xref: /trueos/sys/netipsec/xform_ah.c (revision 5868f7205430cd67aa3b655419d3f15f83b70119)
1 /*	$FreeBSD$	*/
2 /*	$OpenBSD: ip_ah.c,v 1.63 2001/06/26 06:18:58 angelos Exp $ */
3 /*-
4  * The authors of this code are John Ioannidis (ji@tla.org),
5  * Angelos D. Keromytis (kermit@csd.uch.gr) and
6  * Niels Provos (provos@physnet.uni-hamburg.de).
7  *
8  * The original version of this code was written by John Ioannidis
9  * for BSD/OS in Athens, Greece, in November 1995.
10  *
11  * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996,
12  * by Angelos D. Keromytis.
13  *
14  * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis
15  * and Niels Provos.
16  *
17  * Additional features in 1999 by Angelos D. Keromytis and Niklas Hallqvist.
18  *
19  * Copyright (c) 1995, 1996, 1997, 1998, 1999 by John Ioannidis,
20  * Angelos D. Keromytis and Niels Provos.
21  * Copyright (c) 1999 Niklas Hallqvist.
22  * Copyright (c) 2001 Angelos D. Keromytis.
23  *
24  * Permission to use, copy, and modify this software with or without fee
25  * is hereby granted, provided that this entire notice is included in
26  * all copies of any software which is or includes a copy or
27  * modification of this software.
28  * You may use this code under the GNU public license if you so wish. Please
29  * contribute changes back to the authors under this freer than GPL license
30  * so that we may further the use of strong encryption without limitations to
31  * all.
32  *
33  * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
34  * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY
35  * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
36  * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
37  * PURPOSE.
38  */
39 #include "opt_inet.h"
40 #include "opt_inet6.h"
41 
42 #include <sys/param.h>
43 #include <sys/systm.h>
44 #include <sys/mbuf.h>
45 #include <sys/socket.h>
46 #include <sys/syslog.h>
47 #include <sys/kernel.h>
48 #include <sys/sysctl.h>
49 
50 #include <net/if.h>
51 #include <net/vnet.h>
52 
53 #include <netinet/in.h>
54 #include <netinet/in_systm.h>
55 #include <netinet/ip.h>
56 #include <netinet/ip_ecn.h>
57 #include <netinet/ip6.h>
58 
59 #include <netipsec/ipsec.h>
60 #include <netipsec/ah.h>
61 #include <netipsec/ah_var.h>
62 #include <netipsec/xform.h>
63 
64 #ifdef INET6
65 #include <netinet6/ip6_var.h>
66 #include <netipsec/ipsec6.h>
67 #include <netinet6/ip6_ecn.h>
68 #endif
69 
70 #include <netipsec/key.h>
71 #include <netipsec/key_debug.h>
72 
73 #include <opencrypto/cryptodev.h>
74 
75 /*
76  * Return header size in bytes.  The old protocol did not support
77  * the replay counter; the new protocol always includes the counter.
78  */
79 #define HDRSIZE(sav) \
80 	(((sav)->flags & SADB_X_EXT_OLD) ? \
81 		sizeof (struct ah) : sizeof (struct ah) + sizeof (u_int32_t))
82 /*
83  * Return authenticator size in bytes.  The old protocol is known
84  * to use a fixed 16-byte authenticator.  The new algorithm use 12-byte
85  * authenticator.
86  */
87 #define	AUTHSIZE(sav)	ah_authsize(sav)
88 
89 VNET_DEFINE(int, ah_enable) = 1;	/* control flow of packets with AH */
90 VNET_DEFINE(int, ah_cleartos) = 1;	/* clear ip_tos when doing AH calc */
91 VNET_PCPUSTAT_DEFINE(struct ahstat, ahstat);
92 VNET_PCPUSTAT_SYSINIT(ahstat);
93 
94 #ifdef VIMAGE
95 VNET_PCPUSTAT_SYSUNINIT(ahstat);
96 #endif /* VIMAGE */
97 
98 #ifdef INET
99 SYSCTL_DECL(_net_inet_ah);
100 SYSCTL_VNET_INT(_net_inet_ah, OID_AUTO,
101 	ah_enable,	CTLFLAG_RW,	&VNET_NAME(ah_enable),	0, "");
102 SYSCTL_VNET_INT(_net_inet_ah, OID_AUTO,
103 	ah_cleartos,	CTLFLAG_RW,	&VNET_NAME(ah_cleartos), 0, "");
104 SYSCTL_VNET_PCPUSTAT(_net_inet_ah, IPSECCTL_STATS, stats, struct ahstat,
105     ahstat, "AH statistics (struct ahstat, netipsec/ah_var.h)");
106 #endif
107 
108 static unsigned char ipseczeroes[256];	/* larger than an ip6 extension hdr */
109 
110 static int ah_input_cb(struct cryptop*);
111 static int ah_output_cb(struct cryptop*);
112 
113 static int
ah_authsize(struct secasvar * sav)114 ah_authsize(struct secasvar *sav)
115 {
116 
117 	IPSEC_ASSERT(sav != NULL, ("%s: sav == NULL", __func__));
118 
119 	if (sav->flags & SADB_X_EXT_OLD)
120 		return 16;
121 
122 	switch (sav->alg_auth) {
123 	case SADB_X_AALG_SHA2_256:
124 		return 16;
125 	case SADB_X_AALG_SHA2_384:
126 		return 24;
127 	case SADB_X_AALG_SHA2_512:
128 		return 32;
129 	default:
130 		return AH_HMAC_HASHLEN;
131 	}
132 	/* NOTREACHED */
133 }
134 /*
135  * NB: this is public for use by the PF_KEY support.
