xref: /freebsd/sys/netipsec/xform_esp.c (revision c161c46d4cda2a52a43337ed9c11be84e3d701e3) 
188768458SSam Leffler /*	$FreeBSD$	*/
288768458SSam Leffler /*	$OpenBSD: ip_esp.c,v 1.69 2001/06/26 06:18:59 angelos Exp $ */
3c398230bSWarner Losh /*-
488768458SSam Leffler  * The authors of this code are John Ioannidis (ji@tla.org),
588768458SSam Leffler  * Angelos D. Keromytis (kermit@csd.uch.gr) and
688768458SSam Leffler  * Niels Provos (provos@physnet.uni-hamburg.de).
788768458SSam Leffler  *
888768458SSam Leffler  * The original version of this code was written by John Ioannidis
988768458SSam Leffler  * for BSD/OS in Athens, Greece, in November 1995.
1088768458SSam Leffler  *
1188768458SSam Leffler  * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996,
1288768458SSam Leffler  * by Angelos D. Keromytis.
1388768458SSam Leffler  *
1488768458SSam Leffler  * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis
1588768458SSam Leffler  * and Niels Provos.
1688768458SSam Leffler  *
1788768458SSam Leffler  * Additional features in 1999 by Angelos D. Keromytis.
1888768458SSam Leffler  *
1988768458SSam Leffler  * Copyright (C) 1995, 1996, 1997, 1998, 1999 by John Ioannidis,
2088768458SSam Leffler  * Angelos D. Keromytis and Niels Provos.
2188768458SSam Leffler  * Copyright (c) 2001 Angelos D. Keromytis.
2288768458SSam Leffler  *
2388768458SSam Leffler  * Permission to use, copy, and modify this software with or without fee
2488768458SSam Leffler  * is hereby granted, provided that this entire notice is included in
2588768458SSam Leffler  * all copies of any software which is or includes a copy or
2688768458SSam Leffler  * modification of this software.
2788768458SSam Leffler  * You may use this code under the GNU public license if you so wish. Please
2888768458SSam Leffler  * contribute changes back to the authors under this freer than GPL license
2988768458SSam Leffler  * so that we may further the use of strong encryption without limitations to
3088768458SSam Leffler  * all.
3188768458SSam Leffler  *
3288768458SSam Leffler  * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
3388768458SSam Leffler  * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY
3488768458SSam Leffler  * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
3588768458SSam Leffler  * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
3688768458SSam Leffler  * PURPOSE.
3788768458SSam Leffler  */
3888768458SSam Leffler #include "opt_inet.h"
3988768458SSam Leffler #include "opt_inet6.h"
4088768458SSam Leffler 
4188768458SSam Leffler #include <sys/param.h>
4288768458SSam Leffler #include <sys/systm.h>
4388768458SSam Leffler #include <sys/mbuf.h>
4488768458SSam Leffler #include <sys/socket.h>
4588768458SSam Leffler #include <sys/syslog.h>
4688768458SSam Leffler #include <sys/kernel.h>
47eedc7fd9SGleb Smirnoff #include <sys/lock.h>
4888768458SSam Leffler #include <sys/random.h>
49fcf59617SAndrey V. Elsukov #include <sys/mutex.h>
5088768458SSam Leffler #include <sys/sysctl.h>
51a2bc81bfSJohn-Mark Gurney #include <sys/mutex.h>
52a2bc81bfSJohn-Mark Gurney #include <machine/atomic.h>
5388768458SSam Leffler 
5488768458SSam Leffler #include <net/if.h>
55eddfbb76SRobert Watson #include <net/vnet.h>
5688768458SSam Leffler 
5788768458SSam Leffler #include <netinet/in.h>
5888768458SSam Leffler #include <netinet/in_systm.h>
5988768458SSam Leffler #include <netinet/ip.h>
6088768458SSam Leffler #include <netinet/ip_ecn.h>
6188768458SSam Leffler #include <netinet/ip6.h>
6288768458SSam Leffler 
6388768458SSam Leffler #include <netipsec/ipsec.h>
6488768458SSam Leffler #include <netipsec/ah.h>
6588768458SSam Leffler #include <netipsec/ah_var.h>
6688768458SSam Leffler #include <netipsec/esp.h>
6788768458SSam Leffler #include <netipsec/esp_var.h>
6888768458SSam Leffler #include <netipsec/xform.h>
6988768458SSam Leffler 
7088768458SSam Leffler #ifdef INET6
7188768458SSam Leffler #include <netinet6/ip6_var.h>
7288768458SSam Leffler #include <netipsec/ipsec6.h>
7388768458SSam Leffler #include <netinet6/ip6_ecn.h>
7488768458SSam Leffler #endif
7588768458SSam Leffler 
7688768458SSam Leffler #include <netipsec/key.h>
7788768458SSam Leffler #include <netipsec/key_debug.h>
7888768458SSam Leffler 
7988768458SSam Leffler #include <opencrypto/cryptodev.h>
8088768458SSam Leffler #include <opencrypto/xform.h>
8188768458SSam Leffler 
82eddfbb76SRobert Watson VNET_DEFINE(int, esp_enable) = 1;
83db8c0879SAndrey V. Elsukov VNET_PCPUSTAT_DEFINE(struct espstat, espstat);
84db8c0879SAndrey V. Elsukov VNET_PCPUSTAT_SYSINIT(espstat);
85db8c0879SAndrey V. Elsukov 
86db8c0879SAndrey V. Elsukov #ifdef VIMAGE
87db8c0879SAndrey V. Elsukov VNET_PCPUSTAT_SYSUNINIT(espstat);
88db8c0879SAndrey V. Elsukov #endif /* VIMAGE */
8988768458SSam Leffler 
9088768458SSam Leffler SYSCTL_DECL(_net_inet_esp);
916df8a710SGleb Smirnoff SYSCTL_INT(_net_inet_esp, OID_AUTO, esp_enable,
926df8a710SGleb Smirnoff 	CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(esp_enable), 0, "");
93db8c0879SAndrey V. Elsukov SYSCTL_VNET_PCPUSTAT(_net_inet_esp, IPSECCTL_STATS, stats,
94db8c0879SAndrey V. Elsukov     struct espstat, espstat,
95db8c0879SAndrey V. Elsukov     "ESP statistics (struct espstat, netipsec/esp_var.h");
96eddfbb76SRobert Watson 
97c2fd516fSJohn Baldwin static struct timeval deswarn, blfwarn, castwarn, camelliawarn;
98c2fd516fSJohn Baldwin 
9988768458SSam Leffler static int esp_input_cb(struct cryptop *op);
10088768458SSam Leffler static int esp_output_cb(struct cryptop *crp);
101bfe1aba4SMarko Zec 
10288768458SSam Leffler size_t
10388768458SSam Leffler esp_hdrsiz(struct secasvar *sav)
10488768458SSam Leffler {
10588768458SSam Leffler 	size_t size;
10688768458SSam Leffler 
10788768458SSam Leffler 	if (sav != NULL) {
10888768458SSam Leffler 		/*XXX not right for null algorithm--does it matter??*/
1099ffa9677SSam Leffler 		IPSEC_ASSERT(sav->tdb_encalgxform != NULL,
1109ffa9677SSam Leffler 			("SA with null xform"));
11188768458SSam Leffler 		if (sav->flags & SADB_X_EXT_OLD)
11288768458SSam Leffler 			size = sizeof (struct esp);
11388768458SSam Leffler 		else
11488768458SSam Leffler 			size = sizeof (struct newesp);
11588768458SSam Leffler 		size += sav->tdb_encalgxform->blocksize + 9;
11688768458SSam Leffler 		/*XXX need alg check???*/
11788768458SSam Leffler 		if (sav->tdb_authalgxform != NULL && sav->replay)
11888768458SSam Leffler 			size += ah_hdrsiz(sav);
11988768458SSam Leffler 	} else {
12088768458SSam Leffler 		/*
12188768458SSam Leffler 		 *   base header size
12288768458SSam Leffler 		 * + max iv length for CBC mode
12388768458SSam Leffler 		 * + max pad length
12488768458SSam Leffler 		 * + sizeof (pad length field)
12588768458SSam Leffler 		 * + sizeof (next header field)
12688768458SSam Leffler 		 * + max icv supported.
12788768458SSam Leffler 		 */
128cdb7ebe3SPawel Jakub Dawidek 		size = sizeof (struct newesp) + EALG_MAX_BLOCK_LEN + 9 + 16;
12988768458SSam Leffler 	}
13088768458SSam Leffler 	return size;
13188768458SSam Leffler }
13288768458SSam Leffler 
13388768458SSam Leffler /*
13488768458SSam Leffler  * esp_init() is called when an SPI is being set up.
