1 /* $FreeBSD$ */ 2 /* $OpenBSD: ip_ah.c,v 1.63 2001/06/26 06:18:58 angelos Exp $ */ 3 /*- 4 * The authors of this code are John Ioannidis (ji@tla.org), 5 * Angelos D. Keromytis (kermit@csd.uch.gr) and 6 * Niels Provos (provos@physnet.uni-hamburg.de). 7 * 8 * The original version of this code was written by John Ioannidis 9 * for BSD/OS in Athens, Greece, in November 1995. 10 * 11 * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996, 12 * by Angelos D. Keromytis. 13 * 14 * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis 15 * and Niels Provos. 16 * 17 * Additional features in 1999 by Angelos D. Keromytis and Niklas Hallqvist. 18 * 19 * Copyright (c) 1995, 1996, 1997, 1998, 1999 by John Ioannidis, 20 * Angelos D. Keromytis and Niels Provos. 21 * Copyright (c) 1999 Niklas Hallqvist. 22 * Copyright (c) 2001 Angelos D. Keromytis. 23 * 24 * Permission to use, copy, and modify this software with or without fee 25 * is hereby granted, provided that this entire notice is included in 26 * all copies of any software which is or includes a copy or 27 * modification of this software. 28 * You may use this code under the GNU public license if you so wish. Please 29 * contribute changes back to the authors under this freer than GPL license 30 * so that we may further the use of strong encryption without limitations to 31 * all. 32 * 33 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR 34 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY 35 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE 36 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR 37 * PURPOSE. 38 */ 39 #include "opt_inet.h" 40 #include "opt_inet6.h" 41 42 #include <sys/param.h> 43 #include <sys/systm.h> 44 #include <sys/mbuf.h> 45 #include <sys/socket.h> 46 #include <sys/syslog.h> 47 #include <sys/kernel.h> 48 #include <sys/lock.h> 49 #include <sys/rwlock.h> 50 #include <sys/sysctl.h> 51 52 #include <net/if.h> 53 #include <net/vnet.h> 54 55 #include <netinet/in.h> 56 #include <netinet/in_systm.h> 57 #include <netinet/ip.h> 58 #include <netinet/ip_ecn.h> 59 #include <netinet/ip6.h> 60 61 #include <net/route.h> 62 #include <netipsec/ipsec.h> 63 #include <netipsec/ah.h> 64 #include <netipsec/ah_var.h> 65 #include <netipsec/xform.h> 66 67 #ifdef INET6 68 #include <netinet6/ip6_var.h> 69 #include <netipsec/ipsec6.h> 70 #include <netinet6/ip6_ecn.h> 71 #endif 72 73 #include <netipsec/key.h> 74 #include <netipsec/key_debug.h> 75 76 #include <opencrypto/cryptodev.h> 77 78 /* 79 * Return header size in bytes. The old protocol did not support 80 * the replay counter; the new protocol always includes the counter. 81 */ 82 #define HDRSIZE(sav) \ 83 (((sav)->flags & SADB_X_EXT_OLD) ? \ 84 sizeof (struct ah) : sizeof (struct ah) + sizeof (u_int32_t)) 85 /* 86 * Return authenticator size in bytes. The old protocol is known 87 * to use a fixed 16-byte authenticator. The new algorithm use 12-byte 88 * authenticator. 89 */ 90 #define AUTHSIZE(sav) ah_authsize(sav) 91 92 VNET_DEFINE(int, ah_enable) = 1; /* control flow of packets with AH */ 93 VNET_DEFINE(int, ah_cleartos) = 1; /* clear ip_tos when doing AH calc */ 94 VNET_PCPUSTAT_DEFINE(struct ahstat, ahstat); 95 VNET_PCPUSTAT_SYSINIT(ahstat); 96 97 #ifdef VIMAGE 98 VNET_PCPUSTAT_SYSUNINIT(ahstat); 99 #endif /* VIMAGE */ 100 101 #ifdef INET 102 SYSCTL_DECL(_net_inet_ah); 103 SYSCTL_VNET_INT(_net_inet_ah, OID_AUTO, 104 ah_enable, CTLFLAG_RW, &VNET_NAME(ah_enable), 0, ""); 105 SYSCTL_VNET_INT(_net_inet_ah, OID_AUTO, 106 ah_cleartos, CTLFLAG_RW, &VNET_NAME(ah_cleartos), 0, ""); 107 SYSCTL_VNET_PCPUSTAT(_net_inet_ah, IPSECCTL_STATS, stats, struct ahstat, 108 ahstat, "AH statistics (struct ahstat, netipsec/ah_var.h)"); 109 #endif 110 111 static unsigned char ipseczeroes[256]; /* larger than an ip6 extension hdr */ 112 113 static int ah_input_cb(struct cryptop*); 114 static int ah_output_cb(struct cryptop*); 115 116 static int 117 ah_authsize(struct secasvar *sav) 118 { 119 120 IPSEC_ASSERT(sav != NULL, ("%s: sav == NULL", __func__)); 121 122 if (sav->flags & SADB_X_EXT_OLD) 123 return 16; 124 125 switch (sav->alg_auth) { 126 case SADB_X_AALG_SHA2_256: 127 return 16; 128 case SADB_X_AALG_SHA2_384: 129 return 24; 130 case SADB_X_AALG_SHA2_512: 131 return 32; 132 default: 133 return AH_HMAC_HASHLEN; 134 } 135 /* NOTREACHED */ 136 } 137 /* 138 * NB: this is public for use by the PF_KEY support. 