1 /* $OpenBSD: ip_esp.c,v 1.69 2001/06/26 06:18:59 angelos Exp $ */ 2 /* 3 * The authors of this code are John Ioannidis (ji@tla.org), 4 * Angelos D. Keromytis (kermit@csd.uch.gr) and 5 * Niels Provos (provos@physnet.uni-hamburg.de). 6 * 7 * The original version of this code was written by John Ioannidis 8 * for BSD/OS in Athens, Greece, in November 1995. 9 * 10 * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996, 11 * by Angelos D. Keromytis. 12 * 13 * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis 14 * and Niels Provos. 15 * 16 * Additional features in 1999 by Angelos D. Keromytis. 17 * 18 * Copyright (C) 1995, 1996, 1997, 1998, 1999 by John Ioannidis, 19 * Angelos D. Keromytis and Niels Provos. 20 * Copyright (c) 2001 Angelos D. Keromytis. 21 * 22 * Permission to use, copy, and modify this software with or without fee 23 * is hereby granted, provided that this entire notice is included in 24 * all copies of any software which is or includes a copy or 25 * modification of this software. 26 * You may use this code under the GNU public license if you so wish. Please 27 * contribute changes back to the authors under this freer than GPL license 28 * so that we may further the use of strong encryption without limitations to 29 * all. 30 * 31 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR 32 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY 33 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE 34 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR 35 * PURPOSE. 36 */ 37 38 #include <sys/param.h> 39 #include <sys/systm.h> 40 #include <sys/mbuf.h> 41 #include <sys/socket.h> 42 43 #include <net/if.h> 44 #include <net/bpf.h> 45 46 #include <dev/rndvar.h> 47 48 #ifdef INET 49 #include <netinet/in.h> 50 #include <netinet/in_systm.h> 51 #include <netinet/ip.h> 52 #endif /* INET */ 53 54 #ifdef INET6 55 #ifndef INET 56 #include <netinet/in.h> 57 #endif 58 #include <netinet/ip6.h> 59 #endif /* INET6 */ 60 61 #include <netinet/ip_ipsp.h> 62 #include <netinet/ip_esp.h> 63 #include <net/pfkeyv2.h> 64 #include <net/if_enc.h> 65 66 #include <crypto/cryptodev.h> 67 #include <crypto/xform.h> 68 69 #include "bpfilter.h" 70 71 #ifdef ENCDEBUG 72 #define DPRINTF(x) if (encdebug) printf x 73 #else 74 #define DPRINTF(x) 75 #endif 76 77 /* 78 * esp_attach() is called from the transformation initialization code. 79 */ 80 int 81 esp_attach() 82 { 83 return 0; 84 } 85 86 /* 87 * esp_init() is called when an SPI is being set up. 88 */ 89 int 90 esp_init(struct tdb *tdbp, struct xformsw *xsp, struct ipsecinit *ii) 91 { 92 struct enc_xform *txform = NULL; 93 struct auth_hash *thash = NULL; 94 struct cryptoini cria, crie; 95 96 if (ii->ii_encalg) 97 { 98 switch (ii->ii_encalg) 99 { 100 case SADB_EALG_DESCBC: 101 txform = &enc_xform_des; 102 break; 103 104 case SADB_EALG_3DESCBC: 105 txform = &enc_xform_3des; 106 break; 107 108 case SADB_X_EALG_AES: 109 txform = &enc_xform_rijndael128; 110 break; 111 112 case SADB_X_EALG_BLF: 113 txform = &enc_xform_blf; 114 break; 115 116 case SADB_X_EALG_CAST: 117 txform = &enc_xform_cast5; 118 break; 119 120 case SADB_X_EALG_SKIPJACK: 121 txform = &enc_xform_skipjack; 122 break; 123 124 default: 125 DPRINTF(("esp_init(): unsupported encryption algorithm %d specified\n", ii->ii_encalg)); 126 return EINVAL; 127 } 128 129 if (ii->ii_enckeylen < txform->minkey) 130 { 131 DPRINTF(("esp_init(): keylength %d too small (min length is %d) for algorithm %s\n", ii->ii_enckeylen, txform->minkey, txform->name)); 132 return EINVAL; 133 } 134 135 if (ii->ii_enckeylen > txform->maxkey) 136 { 137 DPRINTF(("esp_init(): keylength %d too large (max length is %d) for algorithm %s\n", ii->ii_enckeylen, txform->maxkey, txform->name)); 138 return EINVAL; 139 } 140 141 tdbp->tdb_encalgxform = txform; 142 143 DPRINTF(("esp_init(): initialized TDB with enc algorithm %s\n", 144 txform->name)); 145 146 tdbp->tdb_ivlen = txform->blocksize; 147 if (tdbp->tdb_flags & TDBF_HALFIV) 