13588768458SSam Leffler  */
13688768458SSam Leffler static int
13788768458SSam Leffler esp_init(struct secasvar *sav, struct xformsw *xsp)
13888768458SSam Leffler {
139fcf59617SAndrey V. Elsukov 	const struct enc_xform *txform;
140c0341432SJohn Baldwin 	struct crypto_session_params csp;
14188768458SSam Leffler 	int keylen;
14288768458SSam Leffler 	int error;
14388768458SSam Leffler 
144fcf59617SAndrey V. Elsukov 	txform = enc_algorithm_lookup(sav->alg_enc);
14588768458SSam Leffler 	if (txform == NULL) {
1469ffa9677SSam Leffler 		DPRINTF(("%s: unsupported encryption algorithm %d\n",
1479ffa9677SSam Leffler 			__func__, sav->alg_enc));
14888768458SSam Leffler 		return EINVAL;
14988768458SSam Leffler 	}
15088768458SSam Leffler 	if (sav->key_enc == NULL) {
1519ffa9677SSam Leffler 		DPRINTF(("%s: no encoding key for %s algorithm\n",
1529ffa9677SSam Leffler 			 __func__, txform->name));
15388768458SSam Leffler 		return EINVAL;
15488768458SSam Leffler 	}
155a2bc81bfSJohn-Mark Gurney 	if ((sav->flags & (SADB_X_EXT_OLD | SADB_X_EXT_IV4B)) ==
156a2bc81bfSJohn-Mark Gurney 	    SADB_X_EXT_IV4B) {
1579ffa9677SSam Leffler 		DPRINTF(("%s: 4-byte IV not supported with protocol\n",
1589ffa9677SSam Leffler 			__func__));
15988768458SSam Leffler 		return EINVAL;
16088768458SSam Leffler 	}
161c2fd516fSJohn Baldwin 
162c2fd516fSJohn Baldwin 	switch (sav->alg_enc) {
163c2fd516fSJohn Baldwin 	case SADB_EALG_DESCBC:
1640f702183SJohn Baldwin 		if (ratecheck(&deswarn, &ipsec_warn_interval))
165c2fd516fSJohn Baldwin 			gone_in(13, "DES cipher for IPsec");
166c2fd516fSJohn Baldwin 		break;
167c2fd516fSJohn Baldwin 	case SADB_X_EALG_BLOWFISHCBC:
1680f702183SJohn Baldwin 		if (ratecheck(&blfwarn, &ipsec_warn_interval))
169c2fd516fSJohn Baldwin 			gone_in(13, "Blowfish cipher for IPsec");
170c2fd516fSJohn Baldwin 		break;
171c2fd516fSJohn Baldwin 	case SADB_X_EALG_CAST128CBC:
1720f702183SJohn Baldwin 		if (ratecheck(&castwarn, &ipsec_warn_interval))
173c2fd516fSJohn Baldwin 			gone_in(13, "CAST cipher for IPsec");
174c2fd516fSJohn Baldwin 		break;
175c2fd516fSJohn Baldwin 	case SADB_X_EALG_CAMELLIACBC:
1760f702183SJohn Baldwin 		if (ratecheck(&camelliawarn, &ipsec_warn_interval))
177c2fd516fSJohn Baldwin 			gone_in(13, "Camellia cipher for IPsec");
178c2fd516fSJohn Baldwin 		break;
179c2fd516fSJohn Baldwin 	}
180c2fd516fSJohn Baldwin 
181a2bc81bfSJohn-Mark Gurney 	/* subtract off the salt, RFC4106, 8.1 and RFC3686, 5.1 */
182a2bc81bfSJohn-Mark Gurney 	keylen = _KEYLEN(sav->key_enc) - SAV_ISCTRORGCM(sav) * 4;
18388768458SSam Leffler 	if (txform->minkey > keylen || keylen > txform->maxkey) {
1849ffa9677SSam Leffler 		DPRINTF(("%s: invalid key length %u, must be in the range "
1859ffa9677SSam Leffler 			"[%u..%u] for algorithm %s\n", __func__,
18688768458SSam Leffler 			keylen, txform->minkey, txform->maxkey,
18788768458SSam Leffler 			txform->name));
18888768458SSam Leffler 		return EINVAL;
18988768458SSam Leffler 	}
19088768458SSam Leffler 
191a2bc81bfSJohn-Mark Gurney 	if (SAV_ISCTRORGCM(sav))
192a2bc81bfSJohn-Mark Gurney 		sav->ivlen = 8;	/* RFC4106 3.1 and RFC3686 3.1 */
193a2bc81bfSJohn-Mark Gurney 	else
1940c80e7dfSAndrey V. Elsukov 		sav->ivlen = txform->ivsize;
19588768458SSam Leffler 
196c0341432SJohn Baldwin 	memset(&csp, 0, sizeof(csp));
197c0341432SJohn Baldwin 
19888768458SSam Leffler 	/*
19988768458SSam Leffler 	 * Setup AH-related state.
20088768458SSam Leffler 	 */
20188768458SSam Leffler 	if (sav->alg_auth != 0) {
202c0341432SJohn Baldwin 		error = ah_init0(sav, xsp, &csp);
20388768458SSam Leffler 		if (error)
20488768458SSam Leffler 			return error;
20588768458SSam Leffler 	}
20688768458SSam Leffler 
20788768458SSam Leffler 	/* NB: override anything set in ah_init0 */
20888768458SSam Leffler 	sav->tdb_xform = xsp;
20988768458SSam Leffler 	sav->tdb_encalgxform = txform;
21088768458SSam Leffler 
21116de9ac1SGeorge V. Neville-Neil 	/*
21216de9ac1SGeorge V. Neville-Neil 	 * Whenever AES-GCM is used for encryption, one
21316de9ac1SGeorge V. Neville-Neil 	 * of the AES authentication algorithms is chosen
21416de9ac1SGeorge V. Neville-Neil 	 * as well, based on the key size.
21516de9ac1SGeorge V. Neville-Neil 	 */
21616de9ac1SGeorge V. Neville-Neil 	if (sav->alg_enc == SADB_X_EALG_AESGCM16) {
21716de9ac1SGeorge V. Neville-Neil 		switch (keylen) {
218a2bc81bfSJohn-Mark Gurney 		case AES_128_GMAC_KEY_LEN:
21916de9ac1SGeorge V. Neville-Neil 			sav->alg_auth = SADB_X_AALG_AES128GMAC;
22016de9ac1SGeorge V. Neville-Neil 			sav->tdb_authalgxform = &auth_hash_nist_gmac_aes_128;
22116de9ac1SGeorge V. Neville-Neil 			break;
222a2bc81bfSJohn-Mark Gurney 		case AES_192_GMAC_KEY_LEN:
22316de9ac1SGeorge V. Neville-Neil 			sav->alg_auth = SADB_X_AALG_AES192GMAC;
22416de9ac1SGeorge V. Neville-Neil 			sav->tdb_authalgxform = &auth_hash_nist_gmac_aes_192;
22516de9ac1SGeorge V. Neville-Neil 			break;
226a2bc81bfSJohn-Mark Gurney 		case AES_256_GMAC_KEY_LEN:
22716de9ac1SGeorge V. Neville-Neil 			sav->alg_auth = SADB_X_AALG_AES256GMAC;
22816de9ac1SGeorge V. Neville-Neil 			sav->tdb_authalgxform = &auth_hash_nist_gmac_aes_256;
22916de9ac1SGeorge V. Neville-Neil 			break;
23016de9ac1SGeorge V. Neville-Neil 		default:
23116de9ac1SGeorge V. Neville-Neil 			DPRINTF(("%s: invalid key length %u"
23216de9ac1SGeorge V. Neville-Neil 				 "for algorithm %s\n", __func__,
23316de9ac1SGeorge V. Neville-Neil 				 keylen, txform->name));
23416de9ac1SGeorge V. Neville-Neil 			return EINVAL;
23516de9ac1SGeorge V. Neville-Neil 		}
236c0341432SJohn Baldwin 		csp.csp_mode = CSP_MODE_AEAD;
237c0341432SJohn Baldwin 	} else if (sav->alg_auth != 0)
238c0341432SJohn Baldwin 		csp.csp_mode = CSP_MODE_ETA;
239c0341432SJohn Baldwin 	else
240c0341432SJohn Baldwin 		csp.csp_mode = CSP_MODE_CIPHER;
24116de9ac1SGeorge V. Neville-Neil 
24288768458SSam Leffler 	/* Initialize crypto session. */
243c0341432SJohn Baldwin 	csp.csp_cipher_alg = sav->tdb_encalgxform->type;
244c0341432SJohn Baldwin 	csp.csp_cipher_key = sav->key_enc->key_data;
245c0341432SJohn Baldwin 	csp.csp_cipher_klen = _KEYBITS(sav->key_enc) / 8 -
246c0341432SJohn Baldwin 	    SAV_ISCTRORGCM(sav) * 4;
247c0341432SJohn Baldwin 	csp.csp_ivlen = txform->ivsize;
24888768458SSam Leffler 
249c0341432SJohn Baldwin 	error = crypto_newsession(&sav->tdb_cryptoid, &csp, V_crypto_support);
25088768458SSam Leffler 	return error;
25188768458SSam Leffler }
25288768458SSam Leffler 
25388768458SSam Leffler /*
25488768458SSam Leffler  * Paranoia.
