1 /* $FreeBSD: src/sys/netipsec/xform_ah.c,v 1.1.4.2 2003/02/26 00:14:05 sam Exp $ */
2 /* $OpenBSD: ip_ah.c,v 1.63 2001/06/26 06:18:58 angelos Exp $ */
4 * The authors of this code are John Ioannidis (ji@tla.org),
5 * Angelos D. Keromytis (kermit@csd.uch.gr) and
6 * Niels Provos (provos@physnet.uni-hamburg.de).
8 * The original version of this code was written by John Ioannidis
9 * for BSD/OS in Athens, Greece, in November 1995.
11 * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996,
12 * by Angelos D. Keromytis.
14 * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis
17 * Additional features in 1999 by Angelos D. Keromytis and Niklas Hallqvist.
19 * Copyright (c) 1995, 1996, 1997, 1998, 1999 by John Ioannidis,
20 * Angelos D. Keromytis and Niels Provos.
21 * Copyright (c) 1999 Niklas Hallqvist.
22 * Copyright (c) 2001 Angelos D. Keromytis.
24 * Permission to use, copy, and modify this software with or without fee
25 * is hereby granted, provided that this entire notice is included in
26 * all copies of any software which is or includes a copy or
27 * modification of this software.
28 * You may use this code under the GNU public license if you so wish. Please
29 * contribute changes back to the authors under this freer than GPL license
30 * so that we may further the use of strong encryption without limitations to
33 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
34 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY
35 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
36 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
40 #include "opt_inet6.h"
42 #include <sys/param.h>
43 #include <sys/systm.h>
45 #include <sys/socket.h>
46 #include <sys/syslog.h>
47 #include <sys/kernel.h>
48 #include <sys/sysctl.h>
52 #include <netinet/in.h>
53 #include <netinet/in_systm.h>
54 #include <netinet/ip.h>
55 #include <netinet/ip_ecn.h>
56 #include <netinet/ip6.h>
58 #include <net/route.h>
59 #include <netproto/ipsec/ipsec.h>
60 #include <netproto/ipsec/ah.h>
61 #include <netproto/ipsec/ah_var.h>
62 #include <netproto/ipsec/xform.h>
65 #include <netinet6/ip6_var.h>
66 #include <netproto/ipsec/ipsec6.h>
67 #include <netinet6/ip6_ecn.h>
70 #include <netproto/ipsec/key.h>
71 #include <netproto/ipsec/key_debug.h>
73 #include <opencrypto/cryptodev.h>
74 #include <opencrypto/xform.h>
77 * Return header size in bytes. The old protocol did not support
78 * the replay counter; the new protocol always includes the counter.
80 #define HDRSIZE(sav) \
81 (((sav)->flags & SADB_X_EXT_OLD) ? \
82 sizeof (struct ah) : sizeof (struct ah) + sizeof (u_int32_t))
84 * Return authenticator size in bytes. The old protocol is known
85 * to use a fixed 16-byte authenticator. The new algorithm gets
86 * this size from the xform but is (currently) always 12.
88 #define AUTHSIZE(sav) \
89 ((sav->flags & SADB_X_EXT_OLD) ? 16 : (sav)->tdb_authalgxform->blocksize)
91 int ah_enable
= 1; /* control flow of packets with AH */
92 int ah_cleartos
= 1; /* clear ip_tos when doing AH calc */
95 SYSCTL_DECL(_net_inet_ah
);
96 SYSCTL_INT(_net_inet_ah
, OID_AUTO
,
97 ah_enable
, CTLFLAG_RW
, &ah_enable
, 0, "");
98 SYSCTL_INT(_net_inet_ah
, OID_AUTO
,
99 ah_cleartos
, CTLFLAG_RW
, &ah_cleartos
, 0, "");
100 SYSCTL_STRUCT(_net_inet_ah
, IPSECCTL_STATS
,
101 stats
, CTLFLAG_RD
, &ahstat
, ahstat
, "");
103 static unsigned char ipseczeroes
[256]; /* larger than an ip6 extension hdr */
105 static int ah_input_cb(struct cryptop
*);
106 static int ah_output_cb(struct cryptop
*);
109 * NB: this is public for use by the PF_KEY support.
