1 /* $FreeBSD: src/sys/netinet6/ah_core.c,v 1.2.2.5 2002/04/28 05:40:26 suz Exp $ */
2 /* $DragonFly: src/sys/netinet6/ah_core.c,v 1.11 2008/01/05 14:02:40 swildner Exp $ */
3 /* $KAME: ah_core.c,v 1.44 2001/03/12 11:24:39 itojun Exp $ */
6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the project nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
35 * RFC1826/2402 authentication header.
38 /* TODO: have shared routines for hmac-* algorithms */
41 #include "opt_inet6.h"
42 #include "opt_ipsec.h"
44 #include <sys/param.h>
45 #include <sys/systm.h>
46 #include <sys/malloc.h>
48 #include <sys/domain.h>
49 #include <sys/protosw.h>
50 #include <sys/socket.h>
51 #include <sys/socketvar.h>
52 #include <sys/errno.h>
54 #include <sys/syslog.h>
57 #include <net/route.h>
59 #include <netinet/in.h>
60 #include <netinet/in_systm.h>
61 #include <netinet/ip.h>
62 #include <netinet/in_var.h>
65 #include <netinet/ip6.h>
66 #include <netinet6/ip6_var.h>
67 #include <netinet/icmp6.h>
70 #include <netinet6/ipsec.h>
72 #include <netinet6/ipsec6.h>
74 #include <netinet6/ah.h>
76 #include <netinet6/ah6.h>
79 #include <netinet6/esp.h>
81 #include <netinet6/esp6.h>
84 #include <net/pfkeyv2.h>
85 #include <netproto/key/keydb.h>
87 #include <crypto/sha1.h>
88 #include <crypto/sha2/sha2.h>
90 #include <net/net_osdep.h>
94 static int ah_sumsiz_1216 (struct secasvar *);
95 static int ah_sumsiz_zero (struct secasvar *);
96 static int ah_none_mature (struct secasvar *);
97 static int ah_none_init (struct ah_algorithm_state *, struct secasvar *);
98 static void ah_none_loop (struct ah_algorithm_state *, caddr_t, size_t);
99 static void ah_none_result (struct ah_algorithm_state *, caddr_t);
100 static int ah_keyed_md5_mature (struct secasvar *);
101 static int ah_keyed_md5_init (struct ah_algorithm_state *,
103 static void ah_keyed_md5_loop (struct ah_algorithm_state *, caddr_t,
105 static void ah_keyed_md5_result (struct ah_algorithm_state *, caddr_t);
106 static int ah_keyed_sha1_mature (struct secasvar *);
107 static int ah_keyed_sha1_init (struct ah_algorithm_state *,
109 static void ah_keyed_sha1_loop (struct ah_algorithm_state *, caddr_t,
111 static void ah_keyed_sha1_result (struct ah_algorithm_state *, caddr_t);
112 static int ah_hmac_md5_mature (struct secasvar *);
113 static int ah_hmac_md5_init (struct ah_algorithm_state *,
115 static void ah_hmac_md5_loop (struct ah_algorithm_state *, caddr_t,
117 static void ah_hmac_md5_result (struct ah_algorithm_state *, caddr_t);
118 static int ah_hmac_sha1_mature (struct secasvar *);
119 static int ah_hmac_sha1_init (struct ah_algorithm_state *,
121 static void ah_hmac_sha1_loop (struct ah_algorithm_state *, caddr_t,
123 static void ah_hmac_sha1_result (struct ah_algorithm_state *, caddr_t);
124 static int ah_hmac_sha2_256_mature (struct secasvar *);
125 static int ah_hmac_sha2_256_init (struct ah_algorithm_state *,
127 static void ah_hmac_sha2_256_loop (struct ah_algorithm_state *, caddr_t,
129 static void ah_hmac_sha2_256_result (struct ah_algorithm_state *, caddr_t);
130 static int ah_hmac_sha2_384_mature (struct secasvar *);
131 static int ah_hmac_sha2_384_init (struct ah_algorithm_state *,
133 static void ah_hmac_sha2_384_loop (struct ah_algorithm_state *, caddr_t,
