Home | History | Annotate | Line # | Download | only in netipsec
xform_ah.c revision 1.73
      1 /*	$NetBSD: xform_ah.c,v 1.73 2017/08/10 06:33:51 ozaki-r Exp $	*/
      2 /*	$FreeBSD: src/sys/netipsec/xform_ah.c,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $	*/
      3 /*	$OpenBSD: ip_ah.c,v 1.63 2001/06/26 06:18:58 angelos Exp $ */
      4 /*
      5  * The authors of this code are John Ioannidis (ji (at) tla.org),
      6  * Angelos D. Keromytis (kermit (at) csd.uch.gr) and
      7  * Niels Provos (provos (at) physnet.uni-hamburg.de).
      8  *
      9  * The original version of this code was written by John Ioannidis
     10  * for BSD/OS in Athens, Greece, in November 1995.
     11  *
     12  * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996,
     13  * by Angelos D. Keromytis.
     14  *
     15  * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis
     16  * and Niels Provos.
     17  *
     18  * Additional features in 1999 by Angelos D. Keromytis and Niklas Hallqvist.
     19  *
     20  * Copyright (c) 1995, 1996, 1997, 1998, 1999 by John Ioannidis,
     21  * Angelos D. Keromytis and Niels Provos.
     22  * Copyright (c) 1999 Niklas Hallqvist.
     23  * Copyright (c) 2001 Angelos D. Keromytis.
     24  *
     25  * Permission to use, copy, and modify this software with or without fee
     26  * is hereby granted, provided that this entire notice is included in
     27  * all copies of any software which is or includes a copy or
     28  * modification of this software.
     29  * You may use this code under the GNU public license if you so wish. Please
     30  * contribute changes back to the authors under this freer than GPL license
     31  * so that we may further the use of strong encryption without limitations to
     32  * all.
     33  *
     34  * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
     35  * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY
     36  * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
     37  * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
     38  * PURPOSE.
     39  */
     40 
     41 #include <sys/cdefs.h>
     42 __KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.73 2017/08/10 06:33:51 ozaki-r Exp $");
     43 
     44 #if defined(_KERNEL_OPT)
     45 #include "opt_inet.h"
     46 #include "opt_ipsec.h"
     47 #endif
     48 
     49 #include <sys/param.h>
     50 #include <sys/systm.h>
     51 #include <sys/mbuf.h>
     52 #include <sys/socket.h>
     53 #include <sys/syslog.h>
     54 #include <sys/kernel.h>
     55 #include <sys/sysctl.h>
     56 #include <sys/pool.h>
     57 #include <sys/pserialize.h>
     58 
     59 #include <net/if.h>
     60 
     61 #include <netinet/in.h>
     62 #include <netinet/in_systm.h>
     63 #include <netinet/ip.h>
     64 #include <netinet/ip_ecn.h>
     65 #include <netinet/ip_var.h>
     66 #include <netinet/ip6.h>
     67 
     68 #include <net/route.h>
     69 #include <netipsec/ipsec.h>
     70 #include <netipsec/ipsec_private.h>
     71 #include <netipsec/ah.h>
     72 #include <netipsec/ah_var.h>
     73 #include <netipsec/xform.h>
     74 
     75 #ifdef INET6
     76 #include <netinet6/ip6_var.h>
     77 #include <netinet6/scope6_var.h>
     78 #include <netipsec/ipsec6.h>
     79 #endif
     80 
     81 #include <netipsec/key.h>
     82 #include <netipsec/key_debug.h>
     83 
     84 #include <opencrypto/cryptodev.h>
     85 
     86 /*
     87  * Return header size in bytes.  The old protocol did not support
     88  * the replay counter; the new protocol always includes the counter.
     89  */
     90 #define HDRSIZE(sav) \
     91 	(((sav)->flags & SADB_X_EXT_OLD) ? \
     92 		sizeof(struct ah) : sizeof(struct ah) + sizeof(uint32_t))
     93 /*
     94  * Return authenticator size in bytes.  The old protocol is known
     95  * to use a fixed 16-byte authenticator.  The new algorithm gets
     96  * this size from the xform but is (currently) always 12.
     97  */
     98 #define	AUTHSIZE(sav) \
     99 	((sav->flags & SADB_X_EXT_OLD) ? 16 : (sav)->tdb_authalgxform->authsize)
    100 
    101 percpu_t *ahstat_percpu;
    102 
    103 int	ah_enable = 1;			/* control flow of packets with AH */
    104 int	ip4_ah_cleartos = 1;		/* clear ip_tos when doing AH calc */
    105 
    106 #ifdef __FreeBSD__
    107 SYSCTL_DECL(_net_inet_ah);
    108 SYSCTL_INT(_net_inet_ah, OID_AUTO,
    109 	ah_enable,	CTLFLAG_RW,	&ah_enable,	0, "");
    110 SYSCTL_INT(_net_inet_ah, OID_AUTO,
    111 	ah_cleartos,	CTLFLAG_RW,	&ip4_ah_cleartos,	0, "");
    112 SYSCTL_STRUCT(_net_inet_ah, IPSECCTL_STATS,
    113 	stats,		CTLFLAG_RD,	&ahstat,	ahstat, "");
    114 
    115 #endif /* __FreeBSD__ */
    116 
    117 static unsigned char ipseczeroes[256];	/* larger than an ip6 extension hdr */
    118 
    119 int ah_max_authsize;			/* max authsize over all algorithms */
    120 
    121 static int ah_input_cb(struct cryptop *);
    122 static int ah_output_cb(struct cryptop *);
    123 
    124 const uint8_t ah_stats[256] = { SADB_AALG_STATS_INIT };
    125 
    126 static pool_cache_t ah_tdb_crypto_pool_cache;
    127 static size_t ah_pool_item_size;
    128 
    129 /*
    130  * NB: this is public for use by the PF_KEY support.
    131  */
    132 const struct auth_hash *
    133 ah_algorithm_lookup(int alg)
    134 {
    135 
    136 	switch (alg) {
    137 	case SADB_X_AALG_NULL:
    138 		return &auth_hash_null;
    139 	case SADB_AALG_MD5HMAC:
    140 		return &auth_hash_hmac_md5_96;
    141 	case SADB_AALG_SHA1HMAC:
    142 		return &auth_hash_hmac_sha1_96;
    143 	case SADB_X_AALG_RIPEMD160HMAC:
    144 		return &auth_hash_hmac_ripemd_160_96;
    145 	case SADB_X_AALG_MD5:
    146 		return &auth_hash_key_md5;
    147 	case SADB_X_AALG_SHA:
    148 		return &auth_hash_key_sha1;
    149 	case SADB_X_AALG_SHA2_256:
    150 		return &auth_hash_hmac_sha2_256;
    151 	case SADB_X_AALG_SHA2_384:
    152 		return &auth_hash_hmac_sha2_384;
    153 	case SADB_X_AALG_SHA2_512:
    154 		return &auth_hash_hmac_sha2_512;
    155 	case SADB_X_AALG_AES_XCBC_MAC:
    156 		return &auth_hash_aes_xcbc_mac_96;
    157 	}
    158 	return NULL;
    159 }
    160 
    161 size_t
    162 ah_hdrsiz(const struct secasvar *sav)
    163 {
    164 	size_t size;
    165 
    166 	if (sav != NULL) {
    167 		int authsize;
    168 		KASSERT(sav->tdb_authalgxform != NULL);
    169 		/*XXX not right for null algorithm--does it matter??*/
    170 		authsize = AUTHSIZE(sav);
    171 		size = roundup(authsize, sizeof(uint32_t)) + HDRSIZE(sav);
    172 	} else {
    173 		/* default guess */
    174 		size = sizeof(struct ah) + sizeof(uint32_t) + ah_max_authsize;
    175 	}
    176 	return size;
    177 }
    178 
    179 /*
    180  * NB: public for use by esp_init.
