1 /* $OpenBSD: ip_esp.c,v 1.162 2021/02/25 02:48:21 dlg Exp $ */ 2 /* 3 * The authors of this code are John Ioannidis (ji@tla.org), 4 * Angelos D. Keromytis (kermit@csd.uch.gr) and 5 * Niels Provos (provos@physnet.uni-hamburg.de). 6 * 7 * The original version of this code was written by John Ioannidis 8 * for BSD/OS in Athens, Greece, in November 1995. 9 * 10 * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996, 11 * by Angelos D. Keromytis. 12 * 13 * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis 14 * and Niels Provos. 15 * 16 * Additional features in 1999 by Angelos D. Keromytis. 17 * 18 * Copyright (C) 1995, 1996, 1997, 1998, 1999 by John Ioannidis, 19 * Angelos D. Keromytis and Niels Provos. 20 * Copyright (c) 2001 Angelos D. Keromytis. 21 * 22 * Permission to use, copy, and modify this software with or without fee 23 * is hereby granted, provided that this entire notice is included in 24 * all copies of any software which is or includes a copy or 25 * modification of this software. 26 * You may use this code under the GNU public license if you so wish. Please 27 * contribute changes back to the authors under this freer than GPL license 28 * so that we may further the use of strong encryption without limitations to 29 * all. 30 * 31 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR 32 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY 33 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE 34 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR 35 * PURPOSE. 36 */ 37 38 #include "pfsync.h" 39 40 #include <sys/param.h> 41 #include <sys/systm.h> 42 #include <sys/mbuf.h> 43 #include <sys/socket.h> 44 45 #include <net/if.h> 46 #include <net/if_var.h> 47 #include <net/bpf.h> 48 49 #include <netinet/in.h> 50 #include <netinet/ip.h> 51 #include <netinet/ip_var.h> 52 53 #ifdef INET6 54 #include <netinet/ip6.h> 55 #endif /* INET6 */ 56 57 #include <netinet/ip_ipsp.h> 58 #include <netinet/ip_esp.h> 59 #include <net/pfkeyv2.h> 60 #include <net/if_enc.h> 61 62 #if NPFSYNC > 0 63 #include <net/pfvar.h> 64 #include <net/if_pfsync.h> 65 #endif /* NPFSYNC > 0 */ 66 67 #include <crypto/cryptodev.h> 68 #include <crypto/xform.h> 69 70 #include "bpfilter.h" 71 72 #ifdef ENCDEBUG 73 #define DPRINTF(x) if (encdebug) printf x 74 #else 75 #define DPRINTF(x) 76 #endif 77 78 /* 79 * esp_attach() is called from the transformation initialization code. 80 */ 81 int 82 esp_attach(void) 83 { 84 return 0; 85 } 86 87 /* 88 * esp_init() is called when an SPI is being set up. 89 */ 90 int 91 esp_init(struct tdb *tdbp, struct xformsw *xsp, struct ipsecinit *ii) 92 { 93 struct enc_xform *txform = NULL; 94 struct auth_hash *thash = NULL; 95 struct cryptoini cria, crie, crin; 96 97 if (!ii->ii_encalg && !ii->ii_authalg) { 98 DPRINTF(("esp_init(): neither authentication nor encryption " 99 "algorithm given")); 100 return EINVAL; 101 } 102 103 if (ii->ii_encalg) { 104 switch (ii->ii_encalg) { 105 case SADB_EALG_NULL: 106 txform = &enc_xform_null; 107 break; 108 109 case SADB_EALG_3DESCBC: 110 txform = &enc_xform_3des; 111 break; 112 113 case SADB_X_EALG_AES: 114 txform = &enc_xform_aes; 115 break; 116 117 case SADB_X_EALG_AESCTR: 118 txform = &enc_xform_aes_ctr; 119 break; 120 121 case SADB_X_EALG_AESGCM16: 122 txform = &enc_xform_aes_gcm; 123 break; 124 125 case SADB_X_EALG_AESGMAC: 126 txform = &enc_xform_aes_gmac; 127 break; 128 129 case SADB_X_EALG_CHACHA20POLY1305: 130 txform = &enc_xform_chacha20_poly1305; 131 break; 132 133 case SADB_X_EALG_BLF: 134 txform = &enc_xform_blf; 135 break; 136 137 case SADB_X_EALG_CAST: 138 txform = &enc_xform_cast5; 139 break; 140 141 default: 142 DPRINTF(("esp_init(): unsupported encryption " 143 "algorithm %d specified\n", ii->ii_encalg)); 144 return EINVAL; 145 } 146 147 if (ii->ii_enckeylen < txform->minkey) { 148 DPRINTF(("esp_init(): keylength %d too small " 149 "(min length is %d) for algorithm %s\n", 150 ii->ii_enckeylen, txform->minkey, txform->name)); 