]> git.saurik.com Git - apple/xnu.git/blob - bsd/netinet6/esp_core.c
projects / apple / xnu.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
xnu-1504.9.17.tar.gz
[apple/xnu.git] / bsd / netinet6 / esp_core.c
1 /*
2 * Copyright (c) 2008 Apple Inc. All rights reserved.
3 *
4 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. The rights granted to you under the License
10 * may not be used to create, or enable the creation or redistribution of,
11 * unlawful or unlicensed copies of an Apple operating system, or to
12 * circumvent, violate, or enable the circumvention or violation of, any
13 * terms of an Apple operating system software license agreement.
14 *
15 * Please obtain a copy of the License at
16 * http://www.opensource.apple.com/apsl/ and read it before using this file.
17 *
18 * The Original Code and all software distributed under the License are
19 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
20 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
21 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
22 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
23 * Please see the License for the specific language governing rights and
24 * limitations under the License.
25 *
26 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
27 */
28
29 /* $FreeBSD: src/sys/netinet6/esp_core.c,v 1.1.2.4 2002/03/26 10:12:29 ume Exp $ */
30 /* $KAME: esp_core.c,v 1.50 2000/11/02 12:27:38 itojun Exp $ */
31
32 /*
33 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
34 * All rights reserved.
35 *
36 * Redistribution and use in source and binary forms, with or without
37 * modification, are permitted provided that the following conditions
38 * are met:
39 * 1. Redistributions of source code must retain the above copyright
40 * notice, this list of conditions and the following disclaimer.
41 * 2. Redistributions in binary form must reproduce the above copyright
42 * notice, this list of conditions and the following disclaimer in the
43 * documentation and/or other materials provided with the distribution.
44 * 3. Neither the name of the project nor the names of its contributors
45 * may be used to endorse or promote products derived from this software
46 * without specific prior written permission.
47 *
48 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
49 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
50 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
51 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
52 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
53 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
54 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
55 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
56 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
57 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
58 * SUCH DAMAGE.
59 */
60
61 #define _IP_VHL
62
63 #include <sys/param.h>
64 #include <sys/systm.h>
65 #include <sys/malloc.h>
66 #include <sys/mbuf.h>
67 #include <sys/domain.h>
68 #include <sys/protosw.h>
69 #include <sys/socket.h>
70 #include <sys/errno.h>
71 #include <sys/time.h>
72 #include <sys/kernel.h>
73 #include <sys/syslog.h>
74
75 #include <kern/locks.h>
76
77 #include <net/if.h>
78 #include <net/route.h>
79
80 #include <netinet/in.h>
81 #include <netinet/in_var.h>
82 #if INET6
83 #include <netinet/ip6.h>
84 #include <netinet6/ip6_var.h>
85 #include <netinet/icmp6.h>
86 #endif
87
88 #include <netinet6/ipsec.h>
89 #if INET6
90 #include <netinet6/ipsec6.h>
91 #endif
92 #include <netinet6/ah.h>
93 #if INET6
94 #include <netinet6/ah6.h>
95 #endif
96 #include <netinet6/esp.h>
97 #if INET6
98 #include <netinet6/esp6.h>
99 #endif
100 #include <netinet6/esp_rijndael.h>
101 #include <net/pfkeyv2.h>
102 #include <netkey/keydb.h>
103 #include <netkey/key.h>
104 #include <crypto/des/des.h>
105 #include <crypto/blowfish/blowfish.h>
106 #include <crypto/cast128/cast128.h>
107
108 #include <net/net_osdep.h>
109
110 #include <sys/kdebug.h>
111 #define DBG_LAYER_BEG NETDBG_CODE(DBG_NETIPSEC, 1)
112 #define DBG_LAYER_END NETDBG_CODE(DBG_NETIPSEC, 3)
113 #define DBG_FNC_ESPAUTH NETDBG_CODE(DBG_NETIPSEC, (8 << 8))
114
115 extern lck_mtx_t *sadb_mutex;
116
117 static int esp_null_mature(struct secasvar *);
118 static int esp_null_decrypt(struct mbuf *, size_t,
119 struct secasvar *, const struct esp_algorithm *, int);
120 static int esp_null_encrypt(struct mbuf *, size_t, size_t,
121 struct secasvar *, const struct esp_algorithm *, int);
122 static int esp_descbc_mature(struct secasvar *);
123 static int esp_descbc_ivlen(const struct esp_algorithm *,
124 struct secasvar *);
125 static int esp_des_schedule(const struct esp_algorithm *,
126 struct secasvar *);
127 static int esp_des_schedlen(const struct esp_algorithm *);
128 static int esp_des_blockdecrypt(const struct esp_algorithm *,
129 struct secasvar *, u_int8_t *, u_int8_t *);
130 static int esp_des_blockencrypt(const struct esp_algorithm *,
131 struct secasvar *, u_int8_t *, u_int8_t *);
132 static int esp_cbc_mature(struct secasvar *);
