xref: /freebsd/sys/netipsec/xform_ah.c (revision e8e8c939350bdf3c228a411caa9660c607c27a11)
1 /*	$FreeBSD$	*/
2 /*	$OpenBSD: ip_ah.c,v 1.63 2001/06/26 06:18:58 angelos Exp $ */
3 /*-
4  * The authors of this code are John Ioannidis (ji@tla.org),
5  * Angelos D. Keromytis (kermit@csd.uch.gr) and
6  * Niels Provos (provos@physnet.uni-hamburg.de).
7  *
8  * The original version of this code was written by John Ioannidis
9  * for BSD/OS in Athens, Greece, in November 1995.
10  *
11  * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996,
12  * by Angelos D. Keromytis.
13  *
14  * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis
15  * and Niels Provos.
16  *
17  * Additional features in 1999 by Angelos D. Keromytis and Niklas Hallqvist.
18  *
19  * Copyright (c) 1995, 1996, 1997, 1998, 1999 by John Ioannidis,
20  * Angelos D. Keromytis and Niels Provos.
21  * Copyright (c) 1999 Niklas Hallqvist.
22  * Copyright (c) 2001 Angelos D. Keromytis.
23  *
24  * Permission to use, copy, and modify this software with or without fee
25  * is hereby granted, provided that this entire notice is included in
26  * all copies of any software which is or includes a copy or
27  * modification of this software.
28  * You may use this code under the GNU public license if you so wish. Please
29  * contribute changes back to the authors under this freer than GPL license
30  * so that we may further the use of strong encryption without limitations to
31  * all.
32  *
33  * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
34  * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY
35  * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
36  * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
37  * PURPOSE.
38  */
39 #include "opt_inet.h"
40 #include "opt_inet6.h"
41 
42 #include <sys/param.h>
43 #include <sys/systm.h>
44 #include <sys/mbuf.h>
45 #include <sys/socket.h>
46 #include <sys/syslog.h>
47 #include <sys/kernel.h>
48 #include <sys/lock.h>
49 #include <sys/rwlock.h>
50 #include <sys/sysctl.h>
51 
52 #include <net/if.h>
53 #include <net/vnet.h>
54 
55 #include <netinet/in.h>
56 #include <netinet/in_systm.h>
57 #include <netinet/ip.h>
58 #include <netinet/ip_ecn.h>
59 #include <netinet/ip6.h>
60 
61 #include <netipsec/ipsec.h>
62 #include <netipsec/ah.h>
63 #include <netipsec/ah_var.h>
64 #include <netipsec/xform.h>
65 
66 #ifdef INET6
67 #include <netinet6/ip6_var.h>
68 #include <netipsec/ipsec6.h>
69 #include <netinet6/ip6_ecn.h>
70 #endif
71 
72 #include <netipsec/key.h>
73 #include <netipsec/key_debug.h>
74 
75 #include <opencrypto/cryptodev.h>
76 
77 /*
78  * Return header size in bytes.  The old protocol did not support
79  * the replay counter; the new protocol always includes the counter.
80  */
81 #define HDRSIZE(sav) \
82 	(((sav)->flags & SADB_X_EXT_OLD) ? \
83 		sizeof (struct ah) : sizeof (struct ah) + sizeof (u_int32_t))
84 /*
85  * Return authenticator size in bytes.  The old protocol is known
86  * to use a fixed 16-byte authenticator.  The new algorithm use 12-byte
87  * authenticator.
88  */
89 #define	AUTHSIZE(sav)	ah_authsize(sav)
90 
91 VNET_DEFINE(int, ah_enable) = 1;	/* control flow of packets with AH */
92 VNET_DEFINE(int, ah_cleartos) = 1;	/* clear ip_tos when doing AH calc */
93 VNET_PCPUSTAT_DEFINE(struct ahstat, ahstat);
94 VNET_PCPUSTAT_SYSINIT(ahstat);
95 
96 #ifdef VIMAGE
97 VNET_PCPUSTAT_SYSUNINIT(ahstat);
98 #endif /* VIMAGE */
99 
100 #ifdef INET
101 SYSCTL_DECL(_net_inet_ah);
102 SYSCTL_INT(_net_inet_ah, OID_AUTO, ah_enable,
103 	CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(ah_enable), 0, "");
104 SYSCTL_INT(_net_inet_ah, OID_AUTO, ah_cleartos,
105 	CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(ah_cleartos), 0, "");
106 SYSCTL_VNET_PCPUSTAT(_net_inet_ah, IPSECCTL_STATS, stats, struct ahstat,
107     ahstat, "AH statistics (struct ahstat, netipsec/ah_var.h)");
108 #endif
109 
110 static unsigned char ipseczeroes[256];	/* larger than an ip6 extension hdr */
111 
112 static int ah_input_cb(struct cryptop*);
113 static int ah_output_cb(struct cryptop*);
114 
115 static int
116 ah_authsize(struct secasvar *sav)
117 {
118 
119 	IPSEC_ASSERT(sav != NULL, ("%s: sav == NULL", __func__));
120 
121 	if (sav->flags & SADB_X_EXT_OLD)
122 		return 16;
123 
124 	switch (sav->alg_auth) {
125 	case SADB_X_AALG_SHA2_256:
126 		return 16;
127 	case SADB_X_AALG_SHA2_384:
128 		return 24;
129 	case SADB_X_AALG_SHA2_512:
130 		return 32;
131 	default:
132 		return AH_HMAC_HASHLEN;
133 	}
134 	/* NOTREACHED */
135 }
136 /*
137  * NB: this is public for use by the PF_KEY support.
