1 | #include <machine/rtems-bsd-kernel-space.h> |
---|
2 | |
---|
3 | /* $FreeBSD$ */ |
---|
4 | /* $KAME: key.c,v 1.191 2001/06/27 10:46:49 sakane Exp $ */ |
---|
5 | |
---|
6 | /*- |
---|
7 | * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. |
---|
8 | * All rights reserved. |
---|
9 | * |
---|
10 | * Redistribution and use in source and binary forms, with or without |
---|
11 | * modification, are permitted provided that the following conditions |
---|
12 | * are met: |
---|
13 | * 1. Redistributions of source code must retain the above copyright |
---|
14 | * notice, this list of conditions and the following disclaimer. |
---|
15 | * 2. Redistributions in binary form must reproduce the above copyright |
---|
16 | * notice, this list of conditions and the following disclaimer in the |
---|
17 | * documentation and/or other materials provided with the distribution. |
---|
18 | * 3. Neither the name of the project nor the names of its contributors |
---|
19 | * may be used to endorse or promote products derived from this software |
---|
20 | * without specific prior written permission. |
---|
21 | * |
---|
22 | * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND |
---|
23 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
---|
24 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE |
---|
25 | * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE |
---|
26 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL |
---|
27 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS |
---|
28 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
---|
29 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT |
---|
30 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY |
---|
31 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF |
---|
32 | * SUCH DAMAGE. |
---|
33 | */ |
---|
34 | |
---|
35 | /* |
---|
36 | * This code is referd to RFC 2367 |
---|
37 | */ |
---|
38 | |
---|
39 | #include <rtems/bsd/local/opt_inet.h> |
---|
40 | #include <rtems/bsd/local/opt_inet6.h> |
---|
41 | #include <rtems/bsd/local/opt_ipsec.h> |
---|
42 | |
---|
43 | #include <rtems/bsd/sys/types.h> |
---|
44 | #include <rtems/bsd/sys/param.h> |
---|
45 | #include <sys/systm.h> |
---|
46 | #include <sys/kernel.h> |
---|
47 | #include <rtems/bsd/sys/lock.h> |
---|
48 | #include <sys/mutex.h> |
---|
49 | #include <sys/mbuf.h> |
---|
50 | #include <sys/domain.h> |
---|
51 | #include <sys/protosw.h> |
---|
52 | #include <sys/malloc.h> |
---|
53 | #include <sys/socket.h> |
---|
54 | #include <sys/socketvar.h> |
---|
55 | #include <sys/sysctl.h> |
---|
56 | #include <rtems/bsd/sys/errno.h> |
---|
57 | #include <sys/proc.h> |
---|
58 | #include <sys/queue.h> |
---|
59 | #include <sys/refcount.h> |
---|
60 | #include <sys/syslog.h> |
---|
61 | |
---|
62 | #include <net/if.h> |
---|
63 | #include <net/route.h> |
---|
64 | #include <net/raw_cb.h> |
---|
65 | #include <net/vnet.h> |
---|
66 | |
---|
67 | #include <netinet/in.h> |
---|
68 | #include <netinet/in_systm.h> |
---|
69 | #include <netinet/ip.h> |
---|
70 | #include <netinet/in_var.h> |
---|
71 | |
---|
72 | #ifdef INET6 |
---|
73 | #include <netinet/ip6.h> |
---|
74 | #include <netinet6/in6_var.h> |
---|
75 | #include <netinet6/ip6_var.h> |
---|
76 | #endif /* INET6 */ |
---|
77 | |
---|
78 | #if defined(INET) || defined(INET6) |
---|
79 | #include <netinet/in_pcb.h> |
---|
80 | #endif |
---|
81 | #ifdef INET6 |
---|
82 | #include <netinet6/in6_pcb.h> |
---|
83 | #endif /* INET6 */ |
---|
84 | |
---|
85 | #include <net/pfkeyv2.h> |
---|
86 | #include <netipsec/keydb.h> |
---|
87 | #include <netipsec/key.h> |
---|
88 | #include <netipsec/keysock.h> |
---|
89 | #include <netipsec/key_debug.h> |
---|
90 | |
---|
91 | #include <netipsec/ipsec.h> |
---|
92 | #ifdef INET6 |
---|
93 | #include <netipsec/ipsec6.h> |
---|
94 | #endif |
---|
95 | |
---|
96 | #include <netipsec/xform.h> |
---|
97 | |
---|
98 | #include <machine/stdarg.h> |
---|
99 | |
---|
100 | /* randomness */ |
---|
101 | #include <sys/random.h> |
---|
102 | |
---|
103 | #define FULLMASK 0xff |
---|
104 | #define _BITS(bytes) ((bytes) << 3) |
---|
105 | |
---|
106 | /* |
---|
107 | * Note on SA reference counting: |
---|
108 | * - SAs that are not in DEAD state will have (total external reference + 1) |
---|
109 | * following value in reference count field. they cannot be freed and are |
---|
110 | * referenced from SA header. |
---|
111 | * - SAs that are in DEAD state will have (total external reference) |
---|
112 | * in reference count field. they are ready to be freed. reference from |
---|
113 | * SA header will be removed in key_delsav(), when the reference count |
---|
114 | * field hits 0 (= no external reference other than from SA header. |
---|
115 | */ |
---|
116 | |
---|
117 | VNET_DEFINE(u_int32_t, key_debug_level) = 0; |
---|
118 | static VNET_DEFINE(u_int, key_spi_trycnt) = 1000; |
---|
119 | static VNET_DEFINE(u_int32_t, key_spi_minval) = 0x100; |
---|
120 | static VNET_DEFINE(u_int32_t, key_spi_maxval) = 0x0fffffff; /* XXX */ |
---|
121 | static VNET_DEFINE(u_int32_t, policy_id) = 0; |
---|
122 | /*interval to initialize randseed,1(m)*/ |
---|
123 | static VNET_DEFINE(u_int, key_int_random) = 60; |
---|
124 | /* interval to expire acquiring, 30(s)*/ |
---|
125 | static VNET_DEFINE(u_int, key_larval_lifetime) = 30; |
---|
126 | /* counter for blocking SADB_ACQUIRE.*/ |
---|
127 | static VNET_DEFINE(int, key_blockacq_count) = 10; |
---|
128 | /* lifetime for blocking SADB_ACQUIRE.*/ |
---|
129 | static VNET_DEFINE(int, key_blockacq_lifetime) = 20; |
---|
130 | /* preferred old sa rather than new sa.*/ |
---|
131 | static VNET_DEFINE(int, key_preferred_oldsa) = 1; |
---|
132 | #define V_key_spi_trycnt VNET(key_spi_trycnt) |
---|
133 | #define V_key_spi_minval VNET(key_spi_minval) |
---|
134 | #define V_key_spi_maxval VNET(key_spi_maxval) |
---|
135 | #define V_policy_id VNET(policy_id) |
---|
136 | #define V_key_int_random VNET(key_int_random) |
---|
137 | #define V_key_larval_lifetime VNET(key_larval_lifetime) |
---|
138 | #define V_key_blockacq_count VNET(key_blockacq_count) |
---|
139 | #define V_key_blockacq_lifetime VNET(key_blockacq_lifetime) |
---|
140 | #define V_key_preferred_oldsa VNET(key_preferred_oldsa) |
---|
141 | |
---|
142 | static VNET_DEFINE(u_int32_t, acq_seq) = 0; |
---|
143 | #define V_acq_seq VNET(acq_seq) |
---|
144 | |
---|
145 | /* SPD */ |
---|
146 | static VNET_DEFINE(LIST_HEAD(_sptree, secpolicy), sptree[IPSEC_DIR_MAX]); |
---|
147 | #define V_sptree VNET(sptree) |
---|
148 | static struct mtx sptree_lock; |
---|
149 | #define SPTREE_LOCK_INIT() \ |
---|
150 | mtx_init(&sptree_lock, "sptree", \ |
---|
151 | "fast ipsec security policy database", MTX_DEF) |
---|
152 | #define SPTREE_LOCK_DESTROY() mtx_destroy(&sptree_lock) |
---|
153 | #define SPTREE_LOCK() mtx_lock(&sptree_lock) |
---|
154 | #define SPTREE_UNLOCK() mtx_unlock(&sptree_lock) |
---|
155 | #define SPTREE_LOCK_ASSERT() mtx_assert(&sptree_lock, MA_OWNED) |
---|
156 | |
---|
157 | static VNET_DEFINE(LIST_HEAD(_sahtree, secashead), sahtree); /* SAD */ |
---|
158 | #define V_sahtree VNET(sahtree) |
---|
159 | static struct mtx sahtree_lock; |
---|
160 | #define SAHTREE_LOCK_INIT() \ |
---|
161 | mtx_init(&sahtree_lock, "sahtree", \ |
---|
162 | "fast ipsec security association database", MTX_DEF) |
---|
163 | #define SAHTREE_LOCK_DESTROY() mtx_destroy(&sahtree_lock) |
---|
164 | #define SAHTREE_LOCK() mtx_lock(&sahtree_lock) |
---|
165 | #define SAHTREE_UNLOCK() mtx_unlock(&sahtree_lock) |
---|
166 | #define SAHTREE_LOCK_ASSERT() mtx_assert(&sahtree_lock, MA_OWNED) |
---|
167 | |
---|
168 | /* registed list */ |
---|
169 | static VNET_DEFINE(LIST_HEAD(_regtree, secreg), regtree[SADB_SATYPE_MAX + 1]); |
---|
170 | #define V_regtree VNET(regtree) |
---|
171 | static struct mtx regtree_lock; |
---|
172 | #define REGTREE_LOCK_INIT() \ |
---|
173 | mtx_init(®tree_lock, "regtree", "fast ipsec regtree", MTX_DEF) |
---|
174 | #define REGTREE_LOCK_DESTROY() mtx_destroy(®tree_lock) |
---|
175 | #define REGTREE_LOCK() mtx_lock(®tree_lock) |
---|
176 | #define REGTREE_UNLOCK() mtx_unlock(®tree_lock) |
---|
177 | #define REGTREE_LOCK_ASSERT() mtx_assert(®tree_lock, MA_OWNED) |
---|
178 | |
---|
179 | static VNET_DEFINE(LIST_HEAD(_acqtree, secacq), acqtree); /* acquiring list */ |
---|
180 | #define V_acqtree VNET(acqtree) |
---|
181 | static struct mtx acq_lock; |
---|
182 | #define ACQ_LOCK_INIT() \ |
---|
183 | mtx_init(&acq_lock, "acqtree", "fast ipsec acquire list", MTX_DEF) |
---|
184 | #define ACQ_LOCK_DESTROY() mtx_destroy(&acq_lock) |
---|
185 | #define ACQ_LOCK() mtx_lock(&acq_lock) |
---|
186 | #define ACQ_UNLOCK() mtx_unlock(&acq_lock) |
---|
187 | #define ACQ_LOCK_ASSERT() mtx_assert(&acq_lock, MA_OWNED) |
---|
188 | |
---|
189 | /* SP acquiring list */ |
---|
190 | static VNET_DEFINE(LIST_HEAD(_spacqtree, secspacq), spacqtree); |
---|
191 | #define V_spacqtree VNET(spacqtree) |
---|
192 | static struct mtx spacq_lock; |
---|
193 | #define SPACQ_LOCK_INIT() \ |
---|
194 | mtx_init(&spacq_lock, "spacqtree", \ |
---|
195 | "fast ipsec security policy acquire list", MTX_DEF) |
---|
196 | #define SPACQ_LOCK_DESTROY() mtx_destroy(&spacq_lock) |
---|
197 | #define SPACQ_LOCK() mtx_lock(&spacq_lock) |
---|
198 | #define SPACQ_UNLOCK() mtx_unlock(&spacq_lock) |
---|
199 | #define SPACQ_LOCK_ASSERT() mtx_assert(&spacq_lock, MA_OWNED) |
---|
200 | |
---|
201 | /* search order for SAs */ |
---|
202 | static const u_int saorder_state_valid_prefer_old[] = { |
---|
203 | SADB_SASTATE_DYING, SADB_SASTATE_MATURE, |
---|
204 | }; |
---|
205 | static const u_int saorder_state_valid_prefer_new[] = { |
---|
206 | SADB_SASTATE_MATURE, SADB_SASTATE_DYING, |
---|
207 | }; |
---|
208 | static const u_int saorder_state_alive[] = { |
---|
209 | /* except DEAD */ |
---|
210 | SADB_SASTATE_MATURE, SADB_SASTATE_DYING, SADB_SASTATE_LARVAL |
---|
211 | }; |
---|
212 | static const u_int saorder_state_any[] = { |
---|
213 | SADB_SASTATE_MATURE, SADB_SASTATE_DYING, |
---|
214 | SADB_SASTATE_LARVAL, SADB_SASTATE_DEAD |
---|
215 | }; |
---|
216 | |
---|
217 | static const int minsize[] = { |
---|
218 | sizeof(struct sadb_msg), /* SADB_EXT_RESERVED */ |
---|
219 | sizeof(struct sadb_sa), /* SADB_EXT_SA */ |
---|
220 | sizeof(struct sadb_lifetime), /* SADB_EXT_LIFETIME_CURRENT */ |
---|
221 | sizeof(struct sadb_lifetime), /* SADB_EXT_LIFETIME_HARD */ |
---|
222 | sizeof(struct sadb_lifetime), /* SADB_EXT_LIFETIME_SOFT */ |
---|
223 | sizeof(struct sadb_address), /* SADB_EXT_ADDRESS_SRC */ |
---|
224 | sizeof(struct sadb_address), /* SADB_EXT_ADDRESS_DST */ |
---|
225 | sizeof(struct sadb_address), /* SADB_EXT_ADDRESS_PROXY */ |
---|
226 | sizeof(struct sadb_key), /* SADB_EXT_KEY_AUTH */ |
---|
227 | sizeof(struct sadb_key), /* SADB_EXT_KEY_ENCRYPT */ |
---|
228 | sizeof(struct sadb_ident), /* SADB_EXT_IDENTITY_SRC */ |
---|
229 | sizeof(struct sadb_ident), /* SADB_EXT_IDENTITY_DST */ |
---|
230 | sizeof(struct sadb_sens), /* SADB_EXT_SENSITIVITY */ |
---|
231 | sizeof(struct sadb_prop), /* SADB_EXT_PROPOSAL */ |
---|
232 | sizeof(struct sadb_supported), /* SADB_EXT_SUPPORTED_AUTH */ |
---|
233 | sizeof(struct sadb_supported), /* SADB_EXT_SUPPORTED_ENCRYPT */ |
---|
234 | sizeof(struct sadb_spirange), /* SADB_EXT_SPIRANGE */ |
---|
235 | 0, /* SADB_X_EXT_KMPRIVATE */ |
---|
236 | sizeof(struct sadb_x_policy), /* SADB_X_EXT_POLICY */ |
---|
237 | sizeof(struct sadb_x_sa2), /* SADB_X_SA2 */ |
---|
238 | sizeof(struct sadb_x_nat_t_type),/* SADB_X_EXT_NAT_T_TYPE */ |
---|
239 | sizeof(struct sadb_x_nat_t_port),/* SADB_X_EXT_NAT_T_SPORT */ |
---|
240 | sizeof(struct sadb_x_nat_t_port),/* SADB_X_EXT_NAT_T_DPORT */ |
---|
241 | sizeof(struct sadb_address), /* SADB_X_EXT_NAT_T_OAI */ |
---|
242 | sizeof(struct sadb_address), /* SADB_X_EXT_NAT_T_OAR */ |
---|
243 | sizeof(struct sadb_x_nat_t_frag),/* SADB_X_EXT_NAT_T_FRAG */ |
---|
244 | }; |
---|
245 | static const int maxsize[] = { |
---|
246 | sizeof(struct sadb_msg), /* SADB_EXT_RESERVED */ |
---|
247 | sizeof(struct sadb_sa), /* SADB_EXT_SA */ |
---|
248 | sizeof(struct sadb_lifetime), /* SADB_EXT_LIFETIME_CURRENT */ |
---|
249 | sizeof(struct sadb_lifetime), /* SADB_EXT_LIFETIME_HARD */ |
---|
250 | sizeof(struct sadb_lifetime), /* SADB_EXT_LIFETIME_SOFT */ |
---|
251 | 0, /* SADB_EXT_ADDRESS_SRC */ |
---|
252 | 0, /* SADB_EXT_ADDRESS_DST */ |
---|
253 | 0, /* SADB_EXT_ADDRESS_PROXY */ |
---|
254 | 0, /* SADB_EXT_KEY_AUTH */ |
---|
255 | 0, /* SADB_EXT_KEY_ENCRYPT */ |
---|
256 | 0, /* SADB_EXT_IDENTITY_SRC */ |
---|
257 | 0, /* SADB_EXT_IDENTITY_DST */ |
---|
258 | 0, /* SADB_EXT_SENSITIVITY */ |
---|
259 | 0, /* SADB_EXT_PROPOSAL */ |
---|
260 | 0, /* SADB_EXT_SUPPORTED_AUTH */ |
---|
261 | 0, /* SADB_EXT_SUPPORTED_ENCRYPT */ |
---|
262 | sizeof(struct sadb_spirange), /* SADB_EXT_SPIRANGE */ |
---|
263 | 0, /* SADB_X_EXT_KMPRIVATE */ |
---|
264 | 0, /* SADB_X_EXT_POLICY */ |
---|
265 | sizeof(struct sadb_x_sa2), /* SADB_X_SA2 */ |
---|
266 | sizeof(struct sadb_x_nat_t_type),/* SADB_X_EXT_NAT_T_TYPE */ |
---|
267 | sizeof(struct sadb_x_nat_t_port),/* SADB_X_EXT_NAT_T_SPORT */ |
---|
268 | sizeof(struct sadb_x_nat_t_port),/* SADB_X_EXT_NAT_T_DPORT */ |
---|
269 | 0, /* SADB_X_EXT_NAT_T_OAI */ |
---|
270 | 0, /* SADB_X_EXT_NAT_T_OAR */ |
---|
271 | sizeof(struct sadb_x_nat_t_frag),/* SADB_X_EXT_NAT_T_FRAG */ |
---|
272 | }; |
---|
273 | |
---|
274 | static VNET_DEFINE(int, ipsec_esp_keymin) = 256; |
---|
275 | static VNET_DEFINE(int, ipsec_esp_auth) = 0; |
---|
276 | static VNET_DEFINE(int, ipsec_ah_keymin) = 128; |
---|
277 | |
---|
278 | #define V_ipsec_esp_keymin VNET(ipsec_esp_keymin) |
---|
279 | #define V_ipsec_esp_auth VNET(ipsec_esp_auth) |
---|
280 | #define V_ipsec_ah_keymin VNET(ipsec_ah_keymin) |
---|
281 | |
---|
282 | #ifdef SYSCTL_DECL |
---|
283 | SYSCTL_DECL(_net_key); |
---|
284 | #endif |
---|
285 | |
---|
286 | SYSCTL_VNET_INT(_net_key, KEYCTL_DEBUG_LEVEL, debug, |
---|
287 | CTLFLAG_RW, &VNET_NAME(key_debug_level), 0, ""); |
---|
288 | |
---|
289 | /* max count of trial for the decision of spi value */ |
---|
290 | SYSCTL_VNET_INT(_net_key, KEYCTL_SPI_TRY, spi_trycnt, |
---|
291 | CTLFLAG_RW, &VNET_NAME(key_spi_trycnt), 0, ""); |
---|
292 | |
---|
293 | /* minimum spi value to allocate automatically. */ |
---|
294 | SYSCTL_VNET_INT(_net_key, KEYCTL_SPI_MIN_VALUE, |
---|
295 | spi_minval, CTLFLAG_RW, &VNET_NAME(key_spi_minval), 0, ""); |
---|
296 | |
---|
297 | /* maximun spi value to allocate automatically. */ |
---|
298 | SYSCTL_VNET_INT(_net_key, KEYCTL_SPI_MAX_VALUE, |
---|
299 | spi_maxval, CTLFLAG_RW, &VNET_NAME(key_spi_maxval), 0, ""); |
---|
300 | |
---|
301 | /* interval to initialize randseed */ |
---|
302 | SYSCTL_VNET_INT(_net_key, KEYCTL_RANDOM_INT, |
---|
303 | int_random, CTLFLAG_RW, &VNET_NAME(key_int_random), 0, ""); |
---|
304 | |
---|
305 | /* lifetime for larval SA */ |
---|
306 | SYSCTL_VNET_INT(_net_key, KEYCTL_LARVAL_LIFETIME, |
---|
307 | larval_lifetime, CTLFLAG_RW, &VNET_NAME(key_larval_lifetime), 0, ""); |
---|
308 | |
---|
309 | /* counter for blocking to send SADB_ACQUIRE to IKEd */ |
---|
310 | SYSCTL_VNET_INT(_net_key, KEYCTL_BLOCKACQ_COUNT, |
---|
311 | blockacq_count, CTLFLAG_RW, &VNET_NAME(key_blockacq_count), 0, ""); |
---|
312 | |
---|
313 | /* lifetime for blocking to send SADB_ACQUIRE to IKEd */ |
---|
314 | SYSCTL_VNET_INT(_net_key, KEYCTL_BLOCKACQ_LIFETIME, |
---|
315 | blockacq_lifetime, CTLFLAG_RW, &VNET_NAME(key_blockacq_lifetime), 0, ""); |
---|
316 | |
---|
317 | /* ESP auth */ |
---|
318 | SYSCTL_VNET_INT(_net_key, KEYCTL_ESP_AUTH, esp_auth, |
---|
319 | CTLFLAG_RW, &VNET_NAME(ipsec_esp_auth), 0, ""); |
---|
320 | |
---|
321 | /* minimum ESP key length */ |
---|
322 | SYSCTL_VNET_INT(_net_key, KEYCTL_ESP_KEYMIN, |
---|
323 | esp_keymin, CTLFLAG_RW, &VNET_NAME(ipsec_esp_keymin), 0, ""); |
---|
324 | |
---|
325 | /* minimum AH key length */ |
---|
326 | SYSCTL_VNET_INT(_net_key, KEYCTL_AH_KEYMIN, ah_keymin, |
---|
327 | CTLFLAG_RW, &VNET_NAME(ipsec_ah_keymin), 0, ""); |
---|
328 | |
---|
329 | /* perfered old SA rather than new SA */ |
---|
330 | SYSCTL_VNET_INT(_net_key, KEYCTL_PREFERED_OLDSA, |
---|
331 | preferred_oldsa, CTLFLAG_RW, &VNET_NAME(key_preferred_oldsa), 0, ""); |
---|
332 | |
---|
333 | #define __LIST_CHAINED(elm) \ |
---|
334 | (!((elm)->chain.le_next == NULL && (elm)->chain.le_prev == NULL)) |
---|
335 | #define LIST_INSERT_TAIL(head, elm, type, field) \ |
---|
336 | do {\ |
---|
337 | struct type *curelm = LIST_FIRST(head); \ |
---|
338 | if (curelm == NULL) {\ |
---|
339 | LIST_INSERT_HEAD(head, elm, field); \ |
---|
340 | } else { \ |
---|
341 | while (LIST_NEXT(curelm, field)) \ |
---|
342 | curelm = LIST_NEXT(curelm, field);\ |
---|
343 | LIST_INSERT_AFTER(curelm, elm, field);\ |
---|
344 | }\ |
---|
345 | } while (0) |
---|
346 | |
---|
347 | #define KEY_CHKSASTATE(head, sav, name) \ |
---|
348 | do { \ |
---|
349 | if ((head) != (sav)) { \ |
---|
350 | ipseclog((LOG_DEBUG, "%s: state mismatched (TREE=%d SA=%d)\n", \ |
---|
351 | (name), (head), (sav))); \ |
---|
352 | continue; \ |
---|
353 | } \ |
---|
354 | } while (0) |
---|
355 | |
---|
356 | #define KEY_CHKSPDIR(head, sp, name) \ |
---|
357 | do { \ |
---|
358 | if ((head) != (sp)) { \ |
---|
359 | ipseclog((LOG_DEBUG, "%s: direction mismatched (TREE=%d SP=%d), " \ |
---|
360 | "anyway continue.\n", \ |
---|
361 | (name), (head), (sp))); \ |
---|
362 | } \ |
---|
363 | } while (0) |
---|
364 | |
---|
365 | MALLOC_DEFINE(M_IPSEC_SA, "secasvar", "ipsec security association"); |
---|
366 | MALLOC_DEFINE(M_IPSEC_SAH, "sahead", "ipsec sa head"); |
---|
367 | MALLOC_DEFINE(M_IPSEC_SP, "ipsecpolicy", "ipsec security policy"); |
---|
368 | MALLOC_DEFINE(M_IPSEC_SR, "ipsecrequest", "ipsec security request"); |
---|
369 | MALLOC_DEFINE(M_IPSEC_MISC, "ipsec-misc", "ipsec miscellaneous"); |
---|
370 | MALLOC_DEFINE(M_IPSEC_SAQ, "ipsec-saq", "ipsec sa acquire"); |
---|
371 | MALLOC_DEFINE(M_IPSEC_SAR, "ipsec-reg", "ipsec sa acquire"); |
---|
372 | |
---|
373 | /* |
---|
374 | * set parameters into secpolicyindex buffer. |
---|
375 | * Must allocate secpolicyindex buffer passed to this function. |
---|
376 | */ |
---|
377 | #define KEY_SETSECSPIDX(_dir, s, d, ps, pd, ulp, idx) \ |
---|
378 | do { \ |
---|
379 | bzero((idx), sizeof(struct secpolicyindex)); \ |
---|
380 | (idx)->dir = (_dir); \ |
---|
381 | (idx)->prefs = (ps); \ |
---|
382 | (idx)->prefd = (pd); \ |
---|
383 | (idx)->ul_proto = (ulp); \ |
---|
384 | bcopy((s), &(idx)->src, ((const struct sockaddr *)(s))->sa_len); \ |
---|
385 | bcopy((d), &(idx)->dst, ((const struct sockaddr *)(d))->sa_len); \ |
---|
386 | } while (0) |
---|
387 | |
---|
388 | /* |
---|
389 | * set parameters into secasindex buffer. |
---|
390 | * Must allocate secasindex buffer before calling this function. |
---|
391 | */ |
---|
392 | #define KEY_SETSECASIDX(p, m, r, s, d, idx) \ |
---|
393 | do { \ |
---|
394 | bzero((idx), sizeof(struct secasindex)); \ |
---|
395 | (idx)->proto = (p); \ |
---|
396 | (idx)->mode = (m); \ |
---|
397 | (idx)->reqid = (r); \ |
---|
398 | bcopy((s), &(idx)->src, ((const struct sockaddr *)(s))->sa_len); \ |
---|
399 | bcopy((d), &(idx)->dst, ((const struct sockaddr *)(d))->sa_len); \ |
---|
400 | } while (0) |
---|
401 | |
---|
402 | /* key statistics */ |
---|
403 | struct _keystat { |
---|
404 | u_long getspi_count; /* the avarage of count to try to get new SPI */ |
---|
405 | } keystat; |
---|
406 | |
---|
407 | struct sadb_msghdr { |
---|
408 | struct sadb_msg *msg; |
---|
409 | struct sadb_ext *ext[SADB_EXT_MAX + 1]; |
---|
410 | int extoff[SADB_EXT_MAX + 1]; |
---|
411 | int extlen[SADB_EXT_MAX + 1]; |
---|
412 | }; |
---|
413 | |
---|
414 | static struct secasvar *key_allocsa_policy __P((const struct secasindex *)); |
---|
415 | static void key_freesp_so __P((struct secpolicy **)); |
---|
416 | static struct secasvar *key_do_allocsa_policy __P((struct secashead *, u_int)); |
---|
417 | static void key_delsp __P((struct secpolicy *)); |
---|
418 | static struct secpolicy *key_getsp __P((struct secpolicyindex *)); |
---|
419 | static void _key_delsp(struct secpolicy *sp); |
---|
420 | static struct secpolicy *key_getspbyid __P((u_int32_t)); |
---|
421 | static u_int32_t key_newreqid __P((void)); |
---|
422 | static struct mbuf *key_gather_mbuf __P((struct mbuf *, |
---|
423 | const struct sadb_msghdr *, int, int, ...)); |
---|
424 | static int key_spdadd __P((struct socket *, struct mbuf *, |
---|
425 | const struct sadb_msghdr *)); |
---|
426 | static u_int32_t key_getnewspid __P((void)); |
---|
427 | static int key_spddelete __P((struct socket *, struct mbuf *, |
---|
428 | const struct sadb_msghdr *)); |
---|
429 | static int key_spddelete2 __P((struct socket *, struct mbuf *, |
---|
430 | const struct sadb_msghdr *)); |
---|
431 | static int key_spdget __P((struct socket *, struct mbuf *, |
---|
432 | const struct sadb_msghdr *)); |
---|
433 | static int key_spdflush __P((struct socket *, struct mbuf *, |
---|
434 | const struct sadb_msghdr *)); |
---|
435 | static int key_spddump __P((struct socket *, struct mbuf *, |
---|
436 | const struct sadb_msghdr *)); |
---|
437 | static struct mbuf *key_setdumpsp __P((struct secpolicy *, |
---|
438 | u_int8_t, u_int32_t, u_int32_t)); |
---|
439 | static u_int key_getspreqmsglen __P((struct secpolicy *)); |
---|
440 | static int key_spdexpire __P((struct secpolicy *)); |
---|
441 | static struct secashead *key_newsah __P((struct secasindex *)); |
---|
442 | static void key_delsah __P((struct secashead *)); |
---|
443 | static struct secasvar *key_newsav __P((struct mbuf *, |
---|
444 | const struct sadb_msghdr *, struct secashead *, int *, |
---|
445 | const char*, int)); |
---|
446 | #define KEY_NEWSAV(m, sadb, sah, e) \ |
---|
447 | key_newsav(m, sadb, sah, e, __FILE__, __LINE__) |
---|
448 | static void key_delsav __P((struct secasvar *)); |
---|
449 | static struct secashead *key_getsah __P((struct secasindex *)); |
---|
450 | static struct secasvar *key_checkspidup __P((struct secasindex *, u_int32_t)); |
---|
451 | static struct secasvar *key_getsavbyspi __P((struct secashead *, u_int32_t)); |
---|
452 | static int key_setsaval __P((struct secasvar *, struct mbuf *, |
---|
453 | const struct sadb_msghdr *)); |
---|
454 | static int key_mature __P((struct secasvar *)); |
---|
455 | static struct mbuf *key_setdumpsa __P((struct secasvar *, u_int8_t, |
---|
456 | u_int8_t, u_int32_t, u_int32_t)); |
---|
457 | static struct mbuf *key_setsadbmsg __P((u_int8_t, u_int16_t, u_int8_t, |
---|
458 | u_int32_t, pid_t, u_int16_t)); |
---|
459 | static struct mbuf *key_setsadbsa __P((struct secasvar *)); |
---|
460 | static struct mbuf *key_setsadbaddr __P((u_int16_t, |
---|
461 | const struct sockaddr *, u_int8_t, u_int16_t)); |
---|
462 | #ifdef IPSEC_NAT_T |
---|
463 | static struct mbuf *key_setsadbxport(u_int16_t, u_int16_t); |
---|
464 | static struct mbuf *key_setsadbxtype(u_int16_t); |
---|
465 | #endif |
---|
466 | static void key_porttosaddr(struct sockaddr *, u_int16_t); |
---|
467 | #define KEY_PORTTOSADDR(saddr, port) \ |
---|
468 | key_porttosaddr((struct sockaddr *)(saddr), (port)) |
---|
469 | static struct mbuf *key_setsadbxsa2 __P((u_int8_t, u_int32_t, u_int32_t)); |
---|
470 | static struct mbuf *key_setsadbxpolicy __P((u_int16_t, u_int8_t, |
---|
471 | u_int32_t)); |
---|
472 | static struct seckey *key_dup_keymsg(const struct sadb_key *, u_int, |
---|
473 | struct malloc_type *); |
---|
474 | static struct seclifetime *key_dup_lifemsg(const struct sadb_lifetime *src, |
---|
475 | struct malloc_type *type); |
---|
476 | #ifdef INET6 |
---|
477 | static int key_ismyaddr6 __P((struct sockaddr_in6 *)); |
---|
478 | #endif |
---|
479 | |
---|
480 | /* flags for key_cmpsaidx() */ |
---|
481 | #define CMP_HEAD 1 /* protocol, addresses. */ |
---|
482 | #define CMP_MODE_REQID 2 /* additionally HEAD, reqid, mode. */ |
---|
483 | #define CMP_REQID 3 /* additionally HEAD, reaid. */ |
---|
484 | #define CMP_EXACTLY 4 /* all elements. */ |
---|
485 | static int key_cmpsaidx |
---|
486 | __P((const struct secasindex *, const struct secasindex *, int)); |
---|
487 | |
---|
488 | static int key_cmpspidx_exactly |
---|
489 | __P((struct secpolicyindex *, struct secpolicyindex *)); |
---|
490 | static int key_cmpspidx_withmask |
---|
491 | __P((struct secpolicyindex *, struct secpolicyindex *)); |
---|
492 | static int key_sockaddrcmp __P((const struct sockaddr *, const struct sockaddr *, int)); |
---|
493 | static int key_bbcmp __P((const void *, const void *, u_int)); |
---|
494 | static u_int16_t key_satype2proto __P((u_int8_t)); |
---|
495 | static u_int8_t key_proto2satype __P((u_int16_t)); |
---|
496 | |
---|
497 | static int key_getspi __P((struct socket *, struct mbuf *, |
---|
498 | const struct sadb_msghdr *)); |
---|
499 | static u_int32_t key_do_getnewspi __P((struct sadb_spirange *, |
---|
500 | struct secasindex *)); |
---|
501 | static int key_update __P((struct socket *, struct mbuf *, |
---|
502 | const struct sadb_msghdr *)); |
---|
503 | #ifdef IPSEC_DOSEQCHECK |
---|
504 | static struct secasvar *key_getsavbyseq __P((struct secashead *, u_int32_t)); |
---|
505 | #endif |
---|
506 | static int key_add __P((struct socket *, struct mbuf *, |
---|
507 | const struct sadb_msghdr *)); |
---|
508 | static int key_setident __P((struct secashead *, struct mbuf *, |
---|
509 | const struct sadb_msghdr *)); |
---|
510 | static struct mbuf *key_getmsgbuf_x1 __P((struct mbuf *, |
---|
511 | const struct sadb_msghdr *)); |
---|
512 | static int key_delete __P((struct socket *, struct mbuf *, |
---|
513 | const struct sadb_msghdr *)); |
---|
514 | static int key_get __P((struct socket *, struct mbuf *, |
---|
515 | const struct sadb_msghdr *)); |
---|
516 | |
---|
517 | static void key_getcomb_setlifetime __P((struct sadb_comb *)); |
---|
518 | static struct mbuf *key_getcomb_esp __P((void)); |
---|
519 | static struct mbuf *key_getcomb_ah __P((void)); |
---|
520 | static struct mbuf *key_getcomb_ipcomp __P((void)); |
---|
521 | static struct mbuf *key_getprop __P((const struct secasindex *)); |
---|
522 | |
---|
523 | static int key_acquire __P((const struct secasindex *, struct secpolicy *)); |
---|
524 | static struct secacq *key_newacq __P((const struct secasindex *)); |
---|
525 | static struct secacq *key_getacq __P((const struct secasindex *)); |
---|
526 | static struct secacq *key_getacqbyseq __P((u_int32_t)); |
---|
527 | static struct secspacq *key_newspacq __P((struct secpolicyindex *)); |
---|
528 | static struct secspacq *key_getspacq __P((struct secpolicyindex *)); |
---|
529 | static int key_acquire2 __P((struct socket *, struct mbuf *, |
---|
530 | const struct sadb_msghdr *)); |
---|
531 | static int key_register __P((struct socket *, struct mbuf *, |
---|
532 | const struct sadb_msghdr *)); |
---|
533 | static int key_expire __P((struct secasvar *)); |
---|
534 | static int key_flush __P((struct socket *, struct mbuf *, |
---|
535 | const struct sadb_msghdr *)); |
---|
536 | static int key_dump __P((struct socket *, struct mbuf *, |
---|
537 | const struct sadb_msghdr *)); |
---|
538 | static int key_promisc __P((struct socket *, struct mbuf *, |
---|
539 | const struct sadb_msghdr *)); |
---|
540 | static int key_senderror __P((struct socket *, struct mbuf *, int)); |
---|
541 | static int key_validate_ext __P((const struct sadb_ext *, int)); |
---|
542 | static int key_align __P((struct mbuf *, struct sadb_msghdr *)); |
---|
543 | static struct mbuf *key_setlifetime(struct seclifetime *src, |
---|
544 | u_int16_t exttype); |
---|
545 | static struct mbuf *key_setkey(struct seckey *src, u_int16_t exttype); |
---|
546 | |
---|
547 | #if 0 |
---|
548 | static const char *key_getfqdn __P((void)); |
---|
549 | static const char *key_getuserfqdn __P((void)); |
---|
550 | #endif |
---|
551 | static void key_sa_chgstate __P((struct secasvar *, u_int8_t)); |
---|
552 | static struct mbuf *key_alloc_mbuf __P((int)); |
---|
553 | |
---|
554 | static __inline void |
---|
555 | sa_initref(struct secasvar *sav) |
---|
556 | { |
---|
557 | |
---|
558 | refcount_init(&sav->refcnt, 1); |
---|
559 | } |
---|
560 | static __inline void |
---|
561 | sa_addref(struct secasvar *sav) |
---|
562 | { |
---|
563 | |
---|
564 | refcount_acquire(&sav->refcnt); |
---|
565 | IPSEC_ASSERT(sav->refcnt != 0, ("SA refcnt overflow")); |
---|
566 | } |
---|
567 | static __inline int |
---|
568 | sa_delref(struct secasvar *sav) |
---|
569 | { |
---|
570 | |
---|
571 | IPSEC_ASSERT(sav->refcnt > 0, ("SA refcnt underflow")); |
---|
572 | return (refcount_release(&sav->refcnt)); |
---|
573 | } |
---|
574 | |
---|
575 | #define SP_ADDREF(p) do { \ |
---|
576 | (p)->refcnt++; \ |
---|
577 | IPSEC_ASSERT((p)->refcnt != 0, ("SP refcnt overflow")); \ |
---|
578 | } while (0) |
---|
579 | #define SP_DELREF(p) do { \ |
---|
580 | IPSEC_ASSERT((p)->refcnt > 0, ("SP refcnt underflow")); \ |
---|
581 | (p)->refcnt--; \ |
---|
582 | } while (0) |
---|
583 | |
---|
584 | |
---|
585 | /* |
---|
586 | * Update the refcnt while holding the SPTREE lock. |
---|
587 | */ |
---|
588 | void |
---|
589 | key_addref(struct secpolicy *sp) |
---|
590 | { |
---|
591 | SPTREE_LOCK(); |
---|
592 | SP_ADDREF(sp); |
---|
593 | SPTREE_UNLOCK(); |
---|
594 | } |
---|
595 | |
---|
596 | /* |
---|
597 | * Return 0 when there are known to be no SP's for the specified |
---|
598 | * direction. Otherwise return 1. This is used by IPsec code |
---|
599 | * to optimize performance. |
---|
600 | */ |
---|
601 | int |
---|
602 | key_havesp(u_int dir) |
---|
603 | { |
---|
604 | |
---|
605 | return (dir == IPSEC_DIR_INBOUND || dir == IPSEC_DIR_OUTBOUND ? |
---|
606 | LIST_FIRST(&V_sptree[dir]) != NULL : 1); |
---|
607 | } |
---|
608 | |
---|
609 | /* %%% IPsec policy management */ |
---|
610 | /* |
---|
611 | * allocating a SP for OUTBOUND or INBOUND packet. |
---|
612 | * Must call key_freesp() later. |
---|
613 | * OUT: NULL: not found |
---|
614 | * others: found and return the pointer. |
---|
615 | */ |
---|
616 | struct secpolicy * |
---|
617 | key_allocsp(struct secpolicyindex *spidx, u_int dir, const char* where, int tag) |
---|
618 | { |
---|
619 | struct secpolicy *sp; |
---|
620 | |
---|
621 | IPSEC_ASSERT(spidx != NULL, ("null spidx")); |
---|
622 | IPSEC_ASSERT(dir == IPSEC_DIR_INBOUND || dir == IPSEC_DIR_OUTBOUND, |
---|
623 | ("invalid direction %u", dir)); |
---|
624 | |
---|
625 | KEYDEBUG(KEYDEBUG_IPSEC_STAMP, |
---|
626 | printf("DP %s from %s:%u\n", __func__, where, tag)); |
---|
627 | |
---|
628 | /* get a SP entry */ |
---|
629 | KEYDEBUG(KEYDEBUG_IPSEC_DATA, |
---|
630 | printf("*** objects\n"); |
---|
631 | kdebug_secpolicyindex(spidx)); |
---|
632 | |
---|
633 | SPTREE_LOCK(); |
---|
634 | LIST_FOREACH(sp, &V_sptree[dir], chain) { |
---|
635 | KEYDEBUG(KEYDEBUG_IPSEC_DATA, |
---|
636 | printf("*** in SPD\n"); |
---|
637 | kdebug_secpolicyindex(&sp->spidx)); |
---|
638 | |
---|
639 | if (sp->state == IPSEC_SPSTATE_DEAD) |
---|
640 | continue; |
---|
641 | if (key_cmpspidx_withmask(&sp->spidx, spidx)) |
---|
642 | goto found; |
---|
643 | } |
---|
644 | sp = NULL; |
---|
645 | found: |
---|
646 | if (sp) { |
---|
647 | /* sanity check */ |
---|
648 | KEY_CHKSPDIR(sp->spidx.dir, dir, __func__); |
---|
649 | |
---|
650 | /* found a SPD entry */ |
---|
651 | sp->lastused = time_second; |
---|
652 | SP_ADDREF(sp); |
---|
653 | } |
---|
654 | SPTREE_UNLOCK(); |
---|
655 | |
---|
656 | KEYDEBUG(KEYDEBUG_IPSEC_STAMP, |
---|
657 | printf("DP %s return SP:%p (ID=%u) refcnt %u\n", __func__, |
---|
658 | sp, sp ? sp->id : 0, sp ? sp->refcnt : 0)); |
---|
659 | return sp; |
---|
660 | } |
---|
661 | |
---|
662 | /* |
---|
663 | * allocating a SP for OUTBOUND or INBOUND packet. |
---|
664 | * Must call key_freesp() later. |
---|
665 | * OUT: NULL: not found |
---|
666 | * others: found and return the pointer. |
---|
667 | */ |
---|
668 | struct secpolicy * |
---|
669 | key_allocsp2(u_int32_t spi, |
---|
670 | union sockaddr_union *dst, |
---|
671 | u_int8_t proto, |
---|
672 | u_int dir, |
---|
673 | const char* where, int tag) |
---|
674 | { |
---|
675 | struct secpolicy *sp; |
---|
676 | |
---|
677 | IPSEC_ASSERT(dst != NULL, ("null dst")); |
---|
678 | IPSEC_ASSERT(dir == IPSEC_DIR_INBOUND || dir == IPSEC_DIR_OUTBOUND, |
---|
679 | ("invalid direction %u", dir)); |
---|
680 | |
---|
681 | KEYDEBUG(KEYDEBUG_IPSEC_STAMP, |
---|
682 | printf("DP %s from %s:%u\n", __func__, where, tag)); |
---|
683 | |
---|
684 | /* get a SP entry */ |
---|
685 | KEYDEBUG(KEYDEBUG_IPSEC_DATA, |
---|
686 | printf("*** objects\n"); |
---|
687 | printf("spi %u proto %u dir %u\n", spi, proto, dir); |
---|
688 | kdebug_sockaddr(&dst->sa)); |
---|
689 | |
---|
690 | SPTREE_LOCK(); |
---|
691 | LIST_FOREACH(sp, &V_sptree[dir], chain) { |
---|
692 | KEYDEBUG(KEYDEBUG_IPSEC_DATA, |
---|
693 | printf("*** in SPD\n"); |
---|
694 | kdebug_secpolicyindex(&sp->spidx)); |
---|
695 | |
---|
696 | if (sp->state == IPSEC_SPSTATE_DEAD) |
---|
697 | continue; |
---|
698 | /* compare simple values, then dst address */ |
---|
699 | if (sp->spidx.ul_proto != proto) |
---|
700 | continue; |
---|
701 | /* NB: spi's must exist and match */ |
---|
702 | if (!sp->req || !sp->req->sav || sp->req->sav->spi != spi) |
---|
703 | continue; |
---|
704 | if (key_sockaddrcmp(&sp->spidx.dst.sa, &dst->sa, 1) == 0) |
---|
705 | goto found; |
---|
706 | } |
---|
707 | sp = NULL; |
---|
708 | found: |
---|
709 | if (sp) { |
---|
710 | /* sanity check */ |
---|
711 | KEY_CHKSPDIR(sp->spidx.dir, dir, __func__); |
---|
712 | |
---|
713 | /* found a SPD entry */ |
---|
714 | sp->lastused = time_second; |
---|
715 | SP_ADDREF(sp); |
---|
716 | } |
---|
717 | SPTREE_UNLOCK(); |
---|
718 | |
---|
719 | KEYDEBUG(KEYDEBUG_IPSEC_STAMP, |
---|
720 | printf("DP %s return SP:%p (ID=%u) refcnt %u\n", __func__, |
---|
721 | sp, sp ? sp->id : 0, sp ? sp->refcnt : 0)); |
---|
722 | return sp; |
---|
723 | } |
---|
724 | |
---|
725 | #if 0 |
---|
726 | /* |
---|
727 | * return a policy that matches this particular inbound packet. |
---|
728 | * XXX slow |
---|
729 | */ |
---|
730 | struct secpolicy * |
---|
731 | key_gettunnel(const struct sockaddr *osrc, |
---|
732 | const struct sockaddr *odst, |
---|
733 | const struct sockaddr *isrc, |
---|
734 | const struct sockaddr *idst, |
---|
735 | const char* where, int tag) |
---|
736 | { |
---|
737 | struct secpolicy *sp; |
---|
738 | const int dir = IPSEC_DIR_INBOUND; |
---|
739 | struct ipsecrequest *r1, *r2, *p; |
---|
740 | struct secpolicyindex spidx; |
---|
741 | |
---|
742 | KEYDEBUG(KEYDEBUG_IPSEC_STAMP, |
---|
743 | printf("DP %s from %s:%u\n", __func__, where, tag)); |
---|
744 | |
---|
745 | if (isrc->sa_family != idst->sa_family) { |
---|
746 | ipseclog((LOG_ERR, "%s: protocol family mismatched %d != %d\n.", |
---|
747 | __func__, isrc->sa_family, idst->sa_family)); |
---|
748 | sp = NULL; |
---|
749 | goto done; |
---|
750 | } |
---|
751 | |
---|
752 | SPTREE_LOCK(); |
---|
753 | LIST_FOREACH(sp, &V_sptree[dir], chain) { |
---|
754 | if (sp->state == IPSEC_SPSTATE_DEAD) |
---|
755 | continue; |
---|
756 | |
---|
757 | r1 = r2 = NULL; |
---|
758 | for (p = sp->req; p; p = p->next) { |
---|
759 | if (p->saidx.mode != IPSEC_MODE_TUNNEL) |
---|
760 | continue; |
---|
761 | |
---|
762 | r1 = r2; |
---|
763 | r2 = p; |
---|
764 | |
---|
765 | if (!r1) { |
---|
766 | /* here we look at address matches only */ |
---|
767 | spidx = sp->spidx; |
---|
768 | if (isrc->sa_len > sizeof(spidx.src) || |
---|
769 | idst->sa_len > sizeof(spidx.dst)) |
---|
770 | continue; |
---|
771 | bcopy(isrc, &spidx.src, isrc->sa_len); |
---|