135 static void ah_hmac_sha2_384_result (struct ah_algorithm_state *, caddr_t);
136 static int ah_hmac_sha2_512_mature (struct secasvar *);
137 static int ah_hmac_sha2_512_init (struct ah_algorithm_state *,
139 static void ah_hmac_sha2_512_loop (struct ah_algorithm_state *, caddr_t,
141 static void ah_hmac_sha2_512_result (struct ah_algorithm_state *, caddr_t);
143 static void ah_update_mbuf (struct mbuf *, int, int,
144 const struct ah_algorithm *, struct ah_algorithm_state *);
146 const struct ah_algorithm *
147 ah_algorithm_lookup(int idx)
149 /* checksum algorithms */
150 static struct ah_algorithm ah_algorithms[] = {
151 { ah_sumsiz_1216, ah_hmac_md5_mature, 128, 128, "hmac-md5",
152 ah_hmac_md5_init, ah_hmac_md5_loop,
153 ah_hmac_md5_result, },
154 { ah_sumsiz_1216, ah_hmac_sha1_mature, 160, 160, "hmac-sha1",
155 ah_hmac_sha1_init, ah_hmac_sha1_loop,
156 ah_hmac_sha1_result, },
157 { ah_sumsiz_1216, ah_keyed_md5_mature, 128, 128, "keyed-md5",
158 ah_keyed_md5_init, ah_keyed_md5_loop,
159 ah_keyed_md5_result, },
160 { ah_sumsiz_1216, ah_keyed_sha1_mature, 160, 160, "keyed-sha1",
161 ah_keyed_sha1_init, ah_keyed_sha1_loop,
162 ah_keyed_sha1_result, },
163 { ah_sumsiz_zero, ah_none_mature, 0, 2048, "none",
164 ah_none_init, ah_none_loop, ah_none_result, },
165 { ah_sumsiz_1216, ah_hmac_sha2_256_mature, 256, 256,
167 ah_hmac_sha2_256_init, ah_hmac_sha2_256_loop,
168 ah_hmac_sha2_256_result, },
169 { ah_sumsiz_1216, ah_hmac_sha2_384_mature, 384, 384,
171 ah_hmac_sha2_384_init, ah_hmac_sha2_384_loop,
172 ah_hmac_sha2_384_result, },
173 { ah_sumsiz_1216, ah_hmac_sha2_512_mature, 512, 512,
175 ah_hmac_sha2_512_init, ah_hmac_sha2_512_loop,
176 ah_hmac_sha2_512_result, },
180 case SADB_AALG_MD5HMAC:
181 return &ah_algorithms[0];
182 case SADB_AALG_SHA1HMAC:
183 return &ah_algorithms[1];
184 case SADB_X_AALG_MD5:
185 return &ah_algorithms[2];
186 case SADB_X_AALG_SHA:
187 return &ah_algorithms[3];
188 case SADB_X_AALG_NULL:
189 return &ah_algorithms[4];
190 case SADB_X_AALG_SHA2_256:
191 return &ah_algorithms[5];
192 case SADB_X_AALG_SHA2_384:
193 return &ah_algorithms[6];
194 case SADB_X_AALG_SHA2_512:
195 return &ah_algorithms[7];
203 ah_sumsiz_1216(struct secasvar *sav)
207 if (sav->flags & SADB_X_EXT_OLD)
214 ah_sumsiz_zero(struct secasvar *sav)
222 ah_none_mature(struct secasvar *sav)
224 if (sav->sah->saidx.proto == IPPROTO_AH) {
226 "ah_none_mature: protocol and algorithm mismatch.\n"));
233 ah_none_init(struct ah_algorithm_state *state, struct secasvar *sav)
240 ah_none_loop(struct ah_algorithm_state *state, caddr_t addr, size_t len)
245 ah_none_result(struct ah_algorithm_state *state, caddr_t addr)
250 ah_keyed_md5_mature(struct secasvar *sav)
252 /* anything is okay */
257 ah_keyed_md5_init(struct ah_algorithm_state *state, struct secasvar *sav)
264 panic("ah_keyed_md5_init: what?");
267 state->foo = (void *)kmalloc(sizeof(MD5_CTX), M_TEMP, M_NOWAIT);
268 if (state->foo == NULL)
271 MD5Init((MD5_CTX *)state->foo);
273 MD5Update((MD5_CTX *)state->foo,
274 (u_int8_t *)_KEYBUF(state->sav->key_auth),
275 (u_int)_KEYLEN(state->sav->key_auth));
279 * We cannot simply use md5_pad() since the function
280 * won't update the total length.
