1 /* $OpenBSD: ip_esp.c,v 1.123 2014/01/09 06:29:06 tedu Exp $ */ 2 /* 3 * The authors of this code are John Ioannidis (ji@tla.org), 4 * Angelos D. Keromytis (kermit@csd.uch.gr) and 5 * Niels Provos (provos@physnet.uni-hamburg.de). 6 * 7 * The original version of this code was written by John Ioannidis 8 * for BSD/OS in Athens, Greece, in November 1995. 9 * 10 * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996, 11 * by Angelos D. Keromytis. 12 * 13 * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis 14 * and Niels Provos. 15 * 16 * Additional features in 1999 by Angelos D. Keromytis. 17 * 18 * Copyright (C) 1995, 1996, 1997, 1998, 1999 by John Ioannidis, 19 * Angelos D. Keromytis and Niels Provos. 20 * Copyright (c) 2001 Angelos D. Keromytis. 21 * 22 * Permission to use, copy, and modify this software with or without fee 23 * is hereby granted, provided that this entire notice is included in 24 * all copies of any software which is or includes a copy or 25 * modification of this software. 26 * You may use this code under the GNU public license if you so wish. Please 27 * contribute changes back to the authors under this freer than GPL license 28 * so that we may further the use of strong encryption without limitations to 29 * all. 30 * 31 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR 32 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY 33 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE 34 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR 35 * PURPOSE. 36 */ 37 38 #include "pfsync.h" 39 40 #include <sys/param.h> 41 #include <sys/systm.h> 42 #include <sys/mbuf.h> 43 #include <sys/socket.h> 44 45 #include <net/if.h> 46 #include <net/bpf.h> 47 48 #include <dev/rndvar.h> 49 50 #ifdef INET 51 #include <netinet/in.h> 52 #include <netinet/in_systm.h> 53 #include <netinet/ip.h> 54 #include <netinet/ip_var.h> 55 #endif /* INET */ 56 57 #ifdef INET6 58 #ifndef INET 59 #include <netinet/in.h> 60 #endif 61 #include <netinet/ip6.h> 62 #endif /* INET6 */ 63 64 #include <netinet/ip_ipsp.h> 65 #include <netinet/ip_esp.h> 66 #include <net/pfkeyv2.h> 67 #include <net/if_enc.h> 68 69 #if NPFSYNC > 0 70 #include <net/pfvar.h> 71 #include <net/if_pfsync.h> 72 #endif /* NPFSYNC > 0 */ 73 74 #include <crypto/cryptodev.h> 75 #include <crypto/xform.h> 76 77 #include "bpfilter.h" 78 79 int esp_output_cb(void *); 80 int esp_input_cb(void *); 81 82 #ifdef ENCDEBUG 83 #define DPRINTF(x) if (encdebug) printf x 84 #else 85 #define DPRINTF(x) 86 #endif 87 88 struct espstat espstat; 89 90 /* 91 * esp_attach() is called from the transformation initialization code. 92 */ 93 int 94 esp_attach() 95 { 96 return 0; 97 } 98 99 /* 100 * esp_init() is called when an SPI is being set up. 101 */ 102 int 103 esp_init(struct tdb *tdbp, struct xformsw *xsp, struct ipsecinit *ii) 104 { 105 struct enc_xform *txform = NULL; 106 struct auth_hash *thash = NULL; 107 struct cryptoini cria, crie, crin; 108 109 if (!ii->ii_encalg && !ii->ii_authalg) { 110 DPRINTF(("esp_init(): neither authentication nor encryption " 111 "algorithm given")); 112 return EINVAL; 113 } 114 115 if (ii->ii_encalg) { 116 switch (ii->ii_encalg) { 117 case SADB_EALG_NULL: 118 txform = &enc_xform_null; 119 break; 120 121 case SADB_EALG_DESCBC: 122 txform = &enc_xform_des; 123 break; 124 125 case SADB_EALG_3DESCBC: 126 txform = &enc_xform_3des; 127 break; 128 129 case SADB_X_EALG_AES: 130 txform = &enc_xform_rijndael128; 131 break; 132 133 case SADB_X_EALG_AESCTR: 134 txform = &enc_xform_aes_ctr; 135 break; 136 137 case SADB_X_EALG_AESGCM16: 138 txform = &enc_xform_aes_gcm; 139 break; 140 141 case SADB_X_EALG_AESGMAC: 142 txform = &enc_xform_aes_gmac; 143 break; 144 145 case SADB_X_EALG_BLF: 146 txform = &enc_xform_blf; 147 break; 148 149 case SADB_X_EALG_CAST: 150 txform = &enc_xform_cast5; 151 break; 152 153 default: 154 DPRINTF(("esp_init(): unsupported encryption algorithm %d specified\n", ii->ii_encalg)); 155 return EINVAL; 156 } 157 158 if (ii->ii_enckeylen < txform->minkey) { 159 DPRINTF(("esp_init(): keylength %d too small (min length is %d) for algorithm %s\n", ii->ii_enckeylen, txform->minkey, txform->name)); 160 return EINVAL; 161 } 162 163 if (ii->ii_enckeylen > txform->maxkey) { 164 