CoCalc -- xform

GitHub Repository: freebsd/freebsd-src
Path: blob/main/sys/netipsec/xform_ah.c
³⁹⁴⁷⁵ views
1
/*	$OpenBSD: ip_ah.c,v 1.63 2001/06/26 06:18:58 angelos Exp $ */
2
/*-
3
 * The authors of this code are John Ioannidis ([email protected]),
4
 * Angelos D. Keromytis ([email protected]) and
5
 * Niels Provos ([email protected]).
6
 *
7
 * The original version of this code was written by John Ioannidis
8
 * for BSD/OS in Athens, Greece, in November 1995.
9
 *
10
 * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996,
11
 * by Angelos D. Keromytis.
12
 *
13
 * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis
14
 * and Niels Provos.
15
 *
16
 * Additional features in 1999 by Angelos D. Keromytis and Niklas Hallqvist.
17
 *
18
 * Copyright (c) 1995, 1996, 1997, 1998, 1999 by John Ioannidis,
19
 * Angelos D. Keromytis and Niels Provos.
20
 * Copyright (c) 1999 Niklas Hallqvist.
21
 * Copyright (c) 2001 Angelos D. Keromytis.
22
 *
23
 * Permission to use, copy, and modify this software with or without fee
24
 * is hereby granted, provided that this entire notice is included in
25
 * all copies of any software which is or includes a copy or
26
 * modification of this software.
27
 * You may use this code under the GNU public license if you so wish. Please
28
 * contribute changes back to the authors under this freer than GPL license
29
 * so that we may further the use of strong encryption without limitations to
30
 * all.
31
 *
32
 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
33
 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY
34
 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
35
 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
36
 * PURPOSE.
37
 */
38
#include "opt_inet.h"
39
#include "opt_inet6.h"
40
#include "opt_ipsec.h"
41

42
#include <sys/param.h>
43
#include <sys/systm.h>
44
#include <sys/malloc.h>
45
#include <sys/mbuf.h>
46
#include <sys/socket.h>
47
#include <sys/syslog.h>
48
#include <sys/kernel.h>
49
#include <sys/lock.h>
50
#include <sys/mutex.h>
51
#include <sys/sysctl.h>
52

53
#include <net/if.h>
54
#include <net/vnet.h>
55

56
#include <netinet/in.h>
57
#include <netinet/in_systm.h>
58
#include <netinet/ip.h>
59
#include <netinet/ip_ecn.h>
60
#include <netinet/ip6.h>
61

62
#include <netipsec/ipsec.h>
63
#include <netipsec/ah.h>
64
#include <netipsec/ah_var.h>
65
#include <netipsec/xform.h>
66

67
#ifdef INET6
68
#include <netinet6/ip6_var.h>
69
#include <netipsec/ipsec6.h>
70
#include <netinet6/ip6_ecn.h>
71
#endif
72

73
#include <netipsec/key.h>
74
#include <netipsec/key_debug.h>
75

76
#include <opencrypto/cryptodev.h>
77

78
/*
79
 * Return header size in bytes.  The old protocol did not support
80
 * the replay counter; the new protocol always includes the counter.
81
 */
82
#define HDRSIZE(sav) \
83
	(((sav)->flags & SADB_X_EXT_OLD) ? \
84
		sizeof (struct ah) : sizeof (struct ah) + sizeof (u_int32_t))
85
/* 
86
 * Return authenticator size in bytes, based on a field in the
87
 * algorithm descriptor.
88
 */
89
#define	AUTHSIZE(sav)	((sav->flags & SADB_X_EXT_OLD) ? 16 :	\
90
			 xform_ah_authsize((sav)->tdb_authalgxform))
91

92
VNET_DEFINE(int, ah_enable) = 1;	/* control flow of packets with AH */
93
VNET_DEFINE(int, ah_cleartos) = 1;	/* clear ip_tos when doing AH calc */
94
VNET_PCPUSTAT_DEFINE(struct ahstat, ahstat);
95
VNET_PCPUSTAT_SYSINIT(ahstat);
96

97
#ifdef VIMAGE
98
VNET_PCPUSTAT_SYSUNINIT(ahstat);
99
#endif /* VIMAGE */
100

101
#ifdef INET
102
SYSCTL_DECL(_net_inet_ah);
103
SYSCTL_INT(_net_inet_ah, OID_AUTO, ah_enable,
104
	CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(ah_enable), 0, "");
105
SYSCTL_INT(_net_inet_ah, OID_AUTO, ah_cleartos,
106
	CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(ah_cleartos), 0, "");
107
SYSCTL_VNET_PCPUSTAT(_net_inet_ah, IPSECCTL_STATS, stats, struct ahstat,
108
    ahstat, "AH statistics (struct ahstat, netipsec/ah_var.h)");
109
#endif
110

111
static MALLOC_DEFINE(M_AH, "ah", "IPsec AH");
112

113
static unsigned char ipseczeroes[256];	/* larger than an ip6 extension hdr */
114

115
static int ah_input_cb(struct cryptop*);
116
static int ah_output_cb(struct cryptop*);
117

118
int
119
xform_ah_authsize(const struct auth_hash *esph)
120
{
121
	int alen;
122

123
	if (esph == NULL)
124
		return 0;
125

126
	switch (esph->type) {
127
	case CRYPTO_SHA2_256_HMAC:
128
	case CRYPTO_SHA2_384_HMAC:
129
	case CRYPTO_SHA2_512_HMAC:
130
		alen = esph->hashsize / 2;	/* RFC4868 2.3 */
131
		break;
132

133
	case CRYPTO_POLY1305:
134
	case CRYPTO_AES_NIST_GMAC:
135
		alen = esph->hashsize;
136
		break;
137

