1 /* $OpenBSD: ip_esp.c,v 1.181 2021/10/24 14:50:42 tobhe Exp $ */ 2 /* 3 * The authors of this code are John Ioannidis (ji@tla.org), 4 * Angelos D. Keromytis (kermit@csd.uch.gr) and 5 * Niels Provos (provos@physnet.uni-hamburg.de). 6 * 7 * The original version of this code was written by John Ioannidis 8 * for BSD/OS in Athens, Greece, in November 1995. 9 * 10 * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996, 11 * by Angelos D. Keromytis. 12 * 13 * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis 14 * and Niels Provos. 15 * 16 * Additional features in 1999 by Angelos D. Keromytis. 17 * 18 * Copyright (C) 1995, 1996, 1997, 1998, 1999 by John Ioannidis, 19 * Angelos D. Keromytis and Niels Provos. 20 * Copyright (c) 2001 Angelos D. Keromytis. 21 * 22 * Permission to use, copy, and modify this software with or without fee 23 * is hereby granted, provided that this entire notice is included in 24 * all copies of any software which is or includes a copy or 25 * modification of this software. 26 * You may use this code under the GNU public license if you so wish. Please 27 * contribute changes back to the authors under this freer than GPL license 28 * so that we may further the use of strong encryption without limitations to 29 * all. 30 * 31 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR 32 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY 33 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE 34 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR 35 * PURPOSE. 36 */ 37 38 #include "pfsync.h" 39 40 #include <sys/param.h> 41 #include <sys/systm.h> 42 #include <sys/mbuf.h> 43 #include <sys/socket.h> 44 45 #include <net/if.h> 46 #include <net/if_var.h> 47 #include <net/bpf.h> 48 49 #include <netinet/in.h> 50 #include <netinet/ip.h> 51 #include <netinet/ip_var.h> 52 53 #ifdef INET6 54 #include <netinet/ip6.h> 55 #endif /* INET6 */ 56 57 #include <netinet/ip_ipsp.h> 58 #include <netinet/ip_esp.h> 59 #include <net/pfkeyv2.h> 60 #include <net/if_enc.h> 61 62 #if NPFSYNC > 0 63 #include <net/pfvar.h> 64 #include <net/if_pfsync.h> 65 #endif /* NPFSYNC > 0 */ 66 67 #include <crypto/cryptodev.h> 68 #include <crypto/xform.h> 69 70 #include "bpfilter.h" 71 72 #ifdef ENCDEBUG 73 #define DPRINTF(fmt, args...) \ 74 do { \ 75 if (encdebug) \ 76 printf("%s: " fmt "\n", __func__, ## args); \ 77 } while (0) 78 #else 79 #define DPRINTF(fmt, args...) \ 80 do { } while (0) 81 #endif 82 83 /* 84 * esp_attach() is called from the transformation initialization code. 85 */ 86 int 87 esp_attach(void) 88 { 89 return 0; 90 } 91 92 /* 93 * esp_init() is called when an SPI is being set up. 94 */ 95 int 96 esp_init(struct tdb *tdbp, const struct xformsw *xsp, struct ipsecinit *ii) 97 { 98 const struct enc_xform *txform = NULL; 99 const struct auth_hash *thash = NULL; 100 struct cryptoini cria, crie, crin; 101 int error; 102 103 if (!ii->ii_encalg && !ii->ii_authalg) { 104 DPRINTF("neither authentication nor encryption algorithm " 105 "given"); 106 return EINVAL; 107 } 108 109 if (ii->ii_encalg) { 110 switch (ii->ii_encalg) { 111 case SADB_EALG_NULL: 112 txform = &enc_xform_null; 113 break; 114 115 case SADB_EALG_3DESCBC: 116 txform = &enc_xform_3des; 117 break; 118 119 case SADB_X_EALG_AES: 120 txform = &enc_xform_aes; 121 break; 122 123 case SADB_X_EALG_AESCTR: 124 txform = &enc_xform_aes_ctr; 125 break; 126 127 case SADB_X_EALG_AESGCM16: 128 txform = &enc_xform_aes_gcm; 129 break; 130 131 case SADB_X_EALG_AESGMAC: 132 txform = &enc_xform_aes_gmac; 133 break; 134 135 case SADB_X_EALG_CHACHA20POLY1305: 136 txform = &enc_xform_chacha20_poly1305; 137 break; 138 139 case SADB_X_EALG_BLF: 140 txform = &enc_xform_blf; 141 break; 142 143 case SADB_X_EALG_CAST: 144 txform = &enc_xform_cast5; 145 break; 146 147 default: 148 DPRINTF("unsupported encryption algorithm %d " 149 "specified", 150 ii->ii_encalg); 151 return EINVAL; 152 } 153 154 if (ii->ii_enckeylen < txform->minkey) { 155 DPRINTF("keylength %d too small (min length is %d) " 156 "for algorithm %s", 