[apple/xnu.git] / bsd / netinet6 / esp_rijndael.c

/*
 * Copyright (c) 2008 Apple Inc. All rights reserved.
 *
 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
 * 
 * This file contains Original Code and/or Modifications of Original Code
 * as defined in and that are subject to the Apple Public Source License
 * Version 2.0 (the 'License'). You may not use this file except in
 * compliance with the License. The rights granted to you under the License
 * may not be used to create, or enable the creation or redistribution of,
 * unlawful or unlicensed copies of an Apple operating system, or to
 * circumvent, violate, or enable the circumvention or violation of, any
 * terms of an Apple operating system software license agreement.
 * 
 * Please obtain a copy of the License at
 * http://www.opensource.apple.com/apsl/ and read it before using this file.
 * 
 * The Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
 * Please see the License for the specific language governing rights and
 * limitations under the License.
 * 
 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
 */

/*	$FreeBSD: src/sys/netinet6/esp_rijndael.c,v 1.1.2.1 2001/07/03 11:01:50 ume Exp $	*/
/*	$KAME: esp_rijndael.c,v 1.4 2001/03/02 05:53:05 itojun Exp $	*/

/*
 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. Neither the name of the project nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

#include <sys/param.h>
#include <sys/systm.h>
#include <sys/socket.h>
#include <sys/queue.h>
#include <sys/syslog.h>
#include <sys/mbuf.h>

#include <kern/locks.h>

#include <net/if.h>
#include <net/route.h>

#include <netinet6/ipsec.h>
#include <netinet6/esp.h>
#include <netinet6/esp_rijndael.h>

#include <crypto/aes/aes.h>

#include <netkey/key.h>

#include <net/net_osdep.h>

#define AES_BLOCKLEN 16

extern lck_mtx_t *sadb_mutex;

int
esp_aes_schedlen(
	__unused const struct esp_algorithm *algo)
{

	return sizeof(aes_ctx);
}

int
esp_aes_schedule(
	__unused const struct esp_algorithm *algo,
	struct secasvar *sav)
{

	lck_mtx_assert(sadb_mutex, LCK_MTX_ASSERT_OWNED);
	aes_ctx *ctx = (aes_ctx*)sav->sched;
	
	aes_decrypt_key((const unsigned char *) _KEYBUF(sav->key_enc), _KEYLEN(sav->key_enc), &ctx->decrypt);
	aes_encrypt_key((const unsigned char *) _KEYBUF(sav->key_enc), _KEYLEN(sav->key_enc), &ctx->encrypt);
	
	return 0;
}


/* The following 2 functions decrypt or encrypt the contents of
 * the mbuf chain passed in keeping the IP and ESP header's in place,
 * along with the IV.
 * The code attempts to call the crypto code with the largest chunk
 * of data it can based on the amount of source data in
 * the current source mbuf and the space remaining in the current
 * destination mbuf.  The crypto code requires data to be a multiples
 * of 16 bytes.  A separate buffer is used when a 16 byte block spans
 * mbufs.
 *
 * m = mbuf chain
 * off = offset to ESP header
 * 
 * local vars for source:
 * soff = offset from beginning of the chain to the head of the
 *			current mbuf.
 * scut = last mbuf that contains headers to be retained
 * scutoff = offset to end of the headers in scut
 * s = the current mbuf
 * sn = current offset to data in s (next source data to process)
 *
 * local vars for dest:
 * d0 = head of chain
 * d = current mbuf
 * dn = current offset in d (next location to store result)
 */
 
 
int
esp_cbc_decrypt_aes(m, off, sav, algo, ivlen)
	struct mbuf *m;
	size_t off;
	struct secasvar *sav;
	const struct esp_algorithm *algo;
	int ivlen;
{
	struct mbuf *s;
	struct mbuf *d, *d0, *dp;
	int soff;	/* offset from the head of chain, to head of this mbuf */
	int sn, dn;	/* offset from the head of the mbuf, to meat */
	size_t ivoff, bodyoff;
	u_int8_t iv[AES_BLOCKLEN], *dptr;
	u_int8_t sbuf[AES_BLOCKLEN], *sp;
	struct mbuf *scut;
	int scutoff;
	int	i, len;

