Remove a last, dangling, file from the Kame IPsec code.
Approved by: re Spotted by: rwatson, bz
This commit is contained in:
parent
f275d39c8f
commit
d8c2182456
@ -1,718 +0,0 @@
|
||||
/* $FreeBSD$ */
|
||||
/* $KAME: esp_output.c,v 1.44 2001/07/26 06:53:15 jinmei Exp $ */
|
||||
|
||||
/*-
|
||||
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
|
||||
* All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
* 1. Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
* 2. Redistributions in binary form must reproduce the above copyright
|
||||
* notice, this list of conditions and the following disclaimer in the
|
||||
* documentation and/or other materials provided with the distribution.
|
||||
* 3. Neither the name of the project nor the names of its contributors
|
||||
* may be used to endorse or promote products derived from this software
|
||||
* without specific prior written permission.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
|
||||
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||||
* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
|
||||
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
||||
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
||||
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||||
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
||||
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
* SUCH DAMAGE.
|
||||
*/
|
||||
|
||||
#include "opt_inet.h"
|
||||
#include "opt_inet6.h"
|
||||
|
||||
/*
|
||||
* RFC1827/2406 Encapsulated Security Payload.
|
||||
*/
|
||||
|
||||
#include <sys/param.h>
|
||||
#include <sys/systm.h>
|
||||
#include <sys/mbuf.h>
|
||||
#include <sys/domain.h>
|
||||
#include <sys/protosw.h>
|
||||
#include <sys/socket.h>
|
||||
#include <sys/socketvar.h>
|
||||
#include <sys/errno.h>
|
||||
#include <sys/time.h>
|
||||
#include <sys/syslog.h>
|
||||
|
||||
#include <net/if.h>
|
||||
#include <net/route.h>
|
||||
|
||||
#include <netinet/in.h>
|
||||
#include <netinet/in_systm.h>
|
||||
#include <netinet/ip.h>
|
||||
#include <netinet/in_var.h>
|
||||
|
||||
#ifdef INET6
|
||||
#include <netinet/ip6.h>
|
||||
#include <netinet6/ip6_var.h>
|
||||
#include <netinet/icmp6.h>
|
||||
#endif
|
||||
|
||||
#include <netinet6/ipsec.h>
|
||||
#ifdef INET6
|
||||
#include <netinet6/ipsec6.h>
|
||||
#endif
|
||||
#include <netinet6/ah.h>
|
||||
#ifdef INET6
|
||||
#include <netinet6/ah6.h>
|
||||
#endif
|
||||
#include <netinet6/esp.h>
|
||||
#ifdef INET6
|
||||
#include <netinet6/esp6.h>
|
||||
#endif
|
||||
#include <netkey/key.h>
|
||||
#include <netkey/keydb.h>
|
||||
|
||||
static int esp_output __P((struct mbuf *, u_char *, struct mbuf *,
|
||||
struct ipsecrequest *, int));
|
||||
|
||||
/*
|
||||
* compute ESP header size.
|
||||
*/
|
||||
size_t
|
||||
esp_hdrsiz(isr)
|
||||
struct ipsecrequest *isr;
|
||||
{
|
||||
struct secasvar *sav;
|
||||
const struct esp_algorithm *algo;
|
||||
const struct ah_algorithm *aalgo;
|
||||
size_t ivlen;
|
||||
size_t authlen;
|
||||
size_t hdrsiz;
|
||||
|
||||
/* sanity check */
|
||||
if (isr == NULL)
|
||||
panic("esp_hdrsiz: NULL was passed.");
|
||||
|
||||
sav = isr->sav;
|
||||
|
||||
if (isr->saidx.proto != IPPROTO_ESP)
|
||||
panic("unsupported mode passed to esp_hdrsiz");
|
||||
|
||||
if (sav == NULL)
|
||||
goto estimate;
|
||||
if (sav->state != SADB_SASTATE_MATURE
|
||||
&& sav->state != SADB_SASTATE_DYING)
|
||||
goto estimate;
|
||||
|
||||
/* we need transport mode ESP. */
|
||||
algo = esp_algorithm_lookup(sav->alg_enc);
|
||||
if (!algo)
|
||||
goto estimate;
|
||||
ivlen = sav->ivlen;
|
||||
if (ivlen < 0)
|
||||
goto estimate;
|
||||
|
||||
/*
|
||||
* XXX
|
||||
* right now we don't calcurate the padding size. simply
|
||||
* treat the padding size as constant, for simplicity.
