1 /*
2 * Copyright (c) 2008-2021 Apple Inc. All rights reserved.
3 *
4 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. The rights granted to you under the License
10 * may not be used to create, or enable the creation or redistribution of,
11 * unlawful or unlicensed copies of an Apple operating system, or to
12 * circumvent, violate, or enable the circumvention or violation of, any
13 * terms of an Apple operating system software license agreement.
14 *
15 * Please obtain a copy of the License at
16 * http://www.opensource.apple.com/apsl/ and read it before using this file.
17 *
18 * The Original Code and all software distributed under the License are
19 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
20 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
21 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
22 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
23 * Please see the License for the specific language governing rights and
24 * limitations under the License.
25 *
26 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
27 */
28
29 /* $FreeBSD: src/sys/netinet6/ah_core.c,v 1.2.2.4 2001/07/03 11:01:49 ume Exp $ */
30 /* $KAME: ah_core.c,v 1.44 2001/03/12 11:24:39 itojun Exp $ */
31
32 /*
33 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
34 * All rights reserved.
35 *
36 * Redistribution and use in source and binary forms, with or without
37 * modification, are permitted provided that the following conditions
38 * are met:
39 * 1. Redistributions of source code must retain the above copyright
40 * notice, this list of conditions and the following disclaimer.
41 * 2. Redistributions in binary form must reproduce the above copyright
42 * notice, this list of conditions and the following disclaimer in the
43 * documentation and/or other materials provided with the distribution.
44 * 3. Neither the name of the project nor the names of its contributors
45 * may be used to endorse or promote products derived from this software
46 * without specific prior written permission.
47 *
48 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
49 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
50 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
51 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
52 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
53 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
54 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
55 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
56 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
57 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
58 * SUCH DAMAGE.
59 */
60
61 /*
62 * RFC1826/2402 authentication header.
63 */
64
65 /* TODO: have shared routines for hmac-* algorithms */
66
67 #include <sys/param.h>
68 #include <sys/systm.h>
69 #include <sys/malloc.h>
70 #include <sys/mbuf.h>
71 #include <sys/domain.h>
72 #include <sys/protosw.h>
73 #include <sys/socket.h>
74 #include <sys/socketvar.h>
75 #include <sys/errno.h>
76 #include <sys/time.h>
77 #include <sys/syslog.h>
78
79 #include <net/if.h>
80 #include <net/route.h>
81
82 #include <netinet/in.h>
83 #include <netinet/in_systm.h>
84 #include <netinet/ip.h>
85 #include <netinet/in_var.h>
86
87 #include <netinet/ip6.h>
88 #include <netinet6/ip6_var.h>
89 #include <netinet/icmp6.h>
90
91 #include <netinet6/ipsec.h>
92 #include <netinet6/ipsec6.h>
93 #include <netinet6/ah.h>
94 #include <netinet6/ah6.h>
95 #if IPSEC_ESP
96 #include <netinet6/esp.h>
97 #include <netinet6/esp6.h>
98 #endif
99 #include <net/pfkeyv2.h>
100 #include <netkey/keydb.h>
101 #include <libkern/crypto/md5.h>
102 #include <libkern/crypto/sha1.h>
103 #include <libkern/crypto/sha2.h>
104
105 #include <net/net_osdep.h>
106
107 #define HMACSIZE 16
108 #define KEYED_MD5_DATA_SIZE sizeof(MD5_CTX)
109 #define KEYED_SHA1_DATA_SIZE sizeof(SHA1_CTX)
110 #define HMAC_MD5_DATA_SIZE (64 + 64 + sizeof(MD5_CTX))
111 #define HMAC_SHA1_DATA_SIZE (64 + 64 + sizeof(SHA1_CTX))
112 #define HMAC_SHA2_256_DATA_SIZE (64 + 64 + sizeof(SHA256_CTX))
113 #define HMAC_SHA2_384_DATA_SIZE (128 + 128 + sizeof(SHA384_CTX))
114 #define HMAC_SHA2_512_DATA_SIZE (128 + 128 + sizeof(SHA512_CTX))
115
116 static int ah_sumsiz_1216(struct secasvar *);
117 static int ah_sumsiz_zero(struct secasvar *);
118 static int ah_none_mature(struct secasvar *);
119 static int ah_none_init(struct ah_algorithm_state *, struct secasvar *);
120 static void ah_none_loop(struct ah_algorithm_state *, caddr_t, size_t);
121 static void ah_none_result(struct ah_algorithm_state *, caddr_t, size_t);
122 static int ah_keyed_md5_mature(struct secasvar *);
123 static int ah_keyed_md5_init(struct ah_algorithm_state *, struct secasvar *);
124 static void ah_keyed_md5_loop(struct ah_algorithm_state *, caddr_t, size_t);
125 static void ah_keyed_md5_result(struct ah_algorithm_state *, caddr_t, size_t);
126 static int ah_keyed_sha1_mature(struct secasvar *);
127 static int ah_keyed_sha1_init(struct ah_algorithm_state *, struct secasvar *);
128 static void ah_keyed_sha1_loop(struct ah_algorithm_state *, caddr_t, size_t);
129 static void ah_keyed_sha1_result(struct ah_algorithm_state *, caddr_t, size_t);
130 static int ah_hmac_md5_mature(struct secasvar *);
131 static int ah_hmac_md5_init(struct ah_algorithm_state *, struct secasvar *);
132 static void ah_hmac_md5_loop(struct ah_algorithm_state *, caddr_t, size_t);
133 static void ah_hmac_md5_result(struct ah_algorithm_state *, caddr_t, size_t);
134 static int ah_hmac_sha1_mature(struct secasvar *);
135 static int ah_hmac_sha1_init(struct ah_algorithm_state *, struct secasvar *);
136 static void ah_hmac_sha1_loop(struct ah_algorithm_state *, caddr_t, size_t);
137 static void ah_hmac_sha1_result(struct ah_algorithm_state *, caddr_t, size_t);
138 #if AH_ALL_CRYPTO
139 static int ah_sumsiz_sha2_256(struct secasvar *);
140 static int ah_hmac_sha2_256_mature(struct secasvar *);
141 static int ah_hmac_sha2_256_init(struct ah_algorithm_state *,
142 struct secasvar *);
143 static void ah_hmac_sha2_256_loop(struct ah_algorithm_state *, caddr_t, size_t);
144 static void ah_hmac_sha2_256_result(struct ah_algorithm_state *, caddr_t, size_t);
145 static int ah_sumsiz_sha2_384(struct secasvar *);
146 static int ah_hmac_sha2_384_mature(struct secasvar *);
147 static int ah_hmac_sha2_384_init(struct ah_algorithm_state *,
148 struct secasvar *);
149 static void ah_hmac_sha2_384_loop(struct ah_algorithm_state *, caddr_t, size_t);
150 static void ah_hmac_sha2_384_result(struct ah_algorithm_state *, caddr_t, size_t);
151 static int ah_sumsiz_sha2_512(struct secasvar *);
152 static int ah_hmac_sha2_512_mature(struct secasvar *);
153 static int ah_hmac_sha2_512_init(struct ah_algorithm_state *,
154 struct secasvar *);
155 static void ah_hmac_sha2_512_loop(struct ah_algorithm_state *, caddr_t, size_t);
156 static void ah_hmac_sha2_512_result(struct ah_algorithm_state *, caddr_t, size_t);
157 #endif /* AH_ALL_CRYPTO */
158
159 static void ah_update_mbuf(struct mbuf *, int, int,
160 const struct ah_algorithm *, struct ah_algorithm_state *);
161
162 /*
163 * If any algorithm requires more than 2048 bits (256 bytes) of key material,
164 * update IPSEC_KEY_AUTH_MAX_BYTES in ipsec.h
165 */
166 const struct ah_algorithm *
ah_algorithm_lookup(int idx)167 ah_algorithm_lookup(int idx)
168 {
169 /* checksum algorithms */
170 static const struct ah_algorithm hmac_md5 =
171 { ah_sumsiz_1216, ah_hmac_md5_mature, 128, 128, "hmac-md5",
172 ah_hmac_md5_init, ah_hmac_md5_loop,
173 ah_hmac_md5_result, };
174 static const struct ah_algorithm keyed_md5 =
