2 /* $KAME: ah_core.c,v 1.59 2003/07/25 10:17:14 itojun Exp $ */
5 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 * 3. Neither the name of the project nor the names of its contributors
17 * may be used to endorse or promote products derived from this software
18 * without specific prior written permission.
20 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
21 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
24 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34 * RFC1826/2402 authentication header.
37 /* TODO: have shared routines for hmac-* algorithms */
40 #include "opt_inet6.h"
41 #include "opt_ipsec.h"
43 #include <sys/param.h>
44 #include <sys/systm.h>
45 #include <sys/malloc.h>
47 #include <sys/domain.h>
48 #include <sys/protosw.h>
49 #include <sys/socket.h>
50 #include <sys/socketvar.h>
51 #include <sys/errno.h>
53 #include <sys/syslog.h>
56 #include <net/route.h>
58 #include <netinet/in.h>
59 #include <netinet/in_systm.h>
60 #include <netinet/ip.h>
61 #include <netinet/in_var.h>
64 #include <netinet/ip6.h>
65 #include <netinet6/ip6_var.h>
66 #include <netinet6/scope6_var.h>
67 #include <netinet/icmp6.h>
70 #include <netinet6/ipsec.h>
72 #include <netinet6/ipsec6.h>
74 #include <netinet6/ah.h>
76 #include <netinet6/ah6.h>
78 #include <netinet6/ah_aesxcbcmac.h>
80 #include <netinet6/esp.h>
82 #include <netinet6/esp6.h>
85 #include <net/pfkeyv2.h>
86 #include <netkey/keydb.h>
88 #define MD5_RESULTLEN 16
89 #include <crypto/sha1.h>
90 #include <crypto/sha2/sha2.h>
91 #include <opencrypto/rmd160.h>
92 #define RIPEMD160_RESULTLEN 20
94 static int ah_sumsiz_1216 __P((struct secasvar *));
95 static int ah_sumsiz_zero __P((struct secasvar *));
96 static int ah_common_mature __P((struct secasvar *));
97 static int ah_none_mature __P((struct secasvar *));
98 static int ah_none_init __P((struct ah_algorithm_state *, struct secasvar *));
99 static void ah_none_loop __P((struct ah_algorithm_state *, u_int8_t *, size_t));
100 static void ah_none_result __P((struct ah_algorithm_state *,
101 u_int8_t *, size_t));
102 static int ah_keyed_md5_mature __P((struct secasvar *));
103 static int ah_keyed_md5_init __P((struct ah_algorithm_state *,
105 static void ah_keyed_md5_loop __P((struct ah_algorithm_state *, u_int8_t *,
107 static void ah_keyed_md5_result __P((struct ah_algorithm_state *,
108 u_int8_t *, size_t));
109 static int ah_keyed_sha1_init __P((struct ah_algorithm_state *,
111 static void ah_keyed_sha1_loop __P((struct ah_algorithm_state *, u_int8_t *,
113 static void ah_keyed_sha1_result __P((struct ah_algorithm_state *, u_int8_t *,
115 static int ah_hmac_md5_init __P((struct ah_algorithm_state *,
117 static void ah_hmac_md5_loop __P((struct ah_algorithm_state *, u_int8_t *,
119 static void ah_hmac_md5_result __P((struct ah_algorithm_state *,
120 u_int8_t *, size_t));
121 static int ah_hmac_sha1_init __P((struct ah_algorithm_state *,
123 static void ah_hmac_sha1_loop __P((struct ah_algorithm_state *, u_int8_t *,
125 static void ah_hmac_sha1_result __P((struct ah_algorithm_state *,
126 u_int8_t *, size_t));
127 static int ah_hmac_sha2_256_init __P((struct ah_algorithm_state *,
129 static void ah_hmac_sha2_256_loop __P((struct ah_algorithm_state *, u_int8_t *,
131 static void ah_hmac_sha2_256_result __P((struct ah_algorithm_state *,
132 u_int8_t *, size_t));
133 static int ah_hmac_sha2_384_init __P((struct ah_algorithm_state *,
135 static void ah_hmac_sha2_384_loop __P((struct ah_algorithm_state *, u_int8_t *,
137 static void ah_hmac_sha2_384_result __P((struct ah_algorithm_state *,
138 u_int8_t *, size_t));
139 static int ah_hmac_sha2_512_init __P((struct ah_algorithm_state *,
141 static void ah_hmac_sha2_512_loop __P((struct ah_algorithm_state *, u_int8_t *,
143 static void ah_hmac_sha2_512_result __P((struct ah_algorithm_state *,
144 u_int8_t *, size_t));
145 static int ah_hmac_ripemd160_init __P((struct ah_algorithm_state *,
147 static void ah_hmac_ripemd160_loop __P((struct ah_algorithm_state *, u_int8_t *,
149 static void ah_hmac_ripemd160_result __P((struct ah_algorithm_state *,