157 ii->ii_enckeylen, txform->minkey, txform->name); 158 return EINVAL; 159 } 160 161 if (ii->ii_enckeylen > txform->maxkey) { 162 DPRINTF("keylength %d too large (max length is %d) " 163 "for algorithm %s", 164 ii->ii_enckeylen, txform->maxkey, txform->name); 165 return EINVAL; 166 } 167 168 if (ii->ii_encalg == SADB_X_EALG_AESGCM16 || 169 ii->ii_encalg == SADB_X_EALG_AESGMAC) { 170 switch (ii->ii_enckeylen) { 171 case 20: 172 ii->ii_authalg = SADB_X_AALG_AES128GMAC; 173 break; 174 case 28: 175 ii->ii_authalg = SADB_X_AALG_AES192GMAC; 176 break; 177 case 36: 178 ii->ii_authalg = SADB_X_AALG_AES256GMAC; 179 break; 180 } 181 ii->ii_authkeylen = ii->ii_enckeylen; 182 ii->ii_authkey = ii->ii_enckey; 183 } else if (ii->ii_encalg == SADB_X_EALG_CHACHA20POLY1305) { 184 ii->ii_authalg = SADB_X_AALG_CHACHA20POLY1305; 185 ii->ii_authkeylen = ii->ii_enckeylen; 186 ii->ii_authkey = ii->ii_enckey; 187 } 188 189 tdbp->tdb_encalgxform = txform; 190 191 DPRINTF("initialized TDB with enc algorithm %s", txform->name); 192 193 tdbp->tdb_ivlen = txform->ivsize; 194 } 195 196 if (ii->ii_authalg) { 197 switch (ii->ii_authalg) { 198 case SADB_AALG_MD5HMAC: 199 thash = &auth_hash_hmac_md5_96; 200 break; 201 202 case SADB_AALG_SHA1HMAC: 203 thash = &auth_hash_hmac_sha1_96; 204 break; 205 206 case SADB_X_AALG_RIPEMD160HMAC: 207 thash = &auth_hash_hmac_ripemd_160_96; 208 break; 209 210 case SADB_X_AALG_SHA2_256: 211 thash = &auth_hash_hmac_sha2_256_128; 212 break; 213 214 case SADB_X_AALG_SHA2_384: 215 thash = &auth_hash_hmac_sha2_384_192; 216 break; 217 218 case SADB_X_AALG_SHA2_512: 219 thash = &auth_hash_hmac_sha2_512_256; 220 break; 221 222 case SADB_X_AALG_AES128GMAC: 223 thash = &auth_hash_gmac_aes_128; 224 break; 225 226 case SADB_X_AALG_AES192GMAC: 227 thash = &auth_hash_gmac_aes_192; 228 break; 229 230 case SADB_X_AALG_AES256GMAC: 231 thash = &auth_hash_gmac_aes_256; 232 break; 233 234 case SADB_X_AALG_CHACHA20POLY1305: 235 thash = &auth_hash_chacha20_poly1305; 236 break; 237 238 default: 239 DPRINTF("unsupported authentication algorithm %d " 240 "specified", 241 ii->ii_authalg); 242 return EINVAL; 243 } 244 245 if (ii->ii_authkeylen != thash->keysize) { 246 DPRINTF("keylength %d doesn't match algorithm %s " 247 "keysize (%d)", 248 ii->ii_authkeylen, thash->name, thash->keysize); 249 return EINVAL; 250 } 251 252 tdbp->tdb_authalgxform = thash; 253 254 DPRINTF("initialized TDB with hash algorithm %s", thash->name); 255 } 256 257 tdbp->tdb_xform = xsp; 258 tdbp->tdb_rpl = AH_HMAC_INITIAL_RPL; 259 260 /* Initialize crypto session */ 261 if (tdbp->tdb_encalgxform) { 262 /* Save the raw keys */ 263 tdbp->tdb_emxkeylen = ii->ii_enckeylen; 264 tdbp->tdb_emxkey = malloc(tdbp->tdb_emxkeylen, M_XDATA, 265 M_WAITOK); 266 memcpy(tdbp->tdb_emxkey, ii->ii_enckey, tdbp->tdb_emxkeylen); 267 268 memset(&crie, 0, sizeof(crie)); 269 270 crie.cri_alg = tdbp->tdb_encalgxform->type; 271 272 if (tdbp->tdb_authalgxform) 273 crie.cri_next = &cria; 274 else 275 crie.cri_next = NULL; 276 277 crie.cri_klen = ii->ii_enckeylen * 8; 278 crie.cri_key = ii->ii_enckey; 279 /* XXX Rounds ? */ 280 } 281 282 if (tdbp->tdb_authalgxform) { 283 /* Save the raw keys */ 284 tdbp->tdb_amxkeylen = ii->ii_authkeylen; 285 tdbp->tdb_amxkey = malloc(tdbp->tdb_amxkeylen, M_XDATA, 286 M_WAITOK); 287 memcpy(tdbp->tdb_amxkey, ii->ii_authkey, tdbp->tdb_amxkeylen); 288 289 memset(&cria, 0, sizeof(cria)); 290 291 cria.cri_alg = tdbp->tdb_authalgxform->type; 292 293 if ((tdbp->tdb_wnd > 0) && (tdbp->tdb_flags & TDBF_ESN)) { 294 memset(&crin, 0, sizeof(crin)); 295 crin.cri_alg = CRYPTO_ESN; 296 cria.cri_next = &crin; 297 } 298 299 cria.cri_klen = ii->ii_authkeylen * 8; 300 cria.cri_key = ii->ii_authkey; 301 } 302 303 KERNEL_LOCK(); 304 error = crypto_newsession(&tdbp->tdb_cryptoid, 305 (tdbp->tdb_encalgxform ? &crie : &cria), 0); 306 KERNEL_UNLOCK(); 307 return error; 308 } 309 310 /* 311 * Paranoia. 