1 /* $FreeBSD: src/sys/netipsec/xform_ah.c,v 1.1.4.2 2003/02/26 00:14:05 sam Exp $ */
2 /* $DragonFly: src/sys/netproto/ipsec/xform_ah.c,v 1.10 2006/10/12 01:32:51 hsu Exp $ */
3 /* $OpenBSD: ip_ah.c,v 1.63 2001/06/26 06:18:58 angelos Exp $ */
5 * The authors of this code are John Ioannidis (ji@tla.org),
6 * Angelos D. Keromytis (kermit@csd.uch.gr) and
7 * Niels Provos (provos@physnet.uni-hamburg.de).
9 * The original version of this code was written by John Ioannidis
10 * for BSD/OS in Athens, Greece, in November 1995.
12 * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996,
13 * by Angelos D. Keromytis.
15 * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis
18 * Additional features in 1999 by Angelos D. Keromytis and Niklas Hallqvist.
20 * Copyright (c) 1995, 1996, 1997, 1998, 1999 by John Ioannidis,
21 * Angelos D. Keromytis and Niels Provos.
22 * Copyright (c) 1999 Niklas Hallqvist.
23 * Copyright (c) 2001 Angelos D. Keromytis.
25 * Permission to use, copy, and modify this software with or without fee
26 * is hereby granted, provided that this entire notice is included in
27 * all copies of any software which is or includes a copy or
28 * modification of this software.
29 * You may use this code under the GNU public license if you so wish. Please
30 * contribute changes back to the authors under this freer than GPL license
31 * so that we may further the use of strong encryption without limitations to
34 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
35 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY
36 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
37 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
41 #include "opt_inet6.h"
43 #include <sys/param.h>
44 #include <sys/systm.h>
46 #include <sys/socket.h>
47 #include <sys/syslog.h>
48 #include <sys/kernel.h>
49 #include <sys/sysctl.h>
53 #include <netinet/in.h>
54 #include <netinet/in_systm.h>
55 #include <netinet/ip.h>
56 #include <netinet/ip_ecn.h>
57 #include <netinet/ip6.h>
59 #include <net/route.h>
60 #include <netproto/ipsec/ipsec.h>
61 #include <netproto/ipsec/ah.h>
62 #include <netproto/ipsec/ah_var.h>
63 #include <netproto/ipsec/xform.h>
66 #include <netinet6/ip6_var.h>
67 #include <netproto/ipsec/ipsec6.h>
68 #include <netinet6/ip6_ecn.h>
71 #include <netproto/ipsec/key.h>
72 #include <netproto/ipsec/key_debug.h>
74 #include <opencrypto/cryptodev.h>
77 * Return header size in bytes. The old protocol did not support
78 * the replay counter; the new protocol always includes the counter.
80 #define HDRSIZE(sav) \
81 (((sav)->flags & SADB_X_EXT_OLD) ? \
82 sizeof (struct ah) : sizeof (struct ah) + sizeof (u_int32_t))
84 * Return authenticator size in bytes. The old protocol is known
85 * to use a fixed 16-byte authenticator. The new algorithm gets
86 * this size from the xform but is (currently) always 12.
88 #define AUTHSIZE(sav) \
89 ((sav->flags & SADB_X_EXT_OLD) ? 16 : (sav)->tdb_authalgxform->authsize)
91 int ah_enable
= 1; /* control flow of packets with AH */
92 int ah_cleartos
= 1; /* clear ip_tos when doing AH calc */
95 SYSCTL_DECL(_net_inet_ah
);
96 SYSCTL_INT(_net_inet_ah
, OID_AUTO
,
97 ah_enable
, CTLFLAG_RW
, &ah_enable
, 0, "");
98 SYSCTL_INT(_net_inet_ah
, OID_AUTO
,
99 ah_cleartos
, CTLFLAG_RW
, &ah_cleartos
, 0, "");
100 SYSCTL_STRUCT(_net_inet_ah
, IPSECCTL_STATS
,
101 stats
, CTLFLAG_RD
, &ahstat
, ahstat
, "");
103 static unsigned char ipseczeroes
[256]; /* larger than an ip6 extension hdr */
105 static int ah_input_cb(struct cryptop
*);
106 static int ah_output_cb(struct cryptop
*);
109 * NB: this is public for use by the PF_KEY support.