148 tdbp->tdb_ivlen /= 2; 149 } 150 151 if (ii->ii_authalg) 152 { 153 switch (ii->ii_authalg) 154 { 155 case SADB_AALG_MD5HMAC: 156 thash = &auth_hash_hmac_md5_96; 157 break; 158 159 case SADB_AALG_SHA1HMAC: 160 thash = &auth_hash_hmac_sha1_96; 161 break; 162 163 case SADB_AALG_RIPEMD160HMAC: 164 thash = &auth_hash_hmac_ripemd_160_96; 165 break; 166 167 default: 168 DPRINTF(("esp_init(): unsupported authentication algorithm %d specified\n", ii->ii_authalg)); 169 return EINVAL; 170 } 171 172 if (ii->ii_authkeylen != thash->keysize) 173 { 174 DPRINTF(("esp_init(): keylength %d doesn't match algorithm %s keysize (%d)\n", ii->ii_authkeylen, thash->name, thash->keysize)); 175 return EINVAL; 176 } 177 178 tdbp->tdb_authalgxform = thash; 179 180 DPRINTF(("esp_init(): initialized TDB with hash algorithm %s\n", 181 thash->name)); 182 } 183 184 tdbp->tdb_xform = xsp; 185 tdbp->tdb_bitmap = 0; 186 tdbp->tdb_rpl = AH_HMAC_INITIAL_RPL; 187 188 /* Initialize crypto session */ 189 if (tdbp->tdb_encalgxform) 190 { 191 /* Save the raw keys */ 192 tdbp->tdb_emxkeylen = ii->ii_enckeylen; 193 MALLOC(tdbp->tdb_emxkey, u_int8_t *, tdbp->tdb_emxkeylen, M_XDATA, 194 M_WAITOK); 195 bcopy(ii->ii_enckey, tdbp->tdb_emxkey, tdbp->tdb_emxkeylen); 196 197 bzero(&crie, sizeof(crie)); 198 199 crie.cri_alg = tdbp->tdb_encalgxform->type; 200 201 if (tdbp->tdb_authalgxform) 202 crie.cri_next = &cria; 203 else 204 crie.cri_next = NULL; 205 206 crie.cri_klen = ii->ii_enckeylen * 8; 207 crie.cri_key = ii->ii_enckey; 208 /* XXX Rounds ? */ 209 } 210 211 if (tdbp->tdb_authalgxform) 212 { 213 /* Save the raw keys */ 214 tdbp->tdb_amxkeylen = ii->ii_authkeylen; 215 MALLOC(tdbp->tdb_amxkey, u_int8_t *, tdbp->tdb_amxkeylen, M_XDATA, 216 M_WAITOK); 217 bcopy(ii->ii_authkey, tdbp->tdb_amxkey, tdbp->tdb_amxkeylen); 218 219 bzero(&cria, sizeof(cria)); 220 221 cria.cri_alg = tdbp->tdb_authalgxform->type; 222 cria.cri_next = NULL; 223 cria.cri_klen = ii->ii_authkeylen * 8; 224 cria.cri_key = ii->ii_authkey; 225 } 226 227 return crypto_newsession(&tdbp->tdb_cryptoid, 228 (tdbp->tdb_encalgxform ? &crie : &cria), 0); 229 } 230 231 /* 232 * Paranoia. 233 */ 234 int 235 esp_zeroize(struct tdb *tdbp) 236 { 237 int err; 238 239 if (tdbp->tdb_amxkey) 240 { 241 bzero(tdbp->tdb_amxkey, tdbp->tdb_amxkeylen); 242 FREE(tdbp->tdb_amxkey, M_XDATA); 243 tdbp->tdb_amxkey = NULL; 244 } 245 246 if (tdbp->tdb_emxkey) 247 { 248 bzero(tdbp->tdb_emxkey, tdbp->tdb_emxkeylen); 249 FREE(tdbp->tdb_emxkey, M_XDATA); 250 tdbp->tdb_emxkey = NULL; 251 } 252 253 err = crypto_freesession(tdbp->tdb_cryptoid); 254 tdbp->tdb_cryptoid = 0; 255 return err; 256 } 257 258 #define MAXBUFSIZ (AH_ALEN_MAX > ESP_MAX_IVS ? AH_ALEN_MAX : ESP_MAX_IVS) 259 260 /* 261 * ESP input processing, called (eventually) through the protocol switch. 262 */ 263 int 264 esp_input(struct mbuf *m, struct tdb *tdb, int skip, int protoff) 265 { 266 struct auth_hash *esph = (struct auth_hash *) tdb->tdb_authalgxform; 267 struct enc_xform *espx = (struct enc_xform *) tdb->tdb_encalgxform; 268 struct tdb_ident *tdbi; 269 struct tdb_crypto *tc; 270 int plen, alen, hlen; 271 struct m_tag *mtag; 272 u_int32_t btsx; 273 274 struct cryptodesc *crde = NULL, *crda = NULL; 275 struct cryptop *crp; 276 277 /* Determine the ESP header length */ 278 if (tdb->tdb_flags & TDBF_NOREPLAY) 279 hlen = sizeof(u_int32_t) + tdb->tdb_ivlen; /* "old" ESP */ 280 else 281 hlen = 2 * sizeof(u_int32_t) + tdb->tdb_ivlen; /* "new" ESP */ 282 283 if (esph) 284 alen = AH_HMAC_HASHLEN; 285 else 286 alen = 0; 287 288 if (espx) 289 { 290 /* 291 * Verify payload length is multiple of encryption algorithm 292 * block size. 293 */ 294 plen = m->m_pkthdr.len - (skip + hlen + alen); 295 if ((plen & (espx->blocksize - 1)) || (plen <= 0)) 296 { 297 DPRINTF(("esp_input(): payload of %d octets not a multiple of %d octets, SA %s/%08x\n", plen, espx->blocksize, ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi))); 298 espstat.esps_badilen++; 299 m_freem(m); 300 return EINVAL; 301 } 302 } 303 304 /* Replay window checking, if appropriate */ 305 if ((tdb->tdb_wnd > 0) && (!