312 */ 313 int 314 esp_zeroize(struct tdb *tdbp) 315 { 316 int error; 317 318 if (tdbp->tdb_amxkey) { 319 explicit_bzero(tdbp->tdb_amxkey, tdbp->tdb_amxkeylen); 320 free(tdbp->tdb_amxkey, M_XDATA, tdbp->tdb_amxkeylen); 321 tdbp->tdb_amxkey = NULL; 322 } 323 324 if (tdbp->tdb_emxkey) { 325 explicit_bzero(tdbp->tdb_emxkey, tdbp->tdb_emxkeylen); 326 free(tdbp->tdb_emxkey, M_XDATA, tdbp->tdb_emxkeylen); 327 tdbp->tdb_emxkey = NULL; 328 } 329 330 KERNEL_LOCK(); 331 error = crypto_freesession(tdbp->tdb_cryptoid); 332 KERNEL_UNLOCK(); 333 tdbp->tdb_cryptoid = 0; 334 return error; 335 } 336 337 #define MAXBUFSIZ (AH_ALEN_MAX > ESP_MAX_IVS ? AH_ALEN_MAX : ESP_MAX_IVS) 338 339 /* 340 * ESP input processing, called (eventually) through the protocol switch. 341 */ 342 int 343 esp_input(struct mbuf **mp, struct tdb *tdb, int skip, int protoff) 344 { 345 const struct auth_hash *esph = tdb->tdb_authalgxform; 346 const struct enc_xform *espx = tdb->tdb_encalgxform; 347 struct mbuf *m = *mp; 348 struct cryptodesc *crde = NULL, *crda = NULL; 349 struct cryptop *crp = NULL; 350 struct tdb_crypto *tc = NULL; 351 int plen, alen, hlen, error, clen; 352 u_int32_t btsx, esn; 353 #ifdef ENCDEBUG 354 char buf[INET6_ADDRSTRLEN]; 355 #endif 356 357 /* Determine the ESP header length */ 358 hlen = 2 * sizeof(u_int32_t) + tdb->tdb_ivlen; /* "new" ESP */ 359 alen = esph ? esph->authsize : 0; 360 plen = m->m_pkthdr.len - (skip + hlen + alen); 361 if (plen <= 0) { 362 DPRINTF("invalid payload length"); 363 espstat_inc(esps_badilen); 364 error = EINVAL; 365 goto drop; 366 } 367 368 if (espx) { 369 /* 370 * Verify payload length is multiple of encryption algorithm 371 * block size. 372 */ 373 if (plen & (espx->blocksize - 1)) { 374 DPRINTF("payload of %d octets not a multiple " 375 "of %d octets, SA %s/%08x", 376 plen, espx->blocksize, 377 ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)), 378 ntohl(tdb->tdb_spi)); 379 espstat_inc(esps_badilen); 380 error = EINVAL; 381 goto drop; 382 } 383 } 384 385 /* Replay window checking, if appropriate -- no value commitment. */ 386 if (tdb->tdb_wnd > 0) { 387 m_copydata(m, skip + sizeof(u_int32_t), sizeof(u_int32_t), 388 &btsx); 389 btsx = ntohl(btsx); 390 391 switch (checkreplaywindow(tdb, tdb->tdb_rpl, btsx, &esn, 0)) { 392 case 0: /* All's well */ 393 break; 394 case 1: 395 DPRINTF("replay counter wrapped for SA %s/%08x", 396 ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)), 397 ntohl(tdb->tdb_spi)); 398 espstat_inc(esps_wrap); 399 error = EACCES; 400 goto drop; 401 case 2: 402 DPRINTF("old packet received in SA %s/%08x", 403 ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)), 404 ntohl(tdb->tdb_spi)); 405 espstat_inc(esps_replay); 406 error = EACCES; 407 goto drop; 408 case 3: 409 DPRINTF("duplicate packet received in SA %s/%08x", 410 ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)), 411 ntohl(tdb->tdb_spi)); 412 espstat_inc(esps_replay); 413 error = EACCES; 414 goto drop; 415 default: 416 DPRINTF("bogus value from checkreplaywindow() " 417 "in SA %s/%08x", 418 ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)), 419 ntohl(tdb->tdb_spi)); 420 espstat_inc(esps_replay); 421 error = EACCES; 422 goto drop; 423 } 424 } 425 426 /* Update the counters */ 427 tdb->tdb_cur_bytes += plen; 428 tdb->tdb_ibytes += plen; 429 espstat_add(esps_ibytes, plen); 430 431 /* Hard expiration */ 432 if ((tdb->tdb_flags & TDBF_BYTES) && 433 (tdb->tdb_cur_bytes >= tdb->tdb_exp_bytes)) { 434 pfkeyv2_expire(tdb, SADB_EXT_LIFETIME_HARD); 435 tdb_delete(tdb); 436 error = ENXIO; 437 goto drop; 438 } 439 440 /* Notify on soft expiration */ 441 if ((tdb->tdb_flags & TDBF_SOFT_BYTES) && 442 (tdb->tdb_cur_bytes >= tdb->tdb_soft_bytes)) { 443 pfkeyv2_expire(tdb, SADB_EXT_LIFETIME_SOFT); 444 tdb->tdb_flags &= ~TDBF_SOFT_BYTES; /* Turn off checking */ 445 } 446 447 /* Get crypto descriptors */ 448 crp = crypto_getreq(esph && espx ? 