1 /* $FreeBSD: src/sys/netinet6/ah_output.c,v 1.1.2.5 2003/05/06 06:46:58 suz Exp $ */
2 /* $DragonFly: src/sys/netinet6/ah_output.c,v 1.9 2006/10/24 06:18:42 hsu Exp $ */
3 /* $KAME: ah_output.c,v 1.31 2001/07/26 06:53:15 jinmei Exp $ */
6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the project nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
35 * RFC1826/2402 authentication header.
39 #include "opt_inet6.h"
41 #include <sys/param.h>
42 #include <sys/systm.h>
44 #include <sys/domain.h>
45 #include <sys/protosw.h>
46 #include <sys/socket.h>
47 #include <sys/socketvar.h>
48 #include <sys/errno.h>
50 #include <sys/syslog.h>
53 #include <net/route.h>
55 #include <netinet/in.h>
57 #include <netinet/in_systm.h>
58 #include <netinet/ip.h>
59 #include <netinet/in_var.h>
62 #include <netinet/ip6.h>
63 #include <netinet6/ip6_var.h>
64 #include <netinet/icmp6.h>
67 #include <netinet6/ipsec.h>
69 #include <netinet6/ipsec6.h>
71 #include <netinet6/ah.h>
73 #include <netinet6/ah6.h>
75 #include <netproto/key/key.h>
76 #include <netproto/key/keydb.h>
78 #include <net/net_osdep.h>
81 static struct in_addr
*ah4_finaldst (struct mbuf
*);
85 * compute AH header size.
86 * transport mode only. for tunnel mode, we should implement
87 * virtual interface, and control MTU/MSS by the interface MTU.
90 ah_hdrsiz(struct ipsecrequest
*isr
)
92 const struct ah_algorithm
*algo
;
97 panic("ah_hdrsiz: NULL was passed.");
99 if (isr
->saidx
.proto
!= IPPROTO_AH
)
100 panic("unsupported mode passed to ah_hdrsiz");
102 if (isr
->sav
== NULL
)
104 if (isr
->sav
->state
!= SADB_SASTATE_MATURE
105 && isr
->sav
->state
!= SADB_SASTATE_DYING
)
108 /* we need transport mode AH. */
109 algo
= ah_algorithm_lookup(isr
->sav
->alg_auth
);
115 * right now we don't calcurate the padding size. simply
116 * treat the padding size as constant, for simplicity.
118 * XXX variable size padding support
120 hdrsiz
= (((*algo
->sumsiz
)(isr
->sav
) + 3) & ~(4 - 1));
121 if (isr
->sav
->flags
& SADB_X_EXT_OLD
)
122 hdrsiz
+= sizeof(struct ah
);
124 hdrsiz
+= sizeof(struct newah
);
130 * sizeof(struct newah) > sizeof(struct ah).
131 * 16 = (16 + 3) & ~(4 - 1).
133 return sizeof(struct newah
) + 16;
138 * Modify the packet so that it includes the authentication data.
139 * The mbuf passed must start with IPv4 header.
141 * assumes that the first mbuf contains IPv4 header + option only.
142 * the function does not modify m.
145 ah4_output(struct mbuf
*m
, struct ipsecrequest
*isr
)
147 struct secasvar
*sav
= isr
->sav
;
148 const struct ah_algorithm
*algo
;
151 u_char
*ahsumpos
= NULL
;
152 size_t hlen
= 0; /* IP header+option in bytes */
153 size_t plen
= 0; /* AH payload size in bytes */
154 size_t ahlen
= 0; /* plen + sizeof(ah) */
157 struct in_addr
*finaldst
;
161 if ((sav
->flags
& SADB_X_EXT_OLD
) == 0 && !sav
->replay
) {
164 ip
= mtod(m
, struct ip
*);
165 ipseclog((LOG_DEBUG
, "ah4_output: internal error: "
166 "sav->replay is null: %x->%x, SPI=%u\n",
167 (u_int32_t
)ntohl(ip
->ip_src
.s_addr
),
168 (u_int32_t
)ntohl(ip
->ip_dst
.s_addr
),
169 (u_int32_t
)ntohl(sav
->spi
)));
170 ipsecstat
.out_inval
++;
175 algo
= ah_algorithm_lookup(sav
->alg_auth
);
177 ipseclog((LOG_ERR
, "ah4_output: unsupported algorithm: "
178 "SPI=%u\n", (u_int32_t
)ntohl(sav
->spi
)));
179 ipsecstat
.out_inval
++;
186 * determine the size to grow.
