]> git.saurik.com Git - apple/xnu.git/blob - bsd/netinet6/esp_core.c
projects / apple / xnu.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
xnu-1228.12.14.tar.gz
[apple/xnu.git] / bsd / netinet6 / esp_core.c
1 /* $FreeBSD: src/sys/netinet6/esp_core.c,v 1.1.2.4 2002/03/26 10:12:29 ume Exp $ */
2 /* $KAME: esp_core.c,v 1.50 2000/11/02 12:27:38 itojun Exp $ */
3
4 /*
5 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
6 * All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 * 3. Neither the name of the project nor the names of its contributors
17 * may be used to endorse or promote products derived from this software
18 * without specific prior written permission.
19 *
20 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
21 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
24 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
30 * SUCH DAMAGE.
31 */
32
33 #define _IP_VHL
34
35 #include <sys/param.h>
36 #include <sys/systm.h>
37 #include <sys/malloc.h>
38 #include <sys/mbuf.h>
39 #include <sys/domain.h>
40 #include <sys/protosw.h>
41 #include <sys/socket.h>
42 #include <sys/errno.h>
43 #include <sys/time.h>
44 #include <sys/kernel.h>
45 #include <sys/syslog.h>
46
47 #include <kern/locks.h>
48
49 #include <net/if.h>
50 #include <net/route.h>
51
52 #include <netinet/in.h>
53 #include <netinet/in_var.h>
54 #if INET6
55 #include <netinet/ip6.h>
56 #include <netinet6/ip6_var.h>
57 #include <netinet/icmp6.h>
58 #endif
59
60 #include <netinet6/ipsec.h>
61 #if INET6
62 #include <netinet6/ipsec6.h>
63 #endif
64 #include <netinet6/ah.h>
65 #if INET6
66 #include <netinet6/ah6.h>
67 #endif
68 #include <netinet6/esp.h>
69 #if INET6
70 #include <netinet6/esp6.h>
71 #endif
72 #include <netinet6/esp_rijndael.h>
73 #include <net/pfkeyv2.h>
74 #include <netkey/keydb.h>
75 #include <netkey/key.h>
76 #include <crypto/des/des.h>
77 #include <crypto/blowfish/blowfish.h>
78 #include <crypto/cast128/cast128.h>
79
80 #include <net/net_osdep.h>
81
82 #include <sys/kdebug.h>
83 #define DBG_LAYER_BEG NETDBG_CODE(DBG_NETIPSEC, 1)
84 #define DBG_LAYER_END NETDBG_CODE(DBG_NETIPSEC, 3)
85 #define DBG_FNC_ESPAUTH NETDBG_CODE(DBG_NETIPSEC, (8 << 8))
86
87 extern lck_mtx_t *sadb_mutex;
88
89 static int esp_null_mature(struct secasvar *);
90 static int esp_null_decrypt(struct mbuf *, size_t,
91 struct secasvar *, const struct esp_algorithm *, int);
92 static int esp_null_encrypt(struct mbuf *, size_t, size_t,
93 struct secasvar *, const struct esp_algorithm *, int);
94 static int esp_descbc_mature(struct secasvar *);
95 static int esp_descbc_ivlen(const struct esp_algorithm *,
96 struct secasvar *);
97 static int esp_des_schedule(const struct esp_algorithm *,
98 struct secasvar *);
99 static int esp_des_schedlen(const struct esp_algorithm *);
100 static int esp_des_blockdecrypt(const struct esp_algorithm *,
101 struct secasvar *, u_int8_t *, u_int8_t *);
102 static int esp_des_blockencrypt(const struct esp_algorithm *,
103 struct secasvar *, u_int8_t *, u_int8_t *);
104 static int esp_cbc_mature(struct secasvar *);
105 #if ALLCRYPTO
106 static int esp_blowfish_schedule(const struct esp_algorithm *,
107 struct secasvar *);
108 static int esp_blowfish_schedlen(const struct esp_algorithm *);
109 static int esp_blowfish_blockdecrypt(const struct esp_algorithm *,
110 struct secasvar *, u_int8_t *, u_int8_t *);
111 static int esp_blowfish_blockencrypt(const struct esp_algorithm *,
112 struct secasvar *, u_int8_t *, u_int8_t *);
113 static int esp_cast128_schedule(const struct esp_algorithm *,
114 struct secasvar *);
115 static int esp_cast128_schedlen(const struct esp_algorithm *);
116 static int esp_cast128_blockdecrypt(const struct esp_algorithm *,
117 struct secasvar *, u_int8_t *, u_int8_t *);
118 static int esp_cast128_blockencrypt(const struct esp_algorithm *,
119 struct secasvar *, u_int8_t *, u_int8_t *);
120 #endif /* ALLCRYPTO */
121 static int esp_3des_schedule(const struct esp_algorithm *,
122 struct secasvar *);
123 static int esp_3des_schedlen(const struct esp_algorithm *);
