search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Expand PMF_FN_* macros.
[netbsd-mini2440.git] / sys / netipsec / xform_esp.c
blobe21fbf7f006d19d6b72984ddf899ae2ba161a64b
1 /* $NetBSD: xform_esp.c,v 1.21 2009/03/18 17:06:52 cegger Exp $ */
2 /* $FreeBSD: src/sys/netipsec/xform_esp.c,v 1.2.2.1 2003/01/24 05:11:36 sam Exp $ */
3 /* $OpenBSD: ip_esp.c,v 1.69 2001/06/26 06:18:59 angelos Exp $ */
4
5 /*
6 * The authors of this code are John Ioannidis (ji@tla.org),
7 * Angelos D. Keromytis (kermit@csd.uch.gr) and
8 * Niels Provos (provos@physnet.uni-hamburg.de).
9 *
10 * The original version of this code was written by John Ioannidis
11 * for BSD/OS in Athens, Greece, in November 1995.
12 *
13 * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996,
14 * by Angelos D. Keromytis.
15 *
16 * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis
17 * and Niels Provos.
18 *
19 * Additional features in 1999 by Angelos D. Keromytis.
20 *
21 * Copyright (C) 1995, 1996, 1997, 1998, 1999 by John Ioannidis,
22 * Angelos D. Keromytis and Niels Provos.
23 * Copyright (c) 2001 Angelos D. Keromytis.
24 *
25 * Permission to use, copy, and modify this software with or without fee
26 * is hereby granted, provided that this entire notice is included in
27 * all copies of any software which is or includes a copy or
28 * modification of this software.
29 * You may use this code under the GNU public license if you so wish. Please
30 * contribute changes back to the authors under this freer than GPL license
31 * so that we may further the use of strong encryption without limitations to
32 * all.
33 *
34 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
35 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY
36 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
37 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
38 * PURPOSE.
39 */
40
41 #include <sys/cdefs.h>
42 __KERNEL_RCSID(0, "$NetBSD: xform_esp.c,v 1.21 2009/03/18 17:06:52 cegger Exp $");
43
44 #include "opt_inet.h"
45 #ifdef __FreeBSD__
46 #include "opt_inet6.h"
47 #endif
48
49 #include <sys/param.h>
50 #include <sys/systm.h>
51 #include <sys/mbuf.h>
52 #include <sys/socket.h>
53 #include <sys/syslog.h>
54 #include <sys/kernel.h>
55 /*#include <sys/random.h>*/
56 #include <sys/sysctl.h>
57
58 #include <net/if.h>
59
60 #include <netinet/in.h>
61 #include <netinet/in_systm.h>
62 #include <netinet/ip.h>
63 #include <netinet/ip_ecn.h>
64 #include <netinet/ip6.h>
65
66 #include <net/route.h>
67 #include <netipsec/ipsec.h>
68 #include <netipsec/ipsec_private.h>
69 #include <netipsec/ah.h>
70 #include <netipsec/ah_var.h>
71 #include <netipsec/esp.h>
72 #include <netipsec/esp_var.h>
73 #include <netipsec/xform.h>
74
75 #ifdef INET6
76 #include <netinet6/ip6_var.h>
77 #include <netipsec/ipsec6.h>
78 # ifdef __FreeBSD__
79 # include <netinet6/ip6_ecn.h>
80 # endif
81 #endif
82
83 #include <netipsec/key.h>
84 #include <netipsec/key_debug.h>
85
86 #include <netipsec/ipsec_osdep.h>
87
88 #include <opencrypto/cryptodev.h>
89 #include <opencrypto/xform.h>
90
91 percpu_t *espstat_percpu;
92
93 int esp_enable = 1;
94
95 #ifdef __FreeBSD__
96 SYSCTL_DECL(_net_inet_esp);
97 SYSCTL_INT(_net_inet_esp, OID_AUTO,
98 esp_enable, CTLFLAG_RW, &esp_enable, 0, "");
99 SYSCTL_STRUCT(_net_inet_esp, IPSECCTL_STATS,
100 stats, CTLFLAG_RD, &espstat, espstat, "");
101 #endif /* __FreeBSD__ */
102
103 static int esp_max_ivlen; /* max iv length over all algorithms */
104
105 static int esp_input_cb(struct cryptop *op);
106 static int esp_output_cb(struct cryptop *crp);
107
108 /*
109 * NB: this is public for use by the PF_KEY support.
110 * NB: if you add support here; be sure to add code to esp_attach below!
