search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
usched: Allow process to change self cpu affinity
[dragonfly.git] / sys / netinet6 / ah_output.c
blobf7b4cd00b1641ab44fcdee330e20c487c6fa905b
1 /* $FreeBSD: src/sys/netinet6/ah_output.c,v 1.1.2.5 2003/05/06 06:46:58 suz Exp $ */
2 /* $KAME: ah_output.c,v 1.31 2001/07/26 06:53:15 jinmei Exp $ */
3
4 /*
5 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
6 * All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 * 3. Neither the name of the project nor the names of its contributors
17 * may be used to endorse or promote products derived from this software
18 * without specific prior written permission.
19 *
20 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
21 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
24 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
30 * SUCH DAMAGE.
31 */
32
33 /*
34 * RFC1826/2402 authentication header.
35 */
36
37 #include "opt_inet.h"
38 #include "opt_inet6.h"
39
40 #include <sys/param.h>
41 #include <sys/systm.h>
42 #include <sys/mbuf.h>
43 #include <sys/domain.h>
44 #include <sys/protosw.h>
45 #include <sys/socket.h>
46 #include <sys/socketvar.h>
47 #include <sys/errno.h>
48 #include <sys/time.h>
49 #include <sys/syslog.h>
50
51 #include <net/if.h>
52 #include <net/route.h>
53
54 #include <netinet/in.h>
55
56 #include <netinet/in_systm.h>
57 #include <netinet/ip.h>
58 #include <netinet/in_var.h>
59
60 #ifdef INET6
61 #include <netinet/ip6.h>
62 #include <netinet6/ip6_var.h>
63 #include <netinet/icmp6.h>
64 #endif
65
66 #include <netinet6/ipsec.h>
67 #ifdef INET6
68 #include <netinet6/ipsec6.h>
69 #endif
70 #include <netinet6/ah.h>
71 #ifdef INET6
72 #include <netinet6/ah6.h>
73 #endif
74 #include <netproto/key/key.h>
75 #include <netproto/key/keydb.h>
76
77 #include <net/net_osdep.h>
78
79 #ifdef INET
80 static struct in_addr *ah4_finaldst (struct mbuf *);
81 #endif
82
83 /*
84 * compute AH header size.
85 * transport mode only. for tunnel mode, we should implement
86 * virtual interface, and control MTU/MSS by the interface MTU.
87 */
88 size_t
89 ah_hdrsiz(struct ipsecrequest *isr)
90 {
91 const struct ah_algorithm *algo;
92 size_t hdrsiz;
93
94 /* sanity check */
95 if (isr == NULL)
96 panic("ah_hdrsiz: NULL was passed.");
97
98 if (isr->saidx.proto != IPPROTO_AH)
99 panic("unsupported mode passed to ah_hdrsiz");
100
101 if (isr->sav == NULL)
102 goto estimate;
103 if (isr->sav->state != SADB_SASTATE_MATURE
104 && isr->sav->state != SADB_SASTATE_DYING)
105 goto estimate;
106
107 /* we need transport mode AH. */
108 algo = ah_algorithm_lookup(isr->sav->alg_auth);
109 if (!algo)
110 goto estimate;
111
112 /*
113 * XXX
114 * right now we don't calcurate the padding size. simply
115 * treat the padding size as constant, for simplicity.
116 *
117 * XXX variable size padding support
118 */
119 hdrsiz = (((*algo->sumsiz)(isr->sav) + 3) & ~(4 - 1));
120 if (isr->sav->flags & SADB_X_EXT_OLD)
121 hdrsiz += sizeof(struct ah);
122 else
123 hdrsiz += sizeof(struct newah);
124
125 return hdrsiz;
126
127 estimate:
128 /* ASSUMING:
129 * sizeof(struct newah) > sizeof(struct ah).
130 * 16 = (16 + 3) & ~(4 - 1).
131 */
132 return sizeof(struct newah) + 16;
133 }
134
135 #ifdef INET
136 /*
137 * Modify the packet so that it includes the authentication data.
138 * The mbuf passed must start with IPv4 header.
