xform_esp.c revision 1.16 1 1.16 degroote /* $NetBSD: xform_esp.c,v 1.16 2007/06/27 20:38:33 degroote Exp $ */
2 1.1 jonathan /* $FreeBSD: src/sys/netipsec/xform_esp.c,v 1.2.2.1 2003/01/24 05:11:36 sam Exp $ */
3 1.1 jonathan /* $OpenBSD: ip_esp.c,v 1.69 2001/06/26 06:18:59 angelos Exp $ */
4 1.1 jonathan
5 1.1 jonathan /*
6 1.1 jonathan * The authors of this code are John Ioannidis (ji (at) tla.org),
7 1.1 jonathan * Angelos D. Keromytis (kermit (at) csd.uch.gr) and
8 1.1 jonathan * Niels Provos (provos (at) physnet.uni-hamburg.de).
9 1.1 jonathan *
10 1.1 jonathan * The original version of this code was written by John Ioannidis
11 1.1 jonathan * for BSD/OS in Athens, Greece, in November 1995.
12 1.1 jonathan *
13 1.1 jonathan * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996,
14 1.1 jonathan * by Angelos D. Keromytis.
15 1.1 jonathan *
16 1.1 jonathan * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis
17 1.1 jonathan * and Niels Provos.
18 1.1 jonathan *
19 1.1 jonathan * Additional features in 1999 by Angelos D. Keromytis.
20 1.1 jonathan *
21 1.1 jonathan * Copyright (C) 1995, 1996, 1997, 1998, 1999 by John Ioannidis,
22 1.1 jonathan * Angelos D. Keromytis and Niels Provos.
23 1.1 jonathan * Copyright (c) 2001 Angelos D. Keromytis.
24 1.1 jonathan *
25 1.1 jonathan * Permission to use, copy, and modify this software with or without fee
26 1.1 jonathan * is hereby granted, provided that this entire notice is included in
27 1.1 jonathan * all copies of any software which is or includes a copy or
28 1.1 jonathan * modification of this software.
29 1.1 jonathan * You may use this code under the GNU public license if you so wish. Please
30 1.1 jonathan * contribute changes back to the authors under this freer than GPL license
31 1.1 jonathan * so that we may further the use of strong encryption without limitations to
32 1.1 jonathan * all.
33 1.1 jonathan *
34 1.1 jonathan * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
35 1.1 jonathan * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY
36 1.1 jonathan * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
37 1.1 jonathan * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
38 1.1 jonathan * PURPOSE.
39 1.1 jonathan */
40 1.1 jonathan
41 1.1 jonathan #include <sys/cdefs.h>
42 1.16 degroote __KERNEL_RCSID(0, "$NetBSD: xform_esp.c,v 1.16 2007/06/27 20:38:33 degroote Exp $");
43 1.1 jonathan
44 1.1 jonathan #include "opt_inet.h"
45 1.2 jonathan #ifdef __FreeBSD__
46 1.1 jonathan #include "opt_inet6.h"
47 1.2 jonathan #endif
48 1.1 jonathan
49 1.1 jonathan #include <sys/param.h>
50 1.1 jonathan #include <sys/systm.h>
51 1.1 jonathan #include <sys/mbuf.h>
52 1.1 jonathan #include <sys/socket.h>
53 1.1 jonathan #include <sys/syslog.h>
54 1.1 jonathan #include <sys/kernel.h>
55 1.1 jonathan /*#include <sys/random.h>*/
56 1.1 jonathan #include <sys/sysctl.h>
57 1.1 jonathan
58 1.1 jonathan #include <net/if.h>
59 1.1 jonathan
60 1.1 jonathan #include <netinet/in.h>
61 1.1 jonathan #include <netinet/in_systm.h>
62 1.1 jonathan #include <netinet/ip.h>
63 1.1 jonathan #include <netinet/ip_ecn.h>
64 1.1 jonathan #include <netinet/ip6.h>
65 1.1 jonathan
66 1.1 jonathan #include <net/route.h>
67 1.1 jonathan #include <netipsec/ipsec.h>
68 1.1 jonathan #include <netipsec/ah.h>
69 1.1 jonathan #include <netipsec/ah_var.h>
70 1.1 jonathan #include <netipsec/esp.h>
71 1.1 jonathan #include <netipsec/esp_var.h>
72 1.1 jonathan #include <netipsec/xform.h>
73 1.1 jonathan
74 1.1 jonathan #ifdef INET6
75 1.1 jonathan #include <netinet6/ip6_var.h>
76 1.1 jonathan #include <netipsec/ipsec6.h>
77 1.5 jonathan # ifdef __FreeBSD__
78 1.5 jonathan # include <netinet6/ip6_ecn.h>
79 1.5 jonathan # endif
80 1.1 jonathan #endif
81 1.1 jonathan
82 1.4 tls #include <netipsec/key.h>
83 1.4 tls #include <netipsec/key_debug.h>
84 1.1 jonathan
85 1.1 jonathan #include <netipsec/ipsec_osdep.h>
86 1.1 jonathan
87 1.1 jonathan #include <opencrypto/cryptodev.h>
88 1.1 jonathan #include <opencrypto/xform.h>
89 1.1 jonathan
90 1.1 jonathan int esp_enable = 1;
91 1.1 jonathan struct espstat espstat;
92 1.1 jonathan
93 1.1 jonathan #ifdef __FreeBSD__
94 1.1 jonathan SYSCTL_DECL(_net_inet_esp);
95 1.1 jonathan SYSCTL_INT(_net_inet_esp, OID_AUTO,
96 1.1 jonathan esp_enable, CTLFLAG_RW, &esp_enable, 0, "");
97 1.1 jonathan SYSCTL_STRUCT(_net_inet_esp, IPSECCTL_STATS,
98 1.1 jonathan stats, CTLFLAG_RD, &espstat, espstat, "");
99 1.4 tls #endif /* __FreeBSD__ */
100 1.1 jonathan
101 1.1 jonathan static int esp_max_ivlen; /* max iv length over all algorithms */
102 1.1 jonathan
103 1.1 jonathan static int esp_input_cb(struct cryptop *op);
104 1.1 jonathan static int esp_output_cb(struct cryptop *crp);
105 1.1 jonathan
106 1.1 jonathan /*
107 1.1 jonathan * NB: this is public for use by the PF_KEY support.
108 1.1 jonathan * NB: if you add support here; be sure to add code to esp_attach below!
