1 /* $OpenBSD: ip_esp.c,v 1.105 2008/06/09 07:07:17 djm Exp $ */ 2 /* 3 * The authors of this code are John Ioannidis (ji@tla.org), 4 * Angelos D. Keromytis (kermit@csd.uch.gr) and 5 * Niels Provos (provos@physnet.uni-hamburg.de). 6 * 7 * The original version of this code was written by John Ioannidis 8 * for BSD/OS in Athens, Greece, in November 1995. 9 * 10 * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996, 11 * by Angelos D. Keromytis. 12 * 13 * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis 14 * and Niels Provos. 15 * 16 * Additional features in 1999 by Angelos D. Keromytis. 17 * 18 * Copyright (C) 1995, 1996, 1997, 1998, 1999 by John Ioannidis, 19 * Angelos D. Keromytis and Niels Provos. 20 * Copyright (c) 2001 Angelos D. Keromytis. 21 * 22 * Permission to use, copy, and modify this software with or without fee 23 * is hereby granted, provided that this entire notice is included in 24 * all copies of any software which is or includes a copy or 25 * modification of this software. 26 * You may use this code under the GNU public license if you so wish. Please 27 * contribute changes back to the authors under this freer than GPL license 28 * so that we may further the use of strong encryption without limitations to 29 * all. 30 * 31 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR 32 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY 33 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE 34 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR 35 * PURPOSE. 36 */ 37 38 #include "pfsync.h" 39 40 #include <sys/param.h> 41 #include <sys/systm.h> 42 #include <sys/mbuf.h> 43 #include <sys/socket.h> 44 45 #include <net/if.h> 46 #include <net/bpf.h> 47 48 #include <dev/rndvar.h> 49 50 #ifdef INET 51 #include <netinet/in.h> 52 #include <netinet/in_systm.h> 53 #include <netinet/ip.h> 54 #include <netinet/ip_var.h> 55 #endif /* INET */ 56 57 #ifdef INET6 58 #ifndef INET 59 #include <netinet/in.h> 60 #endif 61 #include <netinet/ip6.h> 62 #endif /* INET6 */ 63 64 #include <netinet/ip_ipsp.h> 65 #include <netinet/ip_esp.h> 66 #include <net/pfkeyv2.h> 67 #include <net/if_enc.h> 68 69 #if NPFSYNC > 0 70 #include <net/pfvar.h> 71 #include <net/if_pfsync.h> 72 #endif /* NPFSYNC > 0 */ 73 74 #include <crypto/cryptodev.h> 75 #include <crypto/xform.h> 76 77 #include "bpfilter.h" 78 79 #ifdef ENCDEBUG 80 #define DPRINTF(x) if (encdebug) printf x 81 #else 82 #define DPRINTF(x) 83 #endif 84 85 struct espstat espstat; 86 87 /* 88 * esp_attach() is called from the transformation initialization code. 89 */ 90 int 91 esp_attach() 92 { 93 return 0; 94 } 95 96 /* 97 * esp_init() is called when an SPI is being set up. 98 */ 99 int 100 esp_init(struct tdb *tdbp, struct xformsw *xsp, struct ipsecinit *ii) 101 { 102 struct enc_xform *txform = NULL; 103 struct auth_hash *thash = NULL; 104 struct cryptoini cria, crie; 105 106 if (!ii->ii_encalg && !ii->ii_authalg) { 107 DPRINTF(("esp_init(): neither authentication nor encryption " 108 "algorithm given")); 109 return EINVAL; 110 } 111 112 if (ii->ii_encalg) { 113 switch (ii->ii_encalg) { 114 case SADB_EALG_NULL: 115 txform = &enc_xform_null; 116 break; 117 118 case SADB_EALG_DESCBC: 119 txform = &enc_xform_des; 120 break; 121 122 case SADB_EALG_3DESCBC: 123 txform = &enc_xform_3des; 124 break; 125 126 case SADB_X_EALG_AES: 127 txform = &enc_xform_rijndael128; 128 break; 129 130 case SADB_X_EALG_AESCTR: 131 txform = &enc_xform_aes_ctr; 132 break; 133 134 case SADB_X_EALG_BLF: 135 txform = &enc_xform_blf; 136 break; 137 138 case SADB_X_EALG_CAST: 139 txform = &enc_xform_cast5; 140 break; 141 142 case SADB_X_EALG_SKIPJACK: 143 txform = &enc_xform_skipjack; 144 break; 145 146 default: 147 DPRINTF(("esp_init(): unsupported encryption algorithm %d specified\n", ii->ii_encalg)); 148 return EINVAL; 149 } 150 151 if (ii->ii_enckeylen < txform->minkey) { 152 DPRINTF(("esp_init(): keylength %d too small (min length is %d) for algorithm %s\n", ii->ii_enckeylen, txform->minkey, txform->name)); 153 return EINVAL; 154 } 155 156 if (ii->ii_enckeylen > txform->maxkey) { 157 DPRINTF(("esp_init(): keylength %d too large (max length is %d) for algorithm %s\n", ii->ii_enckeylen, txform->maxkey, txform->name)); 158 return EINVAL; 159 } 160 161 tdbp->tdb_encalgxform = txform; 162 163 DPRINTF(("esp_init(): initialized TDB with enc algorithm %s\n", 164 txform->name)); 165 166 tdbp->tdb_ivlen = txform->ivsize; 167 if (tdbp->tdb_flags & TDBF_HALFIV) 168 tdbp->tdb_ivlen /= 2; 169 } 170 171 if (ii->ii_authalg) { 172 switch (ii->ii_authalg) { 173 case SADB_AALG_MD5HMAC: 174 thash = &auth_hash_hmac_md5_96; 175 break; 176 177 case SADB_AALG_SHA1HMAC: 178 thash = &auth_hash_hmac_sha1_96; 179 break; 180 181 case SADB_X_AALG_RIPEMD160HMAC: 182 thash = &auth_hash_hmac_ripemd_160_96; 183 break; 184 185 case SADB_X_AALG_SHA2_256: 186 thash = &auth_hash_hmac_sha2_256_96; 187 break; 188 189 case SADB_X_AALG_SHA2_384: 190 thash = &auth_hash_hmac_sha2_384_96; 191 break; 192 193 case SADB_X_AALG_SHA2_512: 194 thash = &auth_hash_hmac_sha2_512_96; 195 break; 196 197 default: 198 DPRINTF(("esp_init(): unsupported authentication algorithm %d specified\n", ii->ii_authalg)); 199 return EINVAL; 200 } 201 202 if (ii->ii_authkeylen != thash->keysize) { 203 DPRINTF(("esp_init(): keylength %d doesn't match algorithm %s keysize (%d)\n", ii->ii_authkeylen, thash->name, thash->keysize)); 204 return EINVAL; 205 } 206 207 tdbp->tdb_authalgxform = thash; 208 209 DPRINTF(("esp_init(): initialized TDB with hash algorithm %s\n", 210 thash->name)); 211 } 212 213 tdbp->tdb_xform = xsp; 214 tdbp->tdb_bitmap = 0; 215 tdbp->tdb_rpl = AH_HMAC_INITIAL_RPL; 216 217 /* Initialize crypto session */ 218 if (tdbp->tdb_encalgxform) { 219 /* Save the raw keys */ 220 tdbp->tdb_emxkeylen = ii->ii_enckeylen; 221 tdbp->tdb_emxkey = malloc(tdbp->tdb_emxkeylen, M_XDATA, 222 M_WAITOK); 223 bcopy(ii->ii_enckey, tdbp->tdb_emxkey, tdbp->tdb_emxkeylen); 224 225 bzero(&crie, sizeof(crie)); 226 227 crie.cri_alg = tdbp->tdb_encalgxform->type; 228 229 if (tdbp->tdb_authalgxform) 230 crie.cri_next = &cria; 231 else 232 crie.cri_next = NULL; 233 234 crie.cri_klen = ii->ii_enckeylen * 8; 235 crie.cri_key = ii->ii_enckey; 236 /* XXX Rounds ? */ 237 } 238 239 if (tdbp->tdb_authalgxform) { 240 /* Save the raw keys */ 241 tdbp->tdb_amxkeylen = ii->ii_authkeylen; 242 tdbp->tdb_amxkey = malloc(tdbp->tdb_amxkeylen, M_XDATA, 243 M_WAITOK); 244 bcopy(ii->ii_authkey, tdbp->tdb_amxkey, tdbp->tdb_amxkeylen); 245 246 bzero(&cria, sizeof(cria)); 247 248 cria.cri_alg = tdbp->tdb_authalgxform->type; 249 cria.cri_next = NULL; 250 cria.cri_klen = ii->ii_authkeylen * 8; 251 cria.cri_key = ii->ii_authkey; 252 } 253 254 return crypto_newsession(&tdbp->tdb_cryptoid, 255 (tdbp->tdb_encalgxform ? &crie : &cria), 0); 256 } 257 258 /* 259 * Paranoia. 260 */ 261 int 262 esp_zeroize(struct tdb *tdbp) 263 { 264 int err; 265 266 if (tdbp->tdb_amxkey) { 267 bzero(tdbp->tdb_amxkey, tdbp->tdb_amxkeylen); 268 free(tdbp->tdb_amxkey, M_XDATA); 269 tdbp->tdb_amxkey = NULL; 270 } 271 272 if (tdbp->tdb_emxkey) { 273 bzero(tdbp->tdb_emxkey, tdbp->tdb_emxkeylen); 274 free(tdbp->tdb_emxkey, M_XDATA); 275 tdbp->tdb_emxkey = NULL; 276 } 277 278 err = crypto_freesession(tdbp->tdb_cryptoid); 279 tdbp->tdb_cryptoid = 0; 280 return err; 281 } 282 283 #define MAXBUFSIZ (AH_ALEN_MAX > ESP_MAX_IVS ? AH_ALEN_MAX : ESP_MAX_IVS) 284 285 /* 286 * ESP input processing, called (eventually) through the protocol switch. 287 */ 288 int 289 esp_input(struct mbuf *m, struct tdb *tdb, int skip, int protoff) 290 { 291 struct auth_hash *esph = (struct auth_hash *) tdb->tdb_authalgxform; 292 struct enc_xform *espx = (struct enc_xform *) tdb->tdb_encalgxform; 293 struct tdb_crypto *tc; 294 int plen, alen, hlen; 295 struct m_tag *mtag; 296 u_int32_t btsx; 297 298 struct cryptodesc *crde = NULL, *crda = NULL; 299 struct cryptop *crp; 300 301 /* Determine the ESP header length */ 302 if (tdb->tdb_flags & TDBF_NOREPLAY) 303 hlen = sizeof(u_int32_t) + tdb->tdb_ivlen; /* "old" ESP */ 304 else 305 hlen = 2 * sizeof(u_int32_t) + tdb->tdb_ivlen; /* "new" ESP */ 306 307 if (esph) 308 alen = AH_HMAC_HASHLEN; 309 else 310 alen = 0; 311 312 plen = m->m_pkthdr.len - (skip + hlen + alen); 313 if (plen <= 0) { 314 DPRINTF(("esp_input: invalid payload length\n")); 315 espstat.esps_badilen++; 316 m_freem(m); 317 return EINVAL; 318 } 319 320 if (espx) { 321 /* 322 * Verify payload length is multiple of encryption algorithm 323 * block size. 324 */ 325 if (plen & (espx->blocksize - 1)) { 326 DPRINTF(("esp_input(): payload of %d octets not a multiple of %d octets, SA %s/%08x\n", plen, espx->blocksize, ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi))); 327 espstat.esps_badilen++; 328 m_freem(m); 329 return EINVAL; 330 } 331 } 332 333 /* Replay window checking, if appropriate -- no value commitment. */ 334 if ((tdb->tdb_wnd > 0) && (!