111 */
112 struct enc_xform *
113 esp_algorithm_lookup(int alg)
114 {
115 if (alg >= ESP_ALG_MAX)
116 return NULL;
117 switch (alg) {
118 case SADB_EALG_DESCBC:
119 return &enc_xform_des;
120 case SADB_EALG_3DESCBC:
121 return &enc_xform_3des;
122 case SADB_X_EALG_AES:
123 return &enc_xform_rijndael128;
124 case SADB_X_EALG_BLOWFISHCBC:
125 return &enc_xform_blf;
126 case SADB_X_EALG_CAST128CBC:
127 return &enc_xform_cast5;
128 case SADB_X_EALG_SKIPJACK:
129 return &enc_xform_skipjack;
130 case SADB_EALG_NULL:
131 return &enc_xform_null;
132 }
133 return NULL;
134 }
135
136 size_t
137 esp_hdrsiz(struct secasvar *sav)
138 {
139 size_t size;
140
141 if (sav != NULL) {
142 /*XXX not right for null algorithm--does it matter??*/
143 IPSEC_ASSERT(sav->tdb_encalgxform != NULL,
144 ("esp_hdrsiz: SA with null xform"));
145 if (sav->flags & SADB_X_EXT_OLD)
146 size = sizeof (struct esp);
147 else
148 size = sizeof (struct newesp);
149 size += sav->tdb_encalgxform->blocksize + 9;
150 /*XXX need alg check???*/
151 if (sav->tdb_authalgxform != NULL && sav->replay)
152 size += ah_hdrsiz(sav);
153 } else {
154 /*
155 * base header size
156 * + max iv length for CBC mode
157 * + max pad length
158 * + sizeof (pad length field)
159 * + sizeof (next header field)
160 * + max icv supported.
161 */
162 size = sizeof (struct newesp) + esp_max_ivlen + 9 + 16;
163 }
164 return size;
165 }
166
167 /*
168 * esp_init() is called when an SPI is being set up.
169 */
170 static int
171 esp_init(struct secasvar *sav, struct xformsw *xsp)
172 {
173 struct enc_xform *txform;
174 struct cryptoini cria, crie;
175 int keylen;
176 int error;
177
178 txform = esp_algorithm_lookup(sav->alg_enc);
179 if (txform == NULL) {
180 DPRINTF(("esp_init: unsupported encryption algorithm %d\n",
181 sav->alg_enc));
182 return EINVAL;
183 }
184 if (sav->key_enc == NULL) {
185 DPRINTF(("esp_init: no encoding key for %s algorithm\n",
186 txform->name));
187 return EINVAL;
188 }
189 if ((sav->flags&(SADB_X_EXT_OLD|SADB_X_EXT_IV4B)) == SADB_X_EXT_IV4B) {
190 DPRINTF(("esp_init: 4-byte IV not supported with protocol\n"));
191 return EINVAL;
192 }
193 keylen = _KEYLEN(sav->key_enc);
194 if (txform->minkey > keylen || keylen > txform->maxkey) {
195 DPRINTF(("esp_init: invalid key length %u, must be in "
196 "the range [%u..%u] for algorithm %s\n",
197 keylen, txform->minkey, txform->maxkey,
198 txform->name));
199 return EINVAL;
200 }
201
202 /*
203 * NB: The null xform needs a non-zero blocksize to keep the
204 * crypto code happy but if we use it to set ivlen then
205 * the ESP header will be processed incorrectly. The
206 * compromise is to force it to zero here.
207 */
208 sav->ivlen = (txform == &enc_xform_null ? 0 : txform->blocksize);
209 sav->iv = malloc(sav->ivlen, M_SECA, M_WAITOK);
210 if (sav->iv == NULL) {
211 DPRINTF(("esp_init: no memory for IV\n"));
212 return EINVAL;
213 }
214 key_randomfill(sav->iv, sav->ivlen); /*XXX*/
215
216 /*
217 * Setup AH-related state.
218 */
219 if (sav->alg_auth != 0) {
220 error = ah_init0(sav, xsp, &cria);
221 if (error)
222 return error;
223 }
224
225 /* NB: override anything set in ah_init0 */
226 sav->tdb_xform = xsp;
227 sav->tdb_encalgxform = txform;
228
229 /* Initialize crypto session. */
230 memset(&crie, 0, sizeof (crie));
231 crie.cri_alg = sav->tdb_encalgxform->type;
232 crie.cri_klen = _KEYBITS(sav->key_enc);
233 crie.cri_key = _KEYBUF(sav->key_enc);
234 /* XXX Rounds ? */
235
236 mutex_spin_enter(&crypto_mtx);
237 if (sav->tdb_authalgxform && sav->tdb_encalgxform) {
238 /* init both auth & enc */
239 crie.cri_next = &cria;
240 error = crypto_newsession(&sav->tdb_cryptoid,
241 &crie, crypto_support);
242 } else if (sav->tdb_encalgxform) {
243 error = crypto_newsession(&sav->tdb_cryptoid,
244 &crie, crypto_support);
245 } else if (sav->tdb_authalgxform) {
246 error = crypto_newsession(&sav->tdb_cryptoid,
247 &cria, crypto_support);
248 } else {
249 /* XXX cannot happen? */
250 DPRINTF(("esp_init: no encoding OR authentication xform!\n"));
251 error = EINVAL;
252 }
253 mutex_spin_exit(&crypto_mtx);
254 return error;
255 }
256
257 /*
258 * Paranoia.
259 */
260 static int
261 esp_zeroize(struct secasvar *sav)
262 {
263 /* NB: ah_zerorize free's the crypto session state */
264 int error = ah_zeroize(sav);
265
266 if (sav->key_enc)
267 memset(_KEYBUF(sav->key_enc), 0, _KEYLEN(sav->key_enc));
268 /* NB: sav->iv is freed elsewhere, even though we malloc it! */
269 sav->tdb_encalgxform = NULL;
270 sav->tdb_xform = NULL;
271 return error;
272 }
273
274 /*
275 * ESP input processing, called (eventually) through the protocol switch.