138
	default:
139
		alen = AH_HMAC_HASHLEN;
140
		break;
141
	}
142

143
	return alen;
144
}
145

146
size_t
147
ah_hdrsiz(struct secasvar *sav)
148
{
149
	size_t size;
150

151
	if (sav != NULL) {
152
		int authsize, rplen, align;
153

154
		IPSEC_ASSERT(sav->tdb_authalgxform != NULL, ("null xform"));
155
		/*XXX not right for null algorithm--does it matter??*/
156

157
		/* RFC4302: use the correct alignment. */
158
		align = sizeof(uint32_t);
159
#ifdef INET6
160
		if (sav->sah->saidx.dst.sa.sa_family == AF_INET6) {
161
			align = sizeof(uint64_t);
162
		}
163
#endif
164
		rplen = HDRSIZE(sav);
165
		authsize = AUTHSIZE(sav);
166
		size = roundup(rplen + authsize, align);
167
	} else {
168
		/* default guess */
169
		size = sizeof (struct ah) + sizeof (u_int32_t) + 16;
170
	}
171
	return size;
172
}
173

174
/*
175
 * NB: public for use by esp_init.
176
 */
177
int
178
ah_init0(struct secasvar *sav, struct xformsw *xsp,
179
    struct crypto_session_params *csp)
180
{
181
	const struct auth_hash *thash;
182
	int keylen;
183

184
	thash = auth_algorithm_lookup(sav->alg_auth);
185
	if (thash == NULL) {
186
		DPRINTF(("%s: unsupported authentication algorithm %u\n",
187
			__func__, sav->alg_auth));
188
		return EINVAL;
189
	}
190

191
	/*
192
	 * Verify the replay state block allocation is consistent with
193
	 * the protocol type.  We check here so we can make assumptions
194
	 * later during protocol processing.
195
	 */
196
	/* NB: replay state is setup elsewhere (sigh) */
197
	if (((sav->flags&SADB_X_EXT_OLD) == 0) ^ (sav->replay != NULL)) {
198
		DPRINTF(("%s: replay state block inconsistency, "
199
			"%s algorithm %s replay state\n", __func__,
200
			(sav->flags & SADB_X_EXT_OLD) ? "old" : "new",
201
			sav->replay == NULL ? "without" : "with"));
202
		return EINVAL;
203
	}
204
	if (sav->key_auth == NULL) {
205
		DPRINTF(("%s: no authentication key for %s algorithm\n",
206
			__func__, thash->name));
207
		return EINVAL;
208
	}
209
	keylen = _KEYLEN(sav->key_auth);
210
	if (keylen > thash->keysize && thash->keysize != 0) {
211
		DPRINTF(("%s: invalid keylength %d, algorithm %s requires "
212
			"keysize less than %d\n", __func__,
213
			 keylen, thash->name, thash->keysize));
214
		return EINVAL;
215
	}
216

217
	sav->tdb_xform = xsp;
218
	sav->tdb_authalgxform = thash;
219

220
	/* Initialize crypto session. */
221
	csp->csp_auth_alg = sav->tdb_authalgxform->type;
222
	if (csp->csp_auth_alg != CRYPTO_NULL_HMAC) {
223
		csp->csp_auth_klen = _KEYBITS(sav->key_auth) / 8;
224
		csp->csp_auth_key = sav->key_auth->key_data;
225
	};
226
	csp->csp_auth_mlen = AUTHSIZE(sav);
227

228
	return 0;
229
}
230

231
/*
232
 * ah_init() is called when an SPI is being set up.
233
 */
234
static int
235
ah_init(struct secasvar *sav, struct xformsw *xsp)
236
{
237
	struct crypto_session_params csp;
238
	int error;
239

240
	memset(&csp, 0, sizeof(csp));
241
	csp.csp_mode = CSP_MODE_DIGEST;
242

243
	if (sav->flags & SADB_X_SAFLAGS_ESN)
244
		csp.csp_flags |= CSP_F_ESN;
245

246
	error = ah_init0(sav, xsp, &csp);
247
	return error ? error :
248
		 crypto_newsession(&sav->tdb_cryptoid, &csp, V_crypto_support);
249
}
250

251
static void
252
ah_cleanup(struct secasvar *sav)
253
{
254

255
	crypto_freesession(sav->tdb_cryptoid);
256
	sav->tdb_cryptoid = NULL;
257
	sav->tdb_authalgxform = NULL;
258
}
259

260
/*
261
 * Massage IPv4/IPv6 headers for AH processing.
262
 */
263
static int
264
ah_massage_headers(struct mbuf **m0, int proto, int skip, int alg, int out)
265
{
266
	struct mbuf *m = *m0;
267
	unsigned char *ptr;
268
	int off, count;
269

270
#ifdef INET
271
	struct ip *ip;
272
#endif /* INET */
273

274
#ifdef INET6
275
	struct ip6_ext *ip6e;
276
	struct ip6_hdr ip6;
277
	int ad, alloc, nxt, noff;
278
#endif /* INET6 */
279

280
	switch (proto) {
281
#ifdef INET
282
	case AF_INET:
283
		/*
284
		 * This is the least painful way of dealing with IPv4 header
285
		 * and option processing -- just make sure they're in
286
		 * contiguous memory.
287
		 */
288
		*m0 = m = m_pullup(m, skip);
289
		if (m == NULL) {
290
			DPRINTF(("%s: m_pullup failed\n", __func__));
291
			return ENOBUFS;
292
		}
293

294
		/* Fix the IP header */
295
		ip = mtod(m, struct ip *);
296
		if (V_ah_cleartos)
297
			ip->ip_tos = 0;
298
		ip->ip_ttl = 0;
299
		ip->ip_sum = 0;
300
		ip->ip_off = htons(0);
301