124 static int esp_3des_blockdecrypt(const struct esp_algorithm *,
125 struct secasvar *, u_int8_t *, u_int8_t *);
126 static int esp_3des_blockencrypt(const struct esp_algorithm *,
127 struct secasvar *, u_int8_t *, u_int8_t *);
128 static int esp_common_ivlen(const struct esp_algorithm *,
129 struct secasvar *);
130 static int esp_cbc_decrypt(struct mbuf *, size_t,
131 struct secasvar *, const struct esp_algorithm *, int);
132 static int esp_cbc_encrypt(struct mbuf *, size_t, size_t,
133 struct secasvar *, const struct esp_algorithm *, int);
134
135 #define MAXIVLEN 16
136
137 static const struct esp_algorithm des_cbc =
138 { 8, -1, esp_descbc_mature, 64, 64, esp_des_schedlen,
139 "des-cbc",
140 esp_descbc_ivlen, esp_cbc_decrypt,
141 esp_cbc_encrypt, esp_des_schedule,
142 esp_des_blockdecrypt, esp_des_blockencrypt, };
143 static const struct esp_algorithm des3_cbc =
144 { 8, 8, esp_cbc_mature, 192, 192, esp_3des_schedlen,
145 "3des-cbc",
146 esp_common_ivlen, esp_cbc_decrypt,
147 esp_cbc_encrypt, esp_3des_schedule,
148 esp_3des_blockdecrypt, esp_3des_blockencrypt, };
149 static const struct esp_algorithm null_esp =
150 { 1, 0, esp_null_mature, 0, 2048, 0, "null",
151 esp_common_ivlen, esp_null_decrypt,
152 esp_null_encrypt, NULL, NULL, NULL };
153 #if ALLCRYPTO
154 static const struct esp_algorithm blowfish_cbc =
155 { 8, 8, esp_cbc_mature, 40, 448, esp_blowfish_schedlen, "blowfish-cbc",
156 esp_common_ivlen, esp_cbc_decrypt,
157 esp_cbc_encrypt, esp_blowfish_schedule,
158 esp_blowfish_blockdecrypt, esp_blowfish_blockencrypt, };
159 static const struct esp_algorithm cast128_cbc =
160 { 8, 8, esp_cbc_mature, 40, 128, esp_cast128_schedlen,
161 "cast128-cbc",
162 esp_common_ivlen, esp_cbc_decrypt,
163 esp_cbc_encrypt, esp_cast128_schedule,
164 esp_cast128_blockdecrypt, esp_cast128_blockencrypt, };
165 #endif /* ALLCRYPTO */
166 static const struct esp_algorithm aes_cbc =
167 { 16, 16, esp_cbc_mature, 128, 256, esp_aes_schedlen,
168 "aes-cbc",
169 esp_common_ivlen, esp_cbc_decrypt_aes,
170 esp_cbc_encrypt_aes, esp_aes_schedule,
171 0, 0 };
172
173 static const struct esp_algorithm *esp_algorithms[] = {
174 &des_cbc,
175 &des3_cbc,
176 &null_esp,
177 #if ALLCRYPTO
178 &blowfish_cbc,
179 &cast128_cbc,
180 #endif /* ALLCRYPTO */
181 &aes_cbc
182 };
183
184 const struct esp_algorithm *
185 esp_algorithm_lookup(idx)
186 int idx;
187 {
188
189 switch (idx) {
190 case SADB_EALG_DESCBC:
191 return &des_cbc;
192 case SADB_EALG_3DESCBC:
193 return &des3_cbc;
194 case SADB_EALG_NULL:
195 return &null_esp;
196 #if ALLCRYPTO
197 case SADB_X_EALG_BLOWFISHCBC:
198 return &blowfish_cbc;
199 case SADB_X_EALG_CAST128CBC:
200 return &cast128_cbc;
201 #endif /* ALLCRYPTO */
202 case SADB_X_EALG_RIJNDAELCBC:
203 return &aes_cbc;
204 default:
205 return NULL;
206 }
207 }
208
209 int
210 esp_max_ivlen()
211 {
212 int idx;
213 int ivlen;
214
215 ivlen = 0;
216 for (idx = 0; idx < sizeof(esp_algorithms)/sizeof(esp_algorithms[0]);
217 idx++) {
218 if (esp_algorithms[idx]->ivlenval > ivlen)
219 ivlen = esp_algorithms[idx]->ivlenval;
220 }
221
222 return ivlen;
223 }
224
225 int
226 esp_schedule(algo, sav)
227 const struct esp_algorithm *algo;
228 struct secasvar *sav;
229 {
230 int error;
231
232 /* check for key length */
233 if (_KEYBITS(sav->key_enc) < algo->keymin ||
234 _KEYBITS(sav->key_enc) > algo->keymax) {
235 ipseclog((LOG_ERR,
236 "esp_schedule %s: unsupported key length %d: "
237 "needs %d to %d bits\n", algo->name, _KEYBITS(sav->key_enc),
238 algo->keymin, algo->keymax));
239 return EINVAL;
240 }
241
242 lck_mtx_lock(sadb_mutex);
243 /* already allocated */
244 if (sav->sched && sav->schedlen != 0) {
245 lck_mtx_unlock(sadb_mutex);
246 return 0;
247 }
248 /* no schedule necessary */
249 if (!algo->schedule || !algo->schedlen) {
250 lck_mtx_unlock(sadb_mutex);
251 return 0;
252 }
253
254 sav->schedlen = (*algo->schedlen)(algo);
255 if (sav->schedlen < 0) {
256 lck_mtx_unlock(sadb_mutex);
257 return EINVAL;
258 }
259
260 //#### that malloc should be replaced by a saved buffer...
