The Design and Implementation of the FreeBSD Operating System, Second Edition
Now available: The Design and Implementation of the FreeBSD Operating System (Second Edition)


[ source navigation ] [ diff markup ] [ identifier search ] [ freetext search ] [ file search ] [ list types ] [ track identifier ]

FreeBSD/Linux Kernel Cross Reference
sys/netipsec/xform_esp.c

Version: -  FREEBSD  -  FREEBSD-13-STABLE  -  FREEBSD-13-0  -  FREEBSD-12-STABLE  -  FREEBSD-12-0  -  FREEBSD-11-STABLE  -  FREEBSD-11-0  -  FREEBSD-10-STABLE  -  FREEBSD-10-0  -  FREEBSD-9-STABLE  -  FREEBSD-9-0  -  FREEBSD-8-STABLE  -  FREEBSD-8-0  -  FREEBSD-7-STABLE  -  FREEBSD-7-0  -  FREEBSD-6-STABLE  -  FREEBSD-6-0  -  FREEBSD-5-STABLE  -  FREEBSD-5-0  -  FREEBSD-4-STABLE  -  FREEBSD-3-STABLE  -  FREEBSD22  -  l41  -  OPENBSD  -  linux-2.6  -  MK84  -  PLAN9  -  xnu-8792 
SearchContext: -  none  -  3  -  10 

    1 /*      $FreeBSD: releng/5.1/sys/netipsec/xform_esp.c 111297 2003-02-23 07:25:48Z sam $ */
    2 /*      $OpenBSD: ip_esp.c,v 1.69 2001/06/26 06:18:59 angelos Exp $ */
    3 /*
    4  * The authors of this code are John Ioannidis (ji@tla.org),
    5  * Angelos D. Keromytis (kermit@csd.uch.gr) and
    6  * Niels Provos (provos@physnet.uni-hamburg.de).
    7  *
    8  * The original version of this code was written by John Ioannidis
    9  * for BSD/OS in Athens, Greece, in November 1995.
   10  *
   11  * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996,
   12  * by Angelos D. Keromytis.
   13  *
   14  * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis
   15  * and Niels Provos.
   16  *
   17  * Additional features in 1999 by Angelos D. Keromytis.
   18  *
   19  * Copyright (C) 1995, 1996, 1997, 1998, 1999 by John Ioannidis,
   20  * Angelos D. Keromytis and Niels Provos.
   21  * Copyright (c) 2001 Angelos D. Keromytis.
   22  *
   23  * Permission to use, copy, and modify this software with or without fee
   24  * is hereby granted, provided that this entire notice is included in
   25  * all copies of any software which is or includes a copy or
   26  * modification of this software.
   27  * You may use this code under the GNU public license if you so wish. Please
   28  * contribute changes back to the authors under this freer than GPL license
   29  * so that we may further the use of strong encryption without limitations to
   30  * all.
   31  *
   32  * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
   33  * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY
   34  * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
   35  * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
   36  * PURPOSE.
   37  */
   38 #include "opt_inet.h"
   39 #include "opt_inet6.h"
   40 
   41 #include <sys/param.h>
   42 #include <sys/systm.h>
   43 #include <sys/mbuf.h>
   44 #include <sys/socket.h>
   45 #include <sys/syslog.h>
   46 #include <sys/kernel.h>
   47 #include <sys/random.h>
   48 #include <sys/sysctl.h>
   49 
   50 #include <net/if.h>
   51 
   52 #include <netinet/in.h>
   53 #include <netinet/in_systm.h>
   54 #include <netinet/ip.h>
   55 #include <netinet/ip_ecn.h>
   56 #include <netinet/ip6.h>
   57 
   58 #include <net/route.h>
   59 #include <netipsec/ipsec.h>
   60 #include <netipsec/ah.h>
   61 #include <netipsec/ah_var.h>
   62 #include <netipsec/esp.h>
   63 #include <netipsec/esp_var.h>
   64 #include <netipsec/xform.h>
   65 
   66 #ifdef INET6
   67 #include <netinet6/ip6_var.h>
   68 #include <netipsec/ipsec6.h>
   69 #include <netinet6/ip6_ecn.h>
   70 #endif
   71 
   72 #include <netipsec/key.h>
   73 #include <netipsec/key_debug.h>
   74 
   75 #include <opencrypto/cryptodev.h>
   76 #include <opencrypto/xform.h>
   77 
   78 int     esp_enable = 1;
   79 struct  espstat espstat;
   80 
   81 SYSCTL_DECL(_net_inet_esp);
   82 SYSCTL_INT(_net_inet_esp, OID_AUTO,
   83         esp_enable,     CTLFLAG_RW,     &esp_enable,    0, "");
   84 SYSCTL_STRUCT(_net_inet_esp, IPSECCTL_STATS,
   85         stats,          CTLFLAG_RD,     &espstat,       espstat, "");
   86 
   87 static  int esp_max_ivlen;              /* max iv length over all algorithms */
   88 
   89 static int esp_input_cb(struct cryptop *op);
   90 static int esp_output_cb(struct cryptop *crp);
   91 
   92 /*
   93  * NB: this is public for use by the PF_KEY support.
   94  * NB: if you add support here; be sure to add code to esp_attach below!