302
		ptr = mtod(m, unsigned char *);
303

304
		/* IPv4 option processing */
305
		for (off = sizeof(struct ip); off < skip;) {
306
			if (ptr[off] == IPOPT_EOL || ptr[off] == IPOPT_NOP ||
307
			    off + 1 < skip)
308
				;
309
			else {
310
				DPRINTF(("%s: illegal IPv4 option length for "
311
					"option %d\n", __func__, ptr[off]));
312

313
				m_freem(m);
314
				return EINVAL;
315
			}
316

317
			switch (ptr[off]) {
318
			case IPOPT_EOL:
319
				off = skip;  /* End the loop. */
320
				break;
321

322
			case IPOPT_NOP:
323
				off++;
324
				break;
325

326
			case IPOPT_SECURITY:	/* 0x82 */
327
			case 0x85:	/* Extended security. */
328
			case 0x86:	/* Commercial security. */
329
			case 0x94:	/* Router alert */
330
			case 0x95:	/* RFC1770 */
331
				/* Sanity check for option length. */
332
				if (ptr[off + 1] < 2) {
333
					DPRINTF(("%s: illegal IPv4 option "
334
						"length for option %d\n",
335
						__func__, ptr[off]));
336

337
					m_freem(m);
338
					return EINVAL;
339
				}
340

341
				off += ptr[off + 1];
342
				break;
343

344
			case IPOPT_LSRR:
345
			case IPOPT_SSRR:
346
				/* Sanity check for option length. */
347
				if (ptr[off + 1] < 2) {
348
					DPRINTF(("%s: illegal IPv4 option "
349
						"length for option %d\n",
350
						__func__, ptr[off]));
351

352
					m_freem(m);
353
					return EINVAL;
354
				}
355

356
				/*
357
				 * On output, if we have either of the
358
				 * source routing options, we should
359
				 * swap the destination address of the
360
				 * IP header with the last address
361
				 * specified in the option, as that is
362
				 * what the destination's IP header
363
				 * will look like.
364
				 */
365
				if (out)
366
					bcopy(ptr + off + ptr[off + 1] -
367
					    sizeof(struct in_addr),
368
					    &(ip->ip_dst), sizeof(struct in_addr));
369

370
				/* Fall through */
371
			default:
372
				/* Sanity check for option length. */
373
				if (ptr[off + 1] < 2) {
374
					DPRINTF(("%s: illegal IPv4 option "
375
						"length for option %d\n",
376
						__func__, ptr[off]));
377
					m_freem(m);
378
					return EINVAL;
379
				}
380

381
				/* Zeroize all other options. */
382
				count = ptr[off + 1];
383
				bcopy(ipseczeroes, ptr + off, count);
384
				off += count;
385
				break;
386
			}
387

388
			/* Sanity check. */
389
			if (off > skip)	{
390
				DPRINTF(("%s: malformed IPv4 options header\n",
391
					__func__));
392

393
				m_freem(m);
394
				return EINVAL;
395
			}
396
		}
397

398
		break;
399
#endif /* INET */
400

401
#ifdef INET6
402
	case AF_INET6:  /* Ugly... */
403
		/* Copy and "cook" the IPv6 header. */
404
		m_copydata(m, 0, sizeof(ip6), (caddr_t) &ip6);
405

406
		/* We don't do IPv6 Jumbograms. */
407
		if (ip6.ip6_plen == 0) {
408
			DPRINTF(("%s: unsupported IPv6 jumbogram\n", __func__));
409
			m_freem(m);
410
			return EMSGSIZE;
411
		}
412

413
		ip6.ip6_flow = 0;
414
		ip6.ip6_hlim = 0;
415
		ip6.ip6_vfc &= ~IPV6_VERSION_MASK;
416
		ip6.ip6_vfc |= IPV6_VERSION;
417

418
		/* Scoped address handling. */
419
		if (IN6_IS_SCOPE_LINKLOCAL(&ip6.ip6_src))
420
			ip6.ip6_src.s6_addr16[1] = 0;
421
		if (IN6_IS_SCOPE_LINKLOCAL(&ip6.ip6_dst))
422
			ip6.ip6_dst.s6_addr16[1] = 0;
423

424
		/* Done with IPv6 header. */
425
		m_copyback(m, 0, sizeof(struct ip6_hdr), (caddr_t) &ip6);
426

427
		/* Let's deal with the remaining headers (if any). */
428
		if (skip - sizeof(struct ip6_hdr) > 0) {
429
			if (m->m_len <= skip) {
430
				ptr = (unsigned char *) malloc(
431
				    skip - sizeof(struct ip6_hdr),
432
				    M_AH, M_NOWAIT);
433
				if (ptr == NULL) {
434
					DPRINTF(("%s: failed to allocate memory"
435
						"for IPv6 headers\n",__func__));
436
					m_freem(m);
437
					return ENOBUFS;
438
				}
439

440
				/*
441
				 * Copy all the protocol headers after
442
				 * the IPv6 header.
443
				 */
444
				m_copydata(m, sizeof(struct ip6_hdr),
445
				    skip - sizeof(struct ip6_hdr), ptr);
446
				alloc = 1;
447
			} else {
448
				/* No need to allocate memory. */
449
				ptr = mtod(m, unsigned char *) +
450
				    sizeof(struct ip6_hdr);
451
				alloc = 0;
452
			}
453
		} else
454
			break;
455

456
		nxt = ip6.ip6_nxt & 0xff; /* Next header type. */
457

458
		for (off = 0; off < skip - sizeof(struct ip6_hdr);)
459
			switch (nxt) {
460
			case IPPROTO_HOPOPTS:
461
			case IPPROTO_DSTOPTS:
462
				ip6e = (struct ip6_ext *)(ptr + off);
463
				noff = off + ((ip6e->ip6e_len + 1) << 3);
464

465
				/* Sanity check. */
466
				if (noff > skip - sizeof(struct ip6_hdr))
467
					goto error6;
468