772 | bcopy(idst, &spidx.dst, idst->sa_len); |
---|
773 | if (!key_cmpspidx_withmask(&sp->spidx, &spidx)) |
---|
774 | continue; |
---|
775 | } else { |
---|
776 | if (key_sockaddrcmp(&r1->saidx.src.sa, isrc, 0) || |
---|
777 | key_sockaddrcmp(&r1->saidx.dst.sa, idst, 0)) |
---|
778 | continue; |
---|
779 | } |
---|
780 | |
---|
781 | if (key_sockaddrcmp(&r2->saidx.src.sa, osrc, 0) || |
---|
782 | key_sockaddrcmp(&r2->saidx.dst.sa, odst, 0)) |
---|
783 | continue; |
---|
784 | |
---|
785 | goto found; |
---|
786 | } |
---|
787 | } |
---|
788 | sp = NULL; |
---|
789 | found: |
---|
790 | if (sp) { |
---|
791 | sp->lastused = time_second; |
---|
792 | SP_ADDREF(sp); |
---|
793 | } |
---|
794 | SPTREE_UNLOCK(); |
---|
795 | done: |
---|
796 | KEYDEBUG(KEYDEBUG_IPSEC_STAMP, |
---|
797 | printf("DP %s return SP:%p (ID=%u) refcnt %u\n", __func__, |
---|
798 | sp, sp ? sp->id : 0, sp ? sp->refcnt : 0)); |
---|
799 | return sp; |
---|
800 | } |
---|
801 | #endif |
---|
802 | |
---|
803 | /* |
---|
804 | * allocating an SA entry for an *OUTBOUND* packet. |
---|
805 | * checking each request entries in SP, and acquire an SA if need. |
---|
806 | * OUT: 0: there are valid requests. |
---|
807 | * ENOENT: policy may be valid, but SA with REQUIRE is on acquiring. |
---|
808 | */ |
---|
809 | int |
---|
810 | key_checkrequest(struct ipsecrequest *isr, const struct secasindex *saidx) |
---|
811 | { |
---|
812 | u_int level; |
---|
813 | int error; |
---|
814 | struct secasvar *sav; |
---|
815 | |
---|
816 | IPSEC_ASSERT(isr != NULL, ("null isr")); |
---|
817 | IPSEC_ASSERT(saidx != NULL, ("null saidx")); |
---|
818 | IPSEC_ASSERT(saidx->mode == IPSEC_MODE_TRANSPORT || |
---|
819 | saidx->mode == IPSEC_MODE_TUNNEL, |
---|
820 | ("unexpected policy %u", saidx->mode)); |
---|
821 | |
---|
822 | /* |
---|
823 | * XXX guard against protocol callbacks from the crypto |
---|
824 | * thread as they reference ipsecrequest.sav which we |
---|
825 | * temporarily null out below. Need to rethink how we |
---|
826 | * handle bundled SA's in the callback thread. |
---|
827 | */ |
---|
828 | IPSECREQUEST_LOCK_ASSERT(isr); |
---|
829 | |
---|
830 | /* get current level */ |
---|
831 | level = ipsec_get_reqlevel(isr); |
---|
832 | |
---|
833 | /* |
---|
834 | * We check new SA in the IPsec request because a different |
---|
835 | * SA may be involved each time this request is checked, either |
---|
836 | * because new SAs are being configured, or this request is |
---|
837 | * associated with an unconnected datagram socket, or this request |
---|
838 | * is associated with a system default policy. |
---|
839 | * |
---|
840 | * key_allocsa_policy should allocate the oldest SA available. |
---|
841 | * See key_do_allocsa_policy(), and draft-jenkins-ipsec-rekeying-03.txt. |
---|
842 | */ |
---|
843 | sav = key_allocsa_policy(saidx); |
---|
844 | if (sav != isr->sav) { |
---|
845 | /* SA need to be updated. */ |
---|
846 | if (!IPSECREQUEST_UPGRADE(isr)) { |
---|
847 | /* Kick everyone off. */ |
---|
848 | IPSECREQUEST_UNLOCK(isr); |
---|
849 | IPSECREQUEST_WLOCK(isr); |
---|
850 | } |
---|
851 | if (isr->sav != NULL) |
---|
852 | KEY_FREESAV(&isr->sav); |
---|
853 | isr->sav = sav; |
---|
854 | IPSECREQUEST_DOWNGRADE(isr); |
---|
855 | } else if (sav != NULL) |
---|
856 | KEY_FREESAV(&sav); |
---|
857 | |
---|
858 | /* When there is SA. */ |
---|
859 | if (isr->sav != NULL) { |
---|
860 | if (isr->sav->state != SADB_SASTATE_MATURE && |
---|
861 | isr->sav->state != SADB_SASTATE_DYING) |
---|
862 | return EINVAL; |
---|
863 | return 0; |
---|
864 | } |
---|
865 | |
---|
866 | /* there is no SA */ |
---|
867 | error = key_acquire(saidx, isr->sp); |
---|
868 | if (error != 0) { |
---|
869 | /* XXX What should I do ? */ |
---|
870 | ipseclog((LOG_DEBUG, "%s: error %d returned from key_acquire\n", |
---|
871 | __func__, error)); |
---|
872 | return error; |
---|
873 | } |
---|
874 | |
---|
875 | if (level != IPSEC_LEVEL_REQUIRE) { |
---|
876 | /* XXX sigh, the interface to this routine is botched */ |
---|
877 | IPSEC_ASSERT(isr->sav == NULL, ("unexpected SA")); |
---|
878 | return 0; |
---|
879 | } else { |
---|
880 | return ENOENT; |
---|
881 | } |
---|
882 | } |
---|
883 | |
---|
884 | /* |
---|
885 | * allocating a SA for policy entry from SAD. |
---|
886 | * NOTE: searching SAD of aliving state. |
---|
887 | * OUT: NULL: not found. |
---|
888 | * others: found and return the pointer. |
---|
889 | */ |
---|
890 | static struct secasvar * |
---|
891 | key_allocsa_policy(const struct secasindex *saidx) |
---|
892 | { |
---|
893 | #define N(a) _ARRAYLEN(a) |
---|
894 | struct secashead *sah; |
---|
895 | struct secasvar *sav; |
---|
896 | u_int stateidx, arraysize; |
---|
897 | const u_int *state_valid; |
---|
898 | |
---|
899 | state_valid = NULL; /* silence gcc */ |
---|
900 | arraysize = 0; /* silence gcc */ |
---|
901 | |
---|
902 | SAHTREE_LOCK(); |
---|
903 | LIST_FOREACH(sah, &V_sahtree, chain) { |
---|
904 | if (sah->state == SADB_SASTATE_DEAD) |
---|
905 | continue; |
---|
906 | if (key_cmpsaidx(&sah->saidx, saidx, CMP_MODE_REQID)) { |
---|
907 | if (V_key_preferred_oldsa) { |
---|
908 | state_valid = saorder_state_valid_prefer_old; |
---|
909 | arraysize = N(saorder_state_valid_prefer_old); |
---|
910 | } else { |
---|
911 | state_valid = saorder_state_valid_prefer_new; |
---|
912 | arraysize = N(saorder_state_valid_prefer_new); |
---|
913 | } |
---|
914 | break; |
---|
915 | } |
---|
916 | } |
---|
917 | SAHTREE_UNLOCK(); |
---|
918 | if (sah == NULL) |
---|
919 | return NULL; |
---|
920 | |
---|
921 | /* search valid state */ |
---|
922 | for (stateidx = 0; stateidx < arraysize; stateidx++) { |
---|
923 | sav = key_do_allocsa_policy(sah, state_valid[stateidx]); |
---|
924 | if (sav != NULL) |
---|
925 | return sav; |
---|
926 | } |
---|
927 | |
---|
928 | return NULL; |
---|
929 | #undef N |
---|
930 | } |
---|
931 | |
---|
932 | /* |
---|
933 | * searching SAD with direction, protocol, mode and state. |
---|
934 | * called by key_allocsa_policy(). |
---|
935 | * OUT: |
---|
936 | * NULL : not found |
---|
937 | * others : found, pointer to a SA. |
---|
938 | */ |
---|
939 | static struct secasvar * |
---|
940 | key_do_allocsa_policy(struct secashead *sah, u_int state) |
---|
941 | { |
---|
942 | struct secasvar *sav, *nextsav, *candidate, *d; |
---|
943 | |
---|
944 | /* initilize */ |
---|
945 | candidate = NULL; |
---|
946 | |
---|
947 | SAHTREE_LOCK(); |
---|
948 | for (sav = LIST_FIRST(&sah->savtree[state]); |
---|
949 | sav != NULL; |
---|
950 | sav = nextsav) { |
---|
951 | |
---|
952 | nextsav = LIST_NEXT(sav, chain); |
---|
953 | |
---|
954 | /* sanity check */ |
---|
955 | KEY_CHKSASTATE(sav->state, state, __func__); |
---|
956 | |
---|
957 | /* initialize */ |
---|
958 | if (candidate == NULL) { |
---|
959 | candidate = sav; |
---|
960 | continue; |
---|
961 | } |
---|
962 | |
---|
963 | /* Which SA is the better ? */ |
---|
964 | |
---|
965 | IPSEC_ASSERT(candidate->lft_c != NULL, |
---|
966 | ("null candidate lifetime")); |
---|
967 | IPSEC_ASSERT(sav->lft_c != NULL, ("null sav lifetime")); |
---|
968 | |
---|
969 | /* What the best method is to compare ? */ |
---|
970 | if (V_key_preferred_oldsa) { |
---|
971 | if (candidate->lft_c->addtime > |
---|
972 | sav->lft_c->addtime) { |
---|
973 | candidate = sav; |
---|
974 | } |
---|
975 | continue; |
---|
976 | /*NOTREACHED*/ |
---|
977 | } |
---|
978 | |
---|
979 | /* preferred new sa rather than old sa */ |
---|
980 | if (candidate->lft_c->addtime < |
---|
981 | sav->lft_c->addtime) { |
---|
982 | d = candidate; |
---|
983 | candidate = sav; |
---|
984 | } else |
---|
985 | d = sav; |
---|
986 | |
---|
987 | /* |
---|
988 | * prepared to delete the SA when there is more |
---|
989 | * suitable candidate and the lifetime of the SA is not |
---|
990 | * permanent. |
---|
991 | */ |
---|
992 | if (d->lft_h->addtime != 0) { |
---|
993 | struct mbuf *m, *result; |
---|
994 | u_int8_t satype; |
---|
995 | |
---|
996 | key_sa_chgstate(d, SADB_SASTATE_DEAD); |
---|
997 | |
---|
998 | IPSEC_ASSERT(d->refcnt > 0, ("bogus ref count")); |
---|
999 | |
---|
1000 | satype = key_proto2satype(d->sah->saidx.proto); |
---|
1001 | if (satype == 0) |
---|
1002 | goto msgfail; |
---|
1003 | |
---|
1004 | m = key_setsadbmsg(SADB_DELETE, 0, |
---|
1005 | satype, 0, 0, d->refcnt - 1); |
---|
1006 | if (!m) |
---|
1007 | goto msgfail; |
---|
1008 | result = m; |
---|
1009 | |
---|
1010 | /* set sadb_address for saidx's. */ |
---|
1011 | m = key_setsadbaddr(SADB_EXT_ADDRESS_SRC, |
---|
1012 | &d->sah->saidx.src.sa, |
---|
1013 | d->sah->saidx.src.sa.sa_len << 3, |
---|
1014 | IPSEC_ULPROTO_ANY); |
---|
1015 | if (!m) |
---|
1016 | goto msgfail; |
---|
1017 | m_cat(result, m); |
---|
1018 | |
---|
1019 | /* set sadb_address for saidx's. */ |
---|
1020 | m = key_setsadbaddr(SADB_EXT_ADDRESS_DST, |
---|
1021 | &d->sah->saidx.dst.sa, |
---|
1022 | d->sah->saidx.dst.sa.sa_len << 3, |
---|
1023 | IPSEC_ULPROTO_ANY); |
---|
1024 | if (!m) |
---|
1025 | goto msgfail; |
---|
1026 | m_cat(result, m); |
---|
1027 | |
---|
1028 | /* create SA extension */ |
---|
1029 | m = key_setsadbsa(d); |
---|
1030 | if (!m) |
---|
1031 | goto msgfail; |
---|
1032 | m_cat(result, m); |
---|
1033 | |
---|
1034 | if (result->m_len < sizeof(struct sadb_msg)) { |
---|
1035 | result = m_pullup(result, |
---|
1036 | sizeof(struct sadb_msg)); |
---|
1037 | if (result == NULL) |
---|
1038 | goto msgfail; |
---|
1039 | } |
---|
1040 | |
---|
1041 | result->m_pkthdr.len = 0; |
---|
1042 | for (m = result; m; m = m->m_next) |
---|
1043 | result->m_pkthdr.len += m->m_len; |
---|
1044 | mtod(result, struct sadb_msg *)->sadb_msg_len = |
---|
1045 | PFKEY_UNIT64(result->m_pkthdr.len); |
---|
1046 | |
---|
1047 | if (key_sendup_mbuf(NULL, result, |
---|
1048 | KEY_SENDUP_REGISTERED)) |
---|
1049 | goto msgfail; |
---|
1050 | msgfail: |
---|
1051 | KEY_FREESAV(&d); |
---|
1052 | } |
---|
1053 | } |
---|
1054 | if (candidate) { |
---|
1055 | sa_addref(candidate); |
---|
1056 | KEYDEBUG(KEYDEBUG_IPSEC_STAMP, |
---|
1057 | printf("DP %s cause refcnt++:%d SA:%p\n", |
---|
1058 | __func__, candidate->refcnt, candidate)); |
---|
1059 | } |
---|
1060 | SAHTREE_UNLOCK(); |
---|
1061 | |
---|
1062 | return candidate; |
---|
1063 | } |
---|
1064 | |
---|
1065 | /* |
---|
1066 | * allocating a usable SA entry for a *INBOUND* packet. |
---|
1067 | * Must call key_freesav() later. |
---|
1068 | * OUT: positive: pointer to a usable sav (i.e. MATURE or DYING state). |
---|
1069 | * NULL: not found, or error occured. |
---|
1070 | * |
---|
1071 | * In the comparison, no source address is used--for RFC2401 conformance. |
---|
1072 | * To quote, from section 4.1: |
---|
1073 | * A security association is uniquely identified by a triple consisting |
---|
1074 | * of a Security Parameter Index (SPI), an IP Destination Address, and a |
---|
1075 | * security protocol (AH or ESP) identifier. |
---|
1076 | * Note that, however, we do need to keep source address in IPsec SA. |
---|
1077 | * IKE specification and PF_KEY specification do assume that we |
---|
1078 | * keep source address in IPsec SA. We see a tricky situation here. |
---|
1079 | */ |
---|
1080 | struct secasvar * |
---|
1081 | key_allocsa( |
---|
1082 | union sockaddr_union *dst, |
---|
1083 | u_int proto, |
---|
1084 | u_int32_t spi, |
---|
1085 | const char* where, int tag) |
---|
1086 | { |
---|
1087 | struct secashead *sah; |
---|
1088 | struct secasvar *sav; |
---|
1089 | u_int stateidx, arraysize, state; |
---|
1090 | const u_int *saorder_state_valid; |
---|
1091 | int chkport; |
---|
1092 | |
---|
1093 | IPSEC_ASSERT(dst != NULL, ("null dst address")); |
---|
1094 | |
---|
1095 | KEYDEBUG(KEYDEBUG_IPSEC_STAMP, |
---|
1096 | printf("DP %s from %s:%u\n", __func__, where, tag)); |
---|
1097 | |
---|
1098 | #ifdef IPSEC_NAT_T |
---|
1099 | chkport = (dst->sa.sa_family == AF_INET && |
---|
1100 | dst->sa.sa_len == sizeof(struct sockaddr_in) && |
---|
1101 | dst->sin.sin_port != 0); |
---|
1102 | #else |
---|
1103 | chkport = 0; |
---|
1104 | #endif |
---|
1105 | |
---|
1106 | /* |
---|
1107 | * searching SAD. |
---|
1108 | * XXX: to be checked internal IP header somewhere. Also when |
---|
1109 | * IPsec tunnel packet is received. But ESP tunnel mode is |
---|
1110 | * encrypted so we can't check internal IP header. |
---|
1111 | */ |
---|
1112 | SAHTREE_LOCK(); |
---|
1113 | if (V_key_preferred_oldsa) { |
---|
1114 | saorder_state_valid = saorder_state_valid_prefer_old; |
---|
1115 | arraysize = _ARRAYLEN(saorder_state_valid_prefer_old); |
---|
1116 | } else { |
---|
1117 | saorder_state_valid = saorder_state_valid_prefer_new; |
---|
1118 | arraysize = _ARRAYLEN(saorder_state_valid_prefer_new); |
---|
1119 | } |
---|
1120 | LIST_FOREACH(sah, &V_sahtree, chain) { |
---|
1121 | /* search valid state */ |
---|
1122 | for (stateidx = 0; stateidx < arraysize; stateidx++) { |
---|
1123 | state = saorder_state_valid[stateidx]; |
---|
1124 | LIST_FOREACH(sav, &sah->savtree[state], chain) { |
---|
1125 | /* sanity check */ |
---|
1126 | KEY_CHKSASTATE(sav->state, state, __func__); |
---|
1127 | /* do not return entries w/ unusable state */ |
---|
1128 | if (sav->state != SADB_SASTATE_MATURE && |
---|
1129 | sav->state != SADB_SASTATE_DYING) |
---|
1130 | continue; |
---|
1131 | if (proto != sav->sah->saidx.proto) |
---|
1132 | continue; |
---|
1133 | if (spi != sav->spi) |
---|
1134 | continue; |
---|
1135 | #if 0 /* don't check src */ |
---|
1136 | /* check src address */ |
---|
1137 | if (key_sockaddrcmp(&src->sa, &sav->sah->saidx.src.sa, chkport) != 0) |
---|
1138 | continue; |
---|
1139 | #endif |
---|
1140 | /* check dst address */ |
---|
1141 | if (key_sockaddrcmp(&dst->sa, &sav->sah->saidx.dst.sa, chkport) != 0) |
---|
1142 | continue; |
---|
1143 | sa_addref(sav); |
---|
1144 | goto done; |
---|
1145 | } |
---|
1146 | } |
---|
1147 | } |
---|
1148 | sav = NULL; |
---|
1149 | done: |
---|
1150 | SAHTREE_UNLOCK(); |
---|
1151 | |
---|
1152 | KEYDEBUG(KEYDEBUG_IPSEC_STAMP, |
---|
1153 | printf("DP %s return SA:%p; refcnt %u\n", __func__, |
---|
1154 | sav, sav ? sav->refcnt : 0)); |
---|
1155 | return sav; |
---|
1156 | } |
---|
1157 | |
---|
1158 | /* |
---|
1159 | * Must be called after calling key_allocsp(). |
---|
1160 | * For both the packet without socket and key_freeso(). |
---|
1161 | */ |
---|
1162 | void |
---|
1163 | _key_freesp(struct secpolicy **spp, const char* where, int tag) |
---|
1164 | { |
---|
1165 | struct secpolicy *sp = *spp; |
---|
1166 | |
---|
1167 | IPSEC_ASSERT(sp != NULL, ("null sp")); |
---|
1168 | |
---|
1169 | SPTREE_LOCK(); |
---|
1170 | SP_DELREF(sp); |
---|
1171 | |
---|
1172 | KEYDEBUG(KEYDEBUG_IPSEC_STAMP, |
---|
1173 | printf("DP %s SP:%p (ID=%u) from %s:%u; refcnt now %u\n", |
---|
1174 | __func__, sp, sp->id, where, tag, sp->refcnt)); |
---|
1175 | |
---|
1176 | if (sp->refcnt == 0) { |
---|
1177 | *spp = NULL; |
---|
1178 | key_delsp(sp); |
---|
1179 | } |
---|
1180 | SPTREE_UNLOCK(); |
---|
1181 | } |
---|
1182 | |
---|
1183 | /* |
---|
1184 | * Must be called after calling key_allocsp(). |
---|
1185 | * For the packet with socket. |
---|
1186 | */ |
---|
1187 | void |
---|
1188 | key_freeso(struct socket *so) |
---|
1189 | { |
---|
1190 | IPSEC_ASSERT(so != NULL, ("null so")); |
---|
1191 | |
---|
1192 | switch (so->so_proto->pr_domain->dom_family) { |
---|
1193 | #if defined(INET) || defined(INET6) |
---|
1194 | #ifdef INET |
---|
1195 | case PF_INET: |
---|
1196 | #endif |
---|
1197 | #ifdef INET6 |
---|
1198 | case PF_INET6: |
---|
1199 | #endif |
---|
1200 | { |
---|
1201 | struct inpcb *pcb = sotoinpcb(so); |
---|
1202 | |
---|
1203 | /* Does it have a PCB ? */ |
---|
1204 | if (pcb == NULL) |
---|
1205 | return; |
---|
1206 | key_freesp_so(&pcb->inp_sp->sp_in); |
---|
1207 | key_freesp_so(&pcb->inp_sp->sp_out); |
---|
1208 | } |
---|
1209 | break; |
---|
1210 | #endif /* INET || INET6 */ |
---|
1211 | default: |
---|
1212 | ipseclog((LOG_DEBUG, "%s: unknown address family=%d.\n", |
---|
1213 | __func__, so->so_proto->pr_domain->dom_family)); |
---|
1214 | return; |
---|
1215 | } |
---|
1216 | } |
---|
1217 | |
---|
1218 | static void |
---|
1219 | key_freesp_so(struct secpolicy **sp) |
---|
1220 | { |
---|
1221 | IPSEC_ASSERT(sp != NULL && *sp != NULL, ("null sp")); |
---|
1222 | |
---|
1223 | if ((*sp)->policy == IPSEC_POLICY_ENTRUST || |
---|
1224 | (*sp)->policy == IPSEC_POLICY_BYPASS) |
---|
1225 | return; |
---|
1226 | |
---|
1227 | IPSEC_ASSERT((*sp)->policy == IPSEC_POLICY_IPSEC, |
---|
1228 | ("invalid policy %u", (*sp)->policy)); |
---|
1229 | KEY_FREESP(sp); |
---|
1230 | } |
---|
1231 | |
---|
1232 | void |
---|
1233 | key_addrefsa(struct secasvar *sav, const char* where, int tag) |
---|
1234 | { |
---|
1235 | |
---|
1236 | IPSEC_ASSERT(sav != NULL, ("null sav")); |
---|
1237 | IPSEC_ASSERT(sav->refcnt > 0, ("refcount must exist")); |
---|
1238 | |
---|
1239 | sa_addref(sav); |
---|
1240 | } |
---|
1241 | |
---|
1242 | /* |
---|
1243 | * Must be called after calling key_allocsa(). |
---|
1244 | * This function is called by key_freesp() to free some SA allocated |
---|
1245 | * for a policy. |
---|
1246 | */ |
---|
1247 | void |
---|
1248 | key_freesav(struct secasvar **psav, const char* where, int tag) |
---|
1249 | { |
---|
1250 | struct secasvar *sav = *psav; |
---|
1251 | |
---|
1252 | IPSEC_ASSERT(sav != NULL, ("null sav")); |
---|
1253 | |
---|
1254 | if (sa_delref(sav)) { |
---|
1255 | KEYDEBUG(KEYDEBUG_IPSEC_STAMP, |
---|
1256 | printf("DP %s SA:%p (SPI %u) from %s:%u; refcnt now %u\n", |
---|
1257 | __func__, sav, ntohl(sav->spi), where, tag, sav->refcnt)); |
---|
1258 | *psav = NULL; |
---|
1259 | key_delsav(sav); |
---|
1260 | } else { |
---|
1261 | KEYDEBUG(KEYDEBUG_IPSEC_STAMP, |
---|
1262 | printf("DP %s SA:%p (SPI %u) from %s:%u; refcnt now %u\n", |
---|
1263 | __func__, sav, ntohl(sav->spi), where, tag, sav->refcnt)); |
---|
1264 | } |
---|
1265 | } |
---|
1266 | |
---|
1267 | /* %%% SPD management */ |
---|
1268 | /* |
---|
1269 | * free security policy entry. |
---|
1270 | */ |
---|
1271 | static void |
---|
1272 | key_delsp(struct secpolicy *sp) |
---|
1273 | { |
---|
1274 | struct ipsecrequest *isr, *nextisr; |
---|
1275 | |
---|
1276 | IPSEC_ASSERT(sp != NULL, ("null sp")); |
---|
1277 | SPTREE_LOCK_ASSERT(); |
---|
1278 | |
---|
1279 | sp->state = IPSEC_SPSTATE_DEAD; |
---|
1280 | |
---|
1281 | IPSEC_ASSERT(sp->refcnt == 0, |
---|
1282 | ("SP with references deleted (refcnt %u)", sp->refcnt)); |
---|
1283 | |
---|
1284 | /* remove from SP index */ |
---|
1285 | if (__LIST_CHAINED(sp)) |
---|
1286 | LIST_REMOVE(sp, chain); |
---|
1287 | |
---|
1288 | for (isr = sp->req; isr != NULL; isr = nextisr) { |
---|
1289 | if (isr->sav != NULL) { |
---|
1290 | KEY_FREESAV(&isr->sav); |
---|
1291 | isr->sav = NULL; |
---|
1292 | } |
---|
1293 | |
---|
1294 | nextisr = isr->next; |
---|
1295 | ipsec_delisr(isr); |
---|
1296 | } |
---|
1297 | _key_delsp(sp); |
---|
1298 | } |
---|
1299 | |
---|
1300 | /* |
---|
1301 | * search SPD |
---|
1302 | * OUT: NULL : not found |
---|
1303 | * others : found, pointer to a SP. |
---|
1304 | */ |
---|
1305 | static struct secpolicy * |
---|
1306 | key_getsp(struct secpolicyindex *spidx) |
---|
1307 | { |
---|
1308 | struct secpolicy *sp; |
---|
1309 | |
---|
1310 | IPSEC_ASSERT(spidx != NULL, ("null spidx")); |
---|
1311 | |
---|
1312 | SPTREE_LOCK(); |
---|
1313 | LIST_FOREACH(sp, &V_sptree[spidx->dir], chain) { |
---|
1314 | if (sp->state == IPSEC_SPSTATE_DEAD) |
---|
1315 | continue; |
---|
1316 | if (key_cmpspidx_exactly(spidx, &sp->spidx)) { |
---|
1317 | SP_ADDREF(sp); |
---|
1318 | break; |
---|
1319 | } |
---|
1320 | } |
---|
1321 | SPTREE_UNLOCK(); |
---|
1322 | |
---|
1323 | return sp; |
---|
1324 | } |
---|
1325 | |
---|
1326 | /* |
---|
1327 | * get SP by index. |
---|
1328 | * OUT: NULL : not found |
---|
1329 | * others : found, pointer to a SP. |
---|
1330 | */ |
---|
1331 | static struct secpolicy * |
---|
1332 | key_getspbyid(u_int32_t id) |
---|
1333 | { |
---|
1334 | struct secpolicy *sp; |
---|
1335 | |
---|
1336 | SPTREE_LOCK(); |
---|
1337 | LIST_FOREACH(sp, &V_sptree[IPSEC_DIR_INBOUND], chain) { |
---|
1338 | if (sp->state == IPSEC_SPSTATE_DEAD) |
---|
1339 | continue; |
---|
1340 | if (sp->id == id) { |
---|
1341 | SP_ADDREF(sp); |
---|
1342 | goto done; |
---|
1343 | } |
---|
1344 | } |
---|
1345 | |
---|
1346 | LIST_FOREACH(sp, &V_sptree[IPSEC_DIR_OUTBOUND], chain) { |
---|
1347 | if (sp->state == IPSEC_SPSTATE_DEAD) |
---|
1348 | continue; |
---|
1349 | if (sp->id == id) { |
---|
1350 | SP_ADDREF(sp); |
---|
1351 | goto done; |
---|
1352 | } |
---|
1353 | } |
---|
1354 | done: |
---|
1355 | SPTREE_UNLOCK(); |
---|
1356 | |
---|
1357 | return sp; |
---|
1358 | } |
---|
1359 | |
---|
1360 | struct secpolicy * |
---|
1361 | key_newsp(const char* where, int tag) |
---|
1362 | { |
---|
1363 | struct secpolicy *newsp = NULL; |
---|
1364 | |
---|
1365 | newsp = (struct secpolicy *) |
---|
1366 | malloc(sizeof(struct secpolicy), M_IPSEC_SP, M_NOWAIT|M_ZERO); |
---|
1367 | if (newsp) { |
---|
1368 | SECPOLICY_LOCK_INIT(newsp); |
---|
1369 | newsp->refcnt = 1; |
---|
1370 | newsp->req = NULL; |
---|
1371 | } |
---|
1372 | |
---|
1373 | KEYDEBUG(KEYDEBUG_IPSEC_STAMP, |
---|
1374 | printf("DP %s from %s:%u return SP:%p\n", __func__, |
---|
1375 | where, tag, newsp)); |
---|
1376 | return newsp; |
---|
1377 | } |
---|
1378 | |
---|
1379 | static void |
---|
1380 | _key_delsp(struct secpolicy *sp) |
---|
1381 | { |
---|
1382 | SECPOLICY_LOCK_DESTROY(sp); |
---|
1383 | free(sp, M_IPSEC_SP); |
---|
1384 | } |
---|
1385 | |
---|
1386 | /* |
---|
1387 | * create secpolicy structure from sadb_x_policy structure. |
---|
1388 | * NOTE: `state', `secpolicyindex' in secpolicy structure are not set, |
---|
1389 | * so must be set properly later. |
---|
1390 | */ |
---|
1391 | struct secpolicy * |
---|
1392 | key_msg2sp(xpl0, len, error) |
---|
1393 | struct sadb_x_policy *xpl0; |
---|
1394 | size_t len; |
---|
1395 | int *error; |
---|
1396 | { |
---|
1397 | struct secpolicy *newsp; |
---|
1398 | |
---|
1399 | IPSEC_ASSERT(xpl0 != NULL, ("null xpl0")); |
---|
1400 | IPSEC_ASSERT(len >= sizeof(*xpl0), ("policy too short: %zu", len)); |
---|
1401 | |
---|
1402 | if (len != PFKEY_EXTLEN(xpl0)) { |
---|
1403 | ipseclog((LOG_DEBUG, "%s: Invalid msg length.\n", __func__)); |
---|
1404 | *error = EINVAL; |
---|
1405 | return NULL; |
---|
1406 | } |
---|
1407 | |
---|
1408 | if ((newsp = KEY_NEWSP()) == NULL) { |
---|
1409 | *error = ENOBUFS; |
---|
1410 | return NULL; |
---|
1411 | } |
---|
1412 | |
---|
1413 | newsp->spidx.dir = xpl0->sadb_x_policy_dir; |
---|
1414 | newsp->policy = xpl0->sadb_x_policy_type; |
---|
1415 | |
---|
1416 | /* check policy */ |
---|
1417 | switch (xpl0->sadb_x_policy_type) { |
---|
1418 | case IPSEC_POLICY_DISCARD: |
---|
1419 | case IPSEC_POLICY_NONE: |
---|
1420 | case IPSEC_POLICY_ENTRUST: |
---|
1421 | case IPSEC_POLICY_BYPASS: |
---|
1422 | newsp->req = NULL; |
---|
1423 | break; |
---|
1424 | |
---|
1425 | case IPSEC_POLICY_IPSEC: |
---|
1426 | { |
---|
1427 | int tlen; |
---|
1428 | struct sadb_x_ipsecrequest *xisr; |
---|
1429 | struct ipsecrequest **p_isr = &newsp->req; |
---|
1430 | |
---|
1431 | /* validity check */ |
---|
1432 | if (PFKEY_EXTLEN(xpl0) < sizeof(*xpl0)) { |
---|
1433 | ipseclog((LOG_DEBUG, "%s: Invalid msg length.\n", |
---|
1434 | __func__)); |
---|
1435 | KEY_FREESP(&newsp); |
---|
1436 | *error = EINVAL; |
---|
1437 | return NULL; |
---|
1438 | } |
---|
1439 | |
---|
1440 | tlen = PFKEY_EXTLEN(xpl0) - sizeof(*xpl0); |
---|
1441 | xisr = (struct sadb_x_ipsecrequest *)(xpl0 + 1); |
---|
1442 | |
---|
1443 | while (tlen > 0) { |
---|
1444 | /* length check */ |
---|
1445 | if (xisr->sadb_x_ipsecrequest_len < sizeof(*xisr)) { |
---|
1446 | ipseclog((LOG_DEBUG, "%s: invalid ipsecrequest " |
---|
1447 | "length.\n", __func__)); |
---|
1448 | KEY_FREESP(&newsp); |
---|
1449 | *error = EINVAL; |
---|
1450 | return NULL; |
---|
1451 | } |
---|
1452 | |
---|
1453 | /* allocate request buffer */ |
---|
1454 | /* NB: data structure is zero'd */ |
---|
1455 | *p_isr = ipsec_newisr(); |
---|
1456 | if ((*p_isr) == NULL) { |
---|
1457 | ipseclog((LOG_DEBUG, |
---|
1458 | "%s: No more memory.\n", __func__)); |
---|
1459 | KEY_FREESP(&newsp); |
---|
1460 | *error = ENOBUFS; |
---|
1461 | return NULL; |
---|
1462 | } |
---|
1463 | |
---|
1464 | /* set values */ |
---|
1465 | switch (xisr->sadb_x_ipsecrequest_proto) { |
---|
1466 | case IPPROTO_ESP: |
---|
1467 | case IPPROTO_AH: |
---|
1468 | case IPPROTO_IPCOMP: |
---|
1469 | break; |
---|
1470 | default: |
---|
1471 | ipseclog((LOG_DEBUG, |
---|
1472 | "%s: invalid proto type=%u\n", __func__, |
---|
1473 | xisr->sadb_x_ipsecrequest_proto)); |
---|
1474 | KEY_FREESP(&newsp); |
---|
1475 | *error = EPROTONOSUPPORT; |
---|
1476 | return NULL; |
---|
1477 | } |
---|
1478 | (*p_isr)->saidx.proto = xisr->sadb_x_ipsecrequest_proto; |
---|
1479 | |
---|
1480 | switch (xisr->sadb_x_ipsecrequest_mode) { |
---|
1481 | case IPSEC_MODE_TRANSPORT: |
---|
1482 | case IPSEC_MODE_TUNNEL: |
---|
1483 | break; |
---|
1484 | case IPSEC_MODE_ANY: |
---|
1485 | default: |
---|
1486 | ipseclog((LOG_DEBUG, |
---|
1487 | "%s: invalid mode=%u\n", __func__, |
---|
1488 | xisr->sadb_x_ipsecrequest_mode)); |
---|
1489 | KEY_FREESP(&newsp); |
---|
1490 | *error = EINVAL; |
---|
1491 | return NULL; |
---|
1492 | } |
---|
1493 | (*p_isr)->saidx.mode = xisr->sadb_x_ipsecrequest_mode; |
---|
1494 | |
---|
1495 | switch (xisr->sadb_x_ipsecrequest_level) { |
---|
1496 | case IPSEC_LEVEL_DEFAULT: |
---|
1497 | case IPSEC_LEVEL_USE: |
---|
1498 | case IPSEC_LEVEL_REQUIRE: |
---|
1499 | break; |
---|
1500 | case IPSEC_LEVEL_UNIQUE: |
---|
1501 | /* validity check */ |
---|
1502 | /* |
---|
1503 | * If range violation of reqid, kernel will |
---|
1504 | * update it, don't refuse it. |
---|
1505 | */ |
---|
1506 | if (xisr->sadb_x_ipsecrequest_reqid |
---|
1507 | > IPSEC_MANUAL_REQID_MAX) { |
---|
1508 | ipseclog((LOG_DEBUG, |
---|
1509 | "%s: reqid=%d range " |
---|
1510 | "violation, updated by kernel.\n", |
---|
1511 | __func__, |
---|
1512 | xisr->sadb_x_ipsecrequest_reqid)); |
---|
1513 | xisr->sadb_x_ipsecrequest_reqid = 0; |
---|
1514 | } |
---|
1515 | |
---|
1516 | /* allocate new reqid id if reqid is zero. */ |
---|
1517 | if (xisr->sadb_x_ipsecrequest_reqid == 0) { |
---|
1518 | u_int32_t reqid; |
---|
1519 | if ((reqid = key_newreqid()) == 0) { |
---|
1520 | KEY_FREESP(&newsp); |
---|
1521 | *error = ENOBUFS; |
---|
1522 | return NULL; |
---|
1523 | } |
---|
1524 | (*p_isr)->saidx.reqid = reqid; |
---|
1525 | xisr->sadb_x_ipsecrequest_reqid = reqid; |
---|
1526 | } else { |
---|
1527 | /* set it for manual keying. */ |
---|
1528 | (*p_isr)->saidx.reqid = |
---|
1529 | xisr->sadb_x_ipsecrequest_reqid; |
---|
1530 | } |
---|
1531 | break; |
---|
1532 | |
---|
1533 | default: |
---|
1534 | ipseclog((LOG_DEBUG, "%s: invalid level=%u\n", |
---|
1535 | __func__, |
---|
1536 | xisr->sadb_x_ipsecrequest_level)); |
---|
1537 | KEY_FREESP(&newsp); |
---|
1538 | *error = EINVAL; |
---|
1539 | return NULL; |
---|
1540 | } |
---|
1541 | (*p_isr)->level = xisr->sadb_x_ipsecrequest_level; |
---|
1542 | |
---|
1543 | /* set IP addresses if there */ |
---|
1544 | if (xisr->sadb_x_ipsecrequest_len > sizeof(*xisr)) { |
---|
1545 | struct sockaddr *paddr; |
---|
1546 | |
---|
1547 | paddr = (struct sockaddr *)(xisr + 1); |
---|
1548 | |
---|
1549 | /* validity check */ |
---|
1550 | if (paddr->sa_len |
---|
1551 | > sizeof((*p_isr)->saidx.src)) { |
---|
1552 | ipseclog((LOG_DEBUG, "%s: invalid " |
---|
1553 | "request address length.\n", |
---|
1554 | __func__)); |
---|
1555 | KEY_FREESP(&newsp); |
---|
1556 | *error = EINVAL; |
---|
1557 | return NULL; |
---|
1558 | } |
---|
1559 | bcopy(paddr, &(*p_isr)->saidx.src, |
---|
1560 | paddr->sa_len); |
---|
1561 | |
---|
1562 | paddr = (struct sockaddr *)((caddr_t)paddr |
---|
1563 | + paddr->sa_len); |
---|
1564 | |
---|
1565 | /* validity check */ |
---|
1566 | if (paddr->sa_len |
---|
1567 | > sizeof((*p_isr)->saidx.dst)) { |
---|
1568 | ipseclog((LOG_DEBUG, "%s: invalid " |
---|
1569 | "request address length.\n", |
---|
1570 | __func__)); |
---|
1571 | KEY_FREESP(&newsp); |
---|
1572 | *error = EINVAL; |
---|
1573 | return NULL; |
---|
1574 | } |
---|
1575 | bcopy(paddr, &(*p_isr)->saidx.dst, |
---|
1576 | paddr->sa_len); |
---|
1577 | } |
---|
1578 | |
---|
1579 | (*p_isr)->sp = newsp; |
---|
1580 | |
---|
1581 | /* initialization for the next. */ |
---|
1582 | p_isr = &(*p_isr)->next; |
---|
1583 | tlen -= xisr->sadb_x_ipsecrequest_len; |
---|
1584 | |
---|
1585 | /* validity check */ |
---|
1586 | if (tlen < 0) { |
---|
1587 | ipseclog((LOG_DEBUG, "%s: becoming tlen < 0.\n", |
---|
1588 | __func__)); |
---|
1589 | KEY_FREESP(&newsp); |
---|
1590 | *error = EINVAL; |
---|
1591 | return NULL; |
---|
1592 | } |
---|
1593 | |
---|
1594 | xisr = (struct sadb_x_ipsecrequest *)((caddr_t)xisr |
---|
1595 | + xisr->sadb_x_ipsecrequest_len); |
---|
1596 | } |
---|
1597 | } |
---|
1598 | break; |
---|
1599 | default: |
---|
1600 | ipseclog((LOG_DEBUG, "%s: invalid policy type.\n", __func__)); |
---|
1601 | KEY_FREESP(&newsp); |
---|
1602 | *error = EINVAL; |
---|
1603 | return NULL; |
---|
1604 | } |
---|
1605 | |
---|
1606 | *error = 0; |
---|
1607 | return newsp; |
---|
1608 | } |
---|
1609 | |
---|
1610 | static u_int32_t |
---|
1611 | key_newreqid() |
---|
1612 | { |
---|
1613 | static u_int32_t auto_reqid = IPSEC_MANUAL_REQID_MAX + 1; |
---|
1614 | |
---|
1615 | auto_reqid = (auto_reqid == ~0 |
---|
1616 | ? IPSEC_MANUAL_REQID_MAX + 1 : auto_reqid + 1); |
---|
1617 | |
---|
1618 | /* XXX should be unique check */ |
---|
1619 | |
---|
1620 | return auto_reqid; |
---|
1621 | } |
---|
1622 | |
---|
1623 | /* |
---|
1624 | * copy secpolicy struct to sadb_x_policy structure indicated. |
---|
1625 | */ |
---|
1626 | struct mbuf * |
---|
1627 | key_sp2msg(sp) |
---|
1628 | struct secpolicy *sp; |
---|
1629 | { |
---|
1630 | struct sadb_x_policy *xpl; |
---|
1631 | int tlen; |
---|
1632 | caddr_t p; |
---|
1633 | struct mbuf *m; |
---|
1634 | |
---|
1635 | IPSEC_ASSERT(sp != NULL, ("null policy")); |
---|
1636 | |
---|
1637 | tlen = key_getspreqmsglen(sp); |
---|
1638 | |
---|
1639 | m = key_alloc_mbuf(tlen); |
---|
1640 | if (!m || m->m_next) { /*XXX*/ |
---|
1641 | if (m) |
---|
1642 | m_freem(m); |
---|
1643 | return NULL; |
---|
1644 | } |
---|
1645 | |
---|
1646 | m->m_len = tlen; |
---|
1647 | m->m_next = NULL; |
---|
1648 | xpl = mtod(m, struct sadb_x_policy *); |
---|
1649 | bzero(xpl, tlen); |
---|
1650 | |
---|
1651 | xpl->sadb_x_policy_len = PFKEY_UNIT64(tlen); |
---|
1652 | xpl->sadb_x_policy_exttype = SADB_X_EXT_POLICY; |
---|
1653 | xpl->sadb_x_policy_type = sp->policy; |
---|
1654 | xpl->sadb_x_policy_dir = sp->spidx.dir; |
---|
1655 | xpl->sadb_x_policy_id = sp->id; |
---|
1656 | p = (caddr_t)xpl + sizeof(*xpl); |
---|
1657 | |
---|
1658 | /* if is the policy for ipsec ? */ |
---|
1659 | if (sp->policy == IPSEC_POLICY_IPSEC) { |
---|
1660 | struct sadb_x_ipsecrequest *xisr; |
---|
1661 | struct ipsecrequest *isr; |
---|
1662 | |
---|
1663 | for (isr = sp->req; isr != NULL; isr = isr->next) { |
---|
1664 | |
---|
1665 | xisr = (struct sadb_x_ipsecrequest *)p; |
---|
1666 | |
---|
1667 | xisr->sadb_x_ipsecrequest_proto = isr->saidx.proto; |
---|
1668 | xisr->sadb_x_ipsecrequest_mode = isr->saidx.mode; |
---|
1669 | xisr->sadb_x_ipsecrequest_level = isr->level; |
---|
1670 | xisr->sadb_x_ipsecrequest_reqid = isr->saidx.reqid; |
---|
1671 | |
---|
1672 | p += sizeof(*xisr); |
---|
1673 | bcopy(&isr->saidx.src, p, isr->saidx.src.sa.sa_len); |
---|
1674 | p += isr->saidx.src.sa.sa_len; |
---|
1675 | bcopy(&isr->saidx.dst, p, isr->saidx.dst.sa.sa_len); |
---|
1676 | p += isr->saidx.src.sa.sa_len; |
---|
1677 | |
---|
1678 | xisr->sadb_x_ipsecrequest_len = |
---|
1679 | PFKEY_ALIGN8(sizeof(*xisr) |
---|
1680 | + isr->saidx.src.sa.sa_len |
---|
1681 | + isr->saidx.dst.sa.sa_len); |
---|
1682 | } |
---|
1683 | } |
---|
1684 | |
---|
1685 | return m; |
---|
1686 | } |
---|
1687 | |
---|
1688 | /* m will not be freed nor modified */ |
---|
1689 | static struct mbuf * |
---|
1690 | #ifdef __STDC__ |
---|
1691 | key_gather_mbuf(struct mbuf *m, const struct sadb_msghdr *mhp, |
---|
1692 | int ndeep, int nitem, ...) |
---|
1693 | #else |
---|
1694 | key_gather_mbuf(m, mhp, ndeep, nitem, va_alist) |
---|
1695 | struct mbuf *m; |
---|
1696 | const struct sadb_msghdr *mhp; |
---|
1697 | int ndeep; |
---|
1698 | int nitem; |
---|
1699 | va_dcl |
---|
1700 | #endif |
---|
1701 | { |
---|
1702 | va_list ap; |
---|
1703 | int idx; |
---|
1704 | int i; |
---|
1705 | struct mbuf *result = NULL, *n; |
---|
1706 | int len; |
---|
1707 | |
---|
1708 | IPSEC_ASSERT(m != NULL, ("null mbuf")); |
---|
1709 | IPSEC_ASSERT(mhp != NULL, ("null msghdr")); |
---|
1710 | |
---|
1711 | va_start(ap, nitem); |
---|
1712 | for (i = 0; i < nitem; i++) { |
---|
1713 | idx = va_arg(ap, int); |
---|
1714 | if (idx < 0 || idx > SADB_EXT_MAX) |
---|
1715 | goto fail; |
---|
1716 | /* don't attempt to pull empty extension */ |
---|
1717 | if (idx == SADB_EXT_RESERVED && mhp->msg == NULL) |
---|
1718 | continue; |
---|
1719 | if (idx != SADB_EXT_RESERVED && |
---|
1720 | (mhp->ext[idx] == NULL || mhp->extlen[idx] == 0)) |
---|
1721 | continue; |
---|
1722 | |
---|
1723 | if (idx == SADB_EXT_RESERVED) { |
---|
1724 | len = PFKEY_ALIGN8(sizeof(struct sadb_msg)); |
---|
1725 | |
---|
1726 | IPSEC_ASSERT(len <= MHLEN, ("header too big %u", len)); |
---|
1727 | |
---|
1728 | MGETHDR(n, M_DONTWAIT, MT_DATA); |
---|
1729 | if (!n) |
---|
1730 | goto fail; |
---|
1731 | n->m_len = len; |
---|
1732 | n->m_next = NULL; |
---|
1733 | m_copydata(m, 0, sizeof(struct sadb_msg), |
---|
1734 | mtod(n, caddr_t)); |
---|
1735 | } else if (i < ndeep) { |
---|
1736 | len = mhp->extlen[idx]; |
---|
1737 | n = key_alloc_mbuf(len); |
---|
1738 | if (!n || n->m_next) { /*XXX*/ |
---|
1739 | if (n) |
---|
1740 | m_freem(n); |
---|
1741 | goto fail; |
---|
1742 | } |
---|
1743 | m_copydata(m, mhp->extoff[idx], mhp->extlen[idx], |
---|
1744 | mtod(n, caddr_t)); |
---|
1745 | } else { |
---|
1746 | n = m_copym(m, mhp->extoff[idx], mhp->extlen[idx], |
---|
1747 | M_DONTWAIT); |
---|
1748 | } |
---|
1749 | if (n == NULL) |
---|
1750 | goto fail; |
---|
1751 | |
---|
1752 | if (result) |
---|
1753 | m_cat(result, n); |
---|
1754 | else |
---|
1755 | result = n; |
---|
1756 | } |
---|
1757 | va_end(ap); |
---|
1758 | |
---|
1759 | if ((result->m_flags & M_PKTHDR) != 0) { |
---|
1760 | result->m_pkthdr.len = 0; |
---|
1761 | for (n = result; n; n = n->m_next) |
---|
1762 | result->m_pkthdr.len += n->m_len; |
---|
1763 | } |
---|
1764 | |
---|
1765 | return result; |
---|
1766 | |
---|
1767 | fail: |
---|
1768 | m_freem(result); |
---|
1769 | va_end(ap); |
---|
1770 | return NULL; |
---|
1771 | } |
---|
1772 | |
---|
1773 | /* |
---|
1774 | * SADB_X_SPDADD, SADB_X_SPDSETIDX or SADB_X_SPDUPDATE processing |
---|
1775 | * add an entry to SP database, when received |
---|
1776 | * <base, address(SD), (lifetime(H),) policy> |
---|
1777 | * from the user(?). |
---|
1778 | * Adding to SP database, |
---|
1779 | * and send |
---|
1780 | * <base, address(SD), (lifetime(H),) policy> |
---|
1781 | * to the socket which was send. |
---|
1782 | * |
---|
1783 | * SPDADD set a unique policy entry. |
---|
1784 | * SPDSETIDX like SPDADD without a part of policy requests. |
---|
1785 | * SPDUPDATE replace a unique policy entry. |
---|
1786 | * |
---|
1787 | * m will always be freed. |
---|
1788 | */ |
---|
1789 | static int |
