xref: /freebsd/sys/netipsec/xform_esp.c (revision 8cbde414199b0d2fd91c8eb770e74ec23852a9d4) 
188768458SSam Leffler /*	$FreeBSD$	*/
288768458SSam Leffler /*	$OpenBSD: ip_esp.c,v 1.69 2001/06/26 06:18:59 angelos Exp $ */
3c398230bSWarner Losh /*-
488768458SSam Leffler  * The authors of this code are John Ioannidis (ji@tla.org),
588768458SSam Leffler  * Angelos D. Keromytis (kermit@csd.uch.gr) and
688768458SSam Leffler  * Niels Provos (provos@physnet.uni-hamburg.de).
788768458SSam Leffler  *
888768458SSam Leffler  * The original version of this code was written by John Ioannidis
988768458SSam Leffler  * for BSD/OS in Athens, Greece, in November 1995.
1088768458SSam Leffler  *
1188768458SSam Leffler  * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996,
1288768458SSam Leffler  * by Angelos D. Keromytis.
1388768458SSam Leffler  *
1488768458SSam Leffler  * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis
1588768458SSam Leffler  * and Niels Provos.
1688768458SSam Leffler  *
1788768458SSam Leffler  * Additional features in 1999 by Angelos D. Keromytis.
1888768458SSam Leffler  *
1988768458SSam Leffler  * Copyright (C) 1995, 1996, 1997, 1998, 1999 by John Ioannidis,
2088768458SSam Leffler  * Angelos D. Keromytis and Niels Provos.
2188768458SSam Leffler  * Copyright (c) 2001 Angelos D. Keromytis.
2288768458SSam Leffler  *
2388768458SSam Leffler  * Permission to use, copy, and modify this software with or without fee
2488768458SSam Leffler  * is hereby granted, provided that this entire notice is included in
2588768458SSam Leffler  * all copies of any software which is or includes a copy or
2688768458SSam Leffler  * modification of this software.
2788768458SSam Leffler  * You may use this code under the GNU public license if you so wish. Please
2888768458SSam Leffler  * contribute changes back to the authors under this freer than GPL license
2988768458SSam Leffler  * so that we may further the use of strong encryption without limitations to
3088768458SSam Leffler  * all.
3188768458SSam Leffler  *
3288768458SSam Leffler  * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
3388768458SSam Leffler  * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY
3488768458SSam Leffler  * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
3588768458SSam Leffler  * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
3688768458SSam Leffler  * PURPOSE.
3788768458SSam Leffler  */
3888768458SSam Leffler #include "opt_inet.h"
3988768458SSam Leffler #include "opt_inet6.h"
4088768458SSam Leffler 
4188768458SSam Leffler #include <sys/param.h>
4288768458SSam Leffler #include <sys/systm.h>
4388768458SSam Leffler #include <sys/mbuf.h>
4488768458SSam Leffler #include <sys/socket.h>
4588768458SSam Leffler #include <sys/syslog.h>
4688768458SSam Leffler #include <sys/kernel.h>
47eedc7fd9SGleb Smirnoff #include <sys/lock.h>
4888768458SSam Leffler #include <sys/random.h>
49fcf59617SAndrey V. Elsukov #include <sys/mutex.h>
5088768458SSam Leffler #include <sys/sysctl.h>
51a2bc81bfSJohn-Mark Gurney #include <sys/mutex.h>
52a2bc81bfSJohn-Mark Gurney #include <machine/atomic.h>
5388768458SSam Leffler 
5488768458SSam Leffler #include <net/if.h>
55eddfbb76SRobert Watson #include <net/vnet.h>
5688768458SSam Leffler 
5788768458SSam Leffler #include <netinet/in.h>
5888768458SSam Leffler #include <netinet/in_systm.h>
5988768458SSam Leffler #include <netinet/ip.h>
6088768458SSam Leffler #include <netinet/ip_ecn.h>
6188768458SSam Leffler #include <netinet/ip6.h>
6288768458SSam Leffler 
6388768458SSam Leffler #include <netipsec/ipsec.h>
6488768458SSam Leffler #include <netipsec/ah.h>
6588768458SSam Leffler #include <netipsec/ah_var.h>
6688768458SSam Leffler #include <netipsec/esp.h>
6788768458SSam Leffler #include <netipsec/esp_var.h>
6888768458SSam Leffler #include <netipsec/xform.h>
6988768458SSam Leffler 
7088768458SSam Leffler #ifdef INET6
7188768458SSam Leffler #include <netinet6/ip6_var.h>
7288768458SSam Leffler #include <netipsec/ipsec6.h>
7388768458SSam Leffler #include <netinet6/ip6_ecn.h>
7488768458SSam Leffler #endif
7588768458SSam Leffler 
7688768458SSam Leffler #include <netipsec/key.h>
7788768458SSam Leffler #include <netipsec/key_debug.h>
7888768458SSam Leffler 
7988768458SSam Leffler #include <opencrypto/cryptodev.h>
8088768458SSam Leffler #include <opencrypto/xform.h>
8188768458SSam Leffler 
82eddfbb76SRobert Watson VNET_DEFINE(int, esp_enable) = 1;
83db8c0879SAndrey V. Elsukov VNET_PCPUSTAT_DEFINE(struct espstat, espstat);
84db8c0879SAndrey V. Elsukov VNET_PCPUSTAT_SYSINIT(espstat);
85db8c0879SAndrey V. Elsukov 
86db8c0879SAndrey V. Elsukov #ifdef VIMAGE
87db8c0879SAndrey V. Elsukov VNET_PCPUSTAT_SYSUNINIT(espstat);
88db8c0879SAndrey V. Elsukov #endif /* VIMAGE */
8988768458SSam Leffler 
9088768458SSam Leffler SYSCTL_DECL(_net_inet_esp);
916df8a710SGleb Smirnoff SYSCTL_INT(_net_inet_esp, OID_AUTO, esp_enable,
926df8a710SGleb Smirnoff 	CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(esp_enable), 0, "");
93db8c0879SAndrey V. Elsukov SYSCTL_VNET_PCPUSTAT(_net_inet_esp, IPSECCTL_STATS, stats,
94db8c0879SAndrey V. Elsukov     struct espstat, espstat,
95db8c0879SAndrey V. Elsukov     "ESP statistics (struct espstat, netipsec/esp_var.h");
96eddfbb76SRobert Watson 
97c2fd516fSJohn Baldwin static struct timeval deswarn, blfwarn, castwarn, camelliawarn;
98c2fd516fSJohn Baldwin 
9988768458SSam Leffler static int esp_input_cb(struct cryptop *op);
10088768458SSam Leffler static int esp_output_cb(struct cryptop *crp);
101bfe1aba4SMarko Zec 
10288768458SSam Leffler size_t
10388768458SSam Leffler esp_hdrsiz(struct secasvar *sav)
10488768458SSam Leffler {
10588768458SSam Leffler 	size_t size;
10688768458SSam Leffler 
10788768458SSam Leffler 	if (sav != NULL) {
10888768458SSam Leffler 		/*XXX not right for null algorithm--does it matter??*/
1099ffa9677SSam Leffler 		IPSEC_ASSERT(sav->tdb_encalgxform != NULL,
1109ffa9677SSam Leffler 			("SA with null xform"));
11188768458SSam Leffler 		if (sav->flags & SADB_X_EXT_OLD)
11288768458SSam Leffler 			size = sizeof (struct esp);
11388768458SSam Leffler 		else
11488768458SSam Leffler 			size = sizeof (struct newesp);
11588768458SSam Leffler 		size += sav->tdb_encalgxform->blocksize + 9;
11688768458SSam Leffler 		/*XXX need alg check???*/
11788768458SSam Leffler 		if (sav->tdb_authalgxform != NULL && sav->replay)
11888768458SSam Leffler 			size += ah_hdrsiz(sav);
11988768458SSam Leffler 	} else {
12088768458SSam Leffler 		/*
12188768458SSam Leffler 		 *   base header size
12288768458SSam Leffler 		 * + max iv length for CBC mode
12388768458SSam Leffler 		 * + max pad length
12488768458SSam Leffler 		 * + sizeof (pad length field)
12588768458SSam Leffler 		 * + sizeof (next header field)
12688768458SSam Leffler 		 * + max icv supported.
12788768458SSam Leffler 		 */
128cdb7ebe3SPawel Jakub Dawidek 		size = sizeof (struct newesp) + EALG_MAX_BLOCK_LEN + 9 + 16;
12988768458SSam Leffler 	}
13088768458SSam Leffler 	return size;
13188768458SSam Leffler }
13288768458SSam Leffler 
13388768458SSam Leffler /*
13488768458SSam Leffler  * esp_init() is called when an SPI is being set up.