136  */
137 struct auth_hash *
ah_algorithm_lookup(int alg)138 ah_algorithm_lookup(int alg)
139 {
140 	if (alg > SADB_AALG_MAX)
141 		return NULL;
142 	switch (alg) {
143 	case SADB_X_AALG_NULL:
144 		return &auth_hash_null;
145 	case SADB_AALG_MD5HMAC:
146 		return &auth_hash_hmac_md5;
147 	case SADB_AALG_SHA1HMAC:
148 		return &auth_hash_hmac_sha1;
149 	case SADB_X_AALG_RIPEMD160HMAC:
150 		return &auth_hash_hmac_ripemd_160;
151 	case SADB_X_AALG_MD5:
152 		return &auth_hash_key_md5;
153 	case SADB_X_AALG_SHA:
154 		return &auth_hash_key_sha1;
155 	case SADB_X_AALG_SHA2_256:
156 		return &auth_hash_hmac_sha2_256;
157 	case SADB_X_AALG_SHA2_384:
158 		return &auth_hash_hmac_sha2_384;
159 	case SADB_X_AALG_SHA2_512:
160 		return &auth_hash_hmac_sha2_512;
161 	}
162 	return NULL;
163 }
164 
165 size_t
ah_hdrsiz(struct secasvar * sav)166 ah_hdrsiz(struct secasvar *sav)
167 {
168 	size_t size;
169 
170 	if (sav != NULL) {
171 		int authsize;
172 		IPSEC_ASSERT(sav->tdb_authalgxform != NULL, ("null xform"));
173 		/*XXX not right for null algorithm--does it matter??*/
174 		authsize = AUTHSIZE(sav);
175 		size = roundup(authsize, sizeof (u_int32_t)) + HDRSIZE(sav);
176 	} else {
177 		/* default guess */
178 		size = sizeof (struct ah) + sizeof (u_int32_t) + 16;
179 	}
180 	return size;
181 }
182 
183 /*
184  * NB: public for use by esp_init.
185  */
186 int
ah_init0(struct secasvar * sav,struct xformsw * xsp,struct cryptoini * cria)187 ah_init0(struct secasvar *sav, struct xformsw *xsp, struct cryptoini *cria)
188 {
189 	struct auth_hash *thash;
190 	int keylen;
191 
192 	thash = ah_algorithm_lookup(sav->alg_auth);
193 	if (thash == NULL) {
194 		DPRINTF(("%s: unsupported authentication algorithm %u\n",
195 			__func__, sav->alg_auth));
196 		return EINVAL;
197 	}
198 	/*
199 	 * Verify the replay state block allocation is consistent with
200 	 * the protocol type.  We check here so we can make assumptions
201 	 * later during protocol processing.
202 	 */
203 	/* NB: replay state is setup elsewhere (sigh) */
204 	if (((sav->flags&SADB_X_EXT_OLD) == 0) ^ (sav->replay != NULL)) {
205 		DPRINTF(("%s: replay state block inconsistency, "
206 			"%s algorithm %s replay state\n", __func__,
207 			(sav->flags & SADB_X_EXT_OLD) ? "old" : "new",
208 			sav->replay == NULL ? "without" : "with"));
209 		return EINVAL;
210 	}
211 	if (sav->key_auth == NULL) {
212 		DPRINTF(("%s: no authentication key for %s algorithm\n",
213 			__func__, thash->name));
214 		return EINVAL;
215 	}
216 	keylen = _KEYLEN(sav->key_auth);
217 	if (keylen != thash->keysize && thash->keysize != 0) {
218 		DPRINTF(("%s: invalid keylength %d, algorithm %s requires "
219 			"keysize %d\n", __func__,
220 			 keylen, thash->name, thash->keysize));
221 		return EINVAL;
222 	}
223 
224 	sav->tdb_xform = xsp;
225 	sav->tdb_authalgxform = thash;
226 
227 	/* Initialize crypto session. */
228 	bzero(cria, sizeof (*cria));
229 	cria->cri_alg = sav->tdb_authalgxform->type;
230 	cria->cri_klen = _KEYBITS(sav->key_auth);
231 	cria->cri_key = sav->key_auth->key_data;
232 	cria->cri_mlen = AUTHSIZE(sav);
233 
234 	return 0;
235 }
236 
237 /*
238  * ah_init() is called when an SPI is being set up.
239  */
240 static int
ah_init(struct secasvar * sav,struct xformsw * xsp)241 ah_init(struct secasvar *sav, struct xformsw *xsp)
242 {
243 	struct cryptoini cria;
244 	int error;
245 
246 	error = ah_init0(sav, xsp, &cria);
247 	return error ? error :
248 		 crypto_newsession(&sav->tdb_cryptoid, &cria, V_crypto_support);
249 }
250 
251 /*
252  * Paranoia.
253  *
254  * NB: public for use by esp_zeroize (XXX).
255  */
256 int
ah_zeroize(struct secasvar * sav)257 ah_zeroize(struct secasvar *sav)
258 {
259 	int err;
260 
261 	if (sav->key_auth)
262 		bzero(sav->key_auth->key_data, _KEYLEN(sav->key_auth));
263 
264 	err = crypto_freesession(sav->tdb_cryptoid);
265 	sav->tdb_cryptoid = 0;
266 	sav->tdb_authalgxform = NULL;
267 	sav->tdb_xform = NULL;
268 	return err;
269 }
270 
271 /*
272  * Massage IPv4/IPv6 headers for AH processing.
273  */
274 static int
ah_massage_headers(struct mbuf ** m0,int proto,int skip,int alg,int out)275 ah_massage_headers(struct mbuf **m0, int proto, int skip, int alg, int out)
276 {
277 	struct mbuf *m = *m0;
278 	unsigned char *ptr;
279 	int off, count;
280 
281 #ifdef INET
282 	struct ip *ip;
283 #endif /* INET */
284 
285 #ifdef INET6
286 	struct ip6_ext *ip6e;
287 	struct ip6_hdr ip6;
288 	int alloc, len, ad;
289 #endif /* INET6 */
290 
291 	switch (proto) {
292 #ifdef INET
293 	case AF_INET:
294 		/*
295 		 * This is the least painful way of dealing with IPv4 header
296 		 * and option processing -- just make sure they're in
297 		 * contiguous memory.