469
				/*
470
				 * Zero out mutable options.
471
				 */
472
				for (count = off + sizeof(struct ip6_ext);
473
				     count < noff;) {
474
					if (ptr[count] == IP6OPT_PAD1) {
475
						count++;
476
						continue; /* Skip padding. */
477
					}
478

479
					ad = ptr[count + 1] + 2;
480
					if (count + ad > noff)
481
						goto error6;
482

483
					if (ptr[count] & IP6OPT_MUTABLE)
484
						memset(ptr + count, 0, ad);
485
					count += ad;
486
				}
487

488
				if (count != noff)
489
					goto error6;
490

491
				/* Advance. */
492
				off += ((ip6e->ip6e_len + 1) << 3);
493
				nxt = ip6e->ip6e_nxt;
494
				break;
495

496
			case IPPROTO_ROUTING:
497
				/*
498
				 * Always include routing headers in
499
				 * computation.
500
				 */
501
				ip6e = (struct ip6_ext *) (ptr + off);
502
				off += ((ip6e->ip6e_len + 1) << 3);
503
				nxt = ip6e->ip6e_nxt;
504
				break;
505

506
			default:
507
				DPRINTF(("%s: unexpected IPv6 header type %d",
508
					__func__, off));
509
error6:
510
				if (alloc)
511
					free(ptr, M_AH);
512
				m_freem(m);
513
				return EINVAL;
514
			}
515

516
		/* Copyback and free, if we allocated. */
517
		if (alloc) {
518
			m_copyback(m, sizeof(struct ip6_hdr),
519
			    skip - sizeof(struct ip6_hdr), ptr);
520
			free(ptr, M_AH);
521
		}
522

523
		break;
524
#endif /* INET6 */
525
	}
526

527
	return 0;
528
}
529

530
/*
531
 * ah_input() gets called to verify that an input packet
532
 * passes authentication.
533
 */
534
static int
535
ah_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
536
{
537
	IPSEC_DEBUG_DECLARE(char buf[128]);
538
	const struct auth_hash *ahx;
539
	struct cryptop *crp;
540
	struct xform_data *xd;
541
	struct newah *ah;
542
	crypto_session_t cryptoid;
543
	int hl, rplen, authsize, ahsize, error;
544
	uint32_t seqh;
545

546
	SECASVAR_RLOCK_TRACKER;
547

548
	IPSEC_ASSERT(sav != NULL, ("null SA"));
549
	IPSEC_ASSERT(sav->key_auth != NULL, ("null authentication key"));
550
	IPSEC_ASSERT(sav->tdb_authalgxform != NULL,
551
		("null authentication xform"));
552

553
	/* Figure out header size. */
554
	rplen = HDRSIZE(sav);
555

556
	if (m->m_len < skip + rplen) {
557
		m = m_pullup(m, skip + rplen);
558
		if (m == NULL) {
559
			DPRINTF(("ah_input: cannot pullup header\n"));
560
			AHSTAT_INC(ahs_hdrops);		/*XXX*/
561
			error = ENOBUFS;
562
			goto bad;
563
		}
564
	}
565
	ah = (struct newah *)(mtod(m, caddr_t) + skip);
566

567
	/* Check replay window, if applicable. */
568
	SECASVAR_RLOCK(sav);
569
	if (sav->replay != NULL && sav->replay->wsize != 0 &&
570
	    ipsec_chkreplay(ntohl(ah->ah_seq), &seqh, sav) == 0) {
571
		SECASVAR_RUNLOCK(sav);
572
		AHSTAT_INC(ahs_replay);
573
		DPRINTF(("%s: packet replay failure: %s\n", __func__,
574
		    ipsec_sa2str(sav, buf, sizeof(buf))));
575
		error = EACCES;
576
		goto bad;
577
	}
578
	cryptoid = sav->tdb_cryptoid;
579
	SECASVAR_RUNLOCK(sav);
580

581
	/* Verify AH header length. */
582
	hl = sizeof(struct ah) + (ah->ah_len * sizeof (u_int32_t));
583
	ahx = sav->tdb_authalgxform;
584
	authsize = AUTHSIZE(sav);
585
	ahsize = ah_hdrsiz(sav);
586
	if (hl != ahsize) {
587
		DPRINTF(("%s: bad authenticator length %u (expecting %lu)"
588
		    " for packet in SA %s/%08lx\n", __func__, hl,
589
		    (u_long)ahsize,
590
		    ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)),
591
		    (u_long) ntohl(sav->spi)));
592
		AHSTAT_INC(ahs_badauthl);
593
		error = EACCES;
594
		goto bad;
595
	}
596
	if (skip + ahsize > m->m_pkthdr.len) {
597
		DPRINTF(("%s: bad mbuf length %u (expecting %lu)"
598
		    " for packet in SA %s/%08lx\n", __func__,
599
		    m->m_pkthdr.len, (u_long)(skip + ahsize),
600
		    ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)),
601
		    (u_long) ntohl(sav->spi)));
602
		AHSTAT_INC(ahs_badauthl);
603
		error = EACCES;
604
		goto bad;
605
	}
606
	AHSTAT_ADD(ahs_ibytes, m->m_pkthdr.len - skip - hl);
607

608
	/* Get crypto descriptors. */
609
	crp = crypto_getreq(cryptoid, M_NOWAIT);
610
	if (crp == NULL) {
611
		DPRINTF(("%s: failed to acquire crypto descriptor\n",
612
		    __func__));
613
		AHSTAT_INC(ahs_crypto);
614
		error = ENOBUFS;
615
		goto bad;
616
	}
617

618
	crp->crp_payload_start = 0;
619
	crp->crp_payload_length = m->m_pkthdr.len;
620
	crp->crp_digest_start = skip + rplen;
621