13588768458SSam Leffler  */
13688768458SSam Leffler static int
13788768458SSam Leffler esp_init(struct secasvar *sav, struct xformsw *xsp)
13888768458SSam Leffler {
139fcf59617SAndrey V. Elsukov 	const struct enc_xform *txform;
140c0341432SJohn Baldwin 	struct crypto_session_params csp;
14188768458SSam Leffler 	int keylen;
14288768458SSam Leffler 	int error;
14388768458SSam Leffler 
144fcf59617SAndrey V. Elsukov 	txform = enc_algorithm_lookup(sav->alg_enc);
14588768458SSam Leffler 	if (txform == NULL) {
1469ffa9677SSam Leffler 		DPRINTF(("%s: unsupported encryption algorithm %d\n",
1479ffa9677SSam Leffler 			__func__, sav->alg_enc));
14888768458SSam Leffler 		return EINVAL;
14988768458SSam Leffler 	}
15088768458SSam Leffler 	if (sav->key_enc == NULL) {
1519ffa9677SSam Leffler 		DPRINTF(("%s: no encoding key for %s algorithm\n",
1529ffa9677SSam Leffler 			 __func__, txform->name));
15388768458SSam Leffler 		return EINVAL;
15488768458SSam Leffler 	}
155a2bc81bfSJohn-Mark Gurney 	if ((sav->flags & (SADB_X_EXT_OLD | SADB_X_EXT_IV4B)) ==
156a2bc81bfSJohn-Mark Gurney 	    SADB_X_EXT_IV4B) {
1579ffa9677SSam Leffler 		DPRINTF(("%s: 4-byte IV not supported with protocol\n",
1589ffa9677SSam Leffler 			__func__));
15988768458SSam Leffler 		return EINVAL;
16088768458SSam Leffler 	}
161c2fd516fSJohn Baldwin 
162c2fd516fSJohn Baldwin 	switch (sav->alg_enc) {
163c2fd516fSJohn Baldwin 	case SADB_EALG_DESCBC:
1640f702183SJohn Baldwin 		if (ratecheck(&deswarn, &ipsec_warn_interval))
165c2fd516fSJohn Baldwin 			gone_in(13, "DES cipher for IPsec");
166c2fd516fSJohn Baldwin 		break;
167c2fd516fSJohn Baldwin 	case SADB_X_EALG_BLOWFISHCBC:
1680f702183SJohn Baldwin 		if (ratecheck(&blfwarn, &ipsec_warn_interval))
169c2fd516fSJohn Baldwin 			gone_in(13, "Blowfish cipher for IPsec");
170c2fd516fSJohn Baldwin 		break;
171c2fd516fSJohn Baldwin 	case SADB_X_EALG_CAST128CBC:
1720f702183SJohn Baldwin 		if (ratecheck(&castwarn, &ipsec_warn_interval))
173c2fd516fSJohn Baldwin 			gone_in(13, "CAST cipher for IPsec");
174c2fd516fSJohn Baldwin 		break;
175c2fd516fSJohn Baldwin 	case SADB_X_EALG_CAMELLIACBC:
1760f702183SJohn Baldwin 		if (ratecheck(&camelliawarn, &ipsec_warn_interval))
177c2fd516fSJohn Baldwin 			gone_in(13, "Camellia cipher for IPsec");
178c2fd516fSJohn Baldwin 		break;
179c2fd516fSJohn Baldwin 	}
180c2fd516fSJohn Baldwin 
181a2bc81bfSJohn-Mark Gurney 	/* subtract off the salt, RFC4106, 8.1 and RFC3686, 5.1 */
182a2bc81bfSJohn-Mark Gurney 	keylen = _KEYLEN(sav->key_enc) - SAV_ISCTRORGCM(sav) * 4;
18388768458SSam Leffler 	if (txform->minkey > keylen || keylen > txform->maxkey) {
1849ffa9677SSam Leffler 		DPRINTF(("%s: invalid key length %u, must be in the range "
1859ffa9677SSam Leffler 			"[%u..%u] for algorithm %s\n", __func__,
18688768458SSam Leffler 			keylen, txform->minkey, txform->maxkey,
18788768458SSam Leffler 			txform->name));
18888768458SSam Leffler 		return EINVAL;
18988768458SSam Leffler 	}
19088768458SSam Leffler 
191a2bc81bfSJohn-Mark Gurney 	if (SAV_ISCTRORGCM(sav))
192a2bc81bfSJohn-Mark Gurney 		sav->ivlen = 8;	/* RFC4106 3.1 and RFC3686 3.1 */
193a2bc81bfSJohn-Mark Gurney 	else
1940c80e7dfSAndrey V. Elsukov 		sav->ivlen = txform->ivsize;
19588768458SSam Leffler 
196c0341432SJohn Baldwin 	memset(&csp, 0, sizeof(csp));
197c0341432SJohn Baldwin 
19888768458SSam Leffler 	/*
19988768458SSam Leffler 	 * Setup AH-related state.
20088768458SSam Leffler 	 */
20188768458SSam Leffler 	if (sav->alg_auth != 0) {
202c0341432SJohn Baldwin 		error = ah_init0(sav, xsp, &csp);
20388768458SSam Leffler 		if (error)
20488768458SSam Leffler 			return error;
20588768458SSam Leffler 	}
20688768458SSam Leffler 
20788768458SSam Leffler 	/* NB: override anything set in ah_init0 */
20888768458SSam Leffler 	sav->tdb_xform = xsp;
20988768458SSam Leffler 	sav->tdb_encalgxform = txform;
21088768458SSam Leffler 
21116de9ac1SGeorge V. Neville-Neil 	/*
21216de9ac1SGeorge V. Neville-Neil 	 * Whenever AES-GCM is used for encryption, one
21316de9ac1SGeorge V. Neville-Neil 	 * of the AES authentication algorithms is chosen
21416de9ac1SGeorge V. Neville-Neil 	 * as well, based on the key size.
21516de9ac1SGeorge V. Neville-Neil 	 */
21616de9ac1SGeorge V. Neville-Neil 	if (sav->alg_enc == SADB_X_EALG_AESGCM16) {
21716de9ac1SGeorge V. Neville-Neil 		switch (keylen) {
218a2bc81bfSJohn-Mark Gurney 		case AES_128_GMAC_KEY_LEN:
21916de9ac1SGeorge V. Neville-Neil 			sav->alg_auth = SADB_X_AALG_AES128GMAC;
22016de9ac1SGeorge V. Neville-Neil 			sav->tdb_authalgxform = &auth_hash_nist_gmac_aes_128;
22116de9ac1SGeorge V. Neville-Neil 			break;
222a2bc81bfSJohn-Mark Gurney 		case AES_192_GMAC_KEY_LEN:
22316de9ac1SGeorge V. Neville-Neil 			sav->alg_auth = SADB_X_AALG_AES192GMAC;
22416de9ac1SGeorge V. Neville-Neil 			sav->tdb_authalgxform = &auth_hash_nist_gmac_aes_192;
22516de9ac1SGeorge V. Neville-Neil 			break;
226a2bc81bfSJohn-Mark Gurney 		case AES_256_GMAC_KEY_LEN:
22716de9ac1SGeorge V. Neville-Neil 			sav->alg_auth = SADB_X_AALG_AES256GMAC;
22816de9ac1SGeorge V. Neville-Neil 			sav->tdb_authalgxform = &auth_hash_nist_gmac_aes_256;
22916de9ac1SGeorge V. Neville-Neil 			break;
23016de9ac1SGeorge V. Neville-Neil 		default:
23116de9ac1SGeorge V. Neville-Neil 			DPRINTF(("%s: invalid key length %u"
23216de9ac1SGeorge V. Neville-Neil 				 "for algorithm %s\n", __func__,
23316de9ac1SGeorge V. Neville-Neil 				 keylen, txform->name));
23416de9ac1SGeorge V. Neville-Neil 			return EINVAL;
23516de9ac1SGeorge V. Neville-Neil 		}
236c0341432SJohn Baldwin 		csp.csp_mode = CSP_MODE_AEAD;
237c0341432SJohn Baldwin 	} else if (sav->alg_auth != 0)
238c0341432SJohn Baldwin 		csp.csp_mode = CSP_MODE_ETA;
239c0341432SJohn Baldwin 	else
240c0341432SJohn Baldwin 		csp.csp_mode = CSP_MODE_CIPHER;
24116de9ac1SGeorge V. Neville-Neil 
24288768458SSam Leffler 	/* Initialize crypto session. */
243c0341432SJohn Baldwin 	csp.csp_cipher_alg = sav->tdb_encalgxform->type;
244c0341432SJohn Baldwin 	csp.csp_cipher_key = sav->key_enc->key_data;
245c0341432SJohn Baldwin 	csp.csp_cipher_klen = _KEYBITS(sav->key_enc) / 8 -
246c0341432SJohn Baldwin 	    SAV_ISCTRORGCM(sav) * 4;
247c0341432SJohn Baldwin 	csp.csp_ivlen = txform->ivsize;
24888768458SSam Leffler 
249c0341432SJohn Baldwin 	error = crypto_newsession(&sav->tdb_cryptoid, &csp, V_crypto_support);
25088768458SSam Leffler 	return error;
25188768458SSam Leffler }
25288768458SSam Leffler 
25388768458SSam Leffler /*
25488768458SSam Leffler  * Paranoia.