(tdb->tdb_flags & TDBF_NOREPLAY))) 306 { 307 m_copydata(m, skip + sizeof(u_int32_t), sizeof(u_int32_t), 308 (unsigned char *) &btsx); 309 btsx = ntohl(btsx); 310 311 switch (checkreplaywindow32(btsx, 0, &(tdb->tdb_rpl), tdb->tdb_wnd, 312 &(tdb->tdb_bitmap))) 313 { 314 case 0: /* All's well */ 315 break; 316 317 case 1: 318 DPRINTF(("esp_input(): replay counter wrapped for SA %s/%08x\n", ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi))); 319 espstat.esps_wrap++; 320 m_freem(m); 321 return EACCES; 322 323 case 2: 324 case 3: 325 DPRINTF(("esp_input(): duplicate packet received in SA %s/%08x\n", ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi))); 326 espstat.esps_replay++; 327 m_freem(m); 328 return EACCES; 329 330 default: 331 DPRINTF(("esp_input(): bogus value from checkreplaywindow32() in SA %s/%08x\n", ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi))); 332 espstat.esps_replay++; 333 m_freem(m); 334 return EACCES; 335 } 336 } 337 338 /* Update the counters */ 339 tdb->tdb_cur_bytes += m->m_pkthdr.len - skip - hlen - alen; 340 espstat.esps_ibytes += m->m_pkthdr.len - skip - hlen - alen; 341 342 /* Hard expiration */ 343 if ((tdb->tdb_flags & TDBF_BYTES) && 344 (tdb->tdb_cur_bytes >= tdb->tdb_exp_bytes)) 345 { 346 pfkeyv2_expire(tdb, SADB_EXT_LIFETIME_HARD); 347 tdb_delete(tdb); 348 m_freem(m); 349 return ENXIO; 350 } 351 352 /* Notify on soft expiration */ 353 if ((tdb->tdb_flags & TDBF_SOFT_BYTES) && 354 (tdb->tdb_cur_bytes >= tdb->tdb_soft_bytes)) 355 { 356 pfkeyv2_expire(tdb, SADB_EXT_LIFETIME_SOFT); 357 tdb->tdb_flags &= ~TDBF_SOFT_BYTES; /* Turn off checking */ 358 } 359 360 /* Find out if we've already done crypto */ 361 for (mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_CRYPTO_DONE, NULL); 362 mtag != NULL; 363 mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_CRYPTO_DONE, mtag)) 364 { 365 tdbi = (struct tdb_ident *) (mtag + 1); 366 if (tdbi->proto == tdb->tdb_sproto && tdbi->spi == tdb->tdb_spi && 367 !bcmp(&tdbi->dst, &tdb->tdb_dst, sizeof(union sockaddr_union))) 368 break; 369 } 370 371 /* Get crypto descriptors */ 372 crp = crypto_getreq(esph && espx ? 2 : 1); 373 if (crp == NULL) 374 { 375 m_freem(m); 376 DPRINTF(("esp_input(): failed to acquire crypto descriptors\n")); 377 espstat.esps_crypto++; 378 return ENOBUFS; 379 } 380 381 /* Get IPsec-specific opaque pointer */ 382 if (esph == NULL || mtag != NULL) 383 MALLOC(tc, struct tdb_crypto *, sizeof(struct tdb_crypto), 384 M_XDATA, M_NOWAIT); 385 else 386 MALLOC(tc, struct tdb_crypto *, sizeof(struct tdb_crypto) + alen, 387 M_XDATA, M_NOWAIT); 388 if (tc == NULL) 389 { 390 m_freem(m); 391 crypto_freereq(crp); 392 DPRINTF(("esp_input(): failed to allocate tdb_crypto\n")); 393 espstat.esps_crypto++; 394 return ENOBUFS; 395 } 396 397 bzero(tc, sizeof(struct tdb_crypto)); 398 tc->tc_ptr = (caddr_t) mtag; 399 400 if (esph) 401 { 402 crda = crp->crp_desc; 403 crde = crda->crd_next; 404 405 /* Authentication descriptor */ 406 crda->crd_skip = skip; 407 crda->crd_len = m->m_pkthdr.len - (skip + alen); 408 crda->crd_inject = m->m_pkthdr.len - alen; 409 410 crda->crd_alg = esph->type; 411 crda->crd_key = tdb->tdb_amxkey; 412 crda->crd_klen = tdb->tdb_amxkeylen * 8; 413 414 /* Copy the authenticator */ 415 if (mtag == NULL) 416 m_copydata(m, m->m_pkthdr.len - alen, alen, (caddr_t) (tc + 1)); 417 } 418 else 419 crde = crp->crp_desc; 420 421 /* Crypto operation descriptor */ 422 crp->crp_ilen = m->m_pkthdr.len; /* Total input length */ 423 crp->crp_flags = CRYPTO_F_IMBUF; 424 crp->crp_buf = (caddr_t) m; 425 crp->crp_callback = (int (*) (struct cryptop *)) esp_input_cb; 426 crp->crp_sid = tdb->tdb_cryptoid; 427 crp->crp_opaque = (caddr_t) tc; 428 429 /* These are passed as-is to the callback */ 430 tc->tc_skip = skip; 431 tc->tc_protoff = protoff; 432 tc->tc_spi = tdb->tdb_spi; 433 tc->tc_proto = tdb->tdb_sproto; 434 bcopy(&tdb->tdb_dst, &tc->tc_dst, sizeof(union sockaddr_union)); 435 436 /* Decryption descriptor */ 437 if (espx) 438 { 439 crde->crd_skip = skip + hlen; 440 crde->crd_len = m->m_pkthdr.len - (skip + hlen + alen); 441 crde->crd_inject = skip + hlen - tdb->tdb_ivlen; 442 443 if (tdb->tdb_flags & TDBF_HALFIV) 444 { 445 /* Copy half-IV from packet */ 446 m_copydata(m, crde->crd_inject, tdb->tdb_ivlen, crde->crd_iv); 447 448 /* Cook IV */ 449 for (btsx = 0; btsx < tdb->tdb_ivlen; btsx++) 450 crde->crd_iv[tdb->tdb_ivlen + btsx] = ~crde->crd_iv[btsx]; 451 452 crde->crd_flags |= CRD_F_IV_EXPLICIT; 453 } 454 455 crde->crd_alg = espx->type; 456 crde->crd_key = tdb->tdb_emxkey; 457 crde->crd_klen = tdb->tdb_emxkeylen * 8; 458 /* XXX Rounds ? */ 459 } 460 461 if (mtag == NULL) 462 return crypto_dispatch(crp); 463 else 464 return esp_input_cb(crp); 465 } 466 467 /* 468 * ESP input callback, called directly by the crypto driver. 469 */ 470 int 471 esp_input_cb(void *op) 472 { 473 u_int8_t lastthree[3], aalg[AH_HMAC_HASHLEN]; 474 int hlen, roff, skip, protoff, error; 475 struct mbuf *m1, *mo, *m; 476 struct cryptodesc *crd; 477 struct auth_hash *esph; 478 struct enc_xform *espx; 479 struct tdb_crypto *tc; 480 struct cryptop *crp; 481 struct m_tag *mtag; 482 struct tdb *tdb; 483 int s, err = 0; 484 caddr_t ptr; 485 486 crp = (struct cryptop *) op; 487 crd = crp->crp_desc; 488 489 tc = (struct tdb_crypto *) crp->crp_opaque; 490 skip = tc->tc_skip; 491 protoff = tc->tc_protoff; 492 mtag = (struct m_tag *) tc->tc_ptr; 493 m = (struct mbuf *) crp->crp_buf; 494 495 s = spltdb(); 496 497 tdb = gettdb(tc->tc_spi, &tc->tc_dst, tc->tc_proto); 498 FREE(tc, M_XDATA); 499 if (tdb == NULL) 500 { 501 espstat.esps_notdb++; 502 DPRINTF(("esp_input_cb(): TDB is expired while in crypto")); 503 goto baddone; 504 } 505 506 esph = (struct auth_hash *) tdb->tdb_authalgxform; 507 espx = (struct enc_xform *) tdb->tdb_encalgxform; 508 509 /* Check for crypto errors */ 510 if (crp->crp_etype) 511 { 512 /* Reset the session ID */ 513 if (tdb->tdb_cryptoid != 0) 514 tdb->tdb_cryptoid = crp->crp_sid; 515 516 if (crp->crp_etype == EAGAIN) 517 { 518 splx(s); 519 return crypto_dispatch(crp); 520 } 521 522 espstat.esps_noxform++; 523 DPRINTF(("esp_input_cb(): crypto error %d\n", crp->crp_etype)); 524 error = crp->crp_etype; 525 goto baddone; 526 } 527 528 /* Shouldn't happen... */ 529 if (m == NULL) 530 { 531 espstat.esps_crypto++; 532 DPRINTF(("esp_input_cb(): bogus returned buffer from crypto\n")); 533 error = EINVAL; 534 goto baddone; 535 } 536 537 /* If authentication was performed, check now. */ 538 if (esph != NULL) 539 { 540 /* 541 * If we have a tag, it means an IPsec-aware NIC did the verification 542 * for us. 543 */ 544 if (mtag != NULL) 545 { 546 /* Copy the authenticator from the packet */ 547 m_copydata(m, m->m_pkthdr.len - esph->authsize, esph->authsize, 548 aalg); 549 550 ptr = (caddr_t) (tc + 1); 551 552 /* Verify authenticator */ 553 if (bcmp(ptr, aalg, esph->authsize)) 554 { 555 DPRINTF(("esp_input_cb(): authentication failed for packet in SA %s/%08x\n", ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi))); 556 espstat.esps_badauth++; 557 error = EACCES; 558 goto baddone; 559 } 560 } 561 562 /* Remove trailing authenticator */ 563 m_adj(m, -(esph->authsize)); 564 } 565 566 /* Release the crypto descriptors */ 567 crypto_freereq(crp); 568 569 /* Determine the ESP header length */ 570 if (tdb->tdb_flags & TDBF_NOREPLAY) 571 hlen = sizeof(u_int32_t) + tdb->tdb_ivlen; /* "old" ESP */ 572 else 573 hlen = 2 * sizeof(u_int32_t) + tdb->tdb_ivlen; /* "new" ESP */ 574 575 /* Find beginning of ESP header */ 576 m1 = m_getptr(m, skip, &roff); 577 if (m1 == NULL) 578 { 579 espstat.esps_hdrops++; 580 splx(s); 581 DPRINTF(("esp_input_cb(): bad mbuf chain, SA %s/%08x\n", 582 ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi))); 583 m_freem(m); 584 return EINVAL; 585 } 586 587 /* Remove the ESP header and IV from the mbuf. */ 588 if (roff == 0) 589 { 590 /* The ESP header was conveniently at the beginning of the mbuf */ 591 m_adj(m1, hlen); 592 if (!