133 #if ALLCRYPTO
134 static int esp_blowfish_schedule(const struct esp_algorithm *,
135 struct secasvar *);
136 static int esp_blowfish_schedlen(const struct esp_algorithm *);
137 static int esp_blowfish_blockdecrypt(const struct esp_algorithm *,
138 struct secasvar *, u_int8_t *, u_int8_t *);
139 static int esp_blowfish_blockencrypt(const struct esp_algorithm *,
140 struct secasvar *, u_int8_t *, u_int8_t *);
141 static int esp_cast128_schedule(const struct esp_algorithm *,
142 struct secasvar *);
143 static int esp_cast128_schedlen(const struct esp_algorithm *);
144 static int esp_cast128_blockdecrypt(const struct esp_algorithm *,
145 struct secasvar *, u_int8_t *, u_int8_t *);
146 static int esp_cast128_blockencrypt(const struct esp_algorithm *,
147 struct secasvar *, u_int8_t *, u_int8_t *);
148 #endif /* ALLCRYPTO */
149 static int esp_3des_schedule(const struct esp_algorithm *,
150 struct secasvar *);
151 static int esp_3des_schedlen(const struct esp_algorithm *);
152 static int esp_3des_blockdecrypt(const struct esp_algorithm *,
153 struct secasvar *, u_int8_t *, u_int8_t *);
154 static int esp_3des_blockencrypt(const struct esp_algorithm *,
155 struct secasvar *, u_int8_t *, u_int8_t *);
156 static int esp_common_ivlen(const struct esp_algorithm *,
157 struct secasvar *);
158 static int esp_cbc_decrypt(struct mbuf *, size_t,
159 struct secasvar *, const struct esp_algorithm *, int);
160 static int esp_cbc_encrypt(struct mbuf *, size_t, size_t,
161 struct secasvar *, const struct esp_algorithm *, int);
162
163 #define MAXIVLEN 16
164
165 static const struct esp_algorithm des_cbc =
166 { 8, -1, esp_descbc_mature, 64, 64, esp_des_schedlen,
167 "des-cbc",
168 esp_descbc_ivlen, esp_cbc_decrypt,
169 esp_cbc_encrypt, esp_des_schedule,
170 esp_des_blockdecrypt, esp_des_blockencrypt, };
171 static const struct esp_algorithm des3_cbc =
172 { 8, 8, esp_cbc_mature, 192, 192, esp_3des_schedlen,
173 "3des-cbc",
174 esp_common_ivlen, esp_cbc_decrypt,
175 esp_cbc_encrypt, esp_3des_schedule,
176 esp_3des_blockdecrypt, esp_3des_blockencrypt, };
177 static const struct esp_algorithm null_esp =
178 { 1, 0, esp_null_mature, 0, 2048, 0, "null",
179 esp_common_ivlen, esp_null_decrypt,
180 esp_null_encrypt, NULL, NULL, NULL };
181 #if ALLCRYPTO
182 static const struct esp_algorithm blowfish_cbc =
183 { 8, 8, esp_cbc_mature, 40, 448, esp_blowfish_schedlen, "blowfish-cbc",
184 esp_common_ivlen, esp_cbc_decrypt,
185 esp_cbc_encrypt, esp_blowfish_schedule,
186 esp_blowfish_blockdecrypt, esp_blowfish_blockencrypt, };
187 static const struct esp_algorithm cast128_cbc =
188 { 8, 8, esp_cbc_mature, 40, 128, esp_cast128_schedlen,
189 "cast128-cbc",
190 esp_common_ivlen, esp_cbc_decrypt,
191 esp_cbc_encrypt, esp_cast128_schedule,
192 esp_cast128_blockdecrypt, esp_cast128_blockencrypt, };
193 #endif /* ALLCRYPTO */
194 static const struct esp_algorithm aes_cbc =
195 { 16, 16, esp_cbc_mature, 128, 256, esp_aes_schedlen,
196 "aes-cbc",
197 esp_common_ivlen, esp_cbc_decrypt_aes,
198 esp_cbc_encrypt_aes, esp_aes_schedule,
199 0, 0 };
200
201 static const struct esp_algorithm *esp_algorithms[] = {
202 &des_cbc,
203 &des3_cbc,
204 &null_esp,
205 #if ALLCRYPTO
206 &blowfish_cbc,
207 &cast128_cbc,
208 #endif /* ALLCRYPTO */
209 &aes_cbc
210 };
211
212 const struct esp_algorithm *
213 esp_algorithm_lookup(idx)
214 int idx;
215 {
216
217 switch (idx) {
218 case SADB_EALG_DESCBC:
219 return &des_cbc;
220 case SADB_EALG_3DESCBC:
221 return &des3_cbc;
222 case SADB_EALG_NULL:
223 return &null_esp;
224 #if ALLCRYPTO
225 case SADB_X_EALG_BLOWFISHCBC:
226 return &blowfish_cbc;
227 case SADB_X_EALG_CAST128CBC:
228 return &cast128_cbc;
229 #endif /* ALLCRYPTO */
230 case SADB_X_EALG_RIJNDAELCBC:
231 return &aes_cbc;
232 default:
233 return NULL;
234 }
235 }
236
237 int
238 esp_max_ivlen()
239 {
240 int idx;
241 int ivlen;
242
243 ivlen = 0;
244 for (idx = 0; idx < sizeof(esp_algorithms)/sizeof(esp_algorithms[0]);
245 idx++) {
246 if (esp_algorithms[idx]->ivlenval > ivlen)
247 ivlen = esp_algorithms[idx]->ivlenval;
248 }
249
250 return ivlen;
251 }
252
253 int
254 esp_schedule(algo, sav)
255 const struct esp_algorithm *algo;
256 struct secasvar *sav;
257 {
258 int error;
259
260 /* check for key length */
261 if (_KEYBITS(sav->key_enc) < algo->keymin ||
262 _KEYBITS(sav->key_enc) > algo->keymax) {
263 ipseclog((LOG_ERR,
264 "esp_schedule %s: unsupported key length %d: "
265 "needs %d to %d bits\n", algo->name, _KEYBITS(sav->key_enc),
266 algo->keymin, algo->keymax));
267 return EINVAL;
268 }
269
270 lck_mtx_lock(sadb_mutex);
271 /* already allocated */
272 if (sav->sched && sav->schedlen != 0) {
273 lck_mtx_unlock(sadb_mutex);
274 return 0;
275 }
276 /* no schedule necessary */
277 if (!algo->schedule || !algo->schedlen) {
278 lck_mtx_unlock(sadb_mutex);
279 return 0;
280 }
281
282 sav->schedlen = (*algo->schedlen)(algo);
283 if ((signed) sav->schedlen < 0) {
284 lck_mtx_unlock(sadb_mutex);
285 return EINVAL;
286 }
287
288 //#### that malloc should be replaced by a saved buffer...
