root/netinet/ip_esp.c

DEFINITIONS

1. esp_attach
2. esp_init
3. esp_zeroize
4. esp_input
5. esp_input_cb
6. esp_output
7. esp_output_cb
8. checkreplaywindow32
9. m_pad

    1 /*      $OpenBSD: ip_esp.c,v 1.100 2006/12/15 09:32:30 otto Exp $ */
    2 /*
    3  * The authors of this code are John Ioannidis (ji@tla.org),
    4  * Angelos D. Keromytis (kermit@csd.uch.gr) and
    5  * Niels Provos (provos@physnet.uni-hamburg.de).
    6  *
    7  * The original version of this code was written by John Ioannidis
    8  * for BSD/OS in Athens, Greece, in November 1995.
    9  *
   10  * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996,
   11  * by Angelos D. Keromytis.
   12  *
   13  * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis
   14  * and Niels Provos.
   15  *
   16  * Additional features in 1999 by Angelos D. Keromytis.
   17  *
   18  * Copyright (C) 1995, 1996, 1997, 1998, 1999 by John Ioannidis,
   19  * Angelos D. Keromytis and Niels Provos.
   20  * Copyright (c) 2001 Angelos D. Keromytis.
   21  *
   22  * Permission to use, copy, and modify this software with or without fee
   23  * is hereby granted, provided that this entire notice is included in
   24  * all copies of any software which is or includes a copy or
   25  * modification of this software.
   26  * You may use this code under the GNU public license if you so wish. Please
   27  * contribute changes back to the authors under this freer than GPL license
   28  * so that we may further the use of strong encryption without limitations to
   29  * all.
   30  *
   31  * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
   32  * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY
   33  * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
   34  * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
   35  * PURPOSE.
   36  */
   38 #include "pfsync.h"
   40 #include <sys/param.h>
   41 #include <sys/systm.h>
   42 #include <sys/mbuf.h>
   43 #include <sys/socket.h>
   45 #include <net/if.h>
   46 #include <net/bpf.h>
   48 #include <dev/rndvar.h>
   50 #ifdef INET
   51 #include <netinet/in.h>
   52 #include <netinet/in_systm.h>
   53 #include <netinet/ip.h>
   54 #include <netinet/ip_var.h>
   55 #endif /* INET */
   57 #ifdef INET6
   58 #ifndef INET
   59 #include <netinet/in.h>
   60 #endif
   61 #include <netinet/ip6.h>
   62 #endif /* INET6 */
   64 #include <netinet/ip_ipsp.h>
   65 #include <netinet/ip_esp.h>
   66 #include <net/pfkeyv2.h>
   67 #include <net/if_enc.h>
   69 #if NPFSYNC > 0
   70 #include <net/pfvar.h>
   71 #include <net/if_pfsync.h>
   72 #endif /* NPFSYNC > 0 */
   74 #include <crypto/cryptodev.h>
   75 #include <crypto/xform.h>
   77 #include "bpfilter.h"
   79 #ifdef ENCDEBUG
   80 #define DPRINTF(x)      if (encdebug) printf x
   81 #else
   82 #define DPRINTF(x)
   83 #endif
   85 struct espstat espstat;
   87 /*
   88  * esp_attach() is called from the transformation initialization code.
   89  */
   90 int
esp_attach()
   92 {
   93         return 0;
   94 }
   96 /*
   97  * esp_init() is called when an SPI is being set up.
   98  */
   99 int
esp_init(struct tdb *tdbp, struct xformsw *xsp, struct ipsecinit *ii)
  101 {
  102         struct enc_xform *txform = NULL;
  103         struct auth_hash *thash = NULL;
  104         struct cryptoini cria, crie;
  106         if (!ii->ii_encalg && !ii->ii_authalg) {
DPRINTF(("esp_init(): neither authentication nor encryption "
  108                     "algorithm given"));
  109                 return EINVAL;
  110         }
  112         if (ii->ii_encalg) {
  113                 switch (ii->ii_encalg) {
  114                 case SADB_EALG_NULL:
txform = &enc_xform_null;
  116                         break;
  118                 case SADB_EALG_DESCBC:
txform = &enc_xform_des;
  120                         break;
  122                 case SADB_EALG_3DESCBC:
txform = &enc_xform_3des;
  124                         break;
  126                 case SADB_X_EALG_AES:
txform = &enc_xform_rijndael128;
  128                         break;
  130                 case SADB_X_EALG_AESCTR:
txform = &enc_xform_aes_ctr;
  132                         break;
  134                 case SADB_X_EALG_BLF:
txform = &enc_xform_blf;
  136                         break;
  138                 case SADB_X_EALG_CAST:
txform = &enc_xform_cast5;
  140                         break;
  142                 case SADB_X_EALG_SKIPJACK:
txform = &enc_xform_skipjack;
  144                         break;
  146                 default:
DPRINTF(("esp_init(): unsupported encryption algorithm %d specified\n", ii->ii_encalg));
  148                         return EINVAL;
  149                 }
  151                 if (ii->ii_enckeylen < txform->minkey) {
DPRINTF(("esp_init(): keylength %d too small (min length is %d) for algorithm %s\n", ii->ii_enckeylen, txform->minkey, txform->name));
  153                         return EINVAL;
  154                 }
  156                 if (ii->ii_enckeylen > txform->maxkey) {
