Home | History | Annotate | Line # | Download | only in netipsec
xform_esp.c revision 1.13
      1  1.13  christos /*	$NetBSD: xform_esp.c,v 1.13 2007/03/04 06:03:30 christos Exp $	*/
      2   1.1  jonathan /*	$FreeBSD: src/sys/netipsec/xform_esp.c,v 1.2.2.1 2003/01/24 05:11:36 sam Exp $	*/
      3   1.1  jonathan /*	$OpenBSD: ip_esp.c,v 1.69 2001/06/26 06:18:59 angelos Exp $ */
      4   1.1  jonathan 
      5   1.1  jonathan /*
      6   1.1  jonathan  * The authors of this code are John Ioannidis (ji (at) tla.org),
      7   1.1  jonathan  * Angelos D. Keromytis (kermit (at) csd.uch.gr) and
      8   1.1  jonathan  * Niels Provos (provos (at) physnet.uni-hamburg.de).
      9   1.1  jonathan  *
     10   1.1  jonathan  * The original version of this code was written by John Ioannidis
     11   1.1  jonathan  * for BSD/OS in Athens, Greece, in November 1995.
     12   1.1  jonathan  *
     13   1.1  jonathan  * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996,
     14   1.1  jonathan  * by Angelos D. Keromytis.
     15   1.1  jonathan  *
     16   1.1  jonathan  * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis
     17   1.1  jonathan  * and Niels Provos.
     18   1.1  jonathan  *
     19   1.1  jonathan  * Additional features in 1999 by Angelos D. Keromytis.
     20   1.1  jonathan  *
     21   1.1  jonathan  * Copyright (C) 1995, 1996, 1997, 1998, 1999 by John Ioannidis,
     22   1.1  jonathan  * Angelos D. Keromytis and Niels Provos.
     23   1.1  jonathan  * Copyright (c) 2001 Angelos D. Keromytis.
     24   1.1  jonathan  *
     25   1.1  jonathan  * Permission to use, copy, and modify this software with or without fee
     26   1.1  jonathan  * is hereby granted, provided that this entire notice is included in
     27   1.1  jonathan  * all copies of any software which is or includes a copy or
     28   1.1  jonathan  * modification of this software.
     29   1.1  jonathan  * You may use this code under the GNU public license if you so wish. Please
     30   1.1  jonathan  * contribute changes back to the authors under this freer than GPL license
     31   1.1  jonathan  * so that we may further the use of strong encryption without limitations to
     32   1.1  jonathan  * all.
     33   1.1  jonathan  *
     34   1.1  jonathan  * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
     35   1.1  jonathan  * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY
     36   1.1  jonathan  * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
     37   1.1  jonathan  * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
     38   1.1  jonathan  * PURPOSE.
     39   1.1  jonathan  */
     40   1.1  jonathan 
     41   1.1  jonathan #include <sys/cdefs.h>
     42  1.13  christos __KERNEL_RCSID(0, "$NetBSD: xform_esp.c,v 1.13 2007/03/04 06:03:30 christos Exp $");
     43   1.1  jonathan 
     44   1.1  jonathan #include "opt_inet.h"
     45   1.2  jonathan #ifdef __FreeBSD__
     46   1.1  jonathan #include "opt_inet6.h"
     47   1.2  jonathan #endif
     48   1.1  jonathan 
     49   1.1  jonathan #include <sys/param.h>
     50   1.1  jonathan #include <sys/systm.h>
     51   1.1  jonathan #include <sys/mbuf.h>
     52   1.1  jonathan #include <sys/socket.h>
     53   1.1  jonathan #include <sys/syslog.h>
     54   1.1  jonathan #include <sys/kernel.h>
     55   1.1  jonathan /*#include <sys/random.h>*/
     56   1.1  jonathan #include <sys/sysctl.h>
     57   1.1  jonathan 
     58   1.1  jonathan #include <net/if.h>
     59   1.1  jonathan 
     60   1.1  jonathan #include <netinet/in.h>
     61   1.1  jonathan #include <netinet/in_systm.h>
     62   1.1  jonathan #include <netinet/ip.h>
     63   1.1  jonathan #include <netinet/ip_ecn.h>
     64   1.1  jonathan #include <netinet/ip6.h>
     65   1.1  jonathan 
     66   1.1  jonathan #include <net/route.h>
     67   1.1  jonathan #include <netipsec/ipsec.h>
     68   1.1  jonathan #include <netipsec/ah.h>
     69   1.1  jonathan #include <netipsec/ah_var.h>
     70   1.1  jonathan #include <netipsec/esp.h>
     71   1.1  jonathan #include <netipsec/esp_var.h>
     72   1.1  jonathan #include <netipsec/xform.h>
     73   1.1  jonathan 
     74   1.1  jonathan #ifdef INET6
     75   1.1  jonathan #include <netinet6/ip6_var.h>
     76   1.1  jonathan #include <netipsec/ipsec6.h>
     77   1.5  jonathan #  ifdef __FreeBSD__
     78   1.5  jonathan #  include <netinet6/ip6_ecn.h>
     79   1.5  jonathan #  endif
     80   1.1  jonathan #endif
     81   1.1  jonathan 
     82   1.4       tls #include <netipsec/key.h>
     83   1.4       tls #include <netipsec/key_debug.h>
     84   1.1  jonathan 
     85   1.1  jonathan #include <netipsec/ipsec_osdep.h>
     86   1.1  jonathan 
     87   1.1  jonathan #include <opencrypto/cryptodev.h>
     88   1.1  jonathan #include <opencrypto/xform.h>
     89   1.1  jonathan 
     90   1.1  jonathan int	esp_enable = 1;
     91   1.1  jonathan struct	espstat espstat;
     92   1.1  jonathan 
     93   1.1  jonathan #ifdef __FreeBSD__
     94   1.1  jonathan SYSCTL_DECL(_net_inet_esp);
     95   1.1  jonathan SYSCTL_INT(_net_inet_esp, OID_AUTO,
     96   1.1  jonathan 	esp_enable,	CTLFLAG_RW,	&esp_enable,	0, "");
     97   1.1  jonathan SYSCTL_STRUCT(_net_inet_esp, IPSECCTL_STATS,
     98   1.1  jonathan 	stats,		CTLFLAG_RD,	&espstat,	espstat, "");
     99   1.4       tls #endif /* __FreeBSD__ */
    100   1.1  jonathan 
    101   1.1  jonathan static	int esp_max_ivlen;		/* max iv length over all algorithms */
    102   1.1  jonathan 
    103   1.1  jonathan static int esp_input_cb(struct cryptop *op);
    104   1.1  jonathan static int esp_output_cb(struct cryptop *crp);
    105   1.1  jonathan 
    106   1.1  jonathan /*
    107   1.1  jonathan  * NB: this is public for use by the PF_KEY support.
    108   1.1  jonathan  * NB: if you add support here; be sure to add code to esp_attach below!