2 : 1); 449 if (crp == NULL) { 450 DPRINTF("failed to acquire crypto descriptors"); 451 espstat_inc(esps_crypto); 452 error = ENOBUFS; 453 goto drop; 454 } 455 456 /* Get IPsec-specific opaque pointer */ 457 if (esph == NULL) 458 tc = malloc(sizeof(*tc), M_XDATA, M_NOWAIT | M_ZERO); 459 else 460 tc = malloc(sizeof(*tc) + alen, M_XDATA, M_NOWAIT | M_ZERO); 461 if (tc == NULL) { 462 DPRINTF("failed to allocate tdb_crypto"); 463 espstat_inc(esps_crypto); 464 error = ENOBUFS; 465 goto drop; 466 } 467 468 if (esph) { 469 crda = &crp->crp_desc[0]; 470 crde = &crp->crp_desc[1]; 471 472 /* Authentication descriptor */ 473 crda->crd_skip = skip; 474 crda->crd_inject = m->m_pkthdr.len - alen; 475 476 crda->crd_alg = esph->type; 477 crda->crd_key = tdb->tdb_amxkey; 478 crda->crd_klen = tdb->tdb_amxkeylen * 8; 479 480 if ((tdb->tdb_wnd > 0) && (tdb->tdb_flags & TDBF_ESN)) { 481 esn = htonl(esn); 482 memcpy(crda->crd_esn, &esn, 4); 483 crda->crd_flags |= CRD_F_ESN; 484 } 485 486 if (espx && 487 (espx->type == CRYPTO_AES_GCM_16 || 488 espx->type == CRYPTO_CHACHA20_POLY1305)) 489 crda->crd_len = hlen - tdb->tdb_ivlen; 490 else 491 crda->crd_len = m->m_pkthdr.len - (skip + alen); 492 493 /* Copy the authenticator */ 494 m_copydata(m, m->m_pkthdr.len - alen, alen, tc + 1); 495 } else 496 crde = &crp->crp_desc[0]; 497 498 /* Crypto operation descriptor */ 499 crp->crp_ilen = m->m_pkthdr.len; /* Total input length */ 500 crp->crp_flags = CRYPTO_F_IMBUF | CRYPTO_F_MPSAFE; 501 crp->crp_buf = (caddr_t)m; 502 crp->crp_sid = tdb->tdb_cryptoid; 503 504 /* These are passed as-is to the callback */ 505 tc->tc_skip = skip; 506 tc->tc_protoff = protoff; 507 tc->tc_spi = tdb->tdb_spi; 508 tc->tc_proto = tdb->tdb_sproto; 509 tc->tc_rdomain = tdb->tdb_rdomain; 510 tc->tc_dst = tdb->tdb_dst; 511 tc->tc_rpl = tdb->tdb_rpl; 512 513 /* Decryption descriptor */ 514 if (espx) { 515 crde->crd_skip = skip + hlen; 516 crde->crd_inject = skip + hlen - tdb->tdb_ivlen; 517 crde->crd_alg = espx->type; 518 crde->crd_key = tdb->tdb_emxkey; 519 crde->crd_klen = tdb->tdb_emxkeylen * 8; 520 /* XXX Rounds ? */ 521 522 if (crde->crd_alg == CRYPTO_AES_GMAC) 523 crde->crd_len = 0; 524 else 525 crde->crd_len = m->m_pkthdr.len - (skip + hlen + alen); 526 } 527 528 KERNEL_LOCK(); 529 while ((error = crypto_invoke(crp)) == EAGAIN) { 530 /* Reset the session ID */ 531 if (tdb->tdb_cryptoid != 0) 532 tdb->tdb_cryptoid = crp->crp_sid; 533 } 534 KERNEL_UNLOCK(); 535 if (error) { 536 DPRINTF("crypto error %d", error); 537 ipsecstat_inc(ipsec_noxform); 538 goto drop; 539 } 540 541 clen = crp->crp_olen; 542 543 /* Release the crypto descriptors */ 544 crypto_freereq(crp); 545 546 return esp_input_cb(tdb, tc, m, clen); 547 548 drop: 549 m_freemp(mp); 550 crypto_freereq(crp); 551 free(tc, M_XDATA, 0); 552 return error; 553 } 554 555 /* 556 * ESP input callback, called directly by the crypto driver. 557 */ 558 int 559 esp_input_cb(struct tdb *tdb, struct tdb_crypto *tc, struct mbuf *m, int clen) 560 { 561 u_int8_t lastthree[3], aalg[AH_HMAC_MAX_HASHLEN]; 562 int hlen, roff, skip, protoff; 563 struct mbuf *m1, *mo; 564 const struct auth_hash *esph; 565 u_int64_t rpl; 566 u_int32_t btsx, esn; 567 caddr_t ptr; 568 #ifdef ENCDEBUG 569 char buf[INET6_ADDRSTRLEN]; 570 #endif 571 572 skip = tc->tc_skip; 573 protoff = tc->tc_protoff; 574 rpl = tc->tc_rpl; 575 576 NET_ASSERT_LOCKED(); 577 578 esph = tdb->tdb_authalgxform; 579 580 /* If authentication was performed, check now. */ 581 if (esph != NULL) { 582 /* Copy the authenticator from the packet */ 583 m_copydata(m, m->m_pkthdr.len - esph->authsize, 584 esph->authsize, aalg); 585 586 ptr = (caddr_t) (tc + 1); 587 588 /* Verify authenticator */ 589 if (timingsafe_bcmp(ptr, aalg, esph->authsize)) { 590 DPRINTF("authentication failed for packet " 591 "in SA %s/%08x", 592 ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)), 593 ntohl(tdb->tdb_spi)); 594 espstat_inc(esps_badauth); 595 goto baddone; 596 } 597 598 /* Remove trailing authenticator */ 599 m_adj(m, -(esph->authsize)); 600 } 601 602 /* Replay window checking, if appropriate */ 603 if (tdb->tdb_wnd > 0) { 604 m_copydata(m, skip + sizeof(u_int32_t), sizeof(u_int32_t), 605 &btsx); 606 btsx = ntohl(btsx); 607 608 switch (checkreplaywindow(tdb, rpl, btsx, &esn, 