1 /*
2 * Copyright (c) 2008-2021 Apple Inc. All rights reserved.
3 *
4 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. The rights granted to you under the License
10 * may not be used to create, or enable the creation or redistribution of,
11 * unlawful or unlicensed copies of an Apple operating system, or to
12 * circumvent, violate, or enable the circumvention or violation of, any
13 * terms of an Apple operating system software license agreement.
14 *
15 * Please obtain a copy of the License at
16 * http://www.opensource.apple.com/apsl/ and read it before using this file.
17 *
18 * The Original Code and all software distributed under the License are
19 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
20 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
21 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
22 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
23 * Please see the License for the specific language governing rights and
24 * limitations under the License.
25 *
26 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
27 */
28
29 /* $FreeBSD: src/sys/netinet6/ah_core.c,v 1.2.2.4 2001/07/03 11:01:49 ume Exp $ */
30 /* $KAME: ah_core.c,v 1.44 2001/03/12 11:24:39 itojun Exp $ */
31
32 /*
33 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
34 * All rights reserved.
35 *
36 * Redistribution and use in source and binary forms, with or without
37 * modification, are permitted provided that the following conditions
38 * are met:
39 * 1. Redistributions of source code must retain the above copyright
40 * notice, this list of conditions and the following disclaimer.
41 * 2. Redistributions in binary form must reproduce the above copyright
42 * notice, this list of conditions and the following disclaimer in the
43 * documentation and/or other materials provided with the distribution.
44 * 3. Neither the name of the project nor the names of its contributors
45 * may be used to endorse or promote products derived from this software
46 * without specific prior written permission.
47 *
48 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
49 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
50 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
51 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
52 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
53 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
54 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
55 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
56 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
57 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
58 * SUCH DAMAGE.
59 */
60
61 /*
62 * RFC1826/2402 authentication header.
63 */
64
65 /* TODO: have shared routines for hmac-* algorithms */
66
67 #include <sys/param.h>
68 #include <sys/systm.h>
69 #include <sys/malloc.h>
70 #include <sys/mbuf.h>
71 #include <sys/domain.h>
72 #include <sys/protosw.h>
73 #include <sys/socket.h>
74 #include <sys/socketvar.h>
75 #include <sys/errno.h>
76 #include <sys/time.h>
77 #include <sys/syslog.h>
78
79 #include <net/if.h>
80 #include <net/route.h>
81
82 #include <netinet/in.h>
83 #include <netinet/in_systm.h>
84 #include <netinet/ip.h>
85 #include <netinet/in_var.h>
86
87 #include <netinet/ip6.h>
88 #include <netinet6/ip6_var.h>
89 #include <netinet/icmp6.h>
90
91 #include <netinet6/ipsec.h>
92 #include <netinet6/ipsec6.h>
93 #include <netinet6/ah.h>
94 #include <netinet6/ah6.h>
95 #if IPSEC_ESP
96 #include <netinet6/esp.h>
97 #include <netinet6/esp6.h>
98 #endif
99 #include <net/pfkeyv2.h>
100 #include <netkey/keydb.h>
101 #include <libkern/crypto/md5.h>
102 #include <libkern/crypto/sha1.h>
103 #include <libkern/crypto/sha2.h>
104
105 #include <net/net_osdep.h>
106
107 #define HMACSIZE 16
108 #define KEYED_MD5_DATA_SIZE sizeof(MD5_CTX)
109 #define KEYED_SHA1_DATA_SIZE sizeof(SHA1_CTX)
110 #define HMAC_MD5_DATA_SIZE (64 + 64 + sizeof(MD5_CTX))
111 #define HMAC_SHA1_DATA_SIZE (64 + 64 + sizeof(SHA1_CTX))
112 #define HMAC_SHA2_256_DATA_SIZE (64 + 64 + sizeof(SHA256_CTX))
113 #define HMAC_SHA2_384_DATA_SIZE (128 + 128 + sizeof(SHA384_CTX))
114 #define HMAC_SHA2_512_DATA_SIZE (128 + 128 + sizeof(SHA512_CTX))
115
116 static int ah_sumsiz_1216(struct secasvar *);
117 static int ah_sumsiz_zero(struct secasvar *);
118 static int ah_none_mature(struct secasvar *);
119 static int ah_none_init(struct ah_algorithm_state *, struct secasvar *);
120 static void ah_none_loop(struct ah_algorithm_state *, caddr_t, size_t);
121 static void ah_none_result(struct ah_algorithm_state *, caddr_t, size_t);
122 static int ah_keyed_md5_mature(struct secasvar *);
123 static int ah_keyed_md5_init(struct ah_algorithm_state *, struct secasvar *);
124 static void ah_keyed_md5_loop(struct ah_algorithm_state *, caddr_t, size_t);
125 static void ah_keyed_md5_result(struct ah_algorithm_state *, caddr_t, size_t);
126 static int ah_keyed_sha1_mature(struct secasvar *);
127 static int ah_keyed_sha1_init(struct ah_algorithm_state *, struct secasvar *);
128 static void ah_keyed_sha1_loop(struct ah_algorithm_state *, caddr_t, size_t);
129 static void ah_keyed_sha1_result(struct ah_algorithm_state *, caddr_t, size_t);
130 static int ah_hmac_md5_mature(struct secasvar *);
131 static int ah_hmac_md5_init(struct ah_algorithm_state *, struct secasvar *);
132 static void ah_hmac_md5_loop(struct ah_algorithm_state *, caddr_t, size_t);
133 static void ah_hmac_md5_result(struct ah_algorithm_state *, caddr_t, size_t);
134 static int ah_hmac_sha1_mature(struct secasvar *);
135 static int ah_hmac_sha1_init(struct ah_algorithm_state *, struct secasvar *);
136 static void ah_hmac_sha1_loop(struct ah_algorithm_state *, caddr_t, size_t);
137 static void ah_hmac_sha1_result(struct ah_algorithm_state *, caddr_t, size_t);
138 #if AH_ALL_CRYPTO
139 static int ah_sumsiz_sha2_256(struct secasvar *);
140 static int ah_hmac_sha2_256_mature(struct secasvar *);
141 static int ah_hmac_sha2_256_init(struct ah_algorithm_state *,
142 struct secasvar *);
143 static void ah_hmac_sha2_256_loop(struct ah_algorithm_state *, caddr_t, size_t);
144 static void ah_hmac_sha2_256_result(struct ah_algorithm_state *, caddr_t, size_t);
145 static int ah_sumsiz_sha2_384(struct secasvar *);
146 static int ah_hmac_sha2_384_mature(struct secasvar *);
147 static int ah_hmac_sha2_384_init(struct ah_algorithm_state *,
148 struct secasvar *);
149 static void ah_hmac_sha2_384_loop(struct ah_algorithm_state *, caddr_t, size_t);
150 static void ah_hmac_sha2_384_result(struct ah_algorithm_state *, caddr_t, size_t);
151 static int ah_sumsiz_sha2_512(struct secasvar *);
152 static int ah_hmac_sha2_512_mature(struct secasvar *);
153 static int ah_hmac_sha2_512_init(struct ah_algorithm_state *,
154 struct secasvar *);
155 static void ah_hmac_sha2_512_loop(struct ah_algorithm_state *, caddr_t, size_t);
156 static void ah_hmac_sha2_512_result(struct ah_algorithm_state *, caddr_t, size_t);
157 #endif /* AH_ALL_CRYPTO */
158
159 static void ah_update_mbuf(struct mbuf *, int, int,
160 const struct ah_algorithm *, struct ah_algorithm_state *);
161
162 const struct ah_algorithm *
ah_algorithm_lookup(int idx)163 ah_algorithm_lookup(int idx)
164 {
165 /* checksum algorithms */
166 static const struct ah_algorithm hmac_md5 =
167 { ah_sumsiz_1216, ah_hmac_md5_mature, 128, 128, "hmac-md5",
168 ah_hmac_md5_init, ah_hmac_md5_loop,
169 ah_hmac_md5_result, };
170 static const struct ah_algorithm keyed_md5 =
171 { ah_sumsiz_1216, ah_keyed_md5_mature, 128, 128, "keyed-md5",
