1 /* $FreeBSD: src/sys/netinet6/ah_core.c,v 1.2.2.5 2002/04/28 05:40:26 suz Exp $ */
2 /* $DragonFly: src/sys/netinet6/ah_core.c,v 1.2 2003/06/17 04:28:51 dillon Exp $ */
3 /* $KAME: ah_core.c,v 1.44 2001/03/12 11:24:39 itojun Exp $ */
6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the project nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
35 * RFC1826/2402 authentication header.
38 /* TODO: have shared routines for hmac-* algorithms */
41 #include "opt_inet6.h"
42 #include "opt_ipsec.h"
44 #include <sys/param.h>
45 #include <sys/systm.h>
46 #include <sys/malloc.h>
48 #include <sys/domain.h>
49 #include <sys/protosw.h>
50 #include <sys/socket.h>
51 #include <sys/socketvar.h>
52 #include <sys/errno.h>
54 #include <sys/syslog.h>
57 #include <net/route.h>
59 #include <netinet/in.h>
60 #include <netinet/in_systm.h>
61 #include <netinet/ip.h>
62 #include <netinet/in_var.h>
65 #include <netinet/ip6.h>
66 #include <netinet6/ip6_var.h>
67 #include <netinet/icmp6.h>
70 #include <netinet6/ipsec.h>
72 #include <netinet6/ipsec6.h>
74 #include <netinet6/ah.h>
76 #include <netinet6/ah6.h>
79 #include <netinet6/esp.h>
81 #include <netinet6/esp6.h>
84 #include <net/pfkeyv2.h>
85 #include <netkey/keydb.h>
87 #include <crypto/sha1.h>
88 #include <crypto/sha2/sha2.h>
90 #include <net/net_osdep.h>
94 static int ah_sumsiz_1216 __P((struct secasvar *));
95 static int ah_sumsiz_zero __P((struct secasvar *));
96 static int ah_none_mature __P((struct secasvar *));
97 static int ah_none_init __P((struct ah_algorithm_state *, struct secasvar *));
98 static void ah_none_loop __P((struct ah_algorithm_state *, caddr_t, size_t));
99 static void ah_none_result __P((struct ah_algorithm_state *, caddr_t));
100 static int ah_keyed_md5_mature __P((struct secasvar *));
101 static int ah_keyed_md5_init __P((struct ah_algorithm_state *,
103 static void ah_keyed_md5_loop __P((struct ah_algorithm_state *, caddr_t,
105 static void ah_keyed_md5_result __P((struct ah_algorithm_state *, caddr_t));
106 static int ah_keyed_sha1_mature __P((struct secasvar *));
107 static int ah_keyed_sha1_init __P((struct ah_algorithm_state *,
109 static void ah_keyed_sha1_loop __P((struct ah_algorithm_state *, caddr_t,
111 static void ah_keyed_sha1_result __P((struct ah_algorithm_state *, caddr_t));
112 static int ah_hmac_md5_mature __P((struct secasvar *));
113 static int ah_hmac_md5_init __P((struct ah_algorithm_state *,
115 static void ah_hmac_md5_loop __P((struct ah_algorithm_state *, caddr_t,
117 static void ah_hmac_md5_result __P((struct ah_algorithm_state *, caddr_t));
118 static int ah_hmac_sha1_mature __P((struct secasvar *));
119 static int ah_hmac_sha1_init __P((struct ah_algorithm_state *,
121 static void ah_hmac_sha1_loop __P((struct ah_algorithm_state *, caddr_t,
123 static void ah_hmac_sha1_result __P((struct ah_algorithm_state *, caddr_t));
124 static int ah_hmac_sha2_256_mature __P((struct secasvar *));
125 static int ah_hmac_sha2_256_init __P((struct ah_algorithm_state *,
127 static void ah_hmac_sha2_256_loop __P((struct ah_algorithm_state *, caddr_t,
129 static void ah_hmac_sha2_256_result __P((struct ah_algorithm_state *, caddr_t));
130 static int ah_hmac_sha2_384_mature __P((struct secasvar *));
131 static int ah_hmac_sha2_384_init __P((struct ah_algorithm_state *,
