xform_ah.c revision 1.20
1 /* $NetBSD: xform_ah.c,v 1.20 2008/02/04 00:35:35 tls Exp $ */ 2 /* $FreeBSD: src/sys/netipsec/xform_ah.c,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $ */ 3 /* $OpenBSD: ip_ah.c,v 1.63 2001/06/26 06:18:58 angelos Exp $ */ 4 /* 5 * The authors of this code are John Ioannidis (ji (at) tla.org), 6 * Angelos D. Keromytis (kermit (at) csd.uch.gr) and 7 * Niels Provos (provos (at) physnet.uni-hamburg.de). 8 * 9 * The original version of this code was written by John Ioannidis 10 * for BSD/OS in Athens, Greece, in November 1995. 11 * 12 * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996, 13 * by Angelos D. Keromytis. 14 * 15 * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis 16 * and Niels Provos. 17 * 18 * Additional features in 1999 by Angelos D. Keromytis and Niklas Hallqvist. 19 * 20 * Copyright (c) 1995, 1996, 1997, 1998, 1999 by John Ioannidis, 21 * Angelos D. Keromytis and Niels Provos. 22 * Copyright (c) 1999 Niklas Hallqvist. 23 * Copyright (c) 2001 Angelos D. Keromytis. 24 * 25 * Permission to use, copy, and modify this software with or without fee 26 * is hereby granted, provided that this entire notice is included in 27 * all copies of any software which is or includes a copy or 28 * modification of this software. 29 * You may use this code under the GNU public license if you so wish. Please 30 * contribute changes back to the authors under this freer than GPL license 31 * so that we may further the use of strong encryption without limitations to 32 * all. 33 * 34 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR 35 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY 36 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE 37 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR 38 * PURPOSE. 39 */ 40 41 #include <sys/cdefs.h> 42 __KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.20 2008/02/04 00:35:35 tls Exp $"); 43 44 #include "opt_inet.h" 45 #ifdef __FreeBSD__ 46 #include "opt_inet6.h" 47 #endif 48 49 #include <sys/param.h> 50 #include <sys/systm.h> 51 #include <sys/mbuf.h> 52 #include <sys/socket.h> 53 #include <sys/syslog.h> 54 #include <sys/kernel.h> 55 #include <sys/sysctl.h> 56 57 #include <net/if.h> 58 59 #include <netinet/in.h> 60 #include <netinet/in_systm.h> 61 #include <netinet/ip.h> 62 #include <netinet/ip_ecn.h> 63 #include <netinet/ip6.h> 64 65 #include <net/route.h> 66 #include <netipsec/ipsec.h> 67 #include <netipsec/ah.h> 68 #include <netipsec/ah_var.h> 69 #include <netipsec/xform.h> 70 71 #ifdef INET6 72 #include <netinet6/ip6_var.h> 73 #include <netipsec/ipsec6.h> 74 # ifdef __FreeBSD__ 75 # include <netinet6/ip6_ecn.h> 76 # endif 77 #endif 78 79 #include <netipsec/key.h> 80 #include <netipsec/key_debug.h> 81 #include <netipsec/ipsec_osdep.h> 82 83 #include <opencrypto/cryptodev.h> 84 85 /* 86 * Return header size in bytes. The old protocol did not support 87 * the replay counter; the new protocol always includes the counter. 88 */ 89 #define HDRSIZE(sav) \ 90 (((sav)->flags & SADB_X_EXT_OLD) ? \ 91 sizeof (struct ah) : sizeof (struct ah) + sizeof (u_int32_t)) 92 /* 93 * Return authenticator size in bytes. The old protocol is known 94 * to use a fixed 16-byte authenticator. The new algorithm gets 95 * this size from the xform but is (currently) always 12. 96 */ 97 #define AUTHSIZE(sav) \ 98 ((sav->flags & SADB_X_EXT_OLD) ? 16 : (sav)->tdb_authalgxform->authsize) 99 100 int ah_enable = 1; /* control flow of packets with AH */ 101 int ip4_ah_cleartos = 1; /* clear ip_tos when doing AH calc */ 102 struct ahstat ahstat; 103 104 #ifdef __FreeBSD__ 105 SYSCTL_DECL(_net_inet_ah); 106 SYSCTL_INT(_net_inet_ah, OID_AUTO, 107 ah_enable, CTLFLAG_RW, &ah_enable, 0, ""); 108 SYSCTL_INT(_net_inet_ah, OID_AUTO, 109 ah_cleartos, CTLFLAG_RW, &ip4_ah_cleartos, 0, ""); 110 SYSCTL_STRUCT(_net_inet_ah, IPSECCTL_STATS, 111 stats, CTLFLAG_RD, &ahstat, ahstat, ""); 112 113 #endif /* __FreeBSD__ */ 114 115 static unsigned char ipseczeroes[256]; /* larger than an ip6 extension hdr */ 116 117 static int ah_input_cb(struct cryptop*); 118 static int ah_output_cb(struct cryptop*); 119 120 /* 121 * NB: this is public for use by the PF_KEY support. 