xref: /freebsd/sys/netipsec/xform_ah.c (revision f6a3b357e9be4c6423c85eff9a847163a0d307c8)
1 /*	$FreeBSD$	*/
2 /*	$OpenBSD: ip_ah.c,v 1.63 2001/06/26 06:18:58 angelos Exp $ */
3 /*-
4  * The authors of this code are John Ioannidis (ji@tla.org),
5  * Angelos D. Keromytis (kermit@csd.uch.gr) and
6  * Niels Provos (provos@physnet.uni-hamburg.de).
7  *
8  * The original version of this code was written by John Ioannidis
9  * for BSD/OS in Athens, Greece, in November 1995.
10  *
11  * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996,
12  * by Angelos D. Keromytis.
13  *
14  * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis
15  * and Niels Provos.
16  *
17  * Additional features in 1999 by Angelos D. Keromytis and Niklas Hallqvist.
18  *
19  * Copyright (c) 1995, 1996, 1997, 1998, 1999 by John Ioannidis,
20  * Angelos D. Keromytis and Niels Provos.
21  * Copyright (c) 1999 Niklas Hallqvist.
22  * Copyright (c) 2001 Angelos D. Keromytis.
23  *
24  * Permission to use, copy, and modify this software with or without fee
25  * is hereby granted, provided that this entire notice is included in
26  * all copies of any software which is or includes a copy or
27  * modification of this software.
28  * You may use this code under the GNU public license if you so wish. Please
29  * contribute changes back to the authors under this freer than GPL license
30  * so that we may further the use of strong encryption without limitations to
31  * all.
32  *
33  * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
34  * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY
35  * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
36  * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
37  * PURPOSE.
38  */
39 #include "opt_inet.h"
40 #include "opt_inet6.h"
41 
42 #include <sys/param.h>
43 #include <sys/systm.h>
44 #include <sys/mbuf.h>
45 #include <sys/socket.h>
46 #include <sys/syslog.h>
47 #include <sys/kernel.h>
48 #include <sys/lock.h>
49 #include <sys/mutex.h>
50 #include <sys/sysctl.h>
51 
52 #include <net/if.h>
53 #include <net/vnet.h>
54 
55 #include <netinet/in.h>
56 #include <netinet/in_systm.h>
57 #include <netinet/ip.h>
58 #include <netinet/ip_ecn.h>
59 #include <netinet/ip6.h>
60 
61 #include <netipsec/ipsec.h>
62 #include <netipsec/ah.h>
63 #include <netipsec/ah_var.h>
64 #include <netipsec/xform.h>
65 
66 #ifdef INET6
67 #include <netinet6/ip6_var.h>
68 #include <netipsec/ipsec6.h>
69 #include <netinet6/ip6_ecn.h>
70 #endif
71 
72 #include <netipsec/key.h>
73 #include <netipsec/key_debug.h>
74 
75 #include <opencrypto/cryptodev.h>
76 
77 /*
78  * Return header size in bytes.  The old protocol did not support
79  * the replay counter; the new protocol always includes the counter.
80  */
81 #define HDRSIZE(sav) \
82 	(((sav)->flags & SADB_X_EXT_OLD) ? \
83 		sizeof (struct ah) : sizeof (struct ah) + sizeof (u_int32_t))
84 /*
85  * Return authenticator size in bytes, based on a field in the
86  * algorithm descriptor.
87  */
88 #define	AUTHSIZE(sav)	((sav->flags & SADB_X_EXT_OLD) ? 16 :	\
89 			 xform_ah_authsize((sav)->tdb_authalgxform))
90 
91 VNET_DEFINE(int, ah_enable) = 1;	/* control flow of packets with AH */
92 VNET_DEFINE(int, ah_cleartos) = 1;	/* clear ip_tos when doing AH calc */
93 VNET_PCPUSTAT_DEFINE(struct ahstat, ahstat);
94 VNET_PCPUSTAT_SYSINIT(ahstat);
95 
96 #ifdef VIMAGE
97 VNET_PCPUSTAT_SYSUNINIT(ahstat);
98 #endif /* VIMAGE */
99 
100 #ifdef INET
101 SYSCTL_DECL(_net_inet_ah);
102 SYSCTL_INT(_net_inet_ah, OID_AUTO, ah_enable,
103 	CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(ah_enable), 0, "");
104 SYSCTL_INT(_net_inet_ah, OID_AUTO, ah_cleartos,
105 	CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(ah_cleartos), 0, "");
106 SYSCTL_VNET_PCPUSTAT(_net_inet_ah, IPSECCTL_STATS, stats, struct ahstat,
107     ahstat, "AH statistics (struct ahstat, netipsec/ah_var.h)");
108 #endif
109 
110 static unsigned char ipseczeroes[256];	/* larger than an ip6 extension hdr */
111 static struct timeval md5warn, ripewarn, kpdkmd5warn, kpdksha1warn;
112 
113 static int ah_input_cb(struct cryptop*);
114 static int ah_output_cb(struct cryptop*);
115 
116 int
117 xform_ah_authsize(const struct auth_hash *esph)
118 {
119 	int alen;
120 
121 	if (esph == NULL)
122 		return 0;
123 
124 	switch (esph->type) {
125 	case CRYPTO_SHA2_256_HMAC:
126 	case CRYPTO_SHA2_384_HMAC:
127 	case CRYPTO_SHA2_512_HMAC:
128 		alen = esph->hashsize / 2;	/* RFC4868 2.3 */
129 		break;
130 
131 	case CRYPTO_AES_128_NIST_GMAC:
132 	case CRYPTO_AES_192_NIST_GMAC:
133 	case CRYPTO_AES_256_NIST_GMAC:
134 		alen = esph->hashsize;
135 		break;
136 
137 	default:
138 		alen = AH_HMAC_HASHLEN;
139 		break;
140 	}
141 
142 	return alen;
143 }
144 
145 size_t
146 ah_hdrsiz(struct secasvar *sav)
147 {
148 	size_t size;
149 
150 	if (sav != NULL) {
151 		int authsize, rplen, align;
152 
153 		IPSEC_ASSERT(sav->tdb_authalgxform != NULL, ("null xform"));
154 		/*XXX not right for null algorithm--does it matter??*/
155 
156 		/* RFC4302: use the correct alignment. */
157 		align = sizeof(uint32_t);
158 #ifdef INET6
159 		if (sav->sah->saidx.dst.sa.sa_family == AF_INET6) {
160 			align = sizeof(uint64_t);
161 		}
162 #endif
163 		rplen = HDRSIZE(sav);
164 		authsize = AUTHSIZE(sav);
165 		size = roundup(rplen + authsize, align);
166 	} else {
167 		/* default guess */
168 		size = sizeof (struct ah) + sizeof (u_int32_t) + 16;
169 	}
170 	return size;
171 }
172 
173 /*
174  * NB: public for use by esp_init.