25588768458SSam Leffler  */
25688768458SSam Leffler static int
25788768458SSam Leffler esp_zeroize(struct secasvar *sav)
25888768458SSam Leffler {
25988768458SSam Leffler 	/* NB: ah_zerorize free's the crypto session state */
26088768458SSam Leffler 	int error = ah_zeroize(sav);
26188768458SSam Leffler 
26288768458SSam Leffler 	if (sav->key_enc)
263a0196c3cSGeorge V. Neville-Neil 		bzero(sav->key_enc->key_data, _KEYLEN(sav->key_enc));
26488768458SSam Leffler 	sav->tdb_encalgxform = NULL;
26588768458SSam Leffler 	sav->tdb_xform = NULL;
26688768458SSam Leffler 	return error;
26788768458SSam Leffler }
26888768458SSam Leffler 
26988768458SSam Leffler /*
27088768458SSam Leffler  * ESP input processing, called (eventually) through the protocol switch.
27188768458SSam Leffler  */
27288768458SSam Leffler static int
27388768458SSam Leffler esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
27488768458SSam Leffler {
2757f1f6591SAndrey V. Elsukov 	IPSEC_DEBUG_DECLARE(char buf[128]);
276fcf59617SAndrey V. Elsukov 	const struct auth_hash *esph;
277fcf59617SAndrey V. Elsukov 	const struct enc_xform *espx;
278fcf59617SAndrey V. Elsukov 	struct xform_data *xd;
27988768458SSam Leffler 	struct cryptop *crp;
280fcf59617SAndrey V. Elsukov 	struct newesp *esp;
281fcf59617SAndrey V. Elsukov 	uint8_t *ivp;
2822e08e39fSConrad Meyer 	crypto_session_t cryptoid;
2835f7c516fSAndrey V. Elsukov 	int alen, error, hlen, plen;
28488768458SSam Leffler 
2859ffa9677SSam Leffler 	IPSEC_ASSERT(sav != NULL, ("null SA"));
2869ffa9677SSam Leffler 	IPSEC_ASSERT(sav->tdb_encalgxform != NULL, ("null encoding xform"));
287a45bff04SVANHULLEBUS Yvan 
2885f7c516fSAndrey V. Elsukov 	error = EINVAL;
289a45bff04SVANHULLEBUS Yvan 	/* Valid IP Packet length ? */
290a45bff04SVANHULLEBUS Yvan 	if ( (skip&3) || (m->m_pkthdr.len&3) ){
291a45bff04SVANHULLEBUS Yvan 		DPRINTF(("%s: misaligned packet, skip %u pkt len %u",
292a45bff04SVANHULLEBUS Yvan 				__func__, skip, m->m_pkthdr.len));
293a04d64d8SAndrey V. Elsukov 		ESPSTAT_INC(esps_badilen);
2945f7c516fSAndrey V. Elsukov 		goto bad;
295a45bff04SVANHULLEBUS Yvan 	}
29663abacc2SBjoern A. Zeeb 
297a4adf6ccSBjoern A. Zeeb 	if (m->m_len < skip + sizeof(*esp)) {
29863abacc2SBjoern A. Zeeb 		m = m_pullup(m, skip + sizeof(*esp));
29963abacc2SBjoern A. Zeeb 		if (m == NULL) {
30063abacc2SBjoern A. Zeeb 			DPRINTF(("%s: cannot pullup header\n", __func__));
30163abacc2SBjoern A. Zeeb 			ESPSTAT_INC(esps_hdrops);	/*XXX*/
30263abacc2SBjoern A. Zeeb 			error = ENOBUFS;
30363abacc2SBjoern A. Zeeb 			goto bad;
30463abacc2SBjoern A. Zeeb 		}
305a4adf6ccSBjoern A. Zeeb 	}
30663abacc2SBjoern A. Zeeb 	esp = (struct newesp *)(mtod(m, caddr_t) + skip);
30788768458SSam Leffler 
30888768458SSam Leffler 	esph = sav->tdb_authalgxform;
30988768458SSam Leffler 	espx = sav->tdb_encalgxform;
31088768458SSam Leffler 
311a09a7146SJohn-Mark Gurney 	/* Determine the ESP header and auth length */
31288768458SSam Leffler 	if (sav->flags & SADB_X_EXT_OLD)
31388768458SSam Leffler 		hlen = sizeof (struct esp) + sav->ivlen;
31488768458SSam Leffler 	else
31588768458SSam Leffler 		hlen = sizeof (struct newesp) + sav->ivlen;
316a09a7146SJohn-Mark Gurney 
317a09a7146SJohn-Mark Gurney 	alen = xform_ah_authsize(esph);
31888768458SSam Leffler 
31988768458SSam Leffler 	/*
32088768458SSam Leffler 	 * Verify payload length is multiple of encryption algorithm
32188768458SSam Leffler 	 * block size.
32288768458SSam Leffler 	 *
32388768458SSam Leffler 	 * NB: This works for the null algorithm because the blocksize
32488768458SSam Leffler 	 *     is 4 and all packets must be 4-byte aligned regardless
32588768458SSam Leffler 	 *     of the algorithm.
32688768458SSam Leffler 	 */
32788768458SSam Leffler 	plen = m->m_pkthdr.len - (skip + hlen + alen);
32888768458SSam Leffler 	if ((plen & (espx->blocksize - 1)) || (plen <= 0)) {
3299ffa9677SSam Leffler 		DPRINTF(("%s: payload of %d octets not a multiple of %d octets,"
330a2bc81bfSJohn-Mark Gurney 		    "  SA %s/%08lx\n", __func__, plen, espx->blocksize,
331a2bc81bfSJohn-Mark Gurney 		    ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)),
332a2bc81bfSJohn-Mark Gurney 		    (u_long)ntohl(sav->spi)));
333a04d64d8SAndrey V. Elsukov 		ESPSTAT_INC(esps_badilen);
3345f7c516fSAndrey V. Elsukov 		goto bad;
33588768458SSam Leffler 	}
33688768458SSam Leffler 
33788768458SSam Leffler 	/*
33888768458SSam Leffler 	 * Check sequence number.
33988768458SSam Leffler 	 */
340fcf59617SAndrey V. Elsukov 	SECASVAR_LOCK(sav);
341fcf59617SAndrey V. Elsukov 	if (esph != NULL && sav->replay != NULL && sav->replay->wsize != 0) {
342fcf59617SAndrey V. Elsukov 		if (ipsec_chkreplay(ntohl(esp->esp_seq), sav) == 0) {
343fcf59617SAndrey V. Elsukov 			SECASVAR_UNLOCK(sav);
3449ffa9677SSam Leffler 			DPRINTF(("%s: packet replay check for %s\n", __func__,
345fcf59617SAndrey V. Elsukov 			    ipsec_sa2str(sav, buf, sizeof(buf))));
346a04d64d8SAndrey V. Elsukov 			ESPSTAT_INC(esps_replay);
3475f7c516fSAndrey V. Elsukov 			error = EACCES;
3485f7c516fSAndrey V. Elsukov 			goto bad;
34988768458SSam Leffler 		}
350fcf59617SAndrey V. Elsukov 	}
351fcf59617SAndrey V. Elsukov 	cryptoid = sav->tdb_cryptoid;
352fcf59617SAndrey V. Elsukov 	SECASVAR_UNLOCK(sav);
35388768458SSam Leffler 
35488768458SSam Leffler 	/* Update the counters */
355a04d64d8SAndrey V. Elsukov 	ESPSTAT_ADD(esps_ibytes, m->m_pkthdr.len - (skip + hlen + alen));
35688768458SSam Leffler 
35788768458SSam Leffler 	/* Get crypto descriptors */
358c0341432SJohn Baldwin 	crp = crypto_getreq(cryptoid, M_NOWAIT);
35988768458SSam Leffler 	if (crp == NULL) {
3609ffa9677SSam Leffler 		DPRINTF(("%s: failed to acquire crypto descriptors\n",
3619ffa9677SSam Leffler 			__func__));
362a04d64d8SAndrey V. Elsukov 		ESPSTAT_INC(esps_crypto);
3635f7c516fSAndrey V. Elsukov 		error = ENOBUFS;
3645f7c516fSAndrey V. Elsukov 		goto bad;
36588768458SSam Leffler 	}
36688768458SSam Leffler 
36788768458SSam Leffler 	/* Get IPsec-specific opaque pointer */
368c0341432SJohn Baldwin 	xd = malloc(sizeof(*xd), M_XDATA, M_NOWAIT | M_ZERO);
369fcf59617SAndrey V. Elsukov 	if (xd == NULL) {
370fcf59617SAndrey V. Elsukov 		DPRINTF(("%s: failed to allocate xform_data\n", __func__));
371a04d64d8SAndrey V. Elsukov 		ESPSTAT_INC(esps_crypto);
372fcf59617SAndrey V. Elsukov 		crypto_freereq(crp);
3735f7c516fSAndrey V. Elsukov 		error = ENOBUFS;
3745f7c516fSAndrey V. Elsukov 		goto bad;
37588768458SSam Leffler 	}
37688768458SSam Leffler 
37708537f45SAndrey V. Elsukov 	if (esph != NULL) {
378c0341432SJohn Baldwin 		crp->crp_op = CRYPTO_OP_VERIFY_DIGEST;
379c0341432SJohn Baldwin 		crp->crp_aad_start = skip;
380a2bc81bfSJohn-Mark Gurney 		if (SAV_ISGCM(sav))
381c0341432SJohn Baldwin 			crp->crp_aad_length = 8; /* RFC4106 5, SPI + SN */
38216de9ac1SGeorge V. Neville-Neil 		else
383c0341432SJohn Baldwin 			crp->crp_aad_length = hlen;
384c0341432SJohn Baldwin 		crp->crp_digest_start = m->m_pkthdr.len - alen;
38588768458SSam Leffler 	}
38688768458SSam Leffler 
38788768458SSam Leffler 	/* Crypto operation descriptor */
38888768458SSam Leffler 	crp->crp_ilen = m->m_pkthdr.len; /* Total input length */
389c0341432SJohn Baldwin 	crp->crp_flags = CRYPTO_F_CBIFSYNC;
39039bbca6fSFabien Thomas 	if (V_async_crypto)
39139bbca6fSFabien Thomas 		crp->crp_flags |= CRYPTO_F_ASYNC | CRYPTO_F_ASYNC_KEEPORDER;
392c0341432SJohn Baldwin 	crp->crp_mbuf = m;
393c0341432SJohn Baldwin 	crp->crp_buf_type = CRYPTO_BUF_MBUF;