298 		 */
299 		*m0 = m = m_pullup(m, skip);
300 		if (m == NULL) {
301 			DPRINTF(("%s: m_pullup failed\n", __func__));
302 			return ENOBUFS;
303 		}
304 
305 		/* Fix the IP header */
306 		ip = mtod(m, struct ip *);
307 		if (V_ah_cleartos)
308 			ip->ip_tos = 0;
309 		ip->ip_ttl = 0;
310 		ip->ip_sum = 0;
311 
312 		if (alg == CRYPTO_MD5_KPDK || alg == CRYPTO_SHA1_KPDK)
313 			ip->ip_off &= htons(IP_DF);
314 		else
315 			ip->ip_off = htons(0);
316 
317 		ptr = mtod(m, unsigned char *) + sizeof(struct ip);
318 
319 		/* IPv4 option processing */
320 		for (off = sizeof(struct ip); off < skip;) {
321 			if (ptr[off] == IPOPT_EOL || ptr[off] == IPOPT_NOP ||
322 			    off + 1 < skip)
323 				;
324 			else {
325 				DPRINTF(("%s: illegal IPv4 option length for "
326 					"option %d\n", __func__, ptr[off]));
327 
328 				m_freem(m);
329 				return EINVAL;
330 			}
331 
332 			switch (ptr[off]) {
333 			case IPOPT_EOL:
334 				off = skip;  /* End the loop. */
335 				break;
336 
337 			case IPOPT_NOP:
338 				off++;
339 				break;
340 
341 			case IPOPT_SECURITY:	/* 0x82 */
342 			case 0x85:	/* Extended security. */
343 			case 0x86:	/* Commercial security. */
344 			case 0x94:	/* Router alert */
345 			case 0x95:	/* RFC1770 */
346 				/* Sanity check for option length. */
347 				if (ptr[off + 1] < 2) {
348 					DPRINTF(("%s: illegal IPv4 option "
349 						"length for option %d\n",
350 						__func__, ptr[off]));
351 
352 					m_freem(m);
353 					return EINVAL;
354 				}
355 
356 				off += ptr[off + 1];
357 				break;
358 
359 			case IPOPT_LSRR:
360 			case IPOPT_SSRR:
361 				/* Sanity check for option length. */
362 				if (ptr[off + 1] < 2) {
363 					DPRINTF(("%s: illegal IPv4 option "
364 						"length for option %d\n",
365 						__func__, ptr[off]));
366 
367 					m_freem(m);
368 					return EINVAL;
369 				}
370 
371 				/*
372 				 * On output, if we have either of the
373 				 * source routing options, we should
374 				 * swap the destination address of the
375 				 * IP header with the last address
376 				 * specified in the option, as that is
377 				 * what the destination's IP header
378 				 * will look like.
379 				 */
380 				if (out)
381 					bcopy(ptr + off + ptr[off + 1] -
382 					    sizeof(struct in_addr),
383 					    &(ip->ip_dst), sizeof(struct in_addr));
384 
385 				/* Fall through */
386 			default:
387 				/* Sanity check for option length. */
388 				if (ptr[off + 1] < 2) {
389 					DPRINTF(("%s: illegal IPv4 option "
390 						"length for option %d\n",
391 						__func__, ptr[off]));
392 					m_freem(m);
393 					return EINVAL;
394 				}
395 
396 				/* Zeroize all other options. */
397 				count = ptr[off + 1];
398 				bcopy(ipseczeroes, ptr, count);
399 				off += count;
400 				break;
401 			}
402 
403 			/* Sanity check. */
404 			if (off > skip)	{
405 				DPRINTF(("%s: malformed IPv4 options header\n",
406 					__func__));
407 
408 				m_freem(m);
409 				return EINVAL;
410 			}
411 		}
412 
413 		break;
414 #endif /* INET */
415 
416 #ifdef INET6
417 	case AF_INET6:  /* Ugly... */
418 		/* Copy and "cook" the IPv6 header. */
419 		m_copydata(m, 0, sizeof(ip6), (caddr_t) &ip6);
420 
421 		/* We don't do IPv6 Jumbograms. */
422 		if (ip6.ip6_plen == 0) {
423 			DPRINTF(("%s: unsupported IPv6 jumbogram\n", __func__));
424 			m_freem(m);
425 			return EMSGSIZE;
426 		}
427 
428 		ip6.ip6_flow = 0;
429 		ip6.ip6_hlim = 0;
430 		ip6.ip6_vfc &= ~IPV6_VERSION_MASK;
431 		ip6.ip6_vfc |= IPV6_VERSION;
432 
433 		/* Scoped address handling. */
434 		if (IN6_IS_SCOPE_LINKLOCAL(&ip6.ip6_src))
435 			ip6.ip6_src.s6_addr16[1] = 0;
436 		if (IN6_IS_SCOPE_LINKLOCAL(&ip6.ip6_dst))
437 			ip6.ip6_dst.s6_addr16[1] = 0;
438 
439 		/* Done with IPv6 header. */
440 		m_copyback(m, 0, sizeof(struct ip6_hdr), (caddr_t) &ip6);
441 
442 		/* Let's deal with the remaining headers (if any). */
443 		if (skip - sizeof(struct ip6_hdr) > 0) {
444 			if (m->m_len <= skip) {
445 				ptr = (unsigned char *) malloc(
446 				    skip - sizeof(struct ip6_hdr),
447 				    M_XDATA, M_NOWAIT);
448 				if (ptr == NULL) {
449 					DPRINTF(("%s: failed to allocate memory"
450 						"for IPv6 headers\n",__func__));
451 					m_freem(m);
452 					return ENOBUFS;
453 				}
454 
455 				/*
456 				 * Copy all the protocol headers after
457 				 * the IPv6 header.
458 				 */
459 				m_copydata(m, sizeof(struct ip6_hdr),
460 				    skip - sizeof(struct ip6_hdr), ptr);
461 				alloc = 1;
462 			} else {
463 				/* No need to allocate memory. */
464 				ptr = mtod(m, unsigned char *) +
465 				    sizeof(struct ip6_hdr);
466 				alloc = 0;
467 			}
468 		} else
469 			break;
470 
471 		off = ip6.ip6_nxt & 0xff; /* Next header type. */
472 
473 		for (len = 0; len < skip - sizeof(struct ip6_hdr);)
474 			switch (off) {
475 			case IPPROTO_HOPOPTS:
476 			case IPPROTO_DSTOPTS:
477 				ip6e = (struct ip6_ext *) (ptr + len);
478 
479 				/*
480 				 * Process the mutable/immutable
481 				 * options -- borrows heavily from the
482 				 * KAME code.
