CoCalc -- xform

GitHub Repository: freebsd/freebsd-src
Path: blob/main/sys/netipsec/xform_ah.c
¹⁰⁴³⁹⁶ views
1
/*	$OpenBSD: ip_ah.c,v 1.63 2001/06/26 06:18:58 angelos Exp $ */
2
/*-
3
 * The authors of this code are John Ioannidis ([email protected]),
4
 * Angelos D. Keromytis ([email protected]) and
5
 * Niels Provos ([email protected]).
6
 *
7
 * The original version of this code was written by John Ioannidis
8
 * for BSD/OS in Athens, Greece, in November 1995.
9
 *
10
 * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996,
11
 * by Angelos D. Keromytis.
12
 *
13
 * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis
14
 * and Niels Provos.
15
 *
16
 * Additional features in 1999 by Angelos D. Keromytis and Niklas Hallqvist.
17
 *
18
 * Copyright (c) 1995, 1996, 1997, 1998, 1999 by John Ioannidis,
19
 * Angelos D. Keromytis and Niels Provos.
20
 * Copyright (c) 1999 Niklas Hallqvist.
21
 * Copyright (c) 2001 Angelos D. Keromytis.
22
 *
23
 * Permission to use, copy, and modify this software with or without fee
24
 * is hereby granted, provided that this entire notice is included in
25
 * all copies of any software which is or includes a copy or
26
 * modification of this software.
27
 * You may use this code under the GNU public license if you so wish. Please
28
 * contribute changes back to the authors under this freer than GPL license
29
 * so that we may further the use of strong encryption without limitations to
30
 * all.
31
 *
32
 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
33
 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY
34
 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
35
 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
36
 * PURPOSE.
37
 */
38
#include "opt_inet.h"
39
#include "opt_inet6.h"
40
#include "opt_ipsec.h"
41

42
#include <sys/param.h>
43
#include <sys/systm.h>
44
#include <sys/malloc.h>
45
#include <sys/mbuf.h>
46
#include <sys/socket.h>
47
#include <sys/syslog.h>
48
#include <sys/kernel.h>
49
#include <sys/lock.h>
50
#include <sys/mutex.h>
51
#include <sys/sysctl.h>
52

53
#include <net/if.h>
54
#include <net/vnet.h>
55

56
#include <netinet/in.h>
57
#include <netinet/in_systm.h>
58
#include <netinet/ip.h>
59
#include <netinet/ip_ecn.h>
60
#include <netinet/ip6.h>
61

62
#include <netipsec/ipsec.h>
63
#include <netipsec/ah.h>
64
#include <netipsec/ah_var.h>
65
#include <netipsec/xform.h>
66

67
#ifdef INET6
68
#include <netinet6/ip6_var.h>
69
#include <netipsec/ipsec6.h>
70
#include <netinet6/ip6_ecn.h>
71
#endif
72

73
#include <netipsec/key.h>
74
#include <netipsec/key_debug.h>
75

76
#include <opencrypto/cryptodev.h>
77

78
/*
79
 * Return header size in bytes.  The old protocol did not support
80
 * the replay counter; the new protocol always includes the counter.
81
 */
82
#define HDRSIZE(sav) \
83
	(((sav)->flags & SADB_X_EXT_OLD) ? \
84
		sizeof (struct ah) : sizeof (struct ah) + sizeof (u_int32_t))
85
/* 
86
 * Return authenticator size in bytes, based on a field in the
87
 * algorithm descriptor.
88
 */
89
#define	AUTHSIZE(sav)	((sav->flags & SADB_X_EXT_OLD) ? 16 :	\
90
			 xform_ah_authsize((sav)->tdb_authalgxform))
91

92
VNET_DEFINE(int, ah_enable) = 1;	/* control flow of packets with AH */
93
VNET_DEFINE(int, ah_cleartos) = 1;	/* clear ip_tos when doing AH calc */
94
VNET_PCPUSTAT_DEFINE(struct ahstat, ahstat);
95
VNET_PCPUSTAT_SYSINIT(ahstat);
96

97
#ifdef VIMAGE
98
VNET_PCPUSTAT_SYSUNINIT(ahstat);
99
#endif /* VIMAGE */
100

101
#ifdef INET
102
SYSCTL_DECL(_net_inet_ah);
103
SYSCTL_INT(_net_inet_ah, OID_AUTO, ah_enable,
104
	CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(ah_enable), 0, "");
105
SYSCTL_INT(_net_inet_ah, OID_AUTO, ah_cleartos,
106
	CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(ah_cleartos), 0, "");
107
SYSCTL_VNET_PCPUSTAT(_net_inet_ah, IPSECCTL_STATS, stats, struct ahstat,
108
    ahstat, "AH statistics (struct ahstat, netipsec/ah_var.h)");
109
#endif
110

111
static MALLOC_DEFINE(M_AH, "ah", "IPsec AH");
112

113
static unsigned char ipseczeroes[256];	/* larger than an ip6 extension hdr */
114

115
static int ah_input_cb(struct cryptop*);
116
static int ah_output_cb(struct cryptop*);
117

118
int
119
xform_ah_authsize(const struct auth_hash *esph)
120
{
121
	int alen;
122

123
	if (esph == NULL)
124
		return 0;
125

126
	switch (esph->type) {
127
	case CRYPTO_SHA2_256_HMAC:
128
	case CRYPTO_SHA2_384_HMAC:
129
	case CRYPTO_SHA2_512_HMAC:
130
		alen = esph->hashsize / 2;	/* RFC4868 2.3 */
131
		break;
132

133
	case CRYPTO_POLY1305:
134
	case CRYPTO_AES_NIST_GMAC:
135
		alen = esph->hashsize;
136
		break;
137