   95  */
   96 struct enc_xform *
   97 esp_algorithm_lookup(int alg)
   98 {
   99         if (alg >= ESP_ALG_MAX)
  100                 return NULL;
  101         switch (alg) {
  102         case SADB_EALG_DESCBC:
  103                 return &enc_xform_des;
  104         case SADB_EALG_3DESCBC:
  105                 return &enc_xform_3des;
  106         case SADB_X_EALG_AES:
  107                 return &enc_xform_rijndael128;
  108         case SADB_X_EALG_BLOWFISHCBC:
  109                 return &enc_xform_blf;
  110         case SADB_X_EALG_CAST128CBC:
  111                 return &enc_xform_cast5;
  112         case SADB_X_EALG_SKIPJACK:
  113                 return &enc_xform_skipjack;
  114         case SADB_EALG_NULL:
  115                 return &enc_xform_null;
  116         }
  117         return NULL;
  118 }
  119 
  120 size_t
  121 esp_hdrsiz(struct secasvar *sav)
  122 {
  123         size_t size;
  124 
  125         if (sav != NULL) {
  126                 /*XXX not right for null algorithm--does it matter??*/
  127                 KASSERT(sav->tdb_encalgxform != NULL,
  128                         ("esp_hdrsiz: SA with null xform"));
  129                 if (sav->flags & SADB_X_EXT_OLD)
  130                         size = sizeof (struct esp);
  131                 else
  132                         size = sizeof (struct newesp);
  133                 size += sav->tdb_encalgxform->blocksize + 9;
  134                 /*XXX need alg check???*/
  135                 if (sav->tdb_authalgxform != NULL && sav->replay)
  136                         size += ah_hdrsiz(sav);
  137         } else {
  138                 /*
  139                  *   base header size
  140                  * + max iv length for CBC mode
  141                  * + max pad length
  142                  * + sizeof (pad length field)
  143                  * + sizeof (next header field)
  144                  * + max icv supported.
  145                  */
  146                 size = sizeof (struct newesp) + esp_max_ivlen + 9 + 16;
  147         }
  148         return size;
  149 }
  150 
  151 /*
  152  * esp_init() is called when an SPI is being set up.
  153  */
  154 static int
  155 esp_init(struct secasvar *sav, struct xformsw *xsp)
  156 {
  157         struct enc_xform *txform;
  158         struct cryptoini cria, crie;
  159         int keylen;
  160         int error;
  161 
  162         txform = esp_algorithm_lookup(sav->alg_enc);
  163         if (txform == NULL) {
  164                 DPRINTF(("esp_init: unsupported encryption algorithm %d\n",
  165                         sav->alg_enc));
  166                 return EINVAL;
  167         }
  168         if (sav->key_enc == NULL) {
  169                 DPRINTF(("esp_init: no encoding key for %s algorithm\n",
  170                          txform->name));
  171                 return EINVAL;
  172         }
  173         if ((sav->flags&(SADB_X_EXT_OLD|SADB_X_EXT_IV4B)) == SADB_X_EXT_IV4B) {
  174                 DPRINTF(("esp_init: 4-byte IV not supported with protocol\n"));
  175                 return EINVAL;
  176         }
  177         keylen = _KEYLEN(sav->key_enc);
  178         if (txform->minkey > keylen || keylen > txform->maxkey) {
  179                 DPRINTF(("esp_init: invalid key length %u, must be in "
  180                         "the range [%u..%u] for algorithm %s\n",
  181                         keylen, txform->minkey, txform->maxkey,
  182                         txform->name));
  183                 return EINVAL;
  184         }
  185 
  186         /*
  187          * NB: The null xform needs a non-zero blocksize to keep the
  188          *      crypto code happy but if we use it to set ivlen then
  189          *      the ESP header will be processed incorrectly.  The
  190          *      compromise is to force it to zero here.
  191          */
  192         sav->ivlen = (txform == &enc_xform_null ? 0 : txform->blocksize);
  193         sav->iv = (caddr_t) malloc(sav->ivlen, M_XDATA, M_WAITOK);
  194         if (sav->iv == NULL) {
  195                 DPRINTF(("esp_init: no memory for IV\n"));
  196                 return EINVAL;
  197         }
  198         key_randomfill(sav->iv, sav->ivlen);    /*XXX*/
  199 
  200         /*
  201          * Setup AH-related state.
  202          */
  203         if (sav->alg_auth != 0) {
  204                 error = ah_init0(sav, xsp, &cria);
  205                 if (error)
  206                         return error;
  207         }
  208 
  209         /* NB: override anything set in ah_init0 */
  210         sav->tdb_xform = xsp;
  211         sav->tdb_encalgxform = txform;
  212 
  213         /* Initialize crypto session. */
  214         bzero(&crie, sizeof (crie));
  215         crie.cri_alg = sav->tdb_encalgxform->type;
  216         crie.cri_klen = _KEYBITS(sav->key_enc);
  217         crie.cri_key = _KEYBUF(sav->key_enc);
  218         /* XXX Rounds ? */
  219 
  220         if (sav->tdb_authalgxform && sav->tdb_encalgxform) {
  221                 /* init both auth & enc */
  222                 crie.cri_next = &cria;
  223                 error = crypto_newsession(&sav->tdb_cryptoid,
  224                                           &crie, crypto_support);
  225         } else if (sav->tdb_encalgxform) {
  226                 error = crypto_newsession(&sav->tdb_cryptoid,
  227                                           &crie, crypto_support);
  228         } else if (sav->tdb_authalgxform) {
  229                 error = crypto_newsession(&sav->tdb_cryptoid,
  230                                           &cria, crypto_support);
  231         } else {
  232                 /* XXX cannot happen? */
  233                 DPRINTF(("esp_init: no encoding OR authentication xform!\n"));
  234                 error = EINVAL;
  235         }
  236         return error;
  237 }
  238 
  239 /*
  240  * Paranoia.
