2 * modified by Jun-ichiro itojun Itoh <itojun@itojun.org>, 1997
4 /*----------------------------------------------------------------------
5 key.c : Key Management Engine for BSD
7 Copyright 1995 by Bao Phan, Randall Atkinson, & Dan McDonald,
8 All Rights Reserved. All Rights have been assigned to the US
9 Naval Research Laboratory (NRL). The NRL Copyright Notice and
10 License governs distribution and use of this software.
12 Patents are pending on this technology. NRL grants a license
13 to use this technology at no cost under the terms below with
14 the additional requirement that software, hardware, and
15 documentation relating to use of this technology must include
17 This product includes technology developed at and
18 licensed from the Information Technology Division,
19 US Naval Research Laboratory.
21 ----------------------------------------------------------------------*/
22 /*----------------------------------------------------------------------
23 # @(#)COPYRIGHT 1.1a (NRL) 17 August 1995
27 All of the documentation and software included in this software
28 distribution from the US Naval Research Laboratory (NRL) are
29 copyrighted by their respective developers.
31 This software and documentation were developed at NRL by various
32 people. Those developers have each copyrighted the portions that they
33 developed at NRL and have assigned All Rights for those portions to
34 NRL. Outside the USA, NRL also has copyright on the software
35 developed at NRL. The affected files all contain specific copyright
36 notices and those notices must be retained in any derived work.
40 NRL grants permission for redistribution and use in source and binary
41 forms, with or without modification, of the software and documentation
42 created at NRL provided that the following conditions are met:
44 1. Redistributions of source code must retain the above copyright
45 notice, this list of conditions and the following disclaimer.
46 2. Redistributions in binary form must reproduce the above copyright
47 notice, this list of conditions and the following disclaimer in the
48 documentation and/or other materials provided with the distribution.
49 3. All advertising materials mentioning features or use of this software
50 must display the following acknowledgement:
52 This product includes software developed at the Information
53 Technology Division, US Naval Research Laboratory.
55 4. Neither the name of the NRL nor the names of its contributors
56 may be used to endorse or promote products derived from this software
57 without specific prior written permission.
59 THE SOFTWARE PROVIDED BY NRL IS PROVIDED BY NRL AND CONTRIBUTORS ``AS
60 IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
61 TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
62 PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL NRL OR
63 CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
64 EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
65 PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
66 PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
67 LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
68 NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
69 SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
71 The views and conclusions contained in the software and documentation
72 are those of the authors and should not be interpreted as representing
73 official policies, either expressed or implied, of the US Naval
74 Research Laboratory (NRL).
76 ----------------------------------------------------------------------*/
82 #include <sys/param.h>
83 #include <sys/systm.h>
84 #include <sys/kernel.h>
85 #include <sys/domain.h>
86 #include <sys/malloc.h>
89 #include <sys/protosw.h>
90 #include <sys/socket.h>
91 #include <sys/socketvar.h>
93 #include <net/raw_cb.h>
95 #include <net/if_dl.h>
96 #include <net/route.h>
98 #include <netinet/in.h>
99 #include <netinet/in_var.h>
100 #include <netinet/in_pcb.h>
103 #include <netinet6/in6.h>
104 #include <netinet6/in6_var.h>
107 #include <netkey/key.h>
108 #include <netkey/key_debug.h>
110 static MALLOC_DEFINE(M_SECA, "key mgmt", "security associations, key management");
112 #define KMALLOC(p, t, n) (p = (t) malloc((unsigned long)(n), M_SECA, M_DONTWAIT))
113 #define KFREE(p) free((caddr_t)p, M_SECA);
115 #define CRITICAL_DCL int critical_s;
116 #define CRITICAL_START critical_s = splnet()
117 #define CRITICAL_END splx(critical_s)
120 #define MAXHASHKEYLEN (2 * sizeof(int) + 2 * sizeof(struct sockaddr_in6))
122 #define MAXHASHKEYLEN (2 * sizeof(int) + 2 * sizeof(struct sockaddr_in))
126 * Not clear whether these values should be
127 * tweakable at kernel config time.
129 #define KEYTBLSIZE 61
130 #define KEYALLOCTBLSIZE 61
131 #define SO2SPITBLSIZE 61
134 * These values should be tweakable...
135 * perhaps by using sysctl
138 #define MAXLARVALTIME 240; /* Lifetime of a larval key table entry */
139 #define MAXKEYACQUIRE 1; /* Max number of key acquire messages sent */
140 /* per destination address */
141 #define MAXACQUIRETIME 15; /* Lifetime of acquire message */
144 * Key engine tables and global variables
147 struct key_tblnode keytable[KEYTBLSIZE];
148 struct key_allocnode keyalloctbl[KEYALLOCTBLSIZE];
149 struct key_so2spinode so2spitbl[SO2SPITBLSIZE];
151 struct keyso_cb keyso_cb;
152 struct key_tblnode nullkeynode;
153 struct key_registry *keyregtable;
154 struct key_acquirelist *key_acquirelist;
155 u_long maxlarvallifetime = MAXLARVALTIME;
156 int maxkeyacquire = MAXKEYACQUIRE;
157 u_long maxacquiretime = MAXACQUIRETIME;
159 extern struct sockaddr key_addr;
162 ((a) > 0 ? (1 + (((a) - 1) | (sizeof(long) - 1))) : sizeof(long))
163 #define ADVANCE(x, n) \
166 static int addrpart_equal __P((struct sockaddr *, struct sockaddr *));
167 static int key_freetables __P((void));
168 static int key_gethashval __P((char *, int, int));
169 static int key_createkey __P((char *, u_int, struct sockaddr *,
170 struct sockaddr *, u_int32_t, u_int));
171 static struct key_so2spinode *key_sosearch __P((u_int, struct sockaddr *,
172 struct sockaddr *, struct socket *));
173 static void key_deleteacquire __P((u_int, struct sockaddr *));
174 static struct key_tblnode *key_search __P((u_int, struct sockaddr *,
175 struct sockaddr *, u_int32_t, int, struct key_tblnode **));
176 static struct key_tblnode *key_addnode __P((int, struct key_secassoc *));
177 static int key_alloc __P((u_int, struct sockaddr *, struct sockaddr *,
178 struct socket *, u_int, struct key_tblnode **));
179 static int key_xdata __P((struct key_msghdr *, struct key_msgdata *, int));
180 static int key_sendup __P((struct socket *, struct key_msghdr *));
181 static void key_init __P((void));
182 static int my_addr __P((struct sockaddr *));
183 static int key_output __P((struct mbuf *, struct socket *));
184 static int key_attach __P((struct socket *, int, struct proc *));
185 static int key_detach __P((struct socket *));
186 static void key_cbinit __P((void));
188 /*----------------------------------------------------------------------
189 * key_secassoc2msghdr():
190 * Copy info from a security association into a key message buffer.
191 * Assume message buffer is sufficiently large to hold all security
192 * association information including src, dst, from, key and iv.
193 ----------------------------------------------------------------------*/
195 key_secassoc2msghdr(secassoc, km, keyinfo)
196 struct key_secassoc *secassoc;
197 struct key_msghdr *km;
198 struct key_msgdata *keyinfo;
201 DPRINTF(IDL_FINISHED, ("Entering key_secassoc2msghdr\n"));
203 if ((km == 0) || (keyinfo == 0) || (secassoc == 0))
206 km->type = secassoc->type;
207 km->vers = secassoc->vers;
208 km->state = secassoc->state;
209 km->label = secassoc->label;
210 km->spi = secassoc->spi;
211 km->keylen = secassoc->keylen;
212 km->ekeylen = secassoc->ekeylen;
213 km->ivlen = secassoc->ivlen;
214 km->algorithm = secassoc->algorithm;
215 km->lifetype = secassoc->lifetype;
216 km->lifetime1 = secassoc->lifetime1;
217 km->lifetime2 = secassoc->lifetime2;
218 km->antireplay = secassoc->antireplay;
221 * Stuff src/dst/from/key/iv/ekey in buffer after
222 * the message header.
