]> git.saurik.com Git - apple/xnu.git/blob - bsd/netinet6/esp_core.c
projects / apple / xnu.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
xnu-3789.1.32.tar.gz
[apple/xnu.git] / bsd / netinet6 / esp_core.c
1 /*
2 * Copyright (c) 2008-2016 Apple Inc. All rights reserved.
3 *
4 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. The rights granted to you under the License
10 * may not be used to create, or enable the creation or redistribution of,
11 * unlawful or unlicensed copies of an Apple operating system, or to
12 * circumvent, violate, or enable the circumvention or violation of, any
13 * terms of an Apple operating system software license agreement.
14 *
15 * Please obtain a copy of the License at
16 * http://www.opensource.apple.com/apsl/ and read it before using this file.
17 *
18 * The Original Code and all software distributed under the License are
19 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
20 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
21 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
22 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
23 * Please see the License for the specific language governing rights and
24 * limitations under the License.
25 *
26 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
27 */
28
29 /* $FreeBSD: src/sys/netinet6/esp_core.c,v 1.1.2.4 2002/03/26 10:12:29 ume Exp $ */
30 /* $KAME: esp_core.c,v 1.50 2000/11/02 12:27:38 itojun Exp $ */
31
32 /*
33 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
34 * All rights reserved.
35 *
36 * Redistribution and use in source and binary forms, with or without
37 * modification, are permitted provided that the following conditions
38 * are met:
39 * 1. Redistributions of source code must retain the above copyright
40 * notice, this list of conditions and the following disclaimer.
41 * 2. Redistributions in binary form must reproduce the above copyright
42 * notice, this list of conditions and the following disclaimer in the
43 * documentation and/or other materials provided with the distribution.
44 * 3. Neither the name of the project nor the names of its contributors
45 * may be used to endorse or promote products derived from this software
46 * without specific prior written permission.
47 *
48 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
49 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
50 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
51 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
52 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
53 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
54 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
55 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
56 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
57 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
58 * SUCH DAMAGE.
59 */
60
61 #define _IP_VHL
62
63 #include <sys/param.h>
64 #include <sys/systm.h>
65 #include <sys/malloc.h>
66 #include <sys/mbuf.h>
67 #include <sys/domain.h>
68 #include <sys/protosw.h>
69 #include <sys/socket.h>
70 #include <sys/errno.h>
71 #include <sys/time.h>
72 #include <sys/kernel.h>
73 #include <sys/syslog.h>
74
75 #include <kern/locks.h>
76
77 #include <net/if.h>
78 #include <net/route.h>
79
80 #include <netinet/in.h>
81 #include <netinet/in_var.h>
82 #if INET6
83 #include <netinet/ip6.h>
84 #include <netinet6/ip6_var.h>
85 #include <netinet/icmp6.h>
86 #endif
87
88 #include <netinet6/ipsec.h>
89 #if INET6
90 #include <netinet6/ipsec6.h>
91 #endif
92 #include <netinet6/ah.h>
93 #if INET6
94 #include <netinet6/ah6.h>
95 #endif
96 #include <netinet6/esp.h>
97 #if INET6
98 #include <netinet6/esp6.h>
99 #endif
100 #include <netinet6/esp_rijndael.h>
101 #include <net/pfkeyv2.h>
102 #include <netkey/keydb.h>
103 #include <netkey/key.h>
104 #include <libkern/crypto/des.h>
105
106 #include <net/net_osdep.h>
107
108 #include <sys/kdebug.h>
109 #define DBG_LAYER_BEG NETDBG_CODE(DBG_NETIPSEC, 1)
110 #define DBG_LAYER_END NETDBG_CODE(DBG_NETIPSEC, 3)
111 #define DBG_FNC_ESPAUTH NETDBG_CODE(DBG_NETIPSEC, (8 << 8))
112 #define MAX_SBUF_LEN 2000
113
114 extern lck_mtx_t *sadb_mutex;
115
116 static int esp_null_mature(struct secasvar *);
117 static int esp_null_decrypt(struct mbuf *, size_t,
118 struct secasvar *, const struct esp_algorithm *, int);
119 static int esp_null_encrypt(struct mbuf *, size_t, size_t,
120 struct secasvar *, const struct esp_algorithm *, int);
121 static int esp_descbc_mature(struct secasvar *);