39488768458SSam Leffler 	crp->crp_callback = esp_input_cb;
395c0341432SJohn Baldwin 	crp->crp_opaque = xd;
39688768458SSam Leffler 
39788768458SSam Leffler 	/* These are passed as-is to the callback */
398fcf59617SAndrey V. Elsukov 	xd->sav = sav;
399fcf59617SAndrey V. Elsukov 	xd->protoff = protoff;
400fcf59617SAndrey V. Elsukov 	xd->skip = skip;
401fcf59617SAndrey V. Elsukov 	xd->cryptoid = cryptoid;
402fd40ecf3SJohn Baldwin 	xd->vnet = curvnet;
40388768458SSam Leffler 
40488768458SSam Leffler 	/* Decryption descriptor */
405c0341432SJohn Baldwin 	crp->crp_op |= CRYPTO_OP_DECRYPT;
406c0341432SJohn Baldwin 	crp->crp_payload_start = skip + hlen;
407c0341432SJohn Baldwin 	crp->crp_payload_length = m->m_pkthdr.len - (skip + hlen + alen);
40888768458SSam Leffler 
409*c161c46dSJohn Baldwin 	/* Generate or read cipher IV. */
410a2bc81bfSJohn-Mark Gurney 	if (SAV_ISCTRORGCM(sav)) {
411c0341432SJohn Baldwin 		ivp = &crp->crp_iv[0];
41216de9ac1SGeorge V. Neville-Neil 
413*c161c46dSJohn Baldwin 		/*
414*c161c46dSJohn Baldwin 		 * AES-GCM and AES-CTR use similar cipher IV formats
415*c161c46dSJohn Baldwin 		 * defined in RFC 4106 section 4 and RFC 3686 section
416*c161c46dSJohn Baldwin 		 * 4, respectively.
417*c161c46dSJohn Baldwin 		 *
418*c161c46dSJohn Baldwin 		 * The first 4 bytes of the cipher IV contain an
419*c161c46dSJohn Baldwin 		 * implicit salt, or nonce, obtained from the last 4
420*c161c46dSJohn Baldwin 		 * bytes of the encryption key.  The next 8 bytes hold
421*c161c46dSJohn Baldwin 		 * an explicit IV unique to each packet.  This
422*c161c46dSJohn Baldwin 		 * explicit IV is used as the ESP IV for the packet.
423*c161c46dSJohn Baldwin 		 * The last 4 bytes hold a big-endian block counter
424*c161c46dSJohn Baldwin 		 * incremented for each block.  For AES-GCM, the block
425*c161c46dSJohn Baldwin 		 * counter's initial value is defined as part of the
426*c161c46dSJohn Baldwin 		 * algorithm.  For AES-CTR, the block counter's
427*c161c46dSJohn Baldwin 		 * initial value for each packet is defined as 1 by
428*c161c46dSJohn Baldwin 		 * RFC 3686.
429*c161c46dSJohn Baldwin 		 *
430*c161c46dSJohn Baldwin 		 * ------------------------------------------
431*c161c46dSJohn Baldwin 		 * | Salt | Explicit ESP IV | Block Counter |
432*c161c46dSJohn Baldwin 		 * ------------------------------------------
433*c161c46dSJohn Baldwin 		 *  4 bytes     8 bytes          4 bytes
434*c161c46dSJohn Baldwin 		 */
435a2bc81bfSJohn-Mark Gurney 		memcpy(ivp, sav->key_enc->key_data +
436a2bc81bfSJohn-Mark Gurney 		    _KEYLEN(sav->key_enc) - 4, 4);
437*c161c46dSJohn Baldwin 		m_copydata(m, skip + hlen - sav->ivlen, sav->ivlen, &ivp[4]);
438a2bc81bfSJohn-Mark Gurney 		if (SAV_ISCTR(sav)) {
439a2bc81bfSJohn-Mark Gurney 			be32enc(&ivp[sav->ivlen + 4], 1);
440a2bc81bfSJohn-Mark Gurney 		}
441c0341432SJohn Baldwin 		crp->crp_flags |= CRYPTO_F_IV_SEPARATE;
442c0341432SJohn Baldwin 	} else if (sav->ivlen != 0)
443c0341432SJohn Baldwin 		crp->crp_iv_start = skip + hlen - sav->ivlen;
44488768458SSam Leffler 
44508537f45SAndrey V. Elsukov 	return (crypto_dispatch(crp));
4465f7c516fSAndrey V. Elsukov bad:
4475f7c516fSAndrey V. Elsukov 	m_freem(m);
4485f7c516fSAndrey V. Elsukov 	key_freesav(&sav);
4495f7c516fSAndrey V. Elsukov 	return (error);
45088768458SSam Leffler }
45188768458SSam Leffler 
45288768458SSam Leffler /*
45388768458SSam Leffler  * ESP input callback from the crypto driver.
45488768458SSam Leffler  */
45588768458SSam Leffler static int
45688768458SSam Leffler esp_input_cb(struct cryptop *crp)
45788768458SSam Leffler {
4587f1f6591SAndrey V. Elsukov 	IPSEC_DEBUG_DECLARE(char buf[128]);
459c0341432SJohn Baldwin 	uint8_t lastthree[3];
460fcf59617SAndrey V. Elsukov 	const struct auth_hash *esph;
46188768458SSam Leffler 	struct mbuf *m;
462fcf59617SAndrey V. Elsukov 	struct xform_data *xd;
46388768458SSam Leffler 	struct secasvar *sav;
46488768458SSam Leffler 	struct secasindex *saidx;
4652e08e39fSConrad Meyer 	crypto_session_t cryptoid;
466fcf59617SAndrey V. Elsukov 	int hlen, skip, protoff, error, alen;
46788768458SSam Leffler 
468c0341432SJohn Baldwin 	m = crp->crp_mbuf;
469c0341432SJohn Baldwin 	xd = crp->crp_opaque;
470fd40ecf3SJohn Baldwin 	CURVNET_SET(xd->vnet);
471fcf59617SAndrey V. Elsukov 	sav = xd->sav;
472fcf59617SAndrey V. Elsukov 	skip = xd->skip;
473fcf59617SAndrey V. Elsukov 	protoff = xd->protoff;
474fcf59617SAndrey V. Elsukov 	cryptoid = xd->cryptoid;
47588768458SSam Leffler 	saidx = &sav->sah->saidx;
47688768458SSam Leffler 	esph = sav->tdb_authalgxform;
47788768458SSam Leffler 
47888768458SSam Leffler 	/* Check for crypto errors */
47988768458SSam Leffler 	if (crp->crp_etype) {
480fcf59617SAndrey V. Elsukov 		if (crp->crp_etype == EAGAIN) {
48188768458SSam Leffler 			/* Reset the session ID */
4821b0909d5SConrad Meyer 			if (ipsec_updateid(sav, &crp->crp_session, &cryptoid) != 0)
483fcf59617SAndrey V. Elsukov 				crypto_freesession(cryptoid);
4841b0909d5SConrad Meyer 			xd->cryptoid = crp->crp_session;
485fd40ecf3SJohn Baldwin 			CURVNET_RESTORE();
4860a95a08eSPawel Jakub Dawidek 			return (crypto_dispatch(crp));
487fcf59617SAndrey V. Elsukov 		}
488c0341432SJohn Baldwin 
489c0341432SJohn Baldwin 		/* EBADMSG indicates authentication failure. */
490c0341432SJohn Baldwin 		if (!(crp->crp_etype == EBADMSG && esph != NULL)) {
491a04d64d8SAndrey V. Elsukov 			ESPSTAT_INC(esps_noxform);
492c0341432SJohn Baldwin 			DPRINTF(("%s: crypto error %d\n", __func__,
493c0341432SJohn Baldwin 				crp->crp_etype));
49488768458SSam Leffler 			error = crp->crp_etype;
49588768458SSam Leffler 			goto bad;
49688768458SSam Leffler 		}
497c0341432SJohn Baldwin 	}
49888768458SSam Leffler 
49988768458SSam Leffler 	/* Shouldn't happen... */
50088768458SSam Leffler 	if (m == NULL) {
501a04d64d8SAndrey V. Elsukov 		ESPSTAT_INC(esps_crypto);
5029ffa9677SSam Leffler 		DPRINTF(("%s: bogus returned buffer from crypto\n", __func__));
50388768458SSam Leffler 		error = EINVAL;
50488768458SSam Leffler 		goto bad;
50588768458SSam Leffler 	}
506a04d64d8SAndrey V. Elsukov 	ESPSTAT_INC(esps_hist[sav->alg_enc]);
50788768458SSam Leffler 
50888768458SSam Leffler 	/* If authentication was performed, check now. */
50988768458SSam Leffler 	if (esph != NULL) {
510a09a7146SJohn-Mark Gurney 		alen = xform_ah_authsize(esph);
511a04d64d8SAndrey V. Elsukov 		AHSTAT_INC(ahs_hist[sav->alg_auth]);
512c0341432SJohn Baldwin 		if (crp->crp_etype == EBADMSG) {
51308537f45SAndrey V. Elsukov 			DPRINTF(("%s: authentication hash mismatch for "
51408537f45SAndrey V. Elsukov 			    "packet in SA %s/%08lx\n", __func__,
515962ac6c7SAndrey V. Elsukov 			    ipsec_address(&saidx->dst, buf, sizeof(buf)),
51688768458SSam Leffler 			    (u_long) ntohl(sav->spi)));
517a04d64d8SAndrey V. Elsukov 			ESPSTAT_INC(esps_badauth);
51888768458SSam Leffler 			error = EACCES;
51988768458SSam Leffler 			goto bad;
52088768458SSam Leffler 		}
521fcf59617SAndrey V. Elsukov 		m->m_flags |= M_AUTHIPDGM;
52288768458SSam Leffler 		/* Remove trailing authenticator */
523442da28aSVANHULLEBUS Yvan 		m_adj(m, -alen);
52488768458SSam Leffler 	}
52588768458SSam Leffler 
52688768458SSam Leffler 	/* Release the crypto descriptors */
527fcf59617SAndrey V. Elsukov 	free(xd, M_XDATA), xd = NULL;
52888768458SSam Leffler 	crypto_freereq(crp), crp = NULL;
52988768458SSam Leffler 
53088768458SSam Leffler 	/*
53188768458SSam Leffler 	 * Packet is now decrypted.
