From owner-svn-src-head@freebsd.org Fri Oct 16 11:24:14 2020 Return-Path: Delivered-To: svn-src-head@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 0EAE84317B4; Fri, 16 Oct 2020 11:24:14 +0000 (UTC) (envelope-from mw@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4CCP1T73nDz4p2K; Fri, 16 Oct 2020 11:24:13 +0000 (UTC) (envelope-from mw@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id BB78FF7DE; Fri, 16 Oct 2020 11:24:13 +0000 (UTC) (envelope-from mw@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id 09GBODZB073838; Fri, 16 Oct 2020 11:24:13 GMT (envelope-from mw@FreeBSD.org) Received: (from mw@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id 09GBOCTw073832; Fri, 16 Oct 2020 11:24:12 GMT (envelope-from mw@FreeBSD.org) Message-Id: <202010161124.09GBOCTw073832@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: mw set sender to mw@FreeBSD.org using -f From: Marcin Wojtas Date: Fri, 16 Oct 2020 11:24:12 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r366757 - head/sys/netipsec X-SVN-Group: head X-SVN-Commit-Author: mw X-SVN-Commit-Paths: head/sys/netipsec X-SVN-Commit-Revision: 366757 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-head@freebsd.org X-Mailman-Version: 2.1.33 Precedence: list List-Id: SVN commit messages for the src tree for head/-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 16 Oct 2020 11:24:14 -0000 Author: mw Date: Fri Oct 16 11:24:12 2020 New Revision: 366757 URL: https://svnweb.freebsd.org/changeset/base/366757 Log: Implement anti-replay algorithm with ESN support As RFC 4304 describes there is anti-replay algorithm responsibility to provide appropriate value of Extended Sequence Number. This patch introduces anti-replay algorithm with ESN support based on RFC 4304, however to avoid performance regressions window implementation was based on RFC 6479, which was already implemented in FreeBSD. To keep things clean and improve code readability, implementation of window is kept in seperate functions. Submitted by: Grzegorz Jaszczyk Patryk Duda Reviewed by: jhb Differential revision: https://reviews.freebsd.org/D22367 Obtained from: Semihalf Sponsored by: Stormshield Modified: head/sys/netipsec/ipsec.c head/sys/netipsec/ipsec.h head/sys/netipsec/key_debug.c head/sys/netipsec/keydb.h head/sys/netipsec/xform_ah.c head/sys/netipsec/xform_esp.c Modified: head/sys/netipsec/ipsec.c ============================================================================== --- head/sys/netipsec/ipsec.c Fri Oct 16 11:23:30 2020 (r366756) +++ head/sys/netipsec/ipsec.c Fri Oct 16 11:24:12 2020 (r366757) @@ -1173,7 +1173,67 @@ ipsec_hdrsiz_inpcb(struct inpcb *inp) return (sz); } + +#define IPSEC_BITMAP_INDEX_MASK(w) (w - 1) +#define IPSEC_REDUNDANT_BIT_SHIFTS 5 +#define IPSEC_REDUNDANT_BITS (1 << IPSEC_REDUNDANT_BIT_SHIFTS) +#define IPSEC_BITMAP_LOC_MASK (IPSEC_REDUNDANT_BITS - 1) + /* + * Functions below are responsible for checking and updating bitmap. + * These are used to separate ipsec_chkreplay() and ipsec_updatereplay() + * from window implementation + * + * Based on RFC 6479. Blocks are 32 bits unsigned integers + */ + +static inline int +check_window(const struct secreplay *replay, uint64_t seq) +{ + int index, bit_location; + + bit_location = seq & IPSEC_BITMAP_LOC_MASK; + index = (seq >> IPSEC_REDUNDANT_BIT_SHIFTS) + & IPSEC_BITMAP_INDEX_MASK(replay->bitmap_size); + + /* This packet already seen? */ + return ((replay->bitmap)[index] & (1 << bit_location)); +} + +static inline void +advance_window(const