261 sav->sched = _MALLOC(sav->schedlen, M_SECA, M_DONTWAIT);
262 if (!sav->sched) {
263 sav->schedlen = 0;
264 lck_mtx_unlock(sadb_mutex);
265 return ENOBUFS;
266 }
267
268 error = (*algo->schedule)(algo, sav);
269 if (error) {
270 ipseclog((LOG_ERR, "esp_schedule %s: error %d\n",
271 algo->name, error));
272 bzero(sav->sched, sav->schedlen);
273 FREE(sav->sched, M_SECA);
274 sav->sched = NULL;
275 sav->schedlen = 0;
276 }
277 lck_mtx_unlock(sadb_mutex);
278 return error;
279 }
280
281 static int
282 esp_null_mature(
283 __unused struct secasvar *sav)
284 {
285
286 /* anything is okay */
287 return 0;
288 }
289
290 static int
291 esp_null_decrypt(
292 __unused struct mbuf *m,
293 __unused size_t off, /* offset to ESP header */
294 __unused struct secasvar *sav,
295 __unused const struct esp_algorithm *algo,
296 __unused int ivlen)
297 {
298
299 return 0; /* do nothing */
300 }
301
302 static int
303 esp_null_encrypt(
304 __unused struct mbuf *m,
305 __unused size_t off, /* offset to ESP header */
306 __unused size_t plen, /* payload length (to be encrypted) */
307 __unused struct secasvar *sav,
308 __unused const struct esp_algorithm *algo,
309 __unused int ivlen)
310 {
311
312 return 0; /* do nothing */
313 }
314
315 static int
316 esp_descbc_mature(sav)
317 struct secasvar *sav;
318 {
319 const struct esp_algorithm *algo;
320
321 if (!(sav->flags & SADB_X_EXT_OLD) && (sav->flags & SADB_X_EXT_IV4B)) {
322 ipseclog((LOG_ERR, "esp_cbc_mature: "
323 "algorithm incompatible with 4 octets IV length\n"));
324 return 1;
325 }
326
327 if (!sav->key_enc) {
328 ipseclog((LOG_ERR, "esp_descbc_mature: no key is given.\n"));
329 return 1;
330 }
331
332 algo = esp_algorithm_lookup(sav->alg_enc);
333 if (!algo) {
334 ipseclog((LOG_ERR,
335 "esp_descbc_mature: unsupported algorithm.\n"));
336 return 1;
337 }
338
339 if (_KEYBITS(sav->key_enc) < algo->keymin ||
340 _KEYBITS(sav->key_enc) > algo->keymax) {
341 ipseclog((LOG_ERR,
342 "esp_descbc_mature: invalid key length %d.\n",
343 _KEYBITS(sav->key_enc)));
344 return 1;
345 }
346
347 /* weak key check */
348 if (des_is_weak_key((des_cblock *)_KEYBUF(sav->key_enc))) {
349 ipseclog((LOG_ERR,
350 "esp_descbc_mature: weak key was passed.\n"));
351 return 1;
352 }
353
354 return 0;
355 }
356
357 static int
358 esp_descbc_ivlen(
359 __unused const struct esp_algorithm *algo,
360 struct secasvar *sav)
361 {
362
363 if (!sav)
364 return 8;
365 if ((sav->flags & SADB_X_EXT_OLD) && (sav->flags & SADB_X_EXT_IV4B))
366 return 4;
367 if (!(sav->flags & SADB_X_EXT_OLD) && (sav->flags & SADB_X_EXT_DERIV))
368 return 4;
369 return 8;
370 }
371
372 static int
373 esp_des_schedlen(
374 __unused const struct esp_algorithm *algo)
375 {
376
377 return sizeof(des_key_schedule);
378 }
379
380 static int
381 esp_des_schedule(
382 __unused const struct esp_algorithm *algo,
383 struct secasvar *sav)
384 {
385
386 lck_mtx_assert(sadb_mutex, LCK_MTX_ASSERT_OWNED);
387 if (des_key_sched((des_cblock *)_KEYBUF(sav->key_enc),
388 *(des_key_schedule *)sav->sched))
389 return EINVAL;
390 else
391 return 0;
392 }
393
394 static int
395 esp_des_blockdecrypt(
396 __unused const struct esp_algorithm *algo,
397 struct secasvar *sav,
398 u_int8_t *s,
399 u_int8_t *d)
400 {
401
402 /* assumption: d has a good alignment */
403 bcopy(s, d, sizeof(DES_LONG) * 2);
404 des_ecb_encrypt((des_cblock *)d, (des_cblock *)d,
405 *(des_key_schedule *)sav->sched, DES_DECRYPT);
406 return 0;
407 }
408
409 static int
410 esp_des_blockencrypt(
411 __unused const struct esp_algorithm *algo,
412 struct secasvar *sav,
413 u_int8_t *s,
414 u_int8_t *d)
415 {
416
417 /* assumption: d has a good alignment */
418 bcopy(s, d, sizeof(DES_LONG) * 2);
419 des_ecb_encrypt((des_cblock *)d, (des_cblock *)d,