112 ah_algorithm_lookup(int alg
)
114 if (alg
>= AH_ALG_MAX
)
117 case SADB_X_AALG_NULL
:
118 return &auth_hash_null
;
119 case SADB_AALG_MD5HMAC
:
120 return &auth_hash_hmac_md5
;
121 case SADB_AALG_SHA1HMAC
:
122 return &auth_hash_hmac_sha1
;
123 case SADB_X_AALG_RIPEMD160HMAC
:
124 return &auth_hash_hmac_ripemd_160
;
125 case SADB_X_AALG_MD5
:
126 return &auth_hash_key_md5
;
127 case SADB_X_AALG_SHA
:
128 return &auth_hash_key_sha1
;
129 case SADB_X_AALG_SHA2_256
:
130 return &auth_hash_hmac_sha2_256
;
131 case SADB_X_AALG_SHA2_384
:
132 return &auth_hash_hmac_sha2_384
;
133 case SADB_X_AALG_SHA2_512
:
134 return &auth_hash_hmac_sha2_512
;
140 ah_hdrsiz(struct secasvar
*sav
)
146 KASSERT(sav
->tdb_authalgxform
!= NULL
,
147 ("ah_hdrsiz: null xform"));
148 /*XXX not right for null algorithm--does it matter??*/
149 authsize
= AUTHSIZE(sav
);
150 size
= roundup(authsize
, sizeof (u_int32_t
)) + HDRSIZE(sav
);
153 size
= sizeof (struct ah
) + sizeof (u_int32_t
) + 16;
159 * NB: public for use by esp_init.
162 ah_init0(struct secasvar
*sav
, struct xformsw
*xsp
, struct cryptoini
*cria
)
164 struct auth_hash
*thash
;
167 thash
= ah_algorithm_lookup(sav
->alg_auth
);
169 DPRINTF(("ah_init: unsupported authentication algorithm %u\n",
174 * Verify the replay state block allocation is consistent with
175 * the protocol type. We check here so we can make assumptions
176 * later during protocol processing.
178 /* NB: replay state is setup elsewhere (sigh) */
179 if (((sav
->flags
&SADB_X_EXT_OLD
) == 0) ^ (sav
->replay
!= NULL
)) {
180 DPRINTF(("ah_init: replay state block inconsistency, "
181 "%s algorithm %s replay state\n",
182 (sav
->flags
& SADB_X_EXT_OLD
) ? "old" : "new",
183 sav
->replay
== NULL
? "without" : "with"));
186 if (sav
->key_auth
== NULL
) {
187 DPRINTF(("ah_init: no authentication key for %s "
188 "algorithm\n", thash
->name
));
191 keylen
= _KEYLEN(sav
->key_auth
);
192 if (keylen
!= thash
->keysize
&& thash
->keysize
!= 0) {
193 DPRINTF(("ah_init: invalid keylength %d, algorithm "
194 "%s requires keysize %d\n",
195 keylen
, thash
->name
, thash
->keysize
));
199 sav
->tdb_xform
= xsp
;
200 sav
->tdb_authalgxform
= thash
;
202 /* Initialize crypto session. */
203 bzero(cria
, sizeof (*cria
));
204 cria
->cri_alg
= sav
->tdb_authalgxform
->type
;
205 cria
->cri_klen
= _KEYBITS(sav
->key_auth
);
206 cria
->cri_key
= _KEYBUF(sav
->key_auth
);
212 * ah_init() is called when an SPI is being set up.
215 ah_init(struct secasvar
*sav
, struct xformsw
*xsp
)
217 struct cryptoini cria
;
220 error
= ah_init0(sav
, xsp
, &cria
);
221 return error
? error
:
222 crypto_newsession(&sav
->tdb_cryptoid
, &cria
, crypto_support
);
228 * NB: public for use by esp_zeroize (XXX).
231 ah_zeroize(struct secasvar
*sav
)
236 bzero(_KEYBUF(sav
->key_auth
), _KEYLEN(sav
->key_auth
));
238 err
= crypto_freesession(sav
->tdb_cryptoid
);
239 sav
->tdb_cryptoid
= 0;
240 sav
->tdb_authalgxform
= NULL
;
241 sav
->tdb_xform
= NULL
;
246 * Massage IPv4/IPv6 headers for AH processing.
