1 /* $FreeBSD: src/sys/netinet6/ah_core.c,v 1.2.2.5 2002/04/28 05:40:26 suz Exp $ */
2 /* $KAME: ah_core.c,v 1.44 2001/03/12 11:24:39 itojun Exp $ */
5 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 * 3. Neither the name of the project nor the names of its contributors
17 * may be used to endorse or promote products derived from this software
18 * without specific prior written permission.
20 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
21 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
24 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34 * RFC1826/2402 authentication header.
37 /* TODO: have shared routines for hmac-* algorithms */
40 #include "opt_inet6.h"
41 #include "opt_ipsec.h"
43 #include <sys/param.h>
44 #include <sys/systm.h>
45 #include <sys/malloc.h>
47 #include <sys/domain.h>
48 #include <sys/protosw.h>
49 #include <sys/socket.h>
50 #include <sys/socketvar.h>
51 #include <sys/errno.h>
53 #include <sys/syslog.h>
56 #include <net/route.h>
58 #include <netinet/in.h>
59 #include <netinet/in_systm.h>
60 #include <netinet/ip.h>
61 #include <netinet/in_var.h>
64 #include <netinet/ip6.h>
65 #include <netinet6/ip6_var.h>
66 #include <netinet/icmp6.h>
69 #include <netinet6/ipsec.h>
71 #include <netinet6/ipsec6.h>
73 #include <netinet6/ah.h>
75 #include <netinet6/ah6.h>
78 #include <netinet6/esp.h>
80 #include <netinet6/esp6.h>
83 #include <net/pfkeyv2.h>
84 #include <netproto/key/keydb.h>
86 #include <crypto/sha1.h>
87 #include <crypto/sha2/sha2.h>
89 #include <net/net_osdep.h>
93 static int ah_sumsiz_1216 (struct secasvar *);
94 static int ah_sumsiz_zero (struct secasvar *);
95 static int ah_none_mature (struct secasvar *);
96 static int ah_none_init (struct ah_algorithm_state *, struct secasvar *);
97 static void ah_none_loop (struct ah_algorithm_state *, caddr_t, size_t);
98 static void ah_none_result (struct ah_algorithm_state *, caddr_t);
99 static int ah_keyed_md5_mature (struct secasvar *);
100 static int ah_keyed_md5_init (struct ah_algorithm_state *,
102 static void ah_keyed_md5_loop (struct ah_algorithm_state *, caddr_t,
104 static void ah_keyed_md5_result (struct ah_algorithm_state *, caddr_t);
105 static int ah_keyed_sha1_mature (struct secasvar *);
106 static int ah_keyed_sha1_init (struct ah_algorithm_state *,
108 static void ah_keyed_sha1_loop (struct ah_algorithm_state *, caddr_t,
110 static void ah_keyed_sha1_result (struct ah_algorithm_state *, caddr_t);
111 static int ah_hmac_md5_mature (struct secasvar *);
112 static int ah_hmac_md5_init (struct ah_algorithm_state *,
114 static void ah_hmac_md5_loop (struct ah_algorithm_state *, caddr_t,
116 static void ah_hmac_md5_result (struct ah_algorithm_state *, caddr_t);
117 static int ah_hmac_sha1_mature (struct secasvar *);
118 static int ah_hmac_sha1_init (struct ah_algorithm_state *,
120 static void ah_hmac_sha1_loop (struct ah_algorithm_state *, caddr_t,
122 static void ah_hmac_sha1_result (struct ah_algorithm_state *, caddr_t);
123 static int ah_hmac_sha2_256_mature (struct secasvar *);
124 static int ah_hmac_sha2_256_init (struct ah_algorithm_state *,
126 static void ah_hmac_sha2_256_loop (struct ah_algorithm_state *, caddr_t,
128 static void ah_hmac_sha2_256_result (struct ah_algorithm_state *, caddr_t);
129 static int ah_hmac_sha2_384_mature (struct secasvar *);
