]> git.saurik.com Git - apple/xnu.git/blob - bsd/netinet6/esp_core.c
projects / apple / xnu.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
xnu-4570.20.62.tar.gz
[apple/xnu.git] / bsd / netinet6 / esp_core.c
1 /*
2 * Copyright (c) 2008-2016 Apple Inc. All rights reserved.
3 *
4 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. The rights granted to you under the License
10 * may not be used to create, or enable the creation or redistribution of,
11 * unlawful or unlicensed copies of an Apple operating system, or to
12 * circumvent, violate, or enable the circumvention or violation of, any
13 * terms of an Apple operating system software license agreement.
14 *
15 * Please obtain a copy of the License at
16 * http://www.opensource.apple.com/apsl/ and read it before using this file.
17 *
18 * The Original Code and all software distributed under the License are
19 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
20 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
21 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
22 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
23 * Please see the License for the specific language governing rights and
24 * limitations under the License.
25 *
26 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
27 */
28
29 /* $FreeBSD: src/sys/netinet6/esp_core.c,v 1.1.2.4 2002/03/26 10:12:29 ume Exp $ */
30 /* $KAME: esp_core.c,v 1.50 2000/11/02 12:27:38 itojun Exp $ */
31
32 /*
33 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
34 * All rights reserved.
35 *
36 * Redistribution and use in source and binary forms, with or without
37 * modification, are permitted provided that the following conditions
38 * are met:
39 * 1. Redistributions of source code must retain the above copyright
40 * notice, this list of conditions and the following disclaimer.
41 * 2. Redistributions in binary form must reproduce the above copyright
42 * notice, this list of conditions and the following disclaimer in the
43 * documentation and/or other materials provided with the distribution.
44 * 3. Neither the name of the project nor the names of its contributors
45 * may be used to endorse or promote products derived from this software
46 * without specific prior written permission.
47 *
48 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
49 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
50 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
51 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
52 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
53 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
54 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
55 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
56 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
57 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
58 * SUCH DAMAGE.
59 */
60
61 #define _IP_VHL
62
63 #include <sys/param.h>
64 #include <sys/systm.h>
65 #include <sys/malloc.h>
66 #include <sys/mbuf.h>
67 #include <sys/domain.h>
68 #include <sys/protosw.h>
69 #include <sys/socket.h>
70 #include <sys/errno.h>
71 #include <sys/time.h>
72 #include <sys/kernel.h>
73 #include <sys/syslog.h>
74
75 #include <kern/locks.h>
76
77 #include <net/if.h>
78 #include <net/route.h>
79
80 #include <netinet/in.h>
81 #include <netinet/in_var.h>
82 #if INET6
83 #include <netinet/ip6.h>
84 #include <netinet6/ip6_var.h>
85 #include <netinet/icmp6.h>
86 #endif
87
88 #include <netinet6/ipsec.h>
89 #if INET6
90 #include <netinet6/ipsec6.h>
91 #endif
92 #include <netinet6/ah.h>
93 #if INET6
94 #include <netinet6/ah6.h>
95 #endif
96 #include <netinet6/esp.h>
97 #if INET6
98 #include <netinet6/esp6.h>
99 #endif
100 #include <netinet6/esp_rijndael.h>
101 #include <netinet6/esp_chachapoly.h>
102 #include <net/pfkeyv2.h>
103 #include <netkey/keydb.h>
104 #include <netkey/key.h>
105 #include <libkern/crypto/des.h>
106
107 #include <net/net_osdep.h>
108
109 #include <sys/kdebug.h>
110 #define DBG_LAYER_BEG NETDBG_CODE(DBG_NETIPSEC, 1)
111 #define DBG_LAYER_END NETDBG_CODE(DBG_NETIPSEC, 3)
112 #define DBG_FNC_ESPAUTH NETDBG_CODE(DBG_NETIPSEC, (8 << 8))
113 #define MAX_SBUF_LEN 2000
114
115 extern lck_mtx_t *sadb_mutex;
116
117 static int esp_null_mature(struct secasvar *);
118 static int esp_null_decrypt(struct mbuf *, size_t,
119 struct secasvar *, const struct esp_algorithm *, int);
120 static int esp_null_encrypt(struct mbuf *, size_t, size_t,
121 struct secasvar *, const struct esp_algorithm *, int);
122 static int esp_descbc_mature(struct secasvar *);
123 static int esp_descbc_ivlen(const struct esp_algorithm *,
124 struct secasvar *);
125 static int esp_des_schedule(const struct esp_algorithm *,
126 struct secasvar *);
127 static int esp_des_schedlen(const struct esp_algorithm *);
128 static int esp_des_blockdecrypt(const struct esp_algorithm *,
129 struct secasvar *, u_int8_t *, u_int8_t *);
130 static int esp_des_blockencrypt(const struct esp_algorithm *,