    181  */
    182 int
    183 ah_init0(struct secasvar *sav, const struct xformsw *xsp,
    184 	 struct cryptoini *cria)
    185 {
    186 	const struct auth_hash *thash;
    187 	int keylen;
    188 
    189 	thash = ah_algorithm_lookup(sav->alg_auth);
    190 	if (thash == NULL) {
    191 		DPRINTF(("%s: unsupported authentication algorithm %u\n",
    192 			__func__, sav->alg_auth));
    193 		return EINVAL;
    194 	}
    195 	/*
    196 	 * Verify the replay state block allocation is consistent with
    197 	 * the protocol type.  We check here so we can make assumptions
    198 	 * later during protocol processing.
    199 	 */
    200 	/* NB: replay state is setup elsewhere (sigh) */
    201 	if (((sav->flags&SADB_X_EXT_OLD) == 0) ^ (sav->replay != NULL)) {
    202 		DPRINTF(("%s: replay state block inconsistency, "
    203 			"%s algorithm %s replay state\n", __func__,
    204 			(sav->flags & SADB_X_EXT_OLD) ? "old" : "new",
    205 			sav->replay == NULL ? "without" : "with"));
    206 		return EINVAL;
    207 	}
    208 	if (sav->key_auth == NULL) {
    209 		DPRINTF(("%s: no authentication key for %s algorithm\n",
    210 			__func__, thash->name));
    211 		return EINVAL;
    212 	}
    213 	keylen = _KEYLEN(sav->key_auth);
    214 	if (keylen != thash->keysize && thash->keysize != 0) {
    215 		DPRINTF(("%s: invalid keylength %d, algorithm %s requires "
    216 			 "keysize %d\n", __func__,
    217 			 keylen, thash->name, thash->keysize));
    218 		return EINVAL;
    219 	}
    220 
    221 	sav->tdb_xform = xsp;
    222 	sav->tdb_authalgxform = thash;
    223 
    224 	/* Initialize crypto session. */
    225 	memset(cria, 0, sizeof(*cria));
    226 	cria->cri_alg = sav->tdb_authalgxform->type;
    227 	cria->cri_klen = _KEYBITS(sav->key_auth);
    228 	cria->cri_key = _KEYBUF(sav->key_auth);
    229 
    230 	return 0;
    231 }
    232 
    233 /*
    234  * ah_init() is called when an SPI is being set up.
    235  */
    236 static int
    237 ah_init(struct secasvar *sav, const struct xformsw *xsp)
    238 {
    239 	struct cryptoini cria;
    240 	int error;
    241 
    242 	error = ah_init0(sav, xsp, &cria);
    243 	if (!error)
    244 		error = crypto_newsession(&sav->tdb_cryptoid,
    245 					   &cria, crypto_support);
    246 	return error;
    247 }
    248 
    249 /*
    250  * Paranoia.
    251  *
    252  * NB: public for use by esp_zeroize (XXX).
    253  */
    254 int
    255 ah_zeroize(struct secasvar *sav)
    256 {
    257 	int err;
    258 
    259 	if (sav->key_auth) {
    260 		explicit_memset(_KEYBUF(sav->key_auth), 0,
    261 		    _KEYLEN(sav->key_auth));
    262 	}
    263 
    264 	err = crypto_freesession(sav->tdb_cryptoid);
    265 	sav->tdb_cryptoid = 0;
    266 	sav->tdb_authalgxform = NULL;
    267 	sav->tdb_xform = NULL;
    268 	return err;
    269 }
    270 
    271 /*
    272  * Massage IPv4/IPv6 headers for AH processing.
    273  */
    274 static int
    275 ah_massage_headers(struct mbuf **m0, int proto, int skip, int alg, int out)
    276 {
    277 	struct mbuf *m = *m0;
    278 	unsigned char *ptr;
    279 	int off, count;
    280 
    281 #ifdef INET
    282 	struct ip *ip;
    283 #endif /* INET */
    284 
    285 #ifdef INET6
    286 	struct ip6_ext *ip6e;
    287 	struct ip6_hdr ip6;
    288 	struct ip6_rthdr *rh;
    289 	int alloc, ad, nxt;
    290 #endif /* INET6 */
    291 
    292 	switch (proto) {
    293 #ifdef INET
    294 	case AF_INET:
    295 		/*
    296 		 * This is the least painful way of dealing with IPv4 header
    297 		 * and option processing -- just make sure they're in
    298 		 * contiguous memory.
    299 		 */
    300 		*m0 = m = m_pullup(m, skip);
    301 		if (m == NULL) {
    302 			DPRINTF(("%s: m_pullup failed\n", __func__));
    303 			return ENOBUFS;
    304 		}
    305 
    306 		/* Fix the IP header */
    307 		ip = mtod(m, struct ip *);
    308 		if (ip4_ah_cleartos)
    309 			ip->ip_tos = 0;
    310 		ip->ip_ttl = 0;
    311 		ip->ip_sum = 0;
    312 		ip->ip_off = htons(ntohs(ip->ip_off) & ip4_ah_offsetmask);
    313 
    314 		/*
    315 		 * On FreeBSD, ip_off and ip_len assumed in host endian;
    316 		 * they are converted (if necessary) by ip_input().
    317 		 * On NetBSD, ip_off and ip_len are in network byte order.
    318 		 * They must be massaged back to network byte order
    319 		 * before verifying the  HMAC. Moreover, on FreeBSD,
    320 		 * we should add `skip' back into the massaged ip_len
    321 		 * (presumably ip_input() deducted it before we got here?)
    322 		 * whereas on NetBSD, we should not.