138  */
139 struct auth_hash *
140 ah_algorithm_lookup(int alg)
141 {
142 	if (alg > SADB_AALG_MAX)
143 		return NULL;
144 	switch (alg) {
145 	case SADB_X_AALG_NULL:
146 		return &auth_hash_null;
147 	case SADB_AALG_MD5HMAC:
148 		return &auth_hash_hmac_md5;
149 	case SADB_AALG_SHA1HMAC:
150 		return &auth_hash_hmac_sha1;
151 	case SADB_X_AALG_RIPEMD160HMAC:
152 		return &auth_hash_hmac_ripemd_160;
153 	case SADB_X_AALG_MD5:
154 		return &auth_hash_key_md5;
155 	case SADB_X_AALG_SHA:
156 		return &auth_hash_key_sha1;
157 	case SADB_X_AALG_SHA2_256:
158 		return &auth_hash_hmac_sha2_256;
159 	case SADB_X_AALG_SHA2_384:
160 		return &auth_hash_hmac_sha2_384;
161 	case SADB_X_AALG_SHA2_512:
162 		return &auth_hash_hmac_sha2_512;
163 	}
164 	return NULL;
165 }
166 
167 size_t
168 ah_hdrsiz(struct secasvar *sav)
169 {
170 	size_t size;
171 
172 	if (sav != NULL) {
173 		int authsize;
174 		IPSEC_ASSERT(sav->tdb_authalgxform != NULL, ("null xform"));
175 		/*XXX not right for null algorithm--does it matter??*/
176 		authsize = AUTHSIZE(sav);
177 		size = roundup(authsize, sizeof (u_int32_t)) + HDRSIZE(sav);
178 	} else {
179 		/* default guess */
180 		size = sizeof (struct ah) + sizeof (u_int32_t) + 16;
181 	}
182 	return size;
183 }
184 
185 /*
186  * NB: public for use by esp_init.
187  */
188 int
189 ah_init0(struct secasvar *sav, struct xformsw *xsp, struct cryptoini *cria)
190 {
191 	struct auth_hash *thash;
192 	int keylen;
193 
194 	thash = ah_algorithm_lookup(sav->alg_auth);
195 	if (thash == NULL) {
196 		DPRINTF(("%s: unsupported authentication algorithm %u\n",
197 			__func__, sav->alg_auth));
198 		return EINVAL;
199 	}
200 	/*
201 	 * Verify the replay state block allocation is consistent with
202 	 * the protocol type.  We check here so we can make assumptions
203 	 * later during protocol processing.
204 	 */
205 	/* NB: replay state is setup elsewhere (sigh) */
206 	if (((sav->flags&SADB_X_EXT_OLD) == 0) ^ (sav->replay != NULL)) {
207 		DPRINTF(("%s: replay state block inconsistency, "
208 			"%s algorithm %s replay state\n", __func__,
209 			(sav->flags & SADB_X_EXT_OLD) ? "old" : "new",
210 			sav->replay == NULL ? "without" : "with"));
211 		return EINVAL;
212 	}
213 	if (sav->key_auth == NULL) {
214 		DPRINTF(("%s: no authentication key for %s algorithm\n",
215 			__func__, thash->name));
216 		return EINVAL;
217 	}
218 	keylen = _KEYLEN(sav->key_auth);
219 	if (keylen != thash->keysize && thash->keysize != 0) {
220 		DPRINTF(("%s: invalid keylength %d, algorithm %s requires "
221 			"keysize %d\n", __func__,
222 			 keylen, thash->name, thash->keysize));
223 		return EINVAL;
224 	}
225 
226 	sav->tdb_xform = xsp;
227 	sav->tdb_authalgxform = thash;
228 
229 	/* Initialize crypto session. */
230 	bzero(cria, sizeof (*cria));
231 	cria->cri_alg = sav->tdb_authalgxform->type;
232 	cria->cri_klen = _KEYBITS(sav->key_auth);
233 	cria->cri_key = sav->key_auth->key_data;
234 	cria->cri_mlen = AUTHSIZE(sav);
235 
236 	return 0;
237 }
238 
239 /*
240  * ah_init() is called when an SPI is being set up.
241  */
242 static int
243 ah_init(struct secasvar *sav, struct xformsw *xsp)
244 {
245 	struct cryptoini cria;
246 	int error;
247 
248 	error = ah_init0(sav, xsp, &cria);
249 	return error ? error :
250 		 crypto_newsession(&sav->tdb_cryptoid, &cria, V_crypto_support);
251 }
252 
253 /*
254  * Paranoia.
255  *
256  * NB: public for use by esp_zeroize (XXX).
257  */
258 int
259 ah_zeroize(struct secasvar *sav)
260 {
261 	int err;
262 
263 	if (sav->key_auth)
264 		bzero(sav->key_auth->key_data, _KEYLEN(sav->key_auth));
265 
266 	err = crypto_freesession(sav->tdb_cryptoid);
267 	sav->tdb_cryptoid = 0;
268 	sav->tdb_authalgxform = NULL;
269 	sav->tdb_xform = NULL;
270 	return err;
271 }
272 
273 /*
274  * Massage IPv4/IPv6 headers for AH processing.
275  */
276 static int
277 ah_massage_headers(struct mbuf **m0, int proto, int skip, int alg, int out)
278 {
279 	struct mbuf *m = *m0;
280 	unsigned char *ptr;
281 	int off, count;
282 
283 #ifdef INET
284 	struct ip *ip;
285 #endif /* INET */
286 
287 #ifdef INET6
288 	struct ip6_ext *ip6e;
289 	struct ip6_hdr ip6;
290 	int alloc, len, ad;
291 #endif /* INET6 */
292 
293 	switch (proto) {
294 #ifdef INET
295 	case AF_INET:
296 		/*
297 		 * This is the least painful way of dealing with IPv4 header
298 		 * and option processing -- just make sure they're in
299 		 * contiguous memory.