109 1.1 jonathan */
110 1.1 jonathan struct enc_xform *
111 1.1 jonathan esp_algorithm_lookup(int alg)
112 1.1 jonathan {
113 1.1 jonathan if (alg >= ESP_ALG_MAX)
114 1.1 jonathan return NULL;
115 1.1 jonathan switch (alg) {
116 1.1 jonathan case SADB_EALG_DESCBC:
117 1.1 jonathan return &enc_xform_des;
118 1.1 jonathan case SADB_EALG_3DESCBC:
119 1.1 jonathan return &enc_xform_3des;
120 1.1 jonathan case SADB_X_EALG_AES:
121 1.1 jonathan return &enc_xform_rijndael128;
122 1.1 jonathan case SADB_X_EALG_BLOWFISHCBC:
123 1.1 jonathan return &enc_xform_blf;
124 1.1 jonathan case SADB_X_EALG_CAST128CBC:
125 1.1 jonathan return &enc_xform_cast5;
126 1.1 jonathan case SADB_X_EALG_SKIPJACK:
127 1.1 jonathan return &enc_xform_skipjack;
128 1.1 jonathan case SADB_EALG_NULL:
129 1.1 jonathan return &enc_xform_null;
130 1.1 jonathan }
131 1.1 jonathan return NULL;
132 1.1 jonathan }
133 1.1 jonathan
134 1.1 jonathan size_t
135 1.1 jonathan esp_hdrsiz(struct secasvar *sav)
136 1.1 jonathan {
137 1.1 jonathan size_t size;
138 1.1 jonathan
139 1.1 jonathan if (sav != NULL) {
140 1.1 jonathan /*XXX not right for null algorithm--does it matter??*/
141 1.1 jonathan IPSEC_ASSERT(sav->tdb_encalgxform != NULL,
142 1.1 jonathan ("esp_hdrsiz: SA with null xform"));
143 1.1 jonathan if (sav->flags & SADB_X_EXT_OLD)
144 1.1 jonathan size = sizeof (struct esp);
145 1.1 jonathan else
146 1.1 jonathan size = sizeof (struct newesp);
147 1.1 jonathan size += sav->tdb_encalgxform->blocksize + 9;
148 1.1 jonathan /*XXX need alg check???*/
149 1.1 jonathan if (sav->tdb_authalgxform != NULL && sav->replay)
150 1.1 jonathan size += ah_hdrsiz(sav);
151 1.1 jonathan } else {
152 1.1 jonathan /*
153 1.1 jonathan * base header size
154 1.1 jonathan * + max iv length for CBC mode
155 1.1 jonathan * + max pad length
156 1.1 jonathan * + sizeof (pad length field)
157 1.1 jonathan * + sizeof (next header field)
158 1.1 jonathan * + max icv supported.
159 1.1 jonathan */
160 1.1 jonathan size = sizeof (struct newesp) + esp_max_ivlen + 9 + 16;
161 1.1 jonathan }
162 1.1 jonathan return size;
163 1.1 jonathan }
164 1.1 jonathan
165 1.1 jonathan /*
166 1.1 jonathan * esp_init() is called when an SPI is being set up.
167 1.1 jonathan */
168 1.1 jonathan static int
169 1.1 jonathan esp_init(struct secasvar *sav, struct xformsw *xsp)
170 1.1 jonathan {
171 1.1 jonathan struct enc_xform *txform;
172 1.1 jonathan struct cryptoini cria, crie;
173 1.1 jonathan int keylen;
174 1.1 jonathan int error;
175 1.1 jonathan
176 1.1 jonathan txform = esp_algorithm_lookup(sav->alg_enc);
177 1.1 jonathan if (txform == NULL) {
178 1.1 jonathan DPRINTF(("esp_init: unsupported encryption algorithm %d\n",
179 1.1 jonathan sav->alg_enc));
180 1.1 jonathan return EINVAL;
181 1.1 jonathan }
182 1.1 jonathan if (sav->key_enc == NULL) {
183 1.1 jonathan DPRINTF(("esp_init: no encoding key for %s algorithm\n",
184 1.1 jonathan txform->name));
185 1.1 jonathan return EINVAL;
186 1.1 jonathan }
187 1.1 jonathan if ((sav->flags&(SADB_X_EXT_OLD|SADB_X_EXT_IV4B)) == SADB_X_EXT_IV4B) {
188 1.1 jonathan DPRINTF(("esp_init: 4-byte IV not supported with protocol\n"));
189 1.1 jonathan return EINVAL;
190 1.1 jonathan }
191 1.1 jonathan keylen = _KEYLEN(sav->key_enc);
192 1.1 jonathan if (txform->minkey > keylen || keylen > txform->maxkey) {
193 1.1 jonathan DPRINTF(("esp_init: invalid key length %u, must be in "
194 1.1 jonathan "the range [%u..%u] for algorithm %s\n",
195 1.1 jonathan keylen, txform->minkey, txform->maxkey,
196 1.1 jonathan txform->name));
197 1.1 jonathan return EINVAL;
198 1.1 jonathan }
199 1.1 jonathan
200 1.1 jonathan /*
201 1.1 jonathan * NB: The null xform needs a non-zero blocksize to keep the
202 1.1 jonathan * crypto code happy but if we use it to set ivlen then
203 1.1 jonathan * the ESP header will be processed incorrectly. The
204 1.1 jonathan * compromise is to force it to zero here.
205 1.1 jonathan */
206 1.1 jonathan sav->ivlen = (txform == &enc_xform_null ? 0 : txform->blocksize);
207 1.15 degroote sav->iv = malloc(sav->ivlen, M_SECA, M_WAITOK);
208 1.1 jonathan if (sav->iv == NULL) {
209 1.1 jonathan DPRINTF(("esp_init: no memory for IV\n"));
210 1.1 jonathan return EINVAL;
211 1.1 jonathan }
212 1.1 jonathan key_randomfill(sav->iv, sav->ivlen); /*XXX*/
213 1.1 jonathan
214 1.1 jonathan /*
215 1.1 jonathan * Setup AH-related state.
216 1.1 jonathan */
217 1.1 jonathan if (sav->alg_auth != 0) {
218 1.1 jonathan error = ah_init0(sav, xsp, &cria);
219 1.1 jonathan if (error)
220 1.1 jonathan return error;
221 1.1 jonathan }
222 1.1 jonathan
223 1.1 jonathan /* NB: override anything set in ah_init0 */
224 1.1 jonathan sav->tdb_xform = xsp;
225 1.1 jonathan sav->tdb_encalgxform = txform;
226 1.1 jonathan
227 1.1 jonathan /* Initialize crypto session. */
228 1.1 jonathan bzero(&crie, sizeof (crie));
229 1.1 jonathan crie.cri_alg = sav->tdb_encalgxform->type;
230 1.1 jonathan crie.cri_klen = _KEYBITS(sav->key_enc);
231 1.1 jonathan crie.cri_key = _KEYBUF(sav->key_enc);
232 1.1 jonathan /* XXX Rounds ? */
233 1.1 jonathan
234 1.1 jonathan if (sav->tdb_authalgxform && sav->tdb_encalgxform) {
235 1.1 jonathan /* init both auth & enc */
236 1.1 jonathan crie.cri_next = &cria;
237 1.1 jonathan error = crypto_newsession(&sav->tdb_cryptoid,
238 1.1 jonathan &crie, crypto_support);
239 1.1 jonathan } else if (sav->tdb_encalgxform) {
240 1.1 jonathan error = crypto_newsession(&sav->tdb_cryptoid,
241 1.1 jonathan &crie, crypto_support);
242 1.1 jonathan } else if (sav->tdb_authalgxform) {
243 1.1 jonathan error = crypto_newsession(&sav->tdb_cryptoid,
244 1.1 jonathan &cria, crypto_support);
245 1.1 jonathan } else {
246 1.1 jonathan /* XXX cannot happen? */
247 1.1 jonathan DPRINTF(("esp_init: no encoding OR authentication xform!\n"));
248 1.1 jonathan error = EINVAL;
249 1.1 jonathan }
250 1.1 jonathan return error;
251 1.1 jonathan }
252 1.1 jonathan
253 1.1 jonathan /*
254 1.1 jonathan * Paranoia.
255 1.1 jonathan */
256 1.1 jonathan static int
257 1.1 jonathan esp_zeroize(struct secasvar *sav)
258 1.1 jonathan {
259 1.1 jonathan /* NB: ah_zerorize free's the crypto session state */
260 1.1 jonathan int error = ah_zeroize(sav);
261 1.1 jonathan
262 1.1 jonathan if (sav->key_enc)
263 1.1 jonathan bzero(_KEYBUF(sav->key_enc), _KEYLEN(sav->key_enc));
264 1.1 jonathan /* NB: sav->iv is freed elsewhere, even though we malloc it! */
265 1.1 jonathan sav->tdb_encalgxform = NULL;
266 1.1 jonathan sav->tdb_xform = NULL;
267 1.1 jonathan return error;
268 1.1 jonathan }
269 1.1 jonathan
270 1.1 jonathan /*
271 1.1 jonathan * ESP input processing, called (eventually) through the protocol switch.