133 static void ah_hmac_sha2_384_loop __P((struct ah_algorithm_state *, caddr_t,
135 static void ah_hmac_sha2_384_result __P((struct ah_algorithm_state *, caddr_t));
136 static int ah_hmac_sha2_512_mature __P((struct secasvar *));
137 static int ah_hmac_sha2_512_init __P((struct ah_algorithm_state *,
139 static void ah_hmac_sha2_512_loop __P((struct ah_algorithm_state *, caddr_t,
141 static void ah_hmac_sha2_512_result __P((struct ah_algorithm_state *, caddr_t));
143 static void ah_update_mbuf __P((struct mbuf *, int, int,
144 const struct ah_algorithm *, struct ah_algorithm_state *));
146 const struct ah_algorithm *
147 ah_algorithm_lookup(idx)
150 /* checksum algorithms */
151 static struct ah_algorithm ah_algorithms[] = {
152 { ah_sumsiz_1216, ah_hmac_md5_mature, 128, 128, "hmac-md5",
153 ah_hmac_md5_init, ah_hmac_md5_loop,
154 ah_hmac_md5_result, },
155 { ah_sumsiz_1216, ah_hmac_sha1_mature, 160, 160, "hmac-sha1",
156 ah_hmac_sha1_init, ah_hmac_sha1_loop,
157 ah_hmac_sha1_result, },
158 { ah_sumsiz_1216, ah_keyed_md5_mature, 128, 128, "keyed-md5",
159 ah_keyed_md5_init, ah_keyed_md5_loop,
160 ah_keyed_md5_result, },
161 { ah_sumsiz_1216, ah_keyed_sha1_mature, 160, 160, "keyed-sha1",
162 ah_keyed_sha1_init, ah_keyed_sha1_loop,
163 ah_keyed_sha1_result, },
164 { ah_sumsiz_zero, ah_none_mature, 0, 2048, "none",
165 ah_none_init, ah_none_loop, ah_none_result, },
166 { ah_sumsiz_1216, ah_hmac_sha2_256_mature, 256, 256,
168 ah_hmac_sha2_256_init, ah_hmac_sha2_256_loop,
169 ah_hmac_sha2_256_result, },
170 { ah_sumsiz_1216, ah_hmac_sha2_384_mature, 384, 384,
172 ah_hmac_sha2_384_init, ah_hmac_sha2_384_loop,
173 ah_hmac_sha2_384_result, },
174 { ah_sumsiz_1216, ah_hmac_sha2_512_mature, 512, 512,
176 ah_hmac_sha2_512_init, ah_hmac_sha2_512_loop,
177 ah_hmac_sha2_512_result, },
181 case SADB_AALG_MD5HMAC:
182 return &ah_algorithms[0];
183 case SADB_AALG_SHA1HMAC:
184 return &ah_algorithms[1];
185 case SADB_X_AALG_MD5:
186 return &ah_algorithms[2];
187 case SADB_X_AALG_SHA:
188 return &ah_algorithms[3];
189 case SADB_X_AALG_NULL:
190 return &ah_algorithms[4];
191 case SADB_X_AALG_SHA2_256:
192 return &ah_algorithms[5];
193 case SADB_X_AALG_SHA2_384:
194 return &ah_algorithms[6];
195 case SADB_X_AALG_SHA2_512:
196 return &ah_algorithms[7];
205 struct secasvar *sav;
209 if (sav->flags & SADB_X_EXT_OLD)
217 struct secasvar *sav;
226 struct secasvar *sav;
228 if (sav->sah->saidx.proto == IPPROTO_AH) {
230 "ah_none_mature: protocol and algorithm mismatch.\n"));
237 ah_none_init(state, sav)
238 struct ah_algorithm_state *state;
239 struct secasvar *sav;
246 ah_none_loop(state, addr, len)
247 struct ah_algorithm_state *state;
254 ah_none_result(state, addr)
255 struct ah_algorithm_state *state;
261 ah_keyed_md5_mature(sav)
262 struct secasvar *sav;
264 /* anything is okay */
269 ah_keyed_md5_init(state, sav)
270 struct ah_algorithm_state *state;
271 struct secasvar *sav;
278 panic("ah_keyed_md5_init: what?");
281 state->foo = (void *)malloc(sizeof(MD5_CTX), M_TEMP, M_NOWAIT);
282 if (state->foo == NULL)
285 MD5Init((MD5_CTX *)state->foo);
287 MD5Update((MD5_CTX *)state->foo,
288 (u_int8_t *)_KEYBUF(state->sav->key_auth),
289 (u_int)_KEYLEN(state->sav->key_auth));
293 * We cannot simply use md5_pad() since the function
294 * won't update the total length.
