2 /* $KAME: key.c,v 1.191 2001/06/27 10:46:49 sakane Exp $ */
5 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 * 3. Neither the name of the project nor the names of its contributors
17 * may be used to endorse or promote products derived from this software
18 * without specific prior written permission.
20 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
21 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
24 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34 * This code is referd to RFC 2367
38 #include "opt_inet6.h"
39 #include "opt_ipsec.h"
41 #include <sys/types.h>
42 #include <sys/param.h>
43 #include <sys/systm.h>
44 #include <sys/kernel.h>
46 #include <sys/mutex.h>
48 #include <sys/domain.h>
49 #include <sys/protosw.h>
50 #include <sys/malloc.h>
51 #include <sys/rmlock.h>
52 #include <sys/socket.h>
53 #include <sys/socketvar.h>
54 #include <sys/sysctl.h>
55 #include <sys/errno.h>
57 #include <sys/queue.h>
58 #include <sys/refcount.h>
59 #include <sys/syslog.h>
62 #include <net/if_var.h>
64 #include <net/raw_cb.h>
66 #include <netinet/in.h>
67 #include <netinet/in_systm.h>
68 #include <netinet/ip.h>
69 #include <netinet/in_var.h>
72 #include <netinet/ip6.h>
73 #include <netinet6/in6_var.h>
74 #include <netinet6/ip6_var.h>
77 #if defined(INET) || defined(INET6)
78 #include <netinet/in_pcb.h>
81 #include <netinet6/in6_pcb.h>
84 #include <net/pfkeyv2.h>
85 #include <netipsec/keydb.h>
86 #include <netipsec/key.h>
87 #include <netipsec/keysock.h>
88 #include <netipsec/key_debug.h>
90 #include <netipsec/ipsec.h>
92 #include <netipsec/ipsec6.h>
95 #include <netipsec/xform.h>
97 #include <machine/stdarg.h>
100 #include <sys/random.h>
102 #define FULLMASK 0xff
103 #define _BITS(bytes) ((bytes) << 3)
106 * Note on SA reference counting:
107 * - SAs that are not in DEAD state will have (total external reference + 1)
108 * following value in reference count field. they cannot be freed and are
109 * referenced from SA header.
110 * - SAs that are in DEAD state will have (total external reference)
111 * in reference count field. they are ready to be freed. reference from
112 * SA header will be removed in key_delsav(), when the reference count
113 * field hits 0 (= no external reference other than from SA header.
116 VNET_DEFINE(u_int32_t, key_debug_level) = 0;
117 static VNET_DEFINE(u_int, key_spi_trycnt) = 1000;
118 static VNET_DEFINE(u_int32_t, key_spi_minval) = 0x100;
119 static VNET_DEFINE(u_int32_t, key_spi_maxval) = 0x0fffffff; /* XXX */
120 static VNET_DEFINE(u_int32_t, policy_id) = 0;
121 /*interval to initialize randseed,1(m)*/
122 static VNET_DEFINE(u_int, key_int_random) = 60;
123 /* interval to expire acquiring, 30(s)*/
124 static VNET_DEFINE(u_int, key_larval_lifetime) = 30;
125 /* counter for blocking SADB_ACQUIRE.*/
126 static VNET_DEFINE(int, key_blockacq_count) = 10;
127 /* lifetime for blocking SADB_ACQUIRE.*/
128 static VNET_DEFINE(int, key_blockacq_lifetime) = 20;
129 /* preferred old sa rather than new sa.*/
130 static VNET_DEFINE(int, key_preferred_oldsa) = 1;
131 #define V_key_spi_trycnt VNET(key_spi_trycnt)
132 #define V_key_spi_minval VNET(key_spi_minval)
133 #define V_key_spi_maxval VNET(key_spi_maxval)
134 #define V_policy_id VNET(policy_id)
135 #define V_key_int_random VNET(key_int_random)
136 #define V_key_larval_lifetime VNET(key_larval_lifetime)
137 #define V_key_blockacq_count VNET(key_blockacq_count)
138 #define V_key_blockacq_lifetime VNET(key_blockacq_lifetime)
139 #define V_key_preferred_oldsa VNET(key_preferred_oldsa)
141 static VNET_DEFINE(u_int32_t, acq_seq) = 0;
142 #define V_acq_seq VNET(acq_seq)
145 static VNET_DEFINE(TAILQ_HEAD(_sptree, secpolicy), sptree[IPSEC_DIR_MAX]);
146 static struct rmlock sptree_lock;
147 #define V_sptree VNET(sptree)
148 #define SPTREE_LOCK_INIT() rm_init(&sptree_lock, "sptree")
149 #define SPTREE_LOCK_DESTROY() rm_destroy(&sptree_lock)
150 #define SPTREE_RLOCK_TRACKER struct rm_priotracker sptree_tracker
151 #define SPTREE_RLOCK() rm_rlock(&sptree_lock, &sptree_tracker)
152 #define SPTREE_RUNLOCK() rm_runlock(&sptree_lock, &sptree_tracker)
153 #define SPTREE_RLOCK_ASSERT() rm_assert(&sptree_lock, RA_RLOCKED)
154 #define SPTREE_WLOCK() rm_wlock(&sptree_lock)
155 #define SPTREE_WUNLOCK() rm_wunlock(&sptree_lock)
156 #define SPTREE_WLOCK_ASSERT() rm_assert(&sptree_lock, RA_WLOCKED)
157 #define SPTREE_UNLOCK_ASSERT() rm_assert(&sptree_lock, RA_UNLOCKED)
159 static VNET_DEFINE(LIST_HEAD(_sahtree, secashead), sahtree); /* SAD */
160 #define V_sahtree VNET(sahtree)
161 static struct mtx sahtree_lock;
162 #define SAHTREE_LOCK_INIT() \
163 mtx_init(&sahtree_lock, "sahtree", \
164 "fast ipsec security association database", MTX_DEF)
165 #define SAHTREE_LOCK_DESTROY() mtx_destroy(&sahtree_lock)
166 #define SAHTREE_LOCK() mtx_lock(&sahtree_lock)
167 #define SAHTREE_UNLOCK() mtx_unlock(&sahtree_lock)
168 #define SAHTREE_LOCK_ASSERT() mtx_assert(&sahtree_lock, MA_OWNED)
171 static VNET_DEFINE(LIST_HEAD(_regtree, secreg), regtree[SADB_SATYPE_MAX + 1]);
172 #define V_regtree VNET(regtree)
173 static struct mtx regtree_lock;
174 #define REGTREE_LOCK_INIT() \
175 mtx_init(®tree_lock, "regtree", "fast ipsec regtree", MTX_DEF)
176 #define REGTREE_LOCK_DESTROY() mtx_destroy(®tree_lock)
177 #define REGTREE_LOCK() mtx_lock(®tree_lock)
178 #define REGTREE_UNLOCK() mtx_unlock(®tree_lock)
179 #define REGTREE_LOCK_ASSERT() mtx_assert(®tree_lock, MA_OWNED)
181 static VNET_DEFINE(LIST_HEAD(_acqtree, secacq), acqtree); /* acquiring list */
182 #define V_acqtree VNET(acqtree)
183 static struct mtx acq_lock;
184 #define ACQ_LOCK_INIT() \
185 mtx_init(&acq_lock, "acqtree", "fast ipsec acquire list", MTX_DEF)
186 #define ACQ_LOCK_DESTROY() mtx_destroy(&acq_lock)
187 #define ACQ_LOCK() mtx_lock(&acq_lock)
188 #define ACQ_UNLOCK() mtx_unlock(&acq_lock)
189 #define ACQ_LOCK_ASSERT() mtx_assert(&acq_lock, MA_OWNED)
191 /* SP acquiring list */
192 static VNET_DEFINE(LIST_HEAD(_spacqtree, secspacq), spacqtree);
193 #define V_spacqtree VNET(spacqtree)
194 static struct mtx spacq_lock;
195 #define SPACQ_LOCK_INIT() \
196 mtx_init(&spacq_lock, "spacqtree", \
197 "fast ipsec security policy acquire list", MTX_DEF)
198 #define SPACQ_LOCK_DESTROY() mtx_destroy(&spacq_lock)
199 #define SPACQ_LOCK() mtx_lock(&spacq_lock)
200 #define SPACQ_UNLOCK() mtx_unlock(&spacq_lock)
201 #define SPACQ_LOCK_ASSERT() mtx_assert(&spacq_lock, MA_OWNED)
203 /* search order for SAs */
204 static const u_int saorder_state_valid_prefer_old[] = {
205 SADB_SASTATE_DYING, SADB_SASTATE_MATURE,
207 static const u_int saorder_state_valid_prefer_new[] = {
208 SADB_SASTATE_MATURE, SADB_SASTATE_DYING,
210 static const u_int saorder_state_alive[] = {
212 SADB_SASTATE_MATURE, SADB_SASTATE_DYING, SADB_SASTATE_LARVAL
214 static const u_int saorder_state_any[] = {
215 SADB_SASTATE_MATURE, SADB_SASTATE_DYING,
216 SADB_SASTATE_LARVAL, SADB_SASTATE_DEAD
219 static const int minsize[] = {
220 sizeof(struct sadb_msg), /* SADB_EXT_RESERVED */
221 sizeof(struct sadb_sa), /* SADB_EXT_SA */
222 sizeof(struct sadb_lifetime), /* SADB_EXT_LIFETIME_CURRENT */
223 sizeof(struct sadb_lifetime), /* SADB_EXT_LIFETIME_HARD */
224 sizeof(struct sadb_lifetime), /* SADB_EXT_LIFETIME_SOFT */
225 sizeof(struct sadb_address), /* SADB_EXT_ADDRESS_SRC */
226 sizeof(struct sadb_address), /* SADB_EXT_ADDRESS_DST */
227 sizeof(struct sadb_address), /* SADB_EXT_ADDRESS_PROXY */
228 sizeof(struct sadb_key), /* SADB_EXT_KEY_AUTH */
229 sizeof(struct sadb_key), /* SADB_EXT_KEY_ENCRYPT */
230 sizeof(struct sadb_ident), /* SADB_EXT_IDENTITY_SRC */
231 sizeof(struct sadb_ident), /* SADB_EXT_IDENTITY_DST */
232 sizeof(struct sadb_sens), /* SADB_EXT_SENSITIVITY */
233 sizeof(struct sadb_prop), /* SADB_EXT_PROPOSAL */
234 sizeof(struct sadb_supported), /* SADB_EXT_SUPPORTED_AUTH */
235 sizeof(struct sadb_supported), /* SADB_EXT_SUPPORTED_ENCRYPT */
236 sizeof(struct sadb_spirange), /* SADB_EXT_SPIRANGE */
237 0, /* SADB_X_EXT_KMPRIVATE */
238 sizeof(struct sadb_x_policy), /* SADB_X_EXT_POLICY */
239 sizeof(struct sadb_x_sa2), /* SADB_X_SA2 */
240 sizeof(struct sadb_x_nat_t_type),/* SADB_X_EXT_NAT_T_TYPE */
241 sizeof(struct sadb_x_nat_t_port),/* SADB_X_EXT_NAT_T_SPORT */
242 sizeof(struct sadb_x_nat_t_port),/* SADB_X_EXT_NAT_T_DPORT */
243 sizeof(struct sadb_address), /* SADB_X_EXT_NAT_T_OAI */
244 sizeof(struct sadb_address), /* SADB_X_EXT_NAT_T_OAR */
245 sizeof(struct sadb_x_nat_t_frag),/* SADB_X_EXT_NAT_T_FRAG */
246 sizeof(struct sadb_x_sa_replay), /* SADB_X_EXT_SA_REPLAY */
248 _Static_assert(sizeof(minsize)/sizeof(int) == SADB_EXT_MAX + 1, "minsize size mismatch");
250 static const int maxsize[] = {
251 sizeof(struct sadb_msg), /* SADB_EXT_RESERVED */
252 sizeof(struct sadb_sa), /* SADB_EXT_SA */
253 sizeof(struct sadb_lifetime), /* SADB_EXT_LIFETIME_CURRENT */
254 sizeof(struct sadb_lifetime), /* SADB_EXT_LIFETIME_HARD */
255 sizeof(struct sadb_lifetime), /* SADB_EXT_LIFETIME_SOFT */
256 0, /* SADB_EXT_ADDRESS_SRC */
257 0, /* SADB_EXT_ADDRESS_DST */
258 0, /* SADB_EXT_ADDRESS_PROXY */
259 0, /* SADB_EXT_KEY_AUTH */
260 0, /* SADB_EXT_KEY_ENCRYPT */
261 0, /* SADB_EXT_IDENTITY_SRC */
262 0, /* SADB_EXT_IDENTITY_DST */
263 0, /* SADB_EXT_SENSITIVITY */
264 0, /* SADB_EXT_PROPOSAL */
265 0, /* SADB_EXT_SUPPORTED_AUTH */
266 0, /* SADB_EXT_SUPPORTED_ENCRYPT */
267 sizeof(struct sadb_spirange), /* SADB_EXT_SPIRANGE */
268 0, /* SADB_X_EXT_KMPRIVATE */
269 0, /* SADB_X_EXT_POLICY */
270 sizeof(struct sadb_x_sa2), /* SADB_X_SA2 */
271 sizeof(struct sadb_x_nat_t_type),/* SADB_X_EXT_NAT_T_TYPE */
272 sizeof(struct sadb_x_nat_t_port),/* SADB_X_EXT_NAT_T_SPORT */
273 sizeof(struct sadb_x_nat_t_port),/* SADB_X_EXT_NAT_T_DPORT */
274 0, /* SADB_X_EXT_NAT_T_OAI */
275 0, /* SADB_X_EXT_NAT_T_OAR */
276 sizeof(struct sadb_x_nat_t_frag),/* SADB_X_EXT_NAT_T_FRAG */
277 sizeof(struct sadb_x_sa_replay), /* SADB_X_EXT_SA_REPLAY */
279 _Static_assert(sizeof(maxsize)/sizeof(int) == SADB_EXT_MAX + 1, "minsize size mismatch");
281 static VNET_DEFINE(int, ipsec_esp_keymin) = 256;
282 static VNET_DEFINE(int, ipsec_esp_auth) = 0;
283 static VNET_DEFINE(int, ipsec_ah_keymin) = 128;
285 #define V_ipsec_esp_keymin VNET(ipsec_esp_keymin)
286 #define V_ipsec_esp_auth VNET(ipsec_esp_auth)
287 #define V_ipsec_ah_keymin VNET(ipsec_ah_keymin)
290 SYSCTL_DECL(_net_key);
293 SYSCTL_INT(_net_key, KEYCTL_DEBUG_LEVEL, debug,
294 CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(key_debug_level), 0, "");
296 /* max count of trial for the decision of spi value */
297 SYSCTL_INT(_net_key, KEYCTL_SPI_TRY, spi_trycnt,
298 CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(key_spi_trycnt), 0, "");
300 /* minimum spi value to allocate automatically. */
301 SYSCTL_INT(_net_key, KEYCTL_SPI_MIN_VALUE, spi_minval,
302 CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(key_spi_minval), 0, "");
304 /* maximun spi value to allocate automatically. */
305 SYSCTL_INT(_net_key, KEYCTL_SPI_MAX_VALUE, spi_maxval,
306 CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(key_spi_maxval), 0, "");
308 /* interval to initialize randseed */
309 SYSCTL_INT(_net_key, KEYCTL_RANDOM_INT, int_random,
310 CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(key_int_random), 0, "");
312 /* lifetime for larval SA */
313 SYSCTL_INT(_net_key, KEYCTL_LARVAL_LIFETIME, larval_lifetime,
314 CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(key_larval_lifetime), 0, "");
316 /* counter for blocking to send SADB_ACQUIRE to IKEd */
317 SYSCTL_INT(_net_key, KEYCTL_BLOCKACQ_COUNT, blockacq_count,
318 CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(key_blockacq_count), 0, "");
320 /* lifetime for blocking to send SADB_ACQUIRE to IKEd */
321 SYSCTL_INT(_net_key, KEYCTL_BLOCKACQ_LIFETIME, blockacq_lifetime,
322 CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(key_blockacq_lifetime), 0, "");
325 SYSCTL_INT(_net_key, KEYCTL_ESP_AUTH, esp_auth,
326 CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(ipsec_esp_auth), 0, "");
328 /* minimum ESP key length */
329 SYSCTL_INT(_net_key, KEYCTL_ESP_KEYMIN, esp_keymin,
330 CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(ipsec_esp_keymin), 0, "");
332 /* minimum AH key length */
333 SYSCTL_INT(_net_key, KEYCTL_AH_KEYMIN, ah_keymin,
334 CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(ipsec_ah_keymin), 0, "");
336 /* perfered old SA rather than new SA */
337 SYSCTL_INT(_net_key, KEYCTL_PREFERED_OLDSA, preferred_oldsa,
338 CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(key_preferred_oldsa), 0, "");
340 #define __LIST_CHAINED(elm) \
341 (!((elm)->chain.le_next == NULL && (elm)->chain.le_prev == NULL))
342 #define LIST_INSERT_TAIL(head, elm, type, field) \
344 struct type *curelm = LIST_FIRST(head); \
345 if (curelm == NULL) {\
346 LIST_INSERT_HEAD(head, elm, field); \
348 while (LIST_NEXT(curelm, field)) \
349 curelm = LIST_NEXT(curelm, field);\
350 LIST_INSERT_AFTER(curelm, elm, field);\
354 #define KEY_CHKSASTATE(head, sav, name) \
356 if ((head) != (sav)) { \
357 ipseclog((LOG_DEBUG, "%s: state mismatched (TREE=%d SA=%d)\n", \
358 (name), (head), (sav))); \
363 #define KEY_CHKSPDIR(head, sp, name) \
365 if ((head) != (sp)) { \
366 ipseclog((LOG_DEBUG, "%s: direction mismatched (TREE=%d SP=%d), " \
367 "anyway continue.\n", \
368 (name), (head), (sp))); \
372 MALLOC_DEFINE(M_IPSEC_SA, "secasvar", "ipsec security association");
373 MALLOC_DEFINE(M_IPSEC_SAH, "sahead", "ipsec sa head");
374 MALLOC_DEFINE(M_IPSEC_SP, "ipsecpolicy", "ipsec security policy");
375 MALLOC_DEFINE(M_IPSEC_SR, "ipsecrequest", "ipsec security request");
376 MALLOC_DEFINE(M_IPSEC_MISC, "ipsec-misc", "ipsec miscellaneous");
377 MALLOC_DEFINE(M_IPSEC_SAQ, "ipsec-saq", "ipsec sa acquire");
378 MALLOC_DEFINE(M_IPSEC_SAR, "ipsec-reg", "ipsec sa acquire");
381 * set parameters into secpolicyindex buffer.
382 * Must allocate secpolicyindex buffer passed to this function.
384 #define KEY_SETSECSPIDX(_dir, s, d, ps, pd, ulp, idx) \
386 bzero((idx), sizeof(struct secpolicyindex)); \
387 (idx)->dir = (_dir); \
388 (idx)->prefs = (ps); \
389 (idx)->prefd = (pd); \
390 (idx)->ul_proto = (ulp); \
391 bcopy((s), &(idx)->src, ((const struct sockaddr *)(s))->sa_len); \
392 bcopy((d), &(idx)->dst, ((const struct sockaddr *)(d))->sa_len); \
396 * set parameters into secasindex buffer.
397 * Must allocate secasindex buffer before calling this function.
399 #define KEY_SETSECASIDX(p, m, r, s, d, idx) \
401 bzero((idx), sizeof(struct secasindex)); \
402 (idx)->proto = (p); \
404 (idx)->reqid = (r); \
405 bcopy((s), &(idx)->src, ((const struct sockaddr *)(s))->sa_len); \
406 bcopy((d), &(idx)->dst, ((const struct sockaddr *)(d))->sa_len); \
411 u_long getspi_count; /* the avarage of count to try to get new SPI */
415 struct sadb_msg *msg;
416 struct sadb_ext *ext[SADB_EXT_MAX + 1];
417 int extoff[SADB_EXT_MAX + 1];
418 int extlen[SADB_EXT_MAX + 1];
422 static struct callout key_timer;
425 static struct secasvar *key_allocsa_policy(const struct secasindex *);
426 static void key_freesp_so(struct secpolicy **);
427 static struct secasvar *key_do_allocsa_policy(struct secashead *, u_int);
428 static void key_unlink(struct secpolicy *);
429 static struct secpolicy *key_getsp(struct secpolicyindex *);
430 static struct secpolicy *key_getspbyid(u_int32_t);
431 static u_int32_t key_newreqid(void);
432 static struct mbuf *key_gather_mbuf(struct mbuf *,
433 const struct sadb_msghdr *, int, int, ...);
434 static int key_spdadd(struct socket *, struct mbuf *,
435 const struct sadb_msghdr *);
436 static u_int32_t key_getnewspid(void);
437 static int key_spddelete(struct socket *, struct mbuf *,
438 const struct sadb_msghdr *);
439 static int key_spddelete2(struct socket *, struct mbuf *,
440 const struct sadb_msghdr *);
441 static int key_spdget(struct socket *, struct mbuf *,
442 const struct sadb_msghdr *);
443 static int key_spdflush(struct socket *, struct mbuf *,
444 const struct sadb_msghdr *);
445 static int key_spddump(struct socket *, struct mbuf *,
446 const struct sadb_msghdr *);
447 static struct mbuf *key_setdumpsp(struct secpolicy *,
448 u_int8_t, u_int32_t, u_int32_t);
449 static u_int key_getspreqmsglen(struct secpolicy *);
450 static int key_spdexpire(struct secpolicy *);
451 static struct secashead *key_newsah(struct secasindex *);
452 static void key_delsah(struct secashead *);
453 static struct secasvar *key_newsav(struct mbuf *,
454 const struct sadb_msghdr *, struct secashead *, int *,
456 #define KEY_NEWSAV(m, sadb, sah, e) \
457 key_newsav(m, sadb, sah, e, __FILE__, __LINE__)
458 static void key_delsav(struct secasvar *);
459 static struct secashead *key_getsah(struct secasindex *);
460 static struct secasvar *key_checkspidup(struct secasindex *, u_int32_t);
461 static struct secasvar *key_getsavbyspi(struct secashead *, u_int32_t);
462 static int key_setsaval(struct secasvar *, struct mbuf *,
463 const struct sadb_msghdr *);
464 static int key_mature(struct secasvar *);
465 static struct mbuf *key_setdumpsa(struct secasvar *, u_int8_t,
466 u_int8_t, u_int32_t, u_int32_t);
467 static struct mbuf *key_setsadbmsg(u_int8_t, u_int16_t, u_int8_t,
468 u_int32_t, pid_t, u_int16_t);
469 static struct mbuf *key_setsadbsa(struct secasvar *);
470 static struct mbuf *key_setsadbaddr(u_int16_t,
471 const struct sockaddr *, u_int8_t, u_int16_t);
473 static struct mbuf *key_setsadbxport(u_int16_t, u_int16_t);
474 static struct mbuf *key_setsadbxtype(u_int16_t);
476 static void key_porttosaddr(struct sockaddr *, u_int16_t);
477 #define KEY_PORTTOSADDR(saddr, port) \
478 key_porttosaddr((struct sockaddr *)(saddr), (port))
479 static struct mbuf *key_setsadbxsa2(u_int8_t, u_int32_t, u_int32_t);
480 static struct mbuf *key_setsadbxsareplay(u_int32_t);
481 static struct mbuf *key_setsadbxpolicy(u_int16_t, u_int8_t,
482 u_int32_t, u_int32_t);
483 static struct seckey *key_dup_keymsg(const struct sadb_key *, u_int,
484 struct malloc_type *);
485 static struct seclifetime *key_dup_lifemsg(const struct sadb_lifetime *src,
486 struct malloc_type *type);
488 static int key_ismyaddr6(struct sockaddr_in6 *);
491 /* flags for key_cmpsaidx() */
492 #define CMP_HEAD 1 /* protocol, addresses. */
493 #define CMP_MODE_REQID 2 /* additionally HEAD, reqid, mode. */
494 #define CMP_REQID 3 /* additionally HEAD, reaid. */
495 #define CMP_EXACTLY 4 /* all elements. */
496 static int key_cmpsaidx(const struct secasindex *,
497 const struct secasindex *, int);
498 static int key_cmpspidx_exactly(struct secpolicyindex *,
499 struct secpolicyindex *);
500 static int key_cmpspidx_withmask(struct secpolicyindex *,
501 struct secpolicyindex *);
502 static int key_sockaddrcmp(const struct sockaddr *,
503 const struct sockaddr *, int);
504 static int key_bbcmp(const void *, const void *, u_int);
505 static u_int16_t key_satype2proto(u_int8_t);
506 static u_int8_t key_proto2satype(u_int16_t);
508 static int key_getspi(struct socket *, struct mbuf *,
509 const struct sadb_msghdr *);
510 static u_int32_t key_do_getnewspi(struct sadb_spirange *,
511 struct secasindex *);
512 static int key_update(struct socket *, struct mbuf *,
513 const struct sadb_msghdr *);
514 #ifdef IPSEC_DOSEQCHECK
515 static struct secasvar *key_getsavbyseq(struct secashead *, u_int32_t);
517 static int key_add(struct socket *, struct mbuf *,
518 const struct sadb_msghdr *);
519 static int key_setident(struct secashead *, struct mbuf *,
520 const struct sadb_msghdr *);
521 static struct mbuf *key_getmsgbuf_x1(struct mbuf *,
522 const struct sadb_msghdr *);
523 static int key_delete(struct socket *, struct mbuf *,
524 const struct sadb_msghdr *);
525 static int key_delete_all(struct socket *, struct mbuf *,
526 const struct sadb_msghdr *, u_int16_t);
527 static int key_get(struct socket *, struct mbuf *,
528 const struct sadb_msghdr *);
530 static void key_getcomb_setlifetime(struct sadb_comb *);
531 static struct mbuf *key_getcomb_esp(void);
532 static struct mbuf *key_getcomb_ah(void);
533 static struct mbuf *key_getcomb_ipcomp(void);
534 static struct mbuf *key_getprop(const struct secasindex *);
536 static int key_acquire(const struct secasindex *, struct secpolicy *);
537 static struct secacq *key_newacq(const struct secasindex *);
538 static struct secacq *key_getacq(const struct secasindex *);
539 static struct secacq *key_getacqbyseq(u_int32_t);
540 static struct secspacq *key_newspacq(struct secpolicyindex *);
541 static struct secspacq *key_getspacq(struct secpolicyindex *);
542 static int key_acquire2(struct socket *, struct mbuf *,
543 const struct sadb_msghdr *);
544 static int key_register(struct socket *, struct mbuf *,
545 const struct sadb_msghdr *);
546 static int key_expire(struct secasvar *, int);
547 static int key_flush(struct socket *, struct mbuf *,
548 const struct sadb_msghdr *);
549 static int key_dump(struct socket *, struct mbuf *,
550 const struct sadb_msghdr *);
551 static int key_promisc(struct socket *, struct mbuf *,
552 const struct sadb_msghdr *);
553 static int key_senderror(struct socket *, struct mbuf *, int);
554 static int key_validate_ext(const struct sadb_ext *, int);
555 static int key_align(struct mbuf *, struct sadb_msghdr *);
556 static struct mbuf *key_setlifetime(struct seclifetime *src,
558 static struct mbuf *key_setkey(struct seckey *src, u_int16_t exttype);
561 static const char *key_getfqdn(void);
562 static const char *key_getuserfqdn(void);
564 static void key_sa_chgstate(struct secasvar *, u_int8_t);
567 sa_initref(struct secasvar *sav)
570 refcount_init(&sav->refcnt, 1);
573 sa_addref(struct secasvar *sav)
576 refcount_acquire(&sav->refcnt);
577 IPSEC_ASSERT(sav->refcnt != 0, ("SA refcnt overflow"));
580 sa_delref(struct secasvar *sav)
583 IPSEC_ASSERT(sav->refcnt > 0, ("SA refcnt underflow"));
584 return (refcount_release(&sav->refcnt));
587 #define SP_ADDREF(p) refcount_acquire(&(p)->refcnt)
588 #define SP_DELREF(p) refcount_release(&(p)->refcnt)
591 * Update the refcnt while holding the SPTREE lock.
594 key_addref(struct secpolicy *sp)
601 * Return 0 when there are known to be no SP's for the specified
602 * direction. Otherwise return 1. This is used by IPsec code
603 * to optimize performance.
606 key_havesp(u_int dir)
609 return (dir == IPSEC_DIR_INBOUND || dir == IPSEC_DIR_OUTBOUND ?
610 TAILQ_FIRST(&V_sptree[dir]) != NULL : 1);
613 /* %%% IPsec policy management */
615 * allocating a SP for OUTBOUND or INBOUND packet.
616 * Must call key_freesp() later.
617 * OUT: NULL: not found
618 * others: found and return the pointer.
621 key_allocsp(struct secpolicyindex *spidx, u_int dir, const char* where,
624 SPTREE_RLOCK_TRACKER;
625 struct secpolicy *sp;
627 IPSEC_ASSERT(spidx != NULL, ("null spidx"));
628 IPSEC_ASSERT(dir == IPSEC_DIR_INBOUND || dir == IPSEC_DIR_OUTBOUND,
629 ("invalid direction %u", dir));
631 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
632 printf("DP %s from %s:%u\n", __func__, where, tag));
635 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
636 printf("*** objects\n");
637 kdebug_secpolicyindex(spidx));
640 TAILQ_FOREACH(sp, &V_sptree[dir], chain) {
641 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
642 printf("*** in SPD\n");
643 kdebug_secpolicyindex(&sp->spidx));
644 if (key_cmpspidx_withmask(&sp->spidx, spidx))
651 KEY_CHKSPDIR(sp->spidx.dir, dir, __func__);
653 /* found a SPD entry */
654 sp->lastused = time_second;
659 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
660 printf("DP %s return SP:%p (ID=%u) refcnt %u\n", __func__,
661 sp, sp ? sp->id : 0, sp ? sp->refcnt : 0));
666 * allocating a SP for OUTBOUND or INBOUND packet.
667 * Must call key_freesp() later.
668 * OUT: NULL: not found
669 * others: found and return the pointer.
672 key_allocsp2(u_int32_t spi, union sockaddr_union *dst, u_int8_t proto,
673 u_int dir, const char* where, int tag)
675 SPTREE_RLOCK_TRACKER;
676 struct secpolicy *sp;
678 IPSEC_ASSERT(dst != NULL, ("null dst"));
679 IPSEC_ASSERT(dir == IPSEC_DIR_INBOUND || dir == IPSEC_DIR_OUTBOUND,
680 ("invalid direction %u", dir));
682 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
683 printf("DP %s from %s:%u\n", __func__, where, tag));
686 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
687 printf("*** objects\n");
688 printf("spi %u proto %u dir %u\n", spi, proto, dir);
689 kdebug_sockaddr(&dst->sa));
692 TAILQ_FOREACH(sp, &V_sptree[dir], chain) {
693 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
694 printf("*** in SPD\n");
695 kdebug_secpolicyindex(&sp->spidx));
696 /* compare simple values, then dst address */
697 if (sp->spidx.ul_proto != proto)
699 /* NB: spi's must exist and match */
700 if (!sp->req || !sp->req->sav || sp->req->sav->spi != spi)
702 if (key_sockaddrcmp(&sp->spidx.dst.sa, &dst->sa, 1) == 0)
709 KEY_CHKSPDIR(sp->spidx.dir, dir, __func__);
711 /* found a SPD entry */
712 sp->lastused = time_second;
717 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
718 printf("DP %s return SP:%p (ID=%u) refcnt %u\n", __func__,
719 sp, sp ? sp->id : 0, sp ? sp->refcnt : 0));
725 * return a policy that matches this particular inbound packet.
