]> git.saurik.com Git - apple/xnu.git/blame - bsd/netinet6/esp_output.c
projects / apple / xnu.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
xnu-1228.3.13.tar.gz
[apple/xnu.git] / bsd / netinet6 / esp_output.c
CommitLineData
55e303ae
A		 1/* $FreeBSD: src/sys/netinet6/esp_output.c,v 1.1.2.3 2002/04/28 05:40:26 suz Exp $ */
2/* $KAME: esp_output.c,v 1.44 2001/07/26 06:53:15 jinmei Exp $ */
1c79356b
A		 3
4/*
5 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
6 * All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 * 3. Neither the name of the project nor the names of its contributors
17 * may be used to endorse or promote products derived from this software
18 * without specific prior written permission.
19 *
20 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
21 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
24 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
30 * SUCH DAMAGE.
31 */
32
33#define _IP_VHL
1c79356b
A		 34
35/*
36 * RFC1827/2406 Encapsulated Security Payload.
37 */
38
39#include <sys/param.h>
40#include <sys/systm.h>
41#include <sys/malloc.h>
42#include <sys/mbuf.h>
43#include <sys/domain.h>
44#include <sys/protosw.h>
45#include <sys/socket.h>
46#include <sys/socketvar.h>
47#include <sys/errno.h>
48#include <sys/time.h>
49#include <sys/kernel.h>
50#include <sys/syslog.h>
51
52#include <net/if.h>
53#include <net/route.h>
54
55#include <netinet/in.h>
56#include <netinet/in_systm.h>
57#include <netinet/ip.h>
58#include <netinet/in_var.h>
55e303ae 59#include <netinet/udp.h> /* for nat traversal */
1c79356b
A		 60
61#if INET6
62#include <netinet/ip6.h>
63#include <netinet6/ip6_var.h>
64#include <netinet/icmp6.h>
65#endif
66
67#include <netinet6/ipsec.h>
9bccf70c
A		 68#if INET6
69#include <netinet6/ipsec6.h>
70#endif
1c79356b 71#include <netinet6/ah.h>
9bccf70c
A		 72#if INET6
73#include <netinet6/ah6.h>
74#endif
1c79356b 75#include <netinet6/esp.h>
9bccf70c
A		 76#if INET6
77#include <netinet6/esp6.h>
78#endif
1c79356b
A		 79#include <netkey/key.h>
80#include <netkey/keydb.h>
1c79356b
A		 81
82#include <net/net_osdep.h>
83
55e303ae
A		 84#include <sys/kdebug.h>
85#define DBG_LAYER_BEG NETDBG_CODE(DBG_NETIPSEC, 1)
86#define DBG_LAYER_END NETDBG_CODE(DBG_NETIPSEC, 3)
87#define DBG_FNC_ESPOUT NETDBG_CODE(DBG_NETIPSEC, (4 << 8))
88#define DBG_FNC_ENCRYPT NETDBG_CODE(DBG_NETIPSEC, (5 << 8))
89
91447636 90static int esp_output(struct mbuf *, u_char *, struct mbuf *,
2d21ac55 91 int, struct secasvar *sav);
1c79356b 92
55e303ae
A		 93extern int esp_udp_encap_port;
94extern u_int32_t natt_now;
95
2d21ac55
A		 96extern lck_mtx_t *sadb_mutex;
97
1c79356b
A		 98/*
99 * compute ESP header size.