(tdb->tdb_flags & TDBF_NOREPLAY))) { 335 m_copydata(m, skip + sizeof(u_int32_t), sizeof(u_int32_t), 336 (unsigned char *) &btsx); 337 btsx = ntohl(btsx); 338 339 switch (checkreplaywindow32(btsx, 0, &(tdb->tdb_rpl), 340 tdb->tdb_wnd, &(tdb->tdb_bitmap), 0)) { 341 case 0: /* All's well */ 342 break; 343 344 case 1: 345 m_freem(m); 346 DPRINTF(("esp_input(): replay counter wrapped for SA %s/%08x\n", ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi))); 347 espstat.esps_wrap++; 348 return EACCES; 349 350 case 2: 351 case 3: 352 DPRINTF(("esp_input(): duplicate packet received in SA %s/%08x\n", ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi))); 353 m_freem(m); 354 return EACCES; 355 356 default: 357 m_freem(m); 358 DPRINTF(("esp_input(): bogus value from checkreplaywindow32() in SA %s/%08x\n", ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi))); 359 espstat.esps_replay++; 360 return EACCES; 361 } 362 } 363 364 /* Update the counters */ 365 tdb->tdb_cur_bytes += m->m_pkthdr.len - skip - hlen - alen; 366 espstat.esps_ibytes += m->m_pkthdr.len - skip - hlen - alen; 367 368 /* Hard expiration */ 369 if ((tdb->tdb_flags & TDBF_BYTES) && 370 (tdb->tdb_cur_bytes >= tdb->tdb_exp_bytes)) { 371 pfkeyv2_expire(tdb, SADB_EXT_LIFETIME_HARD); 372 tdb_delete(tdb); 373 m_freem(m); 374 return ENXIO; 375 } 376 377 /* Notify on soft expiration */ 378 if ((tdb->tdb_flags & TDBF_SOFT_BYTES) && 379 (tdb->tdb_cur_bytes >= tdb->tdb_soft_bytes)) { 380 pfkeyv2_expire(tdb, SADB_EXT_LIFETIME_SOFT); 381 tdb->tdb_flags &= ~TDBF_SOFT_BYTES; /* Turn off checking */ 382 } 383 384 #ifdef notyet 385 /* Find out if we've already done crypto */ 386 for (mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_CRYPTO_DONE, NULL); 387 mtag != NULL; 388 mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_CRYPTO_DONE, mtag)) { 389 struct tdb_ident *tdbi; 390 391 tdbi = (struct tdb_ident *) (mtag + 1); 392 if (tdbi->proto == tdb->tdb_sproto && tdbi->spi == tdb->tdb_spi && 393 !bcmp(&tdbi->dst, &tdb->tdb_dst, sizeof(union sockaddr_union))) 394 break; 395 } 396 #else 397 mtag = NULL; 398 #endif 399 400 /* Get crypto descriptors */ 401 crp = crypto_getreq(esph && espx ? 2 : 1); 402 if (crp == NULL) { 403 m_freem(m); 404 DPRINTF(("esp_input(): failed to acquire crypto descriptors\n")); 405 espstat.esps_crypto++; 406 return ENOBUFS; 407 } 408 409 /* Get IPsec-specific opaque pointer */ 410 if (esph == NULL || mtag != NULL) 411 tc = malloc(sizeof(*tc), M_XDATA, M_NOWAIT | M_ZERO); 412 else 413 tc = malloc(sizeof(*tc) + alen, M_XDATA, M_NOWAIT | M_ZERO); 414 if (tc == NULL) { 415 m_freem(m); 416 crypto_freereq(crp); 417 DPRINTF(("esp_input(): failed to allocate tdb_crypto\n")); 418 espstat.esps_crypto++; 419 return ENOBUFS; 420 } 421 422 tc->tc_ptr = (caddr_t) mtag; 423 424 if (esph) { 425 crda = crp->crp_desc; 426 crde = crda->crd_next; 427 428 /* Authentication descriptor */ 429 crda->crd_skip = skip; 430 crda->crd_len = m->m_pkthdr.len - (skip + alen); 431 crda->crd_inject = m->m_pkthdr.len - alen; 432 433 crda->crd_alg = esph->type; 434 crda->crd_key = tdb->tdb_amxkey; 435 crda->crd_klen = tdb->tdb_amxkeylen * 8; 436 437 /* Copy the authenticator */ 438 if (mtag == NULL) 439 m_copydata(m, m->m_pkthdr.len - alen, alen, (caddr_t) (tc + 1)); 440 } else 441 crde = crp->crp_desc; 442 443 /* Crypto operation descriptor */ 444 crp->crp_ilen = m->m_pkthdr.len; /* Total input length */ 445 crp->crp_flags = CRYPTO_F_IMBUF; 446 crp->crp_buf = (caddr_t) m; 447 crp->crp_callback = (int (*) (struct cryptop *)) esp_input_cb; 448 crp->crp_sid = tdb->tdb_cryptoid; 