729 key_gettunnel(const struct sockaddr *osrc,
730 const struct sockaddr *odst,
731 const struct sockaddr *isrc,
732 const struct sockaddr *idst,
733 const char* where, int tag)
735 struct secpolicy *sp;
736 const int dir = IPSEC_DIR_INBOUND;
737 struct ipsecrequest *r1, *r2, *p;
738 struct secpolicyindex spidx;
740 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
741 printf("DP %s from %s:%u\n", __func__, where, tag));
743 if (isrc->sa_family != idst->sa_family) {
744 ipseclog((LOG_ERR, "%s: protocol family mismatched %d != %d\n.",
745 __func__, isrc->sa_family, idst->sa_family));
751 LIST_FOREACH(sp, &V_sptree[dir], chain) {
752 if (sp->state == IPSEC_SPSTATE_DEAD)
756 for (p = sp->req; p; p = p->next) {
757 if (p->saidx.mode != IPSEC_MODE_TUNNEL)
764 /* here we look at address matches only */
766 if (isrc->sa_len > sizeof(spidx.src) ||
767 idst->sa_len > sizeof(spidx.dst))
769 bcopy(isrc, &spidx.src, isrc->sa_len);
770 bcopy(idst, &spidx.dst, idst->sa_len);
771 if (!key_cmpspidx_withmask(&sp->spidx, &spidx))
774 if (key_sockaddrcmp(&r1->saidx.src.sa, isrc, 0) ||
775 key_sockaddrcmp(&r1->saidx.dst.sa, idst, 0))
779 if (key_sockaddrcmp(&r2->saidx.src.sa, osrc, 0) ||
780 key_sockaddrcmp(&r2->saidx.dst.sa, odst, 0))
789 sp->lastused = time_second;
794 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
795 printf("DP %s return SP:%p (ID=%u) refcnt %u\n", __func__,
796 sp, sp ? sp->id : 0, sp ? sp->refcnt : 0));
802 * allocating an SA entry for an *OUTBOUND* packet.
803 * checking each request entries in SP, and acquire an SA if need.
804 * OUT: 0: there are valid requests.
805 * ENOENT: policy may be valid, but SA with REQUIRE is on acquiring.
808 key_checkrequest(struct ipsecrequest *isr, const struct secasindex *saidx)
812 struct secasvar *sav;
814 IPSEC_ASSERT(isr != NULL, ("null isr"));
815 IPSEC_ASSERT(saidx != NULL, ("null saidx"));
816 IPSEC_ASSERT(saidx->mode == IPSEC_MODE_TRANSPORT ||
817 saidx->mode == IPSEC_MODE_TUNNEL,
818 ("unexpected policy %u", saidx->mode));
821 * XXX guard against protocol callbacks from the crypto
822 * thread as they reference ipsecrequest.sav which we
823 * temporarily null out below. Need to rethink how we
824 * handle bundled SA's in the callback thread.
826 IPSECREQUEST_LOCK_ASSERT(isr);
828 /* get current level */
829 level = ipsec_get_reqlevel(isr);
832 * We check new SA in the IPsec request because a different
833 * SA may be involved each time this request is checked, either
834 * because new SAs are being configured, or this request is
835 * associated with an unconnected datagram socket, or this request
836 * is associated with a system default policy.
838 * key_allocsa_policy should allocate the oldest SA available.
839 * See key_do_allocsa_policy(), and draft-jenkins-ipsec-rekeying-03.txt.
841 sav = key_allocsa_policy(saidx);
842 if (sav != isr->sav) {
843 /* SA need to be updated. */
844 if (!IPSECREQUEST_UPGRADE(isr)) {
845 /* Kick everyone off. */
846 IPSECREQUEST_UNLOCK(isr);
847 IPSECREQUEST_WLOCK(isr);
849 if (isr->sav != NULL)
850 KEY_FREESAV(&isr->sav);
852 IPSECREQUEST_DOWNGRADE(isr);
853 } else if (sav != NULL)
856 /* When there is SA. */
857 if (isr->sav != NULL) {
858 if (isr->sav->state != SADB_SASTATE_MATURE &&
859 isr->sav->state != SADB_SASTATE_DYING)
865 error = key_acquire(saidx, isr->sp);
867 /* XXX What should I do ? */
868 ipseclog((LOG_DEBUG, "%s: error %d returned from key_acquire\n",
873 if (level != IPSEC_LEVEL_REQUIRE) {
874 /* XXX sigh, the interface to this routine is botched */
875 IPSEC_ASSERT(isr->sav == NULL, ("unexpected SA"));
883 * allocating a SA for policy entry from SAD.
884 * NOTE: searching SAD of aliving state.
885 * OUT: NULL: not found.
886 * others: found and return the pointer.
888 static struct secasvar *
889 key_allocsa_policy(const struct secasindex *saidx)
891 #define N(a) _ARRAYLEN(a)
892 struct secashead *sah;
893 struct secasvar *sav;
894 u_int stateidx, arraysize;
895 const u_int *state_valid;
897 state_valid = NULL; /* silence gcc */
898 arraysize = 0; /* silence gcc */
901 LIST_FOREACH(sah, &V_sahtree, chain) {
902 if (sah->state == SADB_SASTATE_DEAD)
904 if (key_cmpsaidx(&sah->saidx, saidx, CMP_MODE_REQID)) {
905 if (V_key_preferred_oldsa) {
906 state_valid = saorder_state_valid_prefer_old;
907 arraysize = N(saorder_state_valid_prefer_old);
909 state_valid = saorder_state_valid_prefer_new;
910 arraysize = N(saorder_state_valid_prefer_new);
919 /* search valid state */
920 for (stateidx = 0; stateidx < arraysize; stateidx++) {
921 sav = key_do_allocsa_policy(sah, state_valid[stateidx]);
931 * searching SAD with direction, protocol, mode and state.
932 * called by key_allocsa_policy().
935 * others : found, pointer to a SA.
937 static struct secasvar *
938 key_do_allocsa_policy(struct secashead *sah, u_int state)
940 struct secasvar *sav, *nextsav, *candidate, *d;
946 for (sav = LIST_FIRST(&sah->savtree[state]);
950 nextsav = LIST_NEXT(sav, chain);
953 KEY_CHKSASTATE(sav->state, state, __func__);
956 if (candidate == NULL) {
961 /* Which SA is the better ? */
963 IPSEC_ASSERT(candidate->lft_c != NULL,
964 ("null candidate lifetime"));
965 IPSEC_ASSERT(sav->lft_c != NULL, ("null sav lifetime"));
967 /* What the best method is to compare ? */
968 if (V_key_preferred_oldsa) {
969 if (candidate->lft_c->addtime >
970 sav->lft_c->addtime) {
977 /* preferred new sa rather than old sa */
978 if (candidate->lft_c->addtime <
979 sav->lft_c->addtime) {
986 * prepared to delete the SA when there is more
987 * suitable candidate and the lifetime of the SA is not
990 if (d->lft_h->addtime != 0) {
991 struct mbuf *m, *result;
994 key_sa_chgstate(d, SADB_SASTATE_DEAD);
996 IPSEC_ASSERT(d->refcnt > 0, ("bogus ref count"));
998 satype = key_proto2satype(d->sah->saidx.proto);
1002 m = key_setsadbmsg(SADB_DELETE, 0,
1003 satype, 0, 0, d->refcnt - 1);
1008 /* set sadb_address for saidx's. */
1009 m = key_setsadbaddr(SADB_EXT_ADDRESS_SRC,
1010 &d->sah->saidx.src.sa,
1011 d->sah->saidx.src.sa.sa_len << 3,
1017 /* set sadb_address for saidx's. */
1018 m = key_setsadbaddr(SADB_EXT_ADDRESS_DST,
1019 &d->sah->saidx.dst.sa,
1020 d->sah->saidx.dst.sa.sa_len << 3,
1026 /* create SA extension */
1027 m = key_setsadbsa(d);
1032 if (result->m_len < sizeof(struct sadb_msg)) {
1033 result = m_pullup(result,
1034 sizeof(struct sadb_msg));
1039 result->m_pkthdr.len = 0;
1040 for (m = result; m; m = m->m_next)
1041 result->m_pkthdr.len += m->m_len;
1042 mtod(result, struct sadb_msg *)->sadb_msg_len =
1043 PFKEY_UNIT64(result->m_pkthdr.len);
1045 if (key_sendup_mbuf(NULL, result,
1046 KEY_SENDUP_REGISTERED))
1053 sa_addref(candidate);
1054 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
1055 printf("DP %s cause refcnt++:%d SA:%p\n",
1056 __func__, candidate->refcnt, candidate));
1064 * allocating a usable SA entry for a *INBOUND* packet.
1065 * Must call key_freesav() later.
1066 * OUT: positive: pointer to a usable sav (i.e. MATURE or DYING state).
1067 * NULL: not found, or error occurred.
1069 * In the comparison, no source address is used--for RFC2401 conformance.
1070 * To quote, from section 4.1:
1071 * A security association is uniquely identified by a triple consisting
1072 * of a Security Parameter Index (SPI), an IP Destination Address, and a
1073 * security protocol (AH or ESP) identifier.
1074 * Note that, however, we do need to keep source address in IPsec SA.
1075 * IKE specification and PF_KEY specification do assume that we
1076 * keep source address in IPsec SA. We see a tricky situation here.
1079 key_allocsa(union sockaddr_union *dst, u_int proto, u_int32_t spi,
1080 const char* where, int tag)
1082 struct secashead *sah;
1083 struct secasvar *sav;
1084 u_int stateidx, arraysize, state;
1085 const u_int *saorder_state_valid;
1090 IPSEC_ASSERT(dst != NULL, ("null dst address"));
1092 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
1093 printf("DP %s from %s:%u\n", __func__, where, tag));
1096 natt_chkport = (dst->sa.sa_family == AF_INET &&
1097 dst->sa.sa_len == sizeof(struct sockaddr_in) &&
1098 dst->sin.sin_port != 0);
1103 * XXX: to be checked internal IP header somewhere. Also when
1104 * IPsec tunnel packet is received. But ESP tunnel mode is
1105 * encrypted so we can't check internal IP header.
1108 if (V_key_preferred_oldsa) {
1109 saorder_state_valid = saorder_state_valid_prefer_old;
1110 arraysize = _ARRAYLEN(saorder_state_valid_prefer_old);
1112 saorder_state_valid = saorder_state_valid_prefer_new;
1113 arraysize = _ARRAYLEN(saorder_state_valid_prefer_new);
1115 LIST_FOREACH(sah, &V_sahtree, chain) {
1118 /* search valid state */
1119 for (stateidx = 0; stateidx < arraysize; stateidx++) {
1120 state = saorder_state_valid[stateidx];
1121 LIST_FOREACH(sav, &sah->savtree[state], chain) {
1123 KEY_CHKSASTATE(sav->state, state, __func__);
1124 /* do not return entries w/ unusable state */
1125 if (sav->state != SADB_SASTATE_MATURE &&
1126 sav->state != SADB_SASTATE_DYING)
1128 if (proto != sav->sah->saidx.proto)
1130 if (spi != sav->spi)
1135 * Really only check ports when this is a NAT-T
1136 * SA. Otherwise other lookups providing ports
1139 if (sav->natt_type && natt_chkport)
1142 #if 0 /* don't check src */
1143 /* check src address */
1144 if (key_sockaddrcmp(&src->sa,
1145 &sav->sah->saidx.src.sa, checkport) != 0)
1148 /* check dst address */
1149 if (key_sockaddrcmp(&dst->sa,
1150 &sav->sah->saidx.dst.sa, checkport) != 0)
1161 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
1162 printf("DP %s return SA:%p; refcnt %u\n", __func__,
1163 sav, sav ? sav->refcnt : 0));
1168 key_allocsa_tunnel(union sockaddr_union *src, union sockaddr_union *dst,
1169 u_int proto, const char* where, int tag)
1171 struct secashead *sah;
1172 struct secasvar *sav;
1173 u_int stateidx, arraysize, state;
1174 const u_int *saorder_state_valid;
1176 IPSEC_ASSERT(src != NULL, ("null src address"));
1177 IPSEC_ASSERT(dst != NULL, ("null dst address"));
1178 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
1179 printf("DP %s from %s:%u\n", __func__, where, tag));
1182 if (V_key_preferred_oldsa) {
1183 saorder_state_valid = saorder_state_valid_prefer_old;
1184 arraysize = _ARRAYLEN(saorder_state_valid_prefer_old);
1186 saorder_state_valid = saorder_state_valid_prefer_new;
1187 arraysize = _ARRAYLEN(saorder_state_valid_prefer_new);
1189 LIST_FOREACH(sah, &V_sahtree, chain) {
1190 /* search valid state */
1191 for (stateidx = 0; stateidx < arraysize; stateidx++) {
1192 state = saorder_state_valid[stateidx];
1193 LIST_FOREACH(sav, &sah->savtree[state], chain) {
1195 KEY_CHKSASTATE(sav->state, state, __func__);
1196 /* do not return entries w/ unusable state */
1197 if (sav->state != SADB_SASTATE_MATURE &&
1198 sav->state != SADB_SASTATE_DYING)
1200 if (IPSEC_MODE_TUNNEL != sav->sah->saidx.mode)
1202 if (proto != sav->sah->saidx.proto)
1204 /* check src address */
1205 if (key_sockaddrcmp(&src->sa,
1206 &sav->sah->saidx.src.sa, 0) != 0)
1208 /* check dst address */
1209 if (key_sockaddrcmp(&dst->sa,
1210 &sav->sah->saidx.dst.sa, 0) != 0)
1221 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
1222 printf("DP %s return SA:%p; refcnt %u\n", __func__,
1223 sav, sav ? sav->refcnt : 0));
1228 * Must be called after calling key_allocsp().
1229 * For both the packet without socket and key_freeso().
1232 _key_freesp(struct secpolicy **spp, const char* where, int tag)
1234 struct ipsecrequest *isr, *nextisr;
1235 struct secpolicy *sp = *spp;
1237 IPSEC_ASSERT(sp != NULL, ("null sp"));
1238 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
1239 printf("DP %s SP:%p (ID=%u) from %s:%u; refcnt now %u\n",
1240 __func__, sp, sp->id, where, tag, sp->refcnt));
1242 if (SP_DELREF(sp) == 0)
1245 for (isr = sp->req; isr != NULL; isr = nextisr) {
1246 if (isr->sav != NULL) {
1247 KEY_FREESAV(&isr->sav);
1250 nextisr = isr->next;
1253 free(sp, M_IPSEC_SP);
1257 key_unlink(struct secpolicy *sp)
1260 IPSEC_ASSERT(sp != NULL, ("null sp"));
1261 IPSEC_ASSERT(sp->spidx.dir == IPSEC_DIR_INBOUND ||
1262 sp->spidx.dir == IPSEC_DIR_OUTBOUND,
1263 ("invalid direction %u", sp->spidx.dir));
1264 SPTREE_UNLOCK_ASSERT();
1267 if (sp->state == IPSEC_SPSTATE_DEAD) {
1271 sp->state = IPSEC_SPSTATE_DEAD;
1272 TAILQ_REMOVE(&V_sptree[sp->spidx.dir], sp, chain);
1278 * insert a secpolicy into the SP database. Lower priorities first
1281 key_insertsp(struct secpolicy *newsp)
1283 struct secpolicy *sp;
1286 TAILQ_FOREACH(sp, &V_sptree[newsp->spidx.dir], chain) {
1287 if (newsp->priority < sp->priority) {
1288 TAILQ_INSERT_BEFORE(sp, newsp, chain);
1293 TAILQ_INSERT_TAIL(&V_sptree[newsp->spidx.dir], newsp, chain);
1296 newsp->state = IPSEC_SPSTATE_ALIVE;
1301 * Must be called after calling key_allocsp().
1302 * For the packet with socket.
1305 key_freeso(struct socket *so)
1307 IPSEC_ASSERT(so != NULL, ("null so"));
1309 switch (so->so_proto->pr_domain->dom_family) {
1310 #if defined(INET) || defined(INET6)
1318 struct inpcb *pcb = sotoinpcb(so);
1320 /* Does it have a PCB ? */
1323 key_freesp_so(&pcb->inp_sp->sp_in);
1324 key_freesp_so(&pcb->inp_sp->sp_out);
1327 #endif /* INET || INET6 */
1329 ipseclog((LOG_DEBUG, "%s: unknown address family=%d.\n",
1330 __func__, so->so_proto->pr_domain->dom_family));
1336 key_freesp_so(struct secpolicy **sp)
1338 IPSEC_ASSERT(sp != NULL && *sp != NULL, ("null sp"));
1340 if ((*sp)->policy == IPSEC_POLICY_ENTRUST ||
1341 (*sp)->policy == IPSEC_POLICY_BYPASS)
1344 IPSEC_ASSERT((*sp)->policy == IPSEC_POLICY_IPSEC,
1345 ("invalid policy %u", (*sp)->policy));
1350 key_addrefsa(struct secasvar *sav, const char* where, int tag)
1353 IPSEC_ASSERT(sav != NULL, ("null sav"));
1354 IPSEC_ASSERT(sav->refcnt > 0, ("refcount must exist"));
1360 * Must be called after calling key_allocsa().
1361 * This function is called by key_freesp() to free some SA allocated
1365 key_freesav(struct secasvar **psav, const char* where, int tag)
1367 struct secasvar *sav = *psav;
1369 IPSEC_ASSERT(sav != NULL, ("null sav"));
1371 if (sa_delref(sav)) {
1372 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
1373 printf("DP %s SA:%p (SPI %u) from %s:%u; refcnt now %u\n",
1374 __func__, sav, ntohl(sav->spi), where, tag, sav->refcnt));
1378 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
1379 printf("DP %s SA:%p (SPI %u) from %s:%u; refcnt now %u\n",
1380 __func__, sav, ntohl(sav->spi), where, tag, sav->refcnt));
1384 /* %%% SPD management */
1387 * OUT: NULL : not found
1388 * others : found, pointer to a SP.
1390 static struct secpolicy *
1391 key_getsp(struct secpolicyindex *spidx)
1393 SPTREE_RLOCK_TRACKER;
1394 struct secpolicy *sp;
1396 IPSEC_ASSERT(spidx != NULL, ("null spidx"));
1399 TAILQ_FOREACH(sp, &V_sptree[spidx->dir], chain) {
1400 if (key_cmpspidx_exactly(spidx, &sp->spidx)) {
1412 * OUT: NULL : not found
1413 * others : found, pointer to a SP.
1415 static struct secpolicy *
1416 key_getspbyid(u_int32_t id)
1418 SPTREE_RLOCK_TRACKER;
1419 struct secpolicy *sp;
1422 TAILQ_FOREACH(sp, &V_sptree[IPSEC_DIR_INBOUND], chain) {
1429 TAILQ_FOREACH(sp, &V_sptree[IPSEC_DIR_OUTBOUND], chain) {
1442 key_newsp(const char* where, int tag)
1444 struct secpolicy *newsp = NULL;
1446 newsp = (struct secpolicy *)
1447 malloc(sizeof(struct secpolicy), M_IPSEC_SP, M_NOWAIT|M_ZERO);
1449 refcount_init(&newsp->refcnt, 1);
1451 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
1452 printf("DP %s from %s:%u return SP:%p\n", __func__,
1453 where, tag, newsp));
1458 * create secpolicy structure from sadb_x_policy structure.
1459 * NOTE: `state', `secpolicyindex' in secpolicy structure are not set,
1460 * so must be set properly later.
1463 key_msg2sp(struct sadb_x_policy *xpl0, size_t len, int *error)
1465 struct secpolicy *newsp;
1467 IPSEC_ASSERT(xpl0 != NULL, ("null xpl0"));
1468 IPSEC_ASSERT(len >= sizeof(*xpl0), ("policy too short: %zu", len));
1470 if (len != PFKEY_EXTLEN(xpl0)) {
1471 ipseclog((LOG_DEBUG, "%s: Invalid msg length.\n", __func__));
1476 if ((newsp = KEY_NEWSP()) == NULL) {
1481 newsp->spidx.dir = xpl0->sadb_x_policy_dir;
1482 newsp->policy = xpl0->sadb_x_policy_type;
1483 newsp->priority = xpl0->sadb_x_policy_priority;
1486 switch (xpl0->sadb_x_policy_type) {
1487 case IPSEC_POLICY_DISCARD:
1488 case IPSEC_POLICY_NONE:
1489 case IPSEC_POLICY_ENTRUST:
1490 case IPSEC_POLICY_BYPASS:
1494 case IPSEC_POLICY_IPSEC:
1497 struct sadb_x_ipsecrequest *xisr;
1498 struct ipsecrequest **p_isr = &newsp->req;
1500 /* validity check */
1501 if (PFKEY_EXTLEN(xpl0) < sizeof(*xpl0)) {
1502 ipseclog((LOG_DEBUG, "%s: Invalid msg length.\n",
1509 tlen = PFKEY_EXTLEN(xpl0) - sizeof(*xpl0);
1510 xisr = (struct sadb_x_ipsecrequest *)(xpl0 + 1);
1514 if (xisr->sadb_x_ipsecrequest_len < sizeof(*xisr)) {
1515 ipseclog((LOG_DEBUG, "%s: invalid ipsecrequest "
1516 "length.\n", __func__));
1522 /* allocate request buffer */
1523 /* NB: data structure is zero'd */
1524 *p_isr = ipsec_newisr();
1525 if ((*p_isr) == NULL) {
1526 ipseclog((LOG_DEBUG,
1527 "%s: No more memory.\n", __func__));
1534 switch (xisr->sadb_x_ipsecrequest_proto) {
1537 case IPPROTO_IPCOMP:
1540 ipseclog((LOG_DEBUG,
1541 "%s: invalid proto type=%u\n", __func__,
1542 xisr->sadb_x_ipsecrequest_proto));
1544 *error = EPROTONOSUPPORT;
1547 (*p_isr)->saidx.proto = xisr->sadb_x_ipsecrequest_proto;
1549 switch (xisr->sadb_x_ipsecrequest_mode) {
1550 case IPSEC_MODE_TRANSPORT:
1551 case IPSEC_MODE_TUNNEL:
1553 case IPSEC_MODE_ANY:
1555 ipseclog((LOG_DEBUG,
1556 "%s: invalid mode=%u\n", __func__,
1557 xisr->sadb_x_ipsecrequest_mode));
1562 (*p_isr)->saidx.mode = xisr->sadb_x_ipsecrequest_mode;
1564 switch (xisr->sadb_x_ipsecrequest_level) {
1565 case IPSEC_LEVEL_DEFAULT:
1566 case IPSEC_LEVEL_USE:
1567 case IPSEC_LEVEL_REQUIRE:
1569 case IPSEC_LEVEL_UNIQUE:
1570 /* validity check */
1572 * If range violation of reqid, kernel will
1573 * update it, don't refuse it.
1575 if (xisr->sadb_x_ipsecrequest_reqid
1576 > IPSEC_MANUAL_REQID_MAX) {
1577 ipseclog((LOG_DEBUG,
1578 "%s: reqid=%d range "
1579 "violation, updated by kernel.\n",
1581 xisr->sadb_x_ipsecrequest_reqid));
1582 xisr->sadb_x_ipsecrequest_reqid = 0;
1585 /* allocate new reqid id if reqid is zero. */
1586 if (xisr->sadb_x_ipsecrequest_reqid == 0) {
1588 if ((reqid = key_newreqid()) == 0) {
1593 (*p_isr)->saidx.reqid = reqid;
1594 xisr->sadb_x_ipsecrequest_reqid = reqid;
1596 /* set it for manual keying. */
1597 (*p_isr)->saidx.reqid =
1598 xisr->sadb_x_ipsecrequest_reqid;
1603 ipseclog((LOG_DEBUG, "%s: invalid level=%u\n",
1605 xisr->sadb_x_ipsecrequest_level));
1610 (*p_isr)->level = xisr->sadb_x_ipsecrequest_level;
1612 /* set IP addresses if there */
1613 if (xisr->sadb_x_ipsecrequest_len > sizeof(*xisr)) {
1614 struct sockaddr *paddr;
1616 paddr = (struct sockaddr *)(xisr + 1);
1618 /* validity check */
1620 > sizeof((*p_isr)->saidx.src)) {
1621 ipseclog((LOG_DEBUG, "%s: invalid "
1622 "request address length.\n",
1628 bcopy(paddr, &(*p_isr)->saidx.src,
1631 paddr = (struct sockaddr *)((caddr_t)paddr
1634 /* validity check */
1636 > sizeof((*p_isr)->saidx.dst)) {
1637 ipseclog((LOG_DEBUG, "%s: invalid "
1638 "request address length.\n",
1644 bcopy(paddr, &(*p_isr)->saidx.dst,
1648 (*p_isr)->sp = newsp;
1650 /* initialization for the next. */
1651 p_isr = &(*p_isr)->next;
1652 tlen -= xisr->sadb_x_ipsecrequest_len;
1654 /* validity check */
1656 ipseclog((LOG_DEBUG, "%s: becoming tlen < 0.\n",
1663 xisr = (struct sadb_x_ipsecrequest *)((caddr_t)xisr
1664 + xisr->sadb_x_ipsecrequest_len);
1669 ipseclog((LOG_DEBUG, "%s: invalid policy type.\n", __func__));
1682 static u_int32_t auto_reqid = IPSEC_MANUAL_REQID_MAX + 1;
1684 auto_reqid = (auto_reqid == ~0
1685 ? IPSEC_MANUAL_REQID_MAX + 1 : auto_reqid + 1);
1687 /* XXX should be unique check */
1693 * copy secpolicy struct to sadb_x_policy structure indicated.
1696 key_sp2msg(struct secpolicy *sp)
1698 struct sadb_x_policy *xpl;
1703 IPSEC_ASSERT(sp != NULL, ("null policy"));
1705 tlen = key_getspreqmsglen(sp);
1707 m = m_get2(tlen, M_NOWAIT, MT_DATA, 0);
1712 xpl = mtod(m, struct sadb_x_policy *);
1715 xpl->sadb_x_policy_len = PFKEY_UNIT64(tlen);
1716 xpl->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
1717 xpl->sadb_x_policy_type = sp->policy;
1718 xpl->sadb_x_policy_dir = sp->spidx.dir;
1719 xpl->sadb_x_policy_id = sp->id;
1720 xpl->sadb_x_policy_priority = sp->priority;
1721 p = (caddr_t)xpl + sizeof(*xpl);
1723 /* if is the policy for ipsec ? */
1724 if (sp->policy == IPSEC_POLICY_IPSEC) {
1725 struct sadb_x_ipsecrequest *xisr;
1726 struct ipsecrequest *isr;
1728 for (isr = sp->req; isr != NULL; isr = isr->next) {
1730 xisr = (struct sadb_x_ipsecrequest *)p;
1732 xisr->sadb_x_ipsecrequest_proto = isr->saidx.proto;
1733 xisr->sadb_x_ipsecrequest_mode = isr->saidx.mode;
1734 xisr->sadb_x_ipsecrequest_level = isr->level;
1735 xisr->sadb_x_ipsecrequest_reqid = isr->saidx.reqid;
1738 bcopy(&isr->saidx.src, p, isr->saidx.src.sa.sa_len);
1739 p += isr->saidx.src.sa.sa_len;
1740 bcopy(&isr->saidx.dst, p, isr->saidx.dst.sa.sa_len);
1741 p += isr->saidx.src.sa.sa_len;
1743 xisr->sadb_x_ipsecrequest_len =
1744 PFKEY_ALIGN8(sizeof(*xisr)
1745 + isr->saidx.src.sa.sa_len
1746 + isr->saidx.dst.sa.sa_len);
1753 /* m will not be freed nor modified */
1754 static struct mbuf *
1755 key_gather_mbuf(struct mbuf *m, const struct sadb_msghdr *mhp,
1756 int ndeep, int nitem, ...)
1761 struct mbuf *result = NULL, *n;
1764 IPSEC_ASSERT(m != NULL, ("null mbuf"));
1765 IPSEC_ASSERT(mhp != NULL, ("null msghdr"));
1767 va_start(ap, nitem);
1768 for (i = 0; i < nitem; i++) {
1769 idx = va_arg(ap, int);
1770 if (idx < 0 || idx > SADB_EXT_MAX)
1772 /* don't attempt to pull empty extension */
1773 if (idx == SADB_EXT_RESERVED && mhp->msg == NULL)
1775 if (idx != SADB_EXT_RESERVED &&
1776 (mhp->ext[idx] == NULL || mhp->extlen[idx] == 0))
1779 if (idx == SADB_EXT_RESERVED) {
1780 len = PFKEY_ALIGN8(sizeof(struct sadb_msg));
1782 IPSEC_ASSERT(len <= MHLEN, ("header too big %u", len));
1784 MGETHDR(n, M_NOWAIT, MT_DATA);
1789 m_copydata(m, 0, sizeof(struct sadb_msg),
1791 } else if (i < ndeep) {
1792 len = mhp->extlen[idx];
1793 n = m_get2(len, M_NOWAIT, MT_DATA, 0);
1798 m_copydata(m, mhp->extoff[idx], mhp->extlen[idx],
1801 n = m_copym(m, mhp->extoff[idx], mhp->extlen[idx],
1814 if ((result->m_flags & M_PKTHDR) != 0) {
1815 result->m_pkthdr.len = 0;
1816 for (n = result; n; n = n->m_next)
1817 result->m_pkthdr.len += n->m_len;
1829 * SADB_X_SPDADD, SADB_X_SPDSETIDX or SADB_X_SPDUPDATE processing
1830 * add an entry to SP database, when received
1831 * <base, address(SD), (lifetime(H),) policy>
1833 * Adding to SP database,
1835 * <base, address(SD), (lifetime(H),) policy>
1836 * to the socket which was send.
1838 * SPDADD set a unique policy entry.
1839 * SPDSETIDX like SPDADD without a part of policy requests.
1840 * SPDUPDATE replace a unique policy entry.
1842 * m will always be freed.
