| @@ -1,1034 +1,1034 @@ | | | @@ -1,1034 +1,1034 @@ |
1 | /* $NetBSD: key.c,v 1.256 2018/07/04 19:20:25 christos Exp $ */ | | 1 | /* $NetBSD: key.c,v 1.257 2018/08/23 01:55:38 ozaki-r Exp $ */ |
2 | /* $FreeBSD: key.c,v 1.3.2.3 2004/02/14 22:23:23 bms Exp $ */ | | 2 | /* $FreeBSD: key.c,v 1.3.2.3 2004/02/14 22:23:23 bms Exp $ */ |
3 | /* $KAME: key.c,v 1.191 2001/06/27 10:46:49 sakane Exp $ */ | | 3 | /* $KAME: key.c,v 1.191 2001/06/27 10:46:49 sakane Exp $ */ |
4 | | | 4 | |
5 | /* | | 5 | /* |
6 | * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. | | 6 | * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. |
7 | * All rights reserved. | | 7 | * All rights reserved. |
8 | * | | 8 | * |
9 | * Redistribution and use in source and binary forms, with or without | | 9 | * Redistribution and use in source and binary forms, with or without |
10 | * modification, are permitted provided that the following conditions | | 10 | * modification, are permitted provided that the following conditions |
11 | * are met: | | 11 | * are met: |
12 | * 1. Redistributions of source code must retain the above copyright | | 12 | * 1. Redistributions of source code must retain the above copyright |
13 | * notice, this list of conditions and the following disclaimer. | | 13 | * notice, this list of conditions and the following disclaimer. |
14 | * 2. Redistributions in binary form must reproduce the above copyright | | 14 | * 2. Redistributions in binary form must reproduce the above copyright |
15 | * notice, this list of conditions and the following disclaimer in the | | 15 | * notice, this list of conditions and the following disclaimer in the |
16 | * documentation and/or other materials provided with the distribution. | | 16 | * documentation and/or other materials provided with the distribution. |
17 | * 3. Neither the name of the project nor the names of its contributors | | 17 | * 3. Neither the name of the project nor the names of its contributors |
18 | * may be used to endorse or promote products derived from this software | | 18 | * may be used to endorse or promote products derived from this software |
19 | * without specific prior written permission. | | 19 | * without specific prior written permission. |
20 | * | | 20 | * |
21 | * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND | | 21 | * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND |
22 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | | 22 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
23 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE | | 23 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE |
24 | * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE | | 24 | * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE |
25 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL | | 25 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL |
26 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS | | 26 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS |
27 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | | 27 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
28 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT | | 28 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT |
29 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY | | 29 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY |
30 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF | | 30 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF |
31 | * SUCH DAMAGE. | | 31 | * SUCH DAMAGE. |
32 | */ | | 32 | */ |
33 | | | 33 | |
34 | #include <sys/cdefs.h> | | 34 | #include <sys/cdefs.h> |
35 | __KERNEL_RCSID(0, "$NetBSD: key.c,v 1.256 2018/07/04 19:20:25 christos Exp $"); | | 35 | __KERNEL_RCSID(0, "$NetBSD: key.c,v 1.257 2018/08/23 01:55:38 ozaki-r Exp $"); |
36 | | | 36 | |
37 | /* | | 37 | /* |
38 | * This code is referred to RFC 2367 | | 38 | * This code is referred to RFC 2367 |
39 | */ | | 39 | */ |
40 | | | 40 | |
41 | #if defined(_KERNEL_OPT) | | 41 | #if defined(_KERNEL_OPT) |
42 | #include "opt_inet.h" | | 42 | #include "opt_inet.h" |
43 | #include "opt_ipsec.h" | | 43 | #include "opt_ipsec.h" |
44 | #include "opt_gateway.h" | | 44 | #include "opt_gateway.h" |
45 | #include "opt_net_mpsafe.h" | | 45 | #include "opt_net_mpsafe.h" |
46 | #endif | | 46 | #endif |
47 | | | 47 | |
48 | #include <sys/types.h> | | 48 | #include <sys/types.h> |
49 | #include <sys/param.h> | | 49 | #include <sys/param.h> |
50 | #include <sys/systm.h> | | 50 | #include <sys/systm.h> |
51 | #include <sys/callout.h> | | 51 | #include <sys/callout.h> |
52 | #include <sys/kernel.h> | | 52 | #include <sys/kernel.h> |
53 | #include <sys/mbuf.h> | | 53 | #include <sys/mbuf.h> |
54 | #include <sys/domain.h> | | 54 | #include <sys/domain.h> |
55 | #include <sys/socket.h> | | 55 | #include <sys/socket.h> |
56 | #include <sys/socketvar.h> | | 56 | #include <sys/socketvar.h> |
57 | #include <sys/sysctl.h> | | 57 | #include <sys/sysctl.h> |
58 | #include <sys/errno.h> | | 58 | #include <sys/errno.h> |
59 | #include <sys/proc.h> | | 59 | #include <sys/proc.h> |
60 | #include <sys/queue.h> | | 60 | #include <sys/queue.h> |
61 | #include <sys/syslog.h> | | 61 | #include <sys/syslog.h> |
62 | #include <sys/once.h> | | 62 | #include <sys/once.h> |
63 | #include <sys/cprng.h> | | 63 | #include <sys/cprng.h> |
64 | #include <sys/psref.h> | | 64 | #include <sys/psref.h> |
65 | #include <sys/lwp.h> | | 65 | #include <sys/lwp.h> |
66 | #include <sys/workqueue.h> | | 66 | #include <sys/workqueue.h> |
67 | #include <sys/kmem.h> | | 67 | #include <sys/kmem.h> |
68 | #include <sys/cpu.h> | | 68 | #include <sys/cpu.h> |
69 | #include <sys/atomic.h> | | 69 | #include <sys/atomic.h> |
70 | #include <sys/pslist.h> | | 70 | #include <sys/pslist.h> |
71 | #include <sys/mutex.h> | | 71 | #include <sys/mutex.h> |
72 | #include <sys/condvar.h> | | 72 | #include <sys/condvar.h> |
73 | #include <sys/localcount.h> | | 73 | #include <sys/localcount.h> |
74 | #include <sys/pserialize.h> | | 74 | #include <sys/pserialize.h> |
75 | #include <sys/hash.h> | | 75 | #include <sys/hash.h> |
76 | | | 76 | |
77 | #include <net/if.h> | | 77 | #include <net/if.h> |
78 | #include <net/route.h> | | 78 | #include <net/route.h> |
79 | | | 79 | |
80 | #include <netinet/in.h> | | 80 | #include <netinet/in.h> |
81 | #include <netinet/in_systm.h> | | 81 | #include <netinet/in_systm.h> |
82 | #include <netinet/ip.h> | | 82 | #include <netinet/ip.h> |
83 | #include <netinet/in_var.h> | | 83 | #include <netinet/in_var.h> |
84 | #ifdef INET | | 84 | #ifdef INET |
85 | #include <netinet/ip_var.h> | | 85 | #include <netinet/ip_var.h> |
86 | #endif | | 86 | #endif |
87 | | | 87 | |
88 | #ifdef INET6 | | 88 | #ifdef INET6 |
89 | #include <netinet/ip6.h> | | 89 | #include <netinet/ip6.h> |
90 | #include <netinet6/in6_var.h> | | 90 | #include <netinet6/in6_var.h> |
91 | #include <netinet6/ip6_var.h> | | 91 | #include <netinet6/ip6_var.h> |
92 | #endif /* INET6 */ | | 92 | #endif /* INET6 */ |
93 | | | 93 | |
94 | #ifdef INET | | 94 | #ifdef INET |
95 | #include <netinet/in_pcb.h> | | 95 | #include <netinet/in_pcb.h> |
96 | #endif | | 96 | #endif |
97 | #ifdef INET6 | | 97 | #ifdef INET6 |
98 | #include <netinet6/in6_pcb.h> | | 98 | #include <netinet6/in6_pcb.h> |
99 | #endif /* INET6 */ | | 99 | #endif /* INET6 */ |
100 | | | 100 | |
101 | #include <net/pfkeyv2.h> | | 101 | #include <net/pfkeyv2.h> |
102 | #include <netipsec/keydb.h> | | 102 | #include <netipsec/keydb.h> |
103 | #include <netipsec/key.h> | | 103 | #include <netipsec/key.h> |
104 | #include <netipsec/keysock.h> | | 104 | #include <netipsec/keysock.h> |
105 | #include <netipsec/key_debug.h> | | 105 | #include <netipsec/key_debug.h> |
106 | | | 106 | |
107 | #include <netipsec/ipsec.h> | | 107 | #include <netipsec/ipsec.h> |
108 | #ifdef INET6 | | 108 | #ifdef INET6 |
109 | #include <netipsec/ipsec6.h> | | 109 | #include <netipsec/ipsec6.h> |
110 | #endif | | 110 | #endif |
111 | #include <netipsec/ipsec_private.h> | | 111 | #include <netipsec/ipsec_private.h> |
112 | | | 112 | |
113 | #include <netipsec/xform.h> | | 113 | #include <netipsec/xform.h> |
114 | #include <netipsec/ipcomp.h> | | 114 | #include <netipsec/ipcomp.h> |
115 | | | 115 | |
116 | #define FULLMASK 0xffu | | 116 | #define FULLMASK 0xffu |
117 | #define _BITS(bytes) ((bytes) << 3) | | 117 | #define _BITS(bytes) ((bytes) << 3) |
118 | | | 118 | |
119 | #define PORT_NONE 0 | | 119 | #define PORT_NONE 0 |
120 | #define PORT_LOOSE 1 | | 120 | #define PORT_LOOSE 1 |
121 | #define PORT_STRICT 2 | | 121 | #define PORT_STRICT 2 |
122 | | | 122 | |
123 | #ifndef SAHHASH_NHASH | | 123 | #ifndef SAHHASH_NHASH |
124 | #define SAHHASH_NHASH 128 | | 124 | #define SAHHASH_NHASH 128 |
125 | #endif | | 125 | #endif |
126 | | | 126 | |
127 | #ifndef SAVLUT_NHASH | | 127 | #ifndef SAVLUT_NHASH |
128 | #define SAVLUT_NHASH 128 | | 128 | #define SAVLUT_NHASH 128 |
129 | #endif | | 129 | #endif |
130 | | | 130 | |
131 | percpu_t *pfkeystat_percpu; | | 131 | percpu_t *pfkeystat_percpu; |
132 | | | 132 | |
133 | /* | | 133 | /* |
134 | * Note on SA reference counting: | | 134 | * Note on SA reference counting: |
135 | * - SAs that are not in DEAD state will have (total external reference + 1) | | 135 | * - SAs that are not in DEAD state will have (total external reference + 1) |
136 | * following value in reference count field. they cannot be freed and are | | 136 | * following value in reference count field. they cannot be freed and are |
137 | * referenced from SA header. | | 137 | * referenced from SA header. |
138 | * - SAs that are in DEAD state will have (total external reference) | | 138 | * - SAs that are in DEAD state will have (total external reference) |
139 | * in reference count field. they are ready to be freed. reference from | | 139 | * in reference count field. they are ready to be freed. reference from |
140 | * SA header will be removed in key_delsav(), when the reference count | | 140 | * SA header will be removed in key_delsav(), when the reference count |
141 | * field hits 0 (= no external reference other than from SA header. | | 141 | * field hits 0 (= no external reference other than from SA header. |
142 | */ | | 142 | */ |
143 | | | 143 | |
144 | u_int32_t key_debug_level = 0; | | 144 | u_int32_t key_debug_level = 0; |
145 | static u_int key_spi_trycnt = 1000; | | 145 | static u_int key_spi_trycnt = 1000; |
146 | static u_int32_t key_spi_minval = 0x100; | | 146 | static u_int32_t key_spi_minval = 0x100; |
147 | static u_int32_t key_spi_maxval = 0x0fffffff; /* XXX */ | | 147 | static u_int32_t key_spi_maxval = 0x0fffffff; /* XXX */ |
148 | static u_int32_t policy_id = 0; | | 148 | static u_int32_t policy_id = 0; |
149 | static u_int key_int_random = 60; /*interval to initialize randseed,1(m)*/ | | 149 | static u_int key_int_random = 60; /*interval to initialize randseed,1(m)*/ |
150 | static u_int key_larval_lifetime = 30; /* interval to expire acquiring, 30(s)*/ | | 150 | static u_int key_larval_lifetime = 30; /* interval to expire acquiring, 30(s)*/ |
151 | static int key_blockacq_count = 10; /* counter for blocking SADB_ACQUIRE.*/ | | 151 | static int key_blockacq_count = 10; /* counter for blocking SADB_ACQUIRE.*/ |
152 | static int key_blockacq_lifetime = 20; /* lifetime for blocking SADB_ACQUIRE.*/ | | 152 | static int key_blockacq_lifetime = 20; /* lifetime for blocking SADB_ACQUIRE.*/ |
153 | static int key_prefered_oldsa = 0; /* prefered old sa rather than new sa.*/ | | 153 | static int key_prefered_oldsa = 0; /* prefered old sa rather than new sa.*/ |
154 | | | 154 | |
155 | static u_int32_t acq_seq = 0; | | 155 | static u_int32_t acq_seq = 0; |
156 | | | 156 | |
157 | /* | | 157 | /* |
158 | * Locking order: there is no order for now; it means that any locks aren't | | 158 | * Locking order: there is no order for now; it means that any locks aren't |
159 | * overlapped. | | 159 | * overlapped. |
160 | */ | | 160 | */ |
161 | /* | | 161 | /* |
162 | * Locking notes on SPD: | | 162 | * Locking notes on SPD: |
163 | * - Modifications to the key_spd.splist must be done with holding key_spd.lock | | 163 | * - Modifications to the key_spd.splist must be done with holding key_spd.lock |
164 | * which is a adaptive mutex | | 164 | * which is a adaptive mutex |
165 | * - Read accesses to the key_spd.splist must be in pserialize(9) read sections | | 165 | * - Read accesses to the key_spd.splist must be in pserialize(9) read sections |
166 | * - SP's lifetime is managed by localcount(9) | | 166 | * - SP's lifetime is managed by localcount(9) |
167 | * - An SP that has been inserted to the key_spd.splist is initially referenced | | 167 | * - An SP that has been inserted to the key_spd.splist is initially referenced |
168 | * by none, i.e., a reference from the key_spd.splist isn't counted | | 168 | * by none, i.e., a reference from the key_spd.splist isn't counted |
169 | * - When an SP is being destroyed, we change its state as DEAD, wait for | | 169 | * - When an SP is being destroyed, we change its state as DEAD, wait for |
170 | * references to the SP to be released, and then deallocate the SP | | 170 | * references to the SP to be released, and then deallocate the SP |
171 | * (see key_unlink_sp) | | 171 | * (see key_unlink_sp) |
172 | * - Getting an SP | | 172 | * - Getting an SP |
173 | * - Normally we get an SP from the key_spd.splist (see key_lookup_sp_byspidx) | | 173 | * - Normally we get an SP from the key_spd.splist (see key_lookup_sp_byspidx) |
174 | * - Must iterate the list and increment the reference count of a found SP | | 174 | * - Must iterate the list and increment the reference count of a found SP |
175 | * (by key_sp_ref) in a pserialize read section | | 175 | * (by key_sp_ref) in a pserialize read section |
176 | * - We can gain another reference from a held SP only if we check its state | | 176 | * - We can gain another reference from a held SP only if we check its state |
177 | * and take its reference in a pserialize read section | | 177 | * and take its reference in a pserialize read section |
178 | * (see esp_output for example) | | 178 | * (see esp_output for example) |
179 | * - We may get an SP from an SP cache. See below | | 179 | * - We may get an SP from an SP cache. See below |
180 | * - A gotten SP must be released after use by KEY_SP_UNREF (key_sp_unref) | | 180 | * - A gotten SP must be released after use by KEY_SP_UNREF (key_sp_unref) |
181 | * - Updating member variables of an SP | | 181 | * - Updating member variables of an SP |
182 | * - Most member variables of an SP are immutable | | 182 | * - Most member variables of an SP are immutable |
183 | * - Only sp->state and sp->lastused can be changed | | 183 | * - Only sp->state and sp->lastused can be changed |
184 | * - sp->state of an SP is updated only when destroying it under key_spd.lock | | 184 | * - sp->state of an SP is updated only when destroying it under key_spd.lock |
185 | * - SP caches | | 185 | * - SP caches |
186 | * - SPs can be cached in PCBs | | 186 | * - SPs can be cached in PCBs |
187 | * - The lifetime of the caches is controlled by the global generation counter | | 187 | * - The lifetime of the caches is controlled by the global generation counter |
188 | * (ipsec_spdgen) | | 188 | * (ipsec_spdgen) |
189 | * - The global counter value is stored when an SP is cached | | 189 | * - The global counter value is stored when an SP is cached |
190 | * - If the stored value is different from the global counter then the cache | | 190 | * - If the stored value is different from the global counter then the cache |
191 | * is considered invalidated | | 191 | * is considered invalidated |
192 | * - The counter is incremented when an SP is being destroyed | | 192 | * - The counter is incremented when an SP is being destroyed |
193 | * - So checking the generation and taking a reference to an SP should be | | 193 | * - So checking the generation and taking a reference to an SP should be |
194 | * in a pserialize read section | | 194 | * in a pserialize read section |
195 | * - Note that caching doesn't increment the reference counter of an SP | | 195 | * - Note that caching doesn't increment the reference counter of an SP |
196 | * - SPs in sockets | | 196 | * - SPs in sockets |
197 | * - Userland programs can set a policy to a socket by | | 197 | * - Userland programs can set a policy to a socket by |
198 | * setsockopt(IP_IPSEC_POLICY) | | 198 | * setsockopt(IP_IPSEC_POLICY) |
199 | * - Such policies (SPs) are set to a socket (PCB) and also inserted to | | 199 | * - Such policies (SPs) are set to a socket (PCB) and also inserted to |
200 | * the key_spd.socksplist list (not the key_spd.splist) | | 200 | * the key_spd.socksplist list (not the key_spd.splist) |
201 | * - Such a policy is destroyed when a corresponding socket is destroed, | | 201 | * - Such a policy is destroyed when a corresponding socket is destroed, |
202 | * however, a socket can be destroyed in softint so we cannot destroy | | 202 | * however, a socket can be destroyed in softint so we cannot destroy |
203 | * it directly instead we just mark it DEAD and delay the destruction | | 203 | * it directly instead we just mark it DEAD and delay the destruction |
204 | * until GC by the timer | | 204 | * until GC by the timer |
205 | * - SP origin | | 205 | * - SP origin |
206 | * - SPs can be created by both userland programs and kernel components. | | 206 | * - SPs can be created by both userland programs and kernel components. |
207 | * The SPs created in kernel must not be removed by userland programs, | | 207 | * The SPs created in kernel must not be removed by userland programs, |
208 | * although the SPs can be read by userland programs. | | 208 | * although the SPs can be read by userland programs. |
209 | */ | | 209 | */ |
210 | /* | | 210 | /* |
211 | * Locking notes on SAD: | | 211 | * Locking notes on SAD: |
212 | * - Data structures | | 212 | * - Data structures |
213 | * - SAs are managed by the list called key_sad.sahlists and sav lists of | | 213 | * - SAs are managed by the list called key_sad.sahlists and sav lists of |
214 | * sah entries | | 214 | * sah entries |
215 | * - An sav is supposed to be an SA from a viewpoint of users | | 215 | * - An sav is supposed to be an SA from a viewpoint of users |
216 | * - A sah has sav lists for each SA state | | 216 | * - A sah has sav lists for each SA state |
217 | * - Multiple saves with the same saidx can exist | | 217 | * - Multiple saves with the same saidx can exist |
218 | * - Only one entry has MATURE state and others should be DEAD | | 218 | * - Only one entry has MATURE state and others should be DEAD |
219 | * - DEAD entries are just ignored from searching | | 219 | * - DEAD entries are just ignored from searching |
220 | * - All sav whose state is MATURE or DYING are registered to the lookup | | 220 | * - All sav whose state is MATURE or DYING are registered to the lookup |
221 | * table called key_sad.savlut in addition to the savlists. | | 221 | * table called key_sad.savlut in addition to the savlists. |
222 | * - The table is used to search an sav without use of saidx. | | 222 | * - The table is used to search an sav without use of saidx. |
223 | * - Modifications to the key_sad.sahlists, sah.savlist and key_sad.savlut | | 223 | * - Modifications to the key_sad.sahlists, sah.savlist and key_sad.savlut |
224 | * must be done with holding key_sad.lock which is a adaptive mutex | | 224 | * must be done with holding key_sad.lock which is a adaptive mutex |
225 | * - Read accesses to the key_sad.sahlists, sah.savlist and key_sad.savlut | | 225 | * - Read accesses to the key_sad.sahlists, sah.savlist and key_sad.savlut |
226 | * must be in pserialize(9) read sections | | 226 | * must be in pserialize(9) read sections |
227 | * - sah's lifetime is managed by localcount(9) | | 227 | * - sah's lifetime is managed by localcount(9) |
228 | * - Getting an sah entry | | 228 | * - Getting an sah entry |
229 | * - We get an sah from the key_sad.sahlists | | 229 | * - We get an sah from the key_sad.sahlists |
230 | * - Must iterate the list and increment the reference count of a found sah | | 230 | * - Must iterate the list and increment the reference count of a found sah |
231 | * (by key_sah_ref) in a pserialize read section | | 231 | * (by key_sah_ref) in a pserialize read section |
232 | * - A gotten sah must be released after use by key_sah_unref | | 232 | * - A gotten sah must be released after use by key_sah_unref |
233 | * - An sah is destroyed when its state become DEAD and no sav is | | 233 | * - An sah is destroyed when its state become DEAD and no sav is |
234 | * listed to the sah | | 234 | * listed to the sah |
235 | * - The destruction is done only in the timer (see key_timehandler_sad) | | 235 | * - The destruction is done only in the timer (see key_timehandler_sad) |
236 | * - sav's lifetime is managed by localcount(9) | | 236 | * - sav's lifetime is managed by localcount(9) |
237 | * - Getting an sav entry | | 237 | * - Getting an sav entry |
238 | * - First get an sah by saidx and get an sav from either of sah's savlists | | 238 | * - First get an sah by saidx and get an sav from either of sah's savlists |
239 | * - Must iterate the list and increment the reference count of a found sav | | 239 | * - Must iterate the list and increment the reference count of a found sav |
240 | * (by key_sa_ref) in a pserialize read section | | 240 | * (by key_sa_ref) in a pserialize read section |
241 | * - We can gain another reference from a held SA only if we check its state | | 241 | * - We can gain another reference from a held SA only if we check its state |
242 | * and take its reference in a pserialize read section | | 242 | * and take its reference in a pserialize read section |
243 | * (see esp_output for example) | | 243 | * (see esp_output for example) |
244 | * - A gotten sav must be released after use by key_sa_unref | | 244 | * - A gotten sav must be released after use by key_sa_unref |
245 | * - An sav is destroyed when its state become DEAD | | 245 | * - An sav is destroyed when its state become DEAD |
246 | */ | | 246 | */ |
247 | /* | | 247 | /* |
248 | * Locking notes on misc data: | | 248 | * Locking notes on misc data: |
249 | * - All lists of key_misc are protected by key_misc.lock | | 249 | * - All lists of key_misc are protected by key_misc.lock |
250 | * - key_misc.lock must be held even for read accesses | | 250 | * - key_misc.lock must be held even for read accesses |
251 | */ | | 251 | */ |
252 | | | 252 | |
253 | /* SPD */ | | 253 | /* SPD */ |
254 | static struct { | | 254 | static struct { |
255 | kmutex_t lock; | | 255 | kmutex_t lock; |
256 | kcondvar_t cv_lc; | | 256 | kcondvar_t cv_lc; |
257 | struct pslist_head splist[IPSEC_DIR_MAX]; | | 257 | struct pslist_head splist[IPSEC_DIR_MAX]; |
258 | /* | | 258 | /* |
259 | * The list has SPs that are set to a socket via | | 259 | * The list has SPs that are set to a socket via |
260 | * setsockopt(IP_IPSEC_POLICY) from userland. See ipsec_set_policy. | | 260 | * setsockopt(IP_IPSEC_POLICY) from userland. See ipsec_set_policy. |
261 | */ | | 261 | */ |
262 | struct pslist_head socksplist; | | 262 | struct pslist_head socksplist; |
263 | | | 263 | |
264 | pserialize_t psz; | | 264 | pserialize_t psz; |
265 | kcondvar_t cv_psz; | | 265 | kcondvar_t cv_psz; |
266 | bool psz_performing; | | 266 | bool psz_performing; |
267 | } key_spd __cacheline_aligned; | | 267 | } key_spd __cacheline_aligned; |
268 | | | 268 | |
269 | /* SAD */ | | 269 | /* SAD */ |
270 | static struct { | | 270 | static struct { |
271 | kmutex_t lock; | | 271 | kmutex_t lock; |
272 | kcondvar_t cv_lc; | | 272 | kcondvar_t cv_lc; |
273 | struct pslist_head *sahlists; | | 273 | struct pslist_head *sahlists; |
274 | u_long sahlistmask; | | 274 | u_long sahlistmask; |
275 | struct pslist_head *savlut; | | 275 | struct pslist_head *savlut; |
276 | u_long savlutmask; | | 276 | u_long savlutmask; |
277 | | | 277 | |
278 | pserialize_t psz; | | 278 | pserialize_t psz; |
279 | kcondvar_t cv_psz; | | 279 | kcondvar_t cv_psz; |
280 | bool psz_performing; | | 280 | bool psz_performing; |
281 | } key_sad __cacheline_aligned; | | 281 | } key_sad __cacheline_aligned; |
282 | | | 282 | |
283 | /* Misc data */ | | 283 | /* Misc data */ |
284 | static struct { | | 284 | static struct { |
285 | kmutex_t lock; | | 285 | kmutex_t lock; |
286 | /* registed list */ | | 286 | /* registed list */ |
287 | LIST_HEAD(_reglist, secreg) reglist[SADB_SATYPE_MAX + 1]; | | 287 | LIST_HEAD(_reglist, secreg) reglist[SADB_SATYPE_MAX + 1]; |
288 | #ifndef IPSEC_NONBLOCK_ACQUIRE | | 288 | #ifndef IPSEC_NONBLOCK_ACQUIRE |
289 | /* acquiring list */ | | 289 | /* acquiring list */ |
290 | LIST_HEAD(_acqlist, secacq) acqlist; | | 290 | LIST_HEAD(_acqlist, secacq) acqlist; |
291 | #endif | | 291 | #endif |
292 | #ifdef notyet | | 292 | #ifdef notyet |
293 | /* SP acquiring list */ | | 293 | /* SP acquiring list */ |
294 | LIST_HEAD(_spacqlist, secspacq) spacqlist; | | 294 | LIST_HEAD(_spacqlist, secspacq) spacqlist; |
295 | #endif | | 295 | #endif |
296 | } key_misc __cacheline_aligned; | | 296 | } key_misc __cacheline_aligned; |
297 | | | 297 | |
298 | /* Macros for key_spd.splist */ | | 298 | /* Macros for key_spd.splist */ |
299 | #define SPLIST_ENTRY_INIT(sp) \ | | 299 | #define SPLIST_ENTRY_INIT(sp) \ |
300 | PSLIST_ENTRY_INIT((sp), pslist_entry) | | 300 | PSLIST_ENTRY_INIT((sp), pslist_entry) |
301 | #define SPLIST_ENTRY_DESTROY(sp) \ | | 301 | #define SPLIST_ENTRY_DESTROY(sp) \ |
302 | PSLIST_ENTRY_DESTROY((sp), pslist_entry) | | 302 | PSLIST_ENTRY_DESTROY((sp), pslist_entry) |
303 | #define SPLIST_WRITER_REMOVE(sp) \ | | 303 | #define SPLIST_WRITER_REMOVE(sp) \ |
304 | PSLIST_WRITER_REMOVE((sp), pslist_entry) | | 304 | PSLIST_WRITER_REMOVE((sp), pslist_entry) |
305 | #define SPLIST_READER_EMPTY(dir) \ | | 305 | #define SPLIST_READER_EMPTY(dir) \ |
306 | (PSLIST_READER_FIRST(&key_spd.splist[(dir)], struct secpolicy, \ | | 306 | (PSLIST_READER_FIRST(&key_spd.splist[(dir)], struct secpolicy, \ |
307 | pslist_entry) == NULL) | | 307 | pslist_entry) == NULL) |
308 | #define SPLIST_READER_FOREACH(sp, dir) \ | | 308 | #define SPLIST_READER_FOREACH(sp, dir) \ |
309 | PSLIST_READER_FOREACH((sp), &key_spd.splist[(dir)], \ | | 309 | PSLIST_READER_FOREACH((sp), &key_spd.splist[(dir)], \ |
310 | struct secpolicy, pslist_entry) | | 310 | struct secpolicy, pslist_entry) |
