esp_core.c source code [codebrowser/bsd/netinet6/esp_core.c]

1	/*
2	* Copyright (c) 2008-2016 Apple Inc. All rights reserved.
3	*
4	* @APPLE_OSREFERENCE_LICENSE_HEADER_START@
5	*
6	* This file contains Original Code and/or Modifications of Original Code
7	* as defined in and that are subject to the Apple Public Source License
8	* Version 2.0 (the 'License'). You may not use this file except in
9	* compliance with the License. The rights granted to you under the License
10	* may not be used to create, or enable the creation or redistribution of,
11	* unlawful or unlicensed copies of an Apple operating system, or to
12	* circumvent, violate, or enable the circumvention or violation of, any
13	* terms of an Apple operating system software license agreement.
14	*
15	* Please obtain a copy of the License at
16	* http://www.opensource.apple.com/apsl/ and read it before using this file.
17	*
18	* The Original Code and all software distributed under the License are
19	* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
20	* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
21	* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
22	* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
23	* Please see the License for the specific language governing rights and
24	* limitations under the License.
25	*
26	* @APPLE_OSREFERENCE_LICENSE_HEADER_END@
27	*/
28
29	/ $FreeBSD: src/sys/netinet6/esp_core.c,v 1.1.2.4 2002/03/26 10:12:29 ume Exp $ /
30	/ $KAME: esp_core.c,v 1.50 2000/11/02 12:27:38 itojun Exp $ /
31
32	/*
33	* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
34	* All rights reserved.
35	*
36	* Redistribution and use in source and binary forms, with or without
37	* modification, are permitted provided that the following conditions
38	* are met:
39	* 1. Redistributions of source code must retain the above copyright
40	* notice, this list of conditions and the following disclaimer.
41	* 2. Redistributions in binary form must reproduce the above copyright
42	* notice, this list of conditions and the following disclaimer in the
43	* documentation and/or other materials provided with the distribution.
44	* 3. Neither the name of the project nor the names of its contributors
45	* may be used to endorse or promote products derived from this software
46	* without specific prior written permission.
47	*
48	* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
49	* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
50	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
51	* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
52	* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
53	* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
54	* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
55	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
56	* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
57	* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
58	* SUCH DAMAGE.
59	*/
60
61	#define _IP_VHL
62
63	#include <sys/param.h>
64	#include <sys/systm.h>
65	#include <sys/malloc.h>
66	#include <sys/mbuf.h>
67	#include <sys/domain.h>
68	#include <sys/protosw.h>
69	#include <sys/socket.h>
70	#include <sys/errno.h>
71	#include <sys/time.h>
72	#include <sys/kernel.h>
73	#include <sys/syslog.h>
74
75	#include <kern/locks.h>
76
77	#include <net/if.h>
78	#include <net/route.h>
79
80	#include <netinet/in.h>
81	#include <netinet/in_var.h>
82	#if INET6
83	#include <netinet/ip6.h>
84	#include <netinet6/ip6_var.h>
85	#include <netinet/icmp6.h>
86	#endif
87
88	#include <netinet6/ipsec.h>
89	#if INET6
90	#include <netinet6/ipsec6.h>
91	#endif
92	#include <netinet6/ah.h>
93	#if INET6
94	#include <netinet6/ah6.h>
95	#endif
96	#include <netinet6/esp.h>
97	#if INET6
98	#include <netinet6/esp6.h>
99	#endif
100	#include <netinet6/esp_rijndael.h>
101	#include <netinet6/esp_chachapoly.h>
102	#include <net/pfkeyv2.h>
103	#include <netkey/keydb.h>
104	#include <netkey/key.h>
105	#include <libkern/crypto/des.h>
106
107	#include <net/net_osdep.h>
108
109	#include <sys/kdebug.h>
110	#define DBG_LAYER_BEG NETDBG_CODE(DBG_NETIPSEC, 1)
111	#define DBG_LAYER_END NETDBG_CODE(DBG_NETIPSEC, 3)
112	#define DBG_FNC_ESPAUTH NETDBG_CODE(DBG_NETIPSEC, (8 << 8))
113	#define MAX_SBUF_LEN 2000
114
115	extern lck_mtx_t *sadb_mutex;
116
117	static int esp_null_mature(struct secasvar *);
118	static int esp_null_decrypt(struct mbuf *, size_t,
119	struct secasvar , const* struct esp_algorithm , int*);
120	static int esp_null_encrypt(struct mbuf *, size_t, size_t,
121	struct secasvar , const* struct esp_algorithm , int*);
122	static int esp_descbc_mature(struct secasvar *);
123	static int esp_descbc_ivlen(const struct esp_algorithm *,
124	struct secasvar *);
125	static int esp_des_schedule(const struct esp_algorithm *,
126	struct secasvar *);
127	static int esp_des_schedlen(const struct esp_algorithm *);
128	static int esp_des_blockdecrypt(const struct esp_algorithm *,
129	struct secasvar , u_int8_t , u_int8_t *);
130	static int esp_des_blockencrypt(const struct esp_algorithm *,