175 { ah_sumsiz_1216, ah_keyed_md5_mature, 128, 128, "keyed-md5",
176 ah_keyed_md5_init, ah_keyed_md5_loop,
177 ah_keyed_md5_result, };
178 static const struct ah_algorithm hmac_sha1 =
179 { ah_sumsiz_1216, ah_hmac_sha1_mature, 160, 160, "hmac-sha1",
180 ah_hmac_sha1_init, ah_hmac_sha1_loop,
181 ah_hmac_sha1_result, };
182 static const struct ah_algorithm keyed_sha1 =
183 { ah_sumsiz_1216, ah_keyed_sha1_mature, 160, 160, "keyed-sha1",
184 ah_keyed_sha1_init, ah_keyed_sha1_loop,
185 ah_keyed_sha1_result, };
186 static const struct ah_algorithm ah_none =
187 { ah_sumsiz_zero, ah_none_mature, 0, 2048, "none",
188 ah_none_init, ah_none_loop, ah_none_result, };
189 #if AH_ALL_CRYPTO
190 static const struct ah_algorithm hmac_sha2_256 =
191 { ah_sumsiz_sha2_256, ah_hmac_sha2_256_mature, 256, 256,
192 "hmac-sha2-256",
193 ah_hmac_sha2_256_init, ah_hmac_sha2_256_loop,
194 ah_hmac_sha2_256_result, };
195 static const struct ah_algorithm hmac_sha2_384 =
196 { ah_sumsiz_sha2_384, ah_hmac_sha2_384_mature, 384, 384,
197 "hmac-sha2-384",
198 ah_hmac_sha2_384_init, ah_hmac_sha2_384_loop,
199 ah_hmac_sha2_384_result, };
200 static const struct ah_algorithm hmac_sha2_512 =
201 { ah_sumsiz_sha2_512, ah_hmac_sha2_512_mature, 512, 512,
202 "hmac-sha2-512",
203 ah_hmac_sha2_512_init, ah_hmac_sha2_512_loop,
204 ah_hmac_sha2_512_result, };
205 #endif /* AH_ALL_CRYPTO */
206
207 switch (idx) {
208 case SADB_AALG_MD5HMAC:
209 return &hmac_md5;
210 case SADB_AALG_SHA1HMAC:
211 return &hmac_sha1;
212 case SADB_X_AALG_MD5:
213 return &keyed_md5;
214 case SADB_X_AALG_SHA:
215 return &keyed_sha1;
216 case SADB_X_AALG_NULL:
217 return &ah_none;
218 #if AH_ALL_CRYPTO
219 case SADB_X_AALG_SHA2_256:
220 return &hmac_sha2_256;
221 case SADB_X_AALG_SHA2_384:
222 return &hmac_sha2_384;
223 case SADB_X_AALG_SHA2_512:
224 return &hmac_sha2_512;
225 #endif /* AH_ALL_CRYPTO */
226 default:
227 return NULL;
228 }
229 }
230
231
232 static int
ah_sumsiz_1216(struct secasvar * sav)233 ah_sumsiz_1216(struct secasvar *sav)
234 {
235 if (!sav) {
236 return -1;
237 }
238 if (sav->flags & SADB_X_EXT_OLD) {
239 return 16;
240 } else {
241 return 12;
242 }
243 }
244
245 static int
ah_sumsiz_zero(struct secasvar * sav)246 ah_sumsiz_zero(struct secasvar *sav)
247 {
248 if (!sav) {
249 return -1;
250 }
251 return 0;
252 }
253
254 static int
ah_none_mature(struct secasvar * sav)255 ah_none_mature(struct secasvar *sav)
256 {
257 if (sav->sah->saidx.proto == IPPROTO_AH) {
258 ipseclog((LOG_ERR,
259 "ah_none_mature: protocol and algorithm mismatch.\n"));
260 return 1;
261 }
262 return 0;
263 }
264
265 static int
ah_none_init(struct ah_algorithm_state * state,__unused struct secasvar * sav)266 ah_none_init(
267 struct ah_algorithm_state *state,
268 __unused struct secasvar *sav)
269 {
270 state->foo = NULL;
271 return 0;
272 }
273
274 static void
ah_none_loop(__unused struct ah_algorithm_state * state,__unused caddr_t addr,__unused size_t len)275 ah_none_loop(
276 __unused struct ah_algorithm_state *state,
277 __unused caddr_t addr,
278 __unused size_t len)
279 {
280 }
281
282 static void
ah_none_result(__unused struct ah_algorithm_state * state,__unused caddr_t addr,__unused size_t l)283 ah_none_result(
284 __unused struct ah_algorithm_state *state,
285 __unused caddr_t addr,
286 __unused size_t l)
287 {
288 }
289
290 static int
ah_keyed_md5_mature(__unused struct secasvar * sav)291 ah_keyed_md5_mature(
292 __unused struct secasvar *sav)
293 {
294 /* anything is okay */
295 return 0;
296 }
297
298 static int
ah_keyed_md5_init(struct ah_algorithm_state * state,struct secasvar * sav)299 ah_keyed_md5_init(struct ah_algorithm_state *state, struct secasvar *sav)
300 {
301 size_t keybitlen;
302 u_int8_t buf[32] __attribute__((aligned(4)));
303 unsigned int padlen;
304
305 if (!state) {
306 panic("ah_keyed_md5_init: what?");
307 }
308
309 state->sav = sav;
310 state->foo = (void *)kalloc_data(KEYED_MD5_DATA_SIZE, Z_NOWAIT);
311 if (state->foo == NULL) {
312 return ENOBUFS;
313 }
314
315 MD5Init((MD5_CTX *)state->foo);
316 if (state->sav) {
317 MD5Update((MD5_CTX *)state->foo,
318 (u_int8_t *)_KEYBUF(state->sav->key_auth),
319 (u_int)_KEYLEN(state->sav->key_auth));
320
321 /*
322 * Pad after the key.
323 * We cannot simply use md5_pad() since the function
324 * won't update the total length.
325 */
326 if (_KEYLEN(state->sav->key_auth) < 56) {
327 padlen = 64 - 8 - _KEYLEN(state->sav->key_auth);
328 } else {
329 padlen = 64 + 64 - 8 - _KEYLEN(state->sav->key_auth);
330 }
331 keybitlen = _KEYLEN(state->sav->key_auth);
332 keybitlen *= 8;
333
334 buf[0] = 0x80;
335 MD5Update((MD5_CTX *)state->foo, &buf[0], 1);
336 padlen--;
337
338 bzero(buf, sizeof(buf));
339 while (sizeof(buf) < padlen) {
340 MD5Update((MD5_CTX *)state->foo, &buf[0], sizeof(buf));
341 padlen -= sizeof(buf);
342 }
343 if (padlen) {
344 MD5Update((MD5_CTX *)state->foo, &buf[0], padlen);
345 }
346
347 buf[0] = (keybitlen >> 0) & 0xff;
348 buf[1] = (keybitlen >> 8) & 0xff;
349 buf[2] = (keybitlen >> 16) & 0xff;
350 buf[3] = (keybitlen >> 24) & 0xff;
351 MD5Update((MD5_CTX *)state->foo, buf, 8);
352 }
353
354 return 0;
355 }
356
357 static void
ah_keyed_md5_loop(struct ah_algorithm_state * state,caddr_t addr,size_t len)358 ah_keyed_md5_loop(struct ah_algorithm_state *state, caddr_t addr, size_t len)
359 {
360 if (!state) {
361 panic("ah_keyed_md5_loop: what?");
362 }
363
364 VERIFY(len <= UINT_MAX);
365 MD5Update((MD5_CTX *)state->foo, addr, (uint)len);
366 }
367
368 static void
ah_keyed_md5_result(struct ah_algorithm_state * state,caddr_t addr,size_t l)369 ah_keyed_md5_result(struct ah_algorithm_state *state, caddr_t addr, size_t l)
370 {
371 u_char digest[16] __attribute__((aligned(4)));
372
373 if (!state) {
374 panic("ah_keyed_md5_result: what?");
375 }
376
377 if (state->sav) {
378 MD5Update((MD5_CTX *)state->foo,
379 (u_int8_t *)_KEYBUF(state->sav->key_auth),
380 (u_int)_KEYLEN(state->sav->key_auth));
381 }
382 MD5Final(&digest[0], (MD5_CTX *)state->foo);
383 kfree_data(state->foo, KEYED_MD5_DATA_SIZE);
384 bcopy(&digest[0], (void *)addr, sizeof(digest) > l ? l : sizeof(digest));
385 }
386
387 static int
ah_keyed_sha1_mature(struct secasvar * sav)388 ah_keyed_sha1_mature(struct secasvar *sav)
389 {
390 const struct ah_algorithm *algo;
391
392 if (!sav->key_auth) {
393 ipseclog((LOG_ERR, "ah_keyed_sha1_mature: no key is given.\n"));
394 return 1;
395 }
396
397 algo = ah_algorithm_lookup(sav->alg_auth);
398 if (!algo) {
399 ipseclog((LOG_ERR, "ah_keyed_sha1_mature: unsupported algorithm.\n"));
400 return 1;
401 }
402
403 if (sav->key_auth->sadb_key_bits < algo->keymin
404 || algo->keymax < sav->key_auth->sadb_key_bits) {
405 ipseclog((LOG_ERR,
406 "ah_keyed_sha1_mature: invalid key length %d.\n",
407 sav->key_auth->sadb_key_bits));
408 return 1;
409 }
410
411 return 0;
412 }
413
414 static int
ah_keyed_sha1_init(struct ah_algorithm_state * state,struct secasvar * sav)415 ah_keyed_sha1_init(struct ah_algorithm_state *state, struct secasvar *sav)
416 {
417 SHA1_CTX *ctxt;
418 size_t padlen;
419 size_t keybitlen;
420 u_int8_t buf[32] __attribute__((aligned(4)));
421
422 if (!state) {
423 panic("ah_keyed_sha1_init: what?");
424 }
425
426 state->sav = sav;
427 state->foo = (void *)kalloc_data(KEYED_SHA1_DATA_SIZE, Z_NOWAIT);
428 if (!state->foo) {
429 return ENOBUFS;
430 }
431
432 ctxt = (SHA1_CTX *)state->foo;
433 SHA1Init(ctxt);
434
435 if (state->sav) {
436 SHA1Update(ctxt, (u_int8_t *)_KEYBUF(state->sav->key_auth),
437 (u_int)_KEYLEN(state->sav->key_auth));
438
439 /*
440 * Pad after the key.
