]> git.saurik.com Git - apple/xnu.git/blob - bsd/netinet6/ah_core.c
projects / apple / xnu.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
xnu-3247.10.11.tar.gz
[apple/xnu.git] / bsd / netinet6 / ah_core.c
1 /*
2 * Copyright (c) 2008-2011 Apple Inc. All rights reserved.
3 *
4 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. The rights granted to you under the License
10 * may not be used to create, or enable the creation or redistribution of,
11 * unlawful or unlicensed copies of an Apple operating system, or to
12 * circumvent, violate, or enable the circumvention or violation of, any
13 * terms of an Apple operating system software license agreement.
14 *
15 * Please obtain a copy of the License at
16 * http://www.opensource.apple.com/apsl/ and read it before using this file.
17 *
18 * The Original Code and all software distributed under the License are
19 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
20 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
21 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
22 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
23 * Please see the License for the specific language governing rights and
24 * limitations under the License.
25 *
26 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
27 */
28
29 /* $FreeBSD: src/sys/netinet6/ah_core.c,v 1.2.2.4 2001/07/03 11:01:49 ume Exp $ */
30 /* $KAME: ah_core.c,v 1.44 2001/03/12 11:24:39 itojun Exp $ */
31
32 /*
33 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
34 * All rights reserved.
35 *
36 * Redistribution and use in source and binary forms, with or without
37 * modification, are permitted provided that the following conditions
38 * are met:
39 * 1. Redistributions of source code must retain the above copyright
40 * notice, this list of conditions and the following disclaimer.
41 * 2. Redistributions in binary form must reproduce the above copyright
42 * notice, this list of conditions and the following disclaimer in the
43 * documentation and/or other materials provided with the distribution.
44 * 3. Neither the name of the project nor the names of its contributors
45 * may be used to endorse or promote products derived from this software
46 * without specific prior written permission.
47 *
48 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
49 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
50 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
51 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
52 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
53 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
54 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
55 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
56 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
57 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
58 * SUCH DAMAGE.
59 */
60
61 /*
62 * RFC1826/2402 authentication header.
63 */
64
65 /* TODO: have shared routines for hmac-* algorithms */
66
67 #include <sys/param.h>
68 #include <sys/systm.h>
69 #include <sys/malloc.h>
70 #include <sys/mbuf.h>
71 #include <sys/domain.h>
72 #include <sys/protosw.h>
73 #include <sys/socket.h>
74 #include <sys/socketvar.h>
75 #include <sys/errno.h>
76 #include <sys/time.h>
77 #include <sys/syslog.h>
78
79 #include <net/if.h>
80 #include <net/route.h>
81
82 #include <netinet/in.h>
83 #include <netinet/in_systm.h>
84 #include <netinet/ip.h>
85 #include <netinet/in_var.h>
86
87 #if INET6
88 #include <netinet/ip6.h>
89 #include <netinet6/ip6_var.h>
90 #include <netinet/icmp6.h>
91 #endif
92
93 #include <netinet6/ipsec.h>
94 #if INET6
95 #include <netinet6/ipsec6.h>
96 #endif
97 #include <netinet6/ah.h>
98 #if INET6
99 #include <netinet6/ah6.h>
100 #endif
101 #if IPSEC_ESP
102 #include <netinet6/esp.h>
103 #if INET6
104 #include <netinet6/esp6.h>
105 #endif
106 #endif
107 #include <net/pfkeyv2.h>
108 #include <netkey/keydb.h>
109 #include <libkern/crypto/md5.h>
110 #include <libkern/crypto/sha1.h>
111 #include <libkern/crypto/sha2.h>
112
113 #include <net/net_osdep.h>
114
115 #define HMACSIZE 16
116
117 static int ah_sumsiz_1216(struct secasvar *);
118 static int ah_sumsiz_zero(struct secasvar *);
119 static int ah_none_mature(struct secasvar *);
120 static int ah_none_init(struct ah_algorithm_state *, struct secasvar *);
121 static void ah_none_loop(struct ah_algorithm_state *, caddr_t, size_t);
122 static void ah_none_result(struct ah_algorithm_state *, caddr_t, size_t);
123 static int ah_keyed_md5_mature(struct secasvar *);
124 static int ah_keyed_md5_init(struct ah_algorithm_state *, struct secasvar *);
125 static void ah_keyed_md5_loop(struct ah_algorithm_state *, caddr_t, size_t);
126 static void ah_keyed_md5_result(struct ah_algorithm_state *, caddr_t, size_t);
127 static int ah_keyed_sha1_mature(struct secasvar *);
128 static int ah_keyed_sha1_init(struct ah_algorithm_state *, struct secasvar *);
129 static void ah_keyed_sha1_loop(struct ah_algorithm_state *, caddr_t, size_t);
130 static void ah_keyed_sha1_result(struct ah_algorithm_state *, caddr_t, size_t);
131 static int ah_hmac_md5_mature(struct secasvar *);
132 static int ah_hmac_md5_init(struct ah_algorithm_state *, struct secasvar *);
133 static void ah_hmac_md5_loop(struct ah_algorithm_state *, caddr_t, size_t);
134 static void ah_hmac_md5_result(struct ah_algorithm_state *, caddr_t, size_t);
135 static int ah_hmac_sha1_mature(struct secasvar *);
136 static int ah_hmac_sha1_init(struct ah_algorithm_state *, struct secasvar *);
137 static void ah_hmac_sha1_loop(struct ah_algorithm_state *, caddr_t, size_t);
138 static void ah_hmac_sha1_result(struct ah_algorithm_state *, caddr_t, size_t);
139 #if AH_ALL_CRYPTO
140 static int ah_sumsiz_sha2_256(struct secasvar *);
141 static int ah_hmac_sha2_256_mature(struct secasvar *);
142 static int ah_hmac_sha2_256_init(struct ah_algorithm_state *,
143 struct secasvar *);
144 static void ah_hmac_sha2_256_loop(struct ah_algorithm_state *, caddr_t, size_t);
145 static void ah_hmac_sha2_256_result(struct ah_algorithm_state *, caddr_t, size_t);
146 static int ah_sumsiz_sha2_384(struct secasvar *);
147 static int ah_hmac_sha2_384_mature(struct secasvar *);
148 static int ah_hmac_sha2_384_init(struct ah_algorithm_state *,
149 struct secasvar *);
150 static void ah_hmac_sha2_384_loop(struct ah_algorithm_state *, caddr_t, size_t);
151 static void ah_hmac_sha2_384_result(struct ah_algorithm_state *, caddr_t, size_t);
152 static int ah_sumsiz_sha2_512(struct secasvar *);
153 static int ah_hmac_sha2_512_mature(struct secasvar *);
154 static int ah_hmac_sha2_512_init(struct ah_algorithm_state *,
155 struct secasvar *);
156 static void ah_hmac_sha2_512_loop(struct ah_algorithm_state *, caddr_t, size_t);
157 static void ah_hmac_sha2_512_result(struct ah_algorithm_state *, caddr_t, size_t);
158 #endif /* AH_ALL_CRYPTO */
159
160 static void ah_update_mbuf(struct mbuf *, int, int,
161 const struct ah_algorithm *, struct ah_algorithm_state *);
162
163 const struct ah_algorithm *