    323 		 */
    324 		if (!out) {
    325 			uint16_t inlen = ntohs(ip->ip_len);
    326 
    327 			ip->ip_len = htons(inlen);
    328 
    329 			if (alg == CRYPTO_MD5_KPDK || alg == CRYPTO_SHA1_KPDK)
    330 				ip->ip_off  &= htons(IP_DF);
    331 			else
    332 				ip->ip_off = 0;
    333 		} else {
    334 			if (alg == CRYPTO_MD5_KPDK || alg == CRYPTO_SHA1_KPDK)
    335 				ip->ip_off &= htons(IP_DF);
    336 			else
    337 				ip->ip_off = 0;
    338 		}
    339 
    340 		ptr = mtod(m, unsigned char *);
    341 
    342 		/* IPv4 option processing */
    343 		for (off = sizeof(struct ip); off < skip;) {
    344 			if (ptr[off] == IPOPT_EOL || ptr[off] == IPOPT_NOP ||
    345 			    off + 1 < skip)
    346 				;
    347 			else {
    348 				DPRINTF(("%s: illegal IPv4 option length for "
    349 				    "option %d\n", __func__, ptr[off]));
    350 
    351 				m_freem(m);
    352 				return EINVAL;
    353 			}
    354 
    355 			switch (ptr[off]) {
    356 			case IPOPT_EOL:
    357 				off = skip;  /* End the loop. */
    358 				break;
    359 
    360 			case IPOPT_NOP:
    361 				off++;
    362 				break;
    363 
    364 			case IPOPT_SECURITY:	/* 0x82 */
    365 			case 0x85:	/* Extended security. */
    366 			case 0x86:	/* Commercial security. */
    367 			case 0x94:	/* Router alert */
    368 			case 0x95:	/* RFC1770 */
    369 				/* Sanity check for option length. */
    370 				if (ptr[off + 1] < 2) {
    371 					DPRINTF(("%s: illegal IPv4 option "
    372 					    "length for option %d\n", __func__,
    373 					    ptr[off]));
    374 
    375 					m_freem(m);
    376 					return EINVAL;
    377 				}
    378 
    379 				off += ptr[off + 1];
    380 				break;
    381 
    382 			case IPOPT_LSRR:
    383 			case IPOPT_SSRR:
    384 				/* Sanity check for option length. */
    385 				if (ptr[off + 1] < 2) {
    386 					DPRINTF(("%s: illegal IPv4 option "
    387 					    "length for option %d\n", __func__,
    388 					    ptr[off]));
    389 
    390 					m_freem(m);
    391 					return EINVAL;
    392 				}
    393 
    394 				/*
    395 				 * On output, if we have either of the
    396 				 * source routing options, we should
    397 				 * swap the destination address of the
    398 				 * IP header with the last address
    399 				 * specified in the option, as that is
    400 				 * what the destination's IP header
    401 				 * will look like.
    402 				 */
    403 				if (out)
    404 					memcpy(&ip->ip_dst,
    405 					    ptr + off + ptr[off + 1] -
    406 					    sizeof(struct in_addr),
    407 					    sizeof(struct in_addr));
    408 
    409 				/* Fall through */
    410 			default:
    411 				/* Sanity check for option length. */
    412 				if (ptr[off + 1] < 2) {
    413 					DPRINTF(("%s: illegal IPv4 option "
    414 					    "length for option %d\n", __func__,
    415 					    ptr[off]));
    416 					m_freem(m);
    417 					return EINVAL;
    418 				}
    419 
    420 				/* Zeroize all other options. */
    421 				count = ptr[off + 1];
    422 				memcpy(ptr, ipseczeroes, count);
    423 				off += count;
    424 				break;
    425 			}
    426 
    427 			/* Sanity check. */
    428 			if (off > skip)	{
    429 				DPRINTF(("%s: malformed IPv4 options header\n",
    430 					__func__));
    431 
    432 				m_freem(m);
    433 				return EINVAL;
    434 			}
    435 		}
    436 
    437 		break;
    438 #endif /* INET */
    439 
    440 #ifdef INET6
    441 	case AF_INET6:  /* Ugly... */
    442 		/* Copy and "cook" the IPv6 header. */
    443 		m_copydata(m, 0, sizeof(ip6), &ip6);
    444 
    445 		/* We don't do IPv6 Jumbograms. */
    446 		if (ip6.ip6_plen == 0) {
    447 			DPRINTF(("%s: unsupported IPv6 jumbogram\n", __func__));
    448 			m_freem(m);
    449 			return EMSGSIZE;
    450 		}
    451 
    452 		ip6.ip6_flow = 0;
    453 		ip6.ip6_hlim = 0;
    454 		ip6.ip6_vfc &= ~IPV6_VERSION_MASK;
    455 		ip6.ip6_vfc |= IPV6_VERSION;
    456 
    457 		/* Scoped address handling. */
    458 		if (IN6_IS_SCOPE_LINKLOCAL(&ip6.ip6_src))
    459 			ip6.ip6_src.s6_addr16[1] = 0;
    460 		if (IN6_IS_SCOPE_LINKLOCAL(&ip6.ip6_dst))
    461 			ip6.ip6_dst.s6_addr16[1] = 0;
    462 
    463 		/* Done with IPv6 header. */
    464 		m_copyback(m, 0, sizeof(struct ip6_hdr), &ip6);
    465 
    466 		/* Let's deal with the remaining headers (if any). */
    467 		if (skip - sizeof(struct ip6_hdr) > 0) {
    468 			if (m->m_len <= skip) {
    469 				ptr = malloc(skip - sizeof(struct ip6_hdr),
    470 				    M_XDATA, M_NOWAIT);
    471 				if (ptr == NULL) {
    472 					DPRINTF(("%s: failed to allocate "
    473 					    "memory for IPv6 headers\n",
    474 					    __func__));
    475 					m_freem(m);
    476 					return ENOBUFS;
    477 				}
    478 
    479 				/*
    480 				 * Copy all the protocol headers after
    481 				 * the IPv6 header.
    482 				 */
    483 				m_copydata(m, sizeof(struct ip6_hdr),
    484 				    skip - sizeof(struct ip6_hdr), ptr);
    485 				alloc = 1;
    486 			} else {
    487 				/* No need to allocate memory. */
    488 				ptr = mtod(m, unsigned char *) +
    489 				    sizeof(struct ip6_hdr);
    490 				alloc = 0;
    491 			}
    492 		} else
    493 			break;
    494 
    495 		nxt = ip6.ip6_nxt & 0xff; /* Next header type. */
    496 
    497 		for (off = 0; off < skip - sizeof(struct ip6_hdr);)
    498 			switch (nxt) {
    499 			case IPPROTO_HOPOPTS:
    500 			case IPPROTO_DSTOPTS:
    501 				ip6e = (struct ip6_ext *) (ptr + off);
    502 
    503 				/*
    504 				 * Process the mutable/immutable
    505 				 * options -- borrows heavily from the
    506 				 * KAME code.
    507 				 */
    508 				for (count = off + sizeof(struct ip6_ext);
    509 				     count < off + ((ip6e->ip6e_len + 1) << 3);) {
    510 					if (ptr[count] == IP6OPT_PAD1) {
    511 						count++;
    512 						continue; /* Skip padding. */
    513 					}
    514 
    515 					/* Sanity check. */
    516 					if (count > off +
    517 					    ((ip6e->ip6e_len + 1) << 3)) {
    518 						m_freem(m);
    519 
    520 						/* Free, if we allocated. */
    521 						if (alloc)
    522 							free(ptr, M_XDATA);
    523 						return EINVAL;
    524 					}
    525 
    526 					ad = ptr[count + 1];
    527 
    528 					/* If mutable option, zeroize. */
    529 					if (ptr[count] & IP6OPT_MUTABLE)
    530 						memcpy(ptr + count, ipseczeroes,
    531 						    ptr[count + 1]);
    532 
    533 					count += ad;
    534 
    535 					/* Sanity check. */
    536 					if (count >
    537 					    skip - sizeof(struct ip6_hdr)) {
    538 						m_freem(m);
    539 
    540 						/* Free, if we allocated. */
    541 						if (alloc)
    542 							free(ptr, M_XDATA);
    543 						return EINVAL;
    544 					}
    545 				}
    546 
    547 				/* Advance. */
    548 				off += ((ip6e->ip6e_len + 1) << 3);
    549 				nxt = ip6e->ip6e_nxt;
    550 				break;
    551 
    552 			case IPPROTO_ROUTING:
    553 				/*
    554 				 * Always include routing headers in
    555 				 * computation.