282 if (_KEYLEN(state->sav->key_auth) < 56)
283 padlen = 64 - 8 - _KEYLEN(state->sav->key_auth);
285 padlen = 64 + 64 - 8 - _KEYLEN(state->sav->key_auth);
286 keybitlen = _KEYLEN(state->sav->key_auth);
290 MD5Update((MD5_CTX *)state->foo, &buf[0], 1);
293 bzero(buf, sizeof(buf));
294 while (sizeof(buf) < padlen) {
295 MD5Update((MD5_CTX *)state->foo, &buf[0], sizeof(buf));
296 padlen -= sizeof(buf);
299 MD5Update((MD5_CTX *)state->foo, &buf[0], padlen);
302 buf[0] = (keybitlen >> 0) & 0xff;
303 buf[1] = (keybitlen >> 8) & 0xff;
304 buf[2] = (keybitlen >> 16) & 0xff;
305 buf[3] = (keybitlen >> 24) & 0xff;
306 MD5Update((MD5_CTX *)state->foo, buf, 8);
313 ah_keyed_md5_loop(struct ah_algorithm_state *state, caddr_t addr, size_t len)
316 panic("ah_keyed_md5_loop: what?");
318 MD5Update((MD5_CTX *)state->foo, addr, len);
322 ah_keyed_md5_result(struct ah_algorithm_state *state, caddr_t addr)
327 panic("ah_keyed_md5_result: what?");
330 MD5Update((MD5_CTX *)state->foo,
331 (u_int8_t *)_KEYBUF(state->sav->key_auth),
332 (u_int)_KEYLEN(state->sav->key_auth));
334 MD5Final(&digest[0], (MD5_CTX *)state->foo);
335 kfree(state->foo, M_TEMP);
336 bcopy(&digest[0], (void *)addr, sizeof(digest));
340 ah_keyed_sha1_mature(struct secasvar *sav)
342 const struct ah_algorithm *algo;
344 if (!sav->key_auth) {
345 ipseclog((LOG_ERR, "ah_keyed_sha1_mature: no key is given.\n"));
349 algo = ah_algorithm_lookup(sav->alg_auth);
351 ipseclog((LOG_ERR, "ah_keyed_sha1_mature: unsupported algorithm.\n"));
355 if (sav->key_auth->sadb_key_bits < algo->keymin
356 || algo->keymax < sav->key_auth->sadb_key_bits) {
358 "ah_keyed_sha1_mature: invalid key length %d.\n",
359 sav->key_auth->sadb_key_bits));
367 ah_keyed_sha1_init(struct ah_algorithm_state *state, struct secasvar *sav)
375 panic("ah_keyed_sha1_init: what?");
378 state->foo = (void *)kmalloc(sizeof(SHA1_CTX), M_TEMP, M_NOWAIT);
382 ctxt = (SHA1_CTX *)state->foo;
386 SHA1Update(ctxt, (u_int8_t *)_KEYBUF(state->sav->key_auth),
387 (u_int)_KEYLEN(state->sav->key_auth));
392 if (_KEYLEN(state->sav->key_auth) < 56)
393 padlen = 64 - 8 - _KEYLEN(state->sav->key_auth);
395 padlen = 64 + 64 - 8 - _KEYLEN(state->sav->key_auth);
396 keybitlen = _KEYLEN(state->sav->key_auth);
400 SHA1Update(ctxt, &buf[0], 1);
403 bzero(buf, sizeof(buf));
404 while (sizeof(buf) < padlen) {
405 SHA1Update(ctxt, &buf[0], sizeof(buf));
406 padlen -= sizeof(buf);
409 SHA1Update(ctxt, &buf[0], padlen);
412 buf[0] = (keybitlen >> 0) & 0xff;
413 buf[1] = (keybitlen >> 8) & 0xff;
414 buf[2] = (keybitlen >> 16) & 0xff;
415 buf[3] = (keybitlen >> 24) & 0xff;
416 SHA1Update(ctxt, buf, 8);
423 ah_keyed_sha1_loop(struct ah_algorithm_state *state, caddr_t addr, size_t len)
427 if (!state || !state->foo)
428 panic("ah_keyed_sha1_loop: what?");
429 ctxt = (SHA1_CTX *)state->foo;
431 SHA1Update(ctxt, (caddr_t)addr, (size_t)len);
435 ah_keyed_sha1_result(struct ah_algorithm_state *state, caddr_t addr)
437 u_char digest[SHA1_RESULTLEN]; /* SHA-1 generates 160 bits */
440 if (!state || !state->foo)
441 panic("ah_keyed_sha1_result: what?");
442 ctxt = (SHA1_CTX *)state->foo;
445 SHA1Update(ctxt, (u_int8_t *)_KEYBUF(state->sav->key_auth),
446 (u_int)_KEYLEN(state->sav->key_auth));
448 SHA1Final((caddr_t)&digest[0], ctxt);
449 bcopy(&digest[0], (void *)addr, HMACSIZE);
451 kfree(state->foo, M_TEMP);
455 ah_hmac_md5_mature(struct secasvar *sav)
457 const struct ah_algorithm *algo;
459 if (!sav->key_auth) {
460 ipseclog((LOG_ERR, "ah_hmac_md5_mature: no key is given.\n"));
464 algo = ah_algorithm_lookup(sav->alg_auth);