483 				 */
484 				for (count = len + sizeof(struct ip6_ext);
485 				     count < len + ((ip6e->ip6e_len + 1) << 3);) {
486 					if (ptr[count] == IP6OPT_PAD1) {
487 						count++;
488 						continue; /* Skip padding. */
489 					}
490 
491 					/* Sanity check. */
492 					if (count > len +
493 					    ((ip6e->ip6e_len + 1) << 3)) {
494 						m_freem(m);
495 
496 						/* Free, if we allocated. */
497 						if (alloc)
498 							free(ptr, M_XDATA);
499 						return EINVAL;
500 					}
501 
502 					ad = ptr[count + 1];
503 
504 					/* If mutable option, zeroize. */
505 					if (ptr[count] & IP6OPT_MUTABLE)
506 						bcopy(ipseczeroes, ptr + count,
507 						    ptr[count + 1]);
508 
509 					count += ad;
510 
511 					/* Sanity check. */
512 					if (count >
513 					    skip - sizeof(struct ip6_hdr)) {
514 						m_freem(m);
515 
516 						/* Free, if we allocated. */
517 						if (alloc)
518 							free(ptr, M_XDATA);
519 						return EINVAL;
520 					}
521 				}
522 
523 				/* Advance. */
524 				len += ((ip6e->ip6e_len + 1) << 3);
525 				off = ip6e->ip6e_nxt;
526 				break;
527 
528 			case IPPROTO_ROUTING:
529 				/*
530 				 * Always include routing headers in
531 				 * computation.
532 				 */
533 				ip6e = (struct ip6_ext *) (ptr + len);
534 				len += ((ip6e->ip6e_len + 1) << 3);
535 				off = ip6e->ip6e_nxt;
536 				break;
537 
538 			default:
539 				DPRINTF(("%s: unexpected IPv6 header type %d",
540 					__func__, off));
541 				if (alloc)
542 					free(ptr, M_XDATA);
543 				m_freem(m);
544 				return EINVAL;
545 			}
546 
547 		/* Copyback and free, if we allocated. */
548 		if (alloc) {
549 			m_copyback(m, sizeof(struct ip6_hdr),
550 			    skip - sizeof(struct ip6_hdr), ptr);
551 			free(ptr, M_XDATA);
552 		}
553 
554 		break;
555 #endif /* INET6 */
556 	}
557 
558 	return 0;
559 }
560 
561 /*
562  * ah_input() gets called to verify that an input packet
563  * passes authentication.
564  */
565 static int
ah_input(struct mbuf * m,struct secasvar * sav,int skip,int protoff)566 ah_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
567 {
568 	struct auth_hash *ahx;
569 	struct tdb_ident *tdbi;
570 	struct tdb_crypto *tc;
571 	struct m_tag *mtag;
572 	struct newah *ah;
573 	int hl, rplen, authsize;
574 
575 	struct cryptodesc *crda;
576 	struct cryptop *crp;
577 
578 	IPSEC_ASSERT(sav != NULL, ("null SA"));
579 	IPSEC_ASSERT(sav->key_auth != NULL, ("null authentication key"));
580 	IPSEC_ASSERT(sav->tdb_authalgxform != NULL,
581 		("null authentication xform"));
582 
583 	/* Figure out header size. */
584 	rplen = HDRSIZE(sav);
585 
586 	/* XXX don't pullup, just copy header */
587 	IP6_EXTHDR_GET(ah, struct newah *, m, skip, rplen);
588 	if (ah == NULL) {
589 		DPRINTF(("ah_input: cannot pullup header\n"));
590 		AHSTAT_INC(ahs_hdrops);		/*XXX*/
591 		m_freem(m);
592 		return ENOBUFS;
593 	}
594 
595 	/* Check replay window, if applicable. */
596 	if (sav->replay && !ipsec_chkreplay(ntohl(ah->ah_seq), sav)) {
597 		AHSTAT_INC(ahs_replay);
598 		DPRINTF(("%s: packet replay failure: %s\n", __func__,
599 			  ipsec_logsastr(sav)));
600 		m_freem(m);
601 		return ENOBUFS;
602 	}
603 
604 	/* Verify AH header length. */
605 	hl = ah->ah_len * sizeof (u_int32_t);
606 	ahx = sav->tdb_authalgxform;
607 	authsize = AUTHSIZE(sav);
608 	if (hl != authsize + rplen - sizeof (struct ah)) {
609 		DPRINTF(("%s: bad authenticator length %u (expecting %lu)"
610 			" for packet in SA %s/%08lx\n", __func__,
611 			hl, (u_long) (authsize + rplen - sizeof (struct ah)),
612 			ipsec_address(&sav->sah->saidx.dst),
613 			(u_long) ntohl(sav->spi)));
614 		AHSTAT_INC(ahs_badauthl);
615 		m_freem(m);
616 		return EACCES;
617 	}
618 	AHSTAT_ADD(ahs_ibytes, m->m_pkthdr.len - skip - hl);
619 
620 	/* Get crypto descriptors. */
621 	crp = crypto_getreq(1);
622 	if (crp == NULL) {
623 		DPRINTF(("%s: failed to acquire crypto descriptor\n",__func__));
624 		AHSTAT_INC(ahs_crypto);
625 		m_freem(m);
626 		return ENOBUFS;
627 	}
628 
629 	crda = crp->crp_desc;
630 	IPSEC_ASSERT(crda != NULL, ("null crypto descriptor"));
631 
632 	crda->crd_skip = 0;
633 	crda->crd_len = m->m_pkthdr.len;
634 	crda->crd_inject = skip + rplen;
635 
636 	/* Authentication operation. */
637 	crda->crd_alg = ahx->type;
638 	crda->crd_klen = _KEYBITS(sav->key_auth);
639 	crda->crd_key = sav->key_auth->key_data;
640 
641 	/* Find out if we've already done crypto. */
642 	for (mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_CRYPTO_DONE, NULL);
643 	     mtag != NULL;
644 	     mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_CRYPTO_DONE, mtag)) {
645 		tdbi = (struct tdb_ident *) (mtag + 1);
646 		if (tdbi->proto == sav->sah->saidx.proto &&
647 		    tdbi->spi == sav->spi &&
648 		    !bcmp(&tdbi->dst, &sav->sah->saidx.dst,
649 			  sizeof (union sockaddr_union)))
650 			break;
651 	}
652 
653 	/* Allocate IPsec-specific opaque crypto info. */
654 	if (mtag == NULL) {
655 		tc = (struct tdb_crypto *) malloc(sizeof (struct tdb_crypto) +
656 			skip + rplen + authsize, M_XDATA, M_NOWAIT|M_ZERO);
657 	} else {
658 		/* Hash verification has already been done successfully. */
659 		tc = (struct tdb_crypto *) malloc(sizeof (struct tdb_crypto),
660 						    M_XDATA, M_NOWAIT|M_ZERO);
661 	}
662 	if (tc == NULL) {
663 		DPRINTF(("%s: failed to allocate tdb_crypto\n", __func__));
664 		AHSTAT_INC(ahs_crypto);
665 		crypto_freereq(crp);
666 		m_freem(m);
667 		return ENOBUFS;
668 	}
669 
670 	/* Only save information if crypto processing is needed. */
671 	if (mtag == NULL) {
672 		int error;
673 
674 		/*
675 		 * Save the authenticator, the skipped portion of the packet,
676 		 * and the AH header.
