xnu-6153.11.26.tar.gz

[apple/xnu.git] / bsd / netinet6 / esp_core.c
diff --git a/bsd/netinet6/esp_core.c b/bsd/netinet6/esp_core.c

index 7b8b124c6553e54102c6ad35efaab0d792b10b50..17bd8e242007cd75c1a75ef10a61ecb2b8abdc66 100644 (file)
--- a/bsd/netinet6/esp_core.c
+++ b/bsd/netinet6/esp_core.c
@@ -1,3 +1,31 @@
+/*
+ * Copyright (c) 2008-2019 Apple Inc. All rights reserved.
+ *
+ * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. The rights granted to you under the License
+ * may not be used to create, or enable the creation or redistribution of,
+ * unlawful or unlicensed copies of an Apple operating system, or to
+ * circumvent, violate, or enable the circumvention or violation of, any
+ * terms of an Apple operating system software license agreement.
+ *
+ * Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
+ */
+
  /*     $FreeBSD: src/sys/netinet6/esp_core.c,v 1.1.2.4 2002/03/26 10:12:29 ume Exp $   */
  /*     $KAME: esp_core.c,v 1.50 2000/11/02 12:27:38 itojun Exp $       */
  
  /*     $FreeBSD: src/sys/netinet6/esp_core.c,v 1.1.2.4 2002/03/26 10:12:29 ume Exp $   */
  /*     $KAME: esp_core.c,v 1.50 2000/11/02 12:27:38 itojun Exp $       */
  
@@ -44,6 +72,8 @@
  #include <sys/kernel.h>
  #include <sys/syslog.h>
  
  #include <sys/kernel.h>
  #include <sys/syslog.h>
  
+#include <kern/locks.h>
+
  #include <net/if.h>
  #include <net/route.h>
  
  #include <net/if.h>
  #include <net/route.h>
  
@@ -68,139 +98,223 @@
  #include <netinet6/esp6.h>
  #endif
  #include <netinet6/esp_rijndael.h>
  #include <netinet6/esp6.h>
  #endif
  #include <netinet6/esp_rijndael.h>
+#include <netinet6/esp_chachapoly.h>
  #include <net/pfkeyv2.h>
  #include <netkey/keydb.h>
  #include <netkey/key.h>
  #include <net/pfkeyv2.h>
  #include <netkey/keydb.h>
  #include <netkey/key.h>
-#include <crypto/des/des.h>
-#include <crypto/blowfish/blowfish.h>
-#include <crypto/cast128/cast128.h>
+#include <libkern/crypto/des.h>
  