175  */
176 int
177 ah_init0(struct secasvar *sav, struct xformsw *xsp, struct cryptoini *cria)
178 {
179 	const struct auth_hash *thash;
180 	int keylen;
181 
182 	thash = auth_algorithm_lookup(sav->alg_auth);
183 	if (thash == NULL) {
184 		DPRINTF(("%s: unsupported authentication algorithm %u\n",
185 			__func__, sav->alg_auth));
186 		return EINVAL;
187 	}
188 
189 	switch (sav->alg_auth) {
190 	case SADB_AALG_MD5HMAC:
191 		if (ratecheck(&md5warn, &ipsec_warn_interval))
192 			gone_in(13, "MD5-HMAC authenticator for IPsec");
193 		break;
194 	case SADB_X_AALG_RIPEMD160HMAC:
195 		if (ratecheck(&ripewarn, &ipsec_warn_interval))
196 			gone_in(13, "RIPEMD160-HMAC authenticator for IPsec");
197 		break;
198 	case SADB_X_AALG_MD5:
199 		if (ratecheck(&kpdkmd5warn, &ipsec_warn_interval))
200 			gone_in(13, "Keyed-MD5 authenticator for IPsec");
201 		break;
202 	case SADB_X_AALG_SHA:
203 		if (ratecheck(&kpdksha1warn, &ipsec_warn_interval))
204 			gone_in(13, "Keyed-SHA1 authenticator for IPsec");
205 		break;
206 	}
207 
208 	/*
209 	 * Verify the replay state block allocation is consistent with
210 	 * the protocol type.  We check here so we can make assumptions
211 	 * later during protocol processing.
212 	 */
213 	/* NB: replay state is setup elsewhere (sigh) */
214 	if (((sav->flags&SADB_X_EXT_OLD) == 0) ^ (sav->replay != NULL)) {
215 		DPRINTF(("%s: replay state block inconsistency, "
216 			"%s algorithm %s replay state\n", __func__,
217 			(sav->flags & SADB_X_EXT_OLD) ? "old" : "new",
218 			sav->replay == NULL ? "without" : "with"));
219 		return EINVAL;
220 	}
221 	if (sav->key_auth == NULL) {
222 		DPRINTF(("%s: no authentication key for %s algorithm\n",
223 			__func__, thash->name));
224 		return EINVAL;
225 	}
226 	keylen = _KEYLEN(sav->key_auth);
227 	if (keylen > thash->keysize && thash->keysize != 0) {
228 		DPRINTF(("%s: invalid keylength %d, algorithm %s requires "
229 			"keysize less than %d\n", __func__,
230 			 keylen, thash->name, thash->keysize));
231 		return EINVAL;
232 	}
233 
234 	sav->tdb_xform = xsp;
235 	sav->tdb_authalgxform = thash;
236 
237 	/* Initialize crypto session. */
238 	bzero(cria, sizeof (*cria));
239 	cria->cri_alg = sav->tdb_authalgxform->type;
240 	cria->cri_klen = _KEYBITS(sav->key_auth);
241 	cria->cri_key = sav->key_auth->key_data;
242 	cria->cri_mlen = AUTHSIZE(sav);
243 
244 	return 0;
245 }
246 
247 /*
248  * ah_init() is called when an SPI is being set up.
249  */
250 static int
251 ah_init(struct secasvar *sav, struct xformsw *xsp)
252 {
253 	struct cryptoini cria;
254 	int error;
255 
256 	error = ah_init0(sav, xsp, &cria);
257 	return error ? error :
258 		 crypto_newsession(&sav->tdb_cryptoid, &cria, V_crypto_support);
259 }
260 
261 /*
262  * Paranoia.
263  *
264  * NB: public for use by esp_zeroize (XXX).
265  */
266 int
267 ah_zeroize(struct secasvar *sav)
268 {
269 
270 	if (sav->key_auth)
271 		bzero(sav->key_auth->key_data, _KEYLEN(sav->key_auth));
272 
273 	crypto_freesession(sav->tdb_cryptoid);
274 	sav->tdb_cryptoid = NULL;
275 	sav->tdb_authalgxform = NULL;
276 	sav->tdb_xform = NULL;
277 	return 0;
278 }
279 
280 /*
281  * Massage IPv4/IPv6 headers for AH processing.
282  */
283 static int
284 ah_massage_headers(struct mbuf **m0, int proto, int skip, int alg, int out)
285 {
286 	struct mbuf *m = *m0;
287 	unsigned char *ptr;
288 	int off, count;
289 
290 #ifdef INET
291 	struct ip *ip;
292 #endif /* INET */
293 
294 #ifdef INET6
295 	struct ip6_ext *ip6e;
296 	struct ip6_hdr ip6;
297 	int ad, alloc, nxt, noff;
298 #endif /* INET6 */
299 
300 	switch (proto) {
301 #ifdef INET
302 	case AF_INET:
303 		/*
304 		 * This is the least painful way of dealing with IPv4 header
305 		 * and option processing -- just make sure they're in
306 		 * contiguous memory.
