1 /* $OpenBSD: ip_esp.c,v 1.159 2019/09/30 01:53:05 dlg Exp $ */ 2 /* 3 * The authors of this code are John Ioannidis (ji@tla.org), 4 * Angelos D. Keromytis (kermit@csd.uch.gr) and 5 * Niels Provos (provos@physnet.uni-hamburg.de). 6 * 7 * The original version of this code was written by John Ioannidis 8 * for BSD/OS in Athens, Greece, in November 1995. 9 * 10 * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996, 11 * by Angelos D. Keromytis. 12 * 13 * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis 14 * and Niels Provos. 15 * 16 * Additional features in 1999 by Angelos D. Keromytis. 17 * 18 * Copyright (C) 1995, 1996, 1997, 1998, 1999 by John Ioannidis, 19 * Angelos D. Keromytis and Niels Provos. 20 * Copyright (c) 2001 Angelos D. Keromytis. 21 * 22 * Permission to use, copy, and modify this software with or without fee 23 * is hereby granted, provided that this entire notice is included in 24 * all copies of any software which is or includes a copy or 25 * modification of this software. 26 * You may use this code under the GNU public license if you so wish. Please 27 * contribute changes back to the authors under this freer than GPL license 28 * so that we may further the use of strong encryption without limitations to 29 * all. 30 * 31 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR 32 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY 33 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE 34 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR 35 * PURPOSE. 36 */ 37 38 #include "pfsync.h" 39 40 #include <sys/param.h> 41 #include <sys/systm.h> 42 #include <sys/mbuf.h> 43 #include <sys/socket.h> 44 45 #include <net/if.h> 46 #include <net/if_var.h> 47 #include <net/bpf.h> 48 49 #include <netinet/in.h> 50 #include <netinet/ip.h> 51 #include <netinet/ip_var.h> 52 53 #ifdef INET6 54 #include <netinet/ip6.h> 55 #endif /* INET6 */ 56 57 #include <netinet/ip_ipsp.h> 58 #include <netinet/ip_esp.h> 59 #include <net/pfkeyv2.h> 60 #include <net/if_enc.h> 61 62 #if NPFSYNC > 0 63 #include <net/pfvar.h> 64 #include <net/if_pfsync.h> 65 #endif /* NPFSYNC > 0 */ 66 67 #include <crypto/cryptodev.h> 68 #include <crypto/xform.h> 69 70 #include "bpfilter.h" 71 72 #ifdef ENCDEBUG 73 #define DPRINTF(x) if (encdebug) printf x 74 #else 75 #define DPRINTF(x) 76 #endif 77 78 /* 79 * esp_attach() is called from the transformation initialization code. 80 */ 81 int 82 esp_attach(void) 83 { 84 return 0; 85 } 86 87 /* 88 * esp_init() is called when an SPI is being set up. 89 */ 90 int 91 esp_init(struct tdb *tdbp, struct xformsw *xsp, struct ipsecinit *ii) 92 { 93 struct enc_xform *txform = NULL; 94 struct auth_hash *thash = NULL; 95 struct cryptoini cria, crie, crin; 96 97 if (!ii->ii_encalg && !ii->ii_authalg) { 98 DPRINTF(("esp_init(): neither authentication nor encryption " 99 "algorithm given")); 100 return EINVAL; 101 } 102 103 if (ii->ii_encalg) { 104 switch (ii->ii_encalg) { 105 case SADB_EALG_NULL: 106 txform = &enc_xform_null; 107 break; 108 109 case SADB_EALG_3DESCBC: 110 txform = &enc_xform_3des; 111 break; 112 113 case SADB_X_EALG_AES: 114 txform = &enc_xform_aes; 115 break; 116 117 case SADB_X_EALG_AESCTR: 118 txform = &enc_xform_aes_ctr; 119 break; 120 121 case SADB_X_EALG_AESGCM16: 122 txform = &enc_xform_aes_gcm; 123 break; 124 125 case SADB_X_EALG_AESGMAC: 126 txform = &enc_xform_aes_gmac; 127 break; 128 129 case SADB_X_EALG_CHACHA20POLY1305: 130 txform = &enc_xform_chacha20_poly1305; 131 break; 132 133 case SADB_X_EALG_BLF: 134 txform = &enc_xform_blf; 135 break; 136 137 case SADB_X_EALG_CAST: 138 txform = &enc_xform_cast5; 139 break; 140 141 default: 142 DPRINTF(("esp_init(): unsupported encryption " 143 "algorithm %d specified\n", ii->ii_encalg)); 144 return EINVAL; 145 } 146 147 if (ii->ii_enckeylen < txform->minkey) { 148 DPRINTF(("esp_init(): keylength %d too small " 149 "(min length is %d) for algorithm %s\n", 150 