25588768458SSam Leffler  */
25688768458SSam Leffler static int
25788768458SSam Leffler esp_zeroize(struct secasvar *sav)
25888768458SSam Leffler {
25988768458SSam Leffler 	/* NB: ah_zerorize free's the crypto session state */
26088768458SSam Leffler 	int error = ah_zeroize(sav);
26188768458SSam Leffler 
26288768458SSam Leffler 	if (sav->key_enc)
263a0196c3cSGeorge V. Neville-Neil 		bzero(sav->key_enc->key_data, _KEYLEN(sav->key_enc));
26488768458SSam Leffler 	sav->tdb_encalgxform = NULL;
26588768458SSam Leffler 	sav->tdb_xform = NULL;
26688768458SSam Leffler 	return error;
26788768458SSam Leffler }
26888768458SSam Leffler 
26988768458SSam Leffler /*
27088768458SSam Leffler  * ESP input processing, called (eventually) through the protocol switch.
27188768458SSam Leffler  */
27288768458SSam Leffler static int
27388768458SSam Leffler esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
27488768458SSam Leffler {
2757f1f6591SAndrey V. Elsukov 	IPSEC_DEBUG_DECLARE(char buf[128]);
276fcf59617SAndrey V. Elsukov 	const struct auth_hash *esph;
277fcf59617SAndrey V. Elsukov 	const struct enc_xform *espx;
278fcf59617SAndrey V. Elsukov 	struct xform_data *xd;
27988768458SSam Leffler 	struct cryptop *crp;
280fcf59617SAndrey V. Elsukov 	struct newesp *esp;
281fcf59617SAndrey V. Elsukov 	uint8_t *ivp;
2822e08e39fSConrad Meyer 	crypto_session_t cryptoid;
2835f7c516fSAndrey V. Elsukov 	int alen, error, hlen, plen;
28488768458SSam Leffler 
2859ffa9677SSam Leffler 	IPSEC_ASSERT(sav != NULL, ("null SA"));
2869ffa9677SSam Leffler 	IPSEC_ASSERT(sav->tdb_encalgxform != NULL, ("null encoding xform"));
287a45bff04SVANHULLEBUS Yvan 
2885f7c516fSAndrey V. Elsukov 	error = EINVAL;
289a45bff04SVANHULLEBUS Yvan 	/* Valid IP Packet length ? */
290a45bff04SVANHULLEBUS Yvan 	if ( (skip&3) || (m->m_pkthdr.len&3) ){
291a45bff04SVANHULLEBUS Yvan 		DPRINTF(("%s: misaligned packet, skip %u pkt len %u",
292a45bff04SVANHULLEBUS Yvan 				__func__, skip, m->m_pkthdr.len));
293a04d64d8SAndrey V. Elsukov 		ESPSTAT_INC(esps_badilen);
2945f7c516fSAndrey V. Elsukov 		goto bad;
295a45bff04SVANHULLEBUS Yvan 	}
29663abacc2SBjoern A. Zeeb 
297a4adf6ccSBjoern A. Zeeb 	if (m->m_len < skip + sizeof(*esp)) {
29863abacc2SBjoern A. Zeeb 		m = m_pullup(m, skip + sizeof(*esp));
29963abacc2SBjoern A. Zeeb 		if (m == NULL) {
30063abacc2SBjoern A. Zeeb 			DPRINTF(("%s: cannot pullup header\n", __func__));
30163abacc2SBjoern A. Zeeb 			ESPSTAT_INC(esps_hdrops);	/*XXX*/
30263abacc2SBjoern A. Zeeb 			error = ENOBUFS;
30363abacc2SBjoern A. Zeeb 			goto bad;
30463abacc2SBjoern A. Zeeb 		}
305a4adf6ccSBjoern A. Zeeb 	}
30663abacc2SBjoern A. Zeeb 	esp = (struct newesp *)(mtod(m, caddr_t) + skip);
30788768458SSam Leffler 
30888768458SSam Leffler 	esph = sav->tdb_authalgxform;
30988768458SSam Leffler 	espx = sav->tdb_encalgxform;
31088768458SSam Leffler 
311a09a7146SJohn-Mark Gurney 	/* Determine the ESP header and auth length */
31288768458SSam Leffler 	if (sav->flags & SADB_X_EXT_OLD)
31388768458SSam Leffler 		hlen = sizeof (struct esp) + sav->ivlen;
31488768458SSam Leffler 	else
31588768458SSam Leffler 		hlen = sizeof (struct newesp) + sav->ivlen;
316a09a7146SJohn-Mark Gurney 
317a09a7146SJohn-Mark Gurney 	alen = xform_ah_authsize(esph);
31888768458SSam Leffler 
31988768458SSam Leffler 	/*
32088768458SSam Leffler 	 * Verify payload length is multiple of encryption algorithm
32188768458SSam Leffler 	 * block size.
32288768458SSam Leffler 	 *
32388768458SSam Leffler 	 * NB: This works for the null algorithm because the blocksize
32488768458SSam Leffler 	 *     is 4 and all packets must be 4-byte aligned regardless
32588768458SSam Leffler 	 *     of the algorithm.
32688768458SSam Leffler 	 */
32788768458SSam Leffler 	plen = m->m_pkthdr.len - (skip + hlen + alen);
32888768458SSam Leffler 	if ((plen & (espx->blocksize - 1)) || (plen <= 0)) {
3299ffa9677SSam Leffler 		DPRINTF(("%s: payload of %d octets not a multiple of %d octets,"
330a2bc81bfSJohn-Mark Gurney 		    "  SA %s/%08lx\n", __func__, plen, espx->blocksize,
331a2bc81bfSJohn-Mark Gurney 		    ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)),
332a2bc81bfSJohn-Mark Gurney 		    (u_long)ntohl(sav->spi)));
333a04d64d8SAndrey V. Elsukov 		ESPSTAT_INC(esps_badilen);
3345f7c516fSAndrey V. Elsukov 		goto bad;
33588768458SSam Leffler 	}
33688768458SSam Leffler 
33788768458SSam Leffler 	/*
33888768458SSam Leffler 	 * Check sequence number.
33988768458SSam Leffler 	 */
340fcf59617SAndrey V. Elsukov 	SECASVAR_LOCK(sav);
341fcf59617SAndrey V. Elsukov 	if (esph != NULL && sav->replay != NULL && sav->replay->wsize != 0) {
342fcf59617SAndrey V. Elsukov 		if (ipsec_chkreplay(ntohl(esp->esp_seq), sav) == 0) {
343fcf59617SAndrey V. Elsukov 			SECASVAR_UNLOCK(sav);
3449ffa9677SSam Leffler 			DPRINTF(("%s: packet replay check for %s\n", __func__,
345fcf59617SAndrey V. Elsukov 			    ipsec_sa2str(sav, buf, sizeof(buf))));
346a04d64d8SAndrey V. Elsukov 			ESPSTAT_INC(esps_replay);
3475f7c516fSAndrey V. Elsukov 			error = EACCES;
3485f7c516fSAndrey V. Elsukov 			goto bad;
34988768458SSam Leffler 		}
350fcf59617SAndrey V. Elsukov 	}
351fcf59617SAndrey V. Elsukov 	cryptoid = sav->tdb_cryptoid;
352fcf59617SAndrey V. Elsukov 	SECASVAR_UNLOCK(sav);
35388768458SSam Leffler 
35488768458SSam Leffler 	/* Update the counters */
355a04d64d8SAndrey V. Elsukov 	ESPSTAT_ADD(esps_ibytes, m->m_pkthdr.len - (skip + hlen + alen));
35688768458SSam Leffler 
35788768458SSam Leffler 	/* Get crypto descriptors */
358c0341432SJohn Baldwin 	crp = crypto_getreq(cryptoid, M_NOWAIT);
35988768458SSam Leffler 	if (crp == NULL) {
3609ffa9677SSam Leffler 		DPRINTF(("%s: failed to acquire crypto descriptors\n",
3619ffa9677SSam Leffler 			__func__));
362a04d64d8SAndrey V. Elsukov 		ESPSTAT_INC(esps_crypto);
3635f7c516fSAndrey V. Elsukov 		error = ENOBUFS;
3645f7c516fSAndrey V. Elsukov 		goto bad;
36588768458SSam Leffler 	}
36688768458SSam Leffler 
36788768458SSam Leffler 	/* Get IPsec-specific opaque pointer */
368c0341432SJohn Baldwin 	xd = malloc(sizeof(*xd), M_XDATA, M_NOWAIT | M_ZERO);
369fcf59617SAndrey V. Elsukov 	if (xd == NULL) {
370fcf59617SAndrey V. Elsukov 		DPRINTF(("%s: failed to allocate xform_data\n", __func__));
371a04d64d8SAndrey V. Elsukov 		ESPSTAT_INC(esps_crypto);
372fcf59617SAndrey V. Elsukov 		crypto_freereq(crp);
3735f7c516fSAndrey V. Elsukov 		error = ENOBUFS;
3745f7c516fSAndrey V. Elsukov 		goto bad;
37588768458SSam Leffler 	}
37688768458SSam Leffler 
37708537f45SAndrey V. Elsukov 	if (esph != NULL) {
378c0341432SJohn Baldwin 		crp->crp_op = CRYPTO_OP_VERIFY_DIGEST;
379c0341432SJohn Baldwin 		crp->crp_aad_start = skip;
380a2bc81bfSJohn-Mark Gurney 		if (SAV_ISGCM(sav))
381c0341432SJohn Baldwin 			crp->crp_aad_length = 8; /* RFC4106 5, SPI + SN */
38216de9ac1SGeorge V. Neville-Neil 		else
383c0341432SJohn Baldwin 			crp->crp_aad_length = hlen;