139 */ 140 struct auth_hash * 141 ah_algorithm_lookup(int alg) 142 { 143 if (alg > SADB_AALG_MAX) 144 return NULL; 145 switch (alg) { 146 case SADB_X_AALG_NULL: 147 return &auth_hash_null; 148 case SADB_AALG_MD5HMAC: 149 return &auth_hash_hmac_md5; 150 case SADB_AALG_SHA1HMAC: 151 return &auth_hash_hmac_sha1; 152 case SADB_X_AALG_RIPEMD160HMAC: 153 return &auth_hash_hmac_ripemd_160; 154 case SADB_X_AALG_MD5: 155 return &auth_hash_key_md5; 156 case SADB_X_AALG_SHA: 157 return &auth_hash_key_sha1; 158 case SADB_X_AALG_SHA2_256: 159 return &auth_hash_hmac_sha2_256; 160 case SADB_X_AALG_SHA2_384: 161 return &auth_hash_hmac_sha2_384; 162 case SADB_X_AALG_SHA2_512: 163 return &auth_hash_hmac_sha2_512; 164 } 165 return NULL; 166 } 167 168 size_t 169 ah_hdrsiz(struct secasvar *sav) 170 { 171 size_t size; 172 173 if (sav != NULL) { 174 int authsize; 175 IPSEC_ASSERT(sav->tdb_authalgxform != NULL, ("null xform")); 176 /*XXX not right for null algorithm--does it matter??*/ 177 authsize = AUTHSIZE(sav); 178 size = roundup(authsize, sizeof (u_int32_t)) + HDRSIZE(sav); 179 } else { 180 /* default guess */ 181 size = sizeof (struct ah) + sizeof (u_int32_t) + 16; 182 } 183 return size; 184 } 185 186 /* 187 * NB: public for use by esp_init. 188 */ 189 int 190 ah_init0(struct secasvar *sav, struct xformsw *xsp, struct cryptoini *cria) 191 { 192 struct auth_hash *thash; 193 int keylen; 194 195 thash = ah_algorithm_lookup(sav->alg_auth); 196 if (thash == NULL) { 197 DPRINTF(("%s: unsupported authentication algorithm %u\n", 198 __func__, sav->alg_auth)); 199 return EINVAL; 200 } 201 /* 202 * Verify the replay state block allocation is consistent with 203 * the protocol type. We check here so we can make assumptions 204 * later during protocol processing. 205 */ 206 /* NB: replay state is setup elsewhere (sigh) */ 207 if (((sav->flags&SADB_X_EXT_OLD) == 0) ^ (sav->replay != NULL)) { 208 DPRINTF(("%s: replay state block inconsistency, " 209 "%s algorithm %s replay state\n", __func__, 210 (sav->flags & SADB_X_EXT_OLD) ? "old" : "new", 211 sav->replay == NULL ? "without" : "with")); 212 return EINVAL; 213 } 214 if (sav->key_auth == NULL) { 215 DPRINTF(("%s: no authentication key for %s algorithm\n", 216 __func__, thash->name)); 217 return EINVAL; 218 } 219 keylen = _KEYLEN(sav->key_auth); 220 if (keylen != thash->keysize && thash->keysize != 0) { 221 DPRINTF(("%s: invalid keylength %d, algorithm %s requires " 222 "keysize %d\n", __func__, 223 keylen, thash->name, thash->keysize)); 224 return EINVAL; 225 } 226 227 sav->tdb_xform = xsp; 228 sav->tdb_authalgxform = thash; 229 230 /* Initialize crypto session. */ 231 bzero(cria, sizeof (*cria)); 232 cria->cri_alg = sav->tdb_authalgxform->type; 233 cria->cri_klen = _KEYBITS(sav->key_auth); 234 cria->cri_key = sav->key_auth->key_data; 235 cria->cri_mlen = AUTHSIZE(sav); 236 237 return 0; 238 } 239 240 /* 241 * ah_init() is called when an SPI is being set up. 242 */ 243 static int 244 ah_init(struct secasvar *sav, struct xformsw *xsp) 245 { 246 struct cryptoini cria; 247 int error; 248 249 error = ah_init0(sav, xsp, &cria); 250 return error ? error : 251 crypto_newsession(&sav->tdb_cryptoid, &cria, V_crypto_support); 252 } 253 254 /* 255 * Paranoia. 256 * 257 * NB: public for use by esp_zeroize (XXX). 258 */ 259 int 260 ah_zeroize(struct secasvar *sav) 261 { 262 int err; 263 264 if (sav->key_auth) 265 bzero(sav->key_auth->key_data, _KEYLEN(sav->key_auth)); 266 267 err = crypto_freesession(sav->tdb_cryptoid); 268 sav->tdb_cryptoid = 0; 269 sav->tdb_authalgxform = NULL; 270 sav->tdb_xform = NULL; 271 return err; 272 } 273 274 /* 275 * Massage IPv4/IPv6 headers for AH processing. 