289 sav->sched = _MALLOC(sav->schedlen, M_SECA, M_DONTWAIT);
290 if (!sav->sched) {
291 sav->schedlen = 0;
292 lck_mtx_unlock(sadb_mutex);
293 return ENOBUFS;
294 }
295
296 error = (*algo->schedule)(algo, sav);
297 if (error) {
298 ipseclog((LOG_ERR, "esp_schedule %s: error %d\n",
299 algo->name, error));
300 bzero(sav->sched, sav->schedlen);
301 FREE(sav->sched, M_SECA);
302 sav->sched = NULL;
303 sav->schedlen = 0;
304 }
305 lck_mtx_unlock(sadb_mutex);
306 return error;
307 }
308
309 static int
310 esp_null_mature(
311 __unused struct secasvar *sav)
312 {
313
314 /* anything is okay */
315 return 0;
316 }
317
318 static int
319 esp_null_decrypt(
320 __unused struct mbuf *m,
321 __unused size_t off, /* offset to ESP header */
322 __unused struct secasvar *sav,
323 __unused const struct esp_algorithm *algo,
324 __unused int ivlen)
325 {
326
327 return 0; /* do nothing */
328 }
329
330 static int
331 esp_null_encrypt(
332 __unused struct mbuf *m,
333 __unused size_t off, /* offset to ESP header */
334 __unused size_t plen, /* payload length (to be encrypted) */
335 __unused struct secasvar *sav,
336 __unused const struct esp_algorithm *algo,
337 __unused int ivlen)
338 {
339
340 return 0; /* do nothing */
341 }
342
343 static int
344 esp_descbc_mature(sav)
345 struct secasvar *sav;
346 {
347 const struct esp_algorithm *algo;
348
349 if (!(sav->flags & SADB_X_EXT_OLD) && (sav->flags & SADB_X_EXT_IV4B)) {
350 ipseclog((LOG_ERR, "esp_cbc_mature: "
351 "algorithm incompatible with 4 octets IV length\n"));
352 return 1;
353 }
354
355 if (!sav->key_enc) {
356 ipseclog((LOG_ERR, "esp_descbc_mature: no key is given.\n"));
357 return 1;
358 }
359
360 algo = esp_algorithm_lookup(sav->alg_enc);
361 if (!algo) {
362 ipseclog((LOG_ERR,
363 "esp_descbc_mature: unsupported algorithm.\n"));
364 return 1;
365 }
366
367 if (_KEYBITS(sav->key_enc) < algo->keymin ||
368 _KEYBITS(sav->key_enc) > algo->keymax) {
369 ipseclog((LOG_ERR,
370 "esp_descbc_mature: invalid key length %d.\n",
371 _KEYBITS(sav->key_enc)));
372 return 1;
373 }
374
375 /* weak key check */
376 if (des_is_weak_key((des_cblock *)_KEYBUF(sav->key_enc))) {
377 ipseclog((LOG_ERR,
378 "esp_descbc_mature: weak key was passed.\n"));
379 return 1;
380 }
381
382 return 0;
383 }
384
385 static int
386 esp_descbc_ivlen(
387 __unused const struct esp_algorithm *algo,
388 struct secasvar *sav)
389 {
390
391 if (!sav)
392 return 8;
393 if ((sav->flags & SADB_X_EXT_OLD) && (sav->flags & SADB_X_EXT_IV4B))
394 return 4;
395 if (!(sav->flags & SADB_X_EXT_OLD) && (sav->flags & SADB_X_EXT_DERIV))
396 return 4;
397 return 8;
398 }
399
400 static int
401 esp_des_schedlen(
402 __unused const struct esp_algorithm *algo)
403 {
404
405 return sizeof(des_key_schedule);
406 }
407
408 static int
409 esp_des_schedule(
410 __unused const struct esp_algorithm *algo,
411 struct secasvar *sav)
412 {
413
414 lck_mtx_assert(sadb_mutex, LCK_MTX_ASSERT_OWNED);
415 if (des_key_sched((des_cblock *)_KEYBUF(sav->key_enc),
416 *(des_key_schedule *)sav->sched))
417 return EINVAL;
418 else
419 return 0;
420 }
421
422 static int
423 esp_des_blockdecrypt(
424 __unused const struct esp_algorithm *algo,
425 struct secasvar *sav,
426 u_int8_t *s,
427 u_int8_t *d)
428 {
429
430 /* assumption: d has a good alignment */
431 bcopy(s, d, sizeof(DES_LONG) * 2);
432 des_ecb_encrypt((des_cblock *)d, (des_cblock *)d,
433 *(des_key_schedule *)sav->sched, DES_DECRYPT);
434 return 0;
435 }
436
437 static int
438 esp_des_blockencrypt(
439 __unused const struct esp_algorithm *algo,
440 struct secasvar *sav,
441 u_int8_t *s,
442 u_int8_t *d)
443 {
444
445 /* assumption: d has a good alignment */
446 bcopy(s, d, sizeof(DES_LONG) * 2);
447 des_ecb_encrypt((des_cblock *)d, (des_cblock *)d,