172 ah_keyed_md5_init, ah_keyed_md5_loop,
173 ah_keyed_md5_result, };
174 static const struct ah_algorithm hmac_sha1 =
175 { ah_sumsiz_1216, ah_hmac_sha1_mature, 160, 160, "hmac-sha1",
176 ah_hmac_sha1_init, ah_hmac_sha1_loop,
177 ah_hmac_sha1_result, };
178 static const struct ah_algorithm keyed_sha1 =
179 { ah_sumsiz_1216, ah_keyed_sha1_mature, 160, 160, "keyed-sha1",
180 ah_keyed_sha1_init, ah_keyed_sha1_loop,
181 ah_keyed_sha1_result, };
182 static const struct ah_algorithm ah_none =
183 { ah_sumsiz_zero, ah_none_mature, 0, 2048, "none",
184 ah_none_init, ah_none_loop, ah_none_result, };
185 #if AH_ALL_CRYPTO
186 static const struct ah_algorithm hmac_sha2_256 =
187 { ah_sumsiz_sha2_256, ah_hmac_sha2_256_mature, 256, 256,
188 "hmac-sha2-256",
189 ah_hmac_sha2_256_init, ah_hmac_sha2_256_loop,
190 ah_hmac_sha2_256_result, };
191 static const struct ah_algorithm hmac_sha2_384 =
192 { ah_sumsiz_sha2_384, ah_hmac_sha2_384_mature, 384, 384,
193 "hmac-sha2-384",
194 ah_hmac_sha2_384_init, ah_hmac_sha2_384_loop,
195 ah_hmac_sha2_384_result, };
196 static const struct ah_algorithm hmac_sha2_512 =
197 { ah_sumsiz_sha2_512, ah_hmac_sha2_512_mature, 512, 512,
198 "hmac-sha2-512",
199 ah_hmac_sha2_512_init, ah_hmac_sha2_512_loop,
200 ah_hmac_sha2_512_result, };
201 #endif /* AH_ALL_CRYPTO */
202
203 switch (idx) {
204 case SADB_AALG_MD5HMAC:
205 return &hmac_md5;
206 case SADB_AALG_SHA1HMAC:
207 return &hmac_sha1;
208 case SADB_X_AALG_MD5:
209 return &keyed_md5;
210 case SADB_X_AALG_SHA:
211 return &keyed_sha1;
212 case SADB_X_AALG_NULL:
213 return &ah_none;
214 #if AH_ALL_CRYPTO
215 case SADB_X_AALG_SHA2_256:
216 return &hmac_sha2_256;
217 case SADB_X_AALG_SHA2_384:
218 return &hmac_sha2_384;
219 case SADB_X_AALG_SHA2_512:
220 return &hmac_sha2_512;
221 #endif /* AH_ALL_CRYPTO */
222 default:
223 return NULL;
224 }
225 }
226
227
228 static int
ah_sumsiz_1216(struct secasvar * sav)229 ah_sumsiz_1216(struct secasvar *sav)
230 {
231 if (!sav) {
232 return -1;
233 }
234 if (sav->flags & SADB_X_EXT_OLD) {
235 return 16;
236 } else {
237 return 12;
238 }
239 }
240
241 static int
ah_sumsiz_zero(struct secasvar * sav)242 ah_sumsiz_zero(struct secasvar *sav)
243 {
244 if (!sav) {
245 return -1;
246 }
247 return 0;
248 }
249
250 static int
ah_none_mature(struct secasvar * sav)251 ah_none_mature(struct secasvar *sav)
252 {
253 if (sav->sah->saidx.proto == IPPROTO_AH) {
254 ipseclog((LOG_ERR,
255 "ah_none_mature: protocol and algorithm mismatch.\n"));
256 return 1;
257 }
258 return 0;
259 }
260
261 static int
ah_none_init(struct ah_algorithm_state * state,__unused struct secasvar * sav)262 ah_none_init(
263 struct ah_algorithm_state *state,
264 __unused struct secasvar *sav)
265 {
266 state->foo = NULL;
267 return 0;
268 }
269
270 static void
ah_none_loop(__unused struct ah_algorithm_state * state,__unused caddr_t addr,__unused size_t len)271 ah_none_loop(
272 __unused struct ah_algorithm_state *state,
273 __unused caddr_t addr,
274 __unused size_t len)
275 {
276 }
277
278 static void
ah_none_result(__unused struct ah_algorithm_state * state,__unused caddr_t addr,__unused size_t l)279 ah_none_result(
280 __unused struct ah_algorithm_state *state,
281 __unused caddr_t addr,
282 __unused size_t l)
283 {
284 }
285
286 static int
ah_keyed_md5_mature(__unused struct secasvar * sav)287 ah_keyed_md5_mature(
288 __unused struct secasvar *sav)
289 {
290 /* anything is okay */
291 return 0;
292 }
293
294 static int
ah_keyed_md5_init(struct ah_algorithm_state * state,struct secasvar * sav)295 ah_keyed_md5_init(struct ah_algorithm_state *state, struct secasvar *sav)
296 {
297 size_t keybitlen;
298 u_int8_t buf[32] __attribute__((aligned(4)));
299 unsigned int padlen;
300
301 if (!state) {
302 panic("ah_keyed_md5_init: what?");
303 }
304
305 state->sav = sav;
306 state->foo = (void *)kalloc_data(KEYED_MD5_DATA_SIZE, Z_NOWAIT);
307 if (state->foo == NULL) {
308 return ENOBUFS;
309 }
310
311 MD5Init((MD5_CTX *)state->foo);
312 if (state->sav) {
313 MD5Update((MD5_CTX *)state->foo,
314 (u_int8_t *)_KEYBUF(state->sav->key_auth),
315 (u_int)_KEYLEN(state->sav->key_auth));
316
317 /*
318 * Pad after the key.
319 * We cannot simply use md5_pad() since the function
320 * won't update the total length.
321 */
322 if (_KEYLEN(state->sav->key_auth) < 56) {
323 padlen = 64 - 8 - _KEYLEN(state->sav->key_auth);
324 } else {
325 padlen = 64 + 64 - 8 - _KEYLEN(state->sav->key_auth);
326 }
327 keybitlen = _KEYLEN(state->sav->key_auth);
328 keybitlen *= 8;
329
330 buf[0] = 0x80;
331 MD5Update((MD5_CTX *)state->foo, &buf[0], 1);
332 padlen--;
333
334 bzero(buf, sizeof(buf));
335 while (sizeof(buf) < padlen) {
336 MD5Update((MD5_CTX *)state->foo, &buf[0], sizeof(buf));
337 padlen -= sizeof(buf);
338 }
339 if (padlen) {
340 MD5Update((MD5_CTX *)state->foo, &buf[0], padlen);
341 }
342
343 buf[0] = (keybitlen >> 0) & 0xff;
344 buf[1] = (keybitlen >> 8) & 0xff;
345 buf[2] = (keybitlen >> 16) & 0xff;
346 buf[3] = (keybitlen >> 24) & 0xff;
347 MD5Update((MD5_CTX *)state->foo, buf, 8);
348 }
349
350 return 0;
351 }
352
353 static void
ah_keyed_md5_loop(struct ah_algorithm_state * state,caddr_t addr,size_t len)354 ah_keyed_md5_loop(struct ah_algorithm_state *state, caddr_t addr, size_t len)
355 {
356 if (!state) {
357 panic("ah_keyed_md5_loop: what?");
358 }
359
360 VERIFY(len <= UINT_MAX);
361 MD5Update((MD5_CTX *)state->foo, addr, (uint)len);
362 }
363
364 static void
ah_keyed_md5_result(struct ah_algorithm_state * state,caddr_t addr,size_t l)365 ah_keyed_md5_result(struct ah_algorithm_state *state, caddr_t addr, size_t l)
366 {
367 u_char digest[16] __attribute__((aligned(4)));
368
369 if (!state) {
370 panic("ah_keyed_md5_result: what?");
371 }
372
373 if (state->sav) {
374 MD5Update((MD5_CTX *)state->foo,
375 (u_int8_t *)_KEYBUF(state->sav->key_auth),
376 (u_int)_KEYLEN(state->sav->key_auth));
377 }
378 MD5Final(&digest[0], (MD5_CTX *)state->foo);
379 kfree_data(state->foo, KEYED_MD5_DATA_SIZE);
380 bcopy(&digest[0], (void *)addr, sizeof(digest) > l ? l : sizeof(digest));
381 }
382
383 static int
ah_keyed_sha1_mature(struct secasvar * sav)384 ah_keyed_sha1_mature(struct secasvar *sav)
385 {
386 const struct ah_algorithm *algo;
387
388 if (!sav->key_auth) {
389 ipseclog((LOG_ERR, "ah_keyed_sha1_mature: no key is given.\n"));
390 return 1;
391 }
392
393 algo = ah_algorithm_lookup(sav->alg_auth);
394 if (!algo) {
395 ipseclog((LOG_ERR, "ah_keyed_sha1_mature: unsupported algorithm.\n"));
396 return 1;
397 }
398
399 if (sav->key_auth->sadb_key_bits < algo->keymin
400 || algo->keymax < sav->key_auth->sadb_key_bits) {
401 ipseclog((LOG_ERR,
402 "ah_keyed_sha1_mature: invalid key length %d.\n",
403 sav->key_auth->sadb_key_bits));
404 return 1;
405 }
406
407 return 0;
408 }
409
410 static int
ah_keyed_sha1_init(struct ah_algorithm_state * state,struct secasvar * sav)411 ah_keyed_sha1_init(struct ah_algorithm_state *state, struct secasvar *sav)
412 {
413 SHA1_CTX *ctxt;
414 size_t padlen;
415 size_t keybitlen;
416 u_int8_t buf[32] __attribute__((aligned(4)));
417
418 if (!state) {
419 panic("ah_keyed_sha1_init: what?");
420 }
421
422 state->sav = sav;
423 state->foo = (void *)kalloc_data(KEYED_SHA1_DATA_SIZE, Z_NOWAIT);
424 if (!state->foo) {
425 return ENOBUFS;
426 }
427
428 ctxt = (SHA1_CTX *)state->foo;
429 SHA1Init(ctxt);
430
431 if (state->sav) {
432 SHA1Update(ctxt, (u_int8_t *)_KEYBUF(state->sav->key_auth),
433 (u_int)_KEYLEN(state->sav->key_auth));
434
435 /*
436 * Pad after the key.