    109   1.1  jonathan  */
    110   1.1  jonathan struct enc_xform *
    111   1.1  jonathan esp_algorithm_lookup(int alg)
    112   1.1  jonathan {
    113   1.1  jonathan 	if (alg >= ESP_ALG_MAX)
    114   1.1  jonathan 		return NULL;
    115   1.1  jonathan 	switch (alg) {
    116   1.1  jonathan 	case SADB_EALG_DESCBC:
    117   1.1  jonathan 		return &enc_xform_des;
    118   1.1  jonathan 	case SADB_EALG_3DESCBC:
    119   1.1  jonathan 		return &enc_xform_3des;
    120   1.1  jonathan 	case SADB_X_EALG_AES:
    121   1.1  jonathan 		return &enc_xform_rijndael128;
    122   1.1  jonathan 	case SADB_X_EALG_BLOWFISHCBC:
    123   1.1  jonathan 		return &enc_xform_blf;
    124   1.1  jonathan 	case SADB_X_EALG_CAST128CBC:
    125   1.1  jonathan 		return &enc_xform_cast5;
    126   1.1  jonathan 	case SADB_X_EALG_SKIPJACK:
    127   1.1  jonathan 		return &enc_xform_skipjack;
    128   1.1  jonathan 	case SADB_EALG_NULL:
    129   1.1  jonathan 		return &enc_xform_null;
    130   1.1  jonathan 	}
    131   1.1  jonathan 	return NULL;
    132   1.1  jonathan }
    133   1.1  jonathan 
    134   1.1  jonathan size_t
    135   1.1  jonathan esp_hdrsiz(struct secasvar *sav)
    136   1.1  jonathan {
    137   1.1  jonathan 	size_t size;
    138   1.1  jonathan 
    139   1.1  jonathan 	if (sav != NULL) {
    140   1.1  jonathan 		/*XXX not right for null algorithm--does it matter??*/
    141   1.1  jonathan 		IPSEC_ASSERT(sav->tdb_encalgxform != NULL,
    142   1.1  jonathan 			("esp_hdrsiz: SA with null xform"));
    143   1.1  jonathan 		if (sav->flags & SADB_X_EXT_OLD)
    144   1.1  jonathan 			size = sizeof (struct esp);
    145   1.1  jonathan 		else
    146   1.1  jonathan 			size = sizeof (struct newesp);
    147   1.1  jonathan 		size += sav->tdb_encalgxform->blocksize + 9;
    148   1.1  jonathan 		/*XXX need alg check???*/
    149   1.1  jonathan 		if (sav->tdb_authalgxform != NULL && sav->replay)
    150   1.1  jonathan 			size += ah_hdrsiz(sav);
    151   1.1  jonathan 	} else {
    152   1.1  jonathan 		/*
    153   1.1  jonathan 		 *   base header size
    154   1.1  jonathan 		 * + max iv length for CBC mode
    155   1.1  jonathan 		 * + max pad length
    156   1.1  jonathan 		 * + sizeof (pad length field)
    157   1.1  jonathan 		 * + sizeof (next header field)
    158   1.1  jonathan 		 * + max icv supported.
    159   1.1  jonathan 		 */
    160   1.1  jonathan 		size = sizeof (struct newesp) + esp_max_ivlen + 9 + 16;
    161   1.1  jonathan 	}
    162   1.1  jonathan 	return size;
    163   1.1  jonathan }
    164   1.1  jonathan 
    165   1.1  jonathan /*
    166   1.1  jonathan  * esp_init() is called when an SPI is being set up.
    167   1.1  jonathan  */
    168   1.1  jonathan static int
    169   1.1  jonathan esp_init(struct secasvar *sav, struct xformsw *xsp)
    170   1.1  jonathan {
    171   1.1  jonathan 	struct enc_xform *txform;
    172   1.1  jonathan 	struct cryptoini cria, crie;
    173   1.1  jonathan 	int keylen;
    174   1.1  jonathan 	int error;
    175   1.1  jonathan 
    176   1.1  jonathan 	txform = esp_algorithm_lookup(sav->alg_enc);
    177   1.1  jonathan 	if (txform == NULL) {
    178   1.1  jonathan 		DPRINTF(("esp_init: unsupported encryption algorithm %d\n",
    179   1.1  jonathan 			sav->alg_enc));
    180   1.1  jonathan 		return EINVAL;
    181   1.1  jonathan 	}
    182   1.1  jonathan 	if (sav->key_enc == NULL) {
    183   1.1  jonathan 		DPRINTF(("esp_init: no encoding key for %s algorithm\n",
    184   1.1  jonathan 			 txform->name));
    185   1.1  jonathan 		return EINVAL;
    186   1.1  jonathan 	}
    187   1.1  jonathan 	if ((sav->flags&(SADB_X_EXT_OLD|SADB_X_EXT_IV4B)) == SADB_X_EXT_IV4B) {
    188   1.1  jonathan 		DPRINTF(("esp_init: 4-byte IV not supported with protocol\n"));
    189   1.1  jonathan 		return EINVAL;
    190   1.1  jonathan 	}
    191   1.1  jonathan 	keylen = _KEYLEN(sav->key_enc);
    192   1.1  jonathan 	if (txform->minkey > keylen || keylen > txform->maxkey) {
    193   1.1  jonathan 		DPRINTF(("esp_init: invalid key length %u, must be in "
    194   1.1  jonathan 			"the range [%u..%u] for algorithm %s\n",
    195   1.1  jonathan 			keylen, txform->minkey, txform->maxkey,
    196   1.1  jonathan 			txform->name));
    197   1.1  jonathan 		return EINVAL;
    198   1.1  jonathan 	}
    199   1.1  jonathan 
    200   1.1  jonathan 	/*
    201   1.1  jonathan 	 * NB: The null xform needs a non-zero blocksize to keep the
    202   1.1  jonathan 	 *      crypto code happy but if we use it to set ivlen then
    203   1.1  jonathan 	 *      the ESP header will be processed incorrectly.  The
    204   1.1  jonathan 	 *      compromise is to force it to zero here.
    205   1.1  jonathan 	 */
    206   1.1  jonathan 	sav->ivlen = (txform == &enc_xform_null ? 0 : txform->blocksize);
    207  1.13  christos 	sav->iv = (void *) malloc(sav->ivlen, M_SECA, M_WAITOK);
    208   1.1  jonathan 	if (sav->iv == NULL) {
    209   1.1  jonathan 		DPRINTF(("esp_init: no memory for IV\n"));
    210   1.1  jonathan 		return EINVAL;
    211   1.1  jonathan 	}
    212   1.1  jonathan 	key_randomfill(sav->iv, sav->ivlen);	/*XXX*/
    213   1.1  jonathan 
    214   1.1  jonathan 	/*
    215   1.1  jonathan 	 * Setup AH-related state.
    216   1.1  jonathan 	 */
    217   1.1  jonathan 	if (sav->alg_auth != 0) {
    218   1.1  jonathan 		error = ah_init0(sav, xsp, &cria);
    219   1.1  jonathan 		if (error)
    220   1.1  jonathan 			return error;
    221   1.1  jonathan 	}
    222   1.1  jonathan 
    223   1.1  jonathan 	/* NB: override anything set in ah_init0 */
    224   1.1  jonathan 	sav->tdb_xform = xsp;
    225   1.1  jonathan 	sav->tdb_encalgxform = txform;
    226   1.1  jonathan 
    227   1.1  jonathan 	/* Initialize crypto session. */
    228   1.1  jonathan 	bzero(&crie, sizeof (crie));
    229   1.1  jonathan 	crie.cri_alg = sav->tdb_encalgxform->type;
    230   1.1  jonathan 	crie.cri_klen = _KEYBITS(sav->key_enc);
    231   1.1  jonathan 	crie.cri_key = _KEYBUF(sav->key_enc);
    232   1.1  jonathan 	/* XXX Rounds ? */
    233   1.1  jonathan 
    234   1.1  jonathan 	if (sav->tdb_authalgxform && sav->tdb_encalgxform) {
    235   1.1  jonathan 		/* init both auth & enc */
    236   1.1  jonathan 		crie.cri_next = &cria;
    237   1.1  jonathan 		error = crypto_newsession(&sav->tdb_cryptoid,
    238   1.1  jonathan 					  &crie, crypto_support);
    239   1.1  jonathan 	} else if (sav->tdb_encalgxform) {
    240   1.1  jonathan 		error = crypto_newsession(&sav->tdb_cryptoid,
    241   1.1  jonathan 					  &crie, crypto_support);
    242   1.1  jonathan 	} else if (sav->tdb_authalgxform) {
    243   1.1  jonathan 		error = crypto_newsession(&sav->tdb_cryptoid,
    244   1.1  jonathan 					  &cria, crypto_support);
    245   1.1  jonathan 	} else {
    246   1.1  jonathan 		/* XXX cannot happen? */
    247   1.1  jonathan 		DPRINTF(("esp_init: no encoding OR authentication xform!\n"));
    248   1.1  jonathan 		error = EINVAL;
    249   1.1  jonathan 	}
    250   1.1  jonathan 	return error;
    251   1.1  jonathan }
    252   1.1  jonathan 
    253   1.1  jonathan /*
    254   1.1  jonathan  * Paranoia.
    255   1.1  jonathan  */
    256   1.1  jonathan static int
    257   1.1  jonathan esp_zeroize(struct secasvar *sav)
    258   1.1  jonathan {
    259   1.1  jonathan 	/* NB: ah_zerorize free's the crypto session state */
    260   1.1  jonathan 	int error = ah_zeroize(sav);
    261   1.1  jonathan 
    262   1.1  jonathan 	if (sav->key_enc)
    263   1.1  jonathan 		bzero(_KEYBUF(sav->key_enc), _KEYLEN(sav->key_enc));
    264   1.1  jonathan 	/* NB: sav->iv is freed elsewhere, even though we malloc it! */
    265   1.1  jonathan 	sav->tdb_encalgxform = NULL;
    266   1.1  jonathan 	sav->tdb_xform = NULL;
    267   1.1  jonathan 	return error;
    268   1.1  jonathan }
    269   1.1  jonathan 
    270   1.1  jonathan /*
    271   1.1  jonathan  * ESP input processing, called (eventually) through the protocol switch.