276 */ 277 static int 278 ah_massage_headers(struct mbuf **m0, int proto, int skip, int alg, int out) 279 { 280 struct mbuf *m = *m0; 281 unsigned char *ptr; 282 int off, count; 283 284 #ifdef INET 285 struct ip *ip; 286 #endif /* INET */ 287 288 #ifdef INET6 289 struct ip6_ext *ip6e; 290 struct ip6_hdr ip6; 291 int alloc, len, ad; 292 #endif /* INET6 */ 293 294 switch (proto) { 295 #ifdef INET 296 case AF_INET: 297 /* 298 * This is the least painful way of dealing with IPv4 header 299 * and option processing -- just make sure they're in 300 * contiguous memory. 301 */ 302 *m0 = m = m_pullup(m, skip); 303 if (m == NULL) { 304 DPRINTF(("%s: m_pullup failed\n", __func__)); 305 return ENOBUFS; 306 } 307 308 /* Fix the IP header */ 309 ip = mtod(m, struct ip *); 310 if (V_ah_cleartos) 311 ip->ip_tos = 0; 312 ip->ip_ttl = 0; 313 ip->ip_sum = 0; 314 315 if (alg == CRYPTO_MD5_KPDK || alg == CRYPTO_SHA1_KPDK) 316 ip->ip_off &= htons(IP_DF); 317 else 318 ip->ip_off = htons(0); 319 320 ptr = mtod(m, unsigned char *) + sizeof(struct ip); 321 322 /* IPv4 option processing */ 323 for (off = sizeof(struct ip); off < skip;) { 324 if (ptr[off] == IPOPT_EOL || ptr[off] == IPOPT_NOP || 325 off + 1 < skip) 326 ; 327 else { 328 DPRINTF(("%s: illegal IPv4 option length for " 329 "option %d\n", __func__, ptr[off])); 330 331 m_freem(m); 332 return EINVAL; 333 } 334 335 switch (ptr[off]) { 336 case IPOPT_EOL: 337 off = skip; /* End the loop. */ 338 break; 339 340 case IPOPT_NOP: 341 off++; 342 break; 343 344 case IPOPT_SECURITY: /* 0x82 */ 345 case 0x85: /* Extended security. */ 346 case 0x86: /* Commercial security. */ 347 case 0x94: /* Router alert */ 348 case 0x95: /* RFC1770 */ 349 /* Sanity check for option length. */ 350 if (ptr[off + 1] < 2) { 351 DPRINTF(("%s: illegal IPv4 option " 352 "length for option %d\n", 353 __func__, ptr[off])); 354 355 m_freem(m); 356 return EINVAL; 357 } 358 359 off += ptr[off + 1]; 360 break; 361 362 case IPOPT_LSRR: 363 case IPOPT_SSRR: 364 /* Sanity check for option length. */ 365 if (ptr[off + 1] < 2) { 366 DPRINTF(("%s: illegal IPv4 option " 367 "length for option %d\n", 368 __func__, ptr[off])); 369 370 m_freem(m); 371 return EINVAL; 372 } 373 374 /* 375 * On output, if we have either of the 376 * source routing options, we should 377 * swap the destination address of the 378 * IP header with the last address 379 * specified in the option, as that is 380 * what the destination's IP header 381 * will look like. 382 */ 383 if (out) 384 bcopy(ptr + off + ptr[off + 1] - 385 sizeof(struct in_addr), 386 &(ip->ip_dst), sizeof(struct in_addr)); 387 388 /* Fall through */ 389 default: 390 /* Sanity check for option length. */ 391 if (ptr[off + 1] < 2) { 392 DPRINTF(("%s: illegal IPv4 option " 393 "length for option %d\n", 394 __func__, ptr[off])); 395 m_freem(m); 396 return EINVAL; 397 } 398 399 /* Zeroize all other options. */ 400 count = ptr[off + 1]; 401 bcopy(ipseczeroes, ptr, count); 402 off += count; 403 break; 404 } 405 406 /* Sanity check. */ 407 if (off > skip) { 408 DPRINTF(("%s: malformed IPv4 options header\n", 409 __func__)); 410 411 m_freem(m); 412 return EINVAL; 413 } 414 } 415 416 break; 417 #endif /* INET */ 418 419 #ifdef INET6 420 case AF_INET6: /* Ugly... */ 421 /* Copy and "cook" the IPv6 header. */ 422 m_copydata(m, 0, sizeof(ip6), (caddr_t) &ip6); 423 424 /* We don't do IPv6 Jumbograms. */ 425 if (ip6.ip6_plen == 0) { 426 DPRINTF(("%s: unsupported IPv6 jumbogram\n", __func__)); 427 m_freem(m); 428 return EMSGSIZE; 429 } 430 431 ip6.ip6_flow = 0; 432 ip6.ip6_hlim = 0; 433 ip6.ip6_vfc &= ~IPV6_VERSION_MASK; 434 ip6.ip6_vfc |= IPV6_VERSION; 435 436 /* Scoped address handling. */ 437 if (IN6_IS_SCOPE_LINKLOCAL(&ip6.ip6_src)) 438 ip6.ip6_src.s6_addr16[1] = 0; 439 if (IN6_IS_SCOPE_LINKLOCAL(&ip6.ip6_dst)) 440 ip6.ip6_dst.s6_addr16[1] = 0; 441 442 /* Done with IPv6 header. */ 443 m_copyback(m, 0, sizeof(struct ip6_hdr), (caddr_t) &ip6); 444 445 /* Let's deal with the remaining headers (if any). */ 446 if (skip - sizeof(struct ip6_hdr) > 0) { 447 if (m->m_len <= skip) { 448 ptr = (unsigned char *) malloc( 449 skip - sizeof(struct ip6_hdr), 450 M_XDATA, M_NOWAIT); 451 if (ptr == NULL) { 452 DPRINTF(("%s: failed to allocate memory" 453 "for IPv6 headers\n",__func__)); 454 m_freem(m); 455 return ENOBUFS; 456 } 457 458 /* 459 * Copy all the protocol headers after 460 * the IPv6 header. 