100 */
101size_t
102esp_hdrsiz(isr)
103 struct ipsecrequest *isr;
104{
1c79356b
A		 105
106 /* sanity check */
107 if (isr == NULL)
108 panic("esp_hdrsiz: NULL was passed.\n");
109
1c79356b 110
2d21ac55
A		 111#if 0
112 lck_mtx_lock(sadb_mutex);
113 {
114 struct secasvar *sav;
115 const struct esp_algorithm *algo;
116 const struct ah_algorithm *aalgo;
117 size_t ivlen;
118 size_t authlen;
119 size_t hdrsiz;
120 size_t maxpad;
55e303ae 121
2d21ac55
A		 122 /*%%%% this needs to change - no sav in ipsecrequest any more */
123 sav = isr->sav;
124
125 if (isr->saidx.proto != IPPROTO_ESP)
126 panic("unsupported mode passed to esp_hdrsiz");
127
128 if (sav == NULL)
129 goto estimate;
130 if (sav->state != SADB_SASTATE_MATURE
131 && sav->state != SADB_SASTATE_DYING)
132 goto estimate;
133
134 /* we need transport mode ESP. */
135 algo = esp_algorithm_lookup(sav->alg_enc);
136 if (!algo)
137 goto estimate;
138 ivlen = sav->ivlen;
139 if (ivlen < 0)
140 goto estimate;
141
142 if (algo->padbound)
143 maxpad = algo->padbound;
1c79356b 144 else
2d21ac55
A		 145 maxpad = 4;
146 maxpad += 1; /* maximum 'extendsiz' is padbound + 1, see esp_output */
147
148 if (sav->flags & SADB_X_EXT_OLD) {
149 /* RFC 1827 */
150 hdrsiz = sizeof(struct esp) + ivlen + maxpad;
151 } else {
152 /* RFC 2406 */
153 aalgo = ah_algorithm_lookup(sav->alg_auth);
154 if (aalgo && sav->replay && sav->key_auth)
155 authlen = (aalgo->sumsiz)(sav);
156 else
157 authlen = 0;
158 hdrsiz = sizeof(struct newesp) + ivlen + maxpad + authlen;
159 }
160
161 /*
162 * If the security association indicates that NATT is required,
163 * add the size of the NATT encapsulation header:
164 */
165 if ((sav->flags & SADB_X_EXT_NATT) != 0) hdrsiz += sizeof(struct udphdr) + 4;
55e303ae 166
2d21ac55
A		 167 lck_mtx_unlock(sadb_mutex);
168 return hdrsiz;
169 }
170estimate:
171 lck_mtx_unlock(sadb_mutex);
172#endif
1c79356b
A		 173 /*
174 * ASSUMING:
55e303ae 175 * sizeof(struct newesp) > sizeof(struct esp). (8)
9bccf70c 176 * esp_max_ivlen() = max ivlen for CBC mode
55e303ae 177 * 17 = (maximum padding length without random padding length)
1c79356b
A		 178 * + (Pad Length field) + (Next Header field).
179 * 16 = maximum ICV we support.
55e303ae 180 * sizeof(struct udphdr) in case NAT traversal is used
1c79356b 181 */
55e303ae 182 return sizeof(struct newesp) + esp_max_ivlen() + 17 + 16 + sizeof(struct udphdr);
1c79356b
A		 183}
184
185/*
186 * Modify the packet so that the payload is encrypted.
187 * The mbuf (m) must start with IPv4 or IPv6 header.
188 * On failure, free the given mbuf and return NULL.