DPRINTF(("esp_init(): keylength %d too large (max length is %d) for algorithm %s\n", ii->ii_enckeylen, txform->maxkey, txform->name)); 165 return EINVAL; 166 } 167 168 if (ii->ii_encalg == SADB_X_EALG_AESGCM16 || 169 ii->ii_encalg == SADB_X_EALG_AESGMAC) { 170 switch (ii->ii_enckeylen) { 171 case 20: 172 ii->ii_authalg = SADB_X_AALG_AES128GMAC; 173 break; 174 case 28: 175 ii->ii_authalg = SADB_X_AALG_AES192GMAC; 176 break; 177 case 36: 178 ii->ii_authalg = SADB_X_AALG_AES256GMAC; 179 break; 180 } 181 ii->ii_authkeylen = ii->ii_enckeylen; 182 ii->ii_authkey = ii->ii_enckey; 183 } 184 185 tdbp->tdb_encalgxform = txform; 186 187 DPRINTF(("esp_init(): initialized TDB with enc algorithm %s\n", 188 txform->name)); 189 190 tdbp->tdb_ivlen = txform->ivsize; 191 } 192 193 if (ii->ii_authalg) { 194 switch (ii->ii_authalg) { 195 case SADB_AALG_MD5HMAC: 196 thash = &auth_hash_hmac_md5_96; 197 break; 198 199 case SADB_AALG_SHA1HMAC: 200 thash = &auth_hash_hmac_sha1_96; 201 break; 202 203 case SADB_X_AALG_RIPEMD160HMAC: 204 thash = &auth_hash_hmac_ripemd_160_96; 205 break; 206 207 case SADB_X_AALG_SHA2_256: 208 thash = &auth_hash_hmac_sha2_256_128; 209 break; 210 211 case SADB_X_AALG_SHA2_384: 212 thash = &auth_hash_hmac_sha2_384_192; 213 break; 214 215 case SADB_X_AALG_SHA2_512: 216 thash = &auth_hash_hmac_sha2_512_256; 217 break; 218 219 case SADB_X_AALG_AES128GMAC: 220 thash = &auth_hash_gmac_aes_128; 221 break; 222 223 case SADB_X_AALG_AES192GMAC: 224 thash = &auth_hash_gmac_aes_192; 225 break; 226 227 case SADB_X_AALG_AES256GMAC: 228 thash = &auth_hash_gmac_aes_256; 229 break; 230 231 default: 232 DPRINTF(("esp_init(): unsupported authentication algorithm %d specified\n", ii->ii_authalg)); 233 return EINVAL; 234 } 235 236 if (ii->ii_authkeylen != thash->keysize) { 237 DPRINTF(("esp_init(): keylength %d doesn't match algorithm %s keysize (%d)\n", ii->ii_authkeylen, thash->name, thash->keysize)); 238 return EINVAL; 239 } 240 241 tdbp->tdb_authalgxform = thash; 242 243 DPRINTF(("esp_init(): initialized TDB with hash algorithm %s\n", 244 thash->name)); 245 } 246 247 tdbp->tdb_xform = xsp; 248 tdbp->tdb_rpl = AH_HMAC_INITIAL_RPL; 249 250 /* Initialize crypto session */ 251 if (tdbp->tdb_encalgxform) { 252 /* Save the raw keys */ 253 tdbp->tdb_emxkeylen = ii->ii_enckeylen; 254 tdbp->tdb_emxkey = malloc(tdbp->tdb_emxkeylen, M_XDATA, 255 M_WAITOK); 256 bcopy(ii->ii_enckey, tdbp->tdb_emxkey, tdbp->tdb_emxkeylen); 257 258 memset(&crie, 0, sizeof(crie)); 259 260 crie.cri_alg = tdbp->tdb_encalgxform->type; 261 262 if (tdbp->tdb_authalgxform) 263 crie.cri_next = &cria; 264 else 265 crie.cri_next = NULL; 266 267 crie.cri_klen = ii->ii_enckeylen * 8; 268 crie.cri_key = ii->ii_enckey; 269 /* XXX Rounds ? */ 270 } 271 272 if (tdbp->tdb_authalgxform) { 273 /* Save the raw keys */ 274 tdbp->tdb_amxkeylen = ii->ii_authkeylen; 275 tdbp->tdb_amxkey = malloc(tdbp->tdb_amxkeylen, M_XDATA, 276 M_WAITOK); 277 bcopy(ii->ii_authkey, tdbp->tdb_amxkey, tdbp->tdb_amxkeylen); 278 279 memset(&cria, 0, sizeof(cria)); 280 281 cria.cri_alg = tdbp->tdb_authalgxform->type; 282 283 if ((tdbp->tdb_wnd > 0) && (tdbp->tdb_flags & TDBF_ESN)) { 284 memset(&crin, 0, sizeof(crin)); 285 crin.cri_alg = CRYPTO_ESN; 286 cria.cri_next = &crin; 287 } 288 289 cria.cri_klen = ii->ii_authkeylen * 8; 290 cria.cri_key = ii->ii_authkey; 291 } 292 293 return crypto_newsession(&tdbp->tdb_cryptoid, 294 (tdbp->tdb_encalgxform ? &crie : &cria), 0); 295 } 296 297 /* 298 * Paranoia. 299 */ 300 int 301 esp_zeroize(struct tdb *tdbp) 302 { 303 int err; 304 305 if (tdbp->tdb_amxkey) { 306 explicit_bzero(tdbp->tdb_amxkey, tdbp->tdb_amxkeylen); 307 free(tdbp->tdb_amxkey, M_XDATA); 308 tdbp->tdb_amxkey = NULL; 309 } 310 311 if (tdbp->tdb_emxkey) { 312 explicit_bzero(tdbp->tdb_emxkey, tdbp->tdb_emxkeylen); 313 free(tdbp->tdb_emxkey, M_XDATA); 314 tdbp->tdb_emxkey = NULL; 315 } 316 317 err = crypto_freesession(tdbp->tdb_cryptoid); 318 tdbp->tdb_cryptoid = 0; 319 return err; 320 } 321 322 #define MAXBUFSIZ (AH_ALEN_MAX > ESP_MAX_IVS ? AH_ALEN_MAX : ESP_MAX_IVS) 323 324 /* 325 * ESP input processing, called (eventually) through the protocol switch. 