622
	/* Allocate IPsec-specific opaque crypto info. */
623
	xd = malloc(sizeof(*xd) + skip + rplen + authsize, M_AH,
624
	    M_NOWAIT | M_ZERO);
625
	if (xd == NULL) {
626
		DPRINTF(("%s: failed to allocate xform_data\n", __func__));
627
		AHSTAT_INC(ahs_crypto);
628
		crypto_freereq(crp);
629
		error = ENOBUFS;
630
		goto bad;
631
	}
632

633
	/*
634
	 * Save the authenticator, the skipped portion of the packet,
635
	 * and the AH header.
636
	 */
637
	m_copydata(m, 0, skip + rplen + authsize, (caddr_t)(xd + 1));
638

639
	/* Zeroize the authenticator on the packet. */
640
	m_copyback(m, skip + rplen, authsize, ipseczeroes);
641

642
	/* Save ah_nxt, since ah pointer can become invalid after "massage" */
643
	hl = ah->ah_nxt;
644

645
	/* "Massage" the packet headers for crypto processing. */
646
	error = ah_massage_headers(&m, sav->sah->saidx.dst.sa.sa_family,
647
	    skip, ahx->type, 0);
648
	if (error != 0) {
649
		/* NB: mbuf is free'd by ah_massage_headers */
650
		AHSTAT_INC(ahs_hdrops);
651
		free(xd, M_AH);
652
		crypto_freereq(crp);
653
		key_freesav(&sav);
654
		return (error);
655
	}
656

657
	/* Crypto operation descriptor. */
658
	crp->crp_op = CRYPTO_OP_COMPUTE_DIGEST;
659
	crp->crp_flags = CRYPTO_F_CBIFSYNC;
660
	crypto_use_mbuf(crp, m);
661
	crp->crp_callback = ah_input_cb;
662
	crp->crp_opaque = xd;
663

664
	if (sav->flags & SADB_X_SAFLAGS_ESN &&
665
	    sav->replay != NULL && sav->replay->wsize != 0) {
666
		seqh = htonl(seqh);
667
		memcpy(crp->crp_esn, &seqh, sizeof(seqh));
668
	}
669

670
	/* These are passed as-is to the callback. */
671
	xd->sav = sav;
672
	xd->nxt = hl;
673
	xd->protoff = protoff;
674
	xd->skip = skip;
675
	xd->cryptoid = cryptoid;
676
	xd->vnet = curvnet;
677
	if (V_async_crypto)
678
		return (crypto_dispatch_async(crp, CRYPTO_ASYNC_ORDERED));
679
	else
680
		return (crypto_dispatch(crp));
681
bad:
682
	m_freem(m);
683
	key_freesav(&sav);
684
	return (error);
685
}
686

687
/*
688
 * AH input callback from the crypto driver.
689
 */
690
static int
691
ah_input_cb(struct cryptop *crp)
692
{
693
	IPSEC_DEBUG_DECLARE(char buf[IPSEC_ADDRSTRLEN]);
694
	unsigned char calc[AH_ALEN_MAX];
695
	struct mbuf *m;
696
	struct xform_data *xd;
697
	struct secasvar *sav;
698
	struct secasindex *saidx;
699
	caddr_t ptr;
700
	crypto_session_t cryptoid;
701
	int authsize, rplen, ahsize, error, skip, protoff;
702
	uint8_t nxt;
703

704
	SECASVAR_RLOCK_TRACKER;
705

706
	m = crp->crp_buf.cb_mbuf;
707
	xd = crp->crp_opaque;
708
	CURVNET_SET(xd->vnet);
709
	sav = xd->sav;
710
	skip = xd->skip;
711
	nxt = xd->nxt;
712
	protoff = xd->protoff;
713
	cryptoid = xd->cryptoid;
714
	saidx = &sav->sah->saidx;
715
	IPSEC_ASSERT(saidx->dst.sa.sa_family == AF_INET ||
716
		saidx->dst.sa.sa_family == AF_INET6,
717
		("unexpected protocol family %u", saidx->dst.sa.sa_family));
718

719
	/* Check for crypto errors. */
720
	if (crp->crp_etype) {
721
		if (crp->crp_etype == EAGAIN) {
722
			/* Reset the session ID */
723
			if (ipsec_updateid(sav, &crp->crp_session, &cryptoid) != 0)
724
				crypto_freesession(cryptoid);
725
			xd->cryptoid = crp->crp_session;
726
			CURVNET_RESTORE();
727
			return (crypto_dispatch(crp));
728
		}
729
		AHSTAT_INC(ahs_noxform);
730
		DPRINTF(("%s: crypto error %d\n", __func__, crp->crp_etype));
731
		error = crp->crp_etype;
732
		goto bad;
733
	} else {
734
		AHSTAT_INC2(ahs_hist, sav->alg_auth);
735
		crypto_freereq(crp);		/* No longer needed. */
736
		crp = NULL;
737
	}
738

739
	/* Shouldn't happen... */
740
	if (m == NULL) {
741
		AHSTAT_INC(ahs_crypto);
742
		DPRINTF(("%s: bogus returned buffer from crypto\n", __func__));
743
		error = EINVAL;
744
		goto bad;
745
	}
746

747
	/* Figure out header size. */
748
	rplen = HDRSIZE(sav);
749
	authsize = AUTHSIZE(sav);
750
	ahsize = ah_hdrsiz(sav);
751

752
	/* Copy authenticator off the packet. */
753
	m_copydata(m, skip + rplen, authsize, calc);
754

755
	/* Verify authenticator. */
756
	ptr = (caddr_t) (xd + 1);
757
	if (timingsafe_bcmp(ptr + skip + rplen, calc, authsize)) {
758
		DPRINTF(("%s: authentication hash mismatch for packet "
759
		    "in SA %s/%08lx\n", __func__,
760
		    ipsec_address(&saidx->dst, buf, sizeof(buf)),
761
		    (u_long) ntohl(sav->spi)));
762
		AHSTAT_INC(ahs_badauth);
763
		error = EACCES;
764
		goto bad;
765
	}
766
	/* Fix the Next Protocol field. */
767
	((uint8_t *) ptr)[protoff] = nxt;
768