188 if (sav
->flags
& SADB_X_EXT_OLD
) {
190 plen
= ((*algo
->sumsiz
)(sav
) + 3) & ~(4 - 1); /* XXX pad to 8byte? */
191 ahlen
= plen
+ sizeof(struct ah
);
194 plen
= ((*algo
->sumsiz
)(sav
) + 3) & ~(4 - 1); /* XXX pad to 8byte? */
195 ahlen
= plen
+ sizeof(struct newah
);
199 * grow the mbuf to accomodate AH.
201 ip
= mtod(m
, struct ip
*);
203 hlen
= IP_VHL_HL(ip
->ip_vhl
) << 2;
205 hlen
= ip
->ip_hl
<< 2;
208 if (m
->m_len
!= hlen
)
209 panic("ah4_output: assumption failed (first mbuf length)");
210 if (M_LEADINGSPACE(m
->m_next
) < ahlen
) {
212 MGET(n
, MB_DONTWAIT
, MT_DATA
);
214 ipseclog((LOG_DEBUG
, "ENOBUFS in ah4_output %d\n",
220 n
->m_next
= m
->m_next
;
222 m
->m_pkthdr
.len
+= ahlen
;
223 ahdrpos
= mtod(n
, u_char
*);
225 m
->m_next
->m_len
+= ahlen
;
226 m
->m_next
->m_data
-= ahlen
;
227 m
->m_pkthdr
.len
+= ahlen
;
228 ahdrpos
= mtod(m
->m_next
, u_char
*);
231 ip
= mtod(m
, struct ip
*); /* just to be sure */
236 if (sav
->flags
& SADB_X_EXT_OLD
) {
239 ahdr
= (struct ah
*)ahdrpos
;
240 ahsumpos
= (u_char
*)(ahdr
+ 1);
241 ahdr
->ah_len
= plen
>> 2;
242 ahdr
->ah_nxt
= ip
->ip_p
;
243 ahdr
->ah_reserve
= htons(0);
245 bzero(ahdr
+ 1, plen
);
249 ahdr
= (struct newah
*)ahdrpos
;
250 ahsumpos
= (u_char
*)(ahdr
+ 1);
251 ahdr
->ah_len
= (plen
>> 2) + 1; /* plus one for seq# */
252 ahdr
->ah_nxt
= ip
->ip_p
;
253 ahdr
->ah_reserve
= htons(0);
255 if (sav
->replay
->count
== ~0) {
256 if ((sav
->flags
& SADB_X_EXT_CYCSEQ
) == 0) {
257 /* XXX Is it noisy ? */
258 ipseclog((LOG_WARNING
,
259 "replay counter overflowed. %s\n",
260 ipsec_logsastr(sav
)));
261 ipsecstat
.out_inval
++;
266 sav
->replay
->count
++;
268 * XXX sequence number must not be cycled, if the SA is
269 * installed by IKE daemon.
271 ahdr
->ah_seq
= htonl(sav
->replay
->count
& 0xffffffff);
272 bzero(ahdr
+ 1, plen
);
276 * modify IPv4 header.
278 ip
->ip_p
= IPPROTO_AH
;
279 if (ahlen
< (IP_MAXPACKET
- ntohs(ip
->ip_len
)))
280 ip
->ip_len
= htons(ntohs(ip
->ip_len
) + ahlen
);
282 ipseclog((LOG_ERR
, "IPv4 AH output: size exceeds limit\n"));
283 ipsecstat
.out_inval
++;
289 * If there is source routing option, update destination field in
290 * the IPv4 header to the final destination.
291 * Note that we do not need to update source routing option itself
292 * (as done in IPv4 AH processing -- see ip6_output()), since
293 * source routing option is not part of the ICV computation.