DPRINTF(("esp_init(): keylength %d too large (max length is %d) for algorithm %s\n", ii->ii_enckeylen, txform->maxkey, txform->name));
  158                         return EINVAL;
  159                 }
tdbp->tdb_encalgxform = txform;
DPRINTF(("esp_init(): initialized TDB with enc algorithm %s\n",
txform->name));
tdbp->tdb_ivlen = txform->ivsize;
  167                 if (tdbp->tdb_flags & TDBF_HALFIV)
tdbp->tdb_ivlen /= 2;
  169         }
  171         if (ii->ii_authalg) {
  172                 switch (ii->ii_authalg) {
  173                 case SADB_AALG_MD5HMAC:
thash = &auth_hash_hmac_md5_96;
  175                         break;
  177                 case SADB_AALG_SHA1HMAC:
thash = &auth_hash_hmac_sha1_96;
  179                         break;
  181                 case SADB_X_AALG_RIPEMD160HMAC:
thash = &auth_hash_hmac_ripemd_160_96;
  183                         break;
  185                 case SADB_X_AALG_SHA2_256:
thash = &auth_hash_hmac_sha2_256_96;
  187                         break;
  189                 case SADB_X_AALG_SHA2_384:
thash = &auth_hash_hmac_sha2_384_96;
  191                         break;
  193                 case SADB_X_AALG_SHA2_512:
thash = &auth_hash_hmac_sha2_512_96;
  195                         break;
  197                 default:
DPRINTF(("esp_init(): unsupported authentication algorithm %d specified\n", ii->ii_authalg));
  199                         return EINVAL;
  200                 }
  202                 if (ii->ii_authkeylen != thash->keysize) {
DPRINTF(("esp_init(): keylength %d doesn't match algorithm %s keysize (%d)\n", ii->ii_authkeylen, thash->name, thash->keysize));
  204                         return EINVAL;
  205                 }
tdbp->tdb_authalgxform = thash;
DPRINTF(("esp_init(): initialized TDB with hash algorithm %s\n",
thash->name));
  211         }
tdbp->tdb_xform = xsp;
tdbp->tdb_bitmap = 0;
tdbp->tdb_rpl = AH_HMAC_INITIAL_RPL;
  217         /* Initialize crypto session */
  218         if (tdbp->tdb_encalgxform) {
  219                 /* Save the raw keys */
tdbp->tdb_emxkeylen = ii->ii_enckeylen;
MALLOC(tdbp->tdb_emxkey, u_int8_t *, tdbp->tdb_emxkeylen,
M_XDATA, M_WAITOK);
bcopy(ii->ii_enckey, tdbp->tdb_emxkey, tdbp->tdb_emxkeylen);
bzero(&crie, sizeof(crie));
crie.cri_alg = tdbp->tdb_encalgxform->type;
  229                 if (tdbp->tdb_authalgxform)
crie.cri_next = &cria;
  231                 else
crie.cri_next = NULL;
crie.cri_klen = ii->ii_enckeylen * 8;
crie.cri_key = ii->ii_enckey;
  236                 /* XXX Rounds ? */
  237         }
  239         if (tdbp->tdb_authalgxform) {
  240                 /* Save the raw keys */
tdbp->tdb_amxkeylen = ii->ii_authkeylen;
MALLOC(tdbp->tdb_amxkey, u_int8_t *, tdbp->tdb_amxkeylen, M_XDATA,
M_WAITOK);
bcopy(ii->ii_authkey, tdbp->tdb_amxkey, tdbp->tdb_amxkeylen);
bzero(&cria, sizeof(cria));
cria.cri_alg = tdbp->tdb_authalgxform->type;
cria.cri_next = NULL;
cria.cri_klen = ii->ii_authkeylen * 8;
cria.cri_key = ii->ii_authkey;
  252         }
  254         return crypto_newsession(&tdbp->tdb_cryptoid,
  255             (tdbp->tdb_encalgxform ? &crie : &cria), 0);
  256 }
  258 /*
  259  * Paranoia.
  260  */
  261 int
esp_zeroize(struct tdb *tdbp)
  263 {
  264         int err;
  266         if (tdbp->tdb_amxkey) {
bzero(tdbp->tdb_amxkey, tdbp->tdb_amxkeylen);
FREE(tdbp->tdb_amxkey, M_XDATA);
tdbp->tdb_amxkey = NULL;
  270         }
  272         if (tdbp->tdb_emxkey) {
bzero(tdbp->tdb_emxkey, tdbp->tdb_emxkeylen);
FREE(tdbp->tdb_emxkey, M_XDATA);
tdbp->tdb_emxkey = NULL;
  276         }
err = crypto_freesession(tdbp->tdb_cryptoid);
tdbp->tdb_cryptoid = 0;
  280         return err;
  281 }
  283 #define MAXBUFSIZ (AH_ALEN_MAX > ESP_MAX_IVS ? AH_ALEN_MAX : ESP_MAX_IVS)
  285 /*
  286  * ESP input processing, called (eventually) through the protocol switch.
  287  */
  288 int
esp_input(struct mbuf *m, struct tdb *tdb, int skip, int protoff)
  290 {
  291         struct auth_hash *esph = (struct auth_hash *) tdb->tdb_authalgxform;
  292         struct enc_xform *espx = (struct enc_xform *) tdb->tdb_encalgxform;
  293         struct tdb_crypto *tc;
  294         int plen, alen, hlen;
  295         struct m_tag *mtag;
u_int32_t btsx;
  298         struct cryptodesc *crde = NULL, *crda = NULL;
  299         struct cryptop *crp;
  301         /* Determine the ESP header length */
  302         if (tdb->tdb_flags & TDBF_NOREPLAY)
hlen = sizeof(u_int32_t) + tdb->tdb_ivlen; /* "old" ESP */
  304         else
hlen = 2 * sizeof(u_int32_t) + tdb->tdb_ivlen; /* "new" ESP */
  307         if (esph)
alen = AH_HMAC_HASHLEN;
  309         else
alen = 0;
plen = m->m_pkthdr.len - (skip + hlen + alen);
  313         if (plen <= 0) {
DPRINTF(("esp_input: invalid payload length\n"));
espstat.esps_badilen++;
m_freem(m);
  317                 return EINVAL;
  318         }
  320         if (espx) {
  321                 /*
  322                  * Verify payload length is multiple of encryption algorithm
  323                  * block size.
