1 /* $FreeBSD: src/sys/netinet6/ah_core.c,v 1.2.2.5 2002/04/28 05:40:26 suz Exp $ */
2 /* $DragonFly: src/sys/netinet6/ah_core.c,v 1.6 2004/06/02 14:43:01 eirikn Exp $ */
3 /* $KAME: ah_core.c,v 1.44 2001/03/12 11:24:39 itojun Exp $ */
6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the project nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
35 * RFC1826/2402 authentication header.
38 /* TODO: have shared routines for hmac-* algorithms */
41 #include "opt_inet6.h"
42 #include "opt_ipsec.h"
44 #include <sys/param.h>
45 #include <sys/systm.h>
46 #include <sys/malloc.h>
48 #include <sys/domain.h>
49 #include <sys/protosw.h>
50 #include <sys/socket.h>
51 #include <sys/socketvar.h>
52 #include <sys/errno.h>
54 #include <sys/syslog.h>
57 #include <net/route.h>
59 #include <netinet/in.h>
60 #include <netinet/in_systm.h>
61 #include <netinet/ip.h>
62 #include <netinet/in_var.h>
65 #include <netinet/ip6.h>
66 #include <netinet6/ip6_var.h>
67 #include <netinet/icmp6.h>
70 #include <netinet6/ipsec.h>
72 #include <netinet6/ipsec6.h>
74 #include <netinet6/ah.h>
76 #include <netinet6/ah6.h>
79 #include <netinet6/esp.h>
81 #include <netinet6/esp6.h>
84 #include <net/pfkeyv2.h>
85 #include <netproto/key/keydb.h>
87 #include <crypto/sha1.h>
88 #include <crypto/sha2/sha2.h>
90 #include <net/net_osdep.h>
94 static int ah_sumsiz_1216 (struct secasvar *);
95 static int ah_sumsiz_zero (struct secasvar *);
96 static int ah_none_mature (struct secasvar *);
97 static int ah_none_init (struct ah_algorithm_state *, struct secasvar *);
98 static void ah_none_loop (struct ah_algorithm_state *, caddr_t, size_t);
99 static void ah_none_result (struct ah_algorithm_state *, caddr_t);
100 static int ah_keyed_md5_mature (struct secasvar *);
101 static int ah_keyed_md5_init (struct ah_algorithm_state *,
103 static void ah_keyed_md5_loop (struct ah_algorithm_state *, caddr_t,
105 static void ah_keyed_md5_result (struct ah_algorithm_state *, caddr_t);
106 static int ah_keyed_sha1_mature (struct secasvar *);
107 static int ah_keyed_sha1_init (struct ah_algorithm_state *,
109 static void ah_keyed_sha1_loop (struct ah_algorithm_state *, caddr_t,
111 static void ah_keyed_sha1_result (struct ah_algorithm_state *, caddr_t);
112 static int ah_hmac_md5_mature (struct secasvar *);
113 static int ah_hmac_md5_init (struct ah_algorithm_state *,
115 static void ah_hmac_md5_loop (struct ah_algorithm_state *, caddr_t,
117 static void ah_hmac_md5_result (struct ah_algorithm_state *, caddr_t);
118 static int ah_hmac_sha1_mature (struct secasvar *);
119 static int ah_hmac_sha1_init (struct ah_algorithm_state *,
121 static void ah_hmac_sha1_loop (struct ah_algorithm_state *, caddr_t,
123 static void ah_hmac_sha1_result (struct ah_algorithm_state *, caddr_t);
124 static int ah_hmac_sha2_256_mature (struct secasvar *);
125 static int ah_hmac_sha2_256_init (struct ah_algorithm_state *,
127 static void ah_hmac_sha2_256_loop (struct ah_algorithm_state *, caddr_t,
129 static void ah_hmac_sha2_256_result (struct ah_algorithm_state *, caddr_t);
130 static int ah_hmac_sha2_384_mature (struct secasvar *);
131 static int ah_hmac_sha2_384_init (struct ah_algorithm_state *,
133 static void ah_hmac_sha2_384_loop (struct ah_algorithm_state *, caddr_t,
