1 //==========================================================================
3 // src/sys/netinet6/ah_core.c
5 //==========================================================================
6 //####BSDCOPYRIGHTBEGIN####
8 // -------------------------------------------
10 // Portions of this software may have been derived from OpenBSD,
11 // FreeBSD or other sources, and are covered by the appropriate
12 // copyright disclaimers included herein.
14 // Portions created by Red Hat are
15 // Copyright (C) 2002 Red Hat, Inc. All Rights Reserved.
17 // -------------------------------------------
19 //####BSDCOPYRIGHTEND####
20 //==========================================================================
22 /* $KAME: ah_core.c,v 1.47 2001/10/29 04:43:08 itojun Exp $ */
25 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
26 * All rights reserved.
28 * Redistribution and use in source and binary forms, with or without
29 * modification, are permitted provided that the following conditions
31 * 1. Redistributions of source code must retain the above copyright
32 * notice, this list of conditions and the following disclaimer.
33 * 2. Redistributions in binary form must reproduce the above copyright
34 * notice, this list of conditions and the following disclaimer in the
35 * documentation and/or other materials provided with the distribution.
36 * 3. Neither the name of the project nor the names of its contributors
37 * may be used to endorse or promote products derived from this software
38 * without specific prior written permission.
40 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
54 * RFC1826/2402 authentication header.
57 /* TODO: have shared routines for hmac-* algorithms */
59 #include <sys/param.h>
60 #include <sys/malloc.h>
62 #include <sys/domain.h>
63 #include <sys/protosw.h>
64 #include <sys/socket.h>
65 #include <sys/socketvar.h>
66 #include <sys/errno.h>
68 #if !(defined(__FreeBSD__) && __FreeBSD__ >= 4)
69 #include <sys/kernel.h>
73 #include <net/route.h>
75 #include <netinet/in.h>
76 #include <netinet/in_systm.h>
77 #include <netinet/ip.h>
78 #include <netinet/in_var.h>
81 #include <netinet/ip6.h>
82 #include <netinet6/ip6_var.h>
83 #include <netinet/icmp6.h>
86 #include <netinet6/ipsec.h>
87 #include <netinet6/ah.h>
89 #include <netinet6/esp.h>
91 #include <net/pfkeyv2.h>
92 #include <netkey/keydb.h>
96 #include <crypto/md5.h>
100 #define SHA1_RESULTLEN 20
102 #include <crypto/sha1.h>
104 #include <crypto/sha2/sha2.h>
108 static int ah_sumsiz_1216 __P((struct secasvar *));
109 static int ah_sumsiz_zero __P((struct secasvar *));
110 static int ah_none_mature __P((struct secasvar *));
111 static int ah_none_init __P((struct ah_algorithm_state *, struct secasvar *));
112 static void ah_none_loop __P((struct ah_algorithm_state *, caddr_t, size_t));
113 static void ah_none_result __P((struct ah_algorithm_state *, caddr_t));
114 static int ah_keyed_md5_mature __P((struct secasvar *));
115 static int ah_keyed_md5_init __P((struct ah_algorithm_state *,
117 static void ah_keyed_md5_loop __P((struct ah_algorithm_state *, caddr_t,
119 static void ah_keyed_md5_result __P((struct ah_algorithm_state *, caddr_t));
120 static int ah_keyed_sha1_mature __P((struct secasvar *));
121 static int ah_keyed_sha1_init __P((struct ah_algorithm_state *,
123 static void ah_keyed_sha1_loop __P((struct ah_algorithm_state *, caddr_t,
125 static void ah_keyed_sha1_result __P((struct ah_algorithm_state *, caddr_t));
126 static int ah_hmac_md5_mature __P((struct secasvar *));
127 static int ah_hmac_md5_init __P((struct ah_algorithm_state *,
129 static void ah_hmac_md5_loop __P((struct ah_algorithm_state *, caddr_t,
131 static void ah_hmac_md5_result __P((struct ah_algorithm_state *, caddr_t));
132 static int ah_hmac_sha1_mature __P((struct secasvar *));
133 static int ah_hmac_sha1_init __P((struct ah_algorithm_state *,