249 ah_massage_headers(struct mbuf
**m0
, int proto
, int skip
, int alg
, int out
)
251 struct mbuf
*m
= *m0
;
260 struct ip6_ext
*ip6e
;
269 * This is the least painful way of dealing with IPv4 header
270 * and option processing -- just make sure they're in
273 *m0
= m
= m_pullup(m
, skip
);
275 DPRINTF(("ah_massage_headers: m_pullup failed\n"));
279 /* Fix the IP header */
280 ip
= mtod(m
, struct ip
*);
287 * On input, fix ip_len which has been byte-swapped
291 ip
->ip_len
= htons(ip
->ip_len
+ skip
);
293 if (alg
== CRYPTO_MD5_KPDK
|| alg
== CRYPTO_SHA1_KPDK
)
294 ip
->ip_off
= htons(ip
->ip_off
& IP_DF
);
298 if (alg
== CRYPTO_MD5_KPDK
|| alg
== CRYPTO_SHA1_KPDK
)
299 ip
->ip_off
= htons(ntohs(ip
->ip_off
) & IP_DF
);
304 ptr
= mtod(m
, unsigned char *) + sizeof(struct ip
);
306 /* IPv4 option processing */
307 for (off
= sizeof(struct ip
); off
< skip
;) {
308 if (ptr
[off
] == IPOPT_EOL
|| ptr
[off
] == IPOPT_NOP
||
312 DPRINTF(("ah_massage_headers: illegal IPv4 "
313 "option length for option %d\n",
322 off
= skip
; /* End the loop. */
329 case IPOPT_SECURITY
: /* 0x82 */
330 case 0x85: /* Extended security. */
331 case 0x86: /* Commercial security. */
332 case 0x94: /* Router alert */
333 case 0x95: /* RFC1770 */
334 /* Sanity check for option length. */
335 if (ptr
[off
+ 1] < 2) {
336 DPRINTF(("ah_massage_headers: "
337 "illegal IPv4 option length for "
338 "option %d\n", ptr
[off
]));
349 /* Sanity check for option length. */
350 if (ptr
[off
+ 1] < 2) {
351 DPRINTF(("ah_massage_headers: "
352 "illegal IPv4 option length for "
353 "option %d\n", ptr
[off
]));
360 * On output, if we have either of the
361 * source routing options, we should
362 * swap the destination address of the
363 * IP header with the last address
364 * specified in the option, as that is
365 * what the destination's IP header
369 bcopy(ptr
+ off
+ ptr
[off
+ 1] -
370 sizeof(struct in_addr
),
371 &(ip
->ip_dst
), sizeof(struct in_addr
));
375 /* Sanity check for option length. */
376 if (ptr
[off
+ 1] < 2) {
377 DPRINTF(("ah_massage_headers: "
378 "illegal IPv4 option length for "
379 "option %d\n", ptr
[off
]));
384 /* Zeroize all other options. */
385 count
= ptr
[off
+ 1];
386 bcopy(ipseczeroes
, ptr
, count
);
393 DPRINTF(("ah_massage_headers(): malformed "
394 "IPv4 options header\n"));
405 case AF_INET6
: /* Ugly... */
406 /* Copy and "cook" the IPv6 header. */
407 m_copydata(m
, 0, sizeof(ip6
), (caddr_t
) &ip6
);
409 /* We don't do IPv6 Jumbograms. */
410 if (ip6
.ip6_plen
== 0) {
411 DPRINTF(("ah_massage_headers: unsupported IPv6 jumbogram\n"));
418 ip6
.ip6_vfc
&= ~IPV6_VERSION_MASK
;
419 ip6
.ip6_vfc
|= IPV6_VERSION
;
421 /* Scoped address handling. */
422 if (IN6_IS_SCOPE_LINKLOCAL(&ip6
.ip6_src
))
423 ip6
.ip6_src
.s6_addr16
[1] = 0;
424 if (IN6_IS_SCOPE_LINKLOCAL(&ip6
.ip6_dst
))
425 ip6
.ip6_dst
.s6_addr16
[1] = 0;
427 /* Done with IPv6 header. */
428 m_copyback(m
, 0, sizeof(struct ip6_hdr
), (caddr_t
) &ip6
);
430 /* Let's deal with the remaining headers (if any). */
431 if (skip