  #include <net/net_osdep.h>
  
  #include <sys/kdebug.h>
  
  #include <net/net_osdep.h>
  
  #include <sys/kdebug.h>
-#define DBG_LAYER_BEG          NETDBG_CODE(DBG_NETIPSEC, 1)
-#define DBG_LAYER_END          NETDBG_CODE(DBG_NETIPSEC, 3)
-#define DBG_FNC_ESPAUTH                NETDBG_CODE(DBG_NETIPSEC, (8 << 8))
-
-static int esp_null_mature __P((struct secasvar *));
-static int esp_null_decrypt __P((struct mbuf *, size_t,
-       struct secasvar *, const struct esp_algorithm *, int));
-static int esp_null_encrypt __P((struct mbuf *, size_t, size_t,
-       struct secasvar *, const struct esp_algorithm *, int));
-static int esp_descbc_mature __P((struct secasvar *));
-static int esp_descbc_ivlen __P((const struct esp_algorithm *,
-       struct secasvar *));
-static int esp_des_schedule __P((const struct esp_algorithm *,
-       struct secasvar *));
-static int esp_des_schedlen __P((const struct esp_algorithm *));
-static int esp_des_blockdecrypt __P((const struct esp_algorithm *,
-       struct secasvar *, u_int8_t *, u_int8_t *));
-static int esp_des_blockencrypt __P((const struct esp_algorithm *,
-       struct secasvar *, u_int8_t *, u_int8_t *));
-static int esp_cbc_mature __P((struct secasvar *));
-static int esp_blowfish_schedule __P((const struct esp_algorithm *,
-       struct secasvar *));
-static int esp_blowfish_schedlen __P((const struct esp_algorithm *));
-static int esp_blowfish_blockdecrypt __P((const struct esp_algorithm *,
-       struct secasvar *, u_int8_t *, u_int8_t *));
-static int esp_blowfish_blockencrypt __P((const struct esp_algorithm *,
-       struct secasvar *, u_int8_t *, u_int8_t *));
-static int esp_cast128_schedule __P((const struct esp_algorithm *,
-       struct secasvar *));
-static int esp_cast128_schedlen __P((const struct esp_algorithm *));
-static int esp_cast128_blockdecrypt __P((const struct esp_algorithm *,
-       struct secasvar *, u_int8_t *, u_int8_t *));
-static int esp_cast128_blockencrypt __P((const struct esp_algorithm *,
-       struct secasvar *, u_int8_t *, u_int8_t *));
-static int esp_3des_schedule __P((const struct esp_algorithm *,
-       struct secasvar *));
-static int esp_3des_schedlen __P((const struct esp_algorithm *));
-static int esp_3des_blockdecrypt __P((const struct esp_algorithm *,
-       struct secasvar *, u_int8_t *, u_int8_t *));
-static int esp_3des_blockencrypt __P((const struct esp_algorithm *,
-       struct secasvar *, u_int8_t *, u_int8_t *));
-static int esp_common_ivlen __P((const struct esp_algorithm *,
-       struct secasvar *));
-static int esp_cbc_decrypt __P((struct mbuf *, size_t,
-       struct secasvar *, const struct esp_algorithm *, int));
-static int esp_cbc_encrypt __P((struct mbuf *, size_t, size_t,
-       struct secasvar *, const struct esp_algorithm *, int));
-
-#define MAXIVLEN       16
-
-static const struct esp_algorithm esp_algorithms[] = {
-       { 8, -1, esp_descbc_mature, 64, 64, esp_des_schedlen,
-               "des-cbc",
-               esp_descbc_ivlen, esp_cbc_decrypt,
-               esp_cbc_encrypt, esp_des_schedule,
-               esp_des_blockdecrypt, esp_des_blockencrypt, },
-       { 8, 8, esp_cbc_mature, 192, 192, esp_3des_schedlen,
-               "3des-cbc",
-               esp_common_ivlen, esp_cbc_decrypt,
-               esp_cbc_encrypt, esp_3des_schedule,
-               esp_3des_blockdecrypt, esp_3des_blockencrypt, },
-       { 1, 0, esp_null_mature, 0, 2048, 0, "null",
-               esp_common_ivlen, esp_null_decrypt,
-               esp_null_encrypt, NULL, },
-       { 8, 8, esp_cbc_mature, 40, 448, esp_blowfish_schedlen, "blowfish-cbc",
-               esp_common_ivlen, esp_cbc_decrypt,
-               esp_cbc_encrypt, esp_blowfish_schedule,
-               esp_blowfish_blockdecrypt, esp_blowfish_blockencrypt, },
-       { 8, 8, esp_cbc_mature, 40, 128, esp_cast128_schedlen,
-               "cast128-cbc",
-               esp_common_ivlen, esp_cbc_decrypt,
-               esp_cbc_encrypt, esp_cast128_schedule,
-               esp_cast128_blockdecrypt, esp_cast128_blockencrypt, },
-       { 16, 16, esp_cbc_mature, 128, 256, esp_rijndael_schedlen,
-               "rijndael-cbc",
-               esp_common_ivlen, esp_cbc_decrypt,
-               esp_cbc_encrypt, esp_rijndael_schedule,
-               esp_rijndael_blockdecrypt, esp_rijndael_blockencrypt },
+#define DBG_LAYER_BEG           NETDBG_CODE(DBG_NETIPSEC, 1)
+#define DBG_LAYER_END           NETDBG_CODE(DBG_NETIPSEC, 3)
+#define DBG_FNC_ESPAUTH         NETDBG_CODE(DBG_NETIPSEC, (8 << 8))
+#define MAX_SBUF_LEN            2000
+
+extern lck_mtx_t *sadb_mutex;
+os_log_t esp_mpkl_log_object = NULL;
+
+static int esp_null_mature(struct secasvar *);
+static int esp_null_decrypt(struct mbuf *, size_t,
+    struct secasvar *, const struct esp_algorithm *, int);
+static int esp_null_encrypt(struct mbuf *, size_t, size_t,
+    struct secasvar *, const struct esp_algorithm *, int);
+static int esp_descbc_mature(struct secasvar *);
+static int esp_descbc_ivlen(const struct esp_algorithm *,
+    struct secasvar *);
+static int esp_des_schedule(const struct esp_algorithm *,
+    struct secasvar *);
+static int esp_des_schedlen(const struct esp_algorithm *);
+static int esp_des_blockdecrypt(const struct esp_algorithm *,
+    struct secasvar *, u_int8_t *, u_int8_t *);
+static int esp_des_blockencrypt(const struct esp_algorithm *,
+    struct secasvar *, u_int8_t *, u_int8_t *);
+static int esp_cbc_mature(struct secasvar *);
+static int esp_3des_schedule(const struct esp_algorithm *,
+    struct secasvar *);
+static int esp_3des_schedlen(const struct esp_algorithm *);
+static int esp_3des_blockdecrypt(const struct esp_algorithm *,
+    struct secasvar *, u_int8_t *, u_int8_t *);
+static int esp_3des_blockencrypt(const struct esp_algorithm *,
+    struct secasvar *, u_int8_t *, u_int8_t *);
+static int esp_common_ivlen(const struct esp_algorithm *,
+    struct secasvar *);
+static int esp_cbc_decrypt(struct mbuf *, size_t,
+    struct secasvar *, const struct esp_algorithm *, int);
+static int esp_cbc_encrypt(struct mbuf *, size_t, size_t,
+    struct secasvar *, const struct esp_algorithm *, int);
+static int esp_gcm_mature(struct secasvar *);
+
+#define MAXIVLEN        16
+
+#define ESP_AESGCM_KEYLEN128 160 // 16-bytes key + 4 bytes salt
+#define ESP_AESGCM_KEYLEN192 224 // 24-bytes key + 4 bytes salt
+#define ESP_AESGCM_KEYLEN256 288 // 32-bytes key + 4 bytes salt
+
+static const struct esp_algorithm des_cbc = {
+       .padbound = 8,
+       .ivlenval = -1,
+       .mature = esp_descbc_mature,
+       .keymin = 64,
+       .keymax = 64,
+       .schedlen = esp_des_schedlen,
+       .name = "des-cbc",
+       .ivlen = esp_descbc_ivlen,
+       .decrypt = esp_cbc_decrypt,
+       .encrypt = esp_cbc_encrypt,
+       .schedule = esp_des_schedule,
+       .blockdecrypt = esp_des_blockdecrypt,
+       .blockencrypt = esp_des_blockencrypt,
+       .icvlen = 0,
+       .finalizedecrypt = NULL,
+       .finalizeencrypt = NULL
+};
+
+static const struct esp_algorithm des3_cbc = {
+       .padbound = 8,
+       .ivlenval = 8,
+       .mature = esp_cbc_mature,
+       .keymin = 192,
+       .keymax = 192,
+       .schedlen = esp_3des_schedlen,
+       .name = "3des-cbc",
+       .ivlen = esp_common_ivlen,
+       .decrypt = esp_cbc_decrypt,
+       .encrypt = esp_cbc_encrypt,
+       .schedule = esp_3des_schedule,
+       .blockdecrypt = esp_3des_blockdecrypt,
+       .blockencrypt = esp_3des_blockencrypt,
+       .icvlen = 0,
+       .finalizedecrypt = NULL,
+       .finalizeencrypt = NULL
+};
+
+static const struct esp_algorithm null_esp = {
+       .padbound = 1,
+       .ivlenval = 0,
+       .mature = esp_null_mature,
+       .keymin = 0,
+       .keymax = 2048,
+       .schedlen = NULL,
+       .name = "null",
+       .ivlen = esp_common_ivlen,
+       .decrypt = esp_null_decrypt,
+       .encrypt = esp_null_encrypt,
+       .schedule = NULL,
+       .blockdecrypt = NULL,
+       .blockencrypt = NULL,
+       .icvlen = 0,
+       .finalizedecrypt = NULL,
+       .finalizeencrypt = NULL
+};
+
+static const struct esp_algorithm aes_cbc = {
+       .padbound = 16,
+       .ivlenval = 16,
+       .mature = esp_cbc_mature,
+       .keymin = 128,
+       .keymax = 256,
+       .schedlen = esp_aes_schedlen,
+       .name = "aes-cbc",
+       .ivlen = esp_common_ivlen,
+       .decrypt = esp_cbc_decrypt_aes,
+       .encrypt = esp_cbc_encrypt_aes,
+       .schedule = esp_aes_schedule,
+       .blockdecrypt = NULL,
+       .blockencrypt = NULL,
+       .icvlen = 0,
+       .finalizedecrypt = NULL,
+       .finalizeencrypt = NULL
+};
+
+static const struct esp_algorithm aes_gcm = {
+       .padbound = 4,
+       .ivlenval = 8,
+       .mature = esp_gcm_mature,
+       .keymin = ESP_AESGCM_KEYLEN128,
+       .keymax = ESP_AESGCM_KEYLEN256,
+       .schedlen = esp_gcm_schedlen,
+       .name = "aes-gcm",
+       .ivlen = esp_common_ivlen,
+       .decrypt = esp_gcm_decrypt_aes,
+       .encrypt = esp_gcm_encrypt_aes,
+       .schedule = esp_gcm_schedule,
+       .blockdecrypt = NULL,
+       .blockencrypt = NULL,
+       .icvlen = 16,
+       .finalizedecrypt = esp_gcm_decrypt_finalize,
+       .finalizeencrypt = esp_gcm_encrypt_finalize
+};
+
+static const struct esp_algorithm chacha_poly = {
+       .padbound = ESP_CHACHAPOLY_PAD_BOUND,
+       .ivlenval = ESP_CHACHAPOLY_IV_LEN,
+       .mature = esp_chachapoly_mature,
+       .keymin = ESP_CHACHAPOLY_KEYBITS_WITH_SALT,
+       .keymax = ESP_CHACHAPOLY_KEYBITS_WITH_SALT,
+       .schedlen = esp_chachapoly_schedlen,
+       .name = "chacha-poly",
+       .ivlen = esp_chachapoly_ivlen,
+       .decrypt = esp_chachapoly_decrypt,
+       .encrypt = esp_chachapoly_encrypt,
+       .schedule = esp_chachapoly_schedule,
+       .blockdecrypt = NULL,
+       .blockencrypt = NULL,
+       .icvlen = ESP_CHACHAPOLY_ICV_LEN,
+       .finalizedecrypt = esp_chachapoly_decrypt_finalize,
+       .finalizeencrypt = esp_chachapoly_encrypt_finalize
+};
+
+static const struct esp_algorithm *esp_algorithms[] = {
+       &des_cbc,
+       &des3_cbc,
+       &null_esp,
+       &aes_cbc,
+       &aes_gcm,
+       &chacha_poly,
  };
  
  const struct esp_algorithm *
  };
  
  const struct esp_algorithm *
-esp_algorithm_lookup(idx)
-       int idx;
+esp_algorithm_lookup(int idx)
  {
  {
-
         switch (idx) {
         case SADB_EALG_DESCBC:
         switch (idx) {
         case SADB_EALG_DESCBC:
-               return &esp_algorithms[0];
+               return &des_cbc;
         case SADB_EALG_3DESCBC:
         case SADB_EALG_3DESCBC:
-               return &esp_algorithms[1];
+               return &des3_cbc;
         case SADB_EALG_NULL:
         case SADB_EALG_NULL:
-               return &esp_algorithms[2];
-       case SADB_X_EALG_BLOWFISHCBC:
-               return &esp_algorithms[3];
-       case SADB_X_EALG_CAST128CBC:
-               return &esp_algorithms[4];
+               return &null_esp;
         case SADB_X_EALG_RIJNDAELCBC:
         case SADB_X_EALG_RIJNDAELCBC:
-               return &esp_algorithms[5];
+               return &aes_cbc;
+       case SADB_X_EALG_AES_GCM:
+               return &aes_gcm;
+       case SADB_X_EALG_CHACHA20POLY1305:
+               return &chacha_poly;
         default:
                 return NULL;
         }
  }
  