224 cp = (char *)(km + 1);
226 DPRINTF(IDL_FINISHED, ("sa2msghdr: 1\n"));
227 keyinfo->src = (struct sockaddr *)cp;
228 if (secassoc->src->sa_len) {
229 bcopy(secassoc->src, cp, secassoc->src->sa_len);
230 ADVANCE(cp, secassoc->src->sa_len);
232 bzero(cp, MAX_SOCKADDR_SZ);
233 ADVANCE(cp, MAX_SOCKADDR_SZ);
236 DPRINTF(IDL_FINISHED, ("sa2msghdr: 2\n"));
237 keyinfo->dst = (struct sockaddr *)cp;
238 if (secassoc->dst->sa_len) {
239 bcopy(secassoc->dst, cp, secassoc->dst->sa_len);
240 ADVANCE(cp, secassoc->dst->sa_len);
242 bzero(cp, MAX_SOCKADDR_SZ);
243 ADVANCE(cp, MAX_SOCKADDR_SZ);
246 DPRINTF(IDL_FINISHED, ("sa2msghdr: 3\n"));
247 keyinfo->from = (struct sockaddr *)cp;
248 if (secassoc->from->sa_len) {
249 bcopy(secassoc->from, cp, secassoc->from->sa_len);
250 ADVANCE(cp, secassoc->from->sa_len);
252 bzero(cp, MAX_SOCKADDR_SZ);
253 ADVANCE(cp, MAX_SOCKADDR_SZ);
256 DPRINTF(IDL_FINISHED, ("sa2msghdr: 4\n"));
259 keyinfo->keylen = secassoc->keylen;
260 if (secassoc->keylen) {
261 bcopy((char *)(secassoc->key), cp, secassoc->keylen);
262 ADVANCE(cp, secassoc->keylen);
265 DPRINTF(IDL_FINISHED, ("sa2msghdr: 5\n"));
267 keyinfo->ivlen = secassoc->ivlen;
268 if (secassoc->ivlen) {
269 bcopy((char *)(secassoc->iv), cp, secassoc->ivlen);
270 ADVANCE(cp, secassoc->ivlen);
273 DPRINTF(IDL_FINISHED, ("sa2msghdr: 6\n"));
275 keyinfo->ekeylen = secassoc->ekeylen;
276 if (secassoc->ekeylen) {
277 bcopy((char *)(secassoc->ekey), cp, secassoc->ekeylen);
278 ADVANCE(cp, secassoc->ekeylen);
281 DDO(IDL_FINISHED,printf("msgbuf(len=%d):\n",(char *)cp - (char *)km));
282 DDO(IDL_FINISHED,dump_buf((char *)km, (char *)cp - (char *)km));
283 DPRINTF(IDL_FINISHED, ("sa2msghdr: 6\n"));
288 /*----------------------------------------------------------------------
289 * key_msghdr2secassoc():
290 * Copy info from a key message buffer into a key_secassoc
292 ----------------------------------------------------------------------*/
294 key_msghdr2secassoc(secassoc, km, keyinfo)
295 struct key_secassoc *secassoc;
296 struct key_msghdr *km;
297 struct key_msgdata *keyinfo;
299 DPRINTF(IDL_FINISHED, ("Entering key_msghdr2secassoc\n"));
301 if ((km == 0) || (keyinfo == 0) || (secassoc == 0))
304 secassoc->len = sizeof(*secassoc);
305 secassoc->type = km->type;
306 secassoc->vers = km->vers;
307 secassoc->state = km->state;
308 secassoc->label = km->label;
309 secassoc->spi = km->spi;
310 secassoc->keylen = km->keylen;
311 secassoc->ekeylen = km->ekeylen;
312 secassoc->ivlen = km->ivlen;
313 secassoc->algorithm = km->algorithm;
314 secassoc->lifetype = km->lifetype;
315 secassoc->lifetime1 = km->lifetime1;
316 secassoc->lifetime2 = km->lifetime2;
317 secassoc->antireplay = km->antireplay;
320 KMALLOC(secassoc->src, struct sockaddr *, keyinfo->src->sa_len);
321 if (!secassoc->src) {
322 DPRINTF(IDL_ERROR,("msghdr2secassoc: can't allocate mem for src\n"));
325 bcopy((char *)keyinfo->src, (char *)secassoc->src,
326 keyinfo->src->sa_len);
328 secassoc->src = NULL;
331 KMALLOC(secassoc->dst, struct sockaddr *, keyinfo->dst->sa_len);
332 if (!secassoc->dst) {
333 DPRINTF(IDL_ERROR,("msghdr2secassoc: can't allocate mem for dst\n"));
336 bcopy((char *)keyinfo->dst, (char *)secassoc->dst,
337 keyinfo->dst->sa_len);
339 secassoc->dst = NULL;
342 KMALLOC(secassoc->from, struct sockaddr *, keyinfo->from->sa_len);
343 if (!secassoc->from) {
344 DPRINTF(IDL_ERROR,("msghdr2secassoc: can't allocate mem for from\n"));
347 bcopy((char *)keyinfo->from, (char *)secassoc->from,
348 keyinfo->from->sa_len);
350 secassoc->from = NULL;
353 * Make copies of key and iv
355 if (secassoc->ivlen) {
356 KMALLOC(secassoc->iv, caddr_t, secassoc->ivlen);
357 if (secassoc->iv == 0) {
358 DPRINTF(IDL_ERROR,("msghdr2secassoc: can't allocate mem for iv\n"));
361 bcopy((char *)keyinfo->iv, (char *)secassoc->iv, secassoc->ivlen);
365 if (secassoc->keylen) {
366 KMALLOC(secassoc->key, caddr_t, secassoc->keylen);
367 if (secassoc->key == 0) {
368 DPRINTF(IDL_ERROR,("msghdr2secassoc: can't allocate mem for key\n"));
373 bcopy((char *)keyinfo->key, (char *)secassoc->key, secassoc->keylen);
375 secassoc->key = NULL;
377 if (secassoc->ekeylen) {
378 KMALLOC(secassoc->ekey, caddr_t, secassoc->ekeylen);
379 if (secassoc->ekey == 0) {
380 DPRINTF(IDL_ERROR,("msghdr2secassoc: can't allocate mem for ekey\n"));
384 KFREE(secassoc->key);
387 bcopy((char *)keyinfo->ekey, (char *)secassoc->ekey, secassoc->ekeylen);
389 secassoc->ekey = NULL;
395 /*----------------------------------------------------------------------
397 * Determine if the address portion of two sockaddrs are equal.
398 * Currently handles only AF_INET and AF_INET6 address families.
399 ----------------------------------------------------------------------*/
401 addrpart_equal(sa1, sa2)
402 struct sockaddr *sa1;
403 struct sockaddr *sa2;
405 if ((sa1->sa_family != sa2->sa_family) ||
406 (sa1->sa_len != sa2->sa_len))
409 switch(sa1->sa_family) {
411 return (((struct sockaddr_in *)sa1)->sin_addr.s_addr ==
412 ((struct sockaddr_in *)sa2)->sin_addr.s_addr);
415 return (IN6_ARE_ADDR_EQUAL(&((struct sockaddr_in6 *)sa1)->sin6_addr,
416 &((struct sockaddr_in6 *)sa2)->sin6_addr));
422 /*----------------------------------------------------------------------
424 * Allocate space and initialize key engine tables
425 ----------------------------------------------------------------------*/
431 KMALLOC(keyregtable, struct key_registry *, sizeof(struct key_registry));
434 bzero((char *)keyregtable, sizeof(struct key_registry));
435 KMALLOC(key_acquirelist, struct key_acquirelist *,
436 sizeof(struct key_acquirelist));
437 if (!key_acquirelist)
439 bzero((char *)key_acquirelist, sizeof(struct key_acquirelist));
440 for (i = 0; i < KEYTBLSIZE; i++)
441 bzero((char *)&keytable[i], sizeof(struct key_tblnode));
442 for (i = 0; i < KEYALLOCTBLSIZE; i++)
443 bzero((char *)&keyalloctbl[i], sizeof(struct key_allocnode));
444 for (i = 0; i < SO2SPITBLSIZE; i++)
445 bzero((char *)&so2spitbl[i], sizeof(struct key_so2spinode));
455 KFREE(key_acquirelist);
456 key_acquirelist = NULL;
460 /*----------------------------------------------------------------------
462 * Determine keytable hash value.
463 ----------------------------------------------------------------------*/
465 key_gethashval(buf, len, tblsize)
473 * Todo: Use word size xor and check for alignment
474 * and zero pad if necessary. Need to also pick
475 * a good hash function and table size.
478 DPRINTF(IDL_ERROR,("key_gethashval got bogus len!\n"));
481 for(i = 0; i < len; i++) {
482 j ^= (u_int8_t)(*(buf + i));
484 return (j % tblsize);
488 /*----------------------------------------------------------------------
490 * Create hash key for hash function
491 * key is: type+src+dst if keytype = 1
492 * type+src+dst+spi if keytype = 0
493 * Uses only the address portion of the src and dst sockaddrs to
494 * form key. Currently handles only AF_INET and AF_INET6 sockaddrs
495 ----------------------------------------------------------------------*/
497 key_createkey(buf, type, src, dst, spi, keytype)
500 struct sockaddr *src;
501 struct sockaddr *dst;
507 DPRINTF(IDL_FINISHED,("Entering key_createkey\n"));
509 if (!buf || !src || !dst)
513 bcopy((char *)&type, cp, sizeof(type));
518 * Assume only IPv4 and IPv6 addresses.
520 #define ADDRPART(a) \
521 ((a)->sa_family == AF_INET6) ? \
522 (char *)&(((struct sockaddr_in6 *)(a))->sin6_addr) : \
523 (char *)&(((struct sockaddr_in *)(a))->sin_addr)
525 #define ADDRSIZE(a) \
526 ((a)->sa_family == AF_INET6) ? sizeof(struct in6_addr) : \
527 sizeof(struct in_addr)
529 #define ADDRPART(a) (char *)&(((struct sockaddr_in *)(a))->sin_addr)
530 #define ADDRSIZE(a) sizeof(struct in_addr)
533 DPRINTF(IDL_FINISHED,("src addr:\n"));
534 DDO(IDL_FINISHED,dump_smart_sockaddr(src));
535 DPRINTF(IDL_FINISHED,("dst addr:\n"));
536 DDO(IDL_FINISHED,dump_smart_sockaddr(dst));
539 bcopy(p, cp, ADDRSIZE(src));
543 bcopy(p, cp, ADDRSIZE(dst));
550 bcopy((char *)&spi, cp, sizeof(spi));
554 DPRINTF(IDL_FINISHED,("hash key:\n"));
555 DDO(IDL_FINISHED, dump_buf(buf, cp - buf));
560 /*----------------------------------------------------------------------
562 * Search the so2spi table for the security association allocated to
563 * the socket. Returns pointer to a struct key_so2spinode which can
564 * be used to locate the security association entry in the keytable.