437 */
438 if (_KEYLEN(state->sav->key_auth) < 56) {
439 padlen = 64 - 8 - _KEYLEN(state->sav->key_auth);
440 } else {
441 padlen = 64 + 64 - 8 - _KEYLEN(state->sav->key_auth);
442 }
443 keybitlen = _KEYLEN(state->sav->key_auth);
444 keybitlen *= 8;
445
446 buf[0] = 0x80;
447 SHA1Update(ctxt, &buf[0], 1);
448 padlen--;
449
450 bzero(buf, sizeof(buf));
451 while (sizeof(buf) < padlen) {
452 SHA1Update(ctxt, &buf[0], sizeof(buf));
453 padlen -= sizeof(buf);
454 }
455 if (padlen) {
456 SHA1Update(ctxt, &buf[0], padlen);
457 }
458
459 buf[0] = (keybitlen >> 0) & 0xff;
460 buf[1] = (keybitlen >> 8) & 0xff;
461 buf[2] = (keybitlen >> 16) & 0xff;
462 buf[3] = (keybitlen >> 24) & 0xff;
463 SHA1Update(ctxt, buf, 8);
464 }
465
466 return 0;
467 }
468
469 static void
ah_keyed_sha1_loop(struct ah_algorithm_state * state,caddr_t addr,size_t len)470 ah_keyed_sha1_loop(struct ah_algorithm_state *state, caddr_t addr, size_t len)
471 {
472 SHA1_CTX *ctxt;
473
474 if (!state || !state->foo) {
475 panic("ah_keyed_sha1_loop: what?");
476 }
477 ctxt = (SHA1_CTX *)state->foo;
478
479 SHA1Update(ctxt, (caddr_t)addr, (size_t)len);
480 }
481
482 static void
ah_keyed_sha1_result(struct ah_algorithm_state * state,caddr_t addr,size_t l)483 ah_keyed_sha1_result(struct ah_algorithm_state *state, caddr_t addr, size_t l)
484 {
485 u_char digest[SHA1_RESULTLEN] __attribute__((aligned(4))); /* SHA-1 generates 160 bits */
486 SHA1_CTX *ctxt;
487
488 if (!state || !state->foo) {
489 panic("ah_keyed_sha1_result: what?");
490 }
491 ctxt = (SHA1_CTX *)state->foo;
492
493 if (state->sav) {
494 SHA1Update(ctxt, (u_int8_t *)_KEYBUF(state->sav->key_auth),
495 (u_int)_KEYLEN(state->sav->key_auth));
496 }
497 SHA1Final((caddr_t)&digest[0], ctxt);
498 bcopy(&digest[0], (void *)addr, sizeof(digest) > l ? l : sizeof(digest));
499
500 kfree_data(state->foo, KEYED_SHA1_DATA_SIZE);
501 }
502
503 static int
ah_hmac_md5_mature(struct secasvar * sav)504 ah_hmac_md5_mature(struct secasvar *sav)
505 {
506 const struct ah_algorithm *algo;
507
508 if (!sav->key_auth) {
509 ipseclog((LOG_ERR, "ah_hmac_md5_mature: no key is given.\n"));
510 return 1;
511 }
512
513 algo = ah_algorithm_lookup(sav->alg_auth);
514 if (!algo) {
515 ipseclog((LOG_ERR, "ah_hmac_md5_mature: unsupported algorithm.\n"));
516 return 1;
517 }
518
519 if (sav->key_auth->sadb_key_bits < algo->keymin
520 || algo->keymax < sav->key_auth->sadb_key_bits) {
521 ipseclog((LOG_ERR,
522 "ah_hmac_md5_mature: invalid key length %d.\n",
523 sav->key_auth->sadb_key_bits));
524 return 1;
525 }
526
527 return 0;
528 }
529
530 static int
ah_hmac_md5_init(struct ah_algorithm_state * state,struct secasvar * sav)531 ah_hmac_md5_init(struct ah_algorithm_state *state, struct secasvar *sav)
532 {
533 u_char *ipad;
534 u_char *opad;
535 u_char tk[16] __attribute__((aligned(4)));
536 u_char *key;
537 size_t keylen;
538 size_t i;
539 MD5_CTX *ctxt;
540
541 if (!state) {
542 panic("ah_hmac_md5_init: what?");
543 }
544
545 state->sav = sav;
546 state->foo = (void *)kalloc_data(HMAC_MD5_DATA_SIZE, Z_NOWAIT);
547 if (!state->foo) {
548 return ENOBUFS;
549 }
550
551 ipad = (u_char *)state->foo;
552 opad = (u_char *)(ipad + 64);
553 ctxt = (MD5_CTX *)(void *)(opad + 64);
554
555 /* compress the key if necessery */
556 if (64 < _KEYLEN(state->sav->key_auth)) {
557 MD5Init(ctxt);
558 MD5Update(ctxt, _KEYBUF(state->sav->key_auth),
559 _KEYLEN(state->sav->key_auth));
560 MD5Final(&tk[0], ctxt);
561 key = &tk[0];
562 keylen = 16;
563 } else {
564 key = (u_char *) _KEYBUF(state->sav->key_auth);
565 keylen = _KEYLEN(state->sav->key_auth);
566 }
567
568 bzero(ipad, 64);
569 bzero(opad, 64);
570 bcopy(key, ipad, keylen);
571 bcopy(key, opad, keylen);
572 for (i = 0; i < 64; i++) {
573 ipad[i] ^= 0x36;
574 opad[i] ^= 0x5c;
575 }
576
577 MD5Init(ctxt);
578 MD5Update(ctxt, ipad, 64);
579
580 return 0;
581 }
582
583 static void
ah_hmac_md5_loop(struct ah_algorithm_state * state,caddr_t addr,size_t len)584 ah_hmac_md5_loop(struct ah_algorithm_state *state, caddr_t addr, size_t len)
585 {
586 MD5_CTX *ctxt;
587
588 if (!state || !state->foo) {
589 panic("ah_hmac_md5_loop: what?");
590 }
591 ctxt = (MD5_CTX *)(void *)(((caddr_t)state->foo) + 128);
592 VERIFY(len <= UINT_MAX);
593 MD5Update(ctxt, addr, (uint)len);
594 }
595
596 static void
ah_hmac_md5_result(struct ah_algorithm_state * state,caddr_t addr,size_t l)597 ah_hmac_md5_result(struct ah_algorithm_state *state, caddr_t addr, size_t l)
598 {
599 u_char digest[16] __attribute__((aligned(4)));
600 u_char *ipad;
601 u_char *opad;
602 MD5_CTX *ctxt;
603
604 if (!state || !state->foo) {
605 panic("ah_hmac_md5_result: what?");
606 }
607
608 ipad = (u_char *)state->foo;
609 opad = (u_char *)(ipad + 64);
610 ctxt = (MD5_CTX *)(void *)(opad + 64);
611
612 MD5Final(&digest[0], ctxt);
613
614 MD5Init(ctxt);
615 MD5Update(ctxt, opad, 64);
616 MD5Update(ctxt, &digest[0], sizeof(digest));
617 MD5Final(&digest[0], ctxt);
618
619 bcopy(&digest[0], (void *)addr, sizeof(digest) > l ? l : sizeof(digest));
620
621 kfree_data(state->foo, HMAC_MD5_DATA_SIZE);
622 }
623
624 static int
ah_hmac_sha1_mature(struct secasvar * sav)625 ah_hmac_sha1_mature(struct secasvar *sav)
626 {
627 const struct ah_algorithm *algo;
628
629 if (!sav->key_auth) {
630 ipseclog((LOG_ERR, "ah_hmac_sha1_mature: no key is given.\n"));
631 return 1;
632 }
633