384c0341432SJohn Baldwin 		crp->crp_digest_start = m->m_pkthdr.len - alen;
38588768458SSam Leffler 	}
38688768458SSam Leffler 
38788768458SSam Leffler 	/* Crypto operation descriptor */
38888768458SSam Leffler 	crp->crp_ilen = m->m_pkthdr.len; /* Total input length */
389c0341432SJohn Baldwin 	crp->crp_flags = CRYPTO_F_CBIFSYNC;
39039bbca6fSFabien Thomas 	if (V_async_crypto)
39139bbca6fSFabien Thomas 		crp->crp_flags |= CRYPTO_F_ASYNC | CRYPTO_F_ASYNC_KEEPORDER;
392c0341432SJohn Baldwin 	crp->crp_mbuf = m;
393c0341432SJohn Baldwin 	crp->crp_buf_type = CRYPTO_BUF_MBUF;
39488768458SSam Leffler 	crp->crp_callback = esp_input_cb;
395c0341432SJohn Baldwin 	crp->crp_opaque = xd;
39688768458SSam Leffler 
39788768458SSam Leffler 	/* These are passed as-is to the callback */
398fcf59617SAndrey V. Elsukov 	xd->sav = sav;
399fcf59617SAndrey V. Elsukov 	xd->protoff = protoff;
400fcf59617SAndrey V. Elsukov 	xd->skip = skip;
401fcf59617SAndrey V. Elsukov 	xd->cryptoid = cryptoid;
402fd40ecf3SJohn Baldwin 	xd->vnet = curvnet;
40388768458SSam Leffler 
40488768458SSam Leffler 	/* Decryption descriptor */
405c0341432SJohn Baldwin 	crp->crp_op |= CRYPTO_OP_DECRYPT;
406c0341432SJohn Baldwin 	crp->crp_payload_start = skip + hlen;
407c0341432SJohn Baldwin 	crp->crp_payload_length = m->m_pkthdr.len - (skip + hlen + alen);
40888768458SSam Leffler 
409a2bc81bfSJohn-Mark Gurney 	if (SAV_ISCTRORGCM(sav)) {
410c0341432SJohn Baldwin 		ivp = &crp->crp_iv[0];
41116de9ac1SGeorge V. Neville-Neil 
412a2bc81bfSJohn-Mark Gurney 		/* GCM IV Format: RFC4106 4 */
413a2bc81bfSJohn-Mark Gurney 		/* CTR IV Format: RFC3686 4 */
414a2bc81bfSJohn-Mark Gurney 		/* Salt is last four bytes of key, RFC4106 8.1 */
415a2bc81bfSJohn-Mark Gurney 		/* Nonce is last four bytes of key, RFC3686 5.1 */
416a2bc81bfSJohn-Mark Gurney 		memcpy(ivp, sav->key_enc->key_data +
417a2bc81bfSJohn-Mark Gurney 		    _KEYLEN(sav->key_enc) - 4, 4);
418a2bc81bfSJohn-Mark Gurney 
419a2bc81bfSJohn-Mark Gurney 		if (SAV_ISCTR(sav)) {
420a2bc81bfSJohn-Mark Gurney 			/* Initial block counter is 1, RFC3686 4 */
421a2bc81bfSJohn-Mark Gurney 			be32enc(&ivp[sav->ivlen + 4], 1);
422a2bc81bfSJohn-Mark Gurney 		}
423a2bc81bfSJohn-Mark Gurney 
424a2bc81bfSJohn-Mark Gurney 		m_copydata(m, skip + hlen - sav->ivlen, sav->ivlen, &ivp[4]);
425c0341432SJohn Baldwin 		crp->crp_flags |= CRYPTO_F_IV_SEPARATE;
426c0341432SJohn Baldwin 	} else if (sav->ivlen != 0)
427c0341432SJohn Baldwin 		crp->crp_iv_start = skip + hlen - sav->ivlen;
42888768458SSam Leffler 
42908537f45SAndrey V. Elsukov 	return (crypto_dispatch(crp));
4305f7c516fSAndrey V. Elsukov bad:
4315f7c516fSAndrey V. Elsukov 	m_freem(m);
4325f7c516fSAndrey V. Elsukov 	key_freesav(&sav);
4335f7c516fSAndrey V. Elsukov 	return (error);
43488768458SSam Leffler }
43588768458SSam Leffler 
43688768458SSam Leffler /*
43788768458SSam Leffler  * ESP input callback from the crypto driver.
43888768458SSam Leffler  */
43988768458SSam Leffler static int
44088768458SSam Leffler esp_input_cb(struct cryptop *crp)
44188768458SSam Leffler {
4427f1f6591SAndrey V. Elsukov 	IPSEC_DEBUG_DECLARE(char buf[128]);
443c0341432SJohn Baldwin 	uint8_t lastthree[3];
444fcf59617SAndrey V. Elsukov 	const struct auth_hash *esph;
44588768458SSam Leffler 	struct mbuf *m;
446fcf59617SAndrey V. Elsukov 	struct xform_data *xd;
44788768458SSam Leffler 	struct secasvar *sav;
44888768458SSam Leffler 	struct secasindex *saidx;
4492e08e39fSConrad Meyer 	crypto_session_t cryptoid;
450fcf59617SAndrey V. Elsukov 	int hlen, skip, protoff, error, alen;
45188768458SSam Leffler 
452c0341432SJohn Baldwin 	m = crp->crp_mbuf;
453c0341432SJohn Baldwin 	xd = crp->crp_opaque;
454fd40ecf3SJohn Baldwin 	CURVNET_SET(xd->vnet);
455fcf59617SAndrey V. Elsukov 	sav = xd->sav;
456fcf59617SAndrey V. Elsukov 	skip = xd->skip;
457fcf59617SAndrey V. Elsukov 	protoff = xd->protoff;
458fcf59617SAndrey V. Elsukov 	cryptoid = xd->cryptoid;
45988768458SSam Leffler 	saidx = &sav->sah->saidx;
46088768458SSam Leffler 	esph = sav->tdb_authalgxform;
46188768458SSam Leffler 
46288768458SSam Leffler 	/* Check for crypto errors */
46388768458SSam Leffler 	if (crp->crp_etype) {
464fcf59617SAndrey V. Elsukov 		if (crp->crp_etype == EAGAIN) {
46588768458SSam Leffler 			/* Reset the session ID */
4661b0909d5SConrad Meyer 			if (ipsec_updateid(sav, &crp->crp_session, &cryptoid) != 0)
467fcf59617SAndrey V. Elsukov 				crypto_freesession(cryptoid);
4681b0909d5SConrad Meyer 			xd->cryptoid = crp->crp_session;
469fd40ecf3SJohn Baldwin 			CURVNET_RESTORE();
4700a95a08eSPawel Jakub Dawidek 			return (crypto_dispatch(crp));
471fcf59617SAndrey V. Elsukov 		}
472c0341432SJohn Baldwin 
473c0341432SJohn Baldwin 		/* EBADMSG indicates authentication failure. */
474c0341432SJohn Baldwin 		if (!(crp->crp_etype == EBADMSG && esph != NULL)) {
475a04d64d8SAndrey V. Elsukov 			ESPSTAT_INC(esps_noxform);
476c0341432SJohn Baldwin 			DPRINTF(("%s: crypto error %d\n", __func__,
477c0341432SJohn Baldwin 				crp->crp_etype));
47888768458SSam Leffler 			error = crp->crp_etype;
47988768458SSam Leffler 			goto bad;
48088768458SSam Leffler 		}
481c0341432SJohn Baldwin 	}
48288768458SSam Leffler 
48388768458SSam Leffler 	/* Shouldn't happen... */
48488768458SSam Leffler 	if (m == NULL) {
485a04d64d8SAndrey V. Elsukov 		ESPSTAT_INC(esps_crypto);
4869ffa9677SSam Leffler 		DPRINTF(("%s: bogus returned buffer from crypto\n", __func__));
48788768458SSam Leffler 		error = EINVAL;
48888768458SSam Leffler 		goto bad;
48988768458SSam Leffler 	}
490a04d64d8SAndrey V. Elsukov 	ESPSTAT_INC(esps_hist[sav->alg_enc]);
49188768458SSam Leffler 
49288768458SSam Leffler 	/* If authentication was performed, check now. */
49388768458SSam Leffler 	if (esph != NULL) {
494a09a7146SJohn-Mark Gurney 		alen = xform_ah_authsize(esph);
495a04d64d8SAndrey V. Elsukov 		AHSTAT_INC(ahs_hist[sav->alg_auth]);
496c0341432SJohn Baldwin 		if (crp->crp_etype == EBADMSG) {
49708537f45SAndrey V. Elsukov 			DPRINTF(("%s: authentication hash mismatch for "
49808537f45SAndrey V. Elsukov 			    "packet in SA %s/%08lx\n", __func__,
499962ac6c7SAndrey V. Elsukov 			    ipsec_address(&saidx->dst, buf, sizeof(buf)),
50088768458SSam Leffler 			    (u_long) ntohl(sav->spi)));
501a04d64d8SAndrey V. Elsukov 			ESPSTAT_INC(esps_badauth);
50288768458SSam Leffler 			error = EACCES;
50388768458SSam Leffler 			goto bad;
50488768458SSam Leffler 		}
505fcf59617SAndrey V. Elsukov 		m->m_flags |= M_AUTHIPDGM;
50688768458SSam Leffler 		/* Remove trailing authenticator */
507442da28aSVANHULLEBUS Yvan 		m_adj(m, -alen);
50888768458SSam Leffler 	}
50988768458SSam Leffler 
51088768458SSam Leffler 	/* Release the crypto descriptors */
511fcf59617SAndrey V. Elsukov 	free(xd, M_XDATA), xd = NULL;
51288768458SSam Leffler 	crypto_freereq(crp), crp = NULL;
51388768458SSam Leffler 
51488768458SSam Leffler 	/*
51588768458SSam Leffler 	 * Packet is now decrypted.