449 crp->crp_opaque = (caddr_t) tc; 450 451 /* These are passed as-is to the callback */ 452 tc->tc_skip = skip; 453 tc->tc_protoff = protoff; 454 tc->tc_spi = tdb->tdb_spi; 455 tc->tc_proto = tdb->tdb_sproto; 456 bcopy(&tdb->tdb_dst, &tc->tc_dst, sizeof(union sockaddr_union)); 457 458 /* Decryption descriptor */ 459 if (espx) { 460 crde->crd_skip = skip + hlen; 461 crde->crd_len = m->m_pkthdr.len - (skip + hlen + alen); 462 crde->crd_inject = skip + hlen - tdb->tdb_ivlen; 463 464 if (tdb->tdb_flags & TDBF_HALFIV) { 465 /* Copy half-IV from packet */ 466 m_copydata(m, crde->crd_inject, tdb->tdb_ivlen, crde->crd_iv); 467 468 /* Cook IV */ 469 for (btsx = 0; btsx < tdb->tdb_ivlen; btsx++) 470 crde->crd_iv[tdb->tdb_ivlen + btsx] = ~crde->crd_iv[btsx]; 471 472 crde->crd_flags |= CRD_F_IV_EXPLICIT; 473 } 474 475 crde->crd_alg = espx->type; 476 crde->crd_key = tdb->tdb_emxkey; 477 crde->crd_klen = tdb->tdb_emxkeylen * 8; 478 /* XXX Rounds ? */ 479 } 480 481 if (mtag == NULL) 482 return crypto_dispatch(crp); 483 else 484 return esp_input_cb(crp); 485 } 486 487 /* 488 * ESP input callback, called directly by the crypto driver. 489 */ 490 int 491 esp_input_cb(void *op) 492 { 493 u_int8_t lastthree[3], aalg[AH_HMAC_HASHLEN]; 494 int s, hlen, roff, skip, protoff, error; 495 struct mbuf *m1, *mo, *m; 496 struct auth_hash *esph; 497 struct tdb_crypto *tc; 498 struct cryptop *crp; 499 struct m_tag *mtag; 500 struct tdb *tdb; 501 u_int32_t btsx; 502 caddr_t ptr; 503 504 crp = (struct cryptop *) op; 505 506 tc = (struct tdb_crypto *) crp->crp_opaque; 507 skip = tc->tc_skip; 508 protoff = tc->tc_protoff; 509 mtag = (struct m_tag *) tc->tc_ptr; 510 511 m = (struct mbuf *) crp->crp_buf; 512 if (m == NULL) { 513 /* Shouldn't happen... */ 514 free(tc, M_XDATA); 515 crypto_freereq(crp); 516 espstat.esps_crypto++; 517 DPRINTF(("esp_input_cb(): bogus returned buffer from crypto\n")); 518 return (EINVAL); 519 } 520 521 s = spltdb(); 522 523 tdb = gettdb(tc->tc_spi, &tc->tc_dst, tc->tc_proto); 524 if (tdb == NULL) { 525 free(tc, M_XDATA); 526 espstat.esps_notdb++; 527 DPRINTF(("esp_input_cb(): TDB is expired while in crypto")); 528 error = EPERM; 529 goto baddone; 530 } 531 532 esph = (struct auth_hash *) tdb->tdb_authalgxform; 533 534 /* Check for crypto errors */ 535 if (crp->crp_etype) { 536 if (crp->crp_etype == EAGAIN) { 537 /* Reset the session ID */ 538 if (tdb->tdb_cryptoid != 0) 539 tdb->tdb_cryptoid = crp->crp_sid; 540 splx(s); 541 return crypto_dispatch(crp); 542 } 543 free(tc, M_XDATA); 544 espstat.esps_noxform++; 545 DPRINTF(("esp_input_cb(): crypto error %d\n", crp->crp_etype)); 546 error = crp->crp_etype; 547 goto baddone; 548 } 549 550 /* If authentication was performed, check now. */ 551 if (esph != NULL) { 552 /* 553 * If we have a tag, it means an IPsec-aware NIC did the verification 554 * for us. 555 */ 556 if (mtag == NULL) { 557 /* Copy the authenticator from the packet */ 558 m_copydata(m, m->m_pkthdr.len - esph->authsize, 559 esph->authsize, aalg); 560 561 ptr = (caddr_t) (tc + 1); 562 563 /* Verify authenticator */ 564 if (bcmp(ptr, aalg, esph->authsize)) { 565 free(tc, M_XDATA); 566 DPRINTF(("esp_input_cb(): authentication failed for packet in SA %s/%08x\n", ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi))); 567 espstat.esps_badauth++; 568 error = EACCES; 569 goto baddone; 570 } 571 } 572 573 /* Remove trailing authenticator */ 574 m_adj(m, -(esph->authsize)); 575 } 576 free(tc, M_XDATA); 577 578 /* Replay window checking, if appropriate */ 579 if ((tdb->tdb_wnd > 0) && (!