1 /* $OpenBSD: ip_esp.c,v 1.141 2016/09/19 18:09:22 tedu Exp $ */ 2 /* 3 * The authors of this code are John Ioannidis (ji@tla.org), 4 * Angelos D. Keromytis (kermit@csd.uch.gr) and 5 * Niels Provos (provos@physnet.uni-hamburg.de). 6 * 7 * The original version of this code was written by John Ioannidis 8 * for BSD/OS in Athens, Greece, in November 1995. 9 * 10 * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996, 11 * by Angelos D. Keromytis. 12 * 13 * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis 14 * and Niels Provos. 15 * 16 * Additional features in 1999 by Angelos D. Keromytis. 17 * 18 * Copyright (C) 1995, 1996, 1997, 1998, 1999 by John Ioannidis, 19 * Angelos D. Keromytis and Niels Provos. 20 * Copyright (c) 2001 Angelos D. Keromytis. 21 * 22 * Permission to use, copy, and modify this software with or without fee 23 * is hereby granted, provided that this entire notice is included in 24 * all copies of any software which is or includes a copy or 25 * modification of this software. 26 * You may use this code under the GNU public license if you so wish. Please 27 * contribute changes back to the authors under this freer than GPL license 28 * so that we may further the use of strong encryption without limitations to 29 * all. 30 * 31 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR 32 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY 33 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE 34 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR 35 * PURPOSE. 36 */ 37 38 #include "pfsync.h" 39 40 #include <sys/param.h> 41 #include <sys/systm.h> 42 #include <sys/mbuf.h> 43 #include <sys/socket.h> 44 45 #include <net/if.h> 46 #include <net/if_var.h> 47 #include <net/bpf.h> 48 49 #include <netinet/in.h> 50 #include <netinet/ip.h> 51 #include <netinet/ip_var.h> 52 53 #ifdef INET6 54 #include <netinet/ip6.h> 55 #endif /* INET6 */ 56 57 #include <netinet/ip_ipsp.h> 58 #include <netinet/ip_esp.h> 59 #include <net/pfkeyv2.h> 60 #include <net/if_enc.h> 61 62 #if NPFSYNC > 0 63 #include <net/pfvar.h> 64 #include <net/if_pfsync.h> 65 #endif /* NPFSYNC > 0 */ 66 67 #include <crypto/cryptodev.h> 68 #include <crypto/xform.h> 69 70 #include "bpfilter.h" 71 72 int esp_output_cb(struct cryptop *); 73 int esp_input_cb(struct cryptop *); 74 75 #ifdef ENCDEBUG 76 #define DPRINTF(x) if (encdebug) printf x 77 #else 78 #define DPRINTF(x) 79 #endif 80 81 struct espstat espstat; 82 83 /* 84 * esp_attach() is called from the transformation initialization code. 85 */ 86 int 87 esp_attach(void) 88 { 89 return 0; 90 } 91 92 /* 93 * esp_init() is called when an SPI is being set up. 94 */ 95 int 96 esp_init(struct tdb *tdbp, struct xformsw *xsp, struct ipsecinit *ii) 97 { 98 struct enc_xform *txform = NULL; 99 struct auth_hash *thash = NULL; 100 struct cryptoini cria, crie, crin; 101 102 if (!ii->ii_encalg && !ii->ii_authalg) { 103 DPRINTF(("esp_init(): neither authentication nor encryption " 104 "algorithm given")); 105 return EINVAL; 106 } 107 108 if (ii->ii_encalg) { 109 switch (ii->ii_encalg) { 110 case SADB_EALG_NULL: 111 txform = &enc_xform_null; 112 break; 113 114 case SADB_EALG_3DESCBC: 115 txform = &enc_xform_3des; 116 break; 117 118 case SADB_X_EALG_AES: 119 txform = &enc_xform_rijndael128; 120 break; 121 122 case SADB_X_EALG_AESCTR: 123 txform = &enc_xform_aes_ctr; 124 break; 125 126 case SADB_X_EALG_AESGCM16: 127 txform = &enc_xform_aes_gcm; 128 break; 129 130 case SADB_X_EALG_AESGMAC: 131 txform = &enc_xform_aes_gmac; 132 break; 133 134 case SADB_X_EALG_CHACHA20POLY1305: 135 txform = &enc_xform_chacha20_poly1305; 136 break; 137 138 case SADB_X_EALG_BLF: 139 txform = &enc_xform_blf; 140 break; 141 142 case SADB_X_EALG_CAST: 143 txform = &enc_xform_cast5; 144 break; 145 146 default: 147 DPRINTF(("esp_init(): unsupported encryption " 148 "algorithm %d specified\n", ii->ii_encalg)); 149 return EINVAL; 150 } 151 152 if (ii->ii_enckeylen < txform->minkey) { 153 DPRINTF(("esp_init(): keylength %d too small " 154 "(min length is %d) for algorithm %s\n", 155 ii->ii_enckeylen, txform->minkey, txform->name)); 156 return EINVAL; 157 } 158 159 if (ii->ii_enckeylen > txform->maxkey) { 160 DPRINTF(("esp_init(): keylength %d too large " 161 "(max length is %d) for algorithm %s\n", 162 ii->ii_enckeylen, txform->maxkey, txform->name)); 163 return EINVAL; 164 } 165 166 if (ii->ii_encalg == SADB_X_EALG_AESGCM16 || 167 ii->ii_encalg == SADB_X_EALG_AESGMAC) { 168 switch (ii->ii_enckeylen) { 169 case 20: 170 ii->ii_authalg = SADB_X_AALG_AES128GMAC; 171 break; 172 case 28: 173 ii->ii_authalg = SADB_X_AALG_AES192GMAC; 174 break; 175 case 36: 176 ii->ii_authalg = SADB_X_AALG_AES256GMAC; 177 break; 178 } 179 ii->ii_authkeylen = ii->ii_enckeylen; 180 ii->ii_authkey = ii->ii_enckey; 181 } else if (ii->ii_encalg == SADB_X_EALG_CHACHA20POLY1305) { 182 ii->ii_authalg = SADB_X_AALG_CHACHA20POLY1305; 183 ii->ii_authkeylen = ii->ii_enckeylen; 184 ii->ii_authkey = ii->ii_enckey; 185 } 186 187 tdbp->tdb_encalgxform = txform; 188 189 DPRINTF(("esp_init(): initialized TDB with enc algorithm %s\n", 190 txform->name)); 191 192 tdbp->tdb_ivlen = txform->ivsize; 193 } 194 195 if (ii->ii_authalg) { 196 switch (ii->ii_authalg) { 197 case SADB_AALG_MD5HMAC: 198 thash = &auth_hash_hmac_md5_96; 199 break; 200 201 case SADB_AALG_SHA1HMAC: 202 thash = &auth_hash_hmac_sha1_96; 203 break; 204 205 case SADB_X_AALG_RIPEMD160HMAC: 206 thash = &auth_hash_hmac_ripemd_160_96; 207 break; 208 209 case SADB_X_AALG_SHA2_256: 210 thash = &auth_hash_hmac_sha2_256_128; 211 break; 212 213 case SADB_X_AALG_SHA2_384: 214 thash = &auth_hash_hmac_sha2_384_192; 215 break; 216 217 case SADB_X_AALG_SHA2_512: 218 thash = &auth_hash_hmac_sha2_512_256; 219 break; 220 221 case SADB_X_AALG_AES128GMAC: 222 thash = &auth_hash_gmac_aes_128; 223 break; 224 225 case SADB_X_AALG_AES192GMAC: 226 thash = &auth_hash_gmac_aes_192; 227 break; 228 229 case SADB_X_AALG_AES256GMAC: 230 thash = &auth_hash_gmac_aes_256; 231 break; 232 233 case SADB_X_AALG_CHACHA20POLY1305: 234 thash = &auth_hash_chacha20_poly1305; 235 break; 236 237 default: 238 DPRINTF(("esp_init(): unsupported authentication " 239 "algorithm %d specified\n", ii->ii_authalg)); 240 return EINVAL; 241 } 242 243 if (ii->ii_authkeylen != thash->keysize) { 244 DPRINTF(("esp_init(): keylength %d doesn't match " 245 "algorithm %s keysize (%d)\n", ii->ii_authkeylen, 246 thash->name, thash->keysize)); 247 return EINVAL; 248 } 249 250 tdbp->tdb_authalgxform = thash; 251 252 DPRINTF(("esp_init(): initialized TDB with hash algorithm %s\n", 253 thash->name)); 254 } 255 256 tdbp->tdb_xform = xsp; 257 tdbp->tdb_rpl = AH_HMAC_INITIAL_RPL; 258 259 /* Initialize crypto session */ 260 if (tdbp->tdb_encalgxform) { 261 /* Save the raw keys */ 262 tdbp->tdb_emxkeylen = ii->ii_enckeylen; 263 tdbp->tdb_emxkey = malloc(tdbp->tdb_emxkeylen, M_XDATA, 264 M_WAITOK); 265 memcpy(tdbp->tdb_emxkey, ii->ii_enckey, tdbp->tdb_emxkeylen); 266 267 memset(&crie, 0, sizeof(crie)); 268 269 crie.cri_alg = tdbp->tdb_encalgxform->type; 270 271 if (tdbp->tdb_authalgxform) 272 crie.cri_next = &cria; 273 else 274 crie.cri_next = NULL; 275 276 crie.cri_klen = ii->ii_enckeylen * 8; 277 crie.cri_key = ii->ii_enckey; 278 /* XXX Rounds ? */ 279 } 280 281 if (tdbp->tdb_authalgxform) { 282 /* Save the raw keys */ 283 tdbp->tdb_amxkeylen = ii->ii_authkeylen; 284 tdbp->tdb_amxkey = malloc(tdbp->tdb_amxkeylen, M_XDATA, 285 M_WAITOK); 286 memcpy(tdbp->tdb_amxkey, ii->ii_authkey, tdbp->tdb_amxkeylen); 287 288 memset(&cria, 0, sizeof(cria)); 289 290 cria.cri_alg = tdbp->tdb_authalgxform->type; 291 292 if ((tdbp->tdb_wnd > 0) && (tdbp->tdb_flags & TDBF_ESN)) { 293 memset(&crin, 0, sizeof(crin)); 294 crin.cri_alg = CRYPTO_ESN; 295 cria.cri_next = &crin; 296 } 297 298 cria.cri_klen = ii->ii_authkeylen * 8; 299 cria.cri_key = ii->ii_authkey; 300 } 301 302 return crypto_newsession(&tdbp->tdb_cryptoid, 303 (tdbp->tdb_encalgxform ? &crie : &cria), 0); 304 } 305 306 /* 307 * Paranoia. 308 */ 309 int 310 esp_zeroize(struct tdb *tdbp) 311 { 312 int err; 313 314 if (tdbp->tdb_amxkey) { 315 explicit_bzero(tdbp->tdb_amxkey, tdbp->tdb_amxkeylen); 316 free(tdbp->tdb_amxkey, M_XDATA, 0); 317 tdbp->tdb_amxkey = NULL; 318 } 319 320 if (tdbp->tdb_emxkey) { 321 explicit_bzero(tdbp->tdb_emxkey, tdbp->tdb_emxkeylen); 322 free(tdbp->tdb_emxkey, M_XDATA, 0); 323 tdbp->tdb_emxkey = NULL; 324 } 325 326 err = crypto_freesession(tdbp->tdb_cryptoid); 327 tdbp->tdb_cryptoid = 0; 328 return err; 329 } 330 331 #define MAXBUFSIZ (AH_ALEN_MAX > ESP_MAX_IVS ? AH_ALEN_MAX : ESP_MAX_IVS) 332 333 /* 334 * ESP input processing, called (eventually) through the protocol switch. 