295 finaldst
= ah4_finaldst(m
);
297 dst
.s_addr
= ip
->ip_dst
.s_addr
;
298 ip
->ip_dst
.s_addr
= finaldst
->s_addr
;
300 dst
.s_addr
= 0; /* fix compiler warning */
304 * calcurate the checksum, based on security association
305 * and the algorithm specified.
307 error
= ah4_calccksum(m
, (caddr_t
)ahsumpos
, plen
, algo
, sav
);
310 "error after ah4_calccksum, called from ah4_output"));
313 ipsecstat
.out_inval
++;
318 ip
= mtod(m
, struct ip
*); /* just to make sure */
319 ip
->ip_dst
.s_addr
= dst
.s_addr
;
321 ipsecstat
.out_success
++;
322 ipsecstat
.out_ahhist
[sav
->alg_auth
]++;
323 key_sa_recordxfer(sav
, m
);
329 /* Calculate AH length */
331 ah_hdrlen(struct secasvar
*sav
)
333 const struct ah_algorithm
*algo
;
336 algo
= ah_algorithm_lookup(sav
->alg_auth
);
339 if (sav
->flags
& SADB_X_EXT_OLD
) {
341 plen
= ((*algo
->sumsiz
)(sav
) + 3) & ~(4 - 1); /* XXX pad to 8byte? */
342 ahlen
= plen
+ sizeof(struct ah
);
345 plen
= ((*algo
->sumsiz
)(sav
) + 3) & ~(4 - 1); /* XXX pad to 8byte? */
346 ahlen
= plen
+ sizeof(struct newah
);
354 * Fill in the Authentication Header and calculate checksum.
357 ah6_output(struct mbuf
*m
, u_char
*nexthdrp
, struct mbuf
*md
,
358 struct ipsecrequest
*isr
)
362 struct secasvar
*sav
= isr
->sav
;
363 const struct ah_algorithm
*algo
;
365 u_char
*ahsumpos
= NULL
;
366 size_t plen
; /* AH payload size in bytes */
371 if (m
->m_len
< sizeof(struct ip6_hdr
)) {
372 ipseclog((LOG_DEBUG
, "ah6_output: first mbuf too short\n"));
377 ahlen
= ah_hdrlen(sav
);
381 for (mprev
= m
; mprev
&& mprev
->m_next
!= md
; mprev
= mprev
->m_next
)
383 if (!mprev
|| mprev
->m_next
!= md
) {
384 ipseclog((LOG_DEBUG
, "ah6_output: md is not in chain\n"));
389 mah
= m_getb(ahlen
, MB_DONTWAIT
, MT_DATA
, 0);
397 m
->m_pkthdr
.len
+= ahlen
;
400 if (m
->m_pkthdr
.len
- sizeof(struct ip6_hdr
) > IPV6_MAXPACKET
) {
402 "ah6_output: AH with IPv6 jumbogram is not supported\n"));
406 ip6
= mtod(m
, struct ip6_hdr
*);
407 ip6
->ip6_plen
= htons(m
->m_pkthdr
.len
- sizeof(struct ip6_hdr
));
409 if ((sav
->flags
& SADB_X_EXT_OLD
) == 0 && !sav
->replay
) {
410 ipseclog((LOG_DEBUG
, "ah6_output: internal error: "
411 "sav->replay is null: SPI=%u\n",
412 (u_int32_t
)ntohl(sav
->spi
)));
413 ipsec6stat
.out_inval
++;
418 algo
= ah_algorithm_lookup(sav
->alg_auth
);
420 ipseclog((LOG_ERR
, "ah6_output: unsupported algorithm: "
421 "SPI=%u\n", (u_int32_t
)ntohl(sav
->spi
)));
422 ipsec6stat
.out_inval
++;
431 if (sav
->flags
& SADB_X_EXT_OLD
) {
432 struct ah
*ahdr
= mtod(mah
, struct ah
*);
434 plen
= mah
->m_len
- sizeof(struct ah
);
435 ahsumpos
= (u_char
*)(ahdr
+ 1);
436 ahdr
->ah_nxt
= *nexthdrp
;
437 *nexthdrp
= IPPROTO_AH
;
438 ahdr
->ah_len
= plen
>> 2;
439 ahdr
->ah_reserve
= htons(0);
441 bzero(ahdr
+ 1, plen
);
443 struct newah
*ahdr
= mtod(mah
, struct newah
*);
445 plen
= mah
->m_len
- sizeof(struct newah
);
446 ahsumpos
= (u_char
*)(ahdr
+ 1);
447 ahdr
->ah_nxt
= *nexthdrp
;
448 *nexthdrp
= IPPROTO_AH
;
449 ahdr
->ah_len
= (plen
>> 2) + 1; /* plus one for seq# */
450 ahdr
->ah_reserve
= htons(0);
452 if (sav
->replay
->count
== ~0) {
453 if ((sav
->flags
& SADB_X_EXT_CYCSEQ
) == 0) {
454 /* XXX Is it noisy ? */
455 ipseclog((LOG_WARNING
,
456 "replay counter overflowed. %s\n",
457 ipsec_logsastr(sav
)));
458 ipsec6stat
.out_inval
++;
463 sav
->replay
->count
++;
465 * XXX sequence number must not be cycled, if the SA is
466 * installed by IKE daemon.