461 */ 462 m_copydata(m, sizeof(struct ip6_hdr), 463 skip - sizeof(struct ip6_hdr), ptr); 464 alloc = 1; 465 } else { 466 /* No need to allocate memory. */ 467 ptr = mtod(m, unsigned char *) + 468 sizeof(struct ip6_hdr); 469 alloc = 0; 470 } 471 } else 472 break; 473 474 off = ip6.ip6_nxt & 0xff; /* Next header type. */ 475 476 for (len = 0; len < skip - sizeof(struct ip6_hdr);) 477 switch (off) { 478 case IPPROTO_HOPOPTS: 479 case IPPROTO_DSTOPTS: 480 ip6e = (struct ip6_ext *) (ptr + len); 481 482 /* 483 * Process the mutable/immutable 484 * options -- borrows heavily from the 485 * KAME code. 486 */ 487 for (count = len + sizeof(struct ip6_ext); 488 count < len + ((ip6e->ip6e_len + 1) << 3);) { 489 if (ptr[count] == IP6OPT_PAD1) { 490 count++; 491 continue; /* Skip padding. */ 492 } 493 494 /* Sanity check. */ 495 if (count > len + 496 ((ip6e->ip6e_len + 1) << 3)) { 497 m_freem(m); 498 499 /* Free, if we allocated. */ 500 if (alloc) 501 free(ptr, M_XDATA); 502 return EINVAL; 503 } 504 505 ad = ptr[count + 1]; 506 507 /* If mutable option, zeroize. */ 508 if (ptr[count] & IP6OPT_MUTABLE) 509 bcopy(ipseczeroes, ptr + count, 510 ptr[count + 1]); 511 512 count += ad; 513 514 /* Sanity check. */ 515 if (count > 516 skip - sizeof(struct ip6_hdr)) { 517 m_freem(m); 518 519 /* Free, if we allocated. */ 520 if (alloc) 521 free(ptr, M_XDATA); 522 return EINVAL; 523 } 524 } 525 526 /* Advance. */ 527 len += ((ip6e->ip6e_len + 1) << 3); 528 off = ip6e->ip6e_nxt; 529 break; 530 531 case IPPROTO_ROUTING: 532 /* 533 * Always include routing headers in 534 * computation. 535 */ 536 ip6e = (struct ip6_ext *) (ptr + len); 537 len += ((ip6e->ip6e_len + 1) << 3); 538 off = ip6e->ip6e_nxt; 539 break; 540 541 default: 542 DPRINTF(("%s: unexpected IPv6 header type %d", 543 __func__, off)); 544 if (alloc) 545 free(ptr, M_XDATA); 546 m_freem(m); 547 return EINVAL; 548 } 549 550 /* Copyback and free, if we allocated. */ 551 if (alloc) { 552 m_copyback(m, sizeof(struct ip6_hdr), 553 skip - sizeof(struct ip6_hdr), ptr); 554 free(ptr, M_XDATA); 555 } 556 557 break; 558 #endif /* INET6 */ 559 } 560 561 return 0; 562 } 563 564 /* 565 * ah_input() gets called to verify that an input packet 566 * passes authentication. 567 */ 568 static int 569 ah_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff) 570 { 571 struct auth_hash *ahx; 572 struct tdb_ident *tdbi; 573 struct tdb_crypto *tc; 574 struct m_tag *mtag; 575 struct newah *ah; 576 int hl, rplen, authsize; 577 578 struct cryptodesc *crda; 579 struct cryptop *crp; 580 581 IPSEC_ASSERT(sav != NULL, ("null SA")); 582 IPSEC_ASSERT(sav->key_auth != NULL, ("null authentication key")); 583 IPSEC_ASSERT(sav->tdb_authalgxform != NULL, 584 ("null authentication xform")); 585 586 /* Figure out header size. */ 587 rplen = HDRSIZE(sav); 588 589 /* XXX don't pullup, just copy header */ 590 IP6_EXTHDR_GET(ah, struct newah *, m, skip, rplen); 591 if (ah == NULL) { 592 DPRINTF(("ah_input: cannot pullup header\n")); 593 AHSTAT_INC(ahs_hdrops); /*XXX*/ 594 m_freem(m); 595 return ENOBUFS; 596 } 597 598 /* Check replay window, if applicable. */ 599 if (sav->replay && !ipsec_chkreplay(ntohl(ah->ah_seq), sav)) { 600 AHSTAT_INC(ahs_replay); 601 DPRINTF(("%s: packet replay failure: %s\n", __func__, 602 ipsec_logsastr(sav))); 603 m_freem(m); 604 return ENOBUFS; 605 } 606 607 /* Verify AH header length. */ 608 hl = ah->ah_len * sizeof (u_int32_t); 609 ahx = sav->tdb_authalgxform; 610 authsize = AUTHSIZE(sav); 611 if (hl != authsize + rplen - sizeof (struct ah)) { 612 DPRINTF(("%s: bad authenticator length %u (expecting %lu)" 613 " for packet in SA %s/%08lx\n", __func__, 614 hl, (u_long) (authsize + rplen - sizeof (struct ah)), 615 ipsec_address(&sav->sah->saidx.dst), 616 (u_long) ntohl(sav->spi))); 617 AHSTAT_INC(ahs_badauthl); 618 m_freem(m); 619 return EACCES; 620 } 621 AHSTAT_ADD(ahs_ibytes, m->m_pkthdr.len - skip - hl); 622 623 /* Get crypto descriptors. */ 624 crp = crypto_getreq(1); 625 if (crp == NULL) { 626 DPRINTF(("%s: failed to acquire crypto descriptor\n",__func__)); 627 AHSTAT_INC(ahs_crypto); 628 m_freem(m); 629 return ENOBUFS; 630 } 631 632 crda = crp->crp_desc; 633 