esp_chachapoly.c   [plain text]

/*
 * Copyright (c) 2017 Apple Inc. All rights reserved.
 *
 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
 *
 * This file contains Original Code and/or Modifications of Original Code
 * as defined in and that are subject to the Apple Public Source License
 * Version 2.0 (the 'License'). You may not use this file except in
 * compliance with the License. The rights granted to you under the License
 * may not be used to create, or enable the creation or redistribution of,
 * unlawful or unlicensed copies of an Apple operating system, or to
 * circumvent, violate, or enable the circumvention or violation of, any
 * terms of an Apple operating system software license agreement.
 *
 * Please obtain a copy of the License at
 * http://www.opensource.apple.com/apsl/ and read it before using this file.
 *
 * The Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
 * Please see the License for the specific language governing rights and
 * limitations under the License.
 *
 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
 */

#include <sys/param.h>
#include <sys/systm.h>
#include <sys/socket.h>
#include <sys/queue.h>
#include <sys/syslog.h>
#include <sys/errno.h>
#include <sys/mbuf.h>
#include <sys/mcache.h>
#include <mach/vm_param.h>
#include <kern/locks.h>
#include <string.h>
#include <net/if.h>
#include <net/route.h>
#include <net/net_osdep.h>
#include <netinet6/ipsec.h>
#include <netinet6/esp.h>
#include <netinet6/esp_chachapoly.h>
#include <netkey/key.h>
#include <netkey/keydb.h>
#include <corecrypto/cc.h>
#include <libkern/crypto/chacha20poly1305.h>

#define ESP_CHACHAPOLY_SALT_LEN		4
#define ESP_CHACHAPOLY_KEY_LEN		32
#define ESP_CHACHAPOLY_NONCE_LEN	12

// The minimum alignment is documented in KALLOC_LOG2_MINALIGN
// which isn't accessible from here. Current minimum is 8.
_Static_assert(_Alignof(chacha20poly1305_ctx) <= 8,
			   "Alignment guarantee is broken");

#if ((( 8 * (ESP_CHACHAPOLY_KEY_LEN + ESP_CHACHAPOLY_SALT_LEN)) != ESP_CHACHAPOLY_KEYBITS_WITH_SALT) || \
	(ESP_CHACHAPOLY_KEY_LEN != CCCHACHA20_KEY_NBYTES) || \
	(ESP_CHACHAPOLY_NONCE_LEN != CCCHACHA20POLY1305_NONCE_NBYTES))
#error "Invalid sizes"
#endif

extern lck_mtx_t *sadb_mutex;

typedef struct _esp_chachapoly_ctx {
	chacha20poly1305_ctx ccp_ctx;
	uint8_t ccp_salt[ESP_CHACHAPOLY_SALT_LEN];
	bool ccp_implicit_iv;
} esp_chachapoly_ctx_s, *esp_chachapoly_ctx_t;


#define ESP_ASSERT(_cond, _format, ...)											\
	do {																		\
		if (!(_cond)) {															\
			panic("%s:%d " _format, __FUNCTION__, __LINE__, ##__VA_ARGS__);		\
		}																		\
	} while (0)

#define ESP_CHECK_ARG(_arg) ESP_ASSERT(_arg != NULL, #_arg "is NULL")

#define _esp_log(_level, _format, ...)  \
	log(_level, "%s:%d " _format, __FUNCTION__, __LINE__, ##__VA_ARGS__)
#define esp_log_err(_format, ...) _esp_log(LOG_ERR, _format, ##__VA_ARGS__)

#define _esp_packet_log(_level, _format, ...)  \
	ipseclog((_level, "%s:%d " _format, __FUNCTION__, __LINE__, ##__VA_ARGS__))
#define esp_packet_log_err(_format, ...) _esp_packet_log(LOG_ERR, _format, ##__VA_ARGS__)

int
esp_chachapoly_mature(struct secasvar *sav)
{
	const struct esp_algorithm *algo;