130 static int ah_hmac_sha2_384_init (struct ah_algorithm_state *,
132 static void ah_hmac_sha2_384_loop (struct ah_algorithm_state *, caddr_t,
134 static void ah_hmac_sha2_384_result (struct ah_algorithm_state *, caddr_t);
135 static int ah_hmac_sha2_512_mature (struct secasvar *);
136 static int ah_hmac_sha2_512_init (struct ah_algorithm_state *,
138 static void ah_hmac_sha2_512_loop (struct ah_algorithm_state *, caddr_t,
140 static void ah_hmac_sha2_512_result (struct ah_algorithm_state *, caddr_t);
142 static void ah_update_mbuf (struct mbuf *, int, int,
143 const struct ah_algorithm *, struct ah_algorithm_state *);
145 const struct ah_algorithm *
146 ah_algorithm_lookup(int idx)
148 /* checksum algorithms */
149 static struct ah_algorithm ah_algorithms[] = {
150 { ah_sumsiz_1216, ah_hmac_md5_mature, 128, 128, "hmac-md5",
151 ah_hmac_md5_init, ah_hmac_md5_loop,
152 ah_hmac_md5_result, },
153 { ah_sumsiz_1216, ah_hmac_sha1_mature, 160, 160, "hmac-sha1",
154 ah_hmac_sha1_init, ah_hmac_sha1_loop,
155 ah_hmac_sha1_result, },
156 { ah_sumsiz_1216, ah_keyed_md5_mature, 128, 128, "keyed-md5",
157 ah_keyed_md5_init, ah_keyed_md5_loop,
158 ah_keyed_md5_result, },
159 { ah_sumsiz_1216, ah_keyed_sha1_mature, 160, 160, "keyed-sha1",
160 ah_keyed_sha1_init, ah_keyed_sha1_loop,
161 ah_keyed_sha1_result, },
162 { ah_sumsiz_zero, ah_none_mature, 0, 2048, "none",
163 ah_none_init, ah_none_loop, ah_none_result, },
164 { ah_sumsiz_1216, ah_hmac_sha2_256_mature, 256, 256,
166 ah_hmac_sha2_256_init, ah_hmac_sha2_256_loop,
167 ah_hmac_sha2_256_result, },
168 { ah_sumsiz_1216, ah_hmac_sha2_384_mature, 384, 384,
170 ah_hmac_sha2_384_init, ah_hmac_sha2_384_loop,
171 ah_hmac_sha2_384_result, },
172 { ah_sumsiz_1216, ah_hmac_sha2_512_mature, 512, 512,
174 ah_hmac_sha2_512_init, ah_hmac_sha2_512_loop,
175 ah_hmac_sha2_512_result, },
179 case SADB_AALG_MD5HMAC:
180 return &ah_algorithms[0];
181 case SADB_AALG_SHA1HMAC:
182 return &ah_algorithms[1];
183 case SADB_X_AALG_MD5:
184 return &ah_algorithms[2];
185 case SADB_X_AALG_SHA:
186 return &ah_algorithms[3];
187 case SADB_X_AALG_NULL:
188 return &ah_algorithms[4];
189 case SADB_X_AALG_SHA2_256:
190 return &ah_algorithms[5];
191 case SADB_X_AALG_SHA2_384:
192 return &ah_algorithms[6];
193 case SADB_X_AALG_SHA2_512:
194 return &ah_algorithms[7];
202 ah_sumsiz_1216(struct secasvar *sav)
206 if (sav->flags & SADB_X_EXT_OLD)
213 ah_sumsiz_zero(struct secasvar *sav)
221 ah_none_mature(struct secasvar *sav)
223 if (sav->sah->saidx.proto == IPPROTO_AH) {
225 "ah_none_mature: protocol and algorithm mismatch.\n"));
232 ah_none_init(struct ah_algorithm_state *state, struct secasvar *sav)
239 ah_none_loop(struct ah_algorithm_state *state, caddr_t addr, size_t len)
244 ah_none_result(struct ah_algorithm_state *state, caddr_t addr)
249 ah_keyed_md5_mature(struct secasvar *sav)
251 /* anything is okay */
256 ah_keyed_md5_init(struct ah_algorithm_state *state, struct secasvar *sav)
263 panic("ah_keyed_md5_init: what?");
266 state->foo = (void *)kmalloc(sizeof(MD5_CTX), M_TEMP, M_NOWAIT);
267 if (state->foo == NULL)
270 MD5Init((MD5_CTX *)state->foo);
272 MD5Update((MD5_CTX *)state->foo,
273 (u_int8_t *)_KEYBUF(state->sav->key_auth),
274 (u_int)_KEYLEN(state->sav->key_auth));
278 * We cannot simply use md5_pad() since the function
279 * won't update the total length.
