Thu Aug 23 01:55:38 2018 UTC ()
Don't call key_ismyaddr, which may sleep, in a pserialize read section

Use mutex here instead of pserialize because using mutex is simpler than
using psz+ref, which is another solution, and key_checkspidup isn't called in
any performance-sensitive paths.


(ozaki-r)
diff -r1.256 -r1.257 src/sys/netipsec/key.c
cvs diff -r1.256 -r1.257 src/sys/netipsec/key.c (switch to unified diff)

--- src/sys/netipsec/key.c 2018/07/04 19:20:25 1.256
+++ src/sys/netipsec/key.c 2018/08/23 01:55:38 1.257
@@ -1,1034 +1,1034 @@ @@ -1,1034 +1,1034 @@
1/* $NetBSD: key.c,v 1.256 2018/07/04 19:20:25 christos Exp $ */ 1/* $NetBSD: key.c,v 1.257 2018/08/23 01:55:38 ozaki-r Exp $ */
2/* $FreeBSD: key.c,v 1.3.2.3 2004/02/14 22:23:23 bms Exp $ */ 2/* $FreeBSD: key.c,v 1.3.2.3 2004/02/14 22:23:23 bms Exp $ */
3/* $KAME: key.c,v 1.191 2001/06/27 10:46:49 sakane Exp $ */ 3/* $KAME: key.c,v 1.191 2001/06/27 10:46:49 sakane Exp $ */
4 4
5/* 5/*
6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. 6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
7 * All rights reserved. 7 * All rights reserved.
8 * 8 *
9 * Redistribution and use in source and binary forms, with or without 9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions 10 * modification, are permitted provided that the following conditions
11 * are met: 11 * are met:
12 * 1. Redistributions of source code must retain the above copyright 12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer. 13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright 14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the 15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution. 16 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the project nor the names of its contributors 17 * 3. Neither the name of the project nor the names of its contributors
18 * may be used to endorse or promote products derived from this software 18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission. 19 * without specific prior written permission.
20 * 20 *
21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE. 31 * SUCH DAMAGE.
32 */ 32 */
33 33
34#include <sys/cdefs.h> 34#include <sys/cdefs.h>
35__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.256 2018/07/04 19:20:25 christos Exp $"); 35__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.257 2018/08/23 01:55:38 ozaki-r Exp $");
36 36
37/* 37/*
38 * This code is referred to RFC 2367 38 * This code is referred to RFC 2367
39 */ 39 */
40 40
41#if defined(_KERNEL_OPT) 41#if defined(_KERNEL_OPT)
42#include "opt_inet.h" 42#include "opt_inet.h"
43#include "opt_ipsec.h" 43#include "opt_ipsec.h"
44#include "opt_gateway.h" 44#include "opt_gateway.h"
45#include "opt_net_mpsafe.h" 45#include "opt_net_mpsafe.h"
46#endif 46#endif
47 47
48#include <sys/types.h> 48#include <sys/types.h>
49#include <sys/param.h> 49#include <sys/param.h>
50#include <sys/systm.h> 50#include <sys/systm.h>
51#include <sys/callout.h> 51#include <sys/callout.h>
52#include <sys/kernel.h> 52#include <sys/kernel.h>
53#include <sys/mbuf.h> 53#include <sys/mbuf.h>
54#include <sys/domain.h> 54#include <sys/domain.h>
55#include <sys/socket.h> 55#include <sys/socket.h>
56#include <sys/socketvar.h> 56#include <sys/socketvar.h>
57#include <sys/sysctl.h> 57#include <sys/sysctl.h>
58#include <sys/errno.h> 58#include <sys/errno.h>
59#include <sys/proc.h> 59#include <sys/proc.h>
60#include <sys/queue.h> 60#include <sys/queue.h>
61#include <sys/syslog.h> 61#include <sys/syslog.h>
62#include <sys/once.h> 62#include <sys/once.h>
63#include <sys/cprng.h> 63#include <sys/cprng.h>
64#include <sys/psref.h> 64#include <sys/psref.h>
65#include <sys/lwp.h> 65#include <sys/lwp.h>
66#include <sys/workqueue.h> 66#include <sys/workqueue.h>
67#include <sys/kmem.h> 67#include <sys/kmem.h>
68#include <sys/cpu.h> 68#include <sys/cpu.h>
69#include <sys/atomic.h> 69#include <sys/atomic.h>
70#include <sys/pslist.h> 70#include <sys/pslist.h>
71#include <sys/mutex.h> 71#include <sys/mutex.h>
72#include <sys/condvar.h> 72#include <sys/condvar.h>
73#include <sys/localcount.h> 73#include <sys/localcount.h>
74#include <sys/pserialize.h> 74#include <sys/pserialize.h>
75#include <sys/hash.h> 75#include <sys/hash.h>
76 76
77#include <net/if.h> 77#include <net/if.h>
78#include <net/route.h> 78#include <net/route.h>
79 79
80#include <netinet/in.h> 80#include <netinet/in.h>
81#include <netinet/in_systm.h> 81#include <netinet/in_systm.h>
82#include <netinet/ip.h> 82#include <netinet/ip.h>
83#include <netinet/in_var.h> 83#include <netinet/in_var.h>
84#ifdef INET 84#ifdef INET
85#include <netinet/ip_var.h> 85#include <netinet/ip_var.h>
86#endif 86#endif
87 87
88#ifdef INET6 88#ifdef INET6
89#include <netinet/ip6.h> 89#include <netinet/ip6.h>
90#include <netinet6/in6_var.h> 90#include <netinet6/in6_var.h>
91#include <netinet6/ip6_var.h> 91#include <netinet6/ip6_var.h>
92#endif /* INET6 */ 92#endif /* INET6 */
93 93
94#ifdef INET 94#ifdef INET
95#include <netinet/in_pcb.h> 95#include <netinet/in_pcb.h>
96#endif 96#endif
97#ifdef INET6 97#ifdef INET6
98#include <netinet6/in6_pcb.h> 98#include <netinet6/in6_pcb.h>
99#endif /* INET6 */ 99#endif /* INET6 */
100 100
101#include <net/pfkeyv2.h> 101#include <net/pfkeyv2.h>
102#include <netipsec/keydb.h> 102#include <netipsec/keydb.h>
103#include <netipsec/key.h> 103#include <netipsec/key.h>
104#include <netipsec/keysock.h> 104#include <netipsec/keysock.h>
105#include <netipsec/key_debug.h> 105#include <netipsec/key_debug.h>
106 106
107#include <netipsec/ipsec.h> 107#include <netipsec/ipsec.h>
108#ifdef INET6 108#ifdef INET6
109#include <netipsec/ipsec6.h> 109#include <netipsec/ipsec6.h>
110#endif 110#endif
111#include <netipsec/ipsec_private.h> 111#include <netipsec/ipsec_private.h>
112 112
113#include <netipsec/xform.h> 113#include <netipsec/xform.h>
114#include <netipsec/ipcomp.h> 114#include <netipsec/ipcomp.h>
115 115
116#define FULLMASK 0xffu 116#define FULLMASK 0xffu
117#define _BITS(bytes) ((bytes) << 3) 117#define _BITS(bytes) ((bytes) << 3)
118 118
119#define PORT_NONE 0 119#define PORT_NONE 0
120#define PORT_LOOSE 1 120#define PORT_LOOSE 1
121#define PORT_STRICT 2 121#define PORT_STRICT 2
122 122
123#ifndef SAHHASH_NHASH 123#ifndef SAHHASH_NHASH
124#define SAHHASH_NHASH 128 124#define SAHHASH_NHASH 128
125#endif 125#endif
126 126
127#ifndef SAVLUT_NHASH 127#ifndef SAVLUT_NHASH
128#define SAVLUT_NHASH 128 128#define SAVLUT_NHASH 128
129#endif 129#endif
130 130
131percpu_t *pfkeystat_percpu; 131percpu_t *pfkeystat_percpu;
132 132
133/* 133/*
134 * Note on SA reference counting: 134 * Note on SA reference counting:
135 * - SAs that are not in DEAD state will have (total external reference + 1) 135 * - SAs that are not in DEAD state will have (total external reference + 1)
136 * following value in reference count field. they cannot be freed and are 136 * following value in reference count field. they cannot be freed and are
137 * referenced from SA header. 137 * referenced from SA header.
138 * - SAs that are in DEAD state will have (total external reference) 138 * - SAs that are in DEAD state will have (total external reference)
139 * in reference count field. they are ready to be freed. reference from 139 * in reference count field. they are ready to be freed. reference from
140 * SA header will be removed in key_delsav(), when the reference count 140 * SA header will be removed in key_delsav(), when the reference count
141 * field hits 0 (= no external reference other than from SA header. 141 * field hits 0 (= no external reference other than from SA header.
142 */ 142 */
143 143
144u_int32_t key_debug_level = 0; 144u_int32_t key_debug_level = 0;
145static u_int key_spi_trycnt = 1000; 145static u_int key_spi_trycnt = 1000;
146static u_int32_t key_spi_minval = 0x100; 146static u_int32_t key_spi_minval = 0x100;
147static u_int32_t key_spi_maxval = 0x0fffffff; /* XXX */ 147static u_int32_t key_spi_maxval = 0x0fffffff; /* XXX */
148static u_int32_t policy_id = 0; 148static u_int32_t policy_id = 0;
149static u_int key_int_random = 60; /*interval to initialize randseed,1(m)*/ 149static u_int key_int_random = 60; /*interval to initialize randseed,1(m)*/
150static u_int key_larval_lifetime = 30; /* interval to expire acquiring, 30(s)*/ 150static u_int key_larval_lifetime = 30; /* interval to expire acquiring, 30(s)*/
151static int key_blockacq_count = 10; /* counter for blocking SADB_ACQUIRE.*/ 151static int key_blockacq_count = 10; /* counter for blocking SADB_ACQUIRE.*/
152static int key_blockacq_lifetime = 20; /* lifetime for blocking SADB_ACQUIRE.*/ 152static int key_blockacq_lifetime = 20; /* lifetime for blocking SADB_ACQUIRE.*/
153static int key_prefered_oldsa = 0; /* prefered old sa rather than new sa.*/ 153static int key_prefered_oldsa = 0; /* prefered old sa rather than new sa.*/
154 154
155static u_int32_t acq_seq = 0; 155static u_int32_t acq_seq = 0;
156 156
157/* 157/*
158 * Locking order: there is no order for now; it means that any locks aren't 158 * Locking order: there is no order for now; it means that any locks aren't
159 * overlapped. 159 * overlapped.
160 */ 160 */
161/* 161/*
162 * Locking notes on SPD: 162 * Locking notes on SPD:
163 * - Modifications to the key_spd.splist must be done with holding key_spd.lock 163 * - Modifications to the key_spd.splist must be done with holding key_spd.lock
164 * which is a adaptive mutex 164 * which is a adaptive mutex
165 * - Read accesses to the key_spd.splist must be in pserialize(9) read sections 165 * - Read accesses to the key_spd.splist must be in pserialize(9) read sections
166 * - SP's lifetime is managed by localcount(9) 166 * - SP's lifetime is managed by localcount(9)
167 * - An SP that has been inserted to the key_spd.splist is initially referenced 167 * - An SP that has been inserted to the key_spd.splist is initially referenced
168 * by none, i.e., a reference from the key_spd.splist isn't counted 168 * by none, i.e., a reference from the key_spd.splist isn't counted
169 * - When an SP is being destroyed, we change its state as DEAD, wait for 169 * - When an SP is being destroyed, we change its state as DEAD, wait for
170 * references to the SP to be released, and then deallocate the SP 170 * references to the SP to be released, and then deallocate the SP
171 * (see key_unlink_sp) 171 * (see key_unlink_sp)
172 * - Getting an SP 172 * - Getting an SP
173 * - Normally we get an SP from the key_spd.splist (see key_lookup_sp_byspidx) 173 * - Normally we get an SP from the key_spd.splist (see key_lookup_sp_byspidx)
174 * - Must iterate the list and increment the reference count of a found SP 174 * - Must iterate the list and increment the reference count of a found SP
175 * (by key_sp_ref) in a pserialize read section 175 * (by key_sp_ref) in a pserialize read section
176 * - We can gain another reference from a held SP only if we check its state 176 * - We can gain another reference from a held SP only if we check its state
177 * and take its reference in a pserialize read section 177 * and take its reference in a pserialize read section
178 * (see esp_output for example) 178 * (see esp_output for example)
179 * - We may get an SP from an SP cache. See below 179 * - We may get an SP from an SP cache. See below
180 * - A gotten SP must be released after use by KEY_SP_UNREF (key_sp_unref) 180 * - A gotten SP must be released after use by KEY_SP_UNREF (key_sp_unref)
181 * - Updating member variables of an SP 181 * - Updating member variables of an SP
182 * - Most member variables of an SP are immutable 182 * - Most member variables of an SP are immutable
183 * - Only sp->state and sp->lastused can be changed 183 * - Only sp->state and sp->lastused can be changed
184 * - sp->state of an SP is updated only when destroying it under key_spd.lock 184 * - sp->state of an SP is updated only when destroying it under key_spd.lock
185 * - SP caches 185 * - SP caches
186 * - SPs can be cached in PCBs 186 * - SPs can be cached in PCBs
187 * - The lifetime of the caches is controlled by the global generation counter 187 * - The lifetime of the caches is controlled by the global generation counter
188 * (ipsec_spdgen) 188 * (ipsec_spdgen)
189 * - The global counter value is stored when an SP is cached 189 * - The global counter value is stored when an SP is cached
190 * - If the stored value is different from the global counter then the cache 190 * - If the stored value is different from the global counter then the cache
191 * is considered invalidated 191 * is considered invalidated
192 * - The counter is incremented when an SP is being destroyed 192 * - The counter is incremented when an SP is being destroyed
193 * - So checking the generation and taking a reference to an SP should be 193 * - So checking the generation and taking a reference to an SP should be
194 * in a pserialize read section 194 * in a pserialize read section
195 * - Note that caching doesn't increment the reference counter of an SP 195 * - Note that caching doesn't increment the reference counter of an SP
196 * - SPs in sockets 196 * - SPs in sockets
197 * - Userland programs can set a policy to a socket by 197 * - Userland programs can set a policy to a socket by
198 * setsockopt(IP_IPSEC_POLICY) 198 * setsockopt(IP_IPSEC_POLICY)
199 * - Such policies (SPs) are set to a socket (PCB) and also inserted to 199 * - Such policies (SPs) are set to a socket (PCB) and also inserted to
200 * the key_spd.socksplist list (not the key_spd.splist) 200 * the key_spd.socksplist list (not the key_spd.splist)
201 * - Such a policy is destroyed when a corresponding socket is destroed, 201 * - Such a policy is destroyed when a corresponding socket is destroed,
202 * however, a socket can be destroyed in softint so we cannot destroy 202 * however, a socket can be destroyed in softint so we cannot destroy
203 * it directly instead we just mark it DEAD and delay the destruction 203 * it directly instead we just mark it DEAD and delay the destruction
204 * until GC by the timer 204 * until GC by the timer
205 * - SP origin 205 * - SP origin
206 * - SPs can be created by both userland programs and kernel components. 206 * - SPs can be created by both userland programs and kernel components.
207 * The SPs created in kernel must not be removed by userland programs, 207 * The SPs created in kernel must not be removed by userland programs,
208 * although the SPs can be read by userland programs. 208 * although the SPs can be read by userland programs.
209 */ 209 */
210/* 210/*
211 * Locking notes on SAD: 211 * Locking notes on SAD:
212 * - Data structures 212 * - Data structures
213 * - SAs are managed by the list called key_sad.sahlists and sav lists of 213 * - SAs are managed by the list called key_sad.sahlists and sav lists of
214 * sah entries 214 * sah entries
215 * - An sav is supposed to be an SA from a viewpoint of users 215 * - An sav is supposed to be an SA from a viewpoint of users
216 * - A sah has sav lists for each SA state 216 * - A sah has sav lists for each SA state
217 * - Multiple saves with the same saidx can exist 217 * - Multiple saves with the same saidx can exist
218 * - Only one entry has MATURE state and others should be DEAD 218 * - Only one entry has MATURE state and others should be DEAD
219 * - DEAD entries are just ignored from searching 219 * - DEAD entries are just ignored from searching
220 * - All sav whose state is MATURE or DYING are registered to the lookup 220 * - All sav whose state is MATURE or DYING are registered to the lookup
221 * table called key_sad.savlut in addition to the savlists. 221 * table called key_sad.savlut in addition to the savlists.
222 * - The table is used to search an sav without use of saidx. 222 * - The table is used to search an sav without use of saidx.
223 * - Modifications to the key_sad.sahlists, sah.savlist and key_sad.savlut 223 * - Modifications to the key_sad.sahlists, sah.savlist and key_sad.savlut
224 * must be done with holding key_sad.lock which is a adaptive mutex 224 * must be done with holding key_sad.lock which is a adaptive mutex
225 * - Read accesses to the key_sad.sahlists, sah.savlist and key_sad.savlut 225 * - Read accesses to the key_sad.sahlists, sah.savlist and key_sad.savlut
226 * must be in pserialize(9) read sections 226 * must be in pserialize(9) read sections
227 * - sah's lifetime is managed by localcount(9) 227 * - sah's lifetime is managed by localcount(9)
228 * - Getting an sah entry 228 * - Getting an sah entry
229 * - We get an sah from the key_sad.sahlists 229 * - We get an sah from the key_sad.sahlists
230 * - Must iterate the list and increment the reference count of a found sah 230 * - Must iterate the list and increment the reference count of a found sah
231 * (by key_sah_ref) in a pserialize read section 231 * (by key_sah_ref) in a pserialize read section
232 * - A gotten sah must be released after use by key_sah_unref 232 * - A gotten sah must be released after use by key_sah_unref
233 * - An sah is destroyed when its state become DEAD and no sav is 233 * - An sah is destroyed when its state become DEAD and no sav is
234 * listed to the sah 234 * listed to the sah
235 * - The destruction is done only in the timer (see key_timehandler_sad) 235 * - The destruction is done only in the timer (see key_timehandler_sad)
236 * - sav's lifetime is managed by localcount(9) 236 * - sav's lifetime is managed by localcount(9)
237 * - Getting an sav entry 237 * - Getting an sav entry
238 * - First get an sah by saidx and get an sav from either of sah's savlists 238 * - First get an sah by saidx and get an sav from either of sah's savlists
239 * - Must iterate the list and increment the reference count of a found sav 239 * - Must iterate the list and increment the reference count of a found sav
240 * (by key_sa_ref) in a pserialize read section 240 * (by key_sa_ref) in a pserialize read section
241 * - We can gain another reference from a held SA only if we check its state 241 * - We can gain another reference from a held SA only if we check its state
242 * and take its reference in a pserialize read section 242 * and take its reference in a pserialize read section
243 * (see esp_output for example) 243 * (see esp_output for example)
244 * - A gotten sav must be released after use by key_sa_unref 244 * - A gotten sav must be released after use by key_sa_unref
245 * - An sav is destroyed when its state become DEAD 245 * - An sav is destroyed when its state become DEAD
246 */ 246 */
247/* 247/*
248 * Locking notes on misc data: 248 * Locking notes on misc data:
249 * - All lists of key_misc are protected by key_misc.lock 249 * - All lists of key_misc are protected by key_misc.lock
250 * - key_misc.lock must be held even for read accesses 250 * - key_misc.lock must be held even for read accesses
251 */ 251 */
252 252
253/* SPD */ 253/* SPD */
254static struct { 254static struct {
255 kmutex_t lock; 255 kmutex_t lock;
256 kcondvar_t cv_lc; 256 kcondvar_t cv_lc;
257 struct pslist_head splist[IPSEC_DIR_MAX]; 257 struct pslist_head splist[IPSEC_DIR_MAX];
258 /* 258 /*
259 * The list has SPs that are set to a socket via 259 * The list has SPs that are set to a socket via
260 * setsockopt(IP_IPSEC_POLICY) from userland. See ipsec_set_policy. 260 * setsockopt(IP_IPSEC_POLICY) from userland. See ipsec_set_policy.
261 */ 261 */
262 struct pslist_head socksplist; 262 struct pslist_head socksplist;
263 263
264 pserialize_t psz; 264 pserialize_t psz;
265 kcondvar_t cv_psz; 265 kcondvar_t cv_psz;
266 bool psz_performing; 266 bool psz_performing;
267} key_spd __cacheline_aligned; 267} key_spd __cacheline_aligned;
268 268
269/* SAD */ 269/* SAD */
270static struct { 270static struct {
271 kmutex_t lock; 271 kmutex_t lock;
272 kcondvar_t cv_lc; 272 kcondvar_t cv_lc;
273 struct pslist_head *sahlists; 273 struct pslist_head *sahlists;
274 u_long sahlistmask; 274 u_long sahlistmask;
275 struct pslist_head *savlut; 275 struct pslist_head *savlut;
276 u_long savlutmask; 276 u_long savlutmask;
277 277
278 pserialize_t psz; 278 pserialize_t psz;
279 kcondvar_t cv_psz; 279 kcondvar_t cv_psz;
280 bool psz_performing; 280 bool psz_performing;
281} key_sad __cacheline_aligned; 281} key_sad __cacheline_aligned;
282 282
283/* Misc data */ 283/* Misc data */
284static struct { 284static struct {
285 kmutex_t lock; 285 kmutex_t lock;
286 /* registed list */ 286 /* registed list */
287 LIST_HEAD(_reglist, secreg) reglist[SADB_SATYPE_MAX + 1]; 287 LIST_HEAD(_reglist, secreg) reglist[SADB_SATYPE_MAX + 1];
288#ifndef IPSEC_NONBLOCK_ACQUIRE 288#ifndef IPSEC_NONBLOCK_ACQUIRE
289 /* acquiring list */ 289 /* acquiring list */
290 LIST_HEAD(_acqlist, secacq) acqlist; 290 LIST_HEAD(_acqlist, secacq) acqlist;
291#endif 291#endif
292#ifdef notyet 292#ifdef notyet
293 /* SP acquiring list */ 293 /* SP acquiring list */
294 LIST_HEAD(_spacqlist, secspacq) spacqlist; 294 LIST_HEAD(_spacqlist, secspacq) spacqlist;
295#endif 295#endif
296} key_misc __cacheline_aligned; 296} key_misc __cacheline_aligned;
297 297
298/* Macros for key_spd.splist */ 298/* Macros for key_spd.splist */
299#define SPLIST_ENTRY_INIT(sp) \ 299#define SPLIST_ENTRY_INIT(sp) \
300 PSLIST_ENTRY_INIT((sp), pslist_entry) 300 PSLIST_ENTRY_INIT((sp), pslist_entry)
301#define SPLIST_ENTRY_DESTROY(sp) \ 301#define SPLIST_ENTRY_DESTROY(sp) \
302 PSLIST_ENTRY_DESTROY((sp), pslist_entry) 302 PSLIST_ENTRY_DESTROY((sp), pslist_entry)
303#define SPLIST_WRITER_REMOVE(sp) \ 303#define SPLIST_WRITER_REMOVE(sp) \
304 PSLIST_WRITER_REMOVE((sp), pslist_entry) 304 PSLIST_WRITER_REMOVE((sp), pslist_entry)
305#define SPLIST_READER_EMPTY(dir) \ 305#define SPLIST_READER_EMPTY(dir) \
306 (PSLIST_READER_FIRST(&key_spd.splist[(dir)], struct secpolicy, \ 306 (PSLIST_READER_FIRST(&key_spd.splist[(dir)], struct secpolicy, \
307 pslist_entry) == NULL) 307 pslist_entry) == NULL)
308#define SPLIST_READER_FOREACH(sp, dir) \ 308#define SPLIST_READER_FOREACH(sp, dir) \
309 PSLIST_READER_FOREACH((sp), &key_spd.splist[(dir)], \ 309 PSLIST_READER_FOREACH((sp), &key_spd.splist[(dir)], \
310 struct secpolicy, pslist_entry) 310 struct secpolicy, pslist_entry)
311#define SPLIST_WRITER_FOREACH(sp, dir) \ 311#define SPLIST_WRITER_FOREACH(sp, dir) \
312 PSLIST_WRITER_FOREACH((sp), &key_spd.splist[(dir)], \ 312 PSLIST_WRITER_FOREACH((sp), &key_spd.splist[(dir)], \
313 struct secpolicy, pslist_entry) 313 struct secpolicy, pslist_entry)
314#define SPLIST_WRITER_INSERT_AFTER(sp, new) \ 314#define SPLIST_WRITER_INSERT_AFTER(sp, new) \
315 PSLIST_WRITER_INSERT_AFTER((sp), (new), pslist_entry) 315 PSLIST_WRITER_INSERT_AFTER((sp), (new), pslist_entry)
316#define SPLIST_WRITER_EMPTY(dir) \ 316#define SPLIST_WRITER_EMPTY(dir) \
317 (PSLIST_WRITER_FIRST(&key_spd.splist[(dir)], struct secpolicy, \ 317 (PSLIST_WRITER_FIRST(&key_spd.splist[(dir)], struct secpolicy, \
318 pslist_entry) == NULL) 318 pslist_entry) == NULL)
319#define SPLIST_WRITER_INSERT_HEAD(dir, sp) \ 319#define SPLIST_WRITER_INSERT_HEAD(dir, sp) \
320 PSLIST_WRITER_INSERT_HEAD(&key_spd.splist[(dir)], (sp), \ 320 PSLIST_WRITER_INSERT_HEAD(&key_spd.splist[(dir)], (sp), \
321 pslist_entry) 321 pslist_entry)
322#define SPLIST_WRITER_NEXT(sp) \ 322#define SPLIST_WRITER_NEXT(sp) \
323 PSLIST_WRITER_NEXT((sp), struct secpolicy, pslist_entry) 323 PSLIST_WRITER_NEXT((sp), struct secpolicy, pslist_entry)
324#define SPLIST_WRITER_INSERT_TAIL(dir, new) \ 324#define SPLIST_WRITER_INSERT_TAIL(dir, new) \
325 do { \ 325 do { \
326 if (SPLIST_WRITER_EMPTY((dir))) { \ 326 if (SPLIST_WRITER_EMPTY((dir))) { \
327 SPLIST_WRITER_INSERT_HEAD((dir), (new)); \ 327 SPLIST_WRITER_INSERT_HEAD((dir), (new)); \
328 } else { \ 328 } else { \
329 struct secpolicy *__sp; \ 329 struct secpolicy *__sp; \
330 SPLIST_WRITER_FOREACH(__sp, (dir)) { \ 330 SPLIST_WRITER_FOREACH(__sp, (dir)) { \
331 if (SPLIST_WRITER_NEXT(__sp) == NULL) { \ 331 if (SPLIST_WRITER_NEXT(__sp) == NULL) { \
332 SPLIST_WRITER_INSERT_AFTER(__sp,\ 332 SPLIST_WRITER_INSERT_AFTER(__sp,\
333 (new)); \ 333 (new)); \
334 break; \ 334 break; \
335 } \ 335 } \
336 } \ 336 } \
337 } \ 337 } \
338 } while (0) 338 } while (0)
339 339
340/* Macros for key_spd.socksplist */ 340/* Macros for key_spd.socksplist */
341#define SOCKSPLIST_WRITER_FOREACH(sp) \ 341#define SOCKSPLIST_WRITER_FOREACH(sp) \
342 PSLIST_WRITER_FOREACH((sp), &key_spd.socksplist, \ 342 PSLIST_WRITER_FOREACH((sp), &key_spd.socksplist, \
343 struct secpolicy, pslist_entry) 343 struct secpolicy, pslist_entry)
344#define SOCKSPLIST_READER_EMPTY() \ 344#define SOCKSPLIST_READER_EMPTY() \
345 (PSLIST_READER_FIRST(&key_spd.socksplist, struct secpolicy, \ 345 (PSLIST_READER_FIRST(&key_spd.socksplist, struct secpolicy, \
346 pslist_entry) == NULL) 346 pslist_entry) == NULL)
347 347
348/* Macros for key_sad.sahlist */ 348/* Macros for key_sad.sahlist */
349#define SAHLIST_ENTRY_INIT(sah) \ 349#define SAHLIST_ENTRY_INIT(sah) \
350 PSLIST_ENTRY_INIT((sah), pslist_entry) 350 PSLIST_ENTRY_INIT((sah), pslist_entry)
351#define SAHLIST_ENTRY_DESTROY(sah) \ 351#define SAHLIST_ENTRY_DESTROY(sah) \
352 PSLIST_ENTRY_DESTROY((sah), pslist_entry) 352 PSLIST_ENTRY_DESTROY((sah), pslist_entry)
353#define SAHLIST_WRITER_REMOVE(sah) \ 353#define SAHLIST_WRITER_REMOVE(sah) \
354 PSLIST_WRITER_REMOVE((sah), pslist_entry) 354 PSLIST_WRITER_REMOVE((sah), pslist_entry)
355#define SAHLIST_READER_FOREACH(sah) \ 355#define SAHLIST_READER_FOREACH(sah) \
356 for(int _i_sah = 0; _i_sah <= key_sad.sahlistmask; _i_sah++) \ 356 for(int _i_sah = 0; _i_sah <= key_sad.sahlistmask; _i_sah++) \
357 PSLIST_READER_FOREACH((sah), &key_sad.sahlists[_i_sah], \ 357 PSLIST_READER_FOREACH((sah), &key_sad.sahlists[_i_sah], \
358 struct secashead, pslist_entry) 358 struct secashead, pslist_entry)
359#define SAHLIST_READER_FOREACH_SAIDX(sah, saidx) \ 359#define SAHLIST_READER_FOREACH_SAIDX(sah, saidx) \
360 PSLIST_READER_FOREACH((sah), \ 360 PSLIST_READER_FOREACH((sah), \
361 &key_sad.sahlists[key_saidxhash((saidx), \ 361 &key_sad.sahlists[key_saidxhash((saidx), \
362 key_sad.sahlistmask)], \ 362 key_sad.sahlistmask)], \
363 struct secashead, pslist_entry) 363 struct secashead, pslist_entry)
364#define SAHLIST_WRITER_FOREACH(sah) \ 364#define SAHLIST_WRITER_FOREACH(sah) \
365 for(int _i_sah = 0; _i_sah <= key_sad.sahlistmask; _i_sah++) \ 365 for(int _i_sah = 0; _i_sah <= key_sad.sahlistmask; _i_sah++) \
366 PSLIST_WRITER_FOREACH((sah), &key_sad.sahlists[_i_sah], \ 366 PSLIST_WRITER_FOREACH((sah), &key_sad.sahlists[_i_sah], \
367 struct secashead, pslist_entry) 367 struct secashead, pslist_entry)
368#define SAHLIST_WRITER_INSERT_HEAD(sah) \ 368#define SAHLIST_WRITER_INSERT_HEAD(sah) \
369 PSLIST_WRITER_INSERT_HEAD( \ 369 PSLIST_WRITER_INSERT_HEAD( \
370 &key_sad.sahlists[key_saidxhash(&(sah)->saidx, \ 370 &key_sad.sahlists[key_saidxhash(&(sah)->saidx, \
371 key_sad.sahlistmask)], \ 371 key_sad.sahlistmask)], \
372 (sah), pslist_entry) 372 (sah), pslist_entry)
373 373
374/* Macros for key_sad.sahlist#savlist */ 374/* Macros for key_sad.sahlist#savlist */
375#define SAVLIST_ENTRY_INIT(sav) \ 375#define SAVLIST_ENTRY_INIT(sav) \
376 PSLIST_ENTRY_INIT((sav), pslist_entry) 376 PSLIST_ENTRY_INIT((sav), pslist_entry)
377#define SAVLIST_ENTRY_DESTROY(sav) \ 377#define SAVLIST_ENTRY_DESTROY(sav) \
378 PSLIST_ENTRY_DESTROY((sav), pslist_entry) 378 PSLIST_ENTRY_DESTROY((sav), pslist_entry)
379#define SAVLIST_READER_FIRST(sah, state) \ 379#define SAVLIST_READER_FIRST(sah, state) \
380 PSLIST_READER_FIRST(&(sah)->savlist[(state)], struct secasvar, \ 380 PSLIST_READER_FIRST(&(sah)->savlist[(state)], struct secasvar, \
381 pslist_entry) 381 pslist_entry)
382#define SAVLIST_WRITER_REMOVE(sav) \ 382#define SAVLIST_WRITER_REMOVE(sav) \
383 PSLIST_WRITER_REMOVE((sav), pslist_entry) 383 PSLIST_WRITER_REMOVE((sav), pslist_entry)
384#define SAVLIST_READER_FOREACH(sav, sah, state) \ 384#define SAVLIST_READER_FOREACH(sav, sah, state) \
385 PSLIST_READER_FOREACH((sav), &(sah)->savlist[(state)], \ 385 PSLIST_READER_FOREACH((sav), &(sah)->savlist[(state)], \
386 struct secasvar, pslist_entry) 386 struct secasvar, pslist_entry)
387#define SAVLIST_WRITER_FOREACH(sav, sah, state) \ 387#define SAVLIST_WRITER_FOREACH(sav, sah, state) \
388 PSLIST_WRITER_FOREACH((sav), &(sah)->savlist[(state)], \ 388 PSLIST_WRITER_FOREACH((sav), &(sah)->savlist[(state)], \
389 struct secasvar, pslist_entry) 389 struct secasvar, pslist_entry)
390#define SAVLIST_WRITER_INSERT_BEFORE(sav, new) \ 390#define SAVLIST_WRITER_INSERT_BEFORE(sav, new) \
391 PSLIST_WRITER_INSERT_BEFORE((sav), (new), pslist_entry) 391 PSLIST_WRITER_INSERT_BEFORE((sav), (new), pslist_entry)
392#define SAVLIST_WRITER_INSERT_AFTER(sav, new) \ 392#define SAVLIST_WRITER_INSERT_AFTER(sav, new) \
393 PSLIST_WRITER_INSERT_AFTER((sav), (new), pslist_entry) 393 PSLIST_WRITER_INSERT_AFTER((sav), (new), pslist_entry)
394#define SAVLIST_WRITER_EMPTY(sah, state) \ 394#define SAVLIST_WRITER_EMPTY(sah, state) \
395 (PSLIST_WRITER_FIRST(&(sah)->savlist[(state)], struct secasvar, \ 395 (PSLIST_WRITER_FIRST(&(sah)->savlist[(state)], struct secasvar, \
396 pslist_entry) == NULL) 396 pslist_entry) == NULL)
397#define SAVLIST_WRITER_INSERT_HEAD(sah, state, sav) \ 397#define SAVLIST_WRITER_INSERT_HEAD(sah, state, sav) \
398 PSLIST_WRITER_INSERT_HEAD(&(sah)->savlist[(state)], (sav), \ 398 PSLIST_WRITER_INSERT_HEAD(&(sah)->savlist[(state)], (sav), \
399 pslist_entry) 399 pslist_entry)
400#define SAVLIST_WRITER_NEXT(sav) \ 400#define SAVLIST_WRITER_NEXT(sav) \
401 PSLIST_WRITER_NEXT((sav), struct secasvar, pslist_entry) 401 PSLIST_WRITER_NEXT((sav), struct secasvar, pslist_entry)
402#define SAVLIST_WRITER_INSERT_TAIL(sah, state, new) \ 402#define SAVLIST_WRITER_INSERT_TAIL(sah, state, new) \
403 do { \ 403 do { \
404 if (SAVLIST_WRITER_EMPTY((sah), (state))) { \ 404 if (SAVLIST_WRITER_EMPTY((sah), (state))) { \
405 SAVLIST_WRITER_INSERT_HEAD((sah), (state), (new));\ 405 SAVLIST_WRITER_INSERT_HEAD((sah), (state), (new));\
406 } else { \ 406 } else { \
407 struct secasvar *__sav; \ 407 struct secasvar *__sav; \
408 SAVLIST_WRITER_FOREACH(__sav, (sah), (state)) { \ 408 SAVLIST_WRITER_FOREACH(__sav, (sah), (state)) { \
409 if (SAVLIST_WRITER_NEXT(__sav) == NULL) {\ 409 if (SAVLIST_WRITER_NEXT(__sav) == NULL) {\
410 SAVLIST_WRITER_INSERT_AFTER(__sav,\ 410 SAVLIST_WRITER_INSERT_AFTER(__sav,\
411 (new)); \ 411 (new)); \
412 break; \ 412 break; \
413 } \ 413 } \
414 } \ 414 } \
415 } \ 415 } \
416 } while (0) 416 } while (0)
417#define SAVLIST_READER_NEXT(sav) \ 417#define SAVLIST_READER_NEXT(sav) \
418 PSLIST_READER_NEXT((sav), struct secasvar, pslist_entry) 418 PSLIST_READER_NEXT((sav), struct secasvar, pslist_entry)
419 419
420/* Macros for key_sad.savlut */ 420/* Macros for key_sad.savlut */
421#define SAVLUT_ENTRY_INIT(sav) \ 421#define SAVLUT_ENTRY_INIT(sav) \
422 PSLIST_ENTRY_INIT((sav), pslist_entry_savlut) 422 PSLIST_ENTRY_INIT((sav), pslist_entry_savlut)
423#define SAVLUT_READER_FOREACH(sav, dst, proto, hash_key) \ 423#define SAVLUT_READER_FOREACH(sav, dst, proto, hash_key) \
424 PSLIST_READER_FOREACH((sav), \ 424 PSLIST_READER_FOREACH((sav), \
425 &key_sad.savlut[key_savluthash(dst, proto, hash_key, \ 425 &key_sad.savlut[key_savluthash(dst, proto, hash_key, \
426 key_sad.savlutmask)], \ 426 key_sad.savlutmask)], \
427 struct secasvar, pslist_entry_savlut) 427 struct secasvar, pslist_entry_savlut)
428#define SAVLUT_WRITER_INSERT_HEAD(sav) \ 428#define SAVLUT_WRITER_INSERT_HEAD(sav) \
429 key_savlut_writer_insert_head((sav)) 429 key_savlut_writer_insert_head((sav))
430#define SAVLUT_WRITER_REMOVE(sav) \ 430#define SAVLUT_WRITER_REMOVE(sav) \
431 do { \ 431 do { \
432 if (!(sav)->savlut_added) \ 432 if (!(sav)->savlut_added) \
433 break; \ 433 break; \
434 PSLIST_WRITER_REMOVE((sav), pslist_entry_savlut); \ 434 PSLIST_WRITER_REMOVE((sav), pslist_entry_savlut); \
435 (sav)->savlut_added = false; \ 435 (sav)->savlut_added = false; \
436 } while(0) 436 } while(0)
437 437
438/* search order for SAs */ 438/* search order for SAs */
439 /* 439 /*
440 * This order is important because we must select the oldest SA 440 * This order is important because we must select the oldest SA
441 * for outbound processing. For inbound, This is not important. 441 * for outbound processing. For inbound, This is not important.