420 *(des_key_schedule *)sav->sched, DES_ENCRYPT);
421 return 0;
422 }
423
424 static int
425 esp_cbc_mature(sav)
426 struct secasvar *sav;
427 {
428 int keylen;
429 const struct esp_algorithm *algo;
430
431 if (sav->flags & SADB_X_EXT_OLD) {
432 ipseclog((LOG_ERR,
433 "esp_cbc_mature: algorithm incompatible with esp-old\n"));
434 return 1;
435 }
436 if (sav->flags & SADB_X_EXT_DERIV) {
437 ipseclog((LOG_ERR,
438 "esp_cbc_mature: algorithm incompatible with derived\n"));
439 return 1;
440 }
441
442 if (!sav->key_enc) {
443 ipseclog((LOG_ERR, "esp_cbc_mature: no key is given.\n"));
444 return 1;
445 }
446
447 algo = esp_algorithm_lookup(sav->alg_enc);
448 if (!algo) {
449 ipseclog((LOG_ERR,
450 "esp_cbc_mature %s: unsupported algorithm.\n", algo->name));
451 return 1;
452 }
453
454 keylen = sav->key_enc->sadb_key_bits;
455 if (keylen < algo->keymin || algo->keymax < keylen) {
456 ipseclog((LOG_ERR,
457 "esp_cbc_mature %s: invalid key length %d.\n",
458 algo->name, sav->key_enc->sadb_key_bits));
459 return 1;
460 }
461 switch (sav->alg_enc) {
462 case SADB_EALG_3DESCBC:
463 /* weak key check */
464 if (des_is_weak_key((des_cblock *)_KEYBUF(sav->key_enc)) ||
465 des_is_weak_key((des_cblock *)(_KEYBUF(sav->key_enc) + 8)) ||
466 des_is_weak_key((des_cblock *)(_KEYBUF(sav->key_enc) + 16))) {
467 ipseclog((LOG_ERR,
468 "esp_cbc_mature %s: weak key was passed.\n",
469 algo->name));
470 return 1;
471 }
472 break;
473 case SADB_X_EALG_BLOWFISHCBC:
474 case SADB_X_EALG_CAST128CBC:
475 break;
476 case SADB_X_EALG_RIJNDAELCBC:
477 /* allows specific key sizes only */
478 if (!(keylen == 128 || keylen == 192 || keylen == 256)) {
479 ipseclog((LOG_ERR,
480 "esp_cbc_mature %s: invalid key length %d.\n",
481 algo->name, keylen));
482 return 1;
483 }
484 break;
485 }
486
487 return 0;
488 }
489
490 #if ALLCRYPTO
491 static int
492 esp_blowfish_schedlen(
493 __unused const struct esp_algorithm *algo)
494 {
495
496 return sizeof(BF_KEY);
497 }
498
499 static int
500 esp_blowfish_schedule(
501 __unused const struct esp_algorithm *algo,
502 struct secasvar *sav)
503 {
504
505 lck_mtx_assert(sadb_mutex, LCK_MTX_ASSERT_OWNED);
506 BF_set_key((BF_KEY *)sav->sched, _KEYLEN(sav->key_enc),
507 _KEYBUF(sav->key_enc));
508 return 0;
509 }
510
511 static int
512 esp_blowfish_blockdecrypt(
513 __unused const struct esp_algorithm *algo,
514 struct secasvar *sav,
515 u_int8_t *s,
516 u_int8_t *d)
517 {
518 /* HOLY COW! BF_decrypt() takes values in host byteorder */
519 BF_LONG t[2];
520
521 bcopy(s, t, sizeof(t));
522 t[0] = ntohl(t[0]);
523 t[1] = ntohl(t[1]);
524 BF_decrypt(t, (BF_KEY *)sav->sched);
525 t[0] = htonl(t[0]);
526 t[1] = htonl(t[1]);
527 bcopy(t, d, sizeof(t));
528 return 0;
529 }
530
531 static int
532 esp_blowfish_blockencrypt(
533 __unused const struct esp_algorithm *algo,
534 struct secasvar *sav,
535 u_int8_t *s,
536 u_int8_t *d)
537 {
538 /* HOLY COW! BF_encrypt() takes values in host byteorder */
539 BF_LONG t[2];
540
541 bcopy(s, t, sizeof(t));
542 t[0] = ntohl(t[0]);
543 t[1] = ntohl(t[1]);
544 BF_encrypt(t, (BF_KEY *)sav->sched);
545 t[0] = htonl(t[0]);
546 t[1] = htonl(t[1]);
547 bcopy(t, d, sizeof(t));
548 return 0;
549 }
550
551 static int
552 esp_cast128_schedlen(
553 __unused const struct esp_algorithm *algo)
554 {
555
556 return sizeof(u_int32_t) * 32;
557 }
558
559 static int
560 esp_cast128_schedule(
561 __unused const struct esp_algorithm *algo,
562 struct secasvar *sav)
563 {
564 lck_mtx_assert(sadb_mutex, LCK_MTX_ASSERT_OWNED);
565 set_cast128_subkey((u_int32_t *)sav->sched, _KEYBUF(sav->key_enc),
566 _KEYLEN(sav->key_enc));
567 return 0;
568 }
569
570 static int
571 esp_cast128_blockdecrypt(
572 __unused const struct esp_algorithm *algo,