  int
         default:
                 return NULL;
         }
  }
  
  int
-esp_max_ivlen()
+esp_max_ivlen(void)
  {
         int idx;
         int ivlen;
  
         ivlen = 0;
  {
         int idx;
         int ivlen;
  
         ivlen = 0;
-       for (idx = 0; idx < sizeof(esp_algorithms)/sizeof(esp_algorithms[0]);
-            idx++) {
-               if (esp_algorithms[idx].ivlenval > ivlen)
-                       ivlen = esp_algorithms[idx].ivlenval;
+       for (idx = 0; idx < sizeof(esp_algorithms) / sizeof(esp_algorithms[0]);
+           idx++) {
+               if (esp_algorithms[idx]->ivlenval > ivlen) {
+                       ivlen = esp_algorithms[idx]->ivlenval;
+               }
         }
  
         return ivlen;
  }
  
  int
         }
  
         return ivlen;
  }
  
  int
-esp_schedule(algo, sav)
-       const struct esp_algorithm *algo;
-       struct secasvar *sav;
+esp_schedule(const struct esp_algorithm *algo, struct secasvar *sav)
  {
         int error;
  
  {
         int error;
  
@@ -214,21 +328,41 @@ esp_schedule(algo, sav)
                 return EINVAL;
         }
  
                 return EINVAL;
         }
  
+       lck_mtx_lock(sadb_mutex);
         /* already allocated */
         /* already allocated */
-       if (sav->sched && sav->schedlen != 0)
+       if (sav->sched && sav->schedlen != 0) {
+               lck_mtx_unlock(sadb_mutex);
                 return 0;
                 return 0;
+       }
+
+       /* prevent disallowed implicit IV */
+       if (((sav->flags & SADB_X_EXT_IIV) != 0) &&
+           (sav->alg_enc != SADB_X_EALG_AES_GCM) &&
+           (sav->alg_enc != SADB_X_EALG_CHACHA20POLY1305)) {
+               ipseclog((LOG_ERR,
+                   "esp_schedule %s: implicit IV not allowed\n",
+                   algo->name));
+               lck_mtx_unlock(sadb_mutex);
+               return EINVAL;
+       }
+
         /* no schedule necessary */
         /* no schedule necessary */
-       if (!algo->schedule || !algo->schedlen)
+       if (!algo->schedule || !algo->schedlen) {
+               lck_mtx_unlock(sadb_mutex);
                 return 0;
                 return 0;
+       }
  
         sav->schedlen = (*algo->schedlen)(algo);
  
         sav->schedlen = (*algo->schedlen)(algo);
-       if (sav->schedlen < 0)
+       if ((signed) sav->schedlen < 0) {
+               lck_mtx_unlock(sadb_mutex);
                 return EINVAL;
                 return EINVAL;
+       }
  
  //#### that malloc should be replaced by a saved buffer...
         sav->sched = _MALLOC(sav->schedlen, M_SECA, M_DONTWAIT);
         if (!sav->sched) {
                 sav->schedlen = 0;
  
  //#### that malloc should be replaced by a saved buffer...
         sav->sched = _MALLOC(sav->schedlen, M_SECA, M_DONTWAIT);
         if (!sav->sched) {
                 sav->schedlen = 0;
+               lck_mtx_unlock(sadb_mutex);
                 return ENOBUFS;
         }
  
                 return ENOBUFS;
         }
  
@@ -241,46 +375,43 @@ esp_schedule(algo, sav)
                 sav->sched = NULL;
                 sav->schedlen = 0;
         }
                 sav->sched = NULL;
                 sav->schedlen = 0;
         }
+       lck_mtx_unlock(sadb_mutex);
         return error;
  }
  
  static int
         return error;
  }
  
  static int
-esp_null_mature(sav)
-       struct secasvar *sav;
+esp_null_mature(
+       __unused struct secasvar *sav)
  {
  {
-
         /* anything is okay */
         return 0;
  }
  
  static int
         /* anything is okay */
         return 0;
  }
  
  static int
-esp_null_decrypt(m, off, sav, algo, ivlen)
-       struct mbuf *m;
-       size_t off;             /* offset to ESP header */
-       struct secasvar *sav;
-       const struct esp_algorithm *algo;
-       int ivlen;
+esp_null_decrypt(
+       __unused struct mbuf *m,
+       __unused size_t off,            /* offset to ESP header */
+       __unused struct secasvar *sav,
+       __unused const struct esp_algorithm *algo,
+       __unused int ivlen)
  {
  {
-
         return 0; /* do nothing */
  }
  
  static int
         return 0; /* do nothing */
  }
  
  static int
-esp_null_encrypt(m, off, plen, sav, algo, ivlen)
-       struct mbuf *m;
-       size_t off;     /* offset to ESP header */
-       size_t plen;    /* payload length (to be encrypted) */
-       struct secasvar *sav;
-       const struct esp_algorithm *algo;
-       int ivlen;
+esp_null_encrypt(
+       __unused struct mbuf *m,
+       __unused size_t off,    /* offset to ESP header */
+       __unused size_t plen,   /* payload length (to be encrypted) */
+       __unused struct secasvar *sav,
+       __unused const struct esp_algorithm *algo,
+       __unused int ivlen)
  {
  {
-
         return 0; /* do nothing */
  }
  
  static int
         return 0; /* do nothing */
  }
  
  static int
-esp_descbc_mature(sav)
-       struct secasvar *sav;
+esp_descbc_mature(struct secasvar *sav)
  {
         const struct esp_algorithm *algo;
  
  {
         const struct esp_algorithm *algo;
  
@@ -321,74 +452,71 @@ esp_descbc_mature(sav)
  }
  
  static int
  }
  
  static int
-esp_descbc_ivlen(algo, sav)
-       const struct esp_algorithm *algo;
-       struct secasvar *sav;
+esp_descbc_ivlen(
+       __unused const struct esp_algorithm *algo,
+       struct secasvar *sav)
  {
  {
-
-       if (!sav)
+       if (!sav) {
                 return 8;
                 return 8;
-       if ((sav->flags & SADB_X_EXT_OLD) && (sav->flags & SADB_X_EXT_IV4B))
+       }
+       if ((sav->flags & SADB_X_EXT_OLD) && (sav->flags & SADB_X_EXT_IV4B)) {
                 return 4;
                 return 4;
-       if (!(sav->flags & SADB_X_EXT_OLD) && (sav->flags & SADB_X_EXT_DERIV))
+       }
+       if (!(sav->flags & SADB_X_EXT_OLD) && (sav->flags & SADB_X_EXT_DERIV)) {
                 return 4;
                 return 4;
+       }
         return 8;
  }
  
  static int
         return 8;
  }
  
  static int
-esp_des_schedlen(algo)
-       const struct esp_algorithm *algo;
+esp_des_schedlen(
+       __unused const struct esp_algorithm *algo)
  {
  {
-
-       return sizeof(des_key_schedule);
+       return sizeof(des_ecb_key_schedule);
  }
  
  static int
  }
  
  static int
-esp_des_schedule(algo, sav)
-       const struct esp_algorithm *algo;
-       struct secasvar *sav;
+esp_des_schedule(
+       __unused const struct esp_algorithm *algo,
+       struct secasvar *sav)
  {
  {
-
-       if (des_key_sched((des_cblock *)_KEYBUF(sav->key_enc),
-           *(des_key_schedule *)sav->sched))
+       LCK_MTX_ASSERT(sadb_mutex, LCK_MTX_ASSERT_OWNED);
+       if (des_ecb_key_sched((des_cblock *)_KEYBUF(sav->key_enc),
+           (des_ecb_key_schedule *)sav->sched)) {
                 return EINVAL;
                 return EINVAL;
-       else
+       } else {
                 return 0;
                 return 0;
+       }
  }
  
