1 /* $NetBSD: xform_esp.c,v 1.22 2009/03/20 05:30:27 cegger Exp $ */ 2 /* $FreeBSD: src/sys/netipsec/xform_esp.c,v 1.2.2.1 2003/01/24 05:11:36 sam Exp $ */ 3 /* $OpenBSD: ip_esp.c,v 1.69 2001/06/26 06:18:59 angelos Exp $ */ 4 5 /* 6 * The authors of this code are John Ioannidis (ji@tla.org), 7 * Angelos D. Keromytis (kermit@csd.uch.gr) and 8 * Niels Provos (provos@physnet.uni-hamburg.de). 9 * 10 * The original version of this code was written by John Ioannidis 11 * for BSD/OS in Athens, Greece, in November 1995. 12 * 13 * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996, 14 * by Angelos D. Keromytis. 15 * 16 * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis 17 * and Niels Provos. 18 * 19 * Additional features in 1999 by Angelos D. Keromytis. 20 * 21 * Copyright (C) 1995, 1996, 1997, 1998, 1999 by John Ioannidis, 22 * Angelos D. Keromytis and Niels Provos. 23 * Copyright (c) 2001 Angelos D. Keromytis. 24 * 25 * Permission to use, copy, and modify this software with or without fee 26 * is hereby granted, provided that this entire notice is included in 27 * all copies of any software which is or includes a copy or 28 * modification of this software. 29 * You may use this code under the GNU public license if you so wish. Please 30 * contribute changes back to the authors under this freer than GPL license 31 * so that we may further the use of strong encryption without limitations to 32 * all. 33 * 34 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR 35 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY 36 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE 37 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR 38 * PURPOSE. 39 */ 40 41 #include <sys/cdefs.h> 42 __KERNEL_RCSID(0, "$NetBSD: xform_esp.c,v 1.22 2009/03/20 05:30:27 cegger Exp $"); 43 44 #include "opt_inet.h" 45 #ifdef __FreeBSD__ 46 #include "opt_inet6.h" 47 #endif 48 49 #include <sys/param.h> 50 #include <sys/systm.h> 51 #include <sys/mbuf.h> 52 #include <sys/socket.h> 53 #include <sys/syslog.h> 54 #include <sys/kernel.h> 55 /*#include <sys/random.h>*/ 56 #include <sys/sysctl.h> 57 58 #include <net/if.h> 59 60 #include <netinet/in.h> 61 #include <netinet/in_systm.h> 62 #include <netinet/ip.h> 63 #include <netinet/ip_ecn.h> 64 #include <netinet/ip6.h> 65 66 #include <net/route.h> 67 #include <netipsec/ipsec.h> 68 #include <netipsec/ipsec_private.h> 69 #include <netipsec/ah.h> 70 #include <netipsec/ah_var.h> 71 #include <netipsec/esp.h> 72 #include <netipsec/esp_var.h> 73 #include <netipsec/xform.h> 74 75 #ifdef INET6 76 #include <netinet6/ip6_var.h> 77 #include <netipsec/ipsec6.h> 78 # ifdef __FreeBSD__ 79 # include <netinet6/ip6_ecn.h> 80 # endif 81 #endif 82 83 #include <netipsec/key.h> 84 #include <netipsec/key_debug.h> 85 86 #include <netipsec/ipsec_osdep.h> 87 88 #include <opencrypto/cryptodev.h> 89 #include <opencrypto/xform.h> 90 91 percpu_t *espstat_percpu; 92 93 int esp_enable = 1; 94 95 #ifdef __FreeBSD__ 96 SYSCTL_DECL(_net_inet_esp); 97 SYSCTL_INT(_net_inet_esp, OID_AUTO, 98 esp_enable, CTLFLAG_RW, &esp_enable, 0, ""); 99 SYSCTL_STRUCT(_net_inet_esp, IPSECCTL_STATS, 100 stats, CTLFLAG_RD, &espstat, espstat, ""); 101 #endif /* __FreeBSD__ */ 102 103 static int esp_max_ivlen; /* max iv length over all algorithms */ 104 105 static int esp_input_cb(struct cryptop *op); 106 static int esp_output_cb(struct cryptop *crp); 107 108 /* 109 * NB: this is public for use by the PF_KEY support. 110 * NB: if you add support here; be sure to add code to esp_attach below! 