xref: /freebsd/sys/netipsec/xform_ah.c (revision 3b8f08459569bf0faa21473e5cec2491e95c9349)
1 /*	$FreeBSD$	*/
2 /*	$OpenBSD: ip_ah.c,v 1.63 2001/06/26 06:18:58 angelos Exp $ */
3 /*-
4  * The authors of this code are John Ioannidis (ji@tla.org),
5  * Angelos D. Keromytis (kermit@csd.uch.gr) and
6  * Niels Provos (provos@physnet.uni-hamburg.de).
7  *
8  * The original version of this code was written by John Ioannidis
9  * for BSD/OS in Athens, Greece, in November 1995.
10  *
11  * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996,
12  * by Angelos D. Keromytis.
13  *
14  * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis
15  * and Niels Provos.
16  *
17  * Additional features in 1999 by Angelos D. Keromytis and Niklas Hallqvist.
18  *
19  * Copyright (c) 1995, 1996, 1997, 1998, 1999 by John Ioannidis,
20  * Angelos D. Keromytis and Niels Provos.
21  * Copyright (c) 1999 Niklas Hallqvist.
22  * Copyright (c) 2001 Angelos D. Keromytis.
23  *
24  * Permission to use, copy, and modify this software with or without fee
25  * is hereby granted, provided that this entire notice is included in
26  * all copies of any software which is or includes a copy or
27  * modification of this software.
28  * You may use this code under the GNU public license if you so wish. Please
29  * contribute changes back to the authors under this freer than GPL license
30  * so that we may further the use of strong encryption without limitations to
31  * all.
32  *
33  * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
34  * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY
35  * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
36  * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
37  * PURPOSE.
38  */
39 #include "opt_inet.h"
40 #include "opt_inet6.h"
41 
42 #include <sys/param.h>
43 #include <sys/systm.h>
44 #include <sys/mbuf.h>
45 #include <sys/socket.h>
46 #include <sys/syslog.h>
47 #include <sys/kernel.h>
48 #include <sys/lock.h>
49 #include <sys/rwlock.h>
50 #include <sys/sysctl.h>
51 
52 #include <net/if.h>
53 #include <net/vnet.h>
54 
55 #include <netinet/in.h>
56 #include <netinet/in_systm.h>
57 #include <netinet/ip.h>
58 #include <netinet/ip_ecn.h>
59 #include <netinet/ip6.h>
60 
61 #include <net/route.h>
62 #include <netipsec/ipsec.h>
63 #include <netipsec/ah.h>
64 #include <netipsec/ah_var.h>
65 #include <netipsec/xform.h>
66 
67 #ifdef INET6
68 #include <netinet6/ip6_var.h>
69 #include <netipsec/ipsec6.h>
70 #include <netinet6/ip6_ecn.h>
71 #endif
72 
73 #include <netipsec/key.h>
74 #include <netipsec/key_debug.h>
75 
76 #include <opencrypto/cryptodev.h>
77 
78 /*
79  * Return header size in bytes.  The old protocol did not support
80  * the replay counter; the new protocol always includes the counter.
81  */
82 #define HDRSIZE(sav) \
83 	(((sav)->flags & SADB_X_EXT_OLD) ? \
84 		sizeof (struct ah) : sizeof (struct ah) + sizeof (u_int32_t))
85 /*
86  * Return authenticator size in bytes.  The old protocol is known
87  * to use a fixed 16-byte authenticator.  The new algorithm use 12-byte
88  * authenticator.
89  */
90 #define	AUTHSIZE(sav)	ah_authsize(sav)
91 
92 VNET_DEFINE(int, ah_enable) = 1;	/* control flow of packets with AH */
93 VNET_DEFINE(int, ah_cleartos) = 1;	/* clear ip_tos when doing AH calc */
94 VNET_PCPUSTAT_DEFINE(struct ahstat, ahstat);
95 VNET_PCPUSTAT_SYSINIT(ahstat);
96 
97 #ifdef VIMAGE
98 VNET_PCPUSTAT_SYSUNINIT(ahstat);
99 #endif /* VIMAGE */
100 
101 #ifdef INET
102 SYSCTL_DECL(_net_inet_ah);
103 SYSCTL_VNET_INT(_net_inet_ah, OID_AUTO,
104 	ah_enable,	CTLFLAG_RW,	&VNET_NAME(ah_enable),	0, "");
105 SYSCTL_VNET_INT(_net_inet_ah, OID_AUTO,
106 	ah_cleartos,	CTLFLAG_RW,	&VNET_NAME(ah_cleartos), 0, "");
107 SYSCTL_VNET_PCPUSTAT(_net_inet_ah, IPSECCTL_STATS, stats, struct ahstat,
108     ahstat, "AH statistics (struct ahstat, netipsec/ah_var.h)");
109 #endif
110 
111 static unsigned char ipseczeroes[256];	/* larger than an ip6 extension hdr */
112 
113 static int ah_input_cb(struct cryptop*);
114 static int ah_output_cb(struct cryptop*);
115 
116 static int
117 ah_authsize(struct secasvar *sav)
118 {
119 
120 	IPSEC_ASSERT(sav != NULL, ("%s: sav == NULL", __func__));
121 
122 	if (sav->flags & SADB_X_EXT_OLD)
123 		return 16;
124 
125 	switch (sav->alg_auth) {
126 	case SADB_X_AALG_SHA2_256:
127 		return 16;
128 	case SADB_X_AALG_SHA2_384:
129 		return 24;
130 	case SADB_X_AALG_SHA2_512:
131 		return 32;
132 	default:
133 		return AH_HMAC_HASHLEN;
134 	}
135 	/* NOTREACHED */
136 }
137 /*
138  * NB: this is public for use by the PF_KEY support.