112 ah_algorithm_lookup(int alg
)
114 if (alg
>= AH_ALG_MAX
)
117 case SADB_X_AALG_NULL
:
118 return &auth_hash_null
;
119 case SADB_AALG_MD5HMAC
:
120 return &auth_hash_hmac_md5_96
;
121 case SADB_AALG_SHA1HMAC
:
122 return &auth_hash_hmac_sha1_96
;
123 case SADB_X_AALG_RIPEMD160HMAC
:
124 return &auth_hash_hmac_ripemd_160_96
;
125 case SADB_X_AALG_MD5
:
126 return &auth_hash_key_md5
;
127 case SADB_X_AALG_SHA
:
128 return &auth_hash_key_sha1
;
129 case SADB_X_AALG_SHA2_256
:
130 return &auth_hash_hmac_sha2_256
;
131 case SADB_X_AALG_SHA2_384
:
132 return &auth_hash_hmac_sha2_384
;
133 case SADB_X_AALG_SHA2_512
:
134 return &auth_hash_hmac_sha2_512
;
140 ah_hdrsiz(struct secasvar
*sav
)
146 KASSERT(sav
->tdb_authalgxform
!= NULL
,
147 ("ah_hdrsiz: null xform"));
148 /*XXX not right for null algorithm--does it matter??*/
149 authsize
= AUTHSIZE(sav
);
150 size
= roundup(authsize
, sizeof (u_int32_t
)) + HDRSIZE(sav
);
153 size
= sizeof (struct ah
) + sizeof (u_int32_t
) + 16;
159 * NB: public for use by esp_init.
162 ah_init0(struct secasvar
*sav
, struct xformsw
*xsp
, struct cryptoini
*cria
)
164 struct auth_hash
*thash
;
167 thash
= ah_algorithm_lookup(sav
->alg_auth
);
169 DPRINTF(("ah_init: unsupported authentication algorithm %u\n",
174 * Verify the replay state block allocation is consistent with
175 * the protocol type. We check here so we can make assumptions
176 * later during protocol processing.
178 /* NB: replay state is setup elsewhere (sigh) */
179 if (((sav
->flags
&SADB_X_EXT_OLD
) == 0) ^ (sav
->replay
!= NULL
)) {
180 DPRINTF(("ah_init: replay state block inconsistency, "
181 "%s algorithm %s replay state\n",
182 (sav
->flags
& SADB_X_EXT_OLD
) ? "old" : "new",
183 sav
->replay
== NULL
? "without" : "with"));
186 if (sav
->key_auth
== NULL
) {
187 DPRINTF(("ah_init: no authentication key for %s "
188 "algorithm\n", thash
->name
));
191 keylen
= _KEYLEN(sav
->key_auth
);
192 if (keylen
!= thash
->keysize
&& thash
->keysize
!= 0) {
193 DPRINTF(("ah_init: invalid keylength %d, algorithm "
194 "%s requires keysize %d\n",
195 keylen
, thash
->name
, thash
->keysize
));
199 sav
->tdb_xform
= xsp
;
200 sav
->tdb_authalgxform
= thash
;
202 /* Initialize crypto session. */
203 bzero(cria
, sizeof (*cria
));
204 cria
->cri_alg
= sav
->tdb_authalgxform
->type
;
205 cria
->cri_klen
= _KEYBITS(sav
->key_auth
);
206 cria
->cri_key
= _KEYBUF(sav
->key_auth
);
212 * ah_init() is called when an SPI is being set up.
215 ah_init(struct secasvar
*sav
, struct xformsw
*xsp
)
217 struct cryptoini cria
;
220 error
= ah_init0(sav
, xsp
, &cria
);
221 return error
? error
:
222 crypto_newsession(&sav
->tdb_cryptoid
, &cria
, crypto_support
);
228 * NB: public for use by esp_zeroize (XXX).
231 ah_zeroize(struct secasvar
*sav
)
236 bzero(_KEYBUF(sav
->key_auth
), _KEYLEN(sav
->key_auth
));
238 err
= crypto_freesession(sav
->tdb_cryptoid
);
239 sav
->tdb_cryptoid
= 0;
240 sav
->tdb_authalgxform
= NULL
;
241 sav
->tdb_xform
= NULL
;
246 * Massage IPv4/IPv6 headers for AH processing.