  static int
  }
  
  static int
-esp_des_blockdecrypt(algo, sav, s, d)
-       const struct esp_algorithm *algo;
-       struct secasvar *sav;
-       u_int8_t *s;
-       u_int8_t *d;
+esp_des_blockdecrypt(
+       __unused const struct esp_algorithm *algo,
+       struct secasvar *sav,
+       u_int8_t *s,
+       u_int8_t *d)
  {
  {
-
         /* assumption: d has a good alignment */
         bcopy(s, d, sizeof(DES_LONG) * 2);
         /* assumption: d has a good alignment */
         bcopy(s, d, sizeof(DES_LONG) * 2);
-       des_ecb_encrypt((des_cblock *)d, (des_cblock *)d,
-           *(des_key_schedule *)sav->sched, DES_DECRYPT);
-       return 0;
+       return des_ecb_encrypt((des_cblock *)d, (des_cblock *)d,
+                  (des_ecb_key_schedule *)sav->sched, DES_DECRYPT);
  }
  
  static int
  }
  
  static int
-esp_des_blockencrypt(algo, sav, s, d)
-       const struct esp_algorithm *algo;
-       struct secasvar *sav;
-       u_int8_t *s;
-       u_int8_t *d;
+esp_des_blockencrypt(
+       __unused const struct esp_algorithm *algo,
+       struct secasvar *sav,
+       u_int8_t *s,
+       u_int8_t *d)
  {
  {
-
         /* assumption: d has a good alignment */
         bcopy(s, d, sizeof(DES_LONG) * 2);
         /* assumption: d has a good alignment */
         bcopy(s, d, sizeof(DES_LONG) * 2);
-       des_ecb_encrypt((des_cblock *)d, (des_cblock *)d,
-           *(des_key_schedule *)sav->sched, DES_ENCRYPT);
-       return 0;
+       return des_ecb_encrypt((des_cblock *)d, (des_cblock *)d,
+                  (des_ecb_key_schedule *)sav->sched, DES_ENCRYPT);
  }
  
  static int
  }
  
  static int
-esp_cbc_mature(sav)
-       struct secasvar *sav;
+esp_cbc_mature(struct secasvar *sav)
  {
         int keylen;
         const struct esp_algorithm *algo;
  {
         int keylen;
         const struct esp_algorithm *algo;
@@ -412,7 +540,7 @@ esp_cbc_mature(sav)
         algo = esp_algorithm_lookup(sav->alg_enc);
         if (!algo) {
                 ipseclog((LOG_ERR,
         algo = esp_algorithm_lookup(sav->alg_enc);
         if (!algo) {
                 ipseclog((LOG_ERR,
-                   "esp_cbc_mature %s: unsupported algorithm.\n", algo->name));
+                   "esp_cbc_mature: unsupported algorithm.\n"));
                 return 1;
         }
  
                 return 1;
         }
  
@@ -435,9 +563,6 @@ esp_cbc_mature(sav)
                         return 1;
                 }
                 break;
                         return 1;
                 }
                 break;
-       case SADB_X_EALG_BLOWFISHCBC:
-       case SADB_X_EALG_CAST128CBC:
-               break;
         case SADB_X_EALG_RIJNDAELCBC:
                 /* allows specific key sizes only */
                 if (!(keylen == 128 || keylen == 192 || keylen == 256)) {
         case SADB_X_EALG_RIJNDAELCBC:
                 /* allows specific key sizes only */
                 if (!(keylen == 128 || keylen == 192 || keylen == 256)) {
@@ -453,205 +578,139 @@ esp_cbc_mature(sav)
  }
  
  static int
  }
  
  static int
-esp_blowfish_schedlen(algo)
-       const struct esp_algorithm *algo;
-{
-
-       return sizeof(BF_KEY);
-}
-
-static int
-esp_blowfish_schedule(algo, sav)
-       const struct esp_algorithm *algo;
-       struct secasvar *sav;
-{
-
-       BF_set_key((BF_KEY *)sav->sched, _KEYLEN(sav->key_enc),
-           _KEYBUF(sav->key_enc));
-       return 0;
-}
-
-static int
-esp_blowfish_blockdecrypt(algo, sav, s, d)
-       const struct esp_algorithm *algo;
-       struct secasvar *sav;
-       u_int8_t *s;
-       u_int8_t *d;
-{
-       /* HOLY COW!  BF_decrypt() takes values in host byteorder */
-       BF_LONG t[2];
-
-       bcopy(s, t, sizeof(t));
-       t[0] = ntohl(t[0]);
-       t[1] = ntohl(t[1]);
-       BF_decrypt(t, (BF_KEY *)sav->sched);
-       t[0] = htonl(t[0]);
-       t[1] = htonl(t[1]);
-       bcopy(t, d, sizeof(t));
-       return 0;
-}
-
-static int
-esp_blowfish_blockencrypt(algo, sav, s, d)
-       const struct esp_algorithm *algo;
-       struct secasvar *sav;
-       u_int8_t *s;
-       u_int8_t *d;
-{
-       /* HOLY COW!  BF_encrypt() takes values in host byteorder */
-       BF_LONG t[2];
-
-       bcopy(s, t, sizeof(t));
-       t[0] = ntohl(t[0]);
-       t[1] = ntohl(t[1]);
-       BF_encrypt(t, (BF_KEY *)sav->sched);
-       t[0] = htonl(t[0]);
-       t[1] = htonl(t[1]);
-       bcopy(t, d, sizeof(t));
-       return 0;
-}
-
-static int
-esp_cast128_schedlen(algo)
-       const struct esp_algorithm *algo;
+esp_gcm_mature(struct secasvar *sav)
  {
  {
-
-       return sizeof(u_int32_t) * 32;
-}
-
-static int
-esp_cast128_schedule(algo, sav)
+       int keylen;
         const struct esp_algorithm *algo;
         const struct esp_algorithm *algo;
-       struct secasvar *sav;
-{
  
  
-       set_cast128_subkey((u_int32_t *)sav->sched, _KEYBUF(sav->key_enc),
-               _KEYLEN(sav->key_enc));
-       return 0;
-}
+       if (sav->flags & SADB_X_EXT_OLD) {
+               ipseclog((LOG_ERR,
+                   "esp_gcm_mature: algorithm incompatible with esp-old\n"));
+               return 1;
+       }
+       if (sav->flags & SADB_X_EXT_DERIV) {
+               ipseclog((LOG_ERR,
+                   "esp_gcm_mature: algorithm incompatible with derived\n"));
+               return 1;
+       }
+       if (sav->flags & SADB_X_EXT_IIV) {
+               ipseclog((LOG_ERR,
+                   "esp_gcm_mature: implicit IV not currently implemented\n"));
+               return 1;
+       }
  
  
-static int
-esp_cast128_blockdecrypt(algo, sav, s, d)
-       const struct esp_algorithm *algo;
-       struct secasvar *sav;
-       u_int8_t *s;
-       u_int8_t *d;
-{
+       if (!sav->key_enc) {
+               ipseclog((LOG_ERR, "esp_gcm_mature: no key is given.\n"));
+               return 1;
+       }
  
  
-       if (_KEYLEN(sav->key_enc) <= 80 / 8)
-               cast128_decrypt_round12(d, s, (u_int32_t *)sav->sched);
-       else
-               cast128_decrypt_round16(d, s, (u_int32_t *)sav->sched);
-       return 0;
-}
+       algo = esp_algorithm_lookup(sav->alg_enc);
+       if (!algo) {
+               ipseclog((LOG_ERR,
+                   "esp_gcm_mature: unsupported algorithm.\n"));
+               return 1;
+       }
  