- sizeof(struct ip6_hdr
) > 0) {
432 if (m
->m_len
<= skip
) {
433 ptr
= kmalloc(skip
- sizeof(struct ip6_hdr
),
434 M_XDATA
, M_INTWAIT
| M_NULLOK
);
436 DPRINTF(("ah_massage_headers: failed "
437 "to allocate memory for IPv6 "
444 * Copy all the protocol headers after
447 m_copydata(m
, sizeof(struct ip6_hdr
),
448 skip
- sizeof(struct ip6_hdr
), ptr
);
451 /* No need to allocate memory. */
452 ptr
= mtod(m
, unsigned char *) +
453 sizeof(struct ip6_hdr
);
459 off
= ip6
.ip6_nxt
& 0xff; /* Next header type. */
461 for (len
= 0; len
< skip
- sizeof(struct ip6_hdr
);)
463 case IPPROTO_HOPOPTS
:
464 case IPPROTO_DSTOPTS
:
465 ip6e
= (struct ip6_ext
*) (ptr
+ len
);
468 * Process the mutable/immutable
469 * options -- borrows heavily from the
472 for (count
= len
+ sizeof(struct ip6_ext
);
473 count
< len
+ ((ip6e
->ip6e_len
+ 1) << 3);) {
474 if (ptr
[count
] == IP6OPT_PAD1
) {
476 continue; /* Skip padding. */
481 ((ip6e
->ip6e_len
+ 1) << 3)) {
484 /* Free, if we allocated. */
492 /* If mutable option, zeroize. */
493 if (ptr
[count
] & IP6OPT_MUTABLE
)
494 bcopy(ipseczeroes
, ptr
+ count
,
501 skip
- sizeof(struct ip6_hdr
)) {
504 /* Free, if we allocated. */
512 len
+= ((ip6e
->ip6e_len
+ 1) << 3);
513 off
= ip6e
->ip6e_nxt
;
516 case IPPROTO_ROUTING
:
518 * Always include routing headers in
521 ip6e
= (struct ip6_ext
*) (ptr
+ len
);
522 len
+= ((ip6e
->ip6e_len
+ 1) << 3);
523 off
= ip6e
->ip6e_nxt
;
527 DPRINTF(("ah_massage_headers: unexpected "
528 "IPv6 header type %d", off
));
535 /* Copyback and free, if we allocated. */
537 m_copyback(m
, sizeof(struct ip6_hdr
),
538 skip
- sizeof(struct ip6_hdr
), ptr
);
550 * ah_input() gets called to verify that an input packet
551 * passes authentication.
554 ah_input(struct mbuf
*m
, struct secasvar
*sav
, int skip
, int protoff
)
556 struct auth_hash
*ahx
;
557 struct tdb_ident
*tdbi
;
558 struct tdb_crypto
*tc
;
561 int hl
, rplen
, authsize
;
563 struct cryptodesc
*crda
;
566 KASSERT(sav
!= NULL
, ("ah_input: null SA"));
567 KASSERT(sav
->key_auth
!= NULL
,
568 ("ah_input: null authentication key"));
569 KASSERT(sav
->tdb_authalgxform
!= NULL
,
570 ("ah_input: null authentication xform"));
572 /* Figure out header size. */
573 rplen
= HDRSIZE(sav
);
575 /* XXX don't pullup, just copy header */
576 IP6_EXTHDR_GET(ah
, struct newah
*, m
, skip
, rplen
);
578 DPRINTF(("ah_input: cannot pullup header\n"));
579 ahstat
.ahs_hdrops
++; /*XXX*/
584 /* Check replay window, if applicable. */
585 if (sav
->replay
&& !ipsec_chkreplay(ntohl(ah
->ah_seq
), sav
)) {
587 DPRINTF(("ah_input: packet replay failure: %s\n",
588 ipsec_logsastr(sav
)));
593 /* Verify AH header length. */
594 hl
= ah
->ah_len
* sizeof (u_int32_t
);
595 ahx
= sav
->tdb_authalgxform
;
596 authsize
= AUTHSIZE(sav
);
597 if (hl
!= authsize
+ rplen
- sizeof (struct ah
)) {
598 DPRINTF(("ah_input: bad authenticator length %u (expecting %lu)"
599 " for packet in SA %s/%08lx\n",
600 hl
, (u_long
) (authsize
+ rplen
- sizeof (struct ah
)),
601 ipsec_address(&sav
->sah
->saidx
