1 /* $FreeBSD$ */
2 /* $KAME: esp_core.c,v 1.50 2000/11/02 12:27:38 itojun Exp $ */
3
4 /*-
5 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
6 * All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 * 3. Neither the name of the project nor the names of its contributors
17 * may be used to endorse or promote products derived from this software
18 * without specific prior written permission.
19 *
20 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
21 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
24 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
30 * SUCH DAMAGE.
31 */
32
33 #include "opt_inet.h"
34 #include "opt_inet6.h"
35
36 #include <sys/param.h>
37 #include <sys/systm.h>
38 #include <sys/malloc.h>
39 #include <sys/mbuf.h>
40 #include <sys/domain.h>
41 #include <sys/protosw.h>
42 #include <sys/socket.h>
43 #include <sys/errno.h>
44 #include <sys/time.h>
45 #include <sys/syslog.h>
46
47 #include <net/if.h>
48 #include <net/route.h>
49
50 #include <netinet/in.h>
51 #include <netinet/in_var.h>
52 #ifdef INET6
53 #include <netinet/ip6.h>
54 #include <netinet6/ip6_var.h>
55 #include <netinet/icmp6.h>
56 #endif
57
58 #include <netinet6/ipsec.h>
59 #ifdef INET6
60 #include <netinet6/ipsec6.h>
61 #endif
62 #include <netinet6/ah.h>
63 #ifdef INET6
64 #include <netinet6/ah6.h>
65 #endif
66 #include <netinet6/esp.h>
67 #ifdef INET6
68 #include <netinet6/esp6.h>
69 #endif
70 #include <netinet6/esp_rijndael.h>
71 #include <netinet6/esp_camellia.h>
72 #include <netinet6/esp_aesctr.h>
73 #include <net/pfkeyv2.h>
74 #include <netkey/keydb.h>
75 #include <netkey/key.h>
76
77 #include <crypto/des/des.h>
78 #include <crypto/blowfish/blowfish.h>
79
80 #include <opencrypto/cast.h>
81 #define cast128_key cast_key
82 #define cast128_setkey(key, rawkey, keybytes) \
83 cast_setkey((key), (rawkey), (keybytes))
84 #define cast128_encrypt(key, inblock, outblock) \
85 cast_encrypt((key), (inblock), (outblock))
86 #define cast128_decrypt(key, inblock, outblock) \
87 cast_decrypt((key), (inblock), (outblock))
88
89 #include <net/net_osdep.h>
90
91 static int esp_null_mature __P((struct secasvar *));
92 static int esp_null_decrypt __P((struct mbuf *, size_t,
93 struct secasvar *, const struct esp_algorithm *, int));
94 static int esp_null_encrypt __P((struct mbuf *, size_t, size_t,
95 struct secasvar *, const struct esp_algorithm *, int));
96 static int esp_descbc_mature __P((struct secasvar *));
97 static int esp_descbc_ivlen __P((const struct esp_algorithm *,
98 struct secasvar *));
99 static int esp_des_schedule __P((const struct esp_algorithm *,
100 struct secasvar *));
101 static size_t esp_des_schedlen __P((const struct esp_algorithm *));
102 static int esp_des_blockdecrypt __P((const struct esp_algorithm *,
103 struct secasvar *, u_int8_t *, u_int8_t *));
104 static int esp_des_blockencrypt __P((const struct esp_algorithm *,
105 struct secasvar *, u_int8_t *, u_int8_t *));
106 static int esp_cbc_mature __P((struct secasvar *));
107 static int esp_blowfish_schedule __P((const struct esp_algorithm *,
108 struct secasvar *));
109 static size_t esp_blowfish_schedlen __P((const struct esp_algorithm *));
110 static int esp_blowfish_blockdecrypt __P((const struct esp_algorithm *,
111 struct secasvar *, u_int8_t *, u_int8_t *));
112 static int esp_blowfish_blockencrypt __P((const struct esp_algorithm *,
113 struct secasvar *, u_int8_t *, u_int8_t *));
114 static int esp_cast128_schedule __P((const struct esp_algorithm *,
115 struct secasvar *));
116 static size_t esp_cast128_schedlen __P((const struct esp_algorithm *));