150 u_int8_t *, size_t));
152 static void ah_update_mbuf __P((struct mbuf *, int, int,
153 const struct ah_algorithm *, struct ah_algorithm_state *));
155 /* checksum algorithms */
156 static const struct ah_algorithm ah_algorithms[] = {
157 { ah_sumsiz_1216, ah_common_mature, 128, 128, "hmac-md5",
158 ah_hmac_md5_init, ah_hmac_md5_loop,
159 ah_hmac_md5_result, },
160 { ah_sumsiz_1216, ah_common_mature, 160, 160, "hmac-sha1",
161 ah_hmac_sha1_init, ah_hmac_sha1_loop,
162 ah_hmac_sha1_result, },
163 { ah_sumsiz_1216, ah_keyed_md5_mature, 128, 128, "keyed-md5",
164 ah_keyed_md5_init, ah_keyed_md5_loop,
165 ah_keyed_md5_result, },
166 { ah_sumsiz_1216, ah_common_mature, 160, 160, "keyed-sha1",
167 ah_keyed_sha1_init, ah_keyed_sha1_loop,
168 ah_keyed_sha1_result, },
169 { ah_sumsiz_zero, ah_none_mature, 0, 2048, "none",
170 ah_none_init, ah_none_loop, ah_none_result, },
171 { ah_sumsiz_1216, ah_common_mature, 256, 256,
173 ah_hmac_sha2_256_init, ah_hmac_sha2_256_loop,
174 ah_hmac_sha2_256_result, },
175 { ah_sumsiz_1216, ah_common_mature, 384, 384,
177 ah_hmac_sha2_384_init, ah_hmac_sha2_384_loop,
178 ah_hmac_sha2_384_result, },
179 { ah_sumsiz_1216, ah_common_mature, 512, 512,
181 ah_hmac_sha2_512_init, ah_hmac_sha2_512_loop,
182 ah_hmac_sha2_512_result, },
183 { ah_sumsiz_1216, ah_common_mature, 160, 160,
185 ah_hmac_ripemd160_init, ah_hmac_ripemd160_loop,
186 ah_hmac_ripemd160_result, },
187 { ah_sumsiz_1216, ah_common_mature, 128, 128,
189 ah_aes_xcbc_mac_init, ah_aes_xcbc_mac_loop,
190 ah_aes_xcbc_mac_result, },
191 { ah_sumsiz_1216, ah_none_mature, 8, 640, /* bits (RFC 2385) */
193 ah_none_init, ah_none_loop,
197 const struct ah_algorithm *
198 ah_algorithm_lookup(idx)
203 case SADB_AALG_MD5HMAC:
204 return &ah_algorithms[0];
205 case SADB_AALG_SHA1HMAC:
206 return &ah_algorithms[1];
207 case SADB_X_AALG_MD5:
208 return &ah_algorithms[2];
209 case SADB_X_AALG_SHA:
210 return &ah_algorithms[3];
211 case SADB_X_AALG_NULL:
212 return &ah_algorithms[4];
213 case SADB_X_AALG_SHA2_256:
214 return &ah_algorithms[5];
215 case SADB_X_AALG_SHA2_384:
216 return &ah_algorithms[6];
217 case SADB_X_AALG_SHA2_512:
218 return &ah_algorithms[7];
219 case SADB_X_AALG_RIPEMD160HMAC:
220 return &ah_algorithms[8];
221 case SADB_X_AALG_AES_XCBC_MAC:
222 return &ah_algorithms[9];
223 case SADB_X_AALG_TCP_MD5:
224 return &ah_algorithms[10];
233 struct secasvar *sav;
236 panic("ah_sumsiz_1216: null pointer is passed");
237 if (sav->flags & SADB_X_EXT_OLD)
245 struct secasvar *sav;
248 panic("ah_sumsiz_zero: null pointer is passed");
253 ah_common_mature(sav)
254 struct secasvar *sav;
256 const struct ah_algorithm *algo;
258 if (!sav->key_auth) {
259 ipseclog((LOG_ERR, "ah_common_mature: no key is given.\n"));
263 algo = ah_algorithm_lookup(sav->alg_auth);
265 ipseclog((LOG_ERR, "ah_common_mature: unsupported algorithm.\n"));
269 if (sav->key_auth->sadb_key_bits < algo->keymin ||
270 algo->keymax < sav->key_auth->sadb_key_bits) {
272 "ah_common_mature: invalid key length %d for %s.\n",
273 sav->key_auth->sadb_key_bits, algo->name));
282 struct secasvar *sav;
284 if (sav->sah->saidx.proto == IPPROTO_AH) {
286 "ah_none_mature: protocol and algorithm mismatch.\n"));
293 ah_none_init(state, sav)
294 struct ah_algorithm_state *state;
295 struct secasvar *sav;
302 ah_none_loop(state, addr, len)
303 struct ah_algorithm_state *state;
310 ah_none_result(state, addr, l)
311 struct ah_algorithm_state *state;
318 ah_keyed_md5_mature(sav)
319 struct secasvar *sav;
321 /* anything is okay */
326 ah_keyed_md5_init(state, sav)
327 struct ah_algorithm_state *state;
328 struct secasvar *sav;
335 panic("ah_keyed_md5_init: what?");
338 state->foo = (void *)malloc(sizeof(MD5_CTX), M_TEMP, M_NOWAIT);
339 if (state->foo == NULL)
342 MD5Init((MD5_CTX *)state->foo);
344 MD5Update((MD5_CTX *)state->foo,
345 (u_int8_t *)_KEYBUF(state->sav->key_auth),
346 (u_int)_KEYLEN(state->sav->key_auth));
350 * We cannot simply use md5_pad() since the function
351 * won't update the total length.