300 		 */
301 		*m0 = m = m_pullup(m, skip);
302 		if (m == NULL) {
303 			DPRINTF(("%s: m_pullup failed\n", __func__));
304 			return ENOBUFS;
305 		}
306 
307 		/* Fix the IP header */
308 		ip = mtod(m, struct ip *);
309 		if (V_ah_cleartos)
310 			ip->ip_tos = 0;
311 		ip->ip_ttl = 0;
312 		ip->ip_sum = 0;
313 
314 		if (alg == CRYPTO_MD5_KPDK || alg == CRYPTO_SHA1_KPDK)
315 			ip->ip_off &= htons(IP_DF);
316 		else
317 			ip->ip_off = htons(0);
318 
319 		ptr = mtod(m, unsigned char *) + sizeof(struct ip);
320 
321 		/* IPv4 option processing */
322 		for (off = sizeof(struct ip); off < skip;) {
323 			if (ptr[off] == IPOPT_EOL || ptr[off] == IPOPT_NOP ||
324 			    off + 1 < skip)
325 				;
326 			else {
327 				DPRINTF(("%s: illegal IPv4 option length for "
328 					"option %d\n", __func__, ptr[off]));
329 
330 				m_freem(m);
331 				return EINVAL;
332 			}
333 
334 			switch (ptr[off]) {
335 			case IPOPT_EOL:
336 				off = skip;  /* End the loop. */
337 				break;
338 
339 			case IPOPT_NOP:
340 				off++;
341 				break;
342 
343 			case IPOPT_SECURITY:	/* 0x82 */
344 			case 0x85:	/* Extended security. */
345 			case 0x86:	/* Commercial security. */
346 			case 0x94:	/* Router alert */
347 			case 0x95:	/* RFC1770 */
348 				/* Sanity check for option length. */
349 				if (ptr[off + 1] < 2) {
350 					DPRINTF(("%s: illegal IPv4 option "
351 						"length for option %d\n",
352 						__func__, ptr[off]));
353 
354 					m_freem(m);
355 					return EINVAL;
356 				}
357 
358 				off += ptr[off + 1];
359 				break;
360 
361 			case IPOPT_LSRR:
362 			case IPOPT_SSRR:
363 				/* Sanity check for option length. */
364 				if (ptr[off + 1] < 2) {
365 					DPRINTF(("%s: illegal IPv4 option "
366 						"length for option %d\n",
367 						__func__, ptr[off]));
368 
369 					m_freem(m);
370 					return EINVAL;
371 				}
372 
373 				/*
374 				 * On output, if we have either of the
375 				 * source routing options, we should
376 				 * swap the destination address of the
377 				 * IP header with the last address
378 				 * specified in the option, as that is
379 				 * what the destination's IP header
380 				 * will look like.
381 				 */
382 				if (out)
383 					bcopy(ptr + off + ptr[off + 1] -
384 					    sizeof(struct in_addr),
385 					    &(ip->ip_dst), sizeof(struct in_addr));
386 
387 				/* Fall through */
388 			default:
389 				/* Sanity check for option length. */
390 				if (ptr[off + 1] < 2) {
391 					DPRINTF(("%s: illegal IPv4 option "
392 						"length for option %d\n",
393 						__func__, ptr[off]));
394 					m_freem(m);
395 					return EINVAL;
396 				}
397 
398 				/* Zeroize all other options. */
399 				count = ptr[off + 1];
400 				bcopy(ipseczeroes, ptr, count);
401 				off += count;
402 				break;
403 			}
404 
405 			/* Sanity check. */
406 			if (off > skip)	{
407 				DPRINTF(("%s: malformed IPv4 options header\n",
408 					__func__));
409 
410 				m_freem(m);
411 				return EINVAL;
412 			}
413 		}
414 
415 		break;
416 #endif /* INET */
417 
418 #ifdef INET6
419 	case AF_INET6:  /* Ugly... */
420 		/* Copy and "cook" the IPv6 header. */
421 		m_copydata(m, 0, sizeof(ip6), (caddr_t) &ip6);
422 
423 		/* We don't do IPv6 Jumbograms. */
424 		if (ip6.ip6_plen == 0) {
425 			DPRINTF(("%s: unsupported IPv6 jumbogram\n", __func__));
426 			m_freem(m);
427 			return EMSGSIZE;
428 		}
429 
430 		ip6.ip6_flow = 0;
431 		ip6.ip6_hlim = 0;
432 		ip6.ip6_vfc &= ~IPV6_VERSION_MASK;
433 		ip6.ip6_vfc |= IPV6_VERSION;
434 
435 		/* Scoped address handling. */
436 		if (IN6_IS_SCOPE_LINKLOCAL(&ip6.ip6_src))
437 			ip6.ip6_src.s6_addr16[1] = 0;
438 		if (IN6_IS_SCOPE_LINKLOCAL(&ip6.ip6_dst))
439 			ip6.ip6_dst.s6_addr16[1] = 0;
440 
441 		/* Done with IPv6 header. */
442 		m_copyback(m, 0, sizeof(struct ip6_hdr), (caddr_t) &ip6);
443 
444 		/* Let's deal with the remaining headers (if any). */
445 		if (skip - sizeof(struct ip6_hdr) > 0) {
446 			if (m->m_len <= skip) {
447 				ptr = (unsigned char *) malloc(
448 				    skip - sizeof(struct ip6_hdr),
449 				    M_XDATA, M_NOWAIT);
450 				if (ptr == NULL) {
451 					DPRINTF(("%s: failed to allocate memory"
452 						"for IPv6 headers\n",__func__));
453 					m_freem(m);
454 					return ENOBUFS;
455 				}
456 
457 				/*
458 				 * Copy all the protocol headers after
459 				 * the IPv6 header.
