1 /* $OpenBSD: ip_esp.c,v 1.88 2003/12/10 07:22:43 itojun Exp $ */
2 /*
3 * The authors of this code are John Ioannidis (ji@tla.org),
4 * Angelos D. Keromytis (kermit@csd.uch.gr) and
5 * Niels Provos (provos@physnet.uni-hamburg.de).
6 *
7 * The original version of this code was written by John Ioannidis
8 * for BSD/OS in Athens, Greece, in November 1995.
9 *
10 * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996,
11 * by Angelos D. Keromytis.
12 *
13 * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis
14 * and Niels Provos.
15 *
16 * Additional features in 1999 by Angelos D. Keromytis.
17 *
18 * Copyright (C) 1995, 1996, 1997, 1998, 1999 by John Ioannidis,
19 * Angelos D. Keromytis and Niels Provos.
20 * Copyright (c) 2001 Angelos D. Keromytis.
21 *
22 * Permission to use, copy, and modify this software with or without fee
23 * is hereby granted, provided that this entire notice is included in
24 * all copies of any software which is or includes a copy or
25 * modification of this software.
26 * You may use this code under the GNU public license if you so wish. Please
27 * contribute changes back to the authors under this freer than GPL license
28 * so that we may further the use of strong encryption without limitations to
29 * all.
30 *
31 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
32 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY
33 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
34 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
35 * PURPOSE.
36 */
37
38 #include <sys/param.h>
39 #include <sys/systm.h>
40 #include <sys/mbuf.h>
41 #include <sys/socket.h>
42
43 #include <net/if.h>
44 #include <net/bpf.h>
45
46 #include <dev/rndvar.h>
47
48 #ifdef INET
49 #include <netinet/in.h>
50 #include <netinet/in_systm.h>
51 #include <netinet/ip.h>
52 #endif /* INET */
53
54 #ifdef INET6
55 #ifndef INET
56 #include <netinet/in.h>
57 #endif
58 #include <netinet/ip6.h>
59 #endif /* INET6 */
60
61 #include <netinet/ip_ipsp.h>
62 #include <netinet/ip_esp.h>
63 #include <net/pfkeyv2.h>
64 #include <net/if_enc.h>
65
66 #include <crypto/cryptodev.h>
67 #include <crypto/xform.h>
68
69 #include "bpfilter.h"
70
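/*
 * Debug printf, compiled in only with ENCDEBUG and active only while
 * encdebug is non-zero.  Callers wrap the printf argument list in an extra
 * pair of parentheses: DPRINTF(("fmt %d\n", v));
 *
 * The expansion is a single do { } while (0) statement.  A bare
 * "if (encdebug) printf x" would silently capture the else branch of an
 * enclosing unbraced if/else, which is an easy way to lose an error path.
 */
#ifdef ENCDEBUG
#define DPRINTF(x)	do { if (encdebug) printf x; } while (0)
#else
#define DPRINTF(x)	do { } while (0)
#endif

/* ESP statistics counters, incremented by the routines in this file. */
struct espstat espstat;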
78
/*
 * esp_attach() is the hook the transformation initialization code calls.
 * There is nothing to set up here, so it always returns 0.
 */
int
esp_attach()
{
	return (0);
}
87
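/*
 * esp_init() is called when an SPI is being set up.
 *
 * Picks the encryption and/or authentication transform named in <ii>,
 * checks the supplied key lengths against that transform, stores a private
 * copy of the raw keys in the TDB and opens a crypto session for it.
 *
 * Returns 0 on success; EINVAL if no algorithm is given, an algorithm is
 * not supported or a key length is out of range; otherwise the value
 * returned by crypto_newsession().
 *
 * NOTE(review): if crypto_newsession() fails, the key copies made here stay
 * attached to the TDB.  Presumably the caller releases them through
 * esp_zeroize() when it tears the TDB down -- confirm.
 *
 * NOTE(review): an SA with encryption but no authentication is accepted.
 * For such an SA esp_input_cb() has only the padding test to detect
 * tampering; whether that should be allowed is a policy decision for the
 * key-management side.  The same applies to single DES and Skipjack.
 */
int
esp_init(struct tdb *tdbp, struct xformsw *xsp, struct ipsecinit *ii)
{
	struct enc_xform *txform = NULL;
	struct auth_hash *thash = NULL;
	struct cryptoini cria, crie;

	/*
	 * At least one transform is required.  Without this check neither
	 * crie nor cria would be filled in, and crypto_newsession() below
	 * would be handed an uninitialized structure from the stack.
	 */
	if (!ii->ii_encalg && !ii->ii_authalg) {
		DPRINTF(("esp_init(): neither authentication nor encryption algorithm given\n"));
		return EINVAL;
	}

	if (ii->ii_encalg) {
		switch (ii->ii_encalg) {
		case SADB_EALG_DESCBC:
			txform = &enc_xform_des;
			break;

		case SADB_EALG_3DESCBC:
			txform = &enc_xform_3des;
			break;

		case SADB_X_EALG_AES:
			txform = &enc_xform_rijndael128;
			break;

		case SADB_X_EALG_BLF:
			txform = &enc_xform_blf;
			break;

		case SADB_X_EALG_CAST:
			txform = &enc_xform_cast5;
			break;

		case SADB_X_EALG_SKIPJACK:
			txform = &enc_xform_skipjack;
			break;

		default:
			DPRINTF(("esp_init(): unsupported encryption algorithm %d specified\n", ii->ii_encalg));
			return EINVAL;
		}

		/* The key must fit the [minkey, maxkey] range of the cipher. */
		if (ii->ii_enckeylen < txform->minkey) {
			DPRINTF(("esp_init(): keylength %d too small (min length is %d) for algorithm %s\n", ii->ii_enckeylen, txform->minkey, txform->name));
			return EINVAL;
		}

		if (ii->ii_enckeylen > txform->maxkey) {
			DPRINTF(("esp_init(): keylength %d too large (max length is %d) for algorithm %s\n", ii->ii_enckeylen, txform->maxkey, txform->name));
			return EINVAL;
		}

		tdbp->tdb_encalgxform = txform;

		DPRINTF(("esp_init(): initialized TDB with enc algorithm %s\n",
		    txform->name));

		/* IV is one cipher block, or half of one for half-IV SAs. */
		tdbp->tdb_ivlen = txform->blocksize;
		if (tdbp->tdb_flags & TDBF_HALFIV)
			tdbp->tdb_ivlen /= 2;
	}

	if (ii->ii_authalg) {
		switch (ii->ii_authalg) {
		case SADB_AALG_MD5HMAC:
			thash = &auth_hash_hmac_md5_96;
			break;

		case SADB_AALG_SHA1HMAC:
			thash = &auth_hash_hmac_sha1_96;
			break;

		case SADB_X_AALG_RIPEMD160HMAC:
			thash = &auth_hash_hmac_ripemd_160_96;
			break;

		case SADB_X_AALG_SHA2_256:
			thash = &auth_hash_hmac_sha2_256_96;
			break;

		case SADB_X_AALG_SHA2_384:
			thash = &auth_hash_hmac_sha2_384_96;
			break;

		case SADB_X_AALG_SHA2_512:
			thash = &auth_hash_hmac_sha2_512_96;
			break;

		default:
			DPRINTF(("esp_init(): unsupported authentication algorithm %d specified\n", ii->ii_authalg));
			return EINVAL;
		}

		/* Authentication keys must match the transform's key size. */
		if (ii->ii_authkeylen != thash->keysize) {
			DPRINTF(("esp_init(): keylength %d doesn't match algorithm %s keysize (%d)\n", ii->ii_authkeylen, thash->name, thash->keysize));
			return EINVAL;
		}

		tdbp->tdb_authalgxform = thash;

		DPRINTF(("esp_init(): initialized TDB with hash algorithm %s\n",
		    thash->name));
	}

	tdbp->tdb_xform = xsp;
	tdbp->tdb_bitmap = 0;
	tdbp->tdb_rpl = AH_HMAC_INITIAL_RPL;

	/* Initialize crypto session */
	if (tdbp->tdb_encalgxform) {
		/* Save the raw keys; esp_zeroize() wipes and frees this copy. */
		tdbp->tdb_emxkeylen = ii->ii_enckeylen;
		MALLOC(tdbp->tdb_emxkey, u_int8_t *, tdbp->tdb_emxkeylen,
		    M_XDATA, M_WAITOK);
		bcopy(ii->ii_enckey, tdbp->tdb_emxkey, tdbp->tdb_emxkeylen);

		bzero(&crie, sizeof(crie));

		crie.cri_alg = tdbp->tdb_encalgxform->type;

		/* Chain the authentication descriptor behind, if there is one. */
		if (tdbp->tdb_authalgxform)
			crie.cri_next = &cria;
		else
			crie.cri_next = NULL;

		crie.cri_klen = ii->ii_enckeylen * 8;	/* in bits */
		crie.cri_key = ii->ii_enckey;
		/* XXX Rounds ? */
	}

	if (tdbp->tdb_authalgxform) {
		/* Save the raw keys; esp_zeroize() wipes and frees this copy. */
		tdbp->tdb_amxkeylen = ii->ii_authkeylen;
		MALLOC(tdbp->tdb_amxkey, u_int8_t *, tdbp->tdb_amxkeylen, M_XDATA,
		    M_WAITOK);
		bcopy(ii->ii_authkey, tdbp->tdb_amxkey, tdbp->tdb_amxkeylen);

		bzero(&cria, sizeof(cria));

		cria.cri_alg = tdbp->tdb_authalgxform->type;
		cria.cri_next = NULL;
		cria.cri_klen = ii->ii_authkeylen * 8;	/* in bits */
		cria.cri_key = ii->ii_authkey;
	}

	/* The head of the chain is crie when encrypting, else cria. */
	return crypto_newsession(&tdbp->tdb_cryptoid,
	    (tdbp->tdb_encalgxform ? &crie : &cria), 0);
}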
235
/*
 * Paranoia: wipe and release the key copies kept in the TDB, then close
 * the crypto session.
 *
 * Each key buffer is overwritten with zeroes over its recorded length
 * before it is freed, and the pointer is cleared afterwards so that a
 * second call finds nothing left to free.  Returns whatever
 * crypto_freesession() returns.
 */
int
esp_zeroize(struct tdb *tdbp)
{
	int error;

	/* Authentication key. */
	if (tdbp->tdb_amxkey != NULL) {
		bzero(tdbp->tdb_amxkey, tdbp->tdb_amxkeylen);
		FREE(tdbp->tdb_amxkey, M_XDATA);
		tdbp->tdb_amxkey = NULL;
	}

	/* Encryption key. */
	if (tdbp->tdb_emxkey != NULL) {
		bzero(tdbp->tdb_emxkey, tdbp->tdb_emxkeylen);
		FREE(tdbp->tdb_emxkey, M_XDATA);
		tdbp->tdb_emxkey = NULL;
	}

	/* Drop the session and forget its id regardless of the outcome. */
	error = crypto_freesession(tdbp->tdb_cryptoid);
	tdbp->tdb_cryptoid = 0;

	return (error);
}
260
/*
 * The larger of AH_ALEN_MAX and ESP_MAX_IVS.
 * NOTE(review): presumably sized to hold either an authenticator or an IV;
 * confirm against its users.
 */
#define MAXBUFSIZ	(ESP_MAX_IVS < AH_ALEN_MAX ? AH_ALEN_MAX : ESP_MAX_IVS)
262
/*
 * ESP input processing, called (eventually) through the protocol switch.
 *
 * Runs the checks that need no cryptography (payload length, block
 * alignment, a non-committing replay-window test, byte lifetimes), then
 * builds the crypto request and either dispatches it or, when the packet
 * carries a matching PACKET_TAG_IPSEC_IN_CRYPTO_DONE tag, calls
 * esp_input_cb() directly.
 *
 * The mbuf chain is consumed on every path.  Returns 0 or an errno value.
 *
 * NOTE(review): the byte counters and the hard/soft lifetime checks run
 * before the authenticator has been verified, so a packet that later fails
 * authentication still counts against the SA's byte lifetime.
 */
int
esp_input(struct mbuf *m, struct tdb *tdb, int skip, int protoff)
{
	struct auth_hash *esph = (struct auth_hash *) tdb->tdb_authalgxform;
	struct enc_xform *espx = (struct enc_xform *) tdb->tdb_encalgxform;
	struct cryptodesc *crde = NULL, *crda = NULL;
	struct tdb_ident *tdbi;
	struct tdb_crypto *tc;
	struct cryptop *crp;
	struct m_tag *mtag;
	int plen, alen, hlen;
	size_t tcsize;
	u_int32_t btsx;

	/*
	 * ESP header length: SPI plus IV for "old" ESP, SPI plus sequence
	 * number plus IV for "new" ESP.
	 */
	hlen = (tdb->tdb_flags & TDBF_NOREPLAY) ?
	    sizeof(u_int32_t) + tdb->tdb_ivlen :
	    2 * sizeof(u_int32_t) + tdb->tdb_ivlen;

	/* A trailing authenticator is present only with an auth transform. */
	alen = esph ? AH_HMAC_HASHLEN : 0;

	/* What remains after the headers and the authenticator. */
	plen = m->m_pkthdr.len - (skip + hlen + alen);
	if (plen <= 0) {
		DPRINTF(("esp_input: invalid payload length\n"));
		espstat.esps_badilen++;
		m_freem(m);
		return EINVAL;
	}

	/*
	 * The payload has to be a whole number of cipher blocks.  The mask
	 * test relies on the block size being a power of two.
	 */
	if (espx != NULL && (plen & (espx->blocksize - 1)) != 0) {
		DPRINTF(("esp_input(): payload of %d octets not a multiple of %d octets, SA %s/%08x\n", plen, espx->blocksize, ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi)));
		espstat.esps_badilen++;
		m_freem(m);
		return EINVAL;
	}

	/*
	 * Replay window pre-check.  The last argument (commit) is 0, so the
	 * window itself is left untouched; esp_input_cb() repeats the check
	 * with commit set.
	 */
	if (tdb->tdb_wnd > 0 && (tdb->tdb_flags & TDBF_NOREPLAY) == 0) {
		m_copydata(m, skip + sizeof(u_int32_t), sizeof(u_int32_t),
		    (unsigned char *) &btsx);
		btsx = ntohl(btsx);

		switch (checkreplaywindow32(btsx, 0, &(tdb->tdb_rpl),
		    tdb->tdb_wnd, &(tdb->tdb_bitmap), 0)) {
		case 0:
			/* Sequence number is acceptable. */
			break;

		case 1:
			m_freem(m);
			DPRINTF(("esp_input(): replay counter wrapped for SA %s/%08x\n", ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi)));
			espstat.esps_wrap++;
			return EACCES;

		case 2:
		case 3:
			DPRINTF(("esp_input(): duplicate packet received in SA %s/%08x\n", ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi)));
			m_freem(m);
			return EACCES;

		default:
			m_freem(m);
			DPRINTF(("esp_input(): bogus value from checkreplaywindow32() in SA %s/%08x\n", ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi)));
			espstat.esps_replay++;
			return EACCES;
		}
	}

	/* Account for the payload bytes (plen, computed above). */
	tdb->tdb_cur_bytes += plen;
	espstat.esps_ibytes += plen;

	/* Hard byte lifetime reached: report it, drop the SA and the packet. */
	if ((tdb->tdb_flags & TDBF_BYTES) != 0 &&
	    tdb->tdb_cur_bytes >= tdb->tdb_exp_bytes) {
		pfkeyv2_expire(tdb, SADB_EXT_LIFETIME_HARD);
		tdb_delete(tdb);
		m_freem(m);
		return ENXIO;
	}

	/* Soft byte lifetime reached: notify once, then stop checking. */
	if ((tdb->tdb_flags & TDBF_SOFT_BYTES) != 0 &&
	    tdb->tdb_cur_bytes >= tdb->tdb_soft_bytes) {
		pfkeyv2_expire(tdb, SADB_EXT_LIFETIME_SOFT);
		tdb->tdb_flags &= ~TDBF_SOFT_BYTES;
	}

	/*
	 * Look for a "crypto already done" tag that names this very SA
	 * (protocol, SPI and destination all equal).  mtag ends up NULL when
	 * there is none.
	 */
	mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_CRYPTO_DONE, NULL);
	while (mtag != NULL) {
		tdbi = (struct tdb_ident *) (mtag + 1);
		if (tdbi->proto == tdb->tdb_sproto &&
		    tdbi->spi == tdb->tdb_spi &&
		    !bcmp(&tdbi->dst, &tdb->tdb_dst,
		    sizeof(union sockaddr_union)))
			break;
		mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_CRYPTO_DONE, mtag);
	}

	/* One descriptor per transform in use. */
	crp = crypto_getreq(esph && espx ? 2 : 1);
	if (crp == NULL) {
		m_freem(m);
		DPRINTF(("esp_input(): failed to acquire crypto descriptors\n"));
		espstat.esps_crypto++;
		return ENOBUFS;
	}

	/*
	 * IPsec-specific opaque data for the callback.  When the
	 * authenticator still has to be verified in software, room for a
	 * copy of the received one is appended to the structure.
	 */
	tcsize = sizeof(struct tdb_crypto);
	if (esph != NULL && mtag == NULL)
		tcsize += alen;
	MALLOC(tc, struct tdb_crypto *, tcsize, M_XDATA, M_NOWAIT);
	if (tc == NULL) {
		m_freem(m);
		crypto_freereq(crp);
		DPRINTF(("esp_input(): failed to allocate tdb_crypto\n"));
		espstat.esps_crypto++;
		return ENOBUFS;
	}

	bzero(tc, sizeof(struct tdb_crypto));
	tc->tc_ptr = (caddr_t) mtag;

	if (esph == NULL) {
		/* No authentication: the only descriptor is for decryption. */
		crde = crp->crp_desc;
	} else {
		/* Authentication comes first, decryption (if any) second. */
		crda = crp->crp_desc;
		crde = crda->crd_next;

		/* Cover everything from the ESP header up to the authenticator. */
		crda->crd_skip = skip;
		crda->crd_len = m->m_pkthdr.len - (skip + alen);
		crda->crd_inject = m->m_pkthdr.len - alen;

		crda->crd_alg = esph->type;
		crda->crd_key = tdb->tdb_amxkey;
		crda->crd_klen = tdb->tdb_amxkeylen * 8;

		/*
		 * Keep the received authenticator right behind tc; the
		 * callback compares it with what is found at crd_inject.
		 */
		if (mtag == NULL)
			m_copydata(m, m->m_pkthdr.len - alen, alen,
			    (caddr_t) (tc + 1));
	}

	/* Crypto operation descriptor */
	crp->crp_ilen = m->m_pkthdr.len;	/* Total input length */
	crp->crp_flags = CRYPTO_F_IMBUF;
	crp->crp_buf = (caddr_t) m;
	crp->crp_callback = (int (*) (struct cryptop *)) esp_input_cb;
	crp->crp_sid = tdb->tdb_cryptoid;
	crp->crp_opaque = (caddr_t) tc;

	/*
	 * Passed as-is to the callback, which looks the TDB up again from
	 * SPI, destination and protocol instead of keeping a pointer to it.
	 */
	tc->tc_skip = skip;
	tc->tc_protoff = protoff;
	tc->tc_spi = tdb->tdb_spi;
	tc->tc_proto = tdb->tdb_sproto;
	bcopy(&tdb->tdb_dst, &tc->tc_dst, sizeof(union sockaddr_union));

	/* Decryption descriptor */
	if (espx != NULL) {
		crde->crd_skip = skip + hlen;
		crde->crd_len = m->m_pkthdr.len - (skip + hlen + alen);
		crde->crd_inject = skip + hlen - tdb->tdb_ivlen;

		if (tdb->tdb_flags & TDBF_HALFIV) {
			/* First half of the IV comes from the packet... */
			m_copydata(m, crde->crd_inject, tdb->tdb_ivlen,
			    crde->crd_iv);

			/* ...and the second half is its bitwise complement. */
			for (btsx = 0; btsx < tdb->tdb_ivlen; btsx++)
				crde->crd_iv[tdb->tdb_ivlen + btsx] =
				    ~crde->crd_iv[btsx];

			crde->crd_flags |= CRD_F_IV_EXPLICIT;
		}

		crde->crd_alg = espx->type;
		crde->crd_key = tdb->tdb_emxkey;
		crde->crd_klen = tdb->tdb_emxkeylen * 8;
		/* XXX Rounds ? */
	}

	/* With a matching tag the crypto is skipped and the callback runs now. */
	if (mtag != NULL)
		return esp_input_cb(crp);

	return crypto_dispatch(crp);
}
462
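/*
 * ESP input callback, called directly by the crypto driver (or by
 * esp_input() itself when the packet was tagged as already processed).
 *
 * <op> is the struct cryptop built by esp_input().  The TDB is looked up
 * again from the identity saved in the tdb_crypto, since it may have gone
 * away while the request was queued.  The callback then verifies the
 * authenticator (unless a tag says that was already done), commits the
 * replay-window update, strips the ESP header, IV, padding and
 * authenticator, restores the Next Protocol field and hands the packet to
 * ipsec_common_input_cb().
 *
 * The mbuf chain, the tdb_crypto and the crypto request are released on
 * every path except the EAGAIN re-dispatch.  Returns 0 or an errno value.
 */
int
esp_input_cb(void *op)
{
	u_int8_t lastthree[3], aalg[AH_HMAC_HASHLEN], mismatch;
	int i, s, hlen, roff, skip, protoff, error = 0;
	struct mbuf *m1, *mo, *m;
	struct auth_hash *esph;
	struct tdb_crypto *tc;
	struct cryptop *crp;
	struct m_tag *mtag;
	struct tdb *tdb;
	u_int32_t btsx;
	caddr_t ptr;

	crp = (struct cryptop *) op;

	tc = (struct tdb_crypto *) crp->crp_opaque;
	skip = tc->tc_skip;
	protoff = tc->tc_protoff;
	mtag = (struct m_tag *) tc->tc_ptr;

	m = (struct mbuf *) crp->crp_buf;
	if (m == NULL) {
		/* Shouldn't happen... */
		FREE(tc, M_XDATA);
		crypto_freereq(crp);
		espstat.esps_crypto++;
		DPRINTF(("esp_input_cb(): bogus returned buffer from crypto\n"));
		return (EINVAL);
	}

	s = spltdb();

	/* The SA may have been deleted while the request was in flight. */
	tdb = gettdb(tc->tc_spi, &tc->tc_dst, tc->tc_proto);
	if (tdb == NULL) {
		FREE(tc, M_XDATA);
		espstat.esps_notdb++;
		DPRINTF(("esp_input_cb(): TDB is expired while in crypto\n"));
		error = EPERM;
		goto baddone;
	}

	esph = (struct auth_hash *) tdb->tdb_authalgxform;

	/* Check for crypto errors */
	if (crp->crp_etype) {
		if (crp->crp_etype == EAGAIN) {
			/* Reset the session ID */
			if (tdb->tdb_cryptoid != 0)
				tdb->tdb_cryptoid = crp->crp_sid;
			splx(s);
			return crypto_dispatch(crp);
		}
		FREE(tc, M_XDATA);
		espstat.esps_noxform++;
		DPRINTF(("esp_input_cb(): crypto error %d\n", crp->crp_etype));
		error = crp->crp_etype;
		goto baddone;
	}

	/* If authentication was performed, check now. */
	if (esph != NULL) {
		/*
		 * If we have a tag, it means an IPsec-aware NIC did the
		 * verification for us.
		 */
		if (mtag == NULL) {
			/*
			 * Read the authenticator now at the tail of the
			 * packet.  aalg holds AH_HMAC_HASHLEN bytes;
			 * NOTE(review): assumes esph->authsize never exceeds
			 * that -- confirm for every auth_hash in use.
			 */
			m_copydata(m, m->m_pkthdr.len - esph->authsize,
			    esph->authsize, aalg);

			/* The copy esp_input() saved before the crypto ran. */
			ptr = (caddr_t) (tc + 1);

			/*
			 * Verify authenticator.  All bytes are always
			 * compared and the differences OR-ed together, so the
			 * time taken does not reveal how many leading bytes
			 * of a forged authenticator were correct (bcmp() may
			 * stop at the first mismatch).
			 */
			mismatch = 0;
			for (i = 0; i < esph->authsize; i++)
				mismatch |= (u_int8_t) ptr[i] ^ aalg[i];

			if (mismatch != 0) {
				FREE(tc, M_XDATA);
				DPRINTF(("esp_input_cb(): authentication failed for packet in SA %s/%08x\n", ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi)));
				espstat.esps_badauth++;
				error = EACCES;
				goto baddone;
			}
		}

		/* Remove trailing authenticator */
		m_adj(m, -(esph->authsize));
	}
	FREE(tc, M_XDATA);

	/*
	 * Replay window checking, if appropriate.  This time the last
	 * argument (commit) is 1, so the window is updated; it runs only
	 * after the authenticator check above has passed.
	 */
	if ((tdb->tdb_wnd > 0) && (!(tdb->tdb_flags & TDBF_NOREPLAY))) {
		m_copydata(m, skip + sizeof(u_int32_t), sizeof(u_int32_t),
		    (unsigned char *) &btsx);
		btsx = ntohl(btsx);

		switch (checkreplaywindow32(btsx, 0, &(tdb->tdb_rpl),
		    tdb->tdb_wnd, &(tdb->tdb_bitmap), 1)) {
		case 0: /* All's well */
			break;

		case 1:
			DPRINTF(("esp_input_cb(): replay counter wrapped for SA %s/%08x\n", ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi)));
			espstat.esps_wrap++;
			error = EACCES;
			goto baddone;

		case 2:
		case 3:
			DPRINTF(("esp_input_cb(): duplicate packet received in SA %s/%08x\n", ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi)));
			error = EACCES;
			goto baddone;

		default:
			DPRINTF(("esp_input_cb(): bogus value from checkreplaywindow32() in SA %s/%08x\n", ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi)));
			espstat.esps_replay++;
			error = EACCES;
			goto baddone;
		}
	}

	/*
	 * Release the crypto descriptors.  From here on the error paths
	 * return directly instead of going through baddone, which would
	 * free the request a second time.
	 */
	crypto_freereq(crp);

	/* Determine the ESP header length */
	if (tdb->tdb_flags & TDBF_NOREPLAY)
		hlen = sizeof(u_int32_t) + tdb->tdb_ivlen; /* "old" ESP */
	else
		hlen = 2 * sizeof(u_int32_t) + tdb->tdb_ivlen; /* "new" ESP */

	/* Find beginning of ESP header */
	m1 = m_getptr(m, skip, &roff);
	if (m1 == NULL) {
		espstat.esps_hdrops++;
		splx(s);
		DPRINTF(("esp_input_cb(): bad mbuf chain, SA %s/%08x\n",
		    ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi)));
		m_freem(m);
		return EINVAL;
	}

	/* Remove the ESP header and IV from the mbuf. */
	if (roff == 0) {
		/* The ESP header was conveniently at the beginning of the mbuf */
		m_adj(m1, hlen);
		if (!(m1->m_flags & M_PKTHDR))
			m->m_pkthdr.len -= hlen;
	} else if (roff + hlen >= m1->m_len) {
		/*
		 * Part or all of the ESP header is at the end of this mbuf, so
		 * first let's remove the remainder of the ESP header from the
		 * beginning of the remainder of the mbuf chain, if any.
		 */
		if (roff + hlen > m1->m_len) {
			/* Adjust the next mbuf by the remainder */
			m_adj(m1->m_next, roff + hlen - m1->m_len);

			/* The second mbuf is guaranteed not to have a pkthdr... */
			m->m_pkthdr.len -= (roff + hlen - m1->m_len);
		}

		/* Now, let's unlink the mbuf chain for a second...*/
		mo = m1->m_next;
		m1->m_next = NULL;

		/* ...and trim the end of the first part of the chain...sick */
		m_adj(m1, -(m1->m_len - roff));
		if (!(m1->m_flags & M_PKTHDR))
			m->m_pkthdr.len -= (m1->m_len - roff);

		/* Finally, let's relink */
		m1->m_next = mo;
	} else {
		/*
		 * The ESP header lies in the "middle" of the mbuf...do an
		 * overlapping copy of the remainder of the mbuf over the ESP
		 * header.
		 */
		bcopy(mtod(m1, u_char *) + roff + hlen,
		    mtod(m1, u_char *) + roff, m1->m_len - (roff + hlen));
		m1->m_len -= hlen;
		m->m_pkthdr.len -= hlen;
	}

	/*
	 * Save the last three bytes of decrypted data: last padding byte,
	 * pad length and Next Protocol, in that order.
	 */
	m_copydata(m, m->m_pkthdr.len - 3, 3, lastthree);

	/* Verify pad length: padding plus trailer must fit in the payload. */
	if (lastthree[1] + 2 > m->m_pkthdr.len - skip) {
		espstat.esps_badilen++;
		splx(s);
		DPRINTF(("esp_input_cb(): invalid padding length %d for packet in SA %s/%08x\n", lastthree[1], ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi)));
		m_freem(m);
		return EINVAL;
	}

	/*
	 * Verify correct decryption by checking the last padding bytes.
	 * With self-describing padding the last pad byte equals the pad
	 * length.  This is a sanity check on the decryption, not an
	 * integrity check: only the authenticator comparison above protects
	 * against modified ciphertext.
	 */
	if (!(tdb->tdb_flags & TDBF_RANDOMPADDING)) {
		if ((lastthree[1] != lastthree[0]) && (lastthree[1] != 0)) {
			espstat.esps_badenc++;
			splx(s);
			DPRINTF(("esp_input_cb(): decryption failed for packet in SA %s/%08x\n", ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi)));
			m_freem(m);
			return EINVAL;
		}
	}

	/* Trim the padding, the pad length and the Next Protocol bytes */
	m_adj(m, -(lastthree[1] + 2));

	/* Restore the Next Protocol field */
	m_copyback(m, protoff, sizeof(u_int8_t), lastthree + 2);

	/* Back to generic IPsec input processing */
	error = ipsec_common_input_cb(m, tdb, skip, protoff, mtag);
	splx(s);
	return (error);

 baddone:
	splx(s);

	if (m != NULL)
		m_freem(m);

	crypto_freereq(crp);

	return (error);
}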
692
/*
 * ESP output routine, called by ipsp_process_packet().
 *
 * Checks the resulting packet size and the byte lifetimes, makes sure the
 * mbuf chain can be written to, inserts the ESP header, appends padding
 * and room for the authenticator, and builds the crypto request.  The
 * request is dispatched unless TDBF_SKIPCRYPTO is set, in which case
 * esp_output_cb() is called directly.
 *
 * Returns 0 or an errno value.  <mp> is not used by this routine.
 *
 * NOTE(review): the outgoing sequence number is taken from tdb_rpl++ with
 * no check here for the 32-bit counter wrapping; presumably the SA
 * lifetimes are expected to retire the SA long before that -- confirm.
 */
int
esp_output(struct mbuf *m, struct tdb *tdb, struct mbuf **mp, int skip,
    int protoff)
{
	struct enc_xform *espx = (struct enc_xform *) tdb->tdb_encalgxform;
	struct auth_hash *esph = (struct auth_hash *) tdb->tdb_authalgxform;
	struct cryptodesc *crde = NULL, *crda = NULL;
	struct mbuf *mi, *mo = (struct mbuf *) NULL;
	int ilen, hlen, rlen, padding, blks, alen;
	struct tdb_crypto *tc;
	struct cryptop *crp;
	unsigned char *pad;
	u_int8_t prot;

#if NBPFILTER > 0
	{
		/*
		 * Show the cleartext packet to bpf listeners on the first
		 * enc interface, prefixed by an enchdr built on the stack.
		 */
		struct ifnet *ifn;
		struct enchdr hdr;
		struct mbuf m1;

		bzero (&hdr, sizeof(hdr));

		hdr.af = tdb->tdb_dst.sa.sa_family;
		hdr.spi = tdb->tdb_spi;
		if (espx)
			hdr.flags |= M_CONF;
		if (esph)
			hdr.flags |= M_AUTH;

		m1.m_flags = 0;
		m1.m_next = m;
		m1.m_len = ENC_HDRLEN;
		m1.m_data = (char *) &hdr;

		ifn = &(encif[0].sc_if);

		if (ifn->if_bpf)
			bpf_mtap(ifn->if_bpf, &m1);
	}
#endif

	/* ESP header: SPI [+ sequence number unless "old" ESP] + IV. */
	hlen = (tdb->tdb_flags & TDBF_NOREPLAY) ?
	    sizeof(u_int32_t) + tdb->tdb_ivlen :
	    2 * sizeof(u_int32_t) + tdb->tdb_ivlen;

	/* Raw payload length. */
	rlen = m->m_pkthdr.len - skip;

	/* Pad to the cipher block size, or to 4 bytes without encryption. */
	blks = espx ? espx->blocksize : 4;

	/* Padding plus the two trailer bytes (pad length, Next Protocol). */
	padding = ((blks - ((rlen + 2) % blks)) % blks) + 2;

	alen = esph ? AH_HMAC_HASHLEN : 0;

	espstat.esps_output++;

	/* Refuse to build a packet larger than the address family allows. */
	switch (tdb->tdb_dst.sa.sa_family) {
#ifdef INET
	case AF_INET:
		if (skip + hlen + rlen + padding + alen > IP_MAXPACKET) {
			DPRINTF(("esp_output(): packet in SA %s/%08x got too big\n",
			    ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi)));
			m_freem(m);
			espstat.esps_toobig++;
			return EMSGSIZE;
		}
		break;
#endif /* INET */

#ifdef INET6
	case AF_INET6:
		if (skip + hlen + rlen + padding + alen > IPV6_MAXPACKET) {
			DPRINTF(("esp_output(): packet in SA %s/%08x got too big\n",
			    ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi)));
			m_freem(m);
			espstat.esps_toobig++;
			return EMSGSIZE;
		}
		break;
#endif /* INET6 */

	default:
		DPRINTF(("esp_output(): unknown/unsupported protocol family %d, SA %s/%08x\n",
		    tdb->tdb_dst.sa.sa_family, ipsp_address(tdb->tdb_dst),
		    ntohl(tdb->tdb_spi)));
		m_freem(m);
		espstat.esps_nopf++;
		return EPFNOSUPPORT;
	}

	/* Account for the raw payload (rlen, computed above). */
	tdb->tdb_cur_bytes += rlen;
	espstat.esps_obytes += rlen;

	/* Hard byte lifetime reached: report it, drop the SA and the packet. */
	if ((tdb->tdb_flags & TDBF_BYTES) != 0 &&
	    tdb->tdb_cur_bytes >= tdb->tdb_exp_bytes) {
		pfkeyv2_expire(tdb, SADB_EXT_LIFETIME_HARD);
		tdb_delete(tdb);
		m_freem(m);
		return EINVAL;
	}

	/* Soft byte lifetime reached: notify once, then stop checking. */
	if ((tdb->tdb_flags & TDBF_SOFT_BYTES) != 0 &&
	    tdb->tdb_cur_bytes >= tdb->tdb_soft_bytes) {
		pfkeyv2_expire(tdb, SADB_EXT_LIFETIME_SOFT);
		tdb->tdb_flags &= ~TDBF_SOFT_BYTES;
	}

	/*
	 * Walk the chain up to the first M_EXT mbuf whose cluster has more
	 * than one reference; mo trails one mbuf behind mi.  Encrypting in
	 * place would otherwise scribble over data someone else still holds.
	 */
	for (mo = NULL, mi = m; mi != NULL; mo = mi, mi = mi->m_next)
		if ((mi->m_flags & M_EXT) && MCLISREFERENCED(mi))
			break;

	if (mi != NULL) {
		/* Replace the chain from mi onwards with a private copy. */
		struct mbuf *n = m_copym2(mi, 0, M_COPYALL, M_DONTWAIT);

		if (n == NULL) {
			DPRINTF(("esp_output(): bad mbuf chain, SA %s/%08x\n",
			    ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi)));
			espstat.esps_hdrops++;
			m_freem(m);
			return ENOBUFS;
		}

		if (mo == NULL)
			m = n;		/* the shared mbuf was the head */
		else
			mo->m_next = n;

		m_freem(mi);
	}

	/* Make room for the ESP header right after the IP header. */
	mo = m_inject(m, skip, hlen, M_DONTWAIT);
	if (mo == NULL) {
		DPRINTF(("esp_output(): failed to inject ESP header for SA %s/%08x\n",
		    ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi)));
		m_freem(m);
		espstat.esps_hdrops++;
		return ENOBUFS;
	}

	/* ESP header: SPI, then the sequence number for "new" ESP. */
	bcopy((caddr_t) &tdb->tdb_spi, mtod(mo, caddr_t), sizeof(u_int32_t));
	if ((tdb->tdb_flags & TDBF_NOREPLAY) == 0) {
		u_int32_t replay = htonl(tdb->tdb_rpl++);

		bcopy((caddr_t) &replay, mtod(mo, caddr_t) + sizeof(u_int32_t),
		    sizeof(u_int32_t));
	}

	/*
	 * Add padding -- better to do it ourselves than use the crypto engine,
	 * although if/when we support compression, we'd have to do that.
	 * The room for the authenticator is appended in the same call.
	 * m is not freed here when m_pad() fails; m_pad() disposes of the
	 * chain itself on its error paths.
	 */
	pad = (u_char *) m_pad(m, padding + alen);
	if (pad == NULL) {
		DPRINTF(("esp_output(): m_pad() failed for SA %s/%08x\n",
		    ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi)));
		return ENOBUFS;
	}

	/* Random padding, or the self-describing sequence 1, 2, 3, ... */
	if (tdb->tdb_flags & TDBF_RANDOMPADDING)
		get_random_bytes((void *) pad, padding - 2);
	else
		for (ilen = 0; ilen < padding - 2; ilen++)
			pad[ilen] = ilen + 1;

	/* Trailer: pad length, then the original Next Protocol value. */
	pad[padding - 2] = padding - 2;
	m_copydata(m, protoff, sizeof(u_int8_t), pad + padding - 1);

	/* The IPv4/IPv6 header now announces ESP as the next protocol. */
	prot = IPPROTO_ESP;
	m_copyback(m, protoff, sizeof(u_int8_t), &prot);

	/* One descriptor per transform in use. */
	crp = crypto_getreq(esph && espx ? 2 : 1);
	if (crp == NULL) {
		m_freem(m);
		DPRINTF(("esp_output(): failed to acquire crypto descriptors\n"));
		espstat.esps_crypto++;
		return ENOBUFS;
	}

	if (espx == NULL) {
		/* No encryption: the only descriptor is for authentication. */
		crda = crp->crp_desc;
	} else {
		/* Encryption comes first, authentication (if any) second. */
		crde = crp->crp_desc;
		crda = crde->crd_next;

		/* Encrypt everything between the IV and the authenticator. */
		crde->crd_skip = skip + hlen;
		crde->crd_len = m->m_pkthdr.len - (skip + hlen + alen);
		crde->crd_flags = CRD_F_ENCRYPT;
		crde->crd_inject = skip + hlen - tdb->tdb_ivlen;

		if (tdb->tdb_flags & TDBF_HALFIV) {
			/* The stored half-IV goes into the packet... */
			m_copyback(m, crde->crd_inject, tdb->tdb_ivlen,
			    tdb->tdb_iv);

			/*
			 * ...and the full IV is that half followed by its
			 * bitwise complement.
			 */
			bcopy(tdb->tdb_iv, crde->crd_iv, tdb->tdb_ivlen);
			for (ilen = 0; ilen < tdb->tdb_ivlen; ilen++)
				crde->crd_iv[tdb->tdb_ivlen + ilen] =
				    ~crde->crd_iv[ilen];

			crde->crd_flags |=
			    CRD_F_IV_PRESENT | CRD_F_IV_EXPLICIT;
		}

		/* Encryption operation. */
		crde->crd_alg = espx->type;
		crde->crd_key = tdb->tdb_emxkey;
		crde->crd_klen = tdb->tdb_emxkeylen * 8;
		/* XXX Rounds ? */
	}

	/* IPsec-specific opaque crypto info. */
	MALLOC(tc, struct tdb_crypto *, sizeof(struct tdb_crypto),
	    M_XDATA, M_NOWAIT);
	if (tc == NULL) {
		m_freem(m);
		crypto_freereq(crp);
		DPRINTF(("esp_output(): failed to allocate tdb_crypto\n"));
		espstat.esps_crypto++;
		return ENOBUFS;
	}

	/* The callback finds the TDB again from this identity. */
	bzero(tc, sizeof(struct tdb_crypto));
	tc->tc_spi = tdb->tdb_spi;
	tc->tc_proto = tdb->tdb_sproto;
	bcopy(&tdb->tdb_dst, &tc->tc_dst, sizeof(union sockaddr_union));

	/* Crypto operation descriptor. */
	crp->crp_ilen = m->m_pkthdr.len;	/* Total input length. */
	crp->crp_flags = CRYPTO_F_IMBUF;
	crp->crp_buf = (caddr_t) m;
	crp->crp_callback = (int (*) (struct cryptop *)) esp_output_cb;
	crp->crp_opaque = (caddr_t) tc;
	crp->crp_sid = tdb->tdb_cryptoid;

	if (esph != NULL) {
		/* Authenticate from the ESP header up to the authenticator. */
		crda->crd_skip = skip;
		crda->crd_len = m->m_pkthdr.len - (skip + alen);
		crda->crd_inject = m->m_pkthdr.len - alen;

		/* Authentication operation. */
		crda->crd_alg = esph->type;
		crda->crd_key = tdb->tdb_amxkey;
		crda->crd_klen = tdb->tdb_amxkeylen * 8;
	}

	/* TDBF_SKIPCRYPTO bypasses the crypto framework entirely. */
	if ((tdb->tdb_flags & TDBF_SKIPCRYPTO) != 0)
		return esp_output_cb(crp);

	return crypto_dispatch(crp);
}
977
/*
 * ESP output callback, called directly by the crypto driver (or by
 * esp_output() when TDBF_SKIPCRYPTO is set).
 *
 * <op> is the struct cryptop built by esp_output().  The TDB is looked up
 * again from the identity saved in the tdb_crypto; if it is gone, or the
 * crypto operation failed, the packet is dropped.  Otherwise the packet is
 * passed on to ipsp_process_done().
 *
 * The tdb_crypto and the crypto request are released on every path except
 * the EAGAIN re-dispatch.  Returns 0 or an errno value.
 */
int
esp_output_cb(void *op)
{
	struct cryptop *crp = (struct cryptop *) op;
	struct tdb_crypto *tc = (struct tdb_crypto *) crp->crp_opaque;
	struct mbuf *m = (struct mbuf *) crp->crp_buf;
	struct tdb *tdb;
	int s, error = 0;

	if (m == NULL) {
		/* Shouldn't happen... */
		FREE(tc, M_XDATA);
		crypto_freereq(crp);
		espstat.esps_crypto++;
		DPRINTF(("esp_output_cb(): bogus returned buffer from crypto\n"));
		return (EINVAL);
	}

	s = spltdb();

	/* The SA may have been deleted while the request was in flight. */
	tdb = gettdb(tc->tc_spi, &tc->tc_dst, tc->tc_proto);
	if (tdb == NULL) {
		FREE(tc, M_XDATA);
		espstat.esps_notdb++;
		DPRINTF(("esp_output_cb(): TDB is expired while in crypto\n"));
		error = EPERM;
		goto baddone;
	}

	/* Check for crypto errors. */
	if (crp->crp_etype != 0) {
		if (crp->crp_etype == EAGAIN) {
			/* Pick up the new session ID and try again. */
			if (tdb->tdb_cryptoid != 0)
				tdb->tdb_cryptoid = crp->crp_sid;
			splx(s);
			return crypto_dispatch(crp);
		}

		FREE(tc, M_XDATA);
		espstat.esps_noxform++;
		DPRINTF(("esp_output_cb(): crypto error %d\n", crp->crp_etype));
		error = crp->crp_etype;
		goto baddone;
	}

	/* Success: neither the opaque data nor the request is needed now. */
	FREE(tc, M_XDATA);
	crypto_freereq(crp);

	/*
	 * If we're doing half-iv, keep a copy of the last few bytes of the
	 * encrypted part, for use as the next IV. Note that HALF-IV is only
	 * supposed to be used without authentication (the old ESP specs).
	 * The next IV is therefore visible on the wire in this packet; that
	 * is a property of the old format, not something this code can fix.
	 */
	if ((tdb->tdb_flags & TDBF_HALFIV) != 0)
		m_copydata(m, m->m_pkthdr.len - tdb->tdb_ivlen,
		    tdb->tdb_ivlen, tdb->tdb_iv);

	/* Hand the finished packet to ipsp_process_done(). */
	error = ipsp_process_done(m, tdb);
	splx(s);
	return error;

 baddone:
	splx(s);

	if (m != NULL)
		m_freem(m);

	crypto_freereq(crp);

	return error;
}
1060
/*
 * Anti-replay check of sequence number <seq> against a sliding window of
 * <window> entries.  <*lastseq> is the highest sequence number accepted so
 * far and bit i of <*bitmap> records that sequence number (*lastseq - i)
 * has been seen.  <initial> is subtracted from both before comparing.
 *
 * With <commit> equal to 0 the check works on private copies and the
 * caller's state is left untouched; otherwise *lastseq and *bitmap are
 * updated for an accepted packet.  The espstat counters are incremented in
 * either mode.
 *
 * return 0 on success
 * return 1 for counter == 0
 * return 2 for very old packet
 * return 3 for packet within current window but already received
 *
 * NOTE(review): the shifts below are only defined for shift counts under
 * 32, so <window> is assumed not to exceed 32 -- confirm that whoever sets
 * tdb_wnd enforces this.
 */
int
checkreplaywindow32(u_int32_t seq, u_int32_t initial, u_int32_t *lastseq,
    u_int32_t window, u_int32_t *bitmap, int commit)
{
	u_int32_t scratch_seq, scratch_map;
	u_int32_t top, ahead, behind;

	/* Dry run: redirect all updates to local scratch copies. */
	if (!commit) {
		scratch_seq = *lastseq;
		scratch_map = *bitmap;

		lastseq = &scratch_seq;
		bitmap = &scratch_map;
	}

	seq -= initial;
	if (seq == 0)
		return 1;

	/* Right edge of the window, relative to <initial>. */
	top = *lastseq - initial;

	if (seq > top) {
		/*
		 * Newer than anything seen so far: slide the window forward
		 * and mark the new right edge as received.  A jump of a whole
		 * window or more starts from an empty bitmap.
		 */
		ahead = seq - top;
		*bitmap = (ahead < window) ? (((*bitmap) << ahead) | 1) : 1;
		*lastseq = seq + initial;
		return 0;
	}

	/* At or behind the right edge: how far behind? */
	behind = top - seq;
	if (behind >= window) {
		/* Fell off the left edge of the window. */
		espstat.esps_wrap++;
		return 2;
	}

	if (((*bitmap) & (((u_int32_t) 1) << behind)) != 0) {
		/* Inside the window and already marked as received. */
		espstat.esps_replay++;
		return 3;
	}

	/* Inside the window and new: mark it. */
	*bitmap |= (((u_int32_t) 1) << behind);
	return 0;
}
1111
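/*
 * m_pad(m, n) pads <m> with <n> bytes at the end.  The packet header
 * length is updated, and a pointer to the first byte of the padding
 * (which is guaranteed to be all in one mbuf) is returned.
 *
 * <n> must be positive and no larger than MLEN, since the padding may
 * have to go into a freshly allocated plain mbuf.
 *
 * On any failure the whole chain <m> is freed and NULL is returned; the
 * caller must not touch <m> afterwards.  The padding bytes themselves are
 * not initialized here.
 */

caddr_t
m_pad(struct mbuf *m, int n)
{
	struct mbuf *m0, *m1;
	int len, pad;
	caddr_t retval;

	if (n <= 0) {  /* No stupid arguments. */
		DPRINTF(("m_pad(): pad length invalid (%d)\n", n));
		m_freem(m);
		return NULL;
	}

	/*
	 * The padding has to be contiguous.  Anything larger than MLEN can
	 * fit neither in the tail mbuf's internal buffer nor in the new
	 * mbuf appended below, and would run past the end of it.
	 */
	if (n > MLEN) {
		DPRINTF(("m_pad(): pad length %d does not fit in one mbuf\n", n));
		m_freem(m);
		return NULL;
	}

	len = m->m_pkthdr.len;
	pad = n;
	m0 = m;

	/* Find the mbuf holding the last byte the packet header accounts for. */
	while (m0 != NULL && m0->m_len < len) {
		len -= m0->m_len;
		m0 = m0->m_next;
	}

	/* The chain ended before m_pkthdr.len bytes were found. */
	if (m0 == NULL) {
		DPRINTF(("m_pad(): mbuf chain shorter than packet header length (%d)\n",
		    m->m_pkthdr.len));
		m_freem(m);
		return NULL;
	}

	if (m0->m_len != len) {
		DPRINTF(("m_pad(): length mismatch (should be %d instead of "
		    "%d)\n", m->m_pkthdr.len,
		    m->m_pkthdr.len + m0->m_len - len));

		m_freem(m);
		return NULL;
	}

	/* Check for zero-length trailing mbufs, and find the last one. */
	for (m1 = m0; m1->m_next; m1 = m1->m_next) {
		if (m1->m_next->m_len != 0) {
			DPRINTF(("m_pad(): length mismatch (should be %d "
			    "instead of %d)\n", m->m_pkthdr.len,
			    m->m_pkthdr.len + m1->m_next->m_len));

			m_freem(m);
			return NULL;
		}

		m0 = m1->m_next;
	}

	/*
	 * Append a fresh mbuf when the tail uses external storage or has
	 * too little room left in its internal buffer.
	 */
	if ((m0->m_flags & M_EXT) ||
	    m0->m_data + m0->m_len + pad >= &(m0->m_dat[MLEN])) {
		/* Add an mbuf to the chain. */
		MGET(m1, M_DONTWAIT, MT_DATA);
		if (m1 == NULL) {
			/*
			 * Free the whole chain, as every other error path
			 * does.  Freeing only the tail (m0) would leave its
			 * predecessor pointing at freed memory and leak the
			 * head, which the caller no longer frees.
			 */
			m_freem(m);
			DPRINTF(("m_pad(): cannot append\n"));
			return NULL;
		}

		m0->m_next = m1;
		m0 = m1;
		m0->m_len = 0;
	}

	/* The padding starts right after the current data of the tail. */
	retval = m0->m_data + m0->m_len;
	m0->m_len += pad;
	m->m_pkthdr.len += pad;

	return retval;
}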
1184