307 		 */
308 		*m0 = m = m_pullup(m, skip);
309 		if (m == NULL) {
310 			DPRINTF(("%s: m_pullup failed\n", __func__));
311 			return ENOBUFS;
312 		}
313 
314 		/* Fix the IP header */
315 		ip = mtod(m, struct ip *);
316 		if (V_ah_cleartos)
317 			ip->ip_tos = 0;
318 		ip->ip_ttl = 0;
319 		ip->ip_sum = 0;
320 
321 		if (alg == CRYPTO_MD5_KPDK || alg == CRYPTO_SHA1_KPDK)
322 			ip->ip_off &= htons(IP_DF);
323 		else
324 			ip->ip_off = htons(0);
325 
326 		ptr = mtod(m, unsigned char *);
327 
328 		/* IPv4 option processing */
329 		for (off = sizeof(struct ip); off < skip;) {
330 			if (ptr[off] == IPOPT_EOL || ptr[off] == IPOPT_NOP ||
331 			    off + 1 < skip)
332 				;
333 			else {
334 				DPRINTF(("%s: illegal IPv4 option length for "
335 					"option %d\n", __func__, ptr[off]));
336 
337 				m_freem(m);
338 				return EINVAL;
339 			}
340 
341 			switch (ptr[off]) {
342 			case IPOPT_EOL:
343 				off = skip;  /* End the loop. */
344 				break;
345 
346 			case IPOPT_NOP:
347 				off++;
348 				break;
349 
350 			case IPOPT_SECURITY:	/* 0x82 */
351 			case 0x85:	/* Extended security. */
352 			case 0x86:	/* Commercial security. */
353 			case 0x94:	/* Router alert */
354 			case 0x95:	/* RFC1770 */
355 				/* Sanity check for option length. */
356 				if (ptr[off + 1] < 2) {
357 					DPRINTF(("%s: illegal IPv4 option "
358 						"length for option %d\n",
359 						__func__, ptr[off]));
360 
361 					m_freem(m);
362 					return EINVAL;
363 				}
364 
365 				off += ptr[off + 1];
366 				break;
367 
368 			case IPOPT_LSRR:
369 			case IPOPT_SSRR:
370 				/* Sanity check for option length. */
371 				if (ptr[off + 1] < 2) {
372 					DPRINTF(("%s: illegal IPv4 option "
373 						"length for option %d\n",
374 						__func__, ptr[off]));
375 
376 					m_freem(m);
377 					return EINVAL;
378 				}
379 
380 				/*
381 				 * On output, if we have either of the
382 				 * source routing options, we should
383 				 * swap the destination address of the
384 				 * IP header with the last address
385 				 * specified in the option, as that is
386 				 * what the destination's IP header
387 				 * will look like.
388 				 */
389 				if (out)
390 					bcopy(ptr + off + ptr[off + 1] -
391 					    sizeof(struct in_addr),
392 					    &(ip->ip_dst), sizeof(struct in_addr));
393 
394 				/* Fall through */
395 			default:
396 				/* Sanity check for option length. */
397 				if (ptr[off + 1] < 2) {
398 					DPRINTF(("%s: illegal IPv4 option "
399 						"length for option %d\n",
400 						__func__, ptr[off]));
401 					m_freem(m);
402 					return EINVAL;
403 				}
404 
405 				/* Zeroize all other options. */
406 				count = ptr[off + 1];
407 				bcopy(ipseczeroes, ptr + off, count);
408 				off += count;
409 				break;
410 			}
411 
412 			/* Sanity check. */
413 			if (off > skip)	{
414 				DPRINTF(("%s: malformed IPv4 options header\n",
415 					__func__));
416 
417 				m_freem(m);
418 				return EINVAL;
419 			}
420 		}
421 
422 		break;
423 #endif /* INET */
424 
425 #ifdef INET6
426 	case AF_INET6:  /* Ugly... */
427 		/* Copy and "cook" the IPv6 header. */
428 		m_copydata(m, 0, sizeof(ip6), (caddr_t) &ip6);
429 
430 		/* We don't do IPv6 Jumbograms. */
431 		if (ip6.ip6_plen == 0) {
432 			DPRINTF(("%s: unsupported IPv6 jumbogram\n", __func__));
433 			m_freem(m);
434 			return EMSGSIZE;
435 		}
436 
437 		ip6.ip6_flow = 0;
438 		ip6.ip6_hlim = 0;
439 		ip6.ip6_vfc &= ~IPV6_VERSION_MASK;
440 		ip6.ip6_vfc |= IPV6_VERSION;
441 
442 		/* Scoped address handling. */
443 		if (IN6_IS_SCOPE_LINKLOCAL(&ip6.ip6_src))
444 			ip6.ip6_src.s6_addr16[1] = 0;
445 		if (IN6_IS_SCOPE_LINKLOCAL(&ip6.ip6_dst))
446 			ip6.ip6_dst.s6_addr16[1] = 0;
447 
448 		/* Done with IPv6 header. */
449 		m_copyback(m, 0, sizeof(struct ip6_hdr), (caddr_t) &ip6);
450 
451 		/* Let's deal with the remaining headers (if any). */
452 		if (skip - sizeof(struct ip6_hdr) > 0) {
453 			if (m->m_len <= skip) {
454 				ptr = (unsigned char *) malloc(
455 				    skip - sizeof(struct ip6_hdr),
456 				    M_XDATA, M_NOWAIT);
457 				if (ptr == NULL) {
458 					DPRINTF(("%s: failed to allocate memory"
459 						"for IPv6 headers\n",__func__));
460 					m_freem(m);
461 					return ENOBUFS;
462 				}
463 
464 				/*
465 				 * Copy all the protocol headers after
466 				 * the IPv6 header.