139  */
140 struct auth_hash *
141 ah_algorithm_lookup(int alg)
142 {
143 	if (alg > SADB_AALG_MAX)
144 		return NULL;
145 	switch (alg) {
146 	case SADB_X_AALG_NULL:
147 		return &auth_hash_null;
148 	case SADB_AALG_MD5HMAC:
149 		return &auth_hash_hmac_md5;
150 	case SADB_AALG_SHA1HMAC:
151 		return &auth_hash_hmac_sha1;
152 	case SADB_X_AALG_RIPEMD160HMAC:
153 		return &auth_hash_hmac_ripemd_160;
154 	case SADB_X_AALG_MD5:
155 		return &auth_hash_key_md5;
156 	case SADB_X_AALG_SHA:
157 		return &auth_hash_key_sha1;
158 	case SADB_X_AALG_SHA2_256:
159 		return &auth_hash_hmac_sha2_256;
160 	case SADB_X_AALG_SHA2_384:
161 		return &auth_hash_hmac_sha2_384;
162 	case SADB_X_AALG_SHA2_512:
163 		return &auth_hash_hmac_sha2_512;
164 	}
165 	return NULL;
166 }
167 
168 size_t
169 ah_hdrsiz(struct secasvar *sav)
170 {
171 	size_t size;
172 
173 	if (sav != NULL) {
174 		int authsize;
175 		IPSEC_ASSERT(sav->tdb_authalgxform != NULL, ("null xform"));
176 		/*XXX not right for null algorithm--does it matter??*/
177 		authsize = AUTHSIZE(sav);
178 		size = roundup(authsize, sizeof (u_int32_t)) + HDRSIZE(sav);
179 	} else {
180 		/* default guess */
181 		size = sizeof (struct ah) + sizeof (u_int32_t) + 16;
182 	}
183 	return size;
184 }
185 
186 /*
187  * NB: public for use by esp_init.
188  */
189 int
190 ah_init0(struct secasvar *sav, struct xformsw *xsp, struct cryptoini *cria)
191 {
192 	struct auth_hash *thash;
193 	int keylen;
194 
195 	thash = ah_algorithm_lookup(sav->alg_auth);
196 	if (thash == NULL) {
197 		DPRINTF(("%s: unsupported authentication algorithm %u\n",
198 			__func__, sav->alg_auth));
199 		return EINVAL;
200 	}
201 	/*
202 	 * Verify the replay state block allocation is consistent with
203 	 * the protocol type.  We check here so we can make assumptions
204 	 * later during protocol processing.
205 	 */
206 	/* NB: replay state is setup elsewhere (sigh) */
207 	if (((sav->flags&SADB_X_EXT_OLD) == 0) ^ (sav->replay != NULL)) {
208 		DPRINTF(("%s: replay state block inconsistency, "
209 			"%s algorithm %s replay state\n", __func__,
210 			(sav->flags & SADB_X_EXT_OLD) ? "old" : "new",
211 			sav->replay == NULL ? "without" : "with"));
212 		return EINVAL;
213 	}
214 	if (sav->key_auth == NULL) {
215 		DPRINTF(("%s: no authentication key for %s algorithm\n",
216 			__func__, thash->name));
217 		return EINVAL;
218 	}
219 	keylen = _KEYLEN(sav->key_auth);
220 	if (keylen != thash->keysize && thash->keysize != 0) {
221 		DPRINTF(("%s: invalid keylength %d, algorithm %s requires "
222 			"keysize %d\n", __func__,
223 			 keylen, thash->name, thash->keysize));
224 		return EINVAL;
225 	}
226 
227 	sav->tdb_xform = xsp;
228 	sav->tdb_authalgxform = thash;
229 
230 	/* Initialize crypto session. */
231 	bzero(cria, sizeof (*cria));
232 	cria->cri_alg = sav->tdb_authalgxform->type;
233 	cria->cri_klen = _KEYBITS(sav->key_auth);
234 	cria->cri_key = sav->key_auth->key_data;
235 	cria->cri_mlen = AUTHSIZE(sav);
236 
237 	return 0;
238 }
239 
240 /*
241  * ah_init() is called when an SPI is being set up.
242  */
243 static int
244 ah_init(struct secasvar *sav, struct xformsw *xsp)
245 {
246 	struct cryptoini cria;
247 	int error;
248 
249 	error = ah_init0(sav, xsp, &cria);
250 	return error ? error :
251 		 crypto_newsession(&sav->tdb_cryptoid, &cria, V_crypto_support);
252 }
253 
254 /*
255  * Paranoia.
256  *
257  * NB: public for use by esp_zeroize (XXX).
258  */
259 int
260 ah_zeroize(struct secasvar *sav)
261 {
262 	int err;
263 
264 	if (sav->key_auth)
265 		bzero(sav->key_auth->key_data, _KEYLEN(sav->key_auth));
266 
267 	err = crypto_freesession(sav->tdb_cryptoid);
268 	sav->tdb_cryptoid = 0;
269 	sav->tdb_authalgxform = NULL;
270 	sav->tdb_xform = NULL;
271 	return err;
272 }
273 
274 /*
275  * Massage IPv4/IPv6 headers for AH processing.
276  */
277 static int
278 ah_massage_headers(struct mbuf **m0, int proto, int skip, int alg, int out)
279 {
280 	struct mbuf *m = *m0;
281 	unsigned char *ptr;
282 	int off, count;
283 
284 #ifdef INET
285 	struct ip *ip;
286 #endif /* INET */
287 
288 #ifdef INET6
289 	struct ip6_ext *ip6e;
290 	struct ip6_hdr ip6;
291 	int alloc, len, ad;
292 #endif /* INET6 */
293 
294 	switch (proto) {
295 #ifdef INET
296 	case AF_INET:
297 		/*
298 		 * This is the least painful way of dealing with IPv4 header
299 		 * and option processing -- just make sure they're in
300 		 * contiguous memory.