634 algo = ah_algorithm_lookup(sav->alg_auth);
635 if (!algo) {
636 ipseclog((LOG_ERR, "ah_hmac_sha1_mature: unsupported algorithm.\n"));
637 return 1;
638 }
639
640 if (sav->key_auth->sadb_key_bits < algo->keymin
641 || algo->keymax < sav->key_auth->sadb_key_bits) {
642 ipseclog((LOG_ERR,
643 "ah_hmac_sha1_mature: invalid key length %d.\n",
644 sav->key_auth->sadb_key_bits));
645 return 1;
646 }
647
648 return 0;
649 }
650
651 static int
ah_hmac_sha1_init(struct ah_algorithm_state * state,struct secasvar * sav)652 ah_hmac_sha1_init(struct ah_algorithm_state *state, struct secasvar *sav)
653 {
654 u_char *ipad;
655 u_char *opad;
656 SHA1_CTX *ctxt;
657 u_char tk[SHA1_RESULTLEN] __attribute__((aligned(4))); /* SHA-1 generates 160 bits */
658 u_char *key;
659 size_t keylen;
660 size_t i;
661
662 if (!state) {
663 panic("ah_hmac_sha1_init: what?");
664 }
665
666 state->sav = sav;
667 state->foo = (void *)kalloc_data(HMAC_SHA1_DATA_SIZE, Z_NOWAIT);
668 if (!state->foo) {
669 return ENOBUFS;
670 }
671
672 ipad = (u_char *)state->foo;
673 opad = (u_char *)(ipad + 64);
674 ctxt = (SHA1_CTX *)(void *)(opad + 64);
675
676 /* compress the key if necessery */
677 if (64 < _KEYLEN(state->sav->key_auth)) {
678 SHA1Init(ctxt);
679 SHA1Update(ctxt, _KEYBUF(state->sav->key_auth),
680 _KEYLEN(state->sav->key_auth));
681 SHA1Final(&tk[0], ctxt);
682 key = &tk[0];
683 keylen = SHA1_RESULTLEN;
684 } else {
685 key = (u_char *) _KEYBUF(state->sav->key_auth);
686 keylen = _KEYLEN(state->sav->key_auth);
687 }
688
689 bzero(ipad, 64);
690 bzero(opad, 64);
691 bcopy(key, ipad, keylen);
692 bcopy(key, opad, keylen);
693 for (i = 0; i < 64; i++) {
694 ipad[i] ^= 0x36;
695 opad[i] ^= 0x5c;
696 }
697
698 SHA1Init(ctxt);
699 SHA1Update(ctxt, ipad, 64);
700
701 return 0;
702 }
703
704 static void
ah_hmac_sha1_loop(struct ah_algorithm_state * state,caddr_t addr,size_t len)705 ah_hmac_sha1_loop(struct ah_algorithm_state *state, caddr_t addr, size_t len)
706 {
707 SHA1_CTX *ctxt;
708
709 if (!state || !state->foo) {
710 panic("ah_hmac_sha1_loop: what?");
711 }
712
713 ctxt = (SHA1_CTX *)(void *)(((u_char *)state->foo) + 128);
714 SHA1Update(ctxt, (caddr_t)addr, (size_t)len);
715 }
716
717 static void
ah_hmac_sha1_result(struct ah_algorithm_state * state,caddr_t addr,size_t l)718 ah_hmac_sha1_result(struct ah_algorithm_state *state, caddr_t addr, size_t l)
719 {
720 u_char digest[SHA1_RESULTLEN] __attribute__((aligned(4))); /* SHA-1 generates 160 bits */
721 u_char *ipad;
722 u_char *opad;
723 SHA1_CTX *ctxt;
724
725 if (!state || !state->foo) {
726 panic("ah_hmac_sha1_result: what?");
727 }
728
729 ipad = (u_char *)state->foo;
730 opad = (u_char *)(ipad + 64);
731 ctxt = (SHA1_CTX *)(void *)(opad + 64);
732
733 SHA1Final((caddr_t)&digest[0], ctxt);
734
735 SHA1Init(ctxt);
736 SHA1Update(ctxt, opad, 64);
737 SHA1Update(ctxt, (caddr_t)&digest[0], sizeof(digest));
738 SHA1Final((caddr_t)&digest[0], ctxt);
739
740 bcopy(&digest[0], (void *)addr, sizeof(digest) > l ? l : sizeof(digest));
741
742 kfree_data(state->foo, HMAC_SHA1_DATA_SIZE);
743 }
744
745 #if AH_ALL_CRYPTO
746 static int
ah_sumsiz_sha2_256(struct secasvar * sav)747 ah_sumsiz_sha2_256(struct secasvar *sav)
748 {
749 if (!sav) {
750 return -1;
751 }
752 // return half the output size (in bytes), as per rfc 4868
753 return 16; // 256/(8*2)
754 }
755
756 static int
ah_hmac_sha2_256_mature(struct secasvar * sav)757 ah_hmac_sha2_256_mature(struct secasvar *sav)
758 {
759 const struct ah_algorithm *algo;
760
761 if (!sav->key_auth) {
762 ipseclog((LOG_ERR,
763 "ah_hmac_sha2_256_mature: no key is given.\n"));
764 return 1;
765 }
766
767 algo = ah_algorithm_lookup(sav->alg_auth);
768 if (!algo) {
769 ipseclog((LOG_ERR,
770 "ah_hmac_sha2_256_mature: unsupported algorithm.\n"));
771 return 1;
772 }
773
774 if (sav->key_auth->sadb_key_bits < algo->keymin ||
775 algo->keymax < sav->key_auth->sadb_key_bits) {
776 ipseclog((LOG_ERR,
777 "ah_hmac_sha2_256_mature: invalid key length %d.\n",
778 sav->key_auth->sadb_key_bits));
779 return 1;
780 }
781
782 return 0;
783 }
784
785 static int
ah_hmac_sha2_256_init(struct ah_algorithm_state * state,struct secasvar * sav)786 ah_hmac_sha2_256_init(struct ah_algorithm_state *state, struct secasvar *sav)
787 {
788 u_char *ipad;
789 u_char *opad;
790 SHA256_CTX *ctxt;
791 u_char tk[SHA256_DIGEST_LENGTH] __attribute__((aligned(4)));
792 u_char *key;
793 size_t keylen;
794 size_t i;
795
796 if (!state) {
797 panic("ah_hmac_sha2_256_init: what?");
798 }
799
800 state->sav = sav;
801 state->foo = (void *)kalloc_data(HMAC_SHA2_256_DATA_SIZE, Z_NOWAIT);
802 if (!state->foo) {
803 return ENOBUFS;
804 }
805
806 ipad = (u_char *)state->foo;
807 opad = (u_char *)(ipad + 64);
808 ctxt = (SHA256_CTX *)(void *)(opad + 64);
809
810 /* compress the key if necessery */
811 if (64 < _KEYLEN(state->sav->key_auth)) {
812 bzero(tk, sizeof(tk));
813 bzero(ctxt, sizeof(*ctxt));
814 SHA256_Init(ctxt);
815 SHA256_Update(ctxt, (const u_int8_t *) _KEYBUF(state->sav->key_auth),
816 _KEYLEN(state->sav->key_auth));
817 SHA256_Final(&tk[0], ctxt);
818 key = &tk[0];
819 keylen = sizeof(tk) < 64 ? sizeof(tk) : 64;
820 } else {
821 key = (u_char *) _KEYBUF(state->sav->key_auth);
822 keylen = _KEYLEN(state->sav->key_auth);
823 }
824
825 bzero(ipad, 64);
826 bzero(opad, 64);
827 bcopy(key, ipad, keylen);
828 bcopy(key, opad, keylen);
829 for (i = 0; i < 64; i++) {