138
	default:
139
		alen = AH_HMAC_HASHLEN;
140
		break;
141
	}
142

143
	return alen;
144
}
145

146
size_t
147
ah_hdrsiz(struct secasvar *sav)
148
{
149
	size_t size;
150

151
	if (sav != NULL) {
152
		int authsize, rplen, align;
153

154
		IPSEC_ASSERT(sav->tdb_authalgxform != NULL, ("null xform"));
155
		/*XXX not right for null algorithm--does it matter??*/
156

157
		/* RFC4302: use the correct alignment. */
158
		align = sizeof(uint32_t);
159
#ifdef INET6
160
		if (sav->sah->saidx.dst.sa.sa_family == AF_INET6) {
161
			align = sizeof(uint64_t);
162
		}
163
#endif
164
		rplen = HDRSIZE(sav);
165
		authsize = AUTHSIZE(sav);
166
		size = roundup(rplen + authsize, align);
167
	} else {
168
		/* default guess */
169
		size = sizeof (struct ah) + sizeof (u_int32_t) + 16;
170
	}
171
	return size;
172
}
173

174
/*
175
 * NB: public for use by esp_init.
176
 */
177
int
178
ah_init0(struct secasvar *sav, struct xformsw *xsp,
179
    struct crypto_session_params *csp)
180
{
181
	const struct auth_hash *thash;
182
	int keylen;
183

184
	thash = auth_algorithm_lookup(sav->alg_auth);
185
	if (thash == NULL) {
186
		DPRINTF(("%s: unsupported authentication algorithm %u\n",
187
			__func__, sav->alg_auth));
188
		return EINVAL;
189
	}
190

191
	/*
192
	 * Verify the replay state block allocation is consistent with
193
	 * the protocol type.  We check here so we can make assumptions
194
	 * later during protocol processing.
195
	 */
196
	/* NB: replay state is setup elsewhere (sigh) */
197
	if (((sav->flags&SADB_X_EXT_OLD) == 0) ^ (sav->replay != NULL)) {
198
		DPRINTF(("%s: replay state block inconsistency, "
199
			"%s algorithm %s replay state\n", __func__,
200
			(sav->flags & SADB_X_EXT_OLD) ? "old" : "new",
201
			sav->replay == NULL ? "without" : "with"));
202
		return EINVAL;
203
	}
204
	if (sav->key_auth == NULL) {
205
		DPRINTF(("%s: no authentication key for %s algorithm\n",
206
			__func__, thash->name));
207
		return EINVAL;
208
	}
209
	keylen = _KEYLEN(sav->key_auth);
210
	if (keylen > thash->keysize && thash->keysize != 0) {
211
		DPRINTF(("%s: invalid keylength %d, algorithm %s requires "
212
			"keysize less than %d\n", __func__,
213
			 keylen, thash->name, thash->keysize));
214
		return EINVAL;
215
	}
216

217
	sav->tdb_xform = xsp;
218
	sav->tdb_authalgxform = thash;
219

220
	/* Initialize crypto session. */
221
	csp->csp_auth_alg = sav->tdb_authalgxform->type;
222
	if (csp->csp_auth_alg != CRYPTO_NULL_HMAC) {
223
		csp->csp_auth_klen = _KEYBITS(sav->key_auth) / 8;
224
		csp->csp_auth_key = sav->key_auth->key_data;
225
	};
226
	csp->csp_auth_mlen = AUTHSIZE(sav);
227

228
	return 0;
229
}
230

231
/*
232
 * ah_init() is called when an SPI is being set up.
233
 */
234
static int
235
ah_init(struct secasvar *sav, struct xformsw *xsp)
236
{
237
	struct crypto_session_params csp;
238
	int error;
239

240
	memset(&csp, 0, sizeof(csp));
241
	csp.csp_mode = CSP_MODE_DIGEST;
242

243
	if (sav->flags & SADB_X_SAFLAGS_ESN)
244
		csp.csp_flags |= CSP_F_ESN;
245

246
	error = ah_init0(sav, xsp, &csp);
247
	return error ? error :
248
		 crypto_newsession(&sav->tdb_cryptoid, &csp, V_crypto_support);
249
}
250

251
static void
252
ah_cleanup(struct secasvar *sav)
253
{
254

255
	crypto_freesession(sav->tdb_cryptoid);
256
	sav->tdb_cryptoid = NULL;
257
	sav->tdb_authalgxform = NULL;
258
}
259

260
/*
261
 * Massage IPv4/IPv6 headers for AH processing.
262
 */
263
static int
264
ah_massage_headers(struct mbuf **m0, int proto, int skip, int alg, int out)
265
{
266
	struct mbuf *m = *m0;
267
	unsigned char *ptr;
268
	int off, count;
269

270
#ifdef INET
271
	struct ip *ip;
272
#endif /* INET */
273

274
#ifdef INET6
275
	struct ip6_ext *ip6e;
276
	struct ip6_hdr ip6;
277
	int ad, alloc, nxt, noff;
278
#endif /* INET6 */
279

280
	switch (proto) {
281
#ifdef INET
282
	case AF_INET:
283
		/*
284
		 * This is the least painful way of dealing with IPv4 header
285
		 * and option processing -- just make sure they're in
286
		 * contiguous memory.
287
		 */
288
		*m0 = m = m_pullup(m, skip);
289
		if (m == NULL) {
290
			DPRINTF(("%s: m_pullup failed\n", __func__));
291
			return ENOBUFS;
292
		}
293

294
		/* Fix the IP header */
295
		ip = mtod(m, struct ip *);
296
		if (V_ah_cleartos)
297
			ip->ip_tos = 0;
298
		ip->ip_ttl = 0;
299
		ip->ip_sum = 0;
300
		ip->ip_off = htons(0);
301

302
		ptr = mtod(m, unsigned char *);
303

304
		/* IPv4 option processing */
305
		for (off = sizeof(struct ip); off < skip;) {
306
			if (ptr[off] == IPOPT_EOL || ptr[off] == IPOPT_NOP ||
307
			    off + 1 < skip)
308
				;
309
			else {
310
				DPRINTF(("%s: illegal IPv4 option length for "
311
					"option %d\n", __func__, ptr[off]));
312

