2002-10-16 02:10:08 +00:00
|
|
|
/* $FreeBSD$ */
|
|
|
|
/* $OpenBSD: ip_esp.c,v 1.69 2001/06/26 06:18:59 angelos Exp $ */
|
2005-01-07 01:45:51 +00:00
|
|
|
/*-
|
2002-10-16 02:10:08 +00:00
|
|
|
* The authors of this code are John Ioannidis (ji@tla.org),
|
|
|
|
* Angelos D. Keromytis (kermit@csd.uch.gr) and
|
|
|
|
* Niels Provos (provos@physnet.uni-hamburg.de).
|
|
|
|
*
|
|
|
|
* The original version of this code was written by John Ioannidis
|
|
|
|
* for BSD/OS in Athens, Greece, in November 1995.
|
|
|
|
*
|
|
|
|
* Ported to OpenBSD and NetBSD, with additional transforms, in December 1996,
|
|
|
|
* by Angelos D. Keromytis.
|
|
|
|
*
|
|
|
|
* Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis
|
|
|
|
* and Niels Provos.
|
|
|
|
*
|
|
|
|
* Additional features in 1999 by Angelos D. Keromytis.
|
|
|
|
*
|
|
|
|
* Copyright (C) 1995, 1996, 1997, 1998, 1999 by John Ioannidis,
|
|
|
|
* Angelos D. Keromytis and Niels Provos.
|
|
|
|
* Copyright (c) 2001 Angelos D. Keromytis.
|
|
|
|
*
|
|
|
|
* Permission to use, copy, and modify this software with or without fee
|
|
|
|
* is hereby granted, provided that this entire notice is included in
|
|
|
|
* all copies of any software which is or includes a copy or
|
|
|
|
* modification of this software.
|
|
|
|
* You may use this code under the GNU public license if you so wish. Please
|
|
|
|
* contribute changes back to the authors under this freer than GPL license
|
|
|
|
* so that we may further the use of strong encryption without limitations to
|
|
|
|
* all.
|
|
|
|
*
|
|
|
|
* THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
|
|
|
|
* IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY
|
|
|
|
* REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
|
|
|
|
* MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
|
|
|
|
* PURPOSE.
|
|
|
|
*/
|
|
|
|
#include "opt_inet.h"
|
|
|
|
#include "opt_inet6.h"
|
|
|
|
|
|
|
|
#include <sys/param.h>
|
|
|
|
#include <sys/systm.h>
|
|
|
|
#include <sys/mbuf.h>
|
|
|
|
#include <sys/socket.h>
|
|
|
|
#include <sys/syslog.h>
|
|
|
|
#include <sys/kernel.h>
|
2013-10-26 18:18:50 +00:00
|
|
|
#include <sys/lock.h>
|
2002-10-16 02:10:08 +00:00
|
|
|
#include <sys/random.h>
|
2017-02-06 08:49:57 +00:00
|
|
|
#include <sys/mutex.h>
|
2002-10-16 02:10:08 +00:00
|
|
|
#include <sys/sysctl.h>
|
2015-08-04 17:47:11 +00:00
|
|
|
#include <sys/mutex.h>
|
|
|
|
#include <machine/atomic.h>
|
2002-10-16 02:10:08 +00:00
|
|
|
|
|
|
|
#include <net/if.h>
|
Build on Jeff Roberson's linker-set based dynamic per-CPU allocator
(DPCPU), as suggested by Peter Wemm, and implement a new per-virtual
network stack memory allocator. Modify vnet to use the allocator
instead of monolithic global container structures (vinet, ...). This
change solves many binary compatibility problems associated with
VIMAGE, and restores ELF symbols for virtualized global variables.
Each virtualized global variable exists as a "reference copy", and also
once per virtual network stack. Virtualized global variables are
tagged at compile-time, placing the in a special linker set, which is
loaded into a contiguous region of kernel memory. Virtualized global
variables in the base kernel are linked as normal, but those in modules
are copied and relocated to a reserved portion of the kernel's vnet
region with the help of a the kernel linker.
Virtualized global variables exist in per-vnet memory set up when the
network stack instance is created, and are initialized statically from
the reference copy. Run-time access occurs via an accessor macro, which
converts from the current vnet and requested symbol to a per-vnet
address. When "options VIMAGE" is not compiled into the kernel, normal
global ELF symbols will be used instead and indirection is avoided.
This change restores static initialization for network stack global
variables, restores support for non-global symbols and types, eliminates
the need for many subsystem constructors, eliminates large per-subsystem
structures that caused many binary compatibility issues both for
monitoring applications (netstat) and kernel modules, removes the
per-function INIT_VNET_*() macros throughout the stack, eliminates the
need for vnet_symmap ksym(2) munging, and eliminates duplicate
definitions of virtualized globals under VIMAGE_GLOBALS.
Bump __FreeBSD_version and update UPDATING.
Portions submitted by: bz
Reviewed by: bz, zec
Discussed with: gnn, jamie, jeff, jhb, julian, sam
Suggested by: peter
Approved by: re (kensmith)
2009-07-14 22:48:30 +00:00
|
|
|
#include <net/vnet.h>
|
2002-10-16 02:10:08 +00:00
|
|
|
|
|
|
|
#include <netinet/in.h>
|
|
|
|
#include <netinet/in_systm.h>
|
|
|
|
#include <netinet/ip.h>
|
|
|
|
#include <netinet/ip_ecn.h>
|
|
|
|
#include <netinet/ip6.h>
|
|
|
|
|
|
|
|
#include <netipsec/ipsec.h>
|
|
|
|
#include <netipsec/ah.h>
|
|
|
|
#include <netipsec/ah_var.h>
|
|
|
|
#include <netipsec/esp.h>
|
|
|
|
#include <netipsec/esp_var.h>
|
|
|
|
#include <netipsec/xform.h>
|
|
|
|
|
|
|
|
#ifdef INET6
|
|
|
|
#include <netinet6/ip6_var.h>
|
|
|
|
#include <netipsec/ipsec6.h>
|
|
|
|
#include <netinet6/ip6_ecn.h>
|
|
|
|
#endif
|
|
|
|
|
|
|
|
#include <netipsec/key.h>
|
|
|
|
#include <netipsec/key_debug.h>
|
|
|
|
|
|
|
|
#include <opencrypto/cryptodev.h>
|
|
|
|
#include <opencrypto/xform.h>
|
|
|
|
|
Build on Jeff Roberson's linker-set based dynamic per-CPU allocator
(DPCPU), as suggested by Peter Wemm, and implement a new per-virtual
network stack memory allocator. Modify vnet to use the allocator
instead of monolithic global container structures (vinet, ...). This
change solves many binary compatibility problems associated with
VIMAGE, and restores ELF symbols for virtualized global variables.
Each virtualized global variable exists as a "reference copy", and also
once per virtual network stack. Virtualized global variables are
tagged at compile-time, placing the in a special linker set, which is
loaded into a contiguous region of kernel memory. Virtualized global
variables in the base kernel are linked as normal, but those in modules
are copied and relocated to a reserved portion of the kernel's vnet
region with the help of a the kernel linker.
Virtualized global variables exist in per-vnet memory set up when the
network stack instance is created, and are initialized statically from
the reference copy. Run-time access occurs via an accessor macro, which
converts from the current vnet and requested symbol to a per-vnet
address. When "options VIMAGE" is not compiled into the kernel, normal
global ELF symbols will be used instead and indirection is avoided.
This change restores static initialization for network stack global
variables, restores support for non-global symbols and types, eliminates
the need for many subsystem constructors, eliminates large per-subsystem
structures that caused many binary compatibility issues both for
monitoring applications (netstat) and kernel modules, removes the
per-function INIT_VNET_*() macros throughout the stack, eliminates the
need for vnet_symmap ksym(2) munging, and eliminates duplicate
definitions of virtualized globals under VIMAGE_GLOBALS.
Bump __FreeBSD_version and update UPDATING.
Portions submitted by: bz
Reviewed by: bz, zec
Discussed with: gnn, jamie, jeff, jhb, julian, sam
Suggested by: peter
Approved by: re (kensmith)
2009-07-14 22:48:30 +00:00
|
|
|
VNET_DEFINE(int, esp_enable) = 1;
|
2013-07-09 10:08:13 +00:00
|
|
|
VNET_PCPUSTAT_DEFINE(struct espstat, espstat);
|
|
|
|
VNET_PCPUSTAT_SYSINIT(espstat);
|
|
|
|
|
|
|
|
#ifdef VIMAGE
|
|
|
|
VNET_PCPUSTAT_SYSUNINIT(espstat);
|
|
|
|
#endif /* VIMAGE */
|
2002-10-16 02:10:08 +00:00
|
|
|
|
|
|
|
SYSCTL_DECL(_net_inet_esp);
|
2014-11-07 09:39:05 +00:00
|
|
|
SYSCTL_INT(_net_inet_esp, OID_AUTO, esp_enable,
|
|
|
|
CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(esp_enable), 0, "");
|
2013-07-09 10:08:13 +00:00
|
|
|
SYSCTL_VNET_PCPUSTAT(_net_inet_esp, IPSECCTL_STATS, stats,
|
|
|
|
struct espstat, espstat,
|
|
|
|
"ESP statistics (struct espstat, netipsec/esp_var.h");
|
Build on Jeff Roberson's linker-set based dynamic per-CPU allocator
(DPCPU), as suggested by Peter Wemm, and implement a new per-virtual
network stack memory allocator. Modify vnet to use the allocator
instead of monolithic global container structures (vinet, ...). This
change solves many binary compatibility problems associated with
VIMAGE, and restores ELF symbols for virtualized global variables.
Each virtualized global variable exists as a "reference copy", and also
once per virtual network stack. Virtualized global variables are
tagged at compile-time, placing the in a special linker set, which is
loaded into a contiguous region of kernel memory. Virtualized global
variables in the base kernel are linked as normal, but those in modules
are copied and relocated to a reserved portion of the kernel's vnet
region with the help of a the kernel linker.