460 				 */
461 				m_copydata(m, sizeof(struct ip6_hdr),
462 				    skip - sizeof(struct ip6_hdr), ptr);
463 				alloc = 1;
464 			} else {
465 				/* No need to allocate memory. */
466 				ptr = mtod(m, unsigned char *) +
467 				    sizeof(struct ip6_hdr);
468 				alloc = 0;
469 			}
470 		} else
471 			break;
472 
473 		off = ip6.ip6_nxt & 0xff; /* Next header type. */
474 
475 		for (len = 0; len < skip - sizeof(struct ip6_hdr);)
476 			switch (off) {
477 			case IPPROTO_HOPOPTS:
478 			case IPPROTO_DSTOPTS:
479 				ip6e = (struct ip6_ext *) (ptr + len);
480 
481 				/*
482 				 * Process the mutable/immutable
483 				 * options -- borrows heavily from the
484 				 * KAME code.
485 				 */
486 				for (count = len + sizeof(struct ip6_ext);
487 				     count < len + ((ip6e->ip6e_len + 1) << 3);) {
488 					if (ptr[count] == IP6OPT_PAD1) {
489 						count++;
490 						continue; /* Skip padding. */
491 					}
492 
493 					/* Sanity check. */
494 					if (count > len +
495 					    ((ip6e->ip6e_len + 1) << 3)) {
496 						m_freem(m);
497 
498 						/* Free, if we allocated. */
499 						if (alloc)
500 							free(ptr, M_XDATA);
501 						return EINVAL;
502 					}
503 
504 					ad = ptr[count + 1];
505 
506 					/* If mutable option, zeroize. */
507 					if (ptr[count] & IP6OPT_MUTABLE)
508 						bcopy(ipseczeroes, ptr + count,
509 						    ptr[count + 1]);
510 
511 					count += ad;
512 
513 					/* Sanity check. */
514 					if (count >
515 					    skip - sizeof(struct ip6_hdr)) {
516 						m_freem(m);
517 
518 						/* Free, if we allocated. */
519 						if (alloc)
520 							free(ptr, M_XDATA);
521 						return EINVAL;
522 					}
523 				}
524 
525 				/* Advance. */
526 				len += ((ip6e->ip6e_len + 1) << 3);
527 				off = ip6e->ip6e_nxt;
528 				break;
529 
530 			case IPPROTO_ROUTING:
531 				/*
532 				 * Always include routing headers in
533 				 * computation.
534 				 */
535 				ip6e = (struct ip6_ext *) (ptr + len);
536 				len += ((ip6e->ip6e_len + 1) << 3);
537 				off = ip6e->ip6e_nxt;
538 				break;
539 
540 			default:
541 				DPRINTF(("%s: unexpected IPv6 header type %d",
542 					__func__, off));
543 				if (alloc)
544 					free(ptr, M_XDATA);
545 				m_freem(m);
546 				return EINVAL;
547 			}
548 
549 		/* Copyback and free, if we allocated. */
550 		if (alloc) {
551 			m_copyback(m, sizeof(struct ip6_hdr),
552 			    skip - sizeof(struct ip6_hdr), ptr);
553 			free(ptr, M_XDATA);
554 		}
555 
556 		break;
557 #endif /* INET6 */
558 	}
559 
560 	return 0;
561 }
562 
563 /*
564  * ah_input() gets called to verify that an input packet
565  * passes authentication.
566  */
567 static int
568 ah_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
569 {
570 	char buf[128];
571 	struct auth_hash *ahx;
572 	struct tdb_crypto *tc;
573 	struct newah *ah;
574 	int hl, rplen, authsize, error;
575 
576 	struct cryptodesc *crda;
577 	struct cryptop *crp;
578 
579 	IPSEC_ASSERT(sav != NULL, ("null SA"));
580 	IPSEC_ASSERT(sav->key_auth != NULL, ("null authentication key"));
581 	IPSEC_ASSERT(sav->tdb_authalgxform != NULL,
582 		("null authentication xform"));
583 
584 	/* Figure out header size. */
585 	rplen = HDRSIZE(sav);
586 
587 	/* XXX don't pullup, just copy header */
588 	IP6_EXTHDR_GET(ah, struct newah *, m, skip, rplen);
589 	if (ah == NULL) {
590 		DPRINTF(("ah_input: cannot pullup header\n"));
591 		AHSTAT_INC(ahs_hdrops);		/*XXX*/
592 		m_freem(m);
593 		return ENOBUFS;
594 	}
595 
596 	/* Check replay window, if applicable. */
597 	if (sav->replay && !ipsec_chkreplay(ntohl(ah->ah_seq), sav)) {
598 		AHSTAT_INC(ahs_replay);
599 		DPRINTF(("%s: packet replay failure: %s\n", __func__,
600 		    ipsec_logsastr(sav, buf, sizeof(buf))));
601 		m_freem(m);
602 		return ENOBUFS;
603 	}
604 
605 	/* Verify AH header length. */
606 	hl = ah->ah_len * sizeof (u_int32_t);
607 	ahx = sav->tdb_authalgxform;
608 	authsize = AUTHSIZE(sav);
609 	if (hl != authsize + rplen - sizeof (struct ah)) {
610 		DPRINTF(("%s: bad authenticator length %u (expecting %lu)"
611 		    " for packet in SA %s/%08lx\n", __func__, hl,
612 		    (u_long) (authsize + rplen - sizeof (struct ah)),
613 		    ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)),
614 		    (u_long) ntohl(sav->spi)));
615 		AHSTAT_INC(ahs_badauthl);
616 		m_freem(m);
617 		return EACCES;
618 	}
619 	AHSTAT_ADD(ahs_ibytes, m->m_pkthdr.len - skip - hl);
620 
621 	/* Get crypto descriptors. */
622 	crp = crypto_getreq(1);
623 	if (crp == NULL) {
624 		DPRINTF(("%s: failed to acquire crypto descriptor\n",__func__));
625 		AHSTAT_INC(ahs_crypto);
626 		m_freem(m);
627 		return ENOBUFS;
628 	}
629 
630 	crda = crp->crp_desc;
631 	IPSEC_ASSERT(crda != NULL, ("null crypto descriptor"));
632 
633 	crda->crd_skip = 0;
634 	crda->crd_len = m->m_pkthdr.len;
635 	crda->crd_inject = skip + rplen;
636 
637 	/* Authentication operation. */
638 	crda->crd_alg = ahx->type;
639 	crda->crd_klen = _KEYBITS(sav->key_auth);
640 	crda->crd_key = sav->key_auth->key_data;
641 
642 	/* Allocate IPsec-specific opaque crypto info. */
643 	tc = (struct tdb_crypto *) malloc(sizeof (struct tdb_crypto) +
644 	    skip + rplen + authsize, M_XDATA, M_NOWAIT | M_ZERO);
645 	if (tc == NULL) {
646 		DPRINTF(("%s: failed to allocate tdb_crypto\n", __func__));
647 		AHSTAT_INC(ahs_crypto);
648 		crypto_freereq(crp);
649 		m_freem(m);
650 		return ENOBUFS;
651 	}
652 
653 	/*
654 	 * Save the authenticator, the skipped portion of the packet,
655 	 * and the AH header.