301 		 */
302 		*m0 = m = m_pullup(m, skip);
303 		if (m == NULL) {
304 			DPRINTF(("%s: m_pullup failed\n", __func__));
305 			return ENOBUFS;
306 		}
307 
308 		/* Fix the IP header */
309 		ip = mtod(m, struct ip *);
310 		if (V_ah_cleartos)
311 			ip->ip_tos = 0;
312 		ip->ip_ttl = 0;
313 		ip->ip_sum = 0;
314 
315 		if (alg == CRYPTO_MD5_KPDK || alg == CRYPTO_SHA1_KPDK)
316 			ip->ip_off &= htons(IP_DF);
317 		else
318 			ip->ip_off = htons(0);
319 
320 		ptr = mtod(m, unsigned char *) + sizeof(struct ip);
321 
322 		/* IPv4 option processing */
323 		for (off = sizeof(struct ip); off < skip;) {
324 			if (ptr[off] == IPOPT_EOL || ptr[off] == IPOPT_NOP ||
325 			    off + 1 < skip)
326 				;
327 			else {
328 				DPRINTF(("%s: illegal IPv4 option length for "
329 					"option %d\n", __func__, ptr[off]));
330 
331 				m_freem(m);
332 				return EINVAL;
333 			}
334 
335 			switch (ptr[off]) {
336 			case IPOPT_EOL:
337 				off = skip;  /* End the loop. */
338 				break;
339 
340 			case IPOPT_NOP:
341 				off++;
342 				break;
343 
344 			case IPOPT_SECURITY:	/* 0x82 */
345 			case 0x85:	/* Extended security. */
346 			case 0x86:	/* Commercial security. */
347 			case 0x94:	/* Router alert */
348 			case 0x95:	/* RFC1770 */
349 				/* Sanity check for option length. */
350 				if (ptr[off + 1] < 2) {
351 					DPRINTF(("%s: illegal IPv4 option "
352 						"length for option %d\n",
353 						__func__, ptr[off]));
354 
355 					m_freem(m);
356 					return EINVAL;
357 				}
358 
359 				off += ptr[off + 1];
360 				break;
361 
362 			case IPOPT_LSRR:
363 			case IPOPT_SSRR:
364 				/* Sanity check for option length. */
365 				if (ptr[off + 1] < 2) {
366 					DPRINTF(("%s: illegal IPv4 option "
367 						"length for option %d\n",
368 						__func__, ptr[off]));
369 
370 					m_freem(m);
371 					return EINVAL;
372 				}
373 
374 				/*
375 				 * On output, if we have either of the
376 				 * source routing options, we should
377 				 * swap the destination address of the
378 				 * IP header with the last address
379 				 * specified in the option, as that is
380 				 * what the destination's IP header
381 				 * will look like.
382 				 */
383 				if (out)
384 					bcopy(ptr + off + ptr[off + 1] -
385 					    sizeof(struct in_addr),
386 					    &(ip->ip_dst), sizeof(struct in_addr));
387 
388 				/* Fall through */
389 			default:
390 				/* Sanity check for option length. */
391 				if (ptr[off + 1] < 2) {
392 					DPRINTF(("%s: illegal IPv4 option "
393 						"length for option %d\n",
394 						__func__, ptr[off]));
395 					m_freem(m);
396 					return EINVAL;
397 				}
398 
399 				/* Zeroize all other options. */
400 				count = ptr[off + 1];
401 				bcopy(ipseczeroes, ptr, count);
402 				off += count;
403 				break;
404 			}
405 
406 			/* Sanity check. */
407 			if (off > skip)	{
408 				DPRINTF(("%s: malformed IPv4 options header\n",
409 					__func__));
410 
411 				m_freem(m);
412 				return EINVAL;
413 			}
414 		}
415 
416 		break;
417 #endif /* INET */
418 
419 #ifdef INET6
420 	case AF_INET6:  /* Ugly... */
421 		/* Copy and "cook" the IPv6 header. */
422 		m_copydata(m, 0, sizeof(ip6), (caddr_t) &ip6);
423 
424 		/* We don't do IPv6 Jumbograms. */
425 		if (ip6.ip6_plen == 0) {
426 			DPRINTF(("%s: unsupported IPv6 jumbogram\n", __func__));
427 			m_freem(m);
428 			return EMSGSIZE;
429 		}
430 
431 		ip6.ip6_flow = 0;
432 		ip6.ip6_hlim = 0;
433 		ip6.ip6_vfc &= ~IPV6_VERSION_MASK;
434 		ip6.ip6_vfc |= IPV6_VERSION;
435 
436 		/* Scoped address handling. */
437 		if (IN6_IS_SCOPE_LINKLOCAL(&ip6.ip6_src))
438 			ip6.ip6_src.s6_addr16[1] = 0;
439 		if (IN6_IS_SCOPE_LINKLOCAL(&ip6.ip6_dst))
440 			ip6.ip6_dst.s6_addr16[1] = 0;
441 
442 		/* Done with IPv6 header. */
443 		m_copyback(m, 0, sizeof(struct ip6_hdr), (caddr_t) &ip6);
444 
445 		/* Let's deal with the remaining headers (if any). */
446 		if (skip - sizeof(struct ip6_hdr) > 0) {
447 			if (m->m_len <= skip) {
448 				ptr = (unsigned char *) malloc(
449 				    skip - sizeof(struct ip6_hdr),
450 				    M_XDATA, M_NOWAIT);
451 				if (ptr == NULL) {
452 					DPRINTF(("%s: failed to allocate memory"
453 						"for IPv6 headers\n",__func__));
454 					m_freem(m);
455 					return ENOBUFS;
456 				}
457 
458 				/*
459 				 * Copy all the protocol headers after
460 				 * the IPv6 header.
461 				 */
462 				m_copydata(m, sizeof(struct ip6_hdr),
463 				    skip - sizeof(struct ip6_hdr), ptr);
464 				alloc = 1;
465 			} else {
466 				/* No need to allocate memory. */
467 				ptr = mtod(m, unsigned char *) +
468 				    sizeof(struct ip6_hdr);
469 				alloc = 0;
470 			}
471 		} else
472 			break;
473 
474 		off = ip6.ip6_nxt & 0xff; /* Next header type. */
475 
476 		for (len = 0; len < skip - sizeof(struct ip6_hdr);)
477 			switch (off) {
478 			case IPPROTO_HOPOPTS:
479 			case IPPROTO_DSTOPTS:
480 				ip6e = (struct ip6_ext *) (ptr + len);
481 
482 				/*
483 				 * Process the mutable/immutable
484 				 * options -- borrows heavily from the
485 				 * KAME code.