335 */ 336 int 337 esp_input(struct mbuf *m, struct tdb *tdb, int skip, int protoff) 338 { 339 struct auth_hash *esph = (struct auth_hash *) tdb->tdb_authalgxform; 340 struct enc_xform *espx = (struct enc_xform *) tdb->tdb_encalgxform; 341 struct cryptodesc *crde = NULL, *crda = NULL; 342 struct cryptop *crp; 343 struct tdb_crypto *tc; 344 int plen, alen, hlen; 345 u_int32_t btsx, esn; 346 #ifdef ENCDEBUG 347 char buf[INET6_ADDRSTRLEN]; 348 #endif 349 350 /* Determine the ESP header length */ 351 hlen = 2 * sizeof(u_int32_t) + tdb->tdb_ivlen; /* "new" ESP */ 352 alen = esph ? esph->authsize : 0; 353 plen = m->m_pkthdr.len - (skip + hlen + alen); 354 if (plen <= 0) { 355 DPRINTF(("esp_input: invalid payload length\n")); 356 espstat.esps_badilen++; 357 m_freem(m); 358 return EINVAL; 359 } 360 361 if (espx) { 362 /* 363 * Verify payload length is multiple of encryption algorithm 364 * block size. 365 */ 366 if (plen & (espx->blocksize - 1)) { 367 DPRINTF(("esp_input(): payload of %d octets " 368 "not a multiple of %d octets, SA %s/%08x\n", 369 plen, espx->blocksize, ipsp_address(&tdb->tdb_dst, 370 buf, sizeof(buf)), ntohl(tdb->tdb_spi))); 371 espstat.esps_badilen++; 372 m_freem(m); 373 return EINVAL; 374 } 375 } 376 377 /* Replay window checking, if appropriate -- no value commitment. */ 378 if (tdb->tdb_wnd > 0) { 379 m_copydata(m, skip + sizeof(u_int32_t), sizeof(u_int32_t), 380 (unsigned char *) &btsx); 381 btsx = ntohl(btsx); 382 383 switch (checkreplaywindow(tdb, btsx, &esn, 0)) { 384 case 0: /* All's well */ 385 break; 386 case 1: 387 m_freem(m); 388 DPRINTF(("esp_input(): replay counter wrapped" 389 " for SA %s/%08x\n", 390 ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)), 391 ntohl(tdb->tdb_spi))); 392 espstat.esps_wrap++; 393 return EACCES; 394 case 2: 395 m_freem(m); 396 DPRINTF(("esp_input(): old packet received" 397 " in SA %s/%08x\n", 398 ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)), 399 ntohl(tdb->tdb_spi))); 400 espstat.esps_replay++; 401 return EACCES; 402 case 3: 403 m_freem(m); 404 DPRINTF(("esp_input(): duplicate packet received" 405 " in SA %s/%08x\n", 406 ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)), 407 ntohl(tdb->tdb_spi))); 408 espstat.esps_replay++; 409 return EACCES; 410 default: 411 m_freem(m); 412 DPRINTF(("esp_input(): bogus value from" 413 " checkreplaywindow() in SA %s/%08x\n", 414 ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)), 415 ntohl(tdb->tdb_spi))); 416 espstat.esps_replay++; 417 return EACCES; 418 } 419 } 420 421 /* Update the counters */ 422 tdb->tdb_cur_bytes += m->m_pkthdr.len - skip - hlen - alen; 423 espstat.esps_ibytes += m->m_pkthdr.len - skip - hlen - alen; 424 425 /* Hard expiration */ 426 if ((tdb->tdb_flags & TDBF_BYTES) && 427 (tdb->tdb_cur_bytes >= tdb->tdb_exp_bytes)) { 428 pfkeyv2_expire(tdb, SADB_EXT_LIFETIME_HARD); 429 tdb_delete(tdb); 430 m_freem(m); 431 return ENXIO; 432 } 433 434 /* Notify on soft expiration */ 435 if ((tdb->tdb_flags & TDBF_SOFT_BYTES) && 436 (tdb->tdb_cur_bytes >= tdb->tdb_soft_bytes)) { 437 pfkeyv2_expire(tdb, SADB_EXT_LIFETIME_SOFT); 438 tdb->tdb_flags &= ~TDBF_SOFT_BYTES; /* Turn off checking */ 439 } 440 441 /* Get crypto descriptors */ 442 crp = crypto_getreq(esph && espx ? 2 : 1); 443 if (crp == NULL) { 444 m_freem(m); 445 DPRINTF(("esp_input(): failed to acquire crypto descriptors\n")); 446 espstat.esps_crypto++; 447 return ENOBUFS; 448 } 449 450 /* Get IPsec-specific opaque pointer */ 451 if (esph == NULL) 452 tc = malloc(sizeof(*tc), M_XDATA, M_NOWAIT | M_ZERO); 453 else 454 tc = malloc(sizeof(*tc) + alen, M_XDATA, M_NOWAIT | M_ZERO); 455 if (tc == NULL) { 456 m_freem(m); 457 crypto_freereq(crp); 458 DPRINTF(("esp_input(): failed to allocate tdb_crypto\n")); 459 espstat.esps_crypto++; 460 return ENOBUFS; 461 } 462 463 if (esph) { 464 crda = crp->crp_desc; 465 crde = crda->crd_next; 466 467 /* Authentication descriptor */ 468 crda->crd_skip = skip; 469 