189 *
190 * on invocation:
191 * m nexthdrp md
192 * v v v
193 * IP ......... payload
194 * during the encryption:
195 * m nexthdrp mprev md
196 * v v v v
197 * IP ............... esp iv payload pad padlen nxthdr
198 * <--><-><------><--------------->
199 * esplen plen extendsiz
200 * ivlen
201 * <-----> esphlen
202 * <-> hlen
203 * <-----------------> espoff
204 */
205static int
2d21ac55 206esp_output(m, nexthdrp, md, af, sav)
1c79356b
A		 207 struct mbuf *m;
208 u_char *nexthdrp;
209 struct mbuf *md;
1c79356b 210 int af;
2d21ac55 211 struct secasvar *sav;
1c79356b
A		 212{
213 struct mbuf *n;
214 struct mbuf *mprev;
215 struct esp *esp;
216 struct esptail *esptail;
9bccf70c 217 const struct esp_algorithm *algo;
1c79356b
A		 218 u_int32_t spi;
219 u_int8_t nxt = 0;
220 size_t plen; /*payload length to be encrypted*/
221 size_t espoff;
222 int ivlen;
223 int afnumber;
224 size_t extendsiz;
225 int error = 0;
9bccf70c 226 struct ipsecstat *stat;
55e303ae
A		 227 struct udphdr *udp = NULL;
228 int udp_encapsulate = (sav->flags & SADB_X_EXT_NATT && af == AF_INET &&
229 (esp_udp_encap_port & 0xFFFF) != 0);
1c79356b 230
55e303ae 231 KERNEL_DEBUG(DBG_FNC_ESPOUT | DBG_FUNC_START, sav->ivlen,0,0,0,0);
1c79356b
A		 232 switch (af) {
233#if INET
234 case AF_INET:
235 afnumber = 4;
9bccf70c 236 stat = &ipsecstat;
1c79356b
A		 237 break;
238#endif
239#if INET6
240 case AF_INET6:
241 afnumber = 6;
9bccf70c 242 stat = &ipsec6stat;
1c79356b
A		 243 break;
244#endif
245 default:
246 ipseclog((LOG_ERR, "esp_output: unsupported af %d\n", af));
55e303ae 247 KERNEL_DEBUG(DBG_FNC_ESPOUT | DBG_FUNC_END, 1,0,0,0,0);
1c79356b
A		 248 return 0; /* no change at all */
249 }
250
251 /* some sanity check */
252 if ((sav->flags & SADB_X_EXT_OLD) == 0 && !sav->replay) {
253 switch (af) {
254#if INET
255 case AF_INET:
256 {
257 struct ip *ip;
258
259 ip = mtod(m, struct ip *);
260 ipseclog((LOG_DEBUG, "esp4_output: internal error: "
261 "sav->replay is null: %x->%x, SPI=%u\n",
262 (u_int32_t)ntohl(ip->ip_src.s_addr),
263 (u_int32_t)ntohl(ip->ip_dst.s_addr),
264 (u_int32_t)ntohl(sav->spi)));
2d21ac55 265 IPSEC_STAT_INCREMENT(ipsecstat.out_inval);
9bccf70c 266 break;
1c79356b
A		 267 }
268#endif /*INET*/
269#if INET6
270 case AF_INET6:
1c79356b
A		 271 ipseclog((LOG_DEBUG, "esp6_output: internal error: "
272 "sav->replay is null: SPI=%u\n",
273 (u_int32_t)ntohl(sav->spi)));
2d21ac55 274 IPSEC_STAT_INCREMENT(ipsec6stat.out_inval);
9bccf70c 275 break;
1c79356b 276#endif /*INET6*/
9bccf70c
A		 277 default:
278 panic("esp_output: should not reach here");
1c79356b 279 }
9bccf70c 280 m_freem(m);
55e303ae 281 KERNEL_DEBUG(DBG_FNC_ESPOUT | DBG_FUNC_END, 2,0,0,0,0);
9bccf70c 282 return EINVAL;
1c79356b
A		 283 }
284
9bccf70c
A		 285 algo = esp_algorithm_lookup(sav->alg_enc);
286 if (!algo) {
287 ipseclog((LOG_ERR, "esp_output: unsupported algorithm: "
288 "SPI=%u\n", (u_int32_t)ntohl(sav->spi)));
289 m_freem(m);
55e303ae 290 KERNEL_DEBUG(DBG_FNC_ESPOUT | DBG_FUNC_END, 3,0,0,0,0);
9bccf70c
A		 291 return EINVAL;
292 }
1c79356b
A		 293 spi = sav->spi;
294 ivlen = sav->ivlen;
295 /* should be okey */
296 if (ivlen < 0) {
297 panic("invalid ivlen");
298 }
299
300 {
301 /*
302 * insert ESP header.
303 * XXX inserts ESP header right after IPv4 header. should
304 * chase the header chain.