466 ipseclog((LOG_ERR, "ah_hmac_md5_mature: unsupported algorithm.\n"));
470 if (sav->key_auth->sadb_key_bits < algo->keymin
471 || algo->keymax < sav->key_auth->sadb_key_bits) {
473 "ah_hmac_md5_mature: invalid key length %d.\n",
474 sav->key_auth->sadb_key_bits));
482 ah_hmac_md5_init(struct ah_algorithm_state *state, struct secasvar *sav)
493 panic("ah_hmac_md5_init: what?");
496 state->foo = (void *)kmalloc(64 + 64 + sizeof(MD5_CTX), M_TEMP, M_NOWAIT);
500 ipad = (u_char *)state->foo;
501 opad = (u_char *)(ipad + 64);
502 ctxt = (MD5_CTX *)(opad + 64);
504 /* compress the key if necessery */
505 if (64 < _KEYLEN(state->sav->key_auth)) {
507 MD5Update(ctxt, _KEYBUF(state->sav->key_auth),
508 _KEYLEN(state->sav->key_auth));
509 MD5Final(&tk[0], ctxt);
513 key = _KEYBUF(state->sav->key_auth);
514 keylen = _KEYLEN(state->sav->key_auth);
519 bcopy(key, ipad, keylen);
520 bcopy(key, opad, keylen);
521 for (i = 0; i < 64; i++) {
527 MD5Update(ctxt, ipad, 64);
533 ah_hmac_md5_loop(struct ah_algorithm_state *state, caddr_t addr, size_t len)
537 if (!state || !state->foo)
538 panic("ah_hmac_md5_loop: what?");
539 ctxt = (MD5_CTX *)(((caddr_t)state->foo) + 128);
540 MD5Update(ctxt, addr, len);
544 ah_hmac_md5_result(struct ah_algorithm_state *state, caddr_t addr)
551 if (!state || !state->foo)
552 panic("ah_hmac_md5_result: what?");
554 ipad = (u_char *)state->foo;
555 opad = (u_char *)(ipad + 64);
556 ctxt = (MD5_CTX *)(opad + 64);
558 MD5Final(&digest[0], ctxt);
561 MD5Update(ctxt, opad, 64);
562 MD5Update(ctxt, &digest[0], sizeof(digest));
563 MD5Final(&digest[0], ctxt);
565 bcopy(&digest[0], (void *)addr, HMACSIZE);
567 kfree(state->foo, M_TEMP);
571 ah_hmac_sha1_mature(struct secasvar *sav)
573 const struct ah_algorithm *algo;
575 if (!sav->key_auth) {
576 ipseclog((LOG_ERR, "ah_hmac_sha1_mature: no key is given.\n"));
580 algo = ah_algorithm_lookup(sav->alg_auth);
582 ipseclog((LOG_ERR, "ah_hmac_sha1_mature: unsupported algorithm.\n"));
586 if (sav->key_auth->sadb_key_bits < algo->keymin
587 || algo->keymax < sav->key_auth->sadb_key_bits) {
589 "ah_hmac_sha1_mature: invalid key length %d.\n",
590 sav->key_auth->sadb_key_bits));
598 ah_hmac_sha1_init(struct ah_algorithm_state *state, struct secasvar *sav)
603 u_char tk[SHA1_RESULTLEN]; /* SHA-1 generates 160 bits */
609 panic("ah_hmac_sha1_init: what?");
612 state->foo = (void *)kmalloc(64 + 64 + sizeof(SHA1_CTX),
617 ipad = (u_char *)state->foo;
618 opad = (u_char *)(ipad + 64);
619 ctxt = (SHA1_CTX *)(opad + 64);
621 /* compress the key if necessery */
622 if (64 < _KEYLEN(state->sav->key_auth)) {
624 SHA1Update(ctxt, _KEYBUF(state->sav->key_auth),
625 _KEYLEN(state->sav->key_auth));
626 SHA1Final(&tk[0], ctxt);
628 keylen = SHA1_RESULTLEN;
630 key = _KEYBUF(state->sav->key_auth);
631 keylen = _KEYLEN(state->sav->key_auth);
636 bcopy(key, ipad, keylen);
637 bcopy(key, opad, keylen);
638 for (i = 0; i < 64; i++) {
644 SHA1Update(ctxt, ipad, 64);
650 ah_hmac_sha1_loop(struct ah_algorithm_state *state, caddr_t addr, size_t len)
654 if (!state || !state->foo)
655 panic("ah_hmac_sha1_loop: what?");
657 ctxt = (SHA1_CTX *)(((u_char *)state->foo) + 128);
658 SHA1Update(ctxt, (caddr_t)addr, (size_t)len);
662 ah_hmac_sha1_result(struct ah_algorithm_state *state, caddr_t addr)
664 u_char digest[SHA1_RESULTLEN]; /* SHA-1 generates 160 bits */
669 if (!state || !state->foo)
670 panic("ah_hmac_sha1_result: what?");
672 ipad = (u_char *)state->foo;
673 opad = (u_char *)(ipad + 64);
674 ctxt = (SHA1_CTX *)(opad + 64);