313
				m_freem(m);
314
				return EINVAL;
315
			}
316

317
			switch (ptr[off]) {
318
			case IPOPT_EOL:
319
				off = skip;  /* End the loop. */
320
				break;
321

322
			case IPOPT_NOP:
323
				off++;
324
				break;
325

326
			case IPOPT_SECURITY:	/* 0x82 */
327
			case 0x85:	/* Extended security. */
328
			case 0x86:	/* Commercial security. */
329
			case 0x94:	/* Router alert */
330
			case 0x95:	/* RFC1770 */
331
				/* Sanity check for option length. */
332
				if (ptr[off + 1] < 2) {
333
					DPRINTF(("%s: illegal IPv4 option "
334
						"length for option %d\n",
335
						__func__, ptr[off]));
336

337
					m_freem(m);
338
					return EINVAL;
339
				}
340

341
				off += ptr[off + 1];
342
				break;
343

344
			case IPOPT_LSRR:
345
			case IPOPT_SSRR:
346
				/* Sanity check for option length. */
347
				if (ptr[off + 1] < 2) {
348
					DPRINTF(("%s: illegal IPv4 option "
349
						"length for option %d\n",
350
						__func__, ptr[off]));
351

352
					m_freem(m);
353
					return EINVAL;
354
				}
355

356
				/*
357
				 * On output, if we have either of the
358
				 * source routing options, we should
359
				 * swap the destination address of the
360
				 * IP header with the last address
361
				 * specified in the option, as that is
362
				 * what the destination's IP header
363
				 * will look like.
364
				 */
365
				if (out)
366
					bcopy(ptr + off + ptr[off + 1] -
367
					    sizeof(struct in_addr),
368
					    &(ip->ip_dst), sizeof(struct in_addr));
369

370
				/* Fall through */
371
			default:
372
				/* Sanity check for option length. */
373
				if (ptr[off + 1] < 2) {
374
					DPRINTF(("%s: illegal IPv4 option "
375
						"length for option %d\n",
376
						__func__, ptr[off]));
377
					m_freem(m);
378
					return EINVAL;
379
				}
380

381
				/* Zeroize all other options. */
382
				count = ptr[off + 1];
383
				bcopy(ipseczeroes, ptr + off, count);
384
				off += count;
385
				break;
386
			}
387

388
			/* Sanity check. */
389
			if (off > skip)	{
390
				DPRINTF(("%s: malformed IPv4 options header\n",
391
					__func__));
392

393
				m_freem(m);
394
				return EINVAL;
395
			}
396
		}
397

398
		break;
399
#endif /* INET */
400

401
#ifdef INET6
402
	case AF_INET6:  /* Ugly... */
403
		/* Copy and "cook" the IPv6 header. */
404
		m_copydata(m, 0, sizeof(ip6), (caddr_t) &ip6);
405

406
		/* We don't do IPv6 Jumbograms. */
407
		if (ip6.ip6_plen == 0) {
408
			DPRINTF(("%s: unsupported IPv6 jumbogram\n", __func__));
409
			m_freem(m);
410
			return EMSGSIZE;
411
		}
412

413
		ip6.ip6_flow = 0;
414
		ip6.ip6_hlim = 0;
415
		ip6.ip6_vfc &= ~IPV6_VERSION_MASK;
416
		ip6.ip6_vfc |= IPV6_VERSION;
417

418
		/* Scoped address handling. */
419
		if (IN6_IS_SCOPE_LINKLOCAL(&ip6.ip6_src))
420
			ip6.ip6_src.s6_addr16[1] = 0;
421
		if (IN6_IS_SCOPE_LINKLOCAL(&ip6.ip6_dst))
422
			ip6.ip6_dst.s6_addr16[1] = 0;
423

424
		/* Done with IPv6 header. */
425
		m_copyback(m, 0, sizeof(struct ip6_hdr), (caddr_t) &ip6);
426

427
		/* Let's deal with the remaining headers (if any). */
428
		if (skip - sizeof(struct ip6_hdr) > 0) {
429
			if (m->m_len <= skip) {
430
				ptr = (unsigned char *) malloc(
431
				    skip - sizeof(struct ip6_hdr),
432
				    M_AH, M_NOWAIT);
433
				if (ptr == NULL) {
434
					DPRINTF(("%s: failed to allocate memory"
435
						"for IPv6 headers\n",__func__));
436
					m_freem(m);
437
					return ENOBUFS;
438
				}
439

440
				/*
441
				 * Copy all the protocol headers after
442
				 * the IPv6 header.
443
				 */
444
				m_copydata(m, sizeof(struct ip6_hdr),
445
				    skip - sizeof(struct ip6_hdr), ptr);
446
				alloc = 1;
447
			} else {
448
				/* No need to allocate memory. */
449
				ptr = mtod(m, unsigned char *) +
450
				    sizeof(struct ip6_hdr);
451
				alloc = 0;
452
			}
453
		} else
454
			break;
455

456
		nxt = ip6.ip6_nxt & 0xff; /* Next header type. */
457

458
		for (off = 0; off < skip - sizeof(struct ip6_hdr);)
459
			switch (nxt) {
460
			case IPPROTO_HOPOPTS:
461
			case IPPROTO_DSTOPTS:
462
				ip6e = (struct ip6_ext *)(ptr + off);
463
				noff = off + ((ip6e->ip6e_len + 1) << 3);
464

465
				/* Sanity check. */
466
				if (noff > skip - sizeof(struct ip6_hdr))
467
					goto error6;
468

469
				/*
470
				 * Zero out mutable options.
471
				 */
472
				for (count = off + sizeof(struct ip6_ext);
473
				     count < noff;) {
474
					if (ptr[count] == IP6OPT_PAD1) {
475
						count++;
476
						continue; /* Skip padding. */
477
					}
478