    272   1.1  jonathan  */
    273   1.1  jonathan static int
    274   1.1  jonathan esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
    275   1.1  jonathan {
    276   1.1  jonathan 	struct auth_hash *esph;
    277   1.1  jonathan 	struct enc_xform *espx;
    278   1.1  jonathan 	struct tdb_ident *tdbi;
    279   1.1  jonathan 	struct tdb_crypto *tc;
    280   1.1  jonathan 	int plen, alen, hlen;
    281   1.1  jonathan 	struct m_tag *mtag;
    282   1.1  jonathan 	struct newesp *esp;
    283   1.1  jonathan 
    284   1.1  jonathan 	struct cryptodesc *crde;
    285   1.1  jonathan 	struct cryptop *crp;
    286   1.1  jonathan 
    287   1.1  jonathan 	IPSEC_SPLASSERT_SOFTNET("esp_input");
    288   1.1  jonathan 
    289   1.1  jonathan 	IPSEC_ASSERT(sav != NULL, ("esp_input: null SA"));
    290   1.1  jonathan 	IPSEC_ASSERT(sav->tdb_encalgxform != NULL,
    291   1.1  jonathan 		("esp_input: null encoding xform"));
    292   1.1  jonathan 	IPSEC_ASSERT((skip&3) == 0 && (m->m_pkthdr.len&3) == 0,
    293   1.1  jonathan 		("esp_input: misaligned packet, skip %u pkt len %u",
    294   1.1  jonathan 			skip, m->m_pkthdr.len));
    295   1.1  jonathan 
    296   1.1  jonathan 	/* XXX don't pullup, just copy header */
    297   1.1  jonathan 	IP6_EXTHDR_GET(esp, struct newesp *, m, skip, sizeof (struct newesp));
    298   1.1  jonathan 
    299   1.1  jonathan 	esph = sav->tdb_authalgxform;
    300   1.1  jonathan 	espx = sav->tdb_encalgxform;
    301   1.1  jonathan 
    302   1.1  jonathan 	/* Determine the ESP header length */
    303   1.1  jonathan 	if (sav->flags & SADB_X_EXT_OLD)
    304   1.1  jonathan 		hlen = sizeof (struct esp) + sav->ivlen;
    305   1.1  jonathan 	else
    306   1.1  jonathan 		hlen = sizeof (struct newesp) + sav->ivlen;
    307   1.1  jonathan 	/* Authenticator hash size */
    308   1.1  jonathan 	alen = esph ? AH_HMAC_HASHLEN : 0;
    309   1.1  jonathan 
    310   1.1  jonathan 	/*
    311   1.1  jonathan 	 * Verify payload length is multiple of encryption algorithm
    312   1.1  jonathan 	 * block size.
    313   1.1  jonathan 	 *
    314   1.1  jonathan 	 * NB: This works for the null algorithm because the blocksize
    315   1.1  jonathan 	 *     is 4 and all packets must be 4-byte aligned regardless
    316   1.1  jonathan 	 *     of the algorithm.
    317   1.1  jonathan 	 */
    318   1.1  jonathan 	plen = m->m_pkthdr.len - (skip + hlen + alen);
    319   1.1  jonathan 	if ((plen & (espx->blocksize - 1)) || (plen <= 0)) {
    320   1.1  jonathan 		DPRINTF(("esp_input: "
    321   1.1  jonathan 		    "payload of %d octets not a multiple of %d octets,"
    322   1.1  jonathan 		    "  SA %s/%08lx\n",
    323   1.1  jonathan 		    plen, espx->blocksize,
    324   1.1  jonathan 		    ipsec_address(&sav->sah->saidx.dst),
    325   1.1  jonathan 		    (u_long) ntohl(sav->spi)));
    326   1.1  jonathan 		espstat.esps_badilen++;
    327   1.1  jonathan 		m_freem(m);
    328   1.1  jonathan 		return EINVAL;
    329   1.1  jonathan 	}
    330   1.1  jonathan 
    331   1.1  jonathan 	/*
    332   1.1  jonathan 	 * Check sequence number.
    333   1.1  jonathan 	 */
    334   1.1  jonathan 	if (esph && sav->replay && !ipsec_chkreplay(ntohl(esp->esp_seq), sav)) {
    335   1.1  jonathan 		DPRINTF(("esp_input: packet replay check for %s\n",
    336   1.1  jonathan 		    ipsec_logsastr(sav)));	/*XXX*/
    337   1.1  jonathan 		espstat.esps_replay++;
    338   1.1  jonathan 		m_freem(m);
    339   1.1  jonathan 		return ENOBUFS;		/*XXX*/
    340   1.1  jonathan 	}
    341   1.1  jonathan 
    342   1.1  jonathan 	/* Update the counters */
    343   1.1  jonathan 	espstat.esps_ibytes += m->m_pkthdr.len - skip - hlen - alen;
    344   1.1  jonathan 
    345   1.1  jonathan 	/* Find out if we've already done crypto */
    346   1.1  jonathan 	for (mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_CRYPTO_DONE, NULL);
    347   1.1  jonathan 	     mtag != NULL;
    348   1.1  jonathan 	     mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_CRYPTO_DONE, mtag)) {
    349   1.1  jonathan 		tdbi = (struct tdb_ident *) (mtag + 1);
    350   1.1  jonathan 		if (tdbi->proto == sav->sah->saidx.proto &&
    351   1.1  jonathan 		    tdbi->spi == sav->spi &&
    352   1.1  jonathan 		    !bcmp(&tdbi->dst, &sav->sah->saidx.dst,
    353   1.1  jonathan 			  sizeof(union sockaddr_union)))
    354   1.1  jonathan 			break;
    355   1.1  jonathan 	}
    356   1.1  jonathan 
    357   1.1  jonathan 	/* Get crypto descriptors */
    358   1.1  jonathan 	crp = crypto_getreq(esph && espx ? 2 : 1);
    359   1.1  jonathan 	if (crp == NULL) {
    360   1.1  jonathan 		DPRINTF(("esp_input: failed to acquire crypto descriptors\n"));
    361   1.1  jonathan 		espstat.esps_crypto++;
    362   1.1  jonathan 		m_freem(m);
    363   1.1  jonathan 		return ENOBUFS;
    364   1.1  jonathan 	}
    365   1.1  jonathan 
    366   1.1  jonathan 	/* Get IPsec-specific opaque pointer */
    367   1.1  jonathan 	if (esph == NULL || mtag != NULL)
    368   1.1  jonathan 		tc = (struct tdb_crypto *) malloc(sizeof(struct tdb_crypto),
    369   1.1  jonathan 		    M_XDATA, M_NOWAIT|M_ZERO);
    370   1.1  jonathan 	else
    371   1.1  jonathan 		tc = (struct tdb_crypto *) malloc(sizeof(struct tdb_crypto) + alen,
    372   1.1  jonathan 		    M_XDATA, M_NOWAIT|M_ZERO);
    373   1.1  jonathan 	if (tc == NULL) {
    374   1.1  jonathan 		crypto_freereq(crp);
    375   1.1  jonathan 		DPRINTF(("esp_input: failed to allocate tdb_crypto\n"));
    376   1.1  jonathan 		espstat.esps_crypto++;
    377   1.1  jonathan 		m_freem(m);
    378   1.1  jonathan 		return ENOBUFS;
    379   1.1  jonathan 	}
    380   1.1  jonathan 
    381  1.13  christos 	tc->tc_ptr = (void *) mtag;
    382   1.1  jonathan 
    383   1.1  jonathan 	if (esph) {
    384   1.1  jonathan 		struct cryptodesc *crda = crp->crp_desc;
    385   1.1  jonathan 
    386   1.1  jonathan 		IPSEC_ASSERT(crda != NULL, ("esp_input: null ah crypto descriptor"));
    387   1.1  jonathan 
    388   1.1  jonathan 		/* Authentication descriptor */
    389   1.1  jonathan 		crda->crd_skip = skip;
    390   1.1  jonathan 		crda->crd_len = m->m_pkthdr.len - (skip + alen);
    391   1.1  jonathan 		crda->crd_inject = m->m_pkthdr.len - alen;
    392   1.1  jonathan 
    393   1.1  jonathan 		crda->crd_alg = esph->type;
    394   1.1  jonathan 		crda->crd_key = _KEYBUF(sav->key_auth);
    395   1.1  jonathan 		crda->crd_klen = _KEYBITS(sav->key_auth);
    396   1.1  jonathan 
    397   1.1  jonathan 		/* Copy the authenticator */
    398   1.1  jonathan 		if (mtag == NULL)
    399   1.1  jonathan 			m_copydata(m, m->m_pkthdr.len - alen, alen,
    400  1.13  christos 				   (void *) (tc + 1));
    401   1.1  jonathan 
    402   1.1  jonathan 		/* Chain authentication request */