442 */ 442 */
443static const u_int saorder_state_valid_prefer_old[] = { 443static const u_int saorder_state_valid_prefer_old[] = {
444 SADB_SASTATE_DYING, SADB_SASTATE_MATURE, 444 SADB_SASTATE_DYING, SADB_SASTATE_MATURE,
445}; 445};
446static const u_int saorder_state_valid_prefer_new[] = { 446static const u_int saorder_state_valid_prefer_new[] = {
447 SADB_SASTATE_MATURE, SADB_SASTATE_DYING, 447 SADB_SASTATE_MATURE, SADB_SASTATE_DYING,
448}; 448};
449 449
450static const u_int saorder_state_alive[] = { 450static const u_int saorder_state_alive[] = {
451 /* except DEAD */ 451 /* except DEAD */
452 SADB_SASTATE_MATURE, SADB_SASTATE_DYING, SADB_SASTATE_LARVAL 452 SADB_SASTATE_MATURE, SADB_SASTATE_DYING, SADB_SASTATE_LARVAL
453}; 453};
454static const u_int saorder_state_any[] = { 454static const u_int saorder_state_any[] = {
455 SADB_SASTATE_MATURE, SADB_SASTATE_DYING, 455 SADB_SASTATE_MATURE, SADB_SASTATE_DYING,
456 SADB_SASTATE_LARVAL, SADB_SASTATE_DEAD 456 SADB_SASTATE_LARVAL, SADB_SASTATE_DEAD
457}; 457};
458 458
459#define SASTATE_ALIVE_FOREACH(s) \ 459#define SASTATE_ALIVE_FOREACH(s) \
460 for (int _i = 0; \ 460 for (int _i = 0; \
461 _i < __arraycount(saorder_state_alive) ? \ 461 _i < __arraycount(saorder_state_alive) ? \
462 (s) = saorder_state_alive[_i], true : false; \ 462 (s) = saorder_state_alive[_i], true : false; \
463 _i++) 463 _i++)
464#define SASTATE_ANY_FOREACH(s) \ 464#define SASTATE_ANY_FOREACH(s) \
465 for (int _i = 0; \ 465 for (int _i = 0; \
466 _i < __arraycount(saorder_state_any) ? \ 466 _i < __arraycount(saorder_state_any) ? \
467 (s) = saorder_state_any[_i], true : false; \ 467 (s) = saorder_state_any[_i], true : false; \
468 _i++) 468 _i++)
469#define SASTATE_USABLE_FOREACH(s) \ 469#define SASTATE_USABLE_FOREACH(s) \
470 for (int _i = 0; \ 470 for (int _i = 0; \
471 _i < __arraycount(saorder_state_valid_prefer_new) ? \ 471 _i < __arraycount(saorder_state_valid_prefer_new) ? \
472 (s) = saorder_state_valid_prefer_new[_i], \ 472 (s) = saorder_state_valid_prefer_new[_i], \
473 true : false; \ 473 true : false; \
474 _i++) 474 _i++)
475 475
476static const int minsize[] = { 476static const int minsize[] = {
477 sizeof(struct sadb_msg), /* SADB_EXT_RESERVED */ 477 sizeof(struct sadb_msg), /* SADB_EXT_RESERVED */
478 sizeof(struct sadb_sa), /* SADB_EXT_SA */ 478 sizeof(struct sadb_sa), /* SADB_EXT_SA */
479 sizeof(struct sadb_lifetime), /* SADB_EXT_LIFETIME_CURRENT */ 479 sizeof(struct sadb_lifetime), /* SADB_EXT_LIFETIME_CURRENT */
480 sizeof(struct sadb_lifetime), /* SADB_EXT_LIFETIME_HARD */ 480 sizeof(struct sadb_lifetime), /* SADB_EXT_LIFETIME_HARD */
481 sizeof(struct sadb_lifetime), /* SADB_EXT_LIFETIME_SOFT */ 481 sizeof(struct sadb_lifetime), /* SADB_EXT_LIFETIME_SOFT */
482 sizeof(struct sadb_address), /* SADB_EXT_ADDRESS_SRC */ 482 sizeof(struct sadb_address), /* SADB_EXT_ADDRESS_SRC */
483 sizeof(struct sadb_address), /* SADB_EXT_ADDRESS_DST */ 483 sizeof(struct sadb_address), /* SADB_EXT_ADDRESS_DST */
484 sizeof(struct sadb_address), /* SADB_EXT_ADDRESS_PROXY */ 484 sizeof(struct sadb_address), /* SADB_EXT_ADDRESS_PROXY */
485 sizeof(struct sadb_key), /* SADB_EXT_KEY_AUTH */ 485 sizeof(struct sadb_key), /* SADB_EXT_KEY_AUTH */
486 sizeof(struct sadb_key), /* SADB_EXT_KEY_ENCRYPT */ 486 sizeof(struct sadb_key), /* SADB_EXT_KEY_ENCRYPT */
487 sizeof(struct sadb_ident), /* SADB_EXT_IDENTITY_SRC */ 487 sizeof(struct sadb_ident), /* SADB_EXT_IDENTITY_SRC */
488 sizeof(struct sadb_ident), /* SADB_EXT_IDENTITY_DST */ 488 sizeof(struct sadb_ident), /* SADB_EXT_IDENTITY_DST */
489 sizeof(struct sadb_sens), /* SADB_EXT_SENSITIVITY */ 489 sizeof(struct sadb_sens), /* SADB_EXT_SENSITIVITY */
490 sizeof(struct sadb_prop), /* SADB_EXT_PROPOSAL */ 490 sizeof(struct sadb_prop), /* SADB_EXT_PROPOSAL */
491 sizeof(struct sadb_supported), /* SADB_EXT_SUPPORTED_AUTH */ 491 sizeof(struct sadb_supported), /* SADB_EXT_SUPPORTED_AUTH */
492 sizeof(struct sadb_supported), /* SADB_EXT_SUPPORTED_ENCRYPT */ 492 sizeof(struct sadb_supported), /* SADB_EXT_SUPPORTED_ENCRYPT */
493 sizeof(struct sadb_spirange), /* SADB_EXT_SPIRANGE */ 493 sizeof(struct sadb_spirange), /* SADB_EXT_SPIRANGE */
494 0, /* SADB_X_EXT_KMPRIVATE */ 494 0, /* SADB_X_EXT_KMPRIVATE */
495 sizeof(struct sadb_x_policy), /* SADB_X_EXT_POLICY */ 495 sizeof(struct sadb_x_policy), /* SADB_X_EXT_POLICY */
496 sizeof(struct sadb_x_sa2), /* SADB_X_SA2 */ 496 sizeof(struct sadb_x_sa2), /* SADB_X_SA2 */
497 sizeof(struct sadb_x_nat_t_type), /* SADB_X_EXT_NAT_T_TYPE */ 497 sizeof(struct sadb_x_nat_t_type), /* SADB_X_EXT_NAT_T_TYPE */
498 sizeof(struct sadb_x_nat_t_port), /* SADB_X_EXT_NAT_T_SPORT */ 498 sizeof(struct sadb_x_nat_t_port), /* SADB_X_EXT_NAT_T_SPORT */
499 sizeof(struct sadb_x_nat_t_port), /* SADB_X_EXT_NAT_T_DPORT */ 499 sizeof(struct sadb_x_nat_t_port), /* SADB_X_EXT_NAT_T_DPORT */
500 sizeof(struct sadb_address), /* SADB_X_EXT_NAT_T_OAI */ 500 sizeof(struct sadb_address), /* SADB_X_EXT_NAT_T_OAI */
501 sizeof(struct sadb_address), /* SADB_X_EXT_NAT_T_OAR */ 501 sizeof(struct sadb_address), /* SADB_X_EXT_NAT_T_OAR */
502 sizeof(struct sadb_x_nat_t_frag), /* SADB_X_EXT_NAT_T_FRAG */ 502 sizeof(struct sadb_x_nat_t_frag), /* SADB_X_EXT_NAT_T_FRAG */
503}; 503};
504static const int maxsize[] = { 504static const int maxsize[] = {
505 sizeof(struct sadb_msg), /* SADB_EXT_RESERVED */ 505 sizeof(struct sadb_msg), /* SADB_EXT_RESERVED */
506 sizeof(struct sadb_sa), /* SADB_EXT_SA */ 506 sizeof(struct sadb_sa), /* SADB_EXT_SA */
507 sizeof(struct sadb_lifetime), /* SADB_EXT_LIFETIME_CURRENT */ 507 sizeof(struct sadb_lifetime), /* SADB_EXT_LIFETIME_CURRENT */
508 sizeof(struct sadb_lifetime), /* SADB_EXT_LIFETIME_HARD */ 508 sizeof(struct sadb_lifetime), /* SADB_EXT_LIFETIME_HARD */
509 sizeof(struct sadb_lifetime), /* SADB_EXT_LIFETIME_SOFT */ 509 sizeof(struct sadb_lifetime), /* SADB_EXT_LIFETIME_SOFT */
510 0, /* SADB_EXT_ADDRESS_SRC */ 510 0, /* SADB_EXT_ADDRESS_SRC */
511 0, /* SADB_EXT_ADDRESS_DST */ 511 0, /* SADB_EXT_ADDRESS_DST */
512 0, /* SADB_EXT_ADDRESS_PROXY */ 512 0, /* SADB_EXT_ADDRESS_PROXY */
513 0, /* SADB_EXT_KEY_AUTH */ 513 0, /* SADB_EXT_KEY_AUTH */
514 0, /* SADB_EXT_KEY_ENCRYPT */ 514 0, /* SADB_EXT_KEY_ENCRYPT */
515 0, /* SADB_EXT_IDENTITY_SRC */ 515 0, /* SADB_EXT_IDENTITY_SRC */
516 0, /* SADB_EXT_IDENTITY_DST */ 516 0, /* SADB_EXT_IDENTITY_DST */
517 0, /* SADB_EXT_SENSITIVITY */ 517 0, /* SADB_EXT_SENSITIVITY */
518 0, /* SADB_EXT_PROPOSAL */ 518 0, /* SADB_EXT_PROPOSAL */
519 0, /* SADB_EXT_SUPPORTED_AUTH */ 519 0, /* SADB_EXT_SUPPORTED_AUTH */
520 0, /* SADB_EXT_SUPPORTED_ENCRYPT */ 520 0, /* SADB_EXT_SUPPORTED_ENCRYPT */
521 sizeof(struct sadb_spirange), /* SADB_EXT_SPIRANGE */ 521 sizeof(struct sadb_spirange), /* SADB_EXT_SPIRANGE */
522 0, /* SADB_X_EXT_KMPRIVATE */ 522 0, /* SADB_X_EXT_KMPRIVATE */
523 0, /* SADB_X_EXT_POLICY */ 523 0, /* SADB_X_EXT_POLICY */
524 sizeof(struct sadb_x_sa2), /* SADB_X_SA2 */ 524 sizeof(struct sadb_x_sa2), /* SADB_X_SA2 */
525 sizeof(struct sadb_x_nat_t_type), /* SADB_X_EXT_NAT_T_TYPE */ 525 sizeof(struct sadb_x_nat_t_type), /* SADB_X_EXT_NAT_T_TYPE */
526 sizeof(struct sadb_x_nat_t_port), /* SADB_X_EXT_NAT_T_SPORT */ 526 sizeof(struct sadb_x_nat_t_port), /* SADB_X_EXT_NAT_T_SPORT */
527 sizeof(struct sadb_x_nat_t_port), /* SADB_X_EXT_NAT_T_DPORT */ 527 sizeof(struct sadb_x_nat_t_port), /* SADB_X_EXT_NAT_T_DPORT */
528 0, /* SADB_X_EXT_NAT_T_OAI */ 528 0, /* SADB_X_EXT_NAT_T_OAI */
529 0, /* SADB_X_EXT_NAT_T_OAR */ 529 0, /* SADB_X_EXT_NAT_T_OAR */
530 sizeof(struct sadb_x_nat_t_frag), /* SADB_X_EXT_NAT_T_FRAG */ 530 sizeof(struct sadb_x_nat_t_frag), /* SADB_X_EXT_NAT_T_FRAG */
531}; 531};
532 532
533static int ipsec_esp_keymin = 256; 533static int ipsec_esp_keymin = 256;
534static int ipsec_esp_auth = 0; 534static int ipsec_esp_auth = 0;
535static int ipsec_ah_keymin = 128; 535static int ipsec_ah_keymin = 128;
536 536
537#ifdef SYSCTL_DECL 537#ifdef SYSCTL_DECL
538SYSCTL_DECL(_net_key); 538SYSCTL_DECL(_net_key);
539#endif 539#endif
540 540
541#ifdef SYSCTL_INT 541#ifdef SYSCTL_INT
542SYSCTL_INT(_net_key, KEYCTL_DEBUG_LEVEL, debug, CTLFLAG_RW, \ 542SYSCTL_INT(_net_key, KEYCTL_DEBUG_LEVEL, debug, CTLFLAG_RW, \
543 &key_debug_level, 0, ""); 543 &key_debug_level, 0, "");
544 544
545/* max count of trial for the decision of spi value */ 545/* max count of trial for the decision of spi value */
546SYSCTL_INT(_net_key, KEYCTL_SPI_TRY, spi_trycnt, CTLFLAG_RW, \ 546SYSCTL_INT(_net_key, KEYCTL_SPI_TRY, spi_trycnt, CTLFLAG_RW, \
547 &key_spi_trycnt, 0, ""); 547 &key_spi_trycnt, 0, "");
548 548
549/* minimum spi value to allocate automatically. */ 549/* minimum spi value to allocate automatically. */
550SYSCTL_INT(_net_key, KEYCTL_SPI_MIN_VALUE, spi_minval, CTLFLAG_RW, \ 550SYSCTL_INT(_net_key, KEYCTL_SPI_MIN_VALUE, spi_minval, CTLFLAG_RW, \
551 &key_spi_minval, 0, ""); 551 &key_spi_minval, 0, "");
552 552
553/* maximun spi value to allocate automatically. */ 553/* maximun spi value to allocate automatically. */
554SYSCTL_INT(_net_key, KEYCTL_SPI_MAX_VALUE, spi_maxval, CTLFLAG_RW, \ 554SYSCTL_INT(_net_key, KEYCTL_SPI_MAX_VALUE, spi_maxval, CTLFLAG_RW, \
555 &key_spi_maxval, 0, ""); 555 &key_spi_maxval, 0, "");
556 556
557/* interval to initialize randseed */ 557/* interval to initialize randseed */
558SYSCTL_INT(_net_key, KEYCTL_RANDOM_INT, int_random, CTLFLAG_RW, \ 558SYSCTL_INT(_net_key, KEYCTL_RANDOM_INT, int_random, CTLFLAG_RW, \
559 &key_int_random, 0, ""); 559 &key_int_random, 0, "");
560 560
561/* lifetime for larval SA */ 561/* lifetime for larval SA */
562SYSCTL_INT(_net_key, KEYCTL_LARVAL_LIFETIME, larval_lifetime, CTLFLAG_RW, \ 562SYSCTL_INT(_net_key, KEYCTL_LARVAL_LIFETIME, larval_lifetime, CTLFLAG_RW, \
563 &key_larval_lifetime, 0, ""); 563 &key_larval_lifetime, 0, "");
564 564
565/* counter for blocking to send SADB_ACQUIRE to IKEd */ 565/* counter for blocking to send SADB_ACQUIRE to IKEd */
566SYSCTL_INT(_net_key, KEYCTL_BLOCKACQ_COUNT, blockacq_count, CTLFLAG_RW, \ 566SYSCTL_INT(_net_key, KEYCTL_BLOCKACQ_COUNT, blockacq_count, CTLFLAG_RW, \
567 &key_blockacq_count, 0, ""); 567 &key_blockacq_count, 0, "");
568 568
569/* lifetime for blocking to send SADB_ACQUIRE to IKEd */ 569/* lifetime for blocking to send SADB_ACQUIRE to IKEd */
570SYSCTL_INT(_net_key, KEYCTL_BLOCKACQ_LIFETIME, blockacq_lifetime, CTLFLAG_RW, \ 570SYSCTL_INT(_net_key, KEYCTL_BLOCKACQ_LIFETIME, blockacq_lifetime, CTLFLAG_RW, \
571 &key_blockacq_lifetime, 0, ""); 571 &key_blockacq_lifetime, 0, "");
572 572
573/* ESP auth */ 573/* ESP auth */
574SYSCTL_INT(_net_key, KEYCTL_ESP_AUTH, esp_auth, CTLFLAG_RW, \ 574SYSCTL_INT(_net_key, KEYCTL_ESP_AUTH, esp_auth, CTLFLAG_RW, \
575 &ipsec_esp_auth, 0, ""); 575 &ipsec_esp_auth, 0, "");
576 576
577/* minimum ESP key length */ 577/* minimum ESP key length */
578SYSCTL_INT(_net_key, KEYCTL_ESP_KEYMIN, esp_keymin, CTLFLAG_RW, \ 578SYSCTL_INT(_net_key, KEYCTL_ESP_KEYMIN, esp_keymin, CTLFLAG_RW, \
579 &ipsec_esp_keymin, 0, ""); 579 &ipsec_esp_keymin, 0, "");
580 580
581/* minimum AH key length */ 581/* minimum AH key length */
582SYSCTL_INT(_net_key, KEYCTL_AH_KEYMIN, ah_keymin, CTLFLAG_RW, \ 582SYSCTL_INT(_net_key, KEYCTL_AH_KEYMIN, ah_keymin, CTLFLAG_RW, \
583 &ipsec_ah_keymin, 0, ""); 583 &ipsec_ah_keymin, 0, "");
584 584
585/* perfered old SA rather than new SA */ 585/* perfered old SA rather than new SA */
586SYSCTL_INT(_net_key, KEYCTL_PREFERED_OLDSA, prefered_oldsa, CTLFLAG_RW,\ 586SYSCTL_INT(_net_key, KEYCTL_PREFERED_OLDSA, prefered_oldsa, CTLFLAG_RW,\
587 &key_prefered_oldsa, 0, ""); 587 &key_prefered_oldsa, 0, "");
588#endif /* SYSCTL_INT */ 588#endif /* SYSCTL_INT */
589 589
590#define __LIST_CHAINED(elm) \ 590#define __LIST_CHAINED(elm) \
591 (!((elm)->chain.le_next == NULL && (elm)->chain.le_prev == NULL)) 591 (!((elm)->chain.le_next == NULL && (elm)->chain.le_prev == NULL))
592#define LIST_INSERT_TAIL(head, elm, type, field) \ 592#define LIST_INSERT_TAIL(head, elm, type, field) \
593do {\ 593do {\
594 struct type *curelm = LIST_FIRST(head); \ 594 struct type *curelm = LIST_FIRST(head); \
595 if (curelm == NULL) {\ 595 if (curelm == NULL) {\
596 LIST_INSERT_HEAD(head, elm, field); \ 596 LIST_INSERT_HEAD(head, elm, field); \
597 } else { \ 597 } else { \
598 while (LIST_NEXT(curelm, field)) \ 598 while (LIST_NEXT(curelm, field)) \
599 curelm = LIST_NEXT(curelm, field);\ 599 curelm = LIST_NEXT(curelm, field);\
600 LIST_INSERT_AFTER(curelm, elm, field);\ 600 LIST_INSERT_AFTER(curelm, elm, field);\
601 }\ 601 }\
602} while (0) 602} while (0)
603 603
604#define KEY_CHKSASTATE(head, sav) \ 604#define KEY_CHKSASTATE(head, sav) \
605/* do */ { \ 605/* do */ { \
606 if ((head) != (sav)) { \ 606 if ((head) != (sav)) { \
607 IPSECLOG(LOG_DEBUG, \ 607 IPSECLOG(LOG_DEBUG, \
608 "state mismatched (TREE=%d SA=%d)\n", \ 608 "state mismatched (TREE=%d SA=%d)\n", \
609 (head), (sav)); \ 609 (head), (sav)); \
610 continue; \ 610 continue; \
611 } \ 611 } \
612} /* while (0) */ 612} /* while (0) */
613 613
614#define KEY_CHKSPDIR(head, sp) \ 614#define KEY_CHKSPDIR(head, sp) \
615do { \ 615do { \
616 if ((head) != (sp)) { \ 616 if ((head) != (sp)) { \
617 IPSECLOG(LOG_DEBUG, \ 617 IPSECLOG(LOG_DEBUG, \
618 "direction mismatched (TREE=%d SP=%d), anyway continue.\n",\ 618 "direction mismatched (TREE=%d SP=%d), anyway continue.\n",\
619 (head), (sp)); \ 619 (head), (sp)); \
620 } \ 620 } \
621} while (0) 621} while (0)
622 622
623/* 623/*
624 * set parameters into secasindex buffer. 624 * set parameters into secasindex buffer.
625 * Must allocate secasindex buffer before calling this function. 625 * Must allocate secasindex buffer before calling this function.