441 */
442 if (_KEYLEN(state->sav->key_auth) < 56) {
443 padlen = 64 - 8 - _KEYLEN(state->sav->key_auth);
444 } else {
445 padlen = 64 + 64 - 8 - _KEYLEN(state->sav->key_auth);
446 }
447 keybitlen = _KEYLEN(state->sav->key_auth);
448 keybitlen *= 8;
449
450 buf[0] = 0x80;
451 SHA1Update(ctxt, &buf[0], 1);
452 padlen--;
453
454 bzero(buf, sizeof(buf));
455 while (sizeof(buf) < padlen) {
456 SHA1Update(ctxt, &buf[0], sizeof(buf));
457 padlen -= sizeof(buf);
458 }
459 if (padlen) {
460 SHA1Update(ctxt, &buf[0], padlen);
461 }
462
463 buf[0] = (keybitlen >> 0) & 0xff;
464 buf[1] = (keybitlen >> 8) & 0xff;
465 buf[2] = (keybitlen >> 16) & 0xff;
466 buf[3] = (keybitlen >> 24) & 0xff;
467 SHA1Update(ctxt, buf, 8);
468 }
469
470 return 0;
471 }
472
473 static void
ah_keyed_sha1_loop(struct ah_algorithm_state * state,caddr_t addr,size_t len)474 ah_keyed_sha1_loop(struct ah_algorithm_state *state, caddr_t addr, size_t len)
475 {
476 SHA1_CTX *ctxt;
477
478 if (!state || !state->foo) {
479 panic("ah_keyed_sha1_loop: what?");
480 }
481 ctxt = (SHA1_CTX *)state->foo;
482
483 SHA1Update(ctxt, (caddr_t)addr, (size_t)len);
484 }
485
486 static void
ah_keyed_sha1_result(struct ah_algorithm_state * state,caddr_t addr,size_t l)487 ah_keyed_sha1_result(struct ah_algorithm_state *state, caddr_t addr, size_t l)
488 {
489 u_char digest[SHA1_RESULTLEN] __attribute__((aligned(4))); /* SHA-1 generates 160 bits */
490 SHA1_CTX *ctxt;
491
492 if (!state || !state->foo) {
493 panic("ah_keyed_sha1_result: what?");
494 }
495 ctxt = (SHA1_CTX *)state->foo;
496
497 if (state->sav) {
498 SHA1Update(ctxt, (u_int8_t *)_KEYBUF(state->sav->key_auth),
499 (u_int)_KEYLEN(state->sav->key_auth));
500 }
501 SHA1Final((caddr_t)&digest[0], ctxt);
502 bcopy(&digest[0], (void *)addr, sizeof(digest) > l ? l : sizeof(digest));
503
504 kfree_data(state->foo, KEYED_SHA1_DATA_SIZE);
505 }
506
507 static int
ah_hmac_md5_mature(struct secasvar * sav)508 ah_hmac_md5_mature(struct secasvar *sav)
509 {
510 const struct ah_algorithm *algo;
511
512 if (!sav->key_auth) {
513 ipseclog((LOG_ERR, "ah_hmac_md5_mature: no key is given.\n"));
514 return 1;
515 }
516
517 algo = ah_algorithm_lookup(sav->alg_auth);
518 if (!algo) {
519 ipseclog((LOG_ERR, "ah_hmac_md5_mature: unsupported algorithm.\n"));
520 return 1;
521 }
522
523 if (sav->key_auth->sadb_key_bits < algo->keymin
524 || algo->keymax < sav->key_auth->sadb_key_bits) {
525 ipseclog((LOG_ERR,
526 "ah_hmac_md5_mature: invalid key length %d.\n",
527 sav->key_auth->sadb_key_bits));
528 return 1;
529 }
530
531 return 0;
532 }
533
534 static int
ah_hmac_md5_init(struct ah_algorithm_state * state,struct secasvar * sav)535 ah_hmac_md5_init(struct ah_algorithm_state *state, struct secasvar *sav)
536 {
537 u_char *ipad;
538 u_char *opad;
539 u_char tk[16] __attribute__((aligned(4)));
540 u_char *key;
541 size_t keylen;
542 size_t i;
543 MD5_CTX *ctxt;
544
545 if (!state) {
546 panic("ah_hmac_md5_init: what?");
547 }
548
549 state->sav = sav;
550 state->foo = (void *)kalloc_data(HMAC_MD5_DATA_SIZE, Z_NOWAIT);
551 if (!state->foo) {
552 return ENOBUFS;
553 }
554
555 ipad = (u_char *)state->foo;
556 opad = (u_char *)(ipad + 64);
557 ctxt = (MD5_CTX *)(void *)(opad + 64);
558
559 /* compress the key if necessery */
560 if (64 < _KEYLEN(state->sav->key_auth)) {
561 MD5Init(ctxt);
562 MD5Update(ctxt, _KEYBUF(state->sav->key_auth),
563 _KEYLEN(state->sav->key_auth));
564 MD5Final(&tk[0], ctxt);
565 key = &tk[0];
566 keylen = 16;
567 } else {
568 key = (u_char *) _KEYBUF(state->sav->key_auth);
569 keylen = _KEYLEN(state->sav->key_auth);
570 }
571
572 bzero(ipad, 64);
573 bzero(opad, 64);
574 bcopy(key, ipad, keylen);
575 bcopy(key, opad, keylen);
576 for (i = 0; i < 64; i++) {
577 ipad[i] ^= 0x36;
578 opad[i] ^= 0x5c;
579 }
580
581 MD5Init(ctxt);
582 MD5Update(ctxt, ipad, 64);
583
584 return 0;
585 }
586
587 static void
ah_hmac_md5_loop(struct ah_algorithm_state * state,caddr_t addr,size_t len)588 ah_hmac_md5_loop(struct ah_algorithm_state *state, caddr_t addr, size_t len)
589 {
590 MD5_CTX *ctxt;
591
592 if (!state || !state->foo) {
593 panic("ah_hmac_md5_loop: what?");
594 }
595 ctxt = (MD5_CTX *)(void *)(((caddr_t)state->foo) + 128);
596 VERIFY(len <= UINT_MAX);
597 MD5Update(ctxt, addr, (uint)len);
598 }
599
600 static void
ah_hmac_md5_result(struct ah_algorithm_state * state,caddr_t addr,size_t l)601 ah_hmac_md5_result(struct ah_algorithm_state *state, caddr_t addr, size_t l)
602 {
603 u_char digest[16] __attribute__((aligned(4)));
604 u_char *ipad;
605 u_char *opad;
606 MD5_CTX *ctxt;
607
608 if (!state || !state->foo) {
609 panic("ah_hmac_md5_result: what?");
610 }
611
612 ipad = (u_char *)state->foo;
613 opad = (u_char *)(ipad + 64);
614 ctxt = (MD5_CTX *)(void *)(opad + 64);
615
616 MD5Final(&digest[0], ctxt);
617
618 MD5Init(ctxt);
619 MD5Update(ctxt, opad, 64);
620 MD5Update(ctxt, &digest[0], sizeof(digest));
621 MD5Final(&digest[0], ctxt);
622
623 bcopy(&digest[0], (void *)addr, sizeof(digest) > l ? l : sizeof(digest));
624
625 kfree_data(state->foo, HMAC_MD5_DATA_SIZE);
626 }
627
628 static int
ah_hmac_sha1_mature(struct secasvar * sav)629 ah_hmac_sha1_mature(struct secasvar *sav)
630 {
631 const struct ah_algorithm *algo;
632
633 if (!sav->key_auth) {
634 ipseclog((LOG_ERR, "ah_hmac_sha1_mature: no key is given.\n"));
635 return 1;
636 }
637
638 algo = ah_algorithm_lookup(sav->alg_auth);