281 if (_KEYLEN(state->sav->key_auth) < 56)
282 padlen = 64 - 8 - _KEYLEN(state->sav->key_auth);
284 padlen = 64 + 64 - 8 - _KEYLEN(state->sav->key_auth);
285 keybitlen = _KEYLEN(state->sav->key_auth);
289 MD5Update((MD5_CTX *)state->foo, &buf[0], 1);
292 bzero(buf, sizeof(buf));
293 while (sizeof(buf) < padlen) {
294 MD5Update((MD5_CTX *)state->foo, &buf[0], sizeof(buf));
295 padlen -= sizeof(buf);
298 MD5Update((MD5_CTX *)state->foo, &buf[0], padlen);
301 buf[0] = (keybitlen >> 0) & 0xff;
302 buf[1] = (keybitlen >> 8) & 0xff;
303 buf[2] = (keybitlen >> 16) & 0xff;
304 buf[3] = (keybitlen >> 24) & 0xff;
305 MD5Update((MD5_CTX *)state->foo, buf, 8);
312 ah_keyed_md5_loop(struct ah_algorithm_state *state, caddr_t addr, size_t len)
315 panic("ah_keyed_md5_loop: what?");
317 MD5Update((MD5_CTX *)state->foo, addr, len);
321 ah_keyed_md5_result(struct ah_algorithm_state *state, caddr_t addr)
326 panic("ah_keyed_md5_result: what?");
329 MD5Update((MD5_CTX *)state->foo,
330 (u_int8_t *)_KEYBUF(state->sav->key_auth),
331 (u_int)_KEYLEN(state->sav->key_auth));
333 MD5Final(&digest[0], (MD5_CTX *)state->foo);
334 kfree(state->foo, M_TEMP);
335 bcopy(&digest[0], (void *)addr, sizeof(digest));
339 ah_keyed_sha1_mature(struct secasvar *sav)
341 const struct ah_algorithm *algo;
343 if (!sav->key_auth) {
344 ipseclog((LOG_ERR, "ah_keyed_sha1_mature: no key is given.\n"));
348 algo = ah_algorithm_lookup(sav->alg_auth);
350 ipseclog((LOG_ERR, "ah_keyed_sha1_mature: unsupported algorithm.\n"));
354 if (sav->key_auth->sadb_key_bits < algo->keymin
355 || algo->keymax < sav->key_auth->sadb_key_bits) {
357 "ah_keyed_sha1_mature: invalid key length %d.\n",
358 sav->key_auth->sadb_key_bits));
366 ah_keyed_sha1_init(struct ah_algorithm_state *state, struct secasvar *sav)
374 panic("ah_keyed_sha1_init: what?");
377 state->foo = (void *)kmalloc(sizeof(SHA1_CTX), M_TEMP, M_NOWAIT);
381 ctxt = (SHA1_CTX *)state->foo;
385 SHA1Update(ctxt, (u_int8_t *)_KEYBUF(state->sav->key_auth),
386 (u_int)_KEYLEN(state->sav->key_auth));
391 if (_KEYLEN(state->sav->key_auth) < 56)
392 padlen = 64 - 8 - _KEYLEN(state->sav->key_auth);
394 padlen = 64 + 64 - 8 - _KEYLEN(state->sav->key_auth);
395 keybitlen = _KEYLEN(state->sav->key_auth);
399 SHA1Update(ctxt, &buf[0], 1);
402 bzero(buf, sizeof(buf));
403 while (sizeof(buf) < padlen) {
404 SHA1Update(ctxt, &buf[0], sizeof(buf));
405 padlen -= sizeof(buf);
408 SHA1Update(ctxt, &buf[0], padlen);
411 buf[0] = (keybitlen >> 0) & 0xff;
412 buf[1] = (keybitlen >> 8) & 0xff;
413 buf[2] = (keybitlen >> 16) & 0xff;
414 buf[3] = (keybitlen >> 24) & 0xff;
415 SHA1Update(ctxt, buf, 8);
422 ah_keyed_sha1_loop(struct ah_algorithm_state *state, caddr_t addr, size_t len)
426 if (!state || !state->foo)
427 panic("ah_keyed_sha1_loop: what?");
428 ctxt = (SHA1_CTX *)state->foo;
430 SHA1Update(ctxt, addr, len);
434 ah_keyed_sha1_result(struct ah_algorithm_state *state, caddr_t addr)
436 u_char digest[SHA1_RESULTLEN]; /* SHA-1 generates 160 bits */
439 if (!state || !state->foo)
440 panic("ah_keyed_sha1_result: what?");
441 ctxt = (SHA1_CTX *)state->foo;
444 SHA1Update(ctxt, (u_int8_t *)_KEYBUF(state->sav->key_auth),
445 (u_int)_KEYLEN(state->sav->key_auth));
447 SHA1Final((caddr_t)&digest[0], ctxt);
448 bcopy(&digest[0], (void *)addr, HMACSIZE);
450 kfree(state->foo, M_TEMP);
454 ah_hmac_md5_mature(struct secasvar *sav)
456 const struct ah_algorithm *algo;
458 if (!sav->key_auth) {
459 ipseclog((LOG_ERR, "ah_hmac_md5_mature: no key is given.\n"));
463 algo = ah_algorithm_lookup(sav->alg_auth);