296 if (_KEYLEN(state->sav->key_auth) < 56)
297 padlen = 64 - 8 - _KEYLEN(state->sav->key_auth);
299 padlen = 64 + 64 - 8 - _KEYLEN(state->sav->key_auth);
300 keybitlen = _KEYLEN(state->sav->key_auth);
304 MD5Update((MD5_CTX *)state->foo, &buf[0], 1);
307 bzero(buf, sizeof(buf));
308 while (sizeof(buf) < padlen) {
309 MD5Update((MD5_CTX *)state->foo, &buf[0], sizeof(buf));
310 padlen -= sizeof(buf);
313 MD5Update((MD5_CTX *)state->foo, &buf[0], padlen);
316 buf[0] = (keybitlen >> 0) & 0xff;
317 buf[1] = (keybitlen >> 8) & 0xff;
318 buf[2] = (keybitlen >> 16) & 0xff;
319 buf[3] = (keybitlen >> 24) & 0xff;
320 MD5Update((MD5_CTX *)state->foo, buf, 8);
327 ah_keyed_md5_loop(state, addr, len)
328 struct ah_algorithm_state *state;
333 panic("ah_keyed_md5_loop: what?");
335 MD5Update((MD5_CTX *)state->foo, addr, len);
339 ah_keyed_md5_result(state, addr)
340 struct ah_algorithm_state *state;
346 panic("ah_keyed_md5_result: what?");
349 MD5Update((MD5_CTX *)state->foo,
350 (u_int8_t *)_KEYBUF(state->sav->key_auth),
351 (u_int)_KEYLEN(state->sav->key_auth));
353 MD5Final(&digest[0], (MD5_CTX *)state->foo);
354 free(state->foo, M_TEMP);
355 bcopy(&digest[0], (void *)addr, sizeof(digest));
359 ah_keyed_sha1_mature(sav)
360 struct secasvar *sav;
362 const struct ah_algorithm *algo;
364 if (!sav->key_auth) {
365 ipseclog((LOG_ERR, "ah_keyed_sha1_mature: no key is given.\n"));
369 algo = ah_algorithm_lookup(sav->alg_auth);
371 ipseclog((LOG_ERR, "ah_keyed_sha1_mature: unsupported algorithm.\n"));
375 if (sav->key_auth->sadb_key_bits < algo->keymin
376 || algo->keymax < sav->key_auth->sadb_key_bits) {
378 "ah_keyed_sha1_mature: invalid key length %d.\n",
379 sav->key_auth->sadb_key_bits));
387 ah_keyed_sha1_init(state, sav)
388 struct ah_algorithm_state *state;
389 struct secasvar *sav;
397 panic("ah_keyed_sha1_init: what?");
400 state->foo = (void *)malloc(sizeof(SHA1_CTX), M_TEMP, M_NOWAIT);
404 ctxt = (SHA1_CTX *)state->foo;
408 SHA1Update(ctxt, (u_int8_t *)_KEYBUF(state->sav->key_auth),
409 (u_int)_KEYLEN(state->sav->key_auth));
414 if (_KEYLEN(state->sav->key_auth) < 56)
415 padlen = 64 - 8 - _KEYLEN(state->sav->key_auth);
417 padlen = 64 + 64 - 8 - _KEYLEN(state->sav->key_auth);
418 keybitlen = _KEYLEN(state->sav->key_auth);
422 SHA1Update(ctxt, &buf[0], 1);
425 bzero(buf, sizeof(buf));
426 while (sizeof(buf) < padlen) {
427 SHA1Update(ctxt, &buf[0], sizeof(buf));
428 padlen -= sizeof(buf);
431 SHA1Update(ctxt, &buf[0], padlen);
434 buf[0] = (keybitlen >> 0) & 0xff;
435 buf[1] = (keybitlen >> 8) & 0xff;
436 buf[2] = (keybitlen >> 16) & 0xff;
437 buf[3] = (keybitlen >> 24) & 0xff;
438 SHA1Update(ctxt, buf, 8);
445 ah_keyed_sha1_loop(state, addr, len)
446 struct ah_algorithm_state *state;
452 if (!state || !state->foo)
453 panic("ah_keyed_sha1_loop: what?");
454 ctxt = (SHA1_CTX *)state->foo;
456 SHA1Update(ctxt, (caddr_t)addr, (size_t)len);
460 ah_keyed_sha1_result(state, addr)
461 struct ah_algorithm_state *state;
464 u_char digest[SHA1_RESULTLEN]; /* SHA-1 generates 160 bits */
467 if (!state || !state->foo)
468 panic("ah_keyed_sha1_result: what?");
469 ctxt = (SHA1_CTX *)state->foo;
472 SHA1Update(ctxt, (u_int8_t *)_KEYBUF(state->sav->key_auth),
473 (u_int)_KEYLEN(state->sav->key_auth));
475 SHA1Final((caddr_t)&digest[0], ctxt);
476 bcopy(&digest[0], (void *)addr, HMACSIZE);
478 free(state->foo, M_TEMP);
482 ah_hmac_md5_mature(sav)
483 struct secasvar *sav;
485 const struct ah_algorithm *algo;
487 if (!sav->key_auth) {
488 ipseclog((LOG_ERR, "ah_hmac_md5_mature: no key is given.\n"));
492 algo = ah_algorithm_lookup(sav->alg_auth);
494 ipseclog((LOG_ERR, "ah_hmac_md5_mature: unsupported algorithm.\n"));
498 if (sav->key_auth->sadb_key_bits < algo->keymin
499 || algo->keymax < sav->key_auth->sadb_key_bits) {