ii->ii_enckeylen, txform->minkey, txform->name)); 151 return EINVAL; 152 } 153 154 if (ii->ii_enckeylen > txform->maxkey) { 155 DPRINTF(("esp_init(): keylength %d too large " 156 "(max length is %d) for algorithm %s\n", 157 ii->ii_enckeylen, txform->maxkey, txform->name)); 158 return EINVAL; 159 } 160 161 if (ii->ii_encalg == SADB_X_EALG_AESGCM16 || 162 ii->ii_encalg == SADB_X_EALG_AESGMAC) { 163 switch (ii->ii_enckeylen) { 164 case 20: 165 ii->ii_authalg = SADB_X_AALG_AES128GMAC; 166 break; 167 case 28: 168 ii->ii_authalg = SADB_X_AALG_AES192GMAC; 169 break; 170 case 36: 171 ii->ii_authalg = SADB_X_AALG_AES256GMAC; 172 break; 173 } 174 ii->ii_authkeylen = ii->ii_enckeylen; 175 ii->ii_authkey = ii->ii_enckey; 176 } else if (ii->ii_encalg == SADB_X_EALG_CHACHA20POLY1305) { 177 ii->ii_authalg = SADB_X_AALG_CHACHA20POLY1305; 178 ii->ii_authkeylen = ii->ii_enckeylen; 179 ii->ii_authkey = ii->ii_enckey; 180 } 181 182 tdbp->tdb_encalgxform = txform; 183 184 DPRINTF(("esp_init(): initialized TDB with enc algorithm %s\n", 185 txform->name)); 186 187 tdbp->tdb_ivlen = txform->ivsize; 188 } 189 190 if (ii->ii_authalg) { 191 switch (ii->ii_authalg) { 192 case SADB_AALG_MD5HMAC: 193 thash = &auth_hash_hmac_md5_96; 194 break; 195 196 case SADB_AALG_SHA1HMAC: 197 thash = &auth_hash_hmac_sha1_96; 198 break; 199 200 case SADB_X_AALG_RIPEMD160HMAC: 201 thash = &auth_hash_hmac_ripemd_160_96; 202 break; 203 204 case SADB_X_AALG_SHA2_256: 205 thash = &auth_hash_hmac_sha2_256_128; 206 break; 207 208 case SADB_X_AALG_SHA2_384: 209 thash = &auth_hash_hmac_sha2_384_192; 210 break; 211 212 case SADB_X_AALG_SHA2_512: 213 thash = &auth_hash_hmac_sha2_512_256; 214 break; 215 216 case SADB_X_AALG_AES128GMAC: 217 thash = &auth_hash_gmac_aes_128; 218 break; 219 220 case SADB_X_AALG_AES192GMAC: 221 thash = &auth_hash_gmac_aes_192; 222 break; 223 224 case SADB_X_AALG_AES256GMAC: 225 thash = &auth_hash_gmac_aes_256; 226 break; 227 228 case SADB_X_AALG_CHACHA20POLY1305: 229 thash = &auth_hash_chacha20_poly1305; 230 break; 231 232 default: 233 DPRINTF(("esp_init(): unsupported authentication " 234 "algorithm %d specified\n", ii->ii_authalg)); 235 return EINVAL; 236 } 237 238 if (ii->ii_authkeylen != thash->keysize) { 239 DPRINTF(("esp_init(): keylength %d doesn't match " 240 "algorithm %s keysize (%d)\n", ii->ii_authkeylen, 241 thash->name, thash->keysize)); 242 return EINVAL; 243 } 244 245 tdbp->tdb_authalgxform = thash; 246 247 DPRINTF(("esp_init(): initialized TDB with hash algorithm %s\n", 248 thash->name)); 249 } 250 251 tdbp->tdb_xform = xsp; 252 tdbp->tdb_rpl = AH_HMAC_INITIAL_RPL; 253 254 /* Initialize crypto session */ 255 if (tdbp->tdb_encalgxform) { 256 /* Save the raw keys */ 257 tdbp->tdb_emxkeylen = ii->ii_enckeylen; 258 tdbp->tdb_emxkey = malloc(tdbp->tdb_emxkeylen, M_XDATA, 259 M_WAITOK); 260 memcpy(tdbp->tdb_emxkey, ii->ii_enckey, tdbp->tdb_emxkeylen); 261 262 memset(&crie, 0, sizeof(crie)); 263 264 crie.cri_alg = tdbp->tdb_encalgxform->type; 265 266 if (tdbp->tdb_authalgxform) 267 crie.cri_next = &cria; 268 else 269 crie.cri_next = NULL; 270 271 crie.cri_klen = ii->ii_enckeylen * 8; 272 crie.cri_key = ii->ii_enckey; 273 /* XXX Rounds ? */ 274 } 275 276 if (tdbp->tdb_authalgxform) { 277 /* Save the raw keys */ 278 tdbp->tdb_amxkeylen = ii->ii_authkeylen; 279 tdbp->tdb_amxkey = malloc(tdbp->tdb_amxkeylen, M_XDATA, 280 M_WAITOK); 281 memcpy(tdbp->tdb_amxkey, ii->ii_authkey, tdbp->tdb_amxkeylen); 282 283 memset(&cria, 0, sizeof(cria)); 284 285 cria.cri_alg = tdbp->tdb_authalgxform->type; 286 287 if ((tdbp->tdb_wnd > 0) && (tdbp->tdb_flags & TDBF_ESN)) { 288 memset(&crin, 0, sizeof(crin)); 289 crin.cri_alg = CRYPTO_ESN; 290 cria.cri_next = &crin; 291 } 292 293 cria.cri_klen = ii->ii_authkeylen * 8; 294 cria.cri_key = ii->ii_authkey; 295 } 296 297 return crypto_newsession(&tdbp->tdb_cryptoid, 298 (tdbp->tdb_encalgxform ? &crie : &cria), 0); 299 } 300 301 /* 302 * Paranoia. 