xform_ah.c revision 1.15
1/* $NetBSD: xform_ah.c,v 1.15 2007/03/04 21:17:55 degroote Exp $ */ 2/* $FreeBSD: src/sys/netipsec/xform_ah.c,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $ */ 3/* $OpenBSD: ip_ah.c,v 1.63 2001/06/26 06:18:58 angelos Exp $ */ 4/* 5 * The authors of this code are John Ioannidis (ji@tla.org), 6 * Angelos D. Keromytis (kermit@csd.uch.gr) and 7 * Niels Provos (provos@physnet.uni-hamburg.de). 8 * 9 * The original version of this code was written by John Ioannidis 10 * for BSD/OS in Athens, Greece, in November 1995. 11 * 12 * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996, 13 * by Angelos D. Keromytis. 14 * 15 * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis 16 * and Niels Provos. 17 * 18 * Additional features in 1999 by Angelos D. Keromytis and Niklas Hallqvist. 19 * 20 * Copyright (c) 1995, 1996, 1997, 1998, 1999 by John Ioannidis, 21 * Angelos D. Keromytis and Niels Provos. 22 * Copyright (c) 1999 Niklas Hallqvist. 23 * Copyright (c) 2001 Angelos D. Keromytis. 24 * 25 * Permission to use, copy, and modify this software with or without fee 26 * is hereby granted, provided that this entire notice is included in 27 * all copies of any software which is or includes a copy or 28 * modification of this software. 29 * You may use this code under the GNU public license if you so wish. Please 30 * contribute changes back to the authors under this freer than GPL license 31 * so that we may further the use of strong encryption without limitations to 32 * all. 33 * 34 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR 35 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY 36 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE 37 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR 38 * PURPOSE. 39 */ 40 41#include <sys/cdefs.h> 42__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.15 2007/03/04 21:17:55 degroote Exp $"); 43 44#include "opt_inet.h" 45#ifdef __FreeBSD__ 46#include "opt_inet6.h" 47#endif 48 49#include <sys/param.h> 50#include <sys/systm.h> 51#include <sys/mbuf.h> 52#include <sys/socket.h> 53#include <sys/syslog.h> 54#include <sys/kernel.h> 55#include <sys/sysctl.h> 56 57#include <net/if.h> 58 59#include <netinet/in.h> 60#include <netinet/in_systm.h> 61#include <netinet/ip.h> 62#include <netinet/ip_ecn.h> 63#include <netinet/ip6.h> 64 65#include <net/route.h> 66#include <netipsec/ipsec.h> 67#include <netipsec/ah.h> 68#include <netipsec/ah_var.h> 69#include <netipsec/xform.h> 70 71#ifdef INET6 72#include <netinet6/ip6_var.h> 73#include <netipsec/ipsec6.h> 74# ifdef __FreeBSD__ 75# include <netinet6/ip6_ecn.h> 76# endif 77#endif 78 79#include <netipsec/key.h> 80#include <netipsec/key_debug.h> 81#include <netipsec/ipsec_osdep.h> 82 83#include <opencrypto/cryptodev.h> 84 85/* 86 * Return header size in bytes. The old protocol did not support 87 * the replay counter; the new protocol always includes the counter. 88 */ 89#define HDRSIZE(sav) \ 90 (((sav)->flags & SADB_X_EXT_OLD) ? \ 91 sizeof (struct ah) : sizeof (struct ah) + sizeof (u_int32_t)) 92/* 93 * Return authenticator size in bytes. The old protocol is known 94 * to use a fixed 16-byte authenticator. The new algorithm gets 95 * this size from the xform but is (currently) always 12. 96 */ 97#define AUTHSIZE(sav) \ 98 ((sav->flags & SADB_X_EXT_OLD) ? 16 : (sav)->tdb_authalgxform->authsize) 99 100int ah_enable = 1; /* control flow of packets with AH */ 101int ah_cleartos = 1; /* clear ip_tos when doing AH calc */ 102struct ahstat ahstat; 103 104#ifdef __FreeBSD__ 105SYSCTL_DECL(_net_inet_ah); 106SYSCTL_INT(_net_inet_ah, OID_AUTO, 107 ah_enable, CTLFLAG_RW, &ah_enable, 0, ""); 108SYSCTL_INT(_net_inet_ah, OID_AUTO, 109 ah_cleartos, CTLFLAG_RW, &ah_cleartos, 0, ""); 110SYSCTL_STRUCT(_net_inet_ah, IPSECCTL_STATS, 111 stats, CTLFLAG_RD, &ahstat, ahstat, ""); 112 113#endif /* __FreeBSD__ */ 114 115static unsigned char ipseczeroes[256]; /* larger than an ip6 extension hdr */ 116 117static int ah_input_cb(struct cryptop*); 118static int ah_output_cb(struct cryptop*); 119 120/* 121 * NB: this is public for use by the PF_KEY support. 