305 * XXX sequential number
306 */
307#if INET
308 struct ip *ip = NULL;
309#endif
310#if INET6
311 struct ip6_hdr *ip6 = NULL;
312#endif
55e303ae
A		 313 size_t esplen; /* sizeof(struct esp/newesp) */
314 size_t esphlen; /* sizeof(struct esp/newesp) + ivlen */
315 size_t hlen = 0; /* ip header len */
1c79356b
A		 316
317 if (sav->flags & SADB_X_EXT_OLD) {
318 /* RFC 1827 */
319 esplen = sizeof(struct esp);
320 } else {
321 /* RFC 2406 */
322 if (sav->flags & SADB_X_EXT_DERIV)
323 esplen = sizeof(struct esp);
324 else
325 esplen = sizeof(struct newesp);
326 }
327 esphlen = esplen + ivlen;
328
329 for (mprev = m; mprev && mprev->m_next != md; mprev = mprev->m_next)
330 ;
331 if (mprev == NULL || mprev->m_next != md) {
332 ipseclog((LOG_DEBUG, "esp%d_output: md is not in chain\n",
333 afnumber));
334 m_freem(m);
55e303ae 335 KERNEL_DEBUG(DBG_FNC_ESPOUT | DBG_FUNC_END, 4,0,0,0,0);
1c79356b
A		 336 return EINVAL;
337 }
338
339 plen = 0;
340 for (n = md; n; n = n->m_next)
341 plen += n->m_len;
342
343 switch (af) {
344#if INET
345 case AF_INET:
346 ip = mtod(m, struct ip *);
347#ifdef _IP_VHL
348 hlen = IP_VHL_HL(ip->ip_vhl) << 2;
349#else
350 hlen = ip->ip_hl << 2;
351#endif
352 break;
353#endif
354#if INET6
355 case AF_INET6:
356 ip6 = mtod(m, struct ip6_hdr *);
357 hlen = sizeof(*ip6);
358 break;
359#endif
360 }
361
362 /* make the packet over-writable */
363 mprev->m_next = NULL;
364 if ((md = ipsec_copypkt(md)) == NULL) {
365 m_freem(m);
366 error = ENOBUFS;
367 goto fail;
368 }
369 mprev->m_next = md;
2d21ac55
A		 370
371 /*
372 * Translate UDP source port back to its original value.
373 * SADB_X_EXT_NATT_MULTIPLEUSERS is only set for transort mode.
374 */
375 if ((sav->flags & SADB_X_EXT_NATT_MULTIPLEUSERS) != 0) {
376 /* if not UDP - drop it */
377 if (ip->ip_p != IPPROTO_UDP) {
378 IPSEC_STAT_INCREMENT(ipsecstat.out_inval);
379 m_freem(m);
380 error = EINVAL;
381 goto fail;
382 }
383
384 udp = mtod(md, struct udphdr *);
385
386 /* if src port not set in sav - find it */
387 if (sav->natt_encapsulated_src_port == 0)
388 if (key_natt_get_translated_port(sav) == 0) {
389 m_freem(m);
390 error = EINVAL;
391 goto fail;
392 }
393 if (sav->remote_ike_port == htons(udp->uh_dport)) {
394 /* translate UDP port */
395 udp->uh_dport = sav->natt_encapsulated_src_port;
396 udp->uh_sum = 0; /* don't need checksum with ESP auth */
397 } else {
398 /* drop the packet - can't translate the port */
399 IPSEC_STAT_INCREMENT(ipsecstat.out_inval);
400 m_freem(m);
401 error = EINVAL;
402 goto fail;
403 }
404 }
405
1c79356b
A		 406
407 espoff = m->m_pkthdr.len - plen;
55e303ae
A		 408
409 if (udp_encapsulate) {
410 esphlen += sizeof(struct udphdr);
411 espoff += sizeof(struct udphdr);
412 }
1c79356b
A		 413
414 /*
415 * grow the mbuf to accomodate ESP header.