272 1.1 jonathan */
273 1.1 jonathan static int
274 1.1 jonathan esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
275 1.1 jonathan {
276 1.1 jonathan struct auth_hash *esph;
277 1.1 jonathan struct enc_xform *espx;
278 1.1 jonathan struct tdb_ident *tdbi;
279 1.1 jonathan struct tdb_crypto *tc;
280 1.1 jonathan int plen, alen, hlen;
281 1.1 jonathan struct m_tag *mtag;
282 1.1 jonathan struct newesp *esp;
283 1.1 jonathan
284 1.1 jonathan struct cryptodesc *crde;
285 1.1 jonathan struct cryptop *crp;
286 1.1 jonathan
287 1.1 jonathan IPSEC_SPLASSERT_SOFTNET("esp_input");
288 1.1 jonathan
289 1.1 jonathan IPSEC_ASSERT(sav != NULL, ("esp_input: null SA"));
290 1.1 jonathan IPSEC_ASSERT(sav->tdb_encalgxform != NULL,
291 1.1 jonathan ("esp_input: null encoding xform"));
292 1.1 jonathan IPSEC_ASSERT((skip&3) == 0 && (m->m_pkthdr.len&3) == 0,
293 1.1 jonathan ("esp_input: misaligned packet, skip %u pkt len %u",
294 1.1 jonathan skip, m->m_pkthdr.len));
295 1.1 jonathan
296 1.1 jonathan /* XXX don't pullup, just copy header */
297 1.1 jonathan IP6_EXTHDR_GET(esp, struct newesp *, m, skip, sizeof (struct newesp));
298 1.1 jonathan
299 1.1 jonathan esph = sav->tdb_authalgxform;
300 1.1 jonathan espx = sav->tdb_encalgxform;
301 1.1 jonathan
302 1.1 jonathan /* Determine the ESP header length */
303 1.1 jonathan if (sav->flags & SADB_X_EXT_OLD)
304 1.1 jonathan hlen = sizeof (struct esp) + sav->ivlen;
305 1.1 jonathan else
306 1.1 jonathan hlen = sizeof (struct newesp) + sav->ivlen;
307 1.1 jonathan /* Authenticator hash size */
308 1.1 jonathan alen = esph ? AH_HMAC_HASHLEN : 0;
309 1.1 jonathan
310 1.1 jonathan /*
311 1.1 jonathan * Verify payload length is multiple of encryption algorithm
312 1.1 jonathan * block size.
313 1.1 jonathan *
314 1.1 jonathan * NB: This works for the null algorithm because the blocksize
315 1.1 jonathan * is 4 and all packets must be 4-byte aligned regardless
316 1.1 jonathan * of the algorithm.
317 1.1 jonathan */
318 1.1 jonathan plen = m->m_pkthdr.len - (skip + hlen + alen);
319 1.1 jonathan if ((plen & (espx->blocksize - 1)) || (plen <= 0)) {
320 1.1 jonathan DPRINTF(("esp_input: "
321 1.1 jonathan "payload of %d octets not a multiple of %d octets,"
322 1.1 jonathan " SA %s/%08lx\n",
323 1.1 jonathan plen, espx->blocksize,
324 1.1 jonathan ipsec_address(&sav->sah->saidx.dst),
325 1.1 jonathan (u_long) ntohl(sav->spi)));
326 1.1 jonathan espstat.esps_badilen++;
327 1.1 jonathan m_freem(m);
328 1.1 jonathan return EINVAL;
329 1.1 jonathan }
330 1.1 jonathan
331 1.1 jonathan /*
332 1.1 jonathan * Check sequence number.
333 1.1 jonathan */
334 1.1 jonathan if (esph && sav->replay && !ipsec_chkreplay(ntohl(esp->esp_seq), sav)) {
335 1.1 jonathan DPRINTF(("esp_input: packet replay check for %s\n",
336 1.1 jonathan ipsec_logsastr(sav))); /*XXX*/
337 1.1 jonathan espstat.esps_replay++;
338 1.1 jonathan m_freem(m);
339 1.1 jonathan return ENOBUFS; /*XXX*/
340 1.1 jonathan }
341 1.1 jonathan
342 1.1 jonathan /* Update the counters */
343 1.1 jonathan espstat.esps_ibytes += m->m_pkthdr.len - skip - hlen - alen;
344 1.1 jonathan
345 1.1 jonathan /* Find out if we've already done crypto */
346 1.1 jonathan for (mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_CRYPTO_DONE, NULL);
347 1.1 jonathan mtag != NULL;
348 1.1 jonathan mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_CRYPTO_DONE, mtag)) {
349 1.1 jonathan tdbi = (struct tdb_ident *) (mtag + 1);
350 1.1 jonathan if (tdbi->proto == sav->sah->saidx.proto &&
351 1.1 jonathan tdbi->spi == sav->spi &&
352 1.1 jonathan !bcmp(&tdbi->dst, &sav->sah->saidx.dst,
353 1.1 jonathan sizeof(union sockaddr_union)))
354 1.1 jonathan break;
355 1.1 jonathan }
356 1.1 jonathan
357 1.1 jonathan /* Get crypto descriptors */
358 1.1 jonathan crp = crypto_getreq(esph && espx ? 2 : 1);
359 1.1 jonathan if (crp == NULL) {
360 1.1 jonathan DPRINTF(("esp_input: failed to acquire crypto descriptors\n"));
361 1.1 jonathan espstat.esps_crypto++;
362 1.1 jonathan m_freem(m);
363 1.1 jonathan return ENOBUFS;
364 1.1 jonathan }
365 1.1 jonathan
366 1.1 jonathan /* Get IPsec-specific opaque pointer */
367 1.1 jonathan if (esph == NULL || mtag != NULL)
368 1.1 jonathan tc = (struct tdb_crypto *) malloc(sizeof(struct tdb_crypto),
369 1.1 jonathan M_XDATA, M_NOWAIT|M_ZERO);
370 1.1 jonathan else
371 1.1 jonathan tc = (struct tdb_crypto *) malloc(sizeof(struct tdb_crypto) + alen,
372 1.1 jonathan M_XDATA, M_NOWAIT|M_ZERO);
373 1.1 jonathan if (tc == NULL) {
374 1.1 jonathan crypto_freereq(crp);
375 1.1 jonathan DPRINTF(("esp_input: failed to allocate tdb_crypto\n"));
376 1.1 jonathan espstat.esps_crypto++;
377 1.1 jonathan m_freem(m);
378 1.1 jonathan return ENOBUFS;
379 1.1 jonathan }
380 1.1 jonathan
381 1.15 degroote tc->tc_ptr = mtag;
382 1.1 jonathan
383 1.1 jonathan if (esph) {
384 1.1 jonathan struct cryptodesc *crda = crp->crp_desc;
385 1.1 jonathan
386 1.1 jonathan IPSEC_ASSERT(crda != NULL, ("esp_input: null ah crypto descriptor"));
387 1.1 jonathan
388 1.1 jonathan /* Authentication descriptor */
389 1.1 jonathan crda->crd_skip = skip;
390 1.1 jonathan crda->crd_len = m->m_pkthdr.len - (skip + alen);
391 1.1 jonathan crda->crd_inject = m->m_pkthdr.len - alen;
392 1.1 jonathan
393 1.1 jonathan crda->crd_alg = esph->type;
394 1.1 jonathan crda->crd_key = _KEYBUF(sav->key_auth);
395 1.1 jonathan crda->crd_klen = _KEYBITS(sav->key_auth);
396 1.1 jonathan
397 1.1 jonathan /* Copy the authenticator */
398 1.1 jonathan if (mtag == NULL)
399 1.1 jonathan m_copydata(m, m->m_pkthdr.len - alen, alen,
400 1.15 degroote (tc + 1));
401 1.1 jonathan
402 1.1 jonathan /* Chain authentication request */
403 1.1 jonathan crde = crda->crd_next;
404 1.1 jonathan } else {
405 1.1 jonathan crde = crp->crp_desc;
406 1.1 jonathan }
407 1.1 jonathan
408 1.1 jonathan /* Crypto operation descriptor */
409 1.1 jonathan crp->crp_ilen = m->m_pkthdr.len; /* Total input length */