164 ah_algorithm_lookup(idx)
165 int idx;
166 {
167 /* checksum algorithms */
168 static struct ah_algorithm hmac_md5 =
169 { ah_sumsiz_1216, ah_hmac_md5_mature, 128, 128, "hmac-md5",
170 ah_hmac_md5_init, ah_hmac_md5_loop,
171 ah_hmac_md5_result, };
172 static struct ah_algorithm keyed_md5 =
173 { ah_sumsiz_1216, ah_keyed_md5_mature, 128, 128, "keyed-md5",
174 ah_keyed_md5_init, ah_keyed_md5_loop,
175 ah_keyed_md5_result, };
176 static struct ah_algorithm hmac_sha1 =
177 { ah_sumsiz_1216, ah_hmac_sha1_mature, 160, 160, "hmac-sha1",
178 ah_hmac_sha1_init, ah_hmac_sha1_loop,
179 ah_hmac_sha1_result, };
180 static struct ah_algorithm keyed_sha1 =
181 { ah_sumsiz_1216, ah_keyed_sha1_mature, 160, 160, "keyed-sha1",
182 ah_keyed_sha1_init, ah_keyed_sha1_loop,
183 ah_keyed_sha1_result, };
184 static struct ah_algorithm ah_none =
185 { ah_sumsiz_zero, ah_none_mature, 0, 2048, "none",
186 ah_none_init, ah_none_loop, ah_none_result, };
187 #if AH_ALL_CRYPTO
188 static struct ah_algorithm hmac_sha2_256 =
189 { ah_sumsiz_sha2_256, ah_hmac_sha2_256_mature, 256, 256,
190 "hmac-sha2-256",
191 ah_hmac_sha2_256_init, ah_hmac_sha2_256_loop,
192 ah_hmac_sha2_256_result, };
193 static struct ah_algorithm hmac_sha2_384 =
194 { ah_sumsiz_sha2_384, ah_hmac_sha2_384_mature, 384, 384,
195 "hmac-sha2-384",
196 ah_hmac_sha2_384_init, ah_hmac_sha2_384_loop,
197 ah_hmac_sha2_384_result, };
198 static struct ah_algorithm hmac_sha2_512 =
199 { ah_sumsiz_sha2_512, ah_hmac_sha2_512_mature, 512, 512,
200 "hmac-sha2-512",
201 ah_hmac_sha2_512_init, ah_hmac_sha2_512_loop,
202 ah_hmac_sha2_512_result, };
203 #endif /* AH_ALL_CRYPTO */
204
205 switch (idx) {
206 case SADB_AALG_MD5HMAC:
207 return &hmac_md5;
208 case SADB_AALG_SHA1HMAC:
209 return &hmac_sha1;
210 case SADB_X_AALG_MD5:
211 return &keyed_md5;
212 case SADB_X_AALG_SHA:
213 return &keyed_sha1;
214 case SADB_X_AALG_NULL:
215 return &ah_none;
216 #if AH_ALL_CRYPTO
217 case SADB_X_AALG_SHA2_256:
218 return &hmac_sha2_256;
219 case SADB_X_AALG_SHA2_384:
220 return &hmac_sha2_384;
221 case SADB_X_AALG_SHA2_512:
222 return &hmac_sha2_512;
223 #endif /* AH_ALL_CRYPTO */
224 default:
225 return NULL;
226 }
227 }
228
229
230 static int
231 ah_sumsiz_1216(sav)
232 struct secasvar *sav;
233 {
234 if (!sav)
235 return -1;
236 if (sav->flags & SADB_X_EXT_OLD)
237 return 16;
238 else
239 return 12;
240 }
241
242 static int
243 ah_sumsiz_zero(sav)
244 struct secasvar *sav;
245 {
246 if (!sav)
247 return -1;
248 return 0;
249 }
250
251 static int
252 ah_none_mature(sav)
253 struct secasvar *sav;
254 {
255 if (sav->sah->saidx.proto == IPPROTO_AH) {
256 ipseclog((LOG_ERR,
257 "ah_none_mature: protocol and algorithm mismatch.\n"));
258 return 1;
259 }
260 return 0;
261 }
262
263 static int
264 ah_none_init(
265 struct ah_algorithm_state *state,
266 __unused struct secasvar *sav)
267 {
268 state->foo = NULL;
269 return 0;
270 }
271
272 static void
273 ah_none_loop(
274 __unused struct ah_algorithm_state *state,
275 __unused caddr_t addr,
276 __unused size_t len)
277 {
278 }
279
280 static void
281 ah_none_result(
282 __unused struct ah_algorithm_state *state,
283 __unused caddr_t addr,
284 __unused size_t l)
285 {
286 }
287
288 static int
289 ah_keyed_md5_mature(
290 __unused struct secasvar *sav)
291 {
292 /* anything is okay */
293 return 0;
294 }
295
296 static int
297 ah_keyed_md5_init(state, sav)
298 struct ah_algorithm_state *state;
299 struct secasvar *sav;
300 {
301 size_t padlen;
302 size_t keybitlen;
303 u_int8_t buf[32] __attribute__((aligned(4)));
304
305 if (!state)
306 panic("ah_keyed_md5_init: what?");
307
308 state->sav = sav;
309 state->foo = (void *)_MALLOC(sizeof(MD5_CTX), M_TEMP, M_NOWAIT);
310 if (state->foo == NULL)
311 return ENOBUFS;
312
313 MD5Init((MD5_CTX *)state->foo);
314 if (state->sav) {
315 MD5Update((MD5_CTX *)state->foo,
316 (u_int8_t *)_KEYBUF(state->sav->key_auth),
317 (u_int)_KEYLEN(state->sav->key_auth));
318
319 /*
320 * Pad after the key.
321 * We cannot simply use md5_pad() since the function
322 * won't update the total length.
323 */
324 if (_KEYLEN(state->sav->key_auth) < 56)
325 padlen = 64 - 8 - _KEYLEN(state->sav->key_auth);
326 else
327 padlen = 64 + 64 - 8 - _KEYLEN(state->sav->key_auth);
328 keybitlen = _KEYLEN(state->sav->key_auth);
329 keybitlen *= 8;
330
331 buf[0] = 0x80;
332 MD5Update((MD5_CTX *)state->foo, &buf[0], 1);
333 padlen--;
334
335 bzero(buf, sizeof(buf));
336 while (sizeof(buf) < padlen) {
337 MD5Update((MD5_CTX *)state->foo, &buf[0], sizeof(buf));
338 padlen -= sizeof(buf);
339 }
340 if (padlen) {
341 MD5Update((MD5_CTX *)state->foo, &buf[0], padlen);
342 }
343
344 buf[0] = (keybitlen >> 0) & 0xff;
345 buf[1] = (keybitlen >> 8) & 0xff;
346 buf[2] = (keybitlen >> 16) & 0xff;
347 buf[3] = (keybitlen >> 24) & 0xff;
348 MD5Update((MD5_CTX *)state->foo, buf, 8);
349 }
350
351 return 0;
352 }
353
354 static void
355 ah_keyed_md5_loop(state, addr, len)
356 struct ah_algorithm_state *state;
357 caddr_t addr;
358 size_t len;
359 {
360 if (!state)
361 panic("ah_keyed_md5_loop: what?");
362
363 MD5Update((MD5_CTX *)state->foo, addr, len);
364 }
365
366 static void
367 ah_keyed_md5_result(state, addr, l)
368 struct ah_algorithm_state *state;
369 caddr_t addr;
370 size_t l;
371 {
372 u_char digest[16] __attribute__((aligned(4)));
373
374 if (!state)
375 panic("ah_keyed_md5_result: what?");
376
377 if (state->sav) {
378 MD5Update((MD5_CTX *)state->foo,
379 (u_int8_t *)_KEYBUF(state->sav->key_auth),
380 (u_int)_KEYLEN(state->sav->key_auth));
381 }
382 MD5Final(&digest[0], (MD5_CTX *)state->foo);
383 FREE(state->foo, M_TEMP);
384 bcopy(&digest[0], (void *)addr, sizeof(digest) > l ? l : sizeof(digest));
385 }
386
387 static int
388 ah_keyed_sha1_mature(sav)
389 struct secasvar *sav;
390 {
391 const struct ah_algorithm *algo;
392
393 if (!sav->key_auth) {
394 ipseclog((LOG_ERR, "ah_keyed_sha1_mature: no key is given.\n"));
395 return 1;
396 }
397
398 algo = ah_algorithm_lookup(sav->alg_auth);
399 if (!algo) {
400 ipseclog((LOG_ERR, "ah_keyed_sha1_mature: unsupported algorithm.\n"));
401 return 1;
402 }
403
404 if (sav->key_auth->sadb_key_bits < algo->keymin
405 || algo->keymax < sav->key_auth->sadb_key_bits) {
406 ipseclog((LOG_ERR,
407 "ah_keyed_sha1_mature: invalid key length %d.\n",
408 sav->key_auth->sadb_key_bits));
409 return 1;
410 }
411
412 return 0;
413 }
414
415 static int
416 ah_keyed_sha1_init(state, sav)
417 struct ah_algorithm_state *state;
418 struct secasvar *sav;
419 {
420 SHA1_CTX *ctxt;
421 size_t padlen;
422 size_t keybitlen;
423 u_int8_t buf[32] __attribute__((aligned(4)));
424
425 if (!state)
426 panic("ah_keyed_sha1_init: what?");
427
428 state->sav = sav;
429 state->foo = (void *)_MALLOC(sizeof(SHA1_CTX), M_TEMP, M_NOWAIT);
430 if (!state->foo)
431 return ENOBUFS;
432
433 ctxt = (SHA1_CTX *)state->foo;
434 SHA1Init(ctxt);
435
436 if (state->sav) {
437 SHA1Update(ctxt, (u_int8_t *)_KEYBUF(state->sav->key_auth),
438 (u_int)_KEYLEN(state->sav->key_auth));
439
440 /*
441 * Pad after the key.