Virtualized global variables exist in per-vnet memory set up when the
network stack instance is created, and are initialized statically from
the reference copy. Run-time access occurs via an accessor macro, which
converts from the current vnet and requested symbol to a per-vnet
address. When "options VIMAGE" is not compiled into the kernel, normal
global ELF symbols will be used instead and indirection is avoided.
This change restores static initialization for network stack global
variables, restores support for non-global symbols and types, eliminates
the need for many subsystem constructors, eliminates large per-subsystem
structures that caused many binary compatibility issues both for
monitoring applications (netstat) and kernel modules, removes the
per-function INIT_VNET_*() macros throughout the stack, eliminates the
need for vnet_symmap ksym(2) munging, and eliminates duplicate
definitions of virtualized globals under VIMAGE_GLOBALS.
Bump __FreeBSD_version and update UPDATING.
Portions submitted by: bz
Reviewed by: bz, zec
Discussed with: gnn, jamie, jeff, jhb, julian, sam
Suggested by: peter
Approved by: re (kensmith)
2009-07-14 22:48:30 +00:00
|
|
|
|
2002-10-16 02:10:08 +00:00
|
|
|
static int esp_input_cb(struct cryptop *op);
|
|
|
|
static int esp_output_cb(struct cryptop *crp);
|
Introduce vnet module registration / initialization framework with
dependency tracking and ordering enforcement.
With this change, per-vnet initialization functions introduced with
r190787 are no longer directly called from traditional initialization
functions (which cc in most cases inlined to pre-r190787 code), but are
instead registered via the vnet framework first, and are invoked only
after all prerequisite modules have been initialized. In the long run,
this framework should allow us to both initialize and dismantle
multiple vnet instances in a correct order.
The problem this change aims to solve is how to replay the
initialization sequence of various network stack components, which
have been traditionally triggered via different mechanisms (SYSINIT,
protosw). Note that this initialization sequence was and still can be
subtly different depending on whether certain pieces of code have been
statically compiled into the kernel, loaded as modules by boot
loader, or kldloaded at run time.
The approach is simple - we record the initialization sequence
established by the traditional mechanisms whenever vnet_mod_register()
is called for a particular vnet module. The vnet_mod_register_multi()
variant allows a single initializer function to be registered multiple
times but with different arguments - currently this is only used in
kern/uipc_domain.c by net_add_domain() with different struct domain *
as arguments, which allows for protosw-registered initialization
routines to be invoked in a correct order by the new vnet
initialization framework.
For the purpose of identifying vnet modules, each vnet module has to
have a unique ID, which is statically assigned in sys/vimage.h.
Dynamic assignment of vnet module IDs is not supported yet.
A vnet module may specify a single prerequisite module at registration
time by filling in the vmi_dependson field of its vnet_modinfo struct
with the ID of the module it depends on. Unless specified otherwise,
all vnet modules depend on VNET_MOD_NET (container for ifnet list head,
rt_tables etc.), which thus has to and will always be initialized
first. The framework will panic if it detects any unresolved
dependencies before completing system initialization. Detection of
unresolved dependencies for vnet modules registered after boot
(kldloaded modules) is not provided.
Note that the fact that each module can specify only a single
prerequisite may become problematic in the long run. In particular,
INET6 depends on INET being already instantiated, due to TCP / UDP
structures residing in INET container. IPSEC also depends on INET,
which will in turn additionally complicate making INET6-only kernel
configs a reality.
The entire registration framework can be compiled out by turning on the
VIMAGE_GLOBALS kernel config option.
Reviewed by: bz
Approved by: julian (mentor)
2009-04-11 05:58:58 +00:00
|
|
|
|
2002-10-16 02:10:08 +00:00
|
|
|
size_t
|
|
|
|
esp_hdrsiz(struct secasvar *sav)
|
|
|
|
{
|
|
|
|
size_t size;
|
|
|
|
|
|
|
|
if (sav != NULL) {
|
|
|
|
/*XXX not right for null algorithm--does it matter??*/
|
2003-09-29 22:57:43 +00:00
|
|
|
IPSEC_ASSERT(sav->tdb_encalgxform != NULL,
|
|
|
|
("SA with null xform"));
|
2002-10-16 02:10:08 +00:00
|
|
|
if (sav->flags & SADB_X_EXT_OLD)
|
|
|
|
size = sizeof (struct esp);
|
|
|
|
else
|
|
|
|
size = sizeof (struct newesp);
|
|
|
|
size += sav->tdb_encalgxform->blocksize + 9;
|
|
|
|
/*XXX need alg check???*/
|
|
|
|
if (sav->tdb_authalgxform != NULL && sav->replay)
|
|
|
|
size += ah_hdrsiz(sav);
|
|
|
|
} else {
|
|
|
|
/*
|
|
|
|
* base header size
|
|
|
|
* + max iv length for CBC mode
|
|
|
|
* + max pad length
|
|
|
|
* + sizeof (pad length field)
|
|
|
|
* + sizeof (next header field)
|
|
|
|
* + max icv supported.
|
|
|
|
*/
|
2011-11-26 23:27:41 +00:00
|
|
|
size = sizeof (struct newesp) + EALG_MAX_BLOCK_LEN + 9 + 16;
|
2002-10-16 02:10:08 +00:00
|
|
|
}
|
|
|
|
return size;
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* esp_init() is called when an SPI is being set up.
|
|
|
|
*/
|
|
|
|
static int
|
|
|
|
esp_init(struct secasvar *sav, struct xformsw *xsp)
|
|
|
|
{
|
2017-02-06 08:49:57 +00:00
|
|
|
const struct enc_xform *txform;
|
2002-10-16 02:10:08 +00:00
|
|
|
struct cryptoini cria, crie;
|
|
|
|
int keylen;
|
|
|
|
int error;
|
|
|
|
|
2017-02-06 08:49:57 +00:00
|
|
|
txform = enc_algorithm_lookup(sav->alg_enc);
|
2002-10-16 02:10:08 +00:00
|
|
|
if (txform == NULL) {
|
2003-09-29 22:57:43 +00:00
|
|
|
DPRINTF(("%s: unsupported encryption algorithm %d\n",
|
|
|
|
__func__, sav->alg_enc));
|
2002-10-16 02:10:08 +00:00
|
|
|
return EINVAL;
|
|
|
|
}
|
|
|
|
if (sav->key_enc == NULL) {
|
2003-09-29 22:57:43 +00:00
|
|
|
DPRINTF(("%s: no encoding key for %s algorithm\n",
|
|
|
|
__func__, txform->name));
|
2002-10-16 02:10:08 +00:00
|
|
|
return EINVAL;
|
|
|
|
}
|
2015-08-04 17:47:11 +00:00
|
|
|
if ((sav->flags & (SADB_X_EXT_OLD | SADB_X_EXT_IV4B)) ==
|
|
|
|
SADB_X_EXT_IV4B) {
|
2003-09-29 22:57:43 +00:00
|
|
|
DPRINTF(("%s: 4-byte IV not supported with protocol\n",
|
|
|
|
__func__));
|
2002-10-16 02:10:08 +00:00
|
|
|
return EINVAL;
|
|
|
|
}
|
2015-08-04 17:47:11 +00:00
|
|
|
/* subtract off the salt, RFC4106, 8.1 and RFC3686, 5.1 */
|
|
|
|
keylen = _KEYLEN(sav->key_enc) - SAV_ISCTRORGCM(sav) * 4;
|
2002-10-16 02:10:08 +00:00
|
|
|
if (txform->minkey > keylen || keylen > txform->maxkey) {
|
2003-09-29 22:57:43 +00:00
|
|
|
DPRINTF(("%s: invalid key length %u, must be in the range "
|
|
|
|
"[%u..%u] for algorithm %s\n", __func__,
|
2002-10-16 02:10:08 +00:00
|
|
|
keylen, txform->minkey, txform->maxkey,
|
|
|
|
txform->name));
|
|
|
|
return EINVAL;
|
|
|
|
}
|
|
|
|
|
2015-08-04 17:47:11 +00:00
|
|
|
if (SAV_ISCTRORGCM(sav))
|
|
|
|
sav->ivlen = 8; /* RFC4106 3.1 and RFC3686 3.1 */
|
|
|
|
else
|
2015-11-16 07:10:42 +00:00
|
|
|
sav->ivlen = txform->ivsize;
|
2002-10-16 02:10:08 +00:00
|
|
|
|
|
|
|
/*
|
|
|
|
* Setup AH-related state.
|
|
|
|
*/
|
|
|
|
if (sav->alg_auth != 0) {
|
|
|
|
error = ah_init0(sav, xsp, &cria);
|
|
|
|
if (error)
|
|
|
|
return error;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* NB: override anything set in ah_init0 */
|
|
|
|
sav->tdb_xform = xsp;
|
|
|
|
sav->tdb_encalgxform = txform;
|
|
|
|
|
2015-07-09 18:16:35 +00:00
|
|
|
/*
|
|
|
|
* Whenever AES-GCM is used for encryption, one
|
|
|
|
* of the AES authentication algorithms is chosen
|
|
|
|
* as well, based on the key size.