416 * before: IP ... payload
55e303ae 417 * after: IP ... [UDP] ESP IV payload
1c79356b 418 */
9bccf70c 419 if (M_LEADINGSPACE(md) < esphlen || (md->m_flags & M_EXT) != 0) {
1c79356b
A		 420 MGET(n, M_DONTWAIT, MT_DATA);
421 if (!n) {
422 m_freem(m);
423 error = ENOBUFS;
424 goto fail;
425 }
426 n->m_len = esphlen;
427 mprev->m_next = n;
428 n->m_next = md;
429 m->m_pkthdr.len += esphlen;
55e303ae
A		 430 if (udp_encapsulate) {
431 udp = mtod(n, struct udphdr *);
432 esp = (struct esp *)((caddr_t)udp + sizeof(struct udphdr));
433 } else {
434 esp = mtod(n, struct esp *);
435 }
1c79356b
A		 436 } else {
437 md->m_len += esphlen;
438 md->m_data -= esphlen;
439 m->m_pkthdr.len += esphlen;
440 esp = mtod(md, struct esp *);
55e303ae
A		 441 if (udp_encapsulate) {
442 udp = mtod(md, struct udphdr *);
443 esp = (struct esp *)((caddr_t)udp + sizeof(struct udphdr));
444 } else {
445 esp = mtod(md, struct esp *);
446 }
1c79356b
A		 447 }
448
1c79356b
A		 449 switch (af) {
450#if INET
451 case AF_INET:
452 if (esphlen < (IP_MAXPACKET - ntohs(ip->ip_len)))
453 ip->ip_len = htons(ntohs(ip->ip_len) + esphlen);
454 else {
455 ipseclog((LOG_ERR,
456 "IPv4 ESP output: size exceeds limit\n"));
2d21ac55 457 IPSEC_STAT_INCREMENT(ipsecstat.out_inval);
1c79356b
A		 458 m_freem(m);
459 error = EMSGSIZE;
460 goto fail;
461 }
462 break;
463#endif
464#if INET6
465 case AF_INET6:
466 /* total packet length will be computed in ip6_output() */
467 break;
468#endif
469 }
470 }
471
472 /* initialize esp header. */
473 esp->esp_spi = spi;
474 if ((sav->flags & SADB_X_EXT_OLD) == 0) {
475 struct newesp *nesp;
476 nesp = (struct newesp *)esp;
477 if (sav->replay->count == ~0) {
478 if ((sav->flags & SADB_X_EXT_CYCSEQ) == 0) {
479 /* XXX Is it noisy ? */
480 ipseclog((LOG_WARNING,
481 "replay counter overflowed. %s\n",
482 ipsec_logsastr(sav)));
2d21ac55 483 IPSEC_STAT_INCREMENT(stat->out_inval);
1c79356b 484 m_freem(m);
55e303ae 485 KERNEL_DEBUG(DBG_FNC_ESPOUT | DBG_FUNC_END, 5,0,0,0,0);
1c79356b
A		 486 return EINVAL;
487 }
488 }
2d21ac55 489 lck_mtx_lock(sadb_mutex);
1c79356b 490 sav->replay->count++;
2d21ac55 491 lck_mtx_unlock(sadb_mutex);
1c79356b
A		 492 /*
493 * XXX sequence number must not be cycled, if the SA is
494 * installed by IKE daemon.
495 */
496 nesp->esp_seq = htonl(sav->replay->count);
497 }
498
499 {
500 /*
501 * find the last mbuf. make some room for ESP trailer.
1c79356b
A		 502 */
503#if INET
504 struct ip *ip = NULL;
505#endif
506 size_t padbound;
507 u_char *extend;
508 int i;
9bccf70c 509 int randpadmax;
1c79356b
A		 510
511 if (algo->padbound)
512 padbound = algo->padbound;
513 else
514 padbound = 4;
515 /* ESP packet, including nxthdr field, must be length of 4n */
516 if (padbound < 4)
517 padbound = 4;
518
519 extendsiz = padbound - (plen % padbound);
520 if (extendsiz == 1)
521 extendsiz = padbound + 1;
522
9bccf70c
A		 523 /* random padding */
524 switch (af) {
525#if INET
526 case AF_INET:
527 randpadmax = ip4_esp_randpad;
528 break;
529#endif
530#if INET6
531 case AF_INET6:
532 randpadmax = ip6_esp_randpad;
533 break;
534#endif
535 default:
536 randpadmax = -1;
537 break;
538 }
539 if (randpadmax < 0 || plen + extendsiz >= randpadmax)
540 ;
541 else {
2d21ac55 542 int pad;
9bccf70c
A		 543
544 /* round */
545 randpadmax = (randpadmax / padbound) * padbound;
2d21ac55 546 pad = (randpadmax - plen + extendsiz) / padbound;
9bccf70c 547
2d21ac55
A		 548 if (pad > 0)
549 pad = (random() % pad) * padbound;
9bccf70c 550 else
2d21ac55 551 pad = 0;
9bccf70c
A		 552
553 /*
554 * make sure we do not pad too much.