131 struct secasvar *, u_int8_t *, u_int8_t *);
132 static int esp_cbc_mature(struct secasvar *);
133 static int esp_3des_schedule(const struct esp_algorithm *,
134 struct secasvar *);
135 static int esp_3des_schedlen(const struct esp_algorithm *);
136 static int esp_3des_blockdecrypt(const struct esp_algorithm *,
137 struct secasvar *, u_int8_t *, u_int8_t *);
138 static int esp_3des_blockencrypt(const struct esp_algorithm *,
139 struct secasvar *, u_int8_t *, u_int8_t *);
140 static int esp_common_ivlen(const struct esp_algorithm *,
141 struct secasvar *);
142 static int esp_cbc_decrypt(struct mbuf *, size_t,
143 struct secasvar *, const struct esp_algorithm *, int);
144 static int esp_cbc_encrypt(struct mbuf *, size_t, size_t,
145 struct secasvar *, const struct esp_algorithm *, int);
146 static int esp_gcm_mature(struct secasvar *);
147
148 #define MAXIVLEN 16
149
150 #define ESP_AESGCM_KEYLEN128 160 // 16-bytes key + 4 bytes salt
151 #define ESP_AESGCM_KEYLEN192 224 // 24-bytes key + 4 bytes salt
152 #define ESP_AESGCM_KEYLEN256 288 // 32-bytes key + 4 bytes salt
153
154 static const struct esp_algorithm des_cbc =
155 { 8, -1, esp_descbc_mature, 64, 64, esp_des_schedlen,
156 "des-cbc",
157 esp_descbc_ivlen, esp_cbc_decrypt,
158 esp_cbc_encrypt, esp_des_schedule,
159 esp_des_blockdecrypt, esp_des_blockencrypt,
160 0, 0, 0 };
161 static const struct esp_algorithm des3_cbc =
162 { 8, 8, esp_cbc_mature, 192, 192, esp_3des_schedlen,
163 "3des-cbc",
164 esp_common_ivlen, esp_cbc_decrypt,
165 esp_cbc_encrypt, esp_3des_schedule,
166 esp_3des_blockdecrypt, esp_3des_blockencrypt,
167 0, 0, 0 };
168 static const struct esp_algorithm null_esp =
169 { 1, 0, esp_null_mature, 0, 2048, 0, "null",
170 esp_common_ivlen, esp_null_decrypt,
171 esp_null_encrypt, NULL, NULL, NULL,
172 0, 0, 0 };
173 static const struct esp_algorithm aes_cbc =
174 { 16, 16, esp_cbc_mature, 128, 256, esp_aes_schedlen,
175 "aes-cbc",
176 esp_common_ivlen, esp_cbc_decrypt_aes,
177 esp_cbc_encrypt_aes, esp_aes_schedule,
178 0, 0,
179 0, 0, 0 };
180 static const struct esp_algorithm aes_gcm =
181 { 4, 8, esp_gcm_mature, ESP_AESGCM_KEYLEN128, ESP_AESGCM_KEYLEN256, esp_gcm_schedlen,
182 "aes-gcm",
183 esp_common_ivlen, esp_gcm_decrypt_aes,
184 esp_gcm_encrypt_aes, esp_gcm_schedule,
185 0, 0,
186 16, esp_gcm_decrypt_finalize, esp_gcm_encrypt_finalize};
187 static const struct esp_algorithm chacha_poly =
188 { ESP_CHACHAPOLY_PAD_BOUND, ESP_CHACHAPOLY_IV_LEN,
189 esp_chachapoly_mature, ESP_CHACHAPOLY_KEYBITS_WITH_SALT,
190 ESP_CHACHAPOLY_KEYBITS_WITH_SALT, esp_chachapoly_schedlen,
191 "chacha-poly", esp_common_ivlen, esp_chachapoly_decrypt,
192 esp_chachapoly_encrypt, esp_chachapoly_schedule,
193 NULL, NULL, ESP_CHACHAPOLY_ICV_LEN,
194 esp_chachapoly_decrypt_finalize, esp_chachapoly_encrypt_finalize};
195
196 static const struct esp_algorithm *esp_algorithms[] = {
197 &des_cbc,
198 &des3_cbc,
199 &null_esp,
200 &aes_cbc,
201 &aes_gcm,
202 &chacha_poly,
203 };
204
205 const struct esp_algorithm *
206 esp_algorithm_lookup(int idx)
207 {
208 switch (idx) {
209 case SADB_EALG_DESCBC:
210 return &des_cbc;
211 case SADB_EALG_3DESCBC:
212 return &des3_cbc;
213 case SADB_EALG_NULL:
214 return &null_esp;
215 case SADB_X_EALG_RIJNDAELCBC:
216 return &aes_cbc;
217 case SADB_X_EALG_AES_GCM:
218 return &aes_gcm;
219 case SADB_X_EALG_CHACHA20POLY1305:
220 return &chacha_poly;
221 default:
222 return NULL;
223 }
224 }
225
226 int
227 esp_max_ivlen(void)
228 {
229 int idx;
230 int ivlen;
231
232 ivlen = 0;
233 for (idx = 0; idx < sizeof(esp_algorithms)/sizeof(esp_algorithms[0]);
234 idx++) {
235 if (esp_algorithms[idx]->ivlenval > ivlen)
236 ivlen = esp_algorithms[idx]->ivlenval;
237 }
238
239 return ivlen;
240 }
241
242 int
243 esp_schedule(const struct esp_algorithm *algo, struct secasvar *sav)
244 {
245 int error;
246
247 /* check for key length */
248 if (_KEYBITS(sav->key_enc) < algo->keymin ||
249 _KEYBITS(sav->key_enc) > algo->keymax) {
250 ipseclog((LOG_ERR,
251 "esp_schedule %s: unsupported key length %d: "
252 "needs %d to %d bits\n", algo->name, _KEYBITS(sav->key_enc),
253 algo->keymin, algo->keymax));
254 return EINVAL;
255 }
256
257 lck_mtx_lock(sadb_mutex);
258 /* already allocated */
259 if (sav->sched && sav->schedlen != 0) {
260 lck_mtx_unlock(sadb_mutex);
261 return 0;
262 }
263
264 /* prevent disallowed implicit IV */
265 if (((sav->flags & SADB_X_EXT_IIV) != 0) &&
266 (sav->alg_enc != SADB_X_EALG_AES_GCM) &&
267 (sav->alg_enc != SADB_X_EALG_CHACHA20POLY1305)) {
268 ipseclog((LOG_ERR,
269 "esp_schedule %s: implicit IV not allowed\n",
270 algo->name));
271 return EINVAL;
272 }
273
274 /* no schedule necessary */
275 if (!algo->schedule || !algo->schedlen) {
276 lck_mtx_unlock(sadb_mutex);
277 return 0;
278 }
279
280 sav->schedlen = (*algo->schedlen)(algo);
281 if ((signed) sav->schedlen < 0) {
282 lck_mtx_unlock(sadb_mutex);
283 return EINVAL;
284 }
285
286 //#### that malloc should be replaced by a saved buffer...