51688768458SSam Leffler 	 */
51788768458SSam Leffler 	m->m_flags |= M_DECRYPTED;
51888768458SSam Leffler 
519d16f6f50SColin Percival 	/*
520d16f6f50SColin Percival 	 * Update replay sequence number, if appropriate.
521d16f6f50SColin Percival 	 */
522d16f6f50SColin Percival 	if (sav->replay) {
523d16f6f50SColin Percival 		u_int32_t seq;
524d16f6f50SColin Percival 
525d16f6f50SColin Percival 		m_copydata(m, skip + offsetof(struct newesp, esp_seq),
526d16f6f50SColin Percival 			   sizeof (seq), (caddr_t) &seq);
527fcf59617SAndrey V. Elsukov 		SECASVAR_LOCK(sav);
528d16f6f50SColin Percival 		if (ipsec_updatereplay(ntohl(seq), sav)) {
529fcf59617SAndrey V. Elsukov 			SECASVAR_UNLOCK(sav);
530d16f6f50SColin Percival 			DPRINTF(("%s: packet replay check for %s\n", __func__,
531fcf59617SAndrey V. Elsukov 			    ipsec_sa2str(sav, buf, sizeof(buf))));
532a04d64d8SAndrey V. Elsukov 			ESPSTAT_INC(esps_replay);
533fcf59617SAndrey V. Elsukov 			error = EACCES;
534d16f6f50SColin Percival 			goto bad;
535d16f6f50SColin Percival 		}
536fcf59617SAndrey V. Elsukov 		SECASVAR_UNLOCK(sav);
537d16f6f50SColin Percival 	}
538d16f6f50SColin Percival 
53988768458SSam Leffler 	/* Determine the ESP header length */
54088768458SSam Leffler 	if (sav->flags & SADB_X_EXT_OLD)
54188768458SSam Leffler 		hlen = sizeof (struct esp) + sav->ivlen;
54288768458SSam Leffler 	else
54388768458SSam Leffler 		hlen = sizeof (struct newesp) + sav->ivlen;
54488768458SSam Leffler 
54588768458SSam Leffler 	/* Remove the ESP header and IV from the mbuf. */
54688768458SSam Leffler 	error = m_striphdr(m, skip, hlen);
54788768458SSam Leffler 	if (error) {
548a04d64d8SAndrey V. Elsukov 		ESPSTAT_INC(esps_hdrops);
5499ffa9677SSam Leffler 		DPRINTF(("%s: bad mbuf chain, SA %s/%08lx\n", __func__,
550962ac6c7SAndrey V. Elsukov 		    ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)),
55188768458SSam Leffler 		    (u_long) ntohl(sav->spi)));
55288768458SSam Leffler 		goto bad;
55388768458SSam Leffler 	}
55488768458SSam Leffler 
55588768458SSam Leffler 	/* Save the last three bytes of decrypted data */
55688768458SSam Leffler 	m_copydata(m, m->m_pkthdr.len - 3, 3, lastthree);
55788768458SSam Leffler 
55888768458SSam Leffler 	/* Verify pad length */
55988768458SSam Leffler 	if (lastthree[1] + 2 > m->m_pkthdr.len - skip) {
560a04d64d8SAndrey V. Elsukov 		ESPSTAT_INC(esps_badilen);
5619ffa9677SSam Leffler 		DPRINTF(("%s: invalid padding length %d for %u byte packet "
562962ac6c7SAndrey V. Elsukov 		    "in SA %s/%08lx\n", __func__, lastthree[1],
563962ac6c7SAndrey V. Elsukov 		    m->m_pkthdr.len - skip,
564962ac6c7SAndrey V. Elsukov 		    ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)),
56588768458SSam Leffler 		    (u_long) ntohl(sav->spi)));
56688768458SSam Leffler 		error = EINVAL;
56788768458SSam Leffler 		goto bad;
56888768458SSam Leffler 	}
56988768458SSam Leffler 
57088768458SSam Leffler 	/* Verify correct decryption by checking the last padding bytes */
57188768458SSam Leffler 	if ((sav->flags & SADB_X_EXT_PMASK) != SADB_X_EXT_PRAND) {
57288768458SSam Leffler 		if (lastthree[1] != lastthree[0] && lastthree[1] != 0) {
573a04d64d8SAndrey V. Elsukov 			ESPSTAT_INC(esps_badenc);
5749ffa9677SSam Leffler 			DPRINTF(("%s: decryption failed for packet in "
575962ac6c7SAndrey V. Elsukov 			    "SA %s/%08lx\n", __func__, ipsec_address(
576962ac6c7SAndrey V. Elsukov 			    &sav->sah->saidx.dst, buf, sizeof(buf)),
57788768458SSam Leffler 			    (u_long) ntohl(sav->spi)));
57888768458SSam Leffler 			error = EINVAL;
57988768458SSam Leffler 			goto bad;
58088768458SSam Leffler 		}
58188768458SSam Leffler 	}
58288768458SSam Leffler 
5833f44ee8eSAndrey V. Elsukov 	/*
5843f44ee8eSAndrey V. Elsukov 	 * RFC4303 2.6:
5853f44ee8eSAndrey V. Elsukov 	 * Silently drop packet if next header field is IPPROTO_NONE.
5863f44ee8eSAndrey V. Elsukov 	 */
5873f44ee8eSAndrey V. Elsukov 	if (lastthree[2] == IPPROTO_NONE)
5883f44ee8eSAndrey V. Elsukov 		goto bad;
5893f44ee8eSAndrey V. Elsukov 
59088768458SSam Leffler 	/* Trim the mbuf chain to remove trailing authenticator and padding */
59188768458SSam Leffler 	m_adj(m, -(lastthree[1] + 2));
59288768458SSam Leffler 
59388768458SSam Leffler 	/* Restore the Next Protocol field */
59488768458SSam Leffler 	m_copyback(m, protoff, sizeof (u_int8_t), lastthree + 2);
59588768458SSam Leffler 
596db178eb8SBjoern A. Zeeb 	switch (saidx->dst.sa.sa_family) {
597db178eb8SBjoern A. Zeeb #ifdef INET6
598db178eb8SBjoern A. Zeeb 	case AF_INET6:
599f0514a8bSAndrey V. Elsukov 		error = ipsec6_common_input_cb(m, sav, skip, protoff);
600db178eb8SBjoern A. Zeeb 		break;
601db178eb8SBjoern A. Zeeb #endif
602db178eb8SBjoern A. Zeeb #ifdef INET
603db178eb8SBjoern A. Zeeb 	case AF_INET:
604f0514a8bSAndrey V. Elsukov 		error = ipsec4_common_input_cb(m, sav, skip, protoff);
605db178eb8SBjoern A. Zeeb 		break;
606db178eb8SBjoern A. Zeeb #endif
607db178eb8SBjoern A. Zeeb 	default:
608db178eb8SBjoern A. Zeeb 		panic("%s: Unexpected address family: %d saidx=%p", __func__,
609db178eb8SBjoern A. Zeeb 		    saidx->dst.sa.sa_family, saidx);
610db178eb8SBjoern A. Zeeb 	}
611fd40ecf3SJohn Baldwin 	CURVNET_RESTORE();
61288768458SSam Leffler 	return error;
61388768458SSam Leffler bad:
614fd40ecf3SJohn Baldwin 	CURVNET_RESTORE();
615fcf59617SAndrey V. Elsukov 	if (sav != NULL)
616fcf59617SAndrey V. Elsukov 		key_freesav(&sav);
61788768458SSam Leffler 	if (m != NULL)
61888768458SSam Leffler 		m_freem(m);
619fcf59617SAndrey V. Elsukov 	if (xd != NULL)
620fcf59617SAndrey V. Elsukov 		free(xd, M_XDATA);
62188768458SSam Leffler 	if (crp != NULL)
62288768458SSam Leffler 		crypto_freereq(crp);
62388768458SSam Leffler 	return error;
62488768458SSam Leffler }
62588768458SSam Leffler /*
626fcf59617SAndrey V. Elsukov  * ESP output routine, called by ipsec[46]_perform_request().