139 *
140 * assumes that the first mbuf contains IPv4 header + option only.
141 * the function does not modify m.
142 */
143 int
144 ah4_output(struct mbuf *m, struct ipsecrequest *isr)
145 {
146 struct secasvar *sav = isr->sav;
147 const struct ah_algorithm *algo;
148 u_int32_t spi;
149 u_char *ahdrpos;
150 u_char *ahsumpos = NULL;
151 size_t hlen = 0; /* IP header+option in bytes */
152 size_t plen = 0; /* AH payload size in bytes */
153 size_t ahlen = 0; /* plen + sizeof(ah) */
154 struct ip *ip;
155 struct in_addr dst;
156 struct in_addr *finaldst;
157 int error;
158
159 /* sanity checks */
160 if ((sav->flags & SADB_X_EXT_OLD) == 0 && !sav->replay) {
161 struct ip *ip;
162
163 ip = mtod(m, struct ip *);
164 ipseclog((LOG_DEBUG, "ah4_output: internal error: "
165 "sav->replay is null: %x->%x, SPI=%u\n",
166 (u_int32_t)ntohl(ip->ip_src.s_addr),
167 (u_int32_t)ntohl(ip->ip_dst.s_addr),
168 (u_int32_t)ntohl(sav->spi)));
169 ipsecstat.out_inval++;
170 m_freem(m);
171 return EINVAL;
172 }
173
174 algo = ah_algorithm_lookup(sav->alg_auth);
175 if (!algo) {
176 ipseclog((LOG_ERR, "ah4_output: unsupported algorithm: "
177 "SPI=%u\n", (u_int32_t)ntohl(sav->spi)));
178 ipsecstat.out_inval++;
179 m_freem(m);
180 return EINVAL;
181 }
182 spi = sav->spi;
183
184 /*
185 * determine the size to grow.
186 */
187 if (sav->flags & SADB_X_EXT_OLD) {
188 /* RFC 1826 */
189 plen = ((*algo->sumsiz)(sav) + 3) & ~(4 - 1); /* XXX pad to 8byte? */
190 ahlen = plen + sizeof(struct ah);
191 } else {
192 /* RFC 2402 */
193 plen = ((*algo->sumsiz)(sav) + 3) & ~(4 - 1); /* XXX pad to 8byte? */
194 ahlen = plen + sizeof(struct newah);
195 }
196
197 /*
198 * grow the mbuf to accomodate AH.
199 */
200 ip = mtod(m, struct ip *);
201 #ifdef _IP_VHL
202 hlen = IP_VHL_HL(ip->ip_vhl) << 2;
203 #else
204 hlen = ip->ip_hl << 2;
205 #endif
206
207 if (m->m_len != hlen)
208 panic("ah4_output: assumption failed (first mbuf length)");
209 if (M_LEADINGSPACE(m->m_next) < ahlen) {
210 struct mbuf *n;
211 MGET(n, M_NOWAIT, MT_DATA);
212 if (!n) {
213 ipseclog((LOG_DEBUG, "ENOBUFS in ah4_output %d\n",
214 __LINE__));
215 m_freem(m);
216 return ENOBUFS;
217 }
218 n->m_len = ahlen;
219 n->m_next = m->m_next;
220 m->m_next = n;
221 m->m_pkthdr.len += ahlen;
222 ahdrpos = mtod(n, u_char *);
223 } else {
224 m->m_next->m_len += ahlen;
225 m->m_next->m_data -= ahlen;
226 m->m_pkthdr.len += ahlen;
227 ahdrpos = mtod(m->m_next, u_char *);
228 }
229
230 ip = mtod(m, struct ip *); /* just to be sure */
231
232 /*
233 * initialize AH.