442 */
443 if (_KEYLEN(state->sav->key_auth) < 56)
444 padlen = 64 - 8 - _KEYLEN(state->sav->key_auth);
445 else
446 padlen = 64 + 64 - 8 - _KEYLEN(state->sav->key_auth);
447 keybitlen = _KEYLEN(state->sav->key_auth);
448 keybitlen *= 8;
449
450 buf[0] = 0x80;
451 SHA1Update(ctxt, &buf[0], 1);
452 padlen--;
453
454 bzero(buf, sizeof(buf));
455 while (sizeof(buf) < padlen) {
456 SHA1Update(ctxt, &buf[0], sizeof(buf));
457 padlen -= sizeof(buf);
458 }
459 if (padlen) {
460 SHA1Update(ctxt, &buf[0], padlen);
461 }
462
463 buf[0] = (keybitlen >> 0) & 0xff;
464 buf[1] = (keybitlen >> 8) & 0xff;
465 buf[2] = (keybitlen >> 16) & 0xff;
466 buf[3] = (keybitlen >> 24) & 0xff;
467 SHA1Update(ctxt, buf, 8);
468 }
469
470 return 0;
471 }
472
473 static void
474 ah_keyed_sha1_loop(state, addr, len)
475 struct ah_algorithm_state *state;
476 caddr_t addr;
477 size_t len;
478 {
479 SHA1_CTX *ctxt;
480
481 if (!state || !state->foo)
482 panic("ah_keyed_sha1_loop: what?");
483 ctxt = (SHA1_CTX *)state->foo;
484
485 SHA1Update(ctxt, (caddr_t)addr, (size_t)len);
486 }
487
488 static void
489 ah_keyed_sha1_result(state, addr, l)
490 struct ah_algorithm_state *state;
491 caddr_t addr;
492 size_t l;
493 {
494 u_char digest[SHA1_RESULTLEN] __attribute__((aligned(4))); /* SHA-1 generates 160 bits */
495 SHA1_CTX *ctxt;
496
497 if (!state || !state->foo)
498 panic("ah_keyed_sha1_result: what?");
499 ctxt = (SHA1_CTX *)state->foo;
500
501 if (state->sav) {
502 SHA1Update(ctxt, (u_int8_t *)_KEYBUF(state->sav->key_auth),
503 (u_int)_KEYLEN(state->sav->key_auth));
504 }
505 SHA1Final((caddr_t)&digest[0], ctxt);
506 bcopy(&digest[0], (void *)addr, sizeof(digest) > l ? l : sizeof(digest));
507
508 FREE(state->foo, M_TEMP);
509 }
510
511 static int
512 ah_hmac_md5_mature(sav)
513 struct secasvar *sav;
514 {
515 const struct ah_algorithm *algo;
516
517 if (!sav->key_auth) {
518 ipseclog((LOG_ERR, "ah_hmac_md5_mature: no key is given.\n"));
519 return 1;
520 }
521
522 algo = ah_algorithm_lookup(sav->alg_auth);
523 if (!algo) {
524 ipseclog((LOG_ERR, "ah_hmac_md5_mature: unsupported algorithm.\n"));
525 return 1;
526 }
527
528 if (sav->key_auth->sadb_key_bits < algo->keymin
529 || algo->keymax < sav->key_auth->sadb_key_bits) {
530 ipseclog((LOG_ERR,
531 "ah_hmac_md5_mature: invalid key length %d.\n",
532 sav->key_auth->sadb_key_bits));
533 return 1;
534 }
535
536 return 0;
537 }
538
539 static int
540 ah_hmac_md5_init(state, sav)
541 struct ah_algorithm_state *state;
542 struct secasvar *sav;
543 {
544 u_char *ipad;
545 u_char *opad;
546 u_char tk[16] __attribute__((aligned(4)));
547 u_char *key;
548 size_t keylen;
549 size_t i;
550 MD5_CTX *ctxt;
551
552 if (!state)
553 panic("ah_hmac_md5_init: what?");
554
555 state->sav = sav;
556 state->foo = (void *)_MALLOC(64 + 64 + sizeof(MD5_CTX), M_TEMP, M_NOWAIT);
557 if (!state->foo)
558 return ENOBUFS;
559
560 ipad = (u_char *)state->foo;
561 opad = (u_char *)(ipad + 64);
562 ctxt = (MD5_CTX *)(void *)(opad + 64);
563
564 /* compress the key if necessery */
565 if (64 < _KEYLEN(state->sav->key_auth)) {
566 MD5Init(ctxt);
567 MD5Update(ctxt, _KEYBUF(state->sav->key_auth),
568 _KEYLEN(state->sav->key_auth));
569 MD5Final(&tk[0], ctxt);
570 key = &tk[0];
571 keylen = 16;
572 } else {
573 key = (u_char *) _KEYBUF(state->sav->key_auth);
574 keylen = _KEYLEN(state->sav->key_auth);
575 }
576
577 bzero(ipad, 64);
578 bzero(opad, 64);
579 bcopy(key, ipad, keylen);
580 bcopy(key, opad, keylen);
581 for (i = 0; i < 64; i++) {
582 ipad[i] ^= 0x36;
583 opad[i] ^= 0x5c;
584 }
585
586 MD5Init(ctxt);
587 MD5Update(ctxt, ipad, 64);
588
589 return 0;
590 }
591
592 static void
593 ah_hmac_md5_loop(state, addr, len)
594 struct ah_algorithm_state *state;
595 caddr_t addr;
596 size_t len;
597 {
598 MD5_CTX *ctxt;
599
600 if (!state || !state->foo)
601 panic("ah_hmac_md5_loop: what?");
602 ctxt = (MD5_CTX *)(void *)(((caddr_t)state->foo) + 128);
603 MD5Update(ctxt, addr, len);
604 }
605
606 static void
607 ah_hmac_md5_result(state, addr, l)
608 struct ah_algorithm_state *state;
609 caddr_t addr;
610 size_t l;
611 {
612 u_char digest[16] __attribute__((aligned(4)));
613 u_char *ipad;
614 u_char *opad;
615 MD5_CTX *ctxt;
616
617 if (!state || !state->foo)
618 panic("ah_hmac_md5_result: what?");
619
620 ipad = (u_char *)state->foo;
621 opad = (u_char *)(ipad + 64);
622 ctxt = (MD5_CTX *)(void *)(opad + 64);
623
624 MD5Final(&digest[0], ctxt);
625
626 MD5Init(ctxt);
627 MD5Update(ctxt, opad, 64);
628 MD5Update(ctxt, &digest[0], sizeof(digest));
629 MD5Final(&digest[0], ctxt);
630
631 bcopy(&digest[0], (void *)addr, sizeof(digest) > l ? l : sizeof(digest));
632
633 FREE(state->foo, M_TEMP);
634 }
635
636 static int
637 ah_hmac_sha1_mature(sav)
638 struct secasvar *sav;
639 {
640 const struct ah_algorithm *algo;
641
642 if (!sav->key_auth) {
643 ipseclog((LOG_ERR, "ah_hmac_sha1_mature: no key is given.\n"));
644 return 1;
645 }
646
647 algo = ah_algorithm_lookup(sav->alg_auth);