249 ah_massage_headers(struct mbuf
**m0
, int proto
, int skip
, int alg
, int out
)
251 struct mbuf
*m
= *m0
;
260 struct ip6_ext
*ip6e
;
269 * This is the least painful way of dealing with IPv4 header
270 * and option processing -- just make sure they're in
273 *m0
= m
= m_pullup(m
, skip
);
275 DPRINTF(("ah_massage_headers: m_pullup failed\n"));
279 /* Fix the IP header */
280 ip
= mtod(m
, struct ip
*);
287 * On input, fix ip_len which has been byte-swapped
291 ip
->ip_len
= htons(ip
->ip_len
+ skip
);
293 if (alg
== CRYPTO_MD5_KPDK
|| alg
== CRYPTO_SHA1_KPDK
)
294 ip
->ip_off
= htons(ip
->ip_off
& IP_DF
);
298 if (alg
== CRYPTO_MD5_KPDK
|| alg
== CRYPTO_SHA1_KPDK
)
299 ip
->ip_off
= htons(ntohs(ip
->ip_off
) & IP_DF
);
304 ptr
= mtod(m
, unsigned char *) + sizeof(struct ip
);
306 /* IPv4 option processing */
307 for (off
= sizeof(struct ip
); off
< skip
;) {
308 if (ptr
[off
] == IPOPT_EOL
|| ptr
[off
] == IPOPT_NOP
||
312 DPRINTF(("ah_massage_headers: illegal IPv4 "
313 "option length for option %d\n",
322 off
= skip
; /* End the loop. */
329 case IPOPT_SECURITY
: /* 0x82 */
330 case 0x85: /* Extended security. */
331 case 0x86: /* Commercial security. */
332 case 0x94: /* Router alert */
333 case 0x95: /* RFC1770 */
334 /* Sanity check for option length. */
335 if (ptr
[off
+ 1] < 2) {
336 DPRINTF(("ah_massage_headers: "
337 "illegal IPv4 option length for "
338 "option %d\n", ptr
[off
]));
349 /* Sanity check for option length. */
350 if (ptr
[off
+ 1] < 2) {
351 DPRINTF(("ah_massage_headers: "
352 "illegal IPv4 option length for "
353 "option %d\n", ptr
[off
]));
360 * On output, if we have either of the
361 * source routing options, we should
362 * swap the destination address of the
363 * IP header with the last address
364 * specified in the option, as that is
365 * what the destination's IP header
369 bcopy(ptr
+ off
+ ptr
[off
+ 1] -
370 sizeof(struct in_addr
),
371 &(ip
->ip_dst
), sizeof(struct in_addr
));
375 /* Sanity check for option length. */
376 if (ptr
[off
+ 1] < 2) {
377 DPRINTF(("ah_massage_headers: "
378 "illegal IPv4 option length for "
379 "option %d\n", ptr
[off
]));
384 /* Zeroize all other options. */
385 count
= ptr
[off
+ 1];
386 bcopy(ipseczeroes
, ptr
, count
);
393 DPRINTF(("ah_massage_headers(): malformed "
394 "IPv4 options header\n"));
405 case AF_INET6
: /* Ugly... */
406 /* Copy and "cook" the IPv6 header. */
407 m_copydata(m
, 0, sizeof(ip6
), (caddr_t
) &ip6
);
409 /* We don't do IPv6 Jumbograms. */
410 if (ip6
.ip6_plen
== 0) {
411 DPRINTF(("ah_massage_headers: unsupported IPv6 jumbogram\n"));
418 ip6
.ip6_vfc
&= ~IPV6_VERSION_MASK
;
419 ip6
.ip6_vfc
|= IPV6_VERSION
;
421 /* Scoped address handling. */
422 if (IN6_IS_SCOPE_LINKLOCAL(&ip6
.ip6_src
))
423 ip6
.ip6_src
.s6_addr16
[1] = 0;
424 if (IN6_IS_SCOPE_LINKLOCAL(&ip6
.ip6_dst
))
425 ip6
.ip6_dst
.s6_addr16
[1] = 0;
427 /* Done with IPv6 header. */
428 m_copyback(m
, 0, sizeof(struct ip6_hdr
), (caddr_t
) &ip6
);
430 /* Let's deal with the remaining headers (if any). */
431 if (skip