131	struct secasvar , u_int8_t , u_int8_t *);
132	static int esp_cbc_mature(struct secasvar *);
133	static int esp_3des_schedule(const struct esp_algorithm *,
134	struct secasvar *);
135	static int esp_3des_schedlen(const struct esp_algorithm *);
136	static int esp_3des_blockdecrypt(const struct esp_algorithm *,
137	struct secasvar , u_int8_t , u_int8_t *);
138	static int esp_3des_blockencrypt(const struct esp_algorithm *,
139	struct secasvar , u_int8_t , u_int8_t *);
140	static int esp_common_ivlen(const struct esp_algorithm *,
141	struct secasvar *);
142	static int esp_cbc_decrypt(struct mbuf *, size_t,
143	struct secasvar , const* struct esp_algorithm , int*);
144	static int esp_cbc_encrypt(struct mbuf *, size_t, size_t,
145	struct secasvar , const* struct esp_algorithm , int*);
146	static int esp_gcm_mature(struct secasvar *);
147
148	#define MAXIVLEN 16
149
150	#define ESP_AESGCM_KEYLEN128 160 // 16-bytes key + 4 bytes salt
151	#define ESP_AESGCM_KEYLEN192 224 // 24-bytes key + 4 bytes salt
152	#define ESP_AESGCM_KEYLEN256 288 // 32-bytes key + 4 bytes salt
153
154	static const struct esp_algorithm des_cbc =
155	{ `8`, -`1`, esp_descbc_mature, `64`, `64`, esp_des_schedlen,
156	"des-cbc",
157	esp_descbc_ivlen, esp_cbc_decrypt,
158	esp_cbc_encrypt, esp_des_schedule,
159	esp_des_blockdecrypt, esp_des_blockencrypt,
160	`0`, `0`, `0` };
161	static const struct esp_algorithm des3_cbc =
162	{ `8`, `8`, esp_cbc_mature, `192`, `192`, esp_3des_schedlen,
163	"3des-cbc",
164	esp_common_ivlen, esp_cbc_decrypt,
165	esp_cbc_encrypt, esp_3des_schedule,
166	esp_3des_blockdecrypt, esp_3des_blockencrypt,
167	`0`, `0`, `0` };
168	static const struct esp_algorithm null_esp =
169	{ `1`, `0`, esp_null_mature, `0`, `2048`, `0`, "null",
170	esp_common_ivlen, esp_null_decrypt,
171	esp_null_encrypt, NULL, NULL, NULL,
172	`0`, `0`, `0` };
173	static const struct esp_algorithm aes_cbc =
174	{ `16`, `16`, esp_cbc_mature, `128`, `256`, esp_aes_schedlen,
175	"aes-cbc",
176	esp_common_ivlen, esp_cbc_decrypt_aes,
177	esp_cbc_encrypt_aes, esp_aes_schedule,
178	`0`, `0`,
179	`0`, `0`, `0` };
180	static const struct esp_algorithm aes_gcm =
181	{ `4`, `8`, esp_gcm_mature, ESP_AESGCM_KEYLEN128, ESP_AESGCM_KEYLEN256, esp_gcm_schedlen,
182	"aes-gcm",
183	esp_common_ivlen, esp_gcm_decrypt_aes,
184	esp_gcm_encrypt_aes, esp_gcm_schedule,
185	`0`, `0`,
186	`16`, esp_gcm_decrypt_finalize, esp_gcm_encrypt_finalize};
187	static const struct esp_algorithm chacha_poly =
188	{ ESP_CHACHAPOLY_PAD_BOUND, ESP_CHACHAPOLY_IV_LEN,
189	esp_chachapoly_mature, ESP_CHACHAPOLY_KEYBITS_WITH_SALT,
190	ESP_CHACHAPOLY_KEYBITS_WITH_SALT, esp_chachapoly_schedlen,
191	"chacha-poly", esp_chachapoly_ivlen, esp_chachapoly_decrypt,
192	esp_chachapoly_encrypt, esp_chachapoly_schedule,
193	NULL, NULL, ESP_CHACHAPOLY_ICV_LEN,
194	esp_chachapoly_decrypt_finalize, esp_chachapoly_encrypt_finalize};
195
196	static const struct esp_algorithm *esp_algorithms[] = {
197	&des_cbc,
198	&des3_cbc,
199	&null_esp,
200	&aes_cbc,
201	&aes_gcm,
202	&chacha_poly,
203	};
204
205	const struct esp_algorithm *
206	esp_algorithm_lookup(int idx)
207	{
208	switch (idx) {
209	case SADB_EALG_DESCBC:
210	return &des_cbc;
211	case SADB_EALG_3DESCBC:
212	return &des3_cbc;
213	case SADB_EALG_NULL:
214	return &null_esp;
215	case SADB_X_EALG_RIJNDAELCBC:
216	return &aes_cbc;
217	case SADB_X_EALG_AES_GCM:
218	return &aes_gcm;
219	case SADB_X_EALG_CHACHA20POLY1305:
220	return &chacha_poly;
221	default:
222	return NULL;
223	}
224	}
225
226	int
227	esp_max_ivlen(void)
228	{
229	int idx;
230	int ivlen;
231
232	ivlen = `0`;
233	for (idx = `0`; idx < sizeof(esp_algorithms)/sizeof(esp_algorithms[`0`]);
234	idx++) {
235	if (esp_algorithms[idx]->ivlenval > ivlen)
236	ivlen = esp_algorithms[idx]->ivlenval;
237	}
238
239	return ivlen;
240	}
241
242	int
243	esp_schedule(const struct esp_algorithm algo, struct* secasvar *sav)
244	{
245	int error;
246
247	/ check for key length /
248	if (_KEYBITS(sav->key_enc) < algo->keymin \|\|
249	_KEYBITS(sav->key_enc) > algo->keymax) {
250	ipseclog((LOG_ERR,
251	"esp_schedule %s: unsupported key length %d: "
252	"needs %d to %d bits\n", algo->name, _KEYBITS(sav->key_enc),
253	algo->keymin, algo->keymax));
254	return EINVAL;
255	}
256
257	lck_mtx_lock(sadb_mutex);
258	/ already allocated /
259	if (sav->sched && sav->schedlen != `0`) {
260	lck_mtx_unlock(sadb_mutex);
261	return `0`;
262	}
263
264	/ prevent disallowed implicit IV /
265	if (((sav->flags & SADB_X_EXT_IIV) != `0`) &&
266	(sav->alg_enc != SADB_X_EALG_AES_GCM) &&
267	(sav->alg_enc != SADB_X_EALG_CHACHA20POLY1305)) {
268	ipseclog((LOG_ERR,
269	"esp_schedule %s: implicit IV not allowed\n",
270	algo->name));
271	lck_mtx_unlock(sadb_mutex);
272	return EINVAL;
273	}
274
275	/ no schedule necessary /
276	if (!algo->schedule \|\| !algo->schedlen) {
277	lck_mtx_unlock(sadb_mutex);
278	return `0`;
279	}
280
281	sav->schedlen = (*algo->schedlen)(algo);
282	if ((signed) sav->schedlen < `0`) {
283	lck_mtx_unlock(sadb_mutex);
284	return EINVAL;
285	}
286
287	//#### that malloc should be replaced by a saved buffer...