(tdb->tdb_flags & TDBF_NOREPLAY))) { 580 m_copydata(m, skip + sizeof(u_int32_t), sizeof(u_int32_t), 581 (unsigned char *) &btsx); 582 btsx = ntohl(btsx); 583 584 switch (checkreplaywindow32(btsx, 0, &(tdb->tdb_rpl), 585 tdb->tdb_wnd, &(tdb->tdb_bitmap), 1)) { 586 case 0: /* All's well */ 587 #if NPFSYNC > 0 588 pfsync_update_tdb(tdb,0); 589 #endif 590 break; 591 592 case 1: 593 DPRINTF(("esp_input_cb(): replay counter wrapped for SA %s/%08x\n", ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi))); 594 espstat.esps_wrap++; 595 error = EACCES; 596 goto baddone; 597 598 case 2: 599 case 3: 600 DPRINTF(("esp_input_cb(): duplicate packet received in SA %s/%08x\n", ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi))); 601 error = EACCES; 602 goto baddone; 603 604 default: 605 DPRINTF(("esp_input_cb(): bogus value from checkreplaywindow32() in SA %s/%08x\n", ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi))); 606 espstat.esps_replay++; 607 error = EACCES; 608 goto baddone; 609 } 610 } 611 612 /* Release the crypto descriptors */ 613 crypto_freereq(crp); 614 615 /* Determine the ESP header length */ 616 if (tdb->tdb_flags & TDBF_NOREPLAY) 617 hlen = sizeof(u_int32_t) + tdb->tdb_ivlen; /* "old" ESP */ 618 else 619 hlen = 2 * sizeof(u_int32_t) + tdb->tdb_ivlen; /* "new" ESP */ 620 621 /* Find beginning of ESP header */ 622 m1 = m_getptr(m, skip, &roff); 623 if (m1 == NULL) { 624 espstat.esps_hdrops++; 625 splx(s); 626 DPRINTF(("esp_input_cb(): bad mbuf chain, SA %s/%08x\n", 627 ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi))); 628 m_freem(m); 629 return EINVAL; 630 } 631 632 /* Remove the ESP header and IV from the mbuf. */ 633 if (roff == 0) { 634 /* The ESP header was conveniently at the beginning of the mbuf */ 635 m_adj(m1, hlen); 636 if (!(m1->m_flags & M_PKTHDR)) 637 m->m_pkthdr.len -= hlen; 638 } else if (roff + hlen >= m1->m_len) { 639 /* 640 * Part or all of the ESP header is at the end of this mbuf, so 641 * first let's remove the remainder of the ESP header from the 642 * beginning of the remainder of the mbuf chain, if any. 643 */ 644 if (roff + hlen > m1->m_len) { 645 /* Adjust the next mbuf by the remainder */ 646 m_adj(m1->m_next, roff + hlen - m1->m_len); 647 648 /* The second mbuf is guaranteed not to have a pkthdr... */ 649 m->m_pkthdr.len -= (roff + hlen - m1->m_len); 650 } 651 652 /* Now, let's unlink the mbuf chain for a second...*/ 653 mo = m1->m_next; 654 m1->m_next = NULL; 655 656 /* ...and trim the end of the first part of the chain...sick */ 657 m_adj(m1, -(m1->m_len - roff)); 658 if (!(m1->m_flags & M_PKTHDR)) 659 m->m_pkthdr.len -= (m1->m_len - roff); 660 661 /* Finally, let's relink */ 662 m1->m_next = mo; 663 } else { 664 /* 665 * The ESP header lies in the "middle" of the mbuf...do an 666 * overlapping copy of the remainder of the mbuf over the ESP 667 * header. 668 */ 669 bcopy(mtod(m1, u_char *) + roff + hlen, 670 mtod(m1, u_char *) + roff, m1->m_len - (roff + hlen)); 671 m1->m_len -= hlen; 672 m->m_pkthdr.len -= hlen; 673 } 674 675 /* Save the last three bytes of decrypted data */ 676 m_copydata(m, m->m_pkthdr.len - 3, 3, lastthree); 677 678 /* Verify pad length */ 679 if (lastthree[1] + 2 > m->m_pkthdr.len - skip) { 680 espstat.esps_badilen++; 681 splx(s); 682 DPRINTF(("esp_input_cb(): invalid padding length %d for packet in SA %s/%08x\n", lastthree[1], ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi))); 683 m_freem(m); 684 return EINVAL; 685 } 686 687 /* Verify correct decryption by checking the last padding bytes */ 688 if (!(tdb->tdb_flags & TDBF_RANDOMPADDING)) { 689 if ((lastthree[1] != lastthree[0]) && (lastthree[1] != 0)) { 690 espstat.esps_badenc++; 691 splx(s); 692 DPRINTF(("esp_input(): decryption failed for packet in SA %s/%08x\n", ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi))); 693 m_freem(m); 694 return EINVAL; 695 } 696 } 697 698 /* Trim the mbuf chain to remove the trailing authenticator and padding */ 699 m_adj(m, -(lastthree[1] + 2)); 700 701 /* Restore the Next Protocol field */ 702 m_copyback(m, protoff, sizeof(u_int8_t), lastthree + 2); 703 704 /* Back to generic IPsec input processing */ 705 error = ipsec_common_input_cb(m, tdb, skip, protoff, mtag); 706 splx(s); 707 return (error); 708 709 baddone: 710 splx(s); 711 712 if (m != NULL) 713 m_freem(m); 714 715 crypto_freereq(crp); 716 717 return (error); 718 } 719 720 /* 721 * ESP output routine, called by ipsp_process_packet(). 