769
	/* Copyback the saved (uncooked) network headers. */
770
	m_copyback(m, 0, skip, ptr);
771
	free(xd, M_AH), xd = NULL;			/* No longer needed */
772

773
	/*
774
	 * Header is now authenticated.
775
	 */
776
	m->m_flags |= M_AUTHIPHDR|M_AUTHIPDGM;
777

778
	/*
779
	 * Update replay sequence number, if appropriate.
780
	 */
781
	if (sav->replay) {
782
		u_int32_t seq;
783

784
		m_copydata(m, skip + offsetof(struct newah, ah_seq),
785
			   sizeof (seq), (caddr_t) &seq);
786
		SECASVAR_RLOCK(sav);
787
		if (ipsec_updatereplay(ntohl(seq), sav)) {
788
			SECASVAR_RUNLOCK(sav);
789
			AHSTAT_INC(ahs_replay);
790
			error = EACCES;
791
			goto bad;
792
		}
793
		SECASVAR_RUNLOCK(sav);
794
	}
795

796
	/*
797
	 * Remove the AH header and authenticator from the mbuf.
798
	 */
799
	error = m_striphdr(m, skip, ahsize);
800
	if (error) {
801
		DPRINTF(("%s: mangled mbuf chain for SA %s/%08lx\n", __func__,
802
		    ipsec_address(&saidx->dst, buf, sizeof(buf)),
803
		    (u_long) ntohl(sav->spi)));
804
		AHSTAT_INC(ahs_hdrops);
805
		goto bad;
806
	}
807

808
	switch (saidx->dst.sa.sa_family) {
809
#ifdef INET6
810
	case AF_INET6:
811
		error = ipsec6_common_input_cb(m, sav, skip, protoff);
812
		break;
813
#endif
814
#ifdef INET
815
	case AF_INET:
816
		error = ipsec4_common_input_cb(m, sav, skip, protoff);
817
		break;
818
#endif
819
	default:
820
		panic("%s: Unexpected address family: %d saidx=%p", __func__,
821
		    saidx->dst.sa.sa_family, saidx);
822
	}
823
	CURVNET_RESTORE();
824
	return error;
825
bad:
826
	CURVNET_RESTORE();
827
	if (sav)
828
		key_freesav(&sav);
829
	if (m != NULL)
830
		m_freem(m);
831
	if (xd != NULL)
832
		free(xd, M_AH);
833
	if (crp != NULL)
834
		crypto_freereq(crp);
835
	return error;
836
}
837

838
/*
839
 * AH output routine, called by ipsec[46]_perform_request().
840
 */
841
static int
842
ah_output(struct mbuf *m, struct secpolicy *sp, struct secasvar *sav,
843
    u_int idx, int skip, int protoff)
844
{
845
	IPSEC_DEBUG_DECLARE(char buf[IPSEC_ADDRSTRLEN]);
846
	const struct auth_hash *ahx;
847
	struct xform_data *xd;
848
	struct mbuf *mi;
849
	struct cryptop *crp;
850
	struct newah *ah;
851
	crypto_session_t cryptoid;
852
	uint16_t iplen;
853
	int error, rplen, authsize, ahsize, maxpacketsize, roff;
854
	uint8_t prot;
855
	uint32_t seqh;
856

857
	SECASVAR_RLOCK_TRACKER;
858

859
	IPSEC_ASSERT(sav != NULL, ("null SA"));
860
	ahx = sav->tdb_authalgxform;
861
	IPSEC_ASSERT(ahx != NULL, ("null authentication xform"));
862

863
	AHSTAT_INC(ahs_output);
864

865
	/* Figure out header size. */
866
	rplen = HDRSIZE(sav);
867
	authsize = AUTHSIZE(sav);
868
	ahsize = ah_hdrsiz(sav);
869

870
	/* Check for maximum packet size violations. */
871
	switch (sav->sah->saidx.dst.sa.sa_family) {
872
#ifdef INET
873
	case AF_INET:
874
		maxpacketsize = IP_MAXPACKET;
875
		break;
876
#endif /* INET */
877
#ifdef INET6
878
	case AF_INET6:
879
		maxpacketsize = IPV6_MAXPACKET;
880
		break;
881
#endif /* INET6 */
882
	default:
883
		DPRINTF(("%s: unknown/unsupported protocol family %u, "
884
		    "SA %s/%08lx\n", __func__,
885
		    sav->sah->saidx.dst.sa.sa_family,
886
		    ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)),
887
		    (u_long) ntohl(sav->spi)));
888
		AHSTAT_INC(ahs_nopf);
889
		error = EPFNOSUPPORT;
890
		goto bad;
891
	}
892
	if (ahsize + m->m_pkthdr.len > maxpacketsize) {
893
		DPRINTF(("%s: packet in SA %s/%08lx got too big "
894
		    "(len %u, max len %u)\n", __func__,
895
		    ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)),
896
		    (u_long) ntohl(sav->spi),
897
		    ahsize + m->m_pkthdr.len, maxpacketsize));
898
		AHSTAT_INC(ahs_toobig);
899
		error = EMSGSIZE;
900
		goto bad;
901
	}
902

903
	/* Update the counters. */
904
	AHSTAT_ADD(ahs_obytes, m->m_pkthdr.len - skip);
905

906
	m = m_unshare(m, M_NOWAIT);
907
	if (m == NULL) {
908
		DPRINTF(("%s: cannot clone mbuf chain, SA %s/%08lx\n", __func__,
909
		    ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)),
910
		    (u_long) ntohl(sav->spi)));
911
		AHSTAT_INC(ahs_hdrops);
912
		error = ENOBUFS;
913
		goto bad;
914
	}
915