287 sav->sched = _MALLOC(sav->schedlen, M_SECA, M_DONTWAIT);
288 if (!sav->sched) {
289 sav->schedlen = 0;
290 lck_mtx_unlock(sadb_mutex);
291 return ENOBUFS;
292 }
293
294 error = (*algo->schedule)(algo, sav);
295 if (error) {
296 ipseclog((LOG_ERR, "esp_schedule %s: error %d\n",
297 algo->name, error));
298 bzero(sav->sched, sav->schedlen);
299 FREE(sav->sched, M_SECA);
300 sav->sched = NULL;
301 sav->schedlen = 0;
302 }
303 lck_mtx_unlock(sadb_mutex);
304 return error;
305 }
306
307 static int
308 esp_null_mature(
309 __unused struct secasvar *sav)
310 {
311
312 /* anything is okay */
313 return 0;
314 }
315
316 static int
317 esp_null_decrypt(
318 __unused struct mbuf *m,
319 __unused size_t off, /* offset to ESP header */
320 __unused struct secasvar *sav,
321 __unused const struct esp_algorithm *algo,
322 __unused int ivlen)
323 {
324
325 return 0; /* do nothing */
326 }
327
328 static int
329 esp_null_encrypt(
330 __unused struct mbuf *m,
331 __unused size_t off, /* offset to ESP header */
332 __unused size_t plen, /* payload length (to be encrypted) */
333 __unused struct secasvar *sav,
334 __unused const struct esp_algorithm *algo,
335 __unused int ivlen)
336 {
337
338 return 0; /* do nothing */
339 }
340
341 static int
342 esp_descbc_mature(struct secasvar *sav)
343 {
344 const struct esp_algorithm *algo;
345
346 if (!(sav->flags & SADB_X_EXT_OLD) && (sav->flags & SADB_X_EXT_IV4B)) {
347 ipseclog((LOG_ERR, "esp_cbc_mature: "
348 "algorithm incompatible with 4 octets IV length\n"));
349 return 1;
350 }
351
352 if (!sav->key_enc) {
353 ipseclog((LOG_ERR, "esp_descbc_mature: no key is given.\n"));
354 return 1;
355 }
356
357 algo = esp_algorithm_lookup(sav->alg_enc);
358 if (!algo) {
359 ipseclog((LOG_ERR,
360 "esp_descbc_mature: unsupported algorithm.\n"));
361 return 1;
362 }
363
364 if (_KEYBITS(sav->key_enc) < algo->keymin ||
365 _KEYBITS(sav->key_enc) > algo->keymax) {
366 ipseclog((LOG_ERR,
367 "esp_descbc_mature: invalid key length %d.\n",
368 _KEYBITS(sav->key_enc)));
369 return 1;
370 }
371
372 /* weak key check */
373 if (des_is_weak_key((des_cblock *)_KEYBUF(sav->key_enc))) {
374 ipseclog((LOG_ERR,
375 "esp_descbc_mature: weak key was passed.\n"));
376 return 1;
377 }
378
379 return 0;
380 }
381
382 static int
383 esp_descbc_ivlen(
384 __unused const struct esp_algorithm *algo,
385 struct secasvar *sav)
386 {
387
388 if (!sav)
389 return 8;
390 if ((sav->flags & SADB_X_EXT_OLD) && (sav->flags & SADB_X_EXT_IV4B))
391 return 4;
392 if (!(sav->flags & SADB_X_EXT_OLD) && (sav->flags & SADB_X_EXT_DERIV))
393 return 4;
394 return 8;
395 }
396
397 static int
398 esp_des_schedlen(
399 __unused const struct esp_algorithm *algo)
400 {
401 return sizeof(des_ecb_key_schedule);
402 }
403
404 static int
405 esp_des_schedule(
406 __unused const struct esp_algorithm *algo,
407 struct secasvar *sav)
408 {
409
410 LCK_MTX_ASSERT(sadb_mutex, LCK_MTX_ASSERT_OWNED);
411 if (des_ecb_key_sched((des_cblock *)_KEYBUF(sav->key_enc),
412 (des_ecb_key_schedule *)sav->sched))
413 return EINVAL;
414 else
415 return 0;
416 }
417
418 static int
419 esp_des_blockdecrypt(
420 __unused const struct esp_algorithm *algo,
421 struct secasvar *sav,
422 u_int8_t *s,
423 u_int8_t *d)
424 {
425 /* assumption: d has a good alignment */
426 bcopy(s, d, sizeof(DES_LONG) * 2);
427 des_ecb_encrypt((des_cblock *)d, (des_cblock *)d,
428 (des_ecb_key_schedule *)sav->sched, DES_DECRYPT);
429 return 0;
430 }
431
432 static int
433 esp_des_blockencrypt(
434 __unused const struct esp_algorithm *algo,
435 struct secasvar *sav,
436 u_int8_t *s,
437 u_int8_t *d)
438 {
439 /* assumption: d has a good alignment */
440 bcopy(s, d, sizeof(DES_LONG) * 2);
441 des_ecb_encrypt((des_cblock *)d, (des_cblock *)d,
442 (des_ecb_key_schedule *)sav->sched, DES_ENCRYPT);
443 return 0;
444 }