|
|
|
|
*/
|
|
|
|
if (sav->alg_enc == SADB_X_EALG_AESGCM16) {
|
|
|
|
switch (keylen) {
|
2015-08-04 17:47:11 +00:00
|
|
|
case AES_128_GMAC_KEY_LEN:
|
2015-07-09 18:16:35 +00:00
|
|
|
sav->alg_auth = SADB_X_AALG_AES128GMAC;
|
|
|
|
sav->tdb_authalgxform = &auth_hash_nist_gmac_aes_128;
|
|
|
|
break;
|
2015-08-04 17:47:11 +00:00
|
|
|
case AES_192_GMAC_KEY_LEN:
|
2015-07-09 18:16:35 +00:00
|
|
|
sav->alg_auth = SADB_X_AALG_AES192GMAC;
|
|
|
|
sav->tdb_authalgxform = &auth_hash_nist_gmac_aes_192;
|
|
|
|
break;
|
2015-08-04 17:47:11 +00:00
|
|
|
case AES_256_GMAC_KEY_LEN:
|
2015-07-09 18:16:35 +00:00
|
|
|
sav->alg_auth = SADB_X_AALG_AES256GMAC;
|
|
|
|
sav->tdb_authalgxform = &auth_hash_nist_gmac_aes_256;
|
|
|
|
break;
|
|
|
|
default:
|
|
|
|
DPRINTF(("%s: invalid key length %u"
|
|
|
|
"for algorithm %s\n", __func__,
|
|
|
|
keylen, txform->name));
|
|
|
|
return EINVAL;
|
|
|
|
}
|
|
|
|
bzero(&cria, sizeof(cria));
|
|
|
|
cria.cri_alg = sav->tdb_authalgxform->type;
|
|
|
|
cria.cri_key = sav->key_enc->key_data;
|
2015-08-04 17:47:11 +00:00
|
|
|
cria.cri_klen = _KEYBITS(sav->key_enc) - SAV_ISGCM(sav) * 32;
|
2015-07-09 18:16:35 +00:00
|
|
|
}
|
|
|
|
|
2002-10-16 02:10:08 +00:00
|
|
|
/* Initialize crypto session. */
|
2015-08-04 17:47:11 +00:00
|
|
|
bzero(&crie, sizeof(crie));
|
2002-10-16 02:10:08 +00:00
|
|
|
crie.cri_alg = sav->tdb_encalgxform->type;
|
2006-03-25 13:38:52 +00:00
|
|
|
crie.cri_key = sav->key_enc->key_data;
|
2015-08-04 17:47:11 +00:00
|
|
|
crie.cri_klen = _KEYBITS(sav->key_enc) - SAV_ISCTRORGCM(sav) * 32;
|
2002-10-16 02:10:08 +00:00
|
|
|
|
|
|
|
if (sav->tdb_authalgxform && sav->tdb_encalgxform) {
|
|
|
|
/* init both auth & enc */
|
|
|
|
crie.cri_next = &cria;
|
|
|
|
error = crypto_newsession(&sav->tdb_cryptoid,
|
Commit step 1 of the vimage project, (network stack)
virtualization work done by Marko Zec (zec@).
This is the first in a series of commits over the course
of the next few weeks.
Mark all uses of global variables to be virtualized
with a V_ prefix.
Use macros to map them back to their global names for
now, so this is a NOP change only.
We hope to have caught at least 85-90% of what is needed
so we do not invalidate a lot of outstanding patches again.
Obtained from: //depot/projects/vimage-commit2/...
Reviewed by: brooks, des, ed, mav, julian,
jamie, kris, rwatson, zec, ...
(various people I forgot, different versions)
md5 (with a bit of help)
Sponsored by: NLnet Foundation, The FreeBSD Foundation
X-MFC after: never
V_Commit_Message_Reviewed_By: more people than the patch
2008-08-17 23:27:27 +00:00
|
|
|
&crie, V_crypto_support);
|
2002-10-16 02:10:08 +00:00
|
|
|
} else if (sav->tdb_encalgxform) {
|
|
|
|
error = crypto_newsession(&sav->tdb_cryptoid,
|
Commit step 1 of the vimage project, (network stack)
virtualization work done by Marko Zec (zec@).
This is the first in a series of commits over the course
of the next few weeks.
Mark all uses of global variables to be virtualized
with a V_ prefix.
Use macros to map them back to their global names for
now, so this is a NOP change only.
We hope to have caught at least 85-90% of what is needed
so we do not invalidate a lot of outstanding patches again.
Obtained from: //depot/projects/vimage-commit2/...
Reviewed by: brooks, des, ed, mav, julian,
jamie, kris, rwatson, zec, ...
(various people I forgot, different versions)
md5 (with a bit of help)
Sponsored by: NLnet Foundation, The FreeBSD Foundation
X-MFC after: never
V_Commit_Message_Reviewed_By: more people than the patch
2008-08-17 23:27:27 +00:00
|
|
|
&crie, V_crypto_support);
|
2002-10-16 02:10:08 +00:00
|
|
|
} else if (sav->tdb_authalgxform) {
|
|
|
|
error = crypto_newsession(&sav->tdb_cryptoid,
|
Commit step 1 of the vimage project, (network stack)
virtualization work done by Marko Zec (zec@).
This is the first in a series of commits over the course
of the next few weeks.
Mark all uses of global variables to be virtualized
with a V_ prefix.
Use macros to map them back to their global names for
now, so this is a NOP change only.
We hope to have caught at least 85-90% of what is needed
so we do not invalidate a lot of outstanding patches again.
Obtained from: //depot/projects/vimage-commit2/...
Reviewed by: brooks, des, ed, mav, julian,
jamie, kris, rwatson, zec, ...
(various people I forgot, different versions)
md5 (with a bit of help)
Sponsored by: NLnet Foundation, The FreeBSD Foundation
X-MFC after: never
V_Commit_Message_Reviewed_By: more people than the patch
2008-08-17 23:27:27 +00:00
|
|
|
&cria, V_crypto_support);
|
2002-10-16 02:10:08 +00:00
|
|
|
} else {
|
|
|
|
/* XXX cannot happen? */
|
2003-09-29 22:57:43 +00:00
|
|
|
DPRINTF(("%s: no encoding OR authentication xform!\n",
|
|
|
|
__func__));
|
2002-10-16 02:10:08 +00:00
|
|
|
error = EINVAL;
|
|
|
|
}
|
|
|
|
return error;
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Paranoia.
|
|
|
|
*/
|
|
|
|
static int
|
|
|
|
esp_zeroize(struct secasvar *sav)
|
|
|
|
{
|
|
|
|
/* NB: ah_zerorize free's the crypto session state */
|
|
|
|
int error = ah_zeroize(sav);
|
|
|
|
|
|
|
|
if (sav->key_enc)
|
2006-03-25 13:38:52 +00:00
|
|
|
bzero(sav->key_enc->key_data, _KEYLEN(sav->key_enc));
|
2002-10-16 02:10:08 +00:00
|
|
|
sav->tdb_encalgxform = NULL;
|
|
|
|
sav->tdb_xform = NULL;
|
|
|
|
return error;
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* ESP input processing, called (eventually) through the protocol switch.
|
|
|
|
*/
|
|
|
|
static int
|
|
|
|
esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
|
|
|
|
{
|
2017-05-29 09:30:38 +00:00
|
|
|
IPSEC_DEBUG_DECLARE(char buf[128]);
|
2017-02-06 08:49:57 +00:00
|
|
|
const struct auth_hash *esph;
|
|
|
|
const struct enc_xform *espx;
|
|
|
|
struct xform_data *xd;
|
2002-10-16 02:10:08 +00:00
|
|
|
struct cryptodesc *crde;
|
|
|
|
struct cryptop *crp;
|
2017-02-06 08:49:57 +00:00
|
|
|
struct newesp *esp;
|
|
|
|
uint8_t *ivp;
|
2018-07-13 23:46:07 +00:00
|
|
|
crypto_session_t cryptoid;
|
2017-05-23 09:01:48 +00:00
|
|
|
int alen, error, hlen, plen;
|
2002-10-16 02:10:08 +00:00
|
|
|
|
2003-09-29 22:57:43 +00:00
|
|
|
IPSEC_ASSERT(sav != NULL, ("null SA"));
|
|
|
|
IPSEC_ASSERT(sav->tdb_encalgxform != NULL, ("null encoding xform"));
|
2009-10-01 15:33:53 +00:00
|
|
|
|
2017-05-23 09:01:48 +00:00
|
|
|
error = EINVAL;
|
2009-10-01 15:33:53 +00:00
|
|
|
/* Valid IP Packet length ? */
|
|
|
|
if ( (skip&3) || (m->m_pkthdr.len&3) ){
|
|
|
|
DPRINTF(("%s: misaligned packet, skip %u pkt len %u",
|
|
|
|
__func__, skip, m->m_pkthdr.len));
|
2013-06-20 11:44:16 +00:00
|
|
|
ESPSTAT_INC(esps_badilen);
|
2017-05-23 09:01:48 +00:00
|
|
|
goto bad;
|
2009-10-01 15:33:53 +00:00
|
|
|
}
|
2002-10-16 02:10:08 +00:00
|
|
|
/* XXX don't pullup, just copy header */
|
|
|
|
IP6_EXTHDR_GET(esp, struct newesp *, m, skip, sizeof (struct newesp));
|
|
|
|
|
|
|
|
esph = sav->tdb_authalgxform;
|
|
|
|
espx = sav->tdb_encalgxform;
|
|
|
|
|
2015-07-29 07:15:16 +00:00
|
|
|
/* Determine the ESP header and auth length */
|
2002-10-16 02:10:08 +00:00
|
|
|
if (sav->flags & SADB_X_EXT_OLD)
|
|
|
|
hlen = sizeof (struct esp) + sav->ivlen;
|
|
|
|
else
|
|
|
|
hlen = sizeof (struct newesp) + sav->ivlen;
|
2015-07-29 07:15:16 +00:00
|
|
|
|
|
|
|
alen = xform_ah_authsize(esph);
|
2002-10-16 02:10:08 +00:00
|
|
|
|
|
|
|
/*
|
|
|
|
* Verify payload length is multiple of encryption algorithm
|
|
|
|
* block size.
|
|
|
|
*
|
|
|
|
* NB: This works for the null algorithm because the blocksize
|
|
|
|
* is 4 and all packets must be 4-byte aligned regardless
|
|
|
|
* of the algorithm.