	ESP_CHECK_ARG(sav);

	if ((sav->flags & SADB_X_EXT_OLD) != 0) {
		esp_log_err("ChaChaPoly is incompatible with SADB_X_EXT_OLD");
		return 1;
	}
	if ((sav->flags & SADB_X_EXT_DERIV) != 0) {
		esp_log_err("ChaChaPoly is incompatible with SADB_X_EXT_DERIV");
		return 1;
	}

	if (sav->alg_enc != SADB_X_EALG_CHACHA20POLY1305) {
		esp_log_err("ChaChaPoly unsupported algorithm %d",
					sav->alg_enc);
		return 1;
	}

	if (sav->key_enc == NULL) {
		esp_log_err("ChaChaPoly key is missing");
		return 1;
	}

	algo = esp_algorithm_lookup(sav->alg_enc);
	if (algo == NULL) {
		esp_log_err("ChaChaPoly lookup failed for algorithm %d",
					sav->alg_enc);
		return 1;
	}

	if (sav->key_enc->sadb_key_bits != ESP_CHACHAPOLY_KEYBITS_WITH_SALT) {
		esp_log_err("ChaChaPoly invalid key length %d bits",
					sav->key_enc->sadb_key_bits);
		return 1;
	}

	return 0;
}

int
esp_chachapoly_schedlen(__unused const struct esp_algorithm *algo)
{
	return sizeof(esp_chachapoly_ctx_s);
}

int
esp_chachapoly_schedule(__unused const struct esp_algorithm *algo,
						struct secasvar *sav)
{
	esp_chachapoly_ctx_t esp_ccp_ctx;
	int rc = 0;

	ESP_CHECK_ARG(sav);
	if (sav->ivlen != ESP_CHACHAPOLY_IV_LEN) {
		esp_log_err("Invalid ivlen %u", sav->ivlen);
		return EINVAL;
	}
	if (_KEYLEN(sav->key_enc) != ESP_CHACHAPOLY_KEY_LEN + ESP_CHACHAPOLY_SALT_LEN) {
		esp_log_err("Invalid key len %u", _KEYLEN(sav->key_enc));
		return EINVAL;
	}
	LCK_MTX_ASSERT(sadb_mutex, LCK_MTX_ASSERT_OWNED);

	esp_ccp_ctx = (esp_chachapoly_ctx_t)sav->sched;

	rc = chacha20poly1305_init(&esp_ccp_ctx->ccp_ctx,
							   (const uint8_t *)_KEYBUF(sav->key_enc));
	if (rc != 0) {
		esp_log_err("chacha20poly1305_init returned %d", rc);
		return rc;
	}

	memcpy(esp_ccp_ctx->ccp_salt,
		   (const uint8_t *)_KEYBUF(sav->key_enc) + ESP_CHACHAPOLY_KEY_LEN,
		   sizeof(esp_ccp_ctx->ccp_salt));

	esp_ccp_ctx->ccp_implicit_iv = ((sav->flags & SADB_X_EXT_IIV) != 0);

	return 0;
}

int
esp_chachapoly_encrypt_finalize(struct secasvar *sav,
								unsigned char *tag,
								unsigned int tag_bytes)
{
	esp_chachapoly_ctx_t esp_ccp_ctx;
	int rc = 0;

	ESP_CHECK_ARG(sav);
	ESP_CHECK_ARG(tag);
	if (tag_bytes != ESP_CHACHAPOLY_ICV_LEN) {
		esp_log_err("Invalid tag_bytes %u", tag_bytes);
		return EINVAL;
	}

	esp_ccp_ctx = (esp_chachapoly_ctx_t)sav->sched;
	rc = chacha20poly1305_finalize(&esp_ccp_ctx->ccp_ctx, tag);
	if (rc != 0) {
		esp_log_err("chacha20poly1305_finalize returned %d", rc);
		return rc;
	}
	return 0;
}

int
esp_chachapoly_decrypt_finalize(struct secasvar *sav,
								unsigned char *tag,
								unsigned int tag_bytes)
{
	esp_chachapoly_ctx_t esp_ccp_ctx;
	int rc = 0;