555 * MLEN limitation comes from the trailer attachment
556 * code below.
557 * 256 limitation comes from sequential padding.
558 * also, the 1-octet length field in ESP trailer imposes
559 * limitation (but is less strict than sequential padding
560 * as length field do not count the last 2 octets).
561 */
2d21ac55
A		 562 if (extendsiz + pad <= MLEN && extendsiz + pad < 256)
563 extendsiz += pad;
9bccf70c
A		 564 }
565
566#if DIAGNOSTIC
567 if (extendsiz > MLEN || extendsiz >= 256)
568 panic("extendsiz too big in esp_output");
569#endif
570
1c79356b
A		 571 n = m;
572 while (n->m_next)
573 n = n->m_next;
574
575 /*
9bccf70c
A		 576 * if M_EXT, the external mbuf data may be shared among
577 * two consequtive TCP packets, and it may be unsafe to use the
578 * trailing space.
1c79356b
A		 579 */
580 if (!(n->m_flags & M_EXT) && extendsiz < M_TRAILINGSPACE(n)) {
581 extend = mtod(n, u_char *) + n->m_len;
582 n->m_len += extendsiz;
583 m->m_pkthdr.len += extendsiz;
584 } else {
585 struct mbuf *nn;
586
587 MGET(nn, M_DONTWAIT, MT_DATA);
588 if (!nn) {
589 ipseclog((LOG_DEBUG, "esp%d_output: can't alloc mbuf",
590 afnumber));
591 m_freem(m);
592 error = ENOBUFS;
593 goto fail;
594 }
595 extend = mtod(nn, u_char *);
596 nn->m_len = extendsiz;
597 nn->m_next = NULL;
598 n->m_next = nn;
599 n = nn;
600 m->m_pkthdr.len += extendsiz;
601 }
602 switch (sav->flags & SADB_X_EXT_PMASK) {
603 case SADB_X_EXT_PRAND:
9bccf70c 604 key_randomfill(extend, extendsiz);
1c79356b
A		 605 break;
606 case SADB_X_EXT_PZERO:
607 bzero(extend, extendsiz);
608 break;
609 case SADB_X_EXT_PSEQ:
610 for (i = 0; i < extendsiz; i++)
611 extend[i] = (i + 1) & 0xff;
612 break;
613 }
55e303ae
A		 614
615 nxt = *nexthdrp;
616 if (udp_encapsulate) {
617 *nexthdrp = IPPROTO_UDP;
618
619 /* Fill out the UDP header */
620 udp->uh_sport = ntohs((u_short)esp_udp_encap_port);
621 udp->uh_dport = ntohs(sav->remote_ike_port);
622// udp->uh_len set later, after all length tweaks are complete
623 udp->uh_sum = 0;
624
625 /* Update last sent so we know if we need to send keepalive */
626 sav->natt_last_activity = natt_now;
627 } else {
628 *nexthdrp = IPPROTO_ESP;
629 }
1c79356b
A		 630
631 /* initialize esp trailer. */
632 esptail = (struct esptail *)
633 (mtod(n, u_int8_t *) + n->m_len - sizeof(struct esptail));
634 esptail->esp_nxt = nxt;
635 esptail->esp_padlen = extendsiz - 2;
636
637 /* modify IP header (for ESP header part only) */
638 switch (af) {
639#if INET
640 case AF_INET:
641 ip = mtod(m, struct ip *);
642 if (extendsiz < (IP_MAXPACKET - ntohs(ip->ip_len)))
643 ip->ip_len = htons(ntohs(ip->ip_len) + extendsiz);
644 else {
645 ipseclog((LOG_ERR,
646 "IPv4 ESP output: size exceeds limit\n"));
2d21ac55 647 IPSEC_STAT_INCREMENT(ipsecstat.out_inval);
1c79356b
A		 648 m_freem(m);
649 error = EMSGSIZE;
650 goto fail;
651 }
652 break;
653#endif
654#if INET6
655 case AF_INET6:
656 /* total packet length will be computed in ip6_output() */
657 break;
658#endif
659 }
660 }
661
9bccf70c
A		 662 /*
663 * pre-compute and cache intermediate key
664 */
665 error = esp_schedule(algo, sav);
666 if (error) {
667 m_freem(m);
2d21ac55 668 IPSEC_STAT_INCREMENT(stat->out_inval);
9bccf70c
A		 669 goto fail;
670 }
671
1c79356b
A		 672 /*
673 * encrypt the packet, based on security association
674 * and the algorithm specified.