122 static int esp_descbc_ivlen(const struct esp_algorithm *,
123 struct secasvar *);
124 static int esp_des_schedule(const struct esp_algorithm *,
125 struct secasvar *);
126 static int esp_des_schedlen(const struct esp_algorithm *);
127 static int esp_des_blockdecrypt(const struct esp_algorithm *,
128 struct secasvar *, u_int8_t *, u_int8_t *);
129 static int esp_des_blockencrypt(const struct esp_algorithm *,
130 struct secasvar *, u_int8_t *, u_int8_t *);
131 static int esp_cbc_mature(struct secasvar *);
132 static int esp_3des_schedule(const struct esp_algorithm *,
133 struct secasvar *);
134 static int esp_3des_schedlen(const struct esp_algorithm *);
135 static int esp_3des_blockdecrypt(const struct esp_algorithm *,
136 struct secasvar *, u_int8_t *, u_int8_t *);
137 static int esp_3des_blockencrypt(const struct esp_algorithm *,
138 struct secasvar *, u_int8_t *, u_int8_t *);
139 static int esp_common_ivlen(const struct esp_algorithm *,
140 struct secasvar *);
141 static int esp_cbc_decrypt(struct mbuf *, size_t,
142 struct secasvar *, const struct esp_algorithm *, int);
143 static int esp_cbc_encrypt(struct mbuf *, size_t, size_t,
144 struct secasvar *, const struct esp_algorithm *, int);
145 static int esp_gcm_mature(struct secasvar *);
146
147 #define MAXIVLEN 16
148
149 #define ESP_AESGCM_KEYLEN128 160 // 16-bytes key + 4 bytes salt
150 #define ESP_AESGCM_KEYLEN192 224 // 24-bytes key + 4 bytes salt
151 #define ESP_AESGCM_KEYLEN256 288 // 32-bytes key + 4 bytes salt
152
153 static const struct esp_algorithm des_cbc =
154 { 8, -1, esp_descbc_mature, 64, 64, esp_des_schedlen,
155 "des-cbc",
156 esp_descbc_ivlen, esp_cbc_decrypt,
157 esp_cbc_encrypt, esp_des_schedule,
158 esp_des_blockdecrypt, esp_des_blockencrypt,
159 0, 0, 0 };
160 static const struct esp_algorithm des3_cbc =
161 { 8, 8, esp_cbc_mature, 192, 192, esp_3des_schedlen,
162 "3des-cbc",
163 esp_common_ivlen, esp_cbc_decrypt,
164 esp_cbc_encrypt, esp_3des_schedule,
165 esp_3des_blockdecrypt, esp_3des_blockencrypt,
166 0, 0, 0 };
167 static const struct esp_algorithm null_esp =
168 { 1, 0, esp_null_mature, 0, 2048, 0, "null",
169 esp_common_ivlen, esp_null_decrypt,
170 esp_null_encrypt, NULL, NULL, NULL,
171 0, 0, 0 };
172 static const struct esp_algorithm aes_cbc =
173 { 16, 16, esp_cbc_mature, 128, 256, esp_aes_schedlen,
174 "aes-cbc",
175 esp_common_ivlen, esp_cbc_decrypt_aes,
176 esp_cbc_encrypt_aes, esp_aes_schedule,
177 0, 0,
178 0, 0, 0 };
179 static const struct esp_algorithm aes_gcm =
180 { 4, 8, esp_gcm_mature, ESP_AESGCM_KEYLEN128, ESP_AESGCM_KEYLEN256, esp_gcm_schedlen,
181 "aes-gcm",
182 esp_common_ivlen, esp_gcm_decrypt_aes,
183 esp_gcm_encrypt_aes, esp_gcm_schedule,
184 0, 0,
185 16, esp_gcm_decrypt_finalize, esp_gcm_encrypt_finalize};
186
187 static const struct esp_algorithm *esp_algorithms[] = {
188 &des_cbc,
189 &des3_cbc,
190 &null_esp,
191 &aes_cbc,
192 &aes_gcm,
193 };
194
195 const struct esp_algorithm *
196 esp_algorithm_lookup(int idx)
197 {
198 switch (idx) {
199 case SADB_EALG_DESCBC:
200 return &des_cbc;
201 case SADB_EALG_3DESCBC:
202 return &des3_cbc;
203 case SADB_EALG_NULL:
204 return &null_esp;
205 case SADB_X_EALG_RIJNDAELCBC:
206 return &aes_cbc;
207 case SADB_X_EALG_AES_GCM:
208 return &aes_gcm;
209 default:
210 return NULL;
211 }
212 }
213
214 int
215 esp_max_ivlen(void)
216 {
217 int idx;
218 int ivlen;
219
220 ivlen = 0;
221 for (idx = 0; idx < sizeof(esp_algorithms)/sizeof(esp_algorithms[0]);
222 idx++) {
223 if (esp_algorithms[idx]->ivlenval > ivlen)
224 ivlen = esp_algorithms[idx]->ivlenval;
225 }
226
227 return ivlen;
228 }
229
230 int
231 esp_schedule(const struct esp_algorithm *algo, struct secasvar *sav)
232 {
233 int error;
234
235 /* check for key length */
236 if (_KEYBITS(sav->key_enc) < algo->keymin ||
237 _KEYBITS(sav->key_enc) > algo->keymax) {
238 ipseclog((LOG_ERR,
239 "esp_schedule %s: unsupported key length %d: "
240 "needs %d to %d bits\n", algo->name, _KEYBITS(sav->key_enc),
241 algo->keymin, algo->keymax));
242 return EINVAL;
243 }
244
245 lck_mtx_lock(sadb_mutex);
246 /* already allocated */
247 if (sav->sched && sav->schedlen != 0) {
248 lck_mtx_unlock(sadb_mutex);
249 return 0;
250 }
251 /* no schedule necessary */
252 if (!algo->schedule || !algo->schedlen) {
253 lck_mtx_unlock(sadb_mutex);
254 return 0;
255 }
256
257 sav->schedlen = (*algo->schedlen)(algo);
258 if ((signed) sav->schedlen < 0) {
259 lck_mtx_unlock(sadb_mutex);
260 return EINVAL;
261 }
262
263 //#### that malloc should be replaced by a saved buffer...