---|
1790 | key_spdadd(so, m, mhp) |
---|
1791 | struct socket *so; |
---|
1792 | struct mbuf *m; |
---|
1793 | const struct sadb_msghdr *mhp; |
---|
1794 | { |
---|
1795 | struct sadb_address *src0, *dst0; |
---|
1796 | struct sadb_x_policy *xpl0, *xpl; |
---|
1797 | struct sadb_lifetime *lft = NULL; |
---|
1798 | struct secpolicyindex spidx; |
---|
1799 | struct secpolicy *newsp; |
---|
1800 | int error; |
---|
1801 | |
---|
1802 | IPSEC_ASSERT(so != NULL, ("null socket")); |
---|
1803 | IPSEC_ASSERT(m != NULL, ("null mbuf")); |
---|
1804 | IPSEC_ASSERT(mhp != NULL, ("null msghdr")); |
---|
1805 | IPSEC_ASSERT(mhp->msg != NULL, ("null msg")); |
---|
1806 | |
---|
1807 | if (mhp->ext[SADB_EXT_ADDRESS_SRC] == NULL || |
---|
1808 | mhp->ext[SADB_EXT_ADDRESS_DST] == NULL || |
---|
1809 | mhp->ext[SADB_X_EXT_POLICY] == NULL) { |
---|
1810 | ipseclog((LOG_DEBUG, "key_spdadd: invalid message is passed.\n")); |
---|
1811 | return key_senderror(so, m, EINVAL); |
---|
1812 | } |
---|
1813 | if (mhp->extlen[SADB_EXT_ADDRESS_SRC] < sizeof(struct sadb_address) || |
---|
1814 | mhp->extlen[SADB_EXT_ADDRESS_DST] < sizeof(struct sadb_address) || |
---|
1815 | mhp->extlen[SADB_X_EXT_POLICY] < sizeof(struct sadb_x_policy)) { |
---|
1816 | ipseclog((LOG_DEBUG, "%s: invalid message is passed.\n", |
---|
1817 | __func__)); |
---|
1818 | return key_senderror(so, m, EINVAL); |
---|
1819 | } |
---|
1820 | if (mhp->ext[SADB_EXT_LIFETIME_HARD] != NULL) { |
---|
1821 | if (mhp->extlen[SADB_EXT_LIFETIME_HARD] |
---|
1822 | < sizeof(struct sadb_lifetime)) { |
---|
1823 | ipseclog((LOG_DEBUG, "%s: invalid message is passed.\n", |
---|
1824 | __func__)); |
---|
1825 | return key_senderror(so, m, EINVAL); |
---|
1826 | } |
---|
1827 | lft = (struct sadb_lifetime *)mhp->ext[SADB_EXT_LIFETIME_HARD]; |
---|
1828 | } |
---|
1829 | |
---|
1830 | src0 = (struct sadb_address *)mhp->ext[SADB_EXT_ADDRESS_SRC]; |
---|
1831 | dst0 = (struct sadb_address *)mhp->ext[SADB_EXT_ADDRESS_DST]; |
---|
1832 | xpl0 = (struct sadb_x_policy *)mhp->ext[SADB_X_EXT_POLICY]; |
---|
1833 | |
---|
1834 | /* |
---|
1835 | * Note: do not parse SADB_X_EXT_NAT_T_* here: |
---|
1836 | * we are processing traffic endpoints. |
---|
1837 | */ |
---|
1838 | |
---|
1839 | /* make secindex */ |
---|
1840 | /* XXX boundary check against sa_len */ |
---|
1841 | KEY_SETSECSPIDX(xpl0->sadb_x_policy_dir, |
---|
1842 | src0 + 1, |
---|
1843 | dst0 + 1, |
---|
1844 | src0->sadb_address_prefixlen, |
---|
1845 | dst0->sadb_address_prefixlen, |
---|
1846 | src0->sadb_address_proto, |
---|
1847 | &spidx); |
---|
1848 | |
---|
1849 | /* checking the direciton. */ |
---|
1850 | switch (xpl0->sadb_x_policy_dir) { |
---|
1851 | case IPSEC_DIR_INBOUND: |
---|
1852 | case IPSEC_DIR_OUTBOUND: |
---|
1853 | break; |
---|
1854 | default: |
---|
1855 | ipseclog((LOG_DEBUG, "%s: Invalid SP direction.\n", __func__)); |
---|
1856 | mhp->msg->sadb_msg_errno = EINVAL; |
---|
1857 | return 0; |
---|
1858 | } |
---|
1859 | |
---|
1860 | /* check policy */ |
---|
1861 | /* key_spdadd() accepts DISCARD, NONE and IPSEC. */ |
---|
1862 | if (xpl0->sadb_x_policy_type == IPSEC_POLICY_ENTRUST |
---|
1863 | || xpl0->sadb_x_policy_type == IPSEC_POLICY_BYPASS) { |
---|
1864 | ipseclog((LOG_DEBUG, "%s: Invalid policy type.\n", __func__)); |
---|
1865 | return key_senderror(so, m, EINVAL); |
---|
1866 | } |
---|
1867 | |
---|
1868 | /* policy requests are mandatory when action is ipsec. */ |
---|
1869 | if (mhp->msg->sadb_msg_type != SADB_X_SPDSETIDX |
---|
1870 | && xpl0->sadb_x_policy_type == IPSEC_POLICY_IPSEC |
---|
1871 | && mhp->extlen[SADB_X_EXT_POLICY] <= sizeof(*xpl0)) { |
---|
1872 | ipseclog((LOG_DEBUG, "%s: some policy requests part required\n", |
---|
1873 | __func__)); |
---|
1874 | return key_senderror(so, m, EINVAL); |
---|
1875 | } |
---|
1876 | |
---|
1877 | /* |
---|
1878 | * checking there is SP already or not. |
---|
1879 | * SPDUPDATE doesn't depend on whether there is a SP or not. |
---|
1880 | * If the type is either SPDADD or SPDSETIDX AND a SP is found, |
---|
1881 | * then error. |
---|
1882 | */ |
---|
1883 | newsp = key_getsp(&spidx); |
---|
1884 | if (mhp->msg->sadb_msg_type == SADB_X_SPDUPDATE) { |
---|
1885 | if (newsp) { |
---|
1886 | SPTREE_LOCK(); |
---|
1887 | newsp->state = IPSEC_SPSTATE_DEAD; |
---|
1888 | SPTREE_UNLOCK(); |
---|
1889 | KEY_FREESP(&newsp); |
---|
1890 | } |
---|
1891 | } else { |
---|
1892 | if (newsp != NULL) { |
---|
1893 | KEY_FREESP(&newsp); |
---|
1894 | ipseclog((LOG_DEBUG, "%s: a SP entry exists already.\n", |
---|
1895 | __func__)); |
---|
1896 | return key_senderror(so, m, EEXIST); |
---|
1897 | } |
---|
1898 | } |
---|
1899 | |
---|
1900 | /* allocation new SP entry */ |
---|
1901 | if ((newsp = key_msg2sp(xpl0, PFKEY_EXTLEN(xpl0), &error)) == NULL) { |
---|
1902 | return key_senderror(so, m, error); |
---|
1903 | } |
---|
1904 | |
---|
1905 | if ((newsp->id = key_getnewspid()) == 0) { |
---|
1906 | _key_delsp(newsp); |
---|
1907 | return key_senderror(so, m, ENOBUFS); |
---|
1908 | } |
---|
1909 | |
---|
1910 | /* XXX boundary check against sa_len */ |
---|
1911 | KEY_SETSECSPIDX(xpl0->sadb_x_policy_dir, |
---|
1912 | src0 + 1, |
---|
1913 | dst0 + 1, |
---|
1914 | src0->sadb_address_prefixlen, |
---|
1915 | dst0->sadb_address_prefixlen, |
---|
1916 | src0->sadb_address_proto, |
---|
1917 | &newsp->spidx); |
---|
1918 | |
---|
1919 | /* sanity check on addr pair */ |
---|
1920 | if (((struct sockaddr *)(src0 + 1))->sa_family != |
---|
1921 | ((struct sockaddr *)(dst0+ 1))->sa_family) { |
---|
1922 | _key_delsp(newsp); |
---|
1923 | return key_senderror(so, m, EINVAL); |
---|
1924 | } |
---|
1925 | if (((struct sockaddr *)(src0 + 1))->sa_len != |
---|
1926 | ((struct sockaddr *)(dst0+ 1))->sa_len) { |
---|
1927 | _key_delsp(newsp); |
---|
1928 | return key_senderror(so, m, EINVAL); |
---|
1929 | } |
---|
1930 | #if 1 |
---|
1931 | if (newsp->req && newsp->req->saidx.src.sa.sa_family && newsp->req->saidx.dst.sa.sa_family) { |
---|
1932 | if (newsp->req->saidx.src.sa.sa_family != newsp->req->saidx.dst.sa.sa_family) { |
---|
1933 | _key_delsp(newsp); |
---|
1934 | return key_senderror(so, m, EINVAL); |
---|
1935 | } |
---|
1936 | } |
---|
1937 | #endif |
---|
1938 | |
---|
1939 | newsp->created = time_second; |
---|
1940 | newsp->lastused = newsp->created; |
---|
1941 | newsp->lifetime = lft ? lft->sadb_lifetime_addtime : 0; |
---|
1942 | newsp->validtime = lft ? lft->sadb_lifetime_usetime : 0; |
---|
1943 | |
---|
1944 | newsp->refcnt = 1; /* do not reclaim until I say I do */ |
---|
1945 | newsp->state = IPSEC_SPSTATE_ALIVE; |
---|
1946 | LIST_INSERT_TAIL(&V_sptree[newsp->spidx.dir], newsp, secpolicy, chain); |
---|
1947 | |
---|
1948 | /* delete the entry in spacqtree */ |
---|
1949 | if (mhp->msg->sadb_msg_type == SADB_X_SPDUPDATE) { |
---|
1950 | struct secspacq *spacq = key_getspacq(&spidx); |
---|
1951 | if (spacq != NULL) { |
---|
1952 | /* reset counter in order to deletion by timehandler. */ |
---|
1953 | spacq->created = time_second; |
---|
1954 | spacq->count = 0; |
---|
1955 | SPACQ_UNLOCK(); |
---|
1956 | } |
---|
1957 | } |
---|
1958 | |
---|
1959 | { |
---|
1960 | struct mbuf *n, *mpolicy; |
---|
1961 | struct sadb_msg *newmsg; |
---|
1962 | int off; |
---|
1963 | |
---|
1964 | /* |
---|
1965 | * Note: do not send SADB_X_EXT_NAT_T_* here: |
---|
1966 | * we are sending traffic endpoints. |
---|
1967 | */ |
---|
1968 | |
---|
1969 | /* create new sadb_msg to reply. */ |
---|
1970 | if (lft) { |
---|
1971 | n = key_gather_mbuf(m, mhp, 2, 5, SADB_EXT_RESERVED, |
---|
1972 | SADB_X_EXT_POLICY, SADB_EXT_LIFETIME_HARD, |
---|
1973 | SADB_EXT_ADDRESS_SRC, SADB_EXT_ADDRESS_DST); |
---|
1974 | } else { |
---|
1975 | n = key_gather_mbuf(m, mhp, 2, 4, SADB_EXT_RESERVED, |
---|
1976 | SADB_X_EXT_POLICY, |
---|
1977 | SADB_EXT_ADDRESS_SRC, SADB_EXT_ADDRESS_DST); |
---|
1978 | } |
---|
1979 | if (!n) |
---|
1980 | return key_senderror(so, m, ENOBUFS); |
---|
1981 | |
---|
1982 | if (n->m_len < sizeof(*newmsg)) { |
---|
1983 | n = m_pullup(n, sizeof(*newmsg)); |
---|
1984 | if (!n) |
---|
1985 | return key_senderror(so, m, ENOBUFS); |
---|
1986 | } |
---|
1987 | newmsg = mtod(n, struct sadb_msg *); |
---|
1988 | newmsg->sadb_msg_errno = 0; |
---|
1989 | newmsg->sadb_msg_len = PFKEY_UNIT64(n->m_pkthdr.len); |
---|
1990 | |
---|
1991 | off = 0; |
---|
1992 | mpolicy = m_pulldown(n, PFKEY_ALIGN8(sizeof(struct sadb_msg)), |
---|
1993 | sizeof(*xpl), &off); |
---|
1994 | if (mpolicy == NULL) { |
---|
1995 | /* n is already freed */ |
---|
1996 | return key_senderror(so, m, ENOBUFS); |
---|
1997 | } |
---|
1998 | xpl = (struct sadb_x_policy *)(mtod(mpolicy, caddr_t) + off); |
---|
1999 | if (xpl->sadb_x_policy_exttype != SADB_X_EXT_POLICY) { |
---|
2000 | m_freem(n); |
---|
2001 | return key_senderror(so, m, EINVAL); |
---|
2002 | } |
---|
2003 | xpl->sadb_x_policy_id = newsp->id; |
---|
2004 | |
---|
2005 | m_freem(m); |
---|
2006 | return key_sendup_mbuf(so, n, KEY_SENDUP_ALL); |
---|
2007 | } |
---|
2008 | } |
---|
2009 | |
---|
2010 | /* |
---|
2011 | * get new policy id. |
---|
2012 | * OUT: |
---|
2013 | * 0: failure. |
---|
2014 | * others: success. |
---|
2015 | */ |
---|
2016 | static u_int32_t |
---|
2017 | key_getnewspid() |
---|
2018 | { |
---|
2019 | u_int32_t newid = 0; |
---|
2020 | int count = V_key_spi_trycnt; /* XXX */ |
---|
2021 | struct secpolicy *sp; |
---|
2022 | |
---|
2023 | /* when requesting to allocate spi ranged */ |
---|
2024 | while (count--) { |
---|
2025 | newid = (V_policy_id = (V_policy_id == ~0 ? 1 : V_policy_id + 1)); |
---|
2026 | |
---|
2027 | if ((sp = key_getspbyid(newid)) == NULL) |
---|
2028 | break; |
---|
2029 | |
---|
2030 | KEY_FREESP(&sp); |
---|
2031 | } |
---|
2032 | |
---|
2033 | if (count == 0 || newid == 0) { |
---|
2034 | ipseclog((LOG_DEBUG, "%s: to allocate policy id is failed.\n", |
---|
2035 | __func__)); |
---|
2036 | return 0; |
---|
2037 | } |
---|
2038 | |
---|
2039 | return newid; |
---|
2040 | } |
---|
2041 | |
---|
2042 | /* |
---|
2043 | * SADB_SPDDELETE processing |
---|
2044 | * receive |
---|
2045 | * <base, address(SD), policy(*)> |
---|
2046 | * from the user(?), and set SADB_SASTATE_DEAD, |
---|
2047 | * and send, |
---|
2048 | * <base, address(SD), policy(*)> |
---|
2049 | * to the ikmpd. |
---|
2050 | * policy(*) including direction of policy. |
---|
2051 | * |
---|
2052 | * m will always be freed. |
---|
2053 | */ |
---|
2054 | static int |
---|
2055 | key_spddelete(so, m, mhp) |
---|
2056 | struct socket *so; |
---|
2057 | struct mbuf *m; |
---|
2058 | const struct sadb_msghdr *mhp; |
---|
2059 | { |
---|
2060 | struct sadb_address *src0, *dst0; |
---|
2061 | struct sadb_x_policy *xpl0; |
---|
2062 | struct secpolicyindex spidx; |
---|
2063 | struct secpolicy *sp; |
---|
2064 | |
---|
2065 | IPSEC_ASSERT(so != NULL, ("null so")); |
---|
2066 | IPSEC_ASSERT(m != NULL, ("null mbuf")); |
---|
2067 | IPSEC_ASSERT(mhp != NULL, ("null msghdr")); |
---|
2068 | IPSEC_ASSERT(mhp->msg != NULL, ("null msg")); |
---|
2069 | |
---|
2070 | if (mhp->ext[SADB_EXT_ADDRESS_SRC] == NULL || |
---|
2071 | mhp->ext[SADB_EXT_ADDRESS_DST] == NULL || |
---|
2072 | mhp->ext[SADB_X_EXT_POLICY] == NULL) { |
---|
2073 | ipseclog((LOG_DEBUG, "%s: invalid message is passed.\n", |
---|
2074 | __func__)); |
---|
2075 | return key_senderror(so, m, EINVAL); |
---|
2076 | } |
---|
2077 | if (mhp->extlen[SADB_EXT_ADDRESS_SRC] < sizeof(struct sadb_address) || |
---|
2078 | mhp->extlen[SADB_EXT_ADDRESS_DST] < sizeof(struct sadb_address) || |
---|
2079 | mhp->extlen[SADB_X_EXT_POLICY] < sizeof(struct sadb_x_policy)) { |
---|
2080 | ipseclog((LOG_DEBUG, "%s: invalid message is passed.\n", |
---|
2081 | __func__)); |
---|
2082 | return key_senderror(so, m, EINVAL); |
---|
2083 | } |
---|
2084 | |
---|
2085 | src0 = (struct sadb_address *)mhp->ext[SADB_EXT_ADDRESS_SRC]; |
---|
2086 | dst0 = (struct sadb_address *)mhp->ext[SADB_EXT_ADDRESS_DST]; |
---|
2087 | xpl0 = (struct sadb_x_policy *)mhp->ext[SADB_X_EXT_POLICY]; |
---|
2088 | |
---|
2089 | /* |
---|
2090 | * Note: do not parse SADB_X_EXT_NAT_T_* here: |
---|
2091 | * we are processing traffic endpoints. |
---|
2092 | */ |
---|
2093 | |
---|
2094 | /* make secindex */ |
---|
2095 | /* XXX boundary check against sa_len */ |
---|
2096 | KEY_SETSECSPIDX(xpl0->sadb_x_policy_dir, |
---|
2097 | src0 + 1, |
---|
2098 | dst0 + 1, |
---|
2099 | src0->sadb_address_prefixlen, |
---|
2100 | dst0->sadb_address_prefixlen, |
---|
2101 | src0->sadb_address_proto, |
---|
2102 | &spidx); |
---|
2103 | |
---|
2104 | /* checking the direciton. */ |
---|
2105 | switch (xpl0->sadb_x_policy_dir) { |
---|
2106 | case IPSEC_DIR_INBOUND: |
---|
2107 | case IPSEC_DIR_OUTBOUND: |
---|
2108 | break; |
---|
2109 | default: |
---|
2110 | ipseclog((LOG_DEBUG, "%s: Invalid SP direction.\n", __func__)); |
---|
2111 | return key_senderror(so, m, EINVAL); |
---|
2112 | } |
---|
2113 | |
---|
2114 | /* Is there SP in SPD ? */ |
---|
2115 | if ((sp = key_getsp(&spidx)) == NULL) { |
---|
2116 | ipseclog((LOG_DEBUG, "%s: no SP found.\n", __func__)); |
---|
2117 | return key_senderror(so, m, EINVAL); |
---|
2118 | } |
---|
2119 | |
---|
2120 | /* save policy id to buffer to be returned. */ |
---|
2121 | xpl0->sadb_x_policy_id = sp->id; |
---|
2122 | |
---|
2123 | SPTREE_LOCK(); |
---|
2124 | sp->state = IPSEC_SPSTATE_DEAD; |
---|
2125 | SPTREE_UNLOCK(); |
---|
2126 | KEY_FREESP(&sp); |
---|
2127 | |
---|
2128 | { |
---|
2129 | struct mbuf *n; |
---|
2130 | struct sadb_msg *newmsg; |
---|
2131 | |
---|
2132 | /* |
---|
2133 | * Note: do not send SADB_X_EXT_NAT_T_* here: |
---|
2134 | * we are sending traffic endpoints. |
---|
2135 | */ |
---|
2136 | |
---|
2137 | /* create new sadb_msg to reply. */ |
---|
2138 | n = key_gather_mbuf(m, mhp, 1, 4, SADB_EXT_RESERVED, |
---|
2139 | SADB_X_EXT_POLICY, SADB_EXT_ADDRESS_SRC, SADB_EXT_ADDRESS_DST); |
---|
2140 | if (!n) |
---|
2141 | return key_senderror(so, m, ENOBUFS); |
---|
2142 | |
---|
2143 | newmsg = mtod(n, struct sadb_msg *); |
---|
2144 | newmsg->sadb_msg_errno = 0; |
---|
2145 | newmsg->sadb_msg_len = PFKEY_UNIT64(n->m_pkthdr.len); |
---|
2146 | |
---|
2147 | m_freem(m); |
---|
2148 | return key_sendup_mbuf(so, n, KEY_SENDUP_ALL); |
---|
2149 | } |
---|
2150 | } |
---|
2151 | |
---|
2152 | /* |
---|
2153 | * SADB_SPDDELETE2 processing |
---|
2154 | * receive |
---|
2155 | * <base, policy(*)> |
---|
2156 | * from the user(?), and set SADB_SASTATE_DEAD, |
---|
2157 | * and send, |
---|
2158 | * <base, policy(*)> |
---|
2159 | * to the ikmpd. |
---|
2160 | * policy(*) including direction of policy. |
---|
2161 | * |
---|
2162 | * m will always be freed. |
---|
2163 | */ |
---|
2164 | static int |
---|
2165 | key_spddelete2(so, m, mhp) |
---|
2166 | struct socket *so; |
---|
2167 | struct mbuf *m; |
---|
2168 | const struct sadb_msghdr *mhp; |
---|
2169 | { |
---|
2170 | u_int32_t id; |
---|
2171 | struct secpolicy *sp; |
---|
2172 | |
---|
2173 | IPSEC_ASSERT(so != NULL, ("null socket")); |
---|
2174 | IPSEC_ASSERT(m != NULL, ("null mbuf")); |
---|
2175 | IPSEC_ASSERT(mhp != NULL, ("null msghdr")); |
---|
2176 | IPSEC_ASSERT(mhp->msg != NULL, ("null msg")); |
---|
2177 | |
---|
2178 | if (mhp->ext[SADB_X_EXT_POLICY] == NULL || |
---|
2179 | mhp->extlen[SADB_X_EXT_POLICY] < sizeof(struct sadb_x_policy)) { |
---|
2180 | ipseclog((LOG_DEBUG, "%s: invalid message is passed.\n", __func__)); |
---|
2181 | return key_senderror(so, m, EINVAL); |
---|
2182 | } |
---|
2183 | |
---|
2184 | id = ((struct sadb_x_policy *)mhp->ext[SADB_X_EXT_POLICY])->sadb_x_policy_id; |
---|
2185 | |
---|
2186 | /* Is there SP in SPD ? */ |
---|
2187 | if ((sp = key_getspbyid(id)) == NULL) { |
---|
2188 | ipseclog((LOG_DEBUG, "%s: no SP found id:%u.\n", __func__, id)); |
---|
2189 | return key_senderror(so, m, EINVAL); |
---|
2190 | } |
---|
2191 | |
---|
2192 | SPTREE_LOCK(); |
---|
2193 | sp->state = IPSEC_SPSTATE_DEAD; |
---|
2194 | SPTREE_UNLOCK(); |
---|
2195 | KEY_FREESP(&sp); |
---|
2196 | |
---|
2197 | { |
---|
2198 | struct mbuf *n, *nn; |
---|
2199 | struct sadb_msg *newmsg; |
---|
2200 | int off, len; |
---|
2201 | |
---|
2202 | /* create new sadb_msg to reply. */ |
---|
2203 | len = PFKEY_ALIGN8(sizeof(struct sadb_msg)); |
---|
2204 | |
---|
2205 | MGETHDR(n, M_DONTWAIT, MT_DATA); |
---|
2206 | if (n && len > MHLEN) { |
---|
2207 | MCLGET(n, M_DONTWAIT); |
---|
2208 | if ((n->m_flags & M_EXT) == 0) { |
---|
2209 | m_freem(n); |
---|
2210 | n = NULL; |
---|
2211 | } |
---|
2212 | } |
---|
2213 | if (!n) |
---|
2214 | return key_senderror(so, m, ENOBUFS); |
---|
2215 | |
---|
2216 | n->m_len = len; |
---|
2217 | n->m_next = NULL; |
---|
2218 | off = 0; |
---|
2219 | |
---|
2220 | m_copydata(m, 0, sizeof(struct sadb_msg), mtod(n, caddr_t) + off); |
---|
2221 | off += PFKEY_ALIGN8(sizeof(struct sadb_msg)); |
---|
2222 | |
---|
2223 | IPSEC_ASSERT(off == len, ("length inconsistency (off %u len %u)", |
---|
2224 | off, len)); |
---|
2225 | |
---|
2226 | n->m_next = m_copym(m, mhp->extoff[SADB_X_EXT_POLICY], |
---|
2227 | mhp->extlen[SADB_X_EXT_POLICY], M_DONTWAIT); |
---|
2228 | if (!n->m_next) { |
---|
2229 | m_freem(n); |
---|
2230 | return key_senderror(so, m, ENOBUFS); |
---|
2231 | } |
---|
2232 | |
---|
2233 | n->m_pkthdr.len = 0; |
---|
2234 | for (nn = n; nn; nn = nn->m_next) |
---|
2235 | n->m_pkthdr.len += nn->m_len; |
---|
2236 | |
---|
2237 | newmsg = mtod(n, struct sadb_msg *); |
---|
2238 | newmsg->sadb_msg_errno = 0; |
---|
2239 | newmsg->sadb_msg_len = PFKEY_UNIT64(n->m_pkthdr.len); |
---|
2240 | |
---|
2241 | m_freem(m); |
---|
2242 | return key_sendup_mbuf(so, n, KEY_SENDUP_ALL); |
---|
2243 | } |
---|
2244 | } |
---|
2245 | |
---|
2246 | /* |
---|
2247 | * SADB_X_GET processing |
---|
2248 | * receive |
---|
2249 | * <base, policy(*)> |
---|
2250 | * from the user(?), |
---|
2251 | * and send, |
---|
2252 | * <base, address(SD), policy> |
---|
2253 | * to the ikmpd. |
---|
2254 | * policy(*) including direction of policy. |
---|
2255 | * |
---|
2256 | * m will always be freed. |
---|
2257 | */ |
---|
2258 | static int |
---|
2259 | key_spdget(so, m, mhp) |
---|
2260 | struct socket *so; |
---|
2261 | struct mbuf *m; |
---|
2262 | const struct sadb_msghdr *mhp; |
---|
2263 | { |
---|
2264 | u_int32_t id; |
---|
2265 | struct secpolicy *sp; |
---|
2266 | struct mbuf *n; |
---|
2267 | |
---|
2268 | IPSEC_ASSERT(so != NULL, ("null socket")); |
---|
2269 | IPSEC_ASSERT(m != NULL, ("null mbuf")); |
---|
2270 | IPSEC_ASSERT(mhp != NULL, ("null msghdr")); |
---|
2271 | IPSEC_ASSERT(mhp->msg != NULL, ("null msg")); |
---|
2272 | |
---|
2273 | if (mhp->ext[SADB_X_EXT_POLICY] == NULL || |
---|
2274 | mhp->extlen[SADB_X_EXT_POLICY] < sizeof(struct sadb_x_policy)) { |
---|
2275 | ipseclog((LOG_DEBUG, "%s: invalid message is passed.\n", |
---|
2276 | __func__)); |
---|
2277 | return key_senderror(so, m, EINVAL); |
---|
2278 | } |
---|
2279 | |
---|
2280 | id = ((struct sadb_x_policy *)mhp->ext[SADB_X_EXT_POLICY])->sadb_x_policy_id; |
---|
2281 | |
---|
2282 | /* Is there SP in SPD ? */ |
---|
2283 | if ((sp = key_getspbyid(id)) == NULL) { |
---|
2284 | ipseclog((LOG_DEBUG, "%s: no SP found id:%u.\n", __func__, id)); |
---|
2285 | return key_senderror(so, m, ENOENT); |
---|
2286 | } |
---|
2287 | |
---|
2288 | n = key_setdumpsp(sp, SADB_X_SPDGET, 0, mhp->msg->sadb_msg_pid); |
---|
2289 | KEY_FREESP(&sp); |
---|
2290 | if (n != NULL) { |
---|
2291 | m_freem(m); |
---|
2292 | return key_sendup_mbuf(so, n, KEY_SENDUP_ONE); |
---|
2293 | } else |
---|
2294 | return key_senderror(so, m, ENOBUFS); |
---|
2295 | } |
---|
2296 | |
---|
2297 | /* |
---|
2298 | * SADB_X_SPDACQUIRE processing. |
---|
2299 | * Acquire policy and SA(s) for a *OUTBOUND* packet. |
---|
2300 | * send |
---|
2301 | * <base, policy(*)> |
---|
2302 | * to KMD, and expect to receive |
---|
2303 | * <base> with SADB_X_SPDACQUIRE if error occured, |
---|
2304 | * or |
---|
2305 | * <base, policy> |
---|
2306 | * with SADB_X_SPDUPDATE from KMD by PF_KEY. |
---|
2307 | * policy(*) is without policy requests. |
---|
2308 | * |
---|
2309 | * 0 : succeed |
---|
2310 | * others: error number |
---|
2311 | */ |
---|
2312 | int |
---|
2313 | key_spdacquire(sp) |
---|
2314 | struct secpolicy *sp; |
---|
2315 | { |
---|
2316 | struct mbuf *result = NULL, *m; |
---|
2317 | struct secspacq *newspacq; |
---|
2318 | |
---|
2319 | IPSEC_ASSERT(sp != NULL, ("null secpolicy")); |
---|
2320 | IPSEC_ASSERT(sp->req == NULL, ("policy exists")); |
---|
2321 | IPSEC_ASSERT(sp->policy == IPSEC_POLICY_IPSEC, |
---|
2322 | ("policy not IPSEC %u", sp->policy)); |
---|
2323 | |
---|
2324 | /* Get an entry to check whether sent message or not. */ |
---|
2325 | newspacq = key_getspacq(&sp->spidx); |
---|
2326 | if (newspacq != NULL) { |
---|
2327 | if (V_key_blockacq_count < newspacq->count) { |
---|
2328 | /* reset counter and do send message. */ |
---|
2329 | newspacq->count = 0; |
---|
2330 | } else { |
---|
2331 | /* increment counter and do nothing. */ |
---|
2332 | newspacq->count++; |
---|
2333 | return 0; |
---|
2334 | } |
---|
2335 | SPACQ_UNLOCK(); |
---|
2336 | } else { |
---|
2337 | /* make new entry for blocking to send SADB_ACQUIRE. */ |
---|
2338 | newspacq = key_newspacq(&sp->spidx); |
---|
2339 | if (newspacq == NULL) |
---|
2340 | return ENOBUFS; |
---|
2341 | } |
---|
2342 | |
---|
2343 | /* create new sadb_msg to reply. */ |
---|
2344 | m = key_setsadbmsg(SADB_X_SPDACQUIRE, 0, 0, 0, 0, 0); |
---|
2345 | if (!m) |
---|
2346 | return ENOBUFS; |
---|
2347 | |
---|
2348 | result = m; |
---|
2349 | |
---|
2350 | result->m_pkthdr.len = 0; |
---|
2351 | for (m = result; m; m = m->m_next) |
---|
2352 | result->m_pkthdr.len += m->m_len; |
---|
2353 | |
---|
2354 | mtod(result, struct sadb_msg *)->sadb_msg_len = |
---|
2355 | PFKEY_UNIT64(result->m_pkthdr.len); |
---|
2356 | |
---|
2357 | return key_sendup_mbuf(NULL, m, KEY_SENDUP_REGISTERED); |
---|
2358 | } |
---|
2359 | |
---|
2360 | /* |
---|
2361 | * SADB_SPDFLUSH processing |
---|
2362 | * receive |
---|
2363 | * <base> |
---|
2364 | * from the user, and free all entries in secpctree. |
---|
2365 | * and send, |
---|
2366 | * <base> |
---|
2367 | * to the user. |
---|
2368 | * NOTE: what to do is only marking SADB_SASTATE_DEAD. |
---|
2369 | * |
---|
2370 | * m will always be freed. |
---|
2371 | */ |
---|
2372 | static int |
---|
2373 | key_spdflush(so, m, mhp) |
---|
2374 | struct socket *so; |
---|
2375 | struct mbuf *m; |
---|
2376 | const struct sadb_msghdr *mhp; |
---|
2377 | { |
---|
2378 | struct sadb_msg *newmsg; |
---|
2379 | struct secpolicy *sp; |
---|
2380 | u_int dir; |
---|
2381 | |
---|
2382 | IPSEC_ASSERT(so != NULL, ("null socket")); |
---|
2383 | IPSEC_ASSERT(m != NULL, ("null mbuf")); |
---|
2384 | IPSEC_ASSERT(mhp != NULL, ("null msghdr")); |
---|
2385 | IPSEC_ASSERT(mhp->msg != NULL, ("null msg")); |
---|
2386 | |
---|
2387 | if (m->m_len != PFKEY_ALIGN8(sizeof(struct sadb_msg))) |
---|
2388 | return key_senderror(so, m, EINVAL); |
---|
2389 | |
---|
2390 | for (dir = 0; dir < IPSEC_DIR_MAX; dir++) { |
---|
2391 | SPTREE_LOCK(); |
---|
2392 | LIST_FOREACH(sp, &V_sptree[dir], chain) |
---|
2393 | sp->state = IPSEC_SPSTATE_DEAD; |
---|
2394 | SPTREE_UNLOCK(); |
---|
2395 | } |
---|
2396 | |
---|
2397 | if (sizeof(struct sadb_msg) > m->m_len + M_TRAILINGSPACE(m)) { |
---|
2398 | ipseclog((LOG_DEBUG, "%s: No more memory.\n", __func__)); |
---|
2399 | return key_senderror(so, m, ENOBUFS); |
---|
2400 | } |
---|
2401 | |
---|
2402 | if (m->m_next) |
---|
2403 | m_freem(m->m_next); |
---|
2404 | m->m_next = NULL; |
---|
2405 | m->m_pkthdr.len = m->m_len = PFKEY_ALIGN8(sizeof(struct sadb_msg)); |
---|
2406 | newmsg = mtod(m, struct sadb_msg *); |
---|
2407 | newmsg->sadb_msg_errno = 0; |
---|
2408 | newmsg->sadb_msg_len = PFKEY_UNIT64(m->m_pkthdr.len); |
---|
2409 | |
---|
2410 | return key_sendup_mbuf(so, m, KEY_SENDUP_ALL); |
---|
2411 | } |
---|
2412 | |
---|
2413 | /* |
---|
2414 | * SADB_SPDDUMP processing |
---|
2415 | * receive |
---|
2416 | * <base> |
---|
2417 | * from the user, and dump all SP leaves |
---|
2418 | * and send, |
---|
2419 | * <base> ..... |
---|
2420 | * to the ikmpd. |
---|
2421 | * |
---|
2422 | * m will always be freed. |
---|
2423 | */ |
---|
2424 | static int |
---|
2425 | key_spddump(so, m, mhp) |
---|
2426 | struct socket *so; |
---|
2427 | struct mbuf *m; |
---|
2428 | const struct sadb_msghdr *mhp; |
---|
2429 | { |
---|
2430 | struct secpolicy *sp; |
---|
2431 | int cnt; |
---|
2432 | u_int dir; |
---|
2433 | struct mbuf *n; |
---|
2434 | |
---|
2435 | IPSEC_ASSERT(so != NULL, ("null socket")); |
---|
2436 | IPSEC_ASSERT(m != NULL, ("null mbuf")); |
---|
2437 | IPSEC_ASSERT(mhp != NULL, ("null msghdr")); |
---|
2438 | IPSEC_ASSERT(mhp->msg != NULL, ("null msg")); |
---|
2439 | |
---|
2440 | /* search SPD entry and get buffer size. */ |
---|
2441 | cnt = 0; |
---|
2442 | SPTREE_LOCK(); |
---|
2443 | for (dir = 0; dir < IPSEC_DIR_MAX; dir++) { |
---|
2444 | LIST_FOREACH(sp, &V_sptree[dir], chain) { |
---|
2445 | cnt++; |
---|
2446 | } |
---|
2447 | } |
---|
2448 | |
---|
2449 | if (cnt == 0) { |
---|
2450 | SPTREE_UNLOCK(); |
---|
2451 | return key_senderror(so, m, ENOENT); |
---|
2452 | } |
---|
2453 | |
---|
2454 | for (dir = 0; dir < IPSEC_DIR_MAX; dir++) { |
---|
2455 | LIST_FOREACH(sp, &V_sptree[dir], chain) { |
---|
2456 | --cnt; |
---|
2457 | n = key_setdumpsp(sp, SADB_X_SPDDUMP, cnt, |
---|
2458 | mhp->msg->sadb_msg_pid); |
---|
2459 | |
---|
2460 | if (n) |
---|
2461 | key_sendup_mbuf(so, n, KEY_SENDUP_ONE); |
---|
2462 | } |
---|
2463 | } |
---|
2464 | |
---|
2465 | SPTREE_UNLOCK(); |
---|
2466 | m_freem(m); |
---|
2467 | return 0; |
---|
2468 | } |
---|
2469 | |
---|
2470 | static struct mbuf * |
---|
2471 | key_setdumpsp(struct secpolicy *sp, u_int8_t type, u_int32_t seq, u_int32_t pid) |
---|
2472 | { |
---|
2473 | struct mbuf *result = NULL, *m; |
---|
2474 | struct seclifetime lt; |
---|
2475 | |
---|
2476 | m = key_setsadbmsg(type, 0, SADB_SATYPE_UNSPEC, seq, pid, sp->refcnt); |
---|
2477 | if (!m) |
---|
2478 | goto fail; |
---|
2479 | result = m; |
---|
2480 | |
---|
2481 | /* |
---|
2482 | * Note: do not send SADB_X_EXT_NAT_T_* here: |
---|
2483 | * we are sending traffic endpoints. |
---|
2484 | */ |
---|
2485 | m = key_setsadbaddr(SADB_EXT_ADDRESS_SRC, |
---|
2486 | &sp->spidx.src.sa, sp->spidx.prefs, |
---|
2487 | sp->spidx.ul_proto); |
---|
2488 | if (!m) |
---|
2489 | goto fail; |
---|
2490 | m_cat(result, m); |
---|
2491 | |
---|
2492 | m = key_setsadbaddr(SADB_EXT_ADDRESS_DST, |
---|
2493 | &sp->spidx.dst.sa, sp->spidx.prefd, |
---|
2494 | sp->spidx.ul_proto); |
---|
2495 | if (!m) |
---|
2496 | goto fail; |
---|
2497 | m_cat(result, m); |
---|
2498 | |
---|
2499 | m = key_sp2msg(sp); |
---|
2500 | if (!m) |
---|
2501 | goto fail; |
---|
2502 | m_cat(result, m); |
---|
2503 | |
---|
2504 | if(sp->lifetime){ |
---|
2505 | lt.addtime=sp->created; |
---|
2506 | lt.usetime= sp->lastused; |
---|
2507 | m = key_setlifetime(<, SADB_EXT_LIFETIME_CURRENT); |
---|
2508 | if (!m) |
---|
2509 | goto fail; |
---|
2510 | m_cat(result, m); |
---|
2511 | |
---|
2512 | lt.addtime=sp->lifetime; |
---|
2513 | lt.usetime= sp->validtime; |
---|
2514 | m = key_setlifetime(<, SADB_EXT_LIFETIME_HARD); |
---|
2515 | if (!m) |
---|
2516 | goto fail; |
---|
2517 | m_cat(result, m); |
---|
2518 | } |
---|
2519 | |
---|
2520 | if ((result->m_flags & M_PKTHDR) == 0) |
---|
2521 | goto fail; |
---|
2522 | |
---|
2523 | if (result->m_len < sizeof(struct sadb_msg)) { |
---|
2524 | result = m_pullup(result, sizeof(struct sadb_msg)); |
---|
2525 | if (result == NULL) |
---|
2526 | goto fail; |
---|
2527 | } |
---|
2528 | |
---|
2529 | result->m_pkthdr.len = 0; |
---|
2530 | for (m = result; m; m = m->m_next) |
---|
2531 | result->m_pkthdr.len += m->m_len; |
---|
2532 | |
---|
2533 | mtod(result, struct sadb_msg *)->sadb_msg_len = |
---|
2534 | PFKEY_UNIT64(result->m_pkthdr.len); |
---|
2535 | |
---|
2536 | return result; |
---|
2537 | |
---|
2538 | fail: |
---|
2539 | m_freem(result); |
---|
2540 | return NULL; |
---|
2541 | } |
---|
2542 | |
---|
2543 | /* |
---|
2544 | * get PFKEY message length for security policy and request. |
---|
2545 | */ |
---|
2546 | static u_int |
---|
2547 | key_getspreqmsglen(sp) |
---|
2548 | struct secpolicy *sp; |
---|
2549 | { |
---|
2550 | u_int tlen; |
---|
2551 | |
---|
2552 | tlen = sizeof(struct sadb_x_policy); |
---|
2553 | |
---|
2554 | /* if is the policy for ipsec ? */ |
---|
2555 | if (sp->policy != IPSEC_POLICY_IPSEC) |
---|
2556 | return tlen; |
---|
2557 | |
---|
2558 | /* get length of ipsec requests */ |
---|
2559 | { |
---|
2560 | struct ipsecrequest *isr; |
---|
2561 | int len; |
---|
2562 | |
---|
2563 | for (isr = sp->req; isr != NULL; isr = isr->next) { |
---|
2564 | len = sizeof(struct sadb_x_ipsecrequest) |
---|
2565 | + isr->saidx.src.sa.sa_len |
---|
2566 | + isr->saidx.dst.sa.sa_len; |
---|
2567 | |
---|
2568 | tlen += PFKEY_ALIGN8(len); |
---|
2569 | } |
---|
2570 | } |
---|
2571 | |
---|
2572 | return tlen; |
---|
2573 | } |
---|
2574 | |
---|
2575 | /* |
---|
2576 | * SADB_SPDEXPIRE processing |
---|
2577 | * send |
---|
2578 | * <base, address(SD), lifetime(CH), policy> |
---|
2579 | * to KMD by PF_KEY. |
---|
2580 | * |
---|
2581 | * OUT: 0 : succeed |
---|
2582 | * others : error number |
---|
2583 | */ |
---|
2584 | static int |
---|
2585 | key_spdexpire(sp) |
---|
2586 | struct secpolicy *sp; |
---|
2587 | { |
---|
2588 | struct mbuf *result = NULL, *m; |
---|
2589 | int len; |
---|
2590 | int error = -1; |
---|
2591 | struct sadb_lifetime *lt; |
---|
2592 | |
---|
2593 | /* XXX: Why do we lock ? */ |
---|
2594 | |
---|
2595 | IPSEC_ASSERT(sp != NULL, ("null secpolicy")); |
---|
2596 | |
---|
2597 | /* set msg header */ |
---|
2598 | m = key_setsadbmsg(SADB_X_SPDEXPIRE, 0, 0, 0, 0, 0); |
---|
2599 | if (!m) { |
---|
2600 | error = ENOBUFS; |
---|
2601 | goto fail; |
---|
2602 | } |
---|
2603 | result = m; |
---|
2604 | |
---|
2605 | /* create lifetime extension (current and hard) */ |
---|
2606 | len = PFKEY_ALIGN8(sizeof(*lt)) * 2; |
---|
2607 | m = key_alloc_mbuf(len); |
---|
2608 | if (!m || m->m_next) { /*XXX*/ |
---|
2609 | if (m) |
---|
2610 | m_freem(m); |
---|
2611 | error = ENOBUFS; |
---|
2612 | goto fail; |
---|
2613 | } |
---|
2614 | bzero(mtod(m, caddr_t), len); |
---|
2615 | lt = mtod(m, struct sadb_lifetime *); |
---|
2616 | lt->sadb_lifetime_len = PFKEY_UNIT64(sizeof(struct sadb_lifetime)); |
---|
2617 | lt->sadb_lifetime_exttype = SADB_EXT_LIFETIME_CURRENT; |
---|
2618 | lt->sadb_lifetime_allocations = 0; |
---|
2619 | lt->sadb_lifetime_bytes = 0; |
---|
2620 | lt->sadb_lifetime_addtime = sp->created; |
---|
2621 | lt->sadb_lifetime_usetime = sp->lastused; |
---|
2622 | lt = (struct sadb_lifetime *)(mtod(m, caddr_t) + len / 2); |
---|
2623 | lt->sadb_lifetime_len = PFKEY_UNIT64(sizeof(struct sadb_lifetime)); |
---|
2624 | lt->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD; |
---|
2625 | lt->sadb_lifetime_allocations = 0; |
---|
2626 | lt->sadb_lifetime_bytes = 0; |
---|
2627 | lt->sadb_lifetime_addtime = sp->lifetime; |
---|
2628 | lt->sadb_lifetime_usetime = sp->validtime; |
---|
2629 | m_cat(result, m); |
---|
2630 | |
---|
2631 | /* |
---|
2632 | * Note: do not send SADB_X_EXT_NAT_T_* here: |
---|
2633 | * we are sending traffic endpoints. |
---|
2634 | */ |
---|
2635 | |
---|
2636 | /* set sadb_address for source */ |
---|
2637 | m = key_setsadbaddr(SADB_EXT_ADDRESS_SRC, |
---|
2638 | &sp->spidx.src.sa, |
---|
2639 | sp->spidx.prefs, sp->spidx.ul_proto); |
---|
2640 | if (!m) { |
---|
2641 | error = ENOBUFS; |
---|
2642 | goto fail; |
---|
2643 | } |
---|
2644 | m_cat(result, m); |
---|
2645 | |
---|
2646 | /* set sadb_address for destination */ |
---|
2647 | m = key_setsadbaddr(SADB_EXT_ADDRESS_DST, |
---|
2648 | &sp->spidx.dst.sa, |
---|
2649 | sp->spidx.prefd, sp->spidx.ul_proto); |
---|
2650 | if (!m) { |
---|
2651 | error = ENOBUFS; |
---|
2652 | goto fail; |
---|
2653 | } |
---|
2654 | m_cat(result, m); |
---|
2655 | |
---|
2656 | /* set secpolicy */ |
---|
2657 | m = key_sp2msg(sp); |
---|
2658 | if (!m) { |
---|
2659 | error = ENOBUFS; |
---|
2660 | goto fail; |
---|
2661 | } |
---|
2662 | m_cat(result, m); |
---|
2663 | |
---|
2664 | if ((result->m_flags & M_PKTHDR) == 0) { |
---|
2665 | error = EINVAL; |
---|
2666 | goto fail; |
---|
2667 | } |
---|
2668 | |
---|
2669 | if (result->m_len < sizeof(struct sadb_msg)) { |
---|
2670 | result = m_pullup(result, sizeof(struct sadb_msg)); |
---|
2671 | if (result == NULL) { |
---|
2672 | error = ENOBUFS; |
---|
2673 | goto fail; |
---|
2674 | } |
---|
2675 | } |
---|
2676 | |
---|
2677 | result->m_pkthdr.len = 0; |
---|
2678 | for (m = result; m; m = m->m_next) |
---|
2679 | result->m_pkthdr.len += m->m_len; |
---|
2680 | |
---|
2681 | mtod(result, struct sadb_msg *)->sadb_msg_len = |
---|
2682 | PFKEY_UNIT64(result->m_pkthdr.len); |
---|
2683 | |
---|
2684 | return key_sendup_mbuf(NULL, result, KEY_SENDUP_REGISTERED); |
---|
2685 | |
---|
2686 | fail: |
---|
2687 | if (result) |
---|
2688 | m_freem(result); |
---|
2689 | return error; |
---|
2690 | } |
---|
2691 | |
---|
2692 | /* %%% SAD management */ |
---|
2693 | /* |
---|
2694 | * allocating a memory for new SA head, and copy from the values of mhp. |
---|
2695 | * OUT: NULL : failure due to the lack of memory. |
---|
2696 | * others : pointer to new SA head. |
---|
2697 | */ |
---|
2698 | static struct secashead * |
---|
2699 | key_newsah(saidx) |
---|
2700 | struct secasindex *saidx; |
---|
2701 | { |
---|
2702 | struct secashead *newsah; |
---|
2703 | |
---|
2704 | IPSEC_ASSERT(saidx != NULL, ("null saidx")); |
---|
2705 | |
---|
2706 | newsah = malloc(sizeof(struct secashead), M_IPSEC_SAH, M_NOWAIT|M_ZERO); |
---|
2707 | if (newsah != NULL) { |
---|
2708 | int i; |
---|
2709 | for (i = 0; i < sizeof(newsah->savtree)/sizeof(newsah->savtree[0]); i++) |
---|
2710 | LIST_INIT(&newsah->savtree[i]); |
---|
2711 | newsah->saidx = *saidx; |
---|
2712 | |
---|
2713 | /* add to saidxtree */ |
---|
2714 | newsah->state = SADB_SASTATE_MATURE; |
---|
2715 | |
---|
2716 | SAHTREE_LOCK(); |
---|
2717 | LIST_INSERT_HEAD(&V_sahtree, newsah, chain); |
---|
2718 | SAHTREE_UNLOCK(); |
---|
2719 | } |
---|
2720 | return(newsah); |
---|
2721 | } |
---|
2722 | |
---|
2723 | /* |
---|
2724 | * delete SA index and all SA registerd. |
---|
2725 | */ |
---|
2726 | static void |
---|
2727 | key_delsah(sah) |
---|
2728 | struct secashead *sah; |
---|
2729 | { |
---|
2730 | struct secasvar *sav, *nextsav; |
---|
2731 | u_int stateidx; |
---|
2732 | int zombie = 0; |
---|
2733 | |
---|
2734 | IPSEC_ASSERT(sah != NULL, ("NULL sah")); |
---|
2735 | SAHTREE_LOCK_ASSERT(); |
---|
2736 | |
---|
2737 | /* searching all SA registerd in the secindex. */ |
---|
2738 | for (stateidx = 0; |
---|
2739 | stateidx < _ARRAYLEN(saorder_state_any); |
---|
2740 | stateidx++) { |
---|
2741 | u_int state = saorder_state_any[stateidx]; |
---|
2742 | LIST_FOREACH_SAFE(sav, &sah->savtree[state], chain, nextsav) { |
---|
2743 | if (sav->refcnt == 0) { |
---|
2744 | /* sanity check */ |
---|
2745 | KEY_CHKSASTATE(state, sav->state, __func__); |
---|
2746 | /* |
---|
2747 | * do NOT call KEY_FREESAV here: |
---|
2748 | * it will only delete the sav if refcnt == 1, |
---|
2749 | * where we already know that refcnt == 0 |
---|
2750 | */ |
---|
2751 | key_delsav(sav); |
---|
2752 | } else { |
---|
2753 | /* give up to delete this sa */ |
---|
2754 | zombie++; |
---|
2755 | } |
---|
2756 | } |
---|
2757 | } |
---|
2758 | if (!zombie) { /* delete only if there are savs */ |
---|