(m1->m_flags & M_PKTHDR)) 593 m->m_pkthdr.len -= hlen; 594 } 595 else 596 if (roff + hlen >= m1->m_len) 597 { 598 /* 599 * Part or all of the ESP header is at the end of this mbuf, so 600 * first let's remove the remainder of the ESP header from the 601 * beginning of the remainder of the mbuf chain, if any. 602 */ 603 if (roff + hlen > m1->m_len) 604 { 605 /* Adjust the next mbuf by the remainder */ 606 m_adj(m1->m_next, roff + hlen - m1->m_len); 607 608 /* The second mbuf is guaranteed not to have a pkthdr... */ 609 m->m_pkthdr.len -= (roff + hlen - m1->m_len); 610 } 611 612 /* Now, let's unlink the mbuf chain for a second...*/ 613 mo = m1->m_next; 614 m1->m_next = NULL; 615 616 /* ...and trim the end of the first part of the chain...sick */ 617 m_adj(m1, -(m1->m_len - roff)); 618 if (!(m1->m_flags & M_PKTHDR)) 619 m->m_pkthdr.len -= (m1->m_len - roff); 620 621 /* Finally, let's relink */ 622 m1->m_next = mo; 623 } 624 else 625 { 626 /* 627 * The ESP header lies in the "middle" of the mbuf...do an 628 * overlapping copy of the remainder of the mbuf over the ESP 629 * header. 630 */ 631 bcopy(mtod(m1, u_char *) + roff + hlen, mtod(m1, u_char *) + roff, 632 m1->m_len - (roff + hlen)); 633 m1->m_len -= hlen; 634 m->m_pkthdr.len -= hlen; 635 } 636 637 /* Save the last three bytes of decrypted data */ 638 m_copydata(m, m->m_pkthdr.len - 3, 3, lastthree); 639 640 /* Verify pad length */ 641 if (lastthree[1] + 2 > m->m_pkthdr.len - skip) 642 { 643 espstat.esps_badilen++; 644 splx(s); 645 DPRINTF(("esp_input_cb(): invalid padding length %d for packet in SA %s/%08x\n", lastthree[1], ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi))); 646 m_freem(m); 647 return EINVAL; 648 } 649 650 /* Verify correct decryption by checking the last padding bytes */ 651 if (!(tdb->tdb_flags & TDBF_RANDOMPADDING)) 652 { 653 if ((lastthree[1] != lastthree[0]) && (lastthree[1] != 0)) 654 { 655 espstat.esps_badenc++; 656 splx(s); 657 DPRINTF(("esp_input(): decryption failed for packet in SA %s/%08x\n", ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi))); 658 m_freem(m); 659 return EINVAL; 660 } 661 } 662 663 /* Trim the mbuf chain to remove the trailing authenticator and padding */ 664 m_adj(m, -(lastthree[1] + 2)); 665 666 /* Restore the Next Protocol field */ 667 m_copyback(m, protoff, sizeof(u_int8_t), lastthree + 2); 668 669 /* Back to generic IPsec input processing */ 670 err = ipsec_common_input_cb(m, tdb, skip, protoff, mtag); 671 splx(s); 672 return err; 673 674 baddone: 675 splx(s); 676 677 if (m != NULL) 678 m_freem(m); 679 680 crypto_freereq(crp); 681 682 return error; 683 } 684 685 /* 686 * ESP output routine, called by ipsp_process_packet(). 687 */ 688 int 689 esp_output(struct mbuf *m, struct tdb *tdb, struct mbuf **mp, int skip, 690 int protoff) 691 { 692 struct enc_xform *espx = (struct enc_xform *) tdb->tdb_encalgxform; 693 struct auth_hash *esph = (struct auth_hash *) tdb->tdb_authalgxform; 694 int ilen, hlen, rlen, plen, padding, blks, alen; 695 struct mbuf *mi, *mo = (struct mbuf *) NULL; 696 struct tdb_crypto *tc; 697 unsigned char *pad; 698 u_int8_t prot; 699 700 struct cryptodesc *crde = NULL, *crda = NULL; 701 struct cryptop *crp; 702 703 #if NBPFILTER > 0 704 { 705 struct ifnet *ifn; 706 struct enchdr hdr; 707 struct mbuf m1; 708 709 bzero (&hdr, sizeof(hdr)); 710 711 hdr.af = tdb->tdb_dst.sa.sa_family; 712 hdr.spi = tdb->tdb_spi; 713 if (espx) 714 hdr.flags |= M_CONF; 715 if (esph) 716 hdr.flags |= M_AUTH; 717 718 m1.m_next = m; 719 m1.m_len = ENC_HDRLEN; 720 m1.m_data = (char *) &hdr; 721 722 ifn = &(encif[0].sc_if); 723 724 if (ifn->if_bpf) 725 bpf_mtap(ifn->if_bpf, &m1); 726 } 727 #endif 728 729 if (tdb->tdb_flags & TDBF_NOREPLAY) 730 hlen = sizeof(u_int32_t) + tdb->tdb_ivlen; 731 else 732 hlen = 2 * sizeof(u_int32_t) + tdb->tdb_ivlen; 733 734 rlen = m->m_pkthdr.len - skip; /* Raw payload length. */ 735 if (espx) 736 blks = espx->blocksize; 737 else 738 blks = 4; /* If no encryption, we have to be 4-byte aligned. */ 739 740 padding = ((blks - ((rlen + 2) % blks)) % blks) + 2; 741 plen = rlen + padding; /* Padded payload length. */ 742 743 if (esph) 744 alen = AH_HMAC_HASHLEN; 745 else 746 alen = 0; 747 748 espstat.esps_output++; 749 750 /* 751 * Check for replay counter wrap-around in automatic (not 752 * manual) keying. 