501 "ah_hmac_md5_mature: invalid key length %d.\n",
502 sav->key_auth->sadb_key_bits));
510 ah_hmac_md5_init(state, sav)
511 struct ah_algorithm_state *state;
512 struct secasvar *sav;
523 panic("ah_hmac_md5_init: what?");
526 state->foo = (void *)malloc(64 + 64 + sizeof(MD5_CTX), M_TEMP, M_NOWAIT);
530 ipad = (u_char *)state->foo;
531 opad = (u_char *)(ipad + 64);
532 ctxt = (MD5_CTX *)(opad + 64);
534 /* compress the key if necessery */
535 if (64 < _KEYLEN(state->sav->key_auth)) {
537 MD5Update(ctxt, _KEYBUF(state->sav->key_auth),
538 _KEYLEN(state->sav->key_auth));
539 MD5Final(&tk[0], ctxt);
543 key = _KEYBUF(state->sav->key_auth);
544 keylen = _KEYLEN(state->sav->key_auth);
549 bcopy(key, ipad, keylen);
550 bcopy(key, opad, keylen);
551 for (i = 0; i < 64; i++) {
557 MD5Update(ctxt, ipad, 64);
563 ah_hmac_md5_loop(state, addr, len)
564 struct ah_algorithm_state *state;
570 if (!state || !state->foo)
571 panic("ah_hmac_md5_loop: what?");
572 ctxt = (MD5_CTX *)(((caddr_t)state->foo) + 128);
573 MD5Update(ctxt, addr, len);
577 ah_hmac_md5_result(state, addr)
578 struct ah_algorithm_state *state;
586 if (!state || !state->foo)
587 panic("ah_hmac_md5_result: what?");
589 ipad = (u_char *)state->foo;
590 opad = (u_char *)(ipad + 64);
591 ctxt = (MD5_CTX *)(opad + 64);
593 MD5Final(&digest[0], ctxt);
596 MD5Update(ctxt, opad, 64);
597 MD5Update(ctxt, &digest[0], sizeof(digest));
598 MD5Final(&digest[0], ctxt);
600 bcopy(&digest[0], (void *)addr, HMACSIZE);
602 free(state->foo, M_TEMP);
606 ah_hmac_sha1_mature(sav)
607 struct secasvar *sav;
609 const struct ah_algorithm *algo;
611 if (!sav->key_auth) {
612 ipseclog((LOG_ERR, "ah_hmac_sha1_mature: no key is given.\n"));
616 algo = ah_algorithm_lookup(sav->alg_auth);
618 ipseclog((LOG_ERR, "ah_hmac_sha1_mature: unsupported algorithm.\n"));
622 if (sav->key_auth->sadb_key_bits < algo->keymin
623 || algo->keymax < sav->key_auth->sadb_key_bits) {
625 "ah_hmac_sha1_mature: invalid key length %d.\n",
626 sav->key_auth->sadb_key_bits));
634 ah_hmac_sha1_init(state, sav)
635 struct ah_algorithm_state *state;
636 struct secasvar *sav;
641 u_char tk[SHA1_RESULTLEN]; /* SHA-1 generates 160 bits */
647 panic("ah_hmac_sha1_init: what?");
650 state->foo = (void *)malloc(64 + 64 + sizeof(SHA1_CTX),
655 ipad = (u_char *)state->foo;
656 opad = (u_char *)(ipad + 64);
657 ctxt = (SHA1_CTX *)(opad + 64);
659 /* compress the key if necessery */
660 if (64 < _KEYLEN(state->sav->key_auth)) {
662 SHA1Update(ctxt, _KEYBUF(state->sav->key_auth),
663 _KEYLEN(state->sav->key_auth));
664 SHA1Final(&tk[0], ctxt);
666 keylen = SHA1_RESULTLEN;
668 key = _KEYBUF(state->sav->key_auth);
669 keylen = _KEYLEN(state->sav->key_auth);
674 bcopy(key, ipad, keylen);
675 bcopy(key, opad, keylen);
676 for (i = 0; i < 64; i++) {
682 SHA1Update(ctxt, ipad, 64);
688 ah_hmac_sha1_loop(state, addr, len)
689 struct ah_algorithm_state *state;
695 if (!state || !state->foo)
696 panic("ah_hmac_sha1_loop: what?");
698 ctxt = (SHA1_CTX *)(((u_char *)state->foo) + 128);
699 SHA1Update(ctxt, (caddr_t)addr, (size_t)len);
703 ah_hmac_sha1_result(state, addr)
704 struct ah_algorithm_state *state;
707 u_char digest[SHA1_RESULTLEN]; /* SHA-1 generates 160 bits */
712 if (!state || !state->foo)
713 panic("ah_hmac_sha1_result: what?");
715 ipad = (u_char *)state->foo;
716 opad = (u_char *)(ipad + 64);
717 ctxt = (SHA1_CTX *)(opad + 64);
719 SHA1Final((caddr_t)&digest[0], ctxt);
722 SHA1Update(ctxt, opad, 64);
723 SHA1Update(ctxt, (caddr_t)&digest[0], sizeof(digest));
724 SHA1Final((caddr_t)&digest[0], ctxt);
726 bcopy(&digest[0], (void *)addr, HMACSIZE);
728 free(state->foo, M_TEMP);
732 ah_hmac_sha2_256_mature(sav)
733 struct secasvar *sav;
735 const struct ah_algorithm *algo;
737 if (!sav->key_auth) {