276 */
277 static int
278 esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
279 {
280 struct auth_hash *esph;
281 struct enc_xform *espx;
282 struct tdb_ident *tdbi;
283 struct tdb_crypto *tc;
284 int plen, alen, hlen;
285 struct m_tag *mtag;
286 struct newesp *esp;
287
288 struct cryptodesc *crde;
289 struct cryptop *crp;
290
291 IPSEC_SPLASSERT_SOFTNET("esp_input");
292
293 IPSEC_ASSERT(sav != NULL, ("esp_input: null SA"));
294 IPSEC_ASSERT(sav->tdb_encalgxform != NULL,
295 ("esp_input: null encoding xform"));
296 IPSEC_ASSERT((skip&3) == 0 && (m->m_pkthdr.len&3) == 0,
297 ("esp_input: misaligned packet, skip %u pkt len %u",
298 skip, m->m_pkthdr.len));
299
300 /* XXX don't pullup, just copy header */
301 IP6_EXTHDR_GET(esp, struct newesp *, m, skip, sizeof (struct newesp));
302
303 esph = sav->tdb_authalgxform;
304 espx = sav->tdb_encalgxform;
305
306 /* Determine the ESP header length */
307 if (sav->flags & SADB_X_EXT_OLD)
308 hlen = sizeof (struct esp) + sav->ivlen;
309 else
310 hlen = sizeof (struct newesp) + sav->ivlen;
311 /* Authenticator hash size */
312 alen = esph ? AH_HMAC_HASHLEN : 0;
313
314 /*
315 * Verify payload length is multiple of encryption algorithm
316 * block size.
317 *
318 * NB: This works for the null algorithm because the blocksize
319 * is 4 and all packets must be 4-byte aligned regardless
320 * of the algorithm.
321 */
322 plen = m->m_pkthdr.len - (skip + hlen + alen);
323 if ((plen & (espx->blocksize - 1)) || (plen <= 0)) {
324 DPRINTF(("esp_input: "
325 "payload of %d octets not a multiple of %d octets,"
326 " SA %s/%08lx\n",
327 plen, espx->blocksize,
328 ipsec_address(&sav->sah->saidx.dst),
329 (u_long) ntohl(sav->spi)));
330 ESP_STATINC(ESP_STAT_BADILEN);
331 m_freem(m);
332 return EINVAL;
333 }
334
335 /*
336 * Check sequence number.
337 */
338 if (esph && sav->replay && !ipsec_chkreplay(ntohl(esp->esp_seq), sav)) {
339 DPRINTF(("esp_input: packet replay check for %s\n",
340 ipsec_logsastr(sav))); /*XXX*/
341 ESP_STATINC(ESP_STAT_REPLAY);
342 m_freem(m);
343 return ENOBUFS; /*XXX*/
344 }
345
346 /* Update the counters */
347 ESP_STATADD(ESP_STAT_IBYTES, m->m_pkthdr.len - skip - hlen - alen);
348
349 /* Find out if we've already done crypto */
350 for (mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_CRYPTO_DONE, NULL);
351 mtag != NULL;
352 mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_CRYPTO_DONE, mtag)) {
353 tdbi = (struct tdb_ident *) (mtag + 1);
354 if (tdbi->proto == sav->sah->saidx.proto &&
355 tdbi->spi == sav->spi &&
356 !memcmp(&tdbi->dst, &sav->sah->saidx.dst,
357 sizeof(union sockaddr_union)))
358 break;
359 }
360
361 /* Get crypto descriptors */
362 crp = crypto_getreq(esph && espx ? 2 : 1);
363 if (crp == NULL) {
364 DPRINTF(("esp_input: failed to acquire crypto descriptors\n"));
365 ESP_STATINC(ESP_STAT_CRYPTO);
366 m_freem(m);
367 return ENOBUFS;
368 }
369
370 /* Get IPsec-specific opaque pointer */
371 if (esph == NULL || mtag != NULL)
372 tc = (struct tdb_crypto *) malloc(sizeof(struct tdb_crypto),
373 M_XDATA, M_NOWAIT|M_ZERO);
374 else
375 tc = (struct tdb_crypto *) malloc(sizeof(struct tdb_crypto) + alen,
376 M_XDATA, M_NOWAIT|M_ZERO);
377 if (tc == NULL) {
378 crypto_freereq(crp);
379 DPRINTF(("esp_input: failed to allocate tdb_crypto\n"));
380 ESP_STATINC(ESP_STAT_CRYPTO);
381 m_freem(m);
382 return ENOBUFS;
383 }
384
385 tc->tc_ptr = mtag;
386
387 if (esph) {
388 struct cryptodesc *crda = crp->crp_desc;
389
390 IPSEC_ASSERT(crda != NULL, ("esp_input: null ah crypto descriptor"));
391
392 /* Authentication descriptor */
393 crda->crd_skip = skip;
394 crda->crd_len = m->m_pkthdr.len - (skip + alen);
395 crda->crd_inject = m->m_pkthdr.len - alen;
396
397 crda->crd_alg = esph->type;
398 crda->crd_key = _KEYBUF(sav->key_auth);
399 crda->crd_klen = _KEYBITS(sav->key_auth);
400
401 /* Copy the authenticator */
402 if (mtag == NULL)
403 m_copydata(m, m->m_pkthdr.len - alen, alen,
404 (tc + 1));
405
406 /* Chain authentication request */
407 crde = crda->crd_next;
408 } else {
409 crde = crp->crp_desc;
410 }
411
412 /* Crypto operation descriptor */
413 crp->crp_ilen = m->m_pkthdr.len; /* Total input length */