648 if (!algo) {
649 ipseclog((LOG_ERR, "ah_hmac_sha1_mature: unsupported algorithm.\n"));
650 return 1;
651 }
652
653 if (sav->key_auth->sadb_key_bits < algo->keymin
654 || algo->keymax < sav->key_auth->sadb_key_bits) {
655 ipseclog((LOG_ERR,
656 "ah_hmac_sha1_mature: invalid key length %d.\n",
657 sav->key_auth->sadb_key_bits));
658 return 1;
659 }
660
661 return 0;
662 }
663
664 static int
665 ah_hmac_sha1_init(state, sav)
666 struct ah_algorithm_state *state;
667 struct secasvar *sav;
668 {
669 u_char *ipad;
670 u_char *opad;
671 SHA1_CTX *ctxt;
672 u_char tk[SHA1_RESULTLEN] __attribute__((aligned(4))); /* SHA-1 generates 160 bits */
673 u_char *key;
674 size_t keylen;
675 size_t i;
676
677 if (!state)
678 panic("ah_hmac_sha1_init: what?");
679
680 state->sav = sav;
681 state->foo = (void *)_MALLOC(64 + 64 + sizeof(SHA1_CTX),
682 M_TEMP, M_NOWAIT);
683 if (!state->foo)
684 return ENOBUFS;
685
686 ipad = (u_char *)state->foo;
687 opad = (u_char *)(ipad + 64);
688 ctxt = (SHA1_CTX *)(void *)(opad + 64);
689
690 /* compress the key if necessery */
691 if (64 < _KEYLEN(state->sav->key_auth)) {
692 SHA1Init(ctxt);
693 SHA1Update(ctxt, _KEYBUF(state->sav->key_auth),
694 _KEYLEN(state->sav->key_auth));
695 SHA1Final(&tk[0], ctxt);
696 key = &tk[0];
697 keylen = SHA1_RESULTLEN;
698 } else {
699 key = (u_char *) _KEYBUF(state->sav->key_auth);
700 keylen = _KEYLEN(state->sav->key_auth);
701 }
702
703 bzero(ipad, 64);
704 bzero(opad, 64);
705 bcopy(key, ipad, keylen);
706 bcopy(key, opad, keylen);
707 for (i = 0; i < 64; i++) {
708 ipad[i] ^= 0x36;
709 opad[i] ^= 0x5c;
710 }
711
712 SHA1Init(ctxt);
713 SHA1Update(ctxt, ipad, 64);
714
715 return 0;
716 }
717
718 static void
719 ah_hmac_sha1_loop(state, addr, len)
720 struct ah_algorithm_state *state;
721 caddr_t addr;
722 size_t len;
723 {
724 SHA1_CTX *ctxt;
725
726 if (!state || !state->foo)
727 panic("ah_hmac_sha1_loop: what?");
728
729 ctxt = (SHA1_CTX *)(void *)(((u_char *)state->foo) + 128);
730 SHA1Update(ctxt, (caddr_t)addr, (size_t)len);
731 }
732
733 static void
734 ah_hmac_sha1_result(state, addr, l)
735 struct ah_algorithm_state *state;
736 caddr_t addr;
737 size_t l;
738 {
739 u_char digest[SHA1_RESULTLEN] __attribute__((aligned(4))); /* SHA-1 generates 160 bits */
740 u_char *ipad;
741 u_char *opad;
742 SHA1_CTX *ctxt;
743
744 if (!state || !state->foo)
745 panic("ah_hmac_sha1_result: what?");
746
747 ipad = (u_char *)state->foo;
748 opad = (u_char *)(ipad + 64);
749 ctxt = (SHA1_CTX *)(void *)(opad + 64);
750
751 SHA1Final((caddr_t)&digest[0], ctxt);
752
753 SHA1Init(ctxt);
754 SHA1Update(ctxt, opad, 64);
755 SHA1Update(ctxt, (caddr_t)&digest[0], sizeof(digest));
756 SHA1Final((caddr_t)&digest[0], ctxt);
757
758 bcopy(&digest[0], (void *)addr, sizeof(digest) > l ? l : sizeof(digest));
759
760 FREE(state->foo, M_TEMP);
761 }
762
763 #if AH_ALL_CRYPTO
764 static int
765 ah_sumsiz_sha2_256(sav)
766 struct secasvar *sav;
767 {
768 if (!sav)
769 return -1;
770 // return half the output size (in bytes), as per rfc 4868
771 return 16; // 256/(8*2)
772 }
773
774 static int
775 ah_hmac_sha2_256_mature(sav)
776 struct secasvar *sav;
777 {
778 const struct ah_algorithm *algo;
779
780 if (!sav->key_auth) {
781 ipseclog((LOG_ERR,
782 "ah_hmac_sha2_256_mature: no key is given.\n"));
783 return 1;
784 }
785
786 algo = ah_algorithm_lookup(sav->alg_auth);
787 if (!algo) {
788 ipseclog((LOG_ERR,
789 "ah_hmac_sha2_256_mature: unsupported algorithm.\n"));
790 return 1;
791 }
792
793 if (sav->key_auth->sadb_key_bits < algo->keymin ||
794 algo->keymax < sav->key_auth->sadb_key_bits) {
795 ipseclog((LOG_ERR,
796 "ah_hmac_sha2_256_mature: invalid key length %d.\n",
797 sav->key_auth->sadb_key_bits));
798 return 1;
799 }
800
801 return 0;
802 }
803
804 static int
805 ah_hmac_sha2_256_init(state, sav)
806 struct ah_algorithm_state *state;
807 struct secasvar *sav;
808 {
809 u_char *ipad;
810 u_char *opad;
811 SHA256_CTX *ctxt;
812 u_char tk[SHA256_DIGEST_LENGTH] __attribute__((aligned(4)));
813 u_char *key;
814 size_t keylen;
815 size_t i;
816
817 if (!state)
818 panic("ah_hmac_sha2_256_init: what?");
819
820 state->sav = sav;
821 state->foo = (void *)_MALLOC(64 + 64 + sizeof(SHA256_CTX),
822 M_TEMP, M_NOWAIT);
823 if (!state->foo)
824 return ENOBUFS;
825
826 ipad = (u_char *)state->foo;
827 opad = (u_char *)(ipad + 64);
828 ctxt = (SHA256_CTX *)(void *)(opad + 64);
829
830 /* compress the key if necessery */
831 if (64 < _KEYLEN(state->sav->key_auth)) {
832 bzero(tk, sizeof(tk));
833 bzero(ctxt, sizeof(*ctxt));
834 SHA256_Init(ctxt);
835 SHA256_Update(ctxt, (const u_int8_t *) _KEYBUF(state->sav->key_auth),
836 _KEYLEN(state->sav->key_auth));
837 SHA256_Final(&tk[0], ctxt);
838 key = &tk[0];
839 keylen = sizeof(tk) < 64 ? sizeof(tk) : 64;
840 } else {
841 key = (u_char *) _KEYBUF(state->sav->key_auth);
842 keylen = _KEYLEN(state->sav->key_auth);
843 }
844
845 bzero(ipad, 64);
846 bzero(opad, 64);
847 bcopy(key, ipad, keylen);