722 */ 723 int 724 esp_output(struct mbuf *m, struct tdb *tdb, struct mbuf **mp, int skip, 725 int protoff) 726 { 727 struct enc_xform *espx = (struct enc_xform *) tdb->tdb_encalgxform; 728 struct auth_hash *esph = (struct auth_hash *) tdb->tdb_authalgxform; 729 int ilen, hlen, rlen, padding, blks, alen; 730 struct mbuf *mi, *mo = (struct mbuf *) NULL; 731 struct tdb_crypto *tc; 732 unsigned char *pad; 733 u_int8_t prot; 734 735 struct cryptodesc *crde = NULL, *crda = NULL; 736 struct cryptop *crp; 737 #if NBPFILTER > 0 738 struct ifnet *ifn = &(encif[0].sc_if); 739 740 ifn->if_opackets++; 741 ifn->if_obytes += m->m_pkthdr.len; 742 743 if (ifn->if_bpf) { 744 struct enchdr hdr; 745 746 bzero (&hdr, sizeof(hdr)); 747 748 hdr.af = tdb->tdb_dst.sa.sa_family; 749 hdr.spi = tdb->tdb_spi; 750 if (espx) 751 hdr.flags |= M_CONF; 752 if (esph) 753 hdr.flags |= M_AUTH; 754 755 bpf_mtap_hdr(ifn->if_bpf, (char *)&hdr, ENC_HDRLEN, m, 756 BPF_DIRECTION_OUT); 757 } 758 #endif 759 760 if (tdb->tdb_flags & TDBF_NOREPLAY) 761 hlen = sizeof(u_int32_t) + tdb->tdb_ivlen; 762 else 763 hlen = 2 * sizeof(u_int32_t) + tdb->tdb_ivlen; 764 765 rlen = m->m_pkthdr.len - skip; /* Raw payload length. */ 766 if (espx) 767 blks = espx->blocksize; 768 else 769 blks = 4; /* If no encryption, we have to be 4-byte aligned. */ 770 771 padding = ((blks - ((rlen + 2) % blks)) % blks) + 2; 772 773 if (esph) 774 alen = AH_HMAC_HASHLEN; 775 else 776 alen = 0; 777 778 espstat.esps_output++; 779 780 switch (tdb->tdb_dst.sa.sa_family) { 781 #ifdef INET 782 case AF_INET: 783 /* Check for IP maximum packet size violations. */ 784 if (skip + hlen + rlen + padding + alen > IP_MAXPACKET) { 785 DPRINTF(("esp_output(): packet in SA %s/%08x got " 786 "too big\n", ipsp_address(tdb->tdb_dst), 787 ntohl(tdb->tdb_spi))); 788 m_freem(m); 789 espstat.esps_toobig++; 790 return EMSGSIZE; 791 } 792 break; 793 #endif /* INET */ 794 795 #ifdef INET6 796 case AF_INET6: 797 /* Check for IPv6 maximum packet size violations. */ 798 if (skip + hlen + rlen + padding + alen > IPV6_MAXPACKET) { 799 DPRINTF(("esp_output(): packet in SA %s/%08x got too " 800 "big\n", ipsp_address(tdb->tdb_dst), 801 ntohl(tdb->tdb_spi))); 802 m_freem(m); 803 espstat.esps_toobig++; 804 return EMSGSIZE; 805 } 806 break; 807 #endif /* INET6 */ 808 809 default: 810 DPRINTF(("esp_output(): unknown/unsupported protocol " 811 "family %d, SA %s/%08x\n", tdb->tdb_dst.sa.sa_family 812 , ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi))); 813 m_freem(m); 814 espstat.esps_nopf++; 815 return EPFNOSUPPORT; 816 } 817 818 /* Update the counters. */ 819 tdb->tdb_cur_bytes += m->m_pkthdr.len - skip; 820 espstat.esps_obytes += m->m_pkthdr.len - skip; 821 822 /* Hard byte expiration. */ 823 if (tdb->tdb_flags & TDBF_BYTES && 824 tdb->tdb_cur_bytes >= tdb->tdb_exp_bytes) { 825 pfkeyv2_expire(tdb, SADB_EXT_LIFETIME_HARD); 826 tdb_delete(tdb); 827 m_freem(m); 828 return EINVAL; 829 } 830 831 /* Soft byte expiration. */ 832 if (tdb->tdb_flags & TDBF_SOFT_BYTES && 833 tdb->tdb_cur_bytes >= tdb->tdb_soft_bytes) { 834 pfkeyv2_expire(tdb, SADB_EXT_LIFETIME_SOFT); 835 tdb->tdb_flags &= ~TDBF_SOFT_BYTES; /* Turn off checking. */ 836 } 837 838 /* 839 * Loop through mbuf chain; if we find a readonly mbuf, 840 * replace the rest of the chain. 841 */ 842 mo = NULL; 843 mi = m; 844 while (mi != NULL && !M_READONLY(mi)) { 845 mo = mi; 846 mi = mi->m_next; 847 } 848 849 if (mi != NULL) { 850 /* Replace the rest of the mbuf chain. */ 851 struct mbuf *n = m_copym2(mi, 0, M_COPYALL, M_DONTWAIT); 852 853 if (n == NULL) { 854 DPRINTF(("esp_output(): bad mbuf chain, SA %s/%08x\n", 855 ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi))); 856 espstat.esps_hdrops++; 857 m_freem(m); 858 return ENOBUFS; 859 } 860 861 if (mo != NULL) 862 mo->m_next = n; 863 else 864 m = n; 865 866 m_freem(mi); 867 } 868 869 /* Inject ESP header. */ 870 mo = m_inject(m, skip, hlen, M_DONTWAIT); 871 if (mo == NULL) { 872 DPRINTF(("esp_output(): failed to inject ESP header for " 873 "SA %s/%08x\n", ipsp_address(tdb->tdb_dst), 874 ntohl(tdb->tdb_spi))); 875 m_freem(m); 876 espstat.esps_hdrops++; 877 return ENOBUFS; 878 } 879 880 /* Initialize ESP header. */ 881 bcopy((caddr_t) &tdb->tdb_spi, mtod(mo, caddr_t), sizeof(u_int32_t)); 882 if (!