The Design and Implementation of the FreeBSD Operating System, Second Edition
Now available: The Design and Implementation of the FreeBSD Operating System (Second Edition)


[ source navigation ] [ diff markup ] [ identifier search ] [ freetext search ] [ file search ] [ list types ] [ track identifier ]

FreeBSD/Linux Kernel Cross Reference
sys/netipsec/xform_ah.c

Version: -  FREEBSD  -  FREEBSD-13-STABLE  -  FREEBSD-13-0  -  FREEBSD-12-STABLE  -  FREEBSD-12-0  -  FREEBSD-11-STABLE  -  FREEBSD-11-0  -  FREEBSD-10-STABLE  -  FREEBSD-10-0  -  FREEBSD-9-STABLE  -  FREEBSD-9-0  -  FREEBSD-8-STABLE  -  FREEBSD-8-0  -  FREEBSD-7-STABLE  -  FREEBSD-7-0  -  FREEBSD-6-STABLE  -  FREEBSD-6-0  -  FREEBSD-5-STABLE  -  FREEBSD-5-0  -  FREEBSD-4-STABLE  -  FREEBSD-3-STABLE  -  FREEBSD22  -  l41  -  OPENBSD  -  linux-2.6  -  MK84  -  PLAN9  -  xnu-8792 
SearchContext: -  none  -  3  -  10 

    1 /*      $FreeBSD: releng/11.2/sys/netipsec/xform_ah.c 331693 2018-03-28 17:49:31Z jhb $ */
    2 /*      $OpenBSD: ip_ah.c,v 1.63 2001/06/26 06:18:58 angelos Exp $ */
    3 /*-
    4  * The authors of this code are John Ioannidis (ji@tla.org),
    5  * Angelos D. Keromytis (kermit@csd.uch.gr) and
    6  * Niels Provos (provos@physnet.uni-hamburg.de).
    7  *
    8  * The original version of this code was written by John Ioannidis
    9  * for BSD/OS in Athens, Greece, in November 1995.
   10  *
   11  * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996,
   12  * by Angelos D. Keromytis.
   13  *
   14  * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis
   15  * and Niels Provos.
   16  *
   17  * Additional features in 1999 by Angelos D. Keromytis and Niklas Hallqvist.
   18  *
   19  * Copyright (c) 1995, 1996, 1997, 1998, 1999 by John Ioannidis,
   20  * Angelos D. Keromytis and Niels Provos.
   21  * Copyright (c) 1999 Niklas Hallqvist.
   22  * Copyright (c) 2001 Angelos D. Keromytis.
   23  *
   24  * Permission to use, copy, and modify this software with or without fee
   25  * is hereby granted, provided that this entire notice is included in
   26  * all copies of any software which is or includes a copy or
   27  * modification of this software.
   28  * You may use this code under the GNU public license if you so wish. Please
   29  * contribute changes back to the authors under this freer than GPL license
   30  * so that we may further the use of strong encryption without limitations to
   31  * all.
   32  *
   33  * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
   34  * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY
   35  * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
   36  * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
   37  * PURPOSE.
   38  */
   39 #include "opt_inet.h"
   40 #include "opt_inet6.h"
   41 
   42 #include <sys/param.h>
   43 #include <sys/systm.h>
   44 #include <sys/mbuf.h>
   45 #include <sys/socket.h>
   46 #include <sys/syslog.h>
   47 #include <sys/kernel.h>
   48 #include <sys/lock.h>
   49 #include <sys/mutex.h>
   50 #include <sys/sysctl.h>
   51 
   52 #include <net/if.h>
   53 #include <net/vnet.h>
   54 
   55 #include <netinet/in.h>
   56 #include <netinet/in_systm.h>
   57 #include <netinet/ip.h>
   58 #include <netinet/ip_ecn.h>
   59 #include <netinet/ip6.h>
   60 
   61 #include <netipsec/ipsec.h>
   62 #include <netipsec/ah.h>
   63 #include <netipsec/ah_var.h>
   64 #include <netipsec/xform.h>
   65 
   66 #ifdef INET6
   67 #include <netinet6/ip6_var.h>
   68 #include <netipsec/ipsec6.h>
   69 #include <netinet6/ip6_ecn.h>
   70 #endif
   71 
   72 #include <netipsec/key.h>
   73 #include <netipsec/key_debug.h>
   74 
   75 #include <opencrypto/cryptodev.h>
   76 
   77 /*
   78  * Return header size in bytes.  The old protocol did not support
   79  * the replay counter; the new protocol always includes the counter.
   80  */
   81 #define HDRSIZE(sav) \
   82         (((sav)->flags & SADB_X_EXT_OLD) ? \
   83                 sizeof (struct ah) : sizeof (struct ah) + sizeof (u_int32_t))
   84 /* 
   85  * Return authenticator size in bytes, based on a field in the
   86  * algorithm descriptor.