448 *(des_key_schedule *)sav->sched, DES_ENCRYPT);
449 return 0;
450 }
451
452 static int
453 esp_cbc_mature(sav)
454 struct secasvar *sav;
455 {
456 int keylen;
457 const struct esp_algorithm *algo;
458
459 if (sav->flags & SADB_X_EXT_OLD) {
460 ipseclog((LOG_ERR,
461 "esp_cbc_mature: algorithm incompatible with esp-old\n"));
462 return 1;
463 }
464 if (sav->flags & SADB_X_EXT_DERIV) {
465 ipseclog((LOG_ERR,
466 "esp_cbc_mature: algorithm incompatible with derived\n"));
467 return 1;
468 }
469
470 if (!sav->key_enc) {
471 ipseclog((LOG_ERR, "esp_cbc_mature: no key is given.\n"));
472 return 1;
473 }
474
475 algo = esp_algorithm_lookup(sav->alg_enc);
476 if (!algo) {
477 ipseclog((LOG_ERR,
478 "esp_cbc_mature %s: unsupported algorithm.\n", algo->name));
479 return 1;
480 }
481
482 keylen = sav->key_enc->sadb_key_bits;
483 if (keylen < algo->keymin || algo->keymax < keylen) {
484 ipseclog((LOG_ERR,
485 "esp_cbc_mature %s: invalid key length %d.\n",
486 algo->name, sav->key_enc->sadb_key_bits));
487 return 1;
488 }
489 switch (sav->alg_enc) {
490 case SADB_EALG_3DESCBC:
491 /* weak key check */
492 if (des_is_weak_key((des_cblock *)_KEYBUF(sav->key_enc)) ||
493 des_is_weak_key((des_cblock *)(_KEYBUF(sav->key_enc) + 8)) ||
494 des_is_weak_key((des_cblock *)(_KEYBUF(sav->key_enc) + 16))) {
495 ipseclog((LOG_ERR,
496 "esp_cbc_mature %s: weak key was passed.\n",
497 algo->name));
498 return 1;
499 }
500 break;
501 case SADB_X_EALG_BLOWFISHCBC:
502 case SADB_X_EALG_CAST128CBC:
503 break;
504 case SADB_X_EALG_RIJNDAELCBC:
505 /* allows specific key sizes only */
506 if (!(keylen == 128 || keylen == 192 || keylen == 256)) {
507 ipseclog((LOG_ERR,
508 "esp_cbc_mature %s: invalid key length %d.\n",
509 algo->name, keylen));
510 return 1;
511 }
512 break;
513 }
514
515 return 0;
516 }
517
518 #if ALLCRYPTO
519 static int
520 esp_blowfish_schedlen(
521 __unused const struct esp_algorithm *algo)
522 {
523
524 return sizeof(BF_KEY);
525 }
526
527 static int
528 esp_blowfish_schedule(
529 __unused const struct esp_algorithm *algo,
530 struct secasvar *sav)
531 {
532
533 lck_mtx_assert(sadb_mutex, LCK_MTX_ASSERT_OWNED);
534 BF_set_key((BF_KEY *)sav->sched, _KEYLEN(sav->key_enc),
535 (u_int8_t *) _KEYBUF(sav->key_enc));
536 return 0;
537 }
538
539 static int
540 esp_blowfish_blockdecrypt(
541 __unused const struct esp_algorithm *algo,
542 struct secasvar *sav,
543 u_int8_t *s,
544 u_int8_t *d)
545 {
546 /* HOLY COW! BF_decrypt() takes values in host byteorder */
547 BF_LONG t[2];
548
549 bcopy(s, t, sizeof(t));
550 t[0] = ntohl(t[0]);
551 t[1] = ntohl(t[1]);
552 BF_decrypt(t, (BF_KEY *)sav->sched);
553 t[0] = htonl(t[0]);
554 t[1] = htonl(t[1]);
555 bcopy(t, d, sizeof(t));
556 return 0;
557 }
558
559 static int
560 esp_blowfish_blockencrypt(
561 __unused const struct esp_algorithm *algo,
562 struct secasvar *sav,
563 u_int8_t *s,
564 u_int8_t *d)
565 {
566 /* HOLY COW! BF_encrypt() takes values in host byteorder */
567 BF_LONG t[2];
568
569 bcopy(s, t, sizeof(t));
570 t[0] = ntohl(t[0]);
571 t[1] = ntohl(t[1]);
572 BF_encrypt(t, (BF_KEY *)sav->sched);
573 t[0] = htonl(t[0]);
574 t[1] = htonl(t[1]);
575 bcopy(t, d, sizeof(t));
576 return 0;
577 }
578
579 static int
580 esp_cast128_schedlen(
581 __unused const struct esp_algorithm *algo)
582 {
583
584 return sizeof(u_int32_t) * 32;
585 }
586
587 static int
588 esp_cast128_schedule(
589 __unused const struct esp_algorithm *algo,
590 struct secasvar *sav)
591 {
592 lck_mtx_assert(sadb_mutex, LCK_MTX_ASSERT_OWNED);
593 set_cast128_subkey((u_int32_t *)sav->sched, (u_int8_t *) _KEYBUF(sav->key_enc),
594 _KEYLEN(sav->key_enc));
595 return 0;
596 }
597
598 static int
599 esp_cast128_blockdecrypt(
600 __unused const struct esp_algorithm *algo,