117 static int esp_cast128_blockdecrypt __P((const struct esp_algorithm *,
118 struct secasvar *, u_int8_t *, u_int8_t *));
119 static int esp_cast128_blockencrypt __P((const struct esp_algorithm *,
120 struct secasvar *, u_int8_t *, u_int8_t *));
121 static int esp_3des_schedule __P((const struct esp_algorithm *,
122 struct secasvar *));
123 static size_t esp_3des_schedlen __P((const struct esp_algorithm *));
124 static int esp_3des_blockdecrypt __P((const struct esp_algorithm *,
125 struct secasvar *, u_int8_t *, u_int8_t *));
126 static int esp_3des_blockencrypt __P((const struct esp_algorithm *,
127 struct secasvar *, u_int8_t *, u_int8_t *));
128 static int esp_common_ivlen __P((const struct esp_algorithm *,
129 struct secasvar *));
130 static int esp_cbc_decrypt __P((struct mbuf *, size_t,
131 struct secasvar *, const struct esp_algorithm *, int));
132 static int esp_cbc_encrypt __P((struct mbuf *, size_t, size_t,
133 struct secasvar *, const struct esp_algorithm *, int));
134
135 #define MAXIVLEN 16
136
137 static const struct esp_algorithm esp_algorithms[] = {
138 { 8, -1, esp_descbc_mature, 64, 64, esp_des_schedlen,
139 "des-cbc",
140 esp_descbc_ivlen, esp_cbc_decrypt,
141 esp_cbc_encrypt, esp_des_schedule,
142 esp_des_blockdecrypt, esp_des_blockencrypt, },
143 { 8, 8, esp_cbc_mature, 192, 192, esp_3des_schedlen,
144 "3des-cbc",
145 esp_common_ivlen, esp_cbc_decrypt,
146 esp_cbc_encrypt, esp_3des_schedule,
147 esp_3des_blockdecrypt, esp_3des_blockencrypt, },
148 { 1, 0, esp_null_mature, 0, 2048, NULL, "null",
149 esp_common_ivlen, esp_null_decrypt,
150 esp_null_encrypt, NULL, },
151 { 8, 8, esp_cbc_mature, 40, 448, esp_blowfish_schedlen, "blowfish-cbc",
152 esp_common_ivlen, esp_cbc_decrypt,
153 esp_cbc_encrypt, esp_blowfish_schedule,
154 esp_blowfish_blockdecrypt, esp_blowfish_blockencrypt, },
155 { 8, 8, esp_cbc_mature, 40, 128, esp_cast128_schedlen,
156 "cast128-cbc",
157 esp_common_ivlen, esp_cbc_decrypt,
158 esp_cbc_encrypt, esp_cast128_schedule,
159 esp_cast128_blockdecrypt, esp_cast128_blockencrypt, },
160 { 16, 16, esp_cbc_mature, 128, 256, esp_rijndael_schedlen,
161 "rijndael-cbc",
162 esp_common_ivlen, esp_cbc_decrypt,
163 esp_cbc_encrypt, esp_rijndael_schedule,
164 esp_rijndael_blockdecrypt, esp_rijndael_blockencrypt },
165 { 16, 8, esp_aesctr_mature, 160, 288, esp_aesctr_schedlen, "aes-ctr",
166 esp_common_ivlen, esp_aesctr_decrypt,
167 esp_aesctr_encrypt, esp_aesctr_schedule },
168 { 16, 16, esp_cbc_mature, 128, 256, esp_camellia_schedlen,
169 "camellia-cbc",
170 esp_common_ivlen, esp_cbc_decrypt,
171 esp_cbc_encrypt, esp_camellia_schedule,
172 esp_camellia_blockdecrypt, esp_camellia_blockencrypt },
173 };
174
175 const struct esp_algorithm *
176 esp_algorithm_lookup(idx)
177 int idx;
178 {
179
180 switch (idx) {
181 case SADB_EALG_DESCBC:
182 return &esp_algorithms[0];
183 case SADB_EALG_3DESCBC:
184 return &esp_algorithms[1];
185 case SADB_EALG_NULL:
186 return &esp_algorithms[2];
187 case SADB_X_EALG_BLOWFISHCBC:
188 return &esp_algorithms[3];
189 case SADB_X_EALG_CAST128CBC:
190 return &esp_algorithms[4];
191 case SADB_X_EALG_RIJNDAELCBC:
192 return &esp_algorithms[5];
193 case SADB_X_EALG_AESCTR:
194 return &esp_algorithms[6];
195 case SADB_X_EALG_CAMELLIACBC:
196 return &esp_algorithms[7];
197 default:
198 return NULL;
199 }
200 }
201
202 int
203 esp_max_ivlen()
204 {
205 int idx;
206 int ivlen;
207
208 ivlen = 0;
209 for (idx = 0; idx < sizeof(esp_algorithms)/sizeof(esp_algorithms[0]);
210 idx++) {
211 if (esp_algorithms[idx].ivlenval > ivlen)
212 ivlen = esp_algorithms[idx].ivlenval;
213 }
214 return ivlen;
215 }
216
217 int
218 esp_schedule(algo, sav)