311 | #define SPLIST_WRITER_FOREACH(sp, dir) \ | | 311 | #define SPLIST_WRITER_FOREACH(sp, dir) \ |
312 | PSLIST_WRITER_FOREACH((sp), &key_spd.splist[(dir)], \ | | 312 | PSLIST_WRITER_FOREACH((sp), &key_spd.splist[(dir)], \ |
313 | struct secpolicy, pslist_entry) | | 313 | struct secpolicy, pslist_entry) |
314 | #define SPLIST_WRITER_INSERT_AFTER(sp, new) \ | | 314 | #define SPLIST_WRITER_INSERT_AFTER(sp, new) \ |
315 | PSLIST_WRITER_INSERT_AFTER((sp), (new), pslist_entry) | | 315 | PSLIST_WRITER_INSERT_AFTER((sp), (new), pslist_entry) |
316 | #define SPLIST_WRITER_EMPTY(dir) \ | | 316 | #define SPLIST_WRITER_EMPTY(dir) \ |
317 | (PSLIST_WRITER_FIRST(&key_spd.splist[(dir)], struct secpolicy, \ | | 317 | (PSLIST_WRITER_FIRST(&key_spd.splist[(dir)], struct secpolicy, \ |
318 | pslist_entry) == NULL) | | 318 | pslist_entry) == NULL) |
319 | #define SPLIST_WRITER_INSERT_HEAD(dir, sp) \ | | 319 | #define SPLIST_WRITER_INSERT_HEAD(dir, sp) \ |
320 | PSLIST_WRITER_INSERT_HEAD(&key_spd.splist[(dir)], (sp), \ | | 320 | PSLIST_WRITER_INSERT_HEAD(&key_spd.splist[(dir)], (sp), \ |
321 | pslist_entry) | | 321 | pslist_entry) |
322 | #define SPLIST_WRITER_NEXT(sp) \ | | 322 | #define SPLIST_WRITER_NEXT(sp) \ |
323 | PSLIST_WRITER_NEXT((sp), struct secpolicy, pslist_entry) | | 323 | PSLIST_WRITER_NEXT((sp), struct secpolicy, pslist_entry) |
324 | #define SPLIST_WRITER_INSERT_TAIL(dir, new) \ | | 324 | #define SPLIST_WRITER_INSERT_TAIL(dir, new) \ |
325 | do { \ | | 325 | do { \ |
326 | if (SPLIST_WRITER_EMPTY((dir))) { \ | | 326 | if (SPLIST_WRITER_EMPTY((dir))) { \ |
327 | SPLIST_WRITER_INSERT_HEAD((dir), (new)); \ | | 327 | SPLIST_WRITER_INSERT_HEAD((dir), (new)); \ |
328 | } else { \ | | 328 | } else { \ |
329 | struct secpolicy *__sp; \ | | 329 | struct secpolicy *__sp; \ |
330 | SPLIST_WRITER_FOREACH(__sp, (dir)) { \ | | 330 | SPLIST_WRITER_FOREACH(__sp, (dir)) { \ |
331 | if (SPLIST_WRITER_NEXT(__sp) == NULL) { \ | | 331 | if (SPLIST_WRITER_NEXT(__sp) == NULL) { \ |
332 | SPLIST_WRITER_INSERT_AFTER(__sp,\ | | 332 | SPLIST_WRITER_INSERT_AFTER(__sp,\ |
333 | (new)); \ | | 333 | (new)); \ |
334 | break; \ | | 334 | break; \ |
335 | } \ | | 335 | } \ |
336 | } \ | | 336 | } \ |
337 | } \ | | 337 | } \ |
338 | } while (0) | | 338 | } while (0) |
339 | | | 339 | |
340 | /* Macros for key_spd.socksplist */ | | 340 | /* Macros for key_spd.socksplist */ |
341 | #define SOCKSPLIST_WRITER_FOREACH(sp) \ | | 341 | #define SOCKSPLIST_WRITER_FOREACH(sp) \ |
342 | PSLIST_WRITER_FOREACH((sp), &key_spd.socksplist, \ | | 342 | PSLIST_WRITER_FOREACH((sp), &key_spd.socksplist, \ |
343 | struct secpolicy, pslist_entry) | | 343 | struct secpolicy, pslist_entry) |
344 | #define SOCKSPLIST_READER_EMPTY() \ | | 344 | #define SOCKSPLIST_READER_EMPTY() \ |
345 | (PSLIST_READER_FIRST(&key_spd.socksplist, struct secpolicy, \ | | 345 | (PSLIST_READER_FIRST(&key_spd.socksplist, struct secpolicy, \ |
346 | pslist_entry) == NULL) | | 346 | pslist_entry) == NULL) |
347 | | | 347 | |
348 | /* Macros for key_sad.sahlist */ | | 348 | /* Macros for key_sad.sahlist */ |
349 | #define SAHLIST_ENTRY_INIT(sah) \ | | 349 | #define SAHLIST_ENTRY_INIT(sah) \ |
350 | PSLIST_ENTRY_INIT((sah), pslist_entry) | | 350 | PSLIST_ENTRY_INIT((sah), pslist_entry) |
351 | #define SAHLIST_ENTRY_DESTROY(sah) \ | | 351 | #define SAHLIST_ENTRY_DESTROY(sah) \ |
352 | PSLIST_ENTRY_DESTROY((sah), pslist_entry) | | 352 | PSLIST_ENTRY_DESTROY((sah), pslist_entry) |
353 | #define SAHLIST_WRITER_REMOVE(sah) \ | | 353 | #define SAHLIST_WRITER_REMOVE(sah) \ |
354 | PSLIST_WRITER_REMOVE((sah), pslist_entry) | | 354 | PSLIST_WRITER_REMOVE((sah), pslist_entry) |
355 | #define SAHLIST_READER_FOREACH(sah) \ | | 355 | #define SAHLIST_READER_FOREACH(sah) \ |
356 | for(int _i_sah = 0; _i_sah <= key_sad.sahlistmask; _i_sah++) \ | | 356 | for(int _i_sah = 0; _i_sah <= key_sad.sahlistmask; _i_sah++) \ |
357 | PSLIST_READER_FOREACH((sah), &key_sad.sahlists[_i_sah], \ | | 357 | PSLIST_READER_FOREACH((sah), &key_sad.sahlists[_i_sah], \ |
358 | struct secashead, pslist_entry) | | 358 | struct secashead, pslist_entry) |
359 | #define SAHLIST_READER_FOREACH_SAIDX(sah, saidx) \ | | 359 | #define SAHLIST_READER_FOREACH_SAIDX(sah, saidx) \ |
360 | PSLIST_READER_FOREACH((sah), \ | | 360 | PSLIST_READER_FOREACH((sah), \ |
361 | &key_sad.sahlists[key_saidxhash((saidx), \ | | 361 | &key_sad.sahlists[key_saidxhash((saidx), \ |
362 | key_sad.sahlistmask)], \ | | 362 | key_sad.sahlistmask)], \ |
363 | struct secashead, pslist_entry) | | 363 | struct secashead, pslist_entry) |
364 | #define SAHLIST_WRITER_FOREACH(sah) \ | | 364 | #define SAHLIST_WRITER_FOREACH(sah) \ |
365 | for(int _i_sah = 0; _i_sah <= key_sad.sahlistmask; _i_sah++) \ | | 365 | for(int _i_sah = 0; _i_sah <= key_sad.sahlistmask; _i_sah++) \ |
366 | PSLIST_WRITER_FOREACH((sah), &key_sad.sahlists[_i_sah], \ | | 366 | PSLIST_WRITER_FOREACH((sah), &key_sad.sahlists[_i_sah], \ |
367 | struct secashead, pslist_entry) | | 367 | struct secashead, pslist_entry) |
368 | #define SAHLIST_WRITER_INSERT_HEAD(sah) \ | | 368 | #define SAHLIST_WRITER_INSERT_HEAD(sah) \ |
369 | PSLIST_WRITER_INSERT_HEAD( \ | | 369 | PSLIST_WRITER_INSERT_HEAD( \ |
370 | &key_sad.sahlists[key_saidxhash(&(sah)->saidx, \ | | 370 | &key_sad.sahlists[key_saidxhash(&(sah)->saidx, \ |
371 | key_sad.sahlistmask)], \ | | 371 | key_sad.sahlistmask)], \ |
372 | (sah), pslist_entry) | | 372 | (sah), pslist_entry) |
373 | | | 373 | |
374 | /* Macros for key_sad.sahlist#savlist */ | | 374 | /* Macros for key_sad.sahlist#savlist */ |
375 | #define SAVLIST_ENTRY_INIT(sav) \ | | 375 | #define SAVLIST_ENTRY_INIT(sav) \ |
376 | PSLIST_ENTRY_INIT((sav), pslist_entry) | | 376 | PSLIST_ENTRY_INIT((sav), pslist_entry) |
377 | #define SAVLIST_ENTRY_DESTROY(sav) \ | | 377 | #define SAVLIST_ENTRY_DESTROY(sav) \ |
378 | PSLIST_ENTRY_DESTROY((sav), pslist_entry) | | 378 | PSLIST_ENTRY_DESTROY((sav), pslist_entry) |
379 | #define SAVLIST_READER_FIRST(sah, state) \ | | 379 | #define SAVLIST_READER_FIRST(sah, state) \ |
380 | PSLIST_READER_FIRST(&(sah)->savlist[(state)], struct secasvar, \ | | 380 | PSLIST_READER_FIRST(&(sah)->savlist[(state)], struct secasvar, \ |
381 | pslist_entry) | | 381 | pslist_entry) |
382 | #define SAVLIST_WRITER_REMOVE(sav) \ | | 382 | #define SAVLIST_WRITER_REMOVE(sav) \ |
383 | PSLIST_WRITER_REMOVE((sav), pslist_entry) | | 383 | PSLIST_WRITER_REMOVE((sav), pslist_entry) |
384 | #define SAVLIST_READER_FOREACH(sav, sah, state) \ | | 384 | #define SAVLIST_READER_FOREACH(sav, sah, state) \ |
385 | PSLIST_READER_FOREACH((sav), &(sah)->savlist[(state)], \ | | 385 | PSLIST_READER_FOREACH((sav), &(sah)->savlist[(state)], \ |
386 | struct secasvar, pslist_entry) | | 386 | struct secasvar, pslist_entry) |
387 | #define SAVLIST_WRITER_FOREACH(sav, sah, state) \ | | 387 | #define SAVLIST_WRITER_FOREACH(sav, sah, state) \ |
388 | PSLIST_WRITER_FOREACH((sav), &(sah)->savlist[(state)], \ | | 388 | PSLIST_WRITER_FOREACH((sav), &(sah)->savlist[(state)], \ |
389 | struct secasvar, pslist_entry) | | 389 | struct secasvar, pslist_entry) |
390 | #define SAVLIST_WRITER_INSERT_BEFORE(sav, new) \ | | 390 | #define SAVLIST_WRITER_INSERT_BEFORE(sav, new) \ |
391 | PSLIST_WRITER_INSERT_BEFORE((sav), (new), pslist_entry) | | 391 | PSLIST_WRITER_INSERT_BEFORE((sav), (new), pslist_entry) |
392 | #define SAVLIST_WRITER_INSERT_AFTER(sav, new) \ | | 392 | #define SAVLIST_WRITER_INSERT_AFTER(sav, new) \ |
393 | PSLIST_WRITER_INSERT_AFTER((sav), (new), pslist_entry) | | 393 | PSLIST_WRITER_INSERT_AFTER((sav), (new), pslist_entry) |
394 | #define SAVLIST_WRITER_EMPTY(sah, state) \ | | 394 | #define SAVLIST_WRITER_EMPTY(sah, state) \ |
395 | (PSLIST_WRITER_FIRST(&(sah)->savlist[(state)], struct secasvar, \ | | 395 | (PSLIST_WRITER_FIRST(&(sah)->savlist[(state)], struct secasvar, \ |
396 | pslist_entry) == NULL) | | 396 | pslist_entry) == NULL) |
397 | #define SAVLIST_WRITER_INSERT_HEAD(sah, state, sav) \ | | 397 | #define SAVLIST_WRITER_INSERT_HEAD(sah, state, sav) \ |
398 | PSLIST_WRITER_INSERT_HEAD(&(sah)->savlist[(state)], (sav), \ | | 398 | PSLIST_WRITER_INSERT_HEAD(&(sah)->savlist[(state)], (sav), \ |
399 | pslist_entry) | | 399 | pslist_entry) |
400 | #define SAVLIST_WRITER_NEXT(sav) \ | | 400 | #define SAVLIST_WRITER_NEXT(sav) \ |
401 | PSLIST_WRITER_NEXT((sav), struct secasvar, pslist_entry) | | 401 | PSLIST_WRITER_NEXT((sav), struct secasvar, pslist_entry) |
402 | #define SAVLIST_WRITER_INSERT_TAIL(sah, state, new) \ | | 402 | #define SAVLIST_WRITER_INSERT_TAIL(sah, state, new) \ |
403 | do { \ | | 403 | do { \ |
404 | if (SAVLIST_WRITER_EMPTY((sah), (state))) { \ | | 404 | if (SAVLIST_WRITER_EMPTY((sah), (state))) { \ |
405 | SAVLIST_WRITER_INSERT_HEAD((sah), (state), (new));\ | | 405 | SAVLIST_WRITER_INSERT_HEAD((sah), (state), (new));\ |
406 | } else { \ | | 406 | } else { \ |
407 | struct secasvar *__sav; \ | | 407 | struct secasvar *__sav; \ |
408 | SAVLIST_WRITER_FOREACH(__sav, (sah), (state)) { \ | | 408 | SAVLIST_WRITER_FOREACH(__sav, (sah), (state)) { \ |
409 | if (SAVLIST_WRITER_NEXT(__sav) == NULL) {\ | | 409 | if (SAVLIST_WRITER_NEXT(__sav) == NULL) {\ |
410 | SAVLIST_WRITER_INSERT_AFTER(__sav,\ | | 410 | SAVLIST_WRITER_INSERT_AFTER(__sav,\ |
411 | (new)); \ | | 411 | (new)); \ |
412 | break; \ | | 412 | break; \ |
413 | } \ | | 413 | } \ |
414 | } \ | | 414 | } \ |
415 | } \ | | 415 | } \ |
416 | } while (0) | | 416 | } while (0) |
417 | #define SAVLIST_READER_NEXT(sav) \ | | 417 | #define SAVLIST_READER_NEXT(sav) \ |
418 | PSLIST_READER_NEXT((sav), struct secasvar, pslist_entry) | | 418 | PSLIST_READER_NEXT((sav), struct secasvar, pslist_entry) |
419 | | | 419 | |
420 | /* Macros for key_sad.savlut */ | | 420 | /* Macros for key_sad.savlut */ |
421 | #define SAVLUT_ENTRY_INIT(sav) \ | | 421 | #define SAVLUT_ENTRY_INIT(sav) \ |
422 | PSLIST_ENTRY_INIT((sav), pslist_entry_savlut) | | 422 | PSLIST_ENTRY_INIT((sav), pslist_entry_savlut) |
423 | #define SAVLUT_READER_FOREACH(sav, dst, proto, hash_key) \ | | 423 | #define SAVLUT_READER_FOREACH(sav, dst, proto, hash_key) \ |
424 | PSLIST_READER_FOREACH((sav), \ | | 424 | PSLIST_READER_FOREACH((sav), \ |
425 | &key_sad.savlut[key_savluthash(dst, proto, hash_key, \ | | 425 | &key_sad.savlut[key_savluthash(dst, proto, hash_key, \ |
426 | key_sad.savlutmask)], \ | | 426 | key_sad.savlutmask)], \ |
427 | struct secasvar, pslist_entry_savlut) | | 427 | struct secasvar, pslist_entry_savlut) |
428 | #define SAVLUT_WRITER_INSERT_HEAD(sav) \ | | 428 | #define SAVLUT_WRITER_INSERT_HEAD(sav) \ |
429 | key_savlut_writer_insert_head((sav)) | | 429 | key_savlut_writer_insert_head((sav)) |
430 | #define SAVLUT_WRITER_REMOVE(sav) \ | | 430 | #define SAVLUT_WRITER_REMOVE(sav) \ |
431 | do { \ | | 431 | do { \ |
432 | if (!(sav)->savlut_added) \ | | 432 | if (!(sav)->savlut_added) \ |
433 | break; \ | | 433 | break; \ |
434 | PSLIST_WRITER_REMOVE((sav), pslist_entry_savlut); \ | | 434 | PSLIST_WRITER_REMOVE((sav), pslist_entry_savlut); \ |
435 | (sav)->savlut_added = false; \ | | 435 | (sav)->savlut_added = false; \ |
436 | } while(0) | | 436 | } while(0) |
437 | | | 437 | |
438 | /* search order for SAs */ | | 438 | /* search order for SAs */ |
439 | /* | | 439 | /* |
440 | * This order is important because we must select the oldest SA | | 440 | * This order is important because we must select the oldest SA |
441 | * for outbound processing. For inbound, This is not important. | | 441 | * for outbound processing. For inbound, This is not important. |
442 | */ | | 442 | */ |
443 | static const u_int saorder_state_valid_prefer_old[] = { | | 443 | static const u_int saorder_state_valid_prefer_old[] = { |
444 | SADB_SASTATE_DYING, SADB_SASTATE_MATURE, | | 444 | SADB_SASTATE_DYING, SADB_SASTATE_MATURE, |
445 | }; | | 445 | }; |
446 | static const u_int saorder_state_valid_prefer_new[] = { | | 446 | static const u_int saorder_state_valid_prefer_new[] = { |
447 | SADB_SASTATE_MATURE, SADB_SASTATE_DYING, | | 447 | SADB_SASTATE_MATURE, SADB_SASTATE_DYING, |
448 | }; | | 448 | }; |
449 | | | 449 | |
450 | static const u_int saorder_state_alive[] = { | | 450 | static const u_int saorder_state_alive[] = { |
451 | /* except DEAD */ | | 451 | /* except DEAD */ |
452 | SADB_SASTATE_MATURE, SADB_SASTATE_DYING, SADB_SASTATE_LARVAL | | 452 | SADB_SASTATE_MATURE, SADB_SASTATE_DYING, SADB_SASTATE_LARVAL |
453 | }; | | 453 | }; |
454 | static const u_int saorder_state_any[] = { | | 454 | static const u_int saorder_state_any[] = { |
455 | SADB_SASTATE_MATURE, SADB_SASTATE_DYING, | | 455 | SADB_SASTATE_MATURE, SADB_SASTATE_DYING, |
456 | SADB_SASTATE_LARVAL, SADB_SASTATE_DEAD | | 456 | SADB_SASTATE_LARVAL, SADB_SASTATE_DEAD |
457 | }; | | 457 | }; |
458 | | | 458 | |
459 | #define SASTATE_ALIVE_FOREACH(s) \ | | 459 | #define SASTATE_ALIVE_FOREACH(s) \ |
460 | for (int _i = 0; \ | | 460 | for (int _i = 0; \ |
461 | _i < __arraycount(saorder_state_alive) ? \ | | 461 | _i < __arraycount(saorder_state_alive) ? \ |
462 | (s) = saorder_state_alive[_i], true : false; \ | | 462 | (s) = saorder_state_alive[_i], true : false; \ |
463 | _i++) | | 463 | _i++) |
464 | #define SASTATE_ANY_FOREACH(s) \ | | 464 | #define SASTATE_ANY_FOREACH(s) \ |
465 | for (int _i = 0; \ | | 465 | for (int _i = 0; \ |
466 | _i < __arraycount(saorder_state_any) ? \ | | 466 | _i < __arraycount(saorder_state_any) ? \ |
467 | (s) = saorder_state_any[_i], true : false; \ | | 467 | (s) = saorder_state_any[_i], true : false; \ |
468 | _i++) | | 468 | _i++) |
469 | #define SASTATE_USABLE_FOREACH(s) \ | | 469 | #define SASTATE_USABLE_FOREACH(s) \ |
470 | for (int _i = 0; \ | | 470 | for (int _i = 0; \ |
471 | _i < __arraycount(saorder_state_valid_prefer_new) ? \ | | 471 | _i < __arraycount(saorder_state_valid_prefer_new) ? \ |
472 | (s) = saorder_state_valid_prefer_new[_i], \ | | 472 | (s) = saorder_state_valid_prefer_new[_i], \ |
473 | true : false; \ | | 473 | true : false; \ |
474 | _i++) | | 474 | _i++) |
475 | | | 475 | |
476 | static const int minsize[] = { | | 476 | static const int minsize[] = { |
477 | sizeof(struct sadb_msg), /* SADB_EXT_RESERVED */ | | 477 | sizeof(struct sadb_msg), /* SADB_EXT_RESERVED */ |
478 | sizeof(struct sadb_sa), /* SADB_EXT_SA */ | | 478 | sizeof(struct sadb_sa), /* SADB_EXT_SA */ |
479 | sizeof(struct sadb_lifetime), /* SADB_EXT_LIFETIME_CURRENT */ | | 479 | sizeof(struct sadb_lifetime), /* SADB_EXT_LIFETIME_CURRENT */ |
480 | sizeof(struct sadb_lifetime), /* SADB_EXT_LIFETIME_HARD */ | | 480 | sizeof(struct sadb_lifetime), /* SADB_EXT_LIFETIME_HARD */ |
481 | sizeof(struct sadb_lifetime), /* SADB_EXT_LIFETIME_SOFT */ | | 481 | sizeof(struct sadb_lifetime), /* SADB_EXT_LIFETIME_SOFT */ |
482 | sizeof(struct sadb_address), /* SADB_EXT_ADDRESS_SRC */ | | 482 | sizeof(struct sadb_address), /* SADB_EXT_ADDRESS_SRC */ |
483 | sizeof(struct sadb_address), /* SADB_EXT_ADDRESS_DST */ | | 483 | sizeof(struct sadb_address), /* SADB_EXT_ADDRESS_DST */ |
484 | sizeof(struct sadb_address), /* SADB_EXT_ADDRESS_PROXY */ | | 484 | sizeof(struct sadb_address), /* SADB_EXT_ADDRESS_PROXY */ |
485 | sizeof(struct sadb_key), /* SADB_EXT_KEY_AUTH */ | | 485 | sizeof(struct sadb_key), /* SADB_EXT_KEY_AUTH */ |
486 | sizeof(struct sadb_key), /* SADB_EXT_KEY_ENCRYPT */ | | 486 | sizeof(struct sadb_key), /* SADB_EXT_KEY_ENCRYPT */ |
487 | sizeof(struct sadb_ident), /* SADB_EXT_IDENTITY_SRC */ | | 487 | sizeof(struct sadb_ident), /* SADB_EXT_IDENTITY_SRC */ |
488 | sizeof(struct sadb_ident), /* SADB_EXT_IDENTITY_DST */ | | 488 | sizeof(struct sadb_ident), /* SADB_EXT_IDENTITY_DST */ |
489 | sizeof(struct sadb_sens), /* SADB_EXT_SENSITIVITY */ | | 489 | sizeof(struct sadb_sens), /* SADB_EXT_SENSITIVITY */ |
490 | sizeof(struct sadb_prop), /* SADB_EXT_PROPOSAL */ | | 490 | sizeof(struct sadb_prop), /* SADB_EXT_PROPOSAL */ |
491 | sizeof(struct sadb_supported), /* SADB_EXT_SUPPORTED_AUTH */ | | 491 | sizeof(struct sadb_supported), /* SADB_EXT_SUPPORTED_AUTH */ |
492 | sizeof(struct sadb_supported), /* SADB_EXT_SUPPORTED_ENCRYPT */ | | 492 | sizeof(struct sadb_supported), /* SADB_EXT_SUPPORTED_ENCRYPT */ |
493 | sizeof(struct sadb_spirange), /* SADB_EXT_SPIRANGE */ | | 493 | sizeof(struct sadb_spirange), /* SADB_EXT_SPIRANGE */ |
494 | 0, /* SADB_X_EXT_KMPRIVATE */ | | 494 | 0, /* SADB_X_EXT_KMPRIVATE */ |
495 | sizeof(struct sadb_x_policy), /* SADB_X_EXT_POLICY */ | | 495 | sizeof(struct sadb_x_policy), /* SADB_X_EXT_POLICY */ |
496 | sizeof(struct sadb_x_sa2), /* SADB_X_SA2 */ | | 496 | sizeof(struct sadb_x_sa2), /* SADB_X_SA2 */ |
497 | sizeof(struct sadb_x_nat_t_type), /* SADB_X_EXT_NAT_T_TYPE */ | | 497 | sizeof(struct sadb_x_nat_t_type), /* SADB_X_EXT_NAT_T_TYPE */ |
498 | sizeof(struct sadb_x_nat_t_port), /* SADB_X_EXT_NAT_T_SPORT */ | | 498 | sizeof(struct sadb_x_nat_t_port), /* SADB_X_EXT_NAT_T_SPORT */ |
499 | sizeof(struct sadb_x_nat_t_port), /* SADB_X_EXT_NAT_T_DPORT */ | | 499 | sizeof(struct sadb_x_nat_t_port), /* SADB_X_EXT_NAT_T_DPORT */ |
500 | sizeof(struct sadb_address), /* SADB_X_EXT_NAT_T_OAI */ | | 500 | sizeof(struct sadb_address), /* SADB_X_EXT_NAT_T_OAI */ |
501 | sizeof(struct sadb_address), /* SADB_X_EXT_NAT_T_OAR */ | | 501 | sizeof(struct sadb_address), /* SADB_X_EXT_NAT_T_OAR */ |
502 | sizeof(struct sadb_x_nat_t_frag), /* SADB_X_EXT_NAT_T_FRAG */ | | 502 | sizeof(struct sadb_x_nat_t_frag), /* SADB_X_EXT_NAT_T_FRAG */ |
503 | }; | | 503 | }; |
504 | static const int maxsize[] = { | | 504 | static const int maxsize[] = { |
505 | sizeof(struct sadb_msg), /* SADB_EXT_RESERVED */ | | 505 | sizeof(struct sadb_msg), /* SADB_EXT_RESERVED */ |
506 | sizeof(struct sadb_sa), /* SADB_EXT_SA */ | | 506 | sizeof(struct sadb_sa), /* SADB_EXT_SA */ |
507 | sizeof(struct sadb_lifetime), /* SADB_EXT_LIFETIME_CURRENT */ | | 507 | sizeof(struct sadb_lifetime), /* SADB_EXT_LIFETIME_CURRENT */ |
508 | sizeof(struct sadb_lifetime), /* SADB_EXT_LIFETIME_HARD */ | | 508 | sizeof(struct sadb_lifetime), /* SADB_EXT_LIFETIME_HARD */ |
509 | sizeof(struct sadb_lifetime), /* SADB_EXT_LIFETIME_SOFT */ | | 509 | sizeof(struct sadb_lifetime), /* SADB_EXT_LIFETIME_SOFT */ |
510 | 0, /* SADB_EXT_ADDRESS_SRC */ | | 510 | 0, /* SADB_EXT_ADDRESS_SRC */ |
511 | 0, /* SADB_EXT_ADDRESS_DST */ | | 511 | 0, /* SADB_EXT_ADDRESS_DST */ |
512 | 0, /* SADB_EXT_ADDRESS_PROXY */ | | 512 | 0, /* SADB_EXT_ADDRESS_PROXY */ |
513 | 0, /* SADB_EXT_KEY_AUTH */ | | 513 | 0, /* SADB_EXT_KEY_AUTH */ |
514 | 0, /* SADB_EXT_KEY_ENCRYPT */ | | 514 | 0, /* SADB_EXT_KEY_ENCRYPT */ |
515 | 0, /* SADB_EXT_IDENTITY_SRC */ | | 515 | 0, /* SADB_EXT_IDENTITY_SRC */ |
516 | 0, /* SADB_EXT_IDENTITY_DST */ | | 516 | 0, /* SADB_EXT_IDENTITY_DST */ |
517 | 0, /* SADB_EXT_SENSITIVITY */ | | 517 | 0, /* SADB_EXT_SENSITIVITY */ |
518 | 0, /* SADB_EXT_PROPOSAL */ | | 518 | 0, /* SADB_EXT_PROPOSAL */ |
519 | 0, /* SADB_EXT_SUPPORTED_AUTH */ | | 519 | 0, /* SADB_EXT_SUPPORTED_AUTH */ |
520 | 0, /* SADB_EXT_SUPPORTED_ENCRYPT */ | | 520 | 0, /* SADB_EXT_SUPPORTED_ENCRYPT */ |
521 | sizeof(struct sadb_spirange), /* SADB_EXT_SPIRANGE */ | | 521 | sizeof(struct sadb_spirange), /* SADB_EXT_SPIRANGE */ |
522 | 0, /* SADB_X_EXT_KMPRIVATE */ | | 522 | 0, /* SADB_X_EXT_KMPRIVATE */ |
523 | 0, /* SADB_X_EXT_POLICY */ | | 523 | 0, /* SADB_X_EXT_POLICY */ |
524 | sizeof(struct sadb_x_sa2), /* SADB_X_SA2 */ | | 524 | sizeof(struct sadb_x_sa2), /* SADB_X_SA2 */ |
525 | sizeof(struct sadb_x_nat_t_type), /* SADB_X_EXT_NAT_T_TYPE */ | | 525 | sizeof(struct sadb_x_nat_t_type), /* SADB_X_EXT_NAT_T_TYPE */ |
526 | sizeof(struct sadb_x_nat_t_port), /* SADB_X_EXT_NAT_T_SPORT */ | | 526 | sizeof(struct sadb_x_nat_t_port), /* SADB_X_EXT_NAT_T_SPORT */ |
527 | sizeof(struct sadb_x_nat_t_port), /* SADB_X_EXT_NAT_T_DPORT */ | | 527 | sizeof(struct sadb_x_nat_t_port), /* SADB_X_EXT_NAT_T_DPORT */ |
528 | 0, /* SADB_X_EXT_NAT_T_OAI */ | | 528 | 0, /* SADB_X_EXT_NAT_T_OAI */ |
529 | 0, /* SADB_X_EXT_NAT_T_OAR */ | | 529 | 0, /* SADB_X_EXT_NAT_T_OAR */ |
530 | sizeof(struct sadb_x_nat_t_frag), /* SADB_X_EXT_NAT_T_FRAG */ | | 530 | sizeof(struct sadb_x_nat_t_frag), /* SADB_X_EXT_NAT_T_FRAG */ |
531 | }; | | 531 | }; |
532 | | | 532 | |
533 | static int ipsec_esp_keymin = 256; | | 533 | static int ipsec_esp_keymin = 256; |
534 | static int ipsec_esp_auth = 0; | | 534 | static int ipsec_esp_auth = 0; |
535 | static int ipsec_ah_keymin = 128; | | 535 | static int ipsec_ah_keymin = 128; |
536 | | | 536 | |
537 | #ifdef SYSCTL_DECL | | 537 | #ifdef SYSCTL_DECL |
538 | SYSCTL_DECL(_net_key); | | 538 | SYSCTL_DECL(_net_key); |
539 | #endif | | 539 | #endif |
540 | | | 540 | |
541 | #ifdef SYSCTL_INT | | 541 | #ifdef SYSCTL_INT |
542 | SYSCTL_INT(_net_key, KEYCTL_DEBUG_LEVEL, debug, CTLFLAG_RW, \ | | 542 | SYSCTL_INT(_net_key, KEYCTL_DEBUG_LEVEL, debug, CTLFLAG_RW, \ |
543 | &key_debug_level, 0, ""); | | 543 | &key_debug_level, 0, ""); |
544 | | | 544 | |
545 | /* max count of trial for the decision of spi value */ | | 545 | /* max count of trial for the decision of spi value */ |
546 | SYSCTL_INT(_net_key, KEYCTL_SPI_TRY, spi_trycnt, CTLFLAG_RW, \ | | 546 | SYSCTL_INT(_net_key, KEYCTL_SPI_TRY, spi_trycnt, CTLFLAG_RW, \ |
547 | &key_spi_trycnt, 0, ""); | | 547 | &key_spi_trycnt, 0, ""); |
548 | | | 548 | |
549 | /* minimum spi value to allocate automatically. */ | | 549 | /* minimum spi value to allocate automatically. */ |
550 | SYSCTL_INT(_net_key, KEYCTL_SPI_MIN_VALUE, spi_minval, CTLFLAG_RW, \ | | 550 | SYSCTL_INT(_net_key, KEYCTL_SPI_MIN_VALUE, spi_minval, CTLFLAG_RW, \ |
551 | &key_spi_minval, 0, ""); | | 551 | &key_spi_minval, 0, ""); |
552 | | | 552 | |
553 | /* maximun spi value to allocate automatically. */ | | 553 | /* maximun spi value to allocate automatically. */ |
554 | SYSCTL_INT(_net_key, KEYCTL_SPI_MAX_VALUE, spi_maxval, CTLFLAG_RW, \ | | 554 | SYSCTL_INT(_net_key, KEYCTL_SPI_MAX_VALUE, spi_maxval, CTLFLAG_RW, \ |
555 | &key_spi_maxval, 0, ""); | | 555 | &key_spi_maxval, 0, ""); |
556 | | | 556 | |
557 | /* interval to initialize randseed */ | | 557 | /* interval to initialize randseed */ |
558 | SYSCTL_INT(_net_key, KEYCTL_RANDOM_INT, int_random, CTLFLAG_RW, \ | | 558 | SYSCTL_INT(_net_key, KEYCTL_RANDOM_INT, int_random, CTLFLAG_RW, \ |
559 | &key_int_random, 0, ""); | | 559 | &key_int_random, 0, ""); |
560 | | | 560 | |
561 | /* lifetime for larval SA */ | | 561 | /* lifetime for larval SA */ |
562 | SYSCTL_INT(_net_key, KEYCTL_LARVAL_LIFETIME, larval_lifetime, CTLFLAG_RW, \ | | 562 | SYSCTL_INT(_net_key, KEYCTL_LARVAL_LIFETIME, larval_lifetime, CTLFLAG_RW, \ |
563 | &key_larval_lifetime, 0, ""); | | 563 | &key_larval_lifetime, 0, ""); |
564 | | | 564 | |
565 | /* counter for blocking to send SADB_ACQUIRE to IKEd */ | | 565 | /* counter for blocking to send SADB_ACQUIRE to IKEd */ |
566 | SYSCTL_INT(_net_key, KEYCTL_BLOCKACQ_COUNT, blockacq_count, CTLFLAG_RW, \ | | 566 | SYSCTL_INT(_net_key, KEYCTL_BLOCKACQ_COUNT, blockacq_count, CTLFLAG_RW, \ |
567 | &key_blockacq_count, 0, ""); | | 567 | &key_blockacq_count, 0, ""); |
568 | | | 568 | |
569 | /* lifetime for blocking to send SADB_ACQUIRE to IKEd */ | | 569 | /* lifetime for blocking to send SADB_ACQUIRE to IKEd */ |
570 | SYSCTL_INT(_net_key, KEYCTL_BLOCKACQ_LIFETIME, blockacq_lifetime, CTLFLAG_RW, \ | | 570 | SYSCTL_INT(_net_key, KEYCTL_BLOCKACQ_LIFETIME, blockacq_lifetime, CTLFLAG_RW, \ |
571 | &key_blockacq_lifetime, 0, ""); | | 571 | &key_blockacq_lifetime, 0, ""); |
572 | | | 572 | |
573 | /* ESP auth */ | | 573 | /* ESP auth */ |
574 | SYSCTL_INT(_net_key, KEYCTL_ESP_AUTH, esp_auth, CTLFLAG_RW, \ | | 574 | SYSCTL_INT(_net_key, KEYCTL_ESP_AUTH, esp_auth, CTLFLAG_RW, \ |
575 | &ipsec_esp_auth, 0, ""); | | 575 | &ipsec_esp_auth, 0, ""); |
576 | | | 576 | |
577 | /* minimum ESP key length */ | | 577 | /* minimum ESP key length */ |
578 | SYSCTL_INT(_net_key, KEYCTL_ESP_KEYMIN, esp_keymin, CTLFLAG_RW, \ | | 578 | SYSCTL_INT(_net_key, KEYCTL_ESP_KEYMIN, esp_keymin, CTLFLAG_RW, \ |
579 | &ipsec_esp_keymin, 0, ""); | | 579 | &ipsec_esp_keymin, 0, ""); |
580 | | | 580 | |
581 | /* minimum AH key length */ | | 581 | /* minimum AH key length */ |
582 | SYSCTL_INT(_net_key, KEYCTL_AH_KEYMIN, ah_keymin, CTLFLAG_RW, \ | | 582 | SYSCTL_INT(_net_key, KEYCTL_AH_KEYMIN, ah_keymin, CTLFLAG_RW, \ |
583 | &ipsec_ah_keymin, 0, ""); | | 583 | &ipsec_ah_keymin, 0, ""); |
584 | | | 584 | |
585 | /* perfered old SA rather than new SA */ | | 585 | /* perfered old SA rather than new SA */ |
586 | SYSCTL_INT(_net_key, KEYCTL_PREFERED_OLDSA, prefered_oldsa, CTLFLAG_RW,\ | | 586 | SYSCTL_INT(_net_key, KEYCTL_PREFERED_OLDSA, prefered_oldsa, CTLFLAG_RW,\ |
587 | &key_prefered_oldsa, 0, ""); | | 587 | &key_prefered_oldsa, 0, ""); |
588 | #endif /* SYSCTL_INT */ | | 588 | #endif /* SYSCTL_INT */ |
589 | | | 589 | |
590 | #define __LIST_CHAINED(elm) \ | | 590 | #define __LIST_CHAINED(elm) \ |
591 | (!((elm)->chain.le_next == NULL && (elm)->chain.le_prev == NULL)) | | 591 | (!((elm)->chain.le_next == NULL && (elm)->chain.le_prev == NULL)) |
592 | #define LIST_INSERT_TAIL(head, elm, type, field) \ | | 592 | #define LIST_INSERT_TAIL(head, elm, type, field) \ |
593 | do {\ | | 593 | do {\ |
594 | struct type *curelm = LIST_FIRST(head); \ | | 594 | struct type *curelm = LIST_FIRST(head); \ |
595 | if (curelm == NULL) {\ | | 595 | if (curelm == NULL) {\ |
596 | LIST_INSERT_HEAD(head, elm, field); \ | | 596 | LIST_INSERT_HEAD(head, elm, field); \ |
597 | } else { \ | | 597 | } else { \ |
598 | while (LIST_NEXT(curelm, field)) \ | | 598 | while (LIST_NEXT(curelm, field)) \ |
599 | curelm = LIST_NEXT(curelm, field);\ | | 599 | curelm = LIST_NEXT(curelm, field);\ |
600 | LIST_INSERT_AFTER(curelm, elm, field);\ | | 600 | LIST_INSERT_AFTER(curelm, elm, field);\ |
601 | }\ | | 601 | }\ |
602 | } while (0) | | 602 | } while (0) |
603 | | | 603 | |
604 | #define KEY_CHKSASTATE(head, sav) \ | | 604 | #define KEY_CHKSASTATE(head, sav) \ |
605 | /* do */ { \ | | 605 | /* do */ { \ |
606 | if ((head) != (sav)) { \ | | 606 | if ((head) != (sav)) { \ |
607 | IPSECLOG(LOG_DEBUG, \ | | 607 | IPSECLOG(LOG_DEBUG, \ |
608 | "state mismatched (TREE=%d SA=%d)\n", \ | | 608 | "state mismatched (TREE=%d SA=%d)\n", \ |
609 | (head), (sav)); \ | | 609 | (head), (sav)); \ |
610 | continue; \ | | 610 | continue; \ |
611 | } \ | | 611 | } \ |
612 | } /* while (0) */ | | 612 | } /* while (0) */ |
613 | | | 613 | |
614 | #define KEY_CHKSPDIR(head, sp) \ | | 614 | #define KEY_CHKSPDIR(head, sp) \ |
615 | do { \ | | 615 | do { \ |
616 | if ((head) != (sp)) { \ | | 616 | if ((head) != (sp)) { \ |
617 | IPSECLOG(LOG_DEBUG, \ | | 617 | IPSECLOG(LOG_DEBUG, \ |