565 ----------------------------------------------------------------------*/
566 static struct key_so2spinode *
567 key_sosearch(type, src, dst, so)
569 struct sockaddr *src;
570 struct sockaddr *dst;
573 struct key_so2spinode *np = 0;
576 DPRINTF(IDL_ERROR,("key_sosearch: got null src or dst pointer!\n"));
580 for (np = so2spitbl[((u_int32_t)so) % SO2SPITBLSIZE].next; np; np = np->next) {
581 if ((so == np->socket) && (type == np->keynode->secassoc->type)
582 && addrpart_equal(src, np->keynode->secassoc->src)
583 && addrpart_equal(dst, np->keynode->secassoc->dst))
590 /*----------------------------------------------------------------------
592 * Delete entries from the so2spi table.
593 * flag = 1 purge all entries
594 * flag = 0 delete entries with socket pointer matching socket
595 ----------------------------------------------------------------------*/
597 key_sodelete(socket, flag)
598 struct socket *socket;
601 struct key_so2spinode *prevnp, *np;
606 DPRINTF(IDL_EVENT,("Entering keysodelete w/so=0x%x flag=%d\n",
607 (unsigned int)socket,flag));
612 for (i = 0; i < SO2SPITBLSIZE; i++)
613 for(np = so2spitbl[i].next; np; np = np->next) {
620 prevnp = &so2spitbl[((u_int32_t)socket) % SO2SPITBLSIZE];
621 for(np = prevnp->next; np; np = np->next) {
622 if (np->socket == socket) {
623 struct socketlist *socklp, *prevsocklp;
625 (np->keynode->alloc_count)--;
628 * If this socket maps to a unique secassoc,
629 * we go ahead and delete the secassoc, since it
630 * can no longer be allocated or used by any other
633 if (np->keynode->secassoc->state & K_UNIQUE) {
634 if (key_delete(np->keynode->secassoc) != 0)
635 panic("key_sodelete");
641 * We traverse the socketlist and remove the entry
644 DPRINTF(IDL_FINISHED,("keysodelete: deleting from socklist..."));
645 prevsocklp = np->keynode->solist;
646 for (socklp = prevsocklp->next; socklp; socklp = socklp->next) {
647 if (socklp->socket == socket) {
648 prevsocklp->next = socklp->next;
654 DPRINTF(IDL_FINISHED,("done\n"));
655 prevnp->next = np->next;
665 /*----------------------------------------------------------------------
666 * key_deleteacquire():
667 * Delete an entry from the key_acquirelist
668 ----------------------------------------------------------------------*/
670 key_deleteacquire(type, target)
672 struct sockaddr *target;
674 struct key_acquirelist *ap, *prev;
676 prev = key_acquirelist;
677 for(ap = key_acquirelist->next; ap; ap = ap->next) {
678 if (addrpart_equal(target, (struct sockaddr *)&(ap->target)) &&
679 (type == ap->type)) {
680 DPRINTF(IDL_EVENT,("Deleting entry from acquire list!\n"));
681 prev->next = ap->next;
690 /*----------------------------------------------------------------------
692 * Search the key table for an entry with same type, src addr, dest
693 * addr, and spi. Returns a pointer to struct key_tblnode if found
695 ----------------------------------------------------------------------*/
696 static struct key_tblnode *
697 key_search(type, src, dst, spi, indx, prevkeynode)
699 struct sockaddr *src;
700 struct sockaddr *dst;
703 struct key_tblnode **prevkeynode;
705 struct key_tblnode *keynode, *prevnode;
707 if (indx > KEYTBLSIZE || indx < 0)
709 if (!(&keytable[indx]))
712 #define sec_type keynode->secassoc->type
713 #define sec_spi keynode->secassoc->spi
714 #define sec_src keynode->secassoc->src
715 #define sec_dst keynode->secassoc->dst
717 prevnode = &keytable[indx];
718 for (keynode = keytable[indx].next; keynode; keynode = keynode->next) {
719 if ((type == sec_type) && (spi == sec_spi) &&
720 addrpart_equal(src, sec_src)
721 && addrpart_equal(dst, sec_dst))
725 *prevkeynode = prevnode;
730 /*----------------------------------------------------------------------
732 * Insert a key_tblnode entry into the key table. Returns a pointer
733 * to the newly created key_tblnode.
734 ----------------------------------------------------------------------*/
735 static struct key_tblnode *
736 key_addnode(indx, secassoc)
738 struct key_secassoc *secassoc;
740 struct key_tblnode *keynode;
742 DPRINTF(IDL_FINISHED,("Entering key_addnode w/indx=%d secassoc=0x%x\n",
743 indx, (unsigned int)secassoc));
745 if (!(&keytable[indx]))
748 panic("key_addnode: Someone passed in a null secassoc!\n");
751 KMALLOC(keynode, struct key_tblnode *, sizeof(struct key_tblnode));
754 bzero((char *)keynode, sizeof(struct key_tblnode));
756 KMALLOC(keynode->solist, struct socketlist *, sizeof(struct socketlist));
757 if (keynode->solist == 0) {
761 bzero((char *)(keynode->solist), sizeof(struct socketlist));
763 keynode->secassoc = secassoc;
764 keynode->solist->next = NULL;
765 keynode->next = keytable[indx].next;
766 keytable[indx].next = keynode;
771 /*----------------------------------------------------------------------
773 * Add a new security association to the key table. Caller is
774 * responsible for allocating memory for the key_secassoc as
775 * well as the buffer space for the key, iv. Assumes the security
776 * association passed in is well-formed.
777 ----------------------------------------------------------------------*/
780 struct key_secassoc *secassoc;
782 char buf[MAXHASHKEYLEN];
786 struct key_tblnode *keynode, *prevkeynode;
787 struct key_allocnode *np = NULL;
790 DPRINTF(IDL_FINISHED, ("Entering key_add w/secassoc=0x%x\n",
791 (unsigned int)secassoc));
794 panic("key_add: who the hell is passing me a null pointer");
798 * Should we allow a null key to be inserted into the table ?
799 * or can we use null key to indicate some policy action...
804 * For esp using des-cbc or tripple-des we call
805 * des_set_odd_parity.
807 if (secassoc->key && (secassoc->type == KEY_TYPE_ESP) &&
808 ((secassoc->algorithm == IPSEC_ALGTYPE_ESP_DES_CBC) ||
809 (secassoc->algorithm == IPSEC_ALGTYPE_ESP_3DES)))
810 des_set_odd_parity(secassoc->key);
814 * initialization for anti-replay services.
816 secassoc->sequence = 0;
817 secassoc->replayright = 0;
818 secassoc->replaywindow = 0;
821 * Check if secassoc with same spi exists before adding
823 bzero((char *)&buf, sizeof(buf));
824 len = key_createkey((char *)&buf, secassoc->type, secassoc->src,
825 secassoc->dst, secassoc->spi, 0);
826 indx = key_gethashval((char *)&buf, len, KEYTBLSIZE);
827 DPRINTF(IDL_FINISHED,("keyadd: keytbl hash position=%d\n", indx));
828 keynode = key_search(secassoc->type, secassoc->src, secassoc->dst,
829 secassoc->spi, indx, &prevkeynode);
831 DPRINTF(IDL_EVENT,("keyadd: secassoc already exists!\n"));
835 inbound = my_addr(secassoc->dst);
836 outbound = my_addr(secassoc->src);
837 DPRINTF(IDL_FINISHED,("inbound=%d outbound=%d\n", inbound, outbound));
840 * We allocate mem for an allocation entry if needed.
841 * This is done here instead of in the allocaton code
842 * segment so that we can easily recover/cleanup from a
843 * memory allocation error.
845 if (outbound || (!inbound && !outbound)) {
846 KMALLOC(np, struct key_allocnode *, sizeof(struct key_allocnode));
848 DPRINTF(IDL_ERROR,("keyadd: can't allocate allocnode!\n"));
855 if ((keynode = key_addnode(indx, secassoc)) == NULL) {
856 DPRINTF(IDL_ERROR,("keyadd: key_addnode failed!\n"));
862 DPRINTF(IDL_GROSS_EVENT,("Added new keynode:\n"));
863 DDO(IDL_FINISHED, dump_keytblnode(keynode));
864 DDO(IDL_FINISHED, dump_secassoc(keynode->secassoc));
867 * We add an entry to the allocation table for
868 * this secassoc if the interfaces are up,
869 * the secassoc is outbound. In the case
870 * where the interfaces are not up, we go ahead
871 * , do it anyways. This wastes an allocation
872 * entry if the secassoc later turned out to be
873 * inbound when the interfaces are ifconfig up.
875 if (outbound || (!inbound && !outbound)) {
876 len = key_createkey((char *)&buf, secassoc->type, secassoc->src,
877 secassoc->dst, 0, 1);
878 indx = key_gethashval((char *)&buf, len, KEYALLOCTBLSIZE);
879 DPRINTF(IDL_FINISHED,("keyadd: keyalloc hash position=%d\n", indx));
880 np->keynode = keynode;
881 np->next = keyalloctbl[indx].next;
882 keyalloctbl[indx].next = np;
885 secassoc->state |= K_INBOUND;
887 secassoc->state |= K_OUTBOUND;
889 key_deleteacquire(secassoc->type, secassoc->dst);
896 /*----------------------------------------------------------------------
898 * Get a security association from the key table.