crda->crd_inject = m->m_pkthdr.len - alen; 470 471 crda->crd_alg = esph->type; 472 crda->crd_key = tdb->tdb_amxkey; 473 crda->crd_klen = tdb->tdb_amxkeylen * 8; 474 475 if ((tdb->tdb_wnd > 0) && (tdb->tdb_flags & TDBF_ESN)) { 476 esn = htonl(esn); 477 memcpy(crda->crd_esn, &esn, 4); 478 crda->crd_flags |= CRD_F_ESN; 479 } 480 481 if (espx && 482 (espx->type == CRYPTO_AES_GCM_16 || 483 espx->type == CRYPTO_CHACHA20_POLY1305)) 484 crda->crd_len = hlen - tdb->tdb_ivlen; 485 else 486 crda->crd_len = m->m_pkthdr.len - (skip + alen); 487 488 /* Copy the authenticator */ 489 m_copydata(m, m->m_pkthdr.len - alen, alen, (caddr_t)(tc + 1)); 490 } else 491 crde = crp->crp_desc; 492 493 /* Crypto operation descriptor */ 494 crp->crp_ilen = m->m_pkthdr.len; /* Total input length */ 495 crp->crp_flags = CRYPTO_F_IMBUF; 496 crp->crp_buf = (caddr_t)m; 497 crp->crp_callback = esp_input_cb; 498 crp->crp_sid = tdb->tdb_cryptoid; 499 crp->crp_opaque = (caddr_t)tc; 500 501 /* These are passed as-is to the callback */ 502 tc->tc_skip = skip; 503 tc->tc_protoff = protoff; 504 tc->tc_spi = tdb->tdb_spi; 505 tc->tc_proto = tdb->tdb_sproto; 506 tc->tc_rdomain = tdb->tdb_rdomain; 507 memcpy(&tc->tc_dst, &tdb->tdb_dst, sizeof(union sockaddr_union)); 508 509 /* Decryption descriptor */ 510 if (espx) { 511 crde->crd_skip = skip + hlen; 512 crde->crd_inject = skip + hlen - tdb->tdb_ivlen; 513 crde->crd_alg = espx->type; 514 crde->crd_key = tdb->tdb_emxkey; 515 crde->crd_klen = tdb->tdb_emxkeylen * 8; 516 /* XXX Rounds ? */ 517 518 if (crde->crd_alg == CRYPTO_AES_GMAC) 519 crde->crd_len = 0; 520 else 521 crde->crd_len = m->m_pkthdr.len - (skip + hlen + alen); 522 } 523 524 return crypto_dispatch(crp); 525 } 526 527 /* 528 * ESP input callback, called directly by the crypto driver. 529 */ 530 int 531 esp_input_cb(struct cryptop *crp) 532 { 533 u_int8_t lastthree[3], aalg[AH_HMAC_MAX_HASHLEN]; 534 int s, hlen, roff, skip, protoff, error; 535 struct mbuf *m1, *mo, *m; 536 struct auth_hash *esph; 537 struct tdb_crypto *tc; 538 struct tdb *tdb; 539 u_int32_t btsx, esn; 540 caddr_t ptr; 541 #ifdef ENCDEBUG 542 char buf[INET6_ADDRSTRLEN]; 543 #endif 544 545 tc = (struct tdb_crypto *) crp->crp_opaque; 546 skip = tc->tc_skip; 547 protoff = tc->tc_protoff; 548 549 m = (struct mbuf *) crp->crp_buf; 550 if (m == NULL) { 551 /* Shouldn't happen... */ 552 free(tc, M_XDATA, 0); 553 crypto_freereq(crp); 554 espstat.esps_crypto++; 555 DPRINTF(("esp_input_cb(): bogus returned buffer from crypto\n")); 556 return (EINVAL); 557 } 558 559 s = splsoftnet(); 560 561 tdb = gettdb(tc->tc_rdomain, tc->tc_spi, &tc->tc_dst, tc->tc_proto); 562 if (tdb == NULL) { 563 free(tc, M_XDATA, 0); 564 espstat.esps_notdb++; 565 DPRINTF(("esp_input_cb(): TDB is expired while in crypto")); 566 error = EPERM; 567 goto baddone; 568 } 569 570 esph = (struct auth_hash *) tdb->tdb_authalgxform; 571 572 /* Check for crypto errors */ 573 if (crp->crp_etype) { 574 if (crp->crp_etype == EAGAIN) { 575 /* Reset the session ID */ 576 if (tdb->tdb_cryptoid != 0) 577 tdb->tdb_cryptoid = crp->crp_sid; 578 splx(s); 579 return crypto_dispatch(crp); 580 } 581 free(tc, M_XDATA, 0); 582 espstat.esps_noxform++; 583 DPRINTF(("esp_input_cb(): crypto error %d\n", crp->crp_etype)); 584 error = crp->crp_etype; 585 goto baddone; 586 } 587 588 /* If authentication was performed, check now. */ 589 if (esph != NULL) { 590 /* Copy the authenticator from the packet */ 591 m_copydata(m, m->m_pkthdr.len - esph->authsize, 592 esph->authsize, aalg); 593 594 ptr = (caddr_t) (tc + 1); 595 596 /* Verify authenticator */ 597 if (timingsafe_bcmp(ptr, aalg, esph->authsize)) { 598 free(tc, M_XDATA, 0); 599 DPRINTF(("esp_input_cb(): authentication " 600 "failed for packet in SA %s/%08x\n", 601 ipsp_address(&tdb->tdb_dst, buf, 602 sizeof(buf)), ntohl(tdb->tdb_spi))); 603 espstat.esps_badauth++; 604 error = EACCES; 605 goto baddone; 606 } 607 608 /* Remove trailing authenticator */ 609 m_adj(m, -(esph->authsize)); 610 } 611 free(tc, M_XDATA, 0); 612 613 /* Replay window checking, if appropriate */ 614 if (tdb->tdb_wnd > 0) { 615 m_copydata(m, skip + sizeof(u_int32_t), sizeof(u_int32_t), 616 (unsigned char *) &btsx); 617 btsx = ntohl(btsx); 618 