739 "ah_hmac_sha2_256_mature: no key is given.\n"));
743 algo = ah_algorithm_lookup(sav->alg_auth);
746 "ah_hmac_sha2_256_mature: unsupported algorithm.\n"));
750 if (sav->key_auth->sadb_key_bits < algo->keymin ||
751 algo->keymax < sav->key_auth->sadb_key_bits) {
753 "ah_hmac_sha2_256_mature: invalid key length %d.\n",
754 sav->key_auth->sadb_key_bits));
762 ah_hmac_sha2_256_init(state, sav)
763 struct ah_algorithm_state *state;
764 struct secasvar *sav;
769 u_char tk[SHA256_DIGEST_LENGTH];
775 panic("ah_hmac_sha2_256_init: what?");
778 state->foo = (void *)malloc(64 + 64 + sizeof(SHA256_CTX),
783 ipad = (u_char *)state->foo;
784 opad = (u_char *)(ipad + 64);
785 ctxt = (SHA256_CTX *)(opad + 64);
787 /* compress the key if necessery */
788 if (64 < _KEYLEN(state->sav->key_auth)) {
789 bzero(tk, sizeof(tk));
790 bzero(ctxt, sizeof(*ctxt));
792 SHA256_Update(ctxt, _KEYBUF(state->sav->key_auth),
793 _KEYLEN(state->sav->key_auth));
794 SHA256_Final(&tk[0], ctxt);
796 keylen = sizeof(tk) < 64 ? sizeof(tk) : 64;
798 key = _KEYBUF(state->sav->key_auth);
799 keylen = _KEYLEN(state->sav->key_auth);
804 bcopy(key, ipad, keylen);
805 bcopy(key, opad, keylen);
806 for (i = 0; i < 64; i++) {
811 bzero(ctxt, sizeof(*ctxt));
813 SHA256_Update(ctxt, ipad, 64);
819 ah_hmac_sha2_256_loop(state, addr, len)
820 struct ah_algorithm_state *state;
826 if (!state || !state->foo)
827 panic("ah_hmac_sha2_256_loop: what?");
829 ctxt = (SHA256_CTX *)(((u_char *)state->foo) + 128);
830 SHA256_Update(ctxt, (caddr_t)addr, (size_t)len);
834 ah_hmac_sha2_256_result(state, addr)
835 struct ah_algorithm_state *state;
838 u_char digest[SHA256_DIGEST_LENGTH];
843 if (!state || !state->foo)
844 panic("ah_hmac_sha2_256_result: what?");
846 ipad = (u_char *)state->foo;
847 opad = (u_char *)(ipad + 64);
848 ctxt = (SHA256_CTX *)(opad + 64);
850 SHA256_Final((caddr_t)&digest[0], ctxt);
852 bzero(ctxt, sizeof(*ctxt));
854 SHA256_Update(ctxt, opad, 64);
855 SHA256_Update(ctxt, (caddr_t)&digest[0], sizeof(digest));
856 SHA256_Final((caddr_t)&digest[0], ctxt);
858 bcopy(&digest[0], (void *)addr, HMACSIZE);
860 free(state->foo, M_TEMP);
864 ah_hmac_sha2_384_mature(sav)
865 struct secasvar *sav;
867 const struct ah_algorithm *algo;
869 if (!sav->key_auth) {
871 "ah_hmac_sha2_384_mature: no key is given.\n"));
875 algo = ah_algorithm_lookup(sav->alg_auth);
878 "ah_hmac_sha2_384_mature: unsupported algorithm.\n"));
882 if (sav->key_auth->sadb_key_bits < algo->keymin ||
883 algo->keymax < sav->key_auth->sadb_key_bits) {
885 "ah_hmac_sha2_384_mature: invalid key length %d.\n",
886 sav->key_auth->sadb_key_bits));
894 ah_hmac_sha2_384_init(state, sav)
895 struct ah_algorithm_state *state;
896 struct secasvar *sav;
901 u_char tk[SHA384_DIGEST_LENGTH];
907 panic("ah_hmac_sha2_384_init: what?");
910 state->foo = (void *)malloc(64 + 64 + sizeof(SHA384_CTX),
914 bzero(state->foo, 64 + 64 + sizeof(SHA384_CTX));
916 ipad = (u_char *)state->foo;
917 opad = (u_char *)(ipad + 64);
918 ctxt = (SHA384_CTX *)(opad + 64);
920 /* compress the key if necessery */
921 if (64 < _KEYLEN(state->sav->key_auth)) {
922 bzero(tk, sizeof(tk));
923 bzero(ctxt, sizeof(*ctxt));
925 SHA384_Update(ctxt, _KEYBUF(state->sav->key_auth),
926 _KEYLEN(state->sav->key_auth));
927 SHA384_Final(&tk[0], ctxt);
929 keylen = sizeof(tk) < 64 ? sizeof(tk) : 64;
931 key = _KEYBUF(state->sav->key_auth);
932 keylen = _KEYLEN(state->sav->key_auth);
937 bcopy(key, ipad, keylen);
938 bcopy(key, opad, keylen);
939 for (i = 0; i < 64; i++) {
944 bzero(ctxt, sizeof(*ctxt));
946 SHA384_Update(ctxt, ipad, 64);
952 ah_hmac_sha2_384_loop(state, addr, len)
953 struct ah_algorithm_state *state;
959 if (!state || !state->foo)
960 panic("ah_hmac_sha2_384_loop: what?");
962 ctxt = (SHA384_CTX *)(((u_char *)state->foo) + 128);