234 */
235 if (sav->flags & SADB_X_EXT_OLD) {
236 struct ah *ahdr;
237
238 ahdr = (struct ah *)ahdrpos;
239 ahsumpos = (u_char *)(ahdr + 1);
240 ahdr->ah_len = plen >> 2;
241 ahdr->ah_nxt = ip->ip_p;
242 ahdr->ah_reserve = htons(0);
243 ahdr->ah_spi = spi;
244 bzero(ahdr + 1, plen);
245 } else {
246 struct newah *ahdr;
247
248 ahdr = (struct newah *)ahdrpos;
249 ahsumpos = (u_char *)(ahdr + 1);
250 ahdr->ah_len = (plen >> 2) + 1; /* plus one for seq# */
251 ahdr->ah_nxt = ip->ip_p;
252 ahdr->ah_reserve = htons(0);
253 ahdr->ah_spi = spi;
254 if (sav->replay->count == ~0) {
255 if ((sav->flags & SADB_X_EXT_CYCSEQ) == 0) {
256 /* XXX Is it noisy ? */
257 ipseclog((LOG_WARNING,
258 "replay counter overflowed. %s\n",
259 ipsec_logsastr(sav)));
260 ipsecstat.out_inval++;
261 m_freem(m);
262 return EINVAL;
263 }
264 }
265 sav->replay->count++;
266 /*
267 * XXX sequence number must not be cycled, if the SA is
268 * installed by IKE daemon.
269 */
270 ahdr->ah_seq = htonl(sav->replay->count & 0xffffffff);
271 bzero(ahdr + 1, plen);
272 }
273
274 /*
275 * modify IPv4 header.
276 */
277 ip->ip_p = IPPROTO_AH;
278 if (ahlen < (IP_MAXPACKET - ntohs(ip->ip_len)))
279 ip->ip_len = htons(ntohs(ip->ip_len) + ahlen);
280 else {
281 ipseclog((LOG_ERR, "IPv4 AH output: size exceeds limit\n"));
282 ipsecstat.out_inval++;
283 m_freem(m);
284 return EMSGSIZE;
285 }
286
287 /*
288 * If there is source routing option, update destination field in
289 * the IPv4 header to the final destination.
290 * Note that we do not need to update source routing option itself
291 * (as done in IPv4 AH processing -- see ip6_output()), since
292 * source routing option is not part of the ICV computation.
293 */
294 finaldst = ah4_finaldst(m);
295 if (finaldst) {
296 dst.s_addr = ip->ip_dst.s_addr;
297 ip->ip_dst.s_addr = finaldst->s_addr;
298 } else {
299 dst.s_addr = 0; /* fix compiler warning */
300 }
301
302 /*
303 * calcurate the checksum, based on security association
304 * and the algorithm specified.
305 */
306 error = ah4_calccksum(m, (caddr_t)ahsumpos, plen, algo, sav);
307 if (error) {
308 ipseclog((LOG_ERR,
309 "error after ah4_calccksum, called from ah4_output"));
310 m_freem(m);
311 m = NULL;
312 ipsecstat.out_inval++;
313 return error;
314 }
315
316 if (finaldst) {
317 ip = mtod(m, struct ip *); /* just to make sure */
318 ip->ip_dst.s_addr = dst.s_addr;
319 }
320 ipsecstat.out_success++;
321 ipsecstat.out_ahhist[sav->alg_auth]++;
322 key_sa_recordxfer(sav, m);
323
324 return 0;
325 }
326 #endif
327
328 /* Calculate AH length */
329 int
330 ah_hdrlen(struct secasvar *sav)
331 {
332 const struct ah_algorithm *algo;
333 int plen, ahlen;
334
335 algo = ah_algorithm_lookup(sav->alg_auth);
336 if (!algo)
337 return 0;
338 if (sav->flags & SADB_X_EXT_OLD) {
339 /* RFC 1826 */
340 plen = ((*algo->sumsiz)(sav) + 3) & ~(4 - 1); /* XXX pad to 8byte? */
341 ahlen = plen + sizeof(struct ah);
342 } else {
343 /* RFC 2402 */
344 plen = ((*algo->sumsiz)(sav) + 3) & ~(4 - 1); /* XXX pad to 8byte? */
345 ahlen = plen + sizeof(struct newah);
346 }
347
348 return (ahlen);
349 }
350
351 #ifdef INET6
352 /*
353 * Fill in the Authentication Header and calculate checksum.