   87  */
   88 #define AUTHSIZE(sav)   ((sav->flags & SADB_X_EXT_OLD) ? 16 :   \
   89                          xform_ah_authsize((sav)->tdb_authalgxform))
   90 
   91 VNET_DEFINE(int, ah_enable) = 1;        /* control flow of packets with AH */
   92 VNET_DEFINE(int, ah_cleartos) = 1;      /* clear ip_tos when doing AH calc */
   93 VNET_PCPUSTAT_DEFINE(struct ahstat, ahstat);
   94 VNET_PCPUSTAT_SYSINIT(ahstat);
   95 
   96 #ifdef VIMAGE
   97 VNET_PCPUSTAT_SYSUNINIT(ahstat);
   98 #endif /* VIMAGE */
   99 
  100 #ifdef INET
  101 SYSCTL_DECL(_net_inet_ah);
  102 SYSCTL_INT(_net_inet_ah, OID_AUTO, ah_enable,
  103         CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(ah_enable), 0, "");
  104 SYSCTL_INT(_net_inet_ah, OID_AUTO, ah_cleartos,
  105         CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(ah_cleartos), 0, "");
  106 SYSCTL_VNET_PCPUSTAT(_net_inet_ah, IPSECCTL_STATS, stats, struct ahstat,
  107     ahstat, "AH statistics (struct ahstat, netipsec/ah_var.h)");
  108 #endif
  109 
  110 static unsigned char ipseczeroes[256];  /* larger than an ip6 extension hdr */
  111 
  112 static int ah_input_cb(struct cryptop*);
  113 static int ah_output_cb(struct cryptop*);
  114 
  115 int
  116 xform_ah_authsize(const struct auth_hash *esph)
  117 {
  118         int alen;
  119 
  120         if (esph == NULL)
  121                 return 0;
  122 
  123         switch (esph->type) {
  124         case CRYPTO_SHA2_256_HMAC:
  125         case CRYPTO_SHA2_384_HMAC:
  126         case CRYPTO_SHA2_512_HMAC:
  127                 alen = esph->hashsize / 2;      /* RFC4868 2.3 */
  128                 break;
  129 
  130         case CRYPTO_AES_128_NIST_GMAC:
  131         case CRYPTO_AES_192_NIST_GMAC:
  132         case CRYPTO_AES_256_NIST_GMAC:
  133                 alen = esph->hashsize;
  134                 break;
  135 
  136         default:
  137                 alen = AH_HMAC_HASHLEN;
  138                 break;
  139         }
  140 
  141         return alen;
  142 }
  143 
  144 size_t
  145 ah_hdrsiz(struct secasvar *sav)
  146 {
  147         size_t size;
  148 
  149         if (sav != NULL) {
  150                 int authsize;
  151                 IPSEC_ASSERT(sav->tdb_authalgxform != NULL, ("null xform"));
  152                 /*XXX not right for null algorithm--does it matter??*/
  153                 authsize = AUTHSIZE(sav);
  154                 size = roundup(authsize, sizeof (u_int32_t)) + HDRSIZE(sav);
  155         } else {
  156                 /* default guess */
  157                 size = sizeof (struct ah) + sizeof (u_int32_t) + 16;
  158         }
  159         return size;
  160 }
  161 
  162 /*
  163  * NB: public for use by esp_init.
  164  */
  165 int
  166 ah_init0(struct secasvar *sav, struct xformsw *xsp, struct cryptoini *cria)
  167 {
  168         const struct auth_hash *thash;
  169         int keylen;
  170 
  171         thash = auth_algorithm_lookup(sav->alg_auth);
  172         if (thash == NULL) {
  173                 DPRINTF(("%s: unsupported authentication algorithm %u\n",
  174                         __func__, sav->alg_auth));
  175                 return EINVAL;
  176         }
  177         /*
  178          * Verify the replay state block allocation is consistent with
  179          * the protocol type.  We check here so we can make assumptions
  180          * later during protocol processing.
  181          */
  182         /* NB: replay state is setup elsewhere (sigh) */
  183         if (((sav->flags&SADB_X_EXT_OLD) == 0) ^ (sav->replay != NULL)) {
  184                 DPRINTF(("%s: replay state block inconsistency, "
  185                         "%s algorithm %s replay state\n", __func__,
  186                         (sav->flags & SADB_X_EXT_OLD) ? "old" : "new",
  187                         sav->replay == NULL ? "without" : "with"));
  188                 return EINVAL;
  189         }
  190         if (sav->key_auth == NULL) {
  191                 DPRINTF(("%s: no authentication key for %s algorithm\n",
  192                         __func__, thash->name));
  193                 return EINVAL;
  194         }
  195         keylen = _KEYLEN(sav->key_auth);
  196         if (keylen != thash->keysize && thash->keysize != 0) {
  197                 DPRINTF(("%s: invalid keylength %d, algorithm %s requires "
  198                         "keysize %d\n", __func__,
  199                          keylen, thash->name, thash->keysize));
  200                 return EINVAL;
  201         }
  202 
  203         sav->tdb_xform = xsp;
  204         sav->tdb_authalgxform = thash;
  205 
  206         /* Initialize crypto session. */
  207         bzero(cria, sizeof (*cria));
  208         cria->cri_alg = sav->tdb_authalgxform->type;
  209         cria->cri_klen = _KEYBITS(sav->key_auth);
  210         cria->cri_key = sav->key_auth->key_data;
  211         cria->cri_mlen = AUTHSIZE(sav);
  212 
  213         return 0;
  214 }
  215 
  216 /*
  217  * ah_init() is called when an SPI is being set up.
  218  */
  219 static int
  220 ah_init(struct secasvar *sav, struct xformsw *xsp)
  221 {
  222         struct cryptoini cria;
  223         int error;
  224 
  225         error = ah_init0(sav, xsp, &cria);
  226         return error ? error :
  227                  crypto_newsession(&sav->tdb_cryptoid, &cria, V_crypto_support);
  228 }
  229 
  230 /*
  231  * Paranoia.
  232  *
  233  * NB: public for use by esp_zeroize (XXX).
  234  */
  235 int
  236 ah_zeroize(struct secasvar *sav)
  237 {
  238         int err;
  239 
  240         if (sav->key_auth)
  241                 bzero(sav->key_auth->key_data, _KEYLEN(sav->key_auth));
  242 
  243         err = crypto_freesession(sav->tdb_cryptoid);
  244         sav->tdb_cryptoid = 0;
  245         sav->tdb_authalgxform = NULL;
  246         sav->tdb_xform = NULL;
  247         return err;
  248 }
  249 
  250 /*
  251  * Massage IPv4/IPv6 headers for AH processing.
  252  */
  253 static int
  254 ah_massage_headers(struct mbuf **m0, int proto, int skip, int alg, int out)
  255 {
  256         struct mbuf *m = *m0;
  257         unsigned char *ptr;
  258         int off, count;
  259 
  260 #ifdef INET
  261         struct ip *ip;
  262 #endif /* INET */
  263 
  264 #ifdef INET6
  265         struct ip6_ext *ip6e;
  266         struct ip6_hdr ip6;
  267         int ad, alloc, nxt, noff;
  268 #endif /* INET6 */
  269 
  270         switch (proto) {
  271 #ifdef INET
  272         case AF_INET:
  273                 /*
  274                  * This is the least painful way of dealing with IPv4 header
  275                  * and option processing -- just make sure they're in
  276                  * contiguous memory.