  241  */
  242 static int
  243 esp_zeroize(struct secasvar *sav)
  244 {
  245         /* NB: ah_zerorize free's the crypto session state */
  246         int error = ah_zeroize(sav);
  247 
  248         if (sav->key_enc)
  249                 bzero(_KEYBUF(sav->key_enc), _KEYLEN(sav->key_enc));
  250         /* NB: sav->iv is freed elsewhere, even though we malloc it! */
  251         sav->tdb_encalgxform = NULL;
  252         sav->tdb_xform = NULL;
  253         return error;
  254 }
  255 
  256 /*
  257  * ESP input processing, called (eventually) through the protocol switch.
  258  */
  259 static int
  260 esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
  261 {
  262         struct auth_hash *esph;
  263         struct enc_xform *espx;
  264         struct tdb_ident *tdbi;
  265         struct tdb_crypto *tc;
  266         int plen, alen, hlen;
  267         struct m_tag *mtag;
  268         struct newesp *esp;
  269 
  270         struct cryptodesc *crde;
  271         struct cryptop *crp;
  272 
  273 #if 0
  274         SPLASSERT(net, "esp_input");
  275 #endif
  276 
  277         KASSERT(sav != NULL, ("esp_input: null SA"));
  278         KASSERT(sav->tdb_encalgxform != NULL,
  279                 ("esp_input: null encoding xform"));
  280         KASSERT((skip&3) == 0 && (m->m_pkthdr.len&3) == 0,
  281                 ("esp_input: misaligned packet, skip %u pkt len %u",
  282                         skip, m->m_pkthdr.len));
  283 
  284         /* XXX don't pullup, just copy header */
  285         IP6_EXTHDR_GET(esp, struct newesp *, m, skip, sizeof (struct newesp));
  286 
  287         esph = sav->tdb_authalgxform;
  288         espx = sav->tdb_encalgxform;
  289 
  290         /* Determine the ESP header length */
  291         if (sav->flags & SADB_X_EXT_OLD)
  292                 hlen = sizeof (struct esp) + sav->ivlen;
  293         else
  294                 hlen = sizeof (struct newesp) + sav->ivlen;
  295         /* Authenticator hash size */
  296         alen = esph ? AH_HMAC_HASHLEN : 0;
  297 
  298         /*
  299          * Verify payload length is multiple of encryption algorithm
  300          * block size.
  301          *
  302          * NB: This works for the null algorithm because the blocksize
  303          *     is 4 and all packets must be 4-byte aligned regardless
  304          *     of the algorithm.
  305          */
  306         plen = m->m_pkthdr.len - (skip + hlen + alen);
  307         if ((plen & (espx->blocksize - 1)) || (plen <= 0)) {
  308                 DPRINTF(("esp_input: "
  309                     "payload of %d octets not a multiple of %d octets,"
  310                     "  SA %s/%08lx\n",
  311                     plen, espx->blocksize,
  312                     ipsec_address(&sav->sah->saidx.dst),
  313                     (u_long) ntohl(sav->spi)));
  314                 espstat.esps_badilen++;
  315                 m_freem(m);
  316                 return EINVAL;
  317         }
  318 
  319         /*
  320          * Check sequence number.