573 struct secasvar *sav,
574 u_int8_t *s,
575 u_int8_t *d)
576 {
577
578 if (_KEYLEN(sav->key_enc) <= 80 / 8)
579 cast128_decrypt_round12(d, s, (u_int32_t *)sav->sched);
580 else
581 cast128_decrypt_round16(d, s, (u_int32_t *)sav->sched);
582 return 0;
583 }
584
585 static int
586 esp_cast128_blockencrypt(
587 __unused const struct esp_algorithm *algo,
588 struct secasvar *sav,
589 u_int8_t *s,
590 u_int8_t *d)
591 {
592
593 if (_KEYLEN(sav->key_enc) <= 80 / 8)
594 cast128_encrypt_round12(d, s, (u_int32_t *)sav->sched);
595 else
596 cast128_encrypt_round16(d, s, (u_int32_t *)sav->sched);
597 return 0;
598 }
599 #endif /* ALLCRYPTO */
600
601 static int
602 esp_3des_schedlen(
603 __unused const struct esp_algorithm *algo)
604 {
605
606 return sizeof(des_key_schedule) * 3;
607 }
608
609 static int
610 esp_3des_schedule(
611 __unused const struct esp_algorithm *algo,
612 struct secasvar *sav)
613 {
614 int error;
615 des_key_schedule *p;
616 int i;
617 char *k;
618
619 lck_mtx_assert(sadb_mutex, LCK_MTX_ASSERT_OWNED);
620 p = (des_key_schedule *)sav->sched;
621 k = _KEYBUF(sav->key_enc);
622 for (i = 0; i < 3; i++) {
623 error = des_key_sched((des_cblock *)(k + 8 * i), p[i]);
624 if (error)
625 return EINVAL;
626 }
627 return 0;
628 }
629
630 static int
631 esp_3des_blockdecrypt(
632 __unused const struct esp_algorithm *algo,
633 struct secasvar *sav,
634 u_int8_t *s,
635 u_int8_t *d)
636 {
637 des_key_schedule *p;
638
639 /* assumption: d has a good alignment */
640 p = (des_key_schedule *)sav->sched;
641 bcopy(s, d, sizeof(DES_LONG) * 2);
642 des_ecb3_encrypt((des_cblock *)d, (des_cblock *)d,
643 p[0], p[1], p[2], DES_DECRYPT);
644 return 0;
645 }
646
647 static int
648 esp_3des_blockencrypt(
649 __unused const struct esp_algorithm *algo,
650 struct secasvar *sav,
651 u_int8_t *s,
652 u_int8_t *d)
653 {
654 des_key_schedule *p;
655
656 /* assumption: d has a good alignment */
657 p = (des_key_schedule *)sav->sched;
658 bcopy(s, d, sizeof(DES_LONG) * 2);
659 des_ecb3_encrypt((des_cblock *)d, (des_cblock *)d,
660 p[0], p[1], p[2], DES_ENCRYPT);
661 return 0;
662 }
663
664 static int
665 esp_common_ivlen(
666 const struct esp_algorithm *algo,
667 __unused struct secasvar *sav)
668 {
669
670 if (!algo)
671 panic("esp_common_ivlen: unknown algorithm");
672 return algo->ivlenval;
673 }
674
675 static int
676 esp_cbc_decrypt(m, off, sav, algo, ivlen)
677 struct mbuf *m;
678 size_t off;
679 struct secasvar *sav;
680 const struct esp_algorithm *algo;
681 int ivlen;
682 {
683 struct mbuf *s;
684 struct mbuf *d, *d0, *dp;
685 int soff, doff; /* offset from the head of chain, to head of this mbuf */
686 int sn, dn; /* offset from the head of the mbuf, to meat */
687 size_t ivoff, bodyoff;
688 u_int8_t iv[MAXIVLEN], *ivp;
689 u_int8_t sbuf[MAXIVLEN], *sp;
690 u_int8_t *p, *q;
691 struct mbuf *scut;
692 int scutoff;
693 int i;
694 int blocklen;
695 int derived;
696
697 if (ivlen != sav->ivlen || ivlen > sizeof(iv)) {
698 ipseclog((LOG_ERR, "esp_cbc_decrypt %s: "
699 "unsupported ivlen %d\n", algo->name, ivlen));
700 m_freem(m);
701 return EINVAL;
702 }
703
704 /* assumes blocklen == padbound */
705 blocklen = algo->padbound;
706
707 #if DIAGNOSTIC
708 if (blocklen > sizeof(iv)) {
709 ipseclog((LOG_ERR, "esp_cbc_decrypt %s: "
710 "unsupported blocklen %d\n", algo->name, blocklen));
711 m_freem(m);
712 return EINVAL;
713 }
714 #endif
715
716 if (sav->flags & SADB_X_EXT_OLD) {
717 /* RFC 1827 */
718 ivoff = off + sizeof(struct esp);
719 bodyoff = off + sizeof(struct esp) + ivlen;
720 derived = 0;
721 } else {
722 /* RFC 2406 */
723 if (sav->flags & SADB_X_EXT_DERIV) {
724 /*
725 * draft-ietf-ipsec-ciph-des-derived-00.txt
726 * uses sequence number field as IV field.