326 */ 327 int 328 esp_input(struct mbuf *m, struct tdb *tdb, int skip, int protoff) 329 { 330 struct auth_hash *esph = (struct auth_hash *) tdb->tdb_authalgxform; 331 struct enc_xform *espx = (struct enc_xform *) tdb->tdb_encalgxform; 332 struct cryptodesc *crde = NULL, *crda = NULL; 333 struct cryptop *crp; 334 struct tdb_crypto *tc; 335 int plen, alen, hlen; 336 struct m_tag *mtag; 337 u_int32_t btsx, esn; 338 339 /* Determine the ESP header length */ 340 hlen = 2 * sizeof(u_int32_t) + tdb->tdb_ivlen; /* "new" ESP */ 341 alen = esph ? esph->authsize : 0; 342 plen = m->m_pkthdr.len - (skip + hlen + alen); 343 if (plen <= 0) { 344 DPRINTF(("esp_input: invalid payload length\n")); 345 espstat.esps_badilen++; 346 m_freem(m); 347 return EINVAL; 348 } 349 350 if (espx) { 351 /* 352 * Verify payload length is multiple of encryption algorithm 353 * block size. 354 */ 355 if (plen & (espx->blocksize - 1)) { 356 DPRINTF(("esp_input(): payload of %d octets not a multiple of %d octets, SA %s/%08x\n", plen, espx->blocksize, ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi))); 357 espstat.esps_badilen++; 358 m_freem(m); 359 return EINVAL; 360 } 361 } 362 363 /* Replay window checking, if appropriate -- no value commitment. */ 364 if (tdb->tdb_wnd > 0) { 365 m_copydata(m, skip + sizeof(u_int32_t), sizeof(u_int32_t), 366 (unsigned char *) &btsx); 367 btsx = ntohl(btsx); 368 369 switch (checkreplaywindow(tdb, btsx, &esn, 0)) { 370 case 0: /* All's well */ 371 break; 372 case 1: 373 m_freem(m); 374 DPRINTF(("esp_input(): replay counter wrapped" 375 " for SA %s/%08x\n", 376 ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi))); 377 espstat.esps_wrap++; 378 return EACCES; 379 case 2: 380 m_freem(m); 381 DPRINTF(("esp_input(): old packet received" 382 " in SA %s/%08x\n", 383 ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi))); 384 espstat.esps_replay++; 385 return EACCES; 386 case 3: 387 m_freem(m); 388 DPRINTF(("esp_input(): duplicate packet received" 389 " in SA %s/%08x\n", 390 ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi))); 391 espstat.esps_replay++; 392 return EACCES; 393 default: 394 m_freem(m); 395 DPRINTF(("esp_input(): bogus value from" 396 " checkreplaywindow() in SA %s/%08x\n", 397 ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi))); 398 espstat.esps_replay++; 399 return EACCES; 400 } 401 } 402 403 /* Update the counters */ 404 tdb->tdb_cur_bytes += m->m_pkthdr.len - skip - hlen - alen; 405 espstat.esps_ibytes += m->m_pkthdr.len - skip - hlen - alen; 406 407 /* Hard expiration */ 408 if ((tdb->tdb_flags & TDBF_BYTES) && 409 (tdb->tdb_cur_bytes >= tdb->tdb_exp_bytes)) { 410 pfkeyv2_expire(tdb, SADB_EXT_LIFETIME_HARD); 411 tdb_delete(tdb); 412 m_freem(m); 413 return ENXIO; 414 } 415 416 /* Notify on soft expiration */ 417 if ((tdb->tdb_flags & TDBF_SOFT_BYTES) && 418 (tdb->tdb_cur_bytes >= tdb->tdb_soft_bytes)) { 419 pfkeyv2_expire(tdb, SADB_EXT_LIFETIME_SOFT); 420 tdb->tdb_flags &= ~TDBF_SOFT_BYTES; /* Turn off checking */ 421 } 422 423 #ifdef notyet 424 /* Find out if we've already done crypto */ 425 for (mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_CRYPTO_DONE, NULL); 426 mtag != NULL; 427 mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_CRYPTO_DONE, mtag)) { 428 struct tdb_ident *tdbi; 429 430 tdbi = (struct tdb_ident *) (mtag + 1); 431 if (tdbi->proto == tdb->tdb_sproto && tdbi->spi == tdb->tdb_spi && 432 tdbi->rdomain == tdb->tdb_rdomain && !memcmp(&tdbi->dst, 433 &tdb->tdb_dst, sizeof(union sockaddr_union))) 434 break; 435 } 436 #else 437 mtag = NULL; 438 #endif 439 440 /* Get crypto descriptors */ 441 crp = crypto_getreq(esph && espx ? 2 : 1); 442 if (crp == NULL) { 443 m_freem(m); 444 DPRINTF(("esp_input(): failed to acquire crypto descriptors\n")); 445 espstat.esps_crypto++; 446 return ENOBUFS; 447 } 448 449 /* Get IPsec-specific opaque pointer */ 450 if (esph == NULL || mtag != NULL) 451 tc = malloc(sizeof(*tc), M_XDATA, M_NOWAIT | M_ZERO); 452 else 453 tc = malloc(sizeof(*tc) + alen, M_XDATA, M_NOWAIT | M_ZERO); 454 if (tc == NULL) { 455 m_freem(m); 456 crypto_freereq(crp); 457 DPRINTF(("esp_input(): failed to allocate tdb_crypto\n")); 458 espstat.esps_crypto++; 459 return ENOBUFS; 460 } 461 462 tc->tc_ptr = (caddr_t) mtag; 463 464 if (esph) { 465 crda = crp->crp_desc; 466 crde = crda->crd_next; 467 468 /* Authentication