1 /* $FreeBSD: src/sys/netinet6/ah_output.c,v 1.1.2.5 2003/05/06 06:46:58 suz Exp $ */
2 /* $DragonFly: src/sys/netinet6/ah_output.c,v 1.2 2003/06/17 04:28:51 dillon Exp $ */
3 /* $KAME: ah_output.c,v 1.31 2001/07/26 06:53:15 jinmei Exp $ */
6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the project nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
35 * RFC1826/2402 authentication header.
39 #include "opt_inet6.h"
41 #include <sys/param.h>
42 #include <sys/systm.h>
44 #include <sys/domain.h>
45 #include <sys/protosw.h>
46 #include <sys/socket.h>
47 #include <sys/socketvar.h>
48 #include <sys/errno.h>
50 #include <sys/syslog.h>
53 #include <net/route.h>
55 #include <netinet/in.h>
57 #include <netinet/in_systm.h>
58 #include <netinet/ip.h>
59 #include <netinet/in_var.h>
62 #include <netinet/ip6.h>
63 #include <netinet6/ip6_var.h>
64 #include <netinet/icmp6.h>
67 #include <netinet6/ipsec.h>
69 #include <netinet6/ipsec6.h>
71 #include <netinet6/ah.h>
73 #include <netinet6/ah6.h>
75 #include <netkey/key.h>
76 #include <netkey/keydb.h>
78 #include <net/net_osdep.h>
81 static struct in_addr *ah4_finaldst __P((struct mbuf *));
85 * compute AH header size.
86 * transport mode only. for tunnel mode, we should implement
87 * virtual interface, and control MTU/MSS by the interface MTU.
91 struct ipsecrequest *isr;
93 const struct ah_algorithm *algo;
98 panic("ah_hdrsiz: NULL was passed.");
100 if (isr->saidx.proto != IPPROTO_AH)
101 panic("unsupported mode passed to ah_hdrsiz");
103 if (isr->sav == NULL)
105 if (isr->sav->state != SADB_SASTATE_MATURE
106 && isr->sav->state != SADB_SASTATE_DYING)
109 /* we need transport mode AH. */
110 algo = ah_algorithm_lookup(isr->sav->alg_auth);
116 * right now we don't calcurate the padding size. simply
117 * treat the padding size as constant, for simplicity.
119 * XXX variable size padding support
121 hdrsiz = (((*algo->sumsiz)(isr->sav) + 3) & ~(4 - 1));
122 if (isr->sav->flags & SADB_X_EXT_OLD)
123 hdrsiz += sizeof(struct ah);
125 hdrsiz += sizeof(struct newah);
131 * sizeof(struct newah) > sizeof(struct ah).
132 * 16 = (16 + 3) & ~(4 - 1).
134 return sizeof(struct newah) + 16;
139 * Modify the packet so that it includes the authentication data.
140 * The mbuf passed must start with IPv4 header.
142 * assumes that the first mbuf contains IPv4 header + option only.
143 * the function does not modify m.
148 struct ipsecrequest *isr;
150 struct secasvar *sav = isr->sav;
151 const struct ah_algorithm *algo;
154 u_char *ahsumpos = NULL;
155 size_t hlen = 0; /* IP header+option in bytes */
156 size_t plen = 0; /* AH payload size in bytes */
157 size_t ahlen = 0; /* plen + sizeof(ah) */
160 struct in_addr *finaldst;
164 if ((sav->flags & SADB_X_EXT_OLD) == 0 && !sav->replay) {
167 ip = mtod(m, struct ip *);
168 ipseclog((LOG_DEBUG, "ah4_output: internal error: "
169 "sav->replay is null: %x->%x, SPI=%u\n",
170 (u_int32_t)ntohl(ip->ip_src.s_addr),
171 (u_int32_t)ntohl(ip->ip_dst.s_addr),
172 (u_int32_t)ntohl(sav->spi)));
173 ipsecstat.out_inval++;
178 algo = ah_algorithm_lookup(sav->alg_auth);
180 ipseclog((LOG_ERR, "ah4_output: unsupported algorithm: "
181 "SPI=%u\n", (u_int32_t)ntohl(sav->spi)));
182 ipsecstat.out_inval++;
189 * determine the size to grow.
191 if (sav->flags & SADB_X_EXT_OLD) {
193 plen = ((*algo->sumsiz)(sav) + 3) & ~(4 - 1); /* XXX pad to 8byte? */
194 ahlen = plen + sizeof(struct ah);
197 plen = ((*algo->sumsiz)(sav) + 3) & ~(4 - 1); /* XXX pad to 8byte? */
198 ahlen = plen + sizeof(struct newah);
202 * grow the mbuf to accomodate AH.