|
|
|
|
*/
|
|
|
|
plen = m->m_pkthdr.len - (skip + hlen + alen);
|
|
|
|
if ((plen & (espx->blocksize - 1)) || (plen <= 0)) {
|
2015-08-04 17:47:11 +00:00
|
|
|
DPRINTF(("%s: payload of %d octets not a multiple of %d octets,"
|
|
|
|
" SA %s/%08lx\n", __func__, plen, espx->blocksize,
|
|
|
|
ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)),
|
|
|
|
(u_long)ntohl(sav->spi)));
|
|
|
|
ESPSTAT_INC(esps_badilen);
|
2017-05-23 09:01:48 +00:00
|
|
|
goto bad;
|
2002-10-16 02:10:08 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Check sequence number.
|
|
|
|
*/
|
2017-02-06 08:49:57 +00:00
|
|
|
SECASVAR_LOCK(sav);
|
|
|
|
if (esph != NULL && sav->replay != NULL && sav->replay->wsize != 0) {
|
|
|
|
if (ipsec_chkreplay(ntohl(esp->esp_seq), sav) == 0) {
|
|
|
|
SECASVAR_UNLOCK(sav);
|
|
|
|
DPRINTF(("%s: packet replay check for %s\n", __func__,
|
|
|
|
ipsec_sa2str(sav, buf, sizeof(buf))));
|
|
|
|
ESPSTAT_INC(esps_replay);
|
2017-05-23 09:01:48 +00:00
|
|
|
error = EACCES;
|
|
|
|
goto bad;
|
2017-02-06 08:49:57 +00:00
|
|
|
}
|
2002-10-16 02:10:08 +00:00
|
|
|
}
|
2017-02-06 08:49:57 +00:00
|
|
|
cryptoid = sav->tdb_cryptoid;
|
|
|
|
SECASVAR_UNLOCK(sav);
|
2002-10-16 02:10:08 +00:00
|
|
|
|
|
|
|
/* Update the counters */
|
2013-06-20 11:44:16 +00:00
|
|
|
ESPSTAT_ADD(esps_ibytes, m->m_pkthdr.len - (skip + hlen + alen));
|
2002-10-16 02:10:08 +00:00
|
|
|
|
|
|
|
/* Get crypto descriptors */
|
|
|
|
crp = crypto_getreq(esph && espx ? 2 : 1);
|
|
|
|
if (crp == NULL) {
|
2003-09-29 22:57:43 +00:00
|
|
|
DPRINTF(("%s: failed to acquire crypto descriptors\n",
|
|
|
|
__func__));
|
2013-06-20 11:44:16 +00:00
|
|
|
ESPSTAT_INC(esps_crypto);
|
2017-05-23 09:01:48 +00:00
|
|
|
error = ENOBUFS;
|
|
|
|
goto bad;
|
2002-10-16 02:10:08 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
/* Get IPsec-specific opaque pointer */
|
2017-02-06 08:49:57 +00:00
|
|
|
xd = malloc(sizeof(*xd) + alen, M_XDATA, M_NOWAIT | M_ZERO);
|
|
|
|
if (xd == NULL) {
|
|
|
|
DPRINTF(("%s: failed to allocate xform_data\n", __func__));
|
2013-06-20 11:44:16 +00:00
|
|
|
ESPSTAT_INC(esps_crypto);
|
2017-02-06 08:49:57 +00:00
|
|
|
crypto_freereq(crp);
|
2017-05-23 09:01:48 +00:00
|
|
|
error = ENOBUFS;
|
|
|
|
goto bad;
|
2002-10-16 02:10:08 +00:00
|
|
|
}
|
|
|
|
|
2014-12-11 17:07:21 +00:00
|
|
|
if (esph != NULL) {
|
2002-10-16 02:10:08 +00:00
|
|
|
struct cryptodesc *crda = crp->crp_desc;
|
|
|
|
|
2003-09-29 22:57:43 +00:00
|
|
|
IPSEC_ASSERT(crda != NULL, ("null ah crypto descriptor"));
|
2002-10-16 02:10:08 +00:00
|
|
|
|
|
|
|
/* Authentication descriptor */
|
|
|
|
crda->crd_skip = skip;
|
2015-08-04 17:47:11 +00:00
|
|
|
if (SAV_ISGCM(sav))
|
|
|
|
crda->crd_len = 8; /* RFC4106 5, SPI + SN */
|
2015-07-09 18:16:35 +00:00
|
|
|
else
|
|
|
|
crda->crd_len = m->m_pkthdr.len - (skip + alen);
|
2002-10-16 02:10:08 +00:00
|
|
|
crda->crd_inject = m->m_pkthdr.len - alen;
|
|
|
|
|
|
|
|
crda->crd_alg = esph->type;
|
|
|
|
|
|
|
|
/* Copy the authenticator */
|
2014-12-11 17:07:21 +00:00
|
|
|
m_copydata(m, m->m_pkthdr.len - alen, alen,
|
2017-02-06 08:49:57 +00:00
|
|
|
(caddr_t) (xd + 1));
|
2002-10-16 02:10:08 +00:00
|
|
|
|
|
|
|
/* Chain authentication request */
|
|
|
|
crde = crda->crd_next;
|
|
|
|
} else {
|
|
|
|
crde = crp->crp_desc;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Crypto operation descriptor */
|
|
|
|
crp->crp_ilen = m->m_pkthdr.len; /* Total input length */
|
2003-06-30 05:09:32 +00:00
|
|
|
crp->crp_flags = CRYPTO_F_IMBUF | CRYPTO_F_CBIFSYNC;
|
2017-11-03 10:27:22 +00:00
|
|
|
if (V_async_crypto)
|
|
|
|
crp->crp_flags |= CRYPTO_F_ASYNC | CRYPTO_F_ASYNC_KEEPORDER;
|
2002-10-16 02:10:08 +00:00
|
|
|
crp->crp_buf = (caddr_t) m;
|
|
|
|
crp->crp_callback = esp_input_cb;
|
2018-07-18 00:56:25 +00:00
|
|
|
crp->crp_session = cryptoid;
|
2017-02-06 08:49:57 +00:00
|
|
|
crp->crp_opaque = (caddr_t) xd;
|
2002-10-16 02:10:08 +00:00
|
|
|
|
|
|
|
/* These are passed as-is to the callback */
|
2017-02-06 08:49:57 +00:00
|
|
|
xd->sav = sav;
|
|
|
|
xd->protoff = protoff;
|
|
|
|
xd->skip = skip;
|
|
|
|
xd->cryptoid = cryptoid;
|
2018-03-20 17:05:23 +00:00
|
|
|
xd->vnet = curvnet;
|
2002-10-16 02:10:08 +00:00
|
|
|
|
|
|
|
/* Decryption descriptor */
|
2014-12-11 17:07:21 +00:00
|
|
|
IPSEC_ASSERT(crde != NULL, ("null esp crypto descriptor"));
|
|
|
|
crde->crd_skip = skip + hlen;
|
|
|
|
crde->crd_len = m->m_pkthdr.len - (skip + hlen + alen);
|
|
|
|
crde->crd_inject = skip + hlen - sav->ivlen;
|
|
|
|
|
2015-08-04 17:47:11 +00:00
|
|
|
if (SAV_ISCTRORGCM(sav)) {
|
|
|
|
ivp = &crde->crd_iv[0];
|
|
|
|
|
|
|
|
/* GCM IV Format: RFC4106 4 */
|
|
|
|
/* CTR IV Format: RFC3686 4 */
|
|
|
|
/* Salt is last four bytes of key, RFC4106 8.1 */
|
|
|
|
/* Nonce is last four bytes of key, RFC3686 5.1 */
|
|
|
|
memcpy(ivp, sav->key_enc->key_data +
|
|
|
|
_KEYLEN(sav->key_enc) - 4, 4);
|
|
|
|
|
|
|
|
if (SAV_ISCTR(sav)) {
|
|
|
|
/* Initial block counter is 1, RFC3686 4 */
|
|
|
|
be32enc(&ivp[sav->ivlen + 4], 1);
|
|
|
|
}
|
|
|
|
|
|
|
|
m_copydata(m, skip + hlen - sav->ivlen, sav->ivlen, &ivp[4]);
|
2015-07-09 18:16:35 +00:00
|
|
|
crde->crd_flags |= CRD_F_IV_EXPLICIT;
|
2015-08-04 17:47:11 +00:00
|
|
|
}
|
2015-07-09 18:16:35 +00:00
|
|
|
|
2015-08-04 17:47:11 +00:00
|
|
|
crde->crd_alg = espx->type;
|
2002-10-16 02:10:08 +00:00
|
|
|
|
2014-12-11 17:07:21 +00:00
|
|
|
return (crypto_dispatch(crp));
|
2017-05-23 09:01:48 +00:00
|
|
|
bad:
|
|
|
|
m_freem(m);
|
|
|
|
key_freesav(&sav);
|
|
|
|
return (error);
|
2002-10-16 02:10:08 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* ESP input callback from the crypto driver.