288	sav->sched = _MALLOC(sav->schedlen, M_SECA, M_DONTWAIT);
289	if (!sav->sched) {
290	sav->schedlen = `0`;
291	lck_mtx_unlock(sadb_mutex);
292	return ENOBUFS;
293	}
294
295	error = (*algo->schedule)(algo, sav);
296	if (error) {
297	ipseclog((LOG_ERR, "esp_schedule %s: error %d\n",
298	algo->name, error));
299	bzero(sav->sched, sav->schedlen);
300	FREE(sav->sched, M_SECA);
301	sav->sched = NULL;
302	sav->schedlen = `0`;
303	}
304	lck_mtx_unlock(sadb_mutex);
305	return error;
306	}
307
308	static int
309	esp_null_mature(
310	__unused struct secasvar *sav)
311	{
312
313	/ anything is okay /
314	return `0`;
315	}
316
317	static int
318	esp_null_decrypt(
319	__unused struct mbuf *m,
320	__unused size_t off, / offset to ESP header /
321	__unused struct secasvar *sav,
322	__unused const struct esp_algorithm *algo,
323	__unused int ivlen)
324	{
325
326	return `0`; / do nothing /
327	}
328
329	static int
330	esp_null_encrypt(
331	__unused struct mbuf *m,
332	__unused size_t off, / offset to ESP header /
333	__unused size_t plen, / payload length (to be encrypted) /
334	__unused struct secasvar *sav,
335	__unused const struct esp_algorithm *algo,
336	__unused int ivlen)
337	{
338
339	return `0`; / do nothing /
340	}
341
342	static int
343	esp_descbc_mature(struct secasvar *sav)
344	{
345	const struct esp_algorithm *algo;
346
347	if (!(sav->flags & SADB_X_EXT_OLD) && (sav->flags & SADB_X_EXT_IV4B)) {
348	ipseclog((LOG_ERR, "esp_cbc_mature: "
349	"algorithm incompatible with 4 octets IV length\n"));
350	return `1`;
351	}
352
353	if (!sav->key_enc) {
354	ipseclog((LOG_ERR, "esp_descbc_mature: no key is given.\n"));
355	return `1`;
356	}
357
358	algo = esp_algorithm_lookup(sav->alg_enc);
359	if (!algo) {
360	ipseclog((LOG_ERR,
361	"esp_descbc_mature: unsupported algorithm.\n"));
362	return `1`;
363	}
364
365	if (_KEYBITS(sav->key_enc) < algo->keymin \|\|
366	_KEYBITS(sav->key_enc) > algo->keymax) {
367	ipseclog((LOG_ERR,
368	"esp_descbc_mature: invalid key length %d.\n",
369	_KEYBITS(sav->key_enc)));
370	return `1`;
371	}
372
373	/ weak key check /
374	if (des_is_weak_key((des_cblock *)_KEYBUF(sav->key_enc))) {
375	ipseclog((LOG_ERR,
376	"esp_descbc_mature: weak key was passed.\n"));
377	return `1`;
378	}
379
380	return `0`;
381	}
382
383	static int
384	esp_descbc_ivlen(
385	__unused const struct esp_algorithm *algo,
386	struct secasvar *sav)
387	{
388
389	if (!sav)
390	return `8`;
391	if ((sav->flags & SADB_X_EXT_OLD) && (sav->flags & SADB_X_EXT_IV4B))
392	return `4`;
393	if (!(sav->flags & SADB_X_EXT_OLD) && (sav->flags & SADB_X_EXT_DERIV))
394	return `4`;
395	return `8`;
396	}
397
398	static int
399	esp_des_schedlen(
400	__unused const struct esp_algorithm *algo)
401	{
402	return sizeof(des_ecb_key_schedule);
403	}
404
405	static int
406	esp_des_schedule(
407	__unused const struct esp_algorithm *algo,
408	struct secasvar *sav)
409	{
410
411	LCK_MTX_ASSERT(sadb_mutex, LCK_MTX_ASSERT_OWNED);
412	if (des_ecb_key_sched((des_cblock *)_KEYBUF(sav->key_enc),
413	(des_ecb_key_schedule *)sav->sched))
414	return EINVAL;
415	else
416	return `0`;
417	}
418
419	static int
420	esp_des_blockdecrypt(
421	__unused const struct esp_algorithm *algo,
422	struct secasvar *sav,
423	u_int8_t *s,
424	u_int8_t *d)
425	{
426	/ assumption: d has a good alignment /
427	bcopy(s, d, sizeof(DES_LONG) * `2`);
428	des_ecb_encrypt((des_cblock )d, (des_cblock )d,
429	(des_ecb_key_schedule *)sav->sched, DES_DECRYPT);
430	return `0`;
431	}
432
433	static int
434	esp_des_blockencrypt(
435	__unused const struct esp_algorithm *algo,
436	struct secasvar *sav,
437	u_int8_t *s,
438	u_int8_t *d)
439	{
440	/ assumption: d has a good alignment /
441	bcopy(s, d, sizeof(DES_LONG) * `2`);
442	des_ecb_encrypt((des_cblock )d, (des_cblock )d,
443	(des_ecb_key_schedule *)sav->sched, DES_ENCRYPT);
444	return `0`;
445	}