468 ahdr
->ah_seq
= htonl(sav
->replay
->count
);
469 bzero(ahdr
+ 1, plen
);
473 * calcurate the checksum, based on security association
474 * and the algorithm specified.
476 error
= ah6_calccksum(m
, (caddr_t
)ahsumpos
, plen
, algo
, sav
);
478 ipsec6stat
.out_inval
++;
481 ipsec6stat
.out_success
++;
482 key_sa_recordxfer(sav
, m
);
484 ipsec6stat
.out_ahhist
[sav
->alg_auth
]++;
492 * Find the final destination if there is loose/strict source routing option.
493 * Returns NULL if there's no source routing options.
494 * Returns NULL on errors too.
495 * Note that this function will return a pointer INTO the given parameter,
497 * The mbuf must be pulled up toward, at least, ip option part.
499 static struct in_addr
*
500 ah4_finaldst(struct mbuf
*m
)
509 panic("ah4_finaldst: m == NULL");
510 ip
= mtod(m
, struct ip
*);
511 hlen
= (ip
->ip_hl
<< 2);
513 if (m
->m_len
< hlen
) {
515 "ah4_finaldst: parameter mbuf wrong (not pulled up)\n"));
519 if (hlen
== sizeof(struct ip
))
522 optlen
= hlen
- sizeof(struct ip
);
524 ipseclog((LOG_DEBUG
, "ah4_finaldst: wrong optlen %d\n",
529 q
= (u_char
*)(ip
+ 1);
532 if (i
+ IPOPT_OPTVAL
>= optlen
)
534 if (q
[i
+ IPOPT_OPTVAL
] == IPOPT_EOL
||
535 q
[i
+ IPOPT_OPTVAL
] == IPOPT_NOP
||
536 i
+ IPOPT_OLEN
< optlen
)
541 switch (q
[i
+ IPOPT_OPTVAL
]) {
543 i
= optlen
; /* bye */
550 if (q
[i
+ IPOPT_OLEN
] < 2 + sizeof(struct in_addr
) ||
551 optlen
- i
< q
[i
+ IPOPT_OLEN
]) {
553 "ip_finaldst: invalid IP option "
554 "(code=%02x len=%02x)\n",
555 q
[i
+ IPOPT_OPTVAL
], q
[i
+ IPOPT_OLEN
]));
558 i
+= q
[i
+ IPOPT_OLEN
] - sizeof(struct in_addr
);
559 return (struct in_addr
*)(q
+ i
);
561 if (q
[i
+ IPOPT_OLEN
] < 2 ||
562 optlen
- i
< q
[i
+ IPOPT_OLEN
]) {
564 "ip_finaldst: invalid IP option "
565 "(code=%02x len=%02x)\n",
566 q
[i
+ IPOPT_OPTVAL
], q
[i
+ IPOPT_OLEN
]));
569 i
+= q
[i
+ IPOPT_OLEN
];