135 static void ah_hmac_sha1_loop __P((struct ah_algorithm_state *, caddr_t,
137 static void ah_hmac_sha1_result __P((struct ah_algorithm_state *, caddr_t));
138 static int ah_hmac_sha2_256_mature __P((struct secasvar *));
139 static int ah_hmac_sha2_256_init __P((struct ah_algorithm_state *,
141 static void ah_hmac_sha2_256_loop __P((struct ah_algorithm_state *, caddr_t,
143 static void ah_hmac_sha2_256_result __P((struct ah_algorithm_state *, caddr_t));
144 static int ah_hmac_sha2_384_mature __P((struct secasvar *));
145 static int ah_hmac_sha2_384_init __P((struct ah_algorithm_state *,
147 static void ah_hmac_sha2_384_loop __P((struct ah_algorithm_state *, caddr_t,
149 static void ah_hmac_sha2_384_result __P((struct ah_algorithm_state *, caddr_t));
150 static int ah_hmac_sha2_512_mature __P((struct secasvar *));
151 static int ah_hmac_sha2_512_init __P((struct ah_algorithm_state *,
153 static void ah_hmac_sha2_512_loop __P((struct ah_algorithm_state *, caddr_t,
155 static void ah_hmac_sha2_512_result __P((struct ah_algorithm_state *, caddr_t));
157 static void ah_update_mbuf __P((struct mbuf *, int, int,
158 const struct ah_algorithm *, struct ah_algorithm_state *));
160 const struct ah_algorithm *
161 ah_algorithm_lookup(idx)
164 /* checksum algorithms */
165 static struct ah_algorithm ah_algorithms[] = {
166 { ah_sumsiz_1216, ah_hmac_md5_mature, 128, 128, "hmac-md5",
167 ah_hmac_md5_init, ah_hmac_md5_loop,
168 ah_hmac_md5_result, },
169 { ah_sumsiz_1216, ah_hmac_sha1_mature, 160, 160, "hmac-sha1",
170 ah_hmac_sha1_init, ah_hmac_sha1_loop,
171 ah_hmac_sha1_result, },
172 { ah_sumsiz_1216, ah_keyed_md5_mature, 128, 128, "keyed-md5",
173 ah_keyed_md5_init, ah_keyed_md5_loop,
174 ah_keyed_md5_result, },
175 { ah_sumsiz_1216, ah_keyed_sha1_mature, 160, 160, "keyed-sha1",
176 ah_keyed_sha1_init, ah_keyed_sha1_loop,
177 ah_keyed_sha1_result, },
178 { ah_sumsiz_zero, ah_none_mature, 0, 2048, "none",
179 ah_none_init, ah_none_loop, ah_none_result, },
180 { ah_sumsiz_1216, ah_hmac_sha2_256_mature, 256, 256,
182 ah_hmac_sha2_256_init, ah_hmac_sha2_256_loop,
183 ah_hmac_sha2_256_result, },
184 { ah_sumsiz_1216, ah_hmac_sha2_384_mature, 384, 384,
186 ah_hmac_sha2_384_init, ah_hmac_sha2_384_loop,
187 ah_hmac_sha2_384_result, },
188 { ah_sumsiz_1216, ah_hmac_sha2_512_mature, 512, 512,
190 ah_hmac_sha2_512_init, ah_hmac_sha2_512_loop,
191 ah_hmac_sha2_512_result, },
195 case SADB_AALG_MD5HMAC:
196 return &ah_algorithms[0];
197 case SADB_AALG_SHA1HMAC:
198 return &ah_algorithms[1];
199 case SADB_X_AALG_MD5:
200 return &ah_algorithms[2];
201 case SADB_X_AALG_SHA:
202 return &ah_algorithms[3];
203 case SADB_X_AALG_NULL:
204 return &ah_algorithms[4];
205 case SADB_X_AALG_SHA2_256:
206 return &ah_algorithms[5];
207 case SADB_X_AALG_SHA2_384:
208 return &ah_algorithms[6];
209 case SADB_X_AALG_SHA2_512:
210 return &ah_algorithms[7];
219 struct secasvar *sav;
223 if (sav->flags & SADB_X_EXT_OLD)
231 struct secasvar *sav;
240 struct secasvar *sav;
242 if (sav->sah->saidx.proto == IPPROTO_AH) {
244 "ah_none_mature: protocol and algorithm mismatch.\n"));
251 ah_none_init(state, sav)
252 struct ah_algorithm_state *state;
253 struct secasvar *sav;
260 ah_none_loop(state, addr, len)
261 struct ah_algorithm_state *state;
268 ah_none_result(state, addr)
269 struct ah_algorithm_state *state;
275 ah_keyed_md5_mature(sav)
276 struct secasvar *sav;
278 /* anything is okay */
283 ah_keyed_md5_init(state, sav)
284 struct ah_algorithm_state *state;
285 struct secasvar *sav;
292 panic("ah_keyed_md5_init: what?");
295 state->foo = (void *)malloc(sizeof(MD5_CTX), M_TEMP, M_NOWAIT);
296 if (state->foo == NULL)
299 MD5Init((MD5_CTX *)state->foo);
301 MD5Update((MD5_CTX *)state->foo,
302 (u_int8_t *)_KEYBUF(state->sav->key_auth),
303 (u_int)_KEYLEN(state->sav->key_auth));
307 * We cannot simply use md5_pad() since the function
308 * won't update the total length.
