/* * Copyright (c) 2008-2017 Apple Inc. All rights reserved. * * @APPLE_OSREFERENCE_LICENSE_HEADER_START@ * * This file contains Original Code and/or Modifications of Original Code * as defined in and that are subject to the Apple Public Source License * Version 2.0 (the 'License'). You may not use this file except in * compliance with the License. The rights granted to you under the License * may not be used to create, or enable the creation or redistribution of, * unlawful or unlicensed copies of an Apple operating system, or to * circumvent, violate, or enable the circumvention or violation of, any * terms of an Apple operating system software license agreement. * * Please obtain a copy of the License at * http://www.opensource.apple.com/apsl/ and read it before using this file. * * The Original Code and all software distributed under the License are * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. * Please see the License for the specific language governing rights and * limitations under the License. * * @APPLE_OSREFERENCE_LICENSE_HEADER_END@ */ /* $FreeBSD: src/sys/netinet6/esp_output.c,v 1.1.2.3 2002/04/28 05:40:26 suz Exp $ */ /* $KAME: esp_output.c,v 1.44 2001/07/26 06:53:15 jinmei Exp $ */ /* * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. Neither the name of the project nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */ #define _IP_VHL /* * RFC1827/2406 Encapsulated Security Payload. */ #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include /* for nat traversal */ #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #define DBG_LAYER_BEG NETDBG_CODE(DBG_NETIPSEC, 1) #define DBG_LAYER_END NETDBG_CODE(DBG_NETIPSEC, 3) #define DBG_FNC_ESPOUT NETDBG_CODE(DBG_NETIPSEC, (4 << 8)) #define DBG_FNC_ENCRYPT NETDBG_CODE(DBG_NETIPSEC, (5 << 8)) static int esp_output(struct mbuf *, u_char *, struct mbuf *, int, struct secasvar *sav); extern int esp_udp_encap_port; extern u_int64_t natt_now; /* * compute ESP header size. */ size_t esp_hdrsiz(__unused struct ipsecrequest *isr) { #if 0 /* sanity check */ if (isr == NULL) { panic("esp_hdrsiz: NULL was passed."); } lck_mtx_lock(sadb_mutex); { struct secasvar *sav; const struct esp_algorithm *algo; const struct ah_algorithm *aalgo; size_t ivlen; size_t authlen; size_t hdrsiz; size_t maxpad; /*%%%% this needs to change - no sav in ipsecrequest any more */ sav = isr->sav; if (isr->saidx.proto != IPPROTO_ESP) { panic("unsupported mode passed to esp_hdrsiz"); } if (sav == NULL) { goto estimate; } if (sav->state != SADB_SASTATE_MATURE && sav->state != SADB_SASTATE_DYING) { goto estimate; } /* we need transport mode ESP. */ algo = esp_algorithm_lookup(sav->alg_enc); if (!algo) { goto estimate; } ivlen = sav->ivlen; if (ivlen < 0) { goto estimate; } if (algo->padbound) { maxpad = algo->padbound; } else { maxpad = 4; } maxpad += 1; /* maximum 'extendsiz' is padbound + 1, see esp_output */ if (sav->flags & SADB_X_EXT_OLD) { /* RFC 1827 */ hdrsiz = sizeof(struct esp) + ivlen + maxpad; } else { /* RFC 2406 */ aalgo = ah_algorithm_lookup(sav->alg_auth); if (aalgo && sav->replay[0] != NULL && sav->key_auth) { authlen = (aalgo->sumsiz)(sav); } else { authlen = 0; } hdrsiz = sizeof(struct newesp) + ivlen + maxpad + authlen; } /* * If the security association indicates that NATT is required, * add the size of the NATT encapsulation header: */ if ((sav->flags & SADB_X_EXT_NATT) != 0) { hdrsiz += sizeof(struct udphdr) + 4; } lck_mtx_unlock(sadb_mutex); return hdrsiz; } estimate: lck_mtx_unlock(sadb_mutex); #endif /* * ASSUMING: * sizeof(struct newesp) > sizeof(struct esp). (8) * esp_max_ivlen() = max ivlen for CBC mode * 17 = (maximum padding length without random padding length) * + (Pad Length field) + (Next Header field). * 64 = maximum ICV we support. * sizeof(struct udphdr) in case NAT traversal is used */ return sizeof(struct newesp) + esp_max_ivlen() + 17 + AH_MAXSUMSIZE + sizeof(struct udphdr); } /* * Modify the packet so that the payload is encrypted. * The mbuf (m) must start with IPv4 or IPv6 header. * On failure, free the given mbuf and return NULL. * * on invocation: * m nexthdrp md * v v v * IP ......... payload * during the encryption: * m nexthdrp mprev md * v v v v * IP ............... esp iv payload pad padlen nxthdr * <--><-><------><---------------> * esplen plen extendsiz * ivlen * <-----> esphlen * <-> hlen * <-----------------> espoff */ static int esp_output( struct mbuf *m, u_char *nexthdrp, struct mbuf *md, int af, struct secasvar *sav) { struct mbuf *n; struct mbuf *mprev; struct esp *esp; struct esptail *esptail; const struct esp_algorithm *algo; struct tcphdr th = {}; u_int32_t spi; u_int32_t seq; size_t inner_payload_len = 0; u_int8_t inner_protocol = 0; u_int8_t nxt = 0; size_t plen; /*payload length to be encrypted*/ size_t espoff; size_t esphlen; /* sizeof(struct esp/newesp) + ivlen */ int ivlen; int afnumber; size_t extendsiz; int error = 0; struct ipsecstat *stat; struct udphdr *udp = NULL; int udp_encapsulate = (sav->flags & SADB_X_EXT_NATT && (af == AF_INET || af == AF_INET6) && ((esp_udp_encap_port & 0xFFFF) != 0 || sav->natt_encapsulated_src_port != 0)); KERNEL_DEBUG(DBG_FNC_ESPOUT | DBG_FUNC_START, sav->ivlen, 0, 0, 0, 0); switch (af) { case AF_INET: afnumber = 4; stat = &ipsecstat; break; case AF_INET6: afnumber = 6; stat = &ipsec6stat; break; default: ipseclog((LOG_ERR, "esp_output: unsupported af %d\n", af)); KERNEL_DEBUG(DBG_FNC_ESPOUT | DBG_FUNC_END, 1, 0, 0, 0, 0); return 0; /* no change at all */ } mbuf_traffic_class_t traffic_class = 0; if ((sav->flags2 & SADB_X_EXT_SA2_SEQ_PER_TRAFFIC_CLASS) == SADB_X_EXT_SA2_SEQ_PER_TRAFFIC_CLASS) { u_int8_t dscp = 0; switch (af) { case AF_INET: { struct ip *ip = mtod(m, struct ip *); dscp = ip->ip_tos >> IPTOS_DSCP_SHIFT; break; } case AF_INET6: { struct ip6_hdr *ip6 = mtod(m, struct ip6_hdr *); dscp = (ntohl(ip6->ip6_flow) & IP6FLOW_DSCP_MASK) >> IP6FLOW_DSCP_SHIFT; break; } default: panic("esp_output: should not reach here"); } traffic_class = rfc4594_dscp_to_tc(dscp); } /* some sanity check */ if ((sav->flags & SADB_X_EXT_OLD) == 0 && sav->replay[traffic_class] == NULL) { switch (af) { case AF_INET: { struct ip *ip; ip = mtod(m, struct ip *); ipseclog((LOG_DEBUG, "esp4_output: internal error: " "sav->replay is null: %x->%x, SPI=%u\n", (u_int32_t)ntohl(ip->ip_src.s_addr), (u_int32_t)ntohl(ip->ip_dst.s_addr), (u_int32_t)ntohl(sav->spi))); IPSEC_STAT_INCREMENT(ipsecstat.out_inval); break; } case AF_INET6: ipseclog((LOG_DEBUG, "esp6_output: internal error: " "sav->replay is null: SPI=%u\n", (u_int32_t)ntohl(sav->spi))); IPSEC_STAT_INCREMENT(ipsec6stat.out_inval); break; default: panic("esp_output: should not reach here"); } m_freem(m); KERNEL_DEBUG(DBG_FNC_ESPOUT | DBG_FUNC_END, 2, 0, 0, 0, 0); return EINVAL; } algo = esp_algorithm_lookup(sav->alg_enc); if (!algo) { ipseclog((LOG_ERR, "esp_output: unsupported algorithm: " "SPI=%u\n", (u_int32_t)ntohl(sav->spi))); m_freem(m); KERNEL_DEBUG(DBG_FNC_ESPOUT | DBG_FUNC_END, 3, 0, 0, 0, 0); return EINVAL; } spi = sav->spi; ivlen = sav->ivlen; /* should be okey */ if (ivlen < 0) { panic("invalid ivlen"); } { /* * insert ESP header. * XXX inserts ESP header right after IPv4 header. should * chase the header chain. * XXX sequential number */ struct ip *ip = NULL; struct ip6_hdr *ip6 = NULL; size_t esplen; /* sizeof(struct esp/newesp) */ size_t hlen = 0; /* ip header len */ if (sav->flags & SADB_X_EXT_OLD) { /* RFC 1827 */ esplen = sizeof(struct esp); } else { /* RFC 2406 */ if (sav->flags & SADB_X_EXT_DERIV) { esplen = sizeof(struct esp); } else { esplen = sizeof(struct newesp); } } esphlen = esplen + ivlen; for (mprev = m; mprev && mprev->m_next != md; mprev = mprev->m_next) { ; } if (mprev == NULL || mprev->m_next != md) { ipseclog((LOG_DEBUG, "esp%d_output: md is not in chain\n", afnumber)); m_freem(m); KERNEL_DEBUG(DBG_FNC_ESPOUT | DBG_FUNC_END, 4, 0, 0, 0, 0); return EINVAL; } plen = 0; for (n = md; n; n = n->m_next) { plen += n->m_len; } switch (af) { case AF_INET: ip = mtod(m, struct ip *); #ifdef _IP_VHL hlen = IP_VHL_HL(ip->ip_vhl) << 2; #else hlen = ip->ip_hl << 2; #endif break; case AF_INET6: ip6 = mtod(m, struct ip6_hdr *); hlen = sizeof(*ip6); break; } /* grab info for packet logging */ struct secashead *sah = sav->sah; if (net_mpklog_enabled && sah != NULL && sah->ipsec_if != NULL) { ifnet_t ifp = sah->ipsec_if; if ((ifp->if_xflags & IFXF_MPK_LOG) == IFXF_MPK_LOG) { size_t iphlen = 0; if (sav->sah->saidx.mode == IPSEC_MODE_TUNNEL) { struct ip *inner_ip = mtod(md, struct ip *); if (IP_VHL_V(inner_ip->ip_vhl) == IPVERSION) { #ifdef _IP_VHL iphlen = IP_VHL_HL(inner_ip->ip_vhl) << 2; #else iphlen = inner_ip->ip_hl << 2; #endif inner_protocol = inner_ip->ip_p; } else if (IP_VHL_V(inner_ip->ip_vhl) == IPV6_VERSION) { struct ip6_hdr *inner_ip6 = mtod(md, struct ip6_hdr *); iphlen = sizeof(struct ip6_hdr); inner_protocol = inner_ip6->ip6_nxt; } if (inner_protocol == IPPROTO_TCP) { if ((int)(iphlen + sizeof(th)) <= (m->m_pkthdr.len - m->m_len)) { m_copydata(md, (int)iphlen, sizeof(th), (u_int8_t *)&th); } inner_payload_len = m->m_pkthdr.len - m->m_len - iphlen - (th.th_off << 2); } } else { iphlen = hlen; if (af == AF_INET) { inner_protocol = ip->ip_p; } else if (af == AF_INET6) { inner_protocol = ip6->ip6_nxt; } if (inner_protocol == IPPROTO_TCP) { if ((int)(iphlen + sizeof(th)) <= m->m_pkthdr.len) { m_copydata(m, (int)iphlen, sizeof(th), (u_int8_t *)&th); } inner_payload_len = m->m_pkthdr.len - iphlen - (th.th_off << 2); } } } } /* make the packet over-writable */ mprev->m_next = NULL; if ((md = ipsec_copypkt(md)) == NULL) { m_freem(m); error = ENOBUFS; goto fail; } mprev->m_next = md; /* * Translate UDP source port back to its original value. * SADB_X_EXT_NATT_MULTIPLEUSERS is only set for transort mode. */ if ((sav->flags & SADB_X_EXT_NATT_MULTIPLEUSERS) != 0) { /* if not UDP - drop it */ if (ip->ip_p != IPPROTO_UDP) { IPSEC_STAT_INCREMENT(ipsecstat.out_inval); m_freem(m); error = EINVAL; goto fail; } udp = mtod(md, struct udphdr *); /* if src port not set in sav - find it */ if (sav->natt_encapsulated_src_port == 0) { if (key_natt_get_translated_port(sav) == 0) { m_freem(m); error = EINVAL; goto fail; } } if (sav->remote_ike_port == htons(udp->uh_dport)) { /* translate UDP port */ udp->uh_dport = sav->natt_encapsulated_src_port; udp->uh_sum = 0; /* don't need checksum with ESP auth */ } else { /* drop the packet - can't translate the port */ IPSEC_STAT_INCREMENT(ipsecstat.out_inval); m_freem(m); error = EINVAL; goto fail; } } espoff = m->m_pkthdr.len - plen; if (udp_encapsulate) { esphlen += sizeof(struct udphdr); espoff += sizeof(struct udphdr); } /* * grow the mbuf to accomodate ESP header. * before: IP ... payload * after: IP ... [UDP] ESP IV payload */ if (M_LEADINGSPACE(md) < esphlen || (md->m_flags & M_EXT) != 0) { MGET(n, M_DONTWAIT, MT_DATA); if (!n) { m_freem(m); error = ENOBUFS; goto fail; } VERIFY(esphlen <= INT32_MAX); n->m_len = (int)esphlen; mprev->m_next = n; n->m_next = md; m->m_pkthdr.len += esphlen; if (udp_encapsulate) { udp = mtod(n, struct udphdr *); esp = (struct esp *)(void *)((caddr_t)udp + sizeof(struct udphdr)); } else { esp = mtod(n, struct esp *); } } else { md->m_len += esphlen; md->m_data -= esphlen; m->m_pkthdr.len += esphlen; esp = mtod(md, struct esp *); if (udp_encapsulate) { udp = mtod(md, struct udphdr *); esp = (struct esp *)(void *)((caddr_t)udp + sizeof(struct udphdr)); } else { esp = mtod(md, struct esp *); } } switch (af) { case AF_INET: if (esphlen < (IP_MAXPACKET - ntohs(ip->ip_len))) { ip->ip_len = htons(ntohs(ip->ip_len) + (u_short)esphlen); } else { ipseclog((LOG_ERR, "IPv4 ESP output: size exceeds limit\n")); IPSEC_STAT_INCREMENT(ipsecstat.out_inval); m_freem(m); error = EMSGSIZE; goto fail; } break; case AF_INET6: /* total packet length will be computed in ip6_output() */ break; } } /* initialize