465 ipseclog((LOG_ERR, "ah_hmac_md5_mature: unsupported algorithm.\n"));
469 if (sav->key_auth->sadb_key_bits < algo->keymin
470 || algo->keymax < sav->key_auth->sadb_key_bits) {
472 "ah_hmac_md5_mature: invalid key length %d.\n",
473 sav->key_auth->sadb_key_bits));
481 ah_hmac_md5_init(struct ah_algorithm_state *state, struct secasvar *sav)
492 panic("ah_hmac_md5_init: what?");
495 state->foo = (void *)kmalloc(64 + 64 + sizeof(MD5_CTX), M_TEMP, M_NOWAIT);
499 ipad = (u_char *)state->foo;
500 opad = (u_char *)(ipad + 64);
501 ctxt = (MD5_CTX *)(opad + 64);
503 /* compress the key if necessery */
504 if (64 < _KEYLEN(state->sav->key_auth)) {
506 MD5Update(ctxt, _KEYBUF(state->sav->key_auth),
507 _KEYLEN(state->sav->key_auth));
508 MD5Final(&tk[0], ctxt);
512 key = _KEYBUF(state->sav->key_auth);
513 keylen = _KEYLEN(state->sav->key_auth);
518 bcopy(key, ipad, keylen);
519 bcopy(key, opad, keylen);
520 for (i = 0; i < 64; i++) {
526 MD5Update(ctxt, ipad, 64);
532 ah_hmac_md5_loop(struct ah_algorithm_state *state, caddr_t addr, size_t len)
536 if (!state || !state->foo)
537 panic("ah_hmac_md5_loop: what?");
538 ctxt = (MD5_CTX *)(((caddr_t)state->foo) + 128);
539 MD5Update(ctxt, addr, len);
543 ah_hmac_md5_result(struct ah_algorithm_state *state, caddr_t addr)
550 if (!state || !state->foo)
551 panic("ah_hmac_md5_result: what?");
553 ipad = (u_char *)state->foo;
554 opad = (u_char *)(ipad + 64);
555 ctxt = (MD5_CTX *)(opad + 64);
557 MD5Final(&digest[0], ctxt);
560 MD5Update(ctxt, opad, 64);
561 MD5Update(ctxt, &digest[0], sizeof(digest));
562 MD5Final(&digest[0], ctxt);
564 bcopy(&digest[0], (void *)addr, HMACSIZE);
566 kfree(state->foo, M_TEMP);
570 ah_hmac_sha1_mature(struct secasvar *sav)
572 const struct ah_algorithm *algo;
574 if (!sav->key_auth) {
575 ipseclog((LOG_ERR, "ah_hmac_sha1_mature: no key is given.\n"));
579 algo = ah_algorithm_lookup(sav->alg_auth);
581 ipseclog((LOG_ERR, "ah_hmac_sha1_mature: unsupported algorithm.\n"));
585 if (sav->key_auth->sadb_key_bits < algo->keymin
586 || algo->keymax < sav->key_auth->sadb_key_bits) {
588 "ah_hmac_sha1_mature: invalid key length %d.\n",
589 sav->key_auth->sadb_key_bits));
597 ah_hmac_sha1_init(struct ah_algorithm_state *state, struct secasvar *sav)
602 u_char tk[SHA1_RESULTLEN]; /* SHA-1 generates 160 bits */
608 panic("ah_hmac_sha1_init: what?");
611 state->foo = (void *)kmalloc(64 + 64 + sizeof(SHA1_CTX),
616 ipad = (u_char *)state->foo;
617 opad = (u_char *)(ipad + 64);
618 ctxt = (SHA1_CTX *)(opad + 64);
620 /* compress the key if necessery */
621 if (64 < _KEYLEN(state->sav->key_auth)) {
623 SHA1Update(ctxt, _KEYBUF(state->sav->key_auth),
624 _KEYLEN(state->sav->key_auth));
625 SHA1Final(&tk[0], ctxt);
627 keylen = SHA1_RESULTLEN;
629 key = _KEYBUF(state->sav->key_auth);
630 keylen = _KEYLEN(state->sav->key_auth);
635 bcopy(key, ipad, keylen);
636 bcopy(key, opad, keylen);
637 for (i = 0; i < 64; i++) {
643 SHA1Update(ctxt, ipad, 64);
649 ah_hmac_sha1_loop(struct ah_algorithm_state *state, caddr_t addr, size_t len)
653 if (!state || !state->foo)
654 panic("ah_hmac_sha1_loop: what?");
656 ctxt = (SHA1_CTX *)(((u_char *)state->foo) + 128);
657 SHA1Update(ctxt, addr, len);
661 ah_hmac_sha1_result(struct ah_algorithm_state *state, caddr_t addr)
663 u_char digest[SHA1_RESULTLEN]; /* SHA-1 generates 160 bits */
668 if (!state || !state->foo)
669 panic("ah_hmac_sha1_result: what?");
671 ipad = (u_char *)state->foo;
672 opad = (u_char *)(ipad + 64);
673 ctxt = (SHA1_CTX *)(opad + 64);