310 if (_KEYLEN(state->sav->key_auth) < 56)
311 padlen = 64 - 8 - _KEYLEN(state->sav->key_auth);
313 padlen = 64 + 64 - 8 - _KEYLEN(state->sav->key_auth);
314 keybitlen = _KEYLEN(state->sav->key_auth);
318 MD5Update((MD5_CTX *)state->foo, &buf[0], 1);
321 bzero(buf, sizeof(buf));
322 while (sizeof(buf) < padlen) {
323 MD5Update((MD5_CTX *)state->foo, &buf[0], sizeof(buf));
324 padlen -= sizeof(buf);
327 MD5Update((MD5_CTX *)state->foo, &buf[0], padlen);
330 buf[0] = (keybitlen >> 0) & 0xff;
331 buf[1] = (keybitlen >> 8) & 0xff;
332 buf[2] = (keybitlen >> 16) & 0xff;
333 buf[3] = (keybitlen >> 24) & 0xff;
334 MD5Update((MD5_CTX *)state->foo, buf, 8);
341 ah_keyed_md5_loop(state, addr, len)
342 struct ah_algorithm_state *state;
347 panic("ah_keyed_md5_loop: what?");
349 MD5Update((MD5_CTX *)state->foo, addr, len);
353 ah_keyed_md5_result(state, addr)
354 struct ah_algorithm_state *state;
360 panic("ah_keyed_md5_result: what?");
363 MD5Update((MD5_CTX *)state->foo,
364 (u_int8_t *)_KEYBUF(state->sav->key_auth),
365 (u_int)_KEYLEN(state->sav->key_auth));
367 MD5Final(&digest[0], (MD5_CTX *)state->foo);
368 free(state->foo, M_TEMP);
369 bcopy(&digest[0], (void *)addr, sizeof(digest));
373 ah_keyed_sha1_mature(sav)
374 struct secasvar *sav;
376 const struct ah_algorithm *algo;
378 if (!sav->key_auth) {
379 ipseclog((LOG_ERR, "ah_keyed_sha1_mature: no key is given.\n"));
383 algo = ah_algorithm_lookup(sav->alg_auth);
385 ipseclog((LOG_ERR, "ah_keyed_sha1_mature: unsupported algorithm.\n"));
389 if (sav->key_auth->sadb_key_bits < algo->keymin
390 || algo->keymax < sav->key_auth->sadb_key_bits) {
392 "ah_keyed_sha1_mature: invalid key length %d.\n",
393 sav->key_auth->sadb_key_bits));
401 ah_keyed_sha1_init(state, sav)
402 struct ah_algorithm_state *state;
403 struct secasvar *sav;
411 panic("ah_keyed_sha1_init: what?");
414 state->foo = (void *)malloc(sizeof(SHA1_CTX), M_TEMP, M_NOWAIT);
418 ctxt = (SHA1_CTX *)state->foo;
422 SHA1Update(ctxt, (u_int8_t *)_KEYBUF(state->sav->key_auth),
423 (u_int)_KEYLEN(state->sav->key_auth));
428 if (_KEYLEN(state->sav->key_auth) < 56)
429 padlen = 64 - 8 - _KEYLEN(state->sav->key_auth);
431 padlen = 64 + 64 - 8 - _KEYLEN(state->sav->key_auth);
432 keybitlen = _KEYLEN(state->sav->key_auth);
436 SHA1Update(ctxt, &buf[0], 1);
439 bzero(buf, sizeof(buf));
440 while (sizeof(buf) < padlen) {
441 SHA1Update(ctxt, &buf[0], sizeof(buf));
442 padlen -= sizeof(buf);
445 SHA1Update(ctxt, &buf[0], padlen);
448 buf[0] = (keybitlen >> 0) & 0xff;
449 buf[1] = (keybitlen >> 8) & 0xff;
450 buf[2] = (keybitlen >> 16) & 0xff;
451 buf[3] = (keybitlen >> 24) & 0xff;
452 SHA1Update(ctxt, buf, 8);
459 ah_keyed_sha1_loop(state, addr, len)
460 struct ah_algorithm_state *state;
466 if (!state || !state->foo)
467 panic("ah_keyed_sha1_loop: what?");
468 ctxt = (SHA1_CTX *)state->foo;
470 SHA1Update(ctxt, (caddr_t)addr, (size_t)len);
474 ah_keyed_sha1_result(state, addr)
475 struct ah_algorithm_state *state;
478 u_char digest[SHA1_RESULTLEN]; /* SHA-1 generates 160 bits */
481 if (!state || !state->foo)
482 panic("ah_keyed_sha1_result: what?");
483 ctxt = (SHA1_CTX *)state->foo;
486 SHA1Update(ctxt, (u_int8_t *)_KEYBUF(state->sav->key_auth),
487 (u_int)_KEYLEN(state->sav->key_auth));
489 SHA1Final((caddr_t)&digest[0], ctxt);
490 bcopy(&digest[0], (void *)addr, HMACSIZE);
492 free(state->foo, M_TEMP);
496 ah_hmac_md5_mature(sav)
497 struct secasvar *sav;
499 const struct ah_algorithm *algo;
501 if (!sav->key_auth) {
502 ipseclog((LOG_ERR, "ah_hmac_md5_mature: no key is given.\n"));
506 algo = ah_algorithm_lookup(sav->alg_auth);