353 if (_KEYLEN(state->sav->key_auth) < 56)
354 padlen = 64 - 8 - _KEYLEN(state->sav->key_auth);
356 padlen = 64 + 64 - 8 - _KEYLEN(state->sav->key_auth);
357 keybitlen = _KEYLEN(state->sav->key_auth);
361 MD5Update((MD5_CTX *)state->foo, &buf[0], 1);
364 bzero(buf, sizeof(buf));
365 while (sizeof(buf) < padlen) {
366 MD5Update((MD5_CTX *)state->foo, &buf[0], sizeof(buf));
367 padlen -= sizeof(buf);
370 MD5Update((MD5_CTX *)state->foo, &buf[0], padlen);
373 buf[0] = (keybitlen >> 0) & 0xff;
374 buf[1] = (keybitlen >> 8) & 0xff;
375 buf[2] = (keybitlen >> 16) & 0xff;
376 buf[3] = (keybitlen >> 24) & 0xff;
377 MD5Update((MD5_CTX *)state->foo, buf, 8);
384 ah_keyed_md5_loop(state, addr, len)
385 struct ah_algorithm_state *state;
390 panic("ah_keyed_md5_loop: what?");
392 MD5Update((MD5_CTX *)state->foo, addr, len);
396 ah_keyed_md5_result(state, addr, l)
397 struct ah_algorithm_state *state;
401 u_char digest[MD5_RESULTLEN];
404 panic("ah_keyed_md5_result: what?");
407 MD5Update((MD5_CTX *)state->foo,
408 (u_int8_t *)_KEYBUF(state->sav->key_auth),
409 (u_int)_KEYLEN(state->sav->key_auth));
411 MD5Final(digest, (MD5_CTX *)state->foo);
412 free(state->foo, M_TEMP);
413 bcopy(digest, addr, sizeof(digest) > l ? l : sizeof(digest));
417 ah_keyed_sha1_init(state, sav)
418 struct ah_algorithm_state *state;
419 struct secasvar *sav;
427 panic("ah_keyed_sha1_init: what?");
430 state->foo = (void *)malloc(sizeof(SHA1_CTX), M_TEMP, M_NOWAIT);
434 ctxt = (SHA1_CTX *)state->foo;
438 SHA1Update(ctxt, (u_int8_t *)_KEYBUF(state->sav->key_auth),
439 (u_int)_KEYLEN(state->sav->key_auth));
444 if (_KEYLEN(state->sav->key_auth) < 56)
445 padlen = 64 - 8 - _KEYLEN(state->sav->key_auth);
447 padlen = 64 + 64 - 8 - _KEYLEN(state->sav->key_auth);
448 keybitlen = _KEYLEN(state->sav->key_auth);
452 SHA1Update(ctxt, &buf[0], 1);
455 bzero(buf, sizeof(buf));
456 while (sizeof(buf) < padlen) {
457 SHA1Update(ctxt, &buf[0], sizeof(buf));
458 padlen -= sizeof(buf);
461 SHA1Update(ctxt, &buf[0], padlen);
464 buf[0] = (keybitlen >> 0) & 0xff;
465 buf[1] = (keybitlen >> 8) & 0xff;
466 buf[2] = (keybitlen >> 16) & 0xff;
467 buf[3] = (keybitlen >> 24) & 0xff;
468 SHA1Update(ctxt, buf, 8);
475 ah_keyed_sha1_loop(state, addr, len)
476 struct ah_algorithm_state *state;
482 if (!state || !state->foo)
483 panic("ah_keyed_sha1_loop: what?");
484 ctxt = (SHA1_CTX *)state->foo;
486 SHA1Update(ctxt, (u_int8_t *)addr, (size_t)len);
490 ah_keyed_sha1_result(state, addr, l)
491 struct ah_algorithm_state *state;
495 u_char digest[SHA1_RESULTLEN]; /* SHA-1 generates 160 bits */
498 if (!state || !state->foo)
499 panic("ah_keyed_sha1_result: what?");
500 ctxt = (SHA1_CTX *)state->foo;
503 SHA1Update(ctxt, (u_int8_t *)_KEYBUF(state->sav->key_auth),
504 (u_int)_KEYLEN(state->sav->key_auth));
506 SHA1Final((u_int8_t *)digest, ctxt);
507 bcopy(digest, addr, sizeof(digest) > l ? l : sizeof(digest));
509 free(state->foo, M_TEMP);
513 ah_hmac_md5_init(state, sav)
514 struct ah_algorithm_state *state;
515 struct secasvar *sav;
519 u_char tk[MD5_RESULTLEN];
526 panic("ah_hmac_md5_init: what?");
529 state->foo = (void *)malloc(64 + 64 + sizeof(MD5_CTX), M_TEMP, M_NOWAIT);
533 ipad = (u_char *)state->foo;
534 opad = (u_char *)(ipad + 64);
535 ctxt = (MD5_CTX *)(opad + 64);
537 /* compress the key if necessery */
538 if (64 < _KEYLEN(state->sav->key_auth)) {