219 const struct esp_algorithm *algo;
220 struct secasvar *sav;
221 {
222 int error;
223
224 /* check for key length */
225 if (_KEYBITS(sav->key_enc) < algo->keymin ||
226 _KEYBITS(sav->key_enc) > algo->keymax) {
227 ipseclog((LOG_ERR,
228 "esp_schedule %s: unsupported key length %d: "
229 "needs %d to %d bits\n", algo->name, _KEYBITS(sav->key_enc),
230 algo->keymin, algo->keymax));
231 return EINVAL;
232 }
233
234 /* already allocated */
235 if (sav->sched && sav->schedlen != 0)
236 return 0;
237 /* no schedule necessary */
238 if (!algo->schedule || !algo->schedlen)
239 return 0;
240
241 sav->schedlen = (*algo->schedlen)(algo);
242 sav->sched = malloc(sav->schedlen, M_SECA, M_NOWAIT);
243 if (!sav->sched) {
244 sav->schedlen = 0;
245 return ENOBUFS;
246 }
247
248 error = (*algo->schedule)(algo, sav);
249 if (error) {
250 ipseclog((LOG_ERR, "esp_schedule %s: error %d\n",
251 algo->name, error));
252 bzero(sav->sched, sav->schedlen);
253 free(sav->sched, M_SECA);
254 sav->sched = NULL;
255 sav->schedlen = 0;
256 }
257 return error;
258 }
259
260 static int
261 esp_null_mature(sav)
262 struct secasvar *sav;
263 {
264
265 /* anything is okay */
266 return 0;
267 }
268
269 static int
270 esp_null_decrypt(m, off, sav, algo, ivlen)
271 struct mbuf *m;
272 size_t off; /* offset to ESP header */
273 struct secasvar *sav;
274 const struct esp_algorithm *algo;
275 int ivlen;
276 {
277
278 return 0; /* do nothing */
279 }
280
281 static int
282 esp_null_encrypt(m, off, plen, sav, algo, ivlen)
283 struct mbuf *m;
284 size_t off; /* offset to ESP header */
285 size_t plen; /* payload length (to be encrypted) */
286 struct secasvar *sav;
287 const struct esp_algorithm *algo;
288 int ivlen;
289 {
290
291 return 0; /* do nothing */
292 }
293
294 static int
295 esp_descbc_mature(sav)
296 struct secasvar *sav;
297 {
298 const struct esp_algorithm *algo;
299
300 if (!(sav->flags & SADB_X_EXT_OLD) && (sav->flags & SADB_X_EXT_IV4B)) {
301 ipseclog((LOG_ERR, "esp_cbc_mature: "
302 "algorithm incompatible with 4 octets IV length\n"));
303 return 1;
304 }
305
306 if (!sav->key_enc) {
307 ipseclog((LOG_ERR, "esp_descbc_mature: no key is given.\n"));
308 return 1;
309 }
310
311 algo = esp_algorithm_lookup(sav->alg_enc);
312 if (!algo) {
313 ipseclog((LOG_ERR,
314 "esp_descbc_mature: unsupported algorithm.\n"));
315 return 1;
316 }
317
318 if (_KEYBITS(sav->key_enc) < algo->keymin ||
319 _KEYBITS(sav->key_enc) > algo->keymax) {
320 ipseclog((LOG_ERR,
321 "esp_descbc_mature: invalid key length %d.\n",
322 _KEYBITS(sav->key_enc)));
323 return 1;
324 }
325
326 /* weak key check */
327 if (des_is_weak_key((des_cblock *)_KEYBUF(sav->key_enc))) {
328 ipseclog((LOG_ERR,
329 "esp_descbc_mature: weak key was passed.\n"));
330 return 1;
331 }
332
333 return 0;
334 }
335
336 static int
337 esp_descbc_ivlen(algo, sav)
338 const struct esp_algorithm *algo;
339 struct secasvar *sav;
340 {
341
342 if (!sav)
343 return 8;
344 if ((sav->flags & SADB_X_EXT_OLD) && (sav->flags & SADB_X_EXT_IV4B))
345 return 4;
346 if (!(sav->flags & SADB_X_EXT_OLD) && (sav->flags & SADB_X_EXT_DERIV))
347 return 4;
348 return 8;
349 }
350
351 static size_t
352 esp_des_schedlen(algo)
353 const struct esp_algorithm *algo;
354 {
355
356 return sizeof(des_key_schedule);
357 }
358
359 static int
360 esp_des_schedule(algo, sav)
361 const struct esp_algorithm *algo;
362 struct secasvar *sav;
363 {
364
365 if (des_key_sched((des_cblock *)_KEYBUF(sav->key_enc),
366 *(des_key_schedule *)sav->sched))
367 return EINVAL;
368 else
369 return 0;
370 }
371
372 static int
373 esp_des_blockdecrypt(algo, sav, s, d)