848 bcopy(key, opad, keylen);
849 for (i = 0; i < 64; i++) {
850 ipad[i] ^= 0x36;
851 opad[i] ^= 0x5c;
852 }
853
854 bzero(ctxt, sizeof(*ctxt));
855 SHA256_Init(ctxt);
856 SHA256_Update(ctxt, ipad, 64);
857
858 return 0;
859 }
860
861 static void
862 ah_hmac_sha2_256_loop(state, addr, len)
863 struct ah_algorithm_state *state;
864 caddr_t addr;
865 size_t len;
866 {
867 SHA256_CTX *ctxt;
868
869 if (!state || !state->foo)
870 panic("ah_hmac_sha2_256_loop: what?");
871
872 ctxt = (SHA256_CTX *)(void *)(((u_char *)state->foo) + 128);
873 SHA256_Update(ctxt, (const u_int8_t *)addr, (size_t)len);
874 }
875
876 static void
877 ah_hmac_sha2_256_result(state, addr, l)
878 struct ah_algorithm_state *state;
879 caddr_t addr;
880 size_t l;
881 {
882 u_char digest[SHA256_DIGEST_LENGTH] __attribute__((aligned(4)));
883 u_char *ipad;
884 u_char *opad;
885 SHA256_CTX *ctxt;
886
887 if (!state || !state->foo)
888 panic("ah_hmac_sha2_256_result: what?");
889
890 ipad = (u_char *)state->foo;
891 opad = (u_char *)(ipad + 64);
892 ctxt = (SHA256_CTX *)(void *)(opad + 64);
893
894 SHA256_Final((u_int8_t *)digest, ctxt);
895
896 SHA256_Init(ctxt);
897 SHA256_Update(ctxt, opad, 64);
898 SHA256_Update(ctxt, (const u_int8_t *)digest, sizeof(digest));
899 SHA256_Final((u_int8_t *)digest, ctxt);
900
901 bcopy(&digest[0], (void *)addr, sizeof(digest) > l ? l : sizeof(digest));
902
903 FREE(state->foo, M_TEMP);
904 }
905
906 static int
907 ah_sumsiz_sha2_384(sav)
908 struct secasvar *sav;
909 {
910 if (!sav)
911 return -1;
912 // return half the output size (in bytes), as per rfc 4868
913 return 24; // 384/(8*2)
914 }
915
916 static int
917 ah_hmac_sha2_384_mature(sav)
918 struct secasvar *sav;
919 {
920 const struct ah_algorithm *algo;
921
922 if (!sav->key_auth) {
923 ipseclog((LOG_ERR,
924 "ah_hmac_sha2_384_mature: no key is given.\n"));
925 return 1;
926 }
927
928 algo = ah_algorithm_lookup(sav->alg_auth);
929 if (!algo) {
930 ipseclog((LOG_ERR,
931 "ah_hmac_sha2_384_mature: unsupported algorithm.\n"));
932 return 1;
933 }
934
935 if (sav->key_auth->sadb_key_bits < algo->keymin ||
936 algo->keymax < sav->key_auth->sadb_key_bits) {
937 ipseclog((LOG_ERR,
938 "ah_hmac_sha2_384_mature: invalid key length %d.\n",
939 sav->key_auth->sadb_key_bits));
940 return 1;
941 }
942
943 return 0;
944 }
945
946 static int
947 ah_hmac_sha2_384_init(state, sav)
948 struct ah_algorithm_state *state;
949 struct secasvar *sav;
950 {
951 u_char *ipad;
952 u_char *opad;
953 SHA384_CTX *ctxt;
954 u_char tk[SHA384_DIGEST_LENGTH] __attribute__((aligned(4)));
955 u_char *key;
956 size_t keylen;
957 size_t i;
958
959 if (!state)
960 panic("ah_hmac_sha2_384_init: what?");
961
962 state->sav = sav;
963 state->foo = (void *)_MALLOC(128 + 128 + sizeof(SHA384_CTX),
964 M_TEMP, M_NOWAIT | M_ZERO);
965 if (!state->foo)
966 return ENOBUFS;
967
968 ipad = (u_char *)state->foo;
969 opad = (u_char *)(ipad + 128);
970 ctxt = (SHA384_CTX *)(void *)(opad + 128);
971
972 /* compress the key if necessery */
973 if (128 < _KEYLEN(state->sav->key_auth)) {
974 bzero(tk, sizeof(tk));
975 bzero(ctxt, sizeof(*ctxt));
976 SHA384_Init(ctxt);
977 SHA384_Update(ctxt, (const u_int8_t *) _KEYBUF(state->sav->key_auth),
978 _KEYLEN(state->sav->key_auth));
979 SHA384_Final(&tk[0], ctxt);
980 key = &tk[0];
981 keylen = sizeof(tk) < 128 ? sizeof(tk) : 128;
982 } else {
983 key = (u_char *) _KEYBUF(state->sav->key_auth);
984 keylen = _KEYLEN(state->sav->key_auth);
985 }
986
987 bzero(ipad, 128);
988 bzero(opad, 128);
989 bcopy(key, ipad, keylen);
990 bcopy(key, opad, keylen);
991 for (i = 0; i < 128; i++) {
992 ipad[i] ^= 0x36;
993 opad[i] ^= 0x5c;
994 }
995
996 bzero(ctxt, sizeof(*ctxt));
997 SHA384_Init(ctxt);
998 SHA384_Update(ctxt, ipad, 128);
999
1000 return 0;
1001 }
1002
1003 static void
1004 ah_hmac_sha2_384_loop(state, addr, len)
1005 struct ah_algorithm_state *state;
1006 caddr_t addr;
1007 size_t len;
1008 {
1009 SHA384_CTX *ctxt;
1010
1011 if (!state || !state->foo)
1012 panic("ah_hmac_sha2_384_loop: what?");
1013
1014 ctxt = (SHA384_CTX *)(void *)(((u_char *)state->foo) + 256);
1015 SHA384_Update(ctxt, (const u_int8_t *)addr, (size_t)len);
1016 }
1017
1018 static void
1019 ah_hmac_sha2_384_result(state, addr, l)
1020 struct ah_algorithm_state *state;
1021 caddr_t addr;
1022 size_t l;
1023 {
1024 u_char digest[SHA384_DIGEST_LENGTH];
1025 u_char *ipad;
1026 u_char *opad;
1027 SHA384_CTX *ctxt;
1028
1029 if (!state || !state->foo)
1030 panic("ah_hmac_sha2_384_result: what?");
1031
1032 ipad = (u_char *)state->foo;
1033 opad = (u_char *)(ipad + 128);
1034 ctxt = (SHA384_CTX *)(void *)(opad + 128);
1035
1036 SHA384_Final((u_int8_t *)digest, ctxt);
1037
1038 SHA384_Init(ctxt);
1039 SHA384_Update(ctxt, opad, 128);
1040 SHA384_Update(ctxt, (const u_int8_t *)digest, sizeof(digest));
1041 SHA384_Final((u_int8_t *)digest, ctxt);
1042
1043 bcopy(&digest[0], (void *)addr, sizeof(digest) > l ? l : sizeof(digest));
1044
1045 FREE(state->foo, M_TEMP);
1046 }
1047