descriptor */ 469 crda->crd_skip = skip; 470 crda->crd_inject = m->m_pkthdr.len - alen; 471 472 crda->crd_alg = esph->type; 473 crda->crd_key = tdb->tdb_amxkey; 474 crda->crd_klen = tdb->tdb_amxkeylen * 8; 475 476 if ((tdb->tdb_wnd > 0) && (tdb->tdb_flags & TDBF_ESN)) { 477 esn = htonl(esn); 478 bcopy(&esn, crda->crd_esn, 4); 479 crda->crd_flags |= CRD_F_ESN; 480 } 481 482 if (espx && espx->type == CRYPTO_AES_GCM_16) 483 crda->crd_len = hlen - tdb->tdb_ivlen; 484 else 485 crda->crd_len = m->m_pkthdr.len - (skip + alen); 486 487 /* Copy the authenticator */ 488 if (mtag == NULL) 489 m_copydata(m, m->m_pkthdr.len - alen, alen, (caddr_t) (tc + 1)); 490 } else 491 crde = crp->crp_desc; 492 493 /* Crypto operation descriptor */ 494 crp->crp_ilen = m->m_pkthdr.len; /* Total input length */ 495 crp->crp_flags = CRYPTO_F_IMBUF; 496 crp->crp_buf = (caddr_t) m; 497 crp->crp_callback = (int (*) (struct cryptop *)) esp_input_cb; 498 crp->crp_sid = tdb->tdb_cryptoid; 499 crp->crp_opaque = (caddr_t) tc; 500 501 /* These are passed as-is to the callback */ 502 tc->tc_skip = skip; 503 tc->tc_protoff = protoff; 504 tc->tc_spi = tdb->tdb_spi; 505 tc->tc_proto = tdb->tdb_sproto; 506 tc->tc_rdomain = tdb->tdb_rdomain; 507 bcopy(&tdb->tdb_dst, &tc->tc_dst, sizeof(union sockaddr_union)); 508 509 /* Decryption descriptor */ 510 if (espx) { 511 crde->crd_skip = skip + hlen; 512 crde->crd_inject = skip + hlen - tdb->tdb_ivlen; 513 crde->crd_alg = espx->type; 514 crde->crd_key = tdb->tdb_emxkey; 515 crde->crd_klen = tdb->tdb_emxkeylen * 8; 516 /* XXX Rounds ? */ 517 518 if (crde->crd_alg == CRYPTO_AES_GMAC) 519 crde->crd_len = 0; 520 else 521 crde->crd_len = m->m_pkthdr.len - (skip + hlen + alen); 522 } 523 524 if (mtag == NULL) 525 return crypto_dispatch(crp); 526 else 527 return esp_input_cb(crp); 528 } 529 530 /* 531 * ESP input callback, called directly by the crypto driver. 532 */ 533 int 534 esp_input_cb(void *op) 535 { 536 u_int8_t lastthree[3], aalg[AH_HMAC_MAX_HASHLEN]; 537 int s, hlen, roff, skip, protoff, error; 538 struct mbuf *m1, *mo, *m; 539 struct auth_hash *esph; 540 struct tdb_crypto *tc; 541 struct cryptop *crp; 542 struct m_tag *mtag; 543 struct tdb *tdb; 544 u_int32_t btsx, esn; 545 caddr_t ptr; 546 547 crp = (struct cryptop *) op; 548 549 tc = (struct tdb_crypto *) crp->crp_opaque; 550 skip = tc->tc_skip; 551 protoff = tc->tc_protoff; 552 mtag = (struct m_tag *) tc->tc_ptr; 553 554 m = (struct mbuf *) crp->crp_buf; 555 if (m == NULL) { 556 /* Shouldn't happen... */ 557 free(tc, M_XDATA); 558 crypto_freereq(crp); 559 espstat.esps_crypto++; 560 DPRINTF(("esp_input_cb(): bogus returned buffer from crypto\n")); 561 return (EINVAL); 562 } 563 564 s = splsoftnet(); 565 566 tdb = gettdb(tc->tc_rdomain, tc->tc_spi, &tc->tc_dst, tc->tc_proto); 567 if (tdb == NULL) { 568 free(tc, M_XDATA); 569 espstat.esps_notdb++; 570 DPRINTF(("esp_input_cb(): TDB is expired while in crypto")); 571 error = EPERM; 572 goto baddone; 573 } 574 575 esph = (struct auth_hash *) tdb->tdb_authalgxform; 576 577 /* Check for crypto errors */ 578 if (crp->crp_etype) { 579 if (crp->crp_etype == EAGAIN) { 580 /* Reset the session ID */ 581 if (tdb->tdb_cryptoid != 0) 582 tdb->tdb_cryptoid = crp->crp_sid; 583 splx(s); 584 return crypto_dispatch(crp); 585 } 586 free(tc, M_XDATA); 587 espstat.esps_noxform++; 588 DPRINTF(("esp_input_cb(): crypto error %d\n", crp->crp_etype)); 589 error = crp->crp_etype; 590 goto baddone; 591 } 592 593 /* If authentication was performed, check now. */ 594 if (esph != NULL) { 595 /* 596 * If we have a tag, it means an IPsec-aware NIC did the verification 597 * for us. 598 */ 599 if (mtag == NULL) { 600 /* Copy the authenticator from the packet */ 601 m_copydata(m, m->m_pkthdr.len - esph->authsize, 602 esph->authsize, aalg); 603 604 ptr = (caddr_t) (tc + 1); 605 606 /* Verify authenticator */ 607 if (timingsafe_bcmp(ptr, aalg, esph->authsize)) { 608 free(tc, M_XDATA); 609 DPRINTF(("esp_input_cb(): authentication failed for packet in SA %s/%08x\n", ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi))); 610 espstat.esps_badauth++; 611 error = EACCES; 612 goto baddone; 613 } 614 } 615 616 /* Remove trailing authenticator */ 617 m_adj(m, -(esph->authsize)); 618 } 619 free(tc, M_XDATA); 