486 				 */
487 				for (count = len + sizeof(struct ip6_ext);
488 				     count < len + ((ip6e->ip6e_len + 1) << 3);) {
489 					if (ptr[count] == IP6OPT_PAD1) {
490 						count++;
491 						continue; /* Skip padding. */
492 					}
493 
494 					/* Sanity check. */
495 					if (count > len +
496 					    ((ip6e->ip6e_len + 1) << 3)) {
497 						m_freem(m);
498 
499 						/* Free, if we allocated. */
500 						if (alloc)
501 							free(ptr, M_XDATA);
502 						return EINVAL;
503 					}
504 
505 					ad = ptr[count + 1];
506 
507 					/* If mutable option, zeroize. */
508 					if (ptr[count] & IP6OPT_MUTABLE)
509 						bcopy(ipseczeroes, ptr + count,
510 						    ptr[count + 1]);
511 
512 					count += ad;
513 
514 					/* Sanity check. */
515 					if (count >
516 					    skip - sizeof(struct ip6_hdr)) {
517 						m_freem(m);
518 
519 						/* Free, if we allocated. */
520 						if (alloc)
521 							free(ptr, M_XDATA);
522 						return EINVAL;
523 					}
524 				}
525 
526 				/* Advance. */
527 				len += ((ip6e->ip6e_len + 1) << 3);
528 				off = ip6e->ip6e_nxt;
529 				break;
530 
531 			case IPPROTO_ROUTING:
532 				/*
533 				 * Always include routing headers in
534 				 * computation.
535 				 */
536 				ip6e = (struct ip6_ext *) (ptr + len);
537 				len += ((ip6e->ip6e_len + 1) << 3);
538 				off = ip6e->ip6e_nxt;
539 				break;
540 
541 			default:
542 				DPRINTF(("%s: unexpected IPv6 header type %d",
543 					__func__, off));
544 				if (alloc)
545 					free(ptr, M_XDATA);
546 				m_freem(m);
547 				return EINVAL;
548 			}
549 
550 		/* Copyback and free, if we allocated. */
551 		if (alloc) {
552 			m_copyback(m, sizeof(struct ip6_hdr),
553 			    skip - sizeof(struct ip6_hdr), ptr);
554 			free(ptr, M_XDATA);
555 		}
556 
557 		break;
558 #endif /* INET6 */
559 	}
560 
561 	return 0;
562 }
563 
564 /*
565  * ah_input() gets called to verify that an input packet
566  * passes authentication.
567  */
568 static int
569 ah_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
570 {
571 	struct auth_hash *ahx;
572 	struct tdb_ident *tdbi;
573 	struct tdb_crypto *tc;
574 	struct m_tag *mtag;
575 	struct newah *ah;
576 	int hl, rplen, authsize;
577 
578 	struct cryptodesc *crda;
579 	struct cryptop *crp;
580 
581 	IPSEC_ASSERT(sav != NULL, ("null SA"));
582 	IPSEC_ASSERT(sav->key_auth != NULL, ("null authentication key"));
583 	IPSEC_ASSERT(sav->tdb_authalgxform != NULL,
584 		("null authentication xform"));
585 
586 	/* Figure out header size. */
587 	rplen = HDRSIZE(sav);
588 
589 	/* XXX don't pullup, just copy header */
590 	IP6_EXTHDR_GET(ah, struct newah *, m, skip, rplen);
591 	if (ah == NULL) {
592 		DPRINTF(("ah_input: cannot pullup header\n"));
593 		AHSTAT_INC(ahs_hdrops);		/*XXX*/
594 		m_freem(m);
595 		return ENOBUFS;
596 	}
597 
598 	/* Check replay window, if applicable. */
599 	if (sav->replay && !ipsec_chkreplay(ntohl(ah->ah_seq), sav)) {
600 		AHSTAT_INC(ahs_replay);
601 		DPRINTF(("%s: packet replay failure: %s\n", __func__,
602 			  ipsec_logsastr(sav)));
603 		m_freem(m);
604 		return ENOBUFS;
605 	}
606 
607 	/* Verify AH header length. */
608 	hl = ah->ah_len * sizeof (u_int32_t);
609 	ahx = sav->tdb_authalgxform;
610 	authsize = AUTHSIZE(sav);
611 	if (hl != authsize + rplen - sizeof (struct ah)) {
612 		DPRINTF(("%s: bad authenticator length %u (expecting %lu)"
613 			" for packet in SA %s/%08lx\n", __func__,
614 			hl, (u_long) (authsize + rplen - sizeof (struct ah)),
615 			ipsec_address(&sav->sah->saidx.dst),
616 			(u_long) ntohl(sav->spi)));
617 		AHSTAT_INC(ahs_badauthl);
618 		m_freem(m);
619 		return EACCES;
620 	}
621 	AHSTAT_ADD(ahs_ibytes, m->m_pkthdr.len - skip - hl);
622 
623 	/* Get crypto descriptors. */
624 	crp = crypto_getreq(1);
625 	if (crp == NULL) {
626 		DPRINTF(("%s: failed to acquire crypto descriptor\n",__func__));
627 		AHSTAT_INC(ahs_crypto);
628 		m_freem(m);
629 		return ENOBUFS;
630 	}
631 
632 	crda = crp->crp_desc;
633 	IPSEC_ASSERT(crda != NULL, ("null crypto descriptor"));
634 
635 	crda->crd_skip = 0;
636 	crda->crd_len = m->m_pkthdr.len;
637 	crda->crd_inject = skip + rplen;
638 
639 	/* Authentication operation. */
640 	crda->crd_alg = ahx->type;
641 	crda->crd_klen = _KEYBITS(sav->key_auth);
642 	crda->crd_key = sav->key_auth->key_data;
643 
644 	/* Find out if we've already done crypto. */
645 	for (mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_CRYPTO_DONE, NULL);
646 	     mtag != NULL;
647 	     mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_CRYPTO_DONE, mtag)) {
648 		tdbi = (struct tdb_ident *) (mtag + 1);
649 		if (tdbi->proto == sav->sah->saidx.proto &&
650 		    tdbi->spi == sav->spi &&
651 		    !bcmp(&tdbi->dst, &sav->sah->saidx.dst,
652 			  sizeof (union sockaddr_union)))
653 			break;
654 	}
655 
656 	/* Allocate IPsec-specific opaque crypto info. */
657 	if (mtag == NULL) {
658 		tc = (struct tdb_crypto *) malloc(sizeof (struct tdb_crypto) +
659 			skip + rplen + authsize, M_XDATA, M_NOWAIT|M_ZERO);
660 	} else {
661 		/* Hash verification has already been done successfully. */
662 		tc = (struct tdb_crypto *) malloc(sizeof (struct tdb_crypto),
663 						    M_XDATA, M_NOWAIT|M_ZERO);
664 	}
665 	if (tc == NULL) {
666 		DPRINTF(("%s: failed to allocate tdb_crypto\n", __func__));
667 		AHSTAT_INC(ahs_crypto);
668 		crypto_freereq(crp);
669 		m_freem(m);
670 		return ENOBUFS;
671 	}
672 
673 	/* Only save information if crypto processing is needed. */
674 	if (mtag == NULL) {
675 		int error;
676 
677 		/*
678 		 * Save the authenticator, the skipped portion of the packet,
679 		 * and the AH header.