303 */ 304 int 305 esp_zeroize(struct tdb *tdbp) 306 { 307 int err; 308 309 if (tdbp->tdb_amxkey) { 310 explicit_bzero(tdbp->tdb_amxkey, tdbp->tdb_amxkeylen); 311 free(tdbp->tdb_amxkey, M_XDATA, tdbp->tdb_amxkeylen); 312 tdbp->tdb_amxkey = NULL; 313 } 314 315 if (tdbp->tdb_emxkey) { 316 explicit_bzero(tdbp->tdb_emxkey, tdbp->tdb_emxkeylen); 317 free(tdbp->tdb_emxkey, M_XDATA, tdbp->tdb_emxkeylen); 318 tdbp->tdb_emxkey = NULL; 319 } 320 321 err = crypto_freesession(tdbp->tdb_cryptoid); 322 tdbp->tdb_cryptoid = 0; 323 return err; 324 } 325 326 #define MAXBUFSIZ (AH_ALEN_MAX > ESP_MAX_IVS ? AH_ALEN_MAX : ESP_MAX_IVS) 327 328 /* 329 * ESP input processing, called (eventually) through the protocol switch. 330 */ 331 int 332 esp_input(struct mbuf *m, struct tdb *tdb, int skip, int protoff) 333 { 334 struct auth_hash *esph = (struct auth_hash *) tdb->tdb_authalgxform; 335 struct enc_xform *espx = (struct enc_xform *) tdb->tdb_encalgxform; 336 struct cryptodesc *crde = NULL, *crda = NULL; 337 struct cryptop *crp = NULL; 338 struct tdb_crypto *tc = NULL; 339 int plen, alen, hlen, error; 340 u_int32_t btsx, esn; 341 u_int64_t ibytes; 342 #ifdef ENCDEBUG 343 char buf[INET6_ADDRSTRLEN]; 344 #endif 345 346 /* Determine the ESP header length */ 347 hlen = 2 * sizeof(u_int32_t) + tdb->tdb_ivlen; /* "new" ESP */ 348 alen = esph ? esph->authsize : 0; 349 plen = m->m_pkthdr.len - (skip + hlen + alen); 350 if (plen <= 0) { 351 DPRINTF(("%s: invalid payload length\n", __func__)); 352 espstat_inc(esps_badilen); 353 error = EINVAL; 354 goto drop; 355 } 356 357 if (espx) { 358 /* 359 * Verify payload length is multiple of encryption algorithm 360 * block size. 361 */ 362 if (plen & (espx->blocksize - 1)) { 363 DPRINTF(("%s: payload of %d octets not a multiple of %d" 364 " octets, SA %s/%08x\n", __func__, 365 plen, espx->blocksize, ipsp_address(&tdb->tdb_dst, 366 buf, sizeof(buf)), ntohl(tdb->tdb_spi))); 367 espstat_inc(esps_badilen); 368 error = EINVAL; 369 goto drop; 370 } 371 } 372 373 /* Replay window checking, if appropriate -- no value commitment. */ 374 if (tdb->tdb_wnd > 0) { 375 m_copydata(m, skip + sizeof(u_int32_t), sizeof(u_int32_t), 376 (unsigned char *) &btsx); 377 btsx = ntohl(btsx); 378 379 switch (checkreplaywindow(tdb, btsx, &esn, 0)) { 380 case 0: /* All's well */ 381 break; 382 case 1: 383 DPRINTF(("%s: replay counter wrapped for SA %s/%08x\n", 384 __func__, 385 ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)), 386 ntohl(tdb->tdb_spi))); 387 espstat_inc(esps_wrap); 388 error = EACCES; 389 goto drop; 390 case 2: 391 DPRINTF(("%s: old packet received in SA %s/%08x\n", 392 __func__, 393 ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)), 394 ntohl(tdb->tdb_spi))); 395 espstat_inc(esps_replay); 396 error = EACCES; 397 goto drop; 398 case 3: 399 DPRINTF(("%s: duplicate packet received" 400 " in SA %s/%08x\n", __func__, 401 ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)), 402 ntohl(tdb->tdb_spi))); 403 espstat_inc(esps_replay); 404 error = EACCES; 405 goto drop; 406 default: 407 DPRINTF(("%s: bogus value from" 408 " checkreplaywindow() in SA %s/%08x\n", 409 __func__, 410 ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)), 411 ntohl(tdb->tdb_spi))); 412 espstat_inc(esps_replay); 413 error = EACCES; 414 goto drop; 415 } 416 } 417 418 /* Update the counters */ 419 ibytes = m->m_pkthdr.len - skip - hlen - alen; 420 tdb->tdb_cur_bytes += ibytes; 421 tdb->tdb_ibytes += ibytes; 422 espstat_add(esps_ibytes, ibytes); 423 424 /* Hard expiration */ 425 if ((tdb->tdb_flags & TDBF_BYTES) && 426 (tdb->tdb_cur_bytes >= tdb->tdb_exp_bytes)) { 427 pfkeyv2_expire(tdb, SADB_EXT_LIFETIME_HARD); 428 tdb_delete(tdb); 429 error = ENXIO; 430 goto drop; 431 } 432 433 /* Notify on soft expiration */ 434 if ((tdb->tdb_flags & TDBF_SOFT_BYTES) && 435 (tdb->tdb_cur_bytes >= tdb->tdb_soft_bytes)) { 436 pfkeyv2_expire(tdb, SADB_EXT_LIFETIME_SOFT); 437 tdb->tdb_flags &= ~TDBF_SOFT_BYTES; /* Turn off checking */ 438 } 439 440 /* Get crypto descriptors */ 441 crp = crypto_getreq(esph && espx ? 