264 sav->sched = _MALLOC(sav->schedlen, M_SECA, M_DONTWAIT);
265 if (!sav->sched) {
266 sav->schedlen = 0;
267 lck_mtx_unlock(sadb_mutex);
268 return ENOBUFS;
269 }
270
271 error = (*algo->schedule)(algo, sav);
272 if (error) {
273 ipseclog((LOG_ERR, "esp_schedule %s: error %d\n",
274 algo->name, error));
275 bzero(sav->sched, sav->schedlen);
276 FREE(sav->sched, M_SECA);
277 sav->sched = NULL;
278 sav->schedlen = 0;
279 }
280 lck_mtx_unlock(sadb_mutex);
281 return error;
282 }
283
284 static int
285 esp_null_mature(
286 __unused struct secasvar *sav)
287 {
288
289 /* anything is okay */
290 return 0;
291 }
292
293 static int
294 esp_null_decrypt(
295 __unused struct mbuf *m,
296 __unused size_t off, /* offset to ESP header */
297 __unused struct secasvar *sav,
298 __unused const struct esp_algorithm *algo,
299 __unused int ivlen)
300 {
301
302 return 0; /* do nothing */
303 }
304
305 static int
306 esp_null_encrypt(
307 __unused struct mbuf *m,
308 __unused size_t off, /* offset to ESP header */
309 __unused size_t plen, /* payload length (to be encrypted) */
310 __unused struct secasvar *sav,
311 __unused const struct esp_algorithm *algo,
312 __unused int ivlen)
313 {
314
315 return 0; /* do nothing */
316 }
317
318 static int
319 esp_descbc_mature(struct secasvar *sav)
320 {
321 const struct esp_algorithm *algo;
322
323 if (!(sav->flags & SADB_X_EXT_OLD) && (sav->flags & SADB_X_EXT_IV4B)) {
324 ipseclog((LOG_ERR, "esp_cbc_mature: "
325 "algorithm incompatible with 4 octets IV length\n"));
326 return 1;
327 }
328
329 if (!sav->key_enc) {
330 ipseclog((LOG_ERR, "esp_descbc_mature: no key is given.\n"));
331 return 1;
332 }
333
334 algo = esp_algorithm_lookup(sav->alg_enc);
335 if (!algo) {
336 ipseclog((LOG_ERR,
337 "esp_descbc_mature: unsupported algorithm.\n"));
338 return 1;
339 }
340
341 if (_KEYBITS(sav->key_enc) < algo->keymin ||
342 _KEYBITS(sav->key_enc) > algo->keymax) {
343 ipseclog((LOG_ERR,
344 "esp_descbc_mature: invalid key length %d.\n",
345 _KEYBITS(sav->key_enc)));
346 return 1;
347 }
348
349 /* weak key check */
350 if (des_is_weak_key((des_cblock *)_KEYBUF(sav->key_enc))) {
351 ipseclog((LOG_ERR,
352 "esp_descbc_mature: weak key was passed.\n"));
353 return 1;
354 }
355
356 return 0;
357 }
358
359 static int
360 esp_descbc_ivlen(
361 __unused const struct esp_algorithm *algo,
362 struct secasvar *sav)
363 {
364
365 if (!sav)
366 return 8;
367 if ((sav->flags & SADB_X_EXT_OLD) && (sav->flags & SADB_X_EXT_IV4B))
368 return 4;
369 if (!(sav->flags & SADB_X_EXT_OLD) && (sav->flags & SADB_X_EXT_DERIV))
370 return 4;
371 return 8;
372 }
373
374 static int
375 esp_des_schedlen(
376 __unused const struct esp_algorithm *algo)
377 {
378 return sizeof(des_ecb_key_schedule);
379 }
380
381 static int
382 esp_des_schedule(
383 __unused const struct esp_algorithm *algo,
384 struct secasvar *sav)
385 {
386
387 lck_mtx_assert(sadb_mutex, LCK_MTX_ASSERT_OWNED);
388 if (des_ecb_key_sched((des_cblock *)_KEYBUF(sav->key_enc),
389 (des_ecb_key_schedule *)sav->sched))
390 return EINVAL;
391 else
392 return 0;
393 }
394
395 static int
396 esp_des_blockdecrypt(
397 __unused const struct esp_algorithm *algo,
398 struct secasvar *sav,
399 u_int8_t *s,
400 u_int8_t *d)
401 {
402 /* assumption: d has a good alignment */
403 bcopy(s, d, sizeof(DES_LONG) * 2);
404 des_ecb_encrypt((des_cblock *)d, (des_cblock *)d,
405 (des_ecb_key_schedule *)sav->sched, DES_DECRYPT);
406 return 0;
407 }
408
409 static int
410 esp_des_blockencrypt(
411 __unused const struct esp_algorithm *algo,
412 struct secasvar *sav,
413 u_int8_t *s,
414 u_int8_t *d)
415 {
416 /* assumption: d has a good alignment */
417 bcopy(s, d, sizeof(DES_LONG) * 2);
418 des_ecb_encrypt((des_cblock *)d, (des_cblock *)d,
419 (des_ecb_key_schedule *)sav->sched, DES_ENCRYPT);