		
	if (ivlen != AES_BLOCKLEN) {
		ipseclog((LOG_ERR, "esp_cbc_decrypt %s: "
		    "unsupported ivlen %d\n", algo->name, ivlen));
		m_freem(m);
		return EINVAL;
	}

	if (sav->flags & SADB_X_EXT_OLD) {
		/* RFC 1827 */
		ivoff = off + sizeof(struct esp);
		bodyoff = off + sizeof(struct esp) + ivlen;
	} else {
		ivoff = off + sizeof(struct newesp);
		bodyoff = off + sizeof(struct newesp) + ivlen;
	}

	if (m->m_pkthdr.len < bodyoff) {
		ipseclog((LOG_ERR, "esp_cbc_decrypt %s: bad len %d/%lu\n",
		    algo->name, m->m_pkthdr.len, (u_int32_t)bodyoff));
		m_freem(m);
		return EINVAL;
	}
	if ((m->m_pkthdr.len - bodyoff) % AES_BLOCKLEN) {
		ipseclog((LOG_ERR, "esp_cbc_decrypt %s: "
		    "payload length must be multiple of %d\n",
		    algo->name, AES_BLOCKLEN));
		m_freem(m);
		return EINVAL;
	}

	/* grab iv */
	m_copydata(m, ivoff, ivlen, (caddr_t) iv);

	s = m;
	soff = sn = dn = 0;
	d = d0 = dp = NULL;
	sp = dptr = NULL;
	
	/* skip header/IV offset */
	while (soff < bodyoff) {
		if (soff + s->m_len > bodyoff) {
			sn = bodyoff - soff;
			break;
		}

		soff += s->m_len;
		s = s->m_next;
	}
	scut = s;
	scutoff = sn;

	/* skip over empty mbuf */
	while (s && s->m_len == 0)
		s = s->m_next;
	
	while (soff < m->m_pkthdr.len) {
		/* source */
		if (sn + AES_BLOCKLEN <= s->m_len) {
			/* body is continuous */
			sp = mtod(s, u_int8_t *) + sn;
			len = s->m_len - sn;
			len -= len % AES_BLOCKLEN;	// full blocks only
		} else {
			/* body is non-continuous */
			m_copydata(s, sn, AES_BLOCKLEN, (caddr_t) sbuf);
			sp = sbuf;
			len = AES_BLOCKLEN;			// 1 block only in sbuf
		}

		/* destination */
		if (!d || dn + AES_BLOCKLEN > d->m_len) {
			if (d)
				dp = d;
			MGET(d, M_DONTWAIT, MT_DATA);
			i = m->m_pkthdr.len - (soff + sn);
			if (d && i > MLEN) {
				MCLGET(d, M_DONTWAIT);
				if ((d->m_flags & M_EXT) == 0) {
					d = m_mbigget(d, M_DONTWAIT);
					if ((d->m_flags & M_EXT) == 0) {
						m_free(d);
						d = NULL;
					}
				}
			}
			if (!d) {
				m_freem(m);
				if (d0)
					m_freem(d0);
				return ENOBUFS;
			}
			if (!d0)
				d0 = d;
			if (dp)
				dp->m_next = d;
			d->m_len = M_TRAILINGSPACE(d);
			d->m_len -= d->m_len % AES_BLOCKLEN;
			if (d->m_len > i)
				d->m_len = i;
			dptr = mtod(d, u_int8_t *);	
			dn = 0;
		}

		/* adjust len if greater than space available in dest */
		if (len > d->m_len - dn)
			len = d->m_len - dn;

		/* decrypt */
		aes_decrypt_cbc(sp, iv, len >> 4, dptr + dn, 
				(aes_decrypt_ctx*)(&(((aes_ctx*)sav->sched)->decrypt)));
		