479
					ad = ptr[count + 1] + 2;
480
					if (count + ad > noff)
481
						goto error6;
482

483
					if (ptr[count] & IP6OPT_MUTABLE)
484
						memset(ptr + count, 0, ad);
485
					count += ad;
486
				}
487

488
				if (count != noff)
489
					goto error6;
490

491
				/* Advance. */
492
				off += ((ip6e->ip6e_len + 1) << 3);
493
				nxt = ip6e->ip6e_nxt;
494
				break;
495

496
			case IPPROTO_ROUTING:
497
				/*
498
				 * Always include routing headers in
499
				 * computation.
500
				 */
501
				ip6e = (struct ip6_ext *) (ptr + off);
502
				off += ((ip6e->ip6e_len + 1) << 3);
503
				nxt = ip6e->ip6e_nxt;
504
				break;
505

506
			default:
507
				DPRINTF(("%s: unexpected IPv6 header type %d",
508
					__func__, off));
509
error6:
510
				if (alloc)
511
					free(ptr, M_AH);
512
				m_freem(m);
513
				return EINVAL;
514
			}
515

516
		/* Copyback and free, if we allocated. */
517
		if (alloc) {
518
			m_copyback(m, sizeof(struct ip6_hdr),
519
			    skip - sizeof(struct ip6_hdr), ptr);
520
			free(ptr, M_AH);
521
		}
522

523
		break;
524
#endif /* INET6 */
525
	}
526

527
	return 0;
528
}
529

530
/*
531
 * ah_input() gets called to verify that an input packet
532
 * passes authentication.
533
 */
534
static int
535
ah_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
536
{
537
	IPSEC_DEBUG_DECLARE(char buf[128]);
538
	const struct auth_hash *ahx;
539
	struct cryptop *crp;
540
	struct xform_data *xd;
541
	struct newah *ah;
542
	crypto_session_t cryptoid;
543
	int hl, rplen, authsize, ahsize, error;
544
	uint32_t seqh;
545

546
	SECASVAR_RLOCK_TRACKER;
547

548
	IPSEC_ASSERT(sav != NULL, ("null SA"));
549
	IPSEC_ASSERT(sav->key_auth != NULL, ("null authentication key"));
550
	IPSEC_ASSERT(sav->tdb_authalgxform != NULL,
551
		("null authentication xform"));
552

553
	/* Figure out header size. */
554
	rplen = HDRSIZE(sav);
555

556
	if (m->m_len < skip + rplen) {
557
		m = m_pullup(m, skip + rplen);
558
		if (m == NULL) {
559
			DPRINTF(("ah_input: cannot pullup header\n"));
560
			AHSTAT_INC(ahs_hdrops);		/*XXX*/
561
			error = ENOBUFS;
562
			goto bad;
563
		}
564
	}
565
	ah = (struct newah *)(mtod(m, caddr_t) + skip);
566

567
	/* Check replay window, if applicable. */
568
	SECASVAR_RLOCK(sav);
569
	if (sav->replay != NULL && sav->replay->wsize != 0 &&
570
	    ipsec_chkreplay(ntohl(ah->ah_seq), &seqh, sav) == 0) {
571
		SECASVAR_RUNLOCK(sav);
572
		AHSTAT_INC(ahs_replay);
573
		DPRINTF(("%s: packet replay failure: %s\n", __func__,
574
		    ipsec_sa2str(sav, buf, sizeof(buf))));
575
		error = EACCES;
576
		goto bad;
577
	}
578
	cryptoid = sav->tdb_cryptoid;
579
	SECASVAR_RUNLOCK(sav);
580

581
	/* Verify AH header length. */
582
	hl = sizeof(struct ah) + (ah->ah_len * sizeof (u_int32_t));
583
	ahx = sav->tdb_authalgxform;
584
	authsize = AUTHSIZE(sav);
585
	ahsize = ah_hdrsiz(sav);
586
	if (hl != ahsize) {
587
		DPRINTF(("%s: bad authenticator length %u (expecting %lu)"
588
		    " for packet in SA %s/%08lx\n", __func__, hl,
589
		    (u_long)ahsize,
590
		    ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)),
591
		    (u_long) ntohl(sav->spi)));
592
		AHSTAT_INC(ahs_badauthl);
593
		error = EACCES;
594
		goto bad;
595
	}
596
	if (skip + ahsize > m->m_pkthdr.len) {
597
		DPRINTF(("%s: bad mbuf length %u (expecting %lu)"
598
		    " for packet in SA %s/%08lx\n", __func__,
599
		    m->m_pkthdr.len, (u_long)(skip + ahsize),
600
		    ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)),
601
		    (u_long) ntohl(sav->spi)));
602
		AHSTAT_INC(ahs_badauthl);
603
		error = EACCES;
604
		goto bad;
605
	}
606
	AHSTAT_ADD(ahs_ibytes, m->m_pkthdr.len - skip - hl);
607

608
	/* Get crypto descriptors. */
609
	crp = crypto_getreq(cryptoid, M_NOWAIT);
610
	if (crp == NULL) {
611
		DPRINTF(("%s: failed to acquire crypto descriptor\n",
612
		    __func__));
613
		AHSTAT_INC(ahs_crypto);
614
		error = ENOBUFS;
615
		goto bad;
616
	}
617

618
	crp->crp_payload_start = 0;
619
	crp->crp_payload_length = m->m_pkthdr.len;
620
	crp->crp_digest_start = skip + rplen;
621

622
	/* Allocate IPsec-specific opaque crypto info. */
623
	xd = malloc(sizeof(*xd) + skip + rplen + authsize, M_AH,
624
	    M_NOWAIT | M_ZERO);
625
	if (xd == NULL) {
626
		DPRINTF(("%s: failed to allocate xform_data\n", __func__));
627
		AHSTAT_INC(ahs_crypto);
628
		crypto_freereq(crp);
629
		error = ENOBUFS;
630
		goto bad;
631
	}
632