151 return EINVAL; 152 } 153 154 if (ii->ii_enckeylen > txform->maxkey) { 155 DPRINTF(("esp_init(): keylength %d too large " 156 "(max length is %d) for algorithm %s\n", 157 ii->ii_enckeylen, txform->maxkey, txform->name)); 158 return EINVAL; 159 } 160 161 if (ii->ii_encalg == SADB_X_EALG_AESGCM16 || 162 ii->ii_encalg == SADB_X_EALG_AESGMAC) { 163 switch (ii->ii_enckeylen) { 164 case 20: 165 ii->ii_authalg = SADB_X_AALG_AES128GMAC; 166 break; 167 case 28: 168 ii->ii_authalg = SADB_X_AALG_AES192GMAC; 169 break; 170 case 36: 171 ii->ii_authalg = SADB_X_AALG_AES256GMAC; 172 break; 173 } 174 ii->ii_authkeylen = ii->ii_enckeylen; 175 ii->ii_authkey = ii->ii_enckey; 176 } else if (ii->ii_encalg == SADB_X_EALG_CHACHA20POLY1305) { 177 ii->ii_authalg = SADB_X_AALG_CHACHA20POLY1305; 178 ii->ii_authkeylen = ii->ii_enckeylen; 179 ii->ii_authkey = ii->ii_enckey; 180 } 181 182 tdbp->tdb_encalgxform = txform; 183 184 DPRINTF(("esp_init(): initialized TDB with enc algorithm %s\n", 185 txform->name)); 186 187 tdbp->tdb_ivlen = txform->ivsize; 188 } 189 190 if (ii->ii_authalg) { 191 switch (ii->ii_authalg) { 192 case SADB_AALG_MD5HMAC: 193 thash = &auth_hash_hmac_md5_96; 194 break; 195 196 case SADB_AALG_SHA1HMAC: 197 thash = &auth_hash_hmac_sha1_96; 198 break; 199 200 case SADB_X_AALG_RIPEMD160HMAC: 201 thash = &auth_hash_hmac_ripemd_160_96; 202 break; 203 204 case SADB_X_AALG_SHA2_256: 205 thash = &auth_hash_hmac_sha2_256_128; 206 break; 207 208 case SADB_X_AALG_SHA2_384: 209 thash = &auth_hash_hmac_sha2_384_192; 210 break; 211 212 case SADB_X_AALG_SHA2_512: 213 thash = &auth_hash_hmac_sha2_512_256; 214 break; 215 216 case SADB_X_AALG_AES128GMAC: 217 thash = &auth_hash_gmac_aes_128; 218 break; 219 220 case SADB_X_AALG_AES192GMAC: 221 thash = &auth_hash_gmac_aes_192; 222 break; 223 224 case SADB_X_AALG_AES256GMAC: 225 thash = &auth_hash_gmac_aes_256; 226 break; 227 228 case SADB_X_AALG_CHACHA20POLY1305: 229 thash = &auth_hash_chacha20_poly1305; 230 break; 231 232 default: 233 DPRINTF(("esp_init(): unsupported authentication " 234 "algorithm %d specified\n", ii->ii_authalg)); 235 return EINVAL; 236 } 237 238 if (ii->ii_authkeylen != thash->keysize) { 239 DPRINTF(("esp_init(): keylength %d doesn't match " 240 "algorithm %s keysize (%d)\n", ii->ii_authkeylen, 241 thash->name, thash->keysize)); 242 return EINVAL; 243 } 244 245 tdbp->tdb_authalgxform = thash; 246 247 DPRINTF(("esp_init(): initialized TDB with hash algorithm %s\n", 248 thash->name)); 249 } 250 251 tdbp->tdb_xform = xsp; 252 tdbp->tdb_rpl = AH_HMAC_INITIAL_RPL; 253 254 /* Initialize crypto session */ 255 if (tdbp->tdb_encalgxform) { 256 /* Save the raw keys */ 257 tdbp->tdb_emxkeylen = ii->ii_enckeylen; 258 tdbp->tdb_emxkey = malloc(tdbp->tdb_emxkeylen, M_XDATA, 259 M_WAITOK); 260 memcpy(tdbp->tdb_emxkey, ii->ii_enckey, tdbp->tdb_emxkeylen); 261 262 memset(&crie, 0, sizeof(crie)); 263 264 crie.cri_alg = tdbp->tdb_encalgxform->type; 265 266 if (tdbp->tdb_authalgxform) 267 crie.cri_next = &cria; 268 else 269 crie.cri_next = NULL; 270 271 crie.cri_klen = ii->ii_enckeylen * 8; 272 crie.cri_key = ii->ii_enckey; 273 /* XXX Rounds ? */ 274 } 275 276 if (tdbp->tdb_authalgxform) { 277 /* Save the raw keys */ 278 tdbp->tdb_amxkeylen = ii->ii_authkeylen; 279 tdbp->tdb_amxkey = malloc(tdbp->tdb_amxkeylen, M_XDATA, 280 M_WAITOK); 281 memcpy(tdbp->tdb_amxkey, ii->ii_authkey, tdbp->tdb_amxkeylen); 282 283 memset(&cria, 0, sizeof(cria)); 284 285 cria.cri_alg = tdbp->tdb_authalgxform->type; 286 287 if ((tdbp->tdb_wnd > 0) && (tdbp->tdb_flags & TDBF_ESN)) { 288 memset(&crin, 0, sizeof(crin)); 289 crin.cri_alg = CRYPTO_ESN; 290 cria.cri_next = &crin; 291 } 292 293 cria.cri_klen = ii->ii_authkeylen * 8; 294 cria.cri_key = ii->ii_authkey; 295 } 296 297 return crypto_newsession(&tdbp->tdb_cryptoid, 298 (tdbp->tdb_encalgxform ? &crie : &cria), 0); 299 } 300 301 /* 302 * Paranoia. 