- sizeof(struct ip6_hdr
) > 0) {
432 if (m
->m_len
<= skip
) {
433 ptr
= kmalloc(skip
- sizeof(struct ip6_hdr
),
434 M_XDATA
, M_INTWAIT
| M_NULLOK
);
436 DPRINTF(("ah_massage_headers: failed "
437 "to allocate memory for IPv6 "
444 * Copy all the protocol headers after
447 m_copydata(m
, sizeof(struct ip6_hdr
),
448 skip
- sizeof(struct ip6_hdr
), ptr
);
451 /* No need to allocate memory. */
452 ptr
= mtod(m
, unsigned char *) +
453 sizeof(struct ip6_hdr
);
459 off
= ip6
.ip6_nxt
& 0xff; /* Next header type. */
461 for (len
= 0; len
< skip
- sizeof(struct ip6_hdr
);)
463 case IPPROTO_HOPOPTS
:
464 case IPPROTO_DSTOPTS
:
465 ip6e
= (struct ip6_ext
*) (ptr
+ len
);
468 * Process the mutable/immutable
469 * options -- borrows heavily from the
472 for (count
= len
+ sizeof(struct ip6_ext
);
473 count
< len
+ ((ip6e
->ip6e_len
+ 1) << 3);) {
474 if (ptr
[count
] == IP6OPT_PAD1
) {
476 continue; /* Skip padding. */
481 ((ip6e
->ip6e_len
+ 1) << 3)) {
484 /* Free, if we allocated. */
492 /* If mutable option, zeroize. */
493 if (ptr
[count
] & IP6OPT_MUTABLE
)
494 bcopy(ipseczeroes
, ptr
+ count
,
501 skip
- sizeof(struct ip6_hdr
)) {
504 /* Free, if we allocated. */
512 len
+= ((ip6e
->ip6e_len
+ 1) << 3);
513 off
= ip6e
->ip6e_nxt
;
516 case IPPROTO_ROUTING
:
518 * Always include routing headers in
521 ip6e
= (struct ip6_ext
*) (ptr
+ len
);
522 len
+= ((ip6e
->ip6e_len
+ 1) << 3);
523 off
= ip6e
->ip6e_nxt
;
527 DPRINTF(("ah_massage_headers: unexpected "
528 "IPv6 header type %d", off
));
535 /* Copyback and free, if we allocated. */
537 m_copyback(m
, sizeof(struct ip6_hdr
),
538 skip
- sizeof(struct ip6_hdr
), ptr
);
550 * ah_input() gets called to verify that an input packet
551 * passes authentication.
554 ah_input(struct mbuf
*m
, struct secasvar
*sav
, int skip
, int protoff
)
556 struct auth_hash
*ahx
;
557 struct tdb_ident
*tdbi
;
558 struct tdb_crypto
*tc
;
561 int hl
, rplen
, authsize
;
563 struct cryptodesc
*crda
;
566 KASSERT(sav
!= NULL
, ("ah_input: null SA"));
567 KASSERT(sav
->key_auth
!= NULL
,
568 ("ah_input: null authentication key"));
569 KASSERT(sav
->tdb_authalgxform
!= NULL
,
570 ("ah_input: null authentication xform"));
572 /* Figure out header size. */
573 rplen
= HDRSIZE(sav
);
575 /* XXX don't pullup, just copy header */
576 IP6_EXTHDR_GET(ah
, struct newah
*, m
, skip
, rplen
);
578 DPRINTF(("ah_input: cannot pullup header\n"));
579 ahstat
.ahs_hdrops
++; /*XXX*/
584 /* Check replay window, if applicable. */
585 if (sav
->replay
&& !ipsec_chkreplay(ntohl(ah
->ah_seq
), sav
)) {
587 DPRINTF(("ah_input: packet replay failure: %s\n",
588 ipsec_logsastr(sav
)));
593 /* Verify AH header length. */
594 hl
= ah
->ah_len
* sizeof (u_int32_t
);
595 ahx
= sav
->tdb_authalgxform
;
596 authsize
= AUTHSIZE(sav
);
597 if (hl
!= authsize
+ rplen
- sizeof (struct ah
)) {
598 DPRINTF(("ah_input: bad authenticator length %u (expecting %lu)"
599 " for packet in SA %s/%08lx\n",
600 hl
, (u_long
) (authsize
+ rplen
- sizeof (struct ah
)),
601 ipsec_address(&sav
->sah
->saidx