633
	/*
634
	 * Save the authenticator, the skipped portion of the packet,
635
	 * and the AH header.
636
	 */
637
	m_copydata(m, 0, skip + rplen + authsize, (caddr_t)(xd + 1));
638

639
	/* Zeroize the authenticator on the packet. */
640
	m_copyback(m, skip + rplen, authsize, ipseczeroes);
641

642
	/* Save ah_nxt, since ah pointer can become invalid after "massage" */
643
	hl = ah->ah_nxt;
644

645
	/* "Massage" the packet headers for crypto processing. */
646
	error = ah_massage_headers(&m, sav->sah->saidx.dst.sa.sa_family,
647
	    skip, ahx->type, 0);
648
	if (error != 0) {
649
		/* NB: mbuf is free'd by ah_massage_headers */
650
		AHSTAT_INC(ahs_hdrops);
651
		free(xd, M_AH);
652
		crypto_freereq(crp);
653
		key_freesav(&sav);
654
		return (error);
655
	}
656

657
	/* Crypto operation descriptor. */
658
	crp->crp_op = CRYPTO_OP_COMPUTE_DIGEST;
659
	crp->crp_flags = CRYPTO_F_CBIFSYNC;
660
	crypto_use_mbuf(crp, m);
661
	crp->crp_callback = ah_input_cb;
662
	crp->crp_opaque = xd;
663

664
	if (sav->flags & SADB_X_SAFLAGS_ESN &&
665
	    sav->replay != NULL && sav->replay->wsize != 0) {
666
		seqh = htonl(seqh);
667
		memcpy(crp->crp_esn, &seqh, sizeof(seqh));
668
	}
669

670
	/* These are passed as-is to the callback. */
671
	xd->sav = sav;
672
	xd->nxt = hl;
673
	xd->protoff = protoff;
674
	xd->skip = skip;
675
	xd->cryptoid = cryptoid;
676
	xd->vnet = curvnet;
677
	if (V_async_crypto)
678
		return (crypto_dispatch_async(crp, CRYPTO_ASYNC_ORDERED));
679
	else
680
		return (crypto_dispatch(crp));
681
bad:
682
	m_freem(m);
683
	key_freesav(&sav);
684
	return (error);
685
}
686

687
/*
688
 * AH input callback from the crypto driver.
689
 */
690
static int
691
ah_input_cb(struct cryptop *crp)
692
{
693
	IPSEC_DEBUG_DECLARE(char buf[IPSEC_ADDRSTRLEN]);
694
	unsigned char calc[AH_ALEN_MAX];
695
	struct rm_priotracker sahtree_tracker;
696
	struct mbuf *m;
697
	struct xform_data *xd;
698
	struct secasvar *sav;
699
	struct secasindex *saidx;
700
	caddr_t ptr;
701
	crypto_session_t cryptoid;
702
	int authsize, rplen, ahsize, error, skip, protoff;
703
	uint8_t nxt;
704

705
	SECASVAR_RLOCK_TRACKER;
706

707
	m = crp->crp_buf.cb_mbuf;
708
	xd = crp->crp_opaque;
709
	CURVNET_SET(xd->vnet);
710
	sav = xd->sav;
711
	skip = xd->skip;
712
	nxt = xd->nxt;
713
	protoff = xd->protoff;
714
	cryptoid = xd->cryptoid;
715
	ipsec_sahtree_rlock(&sahtree_tracker);
716
	if (sav->state >= SADB_SASTATE_DEAD) {
717
		/* saidx is freed */
718
		DPRINTF(("%s: dead SA %p spi %#x\n", __func__, sav, sav->spi));
719
		AHSTAT_INC(ahs_notdb);
720
		error = ESRCH;
721
		goto bad;
722
	}
723
	saidx = &sav->sah->saidx;
724
	IPSEC_ASSERT(saidx->dst.sa.sa_family == AF_INET ||
725
		saidx->dst.sa.sa_family == AF_INET6,
726
		("unexpected protocol family %u", saidx->dst.sa.sa_family));
727

728
	/* Check for crypto errors. */
729
	if (crp->crp_etype) {
730
		if (crp->crp_etype == EAGAIN) {
731
			/* Reset the session ID */
732
			if (ipsec_updateid(sav, &crp->crp_session, &cryptoid) != 0)
733
				crypto_freesession(cryptoid);
734
			xd->cryptoid = crp->crp_session;
735
			CURVNET_RESTORE();
736
			return (crypto_dispatch(crp));
737
		}
738
		AHSTAT_INC(ahs_noxform);
739
		DPRINTF(("%s: crypto error %d\n", __func__, crp->crp_etype));
740
		error = crp->crp_etype;
741
		goto bad;
742
	} else {
743
		AHSTAT_INC2(ahs_hist, sav->alg_auth);
744
		crypto_freereq(crp);		/* No longer needed. */
745
		crp = NULL;
746
	}
747

748
	/* Shouldn't happen... */
749
	if (m == NULL) {
750
		AHSTAT_INC(ahs_crypto);
751
		DPRINTF(("%s: bogus returned buffer from crypto\n", __func__));
752
		error = EINVAL;
753
		goto bad;
754
	}
755

756
	/* Figure out header size. */
757
	rplen = HDRSIZE(sav);
758
	authsize = AUTHSIZE(sav);
759
	ahsize = ah_hdrsiz(sav);
760

761
	/* Copy authenticator off the packet. */
762
	m_copydata(m, skip + rplen, authsize, calc);
763

764
	/* Verify authenticator. */
765
	ptr = (caddr_t) (xd + 1);
766
	if (timingsafe_bcmp(ptr + skip + rplen, calc, authsize)) {
767
		DPRINTF(("%s: authentication hash mismatch for packet "
768
		    "in SA %s/%08lx\n", __func__,
769
		    ipsec_address(&saidx->dst, buf, sizeof(buf)),
770
		    (u_long) ntohl(sav->spi)));
771
		AHSTAT_INC(ahs_badauth);
772
		error = EACCES;
773
		goto bad;
774
	}
775
	/* Fix the Next Protocol field. */
776
	((uint8_t *) ptr)[protoff] = nxt;
777