374 const struct esp_algorithm *algo;
375 struct secasvar *sav;
376 u_int8_t *s;
377 u_int8_t *d;
378 {
379
380 /* assumption: d has a good alignment */
381 bcopy(s, d, sizeof(DES_LONG) * 2);
382 des_ecb_encrypt((des_cblock *)d, (des_cblock *)d,
383 *(des_key_schedule *)sav->sched, DES_DECRYPT);
384 return 0;
385 }
386
387 static int
388 esp_des_blockencrypt(algo, sav, s, d)
389 const struct esp_algorithm *algo;
390 struct secasvar *sav;
391 u_int8_t *s;
392 u_int8_t *d;
393 {
394
395 /* assumption: d has a good alignment */
396 bcopy(s, d, sizeof(DES_LONG) * 2);
397 des_ecb_encrypt((des_cblock *)d, (des_cblock *)d,
398 *(des_key_schedule *)sav->sched, DES_ENCRYPT);
399 return 0;
400 }
401
402 static int
403 esp_cbc_mature(sav)
404 struct secasvar *sav;
405 {
406 int keylen;
407 const struct esp_algorithm *algo;
408
409 if (sav->flags & SADB_X_EXT_OLD) {
410 ipseclog((LOG_ERR,
411 "esp_cbc_mature: algorithm incompatible with esp-old\n"));
412 return 1;
413 }
414 if (sav->flags & SADB_X_EXT_DERIV) {
415 ipseclog((LOG_ERR,
416 "esp_cbc_mature: algorithm incompatible with derived\n"));
417 return 1;
418 }
419
420 if (!sav->key_enc) {
421 ipseclog((LOG_ERR, "esp_cbc_mature: no key is given.\n"));
422 return 1;
423 }
424
425 algo = esp_algorithm_lookup(sav->alg_enc);
426 if (!algo) {
427 ipseclog((LOG_ERR,
428 "esp_cbc_mature %s: unsupported algorithm.\n", algo->name));
429 return 1;
430 }
431
432 keylen = sav->key_enc->sadb_key_bits;
433 if (keylen < algo->keymin || algo->keymax < keylen) {
434 ipseclog((LOG_ERR,
435 "esp_cbc_mature %s: invalid key length %d.\n",
436 algo->name, sav->key_enc->sadb_key_bits));
437 return 1;
438 }
439 switch (sav->alg_enc) {
440 case SADB_EALG_3DESCBC:
441 /* weak key check */
442 if (des_is_weak_key((des_cblock *)_KEYBUF(sav->key_enc)) ||
443 des_is_weak_key((des_cblock *)(_KEYBUF(sav->key_enc) + 8)) ||
444 des_is_weak_key((des_cblock *)(_KEYBUF(sav->key_enc) + 16))) {
445 ipseclog((LOG_ERR,
446 "esp_cbc_mature %s: weak key was passed.\n",
447 algo->name));
448 return 1;
449 }
450 break;
451 case SADB_X_EALG_BLOWFISHCBC:
452 case SADB_X_EALG_CAST128CBC:
453 break;
454 case SADB_X_EALG_RIJNDAELCBC:
455 case SADB_X_EALG_CAMELLIACBC:
456 /* allows specific key sizes only */
457 if (!(keylen == 128 || keylen == 192 || keylen == 256)) {
458 ipseclog((LOG_ERR,
459 "esp_cbc_mature %s: invalid key length %d.\n",
460 algo->name, keylen));
461 return 1;
462 }
463 break;
464 }
465
466 return 0;
467 }
468
469 static size_t
470 esp_blowfish_schedlen(algo)
471 const struct esp_algorithm *algo;
472 {
473
474 return sizeof(BF_KEY);
475 }
476
477 static int
478 esp_blowfish_schedule(algo, sav)
479 const struct esp_algorithm *algo;
480 struct secasvar *sav;
481 {
482
483 BF_set_key((BF_KEY *)sav->sched, _KEYLEN(sav->key_enc),
484 _KEYBUF(sav->key_enc));
485 return 0;
486 }
487
488 static int
489 esp_blowfish_blockdecrypt(algo, sav, s, d)
490 const struct esp_algorithm *algo;
491 struct secasvar *sav;
492 u_int8_t *s;
493 u_int8_t *d;
494 {
495
496 BF_ecb_encrypt(s, d, (BF_KEY *)sav->sched, 0);
497 return 0;
498 }
499
500 static int
501 esp_blowfish_blockencrypt(algo, sav, s, d)
502 const struct esp_algorithm *algo;
503 struct secasvar *sav;
504 u_int8_t *s;
505 u_int8_t *d;
506 {
507
508 BF_ecb_encrypt(s, d, (BF_KEY *)sav->sched, 1);
509 return 0;
510 }
511
512 static size_t
513 esp_cast128_schedlen(algo)
514 const struct esp_algorithm *algo;
515 {
516
517 return sizeof(cast128_key);
518 }
519
520 static int
521 esp_cast128_schedule(algo, sav)
522 const struct esp_algorithm *algo;
523 struct secasvar *sav;
524 {
525
526 cast128_setkey((cast128_key *)sav->sched, _KEYBUF(sav->key_enc),