753 */ 754 if ((!(tdb->tdb_flags & TDBF_NOREPLAY)) && 755 (tdb->tdb_rpl == 0) && (tdb->tdb_wnd > 0)) { 756 DPRINTF(("esp_output(): SA %s/%08x should have expired\n", 757 ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi))); 758 m_freem(m); 759 espstat.esps_wrap++; 760 return EACCES; 761 } 762 763 switch (tdb->tdb_dst.sa.sa_family) { 764 #ifdef INET 765 case AF_INET: 766 /* Check for IP maximum packet size violations. */ 767 if (skip + hlen + rlen + padding + alen > IP_MAXPACKET) { 768 DPRINTF(("esp_output(): packet in SA %s/%08x got " 769 "too big\n", ipsp_address(tdb->tdb_dst), 770 ntohl(tdb->tdb_spi))); 771 m_freem(m); 772 espstat.esps_toobig++; 773 return EMSGSIZE; 774 } 775 break; 776 #endif /* INET */ 777 778 #ifdef INET6 779 case AF_INET6: 780 /* Check for IPv6 maximum packet size violations. */ 781 if (skip + hlen + rlen + padding + alen > IPV6_MAXPACKET) { 782 DPRINTF(("esp_output(): packet in SA %s/%08x got too " 783 "big\n", ipsp_address(tdb->tdb_dst), 784 ntohl(tdb->tdb_spi))); 785 m_freem(m); 786 espstat.esps_toobig++; 787 return EMSGSIZE; 788 } 789 break; 790 #endif /* INET6 */ 791 792 default: 793 DPRINTF(("esp_output(): unknown/unsupported protocol " 794 "family %d, SA %s/%08x\n", tdb->tdb_dst.sa.sa_family 795 , ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi))); 796 m_freem(m); 797 espstat.esps_nopf++; 798 return EPFNOSUPPORT; 799 } 800 801 /* Update the counters. */ 802 tdb->tdb_cur_bytes += m->m_pkthdr.len - skip; 803 espstat.esps_obytes += m->m_pkthdr.len - skip; 804 805 /* Hard byte expiration. */ 806 if (tdb->tdb_flags & TDBF_BYTES && 807 tdb->tdb_cur_bytes >= tdb->tdb_exp_bytes) { 808 pfkeyv2_expire(tdb, SADB_EXT_LIFETIME_HARD); 809 tdb_delete(tdb); 810 m_freem(m); 811 return EINVAL; 812 } 813 814 /* Soft byte expiration. */ 815 if (tdb->tdb_flags & TDBF_SOFT_BYTES && 816 tdb->tdb_cur_bytes >= tdb->tdb_soft_bytes) { 817 pfkeyv2_expire(tdb, SADB_EXT_LIFETIME_SOFT); 818 tdb->tdb_flags &= ~TDBF_SOFT_BYTES; /* Turn off checking. */ 819 } 820 821 /* 822 * Loop through mbuf chain; if we find an M_EXT mbuf with 823 * more than one reference, replace the rest of the chain. 824 */ 825 mi = m; 826 while (mi != NULL && 827 (!(mi->m_flags & M_EXT) || !MCLISREFERENCED(mi))) { 828 mo = mi; 829 mi = mi->m_next; 830 } 831 832 if (mi != NULL) { 833 /* Replace the rest of the mbuf chain. */ 834 struct mbuf *n = m_copym2(mi, 0, M_COPYALL, M_DONTWAIT); 835 836 if (n == NULL) { 837 DPRINTF(("esp_output(): bad mbuf chain, SA %s/%08x\n", 838 ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi))); 839 espstat.esps_hdrops++; 840 m_freem(m); 841 return ENOBUFS; 842 } 843 844 if (mo != NULL) 845 mo->m_next = n; 846 else 847 m = n; 848 849 m_freem(mi); 850 } 851 852 /* Inject ESP header. */ 853 mo = m_inject(m, skip, hlen, M_DONTWAIT); 854 if (mo == NULL) { 855 DPRINTF(("esp_output(): failed to inject ESP header for " 856 "SA %s/%08x\n", ipsp_address(tdb->tdb_dst), 857 ntohl(tdb->tdb_spi))); 858 m_freem(m); 859 espstat.esps_wrap++; 860 return ENOBUFS; 861 } 862 863 /* Initialize ESP header. */ 864 bcopy((caddr_t) &tdb->tdb_spi, mtod(mo, caddr_t), sizeof(u_int32_t)); 865 if (!