204 ip = mtod(m, struct ip *);
206 hlen = IP_VHL_HL(ip->ip_vhl) << 2;
208 hlen = ip->ip_hl << 2;
211 if (m->m_len != hlen)
212 panic("ah4_output: assumption failed (first mbuf length)");
213 if (M_LEADINGSPACE(m->m_next) < ahlen) {
215 MGET(n, M_DONTWAIT, MT_DATA);
217 ipseclog((LOG_DEBUG, "ENOBUFS in ah4_output %d\n",
223 n->m_next = m->m_next;
225 m->m_pkthdr.len += ahlen;
226 ahdrpos = mtod(n, u_char *);
228 m->m_next->m_len += ahlen;
229 m->m_next->m_data -= ahlen;
230 m->m_pkthdr.len += ahlen;
231 ahdrpos = mtod(m->m_next, u_char *);
234 ip = mtod(m, struct ip *); /* just to be sure */
239 if (sav->flags & SADB_X_EXT_OLD) {
242 ahdr = (struct ah *)ahdrpos;
243 ahsumpos = (u_char *)(ahdr + 1);
244 ahdr->ah_len = plen >> 2;
245 ahdr->ah_nxt = ip->ip_p;
246 ahdr->ah_reserve = htons(0);
248 bzero(ahdr + 1, plen);
252 ahdr = (struct newah *)ahdrpos;
253 ahsumpos = (u_char *)(ahdr + 1);
254 ahdr->ah_len = (plen >> 2) + 1; /* plus one for seq# */
255 ahdr->ah_nxt = ip->ip_p;
256 ahdr->ah_reserve = htons(0);
258 if (sav->replay->count == ~0) {
259 if ((sav->flags & SADB_X_EXT_CYCSEQ) == 0) {
260 /* XXX Is it noisy ? */
261 ipseclog((LOG_WARNING,
262 "replay counter overflowed. %s\n",
263 ipsec_logsastr(sav)));
264 ipsecstat.out_inval++;
269 sav->replay->count++;
271 * XXX sequence number must not be cycled, if the SA is
272 * installed by IKE daemon.
274 ahdr->ah_seq = htonl(sav->replay->count);
275 bzero(ahdr + 1, plen);
279 * modify IPv4 header.
281 ip->ip_p = IPPROTO_AH;
282 if (ahlen < (IP_MAXPACKET - ntohs(ip->ip_len)))
283 ip->ip_len = htons(ntohs(ip->ip_len) + ahlen);
285 ipseclog((LOG_ERR, "IPv4 AH output: size exceeds limit\n"));
286 ipsecstat.out_inval++;
292 * If there is source routing option, update destination field in
293 * the IPv4 header to the final destination.
294 * Note that we do not need to update source routing option itself
295 * (as done in IPv4 AH processing -- see ip6_output()), since
296 * source routing option is not part of the ICV computation.
298 finaldst = ah4_finaldst(m);
300 dst.s_addr = ip->ip_dst.s_addr;
301 ip->ip_dst.s_addr = finaldst->s_addr;
305 * calcurate the checksum, based on security association
306 * and the algorithm specified.
308 error = ah4_calccksum(m, (caddr_t)ahsumpos, plen, algo, sav);
311 "error after ah4_calccksum, called from ah4_output"));
314 ipsecstat.out_inval++;
319 ip = mtod(m, struct ip *); /* just to make sure */
320 ip->ip_dst.s_addr = dst.s_addr;
322 ipsecstat.out_success++;
323 ipsecstat.out_ahhist[sav->alg_auth]++;
324 key_sa_recordxfer(sav, m);
330 /* Calculate AH length */
333 struct secasvar *sav;
335 const struct ah_algorithm *algo;
338 algo = ah_algorithm_lookup(sav->alg_auth);
341 if (sav->flags & SADB_X_EXT_OLD) {
343 plen = ((*algo->sumsiz)(sav) + 3) & ~(4 - 1); /* XXX pad to 8byte? */
344 ahlen = plen + sizeof(struct ah);
347 plen = ((*algo->sumsiz)(sav) + 3) & ~(4 - 1); /* XXX pad to 8byte? */
348 ahlen = plen + sizeof(struct newah);
356 * Fill in the Authentication Header and calculate checksum.