626 */ 626 */
627static int 627static int
628key_setsecasidx(int, int, int, const struct sockaddr *, 628key_setsecasidx(int, int, int, const struct sockaddr *,
629 const struct sockaddr *, struct secasindex *); 629 const struct sockaddr *, struct secasindex *);
630 630
631/* key statistics */ 631/* key statistics */
632struct _keystat { 632struct _keystat {
633 u_long getspi_count; /* the avarage of count to try to get new SPI */ 633 u_long getspi_count; /* the avarage of count to try to get new SPI */
634} keystat; 634} keystat;
635 635
636static void 636static void
637key_init_spidx_bymsghdr(struct secpolicyindex *, const struct sadb_msghdr *); 637key_init_spidx_bymsghdr(struct secpolicyindex *, const struct sadb_msghdr *);
638 638
639static const struct sockaddr * 639static const struct sockaddr *
640key_msghdr_get_sockaddr(const struct sadb_msghdr *mhp, int idx) 640key_msghdr_get_sockaddr(const struct sadb_msghdr *mhp, int idx)
641{ 641{
642 642
643 return PFKEY_ADDR_SADDR(mhp->ext[idx]); 643 return PFKEY_ADDR_SADDR(mhp->ext[idx]);
644} 644}
645 645
646static void 646static void
647key_fill_replymsg(struct mbuf *m, int seq) 647key_fill_replymsg(struct mbuf *m, int seq)
648{ 648{
649 struct sadb_msg *msg; 649 struct sadb_msg *msg;
650 650
651 KASSERT(m->m_len >= sizeof(*msg)); 651 KASSERT(m->m_len >= sizeof(*msg));
652 652
653 msg = mtod(m, struct sadb_msg *); 653 msg = mtod(m, struct sadb_msg *);
654 msg->sadb_msg_errno = 0; 654 msg->sadb_msg_errno = 0;
655 msg->sadb_msg_len = PFKEY_UNIT64(m->m_pkthdr.len); 655 msg->sadb_msg_len = PFKEY_UNIT64(m->m_pkthdr.len);
656 if (seq != 0) 656 if (seq != 0)
657 msg->sadb_msg_seq = seq; 657 msg->sadb_msg_seq = seq;
658} 658}
659 659
660#if 0 660#if 0
661static void key_freeso(struct socket *); 661static void key_freeso(struct socket *);
662static void key_freesp_so(struct secpolicy **); 662static void key_freesp_so(struct secpolicy **);
663#endif 663#endif
664static struct secpolicy *key_getsp (const struct secpolicyindex *); 664static struct secpolicy *key_getsp (const struct secpolicyindex *);
665static struct secpolicy *key_getspbyid (u_int32_t); 665static struct secpolicy *key_getspbyid (u_int32_t);
666static struct secpolicy *key_lookup_and_remove_sp(const struct secpolicyindex *, bool); 666static struct secpolicy *key_lookup_and_remove_sp(const struct secpolicyindex *, bool);
667static struct secpolicy *key_lookupbyid_and_remove_sp(u_int32_t, bool); 667static struct secpolicy *key_lookupbyid_and_remove_sp(u_int32_t, bool);
668static void key_destroy_sp(struct secpolicy *); 668static void key_destroy_sp(struct secpolicy *);
669static struct mbuf *key_gather_mbuf (struct mbuf *, 669static struct mbuf *key_gather_mbuf (struct mbuf *,
670 const struct sadb_msghdr *, int, int, ...); 670 const struct sadb_msghdr *, int, int, ...);
671static int key_api_spdadd(struct socket *, struct mbuf *, 671static int key_api_spdadd(struct socket *, struct mbuf *,
672 const struct sadb_msghdr *); 672 const struct sadb_msghdr *);
673static u_int32_t key_getnewspid (void); 673static u_int32_t key_getnewspid (void);
674static int key_api_spddelete(struct socket *, struct mbuf *, 674static int key_api_spddelete(struct socket *, struct mbuf *,
675 const struct sadb_msghdr *); 675 const struct sadb_msghdr *);
676static int key_api_spddelete2(struct socket *, struct mbuf *, 676static int key_api_spddelete2(struct socket *, struct mbuf *,
677 const struct sadb_msghdr *); 677 const struct sadb_msghdr *);
678static int key_api_spdget(struct socket *, struct mbuf *, 678static int key_api_spdget(struct socket *, struct mbuf *,
679 const struct sadb_msghdr *); 679 const struct sadb_msghdr *);
680static int key_api_spdflush(struct socket *, struct mbuf *, 680static int key_api_spdflush(struct socket *, struct mbuf *,
681 const struct sadb_msghdr *); 681 const struct sadb_msghdr *);
682static int key_api_spddump(struct socket *, struct mbuf *, 682static int key_api_spddump(struct socket *, struct mbuf *,
683 const struct sadb_msghdr *); 683 const struct sadb_msghdr *);
684static struct mbuf * key_setspddump (int *errorp, pid_t); 684static struct mbuf * key_setspddump (int *errorp, pid_t);
685static struct mbuf * key_setspddump_chain (int *errorp, int *lenp, pid_t pid); 685static struct mbuf * key_setspddump_chain (int *errorp, int *lenp, pid_t pid);
686static int key_api_nat_map(struct socket *, struct mbuf *, 686static int key_api_nat_map(struct socket *, struct mbuf *,
687 const struct sadb_msghdr *); 687 const struct sadb_msghdr *);
688static struct mbuf *key_setdumpsp (struct secpolicy *, 688static struct mbuf *key_setdumpsp (struct secpolicy *,
689 u_int8_t, u_int32_t, pid_t); 689 u_int8_t, u_int32_t, pid_t);
690static u_int key_getspreqmsglen (const struct secpolicy *); 690static u_int key_getspreqmsglen (const struct secpolicy *);
691static int key_spdexpire (struct secpolicy *); 691static int key_spdexpire (struct secpolicy *);
692static struct secashead *key_newsah (const struct secasindex *); 692static struct secashead *key_newsah (const struct secasindex *);
693static void key_unlink_sah(struct secashead *); 693static void key_unlink_sah(struct secashead *);
694static void key_destroy_sah(struct secashead *); 694static void key_destroy_sah(struct secashead *);
695static bool key_sah_has_sav(struct secashead *); 695static bool key_sah_has_sav(struct secashead *);
696static void key_sah_ref(struct secashead *); 696static void key_sah_ref(struct secashead *);
697static void key_sah_unref(struct secashead *); 697static void key_sah_unref(struct secashead *);
698static void key_init_sav(struct secasvar *); 698static void key_init_sav(struct secasvar *);
699static void key_destroy_sav(struct secasvar *); 699static void key_destroy_sav(struct secasvar *);
700static void key_destroy_sav_with_ref(struct secasvar *); 700static void key_destroy_sav_with_ref(struct secasvar *);
701static struct secasvar *key_newsav(struct mbuf *, 701static struct secasvar *key_newsav(struct mbuf *,
702 const struct sadb_msghdr *, int *, const char*, int); 702 const struct sadb_msghdr *, int *, const char*, int);
703#define KEY_NEWSAV(m, sadb, e) \ 703#define KEY_NEWSAV(m, sadb, e) \
704 key_newsav(m, sadb, e, __func__, __LINE__) 704 key_newsav(m, sadb, e, __func__, __LINE__)
705static void key_delsav (struct secasvar *); 705static void key_delsav (struct secasvar *);
706static struct secashead *key_getsah(const struct secasindex *, int); 706static struct secashead *key_getsah(const struct secasindex *, int);
707static struct secashead *key_getsah_ref(const struct secasindex *, int); 707static struct secashead *key_getsah_ref(const struct secasindex *, int);
708static bool key_checkspidup(const struct secasindex *, u_int32_t); 708static bool key_checkspidup(const struct secasindex *, u_int32_t);
709static struct secasvar *key_getsavbyspi (struct secashead *, u_int32_t); 709static struct secasvar *key_getsavbyspi (struct secashead *, u_int32_t);
710static int key_setsaval (struct secasvar *, struct mbuf *, 710static int key_setsaval (struct secasvar *, struct mbuf *,
711 const struct sadb_msghdr *); 711 const struct sadb_msghdr *);
712static void key_freesaval(struct secasvar *); 712static void key_freesaval(struct secasvar *);
713static int key_init_xform(struct secasvar *); 713static int key_init_xform(struct secasvar *);
714static void key_clear_xform(struct secasvar *); 714static void key_clear_xform(struct secasvar *);
715static struct mbuf *key_setdumpsa (struct secasvar *, u_int8_t, 715static struct mbuf *key_setdumpsa (struct secasvar *, u_int8_t,
716 u_int8_t, u_int32_t, u_int32_t); 716 u_int8_t, u_int32_t, u_int32_t);
717static struct mbuf *key_setsadbxport (u_int16_t, u_int16_t); 717static struct mbuf *key_setsadbxport (u_int16_t, u_int16_t);
718static struct mbuf *key_setsadbxtype (u_int16_t); 718static struct mbuf *key_setsadbxtype (u_int16_t);
719static struct mbuf *key_setsadbxfrag (u_int16_t); 719static struct mbuf *key_setsadbxfrag (u_int16_t);
720static void key_porttosaddr (union sockaddr_union *, u_int16_t); 720static void key_porttosaddr (union sockaddr_union *, u_int16_t);
721static int key_checksalen (const union sockaddr_union *); 721static int key_checksalen (const union sockaddr_union *);
722static struct mbuf *key_setsadbmsg (u_int8_t, u_int16_t, u_int8_t, 722static struct mbuf *key_setsadbmsg (u_int8_t, u_int16_t, u_int8_t,
723 u_int32_t, pid_t, u_int16_t, int); 723 u_int32_t, pid_t, u_int16_t, int);
724static struct mbuf *key_setsadbsa (struct secasvar *); 724static struct mbuf *key_setsadbsa (struct secasvar *);
725static struct mbuf *key_setsadbaddr(u_int16_t, 725static struct mbuf *key_setsadbaddr(u_int16_t,
726 const struct sockaddr *, u_int8_t, u_int16_t, int); 726 const struct sockaddr *, u_int8_t, u_int16_t, int);
727#if 0 727#if 0
728static struct mbuf *key_setsadbident (u_int16_t, u_int16_t, void *, 728static struct mbuf *key_setsadbident (u_int16_t, u_int16_t, void *,
729 int, u_int64_t); 729 int, u_int64_t);
730#endif 730#endif
731static struct mbuf *key_setsadbxsa2 (u_int8_t, u_int32_t, u_int16_t); 731static struct mbuf *key_setsadbxsa2 (u_int8_t, u_int32_t, u_int16_t);
732static struct mbuf *key_setsadbxpolicy (u_int16_t, u_int8_t, 732static struct mbuf *key_setsadbxpolicy (u_int16_t, u_int8_t,
733 u_int32_t, int); 733 u_int32_t, int);
734static void *key_newbuf (const void *, u_int); 734static void *key_newbuf (const void *, u_int);
735#ifdef INET6 735#ifdef INET6
736static int key_ismyaddr6 (const struct sockaddr_in6 *); 736static int key_ismyaddr6 (const struct sockaddr_in6 *);
737#endif 737#endif
738 738
739static void sysctl_net_keyv2_setup(struct sysctllog **); 739static void sysctl_net_keyv2_setup(struct sysctllog **);
740static void sysctl_net_key_compat_setup(struct sysctllog **); 740static void sysctl_net_key_compat_setup(struct sysctllog **);
741 741
742/* flags for key_saidx_match() */ 742/* flags for key_saidx_match() */
743#define CMP_HEAD 1 /* protocol, addresses. */ 743#define CMP_HEAD 1 /* protocol, addresses. */
744#define CMP_MODE_REQID 2 /* additionally HEAD, reqid, mode. */ 744#define CMP_MODE_REQID 2 /* additionally HEAD, reqid, mode. */
745#define CMP_REQID 3 /* additionally HEAD, reaid. */ 745#define CMP_REQID 3 /* additionally HEAD, reaid. */
746#define CMP_EXACTLY 4 /* all elements. */ 746#define CMP_EXACTLY 4 /* all elements. */
747static int key_saidx_match(const struct secasindex *, 747static int key_saidx_match(const struct secasindex *,
748 const struct secasindex *, int); 748 const struct secasindex *, int);
749 749
750static int key_sockaddr_match(const struct sockaddr *, 750static int key_sockaddr_match(const struct sockaddr *,
751 const struct sockaddr *, int); 751 const struct sockaddr *, int);
752static int key_bb_match_withmask(const void *, const void *, u_int); 752static int key_bb_match_withmask(const void *, const void *, u_int);
753static u_int16_t key_satype2proto (u_int8_t); 753static u_int16_t key_satype2proto (u_int8_t);
754static u_int8_t key_proto2satype (u_int16_t); 754static u_int8_t key_proto2satype (u_int16_t);
755 755
756static int key_spidx_match_exactly(const struct secpolicyindex *, 756static int key_spidx_match_exactly(const struct secpolicyindex *,
757 const struct secpolicyindex *); 757 const struct secpolicyindex *);
758static int key_spidx_match_withmask(const struct secpolicyindex *, 758static int key_spidx_match_withmask(const struct secpolicyindex *,
759 const struct secpolicyindex *); 759 const struct secpolicyindex *);
760 760
761static int key_api_getspi(struct socket *, struct mbuf *, 761static int key_api_getspi(struct socket *, struct mbuf *,
762 const struct sadb_msghdr *); 762 const struct sadb_msghdr *);
763static u_int32_t key_do_getnewspi (const struct sadb_spirange *, 763static u_int32_t key_do_getnewspi (const struct sadb_spirange *,
764 const struct secasindex *); 764 const struct secasindex *);
765static int key_handle_natt_info (struct secasvar *, 765static int key_handle_natt_info (struct secasvar *,
766 const struct sadb_msghdr *); 766 const struct sadb_msghdr *);
767static int key_set_natt_ports (union sockaddr_union *, 767static int key_set_natt_ports (union sockaddr_union *,
768 union sockaddr_union *, 768 union sockaddr_union *,
769 const struct sadb_msghdr *); 769 const struct sadb_msghdr *);
770static int key_api_update(struct socket *, struct mbuf *, 770static int key_api_update(struct socket *, struct mbuf *,
771 const struct sadb_msghdr *); 771 const struct sadb_msghdr *);
772#ifdef IPSEC_DOSEQCHECK 772#ifdef IPSEC_DOSEQCHECK
773static struct secasvar *key_getsavbyseq (struct secashead *, u_int32_t); 773static struct secasvar *key_getsavbyseq (struct secashead *, u_int32_t);
774#endif 774#endif
775static int key_api_add(struct socket *, struct mbuf *, 775static int key_api_add(struct socket *, struct mbuf *,
776 const struct sadb_msghdr *); 776 const struct sadb_msghdr *);
777static int key_setident (struct secashead *, struct mbuf *, 777static int key_setident (struct secashead *, struct mbuf *,
778 const struct sadb_msghdr *); 778 const struct sadb_msghdr *);
779static struct mbuf *key_getmsgbuf_x1 (struct mbuf *, 779static struct mbuf *key_getmsgbuf_x1 (struct mbuf *,
780 const struct sadb_msghdr *); 780 const struct sadb_msghdr *);
781static int key_api_delete(struct socket *, struct mbuf *, 781static int key_api_delete(struct socket *, struct mbuf *,
782 const struct sadb_msghdr *); 782 const struct sadb_msghdr *);
783static int key_api_get(struct socket *, struct mbuf *, 783static int key_api_get(struct socket *, struct mbuf *,
784 const struct sadb_msghdr *); 784 const struct sadb_msghdr *);
785 785
786static void key_getcomb_setlifetime (struct sadb_comb *); 786static void key_getcomb_setlifetime (struct sadb_comb *);
787static struct mbuf *key_getcomb_esp(int); 787static struct mbuf *key_getcomb_esp(int);
788static struct mbuf *key_getcomb_ah(int); 788static struct mbuf *key_getcomb_ah(int);
789static struct mbuf *key_getcomb_ipcomp(int); 789static struct mbuf *key_getcomb_ipcomp(int);
790static struct mbuf *key_getprop(const struct secasindex *, int); 790static struct mbuf *key_getprop(const struct secasindex *, int);
791 791
792static int key_acquire(const struct secasindex *, const struct secpolicy *, 792static int key_acquire(const struct secasindex *, const struct secpolicy *,
793 int); 793 int);
794static int key_acquire_sendup_mbuf_later(struct mbuf *); 794static int key_acquire_sendup_mbuf_later(struct mbuf *);
795static void key_acquire_sendup_pending_mbuf(void); 795static void key_acquire_sendup_pending_mbuf(void);
796#ifndef IPSEC_NONBLOCK_ACQUIRE 796#ifndef IPSEC_NONBLOCK_ACQUIRE
797static struct secacq *key_newacq (const struct secasindex *); 797static struct secacq *key_newacq (const struct secasindex *);
798static struct secacq *key_getacq (const struct secasindex *); 798static struct secacq *key_getacq (const struct secasindex *);
799static struct secacq *key_getacqbyseq (u_int32_t); 799static struct secacq *key_getacqbyseq (u_int32_t);
800#endif 800#endif
801#ifdef notyet 801#ifdef notyet
802static struct secspacq *key_newspacq (const struct secpolicyindex *); 802static struct secspacq *key_newspacq (const struct secpolicyindex *);
803static struct secspacq *key_getspacq (const struct secpolicyindex *); 803static struct secspacq *key_getspacq (const struct secpolicyindex *);
804#endif 804#endif
805static int key_api_acquire(struct socket *, struct mbuf *, 805static int key_api_acquire(struct socket *, struct mbuf *,
806 const struct sadb_msghdr *); 806 const struct sadb_msghdr *);
807static int key_api_register(struct socket *, struct mbuf *, 807static int key_api_register(struct socket *, struct mbuf *,
808 const struct sadb_msghdr *); 808 const struct sadb_msghdr *);
809static int key_expire (struct secasvar *); 809static int key_expire (struct secasvar *);
810static int key_api_flush(struct socket *, struct mbuf *, 810static int key_api_flush(struct socket *, struct mbuf *,
811 const struct sadb_msghdr *); 811 const struct sadb_msghdr *);
812static struct mbuf *key_setdump_chain (u_int8_t req_satype, int *errorp, 812static struct mbuf *key_setdump_chain (u_int8_t req_satype, int *errorp,
813 int *lenp, pid_t pid); 813 int *lenp, pid_t pid);
814static int key_api_dump(struct socket *, struct mbuf *, 814static int key_api_dump(struct socket *, struct mbuf *,
815 const struct sadb_msghdr *); 815 const struct sadb_msghdr *);
816static int key_api_promisc(struct socket *, struct mbuf *, 816static int key_api_promisc(struct socket *, struct mbuf *,
817 const struct sadb_msghdr *); 817 const struct sadb_msghdr *);
818static int key_senderror (struct socket *, struct mbuf *, int); 818static int key_senderror (struct socket *, struct mbuf *, int);
819static int key_validate_ext (const struct sadb_ext *, int); 819static int key_validate_ext (const struct sadb_ext *, int);
820static int key_align (struct mbuf *, struct sadb_msghdr *); 820static int key_align (struct mbuf *, struct sadb_msghdr *);
821#if 0 821#if 0
822static const char *key_getfqdn (void); 822static const char *key_getfqdn (void);
823static const char *key_getuserfqdn (void); 823static const char *key_getuserfqdn (void);
824#endif 824#endif
825static void key_sa_chgstate (struct secasvar *, u_int8_t); 825static void key_sa_chgstate (struct secasvar *, u_int8_t);
826 826
827static struct mbuf *key_alloc_mbuf(int, int); 827static struct mbuf *key_alloc_mbuf(int, int);
828static struct mbuf *key_alloc_mbuf_simple(int, int); 828static struct mbuf *key_alloc_mbuf_simple(int, int);
829 829
830static void key_timehandler(void *); 830static void key_timehandler(void *);
831static void key_timehandler_work(struct work *, void *); 831static void key_timehandler_work(struct work *, void *);
832static struct callout key_timehandler_ch; 832static struct callout key_timehandler_ch;
833static struct workqueue *key_timehandler_wq; 833static struct workqueue *key_timehandler_wq;
834static struct work key_timehandler_wk; 834static struct work key_timehandler_wk;
835 835
836static inline void 836static inline void
837 key_savlut_writer_insert_head(struct secasvar *sav); 837 key_savlut_writer_insert_head(struct secasvar *sav);
838static inline uint32_t 838static inline uint32_t
839 key_saidxhash(const struct secasindex *, u_long); 839 key_saidxhash(const struct secasindex *, u_long);
840static inline uint32_t 840static inline uint32_t
841 key_savluthash(const struct sockaddr *, 841 key_savluthash(const struct sockaddr *,
842 uint32_t, uint32_t, u_long); 842 uint32_t, uint32_t, u_long);
843 843
844/* 844/*
845 * Utilities for percpu counters for sadb_lifetime_allocations and 845 * Utilities for percpu counters for sadb_lifetime_allocations and
846 * sadb_lifetime_bytes. 846 * sadb_lifetime_bytes.
847 */ 847 */
848#define LIFETIME_COUNTER_ALLOCATIONS 0 848#define LIFETIME_COUNTER_ALLOCATIONS 0
849#define LIFETIME_COUNTER_BYTES 1 849#define LIFETIME_COUNTER_BYTES 1
850#define LIFETIME_COUNTER_SIZE 2 850#define LIFETIME_COUNTER_SIZE 2
851 851
852typedef uint64_t lifetime_counters_t[LIFETIME_COUNTER_SIZE]; 852typedef uint64_t lifetime_counters_t[LIFETIME_COUNTER_SIZE];
853 853
854static void 854static void
855key_sum_lifetime_counters(void *p, void *arg, struct cpu_info *ci __unused) 855key_sum_lifetime_counters(void *p, void *arg, struct cpu_info *ci __unused)
856{ 856{
857 lifetime_counters_t *one = p; 857 lifetime_counters_t *one = p;
858 lifetime_counters_t *sum = arg; 858 lifetime_counters_t *sum = arg;
859 859
860 (*sum)[LIFETIME_COUNTER_ALLOCATIONS] += (*one)[LIFETIME_COUNTER_ALLOCATIONS]; 860 (*sum)[LIFETIME_COUNTER_ALLOCATIONS] += (*one)[LIFETIME_COUNTER_ALLOCATIONS];
861 (*sum)[LIFETIME_COUNTER_BYTES] += (*one)[LIFETIME_COUNTER_BYTES]; 861 (*sum)[LIFETIME_COUNTER_BYTES] += (*one)[LIFETIME_COUNTER_BYTES];
862} 862}
863 863
864u_int 864u_int
865key_sp_refcnt(const struct secpolicy *sp) 865key_sp_refcnt(const struct secpolicy *sp)
866{ 866{
867 867
868 /* FIXME */ 868 /* FIXME */
869 return 0; 869 return 0;
870} 870}
871 871
872static void 872static void
873key_spd_pserialize_perform(void) 873key_spd_pserialize_perform(void)
874{ 874{
875 875
876 KASSERT(mutex_owned(&key_spd.lock)); 876 KASSERT(mutex_owned(&key_spd.lock));
877 877
878 while (key_spd.psz_performing) 878 while (key_spd.psz_performing)
879 cv_wait(&key_spd.cv_psz, &key_spd.lock); 879 cv_wait(&key_spd.cv_psz, &key_spd.lock);
880 key_spd.psz_performing = true; 880 key_spd.psz_performing = true;
881 mutex_exit(&key_spd.lock); 881 mutex_exit(&key_spd.lock);
882 882
883 pserialize_perform(key_spd.psz); 883 pserialize_perform(key_spd.psz);
884 884
885 mutex_enter(&key_spd.lock); 885 mutex_enter(&key_spd.lock);
886 key_spd.psz_performing = false; 886 key_spd.psz_performing = false;
887 cv_broadcast(&key_spd.cv_psz); 887 cv_broadcast(&key_spd.cv_psz);
888} 888}
889 889
890/* 890/*
891 * Remove the sp from the key_spd.splist and wait for references to the sp 891 * Remove the sp from the key_spd.splist and wait for references to the sp
892 * to be released. key_spd.lock must be held. 892 * to be released. key_spd.lock must be held.
893 */ 893 */
894static void 894static void
895key_unlink_sp(struct secpolicy *sp) 895key_unlink_sp(struct secpolicy *sp)
896{ 896{
897 897
898 KASSERT(mutex_owned(&key_spd.lock)); 898 KASSERT(mutex_owned(&key_spd.lock));
899 899
900 sp->state = IPSEC_SPSTATE_DEAD; 900 sp->state = IPSEC_SPSTATE_DEAD;
901 SPLIST_WRITER_REMOVE(sp); 901 SPLIST_WRITER_REMOVE(sp);
902 902
903 /* Invalidate all cached SPD pointers in the PCBs. */ 903 /* Invalidate all cached SPD pointers in the PCBs. */
904 ipsec_invalpcbcacheall(); 904 ipsec_invalpcbcacheall();
905 905
906 KDASSERT(mutex_ownable(softnet_lock)); 906 KDASSERT(mutex_ownable(softnet_lock));
907 key_spd_pserialize_perform(); 907 key_spd_pserialize_perform();
908 908
909 localcount_drain(&sp->localcount, &key_spd.cv_lc, &key_spd.lock); 909 localcount_drain(&sp->localcount, &key_spd.cv_lc, &key_spd.lock);
910} 910}
911 911
912/* 912/*
913 * Return 0 when there are known to be no SP's for the specified 913 * Return 0 when there are known to be no SP's for the specified
914 * direction. Otherwise return 1. This is used by IPsec code 914 * direction. Otherwise return 1. This is used by IPsec code
915 * to optimize performance. 915 * to optimize performance.
916 */ 916 */
917int 917int
918key_havesp(u_int dir) 918key_havesp(u_int dir)
919{ 919{
920 return (dir == IPSEC_DIR_INBOUND || dir == IPSEC_DIR_OUTBOUND ? 920 return (dir == IPSEC_DIR_INBOUND || dir == IPSEC_DIR_OUTBOUND ?
921 !SPLIST_READER_EMPTY(dir) : 1); 921 !SPLIST_READER_EMPTY(dir) : 1);
922} 922}
923 923
924/* %%% IPsec policy management */ 924/* %%% IPsec policy management */
925/* 925/*
926 * allocating a SP for OUTBOUND or INBOUND packet. 926 * allocating a SP for OUTBOUND or INBOUND packet.
927 * Must call key_freesp() later. 927 * Must call key_freesp() later.
928 * OUT: NULL: not found 928 * OUT: NULL: not found
929 * others: found and return the pointer. 929 * others: found and return the pointer.
930 */ 930 */
931struct secpolicy * 931struct secpolicy *
932key_lookup_sp_byspidx(const struct secpolicyindex *spidx, 932key_lookup_sp_byspidx(const struct secpolicyindex *spidx,
933 u_int dir, const char* where, int tag) 933 u_int dir, const char* where, int tag)
934{ 934{
935 struct secpolicy *sp; 935 struct secpolicy *sp;
936 int s; 936 int s;
937 937
938 KASSERT(spidx != NULL); 938 KASSERT(spidx != NULL);
939 KASSERTMSG(IPSEC_DIR_IS_INOROUT(dir), "invalid direction %u", dir); 939 KASSERTMSG(IPSEC_DIR_IS_INOROUT(dir), "invalid direction %u", dir);
940 940
941 KEYDEBUG_PRINTF(KEYDEBUG_IPSEC_STAMP, "DP from %s:%u\n", where, tag); 941 KEYDEBUG_PRINTF(KEYDEBUG_IPSEC_STAMP, "DP from %s:%u\n", where, tag);
942 942
943 /* get a SP entry */ 943 /* get a SP entry */
944 if (KEYDEBUG_ON(KEYDEBUG_IPSEC_DATA)) { 944 if (KEYDEBUG_ON(KEYDEBUG_IPSEC_DATA)) {
945 kdebug_secpolicyindex("objects", spidx); 945 kdebug_secpolicyindex("objects", spidx);
946 } 946 }
947 947
948 s = pserialize_read_enter(); 948 s = pserialize_read_enter();
949 SPLIST_READER_FOREACH(sp, dir) { 949 SPLIST_READER_FOREACH(sp, dir) {
950 if (KEYDEBUG_ON(KEYDEBUG_IPSEC_DATA)) { 950 if (KEYDEBUG_ON(KEYDEBUG_IPSEC_DATA)) {
951 kdebug_secpolicyindex("in SPD", &sp->spidx); 951 kdebug_secpolicyindex("in SPD", &sp->spidx);
952 } 952 }
953 953
954 if (sp->state == IPSEC_SPSTATE_DEAD) 954 if (sp->state == IPSEC_SPSTATE_DEAD)
955 continue; 955 continue;
956 if (key_spidx_match_withmask(&sp->spidx, spidx)) 956 if (key_spidx_match_withmask(&sp->spidx, spidx))
957 goto found; 957 goto found;
958 } 958 }
959 sp = NULL; 959 sp = NULL;
960found: 960found:
961 if (sp) { 961 if (sp) {
962 /* sanity check */ 962 /* sanity check */
963 KEY_CHKSPDIR(sp->spidx.dir, dir); 963 KEY_CHKSPDIR(sp->spidx.dir, dir);
964 964
965 /* found a SPD entry */ 965 /* found a SPD entry */
966 sp->lastused = time_uptime; 966 sp->lastused = time_uptime;
967 key_sp_ref(sp, where, tag); 967 key_sp_ref(sp, where, tag);
968 } 968 }
969 pserialize_read_exit(s); 969 pserialize_read_exit(s);
970 970
971 KEYDEBUG_PRINTF(KEYDEBUG_IPSEC_STAMP, 971 KEYDEBUG_PRINTF(KEYDEBUG_IPSEC_STAMP,
972 "DP return SP:%p (ID=%u) refcnt %u\n", 972 "DP return SP:%p (ID=%u) refcnt %u\n",
973 sp, sp ? sp->id : 0, key_sp_refcnt(sp)); 973 sp, sp ? sp->id : 0, key_sp_refcnt(sp));
974 return sp; 974 return sp;
975} 975}
976 976
977/* 977/*
978 * return a policy that matches this particular inbound packet. 978 * return a policy that matches this particular inbound packet.