467 				 */
468 				m_copydata(m, sizeof(struct ip6_hdr),
469 				    skip - sizeof(struct ip6_hdr), ptr);
470 				alloc = 1;
471 			} else {
472 				/* No need to allocate memory. */
473 				ptr = mtod(m, unsigned char *) +
474 				    sizeof(struct ip6_hdr);
475 				alloc = 0;
476 			}
477 		} else
478 			break;
479 
480 		nxt = ip6.ip6_nxt & 0xff; /* Next header type. */
481 
482 		for (off = 0; off < skip - sizeof(struct ip6_hdr);)
483 			switch (nxt) {
484 			case IPPROTO_HOPOPTS:
485 			case IPPROTO_DSTOPTS:
486 				ip6e = (struct ip6_ext *)(ptr + off);
487 				noff = off + ((ip6e->ip6e_len + 1) << 3);
488 
489 				/* Sanity check. */
490 				if (noff > skip - sizeof(struct ip6_hdr))
491 					goto error6;
492 
493 				/*
494 				 * Zero out mutable options.
495 				 */
496 				for (count = off + sizeof(struct ip6_ext);
497 				     count < noff;) {
498 					if (ptr[count] == IP6OPT_PAD1) {
499 						count++;
500 						continue; /* Skip padding. */
501 					}
502 
503 					ad = ptr[count + 1] + 2;
504 					if (count + ad > noff)
505 						goto error6;
506 
507 					if (ptr[count] & IP6OPT_MUTABLE)
508 						memset(ptr + count, 0, ad);
509 					count += ad;
510 				}
511 
512 				if (count != noff)
513 					goto error6;
514 
515 				/* Advance. */
516 				off += ((ip6e->ip6e_len + 1) << 3);
517 				nxt = ip6e->ip6e_nxt;
518 				break;
519 
520 			case IPPROTO_ROUTING:
521 				/*
522 				 * Always include routing headers in
523 				 * computation.
524 				 */
525 				ip6e = (struct ip6_ext *) (ptr + off);
526 				off += ((ip6e->ip6e_len + 1) << 3);
527 				nxt = ip6e->ip6e_nxt;
528 				break;
529 
530 			default:
531 				DPRINTF(("%s: unexpected IPv6 header type %d",
532 					__func__, off));
533 error6:
534 				if (alloc)
535 					free(ptr, M_XDATA);
536 				m_freem(m);
537 				return EINVAL;
538 			}
539 
540 		/* Copyback and free, if we allocated. */
541 		if (alloc) {
542 			m_copyback(m, sizeof(struct ip6_hdr),
543 			    skip - sizeof(struct ip6_hdr), ptr);
544 			free(ptr, M_XDATA);
545 		}
546 
547 		break;
548 #endif /* INET6 */
549 	}
550 
551 	return 0;
552 }
553 
554 /*
555  * ah_input() gets called to verify that an input packet
556  * passes authentication.
557  */
558 static int
559 ah_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
560 {
561 	IPSEC_DEBUG_DECLARE(char buf[128]);
562 	const struct auth_hash *ahx;
563 	struct cryptodesc *crda;
564 	struct cryptop *crp;
565 	struct xform_data *xd;
566 	struct newah *ah;
567 	crypto_session_t cryptoid;
568 	int hl, rplen, authsize, ahsize, error;
569 
570 	IPSEC_ASSERT(sav != NULL, ("null SA"));
571 	IPSEC_ASSERT(sav->key_auth != NULL, ("null authentication key"));
572 	IPSEC_ASSERT(sav->tdb_authalgxform != NULL,
573 		("null authentication xform"));
574 
575 	/* Figure out header size. */
576 	rplen = HDRSIZE(sav);
577 
578 	/* XXX don't pullup, just copy header */
579 	IP6_EXTHDR_GET(ah, struct newah *, m, skip, rplen);
580 	if (ah == NULL) {
581 		DPRINTF(("ah_input: cannot pullup header\n"));
582 		AHSTAT_INC(ahs_hdrops);		/*XXX*/
583 		error = ENOBUFS;
584 		goto bad;
585 	}
586 
587 	/* Check replay window, if applicable. */
588 	SECASVAR_LOCK(sav);
589 	if (sav->replay != NULL && sav->replay->wsize != 0 &&
590 	    ipsec_chkreplay(ntohl(ah->ah_seq), sav) == 0) {
591 		SECASVAR_UNLOCK(sav);
592 		AHSTAT_INC(ahs_replay);
593 		DPRINTF(("%s: packet replay failure: %s\n", __func__,
594 		    ipsec_sa2str(sav, buf, sizeof(buf))));
595 		error = EACCES;
596 		goto bad;
597 	}
598 	cryptoid = sav->tdb_cryptoid;
599 	SECASVAR_UNLOCK(sav);
600 
601 	/* Verify AH header length. */
602 	hl = sizeof(struct ah) + (ah->ah_len * sizeof (u_int32_t));
603 	ahx = sav->tdb_authalgxform;
604 	authsize = AUTHSIZE(sav);
605 	ahsize = ah_hdrsiz(sav);
606 	if (hl != ahsize) {
607 		DPRINTF(("%s: bad authenticator length %u (expecting %lu)"
608 		    " for packet in SA %s/%08lx\n", __func__, hl,
609 		    (u_long)ahsize,
610 		    ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)),
611 		    (u_long) ntohl(sav->spi)));
612 		AHSTAT_INC(ahs_badauthl);
613 		error = EACCES;
614 		goto bad;
615 	}
616 	if (skip + ahsize > m->m_pkthdr.len) {
617 		DPRINTF(("%s: bad mbuf length %u (expecting %lu)"
618 		    " for packet in SA %s/%08lx\n", __func__,
619 		    m->m_pkthdr.len, (u_long)(skip + ahsize),
620 		    ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)),
621 		    (u_long) ntohl(sav->spi)));
622 		AHSTAT_INC(ahs_badauthl);
623 		error = EACCES;
624 		goto bad;
625 	}
626 	AHSTAT_ADD(ahs_ibytes, m->m_pkthdr.len - skip - hl);
627 
628 	/* Get crypto descriptors. */
629 	crp = crypto_getreq(1);
630 	if (crp == NULL) {
631 		DPRINTF(("%s: failed to acquire crypto descriptor\n",
632 		    __func__));
633 		AHSTAT_INC(ahs_crypto);
634 		error = ENOBUFS;
635 		goto bad;
636 	}
637 
638 	crda = crp->crp_desc;
639 	IPSEC_ASSERT(crda != NULL, ("null crypto descriptor"));
640 
641 	crda->crd_skip = 0;
642 	crda->crd_len = m->m_pkthdr.len;
643 	crda->crd_inject = skip + rplen;
644 
645 	/* Authentication operation. */
646 	crda->crd_alg = ahx->type;
647 	crda->crd_klen = _KEYBITS(sav->key_auth);
648 	crda->crd_key = sav->key_auth->key_data;
649 
650 	/* Allocate IPsec-specific opaque crypto info. */
651 	xd = malloc(sizeof(*xd) + skip + rplen + authsize, M_XDATA,
652 	    M_NOWAIT | M_ZERO);
653 	if (xd == NULL) {
654 		DPRINTF(("%s: failed to allocate xform_data\n", __func__));
655 		AHSTAT_INC(ahs_crypto);
656 		crypto_freereq(crp);
657 		error = ENOBUFS;
658 		goto bad;
659 	}
660 
661 	/*
662 	 * Save the authenticator, the skipped portion of the packet,
663 	 * and the AH header.