963 SHA384_Update(ctxt, (caddr_t)addr, (size_t)len);
967 ah_hmac_sha2_384_result(state, addr)
968 struct ah_algorithm_state *state;
971 u_char digest[SHA384_DIGEST_LENGTH];
976 if (!state || !state->foo)
977 panic("ah_hmac_sha2_384_result: what?");
979 ipad = (u_char *)state->foo;
980 opad = (u_char *)(ipad + 64);
981 ctxt = (SHA384_CTX *)(opad + 64);
983 SHA384_Final((caddr_t)&digest[0], ctxt);
985 bzero(ctxt, sizeof(*ctxt));
987 SHA384_Update(ctxt, opad, 64);
988 SHA384_Update(ctxt, (caddr_t)&digest[0], sizeof(digest));
989 SHA384_Final((caddr_t)&digest[0], ctxt);
991 bcopy(&digest[0], (void *)addr, HMACSIZE);
993 free(state->foo, M_TEMP);
997 ah_hmac_sha2_512_mature(sav)
998 struct secasvar *sav;
1000 const struct ah_algorithm *algo;
1002 if (!sav->key_auth) {
1004 "ah_hmac_sha2_512_mature: no key is given.\n"));
1008 algo = ah_algorithm_lookup(sav->alg_auth);
1011 "ah_hmac_sha2_512_mature: unsupported algorithm.\n"));
1015 if (sav->key_auth->sadb_key_bits < algo->keymin ||
1016 algo->keymax < sav->key_auth->sadb_key_bits) {
1018 "ah_hmac_sha2_512_mature: invalid key length %d.\n",
1019 sav->key_auth->sadb_key_bits));
1027 ah_hmac_sha2_512_init(state, sav)
1028 struct ah_algorithm_state *state;
1029 struct secasvar *sav;
1034 u_char tk[SHA512_DIGEST_LENGTH];
1040 panic("ah_hmac_sha2_512_init: what?");
1043 state->foo = (void *)malloc(64 + 64 + sizeof(SHA512_CTX),
1047 bzero(state->foo, 64 + 64 + sizeof(SHA512_CTX));
1049 ipad = (u_char *)state->foo;
1050 opad = (u_char *)(ipad + 64);
1051 ctxt = (SHA512_CTX *)(opad + 64);
1053 /* compress the key if necessery */
1054 if (64 < _KEYLEN(state->sav->key_auth)) {
1055 bzero(tk, sizeof(tk));
1056 bzero(ctxt, sizeof(*ctxt));
1058 SHA512_Update(ctxt, _KEYBUF(state->sav->key_auth),
1059 _KEYLEN(state->sav->key_auth));
1060 SHA512_Final(&tk[0], ctxt);
1062 keylen = sizeof(tk) < 64 ? sizeof(tk) : 64;
1064 key = _KEYBUF(state->sav->key_auth);
1065 keylen = _KEYLEN(state->sav->key_auth);
1070 bcopy(key, ipad, keylen);
1071 bcopy(key, opad, keylen);
1072 for (i = 0; i < 64; i++) {
1077 bzero(ctxt, sizeof(*ctxt));
1079 SHA512_Update(ctxt, ipad, 64);
1085 ah_hmac_sha2_512_loop(state, addr, len)
1086 struct ah_algorithm_state *state;
1092 if (!state || !state->foo)
1093 panic("ah_hmac_sha2_512_loop: what?");
1095 ctxt = (SHA512_CTX *)(((u_char *)state->foo) + 128);
1096 SHA512_Update(ctxt, (caddr_t)addr, (size_t)len);
1100 ah_hmac_sha2_512_result(state, addr)
1101 struct ah_algorithm_state *state;
1104 u_char digest[SHA512_DIGEST_LENGTH];
1109 if (!state || !state->foo)
1110 panic("ah_hmac_sha2_512_result: what?");
1112 ipad = (u_char *)state->foo;
1113 opad = (u_char *)(ipad + 64);
1114 ctxt = (SHA512_CTX *)(opad + 64);
1116 SHA512_Final((caddr_t)&digest[0], ctxt);
1118 bzero(ctxt, sizeof(*ctxt));
1120 SHA512_Update(ctxt, opad, 64);
1121 SHA512_Update(ctxt, (caddr_t)&digest[0], sizeof(digest));
1122 SHA512_Final((caddr_t)&digest[0], ctxt);
1124 bcopy(&digest[0], (void *)addr, HMACSIZE);
1126 free(state->foo, M_TEMP);
1129 /*------------------------------------------------------------*/
1132 * go generate the checksum.
1135 ah_update_mbuf(m, off, len, algo, algos)
1139 const struct ah_algorithm *algo;
1140 struct ah_algorithm_state *algos;
1145 /* easy case first */
1146 if (off + len <= m->m_len) {
1147 (algo->update)(algos, mtod(m, caddr_t) + off, len);
1151 for (n = m; n; n = n->m_next) {
1159 panic("ah_update_mbuf: wrong offset specified");
1161 for (/* nothing */; n && len > 0; n = n->m_next) {
1164 if (n->m_len - off < len)
1165 tlen = n->m_len - off;
1169 (algo->update)(algos, mtod(n, caddr_t) + off, tlen);
1178 * Go generate the checksum. This function won't modify the mbuf chain
1181 * NOTE: the function does not free mbuf on failure.