410 1.1 jonathan crp->crp_flags = CRYPTO_F_IMBUF;
411 1.15 degroote crp->crp_buf = m;
412 1.1 jonathan crp->crp_callback = esp_input_cb;
413 1.1 jonathan crp->crp_sid = sav->tdb_cryptoid;
414 1.15 degroote crp->crp_opaque = tc;
415 1.1 jonathan
416 1.1 jonathan /* These are passed as-is to the callback */
417 1.1 jonathan tc->tc_spi = sav->spi;
418 1.1 jonathan tc->tc_dst = sav->sah->saidx.dst;
419 1.1 jonathan tc->tc_proto = sav->sah->saidx.proto;
420 1.1 jonathan tc->tc_protoff = protoff;
421 1.1 jonathan tc->tc_skip = skip;
422 1.1 jonathan
423 1.1 jonathan /* Decryption descriptor */
424 1.1 jonathan if (espx) {
425 1.1 jonathan IPSEC_ASSERT(crde != NULL, ("esp_input: null esp crypto descriptor"));
426 1.1 jonathan crde->crd_skip = skip + hlen;
427 1.1 jonathan crde->crd_len = m->m_pkthdr.len - (skip + hlen + alen);
428 1.1 jonathan crde->crd_inject = skip + hlen - sav->ivlen;
429 1.1 jonathan
430 1.1 jonathan crde->crd_alg = espx->type;
431 1.1 jonathan crde->crd_key = _KEYBUF(sav->key_enc);
432 1.1 jonathan crde->crd_klen = _KEYBITS(sav->key_enc);
433 1.1 jonathan /* XXX Rounds ? */
434 1.1 jonathan }
435 1.1 jonathan
436 1.1 jonathan if (mtag == NULL)
437 1.1 jonathan return crypto_dispatch(crp);
438 1.1 jonathan else
439 1.1 jonathan return esp_input_cb(crp);
440 1.1 jonathan }
441 1.1 jonathan
442 1.1 jonathan #ifdef INET6
443 1.1 jonathan #define IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff, mtag) do { \
444 1.1 jonathan if (saidx->dst.sa.sa_family == AF_INET6) { \
445 1.1 jonathan error = ipsec6_common_input_cb(m, sav, skip, protoff, mtag); \
446 1.1 jonathan } else { \
447 1.1 jonathan error = ipsec4_common_input_cb(m, sav, skip, protoff, mtag); \
448 1.1 jonathan } \
449 1.1 jonathan } while (0)
450 1.1 jonathan #else
451 1.1 jonathan #define IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff, mtag) \
452 1.1 jonathan (error = ipsec4_common_input_cb(m, sav, skip, protoff, mtag))
453 1.1 jonathan #endif
454 1.1 jonathan
455 1.1 jonathan /*
456 1.1 jonathan * ESP input callback from the crypto driver.
457 1.1 jonathan */
458 1.1 jonathan static int
459 1.1 jonathan esp_input_cb(struct cryptop *crp)
460 1.1 jonathan {
461 1.1 jonathan u_int8_t lastthree[3], aalg[AH_HMAC_HASHLEN];
462 1.1 jonathan int s, hlen, skip, protoff, error;
463 1.1 jonathan struct mbuf *m;
464 1.1 jonathan struct cryptodesc *crd;
465 1.1 jonathan struct auth_hash *esph;
466 1.1 jonathan struct enc_xform *espx;
467 1.1 jonathan struct tdb_crypto *tc;
468 1.1 jonathan struct m_tag *mtag;
469 1.1 jonathan struct secasvar *sav;
470 1.1 jonathan struct secasindex *saidx;
471 1.13 christos void *ptr;
472 1.16 degroote u_int16_t dport = 0;
473 1.16 degroote u_int16_t sport = 0;
474 1.16 degroote #ifdef IPSEC_NAT_T
475 1.16 degroote struct m_tag * tag = NULL;
476 1.16 degroote #endif
477 1.1 jonathan
478 1.1 jonathan crd = crp->crp_desc;
479 1.1 jonathan IPSEC_ASSERT(crd != NULL, ("esp_input_cb: null crypto descriptor!"));
480 1.1 jonathan
481 1.1 jonathan tc = (struct tdb_crypto *) crp->crp_opaque;
482 1.1 jonathan IPSEC_ASSERT(tc != NULL, ("esp_input_cb: null opaque crypto data area!"));
483 1.1 jonathan skip = tc->tc_skip;
484 1.1 jonathan protoff = tc->tc_protoff;
485 1.1 jonathan mtag = (struct m_tag *) tc->tc_ptr;
486 1.1 jonathan m = (struct mbuf *) crp->crp_buf;
487 1.1 jonathan
488 1.16 degroote #ifdef IPSEC_NAT_T
489 1.16 degroote /* find the source port for NAT-T */
490 1.16 degroote if ((tag = m_tag_find(m, PACKET_TAG_IPSEC_NAT_T_PORTS, NULL))) {
491 1.16 degroote sport = ((u_int16_t *)(tag + 1))[0];
492 1.16 degroote dport = ((u_int16_t *)(tag + 1))[1];
493 1.16 degroote }
494 1.16 degroote #endif
495 1.16 degroote
496 1.1 jonathan s = splsoftnet();
497 1.1 jonathan
498 1.16 degroote sav = KEY_ALLOCSA(&tc->tc_dst, tc->tc_proto, tc->tc_spi, sport, dport);
499 1.1 jonathan if (sav == NULL) {
500 1.1 jonathan espstat.esps_notdb++;
501 1.1 jonathan DPRINTF(("esp_input_cb: SA expired while in crypto "
502 1.1 jonathan "(SA %s/%08lx proto %u)\n", ipsec_address(&tc->tc_dst),
503 1.1 jonathan (u_long) ntohl(tc->tc_spi), tc->tc_proto));
504 1.1 jonathan error = ENOBUFS; /*XXX*/
505 1.1 jonathan goto bad;
506 1.1 jonathan }
507 1.1 jonathan
508 1.1 jonathan saidx = &sav->sah->saidx;
509 1.1 jonathan IPSEC_ASSERT(saidx->dst.sa.sa_family == AF_INET ||
510 1.1 jonathan saidx->dst.sa.sa_family == AF_INET6,
511 1.1 jonathan ("ah_input_cb: unexpected protocol family %u",
512 1.1 jonathan saidx->dst.sa.sa_family));
513 1.1 jonathan
514 1.1 jonathan esph = sav->tdb_authalgxform;
515 1.1 jonathan espx = sav->tdb_encalgxform;
516 1.1 jonathan
517 1.1 jonathan /* Check for crypto errors */
518 1.1 jonathan if (crp->crp_etype) {
519 1.1 jonathan /* Reset the session ID */
520 1.1 jonathan if (sav->tdb_cryptoid != 0)
521 1.1 jonathan sav->tdb_cryptoid = crp->crp_sid;
522 1.1 jonathan
523 1.1 jonathan if (crp->crp_etype == EAGAIN) {
524 1.1 jonathan KEY_FREESAV(&sav);
525 1.1 jonathan splx(s);
526 1.1 jonathan return crypto_dispatch(crp);
527 1.1 jonathan }
528 1.1 jonathan
529 1.1 jonathan espstat.esps_noxform++;
530 1.1 jonathan DPRINTF(("esp_input_cb: crypto error %d\n", crp->crp_etype));
531 1.1 jonathan error = crp->crp_etype;
532 1.1 jonathan goto bad;
533 1.1 jonathan }
534 1.1 jonathan
535 1.1 jonathan /* Shouldn't happen... */
536 1.1 jonathan if (m == NULL) {
537 1.1 jonathan espstat.esps_crypto++;
538 1.1 jonathan DPRINTF(("esp_input_cb: bogus returned buffer from crypto\n"));
539 1.1 jonathan error = EINVAL;
540 1.1 jonathan goto bad;
541 1.1 jonathan }
542 1.1 jonathan espstat.esps_hist[sav->alg_enc]++;
543 1.1 jonathan
544 1.1 jonathan /* If authentication was performed, check now. */
545 1.1 jonathan if (esph != NULL) {
546 1.1 jonathan /*
547 1.1 jonathan * If we have a tag, it means an IPsec-aware NIC did
548 1.1 jonathan * the verification for us. Otherwise we need to
549 1.1 jonathan * check the authentication calculation.