508 ipseclog((LOG_ERR, "ah_hmac_md5_mature: unsupported algorithm.\n"));
512 if (sav->key_auth->sadb_key_bits < algo->keymin
513 || algo->keymax < sav->key_auth->sadb_key_bits) {
515 "ah_hmac_md5_mature: invalid key length %d.\n",
516 sav->key_auth->sadb_key_bits));
524 ah_hmac_md5_init(state, sav)
525 struct ah_algorithm_state *state;
526 struct secasvar *sav;
537 panic("ah_hmac_md5_init: what?");
540 state->foo = (void *)malloc(64 + 64 + sizeof(MD5_CTX), M_TEMP, M_NOWAIT);
544 ipad = (u_char *)state->foo;
545 opad = (u_char *)(ipad + 64);
546 ctxt = (MD5_CTX *)(opad + 64);
548 /* compress the key if necessery */
549 if (64 < _KEYLEN(state->sav->key_auth)) {
551 MD5Update(ctxt, _KEYBUF(state->sav->key_auth),
552 _KEYLEN(state->sav->key_auth));
553 MD5Final(&tk[0], ctxt);
557 key = _KEYBUF(state->sav->key_auth);
558 keylen = _KEYLEN(state->sav->key_auth);
563 bcopy(key, ipad, keylen);
564 bcopy(key, opad, keylen);
565 for (i = 0; i < 64; i++) {
571 MD5Update(ctxt, ipad, 64);
577 ah_hmac_md5_loop(state, addr, len)
578 struct ah_algorithm_state *state;
584 if (!state || !state->foo)
585 panic("ah_hmac_md5_loop: what?");
586 ctxt = (MD5_CTX *)(((caddr_t)state->foo) + 128);
587 MD5Update(ctxt, addr, len);
591 ah_hmac_md5_result(state, addr)
592 struct ah_algorithm_state *state;
600 if (!state || !state->foo)
601 panic("ah_hmac_md5_result: what?");
603 ipad = (u_char *)state->foo;
604 opad = (u_char *)(ipad + 64);
605 ctxt = (MD5_CTX *)(opad + 64);
607 MD5Final(&digest[0], ctxt);
610 MD5Update(ctxt, opad, 64);
611 MD5Update(ctxt, &digest[0], sizeof(digest));
612 MD5Final(&digest[0], ctxt);
614 bcopy(&digest[0], (void *)addr, HMACSIZE);
616 free(state->foo, M_TEMP);
620 ah_hmac_sha1_mature(sav)
621 struct secasvar *sav;
623 const struct ah_algorithm *algo;
625 if (!sav->key_auth) {
626 ipseclog((LOG_ERR, "ah_hmac_sha1_mature: no key is given.\n"));
630 algo = ah_algorithm_lookup(sav->alg_auth);
632 ipseclog((LOG_ERR, "ah_hmac_sha1_mature: unsupported algorithm.\n"));
636 if (sav->key_auth->sadb_key_bits < algo->keymin
637 || algo->keymax < sav->key_auth->sadb_key_bits) {
639 "ah_hmac_sha1_mature: invalid key length %d.\n",
640 sav->key_auth->sadb_key_bits));
648 ah_hmac_sha1_init(state, sav)
649 struct ah_algorithm_state *state;
650 struct secasvar *sav;
655 u_char tk[SHA1_RESULTLEN]; /* SHA-1 generates 160 bits */
661 panic("ah_hmac_sha1_init: what?");
664 state->foo = (void *)malloc(64 + 64 + sizeof(SHA1_CTX),
669 ipad = (u_char *)state->foo;
670 opad = (u_char *)(ipad + 64);
671 ctxt = (SHA1_CTX *)(opad + 64);
673 /* compress the key if necessery */
674 if (64 < _KEYLEN(state->sav->key_auth)) {
676 SHA1Update(ctxt, _KEYBUF(state->sav->key_auth),
677 _KEYLEN(state->sav->key_auth));
678 SHA1Final(&tk[0], ctxt);
680 keylen = SHA1_RESULTLEN;
682 key = _KEYBUF(state->sav->key_auth);
683 keylen = _KEYLEN(state->sav->key_auth);
688 bcopy(key, ipad, keylen);
689 bcopy(key, opad, keylen);
690 for (i = 0; i < 64; i++) {
696 SHA1Update(ctxt, ipad, 64);
702 ah_hmac_sha1_loop(state, addr, len)
703 struct ah_algorithm_state *state;
709 if (!state || !state->foo)
710 panic("ah_hmac_sha1_loop: what?");
712 ctxt = (SHA1_CTX *)(((u_char *)state->foo) + 128);
713 SHA1Update(ctxt, (caddr_t)addr, (size_t)len);
717 ah_hmac_sha1_result(state, addr)
718 struct ah_algorithm_state *state;
721 u_char digest[SHA1_RESULTLEN]; /* SHA-1 generates 160 bits */
726 if (!state || !state->foo)
727 panic("ah_hmac_sha1_result: what?");
729 ipad = (u_char *)state->foo;
730 opad = (u_char *)(ipad + 64);
731 ctxt = (SHA1_CTX *)(opad + 64);
733 SHA1Final((caddr_t)&digest[0], ctxt);
736 SHA1Update(ctxt, opad, 64);