esp header. */ esp->esp_spi = spi; if ((sav->flags & SADB_X_EXT_OLD) == 0) { struct newesp *nesp; nesp = (struct newesp *)esp; if (sav->replay[traffic_class]->seq == sav->replay[traffic_class]->lastseq) { if ((sav->flags & SADB_X_EXT_CYCSEQ) == 0) { /* XXX Is it noisy ? */ ipseclog((LOG_WARNING, "replay counter overflowed. %s\n", ipsec_logsastr(sav))); IPSEC_STAT_INCREMENT(stat->out_inval); m_freem(m); KERNEL_DEBUG(DBG_FNC_ESPOUT | DBG_FUNC_END, 5, 0, 0, 0, 0); return EINVAL; } } lck_mtx_lock(sadb_mutex); sav->replay[traffic_class]->count++; sav->replay[traffic_class]->seq++; lck_mtx_unlock(sadb_mutex); /* * XXX sequence number must not be cycled, if the SA is * installed by IKE daemon. */ nesp->esp_seq = htonl(sav->replay[traffic_class]->seq); seq = sav->replay[traffic_class]->seq; } { /* * find the last mbuf. make some room for ESP trailer. */ struct ip *ip = NULL; size_t padbound; u_char *extend; int i; int randpadmax; if (algo->padbound) { padbound = algo->padbound; } else { padbound = 4; } /* ESP packet, including nxthdr field, must be length of 4n */ if (padbound < 4) { padbound = 4; } extendsiz = padbound - (plen % padbound); if (extendsiz == 1) { extendsiz = padbound + 1; } /* random padding */ switch (af) { case AF_INET: randpadmax = ip4_esp_randpad; break; case AF_INET6: randpadmax = ip6_esp_randpad; break; default: randpadmax = -1; break; } if (randpadmax < 0 || plen + extendsiz >= randpadmax) { ; } else { size_t pad; /* round */ randpadmax = (int)((randpadmax / padbound) * padbound); pad = (randpadmax - plen + extendsiz) / padbound; if (pad > 0) { pad = (random() % pad) * padbound; } else { pad = 0; } /* * make sure we do not pad too much. * MLEN limitation comes from the trailer attachment * code below. * 256 limitation comes from sequential padding. * also, the 1-octet length field in ESP trailer imposes * limitation (but is less strict than sequential padding * as length field do not count the last 2 octets). */ if (extendsiz + pad <= MLEN && extendsiz + pad < 256) { extendsiz += pad; } } n = m; while (n->m_next) { n = n->m_next; } /* * if M_EXT, the external mbuf data may be shared among * two consequtive TCP packets, and it may be unsafe to use the * trailing space. */ if (!(n->m_flags & M_EXT) && extendsiz < M_TRAILINGSPACE(n)) { extend = mtod(n, u_char *) + n->m_len; n->m_len += (int)extendsiz; m->m_pkthdr.len += extendsiz; } else { struct mbuf *nn; MGET(nn, M_DONTWAIT, MT_DATA); if (!nn) { ipseclog((LOG_DEBUG, "esp%d_output: can't alloc mbuf", afnumber)); m_freem(m); error = ENOBUFS; goto fail; } extend = mtod(nn, u_char *); VERIFY(extendsiz <= INT_MAX); nn->m_len = (int)extendsiz; nn->m_next = NULL; n->m_next = nn; n = nn; m->m_pkthdr.len += extendsiz; } switch (sav->flags & SADB_X_EXT_PMASK) { case SADB_X_EXT_PRAND: key_randomfill(extend, extendsiz); break; case SADB_X_EXT_PZERO: bzero(extend, extendsiz); break; case SADB_X_EXT_PSEQ: for (i = 0; i < extendsiz; i++) { extend[i] = (i + 1) & 