    403   1.1  jonathan 		crde = crda->crd_next;
    404   1.1  jonathan 	} else {
    405   1.1  jonathan 		crde = crp->crp_desc;
    406   1.1  jonathan 	}
    407   1.1  jonathan 
    408   1.1  jonathan 	/* Crypto operation descriptor */
    409   1.1  jonathan 	crp->crp_ilen = m->m_pkthdr.len; /* Total input length */
    410   1.1  jonathan 	crp->crp_flags = CRYPTO_F_IMBUF;
    411  1.13  christos 	crp->crp_buf = (void *) m;
    412   1.1  jonathan 	crp->crp_callback = esp_input_cb;
    413   1.1  jonathan 	crp->crp_sid = sav->tdb_cryptoid;
    414  1.13  christos 	crp->crp_opaque = (void *) tc;
    415   1.1  jonathan 
    416   1.1  jonathan 	/* These are passed as-is to the callback */
    417   1.1  jonathan 	tc->tc_spi = sav->spi;
    418   1.1  jonathan 	tc->tc_dst = sav->sah->saidx.dst;
    419   1.1  jonathan 	tc->tc_proto = sav->sah->saidx.proto;
    420   1.1  jonathan 	tc->tc_protoff = protoff;
    421   1.1  jonathan 	tc->tc_skip = skip;
    422   1.1  jonathan 
    423   1.1  jonathan 	/* Decryption descriptor */
    424   1.1  jonathan 	if (espx) {
    425   1.1  jonathan 		IPSEC_ASSERT(crde != NULL, ("esp_input: null esp crypto descriptor"));
    426   1.1  jonathan 		crde->crd_skip = skip + hlen;
    427   1.1  jonathan 		crde->crd_len = m->m_pkthdr.len - (skip + hlen + alen);
    428   1.1  jonathan 		crde->crd_inject = skip + hlen - sav->ivlen;
    429   1.1  jonathan 
    430   1.1  jonathan 		crde->crd_alg = espx->type;
    431   1.1  jonathan 		crde->crd_key = _KEYBUF(sav->key_enc);
    432   1.1  jonathan 		crde->crd_klen = _KEYBITS(sav->key_enc);
    433   1.1  jonathan 		/* XXX Rounds ? */
    434   1.1  jonathan 	}
    435   1.1  jonathan 
    436   1.1  jonathan 	if (mtag == NULL)
    437   1.1  jonathan 		return crypto_dispatch(crp);
    438   1.1  jonathan 	else
    439   1.1  jonathan 		return esp_input_cb(crp);
    440   1.1  jonathan }
    441   1.1  jonathan 
    442   1.1  jonathan #ifdef INET6
    443   1.1  jonathan #define	IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff, mtag) do {		     \
    444   1.1  jonathan 	if (saidx->dst.sa.sa_family == AF_INET6) {			     \
    445   1.1  jonathan 		error = ipsec6_common_input_cb(m, sav, skip, protoff, mtag); \
    446   1.1  jonathan 	} else {							     \
    447   1.1  jonathan 		error = ipsec4_common_input_cb(m, sav, skip, protoff, mtag); \
    448   1.1  jonathan 	}								     \
    449   1.1  jonathan } while (0)
    450   1.1  jonathan #else
    451   1.1  jonathan #define	IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff, mtag)		     \
    452   1.1  jonathan 	(error = ipsec4_common_input_cb(m, sav, skip, protoff, mtag))
    453   1.1  jonathan #endif
    454   1.1  jonathan 
    455   1.1  jonathan /*
    456   1.1  jonathan  * ESP input callback from the crypto driver.
    457   1.1  jonathan  */
    458   1.1  jonathan static int
    459   1.1  jonathan esp_input_cb(struct cryptop *crp)
    460   1.1  jonathan {
    461   1.1  jonathan 	u_int8_t lastthree[3], aalg[AH_HMAC_HASHLEN];
    462   1.1  jonathan 	int s, hlen, skip, protoff, error;
    463   1.1  jonathan 	struct mbuf *m;
    464   1.1  jonathan 	struct cryptodesc *crd;
    465   1.1  jonathan 	struct auth_hash *esph;
    466   1.1  jonathan 	struct enc_xform *espx;
    467   1.1  jonathan 	struct tdb_crypto *tc;
    468   1.1  jonathan 	struct m_tag *mtag;
    469   1.1  jonathan 	struct secasvar *sav;
    470   1.1  jonathan 	struct secasindex *saidx;
    471  1.13  christos 	void *ptr;
    472   1.1  jonathan 
    473   1.1  jonathan 	crd = crp->crp_desc;
    474   1.1  jonathan 	IPSEC_ASSERT(crd != NULL, ("esp_input_cb: null crypto descriptor!"));
    475   1.1  jonathan 
    476   1.1  jonathan 	tc = (struct tdb_crypto *) crp->crp_opaque;
    477   1.1  jonathan 	IPSEC_ASSERT(tc != NULL, ("esp_input_cb: null opaque crypto data area!"));
    478   1.1  jonathan 	skip = tc->tc_skip;
    479   1.1  jonathan 	protoff = tc->tc_protoff;
    480   1.1  jonathan 	mtag = (struct m_tag *) tc->tc_ptr;
    481   1.1  jonathan 	m = (struct mbuf *) crp->crp_buf;
    482   1.1  jonathan 
    483   1.1  jonathan 	s = splsoftnet();
    484   1.1  jonathan 
    485   1.1  jonathan 	sav = KEY_ALLOCSA(&tc->tc_dst, tc->tc_proto, tc->tc_spi);
    486   1.1  jonathan 	if (sav == NULL) {
    487   1.1  jonathan 		espstat.esps_notdb++;
    488   1.1  jonathan 		DPRINTF(("esp_input_cb: SA expired while in crypto "
    489   1.1  jonathan 		    "(SA %s/%08lx proto %u)\n", ipsec_address(&tc->tc_dst),
    490   1.1  jonathan 		    (u_long) ntohl(tc->tc_spi), tc->tc_proto));
    491   1.1  jonathan 		error = ENOBUFS;		/*XXX*/
    492   1.1  jonathan 		goto bad;
    493   1.1  jonathan 	}
    494   1.1  jonathan 
    495   1.1  jonathan 	saidx = &sav->sah->saidx;
    496   1.1  jonathan 	IPSEC_ASSERT(saidx->dst.sa.sa_family == AF_INET ||
    497   1.1  jonathan 		saidx->dst.sa.sa_family == AF_INET6,
    498   1.1  jonathan 		("ah_input_cb: unexpected protocol family %u",
    499   1.1  jonathan 		 saidx->dst.sa.sa_family));
    500   1.1  jonathan 
    501   1.1  jonathan 	esph = sav->tdb_authalgxform;
    502   1.1  jonathan 	espx = sav->tdb_encalgxform;
    503   1.1  jonathan 
    504   1.1  jonathan 	/* Check for crypto errors */
    505   1.1  jonathan 	if (crp->crp_etype) {
    506   1.1  jonathan 		/* Reset the session ID */
    507   1.1  jonathan 		if (sav->tdb_cryptoid != 0)
    508   1.1  jonathan 			sav->tdb_cryptoid = crp->crp_sid;
    509   1.1  jonathan 
    510   1.1  jonathan 		if (crp->crp_etype == EAGAIN) {
    511   1.1  jonathan 			KEY_FREESAV(&sav);
    512   1.1  jonathan 			splx(s);
    513   1.1  jonathan 			return crypto_dispatch(crp);
    514   1.1  jonathan 		}
    515   1.1  jonathan 
    516   1.1  jonathan 		espstat.esps_noxform++;
    517   1.1  jonathan 		DPRINTF(("esp_input_cb: crypto error %d\n", crp->crp_etype));
    518   1.1  jonathan 		error = crp->crp_etype;
    519   1.1  jonathan 		goto bad;
    520   1.1  jonathan 	}
    521   1.1  jonathan 
    522   1.1  jonathan 	/* Shouldn't happen... */
    523   1.1  jonathan 	if (m == NULL) {
    524   1.1  jonathan 		espstat.esps_crypto++;
    525   1.1  jonathan 		DPRINTF(("esp_input_cb: bogus returned buffer from crypto\n"));
    526   1.1  jonathan 		error = EINVAL;
    527   1.1  jonathan 		goto bad;
    528   1.1  jonathan 	}
    529   1.1  jonathan 	espstat.esps_hist[sav->alg_enc]++;
    530   1.1  jonathan 
    531   1.1  jonathan 	/* If authentication was performed, check now. */
    532   1.1  jonathan 	if (esph != NULL) {
    533   1.1  jonathan 		/*
    534   1.1  jonathan 		 * If we have a tag, it means an IPsec-aware NIC did
    535   1.1  jonathan 		 * the verification for us.  Otherwise we need to
    536   1.1  jonathan 		 * check the authentication calculation.