737 SHA1Update(ctxt, (caddr_t)&digest[0], sizeof(digest));
738 SHA1Final((caddr_t)&digest[0], ctxt);
740 bcopy(&digest[0], (void *)addr, HMACSIZE);
742 free(state->foo, M_TEMP);
746 ah_hmac_sha2_256_mature(sav)
747 struct secasvar *sav;
749 const struct ah_algorithm *algo;
751 if (!sav->key_auth) {
753 "ah_hmac_sha2_256_mature: no key is given.\n"));
757 algo = ah_algorithm_lookup(sav->alg_auth);
760 "ah_hmac_sha2_256_mature: unsupported algorithm.\n"));
764 if (sav->key_auth->sadb_key_bits < algo->keymin ||
765 algo->keymax < sav->key_auth->sadb_key_bits) {
767 "ah_hmac_sha2_256_mature: invalid key length %d.\n",
768 sav->key_auth->sadb_key_bits));
776 ah_hmac_sha2_256_init(state, sav)
777 struct ah_algorithm_state *state;
778 struct secasvar *sav;
783 u_char tk[SHA256_DIGEST_LENGTH];
789 panic("ah_hmac_sha2_256_init: what?");
792 state->foo = (void *)malloc(64 + 64 + sizeof(SHA256_CTX),
797 ipad = (u_char *)state->foo;
798 opad = (u_char *)(ipad + 64);
799 ctxt = (SHA256_CTX *)(opad + 64);
801 /* compress the key if necessery */
802 if (64 < _KEYLEN(state->sav->key_auth)) {
803 bzero(tk, sizeof(tk));
804 bzero(ctxt, sizeof(*ctxt));
806 SHA256_Update(ctxt, _KEYBUF(state->sav->key_auth),
807 _KEYLEN(state->sav->key_auth));
808 SHA256_Final(&tk[0], ctxt);
810 keylen = sizeof(tk) < 64 ? sizeof(tk) : 64;
812 key = _KEYBUF(state->sav->key_auth);
813 keylen = _KEYLEN(state->sav->key_auth);
818 bcopy(key, ipad, keylen);
819 bcopy(key, opad, keylen);
820 for (i = 0; i < 64; i++) {
825 bzero(ctxt, sizeof(*ctxt));
827 SHA256_Update(ctxt, ipad, 64);
833 ah_hmac_sha2_256_loop(state, addr, len)
834 struct ah_algorithm_state *state;
840 if (!state || !state->foo)
841 panic("ah_hmac_sha2_256_loop: what?");
843 ctxt = (SHA256_CTX *)(((u_char *)state->foo) + 128);
844 SHA256_Update(ctxt, (caddr_t)addr, (size_t)len);
848 ah_hmac_sha2_256_result(state, addr)
849 struct ah_algorithm_state *state;
852 u_char digest[SHA256_DIGEST_LENGTH];
857 if (!state || !state->foo)
858 panic("ah_hmac_sha2_256_result: what?");
860 ipad = (u_char *)state->foo;
861 opad = (u_char *)(ipad + 64);
862 ctxt = (SHA256_CTX *)(opad + 64);
864 SHA256_Final((caddr_t)&digest[0], ctxt);
866 bzero(ctxt, sizeof(*ctxt));
868 SHA256_Update(ctxt, opad, 64);
869 SHA256_Update(ctxt, (caddr_t)&digest[0], sizeof(digest));
870 SHA256_Final((caddr_t)&digest[0], ctxt);
872 bcopy(&digest[0], (void *)addr, HMACSIZE);
874 free(state->foo, M_TEMP);
878 ah_hmac_sha2_384_mature(sav)
879 struct secasvar *sav;
881 const struct ah_algorithm *algo;
883 if (!sav->key_auth) {
885 "ah_hmac_sha2_384_mature: no key is given.\n"));
889 algo = ah_algorithm_lookup(sav->alg_auth);
892 "ah_hmac_sha2_384_mature: unsupported algorithm.\n"));
896 if (sav->key_auth->sadb_key_bits < algo->keymin ||
897 algo->keymax < sav->key_auth->sadb_key_bits) {
899 "ah_hmac_sha2_384_mature: invalid key length %d.\n",
900 sav->key_auth->sadb_key_bits));
908 ah_hmac_sha2_384_init(state, sav)
909 struct ah_algorithm_state *state;
910 struct secasvar *sav;
915 u_char tk[SHA384_DIGEST_LENGTH];
921 panic("ah_hmac_sha2_384_init: what?");
924 state->foo = (void *)malloc(64 + 64 + sizeof(SHA384_CTX),
928 bzero(state->foo, 64 + 64 + sizeof(SHA384_CTX));
930 ipad = (u_char *)state->foo;
931 opad = (u_char *)(ipad + 64);
932 ctxt = (SHA384_CTX *)(opad + 64);
934 /* compress the key if necessery */
935 if (64 < _KEYLEN(state->sav->key_auth)) {
936 bzero(tk, sizeof(tk));
937 bzero(ctxt, sizeof(*ctxt));
939 SHA384_Update(ctxt, _KEYBUF(state->sav->key_auth),
940 _KEYLEN(state->sav->key_auth));
941 SHA384_Final(&tk[0], ctxt);