639 if (!algo) {
640 ipseclog((LOG_ERR, "ah_hmac_sha1_mature: unsupported algorithm.\n"));
641 return 1;
642 }
643
644 if (sav->key_auth->sadb_key_bits < algo->keymin
645 || algo->keymax < sav->key_auth->sadb_key_bits) {
646 ipseclog((LOG_ERR,
647 "ah_hmac_sha1_mature: invalid key length %d.\n",
648 sav->key_auth->sadb_key_bits));
649 return 1;
650 }
651
652 return 0;
653 }
654
655 static int
ah_hmac_sha1_init(struct ah_algorithm_state * state,struct secasvar * sav)656 ah_hmac_sha1_init(struct ah_algorithm_state *state, struct secasvar *sav)
657 {
658 u_char *ipad;
659 u_char *opad;
660 SHA1_CTX *ctxt;
661 u_char tk[SHA1_RESULTLEN] __attribute__((aligned(4))); /* SHA-1 generates 160 bits */
662 u_char *key;
663 size_t keylen;
664 size_t i;
665
666 if (!state) {
667 panic("ah_hmac_sha1_init: what?");
668 }
669
670 state->sav = sav;
671 state->foo = (void *)kalloc_data(HMAC_SHA1_DATA_SIZE, Z_NOWAIT);
672 if (!state->foo) {
673 return ENOBUFS;
674 }
675
676 ipad = (u_char *)state->foo;
677 opad = (u_char *)(ipad + 64);
678 ctxt = (SHA1_CTX *)(void *)(opad + 64);
679
680 /* compress the key if necessery */
681 if (64 < _KEYLEN(state->sav->key_auth)) {
682 SHA1Init(ctxt);
683 SHA1Update(ctxt, _KEYBUF(state->sav->key_auth),
684 _KEYLEN(state->sav->key_auth));
685 SHA1Final(&tk[0], ctxt);
686 key = &tk[0];
687 keylen = SHA1_RESULTLEN;
688 } else {
689 key = (u_char *) _KEYBUF(state->sav->key_auth);
690 keylen = _KEYLEN(state->sav->key_auth);
691 }
692
693 bzero(ipad, 64);
694 bzero(opad, 64);
695 bcopy(key, ipad, keylen);
696 bcopy(key, opad, keylen);
697 for (i = 0; i < 64; i++) {
698 ipad[i] ^= 0x36;
699 opad[i] ^= 0x5c;
700 }
701
702 SHA1Init(ctxt);
703 SHA1Update(ctxt, ipad, 64);
704
705 return 0;
706 }
707
708 static void
ah_hmac_sha1_loop(struct ah_algorithm_state * state,caddr_t addr,size_t len)709 ah_hmac_sha1_loop(struct ah_algorithm_state *state, caddr_t addr, size_t len)
710 {
711 SHA1_CTX *ctxt;
712
713 if (!state || !state->foo) {
714 panic("ah_hmac_sha1_loop: what?");
715 }
716
717 ctxt = (SHA1_CTX *)(void *)(((u_char *)state->foo) + 128);
718 SHA1Update(ctxt, (caddr_t)addr, (size_t)len);
719 }
720
721 static void
ah_hmac_sha1_result(struct ah_algorithm_state * state,caddr_t addr,size_t l)722 ah_hmac_sha1_result(struct ah_algorithm_state *state, caddr_t addr, size_t l)
723 {
724 u_char digest[SHA1_RESULTLEN] __attribute__((aligned(4))); /* SHA-1 generates 160 bits */
725 u_char *ipad;
726 u_char *opad;
727 SHA1_CTX *ctxt;
728
729 if (!state || !state->foo) {
730 panic("ah_hmac_sha1_result: what?");
731 }
732
733 ipad = (u_char *)state->foo;
734 opad = (u_char *)(ipad + 64);
735 ctxt = (SHA1_CTX *)(void *)(opad + 64);
736
737 SHA1Final((caddr_t)&digest[0], ctxt);
738
739 SHA1Init(ctxt);
740 SHA1Update(ctxt, opad, 64);
741 SHA1Update(ctxt, (caddr_t)&digest[0], sizeof(digest));
742 SHA1Final((caddr_t)&digest[0], ctxt);
743
744 bcopy(&digest[0], (void *)addr, sizeof(digest) > l ? l : sizeof(digest));
745
746 kfree_data(state->foo, HMAC_SHA1_DATA_SIZE);
747 }
748
749 #if AH_ALL_CRYPTO
750 static int
ah_sumsiz_sha2_256(struct secasvar * sav)751 ah_sumsiz_sha2_256(struct secasvar *sav)
752 {
753 if (!sav) {
754 return -1;
755 }
756 // return half the output size (in bytes), as per rfc 4868
757 return 16; // 256/(8*2)
758 }
759
760 static int
ah_hmac_sha2_256_mature(struct secasvar * sav)761 ah_hmac_sha2_256_mature(struct secasvar *sav)
762 {
763 const struct ah_algorithm *algo;
764
765 if (!sav->key_auth) {
766 ipseclog((LOG_ERR,
767 "ah_hmac_sha2_256_mature: no key is given.\n"));
768 return 1;
769 }
770
771 algo = ah_algorithm_lookup(sav->alg_auth);
772 if (!algo) {
773 ipseclog((LOG_ERR,
774 "ah_hmac_sha2_256_mature: unsupported algorithm.\n"));
775 return 1;
776 }
777
778 if (sav->key_auth->sadb_key_bits < algo->keymin ||
779 algo->keymax < sav->key_auth->sadb_key_bits) {
780 ipseclog((LOG_ERR,
781 "ah_hmac_sha2_256_mature: invalid key length %d.\n",
782 sav->key_auth->sadb_key_bits));
783 return 1;
784 }
785
786 return 0;
787 }
788
789 static int
ah_hmac_sha2_256_init(struct ah_algorithm_state * state,struct secasvar * sav)790 ah_hmac_sha2_256_init(struct ah_algorithm_state *state, struct secasvar *sav)
791 {
792 u_char *ipad;
793 u_char *opad;
794 SHA256_CTX *ctxt;
795 u_char tk[SHA256_DIGEST_LENGTH] __attribute__((aligned(4)));
796 u_char *key;
797 size_t keylen;
798 size_t i;
799
800 if (!state) {
801 panic("ah_hmac_sha2_256_init: what?");
802 }
803
804 state->sav = sav;
805 state->foo = (void *)kalloc_data(HMAC_SHA2_256_DATA_SIZE, Z_NOWAIT);
806 if (!state->foo) {
807 return ENOBUFS;
808 }
809
810 ipad = (u_char *)state->foo;
811 opad = (u_char *)(ipad + 64);
812 ctxt = (SHA256_CTX *)(void *)(opad + 64);
813
814 /* compress the key if necessery */
815 if (64 < _KEYLEN(state->sav->key_auth)) {
816 bzero(tk, sizeof(tk));
817 bzero(ctxt, sizeof(*ctxt));
818 SHA256_Init(ctxt);
819 SHA256_Update(ctxt, (const u_int8_t *) _KEYBUF(state->sav->key_auth),
820 _KEYLEN(state->sav->key_auth));
821 SHA256_Final(&tk[0], ctxt);
822 key = &tk[0];
823 keylen = sizeof(tk) < 64 ? sizeof(tk) : 64;
824 } else {
825 key = (u_char *) _KEYBUF(state->sav->key_auth);
826 keylen = _KEYLEN(state->sav->key_auth);
827 }
828
829 bzero(ipad, 64);
830 bzero(opad, 64);
831 bcopy(key, ipad, keylen);
832 bcopy(key, opad, keylen);
833 for (i = 0; i < 64; i++) {