899 ----------------------------------------------------------------------*/
901 key_get(type, src, dst, spi, secassoc)
903 struct sockaddr *src;
904 struct sockaddr *dst;
906 struct key_secassoc **secassoc;
908 char buf[MAXHASHKEYLEN];
909 struct key_tblnode *keynode, *prevkeynode;
912 bzero(&buf, sizeof(buf));
914 len = key_createkey((char *)&buf, type, src, dst, spi, 0);
915 indx = key_gethashval((char *)&buf, len, KEYTBLSIZE);
916 DPRINTF(IDL_FINISHED,("keyget: indx=%d\n",indx));
917 keynode = key_search(type, src, dst, spi, indx, &prevkeynode);
919 DPRINTF(IDL_GROSS_EVENT,("keyget: found it! keynode=0x%x",
920 (unsigned int)keynode));
921 *secassoc = keynode->secassoc;
924 return(-1); /* Not found */
928 /*----------------------------------------------------------------------
930 * Dump all valid entries in the keytable to a pf_key socket. Each
931 * security associaiton is sent one at a time in a pf_key message. A
932 * message with seqno = 0 signifies the end of the dump transaction.
933 ----------------------------------------------------------------------*/
940 struct key_msgdata keyinfo;
941 struct key_msghdr *km;
942 struct key_tblnode *keynode;
946 * Routine to dump the key table to a routing socket
947 * Use for debugging only!
950 kmlen = sizeof(struct key_msghdr) + 3 * MAX_SOCKADDR_SZ + MAX_KEY_SZ
952 KMALLOC(km, struct key_msghdr *, kmlen);
956 DPRINTF(IDL_FINISHED,("Entering key_dump()"));
958 * We need to speed this up later. Fortunately, key_dump
959 * messages are not sent often.
961 for (i = 0; i < KEYTBLSIZE; i++) {
962 for (keynode = keytable[i].next; keynode; keynode = keynode->next) {
964 * We exclude dead/larval/zombie security associations for now
965 * but it may be useful to also send these up for debugging purposes
967 if (keynode->secassoc->state & (K_DEAD | K_LARVAL | K_ZOMBIE))
970 len = (sizeof(struct key_msghdr) +
971 ROUNDUP(keynode->secassoc->src->sa_len) +
972 ROUNDUP(keynode->secassoc->dst->sa_len) +
973 ROUNDUP(keynode->secassoc->from->sa_len) +
974 ROUNDUP(keynode->secassoc->keylen) +
975 ROUNDUP(keynode->secassoc->ivlen) +
976 ROUNDUP(keynode->secassoc->ekeylen));
981 KMALLOC(km, struct key_msghdr *, kmlen);
986 if (key_secassoc2msghdr(keynode->secassoc, km, &keyinfo) != 0)
989 km->key_msglen = len;
990 km->key_msgvers = KEY_VERSION;
991 km->key_msgtype = KEY_DUMP;
992 km->key_pid = curproc->p_pid;
999 bzero((char *)km, sizeof(struct key_msghdr));
1000 km->key_msglen = sizeof(struct key_msghdr);
1001 km->key_msgvers = KEY_VERSION;
1002 km->key_msgtype = KEY_DUMP;
1003 km->key_pid = curproc->p_pid;
1009 DPRINTF(IDL_FINISHED,("Leaving key_dump()\n"));
1013 /*----------------------------------------------------------------------
1015 * Delete a security association from the key table.
1016 ----------------------------------------------------------------------*/
1018 key_delete(secassoc)
1019 struct key_secassoc *secassoc;
1021 char buf[MAXHASHKEYLEN];
1023 struct key_tblnode *keynode = 0;
1024 struct key_tblnode *prevkeynode = 0;
1025 struct socketlist *socklp, *deadsocklp;
1026 struct key_so2spinode *np, *prevnp;
1027 struct key_allocnode *ap, *prevap;
1030 DPRINTF(IDL_FINISHED,("Entering key_delete w/secassoc=0x%x\n",
1031 (unsigned int)secassoc));
1033 bzero((char *)&buf, sizeof(buf));
1034 len = key_createkey((char *)&buf, secassoc->type, secassoc->src,
1035 secassoc->dst, secassoc->spi, 0);
1036 indx = key_gethashval((char *)&buf, len, KEYTBLSIZE);
1037 DPRINTF(IDL_FINISHED,("keydelete: keytbl hash position=%d\n", indx));
1038 keynode = key_search(secassoc->type, secassoc->src, secassoc->dst,
1039 secassoc->spi, indx, &prevkeynode);
1043 DPRINTF(IDL_GROSS_EVENT,("keydelete: found keynode to delete\n"));
1044 keynode->secassoc->state |= K_DEAD;
1046 if (keynode->ref_count > 0) {
1047 DPRINTF(IDL_EVENT,("keydelete: secassoc still held, marking for deletion only!\n"));
1052 prevkeynode->next = keynode->next;
1055 * Walk the socketlist, delete the
1056 * entries mapping sockets to this secassoc
1057 * from the so2spi table.
1059 DPRINTF(IDL_FINISHED,("keydelete: deleting socklist..."));
1060 for(socklp = keynode->solist->next; socklp; ) {
1061 prevnp = &so2spitbl[((u_int32_t)(socklp->socket)) % SO2SPITBLSIZE];
1062 for(np = prevnp->next; np; np = np->next) {
1063 if ((np->socket == socklp->socket) && (np->keynode == keynode)) {
1064 prevnp->next = np->next;
1070 deadsocklp = socklp;
1071 socklp = socklp->next;
1074 DPRINTF(IDL_FINISHED,("done\n"));
1076 * If an allocation entry exist for this
1077 * secassoc, delete it.
1079 bzero((char *)&buf, sizeof(buf));
1080 len = key_createkey((char *)&buf, secassoc->type, secassoc->src,
1081 secassoc->dst, 0, 1);
1082 indx = key_gethashval((char *)&buf, len, KEYALLOCTBLSIZE);
1083 DPRINTF(IDL_FINISHED,("keydelete: alloctbl hash position=%d\n", indx));
1084 prevap = &keyalloctbl[indx];
1085 for (ap = prevap->next; ap; ap = ap->next) {
1086 if (ap->keynode == keynode) {
1087 prevap->next = ap->next;
1094 if (keynode->secassoc->iv)
1095 KFREE(keynode->secassoc->iv);
1096 if (keynode->secassoc->key)
1097 KFREE(keynode->secassoc->key);
1098 if (keynode->secassoc->ekey)
1099 KFREE(keynode->secassoc->ekey);
1100 KFREE(keynode->secassoc);
1101 if (keynode->solist)
1102 KFREE(keynode->solist);
1111 /*----------------------------------------------------------------------
1113 * Delete all entries from the key table.
1114 ----------------------------------------------------------------------*/
1118 struct key_tblnode *keynode;
1125 * This is slow, but simple.
1127 DPRINTF(IDL_FINISHED,("Flushing key table..."));
1128 for (i = 0; i < KEYTBLSIZE; i++) {
1130 while ((keynode = keytable[i].next)) {
1131 if (key_delete(keynode->secassoc) != 0)
1135 printf("key_flush: timo exceeds limit; terminate the loop to prevent hangup\n");
1140 DPRINTF(IDL_FINISHED,("done\n"));
1144 /*----------------------------------------------------------------------
1146 * Get a unique spi value for a key management daemon/program. The
1147 * spi value, once assigned, cannot be assigned again (as long as the
1148 * entry with that same spi value remains in the table).
1149 ----------------------------------------------------------------------*/
1151 key_getspi(type, vers, src, dst, lowval, highval, spi)
1154 struct sockaddr *src;
1155 struct sockaddr *dst;
1160 struct key_secassoc *secassoc;
1161 struct key_tblnode *keynode, *prevkeynode;
1162 int count, done, len, indx;
1163 int maxcount = 1000;
1165 char buf[MAXHASHKEYLEN];
1168 DPRINTF(IDL_EVENT,("Entering getspi w/type=%d,low=%u,high=%u\n",
1169 type, lowval, highval));
1173 if ((lowval == 0) || (highval == 0))
1176 if (lowval > highval) {
1187 * This may not be "random enough".
1189 val = lowval + (random() % (highval - lowval + 1));
1191 if (lowval == highval)
1193 DPRINTF(IDL_FINISHED,("%u ",val));
1195 DPRINTF(IDL_FINISHED,("\n"));
1196 bzero(&buf, sizeof(buf));
1197 len = key_createkey((char *)&buf, type, src, dst, val, 0);
1198 indx = key_gethashval((char *)&buf, len, KEYTBLSIZE);
1199 if (!key_search(type, src, dst, val, indx, &prevkeynode)) {
1201 KMALLOC(secassoc, struct key_secassoc *, sizeof(struct key_secassoc));
1202 if (secassoc == 0) {
1203 DPRINTF(IDL_ERROR,("key_getspi: can't allocate memory\n"));
1207 bzero((char *)secassoc, sizeof(*secassoc));
1209 DPRINTF(IDL_FINISHED,("getspi: indx=%d\n",indx));
1210 secassoc->len = sizeof(struct key_secassoc);
1211 secassoc->type = type;
1212 secassoc->vers = vers;
1213 secassoc->spi = val;
1214 secassoc->state |= K_LARVAL;
1216 secassoc->state |= K_INBOUND;
1218 secassoc->state |= K_OUTBOUND;
1220 KMALLOC(secassoc->src, struct sockaddr *, src->sa_len);
1221 if (!secassoc->src) {
1222 DPRINTF(IDL_ERROR,("key_getspi: can't allocate memory\n"));
1227 bcopy((char *)src, (char *)secassoc->src, src->sa_len);
1228 KMALLOC(secassoc->dst, struct sockaddr *, dst->sa_len);
1229 if (!secassoc->dst) {
1230 DPRINTF(IDL_ERROR,("key_getspi: can't allocate memory\n"));
1231 KFREE(secassoc->src);
1236 bcopy((char *)dst, (char *)secassoc->dst, dst->sa_len);
1238 /* We fill this in with a plausable value now to insure
1239 that other routines don't break. These will get
1240 overwritten later with the correct values. */
1243 secassoc->from->sa_family = AF_INET6;
1244 secassoc->from->sa_len = sizeof(struct sockaddr_in6);
1246 secassoc->from->sa_family = AF_INET;
1247 secassoc->from->sa_len = sizeof(struct sockaddr_in);
1252 * We need to add code to age these larval key table
1253 * entries so they don't linger forever waiting for
1254 * a KEY_UPDATE message that may not come for various
1255 * reasons. This is another task that key_reaper can
1256 * do once we have it coded.