135 static void ah_hmac_sha2_384_result (struct ah_algorithm_state *, caddr_t);
136 static int ah_hmac_sha2_512_mature (struct secasvar *);
137 static int ah_hmac_sha2_512_init (struct ah_algorithm_state *,
139 static void ah_hmac_sha2_512_loop (struct ah_algorithm_state *, caddr_t,
141 static void ah_hmac_sha2_512_result (struct ah_algorithm_state *, caddr_t);
143 static void ah_update_mbuf (struct mbuf *, int, int,
144 const struct ah_algorithm *, struct ah_algorithm_state *);
146 const struct ah_algorithm *
147 ah_algorithm_lookup(int idx)
149 /* checksum algorithms */
150 static struct ah_algorithm ah_algorithms[] = {
151 { ah_sumsiz_1216, ah_hmac_md5_mature, 128, 128, "hmac-md5",
152 ah_hmac_md5_init, ah_hmac_md5_loop,
153 ah_hmac_md5_result, },
154 { ah_sumsiz_1216, ah_hmac_sha1_mature, 160, 160, "hmac-sha1",
155 ah_hmac_sha1_init, ah_hmac_sha1_loop,
156 ah_hmac_sha1_result, },
157 { ah_sumsiz_1216, ah_keyed_md5_mature, 128, 128, "keyed-md5",
158 ah_keyed_md5_init, ah_keyed_md5_loop,
159 ah_keyed_md5_result, },
160 { ah_sumsiz_1216, ah_keyed_sha1_mature, 160, 160, "keyed-sha1",
161 ah_keyed_sha1_init, ah_keyed_sha1_loop,
162 ah_keyed_sha1_result, },
163 { ah_sumsiz_zero, ah_none_mature, 0, 2048, "none",
164 ah_none_init, ah_none_loop, ah_none_result, },
165 { ah_sumsiz_1216, ah_hmac_sha2_256_mature, 256, 256,
167 ah_hmac_sha2_256_init, ah_hmac_sha2_256_loop,
168 ah_hmac_sha2_256_result, },
169 { ah_sumsiz_1216, ah_hmac_sha2_384_mature, 384, 384,
171 ah_hmac_sha2_384_init, ah_hmac_sha2_384_loop,
172 ah_hmac_sha2_384_result, },
173 { ah_sumsiz_1216, ah_hmac_sha2_512_mature, 512, 512,
175 ah_hmac_sha2_512_init, ah_hmac_sha2_512_loop,
176 ah_hmac_sha2_512_result, },
180 case SADB_AALG_MD5HMAC:
181 return &ah_algorithms[0];
182 case SADB_AALG_SHA1HMAC:
183 return &ah_algorithms[1];
184 case SADB_X_AALG_MD5:
185 return &ah_algorithms[2];
186 case SADB_X_AALG_SHA:
187 return &ah_algorithms[3];
188 case SADB_X_AALG_NULL:
189 return &ah_algorithms[4];
190 case SADB_X_AALG_SHA2_256:
191 return &ah_algorithms[5];
192 case SADB_X_AALG_SHA2_384:
193 return &ah_algorithms[6];
194 case SADB_X_AALG_SHA2_512:
195 return &ah_algorithms[7];
203 ah_sumsiz_1216(struct secasvar *sav)
207 if (sav->flags & SADB_X_EXT_OLD)
214 ah_sumsiz_zero(struct secasvar *sav)
222 ah_none_mature(struct secasvar *sav)
224 if (sav->sah->saidx.proto == IPPROTO_AH) {
226 "ah_none_mature: protocol and algorithm mismatch.\n"));
233 ah_none_init(struct ah_algorithm_state *state, struct secasvar *sav)
240 ah_none_loop(struct ah_algorithm_state *state, caddr_t addr, size_t len)
245 ah_none_result(struct ah_algorithm_state *state, caddr_t addr)
250 ah_keyed_md5_mature(struct secasvar *sav)
252 /* anything is okay */
257 ah_keyed_md5_init(struct ah_algorithm_state *state, struct secasvar *sav)
264 panic("ah_keyed_md5_init: what?");
267 state->foo = (void *)malloc(sizeof(MD5_CTX), M_TEMP, M_NOWAIT);
268 if (state->foo == NULL)
271 MD5Init((MD5_CTX *)state->foo);
273 MD5Update((MD5_CTX *)state->foo,
274 (u_int8_t *)_KEYBUF(state->sav->key_auth),
275 (u_int)_KEYLEN(state->sav->key_auth));
279 * We cannot simply use md5_pad() since the function
280 * won't update the total length.