420 return 0;
421 }
422
423 static int
424 esp_cbc_mature(struct secasvar *sav)
425 {
426 int keylen;
427 const struct esp_algorithm *algo;
428
429 if (sav->flags & SADB_X_EXT_OLD) {
430 ipseclog((LOG_ERR,
431 "esp_cbc_mature: algorithm incompatible with esp-old\n"));
432 return 1;
433 }
434 if (sav->flags & SADB_X_EXT_DERIV) {
435 ipseclog((LOG_ERR,
436 "esp_cbc_mature: algorithm incompatible with derived\n"));
437 return 1;
438 }
439
440 if (!sav->key_enc) {
441 ipseclog((LOG_ERR, "esp_cbc_mature: no key is given.\n"));
442 return 1;
443 }
444
445 algo = esp_algorithm_lookup(sav->alg_enc);
446 if (!algo) {
447 ipseclog((LOG_ERR,
448 "esp_cbc_mature: unsupported algorithm.\n"));
449 return 1;
450 }
451
452 keylen = sav->key_enc->sadb_key_bits;
453 if (keylen < algo->keymin || algo->keymax < keylen) {
454 ipseclog((LOG_ERR,
455 "esp_cbc_mature %s: invalid key length %d.\n",
456 algo->name, sav->key_enc->sadb_key_bits));
457 return 1;
458 }
459 switch (sav->alg_enc) {
460 case SADB_EALG_3DESCBC:
461 /* weak key check */
462 if (des_is_weak_key((des_cblock *)_KEYBUF(sav->key_enc)) ||
463 des_is_weak_key((des_cblock *)(_KEYBUF(sav->key_enc) + 8)) ||
464 des_is_weak_key((des_cblock *)(_KEYBUF(sav->key_enc) + 16))) {
465 ipseclog((LOG_ERR,
466 "esp_cbc_mature %s: weak key was passed.\n",
467 algo->name));
468 return 1;
469 }
470 break;
471 case SADB_X_EALG_RIJNDAELCBC:
472 /* allows specific key sizes only */
473 if (!(keylen == 128 || keylen == 192 || keylen == 256)) {
474 ipseclog((LOG_ERR,
475 "esp_cbc_mature %s: invalid key length %d.\n",
476 algo->name, keylen));
477 return 1;
478 }
479 break;
480 }
481
482 return 0;
483 }
484
485 static int
486 esp_gcm_mature(struct secasvar *sav)
487 {
488 int keylen;
489 const struct esp_algorithm *algo;
490
491 if (sav->flags & SADB_X_EXT_OLD) {
492 ipseclog((LOG_ERR,
493 "esp_gcm_mature: algorithm incompatible with esp-old\n"));
494 return 1;
495 }
496 if (sav->flags & SADB_X_EXT_DERIV) {
497 ipseclog((LOG_ERR,
498 "esp_gcm_mature: algorithm incompatible with derived\n"));
499 return 1;
500 }
501
502 if (!sav->key_enc) {
503 ipseclog((LOG_ERR, "esp_gcm_mature: no key is given.\n"));
504 return 1;
505 }
506
507 algo = esp_algorithm_lookup(sav->alg_enc);
508 if (!algo) {
509 ipseclog((LOG_ERR,
510 "esp_gcm_mature: unsupported algorithm.\n"));
511 return 1;
512 }
513
514 keylen = sav->key_enc->sadb_key_bits;
515 if (keylen < algo->keymin || algo->keymax < keylen) {
516 ipseclog((LOG_ERR,
517 "esp_gcm_mature %s: invalid key length %d.\n",
518 algo->name, sav->key_enc->sadb_key_bits));
519 return 1;
520 }
521 switch (sav->alg_enc) {
522 case SADB_X_EALG_AES_GCM:
523 /* allows specific key sizes only */
524 if (!(keylen == ESP_AESGCM_KEYLEN128 || keylen == ESP_AESGCM_KEYLEN192 || keylen == ESP_AESGCM_KEYLEN256)) {
525 ipseclog((LOG_ERR,
526 "esp_gcm_mature %s: invalid key length %d.\n",
527 algo->name, keylen));
528 return 1;
529 }
530 break;
531 default:
532 ipseclog((LOG_ERR,
533 "esp_gcm_mature %s: invalid algo %d.\n", sav->alg_enc));
534 return 1;
535 }
536
537 return 0;
538 }
539
540 static int
541 esp_3des_schedlen(
542 __unused const struct esp_algorithm *algo)
543 {
544
545 return sizeof(des3_ecb_key_schedule);
546 }
547
548 static int
549 esp_3des_schedule(
550 __unused const struct esp_algorithm *algo,
551 struct secasvar *sav)
552 {
553 lck_mtx_assert(sadb_mutex, LCK_MTX_ASSERT_OWNED);
554
555 if (des3_ecb_key_sched((des_cblock *)_KEYBUF(sav->key_enc),
556 (des3_ecb_key_schedule *)sav->sched))
557 return EINVAL;
558 else
559 return 0;
560 }
561
562 static int
563 esp_3des_blockdecrypt(
564 __unused const struct esp_algorithm *algo,
565 struct secasvar *sav,
566 u_int8_t *s,
567 u_int8_t *d)
568 {
569 /* assumption: d has a good alignment */