  
-static int
-esp_cast128_blockencrypt(algo, sav, s, d)
-       const struct esp_algorithm *algo;
-       struct secasvar *sav;
-       u_int8_t *s;
-       u_int8_t *d;
-{
+       keylen = sav->key_enc->sadb_key_bits;
+       if (keylen < algo->keymin || algo->keymax < keylen) {
+               ipseclog((LOG_ERR,
+                   "esp_gcm_mature %s: invalid key length %d.\n",
+                   algo->name, sav->key_enc->sadb_key_bits));
+               return 1;
+       }
+       switch (sav->alg_enc) {
+       case SADB_X_EALG_AES_GCM:
+               /* allows specific key sizes only */
+               if (!(keylen == ESP_AESGCM_KEYLEN128 || keylen == ESP_AESGCM_KEYLEN192 || keylen == ESP_AESGCM_KEYLEN256)) {
+                       ipseclog((LOG_ERR,
+                           "esp_gcm_mature %s: invalid key length %d.\n",
+                           algo->name, keylen));
+                       return 1;
+               }
+               break;
+       default:
+               ipseclog((LOG_ERR,
+                   "esp_gcm_mature %s: invalid algo %d.\n", sav->alg_enc));
+               return 1;
+       }
  
  
-       if (_KEYLEN(sav->key_enc) <= 80 / 8)
-               cast128_encrypt_round12(d, s, (u_int32_t *)sav->sched);
-       else
-               cast128_encrypt_round16(d, s, (u_int32_t *)sav->sched);
         return 0;
  }
  
  static int
         return 0;
  }
  
  static int
-esp_3des_schedlen(algo)
-       const struct esp_algorithm *algo;
+esp_3des_schedlen(
+       __unused const struct esp_algorithm *algo)
  {
  {
-
-       return sizeof(des_key_schedule) * 3;
+       return sizeof(des3_ecb_key_schedule);
  }
  
  static int
  }
  
  static int
-esp_3des_schedule(algo, sav)
-       const struct esp_algorithm *algo;
-       struct secasvar *sav;
+esp_3des_schedule(
+       __unused const struct esp_algorithm *algo,
+       struct secasvar *sav)
  {
  {
-       int error;
-       des_key_schedule *p;
-       int i;
-       char *k;
+       LCK_MTX_ASSERT(sadb_mutex, LCK_MTX_ASSERT_OWNED);
  
  
-       p = (des_key_schedule *)sav->sched;
-       k = _KEYBUF(sav->key_enc);
-       for (i = 0; i < 3; i++) {
-               error = des_key_sched((des_cblock *)(k + 8 * i), p[i]);
-               if (error)
-                       return EINVAL;
+       if (des3_ecb_key_sched((des_cblock *)_KEYBUF(sav->key_enc),
+           (des3_ecb_key_schedule *)sav->sched)) {
+               return EINVAL;
+       } else {
+               return 0;
         }
         }
-       return 0;
  }
  
  static int
  }
  
  static int
-esp_3des_blockdecrypt(algo, sav, s, d)
-       const struct esp_algorithm *algo;
-       struct secasvar *sav;
-       u_int8_t *s;
-       u_int8_t *d;
+esp_3des_blockdecrypt(
+       __unused const struct esp_algorithm *algo,
+       struct secasvar *sav,
+       u_int8_t *s,
+       u_int8_t *d)
  {
  {
-       des_key_schedule *p;
-
         /* assumption: d has a good alignment */
         /* assumption: d has a good alignment */
-       p = (des_key_schedule *)sav->sched;
         bcopy(s, d, sizeof(DES_LONG) * 2);
         bcopy(s, d, sizeof(DES_LONG) * 2);
-       des_ecb3_encrypt((des_cblock *)d, (des_cblock *)d, 
-                        p[0], p[1], p[2], DES_DECRYPT);
-       return 0;
+       return des3_ecb_encrypt((des_cblock *)d, (des_cblock *)d,
+                  (des3_ecb_key_schedule *)sav->sched, DES_DECRYPT);
  }
  
  static int
  }
  
  static int
-esp_3des_blockencrypt(algo, sav, s, d)
-       const struct esp_algorithm *algo;
-       struct secasvar *sav;
-       u_int8_t *s;
-       u_int8_t *d;
+esp_3des_blockencrypt(
+       __unused const struct esp_algorithm *algo,
+       struct secasvar *sav,
+       u_int8_t *s,
+       u_int8_t *d)
  {
  {
-       des_key_schedule *p;
-
         /* assumption: d has a good alignment */
         /* assumption: d has a good alignment */
-       p = (des_key_schedule *)sav->sched;
         bcopy(s, d, sizeof(DES_LONG) * 2);
         bcopy(s, d, sizeof(DES_LONG) * 2);
-       des_ecb3_encrypt((des_cblock *)d, (des_cblock *)d, 
-                        p[0], p[1], p[2], DES_ENCRYPT);
-       return 0;
+       return des3_ecb_encrypt((des_cblock *)d, (des_cblock *)d,
+                  (des3_ecb_key_schedule *)sav->sched, DES_ENCRYPT);
  }
  
  static int
  }
  
  static int
-esp_common_ivlen(algo, sav)
-       const struct esp_algorithm *algo;
-       struct secasvar *sav;
+esp_common_ivlen(
+       const struct esp_algorithm *algo,
+       __unused struct secasvar *sav)
  {
  {
-
-       if (!algo)
+       if (!algo) {
                 panic("esp_common_ivlen: unknown algorithm");
                 panic("esp_common_ivlen: unknown algorithm");
+       }
         return algo->ivlenval;
  }
  
  static int
         return algo->ivlenval;
  }
  
  static int
-esp_cbc_decrypt(m, off, sav, algo, ivlen)
-       struct mbuf *m;
-       size_t off;
-       struct secasvar *sav;
-       const struct esp_algorithm *algo;
-       int ivlen;
+esp_cbc_decrypt(struct mbuf *m, size_t off, struct secasvar *sav,
+    const struct esp_algorithm *algo, int ivlen)
  {
         struct mbuf *s;
         struct mbuf *d, *d0, *dp;
  {
         struct mbuf *s;
         struct mbuf *d, *d0, *dp;
-       int soff, doff; /* offset from the head of chain, to head of this mbuf */
-       int sn, dn;     /* offset from the head of the mbuf, to meat */
+       int soff, doff; /* offset from the head of chain, to head of this mbuf */
+       int sn, dn;     /* offset from the head of the mbuf, to meat */
         size_t ivoff, bodyoff;
         size_t ivoff, bodyoff;
-       u_int8_t iv[MAXIVLEN], *ivp;
-       u_int8_t sbuf[MAXIVLEN], *sp;
+       u_int8_t iv[MAXIVLEN] __attribute__((aligned(4))), *ivp;
+       u_int8_t *sbuf = NULL, *sp, *sp_unaligned;
         u_int8_t *p, *q;
         struct mbuf *scut;
         int scutoff;
         u_int8_t *p, *q;
         struct mbuf *scut;
         int scutoff;
-       int i;
+       int i, result = 0;
         int blocklen;
         int derived;
  
         int blocklen;
         int derived;
  
@@ -698,12 +757,12 @@ esp_cbc_decrypt(m, off, sav, algo, ivlen)
         }
  
         /* grab iv */
         }
  
         /* grab iv */
-       m_copydata(m, ivoff, ivlen, iv);
+       m_copydata(m, ivoff, ivlen, (caddr_t) iv);
  
         /* extend iv */
  
         /* extend iv */
-       if (ivlen == blocklen)
+       if (ivlen == blocklen) {
                 ;
                 ;
-       else if (ivlen == 4 && blocklen == 8) {
+       } else if (ivlen == 4 && blocklen == 8) {
                 bcopy(&iv[0], &iv[4], 4);
                 iv[4] ^= 0xff;
                 iv[5] ^= 0xff;
                 bcopy(&iv[0], &iv[4], 4);
                 iv[4] ^= 0xff;
                 iv[5] ^= 0xff;
@@ -719,7 +778,7 @@ esp_cbc_decrypt(m, off, sav, algo, ivlen)
  
         if (m->m_pkthdr.len < bodyoff) {
                 ipseclog((LOG_ERR, "esp_cbc_decrypt %s: bad len %d/%lu\n",
  
         if (m->m_pkthdr.len < bodyoff) {
                 ipseclog((LOG_ERR, "esp_cbc_decrypt %s: bad len %d/%lu\n",
-                   algo->name, m->m_pkthdr.len, (unsigned long)bodyoff));
+                   algo->name, m->m_pkthdr.len, (u_int32_t)bodyoff));
                 m_freem(m);
                 return EINVAL;
         }
                 m_freem(m);
                 return EINVAL;
         }
@@ -750,9 +809,15 @@ esp_cbc_decrypt(m, off, sav, algo, ivlen)
         scutoff = sn;
  