359 ah6_output(m, nexthdrp, md, isr)
363 struct ipsecrequest *isr;
367 struct secasvar *sav = isr->sav;
368 const struct ah_algorithm *algo;
370 u_char *ahsumpos = NULL;
371 size_t plen; /* AH payload size in bytes */
376 if (m->m_len < sizeof(struct ip6_hdr)) {
377 ipseclog((LOG_DEBUG, "ah6_output: first mbuf too short\n"));
382 ahlen = ah_hdrlen(sav);
386 for (mprev = m; mprev && mprev->m_next != md; mprev = mprev->m_next)
388 if (!mprev || mprev->m_next != md) {
389 ipseclog((LOG_DEBUG, "ah6_output: md is not in chain\n"));
394 MGET(mah, M_DONTWAIT, MT_DATA);
400 MCLGET(mah, M_DONTWAIT);
401 if ((mah->m_flags & M_EXT) == 0) {
410 m->m_pkthdr.len += ahlen;
413 if (m->m_pkthdr.len - sizeof(struct ip6_hdr) > IPV6_MAXPACKET) {
415 "ip6_output: AH with IPv6 jumbogram is not supported\n"));
419 ip6 = mtod(m, struct ip6_hdr *);
420 ip6->ip6_plen = htons(m->m_pkthdr.len - sizeof(struct ip6_hdr));
422 if ((sav->flags & SADB_X_EXT_OLD) == 0 && !sav->replay) {
423 ipseclog((LOG_DEBUG, "ah6_output: internal error: "
424 "sav->replay is null: SPI=%u\n",
425 (u_int32_t)ntohl(sav->spi)));
426 ipsec6stat.out_inval++;
431 algo = ah_algorithm_lookup(sav->alg_auth);
433 ipseclog((LOG_ERR, "ah6_output: unsupported algorithm: "
434 "SPI=%u\n", (u_int32_t)ntohl(sav->spi)));
435 ipsec6stat.out_inval++;
444 if (sav->flags & SADB_X_EXT_OLD) {
445 struct ah *ahdr = mtod(mah, struct ah *);
447 plen = mah->m_len - sizeof(struct ah);
448 ahsumpos = (u_char *)(ahdr + 1);
449 ahdr->ah_nxt = *nexthdrp;
450 *nexthdrp = IPPROTO_AH;
451 ahdr->ah_len = plen >> 2;
452 ahdr->ah_reserve = htons(0);
454 bzero(ahdr + 1, plen);
456 struct newah *ahdr = mtod(mah, struct newah *);
458 plen = mah->m_len - sizeof(struct newah);
459 ahsumpos = (u_char *)(ahdr + 1);
460 ahdr->ah_nxt = *nexthdrp;
461 *nexthdrp = IPPROTO_AH;
462 ahdr->ah_len = (plen >> 2) + 1; /* plus one for seq# */
463 ahdr->ah_reserve = htons(0);
465 if (sav->replay->count == ~0) {
466 if ((sav->flags & SADB_X_EXT_CYCSEQ) == 0) {
467 /* XXX Is it noisy ? */
468 ipseclog((LOG_WARNING,
469 "replay counter overflowed. %s\n",
470 ipsec_logsastr(sav)));
471 ipsec6stat.out_inval++;
476 sav->replay->count++;
478 * XXX sequence number must not be cycled, if the SA is
479 * installed by IKE daemon.
481 ahdr->ah_seq = htonl(sav->replay->count);
482 bzero(ahdr + 1, plen);
486 * calcurate the checksum, based on security association
487 * and the algorithm specified.
489 error = ah6_calccksum(m, (caddr_t)ahsumpos, plen, algo, sav);
491 ipsec6stat.out_inval++;
494 ipsec6stat.out_success++;
495 key_sa_recordxfer(sav, m);
497 ipsec6stat.out_ahhist[sav->alg_auth]++;
505 * Find the final destination if there is loose/strict source routing option.
506 * Returns NULL if there's no source routing options.
507 * Returns NULL on errors too.
508 * Note that this function will return a pointer INTO the given parameter,
510 * The mbuf must be pulled up toward, at least, ip option part.
512 static struct in_addr *
523 panic("ah4_finaldst: m == NULL");
524 ip = mtod(m, struct ip *);
525 hlen = (ip->ip_hl << 2);
527 if (m->m_len < hlen) {
529 "ah4_finaldst: parameter mbuf wrong (not pulled up)\n"));
533 if (hlen == sizeof(struct ip))
536 optlen = hlen - sizeof(struct ip);
538 ipseclog((LOG_DEBUG, "ah4_finaldst: wrong optlen %d\n",
543 q = (u_char *)(ip + 1);
546 if (i + IPOPT_OPTVAL >= optlen)
548 if (q[i + IPOPT_OPTVAL] == IPOPT_EOL ||
549 q[i + IPOPT_OPTVAL] == IPOPT_NOP ||
550 i + IPOPT_OLEN < optlen)
555 switch (q[i + IPOPT_OPTVAL]) {
557 i = optlen; /* bye */
564 if (q[i + IPOPT_OLEN] < 2 + sizeof(struct in_addr) ||
565 optlen - i < q[i + IPOPT_OLEN]) {
567 "ip_finaldst: invalid IP option "
568 "(code=%02x len=%02x)\n",
569 q[i + IPOPT_OPTVAL], q[i + IPOPT_OLEN]));
572 i += q[i + IPOPT_OLEN] - sizeof(struct in_addr);
573 return (struct in_addr *)(q + i);
575 if (q[i + IPOPT_OLEN] < 2 ||
576 optlen - i < q[i + IPOPT_OLEN]) {
578 "ip_finaldst: invalid IP option "
579 "(code=%02x len=%02x)\n",
580 q[i + IPOPT_OPTVAL], q[i + IPOPT_OLEN]));
583 i += q[i + IPOPT_OLEN];