664 	 */
665 	m_copydata(m, 0, skip + rplen + authsize, (caddr_t)(xd + 1));
666 
667 	/* Zeroize the authenticator on the packet. */
668 	m_copyback(m, skip + rplen, authsize, ipseczeroes);
669 
670 	/* Save ah_nxt, since ah pointer can become invalid after "massage" */
671 	hl = ah->ah_nxt;
672 
673 	/* "Massage" the packet headers for crypto processing. */
674 	error = ah_massage_headers(&m, sav->sah->saidx.dst.sa.sa_family,
675 	    skip, ahx->type, 0);
676 	if (error != 0) {
677 		/* NB: mbuf is free'd by ah_massage_headers */
678 		AHSTAT_INC(ahs_hdrops);
679 		free(xd, M_XDATA);
680 		crypto_freereq(crp);
681 		key_freesav(&sav);
682 		return (error);
683 	}
684 
685 	/* Crypto operation descriptor. */
686 	crp->crp_ilen = m->m_pkthdr.len; /* Total input length. */
687 	crp->crp_flags = CRYPTO_F_IMBUF | CRYPTO_F_CBIFSYNC;
688 	if (V_async_crypto)
689 		crp->crp_flags |= CRYPTO_F_ASYNC | CRYPTO_F_ASYNC_KEEPORDER;
690 	crp->crp_buf = (caddr_t) m;
691 	crp->crp_callback = ah_input_cb;
692 	crp->crp_session = cryptoid;
693 	crp->crp_opaque = (caddr_t) xd;
694 
695 	/* These are passed as-is to the callback. */
696 	xd->sav = sav;
697 	xd->nxt = hl;
698 	xd->protoff = protoff;
699 	xd->skip = skip;
700 	xd->cryptoid = cryptoid;
701 	xd->vnet = curvnet;
702 	return (crypto_dispatch(crp));
703 bad:
704 	m_freem(m);
705 	key_freesav(&sav);
706 	return (error);
707 }
708 
709 /*
710  * AH input callback from the crypto driver.
711  */
712 static int
713 ah_input_cb(struct cryptop *crp)
714 {
715 	IPSEC_DEBUG_DECLARE(char buf[IPSEC_ADDRSTRLEN]);
716 	unsigned char calc[AH_ALEN_MAX];
717 	struct mbuf *m;
718 	struct xform_data *xd;
719 	struct secasvar *sav;
720 	struct secasindex *saidx;
721 	caddr_t ptr;
722 	crypto_session_t cryptoid;
723 	int authsize, rplen, ahsize, error, skip, protoff;
724 	uint8_t nxt;
725 
726 	m = (struct mbuf *) crp->crp_buf;
727 	xd = (struct xform_data *) crp->crp_opaque;
728 	CURVNET_SET(xd->vnet);
729 	sav = xd->sav;
730 	skip = xd->skip;
731 	nxt = xd->nxt;
732 	protoff = xd->protoff;
733 	cryptoid = xd->cryptoid;
734 	saidx = &sav->sah->saidx;
735 	IPSEC_ASSERT(saidx->dst.sa.sa_family == AF_INET ||
736 		saidx->dst.sa.sa_family == AF_INET6,
737 		("unexpected protocol family %u", saidx->dst.sa.sa_family));
738 
739 	/* Check for crypto errors. */
740 	if (crp->crp_etype) {
741 		if (crp->crp_etype == EAGAIN) {
742 			/* Reset the session ID */
743 			if (ipsec_updateid(sav, &crp->crp_session, &cryptoid) != 0)
744 				crypto_freesession(cryptoid);
745 			xd->cryptoid = crp->crp_session;
746 			CURVNET_RESTORE();
747 			return (crypto_dispatch(crp));
748 		}
749 		AHSTAT_INC(ahs_noxform);
750 		DPRINTF(("%s: crypto error %d\n", __func__, crp->crp_etype));
751 		error = crp->crp_etype;
752 		goto bad;
753 	} else {
754 		AHSTAT_INC(ahs_hist[sav->alg_auth]);
755 		crypto_freereq(crp);		/* No longer needed. */
756 		crp = NULL;
757 	}
758 
759 	/* Shouldn't happen... */
760 	if (m == NULL) {
761 		AHSTAT_INC(ahs_crypto);
762 		DPRINTF(("%s: bogus returned buffer from crypto\n", __func__));
763 		error = EINVAL;
764 		goto bad;
765 	}
766 
767 	/* Figure out header size. */
768 	rplen = HDRSIZE(sav);
769 	authsize = AUTHSIZE(sav);
770 	ahsize = ah_hdrsiz(sav);
771 
772 	/* Copy authenticator off the packet. */
773 	m_copydata(m, skip + rplen, authsize, calc);
774 
775 	/* Verify authenticator. */
776 	ptr = (caddr_t) (xd + 1);
777 	if (timingsafe_bcmp(ptr + skip + rplen, calc, authsize)) {
778 		DPRINTF(("%s: authentication hash mismatch for packet "
779 		    "in SA %s/%08lx\n", __func__,
780 		    ipsec_address(&saidx->dst, buf, sizeof(buf)),
781 		    (u_long) ntohl(sav->spi)));
782 		AHSTAT_INC(ahs_badauth);
783 		error = EACCES;
784 		goto bad;
785 	}
786 	/* Fix the Next Protocol field. */
787 	((uint8_t *) ptr)[protoff] = nxt;
788 
789 	/* Copyback the saved (uncooked) network headers. */
790 	m_copyback(m, 0, skip, ptr);
791 	free(xd, M_XDATA), xd = NULL;			/* No longer needed */
792 
793 	/*
794 	 * Header is now authenticated.