354 */
355 int
356 ah6_output(struct mbuf *m, u_char *nexthdrp, struct mbuf *md,
357 struct ipsecrequest *isr)
358 {
359 struct mbuf *mprev;
360 struct mbuf *mah;
361 struct secasvar *sav = isr->sav;
362 const struct ah_algorithm *algo;
363 u_int32_t spi;
364 u_char *ahsumpos = NULL;
365 size_t plen; /* AH payload size in bytes */
366 int error = 0;
367 int ahlen;
368 struct ip6_hdr *ip6;
369
370 if (m->m_len < sizeof(struct ip6_hdr)) {
371 ipseclog((LOG_DEBUG, "ah6_output: first mbuf too short\n"));
372 m_freem(m);
373 return EINVAL;
374 }
375
376 ahlen = ah_hdrlen(sav);
377 if (ahlen == 0)
378 return 0;
379
380 for (mprev = m; mprev && mprev->m_next != md; mprev = mprev->m_next)
381 ;
382 if (!mprev || mprev->m_next != md) {
383 ipseclog((LOG_DEBUG, "ah6_output: md is not in chain\n"));
384 m_freem(m);
385 return EINVAL;
386 }
387
388 mah = m_getb(ahlen, M_NOWAIT, MT_DATA, 0);
389 if (mah == NULL) {
390 m_freem(m);
391 return ENOBUFS;
392 }
393 mah->m_len = ahlen;
394 mah->m_next = md;
395 mprev->m_next = mah;
396 m->m_pkthdr.len += ahlen;
397
398 /* fix plen */
399 if (m->m_pkthdr.len - sizeof(struct ip6_hdr) > IPV6_MAXPACKET) {
400 ipseclog((LOG_ERR,
401 "ah6_output: AH with IPv6 jumbogram is not supported\n"));
402 m_freem(m);
403 return EINVAL;
404 }
405 ip6 = mtod(m, struct ip6_hdr *);
406 ip6->ip6_plen = htons(m->m_pkthdr.len - sizeof(struct ip6_hdr));
407
408 if ((sav->flags & SADB_X_EXT_OLD) == 0 && !sav->replay) {
409 ipseclog((LOG_DEBUG, "ah6_output: internal error: "
410 "sav->replay is null: SPI=%u\n",
411 (u_int32_t)ntohl(sav->spi)));
412 ipsec6stat.out_inval++;
413 m_freem(m);
414 return EINVAL;
415 }
416
417 algo = ah_algorithm_lookup(sav->alg_auth);
418 if (!algo) {
419 ipseclog((LOG_ERR, "ah6_output: unsupported algorithm: "
420 "SPI=%u\n", (u_int32_t)ntohl(sav->spi)));
421 ipsec6stat.out_inval++;
422 m_freem(m);
423 return EINVAL;
424 }
425 spi = sav->spi;
426
427 /*
428 * initialize AH.
429 */
430 if (sav->flags & SADB_X_EXT_OLD) {
431 struct ah *ahdr = mtod(mah, struct ah *);
432
433 plen = mah->m_len - sizeof(struct ah);
434 ahsumpos = (u_char *)(ahdr + 1);
435 ahdr->ah_nxt = *nexthdrp;
436 *nexthdrp = IPPROTO_AH;
437 ahdr->ah_len = plen >> 2;
438 ahdr->ah_reserve = htons(0);
439 ahdr->ah_spi = spi;
440 bzero(ahdr + 1, plen);
441 } else {
442 struct newah *ahdr = mtod(mah, struct newah *);
443
444 plen = mah->m_len - sizeof(struct newah);
445 ahsumpos = (u_char *)(ahdr + 1);
446 ahdr->ah_nxt = *nexthdrp;
447 *nexthdrp = IPPROTO_AH;
448 ahdr->ah_len = (plen >> 2) + 1; /* plus one for seq# */
449 ahdr->ah_reserve = htons(0);
450 ahdr->ah_spi = spi;
451 if (sav->replay->count == ~0) {
452 if ((sav->flags & SADB_X_EXT_CYCSEQ) == 0) {
453 /* XXX Is it noisy ? */
454 ipseclog((LOG_WARNING,
455 "replay counter overflowed. %s\n",
456 ipsec_logsastr(sav)));
457 ipsec6stat.out_inval++;
458 m_freem(m);
459 return EINVAL;
460 }
461 }
462 sav->replay->count++;
463 /*
464 * XXX sequence number must not be cycled, if the SA is
465 * installed by IKE daemon.