|
||||
*
|
||||
* XXX variable size padding support
|
||||
*/
|
||||
if (sav->flags & SADB_X_EXT_OLD) {
|
||||
/* RFC 1827 */
|
||||
hdrsiz = sizeof(struct esp) + ivlen + 9;
|
||||
} else {
|
||||
/* RFC 2406 */
|
||||
aalgo = ah_algorithm_lookup(sav->alg_auth);
|
||||
if (aalgo && sav->replay && sav->key_auth)
|
||||
authlen = (aalgo->sumsiz)(sav);
|
||||
else
|
||||
authlen = 0;
|
||||
hdrsiz = sizeof(struct newesp) + ivlen + 9 + authlen;
|
||||
}
|
||||
|
||||
return hdrsiz;
|
||||
|
||||
estimate:
|
||||
/*
|
||||
* ASSUMING:
|
||||
* sizeof(struct newesp) > sizeof(struct esp).
|
||||
* esp_max_ivlen() = max ivlen for CBC mode
|
||||
* 9 = (maximum padding length without random padding length)
|
||||
* + (Pad Length field) + (Next Header field).
|
||||
* 16 = maximum ICV we support.
|
||||
*/
|
||||
return sizeof(struct newesp) + esp_max_ivlen() + 9 + 16;
|
||||
}
|
||||
|
||||
/*
|
||||
* Modify the packet so that the payload is encrypted.
|
||||
* The mbuf (m) must start with IPv4 or IPv6 header.
|
||||
* On failure, free the given mbuf and return NULL.
|
||||
*
|
||||
* on invocation:
|
||||
* m nexthdrp md
|
||||
* v v v
|
||||
* IP ......... payload
|
||||
* during the encryption:
|
||||
* m nexthdrp mprev md
|
||||
* v v v v
|
||||
* IP ............... esp iv payload pad padlen nxthdr
|
||||
* <--><-><------><--------------->
|
||||
* esplen plen extendsiz
|
||||
* ivlen
|
||||
* <-----> esphlen
|
||||
* <-> hlen
|
||||
* <-----------------> espoff
|
||||
*/
|
||||
static int
|
||||
esp_output(m, nexthdrp, md, isr, af)
|
||||
struct mbuf *m;
|
||||
u_char *nexthdrp;
|
||||
struct mbuf *md;
|
||||
struct ipsecrequest *isr;
|
||||
int af;
|
||||
{
|
||||
struct mbuf *n;
|
||||
struct mbuf *mprev;
|
||||
struct esp *esp;
|
||||
struct esptail *esptail;
|
||||
struct secasvar *sav = isr->sav;
|
||||
const struct esp_algorithm *algo;
|
||||
u_int32_t spi;
|
||||
u_int8_t nxt = 0;
|
||||
size_t plen; /* payload length to be encrypted */
|
||||
size_t espoff;
|
||||
int ivlen;
|
||||
int afnumber;
|
||||
size_t extendsiz;
|
||||
int error = 0;
|
||||
struct ipsecstat *stat;
|
||||
|
||||
switch (af) {
|
||||
#ifdef INET
|
||||
case AF_INET:
|
||||
afnumber = 4;
|
||||
stat = &ipsecstat;
|
||||
break;
|
||||
#endif
|
||||
#ifdef INET6
|
||||
case AF_INET6:
|
||||
afnumber = 6;
|
||||
stat = &ipsec6stat;
|
||||
break;
|
||||
#endif
|
||||
default:
|
||||
ipseclog((LOG_ERR, "esp_output: unsupported af %d\n", af));
|
||||
return 0; /* no change at all */
|
||||
}
|
||||
|
||||
/* some sanity check */
|
||||
if ((sav->flags & SADB_X_EXT_OLD) == 0 && !sav->replay) {
|
||||
switch (af) {
|
||||
#ifdef INET
|
||||
case AF_INET:
|
||||
{
|
||||
struct ip *ip;
|
||||
|
||||
ip = mtod(m, struct ip *);
|
||||
ipseclog((LOG_DEBUG, "esp4_output: internal error: "
|
||||
"sav->replay is null: %x->%x, SPI=%u\n",
|