620 621 /* Replay window checking, if appropriate */ 622 if (tdb->tdb_wnd > 0) { 623 m_copydata(m, skip + sizeof(u_int32_t), sizeof(u_int32_t), 624 (unsigned char *) &btsx); 625 btsx = ntohl(btsx); 626 627 switch (checkreplaywindow(tdb, btsx, &esn, 1)) { 628 case 0: /* All's well */ 629 #if NPFSYNC > 0 630 pfsync_update_tdb(tdb,0); 631 #endif 632 break; 633 634 case 1: 635 DPRINTF(("esp_input_cb(): replay counter wrapped" 636 " for SA %s/%08x\n", 637 ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi))); 638 espstat.esps_wrap++; 639 error = EACCES; 640 goto baddone; 641 case 2: 642 DPRINTF(("esp_input_cb(): old packet received" 643 " in SA %s/%08x\n", 644 ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi))); 645 espstat.esps_replay++; 646 error = EACCES; 647 goto baddone; 648 case 3: 649 DPRINTF(("esp_input_cb(): duplicate packet received" 650 " in SA %s/%08x\n", 651 ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi))); 652 espstat.esps_replay++; 653 error = EACCES; 654 goto baddone; 655 default: 656 DPRINTF(("esp_input_cb(): bogus value from" 657 " checkreplaywindow() in SA %s/%08x\n", 658 ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi))); 659 espstat.esps_replay++; 660 error = EACCES; 661 goto baddone; 662 } 663 } 664 665 /* Release the crypto descriptors */ 666 crypto_freereq(crp); 667 668 /* Determine the ESP header length */ 669 hlen = 2 * sizeof(u_int32_t) + tdb->tdb_ivlen; 670 671 /* Find beginning of ESP header */ 672 m1 = m_getptr(m, skip, &roff); 673 if (m1 == NULL) { 674 espstat.esps_hdrops++; 675 splx(s); 676 DPRINTF(("esp_input_cb(): bad mbuf chain, SA %s/%08x\n", 677 ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi))); 678 m_freem(m); 679 return EINVAL; 680 } 681 682 /* Remove the ESP header and IV from the mbuf. */ 683 if (roff == 0) { 684 /* The ESP header was conveniently at the beginning of the mbuf */ 685 m_adj(m1, hlen); 686 if (!(m1->m_flags & M_PKTHDR)) 687 m->m_pkthdr.len -= hlen; 688 } else if (roff + hlen >= m1->m_len) { 689 /* 690 * Part or all of the ESP header is at the end of this mbuf, so 691 * first let's remove the remainder of the ESP header from the 692 * beginning of the remainder of the mbuf chain, if any. 693 */ 694 if (roff + hlen > m1->m_len) { 695 /* Adjust the next mbuf by the remainder */ 696 m_adj(m1->m_next, roff + hlen - m1->m_len); 697 698 /* The second mbuf is guaranteed not to have a pkthdr... */ 699 m->m_pkthdr.len -= (roff + hlen - m1->m_len); 700 } 701 702 /* Now, let's unlink the mbuf chain for a second...*/ 703 mo = m1->m_next; 704 m1->m_next = NULL; 705 706 /* ...and trim the end of the first part of the chain...sick */ 707 m_adj(m1, -(m1->m_len - roff)); 708 if (!(m1->m_flags & M_PKTHDR)) 709 m->m_pkthdr.len -= (m1->m_len - roff); 710 711 /* Finally, let's relink */ 712 m1->m_next = mo; 713 } else { 714 /* 715 * The ESP header lies in the "middle" of the mbuf...do an 716 * overlapping copy of the remainder of the mbuf over the ESP 717 * header. 718 */ 719 bcopy(mtod(m1, u_char *) + roff + hlen, 720 mtod(m1, u_char *) + roff, m1->m_len - (roff + hlen)); 721 m1->m_len -= hlen; 722 m->m_pkthdr.len -= hlen; 723 } 724 725 /* Save the last three bytes of decrypted data */ 726 m_copydata(m, m->m_pkthdr.len - 3, 3, lastthree); 727 728 /* Verify pad length */ 729 if (lastthree[1] + 2 > m->m_pkthdr.len - skip) { 730 espstat.esps_badilen++; 731 splx(s); 732 DPRINTF(("esp_input_cb(): invalid padding length %d for packet in SA %s/%08x\n", lastthree[1], ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi))); 733 m_freem(m); 734 return EINVAL; 735 } 736 737 /* Verify correct decryption by checking the last padding bytes */ 738 if ((lastthree[1] != lastthree[0]) && (lastthree[1] != 0)) { 739 espstat.esps_badenc++; 740 splx(s); 741 DPRINTF(("esp_input(): decryption failed for packet in SA %s/%08x\n", ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi))); 742 m_freem(m); 743 return EINVAL; 744 } 745 746 /* Trim the mbuf chain to remove the trailing authenticator and padding */ 747 m_adj(m, -(lastthree[1] + 2)); 748 749 /* Restore the Next Protocol field */ 750 m_copyback(m, protoff, sizeof(u_int8_t), lastthree + 2, M_NOWAIT); 751 752 /* Back to generic IPsec input processing */ 753 error = ipsec_common_input_cb(m, tdb, skip, protoff, mtag); 754 splx(s); 755 return (error); 756 757 baddone: 758 splx(s); 759 760 if (m != NULL) 761 m_freem(m); 762 763 crypto_freereq(crp); 764 765 return (error); 766 } 767 768 /* 769 * ESP output routine, called by ipsp_process_packet(). 