282 if (_KEYLEN(state->sav->key_auth) < 56)
283 padlen = 64 - 8 - _KEYLEN(state->sav->key_auth);
285 padlen = 64 + 64 - 8 - _KEYLEN(state->sav->key_auth);
286 keybitlen = _KEYLEN(state->sav->key_auth);
290 MD5Update((MD5_CTX *)state->foo, &buf[0], 1);
293 bzero(buf, sizeof(buf));
294 while (sizeof(buf) < padlen) {
295 MD5Update((MD5_CTX *)state->foo, &buf[0], sizeof(buf));
296 padlen -= sizeof(buf);
299 MD5Update((MD5_CTX *)state->foo, &buf[0], padlen);
302 buf[0] = (keybitlen >> 0) & 0xff;
303 buf[1] = (keybitlen >> 8) & 0xff;
304 buf[2] = (keybitlen >> 16) & 0xff;
305 buf[3] = (keybitlen >> 24) & 0xff;
306 MD5Update((MD5_CTX *)state->foo, buf, 8);
313 ah_keyed_md5_loop(struct ah_algorithm_state *state, caddr_t addr, size_t len)
316 panic("ah_keyed_md5_loop: what?");
318 MD5Update((MD5_CTX *)state->foo, addr, len);
322 ah_keyed_md5_result(struct ah_algorithm_state *state, caddr_t addr)
327 panic("ah_keyed_md5_result: what?");
330 MD5Update((MD5_CTX *)state->foo,
331 (u_int8_t *)_KEYBUF(state->sav->key_auth),
332 (u_int)_KEYLEN(state->sav->key_auth));
334 MD5Final(&digest[0], (MD5_CTX *)state->foo);
335 free(state->foo, M_TEMP);
336 bcopy(&digest[0], (void *)addr, sizeof(digest));
340 ah_keyed_sha1_mature(struct secasvar *sav)
342 const struct ah_algorithm *algo;
344 if (!sav->key_auth) {
345 ipseclog((LOG_ERR, "ah_keyed_sha1_mature: no key is given.\n"));
349 algo = ah_algorithm_lookup(sav->alg_auth);
351 ipseclog((LOG_ERR, "ah_keyed_sha1_mature: unsupported algorithm.\n"));
355 if (sav->key_auth->sadb_key_bits < algo->keymin
356 || algo->keymax < sav->key_auth->sadb_key_bits) {
358 "ah_keyed_sha1_mature: invalid key length %d.\n",
359 sav->key_auth->sadb_key_bits));
367 ah_keyed_sha1_init(struct ah_algorithm_state *state, struct secasvar *sav)
375 panic("ah_keyed_sha1_init: what?");
378 state->foo = (void *)malloc(sizeof(SHA1_CTX), M_TEMP, M_NOWAIT);
382 ctxt = (SHA1_CTX *)state->foo;
386 SHA1Update(ctxt, (u_int8_t *)_KEYBUF(state->sav->key_auth),
387 (u_int)_KEYLEN(state->sav->key_auth));
392 if (_KEYLEN(state->sav->key_auth) < 56)
393 padlen = 64 - 8 - _KEYLEN(state->sav->key_auth);
395 padlen = 64 + 64 - 8 - _KEYLEN(state->sav->key_auth);
396 keybitlen = _KEYLEN(state->sav->key_auth);
400 SHA1Update(ctxt, &buf[0], 1);
403 bzero(buf, sizeof(buf));
404 while (sizeof(buf) < padlen) {
405 SHA1Update(ctxt, &buf[0], sizeof(buf));
406 padlen -= sizeof(buf);
409 SHA1Update(ctxt, &buf[0], padlen);
412 buf[0] = (keybitlen >> 0) & 0xff;
413 buf[1] = (keybitlen >> 8) & 0xff;
414 buf[2] = (keybitlen >> 16) & 0xff;
415 buf[3] = (keybitlen >> 24) & 0xff;
416 SHA1Update(ctxt, buf, 8);
423 ah_keyed_sha1_loop(struct ah_algorithm_state *state, caddr_t addr, size_t len)
427 if (!state || !state->foo)
428 panic("ah_keyed_sha1_loop: what?");
429 ctxt = (SHA1_CTX *)state->foo;
431 SHA1Update(ctxt, (caddr_t)addr, (size_t)len);
435 ah_keyed_sha1_result(struct ah_algorithm_state *state, caddr_t addr)
437 u_char digest[SHA1_RESULTLEN]; /* SHA-1 generates 160 bits */
440 if (!state || !state->foo)
441 panic("ah_keyed_sha1_result: what?");
442 ctxt = (SHA1_CTX *)state->foo;
445 SHA1Update(ctxt, (u_int8_t *)_KEYBUF(state->sav->key_auth),
446 (u_int)_KEYLEN(state->sav->key_auth));
448 SHA1Final((caddr_t)&digest[0], ctxt);
449 bcopy(&digest[0], (void *)addr, HMACSIZE);
451 free(state->foo, M_TEMP);
455 ah_hmac_md5_mature(struct secasvar *sav)
457 const struct ah_algorithm *algo;
459 if (!sav->key_auth) {
460 ipseclog((LOG_ERR, "ah_hmac_md5_mature: no key is given.\n"));
464 algo = ah_algorithm_lookup(sav->alg_auth);
466 ipseclog((LOG_ERR, "ah_hmac_md5_mature: unsupported algorithm.\n"));
470 if (sav->key_auth->sadb_key_bits < algo->keymin
471 || algo->keymax < sav->key_auth->sadb_key_bits) {