303 */ 304 int 305 esp_zeroize(struct tdb *tdbp) 306 { 307 int err; 308 309 if (tdbp->tdb_amxkey) { 310 explicit_bzero(tdbp->tdb_amxkey, tdbp->tdb_amxkeylen); 311 free(tdbp->tdb_amxkey, M_XDATA, tdbp->tdb_amxkeylen); 312 tdbp->tdb_amxkey = NULL; 313 } 314 315 if (tdbp->tdb_emxkey) { 316 explicit_bzero(tdbp->tdb_emxkey, tdbp->tdb_emxkeylen); 317 free(tdbp->tdb_emxkey, M_XDATA, tdbp->tdb_emxkeylen); 318 tdbp->tdb_emxkey = NULL; 319 } 320 321 err = crypto_freesession(tdbp->tdb_cryptoid); 322 tdbp->tdb_cryptoid = 0; 323 return err; 324 } 325 326 #define MAXBUFSIZ (AH_ALEN_MAX > ESP_MAX_IVS ? AH_ALEN_MAX : ESP_MAX_IVS) 327 328 /* 329 * ESP input processing, called (eventually) through the protocol switch. 330 */ 331 int 332 esp_input(struct mbuf *m, struct tdb *tdb, int skip, int protoff) 333 { 334 struct auth_hash *esph = (struct auth_hash *) tdb->tdb_authalgxform; 335 struct enc_xform *espx = (struct enc_xform *) tdb->tdb_encalgxform; 336 struct cryptodesc *crde = NULL, *crda = NULL; 337 struct cryptop *crp = NULL; 338 struct tdb_crypto *tc = NULL; 339 int plen, alen, hlen, error; 340 u_int32_t btsx, esn; 341 u_int64_t ibytes; 342 #ifdef ENCDEBUG 343 char buf[INET6_ADDRSTRLEN]; 344 #endif 345 346 /* Determine the ESP header length */ 347 hlen = 2 * sizeof(u_int32_t) + tdb->tdb_ivlen; /* "new" ESP */ 348 alen = esph ? esph->authsize : 0; 349 plen = m->m_pkthdr.len - (skip + hlen + alen); 350 if (plen <= 0) { 351 DPRINTF(("%s: invalid payload length\n", __func__)); 352 espstat_inc(esps_badilen); 353 error = EINVAL; 354 goto drop; 355 } 356 357 if (espx) { 358 /* 359 * Verify payload length is multiple of encryption algorithm 360 * block size. 361 */ 362 if (plen & (espx->blocksize - 1)) { 363 DPRINTF(("%s: payload of %d octets not a multiple of %d" 364 " octets, SA %s/%08x\n", __func__, 365 plen, espx->blocksize, ipsp_address(&tdb->tdb_dst, 366 buf, sizeof(buf)), ntohl(tdb->tdb_spi))); 367 espstat_inc(esps_badilen); 368 error = EINVAL; 369 goto drop; 370 } 371 } 372 373 /* Replay window checking, if appropriate -- no value commitment. */ 374 if (tdb->tdb_wnd > 0) { 375 m_copydata(m, skip + sizeof(u_int32_t), sizeof(u_int32_t), 376 &btsx); 377 btsx = ntohl(btsx); 378 379 switch (checkreplaywindow(tdb, btsx, &esn, 0)) { 380 case 0: /* All's well */ 381 break; 382 case 1: 383 DPRINTF(("%s: replay counter wrapped for SA %s/%08x\n", 384 __func__, 385 ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)), 386 ntohl(tdb->tdb_spi))); 387 espstat_inc(esps_wrap); 388 error = EACCES; 389 goto drop; 390 case 2: 391 DPRINTF(("%s: old packet received in SA %s/%08x\n", 392 __func__, 393 ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)), 394 ntohl(tdb->tdb_spi))); 395 espstat_inc(esps_replay); 396 error = EACCES; 397 goto drop; 398 case 3: 399 DPRINTF(("%s: duplicate packet received" 400 " in SA %s/%08x\n", __func__, 401 ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)), 402 ntohl(tdb->tdb_spi))); 403 espstat_inc(esps_replay); 404 error = EACCES; 405 goto drop; 406 default: 407 DPRINTF(("%s: bogus value from" 408 " checkreplaywindow() in SA %s/%08x\n", 409 __func__, 410 ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)), 411 ntohl(tdb->tdb_spi))); 412 espstat_inc(esps_replay); 413 error = EACCES; 414 goto drop; 415 } 416 } 417 418 /* Update the counters */ 419 ibytes = m->m_pkthdr.len - skip - hlen - alen; 420 tdb->tdb_cur_bytes += ibytes; 421 tdb->tdb_ibytes += ibytes; 422 espstat_add(esps_ibytes, ibytes); 423 424 /* Hard expiration */ 425 if ((tdb->tdb_flags & TDBF_BYTES) && 426 (tdb->tdb_cur_bytes >= tdb->tdb_exp_bytes)) { 427 pfkeyv2_expire(tdb, SADB_EXT_LIFETIME_HARD); 428 tdb_delete(tdb); 429 error = ENXIO; 430 goto drop; 431 } 432 433 /* Notify on soft expiration */ 434 if ((tdb->tdb_flags & TDBF_SOFT_BYTES) && 435 (tdb->tdb_cur_bytes >= tdb->tdb_soft_bytes)) { 436 pfkeyv2_expire(tdb, SADB_EXT_LIFETIME_SOFT); 437 tdb->tdb_flags &= ~TDBF_SOFT_BYTES; /* Turn off checking */ 438 } 439 440 /* Get crypto descriptors */ 441 crp = crypto_getreq(esph && espx ? 