		/* udpate offsets */
		sn += len;
		dn += len;
		
		// next iv
		bcopy(sp + len - AES_BLOCKLEN, iv, AES_BLOCKLEN);

		/* find the next source block */
		while (s && sn >= s->m_len) {
			sn -= s->m_len;
			soff += s->m_len;
			s = s->m_next;
		}

	}

	/* free un-needed source mbufs and add dest mbufs to chain */
	m_freem(scut->m_next);
	scut->m_len = scutoff;
	scut->m_next = d0;

	/* just in case */
	bzero(iv, sizeof(iv));
	bzero(sbuf, sizeof(sbuf));

	return 0;
}

int
esp_cbc_encrypt_aes(
	struct mbuf *m,
	size_t off,
	__unused size_t plen,
	struct secasvar *sav,
	const struct esp_algorithm *algo,
	int ivlen)
{
	struct mbuf *s;
	struct mbuf *d, *d0, *dp;
	int soff;	/* offset from the head of chain, to head of this mbuf */
	int sn, dn;	/* offset from the head of the mbuf, to meat */
	size_t ivoff, bodyoff;
	u_int8_t *ivp, *dptr;
	u_int8_t sbuf[AES_BLOCKLEN], *sp;
	struct mbuf *scut;
	int scutoff;
	int i, len;

	if (ivlen != AES_BLOCKLEN) {
		ipseclog((LOG_ERR, "esp_cbc_encrypt %s: "
		    "unsupported ivlen %d\n", algo->name, ivlen));
		m_freem(m);
		return EINVAL;
	}

	if (sav->flags & SADB_X_EXT_OLD) {
		/* RFC 1827 */
		ivoff = off + sizeof(struct esp);
		bodyoff = off + sizeof(struct esp) + ivlen;
	} else {
		ivoff = off + sizeof(struct newesp);
		bodyoff = off + sizeof(struct newesp) + ivlen;
	}

	/* put iv into the packet */
	m_copyback(m, ivoff, ivlen, sav->iv);
	ivp = (u_int8_t *) sav->iv;

	if (m->m_pkthdr.len < bodyoff) {
		ipseclog((LOG_ERR, "esp_cbc_encrypt %s: bad len %d/%lu\n",
		    algo->name, m->m_pkthdr.len, (u_int32_t)bodyoff));
		m_freem(m);
		return EINVAL;
	}
	if ((m->m_pkthdr.len - bodyoff) % AES_BLOCKLEN) {
		ipseclog((LOG_ERR, "esp_cbc_encrypt %s: "
		    "payload length must be multiple of %lu\n",
		    algo->name, AES_BLOCKLEN));
		m_freem(m);
		return EINVAL;
	}

	s = m;
	soff = sn = dn = 0;
	d = d0 = dp = NULL;
	sp = dptr = NULL;
	
	/* skip headers/IV */
	while (soff < bodyoff) {
		if (soff + s->m_len > bodyoff) {
			sn = bodyoff - soff;
			break;
		}

		soff += s->m_len;
		s = s->m_next;
	}
	scut = s;
	scutoff = sn;

	/* skip over empty mbuf */
	while (s && s->m_len == 0)
		s = s->m_next;
	
	while (soff < m->m_pkthdr.len) {
		/* source */
		if (sn + AES_BLOCKLEN <= s->m_len) {
			/* body is continuous */
			sp = mtod(s, u_int8_t *) + sn;
			len = s->m_len - sn;
			len -= len % AES_BLOCKLEN;	// full blocks only
		} else {
			/* body is non-continuous */
			m_copydata(s, sn, AES_BLOCKLEN, (caddr_t) sbuf);
			sp = sbuf;
			len = AES_BLOCKLEN;			// 1 block only in sbuf
		}