  277                  */
  278                 *m0 = m = m_pullup(m, skip);
  279                 if (m == NULL) {
  280                         DPRINTF(("%s: m_pullup failed\n", __func__));
  281                         return ENOBUFS;
  282                 }
  283 
  284                 /* Fix the IP header */
  285                 ip = mtod(m, struct ip *);
  286                 if (V_ah_cleartos)
  287                         ip->ip_tos = 0;
  288                 ip->ip_ttl = 0;
  289                 ip->ip_sum = 0;
  290 
  291                 if (alg == CRYPTO_MD5_KPDK || alg == CRYPTO_SHA1_KPDK)
  292                         ip->ip_off &= htons(IP_DF);
  293                 else
  294                         ip->ip_off = htons(0);
  295 
  296                 ptr = mtod(m, unsigned char *);
  297 
  298                 /* IPv4 option processing */
  299                 for (off = sizeof(struct ip); off < skip;) {
  300                         if (ptr[off] == IPOPT_EOL || ptr[off] == IPOPT_NOP ||
  301                             off + 1 < skip)
  302                                 ;
  303                         else {
  304                                 DPRINTF(("%s: illegal IPv4 option length for "
  305                                         "option %d\n", __func__, ptr[off]));
  306 
  307                                 m_freem(m);
  308                                 return EINVAL;
  309                         }
  310 
  311                         switch (ptr[off]) {
  312                         case IPOPT_EOL:
  313                                 off = skip;  /* End the loop. */
  314                                 break;
  315 
  316                         case IPOPT_NOP:
  317                                 off++;
  318                                 break;
  319 
  320                         case IPOPT_SECURITY:    /* 0x82 */
  321                         case 0x85:      /* Extended security. */
  322                         case 0x86:      /* Commercial security. */
  323                         case 0x94:      /* Router alert */
  324                         case 0x95:      /* RFC1770 */
  325                                 /* Sanity check for option length. */
  326                                 if (ptr[off + 1] < 2) {
  327                                         DPRINTF(("%s: illegal IPv4 option "
  328                                                 "length for option %d\n",
  329                                                 __func__, ptr[off]));
  330 
  331                                         m_freem(m);
  332                                         return EINVAL;
  333                                 }
  334 
  335                                 off += ptr[off + 1];
  336                                 break;
  337 
  338                         case IPOPT_LSRR:
  339                         case IPOPT_SSRR:
  340                                 /* Sanity check for option length. */
  341                                 if (ptr[off + 1] < 2) {
  342                                         DPRINTF(("%s: illegal IPv4 option "
  343                                                 "length for option %d\n",
  344                                                 __func__, ptr[off]));
  345 
  346                                         m_freem(m);
  347                                         return EINVAL;
  348                                 }
  349 
  350                                 /*
  351                                  * On output, if we have either of the
  352                                  * source routing options, we should
  353                                  * swap the destination address of the
  354                                  * IP header with the last address
  355                                  * specified in the option, as that is
  356                                  * what the destination's IP header
  357                                  * will look like.
  358                                  */
  359                                 if (out)
  360                                         bcopy(ptr + off + ptr[off + 1] -
  361                                             sizeof(struct in_addr),
  362                                             &(ip->ip_dst), sizeof(struct in_addr));
  363 
  364                                 /* Fall through */
  365                         default:
  366                                 /* Sanity check for option length. */
  367                                 if (ptr[off + 1] < 2) {
  368                                         DPRINTF(("%s: illegal IPv4 option "
  369                                                 "length for option %d\n",
  370                                                 __func__, ptr[off]));
  371                                         m_freem(m);
  372                                         return EINVAL;
  373                                 }
  374 
  375                                 /* Zeroize all other options. */
  376                                 count = ptr[off + 1];
  377                                 bcopy(ipseczeroes, ptr + off, count);
  378                                 off += count;
  379                                 break;
  380                         }
  381 
  382                         /* Sanity check. */
  383                         if (off > skip) {
  384                                 DPRINTF(("%s: malformed IPv4 options header\n",
  385                                         __func__));
  386 
  387                                 m_freem(m);
  388                                 return EINVAL;
  389                         }
  390                 }
  391 
  392                 break;
  393 #endif /* INET */
  394 
  395 #ifdef INET6
  396         case AF_INET6:  /* Ugly... */
  397                 /* Copy and "cook" the IPv6 header. */
  398                 m_copydata(m, 0, sizeof(ip6), (caddr_t) &ip6);
  399 
  400                 /* We don't do IPv6 Jumbograms. */
  401                 if (ip6.ip6_plen == 0) {
  402                         DPRINTF(("%s: unsupported IPv6 jumbogram\n", __func__));
  403                         m_freem(m);
  404                         return EMSGSIZE;
  405                 }
  406 
  407                 ip6.ip6_flow = 0;
  408                 ip6.ip6_hlim = 0;
  409                 ip6.ip6_vfc &= ~IPV6_VERSION_MASK;
  410                 ip6.ip6_vfc |= IPV6_VERSION;
  411 
  412                 /* Scoped address handling. */
  413                 if (IN6_IS_SCOPE_LINKLOCAL(&ip6.ip6_src))
  414                         ip6.ip6_src.s6_addr16[1] = 0;
  415                 if (IN6_IS_SCOPE_LINKLOCAL(&ip6.ip6_dst))
  416                         ip6.ip6_dst.s6_addr16[1] = 0;
  417 
  418                 /* Done with IPv6 header. */
  419                 m_copyback(m, 0, sizeof(struct ip6_hdr), (caddr_t) &ip6);
  420 
  421                 /* Let's deal with the remaining headers (if any). */
  422                 if (skip - sizeof(struct ip6_hdr) > 0) {
  423                         if (m->m_len <= skip) {
  424                                 ptr = (unsigned char *) malloc(
  425                                     skip - sizeof(struct ip6_hdr),
  426                                     M_XDATA, M_NOWAIT);
  427                                 if (ptr == NULL) {
  428                                         DPRINTF(("%s: failed to allocate memory"
  429                                                 "for IPv6 headers\n",__func__));
  430                                         m_freem(m);
  431                                         return ENOBUFS;
  432                                 }
  433 
  434                                 /*
  435                                  * Copy all the protocol headers after
  436                                  * the IPv6 header.