830 ipad[i] ^= 0x36;
831 opad[i] ^= 0x5c;
832 }
833
834 bzero(ctxt, sizeof(*ctxt));
835 SHA256_Init(ctxt);
836 SHA256_Update(ctxt, ipad, 64);
837
838 return 0;
839 }
840
841 static void
ah_hmac_sha2_256_loop(struct ah_algorithm_state * state,caddr_t addr,size_t len)842 ah_hmac_sha2_256_loop(struct ah_algorithm_state *state,
843 caddr_t addr,
844 size_t len)
845 {
846 SHA256_CTX *ctxt;
847
848 if (!state || !state->foo) {
849 panic("ah_hmac_sha2_256_loop: what?");
850 }
851
852 ctxt = (SHA256_CTX *)(void *)(((u_char *)state->foo) + 128);
853 SHA256_Update(ctxt, (const u_int8_t *)addr, (size_t)len);
854 }
855
856 static void
ah_hmac_sha2_256_result(struct ah_algorithm_state * state,caddr_t addr,size_t l)857 ah_hmac_sha2_256_result(struct ah_algorithm_state *state,
858 caddr_t addr,
859 size_t l)
860 {
861 u_char digest[SHA256_DIGEST_LENGTH] __attribute__((aligned(4)));
862 u_char *ipad;
863 u_char *opad;
864 SHA256_CTX *ctxt;
865
866 if (!state || !state->foo) {
867 panic("ah_hmac_sha2_256_result: what?");
868 }
869
870 ipad = (u_char *)state->foo;
871 opad = (u_char *)(ipad + 64);
872 ctxt = (SHA256_CTX *)(void *)(opad + 64);
873
874 SHA256_Final((u_int8_t *)digest, ctxt);
875
876 SHA256_Init(ctxt);
877 SHA256_Update(ctxt, opad, 64);
878 SHA256_Update(ctxt, (const u_int8_t *)digest, sizeof(digest));
879 SHA256_Final((u_int8_t *)digest, ctxt);
880
881 bcopy(&digest[0], (void *)addr, sizeof(digest) > l ? l : sizeof(digest));
882
883 kfree_data(state->foo, HMAC_SHA2_256_DATA_SIZE);
884 }
885
886 static int
ah_sumsiz_sha2_384(struct secasvar * sav)887 ah_sumsiz_sha2_384(struct secasvar *sav)
888 {
889 if (!sav) {
890 return -1;
891 }
892 // return half the output size (in bytes), as per rfc 4868
893 return 24; // 384/(8*2)
894 }
895
896 static int
ah_hmac_sha2_384_mature(struct secasvar * sav)897 ah_hmac_sha2_384_mature(struct secasvar *sav)
898 {
899 const struct ah_algorithm *algo;
900
901 if (!sav->key_auth) {
902 ipseclog((LOG_ERR,
903 "ah_hmac_sha2_384_mature: no key is given.\n"));
904 return 1;
905 }
906
907 algo = ah_algorithm_lookup(sav->alg_auth);
908 if (!algo) {
909 ipseclog((LOG_ERR,
910 "ah_hmac_sha2_384_mature: unsupported algorithm.\n"));
911 return 1;
912 }
913
914 if (sav->key_auth->sadb_key_bits < algo->keymin ||
915 algo->keymax < sav->key_auth->sadb_key_bits) {
916 ipseclog((LOG_ERR,
917 "ah_hmac_sha2_384_mature: invalid key length %d.\n",
918 sav->key_auth->sadb_key_bits));
919 return 1;
920 }
921
922 return 0;
923 }
924
925 static int
ah_hmac_sha2_384_init(struct ah_algorithm_state * state,struct secasvar * sav)926 ah_hmac_sha2_384_init(struct ah_algorithm_state *state, struct secasvar *sav)
927 {
928 u_char *ipad;
929 u_char *opad;
930 SHA384_CTX *ctxt;
931 u_char tk[SHA384_DIGEST_LENGTH] __attribute__((aligned(4)));
932 u_char *key;
933 size_t keylen;
934 size_t i;
935
936 if (!state) {
937 panic("ah_hmac_sha2_384_init: what?");
938 }
939
940 state->sav = sav;
941 state->foo = (void *)kalloc_data(HMAC_SHA2_384_DATA_SIZE,
942 Z_NOWAIT | Z_ZERO);
943 if (!state->foo) {
944 return ENOBUFS;
945 }
946
947 ipad = (u_char *)state->foo;
948 opad = (u_char *)(ipad + 128);
949 ctxt = (SHA384_CTX *)(void *)(opad + 128);
950
951 /* compress the key if necessery */
952 if (128 < _KEYLEN(state->sav->key_auth)) {
953 bzero(tk, sizeof(tk));
954 bzero(ctxt, sizeof(*ctxt));
955 SHA384_Init(ctxt);
956 SHA384_Update(ctxt, (const u_int8_t *) _KEYBUF(state->sav->key_auth),
957 _KEYLEN(state->sav->key_auth));
958 SHA384_Final(&tk[0], ctxt);
959 key = &tk[0];
960 keylen = sizeof(tk) < 128 ? sizeof(tk) : 128;
961 } else {
962 key = (u_char *) _KEYBUF(state->sav->key_auth);
963 keylen = _KEYLEN(state->sav->key_auth);
964 }
965
966 bzero(ipad, 128);
967 bzero(opad, 128);
968 bcopy(key, ipad, keylen);
969 bcopy(key, opad, keylen);
970 for (i = 0; i < 128; i++) {
971 ipad[i] ^= 0x36;
972 opad[i] ^= 0x5c;
973 }
974
975 bzero(ctxt, sizeof(*ctxt));
976 SHA384_Init(ctxt);
977 SHA384_Update(ctxt, ipad, 128);
978
979 return 0;
980 }
981
982 static void
ah_hmac_sha2_384_loop(struct ah_algorithm_state * state,caddr_t addr,size_t len)983 ah_hmac_sha2_384_loop(struct ah_algorithm_state *state,
984 caddr_t addr,
985 size_t len)
986 {
987 SHA384_CTX *ctxt;
988
989 if (!state || !state->foo) {
990 panic("ah_hmac_sha2_384_loop: what?");
991 }
992
993 ctxt = (SHA384_CTX *)(void *)(((u_char *)state->foo) + 256);
994 SHA384_Update(ctxt, (const u_int8_t *)addr, (size_t)len);
995 }
996
997 static void
ah_hmac_sha2_384_result(struct ah_algorithm_state * state,caddr_t addr,size_t l)998 ah_hmac_sha2_384_result(struct ah_algorithm_state *state,
999 caddr_t addr,
1000 size_t l)
1001 {
1002 u_char digest[SHA384_DIGEST_LENGTH];
1003 u_char *ipad;
1004 u_char *opad;
1005 SHA384_CTX *ctxt;
1006
1007 if (!state || !state->foo) {
1008 panic("ah_hmac_sha2_384_result: what?");
1009 }
1010
1011 ipad = (u_char *)state->foo;
1012 opad = (u_char *)(ipad + 128);
1013 ctxt = (SHA384_CTX *)(void *)(opad + 128);
1014
1015 SHA384_Final((u_int8_t *)digest, ctxt);
1016
1017 SHA384_Init(ctxt);
1018 SHA384_Update(ctxt, opad, 128);
1019 SHA384_Update(ctxt, (const u_int8_t *)digest, sizeof(digest));
1020 SHA384_Final((u_int8_t *)digest, ctxt);
1021
1022 bcopy(&digest[0], (void *)addr, sizeof(digest) > l ? l : sizeof(digest));
1023
1024 kfree_data(state->foo, HMAC_SHA2_384_DATA_SIZE);
1025 }
1026
1027 static int