(tdb->tdb_flags & TDBF_NOREPLAY)) { 883 u_int32_t replay = htonl(tdb->tdb_rpl++); 884 bcopy((caddr_t) &replay, mtod(mo, caddr_t) + sizeof(u_int32_t), 885 sizeof(u_int32_t)); 886 #if NPFSYNC > 0 887 pfsync_update_tdb(tdb,1); 888 #endif 889 } 890 891 /* 892 * Add padding -- better to do it ourselves than use the crypto engine, 893 * although if/when we support compression, we'd have to do that. 894 */ 895 pad = (u_char *) m_pad(m, padding + alen); 896 if (pad == NULL) { 897 DPRINTF(("esp_output(): m_pad() failed for SA %s/%08x\n", 898 ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi))); 899 return ENOBUFS; 900 } 901 902 /* Self-describing or random padding ? */ 903 if (!(tdb->tdb_flags & TDBF_RANDOMPADDING)) 904 for (ilen = 0; ilen < padding - 2; ilen++) 905 pad[ilen] = ilen + 1; 906 else 907 arc4random_buf((void *) pad, padding - 2); 908 909 /* Fix padding length and Next Protocol in padding itself. */ 910 pad[padding - 2] = padding - 2; 911 m_copydata(m, protoff, sizeof(u_int8_t), pad + padding - 1); 912 913 /* Fix Next Protocol in IPv4/IPv6 header. */ 914 prot = IPPROTO_ESP; 915 m_copyback(m, protoff, sizeof(u_int8_t), &prot); 916 917 /* Get crypto descriptors. */ 918 crp = crypto_getreq(esph && espx ? 2 : 1); 919 if (crp == NULL) { 920 m_freem(m); 921 DPRINTF(("esp_output(): failed to acquire crypto " 922 "descriptors\n")); 923 espstat.esps_crypto++; 924 return ENOBUFS; 925 } 926 927 if (espx) { 928 crde = crp->crp_desc; 929 crda = crde->crd_next; 930 931 /* Encryption descriptor. */ 932 crde->crd_skip = skip + hlen; 933 crde->crd_len = m->m_pkthdr.len - (skip + hlen + alen); 934 crde->crd_flags = CRD_F_ENCRYPT; 935 crde->crd_inject = skip + hlen - tdb->tdb_ivlen; 936 937 if (tdb->tdb_flags & TDBF_HALFIV) { 938 /* Copy half-iv in the packet. */ 939 m_copyback(m, crde->crd_inject, tdb->tdb_ivlen, 940 tdb->tdb_iv); 941 942 /* Cook half-iv. */ 943 bcopy(tdb->tdb_iv, crde->crd_iv, tdb->tdb_ivlen); 944 for (ilen = 0; ilen < tdb->tdb_ivlen; ilen++) 945 crde->crd_iv[tdb->tdb_ivlen + ilen] = 946 ~crde->crd_iv[ilen]; 947 948 crde->crd_flags |= 949 CRD_F_IV_PRESENT | CRD_F_IV_EXPLICIT; 950 } 951 952 /* Encryption operation. */ 953 crde->crd_alg = espx->type; 954 crde->crd_key = tdb->tdb_emxkey; 955 crde->crd_klen = tdb->tdb_emxkeylen * 8; 956 /* XXX Rounds ? */ 957 } else 958 crda = crp->crp_desc; 959 960 /* IPsec-specific opaque crypto info. */ 961 tc = malloc(sizeof(*tc), M_XDATA, M_NOWAIT | M_ZERO); 962 if (tc == NULL) { 963 m_freem(m); 964 crypto_freereq(crp); 965 DPRINTF(("esp_output(): failed to allocate tdb_crypto\n")); 966 espstat.esps_crypto++; 967 return ENOBUFS; 968 } 969 970 tc->tc_spi = tdb->tdb_spi; 971 tc->tc_proto = tdb->tdb_sproto; 972 bcopy(&tdb->tdb_dst, &tc->tc_dst, sizeof(union sockaddr_union)); 973 974 /* Crypto operation descriptor. */ 975 crp->crp_ilen = m->m_pkthdr.len; /* Total input length. */ 976 crp->crp_flags = CRYPTO_F_IMBUF; 977 crp->crp_buf = (caddr_t) m; 978 crp->crp_callback = (int (*) (struct cryptop *)) esp_output_cb; 979 crp->crp_opaque = (caddr_t) tc; 980 crp->crp_sid = tdb->tdb_cryptoid; 981 982 if (esph) { 983 /* Authentication descriptor. */ 984 crda->crd_skip = skip; 985 crda->crd_len = m->m_pkthdr.len - (skip + alen); 986 crda->crd_inject = m->m_pkthdr.len - alen; 987 988 /* Authentication operation. */ 989 crda->crd_alg = esph->type; 990 crda->crd_key = tdb->tdb_amxkey; 991 crda->crd_klen = tdb->tdb_amxkeylen * 8; 992 } 993 994 if ((tdb->tdb_flags & TDBF_SKIPCRYPTO) == 0) 995 return crypto_dispatch(crp); 996 else 997 return esp_output_cb(crp); 998 } 999 1000 /* 1001 * ESP output callback, called directly by the crypto driver. 1002 */ 1003 int 1004 esp_output_cb(void *op) 1005 { 1006 struct cryptop *crp = (struct cryptop *) op; 1007 struct tdb_crypto *tc; 1008 struct tdb *tdb; 1009 struct mbuf *m; 1010 int error, s; 1011 1012 tc = (struct tdb_crypto *) crp->crp_opaque; 1013 1014 m = (struct mbuf *) crp->crp_buf; 1015 if (m == NULL) { 1016 /* Shouldn't happen... */ 1017 free(tc, M_XDATA); 1018 crypto_freereq(crp); 1019 espstat.esps_crypto++; 1020 DPRINTF(("esp_output_cb(): bogus returned buffer from " 1021 "crypto\n")); 1022 return (EINVAL); 1023 } 1024 1025 1026 s = spltdb(); 1027 1028 tdb = gettdb(tc->tc_spi, &tc->tc_dst, tc->tc_proto); 1029 if (tdb == NULL) { 1030 free(tc, M_XDATA); 1031 espstat.esps_notdb++; 1032 DPRINTF(("esp_output_cb(): TDB