619 switch (checkreplaywindow(tdb, btsx, &esn, 1)) { 620 case 0: /* All's well */ 621 #if NPFSYNC > 0 622 pfsync_update_tdb(tdb,0); 623 #endif 624 break; 625 626 case 1: 627 DPRINTF(("esp_input_cb(): replay counter wrapped" 628 " for SA %s/%08x\n", 629 ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)), 630 ntohl(tdb->tdb_spi))); 631 espstat.esps_wrap++; 632 error = EACCES; 633 goto baddone; 634 case 2: 635 DPRINTF(("esp_input_cb(): old packet received" 636 " in SA %s/%08x\n", 637 ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)), 638 ntohl(tdb->tdb_spi))); 639 espstat.esps_replay++; 640 error = EACCES; 641 goto baddone; 642 case 3: 643 DPRINTF(("esp_input_cb(): duplicate packet received" 644 " in SA %s/%08x\n", 645 ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)), 646 ntohl(tdb->tdb_spi))); 647 espstat.esps_replay++; 648 error = EACCES; 649 goto baddone; 650 default: 651 DPRINTF(("esp_input_cb(): bogus value from" 652 " checkreplaywindow() in SA %s/%08x\n", 653 ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)), 654 ntohl(tdb->tdb_spi))); 655 espstat.esps_replay++; 656 error = EACCES; 657 goto baddone; 658 } 659 } 660 661 /* Release the crypto descriptors */ 662 crypto_freereq(crp); 663 664 /* Determine the ESP header length */ 665 hlen = 2 * sizeof(u_int32_t) + tdb->tdb_ivlen; 666 667 /* Find beginning of ESP header */ 668 m1 = m_getptr(m, skip, &roff); 669 if (m1 == NULL) { 670 espstat.esps_hdrops++; 671 splx(s); 672 DPRINTF(("esp_input_cb(): bad mbuf chain, SA %s/%08x\n", 673 ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)), 674 ntohl(tdb->tdb_spi))); 675 m_freem(m); 676 return EINVAL; 677 } 678 679 /* Remove the ESP header and IV from the mbuf. */ 680 if (roff == 0) { 681 /* The ESP header was conveniently at the beginning of the mbuf */ 682 m_adj(m1, hlen); 683 if (!(m1->m_flags & M_PKTHDR)) 684 m->m_pkthdr.len -= hlen; 685 } else if (roff + hlen >= m1->m_len) { 686 /* 687 * Part or all of the ESP header is at the end of this mbuf, so 688 * first let's remove the remainder of the ESP header from the 689 * beginning of the remainder of the mbuf chain, if any. 690 */ 691 if (roff + hlen > m1->m_len) { 692 /* Adjust the next mbuf by the remainder */ 693 m_adj(m1->m_next, roff + hlen - m1->m_len); 694 695 /* The second mbuf is guaranteed not to have a pkthdr */ 696 m->m_pkthdr.len -= (roff + hlen - m1->m_len); 697 } 698 699 /* Now, let's unlink the mbuf chain for a second...*/ 700 mo = m1->m_next; 701 m1->m_next = NULL; 702 703 /* ...and trim the end of the first part of the chain...sick */ 704 m_adj(m1, -(m1->m_len - roff)); 705 if (!(m1->m_flags & M_PKTHDR)) 706 m->m_pkthdr.len -= (m1->m_len - roff); 707 708 /* Finally, let's relink */ 709 m1->m_next = mo; 710 } else { 711 /* 712 * The ESP header lies in the "middle" of the mbuf...do an 713 * overlapping copy of the remainder of the mbuf over the ESP 714 * header. 715 */ 716 bcopy(mtod(m1, u_char *) + roff + hlen, 717 mtod(m1, u_char *) + roff, m1->m_len - (roff + hlen)); 718 m1->m_len -= hlen; 719 m->m_pkthdr.len -= hlen; 720 } 721 722 /* Save the last three bytes of decrypted data */ 723 m_copydata(m, m->m_pkthdr.len - 3, 3, lastthree); 724 725 /* Verify pad length */ 726 if (lastthree[1] + 2 > m->m_pkthdr.len - skip) { 727 espstat.esps_badilen++; 728 splx(s); 729 DPRINTF(("esp_input_cb(): invalid padding length %d for " 730 "packet in SA %s/%08x\n", lastthree[1], 731 ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)), 732 ntohl(tdb->tdb_spi))); 733 m_freem(m); 734 return EINVAL; 735 } 736 737 /* Verify correct decryption by checking the last padding bytes */ 738 if ((lastthree[1] != lastthree[0]) && (lastthree[1] != 0)) { 739 espstat.esps_badenc++; 740 splx(s); 741 DPRINTF(("esp_input(): decryption failed for packet in " 742 "SA %s/%08x\n", ipsp_address(&tdb->tdb_dst, buf, 743 sizeof(buf)), ntohl(tdb->tdb_spi))); 744 m_freem(m); 745 return EINVAL; 746 } 747 748 /* Trim the mbuf chain to remove the trailing authenticator and padding */ 749 m_adj(m, -(lastthree[1] + 2)); 750 751 /* Restore the Next Protocol field */ 752 m_copyback(m, protoff, sizeof(u_int8_t), lastthree + 2, M_NOWAIT); 753 754 /* Back to generic IPsec input processing */ 755 error = ipsec_common_input_cb(m, tdb, skip, protoff); 756 splx(s); 757 return (error); 758 759 baddone: 760 splx(s); 761 762 m_freem(m); 763 764 crypto_freereq(crp); 765 766 return (error); 767 } 768 769 /* 770 * ESP output routine, called by ipsp_process_packet(). 