  321          */
  322         if (esph && sav->replay && !ipsec_chkreplay(ntohl(esp->esp_seq), sav)) {
  323                 DPRINTF(("esp_input: packet replay check for %s\n",
  324                     ipsec_logsastr(sav)));      /*XXX*/
  325                 espstat.esps_replay++;
  326                 m_freem(m);
  327                 return ENOBUFS;         /*XXX*/
  328         }
  329 
  330         /* Update the counters */
  331         espstat.esps_ibytes += m->m_pkthdr.len - skip - hlen - alen;
  332 
  333         /* Find out if we've already done crypto */
  334         for (mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_CRYPTO_DONE, NULL);
  335              mtag != NULL;
  336              mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_CRYPTO_DONE, mtag)) {
  337                 tdbi = (struct tdb_ident *) (mtag + 1);
  338                 if (tdbi->proto == sav->sah->saidx.proto &&
  339                     tdbi->spi == sav->spi &&
  340                     !bcmp(&tdbi->dst, &sav->sah->saidx.dst,
  341                           sizeof(union sockaddr_union)))
  342                         break;
  343         }
  344 
  345         /* Get crypto descriptors */
  346         crp = crypto_getreq(esph && espx ? 2 : 1);
  347         if (crp == NULL) {
  348                 DPRINTF(("esp_input: failed to acquire crypto descriptors\n"));
  349                 espstat.esps_crypto++;
  350                 m_freem(m);
  351                 return ENOBUFS;
  352         }
  353 
  354         /* Get IPsec-specific opaque pointer */
  355         if (esph == NULL || mtag != NULL)
  356                 tc = (struct tdb_crypto *) malloc(sizeof(struct tdb_crypto),
  357                     M_XDATA, M_NOWAIT|M_ZERO);
  358         else
  359                 tc = (struct tdb_crypto *) malloc(sizeof(struct tdb_crypto) + alen,
  360                     M_XDATA, M_NOWAIT|M_ZERO);
  361         if (tc == NULL) {
  362                 crypto_freereq(crp);
  363                 DPRINTF(("esp_input: failed to allocate tdb_crypto\n"));
  364                 espstat.esps_crypto++;
  365                 m_freem(m);
  366                 return ENOBUFS;
  367         }
  368 
  369         tc->tc_ptr = (caddr_t) mtag;
  370 
  371         if (esph) {
  372                 struct cryptodesc *crda = crp->crp_desc;
  373 
  374                 KASSERT(crda != NULL, ("esp_input: null ah crypto descriptor"));
  375 
  376                 /* Authentication descriptor */
  377                 crda->crd_skip = skip;
  378                 crda->crd_len = m->m_pkthdr.len - (skip + alen);
  379                 crda->crd_inject = m->m_pkthdr.len - alen;
  380 
  381                 crda->crd_alg = esph->type;
  382                 crda->crd_key = _KEYBUF(sav->key_auth);
  383                 crda->crd_klen = _KEYBITS(sav->key_auth);
  384 
  385                 /* Copy the authenticator */
  386                 if (mtag == NULL)
  387                         m_copydata(m, m->m_pkthdr.len - alen, alen,
  388                                    (caddr_t) (tc + 1));
  389 
  390                 /* Chain authentication request */
  391                 crde = crda->crd_next;
  392         } else {
  393                 crde = crp->crp_desc;
  394         }
  395 
  396         /* Crypto operation descriptor */
  397         crp->crp_ilen = m->m_pkthdr.len; /* Total input length */
  398         crp->crp_flags = CRYPTO_F_IMBUF;
  399         crp->crp_buf = (caddr_t) m;
  400         crp->crp_callback = esp_input_cb;
  401         crp->crp_sid = sav->tdb_cryptoid;
  402         crp->crp_opaque = (caddr_t) tc;
  403 
  404         /* These are passed as-is to the callback */
  405         tc->tc_spi = sav->spi;
  406         tc->tc_dst = sav->sah->saidx.dst;
  407         tc->tc_proto = sav->sah->saidx.proto;
  408         tc->tc_protoff = protoff;
  409         tc->tc_skip = skip;
  410 
  411         /* Decryption descriptor */
  412         if (espx) {
  413                 KASSERT(crde != NULL, ("esp_input: null esp crypto descriptor"));
  414                 crde->crd_skip = skip + hlen;
  415                 crde->crd_len = m->m_pkthdr.len - (skip + hlen + alen);
  416                 crde->crd_inject = skip + hlen - sav->ivlen;
  417 
  418                 crde->crd_alg = espx->type;
  419                 crde->crd_key = _KEYBUF(sav->key_enc);
  420                 crde->crd_klen = _KEYBITS(sav->key_enc);
  421                 /* XXX Rounds ? */
  422         }
  423 
  424         if (mtag == NULL)
  425                 return crypto_dispatch(crp);
  426         else
  427                 return esp_input_cb(crp);
  428 }
  429 
  430 #ifdef INET6
  431 #define IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff, mtag) do {              \
  432         if (saidx->dst.sa.sa_family == AF_INET6) {                           \
  433                 error = ipsec6_common_input_cb(m, sav, skip, protoff, mtag); \
  434         } else {                                                             \
  435                 error = ipsec4_common_input_cb(m, sav, skip, protoff, mtag); \
  436         }                                                                    \
  437 } while (0)
  438 #else
  439 #define IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff, mtag)                   \
  440         (error = ipsec4_common_input_cb(m, sav, skip, protoff, mtag))
  441 #endif
  442 
  443 /*
  444  * ESP input callback from the crypto driver.