111 */ 112 struct enc_xform * 113 esp_algorithm_lookup(int alg) 114 { 115 if (alg >= ESP_ALG_MAX) 116 return NULL; 117 switch (alg) { 118 case SADB_EALG_DESCBC: 119 return &enc_xform_des; 120 case SADB_EALG_3DESCBC: 121 return &enc_xform_3des; 122 case SADB_X_EALG_AES: 123 return &enc_xform_rijndael128; 124 case SADB_X_EALG_BLOWFISHCBC: 125 return &enc_xform_blf; 126 case SADB_X_EALG_CAST128CBC: 127 return &enc_xform_cast5; 128 case SADB_X_EALG_SKIPJACK: 129 return &enc_xform_skipjack; 130 case SADB_EALG_NULL: 131 return &enc_xform_null; 132 } 133 return NULL; 134 } 135 136 size_t 137 esp_hdrsiz(struct secasvar *sav) 138 { 139 size_t size; 140 141 if (sav != NULL) { 142 /*XXX not right for null algorithm--does it matter??*/ 143 IPSEC_ASSERT(sav->tdb_encalgxform != NULL, 144 ("esp_hdrsiz: SA with null xform")); 145 if (sav->flags & SADB_X_EXT_OLD) 146 size = sizeof (struct esp); 147 else 148 size = sizeof (struct newesp); 149 size += sav->tdb_encalgxform->blocksize + 9; 150 /*XXX need alg check???*/ 151 if (sav->tdb_authalgxform != NULL && sav->replay) 152 size += ah_hdrsiz(sav); 153 } else { 154 /* 155 * base header size 156 * + max iv length for CBC mode 157 * + max pad length 158 * + sizeof (pad length field) 159 * + sizeof (next header field) 160 * + max icv supported. 161 */ 162 size = sizeof (struct newesp) + esp_max_ivlen + 9 + 16; 163 } 164 return size; 165 } 166 167 /* 168 * esp_init() is called when an SPI is being set up. 169 */ 170 static int 171 esp_init(struct secasvar *sav, struct xformsw *xsp) 172 { 173 struct enc_xform *txform; 174 struct cryptoini cria, crie; 175 int keylen; 176 int error; 177 178 txform = esp_algorithm_lookup(sav->alg_enc); 179 if (txform == NULL) { 180 DPRINTF(("esp_init: unsupported encryption algorithm %d\n", 181 sav->alg_enc)); 182 return EINVAL; 183 } 184 if (sav->key_enc == NULL) { 185 DPRINTF(("esp_init: no encoding key for %s algorithm\n", 186 txform->name)); 187 return EINVAL; 188 } 189 if ((sav->flags&(SADB_X_EXT_OLD|SADB_X_EXT_IV4B)) == SADB_X_EXT_IV4B) { 190 DPRINTF(("esp_init: 4-byte IV not supported with protocol\n")); 191 return EINVAL; 192 } 193 keylen = _KEYLEN(sav->key_enc); 194 if (txform->minkey > keylen || keylen > txform->maxkey) { 195 DPRINTF(("esp_init: invalid key length %u, must be in " 196 "the range [%u..%u] for algorithm %s\n", 197 keylen, txform->minkey, txform->maxkey, 198 txform->name)); 199 return EINVAL; 200 } 201 202 /* 203 * NB: The null xform needs a non-zero blocksize to keep the 204 * crypto code happy but if we use it to set ivlen then 205 * the ESP header will be processed incorrectly. The 206 * compromise is to force it to zero here. 207 */ 208 sav->ivlen = (txform == &enc_xform_null ? 0 : txform->blocksize); 209 sav->iv = malloc(sav->ivlen, M_SECA, M_WAITOK); 210 if (sav->iv == NULL) { 211 DPRINTF(("esp_init: no memory for IV\n")); 212 return EINVAL; 213 } 214 key_randomfill(sav->iv, sav->ivlen); /*XXX*/ 215 216 /* 217 * Setup AH-related state. 218 */ 219 if (sav->alg_auth != 0) { 220 error = ah_init0(sav, xsp, &cria); 221 if (error) 222 return error; 223 } 224 225 /* NB: override anything set in ah_init0 */ 226 sav->tdb_xform = xsp; 227 sav->tdb_encalgxform = txform; 228 229 /* Initialize crypto session. */ 230 memset(&crie, 0, sizeof (crie)); 231 crie.cri_alg = sav->tdb_encalgxform->type; 232 crie.cri_klen = _KEYBITS(sav->key_enc); 233 crie.cri_key = _KEYBUF(sav->key_enc); 234 /* XXX Rounds ? */ 235 236 mutex_spin_enter(&crypto_mtx); 237 if (sav->tdb_authalgxform && sav->tdb_encalgxform) { 238 /* init both auth & enc */ 239 crie.cri_next = &cria; 240 error = crypto_newsession(&sav->tdb_cryptoid, 241 &crie, crypto_support); 242 } else if (sav->tdb_encalgxform) { 243 error = crypto_newsession(&sav->tdb_cryptoid, 244 &crie, crypto_support); 245 } else if (sav->tdb_authalgxform) { 246 error = crypto_newsession(&sav->tdb_cryptoid, 247 &cria, crypto_support); 248 } else { 249 /* XXX cannot happen? */ 250 DPRINTF(("esp_init: no encoding OR authentication xform!