53288768458SSam Leffler 	 */
53388768458SSam Leffler 	m->m_flags |= M_DECRYPTED;
53488768458SSam Leffler 
535d16f6f50SColin Percival 	/*
536d16f6f50SColin Percival 	 * Update replay sequence number, if appropriate.
537d16f6f50SColin Percival 	 */
538d16f6f50SColin Percival 	if (sav->replay) {
539d16f6f50SColin Percival 		u_int32_t seq;
540d16f6f50SColin Percival 
541d16f6f50SColin Percival 		m_copydata(m, skip + offsetof(struct newesp, esp_seq),
542d16f6f50SColin Percival 			   sizeof (seq), (caddr_t) &seq);
543fcf59617SAndrey V. Elsukov 		SECASVAR_LOCK(sav);
544d16f6f50SColin Percival 		if (ipsec_updatereplay(ntohl(seq), sav)) {
545fcf59617SAndrey V. Elsukov 			SECASVAR_UNLOCK(sav);
546d16f6f50SColin Percival 			DPRINTF(("%s: packet replay check for %s\n", __func__,
547fcf59617SAndrey V. Elsukov 			    ipsec_sa2str(sav, buf, sizeof(buf))));
548a04d64d8SAndrey V. Elsukov 			ESPSTAT_INC(esps_replay);
549fcf59617SAndrey V. Elsukov 			error = EACCES;
550d16f6f50SColin Percival 			goto bad;
551d16f6f50SColin Percival 		}
552fcf59617SAndrey V. Elsukov 		SECASVAR_UNLOCK(sav);
553d16f6f50SColin Percival 	}
554d16f6f50SColin Percival 
55588768458SSam Leffler 	/* Determine the ESP header length */
55688768458SSam Leffler 	if (sav->flags & SADB_X_EXT_OLD)
55788768458SSam Leffler 		hlen = sizeof (struct esp) + sav->ivlen;
55888768458SSam Leffler 	else
55988768458SSam Leffler 		hlen = sizeof (struct newesp) + sav->ivlen;
56088768458SSam Leffler 
56188768458SSam Leffler 	/* Remove the ESP header and IV from the mbuf. */
56288768458SSam Leffler 	error = m_striphdr(m, skip, hlen);
56388768458SSam Leffler 	if (error) {
564a04d64d8SAndrey V. Elsukov 		ESPSTAT_INC(esps_hdrops);
5659ffa9677SSam Leffler 		DPRINTF(("%s: bad mbuf chain, SA %s/%08lx\n", __func__,
566962ac6c7SAndrey V. Elsukov 		    ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)),
56788768458SSam Leffler 		    (u_long) ntohl(sav->spi)));
56888768458SSam Leffler 		goto bad;
56988768458SSam Leffler 	}
57088768458SSam Leffler 
57188768458SSam Leffler 	/* Save the last three bytes of decrypted data */
57288768458SSam Leffler 	m_copydata(m, m->m_pkthdr.len - 3, 3, lastthree);
57388768458SSam Leffler 
57488768458SSam Leffler 	/* Verify pad length */
57588768458SSam Leffler 	if (lastthree[1] + 2 > m->m_pkthdr.len - skip) {
576a04d64d8SAndrey V. Elsukov 		ESPSTAT_INC(esps_badilen);
5779ffa9677SSam Leffler 		DPRINTF(("%s: invalid padding length %d for %u byte packet "
578962ac6c7SAndrey V. Elsukov 		    "in SA %s/%08lx\n", __func__, lastthree[1],
579962ac6c7SAndrey V. Elsukov 		    m->m_pkthdr.len - skip,
580962ac6c7SAndrey V. Elsukov 		    ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)),
58188768458SSam Leffler 		    (u_long) ntohl(sav->spi)));
58288768458SSam Leffler 		error = EINVAL;
58388768458SSam Leffler 		goto bad;
58488768458SSam Leffler 	}
58588768458SSam Leffler 
58688768458SSam Leffler 	/* Verify correct decryption by checking the last padding bytes */
58788768458SSam Leffler 	if ((sav->flags & SADB_X_EXT_PMASK) != SADB_X_EXT_PRAND) {
58888768458SSam Leffler 		if (lastthree[1] != lastthree[0] && lastthree[1] != 0) {
589a04d64d8SAndrey V. Elsukov 			ESPSTAT_INC(esps_badenc);
5909ffa9677SSam Leffler 			DPRINTF(("%s: decryption failed for packet in "
591962ac6c7SAndrey V. Elsukov 			    "SA %s/%08lx\n", __func__, ipsec_address(
592962ac6c7SAndrey V. Elsukov 			    &sav->sah->saidx.dst, buf, sizeof(buf)),
59388768458SSam Leffler 			    (u_long) ntohl(sav->spi)));
59488768458SSam Leffler 			error = EINVAL;
59588768458SSam Leffler 			goto bad;
59688768458SSam Leffler 		}
59788768458SSam Leffler 	}
59888768458SSam Leffler 
5993f44ee8eSAndrey V. Elsukov 	/*
6003f44ee8eSAndrey V. Elsukov 	 * RFC4303 2.6:
6013f44ee8eSAndrey V. Elsukov 	 * Silently drop packet if next header field is IPPROTO_NONE.
6023f44ee8eSAndrey V. Elsukov 	 */
6033f44ee8eSAndrey V. Elsukov 	if (lastthree[2] == IPPROTO_NONE)
6043f44ee8eSAndrey V. Elsukov 		goto bad;
6053f44ee8eSAndrey V. Elsukov 
60688768458SSam Leffler 	/* Trim the mbuf chain to remove trailing authenticator and padding */
60788768458SSam Leffler 	m_adj(m, -(lastthree[1] + 2));
60888768458SSam Leffler 
60988768458SSam Leffler 	/* Restore the Next Protocol field */
61088768458SSam Leffler 	m_copyback(m, protoff, sizeof (u_int8_t), lastthree + 2);
61188768458SSam Leffler 
612db178eb8SBjoern A. Zeeb 	switch (saidx->dst.sa.sa_family) {
613db178eb8SBjoern A. Zeeb #ifdef INET6
614db178eb8SBjoern A. Zeeb 	case AF_INET6:
615f0514a8bSAndrey V. Elsukov 		error = ipsec6_common_input_cb(m, sav, skip, protoff);
616db178eb8SBjoern A. Zeeb 		break;
617db178eb8SBjoern A. Zeeb #endif
618db178eb8SBjoern A. Zeeb #ifdef INET
619db178eb8SBjoern A. Zeeb 	case AF_INET:
620f0514a8bSAndrey V. Elsukov 		error = ipsec4_common_input_cb(m, sav, skip, protoff);
621db178eb8SBjoern A. Zeeb 		break;
622db178eb8SBjoern A. Zeeb #endif
623db178eb8SBjoern A. Zeeb 	default:
624db178eb8SBjoern A. Zeeb 		panic("%s: Unexpected address family: %d saidx=%p", __func__,
625db178eb8SBjoern A. Zeeb 		    saidx->dst.sa.sa_family, saidx);
626db178eb8SBjoern A. Zeeb 	}
627fd40ecf3SJohn Baldwin 	CURVNET_RESTORE();
62888768458SSam Leffler 	return error;
62988768458SSam Leffler bad:
630fd40ecf3SJohn Baldwin 	CURVNET_RESTORE();
631fcf59617SAndrey V. Elsukov 	if (sav != NULL)
632fcf59617SAndrey V. Elsukov 		key_freesav(&sav);
63388768458SSam Leffler 	if (m != NULL)
63488768458SSam Leffler 		m_freem(m);
635fcf59617SAndrey V. Elsukov 	if (xd != NULL)
636fcf59617SAndrey V. Elsukov 		free(xd, M_XDATA);
63788768458SSam Leffler 	if (crp != NULL)
63888768458SSam Leffler 		crypto_freereq(crp);
63988768458SSam Leffler 	return error;
64088768458SSam Leffler }
64188768458SSam Leffler /*
642fcf59617SAndrey V. Elsukov  * ESP output routine, called by ipsec[46]_perform_request().