1048 static int
1049 ah_sumsiz_sha2_512(sav)
1050 struct secasvar *sav;
1051 {
1052 if (!sav)
1053 return -1;
1054 // return half the output size (in bytes), as per rfc 4868
1055 return 32; // 512/(8*2)
1056 }
1057
1058 static int
1059 ah_hmac_sha2_512_mature(sav)
1060 struct secasvar *sav;
1061 {
1062 const struct ah_algorithm *algo;
1063
1064 if (!sav->key_auth) {
1065 ipseclog((LOG_ERR,
1066 "ah_hmac_sha2_512_mature: no key is given.\n"));
1067 return 1;
1068 }
1069
1070 algo = ah_algorithm_lookup(sav->alg_auth);
1071 if (!algo) {
1072 ipseclog((LOG_ERR,
1073 "ah_hmac_sha2_512_mature: unsupported algorithm.\n"));
1074 return 1;
1075 }
1076
1077 if (sav->key_auth->sadb_key_bits < algo->keymin ||
1078 algo->keymax < sav->key_auth->sadb_key_bits) {
1079 ipseclog((LOG_ERR,
1080 "ah_hmac_sha2_512_mature: invalid key length %d.\n",
1081 sav->key_auth->sadb_key_bits));
1082 return 1;
1083 }
1084
1085 return 0;
1086 }
1087
1088 static int
1089 ah_hmac_sha2_512_init(state, sav)
1090 struct ah_algorithm_state *state;
1091 struct secasvar *sav;
1092 {
1093 u_char *ipad;
1094 u_char *opad;
1095 SHA512_CTX *ctxt;
1096 u_char tk[SHA512_DIGEST_LENGTH] __attribute__((aligned(4)));
1097 u_char *key;
1098 size_t keylen;
1099 size_t i;
1100
1101 if (!state)
1102 panic("ah_hmac_sha2_512_init: what?");
1103
1104 state->sav = sav;
1105 state->foo = (void *)_MALLOC(128 + 128 + sizeof(SHA512_CTX),
1106 M_TEMP, M_NOWAIT | M_ZERO);
1107 if (!state->foo)
1108 return ENOBUFS;
1109
1110 ipad = (u_char *)state->foo;
1111 opad = (u_char *)(ipad + 128);
1112 ctxt = (SHA512_CTX *)(void *)(opad + 128);
1113
1114 /* compress the key if necessery */
1115 if (128 < _KEYLEN(state->sav->key_auth)) {
1116 bzero(tk, sizeof(tk));
1117 bzero(ctxt, sizeof(*ctxt));
1118 SHA512_Init(ctxt);
1119 SHA512_Update(ctxt, (const u_int8_t *) _KEYBUF(state->sav->key_auth),
1120 _KEYLEN(state->sav->key_auth));
1121 SHA512_Final(&tk[0], ctxt);
1122 key = &tk[0];
1123 keylen = sizeof(tk) < 128 ? sizeof(tk) : 128;
1124 } else {
1125 key = (u_char *) _KEYBUF(state->sav->key_auth);
1126 keylen = _KEYLEN(state->sav->key_auth);
1127 }
1128
1129 bzero(ipad, 128);
1130 bzero(opad, 128);
1131 bcopy(key, ipad, keylen);
1132 bcopy(key, opad, keylen);
1133 for (i = 0; i < 128; i++) {
1134 ipad[i] ^= 0x36;
1135 opad[i] ^= 0x5c;
1136 }
1137
1138 bzero(ctxt, sizeof(*ctxt));
1139 SHA512_Init(ctxt);
1140 SHA512_Update(ctxt, ipad, 128);
1141
1142 return 0;
1143 }
1144
1145 static void
1146 ah_hmac_sha2_512_loop(state, addr, len)
1147 struct ah_algorithm_state *state;
1148 caddr_t addr;
1149 size_t len;
1150 {
1151 SHA512_CTX *ctxt;
1152
1153 if (!state || !state->foo)
1154 panic("ah_hmac_sha2_512_loop: what?");
1155
1156 ctxt = (SHA512_CTX *)(void *)(((u_char *)state->foo) + 256);
1157 SHA512_Update(ctxt, (const u_int8_t *) addr, (size_t)len);
1158 }
1159
1160 static void
1161 ah_hmac_sha2_512_result(state, addr, l)
1162 struct ah_algorithm_state *state;
1163 caddr_t addr;
1164 size_t l;
1165 {
1166 u_char digest[SHA512_DIGEST_LENGTH] __attribute__((aligned(4)));
1167 u_char *ipad;
1168 u_char *opad;
1169 SHA512_CTX *ctxt;
1170
1171 if (!state || !state->foo)
1172 panic("ah_hmac_sha2_512_result: what?");
1173
1174 ipad = (u_char *)state->foo;
1175 opad = (u_char *)(ipad + 128);
1176 ctxt = (SHA512_CTX *)(void *)(opad + 128);
1177
1178 SHA512_Final((u_int8_t *)digest, ctxt);
1179
1180 SHA512_Init(ctxt);
1181 SHA512_Update(ctxt, opad, 128);
1182 SHA512_Update(ctxt, (const u_int8_t *)digest, sizeof(digest));
1183 SHA512_Final((u_int8_t *)digest, ctxt);
1184
1185 bcopy(&digest[0], (void *)addr, sizeof(digest) > l ? l : sizeof(digest));
1186
1187 FREE(state->foo, M_TEMP);
1188 }
1189 #endif /* AH_ALL_CRYPTO */
1190
1191 /*------------------------------------------------------------*/
1192
1193 /*
1194 * go generate the checksum.
1195 */
1196 static void
1197 ah_update_mbuf(m, off, len, algo, algos)
1198 struct mbuf *m;
1199 int off;
1200 int len;
1201 const struct ah_algorithm *algo;
1202 struct ah_algorithm_state *algos;
1203 {
1204 struct mbuf *n;
1205 int tlen;
1206
1207 /* easy case first */
1208 if (off + len <= m->m_len) {
1209 (algo->update)(algos, mtod(m, caddr_t) + off, len);
1210 return;
1211 }
1212
1213 for (n = m; n; n = n->m_next) {
1214 if (off < n->m_len)
1215 break;
1216
1217 off -= n->m_len;
1218 }
1219
1220 if (!n)
1221 panic("ah_update_mbuf: wrong offset specified");
1222
1223 for (/*nothing*/; n && len > 0; n = n->m_next) {
1224 if (n->m_len == 0)
1225 continue;
1226 if (n->m_len - off < len)
1227 tlen = n->m_len - off;
1228 else
1229 tlen = len;
1230
1231 (algo->update)(algos, mtod(n, caddr_t) + off, tlen);
1232
1233 len -= tlen;
1234 off = 0;
1235 }
1236 }
1237
1238 #if INET
1239 /*
1240 * Go generate the checksum. This function won't modify the mbuf chain
1241 * except AH itself.
1242 *
1243 * NOTE: the function does not free mbuf on failure.
1244 * Don't use m_copy(), it will try to share cluster mbuf by using refcnt.