540 MD5Update(ctxt, _KEYBUF(state->sav->key_auth),
541 _KEYLEN(state->sav->key_auth));
542 MD5Final(&tk[0], ctxt);
546 key = _KEYBUF(state->sav->key_auth);
547 keylen = _KEYLEN(state->sav->key_auth);
552 bcopy(key, ipad, keylen);
553 bcopy(key, opad, keylen);
554 for (i = 0; i < 64; i++) {
560 MD5Update(ctxt, ipad, 64);
566 ah_hmac_md5_loop(state, addr, len)
567 struct ah_algorithm_state *state;
573 if (!state || !state->foo)
574 panic("ah_hmac_md5_loop: what?");
575 ctxt = (MD5_CTX *)(((u_int8_t *)state->foo) + 128);
576 MD5Update(ctxt, addr, len);
580 ah_hmac_md5_result(state, addr, l)
581 struct ah_algorithm_state *state;
585 u_char digest[MD5_RESULTLEN];
590 if (!state || !state->foo)
591 panic("ah_hmac_md5_result: what?");
593 ipad = (u_char *)state->foo;
594 opad = (u_char *)(ipad + 64);
595 ctxt = (MD5_CTX *)(opad + 64);
597 MD5Final(digest, ctxt);
600 MD5Update(ctxt, opad, 64);
601 MD5Update(ctxt, digest, sizeof(digest));
602 MD5Final(digest, ctxt);
604 bcopy(digest, addr, sizeof(digest) > l ? l : sizeof(digest));
606 free(state->foo, M_TEMP);
610 ah_hmac_sha1_init(state, sav)
611 struct ah_algorithm_state *state;
612 struct secasvar *sav;
617 u_char tk[SHA1_RESULTLEN]; /* SHA-1 generates 160 bits */
623 panic("ah_hmac_sha1_init: what?");
626 state->foo = (void *)malloc(64 + 64 + sizeof(SHA1_CTX),
631 ipad = (u_char *)state->foo;
632 opad = (u_char *)(ipad + 64);
633 ctxt = (SHA1_CTX *)(opad + 64);
635 /* compress the key if necessery */
636 if (64 < _KEYLEN(state->sav->key_auth)) {
638 SHA1Update(ctxt, _KEYBUF(state->sav->key_auth),
639 _KEYLEN(state->sav->key_auth));
640 SHA1Final(&tk[0], ctxt);
642 keylen = SHA1_RESULTLEN;
644 key = _KEYBUF(state->sav->key_auth);
645 keylen = _KEYLEN(state->sav->key_auth);
650 bcopy(key, ipad, keylen);
651 bcopy(key, opad, keylen);
652 for (i = 0; i < 64; i++) {
658 SHA1Update(ctxt, ipad, 64);
664 ah_hmac_sha1_loop(state, addr, len)
665 struct ah_algorithm_state *state;
671 if (!state || !state->foo)
672 panic("ah_hmac_sha1_loop: what?");
674 ctxt = (SHA1_CTX *)(((u_char *)state->foo) + 128);
675 SHA1Update(ctxt, (u_int8_t *)addr, (size_t)len);
679 ah_hmac_sha1_result(state, addr, l)
680 struct ah_algorithm_state *state;
684 u_char digest[SHA1_RESULTLEN]; /* SHA-1 generates 160 bits */
689 if (!state || !state->foo)
690 panic("ah_hmac_sha1_result: what?");
692 ipad = (u_char *)state->foo;
693 opad = (u_char *)(ipad + 64);
694 ctxt = (SHA1_CTX *)(opad + 64);
696 SHA1Final((u_int8_t *)digest, ctxt);
699 SHA1Update(ctxt, opad, 64);
700 SHA1Update(ctxt, (u_int8_t *)digest, sizeof(digest));
701 SHA1Final((u_int8_t *)digest, ctxt);
703 bcopy(digest, addr, sizeof(digest) > l ? l : sizeof(digest));
705 free(state->foo, M_TEMP);
709 ah_hmac_sha2_256_init(state, sav)
710 struct ah_algorithm_state *state;
711 struct secasvar *sav;
716 u_char tk[SHA256_DIGEST_LENGTH];
722 panic("ah_hmac_sha2_256_init: what?");
725 state->foo = (void *)malloc(64 + 64 + sizeof(SHA256_CTX),
730 ipad = (u_char *)state->foo;
731 opad = (u_char *)(ipad + 64);
732 ctxt = (SHA256_CTX *)(opad + 64);
734 /* compress the key if necessery */
735 if (64 < _KEYLEN(state->sav->key_auth)) {
736 bzero(tk, sizeof(tk));
737 bzero(ctxt, sizeof(*ctxt));
739 SHA256_Update(ctxt, _KEYBUF(state->sav->key_auth),
740 _KEYLEN(state->sav->key_auth));
741 SHA256_Final(&tk[0], ctxt);
743 keylen = sizeof(tk) < 64 ? sizeof(tk) : 64;