943 keylen = sizeof(tk) < 64 ? sizeof(tk) : 64;
945 key = _KEYBUF(state->sav->key_auth);
946 keylen = _KEYLEN(state->sav->key_auth);
951 bcopy(key, ipad, keylen);
952 bcopy(key, opad, keylen);
953 for (i = 0; i < 64; i++) {
958 bzero(ctxt, sizeof(*ctxt));
960 SHA384_Update(ctxt, ipad, 64);
966 ah_hmac_sha2_384_loop(state, addr, len)
967 struct ah_algorithm_state *state;
973 if (!state || !state->foo)
974 panic("ah_hmac_sha2_384_loop: what?");
976 ctxt = (SHA384_CTX *)(((u_char *)state->foo) + 128);
977 SHA384_Update(ctxt, (caddr_t)addr, (size_t)len);
981 ah_hmac_sha2_384_result(state, addr)
982 struct ah_algorithm_state *state;
985 u_char digest[SHA384_DIGEST_LENGTH];
990 if (!state || !state->foo)
991 panic("ah_hmac_sha2_384_result: what?");
993 ipad = (u_char *)state->foo;
994 opad = (u_char *)(ipad + 64);
995 ctxt = (SHA384_CTX *)(opad + 64);
997 SHA384_Final((caddr_t)&digest[0], ctxt);
999 bzero(ctxt, sizeof(*ctxt));
1001 SHA384_Update(ctxt, opad, 64);
1002 SHA384_Update(ctxt, (caddr_t)&digest[0], sizeof(digest));
1003 SHA384_Final((caddr_t)&digest[0], ctxt);
1005 bcopy(&digest[0], (void *)addr, HMACSIZE);
1007 free(state->foo, M_TEMP);
1011 ah_hmac_sha2_512_mature(sav)
1012 struct secasvar *sav;
1014 const struct ah_algorithm *algo;
1016 if (!sav->key_auth) {
1018 "ah_hmac_sha2_512_mature: no key is given.\n"));
1022 algo = ah_algorithm_lookup(sav->alg_auth);
1025 "ah_hmac_sha2_512_mature: unsupported algorithm.\n"));
1029 if (sav->key_auth->sadb_key_bits < algo->keymin ||
1030 algo->keymax < sav->key_auth->sadb_key_bits) {
1032 "ah_hmac_sha2_512_mature: invalid key length %d.\n",
1033 sav->key_auth->sadb_key_bits));
1041 ah_hmac_sha2_512_init(state, sav)
1042 struct ah_algorithm_state *state;
1043 struct secasvar *sav;
1048 u_char tk[SHA512_DIGEST_LENGTH];
1054 panic("ah_hmac_sha2_512_init: what?");
1057 state->foo = (void *)malloc(64 + 64 + sizeof(SHA512_CTX),
1061 bzero(state->foo, 64 + 64 + sizeof(SHA512_CTX));
1063 ipad = (u_char *)state->foo;
1064 opad = (u_char *)(ipad + 64);
1065 ctxt = (SHA512_CTX *)(opad + 64);
1067 /* compress the key if necessery */
1068 if (64 < _KEYLEN(state->sav->key_auth)) {
1069 bzero(tk, sizeof(tk));
1070 bzero(ctxt, sizeof(*ctxt));
1072 SHA512_Update(ctxt, _KEYBUF(state->sav->key_auth),
1073 _KEYLEN(state->sav->key_auth));
1074 SHA512_Final(&tk[0], ctxt);
1076 keylen = sizeof(tk) < 64 ? sizeof(tk) : 64;
1078 key = _KEYBUF(state->sav->key_auth);
1079 keylen = _KEYLEN(state->sav->key_auth);
1084 bcopy(key, ipad, keylen);
1085 bcopy(key, opad, keylen);
1086 for (i = 0; i < 64; i++) {
1091 bzero(ctxt, sizeof(*ctxt));
1093 SHA512_Update(ctxt, ipad, 64);
1099 ah_hmac_sha2_512_loop(state, addr, len)
1100 struct ah_algorithm_state *state;
1106 if (!state || !state->foo)
1107 panic("ah_hmac_sha2_512_loop: what?");
1109 ctxt = (SHA512_CTX *)(((u_char *)state->foo) + 128);
1110 SHA512_Update(ctxt, (caddr_t)addr, (size_t)len);
1114 ah_hmac_sha2_512_result(state, addr)
1115 struct ah_algorithm_state *state;
1118 u_char digest[SHA512_DIGEST_LENGTH];
1123 if (!state || !state->foo)
1124 panic("ah_hmac_sha2_512_result: what?");
1126 ipad = (u_char *)state->foo;
1127 opad = (u_char *)(ipad + 64);
1128 ctxt = (SHA512_CTX *)(opad + 64);
1130 SHA512_Final((caddr_t)&digest[0], ctxt);
1132 bzero(ctxt, sizeof(*ctxt));
1134 SHA512_Update(ctxt, opad, 64);
1135 SHA512_Update(ctxt, (caddr_t)&digest[0], sizeof(digest));
1136 SHA512_Final((caddr_t)&digest[0], ctxt);
1138 bcopy(&digest[0], (void *)addr, HMACSIZE);
1140 free(state->foo, M_TEMP);
1143 /*------------------------------------------------------------*/
1146 * go generate the checksum.