1182 * Don't use m_copy(), it will try to share cluster mbuf by using refcnt.
1185 ah4_calccksum(m, ahdat, len, algo, sav)
1189 const struct ah_algorithm *algo;
1190 struct secasvar *sav;
1194 size_t advancewidth;
1195 struct ah_algorithm_state algos;
1196 u_char sumbuf[AH_MAXSUMSIZE];
1199 struct mbuf *n = NULL;
1201 if ((m->m_flags & M_PKTHDR) == 0)
1205 hdrtype = -1; /* dummy, it is called IPPROTO_IP */
1209 error = (algo->init)(&algos, sav);
1213 advancewidth = 0; /* safety */
1218 case -1: /* first one only */
1221 * copy ip hdr, modify to fit the AH checksum rule,
1222 * then take a checksum.
1227 m_copydata(m, off, sizeof(iphdr), (caddr_t)&iphdr);
1229 hlen = IP_VHL_HL(iphdr.ip_vhl) << 2;
1231 hlen = iphdr.ip_hl << 2;
1234 iphdr.ip_sum = htons(0);
1235 if (ip4_ah_cleartos)
1237 iphdr.ip_off = htons(ntohs(iphdr.ip_off) & ip4_ah_offsetmask);
1238 (algo->update)(&algos, (caddr_t)&iphdr, sizeof(struct ip));
1240 if (hlen != sizeof(struct ip)) {
1244 if (hlen > MCLBYTES) {
1248 MGET(n, M_DONTWAIT, MT_DATA);
1249 if (n && hlen > MLEN) {
1250 MCLGET(n, M_DONTWAIT);
1251 if ((n->m_flags & M_EXT) == 0) {
1260 m_copydata(m, off, hlen, mtod(n, caddr_t));
1263 * IP options processing.
1264 * See RFC2402 appendix A.
1266 p = mtod(n, u_char *);
1267 i = sizeof(struct ip);
1269 if (i + IPOPT_OPTVAL >= hlen) {
1270 ipseclog((LOG_ERR, "ah4_calccksum: "
1271 "invalid IP option\n"));
1275 if (p[i + IPOPT_OPTVAL] == IPOPT_EOL ||
1276 p[i + IPOPT_OPTVAL] == IPOPT_NOP ||
1277 i + IPOPT_OLEN < hlen)
1281 "ah4_calccksum: invalid IP option "
1283 p[i + IPOPT_OPTVAL]));
1289 switch (p[i + IPOPT_OPTVAL]) {
1295 case IPOPT_SECURITY: /* 0x82 */
1296 case 0x85: /* Extended security */
1297 case 0x86: /* Commercial security */
1298 case 0x94: /* Router alert */
1299 case 0x95: /* RFC1770 */
1300 l = p[i + IPOPT_OLEN];
1306 l = p[i + IPOPT_OLEN];
1312 if (l < 1 || hlen - i < l) {
1315 "ah4_calccksum: invalid IP option "
1316 "(type=%02x len=%02x)\n",
1317 p[i + IPOPT_OPTVAL],
1318 p[i + IPOPT_OLEN]));
1324 if (p[i + IPOPT_OPTVAL] == IPOPT_EOL)
1328 p = mtod(n, u_char *) + sizeof(struct ip);
1329 (algo->update)(&algos, p, hlen - sizeof(struct ip));
1335 hdrtype = (iphdr.ip_p) & 0xff;
1336 advancewidth = hlen;
1347 m_copydata(m, off, sizeof(ah), (caddr_t)&ah);
1348 hdrsiz = (sav->flags & SADB_X_EXT_OLD)
1350 : sizeof(struct newah);
1351 siz = (*algo->sumsiz)(sav);
1352 totlen = (ah.ah_len + 2) << 2;
1355 * special treatment is necessary for the first one, not others
1358 if (totlen > m->m_pkthdr.len - off ||
1359 totlen > MCLBYTES) {
1363 MGET(n, M_DONTWAIT, MT_DATA);
1364 if (n && totlen > MLEN) {
1365 MCLGET(n, M_DONTWAIT);
1366 if ((n->m_flags & M_EXT) == 0) {
1375 m_copydata(m, off, totlen, mtod(n, caddr_t));
1377 bzero(mtod(n, caddr_t) + hdrsiz, siz);
1378 (algo->update)(&algos, mtod(n, caddr_t), n->m_len);
1382 ah_update_mbuf(m, off, totlen, algo, &algos);
1385 hdrtype = ah.ah_nxt;
1386 advancewidth = totlen;
1391 ah_update_mbuf(m, off, m->m_pkthdr.len - off, algo, &algos);
1392 advancewidth = m->m_pkthdr.len - off;
1396 off += advancewidth;
1397 if (off < m->m_pkthdr.len)
1400 if (len < (*algo->sumsiz)(sav)) {
1405 (algo->result)(&algos, &sumbuf[0]);
1406 bcopy(&sumbuf[0], ahdat, (*algo->sumsiz)(sav));
1421 * Go generate the checksum. This function won't modify the mbuf chain
1424 * NOTE: the function does not free mbuf on failure.