    537   1.1  jonathan 		 */
    538   1.1  jonathan 		ahstat.ahs_hist[sav->alg_auth]++;
    539   1.1  jonathan 		if (mtag == NULL) {
    540   1.1  jonathan 			/* Copy the authenticator from the packet */
    541   1.1  jonathan 			m_copydata(m, m->m_pkthdr.len - esph->authsize,
    542   1.1  jonathan 				esph->authsize, aalg);
    543   1.1  jonathan 
    544  1.13  christos 			ptr = (void *) (tc + 1);
    545   1.1  jonathan 
    546   1.1  jonathan 			/* Verify authenticator */
    547   1.1  jonathan 			if (bcmp(ptr, aalg, esph->authsize) != 0) {
    548   1.1  jonathan 				DPRINTF(("esp_input_cb: "
    549   1.1  jonathan 		    "authentication hash mismatch for packet in SA %s/%08lx\n",
    550   1.1  jonathan 				    ipsec_address(&saidx->dst),
    551   1.1  jonathan 				    (u_long) ntohl(sav->spi)));
    552   1.1  jonathan 				espstat.esps_badauth++;
    553   1.1  jonathan 				error = EACCES;
    554   1.1  jonathan 				goto bad;
    555   1.1  jonathan 			}
    556   1.1  jonathan 		}
    557   1.1  jonathan 
    558   1.1  jonathan 		/* Remove trailing authenticator */
    559   1.1  jonathan 		m_adj(m, -(esph->authsize));
    560   1.1  jonathan 	}
    561   1.1  jonathan 
    562   1.1  jonathan 	/* Release the crypto descriptors */
    563   1.1  jonathan 	free(tc, M_XDATA), tc = NULL;
    564   1.1  jonathan 	crypto_freereq(crp), crp = NULL;
    565   1.1  jonathan 
    566   1.1  jonathan 	/*
    567   1.1  jonathan 	 * Packet is now decrypted.
    568   1.1  jonathan 	 */
    569   1.1  jonathan 	m->m_flags |= M_DECRYPTED;
    570   1.1  jonathan 
    571   1.8    rpaulo 	/*
    572   1.8    rpaulo 	 * Update replay sequence number, if appropriate.
    573   1.8    rpaulo 	 */
    574   1.8    rpaulo 	if (sav->replay) {
    575   1.8    rpaulo 		u_int32_t seq;
    576   1.8    rpaulo 
    577   1.8    rpaulo 		m_copydata(m, skip + offsetof(struct newesp, esp_seq),
    578  1.13  christos 		    sizeof (seq), (void *) &seq);
    579   1.8    rpaulo 		if (ipsec_updatereplay(ntohl(seq), sav)) {
    580   1.8    rpaulo 			DPRINTF(("%s: packet replay check for %s\n", __func__,
    581   1.8    rpaulo 			    ipsec_logsastr(sav)));
    582   1.8    rpaulo 			espstat.esps_replay++;
    583   1.8    rpaulo 			error = ENOBUFS;
    584   1.8    rpaulo 			goto bad;
    585   1.8    rpaulo 		}
    586   1.8    rpaulo 	}
    587   1.8    rpaulo 
    588   1.1  jonathan 	/* Determine the ESP header length */
    589   1.1  jonathan 	if (sav->flags & SADB_X_EXT_OLD)
    590   1.1  jonathan 		hlen = sizeof (struct esp) + sav->ivlen;
    591   1.1  jonathan 	else
    592   1.1  jonathan 		hlen = sizeof (struct newesp) + sav->ivlen;
    593   1.1  jonathan 
    594   1.1  jonathan 	/* Remove the ESP header and IV from the mbuf. */
    595   1.1  jonathan 	error = m_striphdr(m, skip, hlen);
    596   1.1  jonathan 	if (error) {
    597   1.1  jonathan 		espstat.esps_hdrops++;
    598   1.1  jonathan 		DPRINTF(("esp_input_cb: bad mbuf chain, SA %s/%08lx\n",
    599   1.1  jonathan 		    ipsec_address(&sav->sah->saidx.dst),
    600   1.1  jonathan 		    (u_long) ntohl(sav->spi)));
    601   1.1  jonathan 		goto bad;
    602   1.1  jonathan 	}
    603   1.1  jonathan 
    604   1.1  jonathan 	/* Save the last three bytes of decrypted data */
    605   1.1  jonathan 	m_copydata(m, m->m_pkthdr.len - 3, 3, lastthree);
    606   1.1  jonathan 
    607   1.1  jonathan 	/* Verify pad length */
    608   1.1  jonathan 	if (lastthree[1] + 2 > m->m_pkthdr.len - skip) {
    609   1.1  jonathan 		espstat.esps_badilen++;
    610   1.1  jonathan 		DPRINTF(("esp_input_cb: invalid padding length %d "
    611   1.1  jonathan 			 "for %u byte packet in SA %s/%08lx\n",
    612   1.1  jonathan 			 lastthree[1], m->m_pkthdr.len - skip,
    613   1.1  jonathan 			 ipsec_address(&sav->sah->saidx.dst),
    614   1.1  jonathan 			 (u_long) ntohl(sav->spi)));
    615   1.1  jonathan 		error = EINVAL;
    616   1.1  jonathan 		goto bad;
    617   1.1  jonathan 	}
    618   1.1  jonathan 
    619   1.1  jonathan 	/* Verify correct decryption by checking the last padding bytes */
    620   1.1  jonathan 	if ((sav->flags & SADB_X_EXT_PMASK) != SADB_X_EXT_PRAND) {
    621   1.1  jonathan 		if (lastthree[1] != lastthree[0] && lastthree[1] != 0) {
    622   1.1  jonathan 			espstat.esps_badenc++;
    623   1.1  jonathan 			DPRINTF(("esp_input_cb: decryption failed "
    624   1.1  jonathan 				"for packet in SA %s/%08lx\n",
    625   1.1  jonathan 				ipsec_address(&sav->sah->saidx.dst),
    626   1.1  jonathan 				(u_long) ntohl(sav->spi)));
    627   1.1  jonathan DPRINTF(("esp_input_cb: %x %x\n", lastthree[0], lastthree[1]));
    628   1.1  jonathan 			error = EINVAL;
    629   1.1  jonathan 			goto bad;
    630   1.1  jonathan 		}
    631   1.1  jonathan 	}
    632   1.1  jonathan 
    633   1.1  jonathan 	/* Trim the mbuf chain to remove trailing authenticator and padding */
    634   1.1  jonathan 	m_adj(m, -(lastthree[1] + 2));
    635   1.1  jonathan 
    636   1.1  jonathan 	/* Restore the Next Protocol field */
    637  1.10     pavel 	m = m_copyback_cow(m, protoff, sizeof (u_int8_t), lastthree + 2,
    638  1.10     pavel 			   M_DONTWAIT);
    639  1.10     pavel 
    640  1.10     pavel 	if (m == NULL) {
    641  1.10     pavel 		espstat.esps_crypto++;
    642  1.10     pavel 		DPRINTF(("esp_input_cb: failed to allocate mbuf\n"));
    643  1.10     pavel 		error = ENOBUFS;
    644  1.10     pavel 		goto bad;
    645  1.10     pavel 	}
    646   1.1  jonathan 
    647   1.1  jonathan 	IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff, mtag);
    648   1.1  jonathan 
    649   1.1  jonathan 	KEY_FREESAV(&sav);
    650   1.1  jonathan 	splx(s);
    651   1.1  jonathan 	return error;
    652   1.1  jonathan bad:
    653   1.1  jonathan 	if (sav)
    654   1.1  jonathan 		KEY_FREESAV(&sav);
    655   1.1  jonathan 	splx(s);
    656   1.1  jonathan 	if (m != NULL)
    657   1.1  jonathan 		m_freem(m);
    658   1.1  jonathan 	if (tc != NULL)
    659   1.1  jonathan 		free(tc, M_XDATA);
    660   1.1  jonathan 	if (crp != NULL)
    661   1.1  jonathan 		crypto_freereq(crp);
    662   1.1  jonathan 	return error;
    663   1.1  jonathan }
    664   1.1  jonathan 
    665   1.1  jonathan /*
    666   1.1  jonathan  * ESP output routine, called by ipsec[46]_process_packet().