771 */ 772 int 773 esp_output(struct mbuf *m, struct tdb *tdb, struct mbuf **mp, int skip, 774 int protoff) 775 { 776 struct enc_xform *espx = (struct enc_xform *) tdb->tdb_encalgxform; 777 struct auth_hash *esph = (struct auth_hash *) tdb->tdb_authalgxform; 778 int ilen, hlen, rlen, padding, blks, alen, roff; 779 u_int32_t replay; 780 struct mbuf *mi, *mo = (struct mbuf *) NULL; 781 struct tdb_crypto *tc; 782 unsigned char *pad; 783 u_int8_t prot; 784 #ifdef ENCDEBUG 785 char buf[INET6_ADDRSTRLEN]; 786 #endif 787 struct cryptodesc *crde = NULL, *crda = NULL; 788 struct cryptop *crp; 789 #if NBPFILTER > 0 790 struct ifnet *encif; 791 792 if ((encif = enc_getif(tdb->tdb_rdomain, tdb->tdb_tap)) != NULL) { 793 encif->if_opackets++; 794 encif->if_obytes += m->m_pkthdr.len; 795 796 if (encif->if_bpf) { 797 struct enchdr hdr; 798 799 memset(&hdr, 0, sizeof(hdr)); 800 801 hdr.af = tdb->tdb_dst.sa.sa_family; 802 hdr.spi = tdb->tdb_spi; 803 if (espx) 804 hdr.flags |= M_CONF; 805 if (esph) 806 hdr.flags |= M_AUTH; 807 808 bpf_mtap_hdr(encif->if_bpf, (char *)&hdr, 809 ENC_HDRLEN, m, BPF_DIRECTION_OUT, NULL); 810 } 811 } 812 #endif 813 814 hlen = 2 * sizeof(u_int32_t) + tdb->tdb_ivlen; 815 816 rlen = m->m_pkthdr.len - skip; /* Raw payload length. */ 817 if (espx) 818 blks = MAX(espx->blocksize, 4); 819 else 820 blks = 4; /* If no encryption, we have to be 4-byte aligned. */ 821 822 padding = ((blks - ((rlen + 2) % blks)) % blks) + 2; 823 824 alen = esph ? esph->authsize : 0; 825 espstat.esps_output++; 826 827 switch (tdb->tdb_dst.sa.sa_family) { 828 case AF_INET: 829 /* Check for IP maximum packet size violations. */ 830 if (skip + hlen + rlen + padding + alen > IP_MAXPACKET) { 831 DPRINTF(("esp_output(): packet in SA %s/%08x got " 832 "too big\n", ipsp_address(&tdb->tdb_dst, buf, 833 sizeof(buf)), 834 ntohl(tdb->tdb_spi))); 835 m_freem(m); 836 espstat.esps_toobig++; 837 return EMSGSIZE; 838 } 839 break; 840 841 #ifdef INET6 842 case AF_INET6: 843 /* Check for IPv6 maximum packet size violations. */ 844 if (skip + hlen + rlen + padding + alen > IPV6_MAXPACKET) { 845 DPRINTF(("esp_output(): packet in SA %s/%08x got too " 846 "big\n", ipsp_address(&tdb->tdb_dst, buf, 847 sizeof(buf)), ntohl(tdb->tdb_spi))); 848 m_freem(m); 849 espstat.esps_toobig++; 850 return EMSGSIZE; 851 } 852 break; 853 #endif /* INET6 */ 854 855 default: 856 DPRINTF(("esp_output(): unknown/unsupported protocol " 857 "family %d, SA %s/%08x\n", tdb->tdb_dst.sa.sa_family, 858 ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)), 859 ntohl(tdb->tdb_spi))); 860 m_freem(m); 861 espstat.esps_nopf++; 862 return EPFNOSUPPORT; 863 } 864 865 /* Update the counters. */ 866 tdb->tdb_cur_bytes += m->m_pkthdr.len - skip; 867 espstat.esps_obytes += m->m_pkthdr.len - skip; 868 869 /* Hard byte expiration. */ 870 if (tdb->tdb_flags & TDBF_BYTES && 871 tdb->tdb_cur_bytes >= tdb->tdb_exp_bytes) { 872 pfkeyv2_expire(tdb, SADB_EXT_LIFETIME_HARD); 873 tdb_delete(tdb); 874 m_freem(m); 875 return EINVAL; 876 } 877 878 /* Soft byte expiration. */ 879 if (tdb->tdb_flags & TDBF_SOFT_BYTES && 880 tdb->tdb_cur_bytes >= tdb->tdb_soft_bytes) { 881 pfkeyv2_expire(tdb, SADB_EXT_LIFETIME_SOFT); 882 tdb->tdb_flags &= ~TDBF_SOFT_BYTES; /* Turn off checking. */ 883 } 884 885 /* 886 * Loop through mbuf chain; if we find a readonly mbuf, 887 * copy the packet. 