62788768458SSam Leffler  */
62888768458SSam Leffler static int
629fcf59617SAndrey V. Elsukov esp_output(struct mbuf *m, struct secpolicy *sp, struct secasvar *sav,
630fcf59617SAndrey V. Elsukov     u_int idx, int skip, int protoff)
63188768458SSam Leffler {
6327f1f6591SAndrey V. Elsukov 	IPSEC_DEBUG_DECLARE(char buf[IPSEC_ADDRSTRLEN]);
63388768458SSam Leffler 	struct cryptop *crp;
634fcf59617SAndrey V. Elsukov 	const struct auth_hash *esph;
635fcf59617SAndrey V. Elsukov 	const struct enc_xform *espx;
636fcf59617SAndrey V. Elsukov 	struct mbuf *mo = NULL;
637fcf59617SAndrey V. Elsukov 	struct xform_data *xd;
638fcf59617SAndrey V. Elsukov 	struct secasindex *saidx;
639fcf59617SAndrey V. Elsukov 	unsigned char *pad;
640fcf59617SAndrey V. Elsukov 	uint8_t *ivp;
6412e08e39fSConrad Meyer 	uint64_t cntr;
6422e08e39fSConrad Meyer 	crypto_session_t cryptoid;
643fcf59617SAndrey V. Elsukov 	int hlen, rlen, padding, blks, alen, i, roff;
644fcf59617SAndrey V. Elsukov 	int error, maxpacketsize;
645fcf59617SAndrey V. Elsukov 	uint8_t prot;
64688768458SSam Leffler 
6479ffa9677SSam Leffler 	IPSEC_ASSERT(sav != NULL, ("null SA"));
64888768458SSam Leffler 	esph = sav->tdb_authalgxform;
64988768458SSam Leffler 	espx = sav->tdb_encalgxform;
6509ffa9677SSam Leffler 	IPSEC_ASSERT(espx != NULL, ("null encoding xform"));
65188768458SSam Leffler 
65288768458SSam Leffler 	if (sav->flags & SADB_X_EXT_OLD)
65388768458SSam Leffler 		hlen = sizeof (struct esp) + sav->ivlen;
65488768458SSam Leffler 	else
65588768458SSam Leffler 		hlen = sizeof (struct newesp) + sav->ivlen;
65688768458SSam Leffler 
65788768458SSam Leffler 	rlen = m->m_pkthdr.len - skip;	/* Raw payload length. */
65888768458SSam Leffler 	/*
659a2bc81bfSJohn-Mark Gurney 	 * RFC4303 2.4 Requires 4 byte alignment.
66088768458SSam Leffler 	 */
661a2bc81bfSJohn-Mark Gurney 	blks = MAX(4, espx->blocksize);		/* Cipher blocksize */
66288768458SSam Leffler 
66388768458SSam Leffler 	/* XXX clamp padding length a la KAME??? */
66488768458SSam Leffler 	padding = ((blks - ((rlen + 2) % blks)) % blks) + 2;
66588768458SSam Leffler 
666a09a7146SJohn-Mark Gurney 	alen = xform_ah_authsize(esph);
66788768458SSam Leffler 
668a04d64d8SAndrey V. Elsukov 	ESPSTAT_INC(esps_output);
66988768458SSam Leffler 
67088768458SSam Leffler 	saidx = &sav->sah->saidx;
67188768458SSam Leffler 	/* Check for maximum packet size violations. */
67288768458SSam Leffler 	switch (saidx->dst.sa.sa_family) {
67388768458SSam Leffler #ifdef INET
67488768458SSam Leffler 	case AF_INET:
67588768458SSam Leffler 		maxpacketsize = IP_MAXPACKET;
67688768458SSam Leffler 		break;
67788768458SSam Leffler #endif /* INET */
67888768458SSam Leffler #ifdef INET6
67988768458SSam Leffler 	case AF_INET6:
68088768458SSam Leffler 		maxpacketsize = IPV6_MAXPACKET;
68188768458SSam Leffler 		break;
68288768458SSam Leffler #endif /* INET6 */
68388768458SSam Leffler 	default:
6849ffa9677SSam Leffler 		DPRINTF(("%s: unknown/unsupported protocol "
6859ffa9677SSam Leffler 		    "family %d, SA %s/%08lx\n", __func__,
686962ac6c7SAndrey V. Elsukov 		    saidx->dst.sa.sa_family, ipsec_address(&saidx->dst,
687962ac6c7SAndrey V. Elsukov 			buf, sizeof(buf)), (u_long) ntohl(sav->spi)));
688a04d64d8SAndrey V. Elsukov 		ESPSTAT_INC(esps_nopf);
68988768458SSam Leffler 		error = EPFNOSUPPORT;
69088768458SSam Leffler 		goto bad;
69188768458SSam Leffler 	}
692fcf59617SAndrey V. Elsukov 	/*
69316de9ac1SGeorge V. Neville-Neil 	DPRINTF(("%s: skip %d hlen %d rlen %d padding %d alen %d blksd %d\n",
694fcf59617SAndrey V. Elsukov 		__func__, skip, hlen, rlen, padding, alen, blks)); */
69588768458SSam Leffler 	if (skip + hlen + rlen + padding + alen > maxpacketsize) {
6969ffa9677SSam Leffler 		DPRINTF(("%s: packet in SA %s/%08lx got too big "
6979ffa9677SSam Leffler 		    "(len %u, max len %u)\n", __func__,
698962ac6c7SAndrey V. Elsukov 		    ipsec_address(&saidx->dst, buf, sizeof(buf)),
699962ac6c7SAndrey V. Elsukov 		    (u_long) ntohl(sav->spi),
70088768458SSam Leffler 		    skip + hlen + rlen + padding + alen, maxpacketsize));
701a04d64d8SAndrey V. Elsukov 		ESPSTAT_INC(esps_toobig);
70288768458SSam Leffler 		error = EMSGSIZE;
70388768458SSam Leffler 		goto bad;
70488768458SSam Leffler 	}
70588768458SSam Leffler 
70688768458SSam Leffler 	/* Update the counters. */
707a04d64d8SAndrey V. Elsukov 	ESPSTAT_ADD(esps_obytes, m->m_pkthdr.len - skip);
70888768458SSam Leffler 
70947e2996eSSam Leffler 	m = m_unshare(m, M_NOWAIT);
71088768458SSam Leffler 	if (m == NULL) {
7119ffa9677SSam Leffler 		DPRINTF(("%s: cannot clone mbuf chain, SA %s/%08lx\n", __func__,
712962ac6c7SAndrey V. Elsukov 		    ipsec_address(&saidx->dst, buf, sizeof(buf)),
713962ac6c7SAndrey V. Elsukov 		    (u_long) ntohl(sav->spi)));
714a04d64d8SAndrey V. Elsukov 		ESPSTAT_INC(esps_hdrops);
71588768458SSam Leffler 		error = ENOBUFS;
71688768458SSam Leffler 		goto bad;
71788768458SSam Leffler 	}
71888768458SSam Leffler 
71988768458SSam Leffler 	/* Inject ESP header. */
72088768458SSam Leffler 	mo = m_makespace(m, skip, hlen, &roff);
72188768458SSam Leffler 	if (mo == NULL) {
7229ffa9677SSam Leffler 		DPRINTF(("%s: %u byte ESP hdr inject failed for SA %s/%08lx\n",
723962ac6c7SAndrey V. Elsukov 		    __func__, hlen, ipsec_address(&saidx->dst, buf,
724962ac6c7SAndrey V. Elsukov 		    sizeof(buf)), (u_long) ntohl(sav->spi)));
725a04d64d8SAndrey V. Elsukov 		ESPSTAT_INC(esps_hdrops);	/* XXX diffs from openbsd */
72688768458SSam Leffler 		error = ENOBUFS;
72788768458SSam Leffler 		goto bad;
72888768458SSam Leffler 	}
72988768458SSam Leffler 
73088768458SSam Leffler 	/* Initialize ESP header. */
731fcf59617SAndrey V. Elsukov 	bcopy((caddr_t) &sav->spi, mtod(mo, caddr_t) + roff,
732fcf59617SAndrey V. Elsukov 	    sizeof(uint32_t));
733bf435626SFabien Thomas 	SECASVAR_LOCK(sav);
734fcf59617SAndrey V. Elsukov 	if (sav->replay) {
735fcf59617SAndrey V. Elsukov 		uint32_t replay;
736fcf59617SAndrey V. Elsukov 
7376131838bSPawel Jakub Dawidek #ifdef REGRESSION
738dfa9422bSPawel Jakub Dawidek 		/* Emulate replay attack when ipsec_replay is TRUE. */
739603724d3SBjoern A. Zeeb 		if (!V_ipsec_replay)
7406131838bSPawel Jakub Dawidek #endif
741dfa9422bSPawel Jakub Dawidek 			sav->replay->count++;
742dfa9422bSPawel Jakub Dawidek 		replay = htonl(sav->replay->count);
743fcf59617SAndrey V. Elsukov 
744fcf59617SAndrey V. Elsukov 		bcopy((caddr_t) &replay, mtod(mo, caddr_t) + roff +
745fcf59617SAndrey V. Elsukov 		    sizeof(uint32_t), sizeof(uint32_t));
74688768458SSam Leffler 	}
747fcf59617SAndrey V. Elsukov 	cryptoid = sav->tdb_cryptoid;
748fcf59617SAndrey V. Elsukov 	if (SAV_ISCTRORGCM(sav))
749fcf59617SAndrey V. Elsukov 		cntr = sav->cntr++;
750fcf59617SAndrey V. Elsukov 	SECASVAR_UNLOCK(sav);
75188768458SSam Leffler 
75288768458SSam Leffler 	/*
75388768458SSam Leffler 	 * Add padding -- better to do it ourselves than use the crypto engine,
75488768458SSam Leffler 	 * although if/when we support compression, we'd have to do that.