2759 | /* remove from tree of SA index */ |
---|
2760 | if (__LIST_CHAINED(sah)) |
---|
2761 | LIST_REMOVE(sah, chain); |
---|
2762 | if (sah->route_cache.sa_route.ro_rt) { |
---|
2763 | RTFREE(sah->route_cache.sa_route.ro_rt); |
---|
2764 | sah->route_cache.sa_route.ro_rt = (struct rtentry *)NULL; |
---|
2765 | } |
---|
2766 | free(sah, M_IPSEC_SAH); |
---|
2767 | } |
---|
2768 | } |
---|
2769 | |
---|
2770 | /* |
---|
2771 | * allocating a new SA with LARVAL state. key_add() and key_getspi() call, |
---|
2772 | * and copy the values of mhp into new buffer. |
---|
2773 | * When SAD message type is GETSPI: |
---|
2774 | * to set sequence number from acq_seq++, |
---|
2775 | * to set zero to SPI. |
---|
2776 | * not to call key_setsava(). |
---|
2777 | * OUT: NULL : fail |
---|
2778 | * others : pointer to new secasvar. |
---|
2779 | * |
---|
2780 | * does not modify mbuf. does not free mbuf on error. |
---|
2781 | */ |
---|
2782 | static struct secasvar * |
---|
2783 | key_newsav(m, mhp, sah, errp, where, tag) |
---|
2784 | struct mbuf *m; |
---|
2785 | const struct sadb_msghdr *mhp; |
---|
2786 | struct secashead *sah; |
---|
2787 | int *errp; |
---|
2788 | const char* where; |
---|
2789 | int tag; |
---|
2790 | { |
---|
2791 | struct secasvar *newsav; |
---|
2792 | const struct sadb_sa *xsa; |
---|
2793 | |
---|
2794 | IPSEC_ASSERT(m != NULL, ("null mbuf")); |
---|
2795 | IPSEC_ASSERT(mhp != NULL, ("null msghdr")); |
---|
2796 | IPSEC_ASSERT(mhp->msg != NULL, ("null msg")); |
---|
2797 | IPSEC_ASSERT(sah != NULL, ("null secashead")); |
---|
2798 | |
---|
2799 | newsav = malloc(sizeof(struct secasvar), M_IPSEC_SA, M_NOWAIT|M_ZERO); |
---|
2800 | if (newsav == NULL) { |
---|
2801 | ipseclog((LOG_DEBUG, "%s: No more memory.\n", __func__)); |
---|
2802 | *errp = ENOBUFS; |
---|
2803 | goto done; |
---|
2804 | } |
---|
2805 | |
---|
2806 | switch (mhp->msg->sadb_msg_type) { |
---|
2807 | case SADB_GETSPI: |
---|
2808 | newsav->spi = 0; |
---|
2809 | |
---|
2810 | #ifdef IPSEC_DOSEQCHECK |
---|
2811 | /* sync sequence number */ |
---|
2812 | if (mhp->msg->sadb_msg_seq == 0) |
---|
2813 | newsav->seq = |
---|
2814 | (V_acq_seq = (V_acq_seq == ~0 ? 1 : ++V_acq_seq)); |
---|
2815 | else |
---|
2816 | #endif |
---|
2817 | newsav->seq = mhp->msg->sadb_msg_seq; |
---|
2818 | break; |
---|
2819 | |
---|
2820 | case SADB_ADD: |
---|
2821 | /* sanity check */ |
---|
2822 | if (mhp->ext[SADB_EXT_SA] == NULL) { |
---|
2823 | free(newsav, M_IPSEC_SA); |
---|
2824 | newsav = NULL; |
---|
2825 | ipseclog((LOG_DEBUG, "%s: invalid message is passed.\n", |
---|
2826 | __func__)); |
---|
2827 | *errp = EINVAL; |
---|
2828 | goto done; |
---|
2829 | } |
---|
2830 | xsa = (const struct sadb_sa *)mhp->ext[SADB_EXT_SA]; |
---|
2831 | newsav->spi = xsa->sadb_sa_spi; |
---|
2832 | newsav->seq = mhp->msg->sadb_msg_seq; |
---|
2833 | break; |
---|
2834 | default: |
---|
2835 | free(newsav, M_IPSEC_SA); |
---|
2836 | newsav = NULL; |
---|
2837 | *errp = EINVAL; |
---|
2838 | goto done; |
---|
2839 | } |
---|
2840 | |
---|
2841 | |
---|
2842 | /* copy sav values */ |
---|
2843 | if (mhp->msg->sadb_msg_type != SADB_GETSPI) { |
---|
2844 | *errp = key_setsaval(newsav, m, mhp); |
---|
2845 | if (*errp) { |
---|
2846 | free(newsav, M_IPSEC_SA); |
---|
2847 | newsav = NULL; |
---|
2848 | goto done; |
---|
2849 | } |
---|
2850 | } |
---|
2851 | |
---|
2852 | SECASVAR_LOCK_INIT(newsav); |
---|
2853 | |
---|
2854 | /* reset created */ |
---|
2855 | newsav->created = time_second; |
---|
2856 | newsav->pid = mhp->msg->sadb_msg_pid; |
---|
2857 | |
---|
2858 | /* add to satree */ |
---|
2859 | newsav->sah = sah; |
---|
2860 | sa_initref(newsav); |
---|
2861 | newsav->state = SADB_SASTATE_LARVAL; |
---|
2862 | |
---|
2863 | SAHTREE_LOCK(); |
---|
2864 | LIST_INSERT_TAIL(&sah->savtree[SADB_SASTATE_LARVAL], newsav, |
---|
2865 | secasvar, chain); |
---|
2866 | SAHTREE_UNLOCK(); |
---|
2867 | done: |
---|
2868 | KEYDEBUG(KEYDEBUG_IPSEC_STAMP, |
---|
2869 | printf("DP %s from %s:%u return SP:%p\n", __func__, |
---|
2870 | where, tag, newsav)); |
---|
2871 | |
---|
2872 | return newsav; |
---|
2873 | } |
---|
2874 | |
---|
2875 | /* |
---|
2876 | * free() SA variable entry. |
---|
2877 | */ |
---|
2878 | static void |
---|
2879 | key_cleansav(struct secasvar *sav) |
---|
2880 | { |
---|
2881 | /* |
---|
2882 | * Cleanup xform state. Note that zeroize'ing causes the |
---|
2883 | * keys to be cleared; otherwise we must do it ourself. |
---|
2884 | */ |
---|
2885 | if (sav->tdb_xform != NULL) { |
---|
2886 | sav->tdb_xform->xf_zeroize(sav); |
---|
2887 | sav->tdb_xform = NULL; |
---|
2888 | } else { |
---|
2889 | KASSERT(sav->iv == NULL, ("iv but no xform")); |
---|
2890 | if (sav->key_auth != NULL) |
---|
2891 | bzero(sav->key_auth->key_data, _KEYLEN(sav->key_auth)); |
---|
2892 | if (sav->key_enc != NULL) |
---|
2893 | bzero(sav->key_enc->key_data, _KEYLEN(sav->key_enc)); |
---|
2894 | } |
---|
2895 | if (sav->key_auth != NULL) { |
---|
2896 | if (sav->key_auth->key_data != NULL) |
---|
2897 | free(sav->key_auth->key_data, M_IPSEC_MISC); |
---|
2898 | free(sav->key_auth, M_IPSEC_MISC); |
---|
2899 | sav->key_auth = NULL; |
---|
2900 | } |
---|
2901 | if (sav->key_enc != NULL) { |
---|
2902 | if (sav->key_enc->key_data != NULL) |
---|
2903 | free(sav->key_enc->key_data, M_IPSEC_MISC); |
---|
2904 | free(sav->key_enc, M_IPSEC_MISC); |
---|
2905 | sav->key_enc = NULL; |
---|
2906 | } |
---|
2907 | if (sav->sched) { |
---|
2908 | bzero(sav->sched, sav->schedlen); |
---|
2909 | free(sav->sched, M_IPSEC_MISC); |
---|
2910 | sav->sched = NULL; |
---|
2911 | } |
---|
2912 | if (sav->replay != NULL) { |
---|
2913 | free(sav->replay, M_IPSEC_MISC); |
---|
2914 | sav->replay = NULL; |
---|
2915 | } |
---|
2916 | if (sav->lft_c != NULL) { |
---|
2917 | free(sav->lft_c, M_IPSEC_MISC); |
---|
2918 | sav->lft_c = NULL; |
---|
2919 | } |
---|
2920 | if (sav->lft_h != NULL) { |
---|
2921 | free(sav->lft_h, M_IPSEC_MISC); |
---|
2922 | sav->lft_h = NULL; |
---|
2923 | } |
---|
2924 | if (sav->lft_s != NULL) { |
---|
2925 | free(sav->lft_s, M_IPSEC_MISC); |
---|
2926 | sav->lft_s = NULL; |
---|
2927 | } |
---|
2928 | } |
---|
2929 | |
---|
2930 | /* |
---|
2931 | * free() SA variable entry. |
---|
2932 | */ |
---|
2933 | static void |
---|
2934 | key_delsav(sav) |
---|
2935 | struct secasvar *sav; |
---|
2936 | { |
---|
2937 | IPSEC_ASSERT(sav != NULL, ("null sav")); |
---|
2938 | IPSEC_ASSERT(sav->refcnt == 0, ("reference count %u > 0", sav->refcnt)); |
---|
2939 | |
---|
2940 | /* remove from SA header */ |
---|
2941 | if (__LIST_CHAINED(sav)) |
---|
2942 | LIST_REMOVE(sav, chain); |
---|
2943 | key_cleansav(sav); |
---|
2944 | SECASVAR_LOCK_DESTROY(sav); |
---|
2945 | free(sav, M_IPSEC_SA); |
---|
2946 | } |
---|
2947 | |
---|
2948 | /* |
---|
2949 | * search SAD. |
---|
2950 | * OUT: |
---|
2951 | * NULL : not found |
---|
2952 | * others : found, pointer to a SA. |
---|
2953 | */ |
---|
2954 | static struct secashead * |
---|
2955 | key_getsah(saidx) |
---|
2956 | struct secasindex *saidx; |
---|
2957 | { |
---|
2958 | struct secashead *sah; |
---|
2959 | |
---|
2960 | SAHTREE_LOCK(); |
---|
2961 | LIST_FOREACH(sah, &V_sahtree, chain) { |
---|
2962 | if (sah->state == SADB_SASTATE_DEAD) |
---|
2963 | continue; |
---|
2964 | if (key_cmpsaidx(&sah->saidx, saidx, CMP_REQID)) |
---|
2965 | break; |
---|
2966 | } |
---|
2967 | SAHTREE_UNLOCK(); |
---|
2968 | |
---|
2969 | return sah; |
---|
2970 | } |
---|
2971 | |
---|
2972 | /* |
---|
2973 | * check not to be duplicated SPI. |
---|
2974 | * NOTE: this function is too slow due to searching all SAD. |
---|
2975 | * OUT: |
---|
2976 | * NULL : not found |
---|
2977 | * others : found, pointer to a SA. |
---|
2978 | */ |
---|
2979 | static struct secasvar * |
---|
2980 | key_checkspidup(saidx, spi) |
---|
2981 | struct secasindex *saidx; |
---|
2982 | u_int32_t spi; |
---|
2983 | { |
---|
2984 | struct secashead *sah; |
---|
2985 | struct secasvar *sav; |
---|
2986 | |
---|
2987 | /* check address family */ |
---|
2988 | if (saidx->src.sa.sa_family != saidx->dst.sa.sa_family) { |
---|
2989 | ipseclog((LOG_DEBUG, "%s: address family mismatched.\n", |
---|
2990 | __func__)); |
---|
2991 | return NULL; |
---|
2992 | } |
---|
2993 | |
---|
2994 | sav = NULL; |
---|
2995 | /* check all SAD */ |
---|
2996 | SAHTREE_LOCK(); |
---|
2997 | LIST_FOREACH(sah, &V_sahtree, chain) { |
---|
2998 | if (!key_ismyaddr((struct sockaddr *)&sah->saidx.dst)) |
---|
2999 | continue; |
---|
3000 | sav = key_getsavbyspi(sah, spi); |
---|
3001 | if (sav != NULL) |
---|
3002 | break; |
---|
3003 | } |
---|
3004 | SAHTREE_UNLOCK(); |
---|
3005 | |
---|
3006 | return sav; |
---|
3007 | } |
---|
3008 | |
---|
3009 | /* |
---|
3010 | * search SAD litmited alive SA, protocol, SPI. |
---|
3011 | * OUT: |
---|
3012 | * NULL : not found |
---|
3013 | * others : found, pointer to a SA. |
---|
3014 | */ |
---|
3015 | static struct secasvar * |
---|
3016 | key_getsavbyspi(sah, spi) |
---|
3017 | struct secashead *sah; |
---|
3018 | u_int32_t spi; |
---|
3019 | { |
---|
3020 | struct secasvar *sav; |
---|
3021 | u_int stateidx, state; |
---|
3022 | |
---|
3023 | sav = NULL; |
---|
3024 | SAHTREE_LOCK_ASSERT(); |
---|
3025 | /* search all status */ |
---|
3026 | for (stateidx = 0; |
---|
3027 | stateidx < _ARRAYLEN(saorder_state_alive); |
---|
3028 | stateidx++) { |
---|
3029 | |
---|
3030 | state = saorder_state_alive[stateidx]; |
---|
3031 | LIST_FOREACH(sav, &sah->savtree[state], chain) { |
---|
3032 | |
---|
3033 | /* sanity check */ |
---|
3034 | if (sav->state != state) { |
---|
3035 | ipseclog((LOG_DEBUG, "%s: " |
---|
3036 | "invalid sav->state (queue: %d SA: %d)\n", |
---|
3037 | __func__, state, sav->state)); |
---|
3038 | continue; |
---|
3039 | } |
---|
3040 | |
---|
3041 | if (sav->spi == spi) |
---|
3042 | return sav; |
---|
3043 | } |
---|
3044 | } |
---|
3045 | |
---|
3046 | return NULL; |
---|
3047 | } |
---|
3048 | |
---|
3049 | /* |
---|
3050 | * copy SA values from PF_KEY message except *SPI, SEQ, PID, STATE and TYPE*. |
---|
3051 | * You must update these if need. |
---|
3052 | * OUT: 0: success. |
---|
3053 | * !0: failure. |
---|
3054 | * |
---|
3055 | * does not modify mbuf. does not free mbuf on error. |
---|
3056 | */ |
---|
3057 | static int |
---|
3058 | key_setsaval(sav, m, mhp) |
---|
3059 | struct secasvar *sav; |
---|
3060 | struct mbuf *m; |
---|
3061 | const struct sadb_msghdr *mhp; |
---|
3062 | { |
---|
3063 | int error = 0; |
---|
3064 | |
---|
3065 | IPSEC_ASSERT(m != NULL, ("null mbuf")); |
---|
3066 | IPSEC_ASSERT(mhp != NULL, ("null msghdr")); |
---|
3067 | IPSEC_ASSERT(mhp->msg != NULL, ("null msg")); |
---|
3068 | |
---|
3069 | /* initialization */ |
---|
3070 | sav->replay = NULL; |
---|
3071 | sav->key_auth = NULL; |
---|
3072 | sav->key_enc = NULL; |
---|
3073 | sav->sched = NULL; |
---|
3074 | sav->schedlen = 0; |
---|
3075 | sav->iv = NULL; |
---|
3076 | sav->lft_c = NULL; |
---|
3077 | sav->lft_h = NULL; |
---|
3078 | sav->lft_s = NULL; |
---|
3079 | sav->tdb_xform = NULL; /* transform */ |
---|
3080 | sav->tdb_encalgxform = NULL; /* encoding algorithm */ |
---|
3081 | sav->tdb_authalgxform = NULL; /* authentication algorithm */ |
---|
3082 | sav->tdb_compalgxform = NULL; /* compression algorithm */ |
---|
3083 | /* Initialize even if NAT-T not compiled in: */ |
---|
3084 | sav->natt_type = 0; |
---|
3085 | sav->natt_esp_frag_len = 0; |
---|
3086 | |
---|
3087 | /* SA */ |
---|
3088 | if (mhp->ext[SADB_EXT_SA] != NULL) { |
---|
3089 | const struct sadb_sa *sa0; |
---|
3090 | |
---|
3091 | sa0 = (const struct sadb_sa *)mhp->ext[SADB_EXT_SA]; |
---|
3092 | if (mhp->extlen[SADB_EXT_SA] < sizeof(*sa0)) { |
---|
3093 | error = EINVAL; |
---|
3094 | goto fail; |
---|
3095 | } |
---|
3096 | |
---|
3097 | sav->alg_auth = sa0->sadb_sa_auth; |
---|
3098 | sav->alg_enc = sa0->sadb_sa_encrypt; |
---|
3099 | sav->flags = sa0->sadb_sa_flags; |
---|
3100 | |
---|
3101 | /* replay window */ |
---|
3102 | if ((sa0->sadb_sa_flags & SADB_X_EXT_OLD) == 0) { |
---|
3103 | sav->replay = (struct secreplay *) |
---|
3104 | malloc(sizeof(struct secreplay)+sa0->sadb_sa_replay, M_IPSEC_MISC, M_NOWAIT|M_ZERO); |
---|
3105 | if (sav->replay == NULL) { |
---|
3106 | ipseclog((LOG_DEBUG, "%s: No more memory.\n", |
---|
3107 | __func__)); |
---|
3108 | error = ENOBUFS; |
---|
3109 | goto fail; |
---|
3110 | } |
---|
3111 | if (sa0->sadb_sa_replay != 0) |
---|
3112 | sav->replay->bitmap = (caddr_t)(sav->replay+1); |
---|
3113 | sav->replay->wsize = sa0->sadb_sa_replay; |
---|
3114 | } |
---|
3115 | } |
---|
3116 | |
---|
3117 | /* Authentication keys */ |
---|
3118 | if (mhp->ext[SADB_EXT_KEY_AUTH] != NULL) { |
---|
3119 | const struct sadb_key *key0; |
---|
3120 | int len; |
---|
3121 | |
---|
3122 | key0 = (const struct sadb_key *)mhp->ext[SADB_EXT_KEY_AUTH]; |
---|
3123 | len = mhp->extlen[SADB_EXT_KEY_AUTH]; |
---|
3124 | |
---|
3125 | error = 0; |
---|
3126 | if (len < sizeof(*key0)) { |
---|
3127 | error = EINVAL; |
---|
3128 | goto fail; |
---|
3129 | } |
---|
3130 | switch (mhp->msg->sadb_msg_satype) { |
---|
3131 | case SADB_SATYPE_AH: |
---|
3132 | case SADB_SATYPE_ESP: |
---|
3133 | case SADB_X_SATYPE_TCPSIGNATURE: |
---|
3134 | if (len == PFKEY_ALIGN8(sizeof(struct sadb_key)) && |
---|
3135 | sav->alg_auth != SADB_X_AALG_NULL) |
---|
3136 | error = EINVAL; |
---|
3137 | break; |
---|
3138 | case SADB_X_SATYPE_IPCOMP: |
---|
3139 | default: |
---|
3140 | error = EINVAL; |
---|
3141 | break; |
---|
3142 | } |
---|
3143 | if (error) { |
---|
3144 | ipseclog((LOG_DEBUG, "%s: invalid key_auth values.\n", |
---|
3145 | __func__)); |
---|
3146 | goto fail; |
---|
3147 | } |
---|
3148 | |
---|
3149 | sav->key_auth = (struct seckey *)key_dup_keymsg(key0, len, |
---|
3150 | M_IPSEC_MISC); |
---|
3151 | if (sav->key_auth == NULL ) { |
---|
3152 | ipseclog((LOG_DEBUG, "%s: No more memory.\n", |
---|
3153 | __func__)); |
---|
3154 | error = ENOBUFS; |
---|
3155 | goto fail; |
---|
3156 | } |
---|
3157 | } |
---|
3158 | |
---|
3159 | /* Encryption key */ |
---|
3160 | if (mhp->ext[SADB_EXT_KEY_ENCRYPT] != NULL) { |
---|
3161 | const struct sadb_key *key0; |
---|
3162 | int len; |
---|
3163 | |
---|
3164 | key0 = (const struct sadb_key *)mhp->ext[SADB_EXT_KEY_ENCRYPT]; |
---|
3165 | len = mhp->extlen[SADB_EXT_KEY_ENCRYPT]; |
---|
3166 | |
---|
3167 | error = 0; |
---|
3168 | if (len < sizeof(*key0)) { |
---|
3169 | error = EINVAL; |
---|
3170 | goto fail; |
---|
3171 | } |
---|
3172 | switch (mhp->msg->sadb_msg_satype) { |
---|
3173 | case SADB_SATYPE_ESP: |
---|
3174 | if (len == PFKEY_ALIGN8(sizeof(struct sadb_key)) && |
---|
3175 | sav->alg_enc != SADB_EALG_NULL) { |
---|
3176 | error = EINVAL; |
---|
3177 | break; |
---|
3178 | } |
---|
3179 | sav->key_enc = (struct seckey *)key_dup_keymsg(key0, |
---|
3180 | len, |
---|
3181 | M_IPSEC_MISC); |
---|
3182 | if (sav->key_enc == NULL) { |
---|
3183 | ipseclog((LOG_DEBUG, "%s: No more memory.\n", |
---|
3184 | __func__)); |
---|
3185 | error = ENOBUFS; |
---|
3186 | goto fail; |
---|
3187 | } |
---|
3188 | break; |
---|
3189 | case SADB_X_SATYPE_IPCOMP: |
---|
3190 | if (len != PFKEY_ALIGN8(sizeof(struct sadb_key))) |
---|
3191 | error = EINVAL; |
---|
3192 | sav->key_enc = NULL; /*just in case*/ |
---|
3193 | break; |
---|
3194 | case SADB_SATYPE_AH: |
---|
3195 | case SADB_X_SATYPE_TCPSIGNATURE: |
---|
3196 | default: |
---|
3197 | error = EINVAL; |
---|
3198 | break; |
---|
3199 | } |
---|
3200 | if (error) { |
---|
3201 | ipseclog((LOG_DEBUG, "%s: invalid key_enc value.\n", |
---|
3202 | __func__)); |
---|
3203 | goto fail; |
---|
3204 | } |
---|
3205 | } |
---|
3206 | |
---|
3207 | /* set iv */ |
---|
3208 | sav->ivlen = 0; |
---|
3209 | |
---|
3210 | switch (mhp->msg->sadb_msg_satype) { |
---|
3211 | case SADB_SATYPE_AH: |
---|
3212 | error = xform_init(sav, XF_AH); |
---|
3213 | break; |
---|
3214 | case SADB_SATYPE_ESP: |
---|
3215 | error = xform_init(sav, XF_ESP); |
---|
3216 | break; |
---|
3217 | case SADB_X_SATYPE_IPCOMP: |
---|
3218 | error = xform_init(sav, XF_IPCOMP); |
---|
3219 | break; |
---|
3220 | case SADB_X_SATYPE_TCPSIGNATURE: |
---|
3221 | error = xform_init(sav, XF_TCPSIGNATURE); |
---|
3222 | break; |
---|
3223 | } |
---|
3224 | if (error) { |
---|
3225 | ipseclog((LOG_DEBUG, "%s: unable to initialize SA type %u.\n", |
---|
3226 | __func__, mhp->msg->sadb_msg_satype)); |
---|
3227 | goto fail; |
---|
3228 | } |
---|
3229 | |
---|
3230 | /* reset created */ |
---|
3231 | sav->created = time_second; |
---|
3232 | |
---|
3233 | /* make lifetime for CURRENT */ |
---|
3234 | sav->lft_c = malloc(sizeof(struct seclifetime), M_IPSEC_MISC, M_NOWAIT); |
---|
3235 | if (sav->lft_c == NULL) { |
---|
3236 | ipseclog((LOG_DEBUG, "%s: No more memory.\n", __func__)); |
---|
3237 | error = ENOBUFS; |
---|
3238 | goto fail; |
---|
3239 | } |
---|
3240 | |
---|
3241 | sav->lft_c->allocations = 0; |
---|
3242 | sav->lft_c->bytes = 0; |
---|
3243 | sav->lft_c->addtime = time_second; |
---|
3244 | sav->lft_c->usetime = 0; |
---|
3245 | |
---|
3246 | /* lifetimes for HARD and SOFT */ |
---|
3247 | { |
---|
3248 | const struct sadb_lifetime *lft0; |
---|
3249 | |
---|
3250 | lft0 = (struct sadb_lifetime *)mhp->ext[SADB_EXT_LIFETIME_HARD]; |
---|
3251 | if (lft0 != NULL) { |
---|
3252 | if (mhp->extlen[SADB_EXT_LIFETIME_HARD] < sizeof(*lft0)) { |
---|
3253 | error = EINVAL; |
---|
3254 | goto fail; |
---|
3255 | } |
---|
3256 | sav->lft_h = key_dup_lifemsg(lft0, M_IPSEC_MISC); |
---|
3257 | if (sav->lft_h == NULL) { |
---|
3258 | ipseclog((LOG_DEBUG, "%s: No more memory.\n",__func__)); |
---|
3259 | error = ENOBUFS; |
---|
3260 | goto fail; |
---|
3261 | } |
---|
3262 | /* to be initialize ? */ |
---|
3263 | } |
---|
3264 | |
---|
3265 | lft0 = (struct sadb_lifetime *)mhp->ext[SADB_EXT_LIFETIME_SOFT]; |
---|
3266 | if (lft0 != NULL) { |
---|
3267 | if (mhp->extlen[SADB_EXT_LIFETIME_SOFT] < sizeof(*lft0)) { |
---|
3268 | error = EINVAL; |
---|
3269 | goto fail; |
---|
3270 | } |
---|
3271 | sav->lft_s = key_dup_lifemsg(lft0, M_IPSEC_MISC); |
---|
3272 | if (sav->lft_s == NULL) { |
---|
3273 | ipseclog((LOG_DEBUG, "%s: No more memory.\n",__func__)); |
---|
3274 | error = ENOBUFS; |
---|
3275 | goto fail; |
---|
3276 | } |
---|
3277 | /* to be initialize ? */ |
---|
3278 | } |
---|
3279 | } |
---|
3280 | |
---|
3281 | return 0; |
---|
3282 | |
---|
3283 | fail: |
---|
3284 | /* initialization */ |
---|
3285 | key_cleansav(sav); |
---|
3286 | |
---|
3287 | return error; |
---|
3288 | } |
---|
3289 | |
---|
3290 | /* |
---|
3291 | * validation with a secasvar entry, and set SADB_SATYPE_MATURE. |
---|
3292 | * OUT: 0: valid |
---|
3293 | * other: errno |
---|
3294 | */ |
---|
3295 | static int |
---|
3296 | key_mature(struct secasvar *sav) |
---|
3297 | { |
---|
3298 | int error; |
---|
3299 | |
---|
3300 | /* check SPI value */ |
---|
3301 | switch (sav->sah->saidx.proto) { |
---|
3302 | case IPPROTO_ESP: |
---|
3303 | case IPPROTO_AH: |
---|
3304 | /* |
---|
3305 | * RFC 4302, 2.4. Security Parameters Index (SPI), SPI values |
---|
3306 | * 1-255 reserved by IANA for future use, |
---|
3307 | * 0 for implementation specific, local use. |
---|
3308 | */ |
---|
3309 | if (ntohl(sav->spi) <= 255) { |
---|
3310 | ipseclog((LOG_DEBUG, "%s: illegal range of SPI %u.\n", |
---|
3311 | __func__, (u_int32_t)ntohl(sav->spi))); |
---|
3312 | return EINVAL; |
---|
3313 | } |
---|
3314 | break; |
---|
3315 | } |
---|
3316 | |
---|
3317 | /* check satype */ |
---|
3318 | switch (sav->sah->saidx.proto) { |
---|
3319 | case IPPROTO_ESP: |
---|
3320 | /* check flags */ |
---|
3321 | if ((sav->flags & (SADB_X_EXT_OLD|SADB_X_EXT_DERIV)) == |
---|
3322 | (SADB_X_EXT_OLD|SADB_X_EXT_DERIV)) { |
---|
3323 | ipseclog((LOG_DEBUG, "%s: invalid flag (derived) " |
---|
3324 | "given to old-esp.\n", __func__)); |
---|
3325 | return EINVAL; |
---|
3326 | } |
---|
3327 | error = xform_init(sav, XF_ESP); |
---|
3328 | break; |
---|
3329 | case IPPROTO_AH: |
---|
3330 | /* check flags */ |
---|
3331 | if (sav->flags & SADB_X_EXT_DERIV) { |
---|
3332 | ipseclog((LOG_DEBUG, "%s: invalid flag (derived) " |
---|
3333 | "given to AH SA.\n", __func__)); |
---|
3334 | return EINVAL; |
---|
3335 | } |
---|
3336 | if (sav->alg_enc != SADB_EALG_NONE) { |
---|
3337 | ipseclog((LOG_DEBUG, "%s: protocol and algorithm " |
---|
3338 | "mismated.\n", __func__)); |
---|
3339 | return(EINVAL); |
---|
3340 | } |
---|
3341 | error = xform_init(sav, XF_AH); |
---|
3342 | break; |
---|
3343 | case IPPROTO_IPCOMP: |
---|
3344 | if (sav->alg_auth != SADB_AALG_NONE) { |
---|
3345 | ipseclog((LOG_DEBUG, "%s: protocol and algorithm " |
---|
3346 | "mismated.\n", __func__)); |
---|
3347 | return(EINVAL); |
---|
3348 | } |
---|
3349 | if ((sav->flags & SADB_X_EXT_RAWCPI) == 0 |
---|
3350 | && ntohl(sav->spi) >= 0x10000) { |
---|
3351 | ipseclog((LOG_DEBUG, "%s: invalid cpi for IPComp.\n", |
---|
3352 | __func__)); |
---|
3353 | return(EINVAL); |
---|
3354 | } |
---|
3355 | error = xform_init(sav, XF_IPCOMP); |
---|
3356 | break; |
---|
3357 | case IPPROTO_TCP: |
---|
3358 | if (sav->alg_enc != SADB_EALG_NONE) { |
---|
3359 | ipseclog((LOG_DEBUG, "%s: protocol and algorithm " |
---|
3360 | "mismated.\n", __func__)); |
---|
3361 | return(EINVAL); |
---|
3362 | } |
---|
3363 | error = xform_init(sav, XF_TCPSIGNATURE); |
---|
3364 | break; |
---|
3365 | default: |
---|
3366 | ipseclog((LOG_DEBUG, "%s: Invalid satype.\n", __func__)); |
---|
3367 | error = EPROTONOSUPPORT; |
---|
3368 | break; |
---|
3369 | } |
---|
3370 | if (error == 0) { |
---|
3371 | SAHTREE_LOCK(); |
---|
3372 | key_sa_chgstate(sav, SADB_SASTATE_MATURE); |
---|
3373 | SAHTREE_UNLOCK(); |
---|
3374 | } |
---|
3375 | return (error); |
---|
3376 | } |
---|
3377 | |
---|
3378 | /* |
---|
3379 | * subroutine for SADB_GET and SADB_DUMP. |
---|
3380 | */ |
---|
3381 | static struct mbuf * |
---|
3382 | key_setdumpsa(struct secasvar *sav, u_int8_t type, u_int8_t satype, |
---|
3383 | u_int32_t seq, u_int32_t pid) |
---|
3384 | { |
---|
3385 | struct mbuf *result = NULL, *tres = NULL, *m; |
---|
3386 | int i; |
---|
3387 | int dumporder[] = { |
---|
3388 | SADB_EXT_SA, SADB_X_EXT_SA2, |
---|
3389 | SADB_EXT_LIFETIME_HARD, SADB_EXT_LIFETIME_SOFT, |
---|
3390 | SADB_EXT_LIFETIME_CURRENT, SADB_EXT_ADDRESS_SRC, |
---|
3391 | SADB_EXT_ADDRESS_DST, SADB_EXT_ADDRESS_PROXY, SADB_EXT_KEY_AUTH, |
---|
3392 | SADB_EXT_KEY_ENCRYPT, SADB_EXT_IDENTITY_SRC, |
---|
3393 | SADB_EXT_IDENTITY_DST, SADB_EXT_SENSITIVITY, |
---|
3394 | #ifdef IPSEC_NAT_T |
---|
3395 | SADB_X_EXT_NAT_T_TYPE, |
---|
3396 | SADB_X_EXT_NAT_T_SPORT, SADB_X_EXT_NAT_T_DPORT, |
---|
3397 | SADB_X_EXT_NAT_T_OAI, SADB_X_EXT_NAT_T_OAR, |
---|
3398 | SADB_X_EXT_NAT_T_FRAG, |
---|
3399 | #endif |
---|
3400 | }; |
---|
3401 | |
---|
3402 | m = key_setsadbmsg(type, 0, satype, seq, pid, sav->refcnt); |
---|
3403 | if (m == NULL) |
---|
3404 | goto fail; |
---|
3405 | result = m; |
---|
3406 | |
---|
3407 | for (i = sizeof(dumporder)/sizeof(dumporder[0]) - 1; i >= 0; i--) { |
---|
3408 | m = NULL; |
---|
3409 | switch (dumporder[i]) { |
---|
3410 | case SADB_EXT_SA: |
---|
3411 | m = key_setsadbsa(sav); |
---|
3412 | if (!m) |
---|
3413 | goto fail; |
---|
3414 | break; |
---|
3415 | |
---|
3416 | case SADB_X_EXT_SA2: |
---|
3417 | m = key_setsadbxsa2(sav->sah->saidx.mode, |
---|
3418 | sav->replay ? sav->replay->count : 0, |
---|
3419 | sav->sah->saidx.reqid); |
---|
3420 | if (!m) |
---|
3421 | goto fail; |
---|
3422 | break; |
---|
3423 | |
---|
3424 | case SADB_EXT_ADDRESS_SRC: |
---|
3425 | m = key_setsadbaddr(SADB_EXT_ADDRESS_SRC, |
---|
3426 | &sav->sah->saidx.src.sa, |
---|
3427 | FULLMASK, IPSEC_ULPROTO_ANY); |
---|
3428 | if (!m) |
---|
3429 | goto fail; |
---|
3430 | break; |
---|
3431 | |
---|
3432 | case SADB_EXT_ADDRESS_DST: |
---|
3433 | m = key_setsadbaddr(SADB_EXT_ADDRESS_DST, |
---|
3434 | &sav->sah->saidx.dst.sa, |
---|
3435 | FULLMASK, IPSEC_ULPROTO_ANY); |
---|
3436 | if (!m) |
---|
3437 | goto fail; |
---|
3438 | break; |
---|
3439 | |
---|
3440 | case SADB_EXT_KEY_AUTH: |
---|
3441 | if (!sav->key_auth) |
---|
3442 | continue; |
---|
3443 | m = key_setkey(sav->key_auth, SADB_EXT_KEY_AUTH); |
---|
3444 | if (!m) |
---|
3445 | goto fail; |
---|
3446 | break; |
---|
3447 | |
---|
3448 | case SADB_EXT_KEY_ENCRYPT: |
---|
3449 | if (!sav->key_enc) |
---|
3450 | continue; |
---|
3451 | m = key_setkey(sav->key_enc, SADB_EXT_KEY_ENCRYPT); |
---|
3452 | if (!m) |
---|
3453 | goto fail; |
---|
3454 | break; |
---|
3455 | |
---|
3456 | case SADB_EXT_LIFETIME_CURRENT: |
---|
3457 | if (!sav->lft_c) |
---|
3458 | continue; |
---|
3459 | m = key_setlifetime(sav->lft_c, |
---|
3460 | SADB_EXT_LIFETIME_CURRENT); |
---|
3461 | if (!m) |
---|
3462 | goto fail; |
---|
3463 | break; |
---|
3464 | |
---|
3465 | case SADB_EXT_LIFETIME_HARD: |
---|
3466 | if (!sav->lft_h) |
---|
3467 | continue; |
---|
3468 | m = key_setlifetime(sav->lft_h, |
---|
3469 | SADB_EXT_LIFETIME_HARD); |
---|
3470 | if (!m) |
---|
3471 | goto fail; |
---|
3472 | break; |
---|
3473 | |
---|
3474 | case SADB_EXT_LIFETIME_SOFT: |
---|
3475 | if (!sav->lft_s) |
---|
3476 | continue; |
---|
3477 | m = key_setlifetime(sav->lft_s, |
---|
3478 | SADB_EXT_LIFETIME_SOFT); |
---|
3479 | |
---|
3480 | if (!m) |
---|
3481 | goto fail; |
---|
3482 | break; |
---|
3483 | |
---|
3484 | #ifdef IPSEC_NAT_T |
---|
3485 | case SADB_X_EXT_NAT_T_TYPE: |
---|
3486 | m = key_setsadbxtype(sav->natt_type); |
---|
3487 | if (!m) |
---|
3488 | goto fail; |
---|
3489 | break; |
---|
3490 | |
---|
3491 | case SADB_X_EXT_NAT_T_DPORT: |
---|
3492 | m = key_setsadbxport( |
---|
3493 | KEY_PORTFROMSADDR(&sav->sah->saidx.dst), |
---|
3494 | SADB_X_EXT_NAT_T_DPORT); |
---|
3495 | if (!m) |
---|
3496 | goto fail; |
---|
3497 | break; |
---|
3498 | |
---|
3499 | case SADB_X_EXT_NAT_T_SPORT: |
---|
3500 | m = key_setsadbxport( |
---|
3501 | KEY_PORTFROMSADDR(&sav->sah->saidx.src), |
---|
3502 | SADB_X_EXT_NAT_T_SPORT); |
---|
3503 | if (!m) |
---|
3504 | goto fail; |
---|
3505 | break; |
---|
3506 | |
---|
3507 | case SADB_X_EXT_NAT_T_OAI: |
---|
3508 | case SADB_X_EXT_NAT_T_OAR: |
---|
3509 | case SADB_X_EXT_NAT_T_FRAG: |
---|
3510 | /* We do not (yet) support those. */ |
---|
3511 | continue; |
---|
3512 | #endif |
---|
3513 | |
---|
3514 | case SADB_EXT_ADDRESS_PROXY: |
---|
3515 | case SADB_EXT_IDENTITY_SRC: |
---|
3516 | case SADB_EXT_IDENTITY_DST: |
---|
3517 | /* XXX: should we brought from SPD ? */ |
---|
3518 | case SADB_EXT_SENSITIVITY: |
---|
3519 | default: |
---|
3520 | continue; |
---|
3521 | } |
---|
3522 | |
---|
3523 | if (!m) |
---|
3524 | goto fail; |
---|
3525 | if (tres) |
---|
3526 | m_cat(m, tres); |
---|
3527 | tres = m; |
---|
3528 | |
---|
3529 | } |
---|
3530 | |
---|
3531 | m_cat(result, tres); |
---|
3532 | if (result->m_len < sizeof(struct sadb_msg)) { |
---|
3533 | result = m_pullup(result, sizeof(struct sadb_msg)); |
---|
3534 | if (result == NULL) |
---|
3535 | goto fail; |
---|
3536 | } |
---|
3537 | |
---|
3538 | result->m_pkthdr.len = 0; |
---|
3539 | for (m = result; m; m = m->m_next) |
---|
3540 | result->m_pkthdr.len += m->m_len; |
---|
3541 | |
---|
3542 | mtod(result, struct sadb_msg *)->sadb_msg_len = |
---|
3543 | PFKEY_UNIT64(result->m_pkthdr.len); |
---|
3544 | |
---|
3545 | return result; |
---|
3546 | |
---|
3547 | fail: |
---|
3548 | m_freem(result); |
---|
3549 | m_freem(tres); |
---|
3550 | return NULL; |
---|
3551 | } |
---|
3552 | |
---|
3553 | /* |
---|
3554 | * set data into sadb_msg. |
---|
3555 | */ |
---|
3556 | static struct mbuf * |
---|
3557 | key_setsadbmsg(u_int8_t type, u_int16_t tlen, u_int8_t satype, u_int32_t seq, |
---|
3558 | pid_t pid, u_int16_t reserved) |
---|
3559 | { |
---|
3560 | struct mbuf *m; |
---|
3561 | struct sadb_msg *p; |
---|
3562 | int len; |
---|
3563 | |
---|
3564 | len = PFKEY_ALIGN8(sizeof(struct sadb_msg)); |
---|
3565 | if (len > MCLBYTES) |
---|
3566 | return NULL; |
---|
3567 | MGETHDR(m, M_DONTWAIT, MT_DATA); |
---|
3568 | if (m && len > MHLEN) { |
---|
3569 | MCLGET(m, M_DONTWAIT); |
---|
3570 | if ((m->m_flags & M_EXT) == 0) { |
---|
3571 | m_freem(m); |
---|
3572 | m = NULL; |
---|
3573 | } |
---|
3574 | } |
---|
3575 | if (!m) |
---|
3576 | return NULL; |
---|
3577 | m->m_pkthdr.len = m->m_len = len; |
---|
3578 | m->m_next = NULL; |
---|
3579 | |
---|
3580 | p = mtod(m, struct sadb_msg *); |
---|
3581 | |
---|
3582 | bzero(p, len); |
---|
3583 | p->sadb_msg_version = PF_KEY_V2; |
---|
3584 | p->sadb_msg_type = type; |
---|
3585 | p->sadb_msg_errno = 0; |
---|
3586 | p->sadb_msg_satype = satype; |
---|
3587 | p->sadb_msg_len = PFKEY_UNIT64(tlen); |
---|
3588 | p->sadb_msg_reserved = reserved; |
---|
3589 | p->sadb_msg_seq = seq; |
---|
3590 | p->sadb_msg_pid = (u_int32_t)pid; |
---|
3591 | |
---|
3592 | return m; |
---|
3593 | } |
---|
3594 | |
---|
3595 | /* |
---|
3596 | * copy secasvar data into sadb_address. |
---|
3597 | */ |
---|
3598 | static struct mbuf * |
---|
3599 | key_setsadbsa(sav) |
---|
3600 | struct secasvar *sav; |
---|
3601 | { |
---|
3602 | struct mbuf *m; |
---|
3603 | struct sadb_sa *p; |
---|
3604 | int len; |
---|
3605 | |
---|
3606 | len = PFKEY_ALIGN8(sizeof(struct sadb_sa)); |
---|
3607 | m = key_alloc_mbuf(len); |
---|
3608 | if (!m || m->m_next) { /*XXX*/ |
---|
3609 | if (m) |
---|
3610 | m_freem(m); |
---|
3611 | return NULL; |
---|
3612 | } |
---|
3613 | |
---|
3614 | p = mtod(m, struct sadb_sa *); |
---|
3615 | |
---|
3616 | bzero(p, len); |
---|
3617 | p->sadb_sa_len = PFKEY_UNIT64(len); |
---|
3618 | p->sadb_sa_exttype = SADB_EXT_SA; |
---|
3619 | p->sadb_sa_spi = sav->spi; |
---|
3620 | p->sadb_sa_replay = (sav->replay != NULL ? sav->replay->wsize : 0); |
---|
3621 | p->sadb_sa_state = sav->state; |
---|
3622 | p->sadb_sa_auth = sav->alg_auth; |
---|
3623 | p->sadb_sa_encrypt = sav->alg_enc; |
---|
3624 | p->sadb_sa_flags = sav->flags; |
---|
3625 | |
---|
3626 | return m; |
---|
3627 | } |
---|
3628 | |
---|
3629 | /* |
---|
3630 | * set data into sadb_address. |
---|
3631 | */ |
---|
3632 | static struct mbuf * |
---|
3633 | key_setsadbaddr(u_int16_t exttype, const struct sockaddr *saddr, u_int8_t prefixlen, u_int16_t ul_proto) |
---|
3634 | { |
---|
3635 | struct mbuf *m; |
---|
3636 | struct sadb_address *p; |
---|
3637 | size_t len; |
---|
3638 | |
---|
3639 | len = PFKEY_ALIGN8(sizeof(struct sadb_address)) + |
---|
3640 | PFKEY_ALIGN8(saddr->sa_len); |
---|
3641 | m = key_alloc_mbuf(len); |
---|
3642 | if (!m || m->m_next) { /*XXX*/ |
---|
3643 | if (m) |
---|
3644 | m_freem(m); |
---|
3645 | return NULL; |
---|
3646 | } |
---|
3647 | |
---|
3648 | p = mtod(m, struct sadb_address *); |
---|
3649 | |
---|
3650 | bzero(p, len); |
---|
3651 | p->sadb_address_len = PFKEY_UNIT64(len); |
---|
3652 | p->sadb_address_exttype = exttype; |
---|
3653 | p->sadb_address_proto = ul_proto; |
---|
3654 | if (prefixlen == FULLMASK) { |
---|
3655 | switch (saddr->sa_family) { |
---|
3656 | case AF_INET: |
---|
3657 | prefixlen = sizeof(struct in_addr) << 3; |
---|
3658 | break; |
---|
3659 | case AF_INET6: |
---|
3660 | prefixlen = sizeof(struct in6_addr) << 3; |
---|
3661 | break; |
---|
3662 | default: |
---|
3663 | ; /*XXX*/ |
---|
3664 | } |
---|
3665 | } |
---|
3666 | p->sadb_address_prefixlen = prefixlen; |
---|
3667 | p->sadb_address_reserved = 0; |
---|
3668 | |
---|
3669 | bcopy(saddr, |
---|
3670 | mtod(m, caddr_t) + PFKEY_ALIGN8(sizeof(struct sadb_address)), |
---|
3671 | saddr->sa_len); |
---|
3672 | |
---|
3673 | return m; |
---|
3674 | } |
---|
3675 | |
---|
3676 | /* |
---|
3677 | * set data into sadb_x_sa2. |
---|
3678 | */ |
---|
3679 | static struct mbuf * |
---|
3680 | key_setsadbxsa2(u_int8_t mode, u_int32_t seq, u_int32_t reqid) |
---|
3681 | { |
---|
3682 | struct mbuf *m; |
---|
3683 | struct sadb_x_sa2 *p; |
---|
3684 | size_t len; |
---|
3685 | |
---|
3686 | len = PFKEY_ALIGN8(sizeof(struct sadb_x_sa2)); |
---|
3687 | m = key_alloc_mbuf(len); |
---|
3688 | if (!m || m->m_next) { /*XXX*/ |
---|
3689 | if (m) |
---|
3690 | m_freem(m); |
---|
3691 | return NULL; |
---|
3692 | } |
---|
3693 | |
---|
3694 | p = mtod(m, struct sadb_x_sa2 *); |
---|
3695 | |
---|
3696 | bzero(p, len); |
---|
3697 | p->sadb_x_sa2_len = PFKEY_UNIT64(len); |
---|
3698 | p->sadb_x_sa2_exttype = SADB_X_EXT_SA2; |
---|
3699 | p->sadb_x_sa2_mode = mode; |
---|
3700 | p->sadb_x_sa2_reserved1 = 0; |
---|
3701 | p->sadb_x_sa2_reserved2 = 0; |
---|
3702 | p->sadb_x_sa2_sequence = seq; |
---|
3703 | p->sadb_x_sa2_reqid = reqid; |
---|
3704 | |
---|
3705 | return m; |
---|
3706 | } |
---|
3707 | |
---|
3708 | #ifdef IPSEC_NAT_T |
---|
3709 | /* |
---|
3710 | * Set a type in sadb_x_nat_t_type. |
---|
3711 | */ |
---|
3712 | static struct mbuf * |
---|
3713 | key_setsadbxtype(u_int16_t type) |
---|
3714 | { |
---|
3715 | struct mbuf *m; |
---|
3716 | size_t len; |
---|
3717 | struct sadb_x_nat_t_type *p; |
---|
3718 | |
---|
3719 | len = PFKEY_ALIGN8(sizeof(struct sadb_x_nat_t_type)); |
---|
3720 | |
---|
3721 | m = key_alloc_mbuf(len); |
---|
3722 | if (!m || m->m_next) { /*XXX*/ |
---|
3723 | if (m) |
---|
3724 | m_freem(m); |
---|
3725 | return (NULL); |
---|
3726 | } |
---|
3727 | |
---|
3728 | p = mtod(m, struct sadb_x_nat_t_type *); |
---|
3729 | |
---|
3730 | bzero(p, len); |
---|
3731 | p->sadb_x_nat_t_type_len = PFKEY_UNIT64(len); |
---|
3732 | p->sadb_x_nat_t_type_exttype = SADB_X_EXT_NAT_T_TYPE; |
---|
3733 | p->sadb_x_nat_t_type_type = type; |
---|
3734 | |
---|
3735 | return (m); |
---|
3736 | } |
---|
3737 | /* |
---|
3738 | * Set a port in sadb_x_nat_t_port. |
---|
3739 | * In contrast to default RFC 2367 behaviour, port is in network byte order. |
---|
3740 | */ |
---|
3741 | static struct mbuf * |
---|
3742 | key_setsadbxport(u_int16_t port, u_int16_t type) |
---|
3743 | { |
---|
3744 | struct mbuf *m; |
---|
3745 | size_t len; |
---|
3746 | struct sadb_x_nat_t_port *p; |
---|
3747 | |
---|
3748 | len = PFKEY_ALIGN8(sizeof(struct sadb_x_nat_t_port)); |
---|
3749 | |
---|
3750 | m = key_alloc_mbuf(len); |
---|
3751 | if (!m || m->m_next) { /*XXX*/ |
---|
3752 | if (m) |
---|
3753 | m_freem(m); |
---|
3754 | return (NULL); |
---|
3755 | } |
---|
3756 | |
---|
3757 | p = mtod(m, struct sadb_x_nat_t_port *); |
---|
3758 | |
---|
3759 | bzero(p, len); |
---|
3760 | p->sadb_x_nat_t_port_len = PFKEY_UNIT64(len); |
---|
3761 | p->sadb_x_nat_t_port_exttype = type; |
---|
3762 | p->sadb_x_nat_t_port_port = port; |
---|
3763 | |
---|
3764 | return (m); |
---|
3765 | } |
---|
3766 | |
---|
3767 | /* |
---|
3768 | * Get port from sockaddr. Port is in network byte order. |
---|
3769 | */ |
---|
3770 | u_int16_t |
---|
3771 | key_portfromsaddr(struct sockaddr *sa) |
---|
3772 | { |
---|
3773 | |
---|
3774 | switch (sa->sa_family) { |
---|
3775 | #ifdef INET |
---|
3776 | case AF_INET: |
---|
3777 | return ((struct sockaddr_in *)sa)->sin_port; |
---|
3778 | #endif |
---|
3779 | #ifdef INET6 |
---|
3780 | case AF_INET6: |
---|
3781 | return ((struct sockaddr_in6 *)sa)->sin6_port; |
---|
3782 | #endif |
---|
3783 | } |
---|
3784 | KEYDEBUG(KEYDEBUG_IPSEC_STAMP, |
---|
3785 | printf("DP %s unexpected address family %d\n", |
---|
3786 | __func__, sa->sa_family)); |
---|
3787 | return (0); |
---|
3788 | } |
---|
3789 | #endif /* IPSEC_NAT_T */ |
---|
3790 | |
---|
3791 | /* |
---|
3792 | * Set port in struct sockaddr. Port is in network byte order. |
---|
3793 | */ |
---|
3794 | static void |
---|
3795 | key_porttosaddr(struct sockaddr *sa, u_int16_t port) |
---|
3796 | { |
---|
3797 | |
---|
3798 | switch (sa->sa_family) { |
---|
3799 | #ifdef INET |
---|
3800 | case AF_INET: |
---|
3801 | ((struct sockaddr_in *)sa)->sin_port = port; |
---|