675 */
676 if (!algo->encrypt)
677 panic("internal error: no encrypt function");
55e303ae 678 KERNEL_DEBUG(DBG_FNC_ENCRYPT | DBG_FUNC_START, 0,0,0,0,0);
1c79356b 679 if ((*algo->encrypt)(m, espoff, plen + extendsiz, sav, algo, ivlen)) {
9bccf70c 680 /* m is already freed */
1c79356b 681 ipseclog((LOG_ERR, "packet encryption failure\n"));
2d21ac55 682 IPSEC_STAT_INCREMENT(stat->out_inval);
1c79356b 683 error = EINVAL;
55e303ae 684 KERNEL_DEBUG(DBG_FNC_ENCRYPT | DBG_FUNC_END, 1,error,0,0,0);
1c79356b
A		 685 goto fail;
686 }
55e303ae 687 KERNEL_DEBUG(DBG_FNC_ENCRYPT | DBG_FUNC_END, 2,0,0,0,0);
1c79356b
A		 688
689 /*
690 * calculate ICV if required.
691 */
692 if (!sav->replay)
693 goto noantireplay;
694 if (!sav->key_auth)
695 goto noantireplay;
9bccf70c 696 if (sav->key_auth == SADB_AALG_NONE)
1c79356b 697 goto noantireplay;
9bccf70c 698
1c79356b 699 {
2d21ac55
A		 700 const struct ah_algorithm *aalgo;
701 u_char authbuf[AH_MAXSUMSIZE];
702 u_char *p;
703 size_t siz;
704 #if INET
705 struct ip *ip;
706 #endif
707
708 aalgo = ah_algorithm_lookup(sav->alg_auth);
709 if (!aalgo)
710 goto noantireplay;
711 siz = ((aalgo->sumsiz)(sav) + 3) & ~(4 - 1);
712 if (AH_MAXSUMSIZE < siz)
713 panic("assertion failed for AH_MAXSUMSIZE");
714
715 if (esp_auth(m, espoff, m->m_pkthdr.len - espoff, sav, authbuf)) {
716 ipseclog((LOG_ERR, "ESP checksum generation failure\n"));
1c79356b 717 m_freem(m);
2d21ac55
A		 718 error = EINVAL;
719 IPSEC_STAT_INCREMENT(stat->out_inval);
1c79356b
A		 720 goto fail;
721 }
2d21ac55
A		 722
723 n = m;
724 while (n->m_next)
725 n = n->m_next;
726
727 if (!(n->m_flags & M_EXT) && siz < M_TRAILINGSPACE(n)) { /* XXX */
728 n->m_len += siz;
729 m->m_pkthdr.len += siz;
730 p = mtod(n, u_char *) + n->m_len - siz;
731 } else {
732 struct mbuf *nn;
733
734 MGET(nn, M_DONTWAIT, MT_DATA);
735 if (!nn) {
736 ipseclog((LOG_DEBUG, "can't alloc mbuf in esp%d_output",
737 afnumber));
738 m_freem(m);
739 error = ENOBUFS;
740 goto fail;
741 }
742 nn->m_len = siz;
743 nn->m_next = NULL;
744 n->m_next = nn;
745 n = nn;
746 m->m_pkthdr.len += siz;
747 p = mtod(nn, u_char *);
748 }
749 bcopy(authbuf, p, siz);
750
751 /* modify IP header (for ESP header part only) */
752 switch (af) {
753 #if INET
754 case AF_INET:
755 ip = mtod(m, struct ip *);