||||
(u_int32_t)ntohl(ip->ip_src.s_addr),
|
||||
(u_int32_t)ntohl(ip->ip_dst.s_addr),
|
||||
(u_int32_t)ntohl(sav->spi)));
|
||||
ipsecstat.out_inval++;
|
||||
break;
|
||||
}
|
||||
#endif /* INET */
|
||||
#ifdef INET6
|
||||
case AF_INET6:
|
||||
ipseclog((LOG_DEBUG, "esp6_output: internal error: "
|
||||
"sav->replay is null: SPI=%u\n",
|
||||
(u_int32_t)ntohl(sav->spi)));
|
||||
ipsec6stat.out_inval++;
|
||||
break;
|
||||
#endif /* INET6 */
|
||||
default:
|
||||
panic("esp_output: should not reach here");
|
||||
}
|
||||
m_freem(m);
|
||||
return EINVAL;
|
||||
}
|
||||
|
||||
algo = esp_algorithm_lookup(sav->alg_enc);
|
||||
if (!algo) {
|
||||
ipseclog((LOG_ERR, "esp_output: unsupported algorithm: "
|
||||
"SPI=%u\n", (u_int32_t)ntohl(sav->spi)));
|
||||
m_freem(m);
|
||||
return EINVAL;
|
||||
}
|
||||
spi = sav->spi;
|
||||
ivlen = sav->ivlen;
|
||||
/* should be okey */
|
||||
if (ivlen < 0) {
|
||||
panic("invalid ivlen");
|
||||
}
|
||||
|
||||
{
|
||||
/*
|
||||
* insert ESP header.
|
||||
* XXX inserts ESP header right after IPv4 header. should
|
||||
* chase the header chain.
|
||||
* XXX sequential number
|
||||
*/
|
||||
#ifdef INET
|
||||
struct ip *ip = NULL;
|
||||
#endif
|
||||
#ifdef INET6
|
||||
struct ip6_hdr *ip6 = NULL;
|
||||
#endif
|
||||
size_t esplen; /* sizeof(struct esp/newesp) */
|
||||
size_t esphlen; /* sizeof(struct esp/newesp) + ivlen */
|
||||
size_t hlen = 0; /* ip header len */
|
||||
|
||||
if (sav->flags & SADB_X_EXT_OLD) {
|
||||
/* RFC 1827 */
|
||||
esplen = sizeof(struct esp);
|
||||
} else {
|
||||
/* RFC 2406 */
|
||||
if (sav->flags & SADB_X_EXT_DERIV)
|
||||
esplen = sizeof(struct esp);
|
||||
else
|
||||
esplen = sizeof(struct newesp);
|
||||
}
|
||||
esphlen = esplen + ivlen;
|
||||
|
||||
for (mprev = m; mprev && mprev->m_next != md; mprev = mprev->m_next)
|
||||
;
|
||||
if (mprev == NULL || mprev->m_next != md) {
|
||||
ipseclog((LOG_DEBUG, "esp%d_output: md is not in chain\n",
|
||||
afnumber));
|
||||
m_freem(m);
|
||||
return EINVAL;
|
||||
}
|
||||
|
||||
plen = 0;
|
||||
for (n = md; n; n = n->m_next)
|
||||
plen += n->m_len;
|
||||
|
||||
switch (af) {
|
||||
#ifdef INET
|
||||
case AF_INET:
|
||||
ip = mtod(m, struct ip *);
|
||||
#ifdef _IP_VHL
|
||||
hlen = IP_VHL_HL(ip->ip_vhl) << 2;
|
||||
#else
|
||||
hlen = ip->ip_hl << 2;
|
||||
#endif
|
||||
break;
|
||||
#endif
|
||||
#ifdef INET6
|
||||
case AF_INET6:
|
||||
ip6 = mtod(m, struct ip6_hdr *);
|
||||
hlen = sizeof(*ip6);
|
||||
break;
|
||||
#endif
|
||||
}
|
||||
|
||||
/* make the packet over-writable */
|
||||
mprev->m_next = NULL;
|
||||
if ((md = ipsec_copypkt(md)) == NULL) {
|
||||
m_freem(m);
|
||||
error = ENOBUFS;
|
||||
goto fail;
|
||||
}
|
||||
mprev->m_next = md;
|
||||
|
||||
espoff = m->m_pkthdr.len - plen;
|
||||
|
||||
/*
|
||||
* grow the mbuf to accomodate ESP header.