3802 | break; |
---|
3803 | #endif |
---|
3804 | #ifdef INET6 |
---|
3805 | case AF_INET6: |
---|
3806 | ((struct sockaddr_in6 *)sa)->sin6_port = port; |
---|
3807 | break; |
---|
3808 | #endif |
---|
3809 | default: |
---|
3810 | ipseclog((LOG_DEBUG, "%s: unexpected address family %d.\n", |
---|
3811 | __func__, sa->sa_family)); |
---|
3812 | break; |
---|
3813 | } |
---|
3814 | } |
---|
3815 | |
---|
3816 | /* |
---|
3817 | * set data into sadb_x_policy |
---|
3818 | */ |
---|
3819 | static struct mbuf * |
---|
3820 | key_setsadbxpolicy(u_int16_t type, u_int8_t dir, u_int32_t id) |
---|
3821 | { |
---|
3822 | struct mbuf *m; |
---|
3823 | struct sadb_x_policy *p; |
---|
3824 | size_t len; |
---|
3825 | |
---|
3826 | len = PFKEY_ALIGN8(sizeof(struct sadb_x_policy)); |
---|
3827 | m = key_alloc_mbuf(len); |
---|
3828 | if (!m || m->m_next) { /*XXX*/ |
---|
3829 | if (m) |
---|
3830 | m_freem(m); |
---|
3831 | return NULL; |
---|
3832 | } |
---|
3833 | |
---|
3834 | p = mtod(m, struct sadb_x_policy *); |
---|
3835 | |
---|
3836 | bzero(p, len); |
---|
3837 | p->sadb_x_policy_len = PFKEY_UNIT64(len); |
---|
3838 | p->sadb_x_policy_exttype = SADB_X_EXT_POLICY; |
---|
3839 | p->sadb_x_policy_type = type; |
---|
3840 | p->sadb_x_policy_dir = dir; |
---|
3841 | p->sadb_x_policy_id = id; |
---|
3842 | |
---|
3843 | return m; |
---|
3844 | } |
---|
3845 | |
---|
3846 | /* %%% utilities */ |
---|
3847 | /* Take a key message (sadb_key) from the socket and turn it into one |
---|
3848 | * of the kernel's key structures (seckey). |
---|
3849 | * |
---|
3850 | * IN: pointer to the src |
---|
3851 | * OUT: NULL no more memory |
---|
3852 | */ |
---|
3853 | struct seckey * |
---|
3854 | key_dup_keymsg(const struct sadb_key *src, u_int len, |
---|
3855 | struct malloc_type *type) |
---|
3856 | { |
---|
3857 | struct seckey *dst; |
---|
3858 | dst = (struct seckey *)malloc(sizeof(struct seckey), type, M_NOWAIT); |
---|
3859 | if (dst != NULL) { |
---|
3860 | dst->bits = src->sadb_key_bits; |
---|
3861 | dst->key_data = (char *)malloc(len, type, M_NOWAIT); |
---|
3862 | if (dst->key_data != NULL) { |
---|
3863 | bcopy((const char *)src + sizeof(struct sadb_key), |
---|
3864 | dst->key_data, len); |
---|
3865 | } else { |
---|
3866 | ipseclog((LOG_DEBUG, "%s: No more memory.\n", |
---|
3867 | __func__)); |
---|
3868 | free(dst, type); |
---|
3869 | dst = NULL; |
---|
3870 | } |
---|
3871 | } else { |
---|
3872 | ipseclog((LOG_DEBUG, "%s: No more memory.\n", |
---|
3873 | __func__)); |
---|
3874 | |
---|
3875 | } |
---|
3876 | return dst; |
---|
3877 | } |
---|
3878 | |
---|
3879 | /* Take a lifetime message (sadb_lifetime) passed in on a socket and |
---|
3880 | * turn it into one of the kernel's lifetime structures (seclifetime). |
---|
3881 | * |
---|
3882 | * IN: pointer to the destination, source and malloc type |
---|
3883 | * OUT: NULL, no more memory |
---|
3884 | */ |
---|
3885 | |
---|
3886 | static struct seclifetime * |
---|
3887 | key_dup_lifemsg(const struct sadb_lifetime *src, |
---|
3888 | struct malloc_type *type) |
---|
3889 | { |
---|
3890 | struct seclifetime *dst = NULL; |
---|
3891 | |
---|
3892 | dst = (struct seclifetime *)malloc(sizeof(struct seclifetime), |
---|
3893 | type, M_NOWAIT); |
---|
3894 | if (dst == NULL) { |
---|
3895 | /* XXX counter */ |
---|
3896 | ipseclog((LOG_DEBUG, "%s: No more memory.\n", __func__)); |
---|
3897 | } else { |
---|
3898 | dst->allocations = src->sadb_lifetime_allocations; |
---|
3899 | dst->bytes = src->sadb_lifetime_bytes; |
---|
3900 | dst->addtime = src->sadb_lifetime_addtime; |
---|
3901 | dst->usetime = src->sadb_lifetime_usetime; |
---|
3902 | } |
---|
3903 | return dst; |
---|
3904 | } |
---|
3905 | |
---|
3906 | /* compare my own address |
---|
3907 | * OUT: 1: true, i.e. my address. |
---|
3908 | * 0: false |
---|
3909 | */ |
---|
3910 | int |
---|
3911 | key_ismyaddr(sa) |
---|
3912 | struct sockaddr *sa; |
---|
3913 | { |
---|
3914 | #ifdef INET |
---|
3915 | struct sockaddr_in *sin; |
---|
3916 | struct in_ifaddr *ia; |
---|
3917 | #endif |
---|
3918 | |
---|
3919 | IPSEC_ASSERT(sa != NULL, ("null sockaddr")); |
---|
3920 | |
---|
3921 | switch (sa->sa_family) { |
---|
3922 | #ifdef INET |
---|
3923 | case AF_INET: |
---|
3924 | sin = (struct sockaddr_in *)sa; |
---|
3925 | IN_IFADDR_RLOCK(); |
---|
3926 | for (ia = V_in_ifaddrhead.tqh_first; ia; |
---|
3927 | ia = ia->ia_link.tqe_next) |
---|
3928 | { |
---|
3929 | if (sin->sin_family == ia->ia_addr.sin_family && |
---|
3930 | sin->sin_len == ia->ia_addr.sin_len && |
---|
3931 | sin->sin_addr.s_addr == ia->ia_addr.sin_addr.s_addr) |
---|
3932 | { |
---|
3933 | IN_IFADDR_RUNLOCK(); |
---|
3934 | return 1; |
---|
3935 | } |
---|
3936 | } |
---|
3937 | IN_IFADDR_RUNLOCK(); |
---|
3938 | break; |
---|
3939 | #endif |
---|
3940 | #ifdef INET6 |
---|
3941 | case AF_INET6: |
---|
3942 | return key_ismyaddr6((struct sockaddr_in6 *)sa); |
---|
3943 | #endif |
---|
3944 | } |
---|
3945 | |
---|
3946 | return 0; |
---|
3947 | } |
---|
3948 | |
---|
3949 | #ifdef INET6 |
---|
3950 | /* |
---|
3951 | * compare my own address for IPv6. |
---|
3952 | * 1: ours |
---|
3953 | * 0: other |
---|
3954 | * NOTE: derived ip6_input() in KAME. This is necessary to modify more. |
---|
3955 | */ |
---|
3956 | #include <netinet6/in6_var.h> |
---|
3957 | |
---|
3958 | static int |
---|
3959 | key_ismyaddr6(sin6) |
---|
3960 | struct sockaddr_in6 *sin6; |
---|
3961 | { |
---|
3962 | struct in6_ifaddr *ia; |
---|
3963 | #if 0 |
---|
3964 | struct in6_multi *in6m; |
---|
3965 | #endif |
---|
3966 | |
---|
3967 | IN6_IFADDR_RLOCK(); |
---|
3968 | TAILQ_FOREACH(ia, &V_in6_ifaddrhead, ia_link) { |
---|
3969 | if (key_sockaddrcmp((struct sockaddr *)&sin6, |
---|
3970 | (struct sockaddr *)&ia->ia_addr, 0) == 0) { |
---|
3971 | IN6_IFADDR_RUNLOCK(); |
---|
3972 | return 1; |
---|
3973 | } |
---|
3974 | |
---|
3975 | #if 0 |
---|
3976 | /* |
---|
3977 | * XXX Multicast |
---|
3978 | * XXX why do we care about multlicast here while we don't care |
---|
3979 | * about IPv4 multicast?? |
---|
3980 | * XXX scope |
---|
3981 | */ |
---|
3982 | in6m = NULL; |
---|
3983 | IN6_LOOKUP_MULTI(sin6->sin6_addr, ia->ia_ifp, in6m); |
---|
3984 | if (in6m) { |
---|
3985 | IN6_IFADDR_RUNLOCK(); |
---|
3986 | return 1; |
---|
3987 | } |
---|
3988 | #endif |
---|
3989 | } |
---|
3990 | IN6_IFADDR_RUNLOCK(); |
---|
3991 | |
---|
3992 | /* loopback, just for safety */ |
---|
3993 | if (IN6_IS_ADDR_LOOPBACK(&sin6->sin6_addr)) |
---|
3994 | return 1; |
---|
3995 | |
---|
3996 | return 0; |
---|
3997 | } |
---|
3998 | #endif /*INET6*/ |
---|
3999 | |
---|
4000 | /* |
---|
4001 | * compare two secasindex structure. |
---|
4002 | * flag can specify to compare 2 saidxes. |
---|
4003 | * compare two secasindex structure without both mode and reqid. |
---|
4004 | * don't compare port. |
---|
4005 | * IN: |
---|
4006 | * saidx0: source, it can be in SAD. |
---|
4007 | * saidx1: object. |
---|
4008 | * OUT: |
---|
4009 | * 1 : equal |
---|
4010 | * 0 : not equal |
---|
4011 | */ |
---|
4012 | static int |
---|
4013 | key_cmpsaidx( |
---|
4014 | const struct secasindex *saidx0, |
---|
4015 | const struct secasindex *saidx1, |
---|
4016 | int flag) |
---|
4017 | { |
---|
4018 | int chkport = 0; |
---|
4019 | |
---|
4020 | /* sanity */ |
---|
4021 | if (saidx0 == NULL && saidx1 == NULL) |
---|
4022 | return 1; |
---|
4023 | |
---|
4024 | if (saidx0 == NULL || saidx1 == NULL) |
---|
4025 | return 0; |
---|
4026 | |
---|
4027 | if (saidx0->proto != saidx1->proto) |
---|
4028 | return 0; |
---|
4029 | |
---|
4030 | if (flag == CMP_EXACTLY) { |
---|
4031 | if (saidx0->mode != saidx1->mode) |
---|
4032 | return 0; |
---|
4033 | if (saidx0->reqid != saidx1->reqid) |
---|
4034 | return 0; |
---|
4035 | if (bcmp(&saidx0->src, &saidx1->src, saidx0->src.sa.sa_len) != 0 || |
---|
4036 | bcmp(&saidx0->dst, &saidx1->dst, saidx0->dst.sa.sa_len) != 0) |
---|
4037 | return 0; |
---|
4038 | } else { |
---|
4039 | |
---|
4040 | /* CMP_MODE_REQID, CMP_REQID, CMP_HEAD */ |
---|
4041 | if (flag == CMP_MODE_REQID |
---|
4042 | ||flag == CMP_REQID) { |
---|
4043 | /* |
---|
4044 | * If reqid of SPD is non-zero, unique SA is required. |
---|
4045 | * The result must be of same reqid in this case. |
---|
4046 | */ |
---|
4047 | if (saidx1->reqid != 0 && saidx0->reqid != saidx1->reqid) |
---|
4048 | return 0; |
---|
4049 | } |
---|
4050 | |
---|
4051 | if (flag == CMP_MODE_REQID) { |
---|
4052 | if (saidx0->mode != IPSEC_MODE_ANY |
---|
4053 | && saidx0->mode != saidx1->mode) |
---|
4054 | return 0; |
---|
4055 | } |
---|
4056 | |
---|
4057 | #ifdef IPSEC_NAT_T |
---|
4058 | /* |
---|
4059 | * If NAT-T is enabled, check ports for tunnel mode. |
---|
4060 | * Do not check ports if they are set to zero in the SPD. |
---|
4061 | * Also do not do it for transport mode, as there is no |
---|
4062 | * port information available in the SP. |
---|
4063 | */ |
---|
4064 | if (saidx1->mode == IPSEC_MODE_TUNNEL && |
---|
4065 | saidx1->src.sa.sa_family == AF_INET && |
---|
4066 | saidx1->dst.sa.sa_family == AF_INET && |
---|
4067 | ((const struct sockaddr_in *)(&saidx1->src))->sin_port && |
---|
4068 | ((const struct sockaddr_in *)(&saidx1->dst))->sin_port) |
---|
4069 | chkport = 1; |
---|
4070 | #endif /* IPSEC_NAT_T */ |
---|
4071 | |
---|
4072 | if (key_sockaddrcmp(&saidx0->src.sa, &saidx1->src.sa, chkport) != 0) { |
---|
4073 | return 0; |
---|
4074 | } |
---|
4075 | if (key_sockaddrcmp(&saidx0->dst.sa, &saidx1->dst.sa, chkport) != 0) { |
---|
4076 | return 0; |
---|
4077 | } |
---|
4078 | } |
---|
4079 | |
---|
4080 | return 1; |
---|
4081 | } |
---|
4082 | |
---|
4083 | /* |
---|
4084 | * compare two secindex structure exactly. |
---|
4085 | * IN: |
---|
4086 | * spidx0: source, it is often in SPD. |
---|
4087 | * spidx1: object, it is often from PFKEY message. |
---|
4088 | * OUT: |
---|
4089 | * 1 : equal |
---|
4090 | * 0 : not equal |
---|
4091 | */ |
---|
4092 | static int |
---|
4093 | key_cmpspidx_exactly( |
---|
4094 | struct secpolicyindex *spidx0, |
---|
4095 | struct secpolicyindex *spidx1) |
---|
4096 | { |
---|
4097 | /* sanity */ |
---|
4098 | if (spidx0 == NULL && spidx1 == NULL) |
---|
4099 | return 1; |
---|
4100 | |
---|
4101 | if (spidx0 == NULL || spidx1 == NULL) |
---|
4102 | return 0; |
---|
4103 | |
---|
4104 | if (spidx0->prefs != spidx1->prefs |
---|
4105 | || spidx0->prefd != spidx1->prefd |
---|
4106 | || spidx0->ul_proto != spidx1->ul_proto) |
---|
4107 | return 0; |
---|
4108 | |
---|
4109 | return key_sockaddrcmp(&spidx0->src.sa, &spidx1->src.sa, 1) == 0 && |
---|
4110 | key_sockaddrcmp(&spidx0->dst.sa, &spidx1->dst.sa, 1) == 0; |
---|
4111 | } |
---|
4112 | |
---|
4113 | /* |
---|
4114 | * compare two secindex structure with mask. |
---|
4115 | * IN: |
---|
4116 | * spidx0: source, it is often in SPD. |
---|
4117 | * spidx1: object, it is often from IP header. |
---|
4118 | * OUT: |
---|
4119 | * 1 : equal |
---|
4120 | * 0 : not equal |
---|
4121 | */ |
---|
4122 | static int |
---|
4123 | key_cmpspidx_withmask( |
---|
4124 | struct secpolicyindex *spidx0, |
---|
4125 | struct secpolicyindex *spidx1) |
---|
4126 | { |
---|
4127 | /* sanity */ |
---|
4128 | if (spidx0 == NULL && spidx1 == NULL) |
---|
4129 | return 1; |
---|
4130 | |
---|
4131 | if (spidx0 == NULL || spidx1 == NULL) |
---|
4132 | return 0; |
---|
4133 | |
---|
4134 | if (spidx0->src.sa.sa_family != spidx1->src.sa.sa_family || |
---|
4135 | spidx0->dst.sa.sa_family != spidx1->dst.sa.sa_family || |
---|
4136 | spidx0->src.sa.sa_len != spidx1->src.sa.sa_len || |
---|
4137 | spidx0->dst.sa.sa_len != spidx1->dst.sa.sa_len) |
---|
4138 | return 0; |
---|
4139 | |
---|
4140 | /* if spidx.ul_proto == IPSEC_ULPROTO_ANY, ignore. */ |
---|
4141 | if (spidx0->ul_proto != (u_int16_t)IPSEC_ULPROTO_ANY |
---|
4142 | && spidx0->ul_proto != spidx1->ul_proto) |
---|
4143 | return 0; |
---|
4144 | |
---|
4145 | switch (spidx0->src.sa.sa_family) { |
---|
4146 | case AF_INET: |
---|
4147 | if (spidx0->src.sin.sin_port != IPSEC_PORT_ANY |
---|
4148 | && spidx0->src.sin.sin_port != spidx1->src.sin.sin_port) |
---|
4149 | return 0; |
---|
4150 | if (!key_bbcmp(&spidx0->src.sin.sin_addr, |
---|
4151 | &spidx1->src.sin.sin_addr, spidx0->prefs)) |
---|
4152 | return 0; |
---|
4153 | break; |
---|
4154 | case AF_INET6: |
---|
4155 | if (spidx0->src.sin6.sin6_port != IPSEC_PORT_ANY |
---|
4156 | && spidx0->src.sin6.sin6_port != spidx1->src.sin6.sin6_port) |
---|
4157 | return 0; |
---|
4158 | /* |
---|
4159 | * scope_id check. if sin6_scope_id is 0, we regard it |
---|
4160 | * as a wildcard scope, which matches any scope zone ID. |
---|
4161 | */ |
---|
4162 | if (spidx0->src.sin6.sin6_scope_id && |
---|
4163 | spidx1->src.sin6.sin6_scope_id && |
---|
4164 | spidx0->src.sin6.sin6_scope_id != spidx1->src.sin6.sin6_scope_id) |
---|
4165 | return 0; |
---|
4166 | if (!key_bbcmp(&spidx0->src.sin6.sin6_addr, |
---|
4167 | &spidx1->src.sin6.sin6_addr, spidx0->prefs)) |
---|
4168 | return 0; |
---|
4169 | break; |
---|
4170 | default: |
---|
4171 | /* XXX */ |
---|
4172 | if (bcmp(&spidx0->src, &spidx1->src, spidx0->src.sa.sa_len) != 0) |
---|
4173 | return 0; |
---|
4174 | break; |
---|
4175 | } |
---|
4176 | |
---|
4177 | switch (spidx0->dst.sa.sa_family) { |
---|
4178 | case AF_INET: |
---|
4179 | if (spidx0->dst.sin.sin_port != IPSEC_PORT_ANY |
---|
4180 | && spidx0->dst.sin.sin_port != spidx1->dst.sin.sin_port) |
---|
4181 | return 0; |
---|
4182 | if (!key_bbcmp(&spidx0->dst.sin.sin_addr, |
---|
4183 | &spidx1->dst.sin.sin_addr, spidx0->prefd)) |
---|
4184 | return 0; |
---|
4185 | break; |
---|
4186 | case AF_INET6: |
---|
4187 | if (spidx0->dst.sin6.sin6_port != IPSEC_PORT_ANY |
---|
4188 | && spidx0->dst.sin6.sin6_port != spidx1->dst.sin6.sin6_port) |
---|
4189 | return 0; |
---|
4190 | /* |
---|
4191 | * scope_id check. if sin6_scope_id is 0, we regard it |
---|
4192 | * as a wildcard scope, which matches any scope zone ID. |
---|
4193 | */ |
---|
4194 | if (spidx0->dst.sin6.sin6_scope_id && |
---|
4195 | spidx1->dst.sin6.sin6_scope_id && |
---|
4196 | spidx0->dst.sin6.sin6_scope_id != spidx1->dst.sin6.sin6_scope_id) |
---|
4197 | return 0; |
---|
4198 | if (!key_bbcmp(&spidx0->dst.sin6.sin6_addr, |
---|
4199 | &spidx1->dst.sin6.sin6_addr, spidx0->prefd)) |
---|
4200 | return 0; |
---|
4201 | break; |
---|
4202 | default: |
---|
4203 | /* XXX */ |
---|
4204 | if (bcmp(&spidx0->dst, &spidx1->dst, spidx0->dst.sa.sa_len) != 0) |
---|
4205 | return 0; |
---|
4206 | break; |
---|
4207 | } |
---|
4208 | |
---|
4209 | /* XXX Do we check other field ? e.g. flowinfo */ |
---|
4210 | |
---|
4211 | return 1; |
---|
4212 | } |
---|
4213 | |
---|
4214 | /* returns 0 on match */ |
---|
4215 | static int |
---|
4216 | key_sockaddrcmp( |
---|
4217 | const struct sockaddr *sa1, |
---|
4218 | const struct sockaddr *sa2, |
---|
4219 | int port) |
---|
4220 | { |
---|
4221 | #ifdef satosin |
---|
4222 | #undef satosin |
---|
4223 | #endif |
---|
4224 | #define satosin(s) ((const struct sockaddr_in *)s) |
---|
4225 | #ifdef satosin6 |
---|
4226 | #undef satosin6 |
---|
4227 | #endif |
---|
4228 | #define satosin6(s) ((const struct sockaddr_in6 *)s) |
---|
4229 | if (sa1->sa_family != sa2->sa_family || sa1->sa_len != sa2->sa_len) |
---|
4230 | return 1; |
---|
4231 | |
---|
4232 | switch (sa1->sa_family) { |
---|
4233 | case AF_INET: |
---|
4234 | if (sa1->sa_len != sizeof(struct sockaddr_in)) |
---|
4235 | return 1; |
---|
4236 | if (satosin(sa1)->sin_addr.s_addr != |
---|
4237 | satosin(sa2)->sin_addr.s_addr) { |
---|
4238 | return 1; |
---|
4239 | } |
---|
4240 | if (port && satosin(sa1)->sin_port != satosin(sa2)->sin_port) |
---|
4241 | return 1; |
---|
4242 | break; |
---|
4243 | case AF_INET6: |
---|
4244 | if (sa1->sa_len != sizeof(struct sockaddr_in6)) |
---|
4245 | return 1; /*EINVAL*/ |
---|
4246 | if (satosin6(sa1)->sin6_scope_id != |
---|
4247 | satosin6(sa2)->sin6_scope_id) { |
---|
4248 | return 1; |
---|
4249 | } |
---|
4250 | if (!IN6_ARE_ADDR_EQUAL(&satosin6(sa1)->sin6_addr, |
---|
4251 | &satosin6(sa2)->sin6_addr)) { |
---|
4252 | return 1; |
---|
4253 | } |
---|
4254 | if (port && |
---|
4255 | satosin6(sa1)->sin6_port != satosin6(sa2)->sin6_port) { |
---|
4256 | return 1; |
---|
4257 | } |
---|
4258 | break; |
---|
4259 | default: |
---|
4260 | if (bcmp(sa1, sa2, sa1->sa_len) != 0) |
---|
4261 | return 1; |
---|
4262 | break; |
---|
4263 | } |
---|
4264 | |
---|
4265 | return 0; |
---|
4266 | #undef satosin |
---|
4267 | #undef satosin6 |
---|
4268 | } |
---|
4269 | |
---|
4270 | /* |
---|
4271 | * compare two buffers with mask. |
---|
4272 | * IN: |
---|
4273 | * addr1: source |
---|
4274 | * addr2: object |
---|
4275 | * bits: Number of bits to compare |
---|
4276 | * OUT: |
---|
4277 | * 1 : equal |
---|
4278 | * 0 : not equal |
---|
4279 | */ |
---|
4280 | static int |
---|
4281 | key_bbcmp(const void *a1, const void *a2, u_int bits) |
---|
4282 | { |
---|
4283 | const unsigned char *p1 = a1; |
---|
4284 | const unsigned char *p2 = a2; |
---|
4285 | |
---|
4286 | /* XXX: This could be considerably faster if we compare a word |
---|
4287 | * at a time, but it is complicated on LSB Endian machines */ |
---|
4288 | |
---|
4289 | /* Handle null pointers */ |
---|
4290 | if (p1 == NULL || p2 == NULL) |
---|
4291 | return (p1 == p2); |
---|
4292 | |
---|
4293 | while (bits >= 8) { |
---|
4294 | if (*p1++ != *p2++) |
---|
4295 | return 0; |
---|
4296 | bits -= 8; |
---|
4297 | } |
---|
4298 | |
---|
4299 | if (bits > 0) { |
---|
4300 | u_int8_t mask = ~((1<<(8-bits))-1); |
---|
4301 | if ((*p1 & mask) != (*p2 & mask)) |
---|
4302 | return 0; |
---|
4303 | } |
---|
4304 | return 1; /* Match! */ |
---|
4305 | } |
---|
4306 | |
---|
4307 | static void |
---|
4308 | key_flush_spd(time_t now) |
---|
4309 | { |
---|
4310 | static u_int16_t sptree_scangen = 0; |
---|
4311 | u_int16_t gen = sptree_scangen++; |
---|
4312 | struct secpolicy *sp; |
---|
4313 | u_int dir; |
---|
4314 | |
---|
4315 | /* SPD */ |
---|
4316 | for (dir = 0; dir < IPSEC_DIR_MAX; dir++) { |
---|
4317 | restart: |
---|
4318 | SPTREE_LOCK(); |
---|
4319 | LIST_FOREACH(sp, &V_sptree[dir], chain) { |
---|
4320 | if (sp->scangen == gen) /* previously handled */ |
---|
4321 | continue; |
---|
4322 | sp->scangen = gen; |
---|
4323 | if (sp->state == IPSEC_SPSTATE_DEAD && |
---|
4324 | sp->refcnt == 1) { |
---|
4325 | /* |
---|
4326 | * Ensure that we only decrease refcnt once, |
---|
4327 | * when we're the last consumer. |
---|
4328 | * Directly call SP_DELREF/key_delsp instead |
---|
4329 | * of KEY_FREESP to avoid unlocking/relocking |
---|
4330 | * SPTREE_LOCK before key_delsp: may refcnt |
---|
4331 | * be increased again during that time ? |
---|
4332 | * NB: also clean entries created by |
---|
4333 | * key_spdflush |
---|
4334 | */ |
---|
4335 | SP_DELREF(sp); |
---|
4336 | key_delsp(sp); |
---|
4337 | SPTREE_UNLOCK(); |
---|
4338 | goto restart; |
---|
4339 | } |
---|
4340 | if (sp->lifetime == 0 && sp->validtime == 0) |
---|
4341 | continue; |
---|
4342 | if ((sp->lifetime && now - sp->created > sp->lifetime) |
---|
4343 | || (sp->validtime && now - sp->lastused > sp->validtime)) { |
---|
4344 | sp->state = IPSEC_SPSTATE_DEAD; |
---|
4345 | SPTREE_UNLOCK(); |
---|
4346 | key_spdexpire(sp); |
---|
4347 | goto restart; |
---|
4348 | } |
---|
4349 | } |
---|
4350 | SPTREE_UNLOCK(); |
---|
4351 | } |
---|
4352 | } |
---|
4353 | |
---|
4354 | static void |
---|
4355 | key_flush_sad(time_t now) |
---|
4356 | { |
---|
4357 | struct secashead *sah, *nextsah; |
---|
4358 | struct secasvar *sav, *nextsav; |
---|
4359 | |
---|
4360 | /* SAD */ |
---|
4361 | SAHTREE_LOCK(); |
---|
4362 | LIST_FOREACH_SAFE(sah, &V_sahtree, chain, nextsah) { |
---|
4363 | /* if sah has been dead, then delete it and process next sah. */ |
---|
4364 | if (sah->state == SADB_SASTATE_DEAD) { |
---|
4365 | key_delsah(sah); |
---|
4366 | continue; |
---|
4367 | } |
---|
4368 | |
---|
4369 | /* if LARVAL entry doesn't become MATURE, delete it. */ |
---|
4370 | LIST_FOREACH_SAFE(sav, &sah->savtree[SADB_SASTATE_LARVAL], chain, nextsav) { |
---|
4371 | /* Need to also check refcnt for a larval SA ??? */ |
---|
4372 | if (now - sav->created > V_key_larval_lifetime) |
---|
4373 | KEY_FREESAV(&sav); |
---|
4374 | } |
---|
4375 | |
---|
4376 | /* |
---|
4377 | * check MATURE entry to start to send expire message |
---|
4378 | * whether or not. |
---|
4379 | */ |
---|
4380 | LIST_FOREACH_SAFE(sav, &sah->savtree[SADB_SASTATE_MATURE], chain, nextsav) { |
---|
4381 | /* we don't need to check. */ |
---|
4382 | if (sav->lft_s == NULL) |
---|
4383 | continue; |
---|
4384 | |
---|
4385 | /* sanity check */ |
---|
4386 | if (sav->lft_c == NULL) { |
---|
4387 | ipseclog((LOG_DEBUG,"%s: there is no CURRENT " |
---|
4388 | "time, why?\n", __func__)); |
---|
4389 | continue; |
---|
4390 | } |
---|
4391 | |
---|
4392 | /* check SOFT lifetime */ |
---|
4393 | if (sav->lft_s->addtime != 0 && |
---|
4394 | now - sav->created > sav->lft_s->addtime) { |
---|
4395 | key_sa_chgstate(sav, SADB_SASTATE_DYING); |
---|
4396 | /* |
---|
4397 | * Actually, only send expire message if |
---|
4398 | * SA has been used, as it was done before, |
---|
4399 | * but should we always send such message, |
---|
4400 | * and let IKE daemon decide if it should be |
---|
4401 | * renegotiated or not ? |
---|
4402 | * XXX expire message will actually NOT be |
---|
4403 | * sent if SA is only used after soft |
---|
4404 | * lifetime has been reached, see below |
---|
4405 | * (DYING state) |
---|
4406 | */ |
---|
4407 | if (sav->lft_c->usetime != 0) |
---|
4408 | key_expire(sav); |
---|
4409 | } |
---|
4410 | /* check SOFT lifetime by bytes */ |
---|
4411 | /* |
---|
4412 | * XXX I don't know the way to delete this SA |
---|
4413 | * when new SA is installed. Caution when it's |
---|
4414 | * installed too big lifetime by time. |
---|
4415 | */ |
---|
4416 | else if (sav->lft_s->bytes != 0 && |
---|
4417 | sav->lft_s->bytes < sav->lft_c->bytes) { |
---|
4418 | |
---|
4419 | key_sa_chgstate(sav, SADB_SASTATE_DYING); |
---|
4420 | /* |
---|
4421 | * XXX If we keep to send expire |
---|
4422 | * message in the status of |
---|
4423 | * DYING. Do remove below code. |
---|
4424 | */ |
---|
4425 | key_expire(sav); |
---|
4426 | } |
---|
4427 | } |
---|
4428 | |
---|
4429 | /* check DYING entry to change status to DEAD. */ |
---|
4430 | LIST_FOREACH_SAFE(sav, &sah->savtree[SADB_SASTATE_DYING], chain, nextsav) { |
---|
4431 | /* we don't need to check. */ |
---|
4432 | if (sav->lft_h == NULL) |
---|
4433 | continue; |
---|
4434 | |
---|
4435 | /* sanity check */ |
---|
4436 | if (sav->lft_c == NULL) { |
---|
4437 | ipseclog((LOG_DEBUG, "%s: there is no CURRENT " |
---|
4438 | "time, why?\n", __func__)); |
---|
4439 | continue; |
---|
4440 | } |
---|
4441 | |
---|
4442 | if (sav->lft_h->addtime != 0 && |
---|
4443 | now - sav->created > sav->lft_h->addtime) { |
---|
4444 | key_sa_chgstate(sav, SADB_SASTATE_DEAD); |
---|
4445 | KEY_FREESAV(&sav); |
---|
4446 | } |
---|
4447 | #if 0 /* XXX Should we keep to send expire message until HARD lifetime ? */ |
---|
4448 | else if (sav->lft_s != NULL |
---|
4449 | && sav->lft_s->addtime != 0 |
---|
4450 | && now - sav->created > sav->lft_s->addtime) { |
---|
4451 | /* |
---|
4452 | * XXX: should be checked to be |
---|
4453 | * installed the valid SA. |
---|
4454 | */ |
---|
4455 | |
---|
4456 | /* |
---|
4457 | * If there is no SA then sending |
---|
4458 | * expire message. |
---|
4459 | */ |
---|
4460 | key_expire(sav); |
---|
4461 | } |
---|
4462 | #endif |
---|
4463 | /* check HARD lifetime by bytes */ |
---|
4464 | else if (sav->lft_h->bytes != 0 && |
---|
4465 | sav->lft_h->bytes < sav->lft_c->bytes) { |
---|
4466 | key_sa_chgstate(sav, SADB_SASTATE_DEAD); |
---|
4467 | KEY_FREESAV(&sav); |
---|
4468 | } |
---|
4469 | } |
---|
4470 | |
---|
4471 | /* delete entry in DEAD */ |
---|
4472 | LIST_FOREACH_SAFE(sav, &sah->savtree[SADB_SASTATE_DEAD], chain, nextsav) { |
---|
4473 | /* sanity check */ |
---|
4474 | if (sav->state != SADB_SASTATE_DEAD) { |
---|
4475 | ipseclog((LOG_DEBUG, "%s: invalid sav->state " |
---|
4476 | "(queue: %d SA: %d): kill it anyway\n", |
---|
4477 | __func__, |
---|
4478 | SADB_SASTATE_DEAD, sav->state)); |
---|
4479 | } |
---|
4480 | /* |
---|
4481 | * do not call key_freesav() here. |
---|
4482 | * sav should already be freed, and sav->refcnt |
---|
4483 | * shows other references to sav |
---|
4484 | * (such as from SPD). |
---|
4485 | */ |
---|
4486 | } |
---|
4487 | } |
---|
4488 | SAHTREE_UNLOCK(); |
---|
4489 | } |
---|
4490 | |
---|
4491 | static void |
---|
4492 | key_flush_acq(time_t now) |
---|
4493 | { |
---|
4494 | struct secacq *acq, *nextacq; |
---|
4495 | |
---|
4496 | /* ACQ tree */ |
---|
4497 | ACQ_LOCK(); |
---|
4498 | for (acq = LIST_FIRST(&V_acqtree); acq != NULL; acq = nextacq) { |
---|
4499 | nextacq = LIST_NEXT(acq, chain); |
---|
4500 | if (now - acq->created > V_key_blockacq_lifetime |
---|
4501 | && __LIST_CHAINED(acq)) { |
---|
4502 | LIST_REMOVE(acq, chain); |
---|
4503 | free(acq, M_IPSEC_SAQ); |
---|
4504 | } |
---|
4505 | } |
---|
4506 | ACQ_UNLOCK(); |
---|
4507 | } |
---|
4508 | |
---|
4509 | static void |
---|
4510 | key_flush_spacq(time_t now) |
---|
4511 | { |
---|
4512 | struct secspacq *acq, *nextacq; |
---|
4513 | |
---|
4514 | /* SP ACQ tree */ |
---|
4515 | SPACQ_LOCK(); |
---|
4516 | for (acq = LIST_FIRST(&V_spacqtree); acq != NULL; acq = nextacq) { |
---|
4517 | nextacq = LIST_NEXT(acq, chain); |
---|
4518 | if (now - acq->created > V_key_blockacq_lifetime |
---|
4519 | && __LIST_CHAINED(acq)) { |
---|
4520 | LIST_REMOVE(acq, chain); |
---|
4521 | free(acq, M_IPSEC_SAQ); |
---|
4522 | } |
---|
4523 | } |
---|
4524 | SPACQ_UNLOCK(); |
---|
4525 | } |
---|
4526 | |
---|
4527 | /* |
---|
4528 | * time handler. |
---|
4529 | * scanning SPD and SAD to check status for each entries, |
---|
4530 | * and do to remove or to expire. |
---|
4531 | * XXX: year 2038 problem may remain. |
---|
4532 | */ |
---|
4533 | void |
---|
4534 | key_timehandler(void) |
---|
4535 | { |
---|
4536 | VNET_ITERATOR_DECL(vnet_iter); |
---|
4537 | time_t now = time_second; |
---|
4538 | |
---|
4539 | VNET_LIST_RLOCK_NOSLEEP(); |
---|
4540 | VNET_FOREACH(vnet_iter) { |
---|
4541 | CURVNET_SET(vnet_iter); |
---|
4542 | key_flush_spd(now); |
---|
4543 | key_flush_sad(now); |
---|
4544 | key_flush_acq(now); |
---|
4545 | key_flush_spacq(now); |
---|
4546 | CURVNET_RESTORE(); |
---|
4547 | } |
---|
4548 | VNET_LIST_RUNLOCK_NOSLEEP(); |
---|
4549 | |
---|
4550 | #ifndef IPSEC_DEBUG2 |
---|
4551 | /* do exchange to tick time !! */ |
---|
4552 | (void)timeout((void *)key_timehandler, (void *)0, hz); |
---|
4553 | #endif /* IPSEC_DEBUG2 */ |
---|
4554 | } |
---|
4555 | |
---|
4556 | u_long |
---|
4557 | key_random() |
---|
4558 | { |
---|
4559 | u_long value; |
---|
4560 | |
---|
4561 | key_randomfill(&value, sizeof(value)); |
---|
4562 | return value; |
---|
4563 | } |
---|
4564 | |
---|
4565 | void |
---|
4566 | key_randomfill(p, l) |
---|
4567 | void *p; |
---|
4568 | size_t l; |
---|
4569 | { |
---|
4570 | size_t n; |
---|
4571 | u_long v; |
---|
4572 | static int warn = 1; |
---|
4573 | |
---|
4574 | n = 0; |
---|
4575 | n = (size_t)read_random(p, (u_int)l); |
---|
4576 | /* last resort */ |
---|
4577 | while (n < l) { |
---|
4578 | v = random(); |
---|
4579 | bcopy(&v, (u_int8_t *)p + n, |
---|
4580 | l - n < sizeof(v) ? l - n : sizeof(v)); |
---|
4581 | n += sizeof(v); |
---|
4582 | |
---|
4583 | if (warn) { |
---|
4584 | printf("WARNING: pseudo-random number generator " |
---|
4585 | "used for IPsec processing\n"); |
---|
4586 | warn = 0; |
---|
4587 | } |
---|
4588 | } |
---|
4589 | } |
---|
4590 | |
---|
4591 | /* |
---|
4592 | * map SADB_SATYPE_* to IPPROTO_*. |
---|
4593 | * if satype == SADB_SATYPE then satype is mapped to ~0. |
---|
4594 | * OUT: |
---|
4595 | * 0: invalid satype. |
---|
4596 | */ |
---|
4597 | static u_int16_t |
---|
4598 | key_satype2proto(u_int8_t satype) |
---|
4599 | { |
---|
4600 | switch (satype) { |
---|
4601 | case SADB_SATYPE_UNSPEC: |
---|
4602 | return IPSEC_PROTO_ANY; |
---|
4603 | case SADB_SATYPE_AH: |
---|
4604 | return IPPROTO_AH; |
---|
4605 | case SADB_SATYPE_ESP: |
---|
4606 | return IPPROTO_ESP; |
---|
4607 | case SADB_X_SATYPE_IPCOMP: |
---|
4608 | return IPPROTO_IPCOMP; |
---|
4609 | case SADB_X_SATYPE_TCPSIGNATURE: |
---|
4610 | return IPPROTO_TCP; |
---|
4611 | default: |
---|
4612 | return 0; |
---|
4613 | } |
---|
4614 | /* NOTREACHED */ |
---|
4615 | } |
---|
4616 | |
---|
4617 | /* |
---|
4618 | * map IPPROTO_* to SADB_SATYPE_* |
---|
4619 | * OUT: |
---|
4620 | * 0: invalid protocol type. |
---|
4621 | */ |
---|
4622 | static u_int8_t |
---|
4623 | key_proto2satype(u_int16_t proto) |
---|
4624 | { |
---|
4625 | switch (proto) { |
---|
4626 | case IPPROTO_AH: |
---|
4627 | return SADB_SATYPE_AH; |
---|
4628 | case IPPROTO_ESP: |
---|
4629 | return SADB_SATYPE_ESP; |
---|
4630 | case IPPROTO_IPCOMP: |
---|
4631 | return SADB_X_SATYPE_IPCOMP; |
---|
4632 | case IPPROTO_TCP: |
---|
4633 | return SADB_X_SATYPE_TCPSIGNATURE; |
---|
4634 | default: |
---|
4635 | return 0; |
---|
4636 | } |
---|
4637 | /* NOTREACHED */ |
---|
4638 | } |
---|
4639 | |
---|
4640 | /* %%% PF_KEY */ |
---|
4641 | /* |
---|
4642 | * SADB_GETSPI processing is to receive |
---|
4643 | * <base, (SA2), src address, dst address, (SPI range)> |
---|
4644 | * from the IKMPd, to assign a unique spi value, to hang on the INBOUND |
---|
4645 | * tree with the status of LARVAL, and send |
---|
4646 | * <base, SA(*), address(SD)> |
---|
4647 | * to the IKMPd. |
---|
4648 | * |
---|
4649 | * IN: mhp: pointer to the pointer to each header. |
---|
4650 | * OUT: NULL if fail. |
---|
4651 | * other if success, return pointer to the message to send. |
---|
4652 | */ |
---|
4653 | static int |
---|
4654 | key_getspi(so, m, mhp) |
---|
4655 | struct socket *so; |
---|
4656 | struct mbuf *m; |
---|
4657 | const struct sadb_msghdr *mhp; |
---|
4658 | { |
---|
4659 | struct sadb_address *src0, *dst0; |
---|
4660 | struct secasindex saidx; |
---|
4661 | struct secashead *newsah; |
---|
4662 | struct secasvar *newsav; |
---|
4663 | u_int8_t proto; |
---|
4664 | u_int32_t spi; |
---|
4665 | u_int8_t mode; |
---|
4666 | u_int32_t reqid; |
---|
4667 | int error; |
---|
4668 | |
---|
4669 | IPSEC_ASSERT(so != NULL, ("null socket")); |
---|
4670 | IPSEC_ASSERT(m != NULL, ("null mbuf")); |
---|
4671 | IPSEC_ASSERT(mhp != NULL, ("null msghdr")); |
---|
4672 | IPSEC_ASSERT(mhp->msg != NULL, ("null msg")); |
---|
4673 | |
---|
4674 | if (mhp->ext[SADB_EXT_ADDRESS_SRC] == NULL || |
---|
4675 | mhp->ext[SADB_EXT_ADDRESS_DST] == NULL) { |
---|
4676 | ipseclog((LOG_DEBUG, "%s: invalid message is passed.\n", |
---|
4677 | __func__)); |
---|
4678 | return key_senderror(so, m, EINVAL); |
---|
4679 | } |
---|
4680 | if (mhp->extlen[SADB_EXT_ADDRESS_SRC] < sizeof(struct sadb_address) || |
---|
4681 | mhp->extlen[SADB_EXT_ADDRESS_DST] < sizeof(struct sadb_address)) { |
---|
4682 | ipseclog((LOG_DEBUG, "%s: invalid message is passed.\n", |
---|
4683 | __func__)); |
---|
4684 | return key_senderror(so, m, EINVAL); |
---|
4685 | } |
---|
4686 | if (mhp->ext[SADB_X_EXT_SA2] != NULL) { |
---|
4687 | mode = ((struct sadb_x_sa2 *)mhp->ext[SADB_X_EXT_SA2])->sadb_x_sa2_mode; |
---|
4688 | reqid = ((struct sadb_x_sa2 *)mhp->ext[SADB_X_EXT_SA2])->sadb_x_sa2_reqid; |
---|
4689 | } else { |
---|
4690 | mode = IPSEC_MODE_ANY; |
---|
4691 | reqid = 0; |
---|
4692 | } |
---|
4693 | |
---|
4694 | src0 = (struct sadb_address *)(mhp->ext[SADB_EXT_ADDRESS_SRC]); |
---|
4695 | dst0 = (struct sadb_address *)(mhp->ext[SADB_EXT_ADDRESS_DST]); |
---|
4696 | |
---|
4697 | /* map satype to proto */ |
---|
4698 | if ((proto = key_satype2proto(mhp->msg->sadb_msg_satype)) == 0) { |
---|
4699 | ipseclog((LOG_DEBUG, "%s: invalid satype is passed.\n", |
---|
4700 | __func__)); |
---|
4701 | return key_senderror(so, m, EINVAL); |
---|
4702 | } |
---|
4703 | |
---|
4704 | /* |
---|
4705 | * Make sure the port numbers are zero. |
---|
4706 | * In case of NAT-T we will update them later if needed. |
---|
4707 | */ |
---|
4708 | switch (((struct sockaddr *)(src0 + 1))->sa_family) { |
---|
4709 | case AF_INET: |
---|
4710 | if (((struct sockaddr *)(src0 + 1))->sa_len != |
---|
4711 | sizeof(struct sockaddr_in)) |
---|
4712 | return key_senderror(so, m, EINVAL); |
---|
4713 | ((struct sockaddr_in *)(src0 + 1))->sin_port = 0; |
---|
4714 | break; |
---|
4715 | case AF_INET6: |
---|
4716 | if (((struct sockaddr *)(src0 + 1))->sa_len != |
---|
4717 | sizeof(struct sockaddr_in6)) |
---|
4718 | return key_senderror(so, m, EINVAL); |
---|
4719 | ((struct sockaddr_in6 *)(src0 + 1))->sin6_port = 0; |
---|
4720 | break; |
---|
4721 | default: |
---|
4722 | ; /*???*/ |
---|
4723 | } |
---|
4724 | switch (((struct sockaddr *)(dst0 + 1))->sa_family) { |
---|
4725 | case AF_INET: |
---|
4726 | if (((struct sockaddr *)(dst0 + 1))->sa_len != |
---|
4727 | sizeof(struct sockaddr_in)) |
---|
4728 | return key_senderror(so, m, EINVAL); |
---|
4729 | ((struct sockaddr_in *)(dst0 + 1))->sin_port = 0; |
---|
4730 | break; |
---|
4731 | case AF_INET6: |
---|
4732 | if (((struct sockaddr *)(dst0 + 1))->sa_len != |
---|
4733 | sizeof(struct sockaddr_in6)) |
---|
4734 | return key_senderror(so, m, EINVAL); |
---|
4735 | ((struct sockaddr_in6 *)(dst0 + 1))->sin6_port = 0; |
---|
4736 | break; |
---|
4737 | default: |
---|
4738 | ; /*???*/ |
---|
4739 | } |
---|
4740 | |
---|
4741 | /* XXX boundary check against sa_len */ |
---|
4742 | KEY_SETSECASIDX(proto, mode, reqid, src0 + 1, dst0 + 1, &saidx); |
---|
4743 | |
---|
4744 | #ifdef IPSEC_NAT_T |
---|
4745 | /* |
---|
4746 | * Handle NAT-T info if present. |
---|
4747 | * We made sure the port numbers are zero above, so we do |
---|
4748 | * not have to worry in case we do not update them. |
---|
4749 | */ |
---|
4750 | if (mhp->ext[SADB_X_EXT_NAT_T_OAI] != NULL) |
---|
4751 | ipseclog((LOG_DEBUG, "%s: NAT-T OAi present\n", __func__)); |
---|
4752 | if (mhp->ext[SADB_X_EXT_NAT_T_OAR] != NULL) |
---|
4753 | ipseclog((LOG_DEBUG, "%s: NAT-T OAr present\n", __func__)); |
---|
4754 | |
---|
4755 | if (mhp->ext[SADB_X_EXT_NAT_T_TYPE] != NULL && |
---|
4756 | mhp->ext[SADB_X_EXT_NAT_T_SPORT] != NULL && |
---|
4757 | mhp->ext[SADB_X_EXT_NAT_T_DPORT] != NULL) { |
---|
4758 | struct sadb_x_nat_t_type *type; |
---|
4759 | struct sadb_x_nat_t_port *sport, *dport; |
---|
4760 | |
---|
4761 | if (mhp->extlen[SADB_X_EXT_NAT_T_TYPE] < sizeof(*type) || |
---|
4762 | mhp->extlen[SADB_X_EXT_NAT_T_SPORT] < sizeof(*sport) || |
---|
4763 | mhp->extlen[SADB_X_EXT_NAT_T_DPORT] < sizeof(*dport)) { |
---|
4764 | ipseclog((LOG_DEBUG, "%s: invalid nat-t message " |
---|
4765 | "passed.\n", __func__)); |
---|
4766 | return key_senderror(so, m, EINVAL); |
---|
4767 | } |
---|
4768 | |
---|
4769 | sport = (struct sadb_x_nat_t_port *) |
---|
4770 | mhp->ext[SADB_X_EXT_NAT_T_SPORT]; |
---|
4771 | dport = (struct sadb_x_nat_t_port *) |
---|
4772 | mhp->ext[SADB_X_EXT_NAT_T_DPORT]; |
---|
4773 | |
---|
4774 | if (sport) |
---|
4775 | KEY_PORTTOSADDR(&saidx.src, sport->sadb_x_nat_t_port_port); |
---|
4776 | if (dport) |
---|
4777 | KEY_PORTTOSADDR(&saidx.dst, dport->sadb_x_nat_t_port_port); |
---|
4778 | } |
---|
4779 | #endif |
---|
4780 | |
---|
4781 | /* SPI allocation */ |
---|
4782 | spi = key_do_getnewspi((struct sadb_spirange *)mhp->ext[SADB_EXT_SPIRANGE], |
---|
4783 | &saidx); |
---|
4784 | if (spi == 0) |
---|
4785 | return key_senderror(so, m, EINVAL); |
---|
4786 | |
---|
4787 | /* get a SA index */ |
---|
4788 | if ((newsah = key_getsah(&saidx)) == NULL) { |