445
446 static int
447 esp_cbc_mature(struct secasvar *sav)
448 {
449 int keylen;
450 const struct esp_algorithm *algo;
451
452 if (sav->flags & SADB_X_EXT_OLD) {
453 ipseclog((LOG_ERR,
454 "esp_cbc_mature: algorithm incompatible with esp-old\n"));
455 return 1;
456 }
457 if (sav->flags & SADB_X_EXT_DERIV) {
458 ipseclog((LOG_ERR,
459 "esp_cbc_mature: algorithm incompatible with derived\n"));
460 return 1;
461 }
462
463 if (!sav->key_enc) {
464 ipseclog((LOG_ERR, "esp_cbc_mature: no key is given.\n"));
465 return 1;
466 }
467
468 algo = esp_algorithm_lookup(sav->alg_enc);
469 if (!algo) {
470 ipseclog((LOG_ERR,
471 "esp_cbc_mature: unsupported algorithm.\n"));
472 return 1;
473 }
474
475 keylen = sav->key_enc->sadb_key_bits;
476 if (keylen < algo->keymin || algo->keymax < keylen) {
477 ipseclog((LOG_ERR,
478 "esp_cbc_mature %s: invalid key length %d.\n",
479 algo->name, sav->key_enc->sadb_key_bits));
480 return 1;
481 }
482 switch (sav->alg_enc) {
483 case SADB_EALG_3DESCBC:
484 /* weak key check */
485 if (des_is_weak_key((des_cblock *)_KEYBUF(sav->key_enc)) ||
486 des_is_weak_key((des_cblock *)(_KEYBUF(sav->key_enc) + 8)) ||
487 des_is_weak_key((des_cblock *)(_KEYBUF(sav->key_enc) + 16))) {
488 ipseclog((LOG_ERR,
489 "esp_cbc_mature %s: weak key was passed.\n",
490 algo->name));
491 return 1;
492 }
493 break;
494 case SADB_X_EALG_RIJNDAELCBC:
495 /* allows specific key sizes only */
496 if (!(keylen == 128 || keylen == 192 || keylen == 256)) {
497 ipseclog((LOG_ERR,
498 "esp_cbc_mature %s: invalid key length %d.\n",
499 algo->name, keylen));
500 return 1;
501 }
502 break;
503 }
504
505 return 0;
506 }
507
508 static int
509 esp_gcm_mature(struct secasvar *sav)
510 {
511 int keylen;
512 const struct esp_algorithm *algo;
513
514 if (sav->flags & SADB_X_EXT_OLD) {
515 ipseclog((LOG_ERR,
516 "esp_gcm_mature: algorithm incompatible with esp-old\n"));
517 return 1;
518 }
519 if (sav->flags & SADB_X_EXT_DERIV) {
520 ipseclog((LOG_ERR,
521 "esp_gcm_mature: algorithm incompatible with derived\n"));
522 return 1;
523 }
524 if (sav->flags & SADB_X_EXT_IIV) {
525 ipseclog((LOG_ERR,
526 "esp_gcm_mature: implicit IV not currently implemented\n"));
527 return 1;
528 }
529
530 if (!sav->key_enc) {
531 ipseclog((LOG_ERR, "esp_gcm_mature: no key is given.\n"));
532 return 1;
533 }
534
535 algo = esp_algorithm_lookup(sav->alg_enc);
536 if (!algo) {
537 ipseclog((LOG_ERR,
538 "esp_gcm_mature: unsupported algorithm.\n"));
539 return 1;
540 }
541
542 keylen = sav->key_enc->sadb_key_bits;
543 if (keylen < algo->keymin || algo->keymax < keylen) {
544 ipseclog((LOG_ERR,
545 "esp_gcm_mature %s: invalid key length %d.\n",
546 algo->name, sav->key_enc->sadb_key_bits));
547 return 1;
548 }
549 switch (sav->alg_enc) {
550 case SADB_X_EALG_AES_GCM:
551 /* allows specific key sizes only */
552 if (!(keylen == ESP_AESGCM_KEYLEN128 || keylen == ESP_AESGCM_KEYLEN192 || keylen == ESP_AESGCM_KEYLEN256)) {
553 ipseclog((LOG_ERR,
554 "esp_gcm_mature %s: invalid key length %d.\n",
555 algo->name, keylen));
556 return 1;
557 }
558 break;
559 default:
560 ipseclog((LOG_ERR,
561 "esp_gcm_mature %s: invalid algo %d.\n", sav->alg_enc));
562 return 1;
563 }
564
565 return 0;
566 }
567
568 static int
569 esp_3des_schedlen(
570 __unused const struct esp_algorithm *algo)
571 {
572
573 return sizeof(des3_ecb_key_schedule);
574 }
575
576 static int
577 esp_3des_schedule(
578 __unused const struct esp_algorithm *algo,
579 struct secasvar *sav)
580 {
581 LCK_MTX_ASSERT(sadb_mutex, LCK_MTX_ASSERT_OWNED);
582
583 if (des3_ecb_key_sched((des_cblock *)_KEYBUF(sav->key_enc),
584 (des3_ecb_key_schedule *)sav->sched))
585 return EINVAL;
586 else
587 return 0;
588 }
589
590 static int
591 esp_3des_blockdecrypt(
592 __unused const struct esp_algorithm *algo,
593 struct secasvar *sav,
594 u_int8_t *s,