64388768458SSam Leffler  */
64488768458SSam Leffler static int
645fcf59617SAndrey V. Elsukov esp_output(struct mbuf *m, struct secpolicy *sp, struct secasvar *sav,
646fcf59617SAndrey V. Elsukov     u_int idx, int skip, int protoff)
64788768458SSam Leffler {
6487f1f6591SAndrey V. Elsukov 	IPSEC_DEBUG_DECLARE(char buf[IPSEC_ADDRSTRLEN]);
64988768458SSam Leffler 	struct cryptop *crp;
650fcf59617SAndrey V. Elsukov 	const struct auth_hash *esph;
651fcf59617SAndrey V. Elsukov 	const struct enc_xform *espx;
652fcf59617SAndrey V. Elsukov 	struct mbuf *mo = NULL;
653fcf59617SAndrey V. Elsukov 	struct xform_data *xd;
654fcf59617SAndrey V. Elsukov 	struct secasindex *saidx;
655fcf59617SAndrey V. Elsukov 	unsigned char *pad;
656fcf59617SAndrey V. Elsukov 	uint8_t *ivp;
6572e08e39fSConrad Meyer 	uint64_t cntr;
6582e08e39fSConrad Meyer 	crypto_session_t cryptoid;
659fcf59617SAndrey V. Elsukov 	int hlen, rlen, padding, blks, alen, i, roff;
660fcf59617SAndrey V. Elsukov 	int error, maxpacketsize;
661fcf59617SAndrey V. Elsukov 	uint8_t prot;
66288768458SSam Leffler 
6639ffa9677SSam Leffler 	IPSEC_ASSERT(sav != NULL, ("null SA"));
66488768458SSam Leffler 	esph = sav->tdb_authalgxform;
66588768458SSam Leffler 	espx = sav->tdb_encalgxform;
6669ffa9677SSam Leffler 	IPSEC_ASSERT(espx != NULL, ("null encoding xform"));
66788768458SSam Leffler 
66888768458SSam Leffler 	if (sav->flags & SADB_X_EXT_OLD)
66988768458SSam Leffler 		hlen = sizeof (struct esp) + sav->ivlen;
67088768458SSam Leffler 	else
67188768458SSam Leffler 		hlen = sizeof (struct newesp) + sav->ivlen;
67288768458SSam Leffler 
67388768458SSam Leffler 	rlen = m->m_pkthdr.len - skip;	/* Raw payload length. */
67488768458SSam Leffler 	/*
675a2bc81bfSJohn-Mark Gurney 	 * RFC4303 2.4 Requires 4 byte alignment.
67688768458SSam Leffler 	 */
677a2bc81bfSJohn-Mark Gurney 	blks = MAX(4, espx->blocksize);		/* Cipher blocksize */
67888768458SSam Leffler 
67988768458SSam Leffler 	/* XXX clamp padding length a la KAME??? */
68088768458SSam Leffler 	padding = ((blks - ((rlen + 2) % blks)) % blks) + 2;
68188768458SSam Leffler 
682a09a7146SJohn-Mark Gurney 	alen = xform_ah_authsize(esph);
68388768458SSam Leffler 
684a04d64d8SAndrey V. Elsukov 	ESPSTAT_INC(esps_output);
68588768458SSam Leffler 
68688768458SSam Leffler 	saidx = &sav->sah->saidx;
68788768458SSam Leffler 	/* Check for maximum packet size violations. */
68888768458SSam Leffler 	switch (saidx->dst.sa.sa_family) {
68988768458SSam Leffler #ifdef INET
69088768458SSam Leffler 	case AF_INET:
69188768458SSam Leffler 		maxpacketsize = IP_MAXPACKET;
69288768458SSam Leffler 		break;
69388768458SSam Leffler #endif /* INET */
69488768458SSam Leffler #ifdef INET6
69588768458SSam Leffler 	case AF_INET6:
69688768458SSam Leffler 		maxpacketsize = IPV6_MAXPACKET;
69788768458SSam Leffler 		break;
69888768458SSam Leffler #endif /* INET6 */
69988768458SSam Leffler 	default:
7009ffa9677SSam Leffler 		DPRINTF(("%s: unknown/unsupported protocol "
7019ffa9677SSam Leffler 		    "family %d, SA %s/%08lx\n", __func__,
702962ac6c7SAndrey V. Elsukov 		    saidx->dst.sa.sa_family, ipsec_address(&saidx->dst,
703962ac6c7SAndrey V. Elsukov 			buf, sizeof(buf)), (u_long) ntohl(sav->spi)));
704a04d64d8SAndrey V. Elsukov 		ESPSTAT_INC(esps_nopf);
70588768458SSam Leffler 		error = EPFNOSUPPORT;
70688768458SSam Leffler 		goto bad;
70788768458SSam Leffler 	}
708fcf59617SAndrey V. Elsukov 	/*
70916de9ac1SGeorge V. Neville-Neil 	DPRINTF(("%s: skip %d hlen %d rlen %d padding %d alen %d blksd %d\n",
710fcf59617SAndrey V. Elsukov 		__func__, skip, hlen, rlen, padding, alen, blks)); */
71188768458SSam Leffler 	if (skip + hlen + rlen + padding + alen > maxpacketsize) {
7129ffa9677SSam Leffler 		DPRINTF(("%s: packet in SA %s/%08lx got too big "
7139ffa9677SSam Leffler 		    "(len %u, max len %u)\n", __func__,
714962ac6c7SAndrey V. Elsukov 		    ipsec_address(&saidx->dst, buf, sizeof(buf)),
715962ac6c7SAndrey V. Elsukov 		    (u_long) ntohl(sav->spi),
71688768458SSam Leffler 		    skip + hlen + rlen + padding + alen, maxpacketsize));
717a04d64d8SAndrey V. Elsukov 		ESPSTAT_INC(esps_toobig);
71888768458SSam Leffler 		error = EMSGSIZE;
71988768458SSam Leffler 		goto bad;
72088768458SSam Leffler 	}
72188768458SSam Leffler 
72288768458SSam Leffler 	/* Update the counters. */
723a04d64d8SAndrey V. Elsukov 	ESPSTAT_ADD(esps_obytes, m->m_pkthdr.len - skip);
72488768458SSam Leffler 
72547e2996eSSam Leffler 	m = m_unshare(m, M_NOWAIT);
72688768458SSam Leffler 	if (m == NULL) {
7279ffa9677SSam Leffler 		DPRINTF(("%s: cannot clone mbuf chain, SA %s/%08lx\n", __func__,
728962ac6c7SAndrey V. Elsukov 		    ipsec_address(&saidx->dst, buf, sizeof(buf)),
729962ac6c7SAndrey V. Elsukov 		    (u_long) ntohl(sav->spi)));
730a04d64d8SAndrey V. Elsukov 		ESPSTAT_INC(esps_hdrops);
73188768458SSam Leffler 		error = ENOBUFS;
73288768458SSam Leffler 		goto bad;
73388768458SSam Leffler 	}
73488768458SSam Leffler 
73588768458SSam Leffler 	/* Inject ESP header. */
73688768458SSam Leffler 	mo = m_makespace(m, skip, hlen, &roff);
73788768458SSam Leffler 	if (mo == NULL) {
7389ffa9677SSam Leffler 		DPRINTF(("%s: %u byte ESP hdr inject failed for SA %s/%08lx\n",
739962ac6c7SAndrey V. Elsukov 		    __func__, hlen, ipsec_address(&saidx->dst, buf,
740962ac6c7SAndrey V. Elsukov 		    sizeof(buf)), (u_long) ntohl(sav->spi)));
741a04d64d8SAndrey V. Elsukov 		ESPSTAT_INC(esps_hdrops);	/* XXX diffs from openbsd */
74288768458SSam Leffler 		error = ENOBUFS;
74388768458SSam Leffler 		goto bad;
74488768458SSam Leffler 	}
74588768458SSam Leffler 
74688768458SSam Leffler 	/* Initialize ESP header. */
747fcf59617SAndrey V. Elsukov 	bcopy((caddr_t) &sav->spi, mtod(mo, caddr_t) + roff,
748fcf59617SAndrey V. Elsukov 	    sizeof(uint32_t));
749bf435626SFabien Thomas 	SECASVAR_LOCK(sav);
750fcf59617SAndrey V. Elsukov 	if (sav->replay) {
751fcf59617SAndrey V. Elsukov 		uint32_t replay;
752fcf59617SAndrey V. Elsukov 
7536131838bSPawel Jakub Dawidek #ifdef REGRESSION
754dfa9422bSPawel Jakub Dawidek 		/* Emulate replay attack when ipsec_replay is TRUE. */
755603724d3SBjoern A. Zeeb 		if (!V_ipsec_replay)
7566131838bSPawel Jakub Dawidek #endif
757dfa9422bSPawel Jakub Dawidek 			sav->replay->count++;
758dfa9422bSPawel Jakub Dawidek 		replay = htonl(sav->replay->count);
759fcf59617SAndrey V. Elsukov 
760fcf59617SAndrey V. Elsukov 		bcopy((caddr_t) &replay, mtod(mo, caddr_t) + roff +
761fcf59617SAndrey V. Elsukov 		    sizeof(uint32_t), sizeof(uint32_t));
76288768458SSam Leffler 	}
763fcf59617SAndrey V. Elsukov 	cryptoid = sav->tdb_cryptoid;
764fcf59617SAndrey V. Elsukov 	if (SAV_ISCTRORGCM(sav))
765fcf59617SAndrey V. Elsukov 		cntr = sav->cntr++;
766fcf59617SAndrey V. Elsukov 	SECASVAR_UNLOCK(sav);
76788768458SSam Leffler 
76888768458SSam Leffler 	/*
76988768458SSam Leffler 	 * Add padding -- better to do it ourselves than use the crypto engine,
77088768458SSam Leffler 	 * although if/when we support compression, we'd have to do that.