         /* skip over empty mbuf */
         scutoff = sn;
  
         /* skip over empty mbuf */
-       while (s && s->m_len == 0)
+       while (s && s->m_len == 0) {
                 s = s->m_next;
                 s = s->m_next;
+       }
  
  
+       // Allocate blocksized buffer for unaligned or non-contiguous access
+       sbuf = (u_int8_t *)_MALLOC(blocklen, M_SECA, M_DONTWAIT);
+       if (sbuf == NULL) {
+               return ENOBUFS;
+       }
         while (soff < m->m_pkthdr.len) {
                 /* source */
                 if (sn + blocklen <= s->m_len) {
         while (soff < m->m_pkthdr.len) {
                 /* source */
                 if (sn + blocklen <= s->m_len) {
@@ -760,14 +825,15 @@ esp_cbc_decrypt(m, off, sav, algo, ivlen)
                         sp = mtod(s, u_int8_t *) + sn;
                 } else {
                         /* body is non-continuous */
                         sp = mtod(s, u_int8_t *) + sn;
                 } else {
                         /* body is non-continuous */
-                       m_copydata(s, sn, blocklen, sbuf);
+                       m_copydata(s, sn, blocklen, (caddr_t) sbuf);
                         sp = sbuf;
                 }
  
                 /* destination */
                 if (!d || dn + blocklen > d->m_len) {
                         sp = sbuf;
                 }
  
                 /* destination */
                 if (!d || dn + blocklen > d->m_len) {
-                       if (d)
+                       if (d) {
                                 dp = d;
                                 dp = d;
+                       }
                         MGET(d, M_DONTWAIT, MT_DATA);
                         i = m->m_pkthdr.len - (soff + sn);
                         if (d && i > MLEN) {
                         MGET(d, M_DONTWAIT, MT_DATA);
                         i = m->m_pkthdr.len - (soff + sn);
                         if (d && i > MLEN) {
@@ -779,36 +845,63 @@ esp_cbc_decrypt(m, off, sav, algo, ivlen)
                         }
                         if (!d) {
                                 m_freem(m);
                         }
                         if (!d) {
                                 m_freem(m);
-                               if (d0)
+                               if (d0) {
                                         m_freem(d0);
                                         m_freem(d0);
-                               return ENOBUFS;
+                               }
+                               result = ENOBUFS;
+                               goto end;
                         }
                         }
-                       if (!d0)
+                       if (!d0) {
                                 d0 = d;
                                 d0 = d;
-                       if (dp)
+                       }
+                       if (dp) {
                                 dp->m_next = d;
                                 dp->m_next = d;
+                       }
+
+                       // try to make mbuf data aligned
+                       if (!IPSEC_IS_P2ALIGNED(d->m_data)) {
+                               m_adj(d, IPSEC_GET_P2UNALIGNED_OFS(d->m_data));
+                       }
+
                         d->m_len = 0;
                         d->m_len = (M_TRAILINGSPACE(d) / blocklen) * blocklen;
                         d->m_len = 0;
                         d->m_len = (M_TRAILINGSPACE(d) / blocklen) * blocklen;
-                       if (d->m_len > i)
+                       if (d->m_len > i) {
                                 d->m_len = i;
                                 d->m_len = i;
+                       }
                         dn = 0;
                 }
  
                 /* decrypt */
                         dn = 0;
                 }
  
                 /* decrypt */
+               // check input pointer alignment and use a separate aligned buffer (if sp is unaligned on 4-byte boundary).
+               if (IPSEC_IS_P2ALIGNED(sp)) {
+                       sp_unaligned = NULL;
+               } else {
+                       sp_unaligned = sp;
+                       sp = sbuf;
+                       memcpy(sp, sp_unaligned, blocklen);
+               }
+               // no need to check output pointer alignment
                 (*algo->blockdecrypt)(algo, sav, sp, mtod(d, u_int8_t *) + dn);
  
                 (*algo->blockdecrypt)(algo, sav, sp, mtod(d, u_int8_t *) + dn);
  
+               // update unaligned pointers
+               if (!IPSEC_IS_P2ALIGNED(sp_unaligned)) {
+                       sp = sp_unaligned;
+               }
+
                 /* xor */
                 p = ivp ? ivp : iv;
                 q = mtod(d, u_int8_t *) + dn;
                 /* xor */
                 p = ivp ? ivp : iv;
                 q = mtod(d, u_int8_t *) + dn;
-               for (i = 0; i < blocklen; i++)
+               for (i = 0; i < blocklen; i++) {
                         q[i] ^= p[i];
                         q[i] ^= p[i];
+               }
  
                 /* next iv */
                 if (sp == sbuf) {
                         bcopy(sbuf, iv, blocklen);
                         ivp = NULL;
  
                 /* next iv */
                 if (sp == sbuf) {
                         bcopy(sbuf, iv, blocklen);
                         ivp = NULL;
-               } else
+               } else {
                         ivp = sp;
                         ivp = sp;
+               }
  
                 sn += blocklen;
                 dn += blocklen;
  
                 sn += blocklen;
                 dn += blocklen;
@@ -819,10 +912,6 @@ esp_cbc_decrypt(m, off, sav, algo, ivlen)
                         soff += s->m_len;
                         s = s->m_next;
                 }
                         soff += s->m_len;
                         s = s->m_next;
                 }
-
-               /* skip over empty mbuf */
-               while (s && s->m_len == 0)
-                       s = s->m_next;
         }
  
         m_freem(scut->m_next);
         }
  
         m_freem(scut->m_next);
@@ -831,31 +920,34 @@ esp_cbc_decrypt(m, off, sav, algo, ivlen)
  
         /* just in case */
         bzero(iv, sizeof(iv));
  
         /* just in case */
         bzero(iv, sizeof(iv));
-       bzero(sbuf, sizeof(sbuf));
-
-       return 0;
+       bzero(sbuf, blocklen);
+end:
+       if (sbuf != NULL) {
+               FREE(sbuf, M_SECA);
+       }
+       return result;
  }
  
  static int
  }
  
  static int
-esp_cbc_encrypt(m, off, plen, sav, algo, ivlen)
-       struct mbuf *m;
-       size_t off;
-       size_t plen;
-       struct secasvar *sav;
-       const struct esp_algorithm *algo;
-       int ivlen;
+esp_cbc_encrypt(
+       struct mbuf *m,
+       size_t off,
+       __unused size_t plen,
+       struct secasvar *sav,
+       const struct esp_algorithm *algo,
+       int ivlen)
  {
         struct mbuf *s;
         struct mbuf *d, *d0, *dp;
  {
         struct mbuf *s;
         struct mbuf *d, *d0, *dp;
-       int soff, doff; /* offset from the head of chain, to head of this mbuf */
-       int sn, dn;     /* offset from the head of the mbuf, to meat */
+       int soff, doff; /* offset from the head of chain, to head of this mbuf */
+       int sn, dn;     /* offset from the head of the mbuf, to meat */
         size_t ivoff, bodyoff;
         size_t ivoff, bodyoff;
-       u_int8_t iv[MAXIVLEN], *ivp;
-       u_int8_t sbuf[MAXIVLEN], *sp;
+       u_int8_t iv[MAXIVLEN] __attribute__((aligned(4))), *ivp;
+       u_int8_t *sbuf = NULL, *sp, *sp_unaligned;
         u_int8_t *p, *q;
         struct mbuf *scut;
         int scutoff;
         u_int8_t *p, *q;
         struct mbuf *scut;
         int scutoff;
-       int i;
+       int i, result = 0;
         int blocklen;
         int derived;
  
         int blocklen;
         int derived;
  