570 bcopy(s, d, sizeof(DES_LONG) * 2);
571 des3_ecb_encrypt((des_cblock *)d, (des_cblock *)d,
572 (des3_ecb_key_schedule *)sav->sched, DES_DECRYPT);
573 return 0;
574 }
575
576 static int
577 esp_3des_blockencrypt(
578 __unused const struct esp_algorithm *algo,
579 struct secasvar *sav,
580 u_int8_t *s,
581 u_int8_t *d)
582 {
583 /* assumption: d has a good alignment */
584 bcopy(s, d, sizeof(DES_LONG) * 2);
585 des3_ecb_encrypt((des_cblock *)d, (des_cblock *)d,
586 (des3_ecb_key_schedule *)sav->sched, DES_ENCRYPT);
587 return 0;
588 }
589
590 static int
591 esp_common_ivlen(
592 const struct esp_algorithm *algo,
593 __unused struct secasvar *sav)
594 {
595
596 if (!algo)
597 panic("esp_common_ivlen: unknown algorithm");
598 return algo->ivlenval;
599 }
600
601 static int
602 esp_cbc_decrypt(struct mbuf *m, size_t off, struct secasvar *sav,
603 const struct esp_algorithm *algo, int ivlen)
604 {
605 struct mbuf *s;
606 struct mbuf *d, *d0, *dp;
607 int soff, doff; /* offset from the head of chain, to head of this mbuf */
608 int sn, dn; /* offset from the head of the mbuf, to meat */
609 size_t ivoff, bodyoff;
610 u_int8_t iv[MAXIVLEN] __attribute__((aligned(4))), *ivp;
611 u_int8_t *sbuf = NULL, *sp, *sp_unaligned;
612 u_int8_t *p, *q;
613 struct mbuf *scut;
614 int scutoff;
615 int i, result = 0;
616 int blocklen;
617 int derived;
618
619 if (ivlen != sav->ivlen || ivlen > sizeof(iv)) {
620 ipseclog((LOG_ERR, "esp_cbc_decrypt %s: "
621 "unsupported ivlen %d\n", algo->name, ivlen));
622 m_freem(m);
623 return EINVAL;
624 }
625
626 /* assumes blocklen == padbound */
627 blocklen = algo->padbound;
628
629 #if DIAGNOSTIC
630 if (blocklen > sizeof(iv)) {
631 ipseclog((LOG_ERR, "esp_cbc_decrypt %s: "
632 "unsupported blocklen %d\n", algo->name, blocklen));
633 m_freem(m);
634 return EINVAL;
635 }
636 #endif
637
638 if (sav->flags & SADB_X_EXT_OLD) {
639 /* RFC 1827 */
640 ivoff = off + sizeof(struct esp);
641 bodyoff = off + sizeof(struct esp) + ivlen;
642 derived = 0;
643 } else {
644 /* RFC 2406 */
645 if (sav->flags & SADB_X_EXT_DERIV) {
646 /*
647 * draft-ietf-ipsec-ciph-des-derived-00.txt
648 * uses sequence number field as IV field.
649 */
650 ivoff = off + sizeof(struct esp);
651 bodyoff = off + sizeof(struct esp) + sizeof(u_int32_t);
652 ivlen = sizeof(u_int32_t);
653 derived = 1;
654 } else {
655 ivoff = off + sizeof(struct newesp);
656 bodyoff = off + sizeof(struct newesp) + ivlen;
657 derived = 0;
658 }
659 }
660
661 /* grab iv */
662 m_copydata(m, ivoff, ivlen, (caddr_t) iv);
663
664 /* extend iv */
665 if (ivlen == blocklen)
666 ;
667 else if (ivlen == 4 && blocklen == 8) {
668 bcopy(&iv[0], &iv[4], 4);
669 iv[4] ^= 0xff;
670 iv[5] ^= 0xff;
671 iv[6] ^= 0xff;
672 iv[7] ^= 0xff;
673 } else {
674 ipseclog((LOG_ERR, "esp_cbc_encrypt %s: "
675 "unsupported ivlen/blocklen: %d %d\n",
676 algo->name, ivlen, blocklen));
677 m_freem(m);
678 return EINVAL;
679 }
680
681 if (m->m_pkthdr.len < bodyoff) {
682 ipseclog((LOG_ERR, "esp_cbc_decrypt %s: bad len %d/%lu\n",
683 algo->name, m->m_pkthdr.len, (u_int32_t)bodyoff));
684 m_freem(m);
685 return EINVAL;
686 }
687 if ((m->m_pkthdr.len - bodyoff) % blocklen) {
688 ipseclog((LOG_ERR, "esp_cbc_decrypt %s: "
689 "payload length must be multiple of %d\n",
690 algo->name, blocklen));
691 m_freem(m);
692 return EINVAL;
693 }
694
695 s = m;
696 d = d0 = dp = NULL;
697 soff = doff = sn = dn = 0;
698 ivp = sp = NULL;
699
700 /* skip bodyoff */
701 while (soff < bodyoff) {
702 if (soff + s->m_len > bodyoff) {
703 sn = bodyoff - soff;
704 break;
705 }
706
707 soff += s->m_len;
708 s = s->m_next;
709 }
710 scut = s;
711 scutoff = sn;
712
713 /* skip over empty mbuf */
714 while (s && s->m_len == 0)
715 s = s->m_next;
716
717 // Allocate blocksized buffer for unaligned or non-contiguous access