122 */ 123 struct auth_hash * 124 ah_algorithm_lookup(int alg) 125 { 126 if (alg >= AH_ALG_MAX) 127 return NULL; 128 switch (alg) { 129 case SADB_X_AALG_NULL: 130 return &auth_hash_null; 131 case SADB_AALG_MD5HMAC: 132 return &auth_hash_hmac_md5_96; 133 case SADB_AALG_SHA1HMAC: 134 return &auth_hash_hmac_sha1_96; 135 case SADB_X_AALG_RIPEMD160HMAC: 136 return &auth_hash_hmac_ripemd_160_96; 137 case SADB_X_AALG_MD5: 138 return &auth_hash_key_md5; 139 case SADB_X_AALG_SHA: 140 return &auth_hash_key_sha1; 141 case SADB_X_AALG_SHA2_256: 142 return &auth_hash_hmac_sha2_256; 143 case SADB_X_AALG_SHA2_384: 144 return &auth_hash_hmac_sha2_384; 145 case SADB_X_AALG_SHA2_512: 146 return &auth_hash_hmac_sha2_512; 147 } 148 return NULL; 149 } 150 151 size_t 152 ah_hdrsiz(struct secasvar *sav) 153 { 154 size_t size; 155 156 if (sav != NULL) { 157 int authsize; 158 IPSEC_ASSERT(sav->tdb_authalgxform != NULL, 159 ("ah_hdrsiz: null xform")); 160 /*XXX not right for null algorithm--does it matter??*/ 161 authsize = AUTHSIZE(sav); 162 size = roundup(authsize, sizeof (u_int32_t)) + HDRSIZE(sav); 163 } else { 164 /* default guess */ 165 size = sizeof (struct ah) + sizeof (u_int32_t) + 16; 166 } 167 return size; 168 } 169 170 /* 171 * NB: public for use by esp_init. 172 */ 173 int 174 ah_init0(struct secasvar *sav, struct xformsw *xsp, struct cryptoini *cria) 175 { 176 struct auth_hash *thash; 177 int keylen; 178 179 thash = ah_algorithm_lookup(sav->alg_auth); 180 if (thash == NULL) { 181 DPRINTF(("ah_init: unsupported authentication algorithm %u\n", 182 sav->alg_auth)); 183 return EINVAL; 184 } 185 /* 186 * Verify the replay state block allocation is consistent with 187 * the protocol type. We check here so we can make assumptions 188 * later during protocol processing. 189 */ 190 /* NB: replay state is setup elsewhere (sigh) */ 191 if (((sav->flags&SADB_X_EXT_OLD) == 0) ^ (sav->replay != NULL)) { 192 DPRINTF(("ah_init: replay state block inconsistency, " 193 "%s algorithm %s replay state\n", 194 (sav->flags & SADB_X_EXT_OLD) ? "old" : "new", 195 sav->replay == NULL ? "without" : "with")); 196 return EINVAL; 197 } 198 if (sav->key_auth == NULL) { 199 DPRINTF(("ah_init: no authentication key for %s " 200 "algorithm\n", thash->name)); 201 return EINVAL; 202 } 203 keylen = _KEYLEN(sav->key_auth); 204 if (keylen != thash->keysize && thash->keysize != 0) { 205 DPRINTF(("ah_init: invalid keylength %d, algorithm " 206 "%s requires keysize %d\n", 207 keylen, thash->name, thash->keysize)); 208 return EINVAL; 209 } 210 211 sav->tdb_xform = xsp; 212 sav->tdb_authalgxform = thash; 213 214 /* Initialize crypto session. */ 215 bzero(cria, sizeof (*cria)); 216 cria->cri_alg = sav->tdb_authalgxform->type; 217 cria->cri_klen = _KEYBITS(sav->key_auth); 218 cria->cri_key = _KEYBUF(sav->key_auth); 219 220 return 0; 221 } 222 223 /* 224 * ah_init() is called when an SPI is being set up. 225 */ 226 static int 227 ah_init(struct secasvar *sav, struct xformsw *xsp) 228 { 229 struct cryptoini cria; 230 int error; 231 232 error = ah_init0(sav, xsp, &cria); 233 if (!error) { 234 mutex_spin_enter(&crypto_mtx); 235 error = crypto_newsession(&sav->tdb_cryptoid, 236 &cria, crypto_support); 237 mutex_spin_exit(&crypto_mtx); 238 } 239 return error; 240 } 241 242 /* 243 * Paranoia. 244 * 245 * NB: public for use by esp_zeroize (XXX). 246 */ 247 int 248 ah_zeroize(struct secasvar *sav) 249 { 250 int err; 251 252 if (sav->key_auth) 253 bzero(_KEYBUF(sav->key_auth), _KEYLEN(sav->key_auth)); 254 255 mutex_spin_enter(&crypto_mtx); 256 err = crypto_freesession(sav->tdb_cryptoid); 257 mutex_spin_exit(&crypto_mtx); 258 sav->tdb_cryptoid = 0; 259 sav->tdb_authalgxform = NULL; 260 sav->tdb_xform = NULL; 261 return err; 262 } 263 264 /* 265 * Massage IPv4/IPv6 headers for AH processing. 266 */ 267 static int 268 ah_massage_headers(struct mbuf **m0, int proto, int skip, int alg, int out) 269 { 270 struct mbuf *m = *m0; 271 unsigned char *ptr; 272 int off, count; 273 274 #ifdef INET 275 struct ip *ip; 276 #endif /* INET */ 277 278 #ifdef INET6 279 struct ip6_ext *ip6e; 280 struct ip6_hdr ip6; 281 int alloc, len, ad; 282 #endif /* INET6 */ 283 284 switch (proto) { 285 #ifdef INET 286 case AF_INET: 287 /* 288 * This is the least painful way of dealing with IPv4 header 289 * and option processing -- just make sure they're in 290 * contiguous memory. 291 */ 292 *m0 = m = m_pullup(m, skip); 293 if (m == NULL) { 294 DPRINTF(("ah_massage_headers: m_pullup failed\n")); 295 return ENOBUFS; 296 } 297 298 /* Fix the IP header */ 299 ip = mtod(m, struct ip *); 300 if (ip4_ah_cleartos) 301 ip->ip_tos = 0; 302 ip->ip_ttl = 0; 303 ip->ip_sum = 0; 304 ip->ip_off = htons(ntohs(ip->ip_off) & ip4_ah_offsetmask); 305 306 /* 307 * On FreeBSD, ip_off and ip_len assumed in host endian; 308 * they are converted (if necessary) by ip_input(). 309 * On NetBSD, ip_off and ip_len are in network byte order. 