.dst
),
602 (u_long
) ntohl(sav
->spi
)));
603 ahstat
.ahs_badauthl
++;
607 ahstat
.ahs_ibytes
+= m
->m_pkthdr
.len
- skip
- hl
;
609 /* Get crypto descriptors. */
610 crp
= crypto_getreq(1);
612 DPRINTF(("ah_input: failed to acquire crypto descriptor\n"));
618 crda
= crp
->crp_desc
;
619 KASSERT(crda
!= NULL
, ("ah_input: null crypto descriptor"));
622 crda
->crd_len
= m
->m_pkthdr
.len
;
623 crda
->crd_inject
= skip
+ rplen
;
625 /* Authentication operation. */
626 crda
->crd_alg
= ahx
->type
;
627 crda
->crd_key
= _KEYBUF(sav
->key_auth
);
628 crda
->crd_klen
= _KEYBITS(sav
->key_auth
);
630 /* Find out if we've already done crypto. */
631 for (mtag
= m_tag_find(m
, PACKET_TAG_IPSEC_IN_CRYPTO_DONE
, NULL
);
633 mtag
= m_tag_find(m
, PACKET_TAG_IPSEC_IN_CRYPTO_DONE
, mtag
)) {
634 tdbi
= (struct tdb_ident
*)m_tag_data(mtag
);
635 if (tdbi
->proto
== sav
->sah
->saidx
.proto
&&
636 tdbi
->spi
== sav
->spi
&&
637 !bcmp(&tdbi
->dst
, &sav
->sah
->saidx
.dst
,
638 sizeof (union sockaddr_union
)))
642 /* Allocate IPsec-specific opaque crypto info. */
644 tc
= kmalloc(sizeof (struct tdb_crypto
) +
645 skip
+ rplen
+ authsize
, M_XDATA
,
646 M_INTWAIT
| M_ZERO
| M_NULLOK
);
648 /* Hash verification has already been done successfully. */
649 tc
= kmalloc(sizeof (struct tdb_crypto
),
650 M_XDATA
, M_INTWAIT
| M_ZERO
| M_NULLOK
);
653 DPRINTF(("ah_input: failed to allocate tdb_crypto\n"));
660 /* Only save information if crypto processing is needed. */
665 * Save the authenticator, the skipped portion of the packet,
668 m_copydata(m
, 0, skip
+ rplen
+ authsize
, (caddr_t
)(tc
+1));
670 /* Zeroize the authenticator on the packet. */
671 m_copyback(m
, skip
+ rplen
, authsize
, ipseczeroes
);
673 /* "Massage" the packet headers for crypto processing. */
674 error
= ah_massage_headers(&m
, sav
->sah
->saidx
.dst
.sa
.sa_family
,
677 /* NB: mbuf is free'd by ah_massage_headers */
685 /* Crypto operation descriptor. */
686 crp
->crp_ilen
= m
->m_pkthdr
.len
; /* Total input length. */
687 crp
->crp_flags
= CRYPTO_F_IMBUF
;
688 crp
->crp_buf
= (caddr_t
) m
;
689 crp
->crp_callback
= ah_input_cb
;
690 crp
->crp_sid
= sav
->tdb_cryptoid
;
691 crp
->crp_opaque
= (caddr_t
) tc
;
693 /* These are passed as-is to the callback. */
694 tc
->tc_spi
= sav
->spi
;
695 tc
->tc_dst
= sav
->sah
->saidx
.dst
;
696 tc
->tc_proto
= sav
->sah
->saidx
.proto
;
697 tc
->tc_nxt
= ah
->ah_nxt
;
698 tc
->tc_protoff
= protoff
;
700 tc
->tc_ptr
= (caddr_t
) mtag
; /* Save the mtag we've identified. */
703 return crypto_dispatch(crp
);
705 return ah_input_cb(crp
);
709 #define IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff, mtag) do { \
710 if (saidx->dst.sa.sa_family == AF_INET6) { \
711 error = ipsec6_common_input_cb(m, sav, skip, protoff, mtag); \
713 error = ipsec4_common_input_cb(m, sav, skip, protoff, mtag); \
717 #define IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff, mtag) \
718 (error = ipsec4_common_input_cb(m, sav, skip, protoff, mtag))
722 * AH input callback from the crypto driver.