122 */ 123struct auth_hash * 124ah_algorithm_lookup(int alg) 125{ 126 if (alg >= AH_ALG_MAX) 127 return NULL; 128 switch (alg) { 129 case SADB_X_AALG_NULL: 130 return &auth_hash_null; 131 case SADB_AALG_MD5HMAC: 132 return &auth_hash_hmac_md5_96; 133 case SADB_AALG_SHA1HMAC: 134 return &auth_hash_hmac_sha1_96; 135 case SADB_X_AALG_RIPEMD160HMAC: 136 return &auth_hash_hmac_ripemd_160_96; 137 case SADB_X_AALG_MD5: 138 return &auth_hash_key_md5; 139 case SADB_X_AALG_SHA: 140 return &auth_hash_key_sha1; 141 case SADB_X_AALG_SHA2_256: 142 return &auth_hash_hmac_sha2_256; 143 case SADB_X_AALG_SHA2_384: 144 return &auth_hash_hmac_sha2_384; 145 case SADB_X_AALG_SHA2_512: 146 return &auth_hash_hmac_sha2_512; 147 } 148 return NULL; 149} 150 151size_t 152ah_hdrsiz(struct secasvar *sav) 153{ 154 size_t size; 155 156 if (sav != NULL) { 157 int authsize; 158 IPSEC_ASSERT(sav->tdb_authalgxform != NULL, 159 ("ah_hdrsiz: null xform")); 160 /*XXX not right for null algorithm--does it matter??*/ 161 authsize = AUTHSIZE(sav); 162 size = roundup(authsize, sizeof (u_int32_t)) + HDRSIZE(sav); 163 } else { 164 /* default guess */ 165 size = sizeof (struct ah) + sizeof (u_int32_t) + 16; 166 } 167 return size; 168} 169 170/* 171 * NB: public for use by esp_init. 172 */ 173int 174ah_init0(struct secasvar *sav, struct xformsw *xsp, struct cryptoini *cria) 175{ 176 struct auth_hash *thash; 177 int keylen; 178 179 thash = ah_algorithm_lookup(sav->alg_auth); 180 if (thash == NULL) { 181 DPRINTF(("ah_init: unsupported authentication algorithm %u\n", 182 sav->alg_auth)); 183 return EINVAL; 184 } 185 /* 186 * Verify the replay state block allocation is consistent with 187 * the protocol type. We check here so we can make assumptions 188 * later during protocol processing. 189 */ 190 /* NB: replay state is setup elsewhere (sigh) */ 191 if (((sav->flags&SADB_X_EXT_OLD) == 0) ^ (sav->replay != NULL)) { 192 DPRINTF(("ah_init: replay state block inconsistency, " 193 "%s algorithm %s replay state\n", 194 (sav->flags & SADB_X_EXT_OLD) ? "old" : "new", 195 sav->replay == NULL ? "without" : "with")); 196 return EINVAL; 197 } 198 if (sav->key_auth == NULL) { 199 DPRINTF(("ah_init: no authentication key for %s " 200 "algorithm\n", thash->name)); 201 return EINVAL; 202 } 203 keylen = _KEYLEN(sav->key_auth); 204 if (keylen != thash->keysize && thash->keysize != 0) { 205 DPRINTF(("ah_init: invalid keylength %d, algorithm " 206 "%s requires keysize %d\n", 207 keylen, thash->name, thash->keysize)); 208 return EINVAL; 209 } 210 211 sav->tdb_xform = xsp; 212 sav->tdb_authalgxform = thash; 213 214 /* Initialize crypto session. */ 215 bzero(cria, sizeof (*cria)); 216 cria->cri_alg = sav->tdb_authalgxform->type; 217 cria->cri_klen = _KEYBITS(sav->key_auth); 218 cria->cri_key = _KEYBUF(sav->key_auth); 219 220 return 0; 221} 222 223/* 224 * ah_init() is called when an SPI is being set up. 225 */ 226static int 227ah_init(struct secasvar *sav, struct xformsw *xsp) 228{ 229 struct cryptoini cria; 230 int error; 231 232 error = ah_init0(sav, xsp, &cria); 233 return error ? error : 234 crypto_newsession(&sav->tdb_cryptoid, &cria, crypto_support); 235} 236 237/* 238 * Paranoia. 239 * 240 * NB: public for use by esp_zeroize (XXX). 241 */ 242int 243ah_zeroize(struct secasvar *sav) 244{ 245 int err; 246 247 if (sav->key_auth) 248 bzero(_KEYBUF(sav->key_auth), _KEYLEN(sav->key_auth)); 249 250 err = crypto_freesession(sav->tdb_cryptoid); 251 sav->tdb_cryptoid = 0; 252 sav->tdb_authalgxform = NULL; 253 sav->tdb_xform = NULL; 254 return err; 255} 256 257/* 258 * Massage IPv4/IPv6 headers for AH processing. 259 */ 260static int 261ah_massage_headers(struct mbuf **m0, int proto, int skip, int alg, int out) 262{ 263 struct mbuf *m = *m0; 264 unsigned char *ptr; 265 int off, count; 266 267#ifdef INET 268 struct ip *ip; 269#endif /* INET */ 270 271#ifdef INET6 272 struct ip6_ext *ip6e; 273 struct ip6_hdr ip6; 274 int alloc, len, ad; 275#endif /* INET6 */ 276 277 switch (proto) { 278#ifdef INET 279 case AF_INET: 280 /* 281 * This is the least painful way of dealing with IPv4 header 282 * and option processing -- just make sure they're in 283 * contiguous memory. 284 */ 285 *m0 = m = m_pullup(m, skip); 286 if (m == NULL) { 287 DPRINTF(("ah_massage_headers: m_pullup failed\n")); 288 return ENOBUFS; 289 } 290 291 /* Fix the IP header */ 292 ip = mtod(m, struct ip *); 293 if (ah_cleartos) 294 ip->ip_tos = 0; 295 ip->ip_ttl = 0; 296 ip->ip_sum = 0; 297 298 /* 299 * On FreeBSD, ip_off and ip_len assumed in host endian; 300 * they are converted (if necessary) by ip_input(). 301 * On NetBSD, ip_off and ip_len are in network byte order. 