	ESP_CHECK_ARG(sav);
	ESP_CHECK_ARG(tag);
	if (tag_bytes != ESP_CHACHAPOLY_ICV_LEN) {
		esp_log_err("Invalid tag_bytes %u", tag_bytes);
		return EINVAL;
	}

	esp_ccp_ctx = (esp_chachapoly_ctx_t)sav->sched;
	rc = chacha20poly1305_verify(&esp_ccp_ctx->ccp_ctx, tag);
	if (rc != 0) {
		esp_log_err("chacha20poly1305_finalize returned %d", rc);
		return rc;
	}
	return 0;
}

int
esp_chachapoly_encrypt(struct mbuf *m, // head of mbuf chain
					   size_t off, // offset to ESP header
					   __unused size_t plen,
					   struct secasvar *sav,
					   __unused const struct esp_algorithm *algo,
					   int ivlen)
{
	struct mbuf *s = m; // this mbuf
	int32_t soff = 0; // offset from the head of mbuf chain (m) to head of this mbuf (s)
	int32_t sn = 0; // offset from the head of this mbuf (s) to the body
	uint8_t *sp; // buffer of a given encryption round
	size_t len; // length of a given encryption round
	const int32_t ivoff = (int32_t)off + (int32_t)sizeof(struct newesp); // IV offset
	int32_t bodyoff; // body offset
	int rc = 0; // return code of corecrypto operations
	struct newesp esp_hdr; // ESP header for AAD
	_Static_assert(sizeof(esp_hdr) == 8, "Bad size");
	uint8_t nonce[ESP_CHACHAPOLY_NONCE_LEN];
	esp_chachapoly_ctx_t esp_ccp_ctx;

	ESP_CHECK_ARG(m);
	ESP_CHECK_ARG(sav);
	if (ivlen != ESP_CHACHAPOLY_IV_LEN) {
		m_freem(m);
		esp_log_err("Invalid ivlen %u", ivlen);
		return EINVAL;
	}
	if (sav->ivlen != ESP_CHACHAPOLY_IV_LEN) {
		m_freem(m);
		esp_log_err("Invalid sav->ivlen %u", sav->ivlen);
		return EINVAL;
	}

	esp_ccp_ctx = (esp_chachapoly_ctx_t)sav->sched;
	if (esp_ccp_ctx->ccp_implicit_iv) {
		bodyoff = ivoff;
	} else {
		bodyoff = ivoff + ivlen;
	}
	// check if total packet length is enough to contain ESP + IV
	if (m->m_pkthdr.len < bodyoff) {
		esp_log_err("Packet too short %d < %zu", m->m_pkthdr.len, bodyoff);
		m_freem(m);
		return EINVAL;
	}

	rc = chacha20poly1305_reset(&esp_ccp_ctx->ccp_ctx);
	if (rc != 0) {
		m_freem(m);
		esp_log_err("chacha20poly1305_reset failed %d", rc);
		return rc;
	}

	// RFC 7634 dictates that the 12 byte nonce must be
	// the 4 byte salt followed by the 8 byte IV.
	// The IV MUST be non-repeating but does not need to be unpredictable,
	// so we use 4 bytes of 0 followed by the 4 byte ESP sequence number.
	// this allows us to use implicit IV -- draft-mglt-ipsecme-implicit-iv
	memset(sav->iv, 0, 4);
	memcpy(sav->iv + 4, &sav->seq, sizeof(sav->seq));
	_Static_assert(4 + sizeof(sav->seq) == ESP_CHACHAPOLY_IV_LEN,
				   "Bad IV length");
	memcpy(nonce, esp_ccp_ctx->ccp_salt, ESP_CHACHAPOLY_SALT_LEN);
	memcpy(nonce + ESP_CHACHAPOLY_SALT_LEN, sav->iv, ESP_CHACHAPOLY_IV_LEN);
	_Static_assert(ESP_CHACHAPOLY_SALT_LEN + ESP_CHACHAPOLY_IV_LEN == sizeof(nonce),
				   "Bad nonce length");