618 | "direction mismatched (TREE=%d SP=%d), anyway continue.\n",\ | | 618 | "direction mismatched (TREE=%d SP=%d), anyway continue.\n",\ |
619 | (head), (sp)); \ | | 619 | (head), (sp)); \ |
620 | } \ | | 620 | } \ |
621 | } while (0) | | 621 | } while (0) |
622 | | | 622 | |
623 | /* | | 623 | /* |
624 | * set parameters into secasindex buffer. | | 624 | * set parameters into secasindex buffer. |
625 | * Must allocate secasindex buffer before calling this function. | | 625 | * Must allocate secasindex buffer before calling this function. |
626 | */ | | 626 | */ |
627 | static int | | 627 | static int |
628 | key_setsecasidx(int, int, int, const struct sockaddr *, | | 628 | key_setsecasidx(int, int, int, const struct sockaddr *, |
629 | const struct sockaddr *, struct secasindex *); | | 629 | const struct sockaddr *, struct secasindex *); |
630 | | | 630 | |
631 | /* key statistics */ | | 631 | /* key statistics */ |
632 | struct _keystat { | | 632 | struct _keystat { |
633 | u_long getspi_count; /* the avarage of count to try to get new SPI */ | | 633 | u_long getspi_count; /* the avarage of count to try to get new SPI */ |
634 | } keystat; | | 634 | } keystat; |
635 | | | 635 | |
636 | static void | | 636 | static void |
637 | key_init_spidx_bymsghdr(struct secpolicyindex *, const struct sadb_msghdr *); | | 637 | key_init_spidx_bymsghdr(struct secpolicyindex *, const struct sadb_msghdr *); |
638 | | | 638 | |
639 | static const struct sockaddr * | | 639 | static const struct sockaddr * |
640 | key_msghdr_get_sockaddr(const struct sadb_msghdr *mhp, int idx) | | 640 | key_msghdr_get_sockaddr(const struct sadb_msghdr *mhp, int idx) |
641 | { | | 641 | { |
642 | | | 642 | |
643 | return PFKEY_ADDR_SADDR(mhp->ext[idx]); | | 643 | return PFKEY_ADDR_SADDR(mhp->ext[idx]); |
644 | } | | 644 | } |
645 | | | 645 | |
646 | static void | | 646 | static void |
647 | key_fill_replymsg(struct mbuf *m, int seq) | | 647 | key_fill_replymsg(struct mbuf *m, int seq) |
648 | { | | 648 | { |
649 | struct sadb_msg *msg; | | 649 | struct sadb_msg *msg; |
650 | | | 650 | |
651 | KASSERT(m->m_len >= sizeof(*msg)); | | 651 | KASSERT(m->m_len >= sizeof(*msg)); |
652 | | | 652 | |
653 | msg = mtod(m, struct sadb_msg *); | | 653 | msg = mtod(m, struct sadb_msg *); |
654 | msg->sadb_msg_errno = 0; | | 654 | msg->sadb_msg_errno = 0; |
655 | msg->sadb_msg_len = PFKEY_UNIT64(m->m_pkthdr.len); | | 655 | msg->sadb_msg_len = PFKEY_UNIT64(m->m_pkthdr.len); |
656 | if (seq != 0) | | 656 | if (seq != 0) |
657 | msg->sadb_msg_seq = seq; | | 657 | msg->sadb_msg_seq = seq; |
658 | } | | 658 | } |
659 | | | 659 | |
660 | #if 0 | | 660 | #if 0 |
661 | static void key_freeso(struct socket *); | | 661 | static void key_freeso(struct socket *); |
662 | static void key_freesp_so(struct secpolicy **); | | 662 | static void key_freesp_so(struct secpolicy **); |
663 | #endif | | 663 | #endif |
664 | static struct secpolicy *key_getsp (const struct secpolicyindex *); | | 664 | static struct secpolicy *key_getsp (const struct secpolicyindex *); |
665 | static struct secpolicy *key_getspbyid (u_int32_t); | | 665 | static struct secpolicy *key_getspbyid (u_int32_t); |
666 | static struct secpolicy *key_lookup_and_remove_sp(const struct secpolicyindex *, bool); | | 666 | static struct secpolicy *key_lookup_and_remove_sp(const struct secpolicyindex *, bool); |
667 | static struct secpolicy *key_lookupbyid_and_remove_sp(u_int32_t, bool); | | 667 | static struct secpolicy *key_lookupbyid_and_remove_sp(u_int32_t, bool); |
668 | static void key_destroy_sp(struct secpolicy *); | | 668 | static void key_destroy_sp(struct secpolicy *); |
669 | static struct mbuf *key_gather_mbuf (struct mbuf *, | | 669 | static struct mbuf *key_gather_mbuf (struct mbuf *, |
670 | const struct sadb_msghdr *, int, int, ...); | | 670 | const struct sadb_msghdr *, int, int, ...); |
671 | static int key_api_spdadd(struct socket *, struct mbuf *, | | 671 | static int key_api_spdadd(struct socket *, struct mbuf *, |
672 | const struct sadb_msghdr *); | | 672 | const struct sadb_msghdr *); |
673 | static u_int32_t key_getnewspid (void); | | 673 | static u_int32_t key_getnewspid (void); |
674 | static int key_api_spddelete(struct socket *, struct mbuf *, | | 674 | static int key_api_spddelete(struct socket *, struct mbuf *, |
675 | const struct sadb_msghdr *); | | 675 | const struct sadb_msghdr *); |
676 | static int key_api_spddelete2(struct socket *, struct mbuf *, | | 676 | static int key_api_spddelete2(struct socket *, struct mbuf *, |
677 | const struct sadb_msghdr *); | | 677 | const struct sadb_msghdr *); |
678 | static int key_api_spdget(struct socket *, struct mbuf *, | | 678 | static int key_api_spdget(struct socket *, struct mbuf *, |
679 | const struct sadb_msghdr *); | | 679 | const struct sadb_msghdr *); |
680 | static int key_api_spdflush(struct socket *, struct mbuf *, | | 680 | static int key_api_spdflush(struct socket *, struct mbuf *, |
681 | const struct sadb_msghdr *); | | 681 | const struct sadb_msghdr *); |
682 | static int key_api_spddump(struct socket *, struct mbuf *, | | 682 | static int key_api_spddump(struct socket *, struct mbuf *, |
683 | const struct sadb_msghdr *); | | 683 | const struct sadb_msghdr *); |
684 | static struct mbuf * key_setspddump (int *errorp, pid_t); | | 684 | static struct mbuf * key_setspddump (int *errorp, pid_t); |
685 | static struct mbuf * key_setspddump_chain (int *errorp, int *lenp, pid_t pid); | | 685 | static struct mbuf * key_setspddump_chain (int *errorp, int *lenp, pid_t pid); |
686 | static int key_api_nat_map(struct socket *, struct mbuf *, | | 686 | static int key_api_nat_map(struct socket *, struct mbuf *, |
687 | const struct sadb_msghdr *); | | 687 | const struct sadb_msghdr *); |
688 | static struct mbuf *key_setdumpsp (struct secpolicy *, | | 688 | static struct mbuf *key_setdumpsp (struct secpolicy *, |
689 | u_int8_t, u_int32_t, pid_t); | | 689 | u_int8_t, u_int32_t, pid_t); |
690 | static u_int key_getspreqmsglen (const struct secpolicy *); | | 690 | static u_int key_getspreqmsglen (const struct secpolicy *); |
691 | static int key_spdexpire (struct secpolicy *); | | 691 | static int key_spdexpire (struct secpolicy *); |
692 | static struct secashead *key_newsah (const struct secasindex *); | | 692 | static struct secashead *key_newsah (const struct secasindex *); |
693 | static void key_unlink_sah(struct secashead *); | | 693 | static void key_unlink_sah(struct secashead *); |
694 | static void key_destroy_sah(struct secashead *); | | 694 | static void key_destroy_sah(struct secashead *); |
695 | static bool key_sah_has_sav(struct secashead *); | | 695 | static bool key_sah_has_sav(struct secashead *); |
696 | static void key_sah_ref(struct secashead *); | | 696 | static void key_sah_ref(struct secashead *); |
697 | static void key_sah_unref(struct secashead *); | | 697 | static void key_sah_unref(struct secashead *); |
698 | static void key_init_sav(struct secasvar *); | | 698 | static void key_init_sav(struct secasvar *); |
699 | static void key_destroy_sav(struct secasvar *); | | 699 | static void key_destroy_sav(struct secasvar *); |
700 | static void key_destroy_sav_with_ref(struct secasvar *); | | 700 | static void key_destroy_sav_with_ref(struct secasvar *); |
701 | static struct secasvar *key_newsav(struct mbuf *, | | 701 | static struct secasvar *key_newsav(struct mbuf *, |
702 | const struct sadb_msghdr *, int *, const char*, int); | | 702 | const struct sadb_msghdr *, int *, const char*, int); |
703 | #define KEY_NEWSAV(m, sadb, e) \ | | 703 | #define KEY_NEWSAV(m, sadb, e) \ |
704 | key_newsav(m, sadb, e, __func__, __LINE__) | | 704 | key_newsav(m, sadb, e, __func__, __LINE__) |
705 | static void key_delsav (struct secasvar *); | | 705 | static void key_delsav (struct secasvar *); |
706 | static struct secashead *key_getsah(const struct secasindex *, int); | | 706 | static struct secashead *key_getsah(const struct secasindex *, int); |
707 | static struct secashead *key_getsah_ref(const struct secasindex *, int); | | 707 | static struct secashead *key_getsah_ref(const struct secasindex *, int); |
708 | static bool key_checkspidup(const struct secasindex *, u_int32_t); | | 708 | static bool key_checkspidup(const struct secasindex *, u_int32_t); |
709 | static struct secasvar *key_getsavbyspi (struct secashead *, u_int32_t); | | 709 | static struct secasvar *key_getsavbyspi (struct secashead *, u_int32_t); |
710 | static int key_setsaval (struct secasvar *, struct mbuf *, | | 710 | static int key_setsaval (struct secasvar *, struct mbuf *, |
711 | const struct sadb_msghdr *); | | 711 | const struct sadb_msghdr *); |
712 | static void key_freesaval(struct secasvar *); | | 712 | static void key_freesaval(struct secasvar *); |
713 | static int key_init_xform(struct secasvar *); | | 713 | static int key_init_xform(struct secasvar *); |
714 | static void key_clear_xform(struct secasvar *); | | 714 | static void key_clear_xform(struct secasvar *); |
715 | static struct mbuf *key_setdumpsa (struct secasvar *, u_int8_t, | | 715 | static struct mbuf *key_setdumpsa (struct secasvar *, u_int8_t, |
716 | u_int8_t, u_int32_t, u_int32_t); | | 716 | u_int8_t, u_int32_t, u_int32_t); |
717 | static struct mbuf *key_setsadbxport (u_int16_t, u_int16_t); | | 717 | static struct mbuf *key_setsadbxport (u_int16_t, u_int16_t); |
718 | static struct mbuf *key_setsadbxtype (u_int16_t); | | 718 | static struct mbuf *key_setsadbxtype (u_int16_t); |
719 | static struct mbuf *key_setsadbxfrag (u_int16_t); | | 719 | static struct mbuf *key_setsadbxfrag (u_int16_t); |
720 | static void key_porttosaddr (union sockaddr_union *, u_int16_t); | | 720 | static void key_porttosaddr (union sockaddr_union *, u_int16_t); |
721 | static int key_checksalen (const union sockaddr_union *); | | 721 | static int key_checksalen (const union sockaddr_union *); |
722 | static struct mbuf *key_setsadbmsg (u_int8_t, u_int16_t, u_int8_t, | | 722 | static struct mbuf *key_setsadbmsg (u_int8_t, u_int16_t, u_int8_t, |
723 | u_int32_t, pid_t, u_int16_t, int); | | 723 | u_int32_t, pid_t, u_int16_t, int); |
724 | static struct mbuf *key_setsadbsa (struct secasvar *); | | 724 | static struct mbuf *key_setsadbsa (struct secasvar *); |
725 | static struct mbuf *key_setsadbaddr(u_int16_t, | | 725 | static struct mbuf *key_setsadbaddr(u_int16_t, |
726 | const struct sockaddr *, u_int8_t, u_int16_t, int); | | 726 | const struct sockaddr *, u_int8_t, u_int16_t, int); |
727 | #if 0 | | 727 | #if 0 |
728 | static struct mbuf *key_setsadbident (u_int16_t, u_int16_t, void *, | | 728 | static struct mbuf *key_setsadbident (u_int16_t, u_int16_t, void *, |
729 | int, u_int64_t); | | 729 | int, u_int64_t); |
730 | #endif | | 730 | #endif |
731 | static struct mbuf *key_setsadbxsa2 (u_int8_t, u_int32_t, u_int16_t); | | 731 | static struct mbuf *key_setsadbxsa2 (u_int8_t, u_int32_t, u_int16_t); |
732 | static struct mbuf *key_setsadbxpolicy (u_int16_t, u_int8_t, | | 732 | static struct mbuf *key_setsadbxpolicy (u_int16_t, u_int8_t, |
733 | u_int32_t, int); | | 733 | u_int32_t, int); |
734 | static void *key_newbuf (const void *, u_int); | | 734 | static void *key_newbuf (const void *, u_int); |
735 | #ifdef INET6 | | 735 | #ifdef INET6 |
736 | static int key_ismyaddr6 (const struct sockaddr_in6 *); | | 736 | static int key_ismyaddr6 (const struct sockaddr_in6 *); |
737 | #endif | | 737 | #endif |
738 | | | 738 | |
739 | static void sysctl_net_keyv2_setup(struct sysctllog **); | | 739 | static void sysctl_net_keyv2_setup(struct sysctllog **); |
740 | static void sysctl_net_key_compat_setup(struct sysctllog **); | | 740 | static void sysctl_net_key_compat_setup(struct sysctllog **); |
741 | | | 741 | |
742 | /* flags for key_saidx_match() */ | | 742 | /* flags for key_saidx_match() */ |
743 | #define CMP_HEAD 1 /* protocol, addresses. */ | | 743 | #define CMP_HEAD 1 /* protocol, addresses. */ |
744 | #define CMP_MODE_REQID 2 /* additionally HEAD, reqid, mode. */ | | 744 | #define CMP_MODE_REQID 2 /* additionally HEAD, reqid, mode. */ |
745 | #define CMP_REQID 3 /* additionally HEAD, reaid. */ | | 745 | #define CMP_REQID 3 /* additionally HEAD, reaid. */ |
746 | #define CMP_EXACTLY 4 /* all elements. */ | | 746 | #define CMP_EXACTLY 4 /* all elements. */ |
747 | static int key_saidx_match(const struct secasindex *, | | 747 | static int key_saidx_match(const struct secasindex *, |
748 | const struct secasindex *, int); | | 748 | const struct secasindex *, int); |
749 | | | 749 | |
750 | static int key_sockaddr_match(const struct sockaddr *, | | 750 | static int key_sockaddr_match(const struct sockaddr *, |
751 | const struct sockaddr *, int); | | 751 | const struct sockaddr *, int); |
752 | static int key_bb_match_withmask(const void *, const void *, u_int); | | 752 | static int key_bb_match_withmask(const void *, const void *, u_int); |
753 | static u_int16_t key_satype2proto (u_int8_t); | | 753 | static u_int16_t key_satype2proto (u_int8_t); |
754 | static u_int8_t key_proto2satype (u_int16_t); | | 754 | static u_int8_t key_proto2satype (u_int16_t); |
755 | | | 755 | |
756 | static int key_spidx_match_exactly(const struct secpolicyindex *, | | 756 | static int key_spidx_match_exactly(const struct secpolicyindex *, |
757 | const struct secpolicyindex *); | | 757 | const struct secpolicyindex *); |
758 | static int key_spidx_match_withmask(const struct secpolicyindex *, | | 758 | static int key_spidx_match_withmask(const struct secpolicyindex *, |
759 | const struct secpolicyindex *); | | 759 | const struct secpolicyindex *); |
760 | | | 760 | |
761 | static int key_api_getspi(struct socket *, struct mbuf *, | | 761 | static int key_api_getspi(struct socket *, struct mbuf *, |
762 | const struct sadb_msghdr *); | | 762 | const struct sadb_msghdr *); |
763 | static u_int32_t key_do_getnewspi (const struct sadb_spirange *, | | 763 | static u_int32_t key_do_getnewspi (const struct sadb_spirange *, |
764 | const struct secasindex *); | | 764 | const struct secasindex *); |
765 | static int key_handle_natt_info (struct secasvar *, | | 765 | static int key_handle_natt_info (struct secasvar *, |
766 | const struct sadb_msghdr *); | | 766 | const struct sadb_msghdr *); |
767 | static int key_set_natt_ports (union sockaddr_union *, | | 767 | static int key_set_natt_ports (union sockaddr_union *, |
768 | union sockaddr_union *, | | 768 | union sockaddr_union *, |
769 | const struct sadb_msghdr *); | | 769 | const struct sadb_msghdr *); |
770 | static int key_api_update(struct socket *, struct mbuf *, | | 770 | static int key_api_update(struct socket *, struct mbuf *, |
771 | const struct sadb_msghdr *); | | 771 | const struct sadb_msghdr *); |
772 | #ifdef IPSEC_DOSEQCHECK | | 772 | #ifdef IPSEC_DOSEQCHECK |
773 | static struct secasvar *key_getsavbyseq (struct secashead *, u_int32_t); | | 773 | static struct secasvar *key_getsavbyseq (struct secashead *, u_int32_t); |
774 | #endif | | 774 | #endif |
775 | static int key_api_add(struct socket *, struct mbuf *, | | 775 | static int key_api_add(struct socket *, struct mbuf *, |
776 | const struct sadb_msghdr *); | | 776 | const struct sadb_msghdr *); |
777 | static int key_setident (struct secashead *, struct mbuf *, | | 777 | static int key_setident (struct secashead *, struct mbuf *, |
778 | const struct sadb_msghdr *); | | 778 | const struct sadb_msghdr *); |
779 | static struct mbuf *key_getmsgbuf_x1 (struct mbuf *, | | 779 | static struct mbuf *key_getmsgbuf_x1 (struct mbuf *, |
780 | const struct sadb_msghdr *); | | 780 | const struct sadb_msghdr *); |
781 | static int key_api_delete(struct socket *, struct mbuf *, | | 781 | static int key_api_delete(struct socket *, struct mbuf *, |
782 | const struct sadb_msghdr *); | | 782 | const struct sadb_msghdr *); |
783 | static int key_api_get(struct socket *, struct mbuf *, | | 783 | static int key_api_get(struct socket *, struct mbuf *, |
784 | const struct sadb_msghdr *); | | 784 | const struct sadb_msghdr *); |
785 | | | 785 | |
786 | static void key_getcomb_setlifetime (struct sadb_comb *); | | 786 | static void key_getcomb_setlifetime (struct sadb_comb *); |
787 | static struct mbuf *key_getcomb_esp(int); | | 787 | static struct mbuf *key_getcomb_esp(int); |
788 | static struct mbuf *key_getcomb_ah(int); | | 788 | static struct mbuf *key_getcomb_ah(int); |
789 | static struct mbuf *key_getcomb_ipcomp(int); | | 789 | static struct mbuf *key_getcomb_ipcomp(int); |
790 | static struct mbuf *key_getprop(const struct secasindex *, int); | | 790 | static struct mbuf *key_getprop(const struct secasindex *, int); |
791 | | | 791 | |
792 | static int key_acquire(const struct secasindex *, const struct secpolicy *, | | 792 | static int key_acquire(const struct secasindex *, const struct secpolicy *, |
793 | int); | | 793 | int); |
794 | static int key_acquire_sendup_mbuf_later(struct mbuf *); | | 794 | static int key_acquire_sendup_mbuf_later(struct mbuf *); |
795 | static void key_acquire_sendup_pending_mbuf(void); | | 795 | static void key_acquire_sendup_pending_mbuf(void); |
796 | #ifndef IPSEC_NONBLOCK_ACQUIRE | | 796 | #ifndef IPSEC_NONBLOCK_ACQUIRE |
797 | static struct secacq *key_newacq (const struct secasindex *); | | 797 | static struct secacq *key_newacq (const struct secasindex *); |
798 | static struct secacq *key_getacq (const struct secasindex *); | | 798 | static struct secacq *key_getacq (const struct secasindex *); |
799 | static struct secacq *key_getacqbyseq (u_int32_t); | | 799 | static struct secacq *key_getacqbyseq (u_int32_t); |
800 | #endif | | 800 | #endif |
801 | #ifdef notyet | | 801 | #ifdef notyet |
802 | static struct secspacq *key_newspacq (const struct secpolicyindex *); | | 802 | static struct secspacq *key_newspacq (const struct secpolicyindex *); |
803 | static struct secspacq *key_getspacq (const struct secpolicyindex *); | | 803 | static struct secspacq *key_getspacq (const struct secpolicyindex *); |
804 | #endif | | 804 | #endif |
805 | static int key_api_acquire(struct socket *, struct mbuf *, | | 805 | static int key_api_acquire(struct socket *, struct mbuf *, |
806 | const struct sadb_msghdr *); | | 806 | const struct sadb_msghdr *); |
807 | static int key_api_register(struct socket *, struct mbuf *, | | 807 | static int key_api_register(struct socket *, struct mbuf *, |
808 | const struct sadb_msghdr *); | | 808 | const struct sadb_msghdr *); |
809 | static int key_expire (struct secasvar *); | | 809 | static int key_expire (struct secasvar *); |
810 | static int key_api_flush(struct socket *, struct mbuf *, | | 810 | static int key_api_flush(struct socket *, struct mbuf *, |
811 | const struct sadb_msghdr *); | | 811 | const struct sadb_msghdr *); |
812 | static struct mbuf *key_setdump_chain (u_int8_t req_satype, int *errorp, | | 812 | static struct mbuf *key_setdump_chain (u_int8_t req_satype, int *errorp, |
813 | int *lenp, pid_t pid); | | 813 | int *lenp, pid_t pid); |
814 | static int key_api_dump(struct socket *, struct mbuf *, | | 814 | static int key_api_dump(struct socket *, struct mbuf *, |
815 | const struct sadb_msghdr *); | | 815 | const struct sadb_msghdr *); |
816 | static int key_api_promisc(struct socket *, struct mbuf *, | | 816 | static int key_api_promisc(struct socket *, struct mbuf *, |
817 | const struct sadb_msghdr *); | | 817 | const struct sadb_msghdr *); |
818 | static int key_senderror (struct socket *, struct mbuf *, int); | | 818 | static int key_senderror (struct socket *, struct mbuf *, int); |
819 | static int key_validate_ext (const struct sadb_ext *, int); | | 819 | static int key_validate_ext (const struct sadb_ext *, int); |
820 | static int key_align (struct mbuf *, struct sadb_msghdr *); | | 820 | static int key_align (struct mbuf *, struct sadb_msghdr *); |
821 | #if 0 | | 821 | #if 0 |
822 | static const char *key_getfqdn (void); | | 822 | static const char *key_getfqdn (void); |
823 | static const char *key_getuserfqdn (void); | | 823 | static const char *key_getuserfqdn (void); |
824 | #endif | | 824 | #endif |
825 | static void key_sa_chgstate (struct secasvar *, u_int8_t); | | 825 | static void key_sa_chgstate (struct secasvar *, u_int8_t); |
826 | | | 826 | |
827 | static struct mbuf *key_alloc_mbuf(int, int); | | 827 | static struct mbuf *key_alloc_mbuf(int, int); |
828 | static struct mbuf *key_alloc_mbuf_simple(int, int); | | 828 | static struct mbuf *key_alloc_mbuf_simple(int, int); |
829 | | | 829 | |
830 | static void key_timehandler(void *); | | 830 | static void key_timehandler(void *); |
831 | static void key_timehandler_work(struct work *, void *); | | 831 | static void key_timehandler_work(struct work *, void *); |
832 | static struct callout key_timehandler_ch; | | 832 | static struct callout key_timehandler_ch; |
833 | static struct workqueue *key_timehandler_wq; | | 833 | static struct workqueue *key_timehandler_wq; |
834 | static struct work key_timehandler_wk; | | 834 | static struct work key_timehandler_wk; |
835 | | | 835 | |
836 | static inline void | | 836 | static inline void |
837 | key_savlut_writer_insert_head(struct secasvar *sav); | | 837 | key_savlut_writer_insert_head(struct secasvar *sav); |
838 | static inline uint32_t | | 838 | static inline uint32_t |
839 | key_saidxhash(const struct secasindex *, u_long); | | 839 | key_saidxhash(const struct secasindex *, u_long); |
840 | static inline uint32_t | | 840 | static inline uint32_t |
841 | key_savluthash(const struct sockaddr *, | | 841 | key_savluthash(const struct sockaddr *, |
842 | uint32_t, uint32_t, u_long); | | 842 | uint32_t, uint32_t, u_long); |
843 | | | 843 | |
844 | /* | | 844 | /* |
845 | * Utilities for percpu counters for sadb_lifetime_allocations and | | 845 | * Utilities for percpu counters for sadb_lifetime_allocations and |
846 | * sadb_lifetime_bytes. | | 846 | * sadb_lifetime_bytes. |
847 | */ | | 847 | */ |
848 | #define LIFETIME_COUNTER_ALLOCATIONS 0 | | 848 | #define LIFETIME_COUNTER_ALLOCATIONS 0 |
849 | #define LIFETIME_COUNTER_BYTES 1 | | 849 | #define LIFETIME_COUNTER_BYTES 1 |
850 | #define LIFETIME_COUNTER_SIZE 2 | | 850 | #define LIFETIME_COUNTER_SIZE 2 |
851 | | | 851 | |
852 | typedef uint64_t lifetime_counters_t[LIFETIME_COUNTER_SIZE]; | | 852 | typedef uint64_t lifetime_counters_t[LIFETIME_COUNTER_SIZE]; |
853 | | | 853 | |
854 | static void | | 854 | static void |
855 | key_sum_lifetime_counters(void *p, void *arg, struct cpu_info *ci __unused) | | 855 | key_sum_lifetime_counters(void *p, void *arg, struct cpu_info *ci __unused) |
856 | { | | 856 | { |
857 | lifetime_counters_t *one = p; | | 857 | lifetime_counters_t *one = p; |
858 | lifetime_counters_t *sum = arg; | | 858 | lifetime_counters_t *sum = arg; |
859 | | | 859 | |
860 | (*sum)[LIFETIME_COUNTER_ALLOCATIONS] += (*one)[LIFETIME_COUNTER_ALLOCATIONS]; | | 860 | (*sum)[LIFETIME_COUNTER_ALLOCATIONS] += (*one)[LIFETIME_COUNTER_ALLOCATIONS]; |
861 | (*sum)[LIFETIME_COUNTER_BYTES] += (*one)[LIFETIME_COUNTER_BYTES]; | | 861 | (*sum)[LIFETIME_COUNTER_BYTES] += (*one)[LIFETIME_COUNTER_BYTES]; |
862 | } | | 862 | } |
863 | | | 863 | |
864 | u_int | | 864 | u_int |
865 | key_sp_refcnt(const struct secpolicy *sp) | | 865 | key_sp_refcnt(const struct secpolicy *sp) |
866 | { | | 866 | { |
867 | | | 867 | |
868 | /* FIXME */ | | 868 | /* FIXME */ |
869 | return 0; | | 869 | return 0; |
870 | } | | 870 | } |
871 | | | 871 | |
872 | static void | | 872 | static void |
873 | key_spd_pserialize_perform(void) | | 873 | key_spd_pserialize_perform(void) |
874 | { | | 874 | { |
875 | | | 875 | |
876 | KASSERT(mutex_owned(&key_spd.lock)); | | 876 | KASSERT(mutex_owned(&key_spd.lock)); |
877 | | | 877 | |
878 | while (key_spd.psz_performing) | | 878 | while (key_spd.psz_performing) |
879 | cv_wait(&key_spd.cv_psz, &key_spd.lock); | | 879 | cv_wait(&key_spd.cv_psz, &key_spd.lock); |
880 | key_spd.psz_performing = true; | | 880 | key_spd.psz_performing = true; |
881 | mutex_exit(&key_spd.lock); | | 881 | mutex_exit(&key_spd.lock); |
882 | | | 882 | |
883 | pserialize_perform(key_spd.psz); | | 883 | pserialize_perform(key_spd.psz); |
884 | | | 884 | |
885 | mutex_enter(&key_spd.lock); | | 885 | mutex_enter(&key_spd.lock); |
886 | key_spd.psz_performing = false; | | 886 | key_spd.psz_performing = false; |
887 | cv_broadcast(&key_spd.cv_psz); | | 887 | cv_broadcast(&key_spd.cv_psz); |
888 | } | | 888 | } |
889 | | | 889 | |
890 | /* | | 890 | /* |
891 | * Remove the sp from the key_spd.splist and wait for references to the sp | | 891 | * Remove the sp from the key_spd.splist and wait for references to the sp |
892 | * to be released. key_spd.lock must be held. | | 892 | * to be released. key_spd.lock must be held. |
893 | */ | | 893 | */ |
894 | static void | | 894 | static void |
895 | key_unlink_sp(struct secpolicy *sp) | | 895 | key_unlink_sp(struct secpolicy *sp) |
896 | { | | 896 | { |
897 | | | 897 | |
898 | KASSERT(mutex_owned(&key_spd.lock)); | | 898 | KASSERT(mutex_owned(&key_spd.lock)); |
899 | | | 899 | |
900 | sp->state = IPSEC_SPSTATE_DEAD; | | 900 | sp->state = IPSEC_SPSTATE_DEAD; |
901 | SPLIST_WRITER_REMOVE(sp); | | 901 | SPLIST_WRITER_REMOVE(sp); |
902 | | | 902 | |
903 | /* Invalidate all cached SPD pointers in the PCBs. */ | | 903 | /* Invalidate all cached SPD pointers in the PCBs. */ |
904 | ipsec_invalpcbcacheall(); | | 904 | ipsec_invalpcbcacheall(); |
905 | | | 905 | |
906 | KDASSERT(mutex_ownable(softnet_lock)); | | 906 | KDASSERT(mutex_ownable(softnet_lock)); |
907 | key_spd_pserialize_perform(); | | 907 | key_spd_pserialize_perform(); |
908 | | | 908 | |
909 | localcount_drain(&sp->localcount, &key_spd.cv_lc, &key_spd.lock); | | 909 | localcount_drain(&sp->localcount, &key_spd.cv_lc, &key_spd.lock); |
910 | } | | 910 | } |
911 | | | 911 | |
912 | /* | | 912 | /* |
913 | * Return 0 when there are known to be no SP's for the specified | | 913 | * Return 0 when there are known to be no SP's for the specified |
914 | * direction. Otherwise return 1. This is used by IPsec code | | 914 | * direction. Otherwise return 1. This is used by IPsec code |
915 | * to optimize performance. | | 915 | * to optimize performance. |
916 | */ | | 916 | */ |
917 | int | | 917 | int |
918 | key_havesp(u_int dir) | | 918 | key_havesp(u_int dir) |
919 | { | | 919 | { |
920 | return (dir == IPSEC_DIR_INBOUND || dir == IPSEC_DIR_OUTBOUND ? | | 920 | return (dir == IPSEC_DIR_INBOUND || dir == IPSEC_DIR_OUTBOUND ? |
921 | !SPLIST_READER_EMPTY(dir) : 1); | | 921 | !SPLIST_READER_EMPTY(dir) : 1); |
922 | } | | 922 | } |
923 | | | 923 | |