|
|
|
|
*/
|
|
|
|
static int
|
|
|
|
esp_input_cb(struct cryptop *crp)
|
|
|
|
{
|
2017-05-29 09:30:38 +00:00
|
|
|
IPSEC_DEBUG_DECLARE(char buf[128]);
|
2011-02-18 09:40:13 +00:00
|
|
|
u_int8_t lastthree[3], aalg[AH_HMAC_MAXHASHLEN];
|
2017-02-06 08:49:57 +00:00
|
|
|
const struct auth_hash *esph;
|
2002-10-16 02:10:08 +00:00
|
|
|
struct mbuf *m;
|
|
|
|
struct cryptodesc *crd;
|
2017-02-06 08:49:57 +00:00
|
|
|
struct xform_data *xd;
|
2002-10-16 02:10:08 +00:00
|
|
|
struct secasvar *sav;
|
|
|
|
struct secasindex *saidx;
|
|
|
|
caddr_t ptr;
|
2018-07-13 23:46:07 +00:00
|
|
|
crypto_session_t cryptoid;
|
2017-02-06 08:49:57 +00:00
|
|
|
int hlen, skip, protoff, error, alen;
|
2002-10-16 02:10:08 +00:00
|
|
|
|
|
|
|
crd = crp->crp_desc;
|
2003-09-29 22:57:43 +00:00
|
|
|
IPSEC_ASSERT(crd != NULL, ("null crypto descriptor!"));
|
2002-10-16 02:10:08 +00:00
|
|
|
|
|
|
|
m = (struct mbuf *) crp->crp_buf;
|
2017-02-06 08:49:57 +00:00
|
|
|
xd = (struct xform_data *) crp->crp_opaque;
|
2018-03-20 17:05:23 +00:00
|
|
|
CURVNET_SET(xd->vnet);
|
2017-02-06 08:49:57 +00:00
|
|
|
sav = xd->sav;
|
|
|
|
skip = xd->skip;
|
|
|
|
protoff = xd->protoff;
|
|
|
|
cryptoid = xd->cryptoid;
|
2002-10-16 02:10:08 +00:00
|
|
|
saidx = &sav->sah->saidx;
|
|
|
|
esph = sav->tdb_authalgxform;
|
|
|
|
|
|
|
|
/* Check for crypto errors */
|
|
|
|
if (crp->crp_etype) {
|
2017-02-06 08:49:57 +00:00
|
|
|
if (crp->crp_etype == EAGAIN) {
|
|
|
|
/* Reset the session ID */
|
2018-07-18 00:56:25 +00:00
|
|
|
if (ipsec_updateid(sav, &crp->crp_session, &cryptoid) != 0)
|
2017-02-06 08:49:57 +00:00
|
|
|
crypto_freesession(cryptoid);
|
2018-07-18 00:56:25 +00:00
|
|
|
xd->cryptoid = crp->crp_session;
|
2018-03-20 17:05:23 +00:00
|
|
|
CURVNET_RESTORE();
|
2011-11-26 23:13:30 +00:00
|
|
|
return (crypto_dispatch(crp));
|
2017-02-06 08:49:57 +00:00
|
|
|
}
|
2013-06-20 11:44:16 +00:00
|
|
|
ESPSTAT_INC(esps_noxform);
|
2003-09-29 22:57:43 +00:00
|
|
|
DPRINTF(("%s: crypto error %d\n", __func__, crp->crp_etype));
|
2002-10-16 02:10:08 +00:00
|
|
|
error = crp->crp_etype;
|
|
|
|
goto bad;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Shouldn't happen... */
|
|
|
|
if (m == NULL) {
|
2013-06-20 11:44:16 +00:00
|
|
|
ESPSTAT_INC(esps_crypto);
|
2003-09-29 22:57:43 +00:00
|
|
|
DPRINTF(("%s: bogus returned buffer from crypto\n", __func__));
|
2002-10-16 02:10:08 +00:00
|
|
|
error = EINVAL;
|
|
|
|
goto bad;
|
|
|
|
}
|
2013-06-20 11:44:16 +00:00
|
|
|
ESPSTAT_INC(esps_hist[sav->alg_enc]);
|
2002-10-16 02:10:08 +00:00
|
|
|
|
|
|
|
/* If authentication was performed, check now. */
|
|
|
|
if (esph != NULL) {
|
2015-07-29 07:15:16 +00:00
|
|
|
alen = xform_ah_authsize(esph);
|
2013-06-20 11:44:16 +00:00
|
|
|
AHSTAT_INC(ahs_hist[sav->alg_auth]);
|
2014-12-11 17:07:21 +00:00
|
|
|
/* Copy the authenticator from the packet */
|
|
|
|
m_copydata(m, m->m_pkthdr.len - alen, alen, aalg);
|
2017-02-06 08:49:57 +00:00
|
|
|
ptr = (caddr_t) (xd + 1);
|
2014-12-11 17:07:21 +00:00
|
|
|
|
|
|
|
/* Verify authenticator */
|
2015-07-31 00:31:52 +00:00
|
|
|
if (timingsafe_bcmp(ptr, aalg, alen) != 0) {
|
2014-12-11 17:07:21 +00:00
|
|
|
DPRINTF(("%s: authentication hash mismatch for "
|
|
|
|
"packet in SA %s/%08lx\n", __func__,
|
2015-04-18 16:58:33 +00:00
|
|
|
ipsec_address(&saidx->dst, buf, sizeof(buf)),
|
2014-12-11 17:07:21 +00:00
|
|
|
(u_long) ntohl(sav->spi)));
|
|
|
|
ESPSTAT_INC(esps_badauth);
|
|
|
|
error = EACCES;
|
|
|
|
goto bad;
|
2002-10-16 02:10:08 +00:00
|
|
|
}
|
2017-02-06 08:49:57 +00:00
|
|
|
m->m_flags |= M_AUTHIPDGM;
|
2002-10-16 02:10:08 +00:00
|
|
|
/* Remove trailing authenticator */
|
2011-02-18 09:40:13 +00:00
|
|
|
m_adj(m, -alen);
|
2002-10-16 02:10:08 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
/* Release the crypto descriptors */
|
2017-02-06 08:49:57 +00:00
|
|
|
free(xd, M_XDATA), xd = NULL;
|
2002-10-16 02:10:08 +00:00
|
|
|
crypto_freereq(crp), crp = NULL;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Packet is now decrypted.
|
|
|
|
*/
|
|
|
|
m->m_flags |= M_DECRYPTED;
|
|
|
|
|
2006-03-22 16:00:42 +00:00
|
|
|
/*
|
|
|
|
* Update replay sequence number, if appropriate.
|
|
|
|
*/
|
|
|
|
if (sav->replay) {
|
|
|
|
u_int32_t seq;
|
|
|
|
|
|
|
|
m_copydata(m, skip + offsetof(struct newesp, esp_seq),
|
|
|
|
sizeof (seq), (caddr_t) &seq);
|
2017-02-06 08:49:57 +00:00
|
|
|
SECASVAR_LOCK(sav);
|
2006-03-22 16:00:42 +00:00
|
|
|
if (ipsec_updatereplay(ntohl(seq), sav)) {
|
2017-02-06 08:49:57 +00:00
|
|
|
SECASVAR_UNLOCK(sav);
|
2006-03-22 16:00:42 +00:00
|
|
|
DPRINTF(("%s: packet replay check for %s\n", __func__,
|
2017-02-06 08:49:57 +00:00
|
|
|
ipsec_sa2str(sav, buf, sizeof(buf))));
|
2013-06-20 11:44:16 +00:00
|
|
|
ESPSTAT_INC(esps_replay);
|
2017-02-06 08:49:57 +00:00
|
|
|
error = EACCES;
|
2006-03-22 16:00:42 +00:00
|
|
|
goto bad;
|
|
|
|
}
|
2017-02-06 08:49:57 +00:00
|
|
|
SECASVAR_UNLOCK(sav);
|
2006-03-22 16:00:42 +00:00
|
|
|
}
|
|
|
|
|
2002-10-16 02:10:08 +00:00
|
|
|
/* Determine the ESP header length */
|
|
|
|
if (sav->flags & SADB_X_EXT_OLD)
|
|
|
|
hlen = sizeof (struct esp) + sav->ivlen;
|
|
|
|
else
|
|
|
|
hlen = sizeof (struct newesp) + sav->ivlen;
|
|
|
|
|
|
|
|
/* Remove the ESP header and IV from the mbuf. */
|
|
|
|
error = m_striphdr(m, skip, hlen);
|
|
|
|
if (error) {
|
2013-06-20 11:44:16 +00:00
|
|
|
ESPSTAT_INC(esps_hdrops);
|
2003-09-29 22:57:43 +00:00
|
|
|
DPRINTF(("%s: bad mbuf chain, SA %s/%08lx\n", __func__,
|
2015-04-18 16:58:33 +00:00
|
|
|
ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)),
|
2002-10-16 02:10:08 +00:00
|
|
|
(u_long) ntohl(sav->spi)));
|
|
|
|
goto bad;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Save the last three bytes of decrypted data */
|
|
|
|
m_copydata(m, m->m_pkthdr.len - 3, 3, lastthree);
|
|
|
|
|
|
|
|
/* Verify pad length */
|
|
|
|
if (lastthree[1] + 2 > m->m_pkthdr.len - skip) {
|
2013-06-20 11:44:16 +00:00
|
|
|
ESPSTAT_INC(esps_badilen);
|
2003-09-29 22:57:43 +00:00
|
|
|
DPRINTF(("%s: invalid padding length %d for %u byte packet "
|
2015-04-18 16:58:33 +00:00
|
|
|
"in SA %s/%08lx\n", __func__, lastthree[1],
|
|
|
|
m->m_pkthdr.len - skip,
|
|
|
|
ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)),
|
|
|
|
(u_long) ntohl(sav->spi)));
|
2002-10-16 02:10:08 +00:00
|
|
|
error = EINVAL;
|
|
|
|
goto bad;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Verify correct decryption by checking the last padding bytes */
|
|
|
|
if ((sav->flags & SADB_X_EXT_PMASK) != SADB_X_EXT_PRAND) {
|
|
|
|
if (lastthree[1] != lastthree[0] && lastthree[1] != 0) {
|
2013-06-20 11:44:16 +00:00
|
|
|
ESPSTAT_INC(esps_badenc);
|
2003-09-29 22:57:43 +00:00
|
|
|
DPRINTF(("%s: decryption failed for packet in "
|
2015-04-18 16:58:33 +00:00
|
|
|
"SA %s/%08lx\n", __func__, ipsec_address(
|
|
|
|
&sav->sah->saidx.dst, buf, sizeof(buf)),
|
|
|
|
(u_long) ntohl(sav->spi)));
|
2002-10-16 02:10:08 +00:00
|
|
|
error = EINVAL;
|
|
|
|
goto bad;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Trim the mbuf chain to remove trailing authenticator and padding */
|
|
|
|
m_adj(m, -(lastthree[1] + 2));
|
|
|
|
|
|
|
|
/* Restore the Next Protocol field */
|
|
|
|
m_copyback(m, protoff, sizeof (u_int8_t), lastthree + 2);
|
|
|
|
|
2011-04-27 19:28:42 +00:00
|
|
|
switch (saidx->dst.sa.sa_family) {
|
|
|
|
#ifdef INET6
|
|
|
|
case AF_INET6:
|
2014-12-11 17:14:49 +00:00
|
|
|
error = ipsec6_common_input_cb(m, sav, skip, protoff);
|
2011-04-27 19:28:42 +00:00
|
|
|
break;
|
|
|
|
#endif
|
|
|
|
#ifdef INET
|
|
|
|
case AF_INET:
|
2014-12-11 17:14:49 +00:00
|
|
|
error = ipsec4_common_input_cb(m, sav, skip, protoff);
|
2011-04-27 19:28:42 +00:00
|
|
|
break;
|
|
|
|
#endif
|
|
|
|
default:
|
|
|
|
panic("%s: Unexpected address family: %d saidx=%p", __func__,
|
|
|
|
saidx->dst.sa.sa_family, saidx);
|
|
|
|
}
|
2018-03-20 17:05:23 +00:00
|
|
|
CURVNET_RESTORE();
|
2002-10-16 02:10:08 +00:00
|
|
|
return error;
|
|
|
|
bad:
|
2018-03-20 17:05:23 +00:00
|
|
|
CURVNET_RESTORE();
|
2017-02-06 08:49:57 +00:00
|
|
|
if (sav != NULL)
|
|
|
|
key_freesav(&sav);
|
2002-10-16 02:10:08 +00:00
|
|
|
if (m != NULL)
|
|
|
|
m_freem(m);
|
2017-02-06 08:49:57 +00:00
|
|
|
if (xd != NULL)
|
|
|
|
free(xd, M_XDATA);
|
2002-10-16 02:10:08 +00:00
|
|
|
if (crp != NULL)
|
|
|
|
crypto_freereq(crp);
|
|
|
|
return error;
|
|
|
|
}
|
|
|
|
/*
|
2017-02-06 08:49:57 +00:00
|
|
|
* ESP output routine, called by ipsec[46]_perform_request().