676 SHA1Final((caddr_t)&digest[0], ctxt);
679 SHA1Update(ctxt, opad, 64);
680 SHA1Update(ctxt, (caddr_t)&digest[0], sizeof(digest));
681 SHA1Final((caddr_t)&digest[0], ctxt);
683 bcopy(&digest[0], (void *)addr, HMACSIZE);
685 kfree(state->foo, M_TEMP);
689 ah_hmac_sha2_256_mature(struct secasvar *sav)
691 const struct ah_algorithm *algo;
693 if (!sav->key_auth) {
695 "ah_hmac_sha2_256_mature: no key is given.\n"));
699 algo = ah_algorithm_lookup(sav->alg_auth);
702 "ah_hmac_sha2_256_mature: unsupported algorithm.\n"));
706 if (sav->key_auth->sadb_key_bits < algo->keymin ||
707 algo->keymax < sav->key_auth->sadb_key_bits) {
709 "ah_hmac_sha2_256_mature: invalid key length %d.\n",
710 sav->key_auth->sadb_key_bits));
718 ah_hmac_sha2_256_init(struct ah_algorithm_state *state, struct secasvar *sav)
723 u_char tk[SHA256_DIGEST_LENGTH];
729 panic("ah_hmac_sha2_256_init: what?");
732 state->foo = (void *)kmalloc(64 + 64 + sizeof(SHA256_CTX),
737 ipad = (u_char *)state->foo;
738 opad = (u_char *)(ipad + 64);
739 ctxt = (SHA256_CTX *)(opad + 64);
741 /* compress the key if necessery */
742 if (64 < _KEYLEN(state->sav->key_auth)) {
743 bzero(tk, sizeof(tk));
744 bzero(ctxt, sizeof(*ctxt));
746 SHA256_Update(ctxt, _KEYBUF(state->sav->key_auth),
747 _KEYLEN(state->sav->key_auth));
748 SHA256_Final(&tk[0], ctxt);
750 keylen = sizeof(tk) < 64 ? sizeof(tk) : 64;
752 key = _KEYBUF(state->sav->key_auth);
753 keylen = _KEYLEN(state->sav->key_auth);
758 bcopy(key, ipad, keylen);
759 bcopy(key, opad, keylen);
760 for (i = 0; i < 64; i++) {
765 bzero(ctxt, sizeof(*ctxt));
767 SHA256_Update(ctxt, ipad, 64);
773 ah_hmac_sha2_256_loop(struct ah_algorithm_state *state, caddr_t addr, size_t
778 if (!state || !state->foo)
779 panic("ah_hmac_sha2_256_loop: what?");
781 ctxt = (SHA256_CTX *)(((u_char *)state->foo) + 128);
782 SHA256_Update(ctxt, (caddr_t)addr, (size_t)len);
786 ah_hmac_sha2_256_result(struct ah_algorithm_state *state, caddr_t addr)
788 u_char digest[SHA256_DIGEST_LENGTH];
793 if (!state || !state->foo)
794 panic("ah_hmac_sha2_256_result: what?");
796 ipad = (u_char *)state->foo;
797 opad = (u_char *)(ipad + 64);
798 ctxt = (SHA256_CTX *)(opad + 64);
800 SHA256_Final((caddr_t)&digest[0], ctxt);
802 bzero(ctxt, sizeof(*ctxt));
804 SHA256_Update(ctxt, opad, 64);
805 SHA256_Update(ctxt, (caddr_t)&digest[0], sizeof(digest));
806 SHA256_Final((caddr_t)&digest[0], ctxt);
808 bcopy(&digest[0], (void *)addr, HMACSIZE);
810 kfree(state->foo, M_TEMP);
814 ah_hmac_sha2_384_mature(struct secasvar *sav)
816 const struct ah_algorithm *algo;
818 if (!sav->key_auth) {
820 "ah_hmac_sha2_384_mature: no key is given.\n"));
824 algo = ah_algorithm_lookup(sav->alg_auth);
827 "ah_hmac_sha2_384_mature: unsupported algorithm.\n"));
831 if (sav->key_auth->sadb_key_bits < algo->keymin ||
832 algo->keymax < sav->key_auth->sadb_key_bits) {
834 "ah_hmac_sha2_384_mature: invalid key length %d.\n",
835 sav->key_auth->sadb_key_bits));
843 ah_hmac_sha2_384_init(struct ah_algorithm_state *state, struct secasvar *sav)
848 u_char tk[SHA384_DIGEST_LENGTH];
854 panic("ah_hmac_sha2_384_init: what?");
857 state->foo = (void *)kmalloc(64 + 64 + sizeof(SHA384_CTX),
858 M_TEMP, M_NOWAIT | M_ZERO);
862 ipad = (u_char *)state->foo;
863 opad = (u_char *)(ipad + 64);
864 ctxt = (SHA384_CTX *)(opad + 64);
866 /* compress the key if necessery */
867 if (64 < _KEYLEN(state->sav->key_auth)) {
868 bzero(tk, sizeof(tk));
869 bzero(ctxt, sizeof(*ctxt));
871 SHA384_Update(ctxt, _KEYBUF(state->sav->key_auth),
872 _KEYLEN(state->sav->key_auth));