446
447	static int
448	esp_cbc_mature(struct secasvar *sav)
449	{
450	int keylen;
451	const struct esp_algorithm *algo;
452
453	if (sav->flags & SADB_X_EXT_OLD) {
454	ipseclog((LOG_ERR,
455	"esp_cbc_mature: algorithm incompatible with esp-old\n"));
456	return `1`;
457	}
458	if (sav->flags & SADB_X_EXT_DERIV) {
459	ipseclog((LOG_ERR,
460	"esp_cbc_mature: algorithm incompatible with derived\n"));
461	return `1`;
462	}
463
464	if (!sav->key_enc) {
465	ipseclog((LOG_ERR, "esp_cbc_mature: no key is given.\n"));
466	return `1`;
467	}
468
469	algo = esp_algorithm_lookup(sav->alg_enc);
470	if (!algo) {
471	ipseclog((LOG_ERR,
472	"esp_cbc_mature: unsupported algorithm.\n"));
473	return `1`;
474	}
475
476	keylen = sav->key_enc->sadb_key_bits;
477	if (keylen < algo->keymin \|\| algo->keymax < keylen) {
478	ipseclog((LOG_ERR,
479	"esp_cbc_mature %s: invalid key length %d.\n",
480	algo->name, sav->key_enc->sadb_key_bits));
481	return `1`;
482	}
483	switch (sav->alg_enc) {
484	case SADB_EALG_3DESCBC:
485	/ weak key check /
486	if (des_is_weak_key((des_cblock *)_KEYBUF(sav->key_enc)) \|\|
487	des_is_weak_key((des_cblock *)(_KEYBUF(sav->key_enc) + `8`)) \|\|
488	des_is_weak_key((des_cblock *)(_KEYBUF(sav->key_enc) + `16`))) {
489	ipseclog((LOG_ERR,
490	"esp_cbc_mature %s: weak key was passed.\n",
491	algo->name));
492	return `1`;
493	}
494	break;
495	case SADB_X_EALG_RIJNDAELCBC:
496	/ allows specific key sizes only /
497	if (!(keylen == `128` \|\| keylen == `192` \|\| keylen == `256`)) {
498	ipseclog((LOG_ERR,
499	"esp_cbc_mature %s: invalid key length %d.\n",
500	algo->name, keylen));
501	return `1`;
502	}
503	break;
504	}
505
506	return `0`;
507	}
508
509	static int
510	esp_gcm_mature(struct secasvar *sav)
511	{
512	int keylen;
513	const struct esp_algorithm *algo;
514
515	if (sav->flags & SADB_X_EXT_OLD) {
516	ipseclog((LOG_ERR,
517	"esp_gcm_mature: algorithm incompatible with esp-old\n"));
518	return `1`;
519	}
520	if (sav->flags & SADB_X_EXT_DERIV) {
521	ipseclog((LOG_ERR,
522	"esp_gcm_mature: algorithm incompatible with derived\n"));
523	return `1`;
524	}
525	if (sav->flags & SADB_X_EXT_IIV) {
526	ipseclog((LOG_ERR,
527	"esp_gcm_mature: implicit IV not currently implemented\n"));
528	return `1`;
529	}
530
531	if (!sav->key_enc) {
532	ipseclog((LOG_ERR, "esp_gcm_mature: no key is given.\n"));
533	return `1`;
534	}
535
536	algo = esp_algorithm_lookup(sav->alg_enc);
537	if (!algo) {
538	ipseclog((LOG_ERR,
539	"esp_gcm_mature: unsupported algorithm.\n"));
540	return `1`;
541	}
542
543	keylen = sav->key_enc->sadb_key_bits;
544	if (keylen < algo->keymin \|\| algo->keymax < keylen) {
545	ipseclog((LOG_ERR,
546	"esp_gcm_mature %s: invalid key length %d.\n",
547	algo->name, sav->key_enc->sadb_key_bits));
548	return `1`;
549	}
550	switch (sav->alg_enc) {
551	case SADB_X_EALG_AES_GCM:
552	/ allows specific key sizes only /
553	if (!(keylen == ESP_AESGCM_KEYLEN128 \|\| keylen == ESP_AESGCM_KEYLEN192 \|\| keylen == ESP_AESGCM_KEYLEN256)) {
554	ipseclog((LOG_ERR,
555	"esp_gcm_mature %s: invalid key length %d.\n",
556	algo->name, keylen));
557	return `1`;
558	}
559	break;
560	default:
561	ipseclog((LOG_ERR,
562	"esp_gcm_mature %s: invalid algo %d.\n", sav->alg_enc));
563	return `1`;
564	}
565
566	return `0`;
567	}
568
569	static int
570	esp_3des_schedlen(
571	__unused const struct esp_algorithm *algo)
572	{
573
574	return sizeof(des3_ecb_key_schedule);
575	}
576
577	static int
578	esp_3des_schedule(
579	__unused const struct esp_algorithm *algo,
580	struct secasvar *sav)
581	{
582	LCK_MTX_ASSERT(sadb_mutex, LCK_MTX_ASSERT_OWNED);
583
584	if (des3_ecb_key_sched((des_cblock *)_KEYBUF(sav->key_enc),
585	(des3_ecb_key_schedule *)sav->sched))
586	return EINVAL;
587	else
588	return `0`;
589	}
590
591	static int
592	esp_3des_blockdecrypt(
593	__unused const struct esp_algorithm *algo,