ah_sumsiz_sha2_512(struct secasvar * sav)1028 ah_sumsiz_sha2_512(struct secasvar *sav)
1029 {
1030 if (!sav) {
1031 return -1;
1032 }
1033 // return half the output size (in bytes), as per rfc 4868
1034 return 32; // 512/(8*2)
1035 }
1036
1037 static int
ah_hmac_sha2_512_mature(struct secasvar * sav)1038 ah_hmac_sha2_512_mature(struct secasvar *sav)
1039 {
1040 const struct ah_algorithm *algo;
1041
1042 if (!sav->key_auth) {
1043 ipseclog((LOG_ERR,
1044 "ah_hmac_sha2_512_mature: no key is given.\n"));
1045 return 1;
1046 }
1047
1048 algo = ah_algorithm_lookup(sav->alg_auth);
1049 if (!algo) {
1050 ipseclog((LOG_ERR,
1051 "ah_hmac_sha2_512_mature: unsupported algorithm.\n"));
1052 return 1;
1053 }
1054
1055 if (sav->key_auth->sadb_key_bits < algo->keymin ||
1056 algo->keymax < sav->key_auth->sadb_key_bits) {
1057 ipseclog((LOG_ERR,
1058 "ah_hmac_sha2_512_mature: invalid key length %d.\n",
1059 sav->key_auth->sadb_key_bits));
1060 return 1;
1061 }
1062
1063 return 0;
1064 }
1065
1066 static int
ah_hmac_sha2_512_init(struct ah_algorithm_state * state,struct secasvar * sav)1067 ah_hmac_sha2_512_init(struct ah_algorithm_state *state, struct secasvar *sav)
1068 {
1069 u_char *ipad;
1070 u_char *opad;
1071 SHA512_CTX *ctxt;
1072 u_char tk[SHA512_DIGEST_LENGTH] __attribute__((aligned(4)));
1073 u_char *key;
1074 size_t keylen;
1075 size_t i;
1076
1077 if (!state) {
1078 panic("ah_hmac_sha2_512_init: what?");
1079 }
1080
1081 state->sav = sav;
1082 state->foo = (void *)kalloc_data(HMAC_SHA2_512_DATA_SIZE,
1083 Z_NOWAIT | Z_ZERO);
1084 if (!state->foo) {
1085 return ENOBUFS;
1086 }
1087
1088 ipad = (u_char *)state->foo;
1089 opad = (u_char *)(ipad + 128);
1090 ctxt = (SHA512_CTX *)(void *)(opad + 128);
1091
1092 /* compress the key if necessery */
1093 if (128 < _KEYLEN(state->sav->key_auth)) {
1094 bzero(tk, sizeof(tk));
1095 bzero(ctxt, sizeof(*ctxt));
1096 SHA512_Init(ctxt);
1097 SHA512_Update(ctxt, (const u_int8_t *) _KEYBUF(state->sav->key_auth),
1098 _KEYLEN(state->sav->key_auth));
1099 SHA512_Final(&tk[0], ctxt);
1100 key = &tk[0];
1101 keylen = sizeof(tk) < 128 ? sizeof(tk) : 128;
1102 } else {
1103 key = (u_char *) _KEYBUF(state->sav->key_auth);
1104 keylen = _KEYLEN(state->sav->key_auth);
1105 }
1106
1107 bzero(ipad, 128);
1108 bzero(opad, 128);
1109 bcopy(key, ipad, keylen);
1110 bcopy(key, opad, keylen);
1111 for (i = 0; i < 128; i++) {
1112 ipad[i] ^= 0x36;
1113 opad[i] ^= 0x5c;
1114 }
1115
1116 bzero(ctxt, sizeof(*ctxt));
1117 SHA512_Init(ctxt);
1118 SHA512_Update(ctxt, ipad, 128);
1119
1120 return 0;
1121 }
1122
1123 static void
ah_hmac_sha2_512_loop(struct ah_algorithm_state * state,caddr_t addr,size_t len)1124 ah_hmac_sha2_512_loop(struct ah_algorithm_state *state,
1125 caddr_t addr,
1126 size_t len)
1127 {
1128 SHA512_CTX *ctxt;
1129
1130 if (!state || !state->foo) {
1131 panic("ah_hmac_sha2_512_loop: what?");
1132 }
1133
1134 ctxt = (SHA512_CTX *)(void *)(((u_char *)state->foo) + 256);
1135 SHA512_Update(ctxt, (const u_int8_t *) addr, (size_t)len);
1136 }
1137
1138 static void
ah_hmac_sha2_512_result(struct ah_algorithm_state * state,caddr_t addr,size_t l)1139 ah_hmac_sha2_512_result(struct ah_algorithm_state *state,
1140 caddr_t addr,
1141 size_t l)
1142 {
1143 u_char digest[SHA512_DIGEST_LENGTH] __attribute__((aligned(4)));
1144 u_char *ipad;
1145 u_char *opad;
1146 SHA512_CTX *ctxt;
1147
1148 if (!state || !state->foo) {
1149 panic("ah_hmac_sha2_512_result: what?");
1150 }
1151
1152 ipad = (u_char *)state->foo;
1153 opad = (u_char *)(ipad + 128);
1154 ctxt = (SHA512_CTX *)(void *)(opad + 128);
1155
1156 SHA512_Final((u_int8_t *)digest, ctxt);
1157
1158 SHA512_Init(ctxt);
1159 SHA512_Update(ctxt, opad, 128);
1160 SHA512_Update(ctxt, (const u_int8_t *)digest, sizeof(digest));
1161 SHA512_Final((u_int8_t *)digest, ctxt);
1162
1163 bcopy(&digest[0], (void *)addr, sizeof(digest) > l ? l : sizeof(digest));
1164
1165 kfree_data(state->foo, HMAC_SHA2_512_DATA_SIZE);
1166 }
1167 #endif /* AH_ALL_CRYPTO */
1168
1169 /*------------------------------------------------------------*/
1170
1171 /*
1172 * go generate the checksum.
1173 */
1174 static void
ah_update_mbuf(struct mbuf * m,int off,int len,const struct ah_algorithm * algo,struct ah_algorithm_state * algos)1175 ah_update_mbuf(struct mbuf *m, int off, int len,
1176 const struct ah_algorithm *algo,
1177 struct ah_algorithm_state *algos)
1178 {
1179 struct mbuf *n;
1180 int tlen;
1181
1182 /* easy case first */
1183 if (off + len <= m->m_len) {
1184 (algo->update)(algos, mtod(m, caddr_t) + off, len);
1185 return;
1186 }
1187
1188 for (n = m; n; n = n->m_next) {
1189 if (off < n->m_len) {
1190 break;
1191 }
1192
1193 off -= n->m_len;
1194 }
1195
1196 if (!n) {
1197 panic("ah_update_mbuf: wrong offset specified");
1198 }
1199
1200 for (/*nothing*/; n && len > 0; n = n->m_next) {
1201 if (n->m_len == 0) {
1202 continue;
1203 }
1204 if (n->m_len - off < len) {
1205 tlen = n->m_len - off;
1206 } else {
1207 tlen = len;
1208 }
1209
1210 (algo->update)(algos, mtod(n, caddr_t) + off, tlen);
1211
1212 len -= tlen;
1213 off = 0;
1214 }
1215 }
1216
1217 #if INET
1218 /*
1219 * Go generate the checksum. This function won't modify the mbuf chain
1220 * except AH itself.
1221 *
1222 * NOTE: the function does not free mbuf on failure.
1223 * Don't use m_copy(), it will try to share cluster mbuf by using refcnt.