916
	/* Inject AH header. */
917
	mi = m_makespace(m, skip, ahsize, &roff);
918
	if (mi == NULL) {
919
		DPRINTF(("%s: failed to inject %u byte AH header for SA "
920
		    "%s/%08lx\n", __func__, ahsize,
921
		    ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)),
922
		    (u_long) ntohl(sav->spi)));
923
		AHSTAT_INC(ahs_hdrops);		/*XXX differs from openbsd */
924
		error = ENOBUFS;
925
		goto bad;
926
	}
927

928
	/*
929
	 * The AH header is guaranteed by m_makespace() to be in
930
	 * contiguous memory, at roff bytes offset into the returned mbuf.
931
	 */
932
	ah = (struct newah *)(mtod(mi, caddr_t) + roff);
933

934
	/* Initialize the AH header. */
935
	m_copydata(m, protoff, sizeof(u_int8_t), (caddr_t) &ah->ah_nxt);
936
	ah->ah_len = (ahsize - sizeof(struct ah)) / sizeof(u_int32_t);
937
	ah->ah_reserve = 0;
938
	ah->ah_spi = sav->spi;
939

940
	/* Zeroize authenticator. */
941
	m_copyback(m, skip + rplen, authsize, ipseczeroes);
942

943
	/* Zeroize padding */
944
	m_copyback(m, skip + rplen + authsize, ahsize - (rplen + authsize),
945
	    ipseczeroes);
946

947
	/* Insert packet replay counter, as requested.  */
948
	SECASVAR_RLOCK(sav);
949
	if (sav->replay) {
950
		SECREPLAY_LOCK(sav->replay);
951
		if ((sav->replay->count == ~0 ||
952
		    (!(sav->flags & SADB_X_SAFLAGS_ESN) &&
953
		    ((uint32_t)sav->replay->count) == ~0)) &&
954
		    (sav->flags & SADB_X_EXT_CYCSEQ) == 0) {
955
			SECREPLAY_UNLOCK(sav->replay);
956
			SECASVAR_RUNLOCK(sav);
957
			DPRINTF(("%s: replay counter wrapped for SA %s/%08lx\n",
958
			    __func__, ipsec_address(&sav->sah->saidx.dst, buf,
959
			    sizeof(buf)), (u_long) ntohl(sav->spi)));
960
			AHSTAT_INC(ahs_wrap);
961
			error = EACCES;
962
			goto bad;
963
		}
964
#ifdef REGRESSION
965
		/* Emulate replay attack when ipsec_replay is TRUE. */
966
		if (!V_ipsec_replay)
967
#endif
968
			sav->replay->count++;
969
		ah->ah_seq = htonl((uint32_t)sav->replay->count);
970
		SECREPLAY_UNLOCK(sav->replay);
971
	}
972
	cryptoid = sav->tdb_cryptoid;
973
	SECASVAR_RUNLOCK(sav);
974

975
	/* Get crypto descriptors. */
976
	crp = crypto_getreq(cryptoid, M_NOWAIT);
977
	if (crp == NULL) {
978
		DPRINTF(("%s: failed to acquire crypto descriptors\n",
979
			__func__));
980
		AHSTAT_INC(ahs_crypto);
981
		error = ENOBUFS;
982
		goto bad;
983
	}
984

985
	crp->crp_payload_start = 0;
986
	crp->crp_payload_length = m->m_pkthdr.len;
987
	crp->crp_digest_start = skip + rplen;
988

989
	/* Allocate IPsec-specific opaque crypto info. */
990
	xd =  malloc(sizeof(struct xform_data) + skip, M_AH,
991
	    M_NOWAIT | M_ZERO);
992
	if (xd == NULL) {
993
		crypto_freereq(crp);
994
		DPRINTF(("%s: failed to allocate xform_data\n", __func__));
995
		AHSTAT_INC(ahs_crypto);
996
		error = ENOBUFS;
997
		goto bad;
998
	}
999

1000
	/* Save the skipped portion of the packet. */
1001
	m_copydata(m, 0, skip, (caddr_t) (xd + 1));
1002

1003
	/*
1004
	 * Fix IP header length on the header used for
1005
	 * authentication. We don't need to fix the original
1006
	 * header length as it will be fixed by our caller.
1007
	 */
1008
	switch (sav->sah->saidx.dst.sa.sa_family) {
1009
#ifdef INET
1010
	case AF_INET:
1011
		bcopy(((caddr_t)(xd + 1)) +
1012
		    offsetof(struct ip, ip_len),
1013
		    (caddr_t) &iplen, sizeof(u_int16_t));
1014
		iplen = htons(ntohs(iplen) + ahsize);
1015
		m_copyback(m, offsetof(struct ip, ip_len),
1016
		    sizeof(u_int16_t), (caddr_t) &iplen);
1017
		break;
1018
#endif /* INET */
1019

1020
#ifdef INET6
1021
	case AF_INET6:
1022
		bcopy(((caddr_t)(xd + 1)) +
1023
		    offsetof(struct ip6_hdr, ip6_plen),
1024
		    (caddr_t) &iplen, sizeof(uint16_t));
1025
		iplen = htons(ntohs(iplen) + ahsize);
1026
		m_copyback(m, offsetof(struct ip6_hdr, ip6_plen),
1027
		    sizeof(uint16_t), (caddr_t) &iplen);
1028
		break;
1029
#endif /* INET6 */
1030
	}
1031

1032
	/* Fix the Next Header field in saved header. */
1033
	((uint8_t *) (xd + 1))[protoff] = IPPROTO_AH;
1034

1035
	/* Update the Next Protocol field in the IP header. */
1036
	prot = IPPROTO_AH;
1037
	m_copyback(m, protoff, sizeof(uint8_t), (caddr_t) &prot);
1038