675 SHA1Final((caddr_t)&digest[0], ctxt);
678 SHA1Update(ctxt, opad, 64);
679 SHA1Update(ctxt, (caddr_t)&digest[0], sizeof(digest));
680 SHA1Final((caddr_t)&digest[0], ctxt);
682 bcopy(&digest[0], (void *)addr, HMACSIZE);
684 kfree(state->foo, M_TEMP);
688 ah_hmac_sha2_256_mature(struct secasvar *sav)
690 const struct ah_algorithm *algo;
692 if (!sav->key_auth) {
694 "ah_hmac_sha2_256_mature: no key is given.\n"));
698 algo = ah_algorithm_lookup(sav->alg_auth);
701 "ah_hmac_sha2_256_mature: unsupported algorithm.\n"));
705 if (sav->key_auth->sadb_key_bits < algo->keymin ||
706 algo->keymax < sav->key_auth->sadb_key_bits) {
708 "ah_hmac_sha2_256_mature: invalid key length %d.\n",
709 sav->key_auth->sadb_key_bits));
717 ah_hmac_sha2_256_init(struct ah_algorithm_state *state, struct secasvar *sav)
722 u_char tk[SHA256_DIGEST_LENGTH];
728 panic("ah_hmac_sha2_256_init: what?");
731 state->foo = (void *)kmalloc(64 + 64 + sizeof(SHA256_CTX),
736 ipad = (u_char *)state->foo;
737 opad = (u_char *)(ipad + 64);
738 ctxt = (SHA256_CTX *)(opad + 64);
740 /* compress the key if necessery */
741 if (64 < _KEYLEN(state->sav->key_auth)) {
742 bzero(tk, sizeof(tk));
743 bzero(ctxt, sizeof(*ctxt));
745 SHA256_Update(ctxt, _KEYBUF(state->sav->key_auth),
746 _KEYLEN(state->sav->key_auth));
747 SHA256_Final(&tk[0], ctxt);
749 keylen = sizeof(tk) < 64 ? sizeof(tk) : 64;
751 key = _KEYBUF(state->sav->key_auth);
752 keylen = _KEYLEN(state->sav->key_auth);
757 bcopy(key, ipad, keylen);
758 bcopy(key, opad, keylen);
759 for (i = 0; i < 64; i++) {
764 bzero(ctxt, sizeof(*ctxt));
766 SHA256_Update(ctxt, ipad, 64);
772 ah_hmac_sha2_256_loop(struct ah_algorithm_state *state, caddr_t addr, size_t
777 if (!state || !state->foo)
778 panic("ah_hmac_sha2_256_loop: what?");
780 ctxt = (SHA256_CTX *)(((u_char *)state->foo) + 128);
781 SHA256_Update(ctxt, addr, len);
785 ah_hmac_sha2_256_result(struct ah_algorithm_state *state, caddr_t addr)
787 u_char digest[SHA256_DIGEST_LENGTH];
792 if (!state || !state->foo)
793 panic("ah_hmac_sha2_256_result: what?");
795 ipad = (u_char *)state->foo;
796 opad = (u_char *)(ipad + 64);
797 ctxt = (SHA256_CTX *)(opad + 64);
799 SHA256_Final((caddr_t)&digest[0], ctxt);
801 bzero(ctxt, sizeof(*ctxt));
803 SHA256_Update(ctxt, opad, 64);
804 SHA256_Update(ctxt, (caddr_t)&digest[0], sizeof(digest));
805 SHA256_Final((caddr_t)&digest[0], ctxt);
807 bcopy(&digest[0], (void *)addr, HMACSIZE);
809 kfree(state->foo, M_TEMP);
813 ah_hmac_sha2_384_mature(struct secasvar *sav)
815 const struct ah_algorithm *algo;
817 if (!sav->key_auth) {
819 "ah_hmac_sha2_384_mature: no key is given.\n"));
823 algo = ah_algorithm_lookup(sav->alg_auth);
826 "ah_hmac_sha2_384_mature: unsupported algorithm.\n"));
830 if (sav->key_auth->sadb_key_bits < algo->keymin ||
831 algo->keymax < sav->key_auth->sadb_key_bits) {
833 "ah_hmac_sha2_384_mature: invalid key length %d.\n",
834 sav->key_auth->sadb_key_bits));
842 ah_hmac_sha2_384_init(struct ah_algorithm_state *state, struct secasvar *sav)
847 u_char tk[SHA384_DIGEST_LENGTH];
853 panic("ah_hmac_sha2_384_init: what?");
856 state->foo = (void *)kmalloc(64 + 64 + sizeof(SHA384_CTX),
857 M_TEMP, M_NOWAIT | M_ZERO);
861 ipad = (u_char *)state->foo;
862 opad = (u_char *)(ipad + 64);
863 ctxt = (SHA384_CTX *)(opad + 64);
865 /* compress the key if necessery */
866 if (64 < _KEYLEN(state->sav->key_auth)) {
867 bzero(tk, sizeof(tk));
868 bzero(ctxt, sizeof(*ctxt));
870 SHA384_Update(ctxt, _KEYBUF(state->sav->key_auth),
871 _KEYLEN(state->sav->key_auth));