310 * They must be massaged back to network byte order 311 * before verifying the HMAC. Moreover, on FreeBSD, 312 * we should add `skip' back into the massaged ip_len 313 * (presumably ip_input() deducted it before we got here?) 314 * whereas on NetBSD, we should not. 315 */ 316 #ifdef __FreeBSD__ 317 #define TOHOST(x) (x) 318 #else 319 #define TOHOST(x) (ntohs(x)) 320 #endif 321 if (!out) { 322 u_int16_t inlen = TOHOST(ip->ip_len); 323 324 #ifdef __FreeBSD__ 325 ip->ip_len = htons(inlen + skip); 326 #else /*!__FreeBSD__ */ 327 ip->ip_len = htons(inlen); 328 #endif /*!__FreeBSD__ */ 329 DPRINTF(("ip len: skip %d, " 330 "in %d host %d: new: raw %d host %d\n", 331 skip, 332 inlen, TOHOST(inlen), 333 ip->ip_len, ntohs(ip->ip_len))); 334 335 336 if (alg == CRYPTO_MD5_KPDK || alg == CRYPTO_SHA1_KPDK) 337 ip->ip_off &= IP_OFF_CONVERT(IP_DF); 338 else 339 ip->ip_off = 0; 340 } else { 341 if (alg == CRYPTO_MD5_KPDK || alg == CRYPTO_SHA1_KPDK) 342 ip->ip_off &= IP_OFF_CONVERT(IP_DF); 343 else 344 ip->ip_off = 0; 345 } 346 347 ptr = mtod(m, unsigned char *) + sizeof(struct ip); 348 349 /* IPv4 option processing */ 350 for (off = sizeof(struct ip); off < skip;) { 351 if (ptr[off] == IPOPT_EOL || ptr[off] == IPOPT_NOP || 352 off + 1 < skip) 353 ; 354 else { 355 DPRINTF(("ah_massage_headers: illegal IPv4 " 356 "option length for option %d\n", 357 ptr[off])); 358 359 m_freem(m); 360 return EINVAL; 361 } 362 363 switch (ptr[off]) { 364 case IPOPT_EOL: 365 off = skip; /* End the loop. */ 366 break; 367 368 case IPOPT_NOP: 369 off++; 370 break; 371 372 case IPOPT_SECURITY: /* 0x82 */ 373 case 0x85: /* Extended security. */ 374 case 0x86: /* Commercial security. */ 375 case 0x94: /* Router alert */ 376 case 0x95: /* RFC1770 */ 377 /* Sanity check for option length. */ 378 if (ptr[off + 1] < 2) { 379 DPRINTF(("ah_massage_headers: " 380 "illegal IPv4 option length for " 381 "option %d\n", ptr[off])); 382 383 m_freem(m); 384 return EINVAL; 385 } 386 387 off += ptr[off + 1]; 388 break; 389 390 case IPOPT_LSRR: 391 case IPOPT_SSRR: 392 /* Sanity check for option length. */ 393 if (ptr[off + 1] < 2) { 394 DPRINTF(("ah_massage_headers: " 395 "illegal IPv4 option length for " 396 "option %d\n", ptr[off])); 397 398 m_freem(m); 399 return EINVAL; 400 } 401 402 /* 403 * On output, if we have either of the 404 * source routing options, we should 405 * swap the destination address of the 406 * IP header with the last address 407 * specified in the option, as that is 408 * what the destination's IP header 409 * will look like. 410 */ 411 if (out) 412 bcopy(ptr + off + ptr[off + 1] - 413 sizeof(struct in_addr), 414 &(ip->ip_dst), sizeof(struct in_addr)); 415 416 /* Fall through */ 417 default: 418 /* Sanity check for option length. */ 419 if (ptr[off + 1] < 2) { 420 DPRINTF(("ah_massage_headers: " 421 "illegal IPv4 option length for " 422 "option %d\n", ptr[off])); 423 m_freem(m); 424 return EINVAL; 425 } 426 427 /* Zeroize all other options. */ 428 count = ptr[off + 1]; 429 bcopy(ipseczeroes, ptr, count); 430 off += count; 431 break; 432 } 433 434 /* Sanity check. */ 435 if (off > skip) { 436 DPRINTF(("ah_massage_headers(): malformed " 437 "IPv4 options header\n")); 438 439 m_freem(m); 440 return EINVAL; 441 } 442 } 443 444 break; 445 #endif /* INET */ 446 447 #ifdef INET6 448 case AF_INET6: /* Ugly... */ 449 /* Copy and "cook" the IPv6 header. */ 450 m_copydata(m, 0, sizeof(ip6), &ip6); 451 452 /* We don't do IPv6 Jumbograms. */ 453 if (ip6.ip6_plen == 0) { 454 DPRINTF(("ah_massage_headers: unsupported IPv6 jumbogram\n")); 455 m_freem(m); 456 return EMSGSIZE; 457 } 458 459 ip6.ip6_flow = 0; 460 ip6.ip6_hlim = 0; 461 ip6.ip6_vfc &= ~IPV6_VERSION_MASK; 462 ip6.ip6_vfc |= IPV6_VERSION; 463 464 /* Scoped address handling. */ 465 if (IN6_IS_SCOPE_LINKLOCAL(&ip6.ip6_src)) 466 ip6.ip6_src.s6_addr16[1] = 0; 467 if (IN6_IS_SCOPE_LINKLOCAL(&ip6.ip6_dst)) 468 ip6.ip6_dst.s6_addr16[1] = 0; 469 470 /* Done with IPv6 header. */ 471 m_copyback(m, 0, sizeof(struct ip6_hdr), &ip6); 472 473 /* Let's deal with the remaining headers (if any). */ 474 if (skip - sizeof(struct ip6_hdr) > 0) { 475 if (m->m_len <= skip) { 476 ptr = (unsigned char *) malloc( 477 skip - sizeof(struct ip6_hdr), 478 M_XDATA, M_NOWAIT); 479 if (ptr == NULL) { 480 DPRINTF(("ah_massage_headers: failed " 481 "to allocate memory for IPv6 " 482 "headers\n")); 483 m_freem(m); 484 return ENOBUFS; 485 } 486 487 /* 488 * Copy all the protocol headers after 489 * the IPv6 header. 