414 crp->crp_flags = CRYPTO_F_IMBUF;
415 crp->crp_buf = m;
416 crp->crp_callback = esp_input_cb;
417 crp->crp_sid = sav->tdb_cryptoid;
418 crp->crp_opaque = tc;
419
420 /* These are passed as-is to the callback */
421 tc->tc_spi = sav->spi;
422 tc->tc_dst = sav->sah->saidx.dst;
423 tc->tc_proto = sav->sah->saidx.proto;
424 tc->tc_protoff = protoff;
425 tc->tc_skip = skip;
426
427 /* Decryption descriptor */
428 if (espx) {
429 IPSEC_ASSERT(crde != NULL, ("esp_input: null esp crypto descriptor"));
430 crde->crd_skip = skip + hlen;
431 crde->crd_len = m->m_pkthdr.len - (skip + hlen + alen);
432 crde->crd_inject = skip + hlen - sav->ivlen;
433
434 crde->crd_alg = espx->type;
435 crde->crd_key = _KEYBUF(sav->key_enc);
436 crde->crd_klen = _KEYBITS(sav->key_enc);
437 /* XXX Rounds ? */
438 }
439
440 if (mtag == NULL)
441 return crypto_dispatch(crp);
442 else
443 return esp_input_cb(crp);
444 }
445
446 #ifdef INET6
447 #define IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff, mtag) do { \
448 if (saidx->dst.sa.sa_family == AF_INET6) { \
449 error = ipsec6_common_input_cb(m, sav, skip, protoff, mtag); \
450 } else { \
451 error = ipsec4_common_input_cb(m, sav, skip, protoff, mtag); \
452 } \
453 } while (0)
454 #else
455 #define IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff, mtag) \
456 (error = ipsec4_common_input_cb(m, sav, skip, protoff, mtag))
457 #endif
458
459 /*
460 * ESP input callback from the crypto driver.
461 */
462 static int
463 esp_input_cb(struct cryptop *crp)
464 {
465 u_int8_t lastthree[3], aalg[AH_HMAC_HASHLEN];
466 int s, hlen, skip, protoff, error;
467 struct mbuf *m;
468 struct cryptodesc *crd;
469 struct auth_hash *esph;
470 struct enc_xform *espx;
471 struct tdb_crypto *tc;
472 struct m_tag *mtag;
473 struct secasvar *sav;
474 struct secasindex *saidx;
475 void *ptr;
476 u_int16_t dport = 0;
477 u_int16_t sport = 0;
478 #ifdef IPSEC_NAT_T
479 struct m_tag * tag = NULL;
480 #endif
481
482 crd = crp->crp_desc;
483 IPSEC_ASSERT(crd != NULL, ("esp_input_cb: null crypto descriptor!"));
484
485 tc = (struct tdb_crypto *) crp->crp_opaque;
486 IPSEC_ASSERT(tc != NULL, ("esp_input_cb: null opaque crypto data area!"));
487 skip = tc->tc_skip;
488 protoff = tc->tc_protoff;
489 mtag = (struct m_tag *) tc->tc_ptr;
490 m = (struct mbuf *) crp->crp_buf;
491
492 #ifdef IPSEC_NAT_T
493 /* find the source port for NAT-T */
494 if ((tag = m_tag_find(m, PACKET_TAG_IPSEC_NAT_T_PORTS, NULL))) {
495 sport = ((u_int16_t *)(tag + 1))[0];
496 dport = ((u_int16_t *)(tag + 1))[1];
497 }
498 #endif
499
500 s = splsoftnet();
501
502 sav = KEY_ALLOCSA(&tc->tc_dst, tc->tc_proto, tc->tc_spi, sport, dport);
503 if (sav == NULL) {
504 ESP_STATINC(ESP_STAT_NOTDB);
505 DPRINTF(("esp_input_cb: SA expired while in crypto "
506 "(SA %s/%08lx proto %u)\n", ipsec_address(&tc->tc_dst),
507 (u_long) ntohl(tc->tc_spi), tc->tc_proto));
508 error = ENOBUFS; /*XXX*/
509 goto bad;
510 }
511
512 saidx = &sav->sah->saidx;
513 IPSEC_ASSERT(saidx->dst.sa.sa_family == AF_INET ||
514 saidx->dst.sa.sa_family == AF_INET6,
515 ("ah_input_cb: unexpected protocol family %u",
516 saidx->dst.sa.sa_family));
517
518 esph = sav->tdb_authalgxform;
519 espx = sav->tdb_encalgxform;
520
521 /* Check for crypto errors */
522 if (crp->crp_etype) {
523 /* Reset the session ID */
524 if (sav->tdb_cryptoid != 0)
525 sav->tdb_cryptoid = crp->crp_sid;
526
527 if (crp->crp_etype == EAGAIN) {
528 KEY_FREESAV(&sav);
529 splx(s);
530 return crypto_dispatch(crp);
531 }
532
533 ESP_STATINC(ESP_STAT_NOXFORM);
534 DPRINTF(("esp_input_cb: crypto error %d\n", crp->crp_etype));
535 error = crp->crp_etype;
536 goto bad;
537 }
538
539 /* Shouldn't happen... */
540 if (m == NULL) {
541 ESP_STATINC(ESP_STAT_CRYPTO);
542 DPRINTF(("esp_input_cb: bogus returned buffer from crypto\n"));
543 error = EINVAL;
544 goto bad;
545 }
546 ESP_STATINC(ESP_STAT_HIST + sav->alg_enc);
547
548 /* If authentication was performed, check now. */
549 if (esph != NULL) {
550 /*
551 * If we have a tag, it means an IPsec-aware NIC did
552 * the verification for us. Otherwise we need to
553 * check the authentication calculation.