601 struct secasvar *sav,
602 u_int8_t *s,
603 u_int8_t *d)
604 {
605
606 if (_KEYLEN(sav->key_enc) <= 80 / 8)
607 cast128_decrypt_round12(d, s, (u_int32_t *)sav->sched);
608 else
609 cast128_decrypt_round16(d, s, (u_int32_t *)sav->sched);
610 return 0;
611 }
612
613 static int
614 esp_cast128_blockencrypt(
615 __unused const struct esp_algorithm *algo,
616 struct secasvar *sav,
617 u_int8_t *s,
618 u_int8_t *d)
619 {
620
621 if (_KEYLEN(sav->key_enc) <= 80 / 8)
622 cast128_encrypt_round12(d, s, (u_int32_t *)sav->sched);
623 else
624 cast128_encrypt_round16(d, s, (u_int32_t *)sav->sched);
625 return 0;
626 }
627 #endif /* ALLCRYPTO */
628
629 static int
630 esp_3des_schedlen(
631 __unused const struct esp_algorithm *algo)
632 {
633
634 return sizeof(des_key_schedule) * 3;
635 }
636
637 static int
638 esp_3des_schedule(
639 __unused const struct esp_algorithm *algo,
640 struct secasvar *sav)
641 {
642 int error;
643 des_key_schedule *p;
644 int i;
645 char *k;
646
647 lck_mtx_assert(sadb_mutex, LCK_MTX_ASSERT_OWNED);
648 p = (des_key_schedule *)sav->sched;
649 k = _KEYBUF(sav->key_enc);
650 for (i = 0; i < 3; i++) {
651 error = des_key_sched((des_cblock *)(k + 8 * i), p[i]);
652 if (error)
653 return EINVAL;
654 }
655 return 0;
656 }
657
658 static int
659 esp_3des_blockdecrypt(
660 __unused const struct esp_algorithm *algo,
661 struct secasvar *sav,
662 u_int8_t *s,
663 u_int8_t *d)
664 {
665 des_key_schedule *p;
666
667 /* assumption: d has a good alignment */
668 p = (des_key_schedule *)sav->sched;
669 bcopy(s, d, sizeof(DES_LONG) * 2);
670 des_ecb3_encrypt((des_cblock *)d, (des_cblock *)d,
671 p[0], p[1], p[2], DES_DECRYPT);
672 return 0;
673 }
674
675 static int
676 esp_3des_blockencrypt(
677 __unused const struct esp_algorithm *algo,
678 struct secasvar *sav,
679 u_int8_t *s,
680 u_int8_t *d)
681 {
682 des_key_schedule *p;
683
684 /* assumption: d has a good alignment */
685 p = (des_key_schedule *)sav->sched;
686 bcopy(s, d, sizeof(DES_LONG) * 2);
687 des_ecb3_encrypt((des_cblock *)d, (des_cblock *)d,
688 p[0], p[1], p[2], DES_ENCRYPT);
689 return 0;
690 }
691
692 static int
693 esp_common_ivlen(
694 const struct esp_algorithm *algo,
695 __unused struct secasvar *sav)
696 {
697
698 if (!algo)
699 panic("esp_common_ivlen: unknown algorithm");
700 return algo->ivlenval;
701 }
702
703 static int
704 esp_cbc_decrypt(m, off, sav, algo, ivlen)
705 struct mbuf *m;
706 size_t off;
707 struct secasvar *sav;
708 const struct esp_algorithm *algo;
709 int ivlen;
710 {
711 struct mbuf *s;
712 struct mbuf *d, *d0, *dp;
713 int soff, doff; /* offset from the head of chain, to head of this mbuf */
714 int sn, dn; /* offset from the head of the mbuf, to meat */
715 size_t ivoff, bodyoff;
716 u_int8_t iv[MAXIVLEN], *ivp;
717 u_int8_t sbuf[MAXIVLEN], *sp;
718 u_int8_t *p, *q;
719 struct mbuf *scut;
720 int scutoff;
721 int i;
722 int blocklen;
723 int derived;
724
725 if (ivlen != sav->ivlen || ivlen > sizeof(iv)) {
726 ipseclog((LOG_ERR, "esp_cbc_decrypt %s: "
727 "unsupported ivlen %d\n", algo->name, ivlen));
728 m_freem(m);
729 return EINVAL;
730 }
731
732 /* assumes blocklen == padbound */
733 blocklen = algo->padbound;
734
735 #if DIAGNOSTIC
736 if (blocklen > sizeof(iv)) {
737 ipseclog((LOG_ERR, "esp_cbc_decrypt %s: "
738 "unsupported blocklen %d\n", algo->name, blocklen));
739 m_freem(m);
740 return EINVAL;
741 }
742 #endif
743
744 if (sav->flags & SADB_X_EXT_OLD) {
745 /* RFC 1827 */
746 ivoff = off + sizeof(struct esp);
747 bodyoff = off + sizeof(struct esp) + ivlen;
748 derived = 0;
749 } else {
750 /* RFC 2406 */
751 if (sav->flags & SADB_X_EXT_DERIV) {
752 /*
753 * draft-ietf-ipsec-ciph-des-derived-00.txt
754 * uses sequence number field as IV field.