|
||||
* before: IP ... payload
|
||||
* after: IP ... ESP IV payload
|
||||
*/
|
||||
if (M_LEADINGSPACE(md) < esphlen || (md->m_flags & M_EXT) != 0) {
|
||||
MGET(n, M_DONTWAIT, MT_DATA);
|
||||
if (!n) {
|
||||
m_freem(m);
|
||||
error = ENOBUFS;
|
||||
goto fail;
|
||||
}
|
||||
n->m_len = esphlen;
|
||||
mprev->m_next = n;
|
||||
n->m_next = md;
|
||||
m->m_pkthdr.len += esphlen;
|
||||
esp = mtod(n, struct esp *);
|
||||
} else {
|
||||
md->m_len += esphlen;
|
||||
md->m_data -= esphlen;
|
||||
m->m_pkthdr.len += esphlen;
|
||||
esp = mtod(md, struct esp *);
|
||||
}
|
||||
|
||||
nxt = *nexthdrp;
|
||||
*nexthdrp = IPPROTO_ESP;
|
||||
switch (af) {
|
||||
#ifdef INET
|
||||
case AF_INET:
|
||||
if (esphlen < (IP_MAXPACKET - ntohs(ip->ip_len)))
|
||||
ip->ip_len = htons(ntohs(ip->ip_len) + esphlen);
|
||||
else {
|
||||
ipseclog((LOG_ERR,
|
||||
"IPv4 ESP output: size exceeds limit\n"));
|
||||
ipsecstat.out_inval++;
|
||||
m_freem(m);
|
||||
error = EMSGSIZE;
|
||||
goto fail;
|
||||
}
|
||||
break;
|
||||
#endif
|
||||
#ifdef INET6
|
||||
case AF_INET6:
|
||||
/* total packet length will be computed in ip6_output() */
|
||||
break;
|
||||
#endif
|
||||
}
|
||||
}
|
||||
|
||||
/* initialize esp header. */
|
||||
esp->esp_spi = spi;
|
||||
if ((sav->flags & SADB_X_EXT_OLD) == 0) {
|
||||
struct newesp *nesp;
|
||||
nesp = (struct newesp *)esp;
|
||||
if (sav->replay->count == ~0) {
|
||||
if ((sav->flags & SADB_X_EXT_CYCSEQ) == 0) {
|
||||
/* XXX Is it noisy ? */
|
||||
ipseclog((LOG_WARNING,
|
||||
"replay counter overflowed. %s\n",
|
||||
ipsec_logsastr(sav)));
|
||||
stat->out_inval++;
|
||||
m_freem(m);
|
||||
return EINVAL;
|
||||
}
|
||||
}
|
||||
sav->replay->count++;
|
||||
/*
|
||||
* XXX sequence number must not be cycled, if the SA is
|
||||
* installed by IKE daemon.
|
||||
*/
|
||||
nesp->esp_seq = htonl(sav->replay->count & 0xffffffff);
|
||||
}
|
||||
|
||||
{
|
||||
/*
|
||||
* find the last mbuf. make some room for ESP trailer.