554 */
555 AH_STATINC(AH_STAT_HIST + sav->alg_auth);
556 if (mtag == NULL) {
557 /* Copy the authenticator from the packet */
558 m_copydata(m, m->m_pkthdr.len - esph->authsize,
559 esph->authsize, aalg);
560
561 ptr = (tc + 1);
562
563 /* Verify authenticator */
564 if (memcmp(ptr, aalg, esph->authsize) != 0) {
565 DPRINTF(("esp_input_cb: "
566 "authentication hash mismatch for packet in SA %s/%08lx\n",
567 ipsec_address(&saidx->dst),
568 (u_long) ntohl(sav->spi)));
569 ESP_STATINC(ESP_STAT_BADAUTH);
570 error = EACCES;
571 goto bad;
572 }
573 }
574
575 /* Remove trailing authenticator */
576 m_adj(m, -(esph->authsize));
577 }
578
579 /* Release the crypto descriptors */
580 free(tc, M_XDATA), tc = NULL;
581 crypto_freereq(crp), crp = NULL;
582
583 /*
584 * Packet is now decrypted.
585 */
586 m->m_flags |= M_DECRYPTED;
587
588 /*
589 * Update replay sequence number, if appropriate.
590 */
591 if (sav->replay) {
592 u_int32_t seq;
593
594 m_copydata(m, skip + offsetof(struct newesp, esp_seq),
595 sizeof (seq), &seq);
596 if (ipsec_updatereplay(ntohl(seq), sav)) {
597 DPRINTF(("%s: packet replay check for %s\n", __func__,
598 ipsec_logsastr(sav)));
599 ESP_STATINC(ESP_STAT_REPLAY);
600 error = ENOBUFS;
601 goto bad;
602 }
603 }
604
605 /* Determine the ESP header length */
606 if (sav->flags & SADB_X_EXT_OLD)
607 hlen = sizeof (struct esp) + sav->ivlen;
608 else
609 hlen = sizeof (struct newesp) + sav->ivlen;
610
611 /* Remove the ESP header and IV from the mbuf. */
612 error = m_striphdr(m, skip, hlen);
613 if (error) {
614 ESP_STATINC(ESP_STAT_HDROPS);
615 DPRINTF(("esp_input_cb: bad mbuf chain, SA %s/%08lx\n",
616 ipsec_address(&sav->sah->saidx.dst),
617 (u_long) ntohl(sav->spi)));
618 goto bad;
619 }
620
621 /* Save the last three bytes of decrypted data */
622 m_copydata(m, m->m_pkthdr.len - 3, 3, lastthree);
623
624 /* Verify pad length */
625 if (lastthree[1] + 2 > m->m_pkthdr.len - skip) {
626 ESP_STATINC(ESP_STAT_BADILEN);
627 DPRINTF(("esp_input_cb: invalid padding length %d "
628 "for %u byte packet in SA %s/%08lx\n",
629 lastthree[1], m->m_pkthdr.len - skip,
630 ipsec_address(&sav->sah->saidx.dst),
631 (u_long) ntohl(sav->spi)));
632 error = EINVAL;
633 goto bad;
634 }
635
636 /* Verify correct decryption by checking the last padding bytes */
637 if ((sav->flags & SADB_X_EXT_PMASK) != SADB_X_EXT_PRAND) {
638 if (lastthree[1] != lastthree[0] && lastthree[1] != 0) {
639 ESP_STATINC(ESP_STAT_BADENC);
640 DPRINTF(("esp_input_cb: decryption failed "
641 "for packet in SA %s/%08lx\n",
642 ipsec_address(&sav->sah->saidx.dst),
643 (u_long) ntohl(sav->spi)));
644 DPRINTF(("esp_input_cb: %x %x\n", lastthree[0], lastthree[1]));
645 error = EINVAL;
646 goto bad;
647 }
648 }
649
650 /* Trim the mbuf chain to remove trailing authenticator and padding */
651 m_adj(m, -(lastthree[1] + 2));
652
653 /* Restore the Next Protocol field */
654 m = m_copyback_cow(m, protoff, sizeof (u_int8_t), lastthree + 2,
655 M_DONTWAIT);
656
657 if (m == NULL) {
658 ESP_STATINC(ESP_STAT_CRYPTO);
659 DPRINTF(("esp_input_cb: failed to allocate mbuf\n"));
660 error = ENOBUFS;
661 goto bad;
662 }
663
664 IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff, mtag);
665
666 KEY_FREESAV(&sav);
667 splx(s);
668 return error;
669 bad:
670 if (sav)
671 KEY_FREESAV(&sav);
672 splx(s);
673 if (m != NULL)
674 m_freem(m);
675 if (tc != NULL)
676 free(tc, M_XDATA);
677 if (crp != NULL)
678 crypto_freereq(crp);
679 return error;
680 }
681
682 /*
683 * ESP output routine, called by ipsec[46]_process_packet().