---|
4789 | /* create a new SA index */ |
---|
4790 | if ((newsah = key_newsah(&saidx)) == NULL) { |
---|
4791 | ipseclog((LOG_DEBUG, "%s: No more memory.\n",__func__)); |
---|
4792 | return key_senderror(so, m, ENOBUFS); |
---|
4793 | } |
---|
4794 | } |
---|
4795 | |
---|
4796 | /* get a new SA */ |
---|
4797 | /* XXX rewrite */ |
---|
4798 | newsav = KEY_NEWSAV(m, mhp, newsah, &error); |
---|
4799 | if (newsav == NULL) { |
---|
4800 | /* XXX don't free new SA index allocated in above. */ |
---|
4801 | return key_senderror(so, m, error); |
---|
4802 | } |
---|
4803 | |
---|
4804 | /* set spi */ |
---|
4805 | newsav->spi = htonl(spi); |
---|
4806 | |
---|
4807 | /* delete the entry in acqtree */ |
---|
4808 | if (mhp->msg->sadb_msg_seq != 0) { |
---|
4809 | struct secacq *acq; |
---|
4810 | if ((acq = key_getacqbyseq(mhp->msg->sadb_msg_seq)) != NULL) { |
---|
4811 | /* reset counter in order to deletion by timehandler. */ |
---|
4812 | acq->created = time_second; |
---|
4813 | acq->count = 0; |
---|
4814 | } |
---|
4815 | } |
---|
4816 | |
---|
4817 | { |
---|
4818 | struct mbuf *n, *nn; |
---|
4819 | struct sadb_sa *m_sa; |
---|
4820 | struct sadb_msg *newmsg; |
---|
4821 | int off, len; |
---|
4822 | |
---|
4823 | /* create new sadb_msg to reply. */ |
---|
4824 | len = PFKEY_ALIGN8(sizeof(struct sadb_msg)) + |
---|
4825 | PFKEY_ALIGN8(sizeof(struct sadb_sa)); |
---|
4826 | |
---|
4827 | MGETHDR(n, M_DONTWAIT, MT_DATA); |
---|
4828 | if (len > MHLEN) { |
---|
4829 | MCLGET(n, M_DONTWAIT); |
---|
4830 | if ((n->m_flags & M_EXT) == 0) { |
---|
4831 | m_freem(n); |
---|
4832 | n = NULL; |
---|
4833 | } |
---|
4834 | } |
---|
4835 | if (!n) |
---|
4836 | return key_senderror(so, m, ENOBUFS); |
---|
4837 | |
---|
4838 | n->m_len = len; |
---|
4839 | n->m_next = NULL; |
---|
4840 | off = 0; |
---|
4841 | |
---|
4842 | m_copydata(m, 0, sizeof(struct sadb_msg), mtod(n, caddr_t) + off); |
---|
4843 | off += PFKEY_ALIGN8(sizeof(struct sadb_msg)); |
---|
4844 | |
---|
4845 | m_sa = (struct sadb_sa *)(mtod(n, caddr_t) + off); |
---|
4846 | m_sa->sadb_sa_len = PFKEY_UNIT64(sizeof(struct sadb_sa)); |
---|
4847 | m_sa->sadb_sa_exttype = SADB_EXT_SA; |
---|
4848 | m_sa->sadb_sa_spi = htonl(spi); |
---|
4849 | off += PFKEY_ALIGN8(sizeof(struct sadb_sa)); |
---|
4850 | |
---|
4851 | IPSEC_ASSERT(off == len, |
---|
4852 | ("length inconsistency (off %u len %u)", off, len)); |
---|
4853 | |
---|
4854 | n->m_next = key_gather_mbuf(m, mhp, 0, 2, SADB_EXT_ADDRESS_SRC, |
---|
4855 | SADB_EXT_ADDRESS_DST); |
---|
4856 | if (!n->m_next) { |
---|
4857 | m_freem(n); |
---|
4858 | return key_senderror(so, m, ENOBUFS); |
---|
4859 | } |
---|
4860 | |
---|
4861 | if (n->m_len < sizeof(struct sadb_msg)) { |
---|
4862 | n = m_pullup(n, sizeof(struct sadb_msg)); |
---|
4863 | if (n == NULL) |
---|
4864 | return key_sendup_mbuf(so, m, KEY_SENDUP_ONE); |
---|
4865 | } |
---|
4866 | |
---|
4867 | n->m_pkthdr.len = 0; |
---|
4868 | for (nn = n; nn; nn = nn->m_next) |
---|
4869 | n->m_pkthdr.len += nn->m_len; |
---|
4870 | |
---|
4871 | newmsg = mtod(n, struct sadb_msg *); |
---|
4872 | newmsg->sadb_msg_seq = newsav->seq; |
---|
4873 | newmsg->sadb_msg_errno = 0; |
---|
4874 | newmsg->sadb_msg_len = PFKEY_UNIT64(n->m_pkthdr.len); |
---|
4875 | |
---|
4876 | m_freem(m); |
---|
4877 | return key_sendup_mbuf(so, n, KEY_SENDUP_ONE); |
---|
4878 | } |
---|
4879 | } |
---|
4880 | |
---|
4881 | /* |
---|
4882 | * allocating new SPI |
---|
4883 | * called by key_getspi(). |
---|
4884 | * OUT: |
---|
4885 | * 0: failure. |
---|
4886 | * others: success. |
---|
4887 | */ |
---|
4888 | static u_int32_t |
---|
4889 | key_do_getnewspi(spirange, saidx) |
---|
4890 | struct sadb_spirange *spirange; |
---|
4891 | struct secasindex *saidx; |
---|
4892 | { |
---|
4893 | u_int32_t newspi; |
---|
4894 | u_int32_t min, max; |
---|
4895 | int count = V_key_spi_trycnt; |
---|
4896 | |
---|
4897 | /* set spi range to allocate */ |
---|
4898 | if (spirange != NULL) { |
---|
4899 | min = spirange->sadb_spirange_min; |
---|
4900 | max = spirange->sadb_spirange_max; |
---|
4901 | } else { |
---|
4902 | min = V_key_spi_minval; |
---|
4903 | max = V_key_spi_maxval; |
---|
4904 | } |
---|
4905 | /* IPCOMP needs 2-byte SPI */ |
---|
4906 | if (saidx->proto == IPPROTO_IPCOMP) { |
---|
4907 | u_int32_t t; |
---|
4908 | if (min >= 0x10000) |
---|
4909 | min = 0xffff; |
---|
4910 | if (max >= 0x10000) |
---|
4911 | max = 0xffff; |
---|
4912 | if (min > max) { |
---|
4913 | t = min; min = max; max = t; |
---|
4914 | } |
---|
4915 | } |
---|
4916 | |
---|
4917 | if (min == max) { |
---|
4918 | if (key_checkspidup(saidx, min) != NULL) { |
---|
4919 | ipseclog((LOG_DEBUG, "%s: SPI %u exists already.\n", |
---|
4920 | __func__, min)); |
---|
4921 | return 0; |
---|
4922 | } |
---|
4923 | |
---|
4924 | count--; /* taking one cost. */ |
---|
4925 | newspi = min; |
---|
4926 | |
---|
4927 | } else { |
---|
4928 | |
---|
4929 | /* init SPI */ |
---|
4930 | newspi = 0; |
---|
4931 | |
---|
4932 | /* when requesting to allocate spi ranged */ |
---|
4933 | while (count--) { |
---|
4934 | /* generate pseudo-random SPI value ranged. */ |
---|
4935 | newspi = min + (key_random() % (max - min + 1)); |
---|
4936 | |
---|
4937 | if (key_checkspidup(saidx, newspi) == NULL) |
---|
4938 | break; |
---|
4939 | } |
---|
4940 | |
---|
4941 | if (count == 0 || newspi == 0) { |
---|
4942 | ipseclog((LOG_DEBUG, "%s: to allocate spi is failed.\n", |
---|
4943 | __func__)); |
---|
4944 | return 0; |
---|
4945 | } |
---|
4946 | } |
---|
4947 | |
---|
4948 | /* statistics */ |
---|
4949 | keystat.getspi_count = |
---|
4950 | (keystat.getspi_count + V_key_spi_trycnt - count) / 2; |
---|
4951 | |
---|
4952 | return newspi; |
---|
4953 | } |
---|
4954 | |
---|
4955 | /* |
---|
4956 | * SADB_UPDATE processing |
---|
4957 | * receive |
---|
4958 | * <base, SA, (SA2), (lifetime(HSC),) address(SD), (address(P),) |
---|
4959 | * key(AE), (identity(SD),) (sensitivity)> |
---|
4960 | * from the ikmpd, and update a secasvar entry whose status is SADB_SASTATE_LARVAL. |
---|
4961 | * and send |
---|
4962 | * <base, SA, (SA2), (lifetime(HSC),) address(SD), (address(P),) |
---|
4963 | * (identity(SD),) (sensitivity)> |
---|
4964 | * to the ikmpd. |
---|
4965 | * |
---|
4966 | * m will always be freed. |
---|
4967 | */ |
---|
4968 | static int |
---|
4969 | key_update(so, m, mhp) |
---|
4970 | struct socket *so; |
---|
4971 | struct mbuf *m; |
---|
4972 | const struct sadb_msghdr *mhp; |
---|
4973 | { |
---|
4974 | struct sadb_sa *sa0; |
---|
4975 | struct sadb_address *src0, *dst0; |
---|
4976 | #ifdef IPSEC_NAT_T |
---|
4977 | struct sadb_x_nat_t_type *type; |
---|
4978 | struct sadb_x_nat_t_port *sport, *dport; |
---|
4979 | struct sadb_address *iaddr, *raddr; |
---|
4980 | struct sadb_x_nat_t_frag *frag; |
---|
4981 | #endif |
---|
4982 | struct secasindex saidx; |
---|
4983 | struct secashead *sah; |
---|
4984 | struct secasvar *sav; |
---|
4985 | u_int16_t proto; |
---|
4986 | u_int8_t mode; |
---|
4987 | u_int32_t reqid; |
---|
4988 | int error; |
---|
4989 | |
---|
4990 | IPSEC_ASSERT(so != NULL, ("null socket")); |
---|
4991 | IPSEC_ASSERT(m != NULL, ("null mbuf")); |
---|
4992 | IPSEC_ASSERT(mhp != NULL, ("null msghdr")); |
---|
4993 | IPSEC_ASSERT(mhp->msg != NULL, ("null msg")); |
---|
4994 | |
---|
4995 | /* map satype to proto */ |
---|
4996 | if ((proto = key_satype2proto(mhp->msg->sadb_msg_satype)) == 0) { |
---|
4997 | ipseclog((LOG_DEBUG, "%s: invalid satype is passed.\n", |
---|
4998 | __func__)); |
---|
4999 | return key_senderror(so, m, EINVAL); |
---|
5000 | } |
---|
5001 | |
---|
5002 | if (mhp->ext[SADB_EXT_SA] == NULL || |
---|
5003 | mhp->ext[SADB_EXT_ADDRESS_SRC] == NULL || |
---|
5004 | mhp->ext[SADB_EXT_ADDRESS_DST] == NULL || |
---|
5005 | (mhp->msg->sadb_msg_satype == SADB_SATYPE_ESP && |
---|
5006 | mhp->ext[SADB_EXT_KEY_ENCRYPT] == NULL) || |
---|
5007 | (mhp->msg->sadb_msg_satype == SADB_SATYPE_AH && |
---|
5008 | mhp->ext[SADB_EXT_KEY_AUTH] == NULL) || |
---|
5009 | (mhp->ext[SADB_EXT_LIFETIME_HARD] != NULL && |
---|
5010 | mhp->ext[SADB_EXT_LIFETIME_SOFT] == NULL) || |
---|
5011 | (mhp->ext[SADB_EXT_LIFETIME_HARD] == NULL && |
---|
5012 | mhp->ext[SADB_EXT_LIFETIME_SOFT] != NULL)) { |
---|
5013 | ipseclog((LOG_DEBUG, "%s: invalid message is passed.\n", |
---|
5014 | __func__)); |
---|
5015 | return key_senderror(so, m, EINVAL); |
---|
5016 | } |
---|
5017 | if (mhp->extlen[SADB_EXT_SA] < sizeof(struct sadb_sa) || |
---|
5018 | mhp->extlen[SADB_EXT_ADDRESS_SRC] < sizeof(struct sadb_address) || |
---|
5019 | mhp->extlen[SADB_EXT_ADDRESS_DST] < sizeof(struct sadb_address)) { |
---|
5020 | ipseclog((LOG_DEBUG, "%s: invalid message is passed.\n", |
---|
5021 | __func__)); |
---|
5022 | return key_senderror(so, m, EINVAL); |
---|
5023 | } |
---|
5024 | if (mhp->ext[SADB_X_EXT_SA2] != NULL) { |
---|
5025 | mode = ((struct sadb_x_sa2 *)mhp->ext[SADB_X_EXT_SA2])->sadb_x_sa2_mode; |
---|
5026 | reqid = ((struct sadb_x_sa2 *)mhp->ext[SADB_X_EXT_SA2])->sadb_x_sa2_reqid; |
---|
5027 | } else { |
---|
5028 | mode = IPSEC_MODE_ANY; |
---|
5029 | reqid = 0; |
---|
5030 | } |
---|
5031 | /* XXX boundary checking for other extensions */ |
---|
5032 | |
---|
5033 | sa0 = (struct sadb_sa *)mhp->ext[SADB_EXT_SA]; |
---|
5034 | src0 = (struct sadb_address *)(mhp->ext[SADB_EXT_ADDRESS_SRC]); |
---|
5035 | dst0 = (struct sadb_address *)(mhp->ext[SADB_EXT_ADDRESS_DST]); |
---|
5036 | |
---|
5037 | /* XXX boundary check against sa_len */ |
---|
5038 | KEY_SETSECASIDX(proto, mode, reqid, src0 + 1, dst0 + 1, &saidx); |
---|
5039 | |
---|
5040 | /* |
---|
5041 | * Make sure the port numbers are zero. |
---|
5042 | * In case of NAT-T we will update them later if needed. |
---|
5043 | */ |
---|
5044 | KEY_PORTTOSADDR(&saidx.src, 0); |
---|
5045 | KEY_PORTTOSADDR(&saidx.dst, 0); |
---|
5046 | |
---|
5047 | #ifdef IPSEC_NAT_T |
---|
5048 | /* |
---|
5049 | * Handle NAT-T info if present. |
---|
5050 | */ |
---|
5051 | if (mhp->ext[SADB_X_EXT_NAT_T_TYPE] != NULL && |
---|
5052 | mhp->ext[SADB_X_EXT_NAT_T_SPORT] != NULL && |
---|
5053 | mhp->ext[SADB_X_EXT_NAT_T_DPORT] != NULL) { |
---|
5054 | |
---|
5055 | if (mhp->extlen[SADB_X_EXT_NAT_T_TYPE] < sizeof(*type) || |
---|
5056 | mhp->extlen[SADB_X_EXT_NAT_T_SPORT] < sizeof(*sport) || |
---|
5057 | mhp->extlen[SADB_X_EXT_NAT_T_DPORT] < sizeof(*dport)) { |
---|
5058 | ipseclog((LOG_DEBUG, "%s: invalid message.\n", |
---|
5059 | __func__)); |
---|
5060 | return key_senderror(so, m, EINVAL); |
---|
5061 | } |
---|
5062 | |
---|
5063 | type = (struct sadb_x_nat_t_type *) |
---|
5064 | mhp->ext[SADB_X_EXT_NAT_T_TYPE]; |
---|
5065 | sport = (struct sadb_x_nat_t_port *) |
---|
5066 | mhp->ext[SADB_X_EXT_NAT_T_SPORT]; |
---|
5067 | dport = (struct sadb_x_nat_t_port *) |
---|
5068 | mhp->ext[SADB_X_EXT_NAT_T_DPORT]; |
---|
5069 | } else { |
---|
5070 | type = 0; |
---|
5071 | sport = dport = 0; |
---|
5072 | } |
---|
5073 | if (mhp->ext[SADB_X_EXT_NAT_T_OAI] != NULL && |
---|
5074 | mhp->ext[SADB_X_EXT_NAT_T_OAR] != NULL) { |
---|
5075 | if (mhp->extlen[SADB_X_EXT_NAT_T_OAI] < sizeof(*iaddr) || |
---|
5076 | mhp->extlen[SADB_X_EXT_NAT_T_OAR] < sizeof(*raddr)) { |
---|
5077 | ipseclog((LOG_DEBUG, "%s: invalid message\n", |
---|
5078 | __func__)); |
---|
5079 | return key_senderror(so, m, EINVAL); |
---|
5080 | } |
---|
5081 | iaddr = (struct sadb_address *)mhp->ext[SADB_X_EXT_NAT_T_OAI]; |
---|
5082 | raddr = (struct sadb_address *)mhp->ext[SADB_X_EXT_NAT_T_OAR]; |
---|
5083 | ipseclog((LOG_DEBUG, "%s: NAT-T OAi/r present\n", __func__)); |
---|
5084 | } else { |
---|
5085 | iaddr = raddr = NULL; |
---|
5086 | } |
---|
5087 | if (mhp->ext[SADB_X_EXT_NAT_T_FRAG] != NULL) { |
---|
5088 | if (mhp->extlen[SADB_X_EXT_NAT_T_FRAG] < sizeof(*frag)) { |
---|
5089 | ipseclog((LOG_DEBUG, "%s: invalid message\n", |
---|
5090 | __func__)); |
---|
5091 | return key_senderror(so, m, EINVAL); |
---|
5092 | } |
---|
5093 | frag = (struct sadb_x_nat_t_frag *) |
---|
5094 | mhp->ext[SADB_X_EXT_NAT_T_FRAG]; |
---|
5095 | } else { |
---|
5096 | frag = 0; |
---|
5097 | } |
---|
5098 | #endif |
---|
5099 | |
---|
5100 | /* get a SA header */ |
---|
5101 | if ((sah = key_getsah(&saidx)) == NULL) { |
---|
5102 | ipseclog((LOG_DEBUG, "%s: no SA index found.\n", __func__)); |
---|
5103 | return key_senderror(so, m, ENOENT); |
---|
5104 | } |
---|
5105 | |
---|
5106 | /* set spidx if there */ |
---|
5107 | /* XXX rewrite */ |
---|
5108 | error = key_setident(sah, m, mhp); |
---|
5109 | if (error) |
---|
5110 | return key_senderror(so, m, error); |
---|
5111 | |
---|
5112 | /* find a SA with sequence number. */ |
---|
5113 | #ifdef IPSEC_DOSEQCHECK |
---|
5114 | if (mhp->msg->sadb_msg_seq != 0 |
---|
5115 | && (sav = key_getsavbyseq(sah, mhp->msg->sadb_msg_seq)) == NULL) { |
---|
5116 | ipseclog((LOG_DEBUG, "%s: no larval SA with sequence %u " |
---|
5117 | "exists.\n", __func__, mhp->msg->sadb_msg_seq)); |
---|
5118 | return key_senderror(so, m, ENOENT); |
---|
5119 | } |
---|
5120 | #else |
---|
5121 | SAHTREE_LOCK(); |
---|
5122 | sav = key_getsavbyspi(sah, sa0->sadb_sa_spi); |
---|
5123 | SAHTREE_UNLOCK(); |
---|
5124 | if (sav == NULL) { |
---|
5125 | ipseclog((LOG_DEBUG, "%s: no such a SA found (spi:%u)\n", |
---|
5126 | __func__, (u_int32_t)ntohl(sa0->sadb_sa_spi))); |
---|
5127 | return key_senderror(so, m, EINVAL); |
---|
5128 | } |
---|
5129 | #endif |
---|
5130 | |
---|
5131 | /* validity check */ |
---|
5132 | if (sav->sah->saidx.proto != proto) { |
---|
5133 | ipseclog((LOG_DEBUG, "%s: protocol mismatched " |
---|
5134 | "(DB=%u param=%u)\n", __func__, |
---|
5135 | sav->sah->saidx.proto, proto)); |
---|
5136 | return key_senderror(so, m, EINVAL); |
---|
5137 | } |
---|
5138 | #ifdef IPSEC_DOSEQCHECK |
---|
5139 | if (sav->spi != sa0->sadb_sa_spi) { |
---|
5140 | ipseclog((LOG_DEBUG, "%s: SPI mismatched (DB:%u param:%u)\n", |
---|
5141 | __func__, |
---|
5142 | (u_int32_t)ntohl(sav->spi), |
---|
5143 | (u_int32_t)ntohl(sa0->sadb_sa_spi))); |
---|
5144 | return key_senderror(so, m, EINVAL); |
---|
5145 | } |
---|
5146 | #endif |
---|
5147 | if (sav->pid != mhp->msg->sadb_msg_pid) { |
---|
5148 | ipseclog((LOG_DEBUG, "%s: pid mismatched (DB:%u param:%u)\n", |
---|
5149 | __func__, sav->pid, mhp->msg->sadb_msg_pid)); |
---|
5150 | return key_senderror(so, m, EINVAL); |
---|
5151 | } |
---|
5152 | |
---|
5153 | /* copy sav values */ |
---|
5154 | error = key_setsaval(sav, m, mhp); |
---|
5155 | if (error) { |
---|
5156 | KEY_FREESAV(&sav); |
---|
5157 | return key_senderror(so, m, error); |
---|
5158 | } |
---|
5159 | |
---|
5160 | #ifdef IPSEC_NAT_T |
---|
5161 | /* |
---|
5162 | * Handle more NAT-T info if present, |
---|
5163 | * now that we have a sav to fill. |
---|
5164 | */ |
---|
5165 | if (type) |
---|
5166 | sav->natt_type = type->sadb_x_nat_t_type_type; |
---|
5167 | |
---|
5168 | if (sport) |
---|
5169 | KEY_PORTTOSADDR(&sav->sah->saidx.src, |
---|
5170 | sport->sadb_x_nat_t_port_port); |
---|
5171 | if (dport) |
---|
5172 | KEY_PORTTOSADDR(&sav->sah->saidx.dst, |
---|
5173 | dport->sadb_x_nat_t_port_port); |
---|
5174 | |
---|
5175 | #if 0 |
---|
5176 | /* |
---|
5177 | * In case SADB_X_EXT_NAT_T_FRAG was not given, leave it at 0. |
---|
5178 | * We should actually check for a minimum MTU here, if we |
---|
5179 | * want to support it in ip_output. |
---|
5180 | */ |
---|
5181 | if (frag) |
---|
5182 | sav->natt_esp_frag_len = frag->sadb_x_nat_t_frag_fraglen; |
---|
5183 | #endif |
---|
5184 | #endif |
---|
5185 | |
---|
5186 | /* check SA values to be mature. */ |
---|
5187 | if ((mhp->msg->sadb_msg_errno = key_mature(sav)) != 0) { |
---|
5188 | KEY_FREESAV(&sav); |
---|
5189 | return key_senderror(so, m, 0); |
---|
5190 | } |
---|
5191 | |
---|
5192 | { |
---|
5193 | struct mbuf *n; |
---|
5194 | |
---|
5195 | /* set msg buf from mhp */ |
---|
5196 | n = key_getmsgbuf_x1(m, mhp); |
---|
5197 | if (n == NULL) { |
---|
5198 | ipseclog((LOG_DEBUG, "%s: No more memory.\n", __func__)); |
---|
5199 | return key_senderror(so, m, ENOBUFS); |
---|
5200 | } |
---|
5201 | |
---|
5202 | m_freem(m); |
---|
5203 | return key_sendup_mbuf(so, n, KEY_SENDUP_ALL); |
---|
5204 | } |
---|
5205 | } |
---|
5206 | |
---|
5207 | /* |
---|
5208 | * search SAD with sequence for a SA which state is SADB_SASTATE_LARVAL. |
---|
5209 | * only called by key_update(). |
---|
5210 | * OUT: |
---|
5211 | * NULL : not found |
---|
5212 | * others : found, pointer to a SA. |
---|
5213 | */ |
---|
5214 | #ifdef IPSEC_DOSEQCHECK |
---|
5215 | static struct secasvar * |
---|
5216 | key_getsavbyseq(sah, seq) |
---|
5217 | struct secashead *sah; |
---|
5218 | u_int32_t seq; |
---|
5219 | { |
---|
5220 | struct secasvar *sav; |
---|
5221 | u_int state; |
---|
5222 | |
---|
5223 | state = SADB_SASTATE_LARVAL; |
---|
5224 | |
---|
5225 | /* search SAD with sequence number ? */ |
---|
5226 | LIST_FOREACH(sav, &sah->savtree[state], chain) { |
---|
5227 | |
---|
5228 | KEY_CHKSASTATE(state, sav->state, __func__); |
---|
5229 | |
---|
5230 | if (sav->seq == seq) { |
---|
5231 | sa_addref(sav); |
---|
5232 | KEYDEBUG(KEYDEBUG_IPSEC_STAMP, |
---|
5233 | printf("DP %s cause refcnt++:%d SA:%p\n", |
---|
5234 | __func__, sav->refcnt, sav)); |
---|
5235 | return sav; |
---|
5236 | } |
---|
5237 | } |
---|
5238 | |
---|
5239 | return NULL; |
---|
5240 | } |
---|
5241 | #endif |
---|
5242 | |
---|
5243 | /* |
---|
5244 | * SADB_ADD processing |
---|
5245 | * add an entry to SA database, when received |
---|
5246 | * <base, SA, (SA2), (lifetime(HSC),) address(SD), (address(P),) |
---|
5247 | * key(AE), (identity(SD),) (sensitivity)> |
---|
5248 | * from the ikmpd, |
---|
5249 | * and send |
---|
5250 | * <base, SA, (SA2), (lifetime(HSC),) address(SD), (address(P),) |
---|
5251 | * (identity(SD),) (sensitivity)> |
---|
5252 | * to the ikmpd. |
---|
5253 | * |
---|
5254 | * IGNORE identity and sensitivity messages. |
---|
5255 | * |
---|
5256 | * m will always be freed. |
---|
5257 | */ |
---|
5258 | static int |
---|
5259 | key_add(so, m, mhp) |
---|
5260 | struct socket *so; |
---|
5261 | struct mbuf *m; |
---|
5262 | const struct sadb_msghdr *mhp; |
---|
5263 | { |
---|
5264 | struct sadb_sa *sa0; |
---|
5265 | struct sadb_address *src0, *dst0; |
---|
5266 | #ifdef IPSEC_NAT_T |
---|
5267 | struct sadb_x_nat_t_type *type; |
---|
5268 | struct sadb_address *iaddr, *raddr; |
---|
5269 | struct sadb_x_nat_t_frag *frag; |
---|
5270 | #endif |
---|
5271 | struct secasindex saidx; |
---|
5272 | struct secashead *newsah; |
---|
5273 | struct secasvar *newsav; |
---|
5274 | u_int16_t proto; |
---|
5275 | u_int8_t mode; |
---|
5276 | u_int32_t reqid; |
---|
5277 | int error; |
---|
5278 | |
---|
5279 | IPSEC_ASSERT(so != NULL, ("null socket")); |
---|
5280 | IPSEC_ASSERT(m != NULL, ("null mbuf")); |
---|
5281 | IPSEC_ASSERT(mhp != NULL, ("null msghdr")); |
---|
5282 | IPSEC_ASSERT(mhp->msg != NULL, ("null msg")); |
---|
5283 | |
---|
5284 | /* map satype to proto */ |
---|
5285 | if ((proto = key_satype2proto(mhp->msg->sadb_msg_satype)) == 0) { |
---|
5286 | ipseclog((LOG_DEBUG, "%s: invalid satype is passed.\n", |
---|
5287 | __func__)); |
---|
5288 | return key_senderror(so, m, EINVAL); |
---|
5289 | } |
---|
5290 | |
---|
5291 | if (mhp->ext[SADB_EXT_SA] == NULL || |
---|
5292 | mhp->ext[SADB_EXT_ADDRESS_SRC] == NULL || |
---|
5293 | mhp->ext[SADB_EXT_ADDRESS_DST] == NULL || |
---|
5294 | (mhp->msg->sadb_msg_satype == SADB_SATYPE_ESP && |
---|
5295 | mhp->ext[SADB_EXT_KEY_ENCRYPT] == NULL) || |
---|
5296 | (mhp->msg->sadb_msg_satype == SADB_SATYPE_AH && |
---|
5297 | mhp->ext[SADB_EXT_KEY_AUTH] == NULL) || |
---|
5298 | (mhp->ext[SADB_EXT_LIFETIME_HARD] != NULL && |
---|
5299 | mhp->ext[SADB_EXT_LIFETIME_SOFT] == NULL) || |
---|
5300 | (mhp->ext[SADB_EXT_LIFETIME_HARD] == NULL && |
---|
5301 | mhp->ext[SADB_EXT_LIFETIME_SOFT] != NULL)) { |
---|
5302 | ipseclog((LOG_DEBUG, "%s: invalid message is passed.\n", |
---|
5303 | __func__)); |
---|
5304 | return key_senderror(so, m, EINVAL); |
---|
5305 | } |
---|
5306 | if (mhp->extlen[SADB_EXT_SA] < sizeof(struct sadb_sa) || |
---|
5307 | mhp->extlen[SADB_EXT_ADDRESS_SRC] < sizeof(struct sadb_address) || |
---|
5308 | mhp->extlen[SADB_EXT_ADDRESS_DST] < sizeof(struct sadb_address)) { |
---|
5309 | /* XXX need more */ |
---|
5310 | ipseclog((LOG_DEBUG, "%s: invalid message is passed.\n", |
---|
5311 | __func__)); |
---|
5312 | return key_senderror(so, m, EINVAL); |
---|
5313 | } |
---|
5314 | if (mhp->ext[SADB_X_EXT_SA2] != NULL) { |
---|
5315 | mode = ((struct sadb_x_sa2 *)mhp->ext[SADB_X_EXT_SA2])->sadb_x_sa2_mode; |
---|
5316 | reqid = ((struct sadb_x_sa2 *)mhp->ext[SADB_X_EXT_SA2])->sadb_x_sa2_reqid; |
---|
5317 | } else { |
---|
5318 | mode = IPSEC_MODE_ANY; |
---|
5319 | reqid = 0; |
---|
5320 | } |
---|
5321 | |
---|
5322 | sa0 = (struct sadb_sa *)mhp->ext[SADB_EXT_SA]; |
---|
5323 | src0 = (struct sadb_address *)mhp->ext[SADB_EXT_ADDRESS_SRC]; |
---|
5324 | dst0 = (struct sadb_address *)mhp->ext[SADB_EXT_ADDRESS_DST]; |
---|
5325 | |
---|
5326 | /* XXX boundary check against sa_len */ |
---|
5327 | KEY_SETSECASIDX(proto, mode, reqid, src0 + 1, dst0 + 1, &saidx); |
---|
5328 | |
---|
5329 | /* |
---|
5330 | * Make sure the port numbers are zero. |
---|
5331 | * In case of NAT-T we will update them later if needed. |
---|
5332 | */ |
---|
5333 | KEY_PORTTOSADDR(&saidx.src, 0); |
---|
5334 | KEY_PORTTOSADDR(&saidx.dst, 0); |
---|
5335 | |
---|
5336 | #ifdef IPSEC_NAT_T |
---|
5337 | /* |
---|
5338 | * Handle NAT-T info if present. |
---|
5339 | */ |
---|
5340 | if (mhp->ext[SADB_X_EXT_NAT_T_TYPE] != NULL && |
---|
5341 | mhp->ext[SADB_X_EXT_NAT_T_SPORT] != NULL && |
---|
5342 | mhp->ext[SADB_X_EXT_NAT_T_DPORT] != NULL) { |
---|
5343 | struct sadb_x_nat_t_port *sport, *dport; |
---|
5344 | |
---|
5345 | if (mhp->extlen[SADB_X_EXT_NAT_T_TYPE] < sizeof(*type) || |
---|
5346 | mhp->extlen[SADB_X_EXT_NAT_T_SPORT] < sizeof(*sport) || |
---|
5347 | mhp->extlen[SADB_X_EXT_NAT_T_DPORT] < sizeof(*dport)) { |
---|
5348 | ipseclog((LOG_DEBUG, "%s: invalid message.\n", |
---|
5349 | __func__)); |
---|
5350 | return key_senderror(so, m, EINVAL); |
---|
5351 | } |
---|
5352 | |
---|
5353 | type = (struct sadb_x_nat_t_type *) |
---|
5354 | mhp->ext[SADB_X_EXT_NAT_T_TYPE]; |
---|
5355 | sport = (struct sadb_x_nat_t_port *) |
---|
5356 | mhp->ext[SADB_X_EXT_NAT_T_SPORT]; |
---|
5357 | dport = (struct sadb_x_nat_t_port *) |
---|
5358 | mhp->ext[SADB_X_EXT_NAT_T_DPORT]; |
---|
5359 | |
---|
5360 | if (sport) |
---|
5361 | KEY_PORTTOSADDR(&saidx.src, |
---|
5362 | sport->sadb_x_nat_t_port_port); |
---|
5363 | if (dport) |
---|
5364 | KEY_PORTTOSADDR(&saidx.dst, |
---|
5365 | dport->sadb_x_nat_t_port_port); |
---|
5366 | } else { |
---|
5367 | type = 0; |
---|
5368 | } |
---|
5369 | if (mhp->ext[SADB_X_EXT_NAT_T_OAI] != NULL && |
---|
5370 | mhp->ext[SADB_X_EXT_NAT_T_OAR] != NULL) { |
---|
5371 | if (mhp->extlen[SADB_X_EXT_NAT_T_OAI] < sizeof(*iaddr) || |
---|
5372 | mhp->extlen[SADB_X_EXT_NAT_T_OAR] < sizeof(*raddr)) { |
---|
5373 | ipseclog((LOG_DEBUG, "%s: invalid message\n", |
---|
5374 | __func__)); |
---|
5375 | return key_senderror(so, m, EINVAL); |
---|
5376 | } |
---|
5377 | iaddr = (struct sadb_address *)mhp->ext[SADB_X_EXT_NAT_T_OAI]; |
---|
5378 | raddr = (struct sadb_address *)mhp->ext[SADB_X_EXT_NAT_T_OAR]; |
---|
5379 | ipseclog((LOG_DEBUG, "%s: NAT-T OAi/r present\n", __func__)); |
---|
5380 | } else { |
---|
5381 | iaddr = raddr = NULL; |
---|
5382 | } |
---|
5383 | if (mhp->ext[SADB_X_EXT_NAT_T_FRAG] != NULL) { |
---|
5384 | if (mhp->extlen[SADB_X_EXT_NAT_T_FRAG] < sizeof(*frag)) { |
---|
5385 | ipseclog((LOG_DEBUG, "%s: invalid message\n", |
---|
5386 | __func__)); |
---|
5387 | return key_senderror(so, m, EINVAL); |
---|
5388 | } |
---|
5389 | frag = (struct sadb_x_nat_t_frag *) |
---|
5390 | mhp->ext[SADB_X_EXT_NAT_T_FRAG]; |
---|
5391 | } else { |
---|
5392 | frag = 0; |
---|
5393 | } |
---|
5394 | #endif |
---|
5395 | |
---|
5396 | /* get a SA header */ |
---|
5397 | if ((newsah = key_getsah(&saidx)) == NULL) { |
---|
5398 | /* create a new SA header */ |
---|
5399 | if ((newsah = key_newsah(&saidx)) == NULL) { |
---|
5400 | ipseclog((LOG_DEBUG, "%s: No more memory.\n",__func__)); |
---|
5401 | return key_senderror(so, m, ENOBUFS); |
---|
5402 | } |
---|
5403 | } |
---|
5404 | |
---|
5405 | /* set spidx if there */ |
---|
5406 | /* XXX rewrite */ |
---|
5407 | error = key_setident(newsah, m, mhp); |
---|
5408 | if (error) { |
---|
5409 | return key_senderror(so, m, error); |
---|
5410 | } |
---|
5411 | |
---|
5412 | /* create new SA entry. */ |
---|
5413 | /* We can create new SA only if SPI is differenct. */ |
---|
5414 | SAHTREE_LOCK(); |
---|
5415 | newsav = key_getsavbyspi(newsah, sa0->sadb_sa_spi); |
---|
5416 | SAHTREE_UNLOCK(); |
---|
5417 | if (newsav != NULL) { |
---|
5418 | ipseclog((LOG_DEBUG, "%s: SA already exists.\n", __func__)); |
---|
5419 | return key_senderror(so, m, EEXIST); |
---|
5420 | } |
---|
5421 | newsav = KEY_NEWSAV(m, mhp, newsah, &error); |
---|
5422 | if (newsav == NULL) { |
---|
5423 | return key_senderror(so, m, error); |
---|
5424 | } |
---|
5425 | |
---|
5426 | #ifdef IPSEC_NAT_T |
---|
5427 | /* |
---|
5428 | * Handle more NAT-T info if present, |
---|
5429 | * now that we have a sav to fill. |
---|
5430 | */ |
---|
5431 | if (type) |
---|
5432 | newsav->natt_type = type->sadb_x_nat_t_type_type; |
---|
5433 | |
---|
5434 | #if 0 |
---|
5435 | /* |
---|
5436 | * In case SADB_X_EXT_NAT_T_FRAG was not given, leave it at 0. |
---|
5437 | * We should actually check for a minimum MTU here, if we |
---|
5438 | * want to support it in ip_output. |
---|
5439 | */ |
---|
5440 | if (frag) |
---|
5441 | newsav->natt_esp_frag_len = frag->sadb_x_nat_t_frag_fraglen; |
---|
5442 | #endif |
---|
5443 | #endif |
---|
5444 | |
---|
5445 | /* check SA values to be mature. */ |
---|
5446 | if ((error = key_mature(newsav)) != 0) { |
---|
5447 | KEY_FREESAV(&newsav); |
---|
5448 | return key_senderror(so, m, error); |
---|
5449 | } |
---|
5450 | |
---|
5451 | /* |
---|
5452 | * don't call key_freesav() here, as we would like to keep the SA |
---|
5453 | * in the database on success. |
---|
5454 | */ |
---|
5455 | |
---|
5456 | { |
---|
5457 | struct mbuf *n; |
---|
5458 | |
---|
5459 | /* set msg buf from mhp */ |
---|
5460 | n = key_getmsgbuf_x1(m, mhp); |
---|
5461 | if (n == NULL) { |
---|
5462 | ipseclog((LOG_DEBUG, "%s: No more memory.\n", __func__)); |
---|
5463 | return key_senderror(so, m, ENOBUFS); |
---|
5464 | } |
---|
5465 | |
---|
5466 | m_freem(m); |
---|
5467 | return key_sendup_mbuf(so, n, KEY_SENDUP_ALL); |
---|
5468 | } |
---|
5469 | } |
---|
5470 | |
---|
5471 | /* m is retained */ |
---|
5472 | static int |
---|
5473 | key_setident(sah, m, mhp) |
---|
5474 | struct secashead *sah; |
---|
5475 | struct mbuf *m; |
---|
5476 | const struct sadb_msghdr *mhp; |
---|
5477 | { |
---|
5478 | const struct sadb_ident *idsrc, *iddst; |
---|
5479 | int idsrclen, iddstlen; |
---|
5480 | |
---|
5481 | IPSEC_ASSERT(sah != NULL, ("null secashead")); |
---|
5482 | IPSEC_ASSERT(m != NULL, ("null mbuf")); |
---|
5483 | IPSEC_ASSERT(mhp != NULL, ("null msghdr")); |
---|
5484 | IPSEC_ASSERT(mhp->msg != NULL, ("null msg")); |
---|
5485 | |
---|
5486 | /* don't make buffer if not there */ |
---|
5487 | if (mhp->ext[SADB_EXT_IDENTITY_SRC] == NULL && |
---|
5488 | mhp->ext[SADB_EXT_IDENTITY_DST] == NULL) { |
---|
5489 | sah->idents = NULL; |
---|
5490 | sah->identd = NULL; |
---|
5491 | return 0; |
---|
5492 | } |
---|
5493 | |
---|
5494 | if (mhp->ext[SADB_EXT_IDENTITY_SRC] == NULL || |
---|
5495 | mhp->ext[SADB_EXT_IDENTITY_DST] == NULL) { |
---|
5496 | ipseclog((LOG_DEBUG, "%s: invalid identity.\n", __func__)); |
---|
5497 | return EINVAL; |
---|
5498 | } |
---|
5499 | |
---|
5500 | idsrc = (const struct sadb_ident *)mhp->ext[SADB_EXT_IDENTITY_SRC]; |
---|
5501 | iddst = (const struct sadb_ident *)mhp->ext[SADB_EXT_IDENTITY_DST]; |
---|
5502 | idsrclen = mhp->extlen[SADB_EXT_IDENTITY_SRC]; |
---|
5503 | iddstlen = mhp->extlen[SADB_EXT_IDENTITY_DST]; |
---|
5504 | |
---|
5505 | /* validity check */ |
---|
5506 | if (idsrc->sadb_ident_type != iddst->sadb_ident_type) { |
---|
5507 | ipseclog((LOG_DEBUG, "%s: ident type mismatch.\n", __func__)); |
---|
5508 | return EINVAL; |
---|
5509 | } |
---|
5510 | |
---|
5511 | switch (idsrc->sadb_ident_type) { |
---|
5512 | case SADB_IDENTTYPE_PREFIX: |
---|
5513 | case SADB_IDENTTYPE_FQDN: |
---|
5514 | case SADB_IDENTTYPE_USERFQDN: |
---|
5515 | default: |
---|
5516 | /* XXX do nothing */ |
---|
5517 | sah->idents = NULL; |
---|
5518 | sah->identd = NULL; |
---|
5519 | return 0; |
---|
5520 | } |
---|
5521 | |
---|
5522 | /* make structure */ |
---|
5523 | sah->idents = malloc(sizeof(struct secident), M_IPSEC_MISC, M_NOWAIT); |
---|
5524 | if (sah->idents == NULL) { |
---|
5525 | ipseclog((LOG_DEBUG, "%s: No more memory.\n", __func__)); |
---|
5526 | return ENOBUFS; |
---|
5527 | } |
---|
5528 | sah->identd = malloc(sizeof(struct secident), M_IPSEC_MISC, M_NOWAIT); |
---|
5529 | if (sah->identd == NULL) { |
---|
5530 | free(sah->idents, M_IPSEC_MISC); |
---|
5531 | sah->idents = NULL; |
---|
5532 | ipseclog((LOG_DEBUG, "%s: No more memory.\n", __func__)); |
---|
5533 | return ENOBUFS; |
---|
5534 | } |
---|
5535 | sah->idents->type = idsrc->sadb_ident_type; |
---|
5536 | sah->idents->id = idsrc->sadb_ident_id; |
---|
5537 | |
---|
5538 | sah->identd->type = iddst->sadb_ident_type; |
---|
5539 | sah->identd->id = iddst->sadb_ident_id; |
---|
5540 | |
---|
5541 | return 0; |
---|
5542 | } |
---|
5543 | |
---|
5544 | /* |
---|
5545 | * m will not be freed on return. |
---|
5546 | * it is caller's responsibility to free the result. |
---|
5547 | */ |
---|
5548 | static struct mbuf * |
---|
5549 | key_getmsgbuf_x1(m, mhp) |
---|
5550 | struct mbuf *m; |
---|
5551 | const struct sadb_msghdr *mhp; |
---|
5552 | { |
---|
5553 | struct mbuf *n; |
---|
5554 | |
---|
5555 | IPSEC_ASSERT(m != NULL, ("null mbuf")); |
---|
5556 | IPSEC_ASSERT(mhp != NULL, ("null msghdr")); |
---|
5557 | IPSEC_ASSERT(mhp->msg != NULL, ("null msg")); |
---|
5558 | |
---|
5559 | /* create new sadb_msg to reply. */ |
---|
5560 | n = key_gather_mbuf(m, mhp, 1, 9, SADB_EXT_RESERVED, |
---|
5561 | SADB_EXT_SA, SADB_X_EXT_SA2, |
---|
5562 | SADB_EXT_ADDRESS_SRC, SADB_EXT_ADDRESS_DST, |
---|
5563 | SADB_EXT_LIFETIME_HARD, SADB_EXT_LIFETIME_SOFT, |
---|
5564 | SADB_EXT_IDENTITY_SRC, SADB_EXT_IDENTITY_DST); |
---|
5565 | if (!n) |
---|
5566 | return NULL; |
---|
5567 | |
---|
5568 | if (n->m_len < sizeof(struct sadb_msg)) { |
---|
5569 | n = m_pullup(n, sizeof(struct sadb_msg)); |
---|
5570 | if (n == NULL) |
---|
5571 | return NULL; |
---|
5572 | } |
---|
5573 | mtod(n, struct sadb_msg *)->sadb_msg_errno = 0; |
---|
5574 | mtod(n, struct sadb_msg *)->sadb_msg_len = |
---|
5575 | PFKEY_UNIT64(n->m_pkthdr.len); |
---|
5576 | |
---|
5577 | return n; |
---|
5578 | } |
---|
5579 | |
---|
5580 | static int key_delete_all __P((struct socket *, struct mbuf *, |
---|
5581 | const struct sadb_msghdr *, u_int16_t)); |
---|
5582 | |
---|
5583 | /* |
---|
5584 | * SADB_DELETE processing |
---|
5585 | * receive |
---|
5586 | * <base, SA(*), address(SD)> |
---|
5587 | * from the ikmpd, and set SADB_SASTATE_DEAD, |
---|
5588 | * and send, |
---|
5589 | * <base, SA(*), address(SD)> |
---|
5590 | * to the ikmpd. |
---|
5591 | * |
---|
5592 | * m will always be freed. |
---|
5593 | */ |
---|
5594 | static int |
---|
5595 | key_delete(so, m, mhp) |
---|
5596 | struct socket *so; |
---|
5597 | struct mbuf *m; |
---|
5598 | const struct sadb_msghdr *mhp; |
---|
5599 | { |
---|
5600 | struct sadb_sa *sa0; |
---|
5601 | struct sadb_address *src0, *dst0; |
---|
5602 | struct secasindex saidx; |
---|
5603 | struct secashead *sah; |
---|
5604 | struct secasvar *sav = NULL; |
---|
5605 | u_int16_t proto; |
---|
5606 | |
---|
5607 | IPSEC_ASSERT(so != NULL, ("null socket")); |
---|
5608 | IPSEC_ASSERT(m != NULL, ("null mbuf")); |
---|
5609 | IPSEC_ASSERT(mhp != NULL, ("null msghdr")); |
---|
5610 | IPSEC_ASSERT(mhp->msg != NULL, ("null msg")); |
---|
5611 | |
---|
5612 | /* map satype to proto */ |
---|
5613 | if ((proto = key_satype2proto(mhp->msg->sadb_msg_satype)) == 0) { |
---|
5614 | ipseclog((LOG_DEBUG, "%s: invalid satype is passed.\n", |
---|
5615 | __func__)); |
---|
5616 | return key_senderror(so, m, EINVAL); |
---|
5617 | } |
---|
5618 | |
---|
5619 | if (mhp->ext[SADB_EXT_ADDRESS_SRC] == NULL || |
---|
5620 | mhp->ext[SADB_EXT_ADDRESS_DST] == NULL) { |
---|
5621 | ipseclog((LOG_DEBUG, "%s: invalid message is passed.\n", |
---|
5622 | __func__)); |
---|
5623 | return key_senderror(so, m, EINVAL); |
---|
5624 | } |
---|
5625 | |
---|
5626 | if (mhp->extlen[SADB_EXT_ADDRESS_SRC] < sizeof(struct sadb_address) || |
---|
5627 | mhp->extlen[SADB_EXT_ADDRESS_DST] < sizeof(struct sadb_address)) { |
---|
5628 | ipseclog((LOG_DEBUG, "%s: invalid message is passed.\n", |
---|
5629 | __func__)); |
---|
5630 | return key_senderror(so, m, EINVAL); |
---|
5631 | } |
---|
5632 | |
---|
5633 | if (mhp->ext[SADB_EXT_SA] == NULL) { |
---|
5634 | /* |
---|
5635 | * Caller wants us to delete all non-LARVAL SAs |
---|
5636 | * that match the src/dst. This is used during |
---|
5637 | * IKE INITIAL-CONTACT. |
---|
5638 | */ |
---|
5639 | ipseclog((LOG_DEBUG, "%s: doing delete all.\n", __func__)); |
---|
5640 | return key_delete_all(so, m, mhp, proto); |
---|
5641 | } else if (mhp->extlen[SADB_EXT_SA] < sizeof(struct sadb_sa)) { |
---|
5642 | ipseclog((LOG_DEBUG, "%s: invalid message is passed.\n", |
---|
5643 | __func__)); |
---|
5644 | return key_senderror(so, m, EINVAL); |
---|
5645 | } |
---|
5646 | |
---|
5647 | sa0 = (struct sadb_sa *)mhp->ext[SADB_EXT_SA]; |
---|
5648 | src0 = (struct sadb_address *)(mhp->ext[SADB_EXT_ADDRESS_SRC]); |
---|
5649 | dst0 = (struct sadb_address *)(mhp->ext[SADB_EXT_ADDRESS_DST]); |
---|
5650 | |
---|
5651 | /* XXX boundary check against sa_len */ |
---|
5652 | KEY_SETSECASIDX(proto, IPSEC_MODE_ANY, 0, src0 + 1, dst0 + 1, &saidx); |
---|
5653 | |
---|
5654 | /* |
---|
5655 | * Make sure the port numbers are zero. |
---|
5656 | * In case of NAT-T we will update them later if needed. |
---|
5657 | */ |
---|
5658 | KEY_PORTTOSADDR(&saidx.src, 0); |
---|
5659 | KEY_PORTTOSADDR(&saidx.dst, 0); |
---|
5660 | |
---|
5661 | #ifdef IPSEC_NAT_T |
---|
5662 | /* |
---|
5663 | * Handle NAT-T info if present. |
---|
5664 | */ |
---|
5665 | if (mhp->ext[SADB_X_EXT_NAT_T_SPORT] != NULL && |
---|
5666 | mhp->ext[SADB_X_EXT_NAT_T_DPORT] != NULL) { |
---|
5667 | struct sadb_x_nat_t_port *sport, *dport; |
---|
5668 | |
---|
5669 | if (mhp->extlen[SADB_X_EXT_NAT_T_SPORT] < sizeof(*sport) || |
---|
5670 | mhp->extlen[SADB_X_EXT_NAT_T_DPORT] < sizeof(*dport)) { |
---|
5671 | ipseclog((LOG_DEBUG, "%s: invalid message.\n", |
---|
5672 | __func__)); |
---|
5673 | return key_senderror(so, m, EINVAL); |
---|
5674 | } |
---|
5675 | |
---|
5676 | sport = (struct sadb_x_nat_t_port *) |
---|
5677 | mhp->ext[SADB_X_EXT_NAT_T_SPORT]; |
---|
5678 | dport = (struct sadb_x_nat_t_port *) |
---|
5679 | mhp->ext[SADB_X_EXT_NAT_T_DPORT]; |
---|
5680 | |
---|
5681 | if (sport) |
---|
5682 | KEY_PORTTOSADDR(&saidx.src, |
---|
5683 | sport->sadb_x_nat_t_port_port); |
---|
5684 | if (dport) |
---|
5685 | KEY_PORTTOSADDR(&saidx.dst, |
---|
5686 | dport->sadb_x_nat_t_port_port); |
---|
5687 | } |
---|
5688 | #endif |
---|
5689 | |
---|
5690 | /* get a SA header */ |
---|
5691 | SAHTREE_LOCK(); |
---|
5692 | LIST_FOREACH(sah, &V_sahtree, chain) { |
---|
5693 | if (sah->state == SADB_SASTATE_DEAD) |
---|
5694 | continue; |
---|