|
2002-10-16 02:10:08 +00:00
|
|
|
*/
|
|
|
|
static int
|
2017-02-06 08:49:57 +00:00
|
|
|
esp_output(struct mbuf *m, struct secpolicy *sp, struct secasvar *sav,
|
|
|
|
u_int idx, int skip, int protoff)
|
2002-10-16 02:10:08 +00:00
|
|
|
{
|
2017-05-29 09:30:38 +00:00
|
|
|
IPSEC_DEBUG_DECLARE(char buf[IPSEC_ADDRSTRLEN]);
|
2017-02-06 08:49:57 +00:00
|
|
|
struct cryptodesc *crde = NULL, *crda = NULL;
|
|
|
|
struct cryptop *crp;
|
|
|
|
const struct auth_hash *esph;
|
|
|
|
const struct enc_xform *espx;
|
|
|
|
struct mbuf *mo = NULL;
|
|
|
|
struct xform_data *xd;
|
2002-10-16 02:10:08 +00:00
|
|
|
struct secasindex *saidx;
|
|
|
|
unsigned char *pad;
|
2017-02-06 08:49:57 +00:00
|
|
|
uint8_t *ivp;
|
2018-07-13 23:46:07 +00:00
|
|
|
uint64_t cntr;
|
|
|
|
crypto_session_t cryptoid;
|
2017-02-06 08:49:57 +00:00
|
|
|
int hlen, rlen, padding, blks, alen, i, roff;
|
2002-10-16 02:10:08 +00:00
|
|
|
int error, maxpacketsize;
|
2017-02-06 08:49:57 +00:00
|
|
|
uint8_t prot;
|
2002-10-16 02:10:08 +00:00
|
|
|
|
2003-09-29 22:57:43 +00:00
|
|
|
IPSEC_ASSERT(sav != NULL, ("null SA"));
|
2002-10-16 02:10:08 +00:00
|
|
|
esph = sav->tdb_authalgxform;
|
|
|
|
espx = sav->tdb_encalgxform;
|
2003-09-29 22:57:43 +00:00
|
|
|
IPSEC_ASSERT(espx != NULL, ("null encoding xform"));
|
2002-10-16 02:10:08 +00:00
|
|
|
|
|
|
|
if (sav->flags & SADB_X_EXT_OLD)
|
|
|
|
hlen = sizeof (struct esp) + sav->ivlen;
|
|
|
|
else
|
|
|
|
hlen = sizeof (struct newesp) + sav->ivlen;
|
|
|
|
|
|
|
|
rlen = m->m_pkthdr.len - skip; /* Raw payload length. */
|
|
|
|
/*
|
2015-08-04 17:47:11 +00:00
|
|
|
* RFC4303 2.4 Requires 4 byte alignment.
|
2002-10-16 02:10:08 +00:00
|
|
|
*/
|
2015-08-04 17:47:11 +00:00
|
|
|
blks = MAX(4, espx->blocksize); /* Cipher blocksize */
|
2002-10-16 02:10:08 +00:00
|
|
|
|
|
|
|
/* XXX clamp padding length a la KAME??? */
|
|
|
|
padding = ((blks - ((rlen + 2) % blks)) % blks) + 2;
|
|
|
|
|
2015-07-29 07:15:16 +00:00
|
|
|
alen = xform_ah_authsize(esph);
|
2002-10-16 02:10:08 +00:00
|
|
|
|
2013-06-20 11:44:16 +00:00
|
|
|
ESPSTAT_INC(esps_output);
|
2002-10-16 02:10:08 +00:00
|
|
|
|
|
|
|
saidx = &sav->sah->saidx;
|
|
|
|
/* Check for maximum packet size violations. */
|
|
|
|
switch (saidx->dst.sa.sa_family) {
|
|
|
|
#ifdef INET
|
|
|
|
case AF_INET:
|
|
|
|
maxpacketsize = IP_MAXPACKET;
|
|
|
|
break;
|
|
|
|
#endif /* INET */
|
|
|
|
#ifdef INET6
|
|
|
|
case AF_INET6:
|
|
|
|
maxpacketsize = IPV6_MAXPACKET;
|
|
|
|
break;
|
|
|
|
#endif /* INET6 */
|
|
|
|
default:
|
2003-09-29 22:57:43 +00:00
|
|
|
DPRINTF(("%s: unknown/unsupported protocol "
|
|
|
|
"family %d, SA %s/%08lx\n", __func__,
|
2015-04-18 16:58:33 +00:00
|
|
|
saidx->dst.sa.sa_family, ipsec_address(&saidx->dst,
|
|
|
|
buf, sizeof(buf)), (u_long) ntohl(sav->spi)));
|
2013-06-20 11:44:16 +00:00
|
|
|
ESPSTAT_INC(esps_nopf);
|
2002-10-16 02:10:08 +00:00
|
|
|
error = EPFNOSUPPORT;
|
|
|
|
goto bad;
|
|
|
|
}
|
2017-02-06 08:49:57 +00:00
|
|
|
/*
|
2015-07-09 18:16:35 +00:00
|
|
|
DPRINTF(("%s: skip %d hlen %d rlen %d padding %d alen %d blksd %d\n",
|
2017-02-06 08:49:57 +00:00
|
|
|
__func__, skip, hlen, rlen, padding, alen, blks)); */
|
2002-10-16 02:10:08 +00:00
|
|
|
if (skip + hlen + rlen + padding + alen > maxpacketsize) {
|
2003-09-29 22:57:43 +00:00
|
|
|
DPRINTF(("%s: packet in SA %s/%08lx got too big "
|
|
|
|
"(len %u, max len %u)\n", __func__,
|
2015-04-18 16:58:33 +00:00
|
|
|
ipsec_address(&saidx->dst, buf, sizeof(buf)),
|
|
|
|
(u_long) ntohl(sav->spi),
|
2002-10-16 02:10:08 +00:00
|
|
|
skip + hlen + rlen + padding + alen, maxpacketsize));
|
2013-06-20 11:44:16 +00:00
|
|
|
ESPSTAT_INC(esps_toobig);
|
2002-10-16 02:10:08 +00:00
|
|
|
error = EMSGSIZE;
|
|
|
|
goto bad;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Update the counters. */
|
2013-06-20 11:44:16 +00:00
|
|
|
ESPSTAT_ADD(esps_obytes, m->m_pkthdr.len - skip);
|
2002-10-16 02:10:08 +00:00
|
|
|
|
2006-03-15 21:11:11 +00:00
|
|
|
m = m_unshare(m, M_NOWAIT);
|
2002-10-16 02:10:08 +00:00
|
|
|
if (m == NULL) {
|
2003-09-29 22:57:43 +00:00
|
|
|
DPRINTF(("%s: cannot clone mbuf chain, SA %s/%08lx\n", __func__,
|
2015-04-18 16:58:33 +00:00
|
|
|
ipsec_address(&saidx->dst, buf, sizeof(buf)),
|
|
|
|
(u_long) ntohl(sav->spi)));
|
2013-06-20 11:44:16 +00:00
|
|
|
ESPSTAT_INC(esps_hdrops);
|
2002-10-16 02:10:08 +00:00
|
|
|
error = ENOBUFS;
|
|
|
|
goto bad;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Inject ESP header. */
|
|
|
|
mo = m_makespace(m, skip, hlen, &roff);
|
|
|
|
if (mo == NULL) {
|
2003-09-29 22:57:43 +00:00
|
|
|
DPRINTF(("%s: %u byte ESP hdr inject failed for SA %s/%08lx\n",
|
2015-04-18 16:58:33 +00:00
|
|
|
__func__, hlen, ipsec_address(&saidx->dst, buf,
|
|
|
|
sizeof(buf)), (u_long) ntohl(sav->spi)));
|
2017-02-06 08:49:57 +00:00
|
|
|
ESPSTAT_INC(esps_hdrops); /* XXX diffs from openbsd */
|
2002-10-16 02:10:08 +00:00
|
|
|
error = ENOBUFS;
|
|
|
|
goto bad;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Initialize ESP header. */
|
2017-02-06 08:49:57 +00:00
|
|
|
bcopy((caddr_t) &sav->spi, mtod(mo, caddr_t) + roff,
|
|
|
|
sizeof(uint32_t));
|
|
|
|
SECASVAR_LOCK(sav);
|
2002-10-16 02:10:08 +00:00
|
|
|
if (sav->replay) {
|
2017-02-06 08:49:57 +00:00
|
|
|
uint32_t replay;
|
2006-04-09 19:11:45 +00:00
|
|
|
|
2006-04-10 15:04:36 +00:00
|
|
|
#ifdef REGRESSION
|
2006-04-09 19:11:45 +00:00
|
|
|
/* Emulate replay attack when ipsec_replay is TRUE. */
|
Commit step 1 of the vimage project, (network stack)
virtualization work done by Marko Zec (zec@).