595 u_int8_t *d)
596 {
597 /* assumption: d has a good alignment */
598 bcopy(s, d, sizeof(DES_LONG) * 2);
599 des3_ecb_encrypt((des_cblock *)d, (des_cblock *)d,
600 (des3_ecb_key_schedule *)sav->sched, DES_DECRYPT);
601 return 0;
602 }
603
604 static int
605 esp_3des_blockencrypt(
606 __unused const struct esp_algorithm *algo,
607 struct secasvar *sav,
608 u_int8_t *s,
609 u_int8_t *d)
610 {
611 /* assumption: d has a good alignment */
612 bcopy(s, d, sizeof(DES_LONG) * 2);
613 des3_ecb_encrypt((des_cblock *)d, (des_cblock *)d,
614 (des3_ecb_key_schedule *)sav->sched, DES_ENCRYPT);
615 return 0;
616 }
617
618 static int
619 esp_common_ivlen(
620 const struct esp_algorithm *algo,
621 __unused struct secasvar *sav)
622 {
623
624 if (!algo)
625 panic("esp_common_ivlen: unknown algorithm");
626 return algo->ivlenval;
627 }
628
629 static int
630 esp_cbc_decrypt(struct mbuf *m, size_t off, struct secasvar *sav,
631 const struct esp_algorithm *algo, int ivlen)
632 {
633 struct mbuf *s;
634 struct mbuf *d, *d0, *dp;
635 int soff, doff; /* offset from the head of chain, to head of this mbuf */
636 int sn, dn; /* offset from the head of the mbuf, to meat */
637 size_t ivoff, bodyoff;
638 u_int8_t iv[MAXIVLEN] __attribute__((aligned(4))), *ivp;
639 u_int8_t *sbuf = NULL, *sp, *sp_unaligned;
640 u_int8_t *p, *q;
641 struct mbuf *scut;
642 int scutoff;
643 int i, result = 0;
644 int blocklen;
645 int derived;
646
647 if (ivlen != sav->ivlen || ivlen > sizeof(iv)) {
648 ipseclog((LOG_ERR, "esp_cbc_decrypt %s: "
649 "unsupported ivlen %d\n", algo->name, ivlen));
650 m_freem(m);
651 return EINVAL;
652 }
653
654 /* assumes blocklen == padbound */
655 blocklen = algo->padbound;
656
657 #if DIAGNOSTIC
658 if (blocklen > sizeof(iv)) {
659 ipseclog((LOG_ERR, "esp_cbc_decrypt %s: "
660 "unsupported blocklen %d\n", algo->name, blocklen));
661 m_freem(m);
662 return EINVAL;
663 }
664 #endif
665
666 if (sav->flags & SADB_X_EXT_OLD) {
667 /* RFC 1827 */
668 ivoff = off + sizeof(struct esp);
669 bodyoff = off + sizeof(struct esp) + ivlen;
670 derived = 0;
671 } else {
672 /* RFC 2406 */
673 if (sav->flags & SADB_X_EXT_DERIV) {
674 /*
675 * draft-ietf-ipsec-ciph-des-derived-00.txt
676 * uses sequence number field as IV field.
677 */
678 ivoff = off + sizeof(struct esp);
679 bodyoff = off + sizeof(struct esp) + sizeof(u_int32_t);
680 ivlen = sizeof(u_int32_t);
681 derived = 1;
682 } else {
683 ivoff = off + sizeof(struct newesp);
684 bodyoff = off + sizeof(struct newesp) + ivlen;
685 derived = 0;
686 }
687 }
688
689 /* grab iv */
690 m_copydata(m, ivoff, ivlen, (caddr_t) iv);
691
692 /* extend iv */
693 if (ivlen == blocklen)
694 ;
695 else if (ivlen == 4 && blocklen == 8) {
696 bcopy(&iv[0], &iv[4], 4);
697 iv[4] ^= 0xff;
698 iv[5] ^= 0xff;
699 iv[6] ^= 0xff;
700 iv[7] ^= 0xff;
701 } else {
702 ipseclog((LOG_ERR, "esp_cbc_encrypt %s: "
703 "unsupported ivlen/blocklen: %d %d\n",
704 algo->name, ivlen, blocklen));
705 m_freem(m);
706 return EINVAL;
707 }
708
709 if (m->m_pkthdr.len < bodyoff) {
710 ipseclog((LOG_ERR, "esp_cbc_decrypt %s: bad len %d/%lu\n",
711 algo->name, m->m_pkthdr.len, (u_int32_t)bodyoff));
712 m_freem(m);
713 return EINVAL;
714 }
715 if ((m->m_pkthdr.len - bodyoff) % blocklen) {
716 ipseclog((LOG_ERR, "esp_cbc_decrypt %s: "
717 "payload length must be multiple of %d\n",
718 algo->name, blocklen));
719 m_freem(m);
720 return EINVAL;
721 }
722
723 s = m;
724 d = d0 = dp = NULL;
725 soff = doff = sn = dn = 0;
726 ivp = sp = NULL;
727
728 /* skip bodyoff */
729 while (soff < bodyoff) {
730 if (soff + s->m_len > bodyoff) {
731 sn = bodyoff - soff;
732 break;
733 }
734
735 soff += s->m_len;
736 s = s->m_next;
737 }
738 scut = s;
739 scutoff = sn;
740
741 /* skip over empty mbuf */
742 while (s && s->m_len == 0)
743 s = s->m_next;
744