979 * XXX slow 979 * XXX slow
980 */ 980 */
981struct secpolicy * 981struct secpolicy *
982key_gettunnel(const struct sockaddr *osrc, 982key_gettunnel(const struct sockaddr *osrc,
983 const struct sockaddr *odst, 983 const struct sockaddr *odst,
984 const struct sockaddr *isrc, 984 const struct sockaddr *isrc,
985 const struct sockaddr *idst, 985 const struct sockaddr *idst,
986 const char* where, int tag) 986 const char* where, int tag)
987{ 987{
988 struct secpolicy *sp; 988 struct secpolicy *sp;
989 const int dir = IPSEC_DIR_INBOUND; 989 const int dir = IPSEC_DIR_INBOUND;
990 int s; 990 int s;
991 struct ipsecrequest *r1, *r2, *p; 991 struct ipsecrequest *r1, *r2, *p;
992 struct secpolicyindex spidx; 992 struct secpolicyindex spidx;
993 993
994 KEYDEBUG_PRINTF(KEYDEBUG_IPSEC_STAMP, "DP from %s:%u\n", where, tag); 994 KEYDEBUG_PRINTF(KEYDEBUG_IPSEC_STAMP, "DP from %s:%u\n", where, tag);
995 995
996 if (isrc->sa_family != idst->sa_family) { 996 if (isrc->sa_family != idst->sa_family) {
997 IPSECLOG(LOG_ERR, 997 IPSECLOG(LOG_ERR,
998 "address family mismatched src %u, dst %u.\n", 998 "address family mismatched src %u, dst %u.\n",
999 isrc->sa_family, idst->sa_family); 999 isrc->sa_family, idst->sa_family);
1000 sp = NULL; 1000 sp = NULL;
1001 goto done; 1001 goto done;
1002 } 1002 }
1003 1003
1004 s = pserialize_read_enter(); 1004 s = pserialize_read_enter();
1005 SPLIST_READER_FOREACH(sp, dir) { 1005 SPLIST_READER_FOREACH(sp, dir) {
1006 if (sp->state == IPSEC_SPSTATE_DEAD) 1006 if (sp->state == IPSEC_SPSTATE_DEAD)
1007 continue; 1007 continue;
1008 1008
1009 r1 = r2 = NULL; 1009 r1 = r2 = NULL;
1010 for (p = sp->req; p; p = p->next) { 1010 for (p = sp->req; p; p = p->next) {
1011 if (p->saidx.mode != IPSEC_MODE_TUNNEL) 1011 if (p->saidx.mode != IPSEC_MODE_TUNNEL)
1012 continue; 1012 continue;
1013 1013
1014 r1 = r2; 1014 r1 = r2;
1015 r2 = p; 1015 r2 = p;
1016 1016
1017 if (!r1) { 1017 if (!r1) {
1018 /* here we look at address matches only */ 1018 /* here we look at address matches only */
1019 spidx = sp->spidx; 1019 spidx = sp->spidx;
1020 if (isrc->sa_len > sizeof(spidx.src) || 1020 if (isrc->sa_len > sizeof(spidx.src) ||
1021 idst->sa_len > sizeof(spidx.dst)) 1021 idst->sa_len > sizeof(spidx.dst))
1022 continue; 1022 continue;
1023 memcpy(&spidx.src, isrc, isrc->sa_len); 1023 memcpy(&spidx.src, isrc, isrc->sa_len);
1024 memcpy(&spidx.dst, idst, idst->sa_len); 1024 memcpy(&spidx.dst, idst, idst->sa_len);
1025 if (!key_spidx_match_withmask(&sp->spidx, &spidx)) 1025 if (!key_spidx_match_withmask(&sp->spidx, &spidx))
1026 continue; 1026 continue;
1027 } else { 1027 } else {
1028 if (!key_sockaddr_match(&r1->saidx.src.sa, isrc, PORT_NONE) || 1028 if (!key_sockaddr_match(&r1->saidx.src.sa, isrc, PORT_NONE) ||
1029 !key_sockaddr_match(&r1->saidx.dst.sa, idst, PORT_NONE)) 1029 !key_sockaddr_match(&r1->saidx.dst.sa, idst, PORT_NONE))
1030 continue; 1030 continue;
1031 } 1031 }
1032 1032
1033 if (!key_sockaddr_match(&r2->saidx.src.sa, osrc, PORT_NONE) || 1033 if (!key_sockaddr_match(&r2->saidx.src.sa, osrc, PORT_NONE) ||
1034 !key_sockaddr_match(&r2->saidx.dst.sa, odst, PORT_NONE)) 1034 !key_sockaddr_match(&r2->saidx.dst.sa, odst, PORT_NONE))
@@ -2459,2021 +2459,2021 @@ key_getnewspid(void) @@ -2459,2021 +2459,2021 @@ key_getnewspid(void)
2459 KEY_SP_UNREF(&sp); 2459 KEY_SP_UNREF(&sp);
2460 } 2460 }
2461 2461
2462 if (count == 0 || newid == 0) { 2462 if (count == 0 || newid == 0) {
2463 IPSECLOG(LOG_DEBUG, "to allocate policy id is failed.\n"); 2463 IPSECLOG(LOG_DEBUG, "to allocate policy id is failed.\n");
2464 return 0; 2464 return 0;
2465 } 2465 }
2466 2466
2467 return newid; 2467 return newid;
2468} 2468}
2469 2469
2470/* 2470/*
2471 * SADB_SPDDELETE processing 2471 * SADB_SPDDELETE processing
2472 * receive 2472 * receive
2473 * <base, address(SD), policy(*)> 2473 * <base, address(SD), policy(*)>
2474 * from the user(?), and set SADB_SASTATE_DEAD, 2474 * from the user(?), and set SADB_SASTATE_DEAD,
2475 * and send, 2475 * and send,
2476 * <base, address(SD), policy(*)> 2476 * <base, address(SD), policy(*)>
2477 * to the ikmpd. 2477 * to the ikmpd.
2478 * policy(*) including direction of policy. 2478 * policy(*) including direction of policy.
2479 * 2479 *
2480 * m will always be freed. 2480 * m will always be freed.
2481 */ 2481 */
2482static int 2482static int
2483key_api_spddelete(struct socket *so, struct mbuf *m, 2483key_api_spddelete(struct socket *so, struct mbuf *m,
2484 const struct sadb_msghdr *mhp) 2484 const struct sadb_msghdr *mhp)
2485{ 2485{
2486 struct sadb_x_policy *xpl0; 2486 struct sadb_x_policy *xpl0;
2487 struct secpolicyindex spidx; 2487 struct secpolicyindex spidx;
2488 struct secpolicy *sp; 2488 struct secpolicy *sp;
2489 2489
2490 if (mhp->ext[SADB_EXT_ADDRESS_SRC] == NULL || 2490 if (mhp->ext[SADB_EXT_ADDRESS_SRC] == NULL ||
2491 mhp->ext[SADB_EXT_ADDRESS_DST] == NULL || 2491 mhp->ext[SADB_EXT_ADDRESS_DST] == NULL ||
2492 mhp->ext[SADB_X_EXT_POLICY] == NULL) { 2492 mhp->ext[SADB_X_EXT_POLICY] == NULL) {
2493 IPSECLOG(LOG_DEBUG, "invalid message is passed.\n"); 2493 IPSECLOG(LOG_DEBUG, "invalid message is passed.\n");
2494 return key_senderror(so, m, EINVAL); 2494 return key_senderror(so, m, EINVAL);
2495 } 2495 }
2496 if (mhp->extlen[SADB_EXT_ADDRESS_SRC] < sizeof(struct sadb_address) || 2496 if (mhp->extlen[SADB_EXT_ADDRESS_SRC] < sizeof(struct sadb_address) ||
2497 mhp->extlen[SADB_EXT_ADDRESS_DST] < sizeof(struct sadb_address) || 2497 mhp->extlen[SADB_EXT_ADDRESS_DST] < sizeof(struct sadb_address) ||
2498 mhp->extlen[SADB_X_EXT_POLICY] < sizeof(struct sadb_x_policy)) { 2498 mhp->extlen[SADB_X_EXT_POLICY] < sizeof(struct sadb_x_policy)) {
2499 IPSECLOG(LOG_DEBUG, "invalid message is passed.\n"); 2499 IPSECLOG(LOG_DEBUG, "invalid message is passed.\n");
2500 return key_senderror(so, m, EINVAL); 2500 return key_senderror(so, m, EINVAL);
2501 } 2501 }
2502 2502
2503 xpl0 = mhp->ext[SADB_X_EXT_POLICY]; 2503 xpl0 = mhp->ext[SADB_X_EXT_POLICY];
2504 2504
2505 /* checking the directon. */ 2505 /* checking the directon. */
2506 switch (xpl0->sadb_x_policy_dir) { 2506 switch (xpl0->sadb_x_policy_dir) {
2507 case IPSEC_DIR_INBOUND: 2507 case IPSEC_DIR_INBOUND:
2508 case IPSEC_DIR_OUTBOUND: 2508 case IPSEC_DIR_OUTBOUND:
2509 break; 2509 break;
2510 default: 2510 default:
2511 IPSECLOG(LOG_DEBUG, "Invalid SP direction.\n"); 2511 IPSECLOG(LOG_DEBUG, "Invalid SP direction.\n");
2512 return key_senderror(so, m, EINVAL); 2512 return key_senderror(so, m, EINVAL);
2513 } 2513 }
2514 2514
2515 /* make secindex */ 2515 /* make secindex */
2516 key_init_spidx_bymsghdr(&spidx, mhp); 2516 key_init_spidx_bymsghdr(&spidx, mhp);
2517 2517
2518 /* Is there SP in SPD ? */ 2518 /* Is there SP in SPD ? */
2519 sp = key_lookup_and_remove_sp(&spidx, false); 2519 sp = key_lookup_and_remove_sp(&spidx, false);
2520 if (sp == NULL) { 2520 if (sp == NULL) {
2521 IPSECLOG(LOG_DEBUG, "no SP found.\n"); 2521 IPSECLOG(LOG_DEBUG, "no SP found.\n");
2522 return key_senderror(so, m, EINVAL); 2522 return key_senderror(so, m, EINVAL);
2523 } 2523 }
2524 2524
2525 /* save policy id to buffer to be returned. */ 2525 /* save policy id to buffer to be returned. */
2526 xpl0->sadb_x_policy_id = sp->id; 2526 xpl0->sadb_x_policy_id = sp->id;
2527 2527
2528 key_destroy_sp(sp); 2528 key_destroy_sp(sp);
2529 2529
2530 /* We're deleting policy; no need to invalidate the ipflow cache. */ 2530 /* We're deleting policy; no need to invalidate the ipflow cache. */
2531 2531
2532 { 2532 {
2533 struct mbuf *n; 2533 struct mbuf *n;
2534 2534
2535 /* create new sadb_msg to reply. */ 2535 /* create new sadb_msg to reply. */
2536 n = key_gather_mbuf(m, mhp, 1, 4, SADB_EXT_RESERVED, 2536 n = key_gather_mbuf(m, mhp, 1, 4, SADB_EXT_RESERVED,
2537 SADB_X_EXT_POLICY, SADB_EXT_ADDRESS_SRC, SADB_EXT_ADDRESS_DST); 2537 SADB_X_EXT_POLICY, SADB_EXT_ADDRESS_SRC, SADB_EXT_ADDRESS_DST);
2538 key_fill_replymsg(n, 0); 2538 key_fill_replymsg(n, 0);
2539 m_freem(m); 2539 m_freem(m);
2540 return key_sendup_mbuf(so, n, KEY_SENDUP_ALL); 2540 return key_sendup_mbuf(so, n, KEY_SENDUP_ALL);
2541 } 2541 }
2542} 2542}
2543 2543
2544static struct mbuf * 2544static struct mbuf *
2545key_alloc_mbuf_simple(int len, int mflag) 2545key_alloc_mbuf_simple(int len, int mflag)
2546{ 2546{
2547 struct mbuf *n; 2547 struct mbuf *n;
2548 2548
2549 KASSERT(mflag == M_NOWAIT || (mflag == M_WAITOK && !cpu_softintr_p())); 2549 KASSERT(mflag == M_NOWAIT || (mflag == M_WAITOK && !cpu_softintr_p()));
2550 2550
2551 MGETHDR(n, mflag, MT_DATA); 2551 MGETHDR(n, mflag, MT_DATA);
2552 if (n && len > MHLEN) { 2552 if (n && len > MHLEN) {
2553 MCLGET(n, mflag); 2553 MCLGET(n, mflag);
2554 if ((n->m_flags & M_EXT) == 0) { 2554 if ((n->m_flags & M_EXT) == 0) {
2555 m_freem(n); 2555 m_freem(n);
2556 n = NULL; 2556 n = NULL;
2557 } 2557 }
2558 } 2558 }
2559 return n; 2559 return n;
2560} 2560}
2561 2561
2562/* 2562/*
2563 * SADB_SPDDELETE2 processing 2563 * SADB_SPDDELETE2 processing
2564 * receive 2564 * receive
2565 * <base, policy(*)> 2565 * <base, policy(*)>
2566 * from the user(?), and set SADB_SASTATE_DEAD, 2566 * from the user(?), and set SADB_SASTATE_DEAD,
2567 * and send, 2567 * and send,
2568 * <base, policy(*)> 2568 * <base, policy(*)>
2569 * to the ikmpd. 2569 * to the ikmpd.
2570 * policy(*) including direction of policy. 2570 * policy(*) including direction of policy.
2571 * 2571 *
2572 * m will always be freed. 2572 * m will always be freed.
2573 */ 2573 */
2574static int 2574static int
2575key_spddelete2(struct socket *so, struct mbuf *m, 2575key_spddelete2(struct socket *so, struct mbuf *m,
2576 const struct sadb_msghdr *mhp, bool from_kernel) 2576 const struct sadb_msghdr *mhp, bool from_kernel)
2577{ 2577{
2578 u_int32_t id; 2578 u_int32_t id;
2579 struct secpolicy *sp; 2579 struct secpolicy *sp;
2580 const struct sadb_x_policy *xpl; 2580 const struct sadb_x_policy *xpl;
2581 2581
2582 if (mhp->ext[SADB_X_EXT_POLICY] == NULL || 2582 if (mhp->ext[SADB_X_EXT_POLICY] == NULL ||
2583 mhp->extlen[SADB_X_EXT_POLICY] < sizeof(struct sadb_x_policy)) { 2583 mhp->extlen[SADB_X_EXT_POLICY] < sizeof(struct sadb_x_policy)) {
2584 IPSECLOG(LOG_DEBUG, "invalid message is passed.\n"); 2584 IPSECLOG(LOG_DEBUG, "invalid message is passed.\n");
2585 return key_senderror(so, m, EINVAL); 2585 return key_senderror(so, m, EINVAL);
2586 } 2586 }
2587 2587
2588 xpl = mhp->ext[SADB_X_EXT_POLICY]; 2588 xpl = mhp->ext[SADB_X_EXT_POLICY];
2589 id = xpl->sadb_x_policy_id; 2589 id = xpl->sadb_x_policy_id;
2590 2590
2591 /* Is there SP in SPD ? */ 2591 /* Is there SP in SPD ? */
2592 sp = key_lookupbyid_and_remove_sp(id, from_kernel); 2592 sp = key_lookupbyid_and_remove_sp(id, from_kernel);
2593 if (sp == NULL) { 2593 if (sp == NULL) {
2594 IPSECLOG(LOG_DEBUG, "no SP found id:%u.\n", id); 2594 IPSECLOG(LOG_DEBUG, "no SP found id:%u.\n", id);
2595 return key_senderror(so, m, EINVAL); 2595 return key_senderror(so, m, EINVAL);
2596 } 2596 }
2597 2597
2598 key_destroy_sp(sp); 2598 key_destroy_sp(sp);
2599 2599
2600 /* We're deleting policy; no need to invalidate the ipflow cache. */ 2600 /* We're deleting policy; no need to invalidate the ipflow cache. */
2601 2601
2602 { 2602 {
2603 struct mbuf *n, *nn; 2603 struct mbuf *n, *nn;
2604 int off, len; 2604 int off, len;
2605 2605
2606 CTASSERT(PFKEY_ALIGN8(sizeof(struct sadb_msg)) <= MCLBYTES); 2606 CTASSERT(PFKEY_ALIGN8(sizeof(struct sadb_msg)) <= MCLBYTES);
2607 2607
2608 /* create new sadb_msg to reply. */ 2608 /* create new sadb_msg to reply. */
2609 len = PFKEY_ALIGN8(sizeof(struct sadb_msg)); 2609 len = PFKEY_ALIGN8(sizeof(struct sadb_msg));
2610 2610
2611 n = key_alloc_mbuf_simple(len, M_WAITOK); 2611 n = key_alloc_mbuf_simple(len, M_WAITOK);
2612 n->m_len = len; 2612 n->m_len = len;
2613 n->m_next = NULL; 2613 n->m_next = NULL;
2614 off = 0; 2614 off = 0;
2615 2615
2616 m_copydata(m, 0, sizeof(struct sadb_msg), mtod(n, char *) + off); 2616 m_copydata(m, 0, sizeof(struct sadb_msg), mtod(n, char *) + off);
2617 off += PFKEY_ALIGN8(sizeof(struct sadb_msg)); 2617 off += PFKEY_ALIGN8(sizeof(struct sadb_msg));
2618 2618
2619 KASSERTMSG(off == len, "length inconsistency"); 2619 KASSERTMSG(off == len, "length inconsistency");
2620 2620
2621 n->m_next = m_copym(m, mhp->extoff[SADB_X_EXT_POLICY], 2621 n->m_next = m_copym(m, mhp->extoff[SADB_X_EXT_POLICY],
2622 mhp->extlen[SADB_X_EXT_POLICY], M_WAITOK); 2622 mhp->extlen[SADB_X_EXT_POLICY], M_WAITOK);
2623 2623
2624 n->m_pkthdr.len = 0; 2624 n->m_pkthdr.len = 0;
2625 for (nn = n; nn; nn = nn->m_next) 2625 for (nn = n; nn; nn = nn->m_next)
2626 n->m_pkthdr.len += nn->m_len; 2626 n->m_pkthdr.len += nn->m_len;
2627 2627
2628 key_fill_replymsg(n, 0); 2628 key_fill_replymsg(n, 0);
2629 m_freem(m); 2629 m_freem(m);
2630 return key_sendup_mbuf(so, n, KEY_SENDUP_ALL); 2630 return key_sendup_mbuf(so, n, KEY_SENDUP_ALL);
2631 } 2631 }
2632} 2632}
2633 2633
2634/* 2634/*
2635 * SADB_SPDDELETE2 processing 2635 * SADB_SPDDELETE2 processing
2636 * receive 2636 * receive
2637 * <base, policy(*)> 2637 * <base, policy(*)>
2638 * from the user(?), and set SADB_SASTATE_DEAD, 2638 * from the user(?), and set SADB_SASTATE_DEAD,
2639 * and send, 2639 * and send,
2640 * <base, policy(*)> 2640 * <base, policy(*)>
2641 * to the ikmpd. 2641 * to the ikmpd.
2642 * policy(*) including direction of policy. 2642 * policy(*) including direction of policy.
2643 * 2643 *
2644 * m will always be freed. 2644 * m will always be freed.
2645 */ 2645 */
2646static int 2646static int
2647key_api_spddelete2(struct socket *so, struct mbuf *m, 2647key_api_spddelete2(struct socket *so, struct mbuf *m,
2648 const struct sadb_msghdr *mhp) 2648 const struct sadb_msghdr *mhp)
2649{ 2649{
2650 2650
2651 return key_spddelete2(so, m, mhp, false); 2651 return key_spddelete2(so, m, mhp, false);
2652} 2652}
2653 2653
2654int 2654int
2655key_kpi_spddelete2(struct mbuf *m) 2655key_kpi_spddelete2(struct mbuf *m)
2656{ 2656{
2657 struct sadb_msghdr mh; 2657 struct sadb_msghdr mh;
2658 int error; 2658 int error;
2659 2659
2660 error = key_align(m, &mh); 2660 error = key_align(m, &mh);
2661 if (error) 2661 if (error)
2662 return EINVAL; 2662 return EINVAL;
2663 2663
2664 return key_spddelete2(NULL, m, &mh, true); 2664 return key_spddelete2(NULL, m, &mh, true);
2665} 2665}
2666 2666
2667/* 2667/*
2668 * SADB_X_GET processing 2668 * SADB_X_GET processing
2669 * receive 2669 * receive
2670 * <base, policy(*)> 2670 * <base, policy(*)>
2671 * from the user(?), 2671 * from the user(?),
2672 * and send, 2672 * and send,
2673 * <base, address(SD), policy> 2673 * <base, address(SD), policy>
2674 * to the ikmpd. 2674 * to the ikmpd.
2675 * policy(*) including direction of policy. 2675 * policy(*) including direction of policy.
2676 * 2676 *
2677 * m will always be freed. 2677 * m will always be freed.
2678 */ 2678 */
2679static int 2679static int
2680key_api_spdget(struct socket *so, struct mbuf *m, 2680key_api_spdget(struct socket *so, struct mbuf *m,
2681 const struct sadb_msghdr *mhp) 2681 const struct sadb_msghdr *mhp)
2682{ 2682{
2683 u_int32_t id; 2683 u_int32_t id;
2684 struct secpolicy *sp; 2684 struct secpolicy *sp;
2685 struct mbuf *n; 2685 struct mbuf *n;
2686 const struct sadb_x_policy *xpl; 2686 const struct sadb_x_policy *xpl;
2687 2687
2688 if (mhp->ext[SADB_X_EXT_POLICY] == NULL || 2688 if (mhp->ext[SADB_X_EXT_POLICY] == NULL ||
2689 mhp->extlen[SADB_X_EXT_POLICY] < sizeof(struct sadb_x_policy)) { 2689 mhp->extlen[SADB_X_EXT_POLICY] < sizeof(struct sadb_x_policy)) {
2690 IPSECLOG(LOG_DEBUG, "invalid message is passed.\n"); 2690 IPSECLOG(LOG_DEBUG, "invalid message is passed.\n");
2691 return key_senderror(so, m, EINVAL); 2691 return key_senderror(so, m, EINVAL);
2692 } 2692 }
2693 2693
2694 xpl = mhp->ext[SADB_X_EXT_POLICY]; 2694 xpl = mhp->ext[SADB_X_EXT_POLICY];
2695 id = xpl->sadb_x_policy_id; 2695 id = xpl->sadb_x_policy_id;
2696 2696
2697 /* Is there SP in SPD ? */ 2697 /* Is there SP in SPD ? */
2698 sp = key_getspbyid(id); 2698 sp = key_getspbyid(id);
2699 if (sp == NULL) { 2699 if (sp == NULL) {
2700 IPSECLOG(LOG_DEBUG, "no SP found id:%u.\n", id); 2700 IPSECLOG(LOG_DEBUG, "no SP found id:%u.\n", id);
2701 return key_senderror(so, m, ENOENT); 2701 return key_senderror(so, m, ENOENT);
2702 } 2702 }
2703 2703
2704 n = key_setdumpsp(sp, SADB_X_SPDGET, mhp->msg->sadb_msg_seq, 2704 n = key_setdumpsp(sp, SADB_X_SPDGET, mhp->msg->sadb_msg_seq,
2705 mhp->msg->sadb_msg_pid); 2705 mhp->msg->sadb_msg_pid);
2706 KEY_SP_UNREF(&sp); /* ref gained by key_getspbyid */ 2706 KEY_SP_UNREF(&sp); /* ref gained by key_getspbyid */
2707 m_freem(m); 2707 m_freem(m);
2708 return key_sendup_mbuf(so, n, KEY_SENDUP_ONE); 2708 return key_sendup_mbuf(so, n, KEY_SENDUP_ONE);
2709} 2709}
2710 2710
2711#ifdef notyet 2711#ifdef notyet
2712/* 2712/*
2713 * SADB_X_SPDACQUIRE processing. 2713 * SADB_X_SPDACQUIRE processing.
2714 * Acquire policy and SA(s) for a *OUTBOUND* packet. 2714 * Acquire policy and SA(s) for a *OUTBOUND* packet.
2715 * send 2715 * send
2716 * <base, policy(*)> 2716 * <base, policy(*)>
2717 * to KMD, and expect to receive 2717 * to KMD, and expect to receive
2718 * <base> with SADB_X_SPDACQUIRE if error occurred, 2718 * <base> with SADB_X_SPDACQUIRE if error occurred,
2719 * or 2719 * or
2720 * <base, policy> 2720 * <base, policy>
2721 * with SADB_X_SPDUPDATE from KMD by PF_KEY. 2721 * with SADB_X_SPDUPDATE from KMD by PF_KEY.
2722 * policy(*) is without policy requests. 2722 * policy(*) is without policy requests.
2723 * 2723 *
2724 * 0 : succeed 2724 * 0 : succeed
2725 * others: error number 2725 * others: error number
2726 */ 2726 */
2727int 2727int
2728key_spdacquire(const struct secpolicy *sp) 2728key_spdacquire(const struct secpolicy *sp)
2729{ 2729{
2730 struct mbuf *result = NULL, *m; 2730 struct mbuf *result = NULL, *m;
2731 struct secspacq *newspacq; 2731 struct secspacq *newspacq;
2732 int error; 2732 int error;
2733 2733
2734 KASSERT(sp != NULL); 2734 KASSERT(sp != NULL);
2735 KASSERTMSG(sp->req == NULL, "called but there is request"); 2735 KASSERTMSG(sp->req == NULL, "called but there is request");
2736 KASSERTMSG(sp->policy == IPSEC_POLICY_IPSEC, 2736 KASSERTMSG(sp->policy == IPSEC_POLICY_IPSEC,
2737 "policy mismathed. IPsec is expected"); 2737 "policy mismathed. IPsec is expected");
2738 2738
2739 /* Get an entry to check whether sent message or not. */ 2739 /* Get an entry to check whether sent message or not. */
2740 newspacq = key_getspacq(&sp->spidx); 2740 newspacq = key_getspacq(&sp->spidx);
2741 if (newspacq != NULL) { 2741 if (newspacq != NULL) {
2742 if (key_blockacq_count < newspacq->count) { 2742 if (key_blockacq_count < newspacq->count) {
2743 /* reset counter and do send message. */ 2743 /* reset counter and do send message. */
2744 newspacq->count = 0; 2744 newspacq->count = 0;
2745 } else { 2745 } else {
2746 /* increment counter and do nothing. */ 2746 /* increment counter and do nothing. */
2747 newspacq->count++; 2747 newspacq->count++;
2748 return 0; 2748 return 0;
2749 } 2749 }
2750 } else { 2750 } else {
2751 /* make new entry for blocking to send SADB_ACQUIRE. */ 2751 /* make new entry for blocking to send SADB_ACQUIRE. */
2752 newspacq = key_newspacq(&sp->spidx); 2752 newspacq = key_newspacq(&sp->spidx);
2753 if (newspacq == NULL) 2753 if (newspacq == NULL)
2754 return ENOBUFS; 2754 return ENOBUFS;
2755 2755
2756 /* add to key_misc.acqlist */ 2756 /* add to key_misc.acqlist */
2757 LIST_INSERT_HEAD(&key_misc.spacqlist, newspacq, chain); 2757 LIST_INSERT_HEAD(&key_misc.spacqlist, newspacq, chain);
2758 } 2758 }
2759 2759
2760 /* create new sadb_msg to reply. */ 2760 /* create new sadb_msg to reply. */
2761 m = key_setsadbmsg(SADB_X_SPDACQUIRE, 0, 0, 0, 0, 0); 2761 m = key_setsadbmsg(SADB_X_SPDACQUIRE, 0, 0, 0, 0, 0);
2762 if (!m) { 2762 if (!m) {
2763 error = ENOBUFS; 2763 error = ENOBUFS;
2764 goto fail; 2764 goto fail;
2765 } 2765 }
2766 result = m; 2766 result = m;
2767 2767
2768 result->m_pkthdr.len = 0; 2768 result->m_pkthdr.len = 0;
2769 for (m = result; m; m = m->m_next) 2769 for (m = result; m; m = m->m_next)
2770 result->m_pkthdr.len += m->m_len; 2770 result->m_pkthdr.len += m->m_len;
2771 2771
2772 mtod(result, struct sadb_msg *)->sadb_msg_len = 2772 mtod(result, struct sadb_msg *)->sadb_msg_len =
2773 PFKEY_UNIT64(result->m_pkthdr.len); 2773 PFKEY_UNIT64(result->m_pkthdr.len);
2774 2774
2775 return key_sendup_mbuf(NULL, m, KEY_SENDUP_REGISTERED); 2775 return key_sendup_mbuf(NULL, m, KEY_SENDUP_REGISTERED);
2776 2776
2777fail: 2777fail:
2778 if (result) 2778 if (result)
2779 m_freem(result); 2779 m_freem(result);
2780 return error; 2780 return error;
2781} 2781}
2782#endif /* notyet */ 2782#endif /* notyet */
2783 2783
2784/* 2784/*
2785 * SADB_SPDFLUSH processing 2785 * SADB_SPDFLUSH processing
2786 * receive 2786 * receive
2787 * <base> 2787 * <base>
2788 * from the user, and free all entries in secpctree. 2788 * from the user, and free all entries in secpctree.
2789 * and send, 2789 * and send,
2790 * <base> 2790 * <base>
2791 * to the user. 2791 * to the user.
2792 * NOTE: what to do is only marking SADB_SASTATE_DEAD. 2792 * NOTE: what to do is only marking SADB_SASTATE_DEAD.
2793 * 2793 *
2794 * m will always be freed. 2794 * m will always be freed.
2795 */ 2795 */
2796static int 2796static int
2797key_api_spdflush(struct socket *so, struct mbuf *m, 2797key_api_spdflush(struct socket *so, struct mbuf *m,
2798 const struct sadb_msghdr *mhp) 2798 const struct sadb_msghdr *mhp)
2799{ 2799{
2800 struct sadb_msg *newmsg; 2800 struct sadb_msg *newmsg;
2801 struct secpolicy *sp; 2801 struct secpolicy *sp;
2802 u_int dir; 2802 u_int dir;
2803 2803
2804 if (m->m_len != PFKEY_ALIGN8(sizeof(struct sadb_msg))) 2804 if (m->m_len != PFKEY_ALIGN8(sizeof(struct sadb_msg)))
2805 return key_senderror(so, m, EINVAL); 2805 return key_senderror(so, m, EINVAL);
2806 2806
2807 for (dir = 0; dir < IPSEC_DIR_MAX; dir++) { 2807 for (dir = 0; dir < IPSEC_DIR_MAX; dir++) {
2808 retry: 2808 retry:
2809 mutex_enter(&key_spd.lock); 2809 mutex_enter(&key_spd.lock);
2810 SPLIST_WRITER_FOREACH(sp, dir) { 2810 SPLIST_WRITER_FOREACH(sp, dir) {
2811 KASSERT(sp->state != IPSEC_SPSTATE_DEAD); 2811 KASSERT(sp->state != IPSEC_SPSTATE_DEAD);
2812 /* 2812 /*
2813 * Userlang programs can remove SPs created by userland 2813 * Userlang programs can remove SPs created by userland
2814 * probrams only, that is, they cannot remove SPs 2814 * probrams only, that is, they cannot remove SPs
2815 * created in kernel(e.g. ipsec(4) I/F). 2815 * created in kernel(e.g. ipsec(4) I/F).