|
||||
*/
|
||||
#ifdef INET
|
||||
struct ip *ip = NULL;
|
||||
#endif
|
||||
size_t padbound;
|
||||
u_char *extend;
|
||||
int i;
|
||||
int randpadmax;
|
||||
|
||||
if (algo->padbound)
|
||||
padbound = algo->padbound;
|
||||
else
|
||||
padbound = 4;
|
||||
/* ESP packet, including nxthdr field, must be length of 4n */
|
||||
if (padbound < 4)
|
||||
padbound = 4;
|
||||
|
||||
extendsiz = padbound - (plen % padbound);
|
||||
if (extendsiz == 1)
|
||||
extendsiz = padbound + 1;
|
||||
|
||||
/* random padding */
|
||||
switch (af) {
|
||||
#ifdef INET
|
||||
case AF_INET:
|
||||
randpadmax = ip4_esp_randpad;
|
||||
break;
|
||||
#endif
|
||||
#ifdef INET6
|
||||
case AF_INET6:
|
||||
randpadmax = ip6_esp_randpad;
|
||||
break;
|
||||
#endif
|
||||
default:
|
||||
randpadmax = -1;
|
||||
break;
|
||||
}
|
||||
if (randpadmax < 0 || plen + extendsiz >= randpadmax)
|
||||
;
|
||||
else {
|
||||
int n;
|
||||
|
||||
/* round */
|
||||
randpadmax = (randpadmax / padbound) * padbound;
|
||||
n = (randpadmax - plen + extendsiz) / padbound;
|
||||
|
||||
if (n > 0)
|
||||
n = (random() % n) * padbound;
|
||||
else
|
||||
n = 0;
|
||||
|
||||
/*
|
||||
* make sure we do not pad too much.
|
||||
* MLEN limitation comes from the trailer attachment
|
||||
* code below.
|
||||
* 256 limitation comes from sequential padding.
|
||||
* also, the 1-octet length field in ESP trailer imposes
|
||||
* limitation (but is less strict than sequential padding
|
||||
* as length field do not count the last 2 octets).
|
||||
*/
|
||||
if (extendsiz + n <= MLEN && extendsiz + n < 256)
|
||||
extendsiz += n;
|
||||
}
|
||||
|
||||
#ifdef DIAGNOSTIC
|
||||
if (extendsiz > MLEN || extendsiz >= 256)
|
||||
panic("extendsiz too big in esp_output");
|
||||
#endif
|
||||
|
||||
n = m;
|
||||
while (n->m_next)
|
||||
n = n->m_next;
|
||||
|
||||
/*
|
||||
* if M_EXT, the external mbuf data may be shared among
|
||||
* two consequtive TCP packets, and it may be unsafe to use the
|
||||
* trailing space.
|
||||
*/
|
||||
if (!(n->m_flags & M_EXT) && extendsiz < M_TRAILINGSPACE(n)) {
|
||||
extend = mtod(n, u_char *) + n->m_len;
|
||||
n->m_len += extendsiz;
|
||||
m->m_pkthdr.len += extendsiz;
|
||||
} else {
|
||||
struct mbuf *nn;
|
||||
|
||||
MGET(nn, M_DONTWAIT, MT_DATA);
|
||||
if (!nn) {
|
||||
ipseclog((LOG_DEBUG, "esp%d_output: can't alloc mbuf",
|
||||
afnumber));
|
||||
m_freem(m);
|
||||
error = ENOBUFS;
|
||||
goto fail;
|
||||
}
|
||||
extend = mtod(nn, u_char *);
|
||||
nn->m_len = extendsiz;
|
||||
nn->m_next = NULL;
|
||||
n->m_next = nn;
|
||||
n = nn;
|
||||
m->m_pkthdr.len += extendsiz;
|
||||
}
|
||||
switch (sav->flags & SADB_X_EXT_PMASK) {
|
||||
case SADB_X_EXT_PRAND:
|
||||