490 */ 491 m_copydata(m, sizeof(struct ip6_hdr), 492 skip - sizeof(struct ip6_hdr), ptr); 493 alloc = 1; 494 } else { 495 /* No need to allocate memory. */ 496 ptr = mtod(m, unsigned char *) + 497 sizeof(struct ip6_hdr); 498 alloc = 0; 499 } 500 } else 501 break; 502 503 off = ip6.ip6_nxt & 0xff; /* Next header type. */ 504 505 for (len = 0; len < skip - sizeof(struct ip6_hdr);) 506 switch (off) { 507 case IPPROTO_HOPOPTS: 508 case IPPROTO_DSTOPTS: 509 ip6e = (struct ip6_ext *) (ptr + len); 510 511 /* 512 * Process the mutable/immutable 513 * options -- borrows heavily from the 514 * KAME code. 515 */ 516 for (count = len + sizeof(struct ip6_ext); 517 count < len + ((ip6e->ip6e_len + 1) << 3);) { 518 if (ptr[count] == IP6OPT_PAD1) { 519 count++; 520 continue; /* Skip padding. */ 521 } 522 523 /* Sanity check. */ 524 if (count > len + 525 ((ip6e->ip6e_len + 1) << 3)) { 526 m_freem(m); 527 528 /* Free, if we allocated. */ 529 if (alloc) 530 FREE(ptr, M_XDATA); 531 return EINVAL; 532 } 533 534 ad = ptr[count + 1]; 535 536 /* If mutable option, zeroize. */ 537 if (ptr[count] & IP6OPT_MUTABLE) 538 bcopy(ipseczeroes, ptr + count, 539 ptr[count + 1]); 540 541 count += ad; 542 543 /* Sanity check. */ 544 if (count > 545 skip - sizeof(struct ip6_hdr)) { 546 m_freem(m); 547 548 /* Free, if we allocated. */ 549 if (alloc) 550 FREE(ptr, M_XDATA); 551 return EINVAL; 552 } 553 } 554 555 /* Advance. */ 556 len += ((ip6e->ip6e_len + 1) << 3); 557 off = ip6e->ip6e_nxt; 558 break; 559 560 case IPPROTO_ROUTING: 561 /* 562 * Always include routing headers in 563 * computation. 564 */ 565 ip6e = (struct ip6_ext *) (ptr + len); 566 len += ((ip6e->ip6e_len + 1) << 3); 567 off = ip6e->ip6e_nxt; 568 break; 569 570 default: 571 DPRINTF(("ah_massage_headers: unexpected " 572 "IPv6 header type %d", off)); 573 if (alloc) 574 FREE(ptr, M_XDATA); 575 m_freem(m); 576 return EINVAL; 577 } 578 579 /* Copyback and free, if we allocated. */ 580 if (alloc) { 581 m_copyback(m, sizeof(struct ip6_hdr), 582 skip - sizeof(struct ip6_hdr), ptr); 583 free(ptr, M_XDATA); 584 } 585 586 break; 587 #endif /* INET6 */ 588 } 589 590 return 0; 591 } 592 593 /* 594 * ah_input() gets called to verify that an input packet 595 * passes authentication. 596 */ 597 static int 598 ah_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff) 599 { 600 struct auth_hash *ahx; 601 struct tdb_ident *tdbi; 602 struct tdb_crypto *tc; 603 struct m_tag *mtag; 604 struct newah *ah; 605 int hl, rplen, authsize; 606 607 struct cryptodesc *crda; 608 struct cryptop *crp; 609 610 IPSEC_SPLASSERT_SOFTNET("ah_input"); 611 612 IPSEC_ASSERT(sav != NULL, ("ah_input: null SA")); 613 IPSEC_ASSERT(sav->key_auth != NULL, 614 ("ah_input: null authentication key")); 615 IPSEC_ASSERT(sav->tdb_authalgxform != NULL, 616 ("ah_input: null authentication xform")); 617 618 /* Figure out header size. */ 619 rplen = HDRSIZE(sav); 620 621 /* XXX don't pullup, just copy header */ 622 IP6_EXTHDR_GET(ah, struct newah *, m, skip, rplen); 623 if (ah == NULL) { 624 DPRINTF(("ah_input: cannot pullup header\n")); 625 ahstat.ahs_hdrops++; /*XXX*/ 626 m_freem(m); 627 return ENOBUFS; 628 } 629 630 /* Check replay window, if applicable. */ 631 if (sav->replay && !ipsec_chkreplay(ntohl(ah->ah_seq), sav)) { 632 ahstat.ahs_replay++; 633 DPRINTF(("ah_input: packet replay failure: %s\n", 634 ipsec_logsastr(sav))); 635 m_freem(m); 636 return ENOBUFS; 637 } 638 639 /* Verify AH header length. */ 640 hl = ah->ah_len * sizeof (u_int32_t); 641 ahx = sav->tdb_authalgxform; 642 authsize = AUTHSIZE(sav); 643 if (hl != authsize + rplen - sizeof (struct ah)) { 644 DPRINTF(("ah_input: bad authenticator length %u (expecting %lu)" 645 " for packet in SA %s/%08lx\n", 646 hl, (u_long) (authsize + rplen - sizeof (struct ah)), 647 ipsec_address(&sav->sah->saidx.dst), 648 (u_long) ntohl(sav->spi))); 649 ahstat.ahs_badauthl++; 650 m_freem(m); 651 return EACCES; 652 } 653 ahstat.ahs_ibytes += m->m_pkthdr.len - skip - hl; 654 DPRINTF(("ah_input skip %d poff %d\n" 655 "len: hl %d authsize %d rpl %d expect %ld\n", 656 skip, protoff, 657 hl, authsize, rplen, 658 (long)(authsize + rplen - sizeof(struct ah)))); 659 660 /* Get crypto descriptors. */ 661 crp = crypto_getreq(1); 662 if (crp == NULL) { 663 DPRINTF(("ah_input: failed to acquire crypto descriptor\n")); 664 ahstat.ahs_crypto++; 665 m_freem(m); 666 return ENOBUFS; 667 } 668 669 crda = crp->crp_desc; 670 IPSEC_ASSERT(crda != NULL, ("ah_input: null crypto descriptor")); 671 672 crda->crd_skip = 0; 673 crda->crd_len = m->m_pkthdr.len; 674 crda->crd_inject = skip + rplen; 675 676 /* Authentication operation. */ 677 crda->crd_alg = ahx->type; 678 crda->crd_key = _KEYBUF(sav->key_auth); 679 crda->crd_klen = _KEYBITS(sav->key_auth); 680 681 /* Find out if we've already done crypto. */ 682 for (mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_CRYPTO_DONE, NULL); 683 mtag != NULL; 684 mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_CRYPTO_DONE, mtag)) { 685 tdbi = (struct tdb_ident *) (mtag + 1); 686 if (tdbi->proto == sav->sah->saidx.proto && 687 tdbi->spi == sav->spi && 688 !bcmp(&tdbi->dst, &sav->sah->saidx.dst, 689 sizeof (union sockaddr_union))) 690 break; 691 } 692 693 /* Allocate IPsec-specific opaque crypto info. */ 694 if (mtag == NULL) { 695 tc = (struct tdb_crypto *) malloc(sizeof (struct tdb_crypto) + 696 skip + rplen + authsize, M_XDATA, M_NOWAIT|M_ZERO); 697 } else { 698 /* Hash verification has already been done successfully. */ 699 tc = (struct tdb_crypto *) malloc(sizeof (struct tdb_crypto), 700 M_XDATA, M_NOWAIT|M_ZERO); 701 } 702 if (tc == NULL) { 703 DPRINTF(("ah_input: failed to allocate tdb_crypto\n")); 704 ahstat.ahs_crypto++; 705 crypto_freereq(crp); 706 m_freem(m); 707 return ENOBUFS; 708 } 709 710 /* Only save information if crypto processing is needed. */ 711 if (mtag == NULL) { 712 int error; 713 714 /* 715 * Save the authenticator, the skipped portion of the packet, 716 * and the AH header. 717 */ 718 m_copydata(m, 0, skip + rplen + authsize, (char *)(tc+1)); 719 720 { 721 u_int8_t *pppp = ((char *)(tc+1))+skip+rplen; 722 DPRINTF(("ah_input: zeroing %d bytes of authent " \ 723 "%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x\n", 724 authsize, 725 pppp[0], pppp[1], pppp[2], pppp[3], 726 pppp[4], pppp[5], pppp[6], pppp[7], 727 pppp[8], pppp[9], pppp[10], pppp[11])); 728 } 729 730 /* Zeroize the authenticator on the packet. */ 731 m_copyback(m, skip + rplen, authsize, ipseczeroes); 732 733 /* "Massage" the packet headers for crypto processing. */ 734 error = ah_massage_headers(&m, sav->sah->saidx.dst.sa.sa_family, 735 skip, ahx->type, 0); 736 if (error != 0) { 737 /* NB: mbuf is free'd by ah_massage_headers */ 738 ahstat.ahs_hdrops++; 739 free(tc, M_XDATA); 740 crypto_freereq(crp); 741 return error; 742 } 743 } 744 745 /* Crypto operation descriptor. */ 746 crp->crp_ilen = m->m_pkthdr.len; /* Total input length. */ 747 crp->crp_flags = CRYPTO_F_IMBUF; 748 crp->crp_buf = m; 749 crp->crp_callback = ah_input_cb; 750 crp->crp_sid = sav->tdb_cryptoid; 751 crp->crp_opaque = tc; 752 753 /* These are passed as-is to the callback. */ 754 tc->tc_spi = sav->spi; 755 tc->tc_dst = sav->sah->saidx.dst; 756 tc->tc_proto = sav->sah->saidx.proto; 757 tc->tc_nxt = ah->ah_nxt; 758 tc->tc_protoff = protoff; 759 tc->tc_skip = skip; 760 tc->tc_ptr = mtag; /* Save the mtag we've identified. */ 761 762 DPRINTF(("ah: hash over %d bytes, skip %d: " 763 "crda len %d skip %d inject %d\n", 764 crp->crp_ilen, tc->tc_skip, 765 crda->crd_len, crda->crd_skip, crda->crd_inject)); 766 767 if (mtag == NULL) 768 return crypto_dispatch(crp); 769 else 770 return ah_input_cb(crp); 771 } 772 773 #ifdef INET6 774 #define IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff, mtag) do { \ 775 if (saidx->dst.sa.sa_family == AF_INET6) { \ 776 error = ipsec6_common_input_cb(m, sav, skip, protoff, mtag); \ 777 } else { \ 778 error = ipsec4_common_input_cb(m, sav, skip, protoff, mtag); \ 779 } \ 780 } while (0) 781 #else 782 #define IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff, mtag) \ 783 (error = ipsec4_common_input_cb(m, sav, skip, protoff, mtag)) 784 #endif 785 786 /* 787 * AH input callback from the crypto driver. 788 */ 789 static int 790 ah_input_cb(struct cryptop *crp) 791 { 792 int rplen, error, skip, protoff; 793 unsigned char calc[AH_ALEN_MAX]; 794 struct mbuf *m; 795 struct cryptodesc *crd; 796 struct auth_hash *ahx; 797 struct tdb_crypto *tc; 798 struct m_tag *mtag; 799 struct secasvar *sav; 800 struct secasindex *saidx; 801 u_int8_t nxt; 802 char *ptr; 803 int s, authsize; 804 u_int16_t dport = 0; 805 u_int16_t sport = 0; 806 #ifdef IPSEC_NAT_T 807 struct m_tag * tag = NULL; 808 #endif 809 810 crd = crp->crp_desc; 811 812 tc = (struct tdb_crypto *) crp->crp_opaque; 813 IPSEC_ASSERT(tc != NULL, ("ah_input_cb: null opaque crypto data area!")); 814 skip = tc->tc_skip; 815 nxt = tc->tc_nxt; 816 protoff = tc->tc_protoff; 817 mtag = (struct m_tag *) tc->tc_ptr; 818 m = (struct mbuf *) crp->crp_buf; 819 820 821 #ifdef IPSEC_NAT_T 822 /* find the source port for NAT-T */ 823 if ((tag = m_tag_find(m, PACKET_TAG_IPSEC_NAT_T_PORTS, NULL))) { 824 sport = ((u_int16_t *)(tag + 1))[0]; 825 dport = ((u_int16_t *)(tag + 1))[1]; 826 } 827 #endif 828 829 s = splsoftnet(); 830 831 sav = KEY_ALLOCSA(&tc->tc_dst, tc->tc_proto, tc->tc_spi, sport, dport); 832 if (sav == NULL) { 833 ahstat.ahs_notdb++; 834 DPRINTF(("ah_input_cb: SA expired while in crypto\n")); 835 error = ENOBUFS; /*XXX*/ 836 goto bad; 837 } 838 839 saidx = &sav->sah->saidx; 840 IPSEC_ASSERT(saidx->dst.sa.sa_family == AF_INET || 841 saidx->dst.sa.sa_family == AF_INET6, 842 ("ah_input_cb: unexpected protocol family %u", 843 saidx->dst.sa.sa_family)); 844 845 ahx = (struct auth_hash *) sav->tdb_authalgxform; 846 847 /* Check for crypto errors. */ 848 if (crp->crp_etype) { 849 if (sav->tdb_cryptoid != 0) 850 sav->tdb_cryptoid = crp->crp_sid; 851 852 if (crp->crp_etype == EAGAIN) 853 return crypto_dispatch(crp); 854 855 ahstat.ahs_noxform++; 856 DPRINTF(("ah_input_cb: crypto error %d\n", crp->crp_etype)); 857 error = crp->crp_etype; 858 goto bad; 859 } else { 860 ahstat.ahs_hist[sav->alg_auth]++; 861 crypto_freereq(crp); /* No longer needed. */ 862 crp = NULL; 863 } 864 865 /* Shouldn't happen... */ 866 if (m == NULL) { 867 ahstat.ahs_crypto++; 868 DPRINTF(("ah_input_cb: bogus returned buffer from crypto\n")); 869 error = EINVAL; 870 goto bad; 871 } 872 873 /* Figure out header size. */ 874 rplen = HDRSIZE(sav); 875 authsize = AUTHSIZE(sav); 876 877 if (ipsec_debug) 878 bzero(calc, sizeof(calc)); 879 880 /* Copy authenticator off the packet. */ 881 m_copydata(m, skip + rplen, authsize, calc); 882 883 /* 884 * If we have an mtag, we don't need to verify the authenticator -- 885 * it has been verified by an IPsec-aware NIC. 886 */ 887 if (mtag == NULL) { 888 ptr = (char *) (tc + 1); 889 890 /* Verify authenticator. */ 891 if (bcmp(ptr + skip + rplen, calc, authsize)) { 892 u_int8_t *pppp = ptr + skip+rplen; 893 DPRINTF(("ah_input: authentication hash mismatch " \ 894 "over %d bytes " \ 895 "for packet in SA %s/%08lx:\n" \ 896 "%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x, " \ 897 "%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x\n", 898 authsize, 899 ipsec_address(&saidx->dst), 900 (u_long) ntohl(sav->spi), 901 calc[0], calc[1], calc[2], calc[3], 902 calc[4], calc[5], calc[6], calc[7], 903 calc[8], calc[9], calc[10], calc[11], 904 pppp[0], pppp[1], pppp[2], pppp[3], 905 pppp[4], pppp[5], pppp[6], pppp[7], 906 pppp[8], pppp[9], pppp[10], pppp[11] 907 )); 908 ahstat.ahs_badauth++; 909 error = EACCES; 910 goto bad; 911 } 912 913 /* Fix the Next Protocol field. */ 914 ((u_int8_t *) ptr)[protoff] = nxt; 915 916 /* Copyback the saved (uncooked) network headers. */ 917 m_copyback(m, 0, skip, ptr); 918 } else { 919 /* Fix the Next Protocol field. */ 920 m_copyback(m, protoff, sizeof(u_int8_t), &nxt); 921 } 922 923 free(tc, M_XDATA), tc = NULL; /* No longer needed */ 924 925 /* 926 * Header is now authenticated. 927 */ 928 m->m_flags |= M_AUTHIPHDR|M_AUTHIPDGM; 929 930 /* 931 * Update replay sequence number, if appropriate. 932 */ 933 if (sav->replay) { 934 u_int32_t seq; 935 936 m_copydata(m, skip + offsetof(struct newah, ah_seq), 937 sizeof (seq), &seq); 938 if (ipsec_updatereplay(ntohl(seq), sav)) { 939 ahstat.ahs_replay++; 940 error = ENOBUFS; /*XXX as above*/ 941 goto bad; 942 } 943 } 944 945 /* 946 * Remove the AH header and authenticator from the mbuf. 947 */ 948 error = m_striphdr(m, skip, rplen + authsize); 949 if (error) { 950 DPRINTF(("ah_input_cb: mangled mbuf chain for SA %s/%08lx\n", 951 ipsec_address(&saidx->dst), (u_long) ntohl(sav->spi))); 952 953 ahstat.ahs_hdrops++; 954 goto bad; 955 } 956 957 IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff, mtag); 958 959 KEY_FREESAV(&sav); 960 splx(s); 961 return error; 962 bad: 963 if (sav) 964 KEY_FREESAV(&sav); 965 splx(s); 966 if (m != NULL) 967 m_freem(m); 968 if (tc != NULL) 969 free(tc, M_XDATA); 970 if (crp != NULL) 971 crypto_freereq(crp); 972 return error; 973 } 974 975 /* 976 * AH output routine, called by ipsec[46]_process_packet(). 