This is the first in a series of commits over the course
of the next few weeks.
Mark all uses of global variables to be virtualized
with a V_ prefix.
Use macros to map them back to their global names for
now, so this is a NOP change only.
We hope to have caught at least 85-90% of what is needed
so we do not invalidate a lot of outstanding patches again.
Obtained from: //depot/projects/vimage-commit2/...
Reviewed by: brooks, des, ed, mav, julian,
jamie, kris, rwatson, zec, ...
(various people I forgot, different versions)
md5 (with a bit of help)
Sponsored by: NLnet Foundation, The FreeBSD Foundation
X-MFC after: never
V_Commit_Message_Reviewed_By: more people than the patch
2008-08-17 23:27:27 +00:00
|
|
|
if (!V_ipsec_replay)
|
2006-04-10 15:04:36 +00:00
|
|
|
#endif
|
2006-04-09 19:11:45 +00:00
|
|
|
sav->replay->count++;
|
|
|
|
replay = htonl(sav->replay->count);
|
2017-02-06 08:49:57 +00:00
|
|
|
|
|
|
|
bcopy((caddr_t) &replay, mtod(mo, caddr_t) + roff +
|
|
|
|
sizeof(uint32_t), sizeof(uint32_t));
|
2002-10-16 02:10:08 +00:00
|
|
|
}
|
2017-02-06 08:49:57 +00:00
|
|
|
cryptoid = sav->tdb_cryptoid;
|
|
|
|
if (SAV_ISCTRORGCM(sav))
|
|
|
|
cntr = sav->cntr++;
|
|
|
|
SECASVAR_UNLOCK(sav);
|
2002-10-16 02:10:08 +00:00
|
|
|
|
|
|
|
/*
|
|
|
|
* Add padding -- better to do it ourselves than use the crypto engine,
|
|
|
|
* although if/when we support compression, we'd have to do that.
|
|
|
|
*/
|
|
|
|
pad = (u_char *) m_pad(m, padding + alen);
|
|
|
|
if (pad == NULL) {
|
2003-09-29 22:57:43 +00:00
|
|
|
DPRINTF(("%s: m_pad failed for SA %s/%08lx\n", __func__,
|
2015-04-18 16:58:33 +00:00
|
|
|
ipsec_address(&saidx->dst, buf, sizeof(buf)),
|
|
|
|
(u_long) ntohl(sav->spi)));
|
2002-10-16 02:10:08 +00:00
|
|
|
m = NULL; /* NB: free'd by m_pad */
|
|
|
|
error = ENOBUFS;
|
|
|
|
goto bad;
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Add padding: random, zero, or self-describing.
|
|
|
|
* XXX catch unexpected setting
|
|
|
|
*/
|
|
|
|
switch (sav->flags & SADB_X_EXT_PMASK) {
|
|
|
|
case SADB_X_EXT_PRAND:
|
|
|
|
(void) read_random(pad, padding - 2);
|
|
|
|
break;
|
|
|
|
case SADB_X_EXT_PZERO:
|
|
|
|
bzero(pad, padding - 2);
|
|
|
|
break;
|
|
|
|
case SADB_X_EXT_PSEQ:
|
|
|
|
for (i = 0; i < padding - 2; i++)
|
|
|
|
pad[i] = i+1;
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Fix padding length and Next Protocol in padding itself. */
|
|
|
|
pad[padding - 2] = padding - 2;
|
|
|
|
m_copydata(m, protoff, sizeof(u_int8_t), pad + padding - 1);
|
|
|
|
|
|
|
|
/* Fix Next Protocol in IPv4/IPv6 header. */
|
|
|
|
prot = IPPROTO_ESP;
|
|
|
|
m_copyback(m, protoff, sizeof(u_int8_t), (u_char *) &prot);
|
|
|
|
|
|
|
|
/* Get crypto descriptors. */
|
2015-08-04 17:47:11 +00:00
|
|
|
crp = crypto_getreq(esph != NULL ? 2 : 1);
|
2002-10-16 02:10:08 +00:00
|
|
|
if (crp == NULL) {
|
2003-09-29 22:57:43 +00:00
|
|
|
DPRINTF(("%s: failed to acquire crypto descriptors\n",
|
|
|
|
__func__));
|
2013-06-20 11:44:16 +00:00
|
|
|
ESPSTAT_INC(esps_crypto);
|
2002-10-16 02:10:08 +00:00
|
|
|
error = ENOBUFS;
|
|
|
|
goto bad;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* IPsec-specific opaque crypto info. */
|
2017-02-06 08:49:57 +00:00
|
|
|
xd = malloc(sizeof(struct xform_data), M_XDATA, M_NOWAIT | M_ZERO);
|
|
|
|
if (xd == NULL) {
|
2002-10-16 02:10:08 +00:00
|
|
|
crypto_freereq(crp);
|
2017-02-06 08:49:57 +00:00
|
|
|
DPRINTF(("%s: failed to allocate xform_data\n", __func__));
|
2013-06-20 11:44:16 +00:00
|
|
|
ESPSTAT_INC(esps_crypto);
|
2002-10-16 02:10:08 +00:00
|
|
|
error = ENOBUFS;
|
|
|
|
goto bad;
|
|
|
|
}
|
|
|
|
|
2015-08-04 17:47:11 +00:00
|
|
|
crde = crp->crp_desc;
|
|
|
|
crda = crde->crd_next;
|
|
|
|
|
|
|
|
/* Encryption descriptor. */
|
|
|
|
crde->crd_skip = skip + hlen;
|
|
|
|
crde->crd_len = m->m_pkthdr.len - (skip + hlen + alen);
|
|
|
|
crde->crd_flags = CRD_F_ENCRYPT;
|
|
|
|
crde->crd_inject = skip + hlen - sav->ivlen;
|
|
|
|
|
|
|
|
/* Encryption operation. */
|
|
|
|
crde->crd_alg = espx->type;
|
|
|
|
if (SAV_ISCTRORGCM(sav)) {
|
|
|
|
ivp = &crde->crd_iv[0];
|
|
|
|
|
|
|
|
/* GCM IV Format: RFC4106 4 */
|
|
|
|
/* CTR IV Format: RFC3686 4 */
|
|
|
|
/* Salt is last four bytes of key, RFC4106 8.1 */
|
|
|
|
/* Nonce is last four bytes of key, RFC3686 5.1 */
|
|
|
|
memcpy(ivp, sav->key_enc->key_data +
|
|
|
|
_KEYLEN(sav->key_enc) - 4, 4);
|
|
|
|
be64enc(&ivp[4], cntr);
|
|
|
|
if (SAV_ISCTR(sav)) {
|
|
|
|
/* Initial block counter is 1, RFC3686 4 */
|
2017-02-06 08:49:57 +00:00
|
|
|
/* XXXAE: should we use this only for first packet? */
|
2015-08-04 17:47:11 +00:00
|
|
|
be32enc(&ivp[sav->ivlen + 4], 1);
|
|
|
|
}
|
|
|
|
|
|
|
|
m_copyback(m, skip + hlen - sav->ivlen, sav->ivlen, &ivp[4]);
|
|
|
|
crde->crd_flags |= CRD_F_IV_EXPLICIT|CRD_F_IV_PRESENT;
|
|
|
|
}
|
|
|
|
|
2002-10-16 02:10:08 +00:00
|
|
|
/* Callback parameters */
|
2017-02-06 08:49:57 +00:00
|
|
|
xd->sp = sp;
|
|
|
|
xd->sav = sav;
|
|
|
|
xd->idx = idx;
|
|
|
|
xd->cryptoid = cryptoid;
|
2018-03-20 17:05:23 +00:00
|
|
|
xd->vnet = curvnet;
|
2002-10-16 02:10:08 +00:00
|
|
|
|
|
|
|
/* Crypto operation descriptor. */
|
|
|
|
crp->crp_ilen = m->m_pkthdr.len; /* Total input length. */
|
2003-06-30 05:09:32 +00:00
|
|
|
crp->crp_flags = CRYPTO_F_IMBUF | CRYPTO_F_CBIFSYNC;
|
2017-11-03 10:27:22 +00:00
|
|
|
if (V_async_crypto)
|
|
|
|
crp->crp_flags |= CRYPTO_F_ASYNC | CRYPTO_F_ASYNC_KEEPORDER;
|
2002-10-16 02:10:08 +00:00
|
|
|
crp->crp_buf = (caddr_t) m;
|
|
|
|
crp->crp_callback = esp_output_cb;
|
2017-02-06 08:49:57 +00:00
|
|
|
crp->crp_opaque = (caddr_t) xd;
|
2018-07-18 00:56:25 +00:00
|
|
|
crp->crp_session = cryptoid;
|
2002-10-16 02:10:08 +00:00
|
|
|
|
|
|
|
if (esph) {
|
|
|
|
/* Authentication descriptor. */
|
2015-08-04 17:47:11 +00:00
|
|
|
crda->crd_alg = esph->type;
|
2002-10-16 02:10:08 +00:00
|
|
|
crda->crd_skip = skip;
|
2015-08-04 17:47:11 +00:00
|
|
|
if (SAV_ISGCM(sav))
|
|
|
|
crda->crd_len = 8; /* RFC4106 5, SPI + SN */
|
2015-07-09 18:16:35 +00:00
|
|
|
else
|
|
|
|
crda->crd_len = m->m_pkthdr.len - (skip + alen);
|
2002-10-16 02:10:08 +00:00
|
|
|
crda->crd_inject = m->m_pkthdr.len - alen;
|
|
|
|
}
|
|
|
|
|
|
|
|
return crypto_dispatch(crp);
|
|
|
|
bad:
|
|
|
|
if (m)
|
|
|
|
m_freem(m);
|
2017-05-23 09:32:26 +00:00
|
|
|
key_freesav(&sav);
|
|
|
|
key_freesp(&sp);
|
2002-10-16 02:10:08 +00:00
|
|
|
return (error);
|
|
|
|
}
|
|
|
|
/*
|
|
|
|
* ESP output callback from the crypto driver.