527 _KEYLEN(sav->key_enc));
528 return 0;
529 }
530
531 static int
532 esp_cast128_blockdecrypt(algo, sav, s, d)
533 const struct esp_algorithm *algo;
534 struct secasvar *sav;
535 u_int8_t *s;
536 u_int8_t *d;
537 {
538
539 cast128_decrypt((cast128_key *)sav->sched, s, d);
540 return 0;
541 }
542
543 static int
544 esp_cast128_blockencrypt(algo, sav, s, d)
545 const struct esp_algorithm *algo;
546 struct secasvar *sav;
547 u_int8_t *s;
548 u_int8_t *d;
549 {
550
551 cast128_encrypt((cast128_key *)sav->sched, s, d);
552 return 0;
553 }
554
555 static size_t
556 esp_3des_schedlen(algo)
557 const struct esp_algorithm *algo;
558 {
559
560 return sizeof(des_key_schedule) * 3;
561 }
562
563 static int
564 esp_3des_schedule(algo, sav)
565 const struct esp_algorithm *algo;
566 struct secasvar *sav;
567 {
568 int error;
569 des_key_schedule *p;
570 int i;
571 u_int8_t *k;
572
573 p = (des_key_schedule *)sav->sched;
574 k = _KEYBUF(sav->key_enc);
575 for (i = 0; i < 3; i++) {
576 error = des_key_sched((des_cblock *)(k + 8 * i), p[i]);
577 if (error)
578 return EINVAL;
579 }
580 return 0;
581 }
582
583 static int
584 esp_3des_blockdecrypt(algo, sav, s, d)
585 const struct esp_algorithm *algo;
586 struct secasvar *sav;
587 u_int8_t *s;
588 u_int8_t *d;
589 {
590 des_key_schedule *p;
591
592 /* assumption: d has a good alignment */
593 p = (des_key_schedule *)sav->sched;
594 bcopy(s, d, sizeof(DES_LONG) * 2);
595 des_ecb3_encrypt((des_cblock *)d, (des_cblock *)d,
596 p[0], p[1], p[2], DES_DECRYPT);
597 return 0;
598 }
599
600 static int
601 esp_3des_blockencrypt(algo, sav, s, d)
602 const struct esp_algorithm *algo;
603 struct secasvar *sav;
604 u_int8_t *s;
605 u_int8_t *d;
606 {
607 des_key_schedule *p;
608
609 /* assumption: d has a good alignment */
610 p = (des_key_schedule *)sav->sched;
611 bcopy(s, d, sizeof(DES_LONG) * 2);
612 des_ecb3_encrypt((des_cblock *)d, (des_cblock *)d,
613 p[0], p[1], p[2], DES_ENCRYPT);
614 return 0;
615 }
616
617 static int
618 esp_common_ivlen(algo, sav)
619 const struct esp_algorithm *algo;
620 struct secasvar *sav;
621 {
622
623 if (!algo)
624 panic("esp_common_ivlen: unknown algorithm");
625 return algo->ivlenval;
626 }
627
628 static int
629 esp_cbc_decrypt(m, off, sav, algo, ivlen)
630 struct mbuf *m;
631 size_t off;
632 struct secasvar *sav;
633 const struct esp_algorithm *algo;
634 int ivlen;
635 {
636 struct mbuf *s;
637 struct mbuf *d, *d0, *dp;
638 int soff, doff; /* offset from the head of chain, to head of this mbuf */
639 int sn, dn; /* offset from the head of the mbuf, to meat */
640 size_t ivoff, bodyoff;
641 u_int8_t iv[MAXIVLEN], *ivp;
642 u_int8_t sbuf[MAXIVLEN], *sp;
643 u_int8_t *p, *q;
644 struct mbuf *scut;
645 int scutoff;
646 int i;
647 int blocklen;
648 int derived;
649
650 if (ivlen != sav->ivlen || ivlen > sizeof(iv)) {
651 ipseclog((LOG_ERR, "esp_cbc_decrypt %s: "
652 "unsupported ivlen %d\n", algo->name, ivlen));
653 m_freem(m);
654 return EINVAL;
655 }
656
657 /* assumes blocklen == padbound */
658 blocklen = algo->padbound;
659
660 #ifdef DIAGNOSTIC
661 if (blocklen > sizeof(iv)) {
662 ipseclog((LOG_ERR, "esp_cbc_decrypt %s: "
663 "unsupported blocklen %d\n", algo->name, blocklen));
664 m_freem(m);
665 return EINVAL;
666 }
667 #endif
668
669 if (sav->flags & SADB_X_EXT_OLD) {
670 /* RFC 1827 */
671 ivoff = off + sizeof(struct esp);
672 bodyoff = off + sizeof(struct esp) + ivlen;
673 derived = 0;
674 } else {
675 /* RFC 2406 */
676 if (sav->flags & SADB_X_EXT_DERIV) {
677 /*
678 * draft-ietf-ipsec-ciph-des-derived-00.txt
679 * uses sequence number field as IV field.