1845 key_spdadd(struct socket *so, struct mbuf *m, const struct sadb_msghdr *mhp)
1847 struct sadb_address *src0, *dst0;
1848 struct sadb_x_policy *xpl0, *xpl;
1849 struct sadb_lifetime *lft = NULL;
1850 struct secpolicyindex spidx;
1851 struct secpolicy *newsp;
1854 IPSEC_ASSERT(so != NULL, ("null socket"));
1855 IPSEC_ASSERT(m != NULL, ("null mbuf"));
1856 IPSEC_ASSERT(mhp != NULL, ("null msghdr"));
1857 IPSEC_ASSERT(mhp->msg != NULL, ("null msg"));
1859 if (mhp->ext[SADB_EXT_ADDRESS_SRC] == NULL ||
1860 mhp->ext[SADB_EXT_ADDRESS_DST] == NULL ||
1861 mhp->ext[SADB_X_EXT_POLICY] == NULL) {
1862 ipseclog((LOG_DEBUG, "key_spdadd: invalid message is passed.\n"));
1863 return key_senderror(so, m, EINVAL);
1865 if (mhp->extlen[SADB_EXT_ADDRESS_SRC] < sizeof(struct sadb_address) ||
1866 mhp->extlen[SADB_EXT_ADDRESS_DST] < sizeof(struct sadb_address) ||
1867 mhp->extlen[SADB_X_EXT_POLICY] < sizeof(struct sadb_x_policy)) {
1868 ipseclog((LOG_DEBUG, "%s: invalid message is passed.\n",
1870 return key_senderror(so, m, EINVAL);
1872 if (mhp->ext[SADB_EXT_LIFETIME_HARD] != NULL) {
1873 if (mhp->extlen[SADB_EXT_LIFETIME_HARD]
1874 < sizeof(struct sadb_lifetime)) {
1875 ipseclog((LOG_DEBUG, "%s: invalid message is passed.\n",
1877 return key_senderror(so, m, EINVAL);
1879 lft = (struct sadb_lifetime *)mhp->ext[SADB_EXT_LIFETIME_HARD];
1882 src0 = (struct sadb_address *)mhp->ext[SADB_EXT_ADDRESS_SRC];
1883 dst0 = (struct sadb_address *)mhp->ext[SADB_EXT_ADDRESS_DST];
1884 xpl0 = (struct sadb_x_policy *)mhp->ext[SADB_X_EXT_POLICY];
1887 * Note: do not parse SADB_X_EXT_NAT_T_* here:
1888 * we are processing traffic endpoints.
1892 /* XXX boundary check against sa_len */
1893 KEY_SETSECSPIDX(xpl0->sadb_x_policy_dir,
1896 src0->sadb_address_prefixlen,
1897 dst0->sadb_address_prefixlen,
1898 src0->sadb_address_proto,
1901 /* checking the direciton. */
1902 switch (xpl0->sadb_x_policy_dir) {
1903 case IPSEC_DIR_INBOUND:
1904 case IPSEC_DIR_OUTBOUND:
1907 ipseclog((LOG_DEBUG, "%s: Invalid SP direction.\n", __func__));
1908 mhp->msg->sadb_msg_errno = EINVAL;
1913 /* key_spdadd() accepts DISCARD, NONE and IPSEC. */
1914 if (xpl0->sadb_x_policy_type == IPSEC_POLICY_ENTRUST
1915 || xpl0->sadb_x_policy_type == IPSEC_POLICY_BYPASS) {
1916 ipseclog((LOG_DEBUG, "%s: Invalid policy type.\n", __func__));
1917 return key_senderror(so, m, EINVAL);
1920 /* policy requests are mandatory when action is ipsec. */
1921 if (mhp->msg->sadb_msg_type != SADB_X_SPDSETIDX
1922 && xpl0->sadb_x_policy_type == IPSEC_POLICY_IPSEC
1923 && mhp->extlen[SADB_X_EXT_POLICY] <= sizeof(*xpl0)) {
1924 ipseclog((LOG_DEBUG, "%s: some policy requests part required\n",
1926 return key_senderror(so, m, EINVAL);
1930 * checking there is SP already or not.
1931 * SPDUPDATE doesn't depend on whether there is a SP or not.
1932 * If the type is either SPDADD or SPDSETIDX AND a SP is found,
1935 newsp = key_getsp(&spidx);
1936 if (mhp->msg->sadb_msg_type == SADB_X_SPDUPDATE) {
1942 if (newsp != NULL) {
1944 ipseclog((LOG_DEBUG, "%s: a SP entry exists already.\n",
1946 return key_senderror(so, m, EEXIST);
1950 /* XXX: there is race between key_getsp and key_msg2sp. */
1952 /* allocation new SP entry */
1953 if ((newsp = key_msg2sp(xpl0, PFKEY_EXTLEN(xpl0), &error)) == NULL) {
1954 return key_senderror(so, m, error);
1957 if ((newsp->id = key_getnewspid()) == 0) {
1959 return key_senderror(so, m, ENOBUFS);
1962 /* XXX boundary check against sa_len */
1963 KEY_SETSECSPIDX(xpl0->sadb_x_policy_dir,
1966 src0->sadb_address_prefixlen,
1967 dst0->sadb_address_prefixlen,
1968 src0->sadb_address_proto,
1971 /* sanity check on addr pair */
1972 if (((struct sockaddr *)(src0 + 1))->sa_family !=
1973 ((struct sockaddr *)(dst0+ 1))->sa_family) {
1975 return key_senderror(so, m, EINVAL);
1977 if (((struct sockaddr *)(src0 + 1))->sa_len !=
1978 ((struct sockaddr *)(dst0+ 1))->sa_len) {
1980 return key_senderror(so, m, EINVAL);
1983 if (newsp->req && newsp->req->saidx.src.sa.sa_family &&
1984 newsp->req->saidx.dst.sa.sa_family) {
1985 if (newsp->req->saidx.src.sa.sa_family !=
1986 newsp->req->saidx.dst.sa.sa_family) {
1988 return key_senderror(so, m, EINVAL);
1993 newsp->created = time_second;
1994 newsp->lastused = newsp->created;
1995 newsp->lifetime = lft ? lft->sadb_lifetime_addtime : 0;
1996 newsp->validtime = lft ? lft->sadb_lifetime_usetime : 0;
1998 key_insertsp(newsp);
2000 /* delete the entry in spacqtree */
2001 if (mhp->msg->sadb_msg_type == SADB_X_SPDUPDATE) {
2002 struct secspacq *spacq = key_getspacq(&spidx);
2003 if (spacq != NULL) {
2004 /* reset counter in order to deletion by timehandler. */
2005 spacq->created = time_second;
2012 struct mbuf *n, *mpolicy;
2013 struct sadb_msg *newmsg;
2017 * Note: do not send SADB_X_EXT_NAT_T_* here:
2018 * we are sending traffic endpoints.
2021 /* create new sadb_msg to reply. */
2023 n = key_gather_mbuf(m, mhp, 2, 5, SADB_EXT_RESERVED,
2024 SADB_X_EXT_POLICY, SADB_EXT_LIFETIME_HARD,
2025 SADB_EXT_ADDRESS_SRC, SADB_EXT_ADDRESS_DST);
2027 n = key_gather_mbuf(m, mhp, 2, 4, SADB_EXT_RESERVED,
2029 SADB_EXT_ADDRESS_SRC, SADB_EXT_ADDRESS_DST);
2032 return key_senderror(so, m, ENOBUFS);
2034 if (n->m_len < sizeof(*newmsg)) {
2035 n = m_pullup(n, sizeof(*newmsg));
2037 return key_senderror(so, m, ENOBUFS);
2039 newmsg = mtod(n, struct sadb_msg *);
2040 newmsg->sadb_msg_errno = 0;
2041 newmsg->sadb_msg_len = PFKEY_UNIT64(n->m_pkthdr.len);
2044 mpolicy = m_pulldown(n, PFKEY_ALIGN8(sizeof(struct sadb_msg)),
2045 sizeof(*xpl), &off);
2046 if (mpolicy == NULL) {
2047 /* n is already freed */
2048 return key_senderror(so, m, ENOBUFS);
2050 xpl = (struct sadb_x_policy *)(mtod(mpolicy, caddr_t) + off);
2051 if (xpl->sadb_x_policy_exttype != SADB_X_EXT_POLICY) {
2053 return key_senderror(so, m, EINVAL);
2055 xpl->sadb_x_policy_id = newsp->id;
2058 return key_sendup_mbuf(so, n, KEY_SENDUP_ALL);
2063 * get new policy id.
2071 u_int32_t newid = 0;
2072 int count = V_key_spi_trycnt; /* XXX */
2073 struct secpolicy *sp;
2075 /* when requesting to allocate spi ranged */
2077 newid = (V_policy_id = (V_policy_id == ~0 ? 1 : V_policy_id + 1));
2079 if ((sp = key_getspbyid(newid)) == NULL)
2085 if (count == 0 || newid == 0) {
2086 ipseclog((LOG_DEBUG, "%s: to allocate policy id is failed.\n",
2095 * SADB_SPDDELETE processing
2097 * <base, address(SD), policy(*)>
2098 * from the user(?), and set SADB_SASTATE_DEAD,
2100 * <base, address(SD), policy(*)>
2102 * policy(*) including direction of policy.
2104 * m will always be freed.
2107 key_spddelete(struct socket *so, struct mbuf *m,
2108 const struct sadb_msghdr *mhp)
2110 struct sadb_address *src0, *dst0;
2111 struct sadb_x_policy *xpl0;
2112 struct secpolicyindex spidx;
2113 struct secpolicy *sp;
2115 IPSEC_ASSERT(so != NULL, ("null so"));
2116 IPSEC_ASSERT(m != NULL, ("null mbuf"));
2117 IPSEC_ASSERT(mhp != NULL, ("null msghdr"));
2118 IPSEC_ASSERT(mhp->msg != NULL, ("null msg"));
2120 if (mhp->ext[SADB_EXT_ADDRESS_SRC] == NULL ||
2121 mhp->ext[SADB_EXT_ADDRESS_DST] == NULL ||
2122 mhp->ext[SADB_X_EXT_POLICY] == NULL) {
2123 ipseclog((LOG_DEBUG, "%s: invalid message is passed.\n",
2125 return key_senderror(so, m, EINVAL);
2127 if (mhp->extlen[SADB_EXT_ADDRESS_SRC] < sizeof(struct sadb_address) ||
2128 mhp->extlen[SADB_EXT_ADDRESS_DST] < sizeof(struct sadb_address) ||
2129 mhp->extlen[SADB_X_EXT_POLICY] < sizeof(struct sadb_x_policy)) {
2130 ipseclog((LOG_DEBUG, "%s: invalid message is passed.\n",
2132 return key_senderror(so, m, EINVAL);
2135 src0 = (struct sadb_address *)mhp->ext[SADB_EXT_ADDRESS_SRC];
2136 dst0 = (struct sadb_address *)mhp->ext[SADB_EXT_ADDRESS_DST];
2137 xpl0 = (struct sadb_x_policy *)mhp->ext[SADB_X_EXT_POLICY];
2140 * Note: do not parse SADB_X_EXT_NAT_T_* here:
2141 * we are processing traffic endpoints.
2145 /* XXX boundary check against sa_len */
2146 KEY_SETSECSPIDX(xpl0->sadb_x_policy_dir,
2149 src0->sadb_address_prefixlen,
2150 dst0->sadb_address_prefixlen,
2151 src0->sadb_address_proto,
2154 /* checking the direciton. */
2155 switch (xpl0->sadb_x_policy_dir) {
2156 case IPSEC_DIR_INBOUND:
2157 case IPSEC_DIR_OUTBOUND:
2160 ipseclog((LOG_DEBUG, "%s: Invalid SP direction.\n", __func__));
2161 return key_senderror(so, m, EINVAL);
2164 /* Is there SP in SPD ? */
2165 if ((sp = key_getsp(&spidx)) == NULL) {
2166 ipseclog((LOG_DEBUG, "%s: no SP found.\n", __func__));
2167 return key_senderror(so, m, EINVAL);
2170 /* save policy id to buffer to be returned. */
2171 xpl0->sadb_x_policy_id = sp->id;
2178 struct sadb_msg *newmsg;
2181 * Note: do not send SADB_X_EXT_NAT_T_* here:
2182 * we are sending traffic endpoints.
2185 /* create new sadb_msg to reply. */
2186 n = key_gather_mbuf(m, mhp, 1, 4, SADB_EXT_RESERVED,
2187 SADB_X_EXT_POLICY, SADB_EXT_ADDRESS_SRC, SADB_EXT_ADDRESS_DST);
2189 return key_senderror(so, m, ENOBUFS);
2191 newmsg = mtod(n, struct sadb_msg *);
2192 newmsg->sadb_msg_errno = 0;
2193 newmsg->sadb_msg_len = PFKEY_UNIT64(n->m_pkthdr.len);
2196 return key_sendup_mbuf(so, n, KEY_SENDUP_ALL);
2201 * SADB_SPDDELETE2 processing
2204 * from the user(?), and set SADB_SASTATE_DEAD,
2208 * policy(*) including direction of policy.
2210 * m will always be freed.
2213 key_spddelete2(struct socket *so, struct mbuf *m,
2214 const struct sadb_msghdr *mhp)
2217 struct secpolicy *sp;
2219 IPSEC_ASSERT(so != NULL, ("null socket"));
2220 IPSEC_ASSERT(m != NULL, ("null mbuf"));
2221 IPSEC_ASSERT(mhp != NULL, ("null msghdr"));
2222 IPSEC_ASSERT(mhp->msg != NULL, ("null msg"));
2224 if (mhp->ext[SADB_X_EXT_POLICY] == NULL ||
2225 mhp->extlen[SADB_X_EXT_POLICY] < sizeof(struct sadb_x_policy)) {
2226 ipseclog((LOG_DEBUG, "%s: invalid message is passed.\n", __func__));
2227 return key_senderror(so, m, EINVAL);
2230 id = ((struct sadb_x_policy *)mhp->ext[SADB_X_EXT_POLICY])->sadb_x_policy_id;
2232 /* Is there SP in SPD ? */
2233 if ((sp = key_getspbyid(id)) == NULL) {
2234 ipseclog((LOG_DEBUG, "%s: no SP found id:%u.\n", __func__, id));
2235 return key_senderror(so, m, EINVAL);
2242 struct mbuf *n, *nn;
2243 struct sadb_msg *newmsg;
2246 /* create new sadb_msg to reply. */
2247 len = PFKEY_ALIGN8(sizeof(struct sadb_msg));
2249 MGETHDR(n, M_NOWAIT, MT_DATA);
2250 if (n && len > MHLEN) {
2251 if (!(MCLGET(n, M_NOWAIT))) {
2257 return key_senderror(so, m, ENOBUFS);
2263 m_copydata(m, 0, sizeof(struct sadb_msg), mtod(n, caddr_t) + off);
2264 off += PFKEY_ALIGN8(sizeof(struct sadb_msg));
2266 IPSEC_ASSERT(off == len, ("length inconsistency (off %u len %u)",
2269 n->m_next = m_copym(m, mhp->extoff[SADB_X_EXT_POLICY],
2270 mhp->extlen[SADB_X_EXT_POLICY], M_NOWAIT);
2273 return key_senderror(so, m, ENOBUFS);
2276 n->m_pkthdr.len = 0;
2277 for (nn = n; nn; nn = nn->m_next)
2278 n->m_pkthdr.len += nn->m_len;
2280 newmsg = mtod(n, struct sadb_msg *);
2281 newmsg->sadb_msg_errno = 0;
2282 newmsg->sadb_msg_len = PFKEY_UNIT64(n->m_pkthdr.len);
2285 return key_sendup_mbuf(so, n, KEY_SENDUP_ALL);
2290 * SADB_X_SPDGET processing
2295 * <base, address(SD), policy>
2297 * policy(*) including direction of policy.
2299 * m will always be freed.
2302 key_spdget(struct socket *so, struct mbuf *m, const struct sadb_msghdr *mhp)
2305 struct secpolicy *sp;
2308 IPSEC_ASSERT(so != NULL, ("null socket"));
2309 IPSEC_ASSERT(m != NULL, ("null mbuf"));
2310 IPSEC_ASSERT(mhp != NULL, ("null msghdr"));
2311 IPSEC_ASSERT(mhp->msg != NULL, ("null msg"));
2313 if (mhp->ext[SADB_X_EXT_POLICY] == NULL ||
2314 mhp->extlen[SADB_X_EXT_POLICY] < sizeof(struct sadb_x_policy)) {
2315 ipseclog((LOG_DEBUG, "%s: invalid message is passed.\n",
2317 return key_senderror(so, m, EINVAL);
2320 id = ((struct sadb_x_policy *)mhp->ext[SADB_X_EXT_POLICY])->sadb_x_policy_id;
2322 /* Is there SP in SPD ? */
2323 if ((sp = key_getspbyid(id)) == NULL) {
2324 ipseclog((LOG_DEBUG, "%s: no SP found id:%u.\n", __func__, id));
2325 return key_senderror(so, m, ENOENT);
2328 n = key_setdumpsp(sp, SADB_X_SPDGET, mhp->msg->sadb_msg_seq,
2329 mhp->msg->sadb_msg_pid);
2333 return key_sendup_mbuf(so, n, KEY_SENDUP_ONE);
2335 return key_senderror(so, m, ENOBUFS);
2339 * SADB_X_SPDACQUIRE processing.
2340 * Acquire policy and SA(s) for a *OUTBOUND* packet.
2343 * to KMD, and expect to receive
2344 * <base> with SADB_X_SPDACQUIRE if error occurred,
2347 * with SADB_X_SPDUPDATE from KMD by PF_KEY.
2348 * policy(*) is without policy requests.
2351 * others: error number
2354 key_spdacquire(struct secpolicy *sp)
2356 struct mbuf *result = NULL, *m;
2357 struct secspacq *newspacq;
2359 IPSEC_ASSERT(sp != NULL, ("null secpolicy"));
2360 IPSEC_ASSERT(sp->req == NULL, ("policy exists"));
2361 IPSEC_ASSERT(sp->policy == IPSEC_POLICY_IPSEC,
2362 ("policy not IPSEC %u", sp->policy));
2364 /* Get an entry to check whether sent message or not. */
2365 newspacq = key_getspacq(&sp->spidx);
2366 if (newspacq != NULL) {
2367 if (V_key_blockacq_count < newspacq->count) {
2368 /* reset counter and do send message. */
2369 newspacq->count = 0;
2371 /* increment counter and do nothing. */
2378 /* make new entry for blocking to send SADB_ACQUIRE. */
2379 newspacq = key_newspacq(&sp->spidx);
2380 if (newspacq == NULL)
2384 /* create new sadb_msg to reply. */
2385 m = key_setsadbmsg(SADB_X_SPDACQUIRE, 0, 0, 0, 0, 0);
2391 result->m_pkthdr.len = 0;
2392 for (m = result; m; m = m->m_next)
2393 result->m_pkthdr.len += m->m_len;
2395 mtod(result, struct sadb_msg *)->sadb_msg_len =
2396 PFKEY_UNIT64(result->m_pkthdr.len);
2398 return key_sendup_mbuf(NULL, m, KEY_SENDUP_REGISTERED);
2402 * SADB_SPDFLUSH processing
2405 * from the user, and free all entries in secpctree.
2409 * NOTE: what to do is only marking SADB_SASTATE_DEAD.
2411 * m will always be freed.
2414 key_spdflush(struct socket *so, struct mbuf *m, const struct sadb_msghdr *mhp)
2416 TAILQ_HEAD(, secpolicy) drainq;
2417 struct sadb_msg *newmsg;
2418 struct secpolicy *sp, *nextsp;
2421 IPSEC_ASSERT(so != NULL, ("null socket"));
2422 IPSEC_ASSERT(m != NULL, ("null mbuf"));
2423 IPSEC_ASSERT(mhp != NULL, ("null msghdr"));
2424 IPSEC_ASSERT(mhp->msg != NULL, ("null msg"));
2426 if (m->m_len != PFKEY_ALIGN8(sizeof(struct sadb_msg)))
2427 return key_senderror(so, m, EINVAL);
2429 TAILQ_INIT(&drainq);
2431 for (dir = 0; dir < IPSEC_DIR_MAX; dir++) {
2432 TAILQ_CONCAT(&drainq, &V_sptree[dir], chain);
2435 * We need to set state to DEAD for each policy to be sure,
2436 * that another thread won't try to unlink it.
2438 TAILQ_FOREACH(sp, &drainq, chain)
2439 sp->state = IPSEC_SPSTATE_DEAD;
2441 sp = TAILQ_FIRST(&drainq);
2442 while (sp != NULL) {
2443 nextsp = TAILQ_NEXT(sp, chain);
2448 if (sizeof(struct sadb_msg) > m->m_len + M_TRAILINGSPACE(m)) {
2449 ipseclog((LOG_DEBUG, "%s: No more memory.\n", __func__));
2450 return key_senderror(so, m, ENOBUFS);
2456 m->m_pkthdr.len = m->m_len = PFKEY_ALIGN8(sizeof(struct sadb_msg));
2457 newmsg = mtod(m, struct sadb_msg *);
2458 newmsg->sadb_msg_errno = 0;
2459 newmsg->sadb_msg_len = PFKEY_UNIT64(m->m_pkthdr.len);
2461 return key_sendup_mbuf(so, m, KEY_SENDUP_ALL);
2465 * SADB_SPDDUMP processing
2468 * from the user, and dump all SP leaves
2473 * m will always be freed.
2476 key_spddump(struct socket *so, struct mbuf *m, const struct sadb_msghdr *mhp)
2478 SPTREE_RLOCK_TRACKER;
2479 struct secpolicy *sp;
2484 IPSEC_ASSERT(so != NULL, ("null socket"));
2485 IPSEC_ASSERT(m != NULL, ("null mbuf"));
2486 IPSEC_ASSERT(mhp != NULL, ("null msghdr"));
2487 IPSEC_ASSERT(mhp->msg != NULL, ("null msg"));
2489 /* search SPD entry and get buffer size. */
2492 for (dir = 0; dir < IPSEC_DIR_MAX; dir++) {
2493 TAILQ_FOREACH(sp, &V_sptree[dir], chain) {
2500 return key_senderror(so, m, ENOENT);
2503 for (dir = 0; dir < IPSEC_DIR_MAX; dir++) {
2504 TAILQ_FOREACH(sp, &V_sptree[dir], chain) {
2506 n = key_setdumpsp(sp, SADB_X_SPDDUMP, cnt,
2507 mhp->msg->sadb_msg_pid);
2510 key_sendup_mbuf(so, n, KEY_SENDUP_ONE);
2519 static struct mbuf *
2520 key_setdumpsp(struct secpolicy *sp, u_int8_t type, u_int32_t seq,
2523 struct mbuf *result = NULL, *m;
2524 struct seclifetime lt;
2526 m = key_setsadbmsg(type, 0, SADB_SATYPE_UNSPEC, seq, pid, sp->refcnt);
2532 * Note: do not send SADB_X_EXT_NAT_T_* here:
2533 * we are sending traffic endpoints.
2535 m = key_setsadbaddr(SADB_EXT_ADDRESS_SRC,
2536 &sp->spidx.src.sa, sp->spidx.prefs,
2537 sp->spidx.ul_proto);
2542 m = key_setsadbaddr(SADB_EXT_ADDRESS_DST,
2543 &sp->spidx.dst.sa, sp->spidx.prefd,
2544 sp->spidx.ul_proto);
2555 lt.addtime=sp->created;
2556 lt.usetime= sp->lastused;
2557 m = key_setlifetime(<, SADB_EXT_LIFETIME_CURRENT);
2562 lt.addtime=sp->lifetime;
2563 lt.usetime= sp->validtime;
2564 m = key_setlifetime(<, SADB_EXT_LIFETIME_HARD);
2570 if ((result->m_flags & M_PKTHDR) == 0)
2573 if (result->m_len < sizeof(struct sadb_msg)) {
2574 result = m_pullup(result, sizeof(struct sadb_msg));
2579 result->m_pkthdr.len = 0;
2580 for (m = result; m; m = m->m_next)
2581 result->m_pkthdr.len += m->m_len;
2583 mtod(result, struct sadb_msg *)->sadb_msg_len =
2584 PFKEY_UNIT64(result->m_pkthdr.len);
2594 * get PFKEY message length for security policy and request.
2597 key_getspreqmsglen(struct secpolicy *sp)
2601 tlen = sizeof(struct sadb_x_policy);
2603 /* if is the policy for ipsec ? */
2604 if (sp->policy != IPSEC_POLICY_IPSEC)
2607 /* get length of ipsec requests */
2609 struct ipsecrequest *isr;
2612 for (isr = sp->req; isr != NULL; isr = isr->next) {
2613 len = sizeof(struct sadb_x_ipsecrequest)
2614 + isr->saidx.src.sa.sa_len
2615 + isr->saidx.dst.sa.sa_len;
2617 tlen += PFKEY_ALIGN8(len);
2625 * SADB_SPDEXPIRE processing
2627 * <base, address(SD), lifetime(CH), policy>
2631 * others : error number
2634 key_spdexpire(struct secpolicy *sp)
2636 struct mbuf *result = NULL, *m;
2639 struct sadb_lifetime *lt;
2641 /* XXX: Why do we lock ? */
2643 IPSEC_ASSERT(sp != NULL, ("null secpolicy"));
2645 /* set msg header */
2646 m = key_setsadbmsg(SADB_X_SPDEXPIRE, 0, 0, 0, 0, 0);
2653 /* create lifetime extension (current and hard) */
2654 len = PFKEY_ALIGN8(sizeof(*lt)) * 2;
2655 m = m_get2(len, M_NOWAIT, MT_DATA, 0);
2662 bzero(mtod(m, caddr_t), len);
2663 lt = mtod(m, struct sadb_lifetime *);
2664 lt->sadb_lifetime_len = PFKEY_UNIT64(sizeof(struct sadb_lifetime));
2665 lt->sadb_lifetime_exttype = SADB_EXT_LIFETIME_CURRENT;
2666 lt->sadb_lifetime_allocations = 0;
2667 lt->sadb_lifetime_bytes = 0;
2668 lt->sadb_lifetime_addtime = sp->created;
2669 lt->sadb_lifetime_usetime = sp->lastused;
2670 lt = (struct sadb_lifetime *)(mtod(m, caddr_t) + len / 2);
2671 lt->sadb_lifetime_len = PFKEY_UNIT64(sizeof(struct sadb_lifetime));
2672 lt->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD;
2673 lt->sadb_lifetime_allocations = 0;
2674 lt->sadb_lifetime_bytes = 0;
2675 lt->sadb_lifetime_addtime = sp->lifetime;
2676 lt->sadb_lifetime_usetime = sp->validtime;
2680 * Note: do not send SADB_X_EXT_NAT_T_* here:
2681 * we are sending traffic endpoints.
2684 /* set sadb_address for source */
2685 m = key_setsadbaddr(SADB_EXT_ADDRESS_SRC,
2687 sp->spidx.prefs, sp->spidx.ul_proto);
2694 /* set sadb_address for destination */
2695 m = key_setsadbaddr(SADB_EXT_ADDRESS_DST,
2697 sp->spidx.prefd, sp->spidx.ul_proto);
2712 if ((result->m_flags & M_PKTHDR) == 0) {
2717 if (result->m_len < sizeof(struct sadb_msg)) {
2718 result = m_pullup(result, sizeof(struct sadb_msg));
2719 if (result == NULL) {
2725 result->m_pkthdr.len = 0;
2726 for (m = result; m; m = m->m_next)
2727 result->m_pkthdr.len += m->m_len;
2729 mtod(result, struct sadb_msg *)->sadb_msg_len =
2730 PFKEY_UNIT64(result->m_pkthdr.len);
2732 return key_sendup_mbuf(NULL, result, KEY_SENDUP_REGISTERED);
2740 /* %%% SAD management */
2742 * allocating a memory for new SA head, and copy from the values of mhp.
2743 * OUT: NULL : failure due to the lack of memory.
2744 * others : pointer to new SA head.
2746 static struct secashead *
2747 key_newsah(struct secasindex *saidx)
2749 struct secashead *newsah;
2751 IPSEC_ASSERT(saidx != NULL, ("null saidx"));
2753 newsah = malloc(sizeof(struct secashead), M_IPSEC_SAH, M_NOWAIT|M_ZERO);
2754 if (newsah != NULL) {
2756 for (i = 0; i < sizeof(newsah->savtree)/sizeof(newsah->savtree[0]); i++)
2757 LIST_INIT(&newsah->savtree[i]);
2758 newsah->saidx = *saidx;
2760 /* add to saidxtree */
2761 newsah->state = SADB_SASTATE_MATURE;
2764 LIST_INSERT_HEAD(&V_sahtree, newsah, chain);
2771 * delete SA index and all SA registerd.
2774 key_delsah(struct secashead *sah)
2776 struct secasvar *sav, *nextsav;
2780 IPSEC_ASSERT(sah != NULL, ("NULL sah"));
2781 SAHTREE_LOCK_ASSERT();
2783 /* searching all SA registerd in the secindex. */
2785 stateidx < _ARRAYLEN(saorder_state_any);
2787 u_int state = saorder_state_any[stateidx];
2788 LIST_FOREACH_SAFE(sav, &sah->savtree[state], chain, nextsav) {
2789 if (sav->refcnt == 0) {
2791 KEY_CHKSASTATE(state, sav->state, __func__);
2793 * do NOT call KEY_FREESAV here:
2794 * it will only delete the sav if refcnt == 1,
2795 * where we already know that refcnt == 0
2799 /* give up to delete this sa */
2804 if (!zombie) { /* delete only if there are savs */
2805 /* remove from tree of SA index */
2806 if (__LIST_CHAINED(sah))
2807 LIST_REMOVE(sah, chain);
2808 free(sah, M_IPSEC_SAH);
2813 * allocating a new SA with LARVAL state. key_add() and key_getspi() call,
2814 * and copy the values of mhp into new buffer.
2815 * When SAD message type is GETSPI:
2816 * to set sequence number from acq_seq++,
2817 * to set zero to SPI.
2818 * not to call key_setsava().
2820 * others : pointer to new secasvar.
2822 * does not modify mbuf. does not free mbuf on error.
2824 static struct secasvar *
2825 key_newsav(struct mbuf *m, const struct sadb_msghdr *mhp,
2826 struct secashead *sah, int *errp, const char *where, int tag)
2828 struct secasvar *newsav;
2829 const struct sadb_sa *xsa;
2831 IPSEC_ASSERT(m != NULL, ("null mbuf"));
2832 IPSEC_ASSERT(mhp != NULL, ("null msghdr"));
2833 IPSEC_ASSERT(mhp->msg != NULL, ("null msg"));
2834 IPSEC_ASSERT(sah != NULL, ("null secashead"));
2836 newsav = malloc(sizeof(struct secasvar), M_IPSEC_SA, M_NOWAIT|M_ZERO);
2837 if (newsav == NULL) {
2838 ipseclog((LOG_DEBUG, "%s: No more memory.\n", __func__));
2843 switch (mhp->msg->sadb_msg_type) {
2847 #ifdef IPSEC_DOSEQCHECK
2848 /* sync sequence number */
2849 if (mhp->msg->sadb_msg_seq == 0)
2851 (V_acq_seq = (V_acq_seq == ~0 ? 1 : ++V_acq_seq));
2854 newsav->seq = mhp->msg->sadb_msg_seq;
2859 if (mhp->ext[SADB_EXT_SA] == NULL) {
2860 free(newsav, M_IPSEC_SA);
2862 ipseclog((LOG_DEBUG, "%s: invalid message is passed.\n",
2867 xsa = (const struct sadb_sa *)mhp->ext[SADB_EXT_SA];
2868 newsav->spi = xsa->sadb_sa_spi;
2869 newsav->seq = mhp->msg->sadb_msg_seq;
2872 free(newsav, M_IPSEC_SA);
2879 /* copy sav values */
2880 if (mhp->msg->sadb_msg_type != SADB_GETSPI) {
2881 *errp = key_setsaval(newsav, m, mhp);
2883 free(newsav, M_IPSEC_SA);
2889 SECASVAR_LOCK_INIT(newsav);
2892 newsav->created = time_second;
2893 newsav->pid = mhp->msg->sadb_msg_pid;
2898 newsav->state = SADB_SASTATE_LARVAL;
2901 LIST_INSERT_TAIL(&sah->savtree[SADB_SASTATE_LARVAL], newsav,
2905 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
2906 printf("DP %s from %s:%u return SP:%p\n", __func__,
2907 where, tag, newsav));
2913 * free() SA variable entry.