872 SHA384_Final(&tk[0], ctxt);
874 keylen = sizeof(tk) < 64 ? sizeof(tk) : 64;
876 key = _KEYBUF(state->sav->key_auth);
877 keylen = _KEYLEN(state->sav->key_auth);
882 bcopy(key, ipad, keylen);
883 bcopy(key, opad, keylen);
884 for (i = 0; i < 64; i++) {
889 bzero(ctxt, sizeof(*ctxt));
891 SHA384_Update(ctxt, ipad, 64);
897 ah_hmac_sha2_384_loop(struct ah_algorithm_state *state, caddr_t addr,
902 if (!state || !state->foo)
903 panic("ah_hmac_sha2_384_loop: what?");
905 ctxt = (SHA384_CTX *)(((u_char *)state->foo) + 128);
906 SHA384_Update(ctxt, addr, len);
910 ah_hmac_sha2_384_result(struct ah_algorithm_state *state, caddr_t addr)
912 u_char digest[SHA384_DIGEST_LENGTH];
917 if (!state || !state->foo)
918 panic("ah_hmac_sha2_384_result: what?");
920 ipad = (u_char *)state->foo;
921 opad = (u_char *)(ipad + 64);
922 ctxt = (SHA384_CTX *)(opad + 64);
924 SHA384_Final((caddr_t)&digest[0], ctxt);
926 bzero(ctxt, sizeof(*ctxt));
928 SHA384_Update(ctxt, opad, 64);
929 SHA384_Update(ctxt, (caddr_t)&digest[0], sizeof(digest));
930 SHA384_Final((caddr_t)&digest[0], ctxt);
932 bcopy(&digest[0], (void *)addr, HMACSIZE);
934 kfree(state->foo, M_TEMP);
938 ah_hmac_sha2_512_mature(struct secasvar *sav)
940 const struct ah_algorithm *algo;
942 if (!sav->key_auth) {
944 "ah_hmac_sha2_512_mature: no key is given.\n"));
948 algo = ah_algorithm_lookup(sav->alg_auth);
951 "ah_hmac_sha2_512_mature: unsupported algorithm.\n"));
955 if (sav->key_auth->sadb_key_bits < algo->keymin ||
956 algo->keymax < sav->key_auth->sadb_key_bits) {
958 "ah_hmac_sha2_512_mature: invalid key length %d.\n",
959 sav->key_auth->sadb_key_bits));
967 ah_hmac_sha2_512_init(struct ah_algorithm_state *state, struct secasvar *sav)
972 u_char tk[SHA512_DIGEST_LENGTH];
978 panic("ah_hmac_sha2_512_init: what?");
981 state->foo = (void *)kmalloc(64 + 64 + sizeof(SHA512_CTX),
982 M_TEMP, M_NOWAIT | M_ZERO);
986 ipad = (u_char *)state->foo;
987 opad = (u_char *)(ipad + 64);
988 ctxt = (SHA512_CTX *)(opad + 64);
990 /* compress the key if necessery */
991 if (64 < _KEYLEN(state->sav->key_auth)) {
992 bzero(tk, sizeof(tk));
993 bzero(ctxt, sizeof(*ctxt));
995 SHA512_Update(ctxt, _KEYBUF(state->sav->key_auth),
996 _KEYLEN(state->sav->key_auth));
997 SHA512_Final(&tk[0], ctxt);
999 keylen = sizeof(tk) < 64 ? sizeof(tk) : 64;
1001 key = _KEYBUF(state->sav->key_auth);
1002 keylen = _KEYLEN(state->sav->key_auth);
1007 bcopy(key, ipad, keylen);
1008 bcopy(key, opad, keylen);
1009 for (i = 0; i < 64; i++) {
1014 bzero(ctxt, sizeof(*ctxt));
1016 SHA512_Update(ctxt, ipad, 64);
1022 ah_hmac_sha2_512_loop(struct ah_algorithm_state *state, caddr_t addr,
1027 if (!state || !state->foo)
1028 panic("ah_hmac_sha2_512_loop: what?");
1030 ctxt = (SHA512_CTX *)(((u_char *)state->foo) + 128);
1031 SHA512_Update(ctxt, addr, len);
1035 ah_hmac_sha2_512_result(struct ah_algorithm_state *state, caddr_t addr)
1037 u_char digest[SHA512_DIGEST_LENGTH];
1042 if (!state || !state->foo)
1043 panic("ah_hmac_sha2_512_result: what?");
1045 ipad = (u_char *)state->foo;
1046 opad = (u_char *)(ipad + 64);
1047 ctxt = (SHA512_CTX *)(opad + 64);
1049 SHA512_Final((caddr_t)&digest[0], ctxt);
1051 bzero(ctxt, sizeof(*ctxt));
1053 SHA512_Update(ctxt, opad, 64);
1054 SHA512_Update(ctxt, (caddr_t)&digest[0], sizeof(digest));
1055 SHA512_Final((caddr_t)&digest[0], ctxt);
1057 bcopy(&digest[0], (void *)addr, HMACSIZE);
1059 kfree(state->foo, M_TEMP);
1062 /*------------------------------------------------------------*/
1065 * go generate the checksum.