77188768458SSam Leffler 	 */
77288768458SSam Leffler 	pad = (u_char *) m_pad(m, padding + alen);
77388768458SSam Leffler 	if (pad == NULL) {
7749ffa9677SSam Leffler 		DPRINTF(("%s: m_pad failed for SA %s/%08lx\n", __func__,
775962ac6c7SAndrey V. Elsukov 		    ipsec_address(&saidx->dst, buf, sizeof(buf)),
776962ac6c7SAndrey V. Elsukov 		    (u_long) ntohl(sav->spi)));
77788768458SSam Leffler 		m = NULL;		/* NB: free'd by m_pad */
77888768458SSam Leffler 		error = ENOBUFS;
77988768458SSam Leffler 		goto bad;
78088768458SSam Leffler 	}
78188768458SSam Leffler 
78288768458SSam Leffler 	/*
78388768458SSam Leffler 	 * Add padding: random, zero, or self-describing.
78488768458SSam Leffler 	 * XXX catch unexpected setting
78588768458SSam Leffler 	 */
78688768458SSam Leffler 	switch (sav->flags & SADB_X_EXT_PMASK) {
78788768458SSam Leffler 	case SADB_X_EXT_PRAND:
788a8a16c71SConrad Meyer 		arc4random_buf(pad, padding - 2);
78988768458SSam Leffler 		break;
79088768458SSam Leffler 	case SADB_X_EXT_PZERO:
79188768458SSam Leffler 		bzero(pad, padding - 2);
79288768458SSam Leffler 		break;
79388768458SSam Leffler 	case SADB_X_EXT_PSEQ:
79488768458SSam Leffler 		for (i = 0; i < padding - 2; i++)
79588768458SSam Leffler 			pad[i] = i+1;
79688768458SSam Leffler 		break;
79788768458SSam Leffler 	}
79888768458SSam Leffler 
79988768458SSam Leffler 	/* Fix padding length and Next Protocol in padding itself. */
80088768458SSam Leffler 	pad[padding - 2] = padding - 2;
80188768458SSam Leffler 	m_copydata(m, protoff, sizeof(u_int8_t), pad + padding - 1);
80288768458SSam Leffler 
80388768458SSam Leffler 	/* Fix Next Protocol in IPv4/IPv6 header. */
80488768458SSam Leffler 	prot = IPPROTO_ESP;
80588768458SSam Leffler 	m_copyback(m, protoff, sizeof(u_int8_t), (u_char *) &prot);
80688768458SSam Leffler 
807c0341432SJohn Baldwin 	/* Get crypto descriptor. */
808c0341432SJohn Baldwin 	crp = crypto_getreq(cryptoid, M_NOWAIT);
80988768458SSam Leffler 	if (crp == NULL) {
810c0341432SJohn Baldwin 		DPRINTF(("%s: failed to acquire crypto descriptor\n",
8119ffa9677SSam Leffler 			__func__));
812a04d64d8SAndrey V. Elsukov 		ESPSTAT_INC(esps_crypto);
81388768458SSam Leffler 		error = ENOBUFS;
81488768458SSam Leffler 		goto bad;
81588768458SSam Leffler 	}
81688768458SSam Leffler 
817a2bc81bfSJohn-Mark Gurney 	/* IPsec-specific opaque crypto info. */
818fcf59617SAndrey V. Elsukov 	xd =  malloc(sizeof(struct xform_data), M_XDATA, M_NOWAIT | M_ZERO);
819fcf59617SAndrey V. Elsukov 	if (xd == NULL) {
820a2bc81bfSJohn-Mark Gurney 		crypto_freereq(crp);
821fcf59617SAndrey V. Elsukov 		DPRINTF(("%s: failed to allocate xform_data\n", __func__));
822a2bc81bfSJohn-Mark Gurney 		ESPSTAT_INC(esps_crypto);
823a2bc81bfSJohn-Mark Gurney 		error = ENOBUFS;
824a2bc81bfSJohn-Mark Gurney 		goto bad;
825a2bc81bfSJohn-Mark Gurney 	}
826a2bc81bfSJohn-Mark Gurney 
82788768458SSam Leffler 	/* Encryption descriptor. */
828c0341432SJohn Baldwin 	crp->crp_payload_start = skip + hlen;
829c0341432SJohn Baldwin 	crp->crp_payload_length = m->m_pkthdr.len - (skip + hlen + alen);
830c0341432SJohn Baldwin 	crp->crp_op = CRYPTO_OP_ENCRYPT;
83188768458SSam Leffler 
832*c161c46dSJohn Baldwin 	/* Generate cipher and ESP IVs. */
833c0341432SJohn Baldwin 	ivp = &crp->crp_iv[0];
8348cbde414SJohn Baldwin 	if (SAV_ISCTRORGCM(sav)) {
835*c161c46dSJohn Baldwin 		/*
836*c161c46dSJohn Baldwin 		 * See comment in esp_input() for details on the
837*c161c46dSJohn Baldwin 		 * cipher IV.  A simple per-SA counter stored in
838*c161c46dSJohn Baldwin 		 * 'cntr' is used as the explicit ESP IV.
839*c161c46dSJohn Baldwin 		 */
840a2bc81bfSJohn-Mark Gurney 		memcpy(ivp, sav->key_enc->key_data +
841a2bc81bfSJohn-Mark Gurney 		    _KEYLEN(sav->key_enc) - 4, 4);
842a2bc81bfSJohn-Mark Gurney 		be64enc(&ivp[4], cntr);
843a2bc81bfSJohn-Mark Gurney 		if (SAV_ISCTR(sav)) {
844a2bc81bfSJohn-Mark Gurney 			be32enc(&ivp[sav->ivlen + 4], 1);
845a2bc81bfSJohn-Mark Gurney 		}
846a2bc81bfSJohn-Mark Gurney 		m_copyback(m, skip + hlen - sav->ivlen, sav->ivlen, &ivp[4]);
847c0341432SJohn Baldwin 		crp->crp_flags |= CRYPTO_F_IV_SEPARATE;
848c0341432SJohn Baldwin 	} else if (sav->ivlen != 0) {
8498cbde414SJohn Baldwin 		arc4rand(ivp, sav->ivlen, 0);
850c0341432SJohn Baldwin 		crp->crp_iv_start = skip + hlen - sav->ivlen;
8518cbde414SJohn Baldwin 		m_copyback(m, crp->crp_iv_start, sav->ivlen, ivp);
85288768458SSam Leffler 	}
85388768458SSam Leffler 
85488768458SSam Leffler 	/* Callback parameters */
855fcf59617SAndrey V. Elsukov 	xd->sp = sp;
856fcf59617SAndrey V. Elsukov 	xd->sav = sav;
857fcf59617SAndrey V. Elsukov 	xd->idx = idx;
858fcf59617SAndrey V. Elsukov 	xd->cryptoid = cryptoid;
859fd40ecf3SJohn Baldwin 	xd->vnet = curvnet;
86088768458SSam Leffler 
86188768458SSam Leffler 	/* Crypto operation descriptor. */
86288768458SSam Leffler 	crp->crp_ilen = m->m_pkthdr.len; /* Total input length. */
863c0341432SJohn Baldwin 	crp->crp_flags |= CRYPTO_F_CBIFSYNC;
86439bbca6fSFabien Thomas 	if (V_async_crypto)
86539bbca6fSFabien Thomas 		crp->crp_flags |= CRYPTO_F_ASYNC | CRYPTO_F_ASYNC_KEEPORDER;
866c0341432SJohn Baldwin 	crp->crp_mbuf = m;
867c0341432SJohn Baldwin 	crp->crp_buf_type = CRYPTO_BUF_MBUF;
86888768458SSam Leffler 	crp->crp_callback = esp_output_cb;
869c0341432SJohn Baldwin 	crp->crp_opaque = xd;
87088768458SSam Leffler 
87188768458SSam Leffler 	if (esph) {
87288768458SSam Leffler 		/* Authentication descriptor. */
873c0341432SJohn Baldwin 		crp->crp_op |= CRYPTO_OP_COMPUTE_DIGEST;
874c0341432SJohn Baldwin 		crp->crp_aad_start = skip;
875a2bc81bfSJohn-Mark Gurney 		if (SAV_ISGCM(sav))
876c0341432SJohn Baldwin 			crp->crp_aad_length = 8; /* RFC4106 5, SPI + SN */
87716de9ac1SGeorge V. Neville-Neil 		else
878c0341432SJohn Baldwin 			crp->crp_aad_length = hlen;
879c0341432SJohn Baldwin 		crp->crp_digest_start = m->m_pkthdr.len - alen;
88016de9ac1SGeorge V. Neville-Neil 	}
88116de9ac1SGeorge V. Neville-Neil 
88288768458SSam Leffler 	return crypto_dispatch(crp);
88388768458SSam Leffler bad:
88488768458SSam Leffler 	if (m)
88588768458SSam Leffler 		m_freem(m);
8863aee7099SAndrey V. Elsukov 	key_freesav(&sav);
8873aee7099SAndrey V. Elsukov 	key_freesp(&sp);
88888768458SSam Leffler 	return (error);
88988768458SSam Leffler }
89088768458SSam Leffler /*
89188768458SSam Leffler  * ESP output callback from the crypto driver.