718 sbuf = (u_int8_t *)_MALLOC(blocklen, M_SECA, M_DONTWAIT);
719 if (sbuf == NULL)
720 return ENOBUFS;
721 while (soff < m->m_pkthdr.len) {
722 /* source */
723 if (sn + blocklen <= s->m_len) {
724 /* body is continuous */
725 sp = mtod(s, u_int8_t *) + sn;
726 } else {
727 /* body is non-continuous */
728 m_copydata(s, sn, blocklen, (caddr_t) sbuf);
729 sp = sbuf;
730 }
731
732 /* destination */
733 if (!d || dn + blocklen > d->m_len) {
734 if (d)
735 dp = d;
736 MGET(d, M_DONTWAIT, MT_DATA);
737 i = m->m_pkthdr.len - (soff + sn);
738 if (d && i > MLEN) {
739 MCLGET(d, M_DONTWAIT);
740 if ((d->m_flags & M_EXT) == 0) {
741 m_free(d);
742 d = NULL;
743 }
744 }
745 if (!d) {
746 m_freem(m);
747 if (d0)
748 m_freem(d0);
749 result = ENOBUFS;
750 goto end;
751 }
752 if (!d0)
753 d0 = d;
754 if (dp)
755 dp->m_next = d;
756
757 // try to make mbuf data aligned
758 if (!IPSEC_IS_P2ALIGNED(d->m_data)) {
759 m_adj(d, IPSEC_GET_P2UNALIGNED_OFS(d->m_data));
760 }
761
762 d->m_len = 0;
763 d->m_len = (M_TRAILINGSPACE(d) / blocklen) * blocklen;
764 if (d->m_len > i)
765 d->m_len = i;
766 dn = 0;
767 }
768
769 /* decrypt */
770 // check input pointer alignment and use a separate aligned buffer (if sp is unaligned on 4-byte boundary).
771 if (IPSEC_IS_P2ALIGNED(sp)) {
772 sp_unaligned = NULL;
773 } else {
774 sp_unaligned = sp;
775 sp = sbuf;
776 memcpy(sp, sp_unaligned, blocklen);
777 }
778 // no need to check output pointer alignment
779 (*algo->blockdecrypt)(algo, sav, sp, mtod(d, u_int8_t *) + dn);
780
781 // update unaligned pointers
782 if (!IPSEC_IS_P2ALIGNED(sp_unaligned)) {
783 sp = sp_unaligned;
784 }
785
786 /* xor */
787 p = ivp ? ivp : iv;
788 q = mtod(d, u_int8_t *) + dn;
789 for (i = 0; i < blocklen; i++)
790 q[i] ^= p[i];
791
792 /* next iv */
793 if (sp == sbuf) {
794 bcopy(sbuf, iv, blocklen);
795 ivp = NULL;
796 } else
797 ivp = sp;
798
799 sn += blocklen;
800 dn += blocklen;
801
802 /* find the next source block */
803 while (s && sn >= s->m_len) {
804 sn -= s->m_len;
805 soff += s->m_len;
806 s = s->m_next;
807 }
808 }
809
810 m_freem(scut->m_next);
811 scut->m_len = scutoff;
812 scut->m_next = d0;
813
814 /* just in case */
815 bzero(iv, sizeof(iv));
816 bzero(sbuf, blocklen);
817 end:
818 if (sbuf != NULL)
819 FREE(sbuf, M_SECA);
820 return result;
821 }
822
823 static int
824 esp_cbc_encrypt(
825 struct mbuf *m,
826 size_t off,
827 __unused size_t plen,
828 struct secasvar *sav,
829 const struct esp_algorithm *algo,
830 int ivlen)
831 {
832 struct mbuf *s;
833 struct mbuf *d, *d0, *dp;
834 int soff, doff; /* offset from the head of chain, to head of this mbuf */
835 int sn, dn; /* offset from the head of the mbuf, to meat */
836 size_t ivoff, bodyoff;
837 u_int8_t iv[MAXIVLEN] __attribute__((aligned(4))), *ivp;
838 u_int8_t *sbuf = NULL, *sp, *sp_unaligned;
839 u_int8_t *p, *q;
840 struct mbuf *scut;
841 int scutoff;
842 int i, result = 0;
843 int blocklen;
844 int derived;
845
846 if (ivlen != sav->ivlen || ivlen > sizeof(iv)) {
847 ipseclog((LOG_ERR, "esp_cbc_encrypt %s: "
848 "unsupported ivlen %d\n", algo->name, ivlen));
849 m_freem(m);
850 return EINVAL;
851 }
852
853 /* assumes blocklen == padbound */
854 blocklen = algo->padbound;
855
856 #if DIAGNOSTIC
857 if (blocklen > sizeof(iv)) {
858 ipseclog((LOG_ERR, "esp_cbc_encrypt %s: "
859 "unsupported blocklen %d\n", algo->name, blocklen));
860 m_freem(m);
861 return EINVAL;
862 }
863 #endif
864
865 if (sav->flags & SADB_X_EXT_OLD) {
866 /* RFC 1827 */
867 ivoff = off + sizeof(struct esp);
868 bodyoff = off + sizeof(struct esp) + ivlen;
869 derived = 0;
870 } else {
871 /* RFC 2406 */
872 if (sav->flags & SADB_X_EXT_DERIV) {
873 /*
874 * draft-ietf-ipsec-ciph-des-derived-00.txt
875 * uses sequence number field as IV field.