755 */
756 ivoff = off + sizeof(struct esp);
757 bodyoff = off + sizeof(struct esp) + sizeof(u_int32_t);
758 ivlen = sizeof(u_int32_t);
759 derived = 1;
760 } else {
761 ivoff = off + sizeof(struct newesp);
762 bodyoff = off + sizeof(struct newesp) + ivlen;
763 derived = 0;
764 }
765 }
766
767 /* grab iv */
768 m_copydata(m, ivoff, ivlen, (caddr_t) iv);
769
770 /* extend iv */
771 if (ivlen == blocklen)
772 ;
773 else if (ivlen == 4 && blocklen == 8) {
774 bcopy(&iv[0], &iv[4], 4);
775 iv[4] ^= 0xff;
776 iv[5] ^= 0xff;
777 iv[6] ^= 0xff;
778 iv[7] ^= 0xff;
779 } else {
780 ipseclog((LOG_ERR, "esp_cbc_encrypt %s: "
781 "unsupported ivlen/blocklen: %d %d\n",
782 algo->name, ivlen, blocklen));
783 m_freem(m);
784 return EINVAL;
785 }
786
787 if (m->m_pkthdr.len < bodyoff) {
788 ipseclog((LOG_ERR, "esp_cbc_decrypt %s: bad len %d/%lu\n",
789 algo->name, m->m_pkthdr.len, (u_int32_t)bodyoff));
790 m_freem(m);
791 return EINVAL;
792 }
793 if ((m->m_pkthdr.len - bodyoff) % blocklen) {
794 ipseclog((LOG_ERR, "esp_cbc_decrypt %s: "
795 "payload length must be multiple of %d\n",
796 algo->name, blocklen));
797 m_freem(m);
798 return EINVAL;
799 }
800
801 s = m;
802 d = d0 = dp = NULL;
803 soff = doff = sn = dn = 0;
804 ivp = sp = NULL;
805
806 /* skip bodyoff */
807 while (soff < bodyoff) {
808 if (soff + s->m_len > bodyoff) {
809 sn = bodyoff - soff;
810 break;
811 }
812
813 soff += s->m_len;
814 s = s->m_next;
815 }
816 scut = s;
817 scutoff = sn;
818
819 /* skip over empty mbuf */
820 while (s && s->m_len == 0)
821 s = s->m_next;
822
823 while (soff < m->m_pkthdr.len) {
824 /* source */
825 if (sn + blocklen <= s->m_len) {
826 /* body is continuous */
827 sp = mtod(s, u_int8_t *) + sn;
828 } else {
829 /* body is non-continuous */
830 m_copydata(s, sn, blocklen, (caddr_t) sbuf);
831 sp = sbuf;
832 }
833
834 /* destination */
835 if (!d || dn + blocklen > d->m_len) {
836 if (d)
837 dp = d;
838 MGET(d, M_DONTWAIT, MT_DATA);
839 i = m->m_pkthdr.len - (soff + sn);
840 if (d && i > MLEN) {
841 MCLGET(d, M_DONTWAIT);
842 if ((d->m_flags & M_EXT) == 0) {
843 m_free(d);
844 d = NULL;
845 }
846 }
847 if (!d) {
848 m_freem(m);
849 if (d0)
850 m_freem(d0);
851 return ENOBUFS;
852 }
853 if (!d0)
854 d0 = d;
855 if (dp)
856 dp->m_next = d;
857 d->m_len = 0;
858 d->m_len = (M_TRAILINGSPACE(d) / blocklen) * blocklen;
859 if (d->m_len > i)
860 d->m_len = i;
861 dn = 0;
862 }
863
864 /* decrypt */
865 (*algo->blockdecrypt)(algo, sav, sp, mtod(d, u_int8_t *) + dn);
866
867 /* xor */
868 p = ivp ? ivp : iv;
869 q = mtod(d, u_int8_t *) + dn;
870 for (i = 0; i < blocklen; i++)
871 q[i] ^= p[i];
872
873 /* next iv */
874 if (sp == sbuf) {
875 bcopy(sbuf, iv, blocklen);
876 ivp = NULL;
877 } else
878 ivp = sp;
879
880 sn += blocklen;
881 dn += blocklen;
882
883 /* find the next source block */
884 while (s && sn >= s->m_len) {
885 sn -= s->m_len;
886 soff += s->m_len;
887 s = s->m_next;
888 }
889 }
890
891 m_freem(scut->m_next);
892 scut->m_len = scutoff;
893 scut->m_next = d0;
894
895 /* just in case */
896 bzero(iv, sizeof(iv));
897 bzero(sbuf, sizeof(sbuf));
898
899 return 0;
900 }
901
902 static int
903 esp_cbc_encrypt(
904 struct mbuf *m,
905 size_t off,
906 __unused size_t plen,
907 struct secasvar *sav,
908 const struct esp_algorithm *algo,
909 int ivlen)
910 {
911 struct mbuf *s;
912 struct mbuf *d, *d0, *dp;
913 int soff, doff; /* offset from the head of chain, to head of this mbuf */
914 int sn, dn; /* offset from the head of the mbuf, to meat */
915 size_t ivoff, bodyoff;
916 u_int8_t iv[MAXIVLEN], *ivp;
917 u_int8_t sbuf[MAXIVLEN], *sp;
918 u_int8_t *p, *q;
919 struct mbuf *scut;
920 int scutoff;
921 int i;
922 int blocklen;
923 int derived;
924
925 if (ivlen != sav->ivlen || ivlen > sizeof(iv)) {
926 ipseclog((LOG_ERR, "esp_cbc_encrypt %s: "
927 "unsupported ivlen %d\n", algo->name, ivlen));
928 m_freem(m);
929 return EINVAL;
930 }
931
932 /* assumes blocklen == padbound */
933 blocklen = algo->padbound;
934
935 #if DIAGNOSTIC
936 if (blocklen > sizeof(iv)) {
937 ipseclog((LOG_ERR, "esp_cbc_encrypt %s: "
938 "unsupported blocklen %d\n", algo->name, blocklen));
939 m_freem(m);
940 return EINVAL;
941 }
942 #endif
943
944 if (sav->flags & SADB_X_EXT_OLD) {
945 /* RFC 1827 */
946 ivoff = off + sizeof(struct esp);
947 bodyoff = off + sizeof(struct esp) + ivlen;
948 derived = 0;
949 } else {
950 /* RFC 2406 */
951 if (sav->flags & SADB_X_EXT_DERIV) {
952 /*
953 * draft-ietf-ipsec-ciph-des-derived-00.txt
954 * uses sequence number field as IV field.