2916 key_cleansav(struct secasvar *sav)
2919 * Cleanup xform state. Note that zeroize'ing causes the
2920 * keys to be cleared; otherwise we must do it ourself.
2922 if (sav->tdb_xform != NULL) {
2923 sav->tdb_xform->xf_zeroize(sav);
2924 sav->tdb_xform = NULL;
2926 if (sav->key_auth != NULL)
2927 bzero(sav->key_auth->key_data, _KEYLEN(sav->key_auth));
2928 if (sav->key_enc != NULL)
2929 bzero(sav->key_enc->key_data, _KEYLEN(sav->key_enc));
2931 if (sav->key_auth != NULL) {
2932 if (sav->key_auth->key_data != NULL)
2933 free(sav->key_auth->key_data, M_IPSEC_MISC);
2934 free(sav->key_auth, M_IPSEC_MISC);
2935 sav->key_auth = NULL;
2937 if (sav->key_enc != NULL) {
2938 if (sav->key_enc->key_data != NULL)
2939 free(sav->key_enc->key_data, M_IPSEC_MISC);
2940 free(sav->key_enc, M_IPSEC_MISC);
2941 sav->key_enc = NULL;
2944 bzero(sav->sched, sav->schedlen);
2945 free(sav->sched, M_IPSEC_MISC);
2948 if (sav->replay != NULL) {
2949 if (sav->replay->bitmap != NULL)
2950 free(sav->replay->bitmap, M_IPSEC_MISC);
2951 free(sav->replay, M_IPSEC_MISC);
2954 if (sav->lft_c != NULL) {
2955 free(sav->lft_c, M_IPSEC_MISC);
2958 if (sav->lft_h != NULL) {
2959 free(sav->lft_h, M_IPSEC_MISC);
2962 if (sav->lft_s != NULL) {
2963 free(sav->lft_s, M_IPSEC_MISC);
2969 * free() SA variable entry.
2972 key_delsav(struct secasvar *sav)
2974 IPSEC_ASSERT(sav != NULL, ("null sav"));
2975 IPSEC_ASSERT(sav->refcnt == 0, ("reference count %u > 0", sav->refcnt));
2977 /* remove from SA header */
2978 if (__LIST_CHAINED(sav))
2979 LIST_REMOVE(sav, chain);
2981 SECASVAR_LOCK_DESTROY(sav);
2982 free(sav, M_IPSEC_SA);
2989 * others : found, pointer to a SA.
2991 static struct secashead *
2992 key_getsah(struct secasindex *saidx)
2994 struct secashead *sah;
2997 LIST_FOREACH(sah, &V_sahtree, chain) {
2998 if (sah->state == SADB_SASTATE_DEAD)
3000 if (key_cmpsaidx(&sah->saidx, saidx, CMP_REQID))
3009 * check not to be duplicated SPI.
3010 * NOTE: this function is too slow due to searching all SAD.
3013 * others : found, pointer to a SA.
3015 static struct secasvar *
3016 key_checkspidup(struct secasindex *saidx, u_int32_t spi)
3018 struct secashead *sah;
3019 struct secasvar *sav;
3021 /* check address family */
3022 if (saidx->src.sa.sa_family != saidx->dst.sa.sa_family) {
3023 ipseclog((LOG_DEBUG, "%s: address family mismatched.\n",
3031 LIST_FOREACH(sah, &V_sahtree, chain) {
3032 if (!key_ismyaddr((struct sockaddr *)&sah->saidx.dst))
3034 sav = key_getsavbyspi(sah, spi);
3044 * search SAD litmited alive SA, protocol, SPI.
3047 * others : found, pointer to a SA.
3049 static struct secasvar *
3050 key_getsavbyspi(struct secashead *sah, u_int32_t spi)
3052 struct secasvar *sav;
3053 u_int stateidx, state;
3056 SAHTREE_LOCK_ASSERT();
3057 /* search all status */
3059 stateidx < _ARRAYLEN(saorder_state_alive);
3062 state = saorder_state_alive[stateidx];
3063 LIST_FOREACH(sav, &sah->savtree[state], chain) {
3066 if (sav->state != state) {
3067 ipseclog((LOG_DEBUG, "%s: "
3068 "invalid sav->state (queue: %d SA: %d)\n",
3069 __func__, state, sav->state));
3073 if (sav->spi == spi)
3082 * copy SA values from PF_KEY message except *SPI, SEQ, PID, STATE and TYPE*.
3083 * You must update these if need.
3087 * does not modify mbuf. does not free mbuf on error.
3090 key_setsaval(struct secasvar *sav, struct mbuf *m,
3091 const struct sadb_msghdr *mhp)
3095 IPSEC_ASSERT(m != NULL, ("null mbuf"));
3096 IPSEC_ASSERT(mhp != NULL, ("null msghdr"));
3097 IPSEC_ASSERT(mhp->msg != NULL, ("null msg"));
3099 /* initialization */
3101 sav->key_auth = NULL;
3102 sav->key_enc = NULL;
3108 sav->tdb_xform = NULL; /* transform */
3109 sav->tdb_encalgxform = NULL; /* encoding algorithm */
3110 sav->tdb_authalgxform = NULL; /* authentication algorithm */
3111 sav->tdb_compalgxform = NULL; /* compression algorithm */
3112 /* Initialize even if NAT-T not compiled in: */
3114 sav->natt_esp_frag_len = 0;
3117 if (mhp->ext[SADB_EXT_SA] != NULL) {
3118 const struct sadb_sa *sa0;
3121 sa0 = (const struct sadb_sa *)mhp->ext[SADB_EXT_SA];
3122 if (mhp->extlen[SADB_EXT_SA] < sizeof(*sa0)) {
3127 sav->alg_auth = sa0->sadb_sa_auth;
3128 sav->alg_enc = sa0->sadb_sa_encrypt;
3129 sav->flags = sa0->sadb_sa_flags;
3131 /* Optional replay window */
3133 if ((sa0->sadb_sa_flags & SADB_X_EXT_OLD) == 0)
3134 replay = sa0->sadb_sa_replay;
3135 if ((mhp->ext[SADB_X_EXT_SA_REPLAY]) != NULL) {
3136 replay = ((const struct sadb_x_sa_replay *)
3137 mhp->ext[SADB_X_EXT_SA_REPLAY])->sadb_x_sa_replay_replay;
3139 if (replay > UINT32_MAX - 32) {
3140 ipseclog((LOG_DEBUG, "%s: replay window too big.\n",
3146 replay = (replay + 7) >> 3;
3149 sav->replay = (struct secreplay *)
3150 malloc(sizeof(struct secreplay),
3151 M_IPSEC_MISC, M_NOWAIT|M_ZERO);
3152 if (sav->replay == NULL) {
3153 ipseclog((LOG_DEBUG, "%s: No more memory.\n",
3160 /* number of 32b blocks to be allocated */
3161 u_int32_t bitmap_size;
3164 * - the allocated replay window size must be a power of two
3165 * - use an extra 32b block as a redundant window
3168 while (replay + 4 > bitmap_size)
3170 bitmap_size = bitmap_size / 4;
3172 sav->replay->bitmap = malloc(bitmap_size*sizeof(u_int32_t),
3173 M_IPSEC_MISC, M_NOWAIT|M_ZERO);
3174 if (sav->replay->bitmap == NULL) {
3175 ipseclog((LOG_DEBUG, "%s: No more memory.\n",
3180 sav->replay->bitmap_size = bitmap_size;
3181 sav->replay->wsize = replay;
3185 /* Authentication keys */
3186 if (mhp->ext[SADB_EXT_KEY_AUTH] != NULL) {
3187 const struct sadb_key *key0;
3190 key0 = (const struct sadb_key *)mhp->ext[SADB_EXT_KEY_AUTH];
3191 len = mhp->extlen[SADB_EXT_KEY_AUTH];
3194 if (len < sizeof(*key0)) {
3198 switch (mhp->msg->sadb_msg_satype) {
3199 case SADB_SATYPE_AH:
3200 case SADB_SATYPE_ESP:
3201 case SADB_X_SATYPE_TCPSIGNATURE:
3202 if (len == PFKEY_ALIGN8(sizeof(struct sadb_key)) &&
3203 sav->alg_auth != SADB_X_AALG_NULL)
3206 case SADB_X_SATYPE_IPCOMP:
3212 ipseclog((LOG_DEBUG, "%s: invalid key_auth values.\n",
3217 sav->key_auth = (struct seckey *)key_dup_keymsg(key0, len,
3219 if (sav->key_auth == NULL ) {
3220 ipseclog((LOG_DEBUG, "%s: No more memory.\n",
3227 /* Encryption key */
3228 if (mhp->ext[SADB_EXT_KEY_ENCRYPT] != NULL) {
3229 const struct sadb_key *key0;
3232 key0 = (const struct sadb_key *)mhp->ext[SADB_EXT_KEY_ENCRYPT];
3233 len = mhp->extlen[SADB_EXT_KEY_ENCRYPT];
3236 if (len < sizeof(*key0)) {
3240 switch (mhp->msg->sadb_msg_satype) {
3241 case SADB_SATYPE_ESP:
3242 if (len == PFKEY_ALIGN8(sizeof(struct sadb_key)) &&
3243 sav->alg_enc != SADB_EALG_NULL) {
3247 sav->key_enc = (struct seckey *)key_dup_keymsg(key0,
3250 if (sav->key_enc == NULL) {
3251 ipseclog((LOG_DEBUG, "%s: No more memory.\n",
3257 case SADB_X_SATYPE_IPCOMP:
3258 if (len != PFKEY_ALIGN8(sizeof(struct sadb_key)))
3260 sav->key_enc = NULL; /*just in case*/
3262 case SADB_SATYPE_AH:
3263 case SADB_X_SATYPE_TCPSIGNATURE:
3269 ipseclog((LOG_DEBUG, "%s: invalid key_enc value.\n",
3278 switch (mhp->msg->sadb_msg_satype) {
3279 case SADB_SATYPE_AH:
3280 error = xform_init(sav, XF_AH);
3282 case SADB_SATYPE_ESP:
3283 error = xform_init(sav, XF_ESP);
3285 case SADB_X_SATYPE_IPCOMP:
3286 error = xform_init(sav, XF_IPCOMP);
3288 case SADB_X_SATYPE_TCPSIGNATURE:
3289 error = xform_init(sav, XF_TCPSIGNATURE);
3293 ipseclog((LOG_DEBUG, "%s: unable to initialize SA type %u.\n",
3294 __func__, mhp->msg->sadb_msg_satype));
3299 sav->created = time_second;
3301 /* make lifetime for CURRENT */
3302 sav->lft_c = malloc(sizeof(struct seclifetime), M_IPSEC_MISC, M_NOWAIT);
3303 if (sav->lft_c == NULL) {
3304 ipseclog((LOG_DEBUG, "%s: No more memory.\n", __func__));
3309 sav->lft_c->allocations = 0;
3310 sav->lft_c->bytes = 0;
3311 sav->lft_c->addtime = time_second;
3312 sav->lft_c->usetime = 0;
3314 /* lifetimes for HARD and SOFT */
3316 const struct sadb_lifetime *lft0;
3318 lft0 = (struct sadb_lifetime *)mhp->ext[SADB_EXT_LIFETIME_HARD];
3320 if (mhp->extlen[SADB_EXT_LIFETIME_HARD] < sizeof(*lft0)) {
3324 sav->lft_h = key_dup_lifemsg(lft0, M_IPSEC_MISC);
3325 if (sav->lft_h == NULL) {
3326 ipseclog((LOG_DEBUG, "%s: No more memory.\n",__func__));
3330 /* to be initialize ? */
3333 lft0 = (struct sadb_lifetime *)mhp->ext[SADB_EXT_LIFETIME_SOFT];
3335 if (mhp->extlen[SADB_EXT_LIFETIME_SOFT] < sizeof(*lft0)) {
3339 sav->lft_s = key_dup_lifemsg(lft0, M_IPSEC_MISC);
3340 if (sav->lft_s == NULL) {
3341 ipseclog((LOG_DEBUG, "%s: No more memory.\n",__func__));
3345 /* to be initialize ? */
3352 /* initialization */
3359 * validation with a secasvar entry, and set SADB_SATYPE_MATURE.
3364 key_mature(struct secasvar *sav)
3368 /* check SPI value */
3369 switch (sav->sah->saidx.proto) {
3373 * RFC 4302, 2.4. Security Parameters Index (SPI), SPI values
3374 * 1-255 reserved by IANA for future use,
3375 * 0 for implementation specific, local use.
3377 if (ntohl(sav->spi) <= 255) {
3378 ipseclog((LOG_DEBUG, "%s: illegal range of SPI %u.\n",
3379 __func__, (u_int32_t)ntohl(sav->spi)));
3386 switch (sav->sah->saidx.proto) {
3389 if ((sav->flags & (SADB_X_EXT_OLD|SADB_X_EXT_DERIV)) ==
3390 (SADB_X_EXT_OLD|SADB_X_EXT_DERIV)) {
3391 ipseclog((LOG_DEBUG, "%s: invalid flag (derived) "
3392 "given to old-esp.\n", __func__));
3395 error = xform_init(sav, XF_ESP);
3399 if (sav->flags & SADB_X_EXT_DERIV) {
3400 ipseclog((LOG_DEBUG, "%s: invalid flag (derived) "
3401 "given to AH SA.\n", __func__));
3404 if (sav->alg_enc != SADB_EALG_NONE) {
3405 ipseclog((LOG_DEBUG, "%s: protocol and algorithm "
3406 "mismated.\n", __func__));
3409 error = xform_init(sav, XF_AH);
3411 case IPPROTO_IPCOMP:
3412 if (sav->alg_auth != SADB_AALG_NONE) {
3413 ipseclog((LOG_DEBUG, "%s: protocol and algorithm "
3414 "mismated.\n", __func__));
3417 if ((sav->flags & SADB_X_EXT_RAWCPI) == 0
3418 && ntohl(sav->spi) >= 0x10000) {
3419 ipseclog((LOG_DEBUG, "%s: invalid cpi for IPComp.\n",
3423 error = xform_init(sav, XF_IPCOMP);
3426 if (sav->alg_enc != SADB_EALG_NONE) {
3427 ipseclog((LOG_DEBUG, "%s: protocol and algorithm "
3428 "mismated.\n", __func__));
3431 error = xform_init(sav, XF_TCPSIGNATURE);
3434 ipseclog((LOG_DEBUG, "%s: Invalid satype.\n", __func__));
3435 error = EPROTONOSUPPORT;
3440 key_sa_chgstate(sav, SADB_SASTATE_MATURE);
3447 * subroutine for SADB_GET and SADB_DUMP.
3449 static struct mbuf *
3450 key_setdumpsa(struct secasvar *sav, u_int8_t type, u_int8_t satype,
3451 u_int32_t seq, u_int32_t pid)
3453 struct mbuf *result = NULL, *tres = NULL, *m;
3456 SADB_EXT_SA, SADB_X_EXT_SA2, SADB_X_EXT_SA_REPLAY,
3457 SADB_EXT_LIFETIME_HARD, SADB_EXT_LIFETIME_SOFT,
3458 SADB_EXT_LIFETIME_CURRENT, SADB_EXT_ADDRESS_SRC,
3459 SADB_EXT_ADDRESS_DST, SADB_EXT_ADDRESS_PROXY, SADB_EXT_KEY_AUTH,
3460 SADB_EXT_KEY_ENCRYPT, SADB_EXT_IDENTITY_SRC,
3461 SADB_EXT_IDENTITY_DST, SADB_EXT_SENSITIVITY,
3463 SADB_X_EXT_NAT_T_TYPE,
3464 SADB_X_EXT_NAT_T_SPORT, SADB_X_EXT_NAT_T_DPORT,
3465 SADB_X_EXT_NAT_T_OAI, SADB_X_EXT_NAT_T_OAR,
3466 SADB_X_EXT_NAT_T_FRAG,
3469 u_int32_t replay_count;
3471 m = key_setsadbmsg(type, 0, satype, seq, pid, sav->refcnt);
3476 for (i = nitems(dumporder) - 1; i >= 0; i--) {
3478 switch (dumporder[i]) {
3480 m = key_setsadbsa(sav);
3485 case SADB_X_EXT_SA2:
3487 replay_count = sav->replay ? sav->replay->count : 0;
3488 SECASVAR_UNLOCK(sav);
3489 m = key_setsadbxsa2(sav->sah->saidx.mode, replay_count,
3490 sav->sah->saidx.reqid);
3495 case SADB_X_EXT_SA_REPLAY:
3496 if (sav->replay == NULL ||
3497 sav->replay->wsize <= UINT8_MAX)
3500 m = key_setsadbxsareplay(sav->replay->wsize);
3505 case SADB_EXT_ADDRESS_SRC:
3506 m = key_setsadbaddr(SADB_EXT_ADDRESS_SRC,
3507 &sav->sah->saidx.src.sa,
3508 FULLMASK, IPSEC_ULPROTO_ANY);
3513 case SADB_EXT_ADDRESS_DST:
3514 m = key_setsadbaddr(SADB_EXT_ADDRESS_DST,
3515 &sav->sah->saidx.dst.sa,
3516 FULLMASK, IPSEC_ULPROTO_ANY);
3521 case SADB_EXT_KEY_AUTH:
3524 m = key_setkey(sav->key_auth, SADB_EXT_KEY_AUTH);
3529 case SADB_EXT_KEY_ENCRYPT:
3532 m = key_setkey(sav->key_enc, SADB_EXT_KEY_ENCRYPT);
3537 case SADB_EXT_LIFETIME_CURRENT:
3540 m = key_setlifetime(sav->lft_c,
3541 SADB_EXT_LIFETIME_CURRENT);
3546 case SADB_EXT_LIFETIME_HARD:
3549 m = key_setlifetime(sav->lft_h,
3550 SADB_EXT_LIFETIME_HARD);
3555 case SADB_EXT_LIFETIME_SOFT:
3558 m = key_setlifetime(sav->lft_s,
3559 SADB_EXT_LIFETIME_SOFT);
3566 case SADB_X_EXT_NAT_T_TYPE:
3567 m = key_setsadbxtype(sav->natt_type);
3572 case SADB_X_EXT_NAT_T_DPORT:
3573 m = key_setsadbxport(
3574 KEY_PORTFROMSADDR(&sav->sah->saidx.dst),
3575 SADB_X_EXT_NAT_T_DPORT);
3580 case SADB_X_EXT_NAT_T_SPORT:
3581 m = key_setsadbxport(
3582 KEY_PORTFROMSADDR(&sav->sah->saidx.src),
3583 SADB_X_EXT_NAT_T_SPORT);
3588 case SADB_X_EXT_NAT_T_OAI:
3589 case SADB_X_EXT_NAT_T_OAR:
3590 case SADB_X_EXT_NAT_T_FRAG:
3591 /* We do not (yet) support those. */
3595 case SADB_EXT_ADDRESS_PROXY:
3596 case SADB_EXT_IDENTITY_SRC:
3597 case SADB_EXT_IDENTITY_DST:
3598 /* XXX: should we brought from SPD ? */
3599 case SADB_EXT_SENSITIVITY:
3612 m_cat(result, tres);
3614 if (result->m_len < sizeof(struct sadb_msg)) {
3615 result = m_pullup(result, sizeof(struct sadb_msg));
3620 result->m_pkthdr.len = 0;
3621 for (m = result; m; m = m->m_next)
3622 result->m_pkthdr.len += m->m_len;
3624 mtod(result, struct sadb_msg *)->sadb_msg_len =
3625 PFKEY_UNIT64(result->m_pkthdr.len);
3636 * set data into sadb_msg.
3638 static struct mbuf *
3639 key_setsadbmsg(u_int8_t type, u_int16_t tlen, u_int8_t satype, u_int32_t seq,
3640 pid_t pid, u_int16_t reserved)
3646 len = PFKEY_ALIGN8(sizeof(struct sadb_msg));
3649 MGETHDR(m, M_NOWAIT, MT_DATA);
3650 if (m && len > MHLEN) {
3651 if (!(MCLGET(m, M_NOWAIT))) {
3658 m->m_pkthdr.len = m->m_len = len;
3661 p = mtod(m, struct sadb_msg *);
3664 p->sadb_msg_version = PF_KEY_V2;
3665 p->sadb_msg_type = type;
3666 p->sadb_msg_errno = 0;
3667 p->sadb_msg_satype = satype;
3668 p->sadb_msg_len = PFKEY_UNIT64(tlen);
3669 p->sadb_msg_reserved = reserved;
3670 p->sadb_msg_seq = seq;
3671 p->sadb_msg_pid = (u_int32_t)pid;
3677 * copy secasvar data into sadb_address.
3679 static struct mbuf *
3680 key_setsadbsa(struct secasvar *sav)
3686 len = PFKEY_ALIGN8(sizeof(struct sadb_sa));
3687 m = m_get2(len, M_NOWAIT, MT_DATA, 0);
3692 p = mtod(m, struct sadb_sa *);
3694 p->sadb_sa_len = PFKEY_UNIT64(len);
3695 p->sadb_sa_exttype = SADB_EXT_SA;
3696 p->sadb_sa_spi = sav->spi;
3697 p->sadb_sa_replay = sav->replay ?
3698 (sav->replay->wsize > UINT8_MAX ?
3699 UINT8_MAX : sav->replay->wsize) : 0;
3700 p->sadb_sa_state = sav->state;
3701 p->sadb_sa_auth = sav->alg_auth;
3702 p->sadb_sa_encrypt = sav->alg_enc;
3703 p->sadb_sa_flags = sav->flags;
3709 * set data into sadb_address.
3711 static struct mbuf *
3712 key_setsadbaddr(u_int16_t exttype, const struct sockaddr *saddr,
3713 u_int8_t prefixlen, u_int16_t ul_proto)
3716 struct sadb_address *p;
3719 len = PFKEY_ALIGN8(sizeof(struct sadb_address)) +
3720 PFKEY_ALIGN8(saddr->sa_len);
3721 m = m_get2(len, M_NOWAIT, MT_DATA, 0);
3726 p = mtod(m, struct sadb_address *);
3729 p->sadb_address_len = PFKEY_UNIT64(len);
3730 p->sadb_address_exttype = exttype;
3731 p->sadb_address_proto = ul_proto;
3732 if (prefixlen == FULLMASK) {
3733 switch (saddr->sa_family) {
3735 prefixlen = sizeof(struct in_addr) << 3;
3738 prefixlen = sizeof(struct in6_addr) << 3;
3744 p->sadb_address_prefixlen = prefixlen;
3745 p->sadb_address_reserved = 0;
3748 mtod(m, caddr_t) + PFKEY_ALIGN8(sizeof(struct sadb_address)),
3755 * set data into sadb_x_sa2.
3757 static struct mbuf *
3758 key_setsadbxsa2(u_int8_t mode, u_int32_t seq, u_int32_t reqid)
3761 struct sadb_x_sa2 *p;
3764 len = PFKEY_ALIGN8(sizeof(struct sadb_x_sa2));
3765 m = m_get2(len, M_NOWAIT, MT_DATA, 0);
3770 p = mtod(m, struct sadb_x_sa2 *);
3773 p->sadb_x_sa2_len = PFKEY_UNIT64(len);
3774 p->sadb_x_sa2_exttype = SADB_X_EXT_SA2;
3775 p->sadb_x_sa2_mode = mode;
3776 p->sadb_x_sa2_reserved1 = 0;
3777 p->sadb_x_sa2_reserved2 = 0;
3778 p->sadb_x_sa2_sequence = seq;
3779 p->sadb_x_sa2_reqid = reqid;
3785 * Set data into sadb_x_sa_replay.
3787 static struct mbuf *
3788 key_setsadbxsareplay(u_int32_t replay)
3791 struct sadb_x_sa_replay *p;
3794 len = PFKEY_ALIGN8(sizeof(struct sadb_x_sa_replay));
3795 m = m_get2(len, M_NOWAIT, MT_DATA, 0);
3800 p = mtod(m, struct sadb_x_sa_replay *);
3803 p->sadb_x_sa_replay_len = PFKEY_UNIT64(len);
3804 p->sadb_x_sa_replay_exttype = SADB_X_EXT_SA_REPLAY;
3805 p->sadb_x_sa_replay_replay = (replay << 3);
3812 * Set a type in sadb_x_nat_t_type.
3814 static struct mbuf *
3815 key_setsadbxtype(u_int16_t type)
3819 struct sadb_x_nat_t_type *p;
3821 len = PFKEY_ALIGN8(sizeof(struct sadb_x_nat_t_type));
3823 m = m_get2(len, M_NOWAIT, MT_DATA, 0);
3828 p = mtod(m, struct sadb_x_nat_t_type *);
3831 p->sadb_x_nat_t_type_len = PFKEY_UNIT64(len);
3832 p->sadb_x_nat_t_type_exttype = SADB_X_EXT_NAT_T_TYPE;
3833 p->sadb_x_nat_t_type_type = type;
3838 * Set a port in sadb_x_nat_t_port.
3839 * In contrast to default RFC 2367 behaviour, port is in network byte order.
3841 static struct mbuf *
3842 key_setsadbxport(u_int16_t port, u_int16_t type)
3846 struct sadb_x_nat_t_port *p;
3848 len = PFKEY_ALIGN8(sizeof(struct sadb_x_nat_t_port));
3850 m = m_get2(len, M_NOWAIT, MT_DATA, 0);
3855 p = mtod(m, struct sadb_x_nat_t_port *);
3858 p->sadb_x_nat_t_port_len = PFKEY_UNIT64(len);
3859 p->sadb_x_nat_t_port_exttype = type;
3860 p->sadb_x_nat_t_port_port = port;
3866 * Get port from sockaddr. Port is in network byte order.
3869 key_portfromsaddr(struct sockaddr *sa)
3872 switch (sa->sa_family) {
3875 return ((struct sockaddr_in *)sa)->sin_port;
3879 return ((struct sockaddr_in6 *)sa)->sin6_port;
3882 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
3883 printf("DP %s unexpected address family %d\n",
3884 __func__, sa->sa_family));
3887 #endif /* IPSEC_NAT_T */
3890 * Set port in struct sockaddr. Port is in network byte order.
3893 key_porttosaddr(struct sockaddr *sa, u_int16_t port)
3896 switch (sa->sa_family) {
3899 ((struct sockaddr_in *)sa)->sin_port = port;
3904 ((struct sockaddr_in6 *)sa)->sin6_port = port;
3908 ipseclog((LOG_DEBUG, "%s: unexpected address family %d.\n",
3909 __func__, sa->sa_family));
3915 * set data into sadb_x_policy
3917 static struct mbuf *
3918 key_setsadbxpolicy(u_int16_t type, u_int8_t dir, u_int32_t id, u_int32_t priority)
3921 struct sadb_x_policy *p;
3924 len = PFKEY_ALIGN8(sizeof(struct sadb_x_policy));
3925 m = m_get2(len, M_NOWAIT, MT_DATA, 0);
3930 p = mtod(m, struct sadb_x_policy *);
3933 p->sadb_x_policy_len = PFKEY_UNIT64(len);
3934 p->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
3935 p->sadb_x_policy_type = type;
3936 p->sadb_x_policy_dir = dir;
3937 p->sadb_x_policy_id = id;
3938 p->sadb_x_policy_priority = priority;
3944 /* Take a key message (sadb_key) from the socket and turn it into one
3945 * of the kernel's key structures (seckey).
3947 * IN: pointer to the src
3948 * OUT: NULL no more memory
3951 key_dup_keymsg(const struct sadb_key *src, u_int len,
3952 struct malloc_type *type)
3955 dst = (struct seckey *)malloc(sizeof(struct seckey), type, M_NOWAIT);
3957 dst->bits = src->sadb_key_bits;
3958 dst->key_data = (char *)malloc(len, type, M_NOWAIT);
3959 if (dst->key_data != NULL) {
3960 bcopy((const char *)src + sizeof(struct sadb_key),
3961 dst->key_data, len);
3963 ipseclog((LOG_DEBUG, "%s: No more memory.\n",
3969 ipseclog((LOG_DEBUG, "%s: No more memory.\n",
3976 /* Take a lifetime message (sadb_lifetime) passed in on a socket and
3977 * turn it into one of the kernel's lifetime structures (seclifetime).
3979 * IN: pointer to the destination, source and malloc type
3980 * OUT: NULL, no more memory
3983 static struct seclifetime *
3984 key_dup_lifemsg(const struct sadb_lifetime *src, struct malloc_type *type)
3986 struct seclifetime *dst = NULL;
3988 dst = (struct seclifetime *)malloc(sizeof(struct seclifetime),
3992 ipseclog((LOG_DEBUG, "%s: No more memory.\n", __func__));
3994 dst->allocations = src->sadb_lifetime_allocations;
3995 dst->bytes = src->sadb_lifetime_bytes;
3996 dst->addtime = src->sadb_lifetime_addtime;
3997 dst->usetime = src->sadb_lifetime_usetime;
4002 /* compare my own address
4003 * OUT: 1: true, i.e. my address.
4007 key_ismyaddr(struct sockaddr *sa)
4010 IPSEC_ASSERT(sa != NULL, ("null sockaddr"));
4011 switch (sa->sa_family) {
4014 return (in_localip(satosin(sa)->sin_addr));
4018 return key_ismyaddr6((struct sockaddr_in6 *)sa);
4027 * compare my own address for IPv6.
4032 key_ismyaddr6(struct sockaddr_in6 *sin6)
4034 struct in6_addr in6;
4036 if (!IN6_IS_SCOPE_LINKLOCAL(&sin6->sin6_addr))
4037 return (in6_localip(&sin6->sin6_addr));
4039 /* Convert address into kernel-internal form */
4040 in6 = sin6->sin6_addr;
4041 in6.s6_addr16[1] = htons(sin6->sin6_scope_id & 0xffff);
4042 return (in6_localip(&in6));
4047 * compare two secasindex structure.
4048 * flag can specify to compare 2 saidxes.
4049 * compare two secasindex structure without both mode and reqid.
4050 * don't compare port.
4052 * saidx0: source, it can be in SAD.
4059 key_cmpsaidx(const struct secasindex *saidx0, const struct secasindex *saidx1,
4065 if (saidx0 == NULL && saidx1 == NULL)
4068 if (saidx0 == NULL || saidx1 == NULL)
4071 if (saidx0->proto != saidx1->proto)
4074 if (flag == CMP_EXACTLY) {
4075 if (saidx0->mode != saidx1->mode)
4077 if (saidx0->reqid != saidx1->reqid)
4079 if (bcmp(&saidx0->src, &saidx1->src, saidx0->src.sa.sa_len) != 0 ||
4080 bcmp(&saidx0->dst, &saidx1->dst, saidx0->dst.sa.sa_len) != 0)
4084 /* CMP_MODE_REQID, CMP_REQID, CMP_HEAD */
4085 if (flag == CMP_MODE_REQID
4086 ||flag == CMP_REQID) {
4088 * If reqid of SPD is non-zero, unique SA is required.