(tdb->tdb_flags & TDBF_NOREPLAY)) { 866 u_int32_t replay = htonl(tdb->tdb_rpl++); 867 bcopy((caddr_t) &replay, mtod(mo, caddr_t) + sizeof(u_int32_t), 868 sizeof(u_int32_t)); 869 } 870 871 /* 872 * Add padding -- better to do it ourselves than use the crypto engine, 873 * although if/when we support compression, we'd have to do that. 874 */ 875 pad = (u_char *) m_pad(m, padding + alen); 876 if (pad == NULL) { 877 DPRINTF(("esp_output(): m_pad() failed for SA %s/%08x\n", 878 ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi))); 879 return ENOBUFS; 880 } 881 882 /* Self-describing or random padding ? */ 883 if (!(tdb->tdb_flags & TDBF_RANDOMPADDING)) 884 for (ilen = 0; ilen < padding - 2; ilen++) 885 pad[ilen] = ilen + 1; 886 else 887 get_random_bytes((void *) pad, padding - 2); 888 889 /* Fix padding length and Next Protocol in padding itself. */ 890 pad[padding - 2] = padding - 2; 891 m_copydata(m, protoff, sizeof(u_int8_t), pad + padding - 1); 892 893 /* Fix Next Protocol in IPv4/IPv6 header. */ 894 prot = IPPROTO_ESP; 895 m_copyback(m, protoff, sizeof(u_int8_t), (u_char *) &prot); 896 897 /* Get crypto descriptors. */ 898 crp = crypto_getreq(esph && espx ? 2 : 1); 899 if (crp == NULL) { 900 m_freem(m); 901 DPRINTF(("esp_output(): failed to acquire crypto " 902 "descriptors\n")); 903 espstat.esps_crypto++; 904 return ENOBUFS; 905 } 906 907 if (espx) { 908 crde = crp->crp_desc; 909 crda = crde->crd_next; 910 911 /* Encryption descriptor. */ 912 crde->crd_skip = skip + hlen; 913 crde->crd_len = m->m_pkthdr.len - (skip + hlen + alen); 914 crde->crd_flags = CRD_F_ENCRYPT; 915 crde->crd_inject = skip + hlen - tdb->tdb_ivlen; 916 917 if (tdb->tdb_flags & TDBF_HALFIV) { 918 /* Copy half-iv in the packet. */ 919 m_copyback(m, crde->crd_inject, tdb->tdb_ivlen, 920 tdb->tdb_iv); 921 922 /* Cook half-iv. */ 923 bcopy(tdb->tdb_iv, crde->crd_iv, tdb->tdb_ivlen); 924 for (ilen = 0; ilen < tdb->tdb_ivlen; ilen++) 925 crde->crd_iv[tdb->tdb_ivlen + ilen] = 926 ~crde->crd_iv[ilen]; 927 928 crde->crd_flags |= 929 CRD_F_IV_PRESENT | CRD_F_IV_EXPLICIT; 930 } 931 932 /* Encryption operation. */ 933 crde->crd_alg = espx->type; 934 crde->crd_key = tdb->tdb_emxkey; 935 crde->crd_klen = tdb->tdb_emxkeylen * 8; 936 /* XXX Rounds ? */ 937 } else 938 crda = crp->crp_desc; 939 940 /* IPsec-specific opaque crypto info. */ 941 MALLOC(tc, struct tdb_crypto *, sizeof(struct tdb_crypto), 942 M_XDATA, M_NOWAIT); 943 if (tc == NULL) { 944 m_freem(m); 945 crypto_freereq(crp); 946 DPRINTF(("esp_output(): failed to allocate tdb_crypto\n")); 947 espstat.esps_crypto++; 948 return ENOBUFS; 949 } 950 951 bzero(tc, sizeof(struct tdb_crypto)); 952 tc->tc_spi = tdb->tdb_spi; 953 tc->tc_proto = tdb->tdb_sproto; 954 bcopy(&tdb->tdb_dst, &tc->tc_dst, sizeof(union sockaddr_union)); 955 956 /* Crypto operation descriptor. */ 957 crp->crp_ilen = m->m_pkthdr.len; /* Total input length. */ 958 crp->crp_flags = CRYPTO_F_IMBUF; 959 crp->crp_buf = (caddr_t) m; 960 crp->crp_callback = (int (*) (struct cryptop *)) esp_output_cb; 961 crp->crp_opaque = (caddr_t) tc; 962 crp->crp_sid = tdb->tdb_cryptoid; 963 964 if (esph) { 965 /* Authentication descriptor. */ 966 crda->crd_skip = skip; 967 crda->crd_len = m->m_pkthdr.len - (skip + alen); 968 crda->crd_inject = m->m_pkthdr.len - alen; 969 970 /* Authentication operation. */ 971 crda->crd_alg = esph->type; 972 crda->crd_key = tdb->tdb_amxkey; 973 crda->crd_klen = tdb->tdb_amxkeylen * 8; 974 } 975 976 if ((tdb->tdb_flags & TDBF_SKIPCRYPTO) == 0) 977 return crypto_dispatch(crp); 978 else 979 return esp_output_cb(crp); 980 } 981 982 /* 983 * ESP output callback, called directly by the crypto driver. 