search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
kernel - close holes in autoconf's run_interrupt_driven_config_hooks()
[dragonfly.git] / sys / netinet6 / ah_output.c
blob64205d05c1e99e57569a45986903d60c3bad00cb
1 /* $FreeBSD: src/sys/netinet6/ah_output.c,v 1.1.2.5 2003/05/06 06:46:58 suz Exp $ */
2 /* $DragonFly: src/sys/netinet6/ah_output.c,v 1.9 2006/10/24 06:18:42 hsu Exp $ */
3 /* $KAME: ah_output.c,v 1.31 2001/07/26 06:53:15 jinmei Exp $ */
4
5 /*
6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
7 * All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the project nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 /*
35 * RFC1826/2402 authentication header.
36 */
37
38 #include "opt_inet.h"
39 #include "opt_inet6.h"
40
41 #include <sys/param.h>
42 #include <sys/systm.h>
43 #include <sys/mbuf.h>
44 #include <sys/domain.h>
45 #include <sys/protosw.h>
46 #include <sys/socket.h>
47 #include <sys/socketvar.h>
48 #include <sys/errno.h>
49 #include <sys/time.h>
50 #include <sys/syslog.h>
51
52 #include <net/if.h>
53 #include <net/route.h>
54
55 #include <netinet/in.h>
56
57 #include <netinet/in_systm.h>
58 #include <netinet/ip.h>
59 #include <netinet/in_var.h>
60
61 #ifdef INET6
62 #include <netinet/ip6.h>
63 #include <netinet6/ip6_var.h>
64 #include <netinet/icmp6.h>
65 #endif
66
67 #include <netinet6/ipsec.h>
68 #ifdef INET6
69 #include <netinet6/ipsec6.h>
70 #endif
71 #include <netinet6/ah.h>
72 #ifdef INET6
73 #include <netinet6/ah6.h>
74 #endif
75 #include <netproto/key/key.h>
76 #include <netproto/key/keydb.h>
77
78 #include <net/net_osdep.h>
79
80 #ifdef INET
81 static struct in_addr *ah4_finaldst (struct mbuf *);
82 #endif
83
84 /*
85 * compute AH header size.
86 * transport mode only. for tunnel mode, we should implement
87 * virtual interface, and control MTU/MSS by the interface MTU.
88 */
89 size_t
90 ah_hdrsiz(struct ipsecrequest *isr)
91 {
92 const struct ah_algorithm *algo;
93 size_t hdrsiz;
94
95 /* sanity check */
96 if (isr == NULL)
97 panic("ah_hdrsiz: NULL was passed.");
98
99 if (isr->saidx.proto != IPPROTO_AH)
100 panic("unsupported mode passed to ah_hdrsiz");
101
102 if (isr->sav == NULL)
103 goto estimate;
104 if (isr->sav->state != SADB_SASTATE_MATURE
105 && isr->sav->state != SADB_SASTATE_DYING)
106 goto estimate;
107
108 /* we need transport mode AH. */
109 algo = ah_algorithm_lookup(isr->sav->alg_auth);
110 if (!algo)
111 goto estimate;
112
113 /*
114 * XXX
115 * right now we don't calcurate the padding size. simply
116 * treat the padding size as constant, for simplicity.
117 *
118 * XXX variable size padding support
119 */
120 hdrsiz = (((*algo->sumsiz)(isr->sav) + 3) & ~(4 - 1));
121 if (isr->sav->flags & SADB_X_EXT_OLD)
122 hdrsiz += sizeof(struct ah);
123 else
124 hdrsiz += sizeof(struct newah);
125
126 return hdrsiz;
127
128 estimate:
129 /* ASSUMING:
130 * sizeof(struct newah) > sizeof(struct ah).
131 * 16 = (16 + 3) & ~(4 - 1).
132 */
133 return sizeof(struct newah) + 16;
134 }
135
136 #ifdef INET
137 /*
138 * Modify the packet so that it includes the authentication data.
139 * The mbuf passed must start with IPv4 header.
140 *
141 * assumes that the first mbuf contains IPv4 header + option only.