\n")); 251 error = EINVAL; 252 } 253 mutex_spin_exit(&crypto_mtx); 254 return error; 255 } 256 257 /* 258 * Paranoia. 259 */ 260 static int 261 esp_zeroize(struct secasvar *sav) 262 { 263 /* NB: ah_zerorize free's the crypto session state */ 264 int error = ah_zeroize(sav); 265 266 if (sav->key_enc) 267 memset(_KEYBUF(sav->key_enc), 0, _KEYLEN(sav->key_enc)); 268 /* NB: sav->iv is freed elsewhere, even though we malloc it! */ 269 sav->tdb_encalgxform = NULL; 270 sav->tdb_xform = NULL; 271 return error; 272 } 273 274 /* 275 * ESP input processing, called (eventually) through the protocol switch. 276 */ 277 static int 278 esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff) 279 { 280 struct auth_hash *esph; 281 struct enc_xform *espx; 282 struct tdb_ident *tdbi; 283 struct tdb_crypto *tc; 284 int plen, alen, hlen; 285 struct m_tag *mtag; 286 struct newesp *esp; 287 288 struct cryptodesc *crde; 289 struct cryptop *crp; 290 291 IPSEC_SPLASSERT_SOFTNET("esp_input"); 292 293 IPSEC_ASSERT(sav != NULL, ("esp_input: null SA")); 294 IPSEC_ASSERT(sav->tdb_encalgxform != NULL, 295 ("esp_input: null encoding xform")); 296 IPSEC_ASSERT((skip&3) == 0 && (m->m_pkthdr.len&3) == 0, 297 ("esp_input: misaligned packet, skip %u pkt len %u", 298 skip, m->m_pkthdr.len)); 299 300 /* XXX don't pullup, just copy header */ 301 IP6_EXTHDR_GET(esp, struct newesp *, m, skip, sizeof (struct newesp)); 302 303 esph = sav->tdb_authalgxform; 304 espx = sav->tdb_encalgxform; 305 306 /* Determine the ESP header length */ 307 if (sav->flags & SADB_X_EXT_OLD) 308 hlen = sizeof (struct esp) + sav->ivlen; 309 else 310 hlen = sizeof (struct newesp) + sav->ivlen; 311 /* Authenticator hash size */ 312 alen = esph ? AH_HMAC_HASHLEN : 0; 313 314 /* 315 * Verify payload length is multiple of encryption algorithm 316 * block size. 317 * 318 * NB: This works for the null algorithm because the blocksize 319 * is 4 and all packets must be 4-byte aligned regardless 320 * of the algorithm. 321 */ 322 plen = m->m_pkthdr.len - (skip + hlen + alen); 323 if ((plen & (espx->blocksize - 1)) || (plen <= 0)) { 324 DPRINTF(("esp_input: " 325 "payload of %d octets not a multiple of %d octets," 326 " SA %s/%08lx\n", 327 plen, espx->blocksize, 328 ipsec_address(&sav->sah->saidx.dst), 329 (u_long) ntohl(sav->spi))); 330 ESP_STATINC(ESP_STAT_BADILEN); 331 m_freem(m); 332 return EINVAL; 333 } 334 335 /* 336 * Check sequence number. 337 */ 338 if (esph && sav->replay && !ipsec_chkreplay(ntohl(esp->esp_seq), sav)) { 339 DPRINTF(("esp_input: packet replay check for %s\n", 340 ipsec_logsastr(sav))); /*XXX*/ 341 ESP_STATINC(ESP_STAT_REPLAY); 342 m_freem(m); 343 return ENOBUFS; /*XXX*/ 344 } 345 346 /* Update the counters */ 347 ESP_STATADD(ESP_STAT_IBYTES, m->m_pkthdr.len - skip - hlen - alen); 348 349 /* Find out if we've already done crypto */ 350 for (mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_CRYPTO_DONE, NULL); 351 mtag != NULL; 352 mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_CRYPTO_DONE, mtag)) { 353 tdbi = (struct tdb_ident *) (mtag + 1); 354 if (tdbi->proto == sav->sah->saidx.proto && 355 tdbi->spi == sav->spi && 356 !memcmp(&tdbi->dst, &sav->sah->saidx.dst, 357 sizeof(union sockaddr_union))) 358 break; 359 } 360 361 /* Get crypto descriptors */ 362 crp = crypto_getreq(esph && espx ? 