.dst
),
602 (u_long
) ntohl(sav
->spi
)));
603 ahstat
.ahs_badauthl
++;
607 ahstat
.ahs_ibytes
+= m
->m_pkthdr
.len
- skip
- hl
;
609 /* Get crypto descriptors. */
610 crp
= crypto_getreq(1);
612 DPRINTF(("ah_input: failed to acquire crypto descriptor\n"));
618 crda
= crp
->crp_desc
;
619 KASSERT(crda
!= NULL
, ("ah_input: null crypto descriptor"));
622 crda
->crd_len
= m
->m_pkthdr
.len
;
623 crda
->crd_inject
= skip
+ rplen
;
625 /* Authentication operation. */
626 crda
->crd_alg
= ahx
->type
;
627 crda
->crd_key
= _KEYBUF(sav
->key_auth
);
628 crda
->crd_klen
= _KEYBITS(sav
->key_auth
);
630 /* Find out if we've already done crypto. */
631 for (mtag
= m_tag_find(m
, PACKET_TAG_IPSEC_IN_CRYPTO_DONE
, NULL
);
633 mtag
= m_tag_find(m
, PACKET_TAG_IPSEC_IN_CRYPTO_DONE
, mtag
)) {
634 tdbi
= (struct tdb_ident
*)m_tag_data(mtag
);
635 if (tdbi
->proto
== sav
->sah
->saidx
.proto
&&
636 tdbi
->spi
== sav
->spi
&&
637 !bcmp(&tdbi
->dst
, &sav
->sah
->saidx
.dst
,
638 sizeof (union sockaddr_union
)))
642 /* Allocate IPsec-specific opaque crypto info. */
644 tc
= kmalloc(sizeof (struct tdb_crypto
) +
645 skip
+ rplen
+ authsize
, M_XDATA
,
646 M_INTWAIT
| M_ZERO
| M_NULLOK
);
648 /* Hash verification has already been done successfully. */
649 tc
= kmalloc(sizeof (struct tdb_crypto
),
650 M_XDATA
, M_INTWAIT
| M_ZERO
| M_NULLOK
);
653 DPRINTF(("ah_input: failed to allocate tdb_crypto\n"));
660 /* Only save information if crypto processing is needed. */
665 * Save the authenticator, the skipped portion of the packet,
668 m_copydata(m
, 0, skip
+ rplen
+ authsize
, (caddr_t
)(tc
+1));
670 /* Zeroize the authenticator on the packet. */
671 m_copyback(m
, skip
+ rplen
, authsize
, ipseczeroes
);
673 /* "Massage" the packet headers for crypto processing. */
674 error
= ah_massage_headers(&m
, sav
->sah
->saidx
.dst
.sa
.sa_family
,
677 /* NB: mbuf is free'd by ah_massage_headers */
685 /* Crypto operation descriptor. */
686 crp
->crp_ilen
= m
->m_pkthdr
.len
; /* Total input length. */
687 crp
->crp_flags
= CRYPTO_F_IMBUF
;
688 crp
->crp_buf
= (caddr_t
) m
;
689 crp
->crp_callback
= ah_input_cb
;
690 crp
->crp_sid
= sav
->tdb_cryptoid
;
691 crp
->crp_opaque
= (caddr_t
) tc
;
693 /* These are passed as-is to the callback. */
694 tc
->tc_spi
= sav
->spi
;
695 tc
->tc_dst
= sav
->sah
->saidx
.dst
;
696 tc
->tc_proto
= sav
->sah
->saidx
.proto
;
697 tc
->tc_nxt
= ah
->ah_nxt
;
698 tc
->tc_protoff
= protoff
;
700 tc
->tc_ptr
= (caddr_t
) mtag
; /* Save the mtag we've identified. */
703 return crypto_dispatch(crp
);
705 return ah_input_cb(crp
);
709 #define IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff, mtag) do { \
710 if (saidx->dst.sa.sa_family == AF_INET6) { \
711 error = ipsec6_common_input_cb(m, sav, skip, protoff, mtag); \
713 error = ipsec4_common_input_cb(m, sav, skip, protoff, mtag); \
717 #define IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff, mtag) \
718 (error = ipsec4_common_input_cb(m, sav, skip, protoff, mtag))
722 * AH input callback from the crypto driver.