2 : 1); 442 if (crp == NULL) { 443 DPRINTF(("%s: failed to acquire crypto descriptors\n", __func__)); 444 espstat_inc(esps_crypto); 445 error = ENOBUFS; 446 goto drop; 447 } 448 449 /* Get IPsec-specific opaque pointer */ 450 if (esph == NULL) 451 tc = malloc(sizeof(*tc), M_XDATA, M_NOWAIT | M_ZERO); 452 else 453 tc = malloc(sizeof(*tc) + alen, M_XDATA, M_NOWAIT | M_ZERO); 454 if (tc == NULL) { 455 DPRINTF(("%s: failed to allocate tdb_crypto\n", __func__)); 456 espstat_inc(esps_crypto); 457 error = ENOBUFS; 458 goto drop; 459 } 460 461 if (esph) { 462 crda = &crp->crp_desc[0]; 463 crde = &crp->crp_desc[1]; 464 465 /* Authentication descriptor */ 466 crda->crd_skip = skip; 467 crda->crd_inject = m->m_pkthdr.len - alen; 468 469 crda->crd_alg = esph->type; 470 crda->crd_key = tdb->tdb_amxkey; 471 crda->crd_klen = tdb->tdb_amxkeylen * 8; 472 473 if ((tdb->tdb_wnd > 0) && (tdb->tdb_flags & TDBF_ESN)) { 474 esn = htonl(esn); 475 memcpy(crda->crd_esn, &esn, 4); 476 crda->crd_flags |= CRD_F_ESN; 477 } 478 479 if (espx && 480 (espx->type == CRYPTO_AES_GCM_16 || 481 espx->type == CRYPTO_CHACHA20_POLY1305)) 482 crda->crd_len = hlen - tdb->tdb_ivlen; 483 else 484 crda->crd_len = m->m_pkthdr.len - (skip + alen); 485 486 /* Copy the authenticator */ 487 m_copydata(m, m->m_pkthdr.len - alen, alen, (caddr_t)(tc + 1)); 488 } else 489 crde = &crp->crp_desc[0]; 490 491 /* Crypto operation descriptor */ 492 crp->crp_ilen = m->m_pkthdr.len; /* Total input length */ 493 crp->crp_flags = CRYPTO_F_IMBUF; 494 crp->crp_buf = (caddr_t)m; 495 crp->crp_callback = ipsec_input_cb; 496 crp->crp_sid = tdb->tdb_cryptoid; 497 crp->crp_opaque = (caddr_t)tc; 498 499 /* These are passed as-is to the callback */ 500 tc->tc_skip = skip; 501 tc->tc_protoff = protoff; 502 tc->tc_spi = tdb->tdb_spi; 503 tc->tc_proto = tdb->tdb_sproto; 504 tc->tc_rdomain = tdb->tdb_rdomain; 505 tc->tc_dst = tdb->tdb_dst; 506 507 /* Decryption descriptor */ 508 if (espx) { 509 crde->crd_skip = skip + hlen; 510 crde->crd_inject = skip + hlen - tdb->tdb_ivlen; 511 crde->crd_alg = espx->type; 512 crde->crd_key = tdb->tdb_emxkey; 513 crde->crd_klen = tdb->tdb_emxkeylen * 8; 514 /* XXX Rounds ? */ 515 516 if (crde->crd_alg == CRYPTO_AES_GMAC) 517 crde->crd_len = 0; 518 else 519 crde->crd_len = m->m_pkthdr.len - (skip + hlen + alen); 520 } 521 522 return crypto_dispatch(crp); 523 524 drop: 525 m_freem(m); 526 crypto_freereq(crp); 527 free(tc, M_XDATA, 0); 528 return error; 529 } 530 531 /* 532 * ESP input callback, called directly by the crypto driver. 533 */ 534 int 535 esp_input_cb(struct tdb *tdb, struct tdb_crypto *tc, struct mbuf *m, int clen) 536 { 537 u_int8_t lastthree[3], aalg[AH_HMAC_MAX_HASHLEN]; 538 int hlen, roff, skip, protoff; 539 struct mbuf *m1, *mo; 540 struct auth_hash *esph; 541 u_int32_t btsx, esn; 542 caddr_t ptr; 543 #ifdef ENCDEBUG 544 char buf[INET6_ADDRSTRLEN]; 545 #endif 546 547 skip = tc->tc_skip; 548 protoff = tc->tc_protoff; 549 550 NET_ASSERT_LOCKED(); 551 552 esph = (struct auth_hash *) tdb->tdb_authalgxform; 553 554 /* If authentication was performed, check now. */ 555 if (esph != NULL) { 556 /* Copy the authenticator from the packet */ 557 m_copydata(m, m->m_pkthdr.len - esph->authsize, 558 esph->authsize, aalg); 559 560 ptr = (caddr_t) (tc + 1); 561 562 /* Verify authenticator */ 563 if (timingsafe_bcmp(ptr, aalg, esph->authsize)) { 564 DPRINTF(("%s: authentication " 565 "failed for packet in SA %s/%08x\n", __func__, 566 ipsp_address(&tdb->tdb_dst, buf, 567 sizeof(buf)), ntohl(tdb->tdb_spi))); 568 espstat_inc(esps_badauth); 569 goto baddone; 570 } 571 572 /* Remove trailing authenticator */ 573 m_adj(m, -(esph->authsize)); 574 } 575 576 /* Replay window checking, if appropriate */ 577 if (tdb->tdb_wnd > 0) { 578 m_copydata(m, skip + sizeof(u_int32_t), sizeof(u_int32_t), 579 (unsigned char *) &btsx); 580 btsx = ntohl(btsx); 581 582 switch (checkreplaywindow(tdb, btsx, &esn, 1)) { 583 case 0: /* All's well */ 584 #if NPFSYNC > 0 585 pfsync_update_tdb(tdb,0); 586 #endif 587 break; 588 589 case 1: 590 DPRINTF(("%s: replay counter wrapped for SA %s/%08x\n", 591 __func__, 592 ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)), 593 ntohl(tdb->tdb_spi))); 594 espstat_inc(esps_wrap); 595 goto baddone; 596 case 2: 597 DPRINTF(("%s: old packet received in SA %s/%08x\n", 598 __func__, 599 ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)), 600 ntohl(tdb->tdb_spi))); 601 espstat_inc(esps_replay); 602 goto baddone; 603 case 3: 604 DPRINTF(("%s: duplicate packet received" 605 " in SA %s/%08x\n", __func__, 606 ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)), 607 ntohl(tdb->tdb_spi))); 608 espstat_inc(esps_replay); 609 goto baddone; 610 default: 611 DPRINTF(("%s: bogus value from" 612 " checkreplaywindow() in SA %s/%08x\n", __func__, 613 ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)), 614 ntohl(tdb->tdb_spi))); 615 espstat_inc(esps_replay); 616 goto baddone; 617 } 618 } 619 620 /* Determine the ESP header length */ 621 hlen = 2 * sizeof(u_int32_t) + tdb->tdb_ivlen; 622 623 /* Find beginning of ESP header */ 624 m1 = m_getptr(m, skip, &roff); 625 if (m1 == NULL) { 626 DPRINTF(("%s: bad mbuf chain, SA %s/%08x\n", __func__, 627 ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)), 628 ntohl(tdb->tdb_spi))); 629 espstat_inc(esps_hdrops); 630 goto baddone; 631 } 632 633 /* Remove the ESP header and IV from the mbuf. */ 634 if (roff == 0) { 635 /* The ESP header was conveniently at the beginning of the mbuf */ 636 m_adj(m1, hlen); 637 /* 638 * If m1 is the first mbuf, it has set M_PKTHDR and m_adj() 639 * has already adjusted the packet header length for us. 640 */ 641 if (m1 != m) 642 m->m_pkthdr.len -= hlen; 643 } else if (roff + hlen >= m1->m_len) { 644 int adjlen; 645 646 /* 647 * Part or all of the ESP header is at the end of this mbuf, so 648 * first let's remove the remainder of the ESP header from the 649 * beginning of the remainder of the mbuf chain, if any. 650 */ 651 if (roff + hlen > m1->m_len) { 652 adjlen = roff + hlen - m1->m_len; 653 654 /* Adjust the next mbuf by the remainder */ 655 m_adj(m1->m_next, adjlen); 656 657 /* The second mbuf is guaranteed not to have a pkthdr */ 658 m->m_pkthdr.len -= adjlen; 659 } 660 661 /* Now, let's unlink the mbuf chain for a second...*/ 662 mo = m1->m_next; 663 m1->m_next = NULL; 664 665 /* ...and trim the end of the first part of the chain...sick */ 666 adjlen = m1->m_len - roff; 667 m_adj(m1, -adjlen); 668 /* 669 * If m1 is the first mbuf, it has set M_PKTHDR and m_adj() 670 * has already adjusted the packet header length for us. 671 */ 672 if (m1 != m) 673 m->m_pkthdr.len -= adjlen; 674 675 /* Finally, let's relink */ 676 m1->m_next = mo; 677 } else { 678 /* 679 * The ESP header lies in the "middle" of the mbuf...do an 680 * overlapping copy of the remainder of the mbuf over the ESP 681 * header. 682 */ 683 memmove(mtod(m1, u_char *) + roff, 684 mtod(m1, u_char *) + roff + hlen, 685 m1->m_len - (roff + hlen)); 686 m1->m_len -= hlen; 687 m->m_pkthdr.len -= hlen; 688 } 689 690 /* Save the last three bytes of decrypted data */ 691 m_copydata(m, m->m_pkthdr.len - 3, 3, lastthree); 692 693 /* Verify pad length */ 694 if (lastthree[1] + 2 > m->m_pkthdr.len - skip) { 695 DPRINTF(("%s: invalid padding length %d for packet in " 696 "SA %s/%08x\n", __func__, lastthree[1], 697 ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)), 698 ntohl(tdb->tdb_spi))); 699 espstat_inc(esps_badilen); 700 goto baddone; 701 } 702 703 /* Verify correct decryption by checking the last padding bytes */ 704 if ((lastthree[1] != lastthree[0]) && (lastthree[1] != 0)) { 705 DPRINTF(("%s: decryption failed for packet in SA %s/%08x\n", 706 __func__, ipsp_address(&tdb->tdb_dst, buf, 707 sizeof(buf)), ntohl(tdb->tdb_spi))); 708 espstat_inc(esps_badenc); 709 goto baddone; 710 } 711 712 /* Trim the mbuf chain to remove the trailing authenticator and padding */ 713 m_adj(m, -(lastthree[1] + 2)); 714 715 /* Restore the Next Protocol field */ 716 m_copyback(m, protoff, sizeof(u_int8_t), lastthree + 2, M_NOWAIT); 717 718 /* Release the crypto descriptors */ 719 free(tc, M_XDATA, 0); 720 721 /* Back to generic IPsec input processing */ 722 return ipsec_common_input_cb(m, tdb, skip, protoff); 723 724 baddone: 725 m_freem(m); 726 free(tc, M_XDATA, 0); 727 return -1; 728 } 729 730 /* 731 * ESP output routine, called by ipsp_process_packet(). 732 */ 733 int 734 esp_output(struct mbuf *m, struct tdb *tdb, struct mbuf **mp, int skip, 735 int protoff) 736 { 737 struct enc_xform *espx = (struct enc_xform *) tdb->tdb_encalgxform; 738 struct auth_hash *esph = (struct auth_hash *) tdb->tdb_authalgxform; 739 int ilen, hlen, rlen, padding, blks, alen, roff, error; 740 u_int32_t replay; 741 struct mbuf *mi, *mo = (struct mbuf *) NULL; 742 struct tdb_crypto *tc = NULL; 743 unsigned char *pad; 744 u_int8_t prot; 745 #ifdef ENCDEBUG 746 char buf[INET6_ADDRSTRLEN]; 747 #endif 748 struct cryptodesc *crde = NULL, *crda = NULL; 749 struct cryptop *crp = NULL; 750 #if NBPFILTER > 0 751 struct ifnet *encif; 752 753 if ((encif = enc_getif(tdb->tdb_rdomain, tdb->tdb_tap)) != NULL) { 754 encif->if_opackets++; 755 encif->if_obytes += m->m_pkthdr.len; 756 757 if (encif->if_bpf) { 758 struct enchdr hdr; 759 760 memset(&hdr, 0, sizeof(hdr)); 761 762 hdr.af = tdb->tdb_dst.sa.sa_family; 763 hdr.spi = tdb->tdb_spi; 764 if (espx) 765 hdr.flags |= M_CONF; 766 if (esph) 767 hdr.flags |= M_AUTH; 768 769 bpf_mtap_hdr(encif->if_bpf, (char *)&hdr, 770 ENC_HDRLEN, m, BPF_DIRECTION_OUT); 771 } 772 } 773 #endif 774 775 hlen = 2 * sizeof(u_int32_t) + tdb->tdb_ivlen; 776 777 rlen = m->m_pkthdr.len - skip; /* Raw payload length. */ 778 if (espx) 779 blks = MAX(espx->blocksize, 4); 780 else 781 blks = 4; /* If no encryption, we have to be 4-byte aligned. */ 782 783 padding = ((blks - ((rlen + 2) % blks)) % blks) + 2; 784 785 alen = esph ? esph->authsize : 0; 786 espstat_inc(esps_output); 787 788 switch (tdb->tdb_dst.sa.sa_family) { 789 case AF_INET: 790 /* Check for IP maximum packet size violations. */ 791 if (skip + hlen + rlen + padding + alen > IP_MAXPACKET) { 792 DPRINTF(("%s: packet in SA %s/%08x got too big\n", 793 __func__, ipsp_address(&tdb->tdb_dst, buf, 794 sizeof(buf)), 795 ntohl(tdb->tdb_spi))); 796 espstat_inc(esps_toobig); 797 error = EMSGSIZE; 798 goto drop; 799 } 800 break; 801 802 #ifdef INET6 803 case AF_INET6: 804 /* Check for IPv6 maximum packet size violations. */ 805 if (skip + hlen + rlen + padding + alen > IPV6_MAXPACKET) { 806 DPRINTF(("%s: packet in SA %s/%08x got too big\n", 807 __func__, ipsp_address(&tdb->tdb_dst, buf, 808 sizeof(buf)), ntohl(tdb->tdb_spi))); 809 espstat_inc(esps_toobig); 810 error = EMSGSIZE; 811 goto drop; 812 } 813 break; 814 #endif /* INET6 */ 815 816 default: 817 DPRINTF(("%s: unknown/unsupported protocol family %d, " 818 "SA %s/%08x\n", __func__, tdb->tdb_dst.sa.sa_family, 819 ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)), 820 ntohl(tdb->tdb_spi))); 821 espstat_inc(esps_nopf); 822 error = EPFNOSUPPORT; 823 goto drop; 824 } 825 826 /* Update the counters. */ 827 tdb->tdb_cur_bytes += m->m_pkthdr.len - skip; 828 espstat_add(esps_obytes, m->m_pkthdr.len - skip); 829 830 /* Hard byte expiration. */ 831 if (tdb->tdb_flags & TDBF_BYTES && 832 tdb->tdb_cur_bytes >= tdb->tdb_exp_bytes) { 833 pfkeyv2_expire(tdb, SADB_EXT_LIFETIME_HARD); 834 tdb_delete(tdb); 835 error = EINVAL; 836 goto drop; 837 } 838 839 /* Soft byte expiration. */ 840 if (tdb->tdb_flags & TDBF_SOFT_BYTES && 841 tdb->tdb_cur_bytes >= tdb->tdb_soft_bytes) { 842 pfkeyv2_expire(tdb, SADB_EXT_LIFETIME_SOFT); 843 tdb->tdb_flags &= ~TDBF_SOFT_BYTES; /* Turn off checking. */ 844 } 845 846 /* 847 * Loop through mbuf chain; if we find a readonly mbuf, 848 * copy the packet. 