1)) { 609 case 0: /* All's well */ 610 #if NPFSYNC > 0 611 pfsync_update_tdb(tdb,0); 612 #endif 613 break; 614 615 case 1: 616 DPRINTF("replay counter wrapped for SA %s/%08x", 617 ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)), 618 ntohl(tdb->tdb_spi)); 619 espstat_inc(esps_wrap); 620 goto baddone; 621 case 2: 622 DPRINTF("old packet received in SA %s/%08x", 623 ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)), 624 ntohl(tdb->tdb_spi)); 625 espstat_inc(esps_replay); 626 goto baddone; 627 case 3: 628 DPRINTF("duplicate packet received in SA %s/%08x", 629 ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)), 630 ntohl(tdb->tdb_spi)); 631 espstat_inc(esps_replay); 632 goto baddone; 633 default: 634 DPRINTF("bogus value from checkreplaywindow() " 635 "in SA %s/%08x", 636 ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)), 637 ntohl(tdb->tdb_spi)); 638 espstat_inc(esps_replay); 639 goto baddone; 640 } 641 } 642 643 /* Determine the ESP header length */ 644 hlen = 2 * sizeof(u_int32_t) + tdb->tdb_ivlen; 645 646 /* Find beginning of ESP header */ 647 m1 = m_getptr(m, skip, &roff); 648 if (m1 == NULL) { 649 DPRINTF("bad mbuf chain, SA %s/%08x", 650 ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)), 651 ntohl(tdb->tdb_spi)); 652 espstat_inc(esps_hdrops); 653 goto baddone; 654 } 655 656 /* Remove the ESP header and IV from the mbuf. */ 657 if (roff == 0) { 658 /* The ESP header was conveniently at the beginning of the mbuf */ 659 m_adj(m1, hlen); 660 /* 661 * If m1 is the first mbuf, it has set M_PKTHDR and m_adj() 662 * has already adjusted the packet header length for us. 663 */ 664 if (m1 != m) 665 m->m_pkthdr.len -= hlen; 666 } else if (roff + hlen >= m1->m_len) { 667 int adjlen; 668 669 /* 670 * Part or all of the ESP header is at the end of this mbuf, so 671 * first let's remove the remainder of the ESP header from the 672 * beginning of the remainder of the mbuf chain, if any. 673 */ 674 if (roff + hlen > m1->m_len) { 675 adjlen = roff + hlen - m1->m_len; 676 677 /* Adjust the next mbuf by the remainder */ 678 m_adj(m1->m_next, adjlen); 679 680 /* The second mbuf is guaranteed not to have a pkthdr */ 681 m->m_pkthdr.len -= adjlen; 682 } 683 684 /* Now, let's unlink the mbuf chain for a second...*/ 685 mo = m1->m_next; 686 m1->m_next = NULL; 687 688 /* ...and trim the end of the first part of the chain...sick */ 689 adjlen = m1->m_len - roff; 690 m_adj(m1, -adjlen); 691 /* 692 * If m1 is the first mbuf, it has set M_PKTHDR and m_adj() 693 * has already adjusted the packet header length for us. 694 */ 695 if (m1 != m) 696 m->m_pkthdr.len -= adjlen; 697 698 /* Finally, let's relink */ 699 m1->m_next = mo; 700 } else { 701 /* 702 * The ESP header lies in the "middle" of the mbuf...do an 703 * overlapping copy of the remainder of the mbuf over the ESP 704 * header. 705 */ 706 memmove(mtod(m1, u_char *) + roff, 707 mtod(m1, u_char *) + roff + hlen, 708 m1->m_len - (roff + hlen)); 709 m1->m_len -= hlen; 710 m->m_pkthdr.len -= hlen; 711 } 712 713 /* Save the last three bytes of decrypted data */ 714 m_copydata(m, m->m_pkthdr.len - 3, 3, lastthree); 715 716 /* Verify pad length */ 717 if (lastthree[1] + 2 > m->m_pkthdr.len - skip) { 718 DPRINTF("invalid padding length %d for packet in SA %s/%08x", 719 lastthree[1], 720 ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)), 721 ntohl(tdb->tdb_spi)); 722 espstat_inc(esps_badilen); 723 goto baddone; 724 } 725 726 /* Verify correct decryption by checking the last padding bytes */ 727 if ((lastthree[1] != lastthree[0]) && (lastthree[1] != 0)) { 728 DPRINTF("decryption failed for packet in SA %s/%08x", 729 ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)), 730 ntohl(tdb->tdb_spi)); 731 espstat_inc(esps_badenc); 732 goto baddone; 733 } 734 735 /* Trim the mbuf chain to remove the trailing authenticator and padding */ 736 m_adj(m, -(lastthree[1] + 2)); 737 738 /* Restore the Next Protocol field */ 739 m_copyback(m, protoff, sizeof(u_int8_t), lastthree + 2, M_NOWAIT); 740 741 /* Release the crypto descriptors */ 742 free(tc, M_XDATA, 0); 743 744 /* Back to generic IPsec input processing */ 745 return ipsec_common_input_cb(m, tdb, skip, protoff); 746 747 baddone: 748 m_freem(m); 749 free(tc, M_XDATA, 0); 750 return -1; 751 } 752 753 /* 754 * ESP output routine, called by ipsp_process_packet(). 