594	struct secasvar *sav,
595	u_int8_t *s,
596	u_int8_t *d)
597	{
598	/ assumption: d has a good alignment /
599	bcopy(s, d, sizeof(DES_LONG) * `2`);
600	des3_ecb_encrypt((des_cblock )d, (des_cblock )d,
601	(des3_ecb_key_schedule *)sav->sched, DES_DECRYPT);
602	return `0`;
603	}
604
605	static int
606	esp_3des_blockencrypt(
607	__unused const struct esp_algorithm *algo,
608	struct secasvar *sav,
609	u_int8_t *s,
610	u_int8_t *d)
611	{
612	/ assumption: d has a good alignment /
613	bcopy(s, d, sizeof(DES_LONG) * `2`);
614	des3_ecb_encrypt((des_cblock )d, (des_cblock )d,
615	(des3_ecb_key_schedule *)sav->sched, DES_ENCRYPT);
616	return `0`;
617	}
618
619	static int
620	esp_common_ivlen(
621	const struct esp_algorithm *algo,
622	__unused struct secasvar *sav)
623	{
624
625	if (!algo)
626	panic("esp_common_ivlen: unknown algorithm");
627	return algo->ivlenval;
628	}
629
630	static int
631	esp_cbc_decrypt(struct mbuf m, size_t off, struct* secasvar *sav,
632	const struct esp_algorithm algo, int* ivlen)
633	{
634	struct mbuf *s;
635	struct mbuf d, d0, *dp;
636	int soff, doff; / offset from the head of chain, to head of this mbuf /
637	int sn, dn; / offset from the head of the mbuf, to meat /
638	size_t ivoff, bodyoff;
639	u_int8_t iv[MAXIVLEN] __attribute__((aligned(`4`))), *ivp;
640	u_int8_t sbuf = NULL, sp, *sp_unaligned;
641	u_int8_t p, q;
642	struct mbuf *scut;
643	int scutoff;
644	int i, result = `0`;
645	int blocklen;
646	int derived;
647
648	if (ivlen != sav->ivlen \|\| ivlen > sizeof(iv)) {
649	ipseclog((LOG_ERR, "esp_cbc_decrypt %s: "
650	"unsupported ivlen %d\n", algo->name, ivlen));
651	m_freem(m);
652	return EINVAL;
653	}
654
655	/ assumes blocklen == padbound /
656	blocklen = algo->padbound;
657
658	#if DIAGNOSTIC
659	if (blocklen > sizeof(iv)) {
660	ipseclog((LOG_ERR, "esp_cbc_decrypt %s: "
661	"unsupported blocklen %d\n", algo->name, blocklen));
662	m_freem(m);
663	return EINVAL;
664	}
665	#endif
666
667	if (sav->flags & SADB_X_EXT_OLD) {
668	/ RFC 1827 /
669	ivoff = off + sizeof(struct esp);
670	bodyoff = off + sizeof(struct esp) + ivlen;
671	derived = `0`;
672	} else {
673	/ RFC 2406 /
674	if (sav->flags & SADB_X_EXT_DERIV) {
675	/*
676	* draft-ietf-ipsec-ciph-des-derived-00.txt
677	* uses sequence number field as IV field.
678	*/
679	ivoff = off + sizeof(struct esp);
680	bodyoff = off + sizeof(struct esp) + sizeof(u_int32_t);
681	ivlen = sizeof(u_int32_t);
682	derived = `1`;
683	} else {
684	ivoff = off + sizeof(struct newesp);
685	bodyoff = off + sizeof(struct newesp) + ivlen;
686	derived = `0`;
687	}
688	}
689
690	/ grab iv /
691	m_copydata(m, ivoff, ivlen, (caddr_t) iv);
692
693	/ extend iv /
694	if (ivlen == blocklen)
695	;
696	else if (ivlen == `4` && blocklen == `8`) {
697	bcopy(&iv[`0`], &iv[`4`], `4`);
698	iv[`4`] ^= `0xff`;
699	iv[`5`] ^= `0xff`;
700	iv[`6`] ^= `0xff`;
701	iv[`7`] ^= `0xff`;
702	} else {
703	ipseclog((LOG_ERR, "esp_cbc_encrypt %s: "
704	"unsupported ivlen/blocklen: %d %d\n",
705	algo->name, ivlen, blocklen));
706	m_freem(m);
707	return EINVAL;
708	}
709
710	if (m->m_pkthdr.len < bodyoff) {
711	ipseclog((LOG_ERR, "esp_cbc_decrypt %s: bad len %d/%lu\n",
712	algo->name, m->m_pkthdr.len, (u_int32_t)bodyoff));
713	m_freem(m);
714	return EINVAL;
715	}
716	if ((m->m_pkthdr.len - bodyoff) % blocklen) {
717	ipseclog((LOG_ERR, "esp_cbc_decrypt %s: "
718	"payload length must be multiple of %d\n",
719	algo->name, blocklen));
720	m_freem(m);
721	return EINVAL;
722	}
723
724	s = m;
725	d = d0 = dp = NULL;
726	soff = doff = sn = dn = `0`;
727	ivp = sp = NULL;
728
729	/ skip bodyoff /
730	while (soff < bodyoff) {
731	if (soff + s->m_len > bodyoff) {
732	sn = bodyoff - soff;
733	break;
734	}
735
736	soff += s->m_len;
737	s = s->m_next;
738	}
739	scut = s;
740	scutoff = sn;
741
742	/ skip over empty mbuf /
743	while (s && s->m_len == `0`)
