1 /* $FreeBSD: releng/5.3/sys/netinet6/ah_core.c 136588 2004-10-16 08:43:07Z cvs2svn $ */
2 /* $KAME: ah_core.c,v 1.59 2003/07/25 10:17:14 itojun Exp $ */
3
4 /*
5 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
6 * All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 * 3. Neither the name of the project nor the names of its contributors
17 * may be used to endorse or promote products derived from this software
18 * without specific prior written permission.
19 *
20 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
21 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
24 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
30 * SUCH DAMAGE.
31 */
32
33 /*
34 * RFC1826/2402 authentication header.
35 */
36
37 /* TODO: have shared routines for hmac-* algorithms */
38
39 #include "opt_inet.h"
40 #include "opt_inet6.h"
41 #include "opt_ipsec.h"
42
43 #include <sys/param.h>
44 #include <sys/systm.h>
45 #include <sys/malloc.h>
46 #include <sys/mbuf.h>
47 #include <sys/domain.h>
48 #include <sys/protosw.h>
49 #include <sys/socket.h>
50 #include <sys/socketvar.h>
51 #include <sys/errno.h>
52 #include <sys/time.h>
53 #include <sys/syslog.h>
54
55 #include <net/if.h>
56 #include <net/route.h>
57
58 #include <netinet/in.h>
59 #include <netinet/in_systm.h>
60 #include <netinet/ip.h>
61 #include <netinet/in_var.h>
62
63 #ifdef INET6
64 #include <netinet/ip6.h>
65 #include <netinet6/ip6_var.h>
66 #include <netinet/icmp6.h>
67 #endif
68
69 #include <netinet6/ipsec.h>
70 #ifdef INET6
71 #include <netinet6/ipsec6.h>
72 #endif
73 #include <netinet6/ah.h>
74 #ifdef INET6
75 #include <netinet6/ah6.h>
76 #endif
77 #include <netinet6/ah_aesxcbcmac.h>
78 #ifdef IPSEC_ESP
79 #include <netinet6/esp.h>
80 #ifdef INET6
81 #include <netinet6/esp6.h>
82 #endif
83 #endif
84 #include <net/pfkeyv2.h>
85 #include <netkey/keydb.h>
86 #include <sys/md5.h>
87 #define MD5_RESULTLEN 16
88 #include <crypto/sha1.h>
89 #include <crypto/sha2/sha2.h>
90 #include <opencrypto/rmd160.h>
91 #define RIPEMD160_RESULTLEN 20
92
93 #include <net/net_osdep.h>
94
95 static int ah_sumsiz_1216 __P((struct secasvar *));
96 static int ah_sumsiz_zero __P((struct secasvar *));
97 static int ah_common_mature __P((struct secasvar *));
98 static int ah_none_mature __P((struct secasvar *));
99 static int ah_none_init __P((struct ah_algorithm_state *, struct secasvar *));
100 static void ah_none_loop __P((struct ah_algorithm_state *, u_int8_t *, size_t));
101 static void ah_none_result __P((struct ah_algorithm_state *,
102 u_int8_t *, size_t));
103 static int ah_keyed_md5_mature __P((struct secasvar *));
104 static int ah_keyed_md5_init __P((struct ah_algorithm_state *,
105 struct secasvar *));
106 static void ah_keyed_md5_loop __P((struct ah_algorithm_state *, u_int8_t *,
107 size_t));
108 static void ah_keyed_md5_result __P((struct ah_algorithm_state *,
109 u_int8_t *, size_t));
110 static int ah_keyed_sha1_init __P((struct ah_algorithm_state *,
111 struct secasvar *));
112 static void ah_keyed_sha1_loop __P((struct ah_algorithm_state *, u_int8_t *,
113 size_t));
114 static void ah_keyed_sha1_result __P((struct ah_algorithm_state *, u_int8_t *,
115 size_t));
116 static int ah_hmac_md5_init __P((struct ah_algorithm_state *,
117 struct secasvar *));
118 static void ah_hmac_md5_loop __P((struct ah_algorithm_state *, u_int8_t *,
119 size_t));
120 static void ah_hmac_md5_result __P((struct ah_algorithm_state *,
121 u_int8_t *, size_t));
122 static int ah_hmac_sha1_init __P((struct ah_algorithm_state *,
123 struct secasvar *));
124 static void ah_hmac_sha1_loop __P((struct ah_algorithm_state *, u_int8_t *,
125 size_t));
126 static void ah_hmac_sha1_result __P((struct ah_algorithm_state *,
127 u_int8_t *, size_t));
128 static int ah_hmac_sha2_256_init __P((struct ah_algorithm_state *,
129 struct secasvar *));
130 static void ah_hmac_sha2_256_loop __P((struct ah_algorithm_state *, u_int8_t *,
131 size_t));
132 static void ah_hmac_sha2_256_result __P((struct ah_algorithm_state *,
133 u_int8_t *, size_t));
134 static int ah_hmac_sha2_384_init __P((struct ah_algorithm_state *,
135 struct secasvar *));
136 static void ah_hmac_sha2_384_loop __P((struct ah_algorithm_state *, u_int8_t *,
137 size_t));
138 static void ah_hmac_sha2_384_result __P((struct ah_algorithm_state *,
139 u_int8_t *, size_t));
140 static int ah_hmac_sha2_512_init __P((struct ah_algorithm_state *,
141 struct secasvar *));
142 static void ah_hmac_sha2_512_loop __P((struct ah_algorithm_state *, u_int8_t *,
143 size_t));
144 static void ah_hmac_sha2_512_result __P((struct ah_algorithm_state *,
145 u_int8_t *, size_t));
146 static int ah_hmac_ripemd160_init __P((struct ah_algorithm_state *,
147 struct secasvar *));
148 static void ah_hmac_ripemd160_loop __P((struct ah_algorithm_state *, u_int8_t *,
149 size_t));
150 static void ah_hmac_ripemd160_result __P((struct ah_algorithm_state *,
151 u_int8_t *, size_t));
152