  437                                  */
  438                                 m_copydata(m, sizeof(struct ip6_hdr),
  439                                     skip - sizeof(struct ip6_hdr), ptr);
  440                                 alloc = 1;
  441                         } else {
  442                                 /* No need to allocate memory. */
  443                                 ptr = mtod(m, unsigned char *) +
  444                                     sizeof(struct ip6_hdr);
  445                                 alloc = 0;
  446                         }
  447                 } else
  448                         break;
  449 
  450                 nxt = ip6.ip6_nxt & 0xff; /* Next header type. */
  451 
  452                 for (off = 0; off < skip - sizeof(struct ip6_hdr);)
  453                         switch (nxt) {
  454                         case IPPROTO_HOPOPTS:
  455                         case IPPROTO_DSTOPTS:
  456                                 ip6e = (struct ip6_ext *)(ptr + off);
  457                                 noff = off + ((ip6e->ip6e_len + 1) << 3);
  458 
  459                                 /* Sanity check. */
  460                                 if (noff > skip - sizeof(struct ip6_hdr))
  461                                         goto error6;
  462 
  463                                 /*
  464                                  * Zero out mutable options.
  465                                  */
  466                                 for (count = off + sizeof(struct ip6_ext);
  467                                      count < noff;) {
  468                                         if (ptr[count] == IP6OPT_PAD1) {
  469                                                 count++;
  470                                                 continue; /* Skip padding. */
  471                                         }
  472 
  473                                         ad = ptr[count + 1] + 2;
  474                                         if (count + ad > noff)
  475                                                 goto error6;
  476 
  477                                         if (ptr[count] & IP6OPT_MUTABLE)
  478                                                 memset(ptr + count, 0, ad);
  479                                         count += ad;
  480                                 }
  481 
  482                                 if (count != noff)
  483                                         goto error6;
  484 
  485                                 /* Advance. */
  486                                 off += ((ip6e->ip6e_len + 1) << 3);
  487                                 nxt = ip6e->ip6e_nxt;
  488                                 break;
  489 
  490                         case IPPROTO_ROUTING:
  491                                 /*
  492                                  * Always include routing headers in
  493                                  * computation.
  494                                  */
  495                                 ip6e = (struct ip6_ext *) (ptr + off);
  496                                 off += ((ip6e->ip6e_len + 1) << 3);
  497                                 nxt = ip6e->ip6e_nxt;
  498                                 break;
  499 
  500                         default:
  501                                 DPRINTF(("%s: unexpected IPv6 header type %d",
  502                                         __func__, off));
  503 error6:
  504                                 if (alloc)
  505                                         free(ptr, M_XDATA);
  506                                 m_freem(m);
  507                                 return EINVAL;
  508                         }
  509 
  510                 /* Copyback and free, if we allocated. */
  511                 if (alloc) {
  512                         m_copyback(m, sizeof(struct ip6_hdr),
  513                             skip - sizeof(struct ip6_hdr), ptr);
  514                         free(ptr, M_XDATA);
  515                 }
  516 
  517                 break;
  518 #endif /* INET6 */
  519         }
  520 
  521         return 0;
  522 }
  523 
  524 /*
  525  * ah_input() gets called to verify that an input packet
  526  * passes authentication.
  527  */
  528 static int
  529 ah_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
  530 {
  531         IPSEC_DEBUG_DECLARE(char buf[128]);
  532         const struct auth_hash *ahx;
  533         struct cryptodesc *crda;
  534         struct cryptop *crp;
  535         struct xform_data *xd;
  536         struct newah *ah;
  537         uint64_t cryptoid;
  538         int hl, rplen, authsize, error;
  539 
  540         IPSEC_ASSERT(sav != NULL, ("null SA"));
  541         IPSEC_ASSERT(sav->key_auth != NULL, ("null authentication key"));
  542         IPSEC_ASSERT(sav->tdb_authalgxform != NULL,
  543                 ("null authentication xform"));
  544 
  545         /* Figure out header size. */
  546         rplen = HDRSIZE(sav);
  547 
  548         /* XXX don't pullup, just copy header */
  549         IP6_EXTHDR_GET(ah, struct newah *, m, skip, rplen);
  550         if (ah == NULL) {
  551                 DPRINTF(("ah_input: cannot pullup header\n"));
  552                 AHSTAT_INC(ahs_hdrops);         /*XXX*/
  553                 error = ENOBUFS;
  554                 goto bad;
  555         }
  556 
  557         /* Check replay window, if applicable. */
  558         SECASVAR_LOCK(sav);
  559         if (sav->replay != NULL && sav->replay->wsize != 0 &&
  560             ipsec_chkreplay(ntohl(ah->ah_seq), sav) == 0) {
  561                 SECASVAR_UNLOCK(sav);
  562                 AHSTAT_INC(ahs_replay);
  563                 DPRINTF(("%s: packet replay failure: %s\n", __func__,
  564                     ipsec_sa2str(sav, buf, sizeof(buf))));
  565                 error = EACCES;
  566                 goto bad;
  567         }
  568         cryptoid = sav->tdb_cryptoid;
  569         SECASVAR_UNLOCK(sav);
  570 
  571         /* Verify AH header length. */
  572         hl = ah->ah_len * sizeof (u_int32_t);
  573         ahx = sav->tdb_authalgxform;
  574         authsize = AUTHSIZE(sav);
  575         if (hl != authsize + rplen - sizeof (struct ah)) {
  576                 DPRINTF(("%s: bad authenticator length %u (expecting %lu)"
  577                     " for packet in SA %s/%08lx\n", __func__, hl,
  578                     (u_long) (authsize + rplen - sizeof (struct ah)),
  579                     ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)),
  580                     (u_long) ntohl(sav->spi)));
  581                 AHSTAT_INC(ahs_badauthl);
  582                 error = EACCES;
  583                 goto bad;
  584         }
  585         if (skip + authsize + rplen > m->m_pkthdr.len) {
  586                 DPRINTF(("%s: bad mbuf length %u (expecting %lu)"
  587                     " for packet in SA %s/%08lx\n", __func__,
  588                     m->m_pkthdr.len, (u_long) (skip + authsize + rplen),