1224 */
1225 int
ah4_calccksum(struct mbuf * m,caddr_t ahdat,size_t len,const struct ah_algorithm * algo,struct secasvar * sav)1226 ah4_calccksum(struct mbuf *m, caddr_t ahdat, size_t len,
1227 const struct ah_algorithm *algo, struct secasvar *sav)
1228 {
1229 int off;
1230 int hdrtype;
1231 size_t advancewidth;
1232 struct ah_algorithm_state algos;
1233 u_char sumbuf[AH_MAXSUMSIZE] __attribute__((aligned(4)));
1234 int error = 0;
1235 int ahseen;
1236 struct mbuf *n = NULL;
1237
1238 if ((m->m_flags & M_PKTHDR) == 0) {
1239 return EINVAL;
1240 }
1241
1242 ahseen = 0;
1243 hdrtype = -1; /*dummy, it is called IPPROTO_IP*/
1244
1245 off = 0;
1246
1247 error = (algo->init)(&algos, sav);
1248 if (error) {
1249 return error;
1250 }
1251
1252 advancewidth = 0; /*safety*/
1253
1254 again:
1255 /* gory. */
1256 switch (hdrtype) {
1257 case -1: /*first one only*/
1258 {
1259 /*
1260 * copy ip hdr, modify to fit the AH checksum rule,
1261 * then take a checksum.
1262 */
1263 struct ip iphdr;
1264 size_t hlen;
1265
1266 m_copydata(m, off, sizeof(iphdr), (caddr_t)&iphdr);
1267 #if _IP_VHL
1268 hlen = IP_VHL_HL(iphdr.ip_vhl) << 2;
1269 #else
1270 hlen = iphdr.ip_hl << 2;
1271 #endif
1272 iphdr.ip_ttl = 0;
1273 iphdr.ip_sum = htons(0);
1274 if (ip4_ah_cleartos) {
1275 iphdr.ip_tos = 0;
1276 }
1277 iphdr.ip_off = htons(ntohs(iphdr.ip_off) & ip4_ah_offsetmask);
1278 (algo->update)(&algos, (caddr_t)&iphdr, sizeof(struct ip));
1279
1280 if (hlen != sizeof(struct ip)) {
1281 u_char *p;
1282 int i, l, skip;
1283
1284 if (hlen > MCLBYTES) {
1285 error = EMSGSIZE;
1286 goto fail;
1287 }
1288 MGET(n, M_DONTWAIT, MT_DATA);
1289 if (n && hlen > MLEN) {
1290 MCLGET(n, M_DONTWAIT);
1291 if ((n->m_flags & M_EXT) == 0) {
1292 m_free(n);
1293 n = NULL;
1294 }
1295 }
1296 if (n == NULL) {
1297 error = ENOBUFS;
1298 goto fail;
1299 }
1300 VERIFY(hlen <= INT_MAX);
1301 m_copydata(m, off, (int)hlen, mtod(n, caddr_t));
1302
1303 /*
1304 * IP options processing.
1305 * See RFC2402 appendix A.
1306 */
1307 p = mtod(n, u_char *);
1308 i = sizeof(struct ip);
1309 while (i < hlen) {
1310 if (i + IPOPT_OPTVAL >= hlen) {
1311 ipseclog((LOG_ERR, "ah4_calccksum: "
1312 "invalid IP option\n"));
1313 error = EINVAL;
1314 goto fail;
1315 }
1316 if (p[i + IPOPT_OPTVAL] == IPOPT_EOL ||
1317 p[i + IPOPT_OPTVAL] == IPOPT_NOP ||
1318 i + IPOPT_OLEN < hlen) {
1319 ;
1320 } else {
1321 ipseclog((LOG_ERR,
1322 "ah4_calccksum: invalid IP option "
1323 "(type=%02x)\n",
1324 p[i + IPOPT_OPTVAL]));
1325 error = EINVAL;
1326 goto fail;
1327 }
1328
1329 skip = 1;
1330 switch (p[i + IPOPT_OPTVAL]) {
1331 case IPOPT_EOL:
1332 case IPOPT_NOP:
1333 l = 1;
1334 skip = 0;
1335 break;
1336 case IPOPT_SECURITY: /* 0x82 */
1337 case 0x85: /* Extended security */
1338 case 0x86: /* Commercial security */
1339 case 0x94: /* Router alert */
1340 case 0x95: /* RFC1770 */
1341 l = p[i + IPOPT_OLEN];
1342 if (l < 2) {
1343 goto invalopt;
1344 }
1345 skip = 0;
1346 break;
1347 default:
1348 l = p[i + IPOPT_OLEN];
1349 if (l < 2) {
1350 goto invalopt;
1351 }
1352 skip = 1;
1353 break;
1354 }
1355 if (l < 1 || hlen - i < l) {
1356 invalopt:
1357 ipseclog((LOG_ERR,
1358 "ah4_calccksum: invalid IP option "
1359 "(type=%02x len=%02x)\n",
1360 p[i + IPOPT_OPTVAL],
1361 p[i + IPOPT_OLEN]));
1362 error = EINVAL;
1363 goto fail;
1364 }
1365 if (skip) {
1366 bzero(p + i, l);
1367 }
1368 if (p[i + IPOPT_OPTVAL] == IPOPT_EOL) {
1369 break;
1370 }
1371 i += l;
1372 }
1373
1374 p = mtod(n, u_char *) + sizeof(struct ip);
1375 (algo->update)(&algos, (caddr_t)p, hlen - sizeof(struct ip));
1376
1377 m_free(n);
1378 n = NULL;
1379 }
1380
1381 hdrtype = (iphdr.ip_p) & 0xff;
1382 advancewidth = hlen;
1383 break;
1384 }
1385
1386 case IPPROTO_AH:
1387 {
1388 struct ah ah;
1389 int siz;
1390 int hdrsiz;
1391 int totlen;
1392
1393 m_copydata(m, off, sizeof(ah), (caddr_t)&ah);
1394 hdrsiz = (sav->flags & SADB_X_EXT_OLD)
1395 ? sizeof(struct ah)
1396 : sizeof(struct newah);
1397 siz = (*algo->sumsiz)(sav);
1398 totlen = (ah.ah_len + 2) << 2;
1399
1400 /*
1401 * special treatment is necessary for the first one, not others
1402 */
1403 if (!ahseen) {
1404 if (totlen > m->m_pkthdr.len - off ||
1405 totlen > MCLBYTES) {
1406 error = EMSGSIZE;
1407 goto fail;
1408 }
1409 MGET(n, M_DONTWAIT, MT_DATA);
1410 if (n && totlen > MLEN) {
1411 MCLGET(n, M_DONTWAIT);
1412 if ((n->m_flags & M_EXT) == 0) {
1413 m_free(n);
1414 n = NULL;
1415 }
1416 }
1417 if (n == NULL) {
1418 error = ENOBUFS;
1419 goto fail;
1420 }
1421 m_copydata(m, off, totlen, mtod(n, caddr_t));
1422 n->m_len = totlen;
1423 bzero(mtod(n, caddr_t) + hdrsiz, siz);
1424 (algo->update)(&algos, mtod(n, caddr_t), n->m_len);
1425 m_free(n);
1426 n = NULL;
1427 } else {
1428 ah_update_mbuf(m, off, totlen, algo, &algos);
1429 }
1430 ahseen++;
1431
1432 hdrtype = ah.ah_nxt;
1433 advancewidth = totlen;
1434 break;
1435 }
1436
1437 default:
1438 ah_update_mbuf(m, off, m->m_pkthdr.len - off, algo, &algos);
1439 advancewidth = m->m_pkthdr.len - off;
1440 break;
1441 }
1442
1443 off += advancewidth;
1444 if (off < m->m_pkthdr.len) {
1445 goto again;
1446 }
1447
1448 if (len < (*algo->sumsiz)(sav)) {
1449 error = EINVAL;
1450 goto fail;
1451 }
1452
1453 (algo->result)(&algos, (caddr_t) &sumbuf[0], sizeof(sumbuf));
1454 bcopy(&sumbuf[0], ahdat, (*algo->sumsiz)(sav));
1455
1456 if (n) {
1457 m_free(n);
1458 }
1459 return error;
1460
1461 fail:
1462 if (n) {
1463 m_free(n);
1464 }
1465 return error;
1466 }
1467 #endif
1468
1469 /*
1470 * Go generate the checksum. This function won't modify the mbuf chain
1471 * except AH itself.