142 * the function does not modify m.
143 */
144 int
145 ah4_output(struct mbuf *m, struct ipsecrequest *isr)
146 {
147 struct secasvar *sav = isr->sav;
148 const struct ah_algorithm *algo;
149 u_int32_t spi;
150 u_char *ahdrpos;
151 u_char *ahsumpos = NULL;
152 size_t hlen = 0; /* IP header+option in bytes */
153 size_t plen = 0; /* AH payload size in bytes */
154 size_t ahlen = 0; /* plen + sizeof(ah) */
155 struct ip *ip;
156 struct in_addr dst;
157 struct in_addr *finaldst;
158 int error;
159
160 /* sanity checks */
161 if ((sav->flags & SADB_X_EXT_OLD) == 0 && !sav->replay) {
162 struct ip *ip;
163
164 ip = mtod(m, struct ip *);
165 ipseclog((LOG_DEBUG, "ah4_output: internal error: "
166 "sav->replay is null: %x->%x, SPI=%u\n",
167 (u_int32_t)ntohl(ip->ip_src.s_addr),
168 (u_int32_t)ntohl(ip->ip_dst.s_addr),
169 (u_int32_t)ntohl(sav->spi)));
170 ipsecstat.out_inval++;
171 m_freem(m);
172 return EINVAL;
173 }
174
175 algo = ah_algorithm_lookup(sav->alg_auth);
176 if (!algo) {
177 ipseclog((LOG_ERR, "ah4_output: unsupported algorithm: "
178 "SPI=%u\n", (u_int32_t)ntohl(sav->spi)));
179 ipsecstat.out_inval++;
180 m_freem(m);
181 return EINVAL;
182 }
183 spi = sav->spi;
184
185 /*
186 * determine the size to grow.
187 */
188 if (sav->flags & SADB_X_EXT_OLD) {
189 /* RFC 1826 */
190 plen = ((*algo->sumsiz)(sav) + 3) & ~(4 - 1); /* XXX pad to 8byte? */
191 ahlen = plen + sizeof(struct ah);
192 } else {
193 /* RFC 2402 */
194 plen = ((*algo->sumsiz)(sav) + 3) & ~(4 - 1); /* XXX pad to 8byte? */
195 ahlen = plen + sizeof(struct newah);
196 }
197
198 /*
199 * grow the mbuf to accomodate AH.
200 */
201 ip = mtod(m, struct ip *);
202 #ifdef _IP_VHL
203 hlen = IP_VHL_HL(ip->ip_vhl) << 2;
204 #else
205 hlen = ip->ip_hl << 2;
206 #endif
207
208 if (m->m_len != hlen)
209 panic("ah4_output: assumption failed (first mbuf length)");
210 if (M_LEADINGSPACE(m->m_next) < ahlen) {
211 struct mbuf *n;
212 MGET(n, MB_DONTWAIT, MT_DATA);
213 if (!n) {
214 ipseclog((LOG_DEBUG, "ENOBUFS in ah4_output %d\n",
215 __LINE__));
216 m_freem(m);
217 return ENOBUFS;
218 }
219 n->m_len = ahlen;
220 n->m_next = m->m_next;
221 m->m_next = n;
222 m->m_pkthdr.len += ahlen;
223 ahdrpos = mtod(n, u_char *);
224 } else {
225 m->m_next->m_len += ahlen;
226 m->m_next->m_data -= ahlen;
227 m->m_pkthdr.len += ahlen;
228 ahdrpos = mtod(m->m_next, u_char *);
229 }
230
231 ip = mtod(m, struct ip *); /* just to be sure */
232
233 /*
234 * initialize AH.