75588768458SSam Leffler 	 */
75688768458SSam Leffler 	pad = (u_char *) m_pad(m, padding + alen);
75788768458SSam Leffler 	if (pad == NULL) {
7589ffa9677SSam Leffler 		DPRINTF(("%s: m_pad failed for SA %s/%08lx\n", __func__,
759962ac6c7SAndrey V. Elsukov 		    ipsec_address(&saidx->dst, buf, sizeof(buf)),
760962ac6c7SAndrey V. Elsukov 		    (u_long) ntohl(sav->spi)));
76188768458SSam Leffler 		m = NULL;		/* NB: free'd by m_pad */
76288768458SSam Leffler 		error = ENOBUFS;
76388768458SSam Leffler 		goto bad;
76488768458SSam Leffler 	}
76588768458SSam Leffler 
76688768458SSam Leffler 	/*
76788768458SSam Leffler 	 * Add padding: random, zero, or self-describing.
76888768458SSam Leffler 	 * XXX catch unexpected setting
76988768458SSam Leffler 	 */
77088768458SSam Leffler 	switch (sav->flags & SADB_X_EXT_PMASK) {
77188768458SSam Leffler 	case SADB_X_EXT_PRAND:
772a8a16c71SConrad Meyer 		arc4random_buf(pad, padding - 2);
77388768458SSam Leffler 		break;
77488768458SSam Leffler 	case SADB_X_EXT_PZERO:
77588768458SSam Leffler 		bzero(pad, padding - 2);
77688768458SSam Leffler 		break;
77788768458SSam Leffler 	case SADB_X_EXT_PSEQ:
77888768458SSam Leffler 		for (i = 0; i < padding - 2; i++)
77988768458SSam Leffler 			pad[i] = i+1;
78088768458SSam Leffler 		break;
78188768458SSam Leffler 	}
78288768458SSam Leffler 
78388768458SSam Leffler 	/* Fix padding length and Next Protocol in padding itself. */
78488768458SSam Leffler 	pad[padding - 2] = padding - 2;
78588768458SSam Leffler 	m_copydata(m, protoff, sizeof(u_int8_t), pad + padding - 1);
78688768458SSam Leffler 
78788768458SSam Leffler 	/* Fix Next Protocol in IPv4/IPv6 header. */
78888768458SSam Leffler 	prot = IPPROTO_ESP;
78988768458SSam Leffler 	m_copyback(m, protoff, sizeof(u_int8_t), (u_char *) &prot);
79088768458SSam Leffler 
791c0341432SJohn Baldwin 	/* Get crypto descriptor. */
792c0341432SJohn Baldwin 	crp = crypto_getreq(cryptoid, M_NOWAIT);
79388768458SSam Leffler 	if (crp == NULL) {
794c0341432SJohn Baldwin 		DPRINTF(("%s: failed to acquire crypto descriptor\n",
7959ffa9677SSam Leffler 			__func__));
796a04d64d8SAndrey V. Elsukov 		ESPSTAT_INC(esps_crypto);
79788768458SSam Leffler 		error = ENOBUFS;
79888768458SSam Leffler 		goto bad;
79988768458SSam Leffler 	}
80088768458SSam Leffler 
801a2bc81bfSJohn-Mark Gurney 	/* IPsec-specific opaque crypto info. */
802fcf59617SAndrey V. Elsukov 	xd =  malloc(sizeof(struct xform_data), M_XDATA, M_NOWAIT | M_ZERO);
803fcf59617SAndrey V. Elsukov 	if (xd == NULL) {
804a2bc81bfSJohn-Mark Gurney 		crypto_freereq(crp);
805fcf59617SAndrey V. Elsukov 		DPRINTF(("%s: failed to allocate xform_data\n", __func__));
806a2bc81bfSJohn-Mark Gurney 		ESPSTAT_INC(esps_crypto);
807a2bc81bfSJohn-Mark Gurney 		error = ENOBUFS;
808a2bc81bfSJohn-Mark Gurney 		goto bad;
809a2bc81bfSJohn-Mark Gurney 	}
810a2bc81bfSJohn-Mark Gurney 
81188768458SSam Leffler 	/* Encryption descriptor. */
812c0341432SJohn Baldwin 	crp->crp_payload_start = skip + hlen;
813c0341432SJohn Baldwin 	crp->crp_payload_length = m->m_pkthdr.len - (skip + hlen + alen);
814c0341432SJohn Baldwin 	crp->crp_op = CRYPTO_OP_ENCRYPT;
81588768458SSam Leffler 
816*8cbde414SJohn Baldwin 	/* Generate IV / nonce. */
817c0341432SJohn Baldwin 	ivp = &crp->crp_iv[0];
818*8cbde414SJohn Baldwin 	if (SAV_ISCTRORGCM(sav)) {
819a2bc81bfSJohn-Mark Gurney 		/* GCM IV Format: RFC4106 4 */
820a2bc81bfSJohn-Mark Gurney 		/* CTR IV Format: RFC3686 4 */
821a2bc81bfSJohn-Mark Gurney 		/* Salt is last four bytes of key, RFC4106 8.1 */
822a2bc81bfSJohn-Mark Gurney 		/* Nonce is last four bytes of key, RFC3686 5.1 */
823a2bc81bfSJohn-Mark Gurney 		memcpy(ivp, sav->key_enc->key_data +
824a2bc81bfSJohn-Mark Gurney 		    _KEYLEN(sav->key_enc) - 4, 4);
825a2bc81bfSJohn-Mark Gurney 		be64enc(&ivp[4], cntr);
826a2bc81bfSJohn-Mark Gurney 		if (SAV_ISCTR(sav)) {
827a2bc81bfSJohn-Mark Gurney 			/* Initial block counter is 1, RFC3686 4 */
828fcf59617SAndrey V. Elsukov 			/* XXXAE: should we use this only for first packet? */
829a2bc81bfSJohn-Mark Gurney 			be32enc(&ivp[sav->ivlen + 4], 1);
830a2bc81bfSJohn-Mark Gurney 		}
831a2bc81bfSJohn-Mark Gurney 
832a2bc81bfSJohn-Mark Gurney 		m_copyback(m, skip + hlen - sav->ivlen, sav->ivlen, &ivp[4]);
833c0341432SJohn Baldwin 		crp->crp_flags |= CRYPTO_F_IV_SEPARATE;
834c0341432SJohn Baldwin 	} else if (sav->ivlen != 0) {
835*8cbde414SJohn Baldwin 		arc4rand(ivp, sav->ivlen, 0);
836c0341432SJohn Baldwin 		crp->crp_iv_start = skip + hlen - sav->ivlen;
837*8cbde414SJohn Baldwin 		m_copyback(m, crp->crp_iv_start, sav->ivlen, ivp);
83888768458SSam Leffler 	}
83988768458SSam Leffler 
84088768458SSam Leffler 	/* Callback parameters */
841fcf59617SAndrey V. Elsukov 	xd->sp = sp;
842fcf59617SAndrey V. Elsukov 	xd->sav = sav;
843fcf59617SAndrey V. Elsukov 	xd->idx = idx;
844fcf59617SAndrey V. Elsukov 	xd->cryptoid = cryptoid;
845fd40ecf3SJohn Baldwin 	xd->vnet = curvnet;
84688768458SSam Leffler 
84788768458SSam Leffler 	/* Crypto operation descriptor. */
84888768458SSam Leffler 	crp->crp_ilen = m->m_pkthdr.len; /* Total input length. */
849c0341432SJohn Baldwin 	crp->crp_flags |= CRYPTO_F_CBIFSYNC;
85039bbca6fSFabien Thomas 	if (V_async_crypto)
85139bbca6fSFabien Thomas 		crp->crp_flags |= CRYPTO_F_ASYNC | CRYPTO_F_ASYNC_KEEPORDER;
852c0341432SJohn Baldwin 	crp->crp_mbuf = m;
853c0341432SJohn Baldwin 	crp->crp_buf_type = CRYPTO_BUF_MBUF;
85488768458SSam Leffler 	crp->crp_callback = esp_output_cb;
855c0341432SJohn Baldwin 	crp->crp_opaque = xd;
85688768458SSam Leffler 
85788768458SSam Leffler 	if (esph) {
85888768458SSam Leffler 		/* Authentication descriptor. */
859c0341432SJohn Baldwin 		crp->crp_op |= CRYPTO_OP_COMPUTE_DIGEST;
860c0341432SJohn Baldwin 		crp->crp_aad_start = skip;
861a2bc81bfSJohn-Mark Gurney 		if (SAV_ISGCM(sav))
862c0341432SJohn Baldwin 			crp->crp_aad_length = 8; /* RFC4106 5, SPI + SN */
86316de9ac1SGeorge V. Neville-Neil 		else
864c0341432SJohn Baldwin 			crp->crp_aad_length = hlen;
865c0341432SJohn Baldwin 		crp->crp_digest_start = m->m_pkthdr.len - alen;
86616de9ac1SGeorge V. Neville-Neil 	}
86716de9ac1SGeorge V. Neville-Neil 
86888768458SSam Leffler 	return crypto_dispatch(crp);
86988768458SSam Leffler bad:
87088768458SSam Leffler 	if (m)
87188768458SSam Leffler 		m_freem(m);
8723aee7099SAndrey V. Elsukov 	key_freesav(&sav);
8733aee7099SAndrey V. Elsukov 	key_freesp(&sp);
87488768458SSam Leffler 	return (error);
87588768458SSam Leffler }
87688768458SSam Leffler /*
87788768458SSam Leffler  * ESP output callback from the crypto driver.