745 // Allocate blocksized buffer for unaligned or non-contiguous access
746 sbuf = (u_int8_t *)_MALLOC(blocklen, M_SECA, M_DONTWAIT);
747 if (sbuf == NULL)
748 return ENOBUFS;
749 while (soff < m->m_pkthdr.len) {
750 /* source */
751 if (sn + blocklen <= s->m_len) {
752 /* body is continuous */
753 sp = mtod(s, u_int8_t *) + sn;
754 } else {
755 /* body is non-continuous */
756 m_copydata(s, sn, blocklen, (caddr_t) sbuf);
757 sp = sbuf;
758 }
759
760 /* destination */
761 if (!d || dn + blocklen > d->m_len) {
762 if (d)
763 dp = d;
764 MGET(d, M_DONTWAIT, MT_DATA);
765 i = m->m_pkthdr.len - (soff + sn);
766 if (d && i > MLEN) {
767 MCLGET(d, M_DONTWAIT);
768 if ((d->m_flags & M_EXT) == 0) {
769 m_free(d);
770 d = NULL;
771 }
772 }
773 if (!d) {
774 m_freem(m);
775 if (d0)
776 m_freem(d0);
777 result = ENOBUFS;
778 goto end;
779 }
780 if (!d0)
781 d0 = d;
782 if (dp)
783 dp->m_next = d;
784
785 // try to make mbuf data aligned
786 if (!IPSEC_IS_P2ALIGNED(d->m_data)) {
787 m_adj(d, IPSEC_GET_P2UNALIGNED_OFS(d->m_data));
788 }
789
790 d->m_len = 0;
791 d->m_len = (M_TRAILINGSPACE(d) / blocklen) * blocklen;
792 if (d->m_len > i)
793 d->m_len = i;
794 dn = 0;
795 }
796
797 /* decrypt */
798 // check input pointer alignment and use a separate aligned buffer (if sp is unaligned on 4-byte boundary).
799 if (IPSEC_IS_P2ALIGNED(sp)) {
800 sp_unaligned = NULL;
801 } else {
802 sp_unaligned = sp;
803 sp = sbuf;
804 memcpy(sp, sp_unaligned, blocklen);
805 }
806 // no need to check output pointer alignment
807 (*algo->blockdecrypt)(algo, sav, sp, mtod(d, u_int8_t *) + dn);
808
809 // update unaligned pointers
810 if (!IPSEC_IS_P2ALIGNED(sp_unaligned)) {
811 sp = sp_unaligned;
812 }
813
814 /* xor */
815 p = ivp ? ivp : iv;
816 q = mtod(d, u_int8_t *) + dn;
817 for (i = 0; i < blocklen; i++)
818 q[i] ^= p[i];
819
820 /* next iv */
821 if (sp == sbuf) {
822 bcopy(sbuf, iv, blocklen);
823 ivp = NULL;
824 } else
825 ivp = sp;
826
827 sn += blocklen;
828 dn += blocklen;
829
830 /* find the next source block */
831 while (s && sn >= s->m_len) {
832 sn -= s->m_len;
833 soff += s->m_len;
834 s = s->m_next;
835 }
836 }
837
838 m_freem(scut->m_next);
839 scut->m_len = scutoff;
840 scut->m_next = d0;
841
842 /* just in case */
843 bzero(iv, sizeof(iv));
844 bzero(sbuf, blocklen);
845 end:
846 if (sbuf != NULL)
847 FREE(sbuf, M_SECA);
848 return result;
849 }
850
851 static int
852 esp_cbc_encrypt(
853 struct mbuf *m,
854 size_t off,
855 __unused size_t plen,
856 struct secasvar *sav,
857 const struct esp_algorithm *algo,
858 int ivlen)
859 {
860 struct mbuf *s;
861 struct mbuf *d, *d0, *dp;
862 int soff, doff; /* offset from the head of chain, to head of this mbuf */
863 int sn, dn; /* offset from the head of the mbuf, to meat */
864 size_t ivoff, bodyoff;
865 u_int8_t iv[MAXIVLEN] __attribute__((aligned(4))), *ivp;
866 u_int8_t *sbuf = NULL, *sp, *sp_unaligned;
867 u_int8_t *p, *q;
868 struct mbuf *scut;
869 int scutoff;
870 int i, result = 0;
871 int blocklen;
872 int derived;
873
874 if (ivlen != sav->ivlen || ivlen > sizeof(iv)) {
875 ipseclog((LOG_ERR, "esp_cbc_encrypt %s: "
876 "unsupported ivlen %d\n", algo->name, ivlen));
877 m_freem(m);
878 return EINVAL;
879 }
880
881 /* assumes blocklen == padbound */
882 blocklen = algo->padbound;
883
884 #if DIAGNOSTIC
885 if (blocklen > sizeof(iv)) {
886 ipseclog((LOG_ERR, "esp_cbc_encrypt %s: "
887 "unsupported blocklen %d\n", algo->name, blocklen));
888 m_freem(m);
889 return EINVAL;
890 }
891 #endif
892
893 if (sav->flags & SADB_X_EXT_OLD) {
894 /* RFC 1827 */
895 ivoff = off + sizeof(struct esp);
896 bodyoff = off + sizeof(struct esp) + ivlen;
897 derived = 0;
898 } else {
899 /* RFC 2406 */
900 if (sav->flags & SADB_X_EXT_DERIV) {
901 /*
902 * draft-ietf-ipsec-ciph-des-derived-00.txt
903 * uses sequence number field as IV field.