977 */ 978 static int 979 ah_output( 980 struct mbuf *m, 981 struct ipsecrequest *isr, 982 struct mbuf **mp, 983 int skip, 984 int protoff 985 ) 986 { 987 struct secasvar *sav; 988 struct auth_hash *ahx; 989 struct cryptodesc *crda; 990 struct tdb_crypto *tc; 991 struct mbuf *mi; 992 struct cryptop *crp; 993 u_int16_t iplen; 994 int error, rplen, authsize, maxpacketsize, roff; 995 u_int8_t prot; 996 struct newah *ah; 997 998 IPSEC_SPLASSERT_SOFTNET("ah_output"); 999 1000 sav = isr->sav; 1001 IPSEC_ASSERT(sav != NULL, ("ah_output: null SA")); 1002 ahx = sav->tdb_authalgxform; 1003 IPSEC_ASSERT(ahx != NULL, ("ah_output: null authentication xform")); 1004 1005 ahstat.ahs_output++; 1006 1007 /* Figure out header size. */ 1008 rplen = HDRSIZE(sav); 1009 1010 /* Check for maximum packet size violations. */ 1011 switch (sav->sah->saidx.dst.sa.sa_family) { 1012 #ifdef INET 1013 case AF_INET: 1014 maxpacketsize = IP_MAXPACKET; 1015 break; 1016 #endif /* INET */ 1017 #ifdef INET6 1018 case AF_INET6: 1019 maxpacketsize = IPV6_MAXPACKET; 1020 break; 1021 #endif /* INET6 */ 1022 default: 1023 DPRINTF(("ah_output: unknown/unsupported protocol " 1024 "family %u, SA %s/%08lx\n", 1025 sav->sah->saidx.dst.sa.sa_family, 1026 ipsec_address(&sav->sah->saidx.dst), 1027 (u_long) ntohl(sav->spi))); 1028 ahstat.ahs_nopf++; 1029 error = EPFNOSUPPORT; 1030 goto bad; 1031 } 1032 authsize = AUTHSIZE(sav); 1033 if (rplen + authsize + m->m_pkthdr.len > maxpacketsize) { 1034 DPRINTF(("ah_output: packet in SA %s/%08lx got too big " 1035 "(len %u, max len %u)\n", 1036 ipsec_address(&sav->sah->saidx.dst), 1037 (u_long) ntohl(sav->spi), 1038 rplen + authsize + m->m_pkthdr.len, maxpacketsize)); 1039 ahstat.ahs_toobig++; 1040 error = EMSGSIZE; 1041 goto bad; 1042 } 1043 1044 /* Update the counters. */ 1045 ahstat.ahs_obytes += m->m_pkthdr.len - skip; 1046 1047 m = m_clone(m); 1048 if (m == NULL) { 1049 DPRINTF(("ah_output: cannot clone mbuf chain, SA %s/%08lx\n", 1050 ipsec_address(&sav->sah->saidx.dst), 1051 (u_long) ntohl(sav->spi))); 1052 ahstat.ahs_hdrops++; 1053 error = ENOBUFS; 1054 goto bad; 1055 } 1056 1057 /* Inject AH header. */ 1058 mi = m_makespace(m, skip, rplen + authsize, &roff); 1059 if (mi == NULL) { 1060 DPRINTF(("ah_output: failed to inject %u byte AH header for SA " 1061 "%s/%08lx\n", 1062 rplen + authsize, 1063 ipsec_address(&sav->sah->saidx.dst), 1064 (u_long) ntohl(sav->spi))); 1065 ahstat.ahs_hdrops++; /*XXX differs from openbsd */ 1066 error = ENOBUFS; 1067 goto bad; 1068 } 1069 1070 /* 1071 * The AH header is guaranteed by m_makespace() to be in 1072 * contiguous memory, at roff bytes offset into the returned mbuf. 1073 */ 1074 ah = (struct newah *)(mtod(mi, char *) + roff); 1075 1076 /* Initialize the AH header. */ 1077 m_copydata(m, protoff, sizeof(u_int8_t), (char *) &ah->ah_nxt); 1078 ah->ah_len = (rplen + authsize - sizeof(struct ah)) / sizeof(u_int32_t); 1079 ah->ah_reserve = 0; 1080 ah->ah_spi = sav->spi; 1081 1082 /* Zeroize authenticator. */ 1083 m_copyback(m, skip + rplen, authsize, ipseczeroes); 1084 1085 /* Insert packet replay counter, as requested. */ 1086 if (sav->replay) { 1087 if (sav->replay->count == ~0 && 1088 (sav->flags & SADB_X_EXT_CYCSEQ) == 0) { 1089 DPRINTF(("ah_output: replay counter wrapped for SA " 1090 "%s/%08lx\n", 1091 ipsec_address(&sav->sah->saidx.dst), 1092 (u_long) ntohl(sav->spi))); 1093 ahstat.ahs_wrap++; 1094 error = EINVAL; 1095 goto bad; 1096 } 1097 #ifdef IPSEC_DEBUG 1098 /* Emulate replay attack when ipsec_replay is TRUE. */ 1099 if (!ipsec_replay) 1100 #endif 1101 sav->replay->count++; 1102 ah->ah_seq = htonl(sav->replay->count); 1103 } 1104 1105 /* Get crypto descriptors. */ 1106 crp = crypto_getreq(1); 1107 if (crp == NULL) { 1108 DPRINTF(("ah_output: failed to acquire crypto descriptors\n")); 1109 ahstat.ahs_crypto++; 1110 error = ENOBUFS; 1111 goto bad; 1112 } 1113 1114 crda = crp->crp_desc; 1115 1116 crda->crd_skip = 0; 1117 crda->crd_inject = skip + rplen; 1118 crda->crd_len = m->m_pkthdr.len; 1119 1120 /* Authentication operation. */ 1121 crda->crd_alg = ahx->type; 1122 crda->crd_key = _KEYBUF(sav->key_auth); 1123 crda->crd_klen = _KEYBITS(sav->key_auth); 1124 1125 /* Allocate IPsec-specific opaque crypto info. */ 1126 tc = (struct tdb_crypto *) malloc( 1127 sizeof(struct tdb_crypto) + skip, M_XDATA, M_NOWAIT|M_ZERO); 1128 if (tc == NULL) { 1129 crypto_freereq(crp); 1130 DPRINTF(("ah_output: failed to allocate tdb_crypto\n")); 1131 ahstat.ahs_crypto++; 1132 error = ENOBUFS; 1133 goto bad; 1134 } 1135 1136 /* Save the skipped portion of the packet. */ 1137 m_copydata(m, 0, skip, (tc + 1)); 1138 1139 /* 1140 * Fix IP header length on the header used for 1141 * authentication. We don't need to fix the original 1142 * header length as it will be fixed by our caller. 