924 | /* %%% IPsec policy management */ | | 924 | /* %%% IPsec policy management */ |
925 | /* | | 925 | /* |
926 | * allocating a SP for OUTBOUND or INBOUND packet. | | 926 | * allocating a SP for OUTBOUND or INBOUND packet. |
927 | * Must call key_freesp() later. | | 927 | * Must call key_freesp() later. |
928 | * OUT: NULL: not found | | 928 | * OUT: NULL: not found |
929 | * others: found and return the pointer. | | 929 | * others: found and return the pointer. |
930 | */ | | 930 | */ |
931 | struct secpolicy * | | 931 | struct secpolicy * |
932 | key_lookup_sp_byspidx(const struct secpolicyindex *spidx, | | 932 | key_lookup_sp_byspidx(const struct secpolicyindex *spidx, |
933 | u_int dir, const char* where, int tag) | | 933 | u_int dir, const char* where, int tag) |
934 | { | | 934 | { |
935 | struct secpolicy *sp; | | 935 | struct secpolicy *sp; |
936 | int s; | | 936 | int s; |
937 | | | 937 | |
938 | KASSERT(spidx != NULL); | | 938 | KASSERT(spidx != NULL); |
939 | KASSERTMSG(IPSEC_DIR_IS_INOROUT(dir), "invalid direction %u", dir); | | 939 | KASSERTMSG(IPSEC_DIR_IS_INOROUT(dir), "invalid direction %u", dir); |
940 | | | 940 | |
941 | KEYDEBUG_PRINTF(KEYDEBUG_IPSEC_STAMP, "DP from %s:%u\n", where, tag); | | 941 | KEYDEBUG_PRINTF(KEYDEBUG_IPSEC_STAMP, "DP from %s:%u\n", where, tag); |
942 | | | 942 | |
943 | /* get a SP entry */ | | 943 | /* get a SP entry */ |
944 | if (KEYDEBUG_ON(KEYDEBUG_IPSEC_DATA)) { | | 944 | if (KEYDEBUG_ON(KEYDEBUG_IPSEC_DATA)) { |
945 | kdebug_secpolicyindex("objects", spidx); | | 945 | kdebug_secpolicyindex("objects", spidx); |
946 | } | | 946 | } |
947 | | | 947 | |
948 | s = pserialize_read_enter(); | | 948 | s = pserialize_read_enter(); |
949 | SPLIST_READER_FOREACH(sp, dir) { | | 949 | SPLIST_READER_FOREACH(sp, dir) { |
950 | if (KEYDEBUG_ON(KEYDEBUG_IPSEC_DATA)) { | | 950 | if (KEYDEBUG_ON(KEYDEBUG_IPSEC_DATA)) { |
951 | kdebug_secpolicyindex("in SPD", &sp->spidx); | | 951 | kdebug_secpolicyindex("in SPD", &sp->spidx); |
952 | } | | 952 | } |
953 | | | 953 | |
954 | if (sp->state == IPSEC_SPSTATE_DEAD) | | 954 | if (sp->state == IPSEC_SPSTATE_DEAD) |
955 | continue; | | 955 | continue; |
956 | if (key_spidx_match_withmask(&sp->spidx, spidx)) | | 956 | if (key_spidx_match_withmask(&sp->spidx, spidx)) |
957 | goto found; | | 957 | goto found; |
958 | } | | 958 | } |
959 | sp = NULL; | | 959 | sp = NULL; |
960 | found: | | 960 | found: |
961 | if (sp) { | | 961 | if (sp) { |
962 | /* sanity check */ | | 962 | /* sanity check */ |
963 | KEY_CHKSPDIR(sp->spidx.dir, dir); | | 963 | KEY_CHKSPDIR(sp->spidx.dir, dir); |
964 | | | 964 | |
965 | /* found a SPD entry */ | | 965 | /* found a SPD entry */ |
966 | sp->lastused = time_uptime; | | 966 | sp->lastused = time_uptime; |
967 | key_sp_ref(sp, where, tag); | | 967 | key_sp_ref(sp, where, tag); |
968 | } | | 968 | } |
969 | pserialize_read_exit(s); | | 969 | pserialize_read_exit(s); |
970 | | | 970 | |
971 | KEYDEBUG_PRINTF(KEYDEBUG_IPSEC_STAMP, | | 971 | KEYDEBUG_PRINTF(KEYDEBUG_IPSEC_STAMP, |
972 | "DP return SP:%p (ID=%u) refcnt %u\n", | | 972 | "DP return SP:%p (ID=%u) refcnt %u\n", |
973 | sp, sp ? sp->id : 0, key_sp_refcnt(sp)); | | 973 | sp, sp ? sp->id : 0, key_sp_refcnt(sp)); |
974 | return sp; | | 974 | return sp; |
975 | } | | 975 | } |
976 | | | 976 | |
977 | /* | | 977 | /* |
978 | * return a policy that matches this particular inbound packet. | | 978 | * return a policy that matches this particular inbound packet. |
979 | * XXX slow | | 979 | * XXX slow |
980 | */ | | 980 | */ |
981 | struct secpolicy * | | 981 | struct secpolicy * |
982 | key_gettunnel(const struct sockaddr *osrc, | | 982 | key_gettunnel(const struct sockaddr *osrc, |
983 | const struct sockaddr *odst, | | 983 | const struct sockaddr *odst, |
984 | const struct sockaddr *isrc, | | 984 | const struct sockaddr *isrc, |
985 | const struct sockaddr *idst, | | 985 | const struct sockaddr *idst, |
986 | const char* where, int tag) | | 986 | const char* where, int tag) |
987 | { | | 987 | { |
988 | struct secpolicy *sp; | | 988 | struct secpolicy *sp; |
989 | const int dir = IPSEC_DIR_INBOUND; | | 989 | const int dir = IPSEC_DIR_INBOUND; |
990 | int s; | | 990 | int s; |
991 | struct ipsecrequest *r1, *r2, *p; | | 991 | struct ipsecrequest *r1, *r2, *p; |
992 | struct secpolicyindex spidx; | | 992 | struct secpolicyindex spidx; |
993 | | | 993 | |
994 | KEYDEBUG_PRINTF(KEYDEBUG_IPSEC_STAMP, "DP from %s:%u\n", where, tag); | | 994 | KEYDEBUG_PRINTF(KEYDEBUG_IPSEC_STAMP, "DP from %s:%u\n", where, tag); |
995 | | | 995 | |
996 | if (isrc->sa_family != idst->sa_family) { | | 996 | if (isrc->sa_family != idst->sa_family) { |
997 | IPSECLOG(LOG_ERR, | | 997 | IPSECLOG(LOG_ERR, |
998 | "address family mismatched src %u, dst %u.\n", | | 998 | "address family mismatched src %u, dst %u.\n", |
999 | isrc->sa_family, idst->sa_family); | | 999 | isrc->sa_family, idst->sa_family); |
1000 | sp = NULL; | | 1000 | sp = NULL; |
1001 | goto done; | | 1001 | goto done; |
1002 | } | | 1002 | } |
1003 | | | 1003 | |
1004 | s = pserialize_read_enter(); | | 1004 | s = pserialize_read_enter(); |
1005 | SPLIST_READER_FOREACH(sp, dir) { | | 1005 | SPLIST_READER_FOREACH(sp, dir) { |
1006 | if (sp->state == IPSEC_SPSTATE_DEAD) | | 1006 | if (sp->state == IPSEC_SPSTATE_DEAD) |
1007 | continue; | | 1007 | continue; |
1008 | | | 1008 | |
1009 | r1 = r2 = NULL; | | 1009 | r1 = r2 = NULL; |
1010 | for (p = sp->req; p; p = p->next) { | | 1010 | for (p = sp->req; p; p = p->next) { |
1011 | if (p->saidx.mode != IPSEC_MODE_TUNNEL) | | 1011 | if (p->saidx.mode != IPSEC_MODE_TUNNEL) |
1012 | continue; | | 1012 | continue; |
1013 | | | 1013 | |
1014 | r1 = r2; | | 1014 | r1 = r2; |
1015 | r2 = p; | | 1015 | r2 = p; |
1016 | | | 1016 | |
1017 | if (!r1) { | | 1017 | if (!r1) { |
1018 | /* here we look at address matches only */ | | 1018 | /* here we look at address matches only */ |
1019 | spidx = sp->spidx; | | 1019 | spidx = sp->spidx; |
1020 | if (isrc->sa_len > sizeof(spidx.src) || | | 1020 | if (isrc->sa_len > sizeof(spidx.src) || |
1021 | idst->sa_len > sizeof(spidx.dst)) | | 1021 | idst->sa_len > sizeof(spidx.dst)) |
1022 | continue; | | 1022 | continue; |
1023 | memcpy(&spidx.src, isrc, isrc->sa_len); | | 1023 | memcpy(&spidx.src, isrc, isrc->sa_len); |
1024 | memcpy(&spidx.dst, idst, idst->sa_len); | | 1024 | memcpy(&spidx.dst, idst, idst->sa_len); |
1025 | if (!key_spidx_match_withmask(&sp->spidx, &spidx)) | | 1025 | if (!key_spidx_match_withmask(&sp->spidx, &spidx)) |
1026 | continue; | | 1026 | continue; |
1027 | } else { | | 1027 | } else { |
1028 | if (!key_sockaddr_match(&r1->saidx.src.sa, isrc, PORT_NONE) || | | 1028 | if (!key_sockaddr_match(&r1->saidx.src.sa, isrc, PORT_NONE) || |
1029 | !key_sockaddr_match(&r1->saidx.dst.sa, idst, PORT_NONE)) | | 1029 | !key_sockaddr_match(&r1->saidx.dst.sa, idst, PORT_NONE)) |
1030 | continue; | | 1030 | continue; |
1031 | } | | 1031 | } |
1032 | | | 1032 | |
1033 | if (!key_sockaddr_match(&r2->saidx.src.sa, osrc, PORT_NONE) || | | 1033 | if (!key_sockaddr_match(&r2->saidx.src.sa, osrc, PORT_NONE) || |
1034 | !key_sockaddr_match(&r2->saidx.dst.sa, odst, PORT_NONE)) | | 1034 | !key_sockaddr_match(&r2->saidx.dst.sa, odst, PORT_NONE)) |
| @@ -2459,2021 +2459,2021 @@ key_getnewspid(void) | | | @@ -2459,2021 +2459,2021 @@ key_getnewspid(void) |
2459 | KEY_SP_UNREF(&sp); | | 2459 | KEY_SP_UNREF(&sp); |
2460 | } | | 2460 | } |
2461 | | | 2461 | |
2462 | if (count == 0 || newid == 0) { | | 2462 | if (count == 0 || newid == 0) { |
2463 | IPSECLOG(LOG_DEBUG, "to allocate policy id is failed.\n"); | | 2463 | IPSECLOG(LOG_DEBUG, "to allocate policy id is failed.\n"); |
2464 | return 0; | | 2464 | return 0; |
2465 | } | | 2465 | } |
2466 | | | 2466 | |
2467 | return newid; | | 2467 | return newid; |
2468 | } | | 2468 | } |
2469 | | | 2469 | |
2470 | /* | | 2470 | /* |
2471 | * SADB_SPDDELETE processing | | 2471 | * SADB_SPDDELETE processing |
2472 | * receive | | 2472 | * receive |
2473 | * <base, address(SD), policy(*)> | | 2473 | * <base, address(SD), policy(*)> |
2474 | * from the user(?), and set SADB_SASTATE_DEAD, | | 2474 | * from the user(?), and set SADB_SASTATE_DEAD, |
2475 | * and send, | | 2475 | * and send, |
2476 | * <base, address(SD), policy(*)> | | 2476 | * <base, address(SD), policy(*)> |
2477 | * to the ikmpd. | | 2477 | * to the ikmpd. |
2478 | * policy(*) including direction of policy. | | 2478 | * policy(*) including direction of policy. |
2479 | * | | 2479 | * |
2480 | * m will always be freed. | | 2480 | * m will always be freed. |
2481 | */ | | 2481 | */ |
2482 | static int | | 2482 | static int |
2483 | key_api_spddelete(struct socket *so, struct mbuf *m, | | 2483 | key_api_spddelete(struct socket *so, struct mbuf *m, |
2484 | const struct sadb_msghdr *mhp) | | 2484 | const struct sadb_msghdr *mhp) |
2485 | { | | 2485 | { |
2486 | struct sadb_x_policy *xpl0; | | 2486 | struct sadb_x_policy *xpl0; |
2487 | struct secpolicyindex spidx; | | 2487 | struct secpolicyindex spidx; |
2488 | struct secpolicy *sp; | | 2488 | struct secpolicy *sp; |
2489 | | | 2489 | |
2490 | if (mhp->ext[SADB_EXT_ADDRESS_SRC] == NULL || | | 2490 | if (mhp->ext[SADB_EXT_ADDRESS_SRC] == NULL || |
2491 | mhp->ext[SADB_EXT_ADDRESS_DST] == NULL || | | 2491 | mhp->ext[SADB_EXT_ADDRESS_DST] == NULL || |
2492 | mhp->ext[SADB_X_EXT_POLICY] == NULL) { | | 2492 | mhp->ext[SADB_X_EXT_POLICY] == NULL) { |
2493 | IPSECLOG(LOG_DEBUG, "invalid message is passed.\n"); | | 2493 | IPSECLOG(LOG_DEBUG, "invalid message is passed.\n"); |
2494 | return key_senderror(so, m, EINVAL); | | 2494 | return key_senderror(so, m, EINVAL); |
2495 | } | | 2495 | } |
2496 | if (mhp->extlen[SADB_EXT_ADDRESS_SRC] < sizeof(struct sadb_address) || | | 2496 | if (mhp->extlen[SADB_EXT_ADDRESS_SRC] < sizeof(struct sadb_address) || |
2497 | mhp->extlen[SADB_EXT_ADDRESS_DST] < sizeof(struct sadb_address) || | | 2497 | mhp->extlen[SADB_EXT_ADDRESS_DST] < sizeof(struct sadb_address) || |
2498 | mhp->extlen[SADB_X_EXT_POLICY] < sizeof(struct sadb_x_policy)) { | | 2498 | mhp->extlen[SADB_X_EXT_POLICY] < sizeof(struct sadb_x_policy)) { |
2499 | IPSECLOG(LOG_DEBUG, "invalid message is passed.\n"); | | 2499 | IPSECLOG(LOG_DEBUG, "invalid message is passed.\n"); |
2500 | return key_senderror(so, m, EINVAL); | | 2500 | return key_senderror(so, m, EINVAL); |
2501 | } | | 2501 | } |
2502 | | | 2502 | |
2503 | xpl0 = mhp->ext[SADB_X_EXT_POLICY]; | | 2503 | xpl0 = mhp->ext[SADB_X_EXT_POLICY]; |
2504 | | | 2504 | |
2505 | /* checking the directon. */ | | 2505 | /* checking the directon. */ |
2506 | switch (xpl0->sadb_x_policy_dir) { | | 2506 | switch (xpl0->sadb_x_policy_dir) { |
2507 | case IPSEC_DIR_INBOUND: | | 2507 | case IPSEC_DIR_INBOUND: |
2508 | case IPSEC_DIR_OUTBOUND: | | 2508 | case IPSEC_DIR_OUTBOUND: |
2509 | break; | | 2509 | break; |
2510 | default: | | 2510 | default: |
2511 | IPSECLOG(LOG_DEBUG, "Invalid SP direction.\n"); | | 2511 | IPSECLOG(LOG_DEBUG, "Invalid SP direction.\n"); |
2512 | return key_senderror(so, m, EINVAL); | | 2512 | return key_senderror(so, m, EINVAL); |
2513 | } | | 2513 | } |
2514 | | | 2514 | |
2515 | /* make secindex */ | | 2515 | /* make secindex */ |
2516 | key_init_spidx_bymsghdr(&spidx, mhp); | | 2516 | key_init_spidx_bymsghdr(&spidx, mhp); |
2517 | | | 2517 | |
2518 | /* Is there SP in SPD ? */ | | 2518 | /* Is there SP in SPD ? */ |
2519 | sp = key_lookup_and_remove_sp(&spidx, false); | | 2519 | sp = key_lookup_and_remove_sp(&spidx, false); |
2520 | if (sp == NULL) { | | 2520 | if (sp == NULL) { |
2521 | IPSECLOG(LOG_DEBUG, "no SP found.\n"); | | 2521 | IPSECLOG(LOG_DEBUG, "no SP found.\n"); |
2522 | return key_senderror(so, m, EINVAL); | | 2522 | return key_senderror(so, m, EINVAL); |
2523 | } | | 2523 | } |
2524 | | | 2524 | |
2525 | /* save policy id to buffer to be returned. */ | | 2525 | /* save policy id to buffer to be returned. */ |
2526 | xpl0->sadb_x_policy_id = sp->id; | | 2526 | xpl0->sadb_x_policy_id = sp->id; |
2527 | | | 2527 | |
2528 | key_destroy_sp(sp); | | 2528 | key_destroy_sp(sp); |
2529 | | | 2529 | |
2530 | /* We're deleting policy; no need to invalidate the ipflow cache. */ | | 2530 | /* We're deleting policy; no need to invalidate the ipflow cache. */ |
2531 | | | 2531 | |
2532 | { | | 2532 | { |
2533 | struct mbuf *n; | | 2533 | struct mbuf *n; |
2534 | | | 2534 | |
2535 | /* create new sadb_msg to reply. */ | | 2535 | /* create new sadb_msg to reply. */ |
2536 | n = key_gather_mbuf(m, mhp, 1, 4, SADB_EXT_RESERVED, | | 2536 | n = key_gather_mbuf(m, mhp, 1, 4, SADB_EXT_RESERVED, |
2537 | SADB_X_EXT_POLICY, SADB_EXT_ADDRESS_SRC, SADB_EXT_ADDRESS_DST); | | 2537 | SADB_X_EXT_POLICY, SADB_EXT_ADDRESS_SRC, SADB_EXT_ADDRESS_DST); |
2538 | key_fill_replymsg(n, 0); | | 2538 | key_fill_replymsg(n, 0); |
2539 | m_freem(m); | | 2539 | m_freem(m); |
2540 | return key_sendup_mbuf(so, n, KEY_SENDUP_ALL); | | 2540 | return key_sendup_mbuf(so, n, KEY_SENDUP_ALL); |
2541 | } | | 2541 | } |
2542 | } | | 2542 | } |
2543 | | | 2543 | |
2544 | static struct mbuf * | | 2544 | static struct mbuf * |
2545 | key_alloc_mbuf_simple(int len, int mflag) | | 2545 | key_alloc_mbuf_simple(int len, int mflag) |
2546 | { | | 2546 | { |
2547 | struct mbuf *n; | | 2547 | struct mbuf *n; |
2548 | | | 2548 | |
2549 | KASSERT(mflag == M_NOWAIT || (mflag == M_WAITOK && !cpu_softintr_p())); | | 2549 | KASSERT(mflag == M_NOWAIT || (mflag == M_WAITOK && !cpu_softintr_p())); |
2550 | | | 2550 | |
2551 | MGETHDR(n, mflag, MT_DATA); | | 2551 | MGETHDR(n, mflag, MT_DATA); |
2552 | if (n && len > MHLEN) { | | 2552 | if (n && len > MHLEN) { |
2553 | MCLGET(n, mflag); | | 2553 | MCLGET(n, mflag); |
2554 | if ((n->m_flags & M_EXT) == 0) { | | 2554 | if ((n->m_flags & M_EXT) == 0) { |
2555 | m_freem(n); | | 2555 | m_freem(n); |
2556 | n = NULL; | | 2556 | n = NULL; |
2557 | } | | 2557 | } |
2558 | } | | 2558 | } |
2559 | return n; | | 2559 | return n; |
2560 | } | | 2560 | } |
2561 | | | 2561 | |
2562 | /* | | 2562 | /* |
2563 | * SADB_SPDDELETE2 processing | | 2563 | * SADB_SPDDELETE2 processing |
2564 | * receive | | 2564 | * receive |
2565 | * <base, policy(*)> | | 2565 | * <base, policy(*)> |
2566 | * from the user(?), and set SADB_SASTATE_DEAD, | | 2566 | * from the user(?), and set SADB_SASTATE_DEAD, |
2567 | * and send, | | 2567 | * and send, |
2568 | * <base, policy(*)> | | 2568 | * <base, policy(*)> |
2569 | * to the ikmpd. | | 2569 | * to the ikmpd. |
2570 | * policy(*) including direction of policy. | | 2570 | * policy(*) including direction of policy. |
2571 | * | | 2571 | * |
2572 | * m will always be freed. | | 2572 | * m will always be freed. |
2573 | */ | | 2573 | */ |
2574 | static int | | 2574 | static int |
2575 | key_spddelete2(struct socket *so, struct mbuf *m, | | 2575 | key_spddelete2(struct socket *so, struct mbuf *m, |
2576 | const struct sadb_msghdr *mhp, bool from_kernel) | | 2576 | const struct sadb_msghdr *mhp, bool from_kernel) |
2577 | { | | 2577 | { |
2578 | u_int32_t id; | | 2578 | u_int32_t id; |
2579 | struct secpolicy *sp; | | 2579 | struct secpolicy *sp; |
2580 | const struct sadb_x_policy *xpl; | | 2580 | const struct sadb_x_policy *xpl; |
2581 | | | 2581 | |
2582 | if (mhp->ext[SADB_X_EXT_POLICY] == NULL || | | 2582 | if (mhp->ext[SADB_X_EXT_POLICY] == NULL || |
2583 | mhp->extlen[SADB_X_EXT_POLICY] < sizeof(struct sadb_x_policy)) { | | 2583 | mhp->extlen[SADB_X_EXT_POLICY] < sizeof(struct sadb_x_policy)) { |
2584 | IPSECLOG(LOG_DEBUG, "invalid message is passed.\n"); | | 2584 | IPSECLOG(LOG_DEBUG, "invalid message is passed.\n"); |
2585 | return key_senderror(so, m, EINVAL); | | 2585 | return key_senderror(so, m, EINVAL); |
2586 | } | | 2586 | } |
2587 | | | 2587 | |
2588 | xpl = mhp->ext[SADB_X_EXT_POLICY]; | | 2588 | xpl = mhp->ext[SADB_X_EXT_POLICY]; |
2589 | id = xpl->sadb_x_policy_id; | | 2589 | id = xpl->sadb_x_policy_id; |
2590 | | | 2590 | |
2591 | /* Is there SP in SPD ? */ | | 2591 | /* Is there SP in SPD ? */ |
2592 | sp = key_lookupbyid_and_remove_sp(id, from_kernel); | | 2592 | sp = key_lookupbyid_and_remove_sp(id, from_kernel); |
2593 | if (sp == NULL) { | | 2593 | if (sp == NULL) { |
2594 | IPSECLOG(LOG_DEBUG, "no SP found id:%u.\n", id); | | 2594 | IPSECLOG(LOG_DEBUG, "no SP found id:%u.\n", id); |
2595 | return key_senderror(so, m, EINVAL); | | 2595 | return key_senderror(so, m, EINVAL); |
2596 | } | | 2596 | } |
2597 | | | 2597 | |
2598 | key_destroy_sp(sp); | | 2598 | key_destroy_sp(sp); |
2599 | | | 2599 | |
2600 | /* We're deleting policy; no need to invalidate the ipflow cache. */ | | 2600 | /* We're deleting policy; no need to invalidate the ipflow cache. */ |
2601 | | | 2601 | |
2602 | { | | 2602 | { |
2603 | struct mbuf *n, *nn; | | 2603 | struct mbuf *n, *nn; |
2604 | int off, len; | | 2604 | int off, len; |
2605 | | | 2605 | |
2606 | CTASSERT(PFKEY_ALIGN8(sizeof(struct sadb_msg)) <= MCLBYTES); | | 2606 | CTASSERT(PFKEY_ALIGN8(sizeof(struct sadb_msg)) <= MCLBYTES); |
2607 | | | 2607 | |
2608 | /* create new sadb_msg to reply. */ | | 2608 | /* create new sadb_msg to reply. */ |
2609 | len = PFKEY_ALIGN8(sizeof(struct sadb_msg)); | | 2609 | len = PFKEY_ALIGN8(sizeof(struct sadb_msg)); |
2610 | | | 2610 | |
2611 | n = key_alloc_mbuf_simple(len, M_WAITOK); | | 2611 | n = key_alloc_mbuf_simple(len, M_WAITOK); |
2612 | n->m_len = len; | | 2612 | n->m_len = len; |
2613 | n->m_next = NULL; | | 2613 | n->m_next = NULL; |
2614 | off = 0; | | 2614 | off = 0; |
2615 | | | 2615 | |
2616 | m_copydata(m, 0, sizeof(struct sadb_msg), mtod(n, char *) + off); | | 2616 | m_copydata(m, 0, sizeof(struct sadb_msg), mtod(n, char *) + off); |
2617 | off += PFKEY_ALIGN8(sizeof(struct sadb_msg)); | | 2617 | off += PFKEY_ALIGN8(sizeof(struct sadb_msg)); |
2618 | | | 2618 | |
2619 | KASSERTMSG(off == len, "length inconsistency"); | | 2619 | KASSERTMSG(off == len, "length inconsistency"); |
2620 | | | 2620 | |
2621 | n->m_next = m_copym(m, mhp->extoff[SADB_X_EXT_POLICY], | | 2621 | n->m_next = m_copym(m, mhp->extoff[SADB_X_EXT_POLICY], |
2622 | mhp->extlen[SADB_X_EXT_POLICY], M_WAITOK); | | 2622 | mhp->extlen[SADB_X_EXT_POLICY], M_WAITOK); |
2623 | | | 2623 | |
2624 | n->m_pkthdr.len = 0; | | 2624 | n->m_pkthdr.len = 0; |
2625 | for (nn = n; nn; nn = nn->m_next) | | 2625 | for (nn = n; nn; nn = nn->m_next) |
2626 | n->m_pkthdr.len += nn->m_len; | | 2626 | n->m_pkthdr.len += nn->m_len; |
2627 | | | 2627 | |
2628 | key_fill_replymsg(n, 0); | | 2628 | key_fill_replymsg(n, 0); |
2629 | m_freem(m); | | 2629 | m_freem(m); |
2630 | return key_sendup_mbuf(so, n, KEY_SENDUP_ALL); | | 2630 | return key_sendup_mbuf(so, n, KEY_SENDUP_ALL); |
2631 | } | | 2631 | } |
2632 | } | | 2632 | } |
2633 | | | 2633 | |
2634 | /* | | 2634 | /* |
2635 | * SADB_SPDDELETE2 processing | | 2635 | * SADB_SPDDELETE2 processing |
2636 | * receive | | 2636 | * receive |
2637 | * <base, policy(*)> | | 2637 | * <base, policy(*)> |
2638 | * from the user(?), and set SADB_SASTATE_DEAD, | | 2638 | * from the user(?), and set SADB_SASTATE_DEAD, |
2639 | * and send, | | 2639 | * and send, |
2640 | * <base, policy(*)> | | 2640 | * <base, policy(*)> |
2641 | * to the ikmpd. | | 2641 | * to the ikmpd. |
2642 | * policy(*) including direction of policy. | | 2642 | * policy(*) including direction of policy. |
2643 | * | | 2643 | * |
2644 | * m will always be freed. | | 2644 | * m will always be freed. |
2645 | */ | | 2645 | */ |
2646 | static int | | 2646 | static int |
2647 | key_api_spddelete2(struct socket *so, struct mbuf *m, | | 2647 | key_api_spddelete2(struct socket *so, struct mbuf *m, |
2648 | const struct sadb_msghdr *mhp) | | 2648 | const struct sadb_msghdr *mhp) |
2649 | { | | 2649 | { |
2650 | | | 2650 | |
2651 | return key_spddelete2(so, m, mhp, false); | | 2651 | return key_spddelete2(so, m, mhp, false); |
2652 | } | | 2652 | } |
2653 | | | 2653 | |
2654 | int | | 2654 | int |
2655 | key_kpi_spddelete2(struct mbuf *m) | | 2655 | key_kpi_spddelete2(struct mbuf *m) |
2656 | { | | 2656 | { |
2657 | struct sadb_msghdr mh; | | 2657 | struct sadb_msghdr mh; |
2658 | int error; | | 2658 | int error; |
2659 | | | 2659 | |
2660 | error = key_align(m, &mh); | | 2660 | error = key_align(m, &mh); |
2661 | if (error) | | 2661 | if (error) |
2662 | return EINVAL; | | 2662 | return EINVAL; |
2663 | | | 2663 | |
2664 | return key_spddelete2(NULL, m, &mh, true); | | 2664 | return key_spddelete2(NULL, m, &mh, true); |
2665 | } | | 2665 | } |
2666 | | | 2666 | |
2667 | /* | | 2667 | /* |
2668 | * SADB_X_GET processing | | 2668 | * SADB_X_GET processing |
2669 | * receive | | 2669 | * receive |
2670 | * <base, policy(*)> | | 2670 | * <base, policy(*)> |
2671 | * from the user(?), | | 2671 | * from the user(?), |
2672 | * and send, | | 2672 | * and send, |
2673 | * <base, address(SD), policy> | | 2673 | * <base, address(SD), policy> |
2674 | * to the ikmpd. | | 2674 | * to the ikmpd. |
2675 | * policy(*) including direction of policy. | | 2675 | * policy(*) including direction of policy. |
2676 | * | | 2676 | * |
2677 | * m will always be freed. | | 2677 | * m will always be freed. |
2678 | */ | | 2678 | */ |
2679 | static int | | 2679 | static int |
2680 | key_api_spdget(struct socket *so, struct mbuf *m, | | 2680 | key_api_spdget(struct socket *so, struct mbuf *m, |
2681 | const struct sadb_msghdr *mhp) | | 2681 | const struct sadb_msghdr *mhp) |
2682 | { | | 2682 | { |
2683 | u_int32_t id; | | 2683 | u_int32_t id; |
2684 | struct secpolicy *sp; | | 2684 | struct secpolicy *sp; |
2685 | struct mbuf *n; | | 2685 | struct mbuf *n; |
2686 | const struct sadb_x_policy *xpl; | | 2686 | const struct sadb_x_policy *xpl; |
2687 | | | 2687 | |
2688 | if (mhp->ext[SADB_X_EXT_POLICY] == NULL || | | 2688 | if (mhp->ext[SADB_X_EXT_POLICY] == NULL || |
2689 | mhp->extlen[SADB_X_EXT_POLICY] < sizeof(struct sadb_x_policy)) { | | 2689 | mhp->extlen[SADB_X_EXT_POLICY] < sizeof(struct sadb_x_policy)) { |
2690 | IPSECLOG(LOG_DEBUG, "invalid message is passed.\n"); | | 2690 | IPSECLOG(LOG_DEBUG, "invalid message is passed.\n"); |
2691 | return key_senderror(so, m, EINVAL); | | 2691 | return key_senderror(so, m, EINVAL); |
2692 | } | | 2692 | } |
2693 | | | 2693 | |
2694 | xpl = mhp->ext[SADB_X_EXT_POLICY]; | | 2694 | xpl = mhp->ext[SADB_X_EXT_POLICY]; |
2695 | id = xpl->sadb_x_policy_id; | | 2695 | id = xpl->sadb_x_policy_id; |
2696 | | | 2696 | |
2697 | /* Is there SP in SPD ? */ | | 2697 | /* Is there SP in SPD ? */ |
2698 | sp = key_getspbyid(id); | | 2698 | sp = key_getspbyid(id); |
2699 | if (sp == NULL) { | | 2699 | if (sp == NULL) { |
2700 | IPSECLOG(LOG_DEBUG, "no SP found id:%u.\n", id); | | 2700 | IPSECLOG(LOG_DEBUG, "no SP found id:%u.\n", id); |
2701 | return key_senderror(so, m, ENOENT); | | 2701 | return key_senderror(so, m, ENOENT); |
2702 | } | | 2702 | } |
2703 | | | 2703 | |
2704 | n = key_setdumpsp(sp, SADB_X_SPDGET, mhp->msg->sadb_msg_seq, | | 2704 | n = key_setdumpsp(sp, SADB_X_SPDGET, mhp->msg->sadb_msg_seq, |
2705 | mhp->msg->sadb_msg_pid); | | 2705 | mhp->msg->sadb_msg_pid); |
2706 | KEY_SP_UNREF(&sp); /* ref gained by key_getspbyid */ | | 2706 | KEY_SP_UNREF(&sp); /* ref gained by key_getspbyid */ |
2707 | m_freem(m); | | 2707 | m_freem(m); |
2708 | return key_sendup_mbuf(so, n, KEY_SENDUP_ONE); | | 2708 | return key_sendup_mbuf(so, n, KEY_SENDUP_ONE); |
2709 | } | | 2709 | } |
2710 | | | 2710 | |
2711 | #ifdef notyet | | 2711 | #ifdef notyet |
2712 | /* | | 2712 | /* |
2713 | * SADB_X_SPDACQUIRE processing. | | 2713 | * SADB_X_SPDACQUIRE processing. |
2714 | * Acquire policy and SA(s) for a *OUTBOUND* packet. | | 2714 | * Acquire policy and SA(s) for a *OUTBOUND* packet. |
2715 | * send | | 2715 | * send |
2716 | * <base, policy(*)> | | 2716 | * <base, policy(*)> |
2717 | * to KMD, and expect to receive | | 2717 | * to KMD, and expect to receive |
2718 | * <base> with SADB_X_SPDACQUIRE if error occurred, | | 2718 | * <base> with SADB_X_SPDACQUIRE if error occurred, |
2719 | * or | | 2719 | * or |
2720 | * <base, policy> | | 2720 | * <base, policy> |
2721 | * with SADB_X_SPDUPDATE from KMD by PF_KEY. | | 2721 | * with SADB_X_SPDUPDATE from KMD by PF_KEY. |
2722 | * policy(*) is without policy requests. | | 2722 | * policy(*) is without policy requests. |
2723 | * | | 2723 | * |
2724 | * 0 : succeed | | 2724 | * 0 : succeed |
2725 | * others: error number | | 2725 | * others: error number |
2726 | */ | | 2726 | */ |
2727 | int | | 2727 | int |
2728 | key_spdacquire(const struct secpolicy *sp) | | 2728 | key_spdacquire(const struct secpolicy *sp) |
2729 | { | | 2729 | { |
2730 | struct mbuf *result = NULL, *m; | | 2730 | struct mbuf *result = NULL, *m; |
2731 | struct secspacq *newspacq; | | 2731 | struct secspacq *newspacq; |
2732 | int error; | | 2732 | int error; |
2733 | | | 2733 | |
2734 | KASSERT(sp != NULL); | | 2734 | KASSERT(sp != NULL); |
2735 | KASSERTMSG(sp->req == NULL, "called but there is request"); | | 2735 | KASSERTMSG(sp->req == NULL, "called but there is request"); |
2736 | KASSERTMSG(sp->policy == IPSEC_POLICY_IPSEC, | | 2736 | KASSERTMSG(sp->policy == IPSEC_POLICY_IPSEC, |
2737 | "policy mismathed. IPsec is expected"); | | 2737 | "policy mismathed. IPsec is expected"); |
2738 | | | 2738 | |
2739 | /* Get an entry to check whether sent message or not. */ | | 2739 | /* Get an entry to check whether sent message or not. */ |
2740 | newspacq = key_getspacq(&sp->spidx); | | 2740 | newspacq = key_getspacq(&sp->spidx); |
2741 | if (newspacq != NULL) { | | 2741 | if (newspacq != NULL) { |
2742 | if (key_blockacq_count < newspacq->count) { | | 2742 | if (key_blockacq_count < newspacq->count) { |
2743 | /* reset counter and do send message. */ | | 2743 | /* reset counter and do send message. */ |
2744 | newspacq->count = 0; | | 2744 | newspacq->count = 0; |
2745 | } else { | | 2745 | } else { |
2746 | /* increment counter and do nothing. */ | | 2746 | /* increment counter and do nothing. */ |
2747 | newspacq->count++; | | 2747 | newspacq->count++; |
2748 | return 0; | | 2748 | return 0; |
2749 | } | | 2749 | } |
2750 | } else { | | 2750 | } else { |
2751 | /* make new entry for blocking to send SADB_ACQUIRE. */ | | 2751 | /* make new entry for blocking to send SADB_ACQUIRE. */ |
2752 | newspacq = key_newspacq(&sp->spidx); | | 2752 | newspacq = key_newspacq(&sp->spidx); |
2753 | if (newspacq == NULL) | | 2753 | if (newspacq == NULL) |
2754 | return ENOBUFS; | | 2754 | return ENOBUFS; |
2755 | | | 2755 | |
2756 | /* add to key_misc.acqlist */ | | 2756 | /* add to key_misc.acqlist */ |