struct secreplay *replay, uint64_t seq) +{ + int i; + uint64_t index, index_cur, diff; + + index_cur = replay->last >> IPSEC_REDUNDANT_BIT_SHIFTS; + index = seq >> IPSEC_REDUNDANT_BIT_SHIFTS; + diff = index - index_cur; + + if (diff > replay->bitmap_size) { + /* something unusual in this case */ + diff = replay->bitmap_size; + } + + for (i = 0; i < diff; i++) { + replay->bitmap[(i + index_cur + 1) + & IPSEC_BITMAP_INDEX_MASK(replay->bitmap_size)] = 0; + } +} + +static inline void +set_window(const struct secreplay *replay, uint64_t seq) +{ + int index, bit_location; + + bit_location = seq & IPSEC_BITMAP_LOC_MASK; + index = (seq >> IPSEC_REDUNDANT_BIT_SHIFTS) + & IPSEC_BITMAP_INDEX_MASK(replay->bitmap_size); + + replay->bitmap[index] |= (1 << bit_location); +} + +/* * Check the variable replay window. * ipsec_chkreplay() performs replay check before ICV verification. * ipsec_updatereplay() updates replay bitmap. This must be called after @@ -1181,20 +1241,17 @@ ipsec_hdrsiz_inpcb(struct inpcb *inp) * beforehand). * 0 (zero) is returned if packet disallowed, 1 if packet permitted. * - * Based on RFC 6479. Blocks are 32 bits unsigned integers + * Based on RFC 4303 */ -#define IPSEC_BITMAP_INDEX_MASK(w) (w - 1) -#define IPSEC_REDUNDANT_BIT_SHIFTS 5 -#define IPSEC_REDUNDANT_BITS (1 << IPSEC_REDUNDANT_BIT_SHIFTS) -#define IPSEC_BITMAP_LOC_MASK (IPSEC_REDUNDANT_BITS - 1) - int -ipsec_chkreplay(uint32_t seq, struct secasvar *sav) +ipsec_chkreplay(uint32_t seq, uint32_t *seqhigh, struct secasvar *sav) { - const struct secreplay *replay; - uint32_t wsizeb; /* Constant: window size. */ - int index, bit_location; + char buf[128]; + struct secreplay *replay; + uint32_t window; + uint32_t tl, th, bl; + uint32_t seqh; IPSEC_ASSERT(sav != NULL, ("Null SA")); IPSEC_ASSERT(sav->replay != NULL, ("Null replay state")); @@ -1205,36 +1262,96 @@ ipsec_chkreplay(uint32_t seq, struct secasvar *sav) if (replay->wsize == 0) return (1); - /* Constant. */ - wsizeb = replay->wsize << 3; - - /* Sequence number of 0 is invalid. */ - if (seq == 0) + /* Zero sequence number is not allowed. */ + if (seq == 0 && replay->last == 0) return (0); - /* First time is always okay. */ - if (replay->count == 0) - return (1); + window = replay->wsize << 3; /* Size of window */ + tl = (uint32_t)replay->last; /* Top of window, lower part */ + th = (uint32_t)(replay->last >> 32); /* Top of window, high part */ + bl = tl - window + 1; /* Bottom of window, lower part */ - /* Larger sequences are okay. */ - if (seq > replay->lastseq) + /* + * We keep the high part intact when: + * 1) the seq is within [bl, 0xffffffff] and the whole window is + * within one subspace; + * 2) the seq is within [0, bl) and window spans two subspaces. + */ + if ((tl >= window - 1 && seq >= bl) || + (tl < window - 1 && seq < bl)) { + *seqhigh = th; + if (seq <= tl) { + /* Sequence number inside window - check against replay */ + if (check_window(replay, seq)) + return (0); + } + + /* Sequence number above top of window or not found in bitmap */ return (1); + } - /* Over range to check, i.e. too old or wrapped. */ - if (replay->lastseq - seq >= wsizeb) - return (0); + /* + * If ESN is not enabled and packet with highest sequence number + * was received we should report overflow + */ + if (tl == 0xffffffff && !