  589                     ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)),
  590                     (u_long) ntohl(sav->spi)));
  591                 AHSTAT_INC(ahs_badauthl);
  592                 error = EACCES;
  593                 goto bad;
  594         }
  595         AHSTAT_ADD(ahs_ibytes, m->m_pkthdr.len - skip - hl);
  596 
  597         /* Get crypto descriptors. */
  598         crp = crypto_getreq(1);
  599         if (crp == NULL) {
  600                 DPRINTF(("%s: failed to acquire crypto descriptor\n",
  601                     __func__));
  602                 AHSTAT_INC(ahs_crypto);
  603                 error = ENOBUFS;
  604                 goto bad;
  605         }
  606 
  607         crda = crp->crp_desc;
  608         IPSEC_ASSERT(crda != NULL, ("null crypto descriptor"));
  609 
  610         crda->crd_skip = 0;
  611         crda->crd_len = m->m_pkthdr.len;
  612         crda->crd_inject = skip + rplen;
  613 
  614         /* Authentication operation. */
  615         crda->crd_alg = ahx->type;
  616         crda->crd_klen = _KEYBITS(sav->key_auth);
  617         crda->crd_key = sav->key_auth->key_data;
  618 
  619         /* Allocate IPsec-specific opaque crypto info. */
  620         xd = malloc(sizeof(*xd) + skip + rplen + authsize, M_XDATA,
  621             M_NOWAIT | M_ZERO);
  622         if (xd == NULL) {
  623                 DPRINTF(("%s: failed to allocate xform_data\n", __func__));
  624                 AHSTAT_INC(ahs_crypto);
  625                 crypto_freereq(crp);
  626                 error = ENOBUFS;
  627                 goto bad;
  628         }
  629 
  630         /*
  631          * Save the authenticator, the skipped portion of the packet,
  632          * and the AH header.
  633          */
  634         m_copydata(m, 0, skip + rplen + authsize, (caddr_t)(xd + 1));
  635 
  636         /* Zeroize the authenticator on the packet. */
  637         m_copyback(m, skip + rplen, authsize, ipseczeroes);
  638 
  639         /* Save ah_nxt, since ah pointer can become invalid after "massage" */
  640         hl = ah->ah_nxt;
  641 
  642         /* "Massage" the packet headers for crypto processing. */
  643         error = ah_massage_headers(&m, sav->sah->saidx.dst.sa.sa_family,
  644             skip, ahx->type, 0);
  645         if (error != 0) {
  646                 /* NB: mbuf is free'd by ah_massage_headers */
  647                 AHSTAT_INC(ahs_hdrops);
  648                 free(xd, M_XDATA);
  649                 crypto_freereq(crp);
  650                 key_freesav(&sav);
  651                 return (error);
  652         }
  653 
  654         /* Crypto operation descriptor. */
  655         crp->crp_ilen = m->m_pkthdr.len; /* Total input length. */
  656         crp->crp_flags = CRYPTO_F_IMBUF | CRYPTO_F_CBIFSYNC;
  657         crp->crp_buf = (caddr_t) m;
  658         crp->crp_callback = ah_input_cb;
  659         crp->crp_sid = cryptoid;
  660         crp->crp_opaque = (caddr_t) xd;
  661 
  662         /* These are passed as-is to the callback. */
  663         xd->sav = sav;
  664         xd->nxt = hl;
  665         xd->protoff = protoff;
  666         xd->skip = skip;
  667         xd->cryptoid = cryptoid;
  668         xd->vnet = curvnet;
  669         return (crypto_dispatch(crp));
  670 bad:
  671         m_freem(m);
  672         key_freesav(&sav);
  673         return (error);
  674 }
  675 
  676 /*
  677  * AH input callback from the crypto driver.
  678  */
  679 static int
  680 ah_input_cb(struct cryptop *crp)
  681 {
  682         IPSEC_DEBUG_DECLARE(char buf[IPSEC_ADDRSTRLEN]);
  683         unsigned char calc[AH_ALEN_MAX];
  684         const struct auth_hash *ahx;
  685         struct mbuf *m;
  686         struct cryptodesc *crd;
  687         struct xform_data *xd;
  688         struct secasvar *sav;
  689         struct secasindex *saidx;
  690         caddr_t ptr;
  691         uint64_t cryptoid;
  692         int authsize, rplen, error, skip, protoff;
  693         uint8_t nxt;
  694 
  695         crd = crp->crp_desc;
  696         m = (struct mbuf *) crp->crp_buf;
  697         xd = (struct xform_data *) crp->crp_opaque;
  698         CURVNET_SET(xd->vnet);
  699         sav = xd->sav;
  700         skip = xd->skip;
  701         nxt = xd->nxt;
  702         protoff = xd->protoff;
  703         cryptoid = xd->cryptoid;
  704         saidx = &sav->sah->saidx;
  705         IPSEC_ASSERT(saidx->dst.sa.sa_family == AF_INET ||
  706                 saidx->dst.sa.sa_family == AF_INET6,
  707                 ("unexpected protocol family %u", saidx->dst.sa.sa_family));
  708 
  709         ahx = sav->tdb_authalgxform;
  710 
  711         /* Check for crypto errors. */
  712         if (crp->crp_etype) {
  713                 if (crp->crp_etype == EAGAIN) {
  714                         /* Reset the session ID */
  715                         if (ipsec_updateid(sav, &crp->crp_sid, &cryptoid) != 0)
  716                                 crypto_freesession(cryptoid);
  717                         xd->cryptoid = crp->crp_sid;
  718                         CURVNET_RESTORE();
  719                         return (crypto_dispatch(crp));
  720                 }
  721                 AHSTAT_INC(ahs_noxform);
  722                 DPRINTF(("%s: crypto error %d\n", __func__, crp->crp_etype));
  723                 error = crp->crp_etype;
  724                 goto bad;
  725         } else {
  726                 AHSTAT_INC(ahs_hist[sav->alg_auth]);
  727                 crypto_freereq(crp);            /* No longer needed. */
  728                 crp = NULL;
  729         }
  730 
  731         /* Shouldn't happen... */
  732         if (m == NULL) {
  733                 AHSTAT_INC(ahs_crypto);
  734                 DPRINTF(("%s: bogus returned buffer from crypto\n", __func__));
  735                 error = EINVAL;
  736                 goto bad;
  737         }
  738 
  739         /* Figure out header size. */
  740         rplen = HDRSIZE(sav);
  741         authsize = AUTHSIZE(sav);
  742 
  743         /* Copy authenticator off the packet. */
  744         m_copydata(m, skip + rplen, authsize, calc);
  745 
  746         /* Verify authenticator. */
  747         ptr = (caddr_t) (xd + 1);
  748         if (timingsafe_bcmp(ptr + skip + rplen, calc, authsize)) {
  749                 DPRINTF(("%s: authentication hash mismatch for packet "
  750                     "in SA %s/%08lx\n", __func__,
  751                     ipsec_address(&saidx->dst, buf, sizeof(buf)),
  752                     (u_long) ntohl(sav->spi)));
  753                 AHSTAT_INC(ahs_badauth);
  754                 error = EACCES;
  755                 goto bad;
  756         }
  757         /* Fix the Next Protocol field. */
  758         ((uint8_t *) ptr)[protoff] = nxt;
  759 
  760         /* Copyback the saved (uncooked) network headers. */
  761         m_copyback(m, 0, skip, ptr);
  762         free(xd, M_XDATA), xd = NULL;                   /* No longer needed */
  763 
  764         /*
  765          * Header is now authenticated.