302 * They must be massaged back to network byte order 303 * before verifying the HMAC. Moreover, on FreeBSD, 304 * we should add `skip' back into the massaged ip_len 305 * (presumably ip_input() deducted it before we got here?) 306 * whereas on NetBSD, we should not. 307 */ 308#ifdef __FreeBSD__ 309 #define TOHOST(x) (x) 310#else 311 #define TOHOST(x) (ntohs(x)) 312#endif 313 if (!out) { 314 u_int16_t inlen = TOHOST(ip->ip_len); 315 316#ifdef __FreeBSD__ 317 ip->ip_len = htons(inlen + skip); 318#else /*!__FreeBSD__ */ 319 ip->ip_len = htons(inlen); 320#endif /*!__FreeBSD__ */ 321 DPRINTF(("ip len: skip %d, " 322 "in %d host %d: new: raw %d host %d\n", 323 skip, 324 inlen, TOHOST(inlen), 325 ip->ip_len, ntohs(ip->ip_len))); 326 327 328 if (alg == CRYPTO_MD5_KPDK || alg == CRYPTO_SHA1_KPDK) 329 ip->ip_off = htons(TOHOST(ip->ip_off) & IP_DF); 330 else 331 ip->ip_off = 0; 332 } else { 333 if (alg == CRYPTO_MD5_KPDK || alg == CRYPTO_SHA1_KPDK) 334 ip->ip_off = htons(ntohs(ip->ip_off) & IP_DF); 335 else 336 ip->ip_off = 0; 337 } 338 339 ptr = mtod(m, unsigned char *) + sizeof(struct ip); 340 341 /* IPv4 option processing */ 342 for (off = sizeof(struct ip); off < skip;) { 343 if (ptr[off] == IPOPT_EOL || ptr[off] == IPOPT_NOP || 344 off + 1 < skip) 345 ; 346 else { 347 DPRINTF(("ah_massage_headers: illegal IPv4 " 348 "option length for option %d\n", 349 ptr[off])); 350 351 m_freem(m); 352 return EINVAL; 353 } 354 355 switch (ptr[off]) { 356 case IPOPT_EOL: 357 off = skip; /* End the loop. */ 358 break; 359 360 case IPOPT_NOP: 361 off++; 362 break; 363 364 case IPOPT_SECURITY: /* 0x82 */ 365 case 0x85: /* Extended security. */ 366 case 0x86: /* Commercial security. */ 367 case 0x94: /* Router alert */ 368 case 0x95: /* RFC1770 */ 369 /* Sanity check for option length. */ 370 if (ptr[off + 1] < 2) { 371 DPRINTF(("ah_massage_headers: " 372 "illegal IPv4 option length for " 373 "option %d\n", ptr[off])); 374 375 m_freem(m); 376 return EINVAL; 377 } 378 379 off += ptr[off + 1]; 380 break; 381 382 case IPOPT_LSRR: 383 case IPOPT_SSRR: 384 /* Sanity check for option length. */ 385 if (ptr[off + 1] < 2) { 386 DPRINTF(("ah_massage_headers: " 387 "illegal IPv4 option length for " 388 "option %d\n", ptr[off])); 389 390 m_freem(m); 391 return EINVAL; 392 } 393 394 /* 395 * On output, if we have either of the 396 * source routing options, we should 397 * swap the destination address of the 398 * IP header with the last address 399 * specified in the option, as that is 400 * what the destination's IP header 401 * will look like. 402 */ 403 if (out) 404 bcopy(ptr + off + ptr[off + 1] - 405 sizeof(struct in_addr), 406 &(ip->ip_dst), sizeof(struct in_addr)); 407 408 /* Fall through */ 409 default: 410 /* Sanity check for option length. */ 411 if (ptr[off + 1] < 2) { 412 DPRINTF(("ah_massage_headers: " 413 "illegal IPv4 option length for " 414 "option %d\n", ptr[off])); 415 m_freem(m); 416 return EINVAL; 417 } 418 419 /* Zeroize all other options. */ 420 count = ptr[off + 1]; 421 bcopy(ipseczeroes, ptr, count); 422 off += count; 423 break; 424 } 425 426 /* Sanity check. */ 427 if (off > skip) { 428 DPRINTF(("ah_massage_headers(): malformed " 429 "IPv4 options header\n")); 430 431 m_freem(m); 432 return EINVAL; 433 } 434 } 435 436 break; 437#endif /* INET */ 438 439#ifdef INET6 440 case AF_INET6: /* Ugly... */ 441 /* Copy and "cook" the IPv6 header. */ 442 m_copydata(m, 0, sizeof(ip6), &ip6); 443 444 /* We don't do IPv6 Jumbograms. */ 445 if (ip6.ip6_plen == 0) { 446 DPRINTF(("ah_massage_headers: unsupported IPv6 jumbogram\n")); 447 m_freem(m); 448 return EMSGSIZE; 449 } 450 451 ip6.ip6_flow = 0; 452 ip6.ip6_hlim = 0; 453 ip6.ip6_vfc &= ~IPV6_VERSION_MASK; 454 ip6.ip6_vfc |= IPV6_VERSION; 455 456 /* Scoped address handling. */ 457 if (IN6_IS_SCOPE_LINKLOCAL(&ip6.ip6_src)) 458 ip6.ip6_src.s6_addr16[1] = 0; 459 if (IN6_IS_SCOPE_LINKLOCAL(&ip6.ip6_dst)) 460 ip6.ip6_dst.s6_addr16[1] = 0; 461 462 /* Done with IPv6 header. */ 463 m_copyback(m, 0, sizeof(struct ip6_hdr), &ip6); 464 465 /* Let's deal with the remaining headers (if any). */ 466 if (skip - sizeof(struct ip6_hdr) > 0) { 467 if (m->m_len <= skip) { 468 ptr = (unsigned char *) malloc( 469 skip - sizeof(struct ip6_hdr), 470 M_XDATA, M_NOWAIT); 471 if (ptr == NULL) { 472 DPRINTF(("ah_massage_headers: failed " 473 "to allocate memory for IPv6 " 474 "headers\n")); 475 m_freem(m); 476 return ENOBUFS; 477 } 478 479 /* 480 * Copy all the protocol headers after 481 * the IPv6 header. 