677 		 */
678 		m_copydata(m, 0, skip + rplen + authsize, (caddr_t)(tc+1));
679 
680 		/* Zeroize the authenticator on the packet. */
681 		m_copyback(m, skip + rplen, authsize, ipseczeroes);
682 
683 		/* "Massage" the packet headers for crypto processing. */
684 		error = ah_massage_headers(&m, sav->sah->saidx.dst.sa.sa_family,
685 		    skip, ahx->type, 0);
686 		if (error != 0) {
687 			/* NB: mbuf is free'd by ah_massage_headers */
688 			AHSTAT_INC(ahs_hdrops);
689 			free(tc, M_XDATA);
690 			crypto_freereq(crp);
691 			return error;
692 		}
693 	}
694 
695 	/* Crypto operation descriptor. */
696 	crp->crp_ilen = m->m_pkthdr.len; /* Total input length. */
697 	crp->crp_flags = CRYPTO_F_IMBUF | CRYPTO_F_CBIFSYNC;
698 	crp->crp_buf = (caddr_t) m;
699 	crp->crp_callback = ah_input_cb;
700 	crp->crp_sid = sav->tdb_cryptoid;
701 	crp->crp_opaque = (caddr_t) tc;
702 
703 	/* These are passed as-is to the callback. */
704 	tc->tc_spi = sav->spi;
705 	tc->tc_dst = sav->sah->saidx.dst;
706 	tc->tc_proto = sav->sah->saidx.proto;
707 	tc->tc_nxt = ah->ah_nxt;
708 	tc->tc_protoff = protoff;
709 	tc->tc_skip = skip;
710 	tc->tc_ptr = (caddr_t) mtag; /* Save the mtag we've identified. */
711 	KEY_ADDREFSA(sav);
712 	tc->tc_sav = sav;
713 
714 	if (mtag == NULL)
715 		return crypto_dispatch(crp);
716 	else
717 		return ah_input_cb(crp);
718 }
719 
720 /*
721  * AH input callback from the crypto driver.
722  */
723 static int
ah_input_cb(struct cryptop * crp)724 ah_input_cb(struct cryptop *crp)
725 {
726 	int rplen, error, skip, protoff;
727 	unsigned char calc[AH_ALEN_MAX];
728 	struct mbuf *m;
729 	struct cryptodesc *crd;
730 	struct auth_hash *ahx;
731 	struct tdb_crypto *tc;
732 	struct m_tag *mtag;
733 	struct secasvar *sav;
734 	struct secasindex *saidx;
735 	u_int8_t nxt;
736 	caddr_t ptr;
737 	int authsize;
738 
739 	crd = crp->crp_desc;
740 
741 	tc = (struct tdb_crypto *) crp->crp_opaque;
742 	IPSEC_ASSERT(tc != NULL, ("null opaque crypto data area!"));
743 	skip = tc->tc_skip;
744 	nxt = tc->tc_nxt;
745 	protoff = tc->tc_protoff;
746 	mtag = (struct m_tag *) tc->tc_ptr;
747 	m = (struct mbuf *) crp->crp_buf;
748 
749 	sav = tc->tc_sav;
750 	IPSEC_ASSERT(sav != NULL, ("null SA!"));
751 
752 	saidx = &sav->sah->saidx;
753 	IPSEC_ASSERT(saidx->dst.sa.sa_family == AF_INET ||
754 		saidx->dst.sa.sa_family == AF_INET6,
755 		("unexpected protocol family %u", saidx->dst.sa.sa_family));
756 
757 	ahx = (struct auth_hash *) sav->tdb_authalgxform;
758 
759 	/* Check for crypto errors. */
760 	if (crp->crp_etype) {
761 		if (sav->tdb_cryptoid != 0)
762 			sav->tdb_cryptoid = crp->crp_sid;
763 
764 		if (crp->crp_etype == EAGAIN)
765 			return (crypto_dispatch(crp));
766 
767 		AHSTAT_INC(ahs_noxform);
768 		DPRINTF(("%s: crypto error %d\n", __func__, crp->crp_etype));
769 		error = crp->crp_etype;
770 		goto bad;
771 	} else {
772 		AHSTAT_INC(ahs_hist[sav->alg_auth]);
773 		crypto_freereq(crp);		/* No longer needed. */
774 		crp = NULL;
775 	}
776 
777 	/* Shouldn't happen... */
778 	if (m == NULL) {
779 		AHSTAT_INC(ahs_crypto);
780 		DPRINTF(("%s: bogus returned buffer from crypto\n", __func__));
781 		error = EINVAL;
782 		goto bad;
783 	}
784 
785 	/* Figure out header size. */
786 	rplen = HDRSIZE(sav);
787 	authsize = AUTHSIZE(sav);
788 
789 	/* Copy authenticator off the packet. */
790 	m_copydata(m, skip + rplen, authsize, calc);
791 
792 	/*
793 	 * If we have an mtag, we don't need to verify the authenticator --
794 	 * it has been verified by an IPsec-aware NIC.