778
	/* Copyback the saved (uncooked) network headers. */
779
	m_copyback(m, 0, skip, ptr);
780
	free(xd, M_AH), xd = NULL;			/* No longer needed */
781

782
	/*
783
	 * Header is now authenticated.
784
	 */
785
	m->m_flags |= M_AUTHIPHDR|M_AUTHIPDGM;
786

787
	/*
788
	 * Update replay sequence number, if appropriate.
789
	 */
790
	if (sav->replay) {
791
		u_int32_t seq;
792

793
		m_copydata(m, skip + offsetof(struct newah, ah_seq),
794
			   sizeof (seq), (caddr_t) &seq);
795
		SECASVAR_RLOCK(sav);
796
		if (ipsec_updatereplay(ntohl(seq), sav)) {
797
			SECASVAR_RUNLOCK(sav);
798
			AHSTAT_INC(ahs_replay);
799
			error = EACCES;
800
			goto bad;
801
		}
802
		SECASVAR_RUNLOCK(sav);
803
	}
804

805
	/*
806
	 * Remove the AH header and authenticator from the mbuf.
807
	 */
808
	error = m_striphdr(m, skip, ahsize);
809
	if (error) {
810
		DPRINTF(("%s: mangled mbuf chain for SA %s/%08lx\n", __func__,
811
		    ipsec_address(&saidx->dst, buf, sizeof(buf)),
812
		    (u_long) ntohl(sav->spi)));
813
		AHSTAT_INC(ahs_hdrops);
814
		goto bad;
815
	}
816

817
	switch (saidx->dst.sa.sa_family) {
818
#ifdef INET6
819
	case AF_INET6:
820
		error = ipsec6_common_input_cb(m, sav, skip, protoff,
821
		    &sahtree_tracker);
822
		break;
823
#endif
824
#ifdef INET
825
	case AF_INET:
826
		error = ipsec4_common_input_cb(m, sav, skip, protoff,
827
		    &sahtree_tracker);
828
		break;
829
#endif
830
	default:
831
		panic("%s: Unexpected address family: %d saidx=%p", __func__,
832
		    saidx->dst.sa.sa_family, saidx);
833
	}
834
	CURVNET_RESTORE();
835
	return error;
836
bad:
837
	ipsec_sahtree_runlock(&sahtree_tracker);
838
	CURVNET_RESTORE();
839
	if (sav)
840
		key_freesav(&sav);
841
	if (m != NULL)
842
		m_freem(m);
843
	if (xd != NULL)
844
		free(xd, M_AH);
845
	if (crp != NULL)
846
		crypto_freereq(crp);
847
	return error;
848
}
849

850
/*
851
 * AH output routine, called by ipsec[46]_perform_request().
852
 */
853
static int
854
ah_output(struct mbuf *m, struct secpolicy *sp, struct secasvar *sav,
855
    u_int idx, int skip, int protoff)
856
{
857
	IPSEC_DEBUG_DECLARE(char buf[IPSEC_ADDRSTRLEN]);
858
	const struct auth_hash *ahx;
859
	struct xform_data *xd;
860
	struct mbuf *mi;
861
	struct cryptop *crp;
862
	struct newah *ah;
863
	crypto_session_t cryptoid;
864
	uint16_t iplen;
865
	int error, rplen, authsize, ahsize, maxpacketsize, roff;
866
	uint8_t prot;
867
	uint32_t seqh;
868

869
	SECASVAR_RLOCK_TRACKER;
870

871
	IPSEC_ASSERT(sav != NULL, ("null SA"));
872
	ahx = sav->tdb_authalgxform;
873
	IPSEC_ASSERT(ahx != NULL, ("null authentication xform"));
874

875
	AHSTAT_INC(ahs_output);
876

877
	/* Figure out header size. */
878
	rplen = HDRSIZE(sav);
879
	authsize = AUTHSIZE(sav);
880
	ahsize = ah_hdrsiz(sav);
881

882
	/* Check for maximum packet size violations. */
883
	switch (sav->sah->saidx.dst.sa.sa_family) {
884
#ifdef INET
885
	case AF_INET:
886
		maxpacketsize = IP_MAXPACKET;
887
		break;
888
#endif /* INET */
889
#ifdef INET6
890
	case AF_INET6:
891
		maxpacketsize = IPV6_MAXPACKET;
892
		break;
893
#endif /* INET6 */
894
	default:
895
		DPRINTF(("%s: unknown/unsupported protocol family %u, "
896
		    "SA %s/%08lx\n", __func__,
897
		    sav->sah->saidx.dst.sa.sa_family,
898
		    ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)),
899
		    (u_long) ntohl(sav->spi)));
900
		AHSTAT_INC(ahs_nopf);
901
		error = EPFNOSUPPORT;
902
		goto bad;
903
	}
904
	if (ahsize + m->m_pkthdr.len > maxpacketsize) {
905
		DPRINTF(("%s: packet in SA %s/%08lx got too big "
906
		    "(len %u, max len %u)\n", __func__,
907
		    ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)),
908
		    (u_long) ntohl(sav->spi),
909
		    ahsize + m->m_pkthdr.len, maxpacketsize));
910
		AHSTAT_INC(ahs_toobig);
911
		error = EMSGSIZE;
912
		goto bad;
913
	}
914

915
	/* Update the counters. */
916
	AHSTAT_ADD(ahs_obytes, m->m_pkthdr.len - skip);
917

918
	m = m_unshare(m, M_NOWAIT);
919
	if (m == NULL) {
920
		DPRINTF(("%s: cannot clone mbuf chain, SA %s/%08lx\n", __func__,
921
		    ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)),
922
		    (u_long) ntohl(sav->spi)));
923
		AHSTAT_INC(ahs_hdrops);
924
		error = ENOBUFS;
925
		goto bad;
926
	}
927