482 */ 483 m_copydata(m, sizeof(struct ip6_hdr), 484 skip - sizeof(struct ip6_hdr), ptr); 485 alloc = 1; 486 } else { 487 /* No need to allocate memory. */ 488 ptr = mtod(m, unsigned char *) + 489 sizeof(struct ip6_hdr); 490 alloc = 0; 491 } 492 } else 493 break; 494 495 off = ip6.ip6_nxt & 0xff; /* Next header type. */ 496 497 for (len = 0; len < skip - sizeof(struct ip6_hdr);) 498 switch (off) { 499 case IPPROTO_HOPOPTS: 500 case IPPROTO_DSTOPTS: 501 ip6e = (struct ip6_ext *) (ptr + len); 502 503 /* 504 * Process the mutable/immutable 505 * options -- borrows heavily from the 506 * KAME code. 507 */ 508 for (count = len + sizeof(struct ip6_ext); 509 count < len + ((ip6e->ip6e_len + 1) << 3);) { 510 if (ptr[count] == IP6OPT_PAD1) { 511 count++; 512 continue; /* Skip padding. */ 513 } 514 515 /* Sanity check. */ 516 if (count > len + 517 ((ip6e->ip6e_len + 1) << 3)) { 518 m_freem(m); 519 520 /* Free, if we allocated. */ 521 if (alloc) 522 FREE(ptr, M_XDATA); 523 return EINVAL; 524 } 525 526 ad = ptr[count + 1]; 527 528 /* If mutable option, zeroize. */ 529 if (ptr[count] & IP6OPT_MUTABLE) 530 bcopy(ipseczeroes, ptr + count, 531 ptr[count + 1]); 532 533 count += ad; 534 535 /* Sanity check. */ 536 if (count > 537 skip - sizeof(struct ip6_hdr)) { 538 m_freem(m); 539 540 /* Free, if we allocated. */ 541 if (alloc) 542 FREE(ptr, M_XDATA); 543 return EINVAL; 544 } 545 } 546 547 /* Advance. */ 548 len += ((ip6e->ip6e_len + 1) << 3); 549 off = ip6e->ip6e_nxt; 550 break; 551 552 case IPPROTO_ROUTING: 553 /* 554 * Always include routing headers in 555 * computation. 556 */ 557 ip6e = (struct ip6_ext *) (ptr + len); 558 len += ((ip6e->ip6e_len + 1) << 3); 559 off = ip6e->ip6e_nxt; 560 break; 561 562 default: 563 DPRINTF(("ah_massage_headers: unexpected " 564 "IPv6 header type %d", off)); 565 if (alloc) 566 FREE(ptr, M_XDATA); 567 m_freem(m); 568 return EINVAL; 569 } 570 571 /* Copyback and free, if we allocated. */ 572 if (alloc) { 573 m_copyback(m, sizeof(struct ip6_hdr), 574 skip - sizeof(struct ip6_hdr), ptr); 575 free(ptr, M_XDATA); 576 } 577 578 break; 579#endif /* INET6 */ 580 } 581 582 return 0; 583} 584 585/* 586 * ah_input() gets called to verify that an input packet 587 * passes authentication. 588 */ 589static int 590ah_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff) 591{ 592 struct auth_hash *ahx; 593 struct tdb_ident *tdbi; 594 struct tdb_crypto *tc; 595 struct m_tag *mtag; 596 struct newah *ah; 597 int hl, rplen, authsize; 598 599 struct cryptodesc *crda; 600 struct cryptop *crp; 601 602 IPSEC_SPLASSERT_SOFTNET("ah_input"); 603 604 IPSEC_ASSERT(sav != NULL, ("ah_input: null SA")); 605 IPSEC_ASSERT(sav->key_auth != NULL, 606 ("ah_input: null authentication key")); 607 IPSEC_ASSERT(sav->tdb_authalgxform != NULL, 608 ("ah_input: null authentication xform")); 609 610 /* Figure out header size. */ 611 rplen = HDRSIZE(sav); 612 613 /* XXX don't pullup, just copy header */ 614 IP6_EXTHDR_GET(ah, struct newah *, m, skip, rplen); 615 if (ah == NULL) { 616 DPRINTF(("ah_input: cannot pullup header\n")); 617 ahstat.ahs_hdrops++; /*XXX*/ 618 m_freem(m); 619 return ENOBUFS; 620 } 621 622 /* Check replay window, if applicable. */ 623 if (sav->replay && !ipsec_chkreplay(ntohl(ah->ah_seq), sav)) { 624 ahstat.ahs_replay++; 625 DPRINTF(("ah_input: packet replay failure: %s\n", 626 ipsec_logsastr(sav))); 627 m_freem(m); 628 return ENOBUFS; 629 } 630 631 /* Verify AH header length. */ 632 hl = ah->ah_len * sizeof (u_int32_t); 633 ahx = sav->tdb_authalgxform; 634 authsize = AUTHSIZE(sav); 635 if (hl != authsize + rplen - sizeof (struct ah)) { 636 DPRINTF(("ah_input: bad authenticator length %u (expecting %lu)" 637 " for packet in SA %s/%08lx\n", 638 hl, (u_long) (authsize + rplen - sizeof (struct ah)), 639 ipsec_address(&sav->sah->saidx.dst), 640 (u_long) ntohl(sav->spi))); 641 ahstat.ahs_badauthl++; 642 m_freem(m); 643 return EACCES; 644 } 645 ahstat.ahs_ibytes += m->m_pkthdr.len - skip - hl; 646 DPRINTF(("ah_input skip %d poff %d\n" 647 "len: hl %d authsize %d rpl %d expect %ld\n", 648 skip, protoff, 649 hl, authsize, rplen, 650 (long)(authsize + rplen - sizeof(struct ah)))); 651 652 /* Get crypto descriptors. */ 653 crp = crypto_getreq(1); 654 if (crp == NULL) { 655 DPRINTF(("ah_input: failed to acquire crypto descriptor\n")); 656 ahstat.ahs_crypto++; 657 m_freem(m); 658 return ENOBUFS; 659 } 660 661 crda = crp->crp_desc; 662 IPSEC_ASSERT(crda != NULL, ("ah_input: null crypto descriptor")); 663 664 