2816 */ 2816 */
2817 if (sp->origin == IPSEC_SPORIGIN_USER) { 2817 if (sp->origin == IPSEC_SPORIGIN_USER) {
2818 key_unlink_sp(sp); 2818 key_unlink_sp(sp);
2819 mutex_exit(&key_spd.lock); 2819 mutex_exit(&key_spd.lock);
2820 key_destroy_sp(sp); 2820 key_destroy_sp(sp);
2821 goto retry; 2821 goto retry;
2822 } 2822 }
2823 } 2823 }
2824 mutex_exit(&key_spd.lock); 2824 mutex_exit(&key_spd.lock);
2825 } 2825 }
2826 2826
2827 /* We're deleting policy; no need to invalidate the ipflow cache. */ 2827 /* We're deleting policy; no need to invalidate the ipflow cache. */
2828 2828
2829 if (sizeof(struct sadb_msg) > m->m_len + M_TRAILINGSPACE(m)) { 2829 if (sizeof(struct sadb_msg) > m->m_len + M_TRAILINGSPACE(m)) {
2830 IPSECLOG(LOG_DEBUG, "No more memory.\n"); 2830 IPSECLOG(LOG_DEBUG, "No more memory.\n");
2831 return key_senderror(so, m, ENOBUFS); 2831 return key_senderror(so, m, ENOBUFS);
2832 } 2832 }
2833 2833
2834 if (m->m_next) 2834 if (m->m_next)
2835 m_freem(m->m_next); 2835 m_freem(m->m_next);
2836 m->m_next = NULL; 2836 m->m_next = NULL;
2837 m->m_pkthdr.len = m->m_len = PFKEY_ALIGN8(sizeof(struct sadb_msg)); 2837 m->m_pkthdr.len = m->m_len = PFKEY_ALIGN8(sizeof(struct sadb_msg));
2838 newmsg = mtod(m, struct sadb_msg *); 2838 newmsg = mtod(m, struct sadb_msg *);
2839 newmsg->sadb_msg_errno = 0; 2839 newmsg->sadb_msg_errno = 0;
2840 newmsg->sadb_msg_len = PFKEY_UNIT64(m->m_pkthdr.len); 2840 newmsg->sadb_msg_len = PFKEY_UNIT64(m->m_pkthdr.len);
2841 2841
2842 return key_sendup_mbuf(so, m, KEY_SENDUP_ALL); 2842 return key_sendup_mbuf(so, m, KEY_SENDUP_ALL);
2843} 2843}
2844 2844
2845static struct sockaddr key_src = { 2845static struct sockaddr key_src = {
2846 .sa_len = 2, 2846 .sa_len = 2,
2847 .sa_family = PF_KEY, 2847 .sa_family = PF_KEY,
2848}; 2848};
2849 2849
2850static struct mbuf * 2850static struct mbuf *
2851key_setspddump_chain(int *errorp, int *lenp, pid_t pid) 2851key_setspddump_chain(int *errorp, int *lenp, pid_t pid)
2852{ 2852{
2853 struct secpolicy *sp; 2853 struct secpolicy *sp;
2854 int cnt; 2854 int cnt;
2855 u_int dir; 2855 u_int dir;
2856 struct mbuf *m, *n, *prev; 2856 struct mbuf *m, *n, *prev;
2857 int totlen; 2857 int totlen;
2858 2858
2859 KASSERT(mutex_owned(&key_spd.lock)); 2859 KASSERT(mutex_owned(&key_spd.lock));
2860 2860
2861 *lenp = 0; 2861 *lenp = 0;
2862 2862
2863 /* search SPD entry and get buffer size. */ 2863 /* search SPD entry and get buffer size. */
2864 cnt = 0; 2864 cnt = 0;
2865 for (dir = 0; dir < IPSEC_DIR_MAX; dir++) { 2865 for (dir = 0; dir < IPSEC_DIR_MAX; dir++) {
2866 SPLIST_WRITER_FOREACH(sp, dir) { 2866 SPLIST_WRITER_FOREACH(sp, dir) {
2867 cnt++; 2867 cnt++;
2868 } 2868 }
2869 } 2869 }
2870 2870
2871 if (cnt == 0) { 2871 if (cnt == 0) {
2872 *errorp = ENOENT; 2872 *errorp = ENOENT;
2873 return (NULL); 2873 return (NULL);
2874 } 2874 }
2875 2875
2876 m = NULL; 2876 m = NULL;
2877 prev = m; 2877 prev = m;
2878 totlen = 0; 2878 totlen = 0;
2879 for (dir = 0; dir < IPSEC_DIR_MAX; dir++) { 2879 for (dir = 0; dir < IPSEC_DIR_MAX; dir++) {
2880 SPLIST_WRITER_FOREACH(sp, dir) { 2880 SPLIST_WRITER_FOREACH(sp, dir) {
2881 --cnt; 2881 --cnt;
2882 n = key_setdumpsp(sp, SADB_X_SPDDUMP, cnt, pid); 2882 n = key_setdumpsp(sp, SADB_X_SPDDUMP, cnt, pid);
2883 2883
2884 totlen += n->m_pkthdr.len; 2884 totlen += n->m_pkthdr.len;
2885 if (!m) { 2885 if (!m) {
2886 m = n; 2886 m = n;
2887 } else { 2887 } else {
2888 prev->m_nextpkt = n; 2888 prev->m_nextpkt = n;
2889 } 2889 }
2890 prev = n; 2890 prev = n;
2891 } 2891 }
2892 } 2892 }
2893 2893
2894 *lenp = totlen; 2894 *lenp = totlen;
2895 *errorp = 0; 2895 *errorp = 0;
2896 return (m); 2896 return (m);
2897} 2897}
2898 2898
2899/* 2899/*
2900 * SADB_SPDDUMP processing 2900 * SADB_SPDDUMP processing
2901 * receive 2901 * receive
2902 * <base> 2902 * <base>
2903 * from the user, and dump all SP leaves 2903 * from the user, and dump all SP leaves
2904 * and send, 2904 * and send,
2905 * <base> ..... 2905 * <base> .....
2906 * to the ikmpd. 2906 * to the ikmpd.
2907 * 2907 *
2908 * m will always be freed. 2908 * m will always be freed.
2909 */ 2909 */
2910static int 2910static int
2911key_api_spddump(struct socket *so, struct mbuf *m0, 2911key_api_spddump(struct socket *so, struct mbuf *m0,
2912 const struct sadb_msghdr *mhp) 2912 const struct sadb_msghdr *mhp)
2913{ 2913{
2914 struct mbuf *n; 2914 struct mbuf *n;
2915 int error, len; 2915 int error, len;
2916 int ok; 2916 int ok;
2917 pid_t pid; 2917 pid_t pid;
2918 2918
2919 pid = mhp->msg->sadb_msg_pid; 2919 pid = mhp->msg->sadb_msg_pid;
2920 /* 2920 /*
2921 * If the requestor has insufficient socket-buffer space 2921 * If the requestor has insufficient socket-buffer space
2922 * for the entire chain, nobody gets any response to the DUMP. 2922 * for the entire chain, nobody gets any response to the DUMP.
2923 * XXX For now, only the requestor ever gets anything. 2923 * XXX For now, only the requestor ever gets anything.
2924 * Moreover, if the requestor has any space at all, they receive 2924 * Moreover, if the requestor has any space at all, they receive
2925 * the entire chain, otherwise the request is refused with ENOBUFS. 2925 * the entire chain, otherwise the request is refused with ENOBUFS.
2926 */ 2926 */
2927 if (sbspace(&so->so_rcv) <= 0) { 2927 if (sbspace(&so->so_rcv) <= 0) {
2928 return key_senderror(so, m0, ENOBUFS); 2928 return key_senderror(so, m0, ENOBUFS);
2929 } 2929 }
2930 2930
2931 mutex_enter(&key_spd.lock); 2931 mutex_enter(&key_spd.lock);
2932 n = key_setspddump_chain(&error, &len, pid); 2932 n = key_setspddump_chain(&error, &len, pid);
2933 mutex_exit(&key_spd.lock); 2933 mutex_exit(&key_spd.lock);
2934 2934
2935 if (n == NULL) { 2935 if (n == NULL) {
2936 return key_senderror(so, m0, ENOENT); 2936 return key_senderror(so, m0, ENOENT);
2937 } 2937 }
2938 { 2938 {
2939 uint64_t *ps = PFKEY_STAT_GETREF(); 2939 uint64_t *ps = PFKEY_STAT_GETREF();
2940 ps[PFKEY_STAT_IN_TOTAL]++; 2940 ps[PFKEY_STAT_IN_TOTAL]++;
2941 ps[PFKEY_STAT_IN_BYTES] += len; 2941 ps[PFKEY_STAT_IN_BYTES] += len;
2942 PFKEY_STAT_PUTREF(); 2942 PFKEY_STAT_PUTREF();
2943 } 2943 }
2944 2944
2945 /* 2945 /*
2946 * PF_KEY DUMP responses are no longer broadcast to all PF_KEY sockets. 2946 * PF_KEY DUMP responses are no longer broadcast to all PF_KEY sockets.
2947 * The requestor receives either the entire chain, or an 2947 * The requestor receives either the entire chain, or an
2948 * error message with ENOBUFS. 2948 * error message with ENOBUFS.
2949 */ 2949 */
2950 2950
2951 /* 2951 /*
2952 * sbappendchainwith record takes the chain of entries, one 2952 * sbappendchainwith record takes the chain of entries, one
2953 * packet-record per SPD entry, prepends the key_src sockaddr 2953 * packet-record per SPD entry, prepends the key_src sockaddr
2954 * to each packet-record, links the sockaddr mbufs into a new 2954 * to each packet-record, links the sockaddr mbufs into a new
2955 * list of records, then appends the entire resulting 2955 * list of records, then appends the entire resulting
2956 * list to the requesting socket. 2956 * list to the requesting socket.
2957 */ 2957 */
2958 ok = sbappendaddrchain(&so->so_rcv, (struct sockaddr *)&key_src, n, 2958 ok = sbappendaddrchain(&so->so_rcv, (struct sockaddr *)&key_src, n,
2959 SB_PRIO_ONESHOT_OVERFLOW); 2959 SB_PRIO_ONESHOT_OVERFLOW);
2960 2960
2961 if (!ok) { 2961 if (!ok) {
2962 PFKEY_STATINC(PFKEY_STAT_IN_NOMEM); 2962 PFKEY_STATINC(PFKEY_STAT_IN_NOMEM);
2963 m_freem(n); 2963 m_freem(n);
2964 return key_senderror(so, m0, ENOBUFS); 2964 return key_senderror(so, m0, ENOBUFS);
2965 } 2965 }
2966 2966
2967 m_freem(m0); 2967 m_freem(m0);
2968 return error; 2968 return error;
2969} 2969}
2970 2970
2971/* 2971/*
2972 * SADB_X_NAT_T_NEW_MAPPING. Unused by racoon as of 2005/04/23 2972 * SADB_X_NAT_T_NEW_MAPPING. Unused by racoon as of 2005/04/23
2973 */ 2973 */
2974static int 2974static int
2975key_api_nat_map(struct socket *so, struct mbuf *m, 2975key_api_nat_map(struct socket *so, struct mbuf *m,
2976 const struct sadb_msghdr *mhp) 2976 const struct sadb_msghdr *mhp)
2977{ 2977{
2978 struct sadb_x_nat_t_type *type; 2978 struct sadb_x_nat_t_type *type;
2979 struct sadb_x_nat_t_port *sport; 2979 struct sadb_x_nat_t_port *sport;
2980 struct sadb_x_nat_t_port *dport; 2980 struct sadb_x_nat_t_port *dport;
2981 struct sadb_address *iaddr, *raddr; 2981 struct sadb_address *iaddr, *raddr;
2982 struct sadb_x_nat_t_frag *frag; 2982 struct sadb_x_nat_t_frag *frag;
2983 2983
2984 if (mhp->ext[SADB_X_EXT_NAT_T_TYPE] == NULL || 2984 if (mhp->ext[SADB_X_EXT_NAT_T_TYPE] == NULL ||
2985 mhp->ext[SADB_X_EXT_NAT_T_SPORT] == NULL || 2985 mhp->ext[SADB_X_EXT_NAT_T_SPORT] == NULL ||
2986 mhp->ext[SADB_X_EXT_NAT_T_DPORT] == NULL) { 2986 mhp->ext[SADB_X_EXT_NAT_T_DPORT] == NULL) {
2987 IPSECLOG(LOG_DEBUG, "invalid message.\n"); 2987 IPSECLOG(LOG_DEBUG, "invalid message.\n");
2988 return key_senderror(so, m, EINVAL); 2988 return key_senderror(so, m, EINVAL);
2989 } 2989 }
2990 if ((mhp->extlen[SADB_X_EXT_NAT_T_TYPE] < sizeof(*type)) || 2990 if ((mhp->extlen[SADB_X_EXT_NAT_T_TYPE] < sizeof(*type)) ||
2991 (mhp->extlen[SADB_X_EXT_NAT_T_SPORT] < sizeof(*sport)) || 2991 (mhp->extlen[SADB_X_EXT_NAT_T_SPORT] < sizeof(*sport)) ||
2992 (mhp->extlen[SADB_X_EXT_NAT_T_DPORT] < sizeof(*dport))) { 2992 (mhp->extlen[SADB_X_EXT_NAT_T_DPORT] < sizeof(*dport))) {
2993 IPSECLOG(LOG_DEBUG, "invalid message.\n"); 2993 IPSECLOG(LOG_DEBUG, "invalid message.\n");
2994 return key_senderror(so, m, EINVAL); 2994 return key_senderror(so, m, EINVAL);
2995 } 2995 }
2996 2996
2997 if ((mhp->ext[SADB_X_EXT_NAT_T_OAI] != NULL) && 2997 if ((mhp->ext[SADB_X_EXT_NAT_T_OAI] != NULL) &&
2998 (mhp->extlen[SADB_X_EXT_NAT_T_OAI] < sizeof(*iaddr))) { 2998 (mhp->extlen[SADB_X_EXT_NAT_T_OAI] < sizeof(*iaddr))) {
2999 IPSECLOG(LOG_DEBUG, "invalid message\n"); 2999 IPSECLOG(LOG_DEBUG, "invalid message\n");
3000 return key_senderror(so, m, EINVAL); 3000 return key_senderror(so, m, EINVAL);
3001 } 3001 }
3002 3002
3003 if ((mhp->ext[SADB_X_EXT_NAT_T_OAR] != NULL) && 3003 if ((mhp->ext[SADB_X_EXT_NAT_T_OAR] != NULL) &&
3004 (mhp->extlen[SADB_X_EXT_NAT_T_OAR] < sizeof(*raddr))) { 3004 (mhp->extlen[SADB_X_EXT_NAT_T_OAR] < sizeof(*raddr))) {
3005 IPSECLOG(LOG_DEBUG, "invalid message\n"); 3005 IPSECLOG(LOG_DEBUG, "invalid message\n");
3006 return key_senderror(so, m, EINVAL); 3006 return key_senderror(so, m, EINVAL);
3007 } 3007 }
3008 3008
3009 if ((mhp->ext[SADB_X_EXT_NAT_T_FRAG] != NULL) && 3009 if ((mhp->ext[SADB_X_EXT_NAT_T_FRAG] != NULL) &&
3010 (mhp->extlen[SADB_X_EXT_NAT_T_FRAG] < sizeof(*frag))) { 3010 (mhp->extlen[SADB_X_EXT_NAT_T_FRAG] < sizeof(*frag))) {
3011 IPSECLOG(LOG_DEBUG, "invalid message\n"); 3011 IPSECLOG(LOG_DEBUG, "invalid message\n");
3012 return key_senderror(so, m, EINVAL); 3012 return key_senderror(so, m, EINVAL);
3013 } 3013 }
3014 3014
3015 type = mhp->ext[SADB_X_EXT_NAT_T_TYPE]; 3015 type = mhp->ext[SADB_X_EXT_NAT_T_TYPE];
3016 sport = mhp->ext[SADB_X_EXT_NAT_T_SPORT]; 3016 sport = mhp->ext[SADB_X_EXT_NAT_T_SPORT];
3017 dport = mhp->ext[SADB_X_EXT_NAT_T_DPORT]; 3017 dport = mhp->ext[SADB_X_EXT_NAT_T_DPORT];
3018 iaddr = mhp->ext[SADB_X_EXT_NAT_T_OAI]; 3018 iaddr = mhp->ext[SADB_X_EXT_NAT_T_OAI];
3019 raddr = mhp->ext[SADB_X_EXT_NAT_T_OAR]; 3019 raddr = mhp->ext[SADB_X_EXT_NAT_T_OAR];
3020 frag = mhp->ext[SADB_X_EXT_NAT_T_FRAG]; 3020 frag = mhp->ext[SADB_X_EXT_NAT_T_FRAG];
3021 3021
3022 /* 3022 /*
3023 * XXX handle that, it should also contain a SA, or anything 3023 * XXX handle that, it should also contain a SA, or anything
3024 * that enable to update the SA information. 3024 * that enable to update the SA information.
3025 */ 3025 */
3026 3026
3027 return 0; 3027 return 0;
3028} 3028}
3029 3029
3030/* 3030/*
3031 * Never return NULL. 3031 * Never return NULL.
3032 */ 3032 */
3033static struct mbuf * 3033static struct mbuf *
3034key_setdumpsp(struct secpolicy *sp, u_int8_t type, u_int32_t seq, pid_t pid) 3034key_setdumpsp(struct secpolicy *sp, u_int8_t type, u_int32_t seq, pid_t pid)
3035{ 3035{
3036 struct mbuf *result = NULL, *m; 3036 struct mbuf *result = NULL, *m;
3037 3037
3038 KASSERT(!cpu_softintr_p()); 3038 KASSERT(!cpu_softintr_p());
3039 3039
3040 m = key_setsadbmsg(type, 0, SADB_SATYPE_UNSPEC, seq, pid, 3040 m = key_setsadbmsg(type, 0, SADB_SATYPE_UNSPEC, seq, pid,
3041 key_sp_refcnt(sp), M_WAITOK); 3041 key_sp_refcnt(sp), M_WAITOK);
3042 result = m; 3042 result = m;
3043 3043
3044 m = key_setsadbaddr(SADB_EXT_ADDRESS_SRC, 3044 m = key_setsadbaddr(SADB_EXT_ADDRESS_SRC,
3045 &sp->spidx.src.sa, sp->spidx.prefs, sp->spidx.ul_proto, M_WAITOK); 3045 &sp->spidx.src.sa, sp->spidx.prefs, sp->spidx.ul_proto, M_WAITOK);
3046 m_cat(result, m); 3046 m_cat(result, m);
3047 3047
3048 m = key_setsadbaddr(SADB_EXT_ADDRESS_DST, 3048 m = key_setsadbaddr(SADB_EXT_ADDRESS_DST,
3049 &sp->spidx.dst.sa, sp->spidx.prefd, sp->spidx.ul_proto, M_WAITOK); 3049 &sp->spidx.dst.sa, sp->spidx.prefd, sp->spidx.ul_proto, M_WAITOK);
3050 m_cat(result, m); 3050 m_cat(result, m);
3051 3051
3052 m = key_sp2msg(sp, M_WAITOK); 3052 m = key_sp2msg(sp, M_WAITOK);
3053 m_cat(result, m); 3053 m_cat(result, m);
3054 3054
3055 KASSERT(result->m_flags & M_PKTHDR); 3055 KASSERT(result->m_flags & M_PKTHDR);
3056 KASSERT(result->m_len >= sizeof(struct sadb_msg)); 3056 KASSERT(result->m_len >= sizeof(struct sadb_msg));
3057 3057
3058 result->m_pkthdr.len = 0; 3058 result->m_pkthdr.len = 0;
3059 for (m = result; m; m = m->m_next) 3059 for (m = result; m; m = m->m_next)
3060 result->m_pkthdr.len += m->m_len; 3060 result->m_pkthdr.len += m->m_len;
3061 3061
3062 mtod(result, struct sadb_msg *)->sadb_msg_len = 3062 mtod(result, struct sadb_msg *)->sadb_msg_len =
3063 PFKEY_UNIT64(result->m_pkthdr.len); 3063 PFKEY_UNIT64(result->m_pkthdr.len);
3064 3064
3065 return result; 3065 return result;
3066} 3066}
3067 3067
3068/* 3068/*
3069 * get PFKEY message length for security policy and request. 3069 * get PFKEY message length for security policy and request.
3070 */ 3070 */
3071static u_int 3071static u_int
3072key_getspreqmsglen(const struct secpolicy *sp) 3072key_getspreqmsglen(const struct secpolicy *sp)
3073{ 3073{
3074 u_int tlen; 3074 u_int tlen;
3075 3075
3076 tlen = sizeof(struct sadb_x_policy); 3076 tlen = sizeof(struct sadb_x_policy);
3077 3077
3078 /* if is the policy for ipsec ? */ 3078 /* if is the policy for ipsec ? */
3079 if (sp->policy != IPSEC_POLICY_IPSEC) 3079 if (sp->policy != IPSEC_POLICY_IPSEC)
3080 return tlen; 3080 return tlen;
3081 3081
3082 /* get length of ipsec requests */ 3082 /* get length of ipsec requests */
3083 { 3083 {
3084 const struct ipsecrequest *isr; 3084 const struct ipsecrequest *isr;
3085 int len; 3085 int len;
3086 3086
3087 for (isr = sp->req; isr != NULL; isr = isr->next) { 3087 for (isr = sp->req; isr != NULL; isr = isr->next) {
3088 len = sizeof(struct sadb_x_ipsecrequest) 3088 len = sizeof(struct sadb_x_ipsecrequest)
3089 + isr->saidx.src.sa.sa_len + isr->saidx.dst.sa.sa_len; 3089 + isr->saidx.src.sa.sa_len + isr->saidx.dst.sa.sa_len;
3090 3090
3091 tlen += PFKEY_ALIGN8(len); 3091 tlen += PFKEY_ALIGN8(len);
3092 } 3092 }
3093 } 3093 }
3094 3094
3095 return tlen; 3095 return tlen;
3096} 3096}
3097 3097
3098/* 3098/*
3099 * SADB_SPDEXPIRE processing 3099 * SADB_SPDEXPIRE processing
3100 * send 3100 * send
3101 * <base, address(SD), lifetime(CH), policy> 3101 * <base, address(SD), lifetime(CH), policy>
3102 * to KMD by PF_KEY. 3102 * to KMD by PF_KEY.
3103 * 3103 *
3104 * OUT: 0 : succeed 3104 * OUT: 0 : succeed
3105 * others : error number 3105 * others : error number
3106 */ 3106 */
3107static int 3107static int
3108key_spdexpire(struct secpolicy *sp) 3108key_spdexpire(struct secpolicy *sp)
3109{ 3109{
3110 int s; 3110 int s;
3111 struct mbuf *result = NULL, *m; 3111 struct mbuf *result = NULL, *m;
3112 int len; 3112 int len;
3113 int error = -1; 3113 int error = -1;
3114 struct sadb_lifetime *lt; 3114 struct sadb_lifetime *lt;
3115 3115
3116 /* XXX: Why do we lock ? */ 3116 /* XXX: Why do we lock ? */
3117 s = splsoftnet(); /*called from softclock()*/ 3117 s = splsoftnet(); /*called from softclock()*/
3118 3118
3119 KASSERT(sp != NULL); 3119 KASSERT(sp != NULL);
3120 3120
3121 /* set msg header */ 3121 /* set msg header */
3122 m = key_setsadbmsg(SADB_X_SPDEXPIRE, 0, 0, 0, 0, 0, M_WAITOK); 3122 m = key_setsadbmsg(SADB_X_SPDEXPIRE, 0, 0, 0, 0, 0, M_WAITOK);
3123 result = m; 3123 result = m;
3124 3124
3125 /* create lifetime extension (current and hard) */ 3125 /* create lifetime extension (current and hard) */
3126 len = PFKEY_ALIGN8(sizeof(*lt)) * 2; 3126 len = PFKEY_ALIGN8(sizeof(*lt)) * 2;
3127 m = key_alloc_mbuf(len, M_WAITOK); 3127 m = key_alloc_mbuf(len, M_WAITOK);
3128 KASSERT(m->m_next == NULL); 3128 KASSERT(m->m_next == NULL);
3129 3129
3130 memset(mtod(m, void *), 0, len); 3130 memset(mtod(m, void *), 0, len);
3131 lt = mtod(m, struct sadb_lifetime *); 3131 lt = mtod(m, struct sadb_lifetime *);
3132 lt->sadb_lifetime_len = PFKEY_UNIT64(sizeof(struct sadb_lifetime)); 3132 lt->sadb_lifetime_len = PFKEY_UNIT64(sizeof(struct sadb_lifetime));
3133 lt->sadb_lifetime_exttype = SADB_EXT_LIFETIME_CURRENT; 3133 lt->sadb_lifetime_exttype = SADB_EXT_LIFETIME_CURRENT;
3134 lt->sadb_lifetime_allocations = 0; 3134 lt->sadb_lifetime_allocations = 0;
3135 lt->sadb_lifetime_bytes = 0; 3135 lt->sadb_lifetime_bytes = 0;
3136 lt->sadb_lifetime_addtime = time_mono_to_wall(sp->created); 3136 lt->sadb_lifetime_addtime = time_mono_to_wall(sp->created);
3137 lt->sadb_lifetime_usetime = time_mono_to_wall(sp->lastused); 3137 lt->sadb_lifetime_usetime = time_mono_to_wall(sp->lastused);
3138 lt = (struct sadb_lifetime *)(mtod(m, char *) + len / 2); 3138 lt = (struct sadb_lifetime *)(mtod(m, char *) + len / 2);
3139 lt->sadb_lifetime_len = PFKEY_UNIT64(sizeof(struct sadb_lifetime)); 3139 lt->sadb_lifetime_len = PFKEY_UNIT64(sizeof(struct sadb_lifetime));
3140 lt->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD; 3140 lt->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD;
3141 lt->sadb_lifetime_allocations = 0; 3141 lt->sadb_lifetime_allocations = 0;
3142 lt->sadb_lifetime_bytes = 0; 3142 lt->sadb_lifetime_bytes = 0;
3143 lt->sadb_lifetime_addtime = sp->lifetime; 3143 lt->sadb_lifetime_addtime = sp->lifetime;
3144 lt->sadb_lifetime_usetime = sp->validtime; 3144 lt->sadb_lifetime_usetime = sp->validtime;
3145 m_cat(result, m); 3145 m_cat(result, m);
3146 3146
3147 /* set sadb_address for source */ 3147 /* set sadb_address for source */
3148 m = key_setsadbaddr(SADB_EXT_ADDRESS_SRC, &sp->spidx.src.sa, 3148 m = key_setsadbaddr(SADB_EXT_ADDRESS_SRC, &sp->spidx.src.sa,
3149 sp->spidx.prefs, sp->spidx.ul_proto, M_WAITOK); 3149 sp->spidx.prefs, sp->spidx.ul_proto, M_WAITOK);
3150 m_cat(result, m); 3150 m_cat(result, m);
3151 3151
3152 /* set sadb_address for destination */ 3152 /* set sadb_address for destination */
3153 m = key_setsadbaddr(SADB_EXT_ADDRESS_DST, &sp->spidx.dst.sa, 3153 m = key_setsadbaddr(SADB_EXT_ADDRESS_DST, &sp->spidx.dst.sa,
3154 sp->spidx.prefd, sp->spidx.ul_proto, M_WAITOK); 3154 sp->spidx.prefd, sp->spidx.ul_proto, M_WAITOK);
3155 m_cat(result, m); 3155 m_cat(result, m);
3156 3156
3157 /* set secpolicy */ 3157 /* set secpolicy */
3158 m = key_sp2msg(sp, M_WAITOK); 3158 m = key_sp2msg(sp, M_WAITOK);
3159 m_cat(result, m); 3159 m_cat(result, m);
3160 3160
3161 KASSERT(result->m_flags & M_PKTHDR); 3161 KASSERT(result->m_flags & M_PKTHDR);
3162 KASSERT(result->m_len >= sizeof(struct sadb_msg)); 3162 KASSERT(result->m_len >= sizeof(struct sadb_msg));
3163 3163
3164 result->m_pkthdr.len = 0; 3164 result->m_pkthdr.len = 0;
3165 for (m = result; m; m = m->m_next) 3165 for (m = result; m; m = m->m_next)
3166 result->m_pkthdr.len += m->m_len; 3166 result->m_pkthdr.len += m->m_len;
3167 3167
3168 mtod(result, struct sadb_msg *)->sadb_msg_len = 3168 mtod(result, struct sadb_msg *)->sadb_msg_len =
3169 PFKEY_UNIT64(result->m_pkthdr.len); 3169 PFKEY_UNIT64(result->m_pkthdr.len);
3170 3170
3171 error = key_sendup_mbuf(NULL, result, KEY_SENDUP_REGISTERED); 3171 error = key_sendup_mbuf(NULL, result, KEY_SENDUP_REGISTERED);
3172 splx(s); 3172 splx(s);
3173 return error; 3173 return error;
3174} 3174}
3175 3175
3176/* %%% SAD management */ 3176/* %%% SAD management */
3177/* 3177/*
3178 * allocating a memory for new SA head, and copy from the values of mhp. 3178 * allocating a memory for new SA head, and copy from the values of mhp.
3179 * OUT: NULL : failure due to the lack of memory. 3179 * OUT: NULL : failure due to the lack of memory.
3180 * others : pointer to new SA head. 3180 * others : pointer to new SA head.