725 ah_input_cb(struct cryptop
*crp
)
727 int rplen
, error
, skip
, protoff
;
728 unsigned char calc
[AH_ALEN_MAX
];
730 struct cryptodesc
*crd
;
731 struct auth_hash
*ahx
;
732 struct tdb_crypto
*tc
;
734 struct secasvar
*sav
;
735 struct secasindex
*saidx
;
742 tc
= (struct tdb_crypto
*) crp
->crp_opaque
;
743 KASSERT(tc
!= NULL
, ("ah_input_cb: null opaque crypto data area!"));
746 protoff
= tc
->tc_protoff
;
747 mtag
= (struct m_tag
*) tc
->tc_ptr
;
748 m
= (struct mbuf
*) crp
->crp_buf
;
752 sav
= KEY_ALLOCSA(&tc
->tc_dst
, tc
->tc_proto
, tc
->tc_spi
);
755 DPRINTF(("ah_input_cb: SA expired while in crypto\n"));
756 error
= ENOBUFS
; /*XXX*/
760 saidx
= &sav
->sah
->saidx
;
761 KASSERT(saidx
->dst
.sa
.sa_family
== AF_INET
||
762 saidx
->dst
.sa
.sa_family
== AF_INET6
,
763 ("ah_input_cb: unexpected protocol family %u",
764 saidx
->dst
.sa
.sa_family
));
766 ahx
= (struct auth_hash
*) sav
->tdb_authalgxform
;
768 /* Check for crypto errors. */
769 if (crp
->crp_etype
) {
770 if (sav
->tdb_cryptoid
!= 0)
771 sav
->tdb_cryptoid
= crp
->crp_sid
;
773 if (crp
->crp_etype
== EAGAIN
)
774 return crypto_dispatch(crp
);
776 ahstat
.ahs_noxform
++;
777 DPRINTF(("ah_input_cb: crypto error %d\n", crp
->crp_etype
));
778 error
= crp
->crp_etype
;
781 ahstat
.ahs_hist
[sav
->alg_auth
]++;
782 crypto_freereq(crp
); /* No longer needed. */
786 /* Shouldn't happen... */
789 DPRINTF(("ah_input_cb: bogus returned buffer from crypto\n"));
794 /* Figure out header size. */
795 rplen
= HDRSIZE(sav
);
796 authsize
= AUTHSIZE(sav
);
798 /* Copy authenticator off the packet. */
799 m_copydata(m
, skip
+ rplen
, authsize
, calc
);
802 * If we have an mtag, we don't need to verify the authenticator --
803 * it has been verified by an IPsec-aware NIC.
806 ptr
= (caddr_t
) (tc
+ 1);
808 /* Verify authenticator. */
809 if (bcmp(ptr
+ skip
+ rplen
, calc
, authsize
)) {
810 DPRINTF(("ah_input: authentication hash mismatch "
811 "for packet in SA %s/%08lx\n",
812 ipsec_address(&saidx
->dst
),
813 (u_long
) ntohl(sav
->spi
)));
814 ahstat
.ahs_badauth
++;
819 /* Fix the Next Protocol field. */
820 ((u_int8_t
*) ptr
)[protoff
] = nxt
;
822 /* Copyback the saved (uncooked) network headers. */
823 m_copyback(m
, 0, skip
, ptr
);
825 /* Fix the Next Protocol field. */
826 m_copyback(m
, protoff
, sizeof(u_int8_t
), &nxt
);
829 kfree(tc
, M_XDATA
), tc
= NULL
; /* No longer needed */
832 * Header is now authenticated.
834 m
->m_flags
|= M_AUTHIPHDR
|M_AUTHIPDGM
;
837 * Update replay sequence number, if appropriate.
842 m_copydata(m
, skip
+ offsetof(struct newah
, ah_seq
),
843 sizeof (seq
), (caddr_t
) &seq
);
844 if (ipsec_updatereplay(ntohl(seq
), sav
)) {
846 error
= ENOBUFS
; /*XXX as above*/
852 * Remove the AH header and authenticator from the mbuf.
854 error
= m_striphdr(m
, skip
, rplen
+ authsize
);
856 DPRINTF(("ah_input_cb: mangled mbuf chain for SA %s/%08lx\n",
857 ipsec_address(&saidx
->dst
), (u_long
) ntohl(sav
->spi
)));
863 IPSEC_COMMON_INPUT_CB(m
, sav
, skip
, protoff
, mtag
);
882 * AH output routine, called by ipsec[46]_process_packet().