876 */
877 ivoff = off + sizeof(struct esp);
878 bodyoff = off + sizeof(struct esp) + sizeof(u_int32_t);
879 ivlen = sizeof(u_int32_t);
880 derived = 1;
881 } else {
882 ivoff = off + sizeof(struct newesp);
883 bodyoff = off + sizeof(struct newesp) + ivlen;
884 derived = 0;
885 }
886 }
887
888 /* put iv into the packet. if we are in derived mode, use seqno. */
889 if (derived)
890 m_copydata(m, ivoff, ivlen, (caddr_t) iv);
891 else {
892 bcopy(sav->iv, iv, ivlen);
893 /* maybe it is better to overwrite dest, not source */
894 m_copyback(m, ivoff, ivlen, (caddr_t) iv);
895 }
896
897 /* extend iv */
898 if (ivlen == blocklen)
899 ;
900 else if (ivlen == 4 && blocklen == 8) {
901 bcopy(&iv[0], &iv[4], 4);
902 iv[4] ^= 0xff;
903 iv[5] ^= 0xff;
904 iv[6] ^= 0xff;
905 iv[7] ^= 0xff;
906 } else {
907 ipseclog((LOG_ERR, "esp_cbc_encrypt %s: "
908 "unsupported ivlen/blocklen: %d %d\n",
909 algo->name, ivlen, blocklen));
910 m_freem(m);
911 return EINVAL;
912 }
913
914 if (m->m_pkthdr.len < bodyoff) {
915 ipseclog((LOG_ERR, "esp_cbc_encrypt %s: bad len %d/%lu\n",
916 algo->name, m->m_pkthdr.len, (u_int32_t)bodyoff));
917 m_freem(m);
918 return EINVAL;
919 }
920 if ((m->m_pkthdr.len - bodyoff) % blocklen) {
921 ipseclog((LOG_ERR, "esp_cbc_encrypt %s: "
922 "payload length must be multiple of %lu\n",
923 algo->name, (u_int32_t)algo->padbound));
924 m_freem(m);
925 return EINVAL;
926 }
927
928 s = m;
929 d = d0 = dp = NULL;
930 soff = doff = sn = dn = 0;
931 ivp = sp = NULL;
932
933 /* skip bodyoff */
934 while (soff < bodyoff) {
935 if (soff + s->m_len > bodyoff) {
936 sn = bodyoff - soff;
937 break;
938 }
939
940 soff += s->m_len;
941 s = s->m_next;
942 }
943 scut = s;
944 scutoff = sn;
945
946 /* skip over empty mbuf */
947 while (s && s->m_len == 0)
948 s = s->m_next;
949
950 // Allocate blocksized buffer for unaligned or non-contiguous access
951 sbuf = (u_int8_t *)_MALLOC(blocklen, M_SECA, M_DONTWAIT);
952 if (sbuf == NULL)
953 return ENOBUFS;
954 while (soff < m->m_pkthdr.len) {
955 /* source */
956 if (sn + blocklen <= s->m_len) {
957 /* body is continuous */
958 sp = mtod(s, u_int8_t *) + sn;
959 } else {
960 /* body is non-continuous */
961 m_copydata(s, sn, blocklen, (caddr_t) sbuf);
962 sp = sbuf;
963 }
964
965 /* destination */
966 if (!d || dn + blocklen > d->m_len) {
967 if (d)
968 dp = d;
969 MGET(d, M_DONTWAIT, MT_DATA);
970 i = m->m_pkthdr.len - (soff + sn);
971 if (d && i > MLEN) {
972 MCLGET(d, M_DONTWAIT);
973 if ((d->m_flags & M_EXT) == 0) {
974 m_free(d);
975 d = NULL;
976 }
977 }
978 if (!d) {
979 m_freem(m);
980 if (d0)
981 m_freem(d0);
982 result = ENOBUFS;
983 goto end;
984 }
985 if (!d0)
986 d0 = d;
987 if (dp)
988 dp->m_next = d;
989
990 // try to make mbuf data aligned
991 if (!IPSEC_IS_P2ALIGNED(d->m_data)) {
992 m_adj(d, IPSEC_GET_P2UNALIGNED_OFS(d->m_data));
993 }
994
995 d->m_len = 0;
996 d->m_len = (M_TRAILINGSPACE(d) / blocklen) * blocklen;
997 if (d->m_len > i)
998 d->m_len = i;
999 dn = 0;
1000 }
1001
1002 /* xor */
1003 p = ivp ? ivp : iv;
1004 q = sp;
1005 for (i = 0; i < blocklen; i++)
1006 q[i] ^= p[i];
1007
1008 /* encrypt */
1009 // check input pointer alignment and use a separate aligned buffer (if sp is not aligned on 4-byte boundary).