  324                  */
  325                 if (plen & (espx->blocksize - 1)) {
DPRINTF(("esp_input(): payload of %d octets not a multiple of %d octets, SA %s/%08x\n", plen, espx->blocksize, ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi)));
espstat.esps_badilen++;
m_freem(m);
  329                         return EINVAL;
  330                 }
  331         }
  333         /* Replay window checking, if appropriate -- no value commitment. */
  334         if ((tdb->tdb_wnd > 0) && (!(tdb->tdb_flags & TDBF_NOREPLAY))) {
m_copydata(m, skip + sizeof(u_int32_t), sizeof(u_int32_t),
  336                     (unsigned char *) &btsx);
btsx = ntohl(btsx);
  339                 switch (checkreplaywindow32(btsx, 0, &(tdb->tdb_rpl),
tdb->tdb_wnd, &(tdb->tdb_bitmap), 0)) {
  341                 case 0: /* All's well */
  342                         break;
  344                 case 1:
m_freem(m);
DPRINTF(("esp_input(): replay counter wrapped for SA %s/%08x\n", ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi)));
espstat.esps_wrap++;
  348                         return EACCES;
  350                 case 2:
  351                 case 3:
DPRINTF(("esp_input(): duplicate packet received in SA %s/%08x\n", ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi)));
m_freem(m);
  354                         return EACCES;
  356                 default:
m_freem(m);
DPRINTF(("esp_input(): bogus value from checkreplaywindow32() in SA %s/%08x\n", ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi)));
espstat.esps_replay++;
  360                         return EACCES;
  361                 }
  362         }
  364         /* Update the counters */
tdb->tdb_cur_bytes += m->m_pkthdr.len - skip - hlen - alen;
espstat.esps_ibytes += m->m_pkthdr.len - skip - hlen - alen;
  368         /* Hard expiration */
  369         if ((tdb->tdb_flags & TDBF_BYTES) &&
  370             (tdb->tdb_cur_bytes >= tdb->tdb_exp_bytes)) {
pfkeyv2_expire(tdb, SADB_EXT_LIFETIME_HARD);
tdb_delete(tdb);
m_freem(m);
  374                 return ENXIO;
  375         }
  377         /* Notify on soft expiration */
  378         if ((tdb->tdb_flags & TDBF_SOFT_BYTES) &&
  379             (tdb->tdb_cur_bytes >= tdb->tdb_soft_bytes)) {
pfkeyv2_expire(tdb, SADB_EXT_LIFETIME_SOFT);
tdb->tdb_flags &= ~TDBF_SOFT_BYTES;       /* Turn off checking */
  382         }
  384 #ifdef notyet
  385         /* Find out if we've already done crypto */
  386         for (mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_CRYPTO_DONE, NULL);
mtag != NULL;
mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_CRYPTO_DONE, mtag)) {
  389                 struct tdb_ident *tdbi;
tdbi = (struct tdb_ident *) (mtag + 1);
  392                 if (tdbi->proto == tdb->tdb_sproto && tdbi->spi == tdb->tdb_spi &&
  393                     !bcmp(&tdbi->dst, &tdb->tdb_dst, sizeof(union sockaddr_union)))
  394                         break;
  395         }
  396 #else
mtag = NULL;
  398 #endif
  400         /* Get crypto descriptors */
crp = crypto_getreq(esph && espx ? 2 : 1);
  402         if (crp == NULL) {
m_freem(m);
DPRINTF(("esp_input(): failed to acquire crypto descriptors\n"));
espstat.esps_crypto++;
  406                 return ENOBUFS;
  407         }
  409         /* Get IPsec-specific opaque pointer */
  410         if (esph == NULL || mtag != NULL)
MALLOC(tc, struct tdb_crypto *, sizeof(struct tdb_crypto),
M_XDATA, M_NOWAIT);
  413         else
MALLOC(tc, struct tdb_crypto *,
  415                     sizeof(struct tdb_crypto) + alen, M_XDATA, M_NOWAIT);
  416         if (tc == NULL) {
m_freem(m);
crypto_freereq(crp);
DPRINTF(("esp_input(): failed to allocate tdb_crypto\n"));
espstat.esps_crypto++;
  421                 return ENOBUFS;
  422         }
bzero(tc, sizeof(struct tdb_crypto));
tc->tc_ptr = (caddr_t) mtag;
  427         if (esph) {
crda = crp->crp_desc;
crde = crda->crd_next;
  431                 /* Authentication descriptor */