887 struct ipsecrequest
*isr
,
892 struct secasvar
*sav
;
893 struct auth_hash
*ahx
;
894 struct cryptodesc
*crda
;
895 struct tdb_crypto
*tc
;
899 int error
, rplen
, authsize
, maxpacketsize
, roff
;
904 KASSERT(sav
!= NULL
, ("ah_output: null SA"));
905 ahx
= sav
->tdb_authalgxform
;
906 KASSERT(ahx
!= NULL
, ("ah_output: null authentication xform"));
910 /* Figure out header size. */
911 rplen
= HDRSIZE(sav
);
913 /* Check for maximum packet size violations. */
914 switch (sav
->sah
->saidx
.dst
.sa
.sa_family
) {
917 maxpacketsize
= IP_MAXPACKET
;
922 maxpacketsize
= IPV6_MAXPACKET
;
926 DPRINTF(("ah_output: unknown/unsupported protocol "
927 "family %u, SA %s/%08lx\n",
928 sav
->sah
->saidx
.dst
.sa
.sa_family
,
929 ipsec_address(&sav
->sah
->saidx
.dst
),
930 (u_long
) ntohl(sav
->spi
)));
932 error
= EPFNOSUPPORT
;
935 authsize
= AUTHSIZE(sav
);
936 if (rplen
+ authsize
+ m
->m_pkthdr
.len
> maxpacketsize
) {
937 DPRINTF(("ah_output: packet in SA %s/%08lx got too big "
938 "(len %u, max len %u)\n",
939 ipsec_address(&sav
->sah
->saidx
.dst
),
940 (u_long
) ntohl(sav
->spi
),
941 rplen
+ authsize
+ m
->m_pkthdr
.len
, maxpacketsize
));
947 /* Update the counters. */
948 ahstat
.ahs_obytes
+= m
->m_pkthdr
.len
- skip
;
952 DPRINTF(("ah_output: cannot clone mbuf chain, SA %s/%08lx\n",
953 ipsec_address(&sav
->sah
->saidx
.dst
),
954 (u_long
) ntohl(sav
->spi
)));
960 /* Inject AH header. */
961 mi
= m_makespace(m
, skip
, rplen
+ authsize
, &roff
);
963 DPRINTF(("ah_output: failed to inject %u byte AH header for SA "
966 ipsec_address(&sav
->sah
->saidx
.dst
),
967 (u_long
) ntohl(sav
->spi
)));
968 ahstat
.ahs_hdrops
++; /*XXX differs from openbsd */
974 * The AH header is guaranteed by m_makespace() to be in
975 * contiguous memory, at roff bytes offset into the returned mbuf.
977 ah
= (struct newah
*)(mtod(mi
, caddr_t
) + roff
);
979 /* Initialize the AH header. */
980 m_copydata(m
, protoff
, sizeof(u_int8_t
), (caddr_t
) &ah
->ah_nxt
);
981 ah
->ah_len
= (rplen
+ authsize
- sizeof(struct ah
)) / sizeof(u_int32_t
);
983 ah
->ah_spi
= sav
->spi
;
985 /* Zeroize authenticator. */
986 m_copyback(m
, skip
+ rplen
, authsize
, ipseczeroes
);
988 /* Insert packet replay counter, as requested. */
990 if (sav
->replay
->count
== ~0 &&
991 (sav
->flags
& SADB_X_EXT_CYCSEQ
) == 0) {
992 DPRINTF(("ah_output: replay counter wrapped for SA "
994 ipsec_address(&sav
->sah
->saidx
.dst
),
995 (u_long
) ntohl(sav
->spi
)));
1000 sav
->replay
->count
++;
1001 ah
->ah_seq
= htonl(sav
->replay
->count
);
1004 /* Get crypto descriptors. */
1005 crp
= crypto_getreq(1);
1007 DPRINTF(("ah_output: failed to acquire crypto descriptors\n"));
1008 ahstat
.ahs_crypto
++;
1013 crda
= crp
->crp_desc
;
1016 crda
->crd_inject
= skip
+ rplen
;
1017 crda
->crd_len
= m
->m_pkthdr
.len
;
1019 /* Authentication operation. */
1020 crda
->crd_alg
= ahx
->type
;
1021 crda
->crd_key
= _KEYBUF(sav
->key_auth
);
1022 crda
->crd_klen
= _KEYBITS(sav
->key_auth
);
1024 /* Allocate IPsec-specific opaque crypto info. */
1025 tc
= kmalloc(sizeof(struct tdb_crypto
) + skip
, M_XDATA
,
1026 M_INTWAIT
| M_ZERO
| M_NULLOK
);
1028 crypto_freereq(crp
);
1029 DPRINTF(("ah_output: failed to allocate tdb_crypto\n"));
1030 ahstat
.ahs_crypto
++;
1035 /* Save the skipped portion of the packet. */
1036 m_copydata(m
, 0, skip
, (caddr_t
) (tc
+ 1));
1039 * Fix IP header length on the header used for
1040 * authentication. We don't need to fix the original
1041 * header length as it will be fixed by our caller.