656 	 */
657 	m_copydata(m, 0, skip + rplen + authsize, (caddr_t)(tc+1));
658 
659 	/* Zeroize the authenticator on the packet. */
660 	m_copyback(m, skip + rplen, authsize, ipseczeroes);
661 
662 	/* "Massage" the packet headers for crypto processing. */
663 	error = ah_massage_headers(&m, sav->sah->saidx.dst.sa.sa_family,
664 	    skip, ahx->type, 0);
665 	if (error != 0) {
666 		/* NB: mbuf is free'd by ah_massage_headers */
667 		AHSTAT_INC(ahs_hdrops);
668 		free(tc, M_XDATA);
669 		crypto_freereq(crp);
670 		return (error);
671 	}
672 
673 	/* Crypto operation descriptor. */
674 	crp->crp_ilen = m->m_pkthdr.len; /* Total input length. */
675 	crp->crp_flags = CRYPTO_F_IMBUF | CRYPTO_F_CBIFSYNC;
676 	crp->crp_buf = (caddr_t) m;
677 	crp->crp_callback = ah_input_cb;
678 	crp->crp_sid = sav->tdb_cryptoid;
679 	crp->crp_opaque = (caddr_t) tc;
680 
681 	/* These are passed as-is to the callback. */
682 	tc->tc_spi = sav->spi;
683 	tc->tc_dst = sav->sah->saidx.dst;
684 	tc->tc_proto = sav->sah->saidx.proto;
685 	tc->tc_nxt = ah->ah_nxt;
686 	tc->tc_protoff = protoff;
687 	tc->tc_skip = skip;
688 	KEY_ADDREFSA(sav);
689 	tc->tc_sav = sav;
690 	return (crypto_dispatch(crp));
691 }
692 
693 /*
694  * AH input callback from the crypto driver.
695  */
696 static int
697 ah_input_cb(struct cryptop *crp)
698 {
699 	char buf[INET6_ADDRSTRLEN];
700 	int rplen, error, skip, protoff;
701 	unsigned char calc[AH_ALEN_MAX];
702 	struct mbuf *m;
703 	struct cryptodesc *crd;
704 	struct auth_hash *ahx;
705 	struct tdb_crypto *tc;
706 	struct secasvar *sav;
707 	struct secasindex *saidx;
708 	u_int8_t nxt;
709 	caddr_t ptr;
710 	int authsize;
711 
712 	crd = crp->crp_desc;
713 
714 	tc = (struct tdb_crypto *) crp->crp_opaque;
715 	IPSEC_ASSERT(tc != NULL, ("null opaque crypto data area!"));
716 	skip = tc->tc_skip;
717 	nxt = tc->tc_nxt;
718 	protoff = tc->tc_protoff;
719 	m = (struct mbuf *) crp->crp_buf;
720 
721 	sav = tc->tc_sav;
722 	IPSEC_ASSERT(sav != NULL, ("null SA!"));
723 
724 	saidx = &sav->sah->saidx;
725 	IPSEC_ASSERT(saidx->dst.sa.sa_family == AF_INET ||
726 		saidx->dst.sa.sa_family == AF_INET6,
727 		("unexpected protocol family %u", saidx->dst.sa.sa_family));
728 
729 	ahx = (struct auth_hash *) sav->tdb_authalgxform;
730 
731 	/* Check for crypto errors. */
732 	if (crp->crp_etype) {
733 		if (sav->tdb_cryptoid != 0)
734 			sav->tdb_cryptoid = crp->crp_sid;
735 
736 		if (crp->crp_etype == EAGAIN)
737 			return (crypto_dispatch(crp));
738 
739 		AHSTAT_INC(ahs_noxform);
740 		DPRINTF(("%s: crypto error %d\n", __func__, crp->crp_etype));
741 		error = crp->crp_etype;
742 		goto bad;
743 	} else {
744 		AHSTAT_INC(ahs_hist[sav->alg_auth]);
745 		crypto_freereq(crp);		/* No longer needed. */
746 		crp = NULL;
747 	}
748 
749 	/* Shouldn't happen... */
750 	if (m == NULL) {
751 		AHSTAT_INC(ahs_crypto);
752 		DPRINTF(("%s: bogus returned buffer from crypto\n", __func__));
753 		error = EINVAL;
754 		goto bad;
755 	}
756 
757 	/* Figure out header size. */
758 	rplen = HDRSIZE(sav);
759 	authsize = AUTHSIZE(sav);
760 
761 	/* Copy authenticator off the packet. */
762 	m_copydata(m, skip + rplen, authsize, calc);
763 
764 	/* Verify authenticator. */
765 	ptr = (caddr_t) (tc + 1);
766 	if (bcmp(ptr + skip + rplen, calc, authsize)) {
767 		DPRINTF(("%s: authentication hash mismatch for packet "
768 		    "in SA %s/%08lx\n", __func__,
769 		    ipsec_address(&saidx->dst, buf, sizeof(buf)),
770 		    (u_long) ntohl(sav->spi)));
771 		AHSTAT_INC(ahs_badauth);
772 		error = EACCES;
773 		goto bad;
774 	}
775 	/* Fix the Next Protocol field. */
776 	((u_int8_t *) ptr)[protoff] = nxt;
777 
778 	/* Copyback the saved (uncooked) network headers. */
779 	m_copyback(m, 0, skip, ptr);
780 	free(tc, M_XDATA), tc = NULL;			/* No longer needed */
781 
782 	/*
783 	 * Header is now authenticated.