		/* destination */
		if (!d || dn + AES_BLOCKLEN > d->m_len) {
			if (d)
				dp = d;
			MGET(d, M_DONTWAIT, MT_DATA);
			i = m->m_pkthdr.len - (soff + sn);
			if (d && i > MLEN) {
				MCLGET(d, M_DONTWAIT);
				if ((d->m_flags & M_EXT) == 0) {
					d = m_mbigget(d, M_DONTWAIT);
					if ((d->m_flags & M_EXT) == 0) {
						m_free(d);
						d = NULL;
					}
				}
			}
			if (!d) {
				m_freem(m);
				if (d0)
					m_freem(d0);
				return ENOBUFS;
			}
			if (!d0)
				d0 = d;
			if (dp)
				dp->m_next = d;

			d->m_len = M_TRAILINGSPACE(d);
			d->m_len -= d->m_len % AES_BLOCKLEN;
			if (d->m_len > i)
				d->m_len = i;
			dptr = mtod(d, u_int8_t *);
			dn = 0;
		}
		
		/* adjust len if greater than space available */
		if (len > d->m_len - dn)
			len = d->m_len - dn;
		
		/* encrypt */
		aes_encrypt_cbc(sp, ivp, len >> 4, dptr + dn, 
			(aes_encrypt_ctx*)(&(((aes_ctx*)sav->sched)->encrypt)));

		/* update offsets */
		sn += len;
		dn += len;

		/* next iv */
		ivp = dptr + dn - AES_BLOCKLEN;	// last block encrypted
		
		/* find the next source block and skip empty mbufs */
		while (s && sn >= s->m_len) {
			sn -= s->m_len;
			soff += s->m_len;
			s = s->m_next;
		}

	}

	/* free un-needed source mbufs and add dest mbufs to chain */
	m_freem(scut->m_next);
	scut->m_len = scutoff;
	scut->m_next = d0;

	/* just in case */
	bzero(sbuf, sizeof(sbuf));
	key_sa_stir_iv(sav);