795 	 */
796 	m->m_flags |= M_AUTHIPHDR|M_AUTHIPDGM;
797 
798 	/*
799 	 * Update replay sequence number, if appropriate.
800 	 */
801 	if (sav->replay) {
802 		u_int32_t seq;
803 
804 		m_copydata(m, skip + offsetof(struct newah, ah_seq),
805 			   sizeof (seq), (caddr_t) &seq);
806 		SECASVAR_LOCK(sav);
807 		if (ipsec_updatereplay(ntohl(seq), sav)) {
808 			SECASVAR_UNLOCK(sav);
809 			AHSTAT_INC(ahs_replay);
810 			error = EACCES;
811 			goto bad;
812 		}
813 		SECASVAR_UNLOCK(sav);
814 	}
815 
816 	/*
817 	 * Remove the AH header and authenticator from the mbuf.
818 	 */
819 	error = m_striphdr(m, skip, ahsize);
820 	if (error) {
821 		DPRINTF(("%s: mangled mbuf chain for SA %s/%08lx\n", __func__,
822 		    ipsec_address(&saidx->dst, buf, sizeof(buf)),
823 		    (u_long) ntohl(sav->spi)));
824 		AHSTAT_INC(ahs_hdrops);
825 		goto bad;
826 	}
827 
828 	switch (saidx->dst.sa.sa_family) {
829 #ifdef INET6
830 	case AF_INET6:
831 		error = ipsec6_common_input_cb(m, sav, skip, protoff);
832 		break;
833 #endif
834 #ifdef INET
835 	case AF_INET:
836 		error = ipsec4_common_input_cb(m, sav, skip, protoff);
837 		break;
838 #endif
839 	default:
840 		panic("%s: Unexpected address family: %d saidx=%p", __func__,
841 		    saidx->dst.sa.sa_family, saidx);
842 	}
843 	CURVNET_RESTORE();
844 	return error;
845 bad:
846 	CURVNET_RESTORE();
847 	if (sav)
848 		key_freesav(&sav);
849 	if (m != NULL)
850 		m_freem(m);
851 	if (xd != NULL)
852 		free(xd, M_XDATA);
853 	if (crp != NULL)
854 		crypto_freereq(crp);
855 	return error;
856 }
857 
858 /*
859  * AH output routine, called by ipsec[46]_perform_request().
860  */
861 static int
862 ah_output(struct mbuf *m, struct secpolicy *sp, struct secasvar *sav,
863     u_int idx, int skip, int protoff)
864 {
865 	IPSEC_DEBUG_DECLARE(char buf[IPSEC_ADDRSTRLEN]);
866 	const struct auth_hash *ahx;
867 	struct cryptodesc *crda;
868 	struct xform_data *xd;
869 	struct mbuf *mi;
870 	struct cryptop *crp;
871 	struct newah *ah;
872 	crypto_session_t cryptoid;
873 	uint16_t iplen;
874 	int error, rplen, authsize, ahsize, maxpacketsize, roff;
875 	uint8_t prot;
876 
877 	IPSEC_ASSERT(sav != NULL, ("null SA"));
878 	ahx = sav->tdb_authalgxform;
879 	IPSEC_ASSERT(ahx != NULL, ("null authentication xform"));
880 
881 	AHSTAT_INC(ahs_output);
882 
883 	/* Figure out header size. */
884 	rplen = HDRSIZE(sav);
885 	authsize = AUTHSIZE(sav);
886 	ahsize = ah_hdrsiz(sav);
887 
888 	/* Check for maximum packet size violations. */
889 	switch (sav->sah->saidx.dst.sa.sa_family) {
890 #ifdef INET
891 	case AF_INET:
892 		maxpacketsize = IP_MAXPACKET;
893 		break;
894 #endif /* INET */
895 #ifdef INET6
896 	case AF_INET6:
897 		maxpacketsize = IPV6_MAXPACKET;
898 		break;
899 #endif /* INET6 */
900 	default:
901 		DPRINTF(("%s: unknown/unsupported protocol family %u, "
902 		    "SA %s/%08lx\n", __func__,
903 		    sav->sah->saidx.dst.sa.sa_family,
904 		    ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)),
905 		    (u_long) ntohl(sav->spi)));
906 		AHSTAT_INC(ahs_nopf);
907 		error = EPFNOSUPPORT;
908 		goto bad;
909 	}
910 	if (ahsize + m->m_pkthdr.len > maxpacketsize) {
911 		DPRINTF(("%s: packet in SA %s/%08lx got too big "
912 		    "(len %u, max len %u)\n", __func__,
913 		    ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)),
914 		    (u_long) ntohl(sav->spi),
915 		    ahsize + m->m_pkthdr.len, maxpacketsize));
916 		AHSTAT_INC(ahs_toobig);
917 		error = EMSGSIZE;
918 		goto bad;
919 	}
920 
921 	/* Update the counters. */
922 	AHSTAT_ADD(ahs_obytes, m->m_pkthdr.len - skip);
923 
924 	m = m_unshare(m, M_NOWAIT);
925 	if (m == NULL) {
926 		DPRINTF(("%s: cannot clone mbuf chain, SA %s/%08lx\n", __func__,
927 		    ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)),
928 		    (u_long) ntohl(sav->spi)));
929 		AHSTAT_INC(ahs_hdrops);
930 		error = ENOBUFS;
931 		goto bad;
932 	}
933 
934 	/* Inject AH header. */
935 	mi = m_makespace(m, skip, ahsize, &roff);
936 	if (mi == NULL) {
937 		DPRINTF(("%s: failed to inject %u byte AH header for SA "
938 		    "%s/%08lx\n", __func__, ahsize,
939 		    ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)),
940 		    (u_long) ntohl(sav->spi)));
941 		AHSTAT_INC(ahs_hdrops);		/*XXX differs from openbsd */
942 		error = ENOBUFS;
943 		goto bad;
944 	}
945 
946 	/*
947 	 * The AH header is guaranteed by m_makespace() to be in
948 	 * contiguous memory, at roff bytes offset into the returned mbuf.