770 */ 771 int 772 esp_output(struct mbuf *m, struct tdb *tdb, struct mbuf **mp, int skip, 773 int protoff) 774 { 775 struct enc_xform *espx = (struct enc_xform *) tdb->tdb_encalgxform; 776 struct auth_hash *esph = (struct auth_hash *) tdb->tdb_authalgxform; 777 int ilen, hlen, rlen, padding, blks, alen; 778 u_int32_t replay; 779 struct mbuf *mi, *mo = (struct mbuf *) NULL; 780 struct tdb_crypto *tc; 781 unsigned char *pad; 782 u_int8_t prot; 783 784 struct cryptodesc *crde = NULL, *crda = NULL; 785 struct cryptop *crp; 786 #if NBPFILTER > 0 787 struct ifnet *encif; 788 789 if ((encif = enc_getif(tdb->tdb_rdomain, tdb->tdb_tap)) != NULL) { 790 encif->if_opackets++; 791 encif->if_obytes += m->m_pkthdr.len; 792 793 if (encif->if_bpf) { 794 struct enchdr hdr; 795 796 memset(&hdr, 0, sizeof(hdr)); 797 798 hdr.af = tdb->tdb_dst.sa.sa_family; 799 hdr.spi = tdb->tdb_spi; 800 if (espx) 801 hdr.flags |= M_CONF; 802 if (esph) 803 hdr.flags |= M_AUTH; 804 805 bpf_mtap_hdr(encif->if_bpf, (char *)&hdr, 806 ENC_HDRLEN, m, BPF_DIRECTION_OUT); 807 } 808 } 809 #endif 810 811 hlen = 2 * sizeof(u_int32_t) + tdb->tdb_ivlen; 812 813 rlen = m->m_pkthdr.len - skip; /* Raw payload length. */ 814 if (espx) 815 blks = MAX(espx->blocksize, 4); 816 else 817 blks = 4; /* If no encryption, we have to be 4-byte aligned. */ 818 819 padding = ((blks - ((rlen + 2) % blks)) % blks) + 2; 820 821 alen = esph ? esph->authsize : 0; 822 espstat.esps_output++; 823 824 switch (tdb->tdb_dst.sa.sa_family) { 825 #ifdef INET 826 case AF_INET: 827 /* Check for IP maximum packet size violations. */ 828 if (skip + hlen + rlen + padding + alen > IP_MAXPACKET) { 829 DPRINTF(("esp_output(): packet in SA %s/%08x got " 830 "too big\n", ipsp_address(tdb->tdb_dst), 831 ntohl(tdb->tdb_spi))); 832 m_freem(m); 833 espstat.esps_toobig++; 834 return EMSGSIZE; 835 } 836 break; 837 #endif /* INET */ 838 839 #ifdef INET6 840 case AF_INET6: 841 /* Check for IPv6 maximum packet size violations. */ 842 if (skip + hlen + rlen + padding + alen > IPV6_MAXPACKET) { 843 DPRINTF(("esp_output(): packet in SA %s/%08x got too " 844 "big\n", ipsp_address(tdb->tdb_dst), 845 ntohl(tdb->tdb_spi))); 846 m_freem(m); 847 espstat.esps_toobig++; 848 return EMSGSIZE; 849 } 850 break; 851 #endif /* INET6 */ 852 853 default: 854 DPRINTF(("esp_output(): unknown/unsupported protocol " 855 "family %d, SA %s/%08x\n", tdb->tdb_dst.sa.sa_family 856 , ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi))); 857 m_freem(m); 858 espstat.esps_nopf++; 859 return EPFNOSUPPORT; 860 } 861 862 /* Update the counters. */ 863 tdb->tdb_cur_bytes += m->m_pkthdr.len - skip; 864 espstat.esps_obytes += m->m_pkthdr.len - skip; 865 866 /* Hard byte expiration. */ 867 if (tdb->tdb_flags & TDBF_BYTES && 868 tdb->tdb_cur_bytes >= tdb->tdb_exp_bytes) { 869 pfkeyv2_expire(tdb, SADB_EXT_LIFETIME_HARD); 870 tdb_delete(tdb); 871 m_freem(m); 872 return EINVAL; 873 } 874 875 /* Soft byte expiration. */ 876 if (tdb->tdb_flags & TDBF_SOFT_BYTES && 877 tdb->tdb_cur_bytes >= tdb->tdb_soft_bytes) { 878 pfkeyv2_expire(tdb, SADB_EXT_LIFETIME_SOFT); 879 tdb->tdb_flags &= ~TDBF_SOFT_BYTES; /* Turn off checking. */ 880 } 881 882 /* 883 * Loop through mbuf chain; if we find a readonly mbuf, 884 * replace the rest of the chain. 885 */ 886 mo = NULL; 887 mi = m; 888 while (mi != NULL && !M_READONLY(mi)) { 889 mo = mi; 890 mi = mi->m_next; 891 } 892 893 if (mi != NULL) { 894 /* Replace the rest of the mbuf chain. */ 895 struct mbuf *n = m_copym2(mi, 0, M_COPYALL, M_DONTWAIT); 896 897 if (n == NULL) { 898 DPRINTF(("esp_output(): bad mbuf chain, SA %s/%08x\n", 899 ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi))); 900 espstat.esps_hdrops++; 901 m_freem(m); 902 return ENOBUFS; 903 } 904 905 if (mo != NULL) 906 mo->m_next = n; 907 else 908 m = n; 909 910 m_freem(mi); 911 } 912 913 /* Inject ESP header. */ 914 mo = m_inject(m, skip, hlen, M_DONTWAIT); 915 if (mo == NULL) { 916 DPRINTF(("esp_output(): failed to