  445  */
  446 static int
  447 esp_input_cb(struct cryptop *crp)
  448 {
  449         u_int8_t lastthree[3], aalg[AH_HMAC_HASHLEN];
  450         int s, hlen, skip, protoff, error;
  451         struct mbuf *m;
  452         struct cryptodesc *crd;
  453         struct auth_hash *esph;
  454         struct enc_xform *espx;
  455         struct tdb_crypto *tc;
  456         struct m_tag *mtag;
  457         struct secasvar *sav;
  458         struct secasindex *saidx;
  459         caddr_t ptr;
  460 
  461         crd = crp->crp_desc;
  462         KASSERT(crd != NULL, ("esp_input_cb: null crypto descriptor!"));
  463 
  464         tc = (struct tdb_crypto *) crp->crp_opaque;
  465         KASSERT(tc != NULL, ("esp_input_cb: null opaque crypto data area!"));
  466         skip = tc->tc_skip;
  467         protoff = tc->tc_protoff;
  468         mtag = (struct m_tag *) tc->tc_ptr;
  469         m = (struct mbuf *) crp->crp_buf;
  470 
  471         s = splnet();
  472 
  473         sav = KEY_ALLOCSA(&tc->tc_dst, tc->tc_proto, tc->tc_spi);
  474         if (sav == NULL) {
  475                 espstat.esps_notdb++;
  476                 DPRINTF(("esp_input_cb: SA expired while in crypto "
  477                     "(SA %s/%08lx proto %u)\n", ipsec_address(&tc->tc_dst),
  478                     (u_long) ntohl(tc->tc_spi), tc->tc_proto));
  479                 error = ENOBUFS;                /*XXX*/
  480                 goto bad;
  481         }
  482 
  483         saidx = &sav->sah->saidx;
  484         KASSERT(saidx->dst.sa.sa_family == AF_INET ||
  485                 saidx->dst.sa.sa_family == AF_INET6,
  486                 ("ah_input_cb: unexpected protocol family %u",
  487                  saidx->dst.sa.sa_family));
  488 
  489         esph = sav->tdb_authalgxform;
  490         espx = sav->tdb_encalgxform;
  491 
  492         /* Check for crypto errors */
  493         if (crp->crp_etype) {
  494                 /* Reset the session ID */
  495                 if (sav->tdb_cryptoid != 0)
  496                         sav->tdb_cryptoid = crp->crp_sid;
  497 
  498                 if (crp->crp_etype == EAGAIN) {
  499                         KEY_FREESAV(&sav);
  500                         splx(s);
  501                         return crypto_dispatch(crp);
  502                 }
  503 
  504                 espstat.esps_noxform++;
  505                 DPRINTF(("esp_input_cb: crypto error %d\n", crp->crp_etype));
  506                 error = crp->crp_etype;
  507                 goto bad;
  508         }
  509 
  510         /* Shouldn't happen... */
  511         if (m == NULL) {
  512                 espstat.esps_crypto++;
  513                 DPRINTF(("esp_input_cb: bogus returned buffer from crypto\n"));
  514                 error = EINVAL;
  515                 goto bad;
  516         }
  517         espstat.esps_hist[sav->alg_enc]++;
  518 
  519         /* If authentication was performed, check now. */
  520         if (esph != NULL) {
  521                 /*
  522                  * If we have a tag, it means an IPsec-aware NIC did
  523                  * the verification for us.  Otherwise we need to
  524                  * check the authentication calculation.
  525                  */
  526                 ahstat.ahs_hist[sav->alg_auth]++;
  527                 if (mtag == NULL) {
  528                         /* Copy the authenticator from the packet */
  529                         m_copydata(m, m->m_pkthdr.len - esph->authsize,
  530                                 esph->authsize, aalg);
  531 
  532                         ptr = (caddr_t) (tc + 1);
  533 
  534                         /* Verify authenticator */
  535                         if (bcmp(ptr, aalg, esph->authsize) != 0) {
  536                                 DPRINTF(("esp_input_cb: "
  537                     "authentication hash mismatch for packet in SA %s/%08lx\n",
  538                                     ipsec_address(&saidx->dst),
  539                                     (u_long) ntohl(sav->spi)));
  540                                 espstat.esps_badauth++;
  541                                 error = EACCES;
  542                                 goto bad;
  543                         }
  544                 }
  545 
  546                 /* Remove trailing authenticator */
  547                 m_adj(m, -(esph->authsize));
  548         }
  549 
  550         /* Release the crypto descriptors */
  551         free(tc, M_XDATA), tc = NULL;
  552         crypto_freereq(crp), crp = NULL;
  553 
  554         /*
  555          * Packet is now decrypted.
  556          */
  557         m->m_flags |= M_DECRYPTED;
  558 
  559         /* Determine the ESP header length */
  560         if (sav->flags & SADB_X_EXT_OLD)
  561                 hlen = sizeof (struct esp) + sav->ivlen;
  562         else
  563                 hlen = sizeof (struct newesp) + sav->ivlen;
  564 
  565         /* Remove the ESP header and IV from the mbuf. */
  566         error = m_striphdr(m, skip, hlen);
  567         if (error) {
  568                 espstat.esps_hdrops++;
  569                 DPRINTF(("esp_input_cb: bad mbuf chain, SA %s/%08lx\n",
  570                     ipsec_address(&sav->sah->saidx.dst),
  571                     (u_long) ntohl(sav->spi)));
  572                 goto bad;
  573         }
  574 
  575         /* Save the last three bytes of decrypted data */
  576         m_copydata(m, m->m_pkthdr.len - 3, 3, lastthree);
  577 
  578         /* Verify pad length */
  579         if (lastthree[1] + 2 > m->m_pkthdr.len - skip) {
  580                 espstat.esps_badilen++;
  581                 DPRINTF(("esp_input_cb: invalid padding length %d "
  582                          "for %u byte packet in SA %s/%08lx\n",
  583                          lastthree[1], m->m_pkthdr.len - skip,
  584                          ipsec_address(&sav->sah->saidx.dst),
  585                          (u_long) ntohl(sav->spi)));
  586                 error = EINVAL;
  587                 goto bad;
  588         }
  589 
  590         /* Verify correct decryption by checking the last padding bytes */
  591         if ((sav->flags & SADB_X_EXT_PMASK) != SADB_X_EXT_PRAND) {
  592                 if (lastthree[1] != lastthree[0] && lastthree[1] != 0) {
  593                         espstat.esps_badenc++;
  594                         DPRINTF(("esp_input_cb: decryption failed "
  595                                 "for packet in SA %s/%08lx\n",
  596                                 ipsec_address(&sav->sah->saidx.dst),
  597                                 (u_long) ntohl(sav->spi)));
  598 DPRINTF(("esp_input_cb: %x %x\n", lastthree[0], lastthree[1]));
  599                         error = EINVAL;
  600                         goto bad;
  601                 }
  602         }
  603 
  604         /* Trim the mbuf chain to remove trailing authenticator and padding */
  605         m_adj(m, -(lastthree[1] + 2));
  606 
  607         /* Restore the Next Protocol field */
  608         m_copyback(m, protoff, sizeof (u_int8_t), lastthree + 2);
  609 
  610         IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff, mtag);
  611 
  612         KEY_FREESAV(&sav);
  613         splx(s);
  614         return error;
  615 bad:
  616         if (sav)
  617                 KEY_FREESAV(&sav);
  618         splx(s);
  619         if (m != NULL)
  620                 m_freem(m);
  621         if (tc != NULL)
  622                 free(tc, M_XDATA);
  623         if (crp != NULL)
  624                 crypto_freereq(crp);
  625         return error;
  626 }
  627 
  628 /*
  629  * ESP output routine, called by ipsec[46]_process_packet().