1068 ah_update_mbuf(struct mbuf *m, int off, int len,
1069 const struct ah_algorithm *algo,
1070 struct ah_algorithm_state *algos)
1075 /* easy case first */
1076 if (off + len <= m->m_len) {
1077 (algo->update)(algos, mtod(m, caddr_t) + off, len);
1081 for (n = m; n; n = n->m_next) {
1089 panic("ah_update_mbuf: wrong offset specified");
1091 for (/* nothing */; n && len > 0; n = n->m_next) {
1094 if (n->m_len - off < len)
1095 tlen = n->m_len - off;
1099 (algo->update)(algos, mtod(n, caddr_t) + off, tlen);
1108 * Go generate the checksum. This function won't modify the mbuf chain
1111 * NOTE: the function does not free mbuf on failure.
1112 * Don't use m_copy(), it will try to share cluster mbuf by using refcnt.
1115 ah4_calccksum(struct mbuf *m, caddr_t ahdat, size_t len,
1116 const struct ah_algorithm *algo, struct secasvar *sav)
1120 size_t advancewidth;
1121 struct ah_algorithm_state algos;
1122 u_char sumbuf[AH_MAXSUMSIZE];
1125 struct mbuf *n = NULL;
1127 if ((m->m_flags & M_PKTHDR) == 0)
1131 hdrtype = -1; /* dummy, it is called IPPROTO_IP */
1135 error = (algo->init)(&algos, sav);
1139 advancewidth = 0; /* safety */
1144 case -1: /* first one only */
1147 * copy ip hdr, modify to fit the AH checksum rule,
1148 * then take a checksum.
1153 m_copydata(m, off, sizeof(iphdr), (caddr_t)&iphdr);
1155 hlen = IP_VHL_HL(iphdr.ip_vhl) << 2;
1157 hlen = iphdr.ip_hl << 2;
1160 iphdr.ip_sum = htons(0);
1161 if (ip4_ah_cleartos)
1163 iphdr.ip_off = htons(ntohs(iphdr.ip_off) & ip4_ah_offsetmask);
1164 (algo->update)(&algos, (caddr_t)&iphdr, sizeof(struct ip));
1166 if (hlen != sizeof(struct ip)) {
1170 if (hlen > MCLBYTES) {
1174 n = m_getb(hlen, MB_DONTWAIT, MT_DATA, 0);
1179 m_copydata(m, off, hlen, mtod(n, caddr_t));
1182 * IP options processing.
1183 * See RFC2402 appendix A.
1185 p = mtod(n, u_char *);
1186 i = sizeof(struct ip);
1188 if (i + IPOPT_OPTVAL >= hlen) {
1189 ipseclog((LOG_ERR, "ah4_calccksum: "
1190 "invalid IP option\n"));
1194 if (p[i + IPOPT_OPTVAL] == IPOPT_EOL ||
1195 p[i + IPOPT_OPTVAL] == IPOPT_NOP ||
1196 i + IPOPT_OLEN < hlen)
1200 "ah4_calccksum: invalid IP option "
1202 p[i + IPOPT_OPTVAL]));
1208 switch (p[i + IPOPT_OPTVAL]) {
1214 case IPOPT_SECURITY: /* 0x82 */
1215 case 0x85: /* Extended security */
1216 case 0x86: /* Commercial security */
1217 case 0x94: /* Router alert */
1218 case 0x95: /* RFC1770 */
1219 l = p[i + IPOPT_OLEN];
1225 l = p[i + IPOPT_OLEN];
1231 if (l < 1 || hlen - i < l) {
1234 "ah4_calccksum: invalid IP option "
1235 "(type=%02x len=%02x)\n",
1236 p[i + IPOPT_OPTVAL],
1237 p[i + IPOPT_OLEN]));
1243 if (p[i + IPOPT_OPTVAL] == IPOPT_EOL)
1247 p = mtod(n, u_char *) + sizeof(struct ip);
1248 (algo->update)(&algos, p, hlen - sizeof(struct ip));
1254 hdrtype = (iphdr.ip_p) & 0xff;
1255 advancewidth = hlen;
1266 m_copydata(m, off, sizeof(ah), (caddr_t)&ah);
1267 hdrsiz = (sav->flags & SADB_X_EXT_OLD)
1269 : sizeof(struct newah);
1270 siz = (*algo->sumsiz)(sav);
1271 totlen = (ah.ah_len + 2) << 2;
1274 * special treatment is necessary for the first one, not others
1277 if (totlen > m->m_pkthdr.len - off ||
1278 totlen > MCLBYTES) {
1282 n = m_getb(totlen, MB_DONTWAIT, MT_DATA, 0);
1287 m_copydata(m, off, totlen, mtod(n, caddr_t));
1289 bzero(mtod(n, caddr_t) + hdrsiz, siz);
1290 (algo->update)(&algos, mtod(n, caddr_t), n->m_len);
1294 ah_update_mbuf(m, off, totlen, algo, &algos);
1297 hdrtype = ah.ah_nxt;
1298 advancewidth = totlen;
1303 ah_update_mbuf(m, off, m->m_pkthdr.len - off, algo, &algos);
1304 advancewidth = m->m_pkthdr.len - off;
1308 off += advancewidth;
1309 if (off < m->m_pkthdr.len)
1312 if (len < (*algo->sumsiz)(sav)) {
1317 (algo->result)(&algos, &sumbuf[0]);
1318 bcopy(&sumbuf[0], ahdat, (*algo->sumsiz)(sav));
1333 * Go generate the checksum. This function won't modify the mbuf chain
1336 * NOTE: the function does not free mbuf on failure.