684 */
685 static int
686 esp_output(
687 struct mbuf *m,
688 struct ipsecrequest *isr,
689 struct mbuf **mp,
690 int skip,
691 int protoff
692 )
693 {
694 struct enc_xform *espx;
695 struct auth_hash *esph;
696 int hlen, rlen, plen, padding, blks, alen, i, roff;
697 struct mbuf *mo = (struct mbuf *) NULL;
698 struct tdb_crypto *tc;
699 struct secasvar *sav;
700 struct secasindex *saidx;
701 unsigned char *pad;
702 u_int8_t prot;
703 int error, maxpacketsize;
704
705 struct cryptodesc *crde = NULL, *crda = NULL;
706 struct cryptop *crp;
707
708 IPSEC_SPLASSERT_SOFTNET("esp_output");
709
710 sav = isr->sav;
711 IPSEC_ASSERT(sav != NULL, ("esp_output: null SA"));
712 esph = sav->tdb_authalgxform;
713 espx = sav->tdb_encalgxform;
714 IPSEC_ASSERT(espx != NULL, ("esp_output: null encoding xform"));
715
716 if (sav->flags & SADB_X_EXT_OLD)
717 hlen = sizeof (struct esp) + sav->ivlen;
718 else
719 hlen = sizeof (struct newesp) + sav->ivlen;
720
721 rlen = m->m_pkthdr.len - skip; /* Raw payload length. */
722 /*
723 * NB: The null encoding transform has a blocksize of 4
724 * so that headers are properly aligned.
725 */
726 blks = espx->blocksize; /* IV blocksize */
727
728 /* XXX clamp padding length a la KAME??? */
729 padding = ((blks - ((rlen + 2) % blks)) % blks) + 2;
730 plen = rlen + padding; /* Padded payload length. */
731
732 if (esph)
733 alen = AH_HMAC_HASHLEN;
734 else
735 alen = 0;
736
737 ESP_STATINC(ESP_STAT_OUTPUT);
738
739 saidx = &sav->sah->saidx;
740 /* Check for maximum packet size violations. */
741 switch (saidx->dst.sa.sa_family) {
742 #ifdef INET
743 case AF_INET:
744 maxpacketsize = IP_MAXPACKET;
745 break;
746 #endif /* INET */
747 #ifdef INET6
748 case AF_INET6:
749 maxpacketsize = IPV6_MAXPACKET;
750 break;
751 #endif /* INET6 */
752 default:
753 DPRINTF(("esp_output: unknown/unsupported protocol "
754 "family %d, SA %s/%08lx\n",
755 saidx->dst.sa.sa_family, ipsec_address(&saidx->dst),
756 (u_long) ntohl(sav->spi)));
757 ESP_STATINC(ESP_STAT_NOPF);
758 error = EPFNOSUPPORT;
759 goto bad;
760 }
761 if (skip + hlen + rlen + padding + alen > maxpacketsize) {
762 DPRINTF(("esp_output: packet in SA %s/%08lx got too big "
763 "(len %u, max len %u)\n",
764 ipsec_address(&saidx->dst), (u_long) ntohl(sav->spi),
765 skip + hlen + rlen + padding + alen, maxpacketsize));
766 ESP_STATINC(ESP_STAT_TOOBIG);
767 error = EMSGSIZE;
768 goto bad;
769 }
770
771 /* Update the counters. */
772 ESP_STATADD(ESP_STAT_OUTPUT, m->m_pkthdr.len - skip);
773
774 m = m_clone(m);
775 if (m == NULL) {
776 DPRINTF(("esp_output: cannot clone mbuf chain, SA %s/%08lx\n",
777 ipsec_address(&saidx->dst), (u_long) ntohl(sav->spi)));
778 ESP_STATINC(ESP_STAT_HDROPS);
779 error = ENOBUFS;
780 goto bad;
781 }
782
783 /* Inject ESP header. */
784 mo = m_makespace(m, skip, hlen, &roff);
785 if (mo == NULL) {
786 DPRINTF(("esp_output: failed to inject %u byte ESP hdr for SA "
787 "%s/%08lx\n",
788 hlen, ipsec_address(&saidx->dst),
789 (u_long) ntohl(sav->spi)));
790 ESP_STATINC(ESP_STAT_HDROPS); /* XXX diffs from openbsd */
791 error = ENOBUFS;
792 goto bad;
793 }
794
795 /* Initialize ESP header. */
796 memcpy(mtod(mo, char *) + roff, &sav->spi, sizeof(u_int32_t));
797 if (sav->replay) {
798 u_int32_t replay;
799
800 #ifdef IPSEC_DEBUG
801 /* Emulate replay attack when ipsec_replay is TRUE. */
802 if (!ipsec_replay)
803 #endif
804 sav->replay->count++;
805
806 replay = htonl(sav->replay->count);
807 bcopy(&replay,
808 mtod(mo,char *) + roff + sizeof(u_int32_t),
809 sizeof(u_int32_t));
810 }
811
812 /*
813 * Add padding -- better to do it ourselves than use the crypto engine,
814 * although if/when we support compression, we'd have to do that.
815 */
816 pad = (u_char *) m_pad(m, padding + alen);
817 if (pad == NULL) {
818 DPRINTF(("esp_output: m_pad failed for SA %s/%08lx\n",
819 ipsec_address(&saidx->dst), (u_long) ntohl(sav->spi)));
820 m = NULL; /* NB: free'd by m_pad */
821 error = ENOBUFS;
822 goto bad;
823 }
824
825 /*
826 * Add padding: random, zero, or self-describing.
827 * XXX catch unexpected setting
828 */
829 switch (sav->flags & SADB_X_EXT_PMASK) {
830 case SADB_X_EXT_PRAND:
831 (void) read_random(pad, padding - 2);
832 break;
833 case SADB_X_EXT_PZERO:
834 memset(pad, 0, padding - 2);
835 break;
836 case SADB_X_EXT_PSEQ:
837 for (i = 0; i < padding - 2; i++)
838 pad[i] = i+1;
839 break;
840 }
841
842 /* Fix padding length and Next Protocol in padding itself. */
843 pad[padding - 2] = padding - 2;
844 m_copydata(m, protoff, sizeof(u_int8_t), pad + padding - 1);
845
846 /* Fix Next Protocol in IPv4/IPv6 header. */
847 prot = IPPROTO_ESP;
848 m_copyback(m, protoff, sizeof(u_int8_t), (u_char *) &prot);
849
850 /* Get crypto descriptors. */
851 crp = crypto_getreq(esph && espx ? 2 : 1);
852 if (crp == NULL) {
853 DPRINTF(("esp_output: failed to acquire crypto descriptors\n"));
854 ESP_STATINC(ESP_STAT_CRYPTO);
855 error = ENOBUFS;
856 goto bad;
857 }
858
859 if (espx) {
860 crde = crp->crp_desc;
861 crda = crde->crd_next;
862
863 /* Encryption descriptor. */
864 crde->crd_skip = skip + hlen;
865 crde->crd_len = m->m_pkthdr.len - (skip + hlen + alen);
866 crde->crd_flags = CRD_F_ENCRYPT;
867 crde->crd_inject = skip + hlen - sav->ivlen;
868
869 /* Encryption operation. */
870 crde->crd_alg = espx->type;
871 crde->crd_key = _KEYBUF(sav->key_enc);
872 crde->crd_klen = _KEYBITS(sav->key_enc);
873 /* XXX Rounds ? */
874 } else
875 crda = crp->crp_desc;
876
877 /* IPsec-specific opaque crypto info. */
878 tc = (struct tdb_crypto *) malloc(sizeof(struct tdb_crypto),
879 M_XDATA, M_NOWAIT|M_ZERO);
880 if (tc == NULL) {
881 crypto_freereq(crp);
882 DPRINTF(("esp_output: failed to allocate tdb_crypto\n"));
883 ESP_STATINC(ESP_STAT_CRYPTO);
884 error = ENOBUFS;
885 goto bad;
886 }
887
888 /* Callback parameters */
889 tc->tc_isr = isr;
890 tc->tc_spi = sav->spi;
891 tc->tc_dst = saidx->dst;
892 tc->tc_proto = saidx->proto;
893
894 /* Crypto operation descriptor. */
895 crp->crp_ilen = m->m_pkthdr.len; /* Total input length. */
896 crp->crp_flags = CRYPTO_F_IMBUF;
897 crp->crp_buf = m;
898 crp->crp_callback = esp_output_cb;
899 crp->crp_opaque = tc;
900 crp->crp_sid = sav->tdb_cryptoid;
901
902 if (esph) {
903 /* Authentication descriptor. */
904 crda->crd_skip = skip;
905 crda->crd_len = m->m_pkthdr.len - (skip + alen);
906 crda->crd_inject = m->m_pkthdr.len - alen;
907
908 /* Authentication operation. */
909 crda->crd_alg = esph->type;
910 crda->crd_key = _KEYBUF(sav->key_auth);
911 crda->crd_klen = _KEYBITS(sav->key_auth);
912 }
913
914 return crypto_dispatch(crp);
915 bad:
916 if (m)
917 m_freem(m);
918 return (error);
919 }
920
921 /*
922 * ESP output callback from the crypto driver.