89288768458SSam Leffler  */
89388768458SSam Leffler static int
89488768458SSam Leffler esp_output_cb(struct cryptop *crp)
89588768458SSam Leffler {
896fcf59617SAndrey V. Elsukov 	struct xform_data *xd;
897fcf59617SAndrey V. Elsukov 	struct secpolicy *sp;
89888768458SSam Leffler 	struct secasvar *sav;
89988768458SSam Leffler 	struct mbuf *m;
9002e08e39fSConrad Meyer 	crypto_session_t cryptoid;
901fcf59617SAndrey V. Elsukov 	u_int idx;
9020e4fb1dbSPawel Jakub Dawidek 	int error;
90388768458SSam Leffler 
904fcf59617SAndrey V. Elsukov 	xd = (struct xform_data *) crp->crp_opaque;
905fd40ecf3SJohn Baldwin 	CURVNET_SET(xd->vnet);
90688768458SSam Leffler 	m = (struct mbuf *) crp->crp_buf;
907fcf59617SAndrey V. Elsukov 	sp = xd->sp;
908fcf59617SAndrey V. Elsukov 	sav = xd->sav;
909fcf59617SAndrey V. Elsukov 	idx = xd->idx;
910fcf59617SAndrey V. Elsukov 	cryptoid = xd->cryptoid;
91188768458SSam Leffler 
91288768458SSam Leffler 	/* Check for crypto errors. */
91388768458SSam Leffler 	if (crp->crp_etype) {
91488768458SSam Leffler 		if (crp->crp_etype == EAGAIN) {
915fcf59617SAndrey V. Elsukov 			/* Reset the session ID */
9161b0909d5SConrad Meyer 			if (ipsec_updateid(sav, &crp->crp_session, &cryptoid) != 0)
917fcf59617SAndrey V. Elsukov 				crypto_freesession(cryptoid);
9181b0909d5SConrad Meyer 			xd->cryptoid = crp->crp_session;
919fd40ecf3SJohn Baldwin 			CURVNET_RESTORE();
9200a95a08eSPawel Jakub Dawidek 			return (crypto_dispatch(crp));
92188768458SSam Leffler 		}
922a04d64d8SAndrey V. Elsukov 		ESPSTAT_INC(esps_noxform);
9239ffa9677SSam Leffler 		DPRINTF(("%s: crypto error %d\n", __func__, crp->crp_etype));
92488768458SSam Leffler 		error = crp->crp_etype;
925fcf59617SAndrey V. Elsukov 		m_freem(m);
92688768458SSam Leffler 		goto bad;
92788768458SSam Leffler 	}
92888768458SSam Leffler 
92988768458SSam Leffler 	/* Shouldn't happen... */
93088768458SSam Leffler 	if (m == NULL) {
931a04d64d8SAndrey V. Elsukov 		ESPSTAT_INC(esps_crypto);
9329ffa9677SSam Leffler 		DPRINTF(("%s: bogus returned buffer from crypto\n", __func__));
93388768458SSam Leffler 		error = EINVAL;
93488768458SSam Leffler 		goto bad;
93588768458SSam Leffler 	}
936fcf59617SAndrey V. Elsukov 	free(xd, M_XDATA);
937fcf59617SAndrey V. Elsukov 	crypto_freereq(crp);
938a04d64d8SAndrey V. Elsukov 	ESPSTAT_INC(esps_hist[sav->alg_enc]);
93988768458SSam Leffler 	if (sav->tdb_authalgxform != NULL)
940a04d64d8SAndrey V. Elsukov 		AHSTAT_INC(ahs_hist[sav->alg_auth]);
94188768458SSam Leffler 
9426131838bSPawel Jakub Dawidek #ifdef REGRESSION
943dfa9422bSPawel Jakub Dawidek 	/* Emulate man-in-the-middle attack when ipsec_integrity is TRUE. */
944603724d3SBjoern A. Zeeb 	if (V_ipsec_integrity) {
945442da28aSVANHULLEBUS Yvan 		static unsigned char ipseczeroes[AH_HMAC_MAXHASHLEN];
946fcf59617SAndrey V. Elsukov 		const struct auth_hash *esph;
947dfa9422bSPawel Jakub Dawidek 
948dfa9422bSPawel Jakub Dawidek 		/*
949dfa9422bSPawel Jakub Dawidek 		 * Corrupt HMAC if we want to test integrity verification of
950dfa9422bSPawel Jakub Dawidek 		 * the other side.
951dfa9422bSPawel Jakub Dawidek 		 */
952dfa9422bSPawel Jakub Dawidek 		esph = sav->tdb_authalgxform;
953dfa9422bSPawel Jakub Dawidek 		if (esph !=  NULL) {
954442da28aSVANHULLEBUS Yvan 			int alen;
955442da28aSVANHULLEBUS Yvan 
956a09a7146SJohn-Mark Gurney 			alen = xform_ah_authsize(esph);
957442da28aSVANHULLEBUS Yvan 			m_copyback(m, m->m_pkthdr.len - alen,
958442da28aSVANHULLEBUS Yvan 			    alen, ipseczeroes);
959dfa9422bSPawel Jakub Dawidek 		}
960dfa9422bSPawel Jakub Dawidek 	}
9616131838bSPawel Jakub Dawidek #endif
962dfa9422bSPawel Jakub Dawidek 
96388768458SSam Leffler 	/* NB: m is reclaimed by ipsec_process_done. */
964fcf59617SAndrey V. Elsukov 	error = ipsec_process_done(m, sp, sav, idx);
965fd40ecf3SJohn Baldwin 	CURVNET_RESTORE();
9663d80e82dSAndrey V. Elsukov 	return (error);
96788768458SSam Leffler bad:
968fd40ecf3SJohn Baldwin 	CURVNET_RESTORE();
969fcf59617SAndrey V. Elsukov 	free(xd, M_XDATA);
97088768458SSam Leffler 	crypto_freereq(crp);
971fcf59617SAndrey V. Elsukov 	key_freesav(&sav);
972fcf59617SAndrey V. Elsukov 	key_freesp(&sp);
9733d80e82dSAndrey V. Elsukov 	return (error);
97488768458SSam Leffler }
97588768458SSam Leffler 
97688768458SSam Leffler static struct xformsw esp_xformsw = {
977fcf59617SAndrey V. Elsukov 	.xf_type =	XF_ESP,
978fcf59617SAndrey V. Elsukov 	.xf_name =	"IPsec ESP",
979fcf59617SAndrey V. Elsukov 	.xf_init =	esp_init,
980fcf59617SAndrey V. Elsukov 	.xf_zeroize =	esp_zeroize,
981fcf59617SAndrey V. Elsukov 	.xf_input =	esp_input,
982fcf59617SAndrey V. Elsukov 	.xf_output =	esp_output,
98388768458SSam Leffler };
98488768458SSam Leffler 
985fcf59617SAndrey V. Elsukov SYSINIT(esp_xform_init, SI_SUB_PROTO_DOMAIN, SI_ORDER_MIDDLE,
986fcf59617SAndrey V. Elsukov     xform_attach, &esp_xformsw);
987fcf59617SAndrey V. Elsukov SYSUNINIT(esp_xform_uninit, SI_SUB_PROTO_DOMAIN, SI_ORDER_MIDDLE,
988fcf59617SAndrey V. Elsukov     xform_detach, &esp_xformsw);
989