153 static void ah_update_mbuf __P((struct mbuf *, int, int,
154 const struct ah_algorithm *, struct ah_algorithm_state *));
155
156 /* checksum algorithms */
157 static const struct ah_algorithm ah_algorithms[] = {
158 { ah_sumsiz_1216, ah_common_mature, 128, 128, "hmac-md5",
159 ah_hmac_md5_init, ah_hmac_md5_loop,
160 ah_hmac_md5_result, },
161 { ah_sumsiz_1216, ah_common_mature, 160, 160, "hmac-sha1",
162 ah_hmac_sha1_init, ah_hmac_sha1_loop,
163 ah_hmac_sha1_result, },
164 { ah_sumsiz_1216, ah_keyed_md5_mature, 128, 128, "keyed-md5",
165 ah_keyed_md5_init, ah_keyed_md5_loop,
166 ah_keyed_md5_result, },
167 { ah_sumsiz_1216, ah_common_mature, 160, 160, "keyed-sha1",
168 ah_keyed_sha1_init, ah_keyed_sha1_loop,
169 ah_keyed_sha1_result, },
170 { ah_sumsiz_zero, ah_none_mature, 0, 2048, "none",
171 ah_none_init, ah_none_loop, ah_none_result, },
172 { ah_sumsiz_1216, ah_common_mature, 256, 256,
173 "hmac-sha2-256",
174 ah_hmac_sha2_256_init, ah_hmac_sha2_256_loop,
175 ah_hmac_sha2_256_result, },
176 { ah_sumsiz_1216, ah_common_mature, 384, 384,
177 "hmac-sha2-384",
178 ah_hmac_sha2_384_init, ah_hmac_sha2_384_loop,
179 ah_hmac_sha2_384_result, },
180 { ah_sumsiz_1216, ah_common_mature, 512, 512,
181 "hmac-sha2-512",
182 ah_hmac_sha2_512_init, ah_hmac_sha2_512_loop,
183 ah_hmac_sha2_512_result, },
184 { ah_sumsiz_1216, ah_common_mature, 160, 160,
185 "hmac-ripemd160",
186 ah_hmac_ripemd160_init, ah_hmac_ripemd160_loop,
187 ah_hmac_ripemd160_result, },
188 { ah_sumsiz_1216, ah_common_mature, 128, 128,
189 "aes-xcbc-mac",
190 ah_aes_xcbc_mac_init, ah_aes_xcbc_mac_loop,
191 ah_aes_xcbc_mac_result, },
192 };
193
194 const struct ah_algorithm *
195 ah_algorithm_lookup(idx)
196 int idx;
197 {
198
199 switch (idx) {
200 case SADB_AALG_MD5HMAC:
201 return &ah_algorithms[0];
202 case SADB_AALG_SHA1HMAC:
203 return &ah_algorithms[1];
204 case SADB_X_AALG_MD5:
205 return &ah_algorithms[2];
206 case SADB_X_AALG_SHA:
207 return &ah_algorithms[3];
208 case SADB_X_AALG_NULL:
209 return &ah_algorithms[4];
210 case SADB_X_AALG_SHA2_256:
211 return &ah_algorithms[5];
212 case SADB_X_AALG_SHA2_384:
213 return &ah_algorithms[6];
214 case SADB_X_AALG_SHA2_512:
215 return &ah_algorithms[7];
216 case SADB_X_AALG_RIPEMD160HMAC:
217 return &ah_algorithms[8];
218 case SADB_X_AALG_AES_XCBC_MAC:
219 return &ah_algorithms[9];
220 default:
221 return NULL;
222 }
223 }
224
225
226 static int
227 ah_sumsiz_1216(sav)
228 struct secasvar *sav;
229 {
230 if (!sav)
231 panic("ah_sumsiz_1216: null pointer is passed");
232 if (sav->flags & SADB_X_EXT_OLD)
233 return 16;
234 else
235 return 12;
236 }
237
238 static int
239 ah_sumsiz_zero(sav)
240 struct secasvar *sav;
241 {
242 if (!sav)
243 panic("ah_sumsiz_zero: null pointer is passed");
244 return 0;
245 }
246
247 static int
248 ah_common_mature(sav)
249 struct secasvar *sav;
250 {
251 const struct ah_algorithm *algo;
252
253 if (!sav->key_auth) {
254 ipseclog((LOG_ERR, "ah_common_mature: no key is given.\n"));
255 return 1;
256 }
257
258 algo = ah_algorithm_lookup(sav->alg_auth);
259 if (!algo) {
260 ipseclog((LOG_ERR, "ah_common_mature: unsupported algorithm.\n"));
261 return 1;
262 }
263
264 if (sav->key_auth->sadb_key_bits < algo->keymin ||
265 algo->keymax < sav->key_auth->sadb_key_bits) {
266 ipseclog((LOG_ERR,
267 "ah_common_mature: invalid key length %d for %s.\n",
268 sav->key_auth->sadb_key_bits, algo->name));
269 return 1;
270 }
271
272 return 0;
273 }
274
275 static int
276 ah_none_mature(sav)
277 struct secasvar *sav;
278 {
279 if (sav->sah->saidx.proto == IPPROTO_AH) {
280 ipseclog((LOG_ERR,
281 "ah_none_mature: protocol and algorithm mismatch.\n"));
282 return 1;
283 }
284 return 0;
285 }
286
287 static int
288 ah_none_init(state, sav)
289 struct ah_algorithm_state *state;
290 struct secasvar *sav;
291 {
292 state->foo = NULL;
293 return 0;
294 }
295
296 static void
297 ah_none_loop(state, addr, len)
298 struct ah_algorithm_state *state;
299 u_int8_t * addr;
300 size_t len;
301 {
302 }
303
304 static void
305 ah_none_result(state, addr, l)
306 struct ah_algorithm_state *state;
307 u_int8_t *addr;
308 size_t l;
309 {
310 }
311
312 static int
313 ah_keyed_md5_mature(sav)
314 struct secasvar *sav;
315 {
316 /* anything is okay */
317 return 0;
318 }
319
320 static int
321 ah_keyed_md5_init(state, sav)
322 struct ah_algorithm_state *state;
323 struct secasvar *sav;
324 {
325 size_t padlen;
326 size_t keybitlen;
327 u_int8_t buf[32];
328
329 if (!state)
330 panic("ah_keyed_md5_init: what?");
331
332 state->sav = sav;
333 state->foo = (void *)malloc(sizeof(MD5_CTX), M_TEMP, M_NOWAIT);
334 if (state->foo == NULL)
335 return ENOBUFS;
336
337 MD5Init((MD5_CTX *)state->foo);
338 if (state->sav) {
339 MD5Update((MD5_CTX *)state->foo,
340 (u_int8_t *)_KEYBUF(state->sav->key_auth),
341 (u_int)_KEYLEN(state->sav->key_auth));
342
343 /*
344 * Pad after the key.
345 * We cannot simply use md5_pad() since the function
346 * won't update the total length.