1245 */
1246 int
1247 ah4_calccksum(m, ahdat, len, algo, sav)
1248 struct mbuf *m;
1249 caddr_t ahdat;
1250 size_t len;
1251 const struct ah_algorithm *algo;
1252 struct secasvar *sav;
1253 {
1254 int off;
1255 int hdrtype;
1256 size_t advancewidth;
1257 struct ah_algorithm_state algos;
1258 u_char sumbuf[AH_MAXSUMSIZE] __attribute__((aligned(4)));
1259 int error = 0;
1260 int ahseen;
1261 struct mbuf *n = NULL;
1262
1263 if ((m->m_flags & M_PKTHDR) == 0)
1264 return EINVAL;
1265
1266 ahseen = 0;
1267 hdrtype = -1; /*dummy, it is called IPPROTO_IP*/
1268
1269 off = 0;
1270
1271 error = (algo->init)(&algos, sav);
1272 if (error)
1273 return error;
1274
1275 advancewidth = 0; /*safety*/
1276
1277 again:
1278 /* gory. */
1279 switch (hdrtype) {
1280 case -1: /*first one only*/
1281 {
1282 /*
1283 * copy ip hdr, modify to fit the AH checksum rule,
1284 * then take a checksum.
1285 */
1286 struct ip iphdr;
1287 size_t hlen;
1288
1289 m_copydata(m, off, sizeof(iphdr), (caddr_t)&iphdr);
1290 #if _IP_VHL
1291 hlen = IP_VHL_HL(iphdr.ip_vhl) << 2;
1292 #else
1293 hlen = iphdr.ip_hl << 2;
1294 #endif
1295 iphdr.ip_ttl = 0;
1296 iphdr.ip_sum = htons(0);
1297 if (ip4_ah_cleartos)
1298 iphdr.ip_tos = 0;
1299 iphdr.ip_off = htons(ntohs(iphdr.ip_off) & ip4_ah_offsetmask);
1300 (algo->update)(&algos, (caddr_t)&iphdr, sizeof(struct ip));
1301
1302 if (hlen != sizeof(struct ip)) {
1303 u_char *p;
1304 int i, l, skip;
1305
1306 if (hlen > MCLBYTES) {
1307 error = EMSGSIZE;
1308 goto fail;
1309 }
1310 MGET(n, M_DONTWAIT, MT_DATA);
1311 if (n && hlen > MLEN) {
1312 MCLGET(n, M_DONTWAIT);
1313 if ((n->m_flags & M_EXT) == 0) {
1314 m_free(n);
1315 n = NULL;
1316 }
1317 }
1318 if (n == NULL) {
1319 error = ENOBUFS;
1320 goto fail;
1321 }
1322 m_copydata(m, off, hlen, mtod(n, caddr_t));
1323
1324 /*
1325 * IP options processing.
1326 * See RFC2402 appendix A.
1327 */
1328 p = mtod(n, u_char *);
1329 i = sizeof(struct ip);
1330 while (i < hlen) {
1331 if (i + IPOPT_OPTVAL >= hlen) {
1332 ipseclog((LOG_ERR, "ah4_calccksum: "
1333 "invalid IP option\n"));
1334 error = EINVAL;
1335 goto fail;
1336 }
1337 if (p[i + IPOPT_OPTVAL] == IPOPT_EOL ||
1338 p[i + IPOPT_OPTVAL] == IPOPT_NOP ||
1339 i + IPOPT_OLEN < hlen)
1340 ;
1341 else {
1342 ipseclog((LOG_ERR,
1343 "ah4_calccksum: invalid IP option "
1344 "(type=%02x)\n",
1345 p[i + IPOPT_OPTVAL]));
1346 error = EINVAL;
1347 goto fail;
1348 }
1349
1350 skip = 1;
1351 switch (p[i + IPOPT_OPTVAL]) {
1352 case IPOPT_EOL:
1353 case IPOPT_NOP:
1354 l = 1;
1355 skip = 0;
1356 break;
1357 case IPOPT_SECURITY: /* 0x82 */
1358 case 0x85: /* Extended security */
1359 case 0x86: /* Commercial security */
1360 case 0x94: /* Router alert */
1361 case 0x95: /* RFC1770 */
1362 l = p[i + IPOPT_OLEN];
1363 if (l < 2)
1364 goto invalopt;
1365 skip = 0;
1366 break;
1367 default:
1368 l = p[i + IPOPT_OLEN];
1369 if (l < 2)
1370 goto invalopt;
1371 skip = 1;
1372 break;
1373 }
1374 if (l < 1 || hlen - i < l) {
1375 invalopt:
1376 ipseclog((LOG_ERR,
1377 "ah4_calccksum: invalid IP option "
1378 "(type=%02x len=%02x)\n",
1379 p[i + IPOPT_OPTVAL],
1380 p[i + IPOPT_OLEN]));
1381 error = EINVAL;
1382 goto fail;
1383 }
1384 if (skip)
1385 bzero(p + i, l);
1386 if (p[i + IPOPT_OPTVAL] == IPOPT_EOL)
1387 break;
1388 i += l;
1389 }
1390
1391 p = mtod(n, u_char *) + sizeof(struct ip);
1392 (algo->update)(&algos, (caddr_t)p, hlen - sizeof(struct ip));
1393
1394 m_free(n);
1395 n = NULL;
1396 }
1397
1398 hdrtype = (iphdr.ip_p) & 0xff;
1399 advancewidth = hlen;
1400 break;
1401 }
1402
1403 case IPPROTO_AH:
1404 {
1405 struct ah ah;
1406 int siz;
1407 int hdrsiz;
1408 int totlen;
1409
1410 m_copydata(m, off, sizeof(ah), (caddr_t)&ah);
1411 hdrsiz = (sav->flags & SADB_X_EXT_OLD)
1412 ? sizeof(struct ah)
1413 : sizeof(struct newah);
1414 siz = (*algo->sumsiz)(sav);
1415 totlen = (ah.ah_len + 2) << 2;
1416
1417 /*
1418 * special treatment is necessary for the first one, not others
1419 */
1420 if (!ahseen) {
1421 if (totlen > m->m_pkthdr.len - off ||
1422 totlen > MCLBYTES) {
1423 error = EMSGSIZE;
1424 goto fail;
1425 }
1426 MGET(n, M_DONTWAIT, MT_DATA);
1427 if (n && totlen > MLEN) {
1428 MCLGET(n, M_DONTWAIT);
1429 if ((n->m_flags & M_EXT) == 0) {
1430 m_free(n);
1431 n = NULL;
1432 }
1433 }
1434 if (n == NULL) {
1435 error = ENOBUFS;
1436 goto fail;
1437 }
1438 m_copydata(m, off, totlen, mtod(n, caddr_t));
1439 n->m_len = totlen;
1440 bzero(mtod(n, caddr_t) + hdrsiz, siz);
1441 (algo->update)(&algos, mtod(n, caddr_t), n->m_len);
1442 m_free(n);
1443 n = NULL;
1444 } else
1445 ah_update_mbuf(m, off, totlen, algo, &algos);
1446 ahseen++;
1447
1448 hdrtype = ah.ah_nxt;
1449 advancewidth = totlen;
1450 break;
1451 }
1452
1453 default:
1454 ah_update_mbuf(m, off, m->m_pkthdr.len - off, algo, &algos);
1455 advancewidth = m->m_pkthdr.len - off;
1456 break;
1457 }
1458
1459 off += advancewidth;
1460 if (off < m->m_pkthdr.len)
1461 goto again;
1462
1463 if (len < (*algo->sumsiz)(sav)) {
1464 error = EINVAL;
1465 goto fail;
1466 }
1467
1468 (algo->result)(&algos, (caddr_t) &sumbuf[0], sizeof(sumbuf));
1469 bcopy(&sumbuf[0], ahdat, (*algo->sumsiz)(sav));
1470
1471 if (n)
1472 m_free(n);
1473 return error;
1474
1475 fail:
1476 if (n)
1477 m_free(n);
1478 return error;
1479 }
1480 #endif
1481
1482 #if INET6
1483 /*
1484 * Go generate the checksum. This function won't modify the mbuf chain
1485 * except AH itself.