  630  */
  631 static int
  632 esp_output(
  633         struct mbuf *m,
  634         struct ipsecrequest *isr,
  635         struct mbuf **mp,
  636         int skip,
  637         int protoff
  638 )
  639 {
  640         struct enc_xform *espx;
  641         struct auth_hash *esph;
  642         int hlen, rlen, plen, padding, blks, alen, i, roff;
  643         struct mbuf *mo = (struct mbuf *) NULL;
  644         struct tdb_crypto *tc;
  645         struct secasvar *sav;
  646         struct secasindex *saidx;
  647         unsigned char *pad;
  648         u_int8_t prot;
  649         int error, maxpacketsize;
  650 
  651         struct cryptodesc *crde = NULL, *crda = NULL;
  652         struct cryptop *crp;
  653 
  654 #if 0
  655         SPLASSERT(net, "esp_output");
  656 #endif
  657 
  658         sav = isr->sav;
  659         KASSERT(sav != NULL, ("esp_output: null SA"));
  660         esph = sav->tdb_authalgxform;
  661         espx = sav->tdb_encalgxform;
  662         KASSERT(espx != NULL, ("esp_output: null encoding xform"));
  663 
  664         if (sav->flags & SADB_X_EXT_OLD)
  665                 hlen = sizeof (struct esp) + sav->ivlen;
  666         else
  667                 hlen = sizeof (struct newesp) + sav->ivlen;
  668 
  669         rlen = m->m_pkthdr.len - skip;  /* Raw payload length. */
  670         /*
  671          * NB: The null encoding transform has a blocksize of 4
  672          *     so that headers are properly aligned.
  673          */
  674         blks = espx->blocksize;         /* IV blocksize */
  675 
  676         /* XXX clamp padding length a la KAME??? */
  677         padding = ((blks - ((rlen + 2) % blks)) % blks) + 2;
  678         plen = rlen + padding;          /* Padded payload length. */
  679 
  680         if (esph)
  681                 alen = AH_HMAC_HASHLEN;
  682         else
  683                 alen = 0;
  684 
  685         espstat.esps_output++;
  686 
  687         saidx = &sav->sah->saidx;
  688         /* Check for maximum packet size violations. */
  689         switch (saidx->dst.sa.sa_family) {
  690 #ifdef INET
  691         case AF_INET:
  692                 maxpacketsize = IP_MAXPACKET;
  693                 break;
  694 #endif /* INET */
  695 #ifdef INET6
  696         case AF_INET6:
  697                 maxpacketsize = IPV6_MAXPACKET;
  698                 break;
  699 #endif /* INET6 */
  700         default:
  701                 DPRINTF(("esp_output: unknown/unsupported protocol "
  702                     "family %d, SA %s/%08lx\n",
  703                     saidx->dst.sa.sa_family, ipsec_address(&saidx->dst),
  704                     (u_long) ntohl(sav->spi)));
  705                 espstat.esps_nopf++;
  706                 error = EPFNOSUPPORT;
  707                 goto bad;
  708         }
  709         if (skip + hlen + rlen + padding + alen > maxpacketsize) {
  710                 DPRINTF(("esp_output: packet in SA %s/%08lx got too big "
  711                     "(len %u, max len %u)\n",
  712                     ipsec_address(&saidx->dst), (u_long) ntohl(sav->spi),
  713                     skip + hlen + rlen + padding + alen, maxpacketsize));
  714                 espstat.esps_toobig++;
  715                 error = EMSGSIZE;
  716                 goto bad;
  717         }
  718 
  719         /* Update the counters. */
  720         espstat.esps_obytes += m->m_pkthdr.len - skip;
  721 
  722         m = m_clone(m);
  723         if (m == NULL) {
  724                 DPRINTF(("esp_output: cannot clone mbuf chain, SA %s/%08lx\n",
  725                     ipsec_address(&saidx->dst), (u_long) ntohl(sav->spi)));
  726                 espstat.esps_hdrops++;
  727                 error = ENOBUFS;
  728                 goto bad;
  729         }
  730 
  731         /* Inject ESP header. */
  732         mo = m_makespace(m, skip, hlen, &roff);
  733         if (mo == NULL) {
  734                 DPRINTF(("esp_output: failed to inject %u byte ESP hdr for SA "
  735                     "%s/%08lx\n",
  736                     hlen, ipsec_address(&saidx->dst),
  737                     (u_long) ntohl(sav->spi)));
  738                 espstat.esps_hdrops++;          /* XXX diffs from openbsd */
  739                 error = ENOBUFS;
  740                 goto bad;
  741         }
  742 
  743         /* Initialize ESP header. */
  744         bcopy((caddr_t) &sav->spi, mtod(mo, caddr_t) + roff, sizeof(u_int32_t));
  745         if (sav->replay) {
  746                 u_int32_t replay = htonl(++(sav->replay->count));
  747                 bcopy((caddr_t) &replay,
  748                     mtod(mo, caddr_t) + roff + sizeof(u_int32_t),
  749                     sizeof(u_int32_t));
  750         }
  751 
  752         /*
  753          * Add padding -- better to do it ourselves than use the crypto engine,
  754          * although if/when we support compression, we'd have to do that.