1258 secassoc->lifetime1 += time_second + maxlarvallifetime;
1260 if (!(keynode = key_addnode(indx, secassoc))) {
1261 DPRINTF(IDL_ERROR,("key_getspi: can't add node\n"));
1265 DPRINTF(IDL_FINISHED,("key_getspi: added node 0x%x\n",
1266 (unsigned int)keynode));
1271 } while ((count < maxcount) && !done);
1272 DPRINTF(IDL_EVENT,("getspi returns w/spi=%u,count=%d\n",val,count));
1278 return(EADDRNOTAVAIL);
1283 /*----------------------------------------------------------------------
1285 * Update a keytable entry that has an spi value assigned but is
1286 * incomplete (e.g. no key/iv).
1287 ----------------------------------------------------------------------*/
1289 key_update(secassoc)
1290 struct key_secassoc *secassoc;
1292 struct key_tblnode *keynode, *prevkeynode;
1293 struct key_allocnode *np = 0;
1295 int len, indx, inbound, outbound;
1296 char buf[MAXHASHKEYLEN];
1299 bzero(&buf, sizeof(buf));
1300 len = key_createkey((char *)&buf, secassoc->type, secassoc->src,
1301 secassoc->dst, secassoc->spi, 0);
1302 indx = key_gethashval((char *)&buf, len, KEYTBLSIZE);
1303 if(!(keynode = key_search(secassoc->type, secassoc->src, secassoc->dst,
1304 secassoc->spi, indx, &prevkeynode))) {
1307 if (keynode->secassoc->state & K_DEAD)
1310 /* Should we also restrict updating of only LARVAL entries ? */
1314 inbound = my_addr(secassoc->dst);
1315 outbound = my_addr(secassoc->src);
1317 newstate = keynode->secassoc->state;
1318 newstate &= ~K_LARVAL;
1321 newstate |= K_INBOUND;
1323 newstate |= K_OUTBOUND;
1325 if (outbound || (!inbound && !outbound)) {
1326 KMALLOC(np, struct key_allocnode *, sizeof(struct key_allocnode));
1328 DPRINTF(IDL_ERROR,("keyupdate: can't allocate allocnode!\n"));
1335 * Free the old key, iv if they're there.
1337 if (keynode->secassoc->key)
1338 KFREE(keynode->secassoc->key);
1339 if (keynode->secassoc->iv)
1340 KFREE(keynode->secassoc->iv);
1341 if (keynode->secassoc->ekey)
1342 KFREE(keynode->secassoc->ekey);
1345 * We now copy the secassoc over. We don't need to copy
1346 * the key, iv into new buffers since the calling routine
1347 * does that already.
1350 *(keynode->secassoc) = *secassoc;
1351 keynode->secassoc->state = newstate;
1354 * Should we allow a null key to be inserted into the table ?
1355 * or can we use null key to indicate some policy action...
1359 if (keynode->secassoc->key &&
1360 (keynode->secassoc->type == KEY_TYPE_ESP) &&
1361 ((keynode->secassoc->algorithm == IPSEC_ALGTYPE_ESP_DES_CBC) ||
1362 (keynode->secassoc->algorithm == IPSEC_ALGTYPE_ESP_3DES)))
1363 des_set_odd_parity(keynode->secassoc->key);
1367 * We now add an entry to the allocation table for this
1368 * updated key table entry.
1370 if (outbound || (!inbound && !outbound)) {
1371 len = key_createkey((char *)&buf, secassoc->type, secassoc->src,
1372 secassoc->dst, 0, 1);
1373 indx = key_gethashval((char *)&buf, len, KEYALLOCTBLSIZE);
1374 DPRINTF(IDL_FINISHED,("keyupdate: keyalloc hash position=%d\n", indx));
1375 np->keynode = keynode;
1376 np->next = keyalloctbl[indx].next;
1377 keyalloctbl[indx].next = np;
1380 key_deleteacquire(secassoc->type, (struct sockaddr *)&(secassoc->dst));
1386 /*----------------------------------------------------------------------
1388 * Register a socket as one capable of acquiring security associations
1390 ----------------------------------------------------------------------*/
1392 key_register(socket, type)
1393 struct socket *socket;
1396 struct key_registry *p, *new;
1401 DPRINTF(IDL_EVENT,("Entering key_register w/so=0x%x,type=%d\n",
1402 (unsigned int)socket,type));
1404 if (!(keyregtable && socket))
1405 panic("key_register");
1408 * Make sure entry is not already in table
1410 for(p = keyregtable->next; p; p = p->next) {
1411 if ((p->type == type) && (p->socket == socket)) {
1417 KMALLOC(new, struct key_registry *, sizeof(struct key_registry));
1423 new->socket = socket;
1424 new->next = keyregtable->next;
1425 keyregtable->next = new;
1430 /*----------------------------------------------------------------------
1432 * Delete entries from the registry list.
1433 * allflag = 1 : delete all entries with matching socket
1434 * allflag = 0 : delete only the entry matching socket, type
1435 ----------------------------------------------------------------------*/
1437 key_unregister(socket, type, allflag)
1438 struct socket *socket;
1442 struct key_registry *p, *prev;
1447 DPRINTF(IDL_EVENT,("Entering key_unregister w/so=0x%x,type=%d,flag=%d\n",
1448 (unsigned int)socket, type, allflag));
1450 if (!(keyregtable && socket))
1451 panic("key_register");
1453 for(p = keyregtable->next; p; p = p->next) {
1454 if ((allflag && (p->socket == socket)) ||
1455 ((p->type == type) && (p->socket == socket))) {
1456 prev->next = p->next;
1466 /*----------------------------------------------------------------------
1468 * Send a key_acquire message to all registered key mgnt daemons
1469 * capable of acquire security association of type type.
1471 * Return: 0 if succesfully called key mgnt. daemon(s)
1472 * -1 if not successfull.
1473 ----------------------------------------------------------------------*/
1475 key_acquire(type, src, dst)
1477 struct sockaddr *src;
1478 struct sockaddr *dst;
1480 struct key_registry *p;
1481 struct key_acquirelist *ap, *prevap;
1482 int success = 0, created = 0;
1484 struct key_msghdr *km = NULL;
1487 DPRINTF(IDL_EVENT,("Entering key_acquire()\n"));
1489 if (!keyregtable || !src || !dst)
1493 * We first check the acquirelist to see if a key_acquire
1494 * message has been sent for this destination.
1497 prevap = key_acquirelist;
1498 for(ap = key_acquirelist->next; ap; ap = ap->next) {
1499 if (addrpart_equal(dst, ap->target) &&
1500 (etype == ap->type)) {
1501 DPRINTF(IDL_EVENT,("acquire message previously sent!\n"));
1502 if (ap->expiretime < time_second) {
1503 DPRINTF(IDL_EVENT,("acquire message has expired!\n"));
1507 if (ap->count < maxkeyacquire) {
1508 DPRINTF(IDL_EVENT,("max acquire messages not yet exceeded!\n"));
1512 } else if (ap->expiretime < time_second) {
1514 * Since we're already looking at the list, we may as
1515 * well delete expired entries as we scan through the list.
1516 * This should really be done by a function like key_reaper()
1517 * but until we code key_reaper(), this is a quick, dirty
1520 DPRINTF(IDL_EVENT,("found an expired entry...deleting it!\n"));
1521 prevap->next = ap->next;
1529 * Scan registry, send KEY_ACQUIRE message to
1530 * appropriate key management daemons.
1532 for(p = keyregtable->next; p; p = p->next) {
1533 if (p->type != type)
1537 len = sizeof(struct key_msghdr) + ROUNDUP(src->sa_len) +
1538 ROUNDUP(dst->sa_len);
1539 KMALLOC(km, struct key_msghdr *, len);
1541 DPRINTF(IDL_ERROR,("key_acquire: no memory\n"));
1544 DPRINTF(IDL_FINISHED,("key_acquire/created: 1\n"));
1545 bzero((char *)km, len);
1546 km->key_msglen = len;
1547 km->key_msgvers = KEY_VERSION;
1548 km->key_msgtype = KEY_ACQUIRE;
1550 DPRINTF(IDL_FINISHED,("key_acquire/created: 2\n"));
1552 * This is inefficient, slow.
1556 * We zero out sin_zero here for AF_INET addresses because
1557 * ip_output() currently does not do it for performance reasons.