473 "ah_hmac_md5_mature: invalid key length %d.\n",
474 sav->key_auth->sadb_key_bits));
482 ah_hmac_md5_init(struct ah_algorithm_state *state, struct secasvar *sav)
493 panic("ah_hmac_md5_init: what?");
496 state->foo = (void *)malloc(64 + 64 + sizeof(MD5_CTX), M_TEMP, M_NOWAIT);
500 ipad = (u_char *)state->foo;
501 opad = (u_char *)(ipad + 64);
502 ctxt = (MD5_CTX *)(opad + 64);
504 /* compress the key if necessery */
505 if (64 < _KEYLEN(state->sav->key_auth)) {
507 MD5Update(ctxt, _KEYBUF(state->sav->key_auth),
508 _KEYLEN(state->sav->key_auth));
509 MD5Final(&tk[0], ctxt);
513 key = _KEYBUF(state->sav->key_auth);
514 keylen = _KEYLEN(state->sav->key_auth);
519 bcopy(key, ipad, keylen);
520 bcopy(key, opad, keylen);
521 for (i = 0; i < 64; i++) {
527 MD5Update(ctxt, ipad, 64);
533 ah_hmac_md5_loop(struct ah_algorithm_state *state, caddr_t addr, size_t len)
537 if (!state || !state->foo)
538 panic("ah_hmac_md5_loop: what?");
539 ctxt = (MD5_CTX *)(((caddr_t)state->foo) + 128);
540 MD5Update(ctxt, addr, len);
544 ah_hmac_md5_result(struct ah_algorithm_state *state, caddr_t addr)
551 if (!state || !state->foo)
552 panic("ah_hmac_md5_result: what?");
554 ipad = (u_char *)state->foo;
555 opad = (u_char *)(ipad + 64);
556 ctxt = (MD5_CTX *)(opad + 64);
558 MD5Final(&digest[0], ctxt);
561 MD5Update(ctxt, opad, 64);
562 MD5Update(ctxt, &digest[0], sizeof(digest));
563 MD5Final(&digest[0], ctxt);
565 bcopy(&digest[0], (void *)addr, HMACSIZE);
567 free(state->foo, M_TEMP);
571 ah_hmac_sha1_mature(struct secasvar *sav)
573 const struct ah_algorithm *algo;
575 if (!sav->key_auth) {
576 ipseclog((LOG_ERR, "ah_hmac_sha1_mature: no key is given.\n"));
580 algo = ah_algorithm_lookup(sav->alg_auth);
582 ipseclog((LOG_ERR, "ah_hmac_sha1_mature: unsupported algorithm.\n"));
586 if (sav->key_auth->sadb_key_bits < algo->keymin
587 || algo->keymax < sav->key_auth->sadb_key_bits) {
589 "ah_hmac_sha1_mature: invalid key length %d.\n",
590 sav->key_auth->sadb_key_bits));
598 ah_hmac_sha1_init(struct ah_algorithm_state *state, struct secasvar *sav)
603 u_char tk[SHA1_RESULTLEN]; /* SHA-1 generates 160 bits */
609 panic("ah_hmac_sha1_init: what?");
612 state->foo = (void *)malloc(64 + 64 + sizeof(SHA1_CTX),
617 ipad = (u_char *)state->foo;
618 opad = (u_char *)(ipad + 64);
619 ctxt = (SHA1_CTX *)(opad + 64);
621 /* compress the key if necessery */
622 if (64 < _KEYLEN(state->sav->key_auth)) {
624 SHA1Update(ctxt, _KEYBUF(state->sav->key_auth),
625 _KEYLEN(state->sav->key_auth));
626 SHA1Final(&tk[0], ctxt);
628 keylen = SHA1_RESULTLEN;
630 key = _KEYBUF(state->sav->key_auth);
631 keylen = _KEYLEN(state->sav->key_auth);
636 bcopy(key, ipad, keylen);
637 bcopy(key, opad, keylen);
638 for (i = 0; i < 64; i++) {
644 SHA1Update(ctxt, ipad, 64);
650 ah_hmac_sha1_loop(struct ah_algorithm_state *state, caddr_t addr, size_t len)
654 if (!state || !state->foo)
655 panic("ah_hmac_sha1_loop: what?");
657 ctxt = (SHA1_CTX *)(((u_char *)state->foo) + 128);
658 SHA1Update(ctxt, (caddr_t)addr, (size_t)len);
662 ah_hmac_sha1_result(struct ah_algorithm_state *state, caddr_t addr)
664 u_char digest[SHA1_RESULTLEN]; /* SHA-1 generates 160 bits */
669 if (!state || !state->foo)
670 panic("ah_hmac_sha1_result: what?");
672 ipad = (u_char *)state->foo;
673 opad = (u_char *)(ipad + 64);
674 ctxt = (SHA1_CTX *)(opad + 64);
676 SHA1Final((caddr_t)&digest[0], ctxt);
679 SHA1Update(ctxt, opad, 64);
680 SHA1Update(ctxt, (caddr_t)&digest[0], sizeof(digest));
681 SHA1Final((caddr_t)&digest[0], ctxt);
683 bcopy(&digest[0], (void *)addr, HMACSIZE);
685 free(state->foo, M_TEMP);
689 ah_hmac_sha2_256_mature(struct secasvar *sav)
691 const struct ah_algorithm *algo;