680 */
681 ivoff = off + sizeof(struct esp);
682 bodyoff = off + sizeof(struct esp) + sizeof(u_int32_t);
683 ivlen = sizeof(u_int32_t);
684 derived = 1;
685 } else {
686 ivoff = off + sizeof(struct newesp);
687 bodyoff = off + sizeof(struct newesp) + ivlen;
688 derived = 0;
689 }
690 }
691
692 /* grab iv */
693 m_copydata(m, ivoff, ivlen, (caddr_t)iv);
694
695 /* extend iv */
696 if (ivlen == blocklen)
697 ;
698 else if (ivlen == 4 && blocklen == 8) {
699 bcopy(&iv[0], &iv[4], 4);
700 iv[4] ^= 0xff;
701 iv[5] ^= 0xff;
702 iv[6] ^= 0xff;
703 iv[7] ^= 0xff;
704 } else {
705 ipseclog((LOG_ERR, "esp_cbc_encrypt %s: "
706 "unsupported ivlen/blocklen: %d %d\n",
707 algo->name, ivlen, blocklen));
708 m_freem(m);
709 return EINVAL;
710 }
711
712 if (m->m_pkthdr.len < bodyoff) {
713 ipseclog((LOG_ERR, "esp_cbc_decrypt %s: bad len %d/%lu\n",
714 algo->name, m->m_pkthdr.len, (unsigned long)bodyoff));
715 m_freem(m);
716 return EINVAL;
717 }
718 if ((m->m_pkthdr.len - bodyoff) % blocklen) {
719 ipseclog((LOG_ERR, "esp_cbc_decrypt %s: "
720 "payload length must be multiple of %d\n",
721 algo->name, blocklen));
722 m_freem(m);
723 return EINVAL;
724 }
725
726 s = m;
727 d = d0 = dp = NULL;
728 soff = doff = sn = dn = 0;
729 ivp = sp = NULL;
730
731 /* skip bodyoff */
732 while (soff < bodyoff) {
733 if (soff + s->m_len >= bodyoff) {
734 sn = bodyoff - soff;
735 break;
736 }
737
738 soff += s->m_len;
739 s = s->m_next;
740 }
741 scut = s;
742 scutoff = sn;
743
744 /* skip over empty mbuf */
745 while (s && s->m_len == 0)
746 s = s->m_next;
747
748 while (soff < m->m_pkthdr.len) {
749 /* source */
750 if (sn + blocklen <= s->m_len) {
751 /* body is continuous */
752 sp = mtod(s, u_int8_t *) + sn;
753 } else {
754 /* body is non-continuous */
755 m_copydata(s, sn, blocklen, sbuf);
756 sp = sbuf;
757 }
758
759 /* destination */
760 if (!d || dn + blocklen > d->m_len) {
761 if (d)
762 dp = d;
763 MGET(d, M_DONTWAIT, MT_DATA);
764 i = m->m_pkthdr.len - (soff + sn);
765 if (d && i > MLEN) {
766 MCLGET(d, M_DONTWAIT);
767 if ((d->m_flags & M_EXT) == 0) {
768 m_free(d);
769 d = NULL;
770 }
771 }
772 if (!d) {
773 m_freem(m);
774 if (d0)
775 m_freem(d0);
776 return ENOBUFS;
777 }
778 if (!d0)
779 d0 = d;
780 if (dp)
781 dp->m_next = d;
782 d->m_len = 0;
783 d->m_len = (M_TRAILINGSPACE(d) / blocklen) * blocklen;
784 if (d->m_len > i)
785 d->m_len = i;
786 dn = 0;
787 }
788
789 /* decrypt */
790 (*algo->blockdecrypt)(algo, sav, sp, mtod(d, u_int8_t *) + dn);
791
792 /* xor */
793 p = ivp ? ivp : iv;
794 q = mtod(d, u_int8_t *) + dn;
795 for (i = 0; i < blocklen; i++)
796 q[i] ^= p[i];
797
798 /* next iv */
799 if (sp == sbuf) {
800 bcopy(sbuf, iv, blocklen);
801 ivp = NULL;
802 } else
803 ivp = sp;
804
805 sn += blocklen;
806 dn += blocklen;
807
808 /* find the next source block */
809 while (s && sn >= s->m_len) {
810 sn -= s->m_len;
811 soff += s->m_len;
812 s = s->m_next;
813 }
814
815 /* skip over empty mbuf */
816 while (s && s->m_len == 0)
817 s = s->m_next;
818 }
819
820 m_freem(scut->m_next);
821 scut->m_len = scutoff;
822 scut->m_next = d0;
823
824 /* just in case */
825 bzero(iv, sizeof(iv));
826 bzero(sbuf, sizeof(sbuf));
827
828 return 0;
829 }
830
831 static int
832 esp_cbc_encrypt(m, off, plen, sav, algo, ivlen)
833 struct mbuf *m;
834 size_t off;
835 size_t plen;
836 struct secasvar *sav;
837 const struct esp_algorithm *algo;
838 int ivlen;
839 {
840 struct mbuf *s;
841 struct mbuf *d, *d0, *dp;
842 int soff, doff; /* offset from the head of chain, to head of this mbuf */
843 int sn, dn; /* offset from the head of the mbuf, to meat */
844 size_t ivoff, bodyoff;
845 u_int8_t iv[MAXIVLEN], *ivp;
846 u_int8_t sbuf[MAXIVLEN], *sp;
847 u_int8_t *p, *q;
848 struct mbuf *scut;
849 int scutoff;
850 int i;
851 int blocklen;
852 int derived;
853
854 if (ivlen != sav->ivlen || ivlen > sizeof(iv)) {
855 ipseclog((LOG_ERR, "esp_cbc_encrypt %s: "
856 "unsupported ivlen %d\n", algo->name, ivlen));
857 m_freem(m);
858 return EINVAL;
859 }
860
861 /* assumes blocklen == padbound */
862 blocklen = algo->padbound;
863
864 #ifdef DIAGNOSTIC
865 if (blocklen > sizeof(iv)) {
866 ipseclog((LOG_ERR, "esp_cbc_encrypt %s: "
867 "unsupported blocklen %d\n", algo->name, blocklen));
868 m_freem(m);
869 return EINVAL;
870 }
871 #endif
872
873 if (sav->flags & SADB_X_EXT_OLD) {
874 /* RFC 1827 */
875 ivoff = off + sizeof(struct esp);
876 bodyoff = off + sizeof(struct esp) + ivlen;
877 derived = 0;
878 } else {
879 /* RFC 2406 */
880 if (sav->flags & SADB_X_EXT_DERIV) {
881 /*
882 * draft-ietf-ipsec-ciph-des-derived-00.txt
883 * uses sequence number field as IV field.