725 ah_input_cb(struct cryptop
*crp
)
727 int rplen
, error
, skip
, protoff
;
728 unsigned char calc
[AH_ALEN_MAX
];
730 struct cryptodesc
*crd
;
731 struct auth_hash
*ahx
;
732 struct tdb_crypto
*tc
;
734 struct secasvar
*sav
;
735 struct secasindex
*saidx
;
742 tc
= (struct tdb_crypto
*) crp
->crp_opaque
;
743 KASSERT(tc
!= NULL
, ("ah_input_cb: null opaque crypto data area!"));
746 protoff
= tc
->tc_protoff
;
747 mtag
= (struct m_tag
*) tc
->tc_ptr
;
748 m
= (struct mbuf
*) crp
->crp_buf
;
752 sav
= KEY_ALLOCSA(&tc
->tc_dst
, tc
->tc_proto
, tc
->tc_spi
);
755 DPRINTF(("ah_input_cb: SA expired while in crypto\n"));
756 error
= ENOBUFS
; /*XXX*/
760 saidx
= &sav
->sah
->saidx
;
761 KASSERT(saidx
->dst
.sa
.sa_family
== AF_INET
||
762 saidx
->dst
.sa
.sa_family
== AF_INET6
,
763 ("ah_input_cb: unexpected protocol family %u",
764 saidx
->dst
.sa
.sa_family
));
766 ahx
= (struct auth_hash
*) sav
->tdb_authalgxform
;
768 /* Check for crypto errors. */
769 if (crp
->crp_etype
) {
770 if (sav
->tdb_cryptoid
!= 0)
771 sav
->tdb_cryptoid
= crp
->crp_sid
;
773 if (crp
->crp_etype
== EAGAIN
) {
774 error
= crypto_dispatch(crp
);
779 ahstat
.ahs_noxform
++;
780 DPRINTF(("ah_input_cb: crypto error %d\n", crp
->crp_etype
));
781 error
= crp
->crp_etype
;
784 ahstat
.ahs_hist
[sav
->alg_auth
]++;
785 crypto_freereq(crp
); /* No longer needed. */
789 /* Shouldn't happen... */
792 DPRINTF(("ah_input_cb: bogus returned buffer from crypto\n"));
797 /* Figure out header size. */
798 rplen
= HDRSIZE(sav
);
799 authsize
= AUTHSIZE(sav
);
801 /* Copy authenticator off the packet. */
802 m_copydata(m
, skip
+ rplen
, authsize
, calc
);
805 * If we have an mtag, we don't need to verify the authenticator --
806 * it has been verified by an IPsec-aware NIC.
809 ptr
= (caddr_t
) (tc
+ 1);
811 /* Verify authenticator. */
812 if (bcmp(ptr
+ skip
+ rplen
, calc
, authsize
)) {
813 DPRINTF(("ah_input: authentication hash mismatch "
814 "for packet in SA %s/%08lx\n",
815 ipsec_address(&saidx
->dst
),
816 (u_long
) ntohl(sav
->spi
)));
817 ahstat
.ahs_badauth
++;
822 /* Fix the Next Protocol field. */
823 ((u_int8_t
*) ptr
)[protoff
] = nxt
;
825 /* Copyback the saved (uncooked) network headers. */
826 m_copyback(m
, 0, skip
, ptr
);
828 /* Fix the Next Protocol field. */
829 m_copyback(m
, protoff
, sizeof(u_int8_t
), &nxt
);
832 kfree(tc
, M_XDATA
), tc
= NULL
; /* No longer needed */
835 * Header is now authenticated.
837 m
->m_flags
|= M_AUTHIPHDR
|M_AUTHIPDGM
;
840 * Update replay sequence number, if appropriate.
845 m_copydata(m
, skip
+ offsetof(struct newah
, ah_seq
),
846 sizeof (seq
), (caddr_t
) &seq
);
847 if (ipsec_updatereplay(ntohl(seq
), sav
)) {
849 error
= ENOBUFS
; /*XXX as above*/
855 * Remove the AH header and authenticator from the mbuf.
857 error
= m_striphdr(m
, skip
, rplen
+ authsize
);
859 DPRINTF(("ah_input_cb: mangled mbuf chain for SA %s/%08lx\n",
860 ipsec_address(&saidx
->dst
), (u_long
) ntohl(sav
->spi
)));
866 IPSEC_COMMON_INPUT_CB(m
, sav
, skip
, protoff
, mtag
);
885 * AH output routine, called by ipsec[46]_process_packet().