key_randomfill(extend, extendsiz);
|
||||
break;
|
||||
case SADB_X_EXT_PZERO:
|
||||
bzero(extend, extendsiz);
|
||||
break;
|
||||
case SADB_X_EXT_PSEQ:
|
||||
for (i = 0; i < extendsiz; i++)
|
||||
extend[i] = (i + 1) & 0xff;
|
||||
break;
|
||||
}
|
||||
|
||||
/* initialize esp trailer. */
|
||||
esptail = (struct esptail *)
|
||||
(mtod(n, u_int8_t *) + n->m_len - sizeof(struct esptail));
|
||||
esptail->esp_nxt = nxt;
|
||||
esptail->esp_padlen = extendsiz - 2;
|
||||
|
||||
/* modify IP header (for ESP header part only) */
|
||||
switch (af) {
|
||||
#ifdef INET
|
||||
case AF_INET:
|
||||
ip = mtod(m, struct ip *);
|
||||
if (extendsiz < (IP_MAXPACKET - ntohs(ip->ip_len)))
|
||||
ip->ip_len = htons(ntohs(ip->ip_len) + extendsiz);
|
||||
else {
|
||||
ipseclog((LOG_ERR,
|
||||
"IPv4 ESP output: size exceeds limit\n"));
|
||||
ipsecstat.out_inval++;
|
||||
m_freem(m);
|
||||
error = EMSGSIZE;
|
||||
goto fail;
|
||||
}
|
||||
break;
|
||||
#endif
|
||||
#ifdef INET6
|
||||
case AF_INET6:
|
||||
/* total packet length will be computed in ip6_output() */
|
||||
break;
|
||||
#endif
|
||||
}
|
||||
}
|
||||
|
||||
/*
|
||||
* pre-compute and cache intermediate key
|
||||
*/
|
||||
error = esp_schedule(algo, sav);
|
||||
if (error) {
|
||||
m_freem(m);
|
||||
stat->out_inval++;
|
||||
goto fail;
|
||||
}
|
||||
|
||||
/*
|
||||
* encrypt the packet, based on security association
|
||||
* and the algorithm specified.
|
||||
*/
|
||||
if (!algo->encrypt)
|
||||
panic("internal error: no encrypt function");
|
||||
if ((*algo->encrypt)(m, espoff, plen + extendsiz, sav, algo, ivlen)) {
|
||||
/* m is already freed */
|
||||
ipseclog((LOG_ERR, "packet encryption failure\n"));
|
||||
stat->out_inval++;
|
||||
error = EINVAL;
|
||||
goto fail;
|
||||
}
|
||||
|
||||
/*
|
||||
* calculate ICV if required.
|
||||
*/
|
||||
if (!sav->replay)
|
||||
goto noantireplay;
|
||||
if (!sav->key_auth)
|
||||
goto noantireplay;
|
||||
if (sav->alg_auth == SADB_AALG_NONE)
|
||||
goto noantireplay;
|
||||
|
||||
{
|
||||
const struct ah_algorithm *aalgo;
|
||||
u_char authbuf[AH_MAXSUMSIZE];
|
||||
struct mbuf *n;
|
||||
u_char *p;
|
||||
size_t siz;
|
||||
#ifdef INET
|
||||
struct ip *ip;
|
||||
#endif
|
||||
|
||||
aalgo = ah_algorithm_lookup(sav->alg_auth);
|
||||
if (!aalgo)
|
||||
goto noantireplay;
|
||||
siz = ((aalgo->sumsiz)(sav) + 3) & ~(4 - 1);
|
||||
if (AH_MAXSUMSIZE < siz)
|
||||
panic("assertion failed for AH_MAXSUMSIZE");
|
||||
|
||||
if (esp_auth(m, espoff, m->m_pkthdr.len - espoff, sav, authbuf)) {
|
||||
ipseclog((LOG_ERR, "ESP checksum generation failure\n"));
|
||||
m_freem(m);
|
||||
error = EINVAL;
|
||||
stat->out_inval++;
|
||||
goto fail;
|
||||
}
|
||||
|
||||