inject ESP header for " 917 "SA %s/%08x\n", ipsp_address(tdb->tdb_dst), 918 ntohl(tdb->tdb_spi))); 919 m_freem(m); 920 espstat.esps_hdrops++; 921 return ENOBUFS; 922 } 923 924 /* Initialize ESP header. */ 925 bcopy((caddr_t) &tdb->tdb_spi, mtod(mo, caddr_t), sizeof(u_int32_t)); 926 tdb->tdb_rpl++; 927 replay = htonl((u_int32_t)tdb->tdb_rpl); 928 bcopy((caddr_t) &replay, mtod(mo, caddr_t) + sizeof(u_int32_t), 929 sizeof(u_int32_t)); 930 931 #if NPFSYNC > 0 932 pfsync_update_tdb(tdb,1); 933 #endif 934 935 /* 936 * Add padding -- better to do it ourselves than use the crypto engine, 937 * although if/when we support compression, we'd have to do that. 938 */ 939 mo = m_inject(m, m->m_pkthdr.len, padding + alen, M_DONTWAIT); 940 if (mo == NULL) { 941 DPRINTF(("esp_output(): m_inject failed for SA %s/%08x\n", 942 ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi))); 943 m_freem(m); 944 return ENOBUFS; 945 } 946 pad = mtod(mo, u_char *); 947 948 /* Apply self-describing padding */ 949 for (ilen = 0; ilen < padding - 2; ilen++) 950 pad[ilen] = ilen + 1; 951 952 /* Fix padding length and Next Protocol in padding itself. */ 953 pad[padding - 2] = padding - 2; 954 m_copydata(m, protoff, sizeof(u_int8_t), pad + padding - 1); 955 956 /* Fix Next Protocol in IPv4/IPv6 header. */ 957 prot = IPPROTO_ESP; 958 m_copyback(m, protoff, sizeof(u_int8_t), &prot, M_NOWAIT); 959 960 /* Get crypto descriptors. */ 961 crp = crypto_getreq(esph && espx ? 2 : 1); 962 if (crp == NULL) { 963 m_freem(m); 964 DPRINTF(("esp_output(): failed to acquire crypto " 965 "descriptors\n")); 966 espstat.esps_crypto++; 967 return ENOBUFS; 968 } 969 970 if (espx) { 971 crde = crp->crp_desc; 972 crda = crde->crd_next; 973 974 /* Encryption descriptor. */ 975 crde->crd_skip = skip + hlen; 976 crde->crd_flags = CRD_F_ENCRYPT; 977 crde->crd_inject = skip + hlen - tdb->tdb_ivlen; 978 979 /* Encryption operation. */ 980 crde->crd_alg = espx->type; 981 crde->crd_key = tdb->tdb_emxkey; 982 crde->crd_klen = tdb->tdb_emxkeylen * 8; 983 /* XXX Rounds ? */ 984 985 if (crde->crd_alg == CRYPTO_AES_GMAC) 986 crde->crd_len = 0; 987 else 988 crde->crd_len = m->m_pkthdr.len - (skip + hlen + alen); 989 } else 990 crda = crp->crp_desc; 991 992 /* IPsec-specific opaque crypto info. */ 993 tc = malloc(sizeof(*tc), M_XDATA, M_NOWAIT | M_ZERO); 994 if (tc == NULL) { 995 m_freem(m); 996 crypto_freereq(crp); 997 DPRINTF(("esp_output(): failed to allocate tdb_crypto\n")); 998 espstat.esps_crypto++; 999 return ENOBUFS; 1000 } 1001 1002 tc->tc_spi = tdb->tdb_spi; 1003 tc->tc_proto = tdb->tdb_sproto; 1004 tc->tc_rdomain = tdb->tdb_rdomain; 1005 bcopy(&tdb->tdb_dst, &tc->tc_dst, sizeof(union sockaddr_union)); 1006 1007 /* Crypto operation descriptor. */ 1008 crp->crp_ilen = m->m_pkthdr.len; /* Total input length. */ 1009 crp->crp_flags = CRYPTO_F_IMBUF; 1010 crp->crp_buf = (caddr_t) m; 1011 crp->crp_callback = (int (*) (struct cryptop *)) esp_output_cb; 1012 crp->crp_opaque = (caddr_t) tc; 1013 crp->crp_sid = tdb->tdb_cryptoid; 1014 1015 if (esph) { 1016 /* Authentication descriptor. */ 1017 crda->crd_skip = skip; 1018 crda->crd_inject = m->m_pkthdr.len - alen; 1019 1020 /* Authentication operation. */ 1021 crda->crd_alg = esph->type; 1022 crda->crd_key = tdb->tdb_amxkey; 1023 crda->crd_klen = tdb->tdb_amxkeylen * 8; 1024 1025 if ((tdb->tdb_wnd > 0) && (tdb->tdb_flags & TDBF_ESN)) { 1026 u_int32_t esn; 1027 1028 esn = htonl((u_int32_t)(tdb->tdb_rpl >> 32)); 1029 bcopy(&esn, crda->crd_esn, 4); 1030 crda->crd_flags |= CRD_F_ESN; 1031 } 1032 1033 if (espx && espx->type == CRYPTO_AES_GCM_16) 1034 crda->crd_len = hlen - tdb->tdb_ivlen; 1035 else 1036 crda->crd_len = m->m_pkthdr.len - (skip + alen); 1037 } 1038 1039 if ((tdb->tdb_flags & TDBF_SKIPCRYPTO) == 0) 1040 return crypto_dispatch(crp); 1041 else 1042 return esp_output_cb(crp); 1043 } 1044 1045 /* 1046 * ESP output callback, called directly by the crypto driver. 