2757 | LIST_INSERT_HEAD(&key_misc.spacqlist, newspacq, chain); | | 2757 | LIST_INSERT_HEAD(&key_misc.spacqlist, newspacq, chain); |
2758 | } | | 2758 | } |
2759 | | | 2759 | |
2760 | /* create new sadb_msg to reply. */ | | 2760 | /* create new sadb_msg to reply. */ |
2761 | m = key_setsadbmsg(SADB_X_SPDACQUIRE, 0, 0, 0, 0, 0); | | 2761 | m = key_setsadbmsg(SADB_X_SPDACQUIRE, 0, 0, 0, 0, 0); |
2762 | if (!m) { | | 2762 | if (!m) { |
2763 | error = ENOBUFS; | | 2763 | error = ENOBUFS; |
2764 | goto fail; | | 2764 | goto fail; |
2765 | } | | 2765 | } |
2766 | result = m; | | 2766 | result = m; |
2767 | | | 2767 | |
2768 | result->m_pkthdr.len = 0; | | 2768 | result->m_pkthdr.len = 0; |
2769 | for (m = result; m; m = m->m_next) | | 2769 | for (m = result; m; m = m->m_next) |
2770 | result->m_pkthdr.len += m->m_len; | | 2770 | result->m_pkthdr.len += m->m_len; |
2771 | | | 2771 | |
2772 | mtod(result, struct sadb_msg *)->sadb_msg_len = | | 2772 | mtod(result, struct sadb_msg *)->sadb_msg_len = |
2773 | PFKEY_UNIT64(result->m_pkthdr.len); | | 2773 | PFKEY_UNIT64(result->m_pkthdr.len); |
2774 | | | 2774 | |
2775 | return key_sendup_mbuf(NULL, m, KEY_SENDUP_REGISTERED); | | 2775 | return key_sendup_mbuf(NULL, m, KEY_SENDUP_REGISTERED); |
2776 | | | 2776 | |
2777 | fail: | | 2777 | fail: |
2778 | if (result) | | 2778 | if (result) |
2779 | m_freem(result); | | 2779 | m_freem(result); |
2780 | return error; | | 2780 | return error; |
2781 | } | | 2781 | } |
2782 | #endif /* notyet */ | | 2782 | #endif /* notyet */ |
2783 | | | 2783 | |
2784 | /* | | 2784 | /* |
2785 | * SADB_SPDFLUSH processing | | 2785 | * SADB_SPDFLUSH processing |
2786 | * receive | | 2786 | * receive |
2787 | * <base> | | 2787 | * <base> |
2788 | * from the user, and free all entries in secpctree. | | 2788 | * from the user, and free all entries in secpctree. |
2789 | * and send, | | 2789 | * and send, |
2790 | * <base> | | 2790 | * <base> |
2791 | * to the user. | | 2791 | * to the user. |
2792 | * NOTE: what to do is only marking SADB_SASTATE_DEAD. | | 2792 | * NOTE: what to do is only marking SADB_SASTATE_DEAD. |
2793 | * | | 2793 | * |
2794 | * m will always be freed. | | 2794 | * m will always be freed. |
2795 | */ | | 2795 | */ |
2796 | static int | | 2796 | static int |
2797 | key_api_spdflush(struct socket *so, struct mbuf *m, | | 2797 | key_api_spdflush(struct socket *so, struct mbuf *m, |
2798 | const struct sadb_msghdr *mhp) | | 2798 | const struct sadb_msghdr *mhp) |
2799 | { | | 2799 | { |
2800 | struct sadb_msg *newmsg; | | 2800 | struct sadb_msg *newmsg; |
2801 | struct secpolicy *sp; | | 2801 | struct secpolicy *sp; |
2802 | u_int dir; | | 2802 | u_int dir; |
2803 | | | 2803 | |
2804 | if (m->m_len != PFKEY_ALIGN8(sizeof(struct sadb_msg))) | | 2804 | if (m->m_len != PFKEY_ALIGN8(sizeof(struct sadb_msg))) |
2805 | return key_senderror(so, m, EINVAL); | | 2805 | return key_senderror(so, m, EINVAL); |
2806 | | | 2806 | |
2807 | for (dir = 0; dir < IPSEC_DIR_MAX; dir++) { | | 2807 | for (dir = 0; dir < IPSEC_DIR_MAX; dir++) { |
2808 | retry: | | 2808 | retry: |
2809 | mutex_enter(&key_spd.lock); | | 2809 | mutex_enter(&key_spd.lock); |
2810 | SPLIST_WRITER_FOREACH(sp, dir) { | | 2810 | SPLIST_WRITER_FOREACH(sp, dir) { |
2811 | KASSERT(sp->state != IPSEC_SPSTATE_DEAD); | | 2811 | KASSERT(sp->state != IPSEC_SPSTATE_DEAD); |
2812 | /* | | 2812 | /* |
2813 | * Userlang programs can remove SPs created by userland | | 2813 | * Userlang programs can remove SPs created by userland |
2814 | * probrams only, that is, they cannot remove SPs | | 2814 | * probrams only, that is, they cannot remove SPs |
2815 | * created in kernel(e.g. ipsec(4) I/F). | | 2815 | * created in kernel(e.g. ipsec(4) I/F). |
2816 | */ | | 2816 | */ |
2817 | if (sp->origin == IPSEC_SPORIGIN_USER) { | | 2817 | if (sp->origin == IPSEC_SPORIGIN_USER) { |
2818 | key_unlink_sp(sp); | | 2818 | key_unlink_sp(sp); |
2819 | mutex_exit(&key_spd.lock); | | 2819 | mutex_exit(&key_spd.lock); |
2820 | key_destroy_sp(sp); | | 2820 | key_destroy_sp(sp); |
2821 | goto retry; | | 2821 | goto retry; |
2822 | } | | 2822 | } |
2823 | } | | 2823 | } |
2824 | mutex_exit(&key_spd.lock); | | 2824 | mutex_exit(&key_spd.lock); |
2825 | } | | 2825 | } |
2826 | | | 2826 | |
2827 | /* We're deleting policy; no need to invalidate the ipflow cache. */ | | 2827 | /* We're deleting policy; no need to invalidate the ipflow cache. */ |
2828 | | | 2828 | |
2829 | if (sizeof(struct sadb_msg) > m->m_len + M_TRAILINGSPACE(m)) { | | 2829 | if (sizeof(struct sadb_msg) > m->m_len + M_TRAILINGSPACE(m)) { |
2830 | IPSECLOG(LOG_DEBUG, "No more memory.\n"); | | 2830 | IPSECLOG(LOG_DEBUG, "No more memory.\n"); |
2831 | return key_senderror(so, m, ENOBUFS); | | 2831 | return key_senderror(so, m, ENOBUFS); |
2832 | } | | 2832 | } |
2833 | | | 2833 | |
2834 | if (m->m_next) | | 2834 | if (m->m_next) |
2835 | m_freem(m->m_next); | | 2835 | m_freem(m->m_next); |
2836 | m->m_next = NULL; | | 2836 | m->m_next = NULL; |
2837 | m->m_pkthdr.len = m->m_len = PFKEY_ALIGN8(sizeof(struct sadb_msg)); | | 2837 | m->m_pkthdr.len = m->m_len = PFKEY_ALIGN8(sizeof(struct sadb_msg)); |
2838 | newmsg = mtod(m, struct sadb_msg *); | | 2838 | newmsg = mtod(m, struct sadb_msg *); |
2839 | newmsg->sadb_msg_errno = 0; | | 2839 | newmsg->sadb_msg_errno = 0; |
2840 | newmsg->sadb_msg_len = PFKEY_UNIT64(m->m_pkthdr.len); | | 2840 | newmsg->sadb_msg_len = PFKEY_UNIT64(m->m_pkthdr.len); |
2841 | | | 2841 | |
2842 | return key_sendup_mbuf(so, m, KEY_SENDUP_ALL); | | 2842 | return key_sendup_mbuf(so, m, KEY_SENDUP_ALL); |
2843 | } | | 2843 | } |
2844 | | | 2844 | |
2845 | static struct sockaddr key_src = { | | 2845 | static struct sockaddr key_src = { |
2846 | .sa_len = 2, | | 2846 | .sa_len = 2, |
2847 | .sa_family = PF_KEY, | | 2847 | .sa_family = PF_KEY, |
2848 | }; | | 2848 | }; |
2849 | | | 2849 | |
2850 | static struct mbuf * | | 2850 | static struct mbuf * |
2851 | key_setspddump_chain(int *errorp, int *lenp, pid_t pid) | | 2851 | key_setspddump_chain(int *errorp, int *lenp, pid_t pid) |
2852 | { | | 2852 | { |
2853 | struct secpolicy *sp; | | 2853 | struct secpolicy *sp; |
2854 | int cnt; | | 2854 | int cnt; |
2855 | u_int dir; | | 2855 | u_int dir; |
2856 | struct mbuf *m, *n, *prev; | | 2856 | struct mbuf *m, *n, *prev; |
2857 | int totlen; | | 2857 | int totlen; |
2858 | | | 2858 | |
2859 | KASSERT(mutex_owned(&key_spd.lock)); | | 2859 | KASSERT(mutex_owned(&key_spd.lock)); |
2860 | | | 2860 | |
2861 | *lenp = 0; | | 2861 | *lenp = 0; |
2862 | | | 2862 | |
2863 | /* search SPD entry and get buffer size. */ | | 2863 | /* search SPD entry and get buffer size. */ |
2864 | cnt = 0; | | 2864 | cnt = 0; |
2865 | for (dir = 0; dir < IPSEC_DIR_MAX; dir++) { | | 2865 | for (dir = 0; dir < IPSEC_DIR_MAX; dir++) { |
2866 | SPLIST_WRITER_FOREACH(sp, dir) { | | 2866 | SPLIST_WRITER_FOREACH(sp, dir) { |
2867 | cnt++; | | 2867 | cnt++; |
2868 | } | | 2868 | } |
2869 | } | | 2869 | } |
2870 | | | 2870 | |
2871 | if (cnt == 0) { | | 2871 | if (cnt == 0) { |
2872 | *errorp = ENOENT; | | 2872 | *errorp = ENOENT; |
2873 | return (NULL); | | 2873 | return (NULL); |
2874 | } | | 2874 | } |
2875 | | | 2875 | |
2876 | m = NULL; | | 2876 | m = NULL; |
2877 | prev = m; | | 2877 | prev = m; |
2878 | totlen = 0; | | 2878 | totlen = 0; |
2879 | for (dir = 0; dir < IPSEC_DIR_MAX; dir++) { | | 2879 | for (dir = 0; dir < IPSEC_DIR_MAX; dir++) { |
2880 | SPLIST_WRITER_FOREACH(sp, dir) { | | 2880 | SPLIST_WRITER_FOREACH(sp, dir) { |
2881 | --cnt; | | 2881 | --cnt; |
2882 | n = key_setdumpsp(sp, SADB_X_SPDDUMP, cnt, pid); | | 2882 | n = key_setdumpsp(sp, SADB_X_SPDDUMP, cnt, pid); |
2883 | | | 2883 | |
2884 | totlen += n->m_pkthdr.len; | | 2884 | totlen += n->m_pkthdr.len; |
2885 | if (!m) { | | 2885 | if (!m) { |
2886 | m = n; | | 2886 | m = n; |
2887 | } else { | | 2887 | } else { |
2888 | prev->m_nextpkt = n; | | 2888 | prev->m_nextpkt = n; |
2889 | } | | 2889 | } |
2890 | prev = n; | | 2890 | prev = n; |
2891 | } | | 2891 | } |
2892 | } | | 2892 | } |
2893 | | | 2893 | |
2894 | *lenp = totlen; | | 2894 | *lenp = totlen; |
2895 | *errorp = 0; | | 2895 | *errorp = 0; |
2896 | return (m); | | 2896 | return (m); |
2897 | } | | 2897 | } |
2898 | | | 2898 | |
2899 | /* | | 2899 | /* |
2900 | * SADB_SPDDUMP processing | | 2900 | * SADB_SPDDUMP processing |
2901 | * receive | | 2901 | * receive |
2902 | * <base> | | 2902 | * <base> |
2903 | * from the user, and dump all SP leaves | | 2903 | * from the user, and dump all SP leaves |
2904 | * and send, | | 2904 | * and send, |
2905 | * <base> ..... | | 2905 | * <base> ..... |
2906 | * to the ikmpd. | | 2906 | * to the ikmpd. |
2907 | * | | 2907 | * |
2908 | * m will always be freed. | | 2908 | * m will always be freed. |
2909 | */ | | 2909 | */ |
2910 | static int | | 2910 | static int |
2911 | key_api_spddump(struct socket *so, struct mbuf *m0, | | 2911 | key_api_spddump(struct socket *so, struct mbuf *m0, |
2912 | const struct sadb_msghdr *mhp) | | 2912 | const struct sadb_msghdr *mhp) |
2913 | { | | 2913 | { |
2914 | struct mbuf *n; | | 2914 | struct mbuf *n; |
2915 | int error, len; | | 2915 | int error, len; |
2916 | int ok; | | 2916 | int ok; |
2917 | pid_t pid; | | 2917 | pid_t pid; |
2918 | | | 2918 | |
2919 | pid = mhp->msg->sadb_msg_pid; | | 2919 | pid = mhp->msg->sadb_msg_pid; |
2920 | /* | | 2920 | /* |
2921 | * If the requestor has insufficient socket-buffer space | | 2921 | * If the requestor has insufficient socket-buffer space |
2922 | * for the entire chain, nobody gets any response to the DUMP. | | 2922 | * for the entire chain, nobody gets any response to the DUMP. |
2923 | * XXX For now, only the requestor ever gets anything. | | 2923 | * XXX For now, only the requestor ever gets anything. |
2924 | * Moreover, if the requestor has any space at all, they receive | | 2924 | * Moreover, if the requestor has any space at all, they receive |
2925 | * the entire chain, otherwise the request is refused with ENOBUFS. | | 2925 | * the entire chain, otherwise the request is refused with ENOBUFS. |
2926 | */ | | 2926 | */ |
2927 | if (sbspace(&so->so_rcv) <= 0) { | | 2927 | if (sbspace(&so->so_rcv) <= 0) { |
2928 | return key_senderror(so, m0, ENOBUFS); | | 2928 | return key_senderror(so, m0, ENOBUFS); |
2929 | } | | 2929 | } |
2930 | | | 2930 | |
2931 | mutex_enter(&key_spd.lock); | | 2931 | mutex_enter(&key_spd.lock); |
2932 | n = key_setspddump_chain(&error, &len, pid); | | 2932 | n = key_setspddump_chain(&error, &len, pid); |
2933 | mutex_exit(&key_spd.lock); | | 2933 | mutex_exit(&key_spd.lock); |
2934 | | | 2934 | |
2935 | if (n == NULL) { | | 2935 | if (n == NULL) { |
2936 | return key_senderror(so, m0, ENOENT); | | 2936 | return key_senderror(so, m0, ENOENT); |
2937 | } | | 2937 | } |
2938 | { | | 2938 | { |
2939 | uint64_t *ps = PFKEY_STAT_GETREF(); | | 2939 | uint64_t *ps = PFKEY_STAT_GETREF(); |
2940 | ps[PFKEY_STAT_IN_TOTAL]++; | | 2940 | ps[PFKEY_STAT_IN_TOTAL]++; |
2941 | ps[PFKEY_STAT_IN_BYTES] += len; | | 2941 | ps[PFKEY_STAT_IN_BYTES] += len; |
2942 | PFKEY_STAT_PUTREF(); | | 2942 | PFKEY_STAT_PUTREF(); |
2943 | } | | 2943 | } |
2944 | | | 2944 | |
2945 | /* | | 2945 | /* |
2946 | * PF_KEY DUMP responses are no longer broadcast to all PF_KEY sockets. | | 2946 | * PF_KEY DUMP responses are no longer broadcast to all PF_KEY sockets. |
2947 | * The requestor receives either the entire chain, or an | | 2947 | * The requestor receives either the entire chain, or an |
2948 | * error message with ENOBUFS. | | 2948 | * error message with ENOBUFS. |
2949 | */ | | 2949 | */ |
2950 | | | 2950 | |
2951 | /* | | 2951 | /* |
2952 | * sbappendchainwith record takes the chain of entries, one | | 2952 | * sbappendchainwith record takes the chain of entries, one |
2953 | * packet-record per SPD entry, prepends the key_src sockaddr | | 2953 | * packet-record per SPD entry, prepends the key_src sockaddr |
2954 | * to each packet-record, links the sockaddr mbufs into a new | | 2954 | * to each packet-record, links the sockaddr mbufs into a new |
2955 | * list of records, then appends the entire resulting | | 2955 | * list of records, then appends the entire resulting |
2956 | * list to the requesting socket. | | 2956 | * list to the requesting socket. |
2957 | */ | | 2957 | */ |
2958 | ok = sbappendaddrchain(&so->so_rcv, (struct sockaddr *)&key_src, n, | | 2958 | ok = sbappendaddrchain(&so->so_rcv, (struct sockaddr *)&key_src, n, |
2959 | SB_PRIO_ONESHOT_OVERFLOW); | | 2959 | SB_PRIO_ONESHOT_OVERFLOW); |
2960 | | | 2960 | |
2961 | if (!ok) { | | 2961 | if (!ok) { |
2962 | PFKEY_STATINC(PFKEY_STAT_IN_NOMEM); | | 2962 | PFKEY_STATINC(PFKEY_STAT_IN_NOMEM); |
2963 | m_freem(n); | | 2963 | m_freem(n); |
2964 | return key_senderror(so, m0, ENOBUFS); | | 2964 | return key_senderror(so, m0, ENOBUFS); |
2965 | } | | 2965 | } |
2966 | | | 2966 | |
2967 | m_freem(m0); | | 2967 | m_freem(m0); |
2968 | return error; | | 2968 | return error; |
2969 | } | | 2969 | } |
2970 | | | 2970 | |
2971 | /* | | 2971 | /* |
2972 | * SADB_X_NAT_T_NEW_MAPPING. Unused by racoon as of 2005/04/23 | | 2972 | * SADB_X_NAT_T_NEW_MAPPING. Unused by racoon as of 2005/04/23 |
2973 | */ | | 2973 | */ |
2974 | static int | | 2974 | static int |
2975 | key_api_nat_map(struct socket *so, struct mbuf *m, | | 2975 | key_api_nat_map(struct socket *so, struct mbuf *m, |
2976 | const struct sadb_msghdr *mhp) | | 2976 | const struct sadb_msghdr *mhp) |
2977 | { | | 2977 | { |
2978 | struct sadb_x_nat_t_type *type; | | 2978 | struct sadb_x_nat_t_type *type; |
2979 | struct sadb_x_nat_t_port *sport; | | 2979 | struct sadb_x_nat_t_port *sport; |
2980 | struct sadb_x_nat_t_port *dport; | | 2980 | struct sadb_x_nat_t_port *dport; |
2981 | struct sadb_address *iaddr, *raddr; | | 2981 | struct sadb_address *iaddr, *raddr; |
2982 | struct sadb_x_nat_t_frag *frag; | | 2982 | struct sadb_x_nat_t_frag *frag; |
2983 | | | 2983 | |
2984 | if (mhp->ext[SADB_X_EXT_NAT_T_TYPE] == NULL || | | 2984 | if (mhp->ext[SADB_X_EXT_NAT_T_TYPE] == NULL || |
2985 | mhp->ext[SADB_X_EXT_NAT_T_SPORT] == NULL || | | 2985 | mhp->ext[SADB_X_EXT_NAT_T_SPORT] == NULL || |
2986 | mhp->ext[SADB_X_EXT_NAT_T_DPORT] == NULL) { | | 2986 | mhp->ext[SADB_X_EXT_NAT_T_DPORT] == NULL) { |
2987 | IPSECLOG(LOG_DEBUG, "invalid message.\n"); | | 2987 | IPSECLOG(LOG_DEBUG, "invalid message.\n"); |
2988 | return key_senderror(so, m, EINVAL); | | 2988 | return key_senderror(so, m, EINVAL); |
2989 | } | | 2989 | } |
2990 | if ((mhp->extlen[SADB_X_EXT_NAT_T_TYPE] < sizeof(*type)) || | | 2990 | if ((mhp->extlen[SADB_X_EXT_NAT_T_TYPE] < sizeof(*type)) || |
2991 | (mhp->extlen[SADB_X_EXT_NAT_T_SPORT] < sizeof(*sport)) || | | 2991 | (mhp->extlen[SADB_X_EXT_NAT_T_SPORT] < sizeof(*sport)) || |
2992 | (mhp->extlen[SADB_X_EXT_NAT_T_DPORT] < sizeof(*dport))) { | | 2992 | (mhp->extlen[SADB_X_EXT_NAT_T_DPORT] < sizeof(*dport))) { |
2993 | IPSECLOG(LOG_DEBUG, "invalid message.\n"); | | 2993 | IPSECLOG(LOG_DEBUG, "invalid message.\n"); |
2994 | return key_senderror(so, m, EINVAL); | | 2994 | return key_senderror(so, m, EINVAL); |
2995 | } | | 2995 | } |
2996 | | | 2996 | |
2997 | if ((mhp->ext[SADB_X_EXT_NAT_T_OAI] != NULL) && | | 2997 | if ((mhp->ext[SADB_X_EXT_NAT_T_OAI] != NULL) && |
2998 | (mhp->extlen[SADB_X_EXT_NAT_T_OAI] < sizeof(*iaddr))) { | | 2998 | (mhp->extlen[SADB_X_EXT_NAT_T_OAI] < sizeof(*iaddr))) { |
2999 | IPSECLOG(LOG_DEBUG, "invalid message\n"); | | 2999 | IPSECLOG(LOG_DEBUG, "invalid message\n"); |
3000 | return key_senderror(so, m, EINVAL); | | 3000 | return key_senderror(so, m, EINVAL); |
3001 | } | | 3001 | } |
3002 | | | 3002 | |
3003 | if ((mhp->ext[SADB_X_EXT_NAT_T_OAR] != NULL) && | | 3003 | if ((mhp->ext[SADB_X_EXT_NAT_T_OAR] != NULL) && |
3004 | (mhp->extlen[SADB_X_EXT_NAT_T_OAR] < sizeof(*raddr))) { | | 3004 | (mhp->extlen[SADB_X_EXT_NAT_T_OAR] < sizeof(*raddr))) { |
3005 | IPSECLOG(LOG_DEBUG, "invalid message\n"); | | 3005 | IPSECLOG(LOG_DEBUG, "invalid message\n"); |
3006 | return key_senderror(so, m, EINVAL); | | 3006 | return key_senderror(so, m, EINVAL); |
3007 | } | | 3007 | } |
3008 | | | 3008 | |
3009 | if ((mhp->ext[SADB_X_EXT_NAT_T_FRAG] != NULL) && | | 3009 | if ((mhp->ext[SADB_X_EXT_NAT_T_FRAG] != NULL) && |
3010 | (mhp->extlen[SADB_X_EXT_NAT_T_FRAG] < sizeof(*frag))) { | | 3010 | (mhp->extlen[SADB_X_EXT_NAT_T_FRAG] < sizeof(*frag))) { |
3011 | IPSECLOG(LOG_DEBUG, "invalid message\n"); | | 3011 | IPSECLOG(LOG_DEBUG, "invalid message\n"); |
3012 | return key_senderror(so, m, EINVAL); | | 3012 | return key_senderror(so, m, EINVAL); |
3013 | } | | 3013 | } |
3014 | | | 3014 | |
3015 | type = mhp->ext[SADB_X_EXT_NAT_T_TYPE]; | | 3015 | type = mhp->ext[SADB_X_EXT_NAT_T_TYPE]; |
3016 | sport = mhp->ext[SADB_X_EXT_NAT_T_SPORT]; | | 3016 | sport = mhp->ext[SADB_X_EXT_NAT_T_SPORT]; |
3017 | dport = mhp->ext[SADB_X_EXT_NAT_T_DPORT]; | | 3017 | dport = mhp->ext[SADB_X_EXT_NAT_T_DPORT]; |
3018 | iaddr = mhp->ext[SADB_X_EXT_NAT_T_OAI]; | | 3018 | iaddr = mhp->ext[SADB_X_EXT_NAT_T_OAI]; |
3019 | raddr = mhp->ext[SADB_X_EXT_NAT_T_OAR]; | | 3019 | raddr = mhp->ext[SADB_X_EXT_NAT_T_OAR]; |
3020 | frag = mhp->ext[SADB_X_EXT_NAT_T_FRAG]; | | 3020 | frag = mhp->ext[SADB_X_EXT_NAT_T_FRAG]; |
3021 | | | 3021 | |
3022 | /* | | 3022 | /* |
3023 | * XXX handle that, it should also contain a SA, or anything | | 3023 | * XXX handle that, it should also contain a SA, or anything |
3024 | * that enable to update the SA information. | | 3024 | * that enable to update the SA information. |
3025 | */ | | 3025 | */ |
3026 | | | 3026 | |
3027 | return 0; | | 3027 | return 0; |
3028 | } | | 3028 | } |
3029 | | | 3029 | |
3030 | /* | | 3030 | /* |
3031 | * Never return NULL. | | 3031 | * Never return NULL. |
3032 | */ | | 3032 | */ |
3033 | static struct mbuf * | | 3033 | static struct mbuf * |
3034 | key_setdumpsp(struct secpolicy *sp, u_int8_t type, u_int32_t seq, pid_t pid) | | 3034 | key_setdumpsp(struct secpolicy *sp, u_int8_t type, u_int32_t seq, pid_t pid) |
3035 | { | | 3035 | { |
3036 | struct mbuf *result = NULL, *m; | | 3036 | struct mbuf *result = NULL, *m; |
3037 | | | 3037 | |
3038 | KASSERT(!cpu_softintr_p()); | | 3038 | KASSERT(!cpu_softintr_p()); |
3039 | | | 3039 | |
3040 | m = key_setsadbmsg(type, 0, SADB_SATYPE_UNSPEC, seq, pid, | | 3040 | m = key_setsadbmsg(type, 0, SADB_SATYPE_UNSPEC, seq, pid, |
3041 | key_sp_refcnt(sp), M_WAITOK); | | 3041 | key_sp_refcnt(sp), M_WAITOK); |
3042 | result = m; | | 3042 | result = m; |
3043 | | | 3043 | |
3044 | m = key_setsadbaddr(SADB_EXT_ADDRESS_SRC, | | 3044 | m = key_setsadbaddr(SADB_EXT_ADDRESS_SRC, |
3045 | &sp->spidx.src.sa, sp->spidx.prefs, sp->spidx.ul_proto, M_WAITOK); | | 3045 | &sp->spidx.src.sa, sp->spidx.prefs, sp->spidx.ul_proto, M_WAITOK); |
3046 | m_cat(result, m); | | 3046 | m_cat(result, m); |
3047 | | | 3047 | |
3048 | m = key_setsadbaddr(SADB_EXT_ADDRESS_DST, | | 3048 | m = key_setsadbaddr(SADB_EXT_ADDRESS_DST, |
3049 | &sp->spidx.dst.sa, sp->spidx.prefd, sp->spidx.ul_proto, M_WAITOK); | | 3049 | &sp->spidx.dst.sa, sp->spidx.prefd, sp->spidx.ul_proto, M_WAITOK); |
3050 | m_cat(result, m); | | 3050 | m_cat(result, m); |
3051 | | | 3051 | |
3052 | m = key_sp2msg(sp, M_WAITOK); | | 3052 | m = key_sp2msg(sp, M_WAITOK); |
3053 | m_cat(result, m); | | 3053 | m_cat(result, m); |
3054 | | | 3054 | |
3055 | KASSERT(result->m_flags & M_PKTHDR); | | 3055 | KASSERT(result->m_flags & M_PKTHDR); |
3056 | KASSERT(result->m_len >= sizeof(struct sadb_msg)); | | 3056 | KASSERT(result->m_len >= sizeof(struct sadb_msg)); |
3057 | | | 3057 | |
3058 | result->m_pkthdr.len = 0; | | 3058 | result->m_pkthdr.len = 0; |
3059 | for (m = result; m; m = m->m_next) | | 3059 | for (m = result; m; m = m->m_next) |
3060 | result->m_pkthdr.len += m->m_len; | | 3060 | result->m_pkthdr.len += m->m_len; |
3061 | | | 3061 | |
3062 | mtod(result, struct sadb_msg *)->sadb_msg_len = | | 3062 | mtod(result, struct sadb_msg *)->sadb_msg_len = |
3063 | PFKEY_UNIT64(result->m_pkthdr.len); | | 3063 | PFKEY_UNIT64(result->m_pkthdr.len); |
3064 | | | 3064 | |
3065 | return result; | | 3065 | return result; |
3066 | } | | 3066 | } |
3067 | | | 3067 | |
3068 | /* | | 3068 | /* |
3069 | * get PFKEY message length for security policy and request. | | 3069 | * get PFKEY message length for security policy and request. |
3070 | */ | | 3070 | */ |
3071 | static u_int | | 3071 | static u_int |
3072 | key_getspreqmsglen(const struct secpolicy *sp) | | 3072 | key_getspreqmsglen(const struct secpolicy *sp) |
3073 | { | | 3073 | { |
3074 | u_int tlen; | | 3074 | u_int tlen; |
3075 | | | 3075 | |
3076 | tlen = sizeof(struct sadb_x_policy); | | 3076 | tlen = sizeof(struct sadb_x_policy); |
3077 | | | 3077 | |
3078 | /* if is the policy for ipsec ? */ | | 3078 | /* if is the policy for ipsec ? */ |
3079 | if (sp->policy != IPSEC_POLICY_IPSEC) | | 3079 | if (sp->policy != IPSEC_POLICY_IPSEC) |
3080 | return tlen; | | 3080 | return tlen; |
3081 | | | 3081 | |
3082 | /* get length of ipsec requests */ | | 3082 | /* get length of ipsec requests */ |
3083 | { | | 3083 | { |
3084 | const struct ipsecrequest *isr; | | 3084 | const struct ipsecrequest *isr; |
3085 | int len; | | 3085 | int len; |
3086 | | | 3086 | |
3087 | for (isr = sp->req; isr != NULL; isr = isr->next) { | | 3087 | for (isr = sp->req; isr != NULL; isr = isr->next) { |
3088 | len = sizeof(struct sadb_x_ipsecrequest) | | 3088 | len = sizeof(struct sadb_x_ipsecrequest) |
3089 | + isr->saidx.src.sa.sa_len + isr->saidx.dst.sa.sa_len; | | 3089 | + isr->saidx.src.sa.sa_len + isr->saidx.dst.sa.sa_len; |
3090 | | | 3090 | |
3091 | tlen += PFKEY_ALIGN8(len); | | 3091 | tlen += PFKEY_ALIGN8(len); |
3092 | } | | 3092 | } |
3093 | } | | 3093 | } |
3094 | | | 3094 | |
3095 | return tlen; | | 3095 | return tlen; |
3096 | } | | 3096 | } |
3097 | | | 3097 | |
3098 | /* | | 3098 | /* |
3099 | * SADB_SPDEXPIRE processing | | 3099 | * SADB_SPDEXPIRE processing |
3100 | * send | | 3100 | * send |
3101 | * <base, address(SD), lifetime(CH), policy> | | 3101 | * <base, address(SD), lifetime(CH), policy> |
3102 | * to KMD by PF_KEY. | | 3102 | * to KMD by PF_KEY. |
3103 | * | | 3103 | * |
3104 | * OUT: 0 : succeed | | 3104 | * OUT: 0 : succeed |
3105 | * others : error number | | 3105 | * others : error number |
3106 | */ | | 3106 | */ |
3107 | static int | | 3107 | static int |
3108 | key_spdexpire(struct secpolicy *sp) | | 3108 | key_spdexpire(struct secpolicy *sp) |
3109 | { | | 3109 | { |
3110 | int s; | | 3110 | int s; |
3111 | struct mbuf *result = NULL, *m; | | 3111 | struct mbuf *result = NULL, *m; |
3112 | int len; | | 3112 | int len; |
3113 | int error = -1; | | 3113 | int error = -1; |
3114 | struct sadb_lifetime *lt; | | 3114 | struct sadb_lifetime *lt; |
3115 | | | 3115 | |
3116 | /* XXX: Why do we lock ? */ | | 3116 | /* XXX: Why do we lock ? */ |
3117 | s = splsoftnet(); /*called from softclock()*/ | | 3117 | s = splsoftnet(); /*called from softclock()*/ |
3118 | | | 3118 | |
3119 | KASSERT(sp != NULL); | | 3119 | KASSERT(sp != NULL); |
3120 | | | 3120 | |
3121 | /* set msg header */ | | 3121 | /* set msg header */ |
3122 | m = key_setsadbmsg(SADB_X_SPDEXPIRE, 0, 0, 0, 0, 0, M_WAITOK); | | 3122 | m = key_setsadbmsg(SADB_X_SPDEXPIRE, 0, 0, 0, 0, 0, M_WAITOK); |
3123 | result = m; | | 3123 | result = m; |
3124 | | | 3124 | |
3125 | /* create lifetime extension (current and hard) */ | | 3125 | /* create lifetime extension (current and hard) */ |
3126 | len = PFKEY_ALIGN8(sizeof(*lt)) * 2; | | 3126 | len = PFKEY_ALIGN8(sizeof(*lt)) * 2; |
3127 | m = key_alloc_mbuf(len, M_WAITOK); | | 3127 | m = key_alloc_mbuf(len, M_WAITOK); |
3128 | KASSERT(m->m_next == NULL); | | 3128 | KASSERT(m->m_next == NULL); |
3129 | | | 3129 | |
3130 | memset(mtod(m, void *), 0, len); | | 3130 | memset(mtod(m, void *), 0, len); |
3131 | lt = mtod(m, struct sadb_lifetime *); | | 3131 | lt = mtod(m, struct sadb_lifetime *); |
3132 | lt->sadb_lifetime_len = PFKEY_UNIT64(sizeof(struct sadb_lifetime)); | | 3132 | lt->sadb_lifetime_len = PFKEY_UNIT64(sizeof(struct sadb_lifetime)); |
3133 | lt->sadb_lifetime_exttype = SADB_EXT_LIFETIME_CURRENT; | | 3133 | lt->sadb_lifetime_exttype = SADB_EXT_LIFETIME_CURRENT; |
3134 | lt->sadb_lifetime_allocations = 0; | | 3134 | lt->sadb_lifetime_allocations = 0; |
3135 | lt->sadb_lifetime_bytes = 0; | | 3135 | lt->sadb_lifetime_bytes = 0; |
3136 | lt->sadb_lifetime_addtime = time_mono_to_wall(sp->created); | | 3136 | lt->sadb_lifetime_addtime = time_mono_to_wall(sp->created); |
3137 | lt->sadb_lifetime_usetime = time_mono_to_wall(sp->lastused); | | 3137 | lt->sadb_lifetime_usetime = time_mono_to_wall(sp->lastused); |
3138 | lt = (struct sadb_lifetime *)(mtod(m, char *) + len / 2); | | 3138 | lt = (struct sadb_lifetime *)(mtod(m, char *) + len / 2); |
3139 | lt->sadb_lifetime_len = PFKEY_UNIT64(sizeof(struct sadb_lifetime)); | | 3139 | lt->sadb_lifetime_len = PFKEY_UNIT64(sizeof(struct sadb_lifetime)); |
3140 | lt->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD; | | 3140 | lt->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD; |
3141 | lt->sadb_lifetime_allocations = 0; | | 3141 | lt->sadb_lifetime_allocations = 0; |
3142 | lt->sadb_lifetime_bytes = 0; | | 3142 | lt->sadb_lifetime_bytes = 0; |
3143 | lt->sadb_lifetime_addtime = sp->lifetime; | | 3143 | lt->sadb_lifetime_addtime = sp->lifetime; |
3144 | lt->sadb_lifetime_usetime = sp->validtime; | | 3144 | lt->sadb_lifetime_usetime = sp->validtime; |
3145 | m_cat(result, m); | | 3145 | m_cat(result, m); |
3146 | | | 3146 | |
3147 | /* set sadb_address for source */ | | 3147 | /* set sadb_address for source */ |
3148 | m = key_setsadbaddr(SADB_EXT_ADDRESS_SRC, &sp->spidx.src.sa, | | 3148 | m = key_setsadbaddr(SADB_EXT_ADDRESS_SRC, &sp->spidx.src.sa, |
3149 | sp->spidx.prefs, sp->spidx.ul_proto, M_WAITOK); | | 3149 | sp->spidx.prefs, sp->spidx.ul_proto, M_WAITOK); |
3150 | m_cat(result, m); | | 3150 | m_cat(result, m); |
3151 | | | 3151 | |
3152 | /* set sadb_address for destination */ | | 3152 | /* set sadb_address for destination */ |
3153 | m = key_setsadbaddr(SADB_EXT_ADDRESS_DST, &sp->spidx.dst.sa, | | 3153 | m = key_setsadbaddr(SADB_EXT_ADDRESS_DST, &sp->spidx.dst.sa, |
3154 | sp->spidx.prefd, sp->spidx.ul_proto, M_WAITOK); | | 3154 | sp->spidx.prefd, sp->spidx.ul_proto, M_WAITOK); |
3155 | m_cat(result, m); | | 3155 | m_cat(result, m); |
3156 | | | 3156 | |
3157 | /* set secpolicy */ | | 3157 | /* set secpolicy */ |
3158 | m = key_sp2msg(sp, M_WAITOK); | | 3158 | m = key_sp2msg(sp, M_WAITOK); |
3159 | m_cat(result, m); | | 3159 | m_cat(result, m); |
3160 | | | 3160 | |