1559 if (src->sa_family == AF_INET)
1560 bzero((char *)(((struct sockaddr_in *)src)->sin_zero),
1561 sizeof(((struct sockaddr_in *)src)->sin_zero));
1562 if (dst->sa_family == AF_INET)
1563 bzero((char *)(((struct sockaddr_in *)dst)->sin_zero),
1564 sizeof(((struct sockaddr_in *)dst)->sin_zero));
1566 bcopy((char *)src, (char *)(km + 1), src->sa_len);
1567 bcopy((char *)dst, (char *)((int)(km + 1) + ROUNDUP(src->sa_len)),
1569 DPRINTF(IDL_FINISHED,("key_acquire/created: 3\n"));
1572 if (key_sendup(p->socket, km))
1580 * Update the acquirelist
1584 DPRINTF(IDL_EVENT,("Adding new entry in acquirelist\n"));
1585 KMALLOC(ap, struct key_acquirelist *,
1586 sizeof(struct key_acquirelist) + dst->sa_len);
1588 return(success ? 0 : -1);
1589 bzero((char *)ap, sizeof(struct key_acquirelist));
1590 ap->target = (struct sockaddr *)(ap + 1);
1591 bcopy((char *)dst, (char *)ap->target, dst->sa_len);
1593 ap->next = key_acquirelist->next;
1594 key_acquirelist->next = ap;
1596 DPRINTF(IDL_GROSS_EVENT,("Updating acquire counter, expiration time\n"));
1598 ap->expiretime = time_second + maxacquiretime;
1600 DPRINTF(IDL_EVENT,("key_acquire: done! success=%d\n",success));
1601 return(success ? 0 : -1);
1604 /*----------------------------------------------------------------------
1606 * Allocate a security association to a socket. A socket requesting
1607 * unique keying (per-socket keying) is assigned a security assocation
1608 * exclusively for its use. Sockets not requiring unique keying are
1609 * assigned the first security association which may or may not be
1610 * used by another socket.
1611 ----------------------------------------------------------------------*/
1613 key_alloc(type, src, dst, socket, unique_key, keynodep)
1615 struct sockaddr *src;
1616 struct sockaddr *dst;
1617 struct socket *socket;
1619 struct key_tblnode **keynodep;
1621 struct key_tblnode *keynode;
1622 char buf[MAXHASHKEYLEN];
1623 struct key_allocnode *np, *prevnp;
1624 struct key_so2spinode *newnp;
1628 DPRINTF(IDL_FINISHED,("Entering key_alloc w/type=%u!\n",type));
1629 if (!(src && dst)) {
1630 DPRINTF(IDL_ERROR,("key_alloc: received null src or dst!\n"));
1635 * Search key allocation table
1637 bzero((char *)&buf, sizeof(buf));
1638 len = key_createkey((char *)&buf, type, src, dst, 0, 1);
1639 indx = key_gethashval((char *)&buf, len, KEYALLOCTBLSIZE);
1641 #define np_type np->keynode->secassoc->type
1642 #define np_state np->keynode->secassoc->state
1643 #define np_src np->keynode->secassoc->src
1644 #define np_dst np->keynode->secassoc->dst
1646 prevnp = &keyalloctbl[indx];
1647 for (np = keyalloctbl[indx].next; np; np = np->next) {
1648 if ((type == np_type) && addrpart_equal(src, np_src) &&
1649 addrpart_equal(dst, np_dst) &&
1650 !(np_state & (K_LARVAL | K_DEAD | K_UNIQUE))) {
1653 if (!(np_state & K_USED))
1660 struct socketlist *newsp;
1665 DPRINTF(IDL_EVENT,("key_alloc: found node to allocate\n"));
1666 keynode = np->keynode;
1668 KMALLOC(newnp, struct key_so2spinode *, sizeof(struct key_so2spinode));
1670 DPRINTF(IDL_ERROR,("key_alloc: Can't alloc mem for so2spi node!\n"));
1674 KMALLOC(newsp, struct socketlist *, sizeof(struct socketlist));
1676 DPRINTF(IDL_ERROR,("key_alloc: Can't alloc mem for socketlist!\n"));
1684 * Add a hash entry into the so2spi table to
1685 * map socket to allocated secassoc.
1687 DPRINTF(IDL_FINISHED,("key_alloc: adding entry to so2spi table..."));
1688 newnp->keynode = keynode;
1689 newnp->socket = socket;
1690 newnp->next = so2spitbl[((u_int32_t)socket) % SO2SPITBLSIZE].next;
1691 so2spitbl[((u_int32_t)socket) % SO2SPITBLSIZE].next = newnp;
1692 DPRINTF(IDL_FINISHED,("done\n"));
1696 * Need to remove the allocation entry
1697 * since the secassoc is now unique,
1698 * can't be allocated to any other socket
1700 DPRINTF(IDL_EVENT,("key_alloc: making keynode unique..."));
1701 keynode->secassoc->state |= K_UNIQUE;
1702 prevnp->next = np->next;
1704 DPRINTF(IDL_EVENT,("done\n"));
1706 keynode->secassoc->state |= K_USED;
1707 keynode->secassoc->state |= K_OUTBOUND;
1708 keynode->alloc_count++;
1711 * Add socket to list of socket using secassoc.
1713 DPRINTF(IDL_FINISHED,("key_alloc: adding so to solist..."));
1714 newsp->socket = socket;
1715 newsp->next = keynode->solist->next;
1716 keynode->solist->next = newsp;
1717 DPRINTF(IDL_FINISHED,("done\n"));
1718 *keynodep = keynode;
1727 /*----------------------------------------------------------------------
1729 * Decrement the refcount for a key table entry. If the entry is
1730 * marked dead,, the refcount is zero, we go ahead, delete it.
1731 ----------------------------------------------------------------------*/
1734 struct key_tblnode *keynode;
1736 DPRINTF(IDL_GROSS_EVENT,("Entering key_free w/keynode=0x%x\n",
1737 (unsigned int)keynode));
1739 DPRINTF(IDL_ERROR,("Warning: key_free got null pointer\n"));
1742 (keynode->ref_count)--;
1743 if (keynode->ref_count < 0) {
1744 DPRINTF(IDL_ERROR,("Warning: key_free decremented refcount to %d\n",keynode->ref_count));
1746 if ((keynode->secassoc->state & K_DEAD) && (keynode->ref_count <= 0)) {
1747 DPRINTF(IDL_GROSS_EVENT,("key_free: calling key_delete\n"));
1748 key_delete(keynode->secassoc);
1752 /*----------------------------------------------------------------------
1754 * Get a security association for a given type, src, dst,, spi.
1756 * Returns: 0 if sucessfull
1757 * -1 if error/not found
1759 * Caller must convert spi to host order. Function assumes spi is
1761 ----------------------------------------------------------------------*/
1763 getassocbyspi(type, src, dst, spi, keyentry)
1765 struct sockaddr *src;
1766 struct sockaddr *dst;
1768 struct key_tblnode **keyentry;
1770 char buf[MAXHASHKEYLEN];
1772 struct key_tblnode *keynode, *prevkeynode = 0;
1774 DPRINTF(IDL_FINISHED,("Entering getassocbyspi w/type=%u spi=%u\n",type,spi));
1777 bzero(&buf, sizeof(buf));
1778 len = key_createkey((char *)&buf, type, src, dst, spi, 0);
1779 indx = key_gethashval((char *)&buf, len, KEYTBLSIZE);
1780 DPRINTF(IDL_FINISHED,("getassocbyspi: indx=%d\n",indx));
1781 DDO(IDL_FINISHED,dump_sockaddr(src);dump_sockaddr(dst));
1782 keynode = key_search(type, src, dst, spi, indx, &prevkeynode);
1783 DPRINTF(IDL_FINISHED,("getassocbyspi: keysearch ret=0x%x\n",
1784 (unsigned int)keynode));
1785 if (keynode && !(keynode->secassoc->state & (K_DEAD | K_LARVAL))) {
1786 DPRINTF(IDL_GROSS_EVENT,("getassocbyspi: found secassoc!\n"));
1787 (keynode->ref_count)++;
1788 keynode->secassoc->state |= K_USED;
1789 *keyentry = keynode;
1791 DPRINTF(IDL_EVENT,("getassocbyspi: secassoc not found!\n"));
1798 /*----------------------------------------------------------------------
1799 * getassocbysocket():
1800 * Get a security association for a given type, src, dst,, socket.
1801 * If not found, try to allocate one.
1802 * Returns: 0 if successfull
1803 * -1 if error condition/secassoc not found (*keyentry = NULL)
1804 * 1 if secassoc temporarily unavailable (*keynetry = NULL)
1805 * (e.g., key mgnt. daemon(s) called)
1806 ----------------------------------------------------------------------*/
1808 getassocbysocket(type, src, dst, socket, unique_key, keyentry)
1810 struct sockaddr *src;
1811 struct sockaddr *dst;
1812 struct socket *socket;
1814 struct key_tblnode **keyentry;
1816 struct key_tblnode *keynode = 0;
1817 struct key_so2spinode *np;
1820 DPRINTF(IDL_FINISHED,("Entering getassocbysocket w/type=%u so=0x%x\n",
1821 type,(unsigned int)socket));
1824 * We treat esp-transport mode, esp-tunnel mode
1825 * as a single type in the keytable. This has a side
1826 * effect that socket using both esp-transport,
1827 * esp-tunnel will use the same security association
1828 * for both modes. Is this a problem?