834 ipad[i] ^= 0x36;
835 opad[i] ^= 0x5c;
836 }
837
838 bzero(ctxt, sizeof(*ctxt));
839 SHA256_Init(ctxt);
840 SHA256_Update(ctxt, ipad, 64);
841
842 return 0;
843 }
844
845 static void
ah_hmac_sha2_256_loop(struct ah_algorithm_state * state,caddr_t addr,size_t len)846 ah_hmac_sha2_256_loop(struct ah_algorithm_state *state,
847 caddr_t addr,
848 size_t len)
849 {
850 SHA256_CTX *ctxt;
851
852 if (!state || !state->foo) {
853 panic("ah_hmac_sha2_256_loop: what?");
854 }
855
856 ctxt = (SHA256_CTX *)(void *)(((u_char *)state->foo) + 128);
857 SHA256_Update(ctxt, (const u_int8_t *)addr, (size_t)len);
858 }
859
860 static void
ah_hmac_sha2_256_result(struct ah_algorithm_state * state,caddr_t addr,size_t l)861 ah_hmac_sha2_256_result(struct ah_algorithm_state *state,
862 caddr_t addr,
863 size_t l)
864 {
865 u_char digest[SHA256_DIGEST_LENGTH] __attribute__((aligned(4)));
866 u_char *ipad;
867 u_char *opad;
868 SHA256_CTX *ctxt;
869
870 if (!state || !state->foo) {
871 panic("ah_hmac_sha2_256_result: what?");
872 }
873
874 ipad = (u_char *)state->foo;
875 opad = (u_char *)(ipad + 64);
876 ctxt = (SHA256_CTX *)(void *)(opad + 64);
877
878 SHA256_Final((u_int8_t *)digest, ctxt);
879
880 SHA256_Init(ctxt);
881 SHA256_Update(ctxt, opad, 64);
882 SHA256_Update(ctxt, (const u_int8_t *)digest, sizeof(digest));
883 SHA256_Final((u_int8_t *)digest, ctxt);
884
885 bcopy(&digest[0], (void *)addr, sizeof(digest) > l ? l : sizeof(digest));
886
887 kfree_data(state->foo, HMAC_SHA2_256_DATA_SIZE);
888 }
889
890 static int
ah_sumsiz_sha2_384(struct secasvar * sav)891 ah_sumsiz_sha2_384(struct secasvar *sav)
892 {
893 if (!sav) {
894 return -1;
895 }
896 // return half the output size (in bytes), as per rfc 4868
897 return 24; // 384/(8*2)
898 }
899
900 static int
ah_hmac_sha2_384_mature(struct secasvar * sav)901 ah_hmac_sha2_384_mature(struct secasvar *sav)
902 {
903 const struct ah_algorithm *algo;
904
905 if (!sav->key_auth) {
906 ipseclog((LOG_ERR,
907 "ah_hmac_sha2_384_mature: no key is given.\n"));
908 return 1;
909 }
910
911 algo = ah_algorithm_lookup(sav->alg_auth);
912 if (!algo) {
913 ipseclog((LOG_ERR,
914 "ah_hmac_sha2_384_mature: unsupported algorithm.\n"));
915 return 1;
916 }
917
918 if (sav->key_auth->sadb_key_bits < algo->keymin ||
919 algo->keymax < sav->key_auth->sadb_key_bits) {
920 ipseclog((LOG_ERR,
921 "ah_hmac_sha2_384_mature: invalid key length %d.\n",
922 sav->key_auth->sadb_key_bits));
923 return 1;
924 }
925
926 return 0;
927 }
928
929 static int
ah_hmac_sha2_384_init(struct ah_algorithm_state * state,struct secasvar * sav)930 ah_hmac_sha2_384_init(struct ah_algorithm_state *state, struct secasvar *sav)
931 {
932 u_char *ipad;
933 u_char *opad;
934 SHA384_CTX *ctxt;
935 u_char tk[SHA384_DIGEST_LENGTH] __attribute__((aligned(4)));
936 u_char *key;
937 size_t keylen;
938 size_t i;
939
940 if (!state) {
941 panic("ah_hmac_sha2_384_init: what?");
942 }
943
944 state->sav = sav;
945 state->foo = (void *)kalloc_data(HMAC_SHA2_384_DATA_SIZE,
946 Z_NOWAIT | Z_ZERO);
947 if (!state->foo) {
948 return ENOBUFS;
949 }
950
951 ipad = (u_char *)state->foo;
952 opad = (u_char *)(ipad + 128);
953 ctxt = (SHA384_CTX *)(void *)(opad + 128);
954
955 /* compress the key if necessery */
956 if (128 < _KEYLEN(state->sav->key_auth)) {
957 bzero(tk, sizeof(tk));
958 bzero(ctxt, sizeof(*ctxt));
959 SHA384_Init(ctxt);
960 SHA384_Update(ctxt, (const u_int8_t *) _KEYBUF(state->sav->key_auth),
961 _KEYLEN(state->sav->key_auth));
962 SHA384_Final(&tk[0], ctxt);
963 key = &tk[0];
964 keylen = sizeof(tk) < 128 ? sizeof(tk) : 128;
965 } else {
966 key = (u_char *) _KEYBUF(state->sav->key_auth);
967 keylen = _KEYLEN(state->sav->key_auth);
968 }
969
970 bzero(ipad, 128);
971 bzero(opad, 128);
972 bcopy(key, ipad, keylen);
973 bcopy(key, opad, keylen);
974 for (i = 0; i < 128; i++) {
975 ipad[i] ^= 0x36;
976 opad[i] ^= 0x5c;
977 }
978
979 bzero(ctxt, sizeof(*ctxt));
980 SHA384_Init(ctxt);
981 SHA384_Update(ctxt, ipad, 128);
982
983 return 0;
984 }
985
986 static void
ah_hmac_sha2_384_loop(struct ah_algorithm_state * state,caddr_t addr,size_t len)987 ah_hmac_sha2_384_loop(struct ah_algorithm_state *state,
988 caddr_t addr,
989 size_t len)
990 {
991 SHA384_CTX *ctxt;
992
993 if (!state || !state->foo) {
994 panic("ah_hmac_sha2_384_loop: what?");
995 }
996
997 ctxt = (SHA384_CTX *)(void *)(((u_char *)state->foo) + 256);
998 SHA384_Update(ctxt, (const u_int8_t *)addr, (size_t)len);
999 }
1000
1001 static void
ah_hmac_sha2_384_result(struct ah_algorithm_state * state,caddr_t addr,size_t l)1002 ah_hmac_sha2_384_result(struct ah_algorithm_state *state,
1003 caddr_t addr,
1004 size_t l)
1005 {
1006 u_char digest[SHA384_DIGEST_LENGTH];
1007 u_char *ipad;
1008 u_char *opad;
1009 SHA384_CTX *ctxt;
1010
1011 if (!state || !state->foo) {
1012 panic("ah_hmac_sha2_384_result: what?");
1013 }
1014
1015 ipad = (u_char *)state->foo;
1016 opad = (u_char *)(ipad + 128);
1017 ctxt = (SHA384_CTX *)(void *)(opad + 128);
1018
1019 SHA384_Final((u_int8_t *)digest, ctxt);
1020
1021 SHA384_Init(ctxt);
1022 SHA384_Update(ctxt, opad, 128);
1023 SHA384_Update(ctxt, (const u_int8_t *)digest, sizeof(digest));
1024 SHA384_Final((u_int8_t *)digest, ctxt);
1025
1026 bcopy(&digest[0], (void *)addr, sizeof(digest) > l ? l : sizeof(digest));
1027
1028 kfree_data(state->foo, HMAC_SHA2_384_DATA_SIZE);
1029 }
1030
1031 static int