crda->crd_skip = 0; 665 crda->crd_len = m->m_pkthdr.len; 666 crda->crd_inject = skip + rplen; 667 668 /* Authentication operation. */ 669 crda->crd_alg = ahx->type; 670 crda->crd_key = _KEYBUF(sav->key_auth); 671 crda->crd_klen = _KEYBITS(sav->key_auth); 672 673 /* Find out if we've already done crypto. */ 674 for (mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_CRYPTO_DONE, NULL); 675 mtag != NULL; 676 mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_CRYPTO_DONE, mtag)) { 677 tdbi = (struct tdb_ident *) (mtag + 1); 678 if (tdbi->proto == sav->sah->saidx.proto && 679 tdbi->spi == sav->spi && 680 !bcmp(&tdbi->dst, &sav->sah->saidx.dst, 681 sizeof (union sockaddr_union))) 682 break; 683 } 684 685 /* Allocate IPsec-specific opaque crypto info. */ 686 if (mtag == NULL) { 687 tc = (struct tdb_crypto *) malloc(sizeof (struct tdb_crypto) + 688 skip + rplen + authsize, M_XDATA, M_NOWAIT|M_ZERO); 689 } else { 690 /* Hash verification has already been done successfully. */ 691 tc = (struct tdb_crypto *) malloc(sizeof (struct tdb_crypto), 692 M_XDATA, M_NOWAIT|M_ZERO); 693 } 694 if (tc == NULL) { 695 DPRINTF(("ah_input: failed to allocate tdb_crypto\n")); 696 ahstat.ahs_crypto++; 697 crypto_freereq(crp); 698 m_freem(m); 699 return ENOBUFS; 700 } 701 702 /* Only save information if crypto processing is needed. */ 703 if (mtag == NULL) { 704 int error; 705 706 /* 707 * Save the authenticator, the skipped portion of the packet, 708 * and the AH header. 709 */ 710 m_copydata(m, 0, skip + rplen + authsize, (char *)(tc+1)); 711 712 { 713 u_int8_t *pppp = ((char *)(tc+1))+skip+rplen; 714 DPRINTF(("ah_input: zeroing %d bytes of authent " \ 715 "%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x\n", 716 authsize, 717 pppp[0], pppp[1], pppp[2], pppp[3], 718 pppp[4], pppp[5], pppp[6], pppp[7], 719 pppp[8], pppp[9], pppp[10], pppp[11])); 720 } 721 722 /* Zeroize the authenticator on the packet. */ 723 m_copyback(m, skip + rplen, authsize, ipseczeroes); 724 725 /* "Massage" the packet headers for crypto processing. */ 726 error = ah_massage_headers(&m, sav->sah->saidx.dst.sa.sa_family, 727 skip, ahx->type, 0); 728 if (error != 0) { 729 /* NB: mbuf is free'd by ah_massage_headers */ 730 ahstat.ahs_hdrops++; 731 free(tc, M_XDATA); 732 crypto_freereq(crp); 733 return error; 734 } 735 } 736 737 /* Crypto operation descriptor. */ 738 crp->crp_ilen = m->m_pkthdr.len; /* Total input length. */ 739 crp->crp_flags = CRYPTO_F_IMBUF; 740 crp->crp_buf = m; 741 crp->crp_callback = ah_input_cb; 742 crp->crp_sid = sav->tdb_cryptoid; 743 crp->crp_opaque = tc; 744 745 /* These are passed as-is to the callback. */ 746 tc->tc_spi = sav->spi; 747 tc->tc_dst = sav->sah->saidx.dst; 748 tc->tc_proto = sav->sah->saidx.proto; 749 tc->tc_nxt = ah->ah_nxt; 750 tc->tc_protoff = protoff; 751 tc->tc_skip = skip; 752 tc->tc_ptr = mtag; /* Save the mtag we've identified. */ 753 754 DPRINTF(("ah: hash over %d bytes, skip %d: " 755 "crda len %d skip %d inject %d\n", 756 crp->crp_ilen, tc->tc_skip, 757 crda->crd_len, crda->crd_skip, crda->crd_inject)); 758 759 if (mtag == NULL) 760 return crypto_dispatch(crp); 761 else 762 return ah_input_cb(crp); 763} 764 765#ifdef INET6 766#define IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff, mtag) do { \ 767 if (saidx->dst.sa.sa_family == AF_INET6) { \ 768 error = ipsec6_common_input_cb(m, sav, skip, protoff, mtag); \ 769 } else { \ 770 error = ipsec4_common_input_cb(m, sav, skip, protoff, mtag); \ 771 } \ 772} while (0) 773#else 774#define IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff, mtag) \ 775 (error = ipsec4_common_input_cb(m, sav, skip, protoff, mtag)) 776#endif 777 778/* 779 * AH input callback from the crypto driver. 780 */ 781static int 782ah_input_cb(struct cryptop *crp) 783{ 784 int rplen, error, skip, protoff; 785 unsigned char calc[AH_ALEN_MAX]; 786 struct mbuf *m; 787 struct cryptodesc *crd; 788 struct auth_hash *ahx; 789 struct tdb_crypto *tc; 790 struct m_tag *mtag; 791 struct secasvar *sav; 792 struct secasindex *saidx; 793 u_int8_t nxt; 794 char *ptr; 795 int s, authsize; 796 797 crd = crp->crp_desc; 798 799 tc = (struct tdb_crypto *) crp->crp_opaque; 800 IPSEC_ASSERT(tc != NULL, ("ah_input_cb: null opaque crypto data area!")); 801 skip = tc->tc_skip; 802 nxt = tc->tc_nxt; 803 protoff = tc->tc_protoff; 804 mtag = (struct m_tag *) tc->tc_ptr; 805 m = (struct mbuf *) crp->crp_buf; 806 807 s = splsoftnet(); 808 809 