347 */
348 if (_KEYLEN(state->sav->key_auth) < 56)
349 padlen = 64 - 8 - _KEYLEN(state->sav->key_auth);
350 else
351 padlen = 64 + 64 - 8 - _KEYLEN(state->sav->key_auth);
352 keybitlen = _KEYLEN(state->sav->key_auth);
353 keybitlen *= 8;
354
355 buf[0] = 0x80;
356 MD5Update((MD5_CTX *)state->foo, &buf[0], 1);
357 padlen--;
358
359 bzero(buf, sizeof(buf));
360 while (sizeof(buf) < padlen) {
361 MD5Update((MD5_CTX *)state->foo, &buf[0], sizeof(buf));
362 padlen -= sizeof(buf);
363 }
364 if (padlen) {
365 MD5Update((MD5_CTX *)state->foo, &buf[0], padlen);
366 }
367
368 buf[0] = (keybitlen >> 0) & 0xff;
369 buf[1] = (keybitlen >> 8) & 0xff;
370 buf[2] = (keybitlen >> 16) & 0xff;
371 buf[3] = (keybitlen >> 24) & 0xff;
372 MD5Update((MD5_CTX *)state->foo, buf, 8);
373 }
374
375 return 0;
376 }
377
378 static void
379 ah_keyed_md5_loop(state, addr, len)
380 struct ah_algorithm_state *state;
381 u_int8_t * addr;
382 size_t len;
383 {
384 if (!state)
385 panic("ah_keyed_md5_loop: what?");
386
387 MD5Update((MD5_CTX *)state->foo, addr, len);
388 }
389
390 static void
391 ah_keyed_md5_result(state, addr, l)
392 struct ah_algorithm_state *state;
393 u_int8_t *addr;
394 size_t l;
395 {
396 u_char digest[MD5_RESULTLEN];
397
398 if (!state)
399 panic("ah_keyed_md5_result: what?");
400
401 if (state->sav) {
402 MD5Update((MD5_CTX *)state->foo,
403 (u_int8_t *)_KEYBUF(state->sav->key_auth),
404 (u_int)_KEYLEN(state->sav->key_auth));
405 }
406 MD5Final(digest, (MD5_CTX *)state->foo);
407 free(state->foo, M_TEMP);
408 bcopy(digest, addr, sizeof(digest) > l ? l : sizeof(digest));
409 }
410
411 static int
412 ah_keyed_sha1_init(state, sav)
413 struct ah_algorithm_state *state;
414 struct secasvar *sav;
415 {
416 SHA1_CTX *ctxt;
417 size_t padlen;
418 size_t keybitlen;
419 u_int8_t buf[32];
420
421 if (!state)
422 panic("ah_keyed_sha1_init: what?");
423
424 state->sav = sav;
425 state->foo = (void *)malloc(sizeof(SHA1_CTX), M_TEMP, M_NOWAIT);
426 if (!state->foo)
427 return ENOBUFS;
428
429 ctxt = (SHA1_CTX *)state->foo;
430 SHA1Init(ctxt);
431
432 if (state->sav) {
433 SHA1Update(ctxt, (u_int8_t *)_KEYBUF(state->sav->key_auth),
434 (u_int)_KEYLEN(state->sav->key_auth));
435
436 /*
437 * Pad after the key.
438 */
439 if (_KEYLEN(state->sav->key_auth) < 56)
440 padlen = 64 - 8 - _KEYLEN(state->sav->key_auth);
441 else
442 padlen = 64 + 64 - 8 - _KEYLEN(state->sav->key_auth);
443 keybitlen = _KEYLEN(state->sav->key_auth);
444 keybitlen *= 8;
445
446 buf[0] = 0x80;
447 SHA1Update(ctxt, &buf[0], 1);
448 padlen--;
449
450 bzero(buf, sizeof(buf));
451 while (sizeof(buf) < padlen) {
452 SHA1Update(ctxt, &buf[0], sizeof(buf));
453 padlen -= sizeof(buf);
454 }
455 if (padlen) {
456 SHA1Update(ctxt, &buf[0], padlen);
457 }
458
459 buf[0] = (keybitlen >> 0) & 0xff;
460 buf[1] = (keybitlen >> 8) & 0xff;
461 buf[2] = (keybitlen >> 16) & 0xff;
462 buf[3] = (keybitlen >> 24) & 0xff;
463 SHA1Update(ctxt, buf, 8);
464 }
465
466 return 0;
467 }
468
469 static void
470 ah_keyed_sha1_loop(state, addr, len)
471 struct ah_algorithm_state *state;
472 u_int8_t * addr;
473 size_t len;
474 {
475 SHA1_CTX *ctxt;
476
477 if (!state || !state->foo)
478 panic("ah_keyed_sha1_loop: what?");
479 ctxt = (SHA1_CTX *)state->foo;
480
481 SHA1Update(ctxt, (u_int8_t *)addr, (size_t)len);
482 }
483
484 static void
485 ah_keyed_sha1_result(state, addr, l)
486 struct ah_algorithm_state *state;
487 u_int8_t *addr;
488 size_t l;
489 {
490 u_char digest[SHA1_RESULTLEN]; /* SHA-1 generates 160 bits */
491 SHA1_CTX *ctxt;
492
493 if (!state || !state->foo)
494 panic("ah_keyed_sha1_result: what?");
495 ctxt = (SHA1_CTX *)state->foo;
496
497 if (state->sav) {
498 SHA1Update(ctxt, (u_int8_t *)_KEYBUF(state->sav->key_auth),
499 (u_int)_KEYLEN(state->sav->key_auth));
500 }
501 SHA1Final((u_int8_t *)digest, ctxt);
502 bcopy(digest, addr, sizeof(digest) > l ? l : sizeof(digest));
503
504 free(state->foo, M_TEMP);
505 }
506
507 static int
508 ah_hmac_md5_init(state, sav)
509 struct ah_algorithm_state *state;
510 struct secasvar *sav;
511 {
512 u_char *ipad;
513 u_char *opad;
514 u_char tk[MD5_RESULTLEN];
515 u_char *key;
516 size_t keylen;
517 size_t i;
518 MD5_CTX *ctxt;
519
520 if (!state)
521 panic("ah_hmac_md5_init: what?");
522
523 state->sav = sav;
524 state->foo = (void *)malloc(64 + 64 + sizeof(MD5_CTX), M_TEMP, M_NOWAIT);
525 if (!state->foo)
526 return ENOBUFS;
527
528 ipad = (u_char *)state->foo;
529 opad = (u_char *)(ipad + 64);
530 ctxt = (MD5_CTX *)(opad + 64);
531
532 /* compress the key if necessery */
533 if (64 < _KEYLEN(state->sav->key_auth)) {
534 MD5Init(ctxt);
535 MD5Update(ctxt, _KEYBUF(state->sav->key_auth),
536 _KEYLEN(state->sav->key_auth));
537 MD5Final(&tk[0], ctxt);
538 key = &tk[0];
539 keylen = 16;
540 } else {
541 key = _KEYBUF(state->sav->key_auth);
542 keylen = _KEYLEN(state->sav->key_auth);
543 }
544
545 bzero(ipad, 64);
546 bzero(opad, 64);
547 bcopy(key, ipad, keylen);
548 bcopy(key, opad, keylen);
549 for (i = 0; i < 64; i++) {
550 ipad[i] ^= 0x36;
551 opad[i] ^= 0x5c;
552 }
553
554 MD5Init(ctxt);
555 MD5Update(ctxt, ipad, 64);
556
557 return 0;
558 }
559
560 static void
561 ah_hmac_md5_loop(state, addr, len)
562 struct ah_algorithm_state *state;
563 u_int8_t * addr;