235 */
236 if (sav->flags & SADB_X_EXT_OLD) {
237 struct ah *ahdr;
238
239 ahdr = (struct ah *)ahdrpos;
240 ahsumpos = (u_char *)(ahdr + 1);
241 ahdr->ah_len = plen >> 2;
242 ahdr->ah_nxt = ip->ip_p;
243 ahdr->ah_reserve = htons(0);
244 ahdr->ah_spi = spi;
245 bzero(ahdr + 1, plen);
246 } else {
247 struct newah *ahdr;
248
249 ahdr = (struct newah *)ahdrpos;
250 ahsumpos = (u_char *)(ahdr + 1);
251 ahdr->ah_len = (plen >> 2) + 1; /* plus one for seq# */
252 ahdr->ah_nxt = ip->ip_p;
253 ahdr->ah_reserve = htons(0);
254 ahdr->ah_spi = spi;
255 if (sav->replay->count == ~0) {
256 if ((sav->flags & SADB_X_EXT_CYCSEQ) == 0) {
257 /* XXX Is it noisy ? */
258 ipseclog((LOG_WARNING,
259 "replay counter overflowed. %s\n",
260 ipsec_logsastr(sav)));
261 ipsecstat.out_inval++;
262 m_freem(m);
263 return EINVAL;
264 }
265 }
266 sav->replay->count++;
267 /*
268 * XXX sequence number must not be cycled, if the SA is
269 * installed by IKE daemon.
270 */
271 ahdr->ah_seq = htonl(sav->replay->count & 0xffffffff);
272 bzero(ahdr + 1, plen);
273 }
274
275 /*
276 * modify IPv4 header.
277 */
278 ip->ip_p = IPPROTO_AH;
279 if (ahlen < (IP_MAXPACKET - ntohs(ip->ip_len)))
280 ip->ip_len = htons(ntohs(ip->ip_len) + ahlen);
281 else {
282 ipseclog((LOG_ERR, "IPv4 AH output: size exceeds limit\n"));
283 ipsecstat.out_inval++;
284 m_freem(m);
285 return EMSGSIZE;
286 }
287
288 /*
289 * If there is source routing option, update destination field in
290 * the IPv4 header to the final destination.
291 * Note that we do not need to update source routing option itself
292 * (as done in IPv4 AH processing -- see ip6_output()), since
293 * source routing option is not part of the ICV computation.
294 */
295 finaldst = ah4_finaldst(m);
296 if (finaldst) {
297 dst.s_addr = ip->ip_dst.s_addr;
298 ip->ip_dst.s_addr = finaldst->s_addr;
299 } else {
300 dst.s_addr = 0; /* fix compiler warning */
301 }
302
303 /*
304 * calcurate the checksum, based on security association
305 * and the algorithm specified.
306 */
307 error = ah4_calccksum(m, (caddr_t)ahsumpos, plen, algo, sav);
308 if (error) {
309 ipseclog((LOG_ERR,
310 "error after ah4_calccksum, called from ah4_output"));
311 m_freem(m);
312 m = NULL;
313 ipsecstat.out_inval++;
314 return error;
315 }
316
317 if (finaldst) {
318 ip = mtod(m, struct ip *); /* just to make sure */
319 ip->ip_dst.s_addr = dst.s_addr;
320 }
321 ipsecstat.out_success++;
322 ipsecstat.out_ahhist[sav->alg_auth]++;
323 key_sa_recordxfer(sav, m);
324
325 return 0;
326 }
327 #endif
328
329 /* Calculate AH length */
330 int
331 ah_hdrlen(struct secasvar *sav)
332 {
333 const struct ah_algorithm *algo;
334 int plen, ahlen;
335
336 algo = ah_algorithm_lookup(sav->alg_auth);
337 if (!algo)
338 return 0;
339 if (sav->flags & SADB_X_EXT_OLD) {
340 /* RFC 1826 */
341 plen = ((*algo->sumsiz)(sav) + 3) & ~(4 - 1); /* XXX pad to 8byte? */
342 ahlen = plen + sizeof(struct ah);
343 } else {
344 /* RFC 2402 */
345 plen = ((*algo->sumsiz)(sav) + 3) & ~(4 - 1); /* XXX pad to 8byte? */
346 ahlen = plen + sizeof(struct newah);
347 }
348
349 return (ahlen);
350 }
351
352 #ifdef INET6
353 /*
354 * Fill in the Authentication Header and calculate checksum.