755 */ 756 int 757 esp_output(struct mbuf *m, struct tdb *tdb, int skip, int protoff) 758 { 759 const struct enc_xform *espx = tdb->tdb_encalgxform; 760 const struct auth_hash *esph = tdb->tdb_authalgxform; 761 int ilen, olen, hlen, rlen, padding, blks, alen, roff, error; 762 u_int64_t replay64; 763 u_int32_t replay; 764 struct mbuf *mi, *mo = (struct mbuf *) NULL; 765 struct tdb_crypto *tc = NULL; 766 unsigned char *pad; 767 u_int8_t prot; 768 #ifdef ENCDEBUG 769 char buf[INET6_ADDRSTRLEN]; 770 #endif 771 struct cryptodesc *crde = NULL, *crda = NULL; 772 struct cryptop *crp = NULL; 773 #if NBPFILTER > 0 774 struct ifnet *encif; 775 776 if ((encif = enc_getif(tdb->tdb_rdomain, tdb->tdb_tap)) != NULL) { 777 encif->if_opackets++; 778 encif->if_obytes += m->m_pkthdr.len; 779 780 if (encif->if_bpf) { 781 struct enchdr hdr; 782 783 memset(&hdr, 0, sizeof(hdr)); 784 785 hdr.af = tdb->tdb_dst.sa.sa_family; 786 hdr.spi = tdb->tdb_spi; 787 if (espx) 788 hdr.flags |= M_CONF; 789 if (esph) 790 hdr.flags |= M_AUTH; 791 792 bpf_mtap_hdr(encif->if_bpf, (char *)&hdr, 793 ENC_HDRLEN, m, BPF_DIRECTION_OUT); 794 } 795 } 796 #endif 797 798 hlen = 2 * sizeof(u_int32_t) + tdb->tdb_ivlen; 799 800 rlen = m->m_pkthdr.len - skip; /* Raw payload length. */ 801 if (espx) 802 blks = MAX(espx->blocksize, 4); 803 else 804 blks = 4; /* If no encryption, we have to be 4-byte aligned. */ 805 806 padding = ((blks - ((rlen + 2) % blks)) % blks) + 2; 807 808 alen = esph ? esph->authsize : 0; 809 espstat_inc(esps_output); 810 811 switch (tdb->tdb_dst.sa.sa_family) { 812 case AF_INET: 813 /* Check for IP maximum packet size violations. */ 814 if (skip + hlen + rlen + padding + alen > IP_MAXPACKET) { 815 DPRINTF("packet in SA %s/%08x got too big", 816 ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)), 817 ntohl(tdb->tdb_spi)); 818 espstat_inc(esps_toobig); 819 error = EMSGSIZE; 820 goto drop; 821 } 822 break; 823 824 #ifdef INET6 825 case AF_INET6: 826 /* Check for IPv6 maximum packet size violations. */ 827 if (skip + hlen + rlen + padding + alen > IPV6_MAXPACKET) { 828 DPRINTF("acket in SA %s/%08x got too big", 829 ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)), 830 ntohl(tdb->tdb_spi)); 831 espstat_inc(esps_toobig); 832 error = EMSGSIZE; 833 goto drop; 834 } 835 break; 836 #endif /* INET6 */ 837 838 default: 839 DPRINTF("unknown/unsupported protocol family %d, SA %s/%08x", 840 tdb->tdb_dst.sa.sa_family, 841 ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)), 842 ntohl(tdb->tdb_spi)); 843 espstat_inc(esps_nopf); 844 error = EPFNOSUPPORT; 845 goto drop; 846 } 847 848 /* Update the counters. */ 849 tdb->tdb_cur_bytes += m->m_pkthdr.len - skip; 850 espstat_add(esps_obytes, m->m_pkthdr.len - skip); 851 852 /* Hard byte expiration. */ 853 if (tdb->tdb_flags & TDBF_BYTES && 854 tdb->tdb_cur_bytes >= tdb->tdb_exp_bytes) { 855 pfkeyv2_expire(tdb, SADB_EXT_LIFETIME_HARD); 856 tdb_delete(tdb); 857 error = EINVAL; 858 goto drop; 859 } 860 861 /* Soft byte expiration. */ 862 if (tdb->tdb_flags & TDBF_SOFT_BYTES && 863 tdb->tdb_cur_bytes >= tdb->tdb_soft_bytes) { 864 pfkeyv2_expire(tdb, SADB_EXT_LIFETIME_SOFT); 865 tdb->tdb_flags &= ~TDBF_SOFT_BYTES; /* Turn off checking. */ 866 } 867 868 /* 869 * Loop through mbuf chain; if we find a readonly mbuf, 870 * copy the packet. 