888 */ 889 mi = m; 890 while (mi != NULL && !M_READONLY(mi)) 891 mi = mi->m_next; 892 893 if (mi != NULL) { 894 struct mbuf *n = m_dup_pkt(m, 0, M_DONTWAIT); 895 896 if (n == NULL) { 897 DPRINTF(("esp_output(): bad mbuf chain, SA %s/%08x\n", 898 ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)), 899 ntohl(tdb->tdb_spi))); 900 espstat.esps_hdrops++; 901 m_freem(m); 902 return ENOBUFS; 903 } 904 905 m_freem(m); 906 m = n; 907 } 908 909 /* Inject ESP header. */ 910 mo = m_makespace(m, skip, hlen, &roff); 911 if (mo == NULL) { 912 DPRINTF(("esp_output(): failed to inject ESP header for " 913 "SA %s/%08x\n", ipsp_address(&tdb->tdb_dst, buf, 914 sizeof(buf)), ntohl(tdb->tdb_spi))); 915 m_freem(m); 916 espstat.esps_hdrops++; 917 return ENOBUFS; 918 } 919 920 /* Initialize ESP header. */ 921 bcopy((caddr_t) &tdb->tdb_spi, mtod(mo, caddr_t) + roff, 922 sizeof(u_int32_t)); 923 tdb->tdb_rpl++; 924 replay = htonl((u_int32_t)tdb->tdb_rpl); 925 memcpy(mtod(mo, caddr_t) + roff + sizeof(u_int32_t), (caddr_t) &replay, 926 sizeof(u_int32_t)); 927 928 #if NPFSYNC > 0 929 pfsync_update_tdb(tdb,1); 930 #endif 931 932 /* 933 * Add padding -- better to do it ourselves than use the crypto engine, 934 * although if/when we support compression, we'd have to do that. 935 */ 936 mo = m_makespace(m, m->m_pkthdr.len, padding + alen, &roff); 937 if (mo == NULL) { 938 DPRINTF(("esp_output(): m_makespace() failed for SA %s/%08x\n", 939 ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)), 940 ntohl(tdb->tdb_spi))); 941 m_freem(m); 942 return ENOBUFS; 943 } 944 pad = mtod(mo, caddr_t) + roff; 945 946 /* Apply self-describing padding */ 947 for (ilen = 0; ilen < padding - 2; ilen++) 948 pad[ilen] = ilen + 1; 949 950 /* Fix padding length and Next Protocol in padding itself. */ 951 pad[padding - 2] = padding - 2; 952 m_copydata(m, protoff, sizeof(u_int8_t), pad + padding - 1); 953 954 /* Fix Next Protocol in IPv4/IPv6 header. */ 955 prot = IPPROTO_ESP; 956 m_copyback(m, protoff, sizeof(u_int8_t), &prot, M_NOWAIT); 957 958 /* Get crypto descriptors. */ 959 crp = crypto_getreq(esph && espx ? 2 : 1); 960 if (crp == NULL) { 961 m_freem(m); 962 DPRINTF(("esp_output(): failed to acquire crypto " 963 "descriptors\n")); 964 espstat.esps_crypto++; 965 return ENOBUFS; 966 } 967 968 if (espx) { 969 crde = crp->crp_desc; 970 crda = crde->crd_next; 971 972 /* Encryption descriptor. */ 973 crde->crd_skip = skip + hlen; 974 crde->crd_flags = CRD_F_ENCRYPT; 975 crde->crd_inject = skip + hlen - tdb->tdb_ivlen; 976 977 /* Encryption operation. */ 978 crde->crd_alg = espx->type; 979 crde->crd_key = tdb->tdb_emxkey; 980 crde->crd_klen = tdb->tdb_emxkeylen * 8; 981 /* XXX Rounds ? */ 982 983 if (crde->crd_alg == CRYPTO_AES_GMAC) 984 crde->crd_len = 0; 985 else 986 crde->crd_len = m->m_pkthdr.len - (skip + hlen + alen); 987 } else 988 crda = crp->crp_desc; 989 990 /* IPsec-specific opaque crypto info. */ 991 tc = malloc(sizeof(*tc), M_XDATA, M_NOWAIT | M_ZERO); 992 if (tc == NULL) { 993 m_freem(m); 994 crypto_freereq(crp); 995 DPRINTF(("esp_output(): failed to allocate tdb_crypto\n")); 996 espstat.esps_crypto++; 997 return ENOBUFS; 998 } 999 1000 tc->tc_spi = tdb->tdb_spi; 1001 tc->tc_proto = tdb->tdb_sproto; 1002 tc->tc_rdomain = tdb->tdb_rdomain; 1003 memcpy(&tc->tc_dst, &tdb->tdb_dst, sizeof(union sockaddr_union)); 1004 1005 /* Crypto operation descriptor. */ 1006 crp->crp_ilen = m->m_pkthdr.len; /* Total input length. */ 1007 crp->crp_flags = CRYPTO_F_IMBUF; 1008 crp->crp_buf = (caddr_t)m; 1009 crp->crp_callback = esp_output_cb; 1010 crp->crp_opaque = (caddr_t)tc; 1011 crp->crp_sid = tdb->tdb_cryptoid; 1012 1013 if (esph) { 1014 /* Authentication descriptor. */ 1015 crda->crd_skip = skip; 1016 crda->crd_inject = m->m_pkthdr.len - alen; 1017 1018 /* Authentication operation. */ 1019 crda->crd_alg = esph->type; 1020 crda->crd_key = tdb->tdb_amxkey; 1021 crda->crd_klen = tdb->tdb_amxkeylen * 8; 1022 1023 if ((tdb->tdb_wnd > 0) && (tdb->tdb_flags & TDBF_ESN)) { 1024 u_int32_t esn; 1025 1026 esn = htonl((u_int32_t)(tdb->tdb_rpl >> 32)); 1027 memcpy(crda->crd_esn, &esn, 4); 1028 crda->crd_flags |= CRD_F_ESN; 1029 } 1030 1031 if (espx && 1032 (espx->type == CRYPTO_AES_GCM_16 || 1033 espx->type == CRYPTO_CHACHA20_POLY1305)) 1034 crda->crd_len = hlen - tdb->tdb_ivlen; 1035 else 1036 crda->crd_len = m->m_pkthdr.len - (skip + alen); 1037 } 1038 1039 return crypto_dispatch(crp); 1040 } 1041 1042 /* 1043 * ESP output callback, called directly by the crypto driver. 