0xff; } break; } nxt = *nexthdrp; if (udp_encapsulate) { *nexthdrp = IPPROTO_UDP; /* Fill out the UDP header */ if (sav->natt_encapsulated_src_port != 0) { udp->uh_sport = (u_short)sav->natt_encapsulated_src_port; } else { udp->uh_sport = htons((u_short)esp_udp_encap_port); } udp->uh_dport = htons(sav->remote_ike_port); // udp->uh_len set later, after all length tweaks are complete udp->uh_sum = 0; /* Update last sent so we know if we need to send keepalive */ sav->natt_last_activity = natt_now; } else { *nexthdrp = IPPROTO_ESP; } /* initialize esp trailer. */ esptail = (struct esptail *) (mtod(n, u_int8_t *) + n->m_len - sizeof(struct esptail)); esptail->esp_nxt = nxt; VERIFY((extendsiz - 2) <= UINT8_MAX); esptail->esp_padlen = (u_int8_t)(extendsiz - 2); /* modify IP header (for ESP header part only) */ switch (af) { case AF_INET: ip = mtod(m, struct ip *); if (extendsiz < (IP_MAXPACKET - ntohs(ip->ip_len))) { ip->ip_len = htons(ntohs(ip->ip_len) + (u_short)extendsiz); } else { ipseclog((LOG_ERR, "IPv4 ESP output: size exceeds limit\n")); IPSEC_STAT_INCREMENT(ipsecstat.out_inval); m_freem(m); error = EMSGSIZE; goto fail; } break; case AF_INET6: /* total packet length will be computed in ip6_output() */ break; } } /* * pre-compute and cache intermediate key */ error = esp_schedule(algo, sav); if (error) { m_freem(m); IPSEC_STAT_INCREMENT(stat->out_inval); goto fail; } /* * encrypt the packet, based on security association * and the algorithm specified. */ if (!algo->encrypt) { panic("internal error: no encrypt function"); } KERNEL_DEBUG(DBG_FNC_ENCRYPT | DBG_FUNC_START, 0, 0, 0, 0, 0); if ((*algo->encrypt)(m, espoff, plen + extendsiz, sav, algo, ivlen)) { /* m is already freed */ ipseclog((LOG_ERR, "packet encryption failure\n")); IPSEC_STAT_INCREMENT(stat->out_inval); error = EINVAL; KERNEL_DEBUG(DBG_FNC_ENCRYPT | DBG_FUNC_END, 1, error, 0, 0, 0); goto fail; } KERNEL_DEBUG(DBG_FNC_ENCRYPT | DBG_FUNC_END, 2, 0, 0, 0, 0); /* * calculate ICV if required. */ size_t siz = 0; u_char authbuf[AH_MAXSUMSIZE] __attribute__((aligned(4))); if (algo->finalizeencrypt) { siz = algo->icvlen; if ((*algo->finalizeencrypt)(sav, authbuf, siz)) { ipseclog((LOG_ERR, "packet encryption ICV failure\n")); IPSEC_STAT_INCREMENT(stat->out_inval); error = EINVAL; KERNEL_DEBUG(DBG_FNC_ENCRYPT | DBG_FUNC_END, 1, error, 0, 0, 0); goto fail; } goto fill_icv; } if (!sav->replay[traffic_class]) { goto noantireplay; } if (!sav->key_auth) { goto noantireplay; } if (sav->key_auth == SADB_AALG_NONE) { goto noantireplay; } { const struct ah_algorithm *aalgo; aalgo = ah_algorithm_lookup(sav->alg_auth); if (!aalgo) { goto noantireplay; } siz = ((aalgo->sumsiz)(sav) + 3) & ~(4 - 1); if (AH_MAXSUMSIZE < siz) { panic("assertion failed for AH_MAXSUMSIZE"); } if (esp_auth(m, espoff, m->m_pkthdr.len - espoff, sav, authbuf)) { ipseclog((LOG_ERR, "ESP checksum generation failure\n")); m_freem(m); error = EINVAL; IPSEC_STAT_INCREMENT(stat->out_inval); goto fail; } } fill_icv: { struct ip *ip; u_char *p; n = m; while (n->m_next) { n = n->m_next; } if (!