4089 * The result must be of same reqid in this case.
4091 if (saidx1->reqid != 0 && saidx0->reqid != saidx1->reqid)
4095 if (flag == CMP_MODE_REQID) {
4096 if (saidx0->mode != IPSEC_MODE_ANY
4097 && saidx0->mode != saidx1->mode)
4103 * If NAT-T is enabled, check ports for tunnel mode.
4104 * Do not check ports if they are set to zero in the SPD.
4105 * Also do not do it for native transport mode, as there
4106 * is no port information available in the SP.
4108 if ((saidx1->mode == IPSEC_MODE_TUNNEL ||
4109 (saidx1->mode == IPSEC_MODE_TRANSPORT &&
4110 saidx1->proto == IPPROTO_ESP)) &&
4111 saidx1->src.sa.sa_family == AF_INET &&
4112 saidx1->dst.sa.sa_family == AF_INET &&
4113 ((const struct sockaddr_in *)(&saidx1->src))->sin_port &&
4114 ((const struct sockaddr_in *)(&saidx1->dst))->sin_port)
4116 #endif /* IPSEC_NAT_T */
4118 if (key_sockaddrcmp(&saidx0->src.sa, &saidx1->src.sa, chkport) != 0) {
4121 if (key_sockaddrcmp(&saidx0->dst.sa, &saidx1->dst.sa, chkport) != 0) {
4130 * compare two secindex structure exactly.
4132 * spidx0: source, it is often in SPD.
4133 * spidx1: object, it is often from PFKEY message.
4139 key_cmpspidx_exactly(struct secpolicyindex *spidx0,
4140 struct secpolicyindex *spidx1)
4143 if (spidx0 == NULL && spidx1 == NULL)
4146 if (spidx0 == NULL || spidx1 == NULL)
4149 if (spidx0->prefs != spidx1->prefs
4150 || spidx0->prefd != spidx1->prefd
4151 || spidx0->ul_proto != spidx1->ul_proto)
4154 return key_sockaddrcmp(&spidx0->src.sa, &spidx1->src.sa, 1) == 0 &&
4155 key_sockaddrcmp(&spidx0->dst.sa, &spidx1->dst.sa, 1) == 0;
4159 * compare two secindex structure with mask.
4161 * spidx0: source, it is often in SPD.
4162 * spidx1: object, it is often from IP header.
4168 key_cmpspidx_withmask(struct secpolicyindex *spidx0,
4169 struct secpolicyindex *spidx1)
4172 if (spidx0 == NULL && spidx1 == NULL)
4175 if (spidx0 == NULL || spidx1 == NULL)
4178 if (spidx0->src.sa.sa_family != spidx1->src.sa.sa_family ||
4179 spidx0->dst.sa.sa_family != spidx1->dst.sa.sa_family ||
4180 spidx0->src.sa.sa_len != spidx1->src.sa.sa_len ||
4181 spidx0->dst.sa.sa_len != spidx1->dst.sa.sa_len)
4184 /* if spidx.ul_proto == IPSEC_ULPROTO_ANY, ignore. */
4185 if (spidx0->ul_proto != (u_int16_t)IPSEC_ULPROTO_ANY
4186 && spidx0->ul_proto != spidx1->ul_proto)
4189 switch (spidx0->src.sa.sa_family) {
4191 if (spidx0->src.sin.sin_port != IPSEC_PORT_ANY
4192 && spidx0->src.sin.sin_port != spidx1->src.sin.sin_port)
4194 if (!key_bbcmp(&spidx0->src.sin.sin_addr,
4195 &spidx1->src.sin.sin_addr, spidx0->prefs))
4199 if (spidx0->src.sin6.sin6_port != IPSEC_PORT_ANY
4200 && spidx0->src.sin6.sin6_port != spidx1->src.sin6.sin6_port)
4203 * scope_id check. if sin6_scope_id is 0, we regard it
4204 * as a wildcard scope, which matches any scope zone ID.
4206 if (spidx0->src.sin6.sin6_scope_id &&
4207 spidx1->src.sin6.sin6_scope_id &&
4208 spidx0->src.sin6.sin6_scope_id != spidx1->src.sin6.sin6_scope_id)
4210 if (!key_bbcmp(&spidx0->src.sin6.sin6_addr,
4211 &spidx1->src.sin6.sin6_addr, spidx0->prefs))
4216 if (bcmp(&spidx0->src, &spidx1->src, spidx0->src.sa.sa_len) != 0)
4221 switch (spidx0->dst.sa.sa_family) {
4223 if (spidx0->dst.sin.sin_port != IPSEC_PORT_ANY
4224 && spidx0->dst.sin.sin_port != spidx1->dst.sin.sin_port)
4226 if (!key_bbcmp(&spidx0->dst.sin.sin_addr,
4227 &spidx1->dst.sin.sin_addr, spidx0->prefd))
4231 if (spidx0->dst.sin6.sin6_port != IPSEC_PORT_ANY
4232 && spidx0->dst.sin6.sin6_port != spidx1->dst.sin6.sin6_port)
4235 * scope_id check. if sin6_scope_id is 0, we regard it
4236 * as a wildcard scope, which matches any scope zone ID.
4238 if (spidx0->dst.sin6.sin6_scope_id &&
4239 spidx1->dst.sin6.sin6_scope_id &&
4240 spidx0->dst.sin6.sin6_scope_id != spidx1->dst.sin6.sin6_scope_id)
4242 if (!key_bbcmp(&spidx0->dst.sin6.sin6_addr,
4243 &spidx1->dst.sin6.sin6_addr, spidx0->prefd))
4248 if (bcmp(&spidx0->dst, &spidx1->dst, spidx0->dst.sa.sa_len) != 0)
4253 /* XXX Do we check other field ? e.g. flowinfo */
4258 /* returns 0 on match */
4260 key_sockaddrcmp(const struct sockaddr *sa1, const struct sockaddr *sa2,
4266 #define satosin(s) ((const struct sockaddr_in *)s)
4270 #define satosin6(s) ((const struct sockaddr_in6 *)s)
4271 if (sa1->sa_family != sa2->sa_family || sa1->sa_len != sa2->sa_len)
4274 switch (sa1->sa_family) {
4276 if (sa1->sa_len != sizeof(struct sockaddr_in))
4278 if (satosin(sa1)->sin_addr.s_addr !=
4279 satosin(sa2)->sin_addr.s_addr) {
4282 if (port && satosin(sa1)->sin_port != satosin(sa2)->sin_port)
4286 if (sa1->sa_len != sizeof(struct sockaddr_in6))
4287 return 1; /*EINVAL*/
4288 if (satosin6(sa1)->sin6_scope_id !=
4289 satosin6(sa2)->sin6_scope_id) {
4292 if (!IN6_ARE_ADDR_EQUAL(&satosin6(sa1)->sin6_addr,
4293 &satosin6(sa2)->sin6_addr)) {
4297 satosin6(sa1)->sin6_port != satosin6(sa2)->sin6_port) {
4302 if (bcmp(sa1, sa2, sa1->sa_len) != 0)
4313 * compare two buffers with mask.
4317 * bits: Number of bits to compare
4323 key_bbcmp(const void *a1, const void *a2, u_int bits)
4325 const unsigned char *p1 = a1;
4326 const unsigned char *p2 = a2;
4328 /* XXX: This could be considerably faster if we compare a word
4329 * at a time, but it is complicated on LSB Endian machines */
4331 /* Handle null pointers */
4332 if (p1 == NULL || p2 == NULL)
4342 u_int8_t mask = ~((1<<(8-bits))-1);
4343 if ((*p1 & mask) != (*p2 & mask))
4346 return 1; /* Match! */
4350 key_flush_spd(time_t now)
4352 SPTREE_RLOCK_TRACKER;
4353 struct secpolicy *sp;
4357 for (dir = 0; dir < IPSEC_DIR_MAX; dir++) {
4360 TAILQ_FOREACH(sp, &V_sptree[dir], chain) {
4361 if (sp->lifetime == 0 && sp->validtime == 0)
4363 if ((sp->lifetime &&
4364 now - sp->created > sp->lifetime) ||
4366 now - sp->lastused > sp->validtime)) {
4380 key_flush_sad(time_t now)
4382 struct secashead *sah, *nextsah;
4383 struct secasvar *sav, *nextsav;
4387 LIST_FOREACH_SAFE(sah, &V_sahtree, chain, nextsah) {
4388 /* if sah has been dead, then delete it and process next sah. */
4389 if (sah->state == SADB_SASTATE_DEAD) {
4394 /* if LARVAL entry doesn't become MATURE, delete it. */
4395 LIST_FOREACH_SAFE(sav, &sah->savtree[SADB_SASTATE_LARVAL], chain, nextsav) {
4396 /* Need to also check refcnt for a larval SA ??? */
4397 if (now - sav->created > V_key_larval_lifetime)
4402 * check MATURE entry to start to send expire message
4405 LIST_FOREACH_SAFE(sav, &sah->savtree[SADB_SASTATE_MATURE], chain, nextsav) {
4406 /* we don't need to check. */
4407 if (sav->lft_s == NULL)
4411 if (sav->lft_c == NULL) {
4412 ipseclog((LOG_DEBUG,"%s: there is no CURRENT "
4413 "time, why?\n", __func__));
4418 * HARD lifetimes MUST take precedence over SOFT
4419 * lifetimes, meaning if the HARD and SOFT lifetimes
4420 * are the same, the HARD lifetime will appear on the
4423 /* check HARD lifetime */
4424 if ((sav->lft_h->addtime != 0 &&
4425 now - sav->created > sav->lft_h->addtime) ||
4426 (sav->lft_h->bytes != 0 &&
4427 sav->lft_h->bytes < sav->lft_c->bytes)) {
4428 key_sa_chgstate(sav, SADB_SASTATE_DEAD);
4432 /* check SOFT lifetime */
4433 else if ((sav->lft_s->addtime != 0 &&
4434 now - sav->created > sav->lft_s->addtime) ||
4435 (sav->lft_s->bytes != 0 &&
4436 sav->lft_s->bytes < sav->lft_c->bytes)) {
4437 key_sa_chgstate(sav, SADB_SASTATE_DYING);
4442 /* check DYING entry to change status to DEAD. */
4443 LIST_FOREACH_SAFE(sav, &sah->savtree[SADB_SASTATE_DYING], chain, nextsav) {
4444 /* we don't need to check. */
4445 if (sav->lft_h == NULL)
4449 if (sav->lft_c == NULL) {
4450 ipseclog((LOG_DEBUG, "%s: there is no CURRENT "
4451 "time, why?\n", __func__));
4455 if (sav->lft_h->addtime != 0 &&
4456 now - sav->created > sav->lft_h->addtime) {
4457 key_sa_chgstate(sav, SADB_SASTATE_DEAD);
4461 #if 0 /* XXX Should we keep to send expire message until HARD lifetime ? */
4462 else if (sav->lft_s != NULL
4463 && sav->lft_s->addtime != 0
4464 && now - sav->created > sav->lft_s->addtime) {
4466 * XXX: should be checked to be
4467 * installed the valid SA.
4471 * If there is no SA then sending
4477 /* check HARD lifetime by bytes */
4478 else if (sav->lft_h->bytes != 0 &&
4479 sav->lft_h->bytes < sav->lft_c->bytes) {
4480 key_sa_chgstate(sav, SADB_SASTATE_DEAD);
4486 /* delete entry in DEAD */
4487 LIST_FOREACH_SAFE(sav, &sah->savtree[SADB_SASTATE_DEAD], chain, nextsav) {
4489 if (sav->state != SADB_SASTATE_DEAD) {
4490 ipseclog((LOG_DEBUG, "%s: invalid sav->state "
4491 "(queue: %d SA: %d): kill it anyway\n",
4493 SADB_SASTATE_DEAD, sav->state));
4496 * do not call key_freesav() here.
4497 * sav should already be freed, and sav->refcnt
4498 * shows other references to sav
4499 * (such as from SPD).
4507 key_flush_acq(time_t now)
4509 struct secacq *acq, *nextacq;
4513 for (acq = LIST_FIRST(&V_acqtree); acq != NULL; acq = nextacq) {
4514 nextacq = LIST_NEXT(acq, chain);
4515 if (now - acq->created > V_key_blockacq_lifetime
4516 && __LIST_CHAINED(acq)) {
4517 LIST_REMOVE(acq, chain);
4518 free(acq, M_IPSEC_SAQ);
4525 key_flush_spacq(time_t now)
4527 struct secspacq *acq, *nextacq;
4531 for (acq = LIST_FIRST(&V_spacqtree); acq != NULL; acq = nextacq) {
4532 nextacq = LIST_NEXT(acq, chain);
4533 if (now - acq->created > V_key_blockacq_lifetime
4534 && __LIST_CHAINED(acq)) {
4535 LIST_REMOVE(acq, chain);
4536 free(acq, M_IPSEC_SAQ);
4544 * scanning SPD and SAD to check status for each entries,
4545 * and do to remove or to expire.
4546 * XXX: year 2038 problem may remain.
4549 key_timehandler(void *arg)
4551 VNET_ITERATOR_DECL(vnet_iter);
4552 time_t now = time_second;
4554 VNET_LIST_RLOCK_NOSLEEP();
4555 VNET_FOREACH(vnet_iter) {
4556 CURVNET_SET(vnet_iter);
4560 key_flush_spacq(now);
4563 VNET_LIST_RUNLOCK_NOSLEEP();
4565 #ifndef IPSEC_DEBUG2
4566 /* do exchange to tick time !! */
4567 callout_schedule(&key_timer, hz);
4568 #endif /* IPSEC_DEBUG2 */
4576 key_randomfill(&value, sizeof(value));
4581 key_randomfill(void *p, size_t l)
4585 static int warn = 1;
4588 n = (size_t)read_random(p, (u_int)l);
4592 bcopy(&v, (u_int8_t *)p + n,
4593 l - n < sizeof(v) ? l - n : sizeof(v));
4597 printf("WARNING: pseudo-random number generator "
4598 "used for IPsec processing\n");
4605 * map SADB_SATYPE_* to IPPROTO_*.
4606 * if satype == SADB_SATYPE then satype is mapped to ~0.
4608 * 0: invalid satype.
4611 key_satype2proto(u_int8_t satype)
4614 case SADB_SATYPE_UNSPEC:
4615 return IPSEC_PROTO_ANY;
4616 case SADB_SATYPE_AH:
4618 case SADB_SATYPE_ESP:
4620 case SADB_X_SATYPE_IPCOMP:
4621 return IPPROTO_IPCOMP;
4622 case SADB_X_SATYPE_TCPSIGNATURE:
4631 * map IPPROTO_* to SADB_SATYPE_*
4633 * 0: invalid protocol type.
4636 key_proto2satype(u_int16_t proto)
4640 return SADB_SATYPE_AH;
4642 return SADB_SATYPE_ESP;
4643 case IPPROTO_IPCOMP:
4644 return SADB_X_SATYPE_IPCOMP;
4646 return SADB_X_SATYPE_TCPSIGNATURE;
4655 * SADB_GETSPI processing is to receive
4656 * <base, (SA2), src address, dst address, (SPI range)>
4657 * from the IKMPd, to assign a unique spi value, to hang on the INBOUND
4658 * tree with the status of LARVAL, and send
4659 * <base, SA(*), address(SD)>
4662 * IN: mhp: pointer to the pointer to each header.
4663 * OUT: NULL if fail.
4664 * other if success, return pointer to the message to send.
4667 key_getspi(struct socket *so, struct mbuf *m, const struct sadb_msghdr *mhp)
4669 struct sadb_address *src0, *dst0;
4670 struct secasindex saidx;
4671 struct secashead *newsah;
4672 struct secasvar *newsav;
4679 IPSEC_ASSERT(so != NULL, ("null socket"));
4680 IPSEC_ASSERT(m != NULL, ("null mbuf"));
4681 IPSEC_ASSERT(mhp != NULL, ("null msghdr"));
4682 IPSEC_ASSERT(mhp->msg != NULL, ("null msg"));
4684 if (mhp->ext[SADB_EXT_ADDRESS_SRC] == NULL ||
4685 mhp->ext[SADB_EXT_ADDRESS_DST] == NULL) {
4686 ipseclog((LOG_DEBUG, "%s: invalid message is passed.\n",
4688 return key_senderror(so, m, EINVAL);
4690 if (mhp->extlen[SADB_EXT_ADDRESS_SRC] < sizeof(struct sadb_address) ||
4691 mhp->extlen[SADB_EXT_ADDRESS_DST] < sizeof(struct sadb_address)) {
4692 ipseclog((LOG_DEBUG, "%s: invalid message is passed.\n",
4694 return key_senderror(so, m, EINVAL);
4696 if (mhp->ext[SADB_X_EXT_SA2] != NULL) {
4697 mode = ((struct sadb_x_sa2 *)mhp->ext[SADB_X_EXT_SA2])->sadb_x_sa2_mode;
4698 reqid = ((struct sadb_x_sa2 *)mhp->ext[SADB_X_EXT_SA2])->sadb_x_sa2_reqid;
4700 mode = IPSEC_MODE_ANY;
4704 src0 = (struct sadb_address *)(mhp->ext[SADB_EXT_ADDRESS_SRC]);
4705 dst0 = (struct sadb_address *)(mhp->ext[SADB_EXT_ADDRESS_DST]);
4707 /* map satype to proto */
4708 if ((proto = key_satype2proto(mhp->msg->sadb_msg_satype)) == 0) {
4709 ipseclog((LOG_DEBUG, "%s: invalid satype is passed.\n",
4711 return key_senderror(so, m, EINVAL);
4715 * Make sure the port numbers are zero.
4716 * In case of NAT-T we will update them later if needed.
4718 switch (((struct sockaddr *)(src0 + 1))->sa_family) {
4720 if (((struct sockaddr *)(src0 + 1))->sa_len !=
4721 sizeof(struct sockaddr_in))
4722 return key_senderror(so, m, EINVAL);
4723 ((struct sockaddr_in *)(src0 + 1))->sin_port = 0;
4726 if (((struct sockaddr *)(src0 + 1))->sa_len !=
4727 sizeof(struct sockaddr_in6))
4728 return key_senderror(so, m, EINVAL);
4729 ((struct sockaddr_in6 *)(src0 + 1))->sin6_port = 0;
4734 switch (((struct sockaddr *)(dst0 + 1))->sa_family) {
4736 if (((struct sockaddr *)(dst0 + 1))->sa_len !=
4737 sizeof(struct sockaddr_in))
4738 return key_senderror(so, m, EINVAL);
4739 ((struct sockaddr_in *)(dst0 + 1))->sin_port = 0;
4742 if (((struct sockaddr *)(dst0 + 1))->sa_len !=
4743 sizeof(struct sockaddr_in6))
4744 return key_senderror(so, m, EINVAL);
4745 ((struct sockaddr_in6 *)(dst0 + 1))->sin6_port = 0;
4751 /* XXX boundary check against sa_len */
4752 KEY_SETSECASIDX(proto, mode, reqid, src0 + 1, dst0 + 1, &saidx);
4756 * Handle NAT-T info if present.
4757 * We made sure the port numbers are zero above, so we do
4758 * not have to worry in case we do not update them.
4760 if (mhp->ext[SADB_X_EXT_NAT_T_OAI] != NULL)
4761 ipseclog((LOG_DEBUG, "%s: NAT-T OAi present\n", __func__));
4762 if (mhp->ext[SADB_X_EXT_NAT_T_OAR] != NULL)
4763 ipseclog((LOG_DEBUG, "%s: NAT-T OAr present\n", __func__));
4765 if (mhp->ext[SADB_X_EXT_NAT_T_TYPE] != NULL &&
4766 mhp->ext[SADB_X_EXT_NAT_T_SPORT] != NULL &&
4767 mhp->ext[SADB_X_EXT_NAT_T_DPORT] != NULL) {
4768 struct sadb_x_nat_t_type *type;
4769 struct sadb_x_nat_t_port *sport, *dport;
4771 if (mhp->extlen[SADB_X_EXT_NAT_T_TYPE] < sizeof(*type) ||
4772 mhp->extlen[SADB_X_EXT_NAT_T_SPORT] < sizeof(*sport) ||
4773 mhp->extlen[SADB_X_EXT_NAT_T_DPORT] < sizeof(*dport)) {
4774 ipseclog((LOG_DEBUG, "%s: invalid nat-t message "
4775 "passed.\n", __func__));
4776 return key_senderror(so, m, EINVAL);
4779 sport = (struct sadb_x_nat_t_port *)
4780 mhp->ext[SADB_X_EXT_NAT_T_SPORT];
4781 dport = (struct sadb_x_nat_t_port *)
4782 mhp->ext[SADB_X_EXT_NAT_T_DPORT];
4785 KEY_PORTTOSADDR(&saidx.src, sport->sadb_x_nat_t_port_port);
4787 KEY_PORTTOSADDR(&saidx.dst, dport->sadb_x_nat_t_port_port);
4791 /* SPI allocation */
4792 spi = key_do_getnewspi((struct sadb_spirange *)mhp->ext[SADB_EXT_SPIRANGE],
4795 return key_senderror(so, m, EINVAL);
4797 /* get a SA index */
4798 if ((newsah = key_getsah(&saidx)) == NULL) {
4799 /* create a new SA index */
4800 if ((newsah = key_newsah(&saidx)) == NULL) {
4801 ipseclog((LOG_DEBUG, "%s: No more memory.\n",__func__));
4802 return key_senderror(so, m, ENOBUFS);
4808 newsav = KEY_NEWSAV(m, mhp, newsah, &error);
4809 if (newsav == NULL) {
4810 /* XXX don't free new SA index allocated in above. */
4811 return key_senderror(so, m, error);
4815 newsav->spi = htonl(spi);
4817 /* delete the entry in acqtree */
4818 if (mhp->msg->sadb_msg_seq != 0) {
4820 if ((acq = key_getacqbyseq(mhp->msg->sadb_msg_seq)) != NULL) {
4821 /* reset counter in order to deletion by timehandler. */
4822 acq->created = time_second;
4828 struct mbuf *n, *nn;
4829 struct sadb_sa *m_sa;
4830 struct sadb_msg *newmsg;
4833 /* create new sadb_msg to reply. */
4834 len = PFKEY_ALIGN8(sizeof(struct sadb_msg)) +
4835 PFKEY_ALIGN8(sizeof(struct sadb_sa));
4837 MGETHDR(n, M_NOWAIT, MT_DATA);
4839 if (!(MCLGET(n, M_NOWAIT))) {
4845 return key_senderror(so, m, ENOBUFS);
4851 m_copydata(m, 0, sizeof(struct sadb_msg), mtod(n, caddr_t) + off);
4852 off += PFKEY_ALIGN8(sizeof(struct sadb_msg));
4854 m_sa = (struct sadb_sa *)(mtod(n, caddr_t) + off);
4855 m_sa->sadb_sa_len = PFKEY_UNIT64(sizeof(struct sadb_sa));
4856 m_sa->sadb_sa_exttype = SADB_EXT_SA;
4857 m_sa->sadb_sa_spi = htonl(spi);
4858 off += PFKEY_ALIGN8(sizeof(struct sadb_sa));
4860 IPSEC_ASSERT(off == len,
4861 ("length inconsistency (off %u len %u)", off, len));
4863 n->m_next = key_gather_mbuf(m, mhp, 0, 2, SADB_EXT_ADDRESS_SRC,
4864 SADB_EXT_ADDRESS_DST);
4867 return key_senderror(so, m, ENOBUFS);
4870 if (n->m_len < sizeof(struct sadb_msg)) {
4871 n = m_pullup(n, sizeof(struct sadb_msg));
4873 return key_sendup_mbuf(so, m, KEY_SENDUP_ONE);
4876 n->m_pkthdr.len = 0;
4877 for (nn = n; nn; nn = nn->m_next)
4878 n->m_pkthdr.len += nn->m_len;
4880 newmsg = mtod(n, struct sadb_msg *);
4881 newmsg->sadb_msg_seq = newsav->seq;
4882 newmsg->sadb_msg_errno = 0;
4883 newmsg->sadb_msg_len = PFKEY_UNIT64(n->m_pkthdr.len);
4886 return key_sendup_mbuf(so, n, KEY_SENDUP_ONE);
4891 * allocating new SPI
4892 * called by key_getspi().
4898 key_do_getnewspi(struct sadb_spirange *spirange, struct secasindex *saidx)
4902 int count = V_key_spi_trycnt;
4904 /* set spi range to allocate */
4905 if (spirange != NULL) {
4906 min = spirange->sadb_spirange_min;
4907 max = spirange->sadb_spirange_max;
4909 min = V_key_spi_minval;
4910 max = V_key_spi_maxval;
4912 /* IPCOMP needs 2-byte SPI */
4913 if (saidx->proto == IPPROTO_IPCOMP) {
4920 t = min; min = max; max = t;
4925 if (key_checkspidup(saidx, min) != NULL) {
4926 ipseclog((LOG_DEBUG, "%s: SPI %u exists already.\n",
4931 count--; /* taking one cost. */
4939 /* when requesting to allocate spi ranged */
4941 /* generate pseudo-random SPI value ranged. */
4942 newspi = min + (key_random() % (max - min + 1));
4944 if (key_checkspidup(saidx, newspi) == NULL)
4948 if (count == 0 || newspi == 0) {
4949 ipseclog((LOG_DEBUG, "%s: to allocate spi is failed.\n",
4956 keystat.getspi_count =
4957 (keystat.getspi_count + V_key_spi_trycnt - count) / 2;
4963 * SADB_UPDATE processing
4965 * <base, SA, (SA2), (lifetime(HSC),) address(SD), (address(P),)
4966 * key(AE), (identity(SD),) (sensitivity)>
4967 * from the ikmpd, and update a secasvar entry whose status is SADB_SASTATE_LARVAL.
4969 * <base, SA, (SA2), (lifetime(HSC),) address(SD), (address(P),)
4970 * (identity(SD),) (sensitivity)>
4973 * m will always be freed.
4976 key_update(struct socket *so, struct mbuf *m, const struct sadb_msghdr *mhp)
4978 struct sadb_sa *sa0;
4979 struct sadb_address *src0, *dst0;
4981 struct sadb_x_nat_t_type *type;
4982 struct sadb_x_nat_t_port *sport, *dport;
4983 struct sadb_address *iaddr, *raddr;
4984 struct sadb_x_nat_t_frag *frag;
4986 struct secasindex saidx;
4987 struct secashead *sah;
4988 struct secasvar *sav;
4994 IPSEC_ASSERT(so != NULL, ("null socket"));
4995 IPSEC_ASSERT(m != NULL, ("null mbuf"));
4996 IPSEC_ASSERT(mhp != NULL, ("null msghdr"));
4997 IPSEC_ASSERT(mhp->msg != NULL, ("null msg"));
4999 /* map satype to proto */
5000 if ((proto = key_satype2proto(mhp->msg->sadb_msg_satype)) == 0) {
5001 ipseclog((LOG_DEBUG, "%s: invalid satype is passed.\n",
5003 return key_senderror(so, m, EINVAL);
5006 if (mhp->ext[SADB_EXT_SA] == NULL ||
5007 mhp->ext[SADB_EXT_ADDRESS_SRC] == NULL ||
5008 mhp->ext[SADB_EXT_ADDRESS_DST] == NULL ||
5009 (mhp->msg->sadb_msg_satype == SADB_SATYPE_ESP &&
5010 mhp->ext[SADB_EXT_KEY_ENCRYPT] == NULL) ||
5011 (mhp->msg->sadb_msg_satype == SADB_SATYPE_AH &&
5012 mhp->ext[SADB_EXT_KEY_AUTH] == NULL) ||
5013 (mhp->ext[SADB_EXT_LIFETIME_HARD] != NULL &&
5014 mhp->ext[SADB_EXT_LIFETIME_SOFT] == NULL) ||
5015 (mhp->ext[SADB_EXT_LIFETIME_HARD] == NULL &&
5016 mhp->ext[SADB_EXT_LIFETIME_SOFT] != NULL)) {
5017 ipseclog((LOG_DEBUG, "%s: invalid message is passed.\n",
5019 return key_senderror(so, m, EINVAL);
5021 if (mhp->extlen[SADB_EXT_SA] < sizeof(struct sadb_sa) ||
5022 mhp->extlen[SADB_EXT_ADDRESS_SRC] < sizeof(struct sadb_address) ||
5023 mhp->extlen[SADB_EXT_ADDRESS_DST] < sizeof(struct sadb_address)) {
5024 ipseclog((LOG_DEBUG, "%s: invalid message is passed.\n",
5026 return key_senderror(so, m, EINVAL);
5028 if (mhp->ext[SADB_X_EXT_SA2] != NULL) {
5029 mode = ((struct sadb_x_sa2 *)mhp->ext[SADB_X_EXT_SA2])->sadb_x_sa2_mode;
5030 reqid = ((struct sadb_x_sa2 *)mhp->ext[SADB_X_EXT_SA2])->sadb_x_sa2_reqid;
5032 mode = IPSEC_MODE_ANY;
5035 /* XXX boundary checking for other extensions */
5037 sa0 = (struct sadb_sa *)mhp->ext[SADB_EXT_SA];
5038 src0 = (struct sadb_address *)(mhp->ext[SADB_EXT_ADDRESS_SRC]);
5039 dst0 = (struct sadb_address *)(mhp->ext[SADB_EXT_ADDRESS_DST]);
5041 /* XXX boundary check against sa_len */
5042 KEY_SETSECASIDX(proto, mode, reqid, src0 + 1, dst0 + 1, &saidx);
5045 * Make sure the port numbers are zero.
5046 * In case of NAT-T we will update them later if needed.
5048 KEY_PORTTOSADDR(&saidx.src, 0);
5049 KEY_PORTTOSADDR(&saidx.dst, 0);
5053 * Handle NAT-T info if present.