955 */
956 ivoff = off + sizeof(struct esp);
957 bodyoff = off + sizeof(struct esp) + sizeof(u_int32_t);
958 ivlen = sizeof(u_int32_t);
959 derived = 1;
960 } else {
961 ivoff = off + sizeof(struct newesp);
962 bodyoff = off + sizeof(struct newesp) + ivlen;
963 derived = 0;
964 }
965 }
966
967 /* put iv into the packet. if we are in derived mode, use seqno. */
968 if (derived)
969 m_copydata(m, ivoff, ivlen, (caddr_t) iv);
970 else {
971 bcopy(sav->iv, iv, ivlen);
972 /* maybe it is better to overwrite dest, not source */
973 m_copyback(m, ivoff, ivlen, (caddr_t) iv);
974 }
975
976 /* extend iv */
977 if (ivlen == blocklen)
978 ;
979 else if (ivlen == 4 && blocklen == 8) {
980 bcopy(&iv[0], &iv[4], 4);
981 iv[4] ^= 0xff;
982 iv[5] ^= 0xff;
983 iv[6] ^= 0xff;
984 iv[7] ^= 0xff;
985 } else {
986 ipseclog((LOG_ERR, "esp_cbc_encrypt %s: "
987 "unsupported ivlen/blocklen: %d %d\n",
988 algo->name, ivlen, blocklen));
989 m_freem(m);
990 return EINVAL;
991 }
992
993 if (m->m_pkthdr.len < bodyoff) {
994 ipseclog((LOG_ERR, "esp_cbc_encrypt %s: bad len %d/%lu\n",
995 algo->name, m->m_pkthdr.len, (u_int32_t)bodyoff));
996 m_freem(m);
997 return EINVAL;
998 }
999 if ((m->m_pkthdr.len - bodyoff) % blocklen) {
1000 ipseclog((LOG_ERR, "esp_cbc_encrypt %s: "
1001 "payload length must be multiple of %lu\n",
1002 algo->name, (u_int32_t)algo->padbound));
1003 m_freem(m);
1004 return EINVAL;
1005 }
1006
1007 s = m;
1008 d = d0 = dp = NULL;
1009 soff = doff = sn = dn = 0;
1010 ivp = sp = NULL;
1011
1012 /* skip bodyoff */
1013 while (soff < bodyoff) {
1014 if (soff + s->m_len > bodyoff) {
1015 sn = bodyoff - soff;
1016 break;
1017 }
1018
1019 soff += s->m_len;
1020 s = s->m_next;
1021 }
1022 scut = s;
1023 scutoff = sn;
1024
1025 /* skip over empty mbuf */
1026 while (s && s->m_len == 0)
1027 s = s->m_next;
1028
1029 while (soff < m->m_pkthdr.len) {
1030 /* source */
1031 if (sn + blocklen <= s->m_len) {
1032 /* body is continuous */
1033 sp = mtod(s, u_int8_t *) + sn;
1034 } else {
1035 /* body is non-continuous */
1036 m_copydata(s, sn, blocklen, (caddr_t) sbuf);
1037 sp = sbuf;
1038 }
1039
1040 /* destination */
1041 if (!d || dn + blocklen > d->m_len) {
1042 if (d)
1043 dp = d;
1044 MGET(d, M_DONTWAIT, MT_DATA);
1045 i = m->m_pkthdr.len - (soff + sn);
1046 if (d && i > MLEN) {
1047 MCLGET(d, M_DONTWAIT);
1048 if ((d->m_flags & M_EXT) == 0) {
1049 m_free(d);
1050 d = NULL;
1051 }
1052 }
1053 if (!d) {
1054 m_freem(m);
1055 if (d0)
1056 m_freem(d0);
1057 return ENOBUFS;
1058 }
1059 if (!d0)
1060 d0 = d;
1061 if (dp)
1062 dp->m_next = d;
1063 d->m_len = 0;
1064 d->m_len = (M_TRAILINGSPACE(d) / blocklen) * blocklen;
1065 if (d->m_len > i)
1066 d->m_len = i;
1067 dn = 0;
1068 }
1069
1070 /* xor */
1071 p = ivp ? ivp : iv;
1072 q = sp;
1073 for (i = 0; i < blocklen; i++)
1074 q[i] ^= p[i];
1075
1076 /* encrypt */
1077 (*algo->blockencrypt)(algo, sav, sp, mtod(d, u_int8_t *) + dn);
1078
1079 /* next iv */
1080 ivp = mtod(d, u_int8_t *) + dn;
1081
1082 sn += blocklen;
1083 dn += blocklen;
1084
1085 /* find the next source block */
1086 while (s && sn >= s->m_len) {
1087 sn -= s->m_len;
1088 soff += s->m_len;