795 	 */
796 	if (mtag == NULL) {
797 		ptr = (caddr_t) (tc + 1);
798 
799 		/* Verify authenticator. */
800 		if (bcmp(ptr + skip + rplen, calc, authsize)) {
801 			DPRINTF(("%s: authentication hash mismatch for packet "
802 			    "in SA %s/%08lx\n", __func__,
803 			    ipsec_address(&saidx->dst),
804 			    (u_long) ntohl(sav->spi)));
805 			AHSTAT_INC(ahs_badauth);
806 			error = EACCES;
807 			goto bad;
808 		}
809 
810 		/* Fix the Next Protocol field. */
811 		((u_int8_t *) ptr)[protoff] = nxt;
812 
813 		/* Copyback the saved (uncooked) network headers. */
814 		m_copyback(m, 0, skip, ptr);
815 	} else {
816 		/* Fix the Next Protocol field. */
817 		m_copyback(m, protoff, sizeof(u_int8_t), &nxt);
818 	}
819 
820 	free(tc, M_XDATA), tc = NULL;			/* No longer needed */
821 
822 	/*
823 	 * Header is now authenticated.
824 	 */
825 	m->m_flags |= M_AUTHIPHDR|M_AUTHIPDGM;
826 
827 	/*
828 	 * Update replay sequence number, if appropriate.
829 	 */
830 	if (sav->replay) {
831 		u_int32_t seq;
832 
833 		m_copydata(m, skip + offsetof(struct newah, ah_seq),
834 			   sizeof (seq), (caddr_t) &seq);
835 		if (ipsec_updatereplay(ntohl(seq), sav)) {
836 			AHSTAT_INC(ahs_replay);
837 			error = ENOBUFS;			/*XXX as above*/
838 			goto bad;
839 		}
840 	}
841 
842 	/*
843 	 * Remove the AH header and authenticator from the mbuf.
844 	 */
845 	error = m_striphdr(m, skip, rplen + authsize);
846 	if (error) {
847 		DPRINTF(("%s: mangled mbuf chain for SA %s/%08lx\n", __func__,
848 		    ipsec_address(&saidx->dst), (u_long) ntohl(sav->spi)));
849 
850 		AHSTAT_INC(ahs_hdrops);
851 		goto bad;
852 	}
853 
854 	switch (saidx->dst.sa.sa_family) {
855 #ifdef INET6
856 	case AF_INET6:
857 		error = ipsec6_common_input_cb(m, sav, skip, protoff, mtag);
858 		break;
859 #endif
860 #ifdef INET
861 	case AF_INET:
862 		error = ipsec4_common_input_cb(m, sav, skip, protoff, mtag);
863 		break;
864 #endif
865 	default:
866 		panic("%s: Unexpected address family: %d saidx=%p", __func__,
867 		    saidx->dst.sa.sa_family, saidx);
868 	}
869 
870 	KEY_FREESAV(&sav);
871 	return error;
872 bad:
873 	if (sav)
874 		KEY_FREESAV(&sav);
875 	if (m != NULL)
876 		m_freem(m);
877 	if (tc != NULL)
878 		free(tc, M_XDATA);
879 	if (crp != NULL)
880 		crypto_freereq(crp);
881 	return error;
882 }
883 
884 /*
885  * AH output routine, called by ipsec[46]_process_packet().
886  */
887 static int
ah_output(struct mbuf * m,struct ipsecrequest * isr,struct mbuf ** mp,int skip,int protoff)888 ah_output(
889 	struct mbuf *m,
890 	struct ipsecrequest *isr,
891 	struct mbuf **mp,
892 	int skip,
893 	int protoff)
894 {
895 	struct secasvar *sav;
896 	struct auth_hash *ahx;
897 	struct cryptodesc *crda;
898 	struct tdb_crypto *tc;
899 	struct mbuf *mi;
900 	struct cryptop *crp;
901 	u_int16_t iplen;
902 	int error, rplen, authsize, maxpacketsize, roff;
903 	u_int8_t prot;
904 	struct newah *ah;
905 
906 	sav = isr->sav;
907 	IPSEC_ASSERT(sav != NULL, ("null SA"));
908 	ahx = sav->tdb_authalgxform;
909 	IPSEC_ASSERT(ahx != NULL, ("null authentication xform"));
910 
911 	AHSTAT_INC(ahs_output);
912 
913 	/* Figure out header size. */
914 	rplen = HDRSIZE(sav);
915 
916 	/* Check for maximum packet size violations. */
917 	switch (sav->sah->saidx.dst.sa.sa_family) {
918 #ifdef INET
919 	case AF_INET:
920 		maxpacketsize = IP_MAXPACKET;
921 		break;
922 #endif /* INET */
923 #ifdef INET6
924 	case AF_INET6:
925 		maxpacketsize = IPV6_MAXPACKET;
926 		break;
927 #endif /* INET6 */
928 	default:
929 		DPRINTF(("%s: unknown/unsupported protocol family %u, "
930 		    "SA %s/%08lx\n", __func__,
931 		    sav->sah->saidx.dst.sa.sa_family,
932 		    ipsec_address(&sav->sah->saidx.dst),
933 		    (u_long) ntohl(sav->spi)));
934 		AHSTAT_INC(ahs_nopf);
935 		error = EPFNOSUPPORT;
936 		goto bad;
937 	}
938 	authsize = AUTHSIZE(sav);
939 	if (rplen + authsize + m->m_pkthdr.len > maxpacketsize) {
940 		DPRINTF(("%s: packet in SA %s/%08lx got too big "
941 		    "(len %u, max len %u)\n", __func__,
942 		    ipsec_address(&sav->sah->saidx.dst),
943 		    (u_long) ntohl(sav->spi),
944 		    rplen + authsize + m->m_pkthdr.len, maxpacketsize));
945 		AHSTAT_INC(ahs_toobig);
946 		error = EMSGSIZE;
947 		goto bad;
948 	}
949 
950 	/* Update the counters. */
951 	AHSTAT_ADD(ahs_obytes, m->m_pkthdr.len - skip);
952 
953 	m = m_unshare(m, M_NOWAIT);
954 	if (m == NULL) {
955 		DPRINTF(("%s: cannot clone mbuf chain, SA %s/%08lx\n", __func__,
956 		    ipsec_address(&sav->sah->saidx.dst),
957 		    (u_long) ntohl(sav->spi)));
958 		AHSTAT_INC(ahs_hdrops);
959 		error = ENOBUFS;
960 		goto bad;
961 	}
962 
963 	/* Inject AH header. */
964 	mi = m_makespace(m, skip, rplen + authsize, &roff);
965 	if (mi == NULL) {
966 		DPRINTF(("%s: failed to inject %u byte AH header for SA "
967 		    "%s/%08lx\n", __func__,
968 		    rplen + authsize,
969 		    ipsec_address(&sav->sah->saidx.dst),
970 		    (u_long) ntohl(sav->spi)));
971 		AHSTAT_INC(ahs_hdrops);		/*XXX differs from openbsd */
972 		error = ENOBUFS;
973 		goto bad;
974 	}
975 
976 	/*
977 	 * The AH header is guaranteed by m_makespace() to be in
978 	 * contiguous memory, at roff bytes offset into the returned mbuf.