2 : 1); 363 if (crp == NULL) { 364 DPRINTF(("esp_input: failed to acquire crypto descriptors\n")); 365 ESP_STATINC(ESP_STAT_CRYPTO); 366 m_freem(m); 367 return ENOBUFS; 368 } 369 370 /* Get IPsec-specific opaque pointer */ 371 if (esph == NULL || mtag != NULL) 372 tc = (struct tdb_crypto *) malloc(sizeof(struct tdb_crypto), 373 M_XDATA, M_NOWAIT|M_ZERO); 374 else 375 tc = (struct tdb_crypto *) malloc(sizeof(struct tdb_crypto) + alen, 376 M_XDATA, M_NOWAIT|M_ZERO); 377 if (tc == NULL) { 378 crypto_freereq(crp); 379 DPRINTF(("esp_input: failed to allocate tdb_crypto\n")); 380 ESP_STATINC(ESP_STAT_CRYPTO); 381 m_freem(m); 382 return ENOBUFS; 383 } 384 385 tc->tc_ptr = mtag; 386 387 if (esph) { 388 struct cryptodesc *crda = crp->crp_desc; 389 390 IPSEC_ASSERT(crda != NULL, ("esp_input: null ah crypto descriptor")); 391 392 /* Authentication descriptor */ 393 crda->crd_skip = skip; 394 crda->crd_len = m->m_pkthdr.len - (skip + alen); 395 crda->crd_inject = m->m_pkthdr.len - alen; 396 397 crda->crd_alg = esph->type; 398 crda->crd_key = _KEYBUF(sav->key_auth); 399 crda->crd_klen = _KEYBITS(sav->key_auth); 400 401 /* Copy the authenticator */ 402 if (mtag == NULL) 403 m_copydata(m, m->m_pkthdr.len - alen, alen, 404 (tc + 1)); 405 406 /* Chain authentication request */ 407 crde = crda->crd_next; 408 } else { 409 crde = crp->crp_desc; 410 } 411 412 /* Crypto operation descriptor */ 413 crp->crp_ilen = m->m_pkthdr.len; /* Total input length */ 414 crp->crp_flags = CRYPTO_F_IMBUF; 415 crp->crp_buf = m; 416 crp->crp_callback = esp_input_cb; 417 crp->crp_sid = sav->tdb_cryptoid; 418 crp->crp_opaque = tc; 419 420 /* These are passed as-is to the callback */ 421 tc->tc_spi = sav->spi; 422 tc->tc_dst = sav->sah->saidx.dst; 423 tc->tc_proto = sav->sah->saidx.proto; 424 tc->tc_protoff = protoff; 425 tc->tc_skip = skip; 426 427 /* Decryption descriptor */ 428 if (espx) { 429 IPSEC_ASSERT(crde != NULL, ("esp_input: null esp crypto descriptor")); 430 crde->crd_skip = skip + hlen; 431 crde->crd_len = m->m_pkthdr.len - (skip + hlen + alen); 432 crde->crd_inject = skip + hlen - sav->ivlen; 433 434 crde->crd_alg = espx->type; 435 crde->crd_key = _KEYBUF(sav->key_enc); 436 crde->crd_klen = _KEYBITS(sav->key_enc); 437 /* XXX Rounds ? */ 438 } 439 440 if (mtag == NULL) 441 return crypto_dispatch(crp); 442 else 443 return esp_input_cb(crp); 444 } 445 446 #ifdef INET6 447 #define IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff, mtag) do { \ 448 if (saidx->dst.sa.sa_family == AF_INET6) { \ 449 error = ipsec6_common_input_cb(m, sav, skip, protoff, mtag); \ 450 } else { \ 451 error = ipsec4_common_input_cb(m, sav, skip, protoff, mtag); \ 452 } \ 453 } while (0) 454 #else 455 #define IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff, mtag) \ 456 (error = ipsec4_common_input_cb(m, sav, skip, protoff, mtag)) 457 #endif 458 459 /* 460 * ESP input callback from the crypto driver. 461 */ 462 static int 463 esp_input_cb(struct cryptop *crp) 464 { 465 u_int8_t lastthree[3], aalg[AH_HMAC_HASHLEN]; 466 int s, hlen, skip, protoff, error; 467 struct mbuf *m; 468 struct cryptodesc *crd; 469 struct auth_hash *esph; 470 struct enc_xform *espx; 471 struct tdb_crypto *tc; 472 struct m_tag *mtag; 473 struct secasvar *sav; 474 struct secasindex *saidx; 475 void *ptr; 476 u_int16_t dport = 0; 477 u_int16_t sport = 0; 478 #ifdef IPSEC_NAT_T 479 struct m_tag * tag = NULL; 480 #endif 481 482 crd = crp->crp_desc; 483 IPSEC_ASSERT(crd != NULL, ("esp_input_cb: null crypto descriptor!")); 484 485 tc = (struct tdb_crypto *) crp->crp_opaque; 486 IPSEC_ASSERT(tc != NULL, ("esp_input_cb: null opaque crypto data area!")); 487 skip = tc->tc_skip; 488 protoff = tc->tc_protoff; 489 mtag = (struct m_tag *) tc->tc_ptr; 490 m = (struct mbuf *) crp->crp_buf; 491 492 #ifdef IPSEC_NAT_T 493 /* find the source port for NAT-T */ 494 if ((tag = m_tag_find(m, PACKET_TAG_IPSEC_NAT_T_PORTS, NULL))) { 495 sport = ((u_int16_t *)(tag + 1))[0]; 496 dport = ((u_int16_t *)(tag + 1))[1]; 497 } 498 #endif 499 500 s = splsoftnet(); 501 502 sav = KEY_ALLOCSA(&tc->tc_dst, tc->tc_proto, tc->tc_spi, sport, dport); 503 if (sav == NULL) { 504 ESP_STATINC(ESP_STAT_NOTDB); 505 DPRINTF(("esp_input_cb: SA expired while in crypto " 506 "(SA %s/%08lx proto %u)\n", ipsec_address(&tc->tc_dst), 507 (u_long) ntohl(tc->tc_spi), tc->tc_proto)); 508 error = ENOBUFS; /*XXX*/ 509 goto bad; 510 } 511 512 saidx = &sav->sah->saidx; 513 IPSEC_ASSERT(saidx->dst.sa.sa_family == AF_INET || 514 saidx->dst.sa.sa_family == AF_INET6, 515 ("ah_input_cb: unexpected protocol family %u", 516 saidx->dst.sa.sa_family)); 517 518 esph = sav->tdb_authalgxform; 519 espx = sav->tdb_encalgxform; 520 521 /* Check for crypto errors */ 522 if (crp->crp_etype) { 523 /* Reset the session ID */ 524 if (sav->tdb_cryptoid != 0) 525 sav->tdb_cryptoid = crp->crp_sid; 526 527 if (crp->crp_etype == EAGAIN) { 528 KEY_FREESAV(&sav); 529 splx(s); 530 return crypto_dispatch(crp); 531 } 532 533 ESP_STATINC(ESP_STAT_NOXFORM); 534 DPRINTF(("esp_input_cb: crypto error %d\n", crp->crp_etype)); 535 error = crp->crp_etype; 536 goto bad; 537 } 538 539 /* Shouldn't happen... */ 540 if (m == NULL) { 541 ESP_STATINC(ESP_STAT_CRYPTO); 542 DPRINTF(("esp_input_cb: bogus returned buffer from crypto\n")); 543 error = EINVAL; 544 goto bad; 545 } 546 ESP_STATINC(ESP_STAT_HIST + sav->alg_enc); 547 548 /* If authentication was performed, check now. */ 549 if (esph != NULL) { 550 /* 551 * If we have a tag, it means an IPsec-aware NIC did 552 * the verification for us. Otherwise we need to 553 * check the authentication calculation. 554 */ 555 AH_STATINC(AH_STAT_HIST + sav->alg_auth); 556 if (mtag == NULL) { 557 /* Copy the authenticator from the packet */ 558 m_copydata(m, m->m_pkthdr.len - esph->authsize, 559 esph->authsize, aalg); 560 561 ptr = (tc + 1); 562 563 /* Verify authenticator */ 564 if (memcmp(ptr, aalg, esph->authsize) != 0) { 565 DPRINTF(("esp_input_cb: " 566 "authentication hash mismatch for packet in SA %s/%08lx\n", 567 ipsec_address(&saidx->dst), 568 (u_long) ntohl(sav->spi))); 569 ESP_STATINC(ESP_STAT_BADAUTH); 570 error = EACCES; 571 goto bad; 572 } 573 } 574 575 /* Remove trailing authenticator */ 576 m_adj(m, -(esph->authsize)); 577 } 578 579 /* Release the crypto descriptors */ 580 free(tc, M_XDATA), tc = NULL; 581 crypto_freereq(crp), crp = NULL; 582 583 /* 584 * Packet is now decrypted. 585 */ 586 m->m_flags |= M_DECRYPTED; 587 588 /* 589 * Update replay sequence number, if appropriate. 590 */ 591 if (sav->replay) { 592 u_int32_t seq; 593 594 m_copydata(m, skip + offsetof(struct newesp, esp_seq), 595 sizeof (seq), &seq); 596 if (ipsec_updatereplay(ntohl(seq), sav)) { 597 DPRINTF(("%s: packet replay check for %s\n", __func__, 598 ipsec_logsastr(sav))); 599 ESP_STATINC(ESP_STAT_REPLAY); 600 error = ENOBUFS; 601 goto bad; 602 } 603 } 604 605 /* Determine the ESP header length */ 606 if (sav->flags & SADB_X_EXT_OLD) 607 hlen = sizeof (struct esp) + sav->ivlen; 608 else 609 hlen = sizeof (struct newesp) + sav->ivlen; 610 611 /* Remove the ESP header and IV from the mbuf. */ 612 error = m_striphdr(m, skip, hlen); 613 if (error) { 614 ESP_STATINC(ESP_STAT_HDROPS); 615 DPRINTF(("esp_input_cb: bad mbuf chain, SA %s/%08lx\n", 616 ipsec_address(&sav->sah->saidx.dst), 617 (u_long) ntohl(sav->spi))); 618 goto bad; 619 } 620 621 /* Save the last three bytes of decrypted data */ 622 m_copydata(m, m->m_pkthdr.len - 3, 3, lastthree); 623 624 /* Verify pad length */ 625 if (lastthree[1] + 2 > m->m_pkthdr.len - skip) { 626 ESP_STATINC(ESP_STAT_BADILEN); 627 DPRINTF(("esp_input_cb: invalid padding length %d " 628 "for %u byte packet in SA %s/%08lx\n", 629 lastthree[1], m->m_pkthdr.len - skip, 630 ipsec_address(&sav->sah->saidx.dst), 631 (u_long) ntohl(sav->spi))); 632 error = EINVAL; 633 goto bad; 634 } 635 636 /* Verify correct decryption by checking the last padding bytes */ 637 if ((sav->flags & SADB_X_EXT_PMASK) != SADB_X_EXT_PRAND) { 638 if (lastthree[1] != lastthree[0] && lastthree[1] != 0) { 639 