784 	 */
785 	m->m_flags |= M_AUTHIPHDR|M_AUTHIPDGM;
786 
787 	/*
788 	 * Update replay sequence number, if appropriate.
789 	 */
790 	if (sav->replay) {
791 		u_int32_t seq;
792 
793 		m_copydata(m, skip + offsetof(struct newah, ah_seq),
794 			   sizeof (seq), (caddr_t) &seq);
795 		if (ipsec_updatereplay(ntohl(seq), sav)) {
796 			AHSTAT_INC(ahs_replay);
797 			error = ENOBUFS;			/*XXX as above*/
798 			goto bad;
799 		}
800 	}
801 
802 	/*
803 	 * Remove the AH header and authenticator from the mbuf.
804 	 */
805 	error = m_striphdr(m, skip, rplen + authsize);
806 	if (error) {
807 		DPRINTF(("%s: mangled mbuf chain for SA %s/%08lx\n", __func__,
808 		    ipsec_address(&saidx->dst, buf, sizeof(buf)),
809 		    (u_long) ntohl(sav->spi)));
810 		AHSTAT_INC(ahs_hdrops);
811 		goto bad;
812 	}
813 
814 	switch (saidx->dst.sa.sa_family) {
815 #ifdef INET6
816 	case AF_INET6:
817 		error = ipsec6_common_input_cb(m, sav, skip, protoff);
818 		break;
819 #endif
820 #ifdef INET
821 	case AF_INET:
822 		error = ipsec4_common_input_cb(m, sav, skip, protoff);
823 		break;
824 #endif
825 	default:
826 		panic("%s: Unexpected address family: %d saidx=%p", __func__,
827 		    saidx->dst.sa.sa_family, saidx);
828 	}
829 
830 	KEY_FREESAV(&sav);
831 	return error;
832 bad:
833 	if (sav)
834 		KEY_FREESAV(&sav);
835 	if (m != NULL)
836 		m_freem(m);
837 	if (tc != NULL)
838 		free(tc, M_XDATA);
839 	if (crp != NULL)
840 		crypto_freereq(crp);
841 	return error;
842 }
843 
844 /*
845  * AH output routine, called by ipsec[46]_process_packet().
846  */
847 static int
848 ah_output(struct mbuf *m, struct ipsecrequest *isr, struct mbuf **mp,
849     int skip, int protoff)
850 {
851 	char buf[INET6_ADDRSTRLEN];
852 	struct secasvar *sav;
853 	struct auth_hash *ahx;
854 	struct cryptodesc *crda;
855 	struct tdb_crypto *tc;
856 	struct mbuf *mi;
857 	struct cryptop *crp;
858 	u_int16_t iplen;
859 	int error, rplen, authsize, maxpacketsize, roff;
860 	u_int8_t prot;
861 	struct newah *ah;
862 
863 	sav = isr->sav;
864 	IPSEC_ASSERT(sav != NULL, ("null SA"));
865 	ahx = sav->tdb_authalgxform;
866 	IPSEC_ASSERT(ahx != NULL, ("null authentication xform"));
867 
868 	AHSTAT_INC(ahs_output);
869 
870 	/* Figure out header size. */
871 	rplen = HDRSIZE(sav);
872 
873 	/* Check for maximum packet size violations. */
874 	switch (sav->sah->saidx.dst.sa.sa_family) {
875 #ifdef INET
876 	case AF_INET:
877 		maxpacketsize = IP_MAXPACKET;
878 		break;
879 #endif /* INET */
880 #ifdef INET6
881 	case AF_INET6:
882 		maxpacketsize = IPV6_MAXPACKET;
883 		break;
884 #endif /* INET6 */
885 	default:
886 		DPRINTF(("%s: unknown/unsupported protocol family %u, "
887 		    "SA %s/%08lx\n", __func__,
888 		    sav->sah->saidx.dst.sa.sa_family,
889 		    ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)),
890 		    (u_long) ntohl(sav->spi)));
891 		AHSTAT_INC(ahs_nopf);
892 		error = EPFNOSUPPORT;
893 		goto bad;
894 	}
895 	authsize = AUTHSIZE(sav);
896 	if (rplen + authsize + m->m_pkthdr.len > maxpacketsize) {
897 		DPRINTF(("%s: packet in SA %s/%08lx got too big "
898 		    "(len %u, max len %u)\n", __func__,
899 		    ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)),
900 		    (u_long) ntohl(sav->spi),
901 		    rplen + authsize + m->m_pkthdr.len, maxpacketsize));
902 		AHSTAT_INC(ahs_toobig);
903 		error = EMSGSIZE;
904 		goto bad;
905 	}
906 
907 	/* Update the counters. */
908 	AHSTAT_ADD(ahs_obytes, m->m_pkthdr.len - skip);
909 
910 	m = m_unshare(m, M_NOWAIT);
911 	if (m == NULL) {
912 		DPRINTF(("%s: cannot clone mbuf chain, SA %s/%08lx\n", __func__,
913 		    ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)),
914 		    (u_long) ntohl(sav->spi)));
915 		AHSTAT_INC(ahs_hdrops);
916 		error = ENOBUFS;
917 		goto bad;
918 	}
919 
920 	/* Inject AH header. */
921 	mi = m_makespace(m, skip, rplen + authsize, &roff);
922 	if (mi == NULL) {
923 		DPRINTF(("%s: failed to inject %u byte AH header for SA "
924 		    "%s/%08lx\n", __func__,
925 		    rplen + authsize,
926 		    ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)),
927 		    (u_long) ntohl(sav->spi)));
928 		AHSTAT_INC(ahs_hdrops);		/*XXX differs from openbsd */
929 		error = ENOBUFS;
930 		goto bad;
931 	}
932 
933 	/*
934 	 * The AH header is guaranteed by m_makespace() to be in
935 	 * contiguous memory, at roff bytes offset into the returned mbuf.