884 */
885 ivoff = off + sizeof(struct esp);
886 bodyoff = off + sizeof(struct esp) + sizeof(u_int32_t);
887 ivlen = sizeof(u_int32_t);
888 derived = 1;
889 } else {
890 ivoff = off + sizeof(struct newesp);
891 bodyoff = off + sizeof(struct newesp) + ivlen;
892 derived = 0;
893 }
894 }
895
896 /* put iv into the packet. if we are in derived mode, use seqno. */
897 if (derived)
898 m_copydata(m, ivoff, ivlen, (caddr_t)iv);
899 else {
900 bcopy(sav->iv, iv, ivlen);
901 /* maybe it is better to overwrite dest, not source */
902 m_copyback(m, ivoff, ivlen, (caddr_t)iv);
903 }
904
905 /* extend iv */
906 if (ivlen == blocklen)
907 ;
908 else if (ivlen == 4 && blocklen == 8) {
909 bcopy(&iv[0], &iv[4], 4);
910 iv[4] ^= 0xff;
911 iv[5] ^= 0xff;
912 iv[6] ^= 0xff;
913 iv[7] ^= 0xff;
914 } else {
915 ipseclog((LOG_ERR, "esp_cbc_encrypt %s: "
916 "unsupported ivlen/blocklen: %d %d\n",
917 algo->name, ivlen, blocklen));
918 m_freem(m);
919 return EINVAL;
920 }
921
922 if (m->m_pkthdr.len < bodyoff) {
923 ipseclog((LOG_ERR, "esp_cbc_encrypt %s: bad len %d/%lu\n",
924 algo->name, m->m_pkthdr.len, (unsigned long)bodyoff));
925 m_freem(m);
926 return EINVAL;
927 }
928 if ((m->m_pkthdr.len - bodyoff) % blocklen) {
929 ipseclog((LOG_ERR, "esp_cbc_encrypt %s: "
930 "payload length must be multiple of %lu\n",
931 algo->name, (unsigned long)algo->padbound));
932 m_freem(m);
933 return EINVAL;
934 }
935
936 s = m;
937 d = d0 = dp = NULL;
938 soff = doff = sn = dn = 0;
939 ivp = sp = NULL;
940
941 /* skip bodyoff */
942 while (soff < bodyoff) {
943 if (soff + s->m_len >= bodyoff) {
944 sn = bodyoff - soff;
945 break;
946 }
947
948 soff += s->m_len;
949 s = s->m_next;
950 }
951 scut = s;
952 scutoff = sn;
953
954 /* skip over empty mbuf */
955 while (s && s->m_len == 0)
956 s = s->m_next;
957
958 while (soff < m->m_pkthdr.len) {
959 /* source */
960 if (sn + blocklen <= s->m_len) {
961 /* body is continuous */
962 sp = mtod(s, u_int8_t *) + sn;
963 } else {
964 /* body is non-continuous */
965 m_copydata(s, sn, blocklen, (caddr_t)sbuf);
966 sp = sbuf;
967 }
968
969 /* destination */
970 if (!d || dn + blocklen > d->m_len) {
971 if (d)
972 dp = d;
973 MGET(d, M_DONTWAIT, MT_DATA);
974 i = m->m_pkthdr.len - (soff + sn);
975 if (d && i > MLEN) {
976 MCLGET(d, M_DONTWAIT);
977 if ((d->m_flags & M_EXT) == 0) {
978 m_free(d);
979 d = NULL;
980 }
981 }
982 if (!d) {
983 m_freem(m);
984 if (d0)
985 m_freem(d0);
986 return ENOBUFS;
987 }
988 if (!d0)
989 d0 = d;
990 if (dp)
991 dp->m_next = d;
992 d->m_len = 0;
993 d->m_len = (M_TRAILINGSPACE(d) / blocklen) * blocklen;
994 if (d->m_len > i)
995 d->m_len = i;
996 dn = 0;
997 }
998
999 /* xor */
1000 p = ivp ? ivp : iv;
1001 q = sp;
1002 for (i = 0; i < blocklen; i++)
1003 q[i] ^= p[i];
1004
1005 /* encrypt */
1006 (*algo->blockencrypt)(algo, sav, sp, mtod(d, u_int8_t *) + dn);
1007
1008 /* next iv */
1009 ivp = mtod(d, u_int8_t *) + dn;
1010
1011 sn += blocklen;