756 if (siz < (IP_MAXPACKET - ntohs(ip->ip_len)))
757 ip->ip_len = htons(ntohs(ip->ip_len) + siz);
758 else {
759 ipseclog((LOG_ERR,
760 "IPv4 ESP output: size exceeds limit\n"));
761 IPSEC_STAT_INCREMENT(ipsecstat.out_inval);
762 m_freem(m);
763 error = EMSGSIZE;
764 goto fail;
765 }
766 break;
767 #endif
768 #if INET6
769 case AF_INET6:
770 /* total packet length will be computed in ip6_output() */
771 break;
772 #endif
1c79356b 773 }
1c79356b 774 }
55e303ae
A		 775
776 if (udp_encapsulate) {
777 struct ip *ip;
778 ip = mtod(m, struct ip *);
779 udp->uh_ulen = htons(ntohs(ip->ip_len) - (IP_VHL_HL(ip->ip_vhl) << 2));
780 }
781
1c79356b
A		 782
783noantireplay:
2d21ac55 784 lck_mtx_lock(sadb_mutex);
1c79356b
A		 785 if (!m) {
786 ipseclog((LOG_ERR,
787 "NULL mbuf after encryption in esp%d_output", afnumber));
9bccf70c
A		 788 } else
789 stat->out_success++;
790 stat->out_esphist[sav->alg_enc]++;
2d21ac55 791 lck_mtx_unlock(sadb_mutex);
1c79356b 792 key_sa_recordxfer(sav, m);
55e303ae 793 KERNEL_DEBUG(DBG_FNC_ESPOUT | DBG_FUNC_END, 6,0,0,0,0);
1c79356b
A		 794 return 0;
795
796fail:
797#if 1
55e303ae 798 KERNEL_DEBUG(DBG_FNC_ESPOUT | DBG_FUNC_END, 7,error,0,0,0);
1c79356b
A		 799 return error;
800#else
801 panic("something bad in esp_output");
802#endif
803}
804
805#if INET
806int
2d21ac55 807esp4_output(m, sav)
1c79356b 808 struct mbuf *m;
2d21ac55 809 struct secasvar *sav;
1c79356b
A		 810{
811 struct ip *ip;
812 if (m->m_len < sizeof(struct ip)) {
813 ipseclog((LOG_DEBUG, "esp4_output: first mbuf too short\n"));
814 m_freem(m);
2d21ac55 815 return EINVAL;
1c79356b
A		 816 }
817 ip = mtod(m, struct ip *);
818 /* XXX assumes that m->m_next points to payload */
2d21ac55 819 return esp_output(m, &ip->ip_p, m->m_next, AF_INET, sav);
1c79356b
A		 820}
821#endif /*INET*/
822
823#if INET6
824int
2d21ac55 825esp6_output(m, nexthdrp, md, sav)
1c79356b
A		 826 struct mbuf *m;
827 u_char *nexthdrp;
828 struct mbuf *md;
2d21ac55 829 struct secasvar *sav;
1c79356b
A		 830{
831 if (m->m_len < sizeof(struct ip6_hdr)) {
832 ipseclog((LOG_DEBUG, "esp6_output: first mbuf too short\n"));
833 m_freem(m);
2d21ac55 834 return EINVAL;
1c79356b 835 }
2d21ac55 836 return esp_output(m, nexthdrp, md, AF_INET6, sav);
1c79356b
A		 837}
838#endif /*INET6*/
mirror of XNU