936 	 */
937 	ah = (struct newah *)(mtod(mi, caddr_t) + roff);
938 
939 	/* Initialize the AH header. */
940 	m_copydata(m, protoff, sizeof(u_int8_t), (caddr_t) &ah->ah_nxt);
941 	ah->ah_len = (rplen + authsize - sizeof(struct ah)) / sizeof(u_int32_t);
942 	ah->ah_reserve = 0;
943 	ah->ah_spi = sav->spi;
944 
945 	/* Zeroize authenticator. */
946 	m_copyback(m, skip + rplen, authsize, ipseczeroes);
947 
948 	/* Insert packet replay counter, as requested.  */
949 	if (sav->replay) {
950 		if (sav->replay->count == ~0 &&
951 		    (sav->flags & SADB_X_EXT_CYCSEQ) == 0) {
952 			DPRINTF(("%s: replay counter wrapped for SA %s/%08lx\n",
953 			    __func__, ipsec_address(&sav->sah->saidx.dst, buf,
954 			    sizeof(buf)), (u_long) ntohl(sav->spi)));
955 			AHSTAT_INC(ahs_wrap);
956 			error = EINVAL;
957 			goto bad;
958 		}
959 #ifdef REGRESSION
960 		/* Emulate replay attack when ipsec_replay is TRUE. */
961 		if (!V_ipsec_replay)
962 #endif
963 			sav->replay->count++;
964 		ah->ah_seq = htonl(sav->replay->count);
965 	}
966 
967 	/* Get crypto descriptors. */
968 	crp = crypto_getreq(1);
969 	if (crp == NULL) {
970 		DPRINTF(("%s: failed to acquire crypto descriptors\n",
971 			__func__));
972 		AHSTAT_INC(ahs_crypto);
973 		error = ENOBUFS;
974 		goto bad;
975 	}
976 
977 	crda = crp->crp_desc;
978 
979 	crda->crd_skip = 0;
980 	crda->crd_inject = skip + rplen;
981 	crda->crd_len = m->m_pkthdr.len;
982 
983 	/* Authentication operation. */
984 	crda->crd_alg = ahx->type;
985 	crda->crd_key = sav->key_auth->key_data;
986 	crda->crd_klen = _KEYBITS(sav->key_auth);
987 
988 	/* Allocate IPsec-specific opaque crypto info. */
989 	tc = (struct tdb_crypto *) malloc(
990 		sizeof(struct tdb_crypto) + skip, M_XDATA, M_NOWAIT|M_ZERO);
991 	if (tc == NULL) {
992 		crypto_freereq(crp);
993 		DPRINTF(("%s: failed to allocate tdb_crypto\n", __func__));
994 		AHSTAT_INC(ahs_crypto);
995 		error = ENOBUFS;
996 		goto bad;
997 	}
998 
999 	/* Save the skipped portion of the packet. */
1000 	m_copydata(m, 0, skip, (caddr_t) (tc + 1));
1001 
1002 	/*
1003 	 * Fix IP header length on the header used for
1004 	 * authentication. We don't need to fix the original
1005 	 * header length as it will be fixed by our caller.
1006 	 */
1007 	switch (sav->sah->saidx.dst.sa.sa_family) {
1008 #ifdef INET
1009 	case AF_INET:
1010 		bcopy(((caddr_t)(tc + 1)) +
1011 		    offsetof(struct ip, ip_len),
1012 		    (caddr_t) &iplen, sizeof(u_int16_t));
1013 		iplen = htons(ntohs(iplen) + rplen + authsize);
1014 		m_copyback(m, offsetof(struct ip, ip_len),
1015 		    sizeof(u_int16_t), (caddr_t) &iplen);
1016 		break;
1017 #endif /* INET */
1018 
1019 #ifdef INET6
1020 	case AF_INET6:
1021 		bcopy(((caddr_t)(tc + 1)) +
1022 		    offsetof(struct ip6_hdr, ip6_plen),
1023 		    (caddr_t) &iplen, sizeof(u_int16_t));
1024 		iplen = htons(ntohs(iplen) + rplen + authsize);
1025 		m_copyback(m, offsetof(struct ip6_hdr, ip6_plen),
1026 		    sizeof(u_int16_t), (caddr_t) &iplen);
1027 		break;
1028 #endif /* INET6 */
1029 	}
1030 
1031 	/* Fix the Next Header field in saved header. */
1032 	((u_int8_t *) (tc + 1))[protoff] = IPPROTO_AH;
1033 
1034 	/* Update the Next Protocol field in the IP header. */
1035 	prot = IPPROTO_AH;
1036 	m_copyback(m, protoff, sizeof(u_int8_t), (caddr_t) &prot);
1037 
1038 	/* "Massage" the packet headers for crypto processing. */
1039 	error = ah_massage_headers(&m, sav->sah->saidx.dst.sa.sa_family,
1040 			skip, ahx->type, 1);
1041 	if (error != 0) {
1042 		m = NULL;	/* mbuf was free'd by ah_massage_headers. */
1043 		free(tc, M_XDATA);
1044 		crypto_freereq(crp);
1045 		goto bad;
1046 	}
1047 
1048 	/* Crypto operation descriptor. */
1049 	crp->crp_ilen = m->m_pkthdr.len; /* Total input length. */
1050 	crp->crp_flags = CRYPTO_F_IMBUF | CRYPTO_F_CBIFSYNC;
1051 	crp->crp_buf = (caddr_t) m;
1052 	crp->crp_callback = ah_output_cb;
1053 	crp->crp_sid = sav->tdb_cryptoid;
1054 	crp->crp_opaque = (caddr_t) tc;
1055 
1056 	/* These are passed as-is to the callback. */
1057 	tc->tc_isr = isr;
1058 	KEY_ADDREFSA(sav);
1059 	tc->tc_sav = sav;
1060 	tc->tc_spi = sav->spi;
1061 	tc->tc_dst = sav->sah->saidx.dst;
1062 	tc->tc_proto = sav->sah->saidx.proto;
1063 	tc->tc_skip = skip;
1064 	tc->tc_protoff = protoff;
1065 
1066 	return crypto_dispatch(crp);
1067 bad:
1068 	if (m)
1069 		m_freem(m);
1070 	return (error);
1071 }
1072 
1073 /*
1074  * AH output callback from the crypto driver.