890 struct ipsecrequest
*isr
,
895 struct secasvar
*sav
;
896 struct auth_hash
*ahx
;
897 struct cryptodesc
*crda
;
898 struct tdb_crypto
*tc
;
902 int error
, rplen
, authsize
, maxpacketsize
, roff
;
907 KASSERT(sav
!= NULL
, ("ah_output: null SA"));
908 ahx
= sav
->tdb_authalgxform
;
909 KASSERT(ahx
!= NULL
, ("ah_output: null authentication xform"));
913 /* Figure out header size. */
914 rplen
= HDRSIZE(sav
);
916 /* Check for maximum packet size violations. */
917 switch (sav
->sah
->saidx
.dst
.sa
.sa_family
) {
920 maxpacketsize
= IP_MAXPACKET
;
925 maxpacketsize
= IPV6_MAXPACKET
;
929 DPRINTF(("ah_output: unknown/unsupported protocol "
930 "family %u, SA %s/%08lx\n",
931 sav
->sah
->saidx
.dst
.sa
.sa_family
,
932 ipsec_address(&sav
->sah
->saidx
.dst
),
933 (u_long
) ntohl(sav
->spi
)));
935 error
= EPFNOSUPPORT
;
938 authsize
= AUTHSIZE(sav
);
939 if (rplen
+ authsize
+ m
->m_pkthdr
.len
> maxpacketsize
) {
940 DPRINTF(("ah_output: packet in SA %s/%08lx got too big "
941 "(len %u, max len %u)\n",
942 ipsec_address(&sav
->sah
->saidx
.dst
),
943 (u_long
) ntohl(sav
->spi
),
944 rplen
+ authsize
+ m
->m_pkthdr
.len
, maxpacketsize
));
950 /* Update the counters. */
951 ahstat
.ahs_obytes
+= m
->m_pkthdr
.len
- skip
;
955 DPRINTF(("ah_output: cannot clone mbuf chain, SA %s/%08lx\n",
956 ipsec_address(&sav
->sah
->saidx
.dst
),
957 (u_long
) ntohl(sav
->spi
)));
963 /* Inject AH header. */
964 mi
= m_makespace(m
, skip
, rplen
+ authsize
, &roff
);
966 DPRINTF(("ah_output: failed to inject %u byte AH header for SA "
969 ipsec_address(&sav
->sah
->saidx
.dst
),
970 (u_long
) ntohl(sav
->spi
)));
971 ahstat
.ahs_hdrops
++; /*XXX differs from openbsd */
977 * The AH header is guaranteed by m_makespace() to be in
978 * contiguous memory, at roff bytes offset into the returned mbuf.
980 ah
= (struct newah
*)(mtod(mi
, caddr_t
) + roff
);
982 /* Initialize the AH header. */
983 m_copydata(m
, protoff
, sizeof(u_int8_t
), (caddr_t
) &ah
->ah_nxt
);
984 ah
->ah_len
= (rplen
+ authsize
- sizeof(struct ah
)) / sizeof(u_int32_t
);
986 ah
->ah_spi
= sav
->spi
;
988 /* Zeroize authenticator. */
989 m_copyback(m
, skip
+ rplen
, authsize
, ipseczeroes
);
991 /* Insert packet replay counter, as requested. */
993 if (sav
->replay
->count
== ~0 &&
994 (sav
->flags
& SADB_X_EXT_CYCSEQ
) == 0) {
995 DPRINTF(("ah_output: replay counter wrapped for SA "
997 ipsec_address(&sav
->sah
->saidx
.dst
),
998 (u_long
) ntohl(sav
->spi
)));
1003 sav
->replay
->count
++;
1004 ah
->ah_seq
= htonl(sav
->replay
->count
);
1007 /* Get crypto descriptors. */
1008 crp
= crypto_getreq(1);
1010 DPRINTF(("ah_output: failed to acquire crypto descriptors\n"));
1011 ahstat
.ahs_crypto
++;
1016 crda
= crp
->crp_desc
;
1019 crda
->crd_inject
= skip
+ rplen
;
1020 crda
->crd_len
= m
->m_pkthdr
.len
;
1022 /* Authentication operation. */
1023 crda
->crd_alg
= ahx
->type
;
1024 crda
->crd_key
= _KEYBUF(sav
->key_auth
);
1025 crda
->crd_klen
= _KEYBITS(sav
->key_auth
);
1027 /* Allocate IPsec-specific opaque crypto info. */
1028 tc
= kmalloc(sizeof(struct tdb_crypto
) + skip
, M_XDATA
,
1029 M_INTWAIT
| M_ZERO
| M_NULLOK
);
1031 crypto_freereq(crp
);
1032 DPRINTF(("ah_output: failed to allocate tdb_crypto\n"));
1033 ahstat
.ahs_crypto
++;
1038 /* Save the skipped portion of the packet. */
1039 m_copydata(m
, 0, skip
, (caddr_t
) (tc
+ 1));
1042 * Fix IP header length on the header used for
1043 * authentication. We don't need to fix the original
1044 * header length as it will be fixed by our caller.