1472 *
1473 * NOTE: the function does not free mbuf on failure.
1474 * Don't use m_copy(), it will try to share cluster mbuf by using refcnt.
1475 */
1476 int
ah6_calccksum(struct mbuf * m,caddr_t ahdat,size_t len,const struct ah_algorithm * algo,struct secasvar * sav)1477 ah6_calccksum(struct mbuf *m, caddr_t ahdat, size_t len,
1478 const struct ah_algorithm *algo, struct secasvar *sav)
1479 {
1480 int newoff, off;
1481 int proto, nxt;
1482 struct mbuf *n = NULL;
1483 int error;
1484 int ahseen;
1485 struct ah_algorithm_state algos;
1486 u_char sumbuf[AH_MAXSUMSIZE] __attribute__((aligned(4)));
1487
1488 if ((m->m_flags & M_PKTHDR) == 0) {
1489 return EINVAL;
1490 }
1491
1492 error = (algo->init)(&algos, sav);
1493 if (error) {
1494 return error;
1495 }
1496
1497 off = 0;
1498 proto = IPPROTO_IPV6;
1499 nxt = -1;
1500 ahseen = 0;
1501
1502 again:
1503 newoff = ip6_nexthdr(m, off, proto, &nxt);
1504 if (newoff < 0) {
1505 newoff = m->m_pkthdr.len;
1506 } else if (newoff <= off) {
1507 error = EINVAL;
1508 goto fail;
1509 } else if (m->m_pkthdr.len < newoff) {
1510 error = EINVAL;
1511 goto fail;
1512 }
1513
1514 switch (proto) {
1515 case IPPROTO_IPV6:
1516 /*
1517 * special treatment is necessary for the first one, not others
1518 */
1519 if (off == 0) {
1520 struct ip6_hdr ip6copy;
1521
1522 if (newoff - off != sizeof(struct ip6_hdr)) {
1523 error = EINVAL;
1524 goto fail;
1525 }
1526
1527 m_copydata(m, off, newoff - off, (caddr_t)&ip6copy);
1528 /* RFC2402 */
1529 ip6copy.ip6_flow = 0;
1530 ip6copy.ip6_vfc &= ~IPV6_VERSION_MASK;
1531 ip6copy.ip6_vfc |= IPV6_VERSION;
1532 ip6copy.ip6_hlim = 0;
1533 if (IN6_IS_ADDR_LINKLOCAL(&ip6copy.ip6_src)) {
1534 ip6copy.ip6_src.s6_addr16[1] = 0x0000;
1535 }
1536 if (IN6_IS_ADDR_LINKLOCAL(&ip6copy.ip6_dst)) {
1537 ip6copy.ip6_dst.s6_addr16[1] = 0x0000;
1538 }
1539 (algo->update)(&algos, (caddr_t)&ip6copy,
1540 sizeof(struct ip6_hdr));
1541 } else {
1542 newoff = m->m_pkthdr.len;
1543 ah_update_mbuf(m, off, m->m_pkthdr.len - off, algo,
1544 &algos);
1545 }
1546 break;
1547
1548 case IPPROTO_AH:
1549 {
1550 int siz;
1551 int hdrsiz;
1552
1553 hdrsiz = (sav->flags & SADB_X_EXT_OLD)
1554 ? sizeof(struct ah)
1555 : sizeof(struct newah);
1556 siz = (*algo->sumsiz)(sav);
1557
1558 /*
1559 * special treatment is necessary for the first one, not others
1560 */
1561 if (!ahseen) {
1562 if (newoff - off > MCLBYTES) {
1563 error = EMSGSIZE;
1564 goto fail;
1565 }
1566 MGET(n, M_DONTWAIT, MT_DATA);
1567 if (n && newoff - off > MLEN) {
1568 MCLGET(n, M_DONTWAIT);
1569 if ((n->m_flags & M_EXT) == 0) {
1570 m_free(n);
1571 n = NULL;
1572 }
1573 }
1574 if (n == NULL) {
1575 error = ENOBUFS;
1576 goto fail;
1577 }
1578 m_copydata(m, off, newoff - off, mtod(n, caddr_t));
1579 n->m_len = newoff - off;
1580 bzero(mtod(n, caddr_t) + hdrsiz, siz);
1581 (algo->update)(&algos, mtod(n, caddr_t), n->m_len);
1582 m_free(n);
1583 n = NULL;
1584 } else {
1585 ah_update_mbuf(m, off, newoff - off, algo, &algos);
1586 }
1587 ahseen++;
1588 break;
1589 }
1590
1591 case IPPROTO_HOPOPTS:
1592 case IPPROTO_DSTOPTS:
1593 {
1594 struct ip6_ext *ip6e;
1595 int hdrlen, optlen;
1596 u_int8_t *p, *optend, *optp;
1597
1598 if (newoff - off > MCLBYTES) {
1599 error = EMSGSIZE;
1600 goto fail;
1601 }
1602 MGET(n, M_DONTWAIT, MT_DATA);
1603 if (n && newoff - off > MLEN) {
1604 MCLGET(n, M_DONTWAIT);
1605 if ((n->m_flags & M_EXT) == 0) {
1606 m_free(n);
1607 n = NULL;
1608 }
1609 }
1610 if (n == NULL) {
1611 error = ENOBUFS;
1612 goto fail;
1613 }
1614 m_copydata(m, off, newoff - off, mtod(n, caddr_t));
1615 n->m_len = newoff - off;
1616
1617 ip6e = mtod(n, struct ip6_ext *);
1618 hdrlen = (ip6e->ip6e_len + 1) << 3;
1619 if (newoff - off < hdrlen) {
1620 error = EINVAL;
1621 m_free(n);
1622 n = NULL;
1623 goto fail;
1624 }
1625 p = mtod(n, u_int8_t *);
1626 optend = p + hdrlen;
1627
1628 /*
1629 * ICV calculation for the options header including all
1630 * options. This part is a little tricky since there are
1631 * two type of options; mutable and immutable. We try to
1632 * null-out mutable ones here.
1633 */
1634 optp = p + 2;
1635 while (optp < optend) {
1636 if (optp[0] == IP6OPT_PAD1) {
1637 optlen = 1;
1638 } else {
1639 if (optp + 2 > optend) {
1640 error = EINVAL;
1641 m_free(n);
1642 n = NULL;
1643 goto fail;
1644 }
1645 optlen = optp[1] + 2;
1646 if (optp + optlen > optend) {
1647 error = EINVAL;
1648 m_free(n);
1649 n = NULL;
1650 goto fail;
1651 }
1652
1653 if (optp[0] & IP6OPT_MUTABLE) {
1654 bzero(optp + 2, optlen - 2);
1655 }
1656 }
1657
1658 optp += optlen;
1659 }
1660
1661 (algo->update)(&algos, mtod(n, caddr_t), n->m_len);
1662 m_free(n);
1663 n = NULL;
1664 break;
1665 }
1666
1667 case IPPROTO_ROUTING:
1668 /*
1669 * For an input packet, we can just calculate `as is'.
1670 * For an output packet, we assume ip6_output have already
1671 * made packet how it will be received at the final
1672 * destination.
1673 */
1674 /* FALLTHROUGH */
1675
1676 default:
1677 ah_update_mbuf(m, off, newoff - off, algo, &algos);
1678 break;
1679 }
1680
1681 if (newoff < m->m_pkthdr.len) {
1682 proto = nxt;
1683 off = newoff;
1684 goto again;
1685 }
1686
1687 if (len < (*algo->sumsiz)(sav)) {
1688 error = EINVAL;
1689 goto fail;
1690 }
1691
1692 (algo->result)(&algos, (caddr_t) &sumbuf[0], sizeof(sumbuf));
1693 bcopy(&sumbuf[0], ahdat, (*algo->sumsiz)(sav));
1694
1695 /* just in case */
1696 if (n) {
1697 m_free(n);
1698 }
1699 return 0;
1700 fail:
1701 /* just in case */
1702 if (n) {
1703 m_free(n);
1704 }
1705 return error;
1706 }
1707