5055 if (mhp->ext[SADB_X_EXT_NAT_T_TYPE] != NULL &&
5056 mhp->ext[SADB_X_EXT_NAT_T_SPORT] != NULL &&
5057 mhp->ext[SADB_X_EXT_NAT_T_DPORT] != NULL) {
5059 if (mhp->extlen[SADB_X_EXT_NAT_T_TYPE] < sizeof(*type) ||
5060 mhp->extlen[SADB_X_EXT_NAT_T_SPORT] < sizeof(*sport) ||
5061 mhp->extlen[SADB_X_EXT_NAT_T_DPORT] < sizeof(*dport)) {
5062 ipseclog((LOG_DEBUG, "%s: invalid message.\n",
5064 return key_senderror(so, m, EINVAL);
5067 type = (struct sadb_x_nat_t_type *)
5068 mhp->ext[SADB_X_EXT_NAT_T_TYPE];
5069 sport = (struct sadb_x_nat_t_port *)
5070 mhp->ext[SADB_X_EXT_NAT_T_SPORT];
5071 dport = (struct sadb_x_nat_t_port *)
5072 mhp->ext[SADB_X_EXT_NAT_T_DPORT];
5075 sport = dport = NULL;
5077 if (mhp->ext[SADB_X_EXT_NAT_T_OAI] != NULL &&
5078 mhp->ext[SADB_X_EXT_NAT_T_OAR] != NULL) {
5079 if (mhp->extlen[SADB_X_EXT_NAT_T_OAI] < sizeof(*iaddr) ||
5080 mhp->extlen[SADB_X_EXT_NAT_T_OAR] < sizeof(*raddr)) {
5081 ipseclog((LOG_DEBUG, "%s: invalid message\n",
5083 return key_senderror(so, m, EINVAL);
5085 iaddr = (struct sadb_address *)mhp->ext[SADB_X_EXT_NAT_T_OAI];
5086 raddr = (struct sadb_address *)mhp->ext[SADB_X_EXT_NAT_T_OAR];
5087 ipseclog((LOG_DEBUG, "%s: NAT-T OAi/r present\n", __func__));
5089 iaddr = raddr = NULL;
5091 if (mhp->ext[SADB_X_EXT_NAT_T_FRAG] != NULL) {
5092 if (mhp->extlen[SADB_X_EXT_NAT_T_FRAG] < sizeof(*frag)) {
5093 ipseclog((LOG_DEBUG, "%s: invalid message\n",
5095 return key_senderror(so, m, EINVAL);
5097 frag = (struct sadb_x_nat_t_frag *)
5098 mhp->ext[SADB_X_EXT_NAT_T_FRAG];
5104 /* get a SA header */
5105 if ((sah = key_getsah(&saidx)) == NULL) {
5106 ipseclog((LOG_DEBUG, "%s: no SA index found.\n", __func__));
5107 return key_senderror(so, m, ENOENT);
5110 /* set spidx if there */
5112 error = key_setident(sah, m, mhp);
5114 return key_senderror(so, m, error);
5116 /* find a SA with sequence number. */
5117 #ifdef IPSEC_DOSEQCHECK
5118 if (mhp->msg->sadb_msg_seq != 0
5119 && (sav = key_getsavbyseq(sah, mhp->msg->sadb_msg_seq)) == NULL) {
5120 ipseclog((LOG_DEBUG, "%s: no larval SA with sequence %u "
5121 "exists.\n", __func__, mhp->msg->sadb_msg_seq));
5122 return key_senderror(so, m, ENOENT);
5126 sav = key_getsavbyspi(sah, sa0->sadb_sa_spi);
5129 ipseclog((LOG_DEBUG, "%s: no such a SA found (spi:%u)\n",
5130 __func__, (u_int32_t)ntohl(sa0->sadb_sa_spi)));
5131 return key_senderror(so, m, EINVAL);
5135 /* validity check */
5136 if (sav->sah->saidx.proto != proto) {
5137 ipseclog((LOG_DEBUG, "%s: protocol mismatched "
5138 "(DB=%u param=%u)\n", __func__,
5139 sav->sah->saidx.proto, proto));
5140 return key_senderror(so, m, EINVAL);
5142 #ifdef IPSEC_DOSEQCHECK
5143 if (sav->spi != sa0->sadb_sa_spi) {
5144 ipseclog((LOG_DEBUG, "%s: SPI mismatched (DB:%u param:%u)\n",
5146 (u_int32_t)ntohl(sav->spi),
5147 (u_int32_t)ntohl(sa0->sadb_sa_spi)));
5148 return key_senderror(so, m, EINVAL);
5151 if (sav->pid != mhp->msg->sadb_msg_pid) {
5152 ipseclog((LOG_DEBUG, "%s: pid mismatched (DB:%u param:%u)\n",
5153 __func__, sav->pid, mhp->msg->sadb_msg_pid));
5154 return key_senderror(so, m, EINVAL);
5157 /* copy sav values */
5158 error = key_setsaval(sav, m, mhp);
5161 return key_senderror(so, m, error);
5166 * Handle more NAT-T info if present,
5167 * now that we have a sav to fill.
5170 sav->natt_type = type->sadb_x_nat_t_type_type;
5173 KEY_PORTTOSADDR(&sav->sah->saidx.src,
5174 sport->sadb_x_nat_t_port_port);
5176 KEY_PORTTOSADDR(&sav->sah->saidx.dst,
5177 dport->sadb_x_nat_t_port_port);
5181 * In case SADB_X_EXT_NAT_T_FRAG was not given, leave it at 0.
5182 * We should actually check for a minimum MTU here, if we
5183 * want to support it in ip_output.
5186 sav->natt_esp_frag_len = frag->sadb_x_nat_t_frag_fraglen;
5190 /* check SA values to be mature. */
5191 if ((mhp->msg->sadb_msg_errno = key_mature(sav)) != 0) {
5193 return key_senderror(so, m, 0);
5199 /* set msg buf from mhp */
5200 n = key_getmsgbuf_x1(m, mhp);
5202 ipseclog((LOG_DEBUG, "%s: No more memory.\n", __func__));
5203 return key_senderror(so, m, ENOBUFS);
5207 return key_sendup_mbuf(so, n, KEY_SENDUP_ALL);
5212 * search SAD with sequence for a SA which state is SADB_SASTATE_LARVAL.
5213 * only called by key_update().
5216 * others : found, pointer to a SA.
5218 #ifdef IPSEC_DOSEQCHECK
5219 static struct secasvar *
5220 key_getsavbyseq(struct secashead *sah, u_int32_t seq)
5222 struct secasvar *sav;
5225 state = SADB_SASTATE_LARVAL;
5227 /* search SAD with sequence number ? */
5228 LIST_FOREACH(sav, &sah->savtree[state], chain) {
5230 KEY_CHKSASTATE(state, sav->state, __func__);
5232 if (sav->seq == seq) {
5234 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
5235 printf("DP %s cause refcnt++:%d SA:%p\n",
5236 __func__, sav->refcnt, sav));
5246 * SADB_ADD processing
5247 * add an entry to SA database, when received
5248 * <base, SA, (SA2), (lifetime(HSC),) address(SD), (address(P),)
5249 * key(AE), (identity(SD),) (sensitivity)>
5252 * <base, SA, (SA2), (lifetime(HSC),) address(SD), (address(P),)
5253 * (identity(SD),) (sensitivity)>
5256 * IGNORE identity and sensitivity messages.
5258 * m will always be freed.
5261 key_add(struct socket *so, struct mbuf *m, const struct sadb_msghdr *mhp)
5263 struct sadb_sa *sa0;
5264 struct sadb_address *src0, *dst0;
5266 struct sadb_x_nat_t_type *type;
5267 struct sadb_address *iaddr, *raddr;
5268 struct sadb_x_nat_t_frag *frag;
5270 struct secasindex saidx;
5271 struct secashead *newsah;
5272 struct secasvar *newsav;
5278 IPSEC_ASSERT(so != NULL, ("null socket"));
5279 IPSEC_ASSERT(m != NULL, ("null mbuf"));
5280 IPSEC_ASSERT(mhp != NULL, ("null msghdr"));
5281 IPSEC_ASSERT(mhp->msg != NULL, ("null msg"));
5283 /* map satype to proto */
5284 if ((proto = key_satype2proto(mhp->msg->sadb_msg_satype)) == 0) {
5285 ipseclog((LOG_DEBUG, "%s: invalid satype is passed.\n",
5287 return key_senderror(so, m, EINVAL);
5290 if (mhp->ext[SADB_EXT_SA] == NULL ||
5291 mhp->ext[SADB_EXT_ADDRESS_SRC] == NULL ||
5292 mhp->ext[SADB_EXT_ADDRESS_DST] == NULL ||
5293 (mhp->msg->sadb_msg_satype == SADB_SATYPE_ESP &&
5294 mhp->ext[SADB_EXT_KEY_ENCRYPT] == NULL) ||
5295 (mhp->msg->sadb_msg_satype == SADB_SATYPE_AH &&
5296 mhp->ext[SADB_EXT_KEY_AUTH] == NULL) ||
5297 (mhp->ext[SADB_EXT_LIFETIME_HARD] != NULL &&
5298 mhp->ext[SADB_EXT_LIFETIME_SOFT] == NULL) ||
5299 (mhp->ext[SADB_EXT_LIFETIME_HARD] == NULL &&
5300 mhp->ext[SADB_EXT_LIFETIME_SOFT] != NULL)) {
5301 ipseclog((LOG_DEBUG, "%s: invalid message is passed.\n",
5303 return key_senderror(so, m, EINVAL);
5305 if (mhp->extlen[SADB_EXT_SA] < sizeof(struct sadb_sa) ||
5306 mhp->extlen[SADB_EXT_ADDRESS_SRC] < sizeof(struct sadb_address) ||
5307 mhp->extlen[SADB_EXT_ADDRESS_DST] < sizeof(struct sadb_address)) {
5309 ipseclog((LOG_DEBUG, "%s: invalid message is passed.\n",
5311 return key_senderror(so, m, EINVAL);
5313 if (mhp->ext[SADB_X_EXT_SA2] != NULL) {
5314 mode = ((struct sadb_x_sa2 *)mhp->ext[SADB_X_EXT_SA2])->sadb_x_sa2_mode;
5315 reqid = ((struct sadb_x_sa2 *)mhp->ext[SADB_X_EXT_SA2])->sadb_x_sa2_reqid;
5317 mode = IPSEC_MODE_ANY;
5321 sa0 = (struct sadb_sa *)mhp->ext[SADB_EXT_SA];
5322 src0 = (struct sadb_address *)mhp->ext[SADB_EXT_ADDRESS_SRC];
5323 dst0 = (struct sadb_address *)mhp->ext[SADB_EXT_ADDRESS_DST];
5325 /* XXX boundary check against sa_len */
5326 KEY_SETSECASIDX(proto, mode, reqid, src0 + 1, dst0 + 1, &saidx);
5329 * Make sure the port numbers are zero.
5330 * In case of NAT-T we will update them later if needed.
5332 KEY_PORTTOSADDR(&saidx.src, 0);
5333 KEY_PORTTOSADDR(&saidx.dst, 0);
5337 * Handle NAT-T info if present.
5339 if (mhp->ext[SADB_X_EXT_NAT_T_TYPE] != NULL &&
5340 mhp->ext[SADB_X_EXT_NAT_T_SPORT] != NULL &&
5341 mhp->ext[SADB_X_EXT_NAT_T_DPORT] != NULL) {
5342 struct sadb_x_nat_t_port *sport, *dport;
5344 if (mhp->extlen[SADB_X_EXT_NAT_T_TYPE] < sizeof(*type) ||
5345 mhp->extlen[SADB_X_EXT_NAT_T_SPORT] < sizeof(*sport) ||
5346 mhp->extlen[SADB_X_EXT_NAT_T_DPORT] < sizeof(*dport)) {
5347 ipseclog((LOG_DEBUG, "%s: invalid message.\n",
5349 return key_senderror(so, m, EINVAL);
5352 type = (struct sadb_x_nat_t_type *)
5353 mhp->ext[SADB_X_EXT_NAT_T_TYPE];
5354 sport = (struct sadb_x_nat_t_port *)
5355 mhp->ext[SADB_X_EXT_NAT_T_SPORT];
5356 dport = (struct sadb_x_nat_t_port *)
5357 mhp->ext[SADB_X_EXT_NAT_T_DPORT];
5360 KEY_PORTTOSADDR(&saidx.src,
5361 sport->sadb_x_nat_t_port_port);
5363 KEY_PORTTOSADDR(&saidx.dst,
5364 dport->sadb_x_nat_t_port_port);
5368 if (mhp->ext[SADB_X_EXT_NAT_T_OAI] != NULL &&
5369 mhp->ext[SADB_X_EXT_NAT_T_OAR] != NULL) {
5370 if (mhp->extlen[SADB_X_EXT_NAT_T_OAI] < sizeof(*iaddr) ||
5371 mhp->extlen[SADB_X_EXT_NAT_T_OAR] < sizeof(*raddr)) {
5372 ipseclog((LOG_DEBUG, "%s: invalid message\n",
5374 return key_senderror(so, m, EINVAL);
5376 iaddr = (struct sadb_address *)mhp->ext[SADB_X_EXT_NAT_T_OAI];
5377 raddr = (struct sadb_address *)mhp->ext[SADB_X_EXT_NAT_T_OAR];
5378 ipseclog((LOG_DEBUG, "%s: NAT-T OAi/r present\n", __func__));
5380 iaddr = raddr = NULL;
5382 if (mhp->ext[SADB_X_EXT_NAT_T_FRAG] != NULL) {
5383 if (mhp->extlen[SADB_X_EXT_NAT_T_FRAG] < sizeof(*frag)) {
5384 ipseclog((LOG_DEBUG, "%s: invalid message\n",
5386 return key_senderror(so, m, EINVAL);
5388 frag = (struct sadb_x_nat_t_frag *)
5389 mhp->ext[SADB_X_EXT_NAT_T_FRAG];
5395 /* get a SA header */
5396 if ((newsah = key_getsah(&saidx)) == NULL) {
5397 /* create a new SA header */
5398 if ((newsah = key_newsah(&saidx)) == NULL) {
5399 ipseclog((LOG_DEBUG, "%s: No more memory.\n",__func__));
5400 return key_senderror(so, m, ENOBUFS);
5404 /* set spidx if there */
5406 error = key_setident(newsah, m, mhp);
5408 return key_senderror(so, m, error);
5411 /* create new SA entry. */
5412 /* We can create new SA only if SPI is differenct. */
5414 newsav = key_getsavbyspi(newsah, sa0->sadb_sa_spi);
5416 if (newsav != NULL) {
5417 ipseclog((LOG_DEBUG, "%s: SA already exists.\n", __func__));
5418 return key_senderror(so, m, EEXIST);
5420 newsav = KEY_NEWSAV(m, mhp, newsah, &error);
5421 if (newsav == NULL) {
5422 return key_senderror(so, m, error);
5427 * Handle more NAT-T info if present,
5428 * now that we have a sav to fill.
5431 newsav->natt_type = type->sadb_x_nat_t_type_type;
5435 * In case SADB_X_EXT_NAT_T_FRAG was not given, leave it at 0.
5436 * We should actually check for a minimum MTU here, if we
5437 * want to support it in ip_output.
5440 newsav->natt_esp_frag_len = frag->sadb_x_nat_t_frag_fraglen;
5444 /* check SA values to be mature. */
5445 if ((error = key_mature(newsav)) != 0) {
5446 KEY_FREESAV(&newsav);
5447 return key_senderror(so, m, error);
5451 * don't call key_freesav() here, as we would like to keep the SA
5452 * in the database on success.
5458 /* set msg buf from mhp */
5459 n = key_getmsgbuf_x1(m, mhp);
5461 ipseclog((LOG_DEBUG, "%s: No more memory.\n", __func__));
5462 return key_senderror(so, m, ENOBUFS);
5466 return key_sendup_mbuf(so, n, KEY_SENDUP_ALL);
5472 key_setident(struct secashead *sah, struct mbuf *m,
5473 const struct sadb_msghdr *mhp)
5475 const struct sadb_ident *idsrc, *iddst;
5476 int idsrclen, iddstlen;
5478 IPSEC_ASSERT(sah != NULL, ("null secashead"));
5479 IPSEC_ASSERT(m != NULL, ("null mbuf"));
5480 IPSEC_ASSERT(mhp != NULL, ("null msghdr"));
5481 IPSEC_ASSERT(mhp->msg != NULL, ("null msg"));
5483 /* don't make buffer if not there */
5484 if (mhp->ext[SADB_EXT_IDENTITY_SRC] == NULL &&
5485 mhp->ext[SADB_EXT_IDENTITY_DST] == NULL) {
5491 if (mhp->ext[SADB_EXT_IDENTITY_SRC] == NULL ||
5492 mhp->ext[SADB_EXT_IDENTITY_DST] == NULL) {
5493 ipseclog((LOG_DEBUG, "%s: invalid identity.\n", __func__));
5497 idsrc = (const struct sadb_ident *)mhp->ext[SADB_EXT_IDENTITY_SRC];
5498 iddst = (const struct sadb_ident *)mhp->ext[SADB_EXT_IDENTITY_DST];
5499 idsrclen = mhp->extlen[SADB_EXT_IDENTITY_SRC];
5500 iddstlen = mhp->extlen[SADB_EXT_IDENTITY_DST];
5502 /* validity check */
5503 if (idsrc->sadb_ident_type != iddst->sadb_ident_type) {
5504 ipseclog((LOG_DEBUG, "%s: ident type mismatch.\n", __func__));
5508 switch (idsrc->sadb_ident_type) {
5509 case SADB_IDENTTYPE_PREFIX:
5510 case SADB_IDENTTYPE_FQDN:
5511 case SADB_IDENTTYPE_USERFQDN:
5513 /* XXX do nothing */
5519 /* make structure */
5520 sah->idents = malloc(sizeof(struct secident), M_IPSEC_MISC, M_NOWAIT);
5521 if (sah->idents == NULL) {
5522 ipseclog((LOG_DEBUG, "%s: No more memory.\n", __func__));
5525 sah->identd = malloc(sizeof(struct secident), M_IPSEC_MISC, M_NOWAIT);
5526 if (sah->identd == NULL) {
5527 free(sah->idents, M_IPSEC_MISC);
5529 ipseclog((LOG_DEBUG, "%s: No more memory.\n", __func__));
5532 sah->idents->type = idsrc->sadb_ident_type;
5533 sah->idents->id = idsrc->sadb_ident_id;
5535 sah->identd->type = iddst->sadb_ident_type;
5536 sah->identd->id = iddst->sadb_ident_id;
5542 * m will not be freed on return.
5543 * it is caller's responsibility to free the result.
5545 static struct mbuf *
5546 key_getmsgbuf_x1(struct mbuf *m, const struct sadb_msghdr *mhp)
5550 IPSEC_ASSERT(m != NULL, ("null mbuf"));
5551 IPSEC_ASSERT(mhp != NULL, ("null msghdr"));
5552 IPSEC_ASSERT(mhp->msg != NULL, ("null msg"));
5554 /* create new sadb_msg to reply. */
5555 n = key_gather_mbuf(m, mhp, 1, 9, SADB_EXT_RESERVED,
5556 SADB_EXT_SA, SADB_X_EXT_SA2,
5557 SADB_EXT_ADDRESS_SRC, SADB_EXT_ADDRESS_DST,
5558 SADB_EXT_LIFETIME_HARD, SADB_EXT_LIFETIME_SOFT,
5559 SADB_EXT_IDENTITY_SRC, SADB_EXT_IDENTITY_DST);
5563 if (n->m_len < sizeof(struct sadb_msg)) {
5564 n = m_pullup(n, sizeof(struct sadb_msg));
5568 mtod(n, struct sadb_msg *)->sadb_msg_errno = 0;
5569 mtod(n, struct sadb_msg *)->sadb_msg_len =
5570 PFKEY_UNIT64(n->m_pkthdr.len);
5576 * SADB_DELETE processing
5578 * <base, SA(*), address(SD)>
5579 * from the ikmpd, and set SADB_SASTATE_DEAD,
5581 * <base, SA(*), address(SD)>
5584 * m will always be freed.
5587 key_delete(struct socket *so, struct mbuf *m, const struct sadb_msghdr *mhp)
5589 struct sadb_sa *sa0;
5590 struct sadb_address *src0, *dst0;
5591 struct secasindex saidx;
5592 struct secashead *sah;
5593 struct secasvar *sav = NULL;
5596 IPSEC_ASSERT(so != NULL, ("null socket"));
5597 IPSEC_ASSERT(m != NULL, ("null mbuf"));
5598 IPSEC_ASSERT(mhp != NULL, ("null msghdr"));
5599 IPSEC_ASSERT(mhp->msg != NULL, ("null msg"));
5601 /* map satype to proto */
5602 if ((proto = key_satype2proto(mhp->msg->sadb_msg_satype)) == 0) {
5603 ipseclog((LOG_DEBUG, "%s: invalid satype is passed.\n",
5605 return key_senderror(so, m, EINVAL);
5608 if (mhp->ext[SADB_EXT_ADDRESS_SRC] == NULL ||
5609 mhp->ext[SADB_EXT_ADDRESS_DST] == NULL) {
5610 ipseclog((LOG_DEBUG, "%s: invalid message is passed.\n",
5612 return key_senderror(so, m, EINVAL);
5615 if (mhp->extlen[SADB_EXT_ADDRESS_SRC] < sizeof(struct sadb_address) ||
5616 mhp->extlen[SADB_EXT_ADDRESS_DST] < sizeof(struct sadb_address)) {
5617 ipseclog((LOG_DEBUG, "%s: invalid message is passed.\n",
5619 return key_senderror(so, m, EINVAL);
5622 if (mhp->ext[SADB_EXT_SA] == NULL) {
5624 * Caller wants us to delete all non-LARVAL SAs
5625 * that match the src/dst. This is used during
5626 * IKE INITIAL-CONTACT.
5628 ipseclog((LOG_DEBUG, "%s: doing delete all.\n", __func__));
5629 return key_delete_all(so, m, mhp, proto);
5630 } else if (mhp->extlen[SADB_EXT_SA] < sizeof(struct sadb_sa)) {
5631 ipseclog((LOG_DEBUG, "%s: invalid message is passed.\n",
5633 return key_senderror(so, m, EINVAL);
5636 sa0 = (struct sadb_sa *)mhp->ext[SADB_EXT_SA];
5637 src0 = (struct sadb_address *)(mhp->ext[SADB_EXT_ADDRESS_SRC]);
5638 dst0 = (struct sadb_address *)(mhp->ext[SADB_EXT_ADDRESS_DST]);
5640 /* XXX boundary check against sa_len */
5641 KEY_SETSECASIDX(proto, IPSEC_MODE_ANY, 0, src0 + 1, dst0 + 1, &saidx);
5644 * Make sure the port numbers are zero.
5645 * In case of NAT-T we will update them later if needed.
5647 KEY_PORTTOSADDR(&saidx.src, 0);
5648 KEY_PORTTOSADDR(&saidx.dst, 0);
5652 * Handle NAT-T info if present.
5654 if (mhp->ext[SADB_X_EXT_NAT_T_SPORT] != NULL &&
5655 mhp->ext[SADB_X_EXT_NAT_T_DPORT] != NULL) {
5656 struct sadb_x_nat_t_port *sport, *dport;
5658 if (mhp->extlen[SADB_X_EXT_NAT_T_SPORT] < sizeof(*sport) ||
5659 mhp->extlen[SADB_X_EXT_NAT_T_DPORT] < sizeof(*dport)) {
5660 ipseclog((LOG_DEBUG, "%s: invalid message.\n",
5662 return key_senderror(so, m, EINVAL);
5665 sport = (struct sadb_x_nat_t_port *)
5666 mhp->ext[SADB_X_EXT_NAT_T_SPORT];
5667 dport = (struct sadb_x_nat_t_port *)
5668 mhp->ext[SADB_X_EXT_NAT_T_DPORT];
5671 KEY_PORTTOSADDR(&saidx.src,
5672 sport->sadb_x_nat_t_port_port);
5674 KEY_PORTTOSADDR(&saidx.dst,
5675 dport->sadb_x_nat_t_port_port);
5679 /* get a SA header */
5681 LIST_FOREACH(sah, &V_sahtree, chain) {
5682 if (sah->state == SADB_SASTATE_DEAD)
5684 if (key_cmpsaidx(&sah->saidx, &saidx, CMP_HEAD) == 0)
5687 /* get a SA with SPI. */
5688 sav = key_getsavbyspi(sah, sa0->sadb_sa_spi);
5694 ipseclog((LOG_DEBUG, "%s: no SA found.\n", __func__));
5695 return key_senderror(so, m, ENOENT);
5698 key_sa_chgstate(sav, SADB_SASTATE_DEAD);
5704 struct sadb_msg *newmsg;
5706 /* create new sadb_msg to reply. */
5707 /* XXX-BZ NAT-T extensions? */
5708 n = key_gather_mbuf(m, mhp, 1, 4, SADB_EXT_RESERVED,
5709 SADB_EXT_SA, SADB_EXT_ADDRESS_SRC, SADB_EXT_ADDRESS_DST);
5711 return key_senderror(so, m, ENOBUFS);
5713 if (n->m_len < sizeof(struct sadb_msg)) {
5714 n = m_pullup(n, sizeof(struct sadb_msg));
5716 return key_senderror(so, m, ENOBUFS);
5718 newmsg = mtod(n, struct sadb_msg *);
5719 newmsg->sadb_msg_errno = 0;
5720 newmsg->sadb_msg_len = PFKEY_UNIT64(n->m_pkthdr.len);
5723 return key_sendup_mbuf(so, n, KEY_SENDUP_ALL);
5728 * delete all SAs for src/dst. Called from key_delete().
5731 key_delete_all(struct socket *so, struct mbuf *m,
5732 const struct sadb_msghdr *mhp, u_int16_t proto)
5734 struct sadb_address *src0, *dst0;
5735 struct secasindex saidx;
5736 struct secashead *sah;
5737 struct secasvar *sav, *nextsav;
5738 u_int stateidx, state;
5740 src0 = (struct sadb_address *)(mhp->ext[SADB_EXT_ADDRESS_SRC]);
5741 dst0 = (struct sadb_address *)(mhp->ext[SADB_EXT_ADDRESS_DST]);
5743 /* XXX boundary check against sa_len */
5744 KEY_SETSECASIDX(proto, IPSEC_MODE_ANY, 0, src0 + 1, dst0 + 1, &saidx);
5747 * Make sure the port numbers are zero.
5748 * In case of NAT-T we will update them later if needed.
5750 KEY_PORTTOSADDR(&saidx.src, 0);
5751 KEY_PORTTOSADDR(&saidx.dst, 0);
5755 * Handle NAT-T info if present.
5758 if (mhp->ext[SADB_X_EXT_NAT_T_SPORT] != NULL &&
5759 mhp->ext[SADB_X_EXT_NAT_T_DPORT] != NULL) {
5760 struct sadb_x_nat_t_port *sport, *dport;
5762 if (mhp->extlen[SADB_X_EXT_NAT_T_SPORT] < sizeof(*sport) ||
5763 mhp->extlen[SADB_X_EXT_NAT_T_DPORT] < sizeof(*dport)) {
5764 ipseclog((LOG_DEBUG, "%s: invalid message.\n",
5766 return key_senderror(so, m, EINVAL);
5769 sport = (struct sadb_x_nat_t_port *)
5770 mhp->ext[SADB_X_EXT_NAT_T_SPORT];
5771 dport = (struct sadb_x_nat_t_port *)
5772 mhp->ext[SADB_X_EXT_NAT_T_DPORT];
5775 KEY_PORTTOSADDR(&saidx.src,
5776 sport->sadb_x_nat_t_port_port);
5778 KEY_PORTTOSADDR(&saidx.dst,
5779 dport->sadb_x_nat_t_port_port);
5784 LIST_FOREACH(sah, &V_sahtree, chain) {
5785 if (sah->state == SADB_SASTATE_DEAD)
5787 if (key_cmpsaidx(&sah->saidx, &saidx, CMP_HEAD) == 0)
5790 /* Delete all non-LARVAL SAs. */
5792 stateidx < _ARRAYLEN(saorder_state_alive);
5794 state = saorder_state_alive[stateidx];
5795 if (state == SADB_SASTATE_LARVAL)
5797 for (sav = LIST_FIRST(&sah->savtree[state]);
5798 sav != NULL; sav = nextsav) {
5799 nextsav = LIST_NEXT(sav, chain);
5801 if (sav->state != state) {
5802 ipseclog((LOG_DEBUG, "%s: invalid "
5803 "sav->state (queue %d SA %d)\n",
5804 __func__, state, sav->state));
5808 key_sa_chgstate(sav, SADB_SASTATE_DEAD);
5816 struct sadb_msg *newmsg;
5818 /* create new sadb_msg to reply. */
5819 /* XXX-BZ NAT-T extensions? */
5820 n = key_gather_mbuf(m, mhp, 1, 3, SADB_EXT_RESERVED,
5821 SADB_EXT_ADDRESS_SRC, SADB_EXT_ADDRESS_DST);
5823 return key_senderror(so, m, ENOBUFS);
5825 if (n->m_len < sizeof(struct sadb_msg)) {
5826 n = m_pullup(n, sizeof(struct sadb_msg));
5828 return key_senderror(so, m, ENOBUFS);
5830 newmsg = mtod(n, struct sadb_msg *);
5831 newmsg->sadb_msg_errno = 0;
5832 newmsg->sadb_msg_len = PFKEY_UNIT64(n->m_pkthdr.len);
5835 return key_sendup_mbuf(so, n, KEY_SENDUP_ALL);
5840 * SADB_GET processing
5842 * <base, SA(*), address(SD)>
5843 * from the ikmpd, and get a SP and a SA to respond,
5845 * <base, SA, (lifetime(HSC),) address(SD), (address(P),) key(AE),
5846 * (identity(SD),) (sensitivity)>
5849 * m will always be freed.
5852 key_get(struct socket *so, struct mbuf *m, const struct sadb_msghdr *mhp)
5854 struct sadb_sa *sa0;
5855 struct sadb_address *src0, *dst0;
5856 struct secasindex saidx;
5857 struct secashead *sah;
5858 struct secasvar *sav = NULL;
5861 IPSEC_ASSERT(so != NULL, ("null socket"));
5862 IPSEC_ASSERT(m != NULL, ("null mbuf"));
5863 IPSEC_ASSERT(mhp != NULL, ("null msghdr"));
5864 IPSEC_ASSERT(mhp->msg != NULL, ("null msg"));
5866 /* map satype to proto */
5867 if ((proto = key_satype2proto(mhp->msg->sadb_msg_satype)) == 0) {
5868 ipseclog((LOG_DEBUG, "%s: invalid satype is passed.\n",
5870 return key_senderror(so, m, EINVAL);
5873 if (mhp->ext[SADB_EXT_SA] == NULL ||
5874 mhp->ext[SADB_EXT_ADDRESS_SRC] == NULL ||
5875 mhp->ext[SADB_EXT_ADDRESS_DST] == NULL) {
5876 ipseclog((LOG_DEBUG, "%s: invalid message is passed.\n",
5878 return key_senderror(so, m, EINVAL);
5880 if (mhp->extlen[SADB_EXT_SA] < sizeof(struct sadb_sa) ||
5881 mhp->extlen[SADB_EXT_ADDRESS_SRC] < sizeof(struct sadb_address) ||
5882 mhp->extlen[SADB_EXT_ADDRESS_DST] < sizeof(struct sadb_address)) {
5883 ipseclog((LOG_DEBUG, "%s: invalid message is passed.\n",
5885 return key_senderror(so, m, EINVAL);
5888 sa0 = (struct sadb_sa *)mhp->ext[SADB_EXT_SA];
5889 src0 = (struct sadb_address *)mhp->ext[SADB_EXT_ADDRESS_SRC];
5890 dst0 = (struct sadb_address *)mhp->ext[SADB_EXT_ADDRESS_DST];
5892 /* XXX boundary check against sa_len */
5893 KEY_SETSECASIDX(proto, IPSEC_MODE_ANY, 0, src0 + 1, dst0 + 1, &saidx);
5896 * Make sure the port numbers are zero.
5897 * In case of NAT-T we will update them later if needed.