5695 | if (key_cmpsaidx(&sah->saidx, &saidx, CMP_HEAD) == 0) |
---|
5696 | continue; |
---|
5697 | |
---|
5698 | /* get a SA with SPI. */ |
---|
5699 | sav = key_getsavbyspi(sah, sa0->sadb_sa_spi); |
---|
5700 | if (sav) |
---|
5701 | break; |
---|
5702 | } |
---|
5703 | if (sah == NULL) { |
---|
5704 | SAHTREE_UNLOCK(); |
---|
5705 | ipseclog((LOG_DEBUG, "%s: no SA found.\n", __func__)); |
---|
5706 | return key_senderror(so, m, ENOENT); |
---|
5707 | } |
---|
5708 | |
---|
5709 | key_sa_chgstate(sav, SADB_SASTATE_DEAD); |
---|
5710 | KEY_FREESAV(&sav); |
---|
5711 | SAHTREE_UNLOCK(); |
---|
5712 | |
---|
5713 | { |
---|
5714 | struct mbuf *n; |
---|
5715 | struct sadb_msg *newmsg; |
---|
5716 | |
---|
5717 | /* create new sadb_msg to reply. */ |
---|
5718 | /* XXX-BZ NAT-T extensions? */ |
---|
5719 | n = key_gather_mbuf(m, mhp, 1, 4, SADB_EXT_RESERVED, |
---|
5720 | SADB_EXT_SA, SADB_EXT_ADDRESS_SRC, SADB_EXT_ADDRESS_DST); |
---|
5721 | if (!n) |
---|
5722 | return key_senderror(so, m, ENOBUFS); |
---|
5723 | |
---|
5724 | if (n->m_len < sizeof(struct sadb_msg)) { |
---|
5725 | n = m_pullup(n, sizeof(struct sadb_msg)); |
---|
5726 | if (n == NULL) |
---|
5727 | return key_senderror(so, m, ENOBUFS); |
---|
5728 | } |
---|
5729 | newmsg = mtod(n, struct sadb_msg *); |
---|
5730 | newmsg->sadb_msg_errno = 0; |
---|
5731 | newmsg->sadb_msg_len = PFKEY_UNIT64(n->m_pkthdr.len); |
---|
5732 | |
---|
5733 | m_freem(m); |
---|
5734 | return key_sendup_mbuf(so, n, KEY_SENDUP_ALL); |
---|
5735 | } |
---|
5736 | } |
---|
5737 | |
---|
5738 | /* |
---|
5739 | * delete all SAs for src/dst. Called from key_delete(). |
---|
5740 | */ |
---|
5741 | static int |
---|
5742 | key_delete_all(struct socket *so, struct mbuf *m, const struct sadb_msghdr *mhp, |
---|
5743 | u_int16_t proto) |
---|
5744 | { |
---|
5745 | struct sadb_address *src0, *dst0; |
---|
5746 | struct secasindex saidx; |
---|
5747 | struct secashead *sah; |
---|
5748 | struct secasvar *sav, *nextsav; |
---|
5749 | u_int stateidx, state; |
---|
5750 | |
---|
5751 | src0 = (struct sadb_address *)(mhp->ext[SADB_EXT_ADDRESS_SRC]); |
---|
5752 | dst0 = (struct sadb_address *)(mhp->ext[SADB_EXT_ADDRESS_DST]); |
---|
5753 | |
---|
5754 | /* XXX boundary check against sa_len */ |
---|
5755 | KEY_SETSECASIDX(proto, IPSEC_MODE_ANY, 0, src0 + 1, dst0 + 1, &saidx); |
---|
5756 | |
---|
5757 | /* |
---|
5758 | * Make sure the port numbers are zero. |
---|
5759 | * In case of NAT-T we will update them later if needed. |
---|
5760 | */ |
---|
5761 | KEY_PORTTOSADDR(&saidx.src, 0); |
---|
5762 | KEY_PORTTOSADDR(&saidx.dst, 0); |
---|
5763 | |
---|
5764 | #ifdef IPSEC_NAT_T |
---|
5765 | /* |
---|
5766 | * Handle NAT-T info if present. |
---|
5767 | */ |
---|
5768 | |
---|
5769 | if (mhp->ext[SADB_X_EXT_NAT_T_SPORT] != NULL && |
---|
5770 | mhp->ext[SADB_X_EXT_NAT_T_DPORT] != NULL) { |
---|
5771 | struct sadb_x_nat_t_port *sport, *dport; |
---|
5772 | |
---|
5773 | if (mhp->extlen[SADB_X_EXT_NAT_T_SPORT] < sizeof(*sport) || |
---|
5774 | mhp->extlen[SADB_X_EXT_NAT_T_DPORT] < sizeof(*dport)) { |
---|
5775 | ipseclog((LOG_DEBUG, "%s: invalid message.\n", |
---|
5776 | __func__)); |
---|
5777 | return key_senderror(so, m, EINVAL); |
---|
5778 | } |
---|
5779 | |
---|
5780 | sport = (struct sadb_x_nat_t_port *) |
---|
5781 | mhp->ext[SADB_X_EXT_NAT_T_SPORT]; |
---|
5782 | dport = (struct sadb_x_nat_t_port *) |
---|
5783 | mhp->ext[SADB_X_EXT_NAT_T_DPORT]; |
---|
5784 | |
---|
5785 | if (sport) |
---|
5786 | KEY_PORTTOSADDR(&saidx.src, |
---|
5787 | sport->sadb_x_nat_t_port_port); |
---|
5788 | if (dport) |
---|
5789 | KEY_PORTTOSADDR(&saidx.dst, |
---|
5790 | dport->sadb_x_nat_t_port_port); |
---|
5791 | } |
---|
5792 | #endif |
---|
5793 | |
---|
5794 | SAHTREE_LOCK(); |
---|
5795 | LIST_FOREACH(sah, &V_sahtree, chain) { |
---|
5796 | if (sah->state == SADB_SASTATE_DEAD) |
---|
5797 | continue; |
---|
5798 | if (key_cmpsaidx(&sah->saidx, &saidx, CMP_HEAD) == 0) |
---|
5799 | continue; |
---|
5800 | |
---|
5801 | /* Delete all non-LARVAL SAs. */ |
---|
5802 | for (stateidx = 0; |
---|
5803 | stateidx < _ARRAYLEN(saorder_state_alive); |
---|
5804 | stateidx++) { |
---|
5805 | state = saorder_state_alive[stateidx]; |
---|
5806 | if (state == SADB_SASTATE_LARVAL) |
---|
5807 | continue; |
---|
5808 | for (sav = LIST_FIRST(&sah->savtree[state]); |
---|
5809 | sav != NULL; sav = nextsav) { |
---|
5810 | nextsav = LIST_NEXT(sav, chain); |
---|
5811 | /* sanity check */ |
---|
5812 | if (sav->state != state) { |
---|
5813 | ipseclog((LOG_DEBUG, "%s: invalid " |
---|
5814 | "sav->state (queue %d SA %d)\n", |
---|
5815 | __func__, state, sav->state)); |
---|
5816 | continue; |
---|
5817 | } |
---|
5818 | |
---|
5819 | key_sa_chgstate(sav, SADB_SASTATE_DEAD); |
---|
5820 | KEY_FREESAV(&sav); |
---|
5821 | } |
---|
5822 | } |
---|
5823 | } |
---|
5824 | SAHTREE_UNLOCK(); |
---|
5825 | { |
---|
5826 | struct mbuf *n; |
---|
5827 | struct sadb_msg *newmsg; |
---|
5828 | |
---|
5829 | /* create new sadb_msg to reply. */ |
---|
5830 | /* XXX-BZ NAT-T extensions? */ |
---|
5831 | n = key_gather_mbuf(m, mhp, 1, 3, SADB_EXT_RESERVED, |
---|
5832 | SADB_EXT_ADDRESS_SRC, SADB_EXT_ADDRESS_DST); |
---|
5833 | if (!n) |
---|
5834 | return key_senderror(so, m, ENOBUFS); |
---|
5835 | |
---|
5836 | if (n->m_len < sizeof(struct sadb_msg)) { |
---|
5837 | n = m_pullup(n, sizeof(struct sadb_msg)); |
---|
5838 | if (n == NULL) |
---|
5839 | return key_senderror(so, m, ENOBUFS); |
---|
5840 | } |
---|
5841 | newmsg = mtod(n, struct sadb_msg *); |
---|
5842 | newmsg->sadb_msg_errno = 0; |
---|
5843 | newmsg->sadb_msg_len = PFKEY_UNIT64(n->m_pkthdr.len); |
---|
5844 | |
---|
5845 | m_freem(m); |
---|
5846 | return key_sendup_mbuf(so, n, KEY_SENDUP_ALL); |
---|
5847 | } |
---|
5848 | } |
---|
5849 | |
---|
5850 | /* |
---|
5851 | * SADB_GET processing |
---|
5852 | * receive |
---|
5853 | * <base, SA(*), address(SD)> |
---|
5854 | * from the ikmpd, and get a SP and a SA to respond, |
---|
5855 | * and send, |
---|
5856 | * <base, SA, (lifetime(HSC),) address(SD), (address(P),) key(AE), |
---|
5857 | * (identity(SD),) (sensitivity)> |
---|
5858 | * to the ikmpd. |
---|
5859 | * |
---|
5860 | * m will always be freed. |
---|
5861 | */ |
---|
5862 | static int |
---|
5863 | key_get(so, m, mhp) |
---|
5864 | struct socket *so; |
---|
5865 | struct mbuf *m; |
---|
5866 | const struct sadb_msghdr *mhp; |
---|
5867 | { |
---|
5868 | struct sadb_sa *sa0; |
---|
5869 | struct sadb_address *src0, *dst0; |
---|
5870 | struct secasindex saidx; |
---|
5871 | struct secashead *sah; |
---|
5872 | struct secasvar *sav = NULL; |
---|
5873 | u_int16_t proto; |
---|
5874 | |
---|
5875 | IPSEC_ASSERT(so != NULL, ("null socket")); |
---|
5876 | IPSEC_ASSERT(m != NULL, ("null mbuf")); |
---|
5877 | IPSEC_ASSERT(mhp != NULL, ("null msghdr")); |
---|
5878 | IPSEC_ASSERT(mhp->msg != NULL, ("null msg")); |
---|
5879 | |
---|
5880 | /* map satype to proto */ |
---|
5881 | if ((proto = key_satype2proto(mhp->msg->sadb_msg_satype)) == 0) { |
---|
5882 | ipseclog((LOG_DEBUG, "%s: invalid satype is passed.\n", |
---|
5883 | __func__)); |
---|
5884 | return key_senderror(so, m, EINVAL); |
---|
5885 | } |
---|
5886 | |
---|
5887 | if (mhp->ext[SADB_EXT_SA] == NULL || |
---|
5888 | mhp->ext[SADB_EXT_ADDRESS_SRC] == NULL || |
---|
5889 | mhp->ext[SADB_EXT_ADDRESS_DST] == NULL) { |
---|
5890 | ipseclog((LOG_DEBUG, "%s: invalid message is passed.\n", |
---|
5891 | __func__)); |
---|
5892 | return key_senderror(so, m, EINVAL); |
---|
5893 | } |
---|
5894 | if (mhp->extlen[SADB_EXT_SA] < sizeof(struct sadb_sa) || |
---|
5895 | mhp->extlen[SADB_EXT_ADDRESS_SRC] < sizeof(struct sadb_address) || |
---|
5896 | mhp->extlen[SADB_EXT_ADDRESS_DST] < sizeof(struct sadb_address)) { |
---|
5897 | ipseclog((LOG_DEBUG, "%s: invalid message is passed.\n", |
---|
5898 | __func__)); |
---|
5899 | return key_senderror(so, m, EINVAL); |
---|
5900 | } |
---|
5901 | |
---|
5902 | sa0 = (struct sadb_sa *)mhp->ext[SADB_EXT_SA]; |
---|
5903 | src0 = (struct sadb_address *)mhp->ext[SADB_EXT_ADDRESS_SRC]; |
---|
5904 | dst0 = (struct sadb_address *)mhp->ext[SADB_EXT_ADDRESS_DST]; |
---|
5905 | |
---|
5906 | /* XXX boundary check against sa_len */ |
---|
5907 | KEY_SETSECASIDX(proto, IPSEC_MODE_ANY, 0, src0 + 1, dst0 + 1, &saidx); |
---|
5908 | |
---|
5909 | /* |
---|
5910 | * Make sure the port numbers are zero. |
---|
5911 | * In case of NAT-T we will update them later if needed. |
---|
5912 | */ |
---|
5913 | KEY_PORTTOSADDR(&saidx.src, 0); |
---|
5914 | KEY_PORTTOSADDR(&saidx.dst, 0); |
---|
5915 | |
---|
5916 | #ifdef IPSEC_NAT_T |
---|
5917 | /* |
---|
5918 | * Handle NAT-T info if present. |
---|
5919 | */ |
---|
5920 | |
---|
5921 | if (mhp->ext[SADB_X_EXT_NAT_T_SPORT] != NULL && |
---|
5922 | mhp->ext[SADB_X_EXT_NAT_T_DPORT] != NULL) { |
---|
5923 | struct sadb_x_nat_t_port *sport, *dport; |
---|
5924 | |
---|
5925 | if (mhp->extlen[SADB_X_EXT_NAT_T_SPORT] < sizeof(*sport) || |
---|
5926 | mhp->extlen[SADB_X_EXT_NAT_T_DPORT] < sizeof(*dport)) { |
---|
5927 | ipseclog((LOG_DEBUG, "%s: invalid message.\n", |
---|
5928 | __func__)); |
---|
5929 | return key_senderror(so, m, EINVAL); |
---|
5930 | } |
---|
5931 | |
---|
5932 | sport = (struct sadb_x_nat_t_port *) |
---|
5933 | mhp->ext[SADB_X_EXT_NAT_T_SPORT]; |
---|
5934 | dport = (struct sadb_x_nat_t_port *) |
---|
5935 | mhp->ext[SADB_X_EXT_NAT_T_DPORT]; |
---|
5936 | |
---|
5937 | if (sport) |
---|
5938 | KEY_PORTTOSADDR(&saidx.src, |
---|
5939 | sport->sadb_x_nat_t_port_port); |
---|
5940 | if (dport) |
---|
5941 | KEY_PORTTOSADDR(&saidx.dst, |
---|
5942 | dport->sadb_x_nat_t_port_port); |
---|
5943 | } |
---|
5944 | #endif |
---|
5945 | |
---|
5946 | /* get a SA header */ |
---|
5947 | SAHTREE_LOCK(); |
---|
5948 | LIST_FOREACH(sah, &V_sahtree, chain) { |
---|
5949 | if (sah->state == SADB_SASTATE_DEAD) |
---|
5950 | continue; |
---|
5951 | if (key_cmpsaidx(&sah->saidx, &saidx, CMP_HEAD) == 0) |
---|
5952 | continue; |
---|
5953 | |
---|
5954 | /* get a SA with SPI. */ |
---|
5955 | sav = key_getsavbyspi(sah, sa0->sadb_sa_spi); |
---|
5956 | if (sav) |
---|
5957 | break; |
---|
5958 | } |
---|
5959 | SAHTREE_UNLOCK(); |
---|
5960 | if (sah == NULL) { |
---|
5961 | ipseclog((LOG_DEBUG, "%s: no SA found.\n", __func__)); |
---|
5962 | return key_senderror(so, m, ENOENT); |
---|
5963 | } |
---|
5964 | |
---|
5965 | { |
---|
5966 | struct mbuf *n; |
---|
5967 | u_int8_t satype; |
---|
5968 | |
---|
5969 | /* map proto to satype */ |
---|
5970 | if ((satype = key_proto2satype(sah->saidx.proto)) == 0) { |
---|
5971 | ipseclog((LOG_DEBUG, "%s: there was invalid proto in SAD.\n", |
---|
5972 | __func__)); |
---|
5973 | return key_senderror(so, m, EINVAL); |
---|
5974 | } |
---|
5975 | |
---|
5976 | /* create new sadb_msg to reply. */ |
---|
5977 | n = key_setdumpsa(sav, SADB_GET, satype, mhp->msg->sadb_msg_seq, |
---|
5978 | mhp->msg->sadb_msg_pid); |
---|
5979 | if (!n) |
---|
5980 | return key_senderror(so, m, ENOBUFS); |
---|
5981 | |
---|
5982 | m_freem(m); |
---|
5983 | return key_sendup_mbuf(so, n, KEY_SENDUP_ONE); |
---|
5984 | } |
---|
5985 | } |
---|
5986 | |
---|
5987 | /* XXX make it sysctl-configurable? */ |
---|
5988 | static void |
---|
5989 | key_getcomb_setlifetime(comb) |
---|
5990 | struct sadb_comb *comb; |
---|
5991 | { |
---|
5992 | |
---|
5993 | comb->sadb_comb_soft_allocations = 1; |
---|
5994 | comb->sadb_comb_hard_allocations = 1; |
---|
5995 | comb->sadb_comb_soft_bytes = 0; |
---|
5996 | comb->sadb_comb_hard_bytes = 0; |
---|
5997 | comb->sadb_comb_hard_addtime = 86400; /* 1 day */ |
---|
5998 | comb->sadb_comb_soft_addtime = comb->sadb_comb_soft_addtime * 80 / 100; |
---|
5999 | comb->sadb_comb_soft_usetime = 28800; /* 8 hours */ |
---|
6000 | comb->sadb_comb_hard_usetime = comb->sadb_comb_hard_usetime * 80 / 100; |
---|
6001 | } |
---|
6002 | |
---|
6003 | /* |
---|
6004 | * XXX reorder combinations by preference |
---|
6005 | * XXX no idea if the user wants ESP authentication or not |
---|
6006 | */ |
---|
6007 | static struct mbuf * |
---|
6008 | key_getcomb_esp() |
---|
6009 | { |
---|
6010 | struct sadb_comb *comb; |
---|
6011 | struct enc_xform *algo; |
---|
6012 | struct mbuf *result = NULL, *m, *n; |
---|
6013 | int encmin; |
---|
6014 | int i, off, o; |
---|
6015 | int totlen; |
---|
6016 | const int l = PFKEY_ALIGN8(sizeof(struct sadb_comb)); |
---|
6017 | |
---|
6018 | m = NULL; |
---|
6019 | for (i = 1; i <= SADB_EALG_MAX; i++) { |
---|
6020 | algo = esp_algorithm_lookup(i); |
---|
6021 | if (algo == NULL) |
---|
6022 | continue; |
---|
6023 | |
---|
6024 | /* discard algorithms with key size smaller than system min */ |
---|
6025 | if (_BITS(algo->maxkey) < V_ipsec_esp_keymin) |
---|
6026 | continue; |
---|
6027 | if (_BITS(algo->minkey) < V_ipsec_esp_keymin) |
---|
6028 | encmin = V_ipsec_esp_keymin; |
---|
6029 | else |
---|
6030 | encmin = _BITS(algo->minkey); |
---|
6031 | |
---|
6032 | if (V_ipsec_esp_auth) |
---|
6033 | m = key_getcomb_ah(); |
---|
6034 | else { |
---|
6035 | IPSEC_ASSERT(l <= MLEN, |
---|
6036 | ("l=%u > MLEN=%lu", l, (u_long) MLEN)); |
---|
6037 | MGET(m, M_DONTWAIT, MT_DATA); |
---|
6038 | if (m) { |
---|
6039 | M_ALIGN(m, l); |
---|
6040 | m->m_len = l; |
---|
6041 | m->m_next = NULL; |
---|
6042 | bzero(mtod(m, caddr_t), m->m_len); |
---|
6043 | } |
---|
6044 | } |
---|
6045 | if (!m) |
---|
6046 | goto fail; |
---|
6047 | |
---|
6048 | totlen = 0; |
---|
6049 | for (n = m; n; n = n->m_next) |
---|
6050 | totlen += n->m_len; |
---|
6051 | IPSEC_ASSERT((totlen % l) == 0, ("totlen=%u, l=%u", totlen, l)); |
---|
6052 | |
---|
6053 | for (off = 0; off < totlen; off += l) { |
---|
6054 | n = m_pulldown(m, off, l, &o); |
---|
6055 | if (!n) { |
---|
6056 | /* m is already freed */ |
---|
6057 | goto fail; |
---|
6058 | } |
---|
6059 | comb = (struct sadb_comb *)(mtod(n, caddr_t) + o); |
---|
6060 | bzero(comb, sizeof(*comb)); |
---|
6061 | key_getcomb_setlifetime(comb); |
---|
6062 | comb->sadb_comb_encrypt = i; |
---|
6063 | comb->sadb_comb_encrypt_minbits = encmin; |
---|
6064 | comb->sadb_comb_encrypt_maxbits = _BITS(algo->maxkey); |
---|
6065 | } |
---|
6066 | |
---|
6067 | if (!result) |
---|
6068 | result = m; |
---|
6069 | else |
---|
6070 | m_cat(result, m); |
---|
6071 | } |
---|
6072 | |
---|
6073 | return result; |
---|
6074 | |
---|
6075 | fail: |
---|
6076 | if (result) |
---|
6077 | m_freem(result); |
---|
6078 | return NULL; |
---|
6079 | } |
---|
6080 | |
---|
6081 | static void |
---|
6082 | key_getsizes_ah( |
---|
6083 | const struct auth_hash *ah, |
---|
6084 | int alg, |
---|
6085 | u_int16_t* min, |
---|
6086 | u_int16_t* max) |
---|
6087 | { |
---|
6088 | |
---|
6089 | *min = *max = ah->keysize; |
---|
6090 | if (ah->keysize == 0) { |
---|
6091 | /* |
---|
6092 | * Transform takes arbitrary key size but algorithm |
---|
6093 | * key size is restricted. Enforce this here. |
---|
6094 | */ |
---|
6095 | switch (alg) { |
---|
6096 | case SADB_X_AALG_MD5: *min = *max = 16; break; |
---|
6097 | case SADB_X_AALG_SHA: *min = *max = 20; break; |
---|
6098 | case SADB_X_AALG_NULL: *min = 1; *max = 256; break; |
---|
6099 | case SADB_X_AALG_SHA2_256: *min = *max = 32; break; |
---|
6100 | case SADB_X_AALG_SHA2_384: *min = *max = 48; break; |
---|
6101 | case SADB_X_AALG_SHA2_512: *min = *max = 64; break; |
---|
6102 | default: |
---|
6103 | DPRINTF(("%s: unknown AH algorithm %u\n", |
---|
6104 | __func__, alg)); |
---|
6105 | break; |
---|
6106 | } |
---|
6107 | } |
---|
6108 | } |
---|
6109 | |
---|
6110 | /* |
---|
6111 | * XXX reorder combinations by preference |
---|
6112 | */ |
---|
6113 | static struct mbuf * |
---|
6114 | key_getcomb_ah() |
---|
6115 | { |
---|
6116 | struct sadb_comb *comb; |
---|
6117 | struct auth_hash *algo; |
---|
6118 | struct mbuf *m; |
---|
6119 | u_int16_t minkeysize, maxkeysize; |
---|
6120 | int i; |
---|
6121 | const int l = PFKEY_ALIGN8(sizeof(struct sadb_comb)); |
---|
6122 | |
---|
6123 | m = NULL; |
---|
6124 | for (i = 1; i <= SADB_AALG_MAX; i++) { |
---|
6125 | #if 1 |
---|
6126 | /* we prefer HMAC algorithms, not old algorithms */ |
---|
6127 | if (i != SADB_AALG_SHA1HMAC && |
---|
6128 | i != SADB_AALG_MD5HMAC && |
---|
6129 | i != SADB_X_AALG_SHA2_256 && |
---|
6130 | i != SADB_X_AALG_SHA2_384 && |
---|
6131 | i != SADB_X_AALG_SHA2_512) |
---|
6132 | continue; |
---|
6133 | #endif |
---|
6134 | algo = ah_algorithm_lookup(i); |
---|
6135 | if (!algo) |
---|
6136 | continue; |
---|
6137 | key_getsizes_ah(algo, i, &minkeysize, &maxkeysize); |
---|
6138 | /* discard algorithms with key size smaller than system min */ |
---|
6139 | if (_BITS(minkeysize) < V_ipsec_ah_keymin) |
---|
6140 | continue; |
---|
6141 | |
---|
6142 | if (!m) { |
---|
6143 | IPSEC_ASSERT(l <= MLEN, |
---|
6144 | ("l=%u > MLEN=%lu", l, (u_long) MLEN)); |
---|
6145 | MGET(m, M_DONTWAIT, MT_DATA); |
---|
6146 | if (m) { |
---|
6147 | M_ALIGN(m, l); |
---|
6148 | m->m_len = l; |
---|
6149 | m->m_next = NULL; |
---|
6150 | } |
---|
6151 | } else |
---|
6152 | M_PREPEND(m, l, M_DONTWAIT); |
---|
6153 | if (!m) |
---|
6154 | return NULL; |
---|
6155 | |
---|
6156 | comb = mtod(m, struct sadb_comb *); |
---|
6157 | bzero(comb, sizeof(*comb)); |
---|
6158 | key_getcomb_setlifetime(comb); |
---|
6159 | comb->sadb_comb_auth = i; |
---|
6160 | comb->sadb_comb_auth_minbits = _BITS(minkeysize); |
---|
6161 | comb->sadb_comb_auth_maxbits = _BITS(maxkeysize); |
---|
6162 | } |
---|
6163 | |
---|
6164 | return m; |
---|
6165 | } |
---|
6166 | |
---|
6167 | /* |
---|
6168 | * not really an official behavior. discussed in pf_key@inner.net in Sep2000. |
---|
6169 | * XXX reorder combinations by preference |
---|
6170 | */ |
---|
6171 | static struct mbuf * |
---|
6172 | key_getcomb_ipcomp() |
---|
6173 | { |
---|
6174 | struct sadb_comb *comb; |
---|
6175 | struct comp_algo *algo; |
---|
6176 | struct mbuf *m; |
---|
6177 | int i; |
---|
6178 | const int l = PFKEY_ALIGN8(sizeof(struct sadb_comb)); |
---|
6179 | |
---|
6180 | m = NULL; |
---|
6181 | for (i = 1; i <= SADB_X_CALG_MAX; i++) { |
---|
6182 | algo = ipcomp_algorithm_lookup(i); |
---|
6183 | if (!algo) |
---|
6184 | continue; |
---|
6185 | |
---|
6186 | if (!m) { |
---|
6187 | IPSEC_ASSERT(l <= MLEN, |
---|
6188 | ("l=%u > MLEN=%lu", l, (u_long) MLEN)); |
---|
6189 | MGET(m, M_DONTWAIT, MT_DATA); |
---|
6190 | if (m) { |
---|
6191 | M_ALIGN(m, l); |
---|
6192 | m->m_len = l; |
---|
6193 | m->m_next = NULL; |
---|
6194 | } |
---|
6195 | } else |
---|
6196 | M_PREPEND(m, l, M_DONTWAIT); |
---|
6197 | if (!m) |
---|
6198 | return NULL; |
---|
6199 | |
---|
6200 | comb = mtod(m, struct sadb_comb *); |
---|
6201 | bzero(comb, sizeof(*comb)); |
---|
6202 | key_getcomb_setlifetime(comb); |
---|
6203 | comb->sadb_comb_encrypt = i; |
---|
6204 | /* what should we set into sadb_comb_*_{min,max}bits? */ |
---|
6205 | } |
---|
6206 | |
---|
6207 | return m; |
---|
6208 | } |
---|
6209 | |
---|
6210 | /* |
---|
6211 | * XXX no way to pass mode (transport/tunnel) to userland |
---|
6212 | * XXX replay checking? |
---|
6213 | * XXX sysctl interface to ipsec_{ah,esp}_keymin |
---|
6214 | */ |
---|
6215 | static struct mbuf * |
---|
6216 | key_getprop(saidx) |
---|
6217 | const struct secasindex *saidx; |
---|
6218 | { |
---|
6219 | struct sadb_prop *prop; |
---|
6220 | struct mbuf *m, *n; |
---|
6221 | const int l = PFKEY_ALIGN8(sizeof(struct sadb_prop)); |
---|
6222 | int totlen; |
---|
6223 | |
---|
6224 | switch (saidx->proto) { |
---|
6225 | case IPPROTO_ESP: |
---|
6226 | m = key_getcomb_esp(); |
---|
6227 | break; |
---|
6228 | case IPPROTO_AH: |
---|
6229 | m = key_getcomb_ah(); |
---|
6230 | break; |
---|
6231 | case IPPROTO_IPCOMP: |
---|
6232 | m = key_getcomb_ipcomp(); |
---|
6233 | break; |
---|
6234 | default: |
---|
6235 | return NULL; |
---|
6236 | } |
---|
6237 | |
---|
6238 | if (!m) |
---|
6239 | return NULL; |
---|
6240 | M_PREPEND(m, l, M_DONTWAIT); |
---|
6241 | if (!m) |
---|
6242 | return NULL; |
---|
6243 | |
---|
6244 | totlen = 0; |
---|
6245 | for (n = m; n; n = n->m_next) |
---|
6246 | totlen += n->m_len; |
---|
6247 | |
---|
6248 | prop = mtod(m, struct sadb_prop *); |
---|
6249 | bzero(prop, sizeof(*prop)); |
---|
6250 | prop->sadb_prop_len = PFKEY_UNIT64(totlen); |
---|
6251 | prop->sadb_prop_exttype = SADB_EXT_PROPOSAL; |
---|
6252 | prop->sadb_prop_replay = 32; /* XXX */ |
---|
6253 | |
---|
6254 | return m; |
---|
6255 | } |
---|
6256 | |
---|
6257 | /* |
---|
6258 | * SADB_ACQUIRE processing called by key_checkrequest() and key_acquire2(). |
---|
6259 | * send |
---|
6260 | * <base, SA, address(SD), (address(P)), x_policy, |
---|
6261 | * (identity(SD),) (sensitivity,) proposal> |
---|
6262 | * to KMD, and expect to receive |
---|
6263 | * <base> with SADB_ACQUIRE if error occured, |
---|
6264 | * or |
---|
6265 | * <base, src address, dst address, (SPI range)> with SADB_GETSPI |
---|
6266 | * from KMD by PF_KEY. |
---|
6267 | * |
---|
6268 | * XXX x_policy is outside of RFC2367 (KAME extension). |
---|
6269 | * XXX sensitivity is not supported. |
---|
6270 | * XXX for ipcomp, RFC2367 does not define how to fill in proposal. |
---|
6271 | * see comment for key_getcomb_ipcomp(). |
---|
6272 | * |
---|
6273 | * OUT: |
---|
6274 | * 0 : succeed |
---|
6275 | * others: error number |
---|
6276 | */ |
---|
6277 | static int |
---|
6278 | key_acquire(const struct secasindex *saidx, struct secpolicy *sp) |
---|
6279 | { |
---|
6280 | struct mbuf *result = NULL, *m; |
---|
6281 | struct secacq *newacq; |
---|
6282 | u_int8_t satype; |
---|
6283 | int error = -1; |
---|
6284 | u_int32_t seq; |
---|
6285 | |
---|
6286 | IPSEC_ASSERT(saidx != NULL, ("null saidx")); |
---|
6287 | satype = key_proto2satype(saidx->proto); |
---|
6288 | IPSEC_ASSERT(satype != 0, ("null satype, protocol %u", saidx->proto)); |
---|
6289 | |
---|
6290 | /* |
---|
6291 | * We never do anything about acquirng SA. There is anather |
---|
6292 | * solution that kernel blocks to send SADB_ACQUIRE message until |
---|
6293 | * getting something message from IKEd. In later case, to be |
---|
6294 | * managed with ACQUIRING list. |
---|
6295 | */ |
---|
6296 | /* Get an entry to check whether sending message or not. */ |
---|
6297 | if ((newacq = key_getacq(saidx)) != NULL) { |
---|
6298 | if (V_key_blockacq_count < newacq->count) { |
---|
6299 | /* reset counter and do send message. */ |
---|
6300 | newacq->count = 0; |
---|
6301 | } else { |
---|
6302 | /* increment counter and do nothing. */ |
---|
6303 | newacq->count++; |
---|
6304 | return 0; |
---|
6305 | } |
---|
6306 | } else { |
---|
6307 | /* make new entry for blocking to send SADB_ACQUIRE. */ |
---|
6308 | if ((newacq = key_newacq(saidx)) == NULL) |
---|
6309 | return ENOBUFS; |
---|
6310 | } |
---|
6311 | |
---|
6312 | |
---|
6313 | seq = newacq->seq; |
---|
6314 | m = key_setsadbmsg(SADB_ACQUIRE, 0, satype, seq, 0, 0); |
---|
6315 | if (!m) { |
---|
6316 | error = ENOBUFS; |
---|
6317 | goto fail; |
---|
6318 | } |
---|
6319 | result = m; |
---|
6320 | |
---|
6321 | /* |
---|
6322 | * No SADB_X_EXT_NAT_T_* here: we do not know |
---|
6323 | * anything related to NAT-T at this time. |
---|
6324 | */ |
---|
6325 | |
---|
6326 | /* set sadb_address for saidx's. */ |
---|
6327 | m = key_setsadbaddr(SADB_EXT_ADDRESS_SRC, |
---|
6328 | &saidx->src.sa, FULLMASK, IPSEC_ULPROTO_ANY); |
---|
6329 | if (!m) { |
---|
6330 | error = ENOBUFS; |
---|
6331 | goto fail; |
---|
6332 | } |
---|
6333 | m_cat(result, m); |
---|
6334 | |
---|
6335 | m = key_setsadbaddr(SADB_EXT_ADDRESS_DST, |
---|
6336 | &saidx->dst.sa, FULLMASK, IPSEC_ULPROTO_ANY); |
---|
6337 | if (!m) { |
---|
6338 | error = ENOBUFS; |
---|
6339 | goto fail; |
---|
6340 | } |
---|
6341 | m_cat(result, m); |
---|
6342 | |
---|
6343 | /* XXX proxy address (optional) */ |
---|
6344 | |
---|
6345 | /* set sadb_x_policy */ |
---|
6346 | if (sp) { |
---|
6347 | m = key_setsadbxpolicy(sp->policy, sp->spidx.dir, sp->id); |
---|
6348 | if (!m) { |
---|
6349 | error = ENOBUFS; |
---|
6350 | goto fail; |
---|
6351 | } |
---|
6352 | m_cat(result, m); |
---|
6353 | } |
---|
6354 | |
---|
6355 | /* XXX identity (optional) */ |
---|
6356 | #if 0 |
---|
6357 | if (idexttype && fqdn) { |
---|
6358 | /* create identity extension (FQDN) */ |
---|
6359 | struct sadb_ident *id; |
---|
6360 | int fqdnlen; |
---|
6361 | |
---|
6362 | fqdnlen = strlen(fqdn) + 1; /* +1 for terminating-NUL */ |
---|
6363 | id = (struct sadb_ident *)p; |
---|
6364 | bzero(id, sizeof(*id) + PFKEY_ALIGN8(fqdnlen)); |
---|
6365 | id->sadb_ident_len = PFKEY_UNIT64(sizeof(*id) + PFKEY_ALIGN8(fqdnlen)); |
---|
6366 | id->sadb_ident_exttype = idexttype; |
---|
6367 | id->sadb_ident_type = SADB_IDENTTYPE_FQDN; |
---|
6368 | bcopy(fqdn, id + 1, fqdnlen); |
---|
6369 | p += sizeof(struct sadb_ident) + PFKEY_ALIGN8(fqdnlen); |
---|
6370 | } |
---|
6371 | |
---|
6372 | if (idexttype) { |
---|
6373 | /* create identity extension (USERFQDN) */ |
---|
6374 | struct sadb_ident *id; |
---|
6375 | int userfqdnlen; |
---|
6376 | |
---|
6377 | if (userfqdn) { |
---|
6378 | /* +1 for terminating-NUL */ |
---|
6379 | userfqdnlen = strlen(userfqdn) + 1; |
---|
6380 | } else |
---|
6381 | userfqdnlen = 0; |
---|
6382 | id = (struct sadb_ident *)p; |
---|
6383 | bzero(id, sizeof(*id) + PFKEY_ALIGN8(userfqdnlen)); |
---|
6384 | id->sadb_ident_len = PFKEY_UNIT64(sizeof(*id) + PFKEY_ALIGN8(userfqdnlen)); |
---|
6385 | id->sadb_ident_exttype = idexttype; |
---|
6386 | id->sadb_ident_type = SADB_IDENTTYPE_USERFQDN; |
---|
6387 | /* XXX is it correct? */ |
---|
6388 | if (curproc && curproc->p_cred) |
---|
6389 | id->sadb_ident_id = curproc->p_cred->p_ruid; |
---|
6390 | if (userfqdn && userfqdnlen) |
---|
6391 | bcopy(userfqdn, id + 1, userfqdnlen); |
---|
6392 | p += sizeof(struct sadb_ident) + PFKEY_ALIGN8(userfqdnlen); |
---|
6393 | } |
---|
6394 | #endif |
---|
6395 | |
---|
6396 | /* XXX sensitivity (optional) */ |
---|
6397 | |
---|
6398 | /* create proposal/combination extension */ |
---|
6399 | m = key_getprop(saidx); |
---|
6400 | #if 0 |
---|
6401 | /* |
---|
6402 | * spec conformant: always attach proposal/combination extension, |
---|
6403 | * the problem is that we have no way to attach it for ipcomp, |
---|
6404 | * due to the way sadb_comb is declared in RFC2367. |
---|
6405 | */ |
---|
6406 | if (!m) { |
---|
6407 | error = ENOBUFS; |
---|
6408 | goto fail; |
---|
6409 | } |
---|
6410 | m_cat(result, m); |
---|
6411 | #else |
---|
6412 | /* |
---|
6413 | * outside of spec; make proposal/combination extension optional. |
---|
6414 | */ |
---|
6415 | if (m) |
---|
6416 | m_cat(result, m); |
---|
6417 | #endif |
---|
6418 | |
---|
6419 | if ((result->m_flags & M_PKTHDR) == 0) { |
---|
6420 | error = EINVAL; |
---|
6421 | goto fail; |
---|
6422 | } |
---|
6423 | |
---|
6424 | if (result->m_len < sizeof(struct sadb_msg)) { |
---|
6425 | result = m_pullup(result, sizeof(struct sadb_msg)); |
---|
6426 | if (result == NULL) { |
---|
6427 | error = ENOBUFS; |
---|
6428 | goto fail; |
---|
6429 | } |
---|
6430 | } |
---|
6431 | |
---|
6432 | result->m_pkthdr.len = 0; |
---|
6433 | for (m = result; m; m = m->m_next) |
---|
6434 | result->m_pkthdr.len += m->m_len; |
---|
6435 | |
---|
6436 | mtod(result, struct sadb_msg *)->sadb_msg_len = |
---|
6437 | PFKEY_UNIT64(result->m_pkthdr.len); |
---|
6438 | |
---|
6439 | return key_sendup_mbuf(NULL, result, KEY_SENDUP_REGISTERED); |
---|
6440 | |
---|
6441 | fail: |
---|
6442 | if (result) |
---|
6443 | m_freem(result); |
---|
6444 | return error; |
---|
6445 | } |
---|
6446 | |
---|
6447 | static struct secacq * |
---|
6448 | key_newacq(const struct secasindex *saidx) |
---|
6449 | { |
---|
6450 | struct secacq *newacq; |
---|
6451 | |
---|
6452 | /* get new entry */ |
---|
6453 | newacq = malloc(sizeof(struct secacq), M_IPSEC_SAQ, M_NOWAIT|M_ZERO); |
---|
6454 | if (newacq == NULL) { |
---|
6455 | ipseclog((LOG_DEBUG, "%s: No more memory.\n", __func__)); |
---|
6456 | return NULL; |
---|
6457 | } |
---|
6458 | |
---|
6459 | /* copy secindex */ |
---|
6460 | bcopy(saidx, &newacq->saidx, sizeof(newacq->saidx)); |
---|
6461 | newacq->seq = (V_acq_seq == ~0 ? 1 : ++V_acq_seq); |
---|
6462 | newacq->created = time_second; |
---|
6463 | newacq->count = 0; |
---|
6464 | |
---|
6465 | /* add to acqtree */ |
---|
6466 | ACQ_LOCK(); |
---|
6467 | LIST_INSERT_HEAD(&V_acqtree, newacq, chain); |
---|
6468 | ACQ_UNLOCK(); |
---|
6469 | |
---|
6470 | return newacq; |
---|
6471 | } |
---|
6472 | |
---|
6473 | static struct secacq * |
---|
6474 | key_getacq(const struct secasindex *saidx) |
---|
6475 | { |
---|
6476 | struct secacq *acq; |
---|
6477 | |
---|
6478 | ACQ_LOCK(); |
---|
6479 | LIST_FOREACH(acq, &V_acqtree, chain) { |
---|
6480 | if (key_cmpsaidx(saidx, &acq->saidx, CMP_EXACTLY)) |
---|
6481 | break; |
---|
6482 | } |
---|
6483 | ACQ_UNLOCK(); |
---|
6484 | |
---|
6485 | return acq; |
---|
6486 | } |
---|
6487 | |
---|
6488 | static struct secacq * |
---|
6489 | key_getacqbyseq(seq) |
---|
6490 | u_int32_t seq; |
---|
6491 | { |
---|
6492 | struct secacq *acq; |
---|
6493 | |
---|
6494 | ACQ_LOCK(); |
---|
6495 | LIST_FOREACH(acq, &V_acqtree, chain) { |
---|
6496 | if (acq->seq == seq) |
---|
6497 | break; |
---|
6498 | } |
---|
6499 | ACQ_UNLOCK(); |
---|
6500 | |
---|
6501 | return acq; |
---|
6502 | } |
---|
6503 | |
---|
6504 | static struct secspacq * |
---|
6505 | key_newspacq(spidx) |
---|
6506 | struct secpolicyindex *spidx; |
---|
6507 | { |
---|
6508 | struct secspacq *acq; |
---|
6509 | |
---|
6510 | /* get new entry */ |
---|
6511 | acq = malloc(sizeof(struct secspacq), M_IPSEC_SAQ, M_NOWAIT|M_ZERO); |
---|
6512 | if (acq == NULL) { |
---|
6513 | ipseclog((LOG_DEBUG, "%s: No more memory.\n", __func__)); |
---|
6514 | return NULL; |
---|
6515 | } |
---|
6516 | |
---|
6517 | /* copy secindex */ |
---|
6518 | bcopy(spidx, &acq->spidx, sizeof(acq->spidx)); |
---|
6519 | acq->created = time_second; |
---|
6520 | acq->count = 0; |
---|
6521 | |
---|
6522 | /* add to spacqtree */ |
---|
6523 | SPACQ_LOCK(); |
---|
6524 | LIST_INSERT_HEAD(&V_spacqtree, acq, chain); |
---|
6525 | SPACQ_UNLOCK(); |
---|
6526 | |
---|
6527 | return acq; |
---|
6528 | } |
---|
6529 | |
---|
6530 | static struct secspacq * |
---|
6531 | key_getspacq(spidx) |
---|
6532 | struct secpolicyindex *spidx; |
---|
6533 | { |
---|
6534 | struct secspacq *acq; |
---|
6535 | |
---|
6536 | SPACQ_LOCK(); |
---|
6537 | LIST_FOREACH(acq, &V_spacqtree, chain) { |
---|
6538 | if (key_cmpspidx_exactly(spidx, &acq->spidx)) { |
---|
6539 | /* NB: return holding spacq_lock */ |
---|
6540 | return acq; |
---|
6541 | } |
---|
6542 | } |
---|
6543 | SPACQ_UNLOCK(); |
---|
6544 | |
---|
6545 | return NULL; |
---|
6546 | } |
---|
6547 | |
---|
6548 | /* |
---|
6549 | * SADB_ACQUIRE processing, |
---|
6550 | * in first situation, is receiving |
---|
6551 | * <base> |
---|
6552 | * from the ikmpd, and clear sequence of its secasvar entry. |
---|
6553 | * |
---|
6554 | * In second situation, is receiving |
---|
6555 | * <base, address(SD), (address(P),) (identity(SD),) (sensitivity,) proposal> |
---|
6556 | * from a user land process, and return |
---|
6557 | * <base, address(SD), (address(P),) (identity(SD),) (sensitivity,) proposal> |
---|
6558 | * to the socket. |
---|
6559 | * |
---|
6560 | * m will always be freed. |
---|
6561 | */ |
---|
6562 | static int |
---|
6563 | key_acquire2(so, m, mhp) |
---|
6564 | struct socket *so; |
---|
6565 | struct mbuf *m; |
---|
6566 | const struct sadb_msghdr *mhp; |
---|
6567 | { |
---|
6568 | const struct sadb_address *src0, *dst0; |
---|
6569 | struct secasindex saidx; |
---|
6570 | struct secashead *sah; |
---|
6571 | u_int16_t proto; |
---|
6572 | int error; |
---|
6573 | |
---|
6574 | IPSEC_ASSERT(so != NULL, ("null socket")); |
---|
6575 | IPSEC_ASSERT(m != NULL, ("null mbuf")); |
---|
6576 | IPSEC_ASSERT(mhp != NULL, ("null msghdr")); |
---|
6577 | IPSEC_ASSERT(mhp->msg != NULL, ("null msg")); |
---|
6578 | |
---|
6579 | /* |
---|
6580 | * Error message from KMd. |
---|
6581 | * We assume that if error was occured in IKEd, the length of PFKEY |
---|
6582 | * message is equal to the size of sadb_msg structure. |
---|
6583 | * We do not raise error even if error occured in this function. |
---|
6584 | */ |
---|
6585 | if (mhp->msg->sadb_msg_len == PFKEY_UNIT64(sizeof(struct sadb_msg))) { |
---|
6586 | struct secacq *acq; |
---|
6587 | |
---|
6588 | /* check sequence number */ |
---|
6589 | if (mhp->msg->sadb_msg_seq == 0) { |
---|
6590 | ipseclog((LOG_DEBUG, "%s: must specify sequence " |
---|
6591 | "number.\n", __func__)); |
---|
6592 | m_freem(m); |
---|
6593 | return 0; |
---|
6594 | } |
---|
6595 | |
---|
6596 | if ((acq = key_getacqbyseq(mhp->msg->sadb_msg_seq)) == NULL) { |
---|
6597 | /* |
---|
6598 | * the specified larval SA is already gone, or we got |
---|
6599 | * a bogus sequence number. we can silently ignore it. |
---|
6600 | */ |
---|
6601 | m_freem(m); |
---|
6602 | return 0; |
---|
6603 | } |
---|
6604 | |
---|
6605 | /* reset acq counter in order to deletion by timehander. */ |
---|
6606 | acq->created = time_second; |
---|
6607 | acq->count = 0; |
---|
6608 | m_freem(m); |
---|
6609 | return 0; |
---|
6610 | } |
---|
6611 | |
---|
6612 | /* |
---|
6613 | * This message is from user land. |
---|
6614 | */ |
---|
6615 | |
---|
6616 | /* map satype to proto */ |
---|
6617 | if ((proto = key_satype2proto(mhp->msg->sadb_msg_satype)) == 0) { |
---|
6618 | ipseclog((LOG_DEBUG, "%s: invalid satype is passed.\n", |
---|
6619 | __func__)); |
---|
6620 | return key_senderror(so, m, EINVAL); |
---|
6621 | } |
---|
6622 | |
---|
6623 | if (mhp->ext[SADB_EXT_ADDRESS_SRC] == NULL || |
---|
6624 | mhp->ext[SADB_EXT_ADDRESS_DST] == NULL || |
---|
6625 | mhp->ext[SADB_EXT_PROPOSAL] == NULL) { |
---|
6626 | /* error */ |
---|
6627 | ipseclog((LOG_DEBUG, "%s: invalid message is passed.\n", |
---|
6628 | __func__)); |
---|
6629 | return key_senderror(so, m, EINVAL); |
---|
6630 | } |
---|
6631 | if (mhp->extlen[SADB_EXT_ADDRESS_SRC] < sizeof(struct sadb_address) || |
---|
6632 | mhp->extlen[SADB_EXT_ADDRESS_DST] < sizeof(struct sadb_address) || |
---|
6633 | mhp->extlen[SADB_EXT_PROPOSAL] < sizeof(struct sadb_prop)) { |
---|
6634 | /* error */ |
---|
6635 | ipseclog((LOG_DEBUG, "%s: invalid message is passed.\n", |
---|
6636 | __func__)); |
---|
6637 | return key_senderror(so, m, EINVAL); |
---|
6638 | } |
---|
6639 | |
---|
6640 | src0 = (struct sadb_address *)mhp->ext[SADB_EXT_ADDRESS_SRC]; |
---|
6641 | dst0 = (struct sadb_address *)mhp->ext[SADB_EXT_ADDRESS_DST]; |
---|
6642 | |
---|
6643 | /* XXX boundary check against sa_len */ |
---|
6644 | KEY_SETSECASIDX(proto, IPSEC_MODE_ANY, 0, src0 + 1, dst0 + 1, &saidx); |
---|
6645 | |
---|
6646 | /* |
---|
6647 | * Make sure the port numbers are zero. |
---|
6648 | * In case of NAT-T we will update them later if needed. |
---|
6649 | */ |
---|
6650 | KEY_PORTTOSADDR(&saidx.src, 0); |
---|
6651 | KEY_PORTTOSADDR(&saidx.dst, 0); |
---|
6652 | |
---|
6653 | #ifndef IPSEC_NAT_T |
---|
6654 | /* |
---|
6655 | * Handle NAT-T info if present. |
---|
6656 | */ |
---|
6657 | |
---|
6658 | if (mhp->ext[SADB_X_EXT_NAT_T_SPORT] != NULL && |
---|
6659 | mhp->ext[SADB_X_EXT_NAT_T_DPORT] != NULL) { |
---|
6660 | struct sadb_x_nat_t_port *sport, *dport; |
---|
6661 | |
---|
6662 | if (mhp->extlen[SADB_X_EXT_NAT_T_SPORT] < sizeof(*sport) || |
---|
6663 | mhp->extlen[SADB_X_EXT_NAT_T_DPORT] < sizeof(*dport)) { |
---|
6664 | ipseclog((LOG_DEBUG, "%s: invalid message.\n", |
---|
6665 | __func__)); |
---|
6666 | return key_senderror(so, m, EINVAL); |
---|
6667 | } |
---|
6668 | |
---|
6669 | sport = (struct sadb_x_nat_t_port *) |