    667   1.1  jonathan  */
    668   1.1  jonathan static int
    669   1.1  jonathan esp_output(
    670  1.11  christos     struct mbuf *m,
    671  1.11  christos     struct ipsecrequest *isr,
    672  1.12  christos     struct mbuf **mp,
    673  1.11  christos     int skip,
    674  1.11  christos     int protoff
    675   1.1  jonathan )
    676   1.1  jonathan {
    677   1.1  jonathan 	struct enc_xform *espx;
    678   1.1  jonathan 	struct auth_hash *esph;
    679   1.1  jonathan 	int hlen, rlen, plen, padding, blks, alen, i, roff;
    680   1.1  jonathan 	struct mbuf *mo = (struct mbuf *) NULL;
    681   1.1  jonathan 	struct tdb_crypto *tc;
    682   1.1  jonathan 	struct secasvar *sav;
    683   1.1  jonathan 	struct secasindex *saidx;
    684   1.1  jonathan 	unsigned char *pad;
    685   1.1  jonathan 	u_int8_t prot;
    686   1.1  jonathan 	int error, maxpacketsize;
    687   1.1  jonathan 
    688   1.1  jonathan 	struct cryptodesc *crde = NULL, *crda = NULL;
    689   1.1  jonathan 	struct cryptop *crp;
    690   1.1  jonathan 
    691   1.1  jonathan 	IPSEC_SPLASSERT_SOFTNET("esp_output");
    692   1.1  jonathan 
    693   1.1  jonathan 	sav = isr->sav;
    694   1.1  jonathan 	IPSEC_ASSERT(sav != NULL, ("esp_output: null SA"));
    695   1.1  jonathan 	esph = sav->tdb_authalgxform;
    696   1.1  jonathan 	espx = sav->tdb_encalgxform;
    697   1.1  jonathan 	IPSEC_ASSERT(espx != NULL, ("esp_output: null encoding xform"));
    698   1.1  jonathan 
    699   1.1  jonathan 	if (sav->flags & SADB_X_EXT_OLD)
    700   1.1  jonathan 		hlen = sizeof (struct esp) + sav->ivlen;
    701   1.1  jonathan 	else
    702   1.1  jonathan 		hlen = sizeof (struct newesp) + sav->ivlen;
    703   1.1  jonathan 
    704   1.1  jonathan 	rlen = m->m_pkthdr.len - skip;	/* Raw payload length. */
    705   1.1  jonathan 	/*
    706   1.1  jonathan 	 * NB: The null encoding transform has a blocksize of 4
    707   1.1  jonathan 	 *     so that headers are properly aligned.
    708   1.1  jonathan 	 */
    709   1.1  jonathan 	blks = espx->blocksize;		/* IV blocksize */
    710   1.1  jonathan 
    711   1.1  jonathan 	/* XXX clamp padding length a la KAME??? */
    712   1.1  jonathan 	padding = ((blks - ((rlen + 2) % blks)) % blks) + 2;
    713   1.1  jonathan 	plen = rlen + padding;		/* Padded payload length. */
    714   1.1  jonathan 
    715   1.1  jonathan 	if (esph)
    716   1.1  jonathan 		alen = AH_HMAC_HASHLEN;
    717   1.1  jonathan 	else
    718   1.1  jonathan 		alen = 0;
    719   1.1  jonathan 
    720   1.1  jonathan 	espstat.esps_output++;
    721   1.1  jonathan 
    722   1.1  jonathan 	saidx = &sav->sah->saidx;
    723   1.1  jonathan 	/* Check for maximum packet size violations. */
    724   1.1  jonathan 	switch (saidx->dst.sa.sa_family) {
    725   1.1  jonathan #ifdef INET
    726   1.1  jonathan 	case AF_INET:
    727   1.1  jonathan 		maxpacketsize = IP_MAXPACKET;
    728   1.1  jonathan 		break;
    729   1.1  jonathan #endif /* INET */
    730   1.1  jonathan #ifdef INET6
    731   1.1  jonathan 	case AF_INET6:
    732   1.1  jonathan 		maxpacketsize = IPV6_MAXPACKET;
    733   1.1  jonathan 		break;
    734   1.1  jonathan #endif /* INET6 */
    735   1.1  jonathan 	default:
    736   1.1  jonathan 		DPRINTF(("esp_output: unknown/unsupported protocol "
    737   1.1  jonathan 		    "family %d, SA %s/%08lx\n",
    738   1.1  jonathan 		    saidx->dst.sa.sa_family, ipsec_address(&saidx->dst),
    739   1.1  jonathan 		    (u_long) ntohl(sav->spi)));
    740   1.1  jonathan 		espstat.esps_nopf++;
    741   1.1  jonathan 		error = EPFNOSUPPORT;
    742   1.1  jonathan 		goto bad;
    743   1.1  jonathan 	}
    744   1.1  jonathan 	if (skip + hlen + rlen + padding + alen > maxpacketsize) {
    745   1.1  jonathan 		DPRINTF(("esp_output: packet in SA %s/%08lx got too big "
    746   1.1  jonathan 		    "(len %u, max len %u)\n",
    747   1.1  jonathan 		    ipsec_address(&saidx->dst), (u_long) ntohl(sav->spi),
    748   1.1  jonathan 		    skip + hlen + rlen + padding + alen, maxpacketsize));
    749   1.1  jonathan 		espstat.esps_toobig++;
    750   1.1  jonathan 		error = EMSGSIZE;
    751   1.1  jonathan 		goto bad;
    752   1.1  jonathan 	}
    753   1.1  jonathan 
    754   1.1  jonathan 	/* Update the counters. */
    755   1.1  jonathan 	espstat.esps_obytes += m->m_pkthdr.len - skip;
    756   1.1  jonathan 
    757   1.1  jonathan 	m = m_clone(m);
    758   1.1  jonathan 	if (m == NULL) {
    759   1.1  jonathan 		DPRINTF(("esp_output: cannot clone mbuf chain, SA %s/%08lx\n",
    760   1.1  jonathan 		    ipsec_address(&saidx->dst), (u_long) ntohl(sav->spi)));
    761   1.1  jonathan 		espstat.esps_hdrops++;
    762   1.1  jonathan 		error = ENOBUFS;
    763   1.1  jonathan 		goto bad;
    764   1.1  jonathan 	}
    765   1.1  jonathan 
    766   1.1  jonathan 	/* Inject ESP header. */
    767   1.1  jonathan 	mo = m_makespace(m, skip, hlen, &roff);
    768   1.1  jonathan 	if (mo == NULL) {
    769   1.1  jonathan 		DPRINTF(("esp_output: failed to inject %u byte ESP hdr for SA "
    770   1.1  jonathan 		    "%s/%08lx\n",
    771   1.1  jonathan 		    hlen, ipsec_address(&saidx->dst),
    772   1.1  jonathan 		    (u_long) ntohl(sav->spi)));
    773   1.1  jonathan 		espstat.esps_hdrops++;		/* XXX diffs from openbsd */
    774   1.1  jonathan 		error = ENOBUFS;
    775   1.1  jonathan 		goto bad;
    776   1.1  jonathan 	}
    777   1.1  jonathan 
    778   1.1  jonathan 	/* Initialize ESP header. */
    779  1.13  christos 	bcopy((void *) &sav->spi, mtod(mo, void *) + roff, sizeof(u_int32_t));
    780   1.1  jonathan 	if (sav->replay) {
    781   1.9    rpaulo 		u_int32_t replay;
    782   1.9    rpaulo 
    783   1.9    rpaulo #ifdef IPSEC_DEBUG
    784   1.9    rpaulo 		/* Emulate replay attack when ipsec_replay is TRUE. */
    785   1.9    rpaulo 		if (!ipsec_replay)
    786   1.9    rpaulo #endif
    787   1.9    rpaulo 			sav->replay->count++;
    788   1.9    rpaulo 
    789   1.9    rpaulo 		replay = htonl(sav->replay->count);
    790  1.13  christos 		bcopy((void *) &replay,
    791  1.13  christos 		    mtod(mo, void *) + roff + sizeof(u_int32_t),
    792   1.1  jonathan 		    sizeof(u_int32_t));
    793   1.1  jonathan 	}
    794   1.1  jonathan 
    795   1.1  jonathan 	/*
    796   1.1  jonathan 	 * Add padding -- better to do it ourselves than use the crypto engine,
    797   1.1  jonathan 	 * although if/when we support compression, we'd have to do that.