1012 dn += blocklen;
1013
1014 /* find the next source block */
1015 while (s && sn >= s->m_len) {
1016 sn -= s->m_len;
1017 soff += s->m_len;
1018 s = s->m_next;
1019 }
1020
1021 /* skip over empty mbuf */
1022 while (s && s->m_len == 0)
1023 s = s->m_next;
1024 }
1025
1026 m_freem(scut->m_next);
1027 scut->m_len = scutoff;
1028 scut->m_next = d0;
1029
1030 /* just in case */
1031 bzero(iv, sizeof(iv));
1032 bzero(sbuf, sizeof(sbuf));
1033
1034 key_sa_stir_iv(sav);
1035
1036 return 0;
1037 }
1038
1039 /*------------------------------------------------------------*/
1040
1041 /* does not free m0 on error */
1042 int
1043 esp_auth(m0, skip, length, sav, sum)
1044 struct mbuf *m0;
1045 size_t skip; /* offset to ESP header */
1046 size_t length; /* payload length */
1047 struct secasvar *sav;
1048 u_char *sum;
1049 {
1050 struct mbuf *m;
1051 size_t off;
1052 struct ah_algorithm_state s;
1053 u_char sumbuf[AH_MAXSUMSIZE];
1054 const struct ah_algorithm *algo;
1055 size_t siz;
1056 int error;
1057
1058 /* sanity checks */
1059 if (m0->m_pkthdr.len < skip) {
1060 ipseclog((LOG_DEBUG, "esp_auth: mbuf length < skip\n"));
1061 return EINVAL;
1062 }
1063 if (m0->m_pkthdr.len < skip + length) {
1064 ipseclog((LOG_DEBUG,
1065 "esp_auth: mbuf length < skip + length\n"));
1066 return EINVAL;
1067 }
1068 /*
1069 * length of esp part (excluding authentication data) must be 4n,
1070 * since nexthdr must be at offset 4n+3.
1071 */
1072 if (length % 4) {
1073 ipseclog((LOG_ERR, "esp_auth: length is not multiple of 4\n"));
1074 return EINVAL;
1075 }
1076 if (!sav) {
1077 ipseclog((LOG_DEBUG, "esp_auth: NULL SA passed\n"));
1078 return EINVAL;
1079 }
1080 algo = ah_algorithm_lookup(sav->alg_auth);
1081 if (!algo) {
1082 ipseclog((LOG_ERR,
1083 "esp_auth: bad ESP auth algorithm passed: %d\n",
1084 sav->alg_auth));
1085 return EINVAL;
1086 }
1087
1088 m = m0;
1089 off = 0;
1090
1091 siz = (((*algo->sumsiz)(sav) + 3) & ~(4 - 1));
1092 if (sizeof(sumbuf) < siz) {
1093 ipseclog((LOG_DEBUG,
1094 "esp_auth: AH_MAXSUMSIZE is too small: siz=%lu\n",
1095 (u_long)siz));
1096 return EINVAL;
1097 }
1098
1099 /* skip the header */
1100 while (skip) {
1101 if (!m)
1102 panic("mbuf chain?");
1103 if (m->m_len <= skip) {
1104 skip -= m->m_len;
1105 m = m->m_next;
1106 off = 0;
1107 } else {
1108 off = skip;
1109 skip = 0;
1110 }
1111 }
1112
1113 error = (*algo->init)(&s, sav);
1114 if (error)
1115 return error;
1116
1117 while (0 < length) {
1118 if (!m)
1119 panic("mbuf chain?");
1120
1121 if (m->m_len - off < length) {
1122 (*algo->update)(&s, mtod(m, u_char *) + off,
1123 m->m_len - off);
1124 length -= m->m_len - off;
1125 m = m->m_next;
1126 off = 0;
1127 } else {
1128 (*algo->update)(&s, mtod(m, u_char *) + off, length);
1129 break;
1130 }
1131 }
1132 (*algo->result)(&s, sumbuf, sizeof(sumbuf));
1133 bcopy(sumbuf, sum, siz); /* XXX */
1134
1135 return 0;
1136 }
Cache object: d1e9d15afbbe03e77f944a1161c91d01
|