693 if (!sav->key_auth) {
695 "ah_hmac_sha2_256_mature: no key is given.\n"));
699 algo = ah_algorithm_lookup(sav->alg_auth);
702 "ah_hmac_sha2_256_mature: unsupported algorithm.\n"));
706 if (sav->key_auth->sadb_key_bits < algo->keymin ||
707 algo->keymax < sav->key_auth->sadb_key_bits) {
709 "ah_hmac_sha2_256_mature: invalid key length %d.\n",
710 sav->key_auth->sadb_key_bits));
718 ah_hmac_sha2_256_init(struct ah_algorithm_state *state, struct secasvar *sav)
723 u_char tk[SHA256_DIGEST_LENGTH];
729 panic("ah_hmac_sha2_256_init: what?");
732 state->foo = (void *)malloc(64 + 64 + sizeof(SHA256_CTX),
737 ipad = (u_char *)state->foo;
738 opad = (u_char *)(ipad + 64);
739 ctxt = (SHA256_CTX *)(opad + 64);
741 /* compress the key if necessery */
742 if (64 < _KEYLEN(state->sav->key_auth)) {
743 bzero(tk, sizeof(tk));
744 bzero(ctxt, sizeof(*ctxt));
746 SHA256_Update(ctxt, _KEYBUF(state->sav->key_auth),
747 _KEYLEN(state->sav->key_auth));
748 SHA256_Final(&tk[0], ctxt);
750 keylen = sizeof(tk) < 64 ? sizeof(tk) : 64;
752 key = _KEYBUF(state->sav->key_auth);
753 keylen = _KEYLEN(state->sav->key_auth);
758 bcopy(key, ipad, keylen);
759 bcopy(key, opad, keylen);
760 for (i = 0; i < 64; i++) {
765 bzero(ctxt, sizeof(*ctxt));
767 SHA256_Update(ctxt, ipad, 64);
773 ah_hmac_sha2_256_loop(struct ah_algorithm_state *state, caddr_t addr, size_t
778 if (!state || !state->foo)
779 panic("ah_hmac_sha2_256_loop: what?");
781 ctxt = (SHA256_CTX *)(((u_char *)state->foo) + 128);
782 SHA256_Update(ctxt, (caddr_t)addr, (size_t)len);
786 ah_hmac_sha2_256_result(struct ah_algorithm_state *state, caddr_t addr)
788 u_char digest[SHA256_DIGEST_LENGTH];
793 if (!state || !state->foo)
794 panic("ah_hmac_sha2_256_result: what?");
796 ipad = (u_char *)state->foo;
797 opad = (u_char *)(ipad + 64);
798 ctxt = (SHA256_CTX *)(opad + 64);
800 SHA256_Final((caddr_t)&digest[0], ctxt);
802 bzero(ctxt, sizeof(*ctxt));
804 SHA256_Update(ctxt, opad, 64);
805 SHA256_Update(ctxt, (caddr_t)&digest[0], sizeof(digest));
806 SHA256_Final((caddr_t)&digest[0], ctxt);
808 bcopy(&digest[0], (void *)addr, HMACSIZE);
810 free(state->foo, M_TEMP);
814 ah_hmac_sha2_384_mature(struct secasvar *sav)
816 const struct ah_algorithm *algo;
818 if (!sav->key_auth) {
820 "ah_hmac_sha2_384_mature: no key is given.\n"));
824 algo = ah_algorithm_lookup(sav->alg_auth);
827 "ah_hmac_sha2_384_mature: unsupported algorithm.\n"));
831 if (sav->key_auth->sadb_key_bits < algo->keymin ||
832 algo->keymax < sav->key_auth->sadb_key_bits) {
834 "ah_hmac_sha2_384_mature: invalid key length %d.\n",
835 sav->key_auth->sadb_key_bits));
843 ah_hmac_sha2_384_init(struct ah_algorithm_state *state, struct secasvar *sav)
848 u_char tk[SHA384_DIGEST_LENGTH];
854 panic("ah_hmac_sha2_384_init: what?");
857 state->foo = (void *)malloc(64 + 64 + sizeof(SHA384_CTX),
861 bzero(state->foo, 64 + 64 + sizeof(SHA384_CTX));
863 ipad = (u_char *)state->foo;
864 opad = (u_char *)(ipad + 64);
865 ctxt = (SHA384_CTX *)(opad + 64);
867 /* compress the key if necessery */
868 if (64 < _KEYLEN(state->sav->key_auth)) {
869 bzero(tk, sizeof(tk));
870 bzero(ctxt, sizeof(*ctxt));
872 SHA384_Update(ctxt, _KEYBUF(state->sav->key_auth),
873 _KEYLEN(state->sav->key_auth));
874 SHA384_Final(&tk[0], ctxt);
876 keylen = sizeof(tk) < 64 ? sizeof(tk) : 64;
878 key = _KEYBUF(state->sav->key_auth);
879 keylen = _KEYLEN(state->sav->key_auth);
884 bcopy(key, ipad, keylen);
885 bcopy(key, opad, keylen);
886 for (i = 0; i < 64; i++) {
891 bzero(ctxt, sizeof(*ctxt));
893 SHA384_Update(ctxt, ipad, 64);
899 ah_hmac_sha2_384_loop(struct ah_algorithm_state *state, caddr_t addr,
904 if (!state || !state->foo)
905 panic("ah_hmac_sha2_384_loop: what?");
907 ctxt = (SHA384_CTX *)(((u_char *)state->foo) + 128);