    556 				 */
    557 				ip6e = (struct ip6_ext *) (ptr + off);
    558 				rh = (struct ip6_rthdr *)(ptr + off);
    559 				/*
    560 				 * must adjust content to make it look like
    561 				 * its final form (as seen at the final
    562 				 * destination).
    563 				 * we only know how to massage type 0 routing
    564 				 * header.
    565 				 */
    566 				if (out && rh->ip6r_type == IPV6_RTHDR_TYPE_0) {
    567 					struct ip6_rthdr0 *rh0;
    568 					struct in6_addr *addr, finaldst;
    569 					int i;
    570 
    571 					rh0 = (struct ip6_rthdr0 *)rh;
    572 					addr = (struct in6_addr *)(rh0 + 1);
    573 
    574 					for (i = 0; i < rh0->ip6r0_segleft; i++)
    575 						in6_clearscope(&addr[i]);
    576 
    577 					finaldst = addr[rh0->ip6r0_segleft - 1];
    578 					memmove(&addr[1], &addr[0],
    579 						sizeof(struct in6_addr) *
    580 						(rh0->ip6r0_segleft - 1));
    581 
    582 					m_copydata(m, 0, sizeof(ip6), &ip6);
    583 					addr[0] = ip6.ip6_dst;
    584 					ip6.ip6_dst = finaldst;
    585 					m_copyback(m, 0, sizeof(ip6), &ip6);
    586 
    587 					rh0->ip6r0_segleft = 0;
    588 				}
    589 
    590 				/* advance */
    591 				off += ((ip6e->ip6e_len + 1) << 3);
    592 				nxt = ip6e->ip6e_nxt;
    593 				break;
    594 
    595 			default:
    596 				DPRINTF(("%s: unexpected IPv6 header type %d\n",
    597 				    __func__, off));
    598 				if (alloc)
    599 					free(ptr, M_XDATA);
    600 				m_freem(m);
    601 				return EINVAL;
    602 			}
    603 
    604 		/* Copyback and free, if we allocated. */
    605 		if (alloc) {
    606 			m_copyback(m, sizeof(struct ip6_hdr),
    607 			    skip - sizeof(struct ip6_hdr), ptr);
    608 			free(ptr, M_XDATA);
    609 		}
    610 
    611 		break;
    612 #endif /* INET6 */
    613 	}
    614 
    615 	return 0;
    616 }
    617 
    618 /*
    619  * ah_input() gets called to verify that an input packet
    620  * passes authentication.
    621  */
    622 static int
    623 ah_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
    624 {
    625 	const struct auth_hash *ahx;
    626 	struct tdb_crypto *tc = NULL;
    627 	struct newah *ah;
    628 	int hl, rplen, authsize, error, stat = AH_STAT_HDROPS;
    629 	struct cryptodesc *crda;
    630 	struct cryptop *crp = NULL;
    631 
    632 	IPSEC_SPLASSERT_SOFTNET(__func__);
    633 
    634 	KASSERT(sav != NULL);
    635 	KASSERT(sav->key_auth != NULL);
    636 	KASSERT(sav->tdb_authalgxform != NULL);
    637 
    638 	/* Figure out header size. */
    639 	rplen = HDRSIZE(sav);
    640 
    641 	/* XXX don't pullup, just copy header */
    642 	IP6_EXTHDR_GET(ah, struct newah *, m, skip, rplen);
    643 	if (ah == NULL) {
    644 		DPRINTF(("%s: cannot pullup header\n", __func__));
    645 		error = ENOBUFS;
    646 		stat = AH_STAT_HDROPS;	/*XXX*/
    647 		goto bad;
    648 	}
    649 
    650 	/* Check replay window, if applicable. */
    651 	if (sav->replay && !ipsec_chkreplay(ntohl(ah->ah_seq), sav)) {
    652 		char buf[IPSEC_LOGSASTRLEN];
    653 		DPRINTF(("%s: packet replay failure: %s\n", __func__,
    654 		    ipsec_logsastr(sav, buf, sizeof(buf))));
    655 		stat = AH_STAT_REPLAY;
    656 		error = ENOBUFS;
    657 		goto bad;
    658 	}
    659 
    660 	/* Verify AH header length. */
    661 	hl = ah->ah_len * sizeof(uint32_t);
    662 	ahx = sav->tdb_authalgxform;
    663 	authsize = AUTHSIZE(sav);
    664 	if (hl != authsize + rplen - sizeof(struct ah)) {
    665 		char buf[IPSEC_ADDRSTRLEN];
    666 		DPRINTF(("%s: bad authenticator length %u (expecting %lu)"
    667 			" for packet in SA %s/%08lx\n", __func__,
    668 			hl, (u_long) (authsize + rplen - sizeof(struct ah)),
    669 			ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)),
    670 			(u_long) ntohl(sav->spi)));
    671 		stat = AH_STAT_BADAUTHL;
    672 		error = EACCES;
    673 		goto bad;
    674 	}
    675 	AH_STATADD(AH_STAT_IBYTES, m->m_pkthdr.len - skip - hl);
    676 
    677 	/* Get crypto descriptors. */
    678 	crp = crypto_getreq(1);
    679 	if (crp == NULL) {
    680 		DPRINTF(("%s: failed to acquire crypto descriptor\n", __func__));
    681 		stat = AH_STAT_CRYPTO;
    682 		error = ENOBUFS;
    683 		goto bad;
    684 	}
    685 
    686 	crda = crp->crp_desc;
    687 	KASSERT(crda != NULL);
    688 
    689 	crda->crd_skip = 0;
    690 	crda->crd_len = m->m_pkthdr.len;
    691 	crda->crd_inject = skip + rplen;
    692 
    693 	/* Authentication operation. */
    694 	crda->crd_alg = ahx->type;
    695 	crda->crd_key = _KEYBUF(sav->key_auth);
    696 	crda->crd_klen = _KEYBITS(sav->key_auth);
    697 
    698 	/* Allocate IPsec-specific opaque crypto info. */
    699 	size_t size = sizeof(*tc);
    700 	size_t extra = skip + rplen + authsize;
    701 	size += extra;
    702 
    703 	KASSERTMSG(size <= ah_pool_item_size,
    704 	    "size=%zu > ah_pool_item_size=%zu\n", size, ah_pool_item_size);
    705 	tc = pool_cache_get(ah_tdb_crypto_pool_cache, PR_NOWAIT);
    706 	if (tc == NULL) {
    707 		DPRINTF(("%s: failed to allocate tdb_crypto\n", __func__));
    708 		stat = AH_STAT_CRYPTO;
    709 		error = ENOBUFS;
    710 		goto bad;
    711 	}
    712 
    713 	error = m_makewritable(&m, 0, extra, M_NOWAIT);
    714 	if (error) {
    715 		DPRINTF(("%s: failed to m_makewritable\n", __func__));
    716 		goto bad;
    717 	}
    718 
    719 	/*
    720 	 * Save the authenticator, the skipped portion of the packet,
    721 	 * and the AH header.