680 		 */
681 		m_copydata(m, 0, skip + rplen + authsize, (caddr_t)(tc+1));
682 
683 		/* Zeroize the authenticator on the packet. */
684 		m_copyback(m, skip + rplen, authsize, ipseczeroes);
685 
686 		/* "Massage" the packet headers for crypto processing. */
687 		error = ah_massage_headers(&m, sav->sah->saidx.dst.sa.sa_family,
688 		    skip, ahx->type, 0);
689 		if (error != 0) {
690 			/* NB: mbuf is free'd by ah_massage_headers */
691 			AHSTAT_INC(ahs_hdrops);
692 			free(tc, M_XDATA);
693 			crypto_freereq(crp);
694 			return error;
695 		}
696 	}
697 
698 	/* Crypto operation descriptor. */
699 	crp->crp_ilen = m->m_pkthdr.len; /* Total input length. */
700 	crp->crp_flags = CRYPTO_F_IMBUF | CRYPTO_F_CBIFSYNC;
701 	crp->crp_buf = (caddr_t) m;
702 	crp->crp_callback = ah_input_cb;
703 	crp->crp_sid = sav->tdb_cryptoid;
704 	crp->crp_opaque = (caddr_t) tc;
705 
706 	/* These are passed as-is to the callback. */
707 	tc->tc_spi = sav->spi;
708 	tc->tc_dst = sav->sah->saidx.dst;
709 	tc->tc_proto = sav->sah->saidx.proto;
710 	tc->tc_nxt = ah->ah_nxt;
711 	tc->tc_protoff = protoff;
712 	tc->tc_skip = skip;
713 	tc->tc_ptr = (caddr_t) mtag; /* Save the mtag we've identified. */
714 	KEY_ADDREFSA(sav);
715 	tc->tc_sav = sav;
716 
717 	if (mtag == NULL)
718 		return crypto_dispatch(crp);
719 	else
720 		return ah_input_cb(crp);
721 }
722 
723 /*
724  * AH input callback from the crypto driver.
725  */
726 static int
727 ah_input_cb(struct cryptop *crp)
728 {
729 	int rplen, error, skip, protoff;
730 	unsigned char calc[AH_ALEN_MAX];
731 	struct mbuf *m;
732 	struct cryptodesc *crd;
733 	struct auth_hash *ahx;
734 	struct tdb_crypto *tc;
735 	struct m_tag *mtag;
736 	struct secasvar *sav;
737 	struct secasindex *saidx;
738 	u_int8_t nxt;
739 	caddr_t ptr;
740 	int authsize;
741 
742 	crd = crp->crp_desc;
743 
744 	tc = (struct tdb_crypto *) crp->crp_opaque;
745 	IPSEC_ASSERT(tc != NULL, ("null opaque crypto data area!"));
746 	skip = tc->tc_skip;
747 	nxt = tc->tc_nxt;
748 	protoff = tc->tc_protoff;
749 	mtag = (struct m_tag *) tc->tc_ptr;
750 	m = (struct mbuf *) crp->crp_buf;
751 
752 	sav = tc->tc_sav;
753 	IPSEC_ASSERT(sav != NULL, ("null SA!"));
754 
755 	saidx = &sav->sah->saidx;
756 	IPSEC_ASSERT(saidx->dst.sa.sa_family == AF_INET ||
757 		saidx->dst.sa.sa_family == AF_INET6,
758 		("unexpected protocol family %u", saidx->dst.sa.sa_family));
759 
760 	ahx = (struct auth_hash *) sav->tdb_authalgxform;
761 
762 	/* Check for crypto errors. */
763 	if (crp->crp_etype) {
764 		if (sav->tdb_cryptoid != 0)
765 			sav->tdb_cryptoid = crp->crp_sid;
766 
767 		if (crp->crp_etype == EAGAIN)
768 			return (crypto_dispatch(crp));
769 
770 		AHSTAT_INC(ahs_noxform);
771 		DPRINTF(("%s: crypto error %d\n", __func__, crp->crp_etype));
772 		error = crp->crp_etype;
773 		goto bad;
774 	} else {
775 		AHSTAT_INC(ahs_hist[sav->alg_auth]);
776 		crypto_freereq(crp);		/* No longer needed. */
777 		crp = NULL;
778 	}
779 
780 	/* Shouldn't happen... */
781 	if (m == NULL) {
782 		AHSTAT_INC(ahs_crypto);
783 		DPRINTF(("%s: bogus returned buffer from crypto\n", __func__));
784 		error = EINVAL;
785 		goto bad;
786 	}
787 
788 	/* Figure out header size. */
789 	rplen = HDRSIZE(sav);
790 	authsize = AUTHSIZE(sav);
791 
792 	/* Copy authenticator off the packet. */
793 	m_copydata(m, skip + rplen, authsize, calc);
794 
795 	/*
796 	 * If we have an mtag, we don't need to verify the authenticator --
797 	 * it has been verified by an IPsec-aware NIC.