crda->crd_skip = skip;
crda->crd_len = m->m_pkthdr.len - (skip + alen);
crda->crd_inject = m->m_pkthdr.len - alen;
crda->crd_alg = esph->type;
crda->crd_key = tdb->tdb_amxkey;
crda->crd_klen = tdb->tdb_amxkeylen * 8;
  440                 /* Copy the authenticator */
  441                 if (mtag == NULL)
m_copydata(m, m->m_pkthdr.len - alen, alen, (caddr_t) (tc + 1));
  443         } else
crde = crp->crp_desc;
  446         /* Crypto operation descriptor */
crp->crp_ilen = m->m_pkthdr.len; /* Total input length */
crp->crp_flags = CRYPTO_F_IMBUF;
crp->crp_buf = (caddr_t) m;
crp->crp_callback = (int (*) (struct cryptop *)) esp_input_cb;
crp->crp_sid = tdb->tdb_cryptoid;
crp->crp_opaque = (caddr_t) tc;
  454         /* These are passed as-is to the callback */
tc->tc_skip = skip;
tc->tc_protoff = protoff;
tc->tc_spi = tdb->tdb_spi;
tc->tc_proto = tdb->tdb_sproto;
bcopy(&tdb->tdb_dst, &tc->tc_dst, sizeof(union sockaddr_union));
  461         /* Decryption descriptor */
  462         if (espx) {
crde->crd_skip = skip + hlen;
crde->crd_len = m->m_pkthdr.len - (skip + hlen + alen);
crde->crd_inject = skip + hlen - tdb->tdb_ivlen;
  467                 if (tdb->tdb_flags & TDBF_HALFIV) {
  468                         /* Copy half-IV from packet */
m_copydata(m, crde->crd_inject, tdb->tdb_ivlen, crde->crd_iv);
  471                         /* Cook IV */
  472                         for (btsx = 0; btsx < tdb->tdb_ivlen; btsx++)
crde->crd_iv[tdb->tdb_ivlen + btsx] = ~crde->crd_iv[btsx];
crde->crd_flags |= CRD_F_IV_EXPLICIT;
  476                 }
crde->crd_alg = espx->type;
crde->crd_key = tdb->tdb_emxkey;
crde->crd_klen = tdb->tdb_emxkeylen * 8;
  481                 /* XXX Rounds ? */
  482         }
  484         if (mtag == NULL)
  485                 return crypto_dispatch(crp);
  486         else
  487                 return esp_input_cb(crp);
  488 }
  490 /*
  491  * ESP input callback, called directly by the crypto driver.
  492  */
  493 int
esp_input_cb(void *op)
  495 {
u_int8_t lastthree[3], aalg[AH_HMAC_HASHLEN];
  497         int s, hlen, roff, skip, protoff, error;
  498         struct mbuf *m1, *mo, *m;
  499         struct auth_hash *esph;
  500         struct tdb_crypto *tc;
  501         struct cryptop *crp;
  502         struct m_tag *mtag;
  503         struct tdb *tdb;
u_int32_t btsx;
caddr_t ptr;
crp = (struct cryptop *) op;
tc = (struct tdb_crypto *) crp->crp_opaque;
skip = tc->tc_skip;
protoff = tc->tc_protoff;
mtag = (struct m_tag *) tc->tc_ptr;
m = (struct mbuf *) crp->crp_buf;
  515         if (m == NULL) {
  516                 /* Shouldn't happen... */
FREE(tc, M_XDATA);
crypto_freereq(crp);
espstat.esps_crypto++;
DPRINTF(("esp_input_cb(): bogus returned buffer from crypto\n"));
  521                 return (EINVAL);
  522         }
s = spltdb();
tdb = gettdb(tc->tc_spi, &tc->tc_dst, tc->tc_proto);
  527         if (tdb == NULL) {
FREE(tc, M_XDATA);
espstat.esps_notdb++;
DPRINTF(("esp_input_cb(): TDB is expired while in crypto"));
error = EPERM;
  532                 goto baddone;
  533         }
esph = (struct auth_hash *) tdb->tdb_authalgxform;
  537         /* Check for crypto errors */
  538         if (crp->crp_etype) {
  539                 if (crp->crp_etype == EAGAIN) {
  540                         /* Reset the session ID */
  541                         if (tdb->tdb_cryptoid != 0)
tdb->tdb_cryptoid = crp->crp_sid;
splx(s);
  544                         return crypto_dispatch(crp);
  545                 }
FREE(tc, M_XDATA);
espstat.esps_noxform++;
DPRINTF(("esp_input_cb(): crypto error %d\n", crp->crp_etype));
error = crp->crp_etype;
  550                 goto baddone;
  551         }
  553         /* If authentication was performed, check now. */
  554         if (esph != NULL) {
  555                 /*
  556                  * If we have a tag, it means an IPsec-aware NIC did the verification
  557                  * for us.