  766          */
  767         m->m_flags |= M_AUTHIPHDR|M_AUTHIPDGM;
  768 
  769         /*
  770          * Update replay sequence number, if appropriate.
  771          */
  772         if (sav->replay) {
  773                 u_int32_t seq;
  774 
  775                 m_copydata(m, skip + offsetof(struct newah, ah_seq),
  776                            sizeof (seq), (caddr_t) &seq);
  777                 SECASVAR_LOCK(sav);
  778                 if (ipsec_updatereplay(ntohl(seq), sav)) {
  779                         SECASVAR_UNLOCK(sav);
  780                         AHSTAT_INC(ahs_replay);
  781                         error = EACCES;
  782                         goto bad;
  783                 }
  784                 SECASVAR_UNLOCK(sav);
  785         }
  786 
  787         /*
  788          * Remove the AH header and authenticator from the mbuf.
  789          */
  790         error = m_striphdr(m, skip, rplen + authsize);
  791         if (error) {
  792                 DPRINTF(("%s: mangled mbuf chain for SA %s/%08lx\n", __func__,
  793                     ipsec_address(&saidx->dst, buf, sizeof(buf)),
  794                     (u_long) ntohl(sav->spi)));
  795                 AHSTAT_INC(ahs_hdrops);
  796                 goto bad;
  797         }
  798 
  799         switch (saidx->dst.sa.sa_family) {
  800 #ifdef INET6
  801         case AF_INET6:
  802                 error = ipsec6_common_input_cb(m, sav, skip, protoff);
  803                 break;
  804 #endif
  805 #ifdef INET
  806         case AF_INET:
  807                 error = ipsec4_common_input_cb(m, sav, skip, protoff);
  808                 break;
  809 #endif
  810         default:
  811                 panic("%s: Unexpected address family: %d saidx=%p", __func__,
  812                     saidx->dst.sa.sa_family, saidx);
  813         }
  814         CURVNET_RESTORE();
  815         return error;
  816 bad:
  817         CURVNET_RESTORE();
  818         if (sav)
  819                 key_freesav(&sav);
  820         if (m != NULL)
  821                 m_freem(m);
  822         if (xd != NULL)
  823                 free(xd, M_XDATA);
  824         if (crp != NULL)
  825                 crypto_freereq(crp);
  826         return error;
  827 }
  828 
  829 /*
  830  * AH output routine, called by ipsec[46]_perform_request().
  831  */
  832 static int
  833 ah_output(struct mbuf *m, struct secpolicy *sp, struct secasvar *sav,
  834     u_int idx, int skip, int protoff)
  835 {
  836         IPSEC_DEBUG_DECLARE(char buf[IPSEC_ADDRSTRLEN]);
  837         const struct auth_hash *ahx;
  838         struct cryptodesc *crda;
  839         struct xform_data *xd;
  840         struct mbuf *mi;
  841         struct cryptop *crp;
  842         struct newah *ah;
  843         uint64_t cryptoid;
  844         uint16_t iplen;
  845         int error, rplen, authsize, maxpacketsize, roff;
  846         uint8_t prot;
  847 
  848         IPSEC_ASSERT(sav != NULL, ("null SA"));
  849         ahx = sav->tdb_authalgxform;
  850         IPSEC_ASSERT(ahx != NULL, ("null authentication xform"));
  851 
  852         AHSTAT_INC(ahs_output);
  853 
  854         /* Figure out header size. */
  855         rplen = HDRSIZE(sav);
  856 
  857         /* Check for maximum packet size violations. */
  858         switch (sav->sah->saidx.dst.sa.sa_family) {
  859 #ifdef INET
  860         case AF_INET:
  861                 maxpacketsize = IP_MAXPACKET;
  862                 break;
  863 #endif /* INET */
  864 #ifdef INET6
  865         case AF_INET6:
  866                 maxpacketsize = IPV6_MAXPACKET;
  867                 break;
  868 #endif /* INET6 */
  869         default:
  870                 DPRINTF(("%s: unknown/unsupported protocol family %u, "
  871                     "SA %s/%08lx\n", __func__,
  872                     sav->sah->saidx.dst.sa.sa_family,
  873                     ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)),
  874                     (u_long) ntohl(sav->spi)));
  875                 AHSTAT_INC(ahs_nopf);
  876                 error = EPFNOSUPPORT;
  877                 goto bad;
  878         }
  879         authsize = AUTHSIZE(sav);
  880         if (rplen + authsize + m->m_pkthdr.len > maxpacketsize) {
  881                 DPRINTF(("%s: packet in SA %s/%08lx got too big "
  882                     "(len %u, max len %u)\n", __func__,
  883                     ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)),
  884                     (u_long) ntohl(sav->spi),
  885                     rplen + authsize + m->m_pkthdr.len, maxpacketsize));
  886                 AHSTAT_INC(ahs_toobig);
  887                 error = EMSGSIZE;
  888                 goto bad;
  889         }
  890 
  891         /* Update the counters. */
  892         AHSTAT_ADD(ahs_obytes, m->m_pkthdr.len - skip);
  893 
  894         m = m_unshare(m, M_NOWAIT);
  895         if (m == NULL) {
  896                 DPRINTF(("%s: cannot clone mbuf chain, SA %s/%08lx\n", __func__,
  897                     ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)),
  898                     (u_long) ntohl(sav->spi)));
  899                 AHSTAT_INC(ahs_hdrops);
  900                 error = ENOBUFS;
  901                 goto bad;
  902         }
  903 
  904         /* Inject AH header. */
  905         mi = m_makespace(m, skip, rplen + authsize, &roff);
  906         if (mi == NULL) {
  907                 DPRINTF(("%s: failed to inject %u byte AH header for SA "
  908                     "%s/%08lx\n", __func__,
  909                     rplen + authsize,
  910                     ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)),
  911                     (u_long) ntohl(sav->spi)));
  912                 AHSTAT_INC(ahs_hdrops);         /*XXX differs from openbsd */
  913                 error = ENOBUFS;
  914                 goto bad;
  915         }
  916 
  917         /*
  918          * The AH header is guaranteed by m_makespace() to be in
  919          * contiguous memory, at roff bytes offset into the returned mbuf.