550 1.1 jonathan */
551 1.1 jonathan ahstat.ahs_hist[sav->alg_auth]++;
552 1.1 jonathan if (mtag == NULL) {
553 1.1 jonathan /* Copy the authenticator from the packet */
554 1.1 jonathan m_copydata(m, m->m_pkthdr.len - esph->authsize,
555 1.1 jonathan esph->authsize, aalg);
556 1.1 jonathan
557 1.15 degroote ptr = (tc + 1);
558 1.1 jonathan
559 1.1 jonathan /* Verify authenticator */
560 1.1 jonathan if (bcmp(ptr, aalg, esph->authsize) != 0) {
561 1.1 jonathan DPRINTF(("esp_input_cb: "
562 1.1 jonathan "authentication hash mismatch for packet in SA %s/%08lx\n",
563 1.1 jonathan ipsec_address(&saidx->dst),
564 1.1 jonathan (u_long) ntohl(sav->spi)));
565 1.1 jonathan espstat.esps_badauth++;
566 1.1 jonathan error = EACCES;
567 1.1 jonathan goto bad;
568 1.1 jonathan }
569 1.1 jonathan }
570 1.1 jonathan
571 1.1 jonathan /* Remove trailing authenticator */
572 1.1 jonathan m_adj(m, -(esph->authsize));
573 1.1 jonathan }
574 1.1 jonathan
575 1.1 jonathan /* Release the crypto descriptors */
576 1.1 jonathan free(tc, M_XDATA), tc = NULL;
577 1.1 jonathan crypto_freereq(crp), crp = NULL;
578 1.1 jonathan
579 1.1 jonathan /*
580 1.1 jonathan * Packet is now decrypted.
581 1.1 jonathan */
582 1.1 jonathan m->m_flags |= M_DECRYPTED;
583 1.1 jonathan
584 1.8 rpaulo /*
585 1.8 rpaulo * Update replay sequence number, if appropriate.
586 1.8 rpaulo */
587 1.8 rpaulo if (sav->replay) {
588 1.8 rpaulo u_int32_t seq;
589 1.8 rpaulo
590 1.8 rpaulo m_copydata(m, skip + offsetof(struct newesp, esp_seq),
591 1.15 degroote sizeof (seq), &seq);
592 1.8 rpaulo if (ipsec_updatereplay(ntohl(seq), sav)) {
593 1.8 rpaulo DPRINTF(("%s: packet replay check for %s\n", __func__,
594 1.8 rpaulo ipsec_logsastr(sav)));
595 1.8 rpaulo espstat.esps_replay++;
596 1.8 rpaulo error = ENOBUFS;
597 1.8 rpaulo goto bad;
598 1.8 rpaulo }
599 1.8 rpaulo }
600 1.8 rpaulo
601 1.1 jonathan /* Determine the ESP header length */
602 1.1 jonathan if (sav->flags & SADB_X_EXT_OLD)
603 1.1 jonathan hlen = sizeof (struct esp) + sav->ivlen;
604 1.1 jonathan else
605 1.1 jonathan hlen = sizeof (struct newesp) + sav->ivlen;
606 1.1 jonathan
607 1.1 jonathan /* Remove the ESP header and IV from the mbuf. */
608 1.1 jonathan error = m_striphdr(m, skip, hlen);
609 1.1 jonathan if (error) {
610 1.1 jonathan espstat.esps_hdrops++;
611 1.1 jonathan DPRINTF(("esp_input_cb: bad mbuf chain, SA %s/%08lx\n",
612 1.1 jonathan ipsec_address(&sav->sah->saidx.dst),
613 1.1 jonathan (u_long) ntohl(sav->spi)));
614 1.1 jonathan goto bad;
615 1.1 jonathan }
616 1.1 jonathan
617 1.1 jonathan /* Save the last three bytes of decrypted data */
618 1.1 jonathan m_copydata(m, m->m_pkthdr.len - 3, 3, lastthree);
619 1.1 jonathan
620 1.1 jonathan /* Verify pad length */
621 1.1 jonathan if (lastthree[1] + 2 > m->m_pkthdr.len - skip) {
622 1.1 jonathan espstat.esps_badilen++;
623 1.1 jonathan DPRINTF(("esp_input_cb: invalid padding length %d "
624 1.1 jonathan "for %u byte packet in SA %s/%08lx\n",
625 1.1 jonathan lastthree[1], m->m_pkthdr.len - skip,
626 1.1 jonathan ipsec_address(&sav->sah->saidx.dst),
627 1.1 jonathan (u_long) ntohl(sav->spi)));
628 1.1 jonathan error = EINVAL;
629 1.1 jonathan goto bad;
630 1.1 jonathan }
631 1.1 jonathan
632 1.1 jonathan /* Verify correct decryption by checking the last padding bytes */
633 1.1 jonathan if ((sav->flags & SADB_X_EXT_PMASK) != SADB_X_EXT_PRAND) {
634 1.1 jonathan if (lastthree[1] != lastthree[0] && lastthree[1] != 0) {
635 1.1 jonathan espstat.esps_badenc++;
636 1.1 jonathan DPRINTF(("esp_input_cb: decryption failed "
637 1.1 jonathan "for packet in SA %s/%08lx\n",
638 1.1 jonathan ipsec_address(&sav->sah->saidx.dst),
639 1.1 jonathan (u_long) ntohl(sav->spi)));
640 1.1 jonathan DPRINTF(("esp_input_cb: %x %x\n", lastthree[0], lastthree[1]));
641 1.1 jonathan error = EINVAL;
642 1.1 jonathan goto bad;
643 1.1 jonathan }
644 1.1 jonathan }
645 1.1 jonathan
646 1.1 jonathan /* Trim the mbuf chain to remove trailing authenticator and padding */
647 1.1 jonathan m_adj(m, -(lastthree[1] + 2));
648 1.1 jonathan
649 1.1 jonathan /* Restore the Next Protocol field */
650 1.10 pavel m = m_copyback_cow(m, protoff, sizeof (u_int8_t), lastthree + 2,
651 1.10 pavel M_DONTWAIT);
652 1.10 pavel
653 1.10 pavel if (m == NULL) {
654 1.10 pavel espstat.esps_crypto++;
655 1.10 pavel DPRINTF(("esp_input_cb: failed to allocate mbuf\n"));
656 1.10 pavel error = ENOBUFS;
657 1.10 pavel goto bad;
658 1.10 pavel }
659 1.1 jonathan
660 1.1 jonathan IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff, mtag);
661 1.1 jonathan
662 1.1 jonathan KEY_FREESAV(&sav);
663 1.1 jonathan splx(s);
664 1.1 jonathan return error;
665 1.1 jonathan bad:
666 1.1 jonathan if (sav)
667 1.1 jonathan KEY_FREESAV(&sav);
668 1.1 jonathan splx(s);
669 1.1 jonathan if (m != NULL)
670 1.1 jonathan m_freem(m);
671 1.1 jonathan if (tc != NULL)
672 1.1 jonathan free(tc, M_XDATA);
673 1.1 jonathan if (crp != NULL)
674 1.1 jonathan crypto_freereq(crp);
675 1.1 jonathan return error;
676 1.1 jonathan }
677 1.1 jonathan
678 1.1 jonathan /*
679 1.1 jonathan * ESP output routine, called by ipsec[46]_process_packet().