798 	 */
799 	if (mtag == NULL) {
800 		ptr = (caddr_t) (tc + 1);
801 
802 		/* Verify authenticator. */
803 		if (bcmp(ptr + skip + rplen, calc, authsize)) {
804 			DPRINTF(("%s: authentication hash mismatch for packet "
805 			    "in SA %s/%08lx\n", __func__,
806 			    ipsec_address(&saidx->dst),
807 			    (u_long) ntohl(sav->spi)));
808 			AHSTAT_INC(ahs_badauth);
809 			error = EACCES;
810 			goto bad;
811 		}
812 
813 		/* Fix the Next Protocol field. */
814 		((u_int8_t *) ptr)[protoff] = nxt;
815 
816 		/* Copyback the saved (uncooked) network headers. */
817 		m_copyback(m, 0, skip, ptr);
818 	} else {
819 		/* Fix the Next Protocol field. */
820 		m_copyback(m, protoff, sizeof(u_int8_t), &nxt);
821 	}
822 
823 	free(tc, M_XDATA), tc = NULL;			/* No longer needed */
824 
825 	/*
826 	 * Header is now authenticated.
827 	 */
828 	m->m_flags |= M_AUTHIPHDR|M_AUTHIPDGM;
829 
830 	/*
831 	 * Update replay sequence number, if appropriate.
832 	 */
833 	if (sav->replay) {
834 		u_int32_t seq;
835 
836 		m_copydata(m, skip + offsetof(struct newah, ah_seq),
837 			   sizeof (seq), (caddr_t) &seq);
838 		if (ipsec_updatereplay(ntohl(seq), sav)) {
839 			AHSTAT_INC(ahs_replay);
840 			error = ENOBUFS;			/*XXX as above*/
841 			goto bad;
842 		}
843 	}
844 
845 	/*
846 	 * Remove the AH header and authenticator from the mbuf.
847 	 */
848 	error = m_striphdr(m, skip, rplen + authsize);
849 	if (error) {
850 		DPRINTF(("%s: mangled mbuf chain for SA %s/%08lx\n", __func__,
851 		    ipsec_address(&saidx->dst), (u_long) ntohl(sav->spi)));
852 
853 		AHSTAT_INC(ahs_hdrops);
854 		goto bad;
855 	}
856 
857 	switch (saidx->dst.sa.sa_family) {
858 #ifdef INET6
859 	case AF_INET6:
860 		error = ipsec6_common_input_cb(m, sav, skip, protoff, mtag);
861 		break;
862 #endif
863 #ifdef INET
864 	case AF_INET:
865 		error = ipsec4_common_input_cb(m, sav, skip, protoff, mtag);
866 		break;
867 #endif
868 	default:
869 		panic("%s: Unexpected address family: %d saidx=%p", __func__,
870 		    saidx->dst.sa.sa_family, saidx);
871 	}
872 
873 	KEY_FREESAV(&sav);
874 	return error;
875 bad:
876 	if (sav)
877 		KEY_FREESAV(&sav);
878 	if (m != NULL)
879 		m_freem(m);
880 	if (tc != NULL)
881 		free(tc, M_XDATA);
882 	if (crp != NULL)
883 		crypto_freereq(crp);
884 	return error;
885 }
886 
887 /*
888  * AH output routine, called by ipsec[46]_process_packet().
889  */
890 static int
891 ah_output(
892 	struct mbuf *m,
893 	struct ipsecrequest *isr,
894 	struct mbuf **mp,
895 	int skip,
896 	int protoff)
897 {
898 	struct secasvar *sav;
899 	struct auth_hash *ahx;
900 	struct cryptodesc *crda;
901 	struct tdb_crypto *tc;
902 	struct mbuf *mi;
903 	struct cryptop *crp;
904 	u_int16_t iplen;
905 	int error, rplen, authsize, maxpacketsize, roff;
906 	u_int8_t prot;
907 	struct newah *ah;
908 
909 	sav = isr->sav;
910 	IPSEC_ASSERT(sav != NULL, ("null SA"));
911 	ahx = sav->tdb_authalgxform;
912 	IPSEC_ASSERT(ahx != NULL, ("null authentication xform"));
913 
914 	AHSTAT_INC(ahs_output);
915 
916 	/* Figure out header size. */
917 	rplen = HDRSIZE(sav);
918 
919 	/* Check for maximum packet size violations. */
920 	switch (sav->sah->saidx.dst.sa.sa_family) {
921 #ifdef INET
922 	case AF_INET:
923 		maxpacketsize = IP_MAXPACKET;
924 		break;
925 #endif /* INET */
926 #ifdef INET6
927 	case AF_INET6:
928 		maxpacketsize = IPV6_MAXPACKET;
929 		break;
930 #endif /* INET6 */
931 	default:
932 		DPRINTF(("%s: unknown/unsupported protocol family %u, "
933 		    "SA %s/%08lx\n", __func__,
934 		    sav->sah->saidx.dst.sa.sa_family,
935 		    ipsec_address(&sav->sah->saidx.dst),
936 		    (u_long) ntohl(sav->spi)));
937 		AHSTAT_INC(ahs_nopf);
938 		error = EPFNOSUPPORT;
939 		goto bad;
940 	}
941 	authsize = AUTHSIZE(sav);
942 	if (rplen + authsize + m->m_pkthdr.len > maxpacketsize) {
943 		DPRINTF(("%s: packet in SA %s/%08lx got too big "
944 		    "(len %u, max len %u)\n", __func__,
945 		    ipsec_address(&sav->sah->saidx.dst),
946 		    (u_long) ntohl(sav->spi),
947 		    rplen + authsize + m->m_pkthdr.len, maxpacketsize));
948 		AHSTAT_INC(ahs_toobig);
949 		error = EMSGSIZE;
950 		goto bad;
951 	}
952 
953 	/* Update the counters. */
954 	AHSTAT_ADD(ahs_obytes, m->m_pkthdr.len - skip);
955 
956 	m = m_unshare(m, M_NOWAIT);
957 	if (m == NULL) {
958 		DPRINTF(("%s: cannot clone mbuf chain, SA %s/%08lx\n", __func__,
959 		    ipsec_address(&sav->sah->saidx.dst),
960 		    (u_long) ntohl(sav->spi)));
961 		AHSTAT_INC(ahs_hdrops);
962 		error = ENOBUFS;
963 		goto bad;
964 	}
965 
966 	/* Inject AH header. */
967 	mi = m_makespace(m, skip, rplen + authsize, &roff);
968 	if (mi == NULL) {
969 		DPRINTF(("%s: failed to inject %u byte AH header for SA "
970 		    "%s/%08lx\n", __func__,
971 		    rplen + authsize,
972 		    ipsec_address(&sav->sah->saidx.dst),
973 		    (u_long) ntohl(sav->spi)));
974 		AHSTAT_INC(ahs_hdrops);		/*XXX differs from openbsd */
975 		error = ENOBUFS;
976 		goto bad;
977 	}
978 
979 	/*
980 	 * The AH header is guaranteed by m_makespace() to be in
981 	 * contiguous memory, at roff bytes offset into the returned mbuf.