923 */
924 static int
925 esp_output_cb(struct cryptop *crp)
926 {
927 struct tdb_crypto *tc;
928 struct ipsecrequest *isr;
929 struct secasvar *sav;
930 struct mbuf *m;
931 int s, err, error;
932
933 tc = (struct tdb_crypto *) crp->crp_opaque;
934 IPSEC_ASSERT(tc != NULL, ("esp_output_cb: null opaque data area!"));
935 m = (struct mbuf *) crp->crp_buf;
936
937 s = splsoftnet();
938
939 isr = tc->tc_isr;
940 sav = KEY_ALLOCSA(&tc->tc_dst, tc->tc_proto, tc->tc_spi, 0, 0);
941 if (sav == NULL) {
942 ESP_STATINC(ESP_STAT_NOTDB);
943 DPRINTF(("esp_output_cb: SA expired while in crypto "
944 "(SA %s/%08lx proto %u)\n", ipsec_address(&tc->tc_dst),
945 (u_long) ntohl(tc->tc_spi), tc->tc_proto));
946 error = ENOBUFS; /*XXX*/
947 goto bad;
948 }
949 IPSEC_ASSERT(isr->sav == sav,
950 ("esp_output_cb: SA changed was %p now %p\n", isr->sav, sav));
951
952 /* Check for crypto errors. */
953 if (crp->crp_etype) {
954 /* Reset session ID. */
955 if (sav->tdb_cryptoid != 0)
956 sav->tdb_cryptoid = crp->crp_sid;
957
958 if (crp->crp_etype == EAGAIN) {
959 KEY_FREESAV(&sav);
960 splx(s);
961 return crypto_dispatch(crp);
962 }
963
964 ESP_STATINC(ESP_STAT_NOXFORM);
965 DPRINTF(("esp_output_cb: crypto error %d\n", crp->crp_etype));
966 error = crp->crp_etype;
967 goto bad;
968 }
969
970 /* Shouldn't happen... */
971 if (m == NULL) {
972 ESP_STATINC(ESP_STAT_CRYPTO);
973 DPRINTF(("esp_output_cb: bogus returned buffer from crypto\n"));
974 error = EINVAL;
975 goto bad;
976 }
977 ESP_STATINC(ESP_STAT_HIST + sav->alg_enc);
978 if (sav->tdb_authalgxform != NULL)
979 AH_STATINC(sav->alg_auth + sav->alg_auth);
980
981 /* Release crypto descriptors. */
982 free(tc, M_XDATA);
983 crypto_freereq(crp);
984
985 #ifdef IPSEC_DEBUG
986 /* Emulate man-in-the-middle attack when ipsec_integrity is TRUE. */
987 if (ipsec_integrity) {
988 static unsigned char ipseczeroes[AH_HMAC_HASHLEN];
989 struct auth_hash *esph;
990
991 /*
992 * Corrupt HMAC if we want to test integrity verification of
993 * the other side.
994 */
995 esph = sav->tdb_authalgxform;
996 if (esph != NULL) {
997 m_copyback(m, m->m_pkthdr.len - AH_HMAC_HASHLEN,
998 AH_HMAC_HASHLEN, ipseczeroes);
999 }
1000 }
1001 #endif
1002
1003 /* NB: m is reclaimed by ipsec_process_done. */
1004 err = ipsec_process_done(m, isr);
1005 KEY_FREESAV(&sav);
1006 splx(s);
1007 return err;
1008 bad:
1009 if (sav)
1010 KEY_FREESAV(&sav);
1011 splx(s);
1012 if (m)
1013 m_freem(m);
1014 free(tc, M_XDATA);
1015 crypto_freereq(crp);
1016 return error;
1017 }
1018
1019 static struct xformsw esp_xformsw = {
1020 XF_ESP, XFT_CONF|XFT_AUTH, "IPsec ESP",
1021 esp_init, esp_zeroize, esp_input,
1022 esp_output,
1023 NULL,
1024 };
1025
1026 INITFN void
1027 esp_attach(void)
1028 {
1029
1030 espstat_percpu = percpu_alloc(sizeof(uint64_t) * ESP_NSTATS);
1031
1032 #define MAXIV(xform) \
1033 if (xform.blocksize > esp_max_ivlen) \
1034 esp_max_ivlen = xform.blocksize \
1035
1036 esp_max_ivlen = 0;
1037 MAXIV(enc_xform_des); /* SADB_EALG_DESCBC */
1038 MAXIV(enc_xform_3des); /* SADB_EALG_3DESCBC */
1039 MAXIV(enc_xform_rijndael128); /* SADB_X_EALG_AES */
1040 MAXIV(enc_xform_blf); /* SADB_X_EALG_BLOWFISHCBC */
1041 MAXIV(enc_xform_cast5); /* SADB_X_EALG_CAST128CBC */
1042 MAXIV(enc_xform_skipjack); /* SADB_X_EALG_SKIPJACK */
1043 MAXIV(enc_xform_null); /* SADB_EALG_NULL */
1044
1045 xform_register(&esp_xformsw);
1046 #undef MAXIV
1047 }
1048 #ifdef __FreeBSD__
1049 SYSINIT(esp_xform_init, SI_SUB_DRIVERS, SI_ORDER_FIRST, esp_attach, NULL)
1050 #else
1051 #endif
NetBSD on the FriendlyARM MINI2440