1337 * Don't use m_copy(), it will try to share cluster mbuf by using refcnt.
1340 ah6_calccksum(struct mbuf *m, caddr_t ahdat, size_t len,
1341 const struct ah_algorithm *algo, struct secasvar *sav)
1345 struct mbuf *n = NULL;
1348 struct ah_algorithm_state algos;
1349 u_char sumbuf[AH_MAXSUMSIZE];
1351 if ((m->m_flags & M_PKTHDR) == 0)
1354 error = (algo->init)(&algos, sav);
1359 proto = IPPROTO_IPV6;
1364 newoff = ip6_nexthdr(m, off, proto, &nxt);
1366 newoff = m->m_pkthdr.len;
1367 else if (newoff <= off) {
1375 * special treatment is necessary for the first one, not others
1378 struct ip6_hdr ip6copy;
1380 if (newoff - off != sizeof(struct ip6_hdr)) {
1385 m_copydata(m, off, newoff - off, (caddr_t)&ip6copy);
1387 ip6copy.ip6_flow = 0;
1388 ip6copy.ip6_vfc &= ~IPV6_VERSION_MASK;
1389 ip6copy.ip6_vfc |= IPV6_VERSION;
1390 ip6copy.ip6_hlim = 0;
1391 if (IN6_IS_ADDR_LINKLOCAL(&ip6copy.ip6_src))
1392 ip6copy.ip6_src.s6_addr16[1] = 0x0000;
1393 if (IN6_IS_ADDR_LINKLOCAL(&ip6copy.ip6_dst))
1394 ip6copy.ip6_dst.s6_addr16[1] = 0x0000;
1395 (algo->update)(&algos, (caddr_t)&ip6copy,
1396 sizeof(struct ip6_hdr));
1398 newoff = m->m_pkthdr.len;
1399 ah_update_mbuf(m, off, m->m_pkthdr.len - off, algo,
1409 hdrsiz = (sav->flags & SADB_X_EXT_OLD)
1411 : sizeof(struct newah);
1412 siz = (*algo->sumsiz)(sav);
1415 * special treatment is necessary for the first one, not others
1418 if (newoff - off > MCLBYTES) {
1422 n = m_getb(newoff - off, MB_DONTWAIT, MT_DATA, 0);
1427 m_copydata(m, off, newoff - off, mtod(n, caddr_t));
1428 n->m_len = newoff - off;
1429 bzero(mtod(n, caddr_t) + hdrsiz, siz);
1430 (algo->update)(&algos, mtod(n, caddr_t), n->m_len);
1434 ah_update_mbuf(m, off, newoff - off, algo, &algos);
1439 case IPPROTO_HOPOPTS:
1440 case IPPROTO_DSTOPTS:
1442 struct ip6_ext *ip6e;
1444 u_int8_t *p, *optend, *optp;
1446 if (newoff - off > MCLBYTES) {
1450 n = m_getb(newoff - off, MB_DONTWAIT, MT_DATA, 0);
1455 m_copydata(m, off, newoff - off, mtod(n, caddr_t));
1456 n->m_len = newoff - off;
1458 ip6e = mtod(n, struct ip6_ext *);
1459 hdrlen = (ip6e->ip6e_len + 1) << 3;
1460 if (newoff - off < hdrlen) {
1466 p = mtod(n, u_int8_t *);
1467 optend = p + hdrlen;
1470 * ICV calculation for the options header including all
1471 * options. This part is a little tricky since there are
1472 * two type of options; mutable and immutable. We try to
1473 * null-out mutable ones here.
1476 while (optp < optend) {
1477 if (optp[0] == IP6OPT_PAD1)
1480 if (optp + 2 > optend) {
1486 optlen = optp[1] + 2;
1488 if (optp[0] & IP6OPT_MUTABLE)
1489 bzero(optp + 2, optlen - 2);
1495 (algo->update)(&algos, mtod(n, caddr_t), n->m_len);
1501 case IPPROTO_ROUTING:
1503 * For an input packet, we can just calculate `as is'.
1504 * For an output packet, we assume ip6_output have already
1505 * made packet how it will be received at the final
1511 ah_update_mbuf(m, off, newoff - off, algo, &algos);
1515 if (newoff < m->m_pkthdr.len) {
1521 if (len < (*algo->sumsiz)(sav)) {
1526 (algo->result)(&algos, &sumbuf[0]);
1527 bcopy(&sumbuf[0], ahdat, (*algo->sumsiz)(sav));