982 	 */
983 	ah = (struct newah *)(mtod(mi, caddr_t) + roff);
984 
985 	/* Initialize the AH header. */
986 	m_copydata(m, protoff, sizeof(u_int8_t), (caddr_t) &ah->ah_nxt);
987 	ah->ah_len = (rplen + authsize - sizeof(struct ah)) / sizeof(u_int32_t);
988 	ah->ah_reserve = 0;
989 	ah->ah_spi = sav->spi;
990 
991 	/* Zeroize authenticator. */
992 	m_copyback(m, skip + rplen, authsize, ipseczeroes);
993 
994 	/* Insert packet replay counter, as requested.  */
995 	if (sav->replay) {
996 		if (sav->replay->count == ~0 &&
997 		    (sav->flags & SADB_X_EXT_CYCSEQ) == 0) {
998 			DPRINTF(("%s: replay counter wrapped for SA %s/%08lx\n",
999 				__func__,
1000 				ipsec_address(&sav->sah->saidx.dst),
1001 				(u_long) ntohl(sav->spi)));
1002 			AHSTAT_INC(ahs_wrap);
1003 			error = EINVAL;
1004 			goto bad;
1005 		}
1006 #ifdef REGRESSION
1007 		/* Emulate replay attack when ipsec_replay is TRUE. */
1008 		if (!V_ipsec_replay)
1009 #endif
1010 			sav->replay->count++;
1011 		ah->ah_seq = htonl(sav->replay->count);
1012 	}
1013 
1014 	/* Get crypto descriptors. */
1015 	crp = crypto_getreq(1);
1016 	if (crp == NULL) {
1017 		DPRINTF(("%s: failed to acquire crypto descriptors\n",
1018 			__func__));
1019 		AHSTAT_INC(ahs_crypto);
1020 		error = ENOBUFS;
1021 		goto bad;
1022 	}
1023 
1024 	crda = crp->crp_desc;
1025 
1026 	crda->crd_skip = 0;
1027 	crda->crd_inject = skip + rplen;
1028 	crda->crd_len = m->m_pkthdr.len;
1029 
1030 	/* Authentication operation. */
1031 	crda->crd_alg = ahx->type;
1032 	crda->crd_key = sav->key_auth->key_data;
1033 	crda->crd_klen = _KEYBITS(sav->key_auth);
1034 
1035 	/* Allocate IPsec-specific opaque crypto info. */
1036 	tc = (struct tdb_crypto *) malloc(
1037 		sizeof(struct tdb_crypto) + skip, M_XDATA, M_NOWAIT|M_ZERO);
1038 	if (tc == NULL) {
1039 		crypto_freereq(crp);
1040 		DPRINTF(("%s: failed to allocate tdb_crypto\n", __func__));
1041 		AHSTAT_INC(ahs_crypto);
1042 		error = ENOBUFS;
1043 		goto bad;
1044 	}
1045 
1046 	/* Save the skipped portion of the packet. */
1047 	m_copydata(m, 0, skip, (caddr_t) (tc + 1));
1048 
1049 	/*
1050 	 * Fix IP header length on the header used for
1051 	 * authentication. We don't need to fix the original
1052 	 * header length as it will be fixed by our caller.