    798   1.1  jonathan 	 */
    799   1.1  jonathan 	pad = (u_char *) m_pad(m, padding + alen);
    800   1.1  jonathan 	if (pad == NULL) {
    801   1.1  jonathan 		DPRINTF(("esp_output: m_pad failed for SA %s/%08lx\n",
    802   1.1  jonathan 		    ipsec_address(&saidx->dst), (u_long) ntohl(sav->spi)));
    803   1.1  jonathan 		m = NULL;		/* NB: free'd by m_pad */
    804   1.1  jonathan 		error = ENOBUFS;
    805   1.1  jonathan 		goto bad;
    806   1.1  jonathan 	}
    807   1.1  jonathan 
    808   1.1  jonathan 	/*
    809   1.1  jonathan 	 * Add padding: random, zero, or self-describing.
    810   1.1  jonathan 	 * XXX catch unexpected setting
    811   1.1  jonathan 	 */
    812   1.1  jonathan 	switch (sav->flags & SADB_X_EXT_PMASK) {
    813   1.1  jonathan 	case SADB_X_EXT_PRAND:
    814   1.1  jonathan 		(void) read_random(pad, padding - 2);
    815   1.1  jonathan 		break;
    816   1.1  jonathan 	case SADB_X_EXT_PZERO:
    817   1.1  jonathan 		bzero(pad, padding - 2);
    818   1.1  jonathan 		break;
    819   1.1  jonathan 	case SADB_X_EXT_PSEQ:
    820   1.1  jonathan 		for (i = 0; i < padding - 2; i++)
    821   1.1  jonathan 			pad[i] = i+1;
    822   1.1  jonathan 		break;
    823   1.1  jonathan 	}
    824   1.1  jonathan 
    825   1.1  jonathan 	/* Fix padding length and Next Protocol in padding itself. */
    826   1.1  jonathan 	pad[padding - 2] = padding - 2;
    827   1.1  jonathan 	m_copydata(m, protoff, sizeof(u_int8_t), pad + padding - 1);
    828   1.1  jonathan 
    829   1.1  jonathan 	/* Fix Next Protocol in IPv4/IPv6 header. */
    830   1.1  jonathan 	prot = IPPROTO_ESP;
    831   1.1  jonathan 	m_copyback(m, protoff, sizeof(u_int8_t), (u_char *) &prot);
    832   1.1  jonathan 
    833   1.1  jonathan 	/* Get crypto descriptors. */
    834   1.1  jonathan 	crp = crypto_getreq(esph && espx ? 2 : 1);
    835   1.1  jonathan 	if (crp == NULL) {
    836   1.1  jonathan 		DPRINTF(("esp_output: failed to acquire crypto descriptors\n"));
    837   1.1  jonathan 		espstat.esps_crypto++;
    838   1.1  jonathan 		error = ENOBUFS;
    839   1.1  jonathan 		goto bad;
    840   1.1  jonathan 	}
    841   1.1  jonathan 
    842   1.1  jonathan 	if (espx) {
    843   1.1  jonathan 		crde = crp->crp_desc;
    844   1.1  jonathan 		crda = crde->crd_next;
    845   1.1  jonathan 
    846   1.1  jonathan 		/* Encryption descriptor. */
    847   1.1  jonathan 		crde->crd_skip = skip + hlen;
    848   1.1  jonathan 		crde->crd_len = m->m_pkthdr.len - (skip + hlen + alen);
    849   1.1  jonathan 		crde->crd_flags = CRD_F_ENCRYPT;
    850   1.1  jonathan 		crde->crd_inject = skip + hlen - sav->ivlen;
    851   1.1  jonathan 
    852   1.1  jonathan 		/* Encryption operation. */
    853   1.1  jonathan 		crde->crd_alg = espx->type;
    854   1.1  jonathan 		crde->crd_key = _KEYBUF(sav->key_enc);
    855   1.1  jonathan 		crde->crd_klen = _KEYBITS(sav->key_enc);
    856   1.1  jonathan 		/* XXX Rounds ? */
    857   1.1  jonathan 	} else
    858   1.1  jonathan 		crda = crp->crp_desc;
    859   1.1  jonathan 
    860   1.1  jonathan 	/* IPsec-specific opaque crypto info. */
    861   1.1  jonathan 	tc = (struct tdb_crypto *) malloc(sizeof(struct tdb_crypto),
    862   1.1  jonathan 		M_XDATA, M_NOWAIT|M_ZERO);
    863   1.1  jonathan 	if (tc == NULL) {
    864   1.1  jonathan 		crypto_freereq(crp);
    865   1.1  jonathan 		DPRINTF(("esp_output: failed to allocate tdb_crypto\n"));
    866   1.1  jonathan 		espstat.esps_crypto++;
    867   1.1  jonathan 		error = ENOBUFS;
    868   1.1  jonathan 		goto bad;
    869   1.1  jonathan 	}
    870   1.1  jonathan 
    871   1.1  jonathan 	/* Callback parameters */
    872   1.1  jonathan 	tc->tc_isr = isr;
    873   1.1  jonathan 	tc->tc_spi = sav->spi;
    874   1.1  jonathan 	tc->tc_dst = saidx->dst;
    875   1.1  jonathan 	tc->tc_proto = saidx->proto;
    876   1.1  jonathan 
    877   1.1  jonathan 	/* Crypto operation descriptor. */
    878   1.1  jonathan 	crp->crp_ilen = m->m_pkthdr.len; /* Total input length. */
    879   1.1  jonathan 	crp->crp_flags = CRYPTO_F_IMBUF;
    880  1.13  christos 	crp->crp_buf = (void *) m;
    881   1.1  jonathan 	crp->crp_callback = esp_output_cb;
    882  1.13  christos 	crp->crp_opaque = (void *) tc;
    883   1.1  jonathan 	crp->crp_sid = sav->tdb_cryptoid;
    884   1.1  jonathan 
    885   1.1  jonathan 	if (esph) {
    886   1.1  jonathan 		/* Authentication descriptor. */
    887   1.1  jonathan 		crda->crd_skip = skip;
    888   1.1  jonathan 		crda->crd_len = m->m_pkthdr.len - (skip + alen);
    889   1.1  jonathan 		crda->crd_inject = m->m_pkthdr.len - alen;
    890   1.1  jonathan 
    891   1.1  jonathan 		/* Authentication operation. */
    892   1.1  jonathan 		crda->crd_alg = esph->type;
    893   1.1  jonathan 		crda->crd_key = _KEYBUF(sav->key_auth);
    894   1.1  jonathan 		crda->crd_klen = _KEYBITS(sav->key_auth);
    895   1.1  jonathan 	}
    896   1.1  jonathan 
    897   1.1  jonathan 	return crypto_dispatch(crp);
    898   1.1  jonathan bad:
    899   1.1  jonathan 	if (m)
    900   1.1  jonathan 		m_freem(m);
    901   1.1  jonathan 	return (error);
    902   1.1  jonathan }
    903   1.1  jonathan 
    904   1.1  jonathan /*
    905   1.1  jonathan  * ESP output callback from the crypto driver.