3161 | KASSERT(result->m_flags & M_PKTHDR); | | 3161 | KASSERT(result->m_flags & M_PKTHDR); |
3162 | KASSERT(result->m_len >= sizeof(struct sadb_msg)); | | 3162 | KASSERT(result->m_len >= sizeof(struct sadb_msg)); |
3163 | | | 3163 | |
3164 | result->m_pkthdr.len = 0; | | 3164 | result->m_pkthdr.len = 0; |
3165 | for (m = result; m; m = m->m_next) | | 3165 | for (m = result; m; m = m->m_next) |
3166 | result->m_pkthdr.len += m->m_len; | | 3166 | result->m_pkthdr.len += m->m_len; |
3167 | | | 3167 | |
3168 | mtod(result, struct sadb_msg *)->sadb_msg_len = | | 3168 | mtod(result, struct sadb_msg *)->sadb_msg_len = |
3169 | PFKEY_UNIT64(result->m_pkthdr.len); | | 3169 | PFKEY_UNIT64(result->m_pkthdr.len); |
3170 | | | 3170 | |
3171 | error = key_sendup_mbuf(NULL, result, KEY_SENDUP_REGISTERED); | | 3171 | error = key_sendup_mbuf(NULL, result, KEY_SENDUP_REGISTERED); |
3172 | splx(s); | | 3172 | splx(s); |
3173 | return error; | | 3173 | return error; |
3174 | } | | 3174 | } |
3175 | | | 3175 | |
3176 | /* %%% SAD management */ | | 3176 | /* %%% SAD management */ |
3177 | /* | | 3177 | /* |
3178 | * allocating a memory for new SA head, and copy from the values of mhp. | | 3178 | * allocating a memory for new SA head, and copy from the values of mhp. |
3179 | * OUT: NULL : failure due to the lack of memory. | | 3179 | * OUT: NULL : failure due to the lack of memory. |
3180 | * others : pointer to new SA head. | | 3180 | * others : pointer to new SA head. |
3181 | */ | | 3181 | */ |
3182 | static struct secashead * | | 3182 | static struct secashead * |
3183 | key_newsah(const struct secasindex *saidx) | | 3183 | key_newsah(const struct secasindex *saidx) |
3184 | { | | 3184 | { |
3185 | struct secashead *newsah; | | 3185 | struct secashead *newsah; |
3186 | int i; | | 3186 | int i; |
3187 | | | 3187 | |
3188 | KASSERT(saidx != NULL); | | 3188 | KASSERT(saidx != NULL); |
3189 | | | 3189 | |
3190 | newsah = kmem_zalloc(sizeof(struct secashead), KM_SLEEP); | | 3190 | newsah = kmem_zalloc(sizeof(struct secashead), KM_SLEEP); |
3191 | for (i = 0; i < __arraycount(newsah->savlist); i++) | | 3191 | for (i = 0; i < __arraycount(newsah->savlist); i++) |
3192 | PSLIST_INIT(&newsah->savlist[i]); | | 3192 | PSLIST_INIT(&newsah->savlist[i]); |
3193 | newsah->saidx = *saidx; | | 3193 | newsah->saidx = *saidx; |
3194 | | | 3194 | |
3195 | localcount_init(&newsah->localcount); | | 3195 | localcount_init(&newsah->localcount); |
3196 | /* Take a reference for the caller */ | | 3196 | /* Take a reference for the caller */ |
3197 | localcount_acquire(&newsah->localcount); | | 3197 | localcount_acquire(&newsah->localcount); |
3198 | | | 3198 | |
3199 | /* Add to the sah list */ | | 3199 | /* Add to the sah list */ |
3200 | SAHLIST_ENTRY_INIT(newsah); | | 3200 | SAHLIST_ENTRY_INIT(newsah); |
3201 | newsah->state = SADB_SASTATE_MATURE; | | 3201 | newsah->state = SADB_SASTATE_MATURE; |
3202 | mutex_enter(&key_sad.lock); | | 3202 | mutex_enter(&key_sad.lock); |
3203 | SAHLIST_WRITER_INSERT_HEAD(newsah); | | 3203 | SAHLIST_WRITER_INSERT_HEAD(newsah); |
3204 | mutex_exit(&key_sad.lock); | | 3204 | mutex_exit(&key_sad.lock); |
3205 | | | 3205 | |
3206 | return newsah; | | 3206 | return newsah; |
3207 | } | | 3207 | } |
3208 | | | 3208 | |
3209 | static bool | | 3209 | static bool |
3210 | key_sah_has_sav(struct secashead *sah) | | 3210 | key_sah_has_sav(struct secashead *sah) |
3211 | { | | 3211 | { |
3212 | u_int state; | | 3212 | u_int state; |
3213 | | | 3213 | |
3214 | KASSERT(mutex_owned(&key_sad.lock)); | | 3214 | KASSERT(mutex_owned(&key_sad.lock)); |
3215 | | | 3215 | |
3216 | SASTATE_ANY_FOREACH(state) { | | 3216 | SASTATE_ANY_FOREACH(state) { |
3217 | if (!SAVLIST_WRITER_EMPTY(sah, state)) | | 3217 | if (!SAVLIST_WRITER_EMPTY(sah, state)) |
3218 | return true; | | 3218 | return true; |
3219 | } | | 3219 | } |
3220 | | | 3220 | |
3221 | return false; | | 3221 | return false; |
3222 | } | | 3222 | } |
3223 | | | 3223 | |
3224 | static void | | 3224 | static void |
3225 | key_unlink_sah(struct secashead *sah) | | 3225 | key_unlink_sah(struct secashead *sah) |
3226 | { | | 3226 | { |
3227 | | | 3227 | |
3228 | KASSERT(!cpu_softintr_p()); | | 3228 | KASSERT(!cpu_softintr_p()); |
3229 | KASSERT(mutex_owned(&key_sad.lock)); | | 3229 | KASSERT(mutex_owned(&key_sad.lock)); |
3230 | KASSERT(sah->state == SADB_SASTATE_DEAD); | | 3230 | KASSERT(sah->state == SADB_SASTATE_DEAD); |
3231 | | | 3231 | |
3232 | /* Remove from the sah list */ | | 3232 | /* Remove from the sah list */ |
3233 | SAHLIST_WRITER_REMOVE(sah); | | 3233 | SAHLIST_WRITER_REMOVE(sah); |
3234 | | | 3234 | |
3235 | KDASSERT(mutex_ownable(softnet_lock)); | | 3235 | KDASSERT(mutex_ownable(softnet_lock)); |
3236 | key_sad_pserialize_perform(); | | 3236 | key_sad_pserialize_perform(); |
3237 | | | 3237 | |
3238 | localcount_drain(&sah->localcount, &key_sad.cv_lc, &key_sad.lock); | | 3238 | localcount_drain(&sah->localcount, &key_sad.cv_lc, &key_sad.lock); |
3239 | } | | 3239 | } |
3240 | | | 3240 | |
3241 | static void | | 3241 | static void |
3242 | key_destroy_sah(struct secashead *sah) | | 3242 | key_destroy_sah(struct secashead *sah) |
3243 | { | | 3243 | { |
3244 | | | 3244 | |
3245 | rtcache_free(&sah->sa_route); | | 3245 | rtcache_free(&sah->sa_route); |
3246 | | | 3246 | |
3247 | SAHLIST_ENTRY_DESTROY(sah); | | 3247 | SAHLIST_ENTRY_DESTROY(sah); |
3248 | localcount_fini(&sah->localcount); | | 3248 | localcount_fini(&sah->localcount); |
3249 | | | 3249 | |
3250 | if (sah->idents != NULL) | | 3250 | if (sah->idents != NULL) |
3251 | kmem_free(sah->idents, sah->idents_len); | | 3251 | kmem_free(sah->idents, sah->idents_len); |
3252 | if (sah->identd != NULL) | | 3252 | if (sah->identd != NULL) |
3253 | kmem_free(sah->identd, sah->identd_len); | | 3253 | kmem_free(sah->identd, sah->identd_len); |
3254 | | | 3254 | |
3255 | kmem_free(sah, sizeof(*sah)); | | 3255 | kmem_free(sah, sizeof(*sah)); |
3256 | } | | 3256 | } |
3257 | | | 3257 | |
3258 | /* | | 3258 | /* |
3259 | * allocating a new SA with LARVAL state. | | 3259 | * allocating a new SA with LARVAL state. |
3260 | * key_api_add() and key_api_getspi() call, | | 3260 | * key_api_add() and key_api_getspi() call, |
3261 | * and copy the values of mhp into new buffer. | | 3261 | * and copy the values of mhp into new buffer. |
3262 | * When SAD message type is GETSPI: | | 3262 | * When SAD message type is GETSPI: |
3263 | * to set sequence number from acq_seq++, | | 3263 | * to set sequence number from acq_seq++, |
3264 | * to set zero to SPI. | | 3264 | * to set zero to SPI. |
3265 | * not to call key_setsava(). | | 3265 | * not to call key_setsava(). |
3266 | * OUT: NULL : fail | | 3266 | * OUT: NULL : fail |
3267 | * others : pointer to new secasvar. | | 3267 | * others : pointer to new secasvar. |
3268 | * | | 3268 | * |
3269 | * does not modify mbuf. does not free mbuf on error. | | 3269 | * does not modify mbuf. does not free mbuf on error. |
3270 | */ | | 3270 | */ |
3271 | static struct secasvar * | | 3271 | static struct secasvar * |
3272 | key_newsav(struct mbuf *m, const struct sadb_msghdr *mhp, | | 3272 | key_newsav(struct mbuf *m, const struct sadb_msghdr *mhp, |
3273 | int *errp, const char* where, int tag) | | 3273 | int *errp, const char* where, int tag) |
3274 | { | | 3274 | { |
3275 | struct secasvar *newsav; | | 3275 | struct secasvar *newsav; |
3276 | const struct sadb_sa *xsa; | | 3276 | const struct sadb_sa *xsa; |
3277 | | | 3277 | |
3278 | KASSERT(!cpu_softintr_p()); | | 3278 | KASSERT(!cpu_softintr_p()); |
3279 | KASSERT(m != NULL); | | 3279 | KASSERT(m != NULL); |
3280 | KASSERT(mhp != NULL); | | 3280 | KASSERT(mhp != NULL); |
3281 | KASSERT(mhp->msg != NULL); | | 3281 | KASSERT(mhp->msg != NULL); |
3282 | | | 3282 | |
3283 | newsav = kmem_zalloc(sizeof(struct secasvar), KM_SLEEP); | | 3283 | newsav = kmem_zalloc(sizeof(struct secasvar), KM_SLEEP); |
3284 | | | 3284 | |
3285 | switch (mhp->msg->sadb_msg_type) { | | 3285 | switch (mhp->msg->sadb_msg_type) { |
3286 | case SADB_GETSPI: | | 3286 | case SADB_GETSPI: |
3287 | newsav->spi = 0; | | 3287 | newsav->spi = 0; |
3288 | | | 3288 | |
3289 | #ifdef IPSEC_DOSEQCHECK | | 3289 | #ifdef IPSEC_DOSEQCHECK |
3290 | /* sync sequence number */ | | 3290 | /* sync sequence number */ |
3291 | if (mhp->msg->sadb_msg_seq == 0) | | 3291 | if (mhp->msg->sadb_msg_seq == 0) |
3292 | newsav->seq = | | 3292 | newsav->seq = |
3293 | (acq_seq = (acq_seq == ~0 ? 1 : ++acq_seq)); | | 3293 | (acq_seq = (acq_seq == ~0 ? 1 : ++acq_seq)); |
3294 | else | | 3294 | else |
3295 | #endif | | 3295 | #endif |
3296 | newsav->seq = mhp->msg->sadb_msg_seq; | | 3296 | newsav->seq = mhp->msg->sadb_msg_seq; |
3297 | break; | | 3297 | break; |
3298 | | | 3298 | |
3299 | case SADB_ADD: | | 3299 | case SADB_ADD: |
3300 | /* sanity check */ | | 3300 | /* sanity check */ |
3301 | if (mhp->ext[SADB_EXT_SA] == NULL) { | | 3301 | if (mhp->ext[SADB_EXT_SA] == NULL) { |
3302 | IPSECLOG(LOG_DEBUG, "invalid message is passed.\n"); | | 3302 | IPSECLOG(LOG_DEBUG, "invalid message is passed.\n"); |
3303 | *errp = EINVAL; | | 3303 | *errp = EINVAL; |
3304 | goto error; | | 3304 | goto error; |
3305 | } | | 3305 | } |
3306 | xsa = mhp->ext[SADB_EXT_SA]; | | 3306 | xsa = mhp->ext[SADB_EXT_SA]; |
3307 | newsav->spi = xsa->sadb_sa_spi; | | 3307 | newsav->spi = xsa->sadb_sa_spi; |
3308 | newsav->seq = mhp->msg->sadb_msg_seq; | | 3308 | newsav->seq = mhp->msg->sadb_msg_seq; |
3309 | break; | | 3309 | break; |
3310 | default: | | 3310 | default: |
3311 | *errp = EINVAL; | | 3311 | *errp = EINVAL; |
3312 | goto error; | | 3312 | goto error; |
3313 | } | | 3313 | } |
3314 | | | 3314 | |
3315 | /* copy sav values */ | | 3315 | /* copy sav values */ |
3316 | if (mhp->msg->sadb_msg_type != SADB_GETSPI) { | | 3316 | if (mhp->msg->sadb_msg_type != SADB_GETSPI) { |
3317 | *errp = key_setsaval(newsav, m, mhp); | | 3317 | *errp = key_setsaval(newsav, m, mhp); |
3318 | if (*errp) | | 3318 | if (*errp) |
3319 | goto error; | | 3319 | goto error; |
3320 | } else { | | 3320 | } else { |
3321 | /* We don't allow lft_c to be NULL */ | | 3321 | /* We don't allow lft_c to be NULL */ |
3322 | newsav->lft_c = kmem_zalloc(sizeof(struct sadb_lifetime), | | 3322 | newsav->lft_c = kmem_zalloc(sizeof(struct sadb_lifetime), |
3323 | KM_SLEEP); | | 3323 | KM_SLEEP); |
3324 | newsav->lft_c_counters_percpu = | | 3324 | newsav->lft_c_counters_percpu = |
3325 | percpu_alloc(sizeof(lifetime_counters_t)); | | 3325 | percpu_alloc(sizeof(lifetime_counters_t)); |
3326 | } | | 3326 | } |
3327 | | | 3327 | |
3328 | /* reset created */ | | 3328 | /* reset created */ |
3329 | newsav->created = time_uptime; | | 3329 | newsav->created = time_uptime; |
3330 | newsav->pid = mhp->msg->sadb_msg_pid; | | 3330 | newsav->pid = mhp->msg->sadb_msg_pid; |
3331 | | | 3331 | |
3332 | KEYDEBUG_PRINTF(KEYDEBUG_IPSEC_STAMP, | | 3332 | KEYDEBUG_PRINTF(KEYDEBUG_IPSEC_STAMP, |
3333 | "DP from %s:%u return SA:%p\n", where, tag, newsav); | | 3333 | "DP from %s:%u return SA:%p\n", where, tag, newsav); |
3334 | return newsav; | | 3334 | return newsav; |
3335 | | | 3335 | |
3336 | error: | | 3336 | error: |
3337 | KASSERT(*errp != 0); | | 3337 | KASSERT(*errp != 0); |
3338 | kmem_free(newsav, sizeof(*newsav)); | | 3338 | kmem_free(newsav, sizeof(*newsav)); |
3339 | KEYDEBUG_PRINTF(KEYDEBUG_IPSEC_STAMP, | | 3339 | KEYDEBUG_PRINTF(KEYDEBUG_IPSEC_STAMP, |
3340 | "DP from %s:%u return SA:NULL\n", where, tag); | | 3340 | "DP from %s:%u return SA:NULL\n", where, tag); |
3341 | return NULL; | | 3341 | return NULL; |
3342 | } | | 3342 | } |
3343 | | | 3343 | |
3344 | | | 3344 | |
3345 | static void | | 3345 | static void |
3346 | key_clear_xform(struct secasvar *sav) | | 3346 | key_clear_xform(struct secasvar *sav) |
3347 | { | | 3347 | { |
3348 | | | 3348 | |
3349 | /* | | 3349 | /* |
3350 | * Cleanup xform state. Note that zeroize'ing causes the | | 3350 | * Cleanup xform state. Note that zeroize'ing causes the |
3351 | * keys to be cleared; otherwise we must do it ourself. | | 3351 | * keys to be cleared; otherwise we must do it ourself. |
3352 | */ | | 3352 | */ |
3353 | if (sav->tdb_xform != NULL) { | | 3353 | if (sav->tdb_xform != NULL) { |
3354 | sav->tdb_xform->xf_zeroize(sav); | | 3354 | sav->tdb_xform->xf_zeroize(sav); |
3355 | sav->tdb_xform = NULL; | | 3355 | sav->tdb_xform = NULL; |
3356 | } else { | | 3356 | } else { |
3357 | if (sav->key_auth != NULL) | | 3357 | if (sav->key_auth != NULL) |
3358 | explicit_memset(_KEYBUF(sav->key_auth), 0, | | 3358 | explicit_memset(_KEYBUF(sav->key_auth), 0, |
3359 | _KEYLEN(sav->key_auth)); | | 3359 | _KEYLEN(sav->key_auth)); |
3360 | if (sav->key_enc != NULL) | | 3360 | if (sav->key_enc != NULL) |
3361 | explicit_memset(_KEYBUF(sav->key_enc), 0, | | 3361 | explicit_memset(_KEYBUF(sav->key_enc), 0, |
3362 | _KEYLEN(sav->key_enc)); | | 3362 | _KEYLEN(sav->key_enc)); |
3363 | } | | 3363 | } |
3364 | } | | 3364 | } |
3365 | | | 3365 | |
3366 | /* | | 3366 | /* |
3367 | * free() SA variable entry. | | 3367 | * free() SA variable entry. |
3368 | */ | | 3368 | */ |
3369 | static void | | 3369 | static void |
3370 | key_delsav(struct secasvar *sav) | | 3370 | key_delsav(struct secasvar *sav) |
3371 | { | | 3371 | { |
3372 | | | 3372 | |
3373 | key_clear_xform(sav); | | 3373 | key_clear_xform(sav); |
3374 | key_freesaval(sav); | | 3374 | key_freesaval(sav); |
3375 | kmem_free(sav, sizeof(*sav)); | | 3375 | kmem_free(sav, sizeof(*sav)); |
3376 | } | | 3376 | } |
3377 | | | 3377 | |
3378 | /* | | 3378 | /* |
3379 | * Must be called in a pserialize read section. A held sah | | 3379 | * Must be called in a pserialize read section. A held sah |
3380 | * must be released by key_sah_unref after use. | | 3380 | * must be released by key_sah_unref after use. |
3381 | */ | | 3381 | */ |
3382 | static void | | 3382 | static void |
3383 | key_sah_ref(struct secashead *sah) | | 3383 | key_sah_ref(struct secashead *sah) |
3384 | { | | 3384 | { |
3385 | | | 3385 | |
3386 | localcount_acquire(&sah->localcount); | | 3386 | localcount_acquire(&sah->localcount); |
3387 | } | | 3387 | } |
3388 | | | 3388 | |
3389 | /* | | 3389 | /* |
3390 | * Must be called without holding key_sad.lock because the lock | | 3390 | * Must be called without holding key_sad.lock because the lock |
3391 | * would be held in localcount_release. | | 3391 | * would be held in localcount_release. |
3392 | */ | | 3392 | */ |
3393 | static void | | 3393 | static void |
3394 | key_sah_unref(struct secashead *sah) | | 3394 | key_sah_unref(struct secashead *sah) |
3395 | { | | 3395 | { |
3396 | | | 3396 | |
3397 | KDASSERT(mutex_ownable(&key_sad.lock)); | | 3397 | KDASSERT(mutex_ownable(&key_sad.lock)); |
3398 | | | 3398 | |
3399 | localcount_release(&sah->localcount, &key_sad.cv_lc, &key_sad.lock); | | 3399 | localcount_release(&sah->localcount, &key_sad.cv_lc, &key_sad.lock); |
3400 | } | | 3400 | } |
3401 | | | 3401 | |
3402 | /* | | 3402 | /* |
3403 | * Search SAD and return sah. Must be called in a pserialize | | 3403 | * Search SAD and return sah. Must be called in a pserialize |
3404 | * read section. | | 3404 | * read section. |
3405 | * OUT: | | 3405 | * OUT: |
3406 | * NULL : not found | | 3406 | * NULL : not found |
3407 | * others : found, pointer to a SA. | | 3407 | * others : found, pointer to a SA. |
3408 | */ | | 3408 | */ |
3409 | static struct secashead * | | 3409 | static struct secashead * |
3410 | key_getsah(const struct secasindex *saidx, int flag) | | 3410 | key_getsah(const struct secasindex *saidx, int flag) |
3411 | { | | 3411 | { |
3412 | struct secashead *sah; | | 3412 | struct secashead *sah; |
3413 | | | 3413 | |
3414 | SAHLIST_READER_FOREACH_SAIDX(sah, saidx) { | | 3414 | SAHLIST_READER_FOREACH_SAIDX(sah, saidx) { |
3415 | if (sah->state == SADB_SASTATE_DEAD) | | 3415 | if (sah->state == SADB_SASTATE_DEAD) |
3416 | continue; | | 3416 | continue; |
3417 | if (key_saidx_match(&sah->saidx, saidx, flag)) | | 3417 | if (key_saidx_match(&sah->saidx, saidx, flag)) |
3418 | return sah; | | 3418 | return sah; |
3419 | } | | 3419 | } |
3420 | | | 3420 | |
3421 | return NULL; | | 3421 | return NULL; |
3422 | } | | 3422 | } |
3423 | | | 3423 | |
3424 | /* | | 3424 | /* |
3425 | * Search SAD and return sah. If sah is returned, the caller must call | | 3425 | * Search SAD and return sah. If sah is returned, the caller must call |
3426 | * key_sah_unref to releaset a reference. | | 3426 | * key_sah_unref to releaset a reference. |
3427 | * OUT: | | 3427 | * OUT: |
3428 | * NULL : not found | | 3428 | * NULL : not found |
3429 | * others : found, pointer to a SA. | | 3429 | * others : found, pointer to a SA. |
3430 | */ | | 3430 | */ |
3431 | static struct secashead * | | 3431 | static struct secashead * |
3432 | key_getsah_ref(const struct secasindex *saidx, int flag) | | 3432 | key_getsah_ref(const struct secasindex *saidx, int flag) |
3433 | { | | 3433 | { |
3434 | struct secashead *sah; | | 3434 | struct secashead *sah; |
3435 | int s; | | 3435 | int s; |
3436 | | | 3436 | |
3437 | s = pserialize_read_enter(); | | 3437 | s = pserialize_read_enter(); |
3438 | sah = key_getsah(saidx, flag); | | 3438 | sah = key_getsah(saidx, flag); |
3439 | if (sah != NULL) | | 3439 | if (sah != NULL) |
3440 | key_sah_ref(sah); | | 3440 | key_sah_ref(sah); |
3441 | pserialize_read_exit(s); | | 3441 | pserialize_read_exit(s); |
3442 | | | 3442 | |
3443 | return sah; | | 3443 | return sah; |
3444 | } | | 3444 | } |
3445 | | | 3445 | |
3446 | /* | | 3446 | /* |
3447 | * check not to be duplicated SPI. | | 3447 | * check not to be duplicated SPI. |
3448 | * NOTE: this function is too slow due to searching all SAD. | | 3448 | * NOTE: this function is too slow due to searching all SAD. |
3449 | * OUT: | | 3449 | * OUT: |
3450 | * NULL : not found | | 3450 | * NULL : not found |
3451 | * others : found, pointer to a SA. | | 3451 | * others : found, pointer to a SA. |
3452 | */ | | 3452 | */ |
3453 | static bool | | 3453 | static bool |
3454 | key_checkspidup(const struct secasindex *saidx, u_int32_t spi) | | 3454 | key_checkspidup(const struct secasindex *saidx, u_int32_t spi) |
3455 | { | | 3455 | { |
3456 | struct secashead *sah; | | 3456 | struct secashead *sah; |
3457 | struct secasvar *sav; | | 3457 | struct secasvar *sav; |
3458 | int s; | | | |
3459 | | | 3458 | |
3460 | /* check address family */ | | 3459 | /* check address family */ |
3461 | if (saidx->src.sa.sa_family != saidx->dst.sa.sa_family) { | | 3460 | if (saidx->src.sa.sa_family != saidx->dst.sa.sa_family) { |
3462 | IPSECLOG(LOG_DEBUG, | | 3461 | IPSECLOG(LOG_DEBUG, |
3463 | "address family mismatched src %u, dst %u.\n", | | 3462 | "address family mismatched src %u, dst %u.\n", |
3464 | saidx->src.sa.sa_family, saidx->dst.sa.sa_family); | | 3463 | saidx->src.sa.sa_family, saidx->dst.sa.sa_family); |
3465 | return false; | | 3464 | return false; |
3466 | } | | 3465 | } |
3467 | | | 3466 | |
3468 | /* check all SAD */ | | 3467 | /* check all SAD */ |
3469 | s = pserialize_read_enter(); | | 3468 | /* key_ismyaddr may sleep, so use mutex, not pserialize, here. */ |
3470 | SAHLIST_READER_FOREACH(sah) { | | 3469 | mutex_enter(&key_sad.lock); |
| | | 3470 | SAHLIST_WRITER_FOREACH(sah) { |
3471 | if (!key_ismyaddr((struct sockaddr *)&sah->saidx.dst)) | | 3471 | if (!key_ismyaddr((struct sockaddr *)&sah->saidx.dst)) |
3472 | continue; | | 3472 | continue; |
3473 | sav = key_getsavbyspi(sah, spi); | | 3473 | sav = key_getsavbyspi(sah, spi); |
3474 | if (sav != NULL) { | | 3474 | if (sav != NULL) { |
3475 | pserialize_read_exit(s); | | | |
3476 | KEY_SA_UNREF(&sav); | | 3475 | KEY_SA_UNREF(&sav); |
| | | 3476 | mutex_exit(&key_sad.lock); |
3477 | return true; | | 3477 | return true; |
3478 | } | | 3478 | } |
3479 | } | | 3479 | } |
3480 | pserialize_read_exit(s); | | 3480 | mutex_exit(&key_sad.lock); |
3481 | | | 3481 | |
3482 | return false; | | 3482 | return false; |
3483 | } | | 3483 | } |
3484 | | | 3484 | |
3485 | /* | | 3485 | /* |
3486 | * search SAD litmited alive SA, protocol, SPI. | | 3486 | * search SAD litmited alive SA, protocol, SPI. |
3487 | * OUT: | | 3487 | * OUT: |
3488 | * NULL : not found | | 3488 | * NULL : not found |
3489 | * others : found, pointer to a SA. | | 3489 | * others : found, pointer to a SA. |
3490 | */ | | 3490 | */ |
3491 | static struct secasvar * | | 3491 | static struct secasvar * |
3492 | key_getsavbyspi(struct secashead *sah, u_int32_t spi) | | 3492 | key_getsavbyspi(struct secashead *sah, u_int32_t spi) |
3493 | { | | 3493 | { |
3494 | struct secasvar *sav = NULL; | | 3494 | struct secasvar *sav = NULL; |
3495 | u_int state; | | 3495 | u_int state; |
3496 | int s; | | 3496 | int s; |
3497 | | | 3497 | |
3498 | /* search all status */ | | 3498 | /* search all status */ |
3499 | s = pserialize_read_enter(); | | 3499 | s = pserialize_read_enter(); |
3500 | SASTATE_ALIVE_FOREACH(state) { | | 3500 | SASTATE_ALIVE_FOREACH(state) { |
3501 | SAVLIST_READER_FOREACH(sav, sah, state) { | | 3501 | SAVLIST_READER_FOREACH(sav, sah, state) { |
3502 | /* sanity check */ | | 3502 | /* sanity check */ |
3503 | if (sav->state != state) { | | 3503 | if (sav->state != state) { |
3504 | IPSECLOG(LOG_DEBUG, | | 3504 | IPSECLOG(LOG_DEBUG, |
3505 | "invalid sav->state (queue: %d SA: %d)\n", | | 3505 | "invalid sav->state (queue: %d SA: %d)\n", |
3506 | state, sav->state); | | 3506 | state, sav->state); |
3507 | continue; | | 3507 | continue; |
3508 | } | | 3508 | } |
3509 | | | 3509 | |
3510 | if (sav->spi == spi) { | | 3510 | if (sav->spi == spi) { |
3511 | KEY_SA_REF(sav); | | 3511 | KEY_SA_REF(sav); |
3512 | goto out; | | 3512 | goto out; |
3513 | } | | 3513 | } |
3514 | } | | 3514 | } |
3515 | } | | 3515 | } |
3516 | out: | | 3516 | out: |
3517 | pserialize_read_exit(s); | | 3517 | pserialize_read_exit(s); |
3518 | | | 3518 | |
3519 | return sav; | | 3519 | return sav; |
3520 | } | | 3520 | } |
3521 | | | 3521 | |
3522 | /* | | 3522 | /* |
3523 | * Free allocated data to member variables of sav: | | 3523 | * Free allocated data to member variables of sav: |
3524 | * sav->replay, sav->key_* and sav->lft_*. | | 3524 | * sav->replay, sav->key_* and sav->lft_*. |
3525 | */ | | 3525 | */ |
3526 | static void | | 3526 | static void |
3527 | key_freesaval(struct secasvar *sav) | | 3527 | key_freesaval(struct secasvar *sav) |
3528 | { | | 3528 | { |
3529 | | | 3529 | |
3530 | KASSERT(key_sa_refcnt(sav) == 0); | | 3530 | KASSERT(key_sa_refcnt(sav) == 0); |
3531 | | | 3531 | |
3532 | if (sav->replay != NULL) | | 3532 | if (sav->replay != NULL) |
3533 | kmem_intr_free(sav->replay, sav->replay_len); | | 3533 | kmem_intr_free(sav->replay, sav->replay_len); |
3534 | if (sav->key_auth != NULL) | | 3534 | if (sav->key_auth != NULL) |
3535 | kmem_intr_free(sav->key_auth, sav->key_auth_len); | | 3535 | kmem_intr_free(sav->key_auth, sav->key_auth_len); |
3536 | if (sav->key_enc != NULL) | | 3536 | if (sav->key_enc != NULL) |
3537 | kmem_intr_free(sav->key_enc, sav->key_enc_len); | | 3537 | kmem_intr_free(sav->key_enc, sav->key_enc_len); |
3538 | if (sav->lft_c_counters_percpu != NULL) { | | 3538 | if (sav->lft_c_counters_percpu != NULL) { |
3539 | percpu_free(sav->lft_c_counters_percpu, | | 3539 | percpu_free(sav->lft_c_counters_percpu, |
3540 | sizeof(lifetime_counters_t)); | | 3540 | sizeof(lifetime_counters_t)); |
3541 | } | | 3541 | } |
3542 | if (sav->lft_c != NULL) | | 3542 | if (sav->lft_c != NULL) |
3543 | kmem_intr_free(sav->lft_c, sizeof(*(sav->lft_c))); | | 3543 | kmem_intr_free(sav->lft_c, sizeof(*(sav->lft_c))); |
3544 | if (sav->lft_h != NULL) | | 3544 | if (sav->lft_h != NULL) |
3545 | kmem_intr_free(sav->lft_h, sizeof(*(sav->lft_h))); | | 3545 | kmem_intr_free(sav->lft_h, sizeof(*(sav->lft_h))); |
3546 | if (sav->lft_s != NULL) | | 3546 | if (sav->lft_s != NULL) |
3547 | kmem_intr_free(sav->lft_s, sizeof(*(sav->lft_s))); | | 3547 | kmem_intr_free(sav->lft_s, sizeof(*(sav->lft_s))); |
3548 | } | | 3548 | } |
3549 | | | 3549 | |
3550 | /* | | 3550 | /* |
3551 | * copy SA values from PF_KEY message except *SPI, SEQ, PID, STATE and TYPE*. | | 3551 | * copy SA values from PF_KEY message except *SPI, SEQ, PID, STATE and TYPE*. |
3552 | * You must update these if need. | | 3552 | * You must update these if need. |
3553 | * OUT: 0: success. | | 3553 | * OUT: 0: success. |
3554 | * !0: failure. | | 3554 | * !0: failure. |
3555 | * | | 3555 | * |
3556 | * does not modify mbuf. does not free mbuf on error. | | 3556 | * does not modify mbuf. does not free mbuf on error. |
3557 | */ | | 3557 | */ |
3558 | static int | | 3558 | static int |
3559 | key_setsaval(struct secasvar *sav, struct mbuf *m, | | 3559 | key_setsaval(struct secasvar *sav, struct mbuf *m, |
3560 | const struct sadb_msghdr *mhp) | | 3560 | const struct sadb_msghdr *mhp) |
3561 | { | | 3561 | { |
3562 | int error = 0; | | 3562 | int error = 0; |
3563 | | | 3563 | |
3564 | KASSERT(!cpu_softintr_p()); | | 3564 | KASSERT(!cpu_softintr_p()); |
3565 | KASSERT(m != NULL); | | 3565 | KASSERT(m != NULL); |
3566 | KASSERT(mhp != NULL); | | 3566 | KASSERT(mhp != NULL); |
3567 | KASSERT(mhp->msg != NULL); | | 3567 | KASSERT(mhp->msg != NULL); |
3568 | | | 3568 | |
3569 | /* We shouldn't initialize sav variables while someone uses it. */ | | 3569 | /* We shouldn't initialize sav variables while someone uses it. */ |
3570 | KASSERT(key_sa_refcnt(sav) == 0); | | 3570 | KASSERT(key_sa_refcnt(sav) == 0); |
3571 | | | 3571 | |
3572 | /* SA */ | | 3572 | /* SA */ |
3573 | if (mhp->ext[SADB_EXT_SA] != NULL) { | | 3573 | if (mhp->ext[SADB_EXT_SA] != NULL) { |
3574 | const struct sadb_sa *sa0; | | 3574 | const struct sadb_sa *sa0; |
3575 | | | 3575 | |
3576 | sa0 = mhp->ext[SADB_EXT_SA]; | | 3576 | sa0 = mhp->ext[SADB_EXT_SA]; |
3577 | if (mhp->extlen[SADB_EXT_SA] < sizeof(*sa0)) { | | 3577 | if (mhp->extlen[SADB_EXT_SA] < sizeof(*sa0)) { |
3578 | error = EINVAL; | | 3578 | error = EINVAL; |
3579 | goto fail; | | 3579 | goto fail; |
3580 | } | | 3580 | } |
3581 | | | 3581 | |
3582 | sav->alg_auth = sa0->sadb_sa_auth; | | 3582 | sav->alg_auth = sa0->sadb_sa_auth; |
3583 | sav->alg_enc = sa0->sadb_sa_encrypt; | | 3583 | sav->alg_enc = sa0->sadb_sa_encrypt; |
3584 | sav->flags = sa0->sadb_sa_flags; | | 3584 | sav->flags = sa0->sadb_sa_flags; |
3585 | | | 3585 | |
3586 | /* replay window */ | | 3586 | /* replay window */ |
3587 | if ((sa0->sadb_sa_flags & SADB_X_EXT_OLD) == 0) { | | 3587 | if ((sa0->sadb_sa_flags & SADB_X_EXT_OLD) == 0) { |
3588 | size_t len = sizeof(struct secreplay) + | | 3588 | size_t len = sizeof(struct secreplay) + |