1043 switch (sav
->sah
->saidx
.dst
.sa
.sa_family
) {
1046 bcopy(((caddr_t
)(tc
+ 1)) +
1047 offsetof(struct ip
, ip_len
),
1048 (caddr_t
) &iplen
, sizeof(u_int16_t
));
1049 iplen
= htons(ntohs(iplen
) + rplen
+ authsize
);
1050 m_copyback(m
, offsetof(struct ip
, ip_len
),
1051 sizeof(u_int16_t
), (caddr_t
) &iplen
);
1057 bcopy(((caddr_t
)(tc
+ 1)) +
1058 offsetof(struct ip6_hdr
, ip6_plen
),
1059 (caddr_t
) &iplen
, sizeof(u_int16_t
));
1060 iplen
= htons(ntohs(iplen
) + rplen
+ authsize
);
1061 m_copyback(m
, offsetof(struct ip6_hdr
, ip6_plen
),
1062 sizeof(u_int16_t
), (caddr_t
) &iplen
);
1067 /* Fix the Next Header field in saved header. */
1068 ((u_int8_t
*) (tc
+ 1))[protoff
] = IPPROTO_AH
;
1070 /* Update the Next Protocol field in the IP header. */
1072 m_copyback(m
, protoff
, sizeof(u_int8_t
), (caddr_t
) &prot
);
1074 /* "Massage" the packet headers for crypto processing. */
1075 error
= ah_massage_headers(&m
, sav
->sah
->saidx
.dst
.sa
.sa_family
,
1076 skip
, ahx
->type
, 1);
1078 m
= NULL
; /* mbuf was free'd by ah_massage_headers. */
1080 crypto_freereq(crp
);
1084 /* Crypto operation descriptor. */
1085 crp
->crp_ilen
= m
->m_pkthdr
.len
; /* Total input length. */
1086 crp
->crp_flags
= CRYPTO_F_IMBUF
;
1087 crp
->crp_buf
= (caddr_t
) m
;
1088 crp
->crp_callback
= ah_output_cb
;
1089 crp
->crp_sid
= sav
->tdb_cryptoid
;
1090 crp
->crp_opaque
= (caddr_t
) tc
;
1092 /* These are passed as-is to the callback. */
1094 tc
->tc_spi
= sav
->spi
;
1095 tc
->tc_dst
= sav
->sah
->saidx
.dst
;
1096 tc
->tc_proto
= sav
->sah
->saidx
.proto
;
1098 tc
->tc_protoff
= protoff
;
1100 return crypto_dispatch(crp
);
1108 * AH output callback from the crypto driver.
1111 ah_output_cb(struct cryptop
*crp
)
1113 int skip
, protoff
, error
;
1114 struct tdb_crypto
*tc
;
1115 struct ipsecrequest
*isr
;
1116 struct secasvar
*sav
;
1121 tc
= (struct tdb_crypto
*) crp
->crp_opaque
;
1122 KASSERT(tc
!= NULL
, ("ah_output_cb: null opaque data area!"));
1124 protoff
= tc
->tc_protoff
;
1125 ptr
= (caddr_t
) (tc
+ 1);
1126 m
= (struct mbuf
*) crp
->crp_buf
;
1131 sav
= KEY_ALLOCSA(&tc
->tc_dst
, tc
->tc_proto
, tc
->tc_spi
);
1134 DPRINTF(("ah_output_cb: SA expired while in crypto\n"));
1135 error
= ENOBUFS
; /*XXX*/
1138 KASSERT(isr
->sav
== sav
, ("ah_output_cb: SA changed\n"));
1140 /* Check for crypto errors. */
1141 if (crp
->crp_etype
) {
1142 if (sav
->tdb_cryptoid
!= 0)
1143 sav
->tdb_cryptoid
= crp
->crp_sid
;
1145 if (crp
->crp_etype
== EAGAIN
) {
1148 return crypto_dispatch(crp
);
1151 ahstat
.ahs_noxform
++;
1152 DPRINTF(("ah_output_cb: crypto error %d\n", crp
->crp_etype
));
1153 error
= crp
->crp_etype
;
1157 /* Shouldn't happen... */
1159 ahstat
.ahs_crypto
++;
1160 DPRINTF(("ah_output_cb: bogus returned buffer from crypto\n"));
1164 ahstat
.ahs_hist
[sav
->alg_auth
]++;
1167 * Copy original headers (with the new protocol number) back
1170 m_copyback(m
, 0, skip
, ptr
);
1172 /* No longer needed. */
1174 crypto_freereq(crp
);
1176 /* NB: m is reclaimed by ipsec_process_done. */
1177 err
= ipsec_process_done(m
, isr
);
1188 crypto_freereq(crp
);
1192 static struct xformsw ah_xformsw
= {
1193 XF_AH
, XFT_AUTH
, "IPsec AH",
1194 ah_init
, ah_zeroize
, ah_input
, ah_output
,
1200 xform_register(&ah_xformsw
);
1202 SYSINIT(ah_xform_init
, SI_SUB_PROTO_DOMAIN
, SI_ORDER_MIDDLE
, ah_attach
, NULL
);