    722 	 */
    723 	m_copydata(m, 0, extra, (tc + 1));
    724 	/* Zeroize the authenticator on the packet. */
    725 	m_copyback(m, skip + rplen, authsize, ipseczeroes);
    726 
    727 	/* "Massage" the packet headers for crypto processing. */
    728 	error = ah_massage_headers(&m, sav->sah->saidx.dst.sa.sa_family,
    729 	    skip, ahx->type, 0);
    730 	if (error != 0) {
    731 		/* NB: mbuf is free'd by ah_massage_headers */
    732 		m = NULL;
    733 		goto bad;
    734 	}
    735 
    736     {
    737 	int s = pserialize_read_enter();
    738 
    739 	/*
    740 	 * Take another reference to the SA for opencrypto callback.
    741 	 */
    742 	if (__predict_false(sav->state == SADB_SASTATE_DEAD)) {
    743 		pserialize_read_exit(s);
    744 		stat = AH_STAT_NOTDB;
    745 		error = ENOENT;
    746 		goto bad;
    747 	}
    748 	KEY_SA_REF(sav);
    749 	pserialize_read_exit(s);
    750     }
    751 
    752 	/* Crypto operation descriptor. */
    753 	crp->crp_ilen = m->m_pkthdr.len; /* Total input length. */
    754 	crp->crp_flags = CRYPTO_F_IMBUF;
    755 	crp->crp_buf = m;
    756 	crp->crp_callback = ah_input_cb;
    757 	crp->crp_sid = sav->tdb_cryptoid;
    758 	crp->crp_opaque = tc;
    759 
    760 	/* These are passed as-is to the callback. */
    761 	tc->tc_spi = sav->spi;
    762 	tc->tc_dst = sav->sah->saidx.dst;
    763 	tc->tc_proto = sav->sah->saidx.proto;
    764 	tc->tc_nxt = ah->ah_nxt;
    765 	tc->tc_protoff = protoff;
    766 	tc->tc_skip = skip;
    767 	tc->tc_sav = sav;
    768 
    769 	DPRINTF(("%s: hash over %d bytes, skip %d: "
    770 		 "crda len %d skip %d inject %d\n", __func__,
    771 		 crp->crp_ilen, tc->tc_skip,
    772 		 crda->crd_len, crda->crd_skip, crda->crd_inject));
    773 
    774 	return crypto_dispatch(crp);
    775 
    776 bad:
    777 	if (tc != NULL)
    778 		pool_cache_put(ah_tdb_crypto_pool_cache, tc);
    779 	if (crp != NULL)
    780 		crypto_freereq(crp);
    781 	if (m != NULL)
    782 		m_freem(m);
    783 	AH_STATINC(stat);
    784 	return error;
    785 }
    786 
    787 #ifdef INET6
    788 #define	IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff) do {		     \
    789 	if (saidx->dst.sa.sa_family == AF_INET6) {			     \
    790 		error = ipsec6_common_input_cb(m, sav, skip, protoff);	     \
    791 	} else {							     \
    792 		error = ipsec4_common_input_cb(m, sav, skip, protoff);	     \
    793 	}								     \
    794 } while (0)
    795 #else
    796 #define	IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff)			     \
    797 	(error = ipsec4_common_input_cb(m, sav, skip, protoff))
    798 #endif
    799 
    800 /*
    801  * AH input callback from the crypto driver.
    802  */
    803 static int
    804 ah_input_cb(struct cryptop *crp)
    805 {
    806 	char buf[IPSEC_ADDRSTRLEN];
    807 	int rplen, error, skip, protoff;
    808 	unsigned char calc[AH_ALEN_MAX];
    809 	struct mbuf *m;
    810 	struct tdb_crypto *tc;
    811 	struct secasvar *sav;
    812 	struct secasindex *saidx;
    813 	uint8_t nxt;
    814 	char *ptr;
    815 	int authsize;
    816 	uint16_t dport;
    817 	uint16_t sport;
    818 	IPSEC_DECLARE_LOCK_VARIABLE;
    819 
    820 	KASSERT(crp->crp_opaque != NULL);
    821 	tc = crp->crp_opaque;
    822 	skip = tc->tc_skip;
    823 	nxt = tc->tc_nxt;
    824 	protoff = tc->tc_protoff;
    825 	m = crp->crp_buf;
    826 
    827 
    828 	/* find the source port for NAT-T */
    829 	nat_t_ports_get(m, &dport, &sport);
    830 
    831 	IPSEC_ACQUIRE_GLOBAL_LOCKS();
    832 
    833 	sav = tc->tc_sav;
    834 	if (__predict_false(!SADB_SASTATE_USABLE_P(sav))) {
    835 		KEY_SA_UNREF(&sav);
    836 		sav = KEY_LOOKUP_SA(&tc->tc_dst, tc->tc_proto, tc->tc_spi,
    837 		    sport, dport);
    838 		if (sav == NULL) {
    839 			AH_STATINC(AH_STAT_NOTDB);
    840 			DPRINTF(("%s: SA expired while in crypto\n", __func__));
    841 			error = ENOBUFS;		/*XXX*/
    842 			goto bad;
    843 		}
    844 	}
    845 
    846 	saidx = &sav->sah->saidx;
    847 	KASSERTMSG(saidx->dst.sa.sa_family == AF_INET ||
    848 	    saidx->dst.sa.sa_family == AF_INET6,
    849 	    "unexpected protocol family %u", saidx->dst.sa.sa_family);
    850 
    851 	/* Check for crypto errors. */
    852 	if (crp->crp_etype) {
    853 		if (sav->tdb_cryptoid != 0)
    854 			sav->tdb_cryptoid = crp->crp_sid;
    855 
    856 		if (crp->crp_etype == EAGAIN) {
    857 			IPSEC_RELEASE_GLOBAL_LOCKS();
    858 			return crypto_dispatch(crp);
    859 		}
    860 
    861 		AH_STATINC(AH_STAT_NOXFORM);
    862 		DPRINTF(("%s: crypto error %d\n", __func__, crp->crp_etype));
    863 		error = crp->crp_etype;
    864 		goto bad;
    865 	} else {
    866 		AH_STATINC(AH_STAT_HIST + ah_stats[sav->alg_auth]);
    867 		crypto_freereq(crp);		/* No longer needed. */
    868 		crp = NULL;
    869 	}
    870 
    871 	/* Figure out header size. */
    872 	rplen = HDRSIZE(sav);
    873 	authsize = AUTHSIZE(sav);
    874 
    875 	if (ipsec_debug)
    876 		memset(calc, 0, sizeof(calc));
    877 
    878 	/* Copy authenticator off the packet. */
    879 	m_copydata(m, skip + rplen, authsize, calc);
    880 
    881 	ptr = (char *)(tc + 1);
    882 	const uint8_t *pppp = ptr + skip + rplen;
    883 
    884 	/* Verify authenticator. */
    885 	if (!consttime_memequal(pppp, calc, authsize)) {
    886 		DPRINTF(("%s: authentication hash mismatch " \
    887 		    "over %d bytes " \
    888 		    "for packet in SA %s/%08lx:\n" \
    889 	    "%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x, " \
    890 	    "%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x\n",
    891 		    __func__, authsize,
    892 		    ipsec_address(&saidx->dst, buf, sizeof(buf)),
    893 		    (u_long) ntohl(sav->spi),
    894 			 calc[0], calc[1], calc[2], calc[3],
    895 			 calc[4], calc[5], calc[6], calc[7],
    896 			 calc[8], calc[9], calc[10], calc[11],
    897 			 pppp[0], pppp[1], pppp[2], pppp[3],
    898 			 pppp[4], pppp[5], pppp[6], pppp[7],
    899 			 pppp[8], pppp[9], pppp[10], pppp[11]
    900 			 ));
    901 		AH_STATINC(AH_STAT_BADAUTH);
    902 		error = EACCES;
    903 		goto bad;
    904 	}
    905 
    906 	/* Fix the Next Protocol field. */
    907 	ptr[protoff] = nxt;
    908 
    909 	/* Copyback the saved (uncooked) network headers. */
    910 	m_copyback(m, 0, skip, ptr);
    911 
    912 	pool_cache_put(ah_tdb_crypto_pool_cache, tc);
    913 	tc = NULL;
    914 
    915 	/*
    916 	 * Header is now authenticated.