564 size_t len;
565 {
566 MD5_CTX *ctxt;
567
568 if (!state || !state->foo)
569 panic("ah_hmac_md5_loop: what?");
570 ctxt = (MD5_CTX *)(((u_int8_t *)state->foo) + 128);
571 MD5Update(ctxt, addr, len);
572 }
573
574 static void
575 ah_hmac_md5_result(state, addr, l)
576 struct ah_algorithm_state *state;
577 u_int8_t *addr;
578 size_t l;
579 {
580 u_char digest[MD5_RESULTLEN];
581 u_char *ipad;
582 u_char *opad;
583 MD5_CTX *ctxt;
584
585 if (!state || !state->foo)
586 panic("ah_hmac_md5_result: what?");
587
588 ipad = (u_char *)state->foo;
589 opad = (u_char *)(ipad + 64);
590 ctxt = (MD5_CTX *)(opad + 64);
591
592 MD5Final(digest, ctxt);
593
594 MD5Init(ctxt);
595 MD5Update(ctxt, opad, 64);
596 MD5Update(ctxt, digest, sizeof(digest));
597 MD5Final(digest, ctxt);
598
599 bcopy(digest, addr, sizeof(digest) > l ? l : sizeof(digest));
600
601 free(state->foo, M_TEMP);
602 }
603
604 static int
605 ah_hmac_sha1_init(state, sav)
606 struct ah_algorithm_state *state;
607 struct secasvar *sav;
608 {
609 u_char *ipad;
610 u_char *opad;
611 SHA1_CTX *ctxt;
612 u_char tk[SHA1_RESULTLEN]; /* SHA-1 generates 160 bits */
613 u_char *key;
614 size_t keylen;
615 size_t i;
616
617 if (!state)
618 panic("ah_hmac_sha1_init: what?");
619
620 state->sav = sav;
621 state->foo = (void *)malloc(64 + 64 + sizeof(SHA1_CTX),
622 M_TEMP, M_NOWAIT);
623 if (!state->foo)
624 return ENOBUFS;
625
626 ipad = (u_char *)state->foo;
627 opad = (u_char *)(ipad + 64);
628 ctxt = (SHA1_CTX *)(opad + 64);
629
630 /* compress the key if necessery */
631 if (64 < _KEYLEN(state->sav->key_auth)) {
632 SHA1Init(ctxt);
633 SHA1Update(ctxt, _KEYBUF(state->sav->key_auth),
634 _KEYLEN(state->sav->key_auth));
635 SHA1Final(&tk[0], ctxt);
636 key = &tk[0];
637 keylen = SHA1_RESULTLEN;
638 } else {
639 key = _KEYBUF(state->sav->key_auth);
640 keylen = _KEYLEN(state->sav->key_auth);
641 }
642
643 bzero(ipad, 64);
644 bzero(opad, 64);
645 bcopy(key, ipad, keylen);
646 bcopy(key, opad, keylen);
647 for (i = 0; i < 64; i++) {
648 ipad[i] ^= 0x36;
649 opad[i] ^= 0x5c;
650 }
651
652 SHA1Init(ctxt);
653 SHA1Update(ctxt, ipad, 64);
654
655 return 0;
656 }
657
658 static void
659 ah_hmac_sha1_loop(state, addr, len)
660 struct ah_algorithm_state *state;
661 u_int8_t * addr;
662 size_t len;
663 {
664 SHA1_CTX *ctxt;
665
666 if (!state || !state->foo)
667 panic("ah_hmac_sha1_loop: what?");
668
669 ctxt = (SHA1_CTX *)(((u_char *)state->foo) + 128);
670 SHA1Update(ctxt, (u_int8_t *)addr, (size_t)len);
671 }
672
673 static void
674 ah_hmac_sha1_result(state, addr, l)
675 struct ah_algorithm_state *state;
676 u_int8_t *addr;
677 size_t l;
678 {
679 u_char digest[SHA1_RESULTLEN]; /* SHA-1 generates 160 bits */
680 u_char *ipad;
681 u_char *opad;
682 SHA1_CTX *ctxt;
683
684 if (!state || !state->foo)
685 panic("ah_hmac_sha1_result: what?");
686
687 ipad = (u_char *)state->foo;
688 opad = (u_char *)(ipad + 64);
689 ctxt = (SHA1_CTX *)(opad + 64);
690
691 SHA1Final((u_int8_t *)digest, ctxt);
692
693 SHA1Init(ctxt);
694 SHA1Update(ctxt, opad, 64);
695 SHA1Update(ctxt, (u_int8_t *)digest, sizeof(digest));
696 SHA1Final((u_int8_t *)digest, ctxt);
697
698 bcopy(digest, addr, sizeof(digest) > l ? l : sizeof(digest));
699
700 free(state->foo, M_TEMP);
701 }
702
703 static int
704 ah_hmac_sha2_256_init(state, sav)
705 struct ah_algorithm_state *state;
706 struct secasvar *sav;
707 {
708 u_char *ipad;
709 u_char *opad;
710 SHA256_CTX *ctxt;
711 u_char tk[SHA256_DIGEST_LENGTH];
712 u_char *key;
713 size_t keylen;
714 size_t i;
715
716 if (!state)
717 panic("ah_hmac_sha2_256_init: what?");
718
719 state->sav = sav;
720 state->foo = (void *)malloc(64 + 64 + sizeof(SHA256_CTX),
721 M_TEMP, M_NOWAIT);
722 if (!state->foo)
723 return ENOBUFS;
724
725 ipad = (u_char *)state->foo;
726 opad = (u_char *)(ipad + 64);
727 ctxt = (SHA256_CTX *)(opad + 64);
728
729 /* compress the key if necessery */
730 if (64 < _KEYLEN(state->sav->key_auth)) {
731 bzero(tk, sizeof(tk));
732 bzero(ctxt, sizeof(*ctxt));
733 SHA256_Init(ctxt);
734 SHA256_Update(ctxt, _KEYBUF(state->sav->key_auth),
735 _KEYLEN(state->sav->key_auth));
736 SHA256_Final(&tk[0], ctxt);
737 key = &tk[0];
738 keylen = sizeof(tk) < 64 ? sizeof(tk) : 64;
739 } else {
740 key = _KEYBUF(state->sav->key_auth);
741 keylen = _KEYLEN(state->sav->key_auth);
742 }
743
744 bzero(ipad, 64);
745 bzero(opad, 64);
746 bcopy(key, ipad, keylen);
747 bcopy(key, opad, keylen);
748 for (i = 0; i < 64; i++) {
749 ipad[i] ^= 0x36;
750 opad[i] ^= 0x5c;
751 }
752
753 bzero(ctxt, sizeof(*ctxt));
754 SHA256_Init(ctxt);
755 SHA256_Update(ctxt, ipad, 64);
756
757 return 0;
758 }
759
760 static void
761 ah_hmac_sha2_256_loop(state, addr, len)
762 struct ah_algorithm_state *state;
763 u_int8_t *addr;
764 size_t len;
765 {
766 SHA256_CTX *ctxt;
767
768 if (!state || !state->foo)
769 panic("ah_hmac_sha2_256_loop: what?");
770
771 ctxt = (SHA256_CTX *)(((u_char *)state->foo) + 128);
772 SHA256_Update(ctxt, (caddr_t)addr, (size_t)len);
773 }
774
775 static void
776 ah_hmac_sha2_256_result(state, addr, l)
777 struct ah_algorithm_state *state;
778 u_int8_t *addr;
779 size_t l;
780 {
781 u_char digest[SHA256_DIGEST_LENGTH];
782 u_char *ipad;
783 u_char *opad;
784 SHA256_CTX *ctxt;
785
786 if (!state || !state->foo)
787 panic("ah_hmac_sha2_256_result: what?");
788
789 ipad = (u_char *)state->foo;
790 opad = (u_char *)(ipad + 64);
791 ctxt = (SHA256_CTX *)(opad + 64);
792
793 SHA256_Final((caddr_t)digest, ctxt);
794
795 bzero(ctxt, sizeof(*ctxt));
796 SHA256_Init(ctxt);
797 SHA256_Update(ctxt, opad, 64);
798 SHA256_Update(ctxt, (caddr_t)digest, sizeof(digest));
799 SHA256_Final((caddr_t)digest, ctxt);
800
801 bcopy(digest, addr, sizeof(digest) > l ? l : sizeof(digest));
802
803 free(state->foo, M_TEMP);
804 }
805
806 static int
807 ah_hmac_sha2_384_init(state, sav)
808 struct ah_algorithm_state *state;
809 struct secasvar *sav;
810 {
811 u_char *ipad;
812 u_char *opad;
813 SHA384_CTX *ctxt;
814 u_char tk[SHA384_DIGEST_LENGTH];
815 u_char *key;
816 size_t keylen;
817 size_t i;
818
819 if (!state)
820 panic("ah_hmac_sha2_384_init: what?");
821
822 state->sav = sav;
823 state->foo = (void *)malloc(64 + 64 + sizeof(SHA384_CTX),
824 M_TEMP, M_NOWAIT);
825 if (!state->foo)
826 return ENOBUFS;
827 bzero(state->foo, 64 + 64 + sizeof(SHA384_CTX));
828
829 ipad = (u_char *)state->foo;
830 opad = (u_char *)(ipad + 64);
831 ctxt = (SHA384_CTX *)(opad + 64);
832
833 /* compress the key if necessery */
834 if (64 < _KEYLEN(state->sav->key_auth)) {
835 bzero(tk, sizeof(tk));
836 bzero(ctxt, sizeof(*ctxt));
837 SHA384_Init(ctxt);
838 SHA384_Update(ctxt, _KEYBUF(state->sav->key_auth),
839 _KEYLEN(state->sav->key_auth));
840 SHA384_Final(&tk[0], ctxt);
841 key = &tk[0];
842 keylen = sizeof(tk) < 64 ? sizeof(tk) : 64;
843 } else {
844 key = _KEYBUF(state->sav->key_auth);
845 keylen = _KEYLEN(state->sav->key_auth);
846 }
847
848 bzero(ipad, 64);
849 bzero(opad, 64);
850 bcopy(key, ipad, keylen);
851 bcopy(key, opad, keylen);
852 for (i = 0; i < 64; i++) {
853 ipad[i] ^= 0x36;
854 opad[i] ^= 0x5c;
855 }
856
857 bzero(ctxt, sizeof(*ctxt));
858 SHA384_Init(ctxt);
859 SHA384_Update(ctxt, ipad, 64);
860
861 return 0;
862 }
863
864 static void
865 ah_hmac_sha2_384_loop(state, addr, len)
866 struct ah_algorithm_state *state;
867 u_int8_t *addr;
868 size_t len;
869 {
870 SHA384_CTX *ctxt;
871
872 if (!state || !state->foo)
873 panic("ah_hmac_sha2_384_loop: what?");
874
875 ctxt = (SHA384_CTX *)(((u_char *)state->foo) + 128);
876 SHA384_Update(ctxt, (caddr_t)addr, (size_t)len);
877 }
878
879 static void
880 ah_hmac_sha2_384_result(state, addr, l)
881 struct ah_algorithm_state *state;
882 u_int8_t *addr;
883 size_t l;
884 {
885 u_char digest[SHA384_DIGEST_LENGTH];
886 u_char *ipad;
887 u_char *opad;
888 SHA384_CTX *ctxt;
889
890 if (!state || !state->foo)
891 panic("ah_hmac_sha2_384_result: what?");
892
893 ipad = (u_char *)state->foo;
894 opad = (u_char *)(ipad + 64);
895 ctxt = (SHA384_CTX *)(opad + 64);
896
897 SHA384_Final((caddr_t)digest, ctxt);
898
899 bzero(ctxt, sizeof(*ctxt));
900 SHA384_Init(ctxt);
901 SHA384_Update(ctxt, opad, 64);
902 SHA384_Update(ctxt, (caddr_t)digest, sizeof(digest));
903 SHA384_Final((caddr_t)digest, ctxt);
904
905 bcopy(digest, addr, sizeof(digest) > l ? l : sizeof(digest));
906
907 free(state->foo, M_TEMP);
908 }
909
910 static int
911 ah_hmac_sha2_512_init(state, sav)
912 struct ah_algorithm_state *state;
913 struct secasvar *sav;
914 {
915 u_char *ipad;
916 u_char *opad;
917 SHA512_CTX *ctxt;
918 u_char tk[SHA512_DIGEST_LENGTH];
919 u_char *key;
920 size_t keylen;
921 size_t i;
922
923 if (!state)
924 panic("ah_hmac_sha2_512_init: what?");
925
926 state->sav = sav;
927 state->foo = (void *)malloc(64 + 64 + sizeof(SHA512_CTX),
928 M_TEMP, M_NOWAIT);
929 if (!state->foo)
930 return ENOBUFS;
931 bzero(state->foo, 64 + 64 + sizeof(SHA512_CTX));
932
933 ipad = (u_char *)state->foo;
934 opad = (u_char *)(ipad + 64);
935 ctxt = (SHA512_CTX *)(opad + 64);
936
937 /* compress the key if necessery */
938 if (64 < _KEYLEN(state->sav->key_auth)) {
939 bzero(tk, sizeof(tk));
940 bzero(ctxt, sizeof(*ctxt));
941 SHA512_Init(ctxt);
942 SHA512_Update(ctxt, _KEYBUF(state->sav->key_auth),
943 _KEYLEN(state->sav->key_auth));
944 SHA512_Final(&tk[0], ctxt);
945 key = &tk[0];
946 keylen = sizeof(tk) < 64 ? sizeof(tk) : 64;
947 } else {
948 key = _KEYBUF(state->sav->key_auth);
949 keylen = _KEYLEN(state->sav->key_auth);
950 }
951
952 bzero(ipad, 64);
953 bzero(opad, 64);
954 bcopy(key, ipad, keylen);
955 bcopy(key, opad, keylen);
956 for (i = 0; i < 64; i++) {
957 ipad[i] ^= 0x36;
958 opad[i] ^= 0x5c;
959 }
960
961 bzero(ctxt, sizeof(*ctxt));
962 SHA512_Init(ctxt);
963 SHA512_Update(ctxt, ipad, 64);
964
965 return 0;
966 }
967
968 static void
969 ah_hmac_sha2_512_loop(state, addr, len)
970 struct ah_algorithm_state *state;
971 u_int8_t *addr;
972 size_t len;
973 {
974 SHA512_CTX *ctxt;
975
976 if (!state || !state->foo)
977 panic("ah_hmac_sha2_512_loop: what?");
978
979 ctxt = (SHA512_CTX *)(((u_char *)state->foo) + 128);
980 SHA512_Update(ctxt, (caddr_t)addr, (size_t)len);
981 }
982
983 static void
984 ah_hmac_sha2_512_result(state, addr, l)
985 struct ah_algorithm_state *state;
986 u_int8_t *addr;
987 size_t l;
988 {
989 u_char digest[SHA512_DIGEST_LENGTH];
990 u_char *ipad;
991 u_char *opad;
992 SHA512_CTX *ctxt;
993
994 if (!state || !state->foo)
995 panic("ah_hmac_sha2_512_result: what?");
996
997 ipad = (u_char *)state->foo;
998 opad = (u_char *)(ipad + 64);
999 ctxt = (SHA512_CTX *)(opad + 64);
1000
1001 SHA512_Final((caddr_t)digest, ctxt);
1002
1003 bzero(ctxt, sizeof(*ctxt));
1004 SHA512_Init(ctxt);
1005 SHA512_Update(ctxt, opad, 64);
1006 SHA512_Update(ctxt, (caddr_t)digest, sizeof(digest));
1007 SHA512_Final((caddr_t)digest, ctxt);
1008
1009 bcopy(digest, addr, sizeof(digest) > l ? l : sizeof(digest));
1010
1011 free(state->foo, M_TEMP);
1012 }
1013
1014 static int
1015 ah_hmac_ripemd160_init(state, sav)
1016 struct ah_algorithm_state *state;
1017 struct secasvar *sav;
1018 {
1019 u_char *ipad;
1020 u_char *opad;
1021 RMD160_CTX *ctxt;
1022 u_char tk[RIPEMD160_RESULTLEN];
1023 u_char *key;
1024 size_t keylen;
1025 size_t i;
1026
1027 if (!state)
1028 panic("ah_hmac_ripemd160_init: what?");
1029
1030 state->sav = sav;
1031 state->foo = (void *)malloc(64 + 64 + sizeof(RMD160_CTX),
1032 M_TEMP, M_NOWAIT);
1033 if (!state->foo)
1034 return ENOBUFS;
1035 bzero(state->foo, 64 + 64 + sizeof(RMD160_CTX));
1036
1037 ipad = (u_char *)state->foo;
1038 opad = (u_char *)(ipad + 64);
1039 ctxt = (RMD160_CTX *)(opad + 64);
1040
1041 /* compress the key if necessery */
1042 if (64 < _KEYLEN(state->sav->key_auth)) {
1043 bzero(tk, sizeof(tk));
1044 bzero(ctxt, sizeof(*ctxt));
1045 RMD160Init(ctxt);
1046 RMD160Update(ctxt, _KEYBUF(state->sav->key_auth),
1047 _KEYLEN(state->sav->key_auth));
1048 RMD160Final(&tk[0], ctxt);
1049 key = &tk[0];
1050 keylen = sizeof(tk) < 64 ? sizeof(tk) : 64;
1051 } else {
1052 key = _KEYBUF(state->sav->key_auth);
1053 keylen = _KEYLEN(state->sav->key_auth);
1054 }
1055
1056 bzero(ipad, 64);
1057 bzero(opad, 64);
1058 bcopy(key, ipad, keylen);
1059 bcopy(key, opad, keylen);
1060 for (i = 0; i < 64; i++) {
1061 ipad[i] ^= 0x36;
1062 opad[i] ^= 0x5c;
1063 }
1064
1065 bzero(ctxt, sizeof(*ctxt));
1066 RMD160Init(ctxt);
1067 RMD160Update(ctxt, ipad, 64);
1068
1069 return 0;
1070 }
1071
1072 static void
1073 ah_hmac_ripemd160_loop(state, addr, len)
1074 struct ah_algorithm_state *state;
1075 u_int8_t *addr;
1076 size_t len;
1077 {
1078 RMD160_CTX *ctxt;
1079
1080 if (!state || !state->foo)
1081 panic("ah_hmac_ripemd160_loop: what?");
1082
1083 ctxt = (RMD160_CTX *)(((u_char *)state->foo) + 128);
1084 RMD160Update(ctxt, (caddr_t)addr, (size_t)len);
1085 }
1086
1087 static void
1088 ah_hmac_ripemd160_result(state, addr, l)
1089 struct ah_algorithm_state *state;
1090 u_int8_t *addr;
1091 size_t l;
1092 {
1093 u_char digest[RIPEMD160_RESULTLEN];
1094 u_char *ipad;
1095 u_char *opad;
1096 RMD160_CTX *ctxt;
1097
1098 if (!state || !state->foo)
1099 panic("ah_hmac_ripemd160_result: what?");
1100
1101 ipad = (u_char *)state->foo;
1102 opad = (u_char *)(ipad + 64);
1103 ctxt = (RMD160_CTX *)(opad + 64);
1104
1105 RMD160Final((caddr_t)digest, ctxt);
1106
1107 bzero(ctxt, sizeof(*ctxt));
1108 RMD160Init(ctxt);
1109 RMD160Update(ctxt, opad, 64);
1110 RMD160Update(ctxt, (caddr_t)digest, sizeof(digest));
1111 RMD160Final((caddr_t)digest, ctxt);
1112
1113 bcopy(digest, addr, sizeof(digest) > l ? l : sizeof(digest));
1114
1115 free(state->foo, M_TEMP);
1116 }
1117
1118 /*------------------------------------------------------------*/
1119
1120 /*
1121 * go generate the checksum.
1122 */
1123 static void
1124 ah_update_mbuf(m, off, len, algo, algos)
1125 struct mbuf *m;
1126 int off;
1127 int len;
1128 const struct ah_algorithm *algo;
1129 struct ah_algorithm_state *algos;
1130 {
1131 struct mbuf *n;
1132 int tlen;
1133
1134 /* easy case first */
1135 if (off + len <= m->m_len) {
1136 (algo->update)(algos, mtod(m, u_int8_t *) + off, len);
1137 return;
1138 }
1139
1140 for (n = m; n; n = n->m_next) {
1141 if (off < n->m_len)
1142 break;
1143
1144 off -= n->m_len;
1145 }
1146
1147 if (!n)
1148 panic("ah_update_mbuf: wrong offset specified");
1149
1150 for (/* nothing */; n && len > 0; n = n->m_next) {
1151 if (n->m_len == 0)
1152 continue;
1153 if (n->m_len - off < len)
1154 tlen = n->m_len - off;
1155 else
1156 tlen = len;
1157
1158 (algo->update)(algos, mtod(n, u_int8_t *) + off, tlen);
1159
1160 len -= tlen;
1161 off = 0;
1162 }
1163 }
1164
1165 #ifdef INET
1166 /*
1167 * Go generate the checksum. This function won't modify the mbuf chain
1168 * except AH itself.
1169 *
1170 * NOTE: the function does not free mbuf on failure.
1171 * Don't use m_copy(), it will try to share cluster mbuf by using refcnt.
1172 */
1173 int
1174 ah4_calccksum(m, ahdat, len, algo, sav)
1175 struct mbuf *m;
1176 u_int8_t * ahdat;
1177 size_t len;
1178 const struct ah_algorithm *algo;
1179 struct secasvar *sav;
1180 {
1181 int off;
1182 int hdrtype;
1183 size_t advancewidth;
1184 struct ah_algorithm_state algos;
1185 u_char sumbuf[AH_MAXSUMSIZE];
1186 int error = 0;
1187 int ahseen;
1188 struct mbuf *n = NULL;
1189
1190 if ((m->m_flags & M_PKTHDR) == 0)
1191 return EINVAL;
1192
1193 ahseen = 0;
1194 hdrtype = -1; /* dummy, it is called IPPROTO_IP */
1195
1196 off = 0;
1197
1198 error = (algo->init)(&algos, sav);
1199 if (error)
1200 return error;
1201
1202 advancewidth = 0; /* safety */
1203
1204 again:
1205 /* gory. */
1206 switch (hdrtype) {
1207 case -1: /* first one only */
1208 {
1209 /*
1210 * copy ip hdr, modify to fit the AH checksum rule,
1211 * then take a checksum.
1212 */
1213 struct ip iphdr;
1214 size_t hlen;
1215
1216 m_copydata(m, off, sizeof(iphdr), (caddr_t)&iphdr);
1217 #ifdef _IP_VHL
1218 hlen = IP_VHL_HL(iphdr.ip_vhl) << 2;
1219 #else
1220 hlen = iphdr.ip_hl << 2;
1221 #endif
1222 iphdr.ip_ttl = 0;
1223 iphdr.ip_sum = htons(0);
1224 if (ip4_ah_cleartos)
1225 iphdr.ip_tos = 0;
1226 iphdr.ip_off = htons(ntohs(iphdr.ip_off) & ip4_ah_offsetmask);
1227 (algo->update)(&algos, (u_int8_t *)&iphdr, sizeof(struct ip));
1228
1229 if (hlen != sizeof(struct ip)) {
1230 u_char *p;
1231 int i, l, skip;
1232
1233 if (hlen > MCLBYTES) {
1234 error = EMSGSIZE;
1235 goto fail;
1236 }
1237 MGET(n, M_DONTWAIT, MT_DATA);
1238 if (n && hlen > MLEN) {
1239 MCLGET(n, M_DONTWAIT);
1240 if ((n->m_flags & M_EXT) == 0) {
1241 m_free(n);
1242 n = NULL;
1243 }
1244 }
1245 if (n == NULL) {
1246 error = ENOBUFS;
1247 goto fail;
1248 }
1249 m_copydata(m, off, hlen, mtod(n, caddr_t));
1250
1251 /*
1252 * IP options processing.
1253 * See RFC2402 appendix A.
1254 */
1255 p = mtod(n, u_char *);
1256 i = sizeof(struct ip);
1257 while (i < hlen) {
1258 if (i + IPOPT_OPTVAL >= hlen) {
1259 ipseclog((LOG_ERR, "ah4_calccksum: "
1260 "invalid IP option\n"));
1261 error = EINVAL;
1262 goto fail;
1263 }
1264 if (p[i + IPOPT_OPTVAL] == IPOPT_EOL ||
1265 p[i + IPOPT_OPTVAL] == IPOPT_NOP ||
1266 i + IPOPT_OLEN < hlen)
1267 ;
1268 else {
1269 ipseclog((LOG_ERR,
1270 "ah4_calccksum: invalid IP option "
1271 "(type=%02x)\n",
1272 p[i + IPOPT_OPTVAL]));
1273 error = EINVAL;
1274 goto fail;
1275 }
1276
1277 skip = 1;
1278 switch (p[i + IPOPT_OPTVAL]) {
1279 case IPOPT_EOL:
1280 case IPOPT_NOP:
1281 l = 1;
1282 skip = 0;
1283 break;
1284 case IPOPT_SECURITY: /* 0x82 */
1285 case 0x85: /* Extended security */
1286 case 0x86: /* Commercial security */
1287 case 0x94: /* Router alert */
1288 case 0x95: /* RFC1770 */
1289 l = p[i + IPOPT_OLEN];
1290 if (l < 2)
1291 goto invalopt;
1292 skip = 0;
1293 break;
1294 default:
1295 l = p[i + IPOPT_OLEN];
1296 if (l < 2)
1297 goto invalopt;
1298 skip = 1;
1299 break;
1300 }
1301 if (l < 1 || hlen - i < l) {
1302 invalopt:
1303 ipseclog((LOG_ERR,
1304 "ah4_calccksum: invalid IP option "
1305 "(type=%02x len=%02x)\n",
1306 p[i + IPOPT_OPTVAL],
1307 p[i + IPOPT_OLEN]));
1308 error = EINVAL;
1309 goto fail;
1310 }
1311 if (skip)
1312 bzero(p + i, l);
1313 if (p[i + IPOPT_OPTVAL] == IPOPT_EOL)
1314 break;
1315 i += l;
1316 }
1317 p = mtod(n, u_char *) + sizeof(struct ip);
1318 (algo->update)(&algos, p, hlen - sizeof(struct ip));
1319
1320 m_free(n);
1321 n = NULL;
1322 }
1323
1324 hdrtype = (iphdr.ip_p) & 0xff;
1325 advancewidth = hlen;
1326 break;
1327 }
1328
1329 case IPPROTO_AH:
1330 {
1331 struct ah ah;
1332 int siz;
1333 int hdrsiz;
1334 int totlen;
1335
1336 m_copydata(m, off, sizeof(ah), (caddr_t)&ah);
1337 hdrsiz = (sav->flags & SADB_X_EXT_OLD)
1338 ? sizeof(struct ah)
1339 : sizeof(struct newah);
1340 siz = (*algo->sumsiz)(sav);
1341 totlen = (ah.ah_len + 2) << 2;
1342
1343 /*
1344 * special treatment is necessary for the first one, not others
1345 */
1346 if (!ahseen) {
1347 if (totlen > m->m_pkthdr.len - off ||
1348 totlen > MCLBYTES) {
1349 error = EMSGSIZE;
1350 goto fail;
1351 }
1352 MGET(n, M_DONTWAIT, MT_DATA);
1353 if (n && totlen > MLEN) {
1354 MCLGET(n, M_DONTWAIT);
1355 if ((n->m_flags & M_EXT) == 0) {
1356 m_free(n);
1357 n = NULL;
1358 }
1359 }
1360 if (n == NULL) {
1361 error = ENOBUFS;
1362 goto fail;
1363 }
1364 m_copydata(m, off, totlen, mtod(n, caddr_t));
1365 n->m_len = totlen;
1366 bzero(mtod(n, u_int8_t *) + hdrsiz, siz);
1367 (algo->update)(&algos, mtod(n, u_int8_t *), n->m_len);
1368 m_free(n);
1369 n = NULL;
1370 } else
1371 ah_update_mbuf(m, off, totlen, algo, &algos);
1372 ahseen++;
1373
1374 hdrtype = ah.ah_nxt;
1375 advancewidth = totlen;
1376 break;
1377 }
1378
1379 default:
1380 ah_update_mbuf(m, off, m->m_pkthdr.len - off, algo, &algos);
1381 advancewidth = m->m_pkthdr.len - off;
1382 break;
1383 }
1384
1385 off += advancewidth;
1386 if (off < m->m_pkthdr.len)
1387 goto again;
1388
1389 if (len < (*algo->sumsiz)(sav)) {
1390 error = EINVAL;
1391 goto fail;
1392 }
1393
1394 (algo->result)(&algos, sumbuf, sizeof(sumbuf));
1395 bcopy(&sumbuf[0], ahdat, (*algo->sumsiz)(sav));
1396
1397 if (n)
1398 m_free(n);
1399 return error;
1400
1401 fail:
1402 if (n)
1403 m_free(n);
1404 return error;
1405 }
1406 #endif
1407
1408 #ifdef INET6
1409 /*
1410 * Go generate the checksum. This function won't modify the mbuf chain
1411 * except AH itself.
1412 *
1413 * NOTE: the function does not free mbuf on failure.
1414 * Don't use m_copy(), it will try to share cluster mbuf by using refcnt.