1075  */
1076 static int
1077 ah_output_cb(struct cryptop *crp)
1078 {
1079 	int skip, protoff, error;
1080 	struct tdb_crypto *tc;
1081 	struct ipsecrequest *isr;
1082 	struct secasvar *sav;
1083 	struct mbuf *m;
1084 	caddr_t ptr;
1085 
1086 	tc = (struct tdb_crypto *) crp->crp_opaque;
1087 	IPSEC_ASSERT(tc != NULL, ("null opaque data area!"));
1088 	skip = tc->tc_skip;
1089 	protoff = tc->tc_protoff;
1090 	ptr = (caddr_t) (tc + 1);
1091 	m = (struct mbuf *) crp->crp_buf;
1092 
1093 	isr = tc->tc_isr;
1094 	IPSEC_ASSERT(isr->sp != NULL, ("NULL isr->sp"));
1095 	IPSECREQUEST_LOCK(isr);
1096 	sav = tc->tc_sav;
1097 	/* With the isr lock released SA pointer can be updated. */
1098 	if (sav != isr->sav) {
1099 		AHSTAT_INC(ahs_notdb);
1100 		DPRINTF(("%s: SA expired while in crypto\n", __func__));
1101 		error = ENOBUFS;		/*XXX*/
1102 		goto bad;
1103 	}
1104 
1105 	/* Check for crypto errors. */
1106 	if (crp->crp_etype) {
1107 		if (sav->tdb_cryptoid != 0)
1108 			sav->tdb_cryptoid = crp->crp_sid;
1109 
1110 		if (crp->crp_etype == EAGAIN) {
1111 			IPSECREQUEST_UNLOCK(isr);
1112 			return (crypto_dispatch(crp));
1113 		}
1114 
1115 		AHSTAT_INC(ahs_noxform);
1116 		DPRINTF(("%s: crypto error %d\n", __func__, crp->crp_etype));
1117 		error = crp->crp_etype;
1118 		goto bad;
1119 	}
1120 
1121 	/* Shouldn't happen... */
1122 	if (m == NULL) {
1123 		AHSTAT_INC(ahs_crypto);
1124 		DPRINTF(("%s: bogus returned buffer from crypto\n", __func__));
1125 		error = EINVAL;
1126 		goto bad;
1127 	}
1128 	AHSTAT_INC(ahs_hist[sav->alg_auth]);
1129 
1130 	/*
1131 	 * Copy original headers (with the new protocol number) back
1132 	 * in place.
1133 	 */
1134 	m_copyback(m, 0, skip, ptr);
1135 
1136 	/* No longer needed. */
1137 	free(tc, M_XDATA);
1138 	crypto_freereq(crp);
1139 
1140 #ifdef REGRESSION
1141 	/* Emulate man-in-the-middle attack when ipsec_integrity is TRUE. */
1142 	if (V_ipsec_integrity) {
1143 		int alen;
1144 
1145 		/*
1146 		 * Corrupt HMAC if we want to test integrity verification of
1147 		 * the other side.
1148 		 */
1149 		alen = AUTHSIZE(sav);
1150 		m_copyback(m, m->m_pkthdr.len - alen, alen, ipseczeroes);
1151 	}
1152 #endif
1153 
1154 	/* NB: m is reclaimed by ipsec_process_done. */
1155 	error = ipsec_process_done(m, isr);
1156 	KEY_FREESAV(&sav);
1157 	IPSECREQUEST_UNLOCK(isr);
1158 	KEY_FREESP(&isr->sp);
1159 	return (error);
1160 bad:
1161 	if (sav)
1162 		KEY_FREESAV(&sav);
1163 	IPSECREQUEST_UNLOCK(isr);
1164 	KEY_FREESP(&isr->sp);
1165 	if (m)
1166 		m_freem(m);
1167 	free(tc, M_XDATA);
1168 	crypto_freereq(crp);
1169 	return (error);
1170 }
1171 
1172 static struct xformsw ah_xformsw = {
1173 	XF_AH,		XFT_AUTH,	"IPsec AH",
1174 	ah_init,	ah_zeroize,	ah_input,	ah_output,
1175 };
1176 
1177 static void
1178 ah_attach(void)
1179 {
1180 
1181 	xform_register(&ah_xformsw);
1182 }
1183 
1184 SYSINIT(ah_xform_init, SI_SUB_PROTO_DOMAIN, SI_ORDER_MIDDLE, ah_attach, NULL);
1185