680 1.1 jonathan */
681 1.1 jonathan static int
682 1.1 jonathan esp_output(
683 1.11 christos struct mbuf *m,
684 1.11 christos struct ipsecrequest *isr,
685 1.12 christos struct mbuf **mp,
686 1.11 christos int skip,
687 1.11 christos int protoff
688 1.1 jonathan )
689 1.1 jonathan {
690 1.1 jonathan struct enc_xform *espx;
691 1.1 jonathan struct auth_hash *esph;
692 1.1 jonathan int hlen, rlen, plen, padding, blks, alen, i, roff;
693 1.1 jonathan struct mbuf *mo = (struct mbuf *) NULL;
694 1.1 jonathan struct tdb_crypto *tc;
695 1.1 jonathan struct secasvar *sav;
696 1.1 jonathan struct secasindex *saidx;
697 1.1 jonathan unsigned char *pad;
698 1.1 jonathan u_int8_t prot;
699 1.1 jonathan int error, maxpacketsize;
700 1.1 jonathan
701 1.1 jonathan struct cryptodesc *crde = NULL, *crda = NULL;
702 1.1 jonathan struct cryptop *crp;
703 1.1 jonathan
704 1.1 jonathan IPSEC_SPLASSERT_SOFTNET("esp_output");
705 1.1 jonathan
706 1.1 jonathan sav = isr->sav;
707 1.1 jonathan IPSEC_ASSERT(sav != NULL, ("esp_output: null SA"));
708 1.1 jonathan esph = sav->tdb_authalgxform;
709 1.1 jonathan espx = sav->tdb_encalgxform;
710 1.1 jonathan IPSEC_ASSERT(espx != NULL, ("esp_output: null encoding xform"));
711 1.1 jonathan
712 1.1 jonathan if (sav->flags & SADB_X_EXT_OLD)
713 1.1 jonathan hlen = sizeof (struct esp) + sav->ivlen;
714 1.1 jonathan else
715 1.1 jonathan hlen = sizeof (struct newesp) + sav->ivlen;
716 1.1 jonathan
717 1.1 jonathan rlen = m->m_pkthdr.len - skip; /* Raw payload length. */
718 1.1 jonathan /*
719 1.1 jonathan * NB: The null encoding transform has a blocksize of 4
720 1.1 jonathan * so that headers are properly aligned.
721 1.1 jonathan */
722 1.1 jonathan blks = espx->blocksize; /* IV blocksize */
723 1.1 jonathan
724 1.1 jonathan /* XXX clamp padding length a la KAME??? */
725 1.1 jonathan padding = ((blks - ((rlen + 2) % blks)) % blks) + 2;
726 1.1 jonathan plen = rlen + padding; /* Padded payload length. */
727 1.1 jonathan
728 1.1 jonathan if (esph)
729 1.1 jonathan alen = AH_HMAC_HASHLEN;
730 1.1 jonathan else
731 1.1 jonathan alen = 0;
732 1.1 jonathan
733 1.1 jonathan espstat.esps_output++;
734 1.1 jonathan
735 1.1 jonathan saidx = &sav->sah->saidx;
736 1.1 jonathan /* Check for maximum packet size violations. */
737 1.1 jonathan switch (saidx->dst.sa.sa_family) {
738 1.1 jonathan #ifdef INET
739 1.1 jonathan case AF_INET:
740 1.1 jonathan maxpacketsize = IP_MAXPACKET;
741 1.1 jonathan break;
742 1.1 jonathan #endif /* INET */
743 1.1 jonathan #ifdef INET6
744 1.1 jonathan case AF_INET6:
745 1.1 jonathan maxpacketsize = IPV6_MAXPACKET;
746 1.1 jonathan break;
747 1.1 jonathan #endif /* INET6 */
748 1.1 jonathan default:
749 1.1 jonathan DPRINTF(("esp_output: unknown/unsupported protocol "
750 1.1 jonathan "family %d, SA %s/%08lx\n",
751 1.1 jonathan saidx->dst.sa.sa_family, ipsec_address(&saidx->dst),
752 1.1 jonathan (u_long) ntohl(sav->spi)));
753 1.1 jonathan espstat.esps_nopf++;
754 1.1 jonathan error = EPFNOSUPPORT;
755 1.1 jonathan goto bad;
756 1.1 jonathan }
757 1.1 jonathan if (skip + hlen + rlen + padding + alen > maxpacketsize) {
758 1.1 jonathan DPRINTF(("esp_output: packet in SA %s/%08lx got too big "
759 1.1 jonathan "(len %u, max len %u)\n",
760 1.1 jonathan ipsec_address(&saidx->dst), (u_long) ntohl(sav->spi),
761 1.1 jonathan skip + hlen + rlen + padding + alen, maxpacketsize));
762 1.1 jonathan espstat.esps_toobig++;
763 1.1 jonathan error = EMSGSIZE;
764 1.1 jonathan goto bad;
765 1.1 jonathan }
766 1.1 jonathan
767 1.1 jonathan /* Update the counters. */
768 1.1 jonathan espstat.esps_obytes += m->m_pkthdr.len - skip;
769 1.1 jonathan
770 1.1 jonathan m = m_clone(m);
771 1.1 jonathan if (m == NULL) {
772 1.1 jonathan DPRINTF(("esp_output: cannot clone mbuf chain, SA %s/%08lx\n",
773 1.1 jonathan ipsec_address(&saidx->dst), (u_long) ntohl(sav->spi)));
774 1.1 jonathan espstat.esps_hdrops++;
775 1.1 jonathan error = ENOBUFS;
776 1.1 jonathan goto bad;
777 1.1 jonathan }
778 1.1 jonathan
779 1.1 jonathan /* Inject ESP header. */
780 1.1 jonathan mo = m_makespace(m, skip, hlen, &roff);
781 1.1 jonathan if (mo == NULL) {
782 1.1 jonathan DPRINTF(("esp_output: failed to inject %u byte ESP hdr for SA "
783 1.1 jonathan "%s/%08lx\n",
784 1.1 jonathan hlen, ipsec_address(&saidx->dst),
785 1.1 jonathan (u_long) ntohl(sav->spi)));
786 1.1 jonathan espstat.esps_hdrops++; /* XXX diffs from openbsd */
787 1.1 jonathan error = ENOBUFS;
788 1.1 jonathan goto bad;
789 1.1 jonathan }
790 1.1 jonathan
791 1.1 jonathan /* Initialize ESP header. */
792 1.15 degroote bcopy(&sav->spi, mtod(mo, char *) + roff, sizeof(u_int32_t));
793 1.1 jonathan if (sav->replay) {
794 1.9 rpaulo u_int32_t replay;
795 1.9 rpaulo
796 1.9 rpaulo #ifdef IPSEC_DEBUG
797 1.9 rpaulo /* Emulate replay attack when ipsec_replay is TRUE. */
798 1.9 rpaulo if (!ipsec_replay)
799 1.9 rpaulo #endif
800 1.9 rpaulo sav->replay->count++;
801 1.9 rpaulo
802 1.9 rpaulo replay = htonl(sav->replay->count);
803 1.15 degroote bcopy(&replay,
804 1.14 degroote mtod(mo,char *) + roff + sizeof(u_int32_t),
805 1.1 jonathan sizeof(u_int32_t));
806 1.1 jonathan }
807 1.1 jonathan
808 1.1 jonathan /*
809 1.1 jonathan * Add padding -- better to do it ourselves than use the crypto engine,
810 1.1 jonathan * although if/when we support compression, we'd have to do that.