873 SHA384_Final(&tk[0], ctxt);
875 keylen = sizeof(tk) < 64 ? sizeof(tk) : 64;
877 key = _KEYBUF(state->sav->key_auth);
878 keylen = _KEYLEN(state->sav->key_auth);
883 bcopy(key, ipad, keylen);
884 bcopy(key, opad, keylen);
885 for (i = 0; i < 64; i++) {
890 bzero(ctxt, sizeof(*ctxt));
892 SHA384_Update(ctxt, ipad, 64);
898 ah_hmac_sha2_384_loop(struct ah_algorithm_state *state, caddr_t addr,
903 if (!state || !state->foo)
904 panic("ah_hmac_sha2_384_loop: what?");
906 ctxt = (SHA384_CTX *)(((u_char *)state->foo) + 128);
907 SHA384_Update(ctxt, (caddr_t)addr, (size_t)len);
911 ah_hmac_sha2_384_result(struct ah_algorithm_state *state, caddr_t addr)
913 u_char digest[SHA384_DIGEST_LENGTH];
918 if (!state || !state->foo)
919 panic("ah_hmac_sha2_384_result: what?");
921 ipad = (u_char *)state->foo;
922 opad = (u_char *)(ipad + 64);
923 ctxt = (SHA384_CTX *)(opad + 64);
925 SHA384_Final((caddr_t)&digest[0], ctxt);
927 bzero(ctxt, sizeof(*ctxt));
929 SHA384_Update(ctxt, opad, 64);
930 SHA384_Update(ctxt, (caddr_t)&digest[0], sizeof(digest));
931 SHA384_Final((caddr_t)&digest[0], ctxt);
933 bcopy(&digest[0], (void *)addr, HMACSIZE);
935 kfree(state->foo, M_TEMP);
939 ah_hmac_sha2_512_mature(struct secasvar *sav)
941 const struct ah_algorithm *algo;
943 if (!sav->key_auth) {
945 "ah_hmac_sha2_512_mature: no key is given.\n"));
949 algo = ah_algorithm_lookup(sav->alg_auth);
952 "ah_hmac_sha2_512_mature: unsupported algorithm.\n"));
956 if (sav->key_auth->sadb_key_bits < algo->keymin ||
957 algo->keymax < sav->key_auth->sadb_key_bits) {
959 "ah_hmac_sha2_512_mature: invalid key length %d.\n",
960 sav->key_auth->sadb_key_bits));
968 ah_hmac_sha2_512_init(struct ah_algorithm_state *state, struct secasvar *sav)
973 u_char tk[SHA512_DIGEST_LENGTH];
979 panic("ah_hmac_sha2_512_init: what?");
982 state->foo = (void *)kmalloc(64 + 64 + sizeof(SHA512_CTX),
983 M_TEMP, M_NOWAIT | M_ZERO);
987 ipad = (u_char *)state->foo;
988 opad = (u_char *)(ipad + 64);
989 ctxt = (SHA512_CTX *)(opad + 64);
991 /* compress the key if necessery */
992 if (64 < _KEYLEN(state->sav->key_auth)) {
993 bzero(tk, sizeof(tk));
994 bzero(ctxt, sizeof(*ctxt));
996 SHA512_Update(ctxt, _KEYBUF(state->sav->key_auth),
997 _KEYLEN(state->sav->key_auth));
998 SHA512_Final(&tk[0], ctxt);
1000 keylen = sizeof(tk) < 64 ? sizeof(tk) : 64;
1002 key = _KEYBUF(state->sav->key_auth);
1003 keylen = _KEYLEN(state->sav->key_auth);
1008 bcopy(key, ipad, keylen);
1009 bcopy(key, opad, keylen);
1010 for (i = 0; i < 64; i++) {
1015 bzero(ctxt, sizeof(*ctxt));
1017 SHA512_Update(ctxt, ipad, 64);
1023 ah_hmac_sha2_512_loop(struct ah_algorithm_state *state, caddr_t addr,
1028 if (!state || !state->foo)
1029 panic("ah_hmac_sha2_512_loop: what?");
1031 ctxt = (SHA512_CTX *)(((u_char *)state->foo) + 128);
1032 SHA512_Update(ctxt, (caddr_t)addr, (size_t)len);
1036 ah_hmac_sha2_512_result(struct ah_algorithm_state *state, caddr_t addr)
1038 u_char digest[SHA512_DIGEST_LENGTH];
1043 if (!state || !state->foo)
1044 panic("ah_hmac_sha2_512_result: what?");
1046 ipad = (u_char *)state->foo;
1047 opad = (u_char *)(ipad + 64);
1048 ctxt = (SHA512_CTX *)(opad + 64);
1050 SHA512_Final((caddr_t)&digest[0], ctxt);
1052 bzero(ctxt, sizeof(*ctxt));
1054 SHA512_Update(ctxt, opad, 64);
1055 SHA512_Update(ctxt, (caddr_t)&digest[0], sizeof(digest));
1056 SHA512_Final((caddr_t)&digest[0], ctxt);
1058 bcopy(&digest[0], (void *)addr, HMACSIZE);
1060 kfree(state->foo, M_TEMP);
1063 /*------------------------------------------------------------*/
1066 * go generate the checksum.