949 	 */
950 	ah = (struct newah *)(mtod(mi, caddr_t) + roff);
951 
952 	/* Initialize the AH header. */
953 	m_copydata(m, protoff, sizeof(u_int8_t), (caddr_t) &ah->ah_nxt);
954 	ah->ah_len = (ahsize - sizeof(struct ah)) / sizeof(u_int32_t);
955 	ah->ah_reserve = 0;
956 	ah->ah_spi = sav->spi;
957 
958 	/* Zeroize authenticator. */
959 	m_copyback(m, skip + rplen, authsize, ipseczeroes);
960 
961 	/* Zeroize padding */
962 	m_copyback(m, skip + rplen + authsize, ahsize - (rplen + authsize),
963 	    ipseczeroes);
964 
965 	/* Insert packet replay counter, as requested.  */
966 	SECASVAR_LOCK(sav);
967 	if (sav->replay) {
968 		if (sav->replay->count == ~0 &&
969 		    (sav->flags & SADB_X_EXT_CYCSEQ) == 0) {
970 			SECASVAR_UNLOCK(sav);
971 			DPRINTF(("%s: replay counter wrapped for SA %s/%08lx\n",
972 			    __func__, ipsec_address(&sav->sah->saidx.dst, buf,
973 			    sizeof(buf)), (u_long) ntohl(sav->spi)));
974 			AHSTAT_INC(ahs_wrap);
975 			error = EACCES;
976 			goto bad;
977 		}
978 #ifdef REGRESSION
979 		/* Emulate replay attack when ipsec_replay is TRUE. */
980 		if (!V_ipsec_replay)
981 #endif
982 			sav->replay->count++;
983 		ah->ah_seq = htonl(sav->replay->count);
984 	}
985 	cryptoid = sav->tdb_cryptoid;
986 	SECASVAR_UNLOCK(sav);
987 
988 	/* Get crypto descriptors. */
989 	crp = crypto_getreq(1);
990 	if (crp == NULL) {
991 		DPRINTF(("%s: failed to acquire crypto descriptors\n",
992 			__func__));
993 		AHSTAT_INC(ahs_crypto);
994 		error = ENOBUFS;
995 		goto bad;
996 	}
997 
998 	crda = crp->crp_desc;
999 	crda->crd_skip = 0;
1000 	crda->crd_inject = skip + rplen;
1001 	crda->crd_len = m->m_pkthdr.len;
1002 
1003 	/* Authentication operation. */
1004 	crda->crd_alg = ahx->type;
1005 	crda->crd_key = sav->key_auth->key_data;
1006 	crda->crd_klen = _KEYBITS(sav->key_auth);
1007 
1008 	/* Allocate IPsec-specific opaque crypto info. */
1009 	xd =  malloc(sizeof(struct xform_data) + skip, M_XDATA,
1010 	    M_NOWAIT | M_ZERO);
1011 	if (xd == NULL) {
1012 		crypto_freereq(crp);
1013 		DPRINTF(("%s: failed to allocate xform_data\n", __func__));
1014 		AHSTAT_INC(ahs_crypto);
1015 		error = ENOBUFS;
1016 		goto bad;
1017 	}
1018 
1019 	/* Save the skipped portion of the packet. */
1020 	m_copydata(m, 0, skip, (caddr_t) (xd + 1));
1021 
1022 	/*
1023 	 * Fix IP header length on the header used for
1024 	 * authentication. We don't need to fix the original
1025 	 * header length as it will be fixed by our caller.