2 : 1); 442 if (crp == NULL) { 443 DPRINTF(("%s: failed to acquire crypto descriptors\n", __func__)); 444 espstat_inc(esps_crypto); 445 error = ENOBUFS; 446 goto drop; 447 } 448 449 /* Get IPsec-specific opaque pointer */ 450 if (esph == NULL) 451 tc = malloc(sizeof(*tc), M_XDATA, M_NOWAIT | M_ZERO); 452 else 453 tc = malloc(sizeof(*tc) + alen, M_XDATA, M_NOWAIT | M_ZERO); 454 if (tc == NULL) { 455 DPRINTF(("%s: failed to allocate tdb_crypto\n", __func__)); 456 espstat_inc(esps_crypto); 457 error = ENOBUFS; 458 goto drop; 459 } 460 461 if (esph) { 462 crda = &crp->crp_desc[0]; 463 crde = &crp->crp_desc[1]; 464 465 /* Authentication descriptor */ 466 crda->crd_skip = skip; 467 crda->crd_inject = m->m_pkthdr.len - alen; 468 469 crda->crd_alg = esph->type; 470 crda->crd_key = tdb->tdb_amxkey; 471 crda->crd_klen = tdb->tdb_amxkeylen * 8; 472 473 if ((tdb->tdb_wnd > 0) && (tdb->tdb_flags & TDBF_ESN)) { 474 esn = htonl(esn); 475 memcpy(crda->crd_esn, &esn, 4); 476 crda->crd_flags |= CRD_F_ESN; 477 } 478 479 if (espx && 480 (espx->type == CRYPTO_AES_GCM_16 || 481 espx->type == CRYPTO_CHACHA20_POLY1305)) 482 crda->crd_len = hlen - tdb->tdb_ivlen; 483 else 484 crda->crd_len = m->m_pkthdr.len - (skip + alen); 485 486 /* Copy the authenticator */ 487 m_copydata(m, m->m_pkthdr.len - alen, alen, tc + 1); 488 } else 489 crde = &crp->crp_desc[0]; 490 491 /* Crypto operation descriptor */ 492 crp->crp_ilen = m->m_pkthdr.len; /* Total input length */ 493 crp->crp_flags = CRYPTO_F_IMBUF; 494 crp->crp_buf = (caddr_t)m; 495 crp->crp_callback = ipsec_input_cb; 496 crp->crp_sid = tdb->tdb_cryptoid; 497 crp->crp_opaque = (caddr_t)tc; 498 499 /* These are passed as-is to the callback */ 500 tc->tc_skip = skip; 501 tc->tc_protoff = protoff; 502 tc->tc_spi = tdb->tdb_spi; 503 tc->tc_proto = tdb->tdb_sproto; 504 tc->tc_rdomain = tdb->tdb_rdomain; 505 tc->tc_dst = tdb->tdb_dst; 506 507 /* Decryption descriptor */ 508 if (espx) { 509 crde->crd_skip = skip + hlen; 510 crde->crd_inject = skip + hlen - tdb->tdb_ivlen; 511 crde->crd_alg = espx->type; 512 crde->crd_key = tdb->tdb_emxkey; 513 crde->crd_klen = tdb->tdb_emxkeylen * 8; 514 /* XXX Rounds ? */ 515 516 if (crde->crd_alg == CRYPTO_AES_GMAC) 517 crde->crd_len = 0; 518 else 519 crde->crd_len = m->m_pkthdr.len - (skip + hlen + alen); 520 } 521 522 return crypto_dispatch(crp); 523 524 drop: 525 m_freem(m); 526 crypto_freereq(crp); 527 free(tc, M_XDATA, 0); 528 return error; 529 } 530 531 /* 532 * ESP input callback, called directly by the crypto driver. 533 */ 534 int 535 esp_input_cb(struct tdb *tdb, struct tdb_crypto *tc, struct mbuf *m, int clen) 536 { 537 u_int8_t lastthree[3], aalg[AH_HMAC_MAX_HASHLEN]; 538 int hlen, roff, skip, protoff; 539 struct mbuf *m1, *mo; 540 struct auth_hash *esph; 541 u_int32_t btsx, esn; 542 caddr_t ptr; 543 #ifdef ENCDEBUG 544 char buf[INET6_ADDRSTRLEN]; 545 #endif 546 547 skip = tc->tc_skip; 548 protoff = tc->tc_protoff; 549 550 NET_ASSERT_LOCKED(); 551 552 esph = (struct auth_hash *) tdb->tdb_authalgxform; 553 554 /* If authentication was performed, check now. */ 555 if (esph != NULL) { 556 /* Copy the authenticator from the packet */ 557 m_copydata(m, m->m_pkthdr.len - esph->authsize, 558 esph->authsize, aalg); 559 560 ptr = (caddr_t) (tc + 1); 561 562 /* Verify authenticator */ 563 if (timingsafe_bcmp(ptr, aalg, esph->authsize)) { 564 DPRINTF(("%s: authentication " 565 "failed for packet in SA %s/%08x\n", __func__, 566 ipsp_address(&tdb->tdb_dst, buf, 567 sizeof(buf)), ntohl(tdb->tdb_spi))); 568 espstat_inc(esps_badauth); 569 goto baddone; 570 } 571 572 /* Remove trailing authenticator */ 573 m_adj(m, -(esph->authsize)); 574 } 575 576 /* Replay window checking, if appropriate */ 577 if (tdb->tdb_wnd > 0) { 578 m_copydata(m, skip + sizeof(u_int32_t), sizeof(u_int32_t), 579 &btsx); 580 btsx = ntohl(btsx); 581 582 switch (checkreplaywindow(tdb, btsx, &esn, 1)) { 583 case 0: /* All's well */ 584 #if NPFSYNC > 0 585 pfsync_update_tdb(tdb,0); 586 #endif 587 break; 588 589 case 1: 590 DPRINTF(("%s: replay counter wrapped for SA %s/%08x\n", 591 __func__, 592 ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)), 593 ntohl(tdb->tdb_spi))); 594 espstat_inc(esps_wrap); 595 goto baddone; 596 case 2: 597 DPRINTF(("%s: old packet received in SA %s/%08x\n", 598 __func__, 599 ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)), 600 ntohl(tdb->tdb_spi))); 601 espstat_inc(esps_replay); 602 goto baddone; 603 case 3: 604 DPRINTF(("%s: duplicate packet received" 605 " in SA %s/%08x\n", __func__, 606 ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)), 607 ntohl(tdb->tdb_spi))); 608 espstat_inc(esps_replay); 609 goto baddone; 610 default: 611 DPRINTF(("%s: bogus value from" 612 " checkreplaywindow() in SA %s/%08x\n", __func__, 613 ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)), 614 ntohl(tdb->tdb_spi))); 615 espstat_inc(esps_replay); 616 goto baddone; 617 } 618 } 619 620 /* Determine the ESP header length */ 621 hlen = 2 * sizeof(u_int32_t) + tdb->tdb_ivlen; 622 623 /* Find beginning of ESP header */ 624 m1 = m_getptr(m, skip, &roff); 625 if (m1 == NULL) { 626 DPRINTF(("%s: bad mbuf chain, SA %s/%08x\n", __func__, 627 ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)), 628 ntohl(tdb->tdb_spi))); 629 espstat_inc(esps_hdrops); 630 goto baddone; 631 } 632 633 /* Remove the ESP header and IV from the mbuf. */ 634 if (roff == 0) { 635 /* The ESP header was conveniently at the beginning of the mbuf */ 636 m_adj(m1, hlen); 637 /* 638 * If m1 is the first mbuf, it has set M_PKTHDR and m_adj() 639 * has already adjusted the packet header length for us. 640 */ 641 if (m1 != m) 642 m->m_pkthdr.len -= hlen; 643 } else if (roff + hlen >= m1->m_len) { 644 int adjlen; 645 646 /* 647 * Part or all of the ESP header is at the end of this mbuf, so 648 * first let's remove the remainder of the ESP header from the 649 * beginning of the remainder of the mbuf chain, if any. 650 */ 651 if (roff + hlen > m1->m_len) { 652 adjlen = roff + hlen - m1->m_len; 653 654 /* Adjust the next mbuf by the remainder */ 655 m_adj(m1->m_next, adjlen); 656 657 /* The second mbuf is guaranteed not to have a pkthdr */ 658 m->m_pkthdr.len -= adjlen; 659 } 660 661 /* Now, let's unlink the mbuf chain for a second...*/ 662 mo = m1->m_next; 663 m1->m_next = NULL; 664 665 /* ...and trim the end of the first part of the chain...sick */ 666 adjlen = m1->m_len - roff; 667 m_adj(m1, -adjlen); 668 /* 669 * If m1 is the first mbuf, it has set M_PKTHDR and m_adj() 670 * has already adjusted the packet header length for us. 671 */ 672 if (m1 != m) 673 m->m_pkthdr.len -= adjlen; 674 675 /* Finally, let's relink */ 676 m1->m_next = mo; 677 } else { 678 /* 679 * The ESP header lies in the "middle" of the mbuf...do an 680 * overlapping copy of the remainder of the mbuf over the ESP 681 * header. 682 */ 683 memmove(mtod(m1, u_char *) + roff, 684 mtod(m1, u_char *) + roff + hlen, 685 m1->m_len - (roff + hlen)); 686 m1->m_len -= hlen; 687 m->m_pkthdr.len -= hlen; 688 } 689 690 /* Save the last three bytes of decrypted data */ 691 m_copydata(m, m->m_pkthdr.len - 3, 3, lastthree); 692 693 /* Verify pad length */ 694 if (lastthree[1] + 2 > m->m_pkthdr.len - skip) { 695 DPRINTF(("%s: invalid padding length %d for packet in " 696 "SA %s/%08x\n", __func__, lastthree[1], 697 ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)), 698 ntohl(tdb->tdb_spi))); 699 espstat_inc(esps_badilen); 700 goto baddone; 701 } 702 703 /* Verify correct decryption by checking the last padding bytes */ 704 if ((lastthree[1] != lastthree[0]) && (lastthree[1] != 0)) { 705 DPRINTF(("%s: decryption failed for packet in SA %s/%08x\n", 706 __func__, ipsp_address(&tdb->tdb_dst, buf, 707 sizeof(buf)), ntohl(tdb->tdb_spi))); 708 espstat_inc(esps_badenc); 709 goto baddone; 710 } 711 712 /* Trim the mbuf chain to remove the trailing authenticator and padding */ 713 m_adj(m, -(lastthree[1] + 2)); 714 715 /* Restore the Next Protocol field */ 716 m_copyback(m, protoff, sizeof(u_int8_t), lastthree + 2, M_NOWAIT); 717 718 /* Release the crypto descriptors */ 719 free(tc, M_XDATA, 0); 720 721 /* Back to generic IPsec input processing */ 722 return ipsec_common_input_cb(m, tdb, skip, protoff); 723 724 baddone: 725 m_freem(m); 726 free(tc, M_XDATA, 0); 727 return -1; 728 } 729 730 /* 731 * ESP output routine, called by ipsp_process_packet(). 