ESP_STATINC(ESP_STAT_BADENC); 640 DPRINTF(("esp_input_cb: decryption failed " 641 "for packet in SA %s/%08lx\n", 642 ipsec_address(&sav->sah->saidx.dst), 643 (u_long) ntohl(sav->spi))); 644 DPRINTF(("esp_input_cb: %x %x\n", lastthree[0], lastthree[1])); 645 error = EINVAL; 646 goto bad; 647 } 648 } 649 650 /* Trim the mbuf chain to remove trailing authenticator and padding */ 651 m_adj(m, -(lastthree[1] + 2)); 652 653 /* Restore the Next Protocol field */ 654 m = m_copyback_cow(m, protoff, sizeof (u_int8_t), lastthree + 2, 655 M_DONTWAIT); 656 657 if (m == NULL) { 658 ESP_STATINC(ESP_STAT_CRYPTO); 659 DPRINTF(("esp_input_cb: failed to allocate mbuf\n")); 660 error = ENOBUFS; 661 goto bad; 662 } 663 664 IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff, mtag); 665 666 KEY_FREESAV(&sav); 667 splx(s); 668 return error; 669 bad: 670 if (sav) 671 KEY_FREESAV(&sav); 672 splx(s); 673 if (m != NULL) 674 m_freem(m); 675 if (tc != NULL) 676 free(tc, M_XDATA); 677 if (crp != NULL) 678 crypto_freereq(crp); 679 return error; 680 } 681 682 /* 683 * ESP output routine, called by ipsec[46]_process_packet(). 684 */ 685 static int 686 esp_output( 687 struct mbuf *m, 688 struct ipsecrequest *isr, 689 struct mbuf **mp, 690 int skip, 691 int protoff 692 ) 693 { 694 struct enc_xform *espx; 695 struct auth_hash *esph; 696 int hlen, rlen, plen, padding, blks, alen, i, roff; 697 struct mbuf *mo = (struct mbuf *) NULL; 698 struct tdb_crypto *tc; 699 struct secasvar *sav; 700 struct secasindex *saidx; 701 unsigned char *pad; 702 u_int8_t prot; 703 int error, maxpacketsize; 704 705 struct cryptodesc *crde = NULL, *crda = NULL; 706 struct cryptop *crp; 707 708 IPSEC_SPLASSERT_SOFTNET("esp_output"); 709 710 sav = isr->sav; 711 IPSEC_ASSERT(sav != NULL, ("esp_output: null SA")); 712 esph = sav->tdb_authalgxform; 713 espx = sav->tdb_encalgxform; 714 IPSEC_ASSERT(espx != NULL, ("esp_output: null encoding xform")); 715 716 if (sav->flags & SADB_X_EXT_OLD) 717 hlen = sizeof (struct esp) + sav->ivlen; 718 else 719 hlen = sizeof (struct newesp) + sav->ivlen; 720 721 rlen = m->m_pkthdr.len - skip; /* Raw payload length. */ 722 /* 723 * NB: The null encoding transform has a blocksize of 4 724 * so that headers are properly aligned. 725 */ 726 blks = espx->blocksize; /* IV blocksize */ 727 728 /* XXX clamp padding length a la KAME??? */ 729 padding = ((blks - ((rlen + 2) % blks)) % blks) + 2; 730 plen = rlen + padding; /* Padded payload length. */ 731 732 if (esph) 733 alen = AH_HMAC_HASHLEN; 734 else 735 alen = 0; 736 737 ESP_STATINC(ESP_STAT_OUTPUT); 738 739 saidx = &sav->sah->saidx; 740 /* Check for maximum packet size violations. */ 741 switch (saidx->dst.sa.sa_family) { 742 #ifdef INET 743 case AF_INET: 744 maxpacketsize = IP_MAXPACKET; 745 break; 746 #endif /* INET */ 747 #ifdef INET6 748 case AF_INET6: 749 maxpacketsize = IPV6_MAXPACKET; 750 break; 751 #endif /* INET6 */ 752 default: 753 DPRINTF(("esp_output: unknown/unsupported protocol " 754 "family %d, SA %s/%08lx\n", 755 saidx->dst.sa.sa_family, ipsec_address(&saidx->dst), 756 (u_long) ntohl(sav->spi))); 757 ESP_STATINC(ESP_STAT_NOPF); 758 error = EPFNOSUPPORT; 759 goto bad; 760 } 761 if (skip + hlen + rlen + padding + alen > maxpacketsize) { 762 DPRINTF(("esp_output: packet in SA %s/%08lx got too big " 763 "(len %u, max len %u)\n", 764 ipsec_address(&saidx->dst), (u_long) ntohl(sav->spi), 765 skip + hlen + rlen + padding + alen, maxpacketsize)); 766 ESP_STATINC(ESP_STAT_TOOBIG); 767 error = EMSGSIZE; 768 goto bad; 769 } 770 771 /* Update the counters. */ 772 ESP_STATADD(ESP_STAT_OUTPUT, m->m_pkthdr.len - skip); 773 774 m = m_clone(m); 775 if (m == NULL) { 776 DPRINTF(("esp_output: cannot clone mbuf chain, SA %s/%08lx\n", 777 ipsec_address(&saidx->dst), (u_long) ntohl(sav->spi))); 778 