@@ -902,18 +994,18 @@ esp_cbc_encrypt(m, off, plen, sav, algo, ivlen)
         }
  
         /* put iv into the packet.  if we are in derived mode, use seqno. */
         }
  
         /* put iv into the packet.  if we are in derived mode, use seqno. */
-       if (derived)
-               m_copydata(m, ivoff, ivlen, iv);
-       else {
+       if (derived) {
+               m_copydata(m, ivoff, ivlen, (caddr_t) iv);
+       } else {
                 bcopy(sav->iv, iv, ivlen);
                 /* maybe it is better to overwrite dest, not source */
                 bcopy(sav->iv, iv, ivlen);
                 /* maybe it is better to overwrite dest, not source */
-               m_copyback(m, ivoff, ivlen, iv);
+               m_copyback(m, ivoff, ivlen, (caddr_t) iv);
         }
  
         /* extend iv */
         }
  
         /* extend iv */
-       if (ivlen == blocklen)
+       if (ivlen == blocklen) {
                 ;
                 ;
-       else if (ivlen == 4 && blocklen == 8) {
+       } else if (ivlen == 4 && blocklen == 8) {
                 bcopy(&iv[0], &iv[4], 4);
                 iv[4] ^= 0xff;
                 iv[5] ^= 0xff;
                 bcopy(&iv[0], &iv[4], 4);
                 iv[4] ^= 0xff;
                 iv[5] ^= 0xff;
@@ -929,14 +1021,14 @@ esp_cbc_encrypt(m, off, plen, sav, algo, ivlen)
  
         if (m->m_pkthdr.len < bodyoff) {
                 ipseclog((LOG_ERR, "esp_cbc_encrypt %s: bad len %d/%lu\n",
  
         if (m->m_pkthdr.len < bodyoff) {
                 ipseclog((LOG_ERR, "esp_cbc_encrypt %s: bad len %d/%lu\n",
-                   algo->name, m->m_pkthdr.len, (unsigned long)bodyoff));
+                   algo->name, m->m_pkthdr.len, (u_int32_t)bodyoff));
                 m_freem(m);
                 return EINVAL;
         }
         if ((m->m_pkthdr.len - bodyoff) % blocklen) {
                 ipseclog((LOG_ERR, "esp_cbc_encrypt %s: "
                     "payload length must be multiple of %lu\n",
                 m_freem(m);
                 return EINVAL;
         }
         if ((m->m_pkthdr.len - bodyoff) % blocklen) {
                 ipseclog((LOG_ERR, "esp_cbc_encrypt %s: "
                     "payload length must be multiple of %lu\n",
-                   algo->name, (unsigned long)algo->padbound));
+                   algo->name, (u_int32_t)algo->padbound));
                 m_freem(m);
                 return EINVAL;
         }
                 m_freem(m);
                 return EINVAL;
         }
@@ -960,9 +1052,15 @@ esp_cbc_encrypt(m, off, plen, sav, algo, ivlen)
         scutoff = sn;
  
         /* skip over empty mbuf */
         scutoff = sn;
  
         /* skip over empty mbuf */
-       while (s && s->m_len == 0)
+       while (s && s->m_len == 0) {
                 s = s->m_next;
                 s = s->m_next;
+       }
  
  
+       // Allocate blocksized buffer for unaligned or non-contiguous access
+       sbuf = (u_int8_t *)_MALLOC(blocklen, M_SECA, M_DONTWAIT);
+       if (sbuf == NULL) {
+               return ENOBUFS;
+       }
         while (soff < m->m_pkthdr.len) {
                 /* source */
                 if (sn + blocklen <= s->m_len) {
         while (soff < m->m_pkthdr.len) {
                 /* source */
                 if (sn + blocklen <= s->m_len) {
@@ -970,14 +1068,15 @@ esp_cbc_encrypt(m, off, plen, sav, algo, ivlen)
                         sp = mtod(s, u_int8_t *) + sn;
                 } else {
                         /* body is non-continuous */
                         sp = mtod(s, u_int8_t *) + sn;
                 } else {
                         /* body is non-continuous */
-                       m_copydata(s, sn, blocklen, sbuf);
+                       m_copydata(s, sn, blocklen, (caddr_t) sbuf);
                         sp = sbuf;
                 }
  
                 /* destination */
                 if (!d || dn + blocklen > d->m_len) {
                         sp = sbuf;
                 }
  
                 /* destination */
                 if (!d || dn + blocklen > d->m_len) {
-                       if (d)
+                       if (d) {
                                 dp = d;
                                 dp = d;
+                       }
                         MGET(d, M_DONTWAIT, MT_DATA);
                         i = m->m_pkthdr.len - (soff + sn);
                         if (d && i > MLEN) {
                         MGET(d, M_DONTWAIT, MT_DATA);
                         i = m->m_pkthdr.len - (soff + sn);
                         if (d && i > MLEN) {
@@ -989,30 +1088,56 @@ esp_cbc_encrypt(m, off, plen, sav, algo, ivlen)
                         }
                         if (!d) {
                                 m_freem(m);
                         }
                         if (!d) {
                                 m_freem(m);
-                               if (d0)
+                               if (d0) {
                                         m_freem(d0);
                                         m_freem(d0);
-                               return ENOBUFS;
+                               }
+                               result = ENOBUFS;
+                               goto end;
                         }
                         }
-                       if (!d0)
+                       if (!d0) {
                                 d0 = d;
                                 d0 = d;
-                       if (dp)
+                       }
+                       if (dp) {
                                 dp->m_next = d;
                                 dp->m_next = d;
+                       }
+
+                       // try to make mbuf data aligned
+                       if (!IPSEC_IS_P2ALIGNED(d->m_data)) {
+                               m_adj(d, IPSEC_GET_P2UNALIGNED_OFS(d->m_data));
+                       }
+
                         d->m_len = 0;
                         d->m_len = (M_TRAILINGSPACE(d) / blocklen) * blocklen;
                         d->m_len = 0;
                         d->m_len = (M_TRAILINGSPACE(d) / blocklen) * blocklen;
-                       if (d->m_len > i)
+                       if (d->m_len > i) {
                                 d->m_len = i;
                                 d->m_len = i;
+                       }
                         dn = 0;
                 }
  
                 /* xor */
                 p = ivp ? ivp : iv;
                 q = sp;
                         dn = 0;
                 }
  
                 /* xor */
                 p = ivp ? ivp : iv;
                 q = sp;
-               for (i = 0; i < blocklen; i++)
+               for (i = 0; i < blocklen; i++) {
                         q[i] ^= p[i];
                         q[i] ^= p[i];
+               }
  
                 /* encrypt */
  
                 /* encrypt */
+               // check input pointer alignment and use a separate aligned buffer (if sp is not aligned on 4-byte boundary).
+               if (IPSEC_IS_P2ALIGNED(sp)) {
+                       sp_unaligned = NULL;
+               } else {
+                       sp_unaligned = sp;
+                       sp = sbuf;
+                       memcpy(sp, sp_unaligned, blocklen);
+               }
+               // no need to check output pointer alignment
                 (*algo->blockencrypt)(algo, sav, sp, mtod(d, u_int8_t *) + dn);
  
                 (*algo->blockencrypt)(algo, sav, sp, mtod(d, u_int8_t *) + dn);
  
+               // update unaligned pointers
+               if (!IPSEC_IS_P2ALIGNED(sp_unaligned)) {
+                       sp = sp_unaligned;
+               }
+
                 /* next iv */
                 ivp = mtod(d, u_int8_t *) + dn;
  
                 /* next iv */
                 ivp = mtod(d, u_int8_t *) + dn;
  
@@ -1025,10 +1150,6 @@ esp_cbc_encrypt(m, off, plen, sav, algo, ivlen)
                         soff += s->m_len;
                         s = s->m_next;
                 }
                         soff += s->m_len;
                         s = s->m_next;
                 }
-
-               /* skip over empty mbuf */
-               while (s && s->m_len == 0)
-                       s = s->m_next;
         }
  
         m_freem(scut->m_next);
         }
  
         m_freem(scut->m_next);
@@ -1037,28 +1158,31 @@ esp_cbc_encrypt(m, off, plen, sav, algo, ivlen)
  