1149 ah_update_mbuf(m, off, len, algo, algos)
1153 const struct ah_algorithm *algo;
1154 struct ah_algorithm_state *algos;
1159 /* easy case first */
1160 if (off + len <= m->m_len) {
1161 (algo->update)(algos, mtod(m, caddr_t) + off, len);
1165 for (n = m; n; n = n->m_next) {
1173 panic("ah_update_mbuf: wrong offset specified");
1175 for (/* nothing */; n && len > 0; n = n->m_next) {
1178 if (n->m_len - off < len)
1179 tlen = n->m_len - off;
1183 (algo->update)(algos, mtod(n, caddr_t) + off, tlen);
1192 * Go generate the checksum. This function won't modify the mbuf chain
1195 * NOTE: the function does not free mbuf on failure.
1196 * Don't use m_copy(), it will try to share cluster mbuf by using refcnt.
1199 ah4_calccksum(m, ahdat, len, algo, sav)
1203 const struct ah_algorithm *algo;
1204 struct secasvar *sav;
1208 size_t advancewidth;
1209 struct ah_algorithm_state algos;
1210 u_char sumbuf[AH_MAXSUMSIZE];
1213 struct mbuf *n = NULL;
1215 if ((m->m_flags & M_PKTHDR) == 0)
1219 hdrtype = -1; /* dummy, it is called IPPROTO_IP */
1223 error = (algo->init)(&algos, sav);
1227 advancewidth = 0; /* safety */
1232 case -1: /* first one only */
1235 * copy ip hdr, modify to fit the AH checksum rule,
1236 * then take a checksum.
1241 m_copydata(m, off, sizeof(iphdr), (caddr_t)&iphdr);
1243 hlen = IP_VHL_HL(iphdr.ip_vhl) << 2;
1245 hlen = iphdr.ip_hl << 2;
1248 iphdr.ip_sum = htons(0);
1249 if (ip4_ah_cleartos)
1251 iphdr.ip_off = htons(ntohs(iphdr.ip_off) & ip4_ah_offsetmask);
1252 (algo->update)(&algos, (caddr_t)&iphdr, sizeof(struct ip));
1254 if (hlen != sizeof(struct ip)) {
1258 if (hlen > MCLBYTES) {
1262 MGET(n, M_DONTWAIT, MT_DATA);
1263 if (n && hlen > MLEN) {
1264 MCLGET(n, M_DONTWAIT);
1265 if ((n->m_flags & M_EXT) == 0) {
1274 m_copydata(m, off, hlen, mtod(n, caddr_t));
1277 * IP options processing.
1278 * See RFC2402 appendix A.
1280 p = mtod(n, u_char *);
1281 i = sizeof(struct ip);
1283 if (i + IPOPT_OPTVAL >= hlen) {
1284 ipseclog((LOG_ERR, "ah4_calccksum: "
1285 "invalid IP option\n"));
1289 if (p[i + IPOPT_OPTVAL] == IPOPT_EOL ||
1290 p[i + IPOPT_OPTVAL] == IPOPT_NOP ||
1291 i + IPOPT_OLEN < hlen)
1295 "ah4_calccksum: invalid IP option "
1297 p[i + IPOPT_OPTVAL]));
1303 switch (p[i + IPOPT_OPTVAL]) {
1309 case IPOPT_SECURITY: /* 0x82 */
1310 case 0x85: /* Extended security */
1311 case 0x86: /* Commercial security */
1312 case 0x94: /* Router alert */
1313 case 0x95: /* RFC1770 */
1314 l = p[i + IPOPT_OLEN];
1320 l = p[i + IPOPT_OLEN];
1326 if (l < 1 || hlen - i < l) {
1329 "ah4_calccksum: invalid IP option "
1330 "(type=%02x len=%02x)\n",
1331 p[i + IPOPT_OPTVAL],
1332 p[i + IPOPT_OLEN]));
1338 if (p[i + IPOPT_OPTVAL] == IPOPT_EOL)
1342 p = mtod(n, u_char *) + sizeof(struct ip);
1343 (algo->update)(&algos, p, hlen - sizeof(struct ip));
1349 hdrtype = (iphdr.ip_p) & 0xff;
1350 advancewidth = hlen;
1361 m_copydata(m, off, sizeof(ah), (caddr_t)&ah);
1362 hdrsiz = (sav->flags & SADB_X_EXT_OLD)
1364 : sizeof(struct newah);
1365 siz = (*algo->sumsiz)(sav);
1366 totlen = (ah.ah_len + 2) << 2;
1369 * special treatment is necessary for the first one, not others
1372 if (totlen > m->m_pkthdr.len - off ||
1373 totlen > MCLBYTES) {
1377 MGET(n, M_DONTWAIT, MT_DATA);
1378 if (n && totlen > MLEN) {
1379 MCLGET(n, M_DONTWAIT);
1380 if ((n->m_flags & M_EXT) == 0) {
1389 m_copydata(m, off, totlen, mtod(n, caddr_t));
1391 bzero(mtod(n, caddr_t) + hdrsiz, siz);
1392 (algo->update)(&algos, mtod(n, caddr_t), n->m_len);
1396 ah_update_mbuf(m, off, totlen, algo, &algos);
1399 hdrtype = ah.ah_nxt;
1400 advancewidth = totlen;
1405 ah_update_mbuf(m, off, m->m_pkthdr.len - off, algo, &algos);
1406 advancewidth = m->m_pkthdr.len - off;
1410 off += advancewidth;
1411 if (off < m->m_pkthdr.len)
1414 if (len < (*algo->sumsiz)(sav)) {
1419 (algo->result)(&algos, &sumbuf[0]);
1420 bcopy(&sumbuf[0], ahdat, (*algo->sumsiz)(sav));
1435 * Go generate the checksum. This function won't modify the mbuf chain
1438 * NOTE: the function does not free mbuf on failure.