811 1.1 jonathan */
812 1.1 jonathan pad = (u_char *) m_pad(m, padding + alen);
813 1.1 jonathan if (pad == NULL) {
814 1.1 jonathan DPRINTF(("esp_output: m_pad failed for SA %s/%08lx\n",
815 1.1 jonathan ipsec_address(&saidx->dst), (u_long) ntohl(sav->spi)));
816 1.1 jonathan m = NULL; /* NB: free'd by m_pad */
817 1.1 jonathan error = ENOBUFS;
818 1.1 jonathan goto bad;
819 1.1 jonathan }
820 1.1 jonathan
821 1.1 jonathan /*
822 1.1 jonathan * Add padding: random, zero, or self-describing.
823 1.1 jonathan * XXX catch unexpected setting
824 1.1 jonathan */
825 1.1 jonathan switch (sav->flags & SADB_X_EXT_PMASK) {
826 1.1 jonathan case SADB_X_EXT_PRAND:
827 1.1 jonathan (void) read_random(pad, padding - 2);
828 1.1 jonathan break;
829 1.1 jonathan case SADB_X_EXT_PZERO:
830 1.1 jonathan bzero(pad, padding - 2);
831 1.1 jonathan break;
832 1.1 jonathan case SADB_X_EXT_PSEQ:
833 1.1 jonathan for (i = 0; i < padding - 2; i++)
834 1.1 jonathan pad[i] = i+1;
835 1.1 jonathan break;
836 1.1 jonathan }
837 1.1 jonathan
838 1.1 jonathan /* Fix padding length and Next Protocol in padding itself. */
839 1.1 jonathan pad[padding - 2] = padding - 2;
840 1.1 jonathan m_copydata(m, protoff, sizeof(u_int8_t), pad + padding - 1);
841 1.1 jonathan
842 1.1 jonathan /* Fix Next Protocol in IPv4/IPv6 header. */
843 1.1 jonathan prot = IPPROTO_ESP;
844 1.1 jonathan m_copyback(m, protoff, sizeof(u_int8_t), (u_char *) &prot);
845 1.1 jonathan
846 1.1 jonathan /* Get crypto descriptors. */
847 1.1 jonathan crp = crypto_getreq(esph && espx ? 2 : 1);
848 1.1 jonathan if (crp == NULL) {
849 1.1 jonathan DPRINTF(("esp_output: failed to acquire crypto descriptors\n"));
850 1.1 jonathan espstat.esps_crypto++;
851 1.1 jonathan error = ENOBUFS;
852 1.1 jonathan goto bad;
853 1.1 jonathan }
854 1.1 jonathan
855 1.1 jonathan if (espx) {
856 1.1 jonathan crde = crp->crp_desc;
857 1.1 jonathan crda = crde->crd_next;
858 1.1 jonathan
859 1.1 jonathan /* Encryption descriptor. */
860 1.1 jonathan crde->crd_skip = skip + hlen;
861 1.1 jonathan crde->crd_len = m->m_pkthdr.len - (skip + hlen + alen);
862 1.1 jonathan crde->crd_flags = CRD_F_ENCRYPT;
863 1.1 jonathan crde->crd_inject = skip + hlen - sav->ivlen;
864 1.1 jonathan
865 1.1 jonathan /* Encryption operation. */
866 1.1 jonathan crde->crd_alg = espx->type;
867 1.1 jonathan crde->crd_key = _KEYBUF(sav->key_enc);
868 1.1 jonathan crde->crd_klen = _KEYBITS(sav->key_enc);
869 1.1 jonathan /* XXX Rounds ? */
870 1.1 jonathan } else
871 1.1 jonathan crda = crp->crp_desc;
872 1.1 jonathan
873 1.1 jonathan /* IPsec-specific opaque crypto info. */
874 1.1 jonathan tc = (struct tdb_crypto *) malloc(sizeof(struct tdb_crypto),
875 1.1 jonathan M_XDATA, M_NOWAIT|M_ZERO);
876 1.1 jonathan if (tc == NULL) {
877 1.1 jonathan crypto_freereq(crp);
878 1.1 jonathan DPRINTF(("esp_output: failed to allocate tdb_crypto\n"));
879 1.1 jonathan espstat.esps_crypto++;
880 1.1 jonathan error = ENOBUFS;
881 1.1 jonathan goto bad;
882 1.1 jonathan }
883 1.1 jonathan
884 1.1 jonathan /* Callback parameters */
885 1.1 jonathan tc->tc_isr = isr;
886 1.1 jonathan tc->tc_spi = sav->spi;
887 1.1 jonathan tc->tc_dst = saidx->dst;
888 1.1 jonathan tc->tc_proto = saidx->proto;
889 1.1 jonathan
890 1.1 jonathan /* Crypto operation descriptor. */
891 1.1 jonathan crp->crp_ilen = m->m_pkthdr.len; /* Total input length. */
892 1.1 jonathan crp->crp_flags = CRYPTO_F_IMBUF;
893 1.15 degroote crp->crp_buf = m;
894 1.1 jonathan crp->crp_callback = esp_output_cb;
895 1.15 degroote crp->crp_opaque = tc;
896 1.1 jonathan crp->crp_sid = sav->tdb_cryptoid;
897 1.1 jonathan
898 1.1 jonathan if (esph) {
899 1.1 jonathan /* Authentication descriptor. */
900 1.1 jonathan crda->crd_skip = skip;
901 1.1 jonathan crda->crd_len = m->m_pkthdr.len - (skip + alen);
902 1.1 jonathan crda->crd_inject = m->m_pkthdr.len - alen;
903 1.1 jonathan
904 1.1 jonathan /* Authentication operation. */
905 1.1 jonathan crda->crd_alg = esph->type;
906 1.1 jonathan crda->crd_key = _KEYBUF(sav->key_auth);
907 1.1 jonathan crda->crd_klen = _KEYBITS(sav->key_auth);
908 1.1 jonathan }
909 1.1 jonathan
910 1.1 jonathan return crypto_dispatch(crp);
911 1.1 jonathan bad:
912 1.1 jonathan if (m)
913 1.1 jonathan m_freem(m);
914 1.1 jonathan return (error);
915 1.1 jonathan }
916 1.1 jonathan
917 1.1 jonathan /*
918 1.1 jonathan * ESP output callback from the crypto driver.