928
	/* Inject AH header. */
929
	mi = m_makespace(m, skip, ahsize, &roff);
930
	if (mi == NULL) {
931
		DPRINTF(("%s: failed to inject %u byte AH header for SA "
932
		    "%s/%08lx\n", __func__, ahsize,
933
		    ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)),
934
		    (u_long) ntohl(sav->spi)));
935
		AHSTAT_INC(ahs_hdrops);		/*XXX differs from openbsd */
936
		error = ENOBUFS;
937
		goto bad;
938
	}
939

940
	/*
941
	 * The AH header is guaranteed by m_makespace() to be in
942
	 * contiguous memory, at roff bytes offset into the returned mbuf.
943
	 */
944
	ah = (struct newah *)(mtod(mi, caddr_t) + roff);
945

946
	/* Initialize the AH header. */
947
	m_copydata(m, protoff, sizeof(u_int8_t), (caddr_t) &ah->ah_nxt);
948
	ah->ah_len = (ahsize - sizeof(struct ah)) / sizeof(u_int32_t);
949
	ah->ah_reserve = 0;
950
	ah->ah_spi = sav->spi;
951

952
	/* Zeroize authenticator. */
953
	m_copyback(m, skip + rplen, authsize, ipseczeroes);
954

955
	/* Zeroize padding */
956
	m_copyback(m, skip + rplen + authsize, ahsize - (rplen + authsize),
957
	    ipseczeroes);
958

959
	/* Insert packet replay counter, as requested.  */
960
	SECASVAR_RLOCK(sav);
961
	if (sav->replay) {
962
		SECREPLAY_LOCK(sav->replay);
963
		if ((sav->replay->count == ~0 ||
964
		    (!(sav->flags & SADB_X_SAFLAGS_ESN) &&
965
		    ((uint32_t)sav->replay->count) == ~0)) &&
966
		    (sav->flags & SADB_X_EXT_CYCSEQ) == 0) {
967
			SECREPLAY_UNLOCK(sav->replay);
968
			SECASVAR_RUNLOCK(sav);
969
			DPRINTF(("%s: replay counter wrapped for SA %s/%08lx\n",
970
			    __func__, ipsec_address(&sav->sah->saidx.dst, buf,
971
			    sizeof(buf)), (u_long) ntohl(sav->spi)));
972
			AHSTAT_INC(ahs_wrap);
973
			error = EACCES;
974
			goto bad;
975
		}
976
#ifdef REGRESSION
977
		/* Emulate replay attack when ipsec_replay is TRUE. */
978
		if (!V_ipsec_replay)
979
#endif
980
			sav->replay->count++;
981
		ah->ah_seq = htonl((uint32_t)sav->replay->count);
982
		SECREPLAY_UNLOCK(sav->replay);
983
	}
984
	cryptoid = sav->tdb_cryptoid;
985
	SECASVAR_RUNLOCK(sav);
986

987
	/* Get crypto descriptors. */
988
	crp = crypto_getreq(cryptoid, M_NOWAIT);
989
	if (crp == NULL) {
990
		DPRINTF(("%s: failed to acquire crypto descriptors\n",
991
			__func__));
992
		AHSTAT_INC(ahs_crypto);
993
		error = ENOBUFS;
994
		goto bad;
995
	}
996

997
	crp->crp_payload_start = 0;
998
	crp->crp_payload_length = m->m_pkthdr.len;
999
	crp->crp_digest_start = skip + rplen;
1000

1001
	/* Allocate IPsec-specific opaque crypto info. */
1002
	xd =  malloc(sizeof(struct xform_data) + skip, M_AH,
1003
	    M_NOWAIT | M_ZERO);
1004
	if (xd == NULL) {
1005
		crypto_freereq(crp);
1006
		DPRINTF(("%s: failed to allocate xform_data\n", __func__));
1007
		AHSTAT_INC(ahs_crypto);
1008
		error = ENOBUFS;
1009
		goto bad;
1010
	}
1011

1012
	/* Save the skipped portion of the packet. */
1013
	m_copydata(m, 0, skip, (caddr_t) (xd + 1));
1014

1015
	/*
1016
	 * Fix IP header length on the header used for
1017
	 * authentication. We don't need to fix the original
1018
	 * header length as it will be fixed by our caller.
1019
	 */
1020
	switch (sav->sah->saidx.dst.sa.sa_family) {
1021
#ifdef INET
1022
	case AF_INET:
1023
		bcopy(((caddr_t)(xd + 1)) +
1024
		    offsetof(struct ip, ip_len),
1025
		    (caddr_t) &iplen, sizeof(u_int16_t));
1026
		iplen = htons(ntohs(iplen) + ahsize);
1027
		m_copyback(m, offsetof(struct ip, ip_len),
1028
		    sizeof(u_int16_t), (caddr_t) &iplen);
1029
		break;
1030
#endif /* INET */
1031

1032
#ifdef INET6
1033
	case AF_INET6:
1034
		bcopy(((caddr_t)(xd + 1)) +
1035
		    offsetof(struct ip6_hdr, ip6_plen),
1036
		    (caddr_t) &iplen, sizeof(uint16_t));
1037
		iplen = htons(ntohs(iplen) + ahsize);
1038
		m_copyback(m, offsetof(struct ip6_hdr, ip6_plen),
1039
		    sizeof(uint16_t), (caddr_t) &iplen);
1040
		break;
1041
#endif /* INET6 */
1042
	}
1043

1044
	/* Fix the Next Header field in saved header. */
1045
	((uint8_t *) (xd + 1))[protoff] = IPPROTO_AH;
1046

1047
	/* Update the Next Protocol field in the IP header. */
1048
	prot = IPPROTO_AH;
1049
	m_copyback(m, protoff, sizeof(uint8_t), (caddr_t) &prot);
1050