745 key = _KEYBUF(state->sav->key_auth);
746 keylen = _KEYLEN(state->sav->key_auth);
751 bcopy(key, ipad, keylen);
752 bcopy(key, opad, keylen);
753 for (i = 0; i < 64; i++) {
758 bzero(ctxt, sizeof(*ctxt));
760 SHA256_Update(ctxt, ipad, 64);
766 ah_hmac_sha2_256_loop(state, addr, len)
767 struct ah_algorithm_state *state;
773 if (!state || !state->foo)
774 panic("ah_hmac_sha2_256_loop: what?");
776 ctxt = (SHA256_CTX *)(((u_char *)state->foo) + 128);
777 SHA256_Update(ctxt, (caddr_t)addr, (size_t)len);
781 ah_hmac_sha2_256_result(state, addr, l)
782 struct ah_algorithm_state *state;
786 u_char digest[SHA256_DIGEST_LENGTH];
791 if (!state || !state->foo)
792 panic("ah_hmac_sha2_256_result: what?");
794 ipad = (u_char *)state->foo;
795 opad = (u_char *)(ipad + 64);
796 ctxt = (SHA256_CTX *)(opad + 64);
798 SHA256_Final((caddr_t)digest, ctxt);
800 bzero(ctxt, sizeof(*ctxt));
802 SHA256_Update(ctxt, opad, 64);
803 SHA256_Update(ctxt, (caddr_t)digest, sizeof(digest));
804 SHA256_Final((caddr_t)digest, ctxt);
806 bcopy(digest, addr, sizeof(digest) > l ? l : sizeof(digest));
808 free(state->foo, M_TEMP);
812 ah_hmac_sha2_384_init(state, sav)
813 struct ah_algorithm_state *state;
814 struct secasvar *sav;
819 u_char tk[SHA384_DIGEST_LENGTH];
825 panic("ah_hmac_sha2_384_init: what?");
828 state->foo = (void *)malloc(64 + 64 + sizeof(SHA384_CTX),
832 bzero(state->foo, 64 + 64 + sizeof(SHA384_CTX));
834 ipad = (u_char *)state->foo;
835 opad = (u_char *)(ipad + 64);
836 ctxt = (SHA384_CTX *)(opad + 64);
838 /* compress the key if necessery */
839 if (64 < _KEYLEN(state->sav->key_auth)) {
840 bzero(tk, sizeof(tk));
841 bzero(ctxt, sizeof(*ctxt));
843 SHA384_Update(ctxt, _KEYBUF(state->sav->key_auth),
844 _KEYLEN(state->sav->key_auth));
845 SHA384_Final(&tk[0], ctxt);
847 keylen = sizeof(tk) < 64 ? sizeof(tk) : 64;
849 key = _KEYBUF(state->sav->key_auth);
850 keylen = _KEYLEN(state->sav->key_auth);
855 bcopy(key, ipad, keylen);
856 bcopy(key, opad, keylen);
857 for (i = 0; i < 64; i++) {
862 bzero(ctxt, sizeof(*ctxt));
864 SHA384_Update(ctxt, ipad, 64);
870 ah_hmac_sha2_384_loop(state, addr, len)
871 struct ah_algorithm_state *state;
877 if (!state || !state->foo)
878 panic("ah_hmac_sha2_384_loop: what?");
880 ctxt = (SHA384_CTX *)(((u_char *)state->foo) + 128);
881 SHA384_Update(ctxt, (caddr_t)addr, (size_t)len);
885 ah_hmac_sha2_384_result(state, addr, l)
886 struct ah_algorithm_state *state;
890 u_char digest[SHA384_DIGEST_LENGTH];
895 if (!state || !state->foo)
896 panic("ah_hmac_sha2_384_result: what?");
898 ipad = (u_char *)state->foo;
899 opad = (u_char *)(ipad + 64);
900 ctxt = (SHA384_CTX *)(opad + 64);
902 SHA384_Final((caddr_t)digest, ctxt);
904 bzero(ctxt, sizeof(*ctxt));
906 SHA384_Update(ctxt, opad, 64);
907 SHA384_Update(ctxt, (caddr_t)digest, sizeof(digest));
908 SHA384_Final((caddr_t)digest, ctxt);
910 bcopy(digest, addr, sizeof(digest) > l ? l : sizeof(digest));
912 free(state->foo, M_TEMP);
916 ah_hmac_sha2_512_init(state, sav)
917 struct ah_algorithm_state *state;
918 struct secasvar *sav;
923 u_char tk[SHA512_DIGEST_LENGTH];
929 panic("ah_hmac_sha2_512_init: what?");
932 state->foo = (void *)malloc(64 + 64 + sizeof(SHA512_CTX),
936 bzero(state->foo, 64 + 64 + sizeof(SHA512_CTX));
938 ipad = (u_char *)state->foo;
939 opad = (u_char *)(ipad + 64);
940 ctxt = (SHA512_CTX *)(opad + 64);
942 /* compress the key if necessery */