979 	 */
980 	ah = (struct newah *)(mtod(mi, caddr_t) + roff);
981 
982 	/* Initialize the AH header. */
983 	m_copydata(m, protoff, sizeof(u_int8_t), (caddr_t) &ah->ah_nxt);
984 	ah->ah_len = (rplen + authsize - sizeof(struct ah)) / sizeof(u_int32_t);
985 	ah->ah_reserve = 0;
986 	ah->ah_spi = sav->spi;
987 
988 	/* Zeroize authenticator. */
989 	m_copyback(m, skip + rplen, authsize, ipseczeroes);
990 
991 	/* Insert packet replay counter, as requested.  */
992 	if (sav->replay) {
993 		if (sav->replay->count == ~0 &&
994 		    (sav->flags & SADB_X_EXT_CYCSEQ) == 0) {
995 			DPRINTF(("%s: replay counter wrapped for SA %s/%08lx\n",
996 				__func__,
997 				ipsec_address(&sav->sah->saidx.dst),
998 				(u_long) ntohl(sav->spi)));
999 			AHSTAT_INC(ahs_wrap);
1000 			error = EINVAL;
1001 			goto bad;
1002 		}
1003 #ifdef REGRESSION
1004 		/* Emulate replay attack when ipsec_replay is TRUE. */
1005 		if (!V_ipsec_replay)
1006 #endif
1007 			sav->replay->count++;
1008 		ah->ah_seq = htonl(sav->replay->count);
1009 	}
1010 
1011 	/* Get crypto descriptors. */
1012 	crp = crypto_getreq(1);
1013 	if (crp == NULL) {
1014 		DPRINTF(("%s: failed to acquire crypto descriptors\n",
1015 			__func__));
1016 		AHSTAT_INC(ahs_crypto);
1017 		error = ENOBUFS;
1018 		goto bad;
1019 	}
1020 
1021 	crda = crp->crp_desc;
1022 
1023 	crda->crd_skip = 0;
1024 	crda->crd_inject = skip + rplen;
1025 	crda->crd_len = m->m_pkthdr.len;
1026 
1027 	/* Authentication operation. */
1028 	crda->crd_alg = ahx->type;
1029 	crda->crd_key = sav->key_auth->key_data;
1030 	crda->crd_klen = _KEYBITS(sav->key_auth);
1031 
1032 	/* Allocate IPsec-specific opaque crypto info. */
1033 	tc = (struct tdb_crypto *) malloc(
1034 		sizeof(struct tdb_crypto) + skip, M_XDATA, M_NOWAIT|M_ZERO);
1035 	if (tc == NULL) {
1036 		crypto_freereq(crp);
1037 		DPRINTF(("%s: failed to allocate tdb_crypto\n", __func__));
1038 		AHSTAT_INC(ahs_crypto);
1039 		error = ENOBUFS;
1040 		goto bad;
1041 	}
1042 
1043 	/* Save the skipped portion of the packet. */
1044 	m_copydata(m, 0, skip, (caddr_t) (tc + 1));
1045 
1046 	/*
1047 	 * Fix IP header length on the header used for
1048 	 * authentication. We don't need to fix the original
1049 	 * header length as it will be fixed by our caller.