n = m;
|
||||
while (n->m_next)
|
||||
n = n->m_next;
|
||||
|
||||
if (!(n->m_flags & M_EXT) && siz < M_TRAILINGSPACE(n)) { /* XXX */
|
||||
n->m_len += siz;
|
||||
m->m_pkthdr.len += siz;
|
||||
p = mtod(n, u_char *) + n->m_len - siz;
|
||||
} else {
|
||||
struct mbuf *nn;
|
||||
|
||||
MGET(nn, M_DONTWAIT, MT_DATA);
|
||||
if (!nn) {
|
||||
ipseclog((LOG_DEBUG, "can't alloc mbuf in esp%d_output",
|
||||
afnumber));
|
||||
m_freem(m);
|
||||
error = ENOBUFS;
|
||||
goto fail;
|
||||
}
|
||||
nn->m_len = siz;
|
||||
nn->m_next = NULL;
|
||||
n->m_next = nn;
|
||||
n = nn;
|
||||
m->m_pkthdr.len += siz;
|
||||
p = mtod(nn, u_char *);
|
||||
}
|
||||
bcopy(authbuf, p, siz);
|
||||
|
||||
/* modify IP header (for ESP header part only) */
|
||||
switch (af) {
|
||||
#ifdef INET
|
||||
case AF_INET:
|
||||
ip = mtod(m, struct ip *);
|
||||
if (siz < (IP_MAXPACKET - ntohs(ip->ip_len)))
|
||||
ip->ip_len = htons(ntohs(ip->ip_len) + siz);
|
||||
else {
|
||||
ipseclog((LOG_ERR,
|
||||
"IPv4 ESP output: size exceeds limit\n"));
|
||||
ipsecstat.out_inval++;
|
||||
m_freem(m);
|
||||
error = EMSGSIZE;
|
||||
goto fail;
|
||||
}
|
||||
break;
|
||||
#endif
|
||||
#ifdef INET6
|
||||
case AF_INET6:
|
||||
/* total packet length will be computed in ip6_output() */
|
||||
break;
|
||||
#endif
|
||||
}
|
||||
}
|
||||
|
||||
noantireplay:
|
||||
if (!m) {
|
||||
ipseclog((LOG_ERR,
|
||||
"NULL mbuf after encryption in esp%d_output", afnumber));
|
||||
} else
|
||||
stat->out_success++;
|
||||
stat->out_esphist[sav->alg_enc]++;
|
||||
key_sa_recordxfer(sav, m);
|
||||
return 0;
|
||||
|
||||
fail:
|
||||
#if 1
|
||||
return error;
|
||||
#else
|
||||
panic("something bad in esp_output");
|
||||
#endif
|
||||
}
|
||||
|
||||
#ifdef INET
|
||||
int
|
||||
esp4_output(m, isr)
|
||||
struct mbuf *m;
|
||||
struct ipsecrequest *isr;
|
||||
{
|
||||
struct ip *ip;
|
||||
if (m->m_len < sizeof(struct ip)) {
|
||||
ipseclog((LOG_DEBUG, "esp4_output: first mbuf too short\n"));
|
||||
m_freem(m);
|
||||
return 0;
|
||||
}
|
||||
ip = mtod(m, struct ip *);
|
||||
/* XXX assumes that m->m_next points to payload */
|
||||
return esp_output(m, &ip->ip_p, m->m_next, isr, AF_INET);
|
||||
}
|
||||
#endif /* INET */
|
||||
|
||||
#ifdef INET6
|
||||
int
|
||||
esp6_output(m, nexthdrp, md, isr)
|
||||
struct mbuf *m;
|
||||
u_char *nexthdrp;
|
||||
struct mbuf *md;
|
||||
struct ipsecrequest *isr;
|
||||
{
|
||||
if (m->m_len < sizeof(struct ip6_hdr)) {
|
||||
ipseclog((LOG_DEBUG, "esp6_output: first mbuf too short\n"));
|
||||
m_freem(m);
|
||||
return 0;
|
||||
}
|
||||
return esp_output(m, nexthdrp, md, isr, AF_INET6);
|
||||
}
|
||||
#endif /* INET6 */
|
Loading…
x
Reference in New Issue
Block a user