732 */ 733 int 734 esp_output(struct mbuf *m, struct tdb *tdb, struct mbuf **mp, int skip, 735 int protoff) 736 { 737 struct enc_xform *espx = (struct enc_xform *) tdb->tdb_encalgxform; 738 struct auth_hash *esph = (struct auth_hash *) tdb->tdb_authalgxform; 739 int ilen, hlen, rlen, padding, blks, alen, roff, error; 740 u_int64_t replay64; 741 u_int32_t replay; 742 struct mbuf *mi, *mo = (struct mbuf *) NULL; 743 struct tdb_crypto *tc = NULL; 744 unsigned char *pad; 745 u_int8_t prot; 746 #ifdef ENCDEBUG 747 char buf[INET6_ADDRSTRLEN]; 748 #endif 749 struct cryptodesc *crde = NULL, *crda = NULL; 750 struct cryptop *crp = NULL; 751 #if NBPFILTER > 0 752 struct ifnet *encif; 753 754 if ((encif = enc_getif(tdb->tdb_rdomain, tdb->tdb_tap)) != NULL) { 755 encif->if_opackets++; 756 encif->if_obytes += m->m_pkthdr.len; 757 758 if (encif->if_bpf) { 759 struct enchdr hdr; 760 761 memset(&hdr, 0, sizeof(hdr)); 762 763 hdr.af = tdb->tdb_dst.sa.sa_family; 764 hdr.spi = tdb->tdb_spi; 765 if (espx) 766 hdr.flags |= M_CONF; 767 if (esph) 768 hdr.flags |= M_AUTH; 769 770 bpf_mtap_hdr(encif->if_bpf, (char *)&hdr, 771 ENC_HDRLEN, m, BPF_DIRECTION_OUT); 772 } 773 } 774 #endif 775 776 hlen = 2 * sizeof(u_int32_t) + tdb->tdb_ivlen; 777 778 rlen = m->m_pkthdr.len - skip; /* Raw payload length. */ 779 if (espx) 780 blks = MAX(espx->blocksize, 4); 781 else 782 blks = 4; /* If no encryption, we have to be 4-byte aligned. */ 783 784 padding = ((blks - ((rlen + 2) % blks)) % blks) + 2; 785 786 alen = esph ? esph->authsize : 0; 787 espstat_inc(esps_output); 788 789 switch (tdb->tdb_dst.sa.sa_family) { 790 case AF_INET: 791 /* Check for IP maximum packet size violations. */ 792 if (skip + hlen + rlen + padding + alen > IP_MAXPACKET) { 793 DPRINTF(("%s: packet in SA %s/%08x got too big\n", 794 __func__, ipsp_address(&tdb->tdb_dst, buf, 795 sizeof(buf)), 796 ntohl(tdb->tdb_spi))); 797 espstat_inc(esps_toobig); 798 error = EMSGSIZE; 799 goto drop; 800 } 801 break; 802 803 #ifdef INET6 804 case AF_INET6: 805 /* Check for IPv6 maximum packet size violations. */ 806 if (skip + hlen + rlen + padding + alen > IPV6_MAXPACKET) { 807 DPRINTF(("%s: packet in SA %s/%08x got too big\n", 808 __func__, ipsp_address(&tdb->tdb_dst, buf, 809 sizeof(buf)), ntohl(tdb->tdb_spi))); 810 espstat_inc(esps_toobig); 811 error = EMSGSIZE; 812 goto drop; 813 } 814 break; 815 #endif /* INET6 */ 816 817 default: 818 DPRINTF(("%s: unknown/unsupported protocol family %d, " 819 "SA %s/%08x\n", __func__, tdb->tdb_dst.sa.sa_family, 820 ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)), 821 ntohl(tdb->tdb_spi))); 822 espstat_inc(esps_nopf); 823 error = EPFNOSUPPORT; 824 goto drop; 825 } 826 827 /* Update the counters. */ 828 tdb->tdb_cur_bytes += m->m_pkthdr.len - skip; 829 espstat_add(esps_obytes, m->m_pkthdr.len - skip); 830 831 /* Hard byte expiration. */ 832 if (tdb->tdb_flags & TDBF_BYTES && 833 tdb->tdb_cur_bytes >= tdb->tdb_exp_bytes) { 834 pfkeyv2_expire(tdb, SADB_EXT_LIFETIME_HARD); 835 tdb_delete(tdb); 836 error = EINVAL; 837 goto drop; 838 } 839 840 /* Soft byte expiration. */ 841 if (tdb->tdb_flags & TDBF_SOFT_BYTES && 842 tdb->tdb_cur_bytes >= tdb->tdb_soft_bytes) { 843 pfkeyv2_expire(tdb, SADB_EXT_LIFETIME_SOFT); 844 tdb->tdb_flags &= ~TDBF_SOFT_BYTES; /* Turn off checking. */ 845 } 846 847 /* 848 * Loop through mbuf chain; if we find a readonly mbuf, 849 * copy the packet. 