744	s = s->m_next;
745
746	// Allocate blocksized buffer for unaligned or non-contiguous access
747	sbuf = (u_int8_t *)_MALLOC(blocklen, M_SECA, M_DONTWAIT);
748	if (sbuf == NULL)
749	return ENOBUFS;
750	while (soff < m->m_pkthdr.len) {
751	/ source /
752	if (sn + blocklen <= s->m_len) {
753	/ body is continuous /
754	sp = mtod(s, u_int8_t *) + sn;
755	} else {
756	/ body is non-continuous /
757	m_copydata(s, sn, blocklen, (caddr_t) sbuf);
758	sp = sbuf;
759	}
760
761	/ destination /
762	if (!d \|\| dn + blocklen > d->m_len) {
763	if (d)
764	dp = d;
765	MGET(d, M_DONTWAIT, MT_DATA);
766	i = m->m_pkthdr.len - (soff + sn);
767	if (d && i > MLEN) {
768	MCLGET(d, M_DONTWAIT);
769	if ((d->m_flags & M_EXT) == `0`) {
770	m_free(d);
771	d = NULL;
772	}
773	}
774	if (!d) {
775	m_freem(m);
776	if (d0)
777	m_freem(d0);
778	result = ENOBUFS;
779	goto end;
780	}
781	if (!d0)
782	d0 = d;
783	if (dp)
784	dp->m_next = d;
785
786	// try to make mbuf data aligned
787	if (!IPSEC_IS_P2ALIGNED(d->m_data)) {
788	m_adj(d, IPSEC_GET_P2UNALIGNED_OFS(d->m_data));
789	}
790
791	d->m_len = `0`;
792	d->m_len = (M_TRAILINGSPACE(d) / blocklen) * blocklen;
793	if (d->m_len > i)
794	d->m_len = i;
795	dn = `0`;
796	}
797
798	/ decrypt /
799	// check input pointer alignment and use a separate aligned buffer (if sp is unaligned on 4-byte boundary).
800	if (IPSEC_IS_P2ALIGNED(sp)) {
801	sp_unaligned = NULL;
802	} else {
803	sp_unaligned = sp;
804	sp = sbuf;
805	memcpy(sp, sp_unaligned, blocklen);
806	}
807	// no need to check output pointer alignment
808	(algo->blockdecrypt)(algo, sav, sp, mtod(d, u_int8_t ) + dn);
809
810	// update unaligned pointers
811	if (!IPSEC_IS_P2ALIGNED(sp_unaligned)) {
812	sp = sp_unaligned;
813	}
814
815	/ xor /
816	p = ivp ? ivp : iv;
817	q = mtod(d, u_int8_t *) + dn;
818	for (i = `0`; i < blocklen; i++)
819	q[i] ^= p[i];
820
821	/ next iv /
822	if (sp == sbuf) {
823	bcopy(sbuf, iv, blocklen);
824	ivp = NULL;
825	} else
826	ivp = sp;
827
828	sn += blocklen;
829	dn += blocklen;
830
831	/ find the next source block /
832	while (s && sn >= s->m_len) {
833	sn -= s->m_len;
834	soff += s->m_len;
835	s = s->m_next;
836	}
837	}
838
839	m_freem(scut->m_next);
840	scut->m_len = scutoff;
841	scut->m_next = d0;
842
843	/ just in case /
844	bzero(iv, sizeof(iv));
845	bzero(sbuf, blocklen);
846	end:
847	if (sbuf != NULL)
848	FREE(sbuf, M_SECA);
849	return result;
850	}
851
852	static int
853	esp_cbc_encrypt(
854	struct mbuf *m,
855	size_t off,
856	__unused size_t plen,
857	struct secasvar *sav,
858	const struct esp_algorithm *algo,
859	int ivlen)
860	{
861	struct mbuf *s;
862	struct mbuf d, d0, *dp;
863	int soff, doff; / offset from the head of chain, to head of this mbuf /
864	int sn, dn; / offset from the head of the mbuf, to meat /
865	size_t ivoff, bodyoff;
866	u_int8_t iv[MAXIVLEN] __attribute__((aligned(`4`))), *ivp;
867	u_int8_t sbuf = NULL, sp, *sp_unaligned;
868	u_int8_t p, q;
869	struct mbuf *scut;
870	int scutoff;
871	int i, result = `0`;
872	int blocklen;
873	int derived;
874
875	if (ivlen != sav->ivlen \|\| ivlen > sizeof(iv)) {
876	ipseclog((LOG_ERR, "esp_cbc_encrypt %s: "
877	"unsupported ivlen %d\n", algo->name, ivlen));
878	m_freem(m);
879	return EINVAL;
880	}
881
882	/ assumes blocklen == padbound /
883	blocklen = algo->padbound;
884
885	#if DIAGNOSTIC
886	if (blocklen > sizeof(iv)) {
887	ipseclog((LOG_ERR, "esp_cbc_encrypt %s: "
888	"unsupported blocklen %d\n", algo->name, blocklen));
889	m_freem(m);
890	return EINVAL;
891	}
892	#endif
893
894	if (sav->flags & SADB_X_EXT_OLD) {
895	/ RFC 1827 /
896	ivoff = off + sizeof(struct esp);
897	bodyoff = off + sizeof(struct esp) + ivlen;
898	derived = `0`;
899	} else {
900	/ RFC 2406 /
901	if (sav->flags & SADB_X_EXT_DERIV) {
902	/*
903	* draft-ietf-ipsec-ciph-des-derived-00.txt
904	* uses sequence number field as IV field.
