)&sa6_src.sin6_addr,
(caddr_t)&sa6_dst.sin6_addr,
IPPROTO_AH, ahp->ah_spi);
if (sav) {
if (sav->state == SADB_SASTATE_MATURE ||
sav->state == SADB_SASTATE_DYING)
valid++;
key_freesav(sav);
}
/* XXX Further validation? */
/*
* Depending on the value of "valid" and routing table
* size (mtudisc_{hi,lo}wat), we will:
* - recalcurate the new MTU and create the
* corresponding routing entry, or
* - ignore the MTU change notification.
*/
icmp6_mtudisc_update((struct ip6ctlparam *)d, valid);
}
/* we normally notify single pcb here */
} else {
/* we normally notify any pcb here */
}
}
#endif /* INET6 */
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -