1 /* $FreeBSD: releng/6.0/sys/netinet6/ah_output.c 139826 2005-01-07 02:30:35Z imp $ */
2 /* $KAME: ah_output.c,v 1.38 2003/09/06 05:15:43 itojun Exp $ */
3
4 /*-
5 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
6 * All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 * 3. Neither the name of the project nor the names of its contributors
17 * may be used to endorse or promote products derived from this software
18 * without specific prior written permission.
19 *
20 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
21 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
24 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
30 * SUCH DAMAGE.
31 */
32
33 /*
34 * RFC1826/2402 authentication header.
35 */
36
37 #include "opt_inet.h"
38 #include "opt_inet6.h"
39
40 #include <sys/param.h>
41 #include <sys/systm.h>
42 #include <sys/mbuf.h>
43 #include <sys/domain.h>
44 #include <sys/protosw.h>
45 #include <sys/socket.h>
46 #include <sys/socketvar.h>
47 #include <sys/errno.h>
48 #include <sys/time.h>
49 #include <sys/syslog.h>
50
51 #include <net/if.h>
52 #include <net/route.h>
53
54 #include <netinet/in.h>
55
56 #include <netinet/in_systm.h>
57 #include <netinet/ip.h>
58 #include <netinet/in_var.h>
59
60 #ifdef INET6
61 #include <netinet/ip6.h>
62 #include <netinet6/ip6_var.h>
63 #include <netinet/icmp6.h>
64 #endif
65
66 #include <netinet6/ipsec.h>
67 #ifdef INET6
68 #include <netinet6/ipsec6.h>
69 #endif
70 #include <netinet6/ah.h>
71 #ifdef INET6
72 #include <netinet6/ah6.h>
73 #endif
74 #include <netkey/key.h>
75 #include <netkey/keydb.h>
76
77 #include <net/net_osdep.h>
78
79 #ifdef INET
80 static struct in_addr *ah4_finaldst __P((struct mbuf *));
81 #endif
82
83 /*
84 * compute AH header size.
85 * transport mode only. for tunnel mode, we should implement
86 * virtual interface, and control MTU/MSS by the interface MTU.
87 */
88 size_t
89 ah_hdrsiz(isr)
90 struct ipsecrequest *isr;
91 {
92 const struct ah_algorithm *algo;
93 size_t hdrsiz;
94
95 /* sanity check */
96 if (isr == NULL)
97 panic("ah_hdrsiz: NULL was passed.");
98
99 if (isr->saidx.proto != IPPROTO_AH)
100 panic("unsupported mode passed to ah_hdrsiz");
101
102 if (isr->sav == NULL)
103 goto estimate;
104 if (isr->sav->state != SADB_SASTATE_MATURE
105 && isr->sav->state != SADB_SASTATE_DYING)
106 goto estimate;
107
108 /* we need transport mode AH. */
109 algo = ah_algorithm_lookup(isr->sav->alg_auth);
110 if (!algo)
111 goto estimate;
112
113 /*
114 * XXX
115 * right now we don't calcurate the padding size. simply
116 * treat the padding size as constant, for simplicity.
117 *
118 * XXX variable size padding support
119 */
120 hdrsiz = (((*algo->sumsiz)(isr->sav) + 3) & ~(4 - 1));
121 if (isr->sav->flags & SADB_X_EXT_OLD)
122 hdrsiz += sizeof(struct ah);
123 else
124 hdrsiz += sizeof(struct newah);
125
126 return hdrsiz;
127
128 estimate:
129 /* ASSUMING:
130 * sizeof(struct newah) > sizeof(struct ah).
131 * AH_MAXSUMSIZE is multiple of 4.
132 */
133 return sizeof(struct newah) + AH_MAXSUMSIZE;
134 }
135
136 #ifdef INET
137 /*
138 * Modify the packet so that it includes the authentication data.
139 * The mbuf passed must start with IPv4 header.
140 *
141 * assumes that the first mbuf contains IPv4 header + option only.
142 * the function does not modify m.
143 */
144 int
145 ah4_output(m, isr)
146 struct mbuf *m;
147 struct ipsecrequest *isr;
148 {
149 struct secasvar *sav = isr->sav;
150 const struct ah_algorithm *algo;
151 u_int32_t spi;
152 u_char *ahdrpos;
153 u_int8_t *ahsumpos = NULL;
154 size_t hlen = 0; /* IP header+option in bytes */
155 size_t plen = 0; /* AH payload size in bytes */
156 size_t ahlen = 0; /* plen + sizeof(ah) */
157 struct ip *ip;
158 struct in_addr dst;
159 struct in_addr *finaldst;
160 int error;
161
162 /* sanity checks */
163 if ((sav->flags & SADB_X_EXT_OLD) == 0 && !sav->replay) {
164 struct ip *ip;
165
166 ip = mtod(m, struct ip *);
167 ipseclog((LOG_DEBUG, "ah4_output: internal error: "
168 "sav->replay is null: %x->%x, SPI=%u\n",
169 (u_int32_t)ntohl(ip->ip_src.s_addr),
170 (u_int32_t)ntohl(ip->ip_dst.s_addr),
171 (u_int32_t)ntohl(sav->spi)));
172 ipsecstat.out_inval++;
173 m_freem(m);
174 return EINVAL;
175 }
176
177 algo = ah_algorithm_lookup(sav->alg_auth);
178 if (!algo) {
179 ipseclog((LOG_ERR, "ah4_output: unsupported algorithm: "
180 "SPI=%u\n", (u_int32_t)ntohl(sav->spi)));
181 ipsecstat.out_inval++;
182 m_freem(m);
183 return EINVAL;
184 }
185 spi = sav->spi;
186
187 /*
188 * determine the size to grow.
189 */
190 if (sav->flags & SADB_X_EXT_OLD) {
191 /* RFC 1826 */
192 plen = ((*algo->sumsiz)(sav) + 3) & ~(4 - 1); /* XXX pad to 8byte? */
193 ahlen = plen + sizeof(struct ah);
194 } else {
195 /* RFC 2402 */
196 plen = ((*algo->sumsiz)(sav) + 3) & ~(4 - 1); /* XXX pad to 8byte? */
197 ahlen = plen + sizeof(struct newah);
198 }
199
200 /*
201 * grow the mbuf to accomodate AH.
202 */
203 ip = mtod(m, struct ip *);
204 #ifdef _IP_VHL
205 hlen = IP_VHL_HL(ip->ip_vhl) << 2;
206 #else
207 hlen = ip->ip_hl << 2;
208 #endif
209
210 if (m->m_len != hlen)
211 panic("ah4_output: assumption failed (first mbuf length)");
212 if (M_LEADINGSPACE(m->m_next) < ahlen) {
213 struct mbuf *n;
214 MGET(n, M_DONTWAIT, MT_DATA);
215 if (!n) {
216 ipseclog((LOG_DEBUG, "ENOBUFS in ah4_output %d\n",
217 __LINE__));
218 m_freem(m);
219 return ENOBUFS;
220 }
221 n->m_len = ahlen;
222 n->m_next = m->m_next;
223 m->m_next = n;
224 m->m_pkthdr.len += ahlen;
225 ahdrpos = mtod(n, u_char *);
226 } else {
227 m->m_next->m_len += ahlen;
228 m->m_next->m_data -= ahlen;
229 m->m_pkthdr.len += ahlen;
230 ahdrpos = mtod(m->m_next, u_char *);
231 }
232
233 ip = mtod(m, struct ip *); /* just to be sure */
234
235 /*
236 * initialize AH.
237 */
238 if (sav->flags & SADB_X_EXT_OLD) {
239 struct ah *ahdr;
240
241 ahdr = (struct ah *)ahdrpos;
242 ahsumpos = (u_char *)(ahdr + 1);
243 ahdr->ah_len = plen >> 2;
244 ahdr->ah_nxt = ip->ip_p;
245 ahdr->ah_reserve = htons(0);
246 ahdr->ah_spi = spi;
247 bzero(ahdr + 1, plen);
248 } else {
249 struct newah *ahdr;
250
251 ahdr = (struct newah *)ahdrpos;
252 ahsumpos = (u_char *)(ahdr + 1);
253 ahdr->ah_len = (plen >> 2) + 1; /* plus one for seq# */
254 ahdr->ah_nxt = ip->ip_p;
255 ahdr->ah_reserve = htons(0);
256 ahdr->ah_spi = spi;
257 if (sav->replay->count == ~0) {
258 if ((sav->flags & SADB_X_EXT_CYCSEQ) == 0) {
259 /* XXX Is it noisy ? */
260 ipseclog((LOG_WARNING,
261 "replay counter overflowed. %s\n",
262 ipsec_logsastr(sav)));
263 ipsecstat.out_inval++;
264 m_freem(m);
265 return EINVAL;
266 }
267 }
268 sav->replay->count++;
269 /*
270 * XXX sequence number must not be cycled, if the SA is
271 * installed by IKE daemon.
272 */
273 ahdr->ah_seq = htonl(sav->replay->count & 0xffffffff);
274 bzero(ahdr + 1, plen);
275 }
276
277 /*
278 * modify IPv4 header.
279 */
280 ip->ip_p = IPPROTO_AH;
281 if (ahlen < (IP_MAXPACKET - ntohs(ip->ip_len)))
282 ip->ip_len = htons(ntohs(ip->ip_len) + ahlen);
283 else {
284 ipseclog((LOG_ERR, "IPv4 AH output: size exceeds limit\n"));
285 ipsecstat.out_inval++;
286 m_freem(m);
287 return EMSGSIZE;
288 }
289
290 /*
291 * If there is source routing option, update destination field in
292 * the IPv4 header to the final destination.
293 * Note that we do not need to update source routing option itself
294 * (as done in IPv4 AH processing -- see ip6_output()), since
295 * source routing option is not part of the ICV computation.
296 */
297 finaldst = ah4_finaldst(m);
298 if (finaldst) {
299 dst.s_addr = ip->ip_dst.s_addr;
300 ip->ip_dst.s_addr = finaldst->s_addr;
301 }
302
303 /*
304 * calcurate the checksum, based on security association
305 * and the algorithm specified.
306 */
307 error = ah4_calccksum(m, ahsumpos, plen, algo, sav);
308 if (error) {
309 ipseclog((LOG_ERR,
310 "error after ah4_calccksum, called from ah4_output"));
311 m_freem(m);
312 m = NULL;
313 ipsecstat.out_inval++;
314 return error;
315 }
316
317 if (finaldst) {
318 ip = mtod(m, struct ip *); /* just to make sure */
319 ip->ip_dst.s_addr = dst.s_addr;
320 }
321 ipsecstat.out_success++;
322 ipsecstat.out_ahhist[sav->alg_auth]++;
323 key_sa_recordxfer(sav, m);
324
325 return 0;
326 }
327 #endif
328
329 /* Calculate AH length */
330 int
331 ah_hdrlen(sav)
332 struct secasvar *sav;
333 {
334 const struct ah_algorithm *algo;
335 int plen, ahlen;
336
337 algo = ah_algorithm_lookup(sav->alg_auth);
338 if (!algo)
339 return 0;
340 if (sav->flags & SADB_X_EXT_OLD) {
341 /* RFC 1826 */
342 plen = ((*algo->sumsiz)(sav) + 3) & ~(4 - 1); /* XXX pad to 8byte? */
343 ahlen = plen + sizeof(struct ah);
344 } else {
345 /* RFC 2402 */
346 plen = ((*algo->sumsiz)(sav) + 3) & ~(4 - 1); /* XXX pad to 8byte? */
347 ahlen = plen + sizeof(struct newah);
348 }
349
350 return (ahlen);
351 }
352
353 #ifdef INET6
354 /*
355 * Fill in the Authentication Header and calculate checksum.
356 */
357 int
358 ah6_output(m, nexthdrp, md, isr)
359 struct mbuf *m;
360 u_char *nexthdrp;
361 struct mbuf *md;
362 struct ipsecrequest *isr;
363 {
364 struct mbuf *mprev;
365 struct mbuf *mah;
366 struct secasvar *sav = isr->sav;
367 const struct ah_algorithm *algo;
368 u_int32_t spi;
369 u_int8_t *ahsumpos = NULL;
370 size_t plen; /* AH payload size in bytes */
371 int error = 0;
372 int ahlen;
373 struct ip6_hdr *ip6;
374
375 if (m->m_len < sizeof(struct ip6_hdr)) {
376 ipseclog((LOG_DEBUG, "ah6_output: first mbuf too short\n"));
377 m_freem(m);
378 return EINVAL;
379 }
380
381 ahlen = ah_hdrlen(sav);
382 if (ahlen == 0)
383 return 0;
384
385 for (mprev = m; mprev && mprev->m_next != md; mprev = mprev->m_next)
386 ;
387 if (!mprev || mprev->m_next != md) {
388 ipseclog((LOG_DEBUG, "ah6_output: md is not in chain\n"));
389 m_freem(m);
390 return EINVAL;
391 }
392
393 MGET(mah, M_DONTWAIT, MT_DATA);
394 if (!mah) {
395 m_freem(m);
396 return ENOBUFS;
397 }
398 if (ahlen > MLEN) {
399 MCLGET(mah, M_DONTWAIT);
400 if ((mah->m_flags & M_EXT) == 0) {
401 m_free(mah);
402 m_freem(m);
403 return ENOBUFS;
404 }
405 }
406 mah->m_len = ahlen;
407 mah->m_next = md;
408 mprev->m_next = mah;
409 m->m_pkthdr.len += ahlen;
410
411 /* fix plen */
412 if (m->m_pkthdr.len - sizeof(struct ip6_hdr) > IPV6_MAXPACKET) {
413 ipseclog((LOG_ERR,
414 "ah6_output: AH with IPv6 jumbogram is not supported\n"));
415 m_freem(m);
416 return EINVAL;
417 }
418 ip6 = mtod(m, struct ip6_hdr *);
419 ip6->ip6_plen = htons(m->m_pkthdr.len - sizeof(struct ip6_hdr));
420
421 if ((sav->flags & SADB_X_EXT_OLD) == 0 && !sav->replay) {
422 ipseclog((LOG_DEBUG, "ah6_output: internal error: "
423 "sav->replay is null: SPI=%u\n",
424 (u_int32_t)ntohl(sav->spi)));
425 ipsec6stat.out_inval++;
426 m_freem(m);
427 return EINVAL;
428 }
429
430 algo = ah_algorithm_lookup(sav->alg_auth);
431 if (!algo) {
432 ipseclog((LOG_ERR, "ah6_output: unsupported algorithm: "
433 "SPI=%u\n", (u_int32_t)ntohl(sav->spi)));
434 ipsec6stat.out_inval++;
435 m_freem(m);
436 return EINVAL;
437 }
438 spi = sav->spi;
439
440 /*
441 * initialize AH.
442 */
443 if (sav->flags & SADB_X_EXT_OLD) {
444 struct ah *ahdr = mtod(mah, struct ah *);
445
446 plen = mah->m_len - sizeof(struct ah);
447 ahsumpos = (u_char *)(ahdr + 1);
448 ahdr->ah_nxt = *nexthdrp;
449 *nexthdrp = IPPROTO_AH;
450 ahdr->ah_len = plen >> 2;
451 ahdr->ah_reserve = htons(0);
452 ahdr->ah_spi = spi;
453 bzero(ahdr + 1, plen);
454 } else {
455 struct newah *ahdr = mtod(mah, struct newah *);
456
457 plen = mah->m_len - sizeof(struct newah);
458 ahsumpos = (u_char *)(ahdr + 1);
459 ahdr->ah_nxt = *nexthdrp;
460 *nexthdrp = IPPROTO_AH;
461 ahdr->ah_len = (plen >> 2) + 1; /* plus one for seq# */
462 ahdr->ah_reserve = htons(0);
463 ahdr->ah_spi = spi;
464 if (sav->replay->count == ~0) {
465 if ((sav->flags & SADB_X_EXT_CYCSEQ) == 0) {
466 /* XXX Is it noisy ? */
467 ipseclog((LOG_WARNING,
468 "replay counter overflowed. %s\n",
469 ipsec_logsastr(sav)));
470 ipsec6stat.out_inval++;
471 m_freem(m);
472 return EINVAL;
473 }
474 }
475 sav->replay->count++;
476 /*
477 * XXX sequence number must not be cycled, if the SA is
478 * installed by IKE daemon.
479 */
480 ahdr->ah_seq = htonl(sav->replay->count);
481 bzero(ahdr + 1, plen);
482 }
483
484 /*
485 * calcurate the checksum, based on security association
486 * and the algorithm specified.
487 */
488 error = ah6_calccksum(m, ahsumpos, plen, algo, sav);
489 if (error) {
490 ipsec6stat.out_inval++;
491 m_freem(m);
492 } else {
493 ipsec6stat.out_success++;
494 key_sa_recordxfer(sav, m);
495 }
496 ipsec6stat.out_ahhist[sav->alg_auth]++;
497
498 return (error);
499 }
500 #endif
501
502 #ifdef INET
503 /*
504 * Find the final destination if there is loose/strict source routing option.
505 * Returns NULL if there's no source routing options.
506 * Returns NULL on errors too.
507 * Note that this function will return a pointer INTO the given parameter,
508 * struct mbuf *m.
509 * The mbuf must be pulled up toward, at least, ip option part.
510 */
511 static struct in_addr *
512 ah4_finaldst(m)
513 struct mbuf *m;
514 {
515 struct ip *ip;
516 int optlen;
517 u_char *q;
518 int i;
519 int hlen;
520
521 if (!m)
522 panic("ah4_finaldst: m == NULL");
523 ip = mtod(m, struct ip *);
524 hlen = (ip->ip_hl << 2);
525
526 if (m->m_len < hlen) {
527 ipseclog((LOG_DEBUG,
528 "ah4_finaldst: parameter mbuf wrong (not pulled up)\n"));
529 return NULL;
530 }
531
532 if (hlen == sizeof(struct ip))
533 return NULL;
534
535 optlen = hlen - sizeof(struct ip);
536 if (optlen < 0) {
537 ipseclog((LOG_DEBUG, "ah4_finaldst: wrong optlen %d\n",
538 optlen));
539 return NULL;
540 }
541
542 q = (u_char *)(ip + 1);
543 i = 0;
544 while (i < optlen) {
545 if (i + IPOPT_OPTVAL >= optlen)
546 return NULL;
547 if (q[i + IPOPT_OPTVAL] == IPOPT_EOL ||
548 q[i + IPOPT_OPTVAL] == IPOPT_NOP ||
549 i + IPOPT_OLEN < optlen)
550 ;
551 else
552 return NULL;
553
554 switch (q[i + IPOPT_OPTVAL]) {
555 case IPOPT_EOL:
556 i = optlen; /* bye */
557 break;
558 case IPOPT_NOP:
559 i++;
560 break;
561 case IPOPT_LSRR:
562 case IPOPT_SSRR:
563 if (q[i + IPOPT_OLEN] < 2 + sizeof(struct in_addr) ||
564 optlen - i < q[i + IPOPT_OLEN]) {
565 ipseclog((LOG_ERR,
566 "ip_finaldst: invalid IP option "
567 "(code=%02x len=%02x)\n",
568 q[i + IPOPT_OPTVAL], q[i + IPOPT_OLEN]));
569 return NULL;
570 }
571 i += q[i + IPOPT_OLEN] - sizeof(struct in_addr);
572 return (struct in_addr *)(q + i);
573 default:
574 if (q[i + IPOPT_OLEN] < 2 ||
575 optlen - i < q[i + IPOPT_OLEN]) {
576 ipseclog((LOG_ERR,
577 "ip_finaldst: invalid IP option "
578 "(code=%02x len=%02x)\n",
579 q[i + IPOPT_OPTVAL], q[i + IPOPT_OLEN]));
580 return NULL;
581 }
582 i += q[i + IPOPT_OLEN];
583 break;
584 }
585 }
586 return NULL;
587 }
588 #endif
Cache object: e3851f4efc6e02f254825e3e606f716c
|