is expired while in crypto\n")); 1033 error = EPERM; 1034 goto baddone; 1035 } 1036 1037 /* Check for crypto errors. */ 1038 if (crp->crp_etype) { 1039 if (crp->crp_etype == EAGAIN) { 1040 /* Reset the session ID */ 1041 if (tdb->tdb_cryptoid != 0) 1042 tdb->tdb_cryptoid = crp->crp_sid; 1043 splx(s); 1044 return crypto_dispatch(crp); 1045 } 1046 free(tc, M_XDATA); 1047 espstat.esps_noxform++; 1048 DPRINTF(("esp_output_cb(): crypto error %d\n", 1049 crp->crp_etype)); 1050 error = crp->crp_etype; 1051 goto baddone; 1052 } 1053 free(tc, M_XDATA); 1054 1055 /* Release crypto descriptors. */ 1056 crypto_freereq(crp); 1057 1058 /* 1059 * If we're doing half-iv, keep a copy of the last few bytes of the 1060 * encrypted part, for use as the next IV. Note that HALF-IV is only 1061 * supposed to be used without authentication (the old ESP specs). 1062 */ 1063 if (tdb->tdb_flags & TDBF_HALFIV) 1064 m_copydata(m, m->m_pkthdr.len - tdb->tdb_ivlen, tdb->tdb_ivlen, 1065 tdb->tdb_iv); 1066 1067 /* Call the IPsec input callback. */ 1068 error = ipsp_process_done(m, tdb); 1069 splx(s); 1070 return error; 1071 1072 baddone: 1073 splx(s); 1074 1075 if (m != NULL) 1076 m_freem(m); 1077 1078 crypto_freereq(crp); 1079 1080 return error; 1081 } 1082 1083 /* 1084 * return 0 on success 1085 * return 1 for counter == 0 1086 * return 2 for very old packet 1087 * return 3 for packet within current window but already received 1088 */ 1089 int 1090 checkreplaywindow32(u_int32_t seq, u_int32_t initial, u_int32_t *lastseq, 1091 u_int32_t window, u_int32_t *bitmap, int commit) 1092 { 1093 u_int32_t diff, llseq, lbitmap; 1094 1095 /* Just do the checking, without "committing" any changes. */ 1096 if (commit == 0) { 1097 llseq = *lastseq; 1098 lbitmap = *bitmap; 1099 1100 lastseq = &llseq; 1101 bitmap = &lbitmap; 1102 } 1103 1104 seq -= initial; 1105 1106 if (seq == 0) 1107 return 1; 1108 1109 if (seq > *lastseq - initial) { 1110 diff = seq - (*lastseq - initial); 1111 if (diff < window) 1112 *bitmap = ((*bitmap) << diff) | 1; 1113 else 1114 *bitmap = 1; 1115 *lastseq = seq + initial; 1116 return 0; 1117 } 1118 1119 diff = *lastseq - initial - seq; 1120 if (diff >= window) { 1121 espstat.esps_wrap++; 1122 return 2; 1123 } 1124 1125 if ((*bitmap) & (((u_int32_t) 1) << diff)) { 1126 espstat.esps_replay++; 1127 return 3; 1128 } 1129 1130 *bitmap |= (((u_int32_t) 1) << diff); 1131 return 0; 1132 } 1133 1134 /* 1135 * m_pad(m, n) pads <m> with <n> bytes at the end. The packet header 1136 * length is updated, and a pointer to the first byte of the padding 1137 * (which is guaranteed to be all in one mbuf) is returned. 1138 */ 1139 1140 caddr_t 1141 m_pad(struct mbuf *m, int n) 1142 { 1143 struct mbuf *m0, *m1; 1144 int len, pad; 1145 caddr_t retval; 1146 1147 if (n <= 0) { /* No stupid arguments. */ 1148 DPRINTF(("m_pad(): pad length invalid (%d)\n", n)); 1149 m_freem(m); 1150 return NULL; 1151 } 1152 1153 len = m->m_pkthdr.len; 1154 pad = n; 1155 m0 = m; 1156 1157 while (m0->m_len < len) { 1158 len -= m0->m_len; 1159 m0 = m0->m_next; 1160 } 1161 1162 if (m0->m_len != len) { 1163 DPRINTF(("m_pad(): length mismatch (should be %d instead of " 1164 "%d)\n", m->m_pkthdr.len, 1165 m->m_pkthdr.len + m0->m_len - len)); 1166 1167 m_freem(m); 1168 return NULL; 1169 } 1170 1171 /* Check for zero-length trailing mbufs, and find the last one. */ 1172 for (m1 = m0; m1->m_next; m1 = m1->m_next) { 1173 if (m1->m_next->m_len != 0) { 1174 DPRINTF(("m_pad(): length mismatch (should be %d " 1175 "instead of %d)\n", m->m_pkthdr.len, 1176 m->m_pkthdr.len + m1->m_next->m_len)); 1177 1178 m_freem(m); 1179 return NULL; 1180 } 1181 1182 m0 = m1->m_next; 1183 } 1184 1185 if ((m0->m_flags & M_EXT) || 1186 m0->m_data + m0->m_len + pad >= &(m0->m_dat[MLEN])) { 1187 /* Add an mbuf to the chain. */ 1188 MGET(m1, M_DONTWAIT, MT_DATA); 1189 if (m1 == 0) { 1190 m_freem(m0); 1191 DPRINTF(("m_pad(): cannot append\n")); 1192 return NULL; 1193 } 1194 1195 m0->m_next = m1; 1196 m0 = m1; 1197 m0->m_len = 0; 1198 } 1199 1200 retval = m0->m_data + m0->m_len; 1201 m0->m_len += pad; 1202 m->m_pkthdr.len += pad; 1203 1204 return retval; 1205 } 1206