1143 */ 1144 switch (sav->sah->saidx.dst.sa.sa_family) { 1145 #ifdef INET 1146 case AF_INET: 1147 bcopy(((char *)(tc + 1)) + 1148 offsetof(struct ip, ip_len), 1149 &iplen, sizeof(u_int16_t)); 1150 iplen = htons(ntohs(iplen) + rplen + authsize); 1151 m_copyback(m, offsetof(struct ip, ip_len), 1152 sizeof(u_int16_t), &iplen); 1153 break; 1154 #endif /* INET */ 1155 1156 #ifdef INET6 1157 case AF_INET6: 1158 bcopy(((char *)(tc + 1)) + 1159 offsetof(struct ip6_hdr, ip6_plen), 1160 &iplen, sizeof(u_int16_t)); 1161 iplen = htons(ntohs(iplen) + rplen + authsize); 1162 m_copyback(m, offsetof(struct ip6_hdr, ip6_plen), 1163 sizeof(u_int16_t), &iplen); 1164 break; 1165 #endif /* INET6 */ 1166 } 1167 1168 /* Fix the Next Header field in saved header. */ 1169 ((u_int8_t *) (tc + 1))[protoff] = IPPROTO_AH; 1170 1171 /* Update the Next Protocol field in the IP header. */ 1172 prot = IPPROTO_AH; 1173 m_copyback(m, protoff, sizeof(u_int8_t), &prot); 1174 1175 /* "Massage" the packet headers for crypto processing. */ 1176 error = ah_massage_headers(&m, sav->sah->saidx.dst.sa.sa_family, 1177 skip, ahx->type, 1); 1178 if (error != 0) { 1179 m = NULL; /* mbuf was free'd by ah_massage_headers. */ 1180 free(tc, M_XDATA); 1181 crypto_freereq(crp); 1182 goto bad; 1183 } 1184 1185 /* Crypto operation descriptor. */ 1186 crp->crp_ilen = m->m_pkthdr.len; /* Total input length. */ 1187 crp->crp_flags = CRYPTO_F_IMBUF; 1188 crp->crp_buf = m; 1189 crp->crp_callback = ah_output_cb; 1190 crp->crp_sid = sav->tdb_cryptoid; 1191 crp->crp_opaque = tc; 1192 1193 /* These are passed as-is to the callback. */ 1194 tc->tc_isr = isr; 1195 tc->tc_spi = sav->spi; 1196 tc->tc_dst = sav->sah->saidx.dst; 1197 tc->tc_proto = sav->sah->saidx.proto; 1198 tc->tc_skip = skip; 1199 tc->tc_protoff = protoff; 1200 1201 return crypto_dispatch(crp); 1202 bad: 1203 if (m) 1204 m_freem(m); 1205 return (error); 1206 } 1207 1208 /* 1209 * AH output callback from the crypto driver. 1210 */ 1211 static int 1212 ah_output_cb(struct cryptop *crp) 1213 { 1214 int skip, protoff, error; 1215 struct tdb_crypto *tc; 1216 struct ipsecrequest *isr; 1217 struct secasvar *sav; 1218 struct mbuf *m; 1219 void *ptr; 1220 int s, err; 1221 1222 tc = (struct tdb_crypto *) crp->crp_opaque; 1223 IPSEC_ASSERT(tc != NULL, ("ah_output_cb: null opaque data area!")); 1224 skip = tc->tc_skip; 1225 protoff = tc->tc_protoff; 1226 ptr = (tc + 1); 1227 m = (struct mbuf *) crp->crp_buf; 1228 1229 s = splsoftnet(); 1230 1231 isr = tc->tc_isr; 1232 sav = KEY_ALLOCSA(&tc->tc_dst, tc->tc_proto, tc->tc_spi, 0, 0); 1233 if (sav == NULL) { 1234 ahstat.ahs_notdb++; 1235 DPRINTF(("ah_output_cb: SA expired while in crypto\n")); 1236 error = ENOBUFS; /*XXX*/ 1237 goto bad; 1238 } 1239 IPSEC_ASSERT(isr->sav == sav, ("ah_output_cb: SA changed\n")); 1240 1241 /* Check for crypto errors. */ 1242 if (crp->crp_etype) { 1243 if (sav->tdb_cryptoid != 0) 1244 sav->tdb_cryptoid = crp->crp_sid; 1245 1246 if (crp->crp_etype == EAGAIN) { 1247 KEY_FREESAV(&sav); 1248 splx(s); 1249 return crypto_dispatch(crp); 1250 } 1251 1252 ahstat.ahs_noxform++; 1253 DPRINTF(("ah_output_cb: crypto error %d\n", crp->crp_etype)); 1254 error = crp->crp_etype; 1255 goto bad; 1256 } 1257 1258 /* Shouldn't happen... */ 1259 if (m == NULL) { 1260 ahstat.ahs_crypto++; 1261 DPRINTF(("ah_output_cb: bogus returned buffer from crypto\n")); 1262 error = EINVAL; 1263 goto bad; 1264 } 1265 ahstat.ahs_hist[sav->alg_auth]++; 1266 1267 /* 1268 * Copy original headers (with the new protocol number) back 1269 * in place. 1270 */ 1271 m_copyback(m, 0, skip, ptr); 1272 1273 /* No longer needed. */ 1274 free(tc, M_XDATA); 1275 crypto_freereq(crp); 1276 1277 #ifdef IPSEC_DEBUG 1278 /* Emulate man-in-the-middle attack when ipsec_integrity is TRUE. */ 1279 if (ipsec_integrity) { 1280 int alen; 1281 1282 /* 1283 * Corrupt HMAC if we want to test integrity verification of 1284 * the other side. 1285 */ 1286 alen = AUTHSIZE(sav); 1287 m_copyback(m, m->m_pkthdr.len - alen, alen, ipseczeroes); 1288 } 1289 #endif 1290 1291 /* NB: m is reclaimed by ipsec_process_done. */ 1292 err = ipsec_process_done(m, isr); 1293 KEY_FREESAV(&sav); 1294 splx(s); 1295 return err; 1296 bad: 1297 if (sav) 1298 KEY_FREESAV(&sav); 1299 splx(s); 1300 if (m) 1301 m_freem(m); 1302 free(tc, M_XDATA); 1303 crypto_freereq(crp); 1304 return error; 1305 } 1306 1307 static struct xformsw ah_xformsw = { 1308 XF_AH, XFT_AUTH, "IPsec AH", 1309 ah_init, ah_zeroize, ah_input, ah_output, 1310 NULL, 1311 }; 1312 1313 INITFN void 1314 ah_attach(void) 1315 { 1316 xform_register(&ah_xformsw); 1317 } 1318 1319 #ifdef __FreeBSD__ 1320 SYSINIT(ah_xform_init, SI_SUB_PROTO_DOMAIN, SI_ORDER_MIDDLE, ah_attach, NULL); 1321 #endif 1322
Indexes created Wed Sep 24 15:09:51 GMT 2025