1439 * Don't use m_copy(), it will try to share cluster mbuf by using refcnt.
1442 ah6_calccksum(m, ahdat, len, algo, sav)
1446 const struct ah_algorithm *algo;
1447 struct secasvar *sav;
1451 struct mbuf *n = NULL;
1454 struct ah_algorithm_state algos;
1455 u_char sumbuf[AH_MAXSUMSIZE];
1457 if ((m->m_flags & M_PKTHDR) == 0)
1460 error = (algo->init)(&algos, sav);
1465 proto = IPPROTO_IPV6;
1470 newoff = ip6_nexthdr(m, off, proto, &nxt);
1472 newoff = m->m_pkthdr.len;
1473 else if (newoff <= off) {
1481 * special treatment is necessary for the first one, not others
1484 struct ip6_hdr ip6copy;
1486 if (newoff - off != sizeof(struct ip6_hdr)) {
1491 m_copydata(m, off, newoff - off, (caddr_t)&ip6copy);
1493 ip6copy.ip6_flow = 0;
1494 ip6copy.ip6_vfc &= ~IPV6_VERSION_MASK;
1495 ip6copy.ip6_vfc |= IPV6_VERSION;
1496 ip6copy.ip6_hlim = 0;
1497 if (IN6_IS_ADDR_LINKLOCAL(&ip6copy.ip6_src))
1498 ip6copy.ip6_src.s6_addr16[1] = 0x0000;
1499 if (IN6_IS_ADDR_LINKLOCAL(&ip6copy.ip6_dst))
1500 ip6copy.ip6_dst.s6_addr16[1] = 0x0000;
1501 (algo->update)(&algos, (caddr_t)&ip6copy,
1502 sizeof(struct ip6_hdr));
1504 newoff = m->m_pkthdr.len;
1505 ah_update_mbuf(m, off, m->m_pkthdr.len - off, algo,
1515 hdrsiz = (sav->flags & SADB_X_EXT_OLD)
1517 : sizeof(struct newah);
1518 siz = (*algo->sumsiz)(sav);
1521 * special treatment is necessary for the first one, not others
1524 if (newoff - off > MCLBYTES) {
1528 MGET(n, M_DONTWAIT, MT_DATA);
1529 if (n && newoff - off > MLEN) {
1530 MCLGET(n, M_DONTWAIT);
1531 if ((n->m_flags & M_EXT) == 0) {
1540 m_copydata(m, off, newoff - off, mtod(n, caddr_t));
1541 n->m_len = newoff - off;
1542 bzero(mtod(n, caddr_t) + hdrsiz, siz);
1543 (algo->update)(&algos, mtod(n, caddr_t), n->m_len);
1547 ah_update_mbuf(m, off, newoff - off, algo, &algos);
1552 case IPPROTO_HOPOPTS:
1553 case IPPROTO_DSTOPTS:
1555 struct ip6_ext *ip6e;
1557 u_int8_t *p, *optend, *optp;
1559 if (newoff - off > MCLBYTES) {
1563 MGET(n, M_DONTWAIT, MT_DATA);
1564 if (n && newoff - off > MLEN) {
1565 MCLGET(n, M_DONTWAIT);
1566 if ((n->m_flags & M_EXT) == 0) {
1575 m_copydata(m, off, newoff - off, mtod(n, caddr_t));
1576 n->m_len = newoff - off;
1578 ip6e = mtod(n, struct ip6_ext *);
1579 hdrlen = (ip6e->ip6e_len + 1) << 3;
1580 if (newoff - off < hdrlen) {
1586 p = mtod(n, u_int8_t *);
1587 optend = p + hdrlen;
1590 * ICV calculation for the options header including all
1591 * options. This part is a little tricky since there are
1592 * two type of options; mutable and immutable. We try to
1593 * null-out mutable ones here.
1596 while (optp < optend) {
1597 if (optp[0] == IP6OPT_PAD1)
1600 if (optp + 2 > optend) {
1606 optlen = optp[1] + 2;
1609 if (optp + optlen > optend) {
1616 if (optp[0] & IP6OPT_MUTABLE)
1617 bzero(optp + 2, optlen - 2);
1622 (algo->update)(&algos, mtod(n, caddr_t), n->m_len);
1628 case IPPROTO_ROUTING:
1630 * For an input packet, we can just calculate `as is'.
1631 * For an output packet, we assume ip6_output have already
1632 * made packet how it will be received at the final
1638 ah_update_mbuf(m, off, newoff - off, algo, &algos);
1642 if (newoff < m->m_pkthdr.len) {
1648 if (len < (*algo->sumsiz)(sav)) {
1653 (algo->result)(&algos, &sumbuf[0]);
1654 bcopy(&sumbuf[0], ahdat, (*algo->sumsiz)(sav));