sav = KEY_ALLOCSA(&tc->tc_dst, tc->tc_proto, tc->tc_spi); 810 if (sav == NULL) { 811 ahstat.ahs_notdb++; 812 DPRINTF(("ah_input_cb: SA expired while in crypto\n")); 813 error = ENOBUFS; /*XXX*/ 814 goto bad; 815 } 816 817 saidx = &sav->sah->saidx; 818 IPSEC_ASSERT(saidx->dst.sa.sa_family == AF_INET || 819 saidx->dst.sa.sa_family == AF_INET6, 820 ("ah_input_cb: unexpected protocol family %u", 821 saidx->dst.sa.sa_family)); 822 823 ahx = (struct auth_hash *) sav->tdb_authalgxform; 824 825 /* Check for crypto errors. */ 826 if (crp->crp_etype) { 827 if (sav->tdb_cryptoid != 0) 828 sav->tdb_cryptoid = crp->crp_sid; 829 830 if (crp->crp_etype == EAGAIN) 831 return crypto_dispatch(crp); 832 833 ahstat.ahs_noxform++; 834 DPRINTF(("ah_input_cb: crypto error %d\n", crp->crp_etype)); 835 error = crp->crp_etype; 836 goto bad; 837 } else { 838 ahstat.ahs_hist[sav->alg_auth]++; 839 crypto_freereq(crp); /* No longer needed. */ 840 crp = NULL; 841 } 842 843 /* Shouldn't happen... */ 844 if (m == NULL) { 845 ahstat.ahs_crypto++; 846 DPRINTF(("ah_input_cb: bogus returned buffer from crypto\n")); 847 error = EINVAL; 848 goto bad; 849 } 850 851 /* Figure out header size. */ 852 rplen = HDRSIZE(sav); 853 authsize = AUTHSIZE(sav); 854 855 if (ipsec_debug) 856 bzero(calc, sizeof(calc)); 857 858 /* Copy authenticator off the packet. */ 859 m_copydata(m, skip + rplen, authsize, calc); 860 861 /* 862 * If we have an mtag, we don't need to verify the authenticator -- 863 * it has been verified by an IPsec-aware NIC. 864 */ 865 if (mtag == NULL) { 866 ptr = (char *) (tc + 1); 867 868 /* Verify authenticator. */ 869 if (bcmp(ptr + skip + rplen, calc, authsize)) { 870 u_int8_t *pppp = ptr + skip+rplen; 871 DPRINTF(("ah_input: authentication hash mismatch " \ 872 "over %d bytes " \ 873 "for packet in SA %s/%08lx:\n" \ 874 "%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x, " \ 875 "%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x\n", 876 authsize, 877 ipsec_address(&saidx->dst), 878 (u_long) ntohl(sav->spi), 879 calc[0], calc[1], calc[2], calc[3], 880 calc[4], calc[5], calc[6], calc[7], 881 calc[8], calc[9], calc[10], calc[11], 882 pppp[0], pppp[1], pppp[2], pppp[3], 883 pppp[4], pppp[5], pppp[6], pppp[7], 884 pppp[8], pppp[9], pppp[10], pppp[11] 885 )); 886 ahstat.ahs_badauth++; 887 error = EACCES; 888 goto bad; 889 } 890 891 /* Fix the Next Protocol field. */ 892 ((u_int8_t *) ptr)[protoff] = nxt; 893 894 /* Copyback the saved (uncooked) network headers. */ 895 m_copyback(m, 0, skip, ptr); 896 } else { 897 /* Fix the Next Protocol field. */ 898 m_copyback(m, protoff, sizeof(u_int8_t), &nxt); 899 } 900 901 free(tc, M_XDATA), tc = NULL; /* No longer needed */ 902 903 /* 904 * Header is now authenticated. 905 */ 906 m->m_flags |= M_AUTHIPHDR|M_AUTHIPDGM; 907 908 /* 909 * Update replay sequence number, if appropriate. 910 */ 911 if (sav->replay) { 912 u_int32_t seq; 913 914 m_copydata(m, skip + offsetof(struct newah, ah_seq), 915 sizeof (seq), &seq); 916 if (ipsec_updatereplay(ntohl(seq), sav)) { 917 ahstat.ahs_replay++; 918 error = ENOBUFS; /*XXX as above*/ 919 goto bad; 920 } 921 } 922 923 /* 924 * Remove the AH header and authenticator from the mbuf. 925 */ 926 error = m_striphdr(m, skip, rplen + authsize); 927 if (error) { 928 DPRINTF(("ah_input_cb: mangled mbuf chain for SA %s/%08lx\n", 929 ipsec_address(&saidx->dst), (u_long) ntohl(sav->spi))); 930 931 ahstat.ahs_hdrops++; 932 goto bad; 933 } 934 935 IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff, mtag); 936 937 KEY_FREESAV(&sav); 938 splx(s); 939 return error; 940bad: 941 if (sav) 942 KEY_FREESAV(&sav); 943 splx(s); 944 if (m != NULL) 945 m_freem(m); 946 if (tc != NULL) 947 free(tc, M_XDATA); 948 if (crp != NULL) 949 crypto_freereq(crp); 950 return error; 951} 952 953/* 954 * AH output routine, called by ipsec[46]_process_packet(). 