727 */
728 ivoff = off + sizeof(struct esp);
729 bodyoff = off + sizeof(struct esp) + sizeof(u_int32_t);
730 ivlen = sizeof(u_int32_t);
731 derived = 1;
732 } else {
733 ivoff = off + sizeof(struct newesp);
734 bodyoff = off + sizeof(struct newesp) + ivlen;
735 derived = 0;
736 }
737 }
738
739 /* grab iv */
740 m_copydata(m, ivoff, ivlen, iv);
741
742 /* extend iv */
743 if (ivlen == blocklen)
744 ;
745 else if (ivlen == 4 && blocklen == 8) {
746 bcopy(&iv[0], &iv[4], 4);
747 iv[4] ^= 0xff;
748 iv[5] ^= 0xff;
749 iv[6] ^= 0xff;
750 iv[7] ^= 0xff;
751 } else {
752 ipseclog((LOG_ERR, "esp_cbc_encrypt %s: "
753 "unsupported ivlen/blocklen: %d %d\n",
754 algo->name, ivlen, blocklen));
755 m_freem(m);
756 return EINVAL;
757 }
758
759 if (m->m_pkthdr.len < bodyoff) {
760 ipseclog((LOG_ERR, "esp_cbc_decrypt %s: bad len %d/%lu\n",
761 algo->name, m->m_pkthdr.len, (unsigned long)bodyoff));
762 m_freem(m);
763 return EINVAL;
764 }
765 if ((m->m_pkthdr.len - bodyoff) % blocklen) {
766 ipseclog((LOG_ERR, "esp_cbc_decrypt %s: "
767 "payload length must be multiple of %d\n",
768 algo->name, blocklen));
769 m_freem(m);
770 return EINVAL;
771 }
772
773 s = m;
774 d = d0 = dp = NULL;
775 soff = doff = sn = dn = 0;
776 ivp = sp = NULL;
777
778 /* skip bodyoff */
779 while (soff < bodyoff) {
780 if (soff + s->m_len > bodyoff) {
781 sn = bodyoff - soff;
782 break;
783 }
784
785 soff += s->m_len;
786 s = s->m_next;
787 }
788 scut = s;
789 scutoff = sn;
790
791 /* skip over empty mbuf */
792 while (s && s->m_len == 0)
793 s = s->m_next;
794
795 while (soff < m->m_pkthdr.len) {
796 /* source */
797 if (sn + blocklen <= s->m_len) {
798 /* body is continuous */
799 sp = mtod(s, u_int8_t *) + sn;
800 } else {
801 /* body is non-continuous */
802 m_copydata(s, sn, blocklen, sbuf);
803 sp = sbuf;
804 }
805
806 /* destination */
807 if (!d || dn + blocklen > d->m_len) {
808 if (d)
809 dp = d;
810 MGET(d, M_DONTWAIT, MT_DATA);
811 i = m->m_pkthdr.len - (soff + sn);
812 if (d && i > MLEN) {
813 MCLGET(d, M_DONTWAIT);
814 if ((d->m_flags & M_EXT) == 0) {
815 m_free(d);
816 d = NULL;
817 }
818 }
819 if (!d) {
820 m_freem(m);
821 if (d0)
822 m_freem(d0);
823 return ENOBUFS;
824 }
825 if (!d0)
826 d0 = d;
827 if (dp)
828 dp->m_next = d;
829 d->m_len = 0;
830 d->m_len = (M_TRAILINGSPACE(d) / blocklen) * blocklen;
831 if (d->m_len > i)
832 d->m_len = i;
833 dn = 0;
834 }
835
836 /* decrypt */
837 (*algo->blockdecrypt)(algo, sav, sp, mtod(d, u_int8_t *) + dn);
838
839 /* xor */
840 p = ivp ? ivp : iv;
841 q = mtod(d, u_int8_t *) + dn;
842 for (i = 0; i < blocklen; i++)
843 q[i] ^= p[i];
844
845 /* next iv */
846 if (sp == sbuf) {
847 bcopy(sbuf, iv, blocklen);
848 ivp = NULL;
849 } else
850 ivp = sp;
851
852 sn += blocklen;
853 dn += blocklen;
854
855 /* find the next source block */
856 while (s && sn >= s->m_len) {
857 sn -= s->m_len;
858 soff += s->m_len;
859 s = s->m_next;
860 }
861 }
862
863 m_freem(scut->m_next);
864 scut->m_len = scutoff;
865 scut->m_next = d0;
866
867 /* just in case */
868 bzero(iv, sizeof(iv));
869 bzero(sbuf, sizeof(sbuf));
870
871 return 0;
872 }
873
874 static int
875 esp_cbc_encrypt(
876 struct mbuf *m,
877 size_t off,
878 __unused size_t plen,
879 struct secasvar *sav,
880 const struct esp_algorithm *algo,
881 int ivlen)
882 {
883 struct mbuf *s;
884 struct mbuf *d, *d0, *dp;
885 int soff, doff; /* offset from the head of chain, to head of this mbuf */
886 int sn, dn; /* offset from the head of the mbuf, to meat */
887 size_t ivoff, bodyoff;
888 u_int8_t iv[MAXIVLEN], *ivp;
889 u_int8_t sbuf[MAXIVLEN], *sp;
890 u_int8_t *p, *q;
891 struct mbuf *scut;
892 int scutoff;
893 int i;
894 int blocklen;
895 int derived;
896
897 if (ivlen != sav->ivlen || ivlen > sizeof(iv)) {
898 ipseclog((LOG_ERR, "esp_cbc_encrypt %s: "
899 "unsupported ivlen %d\n", algo->name, ivlen));
900 m_freem(m);
901 return EINVAL;
902 }
903
904 /* assumes blocklen == padbound */
905 blocklen = algo->padbound;
906
907 #if DIAGNOSTIC
908 if (blocklen > sizeof(iv)) {
909 ipseclog((LOG_ERR, "esp_cbc_encrypt %s: "
910 "unsupported blocklen %d\n", algo->name, blocklen));
911 m_freem(m);
912 return EINVAL;
913 }
914 #endif
915
916 if (sav->flags & SADB_X_EXT_OLD) {
917 /* RFC 1827 */
918 ivoff = off + sizeof(struct esp);
919 bodyoff = off + sizeof(struct esp) + ivlen;
920 derived = 0;
921 } else {
922 /* RFC 2406 */
923 if (sav->flags & SADB_X_EXT_DERIV) {
924 /*
925 * draft-ietf-ipsec-ciph-des-derived-00.txt
926 * uses sequence number field as IV field.