  755          */
  756         pad = (u_char *) m_pad(m, padding + alen);
  757         if (pad == NULL) {
  758                 DPRINTF(("esp_output: m_pad failed for SA %s/%08lx\n",
  759                     ipsec_address(&saidx->dst), (u_long) ntohl(sav->spi)));
  760                 m = NULL;               /* NB: free'd by m_pad */
  761                 error = ENOBUFS;
  762                 goto bad;
  763         }
  764 
  765         /*
  766          * Add padding: random, zero, or self-describing.
  767          * XXX catch unexpected setting
  768          */
  769         switch (sav->flags & SADB_X_EXT_PMASK) {
  770         case SADB_X_EXT_PRAND:
  771                 (void) read_random(pad, padding - 2);
  772                 break;
  773         case SADB_X_EXT_PZERO:
  774                 bzero(pad, padding - 2);
  775                 break;
  776         case SADB_X_EXT_PSEQ:
  777                 for (i = 0; i < padding - 2; i++)
  778                         pad[i] = i+1;
  779                 break;
  780         }
  781 
  782         /* Fix padding length and Next Protocol in padding itself. */
  783         pad[padding - 2] = padding - 2;
  784         m_copydata(m, protoff, sizeof(u_int8_t), pad + padding - 1);
  785 
  786         /* Fix Next Protocol in IPv4/IPv6 header. */
  787         prot = IPPROTO_ESP;
  788         m_copyback(m, protoff, sizeof(u_int8_t), (u_char *) &prot);
  789 
  790         /* Get crypto descriptors. */
  791         crp = crypto_getreq(esph && espx ? 2 : 1);
  792         if (crp == NULL) {
  793                 DPRINTF(("esp_output: failed to acquire crypto descriptors\n"));
  794                 espstat.esps_crypto++;
  795                 error = ENOBUFS;
  796                 goto bad;
  797         }
  798 
  799         if (espx) {
  800                 crde = crp->crp_desc;
  801                 crda = crde->crd_next;
  802 
  803                 /* Encryption descriptor. */
  804                 crde->crd_skip = skip + hlen;
  805                 crde->crd_len = m->m_pkthdr.len - (skip + hlen + alen);
  806                 crde->crd_flags = CRD_F_ENCRYPT;
  807                 crde->crd_inject = skip + hlen - sav->ivlen;
  808 
  809                 /* Encryption operation. */
  810                 crde->crd_alg = espx->type;
  811                 crde->crd_key = _KEYBUF(sav->key_enc);
  812                 crde->crd_klen = _KEYBITS(sav->key_enc);
  813                 /* XXX Rounds ? */
  814         } else
  815                 crda = crp->crp_desc;
  816 
  817         /* IPsec-specific opaque crypto info. */
  818         tc = (struct tdb_crypto *) malloc(sizeof(struct tdb_crypto),
  819                 M_XDATA, M_NOWAIT|M_ZERO);
  820         if (tc == NULL) {
  821                 crypto_freereq(crp);
  822                 DPRINTF(("esp_output: failed to allocate tdb_crypto\n"));
  823                 espstat.esps_crypto++;
  824                 error = ENOBUFS;
  825                 goto bad;
  826         }
  827 
  828         /* Callback parameters */
  829         tc->tc_isr = isr;
  830         tc->tc_spi = sav->spi;
  831         tc->tc_dst = saidx->dst;
  832         tc->tc_proto = saidx->proto;
  833 
  834         /* Crypto operation descriptor. */
  835         crp->crp_ilen = m->m_pkthdr.len; /* Total input length. */
  836         crp->crp_flags = CRYPTO_F_IMBUF;
  837         crp->crp_buf = (caddr_t) m;
  838         crp->crp_callback = esp_output_cb;
  839         crp->crp_opaque = (caddr_t) tc;
  840         crp->crp_sid = sav->tdb_cryptoid;
  841 
  842         if (esph) {
  843                 /* Authentication descriptor. */
  844                 crda->crd_skip = skip;
  845                 crda->crd_len = m->m_pkthdr.len - (skip + alen);
  846                 crda->crd_inject = m->m_pkthdr.len - alen;
  847 
  848                 /* Authentication operation. */
  849                 crda->crd_alg = esph->type;
  850                 crda->crd_key = _KEYBUF(sav->key_auth);
  851                 crda->crd_klen = _KEYBITS(sav->key_auth);
  852         }
  853 
  854         return crypto_dispatch(crp);
  855 bad:
  856         if (m)
  857                 m_freem(m);
  858         return (error);
  859 }
  860 
  861 /*
  862  * ESP output callback from the crypto driver.