1039
	/* "Massage" the packet headers for crypto processing. */
1040
	error = ah_massage_headers(&m, sav->sah->saidx.dst.sa.sa_family,
1041
			skip, ahx->type, 1);
1042
	if (error != 0) {
1043
		m = NULL;	/* mbuf was free'd by ah_massage_headers. */
1044
		free(xd, M_AH);
1045
		crypto_freereq(crp);
1046
		goto bad;
1047
	}
1048

1049
	/* Crypto operation descriptor. */
1050
	crp->crp_op = CRYPTO_OP_COMPUTE_DIGEST;
1051
	crp->crp_flags = CRYPTO_F_CBIFSYNC;
1052
	crypto_use_mbuf(crp, m);
1053
	crp->crp_callback = ah_output_cb;
1054
	crp->crp_opaque = xd;
1055

1056
	if (sav->flags & SADB_X_SAFLAGS_ESN && sav->replay != NULL) {
1057
		SECREPLAY_LOCK(sav->replay);
1058
		seqh = htonl((uint32_t)(sav->replay->count >> IPSEC_SEQH_SHIFT));
1059
		memcpy(crp->crp_esn, &seqh, sizeof(seqh));
1060
		SECREPLAY_UNLOCK(sav->replay);
1061
	}
1062

1063
	/* These are passed as-is to the callback. */
1064
	xd->sp = sp;
1065
	xd->sav = sav;
1066
	xd->skip = skip;
1067
	xd->idx = idx;
1068
	xd->cryptoid = cryptoid;
1069
	xd->vnet = curvnet;
1070

1071
	if (V_async_crypto)
1072
		return (crypto_dispatch_async(crp, CRYPTO_ASYNC_ORDERED));
1073
	else
1074
		return (crypto_dispatch(crp));
1075
bad:
1076
	if (m)
1077
		m_freem(m);
1078
	key_freesav(&sav);
1079
	key_freesp(&sp);
1080
	return (error);
1081
}
1082

1083
/*
1084
 * AH output callback from the crypto driver.
1085
 */
1086
static int
1087
ah_output_cb(struct cryptop *crp)
1088
{
1089
	struct xform_data *xd;
1090
	struct secpolicy *sp;
1091
	struct secasvar *sav;
1092
	struct mbuf *m;
1093
	crypto_session_t cryptoid;
1094
	caddr_t ptr;
1095
	u_int idx;
1096
	int skip, error;
1097

1098
	m = crp->crp_buf.cb_mbuf;
1099
	xd = (struct xform_data *) crp->crp_opaque;
1100
	CURVNET_SET(xd->vnet);
1101
	sp = xd->sp;
1102
	sav = xd->sav;
1103
	skip = xd->skip;
1104
	idx = xd->idx;
1105
	cryptoid = xd->cryptoid;
1106
	ptr = (caddr_t) (xd + 1);
1107

1108
	/* Check for crypto errors. */
1109
	if (crp->crp_etype) {
1110
		if (crp->crp_etype == EAGAIN) {
1111
			/* Reset the session ID */
1112
			if (ipsec_updateid(sav, &crp->crp_session, &cryptoid) != 0)
1113
				crypto_freesession(cryptoid);
1114
			xd->cryptoid = crp->crp_session;
1115
			CURVNET_RESTORE();
1116
			return (crypto_dispatch(crp));
1117
		}
1118
		AHSTAT_INC(ahs_noxform);
1119
		DPRINTF(("%s: crypto error %d\n", __func__, crp->crp_etype));
1120
		error = crp->crp_etype;
1121
		m_freem(m);
1122
		goto bad;
1123
	}
1124

1125
	/* Shouldn't happen... */
1126
	if (m == NULL) {
1127
		AHSTAT_INC(ahs_crypto);
1128
		DPRINTF(("%s: bogus returned buffer from crypto\n", __func__));
1129
		error = EINVAL;
1130
		goto bad;
1131
	}
1132
	/*
1133
	 * Copy original headers (with the new protocol number) back
1134
	 * in place.
1135
	 */
1136
	m_copyback(m, 0, skip, ptr);
1137

1138
	free(xd, M_AH);
1139
	crypto_freereq(crp);
1140
	AHSTAT_INC2(ahs_hist, sav->alg_auth);
1141
#ifdef REGRESSION
1142
	/* Emulate man-in-the-middle attack when ipsec_integrity is TRUE. */
1143
	if (V_ipsec_integrity) {
1144
		int alen;
1145

1146
		/*
1147
		 * Corrupt HMAC if we want to test integrity verification of
1148
		 * the other side.
1149
		 */
1150
		alen = AUTHSIZE(sav);
1151
		m_copyback(m, m->m_pkthdr.len - alen, alen, ipseczeroes);
1152
	}
1153
#endif
1154

1155
	/* NB: m is reclaimed by ipsec_process_done. */
1156
	error = ipsec_process_done(m, sp, sav, idx);
1157
	CURVNET_RESTORE();
1158
	return (error);
1159
bad:
1160
	CURVNET_RESTORE();
1161
	free(xd, M_AH);
1162
	crypto_freereq(crp);
1163
	key_freesav(&sav);
1164
	key_freesp(&sp);
1165
	return (error);
1166
}
1167

1168
static struct xformsw ah_xformsw = {
1169
	.xf_type =	XF_AH,
1170
	.xf_name =	"IPsec AH",
1171
	.xf_init =	ah_init,
1172
	.xf_cleanup =	ah_cleanup,
1173
	.xf_input =	ah_input,
1174
	.xf_output =	ah_output,
1175
};
1176

1177
SYSINIT(ah_xform_init, SI_SUB_PROTO_DOMAIN, SI_ORDER_MIDDLE,
1178
    xform_attach, &ah_xformsw);
1179
SYSUNINIT(ah_xform_uninit, SI_SUB_PROTO_DOMAIN, SI_ORDER_MIDDLE,
1180
    xform_detach, &ah_xformsw);
1181

1182
Product

Resources

Company