355 */
356 int
357 ah6_output(struct mbuf *m, u_char *nexthdrp, struct mbuf *md,
358 struct ipsecrequest *isr)
359 {
360 struct mbuf *mprev;
361 struct mbuf *mah;
362 struct secasvar *sav = isr->sav;
363 const struct ah_algorithm *algo;
364 u_int32_t spi;
365 u_char *ahsumpos = NULL;
366 size_t plen; /* AH payload size in bytes */
367 int error = 0;
368 int ahlen;
369 struct ip6_hdr *ip6;
370
371 if (m->m_len < sizeof(struct ip6_hdr)) {
372 ipseclog((LOG_DEBUG, "ah6_output: first mbuf too short\n"));
373 m_freem(m);
374 return EINVAL;
375 }
376
377 ahlen = ah_hdrlen(sav);
378 if (ahlen == 0)
379 return 0;
380
381 for (mprev = m; mprev && mprev->m_next != md; mprev = mprev->m_next)
382 ;
383 if (!mprev || mprev->m_next != md) {
384 ipseclog((LOG_DEBUG, "ah6_output: md is not in chain\n"));
385 m_freem(m);
386 return EINVAL;
387 }
388
389 mah = m_getb(ahlen, MB_DONTWAIT, MT_DATA, 0);
390 if (mah == NULL) {
391 m_freem(m);
392 return ENOBUFS;
393 }
394 mah->m_len = ahlen;
395 mah->m_next = md;
396 mprev->m_next = mah;
397 m->m_pkthdr.len += ahlen;
398
399 /* fix plen */
400 if (m->m_pkthdr.len - sizeof(struct ip6_hdr) > IPV6_MAXPACKET) {
401 ipseclog((LOG_ERR,
402 "ah6_output: AH with IPv6 jumbogram is not supported\n"));
403 m_freem(m);
404 return EINVAL;
405 }
406 ip6 = mtod(m, struct ip6_hdr *);
407 ip6->ip6_plen = htons(m->m_pkthdr.len - sizeof(struct ip6_hdr));
408
409 if ((sav->flags & SADB_X_EXT_OLD) == 0 && !sav->replay) {
410 ipseclog((LOG_DEBUG, "ah6_output: internal error: "
411 "sav->replay is null: SPI=%u\n",
412 (u_int32_t)ntohl(sav->spi)));
413 ipsec6stat.out_inval++;
414 m_freem(m);
415 return EINVAL;
416 }
417
418 algo = ah_algorithm_lookup(sav->alg_auth);
419 if (!algo) {
420 ipseclog((LOG_ERR, "ah6_output: unsupported algorithm: "
421 "SPI=%u\n", (u_int32_t)ntohl(sav->spi)));
422 ipsec6stat.out_inval++;
423 m_freem(m);
424 return EINVAL;
425 }
426 spi = sav->spi;
427
428 /*
429 * initialize AH.
430 */
431 if (sav->flags & SADB_X_EXT_OLD) {
432 struct ah *ahdr = mtod(mah, struct ah *);
433
434 plen = mah->m_len - sizeof(struct ah);
435 ahsumpos = (u_char *)(ahdr + 1);
436 ahdr->ah_nxt = *nexthdrp;
437 *nexthdrp = IPPROTO_AH;
438 ahdr->ah_len = plen >> 2;
439 ahdr->ah_reserve = htons(0);
440 ahdr->ah_spi = spi;
441 bzero(ahdr + 1, plen);
442 } else {
443 struct newah *ahdr = mtod(mah, struct newah *);
444
445 plen = mah->m_len - sizeof(struct newah);
446 ahsumpos = (u_char *)(ahdr + 1);
447 ahdr->ah_nxt = *nexthdrp;
448 *nexthdrp = IPPROTO_AH;
449 ahdr->ah_len = (plen >> 2) + 1; /* plus one for seq# */
450 ahdr->ah_reserve = htons(0);
451 ahdr->ah_spi = spi;
452 if (sav->replay->count == ~0) {
453 if ((sav->flags & SADB_X_EXT_CYCSEQ) == 0) {
454 /* XXX Is it noisy ? */
455 ipseclog((LOG_WARNING,
456 "replay counter overflowed. %s\n",
457 ipsec_logsastr(sav)));
458 ipsec6stat.out_inval++;
459 m_freem(m);
460 return EINVAL;
461 }
462 }
463 sav->replay->count++;
464 /*
465 * XXX sequence number must not be cycled, if the SA is
466 * installed by IKE daemon.