  558                  */
  559                 if (mtag == NULL) {
  560                         /* Copy the authenticator from the packet */
m_copydata(m, m->m_pkthdr.len - esph->authsize,
esph->authsize, aalg);
ptr = (caddr_t) (tc + 1);
  566                         /* Verify authenticator */
  567                         if (bcmp(ptr, aalg, esph->authsize)) {
FREE(tc, M_XDATA);
DPRINTF(("esp_input_cb(): authentication failed for packet in SA %s/%08x\n", ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi)));
espstat.esps_badauth++;
error = EACCES;
  572                                 goto baddone;
  573                         }
  574                 }
  576                 /* Remove trailing authenticator */
m_adj(m, -(esph->authsize));
  578         }
FREE(tc, M_XDATA);
  581         /* Replay window checking, if appropriate */
  582         if ((tdb->tdb_wnd > 0) && (!(tdb->tdb_flags & TDBF_NOREPLAY))) {
m_copydata(m, skip + sizeof(u_int32_t), sizeof(u_int32_t),
  584                     (unsigned char *) &btsx);
btsx = ntohl(btsx);
  587                 switch (checkreplaywindow32(btsx, 0, &(tdb->tdb_rpl),
tdb->tdb_wnd, &(tdb->tdb_bitmap), 1)) {
  589                 case 0: /* All's well */
  590 #if NPFSYNC > 0
pfsync_update_tdb(tdb,0);
  592 #endif
  593                         break;
  595                 case 1:
DPRINTF(("esp_input_cb(): replay counter wrapped for SA %s/%08x\n", ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi)));
espstat.esps_wrap++;
error = EACCES;
  599                         goto baddone;
  601                 case 2:
  602                 case 3:
DPRINTF(("esp_input_cb(): duplicate packet received in SA %s/%08x\n", ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi)));
error = EACCES;
  605                         goto baddone;
  607                 default:
DPRINTF(("esp_input_cb(): bogus value from checkreplaywindow32() in SA %s/%08x\n", ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi)));
espstat.esps_replay++;
error = EACCES;
  611                         goto baddone;
  612                 }
  613         }
  615         /* Release the crypto descriptors */
crypto_freereq(crp);
  618         /* Determine the ESP header length */
  619         if (tdb->tdb_flags & TDBF_NOREPLAY)
hlen = sizeof(u_int32_t) + tdb->tdb_ivlen; /* "old" ESP */
  621         else
hlen = 2 * sizeof(u_int32_t) + tdb->tdb_ivlen; /* "new" ESP */
  624         /* Find beginning of ESP header */
m1 = m_getptr(m, skip, &roff);
  626         if (m1 == NULL) {
espstat.esps_hdrops++;
splx(s);
DPRINTF(("esp_input_cb(): bad mbuf chain, SA %s/%08x\n",
ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi)));
m_freem(m);
  632                 return EINVAL;
  633         }
  635         /* Remove the ESP header and IV from the mbuf. */
  636         if (roff == 0) {
  637                 /* The ESP header was conveniently at the beginning of the mbuf */
m_adj(m1, hlen);
  639                 if (!(m1->m_flags & M_PKTHDR))
m->m_pkthdr.len -= hlen;
  641         } else if (roff + hlen >= m1->m_len) {
  642                 /*
  643                  * Part or all of the ESP header is at the end of this mbuf, so
  644                  * first let's remove the remainder of the ESP header from the
  645                  * beginning of the remainder of the mbuf chain, if any.
  646                  */
  647                 if (roff + hlen > m1->m_len) {
  648                         /* Adjust the next mbuf by the remainder */
m_adj(m1->m_next, roff + hlen - m1->m_len);
  651                         /* The second mbuf is guaranteed not to have a pkthdr... */
m->m_pkthdr.len -= (roff + hlen - m1->m_len);
  653                 }
  655                 /* Now, let's unlink the mbuf chain for a second...*/
mo = m1->m_next;
m1->m_next = NULL;
  659                 /* ...and trim the end of the first part of the chain...sick */
m_adj(m1, -(m1->m_len - roff));
  661                 if (!(m1->m_flags & M_PKTHDR))
m->m_pkthdr.len -= (m1->m_len - roff);
  664                 /* Finally, let's relink */
m1->m_next = mo;
  666         } else {
  667                 /*
  668                  * The ESP header lies in the "middle" of the mbuf...do an
  669                  * overlapping copy of the remainder of the mbuf over the ESP
  670                  * header.
  671                  */
bcopy(mtod(m1, u_char *) + roff + hlen,
mtod(m1, u_char *) + roff, m1->m_len - (roff + hlen));
m1->m_len -= hlen;
m->m_pkthdr.len -= hlen;
  676         }
  678         /* Save the last three bytes of decrypted data */
m_copydata(m, m->m_pkthdr.len - 3, 3, lastthree);
  681         /* Verify pad length */
  682         if (lastthree[1] + 2 > m->m_pkthdr.len - skip) {
espstat.esps_badilen++;
splx(s);
DPRINTF(("esp_input_cb(): invalid padding length %d for packet in SA %s/%08x\n", lastthree[1], ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi)));
m_freem(m);
  687                 return EINVAL;
  688         }
  690         /* Verify correct decryption by checking the last padding bytes */
  691         if (!(tdb->tdb_flags & TDBF_RANDOMPADDING)) {
  692                 if ((lastthree[1] != lastthree[0]) && (lastthree[1] != 0)) {
espstat.esps_badenc++;
splx(s);
DPRINTF(("esp_input(): decryption failed for packet in SA %s/%08x\n", ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi)));
m_freem(m);
  697                         return EINVAL;
  698                 }
  699         }
  701         /* Trim the mbuf chain to remove the trailing authenticator and padding */
m_adj(m, -(lastthree[1] + 2));
  704         /* Restore the Next Protocol field */
m_copyback(m, protoff, sizeof(u_int8_t), lastthree + 2);
  707         /* Back to generic IPsec input processing */
error = ipsec_common_input_cb(m, tdb, skip, protoff, mtag);
splx(s);
  710         return (error);
baddone:
splx(s);
  715         if (m != NULL)
m_freem(m);
crypto_freereq(crp);
  720         return (error);
  721 }
  723 /*
  724  * ESP output routine, called by ipsp_process_packet().