3589 | sa0->sadb_sa_replay; | | 3589 | sa0->sadb_sa_replay; |
3590 | sav->replay = kmem_zalloc(len, KM_SLEEP); | | 3590 | sav->replay = kmem_zalloc(len, KM_SLEEP); |
3591 | sav->replay_len = len; | | 3591 | sav->replay_len = len; |
3592 | if (sa0->sadb_sa_replay != 0) | | 3592 | if (sa0->sadb_sa_replay != 0) |
3593 | sav->replay->bitmap = (char*)(sav->replay+1); | | 3593 | sav->replay->bitmap = (char*)(sav->replay+1); |
3594 | sav->replay->wsize = sa0->sadb_sa_replay; | | 3594 | sav->replay->wsize = sa0->sadb_sa_replay; |
3595 | } | | 3595 | } |
3596 | } | | 3596 | } |
3597 | | | 3597 | |
3598 | /* Authentication keys */ | | 3598 | /* Authentication keys */ |
3599 | if (mhp->ext[SADB_EXT_KEY_AUTH] != NULL) { | | 3599 | if (mhp->ext[SADB_EXT_KEY_AUTH] != NULL) { |
3600 | const struct sadb_key *key0; | | 3600 | const struct sadb_key *key0; |
3601 | int len; | | 3601 | int len; |
3602 | | | 3602 | |
3603 | key0 = mhp->ext[SADB_EXT_KEY_AUTH]; | | 3603 | key0 = mhp->ext[SADB_EXT_KEY_AUTH]; |
3604 | len = mhp->extlen[SADB_EXT_KEY_AUTH]; | | 3604 | len = mhp->extlen[SADB_EXT_KEY_AUTH]; |
3605 | | | 3605 | |
3606 | error = 0; | | 3606 | error = 0; |
3607 | if (len < sizeof(*key0)) { | | 3607 | if (len < sizeof(*key0)) { |
3608 | error = EINVAL; | | 3608 | error = EINVAL; |
3609 | goto fail; | | 3609 | goto fail; |
3610 | } | | 3610 | } |
3611 | switch (mhp->msg->sadb_msg_satype) { | | 3611 | switch (mhp->msg->sadb_msg_satype) { |
3612 | case SADB_SATYPE_AH: | | 3612 | case SADB_SATYPE_AH: |
3613 | case SADB_SATYPE_ESP: | | 3613 | case SADB_SATYPE_ESP: |
3614 | case SADB_X_SATYPE_TCPSIGNATURE: | | 3614 | case SADB_X_SATYPE_TCPSIGNATURE: |
3615 | if (len == PFKEY_ALIGN8(sizeof(struct sadb_key)) && | | 3615 | if (len == PFKEY_ALIGN8(sizeof(struct sadb_key)) && |
3616 | sav->alg_auth != SADB_X_AALG_NULL) | | 3616 | sav->alg_auth != SADB_X_AALG_NULL) |
3617 | error = EINVAL; | | 3617 | error = EINVAL; |
3618 | break; | | 3618 | break; |
3619 | case SADB_X_SATYPE_IPCOMP: | | 3619 | case SADB_X_SATYPE_IPCOMP: |
3620 | default: | | 3620 | default: |
3621 | error = EINVAL; | | 3621 | error = EINVAL; |
3622 | break; | | 3622 | break; |
3623 | } | | 3623 | } |
3624 | if (error) { | | 3624 | if (error) { |
3625 | IPSECLOG(LOG_DEBUG, "invalid key_auth values.\n"); | | 3625 | IPSECLOG(LOG_DEBUG, "invalid key_auth values.\n"); |
3626 | goto fail; | | 3626 | goto fail; |
3627 | } | | 3627 | } |
3628 | | | 3628 | |
3629 | sav->key_auth = key_newbuf(key0, len); | | 3629 | sav->key_auth = key_newbuf(key0, len); |
3630 | sav->key_auth_len = len; | | 3630 | sav->key_auth_len = len; |
3631 | } | | 3631 | } |
3632 | | | 3632 | |
3633 | /* Encryption key */ | | 3633 | /* Encryption key */ |
3634 | if (mhp->ext[SADB_EXT_KEY_ENCRYPT] != NULL) { | | 3634 | if (mhp->ext[SADB_EXT_KEY_ENCRYPT] != NULL) { |
3635 | const struct sadb_key *key0; | | 3635 | const struct sadb_key *key0; |
3636 | int len; | | 3636 | int len; |
3637 | | | 3637 | |
3638 | key0 = mhp->ext[SADB_EXT_KEY_ENCRYPT]; | | 3638 | key0 = mhp->ext[SADB_EXT_KEY_ENCRYPT]; |
3639 | len = mhp->extlen[SADB_EXT_KEY_ENCRYPT]; | | 3639 | len = mhp->extlen[SADB_EXT_KEY_ENCRYPT]; |
3640 | | | 3640 | |
3641 | error = 0; | | 3641 | error = 0; |
3642 | if (len < sizeof(*key0)) { | | 3642 | if (len < sizeof(*key0)) { |
3643 | error = EINVAL; | | 3643 | error = EINVAL; |
3644 | goto fail; | | 3644 | goto fail; |
3645 | } | | 3645 | } |
3646 | switch (mhp->msg->sadb_msg_satype) { | | 3646 | switch (mhp->msg->sadb_msg_satype) { |
3647 | case SADB_SATYPE_ESP: | | 3647 | case SADB_SATYPE_ESP: |
3648 | if (len == PFKEY_ALIGN8(sizeof(struct sadb_key)) && | | 3648 | if (len == PFKEY_ALIGN8(sizeof(struct sadb_key)) && |
3649 | sav->alg_enc != SADB_EALG_NULL) { | | 3649 | sav->alg_enc != SADB_EALG_NULL) { |
3650 | error = EINVAL; | | 3650 | error = EINVAL; |
3651 | break; | | 3651 | break; |
3652 | } | | 3652 | } |
3653 | sav->key_enc = key_newbuf(key0, len); | | 3653 | sav->key_enc = key_newbuf(key0, len); |
3654 | sav->key_enc_len = len; | | 3654 | sav->key_enc_len = len; |
3655 | break; | | 3655 | break; |
3656 | case SADB_X_SATYPE_IPCOMP: | | 3656 | case SADB_X_SATYPE_IPCOMP: |
3657 | if (len != PFKEY_ALIGN8(sizeof(struct sadb_key))) | | 3657 | if (len != PFKEY_ALIGN8(sizeof(struct sadb_key))) |
3658 | error = EINVAL; | | 3658 | error = EINVAL; |
3659 | sav->key_enc = NULL; /*just in case*/ | | 3659 | sav->key_enc = NULL; /*just in case*/ |
3660 | break; | | 3660 | break; |
3661 | case SADB_SATYPE_AH: | | 3661 | case SADB_SATYPE_AH: |
3662 | case SADB_X_SATYPE_TCPSIGNATURE: | | 3662 | case SADB_X_SATYPE_TCPSIGNATURE: |
3663 | default: | | 3663 | default: |
3664 | error = EINVAL; | | 3664 | error = EINVAL; |
3665 | break; | | 3665 | break; |
3666 | } | | 3666 | } |
3667 | if (error) { | | 3667 | if (error) { |
3668 | IPSECLOG(LOG_DEBUG, "invalid key_enc value.\n"); | | 3668 | IPSECLOG(LOG_DEBUG, "invalid key_enc value.\n"); |
3669 | goto fail; | | 3669 | goto fail; |
3670 | } | | 3670 | } |
3671 | } | | 3671 | } |
3672 | | | 3672 | |
3673 | /* set iv */ | | 3673 | /* set iv */ |
3674 | sav->ivlen = 0; | | 3674 | sav->ivlen = 0; |
3675 | | | 3675 | |
3676 | switch (mhp->msg->sadb_msg_satype) { | | 3676 | switch (mhp->msg->sadb_msg_satype) { |
3677 | case SADB_SATYPE_AH: | | 3677 | case SADB_SATYPE_AH: |
3678 | error = xform_init(sav, XF_AH); | | 3678 | error = xform_init(sav, XF_AH); |
3679 | break; | | 3679 | break; |
3680 | case SADB_SATYPE_ESP: | | 3680 | case SADB_SATYPE_ESP: |
3681 | error = xform_init(sav, XF_ESP); | | 3681 | error = xform_init(sav, XF_ESP); |
3682 | break; | | 3682 | break; |
3683 | case SADB_X_SATYPE_IPCOMP: | | 3683 | case SADB_X_SATYPE_IPCOMP: |
3684 | error = xform_init(sav, XF_IPCOMP); | | 3684 | error = xform_init(sav, XF_IPCOMP); |
3685 | break; | | 3685 | break; |
3686 | case SADB_X_SATYPE_TCPSIGNATURE: | | 3686 | case SADB_X_SATYPE_TCPSIGNATURE: |
3687 | error = xform_init(sav, XF_TCPSIGNATURE); | | 3687 | error = xform_init(sav, XF_TCPSIGNATURE); |
3688 | break; | | 3688 | break; |
3689 | } | | 3689 | } |
3690 | if (error) { | | 3690 | if (error) { |
3691 | IPSECLOG(LOG_DEBUG, "unable to initialize SA type %u.\n", | | 3691 | IPSECLOG(LOG_DEBUG, "unable to initialize SA type %u.\n", |
3692 | mhp->msg->sadb_msg_satype); | | 3692 | mhp->msg->sadb_msg_satype); |
3693 | goto fail; | | 3693 | goto fail; |
3694 | } | | 3694 | } |
3695 | | | 3695 | |
3696 | /* reset created */ | | 3696 | /* reset created */ |
3697 | sav->created = time_uptime; | | 3697 | sav->created = time_uptime; |
3698 | | | 3698 | |
3699 | /* make lifetime for CURRENT */ | | 3699 | /* make lifetime for CURRENT */ |
3700 | sav->lft_c = kmem_alloc(sizeof(struct sadb_lifetime), KM_SLEEP); | | 3700 | sav->lft_c = kmem_alloc(sizeof(struct sadb_lifetime), KM_SLEEP); |
3701 | | | 3701 | |
3702 | sav->lft_c->sadb_lifetime_len = | | 3702 | sav->lft_c->sadb_lifetime_len = |
3703 | PFKEY_UNIT64(sizeof(struct sadb_lifetime)); | | 3703 | PFKEY_UNIT64(sizeof(struct sadb_lifetime)); |
3704 | sav->lft_c->sadb_lifetime_exttype = SADB_EXT_LIFETIME_CURRENT; | | 3704 | sav->lft_c->sadb_lifetime_exttype = SADB_EXT_LIFETIME_CURRENT; |
3705 | sav->lft_c->sadb_lifetime_allocations = 0; | | 3705 | sav->lft_c->sadb_lifetime_allocations = 0; |
3706 | sav->lft_c->sadb_lifetime_bytes = 0; | | 3706 | sav->lft_c->sadb_lifetime_bytes = 0; |
3707 | sav->lft_c->sadb_lifetime_addtime = time_uptime; | | 3707 | sav->lft_c->sadb_lifetime_addtime = time_uptime; |
3708 | sav->lft_c->sadb_lifetime_usetime = 0; | | 3708 | sav->lft_c->sadb_lifetime_usetime = 0; |
3709 | | | 3709 | |
3710 | sav->lft_c_counters_percpu = percpu_alloc(sizeof(lifetime_counters_t)); | | 3710 | sav->lft_c_counters_percpu = percpu_alloc(sizeof(lifetime_counters_t)); |
3711 | | | 3711 | |
3712 | /* lifetimes for HARD and SOFT */ | | 3712 | /* lifetimes for HARD and SOFT */ |
3713 | { | | 3713 | { |
3714 | const struct sadb_lifetime *lft0; | | 3714 | const struct sadb_lifetime *lft0; |
3715 | | | 3715 | |
3716 | lft0 = mhp->ext[SADB_EXT_LIFETIME_HARD]; | | 3716 | lft0 = mhp->ext[SADB_EXT_LIFETIME_HARD]; |
3717 | if (lft0 != NULL) { | | 3717 | if (lft0 != NULL) { |
3718 | if (mhp->extlen[SADB_EXT_LIFETIME_HARD] < sizeof(*lft0)) { | | 3718 | if (mhp->extlen[SADB_EXT_LIFETIME_HARD] < sizeof(*lft0)) { |
3719 | error = EINVAL; | | 3719 | error = EINVAL; |
3720 | goto fail; | | 3720 | goto fail; |
3721 | } | | 3721 | } |
3722 | sav->lft_h = key_newbuf(lft0, sizeof(*lft0)); | | 3722 | sav->lft_h = key_newbuf(lft0, sizeof(*lft0)); |
3723 | } | | 3723 | } |
3724 | | | 3724 | |
3725 | lft0 = mhp->ext[SADB_EXT_LIFETIME_SOFT]; | | 3725 | lft0 = mhp->ext[SADB_EXT_LIFETIME_SOFT]; |
3726 | if (lft0 != NULL) { | | 3726 | if (lft0 != NULL) { |
3727 | if (mhp->extlen[SADB_EXT_LIFETIME_SOFT] < sizeof(*lft0)) { | | 3727 | if (mhp->extlen[SADB_EXT_LIFETIME_SOFT] < sizeof(*lft0)) { |
3728 | error = EINVAL; | | 3728 | error = EINVAL; |
3729 | goto fail; | | 3729 | goto fail; |
3730 | } | | 3730 | } |
3731 | sav->lft_s = key_newbuf(lft0, sizeof(*lft0)); | | 3731 | sav->lft_s = key_newbuf(lft0, sizeof(*lft0)); |
3732 | /* to be initialize ? */ | | 3732 | /* to be initialize ? */ |
3733 | } | | 3733 | } |
3734 | } | | 3734 | } |
3735 | | | 3735 | |
3736 | return 0; | | 3736 | return 0; |
3737 | | | 3737 | |
3738 | fail: | | 3738 | fail: |
3739 | key_clear_xform(sav); | | 3739 | key_clear_xform(sav); |
3740 | key_freesaval(sav); | | 3740 | key_freesaval(sav); |
3741 | | | 3741 | |
3742 | return error; | | 3742 | return error; |
3743 | } | | 3743 | } |
3744 | | | 3744 | |
3745 | /* | | 3745 | /* |
3746 | * validation with a secasvar entry, and set SADB_SATYPE_MATURE. | | 3746 | * validation with a secasvar entry, and set SADB_SATYPE_MATURE. |
3747 | * OUT: 0: valid | | 3747 | * OUT: 0: valid |
3748 | * other: errno | | 3748 | * other: errno |
3749 | */ | | 3749 | */ |
3750 | static int | | 3750 | static int |
3751 | key_init_xform(struct secasvar *sav) | | 3751 | key_init_xform(struct secasvar *sav) |
3752 | { | | 3752 | { |
3753 | int error; | | 3753 | int error; |
3754 | | | 3754 | |
3755 | /* We shouldn't initialize sav variables while someone uses it. */ | | 3755 | /* We shouldn't initialize sav variables while someone uses it. */ |
3756 | KASSERT(key_sa_refcnt(sav) == 0); | | 3756 | KASSERT(key_sa_refcnt(sav) == 0); |
3757 | | | 3757 | |
3758 | /* check SPI value */ | | 3758 | /* check SPI value */ |
3759 | switch (sav->sah->saidx.proto) { | | 3759 | switch (sav->sah->saidx.proto) { |
3760 | case IPPROTO_ESP: | | 3760 | case IPPROTO_ESP: |
3761 | case IPPROTO_AH: | | 3761 | case IPPROTO_AH: |
3762 | if (ntohl(sav->spi) <= 255) { | | 3762 | if (ntohl(sav->spi) <= 255) { |
3763 | IPSECLOG(LOG_DEBUG, "illegal range of SPI %u.\n", | | 3763 | IPSECLOG(LOG_DEBUG, "illegal range of SPI %u.\n", |
3764 | (u_int32_t)ntohl(sav->spi)); | | 3764 | (u_int32_t)ntohl(sav->spi)); |
3765 | return EINVAL; | | 3765 | return EINVAL; |
3766 | } | | 3766 | } |
3767 | break; | | 3767 | break; |
3768 | } | | 3768 | } |
3769 | | | 3769 | |
3770 | /* check algo */ | | 3770 | /* check algo */ |
3771 | switch (sav->sah->saidx.proto) { | | 3771 | switch (sav->sah->saidx.proto) { |
3772 | case IPPROTO_AH: | | 3772 | case IPPROTO_AH: |
3773 | case IPPROTO_TCP: | | 3773 | case IPPROTO_TCP: |
3774 | if (sav->alg_enc != SADB_EALG_NONE) { | | 3774 | if (sav->alg_enc != SADB_EALG_NONE) { |
3775 | IPSECLOG(LOG_DEBUG, | | 3775 | IPSECLOG(LOG_DEBUG, |
3776 | "protocol %u and algorithm mismatched %u != %u.\n", | | 3776 | "protocol %u and algorithm mismatched %u != %u.\n", |
3777 | sav->sah->saidx.proto, | | 3777 | sav->sah->saidx.proto, |
3778 | sav->alg_enc, SADB_EALG_NONE); | | 3778 | sav->alg_enc, SADB_EALG_NONE); |
3779 | return EINVAL; | | 3779 | return EINVAL; |
3780 | } | | 3780 | } |
3781 | break; | | 3781 | break; |
3782 | case IPPROTO_IPCOMP: | | 3782 | case IPPROTO_IPCOMP: |
3783 | if (sav->alg_auth != SADB_AALG_NONE) { | | 3783 | if (sav->alg_auth != SADB_AALG_NONE) { |
3784 | IPSECLOG(LOG_DEBUG, | | 3784 | IPSECLOG(LOG_DEBUG, |
3785 | "protocol %u and algorithm mismatched %d != %d.\n", | | 3785 | "protocol %u and algorithm mismatched %d != %d.\n", |
3786 | sav->sah->saidx.proto, | | 3786 | sav->sah->saidx.proto, |
3787 | sav->alg_auth, SADB_AALG_NONE); | | 3787 | sav->alg_auth, SADB_AALG_NONE); |
3788 | return(EINVAL); | | 3788 | return(EINVAL); |
3789 | } | | 3789 | } |
3790 | break; | | 3790 | break; |
3791 | default: | | 3791 | default: |
3792 | break; | | 3792 | break; |
3793 | } | | 3793 | } |
3794 | | | 3794 | |
3795 | /* check satype */ | | 3795 | /* check satype */ |
3796 | switch (sav->sah->saidx.proto) { | | 3796 | switch (sav->sah->saidx.proto) { |
3797 | case IPPROTO_ESP: | | 3797 | case IPPROTO_ESP: |
3798 | /* check flags */ | | 3798 | /* check flags */ |
3799 | if ((sav->flags & (SADB_X_EXT_OLD|SADB_X_EXT_DERIV)) == | | 3799 | if ((sav->flags & (SADB_X_EXT_OLD|SADB_X_EXT_DERIV)) == |
3800 | (SADB_X_EXT_OLD|SADB_X_EXT_DERIV)) { | | 3800 | (SADB_X_EXT_OLD|SADB_X_EXT_DERIV)) { |
3801 | IPSECLOG(LOG_DEBUG, | | 3801 | IPSECLOG(LOG_DEBUG, |
3802 | "invalid flag (derived) given to old-esp.\n"); | | 3802 | "invalid flag (derived) given to old-esp.\n"); |
3803 | return EINVAL; | | 3803 | return EINVAL; |
3804 | } | | 3804 | } |
3805 | error = xform_init(sav, XF_ESP); | | 3805 | error = xform_init(sav, XF_ESP); |
3806 | break; | | 3806 | break; |
3807 | case IPPROTO_AH: | | 3807 | case IPPROTO_AH: |
3808 | /* check flags */ | | 3808 | /* check flags */ |
3809 | if (sav->flags & SADB_X_EXT_DERIV) { | | 3809 | if (sav->flags & SADB_X_EXT_DERIV) { |
3810 | IPSECLOG(LOG_DEBUG, | | 3810 | IPSECLOG(LOG_DEBUG, |
3811 | "invalid flag (derived) given to AH SA.\n"); | | 3811 | "invalid flag (derived) given to AH SA.\n"); |
3812 | return EINVAL; | | 3812 | return EINVAL; |
3813 | } | | 3813 | } |
3814 | error = xform_init(sav, XF_AH); | | 3814 | error = xform_init(sav, XF_AH); |
3815 | break; | | 3815 | break; |
3816 | case IPPROTO_IPCOMP: | | 3816 | case IPPROTO_IPCOMP: |
3817 | if ((sav->flags & SADB_X_EXT_RAWCPI) == 0 | | 3817 | if ((sav->flags & SADB_X_EXT_RAWCPI) == 0 |
3818 | && ntohl(sav->spi) >= 0x10000) { | | 3818 | && ntohl(sav->spi) >= 0x10000) { |
3819 | IPSECLOG(LOG_DEBUG, "invalid cpi for IPComp.\n"); | | 3819 | IPSECLOG(LOG_DEBUG, "invalid cpi for IPComp.\n"); |
3820 | return(EINVAL); | | 3820 | return(EINVAL); |
3821 | } | | 3821 | } |
3822 | error = xform_init(sav, XF_IPCOMP); | | 3822 | error = xform_init(sav, XF_IPCOMP); |
3823 | break; | | 3823 | break; |
3824 | case IPPROTO_TCP: | | 3824 | case IPPROTO_TCP: |
3825 | error = xform_init(sav, XF_TCPSIGNATURE); | | 3825 | error = xform_init(sav, XF_TCPSIGNATURE); |
3826 | break; | | 3826 | break; |
3827 | default: | | 3827 | default: |
3828 | IPSECLOG(LOG_DEBUG, "Invalid satype.\n"); | | 3828 | IPSECLOG(LOG_DEBUG, "Invalid satype.\n"); |
3829 | error = EPROTONOSUPPORT; | | 3829 | error = EPROTONOSUPPORT; |
3830 | break; | | 3830 | break; |
3831 | } | | 3831 | } |
3832 | | | 3832 | |
3833 | return error; | | 3833 | return error; |
3834 | } | | 3834 | } |
3835 | | | 3835 | |
3836 | /* | | 3836 | /* |
3837 | * subroutine for SADB_GET and SADB_DUMP. It never return NULL. | | 3837 | * subroutine for SADB_GET and SADB_DUMP. It never return NULL. |
3838 | */ | | 3838 | */ |
3839 | static struct mbuf * | | 3839 | static struct mbuf * |
3840 | key_setdumpsa(struct secasvar *sav, u_int8_t type, u_int8_t satype, | | 3840 | key_setdumpsa(struct secasvar *sav, u_int8_t type, u_int8_t satype, |
3841 | u_int32_t seq, u_int32_t pid) | | 3841 | u_int32_t seq, u_int32_t pid) |
3842 | { | | 3842 | { |
3843 | struct mbuf *result = NULL, *tres = NULL, *m; | | 3843 | struct mbuf *result = NULL, *tres = NULL, *m; |
3844 | int l = 0; | | 3844 | int l = 0; |
3845 | int i; | | 3845 | int i; |
3846 | void *p; | | 3846 | void *p; |
3847 | struct sadb_lifetime lt; | | 3847 | struct sadb_lifetime lt; |
3848 | int dumporder[] = { | | 3848 | int dumporder[] = { |
3849 | SADB_EXT_SA, SADB_X_EXT_SA2, | | 3849 | SADB_EXT_SA, SADB_X_EXT_SA2, |
3850 | SADB_EXT_LIFETIME_HARD, SADB_EXT_LIFETIME_SOFT, | | 3850 | SADB_EXT_LIFETIME_HARD, SADB_EXT_LIFETIME_SOFT, |
3851 | SADB_EXT_LIFETIME_CURRENT, SADB_EXT_ADDRESS_SRC, | | 3851 | SADB_EXT_LIFETIME_CURRENT, SADB_EXT_ADDRESS_SRC, |
3852 | SADB_EXT_ADDRESS_DST, SADB_EXT_ADDRESS_PROXY, SADB_EXT_KEY_AUTH, | | 3852 | SADB_EXT_ADDRESS_DST, SADB_EXT_ADDRESS_PROXY, SADB_EXT_KEY_AUTH, |
3853 | SADB_EXT_KEY_ENCRYPT, SADB_EXT_IDENTITY_SRC, | | 3853 | SADB_EXT_KEY_ENCRYPT, SADB_EXT_IDENTITY_SRC, |
3854 | SADB_EXT_IDENTITY_DST, SADB_EXT_SENSITIVITY, | | 3854 | SADB_EXT_IDENTITY_DST, SADB_EXT_SENSITIVITY, |
3855 | SADB_X_EXT_NAT_T_TYPE, | | 3855 | SADB_X_EXT_NAT_T_TYPE, |
3856 | SADB_X_EXT_NAT_T_SPORT, SADB_X_EXT_NAT_T_DPORT, | | 3856 | SADB_X_EXT_NAT_T_SPORT, SADB_X_EXT_NAT_T_DPORT, |
3857 | SADB_X_EXT_NAT_T_OAI, SADB_X_EXT_NAT_T_OAR, | | 3857 | SADB_X_EXT_NAT_T_OAI, SADB_X_EXT_NAT_T_OAR, |
3858 | SADB_X_EXT_NAT_T_FRAG, | | 3858 | SADB_X_EXT_NAT_T_FRAG, |
3859 | | | 3859 | |
3860 | }; | | 3860 | }; |
3861 | | | 3861 | |
3862 | m = key_setsadbmsg(type, 0, satype, seq, pid, key_sa_refcnt(sav), M_WAITOK); | | 3862 | m = key_setsadbmsg(type, 0, satype, seq, pid, key_sa_refcnt(sav), M_WAITOK); |
3863 | result = m; | | 3863 | result = m; |
3864 | | | 3864 | |
3865 | for (i = __arraycount(dumporder) - 1; i >= 0; i--) { | | 3865 | for (i = __arraycount(dumporder) - 1; i >= 0; i--) { |
3866 | m = NULL; | | 3866 | m = NULL; |
3867 | p = NULL; | | 3867 | p = NULL; |
3868 | switch (dumporder[i]) { | | 3868 | switch (dumporder[i]) { |
3869 | case SADB_EXT_SA: | | 3869 | case SADB_EXT_SA: |
3870 | m = key_setsadbsa(sav); | | 3870 | m = key_setsadbsa(sav); |
3871 | break; | | 3871 | break; |
3872 | | | 3872 | |
3873 | case SADB_X_EXT_SA2: | | 3873 | case SADB_X_EXT_SA2: |
3874 | m = key_setsadbxsa2(sav->sah->saidx.mode, | | 3874 | m = key_setsadbxsa2(sav->sah->saidx.mode, |
3875 | sav->replay ? sav->replay->count : 0, | | 3875 | sav->replay ? sav->replay->count : 0, |
3876 | sav->sah->saidx.reqid); | | 3876 | sav->sah->saidx.reqid); |
3877 | break; | | 3877 | break; |
3878 | | | 3878 | |
3879 | case SADB_EXT_ADDRESS_SRC: | | 3879 | case SADB_EXT_ADDRESS_SRC: |
3880 | m = key_setsadbaddr(SADB_EXT_ADDRESS_SRC, | | 3880 | m = key_setsadbaddr(SADB_EXT_ADDRESS_SRC, |
3881 | &sav->sah->saidx.src.sa, | | 3881 | &sav->sah->saidx.src.sa, |
3882 | FULLMASK, IPSEC_ULPROTO_ANY, M_WAITOK); | | 3882 | FULLMASK, IPSEC_ULPROTO_ANY, M_WAITOK); |
3883 | break; | | 3883 | break; |
3884 | | | 3884 | |
3885 | case SADB_EXT_ADDRESS_DST: | | 3885 | case SADB_EXT_ADDRESS_DST: |
3886 | m = key_setsadbaddr(SADB_EXT_ADDRESS_DST, | | 3886 | m = key_setsadbaddr(SADB_EXT_ADDRESS_DST, |
3887 | &sav->sah->saidx.dst.sa, | | 3887 | &sav->sah->saidx.dst.sa, |
3888 | FULLMASK, IPSEC_ULPROTO_ANY, M_WAITOK); | | 3888 | FULLMASK, IPSEC_ULPROTO_ANY, M_WAITOK); |
3889 | break; | | 3889 | break; |
3890 | | | 3890 | |
3891 | case SADB_EXT_KEY_AUTH: | | 3891 | case SADB_EXT_KEY_AUTH: |
3892 | if (!sav->key_auth) | | 3892 | if (!sav->key_auth) |
3893 | continue; | | 3893 | continue; |
3894 | l = PFKEY_UNUNIT64(sav->key_auth->sadb_key_len); | | 3894 | l = PFKEY_UNUNIT64(sav->key_auth->sadb_key_len); |
3895 | p = sav->key_auth; | | 3895 | p = sav->key_auth; |
3896 | break; | | 3896 | break; |
3897 | | | 3897 | |
3898 | case SADB_EXT_KEY_ENCRYPT: | | 3898 | case SADB_EXT_KEY_ENCRYPT: |
3899 | if (!sav->key_enc) | | 3899 | if (!sav->key_enc) |
3900 | continue; | | 3900 | continue; |
3901 | l = PFKEY_UNUNIT64(sav->key_enc->sadb_key_len); | | 3901 | l = PFKEY_UNUNIT64(sav->key_enc->sadb_key_len); |
3902 | p = sav->key_enc; | | 3902 | p = sav->key_enc; |
3903 | break; | | 3903 | break; |
3904 | | | 3904 | |
3905 | case SADB_EXT_LIFETIME_CURRENT: { | | 3905 | case SADB_EXT_LIFETIME_CURRENT: { |
3906 | lifetime_counters_t sum = {0}; | | 3906 | lifetime_counters_t sum = {0}; |
3907 | | | 3907 | |
3908 | KASSERT(sav->lft_c != NULL); | | 3908 | KASSERT(sav->lft_c != NULL); |
3909 | l = PFKEY_UNUNIT64(((struct sadb_ext *)sav->lft_c)->sadb_ext_len); | | 3909 | l = PFKEY_UNUNIT64(((struct sadb_ext *)sav->lft_c)->sadb_ext_len); |
3910 | memcpy(<, sav->lft_c, sizeof(struct sadb_lifetime)); | | 3910 | memcpy(<, sav->lft_c, sizeof(struct sadb_lifetime)); |
3911 | lt.sadb_lifetime_addtime = | | 3911 | lt.sadb_lifetime_addtime = |
3912 | time_mono_to_wall(lt.sadb_lifetime_addtime); | | 3912 | time_mono_to_wall(lt.sadb_lifetime_addtime); |
3913 | lt.sadb_lifetime_usetime = | | 3913 | lt.sadb_lifetime_usetime = |
3914 | time_mono_to_wall(lt.sadb_lifetime_usetime); | | 3914 | time_mono_to_wall(lt.sadb_lifetime_usetime); |
3915 | percpu_foreach(sav->lft_c_counters_percpu, | | 3915 | percpu_foreach(sav->lft_c_counters_percpu, |
3916 | key_sum_lifetime_counters, sum); | | 3916 | key_sum_lifetime_counters, sum); |
3917 | lt.sadb_lifetime_allocations = | | 3917 | lt.sadb_lifetime_allocations = |
3918 | sum[LIFETIME_COUNTER_ALLOCATIONS]; | | 3918 | sum[LIFETIME_COUNTER_ALLOCATIONS]; |
3919 | lt.sadb_lifetime_bytes = | | 3919 | lt.sadb_lifetime_bytes = |
3920 | sum[LIFETIME_COUNTER_BYTES]; | | 3920 | sum[LIFETIME_COUNTER_BYTES]; |
3921 | p = < | | 3921 | p = < |
3922 | break; | | 3922 | break; |
3923 | } | | 3923 | } |
3924 | | | 3924 | |
3925 | case SADB_EXT_LIFETIME_HARD: | | 3925 | case SADB_EXT_LIFETIME_HARD: |
3926 | if (!sav->lft_h) | | 3926 | if (!sav->lft_h) |
3927 | continue; | | 3927 | continue; |
3928 | l = PFKEY_UNUNIT64(((struct sadb_ext *)sav->lft_h)->sadb_ext_len); | | 3928 | l = PFKEY_UNUNIT64(((struct sadb_ext *)sav->lft_h)->sadb_ext_len); |
3929 | p = sav->lft_h; | | 3929 | p = sav->lft_h; |
3930 | break; | | 3930 | break; |
3931 | | | 3931 | |
3932 | case SADB_EXT_LIFETIME_SOFT: | | 3932 | case SADB_EXT_LIFETIME_SOFT: |
3933 | if (!sav->lft_s) | | 3933 | if (!sav->lft_s) |
3934 | continue; | | 3934 | continue; |
3935 | l = PFKEY_UNUNIT64(((struct sadb_ext *)sav->lft_s)->sadb_ext_len); | | 3935 | l = PFKEY_UNUNIT64(((struct sadb_ext *)sav->lft_s)->sadb_ext_len); |
3936 | p = sav->lft_s; | | 3936 | p = sav->lft_s; |
3937 | break; | | 3937 | break; |
3938 | | | 3938 | |
3939 | case SADB_X_EXT_NAT_T_TYPE: | | 3939 | case SADB_X_EXT_NAT_T_TYPE: |
3940 | m = key_setsadbxtype(sav->natt_type); | | 3940 | m = key_setsadbxtype(sav->natt_type); |
3941 | break; | | 3941 | break; |
3942 | | | 3942 | |
3943 | case SADB_X_EXT_NAT_T_DPORT: | | 3943 | case SADB_X_EXT_NAT_T_DPORT: |
3944 | if (sav->natt_type == 0) | | 3944 | if (sav->natt_type == 0) |
3945 | continue; | | 3945 | continue; |
3946 | m = key_setsadbxport( | | 3946 | m = key_setsadbxport( |
3947 | key_portfromsaddr(&sav->sah->saidx.dst), | | 3947 | key_portfromsaddr(&sav->sah->saidx.dst), |
3948 | SADB_X_EXT_NAT_T_DPORT); | | 3948 | SADB_X_EXT_NAT_T_DPORT); |
3949 | break; | | 3949 | break; |
3950 | | | 3950 | |
3951 | case SADB_X_EXT_NAT_T_SPORT: | | 3951 | case SADB_X_EXT_NAT_T_SPORT: |
3952 | if (sav->natt_type == 0) | | 3952 | if (sav->natt_type == 0) |
3953 | continue; | | 3953 | continue; |
3954 | m = key_setsadbxport( | | 3954 | m = key_setsadbxport( |
3955 | key_portfromsaddr(&sav->sah->saidx.src), | | 3955 | key_portfromsaddr(&sav->sah->saidx.src), |
3956 | SADB_X_EXT_NAT_T_SPORT); | | 3956 | SADB_X_EXT_NAT_T_SPORT); |
3957 | break; | | 3957 | break; |
3958 | | | 3958 | |
3959 | case SADB_X_EXT_NAT_T_FRAG: | | 3959 | case SADB_X_EXT_NAT_T_FRAG: |
3960 | /* don't send frag info if not set */ | | 3960 | /* don't send frag info if not set */ |
3961 | if (sav->natt_type == 0 || sav->esp_frag == IP_MAXPACKET) | | 3961 | if (sav->natt_type == 0 || sav->esp_frag == IP_MAXPACKET) |
3962 | continue; | | 3962 | continue; |
3963 | m = key_setsadbxfrag(sav->esp_frag); | | 3963 | m = key_setsadbxfrag(sav->esp_frag); |
3964 | break; | | 3964 | break; |
3965 | | | 3965 | |
3966 | case SADB_X_EXT_NAT_T_OAI: | | 3966 | case SADB_X_EXT_NAT_T_OAI: |
3967 | case SADB_X_EXT_NAT_T_OAR: | | 3967 | case SADB_X_EXT_NAT_T_OAR: |
3968 | continue; | | 3968 | continue; |
3969 | | | 3969 | |
3970 | case SADB_EXT_ADDRESS_PROXY: | | 3970 | case SADB_EXT_ADDRESS_PROXY: |
3971 | case SADB_EXT_IDENTITY_SRC: | | 3971 | case SADB_EXT_IDENTITY_SRC: |
3972 | case SADB_EXT_IDENTITY_DST: | | 3972 | case SADB_EXT_IDENTITY_DST: |
3973 | /* XXX: should we brought from SPD ? */ | | 3973 | /* XXX: should we brought from SPD ? */ |
3974 | case SADB_EXT_SENSITIVITY: | | 3974 | case SADB_EXT_SENSITIVITY: |
3975 | default: | | 3975 | default: |
3976 | continue; | | 3976 | continue; |
3977 | } | | 3977 | } |
3978 | | | 3978 | |
3979 | KASSERT(!(m && p)); | | 3979 | KASSERT(!(m && p)); |
3980 | KASSERT(m != NULL || p != NULL); | | 3980 | KASSERT(m != NULL || p != NULL); |
3981 | if (p && tres) { | | 3981 | if (p && tres) { |
3982 | M_PREPEND(tres, l, M_WAITOK); | | 3982 | M_PREPEND(tres, l, M_WAITOK); |
3983 | memcpy(mtod(tres, void *), p, l); | | 3983 | memcpy(mtod(tres, void *), p, l); |
3984 | continue; | | 3984 | continue; |
3985 | } | | 3985 | } |
3986 | if (p) { | | 3986 | if (p) { |
3987 | m = key_alloc_mbuf(l, M_WAITOK); | | 3987 | m = key_alloc_mbuf(l, M_WAITOK); |
3988 | m_copyback(m, 0, l, p); | | 3988 | m_copyback(m, 0, l, p); |
3989 | } | | 3989 | } |
3990 | | | 3990 | |
3991 | if (tres) | | 3991 | if (tres) |
3992 | m_cat(m, tres); | | 3992 | m_cat(m, tres); |
3993 | tres = m; | | 3993 | tres = m; |
3994 | } | | 3994 | } |
3995 | | | 3995 | |
3996 | m_cat(result, tres); | | 3996 | m_cat(result, tres); |
3997 | tres = NULL; /* avoid free on error below */ | | 3997 | tres = NULL; /* avoid free on error below */ |
3998 | | | 3998 | |
3999 | KASSERT(result->m_len >= sizeof(struct sadb_msg)); | | 3999 | KASSERT(result->m_len >= sizeof(struct sadb_msg)); |
4000 | | | 4000 | |
4001 | result->m_pkthdr.len = 0; | | 4001 | result->m_pkthdr.len = 0; |
4002 | for (m = result; m; m = m->m_next) | | 4002 | for (m = result; m; m = m->m_next) |
4003 | result->m_pkthdr.len += m->m_len; | | 4003 | result->m_pkthdr.len += m->m_len; |
4004 | | | 4004 | |
4005 | mtod(result, struct sadb_msg *)->sadb_msg_len = | | 4005 | mtod(result, struct sadb_msg *)->sadb_msg_len = |
4006 | PFKEY_UNIT64(result->m_pkthdr.len); | | 4006 | PFKEY_UNIT64(result->m_pkthdr.len); |
4007 | | | 4007 | |
4008 | return result; | | 4008 | return result; |
4009 | } | | 4009 | } |
4010 | | | 4010 | |
4011 | | | 4011 | |
4012 | /* | | 4012 | /* |
4013 | * set a type in sadb_x_nat_t_type | | 4013 | * set a type in sadb_x_nat_t_type |
4014 | */ | | 4014 | */ |
4015 | static struct mbuf * | | 4015 | static struct mbuf * |