3181 */ 3181 */
3182static struct secashead * 3182static struct secashead *
3183key_newsah(const struct secasindex *saidx) 3183key_newsah(const struct secasindex *saidx)
3184{ 3184{
3185 struct secashead *newsah; 3185 struct secashead *newsah;
3186 int i; 3186 int i;
3187 3187
3188 KASSERT(saidx != NULL); 3188 KASSERT(saidx != NULL);
3189 3189
3190 newsah = kmem_zalloc(sizeof(struct secashead), KM_SLEEP); 3190 newsah = kmem_zalloc(sizeof(struct secashead), KM_SLEEP);
3191 for (i = 0; i < __arraycount(newsah->savlist); i++) 3191 for (i = 0; i < __arraycount(newsah->savlist); i++)
3192 PSLIST_INIT(&newsah->savlist[i]); 3192 PSLIST_INIT(&newsah->savlist[i]);
3193 newsah->saidx = *saidx; 3193 newsah->saidx = *saidx;
3194 3194
3195 localcount_init(&newsah->localcount); 3195 localcount_init(&newsah->localcount);
3196 /* Take a reference for the caller */ 3196 /* Take a reference for the caller */
3197 localcount_acquire(&newsah->localcount); 3197 localcount_acquire(&newsah->localcount);
3198 3198
3199 /* Add to the sah list */ 3199 /* Add to the sah list */
3200 SAHLIST_ENTRY_INIT(newsah); 3200 SAHLIST_ENTRY_INIT(newsah);
3201 newsah->state = SADB_SASTATE_MATURE; 3201 newsah->state = SADB_SASTATE_MATURE;
3202 mutex_enter(&key_sad.lock); 3202 mutex_enter(&key_sad.lock);
3203 SAHLIST_WRITER_INSERT_HEAD(newsah); 3203 SAHLIST_WRITER_INSERT_HEAD(newsah);
3204 mutex_exit(&key_sad.lock); 3204 mutex_exit(&key_sad.lock);
3205 3205
3206 return newsah; 3206 return newsah;
3207} 3207}
3208 3208
3209static bool 3209static bool
3210key_sah_has_sav(struct secashead *sah) 3210key_sah_has_sav(struct secashead *sah)
3211{ 3211{
3212 u_int state; 3212 u_int state;
3213 3213
3214 KASSERT(mutex_owned(&key_sad.lock)); 3214 KASSERT(mutex_owned(&key_sad.lock));
3215 3215
3216 SASTATE_ANY_FOREACH(state) { 3216 SASTATE_ANY_FOREACH(state) {
3217 if (!SAVLIST_WRITER_EMPTY(sah, state)) 3217 if (!SAVLIST_WRITER_EMPTY(sah, state))
3218 return true; 3218 return true;
3219 } 3219 }
3220 3220
3221 return false; 3221 return false;
3222} 3222}
3223 3223
3224static void 3224static void
3225key_unlink_sah(struct secashead *sah) 3225key_unlink_sah(struct secashead *sah)
3226{ 3226{
3227 3227
3228 KASSERT(!cpu_softintr_p()); 3228 KASSERT(!cpu_softintr_p());
3229 KASSERT(mutex_owned(&key_sad.lock)); 3229 KASSERT(mutex_owned(&key_sad.lock));
3230 KASSERT(sah->state == SADB_SASTATE_DEAD); 3230 KASSERT(sah->state == SADB_SASTATE_DEAD);
3231 3231
3232 /* Remove from the sah list */ 3232 /* Remove from the sah list */
3233 SAHLIST_WRITER_REMOVE(sah); 3233 SAHLIST_WRITER_REMOVE(sah);
3234 3234
3235 KDASSERT(mutex_ownable(softnet_lock)); 3235 KDASSERT(mutex_ownable(softnet_lock));
3236 key_sad_pserialize_perform(); 3236 key_sad_pserialize_perform();
3237 3237
3238 localcount_drain(&sah->localcount, &key_sad.cv_lc, &key_sad.lock); 3238 localcount_drain(&sah->localcount, &key_sad.cv_lc, &key_sad.lock);
3239} 3239}
3240 3240
3241static void 3241static void
3242key_destroy_sah(struct secashead *sah) 3242key_destroy_sah(struct secashead *sah)
3243{ 3243{
3244 3244
3245 rtcache_free(&sah->sa_route); 3245 rtcache_free(&sah->sa_route);
3246 3246
3247 SAHLIST_ENTRY_DESTROY(sah); 3247 SAHLIST_ENTRY_DESTROY(sah);
3248 localcount_fini(&sah->localcount); 3248 localcount_fini(&sah->localcount);
3249 3249
3250 if (sah->idents != NULL) 3250 if (sah->idents != NULL)
3251 kmem_free(sah->idents, sah->idents_len); 3251 kmem_free(sah->idents, sah->idents_len);
3252 if (sah->identd != NULL) 3252 if (sah->identd != NULL)
3253 kmem_free(sah->identd, sah->identd_len); 3253 kmem_free(sah->identd, sah->identd_len);
3254 3254
3255 kmem_free(sah, sizeof(*sah)); 3255 kmem_free(sah, sizeof(*sah));
3256} 3256}
3257 3257
3258/* 3258/*
3259 * allocating a new SA with LARVAL state. 3259 * allocating a new SA with LARVAL state.
3260 * key_api_add() and key_api_getspi() call, 3260 * key_api_add() and key_api_getspi() call,
3261 * and copy the values of mhp into new buffer. 3261 * and copy the values of mhp into new buffer.
3262 * When SAD message type is GETSPI: 3262 * When SAD message type is GETSPI:
3263 * to set sequence number from acq_seq++, 3263 * to set sequence number from acq_seq++,
3264 * to set zero to SPI. 3264 * to set zero to SPI.
3265 * not to call key_setsava(). 3265 * not to call key_setsava().
3266 * OUT: NULL : fail 3266 * OUT: NULL : fail
3267 * others : pointer to new secasvar. 3267 * others : pointer to new secasvar.
3268 * 3268 *
3269 * does not modify mbuf. does not free mbuf on error. 3269 * does not modify mbuf. does not free mbuf on error.
3270 */ 3270 */
3271static struct secasvar * 3271static struct secasvar *
3272key_newsav(struct mbuf *m, const struct sadb_msghdr *mhp, 3272key_newsav(struct mbuf *m, const struct sadb_msghdr *mhp,
3273 int *errp, const char* where, int tag) 3273 int *errp, const char* where, int tag)
3274{ 3274{
3275 struct secasvar *newsav; 3275 struct secasvar *newsav;
3276 const struct sadb_sa *xsa; 3276 const struct sadb_sa *xsa;
3277 3277
3278 KASSERT(!cpu_softintr_p()); 3278 KASSERT(!cpu_softintr_p());
3279 KASSERT(m != NULL); 3279 KASSERT(m != NULL);
3280 KASSERT(mhp != NULL); 3280 KASSERT(mhp != NULL);
3281 KASSERT(mhp->msg != NULL); 3281 KASSERT(mhp->msg != NULL);
3282 3282
3283 newsav = kmem_zalloc(sizeof(struct secasvar), KM_SLEEP); 3283 newsav = kmem_zalloc(sizeof(struct secasvar), KM_SLEEP);
3284 3284
3285 switch (mhp->msg->sadb_msg_type) { 3285 switch (mhp->msg->sadb_msg_type) {
3286 case SADB_GETSPI: 3286 case SADB_GETSPI:
3287 newsav->spi = 0; 3287 newsav->spi = 0;
3288 3288
3289#ifdef IPSEC_DOSEQCHECK 3289#ifdef IPSEC_DOSEQCHECK
3290 /* sync sequence number */ 3290 /* sync sequence number */
3291 if (mhp->msg->sadb_msg_seq == 0) 3291 if (mhp->msg->sadb_msg_seq == 0)
3292 newsav->seq = 3292 newsav->seq =
3293 (acq_seq = (acq_seq == ~0 ? 1 : ++acq_seq)); 3293 (acq_seq = (acq_seq == ~0 ? 1 : ++acq_seq));
3294 else 3294 else
3295#endif 3295#endif
3296 newsav->seq = mhp->msg->sadb_msg_seq; 3296 newsav->seq = mhp->msg->sadb_msg_seq;
3297 break; 3297 break;
3298 3298
3299 case SADB_ADD: 3299 case SADB_ADD:
3300 /* sanity check */ 3300 /* sanity check */
3301 if (mhp->ext[SADB_EXT_SA] == NULL) { 3301 if (mhp->ext[SADB_EXT_SA] == NULL) {
3302 IPSECLOG(LOG_DEBUG, "invalid message is passed.\n"); 3302 IPSECLOG(LOG_DEBUG, "invalid message is passed.\n");
3303 *errp = EINVAL; 3303 *errp = EINVAL;
3304 goto error; 3304 goto error;
3305 } 3305 }
3306 xsa = mhp->ext[SADB_EXT_SA]; 3306 xsa = mhp->ext[SADB_EXT_SA];
3307 newsav->spi = xsa->sadb_sa_spi; 3307 newsav->spi = xsa->sadb_sa_spi;
3308 newsav->seq = mhp->msg->sadb_msg_seq; 3308 newsav->seq = mhp->msg->sadb_msg_seq;
3309 break; 3309 break;
3310 default: 3310 default:
3311 *errp = EINVAL; 3311 *errp = EINVAL;
3312 goto error; 3312 goto error;
3313 } 3313 }
3314 3314
3315 /* copy sav values */ 3315 /* copy sav values */
3316 if (mhp->msg->sadb_msg_type != SADB_GETSPI) { 3316 if (mhp->msg->sadb_msg_type != SADB_GETSPI) {
3317 *errp = key_setsaval(newsav, m, mhp); 3317 *errp = key_setsaval(newsav, m, mhp);
3318 if (*errp) 3318 if (*errp)
3319 goto error; 3319 goto error;
3320 } else { 3320 } else {
3321 /* We don't allow lft_c to be NULL */ 3321 /* We don't allow lft_c to be NULL */
3322 newsav->lft_c = kmem_zalloc(sizeof(struct sadb_lifetime), 3322 newsav->lft_c = kmem_zalloc(sizeof(struct sadb_lifetime),
3323 KM_SLEEP); 3323 KM_SLEEP);
3324 newsav->lft_c_counters_percpu = 3324 newsav->lft_c_counters_percpu =
3325 percpu_alloc(sizeof(lifetime_counters_t)); 3325 percpu_alloc(sizeof(lifetime_counters_t));
3326 } 3326 }
3327 3327
3328 /* reset created */ 3328 /* reset created */
3329 newsav->created = time_uptime; 3329 newsav->created = time_uptime;
3330 newsav->pid = mhp->msg->sadb_msg_pid; 3330 newsav->pid = mhp->msg->sadb_msg_pid;
3331 3331
3332 KEYDEBUG_PRINTF(KEYDEBUG_IPSEC_STAMP, 3332 KEYDEBUG_PRINTF(KEYDEBUG_IPSEC_STAMP,
3333 "DP from %s:%u return SA:%p\n", where, tag, newsav); 3333 "DP from %s:%u return SA:%p\n", where, tag, newsav);
3334 return newsav; 3334 return newsav;
3335 3335
3336error: 3336error:
3337 KASSERT(*errp != 0); 3337 KASSERT(*errp != 0);
3338 kmem_free(newsav, sizeof(*newsav)); 3338 kmem_free(newsav, sizeof(*newsav));
3339 KEYDEBUG_PRINTF(KEYDEBUG_IPSEC_STAMP, 3339 KEYDEBUG_PRINTF(KEYDEBUG_IPSEC_STAMP,
3340 "DP from %s:%u return SA:NULL\n", where, tag); 3340 "DP from %s:%u return SA:NULL\n", where, tag);
3341 return NULL; 3341 return NULL;
3342} 3342}
3343 3343
3344 3344
3345static void 3345static void
3346key_clear_xform(struct secasvar *sav) 3346key_clear_xform(struct secasvar *sav)
3347{ 3347{
3348 3348
3349 /* 3349 /*
3350 * Cleanup xform state. Note that zeroize'ing causes the 3350 * Cleanup xform state. Note that zeroize'ing causes the
3351 * keys to be cleared; otherwise we must do it ourself. 3351 * keys to be cleared; otherwise we must do it ourself.
3352 */ 3352 */
3353 if (sav->tdb_xform != NULL) { 3353 if (sav->tdb_xform != NULL) {
3354 sav->tdb_xform->xf_zeroize(sav); 3354 sav->tdb_xform->xf_zeroize(sav);
3355 sav->tdb_xform = NULL; 3355 sav->tdb_xform = NULL;
3356 } else { 3356 } else {
3357 if (sav->key_auth != NULL) 3357 if (sav->key_auth != NULL)
3358 explicit_memset(_KEYBUF(sav->key_auth), 0, 3358 explicit_memset(_KEYBUF(sav->key_auth), 0,
3359 _KEYLEN(sav->key_auth)); 3359 _KEYLEN(sav->key_auth));
3360 if (sav->key_enc != NULL) 3360 if (sav->key_enc != NULL)
3361 explicit_memset(_KEYBUF(sav->key_enc), 0, 3361 explicit_memset(_KEYBUF(sav->key_enc), 0,
3362 _KEYLEN(sav->key_enc)); 3362 _KEYLEN(sav->key_enc));
3363 } 3363 }
3364} 3364}
3365 3365
3366/* 3366/*
3367 * free() SA variable entry. 3367 * free() SA variable entry.
3368 */ 3368 */
3369static void 3369static void
3370key_delsav(struct secasvar *sav) 3370key_delsav(struct secasvar *sav)
3371{ 3371{
3372 3372
3373 key_clear_xform(sav); 3373 key_clear_xform(sav);
3374 key_freesaval(sav); 3374 key_freesaval(sav);
3375 kmem_free(sav, sizeof(*sav)); 3375 kmem_free(sav, sizeof(*sav));
3376} 3376}
3377 3377
3378/* 3378/*
3379 * Must be called in a pserialize read section. A held sah 3379 * Must be called in a pserialize read section. A held sah
3380 * must be released by key_sah_unref after use. 3380 * must be released by key_sah_unref after use.
3381 */ 3381 */
3382static void 3382static void
3383key_sah_ref(struct secashead *sah) 3383key_sah_ref(struct secashead *sah)
3384{ 3384{
3385 3385
3386 localcount_acquire(&sah->localcount); 3386 localcount_acquire(&sah->localcount);
3387} 3387}
3388 3388
3389/* 3389/*
3390 * Must be called without holding key_sad.lock because the lock 3390 * Must be called without holding key_sad.lock because the lock
3391 * would be held in localcount_release. 3391 * would be held in localcount_release.
3392 */ 3392 */
3393static void 3393static void
3394key_sah_unref(struct secashead *sah) 3394key_sah_unref(struct secashead *sah)
3395{ 3395{
3396 3396
3397 KDASSERT(mutex_ownable(&key_sad.lock)); 3397 KDASSERT(mutex_ownable(&key_sad.lock));
3398 3398
3399 localcount_release(&sah->localcount, &key_sad.cv_lc, &key_sad.lock); 3399 localcount_release(&sah->localcount, &key_sad.cv_lc, &key_sad.lock);
3400} 3400}
3401 3401
3402/* 3402/*
3403 * Search SAD and return sah. Must be called in a pserialize 3403 * Search SAD and return sah. Must be called in a pserialize
3404 * read section. 3404 * read section.
3405 * OUT: 3405 * OUT:
3406 * NULL : not found 3406 * NULL : not found
3407 * others : found, pointer to a SA. 3407 * others : found, pointer to a SA.
3408 */ 3408 */
3409static struct secashead * 3409static struct secashead *
3410key_getsah(const struct secasindex *saidx, int flag) 3410key_getsah(const struct secasindex *saidx, int flag)
3411{ 3411{
3412 struct secashead *sah; 3412 struct secashead *sah;
3413 3413
3414 SAHLIST_READER_FOREACH_SAIDX(sah, saidx) { 3414 SAHLIST_READER_FOREACH_SAIDX(sah, saidx) {
3415 if (sah->state == SADB_SASTATE_DEAD) 3415 if (sah->state == SADB_SASTATE_DEAD)
3416 continue; 3416 continue;
3417 if (key_saidx_match(&sah->saidx, saidx, flag)) 3417 if (key_saidx_match(&sah->saidx, saidx, flag))
3418 return sah; 3418 return sah;
3419 } 3419 }
3420 3420
3421 return NULL; 3421 return NULL;
3422} 3422}
3423 3423
3424/* 3424/*
3425 * Search SAD and return sah. If sah is returned, the caller must call 3425 * Search SAD and return sah. If sah is returned, the caller must call
3426 * key_sah_unref to releaset a reference. 3426 * key_sah_unref to releaset a reference.
3427 * OUT: 3427 * OUT:
3428 * NULL : not found 3428 * NULL : not found
3429 * others : found, pointer to a SA. 3429 * others : found, pointer to a SA.
3430 */ 3430 */
3431static struct secashead * 3431static struct secashead *
3432key_getsah_ref(const struct secasindex *saidx, int flag) 3432key_getsah_ref(const struct secasindex *saidx, int flag)
3433{ 3433{
3434 struct secashead *sah; 3434 struct secashead *sah;
3435 int s; 3435 int s;
3436 3436
3437 s = pserialize_read_enter(); 3437 s = pserialize_read_enter();
3438 sah = key_getsah(saidx, flag); 3438 sah = key_getsah(saidx, flag);
3439 if (sah != NULL) 3439 if (sah != NULL)
3440 key_sah_ref(sah); 3440 key_sah_ref(sah);
3441 pserialize_read_exit(s); 3441 pserialize_read_exit(s);
3442 3442
3443 return sah; 3443 return sah;
3444} 3444}
3445 3445
3446/* 3446/*
3447 * check not to be duplicated SPI. 3447 * check not to be duplicated SPI.
3448 * NOTE: this function is too slow due to searching all SAD. 3448 * NOTE: this function is too slow due to searching all SAD.
3449 * OUT: 3449 * OUT:
3450 * NULL : not found 3450 * NULL : not found
3451 * others : found, pointer to a SA. 3451 * others : found, pointer to a SA.
3452 */ 3452 */
3453static bool 3453static bool
3454key_checkspidup(const struct secasindex *saidx, u_int32_t spi) 3454key_checkspidup(const struct secasindex *saidx, u_int32_t spi)
3455{ 3455{
3456 struct secashead *sah; 3456 struct secashead *sah;
3457 struct secasvar *sav; 3457 struct secasvar *sav;
3458 int s; 
3459 3458
3460 /* check address family */ 3459 /* check address family */
3461 if (saidx->src.sa.sa_family != saidx->dst.sa.sa_family) { 3460 if (saidx->src.sa.sa_family != saidx->dst.sa.sa_family) {
3462 IPSECLOG(LOG_DEBUG, 3461 IPSECLOG(LOG_DEBUG,
3463 "address family mismatched src %u, dst %u.\n", 3462 "address family mismatched src %u, dst %u.\n",
3464 saidx->src.sa.sa_family, saidx->dst.sa.sa_family); 3463 saidx->src.sa.sa_family, saidx->dst.sa.sa_family);
3465 return false; 3464 return false;
3466 } 3465 }
3467 3466
3468 /* check all SAD */ 3467 /* check all SAD */
3469 s = pserialize_read_enter(); 3468 /* key_ismyaddr may sleep, so use mutex, not pserialize, here. */
3470 SAHLIST_READER_FOREACH(sah) { 3469 mutex_enter(&key_sad.lock);
 3470 SAHLIST_WRITER_FOREACH(sah) {
3471 if (!key_ismyaddr((struct sockaddr *)&sah->saidx.dst)) 3471 if (!key_ismyaddr((struct sockaddr *)&sah->saidx.dst))
3472 continue; 3472 continue;
3473 sav = key_getsavbyspi(sah, spi); 3473 sav = key_getsavbyspi(sah, spi);
3474 if (sav != NULL) { 3474 if (sav != NULL) {
3475 pserialize_read_exit(s); 
3476 KEY_SA_UNREF(&sav); 3475 KEY_SA_UNREF(&sav);
 3476 mutex_exit(&key_sad.lock);
3477 return true; 3477 return true;
3478 } 3478 }
3479 } 3479 }
3480 pserialize_read_exit(s); 3480 mutex_exit(&key_sad.lock);
3481 3481
3482 return false; 3482 return false;
3483} 3483}
3484 3484
3485/* 3485/*
3486 * search SAD litmited alive SA, protocol, SPI. 3486 * search SAD litmited alive SA, protocol, SPI.
3487 * OUT: 3487 * OUT:
3488 * NULL : not found 3488 * NULL : not found
3489 * others : found, pointer to a SA. 3489 * others : found, pointer to a SA.
3490 */ 3490 */
3491static struct secasvar * 3491static struct secasvar *
3492key_getsavbyspi(struct secashead *sah, u_int32_t spi) 3492key_getsavbyspi(struct secashead *sah, u_int32_t spi)
3493{ 3493{
3494 struct secasvar *sav = NULL; 3494 struct secasvar *sav = NULL;
3495 u_int state; 3495 u_int state;
3496 int s; 3496 int s;
3497 3497
3498 /* search all status */ 3498 /* search all status */
3499 s = pserialize_read_enter(); 3499 s = pserialize_read_enter();
3500 SASTATE_ALIVE_FOREACH(state) { 3500 SASTATE_ALIVE_FOREACH(state) {
3501 SAVLIST_READER_FOREACH(sav, sah, state) { 3501 SAVLIST_READER_FOREACH(sav, sah, state) {
3502 /* sanity check */ 3502 /* sanity check */
3503 if (sav->state != state) { 3503 if (sav->state != state) {
3504 IPSECLOG(LOG_DEBUG, 3504 IPSECLOG(LOG_DEBUG,
3505 "invalid sav->state (queue: %d SA: %d)\n", 3505 "invalid sav->state (queue: %d SA: %d)\n",
3506 state, sav->state); 3506 state, sav->state);
3507 continue; 3507 continue;
3508 } 3508 }
3509 3509
3510 if (sav->spi == spi) { 3510 if (sav->spi == spi) {
3511 KEY_SA_REF(sav); 3511 KEY_SA_REF(sav);
3512 goto out; 3512 goto out;
3513 } 3513 }
3514 } 3514 }
3515 } 3515 }
3516out: 3516out:
3517 pserialize_read_exit(s); 3517 pserialize_read_exit(s);
3518 3518
3519 return sav; 3519 return sav;
3520} 3520}
3521 3521
3522/* 3522/*
3523 * Free allocated data to member variables of sav: 3523 * Free allocated data to member variables of sav:
3524 * sav->replay, sav->key_* and sav->lft_*. 3524 * sav->replay, sav->key_* and sav->lft_*.
3525 */ 3525 */
3526static void 3526static void
3527key_freesaval(struct secasvar *sav) 3527key_freesaval(struct secasvar *sav)
3528{ 3528{
3529 3529
3530 KASSERT(key_sa_refcnt(sav) == 0); 3530 KASSERT(key_sa_refcnt(sav) == 0);
3531 3531
3532 if (sav->replay != NULL) 3532 if (sav->replay != NULL)
3533 kmem_intr_free(sav->replay, sav->replay_len); 3533 kmem_intr_free(sav->replay, sav->replay_len);
3534 if (sav->key_auth != NULL) 3534 if (sav->key_auth != NULL)
3535 kmem_intr_free(sav->key_auth, sav->key_auth_len); 3535 kmem_intr_free(sav->key_auth, sav->key_auth_len);
3536 if (sav->key_enc != NULL) 3536 if (sav->key_enc != NULL)
3537 kmem_intr_free(sav->key_enc, sav->key_enc_len); 3537 kmem_intr_free(sav->key_enc, sav->key_enc_len);
3538 if (sav->lft_c_counters_percpu != NULL) { 3538 if (sav->lft_c_counters_percpu != NULL) {
3539 percpu_free(sav->lft_c_counters_percpu, 3539 percpu_free(sav->lft_c_counters_percpu,
3540 sizeof(lifetime_counters_t)); 3540 sizeof(lifetime_counters_t));
3541 } 3541 }
3542 if (sav->lft_c != NULL) 3542 if (sav->lft_c != NULL)
3543 kmem_intr_free(sav->lft_c, sizeof(*(sav->lft_c))); 3543 kmem_intr_free(sav->lft_c, sizeof(*(sav->lft_c)));
3544 if (sav->lft_h != NULL) 3544 if (sav->lft_h != NULL)
3545 kmem_intr_free(sav->lft_h, sizeof(*(sav->lft_h))); 3545 kmem_intr_free(sav->lft_h, sizeof(*(sav->lft_h)));
3546 if (sav->lft_s != NULL) 3546 if (sav->lft_s != NULL)
3547 kmem_intr_free(sav->lft_s, sizeof(*(sav->lft_s))); 3547 kmem_intr_free(sav->lft_s, sizeof(*(sav->lft_s)));
3548} 3548}
3549 3549
3550/* 3550/*
3551 * copy SA values from PF_KEY message except *SPI, SEQ, PID, STATE and TYPE*. 3551 * copy SA values from PF_KEY message except *SPI, SEQ, PID, STATE and TYPE*.
3552 * You must update these if need. 3552 * You must update these if need.
3553 * OUT: 0: success. 3553 * OUT: 0: success.
3554 * !0: failure. 3554 * !0: failure.
3555 * 3555 *
3556 * does not modify mbuf. does not free mbuf on error. 3556 * does not modify mbuf. does not free mbuf on error.