  725  */
  726 int
esp_output(struct mbuf *m, struct tdb *tdb, struct mbuf **mp, int skip,
  728     int protoff)
  729 {
  730         struct enc_xform *espx = (struct enc_xform *) tdb->tdb_encalgxform;
  731         struct auth_hash *esph = (struct auth_hash *) tdb->tdb_authalgxform;
  732         int ilen, hlen, rlen, padding, blks, alen;
  733         struct mbuf *mi, *mo = (struct mbuf *) NULL;
  734         struct tdb_crypto *tc;
  735         unsigned char *pad;
u_int8_t prot;
  738         struct cryptodesc *crde = NULL, *crda = NULL;
  739         struct cryptop *crp;
  740 #if NBPFILTER > 0
  741         struct ifnet *ifn = &(encif[0].sc_if);
ifn->if_opackets++;
ifn->if_obytes += m->m_pkthdr.len;
  746         if (ifn->if_bpf) {
  747                 struct enchdr hdr;
bzero (&hdr, sizeof(hdr));
hdr.af = tdb->tdb_dst.sa.sa_family;
hdr.spi = tdb->tdb_spi;
  753                 if (espx)
hdr.flags |= M_CONF;
  755                 if (esph)
hdr.flags |= M_AUTH;
bpf_mtap_hdr(ifn->if_bpf, (char *)&hdr, ENC_HDRLEN, m,
BPF_DIRECTION_OUT);
  760         }
  761 #endif
  763         if (tdb->tdb_flags & TDBF_NOREPLAY)
hlen = sizeof(u_int32_t) + tdb->tdb_ivlen;
  765         else
hlen = 2 * sizeof(u_int32_t) + tdb->tdb_ivlen;
rlen = m->m_pkthdr.len - skip; /* Raw payload length. */
  769         if (espx)
blks = espx->blocksize;
  771         else
blks = 4; /* If no encryption, we have to be 4-byte aligned. */
padding = ((blks - ((rlen + 2) % blks)) % blks) + 2;
  776         if (esph)
alen = AH_HMAC_HASHLEN;
  778         else
alen = 0;
espstat.esps_output++;
  783         switch (tdb->tdb_dst.sa.sa_family) {
  784 #ifdef INET
  785         case AF_INET:
  786                 /* Check for IP maximum packet size violations. */
  787                 if (skip + hlen + rlen + padding + alen > IP_MAXPACKET) {
DPRINTF(("esp_output(): packet in SA %s/%08x got "
  789                             "too big\n", ipsp_address(tdb->tdb_dst),
ntohl(tdb->tdb_spi)));
m_freem(m);
espstat.esps_toobig++;
  793                         return EMSGSIZE;
  794                 }
  795                 break;
  796 #endif /* INET */
  798 #ifdef INET6
  799         case AF_INET6:
  800                 /* Check for IPv6 maximum packet size violations. */
  801                 if (skip + hlen + rlen + padding + alen > IPV6_MAXPACKET) {
DPRINTF(("esp_output(): packet in SA %s/%08x got too "
  803                             "big\n", ipsp_address(tdb->tdb_dst),
ntohl(tdb->tdb_spi)));
m_freem(m);
espstat.esps_toobig++;
  807                         return EMSGSIZE;
  808                 }
  809                 break;
  810 #endif /* INET6 */
  812         default:
DPRINTF(("esp_output(): unknown/unsupported protocol "
  814                     "family %d, SA %s/%08x\n", tdb->tdb_dst.sa.sa_family
  815                     , ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi)));
m_freem(m);
espstat.esps_nopf++;
  818                 return EPFNOSUPPORT;
  819         }
  821         /* Update the counters. */
tdb->tdb_cur_bytes += m->m_pkthdr.len - skip;
espstat.esps_obytes += m->m_pkthdr.len - skip;
  825         /* Hard byte expiration. */
  826         if (tdb->tdb_flags & TDBF_BYTES &&
tdb->tdb_cur_bytes >= tdb->tdb_exp_bytes) {
pfkeyv2_expire(tdb, SADB_EXT_LIFETIME_HARD);
tdb_delete(tdb);
m_freem(m);
  831                 return EINVAL;
  832         }
  834         /* Soft byte expiration. */
  835         if (tdb->tdb_flags & TDBF_SOFT_BYTES &&
tdb->tdb_cur_bytes >= tdb->tdb_soft_bytes) {
pfkeyv2_expire(tdb, SADB_EXT_LIFETIME_SOFT);
tdb->tdb_flags &= ~TDBF_SOFT_BYTES;    /* Turn off checking. */
  839         }
  841         /*
  842          * Loop through mbuf chain; if we find a readonly mbuf,
  843          * replace the rest of the chain.
  844          */
mo = NULL;
mi = m;
  847         while (mi != NULL && !M_READONLY(mi)) {
mo = mi;
mi = mi->m_next;
  850         }
  852         if (mi != NULL) {
  853                 /* Replace the rest of the mbuf chain. */
  854                 struct mbuf *n = m_copym2(mi, 0, M_COPYALL, M_DONTWAIT);
  856                 if (n == NULL) {
DPRINTF(("esp_output(): bad mbuf chain, SA %s/%08x\n",
ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi)));
espstat.esps_hdrops++;
m_freem(m);
  861                         return ENOBUFS;
  862                 }
  864                 if (mo != NULL)
mo->m_next = n;
  866                 else
m = n;
m_freem(mi);
  870         }
  872         /* Inject ESP header. */
mo = m_inject(m, skip, hlen, M_DONTWAIT);
  874         if (mo == NULL) {
DPRINTF(("esp_output(): failed to inject ESP header for "
  876                     "SA %s/%08x\n", ipsp_address(tdb->tdb_dst),
ntohl(tdb->tdb_spi)));
m_freem(m);
espstat.esps_hdrops++;
  880                 return ENOBUFS;
  881         }
  883         /* Initialize ESP header. */
bcopy((caddr_t) &tdb->tdb_spi, mtod(mo, caddr_t), sizeof(u_int32_t));
  885         if (!(tdb->tdb_flags & TDBF_NOREPLAY)) {
u_int32_t replay = htonl(tdb->tdb_rpl++);
bcopy((caddr_t) &replay, mtod(mo, caddr_t) + sizeof(u_int32_t),
  888                     sizeof(u_int32_t));
  889 #if NPFSYNC > 0
pfsync_update_tdb(tdb,1);
  891 #endif
  892         }
  894         /*
  895          * Add padding -- better to do it ourselves than use the crypto engine,
  896          * although if/when we support compression, we'd have to do that.