ESP_STATINC(ESP_STAT_HDROPS); 779 error = ENOBUFS; 780 goto bad; 781 } 782 783 /* Inject ESP header. */ 784 mo = m_makespace(m, skip, hlen, &roff); 785 if (mo == NULL) { 786 DPRINTF(("esp_output: failed to inject %u byte ESP hdr for SA " 787 "%s/%08lx\n", 788 hlen, ipsec_address(&saidx->dst), 789 (u_long) ntohl(sav->spi))); 790 ESP_STATINC(ESP_STAT_HDROPS); /* XXX diffs from openbsd */ 791 error = ENOBUFS; 792 goto bad; 793 } 794 795 /* Initialize ESP header. */ 796 memcpy(mtod(mo, char *) + roff, &sav->spi, sizeof(u_int32_t)); 797 if (sav->replay) { 798 u_int32_t replay; 799 800 #ifdef IPSEC_DEBUG 801 /* Emulate replay attack when ipsec_replay is TRUE. */ 802 if (!ipsec_replay) 803 #endif 804 sav->replay->count++; 805 806 replay = htonl(sav->replay->count); 807 bcopy(&replay, 808 mtod(mo,char *) + roff + sizeof(u_int32_t), 809 sizeof(u_int32_t)); 810 } 811 812 /* 813 * Add padding -- better to do it ourselves than use the crypto engine, 814 * although if/when we support compression, we'd have to do that. 815 */ 816 pad = (u_char *) m_pad(m, padding + alen); 817 if (pad == NULL) { 818 DPRINTF(("esp_output: m_pad failed for SA %s/%08lx\n", 819 ipsec_address(&saidx->dst), (u_long) ntohl(sav->spi))); 820 m = NULL; /* NB: free'd by m_pad */ 821 error = ENOBUFS; 822 goto bad; 823 } 824 825 /* 826 * Add padding: random, zero, or self-describing. 827 * XXX catch unexpected setting 828 */ 829 switch (sav->flags & SADB_X_EXT_PMASK) { 830 case SADB_X_EXT_PRAND: 831 (void) read_random(pad, padding - 2); 832 break; 833 case SADB_X_EXT_PZERO: 834 memset(pad, 0, padding - 2); 835 break; 836 case SADB_X_EXT_PSEQ: 837 for (i = 0; i < padding - 2; i++) 838 pad[i] = i+1; 839 break; 840 } 841 842 /* Fix padding length and Next Protocol in padding itself. */ 843 pad[padding - 2] = padding - 2; 844 m_copydata(m, protoff, sizeof(u_int8_t), pad + padding - 1); 845 846 /* Fix Next Protocol in IPv4/IPv6 header. */ 847 prot = IPPROTO_ESP; 848 m_copyback(m, protoff, sizeof(u_int8_t), (u_char *) &prot); 849 850 /* Get crypto descriptors. */ 851 crp = crypto_getreq(esph && espx ? 2 : 1); 852 if (crp == NULL) { 853 DPRINTF(("esp_output: failed to acquire crypto descriptors\n")); 854 ESP_STATINC(ESP_STAT_CRYPTO); 855 error = ENOBUFS; 856 goto bad; 857 } 858 859 if (espx) { 860 crde = crp->crp_desc; 861 crda = crde->crd_next; 862 863 /* Encryption descriptor. */ 864 crde->crd_skip = skip + hlen; 865 crde->crd_len = m->m_pkthdr.len - (skip + hlen + alen); 866 crde->crd_flags = CRD_F_ENCRYPT; 867 crde->crd_inject = skip + hlen - sav->ivlen; 868 869 /* Encryption operation. */ 870 crde->crd_alg = espx->type; 871 crde->crd_key = _KEYBUF(sav->key_enc); 872 crde->crd_klen = _KEYBITS(sav->key_enc); 873 /* XXX Rounds ? */ 874 } else 875 crda = crp->crp_desc; 876 877 /* IPsec-specific opaque crypto info. */ 878 tc = (struct tdb_crypto *) malloc(sizeof(struct tdb_crypto), 879 M_XDATA, M_NOWAIT|M_ZERO); 880 if (tc == NULL) { 881 crypto_freereq(crp); 882 DPRINTF(("esp_output: failed to allocate tdb_crypto\n")); 883 ESP_STATINC(ESP_STAT_CRYPTO); 884 error = ENOBUFS; 885 goto bad; 886 } 887 888 /* Callback parameters */ 889 tc->tc_isr = isr; 890 tc->tc_spi = sav->spi; 891 tc->tc_dst = saidx->dst; 892 tc->tc_proto = saidx->proto; 893 894 /* Crypto operation descriptor. */ 895 crp->crp_ilen = m->m_pkthdr.len; /* Total input length. */ 896 crp->crp_flags = CRYPTO_F_IMBUF; 897 crp->crp_buf = m; 898 crp->crp_callback = esp_output_cb; 899 crp->crp_opaque = tc; 900 crp->crp_sid = sav->tdb_cryptoid; 901 902 if (esph) { 903 /* Authentication descriptor. */ 904 crda->crd_skip = skip; 905 crda->crd_len = m->m_pkthdr.len - (skip + alen); 906 crda->crd_inject = m->m_pkthdr.len - alen; 907 908 /* Authentication operation. */ 909 crda->crd_alg = esph->type; 910 crda->crd_key = _KEYBUF(sav->key_auth); 911 crda->crd_klen = _KEYBITS(sav->key_auth); 912 } 913 914 return crypto_dispatch(crp); 915 bad: 916 if (m) 917 m_freem(m); 918 return (error); 919 } 920 921 /* 922 * ESP output callback from the crypto driver. 