927 */
928 ivoff = off + sizeof(struct esp);
929 bodyoff = off + sizeof(struct esp) + sizeof(u_int32_t);
930 ivlen = sizeof(u_int32_t);
931 derived = 1;
932 } else {
933 ivoff = off + sizeof(struct newesp);
934 bodyoff = off + sizeof(struct newesp) + ivlen;
935 derived = 0;
936 }
937 }
938
939 /* put iv into the packet. if we are in derived mode, use seqno. */
940 if (derived)
941 m_copydata(m, ivoff, ivlen, iv);
942 else {
943 bcopy(sav->iv, iv, ivlen);
944 /* maybe it is better to overwrite dest, not source */
945 m_copyback(m, ivoff, ivlen, iv);
946 }
947
948 /* extend iv */
949 if (ivlen == blocklen)
950 ;
951 else if (ivlen == 4 && blocklen == 8) {
952 bcopy(&iv[0], &iv[4], 4);
953 iv[4] ^= 0xff;
954 iv[5] ^= 0xff;
955 iv[6] ^= 0xff;
956 iv[7] ^= 0xff;
957 } else {
958 ipseclog((LOG_ERR, "esp_cbc_encrypt %s: "
959 "unsupported ivlen/blocklen: %d %d\n",
960 algo->name, ivlen, blocklen));
961 m_freem(m);
962 return EINVAL;
963 }
964
965 if (m->m_pkthdr.len < bodyoff) {
966 ipseclog((LOG_ERR, "esp_cbc_encrypt %s: bad len %d/%lu\n",
967 algo->name, m->m_pkthdr.len, (unsigned long)bodyoff));
968 m_freem(m);
969 return EINVAL;
970 }
971 if ((m->m_pkthdr.len - bodyoff) % blocklen) {
972 ipseclog((LOG_ERR, "esp_cbc_encrypt %s: "
973 "payload length must be multiple of %lu\n",
974 algo->name, (unsigned long)algo->padbound));
975 m_freem(m);
976 return EINVAL;
977 }
978
979 s = m;
980 d = d0 = dp = NULL;
981 soff = doff = sn = dn = 0;
982 ivp = sp = NULL;
983
984 /* skip bodyoff */
985 while (soff < bodyoff) {
986 if (soff + s->m_len > bodyoff) {
987 sn = bodyoff - soff;
988 break;
989 }
990
991 soff += s->m_len;
992 s = s->m_next;
993 }
994 scut = s;
995 scutoff = sn;
996
997 /* skip over empty mbuf */
998 while (s && s->m_len == 0)
999 s = s->m_next;
1000
1001 while (soff < m->m_pkthdr.len) {
1002 /* source */
1003 if (sn + blocklen <= s->m_len) {
1004 /* body is continuous */
1005 sp = mtod(s, u_int8_t *) + sn;
1006 } else {
1007 /* body is non-continuous */
1008 m_copydata(s, sn, blocklen, sbuf);
1009 sp = sbuf;
1010 }
1011
1012 /* destination */
1013 if (!d || dn + blocklen > d->m_len) {
1014 if (d)
1015 dp = d;
1016 MGET(d, M_DONTWAIT, MT_DATA);
1017 i = m->m_pkthdr.len - (soff + sn);
1018 if (d && i > MLEN) {
1019 MCLGET(d, M_DONTWAIT);
1020 if ((d->m_flags & M_EXT) == 0) {
1021 m_free(d);
1022 d = NULL;
1023 }
1024 }
1025 if (!d) {
1026 m_freem(m);
1027 if (d0)
1028 m_freem(d0);
1029 return ENOBUFS;
1030 }
1031 if (!d0)
1032 d0 = d;
1033 if (dp)
1034 dp->m_next = d;
1035 d->m_len = 0;
1036 d->m_len = (M_TRAILINGSPACE(d) / blocklen) * blocklen;
1037 if (d->m_len > i)
1038 d->m_len = i;
1039 dn = 0;
1040 }
1041
1042 /* xor */
1043 p = ivp ? ivp : iv;
1044 q = sp;
1045 for (i = 0; i < blocklen; i++)
1046 q[i] ^= p[i];
1047
1048 /* encrypt */
1049 (*algo->blockencrypt)(algo, sav, sp, mtod(d, u_int8_t *) + dn);
1050
1051 /* next iv */
1052 ivp = mtod(d, u_int8_t *) + dn;
1053
1054 sn += blocklen;
1055 dn += blocklen;
1056
1057 /* find the next source block */
1058 while (s && sn >= s->m_len) {
1059 sn -= s->m_len;
1060 soff += s->m_len;