908 SHA384_Update(ctxt, (caddr_t)addr, (size_t)len);
912 ah_hmac_sha2_384_result(struct ah_algorithm_state *state, caddr_t addr)
914 u_char digest[SHA384_DIGEST_LENGTH];
919 if (!state || !state->foo)
920 panic("ah_hmac_sha2_384_result: what?");
922 ipad = (u_char *)state->foo;
923 opad = (u_char *)(ipad + 64);
924 ctxt = (SHA384_CTX *)(opad + 64);
926 SHA384_Final((caddr_t)&digest[0], ctxt);
928 bzero(ctxt, sizeof(*ctxt));
930 SHA384_Update(ctxt, opad, 64);
931 SHA384_Update(ctxt, (caddr_t)&digest[0], sizeof(digest));
932 SHA384_Final((caddr_t)&digest[0], ctxt);
934 bcopy(&digest[0], (void *)addr, HMACSIZE);
936 free(state->foo, M_TEMP);
940 ah_hmac_sha2_512_mature(struct secasvar *sav)
942 const struct ah_algorithm *algo;
944 if (!sav->key_auth) {
946 "ah_hmac_sha2_512_mature: no key is given.\n"));
950 algo = ah_algorithm_lookup(sav->alg_auth);
953 "ah_hmac_sha2_512_mature: unsupported algorithm.\n"));
957 if (sav->key_auth->sadb_key_bits < algo->keymin ||
958 algo->keymax < sav->key_auth->sadb_key_bits) {
960 "ah_hmac_sha2_512_mature: invalid key length %d.\n",
961 sav->key_auth->sadb_key_bits));
969 ah_hmac_sha2_512_init(struct ah_algorithm_state *state, struct secasvar *sav)
974 u_char tk[SHA512_DIGEST_LENGTH];
980 panic("ah_hmac_sha2_512_init: what?");
983 state->foo = (void *)malloc(64 + 64 + sizeof(SHA512_CTX),
987 bzero(state->foo, 64 + 64 + sizeof(SHA512_CTX));
989 ipad = (u_char *)state->foo;
990 opad = (u_char *)(ipad + 64);
991 ctxt = (SHA512_CTX *)(opad + 64);
993 /* compress the key if necessery */
994 if (64 < _KEYLEN(state->sav->key_auth)) {
995 bzero(tk, sizeof(tk));
996 bzero(ctxt, sizeof(*ctxt));
998 SHA512_Update(ctxt, _KEYBUF(state->sav->key_auth),
999 _KEYLEN(state->sav->key_auth));
1000 SHA512_Final(&tk[0], ctxt);
1002 keylen = sizeof(tk) < 64 ? sizeof(tk) : 64;
1004 key = _KEYBUF(state->sav->key_auth);
1005 keylen = _KEYLEN(state->sav->key_auth);
1010 bcopy(key, ipad, keylen);
1011 bcopy(key, opad, keylen);
1012 for (i = 0; i < 64; i++) {
1017 bzero(ctxt, sizeof(*ctxt));
1019 SHA512_Update(ctxt, ipad, 64);
1025 ah_hmac_sha2_512_loop(struct ah_algorithm_state *state, caddr_t addr,
1030 if (!state || !state->foo)
1031 panic("ah_hmac_sha2_512_loop: what?");
1033 ctxt = (SHA512_CTX *)(((u_char *)state->foo) + 128);
1034 SHA512_Update(ctxt, (caddr_t)addr, (size_t)len);
1038 ah_hmac_sha2_512_result(struct ah_algorithm_state *state, caddr_t addr)
1040 u_char digest[SHA512_DIGEST_LENGTH];
1045 if (!state || !state->foo)
1046 panic("ah_hmac_sha2_512_result: what?");
1048 ipad = (u_char *)state->foo;
1049 opad = (u_char *)(ipad + 64);
1050 ctxt = (SHA512_CTX *)(opad + 64);
1052 SHA512_Final((caddr_t)&digest[0], ctxt);
1054 bzero(ctxt, sizeof(*ctxt));
1056 SHA512_Update(ctxt, opad, 64);
1057 SHA512_Update(ctxt, (caddr_t)&digest[0], sizeof(digest));
1058 SHA512_Final((caddr_t)&digest[0], ctxt);
1060 bcopy(&digest[0], (void *)addr, HMACSIZE);
1062 free(state->foo, M_TEMP);
1065 /*------------------------------------------------------------*/
1068 * go generate the checksum.
1071 ah_update_mbuf(struct mbuf *m, int off, int len,
1072 const struct ah_algorithm *algo,
1073 struct ah_algorithm_state *algos)
1078 /* easy case first */
1079 if (off + len <= m->m_len) {
1080 (algo->update)(algos, mtod(m, caddr_t) + off, len);
1084 for (n = m; n; n = n->m_next) {
1092 panic("ah_update_mbuf: wrong offset specified");
1094 for (/* nothing */; n && len > 0; n = n->m_next) {
1097 if (n->m_len - off < len)
1098 tlen = n->m_len - off;
1102 (algo->update)(algos, mtod(n, caddr_t) + off, tlen);
1111 * Go generate the checksum. This function won't modify the mbuf chain
1114 * NOTE: the function does not free mbuf on failure.