955 */ 956static int 957ah_output( 958 struct mbuf *m, 959 struct ipsecrequest *isr, 960 struct mbuf **mp, 961 int skip, 962 int protoff 963) 964{ 965 struct secasvar *sav; 966 struct auth_hash *ahx; 967 struct cryptodesc *crda; 968 struct tdb_crypto *tc; 969 struct mbuf *mi; 970 struct cryptop *crp; 971 u_int16_t iplen; 972 int error, rplen, authsize, maxpacketsize, roff; 973 u_int8_t prot; 974 struct newah *ah; 975 976 IPSEC_SPLASSERT_SOFTNET("ah_output"); 977 978 sav = isr->sav; 979 IPSEC_ASSERT(sav != NULL, ("ah_output: null SA")); 980 ahx = sav->tdb_authalgxform; 981 IPSEC_ASSERT(ahx != NULL, ("ah_output: null authentication xform")); 982 983 ahstat.ahs_output++; 984 985 /* Figure out header size. */ 986 rplen = HDRSIZE(sav); 987 988 /* Check for maximum packet size violations. */ 989 switch (sav->sah->saidx.dst.sa.sa_family) { 990#ifdef INET 991 case AF_INET: 992 maxpacketsize = IP_MAXPACKET; 993 break; 994#endif /* INET */ 995#ifdef INET6 996 case AF_INET6: 997 maxpacketsize = IPV6_MAXPACKET; 998 break; 999#endif /* INET6 */ 1000 default: 1001 DPRINTF(("ah_output: unknown/unsupported protocol " 1002 "family %u, SA %s/%08lx\n", 1003 sav->sah->saidx.dst.sa.sa_family, 1004 ipsec_address(&sav->sah->saidx.dst), 1005 (u_long) ntohl(sav->spi))); 1006 ahstat.ahs_nopf++; 1007 error = EPFNOSUPPORT; 1008 goto bad; 1009 } 1010 authsize = AUTHSIZE(sav); 1011 if (rplen + authsize + m->m_pkthdr.len > maxpacketsize) { 1012 DPRINTF(("ah_output: packet in SA %s/%08lx got too big " 1013 "(len %u, max len %u)\n", 1014 ipsec_address(&sav->sah->saidx.dst), 1015 (u_long) ntohl(sav->spi), 1016 rplen + authsize + m->m_pkthdr.len, maxpacketsize)); 1017 ahstat.ahs_toobig++; 1018 error = EMSGSIZE; 1019 goto bad; 1020 } 1021 1022 /* Update the counters. */ 1023 ahstat.ahs_obytes += m->m_pkthdr.len - skip; 1024 1025 m = m_clone(m); 1026 if (m == NULL) { 1027 DPRINTF(("ah_output: cannot clone mbuf chain, SA %s/%08lx\n", 1028 ipsec_address(&sav->sah->saidx.dst), 1029 (u_long) ntohl(sav->spi))); 1030 ahstat.ahs_hdrops++; 1031 error = ENOBUFS; 1032 goto bad; 1033 } 1034 1035 /* Inject AH header. */ 1036 mi = m_makespace(m, skip, rplen + authsize, &roff); 1037 if (mi == NULL) { 1038 DPRINTF(("ah_output: failed to inject %u byte AH header for SA " 1039 "%s/%08lx\n", 1040 rplen + authsize, 1041 ipsec_address(&sav->sah->saidx.dst), 1042 (u_long) ntohl(sav->spi))); 1043 ahstat.ahs_hdrops++; /*XXX differs from openbsd */ 1044 error = ENOBUFS; 1045 goto bad; 1046 } 1047 1048 /* 1049 * The AH header is guaranteed by m_makespace() to be in 1050 * contiguous memory, at roff bytes offset into the returned mbuf. 1051 */ 1052 ah = (struct newah *)(mtod(mi, char *) + roff); 1053 1054 /* Initialize the AH header. */ 1055 m_copydata(m, protoff, sizeof(u_int8_t), (char *) &ah->ah_nxt); 1056 ah->ah_len = (rplen + authsize - sizeof(struct ah)) / sizeof(u_int32_t); 1057 ah->ah_reserve = 0; 1058 ah->ah_spi = sav->spi; 1059 1060 /* Zeroize authenticator. */ 1061 m_copyback(m, skip + rplen, authsize, ipseczeroes); 1062 1063 /* Insert packet replay counter, as requested. */ 1064 if (sav->replay) { 1065 if (sav->replay->count == ~0 && 1066 (sav->flags & SADB_X_EXT_CYCSEQ) == 0) { 1067 DPRINTF(("ah_output: replay counter wrapped for SA " 1068 "%s/%08lx\n", 1069 ipsec_address(&sav->sah->saidx.dst), 1070 (u_long) ntohl(sav->spi))); 1071 ahstat.ahs_wrap++; 1072 error = EINVAL; 1073 goto bad; 1074 } 1075#ifdef IPSEC_DEBUG 1076 /* Emulate replay attack when ipsec_replay is TRUE. */ 1077 if (!ipsec_replay) 1078#endif 1079 sav->replay->count++; 1080 ah->ah_seq = htonl(sav->replay->count); 1081 } 1082 1083 /* Get crypto descriptors. */ 1084 crp = crypto_getreq(1); 1085 if (crp == NULL) { 1086 DPRINTF(("ah_output: failed to acquire crypto descriptors\n")); 1087 ahstat.ahs_crypto++; 1088 error = ENOBUFS; 1089 goto bad; 1090 } 1091 1092 crda = crp->crp_desc; 1093 1094 crda->crd_skip = 0; 1095 crda->crd_inject = skip + rplen; 1096 crda->crd_len = m->m_pkthdr.len; 1097 1098 /* Authentication operation. */ 1099 crda->crd_alg = ahx->type; 1100 crda->crd_key = _KEYBUF(sav->key_auth); 1101 crda->crd_klen = _KEYBITS(sav->key_auth); 1102 1103 /* Allocate IPsec-specific opaque crypto info. */ 1104 tc = (struct tdb_crypto *) malloc( 1105 sizeof(struct tdb_crypto) + skip, M_XDATA, M_NOWAIT|M_ZERO); 1106 if (tc == NULL) { 1107 crypto_freereq(crp); 1108 DPRINTF(("ah_output: failed to allocate tdb_crypto\n")); 1109 ahstat.ahs_crypto++; 1110 error = ENOBUFS; 1111 goto bad; 1112 } 1113 1114 /* Save the skipped portion of the packet. */ 1115 m_copydata(m, 0, skip, (tc + 1)); 1116 1117 /* 1118 * Fix IP header length on the header used for 1119 * authentication. We don't need to fix the original 1120 * header length as it will be fixed by our caller. 