1069 ah_update_mbuf(struct mbuf *m, int off, int len,
1070 const struct ah_algorithm *algo,
1071 struct ah_algorithm_state *algos)
1076 /* easy case first */
1077 if (off + len <= m->m_len) {
1078 (algo->update)(algos, mtod(m, caddr_t) + off, len);
1082 for (n = m; n; n = n->m_next) {
1090 panic("ah_update_mbuf: wrong offset specified");
1092 for (/* nothing */; n && len > 0; n = n->m_next) {
1095 if (n->m_len - off < len)
1096 tlen = n->m_len - off;
1100 (algo->update)(algos, mtod(n, caddr_t) + off, tlen);
1109 * Go generate the checksum. This function won't modify the mbuf chain
1112 * NOTE: the function does not free mbuf on failure.
1113 * Don't use m_copy(), it will try to share cluster mbuf by using refcnt.
1116 ah4_calccksum(struct mbuf *m, caddr_t ahdat, size_t len,
1117 const struct ah_algorithm *algo, struct secasvar *sav)
1121 size_t advancewidth;
1122 struct ah_algorithm_state algos;
1123 u_char sumbuf[AH_MAXSUMSIZE];
1126 struct mbuf *n = NULL;
1128 if ((m->m_flags & M_PKTHDR) == 0)
1132 hdrtype = -1; /* dummy, it is called IPPROTO_IP */
1136 error = (algo->init)(&algos, sav);
1140 advancewidth = 0; /* safety */
1145 case -1: /* first one only */
1148 * copy ip hdr, modify to fit the AH checksum rule,
1149 * then take a checksum.
1154 m_copydata(m, off, sizeof(iphdr), (caddr_t)&iphdr);
1156 hlen = IP_VHL_HL(iphdr.ip_vhl) << 2;
1158 hlen = iphdr.ip_hl << 2;
1161 iphdr.ip_sum = htons(0);
1162 if (ip4_ah_cleartos)
1164 iphdr.ip_off = htons(ntohs(iphdr.ip_off) & ip4_ah_offsetmask);
1165 (algo->update)(&algos, (caddr_t)&iphdr, sizeof(struct ip));
1167 if (hlen != sizeof(struct ip)) {
1171 if (hlen > MCLBYTES) {
1175 n = m_getb(hlen, MB_DONTWAIT, MT_DATA, 0);
1180 m_copydata(m, off, hlen, mtod(n, caddr_t));
1183 * IP options processing.
1184 * See RFC2402 appendix A.
1186 p = mtod(n, u_char *);
1187 i = sizeof(struct ip);
1189 if (i + IPOPT_OPTVAL >= hlen) {
1190 ipseclog((LOG_ERR, "ah4_calccksum: "
1191 "invalid IP option\n"));
1195 if (p[i + IPOPT_OPTVAL] == IPOPT_EOL ||
1196 p[i + IPOPT_OPTVAL] == IPOPT_NOP ||
1197 i + IPOPT_OLEN < hlen)
1201 "ah4_calccksum: invalid IP option "
1203 p[i + IPOPT_OPTVAL]));
1209 switch (p[i + IPOPT_OPTVAL]) {
1215 case IPOPT_SECURITY: /* 0x82 */
1216 case 0x85: /* Extended security */
1217 case 0x86: /* Commercial security */
1218 case 0x94: /* Router alert */
1219 case 0x95: /* RFC1770 */
1220 l = p[i + IPOPT_OLEN];
1226 l = p[i + IPOPT_OLEN];
1232 if (l < 1 || hlen - i < l) {
1235 "ah4_calccksum: invalid IP option "
1236 "(type=%02x len=%02x)\n",
1237 p[i + IPOPT_OPTVAL],
1238 p[i + IPOPT_OLEN]));
1244 if (p[i + IPOPT_OPTVAL] == IPOPT_EOL)
1248 p = mtod(n, u_char *) + sizeof(struct ip);
1249 (algo->update)(&algos, p, hlen - sizeof(struct ip));
1255 hdrtype = (iphdr.ip_p) & 0xff;
1256 advancewidth = hlen;
1267 m_copydata(m, off, sizeof(ah), (caddr_t)&ah);
1268 hdrsiz = (sav->flags & SADB_X_EXT_OLD)
1270 : sizeof(struct newah);
1271 siz = (*algo->sumsiz)(sav);
1272 totlen = (ah.ah_len + 2) << 2;
1275 * special treatment is necessary for the first one, not others
1278 if (totlen > m->m_pkthdr.len - off ||
1279 totlen > MCLBYTES) {
1283 n = m_getb(totlen, MB_DONTWAIT, MT_DATA, 0);
1288 m_copydata(m, off, totlen, mtod(n, caddr_t));
1290 bzero(mtod(n, caddr_t) + hdrsiz, siz);
1291 (algo->update)(&algos, mtod(n, caddr_t), n->m_len);
1295 ah_update_mbuf(m, off, totlen, algo, &algos);
1298 hdrtype = ah.ah_nxt;
1299 advancewidth = totlen;
1304 ah_update_mbuf(m, off, m->m_pkthdr.len - off, algo, &algos);
1305 advancewidth = m->m_pkthdr.len - off;
1309 off += advancewidth;
1310 if (off < m->m_pkthdr.len)
1313 if (len < (*algo->sumsiz)(sav)) {
1318 (algo->result)(&algos, &sumbuf[0]);
1319 bcopy(&sumbuf[0], ahdat, (*algo->sumsiz)(sav));
1334 * Go generate the checksum. This function won't modify the mbuf chain
1337 * NOTE: the function does not free mbuf on failure.