1486 *
1487 * NOTE: the function does not free mbuf on failure.
1488 * Don't use m_copy(), it will try to share cluster mbuf by using refcnt.
1489 */
1490 int
1491 ah6_calccksum(m, ahdat, len, algo, sav)
1492 struct mbuf *m;
1493 caddr_t ahdat;
1494 size_t len;
1495 const struct ah_algorithm *algo;
1496 struct secasvar *sav;
1497 {
1498 int newoff, off;
1499 int proto, nxt;
1500 struct mbuf *n = NULL;
1501 int error;
1502 int ahseen;
1503 struct ah_algorithm_state algos;
1504 u_char sumbuf[AH_MAXSUMSIZE] __attribute__((aligned(4)));
1505
1506 if ((m->m_flags & M_PKTHDR) == 0)
1507 return EINVAL;
1508
1509 error = (algo->init)(&algos, sav);
1510 if (error)
1511 return error;
1512
1513 off = 0;
1514 proto = IPPROTO_IPV6;
1515 nxt = -1;
1516 ahseen = 0;
1517
1518 again:
1519 newoff = ip6_nexthdr(m, off, proto, &nxt);
1520 if (newoff < 0)
1521 newoff = m->m_pkthdr.len;
1522 else if (newoff <= off) {
1523 error = EINVAL;
1524 goto fail;
1525 }
1526
1527 switch (proto) {
1528 case IPPROTO_IPV6:
1529 /*
1530 * special treatment is necessary for the first one, not others
1531 */
1532 if (off == 0) {
1533 struct ip6_hdr ip6copy;
1534
1535 if (newoff - off != sizeof(struct ip6_hdr)) {
1536 error = EINVAL;
1537 goto fail;
1538 }
1539
1540 m_copydata(m, off, newoff - off, (caddr_t)&ip6copy);
1541 /* RFC2402 */
1542 ip6copy.ip6_flow = 0;
1543 ip6copy.ip6_vfc &= ~IPV6_VERSION_MASK;
1544 ip6copy.ip6_vfc |= IPV6_VERSION;
1545 ip6copy.ip6_hlim = 0;
1546 if (IN6_IS_ADDR_LINKLOCAL(&ip6copy.ip6_src))
1547 ip6copy.ip6_src.s6_addr16[1] = 0x0000;
1548 if (IN6_IS_ADDR_LINKLOCAL(&ip6copy.ip6_dst))
1549 ip6copy.ip6_dst.s6_addr16[1] = 0x0000;
1550 (algo->update)(&algos, (caddr_t)&ip6copy,
1551 sizeof(struct ip6_hdr));
1552 } else {
1553 newoff = m->m_pkthdr.len;
1554 ah_update_mbuf(m, off, m->m_pkthdr.len - off, algo,
1555 &algos);
1556 }
1557 break;
1558
1559 case IPPROTO_AH:
1560 {
1561 int siz;
1562 int hdrsiz;
1563
1564 hdrsiz = (sav->flags & SADB_X_EXT_OLD)
1565 ? sizeof(struct ah)
1566 : sizeof(struct newah);
1567 siz = (*algo->sumsiz)(sav);
1568
1569 /*
1570 * special treatment is necessary for the first one, not others
1571 */
1572 if (!ahseen) {
1573 if (newoff - off > MCLBYTES) {
1574 error = EMSGSIZE;
1575 goto fail;
1576 }
1577 MGET(n, M_DONTWAIT, MT_DATA);
1578 if (n && newoff - off > MLEN) {
1579 MCLGET(n, M_DONTWAIT);
1580 if ((n->m_flags & M_EXT) == 0) {
1581 m_free(n);
1582 n = NULL;
1583 }
1584 }
1585 if (n == NULL) {
1586 error = ENOBUFS;
1587 goto fail;
1588 }
1589 m_copydata(m, off, newoff - off, mtod(n, caddr_t));
1590 n->m_len = newoff - off;
1591 bzero(mtod(n, caddr_t) + hdrsiz, siz);
1592 (algo->update)(&algos, mtod(n, caddr_t), n->m_len);
1593 m_free(n);
1594 n = NULL;
1595 } else
1596 ah_update_mbuf(m, off, newoff - off, algo, &algos);
1597 ahseen++;
1598 break;
1599 }
1600
1601 case IPPROTO_HOPOPTS:
1602 case IPPROTO_DSTOPTS:
1603 {
1604 struct ip6_ext *ip6e;
1605 int hdrlen, optlen;
1606 u_int8_t *p, *optend, *optp;
1607
1608 if (newoff - off > MCLBYTES) {
1609 error = EMSGSIZE;
1610 goto fail;
1611 }
1612 MGET(n, M_DONTWAIT, MT_DATA);
1613 if (n && newoff - off > MLEN) {
1614 MCLGET(n, M_DONTWAIT);
1615 if ((n->m_flags & M_EXT) == 0) {
1616 m_free(n);
1617 n = NULL;
1618 }
1619 }
1620 if (n == NULL) {
1621 error = ENOBUFS;
1622 goto fail;
1623 }
1624 m_copydata(m, off, newoff - off, mtod(n, caddr_t));
1625 n->m_len = newoff - off;
1626
1627 ip6e = mtod(n, struct ip6_ext *);
1628 hdrlen = (ip6e->ip6e_len + 1) << 3;
1629 if (newoff - off < hdrlen) {
1630 error = EINVAL;
1631 m_free(n);
1632 n = NULL;
1633 goto fail;
1634 }
1635 p = mtod(n, u_int8_t *);
1636 optend = p + hdrlen;
1637
1638 /*
1639 * ICV calculation for the options header including all
1640 * options. This part is a little tricky since there are
1641 * two type of options; mutable and immutable. We try to
1642 * null-out mutable ones here.
1643 */
1644 optp = p + 2;
1645 while (optp < optend) {
1646 if (optp[0] == IP6OPT_PAD1)
1647 optlen = 1;
1648 else {
1649 if (optp + 2 > optend) {
1650 error = EINVAL;
1651 m_free(n);
1652 n = NULL;
1653 goto fail;
1654 }
1655 optlen = optp[1] + 2;
1656
1657 if (optp[0] & IP6OPT_MUTABLE)
1658 bzero(optp + 2, optlen - 2);
1659 }
1660
1661 optp += optlen;
1662 }
1663
1664 (algo->update)(&algos, mtod(n, caddr_t), n->m_len);
1665 m_free(n);
1666 n = NULL;
1667 break;
1668 }
1669
1670 case IPPROTO_ROUTING:
1671 /*
1672 * For an input packet, we can just calculate `as is'.
1673 * For an output packet, we assume ip6_output have already
1674 * made packet how it will be received at the final
1675 * destination.
1676 */
1677 /* FALLTHROUGH */
1678
1679 default:
1680 ah_update_mbuf(m, off, newoff - off, algo, &algos);
1681 break;
1682 }
1683
1684 if (newoff < m->m_pkthdr.len) {
1685 proto = nxt;
1686 off = newoff;
1687 goto again;
1688 }
1689
1690 if (len < (*algo->sumsiz)(sav)) {
1691 error = EINVAL;
1692 goto fail;
1693 }
1694
1695 (algo->result)(&algos, (caddr_t) &sumbuf[0], sizeof(sumbuf));
1696 bcopy(&sumbuf[0], ahdat, (*algo->sumsiz)(sav));
1697
1698 /* just in case */
1699 if (n)
1700 m_free(n);
1701 return 0;
1702 fail:
1703 /* just in case */
1704 if (n)
1705 m_free(n);
1706 return error;
1707 }
1708 #endif
mirror of XNU