1115 * Don't use m_copy(), it will try to share cluster mbuf by using refcnt.
1118 ah4_calccksum(struct mbuf *m, caddr_t ahdat, size_t len,
1119 const struct ah_algorithm *algo, struct secasvar *sav)
1123 size_t advancewidth;
1124 struct ah_algorithm_state algos;
1125 u_char sumbuf[AH_MAXSUMSIZE];
1128 struct mbuf *n = NULL;
1130 if ((m->m_flags & M_PKTHDR) == 0)
1134 hdrtype = -1; /* dummy, it is called IPPROTO_IP */
1138 error = (algo->init)(&algos, sav);
1142 advancewidth = 0; /* safety */
1147 case -1: /* first one only */
1150 * copy ip hdr, modify to fit the AH checksum rule,
1151 * then take a checksum.
1156 m_copydata(m, off, sizeof(iphdr), (caddr_t)&iphdr);
1158 hlen = IP_VHL_HL(iphdr.ip_vhl) << 2;
1160 hlen = iphdr.ip_hl << 2;
1163 iphdr.ip_sum = htons(0);
1164 if (ip4_ah_cleartos)
1166 iphdr.ip_off = htons(ntohs(iphdr.ip_off) & ip4_ah_offsetmask);
1167 (algo->update)(&algos, (caddr_t)&iphdr, sizeof(struct ip));
1169 if (hlen != sizeof(struct ip)) {
1173 if (hlen > MCLBYTES) {
1177 MGET(n, MB_DONTWAIT, MT_DATA);
1178 if (n && hlen > MLEN) {
1179 MCLGET(n, MB_DONTWAIT);
1180 if ((n->m_flags & M_EXT) == 0) {
1189 m_copydata(m, off, hlen, mtod(n, caddr_t));
1192 * IP options processing.
1193 * See RFC2402 appendix A.
1195 p = mtod(n, u_char *);
1196 i = sizeof(struct ip);
1198 if (i + IPOPT_OPTVAL >= hlen) {
1199 ipseclog((LOG_ERR, "ah4_calccksum: "
1200 "invalid IP option\n"));
1204 if (p[i + IPOPT_OPTVAL] == IPOPT_EOL ||
1205 p[i + IPOPT_OPTVAL] == IPOPT_NOP ||
1206 i + IPOPT_OLEN < hlen)
1210 "ah4_calccksum: invalid IP option "
1212 p[i + IPOPT_OPTVAL]));
1218 switch (p[i + IPOPT_OPTVAL]) {
1224 case IPOPT_SECURITY: /* 0x82 */
1225 case 0x85: /* Extended security */
1226 case 0x86: /* Commercial security */
1227 case 0x94: /* Router alert */
1228 case 0x95: /* RFC1770 */
1229 l = p[i + IPOPT_OLEN];
1235 l = p[i + IPOPT_OLEN];
1241 if (l < 1 || hlen - i < l) {
1244 "ah4_calccksum: invalid IP option "
1245 "(type=%02x len=%02x)\n",
1246 p[i + IPOPT_OPTVAL],
1247 p[i + IPOPT_OLEN]));
1253 if (p[i + IPOPT_OPTVAL] == IPOPT_EOL)
1257 p = mtod(n, u_char *) + sizeof(struct ip);
1258 (algo->update)(&algos, p, hlen - sizeof(struct ip));
1264 hdrtype = (iphdr.ip_p) & 0xff;
1265 advancewidth = hlen;
1276 m_copydata(m, off, sizeof(ah), (caddr_t)&ah);
1277 hdrsiz = (sav->flags & SADB_X_EXT_OLD)
1279 : sizeof(struct newah);
1280 siz = (*algo->sumsiz)(sav);
1281 totlen = (ah.ah_len + 2) << 2;
1284 * special treatment is necessary for the first one, not others
1287 if (totlen > m->m_pkthdr.len - off ||
1288 totlen > MCLBYTES) {
1292 MGET(n, MB_DONTWAIT, MT_DATA);
1293 if (n && totlen > MLEN) {
1294 MCLGET(n, MB_DONTWAIT);
1295 if ((n->m_flags & M_EXT) == 0) {
1304 m_copydata(m, off, totlen, mtod(n, caddr_t));
1306 bzero(mtod(n, caddr_t) + hdrsiz, siz);
1307 (algo->update)(&algos, mtod(n, caddr_t), n->m_len);
1311 ah_update_mbuf(m, off, totlen, algo, &algos);
1314 hdrtype = ah.ah_nxt;
1315 advancewidth = totlen;
1320 ah_update_mbuf(m, off, m->m_pkthdr.len - off, algo, &algos);
1321 advancewidth = m->m_pkthdr.len - off;
1325 off += advancewidth;
1326 if (off < m->m_pkthdr.len)
1329 if (len < (*algo->sumsiz)(sav)) {
1334 (algo->result)(&algos, &sumbuf[0]);
1335 bcopy(&sumbuf[0], ahdat, (*algo->sumsiz)(sav));
1350 * Go generate the checksum. This function won't modify the mbuf chain
1353 * NOTE: the function does not free mbuf on failure.