1338 * Don't use m_copy(), it will try to share cluster mbuf by using refcnt.
1341 ah6_calccksum(struct mbuf *m, caddr_t ahdat, size_t len,
1342 const struct ah_algorithm *algo, struct secasvar *sav)
1346 struct mbuf *n = NULL;
1349 struct ah_algorithm_state algos;
1350 u_char sumbuf[AH_MAXSUMSIZE];
1352 if ((m->m_flags & M_PKTHDR) == 0)
1355 error = (algo->init)(&algos, sav);
1360 proto = IPPROTO_IPV6;
1365 newoff = ip6_nexthdr(m, off, proto, &nxt);
1367 newoff = m->m_pkthdr.len;
1368 else if (newoff <= off) {
1376 * special treatment is necessary for the first one, not others
1379 struct ip6_hdr ip6copy;
1381 if (newoff - off != sizeof(struct ip6_hdr)) {
1386 m_copydata(m, off, newoff - off, (caddr_t)&ip6copy);
1388 ip6copy.ip6_flow = 0;
1389 ip6copy.ip6_vfc &= ~IPV6_VERSION_MASK;
1390 ip6copy.ip6_vfc |= IPV6_VERSION;
1391 ip6copy.ip6_hlim = 0;
1392 if (IN6_IS_ADDR_LINKLOCAL(&ip6copy.ip6_src))
1393 ip6copy.ip6_src.s6_addr16[1] = 0x0000;
1394 if (IN6_IS_ADDR_LINKLOCAL(&ip6copy.ip6_dst))
1395 ip6copy.ip6_dst.s6_addr16[1] = 0x0000;
1396 (algo->update)(&algos, (caddr_t)&ip6copy,
1397 sizeof(struct ip6_hdr));
1399 newoff = m->m_pkthdr.len;
1400 ah_update_mbuf(m, off, m->m_pkthdr.len - off, algo,
1410 hdrsiz = (sav->flags & SADB_X_EXT_OLD)
1412 : sizeof(struct newah);
1413 siz = (*algo->sumsiz)(sav);
1416 * special treatment is necessary for the first one, not others
1419 if (newoff - off > MCLBYTES) {
1423 n = m_getb(newoff - off, MB_DONTWAIT, MT_DATA, 0);
1428 m_copydata(m, off, newoff - off, mtod(n, caddr_t));
1429 n->m_len = newoff - off;
1430 bzero(mtod(n, caddr_t) + hdrsiz, siz);
1431 (algo->update)(&algos, mtod(n, caddr_t), n->m_len);
1435 ah_update_mbuf(m, off, newoff - off, algo, &algos);
1440 case IPPROTO_HOPOPTS:
1441 case IPPROTO_DSTOPTS:
1443 struct ip6_ext *ip6e;
1445 u_int8_t *p, *optend, *optp;
1447 if (newoff - off > MCLBYTES) {
1451 n = m_getb(newoff - off, MB_DONTWAIT, MT_DATA, 0);
1456 m_copydata(m, off, newoff - off, mtod(n, caddr_t));
1457 n->m_len = newoff - off;
1459 ip6e = mtod(n, struct ip6_ext *);
1460 hdrlen = (ip6e->ip6e_len + 1) << 3;
1461 if (newoff - off < hdrlen) {
1467 p = mtod(n, u_int8_t *);
1468 optend = p + hdrlen;
1471 * ICV calculation for the options header including all
1472 * options. This part is a little tricky since there are
1473 * two type of options; mutable and immutable. We try to
1474 * null-out mutable ones here.
1477 while (optp < optend) {
1478 if (optp[0] == IP6OPT_PAD1)
1481 if (optp + 2 > optend) {
1487 optlen = optp[1] + 2;
1489 if (optp[0] & IP6OPT_MUTABLE)
1490 bzero(optp + 2, optlen - 2);
1496 (algo->update)(&algos, mtod(n, caddr_t), n->m_len);
1502 case IPPROTO_ROUTING:
1504 * For an input packet, we can just calculate `as is'.
1505 * For an output packet, we assume ip6_output have already
1506 * made packet how it will be received at the final
1512 ah_update_mbuf(m, off, newoff - off, algo, &algos);
1516 if (newoff < m->m_pkthdr.len) {
1522 if (len < (*algo->sumsiz)(sav)) {
1527 (algo->result)(&algos, &sumbuf[0]);
1528 bcopy(&sumbuf[0], ahdat, (*algo->sumsiz)(sav));