1026 	 */
1027 	switch (sav->sah->saidx.dst.sa.sa_family) {
1028 #ifdef INET
1029 	case AF_INET:
1030 		bcopy(((caddr_t)(xd + 1)) +
1031 		    offsetof(struct ip, ip_len),
1032 		    (caddr_t) &iplen, sizeof(u_int16_t));
1033 		iplen = htons(ntohs(iplen) + ahsize);
1034 		m_copyback(m, offsetof(struct ip, ip_len),
1035 		    sizeof(u_int16_t), (caddr_t) &iplen);
1036 		break;
1037 #endif /* INET */
1038 
1039 #ifdef INET6
1040 	case AF_INET6:
1041 		bcopy(((caddr_t)(xd + 1)) +
1042 		    offsetof(struct ip6_hdr, ip6_plen),
1043 		    (caddr_t) &iplen, sizeof(uint16_t));
1044 		iplen = htons(ntohs(iplen) + ahsize);
1045 		m_copyback(m, offsetof(struct ip6_hdr, ip6_plen),
1046 		    sizeof(uint16_t), (caddr_t) &iplen);
1047 		break;
1048 #endif /* INET6 */
1049 	}
1050 
1051 	/* Fix the Next Header field in saved header. */
1052 	((uint8_t *) (xd + 1))[protoff] = IPPROTO_AH;
1053 
1054 	/* Update the Next Protocol field in the IP header. */
1055 	prot = IPPROTO_AH;
1056 	m_copyback(m, protoff, sizeof(uint8_t), (caddr_t) &prot);
1057 
1058 	/* "Massage" the packet headers for crypto processing. */
1059 	error = ah_massage_headers(&m, sav->sah->saidx.dst.sa.sa_family,
1060 			skip, ahx->type, 1);
1061 	if (error != 0) {
1062 		m = NULL;	/* mbuf was free'd by ah_massage_headers. */
1063 		free(xd, M_XDATA);
1064 		crypto_freereq(crp);
1065 		goto bad;
1066 	}
1067 
1068 	/* Crypto operation descriptor. */
1069 	crp->crp_ilen = m->m_pkthdr.len; /* Total input length. */
1070 	crp->crp_flags = CRYPTO_F_IMBUF | CRYPTO_F_CBIFSYNC;
1071 	if (V_async_crypto)
1072 		crp->crp_flags |= CRYPTO_F_ASYNC | CRYPTO_F_ASYNC_KEEPORDER;
1073 	crp->crp_buf = (caddr_t) m;
1074 	crp->crp_callback = ah_output_cb;
1075 	crp->crp_session = cryptoid;
1076 	crp->crp_opaque = (caddr_t) xd;
1077 
1078 	/* These are passed as-is to the callback. */
1079 	xd->sp = sp;
1080 	xd->sav = sav;
1081 	xd->skip = skip;
1082 	xd->idx = idx;
1083 	xd->cryptoid = cryptoid;
1084 	xd->vnet = curvnet;
1085 
1086 	return crypto_dispatch(crp);
1087 bad:
1088 	if (m)
1089 		m_freem(m);
1090 	key_freesav(&sav);
1091 	key_freesp(&sp);
1092 	return (error);
1093 }
1094 
1095 /*
1096  * AH output callback from the crypto driver.
1097  */
1098 static int
1099 ah_output_cb(struct cryptop *crp)
1100 {
1101 	struct xform_data *xd;
1102 	struct secpolicy *sp;
1103 	struct secasvar *sav;
1104 	struct mbuf *m;
1105 	crypto_session_t cryptoid;
1106 	caddr_t ptr;
1107 	u_int idx;
1108 	int skip, error;
1109 
1110 	m = (struct mbuf *) crp->crp_buf;
1111 	xd = (struct xform_data *) crp->crp_opaque;
1112 	CURVNET_SET(xd->vnet);
1113 	sp = xd->sp;
1114 	sav = xd->sav;
1115 	skip = xd->skip;
1116 	idx = xd->idx;
1117 	cryptoid = xd->cryptoid;
1118 	ptr = (caddr_t) (xd + 1);
1119 
1120 	/* Check for crypto errors. */
1121 	if (crp->crp_etype) {
1122 		if (crp->crp_etype == EAGAIN) {
1123 			/* Reset the session ID */
1124 			if (ipsec_updateid(sav, &crp->crp_session, &cryptoid) != 0)
1125 				crypto_freesession(cryptoid);
1126 			xd->cryptoid = crp->crp_session;
1127 			CURVNET_RESTORE();
1128 			return (crypto_dispatch(crp));
1129 		}
1130 		AHSTAT_INC(ahs_noxform);
1131 		DPRINTF(("%s: crypto error %d\n", __func__, crp->crp_etype));
1132 		error = crp->crp_etype;
1133 		m_freem(m);
1134 		goto bad;
1135 	}
1136 
1137 	/* Shouldn't happen... */
1138 	if (m == NULL) {
1139 		AHSTAT_INC(ahs_crypto);
1140 		DPRINTF(("%s: bogus returned buffer from crypto\n", __func__));
1141 		error = EINVAL;
1142 		goto bad;
1143 	}
1144 	/*
1145 	 * Copy original headers (with the new protocol number) back
1146 	 * in place.
1147 	 */
1148 	m_copyback(m, 0, skip, ptr);
1149 
1150 	free(xd, M_XDATA);
1151 	crypto_freereq(crp);
1152 	AHSTAT_INC(ahs_hist[sav->alg_auth]);
1153 #ifdef REGRESSION
1154 	/* Emulate man-in-the-middle attack when ipsec_integrity is TRUE. */
1155 	if (V_ipsec_integrity) {
1156 		int alen;
1157 
1158 		/*
1159 		 * Corrupt HMAC if we want to test integrity verification of
1160 		 * the other side.
1161 		 */
1162 		alen = AUTHSIZE(sav);
1163 		m_copyback(m, m->m_pkthdr.len - alen, alen, ipseczeroes);
1164 	}
1165 #endif
1166 
1167 	/* NB: m is reclaimed by ipsec_process_done. */
1168 	error = ipsec_process_done(m, sp, sav, idx);
1169 	CURVNET_RESTORE();
1170 	return (error);
1171 bad:
1172 	CURVNET_RESTORE();
1173 	free(xd, M_XDATA);
1174 	crypto_freereq(crp);
1175 	key_freesav(&sav);
1176 	key_freesp(&sp);
1177 	return (error);
1178 }
1179 
1180 static struct xformsw ah_xformsw = {
1181 	.xf_type =	XF_AH,
1182 	.xf_name =	"IPsec AH",
1183 	.xf_init =	ah_init,
1184 	.xf_zeroize =	ah_zeroize,
1185 	.xf_input =	ah_input,
1186 	.xf_output =	ah_output,
1187 };
1188 
1189 SYSINIT(ah_xform_init, SI_SUB_PROTO_DOMAIN, SI_ORDER_MIDDLE,
1190     xform_attach, &ah_xformsw);
1191 SYSUNINIT(ah_xform_uninit, SI_SUB_PROTO_DOMAIN, SI_ORDER_MIDDLE,
1192     xform_detach, &ah_xformsw);
1193