ah_sumsiz_sha2_512(struct secasvar * sav)1032 ah_sumsiz_sha2_512(struct secasvar *sav)
1033 {
1034 if (!sav) {
1035 return -1;
1036 }
1037 // return half the output size (in bytes), as per rfc 4868
1038 return 32; // 512/(8*2)
1039 }
1040
1041 static int
ah_hmac_sha2_512_mature(struct secasvar * sav)1042 ah_hmac_sha2_512_mature(struct secasvar *sav)
1043 {
1044 const struct ah_algorithm *algo;
1045
1046 if (!sav->key_auth) {
1047 ipseclog((LOG_ERR,
1048 "ah_hmac_sha2_512_mature: no key is given.\n"));
1049 return 1;
1050 }
1051
1052 algo = ah_algorithm_lookup(sav->alg_auth);
1053 if (!algo) {
1054 ipseclog((LOG_ERR,
1055 "ah_hmac_sha2_512_mature: unsupported algorithm.\n"));
1056 return 1;
1057 }
1058
1059 if (sav->key_auth->sadb_key_bits < algo->keymin ||
1060 algo->keymax < sav->key_auth->sadb_key_bits) {
1061 ipseclog((LOG_ERR,
1062 "ah_hmac_sha2_512_mature: invalid key length %d.\n",
1063 sav->key_auth->sadb_key_bits));
1064 return 1;
1065 }
1066
1067 return 0;
1068 }
1069
1070 static int
ah_hmac_sha2_512_init(struct ah_algorithm_state * state,struct secasvar * sav)1071 ah_hmac_sha2_512_init(struct ah_algorithm_state *state, struct secasvar *sav)
1072 {
1073 u_char *ipad;
1074 u_char *opad;
1075 SHA512_CTX *ctxt;
1076 u_char tk[SHA512_DIGEST_LENGTH] __attribute__((aligned(4)));
1077 u_char *key;
1078 size_t keylen;
1079 size_t i;
1080
1081 if (!state) {
1082 panic("ah_hmac_sha2_512_init: what?");
1083 }
1084
1085 state->sav = sav;
1086 state->foo = (void *)kalloc_data(HMAC_SHA2_512_DATA_SIZE,
1087 Z_NOWAIT | Z_ZERO);
1088 if (!state->foo) {
1089 return ENOBUFS;
1090 }
1091
1092 ipad = (u_char *)state->foo;
1093 opad = (u_char *)(ipad + 128);
1094 ctxt = (SHA512_CTX *)(void *)(opad + 128);
1095
1096 /* compress the key if necessery */
1097 if (128 < _KEYLEN(state->sav->key_auth)) {
1098 bzero(tk, sizeof(tk));
1099 bzero(ctxt, sizeof(*ctxt));
1100 SHA512_Init(ctxt);
1101 SHA512_Update(ctxt, (const u_int8_t *) _KEYBUF(state->sav->key_auth),
1102 _KEYLEN(state->sav->key_auth));
1103 SHA512_Final(&tk[0], ctxt);
1104 key = &tk[0];
1105 keylen = sizeof(tk) < 128 ? sizeof(tk) : 128;
1106 } else {
1107 key = (u_char *) _KEYBUF(state->sav->key_auth);
1108 keylen = _KEYLEN(state->sav->key_auth);
1109 }
1110
1111 bzero(ipad, 128);
1112 bzero(opad, 128);
1113 bcopy(key, ipad, keylen);
1114 bcopy(key, opad, keylen);
1115 for (i = 0; i < 128; i++) {
1116 ipad[i] ^= 0x36;
1117 opad[i] ^= 0x5c;
1118 }
1119
1120 bzero(ctxt, sizeof(*ctxt));
1121 SHA512_Init(ctxt);
1122 SHA512_Update(ctxt, ipad, 128);
1123
1124 return 0;
1125 }
1126
1127 static void
ah_hmac_sha2_512_loop(struct ah_algorithm_state * state,caddr_t addr,size_t len)1128 ah_hmac_sha2_512_loop(struct ah_algorithm_state *state,
1129 caddr_t addr,
1130 size_t len)
1131 {
1132 SHA512_CTX *ctxt;
1133
1134 if (!state || !state->foo) {
1135 panic("ah_hmac_sha2_512_loop: what?");
1136 }
1137
1138 ctxt = (SHA512_CTX *)(void *)(((u_char *)state->foo) + 256);
1139 SHA512_Update(ctxt, (const u_int8_t *) addr, (size_t)len);
1140 }
1141
1142 static void
ah_hmac_sha2_512_result(struct ah_algorithm_state * state,caddr_t addr,size_t l)1143 ah_hmac_sha2_512_result(struct ah_algorithm_state *state,
1144 caddr_t addr,
1145 size_t l)
1146 {
1147 u_char digest[SHA512_DIGEST_LENGTH] __attribute__((aligned(4)));
1148 u_char *ipad;
1149 u_char *opad;
1150 SHA512_CTX *ctxt;
1151
1152 if (!state || !state->foo) {
1153 panic("ah_hmac_sha2_512_result: what?");
1154 }
1155
1156 ipad = (u_char *)state->foo;
1157 opad = (u_char *)(ipad + 128);
1158 ctxt = (SHA512_CTX *)(void *)(opad + 128);
1159
1160 SHA512_Final((u_int8_t *)digest, ctxt);
1161
1162 SHA512_Init(ctxt);
1163 SHA512_Update(ctxt, opad, 128);
1164 SHA512_Update(ctxt, (const u_int8_t *)digest, sizeof(digest));
1165 SHA512_Final((u_int8_t *)digest, ctxt);
1166
1167 bcopy(&digest[0], (void *)addr, sizeof(digest) > l ? l : sizeof(digest));
1168
1169 kfree_data(state->foo, HMAC_SHA2_512_DATA_SIZE);
1170 }
1171 #endif /* AH_ALL_CRYPTO */
1172
1173 /*------------------------------------------------------------*/
1174
1175 /*
1176 * go generate the checksum.
1177 */
1178 static void
ah_update_mbuf(struct mbuf * m,int off,int len,const struct ah_algorithm * algo,struct ah_algorithm_state * algos)1179 ah_update_mbuf(struct mbuf *m, int off, int len,
1180 const struct ah_algorithm *algo,
1181 struct ah_algorithm_state *algos)
1182 {
1183 struct mbuf *n;
1184 int tlen;
1185
1186 /* easy case first */
1187 if (off + len <= m->m_len) {
1188 (algo->update)(algos, mtod(m, caddr_t) + off, len);
1189 return;
1190 }
1191
1192 for (n = m; n; n = n->m_next) {
1193 if (off < n->m_len) {
1194 break;
1195 }
1196
1197 off -= n->m_len;
1198 }
1199
1200 if (!n) {
1201 panic("ah_update_mbuf: wrong offset specified");
1202 }
1203
1204 for (/*nothing*/; n && len > 0; n = n->m_next) {
1205 if (n->m_len == 0) {
1206 continue;
1207 }
1208 if (n->m_len - off < len) {
1209 tlen = n->m_len - off;
1210 } else {
1211 tlen = len;
1212 }
1213
1214 (algo->update)(algos, mtod(n, caddr_t) + off, tlen);
1215
1216 len -= tlen;
1217 off = 0;
1218 }
1219 }
1220
1221 #if INET
1222 /*
1223 * Go generate the checksum. This function won't modify the mbuf chain
1224 * except AH itself.
1225 *
1226 * NOTE: the function does not free mbuf on failure.
1227 * Don't use m_copy(), it will try to share cluster mbuf by using refcnt.