IPSEC_ASSERT(crda != NULL, ("null crypto descriptor")); 634 635 crda->crd_skip = 0; 636 crda->crd_len = m->m_pkthdr.len; 637 crda->crd_inject = skip + rplen; 638 639 /* Authentication operation. */ 640 crda->crd_alg = ahx->type; 641 crda->crd_klen = _KEYBITS(sav->key_auth); 642 crda->crd_key = sav->key_auth->key_data; 643 644 /* Find out if we've already done crypto. */ 645 for (mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_CRYPTO_DONE, NULL); 646 mtag != NULL; 647 mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_CRYPTO_DONE, mtag)) { 648 tdbi = (struct tdb_ident *) (mtag + 1); 649 if (tdbi->proto == sav->sah->saidx.proto && 650 tdbi->spi == sav->spi && 651 !bcmp(&tdbi->dst, &sav->sah->saidx.dst, 652 sizeof (union sockaddr_union))) 653 break; 654 } 655 656 /* Allocate IPsec-specific opaque crypto info. */ 657 if (mtag == NULL) { 658 tc = (struct tdb_crypto *) malloc(sizeof (struct tdb_crypto) + 659 skip + rplen + authsize, M_XDATA, M_NOWAIT|M_ZERO); 660 } else { 661 /* Hash verification has already been done successfully. */ 662 tc = (struct tdb_crypto *) malloc(sizeof (struct tdb_crypto), 663 M_XDATA, M_NOWAIT|M_ZERO); 664 } 665 if (tc == NULL) { 666 DPRINTF(("%s: failed to allocate tdb_crypto\n", __func__)); 667 AHSTAT_INC(ahs_crypto); 668 crypto_freereq(crp); 669 m_freem(m); 670 return ENOBUFS; 671 } 672 673 /* Only save information if crypto processing is needed. */ 674 if (mtag == NULL) { 675 int error; 676 677 /* 678 * Save the authenticator, the skipped portion of the packet, 679 * and the AH header. 680 */ 681 m_copydata(m, 0, skip + rplen + authsize, (caddr_t)(tc+1)); 682 683 /* Zeroize the authenticator on the packet. */ 684 m_copyback(m, skip + rplen, authsize, ipseczeroes); 685 686 /* "Massage" the packet headers for crypto processing. */ 687 error = ah_massage_headers(&m, sav->sah->saidx.dst.sa.sa_family, 688 skip, ahx->type, 0); 689 if (error != 0) { 690 /* NB: mbuf is free'd by ah_massage_headers */ 691 AHSTAT_INC(ahs_hdrops); 692 free(tc, M_XDATA); 693 crypto_freereq(crp); 694 return error; 695 } 696 } 697 698 /* Crypto operation descriptor. */ 699 crp->crp_ilen = m->m_pkthdr.len; /* Total input length. */ 700 crp->crp_flags = CRYPTO_F_IMBUF | CRYPTO_F_CBIFSYNC; 701 crp->crp_buf = (caddr_t) m; 702 crp->crp_callback = ah_input_cb; 703 crp->crp_sid = sav->tdb_cryptoid; 704 crp->crp_opaque = (caddr_t) tc; 705 706 /* These are passed as-is to the callback. */ 707 tc->tc_spi = sav->spi; 708 tc->tc_dst = sav->sah->saidx.dst; 709 tc->tc_proto = sav->sah->saidx.proto; 710 tc->tc_nxt = ah->ah_nxt; 711 tc->tc_protoff = protoff; 712 tc->tc_skip = skip; 713 tc->tc_ptr = (caddr_t) mtag; /* Save the mtag we've identified. */ 714 KEY_ADDREFSA(sav); 715 tc->tc_sav = sav; 716 717 if (mtag == NULL) 718 return crypto_dispatch(crp); 719 else 720 return ah_input_cb(crp); 721 } 722 723 /* 724 * AH input callback from the crypto driver. 725 */ 726 static int 727 ah_input_cb(struct cryptop *crp) 728 { 729 int rplen, error, skip, protoff; 730 unsigned char calc[AH_ALEN_MAX]; 731 struct mbuf *m; 732 struct cryptodesc *crd; 733 struct auth_hash *ahx; 734 struct tdb_crypto *tc; 735 struct m_tag *mtag; 736 struct secasvar *sav; 737 struct secasindex *saidx; 738 u_int8_t nxt; 739 caddr_t ptr; 740 int authsize; 741 742 crd = crp->crp_desc; 743 744 tc = (struct tdb_crypto *) crp->crp_opaque; 745 IPSEC_ASSERT(tc != NULL, ("null opaque crypto data area!")); 746 skip = tc->tc_skip; 747 nxt = tc->tc_nxt; 748 protoff = tc->tc_protoff; 749 mtag = (struct m_tag *) tc->tc_ptr; 750 m = (struct mbuf *) crp->crp_buf; 751 752 sav = tc->tc_sav; 753 IPSEC_ASSERT(sav != NULL, ("null SA!")); 754 755 saidx = &sav->sah->saidx; 756 IPSEC_ASSERT(saidx->dst.sa.sa_family == AF_INET || 757 saidx->dst.sa.sa_family == AF_INET6, 758 ("unexpected protocol family %u", saidx->dst.sa.sa_family)); 759 760 ahx = (struct auth_hash *) sav->tdb_authalgxform; 761 762 /* Check for crypto errors. */ 763 if (crp->crp_etype) { 764 if (sav->tdb_cryptoid != 0) 765 sav->tdb_cryptoid = crp->crp_sid; 766 767 if (crp->crp_etype == EAGAIN) 768 return (crypto_dispatch(crp)); 769 770 AHSTAT_INC(ahs_noxform); 771 DPRINTF(("%s: crypto error %d\n", __func__, crp->crp_etype)); 772 error = crp->crp_etype; 773 goto bad; 774 } else { 775 AHSTAT_INC(ahs_hist[sav->alg_auth]); 776 crypto_freereq(crp); /* No longer needed. */ 777 crp = NULL; 778 } 779 780 /* Shouldn't happen... */ 781 if (m == NULL) { 782 AHSTAT_INC(ahs_crypto); 783 DPRINTF(("%s: bogus returned buffer from crypto\n", __func__)); 784 error = EINVAL; 785 goto bad; 786 } 787 788 /* Figure out header size. */ 789 rplen = HDRSIZE(sav); 790 authsize = AUTHSIZE(sav); 791 792 /* Copy authenticator off the packet. */ 793 m_copydata(m, skip + rplen, authsize, calc); 794 795 /* 796 * If we have an mtag, we don't need to verify the authenticator -- 797 * it has been verified by an IPsec-aware NIC. 798 */ 799 if (mtag == NULL) { 800 ptr = (caddr_t) (tc + 1); 801 802 /* Verify authenticator. */ 803 if (bcmp(ptr + skip + rplen, calc, authsize)) { 804 DPRINTF(("%s: authentication hash mismatch for packet " 805 "in SA %s/%08lx\n", __func__, 806 ipsec_address(&saidx->dst), 807 (u_long) ntohl(sav->spi))); 808 AHSTAT_INC(ahs_badauth); 809 error = EACCES; 810 goto bad; 811 } 812 813 /* Fix the Next Protocol field. */ 814 ((u_int8_t *) ptr)[protoff] = nxt; 815 816 /* Copyback the saved (uncooked) network headers. */ 817 m_copyback(m, 0, skip, ptr); 818 } else { 819 /* Fix the Next Protocol field. */ 820 m_copyback(m, protoff, sizeof(u_int8_t), &nxt); 821 } 822 823 free(tc, M_XDATA), tc = NULL; /* No longer needed */ 824 825 /* 826 * Header is now authenticated. 827 */ 828 m->m_flags |= M_AUTHIPHDR|M_AUTHIPDGM; 829 830 /* 831 * Update replay sequence number, if appropriate. 832 */ 833 if (sav->replay) { 834 u_int32_t seq; 835 836 m_copydata(m, skip + offsetof(struct newah, ah_seq), 837 sizeof (seq), (caddr_t) &seq); 838 if (ipsec_updatereplay(ntohl(seq), sav)) { 839 AHSTAT_INC(ahs_replay); 840 error = ENOBUFS; /*XXX as above*/ 841 goto bad; 842 } 843 } 844 845 /* 846 * Remove the AH header and authenticator from the mbuf. 847 */ 848 error = m_striphdr(m, skip, rplen + authsize); 849 if (error) { 850 DPRINTF(("%s: mangled mbuf chain for SA %s/%08lx\n", __func__, 851 ipsec_address(&saidx->dst), (u_long) ntohl(sav->spi))); 852 853 AHSTAT_INC(ahs_hdrops); 854 goto bad; 855 } 856 857 switch (saidx->dst.sa.sa_family) { 858 #ifdef INET6 859 case AF_INET6: 860 error = ipsec6_common_input_cb(m, sav, skip, protoff, mtag); 861 break; 862 #endif 863 #ifdef INET 864 case AF_INET: 865 error = ipsec4_common_input_cb(m, sav, skip, protoff, mtag); 866 break; 867 #endif 868 default: 869 panic("%s: Unexpected address family: %d saidx=%p", __func__, 870 saidx->dst.sa.sa_family, saidx); 871 } 872 873 KEY_FREESAV(&sav); 874 return error; 875 bad: 876 if (sav) 877 KEY_FREESAV(&sav); 878 if (m != NULL) 879 m_freem(m); 880 if (tc != NULL) 881 free(tc, M_XDATA); 882 if (crp != NULL) 883 crypto_freereq(crp); 884 return error; 885 } 886 887 /* 888 * AH output routine, called by ipsec[46]_process_packet(). 889 */ 890 static int 891 ah_output( 892 struct mbuf *m, 893 struct ipsecrequest *isr, 894 struct mbuf **mp, 895 int skip, 896 int protoff) 897 { 898 struct secasvar *sav; 899 struct auth_hash *ahx; 900 struct cryptodesc *crda; 901 struct tdb_crypto *tc; 902 struct mbuf *mi; 903 struct cryptop *crp; 904 u_int16_t iplen; 905 int error, rplen, authsize, maxpacketsize, roff; 906 u_int8_t prot; 907 struct newah *ah; 908 909 sav = isr->sav; 910 IPSEC_ASSERT(sav != NULL, ("null SA")); 911 ahx = sav->tdb_authalgxform; 912 IPSEC_ASSERT(ahx != NULL, ("null authentication xform")); 913 914 AHSTAT_INC(ahs_output); 915 916 /* Figure out header size. */ 917 rplen = HDRSIZE(sav); 918 919 /* Check for maximum packet size violations. */ 920 switch (sav->sah->saidx.dst.sa.sa_family) { 921 #ifdef INET 922 case AF_INET: 923 maxpacketsize = IP_MAXPACKET; 924 break; 925 #endif /* INET */ 926 #ifdef INET6 927 case AF_INET6: 928 maxpacketsize = IPV6_MAXPACKET; 929 break; 930 #endif /* INET6 */ 931 default: 932 DPRINTF(("%s: unknown/unsupported protocol family %u, " 933 "SA %s/%08lx\n", __func__, 934 sav->sah->saidx.dst.sa.sa_family, 935 ipsec_address(&sav->sah->saidx.dst), 936 (u_long) ntohl(sav->spi))); 