943 if (64 < _KEYLEN(state->sav->key_auth)) {
944 bzero(tk, sizeof(tk));
945 bzero(ctxt, sizeof(*ctxt));
947 SHA512_Update(ctxt, _KEYBUF(state->sav->key_auth),
948 _KEYLEN(state->sav->key_auth));
949 SHA512_Final(&tk[0], ctxt);
951 keylen = sizeof(tk) < 64 ? sizeof(tk) : 64;
953 key = _KEYBUF(state->sav->key_auth);
954 keylen = _KEYLEN(state->sav->key_auth);
959 bcopy(key, ipad, keylen);
960 bcopy(key, opad, keylen);
961 for (i = 0; i < 64; i++) {
966 bzero(ctxt, sizeof(*ctxt));
968 SHA512_Update(ctxt, ipad, 64);
974 ah_hmac_sha2_512_loop(state, addr, len)
975 struct ah_algorithm_state *state;
981 if (!state || !state->foo)
982 panic("ah_hmac_sha2_512_loop: what?");
984 ctxt = (SHA512_CTX *)(((u_char *)state->foo) + 128);
985 SHA512_Update(ctxt, (caddr_t)addr, (size_t)len);
989 ah_hmac_sha2_512_result(state, addr, l)
990 struct ah_algorithm_state *state;
994 u_char digest[SHA512_DIGEST_LENGTH];
999 if (!state || !state->foo)
1000 panic("ah_hmac_sha2_512_result: what?");
1002 ipad = (u_char *)state->foo;
1003 opad = (u_char *)(ipad + 64);
1004 ctxt = (SHA512_CTX *)(opad + 64);
1006 SHA512_Final((caddr_t)digest, ctxt);
1008 bzero(ctxt, sizeof(*ctxt));
1010 SHA512_Update(ctxt, opad, 64);
1011 SHA512_Update(ctxt, (caddr_t)digest, sizeof(digest));
1012 SHA512_Final((caddr_t)digest, ctxt);
1014 bcopy(digest, addr, sizeof(digest) > l ? l : sizeof(digest));
1016 free(state->foo, M_TEMP);
1020 ah_hmac_ripemd160_init(state, sav)
1021 struct ah_algorithm_state *state;
1022 struct secasvar *sav;
1027 u_char tk[RIPEMD160_RESULTLEN];
1033 panic("ah_hmac_ripemd160_init: what?");
1036 state->foo = (void *)malloc(64 + 64 + sizeof(RMD160_CTX),
1040 bzero(state->foo, 64 + 64 + sizeof(RMD160_CTX));
1042 ipad = (u_char *)state->foo;
1043 opad = (u_char *)(ipad + 64);
1044 ctxt = (RMD160_CTX *)(opad + 64);
1046 /* compress the key if necessery */
1047 if (64 < _KEYLEN(state->sav->key_auth)) {
1048 bzero(tk, sizeof(tk));
1049 bzero(ctxt, sizeof(*ctxt));
1051 RMD160Update(ctxt, _KEYBUF(state->sav->key_auth),
1052 _KEYLEN(state->sav->key_auth));
1053 RMD160Final(&tk[0], ctxt);
1055 keylen = sizeof(tk) < 64 ? sizeof(tk) : 64;
1057 key = _KEYBUF(state->sav->key_auth);
1058 keylen = _KEYLEN(state->sav->key_auth);
1063 bcopy(key, ipad, keylen);
1064 bcopy(key, opad, keylen);
1065 for (i = 0; i < 64; i++) {
1070 bzero(ctxt, sizeof(*ctxt));
1072 RMD160Update(ctxt, ipad, 64);
1078 ah_hmac_ripemd160_loop(state, addr, len)
1079 struct ah_algorithm_state *state;
1085 if (!state || !state->foo)
1086 panic("ah_hmac_ripemd160_loop: what?");
1088 ctxt = (RMD160_CTX *)(((u_char *)state->foo) + 128);
1089 RMD160Update(ctxt, (caddr_t)addr, (size_t)len);
1093 ah_hmac_ripemd160_result(state, addr, l)
1094 struct ah_algorithm_state *state;
1098 u_char digest[RIPEMD160_RESULTLEN];
1103 if (!state || !state->foo)
1104 panic("ah_hmac_ripemd160_result: what?");
1106 ipad = (u_char *)state->foo;
1107 opad = (u_char *)(ipad + 64);
1108 ctxt = (RMD160_CTX *)(opad + 64);
1110 RMD160Final((caddr_t)digest, ctxt);
1112 bzero(ctxt, sizeof(*ctxt));
1114 RMD160Update(ctxt, opad, 64);
1115 RMD160Update(ctxt, (caddr_t)digest, sizeof(digest));
1116 RMD160Final((caddr_t)digest, ctxt);
1118 bcopy(digest, addr, sizeof(digest) > l ? l : sizeof(digest));
1120 free(state->foo, M_TEMP);
1123 /*------------------------------------------------------------*/
1126 * go generate the checksum.