3557 */ 3557 */
3558static int 3558static int
3559key_setsaval(struct secasvar *sav, struct mbuf *m, 3559key_setsaval(struct secasvar *sav, struct mbuf *m,
3560 const struct sadb_msghdr *mhp) 3560 const struct sadb_msghdr *mhp)
3561{ 3561{
3562 int error = 0; 3562 int error = 0;
3563 3563
3564 KASSERT(!cpu_softintr_p()); 3564 KASSERT(!cpu_softintr_p());
3565 KASSERT(m != NULL); 3565 KASSERT(m != NULL);
3566 KASSERT(mhp != NULL); 3566 KASSERT(mhp != NULL);
3567 KASSERT(mhp->msg != NULL); 3567 KASSERT(mhp->msg != NULL);
3568 3568
3569 /* We shouldn't initialize sav variables while someone uses it. */ 3569 /* We shouldn't initialize sav variables while someone uses it. */
3570 KASSERT(key_sa_refcnt(sav) == 0); 3570 KASSERT(key_sa_refcnt(sav) == 0);
3571 3571
3572 /* SA */ 3572 /* SA */
3573 if (mhp->ext[SADB_EXT_SA] != NULL) { 3573 if (mhp->ext[SADB_EXT_SA] != NULL) {
3574 const struct sadb_sa *sa0; 3574 const struct sadb_sa *sa0;
3575 3575
3576 sa0 = mhp->ext[SADB_EXT_SA]; 3576 sa0 = mhp->ext[SADB_EXT_SA];
3577 if (mhp->extlen[SADB_EXT_SA] < sizeof(*sa0)) { 3577 if (mhp->extlen[SADB_EXT_SA] < sizeof(*sa0)) {
3578 error = EINVAL; 3578 error = EINVAL;
3579 goto fail; 3579 goto fail;
3580 } 3580 }
3581 3581
3582 sav->alg_auth = sa0->sadb_sa_auth; 3582 sav->alg_auth = sa0->sadb_sa_auth;
3583 sav->alg_enc = sa0->sadb_sa_encrypt; 3583 sav->alg_enc = sa0->sadb_sa_encrypt;
3584 sav->flags = sa0->sadb_sa_flags; 3584 sav->flags = sa0->sadb_sa_flags;
3585 3585
3586 /* replay window */ 3586 /* replay window */
3587 if ((sa0->sadb_sa_flags & SADB_X_EXT_OLD) == 0) { 3587 if ((sa0->sadb_sa_flags & SADB_X_EXT_OLD) == 0) {
3588 size_t len = sizeof(struct secreplay) + 3588 size_t len = sizeof(struct secreplay) +
3589 sa0->sadb_sa_replay; 3589 sa0->sadb_sa_replay;
3590 sav->replay = kmem_zalloc(len, KM_SLEEP); 3590 sav->replay = kmem_zalloc(len, KM_SLEEP);
3591 sav->replay_len = len; 3591 sav->replay_len = len;
3592 if (sa0->sadb_sa_replay != 0) 3592 if (sa0->sadb_sa_replay != 0)
3593 sav->replay->bitmap = (char*)(sav->replay+1); 3593 sav->replay->bitmap = (char*)(sav->replay+1);
3594 sav->replay->wsize = sa0->sadb_sa_replay; 3594 sav->replay->wsize = sa0->sadb_sa_replay;
3595 } 3595 }
3596 } 3596 }
3597 3597
3598 /* Authentication keys */ 3598 /* Authentication keys */
3599 if (mhp->ext[SADB_EXT_KEY_AUTH] != NULL) { 3599 if (mhp->ext[SADB_EXT_KEY_AUTH] != NULL) {
3600 const struct sadb_key *key0; 3600 const struct sadb_key *key0;
3601 int len; 3601 int len;
3602 3602
3603 key0 = mhp->ext[SADB_EXT_KEY_AUTH]; 3603 key0 = mhp->ext[SADB_EXT_KEY_AUTH];
3604 len = mhp->extlen[SADB_EXT_KEY_AUTH]; 3604 len = mhp->extlen[SADB_EXT_KEY_AUTH];
3605 3605
3606 error = 0; 3606 error = 0;
3607 if (len < sizeof(*key0)) { 3607 if (len < sizeof(*key0)) {
3608 error = EINVAL; 3608 error = EINVAL;
3609 goto fail; 3609 goto fail;
3610 } 3610 }
3611 switch (mhp->msg->sadb_msg_satype) { 3611 switch (mhp->msg->sadb_msg_satype) {
3612 case SADB_SATYPE_AH: 3612 case SADB_SATYPE_AH:
3613 case SADB_SATYPE_ESP: 3613 case SADB_SATYPE_ESP:
3614 case SADB_X_SATYPE_TCPSIGNATURE: 3614 case SADB_X_SATYPE_TCPSIGNATURE:
3615 if (len == PFKEY_ALIGN8(sizeof(struct sadb_key)) && 3615 if (len == PFKEY_ALIGN8(sizeof(struct sadb_key)) &&
3616 sav->alg_auth != SADB_X_AALG_NULL) 3616 sav->alg_auth != SADB_X_AALG_NULL)
3617 error = EINVAL; 3617 error = EINVAL;
3618 break; 3618 break;
3619 case SADB_X_SATYPE_IPCOMP: 3619 case SADB_X_SATYPE_IPCOMP:
3620 default: 3620 default:
3621 error = EINVAL; 3621 error = EINVAL;
3622 break; 3622 break;
3623 } 3623 }
3624 if (error) { 3624 if (error) {
3625 IPSECLOG(LOG_DEBUG, "invalid key_auth values.\n"); 3625 IPSECLOG(LOG_DEBUG, "invalid key_auth values.\n");
3626 goto fail; 3626 goto fail;
3627 } 3627 }
3628 3628
3629 sav->key_auth = key_newbuf(key0, len); 3629 sav->key_auth = key_newbuf(key0, len);
3630 sav->key_auth_len = len; 3630 sav->key_auth_len = len;
3631 } 3631 }
3632 3632
3633 /* Encryption key */ 3633 /* Encryption key */
3634 if (mhp->ext[SADB_EXT_KEY_ENCRYPT] != NULL) { 3634 if (mhp->ext[SADB_EXT_KEY_ENCRYPT] != NULL) {
3635 const struct sadb_key *key0; 3635 const struct sadb_key *key0;
3636 int len; 3636 int len;
3637 3637
3638 key0 = mhp->ext[SADB_EXT_KEY_ENCRYPT]; 3638 key0 = mhp->ext[SADB_EXT_KEY_ENCRYPT];
3639 len = mhp->extlen[SADB_EXT_KEY_ENCRYPT]; 3639 len = mhp->extlen[SADB_EXT_KEY_ENCRYPT];
3640 3640
3641 error = 0; 3641 error = 0;
3642 if (len < sizeof(*key0)) { 3642 if (len < sizeof(*key0)) {
3643 error = EINVAL; 3643 error = EINVAL;
3644 goto fail; 3644 goto fail;
3645 } 3645 }
3646 switch (mhp->msg->sadb_msg_satype) { 3646 switch (mhp->msg->sadb_msg_satype) {
3647 case SADB_SATYPE_ESP: 3647 case SADB_SATYPE_ESP:
3648 if (len == PFKEY_ALIGN8(sizeof(struct sadb_key)) && 3648 if (len == PFKEY_ALIGN8(sizeof(struct sadb_key)) &&
3649 sav->alg_enc != SADB_EALG_NULL) { 3649 sav->alg_enc != SADB_EALG_NULL) {
3650 error = EINVAL; 3650 error = EINVAL;
3651 break; 3651 break;
3652 } 3652 }
3653 sav->key_enc = key_newbuf(key0, len); 3653 sav->key_enc = key_newbuf(key0, len);
3654 sav->key_enc_len = len; 3654 sav->key_enc_len = len;
3655 break; 3655 break;
3656 case SADB_X_SATYPE_IPCOMP: 3656 case SADB_X_SATYPE_IPCOMP:
3657 if (len != PFKEY_ALIGN8(sizeof(struct sadb_key))) 3657 if (len != PFKEY_ALIGN8(sizeof(struct sadb_key)))
3658 error = EINVAL; 3658 error = EINVAL;
3659 sav->key_enc = NULL; /*just in case*/ 3659 sav->key_enc = NULL; /*just in case*/
3660 break; 3660 break;
3661 case SADB_SATYPE_AH: 3661 case SADB_SATYPE_AH:
3662 case SADB_X_SATYPE_TCPSIGNATURE: 3662 case SADB_X_SATYPE_TCPSIGNATURE:
3663 default: 3663 default:
3664 error = EINVAL; 3664 error = EINVAL;
3665 break; 3665 break;
3666 } 3666 }
3667 if (error) { 3667 if (error) {
3668 IPSECLOG(LOG_DEBUG, "invalid key_enc value.\n"); 3668 IPSECLOG(LOG_DEBUG, "invalid key_enc value.\n");
3669 goto fail; 3669 goto fail;
3670 } 3670 }
3671 } 3671 }
3672 3672
3673 /* set iv */ 3673 /* set iv */
3674 sav->ivlen = 0; 3674 sav->ivlen = 0;
3675 3675
3676 switch (mhp->msg->sadb_msg_satype) { 3676 switch (mhp->msg->sadb_msg_satype) {
3677 case SADB_SATYPE_AH: 3677 case SADB_SATYPE_AH:
3678 error = xform_init(sav, XF_AH); 3678 error = xform_init(sav, XF_AH);
3679 break; 3679 break;
3680 case SADB_SATYPE_ESP: 3680 case SADB_SATYPE_ESP:
3681 error = xform_init(sav, XF_ESP); 3681 error = xform_init(sav, XF_ESP);
3682 break; 3682 break;
3683 case SADB_X_SATYPE_IPCOMP: 3683 case SADB_X_SATYPE_IPCOMP:
3684 error = xform_init(sav, XF_IPCOMP); 3684 error = xform_init(sav, XF_IPCOMP);
3685 break; 3685 break;
3686 case SADB_X_SATYPE_TCPSIGNATURE: 3686 case SADB_X_SATYPE_TCPSIGNATURE:
3687 error = xform_init(sav, XF_TCPSIGNATURE); 3687 error = xform_init(sav, XF_TCPSIGNATURE);
3688 break; 3688 break;
3689 } 3689 }
3690 if (error) { 3690 if (error) {
3691 IPSECLOG(LOG_DEBUG, "unable to initialize SA type %u.\n", 3691 IPSECLOG(LOG_DEBUG, "unable to initialize SA type %u.\n",
3692 mhp->msg->sadb_msg_satype); 3692 mhp->msg->sadb_msg_satype);
3693 goto fail; 3693 goto fail;
3694 } 3694 }
3695 3695
3696 /* reset created */ 3696 /* reset created */
3697 sav->created = time_uptime; 3697 sav->created = time_uptime;
3698 3698
3699 /* make lifetime for CURRENT */ 3699 /* make lifetime for CURRENT */
3700 sav->lft_c = kmem_alloc(sizeof(struct sadb_lifetime), KM_SLEEP); 3700 sav->lft_c = kmem_alloc(sizeof(struct sadb_lifetime), KM_SLEEP);
3701 3701
3702 sav->lft_c->sadb_lifetime_len = 3702 sav->lft_c->sadb_lifetime_len =
3703 PFKEY_UNIT64(sizeof(struct sadb_lifetime)); 3703 PFKEY_UNIT64(sizeof(struct sadb_lifetime));
3704 sav->lft_c->sadb_lifetime_exttype = SADB_EXT_LIFETIME_CURRENT; 3704 sav->lft_c->sadb_lifetime_exttype = SADB_EXT_LIFETIME_CURRENT;
3705 sav->lft_c->sadb_lifetime_allocations = 0; 3705 sav->lft_c->sadb_lifetime_allocations = 0;
3706 sav->lft_c->sadb_lifetime_bytes = 0; 3706 sav->lft_c->sadb_lifetime_bytes = 0;
3707 sav->lft_c->sadb_lifetime_addtime = time_uptime; 3707 sav->lft_c->sadb_lifetime_addtime = time_uptime;
3708 sav->lft_c->sadb_lifetime_usetime = 0; 3708 sav->lft_c->sadb_lifetime_usetime = 0;
3709 3709
3710 sav->lft_c_counters_percpu = percpu_alloc(sizeof(lifetime_counters_t)); 3710 sav->lft_c_counters_percpu = percpu_alloc(sizeof(lifetime_counters_t));
3711 3711
3712 /* lifetimes for HARD and SOFT */ 3712 /* lifetimes for HARD and SOFT */
3713 { 3713 {
3714 const struct sadb_lifetime *lft0; 3714 const struct sadb_lifetime *lft0;
3715 3715
3716 lft0 = mhp->ext[SADB_EXT_LIFETIME_HARD]; 3716 lft0 = mhp->ext[SADB_EXT_LIFETIME_HARD];
3717 if (lft0 != NULL) { 3717 if (lft0 != NULL) {
3718 if (mhp->extlen[SADB_EXT_LIFETIME_HARD] < sizeof(*lft0)) { 3718 if (mhp->extlen[SADB_EXT_LIFETIME_HARD] < sizeof(*lft0)) {
3719 error = EINVAL; 3719 error = EINVAL;
3720 goto fail; 3720 goto fail;
3721 } 3721 }
3722 sav->lft_h = key_newbuf(lft0, sizeof(*lft0)); 3722 sav->lft_h = key_newbuf(lft0, sizeof(*lft0));
3723 } 3723 }
3724 3724
3725 lft0 = mhp->ext[SADB_EXT_LIFETIME_SOFT]; 3725 lft0 = mhp->ext[SADB_EXT_LIFETIME_SOFT];
3726 if (lft0 != NULL) { 3726 if (lft0 != NULL) {
3727 if (mhp->extlen[SADB_EXT_LIFETIME_SOFT] < sizeof(*lft0)) { 3727 if (mhp->extlen[SADB_EXT_LIFETIME_SOFT] < sizeof(*lft0)) {
3728 error = EINVAL; 3728 error = EINVAL;
3729 goto fail; 3729 goto fail;
3730 } 3730 }
3731 sav->lft_s = key_newbuf(lft0, sizeof(*lft0)); 3731 sav->lft_s = key_newbuf(lft0, sizeof(*lft0));
3732 /* to be initialize ? */ 3732 /* to be initialize ? */
3733 } 3733 }
3734 } 3734 }
3735 3735
3736 return 0; 3736 return 0;
3737 3737
3738 fail: 3738 fail:
3739 key_clear_xform(sav); 3739 key_clear_xform(sav);
3740 key_freesaval(sav); 3740 key_freesaval(sav);
3741 3741
3742 return error; 3742 return error;
3743} 3743}
3744 3744
3745/* 3745/*
3746 * validation with a secasvar entry, and set SADB_SATYPE_MATURE. 3746 * validation with a secasvar entry, and set SADB_SATYPE_MATURE.
3747 * OUT: 0: valid 3747 * OUT: 0: valid
3748 * other: errno 3748 * other: errno
3749 */ 3749 */
3750static int 3750static int
3751key_init_xform(struct secasvar *sav) 3751key_init_xform(struct secasvar *sav)
3752{ 3752{
3753 int error; 3753 int error;
3754 3754
3755 /* We shouldn't initialize sav variables while someone uses it. */ 3755 /* We shouldn't initialize sav variables while someone uses it. */
3756 KASSERT(key_sa_refcnt(sav) == 0); 3756 KASSERT(key_sa_refcnt(sav) == 0);
3757 3757
3758 /* check SPI value */ 3758 /* check SPI value */
3759 switch (sav->sah->saidx.proto) { 3759 switch (sav->sah->saidx.proto) {
3760 case IPPROTO_ESP: 3760 case IPPROTO_ESP:
3761 case IPPROTO_AH: 3761 case IPPROTO_AH:
3762 if (ntohl(sav->spi) <= 255) { 3762 if (ntohl(sav->spi) <= 255) {
3763 IPSECLOG(LOG_DEBUG, "illegal range of SPI %u.\n", 3763 IPSECLOG(LOG_DEBUG, "illegal range of SPI %u.\n",
3764 (u_int32_t)ntohl(sav->spi)); 3764 (u_int32_t)ntohl(sav->spi));
3765 return EINVAL; 3765 return EINVAL;
3766 } 3766 }
3767 break; 3767 break;
3768 } 3768 }
3769 3769
3770 /* check algo */ 3770 /* check algo */
3771 switch (sav->sah->saidx.proto) { 3771 switch (sav->sah->saidx.proto) {
3772 case IPPROTO_AH: 3772 case IPPROTO_AH:
3773 case IPPROTO_TCP: 3773 case IPPROTO_TCP:
3774 if (sav->alg_enc != SADB_EALG_NONE) { 3774 if (sav->alg_enc != SADB_EALG_NONE) {
3775 IPSECLOG(LOG_DEBUG, 3775 IPSECLOG(LOG_DEBUG,
3776 "protocol %u and algorithm mismatched %u != %u.\n", 3776 "protocol %u and algorithm mismatched %u != %u.\n",
3777 sav->sah->saidx.proto, 3777 sav->sah->saidx.proto,
3778 sav->alg_enc, SADB_EALG_NONE); 3778 sav->alg_enc, SADB_EALG_NONE);
3779 return EINVAL; 3779 return EINVAL;
3780 } 3780 }
3781 break; 3781 break;
3782 case IPPROTO_IPCOMP: 3782 case IPPROTO_IPCOMP:
3783 if (sav->alg_auth != SADB_AALG_NONE) { 3783 if (sav->alg_auth != SADB_AALG_NONE) {
3784 IPSECLOG(LOG_DEBUG, 3784 IPSECLOG(LOG_DEBUG,
3785 "protocol %u and algorithm mismatched %d != %d.\n", 3785 "protocol %u and algorithm mismatched %d != %d.\n",
3786 sav->sah->saidx.proto, 3786 sav->sah->saidx.proto,
3787 sav->alg_auth, SADB_AALG_NONE); 3787 sav->alg_auth, SADB_AALG_NONE);
3788 return(EINVAL); 3788 return(EINVAL);
3789 } 3789 }
3790 break; 3790 break;
3791 default: 3791 default:
3792 break; 3792 break;
3793 } 3793 }
3794 3794
3795 /* check satype */ 3795 /* check satype */
3796 switch (sav->sah->saidx.proto) { 3796 switch (sav->sah->saidx.proto) {
3797 case IPPROTO_ESP: 3797 case IPPROTO_ESP:
3798 /* check flags */ 3798 /* check flags */
3799 if ((sav->flags & (SADB_X_EXT_OLD|SADB_X_EXT_DERIV)) == 3799 if ((sav->flags & (SADB_X_EXT_OLD|SADB_X_EXT_DERIV)) ==
3800 (SADB_X_EXT_OLD|SADB_X_EXT_DERIV)) { 3800 (SADB_X_EXT_OLD|SADB_X_EXT_DERIV)) {
3801 IPSECLOG(LOG_DEBUG, 3801 IPSECLOG(LOG_DEBUG,
3802 "invalid flag (derived) given to old-esp.\n"); 3802 "invalid flag (derived) given to old-esp.\n");
3803 return EINVAL; 3803 return EINVAL;
3804 } 3804 }
3805 error = xform_init(sav, XF_ESP); 3805 error = xform_init(sav, XF_ESP);
3806 break; 3806 break;
3807 case IPPROTO_AH: 3807 case IPPROTO_AH:
3808 /* check flags */ 3808 /* check flags */
3809 if (sav->flags & SADB_X_EXT_DERIV) { 3809 if (sav->flags & SADB_X_EXT_DERIV) {
3810 IPSECLOG(LOG_DEBUG, 3810 IPSECLOG(LOG_DEBUG,
3811 "invalid flag (derived) given to AH SA.\n"); 3811 "invalid flag (derived) given to AH SA.\n");
3812 return EINVAL; 3812 return EINVAL;
3813 } 3813 }
3814 error = xform_init(sav, XF_AH); 3814 error = xform_init(sav, XF_AH);
3815 break; 3815 break;
3816 case IPPROTO_IPCOMP: 3816 case IPPROTO_IPCOMP:
3817 if ((sav->flags & SADB_X_EXT_RAWCPI) == 0 3817 if ((sav->flags & SADB_X_EXT_RAWCPI) == 0
3818 && ntohl(sav->spi) >= 0x10000) { 3818 && ntohl(sav->spi) >= 0x10000) {
3819 IPSECLOG(LOG_DEBUG, "invalid cpi for IPComp.\n"); 3819 IPSECLOG(LOG_DEBUG, "invalid cpi for IPComp.\n");
3820 return(EINVAL); 3820 return(EINVAL);
3821 } 3821 }
3822 error = xform_init(sav, XF_IPCOMP); 3822 error = xform_init(sav, XF_IPCOMP);
3823 break; 3823 break;
3824 case IPPROTO_TCP: 3824 case IPPROTO_TCP:
3825 error = xform_init(sav, XF_TCPSIGNATURE); 3825 error = xform_init(sav, XF_TCPSIGNATURE);
3826 break; 3826 break;
3827 default: 3827 default:
3828 IPSECLOG(LOG_DEBUG, "Invalid satype.\n"); 3828 IPSECLOG(LOG_DEBUG, "Invalid satype.\n");
3829 error = EPROTONOSUPPORT; 3829 error = EPROTONOSUPPORT;
3830 break; 3830 break;
3831 } 3831 }
3832 3832
3833 return error; 3833 return error;
3834} 3834}
3835 3835
3836/* 3836/*
3837 * subroutine for SADB_GET and SADB_DUMP. It never return NULL. 3837 * subroutine for SADB_GET and SADB_DUMP. It never return NULL.
3838 */ 3838 */
3839static struct mbuf * 3839static struct mbuf *
3840key_setdumpsa(struct secasvar *sav, u_int8_t type, u_int8_t satype, 3840key_setdumpsa(struct secasvar *sav, u_int8_t type, u_int8_t satype,
3841 u_int32_t seq, u_int32_t pid) 3841 u_int32_t seq, u_int32_t pid)
3842{ 3842{
3843 struct mbuf *result = NULL, *tres = NULL, *m; 3843 struct mbuf *result = NULL, *tres = NULL, *m;
3844 int l = 0; 3844 int l = 0;
3845 int i; 3845 int i;
3846 void *p; 3846 void *p;
3847 struct sadb_lifetime lt; 3847 struct sadb_lifetime lt;
3848 int dumporder[] = { 3848 int dumporder[] = {
3849 SADB_EXT_SA, SADB_X_EXT_SA2, 3849 SADB_EXT_SA, SADB_X_EXT_SA2,
3850 SADB_EXT_LIFETIME_HARD, SADB_EXT_LIFETIME_SOFT, 3850 SADB_EXT_LIFETIME_HARD, SADB_EXT_LIFETIME_SOFT,
3851 SADB_EXT_LIFETIME_CURRENT, SADB_EXT_ADDRESS_SRC, 3851 SADB_EXT_LIFETIME_CURRENT, SADB_EXT_ADDRESS_SRC,
3852 SADB_EXT_ADDRESS_DST, SADB_EXT_ADDRESS_PROXY, SADB_EXT_KEY_AUTH, 3852 SADB_EXT_ADDRESS_DST, SADB_EXT_ADDRESS_PROXY, SADB_EXT_KEY_AUTH,
3853 SADB_EXT_KEY_ENCRYPT, SADB_EXT_IDENTITY_SRC, 3853 SADB_EXT_KEY_ENCRYPT, SADB_EXT_IDENTITY_SRC,
3854 SADB_EXT_IDENTITY_DST, SADB_EXT_SENSITIVITY, 3854 SADB_EXT_IDENTITY_DST, SADB_EXT_SENSITIVITY,
3855 SADB_X_EXT_NAT_T_TYPE, 3855 SADB_X_EXT_NAT_T_TYPE,
3856 SADB_X_EXT_NAT_T_SPORT, SADB_X_EXT_NAT_T_DPORT, 3856 SADB_X_EXT_NAT_T_SPORT, SADB_X_EXT_NAT_T_DPORT,
3857 SADB_X_EXT_NAT_T_OAI, SADB_X_EXT_NAT_T_OAR, 3857 SADB_X_EXT_NAT_T_OAI, SADB_X_EXT_NAT_T_OAR,
3858 SADB_X_EXT_NAT_T_FRAG, 3858 SADB_X_EXT_NAT_T_FRAG,
3859 3859
3860 }; 3860 };
3861 3861
3862 m = key_setsadbmsg(type, 0, satype, seq, pid, key_sa_refcnt(sav), M_WAITOK); 3862 m = key_setsadbmsg(type, 0, satype, seq, pid, key_sa_refcnt(sav), M_WAITOK);
3863 result = m; 3863 result = m;
3864 3864
3865 for (i = __arraycount(dumporder) - 1; i >= 0; i--) { 3865 for (i = __arraycount(dumporder) - 1; i >= 0; i--) {
3866 m = NULL; 3866 m = NULL;
3867 p = NULL; 3867 p = NULL;
3868 switch (dumporder[i]) { 3868 switch (dumporder[i]) {
3869 case SADB_EXT_SA: 3869 case SADB_EXT_SA:
3870 m = key_setsadbsa(sav); 3870 m = key_setsadbsa(sav);
3871 break; 3871 break;
3872 3872
3873 case SADB_X_EXT_SA2: 3873 case SADB_X_EXT_SA2:
3874 m = key_setsadbxsa2(sav->sah->saidx.mode, 3874 m = key_setsadbxsa2(sav->sah->saidx.mode,
3875 sav->replay ? sav->replay->count : 0, 3875 sav->replay ? sav->replay->count : 0,
3876 sav->sah->saidx.reqid); 3876 sav->sah->saidx.reqid);
3877 break; 3877 break;
3878 3878
3879 case SADB_EXT_ADDRESS_SRC: 3879 case SADB_EXT_ADDRESS_SRC:
3880 m = key_setsadbaddr(SADB_EXT_ADDRESS_SRC, 3880 m = key_setsadbaddr(SADB_EXT_ADDRESS_SRC,
3881 &sav->sah->saidx.src.sa, 3881 &sav->sah->saidx.src.sa,
3882 FULLMASK, IPSEC_ULPROTO_ANY, M_WAITOK); 3882 FULLMASK, IPSEC_ULPROTO_ANY, M_WAITOK);
3883 break; 3883 break;
3884 3884
3885 case SADB_EXT_ADDRESS_DST: 3885 case SADB_EXT_ADDRESS_DST:
3886 m = key_setsadbaddr(SADB_EXT_ADDRESS_DST, 3886 m = key_setsadbaddr(SADB_EXT_ADDRESS_DST,
3887 &sav->sah->saidx.dst.sa, 3887 &sav->sah->saidx.dst.sa,
3888 FULLMASK, IPSEC_ULPROTO_ANY, M_WAITOK); 3888 FULLMASK, IPSEC_ULPROTO_ANY, M_WAITOK);
3889 break; 3889 break;
3890 3890
3891 case SADB_EXT_KEY_AUTH: 3891 case SADB_EXT_KEY_AUTH:
3892 if (!sav->key_auth) 3892 if (!sav->key_auth)
3893 continue; 3893 continue;
3894 l = PFKEY_UNUNIT64(sav->key_auth->sadb_key_len); 3894 l = PFKEY_UNUNIT64(sav->key_auth->sadb_key_len);
3895 p = sav->key_auth; 3895 p = sav->key_auth;
3896 break; 3896 break;
3897 3897
3898 case SADB_EXT_KEY_ENCRYPT: 3898 case SADB_EXT_KEY_ENCRYPT:
3899 if (!sav->key_enc) 3899 if (!sav->key_enc)
3900 continue; 3900 continue;
3901 l = PFKEY_UNUNIT64(sav->key_enc->sadb_key_len); 3901 l = PFKEY_UNUNIT64(sav->key_enc->sadb_key_len);
3902 p = sav->key_enc; 3902 p = sav->key_enc;
3903 break; 3903 break;
3904 3904
3905 case SADB_EXT_LIFETIME_CURRENT: { 3905 case SADB_EXT_LIFETIME_CURRENT: {
3906 lifetime_counters_t sum = {0}; 3906 lifetime_counters_t sum = {0};
3907 3907
3908 KASSERT(sav->lft_c != NULL); 3908 KASSERT(sav->lft_c != NULL);
3909 l = PFKEY_UNUNIT64(((struct sadb_ext *)sav->lft_c)->sadb_ext_len); 3909 l = PFKEY_UNUNIT64(((struct sadb_ext *)sav->lft_c)->sadb_ext_len);
3910 memcpy(&lt, sav->lft_c, sizeof(struct sadb_lifetime)); 3910 memcpy(&lt, sav->lft_c, sizeof(struct sadb_lifetime));
3911 lt.sadb_lifetime_addtime = 3911 lt.sadb_lifetime_addtime =
3912 time_mono_to_wall(lt.sadb_lifetime_addtime); 3912 time_mono_to_wall(lt.sadb_lifetime_addtime);
3913 lt.sadb_lifetime_usetime = 3913 lt.sadb_lifetime_usetime =
3914 time_mono_to_wall(lt.sadb_lifetime_usetime); 3914 time_mono_to_wall(lt.sadb_lifetime_usetime);
3915 percpu_foreach(sav->lft_c_counters_percpu, 3915 percpu_foreach(sav->lft_c_counters_percpu,
3916 key_sum_lifetime_counters, sum); 3916 key_sum_lifetime_counters, sum);
3917 lt.sadb_lifetime_allocations = 3917 lt.sadb_lifetime_allocations =
3918 sum[LIFETIME_COUNTER_ALLOCATIONS]; 3918 sum[LIFETIME_COUNTER_ALLOCATIONS];
3919 lt.sadb_lifetime_bytes = 3919 lt.sadb_lifetime_bytes =
3920 sum[LIFETIME_COUNTER_BYTES]; 3920 sum[LIFETIME_COUNTER_BYTES];
3921 p = &lt; 3921 p = &lt;
3922 break; 3922 break;
3923 } 3923 }
3924 3924
3925 case SADB_EXT_LIFETIME_HARD: 3925 case SADB_EXT_LIFETIME_HARD:
3926 if (!sav->lft_h) 3926 if (!sav->lft_h)
3927 continue; 3927 continue;
3928 l = PFKEY_UNUNIT64(((struct sadb_ext *)sav->lft_h)->sadb_ext_len); 3928 l = PFKEY_UNUNIT64(((struct sadb_ext *)sav->lft_h)->sadb_ext_len);
3929 p = sav->lft_h; 3929 p = sav->lft_h;
3930 break; 3930 break;
3931 3931
3932 case SADB_EXT_LIFETIME_SOFT: 3932 case SADB_EXT_LIFETIME_SOFT:
3933 if (!sav->lft_s) 3933 if (!sav->lft_s)
3934 continue; 3934 continue;
3935 l = PFKEY_UNUNIT64(((struct sadb_ext *)sav->lft_s)->sadb_ext_len); 3935 l = PFKEY_UNUNIT64(((struct sadb_ext *)sav->lft_s)->sadb_ext_len);
3936 p = sav->lft_s; 3936 p = sav->lft_s;
3937 break; 3937 break;
3938 3938
3939 case SADB_X_EXT_NAT_T_TYPE: 3939 case SADB_X_EXT_NAT_T_TYPE:
3940 m = key_setsadbxtype(sav->natt_type); 3940 m = key_setsadbxtype(sav->natt_type);
3941 break; 3941 break;
3942 3942
3943 case SADB_X_EXT_NAT_T_DPORT: 3943 case SADB_X_EXT_NAT_T_DPORT:
3944 if (sav->natt_type == 0) 3944 if (sav->natt_type == 0)
3945 continue; 3945 continue;
3946 m = key_setsadbxport( 3946 m = key_setsadbxport(
3947 key_portfromsaddr(&sav->sah->saidx.dst), 3947 key_portfromsaddr(&sav->sah->saidx.dst),
3948 SADB_X_EXT_NAT_T_DPORT); 3948 SADB_X_EXT_NAT_T_DPORT);
3949 break; 3949 break;
3950 3950
3951 case SADB_X_EXT_NAT_T_SPORT: 3951 case SADB_X_EXT_NAT_T_SPORT:
3952 if (sav->natt_type == 0) 3952 if (sav->natt_type == 0)
3953 continue; 3953 continue;
3954 m = key_setsadbxport( 3954 m = key_setsadbxport(
3955 key_portfromsaddr(&sav->sah->saidx.src), 3955 key_portfromsaddr(&sav->sah->saidx.src),
3956 SADB_X_EXT_NAT_T_SPORT); 3956 SADB_X_EXT_NAT_T_SPORT);
3957 break; 3957 break;
3958 3958
3959 case SADB_X_EXT_NAT_T_FRAG: 3959 case SADB_X_EXT_NAT_T_FRAG:
3960 /* don't send frag info if not set */ 3960 /* don't send frag info if not set */
3961 if (sav->natt_type == 0 || sav->esp_frag == IP_MAXPACKET) 3961 if (sav->natt_type == 0 || sav->esp_frag == IP_MAXPACKET)
3962 continue; 3962 continue;
3963 m = key_setsadbxfrag(sav->esp_frag); 3963 m = key_setsadbxfrag(sav->esp_frag);
3964 break; 3964 break;
3965 3965
3966 case SADB_X_EXT_NAT_T_OAI: 3966 case SADB_X_EXT_NAT_T_OAI:
3967 case SADB_X_EXT_NAT_T_OAR: 3967 case SADB_X_EXT_NAT_T_OAR:
3968 continue; 3968 continue;
3969 3969
3970 case SADB_EXT_ADDRESS_PROXY: 3970 case SADB_EXT_ADDRESS_PROXY:
3971 case SADB_EXT_IDENTITY_SRC: 3971 case SADB_EXT_IDENTITY_SRC:
3972 case SADB_EXT_IDENTITY_DST: 3972 case SADB_EXT_IDENTITY_DST:
3973 /* XXX: should we brought from SPD ? */ 3973 /* XXX: should we brought from SPD ? */
3974 case SADB_EXT_SENSITIVITY: 3974 case SADB_EXT_SENSITIVITY:
3975 default: 3975 default:
3976 continue; 3976 continue;
3977 } 3977 }
3978 3978
3979 KASSERT(!(m && p)); 3979 KASSERT(!(m && p));
3980 KASSERT(m != NULL || p != NULL); 3980 KASSERT(m != NULL || p != NULL);
3981 if (p && tres) { 3981 if (p && tres) {
3982 M_PREPEND(tres, l, M_WAITOK); 3982 M_PREPEND(tres, l, M_WAITOK);
3983 memcpy(mtod(tres, void *), p, l); 3983 memcpy(mtod(tres, void *), p, l);
3984 continue; 3984 continue;
3985 } 3985 }
3986 if (p) { 3986 if (p) {
3987 m = key_alloc_mbuf(l, M_WAITOK); 3987 m = key_alloc_mbuf(l, M_WAITOK);