5899 KEY_PORTTOSADDR(&saidx.src, 0);
5900 KEY_PORTTOSADDR(&saidx.dst, 0);
5904 * Handle NAT-T info if present.
5907 if (mhp->ext[SADB_X_EXT_NAT_T_SPORT] != NULL &&
5908 mhp->ext[SADB_X_EXT_NAT_T_DPORT] != NULL) {
5909 struct sadb_x_nat_t_port *sport, *dport;
5911 if (mhp->extlen[SADB_X_EXT_NAT_T_SPORT] < sizeof(*sport) ||
5912 mhp->extlen[SADB_X_EXT_NAT_T_DPORT] < sizeof(*dport)) {
5913 ipseclog((LOG_DEBUG, "%s: invalid message.\n",
5915 return key_senderror(so, m, EINVAL);
5918 sport = (struct sadb_x_nat_t_port *)
5919 mhp->ext[SADB_X_EXT_NAT_T_SPORT];
5920 dport = (struct sadb_x_nat_t_port *)
5921 mhp->ext[SADB_X_EXT_NAT_T_DPORT];
5924 KEY_PORTTOSADDR(&saidx.src,
5925 sport->sadb_x_nat_t_port_port);
5927 KEY_PORTTOSADDR(&saidx.dst,
5928 dport->sadb_x_nat_t_port_port);
5932 /* get a SA header */
5934 LIST_FOREACH(sah, &V_sahtree, chain) {
5935 if (sah->state == SADB_SASTATE_DEAD)
5937 if (key_cmpsaidx(&sah->saidx, &saidx, CMP_HEAD) == 0)
5940 /* get a SA with SPI. */
5941 sav = key_getsavbyspi(sah, sa0->sadb_sa_spi);
5947 ipseclog((LOG_DEBUG, "%s: no SA found.\n", __func__));
5948 return key_senderror(so, m, ENOENT);
5955 /* map proto to satype */
5956 if ((satype = key_proto2satype(sah->saidx.proto)) == 0) {
5957 ipseclog((LOG_DEBUG, "%s: there was invalid proto in SAD.\n",
5959 return key_senderror(so, m, EINVAL);
5962 /* create new sadb_msg to reply. */
5963 n = key_setdumpsa(sav, SADB_GET, satype, mhp->msg->sadb_msg_seq,
5964 mhp->msg->sadb_msg_pid);
5966 return key_senderror(so, m, ENOBUFS);
5969 return key_sendup_mbuf(so, n, KEY_SENDUP_ONE);
5973 /* XXX make it sysctl-configurable? */
5975 key_getcomb_setlifetime(struct sadb_comb *comb)
5978 comb->sadb_comb_soft_allocations = 1;
5979 comb->sadb_comb_hard_allocations = 1;
5980 comb->sadb_comb_soft_bytes = 0;
5981 comb->sadb_comb_hard_bytes = 0;
5982 comb->sadb_comb_hard_addtime = 86400; /* 1 day */
5983 comb->sadb_comb_soft_addtime = comb->sadb_comb_soft_addtime * 80 / 100;
5984 comb->sadb_comb_soft_usetime = 28800; /* 8 hours */
5985 comb->sadb_comb_hard_usetime = comb->sadb_comb_hard_usetime * 80 / 100;
5989 * XXX reorder combinations by preference
5990 * XXX no idea if the user wants ESP authentication or not
5992 static struct mbuf *
5995 struct sadb_comb *comb;
5996 struct enc_xform *algo;
5997 struct mbuf *result = NULL, *m, *n;
6001 const int l = PFKEY_ALIGN8(sizeof(struct sadb_comb));
6004 for (i = 1; i <= SADB_EALG_MAX; i++) {
6005 algo = esp_algorithm_lookup(i);
6009 /* discard algorithms with key size smaller than system min */
6010 if (_BITS(algo->maxkey) < V_ipsec_esp_keymin)
6012 if (_BITS(algo->minkey) < V_ipsec_esp_keymin)
6013 encmin = V_ipsec_esp_keymin;
6015 encmin = _BITS(algo->minkey);
6017 if (V_ipsec_esp_auth)
6018 m = key_getcomb_ah();
6020 IPSEC_ASSERT(l <= MLEN,
6021 ("l=%u > MLEN=%lu", l, (u_long) MLEN));
6022 MGET(m, M_NOWAIT, MT_DATA);
6027 bzero(mtod(m, caddr_t), m->m_len);
6034 for (n = m; n; n = n->m_next)
6036 IPSEC_ASSERT((totlen % l) == 0, ("totlen=%u, l=%u", totlen, l));
6038 for (off = 0; off < totlen; off += l) {
6039 n = m_pulldown(m, off, l, &o);
6041 /* m is already freed */
6044 comb = (struct sadb_comb *)(mtod(n, caddr_t) + o);
6045 bzero(comb, sizeof(*comb));
6046 key_getcomb_setlifetime(comb);
6047 comb->sadb_comb_encrypt = i;
6048 comb->sadb_comb_encrypt_minbits = encmin;
6049 comb->sadb_comb_encrypt_maxbits = _BITS(algo->maxkey);
6067 key_getsizes_ah(const struct auth_hash *ah, int alg, u_int16_t* min,
6071 *min = *max = ah->keysize;
6072 if (ah->keysize == 0) {
6074 * Transform takes arbitrary key size but algorithm
6075 * key size is restricted. Enforce this here.
6078 case SADB_X_AALG_MD5: *min = *max = 16; break;
6079 case SADB_X_AALG_SHA: *min = *max = 20; break;
6080 case SADB_X_AALG_NULL: *min = 1; *max = 256; break;
6081 case SADB_X_AALG_SHA2_256: *min = *max = 32; break;
6082 case SADB_X_AALG_SHA2_384: *min = *max = 48; break;
6083 case SADB_X_AALG_SHA2_512: *min = *max = 64; break;
6085 DPRINTF(("%s: unknown AH algorithm %u\n",
6093 * XXX reorder combinations by preference
6095 static struct mbuf *
6098 struct sadb_comb *comb;
6099 struct auth_hash *algo;
6101 u_int16_t minkeysize, maxkeysize;
6103 const int l = PFKEY_ALIGN8(sizeof(struct sadb_comb));
6106 for (i = 1; i <= SADB_AALG_MAX; i++) {
6108 /* we prefer HMAC algorithms, not old algorithms */
6109 if (i != SADB_AALG_SHA1HMAC &&
6110 i != SADB_AALG_MD5HMAC &&
6111 i != SADB_X_AALG_SHA2_256 &&
6112 i != SADB_X_AALG_SHA2_384 &&
6113 i != SADB_X_AALG_SHA2_512)
6116 algo = ah_algorithm_lookup(i);
6119 key_getsizes_ah(algo, i, &minkeysize, &maxkeysize);
6120 /* discard algorithms with key size smaller than system min */
6121 if (_BITS(minkeysize) < V_ipsec_ah_keymin)
6125 IPSEC_ASSERT(l <= MLEN,
6126 ("l=%u > MLEN=%lu", l, (u_long) MLEN));
6127 MGET(m, M_NOWAIT, MT_DATA);
6134 M_PREPEND(m, l, M_NOWAIT);
6138 comb = mtod(m, struct sadb_comb *);
6139 bzero(comb, sizeof(*comb));
6140 key_getcomb_setlifetime(comb);
6141 comb->sadb_comb_auth = i;
6142 comb->sadb_comb_auth_minbits = _BITS(minkeysize);
6143 comb->sadb_comb_auth_maxbits = _BITS(maxkeysize);
6150 * not really an official behavior. discussed in pf_key@inner.net in Sep2000.
6151 * XXX reorder combinations by preference
6153 static struct mbuf *
6154 key_getcomb_ipcomp()
6156 struct sadb_comb *comb;
6157 struct comp_algo *algo;
6160 const int l = PFKEY_ALIGN8(sizeof(struct sadb_comb));
6163 for (i = 1; i <= SADB_X_CALG_MAX; i++) {
6164 algo = ipcomp_algorithm_lookup(i);
6169 IPSEC_ASSERT(l <= MLEN,
6170 ("l=%u > MLEN=%lu", l, (u_long) MLEN));
6171 MGET(m, M_NOWAIT, MT_DATA);
6178 M_PREPEND(m, l, M_NOWAIT);
6182 comb = mtod(m, struct sadb_comb *);
6183 bzero(comb, sizeof(*comb));
6184 key_getcomb_setlifetime(comb);
6185 comb->sadb_comb_encrypt = i;
6186 /* what should we set into sadb_comb_*_{min,max}bits? */
6193 * XXX no way to pass mode (transport/tunnel) to userland
6194 * XXX replay checking?
6195 * XXX sysctl interface to ipsec_{ah,esp}_keymin
6197 static struct mbuf *
6198 key_getprop(const struct secasindex *saidx)
6200 struct sadb_prop *prop;
6202 const int l = PFKEY_ALIGN8(sizeof(struct sadb_prop));
6205 switch (saidx->proto) {
6207 m = key_getcomb_esp();
6210 m = key_getcomb_ah();
6212 case IPPROTO_IPCOMP:
6213 m = key_getcomb_ipcomp();
6221 M_PREPEND(m, l, M_NOWAIT);
6226 for (n = m; n; n = n->m_next)
6229 prop = mtod(m, struct sadb_prop *);
6230 bzero(prop, sizeof(*prop));
6231 prop->sadb_prop_len = PFKEY_UNIT64(totlen);
6232 prop->sadb_prop_exttype = SADB_EXT_PROPOSAL;
6233 prop->sadb_prop_replay = 32; /* XXX */
6239 * SADB_ACQUIRE processing called by key_checkrequest() and key_acquire2().
6241 * <base, SA, address(SD), (address(P)), x_policy,
6242 * (identity(SD),) (sensitivity,) proposal>
6243 * to KMD, and expect to receive
6244 * <base> with SADB_ACQUIRE if error occurred,
6246 * <base, src address, dst address, (SPI range)> with SADB_GETSPI
6247 * from KMD by PF_KEY.
6249 * XXX x_policy is outside of RFC2367 (KAME extension).
6250 * XXX sensitivity is not supported.
6251 * XXX for ipcomp, RFC2367 does not define how to fill in proposal.
6252 * see comment for key_getcomb_ipcomp().
6256 * others: error number
6259 key_acquire(const struct secasindex *saidx, struct secpolicy *sp)
6261 union sockaddr_union addr;
6262 struct mbuf *result, *m;
6263 struct secacq *newacq;
6267 u_int8_t mask, satype;
6269 IPSEC_ASSERT(saidx != NULL, ("null saidx"));
6270 satype = key_proto2satype(saidx->proto);
6271 IPSEC_ASSERT(satype != 0, ("null satype, protocol %u", saidx->proto));
6275 ul_proto = IPSEC_ULPROTO_ANY;
6277 * We never do anything about acquirng SA. There is anather
6278 * solution that kernel blocks to send SADB_ACQUIRE message until
6279 * getting something message from IKEd. In later case, to be
6280 * managed with ACQUIRING list.
6282 /* Get an entry to check whether sending message or not. */
6283 if ((newacq = key_getacq(saidx)) != NULL) {
6284 if (V_key_blockacq_count < newacq->count) {
6285 /* reset counter and do send message. */
6288 /* increment counter and do nothing. */
6293 /* make new entry for blocking to send SADB_ACQUIRE. */
6294 if ((newacq = key_newacq(saidx)) == NULL)
6300 m = key_setsadbmsg(SADB_ACQUIRE, 0, satype, seq, 0, 0);
6308 * No SADB_X_EXT_NAT_T_* here: we do not know
6309 * anything related to NAT-T at this time.
6313 * set sadb_address for saidx's.
6315 * Note that if sp is supplied, then we're being called from
6316 * key_checkrequest and should supply port and protocol information.
6318 if (sp != NULL && (sp->spidx.ul_proto == IPPROTO_TCP ||
6319 sp->spidx.ul_proto == IPPROTO_UDP))
6320 ul_proto = sp->spidx.ul_proto;
6324 if (ul_proto != IPSEC_ULPROTO_ANY) {
6325 switch (sp->spidx.src.sa.sa_family) {
6327 if (sp->spidx.src.sin.sin_port != IPSEC_PORT_ANY) {
6328 addr.sin.sin_port = sp->spidx.src.sin.sin_port;
6329 mask = sp->spidx.prefs;
6333 if (sp->spidx.src.sin6.sin6_port != IPSEC_PORT_ANY) {
6334 addr.sin6.sin6_port = sp->spidx.src.sin6.sin6_port;
6335 mask = sp->spidx.prefs;
6342 m = key_setsadbaddr(SADB_EXT_ADDRESS_SRC, &addr.sa, mask, ul_proto);
6351 if (ul_proto != IPSEC_ULPROTO_ANY) {
6352 switch (sp->spidx.dst.sa.sa_family) {
6354 if (sp->spidx.dst.sin.sin_port != IPSEC_PORT_ANY) {
6355 addr.sin.sin_port = sp->spidx.dst.sin.sin_port;
6356 mask = sp->spidx.prefd;
6360 if (sp->spidx.dst.sin6.sin6_port != IPSEC_PORT_ANY) {
6361 addr.sin6.sin6_port = sp->spidx.dst.sin6.sin6_port;
6362 mask = sp->spidx.prefd;
6369 m = key_setsadbaddr(SADB_EXT_ADDRESS_DST, &addr.sa, mask, ul_proto);
6376 /* XXX proxy address (optional) */
6378 /* set sadb_x_policy */
6380 m = key_setsadbxpolicy(sp->policy, sp->spidx.dir, sp->id, sp->priority);
6388 /* XXX identity (optional) */
6390 if (idexttype && fqdn) {
6391 /* create identity extension (FQDN) */
6392 struct sadb_ident *id;
6395 fqdnlen = strlen(fqdn) + 1; /* +1 for terminating-NUL */
6396 id = (struct sadb_ident *)p;
6397 bzero(id, sizeof(*id) + PFKEY_ALIGN8(fqdnlen));
6398 id->sadb_ident_len = PFKEY_UNIT64(sizeof(*id) + PFKEY_ALIGN8(fqdnlen));
6399 id->sadb_ident_exttype = idexttype;
6400 id->sadb_ident_type = SADB_IDENTTYPE_FQDN;
6401 bcopy(fqdn, id + 1, fqdnlen);
6402 p += sizeof(struct sadb_ident) + PFKEY_ALIGN8(fqdnlen);
6406 /* create identity extension (USERFQDN) */
6407 struct sadb_ident *id;
6411 /* +1 for terminating-NUL */
6412 userfqdnlen = strlen(userfqdn) + 1;
6415 id = (struct sadb_ident *)p;
6416 bzero(id, sizeof(*id) + PFKEY_ALIGN8(userfqdnlen));
6417 id->sadb_ident_len = PFKEY_UNIT64(sizeof(*id) + PFKEY_ALIGN8(userfqdnlen));
6418 id->sadb_ident_exttype = idexttype;
6419 id->sadb_ident_type = SADB_IDENTTYPE_USERFQDN;
6420 /* XXX is it correct? */
6421 if (curproc && curproc->p_cred)
6422 id->sadb_ident_id = curproc->p_cred->p_ruid;
6423 if (userfqdn && userfqdnlen)
6424 bcopy(userfqdn, id + 1, userfqdnlen);
6425 p += sizeof(struct sadb_ident) + PFKEY_ALIGN8(userfqdnlen);
6429 /* XXX sensitivity (optional) */
6431 /* create proposal/combination extension */
6432 m = key_getprop(saidx);
6435 * spec conformant: always attach proposal/combination extension,
6436 * the problem is that we have no way to attach it for ipcomp,
6437 * due to the way sadb_comb is declared in RFC2367.
6446 * outside of spec; make proposal/combination extension optional.
6452 if ((result->m_flags & M_PKTHDR) == 0) {
6457 if (result->m_len < sizeof(struct sadb_msg)) {
6458 result = m_pullup(result, sizeof(struct sadb_msg));
6459 if (result == NULL) {
6465 result->m_pkthdr.len = 0;
6466 for (m = result; m; m = m->m_next)
6467 result->m_pkthdr.len += m->m_len;
6469 mtod(result, struct sadb_msg *)->sadb_msg_len =
6470 PFKEY_UNIT64(result->m_pkthdr.len);
6472 return key_sendup_mbuf(NULL, result, KEY_SENDUP_REGISTERED);
6480 static struct secacq *
6481 key_newacq(const struct secasindex *saidx)
6483 struct secacq *newacq;
6486 newacq = malloc(sizeof(struct secacq), M_IPSEC_SAQ, M_NOWAIT|M_ZERO);
6487 if (newacq == NULL) {
6488 ipseclog((LOG_DEBUG, "%s: No more memory.\n", __func__));
6493 bcopy(saidx, &newacq->saidx, sizeof(newacq->saidx));
6494 newacq->seq = (V_acq_seq == ~0 ? 1 : ++V_acq_seq);
6495 newacq->created = time_second;
6498 /* add to acqtree */
6500 LIST_INSERT_HEAD(&V_acqtree, newacq, chain);
6506 static struct secacq *
6507 key_getacq(const struct secasindex *saidx)
6512 LIST_FOREACH(acq, &V_acqtree, chain) {
6513 if (key_cmpsaidx(saidx, &acq->saidx, CMP_EXACTLY))
6521 static struct secacq *
6522 key_getacqbyseq(u_int32_t seq)
6527 LIST_FOREACH(acq, &V_acqtree, chain) {
6528 if (acq->seq == seq)
6536 static struct secspacq *
6537 key_newspacq(struct secpolicyindex *spidx)
6539 struct secspacq *acq;
6542 acq = malloc(sizeof(struct secspacq), M_IPSEC_SAQ, M_NOWAIT|M_ZERO);
6544 ipseclog((LOG_DEBUG, "%s: No more memory.\n", __func__));
6549 bcopy(spidx, &acq->spidx, sizeof(acq->spidx));
6550 acq->created = time_second;
6553 /* add to spacqtree */
6555 LIST_INSERT_HEAD(&V_spacqtree, acq, chain);
6561 static struct secspacq *
6562 key_getspacq(struct secpolicyindex *spidx)
6564 struct secspacq *acq;
6567 LIST_FOREACH(acq, &V_spacqtree, chain) {
6568 if (key_cmpspidx_exactly(spidx, &acq->spidx)) {
6569 /* NB: return holding spacq_lock */
6579 * SADB_ACQUIRE processing,
6580 * in first situation, is receiving
6582 * from the ikmpd, and clear sequence of its secasvar entry.
6584 * In second situation, is receiving
6585 * <base, address(SD), (address(P),) (identity(SD),) (sensitivity,) proposal>
6586 * from a user land process, and return
6587 * <base, address(SD), (address(P),) (identity(SD),) (sensitivity,) proposal>
6590 * m will always be freed.
6593 key_acquire2(struct socket *so, struct mbuf *m, const struct sadb_msghdr *mhp)
6595 const struct sadb_address *src0, *dst0;
6596 struct secasindex saidx;
6597 struct secashead *sah;
6601 IPSEC_ASSERT(so != NULL, ("null socket"));
6602 IPSEC_ASSERT(m != NULL, ("null mbuf"));
6603 IPSEC_ASSERT(mhp != NULL, ("null msghdr"));
6604 IPSEC_ASSERT(mhp->msg != NULL, ("null msg"));
6607 * Error message from KMd.
6608 * We assume that if error was occurred in IKEd, the length of PFKEY
6609 * message is equal to the size of sadb_msg structure.
6610 * We do not raise error even if error occurred in this function.
6612 if (mhp->msg->sadb_msg_len == PFKEY_UNIT64(sizeof(struct sadb_msg))) {
6615 /* check sequence number */
6616 if (mhp->msg->sadb_msg_seq == 0) {
6617 ipseclog((LOG_DEBUG, "%s: must specify sequence "
6618 "number.\n", __func__));
6623 if ((acq = key_getacqbyseq(mhp->msg->sadb_msg_seq)) == NULL) {
6625 * the specified larval SA is already gone, or we got
6626 * a bogus sequence number. we can silently ignore it.
6632 /* reset acq counter in order to deletion by timehander. */
6633 acq->created = time_second;
6640 * This message is from user land.
6643 /* map satype to proto */
6644 if ((proto = key_satype2proto(mhp->msg->sadb_msg_satype)) == 0) {
6645 ipseclog((LOG_DEBUG, "%s: invalid satype is passed.\n",
6647 return key_senderror(so, m, EINVAL);
6650 if (mhp->ext[SADB_EXT_ADDRESS_SRC] == NULL ||
6651 mhp->ext[SADB_EXT_ADDRESS_DST] == NULL ||
6652 mhp->ext[SADB_EXT_PROPOSAL] == NULL) {
6654 ipseclog((LOG_DEBUG, "%s: invalid message is passed.\n",
6656 return key_senderror(so, m, EINVAL);
6658 if (mhp->extlen[SADB_EXT_ADDRESS_SRC] < sizeof(struct sadb_address) ||
6659 mhp->extlen[SADB_EXT_ADDRESS_DST] < sizeof(struct sadb_address) ||
6660 mhp->extlen[SADB_EXT_PROPOSAL] < sizeof(struct sadb_prop)) {
6662 ipseclog((LOG_DEBUG, "%s: invalid message is passed.\n",
6664 return key_senderror(so, m, EINVAL);
6667 src0 = (struct sadb_address *)mhp->ext[SADB_EXT_ADDRESS_SRC];
6668 dst0 = (struct sadb_address *)mhp->ext[SADB_EXT_ADDRESS_DST];
6670 /* XXX boundary check against sa_len */
6671 KEY_SETSECASIDX(proto, IPSEC_MODE_ANY, 0, src0 + 1, dst0 + 1, &saidx);
6674 * Make sure the port numbers are zero.
6675 * In case of NAT-T we will update them later if needed.
6677 KEY_PORTTOSADDR(&saidx.src, 0);
6678 KEY_PORTTOSADDR(&saidx.dst, 0);
6682 * Handle NAT-T info if present.
6685 if (mhp->ext[SADB_X_EXT_NAT_T_SPORT] != NULL &&
6686 mhp->ext[SADB_X_EXT_NAT_T_DPORT] != NULL) {
6687 struct sadb_x_nat_t_port *sport, *dport;
6689 if (mhp->extlen[SADB_X_EXT_NAT_T_SPORT] < sizeof(*sport) ||
6690 mhp->extlen[SADB_X_EXT_NAT_T_DPORT] < sizeof(*dport)) {
6691 ipseclog((LOG_DEBUG, "%s: invalid message.\n",
6693 return key_senderror(so, m, EINVAL);
6696 sport = (struct sadb_x_nat_t_port *)
6697 mhp->ext[SADB_X_EXT_NAT_T_SPORT];
6698 dport = (struct sadb_x_nat_t_port *)
6699 mhp->ext[SADB_X_EXT_NAT_T_DPORT];
6702 KEY_PORTTOSADDR(&saidx.src,
6703 sport->sadb_x_nat_t_port_port);
6705 KEY_PORTTOSADDR(&saidx.dst,
6706 dport->sadb_x_nat_t_port_port);
6710 /* get a SA index */
6712 LIST_FOREACH(sah, &V_sahtree, chain) {
6713 if (sah->state == SADB_SASTATE_DEAD)
6715 if (key_cmpsaidx(&sah->saidx, &saidx, CMP_MODE_REQID))
6720 ipseclog((LOG_DEBUG, "%s: a SA exists already.\n", __func__));
6721 return key_senderror(so, m, EEXIST);
6724 error = key_acquire(&saidx, NULL);
6726 ipseclog((LOG_DEBUG, "%s: error %d returned from key_acquire\n",
6727 __func__, mhp->msg->sadb_msg_errno));
6728 return key_senderror(so, m, error);
6731 return key_sendup_mbuf(so, m, KEY_SENDUP_REGISTERED);
6735 * SADB_REGISTER processing.
6736 * If SATYPE_UNSPEC has been passed as satype, only return sabd_supported.
6739 * from the ikmpd, and register a socket to send PF_KEY messages,
6743 * If socket is detached, must free from regnode.
6745 * m will always be freed.
6748 key_register(struct socket *so, struct mbuf *m, const struct sadb_msghdr *mhp)
6750 struct secreg *reg, *newreg = NULL;
6752 IPSEC_ASSERT(so != NULL, ("null socket"));
6753 IPSEC_ASSERT(m != NULL, ("null mbuf"));
6754 IPSEC_ASSERT(mhp != NULL, ("null msghdr"));
6755 IPSEC_ASSERT(mhp->msg != NULL, ("null msg"));
6757 /* check for invalid register message */
6758 if (mhp->msg->sadb_msg_satype >= sizeof(V_regtree)/sizeof(V_regtree[0]))
6759 return key_senderror(so, m, EINVAL);
6761 /* When SATYPE_UNSPEC is specified, only return sabd_supported. */
6762 if (mhp->msg->sadb_msg_satype == SADB_SATYPE_UNSPEC)
6765 /* check whether existing or not */
6767 LIST_FOREACH(reg, &V_regtree[mhp->msg->sadb_msg_satype], chain) {
6768 if (reg->so == so) {
6770 ipseclog((LOG_DEBUG, "%s: socket exists already.\n",
6772 return key_senderror(so, m, EEXIST);
6776 /* create regnode */
6777 newreg = malloc(sizeof(struct secreg), M_IPSEC_SAR, M_NOWAIT|M_ZERO);
6778 if (newreg == NULL) {
6780 ipseclog((LOG_DEBUG, "%s: No more memory.\n", __func__));
6781 return key_senderror(so, m, ENOBUFS);
6785 ((struct keycb *)sotorawcb(so))->kp_registered++;
6787 /* add regnode to regtree. */
6788 LIST_INSERT_HEAD(&V_regtree[mhp->msg->sadb_msg_satype], newreg, chain);
6794 struct sadb_msg *newmsg;
6795 struct sadb_supported *sup;
6796 u_int len, alen, elen;
6799 struct sadb_alg *alg;
6801 /* create new sadb_msg to reply. */
6803 for (i = 1; i <= SADB_AALG_MAX; i++) {
6804 if (ah_algorithm_lookup(i))
6805 alen += sizeof(struct sadb_alg);
6808 alen += sizeof(struct sadb_supported);
6810 for (i = 1; i <= SADB_EALG_MAX; i++) {
6811 if (esp_algorithm_lookup(i))
6812 elen += sizeof(struct sadb_alg);
6815 elen += sizeof(struct sadb_supported);
6817 len = sizeof(struct sadb_msg) + alen + elen;
6820 return key_senderror(so, m, ENOBUFS);
6822 MGETHDR(n, M_NOWAIT, MT_DATA);
6824 if (!(MCLGET(n, M_NOWAIT))) {
6830 return key_senderror(so, m, ENOBUFS);
6832 n->m_pkthdr.len = n->m_len = len;
6836 m_copydata(m, 0, sizeof(struct sadb_msg), mtod(n, caddr_t) + off);
6837 newmsg = mtod(n, struct sadb_msg *);
6838 newmsg->sadb_msg_errno = 0;
6839 newmsg->sadb_msg_len = PFKEY_UNIT64(len);
6840 off += PFKEY_ALIGN8(sizeof(struct sadb_msg));
6842 /* for authentication algorithm */
6844 sup = (struct sadb_supported *)(mtod(n, caddr_t) + off);
6845 sup->sadb_supported_len = PFKEY_UNIT64(alen);
6846 sup->sadb_supported_exttype = SADB_EXT_SUPPORTED_AUTH;
6847 off += PFKEY_ALIGN8(sizeof(*sup));
6849 for (i = 1; i <= SADB_AALG_MAX; i++) {
6850 struct auth_hash *aalgo;
6851 u_int16_t minkeysize, maxkeysize;
6853 aalgo = ah_algorithm_lookup(i);
6856 alg = (struct sadb_alg *)(mtod(n, caddr_t) + off);
6857 alg->sadb_alg_id = i;
6858 alg->sadb_alg_ivlen = 0;
6859 key_getsizes_ah(aalgo, i, &minkeysize, &maxkeysize);
6860 alg->sadb_alg_minbits = _BITS(minkeysize);
6861 alg->sadb_alg_maxbits = _BITS(maxkeysize);
6862 off += PFKEY_ALIGN8(sizeof(*alg));
6866 /* for encryption algorithm */
6868 sup = (struct sadb_supported *)(mtod(n, caddr_t) + off);
6869 sup->sadb_supported_len = PFKEY_UNIT64(elen);
6870 sup->sadb_supported_exttype = SADB_EXT_SUPPORTED_ENCRYPT;
6871 off += PFKEY_ALIGN8(sizeof(*sup));
6873 for (i = 1; i <= SADB_EALG_MAX; i++) {
6874 struct enc_xform *ealgo;
6876 ealgo = esp_algorithm_lookup(i);
6879 alg = (struct sadb_alg *)(mtod(n, caddr_t) + off);
6880 alg->sadb_alg_id = i;
6881 alg->sadb_alg_ivlen = ealgo->ivsize;
6882 alg->sadb_alg_minbits = _BITS(ealgo->minkey);
6883 alg->sadb_alg_maxbits = _BITS(ealgo->maxkey);
6884 off += PFKEY_ALIGN8(sizeof(struct sadb_alg));
6888 IPSEC_ASSERT(off == len,
6889 ("length assumption failed (off %u len %u)", off, len));
6892 return key_sendup_mbuf(so, n, KEY_SENDUP_REGISTERED);
6897 * free secreg entry registered.
6898 * XXX: I want to do free a socket marked done SADB_RESIGER to socket.
6901 key_freereg(struct socket *so)
6906 IPSEC_ASSERT(so != NULL, ("NULL so"));
6909 * check whether existing or not.
6910 * check all type of SA, because there is a potential that
6911 * one socket is registered to multiple type of SA.
6914 for (i = 0; i <= SADB_SATYPE_MAX; i++) {
6915 LIST_FOREACH(reg, &V_regtree[i], chain) {
6916 if (reg->so == so && __LIST_CHAINED(reg)) {
6917 LIST_REMOVE(reg, chain);
6918 free(reg, M_IPSEC_SAR);
6927 * SADB_EXPIRE processing
6929 * <base, SA, SA2, lifetime(C and one of HS), address(SD)>
6931 * NOTE: We send only soft lifetime extension.