  897          */
pad = (u_char *) m_pad(m, padding + alen);
  899         if (pad == NULL) {
DPRINTF(("esp_output(): m_pad() failed for SA %s/%08x\n",
ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi)));
  902                 return ENOBUFS;
  903         }
  905         /* Self-describing or random padding ? */
  906         if (!(tdb->tdb_flags & TDBF_RANDOMPADDING))
  907                 for (ilen = 0; ilen < padding - 2; ilen++)
pad[ilen] = ilen + 1;
  909         else
arc4random_bytes((void *) pad, padding - 2);
  912         /* Fix padding length and Next Protocol in padding itself. */
pad[padding - 2] = padding - 2;
m_copydata(m, protoff, sizeof(u_int8_t), pad + padding - 1);
  916         /* Fix Next Protocol in IPv4/IPv6 header. */
prot = IPPROTO_ESP;
m_copyback(m, protoff, sizeof(u_int8_t), &prot);
  920         /* Get crypto descriptors. */
crp = crypto_getreq(esph && espx ? 2 : 1);
  922         if (crp == NULL) {
m_freem(m);
DPRINTF(("esp_output(): failed to acquire crypto "
  925                     "descriptors\n"));
espstat.esps_crypto++;
  927                 return ENOBUFS;
  928         }
  930         if (espx) {
crde = crp->crp_desc;
crda = crde->crd_next;
  934                 /* Encryption descriptor. */
crde->crd_skip = skip + hlen;
crde->crd_len = m->m_pkthdr.len - (skip + hlen + alen);
crde->crd_flags = CRD_F_ENCRYPT;
crde->crd_inject = skip + hlen - tdb->tdb_ivlen;
  940                 if (tdb->tdb_flags & TDBF_HALFIV) {
  941                         /* Copy half-iv in the packet. */
m_copyback(m, crde->crd_inject, tdb->tdb_ivlen,
tdb->tdb_iv);
  945                         /* Cook half-iv. */
bcopy(tdb->tdb_iv, crde->crd_iv, tdb->tdb_ivlen);
  947                         for (ilen = 0; ilen < tdb->tdb_ivlen; ilen++)
crde->crd_iv[tdb->tdb_ivlen + ilen] =
  949                                     ~crde->crd_iv[ilen];
crde->crd_flags |=
CRD_F_IV_PRESENT | CRD_F_IV_EXPLICIT;
  953                 }
  955                 /* Encryption operation. */
crde->crd_alg = espx->type;
crde->crd_key = tdb->tdb_emxkey;
crde->crd_klen = tdb->tdb_emxkeylen * 8;
  959                 /* XXX Rounds ? */
  960         } else
crda = crp->crp_desc;
  963         /* IPsec-specific opaque crypto info. */
MALLOC(tc, struct tdb_crypto *, sizeof(struct tdb_crypto),
M_XDATA, M_NOWAIT);
  966         if (tc == NULL) {
m_freem(m);
crypto_freereq(crp);
DPRINTF(("esp_output(): failed to allocate tdb_crypto\n"));
espstat.esps_crypto++;
  971                 return ENOBUFS;
  972         }
bzero(tc, sizeof(struct tdb_crypto));
tc->tc_spi = tdb->tdb_spi;
tc->tc_proto = tdb->tdb_sproto;
bcopy(&tdb->tdb_dst, &tc->tc_dst, sizeof(union sockaddr_union));
  979         /* Crypto operation descriptor. */
crp->crp_ilen = m->m_pkthdr.len; /* Total input length. */
crp->crp_flags = CRYPTO_F_IMBUF;
crp->crp_buf = (caddr_t) m;
crp->crp_callback = (int (*) (struct cryptop *)) esp_output_cb;
crp->crp_opaque = (caddr_t) tc;
crp->crp_sid = tdb->tdb_cryptoid;
  987         if (esph) {
  988                 /* Authentication descriptor. */
crda->crd_skip = skip;
crda->crd_len = m->m_pkthdr.len - (skip + alen);
crda->crd_inject = m->m_pkthdr.len - alen;
  993                 /* Authentication operation. */
crda->crd_alg = esph->type;
crda->crd_key = tdb->tdb_amxkey;
crda->crd_klen = tdb->tdb_amxkeylen * 8;
  997         }
  999         if ((tdb->tdb_flags & TDBF_SKIPCRYPTO) == 0)
 1000                 return crypto_dispatch(crp);
 1001         else
 1002                 return esp_output_cb(crp);
 1003 }
 1005 /*
 1006  * ESP output callback, called directly by the crypto driver.