	return 0;
}
Commit	Line	Data
b0d623f7 A	1	/*
	2	* Copyright (c) 2008 Apple Inc. All rights reserved.
	3	*
	4	* @APPLE_OSREFERENCE_LICENSE_HEADER_START@
	5	*
	6	* This file contains Original Code and/or Modifications of Original Code
	7	* as defined in and that are subject to the Apple Public Source License
	8	* Version 2.0 (the 'License'). You may not use this file except in
	9	* compliance with the License. The rights granted to you under the License
	10	* may not be used to create, or enable the creation or redistribution of,
	11	* unlawful or unlicensed copies of an Apple operating system, or to
	12	* circumvent, violate, or enable the circumvention or violation of, any
	13	* terms of an Apple operating system software license agreement.
	14	*
	15	* Please obtain a copy of the License at
	16	* http://www.opensource.apple.com/apsl/ and read it before using this file.
	17	*
	18	* The Original Code and all software distributed under the License are
	19	* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
	20	* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
	21	* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
	22	* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
	23	* Please see the License for the specific language governing rights and
	24	* limitations under the License.
	25	*
	26	* @APPLE_OSREFERENCE_LICENSE_HEADER_END@
	27	*/
	28
9bccf70c A	29	/* $FreeBSD: src/sys/netinet6/esp_rijndael.c,v 1.1.2.1 2001/07/03 11:01:50 ume Exp $ */
	30	/* $KAME: esp_rijndael.c,v 1.4 2001/03/02 05:53:05 itojun Exp $ */
	31
	32	/*
	33	* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
	34	* All rights reserved.
	35	*
	36	* Redistribution and use in source and binary forms, with or without
	37	* modification, are permitted provided that the following conditions
	38	* are met:
	39	* 1. Redistributions of source code must retain the above copyright
	40	* notice, this list of conditions and the following disclaimer.
	41	* 2. Redistributions in binary form must reproduce the above copyright
	42	* notice, this list of conditions and the following disclaimer in the
	43	* documentation and/or other materials provided with the distribution.
	44	* 3. Neither the name of the project nor the names of its contributors
	45	* may be used to endorse or promote products derived from this software
	46	* without specific prior written permission.
	47	*
	48	* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
	49	* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
	50	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
	51	* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
	52	* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
	53	* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
	54	* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
	55	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
	56	* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
	57	* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
	58	* SUCH DAMAGE.
	59	*/
	60
	61	#include <sys/param.h>
	62	#include <sys/systm.h>
	63	#include <sys/socket.h>
	64	#include <sys/queue.h>
91447636 A	65	#include <sys/syslog.h>
	66	#include <sys/mbuf.h>
	67
	68	#include <kern/locks.h>
9bccf70c A	69
	70	#include <net/if.h>
	71	#include <net/route.h>
	72
	73	#include <netinet6/ipsec.h>
	74	#include <netinet6/esp.h>
	75	#include <netinet6/esp_rijndael.h>
	76
91447636	77	#include <crypto/aes/aes.h>