923 */ 924 static int 925 esp_output_cb(struct cryptop *crp) 926 { 927 struct tdb_crypto *tc; 928 struct ipsecrequest *isr; 929 struct secasvar *sav; 930 struct mbuf *m; 931 int s, err, error; 932 933 tc = (struct tdb_crypto *) crp->crp_opaque; 934 IPSEC_ASSERT(tc != NULL, ("esp_output_cb: null opaque data area!")); 935 m = (struct mbuf *) crp->crp_buf; 936 937 s = splsoftnet(); 938 939 isr = tc->tc_isr; 940 sav = KEY_ALLOCSA(&tc->tc_dst, tc->tc_proto, tc->tc_spi, 0, 0); 941 if (sav == NULL) { 942 ESP_STATINC(ESP_STAT_NOTDB); 943 DPRINTF(("esp_output_cb: SA expired while in crypto " 944 "(SA %s/%08lx proto %u)\n", ipsec_address(&tc->tc_dst), 945 (u_long) ntohl(tc->tc_spi), tc->tc_proto)); 946 error = ENOBUFS; /*XXX*/ 947 goto bad; 948 } 949 IPSEC_ASSERT(isr->sav == sav, 950 ("esp_output_cb: SA changed was %p now %p\n", isr->sav, sav)); 951 952 /* Check for crypto errors. */ 953 if (crp->crp_etype) { 954 /* Reset session ID. */ 955 if (sav->tdb_cryptoid != 0) 956 sav->tdb_cryptoid = crp->crp_sid; 957 958 if (crp->crp_etype == EAGAIN) { 959 KEY_FREESAV(&sav); 960 splx(s); 961 return crypto_dispatch(crp); 962 } 963 964 ESP_STATINC(ESP_STAT_NOXFORM); 965 DPRINTF(("esp_output_cb: crypto error %d\n", crp->crp_etype)); 966 error = crp->crp_etype; 967 goto bad; 968 } 969 970 /* Shouldn't happen... */ 971 if (m == NULL) { 972 ESP_STATINC(ESP_STAT_CRYPTO); 973 DPRINTF(("esp_output_cb: bogus returned buffer from crypto\n")); 974 error = EINVAL; 975 goto bad; 976 } 977 ESP_STATINC(ESP_STAT_HIST + sav->alg_enc); 978 if (sav->tdb_authalgxform != NULL) 979 AH_STATINC(sav->alg_auth + sav->alg_auth); 980 981 /* Release crypto descriptors. */ 982 free(tc, M_XDATA); 983 crypto_freereq(crp); 984 985 #ifdef IPSEC_DEBUG 986 /* Emulate man-in-the-middle attack when ipsec_integrity is TRUE. */ 987 if (ipsec_integrity) { 988 static unsigned char ipseczeroes[AH_HMAC_HASHLEN]; 989 struct auth_hash *esph; 990 991 /* 992 * Corrupt HMAC if we want to test integrity verification of 993 * the other side. 994 */ 995 esph = sav->tdb_authalgxform; 996 if (esph != NULL) { 997 m_copyback(m, m->m_pkthdr.len - AH_HMAC_HASHLEN, 998 AH_HMAC_HASHLEN, ipseczeroes); 999 } 1000 } 1001 #endif 1002 1003 /* NB: m is reclaimed by ipsec_process_done. */ 1004 err = ipsec_process_done(m, isr); 1005 KEY_FREESAV(&sav); 1006 splx(s); 1007 return err; 1008 bad: 1009 if (sav) 1010 KEY_FREESAV(&sav); 1011 splx(s); 1012 if (m) 1013 m_freem(m); 1014 free(tc, M_XDATA); 1015 crypto_freereq(crp); 1016 return error; 1017 } 1018 1019 static struct xformsw esp_xformsw = { 1020 XF_ESP, XFT_CONF|XFT_AUTH, "IPsec ESP", 1021 esp_init, esp_zeroize, esp_input, 1022 esp_output, 1023 NULL, 1024 }; 1025 1026 INITFN void 1027 esp_attach(void) 1028 { 1029 1030 espstat_percpu = percpu_alloc(sizeof(uint64_t) * ESP_NSTATS); 1031 1032 #define MAXIV(xform) \ 1033 if (xform.blocksize > esp_max_ivlen) \ 1034 esp_max_ivlen = xform.blocksize \ 1035 1036 esp_max_ivlen = 0; 1037 MAXIV(enc_xform_des); /* SADB_EALG_DESCBC */ 1038 MAXIV(enc_xform_3des); /* SADB_EALG_3DESCBC */ 1039 MAXIV(enc_xform_rijndael128); /* SADB_X_EALG_AES */ 1040 MAXIV(enc_xform_blf); /* SADB_X_EALG_BLOWFISHCBC */ 1041 MAXIV(enc_xform_cast5); /* SADB_X_EALG_CAST128CBC */ 1042 MAXIV(enc_xform_skipjack); /* SADB_X_EALG_SKIPJACK */ 1043 MAXIV(enc_xform_null); /* SADB_EALG_NULL */ 1044 1045 xform_register(&esp_xformsw); 1046 #undef MAXIV 1047 } 1048 #ifdef __FreeBSD__ 1049 SYSINIT(esp_xform_init, SI_SUB_DRIVERS, SI_ORDER_FIRST, esp_attach, NULL) 1050 #else 1051 #endif 1052