1121 */ 1122 switch (sav->sah->saidx.dst.sa.sa_family) { 1123#ifdef INET 1124 case AF_INET: 1125 bcopy(((char *)(tc + 1)) + 1126 offsetof(struct ip, ip_len), 1127 &iplen, sizeof(u_int16_t)); 1128 iplen = htons(ntohs(iplen) + rplen + authsize); 1129 m_copyback(m, offsetof(struct ip, ip_len), 1130 sizeof(u_int16_t), &iplen); 1131 break; 1132#endif /* INET */ 1133 1134#ifdef INET6 1135 case AF_INET6: 1136 bcopy(((char *)(tc + 1)) + 1137 offsetof(struct ip6_hdr, ip6_plen), 1138 &iplen, sizeof(u_int16_t)); 1139 iplen = htons(ntohs(iplen) + rplen + authsize); 1140 m_copyback(m, offsetof(struct ip6_hdr, ip6_plen), 1141 sizeof(u_int16_t), &iplen); 1142 break; 1143#endif /* INET6 */ 1144 } 1145 1146 /* Fix the Next Header field in saved header. */ 1147 ((u_int8_t *) (tc + 1))[protoff] = IPPROTO_AH; 1148 1149 /* Update the Next Protocol field in the IP header. */ 1150 prot = IPPROTO_AH; 1151 m_copyback(m, protoff, sizeof(u_int8_t), &prot); 1152 1153 /* "Massage" the packet headers for crypto processing. */ 1154 error = ah_massage_headers(&m, sav->sah->saidx.dst.sa.sa_family, 1155 skip, ahx->type, 1); 1156 if (error != 0) { 1157 m = NULL; /* mbuf was free'd by ah_massage_headers. */ 1158 free(tc, M_XDATA); 1159 crypto_freereq(crp); 1160 goto bad; 1161 } 1162 1163 /* Crypto operation descriptor. */ 1164 crp->crp_ilen = m->m_pkthdr.len; /* Total input length. */ 1165 crp->crp_flags = CRYPTO_F_IMBUF; 1166 crp->crp_buf = m; 1167 crp->crp_callback = ah_output_cb; 1168 crp->crp_sid = sav->tdb_cryptoid; 1169 crp->crp_opaque = tc; 1170 1171 /* These are passed as-is to the callback. */ 1172 tc->tc_isr = isr; 1173 tc->tc_spi = sav->spi; 1174 tc->tc_dst = sav->sah->saidx.dst; 1175 tc->tc_proto = sav->sah->saidx.proto; 1176 tc->tc_skip = skip; 1177 tc->tc_protoff = protoff; 1178 1179 return crypto_dispatch(crp); 1180bad: 1181 if (m) 1182 m_freem(m); 1183 return (error); 1184} 1185 1186/* 1187 * AH output callback from the crypto driver. 1188 */ 1189static int 1190ah_output_cb(struct cryptop *crp) 1191{ 1192 int skip, protoff, error; 1193 struct tdb_crypto *tc; 1194 struct ipsecrequest *isr; 1195 struct secasvar *sav; 1196 struct mbuf *m; 1197 void *ptr; 1198 int s, err; 1199 1200 tc = (struct tdb_crypto *) crp->crp_opaque; 1201 IPSEC_ASSERT(tc != NULL, ("ah_output_cb: null opaque data area!")); 1202 skip = tc->tc_skip; 1203 protoff = tc->tc_protoff; 1204 ptr = (tc + 1); 1205 m = (struct mbuf *) crp->crp_buf; 1206 1207 s = splsoftnet(); 1208 1209 isr = tc->tc_isr; 1210 sav = KEY_ALLOCSA(&tc->tc_dst, tc->tc_proto, tc->tc_spi); 1211 if (sav == NULL) { 1212 ahstat.ahs_notdb++; 1213 DPRINTF(("ah_output_cb: SA expired while in crypto\n")); 1214 error = ENOBUFS; /*XXX*/ 1215 goto bad; 1216 } 1217 IPSEC_ASSERT(isr->sav == sav, ("ah_output_cb: SA changed\n")); 1218 1219 /* Check for crypto errors. */ 1220 if (crp->crp_etype) { 1221 if (sav->tdb_cryptoid != 0) 1222 sav->tdb_cryptoid = crp->crp_sid; 1223 1224 if (crp->crp_etype == EAGAIN) { 1225 KEY_FREESAV(&sav); 1226 splx(s); 1227 return crypto_dispatch(crp); 1228 } 1229 1230 ahstat.ahs_noxform++; 1231 DPRINTF(("ah_output_cb: crypto error %d\n", crp->crp_etype)); 1232 error = crp->crp_etype; 1233 goto bad; 1234 } 1235 1236 /* Shouldn't happen... */ 1237 if (m == NULL) { 1238 ahstat.ahs_crypto++; 1239 DPRINTF(("ah_output_cb: bogus returned buffer from crypto\n")); 1240 error = EINVAL; 1241 goto bad; 1242 } 1243 ahstat.ahs_hist[sav->alg_auth]++; 1244 1245 /* 1246 * Copy original headers (with the new protocol number) back 1247 * in place. 1248 */ 1249 m_copyback(m, 0, skip, ptr); 1250 1251 /* No longer needed. */ 1252 free(tc, M_XDATA); 1253 crypto_freereq(crp); 1254 1255#ifdef IPSEC_DEBUG 1256 /* Emulate man-in-the-middle attack when ipsec_integrity is TRUE. */ 1257 if (ipsec_integrity) { 1258 int alen; 1259 1260 /* 1261 * Corrupt HMAC if we want to test integrity verification of 1262 * the other side. 1263 */ 1264 alen = AUTHSIZE(sav); 1265 m_copyback(m, m->m_pkthdr.len - alen, alen, ipseczeroes); 1266 } 1267#endif 1268 1269 /* NB: m is reclaimed by ipsec_process_done. */ 1270 err = ipsec_process_done(m, isr); 1271 KEY_FREESAV(&sav); 1272 splx(s); 1273 return err; 1274bad: 1275 if (sav) 1276 KEY_FREESAV(&sav); 1277 splx(s); 1278 if (m) 1279 m_freem(m); 1280 free(tc, M_XDATA); 1281 crypto_freereq(crp); 1282 return error; 1283} 1284 1285static struct xformsw ah_xformsw = { 1286 XF_AH, XFT_AUTH, "IPsec AH", 1287 ah_init, ah_zeroize, ah_input, ah_output, 1288 NULL, 1289}; 1290 1291INITFN void 1292ah_attach(void) 1293{ 1294 xform_register(&ah_xformsw); 1295} 1296 1297#ifdef __FreeBSD__ 1298SYSINIT(ah_xform_init, SI_SUB_PROTO_DOMAIN, SI_ORDER_MIDDLE, ah_attach, NULL); 1299#endif 1300