467 */
468 ahdr->ah_seq = htonl(sav->replay->count);
469 bzero(ahdr + 1, plen);
470 }
471
472 /*
473 * calcurate the checksum, based on security association
474 * and the algorithm specified.
475 */
476 error = ah6_calccksum(m, (caddr_t)ahsumpos, plen, algo, sav);
477 if (error) {
478 ipsec6stat.out_inval++;
479 m_freem(m);
480 } else {
481 ipsec6stat.out_success++;
482 key_sa_recordxfer(sav, m);
483 }
484 ipsec6stat.out_ahhist[sav->alg_auth]++;
485
486 return (error);
487 }
488 #endif
489
490 #ifdef INET
491 /*
492 * Find the final destination if there is loose/strict source routing option.
493 * Returns NULL if there's no source routing options.
494 * Returns NULL on errors too.
495 * Note that this function will return a pointer INTO the given parameter,
496 * struct mbuf *m.
497 * The mbuf must be pulled up toward, at least, ip option part.
498 */
499 static struct in_addr *
500 ah4_finaldst(struct mbuf *m)
501 {
502 struct ip *ip;
503 int optlen;
504 u_char *q;
505 int i;
506 int hlen;
507
508 if (!m)
509 panic("ah4_finaldst: m == NULL");
510 ip = mtod(m, struct ip *);
511 hlen = (ip->ip_hl << 2);
512
513 if (m->m_len < hlen) {
514 ipseclog((LOG_DEBUG,
515 "ah4_finaldst: parameter mbuf wrong (not pulled up)\n"));
516 return NULL;
517 }
518
519 if (hlen == sizeof(struct ip))
520 return NULL;
521
522 optlen = hlen - sizeof(struct ip);
523 if (optlen < 0) {
524 ipseclog((LOG_DEBUG, "ah4_finaldst: wrong optlen %d\n",
525 optlen));
526 return NULL;
527 }
528
529 q = (u_char *)(ip + 1);
530 i = 0;
531 while (i < optlen) {
532 if (i + IPOPT_OPTVAL >= optlen)
533 return NULL;
534 if (q[i + IPOPT_OPTVAL] == IPOPT_EOL ||
535 q[i + IPOPT_OPTVAL] == IPOPT_NOP ||
536 i + IPOPT_OLEN < optlen)
537 ;
538 else
539 return NULL;
540
541 switch (q[i + IPOPT_OPTVAL]) {
542 case IPOPT_EOL:
543 i = optlen; /* bye */
544 break;
545 case IPOPT_NOP:
546 i++;
547 break;
548 case IPOPT_LSRR:
549 case IPOPT_SSRR:
550 if (q[i + IPOPT_OLEN] < 2 + sizeof(struct in_addr) ||
551 optlen - i < q[i + IPOPT_OLEN]) {
552 ipseclog((LOG_ERR,
553 "ip_finaldst: invalid IP option "
554 "(code=%02x len=%02x)\n",
555 q[i + IPOPT_OPTVAL], q[i + IPOPT_OLEN]));
556 return NULL;
557 }
558 i += q[i + IPOPT_OLEN] - sizeof(struct in_addr);
559 return (struct in_addr *)(q + i);
560 default:
561 if (q[i + IPOPT_OLEN] < 2 ||
562 optlen - i < q[i + IPOPT_OLEN]) {
563 ipseclog((LOG_ERR,
564 "ip_finaldst: invalid IP option "
565 "(code=%02x len=%02x)\n",
566 q[i + IPOPT_OPTVAL], q[i + IPOPT_OLEN]));
567 return NULL;
568 }
569 i += q[i + IPOPT_OLEN];
570 break;
571 }
572 }
573 return NULL;
574 }
575 #endif
DragonFly BSD