1044 */ 1045 int 1046 esp_output_cb(struct cryptop *crp) 1047 { 1048 struct tdb_crypto *tc; 1049 struct tdb *tdb; 1050 struct mbuf *m; 1051 int error, s; 1052 1053 tc = (struct tdb_crypto *) crp->crp_opaque; 1054 1055 m = (struct mbuf *) crp->crp_buf; 1056 if (m == NULL) { 1057 /* Shouldn't happen... */ 1058 free(tc, M_XDATA, 0); 1059 crypto_freereq(crp); 1060 espstat.esps_crypto++; 1061 DPRINTF(("esp_output_cb(): bogus returned buffer from " 1062 "crypto\n")); 1063 return (EINVAL); 1064 } 1065 1066 1067 s = splsoftnet(); 1068 1069 tdb = gettdb(tc->tc_rdomain, tc->tc_spi, &tc->tc_dst, tc->tc_proto); 1070 if (tdb == NULL) { 1071 free(tc, M_XDATA, 0); 1072 espstat.esps_notdb++; 1073 DPRINTF(("esp_output_cb(): TDB is expired while in crypto\n")); 1074 error = EPERM; 1075 goto baddone; 1076 } 1077 1078 /* Check for crypto errors. */ 1079 if (crp->crp_etype) { 1080 if (crp->crp_etype == EAGAIN) { 1081 /* Reset the session ID */ 1082 if (tdb->tdb_cryptoid != 0) 1083 tdb->tdb_cryptoid = crp->crp_sid; 1084 splx(s); 1085 return crypto_dispatch(crp); 1086 } 1087 free(tc, M_XDATA, 0); 1088 espstat.esps_noxform++; 1089 DPRINTF(("esp_output_cb(): crypto error %d\n", 1090 crp->crp_etype)); 1091 error = crp->crp_etype; 1092 goto baddone; 1093 } 1094 free(tc, M_XDATA, 0); 1095 1096 /* Release crypto descriptors. */ 1097 crypto_freereq(crp); 1098 1099 /* Call the IPsec input callback. */ 1100 error = ipsp_process_done(m, tdb); 1101 splx(s); 1102 return error; 1103 1104 baddone: 1105 splx(s); 1106 1107 m_freem(m); 1108 1109 crypto_freereq(crp); 1110 1111 return error; 1112 } 1113 1114 #define SEEN_SIZE howmany(TDB_REPLAYMAX, 32) 1115 1116 /* 1117 * return 0 on success 1118 * return 1 for counter == 0 1119 * return 2 for very old packet 1120 * return 3 for packet within current window but already received 1121 */ 1122 int 1123 checkreplaywindow(struct tdb *tdb, u_int32_t seq, u_int32_t *seqh, int commit) 1124 { 1125 u_int32_t tl, th, wl; 1126 u_int32_t packet, window = TDB_REPLAYMAX - TDB_REPLAYWASTE; 1127 int idx, esn = tdb->tdb_flags & TDBF_ESN; 1128 1129 tl = (u_int32_t)tdb->tdb_rpl; 1130 th = (u_int32_t)(tdb->tdb_rpl >> 32); 1131 1132 /* Zero SN is not allowed */ 1133 if ((esn && seq == 0 && tl <= AH_HMAC_INITIAL_RPL && th == 0) || 1134 (!esn && seq == 0)) 1135 return (1); 1136 1137 if (th == 0 && tl < window) 1138 window = tl; 1139 /* Current replay window starts here */ 1140 wl = tl - window + 1; 1141 1142 idx = (seq % TDB_REPLAYMAX) / 32; 1143 packet = 1 << (31 - (seq & 31)); 1144 1145 /* 1146 * We keep the high part intact when: 1147 * 1) the SN is within [wl, 0xffffffff] and the whole window is 1148 * within one subspace; 1149 * 2) the SN is within [0, wl) and window spans two subspaces. 1150 */ 1151 if ((tl >= window - 1 && seq >= wl) || 1152 (tl < window - 1 && seq < wl)) { 1153 *seqh = th; 1154 if (seq > tl) { 1155 if (commit) { 1156 if (seq - tl > window) 1157 memset(tdb->tdb_seen, 0, 1158 sizeof(tdb->tdb_seen)); 1159 else { 1160 int i = (tl % TDB_REPLAYMAX) / 32; 1161 1162 while (i != idx) { 1163 i = (i + 1) % SEEN_SIZE; 1164 tdb->tdb_seen[i] = 0; 1165 } 1166 } 1167 tdb->tdb_seen[idx] |= packet; 1168 tdb->tdb_rpl = ((u_int64_t)*seqh << 32) | seq; 1169 } 1170 } else { 1171 if (tl - seq >= window) 1172 return (2); 1173 if (tdb->tdb_seen[idx] & packet) 1174 return (3); 1175 if (commit) 1176 tdb->tdb_seen[idx] |= packet; 1177 } 1178 return (0); 1179 } 1180 1181 /* Can't wrap if not doing ESN */ 1182 if (!esn) 1183 return (2); 1184 1185 /* 1186 * SN is within [wl, 0xffffffff] and wl is within 1187 * [0xffffffff-window, 0xffffffff]. This means we got a SN 1188 * which is within our replay window, but in the previous 1189 * subspace. 1190 */ 1191 if (tl < window - 1 && seq >= wl) { 1192 if (tdb->tdb_seen[idx] & packet) 1193 return (3); 1194 *seqh = th - 1; 1195 if (commit) 1196 tdb->tdb_seen[idx] |= packet; 1197 return (0); 1198 } 1199 1200 /* 1201 * SN has wrapped and the last authenticated SN is in the old 1202 * subspace. 1203 */ 1204 *seqh = th + 1; 1205 if (*seqh == 0) /* Don't let high bit to wrap */ 1206 return (1); 1207 if (commit) { 1208 if (seq - tl > window) 1209 memset(tdb->tdb_seen, 0, sizeof(tdb->tdb_seen)); 1210 else { 1211 int i = (tl % TDB_REPLAYMAX) / 32; 1212 1213 while (i != idx) { 1214 i = (i + 1) % SEEN_SIZE; 1215 tdb->tdb_seen[i] = 0; 1216 } 1217 } 1218 tdb->tdb_seen[idx] |= packet; 1219 tdb->tdb_rpl = ((u_int64_t)*seqh << 32) | seq; 1220 } 1221 1222 return (0); 1223 } 1224