9bccf70c	78
2d21ac55 A	79	#include <netkey/key.h>
2d21ac55 A	80
9bccf70c A	81	#include <net/net_osdep.h>
9bccf70c A	82
91447636 A	83	#define AES_BLOCKLEN 16
	84
	85	extern lck_mtx_t *sadb_mutex;
	86
9bccf70c	87	int
2d21ac55 A	88	esp_aes_schedlen(
2d21ac55 A	89	__unused const struct esp_algorithm *algo)
9bccf70c A	90	{
9bccf70c A	91
91447636	92	return sizeof(aes_ctx);
9bccf70c A	93	}
	94
	95	int
2d21ac55 A	96	esp_aes_schedule(
	97	__unused const struct esp_algorithm *algo,
	98	struct secasvar *sav)
9bccf70c	99	{
2d21ac55 A	100
2d21ac55 A	101	lck_mtx_assert(sadb_mutex, LCK_MTX_ASSERT_OWNED);
91447636 A	102	aes_ctx ctx = (aes_ctx)sav->sched;
91447636 A	103
b0d623f7 A	104	aes_decrypt_key((const unsigned char *) _KEYBUF(sav->key_enc), _KEYLEN(sav->key_enc), &ctx->decrypt);
b0d623f7 A	105	aes_encrypt_key((const unsigned char *) _KEYBUF(sav->key_enc), _KEYLEN(sav->key_enc), &ctx->encrypt);
91447636	106
9bccf70c A	107	return 0;
	108	}
	109
91447636 A	110
	111	/* The following 2 functions decrypt or encrypt the contents of
	112	* the mbuf chain passed in keeping the IP and ESP header's in place,
	113	* along with the IV.
	114	* The code attempts to call the crypto code with the largest chunk
	115	* of data it can based on the amount of source data in
	116	* the current source mbuf and the space remaining in the current
	117	* destination mbuf. The crypto code requires data to be a multiples
	118	* of 16 bytes. A separate buffer is used when a 16 byte block spans
	119	* mbufs.
	120	*
	121	* m = mbuf chain
	122	* off = offset to ESP header
	123	*
	124	* local vars for source:
	125	* soff = offset from beginning of the chain to the head of the
	126	* current mbuf.
	127	* scut = last mbuf that contains headers to be retained
	128	* scutoff = offset to end of the headers in scut
	129	* s = the current mbuf
	130	* sn = current offset to data in s (next source data to process)
	131	*
	132	* local vars for dest:
	133	* d0 = head of chain
	134	* d = current mbuf
	135	* dn = current offset in d (next location to store result)
	136	*/
	137
	138
9bccf70c	139	int
91447636 A	140	esp_cbc_decrypt_aes(m, off, sav, algo, ivlen)
	141	struct mbuf *m;
	142	size_t off;
9bccf70c	143	struct secasvar *sav;
91447636 A	144	const struct esp_algorithm *algo;
91447636 A	145	int ivlen;
9bccf70c	146	{
91447636 A	147	struct mbuf *s;
	148	struct mbuf d, d0, *dp;
	149	int soff; /* offset from the head of chain, to head of this mbuf */
	150	int sn, dn; /* offset from the head of the mbuf, to meat */
	151	size_t ivoff, bodyoff;
	152	u_int8_t iv[AES_BLOCKLEN], *dptr;
	153	u_int8_t sbuf[AES_BLOCKLEN], *sp;
	154	struct mbuf *scut;
	155	int scutoff;
	156	int i, len;
	157
	158
	159	if (ivlen != AES_BLOCKLEN) {
	160	ipseclog((LOG_ERR, "esp_cbc_decrypt %s: "
	161	"unsupported ivlen %d\n", algo->name, ivlen));
	162	m_freem(m);
	163	return EINVAL;
	164	}
	165
	166	if (sav->flags & SADB_X_EXT_OLD) {
	167	/* RFC 1827 */
	168	ivoff = off + sizeof(struct esp);
	169	bodyoff = off + sizeof(struct esp) + ivlen;
	170	} else {
	171	ivoff = off + sizeof(struct newesp);
	172	bodyoff = off + sizeof(struct newesp) + ivlen;
	173	}
	174
	175	if (m->m_pkthdr.len < bodyoff) {
	176	ipseclog((LOG_ERR, "esp_cbc_decrypt %s: bad len %d/%lu\n",
b0d623f7	177	algo->name, m->m_pkthdr.len, (u_int32_t)bodyoff));
91447636 A	178	m_freem(m);
	179	return EINVAL;
	180	}
	181	if ((m->m_pkthdr.len - bodyoff) % AES_BLOCKLEN) {