87888768458SSam Leffler  */
87988768458SSam Leffler static int
88088768458SSam Leffler esp_output_cb(struct cryptop *crp)
88188768458SSam Leffler {
882fcf59617SAndrey V. Elsukov 	struct xform_data *xd;
883fcf59617SAndrey V. Elsukov 	struct secpolicy *sp;
88488768458SSam Leffler 	struct secasvar *sav;
88588768458SSam Leffler 	struct mbuf *m;
8862e08e39fSConrad Meyer 	crypto_session_t cryptoid;
887fcf59617SAndrey V. Elsukov 	u_int idx;
8880e4fb1dbSPawel Jakub Dawidek 	int error;
88988768458SSam Leffler 
890fcf59617SAndrey V. Elsukov 	xd = (struct xform_data *) crp->crp_opaque;
891fd40ecf3SJohn Baldwin 	CURVNET_SET(xd->vnet);
89288768458SSam Leffler 	m = (struct mbuf *) crp->crp_buf;
893fcf59617SAndrey V. Elsukov 	sp = xd->sp;
894fcf59617SAndrey V. Elsukov 	sav = xd->sav;
895fcf59617SAndrey V. Elsukov 	idx = xd->idx;
896fcf59617SAndrey V. Elsukov 	cryptoid = xd->cryptoid;
89788768458SSam Leffler 
89888768458SSam Leffler 	/* Check for crypto errors. */
89988768458SSam Leffler 	if (crp->crp_etype) {
90088768458SSam Leffler 		if (crp->crp_etype == EAGAIN) {
901fcf59617SAndrey V. Elsukov 			/* Reset the session ID */
9021b0909d5SConrad Meyer 			if (ipsec_updateid(sav, &crp->crp_session, &cryptoid) != 0)
903fcf59617SAndrey V. Elsukov 				crypto_freesession(cryptoid);
9041b0909d5SConrad Meyer 			xd->cryptoid = crp->crp_session;
905fd40ecf3SJohn Baldwin 			CURVNET_RESTORE();
9060a95a08eSPawel Jakub Dawidek 			return (crypto_dispatch(crp));
90788768458SSam Leffler 		}
908a04d64d8SAndrey V. Elsukov 		ESPSTAT_INC(esps_noxform);
9099ffa9677SSam Leffler 		DPRINTF(("%s: crypto error %d\n", __func__, crp->crp_etype));
91088768458SSam Leffler 		error = crp->crp_etype;
911fcf59617SAndrey V. Elsukov 		m_freem(m);
91288768458SSam Leffler 		goto bad;
91388768458SSam Leffler 	}
91488768458SSam Leffler 
91588768458SSam Leffler 	/* Shouldn't happen... */
91688768458SSam Leffler 	if (m == NULL) {
917a04d64d8SAndrey V. Elsukov 		ESPSTAT_INC(esps_crypto);
9189ffa9677SSam Leffler 		DPRINTF(("%s: bogus returned buffer from crypto\n", __func__));
91988768458SSam Leffler 		error = EINVAL;
92088768458SSam Leffler 		goto bad;
92188768458SSam Leffler 	}
922fcf59617SAndrey V. Elsukov 	free(xd, M_XDATA);
923fcf59617SAndrey V. Elsukov 	crypto_freereq(crp);
924a04d64d8SAndrey V. Elsukov 	ESPSTAT_INC(esps_hist[sav->alg_enc]);
92588768458SSam Leffler 	if (sav->tdb_authalgxform != NULL)
926a04d64d8SAndrey V. Elsukov 		AHSTAT_INC(ahs_hist[sav->alg_auth]);
92788768458SSam Leffler 
9286131838bSPawel Jakub Dawidek #ifdef REGRESSION
929dfa9422bSPawel Jakub Dawidek 	/* Emulate man-in-the-middle attack when ipsec_integrity is TRUE. */
930603724d3SBjoern A. Zeeb 	if (V_ipsec_integrity) {
931442da28aSVANHULLEBUS Yvan 		static unsigned char ipseczeroes[AH_HMAC_MAXHASHLEN];
932fcf59617SAndrey V. Elsukov 		const struct auth_hash *esph;
933dfa9422bSPawel Jakub Dawidek 
934dfa9422bSPawel Jakub Dawidek 		/*
935dfa9422bSPawel Jakub Dawidek 		 * Corrupt HMAC if we want to test integrity verification of
936dfa9422bSPawel Jakub Dawidek 		 * the other side.
937dfa9422bSPawel Jakub Dawidek 		 */
938dfa9422bSPawel Jakub Dawidek 		esph = sav->tdb_authalgxform;
939dfa9422bSPawel Jakub Dawidek 		if (esph !=  NULL) {
940442da28aSVANHULLEBUS Yvan 			int alen;
941442da28aSVANHULLEBUS Yvan 
942a09a7146SJohn-Mark Gurney 			alen = xform_ah_authsize(esph);
943442da28aSVANHULLEBUS Yvan 			m_copyback(m, m->m_pkthdr.len - alen,
944442da28aSVANHULLEBUS Yvan 			    alen, ipseczeroes);
945dfa9422bSPawel Jakub Dawidek 		}
946dfa9422bSPawel Jakub Dawidek 	}
9476131838bSPawel Jakub Dawidek #endif
948dfa9422bSPawel Jakub Dawidek 
94988768458SSam Leffler 	/* NB: m is reclaimed by ipsec_process_done. */
950fcf59617SAndrey V. Elsukov 	error = ipsec_process_done(m, sp, sav, idx);
951fd40ecf3SJohn Baldwin 	CURVNET_RESTORE();
9523d80e82dSAndrey V. Elsukov 	return (error);
95388768458SSam Leffler bad:
954fd40ecf3SJohn Baldwin 	CURVNET_RESTORE();
955fcf59617SAndrey V. Elsukov 	free(xd, M_XDATA);
95688768458SSam Leffler 	crypto_freereq(crp);
957fcf59617SAndrey V. Elsukov 	key_freesav(&sav);
958fcf59617SAndrey V. Elsukov 	key_freesp(&sp);
9593d80e82dSAndrey V. Elsukov 	return (error);
96088768458SSam Leffler }
96188768458SSam Leffler 
96288768458SSam Leffler static struct xformsw esp_xformsw = {
963fcf59617SAndrey V. Elsukov 	.xf_type =	XF_ESP,
964fcf59617SAndrey V. Elsukov 	.xf_name =	"IPsec ESP",
965fcf59617SAndrey V. Elsukov 	.xf_init =	esp_init,
966fcf59617SAndrey V. Elsukov 	.xf_zeroize =	esp_zeroize,
967fcf59617SAndrey V. Elsukov 	.xf_input =	esp_input,
968fcf59617SAndrey V. Elsukov 	.xf_output =	esp_output,
96988768458SSam Leffler };
97088768458SSam Leffler 
971fcf59617SAndrey V. Elsukov SYSINIT(esp_xform_init, SI_SUB_PROTO_DOMAIN, SI_ORDER_MIDDLE,
972fcf59617SAndrey V. Elsukov     xform_attach, &esp_xformsw);
973fcf59617SAndrey V. Elsukov SYSUNINIT(esp_xform_uninit, SI_SUB_PROTO_DOMAIN, SI_ORDER_MIDDLE,
974fcf59617SAndrey V. Elsukov     xform_detach, &esp_xformsw);
975