1129 ah_update_mbuf(m, off, len, algo, algos)
1133 const struct ah_algorithm *algo;
1134 struct ah_algorithm_state *algos;
1139 /* easy case first */
1140 if (off + len <= m->m_len) {
1141 (algo->update)(algos, mtod(m, u_int8_t *) + off, len);
1145 for (n = m; n; n = n->m_next) {
1153 panic("ah_update_mbuf: wrong offset specified");
1155 for (/* nothing */; n && len > 0; n = n->m_next) {
1158 if (n->m_len - off < len)
1159 tlen = n->m_len - off;
1163 (algo->update)(algos, mtod(n, u_int8_t *) + off, tlen);
1172 * Go generate the checksum. This function won't modify the mbuf chain
1175 * NOTE: the function does not free mbuf on failure.
1176 * Don't use m_copy(), it will try to share cluster mbuf by using refcnt.
1179 ah4_calccksum(m, ahdat, len, algo, sav)
1183 const struct ah_algorithm *algo;
1184 struct secasvar *sav;
1188 size_t advancewidth;
1189 struct ah_algorithm_state algos;
1190 u_char sumbuf[AH_MAXSUMSIZE];
1193 struct mbuf *n = NULL;
1195 if ((m->m_flags & M_PKTHDR) == 0)
1199 hdrtype = -1; /* dummy, it is called IPPROTO_IP */
1203 error = (algo->init)(&algos, sav);
1207 advancewidth = 0; /* safety */
1212 case -1: /* first one only */
1215 * copy ip hdr, modify to fit the AH checksum rule,
1216 * then take a checksum.
1221 m_copydata(m, off, sizeof(iphdr), (caddr_t)&iphdr);
1223 hlen = IP_VHL_HL(iphdr.ip_vhl) << 2;
1225 hlen = iphdr.ip_hl << 2;
1228 iphdr.ip_sum = htons(0);
1229 if (ip4_ah_cleartos)
1231 iphdr.ip_off = htons(ntohs(iphdr.ip_off) & ip4_ah_offsetmask);
1232 (algo->update)(&algos, (u_int8_t *)&iphdr, sizeof(struct ip));
1234 if (hlen != sizeof(struct ip)) {
1238 if (hlen > MCLBYTES) {
1242 MGET(n, M_DONTWAIT, MT_DATA);
1243 if (n && hlen > MLEN) {
1244 MCLGET(n, M_DONTWAIT);
1245 if ((n->m_flags & M_EXT) == 0) {
1254 m_copydata(m, off, hlen, mtod(n, caddr_t));
1257 * IP options processing.
1258 * See RFC2402 appendix A.
1260 p = mtod(n, u_char *);
1261 i = sizeof(struct ip);
1263 if (i + IPOPT_OPTVAL >= hlen) {
1264 ipseclog((LOG_ERR, "ah4_calccksum: "
1265 "invalid IP option\n"));
1269 if (p[i + IPOPT_OPTVAL] == IPOPT_EOL ||
1270 p[i + IPOPT_OPTVAL] == IPOPT_NOP ||
1271 i + IPOPT_OLEN < hlen)
1275 "ah4_calccksum: invalid IP option "
1277 p[i + IPOPT_OPTVAL]));
1283 switch (p[i + IPOPT_OPTVAL]) {
1289 case IPOPT_SECURITY: /* 0x82 */
1290 case 0x85: /* Extended security */
1291 case 0x86: /* Commercial security */
1292 case 0x94: /* Router alert */
1293 case 0x95: /* RFC1770 */
1294 l = p[i + IPOPT_OLEN];
1300 l = p[i + IPOPT_OLEN];
1306 if (l < 1 || hlen - i < l) {
1309 "ah4_calccksum: invalid IP option "
1310 "(type=%02x len=%02x)\n",
1311 p[i + IPOPT_OPTVAL],
1312 p[i + IPOPT_OLEN]));
1318 if (p[i + IPOPT_OPTVAL] == IPOPT_EOL)
1322 p = mtod(n, u_char *) + sizeof(struct ip);
1323 (algo->update)(&algos, p, hlen - sizeof(struct ip));
1329 hdrtype = (iphdr.ip_p) & 0xff;
1330 advancewidth = hlen;
1341 m_copydata(m, off, sizeof(ah), (caddr_t)&ah);
1342 hdrsiz = (sav->flags & SADB_X_EXT_OLD)
1344 : sizeof(struct newah);
1345 siz = (*algo->sumsiz)(sav);
1346 totlen = (ah.ah_len + 2) << 2;
1349 * special treatment is necessary for the first one, not others
1352 if (totlen > m->m_pkthdr.len - off ||
1353 totlen > MCLBYTES) {
1357 MGET(n, M_DONTWAIT, MT_DATA);
1358 if (n && totlen > MLEN) {
1359 MCLGET(n, M_DONTWAIT);
1360 if ((n->m_flags & M_EXT) == 0) {
1369 m_copydata(m, off, totlen, mtod(n, caddr_t));
1371 bzero(mtod(n, u_int8_t *) + hdrsiz, siz);
1372 (algo->update)(&algos, mtod(n, u_int8_t *), n->m_len);
1376 ah_update_mbuf(m, off, totlen, algo, &algos);
1379 hdrtype = ah.ah_nxt;
1380 advancewidth = totlen;
1385 ah_update_mbuf(m, off, m->m_pkthdr.len - off, algo, &algos);
1386 advancewidth = m->m_pkthdr.len - off;
1390 off += advancewidth;
1391 if (off < m->m_pkthdr.len)
1394 if (len < (*algo->sumsiz)(sav)) {
1399 (algo->result)(&algos, sumbuf, sizeof(sumbuf));
1400 bcopy(&sumbuf[0], ahdat, (*algo->sumsiz)(sav));
1415 * Go generate the checksum. This function won't modify the mbuf chain
1418 * NOTE: the function does not free mbuf on failure.