4016 | key_setsadbxtype(u_int16_t type) | | 4016 | key_setsadbxtype(u_int16_t type) |
4017 | { | | 4017 | { |
4018 | struct mbuf *m; | | 4018 | struct mbuf *m; |
4019 | size_t len; | | 4019 | size_t len; |
4020 | struct sadb_x_nat_t_type *p; | | 4020 | struct sadb_x_nat_t_type *p; |
4021 | | | 4021 | |
4022 | len = PFKEY_ALIGN8(sizeof(struct sadb_x_nat_t_type)); | | 4022 | len = PFKEY_ALIGN8(sizeof(struct sadb_x_nat_t_type)); |
4023 | | | 4023 | |
4024 | m = key_alloc_mbuf(len, M_WAITOK); | | 4024 | m = key_alloc_mbuf(len, M_WAITOK); |
4025 | KASSERT(m->m_next == NULL); | | 4025 | KASSERT(m->m_next == NULL); |
4026 | | | 4026 | |
4027 | p = mtod(m, struct sadb_x_nat_t_type *); | | 4027 | p = mtod(m, struct sadb_x_nat_t_type *); |
4028 | | | 4028 | |
4029 | memset(p, 0, len); | | 4029 | memset(p, 0, len); |
4030 | p->sadb_x_nat_t_type_len = PFKEY_UNIT64(len); | | 4030 | p->sadb_x_nat_t_type_len = PFKEY_UNIT64(len); |
4031 | p->sadb_x_nat_t_type_exttype = SADB_X_EXT_NAT_T_TYPE; | | 4031 | p->sadb_x_nat_t_type_exttype = SADB_X_EXT_NAT_T_TYPE; |
4032 | p->sadb_x_nat_t_type_type = type; | | 4032 | p->sadb_x_nat_t_type_type = type; |
4033 | | | 4033 | |
4034 | return m; | | 4034 | return m; |
4035 | } | | 4035 | } |
4036 | /* | | 4036 | /* |
4037 | * set a port in sadb_x_nat_t_port. port is in network order | | 4037 | * set a port in sadb_x_nat_t_port. port is in network order |
4038 | */ | | 4038 | */ |
4039 | static struct mbuf * | | 4039 | static struct mbuf * |
4040 | key_setsadbxport(u_int16_t port, u_int16_t type) | | 4040 | key_setsadbxport(u_int16_t port, u_int16_t type) |
4041 | { | | 4041 | { |
4042 | struct mbuf *m; | | 4042 | struct mbuf *m; |
4043 | size_t len; | | 4043 | size_t len; |
4044 | struct sadb_x_nat_t_port *p; | | 4044 | struct sadb_x_nat_t_port *p; |
4045 | | | 4045 | |
4046 | len = PFKEY_ALIGN8(sizeof(struct sadb_x_nat_t_port)); | | 4046 | len = PFKEY_ALIGN8(sizeof(struct sadb_x_nat_t_port)); |
4047 | | | 4047 | |
4048 | m = key_alloc_mbuf(len, M_WAITOK); | | 4048 | m = key_alloc_mbuf(len, M_WAITOK); |
4049 | KASSERT(m->m_next == NULL); | | 4049 | KASSERT(m->m_next == NULL); |
4050 | | | 4050 | |
4051 | p = mtod(m, struct sadb_x_nat_t_port *); | | 4051 | p = mtod(m, struct sadb_x_nat_t_port *); |
4052 | | | 4052 | |
4053 | memset(p, 0, len); | | 4053 | memset(p, 0, len); |
4054 | p->sadb_x_nat_t_port_len = PFKEY_UNIT64(len); | | 4054 | p->sadb_x_nat_t_port_len = PFKEY_UNIT64(len); |
4055 | p->sadb_x_nat_t_port_exttype = type; | | 4055 | p->sadb_x_nat_t_port_exttype = type; |
4056 | p->sadb_x_nat_t_port_port = port; | | 4056 | p->sadb_x_nat_t_port_port = port; |
4057 | | | 4057 | |
4058 | return m; | | 4058 | return m; |
4059 | } | | 4059 | } |
4060 | | | 4060 | |
4061 | /* | | 4061 | /* |
4062 | * set fragmentation info in sadb_x_nat_t_frag | | 4062 | * set fragmentation info in sadb_x_nat_t_frag |
4063 | */ | | 4063 | */ |
4064 | static struct mbuf * | | 4064 | static struct mbuf * |
4065 | key_setsadbxfrag(u_int16_t flen) | | 4065 | key_setsadbxfrag(u_int16_t flen) |
4066 | { | | 4066 | { |
4067 | struct mbuf *m; | | 4067 | struct mbuf *m; |
4068 | size_t len; | | 4068 | size_t len; |
4069 | struct sadb_x_nat_t_frag *p; | | 4069 | struct sadb_x_nat_t_frag *p; |
4070 | | | 4070 | |
4071 | len = PFKEY_ALIGN8(sizeof(struct sadb_x_nat_t_frag)); | | 4071 | len = PFKEY_ALIGN8(sizeof(struct sadb_x_nat_t_frag)); |
4072 | | | 4072 | |
4073 | m = key_alloc_mbuf(len, M_WAITOK); | | 4073 | m = key_alloc_mbuf(len, M_WAITOK); |
4074 | KASSERT(m->m_next == NULL); | | 4074 | KASSERT(m->m_next == NULL); |
4075 | | | 4075 | |
4076 | p = mtod(m, struct sadb_x_nat_t_frag *); | | 4076 | p = mtod(m, struct sadb_x_nat_t_frag *); |
4077 | | | 4077 | |
4078 | memset(p, 0, len); | | 4078 | memset(p, 0, len); |
4079 | p->sadb_x_nat_t_frag_len = PFKEY_UNIT64(len); | | 4079 | p->sadb_x_nat_t_frag_len = PFKEY_UNIT64(len); |
4080 | p->sadb_x_nat_t_frag_exttype = SADB_X_EXT_NAT_T_FRAG; | | 4080 | p->sadb_x_nat_t_frag_exttype = SADB_X_EXT_NAT_T_FRAG; |
4081 | p->sadb_x_nat_t_frag_fraglen = flen; | | 4081 | p->sadb_x_nat_t_frag_fraglen = flen; |
4082 | | | 4082 | |
4083 | return m; | | 4083 | return m; |
4084 | } | | 4084 | } |
4085 | | | 4085 | |
4086 | /* | | 4086 | /* |
4087 | * Get port from sockaddr, port is in network order | | 4087 | * Get port from sockaddr, port is in network order |
4088 | */ | | 4088 | */ |
4089 | u_int16_t | | 4089 | u_int16_t |
4090 | key_portfromsaddr(const union sockaddr_union *saddr) | | 4090 | key_portfromsaddr(const union sockaddr_union *saddr) |
4091 | { | | 4091 | { |
4092 | u_int16_t port; | | 4092 | u_int16_t port; |
4093 | | | 4093 | |
4094 | switch (saddr->sa.sa_family) { | | 4094 | switch (saddr->sa.sa_family) { |
4095 | case AF_INET: { | | 4095 | case AF_INET: { |
4096 | port = saddr->sin.sin_port; | | 4096 | port = saddr->sin.sin_port; |
4097 | break; | | 4097 | break; |
4098 | } | | 4098 | } |
4099 | #ifdef INET6 | | 4099 | #ifdef INET6 |
4100 | case AF_INET6: { | | 4100 | case AF_INET6: { |
4101 | port = saddr->sin6.sin6_port; | | 4101 | port = saddr->sin6.sin6_port; |
4102 | break; | | 4102 | break; |
4103 | } | | 4103 | } |
4104 | #endif | | 4104 | #endif |
4105 | default: | | 4105 | default: |
4106 | printf("%s: unexpected address family\n", __func__); | | 4106 | printf("%s: unexpected address family\n", __func__); |
4107 | port = 0; | | 4107 | port = 0; |
4108 | break; | | 4108 | break; |
4109 | } | | 4109 | } |
4110 | | | 4110 | |
4111 | return port; | | 4111 | return port; |
4112 | } | | 4112 | } |
4113 | | | 4113 | |
4114 | | | 4114 | |
4115 | /* | | 4115 | /* |
4116 | * Set port is struct sockaddr. port is in network order | | 4116 | * Set port is struct sockaddr. port is in network order |
4117 | */ | | 4117 | */ |
4118 | static void | | 4118 | static void |
4119 | key_porttosaddr(union sockaddr_union *saddr, u_int16_t port) | | 4119 | key_porttosaddr(union sockaddr_union *saddr, u_int16_t port) |
4120 | { | | 4120 | { |
4121 | switch (saddr->sa.sa_family) { | | 4121 | switch (saddr->sa.sa_family) { |
4122 | case AF_INET: { | | 4122 | case AF_INET: { |
4123 | saddr->sin.sin_port = port; | | 4123 | saddr->sin.sin_port = port; |
4124 | break; | | 4124 | break; |
4125 | } | | 4125 | } |
4126 | #ifdef INET6 | | 4126 | #ifdef INET6 |
4127 | case AF_INET6: { | | 4127 | case AF_INET6: { |
4128 | saddr->sin6.sin6_port = port; | | 4128 | saddr->sin6.sin6_port = port; |
4129 | break; | | 4129 | break; |
4130 | } | | 4130 | } |
4131 | #endif | | 4131 | #endif |
4132 | default: | | 4132 | default: |
4133 | printf("%s: unexpected address family %d\n", __func__, | | 4133 | printf("%s: unexpected address family %d\n", __func__, |
4134 | saddr->sa.sa_family); | | 4134 | saddr->sa.sa_family); |
4135 | break; | | 4135 | break; |
4136 | } | | 4136 | } |
4137 | | | 4137 | |
4138 | return; | | 4138 | return; |
4139 | } | | 4139 | } |
4140 | | | 4140 | |
4141 | /* | | 4141 | /* |
4142 | * Safety check sa_len | | 4142 | * Safety check sa_len |
4143 | */ | | 4143 | */ |
4144 | static int | | 4144 | static int |
4145 | key_checksalen(const union sockaddr_union *saddr) | | 4145 | key_checksalen(const union sockaddr_union *saddr) |
4146 | { | | 4146 | { |
4147 | switch (saddr->sa.sa_family) { | | 4147 | switch (saddr->sa.sa_family) { |
4148 | case AF_INET: | | 4148 | case AF_INET: |
4149 | if (saddr->sa.sa_len != sizeof(struct sockaddr_in)) | | 4149 | if (saddr->sa.sa_len != sizeof(struct sockaddr_in)) |
4150 | return -1; | | 4150 | return -1; |
4151 | break; | | 4151 | break; |
4152 | #ifdef INET6 | | 4152 | #ifdef INET6 |
4153 | case AF_INET6: | | 4153 | case AF_INET6: |
4154 | if (saddr->sa.sa_len != sizeof(struct sockaddr_in6)) | | 4154 | if (saddr->sa.sa_len != sizeof(struct sockaddr_in6)) |
4155 | return -1; | | 4155 | return -1; |
4156 | break; | | 4156 | break; |
4157 | #endif | | 4157 | #endif |
4158 | default: | | 4158 | default: |
4159 | printf("%s: unexpected sa_family %d\n", __func__, | | 4159 | printf("%s: unexpected sa_family %d\n", __func__, |
4160 | saddr->sa.sa_family); | | 4160 | saddr->sa.sa_family); |
4161 | return -1; | | 4161 | return -1; |
4162 | break; | | 4162 | break; |
4163 | } | | 4163 | } |
4164 | return 0; | | 4164 | return 0; |
4165 | } | | 4165 | } |
4166 | | | 4166 | |
4167 | | | 4167 | |
4168 | /* | | 4168 | /* |
4169 | * set data into sadb_msg. | | 4169 | * set data into sadb_msg. |
4170 | */ | | 4170 | */ |
4171 | static struct mbuf * | | 4171 | static struct mbuf * |
4172 | key_setsadbmsg(u_int8_t type, u_int16_t tlen, u_int8_t satype, | | 4172 | key_setsadbmsg(u_int8_t type, u_int16_t tlen, u_int8_t satype, |
4173 | u_int32_t seq, pid_t pid, u_int16_t reserved, int mflag) | | 4173 | u_int32_t seq, pid_t pid, u_int16_t reserved, int mflag) |
4174 | { | | 4174 | { |
4175 | struct mbuf *m; | | 4175 | struct mbuf *m; |
4176 | struct sadb_msg *p; | | 4176 | struct sadb_msg *p; |
4177 | int len; | | 4177 | int len; |
4178 | | | 4178 | |
4179 | CTASSERT(PFKEY_ALIGN8(sizeof(struct sadb_msg)) <= MCLBYTES); | | 4179 | CTASSERT(PFKEY_ALIGN8(sizeof(struct sadb_msg)) <= MCLBYTES); |
4180 | | | 4180 | |
4181 | len = PFKEY_ALIGN8(sizeof(struct sadb_msg)); | | 4181 | len = PFKEY_ALIGN8(sizeof(struct sadb_msg)); |
4182 | | | 4182 | |
4183 | m = key_alloc_mbuf_simple(len, mflag); | | 4183 | m = key_alloc_mbuf_simple(len, mflag); |
4184 | if (!m) | | 4184 | if (!m) |
4185 | return NULL; | | 4185 | return NULL; |
4186 | m->m_pkthdr.len = m->m_len = len; | | 4186 | m->m_pkthdr.len = m->m_len = len; |
4187 | m->m_next = NULL; | | 4187 | m->m_next = NULL; |
4188 | | | 4188 | |
4189 | p = mtod(m, struct sadb_msg *); | | 4189 | p = mtod(m, struct sadb_msg *); |
4190 | | | 4190 | |
4191 | memset(p, 0, len); | | 4191 | memset(p, 0, len); |
4192 | p->sadb_msg_version = PF_KEY_V2; | | 4192 | p->sadb_msg_version = PF_KEY_V2; |
4193 | p->sadb_msg_type = type; | | 4193 | p->sadb_msg_type = type; |
4194 | p->sadb_msg_errno = 0; | | 4194 | p->sadb_msg_errno = 0; |
4195 | p->sadb_msg_satype = satype; | | 4195 | p->sadb_msg_satype = satype; |
4196 | p->sadb_msg_len = PFKEY_UNIT64(tlen); | | 4196 | p->sadb_msg_len = PFKEY_UNIT64(tlen); |
4197 | p->sadb_msg_reserved = reserved; | | 4197 | p->sadb_msg_reserved = reserved; |
4198 | p->sadb_msg_seq = seq; | | 4198 | p->sadb_msg_seq = seq; |
4199 | p->sadb_msg_pid = (u_int32_t)pid; | | 4199 | p->sadb_msg_pid = (u_int32_t)pid; |
4200 | | | 4200 | |
4201 | return m; | | 4201 | return m; |
4202 | } | | 4202 | } |
4203 | | | 4203 | |
4204 | /* | | 4204 | /* |
4205 | * copy secasvar data into sadb_address. | | 4205 | * copy secasvar data into sadb_address. |
4206 | */ | | 4206 | */ |
4207 | static struct mbuf * | | 4207 | static struct mbuf * |
4208 | key_setsadbsa(struct secasvar *sav) | | 4208 | key_setsadbsa(struct secasvar *sav) |
4209 | { | | 4209 | { |
4210 | struct mbuf *m; | | 4210 | struct mbuf *m; |
4211 | struct sadb_sa *p; | | 4211 | struct sadb_sa *p; |
4212 | int len; | | 4212 | int len; |
4213 | | | 4213 | |
4214 | len = PFKEY_ALIGN8(sizeof(struct sadb_sa)); | | 4214 | len = PFKEY_ALIGN8(sizeof(struct sadb_sa)); |
4215 | m = key_alloc_mbuf(len, M_WAITOK); | | 4215 | m = key_alloc_mbuf(len, M_WAITOK); |
4216 | KASSERT(m->m_next == NULL); | | 4216 | KASSERT(m->m_next == NULL); |
4217 | | | 4217 | |
4218 | p = mtod(m, struct sadb_sa *); | | 4218 | p = mtod(m, struct sadb_sa *); |
4219 | | | 4219 | |
4220 | memset(p, 0, len); | | 4220 | memset(p, 0, len); |
4221 | p->sadb_sa_len = PFKEY_UNIT64(len); | | 4221 | p->sadb_sa_len = PFKEY_UNIT64(len); |
4222 | p->sadb_sa_exttype = SADB_EXT_SA; | | 4222 | p->sadb_sa_exttype = SADB_EXT_SA; |
4223 | p->sadb_sa_spi = sav->spi; | | 4223 | p->sadb_sa_spi = sav->spi; |
4224 | p->sadb_sa_replay = (sav->replay != NULL ? sav->replay->wsize : 0); | | 4224 | p->sadb_sa_replay = (sav->replay != NULL ? sav->replay->wsize : 0); |
4225 | p->sadb_sa_state = sav->state; | | 4225 | p->sadb_sa_state = sav->state; |
4226 | p->sadb_sa_auth = sav->alg_auth; | | 4226 | p->sadb_sa_auth = sav->alg_auth; |
4227 | p->sadb_sa_encrypt = sav->alg_enc; | | 4227 | p->sadb_sa_encrypt = sav->alg_enc; |
4228 | p->sadb_sa_flags = sav->flags; | | 4228 | p->sadb_sa_flags = sav->flags; |
4229 | | | 4229 | |
4230 | return m; | | 4230 | return m; |
4231 | } | | 4231 | } |
4232 | | | 4232 | |
4233 | static uint8_t | | 4233 | static uint8_t |
4234 | key_sabits(const struct sockaddr *saddr) | | 4234 | key_sabits(const struct sockaddr *saddr) |
4235 | { | | 4235 | { |
4236 | switch (saddr->sa_family) { | | 4236 | switch (saddr->sa_family) { |
4237 | case AF_INET: | | 4237 | case AF_INET: |
4238 | return _BITS(sizeof(struct in_addr)); | | 4238 | return _BITS(sizeof(struct in_addr)); |
4239 | case AF_INET6: | | 4239 | case AF_INET6: |
4240 | return _BITS(sizeof(struct in6_addr)); | | 4240 | return _BITS(sizeof(struct in6_addr)); |
4241 | default: | | 4241 | default: |
4242 | return FULLMASK; | | 4242 | return FULLMASK; |
4243 | } | | 4243 | } |
4244 | } | | 4244 | } |
4245 | | | 4245 | |
4246 | /* | | 4246 | /* |
4247 | * set data into sadb_address. | | 4247 | * set data into sadb_address. |
4248 | */ | | 4248 | */ |
4249 | static struct mbuf * | | 4249 | static struct mbuf * |
4250 | key_setsadbaddr(u_int16_t exttype, const struct sockaddr *saddr, | | 4250 | key_setsadbaddr(u_int16_t exttype, const struct sockaddr *saddr, |
4251 | u_int8_t prefixlen, u_int16_t ul_proto, int mflag) | | 4251 | u_int8_t prefixlen, u_int16_t ul_proto, int mflag) |
4252 | { | | 4252 | { |
4253 | struct mbuf *m; | | 4253 | struct mbuf *m; |
4254 | struct sadb_address *p; | | 4254 | struct sadb_address *p; |
4255 | size_t len; | | 4255 | size_t len; |
4256 | | | 4256 | |
4257 | len = PFKEY_ALIGN8(sizeof(struct sadb_address)) + | | 4257 | len = PFKEY_ALIGN8(sizeof(struct sadb_address)) + |
4258 | PFKEY_ALIGN8(saddr->sa_len); | | 4258 | PFKEY_ALIGN8(saddr->sa_len); |
4259 | m = key_alloc_mbuf(len, mflag); | | 4259 | m = key_alloc_mbuf(len, mflag); |
4260 | if (!m || m->m_next) { /*XXX*/ | | 4260 | if (!m || m->m_next) { /*XXX*/ |
4261 | if (m) | | 4261 | if (m) |
4262 | m_freem(m); | | 4262 | m_freem(m); |
4263 | return NULL; | | 4263 | return NULL; |
4264 | } | | 4264 | } |
4265 | | | 4265 | |
4266 | p = mtod(m, struct sadb_address *); | | 4266 | p = mtod(m, struct sadb_address *); |
4267 | | | 4267 | |
4268 | memset(p, 0, len); | | 4268 | memset(p, 0, len); |
4269 | p->sadb_address_len = PFKEY_UNIT64(len); | | 4269 | p->sadb_address_len = PFKEY_UNIT64(len); |
4270 | p->sadb_address_exttype = exttype; | | 4270 | p->sadb_address_exttype = exttype; |
4271 | p->sadb_address_proto = ul_proto; | | 4271 | p->sadb_address_proto = ul_proto; |
4272 | if (prefixlen == FULLMASK) { | | 4272 | if (prefixlen == FULLMASK) { |
4273 | prefixlen = key_sabits(saddr); | | 4273 | prefixlen = key_sabits(saddr); |
4274 | } | | 4274 | } |
4275 | p->sadb_address_prefixlen = prefixlen; | | 4275 | p->sadb_address_prefixlen = prefixlen; |
4276 | p->sadb_address_reserved = 0; | | 4276 | p->sadb_address_reserved = 0; |
4277 | | | 4277 | |
4278 | memcpy(mtod(m, char *) + PFKEY_ALIGN8(sizeof(struct sadb_address)), | | 4278 | memcpy(mtod(m, char *) + PFKEY_ALIGN8(sizeof(struct sadb_address)), |
4279 | saddr, saddr->sa_len); | | 4279 | saddr, saddr->sa_len); |
4280 | | | 4280 | |
4281 | return m; | | 4281 | return m; |
4282 | } | | 4282 | } |
4283 | | | 4283 | |
4284 | #if 0 | | 4284 | #if 0 |
4285 | /* | | 4285 | /* |
4286 | * set data into sadb_ident. | | 4286 | * set data into sadb_ident. |
4287 | */ | | 4287 | */ |
4288 | static struct mbuf * | | 4288 | static struct mbuf * |
4289 | key_setsadbident(u_int16_t exttype, u_int16_t idtype, | | 4289 | key_setsadbident(u_int16_t exttype, u_int16_t idtype, |
4290 | void *string, int stringlen, u_int64_t id) | | 4290 | void *string, int stringlen, u_int64_t id) |
4291 | { | | 4291 | { |
4292 | struct mbuf *m; | | 4292 | struct mbuf *m; |
4293 | struct sadb_ident *p; | | 4293 | struct sadb_ident *p; |
4294 | size_t len; | | 4294 | size_t len; |
4295 | | | 4295 | |
4296 | len = PFKEY_ALIGN8(sizeof(struct sadb_ident)) + PFKEY_ALIGN8(stringlen); | | 4296 | len = PFKEY_ALIGN8(sizeof(struct sadb_ident)) + PFKEY_ALIGN8(stringlen); |
4297 | m = key_alloc_mbuf(len); | | 4297 | m = key_alloc_mbuf(len); |
4298 | if (!m || m->m_next) { /*XXX*/ | | 4298 | if (!m || m->m_next) { /*XXX*/ |
4299 | if (m) | | 4299 | if (m) |
4300 | m_freem(m); | | 4300 | m_freem(m); |
4301 | return NULL; | | 4301 | return NULL; |
4302 | } | | 4302 | } |
4303 | | | 4303 | |
4304 | p = mtod(m, struct sadb_ident *); | | 4304 | p = mtod(m, struct sadb_ident *); |
4305 | | | 4305 | |
4306 | memset(p, 0, len); | | 4306 | memset(p, 0, len); |
4307 | p->sadb_ident_len = PFKEY_UNIT64(len); | | 4307 | p->sadb_ident_len = PFKEY_UNIT64(len); |
4308 | p->sadb_ident_exttype = exttype; | | 4308 | p->sadb_ident_exttype = exttype; |
4309 | p->sadb_ident_type = idtype; | | 4309 | p->sadb_ident_type = idtype; |
4310 | p->sadb_ident_reserved = 0; | | 4310 | p->sadb_ident_reserved = 0; |
4311 | p->sadb_ident_id = id; | | 4311 | p->sadb_ident_id = id; |
4312 | | | 4312 | |
4313 | memcpy(mtod(m, void *) + PFKEY_ALIGN8(sizeof(struct sadb_ident)), | | 4313 | memcpy(mtod(m, void *) + PFKEY_ALIGN8(sizeof(struct sadb_ident)), |
4314 | string, stringlen); | | 4314 | string, stringlen); |
4315 | | | 4315 | |
4316 | return m; | | 4316 | return m; |
4317 | } | | 4317 | } |
4318 | #endif | | 4318 | #endif |
4319 | | | 4319 | |
4320 | /* | | 4320 | /* |
4321 | * set data into sadb_x_sa2. | | 4321 | * set data into sadb_x_sa2. |
4322 | */ | | 4322 | */ |
4323 | static struct mbuf * | | 4323 | static struct mbuf * |
4324 | key_setsadbxsa2(u_int8_t mode, u_int32_t seq, u_int16_t reqid) | | 4324 | key_setsadbxsa2(u_int8_t mode, u_int32_t seq, u_int16_t reqid) |
4325 | { | | 4325 | { |
4326 | struct mbuf *m; | | 4326 | struct mbuf *m; |
4327 | struct sadb_x_sa2 *p; | | 4327 | struct sadb_x_sa2 *p; |
4328 | size_t len; | | 4328 | size_t len; |
4329 | | | 4329 | |
4330 | len = PFKEY_ALIGN8(sizeof(struct sadb_x_sa2)); | | 4330 | len = PFKEY_ALIGN8(sizeof(struct sadb_x_sa2)); |
4331 | m = key_alloc_mbuf(len, M_WAITOK); | | 4331 | m = key_alloc_mbuf(len, M_WAITOK); |
4332 | KASSERT(m->m_next == NULL); | | 4332 | KASSERT(m->m_next == NULL); |
4333 | | | 4333 | |
4334 | p = mtod(m, struct sadb_x_sa2 *); | | 4334 | p = mtod(m, struct sadb_x_sa2 *); |
4335 | | | 4335 | |
4336 | memset(p, 0, len); | | 4336 | memset(p, 0, len); |
4337 | p->sadb_x_sa2_len = PFKEY_UNIT64(len); | | 4337 | p->sadb_x_sa2_len = PFKEY_UNIT64(len); |
4338 | p->sadb_x_sa2_exttype = SADB_X_EXT_SA2; | | 4338 | p->sadb_x_sa2_exttype = SADB_X_EXT_SA2; |
4339 | p->sadb_x_sa2_mode = mode; | | 4339 | p->sadb_x_sa2_mode = mode; |
4340 | p->sadb_x_sa2_reserved1 = 0; | | 4340 | p->sadb_x_sa2_reserved1 = 0; |
4341 | p->sadb_x_sa2_reserved2 = 0; | | 4341 | p->sadb_x_sa2_reserved2 = 0; |
4342 | p->sadb_x_sa2_sequence = seq; | | 4342 | p->sadb_x_sa2_sequence = seq; |
4343 | p->sadb_x_sa2_reqid = reqid; | | 4343 | p->sadb_x_sa2_reqid = reqid; |
4344 | | | 4344 | |
4345 | return m; | | 4345 | return m; |
4346 | } | | 4346 | } |
4347 | | | 4347 | |
4348 | /* | | 4348 | /* |
4349 | * set data into sadb_x_policy | | 4349 | * set data into sadb_x_policy |
4350 | */ | | 4350 | */ |
4351 | static struct mbuf * | | 4351 | static struct mbuf * |
4352 | key_setsadbxpolicy(const u_int16_t type, const u_int8_t dir, const u_int32_t id, | | 4352 | key_setsadbxpolicy(const u_int16_t type, const u_int8_t dir, const u_int32_t id, |
4353 | int mflag) | | 4353 | int mflag) |
4354 | { | | 4354 | { |
4355 | struct mbuf *m; | | 4355 | struct mbuf *m; |
4356 | struct sadb_x_policy *p; | | 4356 | struct sadb_x_policy *p; |
4357 | size_t len; | | 4357 | size_t len; |
4358 | | | 4358 | |
4359 | len = PFKEY_ALIGN8(sizeof(struct sadb_x_policy)); | | 4359 | len = PFKEY_ALIGN8(sizeof(struct sadb_x_policy)); |
4360 | m = key_alloc_mbuf(len, mflag); | | 4360 | m = key_alloc_mbuf(len, mflag); |
4361 | if (!m || m->m_next) { /*XXX*/ | | 4361 | if (!m || m->m_next) { /*XXX*/ |
4362 | if (m) | | 4362 | if (m) |
4363 | m_freem(m); | | 4363 | m_freem(m); |
4364 | return NULL; | | 4364 | return NULL; |
4365 | } | | 4365 | } |
4366 | | | 4366 | |
4367 | p = mtod(m, struct sadb_x_policy *); | | 4367 | p = mtod(m, struct sadb_x_policy *); |
4368 | | | 4368 | |
4369 | memset(p, 0, len); | | 4369 | memset(p, 0, len); |
4370 | p->sadb_x_policy_len = PFKEY_UNIT64(len); | | 4370 | p->sadb_x_policy_len = PFKEY_UNIT64(len); |
4371 | p->sadb_x_policy_exttype = SADB_X_EXT_POLICY; | | 4371 | p->sadb_x_policy_exttype = SADB_X_EXT_POLICY; |
4372 | p->sadb_x_policy_type = type; | | 4372 | p->sadb_x_policy_type = type; |
4373 | p->sadb_x_policy_dir = dir; | | 4373 | p->sadb_x_policy_dir = dir; |
4374 | p->sadb_x_policy_id = id; | | 4374 | p->sadb_x_policy_id = id; |
4375 | | | 4375 | |
4376 | return m; | | 4376 | return m; |
4377 | } | | 4377 | } |
4378 | | | 4378 | |
4379 | /* %%% utilities */ | | 4379 | /* %%% utilities */ |
4380 | /* | | 4380 | /* |
4381 | * copy a buffer into the new buffer allocated. | | 4381 | * copy a buffer into the new buffer allocated. |
4382 | */ | | 4382 | */ |
4383 | static void * | | 4383 | static void * |
4384 | key_newbuf(const void *src, u_int len) | | 4384 | key_newbuf(const void *src, u_int len) |
4385 | { | | 4385 | { |
4386 | void *new; | | 4386 | void *new; |
4387 | | | 4387 | |
4388 | new = kmem_alloc(len, KM_SLEEP); | | 4388 | new = kmem_alloc(len, KM_SLEEP); |
4389 | memcpy(new, src, len); | | 4389 | memcpy(new, src, len); |
4390 | | | 4390 | |
4391 | return new; | | 4391 | return new; |
4392 | } | | 4392 | } |
4393 | | | 4393 | |
4394 | /* compare my own address | | 4394 | /* compare my own address |
4395 | * OUT: 1: true, i.e. my address. | | 4395 | * OUT: 1: true, i.e. my address. |
4396 | * 0: false | | 4396 | * 0: false |
4397 | */ | | 4397 | */ |
4398 | int | | 4398 | int |
4399 | key_ismyaddr(const struct sockaddr *sa) | | 4399 | key_ismyaddr(const struct sockaddr *sa) |
4400 | { | | 4400 | { |
4401 | #ifdef INET | | 4401 | #ifdef INET |
4402 | const struct sockaddr_in *sin; | | 4402 | const struct sockaddr_in *sin; |
4403 | const struct in_ifaddr *ia; | | 4403 | const struct in_ifaddr *ia; |
4404 | int s; | | 4404 | int s; |
4405 | #endif | | 4405 | #endif |
4406 | | | 4406 | |
4407 | KASSERT(sa != NULL); | | 4407 | KASSERT(sa != NULL); |
4408 | | | 4408 | |
4409 | switch (sa->sa_family) { | | 4409 | switch (sa->sa_family) { |
4410 | #ifdef INET | | 4410 | #ifdef INET |
4411 | case AF_INET: | | 4411 | case AF_INET: |
4412 | sin = (const struct sockaddr_in *)sa; | | 4412 | sin = (const struct sockaddr_in *)sa; |
4413 | s = pserialize_read_enter(); | | 4413 | s = pserialize_read_enter(); |
4414 | IN_ADDRLIST_READER_FOREACH(ia) { | | 4414 | IN_ADDRLIST_READER_FOREACH(ia) { |
4415 | if (sin->sin_family == ia->ia_addr.sin_family && | | 4415 | if (sin->sin_family == ia->ia_addr.sin_family && |
4416 | sin->sin_len == ia->ia_addr.sin_len && | | 4416 | sin->sin_len == ia->ia_addr.sin_len && |
4417 | sin->sin_addr.s_addr == ia->ia_addr.sin_addr.s_addr) | | 4417 | sin->sin_addr.s_addr == ia->ia_addr.sin_addr.s_addr) |
4418 | { | | 4418 | { |
4419 | pserialize_read_exit(s); | | 4419 | pserialize_read_exit(s); |
4420 | return 1; | | 4420 | return 1; |
4421 | } | | 4421 | } |
4422 | } | | 4422 | } |
4423 | pserialize_read_exit(s); | | 4423 | pserialize_read_exit(s); |
4424 | break; | | 4424 | break; |
4425 | #endif | | 4425 | #endif |
4426 | #ifdef INET6 | | 4426 | #ifdef INET6 |
4427 | case AF_INET6: | | 4427 | case AF_INET6: |
4428 | return key_ismyaddr6((const struct sockaddr_in6 *)sa); | | 4428 | return key_ismyaddr6((const struct sockaddr_in6 *)sa); |
4429 | #endif | | 4429 | #endif |
4430 | } | | 4430 | } |
4431 | | | 4431 | |
4432 | return 0; | | 4432 | return 0; |
4433 | } | | 4433 | } |
4434 | | | 4434 | |
4435 | #ifdef INET6 | | 4435 | #ifdef INET6 |
4436 | /* | | 4436 | /* |
4437 | * compare my own address for IPv6. | | 4437 | * compare my own address for IPv6. |
4438 | * 1: ours | | 4438 | * 1: ours |
4439 | * 0: other | | 4439 | * 0: other |
4440 | * NOTE: derived ip6_input() in KAME. This is necessary to modify more. | | 4440 | * NOTE: derived ip6_input() in KAME. This is necessary to modify more. |
4441 | */ | | 4441 | */ |
4442 | #include <netinet6/in6_var.h> | | 4442 | #include <netinet6/in6_var.h> |
4443 | | | 4443 | |
4444 | static int | | 4444 | static int |
4445 | key_ismyaddr6(const struct sockaddr_in6 *sin6) | | 4445 | key_ismyaddr6(const struct sockaddr_in6 *sin6) |
4446 | { | | 4446 | { |
4447 | struct in6_ifaddr *ia; | | 4447 | struct in6_ifaddr *ia; |
4448 | int s; | | 4448 | int s; |
4449 | struct psref psref; | | 4449 | struct psref psref; |
4450 | int bound; | | 4450 | int bound; |
4451 | int ours = 1; | | 4451 | int ours = 1; |
4452 | | | 4452 | |
4453 | bound = curlwp_bind(); | | 4453 | bound = curlwp_bind(); |
4454 | s = pserialize_read_enter(); | | 4454 | s = pserialize_read_enter(); |
4455 | IN6_ADDRLIST_READER_FOREACH(ia) { | | 4455 | IN6_ADDRLIST_READER_FOREACH(ia) { |
4456 | bool ingroup; | | 4456 | bool ingroup; |
4457 | | | 4457 | |
4458 | if (key_sockaddr_match((const struct sockaddr *)&sin6, | | 4458 | if (key_sockaddr_match((const struct sockaddr *)&sin6, |
4459 | (const struct sockaddr *)&ia->ia_addr, 0)) { | | 4459 | (const struct sockaddr *)&ia->ia_addr, 0)) { |
4460 | pserialize_read_exit(s); | | 4460 | pserialize_read_exit(s); |
4461 | goto ours; | | 4461 | goto ours; |
4462 | } | | 4462 | } |
4463 | ia6_acquire(ia, &psref); | | 4463 | ia6_acquire(ia, &psref); |
4464 | pserialize_read_exit(s); | | 4464 | pserialize_read_exit(s); |
4465 | | | 4465 | |
4466 | /* | | 4466 | /* |
4467 | * XXX Multicast | | 4467 | * XXX Multicast |
4468 | * XXX why do we care about multlicast here while we don't care | | 4468 | * XXX why do we care about multlicast here while we don't care |
4469 | * about IPv4 multicast?? | | 4469 | * about IPv4 multicast?? |
4470 | * XXX scope | | 4470 | * XXX scope |
4471 | */ | | 4471 | */ |
4472 | ingroup = in6_multi_group(&sin6->sin6_addr, ia->ia_ifp); | | 4472 | ingroup = in6_multi_group(&sin6->sin6_addr, ia->ia_ifp); |
4473 | if (ingroup) { | | 4473 | if (ingroup) { |
4474 | ia6_release(ia, &psref); | | 4474 | ia6_release(ia, &psref); |
4475 | goto ours; | | 4475 | goto ours; |
4476 | } | | 4476 | } |
4477 | | | 4477 | |
4478 | s = pserialize_read_enter(); | | 4478 | s = pserialize_read_enter(); |
4479 | ia6_release(ia, &psref); | | 4479 | ia6_release(ia, &psref); |