	182	ipseclog((LOG_ERR, "esp_cbc_decrypt %s: "
	183	"payload length must be multiple of %d\n",
	184	algo->name, AES_BLOCKLEN));
	185	m_freem(m);
	186	return EINVAL;
	187	}
	188
	189	/* grab iv */
b0d623f7	190	m_copydata(m, ivoff, ivlen, (caddr_t) iv);
91447636	191
91447636 A	192	s = m;
	193	soff = sn = dn = 0;
	194	d = d0 = dp = NULL;
	195	sp = dptr = NULL;
	196
	197	/* skip header/IV offset */
	198	while (soff < bodyoff) {
	199	if (soff + s->m_len > bodyoff) {
	200	sn = bodyoff - soff;
	201	break;
	202	}
	203
	204	soff += s->m_len;
	205	s = s->m_next;
	206	}
	207	scut = s;
	208	scutoff = sn;
	209
	210	/* skip over empty mbuf */
	211	while (s && s->m_len == 0)
	212	s = s->m_next;
	213
	214	while (soff < m->m_pkthdr.len) {
	215	/* source */
	216	if (sn + AES_BLOCKLEN <= s->m_len) {
	217	/* body is continuous */
	218	sp = mtod(s, u_int8_t *) + sn;
	219	len = s->m_len - sn;
	220	len -= len % AES_BLOCKLEN; // full blocks only
	221	} else {
	222	/* body is non-continuous */
b0d623f7	223	m_copydata(s, sn, AES_BLOCKLEN, (caddr_t) sbuf);
91447636 A	224	sp = sbuf;
	225	len = AES_BLOCKLEN; // 1 block only in sbuf
	226	}
	227
	228	/* destination */
	229	if (!d \|\| dn + AES_BLOCKLEN > d->m_len) {
	230	if (d)
	231	dp = d;
	232	MGET(d, M_DONTWAIT, MT_DATA);
	233	i = m->m_pkthdr.len - (soff + sn);
	234	if (d && i > MLEN) {
	235	MCLGET(d, M_DONTWAIT);
	236	if ((d->m_flags & M_EXT) == 0) {
2d21ac55 A	237	d = m_mbigget(d, M_DONTWAIT);
	238	if ((d->m_flags & M_EXT) == 0) {
	239	m_free(d);
	240	d = NULL;
	241	}
91447636 A	242	}
	243	}
	244	if (!d) {
	245	m_freem(m);
	246	if (d0)
	247	m_freem(d0);
91447636 A	248	return ENOBUFS;
	249	}
	250	if (!d0)
	251	d0 = d;
	252	if (dp)
	253	dp->m_next = d;
	254	d->m_len = M_TRAILINGSPACE(d);
	255	d->m_len -= d->m_len % AES_BLOCKLEN;
	256	if (d->m_len > i)
	257	d->m_len = i;
	258	dptr = mtod(d, u_int8_t *);
	259	dn = 0;
	260	}
	261
	262	/* adjust len if greater than space available in dest */
	263	if (len > d->m_len - dn)
	264	len = d->m_len - dn;
	265
	266	/* decrypt */
	267	aes_decrypt_cbc(sp, iv, len >> 4, dptr + dn,
	268	(aes_decrypt_ctx)(&(((aes_ctx)sav->sched)->decrypt)));
	269
	270	/* udpate offsets */
	271	sn += len;
	272	dn += len;
	273
	274	// next iv
	275	bcopy(sp + len - AES_BLOCKLEN, iv, AES_BLOCKLEN);
	276
	277	/* find the next source block */
	278	while (s && sn >= s->m_len) {
	279	sn -= s->m_len;
	280	soff += s->m_len;
	281	s = s->m_next;
	282	}
	283
	284	}
	285
	286	/* free un-needed source mbufs and add dest mbufs to chain */
	287	m_freem(scut->m_next);
	288	scut->m_len = scutoff;
	289	scut->m_next = d0;
	290
	291	/* just in case */
	292	bzero(iv, sizeof(iv));
	293	bzero(sbuf, sizeof(sbuf));
91447636	294
9bccf70c A	295	return 0;
	296	}
	297
	298	int
2d21ac55 A	299	esp_cbc_encrypt_aes(
	300	struct mbuf *m,
	301	size_t off,
	302	__unused size_t plen,
	303	struct secasvar *sav,
	304	const struct esp_algorithm *algo,
	305	int ivlen)
9bccf70c	306	{
91447636 A	307	struct mbuf *s;
91447636 A	308	struct mbuf d, d0, *dp;
2d21ac55	309	int soff; /* offset from the head of chain, to head of this mbuf */
91447636 A	310	int sn, dn; /* offset from the head of the mbuf, to meat */
	311	size_t ivoff, bodyoff;
	312	u_int8_t ivp, dptr;
	313	u_int8_t sbuf[AES_BLOCKLEN], *sp;
	314	struct mbuf *scut;
	315	int scutoff;
	316	int i, len;
	317
	318	if (ivlen != AES_BLOCKLEN) {
	319	ipseclog((LOG_ERR, "esp_cbc_encrypt %s: "
	320	"unsupported ivlen %d\n", algo->name, ivlen));