  863  */
  864 static int
  865 esp_output_cb(struct cryptop *crp)
  866 {
  867         struct tdb_crypto *tc;
  868         struct ipsecrequest *isr;
  869         struct secasvar *sav;
  870         struct mbuf *m;
  871         int s, err, error;
  872 
  873         tc = (struct tdb_crypto *) crp->crp_opaque;
  874         KASSERT(tc != NULL, ("esp_output_cb: null opaque data area!"));
  875         m = (struct mbuf *) crp->crp_buf;
  876 
  877         s = splnet();
  878 
  879         isr = tc->tc_isr;
  880         sav = KEY_ALLOCSA(&tc->tc_dst, tc->tc_proto, tc->tc_spi);
  881         if (sav == NULL) {
  882                 espstat.esps_notdb++;
  883                 DPRINTF(("esp_output_cb: SA expired while in crypto "
  884                     "(SA %s/%08lx proto %u)\n", ipsec_address(&tc->tc_dst),
  885                     (u_long) ntohl(tc->tc_spi), tc->tc_proto));
  886                 error = ENOBUFS;                /*XXX*/
  887                 goto bad;
  888         }
  889         KASSERT(isr->sav == sav,
  890                 ("esp_output_cb: SA changed was %p now %p\n", isr->sav, sav));
  891 
  892         /* Check for crypto errors. */
  893         if (crp->crp_etype) {
  894                 /* Reset session ID. */
  895                 if (sav->tdb_cryptoid != 0)
  896                         sav->tdb_cryptoid = crp->crp_sid;
  897 
  898                 if (crp->crp_etype == EAGAIN) {
  899                         KEY_FREESAV(&sav);
  900                         splx(s);
  901                         return crypto_dispatch(crp);
  902                 }
  903 
  904                 espstat.esps_noxform++;
  905                 DPRINTF(("esp_output_cb: crypto error %d\n", crp->crp_etype));
  906                 error = crp->crp_etype;
  907                 goto bad;
  908         }
  909 
  910         /* Shouldn't happen... */
  911         if (m == NULL) {
  912                 espstat.esps_crypto++;
  913                 DPRINTF(("esp_output_cb: bogus returned buffer from crypto\n"));
  914                 error = EINVAL;
  915                 goto bad;
  916         }
  917         espstat.esps_hist[sav->alg_enc]++;
  918         if (sav->tdb_authalgxform != NULL)
  919                 ahstat.ahs_hist[sav->alg_auth]++;
  920 
  921         /* Release crypto descriptors. */
  922         free(tc, M_XDATA);
  923         crypto_freereq(crp);
  924 
  925         /* NB: m is reclaimed by ipsec_process_done. */
  926         err = ipsec_process_done(m, isr);
  927         KEY_FREESAV(&sav);
  928         splx(s);
  929         return err;
  930 bad:
  931         if (sav)
  932                 KEY_FREESAV(&sav);
  933         splx(s);
  934         if (m)
  935                 m_freem(m);
  936         free(tc, M_XDATA);
  937         crypto_freereq(crp);
  938         return error;
  939 }
  940 
  941 static struct xformsw esp_xformsw = {
  942         XF_ESP,         XFT_CONF|XFT_AUTH,      "IPsec ESP",
  943         esp_init,       esp_zeroize,            esp_input,
  944         esp_output
  945 };
  946 
  947 static void
  948 esp_attach(void)
  949 {
  950 #define MAXIV(xform)                                    \
  951         if (xform.blocksize > esp_max_ivlen)            \
  952                 esp_max_ivlen = xform.blocksize         \
  953 
  954         esp_max_ivlen = 0;
  955         MAXIV(enc_xform_des);           /* SADB_EALG_DESCBC */
  956         MAXIV(enc_xform_3des);          /* SADB_EALG_3DESCBC */
  957         MAXIV(enc_xform_rijndael128);   /* SADB_X_EALG_AES */
  958         MAXIV(enc_xform_blf);           /* SADB_X_EALG_BLOWFISHCBC */
  959         MAXIV(enc_xform_cast5);         /* SADB_X_EALG_CAST128CBC */
  960         MAXIV(enc_xform_skipjack);      /* SADB_X_EALG_SKIPJACK */
  961         MAXIV(enc_xform_null);          /* SADB_EALG_NULL */
  962 
  963         xform_register(&esp_xformsw);
  964 #undef MAXIV
  965 }
  966 SYSINIT(esp_xform_init, SI_SUB_DRIVERS, SI_ORDER_FIRST, esp_attach, NULL)

Cache object: bd4c93ad5353f93859d9eebecd9ffa95


[ source navigation ] [ diff markup ] [ identifier search ] [ freetext search ] [ file search ] [ list types ] [ track identifier ]


This page is part of the FreeBSD/Linux Linux Kernel Cross-Reference, and was automatically generated using a modified version of the LXR engine.