1228 */
1229 int
ah4_calccksum(struct mbuf * m,caddr_t ahdat,size_t len,const struct ah_algorithm * algo,struct secasvar * sav)1230 ah4_calccksum(struct mbuf *m, caddr_t ahdat, size_t len,
1231 const struct ah_algorithm *algo, struct secasvar *sav)
1232 {
1233 int off;
1234 int hdrtype;
1235 size_t advancewidth;
1236 struct ah_algorithm_state algos;
1237 u_char sumbuf[AH_MAXSUMSIZE] __attribute__((aligned(4)));
1238 int error = 0;
1239 int ahseen;
1240 struct mbuf *n = NULL;
1241
1242 if ((m->m_flags & M_PKTHDR) == 0) {
1243 return EINVAL;
1244 }
1245
1246 ahseen = 0;
1247 hdrtype = -1; /*dummy, it is called IPPROTO_IP*/
1248
1249 off = 0;
1250
1251 error = (algo->init)(&algos, sav);
1252 if (error) {
1253 return error;
1254 }
1255
1256 advancewidth = 0; /*safety*/
1257
1258 again:
1259 /* gory. */
1260 switch (hdrtype) {
1261 case -1: /*first one only*/
1262 {
1263 /*
1264 * copy ip hdr, modify to fit the AH checksum rule,
1265 * then take a checksum.
1266 */
1267 struct ip iphdr;
1268 size_t hlen;
1269
1270 m_copydata(m, off, sizeof(iphdr), (caddr_t)&iphdr);
1271 #if _IP_VHL
1272 hlen = IP_VHL_HL(iphdr.ip_vhl) << 2;
1273 #else
1274 hlen = iphdr.ip_hl << 2;
1275 #endif
1276 iphdr.ip_ttl = 0;
1277 iphdr.ip_sum = htons(0);
1278 if (ip4_ah_cleartos) {
1279 iphdr.ip_tos = 0;
1280 }
1281 iphdr.ip_off = htons(ntohs(iphdr.ip_off) & ip4_ah_offsetmask);
1282 (algo->update)(&algos, (caddr_t)&iphdr, sizeof(struct ip));
1283
1284 if (hlen != sizeof(struct ip)) {
1285 u_char *p;
1286 int i, l, skip;
1287
1288 if (hlen > MCLBYTES) {
1289 error = EMSGSIZE;
1290 goto fail;
1291 }
1292 MGET(n, M_DONTWAIT, MT_DATA);
1293 if (n && hlen > MLEN) {
1294 MCLGET(n, M_DONTWAIT);
1295 if ((n->m_flags & M_EXT) == 0) {
1296 m_free(n);
1297 n = NULL;
1298 }
1299 }
1300 if (n == NULL) {
1301 error = ENOBUFS;
1302 goto fail;
1303 }
1304 VERIFY(hlen <= INT_MAX);
1305 m_copydata(m, off, (int)hlen, mtod(n, caddr_t));
1306
1307 /*
1308 * IP options processing.
1309 * See RFC2402 appendix A.
1310 */
1311 p = mtod(n, u_char *);
1312 i = sizeof(struct ip);
1313 while (i < hlen) {
1314 if (i + IPOPT_OPTVAL >= hlen) {
1315 ipseclog((LOG_ERR, "ah4_calccksum: "
1316 "invalid IP option\n"));
1317 error = EINVAL;
1318 goto fail;
1319 }
1320 if (p[i + IPOPT_OPTVAL] == IPOPT_EOL ||
1321 p[i + IPOPT_OPTVAL] == IPOPT_NOP ||
1322 i + IPOPT_OLEN < hlen) {
1323 ;
1324 } else {
1325 ipseclog((LOG_ERR,
1326 "ah4_calccksum: invalid IP option "
1327 "(type=%02x)\n",
1328 p[i + IPOPT_OPTVAL]));
1329 error = EINVAL;
1330 goto fail;
1331 }
1332
1333 skip = 1;
1334 switch (p[i + IPOPT_OPTVAL]) {
1335 case IPOPT_EOL:
1336 case IPOPT_NOP:
1337 l = 1;
1338 skip = 0;
1339 break;
1340 case IPOPT_SECURITY: /* 0x82 */
1341 case 0x85: /* Extended security */
1342 case 0x86: /* Commercial security */
1343 case 0x94: /* Router alert */
1344 case 0x95: /* RFC1770 */
1345 l = p[i + IPOPT_OLEN];
1346 if (l < 2) {
1347 goto invalopt;
1348 }
1349 skip = 0;
1350 break;
1351 default:
1352 l = p[i + IPOPT_OLEN];
1353 if (l < 2) {
1354 goto invalopt;
1355 }
1356 skip = 1;
1357 break;
1358 }
1359 if (l < 1 || hlen - i < l) {
1360 invalopt:
1361 ipseclog((LOG_ERR,
1362 "ah4_calccksum: invalid IP option "
1363 "(type=%02x len=%02x)\n",
1364 p[i + IPOPT_OPTVAL],
1365 p[i + IPOPT_OLEN]));
1366 error = EINVAL;
1367 goto fail;
1368 }
1369 if (skip) {
1370 bzero(p + i, l);
1371 }
1372 if (p[i + IPOPT_OPTVAL] == IPOPT_EOL) {
1373 break;
1374 }
1375 i += l;
1376 }
1377
1378 p = mtod(n, u_char *) + sizeof(struct ip);
1379 (algo->update)(&algos, (caddr_t)p, hlen - sizeof(struct ip));
1380
1381 m_free(n);
1382 n = NULL;
1383 }
1384
1385 hdrtype = (iphdr.ip_p) & 0xff;
1386 advancewidth = hlen;
1387 break;
1388 }
1389
1390 case IPPROTO_AH:
1391 {
1392 struct ah ah;
1393 int siz;
1394 int hdrsiz;
1395 int totlen;
1396
1397 if (m->m_pkthdr.len - off < sizeof(ah)) {
1398 error = EMSGSIZE;
1399 goto fail;
1400 }
1401
1402 m_copydata(m, off, sizeof(ah), (caddr_t)&ah);
1403 hdrsiz = (sav->flags & SADB_X_EXT_OLD)
1404 ? sizeof(struct ah)
1405 : sizeof(struct newah);
1406 siz = (*algo->sumsiz)(sav);
1407 totlen = (ah.ah_len + 2) << 2;
1408
1409 if (totlen > m->m_pkthdr.len - off) {
1410 error = EMSGSIZE;
1411 goto fail;
1412 }
1413
1414 /*
1415 * special treatment is necessary for the first one, not others
1416 */
1417 if (!ahseen) {
1418 if (totlen > MCLBYTES) {
1419 error = EMSGSIZE;
1420 goto fail;
1421 }
1422 MGET(n, M_DONTWAIT, MT_DATA);
1423 if (n && totlen > MLEN) {
1424 MCLGET(n, M_DONTWAIT);
1425 if ((n->m_flags & M_EXT) == 0) {
1426 m_free(n);
1427 n = NULL;
1428 }
1429 }
1430 if (n == NULL) {
1431 error = ENOBUFS;
1432 goto fail;
1433 }
1434 m_copydata(m, off, totlen, mtod(n, caddr_t));
1435 n->m_len = totlen;
1436 bzero(mtod(n, caddr_t) + hdrsiz, siz);
1437 (algo->update)(&algos, mtod(n, caddr_t), n->m_len);
1438 m_free(n);
1439 n = NULL;
1440 } else {
1441 ah_update_mbuf(m, off, totlen, algo, &algos);
1442 }
1443 ahseen++;
1444
1445 hdrtype = ah.ah_nxt;
1446 advancewidth = totlen;
1447 break;
1448 }
1449
1450 default:
1451 ah_update_mbuf(m, off, m->m_pkthdr.len - off, algo, &algos);
1452 advancewidth = m->m_pkthdr.len - off;
1453 break;
1454 }
1455
1456 off += advancewidth;
1457 if (off < m->m_pkthdr.len) {
1458 goto again;
1459 }
1460
1461 if (len < (*algo->sumsiz)(sav)) {
1462 error = EINVAL;
1463 goto fail;
1464 }
1465
1466 (algo->result)(&algos, (caddr_t) &sumbuf[0], sizeof(sumbuf));
1467 bcopy(&sumbuf[0], ahdat, (*algo->sumsiz)(sav));
1468
1469 if (n) {
1470 m_free(n);
1471 }
1472 return error;
1473
1474 fail:
1475 if (n) {
1476 m_free(n);
1477 }
1478 return error;
1479 }
1480 #endif
1481
1482 /*
1483 * Go generate the checksum. This function won't modify the mbuf chain
1484 * except AH itself.