    906   1.1  jonathan  */
    907   1.1  jonathan static int
    908   1.1  jonathan esp_output_cb(struct cryptop *crp)
    909   1.1  jonathan {
    910   1.1  jonathan 	struct tdb_crypto *tc;
    911   1.1  jonathan 	struct ipsecrequest *isr;
    912   1.1  jonathan 	struct secasvar *sav;
    913   1.1  jonathan 	struct mbuf *m;
    914   1.1  jonathan 	int s, err, error;
    915   1.1  jonathan 
    916   1.1  jonathan 	tc = (struct tdb_crypto *) crp->crp_opaque;
    917   1.1  jonathan 	IPSEC_ASSERT(tc != NULL, ("esp_output_cb: null opaque data area!"));
    918   1.1  jonathan 	m = (struct mbuf *) crp->crp_buf;
    919   1.1  jonathan 
    920   1.1  jonathan 	s = splsoftnet();
    921   1.1  jonathan 
    922   1.1  jonathan 	isr = tc->tc_isr;
    923   1.1  jonathan 	sav = KEY_ALLOCSA(&tc->tc_dst, tc->tc_proto, tc->tc_spi);
    924   1.1  jonathan 	if (sav == NULL) {
    925   1.1  jonathan 		espstat.esps_notdb++;
    926   1.1  jonathan 		DPRINTF(("esp_output_cb: SA expired while in crypto "
    927   1.1  jonathan 		    "(SA %s/%08lx proto %u)\n", ipsec_address(&tc->tc_dst),
    928   1.1  jonathan 		    (u_long) ntohl(tc->tc_spi), tc->tc_proto));
    929   1.1  jonathan 		error = ENOBUFS;		/*XXX*/
    930   1.1  jonathan 		goto bad;
    931   1.1  jonathan 	}
    932   1.1  jonathan 	IPSEC_ASSERT(isr->sav == sav,
    933   1.1  jonathan 		("esp_output_cb: SA changed was %p now %p\n", isr->sav, sav));
    934   1.1  jonathan 
    935   1.1  jonathan 	/* Check for crypto errors. */
    936   1.1  jonathan 	if (crp->crp_etype) {
    937   1.1  jonathan 		/* Reset session ID. */
    938   1.1  jonathan 		if (sav->tdb_cryptoid != 0)
    939   1.1  jonathan 			sav->tdb_cryptoid = crp->crp_sid;
    940   1.1  jonathan 
    941   1.1  jonathan 		if (crp->crp_etype == EAGAIN) {
    942   1.1  jonathan 			KEY_FREESAV(&sav);
    943   1.1  jonathan 			splx(s);
    944   1.1  jonathan 			return crypto_dispatch(crp);
    945   1.1  jonathan 		}
    946   1.1  jonathan 
    947   1.1  jonathan 		espstat.esps_noxform++;
    948   1.1  jonathan 		DPRINTF(("esp_output_cb: crypto error %d\n", crp->crp_etype));
    949   1.1  jonathan 		error = crp->crp_etype;
    950   1.1  jonathan 		goto bad;
    951   1.1  jonathan 	}
    952   1.1  jonathan 
    953   1.1  jonathan 	/* Shouldn't happen... */
    954   1.1  jonathan 	if (m == NULL) {
    955   1.1  jonathan 		espstat.esps_crypto++;
    956   1.1  jonathan 		DPRINTF(("esp_output_cb: bogus returned buffer from crypto\n"));
    957   1.1  jonathan 		error = EINVAL;
    958   1.1  jonathan 		goto bad;
    959   1.1  jonathan 	}
    960   1.1  jonathan 	espstat.esps_hist[sav->alg_enc]++;
    961   1.1  jonathan 	if (sav->tdb_authalgxform != NULL)
    962   1.1  jonathan 		ahstat.ahs_hist[sav->alg_auth]++;
    963   1.1  jonathan 
    964   1.1  jonathan 	/* Release crypto descriptors. */
    965   1.1  jonathan 	free(tc, M_XDATA);
    966   1.1  jonathan 	crypto_freereq(crp);
    967   1.1  jonathan 
    968   1.9    rpaulo #ifdef IPSEC_DEBUG
    969   1.9    rpaulo 	/* Emulate man-in-the-middle attack when ipsec_integrity is TRUE. */
    970   1.9    rpaulo 	if (ipsec_integrity) {
    971   1.9    rpaulo 		static unsigned char ipseczeroes[AH_HMAC_HASHLEN];
    972   1.9    rpaulo 		struct auth_hash *esph;
    973   1.9    rpaulo 
    974   1.9    rpaulo 		/*
    975   1.9    rpaulo 		 * Corrupt HMAC if we want to test integrity verification of
    976   1.9    rpaulo 		 * the other side.
    977   1.9    rpaulo 		 */
    978   1.9    rpaulo 		esph = sav->tdb_authalgxform;
    979   1.9    rpaulo 		if (esph !=  NULL) {
    980   1.9    rpaulo 			m_copyback(m, m->m_pkthdr.len - AH_HMAC_HASHLEN,
    981   1.9    rpaulo 			    AH_HMAC_HASHLEN, ipseczeroes);
    982   1.9    rpaulo 		}
    983   1.9    rpaulo 	}
    984   1.9    rpaulo #endif
    985   1.9    rpaulo 
    986   1.1  jonathan 	/* NB: m is reclaimed by ipsec_process_done. */
    987   1.1  jonathan 	err = ipsec_process_done(m, isr);
    988   1.1  jonathan 	KEY_FREESAV(&sav);
    989   1.1  jonathan 	splx(s);
    990   1.1  jonathan 	return err;
    991   1.1  jonathan bad:
    992   1.1  jonathan 	if (sav)
    993   1.1  jonathan 		KEY_FREESAV(&sav);
    994   1.1  jonathan 	splx(s);
    995   1.1  jonathan 	if (m)
    996   1.1  jonathan 		m_freem(m);
    997   1.1  jonathan 	free(tc, M_XDATA);
    998   1.1  jonathan 	crypto_freereq(crp);
    999   1.1  jonathan 	return error;
   1000   1.1  jonathan }
   1001   1.1  jonathan 
   1002   1.1  jonathan static struct xformsw esp_xformsw = {
   1003   1.1  jonathan 	XF_ESP,		XFT_CONF|XFT_AUTH,	"IPsec ESP",
   1004   1.1  jonathan 	esp_init,	esp_zeroize,		esp_input,
   1005  1.11  christos 	esp_output,
   1006  1.11  christos 	NULL,
   1007   1.1  jonathan };
   1008   1.1  jonathan 
   1009   1.1  jonathan INITFN void
   1010   1.1  jonathan esp_attach(void)
   1011   1.1  jonathan {
   1012   1.1  jonathan #define	MAXIV(xform)					\
   1013   1.1  jonathan 	if (xform.blocksize > esp_max_ivlen)		\
   1014   1.1  jonathan 		esp_max_ivlen = xform.blocksize		\
   1015   1.1  jonathan 
   1016   1.1  jonathan 	esp_max_ivlen = 0;
   1017   1.1  jonathan 	MAXIV(enc_xform_des);		/* SADB_EALG_DESCBC */
   1018   1.1  jonathan 	MAXIV(enc_xform_3des);		/* SADB_EALG_3DESCBC */
   1019   1.1  jonathan 	MAXIV(enc_xform_rijndael128);	/* SADB_X_EALG_AES */
   1020   1.1  jonathan 	MAXIV(enc_xform_blf);		/* SADB_X_EALG_BLOWFISHCBC */
   1021   1.1  jonathan 	MAXIV(enc_xform_cast5);		/* SADB_X_EALG_CAST128CBC */
   1022   1.1  jonathan 	MAXIV(enc_xform_skipjack);	/* SADB_X_EALG_SKIPJACK */
   1023   1.1  jonathan 	MAXIV(enc_xform_null);		/* SADB_EALG_NULL */
   1024   1.1  jonathan 
   1025   1.1  jonathan 	xform_register(&esp_xformsw);
   1026   1.1  jonathan #undef MAXIV
   1027   1.1  jonathan }
   1028   1.1  jonathan #ifdef __FreeBSD__
   1029   1.1  jonathan SYSINIT(esp_xform_init, SI_SUB_DRIVERS, SI_ORDER_FIRST, esp_attach, NULL)
   1030   1.1  jonathan #else
   1031   1.1  jonathan #endif
   1032