6934 * others : error number
6937 key_expire(struct secasvar *sav, int hard)
6940 struct mbuf *result = NULL, *m;
6943 struct sadb_lifetime *lt;
6944 u_int32_t replay_count;
6946 IPSEC_ASSERT (sav != NULL, ("null sav"));
6947 IPSEC_ASSERT (sav->sah != NULL, ("null sa header"));
6949 /* set msg header */
6950 satype = key_proto2satype(sav->sah->saidx.proto);
6951 IPSEC_ASSERT(satype != 0, ("invalid proto, satype %u", satype));
6952 m = key_setsadbmsg(SADB_EXPIRE, 0, satype, sav->seq, 0, sav->refcnt);
6959 /* create SA extension */
6960 m = key_setsadbsa(sav);
6967 /* create SA extension */
6969 replay_count = sav->replay ? sav->replay->count : 0;
6970 SECASVAR_UNLOCK(sav);
6972 m = key_setsadbxsa2(sav->sah->saidx.mode, replay_count,
6973 sav->sah->saidx.reqid);
6980 if (sav->replay && sav->replay->wsize > UINT8_MAX) {
6981 m = key_setsadbxsareplay(sav->replay->wsize);
6989 /* create lifetime extension (current and soft) */
6990 len = PFKEY_ALIGN8(sizeof(*lt)) * 2;
6991 m = m_get2(len, M_NOWAIT, MT_DATA, 0);
6998 bzero(mtod(m, caddr_t), len);
6999 lt = mtod(m, struct sadb_lifetime *);
7000 lt->sadb_lifetime_len = PFKEY_UNIT64(sizeof(struct sadb_lifetime));
7001 lt->sadb_lifetime_exttype = SADB_EXT_LIFETIME_CURRENT;
7002 lt->sadb_lifetime_allocations = sav->lft_c->allocations;
7003 lt->sadb_lifetime_bytes = sav->lft_c->bytes;
7004 lt->sadb_lifetime_addtime = sav->lft_c->addtime;
7005 lt->sadb_lifetime_usetime = sav->lft_c->usetime;
7006 lt = (struct sadb_lifetime *)(mtod(m, caddr_t) + len / 2);
7007 lt->sadb_lifetime_len = PFKEY_UNIT64(sizeof(struct sadb_lifetime));
7009 lt->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD;
7010 lt->sadb_lifetime_allocations = sav->lft_h->allocations;
7011 lt->sadb_lifetime_bytes = sav->lft_h->bytes;
7012 lt->sadb_lifetime_addtime = sav->lft_h->addtime;
7013 lt->sadb_lifetime_usetime = sav->lft_h->usetime;
7015 lt->sadb_lifetime_exttype = SADB_EXT_LIFETIME_SOFT;
7016 lt->sadb_lifetime_allocations = sav->lft_s->allocations;
7017 lt->sadb_lifetime_bytes = sav->lft_s->bytes;
7018 lt->sadb_lifetime_addtime = sav->lft_s->addtime;
7019 lt->sadb_lifetime_usetime = sav->lft_s->usetime;
7023 /* set sadb_address for source */
7024 m = key_setsadbaddr(SADB_EXT_ADDRESS_SRC,
7025 &sav->sah->saidx.src.sa,
7026 FULLMASK, IPSEC_ULPROTO_ANY);
7033 /* set sadb_address for destination */
7034 m = key_setsadbaddr(SADB_EXT_ADDRESS_DST,
7035 &sav->sah->saidx.dst.sa,
7036 FULLMASK, IPSEC_ULPROTO_ANY);
7044 * XXX-BZ Handle NAT-T extensions here.
7047 if ((result->m_flags & M_PKTHDR) == 0) {
7052 if (result->m_len < sizeof(struct sadb_msg)) {
7053 result = m_pullup(result, sizeof(struct sadb_msg));
7054 if (result == NULL) {
7060 result->m_pkthdr.len = 0;
7061 for (m = result; m; m = m->m_next)
7062 result->m_pkthdr.len += m->m_len;
7064 mtod(result, struct sadb_msg *)->sadb_msg_len =
7065 PFKEY_UNIT64(result->m_pkthdr.len);
7067 return key_sendup_mbuf(NULL, result, KEY_SENDUP_REGISTERED);
7076 * SADB_FLUSH processing
7079 * from the ikmpd, and free all entries in secastree.
7083 * NOTE: to do is only marking SADB_SASTATE_DEAD.
7085 * m will always be freed.
7088 key_flush(struct socket *so, struct mbuf *m, const struct sadb_msghdr *mhp)
7090 struct sadb_msg *newmsg;
7091 struct secashead *sah, *nextsah;
7092 struct secasvar *sav, *nextsav;
7097 IPSEC_ASSERT(so != NULL, ("null socket"));
7098 IPSEC_ASSERT(mhp != NULL, ("null msghdr"));
7099 IPSEC_ASSERT(mhp->msg != NULL, ("null msg"));
7101 /* map satype to proto */
7102 if ((proto = key_satype2proto(mhp->msg->sadb_msg_satype)) == 0) {
7103 ipseclog((LOG_DEBUG, "%s: invalid satype is passed.\n",
7105 return key_senderror(so, m, EINVAL);
7108 /* no SATYPE specified, i.e. flushing all SA. */
7110 for (sah = LIST_FIRST(&V_sahtree);
7113 nextsah = LIST_NEXT(sah, chain);
7115 if (mhp->msg->sadb_msg_satype != SADB_SATYPE_UNSPEC
7116 && proto != sah->saidx.proto)
7120 stateidx < _ARRAYLEN(saorder_state_alive);
7122 state = saorder_state_any[stateidx];
7123 for (sav = LIST_FIRST(&sah->savtree[state]);
7127 nextsav = LIST_NEXT(sav, chain);
7129 key_sa_chgstate(sav, SADB_SASTATE_DEAD);
7134 sah->state = SADB_SASTATE_DEAD;
7138 if (m->m_len < sizeof(struct sadb_msg) ||
7139 sizeof(struct sadb_msg) > m->m_len + M_TRAILINGSPACE(m)) {
7140 ipseclog((LOG_DEBUG, "%s: No more memory.\n", __func__));
7141 return key_senderror(so, m, ENOBUFS);
7147 m->m_pkthdr.len = m->m_len = sizeof(struct sadb_msg);
7148 newmsg = mtod(m, struct sadb_msg *);
7149 newmsg->sadb_msg_errno = 0;
7150 newmsg->sadb_msg_len = PFKEY_UNIT64(m->m_pkthdr.len);
7152 return key_sendup_mbuf(so, m, KEY_SENDUP_ALL);
7156 * SADB_DUMP processing
7157 * dump all entries including status of DEAD in SAD.
7160 * from the ikmpd, and dump all secasvar leaves
7165 * m will always be freed.
7168 key_dump(struct socket *so, struct mbuf *m, const struct sadb_msghdr *mhp)
7170 struct secashead *sah;
7171 struct secasvar *sav;
7177 struct sadb_msg *newmsg;
7180 IPSEC_ASSERT(so != NULL, ("null socket"));
7181 IPSEC_ASSERT(m != NULL, ("null mbuf"));
7182 IPSEC_ASSERT(mhp != NULL, ("null msghdr"));
7183 IPSEC_ASSERT(mhp->msg != NULL, ("null msg"));
7185 /* map satype to proto */
7186 if ((proto = key_satype2proto(mhp->msg->sadb_msg_satype)) == 0) {
7187 ipseclog((LOG_DEBUG, "%s: invalid satype is passed.\n",
7189 return key_senderror(so, m, EINVAL);
7192 /* count sav entries to be sent to the userland. */
7195 LIST_FOREACH(sah, &V_sahtree, chain) {
7196 if (mhp->msg->sadb_msg_satype != SADB_SATYPE_UNSPEC
7197 && proto != sah->saidx.proto)
7201 stateidx < _ARRAYLEN(saorder_state_any);
7203 state = saorder_state_any[stateidx];
7204 LIST_FOREACH(sav, &sah->savtree[state], chain) {
7212 return key_senderror(so, m, ENOENT);
7215 /* send this to the userland, one at a time. */
7217 LIST_FOREACH(sah, &V_sahtree, chain) {
7218 if (mhp->msg->sadb_msg_satype != SADB_SATYPE_UNSPEC
7219 && proto != sah->saidx.proto)
7222 /* map proto to satype */
7223 if ((satype = key_proto2satype(sah->saidx.proto)) == 0) {
7225 ipseclog((LOG_DEBUG, "%s: there was invalid proto in "
7226 "SAD.\n", __func__));
7227 return key_senderror(so, m, EINVAL);
7231 stateidx < _ARRAYLEN(saorder_state_any);
7233 state = saorder_state_any[stateidx];
7234 LIST_FOREACH(sav, &sah->savtree[state], chain) {
7235 n = key_setdumpsa(sav, SADB_DUMP, satype,
7236 --cnt, mhp->msg->sadb_msg_pid);
7239 return key_senderror(so, m, ENOBUFS);
7241 key_sendup_mbuf(so, n, KEY_SENDUP_ONE);
7252 * SADB_X_PROMISC processing
7254 * m will always be freed.
7257 key_promisc(struct socket *so, struct mbuf *m, const struct sadb_msghdr *mhp)
7261 IPSEC_ASSERT(so != NULL, ("null socket"));
7262 IPSEC_ASSERT(m != NULL, ("null mbuf"));
7263 IPSEC_ASSERT(mhp != NULL, ("null msghdr"));
7264 IPSEC_ASSERT(mhp->msg != NULL, ("null msg"));
7266 olen = PFKEY_UNUNIT64(mhp->msg->sadb_msg_len);
7268 if (olen < sizeof(struct sadb_msg)) {
7270 return key_senderror(so, m, EINVAL);
7275 } else if (olen == sizeof(struct sadb_msg)) {
7276 /* enable/disable promisc mode */
7279 if ((kp = (struct keycb *)sotorawcb(so)) == NULL)
7280 return key_senderror(so, m, EINVAL);
7281 mhp->msg->sadb_msg_errno = 0;
7282 switch (mhp->msg->sadb_msg_satype) {
7285 kp->kp_promisc = mhp->msg->sadb_msg_satype;
7288 return key_senderror(so, m, EINVAL);
7291 /* send the original message back to everyone */
7292 mhp->msg->sadb_msg_errno = 0;
7293 return key_sendup_mbuf(so, m, KEY_SENDUP_ALL);
7295 /* send packet as is */
7297 m_adj(m, PFKEY_ALIGN8(sizeof(struct sadb_msg)));
7299 /* TODO: if sadb_msg_seq is specified, send to specific pid */
7300 return key_sendup_mbuf(so, m, KEY_SENDUP_ALL);
7304 static int (*key_typesw[])(struct socket *, struct mbuf *,
7305 const struct sadb_msghdr *) = {
7306 NULL, /* SADB_RESERVED */
7307 key_getspi, /* SADB_GETSPI */
7308 key_update, /* SADB_UPDATE */
7309 key_add, /* SADB_ADD */
7310 key_delete, /* SADB_DELETE */
7311 key_get, /* SADB_GET */
7312 key_acquire2, /* SADB_ACQUIRE */
7313 key_register, /* SADB_REGISTER */
7314 NULL, /* SADB_EXPIRE */
7315 key_flush, /* SADB_FLUSH */
7316 key_dump, /* SADB_DUMP */
7317 key_promisc, /* SADB_X_PROMISC */
7318 NULL, /* SADB_X_PCHANGE */
7319 key_spdadd, /* SADB_X_SPDUPDATE */
7320 key_spdadd, /* SADB_X_SPDADD */
7321 key_spddelete, /* SADB_X_SPDDELETE */
7322 key_spdget, /* SADB_X_SPDGET */
7323 NULL, /* SADB_X_SPDACQUIRE */
7324 key_spddump, /* SADB_X_SPDDUMP */
7325 key_spdflush, /* SADB_X_SPDFLUSH */
7326 key_spdadd, /* SADB_X_SPDSETIDX */
7327 NULL, /* SADB_X_SPDEXPIRE */
7328 key_spddelete2, /* SADB_X_SPDDELETE2 */
7332 * parse sadb_msg buffer to process PFKEYv2,
7333 * and create a data to response if needed.
7334 * I think to be dealed with mbuf directly.
7336 * msgp : pointer to pointer to a received buffer pulluped.
7337 * This is rewrited to response.
7338 * so : pointer to socket.
7340 * length for buffer to send to user process.
7343 key_parse(struct mbuf *m, struct socket *so)
7345 struct sadb_msg *msg;
7346 struct sadb_msghdr mh;
7351 IPSEC_ASSERT(so != NULL, ("null socket"));
7352 IPSEC_ASSERT(m != NULL, ("null mbuf"));
7354 #if 0 /*kdebug_sadb assumes msg in linear buffer*/
7355 KEYDEBUG(KEYDEBUG_KEY_DUMP,
7356 ipseclog((LOG_DEBUG, "%s: passed sadb_msg\n", __func__));
7360 if (m->m_len < sizeof(struct sadb_msg)) {
7361 m = m_pullup(m, sizeof(struct sadb_msg));
7365 msg = mtod(m, struct sadb_msg *);
7366 orglen = PFKEY_UNUNIT64(msg->sadb_msg_len);
7367 target = KEY_SENDUP_ONE;
7369 if ((m->m_flags & M_PKTHDR) == 0 || m->m_pkthdr.len != orglen) {
7370 ipseclog((LOG_DEBUG, "%s: invalid message length.\n",__func__));
7371 PFKEYSTAT_INC(out_invlen);
7376 if (msg->sadb_msg_version != PF_KEY_V2) {
7377 ipseclog((LOG_DEBUG, "%s: PF_KEY version %u is mismatched.\n",
7378 __func__, msg->sadb_msg_version));
7379 PFKEYSTAT_INC(out_invver);
7384 if (msg->sadb_msg_type > SADB_MAX) {
7385 ipseclog((LOG_DEBUG, "%s: invalid type %u is passed.\n",
7386 __func__, msg->sadb_msg_type));
7387 PFKEYSTAT_INC(out_invmsgtype);
7392 /* for old-fashioned code - should be nuked */
7393 if (m->m_pkthdr.len > MCLBYTES) {
7400 MGETHDR(n, M_NOWAIT, MT_DATA);
7401 if (n && m->m_pkthdr.len > MHLEN) {
7402 if (!(MCLGET(n, M_NOWAIT))) {
7411 m_copydata(m, 0, m->m_pkthdr.len, mtod(n, caddr_t));
7412 n->m_pkthdr.len = n->m_len = m->m_pkthdr.len;
7418 /* align the mbuf chain so that extensions are in contiguous region. */
7419 error = key_align(m, &mh);
7426 switch (msg->sadb_msg_satype) {
7427 case SADB_SATYPE_UNSPEC:
7428 switch (msg->sadb_msg_type) {
7436 ipseclog((LOG_DEBUG, "%s: must specify satype "
7437 "when msg type=%u.\n", __func__,
7438 msg->sadb_msg_type));
7439 PFKEYSTAT_INC(out_invsatype);
7444 case SADB_SATYPE_AH:
7445 case SADB_SATYPE_ESP:
7446 case SADB_X_SATYPE_IPCOMP:
7447 case SADB_X_SATYPE_TCPSIGNATURE:
7448 switch (msg->sadb_msg_type) {
7450 case SADB_X_SPDDELETE:
7452 case SADB_X_SPDDUMP:
7453 case SADB_X_SPDFLUSH:
7454 case SADB_X_SPDSETIDX:
7455 case SADB_X_SPDUPDATE:
7456 case SADB_X_SPDDELETE2:
7457 ipseclog((LOG_DEBUG, "%s: illegal satype=%u\n",
7458 __func__, msg->sadb_msg_type));
7459 PFKEYSTAT_INC(out_invsatype);
7464 case SADB_SATYPE_RSVP:
7465 case SADB_SATYPE_OSPFV2:
7466 case SADB_SATYPE_RIPV2:
7467 case SADB_SATYPE_MIP:
7468 ipseclog((LOG_DEBUG, "%s: type %u isn't supported.\n",
7469 __func__, msg->sadb_msg_satype));
7470 PFKEYSTAT_INC(out_invsatype);
7473 case 1: /* XXX: What does it do? */
7474 if (msg->sadb_msg_type == SADB_X_PROMISC)
7478 ipseclog((LOG_DEBUG, "%s: invalid type %u is passed.\n",
7479 __func__, msg->sadb_msg_satype));
7480 PFKEYSTAT_INC(out_invsatype);
7485 /* check field of upper layer protocol and address family */
7486 if (mh.ext[SADB_EXT_ADDRESS_SRC] != NULL
7487 && mh.ext[SADB_EXT_ADDRESS_DST] != NULL) {
7488 struct sadb_address *src0, *dst0;
7491 src0 = (struct sadb_address *)(mh.ext[SADB_EXT_ADDRESS_SRC]);
7492 dst0 = (struct sadb_address *)(mh.ext[SADB_EXT_ADDRESS_DST]);
7494 /* check upper layer protocol */
7495 if (src0->sadb_address_proto != dst0->sadb_address_proto) {
7496 ipseclog((LOG_DEBUG, "%s: upper layer protocol "
7497 "mismatched.\n", __func__));
7498 PFKEYSTAT_INC(out_invaddr);
7504 if (PFKEY_ADDR_SADDR(src0)->sa_family !=
7505 PFKEY_ADDR_SADDR(dst0)->sa_family) {
7506 ipseclog((LOG_DEBUG, "%s: address family mismatched.\n",
7508 PFKEYSTAT_INC(out_invaddr);
7512 if (PFKEY_ADDR_SADDR(src0)->sa_len !=
7513 PFKEY_ADDR_SADDR(dst0)->sa_len) {
7514 ipseclog((LOG_DEBUG, "%s: address struct size "
7515 "mismatched.\n", __func__));
7516 PFKEYSTAT_INC(out_invaddr);
7521 switch (PFKEY_ADDR_SADDR(src0)->sa_family) {
7523 if (PFKEY_ADDR_SADDR(src0)->sa_len !=
7524 sizeof(struct sockaddr_in)) {
7525 PFKEYSTAT_INC(out_invaddr);
7531 if (PFKEY_ADDR_SADDR(src0)->sa_len !=
7532 sizeof(struct sockaddr_in6)) {
7533 PFKEYSTAT_INC(out_invaddr);
7539 ipseclog((LOG_DEBUG, "%s: unsupported address family\n",
7541 PFKEYSTAT_INC(out_invaddr);
7542 error = EAFNOSUPPORT;
7546 switch (PFKEY_ADDR_SADDR(src0)->sa_family) {
7548 plen = sizeof(struct in_addr) << 3;
7551 plen = sizeof(struct in6_addr) << 3;
7554 plen = 0; /*fool gcc*/
7558 /* check max prefix length */
7559 if (src0->sadb_address_prefixlen > plen ||
7560 dst0->sadb_address_prefixlen > plen) {
7561 ipseclog((LOG_DEBUG, "%s: illegal prefixlen.\n",
7563 PFKEYSTAT_INC(out_invaddr);
7569 * prefixlen == 0 is valid because there can be a case when
7570 * all addresses are matched.
7574 if (msg->sadb_msg_type >= nitems(key_typesw) ||
7575 key_typesw[msg->sadb_msg_type] == NULL) {
7576 PFKEYSTAT_INC(out_invmsgtype);
7581 return (*key_typesw[msg->sadb_msg_type])(so, m, &mh);
7584 msg->sadb_msg_errno = error;
7585 return key_sendup_mbuf(so, m, target);
7589 key_senderror(struct socket *so, struct mbuf *m, int code)
7591 struct sadb_msg *msg;
7593 IPSEC_ASSERT(m->m_len >= sizeof(struct sadb_msg),
7594 ("mbuf too small, len %u", m->m_len));
7596 msg = mtod(m, struct sadb_msg *);
7597 msg->sadb_msg_errno = code;
7598 return key_sendup_mbuf(so, m, KEY_SENDUP_ONE);
7602 * set the pointer to each header into message buffer.
7603 * m will be freed on error.
7604 * XXX larger-than-MCLBYTES extension?
7607 key_align(struct mbuf *m, struct sadb_msghdr *mhp)
7610 struct sadb_ext *ext;
7615 IPSEC_ASSERT(m != NULL, ("null mbuf"));
7616 IPSEC_ASSERT(mhp != NULL, ("null msghdr"));
7617 IPSEC_ASSERT(m->m_len >= sizeof(struct sadb_msg),
7618 ("mbuf too small, len %u", m->m_len));
7621 bzero(mhp, sizeof(*mhp));
7623 mhp->msg = mtod(m, struct sadb_msg *);
7624 mhp->ext[0] = (struct sadb_ext *)mhp->msg; /*XXX backward compat */
7626 end = PFKEY_UNUNIT64(mhp->msg->sadb_msg_len);
7627 extlen = end; /*just in case extlen is not updated*/
7628 for (off = sizeof(struct sadb_msg); off < end; off += extlen) {
7629 n = m_pulldown(m, off, sizeof(struct sadb_ext), &toff);
7631 /* m is already freed */
7634 ext = (struct sadb_ext *)(mtod(n, caddr_t) + toff);
7637 switch (ext->sadb_ext_type) {
7639 case SADB_EXT_ADDRESS_SRC:
7640 case SADB_EXT_ADDRESS_DST:
7641 case SADB_EXT_ADDRESS_PROXY:
7642 case SADB_EXT_LIFETIME_CURRENT:
7643 case SADB_EXT_LIFETIME_HARD:
7644 case SADB_EXT_LIFETIME_SOFT:
7645 case SADB_EXT_KEY_AUTH:
7646 case SADB_EXT_KEY_ENCRYPT:
7647 case SADB_EXT_IDENTITY_SRC:
7648 case SADB_EXT_IDENTITY_DST:
7649 case SADB_EXT_SENSITIVITY:
7650 case SADB_EXT_PROPOSAL:
7651 case SADB_EXT_SUPPORTED_AUTH:
7652 case SADB_EXT_SUPPORTED_ENCRYPT:
7653 case SADB_EXT_SPIRANGE:
7654 case SADB_X_EXT_POLICY:
7655 case SADB_X_EXT_SA2:
7657 case SADB_X_EXT_NAT_T_TYPE:
7658 case SADB_X_EXT_NAT_T_SPORT:
7659 case SADB_X_EXT_NAT_T_DPORT:
7660 case SADB_X_EXT_NAT_T_OAI:
7661 case SADB_X_EXT_NAT_T_OAR:
7662 case SADB_X_EXT_NAT_T_FRAG:
7664 case SADB_X_EXT_SA_REPLAY:
7665 /* duplicate check */
7667 * XXX Are there duplication payloads of either
7668 * KEY_AUTH or KEY_ENCRYPT ?
7670 if (mhp->ext[ext->sadb_ext_type] != NULL) {
7671 ipseclog((LOG_DEBUG, "%s: duplicate ext_type "
7672 "%u\n", __func__, ext->sadb_ext_type));
7674 PFKEYSTAT_INC(out_dupext);
7679 ipseclog((LOG_DEBUG, "%s: invalid ext_type %u\n",
7680 __func__, ext->sadb_ext_type));
7682 PFKEYSTAT_INC(out_invexttype);
7686 extlen = PFKEY_UNUNIT64(ext->sadb_ext_len);
7688 if (key_validate_ext(ext, extlen)) {
7690 PFKEYSTAT_INC(out_invlen);
7694 n = m_pulldown(m, off, extlen, &toff);
7696 /* m is already freed */
7699 ext = (struct sadb_ext *)(mtod(n, caddr_t) + toff);
7701 mhp->ext[ext->sadb_ext_type] = ext;
7702 mhp->extoff[ext->sadb_ext_type] = off;
7703 mhp->extlen[ext->sadb_ext_type] = extlen;
7708 PFKEYSTAT_INC(out_invlen);
7716 key_validate_ext(const struct sadb_ext *ext, int len)
7718 const struct sockaddr *sa;
7719 enum { NONE, ADDR } checktype = NONE;
7721 const int sal = offsetof(struct sockaddr, sa_len) + sizeof(sa->sa_len);
7723 if (len != PFKEY_UNUNIT64(ext->sadb_ext_len))
7726 /* if it does not match minimum/maximum length, bail */
7727 if (ext->sadb_ext_type >= nitems(minsize) ||
7728 ext->sadb_ext_type >= nitems(maxsize))
7730 if (!minsize[ext->sadb_ext_type] || len < minsize[ext->sadb_ext_type])
7732 if (maxsize[ext->sadb_ext_type] && len > maxsize[ext->sadb_ext_type])
7735 /* more checks based on sadb_ext_type XXX need more */
7736 switch (ext->sadb_ext_type) {
7737 case SADB_EXT_ADDRESS_SRC:
7738 case SADB_EXT_ADDRESS_DST:
7739 case SADB_EXT_ADDRESS_PROXY:
7740 baselen = PFKEY_ALIGN8(sizeof(struct sadb_address));
7743 case SADB_EXT_IDENTITY_SRC:
7744 case SADB_EXT_IDENTITY_DST:
7745 if (((const struct sadb_ident *)ext)->sadb_ident_type ==
7746 SADB_X_IDENTTYPE_ADDR) {
7747 baselen = PFKEY_ALIGN8(sizeof(struct sadb_ident));
7757 switch (checktype) {
7761 sa = (const struct sockaddr *)(((const u_int8_t*)ext)+baselen);
7762 if (len < baselen + sal)
7764 if (baselen + PFKEY_ALIGN8(sa->sa_len) != len)
7777 for (i = 0; i < IPSEC_DIR_MAX; i++)
7778 TAILQ_INIT(&V_sptree[i]);
7780 LIST_INIT(&V_sahtree);
7782 for (i = 0; i <= SADB_SATYPE_MAX; i++)
7783 LIST_INIT(&V_regtree[i]);
7785 LIST_INIT(&V_acqtree);
7786 LIST_INIT(&V_spacqtree);
7788 if (!IS_DEFAULT_VNET(curvnet))
7792 REGTREE_LOCK_INIT();
7793 SAHTREE_LOCK_INIT();
7797 #ifndef IPSEC_DEBUG2
7798 callout_init(&key_timer, 1);
7799 callout_reset(&key_timer, hz, key_timehandler, NULL);
7800 #endif /*IPSEC_DEBUG2*/
7802 /* initialize key statistics */
7803 keystat.getspi_count = 1;
7806 printf("IPsec: Initialized Security Association Processing.\n");
7813 TAILQ_HEAD(, secpolicy) drainq;
7814 struct secpolicy *sp, *nextsp;
7815 struct secacq *acq, *nextacq;
7816 struct secspacq *spacq, *nextspacq;
7817 struct secashead *sah, *nextsah;
7821 TAILQ_INIT(&drainq);
7823 for (i = 0; i < IPSEC_DIR_MAX; i++) {
7824 TAILQ_CONCAT(&drainq, &V_sptree[i], chain);
7827 sp = TAILQ_FIRST(&drainq);
7828 while (sp != NULL) {
7829 nextsp = TAILQ_NEXT(sp, chain);
7835 for (sah = LIST_FIRST(&V_sahtree); sah != NULL; sah = nextsah) {
7836 nextsah = LIST_NEXT(sah, chain);
7837 if (__LIST_CHAINED(sah)) {
7838 LIST_REMOVE(sah, chain);
7839 free(sah, M_IPSEC_SAH);
7845 for (i = 0; i <= SADB_SATYPE_MAX; i++) {
7846 LIST_FOREACH(reg, &V_regtree[i], chain) {
7847 if (__LIST_CHAINED(reg)) {
7848 LIST_REMOVE(reg, chain);
7849 free(reg, M_IPSEC_SAR);
7857 for (acq = LIST_FIRST(&V_acqtree); acq != NULL; acq = nextacq) {
7858 nextacq = LIST_NEXT(acq, chain);
7859 if (__LIST_CHAINED(acq)) {
7860 LIST_REMOVE(acq, chain);
7861 free(acq, M_IPSEC_SAQ);
7867 for (spacq = LIST_FIRST(&V_spacqtree); spacq != NULL;
7868 spacq = nextspacq) {
7869 nextspacq = LIST_NEXT(spacq, chain);
7870 if (__LIST_CHAINED(spacq)) {
7871 LIST_REMOVE(spacq, chain);
7872 free(spacq, M_IPSEC_SAQ);
7880 * XXX: maybe This function is called after INBOUND IPsec processing.
7882 * Special check for tunnel-mode packets.
7883 * We must make some checks for consistency between inner and outer IP header.
7885 * xxx more checks to be provided
7888 key_checktunnelsanity(struct secasvar *sav, u_int family, caddr_t src,
7891 IPSEC_ASSERT(sav->sah != NULL, ("null SA header"));
7893 /* XXX: check inner IP header */
7898 /* record data transfer on SA, and update timestamps */
7900 key_sa_recordxfer(struct secasvar *sav, struct mbuf *m)
7902 IPSEC_ASSERT(sav != NULL, ("Null secasvar"));
7903 IPSEC_ASSERT(m != NULL, ("Null mbuf"));
7908 * XXX Currently, there is a difference of bytes size
7909 * between inbound and outbound processing.
7911 sav->lft_c->bytes += m->m_pkthdr.len;
7912 /* to check bytes lifetime is done in key_timehandler(). */
7915 * We use the number of packets as the unit of
7916 * allocations. We increment the variable
7917 * whenever {esp,ah}_{in,out}put is called.
7919 sav->lft_c->allocations++;
7920 /* XXX check for expires? */
7923 * NOTE: We record CURRENT usetime by using wall clock,
7924 * in seconds. HARD and SOFT lifetime are measured by the time
7925 * difference (again in seconds) from usetime.
7929 * -----+-----+--------+---> t
7930 * <--------------> HARD
7933 sav->lft_c->usetime = time_second;
7934 /* XXX check for expires? */
7940 key_sa_chgstate(struct secasvar *sav, u_int8_t state)
7942 IPSEC_ASSERT(sav != NULL, ("NULL sav"));
7943 SAHTREE_LOCK_ASSERT();
7945 if (sav->state != state) {
7946 if (__LIST_CHAINED(sav))
7947 LIST_REMOVE(sav, chain);
7949 LIST_INSERT_HEAD(&sav->sah->savtree[state], sav, chain);
7954 * Take one of the kernel's security keys and convert it into a PF_KEY
7955 * structure within an mbuf, suitable for sending up to a waiting
7956 * application in user land.
7959 * src: A pointer to a kernel security key.
7960 * exttype: Which type of key this is. Refer to the PF_KEY data structures.
7962 * a valid mbuf or NULL indicating an error
7966 static struct mbuf *
7967 key_setkey(struct seckey *src, u_int16_t exttype)
7976 len = PFKEY_ALIGN8(sizeof(struct sadb_key) + _KEYLEN(src));
7977 m = m_get2(len, M_NOWAIT, MT_DATA, 0);
7982 p = mtod(m, struct sadb_key *);
7984 p->sadb_key_len = PFKEY_UNIT64(len);
7985 p->sadb_key_exttype = exttype;
7986 p->sadb_key_bits = src->bits;
7987 bcopy(src->key_data, _KEYBUF(p), _KEYLEN(src));
7993 * Take one of the kernel's lifetime data structures and convert it
7994 * into a PF_KEY structure within an mbuf, suitable for sending up to
7995 * a waiting application in user land.
7998 * src: A pointer to a kernel lifetime structure.
7999 * exttype: Which type of lifetime this is. Refer to the PF_KEY
8000 * data structures for more information.
8002 * a valid mbuf or NULL indicating an error
8006 static struct mbuf *
8007 key_setlifetime(struct seclifetime *src, u_int16_t exttype)
8009 struct mbuf *m = NULL;
8010 struct sadb_lifetime *p;
8011 int len = PFKEY_ALIGN8(sizeof(struct sadb_lifetime));
8016 m = m_get2(len, M_NOWAIT, MT_DATA, 0);
8021 p = mtod(m, struct sadb_lifetime *);
8024 p->sadb_lifetime_len = PFKEY_UNIT64(len);
8025 p->sadb_lifetime_exttype = exttype;
8026 p->sadb_lifetime_allocations = src->allocations;
8027 p->sadb_lifetime_bytes = src->bytes;
8028 p->sadb_lifetime_addtime = src->addtime;
8029 p->sadb_lifetime_usetime = src->usetime;