    917 	 */
    918 	m->m_flags |= M_AUTHIPHDR|M_AUTHIPDGM;
    919 
    920 	/*
    921 	 * Update replay sequence number, if appropriate.
    922 	 */
    923 	if (sav->replay) {
    924 		uint32_t seq;
    925 
    926 		m_copydata(m, skip + offsetof(struct newah, ah_seq),
    927 		    sizeof(seq), &seq);
    928 		if (ipsec_updatereplay(ntohl(seq), sav)) {
    929 			AH_STATINC(AH_STAT_REPLAY);
    930 			error = ENOBUFS;			/*XXX as above*/
    931 			goto bad;
    932 		}
    933 	}
    934 
    935 	/*
    936 	 * Remove the AH header and authenticator from the mbuf.
    937 	 */
    938 	error = m_striphdr(m, skip, rplen + authsize);
    939 	if (error) {
    940 		DPRINTF(("%s: mangled mbuf chain for SA %s/%08lx\n", __func__,
    941 		    ipsec_address(&saidx->dst, buf, sizeof(buf)),
    942 		    (u_long) ntohl(sav->spi)));
    943 
    944 		AH_STATINC(AH_STAT_HDROPS);
    945 		goto bad;
    946 	}
    947 
    948 	IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff);
    949 
    950 	KEY_SA_UNREF(&sav);
    951 	IPSEC_RELEASE_GLOBAL_LOCKS();
    952 	return error;
    953 bad:
    954 	if (sav)
    955 		KEY_SA_UNREF(&sav);
    956 	IPSEC_RELEASE_GLOBAL_LOCKS();
    957 	if (m != NULL)
    958 		m_freem(m);
    959 	if (tc != NULL)
    960 		pool_cache_put(ah_tdb_crypto_pool_cache, tc);
    961 	if (crp != NULL)
    962 		crypto_freereq(crp);
    963 	return error;
    964 }
    965 
    966 /*
    967  * AH output routine, called by ipsec[46]_process_packet().
    968  */
    969 static int
    970 ah_output(
    971     struct mbuf *m,
    972     struct ipsecrequest *isr,
    973     struct secasvar *sav,
    974     struct mbuf **mp,
    975     int skip,
    976     int protoff
    977 )
    978 {
    979 	char buf[IPSEC_ADDRSTRLEN];
    980 	const struct auth_hash *ahx;
    981 	struct cryptodesc *crda;
    982 	struct tdb_crypto *tc;
    983 	struct mbuf *mi;
    984 	struct cryptop *crp;
    985 	uint16_t iplen;
    986 	int error, rplen, authsize, maxpacketsize, roff;
    987 	uint8_t prot;
    988 	struct newah *ah;
    989 
    990 	IPSEC_SPLASSERT_SOFTNET(__func__);
    991 
    992 	KASSERT(sav != NULL);
    993 	KASSERT(sav->tdb_authalgxform != NULL);
    994 	ahx = sav->tdb_authalgxform;
    995 
    996 	AH_STATINC(AH_STAT_OUTPUT);
    997 
    998 	/* Figure out header size. */
    999 	rplen = HDRSIZE(sav);
   1000 
   1001 	size_t ipoffs;
   1002 	/* Check for maximum packet size violations. */
   1003 	switch (sav->sah->saidx.dst.sa.sa_family) {
   1004 #ifdef INET
   1005 	case AF_INET:
   1006 		maxpacketsize = IP_MAXPACKET;
   1007 		ipoffs = offsetof(struct ip, ip_len);
   1008 		break;
   1009 #endif /* INET */
   1010 #ifdef INET6
   1011 	case AF_INET6:
   1012 		maxpacketsize = IPV6_MAXPACKET;
   1013 		ipoffs = offsetof(struct ip6_hdr, ip6_plen);
   1014 		break;
   1015 #endif /* INET6 */
   1016 	default:
   1017 		DPRINTF(("%s: unknown/unsupported protocol "
   1018 		    "family %u, SA %s/%08lx\n", __func__,
   1019 		    sav->sah->saidx.dst.sa.sa_family,
   1020 		    ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)),
   1021 		    (u_long) ntohl(sav->spi)));
   1022 		AH_STATINC(AH_STAT_NOPF);
   1023 		error = EPFNOSUPPORT;
   1024 		goto bad;
   1025 	}
   1026 	authsize = AUTHSIZE(sav);
   1027 	if (rplen + authsize + m->m_pkthdr.len > maxpacketsize) {
   1028 		DPRINTF(("%s: packet in SA %s/%08lx got too big "
   1029 		    "(len %u, max len %u)\n", __func__,
   1030 		    ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)),
   1031 		    (u_long) ntohl(sav->spi),
   1032 		    rplen + authsize + m->m_pkthdr.len, maxpacketsize));
   1033 		AH_STATINC(AH_STAT_TOOBIG);
   1034 		error = EMSGSIZE;
   1035 		goto bad;
   1036 	}
   1037 
   1038 	/* Update the counters. */
   1039 	AH_STATADD(AH_STAT_OBYTES, m->m_pkthdr.len - skip);
   1040 
   1041 	m = m_clone(m);
   1042 	if (m == NULL) {
   1043 		DPRINTF(("%s: cannot clone mbuf chain, SA %s/%08lx\n", __func__,
   1044 		    ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)),
   1045 		    (u_long) ntohl(sav->spi)));
   1046 		AH_STATINC(AH_STAT_HDROPS);
   1047 		error = ENOBUFS;
   1048 		goto bad;
   1049 	}
   1050 
   1051 	/* Inject AH header. */
   1052 	mi = m_makespace(m, skip, rplen + authsize, &roff);
   1053 	if (mi == NULL) {
   1054 		DPRINTF(("%s: failed to inject %u byte AH header for SA "
   1055 		    "%s/%08lx\n", __func__,
   1056 		    rplen + authsize,
   1057 		    ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)),
   1058 		    (u_long) ntohl(sav->spi)));
   1059 		AH_STATINC(AH_STAT_HDROPS);	/*XXX differs from openbsd */
   1060 		error = ENOBUFS;
   1061 		goto bad;
   1062 	}
   1063 
   1064 	/*
   1065 	 * The AH header is guaranteed by m_makespace() to be in
   1066 	 * contiguous memory, at roff bytes offset into the returned mbuf.