1046 switch (sav
->sah
->saidx
.dst
.sa
.sa_family
) {
1049 bcopy(((caddr_t
)(tc
+ 1)) +
1050 offsetof(struct ip
, ip_len
),
1051 (caddr_t
) &iplen
, sizeof(u_int16_t
));
1052 iplen
= htons(ntohs(iplen
) + rplen
+ authsize
);
1053 m_copyback(m
, offsetof(struct ip
, ip_len
),
1054 sizeof(u_int16_t
), (caddr_t
) &iplen
);
1060 bcopy(((caddr_t
)(tc
+ 1)) +
1061 offsetof(struct ip6_hdr
, ip6_plen
),
1062 (caddr_t
) &iplen
, sizeof(u_int16_t
));
1063 iplen
= htons(ntohs(iplen
) + rplen
+ authsize
);
1064 m_copyback(m
, offsetof(struct ip6_hdr
, ip6_plen
),
1065 sizeof(u_int16_t
), (caddr_t
) &iplen
);
1070 /* Fix the Next Header field in saved header. */
1071 ((u_int8_t
*) (tc
+ 1))[protoff
] = IPPROTO_AH
;
1073 /* Update the Next Protocol field in the IP header. */
1075 m_copyback(m
, protoff
, sizeof(u_int8_t
), (caddr_t
) &prot
);
1077 /* "Massage" the packet headers for crypto processing. */
1078 error
= ah_massage_headers(&m
, sav
->sah
->saidx
.dst
.sa
.sa_family
,
1079 skip
, ahx
->type
, 1);
1081 m
= NULL
; /* mbuf was free'd by ah_massage_headers. */
1083 crypto_freereq(crp
);
1087 /* Crypto operation descriptor. */
1088 crp
->crp_ilen
= m
->m_pkthdr
.len
; /* Total input length. */
1089 crp
->crp_flags
= CRYPTO_F_IMBUF
;
1090 crp
->crp_buf
= (caddr_t
) m
;
1091 crp
->crp_callback
= ah_output_cb
;
1092 crp
->crp_sid
= sav
->tdb_cryptoid
;
1093 crp
->crp_opaque
= (caddr_t
) tc
;
1095 /* These are passed as-is to the callback. */
1097 tc
->tc_spi
= sav
->spi
;
1098 tc
->tc_dst
= sav
->sah
->saidx
.dst
;
1099 tc
->tc_proto
= sav
->sah
->saidx
.proto
;
1101 tc
->tc_protoff
= protoff
;
1103 return crypto_dispatch(crp
);
1111 * AH output callback from the crypto driver.
1114 ah_output_cb(struct cryptop
*crp
)
1116 int skip
, protoff
, error
;
1117 struct tdb_crypto
*tc
;
1118 struct ipsecrequest
*isr
;
1119 struct secasvar
*sav
;
1124 tc
= (struct tdb_crypto
*) crp
->crp_opaque
;
1125 KASSERT(tc
!= NULL
, ("ah_output_cb: null opaque data area!"));
1127 protoff
= tc
->tc_protoff
;
1128 ptr
= (caddr_t
) (tc
+ 1);
1129 m
= (struct mbuf
*) crp
->crp_buf
;
1134 sav
= KEY_ALLOCSA(&tc
->tc_dst
, tc
->tc_proto
, tc
->tc_spi
);
1137 DPRINTF(("ah_output_cb: SA expired while in crypto\n"));
1138 error
= ENOBUFS
; /*XXX*/
1141 KASSERT(isr
->sav
== sav
, ("ah_output_cb: SA changed"));
1143 /* Check for crypto errors. */
1144 if (crp
->crp_etype
) {
1145 if (sav
->tdb_cryptoid
!= 0)
1146 sav
->tdb_cryptoid
= crp
->crp_sid
;
1148 if (crp
->crp_etype
== EAGAIN
) {
1151 return crypto_dispatch(crp
);
1154 ahstat
.ahs_noxform
++;
1155 DPRINTF(("ah_output_cb: crypto error %d\n", crp
->crp_etype
));
1156 error
= crp
->crp_etype
;
1160 /* Shouldn't happen... */
1162 ahstat
.ahs_crypto
++;
1163 DPRINTF(("ah_output_cb: bogus returned buffer from crypto\n"));
1167 ahstat
.ahs_hist
[sav
->alg_auth
]++;
1170 * Copy original headers (with the new protocol number) back
1173 m_copyback(m
, 0, skip
, ptr
);
1175 /* No longer needed. */
1177 crypto_freereq(crp
);
1179 /* NB: m is reclaimed by ipsec_process_done. */
1180 err
= ipsec_process_done(m
, isr
);
1191 crypto_freereq(crp
);
1195 static struct xformsw ah_xformsw
= {
1196 XF_AH
, XFT_AUTH
, "IPsec AH",
1197 ah_init
, ah_zeroize
, ah_input
, ah_output
,
1203 xform_register(&ah_xformsw
);
1205 SYSINIT(ah_xform_init
, SI_SUB_PROTO_DOMAIN
, SI_ORDER_MIDDLE
, ah_attach
, NULL
);