850 */ 851 mi = m; 852 while (mi != NULL && !M_READONLY(mi)) 853 mi = mi->m_next; 854 855 if (mi != NULL) { 856 struct mbuf *n = m_dup_pkt(m, 0, M_DONTWAIT); 857 858 if (n == NULL) { 859 DPRINTF(("%s: bad mbuf chain, SA %s/%08x\n", __func__, 860 ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)), 861 ntohl(tdb->tdb_spi))); 862 espstat_inc(esps_hdrops); 863 error = ENOBUFS; 864 goto drop; 865 } 866 867 m_freem(m); 868 m = n; 869 } 870 871 /* Inject ESP header. */ 872 mo = m_makespace(m, skip, hlen, &roff); 873 if (mo == NULL) { 874 DPRINTF(("%s: failed to inject ESP header for SA %s/%08x\n", 875 __func__, ipsp_address(&tdb->tdb_dst, buf, 876 sizeof(buf)), ntohl(tdb->tdb_spi))); 877 espstat_inc(esps_hdrops); 878 error = ENOBUFS; 879 goto drop; 880 } 881 882 /* Initialize ESP header. */ 883 memcpy(mtod(mo, caddr_t) + roff, (caddr_t) &tdb->tdb_spi, 884 sizeof(u_int32_t)); 885 replay64 = tdb->tdb_rpl++; /* used for both header and ESN */ 886 replay = htonl((u_int32_t)replay64); 887 memcpy(mtod(mo, caddr_t) + roff + sizeof(u_int32_t), (caddr_t) &replay, 888 sizeof(u_int32_t)); 889 890 #if NPFSYNC > 0 891 pfsync_update_tdb(tdb,1); 892 #endif 893 894 /* 895 * Add padding -- better to do it ourselves than use the crypto engine, 896 * although if/when we support compression, we'd have to do that. 897 */ 898 mo = m_makespace(m, m->m_pkthdr.len, padding + alen, &roff); 899 if (mo == NULL) { 900 DPRINTF(("%s: m_makespace() failed for SA %s/%08x\n", __func__, 901 ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)), 902 ntohl(tdb->tdb_spi))); 903 espstat_inc(esps_hdrops); 904 error = ENOBUFS; 905 goto drop; 906 } 907 pad = mtod(mo, caddr_t) + roff; 908 909 /* Apply self-describing padding */ 910 for (ilen = 0; ilen < padding - 2; ilen++) 911 pad[ilen] = ilen + 1; 912 913 /* Fix padding length and Next Protocol in padding itself. */ 914 pad[padding - 2] = padding - 2; 915 m_copydata(m, protoff, sizeof(u_int8_t), pad + padding - 1); 916 917 /* Fix Next Protocol in IPv4/IPv6 header. */ 918 prot = IPPROTO_ESP; 919 m_copyback(m, protoff, sizeof(u_int8_t), &prot, M_NOWAIT); 920 921 /* Get crypto descriptors. */ 922 crp = crypto_getreq(esph && espx ? 2 : 1); 923 if (crp == NULL) { 924 DPRINTF(("%s: failed to acquire crypto descriptors\n", 925 __func__)); 926 espstat_inc(esps_crypto); 927 error = ENOBUFS; 928 goto drop; 929 } 930 931 if (espx) { 932 crde = &crp->crp_desc[0]; 933 crda = &crp->crp_desc[1]; 934 935 /* Encryption descriptor. */ 936 crde->crd_skip = skip + hlen; 937 crde->crd_flags = CRD_F_ENCRYPT | CRD_F_IV_EXPLICIT; 938 crde->crd_inject = skip + hlen - tdb->tdb_ivlen; 939 940 /* Encryption operation. */ 941 crde->crd_alg = espx->type; 942 crde->crd_key = tdb->tdb_emxkey; 943 crde->crd_klen = tdb->tdb_emxkeylen * 8; 944 /* XXX Rounds ? */ 945 946 if (crde->crd_alg == CRYPTO_AES_GMAC) 947 crde->crd_len = 0; 948 else 949 crde->crd_len = m->m_pkthdr.len - (skip + hlen + alen); 950 951 /* GCM & friends just require a NONCE (non-repeating!) */ 952 if (espx->type == CRYPTO_AES_CTR || 953 espx->type == CRYPTO_AES_GCM_16 || 954 espx->type == CRYPTO_CHACHA20_POLY1305) 955 bcopy(&replay64, crde->crd_iv, sizeof(replay64)); 956 else 957 arc4random_buf(crde->crd_iv, espx->ivsize); 958 } else 959 crda = &crp->crp_desc[0]; 960 961 /* IPsec-specific opaque crypto info. */ 962 tc = malloc(sizeof(*tc), M_XDATA, M_NOWAIT | M_ZERO); 963 if (tc == NULL) { 964 DPRINTF(("%s: failed to allocate tdb_crypto\n", __func__)); 965 espstat_inc(esps_crypto); 966 error = ENOBUFS; 967 goto drop; 968 } 969 970 tc->tc_spi = tdb->tdb_spi; 971 tc->tc_proto = tdb->tdb_sproto; 972 tc->tc_rdomain = tdb->tdb_rdomain; 973 tc->tc_dst = tdb->tdb_dst; 974 975 /* Crypto operation descriptor. */ 976 crp->crp_ilen = m->m_pkthdr.len; /* Total input length. */ 977 crp->crp_flags = CRYPTO_F_IMBUF; 978 crp->crp_buf = (caddr_t)m; 979 crp->crp_callback = ipsec_output_cb; 980 crp->crp_opaque = (caddr_t)tc; 981 crp->crp_sid = tdb->tdb_cryptoid; 982 983 if (esph) { 984 /* Authentication descriptor. */ 985 crda->crd_skip = skip; 986 crda->crd_inject = m->m_pkthdr.len - alen; 987 988 /* Authentication operation. */ 989 crda->crd_alg = esph->type; 990 crda->crd_key = tdb->tdb_amxkey; 991 crda->crd_klen = tdb->tdb_amxkeylen * 8; 992 993 if ((tdb->tdb_wnd > 0) && (tdb->tdb_flags & TDBF_ESN)) { 994 u_int32_t esn; 995 996 esn = htonl((u_int32_t)(replay64 >> 32)); 997 memcpy(crda->crd_esn, &esn, 4); 998 crda->crd_flags |= CRD_F_ESN; 999 } 1000 1001 if (espx && 1002 (espx->type == CRYPTO_AES_GCM_16 || 1003 espx->type == CRYPTO_CHACHA20_POLY1305)) 1004 crda->crd_len = hlen - tdb->tdb_ivlen; 1005 else 1006 crda->crd_len = m->m_pkthdr.len - (skip + alen); 1007 } 1008 1009 return crypto_dispatch(crp); 1010 1011 drop: 1012 m_freem(m); 1013 crypto_freereq(crp); 1014 free(tc, M_XDATA, 0); 1015 return error; 1016 } 1017 1018 int 1019 esp_output_cb(struct tdb *tdb, struct tdb_crypto *tc, struct mbuf *m, int ilen, 1020 int olen) 1021 { 1022 /* Release crypto descriptors. */ 1023 free(tc, M_XDATA, 0); 1024 1025 /* Call the IPsec input callback. */ 1026 if (ipsp_process_done(m, tdb)) { 1027 espstat_inc(esps_outfail); 1028 return -1; 1029 } 1030 1031 return 0; 1032 } 1033 1034 #define SEEN_SIZE howmany(TDB_REPLAYMAX, 32) 1035 1036 /* 1037 * return 0 on success 1038 * return 1 for counter == 0 1039 * return 2 for very old packet 1040 * return 3 for packet within current window but already received 1041 */ 1042 int 1043 checkreplaywindow(struct tdb *tdb, u_int32_t seq, u_int32_t *seqh, int commit) 1044 { 1045 u_int32_t tl, th, wl; 1046 u_int32_t packet, window = TDB_REPLAYMAX - TDB_REPLAYWASTE; 1047 int idx, esn = tdb->tdb_flags & TDBF_ESN; 1048 1049 tl = (u_int32_t)tdb->tdb_rpl; 1050 th = (u_int32_t)(tdb->tdb_rpl >> 32); 1051 1052 /* Zero SN is not allowed */ 1053 if ((esn && seq == 0 && tl <= AH_HMAC_INITIAL_RPL && th == 0) || 1054 (!esn && seq == 0)) 1055 return (1); 1056 1057 if (th == 0 && tl < window) 1058 window = tl; 1059 /* Current replay window starts here */ 1060 wl = tl - window + 1; 1061 1062 idx = (seq % TDB_REPLAYMAX) / 32; 1063 packet = 1 << (31 - (seq & 31)); 1064 1065 /* 1066 * We keep the high part intact when: 1067 * 1) the SN is within [wl, 0xffffffff] and the whole window is 1068 * within one subspace; 1069 * 2) the SN is within [0, wl) and window spans two subspaces. 1070 */ 1071 if ((tl >= window - 1 && seq >= wl) || 1072 (tl < window - 1 && seq < wl)) { 1073 *seqh = th; 1074 if (seq > tl) { 1075 if (commit) { 1076 if (seq - tl > window) 1077 memset(tdb->tdb_seen, 0, 1078 sizeof(tdb->tdb_seen)); 1079 else { 1080 int i = (tl % TDB_REPLAYMAX) / 32; 1081 1082 while (i != idx) { 1083 i = (i + 1) % SEEN_SIZE; 1084 tdb->tdb_seen[i] = 0; 1085 } 1086 } 1087 tdb->tdb_seen[idx] |= packet; 1088 tdb->tdb_rpl = ((u_int64_t)*seqh << 32) | seq; 1089 } 1090 } else { 1091 if (tl - seq >= window) 1092 return (2); 1093 if (tdb->tdb_seen[idx] & packet) 1094 return (3); 1095 if (commit) 1096 tdb->tdb_seen[idx] |= packet; 1097 } 1098 return (0); 1099 } 1100 1101 /* Can't wrap if not doing ESN */ 1102 if (!esn) 1103 return (2); 1104 1105 /* 1106 * SN is within [wl, 0xffffffff] and wl is within 1107 * [0xffffffff-window, 0xffffffff]. This means we got a SN 1108 * which is within our replay window, but in the previous 1109 * subspace. 1110 */ 1111 if (tl < window - 1 && seq >= wl) { 1112 if (tdb->tdb_seen[idx] & packet) 1113 return (3); 1114 *seqh = th - 1; 1115 if (commit) 1116 tdb->tdb_seen[idx] |= packet; 1117 return (0); 1118 } 1119 1120 /* 1121 * SN has wrapped and the last authenticated SN is in the old 1122 * subspace. 1123 */ 1124 *seqh = th + 1; 1125 if (*seqh == 0) /* Don't let high bit to wrap */ 1126 return (1); 1127 if (commit) { 1128 if (seq - tl > window) 1129 memset(tdb->tdb_seen, 0, sizeof(tdb->tdb_seen)); 1130 else { 1131 int i = (tl % TDB_REPLAYMAX) / 32; 1132 1133 while (i != idx) { 1134 i = (i + 1) % SEEN_SIZE; 1135 tdb->tdb_seen[i] = 0; 1136 } 1137 } 1138 tdb->tdb_seen[idx] |= packet; 1139 tdb->tdb_rpl = ((u_int64_t)*seqh << 32) | seq; 1140 } 1141 1142 return (0); 1143 } 1144