   1067 	 */
   1068 	ah = (struct newah *)(mtod(mi, char *) + roff);
   1069 
   1070 	/* Initialize the AH header. */
   1071 	m_copydata(m, protoff, sizeof(uint8_t), &ah->ah_nxt);
   1072 	ah->ah_len = (rplen + authsize - sizeof(struct ah)) / sizeof(uint32_t);
   1073 	ah->ah_reserve = 0;
   1074 	ah->ah_spi = sav->spi;
   1075 
   1076 	/* Zeroize authenticator. */
   1077 	m_copyback(m, skip + rplen, authsize, ipseczeroes);
   1078 
   1079 	/* Insert packet replay counter, as requested.  */
   1080 	if (sav->replay) {
   1081 		if (sav->replay->count == ~0 &&
   1082 		    (sav->flags & SADB_X_EXT_CYCSEQ) == 0) {
   1083 			DPRINTF(("%s: replay counter wrapped for SA %s/%08lx\n",
   1084 			    __func__, ipsec_address(&sav->sah->saidx.dst, buf,
   1085 			    sizeof(buf)), (u_long) ntohl(sav->spi)));
   1086 			AH_STATINC(AH_STAT_WRAP);
   1087 			error = EINVAL;
   1088 			goto bad;
   1089 		}
   1090 #ifdef IPSEC_DEBUG
   1091 		/* Emulate replay attack when ipsec_replay is TRUE. */
   1092 		if (!ipsec_replay)
   1093 #endif
   1094 			sav->replay->count++;
   1095 		ah->ah_seq = htonl(sav->replay->count);
   1096 	}
   1097 
   1098 	/* Get crypto descriptors. */
   1099 	crp = crypto_getreq(1);
   1100 	if (crp == NULL) {
   1101 		DPRINTF(("%s: failed to acquire crypto descriptors\n",
   1102 		    __func__));
   1103 		AH_STATINC(AH_STAT_CRYPTO);
   1104 		error = ENOBUFS;
   1105 		goto bad;
   1106 	}
   1107 
   1108 	crda = crp->crp_desc;
   1109 
   1110 	crda->crd_skip = 0;
   1111 	crda->crd_inject = skip + rplen;
   1112 	crda->crd_len = m->m_pkthdr.len;
   1113 
   1114 	/* Authentication operation. */
   1115 	crda->crd_alg = ahx->type;
   1116 	crda->crd_key = _KEYBUF(sav->key_auth);
   1117 	crda->crd_klen = _KEYBITS(sav->key_auth);
   1118 
   1119 	/* Allocate IPsec-specific opaque crypto info. */
   1120 	tc = pool_cache_get(ah_tdb_crypto_pool_cache, PR_NOWAIT);
   1121 	if (tc == NULL) {
   1122 		crypto_freereq(crp);
   1123 		DPRINTF(("%s: failed to allocate tdb_crypto\n", __func__));
   1124 		AH_STATINC(AH_STAT_CRYPTO);
   1125 		error = ENOBUFS;
   1126 		goto bad;
   1127 	}
   1128 
   1129 	uint8_t *pext = (char *)(tc + 1);
   1130 	/* Save the skipped portion of the packet. */
   1131 	m_copydata(m, 0, skip, pext);
   1132 
   1133 	/*
   1134 	 * Fix IP header length on the header used for
   1135 	 * authentication. We don't need to fix the original
   1136 	 * header length as it will be fixed by our caller.
   1137 	 */
   1138 	memcpy(&iplen, pext + ipoffs, sizeof(iplen));
   1139 	iplen = htons(ntohs(iplen) + rplen + authsize);
   1140 	m_copyback(m, ipoffs, sizeof(iplen), &iplen);
   1141 
   1142 	/* Fix the Next Header field in saved header. */
   1143 	pext[protoff] = IPPROTO_AH;
   1144 
   1145 	/* Update the Next Protocol field in the IP header. */
   1146 	prot = IPPROTO_AH;
   1147 	m_copyback(m, protoff, sizeof(prot), &prot);
   1148 
   1149 	/* "Massage" the packet headers for crypto processing. */
   1150 	error = ah_massage_headers(&m, sav->sah->saidx.dst.sa.sa_family,
   1151 	    skip, ahx->type, 1);
   1152 	if (error != 0) {
   1153 		m = NULL;	/* mbuf was free'd by ah_massage_headers. */
   1154 		pool_cache_put(ah_tdb_crypto_pool_cache, tc);
   1155 		crypto_freereq(crp);
   1156 		goto bad;
   1157 	}
   1158 
   1159     {
   1160 	int s = pserialize_read_enter();
   1161 
   1162 	/*
   1163 	 * Take another reference to the SP and the SA for opencrypto callback.
   1164 	 */
   1165 	if (__predict_false(isr->sp->state == IPSEC_SPSTATE_DEAD ||
   1166 	    sav->state == SADB_SASTATE_DEAD)) {
   1167 		pserialize_read_exit(s);
   1168 		pool_cache_put(ah_tdb_crypto_pool_cache, tc);
   1169 		crypto_freereq(crp);
   1170 		AH_STATINC(AH_STAT_NOTDB);
   1171 		error = ENOENT;
   1172 		goto bad;
   1173 	}
   1174 	KEY_SP_REF(isr->sp);
   1175 	KEY_SA_REF(sav);
   1176 	pserialize_read_exit(s);
   1177     }
   1178 
   1179 	/* Crypto operation descriptor. */
   1180 	crp->crp_ilen = m->m_pkthdr.len; /* Total input length. */
   1181 	crp->crp_flags = CRYPTO_F_IMBUF;
   1182 	crp->crp_buf = m;
   1183 	crp->crp_callback = ah_output_cb;
   1184 	crp->crp_sid = sav->tdb_cryptoid;
   1185 	crp->crp_opaque = tc;
   1186 
   1187 	/* These are passed as-is to the callback. */
   1188 	tc->tc_isr = isr;
   1189 	tc->tc_spi = sav->spi;
   1190 	tc->tc_dst = sav->sah->saidx.dst;
   1191 	tc->tc_proto = sav->sah->saidx.proto;
   1192 	tc->tc_skip = skip;
   1193 	tc->tc_protoff = protoff;
   1194 	tc->tc_sav = sav;
   1195 
   1196 	return crypto_dispatch(crp);
   1197 bad:
   1198 	if (m)
   1199 		m_freem(m);
   1200 	return (error);
   1201 }
   1202 
   1203 /*
   1204  * AH output callback from the crypto driver.