  920          */
  921         ah = (struct newah *)(mtod(mi, caddr_t) + roff);
  922 
  923         /* Initialize the AH header. */
  924         m_copydata(m, protoff, sizeof(u_int8_t), (caddr_t) &ah->ah_nxt);
  925         ah->ah_len = (rplen + authsize - sizeof(struct ah)) / sizeof(u_int32_t);
  926         ah->ah_reserve = 0;
  927         ah->ah_spi = sav->spi;
  928 
  929         /* Zeroize authenticator. */
  930         m_copyback(m, skip + rplen, authsize, ipseczeroes);
  931 
  932         /* Insert packet replay counter, as requested.  */
  933         SECASVAR_LOCK(sav);
  934         if (sav->replay) {
  935                 if (sav->replay->count == ~0 &&
  936                     (sav->flags & SADB_X_EXT_CYCSEQ) == 0) {
  937                         SECASVAR_UNLOCK(sav);
  938                         DPRINTF(("%s: replay counter wrapped for SA %s/%08lx\n",
  939                             __func__, ipsec_address(&sav->sah->saidx.dst, buf,
  940                             sizeof(buf)), (u_long) ntohl(sav->spi)));
  941                         AHSTAT_INC(ahs_wrap);
  942                         error = EACCES;
  943                         goto bad;
  944                 }
  945 #ifdef REGRESSION
  946                 /* Emulate replay attack when ipsec_replay is TRUE. */
  947                 if (!V_ipsec_replay)
  948 #endif
  949                         sav->replay->count++;
  950                 ah->ah_seq = htonl(sav->replay->count);
  951         }
  952         cryptoid = sav->tdb_cryptoid;
  953         SECASVAR_UNLOCK(sav);
  954 
  955         /* Get crypto descriptors. */
  956         crp = crypto_getreq(1);
  957         if (crp == NULL) {
  958                 DPRINTF(("%s: failed to acquire crypto descriptors\n",
  959                         __func__));
  960                 AHSTAT_INC(ahs_crypto);
  961                 error = ENOBUFS;
  962                 goto bad;
  963         }
  964 
  965         crda = crp->crp_desc;
  966         crda->crd_skip = 0;
  967         crda->crd_inject = skip + rplen;
  968         crda->crd_len = m->m_pkthdr.len;
  969 
  970         /* Authentication operation. */
  971         crda->crd_alg = ahx->type;
  972         crda->crd_key = sav->key_auth->key_data;
  973         crda->crd_klen = _KEYBITS(sav->key_auth);
  974 
  975         /* Allocate IPsec-specific opaque crypto info. */
  976         xd =  malloc(sizeof(struct xform_data) + skip, M_XDATA,
  977             M_NOWAIT | M_ZERO);
  978         if (xd == NULL) {
  979                 crypto_freereq(crp);
  980                 DPRINTF(("%s: failed to allocate xform_data\n", __func__));
  981                 AHSTAT_INC(ahs_crypto);
  982                 error = ENOBUFS;
  983                 goto bad;
  984         }
  985 
  986         /* Save the skipped portion of the packet. */
  987         m_copydata(m, 0, skip, (caddr_t) (xd + 1));
  988 
  989         /*
  990          * Fix IP header length on the header used for
  991          * authentication. We don't need to fix the original
  992          * header length as it will be fixed by our caller.