	rc = chacha20poly1305_setnonce(&esp_ccp_ctx->ccp_ctx, nonce);
	if (rc != 0) {
		m_freem(m);
		esp_log_err("chacha20poly1305_setnonce failed %d", rc);
		return rc;
	}

	if (!esp_ccp_ctx->ccp_implicit_iv) {
		m_copyback(m, ivoff, ivlen, sav->iv);
	}
	cc_clear(sizeof(nonce), nonce);

	// Set Additional Authentication Data (AAD)
	m_copydata(m, (int)off, sizeof(esp_hdr), (void *)&esp_hdr);

	rc = chacha20poly1305_aad(&esp_ccp_ctx->ccp_ctx,
							  sizeof(esp_hdr),
							  (void *)&esp_hdr);
	if (rc != 0) {
		m_freem(m);
		esp_log_err("chacha20poly1305_aad failed %d", rc);
		return rc;
	}

	// skip headers/IV
	while (s != NULL && soff < bodyoff) {
		if (soff + s->m_len > bodyoff) {
			sn = bodyoff - soff;
			break;
		}

		soff += s->m_len;
		s = s->m_next;
	}

	while (s != NULL && soff < m->m_pkthdr.len) {
		len = (size_t)(s->m_len - sn);
		if (len == 0) {
			// skip empty mbufs
			continue;
		}
		sp = mtod(s, uint8_t *) + sn;

		rc = chacha20poly1305_encrypt(&esp_ccp_ctx->ccp_ctx,
									  len, sp, sp);
		if (rc != 0) {
			m_freem(m);
			esp_log_err("chacha20poly1305_encrypt failed %d", rc);
			return rc;
		}

		sn = 0;
		soff += s->m_len;
		s = s->m_next;
	}
	if (s == NULL && soff != m->m_pkthdr.len) {
		m_freem(m);
		esp_log_err("not enough mbufs %d %d", soff, m->m_pkthdr.len);
		return EFBIG;
	}
	return 0;
}

int
esp_chachapoly_decrypt(struct mbuf *m, // head of mbuf chain
					   size_t off, // offset to ESP header
					   struct secasvar *sav,
					   __unused const struct esp_algorithm *algo,
					   int ivlen)
{
	struct mbuf *s = m; // this mbuf
	int32_t soff = 0; // offset from the head of mbuf chain (m) to head of this mbuf (s)
	int32_t sn = 0; // offset from the head of this mbuf (s) to the body
	uint8_t *sp; // buffer of a given encryption round
	size_t len; // length of a given encryption round
	const int32_t ivoff = (int32_t)off + (int32_t)sizeof(struct newesp); // IV offset
	int32_t bodyoff; // body offset
	int rc = 0; // return code of corecrypto operations
	struct newesp esp_hdr; // ESP header for AAD
	_Static_assert(sizeof(esp_hdr) == 8, "Bad size");
	uint8_t nonce[ESP_CHACHAPOLY_NONCE_LEN];
	esp_chachapoly_ctx_t esp_ccp_ctx;