904 */
905 ivoff = off + sizeof(struct esp);
906 bodyoff = off + sizeof(struct esp) + sizeof(u_int32_t);
907 ivlen = sizeof(u_int32_t);
908 derived = 1;
909 } else {
910 ivoff = off + sizeof(struct newesp);
911 bodyoff = off + sizeof(struct newesp) + ivlen;
912 derived = 0;
913 }
914 }
915
916 /* put iv into the packet. if we are in derived mode, use seqno. */
917 if (derived)
918 m_copydata(m, ivoff, ivlen, (caddr_t) iv);
919 else {
920 bcopy(sav->iv, iv, ivlen);
921 /* maybe it is better to overwrite dest, not source */
922 m_copyback(m, ivoff, ivlen, (caddr_t) iv);
923 }
924
925 /* extend iv */
926 if (ivlen == blocklen)
927 ;
928 else if (ivlen == 4 && blocklen == 8) {
929 bcopy(&iv[0], &iv[4], 4);
930 iv[4] ^= 0xff;
931 iv[5] ^= 0xff;
932 iv[6] ^= 0xff;
933 iv[7] ^= 0xff;
934 } else {
935 ipseclog((LOG_ERR, "esp_cbc_encrypt %s: "
936 "unsupported ivlen/blocklen: %d %d\n",
937 algo->name, ivlen, blocklen));
938 m_freem(m);
939 return EINVAL;
940 }
941
942 if (m->m_pkthdr.len < bodyoff) {
943 ipseclog((LOG_ERR, "esp_cbc_encrypt %s: bad len %d/%lu\n",
944 algo->name, m->m_pkthdr.len, (u_int32_t)bodyoff));
945 m_freem(m);
946 return EINVAL;
947 }
948 if ((m->m_pkthdr.len - bodyoff) % blocklen) {
949 ipseclog((LOG_ERR, "esp_cbc_encrypt %s: "
950 "payload length must be multiple of %lu\n",
951 algo->name, (u_int32_t)algo->padbound));
952 m_freem(m);
953 return EINVAL;
954 }
955
956 s = m;
957 d = d0 = dp = NULL;
958 soff = doff = sn = dn = 0;
959 ivp = sp = NULL;
960
961 /* skip bodyoff */
962 while (soff < bodyoff) {
963 if (soff + s->m_len > bodyoff) {
964 sn = bodyoff - soff;
965 break;
966 }
967
968 soff += s->m_len;
969 s = s->m_next;
970 }
971 scut = s;
972 scutoff = sn;
973
974 /* skip over empty mbuf */
975 while (s && s->m_len == 0)
976 s = s->m_next;
977
978 // Allocate blocksized buffer for unaligned or non-contiguous access
979 sbuf = (u_int8_t *)_MALLOC(blocklen, M_SECA, M_DONTWAIT);
980 if (sbuf == NULL)
981 return ENOBUFS;
982 while (soff < m->m_pkthdr.len) {
983 /* source */
984 if (sn + blocklen <= s->m_len) {
985 /* body is continuous */
986 sp = mtod(s, u_int8_t *) + sn;
987 } else {
988 /* body is non-continuous */
989 m_copydata(s, sn, blocklen, (caddr_t) sbuf);
990 sp = sbuf;
991 }
992
993 /* destination */
994 if (!d || dn + blocklen > d->m_len) {
995 if (d)
996 dp = d;
997 MGET(d, M_DONTWAIT, MT_DATA);
998 i = m->m_pkthdr.len - (soff + sn);
999 if (d && i > MLEN) {
1000 MCLGET(d, M_DONTWAIT);
1001 if ((d->m_flags & M_EXT) == 0) {
1002 m_free(d);
1003 d = NULL;
1004 }
1005 }
1006 if (!d) {
1007 m_freem(m);
1008 if (d0)
1009 m_freem(d0);
1010 result = ENOBUFS;
1011 goto end;
1012 }
1013 if (!d0)
1014 d0 = d;
1015 if (dp)
1016 dp->m_next = d;
1017
1018 // try to make mbuf data aligned
1019 if (!IPSEC_IS_P2ALIGNED(d->m_data)) {
1020 m_adj(d, IPSEC_GET_P2UNALIGNED_OFS(d->m_data));
1021 }
1022
1023 d->m_len = 0;
1024 d->m_len = (M_TRAILINGSPACE(d) / blocklen) * blocklen;
1025 if (d->m_len > i)
1026 d->m_len = i;
1027 dn = 0;
1028 }
1029
1030 /* xor */
1031 p = ivp ? ivp : iv;
1032 q = sp;
1033 for (i = 0; i < blocklen; i++)
1034 q[i] ^= p[i];
1035
1036 /* encrypt */
1037 // check input pointer alignment and use a separate aligned buffer (if sp is not aligned on 4-byte boundary).