937 AHSTAT_INC(ahs_nopf); 938 error = EPFNOSUPPORT; 939 goto bad; 940 } 941 authsize = AUTHSIZE(sav); 942 if (rplen + authsize + m->m_pkthdr.len > maxpacketsize) { 943 DPRINTF(("%s: packet in SA %s/%08lx got too big " 944 "(len %u, max len %u)\n", __func__, 945 ipsec_address(&sav->sah->saidx.dst), 946 (u_long) ntohl(sav->spi), 947 rplen + authsize + m->m_pkthdr.len, maxpacketsize)); 948 AHSTAT_INC(ahs_toobig); 949 error = EMSGSIZE; 950 goto bad; 951 } 952 953 /* Update the counters. */ 954 AHSTAT_ADD(ahs_obytes, m->m_pkthdr.len - skip); 955 956 m = m_unshare(m, M_NOWAIT); 957 if (m == NULL) { 958 DPRINTF(("%s: cannot clone mbuf chain, SA %s/%08lx\n", __func__, 959 ipsec_address(&sav->sah->saidx.dst), 960 (u_long) ntohl(sav->spi))); 961 AHSTAT_INC(ahs_hdrops); 962 error = ENOBUFS; 963 goto bad; 964 } 965 966 /* Inject AH header. */ 967 mi = m_makespace(m, skip, rplen + authsize, &roff); 968 if (mi == NULL) { 969 DPRINTF(("%s: failed to inject %u byte AH header for SA " 970 "%s/%08lx\n", __func__, 971 rplen + authsize, 972 ipsec_address(&sav->sah->saidx.dst), 973 (u_long) ntohl(sav->spi))); 974 AHSTAT_INC(ahs_hdrops); /*XXX differs from openbsd */ 975 error = ENOBUFS; 976 goto bad; 977 } 978 979 /* 980 * The AH header is guaranteed by m_makespace() to be in 981 * contiguous memory, at roff bytes offset into the returned mbuf. 982 */ 983 ah = (struct newah *)(mtod(mi, caddr_t) + roff); 984 985 /* Initialize the AH header. */ 986 m_copydata(m, protoff, sizeof(u_int8_t), (caddr_t) &ah->ah_nxt); 987 ah->ah_len = (rplen + authsize - sizeof(struct ah)) / sizeof(u_int32_t); 988 ah->ah_reserve = 0; 989 ah->ah_spi = sav->spi; 990 991 /* Zeroize authenticator. */ 992 m_copyback(m, skip + rplen, authsize, ipseczeroes); 993 994 /* Insert packet replay counter, as requested. */ 995 if (sav->replay) { 996 if (sav->replay->count == ~0 && 997 (sav->flags & SADB_X_EXT_CYCSEQ) == 0) { 998 DPRINTF(("%s: replay counter wrapped for SA %s/%08lx\n", 999 __func__, 1000 ipsec_address(&sav->sah->saidx.dst), 1001 (u_long) ntohl(sav->spi))); 1002 AHSTAT_INC(ahs_wrap); 1003 error = EINVAL; 1004 goto bad; 1005 } 1006 #ifdef REGRESSION 1007 /* Emulate replay attack when ipsec_replay is TRUE. */ 1008 if (!V_ipsec_replay) 1009 #endif 1010 sav->replay->count++; 1011 ah->ah_seq = htonl(sav->replay->count); 1012 } 1013 1014 /* Get crypto descriptors. */ 1015 crp = crypto_getreq(1); 1016 if (crp == NULL) { 1017 DPRINTF(("%s: failed to acquire crypto descriptors\n", 1018 __func__)); 1019 AHSTAT_INC(ahs_crypto); 1020 error = ENOBUFS; 1021 goto bad; 1022 } 1023 1024 crda = crp->crp_desc; 1025 1026 crda->crd_skip = 0; 1027 crda->crd_inject = skip + rplen; 1028 crda->crd_len = m->m_pkthdr.len; 1029 1030 /* Authentication operation. */ 1031 crda->crd_alg = ahx->type; 1032 crda->crd_key = sav->key_auth->key_data; 1033 crda->crd_klen = _KEYBITS(sav->key_auth); 1034 1035 /* Allocate IPsec-specific opaque crypto info. */ 1036 tc = (struct tdb_crypto *) malloc( 1037 sizeof(struct tdb_crypto) + skip, M_XDATA, M_NOWAIT|M_ZERO); 1038 if (tc == NULL) { 1039 crypto_freereq(crp); 1040 DPRINTF(("%s: failed to allocate tdb_crypto\n", __func__)); 1041 AHSTAT_INC(ahs_crypto); 1042 error = ENOBUFS; 1043 goto bad; 1044 } 1045 1046 /* Save the skipped portion of the packet. */ 1047 m_copydata(m, 0, skip, (caddr_t) (tc + 1)); 1048 1049 /* 1050 * Fix IP header length on the header used for 1051 * authentication. We don't need to fix the original 1052 * header length as it will be fixed by our caller. 1053 */ 1054 switch (sav->sah->saidx.dst.sa.sa_family) { 1055 #ifdef INET 1056 case AF_INET: 1057 bcopy(((caddr_t)(tc + 1)) + 1058 offsetof(struct ip, ip_len), 1059 (caddr_t) &iplen, sizeof(u_int16_t)); 1060 iplen = htons(ntohs(iplen) + rplen + authsize); 1061 m_copyback(m, offsetof(struct ip, ip_len), 1062 sizeof(u_int16_t), (caddr_t) &iplen); 1063 break; 1064 #endif /* INET */ 1065 1066 #ifdef INET6 1067 case AF_INET6: 1068 bcopy(((caddr_t)(tc + 1)) + 1069 offsetof(struct ip6_hdr, ip6_plen), 1070 (caddr_t) &iplen, sizeof(u_int16_t)); 1071 iplen = htons(ntohs(iplen) + rplen + authsize); 1072 m_copyback(m, offsetof(struct ip6_hdr, ip6_plen), 