1047 */ 1048 int 1049 esp_output_cb(void *op) 1050 { 1051 struct cryptop *crp = (struct cryptop *) op; 1052 struct tdb_crypto *tc; 1053 struct tdb *tdb; 1054 struct mbuf *m; 1055 int error, s; 1056 1057 tc = (struct tdb_crypto *) crp->crp_opaque; 1058 1059 m = (struct mbuf *) crp->crp_buf; 1060 if (m == NULL) { 1061 /* Shouldn't happen... */ 1062 free(tc, M_XDATA); 1063 crypto_freereq(crp); 1064 espstat.esps_crypto++; 1065 DPRINTF(("esp_output_cb(): bogus returned buffer from " 1066 "crypto\n")); 1067 return (EINVAL); 1068 } 1069 1070 1071 s = splsoftnet(); 1072 1073 tdb = gettdb(tc->tc_rdomain, tc->tc_spi, &tc->tc_dst, tc->tc_proto); 1074 if (tdb == NULL) { 1075 free(tc, M_XDATA); 1076 espstat.esps_notdb++; 1077 DPRINTF(("esp_output_cb(): TDB is expired while in crypto\n")); 1078 error = EPERM; 1079 goto baddone; 1080 } 1081 1082 /* Check for crypto errors. */ 1083 if (crp->crp_etype) { 1084 if (crp->crp_etype == EAGAIN) { 1085 /* Reset the session ID */ 1086 if (tdb->tdb_cryptoid != 0) 1087 tdb->tdb_cryptoid = crp->crp_sid; 1088 splx(s); 1089 return crypto_dispatch(crp); 1090 } 1091 free(tc, M_XDATA); 1092 espstat.esps_noxform++; 1093 DPRINTF(("esp_output_cb(): crypto error %d\n", 1094 crp->crp_etype)); 1095 error = crp->crp_etype; 1096 goto baddone; 1097 } 1098 free(tc, M_XDATA); 1099 1100 /* Release crypto descriptors. */ 1101 crypto_freereq(crp); 1102 1103 /* Call the IPsec input callback. */ 1104 error = ipsp_process_done(m, tdb); 1105 splx(s); 1106 return error; 1107 1108 baddone: 1109 splx(s); 1110 1111 if (m != NULL) 1112 m_freem(m); 1113 1114 crypto_freereq(crp); 1115 1116 return error; 1117 } 1118 1119 #define SEEN_SIZE howmany(TDB_REPLAYMAX, 32) 1120 1121 /* 1122 * return 0 on success 1123 * return 1 for counter == 0 1124 * return 2 for very old packet 1125 * return 3 for packet within current window but already received 1126 */ 1127 int 1128 checkreplaywindow(struct tdb *tdb, u_int32_t seq, u_int32_t *seqhigh, 1129 int commit) 1130 { 1131 u_int32_t tl, th, wl; 1132 u_int32_t seqh, packet; 1133 u_int32_t window = TDB_REPLAYMAX - TDB_REPLAYWASTE; 1134 int idx, esn = tdb->tdb_flags & TDBF_ESN; 1135 1136 tl = (u_int32_t)tdb->tdb_rpl; 1137 th = (u_int32_t)(tdb->tdb_rpl >> 32); 1138 1139 /* Zero SN is not allowed */ 1140 if ((esn && seq == 0 && tl <= AH_HMAC_INITIAL_RPL && th == 0) || 1141 (!esn && seq == 0)) 1142 return (1); 1143 1144 if (th == 0 && tl < window) 1145 window = tl; 1146 /* Current replay window starts here */ 1147 wl = tl - window + 1; 1148 1149 idx = (seq % TDB_REPLAYMAX) / 32; 1150 packet = 1 << (31 - (seq & 31)); 1151 1152 /* 1153 * We keep the high part intact when: 1154 * 1) the SN is within [wl, 0xffffffff] and the whole window is 1155 * within one subspace; 1156 * 2) the SN is within [0, wl) and window spans two subspaces. 1157 */ 1158 if ((tl >= window - 1 && seq >= wl) || 1159 (tl < window - 1 && seq < wl)) { 1160 seqh = *seqhigh = th; 1161 if (seq > tl) { 1162 if (commit) { 1163 if (seq - tl > window) 1164 memset(tdb->tdb_seen, 0, 1165 sizeof(tdb->tdb_seen)); 1166 else { 1167 int i = (tl % TDB_REPLAYMAX) / 32; 1168 1169 while (i != idx) { 1170 i = (i + 1) % SEEN_SIZE; 1171 tdb->tdb_seen[i] = 0; 1172 } 1173 } 1174 tdb->tdb_seen[idx] |= packet; 1175 tdb->tdb_rpl = ((u_int64_t)seqh << 32) | seq; 1176 } 1177 } else { 1178 if (tl - seq >= window) 1179 return (2); 1180 if (tdb->tdb_seen[idx] & packet) 1181 return (3); 1182 if (commit) 1183 tdb->tdb_seen[idx] |= packet; 1184 } 1185 return (0); 1186 } 1187 1188 /* Can't wrap if not doing ESN */ 1189 if (!esn) 1190 return (2); 1191 1192 /* 1193 * SN is within [wl, 0xffffffff] and wl is within 1194 * [0xffffffff-window, 0xffffffff]. This means we got a SN 1195 * which is within our replay window, but in the previous 1196 * subspace. 1197 */ 1198 if (tl < window - 1 && seq >= wl) { 1199 if (tdb->tdb_seen[idx] & packet) 1200 return (3); 1201 seqh = *seqhigh = th - 1; 1202 if (commit) 1203 tdb->tdb_seen[idx] |= packet; 1204 return (0); 1205 } 1206 1207 /* 1208 * SN has wrapped and the last authenticated SN is in the old 1209 * subspace. 1210 */ 1211 seqh = *seqhigh = th + 1; 1212 if (seqh == 0) /* Don't let high bit to wrap */ 1213 return (1); 1214 if (commit) { 1215 if (seq - tl > window) 1216 memset(tdb->tdb_seen, 0, sizeof(tdb->tdb_seen)); 1217 else { 1218 int i = (tl % TDB_REPLAYMAX) / 32; 1219 1220 while (i != idx) { 1221 i = (i + 1) % SEEN_SIZE; 1222 tdb->tdb_seen[i] = 0; 1223 } 1224 } 1225 tdb->tdb_seen[idx] |= packet; 1226 tdb->tdb_rpl = ((u_int64_t)seqh << 32) | seq; 1227 } 1228 1229 return (0); 1230 } 1231