905	*/
906	ivoff = off + sizeof(struct esp);
907	bodyoff = off + sizeof(struct esp) + sizeof(u_int32_t);
908	ivlen = sizeof(u_int32_t);
909	derived = `1`;
910	} else {
911	ivoff = off + sizeof(struct newesp);
912	bodyoff = off + sizeof(struct newesp) + ivlen;
913	derived = `0`;
914	}
915	}
916
917	/ put iv into the packet. if we are in derived mode, use seqno. /
918	if (derived)
919	m_copydata(m, ivoff, ivlen, (caddr_t) iv);
920	else {
921	bcopy(sav->iv, iv, ivlen);
922	/ maybe it is better to overwrite dest, not source /
923	m_copyback(m, ivoff, ivlen, (caddr_t) iv);
924	}
925
926	/ extend iv /
927	if (ivlen == blocklen)
928	;
929	else if (ivlen == `4` && blocklen == `8`) {
930	bcopy(&iv[`0`], &iv[`4`], `4`);
931	iv[`4`] ^= `0xff`;
932	iv[`5`] ^= `0xff`;
933	iv[`6`] ^= `0xff`;
934	iv[`7`] ^= `0xff`;
935	} else {
936	ipseclog((LOG_ERR, "esp_cbc_encrypt %s: "
937	"unsupported ivlen/blocklen: %d %d\n",
938	algo->name, ivlen, blocklen));
939	m_freem(m);
940	return EINVAL;
941	}
942
943	if (m->m_pkthdr.len < bodyoff) {
944	ipseclog((LOG_ERR, "esp_cbc_encrypt %s: bad len %d/%lu\n",
945	algo->name, m->m_pkthdr.len, (u_int32_t)bodyoff));
946	m_freem(m);
947	return EINVAL;
948	}
949	if ((m->m_pkthdr.len - bodyoff) % blocklen) {
950	ipseclog((LOG_ERR, "esp_cbc_encrypt %s: "
951	"payload length must be multiple of %lu\n",
952	algo->name, (u_int32_t)algo->padbound));
953	m_freem(m);
954	return EINVAL;
955	}
956
957	s = m;
958	d = d0 = dp = NULL;
959	soff = doff = sn = dn = `0`;
960	ivp = sp = NULL;
961
962	/ skip bodyoff /
963	while (soff < bodyoff) {
964	if (soff + s->m_len > bodyoff) {
965	sn = bodyoff - soff;
966	break;
967	}
968
969	soff += s->m_len;
970	s = s->m_next;
971	}
972	scut = s;
973	scutoff = sn;
974
975	/ skip over empty mbuf /
976	while (s && s->m_len == `0`)
977	s = s->m_next;
978
979	// Allocate blocksized buffer for unaligned or non-contiguous access
980	sbuf = (u_int8_t *)_MALLOC(blocklen, M_SECA, M_DONTWAIT);
981	if (sbuf == NULL)
982	return ENOBUFS;
983	while (soff < m->m_pkthdr.len) {
984	/ source /
985	if (sn + blocklen <= s->m_len) {
986	/ body is continuous /
987	sp = mtod(s, u_int8_t *) + sn;
988	} else {
989	/ body is non-continuous /
990	m_copydata(s, sn, blocklen, (caddr_t) sbuf);
991	sp = sbuf;
992	}
993
994	/ destination /
995	if (!d \|\| dn + blocklen > d->m_len) {
996	if (d)
997	dp = d;
998	MGET(d, M_DONTWAIT, MT_DATA);
999	i = m->m_pkthdr.len - (soff + sn);
1000	if (d && i > MLEN) {
1001	MCLGET(d, M_DONTWAIT);
1002	if ((d->m_flags & M_EXT) == `0`) {
1003	m_free(d);
1004	d = NULL;
1005	}
1006	}
1007	if (!d) {
1008	m_freem(m);
1009	if (d0)
1010	m_freem(d0);
1011	result = ENOBUFS;
1012	goto end;
1013	}
1014	if (!d0)
1015	d0 = d;
1016	if (dp)
1017	dp->m_next = d;
1018
1019	// try to make mbuf data aligned
1020	if (!IPSEC_IS_P2ALIGNED(d->m_data)) {
1021	m_adj(d, IPSEC_GET_P2UNALIGNED_OFS(d->m_data));
1022	}
1023
1024	d->m_len = `0`;
1025	d->m_len = (M_TRAILINGSPACE(d) / blocklen) * blocklen;
1026	if (d->m_len > i)
1027	d->m_len = i;
1028	dn = `0`;
1029	}
1030
1031	/ xor /
1032	p = ivp ? ivp : iv;
1033	q = sp;
1034	for (i = `0`; i < blocklen; i++)
1035	q[i] ^= p[i];
1036
1037	/ encrypt /
1038	// check input pointer alignment and use a separate aligned buffer (if sp is not aligned on 4-byte boundary).