1038 if (IPSEC_IS_P2ALIGNED(sp)) {
1039 sp_unaligned = NULL;
1040 } else {
1041 sp_unaligned = sp;
1042 sp = sbuf;
1043 memcpy(sp, sp_unaligned, blocklen);
1044 }
1045 // no need to check output pointer alignment
1046 (*algo->blockencrypt)(algo, sav, sp, mtod(d, u_int8_t *) + dn);
1047
1048 // update unaligned pointers
1049 if (!IPSEC_IS_P2ALIGNED(sp_unaligned)) {
1050 sp = sp_unaligned;
1051 }
1052
1053 /* next iv */
1054 ivp = mtod(d, u_int8_t *) + dn;
1055
1056 sn += blocklen;
1057 dn += blocklen;
1058
1059 /* find the next source block */
1060 while (s && sn >= s->m_len) {
1061 sn -= s->m_len;
1062 soff += s->m_len;
1063 s = s->m_next;
1064 }
1065 }
1066
1067 m_freem(scut->m_next);
1068 scut->m_len = scutoff;
1069 scut->m_next = d0;
1070
1071 /* just in case */
1072 bzero(iv, sizeof(iv));
1073 bzero(sbuf, blocklen);
1074
1075 key_sa_stir_iv(sav);
1076 end:
1077 if (sbuf != NULL)
1078 FREE(sbuf, M_SECA);
1079 return result;
1080 }
1081
1082 /*------------------------------------------------------------*/
1083
1084 /* does not free m0 on error */
1085 int
1086 esp_auth(
1087 struct mbuf *m0,
1088 size_t skip, /* offset to ESP header */
1089 size_t length, /* payload length */
1090 struct secasvar *sav,
1091 u_char *sum)
1092 {
1093 struct mbuf *m;
1094 size_t off;
1095 struct ah_algorithm_state s;
1096 u_char sumbuf[AH_MAXSUMSIZE] __attribute__((aligned(4)));
1097 const struct ah_algorithm *algo;
1098 size_t siz;
1099 int error;
1100
1101 /* sanity checks */
1102 if (m0->m_pkthdr.len < skip) {
1103 ipseclog((LOG_DEBUG, "esp_auth: mbuf length < skip\n"));
1104 return EINVAL;
1105 }
1106 if (m0->m_pkthdr.len < skip + length) {
1107 ipseclog((LOG_DEBUG,
1108 "esp_auth: mbuf length < skip + length\n"));
1109 return EINVAL;
1110 }
1111
1112 KERNEL_DEBUG(DBG_FNC_ESPAUTH | DBG_FUNC_START, skip,length,0,0,0);
1113 /*
1114 * length of esp part (excluding authentication data) must be 4n,
1115 * since nexthdr must be at offset 4n+3.
1116 */
1117 if (length % 4) {
1118 ipseclog((LOG_ERR, "esp_auth: length is not multiple of 4\n"));
1119 KERNEL_DEBUG(DBG_FNC_ESPAUTH | DBG_FUNC_END, 1,0,0,0,0);
1120 return EINVAL;
1121 }
1122 if (!sav) {
1123 ipseclog((LOG_DEBUG, "esp_auth: NULL SA passed\n"));
1124 KERNEL_DEBUG(DBG_FNC_ESPAUTH | DBG_FUNC_END, 2,0,0,0,0);
1125 return EINVAL;
1126 }
1127 algo = ah_algorithm_lookup(sav->alg_auth);
1128 if (!algo) {
1129 ipseclog((LOG_ERR,
1130 "esp_auth: bad ESP auth algorithm passed: %d\n",
1131 sav->alg_auth));
1132 KERNEL_DEBUG(DBG_FNC_ESPAUTH | DBG_FUNC_END, 3,0,0,0,0);
1133 return EINVAL;
1134 }
1135
1136 m = m0;
1137 off = 0;
1138
1139 siz = (((*algo->sumsiz)(sav) + 3) & ~(4 - 1));
1140 if (sizeof(sumbuf) < siz) {
1141 ipseclog((LOG_DEBUG,
1142 "esp_auth: AH_MAXSUMSIZE is too small: siz=%lu\n",
1143 (u_int32_t)siz));
1144 KERNEL_DEBUG(DBG_FNC_ESPAUTH | DBG_FUNC_END, 4,0,0,0,0);
1145 return EINVAL;
1146 }
1147
1148 /* skip the header */
1149 while (skip) {
1150 if (!m)
1151 panic("mbuf chain?");
1152 if (m->m_len <= skip) {
1153 skip -= m->m_len;
1154 m = m->m_next;
1155 off = 0;
1156 } else {
1157 off = skip;
1158 skip = 0;
1159 }
1160 }
1161
1162 error = (*algo->init)(&s, sav);
1163 if (error) {
1164 KERNEL_DEBUG(DBG_FNC_ESPAUTH | DBG_FUNC_END, 5,0,0,0,0);
1165 return error;
1166 }
1167 while (0 < length) {
1168 if (!m)
1169 panic("mbuf chain?");
1170
1171 if (m->m_len - off < length) {
1172 (*algo->update)(&s, (caddr_t)(mtod(m, u_char *) + off),
1173 m->m_len - off);
1174 length -= m->m_len - off;
1175 m = m->m_next;
1176 off = 0;
1177 } else {
1178 (*algo->update)(&s, (caddr_t)(mtod(m, u_char *) + off), length);
1179 break;
1180 }
1181 }
1182 (*algo->result)(&s, (caddr_t) sumbuf, sizeof(sumbuf));
1183 bcopy(sumbuf, sum, siz); /*XXX*/
1184 KERNEL_DEBUG(DBG_FNC_ESPAUTH | DBG_FUNC_END, 6,0,0,0,0);
1185 return 0;
1186 }
mirror of XNU