1089 s = s->m_next;
1090 }
1091 }
1092
1093 m_freem(scut->m_next);
1094 scut->m_len = scutoff;
1095 scut->m_next = d0;
1096
1097 /* just in case */
1098 bzero(iv, sizeof(iv));
1099 bzero(sbuf, sizeof(sbuf));
1100
1101 key_sa_stir_iv(sav);
1102
1103 return 0;
1104 }
1105
1106 /*------------------------------------------------------------*/
1107
1108 /* does not free m0 on error */
1109 int
1110 esp_auth(m0, skip, length, sav, sum)
1111 struct mbuf *m0;
1112 size_t skip; /* offset to ESP header */
1113 size_t length; /* payload length */
1114 struct secasvar *sav;
1115 u_char *sum;
1116 {
1117 struct mbuf *m;
1118 size_t off;
1119 struct ah_algorithm_state s;
1120 u_char sumbuf[AH_MAXSUMSIZE];
1121 const struct ah_algorithm *algo;
1122 size_t siz;
1123 int error;
1124
1125 /* sanity checks */
1126 if (m0->m_pkthdr.len < skip) {
1127 ipseclog((LOG_DEBUG, "esp_auth: mbuf length < skip\n"));
1128 return EINVAL;
1129 }
1130 if (m0->m_pkthdr.len < skip + length) {
1131 ipseclog((LOG_DEBUG,
1132 "esp_auth: mbuf length < skip + length\n"));
1133 return EINVAL;
1134 }
1135
1136 KERNEL_DEBUG(DBG_FNC_ESPAUTH | DBG_FUNC_START, skip,length,0,0,0);
1137 /*
1138 * length of esp part (excluding authentication data) must be 4n,
1139 * since nexthdr must be at offset 4n+3.
1140 */
1141 if (length % 4) {
1142 ipseclog((LOG_ERR, "esp_auth: length is not multiple of 4\n"));
1143 KERNEL_DEBUG(DBG_FNC_ESPAUTH | DBG_FUNC_END, 1,0,0,0,0);
1144 return EINVAL;
1145 }
1146 if (!sav) {
1147 ipseclog((LOG_DEBUG, "esp_auth: NULL SA passed\n"));
1148 KERNEL_DEBUG(DBG_FNC_ESPAUTH | DBG_FUNC_END, 2,0,0,0,0);
1149 return EINVAL;
1150 }
1151 algo = ah_algorithm_lookup(sav->alg_auth);
1152 if (!algo) {
1153 ipseclog((LOG_ERR,
1154 "esp_auth: bad ESP auth algorithm passed: %d\n",
1155 sav->alg_auth));
1156 KERNEL_DEBUG(DBG_FNC_ESPAUTH | DBG_FUNC_END, 3,0,0,0,0);
1157 return EINVAL;
1158 }
1159
1160 m = m0;
1161 off = 0;
1162
1163 siz = (((*algo->sumsiz)(sav) + 3) & ~(4 - 1));
1164 if (sizeof(sumbuf) < siz) {
1165 ipseclog((LOG_DEBUG,
1166 "esp_auth: AH_MAXSUMSIZE is too small: siz=%lu\n",
1167 (u_int32_t)siz));
1168 KERNEL_DEBUG(DBG_FNC_ESPAUTH | DBG_FUNC_END, 4,0,0,0,0);
1169 return EINVAL;
1170 }
1171
1172 /* skip the header */
1173 while (skip) {
1174 if (!m)
1175 panic("mbuf chain?");
1176 if (m->m_len <= skip) {
1177 skip -= m->m_len;
1178 m = m->m_next;
1179 off = 0;
1180 } else {
1181 off = skip;
1182 skip = 0;
1183 }
1184 }
1185
1186 error = (*algo->init)(&s, sav);
1187 if (error) {
1188 KERNEL_DEBUG(DBG_FNC_ESPAUTH | DBG_FUNC_END, 5,0,0,0,0);
1189 return error;
1190 }
1191 while (0 < length) {
1192 if (!m)
1193 panic("mbuf chain?");
1194
1195 if (m->m_len - off < length) {
1196 (*algo->update)(&s, (caddr_t)(mtod(m, u_char *) + off),
1197 m->m_len - off);
1198 length -= m->m_len - off;
1199 m = m->m_next;
1200 off = 0;
1201 } else {
1202 (*algo->update)(&s, (caddr_t)(mtod(m, u_char *) + off), length);
1203 break;
1204 }
1205 }
1206 (*algo->result)(&s, (caddr_t) sumbuf);
1207 bcopy(sumbuf, sum, siz); /*XXX*/
1208 KERNEL_DEBUG(DBG_FNC_ESPAUTH | DBG_FUNC_END, 6,0,0,0,0);
1209 return 0;
1210 }
mirror of XNU