1831 if ((np = key_sosearch(type, src, dst, socket))) {
1832 if (np->keynode && np->keynode->secassoc &&
1833 !(np->keynode->secassoc->state & (K_DEAD | K_LARVAL))) {
1834 DPRINTF(IDL_FINISHED,("getassocbysocket: found secassoc!\n"));
1835 (np->keynode->ref_count)++;
1836 *keyentry = np->keynode;
1842 * No secassoc has been allocated to socket,
1843 * so allocate one, if available
1845 DPRINTF(IDL_GROSS_EVENT,("getassocbyso: can't find it, trying to allocate!\n"));
1846 if (key_alloc(realtype, src, dst, socket, unique_key, &keynode) == 0) {
1848 DPRINTF(IDL_GROSS_EVENT,("getassocbyso: key_alloc found secassoc!\n"));
1849 keynode->ref_count++;
1850 *keyentry = keynode;
1854 * Kick key mgnt. daemon(s)
1855 * (this should be done in ipsec_output_policy() instead or
1856 * selectively called based on a flag value)
1858 DPRINTF(IDL_FINISHED,("getassocbyso: calling key mgnt daemons!\n"));
1860 if (key_acquire(realtype, src, dst) == 0)
1870 /*----------------------------------------------------------------------
1872 * Parse message buffer for src/dst/from/iv/key if parseflag = 0
1873 * else parse for src/dst only.
1874 ----------------------------------------------------------------------*/
1876 key_xdata(km, kip, parseflag)
1877 struct key_msghdr *km;
1878 struct key_msgdata *kip;
1883 if (!km || (km->key_msglen <= 0))
1886 cp = (caddr_t)(km + 1);
1887 cpmax = (caddr_t)km + km->key_msglen;
1890 * Assumes user process passes message with
1891 * correct word alignment.
1895 * Need to clean up this code later.
1899 kip->src = (struct sockaddr *)cp;
1900 if (!kip->src->sa_len) {
1901 DPRINTF(IDL_MAJOR_EVENT,("key_xdata couldn't parse src addr\n"));
1905 ADVANCE(cp, kip->src->sa_len);
1907 /* Grab dest addr */
1908 kip->dst = (struct sockaddr *)cp;
1909 if (!kip->dst->sa_len) {
1910 DPRINTF(IDL_MAJOR_EVENT,("key_xdata couldn't parse dest addr\n"));
1914 ADVANCE(cp, kip->dst->sa_len);
1915 if (parseflag == 1) {
1917 kip->key = kip->iv = kip->ekey = 0;
1918 kip->keylen = kip->ivlen = kip->ekeylen = 0;
1922 /* Grab from addr */
1923 kip->from = (struct sockaddr *)cp;
1924 if (!kip->from->sa_len) {
1925 DPRINTF(IDL_MAJOR_EVENT,("key_xdata couldn't parse from addr\n"));
1929 ADVANCE(cp, kip->from->sa_len);
1932 if ((kip->keylen = km->keylen)) {
1934 ADVANCE(cp, km->keylen);
1939 if ((kip->ivlen = km->ivlen)) {
1941 ADVANCE(cp, km->ivlen);
1946 if ((kip->ekeylen = km->ekeylen)) {
1948 ADVANCE(cp, km->ekeylen);
1957 key_parse(kmp, so, dstfamily)
1958 struct key_msghdr **kmp;
1962 int error = 0, keyerror = 0;
1963 struct key_msgdata keyinfo;
1964 struct key_secassoc *secassoc = NULL;
1965 struct key_msghdr *km = *kmp;
1967 DPRINTF(IDL_MAJOR_EVENT, ("Entering key_parse\n"));
1969 #define senderr(e) \
1970 { error = (e); goto flush; }
1972 if (km->key_msgvers != KEY_VERSION) {
1973 DPRINTF(IDL_CRITICAL,("keyoutput: Unsupported key message version!\n"));
1974 senderr(EPROTONOSUPPORT);
1977 km->key_pid = curproc->p_pid;
1979 DDO(IDL_MAJOR_EVENT, printf("keymsghdr:\n"); dump_keymsghdr(km));
1982 * Parse buffer for src addr, dest addr, from addr, key, iv
1984 bzero((char *)&keyinfo, sizeof(keyinfo));
1986 switch (km->key_msgtype) {
1988 DPRINTF(IDL_MAJOR_EVENT,("key_output got KEY_ADD msg\n"));
1990 if (key_xdata(km, &keyinfo, 0) < 0)
1994 * Allocate the secassoc structure to insert
1995 * into key table here.
1997 KMALLOC(secassoc, struct key_secassoc *, sizeof(struct key_secassoc));
1998 if (secassoc == 0) {
1999 DPRINTF(IDL_CRITICAL,("keyoutput: No more memory!\n"));
2003 if (key_msghdr2secassoc(secassoc, km, &keyinfo) < 0) {
2004 DPRINTF(IDL_CRITICAL,("keyoutput: key_msghdr2secassoc failed!\n"));
2008 DPRINTF(IDL_MAJOR_EVENT,("secassoc to add:\n"));
2009 DDO(IDL_MAJOR_EVENT,dump_secassoc(secassoc));
2011 if ((keyerror = key_add(secassoc)) != 0) {
2012 DPRINTF(IDL_CRITICAL,("keyoutput: key_add failed\n"));
2014 KFREE(secassoc->key);
2016 KFREE(secassoc->iv);
2018 KFREE(secassoc->ekey);
2020 if (keyerror == -2) {
2028 DPRINTF(IDL_MAJOR_EVENT,("key_output got KEY_DELETE msg\n"));
2030 if (key_xdata(km, &keyinfo, 1) < 0)
2033 KMALLOC(secassoc, struct key_secassoc *, sizeof(struct key_secassoc));
2034 if (secassoc == 0) {
2037 if (key_msghdr2secassoc(secassoc, km, &keyinfo) < 0) {
2041 if (key_delete(secassoc) != 0) {
2043 KFREE(secassoc->iv);
2045 KFREE(secassoc->key);
2047 KFREE(secassoc->ekey);
2052 KFREE(secassoc->iv);
2054 KFREE(secassoc->key);
2056 KFREE(secassoc->ekey);
2060 DPRINTF(IDL_EVENT,("key_output got KEY_UPDATE msg\n"));
2062 if (key_xdata(km, &keyinfo, 0) < 0)
2065 KMALLOC(secassoc, struct key_secassoc *, sizeof(struct key_secassoc));
2066 if (secassoc == 0) {
2069 if (key_msghdr2secassoc(secassoc, km, &keyinfo) < 0) {
2073 if ((keyerror = key_update(secassoc)) != 0) {
2074 DPRINTF(IDL_CRITICAL,("Error updating key entry\n"));
2076 KFREE(secassoc->iv);
2078 KFREE(secassoc->key);
2080 KFREE(secassoc->ekey);
2087 DPRINTF(IDL_EVENT,("key_output got KEY_GET msg\n"));
2089 if (key_xdata(km, &keyinfo, 1) < 0)
2092 if (key_get(km->type, (struct sockaddr *)keyinfo.src,
2093 (struct sockaddr *)keyinfo.dst,
2094 km->spi, &secassoc) != 0) {
2095 DPRINTF(IDL_EVENT,("keyoutput: can't get key\n"));
2102 DPRINTF(IDL_EVENT,("keyoutput: Found secassoc!\n"));
2103 newlen = sizeof(struct key_msghdr) + ROUNDUP(secassoc->src->sa_len) +
2104 ROUNDUP(secassoc->dst->sa_len) + ROUNDUP(secassoc->from->sa_len) +
2105 ROUNDUP(secassoc->keylen) + ROUNDUP(secassoc->ivlen) +
2106 ROUNDUP(secassoc->ekeylen);
2107 DPRINTF(IDL_EVENT,("keyoutput: newlen=%d\n", newlen));
2108 if (newlen > km->key_msglen) {
2109 struct key_msghdr *newkm;
2111 DPRINTF(IDL_EVENT,("keyoutput: Allocating new buffer!\n"));
2112 KMALLOC(newkm, struct key_msghdr *, newlen);
2116 bcopy((char *)km, (char *)newkm, km->key_msglen);
2117 DPRINTF(IDL_FINISHED,("keyoutput: 1\n"));
2120 DPRINTF(IDL_CRITICAL, ("km->key_msglen = %d, newlen = %d\n",
2121 km->key_msglen, newlen));
2122 km->key_msglen = newlen;
2124 DPRINTF(IDL_FINISHED,("keyoutput: 2\n"));
2125 if (key_secassoc2msghdr(secassoc, km, &keyinfo)) {
2126 DPRINTF(IDL_CRITICAL,("keyoutput: Can't create msghdr!\n"));
2129 DPRINTF(IDL_FINISHED,("keyoutput: 3\n"));
2133 DPRINTF(IDL_EVENT,("key_output got KEY_GETSPI msg\n"));
2135 if (key_xdata(km, &keyinfo, 1) < 0)
2138 if ((keyerror = key_getspi(km->type, km->vers, keyinfo.src, keyinfo.dst,
2139 km->lifetime1, km->lifetime2,
2140 &(km->spi))) != 0) {
2141 DPRINTF(IDL_CRITICAL,("keyoutput: getspi failed error=%d\n", keyerror));
2146 DPRINTF(IDL_EVENT,("key_output got KEY_REGISTER msg\n"));
2147 key_register(so, km->type);
2150 DPRINTF(IDL_EVENT,("key_output got KEY_DUMP msg\n"));
2151 error = key_dump(so);
2155 DPRINTF(IDL_EVENT,("key_output got KEY_FLUSH msg\n"));
2159 DPRINTF(IDL_CRITICAL,("key_output got unsupported msg type=%d\n",
2161 senderr(EOPNOTSUPP);
2172 km->key_errno = error;
2175 *dstfamily = keyinfo.dst ? keyinfo.dst->sa_family : 0;
2177 DPRINTF(IDL_MAJOR_EVENT, ("key_parse exiting with error=%d\n", error));
2182 * Definitions of protocols supported in the KEY domain.