         /* just in case */
         bzero(iv, sizeof(iv));
  
         /* just in case */
         bzero(iv, sizeof(iv));
-       bzero(sbuf, sizeof(sbuf));
+       bzero(sbuf, blocklen);
  
         key_sa_stir_iv(sav);
  
         key_sa_stir_iv(sav);
-
-       return 0;
+end:
+       if (sbuf != NULL) {
+               FREE(sbuf, M_SECA);
+       }
+       return result;
  }
  
  /*------------------------------------------------------------*/
  
  /* does not free m0 on error */
  int
  }
  
  /*------------------------------------------------------------*/
  
  /* does not free m0 on error */
  int
-esp_auth(m0, skip, length, sav, sum)
-       struct mbuf *m0;
-       size_t skip;    /* offset to ESP header */
-       size_t length;  /* payload length */
-       struct secasvar *sav;
-       u_char *sum;
+esp_auth(
+       struct mbuf *m0,
+       size_t skip,    /* offset to ESP header */
+       size_t length,  /* payload length */
+       struct secasvar *sav,
+       u_char *sum)
  {
         struct mbuf *m;
         size_t off;
         struct ah_algorithm_state s;
  {
         struct mbuf *m;
         size_t off;
         struct ah_algorithm_state s;
-       u_char sumbuf[AH_MAXSUMSIZE];
+       u_char sumbuf[AH_MAXSUMSIZE] __attribute__((aligned(4)));
         const struct ah_algorithm *algo;
         size_t siz;
         int error;
         const struct ah_algorithm *algo;
         size_t siz;
         int error;
@@ -1074,19 +1198,19 @@ esp_auth(m0, skip, length, sav, sum)
                 return EINVAL;
         }
  
                 return EINVAL;
         }
  
-       KERNEL_DEBUG(DBG_FNC_ESPAUTH | DBG_FUNC_START, skip,length,0,0,0);
+       KERNEL_DEBUG(DBG_FNC_ESPAUTH | DBG_FUNC_START, skip, length, 0, 0, 0);
         /*
          * length of esp part (excluding authentication data) must be 4n,
          * since nexthdr must be at offset 4n+3.
          */
         if (length % 4) {
                 ipseclog((LOG_ERR, "esp_auth: length is not multiple of 4\n"));
         /*
          * length of esp part (excluding authentication data) must be 4n,
          * since nexthdr must be at offset 4n+3.
          */
         if (length % 4) {
                 ipseclog((LOG_ERR, "esp_auth: length is not multiple of 4\n"));
-               KERNEL_DEBUG(DBG_FNC_ESPAUTH | DBG_FUNC_END, 1,0,0,0,0);
+               KERNEL_DEBUG(DBG_FNC_ESPAUTH | DBG_FUNC_END, 1, 0, 0, 0, 0);
                 return EINVAL;
         }
         if (!sav) {
                 ipseclog((LOG_DEBUG, "esp_auth: NULL SA passed\n"));
                 return EINVAL;
         }
         if (!sav) {
                 ipseclog((LOG_DEBUG, "esp_auth: NULL SA passed\n"));
-               KERNEL_DEBUG(DBG_FNC_ESPAUTH | DBG_FUNC_END, 2,0,0,0,0);
+               KERNEL_DEBUG(DBG_FNC_ESPAUTH | DBG_FUNC_END, 2, 0, 0, 0, 0);
                 return EINVAL;
         }
         algo = ah_algorithm_lookup(sav->alg_auth);
                 return EINVAL;
         }
         algo = ah_algorithm_lookup(sav->alg_auth);
@@ -1094,7 +1218,7 @@ esp_auth(m0, skip, length, sav, sum)
                 ipseclog((LOG_ERR,
                     "esp_auth: bad ESP auth algorithm passed: %d\n",
                     sav->alg_auth));
                 ipseclog((LOG_ERR,
                     "esp_auth: bad ESP auth algorithm passed: %d\n",
                     sav->alg_auth));
-               KERNEL_DEBUG(DBG_FNC_ESPAUTH | DBG_FUNC_END, 3,0,0,0,0);
+               KERNEL_DEBUG(DBG_FNC_ESPAUTH | DBG_FUNC_END, 3, 0, 0, 0, 0);
                 return EINVAL;
         }
  
                 return EINVAL;
         }
  
@@ -1105,15 +1229,16 @@ esp_auth(m0, skip, length, sav, sum)
         if (sizeof(sumbuf) < siz) {
                 ipseclog((LOG_DEBUG,
                     "esp_auth: AH_MAXSUMSIZE is too small: siz=%lu\n",
         if (sizeof(sumbuf) < siz) {
                 ipseclog((LOG_DEBUG,
                     "esp_auth: AH_MAXSUMSIZE is too small: siz=%lu\n",
-                   (u_long)siz));
-               KERNEL_DEBUG(DBG_FNC_ESPAUTH | DBG_FUNC_END, 4,0,0,0,0);
+                   (u_int32_t)siz));
+               KERNEL_DEBUG(DBG_FNC_ESPAUTH | DBG_FUNC_END, 4, 0, 0, 0, 0);
                 return EINVAL;
         }
  
         /* skip the header */
         while (skip) {
                 return EINVAL;
         }
  
         /* skip the header */
         while (skip) {
-               if (!m)
+               if (!m) {
                         panic("mbuf chain?");
                         panic("mbuf chain?");
+               }
                 if (m->m_len <= skip) {
                         skip -= m->m_len;
                         m = m->m_next;
                 if (m->m_len <= skip) {
                         skip -= m->m_len;
                         m = m->m_next;
@@ -1126,28 +1251,46 @@ esp_auth(m0, skip, length, sav, sum)
  
         error = (*algo->init)(&s, sav);
         if (error) {
  
         error = (*algo->init)(&s, sav);
         if (error) {
-               KERNEL_DEBUG(DBG_FNC_ESPAUTH | DBG_FUNC_END, 5,0,0,0,0);
+               KERNEL_DEBUG(DBG_FNC_ESPAUTH | DBG_FUNC_END, 5, 0, 0, 0, 0);
                 return error;
         }
                 return error;
         }
-
         while (0 < length) {
         while (0 < length) {
-               if (!m)
+               if (!m) {
                         panic("mbuf chain?");
                         panic("mbuf chain?");
+               }
  
                 if (m->m_len - off < length) {
  
                 if (m->m_len - off < length) {
-                       (*algo->update)(&s, mtod(m, u_char *) + off,
-                               m->m_len - off);
+                       (*algo->update)(&s, (caddr_t)(mtod(m, u_char *) + off),
+                           m->m_len - off);
                         length -= m->m_len - off;
                         m = m->m_next;
                         off = 0;
                 } else {
                         length -= m->m_len - off;
                         m = m->m_next;
                         off = 0;
                 } else {
-                       (*algo->update)(&s, mtod(m, u_char *) + off, length);
+                       (*algo->update)(&s, (caddr_t)(mtod(m, u_char *) + off), length);
                         break;
                 }
         }
                         break;
                 }
         }
-       (*algo->result)(&s, sumbuf);
-       bcopy(sumbuf, sum, siz);        /*XXX*/
-       
-       KERNEL_DEBUG(DBG_FNC_ESPAUTH | DBG_FUNC_END, 6,0,0,0,0);
+       (*algo->result)(&s, (caddr_t) sumbuf, sizeof(sumbuf));
+       bcopy(sumbuf, sum, siz);        /*XXX*/
+       KERNEL_DEBUG(DBG_FNC_ESPAUTH | DBG_FUNC_END, 6, 0, 0, 0, 0);
         return 0;
  }
         return 0;
  }
+
+void
+esp_init(void)
+{
+       static int esp_initialized = 0;
+
+       if (esp_initialized) {
+               return;
+       }
+
+       esp_initialized = 1;
+
+       esp_mpkl_log_object = MPKL_CREATE_LOGOBJECT("com.apple.xnu.esp");
+       if (esp_mpkl_log_object == NULL) {
+               panic("MPKL_CREATE_LOGOBJECT for ESP failed");
+       }
+
+       return;
+}