1485 *
1486 * NOTE: the function does not free mbuf on failure.
1487 * Don't use m_copy(), it will try to share cluster mbuf by using refcnt.
1488 */
1489 int
ah6_calccksum(struct mbuf * m,caddr_t ahdat,size_t len,const struct ah_algorithm * algo,struct secasvar * sav)1490 ah6_calccksum(struct mbuf *m, caddr_t ahdat, size_t len,
1491 const struct ah_algorithm *algo, struct secasvar *sav)
1492 {
1493 int newoff, off;
1494 int proto, nxt;
1495 struct mbuf *n = NULL;
1496 int error;
1497 int ahseen;
1498 struct ah_algorithm_state algos;
1499 u_char sumbuf[AH_MAXSUMSIZE] __attribute__((aligned(4)));
1500
1501 if ((m->m_flags & M_PKTHDR) == 0) {
1502 return EINVAL;
1503 }
1504
1505 error = (algo->init)(&algos, sav);
1506 if (error) {
1507 return error;
1508 }
1509
1510 off = 0;
1511 proto = IPPROTO_IPV6;
1512 nxt = -1;
1513 ahseen = 0;
1514
1515 again:
1516 newoff = ip6_nexthdr(m, off, proto, &nxt);
1517 if (newoff < 0) {
1518 newoff = m->m_pkthdr.len;
1519 } else if (newoff <= off) {
1520 error = EINVAL;
1521 goto fail;
1522 } else if (m->m_pkthdr.len < newoff) {
1523 error = EINVAL;
1524 goto fail;
1525 }
1526
1527 switch (proto) {
1528 case IPPROTO_IPV6:
1529 /*
1530 * special treatment is necessary for the first one, not others
1531 */
1532 if (off == 0) {
1533 struct ip6_hdr ip6copy;
1534
1535 if (newoff - off != sizeof(struct ip6_hdr)) {
1536 error = EINVAL;
1537 goto fail;
1538 }
1539
1540 m_copydata(m, off, newoff - off, (caddr_t)&ip6copy);
1541 /* RFC2402 */
1542 ip6copy.ip6_flow = 0;
1543 ip6copy.ip6_vfc &= ~IPV6_VERSION_MASK;
1544 ip6copy.ip6_vfc |= IPV6_VERSION;
1545 ip6copy.ip6_hlim = 0;
1546 if (IN6_IS_ADDR_LINKLOCAL(&ip6copy.ip6_src)) {
1547 ip6copy.ip6_src.s6_addr16[1] = 0x0000;
1548 }
1549 if (IN6_IS_ADDR_LINKLOCAL(&ip6copy.ip6_dst)) {
1550 ip6copy.ip6_dst.s6_addr16[1] = 0x0000;
1551 }
1552 (algo->update)(&algos, (caddr_t)&ip6copy,
1553 sizeof(struct ip6_hdr));
1554 } else {
1555 newoff = m->m_pkthdr.len;
1556 ah_update_mbuf(m, off, m->m_pkthdr.len - off, algo,
1557 &algos);
1558 }
1559 break;
1560
1561 case IPPROTO_AH:
1562 {
1563 int siz;
1564 int hdrsiz;
1565
1566 hdrsiz = (sav->flags & SADB_X_EXT_OLD)
1567 ? sizeof(struct ah)
1568 : sizeof(struct newah);
1569 siz = (*algo->sumsiz)(sav);
1570
1571 /*
1572 * special treatment is necessary for the first one, not others
1573 */
1574 if (!ahseen) {
1575 if (newoff - off > MCLBYTES) {
1576 error = EMSGSIZE;
1577 goto fail;
1578 }
1579 MGET(n, M_DONTWAIT, MT_DATA);
1580 if (n && newoff - off > MLEN) {
1581 MCLGET(n, M_DONTWAIT);
1582 if ((n->m_flags & M_EXT) == 0) {
1583 m_free(n);
1584 n = NULL;
1585 }
1586 }
1587 if (n == NULL) {
1588 error = ENOBUFS;
1589 goto fail;
1590 }
1591 m_copydata(m, off, newoff - off, mtod(n, caddr_t));
1592 n->m_len = newoff - off;
1593 bzero(mtod(n, caddr_t) + hdrsiz, siz);
1594 (algo->update)(&algos, mtod(n, caddr_t), n->m_len);
1595 m_free(n);
1596 n = NULL;
1597 } else {
1598 ah_update_mbuf(m, off, newoff - off, algo, &algos);
1599 }
1600 ahseen++;
1601 break;
1602 }
1603
1604 case IPPROTO_HOPOPTS:
1605 case IPPROTO_DSTOPTS:
1606 {
1607 struct ip6_ext *ip6e;
1608 int hdrlen, optlen;
1609 u_int8_t *p, *optend, *optp;
1610
1611 if (newoff - off > MCLBYTES) {
1612 error = EMSGSIZE;
1613 goto fail;
1614 }
1615 MGET(n, M_DONTWAIT, MT_DATA);
1616 if (n && newoff - off > MLEN) {
1617 MCLGET(n, M_DONTWAIT);
1618 if ((n->m_flags & M_EXT) == 0) {
1619 m_free(n);
1620 n = NULL;
1621 }
1622 }
1623 if (n == NULL) {
1624 error = ENOBUFS;
1625 goto fail;
1626 }
1627 m_copydata(m, off, newoff - off, mtod(n, caddr_t));
1628 n->m_len = newoff - off;
1629
1630 ip6e = mtod(n, struct ip6_ext *);
1631 hdrlen = (ip6e->ip6e_len + 1) << 3;
1632 if (newoff - off < hdrlen) {
1633 error = EINVAL;
1634 m_free(n);
1635 n = NULL;
1636 goto fail;
1637 }
1638 p = mtod(n, u_int8_t *);
1639 optend = p + hdrlen;
1640
1641 /*
1642 * ICV calculation for the options header including all
1643 * options. This part is a little tricky since there are
1644 * two type of options; mutable and immutable. We try to
1645 * null-out mutable ones here.
1646 */
1647 optp = p + 2;
1648 while (optp < optend) {
1649 if (optp[0] == IP6OPT_PAD1) {
1650 optlen = 1;
1651 } else {
1652 if (optp + 2 > optend) {
1653 error = EINVAL;
1654 m_free(n);
1655 n = NULL;
1656 goto fail;
1657 }
1658 optlen = optp[1] + 2;
1659 if (optp + optlen > optend) {
1660 error = EINVAL;
1661 m_free(n);
1662 n = NULL;
1663 goto fail;
1664 }
1665
1666 if (optp[0] & IP6OPT_MUTABLE) {
1667 bzero(optp + 2, optlen - 2);
1668 }
1669 }
1670
1671 optp += optlen;
1672 }
1673
1674 (algo->update)(&algos, mtod(n, caddr_t), n->m_len);
1675 m_free(n);
1676 n = NULL;
1677 break;
1678 }
1679
1680 case IPPROTO_ROUTING:
1681 /*
1682 * For an input packet, we can just calculate `as is'.
1683 * For an output packet, we assume ip6_output have already
1684 * made packet how it will be received at the final
1685 * destination.
1686 */
1687 /* FALLTHROUGH */
1688
1689 default:
1690 ah_update_mbuf(m, off, newoff - off, algo, &algos);
1691 break;
1692 }
1693
1694 if (newoff < m->m_pkthdr.len) {
1695 proto = nxt;
1696 off = newoff;
1697 goto again;
1698 }
1699
1700 if (len < (*algo->sumsiz)(sav)) {
1701 error = EINVAL;
1702 goto fail;
1703 }
1704
1705 (algo->result)(&algos, (caddr_t) &sumbuf[0], sizeof(sumbuf));
1706 bcopy(&sumbuf[0], ahdat, (*algo->sumsiz)(sav));
1707
1708 /* just in case */
1709 if (n) {
1710 m_free(n);
1711 }
1712 return 0;
1713 fail:
1714 /* just in case */
1715 if (n) {
1716 m_free(n);
1717 }
1718 return error;
1719 }
1720