1053 	 */
1054 	switch (sav->sah->saidx.dst.sa.sa_family) {
1055 #ifdef INET
1056 	case AF_INET:
1057 		bcopy(((caddr_t)(tc + 1)) +
1058 		    offsetof(struct ip, ip_len),
1059 		    (caddr_t) &iplen, sizeof(u_int16_t));
1060 		iplen = htons(ntohs(iplen) + rplen + authsize);
1061 		m_copyback(m, offsetof(struct ip, ip_len),
1062 		    sizeof(u_int16_t), (caddr_t) &iplen);
1063 		break;
1064 #endif /* INET */
1065 
1066 #ifdef INET6
1067 	case AF_INET6:
1068 		bcopy(((caddr_t)(tc + 1)) +
1069 		    offsetof(struct ip6_hdr, ip6_plen),
1070 		    (caddr_t) &iplen, sizeof(u_int16_t));
1071 		iplen = htons(ntohs(iplen) + rplen + authsize);
1072 		m_copyback(m, offsetof(struct ip6_hdr, ip6_plen),
1073 		    sizeof(u_int16_t), (caddr_t) &iplen);
1074 		break;
1075 #endif /* INET6 */
1076 	}
1077 
1078 	/* Fix the Next Header field in saved header. */
1079 	((u_int8_t *) (tc + 1))[protoff] = IPPROTO_AH;
1080 
1081 	/* Update the Next Protocol field in the IP header. */
1082 	prot = IPPROTO_AH;
1083 	m_copyback(m, protoff, sizeof(u_int8_t), (caddr_t) &prot);
1084 
1085 	/* "Massage" the packet headers for crypto processing. */
1086 	error = ah_massage_headers(&m, sav->sah->saidx.dst.sa.sa_family,
1087 			skip, ahx->type, 1);
1088 	if (error != 0) {
1089 		m = NULL;	/* mbuf was free'd by ah_massage_headers. */
1090 		free(tc, M_XDATA);
1091 		crypto_freereq(crp);
1092 		goto bad;
1093 	}
1094 
1095 	/* Crypto operation descriptor. */
1096 	crp->crp_ilen = m->m_pkthdr.len; /* Total input length. */
1097 	crp->crp_flags = CRYPTO_F_IMBUF | CRYPTO_F_CBIFSYNC;
1098 	crp->crp_buf = (caddr_t) m;
1099 	crp->crp_callback = ah_output_cb;
1100 	crp->crp_sid = sav->tdb_cryptoid;
1101 	crp->crp_opaque = (caddr_t) tc;
1102 
1103 	/* These are passed as-is to the callback. */
1104 	tc->tc_isr = isr;
1105 	KEY_ADDREFSA(sav);
1106 	tc->tc_sav = sav;
1107 	tc->tc_spi = sav->spi;
1108 	tc->tc_dst = sav->sah->saidx.dst;
1109 	tc->tc_proto = sav->sah->saidx.proto;
1110 	tc->tc_skip = skip;
1111 	tc->tc_protoff = protoff;
1112 
1113 	return crypto_dispatch(crp);
1114 bad:
1115 	if (m)
1116 		m_freem(m);
1117 	return (error);
1118 }
1119 
1120 /*
1121  * AH output callback from the crypto driver.
1122  */
1123 static int
1124 ah_output_cb(struct cryptop *crp)
1125 {
1126 	int skip, protoff, error;
1127 	struct tdb_crypto *tc;
1128 	struct ipsecrequest *isr;
1129 	struct secasvar *sav;
1130 	struct mbuf *m;
1131 	caddr_t ptr;
1132 
1133 	tc = (struct tdb_crypto *) crp->crp_opaque;
1134 	IPSEC_ASSERT(tc != NULL, ("null opaque data area!"));
1135 	skip = tc->tc_skip;
1136 	protoff = tc->tc_protoff;
1137 	ptr = (caddr_t) (tc + 1);
1138 	m = (struct mbuf *) crp->crp_buf;
1139 
1140 	isr = tc->tc_isr;
1141 	IPSECREQUEST_LOCK(isr);
1142 	sav = tc->tc_sav;
1143 	/* With the isr lock released SA pointer can be updated. */
1144 	if (sav != isr->sav) {
1145 		AHSTAT_INC(ahs_notdb);
1146 		DPRINTF(("%s: SA expired while in crypto\n", __func__));
1147 		error = ENOBUFS;		/*XXX*/
1148 		goto bad;
1149 	}
1150 
1151 	/* Check for crypto errors. */
1152 	if (crp->crp_etype) {
1153 		if (sav->tdb_cryptoid != 0)
1154 			sav->tdb_cryptoid = crp->crp_sid;
1155 
1156 		if (crp->crp_etype == EAGAIN) {
1157 			IPSECREQUEST_UNLOCK(isr);
1158 			return (crypto_dispatch(crp));
1159 		}
1160 
1161 		AHSTAT_INC(ahs_noxform);
1162 		DPRINTF(("%s: crypto error %d\n", __func__, crp->crp_etype));
1163 		error = crp->crp_etype;
1164 		goto bad;
1165 	}
1166 
1167 	/* Shouldn't happen... */
1168 	if (m == NULL) {
1169 		AHSTAT_INC(ahs_crypto);
1170 		DPRINTF(("%s: bogus returned buffer from crypto\n", __func__));
1171 		error = EINVAL;
1172 		goto bad;
1173 	}
1174 	AHSTAT_INC(ahs_hist[sav->alg_auth]);
1175 
1176 	/*
1177 	 * Copy original headers (with the new protocol number) back
1178 	 * in place.
1179 	 */
1180 	m_copyback(m, 0, skip, ptr);
1181 
1182 	/* No longer needed. */
1183 	free(tc, M_XDATA);
1184 	crypto_freereq(crp);
1185 
1186 #ifdef REGRESSION
1187 	/* Emulate man-in-the-middle attack when ipsec_integrity is TRUE. */
1188 	if (V_ipsec_integrity) {
1189 		int alen;
1190 
1191 		/*
1192 		 * Corrupt HMAC if we want to test integrity verification of
1193 		 * the other side.
1194 		 */
1195 		alen = AUTHSIZE(sav);
1196 		m_copyback(m, m->m_pkthdr.len - alen, alen, ipseczeroes);
1197 	}
1198 #endif
1199 
1200 	/* NB: m is reclaimed by ipsec_process_done. */
1201 	error = ipsec_process_done(m, isr);
1202 	KEY_FREESAV(&sav);
1203 	IPSECREQUEST_UNLOCK(isr);
1204 	return error;
1205 bad:
1206 	if (sav)
1207 		KEY_FREESAV(&sav);
1208 	IPSECREQUEST_UNLOCK(isr);
1209 	if (m)
1210 		m_freem(m);
1211 	free(tc, M_XDATA);
1212 	crypto_freereq(crp);
1213 	return error;
1214 }
1215 
1216 static struct xformsw ah_xformsw = {
1217 	XF_AH,		XFT_AUTH,	"IPsec AH",
1218 	ah_init,	ah_zeroize,	ah_input,	ah_output,
1219 };
1220 
1221 static void
1222 ah_attach(void)
1223 {
1224 
1225 	xform_register(&ah_xformsw);
1226 }
1227 
1228 SYSINIT(ah_xform_init, SI_SUB_PROTO_DOMAIN, SI_ORDER_MIDDLE, ah_attach, NULL);
1229