984 */ 985 int 986 esp_output_cb(void *op) 987 { 988 struct cryptop *crp = (struct cryptop *) op; 989 struct tdb_crypto *tc; 990 struct tdb *tdb; 991 struct mbuf *m; 992 int error, s; 993 994 tc = (struct tdb_crypto *) crp->crp_opaque; 995 m = (struct mbuf *) crp->crp_buf; 996 997 s = spltdb(); 998 999 tdb = gettdb(tc->tc_spi, &tc->tc_dst, tc->tc_proto); 1000 1001 FREE(tc, M_XDATA); 1002 if (tdb == NULL) { 1003 espstat.esps_notdb++; 1004 DPRINTF(("esp_output_cb(): TDB is expired while in crypto\n")); 1005 goto baddone; 1006 } 1007 1008 /* Check for crypto errors. */ 1009 if (crp->crp_etype) { 1010 /* Reset session ID. */ 1011 if (tdb->tdb_cryptoid != 0) 1012 tdb->tdb_cryptoid = crp->crp_sid; 1013 1014 if (crp->crp_etype == EAGAIN) { 1015 splx(s); 1016 return crypto_dispatch(crp); 1017 } 1018 1019 espstat.esps_noxform++; 1020 DPRINTF(("esp_output_cb(): crypto error %d\n", 1021 crp->crp_etype)); 1022 error = crp->crp_etype; 1023 goto baddone; 1024 } 1025 1026 /* Shouldn't happen... */ 1027 if (m == NULL) { 1028 espstat.esps_crypto++; 1029 DPRINTF(("esp_output_cb(): bogus returned buffer from " 1030 "crypto\n")); 1031 error = EINVAL; 1032 goto baddone; 1033 } 1034 1035 /* Release crypto descriptors. */ 1036 crypto_freereq(crp); 1037 1038 /* 1039 * If we're doing half-iv, keep a copy of the last few bytes of the 1040 * encrypted part, for use as the next IV. Note that HALF-IV is only 1041 * supposed to be used without authentication (the old ESP specs). 1042 */ 1043 if (tdb->tdb_flags & TDBF_HALFIV) 1044 m_copydata(m, m->m_pkthdr.len - tdb->tdb_ivlen, tdb->tdb_ivlen, 1045 tdb->tdb_iv); 1046 1047 /* Call the IPsec input callback. */ 1048 error = ipsp_process_done(m, tdb); 1049 splx(s); 1050 return error; 1051 1052 baddone: 1053 splx(s); 1054 1055 if (m != NULL) 1056 m_freem(m); 1057 1058 crypto_freereq(crp); 1059 1060 return error; 1061 } 1062 1063 /* 1064 * return 0 on success 1065 * return 1 for counter == 0 1066 * return 2 for very old packet 1067 * return 3 for packet within current window but already received 1068 */ 1069 int 1070 checkreplaywindow32(u_int32_t seq, u_int32_t initial, u_int32_t *lastseq, 1071 u_int32_t window, u_int32_t *bitmap) 1072 { 1073 u_int32_t diff; 1074 1075 seq -= initial; 1076 1077 if (seq == 0) 1078 return 1; 1079 1080 if (seq > *lastseq - initial) { 1081 diff = seq - (*lastseq - initial); 1082 if (diff < window) 1083 *bitmap = ((*bitmap) << diff) | 1; 1084 else 1085 *bitmap = 1; 1086 *lastseq = seq + initial; 1087 return 0; 1088 } 1089 1090 diff = *lastseq - initial - seq; 1091 if (diff >= window) { 1092 espstat.esps_wrap++; 1093 return 2; 1094 } 1095 1096 if ((*bitmap) & (((u_int32_t) 1) << diff)) { 1097 espstat.esps_replay++; 1098 return 3; 1099 } 1100 1101 *bitmap |= (((u_int32_t) 1) << diff); 1102 return 0; 1103 } 1104 1105 /* 1106 * m_pad(m, n) pads <m> with <n> bytes at the end. The packet header 1107 * length is updated, and a pointer to the first byte of the padding 1108 * (which is guaranteed to be all in one mbuf) is returned. 1109 */ 1110 1111 caddr_t 1112 m_pad(struct mbuf *m, int n) 1113 { 1114 register struct mbuf *m0, *m1; 1115 register int len, pad; 1116 caddr_t retval; 1117 1118 if (n <= 0) { /* No stupid arguments. */ 1119 DPRINTF(("m_pad(): pad length invalid (%d)\n", n)); 1120 return NULL; 1121 } 1122 1123 len = m->m_pkthdr.len; 1124 pad = n; 1125 m0 = m; 1126 1127 while (m0->m_len < len) { 1128 len -= m0->m_len; 1129 m0 = m0->m_next; 1130 } 1131 1132 if (m0->m_len != len) { 1133 DPRINTF(("m_pad(): length mismatch (should be %d instead of " 1134 "%d)\n", m->m_pkthdr.len, 1135 m->m_pkthdr.len + m0->m_len - len)); 1136 1137 m_freem(m); 1138 return NULL; 1139 } 1140 1141 /* Check for zero-length trailing mbufs, and find the last one. */ 1142 for (m1 = m0; m1->m_next; m1 = m1->m_next) { 1143 if (m1->m_next->m_len != 0) { 1144 DPRINTF(("m_pad(): length mismatch (should be %d " 1145 "instead of %d)\n", m->m_pkthdr.len, 1146 m->m_pkthdr.len + m1->m_next->m_len)); 1147 1148 m_freem(m); 1149 return NULL; 1150 } 1151 1152 m0 = m1->m_next; 1153 } 1154 1155 if ((m0->m_flags & M_EXT) || 1156 m0->m_data + m0->m_len + pad >= &(m0->m_dat[MLEN])) { 1157 /* Add an mbuf to the chain. */ 1158 MGET(m1, M_DONTWAIT, MT_DATA); 1159 if (m1 == 0) { 1160 m_freem(m0); 1161 DPRINTF(("m_pad(): cannot append\n")); 1162 return NULL; 1163 } 1164 1165 m0->m_next = m1; 1166 m0 = m1; 1167 m0->m_len = 0; 1168 } 1169 1170 retval = m0->m_data + m0->m_len; 1171 m0->m_len += pad; 1172 m->m_pkthdr.len += pad; 1173 1174 return retval; 1175 } 1176