849 */ 850 mi = m; 851 while (mi != NULL && !M_READONLY(mi)) 852 mi = mi->m_next; 853 854 if (mi != NULL) { 855 struct mbuf *n = m_dup_pkt(m, 0, M_DONTWAIT); 856 857 if (n == NULL) { 858 DPRINTF(("%s: bad mbuf chain, SA %s/%08x\n", __func__, 859 ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)), 860 ntohl(tdb->tdb_spi))); 861 espstat_inc(esps_hdrops); 862 error = ENOBUFS; 863 goto drop; 864 } 865 866 m_freem(m); 867 m = n; 868 } 869 870 /* Inject ESP header. */ 871 mo = m_makespace(m, skip, hlen, &roff); 872 if (mo == NULL) { 873 DPRINTF(("%s: failed to inject ESP header for SA %s/%08x\n", 874 __func__, ipsp_address(&tdb->tdb_dst, buf, 875 sizeof(buf)), ntohl(tdb->tdb_spi))); 876 espstat_inc(esps_hdrops); 877 error = ENOBUFS; 878 goto drop; 879 } 880 881 /* Initialize ESP header. */ 882 memcpy(mtod(mo, caddr_t) + roff, (caddr_t) &tdb->tdb_spi, 883 sizeof(u_int32_t)); 884 tdb->tdb_rpl++; 885 replay = htonl((u_int32_t)tdb->tdb_rpl); 886 memcpy(mtod(mo, caddr_t) + roff + sizeof(u_int32_t), (caddr_t) &replay, 887 sizeof(u_int32_t)); 888 889 #if NPFSYNC > 0 890 pfsync_update_tdb(tdb,1); 891 #endif 892 893 /* 894 * Add padding -- better to do it ourselves than use the crypto engine, 895 * although if/when we support compression, we'd have to do that. 896 */ 897 mo = m_makespace(m, m->m_pkthdr.len, padding + alen, &roff); 898 if (mo == NULL) { 899 DPRINTF(("%s: m_makespace() failed for SA %s/%08x\n", __func__, 900 ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)), 901 ntohl(tdb->tdb_spi))); 902 espstat_inc(esps_hdrops); 903 error = ENOBUFS; 904 goto drop; 905 } 906 pad = mtod(mo, caddr_t) + roff; 907 908 /* Apply self-describing padding */ 909 for (ilen = 0; ilen < padding - 2; ilen++) 910 pad[ilen] = ilen + 1; 911 912 /* Fix padding length and Next Protocol in padding itself. */ 913 pad[padding - 2] = padding - 2; 914 m_copydata(m, protoff, sizeof(u_int8_t), pad + padding - 1); 915 916 /* Fix Next Protocol in IPv4/IPv6 header. */ 917 prot = IPPROTO_ESP; 918 m_copyback(m, protoff, sizeof(u_int8_t), &prot, M_NOWAIT); 919 920 /* Get crypto descriptors. */ 921 crp = crypto_getreq(esph && espx ? 2 : 1); 922 if (crp == NULL) { 923 DPRINTF(("%s: failed to acquire crypto descriptors\n", 924 __func__)); 925 espstat_inc(esps_crypto); 926 error = ENOBUFS; 927 goto drop; 928 } 929 930 if (espx) { 931 crde = &crp->crp_desc[0]; 932 crda = &crp->crp_desc[1]; 933 934 /* Encryption descriptor. */ 935 crde->crd_skip = skip + hlen; 936 crde->crd_flags = CRD_F_ENCRYPT; 937 crde->crd_inject = skip + hlen - tdb->tdb_ivlen; 938 939 /* Encryption operation. */ 940 crde->crd_alg = espx->type; 941 crde->crd_key = tdb->tdb_emxkey; 942 crde->crd_klen = tdb->tdb_emxkeylen * 8; 943 /* XXX Rounds ? */ 944 945 if (crde->crd_alg == CRYPTO_AES_GMAC) 946 crde->crd_len = 0; 947 else 948 crde->crd_len = m->m_pkthdr.len - (skip + hlen + alen); 949 } else 950 crda = &crp->crp_desc[0]; 951 952 /* IPsec-specific opaque crypto info. */ 953 tc = malloc(sizeof(*tc), M_XDATA, M_NOWAIT | M_ZERO); 954 if (tc == NULL) { 955 DPRINTF(("%s: failed to allocate tdb_crypto\n", __func__)); 956 espstat_inc(esps_crypto); 957 error = ENOBUFS; 958 goto drop; 959 } 960 961 tc->tc_spi = tdb->tdb_spi; 962 tc->tc_proto = tdb->tdb_sproto; 963 tc->tc_rdomain = tdb->tdb_rdomain; 964 tc->tc_dst = tdb->tdb_dst; 965 966 /* Crypto operation descriptor. */ 967 crp->crp_ilen = m->m_pkthdr.len; /* Total input length. */ 968 crp->crp_flags = CRYPTO_F_IMBUF; 969 crp->crp_buf = (caddr_t)m; 970 crp->crp_callback = ipsec_output_cb; 971 crp->crp_opaque = (caddr_t)tc; 972 crp->crp_sid = tdb->tdb_cryptoid; 973 974 if (esph) { 975 /* Authentication descriptor. */ 976 crda->crd_skip = skip; 977 crda->crd_inject = m->m_pkthdr.len - alen; 978 979 /* Authentication operation. */ 980 crda->crd_alg = esph->type; 981 crda->crd_key = tdb->tdb_amxkey; 982 crda->crd_klen = tdb->tdb_amxkeylen * 8; 983 984 if ((tdb->tdb_wnd > 0) && (tdb->tdb_flags & TDBF_ESN)) { 985 u_int32_t esn; 986 987 esn = htonl((u_int32_t)(tdb->tdb_rpl >> 32)); 988 memcpy(crda->crd_esn, &esn, 4); 989 crda->crd_flags |= CRD_F_ESN; 990 } 991 992 if (espx && 993 (espx->type == CRYPTO_AES_GCM_16 || 994 espx->type == CRYPTO_CHACHA20_POLY1305)) 995 crda->crd_len = hlen - tdb->tdb_ivlen; 996 else 997 crda->crd_len = m->m_pkthdr.len - (skip + alen); 998 } 999 1000 return crypto_dispatch(crp); 1001 1002 drop: 1003 m_freem(m); 1004 crypto_freereq(crp); 1005 free(tc, M_XDATA, 0); 1006 return error; 1007 } 1008 1009 int 1010 esp_output_cb(struct tdb *tdb, struct tdb_crypto *tc, struct mbuf *m, int ilen, 1011 int olen) 1012 { 1013 /* Release crypto descriptors. */ 1014 free(tc, M_XDATA, 0); 1015 1016 /* Call the IPsec input callback. */ 1017 if (ipsp_process_done(m, tdb)) { 1018 espstat_inc(esps_outfail); 1019 return -1; 1020 } 1021 1022 return 0; 1023 } 1024 1025 #define SEEN_SIZE howmany(TDB_REPLAYMAX, 32) 1026 1027 /* 1028 * return 0 on success 1029 * return 1 for counter == 0 1030 * return 2 for very old packet 1031 * return 3 for packet within current window but already received 1032 */ 1033 int 1034 checkreplaywindow(struct tdb *tdb, u_int32_t seq, u_int32_t *seqh, int commit) 1035 { 1036 u_int32_t tl, th, wl; 1037 u_int32_t packet, window = TDB_REPLAYMAX - TDB_REPLAYWASTE; 1038 int idx, esn = tdb->tdb_flags & TDBF_ESN; 1039 1040 tl = (u_int32_t)tdb->tdb_rpl; 1041 th = (u_int32_t)(tdb->tdb_rpl >> 32); 1042 1043 /* Zero SN is not allowed */ 1044 if ((esn && seq == 0 && tl <= AH_HMAC_INITIAL_RPL && th == 0) || 1045 (!esn && seq == 0)) 1046 return (1); 1047 1048 if (th == 0 && tl < window) 1049 window = tl; 1050 /* Current replay window starts here */ 1051 wl = tl - window + 1; 1052 1053 idx = (seq % TDB_REPLAYMAX) / 32; 1054 packet = 1 << (31 - (seq & 31)); 1055 1056 /* 1057 * We keep the high part intact when: 1058 * 1) the SN is within [wl, 0xffffffff] and the whole window is 1059 * within one subspace; 1060 * 2) the SN is within [0, wl) and window spans two subspaces. 1061 */ 1062 if ((tl >= window - 1 && seq >= wl) || 1063 (tl < window - 1 && seq < wl)) { 1064 *seqh = th; 1065 if (seq > tl) { 1066 if (commit) { 1067 if (seq - tl > window) 1068 memset(tdb->tdb_seen, 0, 1069 sizeof(tdb->tdb_seen)); 1070 else { 1071 int i = (tl % TDB_REPLAYMAX) / 32; 1072 1073 while (i != idx) { 1074 i = (i + 1) % SEEN_SIZE; 1075 tdb->tdb_seen[i] = 0; 1076 } 1077 } 1078 tdb->tdb_seen[idx] |= packet; 1079 tdb->tdb_rpl = ((u_int64_t)*seqh << 32) | seq; 1080 } 1081 } else { 1082 if (tl - seq >= window) 1083 return (2); 1084 if (tdb->tdb_seen[idx] & packet) 1085 return (3); 1086 if (commit) 1087 tdb->tdb_seen[idx] |= packet; 1088 } 1089 return (0); 1090 } 1091 1092 /* Can't wrap if not doing ESN */ 1093 if (!esn) 1094 return (2); 1095 1096 /* 1097 * SN is within [wl, 0xffffffff] and wl is within 1098 * [0xffffffff-window, 0xffffffff]. This means we got a SN 1099 * which is within our replay window, but in the previous 1100 * subspace. 1101 */ 1102 if (tl < window - 1 && seq >= wl) { 1103 if (tdb->tdb_seen[idx] & packet) 1104 return (3); 1105 *seqh = th - 1; 1106 if (commit) 1107 tdb->tdb_seen[idx] |= packet; 1108 return (0); 1109 } 1110 1111 /* 1112 * SN has wrapped and the last authenticated SN is in the old 1113 * subspace. 1114 */ 1115 *seqh = th + 1; 1116 if (*seqh == 0) /* Don't let high bit to wrap */ 1117 return (1); 1118 if (commit) { 1119 if (seq - tl > window) 1120 memset(tdb->tdb_seen, 0, sizeof(tdb->tdb_seen)); 1121 else { 1122 int i = (tl % TDB_REPLAYMAX) / 32; 1123 1124 while (i != idx) { 1125 i = (i + 1) % SEEN_SIZE; 1126 tdb->tdb_seen[i] = 0; 1127 } 1128 } 1129 tdb->tdb_seen[idx] |= packet; 1130 tdb->tdb_rpl = ((u_int64_t)*seqh << 32) | seq; 1131 } 1132 1133 return (0); 1134 } 1135