3988 m_copyback(m, 0, l, p); 3988 m_copyback(m, 0, l, p);
3989 } 3989 }
3990 3990
3991 if (tres) 3991 if (tres)
3992 m_cat(m, tres); 3992 m_cat(m, tres);
3993 tres = m; 3993 tres = m;
3994 } 3994 }
3995 3995
3996 m_cat(result, tres); 3996 m_cat(result, tres);
3997 tres = NULL; /* avoid free on error below */ 3997 tres = NULL; /* avoid free on error below */
3998 3998
3999 KASSERT(result->m_len >= sizeof(struct sadb_msg)); 3999 KASSERT(result->m_len >= sizeof(struct sadb_msg));
4000 4000
4001 result->m_pkthdr.len = 0; 4001 result->m_pkthdr.len = 0;
4002 for (m = result; m; m = m->m_next) 4002 for (m = result; m; m = m->m_next)
4003 result->m_pkthdr.len += m->m_len; 4003 result->m_pkthdr.len += m->m_len;
4004 4004
4005 mtod(result, struct sadb_msg *)->sadb_msg_len = 4005 mtod(result, struct sadb_msg *)->sadb_msg_len =
4006 PFKEY_UNIT64(result->m_pkthdr.len); 4006 PFKEY_UNIT64(result->m_pkthdr.len);
4007 4007
4008 return result; 4008 return result;
4009} 4009}
4010 4010
4011 4011
4012/* 4012/*
4013 * set a type in sadb_x_nat_t_type 4013 * set a type in sadb_x_nat_t_type
4014 */ 4014 */
4015static struct mbuf * 4015static struct mbuf *
4016key_setsadbxtype(u_int16_t type) 4016key_setsadbxtype(u_int16_t type)
4017{ 4017{
4018 struct mbuf *m; 4018 struct mbuf *m;
4019 size_t len; 4019 size_t len;
4020 struct sadb_x_nat_t_type *p; 4020 struct sadb_x_nat_t_type *p;
4021 4021
4022 len = PFKEY_ALIGN8(sizeof(struct sadb_x_nat_t_type)); 4022 len = PFKEY_ALIGN8(sizeof(struct sadb_x_nat_t_type));
4023 4023
4024 m = key_alloc_mbuf(len, M_WAITOK); 4024 m = key_alloc_mbuf(len, M_WAITOK);
4025 KASSERT(m->m_next == NULL); 4025 KASSERT(m->m_next == NULL);
4026 4026
4027 p = mtod(m, struct sadb_x_nat_t_type *); 4027 p = mtod(m, struct sadb_x_nat_t_type *);
4028 4028
4029 memset(p, 0, len); 4029 memset(p, 0, len);
4030 p->sadb_x_nat_t_type_len = PFKEY_UNIT64(len); 4030 p->sadb_x_nat_t_type_len = PFKEY_UNIT64(len);
4031 p->sadb_x_nat_t_type_exttype = SADB_X_EXT_NAT_T_TYPE; 4031 p->sadb_x_nat_t_type_exttype = SADB_X_EXT_NAT_T_TYPE;
4032 p->sadb_x_nat_t_type_type = type; 4032 p->sadb_x_nat_t_type_type = type;
4033 4033
4034 return m; 4034 return m;
4035} 4035}
4036/* 4036/*
4037 * set a port in sadb_x_nat_t_port. port is in network order 4037 * set a port in sadb_x_nat_t_port. port is in network order
4038 */ 4038 */
4039static struct mbuf * 4039static struct mbuf *
4040key_setsadbxport(u_int16_t port, u_int16_t type) 4040key_setsadbxport(u_int16_t port, u_int16_t type)
4041{ 4041{
4042 struct mbuf *m; 4042 struct mbuf *m;
4043 size_t len; 4043 size_t len;
4044 struct sadb_x_nat_t_port *p; 4044 struct sadb_x_nat_t_port *p;
4045 4045
4046 len = PFKEY_ALIGN8(sizeof(struct sadb_x_nat_t_port)); 4046 len = PFKEY_ALIGN8(sizeof(struct sadb_x_nat_t_port));
4047 4047
4048 m = key_alloc_mbuf(len, M_WAITOK); 4048 m = key_alloc_mbuf(len, M_WAITOK);
4049 KASSERT(m->m_next == NULL); 4049 KASSERT(m->m_next == NULL);
4050 4050
4051 p = mtod(m, struct sadb_x_nat_t_port *); 4051 p = mtod(m, struct sadb_x_nat_t_port *);
4052 4052
4053 memset(p, 0, len); 4053 memset(p, 0, len);
4054 p->sadb_x_nat_t_port_len = PFKEY_UNIT64(len); 4054 p->sadb_x_nat_t_port_len = PFKEY_UNIT64(len);
4055 p->sadb_x_nat_t_port_exttype = type; 4055 p->sadb_x_nat_t_port_exttype = type;
4056 p->sadb_x_nat_t_port_port = port; 4056 p->sadb_x_nat_t_port_port = port;
4057 4057
4058 return m; 4058 return m;
4059} 4059}
4060 4060
4061/* 4061/*
4062 * set fragmentation info in sadb_x_nat_t_frag 4062 * set fragmentation info in sadb_x_nat_t_frag
4063 */ 4063 */
4064static struct mbuf * 4064static struct mbuf *
4065key_setsadbxfrag(u_int16_t flen) 4065key_setsadbxfrag(u_int16_t flen)
4066{ 4066{
4067 struct mbuf *m; 4067 struct mbuf *m;
4068 size_t len; 4068 size_t len;
4069 struct sadb_x_nat_t_frag *p; 4069 struct sadb_x_nat_t_frag *p;
4070 4070
4071 len = PFKEY_ALIGN8(sizeof(struct sadb_x_nat_t_frag)); 4071 len = PFKEY_ALIGN8(sizeof(struct sadb_x_nat_t_frag));
4072 4072
4073 m = key_alloc_mbuf(len, M_WAITOK); 4073 m = key_alloc_mbuf(len, M_WAITOK);
4074 KASSERT(m->m_next == NULL); 4074 KASSERT(m->m_next == NULL);
4075 4075
4076 p = mtod(m, struct sadb_x_nat_t_frag *); 4076 p = mtod(m, struct sadb_x_nat_t_frag *);
4077 4077
4078 memset(p, 0, len); 4078 memset(p, 0, len);
4079 p->sadb_x_nat_t_frag_len = PFKEY_UNIT64(len); 4079 p->sadb_x_nat_t_frag_len = PFKEY_UNIT64(len);
4080 p->sadb_x_nat_t_frag_exttype = SADB_X_EXT_NAT_T_FRAG; 4080 p->sadb_x_nat_t_frag_exttype = SADB_X_EXT_NAT_T_FRAG;
4081 p->sadb_x_nat_t_frag_fraglen = flen; 4081 p->sadb_x_nat_t_frag_fraglen = flen;
4082 4082
4083 return m; 4083 return m;
4084} 4084}
4085 4085
4086/* 4086/*
4087 * Get port from sockaddr, port is in network order 4087 * Get port from sockaddr, port is in network order
4088 */ 4088 */
4089u_int16_t 4089u_int16_t
4090key_portfromsaddr(const union sockaddr_union *saddr) 4090key_portfromsaddr(const union sockaddr_union *saddr)
4091{ 4091{
4092 u_int16_t port; 4092 u_int16_t port;
4093 4093
4094 switch (saddr->sa.sa_family) { 4094 switch (saddr->sa.sa_family) {
4095 case AF_INET: { 4095 case AF_INET: {
4096 port = saddr->sin.sin_port; 4096 port = saddr->sin.sin_port;
4097 break; 4097 break;
4098 } 4098 }
4099#ifdef INET6 4099#ifdef INET6
4100 case AF_INET6: { 4100 case AF_INET6: {
4101 port = saddr->sin6.sin6_port; 4101 port = saddr->sin6.sin6_port;
4102 break; 4102 break;
4103 } 4103 }
4104#endif 4104#endif
4105 default: 4105 default:
4106 printf("%s: unexpected address family\n", __func__); 4106 printf("%s: unexpected address family\n", __func__);
4107 port = 0; 4107 port = 0;
4108 break; 4108 break;
4109 } 4109 }
4110 4110
4111 return port; 4111 return port;
4112} 4112}
4113 4113
4114 4114
4115/* 4115/*
4116 * Set port is struct sockaddr. port is in network order 4116 * Set port is struct sockaddr. port is in network order
4117 */ 4117 */
4118static void 4118static void
4119key_porttosaddr(union sockaddr_union *saddr, u_int16_t port) 4119key_porttosaddr(union sockaddr_union *saddr, u_int16_t port)
4120{ 4120{
4121 switch (saddr->sa.sa_family) { 4121 switch (saddr->sa.sa_family) {
4122 case AF_INET: { 4122 case AF_INET: {
4123 saddr->sin.sin_port = port; 4123 saddr->sin.sin_port = port;
4124 break; 4124 break;
4125 } 4125 }
4126#ifdef INET6 4126#ifdef INET6
4127 case AF_INET6: { 4127 case AF_INET6: {
4128 saddr->sin6.sin6_port = port; 4128 saddr->sin6.sin6_port = port;
4129 break; 4129 break;
4130 } 4130 }
4131#endif 4131#endif
4132 default: 4132 default:
4133 printf("%s: unexpected address family %d\n", __func__, 4133 printf("%s: unexpected address family %d\n", __func__,
4134 saddr->sa.sa_family); 4134 saddr->sa.sa_family);
4135 break; 4135 break;
4136 } 4136 }
4137 4137
4138 return; 4138 return;
4139} 4139}
4140 4140
4141/* 4141/*
4142 * Safety check sa_len 4142 * Safety check sa_len
4143 */ 4143 */
4144static int 4144static int
4145key_checksalen(const union sockaddr_union *saddr) 4145key_checksalen(const union sockaddr_union *saddr)
4146{ 4146{
4147 switch (saddr->sa.sa_family) { 4147 switch (saddr->sa.sa_family) {
4148 case AF_INET: 4148 case AF_INET:
4149 if (saddr->sa.sa_len != sizeof(struct sockaddr_in)) 4149 if (saddr->sa.sa_len != sizeof(struct sockaddr_in))
4150 return -1; 4150 return -1;
4151 break; 4151 break;
4152#ifdef INET6 4152#ifdef INET6
4153 case AF_INET6: 4153 case AF_INET6:
4154 if (saddr->sa.sa_len != sizeof(struct sockaddr_in6)) 4154 if (saddr->sa.sa_len != sizeof(struct sockaddr_in6))
4155 return -1; 4155 return -1;
4156 break; 4156 break;
4157#endif 4157#endif
4158 default: 4158 default:
4159 printf("%s: unexpected sa_family %d\n", __func__, 4159 printf("%s: unexpected sa_family %d\n", __func__,
4160 saddr->sa.sa_family); 4160 saddr->sa.sa_family);
4161 return -1; 4161 return -1;
4162 break; 4162 break;
4163 } 4163 }
4164 return 0; 4164 return 0;
4165} 4165}
4166 4166
4167 4167
4168/* 4168/*
4169 * set data into sadb_msg. 4169 * set data into sadb_msg.
4170 */ 4170 */
4171static struct mbuf * 4171static struct mbuf *
4172key_setsadbmsg(u_int8_t type, u_int16_t tlen, u_int8_t satype, 4172key_setsadbmsg(u_int8_t type, u_int16_t tlen, u_int8_t satype,
4173 u_int32_t seq, pid_t pid, u_int16_t reserved, int mflag) 4173 u_int32_t seq, pid_t pid, u_int16_t reserved, int mflag)
4174{ 4174{
4175 struct mbuf *m; 4175 struct mbuf *m;
4176 struct sadb_msg *p; 4176 struct sadb_msg *p;
4177 int len; 4177 int len;
4178 4178
4179 CTASSERT(PFKEY_ALIGN8(sizeof(struct sadb_msg)) <= MCLBYTES); 4179 CTASSERT(PFKEY_ALIGN8(sizeof(struct sadb_msg)) <= MCLBYTES);
4180 4180
4181 len = PFKEY_ALIGN8(sizeof(struct sadb_msg)); 4181 len = PFKEY_ALIGN8(sizeof(struct sadb_msg));
4182 4182
4183 m = key_alloc_mbuf_simple(len, mflag); 4183 m = key_alloc_mbuf_simple(len, mflag);
4184 if (!m) 4184 if (!m)
4185 return NULL; 4185 return NULL;
4186 m->m_pkthdr.len = m->m_len = len; 4186 m->m_pkthdr.len = m->m_len = len;
4187 m->m_next = NULL; 4187 m->m_next = NULL;
4188 4188
4189 p = mtod(m, struct sadb_msg *); 4189 p = mtod(m, struct sadb_msg *);
4190 4190
4191 memset(p, 0, len); 4191 memset(p, 0, len);
4192 p->sadb_msg_version = PF_KEY_V2; 4192 p->sadb_msg_version = PF_KEY_V2;
4193 p->sadb_msg_type = type; 4193 p->sadb_msg_type = type;
4194 p->sadb_msg_errno = 0; 4194 p->sadb_msg_errno = 0;
4195 p->sadb_msg_satype = satype; 4195 p->sadb_msg_satype = satype;
4196 p->sadb_msg_len = PFKEY_UNIT64(tlen); 4196 p->sadb_msg_len = PFKEY_UNIT64(tlen);
4197 p->sadb_msg_reserved = reserved; 4197 p->sadb_msg_reserved = reserved;
4198 p->sadb_msg_seq = seq; 4198 p->sadb_msg_seq = seq;
4199 p->sadb_msg_pid = (u_int32_t)pid; 4199 p->sadb_msg_pid = (u_int32_t)pid;
4200 4200
4201 return m; 4201 return m;
4202} 4202}
4203 4203
4204/* 4204/*
4205 * copy secasvar data into sadb_address. 4205 * copy secasvar data into sadb_address.
4206 */ 4206 */
4207static struct mbuf * 4207static struct mbuf *
4208key_setsadbsa(struct secasvar *sav) 4208key_setsadbsa(struct secasvar *sav)
4209{ 4209{
4210 struct mbuf *m; 4210 struct mbuf *m;
4211 struct sadb_sa *p; 4211 struct sadb_sa *p;
4212 int len; 4212 int len;
4213 4213
4214 len = PFKEY_ALIGN8(sizeof(struct sadb_sa)); 4214 len = PFKEY_ALIGN8(sizeof(struct sadb_sa));
4215 m = key_alloc_mbuf(len, M_WAITOK); 4215 m = key_alloc_mbuf(len, M_WAITOK);
4216 KASSERT(m->m_next == NULL); 4216 KASSERT(m->m_next == NULL);
4217 4217
4218 p = mtod(m, struct sadb_sa *); 4218 p = mtod(m, struct sadb_sa *);
4219 4219
4220 memset(p, 0, len); 4220 memset(p, 0, len);
4221 p->sadb_sa_len = PFKEY_UNIT64(len); 4221 p->sadb_sa_len = PFKEY_UNIT64(len);
4222 p->sadb_sa_exttype = SADB_EXT_SA; 4222 p->sadb_sa_exttype = SADB_EXT_SA;
4223 p->sadb_sa_spi = sav->spi; 4223 p->sadb_sa_spi = sav->spi;
4224 p->sadb_sa_replay = (sav->replay != NULL ? sav->replay->wsize : 0); 4224 p->sadb_sa_replay = (sav->replay != NULL ? sav->replay->wsize : 0);
4225 p->sadb_sa_state = sav->state; 4225 p->sadb_sa_state = sav->state;
4226 p->sadb_sa_auth = sav->alg_auth; 4226 p->sadb_sa_auth = sav->alg_auth;
4227 p->sadb_sa_encrypt = sav->alg_enc; 4227 p->sadb_sa_encrypt = sav->alg_enc;
4228 p->sadb_sa_flags = sav->flags; 4228 p->sadb_sa_flags = sav->flags;
4229 4229
4230 return m; 4230 return m;
4231} 4231}
4232 4232
4233static uint8_t 4233static uint8_t
4234key_sabits(const struct sockaddr *saddr) 4234key_sabits(const struct sockaddr *saddr)
4235{ 4235{
4236 switch (saddr->sa_family) { 4236 switch (saddr->sa_family) {
4237 case AF_INET: 4237 case AF_INET:
4238 return _BITS(sizeof(struct in_addr)); 4238 return _BITS(sizeof(struct in_addr));
4239 case AF_INET6: 4239 case AF_INET6:
4240 return _BITS(sizeof(struct in6_addr)); 4240 return _BITS(sizeof(struct in6_addr));
4241 default: 4241 default:
4242 return FULLMASK; 4242 return FULLMASK;
4243 } 4243 }
4244} 4244}
4245 4245
4246/* 4246/*
4247 * set data into sadb_address. 4247 * set data into sadb_address.
4248 */ 4248 */
4249static struct mbuf * 4249static struct mbuf *
4250key_setsadbaddr(u_int16_t exttype, const struct sockaddr *saddr, 4250key_setsadbaddr(u_int16_t exttype, const struct sockaddr *saddr,
4251 u_int8_t prefixlen, u_int16_t ul_proto, int mflag) 4251 u_int8_t prefixlen, u_int16_t ul_proto, int mflag)
4252{ 4252{
4253 struct mbuf *m; 4253 struct mbuf *m;
4254 struct sadb_address *p; 4254 struct sadb_address *p;
4255 size_t len; 4255 size_t len;
4256 4256
4257 len = PFKEY_ALIGN8(sizeof(struct sadb_address)) + 4257 len = PFKEY_ALIGN8(sizeof(struct sadb_address)) +
4258 PFKEY_ALIGN8(saddr->sa_len); 4258 PFKEY_ALIGN8(saddr->sa_len);
4259 m = key_alloc_mbuf(len, mflag); 4259 m = key_alloc_mbuf(len, mflag);
4260 if (!m || m->m_next) { /*XXX*/ 4260 if (!m || m->m_next) { /*XXX*/
4261 if (m) 4261 if (m)
4262 m_freem(m); 4262 m_freem(m);
4263 return NULL; 4263 return NULL;
4264 } 4264 }
4265 4265
4266 p = mtod(m, struct sadb_address *); 4266 p = mtod(m, struct sadb_address *);
4267 4267
4268 memset(p, 0, len); 4268 memset(p, 0, len);
4269 p->sadb_address_len = PFKEY_UNIT64(len); 4269 p->sadb_address_len = PFKEY_UNIT64(len);
4270 p->sadb_address_exttype = exttype; 4270 p->sadb_address_exttype = exttype;
4271 p->sadb_address_proto = ul_proto; 4271 p->sadb_address_proto = ul_proto;
4272 if (prefixlen == FULLMASK) { 4272 if (prefixlen == FULLMASK) {
4273 prefixlen = key_sabits(saddr); 4273 prefixlen = key_sabits(saddr);
4274 } 4274 }
4275 p->sadb_address_prefixlen = prefixlen; 4275 p->sadb_address_prefixlen = prefixlen;
4276 p->sadb_address_reserved = 0; 4276 p->sadb_address_reserved = 0;
4277 4277
4278 memcpy(mtod(m, char *) + PFKEY_ALIGN8(sizeof(struct sadb_address)), 4278 memcpy(mtod(m, char *) + PFKEY_ALIGN8(sizeof(struct sadb_address)),
4279 saddr, saddr->sa_len); 4279 saddr, saddr->sa_len);
4280 4280
4281 return m; 4281 return m;
4282} 4282}
4283 4283
4284#if 0 4284#if 0
4285/* 4285/*
4286 * set data into sadb_ident. 4286 * set data into sadb_ident.
4287 */ 4287 */
4288static struct mbuf * 4288static struct mbuf *
4289key_setsadbident(u_int16_t exttype, u_int16_t idtype, 4289key_setsadbident(u_int16_t exttype, u_int16_t idtype,
4290 void *string, int stringlen, u_int64_t id) 4290 void *string, int stringlen, u_int64_t id)
4291{ 4291{
4292 struct mbuf *m; 4292 struct mbuf *m;
4293 struct sadb_ident *p; 4293 struct sadb_ident *p;
4294 size_t len; 4294 size_t len;
4295 4295
4296 len = PFKEY_ALIGN8(sizeof(struct sadb_ident)) + PFKEY_ALIGN8(stringlen); 4296 len = PFKEY_ALIGN8(sizeof(struct sadb_ident)) + PFKEY_ALIGN8(stringlen);
4297 m = key_alloc_mbuf(len); 4297 m = key_alloc_mbuf(len);
4298 if (!m || m->m_next) { /*XXX*/ 4298 if (!m || m->m_next) { /*XXX*/
4299 if (m) 4299 if (m)
4300 m_freem(m); 4300 m_freem(m);
4301 return NULL; 4301 return NULL;
4302 } 4302 }
4303 4303
4304 p = mtod(m, struct sadb_ident *); 4304 p = mtod(m, struct sadb_ident *);
4305 4305
4306 memset(p, 0, len); 4306 memset(p, 0, len);
4307 p->sadb_ident_len = PFKEY_UNIT64(len); 4307 p->sadb_ident_len = PFKEY_UNIT64(len);
4308 p->sadb_ident_exttype = exttype; 4308 p->sadb_ident_exttype = exttype;
4309 p->sadb_ident_type = idtype; 4309 p->sadb_ident_type = idtype;
4310 p->sadb_ident_reserved = 0; 4310 p->sadb_ident_reserved = 0;
4311 p->sadb_ident_id = id; 4311 p->sadb_ident_id = id;
4312 4312
4313 memcpy(mtod(m, void *) + PFKEY_ALIGN8(sizeof(struct sadb_ident)), 4313 memcpy(mtod(m, void *) + PFKEY_ALIGN8(sizeof(struct sadb_ident)),
4314 string, stringlen); 4314 string, stringlen);
4315 4315
4316 return m; 4316 return m;
4317} 4317}
4318#endif 4318#endif
4319 4319
4320/* 4320/*
4321 * set data into sadb_x_sa2. 4321 * set data into sadb_x_sa2.
4322 */ 4322 */
4323static struct mbuf * 4323static struct mbuf *
4324key_setsadbxsa2(u_int8_t mode, u_int32_t seq, u_int16_t reqid) 4324key_setsadbxsa2(u_int8_t mode, u_int32_t seq, u_int16_t reqid)
4325{ 4325{
4326 struct mbuf *m; 4326 struct mbuf *m;
4327 struct sadb_x_sa2 *p; 4327 struct sadb_x_sa2 *p;
4328 size_t len; 4328 size_t len;
4329 4329
4330 len = PFKEY_ALIGN8(sizeof(struct sadb_x_sa2)); 4330 len = PFKEY_ALIGN8(sizeof(struct sadb_x_sa2));
4331 m = key_alloc_mbuf(len, M_WAITOK); 4331 m = key_alloc_mbuf(len, M_WAITOK);
4332 KASSERT(m->m_next == NULL); 4332 KASSERT(m->m_next == NULL);
4333 4333
4334 p = mtod(m, struct sadb_x_sa2 *); 4334 p = mtod(m, struct sadb_x_sa2 *);
4335 4335
4336 memset(p, 0, len); 4336 memset(p, 0, len);
4337 p->sadb_x_sa2_len = PFKEY_UNIT64(len); 4337 p->sadb_x_sa2_len = PFKEY_UNIT64(len);
4338 p->sadb_x_sa2_exttype = SADB_X_EXT_SA2; 4338 p->sadb_x_sa2_exttype = SADB_X_EXT_SA2;
4339 p->sadb_x_sa2_mode = mode; 4339 p->sadb_x_sa2_mode = mode;
4340 p->sadb_x_sa2_reserved1 = 0; 4340 p->sadb_x_sa2_reserved1 = 0;
4341 p->sadb_x_sa2_reserved2 = 0; 4341 p->sadb_x_sa2_reserved2 = 0;
4342 p->sadb_x_sa2_sequence = seq; 4342 p->sadb_x_sa2_sequence = seq;
4343 p->sadb_x_sa2_reqid = reqid; 4343 p->sadb_x_sa2_reqid = reqid;
4344 4344
4345 return m; 4345 return m;
4346} 4346}
4347 4347
4348/* 4348/*
4349 * set data into sadb_x_policy 4349 * set data into sadb_x_policy
4350 */ 4350 */
4351static struct mbuf * 4351static struct mbuf *
4352key_setsadbxpolicy(const u_int16_t type, const u_int8_t dir, const u_int32_t id, 4352key_setsadbxpolicy(const u_int16_t type, const u_int8_t dir, const u_int32_t id,
4353 int mflag) 4353 int mflag)
4354{ 4354{
4355 struct mbuf *m; 4355 struct mbuf *m;
4356 struct sadb_x_policy *p; 4356 struct sadb_x_policy *p;
4357 size_t len; 4357 size_t len;
4358 4358
4359 len = PFKEY_ALIGN8(sizeof(struct sadb_x_policy)); 4359 len = PFKEY_ALIGN8(sizeof(struct sadb_x_policy));
4360 m = key_alloc_mbuf(len, mflag); 4360 m = key_alloc_mbuf(len, mflag);
4361 if (!m || m->m_next) { /*XXX*/ 4361 if (!m || m->m_next) { /*XXX*/
4362 if (m) 4362 if (m)
4363 m_freem(m); 4363 m_freem(m);
4364 return NULL; 4364 return NULL;
4365 } 4365 }
4366 4366
4367 p = mtod(m, struct sadb_x_policy *); 4367 p = mtod(m, struct sadb_x_policy *);
4368 4368
4369 memset(p, 0, len); 4369 memset(p, 0, len);
4370 p->sadb_x_policy_len = PFKEY_UNIT64(len); 4370 p->sadb_x_policy_len = PFKEY_UNIT64(len);
4371 p->sadb_x_policy_exttype = SADB_X_EXT_POLICY; 4371 p->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
4372 p->sadb_x_policy_type = type; 4372 p->sadb_x_policy_type = type;
4373 p->sadb_x_policy_dir = dir; 4373 p->sadb_x_policy_dir = dir;
4374 p->sadb_x_policy_id = id; 4374 p->sadb_x_policy_id = id;
4375 4375
4376 return m; 4376 return m;
4377} 4377}
4378 4378
4379/* %%% utilities */ 4379/* %%% utilities */
4380/* 4380/*
4381 * copy a buffer into the new buffer allocated. 4381 * copy a buffer into the new buffer allocated.
4382 */ 4382 */
4383static void * 4383static void *
4384key_newbuf(const void *src, u_int len) 4384key_newbuf(const void *src, u_int len)
4385{ 4385{
4386 void *new; 4386 void *new;
4387 4387
4388 new = kmem_alloc(len, KM_SLEEP); 4388 new = kmem_alloc(len, KM_SLEEP);
4389 memcpy(new, src, len); 4389 memcpy(new, src, len);
4390 4390
4391 return new; 4391 return new;
4392} 4392}
4393 4393
4394/* compare my own address 4394/* compare my own address
4395 * OUT: 1: true, i.e. my address. 4395 * OUT: 1: true, i.e. my address.
4396 * 0: false 4396 * 0: false
4397 */ 4397 */
4398int 4398int
4399key_ismyaddr(const struct sockaddr *sa) 4399key_ismyaddr(const struct sockaddr *sa)
4400{ 4400{
4401#ifdef INET 4401#ifdef INET
4402 const struct sockaddr_in *sin; 4402 const struct sockaddr_in *sin;
4403 const struct in_ifaddr *ia; 4403 const struct in_ifaddr *ia;
4404 int s; 4404 int s;
4405#endif 4405#endif
4406 4406
4407 KASSERT(sa != NULL); 4407 KASSERT(sa != NULL);
4408 4408
4409 switch (sa->sa_family) { 4409 switch (sa->sa_family) {
4410#ifdef INET 4410#ifdef INET
4411 case AF_INET: 4411 case AF_INET:
4412 sin = (const struct sockaddr_in *)sa; 4412 sin = (const struct sockaddr_in *)sa;
4413 s = pserialize_read_enter(); 4413 s = pserialize_read_enter();
4414 IN_ADDRLIST_READER_FOREACH(ia) { 4414 IN_ADDRLIST_READER_FOREACH(ia) {
4415 if (sin->sin_family == ia->ia_addr.sin_family && 4415 if (sin->sin_family == ia->ia_addr.sin_family &&
4416 sin->sin_len == ia->ia_addr.sin_len && 4416 sin->sin_len == ia->ia_addr.sin_len &&
4417 sin->sin_addr.s_addr == ia->ia_addr.sin_addr.s_addr) 4417 sin->sin_addr.s_addr == ia->ia_addr.sin_addr.s_addr)
4418 { 4418 {
4419 pserialize_read_exit(s); 4419 pserialize_read_exit(s);
4420 return 1; 4420 return 1;
4421 } 4421 }
4422 } 4422 }
4423 pserialize_read_exit(s); 4423 pserialize_read_exit(s);
4424 break; 4424 break;
4425#endif 4425#endif
4426#ifdef INET6 4426#ifdef INET6
4427 case AF_INET6: 4427 case AF_INET6:
4428 return key_ismyaddr6((const struct sockaddr_in6 *)sa); 4428 return key_ismyaddr6((const struct sockaddr_in6 *)sa);
4429#endif 4429#endif
4430 } 4430 }
4431 4431
4432 return 0; 4432 return 0;
4433} 4433}
4434 4434
4435#ifdef INET6 4435#ifdef INET6
4436/* 4436/*
4437 * compare my own address for IPv6. 4437 * compare my own address for IPv6.
4438 * 1: ours 4438 * 1: ours
4439 * 0: other 4439 * 0: other
4440 * NOTE: derived ip6_input() in KAME. This is necessary to modify more. 4440 * NOTE: derived ip6_input() in KAME. This is necessary to modify more.
4441 */ 4441 */
4442#include <netinet6/in6_var.h> 4442#include <netinet6/in6_var.h>
4443 4443
4444static int 4444static int
4445key_ismyaddr6(const struct sockaddr_in6 *sin6) 4445key_ismyaddr6(const struct sockaddr_in6 *sin6)
4446{ 4446{
4447 struct in6_ifaddr *ia; 4447 struct in6_ifaddr *ia;
4448 int s; 4448 int s;
4449 struct psref psref; 4449 struct psref psref;
4450 int bound; 4450 int bound;
4451 int ours = 1; 4451 int ours = 1;
4452 4452
4453 bound = curlwp_bind(); 4453 bound = curlwp_bind();
4454 s = pserialize_read_enter(); 4454 s = pserialize_read_enter();
4455 IN6_ADDRLIST_READER_FOREACH(ia) { 4455 IN6_ADDRLIST_READER_FOREACH(ia) {
4456 bool ingroup; 4456 bool ingroup;
4457 4457
4458 if (key_sockaddr_match((const struct sockaddr *)&sin6, 4458 if (key_sockaddr_match((const struct sockaddr *)&sin6,
4459 (const struct sockaddr *)&ia->ia_addr, 0)) { 4459 (const struct sockaddr *)&ia->ia_addr, 0)) {
4460 pserialize_read_exit(s); 4460 pserialize_read_exit(s);
4461 goto ours; 4461 goto ours;
4462 } 4462 }
4463 ia6_acquire(ia, &psref); 4463 ia6_acquire(ia, &psref);
4464 pserialize_read_exit(s); 4464 pserialize_read_exit(s);
4465 4465
4466 /* 4466 /*
4467 * XXX Multicast 4467 * XXX Multicast
4468 * XXX why do we care about multlicast here while we don't care 4468 * XXX why do we care about multlicast here while we don't care
4469 * about IPv4 multicast?? 4469 * about IPv4 multicast??
4470 * XXX scope 4470 * XXX scope
4471 */ 4471 */
4472 ingroup = in6_multi_group(&sin6->sin6_addr, ia->ia_ifp); 4472 ingroup = in6_multi_group(&sin6->sin6_addr, ia->ia_ifp);
4473 if (ingroup) { 4473 if (ingroup) {
4474 ia6_release(ia, &psref); 4474 ia6_release(ia, &psref);
4475 goto ours; 4475 goto ours;
4476 } 4476 }
4477 4477
4478 s = pserialize_read_enter(); 4478 s = pserialize_read_enter();
4479 ia6_release(ia, &psref); 4479 ia6_release(ia, &psref);