1354 * Don't use m_copy(), it will try to share cluster mbuf by using refcnt.
1357 ah6_calccksum(struct mbuf *m, caddr_t ahdat, size_t len,
1358 const struct ah_algorithm *algo, struct secasvar *sav)
1362 struct mbuf *n = NULL;
1365 struct ah_algorithm_state algos;
1366 u_char sumbuf[AH_MAXSUMSIZE];
1368 if ((m->m_flags & M_PKTHDR) == 0)
1371 error = (algo->init)(&algos, sav);
1376 proto = IPPROTO_IPV6;
1381 newoff = ip6_nexthdr(m, off, proto, &nxt);
1383 newoff = m->m_pkthdr.len;
1384 else if (newoff <= off) {
1392 * special treatment is necessary for the first one, not others
1395 struct ip6_hdr ip6copy;
1397 if (newoff - off != sizeof(struct ip6_hdr)) {
1402 m_copydata(m, off, newoff - off, (caddr_t)&ip6copy);
1404 ip6copy.ip6_flow = 0;
1405 ip6copy.ip6_vfc &= ~IPV6_VERSION_MASK;
1406 ip6copy.ip6_vfc |= IPV6_VERSION;
1407 ip6copy.ip6_hlim = 0;
1408 if (IN6_IS_ADDR_LINKLOCAL(&ip6copy.ip6_src))
1409 ip6copy.ip6_src.s6_addr16[1] = 0x0000;
1410 if (IN6_IS_ADDR_LINKLOCAL(&ip6copy.ip6_dst))
1411 ip6copy.ip6_dst.s6_addr16[1] = 0x0000;
1412 (algo->update)(&algos, (caddr_t)&ip6copy,
1413 sizeof(struct ip6_hdr));
1415 newoff = m->m_pkthdr.len;
1416 ah_update_mbuf(m, off, m->m_pkthdr.len - off, algo,
1426 hdrsiz = (sav->flags & SADB_X_EXT_OLD)
1428 : sizeof(struct newah);
1429 siz = (*algo->sumsiz)(sav);
1432 * special treatment is necessary for the first one, not others
1435 if (newoff - off > MCLBYTES) {
1439 MGET(n, MB_DONTWAIT, MT_DATA);
1440 if (n && newoff - off > MLEN) {
1441 MCLGET(n, MB_DONTWAIT);
1442 if ((n->m_flags & M_EXT) == 0) {
1451 m_copydata(m, off, newoff - off, mtod(n, caddr_t));
1452 n->m_len = newoff - off;
1453 bzero(mtod(n, caddr_t) + hdrsiz, siz);
1454 (algo->update)(&algos, mtod(n, caddr_t), n->m_len);
1458 ah_update_mbuf(m, off, newoff - off, algo, &algos);
1463 case IPPROTO_HOPOPTS:
1464 case IPPROTO_DSTOPTS:
1466 struct ip6_ext *ip6e;
1468 u_int8_t *p, *optend, *optp;
1470 if (newoff - off > MCLBYTES) {
1474 MGET(n, MB_DONTWAIT, MT_DATA);
1475 if (n && newoff - off > MLEN) {
1476 MCLGET(n, MB_DONTWAIT);
1477 if ((n->m_flags & M_EXT) == 0) {
1486 m_copydata(m, off, newoff - off, mtod(n, caddr_t));
1487 n->m_len = newoff - off;
1489 ip6e = mtod(n, struct ip6_ext *);
1490 hdrlen = (ip6e->ip6e_len + 1) << 3;
1491 if (newoff - off < hdrlen) {
1497 p = mtod(n, u_int8_t *);
1498 optend = p + hdrlen;
1501 * ICV calculation for the options header including all
1502 * options. This part is a little tricky since there are
1503 * two type of options; mutable and immutable. We try to
1504 * null-out mutable ones here.
1507 while (optp < optend) {
1508 if (optp[0] == IP6OPT_PAD1)
1511 if (optp + 2 > optend) {
1517 optlen = optp[1] + 2;
1519 if (optp[0] & IP6OPT_MUTABLE)
1520 bzero(optp + 2, optlen - 2);
1526 (algo->update)(&algos, mtod(n, caddr_t), n->m_len);
1532 case IPPROTO_ROUTING:
1534 * For an input packet, we can just calculate `as is'.
1535 * For an output packet, we assume ip6_output have already
1536 * made packet how it will be received at the final
1542 ah_update_mbuf(m, off, newoff - off, algo, &algos);
1546 if (newoff < m->m_pkthdr.len) {
1552 if (len < (*algo->sumsiz)(sav)) {
1557 (algo->result)(&algos, &sumbuf[0]);
1558 bcopy(&sumbuf[0], ahdat, (*algo->sumsiz)(sav));