466 */
467 ahdr->ah_seq = htonl(sav->replay->count);
468 bzero(ahdr + 1, plen);
469 }
470
471 /*
472 * calcurate the checksum, based on security association
473 * and the algorithm specified.
474 */
475 error = ah6_calccksum(m, (caddr_t)ahsumpos, plen, algo, sav);
476 if (error) {
477 ipsec6stat.out_inval++;
478 m_freem(m);
479 } else {
480 ipsec6stat.out_success++;
481 key_sa_recordxfer(sav, m);
482 }
483 ipsec6stat.out_ahhist[sav->alg_auth]++;
484
485 return (error);
486 }
487 #endif
488
489 #ifdef INET
490 /*
491 * Find the final destination if there is loose/strict source routing option.
492 * Returns NULL if there's no source routing options.
493 * Returns NULL on errors too.
494 * Note that this function will return a pointer INTO the given parameter,
495 * struct mbuf *m.
496 * The mbuf must be pulled up toward, at least, ip option part.
497 */
498 static struct in_addr *
499 ah4_finaldst(struct mbuf *m)
500 {
501 struct ip *ip;
502 int optlen;
503 u_char *q;
504 int i;
505 int hlen;
506
507 if (!m)
508 panic("ah4_finaldst: m == NULL");
509 ip = mtod(m, struct ip *);
510 hlen = (ip->ip_hl << 2);
511
512 if (m->m_len < hlen) {
513 ipseclog((LOG_DEBUG,
514 "ah4_finaldst: parameter mbuf wrong (not pulled up)\n"));
515 return NULL;
516 }
517
518 if (hlen == sizeof(struct ip))
519 return NULL;
520
521 optlen = hlen - sizeof(struct ip);
522 if (optlen < 0) {
523 ipseclog((LOG_DEBUG, "ah4_finaldst: wrong optlen %d\n",
524 optlen));
525 return NULL;
526 }
527
528 q = (u_char *)(ip + 1);
529 i = 0;
530 while (i < optlen) {
531 if (i + IPOPT_OPTVAL >= optlen)
532 return NULL;
533 if (q[i + IPOPT_OPTVAL] == IPOPT_EOL ||
534 q[i + IPOPT_OPTVAL] == IPOPT_NOP ||
535 i + IPOPT_OLEN < optlen)
536 ;
537 else
538 return NULL;
539
540 switch (q[i + IPOPT_OPTVAL]) {
541 case IPOPT_EOL:
542 i = optlen; /* bye */
543 break;
544 case IPOPT_NOP:
545 i++;
546 break;
547 case IPOPT_LSRR:
548 case IPOPT_SSRR:
549 if (q[i + IPOPT_OLEN] < 2 + sizeof(struct in_addr) ||
550 optlen - i < q[i + IPOPT_OLEN]) {
551 ipseclog((LOG_ERR,
552 "ip_finaldst: invalid IP option "
553 "(code=%02x len=%02x)\n",
554 q[i + IPOPT_OPTVAL], q[i + IPOPT_OLEN]));
555 return NULL;
556 }
557 i += q[i + IPOPT_OLEN] - sizeof(struct in_addr);
558 return (struct in_addr *)(q + i);
559 default:
560 if (q[i + IPOPT_OLEN] < 2 ||
561 optlen - i < q[i + IPOPT_OLEN]) {
562 ipseclog((LOG_ERR,
563 "ip_finaldst: invalid IP option "
564 "(code=%02x len=%02x)\n",
565 q[i + IPOPT_OPTVAL], q[i + IPOPT_OLEN]));
566 return NULL;
567 }
568 i += q[i + IPOPT_OLEN];
569 break;
570 }
571 }
572 return NULL;
573 }
574 #endif
DragonFly BSD