  993          */
  994         switch (sav->sah->saidx.dst.sa.sa_family) {
  995 #ifdef INET
  996         case AF_INET:
  997                 bcopy(((caddr_t)(xd + 1)) +
  998                     offsetof(struct ip, ip_len),
  999                     (caddr_t) &iplen, sizeof(u_int16_t));
 1000                 iplen = htons(ntohs(iplen) + rplen + authsize);
 1001                 m_copyback(m, offsetof(struct ip, ip_len),
 1002                     sizeof(u_int16_t), (caddr_t) &iplen);
 1003                 break;
 1004 #endif /* INET */
 1005 
 1006 #ifdef INET6
 1007         case AF_INET6:
 1008                 bcopy(((caddr_t)(xd + 1)) +
 1009                     offsetof(struct ip6_hdr, ip6_plen),
 1010                     (caddr_t) &iplen, sizeof(uint16_t));
 1011                 iplen = htons(ntohs(iplen) + rplen + authsize);
 1012                 m_copyback(m, offsetof(struct ip6_hdr, ip6_plen),
 1013                     sizeof(uint16_t), (caddr_t) &iplen);
 1014                 break;
 1015 #endif /* INET6 */
 1016         }
 1017 
 1018         /* Fix the Next Header field in saved header. */
 1019         ((uint8_t *) (xd + 1))[protoff] = IPPROTO_AH;
 1020 
 1021         /* Update the Next Protocol field in the IP header. */
 1022         prot = IPPROTO_AH;
 1023         m_copyback(m, protoff, sizeof(uint8_t), (caddr_t) &prot);
 1024 
 1025         /* "Massage" the packet headers for crypto processing. */
 1026         error = ah_massage_headers(&m, sav->sah->saidx.dst.sa.sa_family,
 1027                         skip, ahx->type, 1);
 1028         if (error != 0) {
 1029                 m = NULL;       /* mbuf was free'd by ah_massage_headers. */
 1030                 free(xd, M_XDATA);
 1031                 crypto_freereq(crp);
 1032                 goto bad;
 1033         }
 1034 
 1035         /* Crypto operation descriptor. */
 1036         crp->crp_ilen = m->m_pkthdr.len; /* Total input length. */
 1037         crp->crp_flags = CRYPTO_F_IMBUF | CRYPTO_F_CBIFSYNC;
 1038         crp->crp_buf = (caddr_t) m;
 1039         crp->crp_callback = ah_output_cb;
 1040         crp->crp_sid = cryptoid;
 1041         crp->crp_opaque = (caddr_t) xd;
 1042 
 1043         /* These are passed as-is to the callback. */
 1044         xd->sp = sp;
 1045         xd->sav = sav;
 1046         xd->skip = skip;
 1047         xd->idx = idx;
 1048         xd->cryptoid = cryptoid;
 1049         xd->vnet = curvnet;
 1050 
 1051         return crypto_dispatch(crp);
 1052 bad:
 1053         if (m)
 1054                 m_freem(m);
 1055         key_freesav(&sav);
 1056         key_freesp(&sp);
 1057         return (error);
 1058 }
 1059 
 1060 /*
 1061  * AH output callback from the crypto driver.
 1062  */
 1063 static int
 1064 ah_output_cb(struct cryptop *crp)
 1065 {
 1066         struct xform_data *xd;
 1067         struct secpolicy *sp;
 1068         struct secasvar *sav;
 1069         struct mbuf *m;
 1070         uint64_t cryptoid;
 1071         caddr_t ptr;
 1072         u_int idx;
 1073         int skip, error;
 1074 
 1075         m = (struct mbuf *) crp->crp_buf;
 1076         xd = (struct xform_data *) crp->crp_opaque;
 1077         CURVNET_SET(xd->vnet);
 1078         sp = xd->sp;
 1079         sav = xd->sav;
 1080         skip = xd->skip;
 1081         idx = xd->idx;
 1082         cryptoid = xd->cryptoid;
 1083         ptr = (caddr_t) (xd + 1);
 1084 
 1085         /* Check for crypto errors. */
 1086         if (crp->crp_etype) {
 1087                 if (crp->crp_etype == EAGAIN) {
 1088                         /* Reset the session ID */
 1089                         if (ipsec_updateid(sav, &crp->crp_sid, &cryptoid) != 0)
 1090                                 crypto_freesession(cryptoid);
 1091                         xd->cryptoid = crp->crp_sid;
 1092                         CURVNET_RESTORE();
 1093                         return (crypto_dispatch(crp));
 1094                 }
 1095                 AHSTAT_INC(ahs_noxform);
 1096                 DPRINTF(("%s: crypto error %d\n", __func__, crp->crp_etype));
 1097                 error = crp->crp_etype;
 1098                 m_freem(m);
 1099                 goto bad;
 1100         }
 1101 
 1102         /* Shouldn't happen... */
 1103         if (m == NULL) {
 1104                 AHSTAT_INC(ahs_crypto);
 1105                 DPRINTF(("%s: bogus returned buffer from crypto\n", __func__));
 1106                 error = EINVAL;
 1107                 goto bad;
 1108         }
 1109         /*
 1110          * Copy original headers (with the new protocol number) back
 1111          * in place.
 1112          */
 1113         m_copyback(m, 0, skip, ptr);
 1114 
 1115         free(xd, M_XDATA);
 1116         crypto_freereq(crp);
 1117         AHSTAT_INC(ahs_hist[sav->alg_auth]);
 1118 #ifdef REGRESSION
 1119         /* Emulate man-in-the-middle attack when ipsec_integrity is TRUE. */
 1120         if (V_ipsec_integrity) {
 1121                 int alen;
 1122 
 1123                 /*
 1124                  * Corrupt HMAC if we want to test integrity verification of
 1125                  * the other side.
 1126                  */
 1127                 alen = AUTHSIZE(sav);
 1128                 m_copyback(m, m->m_pkthdr.len - alen, alen, ipseczeroes);
 1129         }
 1130 #endif
 1131 
 1132         /* NB: m is reclaimed by ipsec_process_done. */
 1133         error = ipsec_process_done(m, sp, sav, idx);
 1134         CURVNET_RESTORE();
 1135         return (error);
 1136 bad:
 1137         CURVNET_RESTORE();
 1138         free(xd, M_XDATA);
 1139         crypto_freereq(crp);
 1140         key_freesav(&sav);
 1141         key_freesp(&sp);
 1142         return (error);
 1143 }
 1144 
 1145 static struct xformsw ah_xformsw = {
 1146         .xf_type =      XF_AH,
 1147         .xf_name =      "IPsec AH",
 1148         .xf_init =      ah_init,
 1149         .xf_zeroize =   ah_zeroize,
 1150         .xf_input =     ah_input,
 1151         .xf_output =    ah_output,
 1152 };
 1153 
 1154 SYSINIT(ah_xform_init, SI_SUB_PROTO_DOMAIN, SI_ORDER_MIDDLE,
 1155     xform_attach, &ah_xformsw);
 1156 SYSUNINIT(ah_xform_uninit, SI_SUB_PROTO_DOMAIN, SI_ORDER_MIDDLE,
 1157     xform_detach, &ah_xformsw);

Cache object: 0475ba1fc4dd7175d103c74869d0b5f6


[ source navigation ] [ diff markup ] [ identifier search ] [ freetext search ] [ file search ] [ list types ] [ track identifier ]


This page is part of the FreeBSD/Linux Linux Kernel Cross-Reference, and was automatically generated using a modified version of the LXR engine.