1051
	/* "Massage" the packet headers for crypto processing. */
1052
	error = ah_massage_headers(&m, sav->sah->saidx.dst.sa.sa_family,
1053
			skip, ahx->type, 1);
1054
	if (error != 0) {
1055
		m = NULL;	/* mbuf was free'd by ah_massage_headers. */
1056
		free(xd, M_AH);
1057
		crypto_freereq(crp);
1058
		goto bad;
1059
	}
1060

1061
	/* Crypto operation descriptor. */
1062
	crp->crp_op = CRYPTO_OP_COMPUTE_DIGEST;
1063
	crp->crp_flags = CRYPTO_F_CBIFSYNC;
1064
	crypto_use_mbuf(crp, m);
1065
	crp->crp_callback = ah_output_cb;
1066
	crp->crp_opaque = xd;
1067

1068
	if (sav->flags & SADB_X_SAFLAGS_ESN && sav->replay != NULL) {
1069
		SECREPLAY_LOCK(sav->replay);
1070
		seqh = htonl((uint32_t)(sav->replay->count >> IPSEC_SEQH_SHIFT));
1071
		memcpy(crp->crp_esn, &seqh, sizeof(seqh));
1072
		SECREPLAY_UNLOCK(sav->replay);
1073
	}
1074

1075
	/* These are passed as-is to the callback. */
1076
	xd->sp = sp;
1077
	xd->sav = sav;
1078
	xd->skip = skip;
1079
	xd->idx = idx;
1080
	xd->cryptoid = cryptoid;
1081
	xd->vnet = curvnet;
1082

1083
	if (V_async_crypto)
1084
		return (crypto_dispatch_async(crp, CRYPTO_ASYNC_ORDERED));
1085
	else
1086
		return (crypto_dispatch(crp));
1087
bad:
1088
	if (m)
1089
		m_freem(m);
1090
	key_freesav(&sav);
1091
	key_freesp(&sp);
1092
	return (error);
1093
}
1094

1095
/*
1096
 * AH output callback from the crypto driver.
1097
 */
1098
static int
1099
ah_output_cb(struct cryptop *crp)
1100
{
1101
	struct xform_data *xd;
1102
	struct secpolicy *sp;
1103
	struct secasvar *sav;
1104
	struct mbuf *m;
1105
	crypto_session_t cryptoid;
1106
	caddr_t ptr;
1107
	u_int idx;
1108
	int skip, error;
1109

1110
	m = crp->crp_buf.cb_mbuf;
1111
	xd = (struct xform_data *) crp->crp_opaque;
1112
	CURVNET_SET(xd->vnet);
1113
	sp = xd->sp;
1114
	sav = xd->sav;
1115
	skip = xd->skip;
1116
	idx = xd->idx;
1117
	cryptoid = xd->cryptoid;
1118
	ptr = (caddr_t) (xd + 1);
1119

1120
	/* Check for crypto errors. */
1121
	if (crp->crp_etype) {
1122
		if (crp->crp_etype == EAGAIN) {
1123
			/* Reset the session ID */
1124
			if (ipsec_updateid(sav, &crp->crp_session, &cryptoid) != 0)
1125
				crypto_freesession(cryptoid);
1126
			xd->cryptoid = crp->crp_session;
1127
			CURVNET_RESTORE();
1128
			return (crypto_dispatch(crp));
1129
		}
1130
		AHSTAT_INC(ahs_noxform);
1131
		DPRINTF(("%s: crypto error %d\n", __func__, crp->crp_etype));
1132
		error = crp->crp_etype;
1133
		m_freem(m);
1134
		goto bad;
1135
	}
1136

1137
	/* Shouldn't happen... */
1138
	if (m == NULL) {
1139
		AHSTAT_INC(ahs_crypto);
1140
		DPRINTF(("%s: bogus returned buffer from crypto\n", __func__));
1141
		error = EINVAL;
1142
		goto bad;
1143
	}
1144
	/*
1145
	 * Copy original headers (with the new protocol number) back
1146
	 * in place.
1147
	 */
1148
	m_copyback(m, 0, skip, ptr);
1149

1150
	free(xd, M_AH);
1151
	crypto_freereq(crp);
1152
	AHSTAT_INC2(ahs_hist, sav->alg_auth);
1153
#ifdef REGRESSION
1154
	/* Emulate man-in-the-middle attack when ipsec_integrity is TRUE. */
1155
	if (V_ipsec_integrity) {
1156
		int alen;
1157

1158
		/*
1159
		 * Corrupt HMAC if we want to test integrity verification of
1160
		 * the other side.
1161
		 */
1162
		alen = AUTHSIZE(sav);
1163
		m_copyback(m, m->m_pkthdr.len - alen, alen, ipseczeroes);
1164
	}
1165
#endif
1166

1167
	/* NB: m is reclaimed by ipsec_process_done. */
1168
	error = ipsec_process_done(m, sp, sav, idx);
1169
	CURVNET_RESTORE();
1170
	return (error);
1171
bad:
1172
	CURVNET_RESTORE();
1173
	free(xd, M_AH);
1174
	crypto_freereq(crp);
1175
	key_freesav(&sav);
1176
	key_freesp(&sp);
1177
	return (error);
1178
}
1179

1180
static struct xformsw ah_xformsw = {
1181
	.xf_type =	XF_AH,
1182
	.xf_name =	"IPsec AH",
1183
	.xf_init =	ah_init,
1184
	.xf_cleanup =	ah_cleanup,
1185
	.xf_input =	ah_input,
1186
	.xf_output =	ah_output,
1187
};
1188

1189
SYSINIT(ah_xform_init, SI_SUB_PROTO_DOMAIN, SI_ORDER_MIDDLE,
1190
    xform_attach, &ah_xformsw);
1191
SYSUNINIT(ah_xform_uninit, SI_SUB_PROTO_DOMAIN, SI_ORDER_MIDDLE,
1192
    xform_detach, &ah_xformsw);
1193

1194
Product

Resources

Company