2185 struct sockaddr key_addr = { 2, PF_KEY, };
2186 struct sockproto key_proto = { PF_KEY, };
2188 #define KEYREAPERINT 120
2193 struct key_msghdr *km;
2198 panic("km == NULL in key_sendup\n");
2199 MGETHDR(m, M_WAIT, MT_DATA);
2200 m->m_len = m->m_pkthdr.len = 0;
2203 m->m_pkthdr.rcvif = 0;
2205 m_copyback(m, 0, km->key_msglen, (caddr_t)km);
2207 if (sbappendaddr(&(s->so_rcv), &key_addr, m, NULL)) {
2218 /*----------------------------------------------------------------------
2220 * Scan key table, nuke unwanted entries
2221 ----------------------------------------------------------------------*/
2223 key_reaper(whocares)
2226 DPRINTF(IDL_GROSS_EVENT,("Entering key_reaper()\n"));
2228 timeout(key_reaper, NULL, KEYREAPERINT * HZ);
2232 /*----------------------------------------------------------------------
2234 * Init routine for key socket, key engine
2235 ----------------------------------------------------------------------*/
2239 DPRINTF(IDL_EVENT,("Called key_init().\n"));
2240 if (key_inittables())
2241 panic("key_inittables failed!\n");
2243 timeout(key_reaper, NULL, HZ);
2245 bzero((char *)&keyso_cb, sizeof(keyso_cb));
2248 /*----------------------------------------------------------------------
2250 * Determine if an address belongs to one of my configured interfaces.
2251 * Currently handles only AF_INET, AF_INET6 addresses.
2252 ----------------------------------------------------------------------*/
2255 struct sockaddr *sa;
2257 struct in6_ifaddr *i6a = 0;
2258 struct in_ifaddr *ia = 0;
2260 switch(sa->sa_family) {
2263 for (i6a = in6_ifaddr; i6a; i6a = i6a->ia_next) { /*XXX*/
2264 if (IN6_ARE_ADDR_EQUAL(&((struct sockaddr_in6 *)sa)->sin6_addr,
2265 &i6a->ia_addr.sin6_addr))
2271 for (ia = in_ifaddrhead.tqh_first; ia; ia = ia->ia_link.tqe_next) {
2272 if (((struct sockaddr_in *)sa)->sin_addr.s_addr ==
2273 ia->ia_addr.sin_addr.s_addr)
2281 /*----------------------------------------------------------------------
2283 * Process outbound pf_key message.
2284 ----------------------------------------------------------------------*/
2290 struct key_msghdr *km = 0;
2291 caddr_t cp, cplimit;
2296 DPRINTF(IDL_EVENT,("key_output() got a message len=%d.\n", m->m_pkthdr.len));
2299 #define senderr(e) \
2300 { error = (e); if (km) km->key_errno = error; goto flush; }
2302 if (m == 0 || ((m->m_len < sizeof(long)) &&
2303 (m = m_pullup(m, sizeof(long))) == 0)) {
2304 DPRINTF(IDL_CRITICAL,("key_output can't pullup mbuf\n"));
2307 if ((m->m_flags & M_PKTHDR) == 0)
2308 panic("key_output");
2310 DDO(IDL_FINISHED,dump_mbuf(m));
2312 len = m->m_pkthdr.len;
2313 if (len < sizeof(*km) || len != mtod(m, struct key_msghdr *)->key_msglen) {
2314 DPRINTF(IDL_CRITICAL,("keyout: Invalid length field/length mismatch!\n"));
2317 KMALLOC(km, struct key_msghdr *, len);
2319 DPRINTF(IDL_CRITICAL,("keyoutput: Can't malloc memory!\n"));
2323 m_copydata(m, 0, len, (caddr_t)km);
2325 km->key_errno = error = key_parse(&km, so, &dstfamily);
2326 DPRINTF(IDL_MAJOR_EVENT, ("Back from key_parse\n"));
2332 struct rawcb *rp = 0;
2335 if ((so->so_options & SO_USELOOPBACK) == 0) {
2336 if (keyso_cb.any_count <= 1) {
2344 DPRINTF(IDL_MAJOR_EVENT, ("key_output: foo\n"));
2345 key_proto.sp_protocol = dstfamily;
2348 m = m_devget(km, len, 0, NULL, NULL);
2352 DPRINTF(IDL_MAJOR_EVENT, ("key_output: bar\n"));
2354 rp->rcb_proto.sp_family = 0; /* Prevent us from receiving message */
2356 raw_input(m, &key_proto, &key_addr, &key_addr);
2359 rp->rcb_proto.sp_family = PF_KEY;
2361 DPRINTF(IDL_MAJOR_EVENT, ("key_output: baz\n"));
2367 /*----------------------------------------------------------------------
2369 * Handles protocol requests for pf_key sockets.
2370 ----------------------------------------------------------------------*/
2373 key_attach(struct socket *so, int proto, struct proc *p)
2375 register int error = 0;
2376 register struct rawcb *rp;
2379 DPRINTF(IDL_EVENT,("Entering key_attach\n"));
2381 MALLOC(rp, struct rawcb *, sizeof(*rp), M_PCB, M_WAITOK);
2383 bzero(rp, sizeof(*rp));
2384 so->so_pcb = (caddr_t)rp;
2387 error = (raw_usrreqs.pru_attach)(so, proto, p);
2388 if (!error) { /* XXX was: if (!so) which didn't make sense */
2393 rp = sotorawcb(so); /* isn't this redundant? */
2395 int af = rp->rcb_proto.sp_protocol;
2397 free((caddr_t)rp, M_PCB);
2402 keyso_cb.ip4_count++;
2404 else if (af == AF_INET6)
2405 keyso_cb.ip6_count++;
2407 keyso_cb.any_count++;
2409 rp->rcb_faddr = &key_addr;
2413 MGET(m, M_DONTWAIT, MT_DATA);
2414 if (m) { /* XXX but what about sin_len here? -PW */
2415 rp->rcb_faddr = mtod(m, struct sockaddr *);
2416 bcopy(&key_addr, rp->rcb_faddr, sizeof(struct sockaddr));
2418 rp->rcb_faddr = NULL;
2421 soisconnected(so); /* Key socket, like routing socket, must be
2424 /* Possibly set other needed flags/options at creation time in here. */
2425 so->so_options |= SO_USELOOPBACK; /* Like routing socket, we turn this */
2433 key_detach(struct socket *so)
2435 register int error = 0;
2436 register struct rawcb *rp;
2439 DPRINTF(IDL_EVENT,("Entering key_detach\n"));
2443 int af = rp->rcb_proto.sp_protocol;
2445 keyso_cb.ip4_count--;
2447 else if (af == AF_INET6)
2448 keyso_cb.ip6_count--;
2450 keyso_cb.any_count--;
2453 error = (raw_usrreqs.pru_detach)(so);
2460 key_abort(struct socket *so)
2462 DPRINTF(IDL_EVENT,("Entering key_abort\n"));
2464 return (raw_usrreqs.pru_abort)(so);
2468 key_bind(struct socket *so, struct sockaddr *nam, struct proc *p)
2470 DPRINTF(IDL_EVENT,("Entering key_bind\n"));
2472 return (raw_usrreqs.pru_bind)(so, nam, p);
2476 key_connect(struct socket *so, struct sockaddr *nam, struct proc *p)
2478 DPRINTF(IDL_EVENT,("Entering key_connect\n"));
2480 return (raw_usrreqs.pru_connect)(so, nam, p);
2484 key_disconnect(struct socket *so)
2486 DPRINTF(IDL_EVENT,("Entering key_disconnect\n"));
2488 return (raw_usrreqs.pru_disconnect)(so);
2492 key_send(struct socket *so, int flags, struct mbuf *m, struct sockaddr *nam,
2493 struct mbuf *control, struct proc *p)
2495 DPRINTF(IDL_EVENT,("Entering key_send\n"));
2497 return (raw_usrreqs.pru_send)(so, flags, m, nam, control, p);
2501 key_shutdown(struct socket *so)
2503 DPRINTF(IDL_EVENT,("Entering key_shutdown\n"));
2505 return (raw_usrreqs.pru_shutdown)(so);
2508 /*----------------------------------------------------------------------
2510 * Control block init routine for key socket
2511 ----------------------------------------------------------------------*/
2516 * This is equivalent to raw_init for the routing socket.
2517 * The key socket uses the same control block as the routing
2520 DPRINTF(IDL_EVENT,("Called key_cbinit().\n"));
2524 * Protoswitch entry for pf_key
2527 extern struct domain keydomain; /* or at least forward */
2529 struct pr_usrreqs key_usrreqs = {
2530 key_abort, pru_accept_notsupp, key_attach, key_bind, key_connect,
2531 pru_connect2_notsupp, in_control, key_detach, key_disconnect,
2532 pru_listen_notsupp, in_setpeeraddr, pru_rcvd_notsupp,
2533 pru_rcvoob_notsupp, key_send, pru_sense_null, key_shutdown,
2534 in_setsockaddr, sosend, soreceive, sopoll
2538 struct protosw keysw[] = {
2539 { SOCK_RAW, &keydomain, 0, PR_ATOMIC|PR_ADDR,
2540 0, key_output, raw_ctlinput, 0,
2542 key_cbinit, 0, 0, 0,
2547 struct domain keydomain =
2548 { PF_KEY, "key", key_init, 0, 0,
2549 keysw, &keysw[sizeof(keysw)/sizeof(keysw[0])] };