(sav->flags & SADB_X_SAFLAGS_ESN)) { + /* Set overflow flag. */ + replay->overflow++; - /* The sequence is inside the sliding window - * now check the bit in the bitmap - * bit location only depends on the sequence number + if ((sav->flags & SADB_X_EXT_CYCSEQ) == 0) { + if (sav->sah->saidx.proto == IPPROTO_ESP) + ESPSTAT_INC(esps_wrap); + else if (sav->sah->saidx.proto == IPPROTO_AH) + AHSTAT_INC(ahs_wrap); + return (0); + } + + ipseclog((LOG_WARNING, "%s: replay counter made %d cycle. %s\n", + __func__, replay->overflow, + ipsec_sa2str(sav, buf, sizeof(buf)))); + } + + /* + * Seq is within [bl, 0xffffffff] and bl is within + * [0xffffffff-window, 0xffffffff]. This means we got a seq + * which is within our replay window, but in the previous + * subspace. */ - bit_location = seq & IPSEC_BITMAP_LOC_MASK; - index = (seq >> IPSEC_REDUNDANT_BIT_SHIFTS) - & IPSEC_BITMAP_INDEX_MASK(replay->bitmap_size); + if (tl < window - 1 && seq >= bl) { + if (th == 0) + return (0); + *seqhigh = th - 1; + seqh = th - 1; + if (check_window(replay, seq)) + return (0); + return (1); + } - /* This packet already seen? */ - if ((replay->bitmap)[index] & (1 << bit_location)) - return (0); + /* + * Seq is within [0, bl) but the whole window is within one subspace. + * This means that seq has wrapped and is in next subspace + */ + *seqhigh = th + 1; + seqh = th + 1; + + /* Don't let high part wrap. */ + if (seqh == 0) { + /* Set overflow flag. */ + replay->overflow++; + + if ((sav->flags & SADB_X_EXT_CYCSEQ) == 0) { + if (sav->sah->saidx.proto == IPPROTO_ESP) + ESPSTAT_INC(esps_wrap); + else if (sav->sah->saidx.proto == IPPROTO_AH) + AHSTAT_INC(ahs_wrap); + return (0); + } + + ipseclog((LOG_WARNING, "%s: replay counter made %d cycle. %s\n", + __func__, replay->overflow, + ipsec_sa2str(sav, buf, sizeof(buf)))); + } + return (1); } @@ -1246,84 +1363,90 @@ ipsec_chkreplay(uint32_t seq, struct secasvar *sav) int ipsec_updatereplay(uint32_t seq, struct secasvar *sav) { - char buf[128]; struct secreplay *replay; - uint32_t wsizeb; /* Constant: window size. */ - int diff, index, bit_location; + uint32_t window; + uint32_t tl, th, bl; + uint32_t seqh; IPSEC_ASSERT(sav != NULL, ("Null SA")); IPSEC_ASSERT(sav->replay != NULL, ("Null replay state")); replay = sav->replay; + /* No need to check replay if disabled. */ if (replay->wsize == 0) - goto ok; /* No need to check replay. */ + return (0); - /* Constant. */ - wsizeb = replay->wsize << 3; - - /* Sequence number of 0 is invalid. */ - if (seq == 0) + /* Zero sequence number is not allowed. */ + if (seq == 0 && replay->last == 0) return (1); - /* The packet is too old, no need to update */ - if (wsizeb + seq < replay->lastseq) - goto ok; + window = replay->wsize << 3; /* Size of window */ + tl = (uint32_t)replay->last; /* Top of window, lower part */ + th = (uint32_t)(replay->last >> 32); /* Top of window, high part */ + bl = tl - window + 1; /* Bottom of window, lower part */ - /* Now update the bit */ - index = (seq >> IPSEC_REDUNDANT_BIT_SHIFTS); - - /* First check if the sequence number is in the range */ - if (seq > replay->lastseq) { - int id; - int index_cur = replay->lastseq >> IPSEC_REDUNDANT_BIT_SHIFTS; - - diff = index - index_cur; - if (diff > replay->bitmap_size) { - /* something unusual in this case */ - diff = replay->bitmap_size; + /* + * We keep the high part intact when: + * 1) the seq is within [bl, 0xffffffff] and the whole window is + * within one subspace; + * 2) the seq is within [0, bl) and window spans two subspaces. + */ + if ((tl >= window - 1 && seq >= bl) || + (tl < window - 1 && seq < bl)) { + seqh = th; + if (seq <= tl) { + /* Sequence number inside window - check against replay */ + if (check_window(replay, seq)) + return (1); + set_window(replay, seq); + } else { + advance_window(replay, ((uint64_t)seqh << 32) | seq); + set_window(replay, seq); + replay->last = ((uint64_t)seqh << 32) | seq; } - for (id = 0; id < diff; ++id) { - replay->bitmap[(id + index_cur + 1) - & IPSEC_BITMAP_INDEX_MASK(replay->bitmap_size)] = 0; - } - - replay->lastseq = seq; + /* Sequence number above top of window or not found in bitmap */ + replay->count++; + return (0); } - index &= IPSEC_BITMAP_INDEX_MASK(replay->bitmap_size); - bit_location = seq & IPSEC_BITMAP_LOC_MASK; - - /* this packet has already been received */ - if (replay->bitmap[index] & (1 << bit_location)) + if (!(sav->flags & SADB_X_SAFLAGS_ESN)) return (1); - replay->bitmap[index] |= (1 << bit_location); - -ok: - if (replay->count == ~0) { - /* Set overflow flag. */ - replay->overflow++; - - /* Don't increment, no more packets accepted. */ - if ((sav->flags & SADB_X_EXT_CYCSEQ) == 0) { - if (sav->sah->saidx.proto == IPPROTO_AH) - AHSTAT_INC(ahs_wrap); - else if (sav->sah->saidx.proto == IPPROTO_ESP) - ESPSTAT_INC(esps_wrap); + /* + * Seq is within [bl, 0xffffffff] and bl is within + * [0xffffffff-window, 0xffffffff]. This means we got a seq + * which is within our replay window, but in the previous + * subspace. + */ + if (tl < window - 1 && seq >= bl) { + if (th == 0) return (1); - } + if (check_window(replay, seq)) + return (1); - ipseclog((LOG_WARNING, "%s: replay counter made %d cycle. %s\n", - __func__, replay->overflow, - ipsec_sa2str(sav, buf, sizeof(buf)))); + set_window(replay, seq); + replay->count++; + return (0); } + /* + * Seq is within [0, bl) but the whole window is within one subspace. + * This means that seq has wrapped and is in next subspace + */ + seqh = th + 1; + + /* Don't let high part wrap. */ + if (seqh == 0) + return (1); + + advance_window(replay, ((uint64_t)seqh << 32) | seq); + set_window(replay, seq); + replay->last = ((uint64_t)seqh << 32) | seq; replay->count++; return (0); } - int ipsec_updateid(struct secasvar *sav, crypto_session_t *new, crypto_session_t *old) Modified: head/sys/netipsec/ipsec.h ============================================================================== --- head/sys/netipsec/ipsec.h Fri Oct 16 11:23:30 2020 (r366756) +++ head/sys/netipsec/ipsec.h Fri Oct 16 11:24:12 2020 (r366757) @@ -325,7 +325,7 @@ int udp_ipsec_output(struct mbuf *, struct secasvar *) int udp_ipsec_input(struct mbuf *, int, int); int udp_ipsec_pcbctl(struct inpcb *, struct sockopt *); -int ipsec_chkreplay(uint32_t, struct secasvar *); +int ipsec_chkreplay(uint32_t, uint32_t *, struct secasvar *); int ipsec_updatereplay(uint32_t, struct secasvar *); int ipsec_updateid(struct secasvar *, crypto_session_t *, crypto_session_t *); int ipsec_initialized(void); Modified: head/sys/netipsec/key_debug.c ============================================================================== --- head/sys/netipsec/key_debug.c Fri Oct 16 11:23:30 2020 (r366756) +++ head/sys/netipsec/key_debug.c Fri Oct 16 11:24:12 2020 (r366757) @@ -809,8 +809,8 @@ kdebug_secreplay(struct secreplay *rpl) int len, l; IPSEC_ASSERT(rpl != NULL, ("null rpl")); - printf(" secreplay{ count=%u bitmap_size=%u wsize=%u seq=%u lastseq=%u", - rpl->count, rpl->bitmap_size, rpl->wsize, rpl->seq, rpl->lastseq); + printf(" secreplay{ count=%lu bitmap_size=%u wsize=%u last=%lu", + rpl->count, rpl->bitmap_size, rpl->wsize, rpl->last); if (rpl->bitmap == NULL) { printf(" }\n"); Modified: head/sys/netipsec/keydb.h ============================================================================== --- head/sys/netipsec/keydb.h Fri Oct 16 11:23:30 2020 (r366756) +++ head/sys/netipsec/keydb.h Fri Oct 16 11:24:12 2020 (r366757) @@ -202,10 +202,9 @@ struct secasvar { * (c) read only except during creation / free */ struct secreplay { - u_int32_t count; /* (m) */ + u_int64_t count; /* (m) */ u_int wsize; /* (c) window size, i.g. 4 bytes */ - u_int32_t seq; /* (m) used by sender */ - u_int32_t lastseq; /* (m) used by receiver */ + u_int64_t last; /* (m) used by receiver */ u_int32_t *bitmap; /* (m) used by receiver */ u_int bitmap_size; /* (c) size of the bitmap array */ int overflow; /* (m) overflow flag */ Modified: head/sys/netipsec/xform_ah.c ============================================================================== --- head/sys/netipsec/xform_ah.c Fri Oct 16 11:23:30 2020 (r366756) +++ head/sys/netipsec/xform_ah.c Fri Oct 16 11:24:12 2020 (r366757) @@ -534,6 +534,7 @@ ah_input(struct mbuf *m, struct secasvar *sav, int ski struct newah *ah; crypto_session_t cryptoid; int hl, rplen, authsize, ahsize, error; + uint32_t seqh; IPSEC_ASSERT(sav != NULL, ("null SA")); IPSEC_ASSERT(sav->key_auth != NULL, ("null authentication key")); @@ -557,7 +558,7 @@ ah_input(struct mbuf *m, struct secasvar *sav, int ski /* Check replay window, if applicable. */ SECASVAR_LOCK(sav); if (sav->replay != NULL && sav->replay->wsize != 0 && - ipsec_chkreplay(ntohl(ah->ah_seq), sav) == 0) { + ipsec_chkreplay(ntohl(ah->ah_seq), &seqh, sav) == 0) { SECASVAR_UNLOCK(sav); AHSTAT_INC(ahs_replay); DPRINTF(("%s: packet replay failure: %s\n", __func__, @@ -925,7 +926,9 @@ ah_output(struct mbuf *m, struct secpolicy *sp, struct /* Insert packet replay counter, as requested. */ SECASVAR_LOCK(sav); if (sav->replay) { - if (sav->replay->count == ~0 && + if ((sav->replay->count == ~0 || + (!(sav->flags & SADB_X_SAFLAGS_ESN) && + ((uint32_t)sav->replay->count) == ~0)) && (sav->flags & SADB_X_EXT_CYCSEQ) == 0) { SECASVAR_UNLOCK(sav); DPRINTF(("%s: replay counter wrapped for SA %s/%08lx\n", @@ -940,7 +943,7 @@ ah_output(struct mbuf *m, struct secpolicy *sp, struct if (!V_ipsec_replay) #endif sav->replay->count++; - ah->ah_seq = htonl(sav->replay->count); + ah->ah_seq = htonl((uint32_t)sav->replay->count); } cryptoid = sav->tdb_cryptoid; SECASVAR_UNLOCK(sav); Modified: head/sys/netipsec/xform_esp.c ============================================================================== --- head/sys/netipsec/xform_esp.c Fri Oct 16 11:23:30 2020 (r366756) +++ head/sys/netipsec/xform_esp.c Fri Oct 16 11:24:12 2020 (r366757) @@ -262,6 +262,7 @@ esp_input(struct mbuf *m, struct secasvar *sav, int sk uint8_t *ivp; crypto_session_t cryptoid; int alen, error, hlen, plen; + uint32_t seqh; IPSEC_ASSERT(sav != NULL, ("null SA")); IPSEC_ASSERT(sav->tdb_encalgxform != NULL, ("null encoding xform")); @@ -320,7 +321,7 @@ esp_input(struct mbuf *m, struct secasvar *sav, int sk */ SECASVAR_LOCK(sav); if (esph != NULL && sav->replay != NULL && sav->replay->wsize != 0) { - if (ipsec_chkreplay(ntohl(esp->esp_seq), sav) == 0) { + if (ipsec_chkreplay(ntohl(esp->esp_seq), &seqh, sav) == 0) { SECASVAR_UNLOCK(sav); DPRINTF(("%s: packet replay check for %s\n", __func__, ipsec_sa2str(sav, buf, sizeof(buf)))); @@ -740,7 +741,7 @@ esp_output(struct mbuf *m, struct secpolicy *sp, struc if (!V_ipsec_replay) #endif sav->replay->count++; - replay = htonl(sav->replay->count); + replay = htonl((uint32_t)sav->replay->count); bcopy((caddr_t) &replay, mtod(mo, caddr_t) + roff + sizeof(uint32_t), sizeof(uint32_t));