1073 sizeof(u_int16_t), (caddr_t) &iplen); 1074 break; 1075 #endif /* INET6 */ 1076 } 1077 1078 /* Fix the Next Header field in saved header. */ 1079 ((u_int8_t *) (tc + 1))[protoff] = IPPROTO_AH; 1080 1081 /* Update the Next Protocol field in the IP header. */ 1082 prot = IPPROTO_AH; 1083 m_copyback(m, protoff, sizeof(u_int8_t), (caddr_t) &prot); 1084 1085 /* "Massage" the packet headers for crypto processing. */ 1086 error = ah_massage_headers(&m, sav->sah->saidx.dst.sa.sa_family, 1087 skip, ahx->type, 1); 1088 if (error != 0) { 1089 m = NULL; /* mbuf was free'd by ah_massage_headers. */ 1090 free(tc, M_XDATA); 1091 crypto_freereq(crp); 1092 goto bad; 1093 } 1094 1095 /* Crypto operation descriptor. */ 1096 crp->crp_ilen = m->m_pkthdr.len; /* Total input length. */ 1097 crp->crp_flags = CRYPTO_F_IMBUF | CRYPTO_F_CBIFSYNC; 1098 crp->crp_buf = (caddr_t) m; 1099 crp->crp_callback = ah_output_cb; 1100 crp->crp_sid = sav->tdb_cryptoid; 1101 crp->crp_opaque = (caddr_t) tc; 1102 1103 /* These are passed as-is to the callback. */ 1104 tc->tc_isr = isr; 1105 KEY_ADDREFSA(sav); 1106 tc->tc_sav = sav; 1107 tc->tc_spi = sav->spi; 1108 tc->tc_dst = sav->sah->saidx.dst; 1109 tc->tc_proto = sav->sah->saidx.proto; 1110 tc->tc_skip = skip; 1111 tc->tc_protoff = protoff; 1112 1113 return crypto_dispatch(crp); 1114 bad: 1115 if (m) 1116 m_freem(m); 1117 return (error); 1118 } 1119 1120 /* 1121 * AH output callback from the crypto driver. 1122 */ 1123 static int 1124 ah_output_cb(struct cryptop *crp) 1125 { 1126 int skip, protoff, error; 1127 struct tdb_crypto *tc; 1128 struct ipsecrequest *isr; 1129 struct secasvar *sav; 1130 struct mbuf *m; 1131 caddr_t ptr; 1132 1133 tc = (struct tdb_crypto *) crp->crp_opaque; 1134 IPSEC_ASSERT(tc != NULL, ("null opaque data area!")); 1135 skip = tc->tc_skip; 1136 protoff = tc->tc_protoff; 1137 ptr = (caddr_t) (tc + 1); 1138 m = (struct mbuf *) crp->crp_buf; 1139 1140 isr = tc->tc_isr; 1141 IPSECREQUEST_LOCK(isr); 1142 sav = tc->tc_sav; 1143 /* With the isr lock released SA pointer can be updated. */ 1144 if (sav != isr->sav) { 1145 AHSTAT_INC(ahs_notdb); 1146 DPRINTF(("%s: SA expired while in crypto\n", __func__)); 1147 error = ENOBUFS; /*XXX*/ 1148 goto bad; 1149 } 1150 1151 /* Check for crypto errors. */ 1152 if (crp->crp_etype) { 1153 if (sav->tdb_cryptoid != 0) 1154 sav->tdb_cryptoid = crp->crp_sid; 1155 1156 if (crp->crp_etype == EAGAIN) { 1157 IPSECREQUEST_UNLOCK(isr); 1158 return (crypto_dispatch(crp)); 1159 } 1160 1161 AHSTAT_INC(ahs_noxform); 1162 DPRINTF(("%s: crypto error %d\n", __func__, crp->crp_etype)); 1163 error = crp->crp_etype; 1164 goto bad; 1165 } 1166 1167 /* Shouldn't happen... */ 1168 if (m == NULL) { 1169 AHSTAT_INC(ahs_crypto); 1170 DPRINTF(("%s: bogus returned buffer from crypto\n", __func__)); 1171 error = EINVAL; 1172 goto bad; 1173 } 1174 AHSTAT_INC(ahs_hist[sav->alg_auth]); 1175 1176 /* 1177 * Copy original headers (with the new protocol number) back 1178 * in place. 1179 */ 1180 m_copyback(m, 0, skip, ptr); 1181 1182 /* No longer needed. */ 1183 free(tc, M_XDATA); 1184 crypto_freereq(crp); 1185 1186 #ifdef REGRESSION 1187 /* Emulate man-in-the-middle attack when ipsec_integrity is TRUE. */ 1188 if (V_ipsec_integrity) { 1189 int alen; 1190 1191 /* 1192 * Corrupt HMAC if we want to test integrity verification of 1193 * the other side. 1194 */ 1195 alen = AUTHSIZE(sav); 1196 m_copyback(m, m->m_pkthdr.len - alen, alen, ipseczeroes); 1197 } 1198 #endif 1199 1200 /* NB: m is reclaimed by ipsec_process_done. */ 1201 error = ipsec_process_done(m, isr); 1202 KEY_FREESAV(&sav); 1203 IPSECREQUEST_UNLOCK(isr); 1204 return error; 1205 bad: 1206 if (sav) 1207 KEY_FREESAV(&sav); 1208 IPSECREQUEST_UNLOCK(isr); 1209 if (m) 1210 m_freem(m); 1211 free(tc, M_XDATA); 1212 crypto_freereq(crp); 1213 return error; 1214 } 1215 1216 static struct xformsw ah_xformsw = { 1217 XF_AH, XFT_AUTH, "IPsec AH", 1218 ah_init, ah_zeroize, ah_input, ah_output, 1219 }; 1220 1221 static void 1222 ah_attach(void) 1223 { 1224 1225 xform_register(&ah_xformsw); 1226 } 1227 1228 SYSINIT(ah_xform_init, SI_SUB_PROTO_DOMAIN, SI_ORDER_MIDDLE, ah_attach, NULL); 1229