871 */ 872 mi = m; 873 while (mi != NULL && !M_READONLY(mi)) 874 mi = mi->m_next; 875 876 if (mi != NULL) { 877 struct mbuf *n = m_dup_pkt(m, 0, M_DONTWAIT); 878 879 if (n == NULL) { 880 DPRINTF("bad mbuf chain, SA %s/%08x", 881 ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)), 882 ntohl(tdb->tdb_spi)); 883 espstat_inc(esps_hdrops); 884 error = ENOBUFS; 885 goto drop; 886 } 887 888 m_freem(m); 889 m = n; 890 } 891 892 /* Inject ESP header. */ 893 mo = m_makespace(m, skip, hlen, &roff); 894 if (mo == NULL) { 895 DPRINTF("failed to inject ESP header for SA %s/%08x", 896 ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)), 897 ntohl(tdb->tdb_spi)); 898 espstat_inc(esps_hdrops); 899 error = ENOBUFS; 900 goto drop; 901 } 902 903 /* Initialize ESP header. */ 904 memcpy(mtod(mo, caddr_t) + roff, (caddr_t) &tdb->tdb_spi, 905 sizeof(u_int32_t)); 906 replay64 = tdb->tdb_rpl++; /* used for both header and ESN */ 907 replay = htonl((u_int32_t)replay64); 908 memcpy(mtod(mo, caddr_t) + roff + sizeof(u_int32_t), (caddr_t) &replay, 909 sizeof(u_int32_t)); 910 911 #if NPFSYNC > 0 912 pfsync_update_tdb(tdb,1); 913 #endif 914 915 /* 916 * Add padding -- better to do it ourselves than use the crypto engine, 917 * although if/when we support compression, we'd have to do that. 918 */ 919 mo = m_makespace(m, m->m_pkthdr.len, padding + alen, &roff); 920 if (mo == NULL) { 921 DPRINTF("m_makespace() failed for SA %s/%08x", 922 ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)), 923 ntohl(tdb->tdb_spi)); 924 espstat_inc(esps_hdrops); 925 error = ENOBUFS; 926 goto drop; 927 } 928 pad = mtod(mo, caddr_t) + roff; 929 930 /* Apply self-describing padding */ 931 for (ilen = 0; ilen < padding - 2; ilen++) 932 pad[ilen] = ilen + 1; 933 934 /* Fix padding length and Next Protocol in padding itself. */ 935 pad[padding - 2] = padding - 2; 936 m_copydata(m, protoff, sizeof(u_int8_t), pad + padding - 1); 937 938 /* Fix Next Protocol in IPv4/IPv6 header. */ 939 prot = IPPROTO_ESP; 940 m_copyback(m, protoff, sizeof(u_int8_t), &prot, M_NOWAIT); 941 942 /* Get crypto descriptors. */ 943 crp = crypto_getreq(esph && espx ? 2 : 1); 944 if (crp == NULL) { 945 DPRINTF("failed to acquire crypto descriptors"); 946 espstat_inc(esps_crypto); 947 error = ENOBUFS; 948 goto drop; 949 } 950 951 if (espx) { 952 crde = &crp->crp_desc[0]; 953 crda = &crp->crp_desc[1]; 954 955 /* Encryption descriptor. */ 956 crde->crd_skip = skip + hlen; 957 crde->crd_flags = CRD_F_ENCRYPT | CRD_F_IV_EXPLICIT; 958 crde->crd_inject = skip + hlen - tdb->tdb_ivlen; 959 960 /* Encryption operation. */ 961 crde->crd_alg = espx->type; 962 crde->crd_key = tdb->tdb_emxkey; 963 crde->crd_klen = tdb->tdb_emxkeylen * 8; 964 /* XXX Rounds ? */ 965 966 if (crde->crd_alg == CRYPTO_AES_GMAC) 967 crde->crd_len = 0; 968 else 969 crde->crd_len = m->m_pkthdr.len - (skip + hlen + alen); 970 971 /* GCM & friends just require a NONCE (non-repeating!) */ 972 if (espx->type == CRYPTO_AES_CTR || 973 espx->type == CRYPTO_AES_GCM_16 || 974 espx->type == CRYPTO_CHACHA20_POLY1305) 975 bcopy(&replay64, crde->crd_iv, sizeof(replay64)); 976 else 977 arc4random_buf(crde->crd_iv, espx->ivsize); 978 } else 979 crda = &crp->crp_desc[0]; 980 981 /* IPsec-specific opaque crypto info. */ 982 tc = malloc(sizeof(*tc), M_XDATA, M_NOWAIT | M_ZERO); 983 if (tc == NULL) { 984 DPRINTF("failed to allocate tdb_crypto"); 985 espstat_inc(esps_crypto); 986 error = ENOBUFS; 987 goto drop; 988 } 989 990 tc->tc_spi = tdb->tdb_spi; 991 tc->tc_proto = tdb->tdb_sproto; 992 tc->tc_rdomain = tdb->tdb_rdomain; 993 tc->tc_dst = tdb->tdb_dst; 994 995 /* Crypto operation descriptor. */ 996 crp->crp_ilen = m->m_pkthdr.len; /* Total input length. */ 997 crp->crp_flags = CRYPTO_F_IMBUF | CRYPTO_F_MPSAFE; 998 crp->crp_buf = (caddr_t)m; 999 crp->crp_sid = tdb->tdb_cryptoid; 1000 1001 if (esph) { 1002 /* Authentication descriptor. */ 1003 crda->crd_skip = skip; 1004 crda->crd_inject = m->m_pkthdr.len - alen; 1005 1006 /* Authentication operation. */ 1007 crda->crd_alg = esph->type; 1008 crda->crd_key = tdb->tdb_amxkey; 1009 crda->crd_klen = tdb->tdb_amxkeylen * 8; 1010 1011 if ((tdb->tdb_wnd > 0) && (tdb->tdb_flags & TDBF_ESN)) { 1012 u_int32_t esn; 1013 1014 esn = htonl((u_int32_t)(replay64 >> 32)); 1015 memcpy(crda->crd_esn, &esn, 4); 1016 crda->crd_flags |= CRD_F_ESN; 1017 } 1018 1019 if (espx && 1020 (espx->type == CRYPTO_AES_GCM_16 || 1021 espx->type == CRYPTO_CHACHA20_POLY1305)) 1022 crda->crd_len = hlen - tdb->tdb_ivlen; 1023 else 1024 crda->crd_len = m->m_pkthdr.len - (skip + alen); 1025 } 1026 1027 KERNEL_LOCK(); 1028 while ((error = crypto_invoke(crp)) == EAGAIN) { 1029 /* Reset the session ID */ 1030 if (tdb->tdb_cryptoid != 0) 1031 tdb->tdb_cryptoid = crp->crp_sid; 1032 } 1033 KERNEL_UNLOCK(); 1034 if (error) { 1035 DPRINTF("crypto error %d", error); 1036 ipsecstat_inc(ipsec_noxform); 1037 goto drop; 1038 } 1039 1040 ilen = crp->crp_ilen; 1041 olen = crp->crp_olen; 1042 1043 /* Release the crypto descriptors */ 1044 crypto_freereq(crp); 1045 1046 return esp_output_cb(tdb, tc, m, ilen, olen); 1047 1048 drop: 1049 m_freem(m); 1050 crypto_freereq(crp); 1051 free(tc, M_XDATA, 0); 1052 return error; 1053 } 1054 1055 int 1056 esp_output_cb(struct tdb *tdb, struct tdb_crypto *tc, struct mbuf *m, int ilen, 1057 int olen) 1058 { 1059 int error; 1060 1061 /* Release crypto descriptors. */ 1062 free(tc, M_XDATA, 0); 1063 1064 /* Call the IPsec input callback. */ 1065 error = ipsp_process_done(m, tdb); 1066 if (error) 1067 espstat_inc(esps_outfail); 1068 return error; 1069 } 1070 1071 #define SEEN_SIZE howmany(TDB_REPLAYMAX, 32) 1072 1073 /* 1074 * return 0 on success 1075 * return 1 for counter == 0 1076 * return 2 for very old packet 1077 * return 3 for packet within current window but already received 1078 */ 1079 int 1080 checkreplaywindow(struct tdb *tdb, u_int64_t t, u_int32_t seq, u_int32_t *seqh, 1081 int commit) 1082 { 1083 u_int32_t tl, th, wl; 1084 u_int32_t packet, window = TDB_REPLAYMAX - TDB_REPLAYWASTE; 1085 int idx, esn = tdb->tdb_flags & TDBF_ESN; 1086 1087 tl = (u_int32_t)t; 1088 th = (u_int32_t)(t >> 32); 1089 1090 /* Zero SN is not allowed */ 1091 if ((esn && seq == 0 && tl <= AH_HMAC_INITIAL_RPL && th == 0) || 1092 (!esn && seq == 0)) 1093 return (1); 1094 1095 if (th == 0 && tl < window) 1096 window = tl; 1097 /* Current replay window starts here */ 1098 wl = tl - window + 1; 1099 1100 idx = (seq % TDB_REPLAYMAX) / 32; 1101 packet = 1 << (31 - (seq & 31)); 1102 1103 /* 1104 * We keep the high part intact when: 1105 * 1) the SN is within [wl, 0xffffffff] and the whole window is 1106 * within one subspace; 1107 * 2) the SN is within [0, wl) and window spans two subspaces. 1108 */ 1109 if ((tl >= window - 1 && seq >= wl) || 1110 (tl < window - 1 && seq < wl)) { 1111 *seqh = th; 1112 if (seq > tl) { 1113 if (commit) { 1114 if (seq - tl > window) 1115 memset(tdb->tdb_seen, 0, 1116 sizeof(tdb->tdb_seen)); 1117 else { 1118 int i = (tl % TDB_REPLAYMAX) / 32; 1119 1120 while (i != idx) { 1121 i = (i + 1) % SEEN_SIZE; 1122 tdb->tdb_seen[i] = 0; 1123 } 1124 } 1125 tdb->tdb_seen[idx] |= packet; 1126 tdb->tdb_rpl = ((u_int64_t)*seqh << 32) | seq; 1127 } 1128 } else { 1129 if (tl - seq >= window) 1130 return (2); 1131 if (tdb->tdb_seen[idx] & packet) 1132 return (3); 1133 if (commit) 1134 tdb->tdb_seen[idx] |= packet; 1135 } 1136 return (0); 1137 } 1138 1139 /* Can't wrap if not doing ESN */ 1140 if (!esn) 1141 return (2); 1142 1143 /* 1144 * (3) SN is within [wl, 0xffffffff] and wl is within 1145 * (0xffffffff-window+1, 0xffffffff]. 1146 * This means we got a SN which is within our replay window, 1147 * but in the previous subspace. 1148 */ 1149 if (tl < window - 1 && seq >= wl) { 1150 if (tdb->tdb_seen[idx] & packet) 1151 return (3); 1152 *seqh = th - 1; 1153 if (commit) 1154 tdb->tdb_seen[idx] |= packet; 1155 return (0); 1156 } 1157 1158 /* 1159 * (4) SN has wrapped and the last authenticated SN is in the old 1160 * subspace. 1161 */ 1162 *seqh = th + 1; 1163 if (*seqh == 0) /* Don't let high bit to wrap */ 1164 return (1); 1165 if (commit) { 1166 if (seq - tl > window) 1167 memset(tdb->tdb_seen, 0, sizeof(tdb->tdb_seen)); 1168 else { 1169 int i = (tl % TDB_REPLAYMAX) / 32; 1170 1171 while (i != idx) { 1172 i = (i + 1) % SEEN_SIZE; 1173 tdb->tdb_seen[i] = 0; 1174 } 1175 } 1176 tdb->tdb_seen[idx] |= packet; 1177 tdb->tdb_rpl = ((u_int64_t)*seqh << 32) | seq; 1178 } 1179 1180 return (0); 1181 } 1182