1415 */
1416 int
1417 ah6_calccksum(m, ahdat, len, algo, sav)
1418 struct mbuf *m;
1419 u_int8_t * ahdat;
1420 size_t len;
1421 const struct ah_algorithm *algo;
1422 struct secasvar *sav;
1423 {
1424 int newoff, off;
1425 int proto, nxt;
1426 struct mbuf *n = NULL;
1427 int error;
1428 int ahseen;
1429 struct ah_algorithm_state algos;
1430 u_char sumbuf[AH_MAXSUMSIZE];
1431
1432 if ((m->m_flags & M_PKTHDR) == 0)
1433 return EINVAL;
1434
1435 error = (algo->init)(&algos, sav);
1436 if (error)
1437 return error;
1438
1439 off = 0;
1440 proto = IPPROTO_IPV6;
1441 nxt = -1;
1442 ahseen = 0;
1443
1444 again:
1445 newoff = ip6_nexthdr(m, off, proto, &nxt);
1446 if (newoff < 0)
1447 newoff = m->m_pkthdr.len;
1448 else if (newoff <= off) {
1449 error = EINVAL;
1450 goto fail;
1451 }
1452
1453 switch (proto) {
1454 case IPPROTO_IPV6:
1455 /*
1456 * special treatment is necessary for the first one, not others
1457 */
1458 if (off == 0) {
1459 struct ip6_hdr ip6copy;
1460
1461 if (newoff - off != sizeof(struct ip6_hdr)) {
1462 error = EINVAL;
1463 goto fail;
1464 }
1465
1466 m_copydata(m, off, newoff - off, (caddr_t)&ip6copy);
1467 /* RFC2402 */
1468 ip6copy.ip6_flow = 0;
1469 ip6copy.ip6_vfc &= ~IPV6_VERSION_MASK;
1470 ip6copy.ip6_vfc |= IPV6_VERSION;
1471 ip6copy.ip6_hlim = 0;
1472 in6_clearscope(&ip6copy.ip6_src); /* XXX */
1473 in6_clearscope(&ip6copy.ip6_dst); /* XXX */
1474 (algo->update)(&algos, (u_int8_t *)&ip6copy,
1475 sizeof(struct ip6_hdr));
1476 } else {
1477 newoff = m->m_pkthdr.len;
1478 ah_update_mbuf(m, off, m->m_pkthdr.len - off, algo,
1479 &algos);
1480 }
1481 break;
1482
1483 case IPPROTO_AH:
1484 {
1485 int siz;
1486 int hdrsiz;
1487
1488 hdrsiz = (sav->flags & SADB_X_EXT_OLD)
1489 ? sizeof(struct ah)
1490 : sizeof(struct newah);
1491 siz = (*algo->sumsiz)(sav);
1492
1493 /*
1494 * special treatment is necessary for the first one, not others
1495 */
1496 if (!ahseen) {
1497 if (newoff - off > MCLBYTES) {
1498 error = EMSGSIZE;
1499 goto fail;
1500 }
1501 MGET(n, M_DONTWAIT, MT_DATA);
1502 if (n && newoff - off > MLEN) {
1503 MCLGET(n, M_DONTWAIT);
1504 if ((n->m_flags & M_EXT) == 0) {
1505 m_free(n);
1506 n = NULL;
1507 }
1508 }
1509 if (n == NULL) {
1510 error = ENOBUFS;
1511 goto fail;
1512 }
1513 m_copydata(m, off, newoff - off, mtod(n, caddr_t));
1514 n->m_len = newoff - off;
1515 bzero(mtod(n, u_int8_t *) + hdrsiz, siz);
1516 (algo->update)(&algos, mtod(n, u_int8_t *), n->m_len);
1517 m_free(n);
1518 n = NULL;
1519 } else
1520 ah_update_mbuf(m, off, newoff - off, algo, &algos);
1521 ahseen++;
1522 break;
1523 }
1524
1525 case IPPROTO_HOPOPTS:
1526 case IPPROTO_DSTOPTS:
1527 {
1528 struct ip6_ext *ip6e;
1529 int hdrlen, optlen;
1530 u_int8_t *p, *optend, *optp;
1531
1532 if (newoff - off > MCLBYTES) {
1533 error = EMSGSIZE;
1534 goto fail;
1535 }
1536 MGET(n, M_DONTWAIT, MT_DATA);
1537 if (n && newoff - off > MLEN) {
1538 MCLGET(n, M_DONTWAIT);
1539 if ((n->m_flags & M_EXT) == 0) {
1540 m_free(n);
1541 n = NULL;
1542 }
1543 }
1544 if (n == NULL) {
1545 error = ENOBUFS;
1546 goto fail;
1547 }
1548 m_copydata(m, off, newoff - off, mtod(n, caddr_t));
1549 n->m_len = newoff - off;
1550
1551 ip6e = mtod(n, struct ip6_ext *);
1552 hdrlen = (ip6e->ip6e_len + 1) << 3;
1553 if (newoff - off < hdrlen) {
1554 error = EINVAL;
1555 m_free(n);
1556 n = NULL;
1557 goto fail;
1558 }
1559 p = mtod(n, u_int8_t *);
1560 optend = p + hdrlen;
1561
1562 /*
1563 * ICV calculation for the options header including all
1564 * options. This part is a little tricky since there are
1565 * two type of options; mutable and immutable. We try to
1566 * null-out mutable ones here.
1567 */
1568 optp = p + 2;
1569 while (optp < optend) {
1570 if (optp[0] == IP6OPT_PAD1)
1571 optlen = 1;
1572 else {
1573 if (optp + 2 > optend) {
1574 error = EINVAL;
1575 m_free(n);
1576 n = NULL;
1577 goto fail;
1578 }
1579 optlen = optp[1] + 2;
1580 }
1581
1582 if (optp + optlen > optend) {
1583 error = EINVAL;
1584 m_free(n);
1585 n = NULL;
1586 goto fail;
1587 }
1588
1589 if (optp[0] & IP6OPT_MUTABLE)
1590 bzero(optp + 2, optlen - 2);
1591
1592 optp += optlen;
1593 }
1594
1595 (algo->update)(&algos, mtod(n, u_int8_t *), n->m_len);
1596 m_free(n);
1597 n = NULL;
1598 break;
1599 }
1600
1601 case IPPROTO_ROUTING:
1602 /*
1603 * For an input packet, we can just calculate `as is'.
1604 * For an output packet, we assume ip6_output have already
1605 * made packet how it will be received at the final
1606 * destination.
1607 */
1608 /* FALLTHROUGH */
1609
1610 default:
1611 ah_update_mbuf(m, off, newoff - off, algo, &algos);
1612 break;
1613 }
1614
1615 if (newoff < m->m_pkthdr.len) {
1616 proto = nxt;
1617 off = newoff;
1618 goto again;
1619 }
1620
1621 if (len < (*algo->sumsiz)(sav)) {
1622 error = EINVAL;
1623 goto fail;
1624 }
1625
1626 (algo->result)(&algos, sumbuf, sizeof(sumbuf));
1627 bcopy(&sumbuf[0], ahdat, (*algo->sumsiz)(sav));
1628
1629 /* just in case */
1630 if (n)
1631 m_free(n);
1632 return 0;
1633 fail:
1634 /* just in case */
1635 if (n)
1636 m_free(n);
1637 return error;
1638 }
1639 #endif
Cache object: 51dbaccf1413a0f6dc92711f173adffd
|