	ESP_CHECK_ARG(m);
	ESP_CHECK_ARG(sav);
	if (ivlen != ESP_CHACHAPOLY_IV_LEN) {
		m_freem(m);
		esp_log_err("Invalid ivlen %u", ivlen);
		return EINVAL;
	}
	if (sav->ivlen != ESP_CHACHAPOLY_IV_LEN) {
		m_freem(m);
		esp_log_err("Invalid sav->ivlen %u", sav->ivlen);
		return EINVAL;
	}

	esp_ccp_ctx = (esp_chachapoly_ctx_t)sav->sched;
	if (esp_ccp_ctx->ccp_implicit_iv) {
		bodyoff = ivoff;
	} else {
		bodyoff = ivoff + ivlen;
	}
	// check if total packet length is enough to contain ESP + IV
	if (m->m_pkthdr.len < bodyoff) {
		esp_packet_log_err("Packet too short %d < %zu", m->m_pkthdr.len, bodyoff);
		m_freem(m);
		return EINVAL;
	}

	rc = chacha20poly1305_reset(&esp_ccp_ctx->ccp_ctx);
	if (rc != 0) {
		m_freem(m);
		esp_log_err("chacha20poly1305_reset failed %d", rc);
		return rc;
	}

	m_copydata(m, (int)off, sizeof(esp_hdr), (void *)&esp_hdr);

	// RFC 7634 dictates that the 12 byte nonce must be
	// the 4 byte salt followed by the 8 byte IV.
	memcpy(nonce, esp_ccp_ctx->ccp_salt, ESP_CHACHAPOLY_SALT_LEN);
	if (esp_ccp_ctx->ccp_implicit_iv) {
		// IV is implicit (4 zero bytes followed by the ESP sequence number)
		memset(nonce + ESP_CHACHAPOLY_SALT_LEN, 0, 4);
		memcpy(nonce + ESP_CHACHAPOLY_SALT_LEN + 4, &esp_hdr.esp_seq, sizeof(esp_hdr.esp_seq));
		_Static_assert(4 + sizeof(esp_hdr.esp_seq) == ESP_CHACHAPOLY_IV_LEN, "Bad IV length");
	} else {
		// copy IV from packet
		m_copydata(m, ivoff, ESP_CHACHAPOLY_IV_LEN, nonce + ESP_CHACHAPOLY_SALT_LEN);
	}
	_Static_assert(ESP_CHACHAPOLY_SALT_LEN + ESP_CHACHAPOLY_IV_LEN == sizeof(nonce),
				   "Bad nonce length");

	rc = chacha20poly1305_setnonce(&esp_ccp_ctx->ccp_ctx, nonce);
	if (rc != 0) {
		m_freem(m);
		esp_log_err("chacha20poly1305_setnonce failed %d", rc);
		return rc;
	}
	cc_clear(sizeof(nonce), nonce);

	// Set Additional Authentication Data (AAD)
	rc = chacha20poly1305_aad(&esp_ccp_ctx->ccp_ctx,
							  sizeof(esp_hdr),
							  (void *)&esp_hdr);
	if (rc != 0) {
		m_freem(m);
		esp_log_err("chacha20poly1305_aad failed %d", rc);
		return rc;
	}

	// skip headers/IV
	while (s != NULL && soff < bodyoff) {
		if (soff + s->m_len > bodyoff) {
			sn = bodyoff - soff;
			break;
		}

		soff += s->m_len;
		s = s->m_next;
	}

	while (s != NULL && soff < m->m_pkthdr.len) {
		len = (size_t)(s->m_len - sn);
		if (len == 0) {
			// skip empty mbufs
			continue;
		}
		sp = mtod(s, uint8_t *) + sn;

		rc = chacha20poly1305_decrypt(&esp_ccp_ctx->ccp_ctx,
									  len, sp, sp);
		if (rc != 0) {
			m_freem(m);
			esp_packet_log_err("chacha20poly1305_decrypt failed %d", rc);
			return rc;
		}

		sn = 0;
		soff += s->m_len;
		s = s->m_next;
	}
	if (s == NULL && soff != m->m_pkthdr.len) {
		m_freem(m);
		esp_packet_log_err("not enough mbufs %d %d", soff, m->m_pkthdr.len);
		return EFBIG;
	}
	return 0;
}