919 1.1 jonathan */
920 1.1 jonathan static int
921 1.1 jonathan esp_output_cb(struct cryptop *crp)
922 1.1 jonathan {
923 1.1 jonathan struct tdb_crypto *tc;
924 1.1 jonathan struct ipsecrequest *isr;
925 1.1 jonathan struct secasvar *sav;
926 1.1 jonathan struct mbuf *m;
927 1.1 jonathan int s, err, error;
928 1.1 jonathan
929 1.1 jonathan tc = (struct tdb_crypto *) crp->crp_opaque;
930 1.1 jonathan IPSEC_ASSERT(tc != NULL, ("esp_output_cb: null opaque data area!"));
931 1.1 jonathan m = (struct mbuf *) crp->crp_buf;
932 1.1 jonathan
933 1.1 jonathan s = splsoftnet();
934 1.1 jonathan
935 1.1 jonathan isr = tc->tc_isr;
936 1.16 degroote sav = KEY_ALLOCSA(&tc->tc_dst, tc->tc_proto, tc->tc_spi, 0, 0);
937 1.1 jonathan if (sav == NULL) {
938 1.1 jonathan espstat.esps_notdb++;
939 1.1 jonathan DPRINTF(("esp_output_cb: SA expired while in crypto "
940 1.1 jonathan "(SA %s/%08lx proto %u)\n", ipsec_address(&tc->tc_dst),
941 1.1 jonathan (u_long) ntohl(tc->tc_spi), tc->tc_proto));
942 1.1 jonathan error = ENOBUFS; /*XXX*/
943 1.1 jonathan goto bad;
944 1.1 jonathan }
945 1.1 jonathan IPSEC_ASSERT(isr->sav == sav,
946 1.1 jonathan ("esp_output_cb: SA changed was %p now %p\n", isr->sav, sav));
947 1.1 jonathan
948 1.1 jonathan /* Check for crypto errors. */
949 1.1 jonathan if (crp->crp_etype) {
950 1.1 jonathan /* Reset session ID. */
951 1.1 jonathan if (sav->tdb_cryptoid != 0)
952 1.1 jonathan sav->tdb_cryptoid = crp->crp_sid;
953 1.1 jonathan
954 1.1 jonathan if (crp->crp_etype == EAGAIN) {
955 1.1 jonathan KEY_FREESAV(&sav);
956 1.1 jonathan splx(s);
957 1.1 jonathan return crypto_dispatch(crp);
958 1.1 jonathan }
959 1.1 jonathan
960 1.1 jonathan espstat.esps_noxform++;
961 1.1 jonathan DPRINTF(("esp_output_cb: crypto error %d\n", crp->crp_etype));
962 1.1 jonathan error = crp->crp_etype;
963 1.1 jonathan goto bad;
964 1.1 jonathan }
965 1.1 jonathan
966 1.1 jonathan /* Shouldn't happen... */
967 1.1 jonathan if (m == NULL) {
968 1.1 jonathan espstat.esps_crypto++;
969 1.1 jonathan DPRINTF(("esp_output_cb: bogus returned buffer from crypto\n"));
970 1.1 jonathan error = EINVAL;
971 1.1 jonathan goto bad;
972 1.1 jonathan }
973 1.1 jonathan espstat.esps_hist[sav->alg_enc]++;
974 1.1 jonathan if (sav->tdb_authalgxform != NULL)
975 1.1 jonathan ahstat.ahs_hist[sav->alg_auth]++;
976 1.1 jonathan
977 1.1 jonathan /* Release crypto descriptors. */
978 1.1 jonathan free(tc, M_XDATA);
979 1.1 jonathan crypto_freereq(crp);
980 1.1 jonathan
981 1.9 rpaulo #ifdef IPSEC_DEBUG
982 1.9 rpaulo /* Emulate man-in-the-middle attack when ipsec_integrity is TRUE. */
983 1.9 rpaulo if (ipsec_integrity) {
984 1.9 rpaulo static unsigned char ipseczeroes[AH_HMAC_HASHLEN];
985 1.9 rpaulo struct auth_hash *esph;
986 1.9 rpaulo
987 1.9 rpaulo /*
988 1.9 rpaulo * Corrupt HMAC if we want to test integrity verification of
989 1.9 rpaulo * the other side.
990 1.9 rpaulo */
991 1.9 rpaulo esph = sav->tdb_authalgxform;
992 1.9 rpaulo if (esph != NULL) {
993 1.9 rpaulo m_copyback(m, m->m_pkthdr.len - AH_HMAC_HASHLEN,
994 1.9 rpaulo AH_HMAC_HASHLEN, ipseczeroes);
995 1.9 rpaulo }
996 1.9 rpaulo }
997 1.9 rpaulo #endif
998 1.9 rpaulo
999 1.1 jonathan /* NB: m is reclaimed by ipsec_process_done. */
1000 1.1 jonathan err = ipsec_process_done(m, isr);
1001 1.1 jonathan KEY_FREESAV(&sav);
1002 1.1 jonathan splx(s);
1003 1.1 jonathan return err;
1004 1.1 jonathan bad:
1005 1.1 jonathan if (sav)
1006 1.1 jonathan KEY_FREESAV(&sav);
1007 1.1 jonathan splx(s);
1008 1.1 jonathan if (m)
1009 1.1 jonathan m_freem(m);
1010 1.1 jonathan free(tc, M_XDATA);
1011 1.1 jonathan crypto_freereq(crp);
1012 1.1 jonathan return error;
1013 1.1 jonathan }
1014 1.1 jonathan
1015 1.1 jonathan static struct xformsw esp_xformsw = {
1016 1.1 jonathan XF_ESP, XFT_CONF|XFT_AUTH, "IPsec ESP",
1017 1.1 jonathan esp_init, esp_zeroize, esp_input,
1018 1.11 christos esp_output,
1019 1.11 christos NULL,
1020 1.1 jonathan };
1021 1.1 jonathan
1022 1.1 jonathan INITFN void
1023 1.1 jonathan esp_attach(void)
1024 1.1 jonathan {
1025 1.1 jonathan #define MAXIV(xform) \
1026 1.1 jonathan if (xform.blocksize > esp_max_ivlen) \
1027 1.1 jonathan esp_max_ivlen = xform.blocksize \
1028 1.1 jonathan
1029 1.1 jonathan esp_max_ivlen = 0;
1030 1.1 jonathan MAXIV(enc_xform_des); /* SADB_EALG_DESCBC */
1031 1.1 jonathan MAXIV(enc_xform_3des); /* SADB_EALG_3DESCBC */
1032 1.1 jonathan MAXIV(enc_xform_rijndael128); /* SADB_X_EALG_AES */
1033 1.1 jonathan MAXIV(enc_xform_blf); /* SADB_X_EALG_BLOWFISHCBC */
1034 1.1 jonathan MAXIV(enc_xform_cast5); /* SADB_X_EALG_CAST128CBC */
1035 1.1 jonathan MAXIV(enc_xform_skipjack); /* SADB_X_EALG_SKIPJACK */
1036 1.1 jonathan MAXIV(enc_xform_null); /* SADB_EALG_NULL */
1037 1.1 jonathan
1038 1.1 jonathan xform_register(&esp_xformsw);
1039 1.1 jonathan #undef MAXIV
1040 1.1 jonathan }
1041 1.1 jonathan #ifdef __FreeBSD__
1042 1.1 jonathan SYSINIT(esp_xform_init, SI_SUB_DRIVERS, SI_ORDER_FIRST, esp_attach, NULL)
1043 1.1 jonathan #else
1044 1.1 jonathan #endif
1045