|
|
|
|
*/
|
|
|
|
static int
|
|
|
|
esp_output_cb(struct cryptop *crp)
|
|
|
|
{
|
2017-02-06 08:49:57 +00:00
|
|
|
struct xform_data *xd;
|
|
|
|
struct secpolicy *sp;
|
2002-10-16 02:10:08 +00:00
|
|
|
struct secasvar *sav;
|
|
|
|
struct mbuf *m;
|
2018-07-13 23:46:07 +00:00
|
|
|
crypto_session_t cryptoid;
|
2017-02-06 08:49:57 +00:00
|
|
|
u_int idx;
|
2011-11-26 23:15:28 +00:00
|
|
|
int error;
|
2002-10-16 02:10:08 +00:00
|
|
|
|
2017-02-06 08:49:57 +00:00
|
|
|
xd = (struct xform_data *) crp->crp_opaque;
|
2018-03-20 17:05:23 +00:00
|
|
|
CURVNET_SET(xd->vnet);
|
2002-10-16 02:10:08 +00:00
|
|
|
m = (struct mbuf *) crp->crp_buf;
|
2017-02-06 08:49:57 +00:00
|
|
|
sp = xd->sp;
|
|
|
|
sav = xd->sav;
|
|
|
|
idx = xd->idx;
|
|
|
|
cryptoid = xd->cryptoid;
|
2002-10-16 02:10:08 +00:00
|
|
|
|
|
|
|
/* Check for crypto errors. */
|
|
|
|
if (crp->crp_etype) {
|
|
|
|
if (crp->crp_etype == EAGAIN) {
|
2017-02-06 08:49:57 +00:00
|
|
|
/* Reset the session ID */
|
2018-07-18 00:56:25 +00:00
|
|
|
if (ipsec_updateid(sav, &crp->crp_session, &cryptoid) != 0)
|
2017-02-06 08:49:57 +00:00
|
|
|
crypto_freesession(cryptoid);
|
2018-07-18 00:56:25 +00:00
|
|
|
xd->cryptoid = crp->crp_session;
|
2018-03-20 17:05:23 +00:00
|
|
|
CURVNET_RESTORE();
|
2011-11-26 23:13:30 +00:00
|
|
|
return (crypto_dispatch(crp));
|
2002-10-16 02:10:08 +00:00
|
|
|
}
|
2013-06-20 11:44:16 +00:00
|
|
|
ESPSTAT_INC(esps_noxform);
|
2003-09-29 22:57:43 +00:00
|
|
|
DPRINTF(("%s: crypto error %d\n", __func__, crp->crp_etype));
|
2002-10-16 02:10:08 +00:00
|
|
|
error = crp->crp_etype;
|
2017-02-06 08:49:57 +00:00
|
|
|
m_freem(m);
|
2002-10-16 02:10:08 +00:00
|
|
|
goto bad;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Shouldn't happen... */
|
|
|
|
if (m == NULL) {
|
2013-06-20 11:44:16 +00:00
|
|
|
ESPSTAT_INC(esps_crypto);
|
2003-09-29 22:57:43 +00:00
|
|
|
DPRINTF(("%s: bogus returned buffer from crypto\n", __func__));
|
2002-10-16 02:10:08 +00:00
|
|
|
error = EINVAL;
|
|
|
|
goto bad;
|
|
|
|
}
|
2017-02-06 08:49:57 +00:00
|
|
|
free(xd, M_XDATA);
|
|
|
|
crypto_freereq(crp);
|
2013-06-20 11:44:16 +00:00
|
|
|
ESPSTAT_INC(esps_hist[sav->alg_enc]);
|
2002-10-16 02:10:08 +00:00
|
|
|
if (sav->tdb_authalgxform != NULL)
|
2013-06-20 11:44:16 +00:00
|
|
|
AHSTAT_INC(ahs_hist[sav->alg_auth]);
|
2002-10-16 02:10:08 +00:00
|
|
|
|
2006-04-10 15:04:36 +00:00
|
|
|
#ifdef REGRESSION
|
2006-04-09 19:11:45 +00:00
|
|
|
/* Emulate man-in-the-middle attack when ipsec_integrity is TRUE. */
|
Commit step 1 of the vimage project, (network stack)
virtualization work done by Marko Zec (zec@).
This is the first in a series of commits over the course
of the next few weeks.
Mark all uses of global variables to be virtualized
with a V_ prefix.
Use macros to map them back to their global names for
now, so this is a NOP change only.
We hope to have caught at least 85-90% of what is needed
so we do not invalidate a lot of outstanding patches again.
Obtained from: //depot/projects/vimage-commit2/...
Reviewed by: brooks, des, ed, mav, julian,
jamie, kris, rwatson, zec, ...
(various people I forgot, different versions)
md5 (with a bit of help)
Sponsored by: NLnet Foundation, The FreeBSD Foundation
X-MFC after: never
V_Commit_Message_Reviewed_By: more people than the patch
2008-08-17 23:27:27 +00:00
|
|
|
if (V_ipsec_integrity) {
|
2011-02-18 09:40:13 +00:00
|
|
|
static unsigned char ipseczeroes[AH_HMAC_MAXHASHLEN];
|
2017-02-06 08:49:57 +00:00
|
|
|
const struct auth_hash *esph;
|
2006-04-09 19:11:45 +00:00
|
|
|
|
|
|
|
/*
|
|
|
|
* Corrupt HMAC if we want to test integrity verification of
|
|
|
|
* the other side.
|
|
|
|
*/
|
|
|
|
esph = sav->tdb_authalgxform;
|
|
|
|
if (esph != NULL) {
|
2011-02-18 09:40:13 +00:00
|
|
|
int alen;
|
|
|
|
|
2015-07-29 07:15:16 +00:00
|
|
|
alen = xform_ah_authsize(esph);
|
2011-02-18 09:40:13 +00:00
|
|
|
m_copyback(m, m->m_pkthdr.len - alen,
|
|
|
|
alen, ipseczeroes);
|
2006-04-09 19:11:45 +00:00
|
|
|
}
|
|
|
|
}
|
2006-04-10 15:04:36 +00:00
|
|
|
#endif
|
2006-04-09 19:11:45 +00:00
|
|
|
|
2002-10-16 02:10:08 +00:00
|
|
|
/* NB: m is reclaimed by ipsec_process_done. */
|
2017-02-06 08:49:57 +00:00
|
|
|
error = ipsec_process_done(m, sp, sav, idx);
|
2018-03-20 17:05:23 +00:00
|
|
|
CURVNET_RESTORE();
|
2015-04-27 00:55:56 +00:00
|
|
|
return (error);
|
2002-10-16 02:10:08 +00:00
|
|
|
bad:
|
2018-03-20 17:05:23 +00:00
|
|
|
CURVNET_RESTORE();
|
2017-02-06 08:49:57 +00:00
|
|
|
free(xd, M_XDATA);
|
2002-10-16 02:10:08 +00:00
|
|
|
crypto_freereq(crp);
|
2017-02-06 08:49:57 +00:00
|
|
|
key_freesav(&sav);
|
|
|
|
key_freesp(&sp);
|
2015-04-27 00:55:56 +00:00
|
|
|
return (error);
|
2002-10-16 02:10:08 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
static struct xformsw esp_xformsw = {
|
2017-02-06 08:49:57 +00:00
|
|
|
.xf_type = XF_ESP,
|
|
|
|
.xf_name = "IPsec ESP",
|
|
|
|
.xf_init = esp_init,
|
|
|
|
.xf_zeroize = esp_zeroize,
|
|
|
|
.xf_input = esp_input,
|
|
|
|
.xf_output = esp_output,
|
2002-10-16 02:10:08 +00:00
|
|
|
};
|
|
|
|
|
2017-02-06 08:49:57 +00:00
|
|
|
SYSINIT(esp_xform_init, SI_SUB_PROTO_DOMAIN, SI_ORDER_MIDDLE,
|
|
|
|
xform_attach, &esp_xformsw);
|
|
|
|
SYSUNINIT(esp_xform_uninit, SI_SUB_PROTO_DOMAIN, SI_ORDER_MIDDLE,
|
|
|
|
xform_detach, &esp_xformsw);
|