1419 * Don't use m_copy(), it will try to share cluster mbuf by using refcnt.
1422 ah6_calccksum(m, ahdat, len, algo, sav)
1426 const struct ah_algorithm *algo;
1427 struct secasvar *sav;
1431 struct mbuf *n = NULL;
1434 struct ah_algorithm_state algos;
1435 u_char sumbuf[AH_MAXSUMSIZE];
1437 if ((m->m_flags & M_PKTHDR) == 0)
1440 error = (algo->init)(&algos, sav);
1445 proto = IPPROTO_IPV6;
1450 newoff = ip6_nexthdr(m, off, proto, &nxt);
1452 newoff = m->m_pkthdr.len;
1453 else if (newoff <= off) {
1461 * special treatment is necessary for the first one, not others
1464 struct ip6_hdr ip6copy;
1466 if (newoff - off != sizeof(struct ip6_hdr)) {
1471 m_copydata(m, off, newoff - off, (caddr_t)&ip6copy);
1473 ip6copy.ip6_flow = 0;
1474 ip6copy.ip6_vfc &= ~IPV6_VERSION_MASK;
1475 ip6copy.ip6_vfc |= IPV6_VERSION;
1476 ip6copy.ip6_hlim = 0;
1477 in6_clearscope(&ip6copy.ip6_src); /* XXX */
1478 in6_clearscope(&ip6copy.ip6_dst); /* XXX */
1479 (algo->update)(&algos, (u_int8_t *)&ip6copy,
1480 sizeof(struct ip6_hdr));
1482 newoff = m->m_pkthdr.len;
1483 ah_update_mbuf(m, off, m->m_pkthdr.len - off, algo,
1493 hdrsiz = (sav->flags & SADB_X_EXT_OLD)
1495 : sizeof(struct newah);
1496 siz = (*algo->sumsiz)(sav);
1499 * special treatment is necessary for the first one, not others
1502 if (newoff - off > MCLBYTES) {
1506 MGET(n, M_DONTWAIT, MT_DATA);
1507 if (n && newoff - off > MLEN) {
1508 MCLGET(n, M_DONTWAIT);
1509 if ((n->m_flags & M_EXT) == 0) {
1518 m_copydata(m, off, newoff - off, mtod(n, caddr_t));
1519 n->m_len = newoff - off;
1520 bzero(mtod(n, u_int8_t *) + hdrsiz, siz);
1521 (algo->update)(&algos, mtod(n, u_int8_t *), n->m_len);
1525 ah_update_mbuf(m, off, newoff - off, algo, &algos);
1530 case IPPROTO_HOPOPTS:
1531 case IPPROTO_DSTOPTS:
1533 struct ip6_ext *ip6e;
1535 u_int8_t *p, *optend, *optp;
1537 if (newoff - off > MCLBYTES) {
1541 MGET(n, M_DONTWAIT, MT_DATA);
1542 if (n && newoff - off > MLEN) {
1543 MCLGET(n, M_DONTWAIT);
1544 if ((n->m_flags & M_EXT) == 0) {
1553 m_copydata(m, off, newoff - off, mtod(n, caddr_t));
1554 n->m_len = newoff - off;
1556 ip6e = mtod(n, struct ip6_ext *);
1557 hdrlen = (ip6e->ip6e_len + 1) << 3;
1558 if (newoff - off < hdrlen) {
1564 p = mtod(n, u_int8_t *);
1565 optend = p + hdrlen;
1568 * ICV calculation for the options header including all
1569 * options. This part is a little tricky since there are
1570 * two type of options; mutable and immutable. We try to
1571 * null-out mutable ones here.
1574 while (optp < optend) {
1575 if (optp[0] == IP6OPT_PAD1)
1578 if (optp + 2 > optend) {
1584 optlen = optp[1] + 2;
1587 if (optp + optlen > optend) {
1594 if (optp[0] & IP6OPT_MUTABLE)
1595 bzero(optp + 2, optlen - 2);
1600 (algo->update)(&algos, mtod(n, u_int8_t *), n->m_len);
1606 case IPPROTO_ROUTING:
1608 * For an input packet, we can just calculate `as is'.
1609 * For an output packet, we assume ip6_output have already
1610 * made packet how it will be received at the final
1616 ah_update_mbuf(m, off, newoff - off, algo, &algos);
1620 if (newoff < m->m_pkthdr.len) {
1626 if (len < (*algo->sumsiz)(sav)) {
1631 (algo->result)(&algos, sumbuf, sizeof(sumbuf));
1632 bcopy(&sumbuf[0], ahdat, (*algo->sumsiz)(sav));