1425 * Don't use m_copy(), it will try to share cluster mbuf by using refcnt.
1428 ah6_calccksum(m, ahdat, len, algo, sav)
1432 const struct ah_algorithm *algo;
1433 struct secasvar *sav;
1437 struct mbuf *n = NULL;
1440 struct ah_algorithm_state algos;
1441 u_char sumbuf[AH_MAXSUMSIZE];
1443 if ((m->m_flags & M_PKTHDR) == 0)
1446 error = (algo->init)(&algos, sav);
1451 proto = IPPROTO_IPV6;
1456 newoff = ip6_nexthdr(m, off, proto, &nxt);
1458 newoff = m->m_pkthdr.len;
1459 else if (newoff <= off) {
1467 * special treatment is necessary for the first one, not others
1470 struct ip6_hdr ip6copy;
1472 if (newoff - off != sizeof(struct ip6_hdr)) {
1477 m_copydata(m, off, newoff - off, (caddr_t)&ip6copy);
1479 ip6copy.ip6_flow = 0;
1480 ip6copy.ip6_vfc &= ~IPV6_VERSION_MASK;
1481 ip6copy.ip6_vfc |= IPV6_VERSION;
1482 ip6copy.ip6_hlim = 0;
1483 if (IN6_IS_ADDR_LINKLOCAL(&ip6copy.ip6_src))
1484 ip6copy.ip6_src.s6_addr16[1] = 0x0000;
1485 if (IN6_IS_ADDR_LINKLOCAL(&ip6copy.ip6_dst))
1486 ip6copy.ip6_dst.s6_addr16[1] = 0x0000;
1487 (algo->update)(&algos, (caddr_t)&ip6copy,
1488 sizeof(struct ip6_hdr));
1490 newoff = m->m_pkthdr.len;
1491 ah_update_mbuf(m, off, m->m_pkthdr.len - off, algo,
1501 hdrsiz = (sav->flags & SADB_X_EXT_OLD)
1503 : sizeof(struct newah);
1504 siz = (*algo->sumsiz)(sav);
1507 * special treatment is necessary for the first one, not others
1510 if (newoff - off > MCLBYTES) {
1514 MGET(n, M_DONTWAIT, MT_DATA);
1515 if (n && newoff - off > MLEN) {
1516 MCLGET(n, M_DONTWAIT);
1517 if ((n->m_flags & M_EXT) == 0) {
1526 m_copydata(m, off, newoff - off, mtod(n, caddr_t));
1527 n->m_len = newoff - off;
1528 bzero(mtod(n, caddr_t) + hdrsiz, siz);
1529 (algo->update)(&algos, mtod(n, caddr_t), n->m_len);
1533 ah_update_mbuf(m, off, newoff - off, algo, &algos);
1538 case IPPROTO_HOPOPTS:
1539 case IPPROTO_DSTOPTS:
1541 struct ip6_ext *ip6e;
1543 u_int8_t *p, *optend, *optp;
1545 if (newoff - off > MCLBYTES) {
1549 MGET(n, M_DONTWAIT, MT_DATA);
1550 if (n && newoff - off > MLEN) {
1551 MCLGET(n, M_DONTWAIT);
1552 if ((n->m_flags & M_EXT) == 0) {
1561 m_copydata(m, off, newoff - off, mtod(n, caddr_t));
1562 n->m_len = newoff - off;
1564 ip6e = mtod(n, struct ip6_ext *);
1565 hdrlen = (ip6e->ip6e_len + 1) << 3;
1566 if (newoff - off < hdrlen) {
1572 p = mtod(n, u_int8_t *);
1573 optend = p + hdrlen;
1576 * ICV calculation for the options header including all
1577 * options. This part is a little tricky since there are
1578 * two type of options; mutable and immutable. We try to
1579 * null-out mutable ones here.
1582 while (optp < optend) {
1583 if (optp[0] == IP6OPT_PAD1)
1586 if (optp + 2 > optend) {
1592 optlen = optp[1] + 2;
1594 if (optp[0] & IP6OPT_MUTABLE)
1595 bzero(optp + 2, optlen - 2);
1601 (algo->update)(&algos, mtod(n, caddr_t), n->m_len);
1607 case IPPROTO_ROUTING:
1609 * For an input packet, we can just calculate `as is'.
1610 * For an output packet, we assume ip6_output have already
1611 * made packet how it will be received at the final
1617 ah_update_mbuf(m, off, newoff - off, algo, &algos);
1621 if (newoff < m->m_pkthdr.len) {
1627 if (len < (*algo->sumsiz)(sav)) {
1632 (algo->result)(&algos, &sumbuf[0]);
1633 bcopy(&sumbuf[0], ahdat, (*algo->sumsiz)(sav));