 1007  */
 1008 int
esp_output_cb(void *op)
 1010 {
 1011         struct cryptop *crp = (struct cryptop *) op;
 1012         struct tdb_crypto *tc;
 1013         struct tdb *tdb;
 1014         struct mbuf *m;
 1015         int error, s;
tc = (struct tdb_crypto *) crp->crp_opaque;
m = (struct mbuf *) crp->crp_buf;
 1020         if (m == NULL) {
 1021                 /* Shouldn't happen... */
FREE(tc, M_XDATA);
crypto_freereq(crp);
espstat.esps_crypto++;
DPRINTF(("esp_output_cb(): bogus returned buffer from "
 1026                     "crypto\n"));
 1027                 return (EINVAL);
 1028         }
s = spltdb();
tdb = gettdb(tc->tc_spi, &tc->tc_dst, tc->tc_proto);
 1034         if (tdb == NULL) {
FREE(tc, M_XDATA);
espstat.esps_notdb++;
DPRINTF(("esp_output_cb(): TDB is expired while in crypto\n"));
error = EPERM;
 1039                 goto baddone;
 1040         }
 1042         /* Check for crypto errors. */
 1043         if (crp->crp_etype) {
 1044                 if (crp->crp_etype == EAGAIN) {
 1045                         /* Reset the session ID */
 1046                         if (tdb->tdb_cryptoid != 0)
tdb->tdb_cryptoid = crp->crp_sid;
splx(s);
 1049                         return crypto_dispatch(crp);
 1050                 }
FREE(tc, M_XDATA);
espstat.esps_noxform++;
DPRINTF(("esp_output_cb(): crypto error %d\n",
crp->crp_etype));
error = crp->crp_etype;
 1056                 goto baddone;
 1057         }
FREE(tc, M_XDATA);
 1060         /* Release crypto descriptors. */
crypto_freereq(crp);
 1063         /*
 1064          * If we're doing half-iv, keep a copy of the last few bytes of the
 1065          * encrypted part, for use as the next IV. Note that HALF-IV is only
 1066          * supposed to be used without authentication (the old ESP specs).
 1067          */
 1068         if (tdb->tdb_flags & TDBF_HALFIV)
m_copydata(m, m->m_pkthdr.len - tdb->tdb_ivlen, tdb->tdb_ivlen,
tdb->tdb_iv);
 1072         /* Call the IPsec input callback. */
error = ipsp_process_done(m, tdb);
splx(s);
 1075         return error;
baddone:
splx(s);
 1080         if (m != NULL)
m_freem(m);
crypto_freereq(crp);
 1085         return error;
 1086 }
 1088 /*
 1089  * return 0 on success
 1090  * return 1 for counter == 0
 1091  * return 2 for very old packet
 1092  * return 3 for packet within current window but already received
 1093  */
 1094 int
checkreplaywindow32(u_int32_t seq, u_int32_t initial, u_int32_t *lastseq,
u_int32_t window, u_int32_t *bitmap, int commit)
 1097 {
u_int32_t diff, llseq, lbitmap;
 1100         /* Just do the checking, without "committing" any changes. */
 1101         if (commit == 0) {
llseq = *lastseq;
lbitmap = *bitmap;
lastseq = &llseq;
bitmap = &lbitmap;
 1107         }
seq -= initial;
 1111         if (seq == 0)
 1112                 return 1;
 1114         if (seq > *lastseq - initial) {
diff = seq - (*lastseq - initial);
 1116                 if (diff < window)
 1117                         *bitmap = ((*bitmap) << diff) | 1;
 1118                 else
 1119                         *bitmap = 1;
 1120                 *lastseq = seq + initial;
 1121                 return 0;
 1122         }
diff = *lastseq - initial - seq;
 1125         if (diff >= window) {
espstat.esps_wrap++;
 1127                 return 2;
 1128         }
 1130         if ((*bitmap) & (((u_int32_t) 1) << diff)) {
espstat.esps_replay++;
 1132                 return 3;
 1133         }
 1135         *bitmap |= (((u_int32_t) 1) << diff);
 1136         return 0;
 1137 }
 1139 /*
 1140  * m_pad(m, n) pads <m> with <n> bytes at the end. The packet header
 1141  * length is updated, and a pointer to the first byte of the padding
 1142  * (which is guaranteed to be all in one mbuf) is returned.
 1143  */
caddr_t
m_pad(struct mbuf *m, int n)
 1147 {
 1148         struct mbuf *m0, *m1;
 1149         int len, pad;
caddr_t retval;
 1152         if (n <= 0) {  /* No stupid arguments. */
DPRINTF(("m_pad(): pad length invalid (%d)\n", n));
m_freem(m);
 1155                 return NULL;
 1156         }
len = m->m_pkthdr.len;
pad = n;
m0 = m;
 1162         while (m0->m_len < len) {
len -= m0->m_len;
m0 = m0->m_next;
 1165         }
 1167         if (m0->m_len != len) {
DPRINTF(("m_pad(): length mismatch (should be %d instead of "
 1169                     "%d)\n", m->m_pkthdr.len,
m->m_pkthdr.len + m0->m_len - len));
m_freem(m);
 1173                 return NULL;
 1174         }
 1176         /* Check for zero-length trailing mbufs, and find the last one. */
 1177         for (m1 = m0; m1->m_next; m1 = m1->m_next) {
 1178                 if (m1->m_next->m_len != 0) {
DPRINTF(("m_pad(): length mismatch (should be %d "
 1180                             "instead of %d)\n", m->m_pkthdr.len,
m->m_pkthdr.len + m1->m_next->m_len));
m_freem(m);
 1184                         return NULL;
 1185                 }
m0 = m1->m_next;
 1188         }
 1190         if ((m0->m_flags & M_EXT) ||
m0->m_data + m0->m_len + pad >= &(m0->m_dat[MLEN])) {
 1192                 /* Add an mbuf to the chain. */
MGET(m1, M_DONTWAIT, MT_DATA);
 1194                 if (m1 == 0) {
m_freem(m0);
DPRINTF(("m_pad(): cannot append\n"));
 1197                         return NULL;
 1198                 }
m0->m_next = m1;
m0 = m1;
m0->m_len = 0;
 1203         }
retval = m0->m_data + m0->m_len;
m0->m_len += pad;
m->m_pkthdr.len += pad;
 1209         return retval;
 1210 }