(n->m_flags & M_EXT) && siz < M_TRAILINGSPACE(n)) { /* XXX */ n->m_len += siz; m->m_pkthdr.len += siz; p = mtod(n, u_char *) + n->m_len - siz; } else { struct mbuf *nn; MGET(nn, M_DONTWAIT, MT_DATA); if (!nn) { ipseclog((LOG_DEBUG, "can't alloc mbuf in esp%d_output", afnumber)); m_freem(m); error = ENOBUFS; goto fail; } nn->m_len = (int)siz; nn->m_next = NULL; n->m_next = nn; n = nn; m->m_pkthdr.len += siz; p = mtod(nn, u_char *); } bcopy(authbuf, p, siz); /* modify IP header (for ESP header part only) */ switch (af) { case AF_INET: ip = mtod(m, struct ip *); if (siz < (IP_MAXPACKET - ntohs(ip->ip_len))) { ip->ip_len = htons(ntohs(ip->ip_len) + (u_short)siz); } else { ipseclog((LOG_ERR, "IPv4 ESP output: size exceeds limit\n")); IPSEC_STAT_INCREMENT(ipsecstat.out_inval); m_freem(m); error = EMSGSIZE; goto fail; } break; case AF_INET6: /* total packet length will be computed in ip6_output() */ break; } } if (udp_encapsulate) { struct ip *ip; struct ip6_hdr *ip6; switch (af) { case AF_INET: ip = mtod(m, struct ip *); udp->uh_ulen = htons((u_int16_t)(ntohs(ip->ip_len) - (IP_VHL_HL(ip->ip_vhl) << 2))); break; case AF_INET6: ip6 = mtod(m, struct ip6_hdr *); VERIFY((plen + siz + extendsiz + esphlen) <= UINT16_MAX); udp->uh_ulen = htons((u_int16_t)(plen + siz + extendsiz + esphlen)); udp->uh_sum = in6_pseudo(&ip6->ip6_src, &ip6->ip6_dst, htonl(ntohs(udp->uh_ulen) + IPPROTO_UDP)); m->m_pkthdr.csum_flags = (CSUM_UDPIPV6 | CSUM_ZERO_INVERT); m->m_pkthdr.csum_data = offsetof(struct udphdr, uh_sum); break; } } noantireplay: if (net_mpklog_enabled && sav->sah != NULL && sav->sah->ipsec_if != NULL && (sav->sah->ipsec_if->if_xflags & IFXF_MPK_LOG) && inner_protocol == IPPROTO_TCP) { MPKL_ESP_OUTPUT_TCP(esp_mpkl_log_object, ntohl(spi), seq, ntohs(th.th_sport), ntohs(th.th_dport), ntohl(th.th_seq), ntohl(th.th_ack), inner_payload_len, th.th_flags); } lck_mtx_lock(sadb_mutex); if (!m) { ipseclog((LOG_ERR, "NULL mbuf after encryption in esp%d_output", afnumber)); } else { stat->out_success++; } stat->out_esphist[sav->alg_enc]++; lck_mtx_unlock(sadb_mutex); key_sa_recordxfer(sav, m); KERNEL_DEBUG(DBG_FNC_ESPOUT | DBG_FUNC_END, 6, 0, 0, 0, 0); return 0; fail: KERNEL_DEBUG(DBG_FNC_ESPOUT | DBG_FUNC_END, 7, error, 0, 0, 0); return error; } int esp4_output( struct mbuf *m, struct secasvar *sav) { struct ip *ip; if (m->m_len < sizeof(struct ip)) { ipseclog((LOG_DEBUG, "esp4_output: first mbuf too short\n")); m_freem(m); return EINVAL; } ip = mtod(m, struct ip *); /* XXX assumes that m->m_next points to payload */ return esp_output(m, &ip->ip_p, m->m_next, AF_INET, sav); } int esp6_output( struct mbuf *m, u_char *nexthdrp, struct mbuf *md, struct secasvar *sav) { if (m->m_len < sizeof(struct ip6_hdr)) { ipseclog((LOG_DEBUG, "esp6_output: first mbuf too short\n")); m_freem(m); return EINVAL; } return esp_output(m, nexthdrp, md, AF_INET6, sav); }