1010 if (IPSEC_IS_P2ALIGNED(sp)) {
1011 sp_unaligned = NULL;
1012 } else {
1013 sp_unaligned = sp;
1014 sp = sbuf;
1015 memcpy(sp, sp_unaligned, blocklen);
1016 }
1017 // no need to check output pointer alignment
1018 (*algo->blockencrypt)(algo, sav, sp, mtod(d, u_int8_t *) + dn);
1019
1020 // update unaligned pointers
1021 if (!IPSEC_IS_P2ALIGNED(sp_unaligned)) {
1022 sp = sp_unaligned;
1023 }
1024
1025 /* next iv */
1026 ivp = mtod(d, u_int8_t *) + dn;
1027
1028 sn += blocklen;
1029 dn += blocklen;
1030
1031 /* find the next source block */
1032 while (s && sn >= s->m_len) {
1033 sn -= s->m_len;
1034 soff += s->m_len;
1035 s = s->m_next;
1036 }
1037 }
1038
1039 m_freem(scut->m_next);
1040 scut->m_len = scutoff;
1041 scut->m_next = d0;
1042
1043 /* just in case */
1044 bzero(iv, sizeof(iv));
1045 bzero(sbuf, blocklen);
1046
1047 key_sa_stir_iv(sav);
1048 end:
1049 if (sbuf != NULL)
1050 FREE(sbuf, M_SECA);
1051 return result;
1052 }
1053
1054 /*------------------------------------------------------------*/
1055
1056 /* does not free m0 on error */
1057 int
1058 esp_auth(
1059 struct mbuf *m0,
1060 size_t skip, /* offset to ESP header */
1061 size_t length, /* payload length */
1062 struct secasvar *sav,
1063 u_char *sum)
1064 {
1065 struct mbuf *m;
1066 size_t off;
1067 struct ah_algorithm_state s;
1068 u_char sumbuf[AH_MAXSUMSIZE] __attribute__((aligned(4)));
1069 const struct ah_algorithm *algo;
1070 size_t siz;
1071 int error;
1072
1073 /* sanity checks */
1074 if (m0->m_pkthdr.len < skip) {
1075 ipseclog((LOG_DEBUG, "esp_auth: mbuf length < skip\n"));
1076 return EINVAL;
1077 }
1078 if (m0->m_pkthdr.len < skip + length) {
1079 ipseclog((LOG_DEBUG,
1080 "esp_auth: mbuf length < skip + length\n"));
1081 return EINVAL;
1082 }
1083
1084 KERNEL_DEBUG(DBG_FNC_ESPAUTH | DBG_FUNC_START, skip,length,0,0,0);
1085 /*
1086 * length of esp part (excluding authentication data) must be 4n,
1087 * since nexthdr must be at offset 4n+3.
1088 */
1089 if (length % 4) {
1090 ipseclog((LOG_ERR, "esp_auth: length is not multiple of 4\n"));
1091 KERNEL_DEBUG(DBG_FNC_ESPAUTH | DBG_FUNC_END, 1,0,0,0,0);
1092 return EINVAL;
1093 }
1094 if (!sav) {
1095 ipseclog((LOG_DEBUG, "esp_auth: NULL SA passed\n"));
1096 KERNEL_DEBUG(DBG_FNC_ESPAUTH | DBG_FUNC_END, 2,0,0,0,0);
1097 return EINVAL;
1098 }
1099 algo = ah_algorithm_lookup(sav->alg_auth);
1100 if (!algo) {
1101 ipseclog((LOG_ERR,
1102 "esp_auth: bad ESP auth algorithm passed: %d\n",
1103 sav->alg_auth));
1104 KERNEL_DEBUG(DBG_FNC_ESPAUTH | DBG_FUNC_END, 3,0,0,0,0);
1105 return EINVAL;
1106 }
1107
1108 m = m0;
1109 off = 0;
1110
1111 siz = (((*algo->sumsiz)(sav) + 3) & ~(4 - 1));
1112 if (sizeof(sumbuf) < siz) {
1113 ipseclog((LOG_DEBUG,
1114 "esp_auth: AH_MAXSUMSIZE is too small: siz=%lu\n",
1115 (u_int32_t)siz));
1116 KERNEL_DEBUG(DBG_FNC_ESPAUTH | DBG_FUNC_END, 4,0,0,0,0);
1117 return EINVAL;
1118 }
1119
1120 /* skip the header */
1121 while (skip) {
1122 if (!m)
1123 panic("mbuf chain?");
1124 if (m->m_len <= skip) {
1125 skip -= m->m_len;
1126 m = m->m_next;
1127 off = 0;
1128 } else {
1129 off = skip;
1130 skip = 0;
1131 }
1132 }
1133
1134 error = (*algo->init)(&s, sav);
1135 if (error) {
1136 KERNEL_DEBUG(DBG_FNC_ESPAUTH | DBG_FUNC_END, 5,0,0,0,0);
1137 return error;
1138 }
1139 while (0 < length) {
1140 if (!m)
1141 panic("mbuf chain?");
1142
1143 if (m->m_len - off < length) {
1144 (*algo->update)(&s, (caddr_t)(mtod(m, u_char *) + off),
1145 m->m_len - off);
1146 length -= m->m_len - off;
1147 m = m->m_next;
1148 off = 0;
1149 } else {
1150 (*algo->update)(&s, (caddr_t)(mtod(m, u_char *) + off), length);
1151 break;
1152 }
1153 }
1154 (*algo->result)(&s, (caddr_t) sumbuf, sizeof(sumbuf));
1155 bcopy(sumbuf, sum, siz); /*XXX*/
1156 KERNEL_DEBUG(DBG_FNC_ESPAUTH | DBG_FUNC_END, 6,0,0,0,0);
1157 return 0;
1158 }
mirror of XNU