1039	if (IPSEC_IS_P2ALIGNED(sp)) {
1040	sp_unaligned = NULL;
1041	} else {
1042	sp_unaligned = sp;
1043	sp = sbuf;
1044	memcpy(sp, sp_unaligned, blocklen);
1045	}
1046	// no need to check output pointer alignment
1047	(algo->blockencrypt)(algo, sav, sp, mtod(d, u_int8_t ) + dn);
1048
1049	// update unaligned pointers
1050	if (!IPSEC_IS_P2ALIGNED(sp_unaligned)) {
1051	sp = sp_unaligned;
1052	}
1053
1054	/ next iv /
1055	ivp = mtod(d, u_int8_t *) + dn;
1056
1057	sn += blocklen;
1058	dn += blocklen;
1059
1060	/ find the next source block /
1061	while (s && sn >= s->m_len) {
1062	sn -= s->m_len;
1063	soff += s->m_len;
1064	s = s->m_next;
1065	}
1066	}
1067
1068	m_freem(scut->m_next);
1069	scut->m_len = scutoff;
1070	scut->m_next = d0;
1071
1072	/ just in case /
1073	bzero(iv, sizeof(iv));
1074	bzero(sbuf, blocklen);
1075
1076	key_sa_stir_iv(sav);
1077	end:
1078	if (sbuf != NULL)
1079	FREE(sbuf, M_SECA);
1080	return result;
1081	}
1082
1083	/------------------------------------------------------------/
1084
1085	/ does not free m0 on error /
1086	int
1087	esp_auth(
1088	struct mbuf *m0,
1089	size_t skip, / offset to ESP header /
1090	size_t length, / payload length /
1091	struct secasvar *sav,
1092	u_char *sum)
1093	{
1094	struct mbuf *m;
1095	size_t off;
1096	struct ah_algorithm_state s;
1097	u_char sumbuf[AH_MAXSUMSIZE] __attribute__((aligned(`4`)));
1098	const struct ah_algorithm *algo;
1099	size_t siz;
1100	int error;
1101
1102	/ sanity checks /
1103	if (m0->m_pkthdr.len < skip) {
1104	ipseclog((LOG_DEBUG, "esp_auth: mbuf length < skip\n"));
1105	return EINVAL;
1106	}
1107	if (m0->m_pkthdr.len < skip + length) {
1108	ipseclog((LOG_DEBUG,
1109	"esp_auth: mbuf length < skip + length\n"));
1110	return EINVAL;
1111	}
1112
1113	KERNEL_DEBUG(DBG_FNC_ESPAUTH \| DBG_FUNC_START, skip,length,`0`,`0`,`0`);
1114	/*
1115	* length of esp part (excluding authentication data) must be 4n,
1116	* since nexthdr must be at offset 4n+3.
1117	*/
1118	if (length % `4`) {
1119	ipseclog((LOG_ERR, "esp_auth: length is not multiple of 4\n"));
1120	KERNEL_DEBUG(DBG_FNC_ESPAUTH \| DBG_FUNC_END, `1`,`0`,`0`,`0`,`0`);
1121	return EINVAL;
1122	}
1123	if (!sav) {
1124	ipseclog((LOG_DEBUG, "esp_auth: NULL SA passed\n"));
1125	KERNEL_DEBUG(DBG_FNC_ESPAUTH \| DBG_FUNC_END, `2`,`0`,`0`,`0`,`0`);
1126	return EINVAL;
1127	}
1128	algo = ah_algorithm_lookup(sav->alg_auth);
1129	if (!algo) {
1130	ipseclog((LOG_ERR,
1131	"esp_auth: bad ESP auth algorithm passed: %d\n",
1132	sav->alg_auth));
1133	KERNEL_DEBUG(DBG_FNC_ESPAUTH \| DBG_FUNC_END, `3`,`0`,`0`,`0`,`0`);
1134	return EINVAL;
1135	}
1136
1137	m = m0;
1138	off = `0`;
1139
1140	siz = (((*algo->sumsiz)(sav) + `3`) & ~(`4` - `1`));
1141	if (sizeof(sumbuf) < siz) {
1142	ipseclog((LOG_DEBUG,
1143	"esp_auth: AH_MAXSUMSIZE is too small: siz=%lu\n",
1144	(u_int32_t)siz));
1145	KERNEL_DEBUG(DBG_FNC_ESPAUTH \| DBG_FUNC_END, `4`,`0`,`0`,`0`,`0`);
1146	return EINVAL;
1147	}
1148
1149	/ skip the header /
1150	while (skip) {
1151	if (!m)
1152	panic("mbuf chain?");
1153	if (m->m_len <= skip) {
1154	skip -= m->m_len;
1155	m = m->m_next;
1156	off = `0`;
1157	} else {
1158	off = skip;
1159	skip = `0`;
1160	}
1161	}
1162
1163	error = (*algo->init)(&s, sav);
1164	if (error) {
1165	KERNEL_DEBUG(DBG_FNC_ESPAUTH \| DBG_FUNC_END, `5`,`0`,`0`,`0`,`0`);
1166	return error;
1167	}
1168	while (`0` < length) {
1169	if (!m)
1170	panic("mbuf chain?");
1171
1172	if (m->m_len - off < length) {
1173	(algo->update)(&s, (caddr_t)(mtod(m, u_char ) + off),
1174	m->m_len - off);
1175	length -= m->m_len - off;
1176	m = m->m_next;
1177	off = `0`;
1178	} else {
1179	(algo->update)(&s, (caddr_t)(mtod(m, u_char ) + off), length);
1180	break;
1181	}
1182	}
1183	(algo->result)(&s, (caddr_t) sumbuf, sizeof*(sumbuf));
1184	bcopy(sumbuf, sum, siz); /XXX/
1185	KERNEL_DEBUG(DBG_FNC_ESPAUTH \| DBG_FUNC_END, `6`,`0`,`0`,`0`,`0`);
1186	return `0`;
1187	}
1188

Browse the source code of codebrowser/bsd/netinet6/esp_core.c