1061 s = s->m_next;
1062 }
1063 }
1064
1065 m_freem(scut->m_next);
1066 scut->m_len = scutoff;
1067 scut->m_next = d0;
1068
1069 /* just in case */
1070 bzero(iv, sizeof(iv));
1071 bzero(sbuf, sizeof(sbuf));
1072
1073 key_sa_stir_iv(sav);
1074
1075 return 0;
1076 }
1077
1078 /*------------------------------------------------------------*/
1079
1080 /* does not free m0 on error */
1081 int
1082 esp_auth(m0, skip, length, sav, sum)
1083 struct mbuf *m0;
1084 size_t skip; /* offset to ESP header */
1085 size_t length; /* payload length */
1086 struct secasvar *sav;
1087 u_char *sum;
1088 {
1089 struct mbuf *m;
1090 size_t off;
1091 struct ah_algorithm_state s;
1092 u_char sumbuf[AH_MAXSUMSIZE];
1093 const struct ah_algorithm *algo;
1094 size_t siz;
1095 int error;
1096
1097 /* sanity checks */
1098 if (m0->m_pkthdr.len < skip) {
1099 ipseclog((LOG_DEBUG, "esp_auth: mbuf length < skip\n"));
1100 return EINVAL;
1101 }
1102 if (m0->m_pkthdr.len < skip + length) {
1103 ipseclog((LOG_DEBUG,
1104 "esp_auth: mbuf length < skip + length\n"));
1105 return EINVAL;
1106 }
1107
1108 KERNEL_DEBUG(DBG_FNC_ESPAUTH | DBG_FUNC_START, skip,length,0,0,0);
1109 /*
1110 * length of esp part (excluding authentication data) must be 4n,
1111 * since nexthdr must be at offset 4n+3.
1112 */
1113 if (length % 4) {
1114 ipseclog((LOG_ERR, "esp_auth: length is not multiple of 4\n"));
1115 KERNEL_DEBUG(DBG_FNC_ESPAUTH | DBG_FUNC_END, 1,0,0,0,0);
1116 return EINVAL;
1117 }
1118 if (!sav) {
1119 ipseclog((LOG_DEBUG, "esp_auth: NULL SA passed\n"));
1120 KERNEL_DEBUG(DBG_FNC_ESPAUTH | DBG_FUNC_END, 2,0,0,0,0);
1121 return EINVAL;
1122 }
1123 algo = ah_algorithm_lookup(sav->alg_auth);
1124 if (!algo) {
1125 ipseclog((LOG_ERR,
1126 "esp_auth: bad ESP auth algorithm passed: %d\n",
1127 sav->alg_auth));
1128 KERNEL_DEBUG(DBG_FNC_ESPAUTH | DBG_FUNC_END, 3,0,0,0,0);
1129 return EINVAL;
1130 }
1131
1132 m = m0;
1133 off = 0;
1134
1135 siz = (((*algo->sumsiz)(sav) + 3) & ~(4 - 1));
1136 if (sizeof(sumbuf) < siz) {
1137 ipseclog((LOG_DEBUG,
1138 "esp_auth: AH_MAXSUMSIZE is too small: siz=%lu\n",
1139 (u_long)siz));
1140 KERNEL_DEBUG(DBG_FNC_ESPAUTH | DBG_FUNC_END, 4,0,0,0,0);
1141 return EINVAL;
1142 }
1143
1144 /* skip the header */
1145 while (skip) {
1146 if (!m)
1147 panic("mbuf chain?");
1148 if (m->m_len <= skip) {
1149 skip -= m->m_len;
1150 m = m->m_next;
1151 off = 0;
1152 } else {
1153 off = skip;
1154 skip = 0;
1155 }
1156 }
1157
1158 error = (*algo->init)(&s, sav);
1159 if (error) {
1160 KERNEL_DEBUG(DBG_FNC_ESPAUTH | DBG_FUNC_END, 5,0,0,0,0);
1161 return error;
1162 }
1163 while (0 < length) {
1164 if (!m)
1165 panic("mbuf chain?");
1166
1167 if (m->m_len - off < length) {
1168 (*algo->update)(&s, mtod(m, u_char *) + off,
1169 m->m_len - off);
1170 length -= m->m_len - off;
1171 m = m->m_next;
1172 off = 0;
1173 } else {
1174 (*algo->update)(&s, mtod(m, u_char *) + off, length);
1175 break;
1176 }
1177 }
1178 (*algo->result)(&s, sumbuf);
1179 bcopy(sumbuf, sum, siz); /*XXX*/
1180 KERNEL_DEBUG(DBG_FNC_ESPAUTH | DBG_FUNC_END, 6,0,0,0,0);
1181 return 0;
1182 }
mirror of XNU