   1205  */
   1206 static int
   1207 ah_output_cb(struct cryptop *crp)
   1208 {
   1209 	int skip, error;
   1210 	struct tdb_crypto *tc;
   1211 	struct ipsecrequest *isr;
   1212 	struct secasvar *sav;
   1213 	struct mbuf *m;
   1214 	void *ptr;
   1215 	int err;
   1216 	IPSEC_DECLARE_LOCK_VARIABLE;
   1217 
   1218 	KASSERT(crp->crp_opaque != NULL);
   1219 	tc = crp->crp_opaque;
   1220 	skip = tc->tc_skip;
   1221 	ptr = (tc + 1);
   1222 	m = crp->crp_buf;
   1223 
   1224 	IPSEC_ACQUIRE_GLOBAL_LOCKS();
   1225 
   1226 	isr = tc->tc_isr;
   1227 	sav = tc->tc_sav;
   1228 	if (__predict_false(isr->sp->state == IPSEC_SPSTATE_DEAD)) {
   1229 		AH_STATINC(AH_STAT_NOTDB);
   1230 		IPSECLOG(LOG_DEBUG,
   1231 		    "SP is being destroyed while in crypto (id=%u)\n",
   1232 		    isr->sp->id);
   1233 		error = ENOENT;
   1234 		goto bad;
   1235 	}
   1236 	if (__predict_false(!SADB_SASTATE_USABLE_P(sav))) {
   1237 		KEY_SA_UNREF(&sav);
   1238 		sav = KEY_LOOKUP_SA(&tc->tc_dst, tc->tc_proto, tc->tc_spi, 0, 0);
   1239 		if (sav == NULL) {
   1240 			AH_STATINC(AH_STAT_NOTDB);
   1241 			DPRINTF(("%s: SA expired while in crypto\n", __func__));
   1242 			error = ENOBUFS;		/*XXX*/
   1243 			goto bad;
   1244 		}
   1245 	}
   1246 
   1247 	/* Check for crypto errors. */
   1248 	if (crp->crp_etype) {
   1249 		if (sav->tdb_cryptoid != 0)
   1250 			sav->tdb_cryptoid = crp->crp_sid;
   1251 
   1252 		if (crp->crp_etype == EAGAIN) {
   1253 			IPSEC_RELEASE_GLOBAL_LOCKS();
   1254 			return crypto_dispatch(crp);
   1255 		}
   1256 
   1257 		AH_STATINC(AH_STAT_NOXFORM);
   1258 		DPRINTF(("%s: crypto error %d\n", __func__, crp->crp_etype));
   1259 		error = crp->crp_etype;
   1260 		goto bad;
   1261 	}
   1262 
   1263 	AH_STATINC(AH_STAT_HIST + ah_stats[sav->alg_auth]);
   1264 
   1265 	/*
   1266 	 * Copy original headers (with the new protocol number) back
   1267 	 * in place.
   1268 	 */
   1269 	m_copyback(m, 0, skip, ptr);
   1270 
   1271 	/* No longer needed. */
   1272 	pool_cache_put(ah_tdb_crypto_pool_cache, tc);
   1273 	crypto_freereq(crp);
   1274 
   1275 #ifdef IPSEC_DEBUG
   1276 	/* Emulate man-in-the-middle attack when ipsec_integrity is TRUE. */
   1277 	if (ipsec_integrity) {
   1278 		int alen;
   1279 
   1280 		/*
   1281 		 * Corrupt HMAC if we want to test integrity verification of
   1282 		 * the other side.
   1283 		 */
   1284 		alen = AUTHSIZE(sav);
   1285 		m_copyback(m, m->m_pkthdr.len - alen, alen, ipseczeroes);
   1286 	}
   1287 #endif
   1288 
   1289 	/* NB: m is reclaimed by ipsec_process_done. */
   1290 	err = ipsec_process_done(m, isr, sav);
   1291 	KEY_SA_UNREF(&sav);
   1292 	KEY_SP_UNREF(&isr->sp);
   1293 	IPSEC_RELEASE_GLOBAL_LOCKS();
   1294 	return err;
   1295 bad:
   1296 	if (sav)
   1297 		KEY_SA_UNREF(&sav);
   1298 	KEY_SP_UNREF(&isr->sp);
   1299 	IPSEC_RELEASE_GLOBAL_LOCKS();
   1300 	if (m)
   1301 		m_freem(m);
   1302 	pool_cache_put(ah_tdb_crypto_pool_cache, tc);
   1303 	crypto_freereq(crp);
   1304 	return error;
   1305 }
   1306 
   1307 static struct xformsw ah_xformsw = {
   1308 	.xf_type	= XF_AH,
   1309 	.xf_flags	= XFT_AUTH,
   1310 	.xf_name	= "IPsec AH",
   1311 	.xf_init	= ah_init,
   1312 	.xf_zeroize	= ah_zeroize,
   1313 	.xf_input	= ah_input,
   1314 	.xf_output	= ah_output,
   1315 	.xf_next	= NULL,
   1316 };
   1317 
   1318 void
   1319 ah_attach(void)
   1320 {
   1321 	ahstat_percpu = percpu_alloc(sizeof(uint64_t) * AH_NSTATS);
   1322 
   1323 #define MAXAUTHSIZE(name)						\
   1324 	if ((auth_hash_ ## name).authsize > ah_max_authsize)		\
   1325 		ah_max_authsize = (auth_hash_ ## name).authsize
   1326 
   1327 	ah_max_authsize = 0;
   1328 	MAXAUTHSIZE(null);
   1329 	MAXAUTHSIZE(md5);
   1330 	MAXAUTHSIZE(sha1);
   1331 	MAXAUTHSIZE(key_md5);
   1332 	MAXAUTHSIZE(key_sha1);
   1333 	MAXAUTHSIZE(hmac_md5);
   1334 	MAXAUTHSIZE(hmac_sha1);
   1335 	MAXAUTHSIZE(hmac_ripemd_160);
   1336 	MAXAUTHSIZE(hmac_md5_96);
   1337 	MAXAUTHSIZE(hmac_sha1_96);
   1338 	MAXAUTHSIZE(hmac_ripemd_160_96);
   1339 	MAXAUTHSIZE(hmac_sha2_256);
   1340 	MAXAUTHSIZE(hmac_sha2_384);
   1341 	MAXAUTHSIZE(hmac_sha2_512);
   1342 	MAXAUTHSIZE(aes_xcbc_mac_96);
   1343 	MAXAUTHSIZE(gmac_aes_128);
   1344 	MAXAUTHSIZE(gmac_aes_192);
   1345 	MAXAUTHSIZE(gmac_aes_256);
   1346 	IPSECLOG(LOG_DEBUG, "ah_max_authsize=%d\n", ah_max_authsize);
   1347 
   1348 #undef MAXAUTHSIZE
   1349 
   1350 	ah_pool_item_size = sizeof(struct tdb_crypto) +
   1351 	    sizeof(struct ip) + MAX_IPOPTLEN +
   1352 	    sizeof(struct ah) + sizeof(uint32_t) + ah_max_authsize;
   1353 	ah_tdb_crypto_pool_cache = pool_cache_init(ah_pool_item_size,
   1354 	    coherency_unit, 0, 0, "ah_tdb_crypto", NULL, IPL_SOFTNET,
   1355 	    NULL, NULL, NULL);
   1356 
   1357 	xform_register(&ah_xformsw);
   1358 }
   1359