1050 	 */
1051 	switch (sav->sah->saidx.dst.sa.sa_family) {
1052 #ifdef INET
1053 	case AF_INET:
1054 		bcopy(((caddr_t)(tc + 1)) +
1055 		    offsetof(struct ip, ip_len),
1056 		    (caddr_t) &iplen, sizeof(u_int16_t));
1057 		iplen = htons(ntohs(iplen) + rplen + authsize);
1058 		m_copyback(m, offsetof(struct ip, ip_len),
1059 		    sizeof(u_int16_t), (caddr_t) &iplen);
1060 		break;
1061 #endif /* INET */
1062 
1063 #ifdef INET6
1064 	case AF_INET6:
1065 		bcopy(((caddr_t)(tc + 1)) +
1066 		    offsetof(struct ip6_hdr, ip6_plen),
1067 		    (caddr_t) &iplen, sizeof(u_int16_t));
1068 		iplen = htons(ntohs(iplen) + rplen + authsize);
1069 		m_copyback(m, offsetof(struct ip6_hdr, ip6_plen),
1070 		    sizeof(u_int16_t), (caddr_t) &iplen);
1071 		break;
1072 #endif /* INET6 */
1073 	}
1074 
1075 	/* Fix the Next Header field in saved header. */
1076 	((u_int8_t *) (tc + 1))[protoff] = IPPROTO_AH;
1077 
1078 	/* Update the Next Protocol field in the IP header. */
1079 	prot = IPPROTO_AH;
1080 	m_copyback(m, protoff, sizeof(u_int8_t), (caddr_t) &prot);
1081 
1082 	/* "Massage" the packet headers for crypto processing. */
1083 	error = ah_massage_headers(&m, sav->sah->saidx.dst.sa.sa_family,
1084 			skip, ahx->type, 1);
1085 	if (error != 0) {
1086 		m = NULL;	/* mbuf was free'd by ah_massage_headers. */
1087 		free(tc, M_XDATA);
1088 		crypto_freereq(crp);
1089 		goto bad;
1090 	}
1091 
1092 	/* Crypto operation descriptor. */
1093 	crp->crp_ilen = m->m_pkthdr.len; /* Total input length. */
1094 	crp->crp_flags = CRYPTO_F_IMBUF | CRYPTO_F_CBIFSYNC;
1095 	crp->crp_buf = (caddr_t) m;
1096 	crp->crp_callback = ah_output_cb;
1097 	crp->crp_sid = sav->tdb_cryptoid;
1098 	crp->crp_opaque = (caddr_t) tc;
1099 
1100 	/* These are passed as-is to the callback. */
1101 	tc->tc_isr = isr;
1102 	KEY_ADDREFSA(sav);
1103 	tc->tc_sav = sav;
1104 	tc->tc_spi = sav->spi;
1105 	tc->tc_dst = sav->sah->saidx.dst;
1106 	tc->tc_proto = sav->sah->saidx.proto;
1107 	tc->tc_skip = skip;
1108 	tc->tc_protoff = protoff;
1109 
1110 	return crypto_dispatch(crp);
1111 bad:
1112 	if (m)
1113 		m_freem(m);
1114 	return (error);
1115 }
1116 
1117 /*
1118  * AH output callback from the crypto driver.
1119  */
1120 static int
ah_output_cb(struct cryptop * crp)1121 ah_output_cb(struct cryptop *crp)
1122 {
1123 	int skip, protoff, error;
1124 	struct tdb_crypto *tc;
1125 	struct ipsecrequest *isr;
1126 	struct secasvar *sav;
1127 	struct mbuf *m;
1128 	caddr_t ptr;
1129 
1130 	tc = (struct tdb_crypto *) crp->crp_opaque;
1131 	IPSEC_ASSERT(tc != NULL, ("null opaque data area!"));
1132 	skip = tc->tc_skip;
1133 	protoff = tc->tc_protoff;
1134 	ptr = (caddr_t) (tc + 1);
1135 	m = (struct mbuf *) crp->crp_buf;
1136 
1137 	isr = tc->tc_isr;
1138 	IPSECREQUEST_LOCK(isr);
1139 	sav = tc->tc_sav;
1140 	/* With the isr lock released SA pointer can be updated. */
1141 	if (sav != isr->sav) {
1142 		AHSTAT_INC(ahs_notdb);
1143 		DPRINTF(("%s: SA expired while in crypto\n", __func__));
1144 		error = ENOBUFS;		/*XXX*/
1145 		goto bad;
1146 	}
1147 
1148 	/* Check for crypto errors. */
1149 	if (crp->crp_etype) {
1150 		if (sav->tdb_cryptoid != 0)
1151 			sav->tdb_cryptoid = crp->crp_sid;
1152 
1153 		if (crp->crp_etype == EAGAIN) {
1154 			IPSECREQUEST_UNLOCK(isr);
1155 			return (crypto_dispatch(crp));
1156 		}
1157 
1158 		AHSTAT_INC(ahs_noxform);
1159 		DPRINTF(("%s: crypto error %d\n", __func__, crp->crp_etype));
1160 		error = crp->crp_etype;
1161 		goto bad;
1162 	}
1163 
1164 	/* Shouldn't happen... */
1165 	if (m == NULL) {
1166 		AHSTAT_INC(ahs_crypto);
1167 		DPRINTF(("%s: bogus returned buffer from crypto\n", __func__));
1168 		error = EINVAL;
1169 		goto bad;
1170 	}
1171 	AHSTAT_INC(ahs_hist[sav->alg_auth]);
1172 
1173 	/*
1174 	 * Copy original headers (with the new protocol number) back
1175 	 * in place.
1176 	 */
1177 	m_copyback(m, 0, skip, ptr);
1178 
1179 	/* No longer needed. */
1180 	free(tc, M_XDATA);
1181 	crypto_freereq(crp);
1182 
1183 #ifdef REGRESSION
1184 	/* Emulate man-in-the-middle attack when ipsec_integrity is TRUE. */
1185 	if (V_ipsec_integrity) {
1186 		int alen;
1187 
1188 		/*
1189 		 * Corrupt HMAC if we want to test integrity verification of
1190 		 * the other side.
1191 		 */
1192 		alen = AUTHSIZE(sav);
1193 		m_copyback(m, m->m_pkthdr.len - alen, alen, ipseczeroes);
1194 	}
1195 #endif
1196 
1197 	/* NB: m is reclaimed by ipsec_process_done. */
1198 	error = ipsec_process_done(m, isr);
1199 	KEY_FREESAV(&sav);
1200 	IPSECREQUEST_UNLOCK(isr);
1201 	return error;
1202 bad:
1203 	if (sav)
1204 		KEY_FREESAV(&sav);
1205 	IPSECREQUEST_UNLOCK(isr);
1206 	if (m)
1207 		m_freem(m);
1208 	free(tc, M_XDATA);
1209 	crypto_freereq(crp);
1210 	return error;
1211 }
1212 
1213 static struct xformsw ah_xformsw = {
1214 	XF_AH,		XFT_AUTH,	"IPsec AH",
1215 	ah_init,	ah_zeroize,	ah_input,	ah_output,
1216 };
1217 
1218 static void
ah_attach(void)1219 ah_attach(void)
1220 {
1221 
1222 	xform_register(&ah_xformsw);
1223 }
1224 
1225 SYSINIT(ah_xform_init, SI_SUB_PROTO_DOMAIN, SI_ORDER_MIDDLE, ah_attach, NULL);
1226