	321	m_freem(m);
	322	return EINVAL;
	323	}
	324
	325	if (sav->flags & SADB_X_EXT_OLD) {
	326	/* RFC 1827 */
	327	ivoff = off + sizeof(struct esp);
	328	bodyoff = off + sizeof(struct esp) + ivlen;
	329	} else {
	330	ivoff = off + sizeof(struct newesp);
	331	bodyoff = off + sizeof(struct newesp) + ivlen;
	332	}
	333
	334	/* put iv into the packet */
	335	m_copyback(m, ivoff, ivlen, sav->iv);
b0d623f7	336	ivp = (u_int8_t *) sav->iv;
91447636 A	337
	338	if (m->m_pkthdr.len < bodyoff) {
	339	ipseclog((LOG_ERR, "esp_cbc_encrypt %s: bad len %d/%lu\n",
b0d623f7	340	algo->name, m->m_pkthdr.len, (u_int32_t)bodyoff));
91447636 A	341	m_freem(m);
	342	return EINVAL;
	343	}
	344	if ((m->m_pkthdr.len - bodyoff) % AES_BLOCKLEN) {
	345	ipseclog((LOG_ERR, "esp_cbc_encrypt %s: "
	346	"payload length must be multiple of %lu\n",
	347	algo->name, AES_BLOCKLEN));
	348	m_freem(m);
	349	return EINVAL;
	350	}
91447636 A	351
	352	s = m;
	353	soff = sn = dn = 0;
	354	d = d0 = dp = NULL;
	355	sp = dptr = NULL;
	356
	357	/* skip headers/IV */
	358	while (soff < bodyoff) {
	359	if (soff + s->m_len > bodyoff) {
	360	sn = bodyoff - soff;
	361	break;
	362	}
	363
	364	soff += s->m_len;
	365	s = s->m_next;
	366	}
	367	scut = s;
	368	scutoff = sn;
	369
	370	/* skip over empty mbuf */
	371	while (s && s->m_len == 0)
	372	s = s->m_next;
	373
	374	while (soff < m->m_pkthdr.len) {
	375	/* source */
	376	if (sn + AES_BLOCKLEN <= s->m_len) {
	377	/* body is continuous */
	378	sp = mtod(s, u_int8_t *) + sn;
	379	len = s->m_len - sn;
	380	len -= len % AES_BLOCKLEN; // full blocks only
	381	} else {
	382	/* body is non-continuous */
b0d623f7	383	m_copydata(s, sn, AES_BLOCKLEN, (caddr_t) sbuf);
91447636 A	384	sp = sbuf;
	385	len = AES_BLOCKLEN; // 1 block only in sbuf
	386	}
	387
	388	/* destination */
	389	if (!d \|\| dn + AES_BLOCKLEN > d->m_len) {
	390	if (d)
	391	dp = d;
	392	MGET(d, M_DONTWAIT, MT_DATA);
	393	i = m->m_pkthdr.len - (soff + sn);
	394	if (d && i > MLEN) {
	395	MCLGET(d, M_DONTWAIT);
	396	if ((d->m_flags & M_EXT) == 0) {
2d21ac55 A	397	d = m_mbigget(d, M_DONTWAIT);
	398	if ((d->m_flags & M_EXT) == 0) {
	399	m_free(d);
	400	d = NULL;
	401	}
91447636 A	402	}
	403	}
	404	if (!d) {
	405	m_freem(m);
	406	if (d0)
	407	m_freem(d0);
91447636 A	408	return ENOBUFS;
	409	}
	410	if (!d0)
	411	d0 = d;
	412	if (dp)
	413	dp->m_next = d;
	414
	415	d->m_len = M_TRAILINGSPACE(d);
	416	d->m_len -= d->m_len % AES_BLOCKLEN;
	417	if (d->m_len > i)
	418	d->m_len = i;
	419	dptr = mtod(d, u_int8_t *);
	420	dn = 0;
	421	}
	422
	423	/* adjust len if greater than space available */
	424	if (len > d->m_len - dn)
	425	len = d->m_len - dn;
	426
	427	/* encrypt */
	428	aes_encrypt_cbc(sp, ivp, len >> 4, dptr + dn,
	429	(aes_encrypt_ctx)(&(((aes_ctx)sav->sched)->encrypt)));
	430
	431	/* update offsets */
	432	sn += len;
	433	dn += len;
	434
	435	/* next iv */
	436	ivp = dptr + dn - AES_BLOCKLEN; // last block encrypted
	437
	438	/* find the next source block and skip empty mbufs */
	439	while (s && sn >= s->m_len) {
	440	sn -= s->m_len;
	441	soff += s->m_len;
	442	s = s->m_next;
	443	}
	444
	445	}
	446
	447	/* free un-needed source mbufs and add dest mbufs to chain */
	448	m_freem(scut->m_next);
	449	scut->m_len = scutoff;
	450	scut->m_next = d0;
	451
	452	/* just in case */
	453	bzero(sbuf, sizeof(sbuf));
91447636 A	454	key_sa_stir_iv(sav);
91447636 A	455
9bccf70c A	456	return 0;
9bccf70c A	457	}