---|
6670 | mhp->ext[SADB_X_EXT_NAT_T_SPORT]; |
---|
6671 | dport = (struct sadb_x_nat_t_port *) |
---|
6672 | mhp->ext[SADB_X_EXT_NAT_T_DPORT]; |
---|
6673 | |
---|
6674 | if (sport) |
---|
6675 | KEY_PORTTOSADDR(&saidx.src, |
---|
6676 | sport->sadb_x_nat_t_port_port); |
---|
6677 | if (dport) |
---|
6678 | KEY_PORTTOSADDR(&saidx.dst, |
---|
6679 | dport->sadb_x_nat_t_port_port); |
---|
6680 | } |
---|
6681 | #endif |
---|
6682 | |
---|
6683 | /* get a SA index */ |
---|
6684 | SAHTREE_LOCK(); |
---|
6685 | LIST_FOREACH(sah, &V_sahtree, chain) { |
---|
6686 | if (sah->state == SADB_SASTATE_DEAD) |
---|
6687 | continue; |
---|
6688 | if (key_cmpsaidx(&sah->saidx, &saidx, CMP_MODE_REQID)) |
---|
6689 | break; |
---|
6690 | } |
---|
6691 | SAHTREE_UNLOCK(); |
---|
6692 | if (sah != NULL) { |
---|
6693 | ipseclog((LOG_DEBUG, "%s: a SA exists already.\n", __func__)); |
---|
6694 | return key_senderror(so, m, EEXIST); |
---|
6695 | } |
---|
6696 | |
---|
6697 | error = key_acquire(&saidx, NULL); |
---|
6698 | if (error != 0) { |
---|
6699 | ipseclog((LOG_DEBUG, "%s: error %d returned from key_acquire\n", |
---|
6700 | __func__, mhp->msg->sadb_msg_errno)); |
---|
6701 | return key_senderror(so, m, error); |
---|
6702 | } |
---|
6703 | |
---|
6704 | return key_sendup_mbuf(so, m, KEY_SENDUP_REGISTERED); |
---|
6705 | } |
---|
6706 | |
---|
6707 | /* |
---|
6708 | * SADB_REGISTER processing. |
---|
6709 | * If SATYPE_UNSPEC has been passed as satype, only return sabd_supported. |
---|
6710 | * receive |
---|
6711 | * <base> |
---|
6712 | * from the ikmpd, and register a socket to send PF_KEY messages, |
---|
6713 | * and send |
---|
6714 | * <base, supported> |
---|
6715 | * to KMD by PF_KEY. |
---|
6716 | * If socket is detached, must free from regnode. |
---|
6717 | * |
---|
6718 | * m will always be freed. |
---|
6719 | */ |
---|
6720 | static int |
---|
6721 | key_register(so, m, mhp) |
---|
6722 | struct socket *so; |
---|
6723 | struct mbuf *m; |
---|
6724 | const struct sadb_msghdr *mhp; |
---|
6725 | { |
---|
6726 | struct secreg *reg, *newreg = 0; |
---|
6727 | |
---|
6728 | IPSEC_ASSERT(so != NULL, ("null socket")); |
---|
6729 | IPSEC_ASSERT(m != NULL, ("null mbuf")); |
---|
6730 | IPSEC_ASSERT(mhp != NULL, ("null msghdr")); |
---|
6731 | IPSEC_ASSERT(mhp->msg != NULL, ("null msg")); |
---|
6732 | |
---|
6733 | /* check for invalid register message */ |
---|
6734 | if (mhp->msg->sadb_msg_satype >= sizeof(V_regtree)/sizeof(V_regtree[0])) |
---|
6735 | return key_senderror(so, m, EINVAL); |
---|
6736 | |
---|
6737 | /* When SATYPE_UNSPEC is specified, only return sabd_supported. */ |
---|
6738 | if (mhp->msg->sadb_msg_satype == SADB_SATYPE_UNSPEC) |
---|
6739 | goto setmsg; |
---|
6740 | |
---|
6741 | /* check whether existing or not */ |
---|
6742 | REGTREE_LOCK(); |
---|
6743 | LIST_FOREACH(reg, &V_regtree[mhp->msg->sadb_msg_satype], chain) { |
---|
6744 | if (reg->so == so) { |
---|
6745 | REGTREE_UNLOCK(); |
---|
6746 | ipseclog((LOG_DEBUG, "%s: socket exists already.\n", |
---|
6747 | __func__)); |
---|
6748 | return key_senderror(so, m, EEXIST); |
---|
6749 | } |
---|
6750 | } |
---|
6751 | |
---|
6752 | /* create regnode */ |
---|
6753 | newreg = malloc(sizeof(struct secreg), M_IPSEC_SAR, M_NOWAIT|M_ZERO); |
---|
6754 | if (newreg == NULL) { |
---|
6755 | REGTREE_UNLOCK(); |
---|
6756 | ipseclog((LOG_DEBUG, "%s: No more memory.\n", __func__)); |
---|
6757 | return key_senderror(so, m, ENOBUFS); |
---|
6758 | } |
---|
6759 | |
---|
6760 | newreg->so = so; |
---|
6761 | ((struct keycb *)sotorawcb(so))->kp_registered++; |
---|
6762 | |
---|
6763 | /* add regnode to regtree. */ |
---|
6764 | LIST_INSERT_HEAD(&V_regtree[mhp->msg->sadb_msg_satype], newreg, chain); |
---|
6765 | REGTREE_UNLOCK(); |
---|
6766 | |
---|
6767 | setmsg: |
---|
6768 | { |
---|
6769 | struct mbuf *n; |
---|
6770 | struct sadb_msg *newmsg; |
---|
6771 | struct sadb_supported *sup; |
---|
6772 | u_int len, alen, elen; |
---|
6773 | int off; |
---|
6774 | int i; |
---|
6775 | struct sadb_alg *alg; |
---|
6776 | |
---|
6777 | /* create new sadb_msg to reply. */ |
---|
6778 | alen = 0; |
---|
6779 | for (i = 1; i <= SADB_AALG_MAX; i++) { |
---|
6780 | if (ah_algorithm_lookup(i)) |
---|
6781 | alen += sizeof(struct sadb_alg); |
---|
6782 | } |
---|
6783 | if (alen) |
---|
6784 | alen += sizeof(struct sadb_supported); |
---|
6785 | elen = 0; |
---|
6786 | for (i = 1; i <= SADB_EALG_MAX; i++) { |
---|
6787 | if (esp_algorithm_lookup(i)) |
---|
6788 | elen += sizeof(struct sadb_alg); |
---|
6789 | } |
---|
6790 | if (elen) |
---|
6791 | elen += sizeof(struct sadb_supported); |
---|
6792 | |
---|
6793 | len = sizeof(struct sadb_msg) + alen + elen; |
---|
6794 | |
---|
6795 | if (len > MCLBYTES) |
---|
6796 | return key_senderror(so, m, ENOBUFS); |
---|
6797 | |
---|
6798 | MGETHDR(n, M_DONTWAIT, MT_DATA); |
---|
6799 | if (len > MHLEN) { |
---|
6800 | MCLGET(n, M_DONTWAIT); |
---|
6801 | if ((n->m_flags & M_EXT) == 0) { |
---|
6802 | m_freem(n); |
---|
6803 | n = NULL; |
---|
6804 | } |
---|
6805 | } |
---|
6806 | if (!n) |
---|
6807 | return key_senderror(so, m, ENOBUFS); |
---|
6808 | |
---|
6809 | n->m_pkthdr.len = n->m_len = len; |
---|
6810 | n->m_next = NULL; |
---|
6811 | off = 0; |
---|
6812 | |
---|
6813 | m_copydata(m, 0, sizeof(struct sadb_msg), mtod(n, caddr_t) + off); |
---|
6814 | newmsg = mtod(n, struct sadb_msg *); |
---|
6815 | newmsg->sadb_msg_errno = 0; |
---|
6816 | newmsg->sadb_msg_len = PFKEY_UNIT64(len); |
---|
6817 | off += PFKEY_ALIGN8(sizeof(struct sadb_msg)); |
---|
6818 | |
---|
6819 | /* for authentication algorithm */ |
---|
6820 | if (alen) { |
---|
6821 | sup = (struct sadb_supported *)(mtod(n, caddr_t) + off); |
---|
6822 | sup->sadb_supported_len = PFKEY_UNIT64(alen); |
---|
6823 | sup->sadb_supported_exttype = SADB_EXT_SUPPORTED_AUTH; |
---|
6824 | off += PFKEY_ALIGN8(sizeof(*sup)); |
---|
6825 | |
---|
6826 | for (i = 1; i <= SADB_AALG_MAX; i++) { |
---|
6827 | struct auth_hash *aalgo; |
---|
6828 | u_int16_t minkeysize, maxkeysize; |
---|
6829 | |
---|
6830 | aalgo = ah_algorithm_lookup(i); |
---|
6831 | if (!aalgo) |
---|
6832 | continue; |
---|
6833 | alg = (struct sadb_alg *)(mtod(n, caddr_t) + off); |
---|
6834 | alg->sadb_alg_id = i; |
---|
6835 | alg->sadb_alg_ivlen = 0; |
---|
6836 | key_getsizes_ah(aalgo, i, &minkeysize, &maxkeysize); |
---|
6837 | alg->sadb_alg_minbits = _BITS(minkeysize); |
---|
6838 | alg->sadb_alg_maxbits = _BITS(maxkeysize); |
---|
6839 | off += PFKEY_ALIGN8(sizeof(*alg)); |
---|
6840 | } |
---|
6841 | } |
---|
6842 | |
---|
6843 | /* for encryption algorithm */ |
---|
6844 | if (elen) { |
---|
6845 | sup = (struct sadb_supported *)(mtod(n, caddr_t) + off); |
---|
6846 | sup->sadb_supported_len = PFKEY_UNIT64(elen); |
---|
6847 | sup->sadb_supported_exttype = SADB_EXT_SUPPORTED_ENCRYPT; |
---|
6848 | off += PFKEY_ALIGN8(sizeof(*sup)); |
---|
6849 | |
---|
6850 | for (i = 1; i <= SADB_EALG_MAX; i++) { |
---|
6851 | struct enc_xform *ealgo; |
---|
6852 | |
---|
6853 | ealgo = esp_algorithm_lookup(i); |
---|
6854 | if (!ealgo) |
---|
6855 | continue; |
---|
6856 | alg = (struct sadb_alg *)(mtod(n, caddr_t) + off); |
---|
6857 | alg->sadb_alg_id = i; |
---|
6858 | alg->sadb_alg_ivlen = ealgo->blocksize; |
---|
6859 | alg->sadb_alg_minbits = _BITS(ealgo->minkey); |
---|
6860 | alg->sadb_alg_maxbits = _BITS(ealgo->maxkey); |
---|
6861 | off += PFKEY_ALIGN8(sizeof(struct sadb_alg)); |
---|
6862 | } |
---|
6863 | } |
---|
6864 | |
---|
6865 | IPSEC_ASSERT(off == len, |
---|
6866 | ("length assumption failed (off %u len %u)", off, len)); |
---|
6867 | |
---|
6868 | m_freem(m); |
---|
6869 | return key_sendup_mbuf(so, n, KEY_SENDUP_REGISTERED); |
---|
6870 | } |
---|
6871 | } |
---|
6872 | |
---|
6873 | /* |
---|
6874 | * free secreg entry registered. |
---|
6875 | * XXX: I want to do free a socket marked done SADB_RESIGER to socket. |
---|
6876 | */ |
---|
6877 | void |
---|
6878 | key_freereg(struct socket *so) |
---|
6879 | { |
---|
6880 | struct secreg *reg; |
---|
6881 | int i; |
---|
6882 | |
---|
6883 | IPSEC_ASSERT(so != NULL, ("NULL so")); |
---|
6884 | |
---|
6885 | /* |
---|
6886 | * check whether existing or not. |
---|
6887 | * check all type of SA, because there is a potential that |
---|
6888 | * one socket is registered to multiple type of SA. |
---|
6889 | */ |
---|
6890 | REGTREE_LOCK(); |
---|
6891 | for (i = 0; i <= SADB_SATYPE_MAX; i++) { |
---|
6892 | LIST_FOREACH(reg, &V_regtree[i], chain) { |
---|
6893 | if (reg->so == so && __LIST_CHAINED(reg)) { |
---|
6894 | LIST_REMOVE(reg, chain); |
---|
6895 | free(reg, M_IPSEC_SAR); |
---|
6896 | break; |
---|
6897 | } |
---|
6898 | } |
---|
6899 | } |
---|
6900 | REGTREE_UNLOCK(); |
---|
6901 | } |
---|
6902 | |
---|
6903 | /* |
---|
6904 | * SADB_EXPIRE processing |
---|
6905 | * send |
---|
6906 | * <base, SA, SA2, lifetime(C and one of HS), address(SD)> |
---|
6907 | * to KMD by PF_KEY. |
---|
6908 | * NOTE: We send only soft lifetime extension. |
---|
6909 | * |
---|
6910 | * OUT: 0 : succeed |
---|
6911 | * others : error number |
---|
6912 | */ |
---|
6913 | static int |
---|
6914 | key_expire(struct secasvar *sav) |
---|
6915 | { |
---|
6916 | int s; |
---|
6917 | int satype; |
---|
6918 | struct mbuf *result = NULL, *m; |
---|
6919 | int len; |
---|
6920 | int error = -1; |
---|
6921 | struct sadb_lifetime *lt; |
---|
6922 | |
---|
6923 | /* XXX: Why do we lock ? */ |
---|
6924 | s = splnet(); /*called from softclock()*/ |
---|
6925 | |
---|
6926 | IPSEC_ASSERT (sav != NULL, ("null sav")); |
---|
6927 | IPSEC_ASSERT (sav->sah != NULL, ("null sa header")); |
---|
6928 | |
---|
6929 | /* set msg header */ |
---|
6930 | satype = key_proto2satype(sav->sah->saidx.proto); |
---|
6931 | IPSEC_ASSERT(satype != 0, ("invalid proto, satype %u", satype)); |
---|
6932 | m = key_setsadbmsg(SADB_EXPIRE, 0, satype, sav->seq, 0, sav->refcnt); |
---|
6933 | if (!m) { |
---|
6934 | error = ENOBUFS; |
---|
6935 | goto fail; |
---|
6936 | } |
---|
6937 | result = m; |
---|
6938 | |
---|
6939 | /* create SA extension */ |
---|
6940 | m = key_setsadbsa(sav); |
---|
6941 | if (!m) { |
---|
6942 | error = ENOBUFS; |
---|
6943 | goto fail; |
---|
6944 | } |
---|
6945 | m_cat(result, m); |
---|
6946 | |
---|
6947 | /* create SA extension */ |
---|
6948 | m = key_setsadbxsa2(sav->sah->saidx.mode, |
---|
6949 | sav->replay ? sav->replay->count : 0, |
---|
6950 | sav->sah->saidx.reqid); |
---|
6951 | if (!m) { |
---|
6952 | error = ENOBUFS; |
---|
6953 | goto fail; |
---|
6954 | } |
---|
6955 | m_cat(result, m); |
---|
6956 | |
---|
6957 | /* create lifetime extension (current and soft) */ |
---|
6958 | len = PFKEY_ALIGN8(sizeof(*lt)) * 2; |
---|
6959 | m = key_alloc_mbuf(len); |
---|
6960 | if (!m || m->m_next) { /*XXX*/ |
---|
6961 | if (m) |
---|
6962 | m_freem(m); |
---|
6963 | error = ENOBUFS; |
---|
6964 | goto fail; |
---|
6965 | } |
---|
6966 | bzero(mtod(m, caddr_t), len); |
---|
6967 | lt = mtod(m, struct sadb_lifetime *); |
---|
6968 | lt->sadb_lifetime_len = PFKEY_UNIT64(sizeof(struct sadb_lifetime)); |
---|
6969 | lt->sadb_lifetime_exttype = SADB_EXT_LIFETIME_CURRENT; |
---|
6970 | lt->sadb_lifetime_allocations = sav->lft_c->allocations; |
---|
6971 | lt->sadb_lifetime_bytes = sav->lft_c->bytes; |
---|
6972 | lt->sadb_lifetime_addtime = sav->lft_c->addtime; |
---|
6973 | lt->sadb_lifetime_usetime = sav->lft_c->usetime; |
---|
6974 | lt = (struct sadb_lifetime *)(mtod(m, caddr_t) + len / 2); |
---|
6975 | lt->sadb_lifetime_len = PFKEY_UNIT64(sizeof(struct sadb_lifetime)); |
---|
6976 | lt->sadb_lifetime_exttype = SADB_EXT_LIFETIME_SOFT; |
---|
6977 | lt->sadb_lifetime_allocations = sav->lft_s->allocations; |
---|
6978 | lt->sadb_lifetime_bytes = sav->lft_s->bytes; |
---|
6979 | lt->sadb_lifetime_addtime = sav->lft_s->addtime; |
---|
6980 | lt->sadb_lifetime_usetime = sav->lft_s->usetime; |
---|
6981 | m_cat(result, m); |
---|
6982 | |
---|
6983 | /* set sadb_address for source */ |
---|
6984 | m = key_setsadbaddr(SADB_EXT_ADDRESS_SRC, |
---|
6985 | &sav->sah->saidx.src.sa, |
---|
6986 | FULLMASK, IPSEC_ULPROTO_ANY); |
---|
6987 | if (!m) { |
---|
6988 | error = ENOBUFS; |
---|
6989 | goto fail; |
---|
6990 | } |
---|
6991 | m_cat(result, m); |
---|
6992 | |
---|
6993 | /* set sadb_address for destination */ |
---|
6994 | m = key_setsadbaddr(SADB_EXT_ADDRESS_DST, |
---|
6995 | &sav->sah->saidx.dst.sa, |
---|
6996 | FULLMASK, IPSEC_ULPROTO_ANY); |
---|
6997 | if (!m) { |
---|
6998 | error = ENOBUFS; |
---|
6999 | goto fail; |
---|
7000 | } |
---|
7001 | m_cat(result, m); |
---|
7002 | |
---|
7003 | /* |
---|
7004 | * XXX-BZ Handle NAT-T extensions here. |
---|
7005 | */ |
---|
7006 | |
---|
7007 | if ((result->m_flags & M_PKTHDR) == 0) { |
---|
7008 | error = EINVAL; |
---|
7009 | goto fail; |
---|
7010 | } |
---|
7011 | |
---|
7012 | if (result->m_len < sizeof(struct sadb_msg)) { |
---|
7013 | result = m_pullup(result, sizeof(struct sadb_msg)); |
---|
7014 | if (result == NULL) { |
---|
7015 | error = ENOBUFS; |
---|
7016 | goto fail; |
---|
7017 | } |
---|
7018 | } |
---|
7019 | |
---|
7020 | result->m_pkthdr.len = 0; |
---|
7021 | for (m = result; m; m = m->m_next) |
---|
7022 | result->m_pkthdr.len += m->m_len; |
---|
7023 | |
---|
7024 | mtod(result, struct sadb_msg *)->sadb_msg_len = |
---|
7025 | PFKEY_UNIT64(result->m_pkthdr.len); |
---|
7026 | |
---|
7027 | splx(s); |
---|
7028 | return key_sendup_mbuf(NULL, result, KEY_SENDUP_REGISTERED); |
---|
7029 | |
---|
7030 | fail: |
---|
7031 | if (result) |
---|
7032 | m_freem(result); |
---|
7033 | splx(s); |
---|
7034 | return error; |
---|
7035 | } |
---|
7036 | |
---|
7037 | /* |
---|
7038 | * SADB_FLUSH processing |
---|
7039 | * receive |
---|
7040 | * <base> |
---|
7041 | * from the ikmpd, and free all entries in secastree. |
---|
7042 | * and send, |
---|
7043 | * <base> |
---|
7044 | * to the ikmpd. |
---|
7045 | * NOTE: to do is only marking SADB_SASTATE_DEAD. |
---|
7046 | * |
---|
7047 | * m will always be freed. |
---|
7048 | */ |
---|
7049 | static int |
---|
7050 | key_flush(so, m, mhp) |
---|
7051 | struct socket *so; |
---|
7052 | struct mbuf *m; |
---|
7053 | const struct sadb_msghdr *mhp; |
---|
7054 | { |
---|
7055 | struct sadb_msg *newmsg; |
---|
7056 | struct secashead *sah, *nextsah; |
---|
7057 | struct secasvar *sav, *nextsav; |
---|
7058 | u_int16_t proto; |
---|
7059 | u_int8_t state; |
---|
7060 | u_int stateidx; |
---|
7061 | |
---|
7062 | IPSEC_ASSERT(so != NULL, ("null socket")); |
---|
7063 | IPSEC_ASSERT(mhp != NULL, ("null msghdr")); |
---|
7064 | IPSEC_ASSERT(mhp->msg != NULL, ("null msg")); |
---|
7065 | |
---|
7066 | /* map satype to proto */ |
---|
7067 | if ((proto = key_satype2proto(mhp->msg->sadb_msg_satype)) == 0) { |
---|
7068 | ipseclog((LOG_DEBUG, "%s: invalid satype is passed.\n", |
---|
7069 | __func__)); |
---|
7070 | return key_senderror(so, m, EINVAL); |
---|
7071 | } |
---|
7072 | |
---|
7073 | /* no SATYPE specified, i.e. flushing all SA. */ |
---|
7074 | SAHTREE_LOCK(); |
---|
7075 | for (sah = LIST_FIRST(&V_sahtree); |
---|
7076 | sah != NULL; |
---|
7077 | sah = nextsah) { |
---|
7078 | nextsah = LIST_NEXT(sah, chain); |
---|
7079 | |
---|
7080 | if (mhp->msg->sadb_msg_satype != SADB_SATYPE_UNSPEC |
---|
7081 | && proto != sah->saidx.proto) |
---|
7082 | continue; |
---|
7083 | |
---|
7084 | for (stateidx = 0; |
---|
7085 | stateidx < _ARRAYLEN(saorder_state_alive); |
---|
7086 | stateidx++) { |
---|
7087 | state = saorder_state_any[stateidx]; |
---|
7088 | for (sav = LIST_FIRST(&sah->savtree[state]); |
---|
7089 | sav != NULL; |
---|
7090 | sav = nextsav) { |
---|
7091 | |
---|
7092 | nextsav = LIST_NEXT(sav, chain); |
---|
7093 | |
---|
7094 | key_sa_chgstate(sav, SADB_SASTATE_DEAD); |
---|
7095 | KEY_FREESAV(&sav); |
---|
7096 | } |
---|
7097 | } |
---|
7098 | |
---|
7099 | sah->state = SADB_SASTATE_DEAD; |
---|
7100 | } |
---|
7101 | SAHTREE_UNLOCK(); |
---|
7102 | |
---|
7103 | if (m->m_len < sizeof(struct sadb_msg) || |
---|
7104 | sizeof(struct sadb_msg) > m->m_len + M_TRAILINGSPACE(m)) { |
---|
7105 | ipseclog((LOG_DEBUG, "%s: No more memory.\n", __func__)); |
---|
7106 | return key_senderror(so, m, ENOBUFS); |
---|
7107 | } |
---|
7108 | |
---|
7109 | if (m->m_next) |
---|
7110 | m_freem(m->m_next); |
---|
7111 | m->m_next = NULL; |
---|
7112 | m->m_pkthdr.len = m->m_len = sizeof(struct sadb_msg); |
---|
7113 | newmsg = mtod(m, struct sadb_msg *); |
---|
7114 | newmsg->sadb_msg_errno = 0; |
---|
7115 | newmsg->sadb_msg_len = PFKEY_UNIT64(m->m_pkthdr.len); |
---|
7116 | |
---|
7117 | return key_sendup_mbuf(so, m, KEY_SENDUP_ALL); |
---|
7118 | } |
---|
7119 | |
---|
7120 | /* |
---|
7121 | * SADB_DUMP processing |
---|
7122 | * dump all entries including status of DEAD in SAD. |
---|
7123 | * receive |
---|
7124 | * <base> |
---|
7125 | * from the ikmpd, and dump all secasvar leaves |
---|
7126 | * and send, |
---|
7127 | * <base> ..... |
---|
7128 | * to the ikmpd. |
---|
7129 | * |
---|
7130 | * m will always be freed. |
---|
7131 | */ |
---|
7132 | static int |
---|
7133 | key_dump(so, m, mhp) |
---|
7134 | struct socket *so; |
---|
7135 | struct mbuf *m; |
---|
7136 | const struct sadb_msghdr *mhp; |
---|
7137 | { |
---|
7138 | struct secashead *sah; |
---|
7139 | struct secasvar *sav; |
---|
7140 | u_int16_t proto; |
---|
7141 | u_int stateidx; |
---|
7142 | u_int8_t satype; |
---|
7143 | u_int8_t state; |
---|
7144 | int cnt; |
---|
7145 | struct sadb_msg *newmsg; |
---|
7146 | struct mbuf *n; |
---|
7147 | |
---|
7148 | IPSEC_ASSERT(so != NULL, ("null socket")); |
---|
7149 | IPSEC_ASSERT(m != NULL, ("null mbuf")); |
---|
7150 | IPSEC_ASSERT(mhp != NULL, ("null msghdr")); |
---|
7151 | IPSEC_ASSERT(mhp->msg != NULL, ("null msg")); |
---|
7152 | |
---|
7153 | /* map satype to proto */ |
---|
7154 | if ((proto = key_satype2proto(mhp->msg->sadb_msg_satype)) == 0) { |
---|
7155 | ipseclog((LOG_DEBUG, "%s: invalid satype is passed.\n", |
---|
7156 | __func__)); |
---|
7157 | return key_senderror(so, m, EINVAL); |
---|
7158 | } |
---|
7159 | |
---|
7160 | /* count sav entries to be sent to the userland. */ |
---|
7161 | cnt = 0; |
---|
7162 | SAHTREE_LOCK(); |
---|
7163 | LIST_FOREACH(sah, &V_sahtree, chain) { |
---|
7164 | if (mhp->msg->sadb_msg_satype != SADB_SATYPE_UNSPEC |
---|
7165 | && proto != sah->saidx.proto) |
---|
7166 | continue; |
---|
7167 | |
---|
7168 | for (stateidx = 0; |
---|
7169 | stateidx < _ARRAYLEN(saorder_state_any); |
---|
7170 | stateidx++) { |
---|
7171 | state = saorder_state_any[stateidx]; |
---|
7172 | LIST_FOREACH(sav, &sah->savtree[state], chain) { |
---|
7173 | cnt++; |
---|
7174 | } |
---|
7175 | } |
---|
7176 | } |
---|
7177 | |
---|
7178 | if (cnt == 0) { |
---|
7179 | SAHTREE_UNLOCK(); |
---|
7180 | return key_senderror(so, m, ENOENT); |
---|
7181 | } |
---|
7182 | |
---|
7183 | /* send this to the userland, one at a time. */ |
---|
7184 | newmsg = NULL; |
---|
7185 | LIST_FOREACH(sah, &V_sahtree, chain) { |
---|
7186 | if (mhp->msg->sadb_msg_satype != SADB_SATYPE_UNSPEC |
---|
7187 | && proto != sah->saidx.proto) |
---|
7188 | continue; |
---|
7189 | |
---|
7190 | /* map proto to satype */ |
---|
7191 | if ((satype = key_proto2satype(sah->saidx.proto)) == 0) { |
---|
7192 | SAHTREE_UNLOCK(); |
---|
7193 | ipseclog((LOG_DEBUG, "%s: there was invalid proto in " |
---|
7194 | "SAD.\n", __func__)); |
---|
7195 | return key_senderror(so, m, EINVAL); |
---|
7196 | } |
---|
7197 | |
---|
7198 | for (stateidx = 0; |
---|
7199 | stateidx < _ARRAYLEN(saorder_state_any); |
---|
7200 | stateidx++) { |
---|
7201 | state = saorder_state_any[stateidx]; |
---|
7202 | LIST_FOREACH(sav, &sah->savtree[state], chain) { |
---|
7203 | n = key_setdumpsa(sav, SADB_DUMP, satype, |
---|
7204 | --cnt, mhp->msg->sadb_msg_pid); |
---|
7205 | if (!n) { |
---|
7206 | SAHTREE_UNLOCK(); |
---|
7207 | return key_senderror(so, m, ENOBUFS); |
---|
7208 | } |
---|
7209 | key_sendup_mbuf(so, n, KEY_SENDUP_ONE); |
---|
7210 | } |
---|
7211 | } |
---|
7212 | } |
---|
7213 | SAHTREE_UNLOCK(); |
---|
7214 | |
---|
7215 | m_freem(m); |
---|
7216 | return 0; |
---|
7217 | } |
---|
7218 | |
---|
7219 | /* |
---|
7220 | * SADB_X_PROMISC processing |
---|
7221 | * |
---|
7222 | * m will always be freed. |
---|
7223 | */ |
---|
7224 | static int |
---|
7225 | key_promisc(so, m, mhp) |
---|
7226 | struct socket *so; |
---|
7227 | struct mbuf *m; |
---|
7228 | const struct sadb_msghdr *mhp; |
---|
7229 | { |
---|
7230 | int olen; |
---|
7231 | |
---|
7232 | IPSEC_ASSERT(so != NULL, ("null socket")); |
---|
7233 | IPSEC_ASSERT(m != NULL, ("null mbuf")); |
---|
7234 | IPSEC_ASSERT(mhp != NULL, ("null msghdr")); |
---|
7235 | IPSEC_ASSERT(mhp->msg != NULL, ("null msg")); |
---|
7236 | |
---|
7237 | olen = PFKEY_UNUNIT64(mhp->msg->sadb_msg_len); |
---|
7238 | |
---|
7239 | if (olen < sizeof(struct sadb_msg)) { |
---|
7240 | #if 1 |
---|
7241 | return key_senderror(so, m, EINVAL); |
---|
7242 | #else |
---|
7243 | m_freem(m); |
---|
7244 | return 0; |
---|
7245 | #endif |
---|
7246 | } else if (olen == sizeof(struct sadb_msg)) { |
---|
7247 | /* enable/disable promisc mode */ |
---|
7248 | struct keycb *kp; |
---|
7249 | |
---|
7250 | if ((kp = (struct keycb *)sotorawcb(so)) == NULL) |
---|
7251 | return key_senderror(so, m, EINVAL); |
---|
7252 | mhp->msg->sadb_msg_errno = 0; |
---|
7253 | switch (mhp->msg->sadb_msg_satype) { |
---|
7254 | case 0: |
---|
7255 | case 1: |
---|
7256 | kp->kp_promisc = mhp->msg->sadb_msg_satype; |
---|
7257 | break; |
---|
7258 | default: |
---|
7259 | return key_senderror(so, m, EINVAL); |
---|
7260 | } |
---|
7261 | |
---|
7262 | /* send the original message back to everyone */ |
---|
7263 | mhp->msg->sadb_msg_errno = 0; |
---|
7264 | return key_sendup_mbuf(so, m, KEY_SENDUP_ALL); |
---|
7265 | } else { |
---|
7266 | /* send packet as is */ |
---|
7267 | |
---|
7268 | m_adj(m, PFKEY_ALIGN8(sizeof(struct sadb_msg))); |
---|
7269 | |
---|
7270 | /* TODO: if sadb_msg_seq is specified, send to specific pid */ |
---|
7271 | return key_sendup_mbuf(so, m, KEY_SENDUP_ALL); |
---|
7272 | } |
---|
7273 | } |
---|
7274 | |
---|
7275 | static int (*key_typesw[]) __P((struct socket *, struct mbuf *, |
---|
7276 | const struct sadb_msghdr *)) = { |
---|
7277 | NULL, /* SADB_RESERVED */ |
---|
7278 | key_getspi, /* SADB_GETSPI */ |
---|
7279 | key_update, /* SADB_UPDATE */ |
---|
7280 | key_add, /* SADB_ADD */ |
---|
7281 | key_delete, /* SADB_DELETE */ |
---|
7282 | key_get, /* SADB_GET */ |
---|
7283 | key_acquire2, /* SADB_ACQUIRE */ |
---|
7284 | key_register, /* SADB_REGISTER */ |
---|
7285 | NULL, /* SADB_EXPIRE */ |
---|
7286 | key_flush, /* SADB_FLUSH */ |
---|
7287 | key_dump, /* SADB_DUMP */ |
---|
7288 | key_promisc, /* SADB_X_PROMISC */ |
---|
7289 | NULL, /* SADB_X_PCHANGE */ |
---|
7290 | key_spdadd, /* SADB_X_SPDUPDATE */ |
---|
7291 | key_spdadd, /* SADB_X_SPDADD */ |
---|
7292 | key_spddelete, /* SADB_X_SPDDELETE */ |
---|
7293 | key_spdget, /* SADB_X_SPDGET */ |
---|
7294 | NULL, /* SADB_X_SPDACQUIRE */ |
---|
7295 | key_spddump, /* SADB_X_SPDDUMP */ |
---|
7296 | key_spdflush, /* SADB_X_SPDFLUSH */ |
---|
7297 | key_spdadd, /* SADB_X_SPDSETIDX */ |
---|
7298 | NULL, /* SADB_X_SPDEXPIRE */ |
---|
7299 | key_spddelete2, /* SADB_X_SPDDELETE2 */ |
---|
7300 | }; |
---|
7301 | |
---|
7302 | /* |
---|
7303 | * parse sadb_msg buffer to process PFKEYv2, |
---|
7304 | * and create a data to response if needed. |
---|
7305 | * I think to be dealed with mbuf directly. |
---|
7306 | * IN: |
---|
7307 | * msgp : pointer to pointer to a received buffer pulluped. |
---|
7308 | * This is rewrited to response. |
---|
7309 | * so : pointer to socket. |
---|
7310 | * OUT: |
---|
7311 | * length for buffer to send to user process. |
---|
7312 | */ |
---|
7313 | int |
---|
7314 | key_parse(m, so) |
---|
7315 | struct mbuf *m; |
---|
7316 | struct socket *so; |
---|
7317 | { |
---|
7318 | struct sadb_msg *msg; |
---|
7319 | struct sadb_msghdr mh; |
---|
7320 | u_int orglen; |
---|
7321 | int error; |
---|
7322 | int target; |
---|
7323 | |
---|
7324 | IPSEC_ASSERT(so != NULL, ("null socket")); |
---|
7325 | IPSEC_ASSERT(m != NULL, ("null mbuf")); |
---|
7326 | |
---|
7327 | #if 0 /*kdebug_sadb assumes msg in linear buffer*/ |
---|
7328 | KEYDEBUG(KEYDEBUG_KEY_DUMP, |
---|
7329 | ipseclog((LOG_DEBUG, "%s: passed sadb_msg\n", __func__)); |
---|
7330 | kdebug_sadb(msg)); |
---|
7331 | #endif |
---|
7332 | |
---|
7333 | if (m->m_len < sizeof(struct sadb_msg)) { |
---|
7334 | m = m_pullup(m, sizeof(struct sadb_msg)); |
---|
7335 | if (!m) |
---|
7336 | return ENOBUFS; |
---|
7337 | } |
---|
7338 | msg = mtod(m, struct sadb_msg *); |
---|
7339 | orglen = PFKEY_UNUNIT64(msg->sadb_msg_len); |
---|
7340 | target = KEY_SENDUP_ONE; |
---|
7341 | |
---|
7342 | if ((m->m_flags & M_PKTHDR) == 0 || |
---|
7343 | m->m_pkthdr.len != m->m_pkthdr.len) { |
---|
7344 | ipseclog((LOG_DEBUG, "%s: invalid message length.\n",__func__)); |
---|
7345 | PFKEYSTAT_INC(out_invlen); |
---|
7346 | error = EINVAL; |
---|
7347 | goto senderror; |
---|
7348 | } |
---|
7349 | |
---|
7350 | if (msg->sadb_msg_version != PF_KEY_V2) { |
---|
7351 | ipseclog((LOG_DEBUG, "%s: PF_KEY version %u is mismatched.\n", |
---|
7352 | __func__, msg->sadb_msg_version)); |
---|
7353 | PFKEYSTAT_INC(out_invver); |
---|
7354 | error = EINVAL; |
---|
7355 | goto senderror; |
---|
7356 | } |
---|
7357 | |
---|
7358 | if (msg->sadb_msg_type > SADB_MAX) { |
---|
7359 | ipseclog((LOG_DEBUG, "%s: invalid type %u is passed.\n", |
---|
7360 | __func__, msg->sadb_msg_type)); |
---|
7361 | PFKEYSTAT_INC(out_invmsgtype); |
---|
7362 | error = EINVAL; |
---|
7363 | goto senderror; |
---|
7364 | } |
---|
7365 | |
---|
7366 | /* for old-fashioned code - should be nuked */ |
---|
7367 | if (m->m_pkthdr.len > MCLBYTES) { |
---|
7368 | m_freem(m); |
---|
7369 | return ENOBUFS; |
---|
7370 | } |
---|
7371 | if (m->m_next) { |
---|
7372 | struct mbuf *n; |
---|
7373 | |
---|
7374 | MGETHDR(n, M_DONTWAIT, MT_DATA); |
---|
7375 | if (n && m->m_pkthdr.len > MHLEN) { |
---|
7376 | MCLGET(n, M_DONTWAIT); |
---|
7377 | if ((n->m_flags & M_EXT) == 0) { |
---|
7378 | m_free(n); |
---|
7379 | n = NULL; |
---|
7380 | } |
---|
7381 | } |
---|
7382 | if (!n) { |
---|
7383 | m_freem(m); |
---|
7384 | return ENOBUFS; |
---|
7385 | } |
---|
7386 | m_copydata(m, 0, m->m_pkthdr.len, mtod(n, caddr_t)); |
---|
7387 | n->m_pkthdr.len = n->m_len = m->m_pkthdr.len; |
---|
7388 | n->m_next = NULL; |
---|
7389 | m_freem(m); |
---|
7390 | m = n; |
---|
7391 | } |
---|
7392 | |
---|
7393 | /* align the mbuf chain so that extensions are in contiguous region. */ |
---|
7394 | error = key_align(m, &mh); |
---|
7395 | if (error) |
---|
7396 | return error; |
---|
7397 | |
---|
7398 | msg = mh.msg; |
---|
7399 | |
---|
7400 | /* check SA type */ |
---|
7401 | switch (msg->sadb_msg_satype) { |
---|
7402 | case SADB_SATYPE_UNSPEC: |
---|
7403 | switch (msg->sadb_msg_type) { |
---|
7404 | case SADB_GETSPI: |
---|
7405 | case SADB_UPDATE: |
---|
7406 | case SADB_ADD: |
---|
7407 | case SADB_DELETE: |
---|
7408 | case SADB_GET: |
---|
7409 | case SADB_ACQUIRE: |
---|
7410 | case SADB_EXPIRE: |
---|
7411 | ipseclog((LOG_DEBUG, "%s: must specify satype " |
---|
7412 | "when msg type=%u.\n", __func__, |
---|
7413 | msg->sadb_msg_type)); |
---|
7414 | PFKEYSTAT_INC(out_invsatype); |
---|
7415 | error = EINVAL; |
---|
7416 | goto senderror; |
---|
7417 | } |
---|
7418 | break; |
---|
7419 | case SADB_SATYPE_AH: |
---|
7420 | case SADB_SATYPE_ESP: |
---|
7421 | case SADB_X_SATYPE_IPCOMP: |
---|
7422 | case SADB_X_SATYPE_TCPSIGNATURE: |
---|
7423 | switch (msg->sadb_msg_type) { |
---|
7424 | case SADB_X_SPDADD: |
---|
7425 | case SADB_X_SPDDELETE: |
---|
7426 | case SADB_X_SPDGET: |
---|
7427 | case SADB_X_SPDDUMP: |
---|
7428 | case SADB_X_SPDFLUSH: |
---|
7429 | case SADB_X_SPDSETIDX: |
---|
7430 | case SADB_X_SPDUPDATE: |
---|
7431 | case SADB_X_SPDDELETE2: |
---|
7432 | ipseclog((LOG_DEBUG, "%s: illegal satype=%u\n", |
---|
7433 | __func__, msg->sadb_msg_type)); |
---|
7434 | PFKEYSTAT_INC(out_invsatype); |
---|
7435 | error = EINVAL; |
---|
7436 | goto senderror; |
---|
7437 | } |
---|
7438 | break; |
---|
7439 | case SADB_SATYPE_RSVP: |
---|
7440 | case SADB_SATYPE_OSPFV2: |
---|
7441 | case SADB_SATYPE_RIPV2: |
---|
7442 | case SADB_SATYPE_MIP: |
---|
7443 | ipseclog((LOG_DEBUG, "%s: type %u isn't supported.\n", |
---|
7444 | __func__, msg->sadb_msg_satype)); |
---|
7445 | PFKEYSTAT_INC(out_invsatype); |
---|
7446 | error = EOPNOTSUPP; |
---|
7447 | goto senderror; |
---|
7448 | case 1: /* XXX: What does it do? */ |
---|
7449 | if (msg->sadb_msg_type == SADB_X_PROMISC) |
---|
7450 | break; |
---|
7451 | /*FALLTHROUGH*/ |
---|
7452 | default: |
---|
7453 | ipseclog((LOG_DEBUG, "%s: invalid type %u is passed.\n", |
---|
7454 | __func__, msg->sadb_msg_satype)); |
---|
7455 | PFKEYSTAT_INC(out_invsatype); |
---|
7456 | error = EINVAL; |
---|
7457 | goto senderror; |
---|
7458 | } |
---|
7459 | |
---|
7460 | /* check field of upper layer protocol and address family */ |
---|
7461 | if (mh.ext[SADB_EXT_ADDRESS_SRC] != NULL |
---|
7462 | && mh.ext[SADB_EXT_ADDRESS_DST] != NULL) { |
---|
7463 | struct sadb_address *src0, *dst0; |
---|
7464 | u_int plen; |
---|
7465 | |
---|
7466 | src0 = (struct sadb_address *)(mh.ext[SADB_EXT_ADDRESS_SRC]); |
---|
7467 | dst0 = (struct sadb_address *)(mh.ext[SADB_EXT_ADDRESS_DST]); |
---|
7468 | |
---|
7469 | /* check upper layer protocol */ |
---|
7470 | if (src0->sadb_address_proto != dst0->sadb_address_proto) { |
---|
7471 | ipseclog((LOG_DEBUG, "%s: upper layer protocol " |
---|
7472 | "mismatched.\n", __func__)); |
---|
7473 | PFKEYSTAT_INC(out_invaddr); |
---|
7474 | error = EINVAL; |
---|
7475 | goto senderror; |
---|
7476 | } |
---|
7477 | |
---|
7478 | /* check family */ |
---|
7479 | if (PFKEY_ADDR_SADDR(src0)->sa_family != |
---|
7480 | PFKEY_ADDR_SADDR(dst0)->sa_family) { |
---|
7481 | ipseclog((LOG_DEBUG, "%s: address family mismatched.\n", |
---|
7482 | __func__)); |
---|
7483 | PFKEYSTAT_INC(out_invaddr); |
---|
7484 | error = EINVAL; |
---|
7485 | goto senderror; |
---|
7486 | } |
---|
7487 | if (PFKEY_ADDR_SADDR(src0)->sa_len != |
---|
7488 | PFKEY_ADDR_SADDR(dst0)->sa_len) { |
---|
7489 | ipseclog((LOG_DEBUG, "%s: address struct size " |
---|
7490 | "mismatched.\n", __func__)); |
---|
7491 | PFKEYSTAT_INC(out_invaddr); |
---|
7492 | error = EINVAL; |
---|
7493 | goto senderror; |
---|
7494 | } |
---|
7495 | |
---|
7496 | switch (PFKEY_ADDR_SADDR(src0)->sa_family) { |
---|
7497 | case AF_INET: |
---|
7498 | if (PFKEY_ADDR_SADDR(src0)->sa_len != |
---|
7499 | sizeof(struct sockaddr_in)) { |
---|
7500 | PFKEYSTAT_INC(out_invaddr); |
---|
7501 | error = EINVAL; |
---|
7502 | goto senderror; |
---|
7503 | } |
---|
7504 | break; |
---|
7505 | case AF_INET6: |
---|
7506 | if (PFKEY_ADDR_SADDR(src0)->sa_len != |
---|
7507 | sizeof(struct sockaddr_in6)) { |
---|
7508 | PFKEYSTAT_INC(out_invaddr); |
---|
7509 | error = EINVAL; |
---|
7510 | goto senderror; |
---|
7511 | } |
---|
7512 | break; |
---|
7513 | default: |
---|
7514 | ipseclog((LOG_DEBUG, "%s: unsupported address family\n", |
---|
7515 | __func__)); |
---|
7516 | PFKEYSTAT_INC(out_invaddr); |
---|
7517 | error = EAFNOSUPPORT; |
---|
7518 | goto senderror; |
---|
7519 | } |
---|
7520 | |
---|
7521 | switch (PFKEY_ADDR_SADDR(src0)->sa_family) { |
---|
7522 | case AF_INET: |
---|
7523 | plen = sizeof(struct in_addr) << 3; |
---|
7524 | break; |
---|
7525 | case AF_INET6: |
---|
7526 | plen = sizeof(struct in6_addr) << 3; |
---|
7527 | break; |
---|
7528 | default: |
---|
7529 | plen = 0; /*fool gcc*/ |
---|
7530 | break; |
---|
7531 | } |
---|
7532 | |
---|
7533 | /* check max prefix length */ |
---|
7534 | if (src0->sadb_address_prefixlen > plen || |
---|
7535 | dst0->sadb_address_prefixlen > plen) { |
---|
7536 | ipseclog((LOG_DEBUG, "%s: illegal prefixlen.\n", |
---|
7537 | __func__)); |
---|
7538 | PFKEYSTAT_INC(out_invaddr); |
---|
7539 | error = EINVAL; |
---|
7540 | goto senderror; |
---|
7541 | } |
---|
7542 | |
---|
7543 | /* |
---|
7544 | * prefixlen == 0 is valid because there can be a case when |
---|
7545 | * all addresses are matched. |
---|
7546 | */ |
---|
7547 | } |
---|
7548 | |
---|
7549 | if (msg->sadb_msg_type >= sizeof(key_typesw)/sizeof(key_typesw[0]) || |
---|
7550 | key_typesw[msg->sadb_msg_type] == NULL) { |
---|
7551 | PFKEYSTAT_INC(out_invmsgtype); |
---|
7552 | error = EINVAL; |
---|
7553 | goto senderror; |
---|
7554 | } |
---|
7555 | |
---|
7556 | return (*key_typesw[msg->sadb_msg_type])(so, m, &mh); |
---|
7557 | |
---|
7558 | senderror: |
---|
7559 | msg->sadb_msg_errno = error; |
---|
7560 | return key_sendup_mbuf(so, m, target); |
---|
7561 | } |
---|
7562 | |
---|
7563 | static int |
---|
7564 | key_senderror(so, m, code) |
---|
7565 | struct socket *so; |
---|
7566 | struct mbuf *m; |
---|
7567 | int code; |
---|
7568 | { |
---|
7569 | struct sadb_msg *msg; |
---|
7570 | |
---|
7571 | IPSEC_ASSERT(m->m_len >= sizeof(struct sadb_msg), |
---|
7572 | ("mbuf too small, len %u", m->m_len)); |
---|
7573 | |
---|
7574 | msg = mtod(m, struct sadb_msg *); |
---|
7575 | msg->sadb_msg_errno = code; |
---|
7576 | return key_sendup_mbuf(so, m, KEY_SENDUP_ONE); |
---|
7577 | } |
---|
7578 | |
---|
7579 | /* |
---|
7580 | * set the pointer to each header into message buffer. |
---|
7581 | * m will be freed on error. |
---|
7582 | * XXX larger-than-MCLBYTES extension? |
---|
7583 | */ |
---|
7584 | static int |
---|
7585 | key_align(m, mhp) |
---|
7586 | struct mbuf *m; |
---|
7587 | struct sadb_msghdr *mhp; |
---|
7588 | { |
---|
7589 | struct mbuf *n; |
---|
7590 | struct sadb_ext *ext; |
---|
7591 | size_t off, end; |
---|
7592 | int extlen; |
---|
7593 | int toff; |
---|
7594 | |
---|
7595 | IPSEC_ASSERT(m != NULL, ("null mbuf")); |
---|
7596 | IPSEC_ASSERT(mhp != NULL, ("null msghdr")); |
---|
7597 | IPSEC_ASSERT(m->m_len >= sizeof(struct sadb_msg), |
---|
7598 | ("mbuf too small, len %u", m->m_len)); |
---|
7599 | |
---|
7600 | /* initialize */ |
---|
7601 | bzero(mhp, sizeof(*mhp)); |
---|
7602 | |
---|
7603 | mhp->msg = mtod(m, struct sadb_msg *); |
---|
7604 | mhp->ext[0] = (struct sadb_ext *)mhp->msg; /*XXX backward compat */ |
---|
7605 | |
---|
7606 | end = PFKEY_UNUNIT64(mhp->msg->sadb_msg_len); |
---|
7607 | extlen = end; /*just in case extlen is not updated*/ |
---|
7608 | for (off = sizeof(struct sadb_msg); off < end; off += extlen) { |
---|
7609 | n = m_pulldown(m, off, sizeof(struct sadb_ext), &toff); |
---|
7610 | if (!n) { |
---|
7611 | /* m is already freed */ |
---|
7612 | return ENOBUFS; |
---|
7613 | } |
---|
7614 | ext = (struct sadb_ext *)(mtod(n, caddr_t) + toff); |
---|
7615 | |
---|
7616 | /* set pointer */ |
---|
7617 | switch (ext->sadb_ext_type) { |
---|
7618 | case SADB_EXT_SA: |
---|
7619 | case SADB_EXT_ADDRESS_SRC: |
---|
7620 | case SADB_EXT_ADDRESS_DST: |
---|
7621 | case SADB_EXT_ADDRESS_PROXY: |
---|
7622 | case SADB_EXT_LIFETIME_CURRENT: |
---|
7623 | case SADB_EXT_LIFETIME_HARD: |
---|
7624 | case SADB_EXT_LIFETIME_SOFT: |
---|
7625 | case SADB_EXT_KEY_AUTH: |
---|
7626 | case SADB_EXT_KEY_ENCRYPT: |
---|
7627 | case SADB_EXT_IDENTITY_SRC: |
---|
7628 | case SADB_EXT_IDENTITY_DST: |
---|
7629 | case SADB_EXT_SENSITIVITY: |
---|
7630 | case SADB_EXT_PROPOSAL: |
---|
7631 | case SADB_EXT_SUPPORTED_AUTH: |
---|
7632 | case SADB_EXT_SUPPORTED_ENCRYPT: |
---|
7633 | case SADB_EXT_SPIRANGE: |
---|
7634 | case SADB_X_EXT_POLICY: |
---|
7635 | case SADB_X_EXT_SA2: |
---|
7636 | #ifdef IPSEC_NAT_T |
---|
7637 | case SADB_X_EXT_NAT_T_TYPE: |
---|
7638 | case SADB_X_EXT_NAT_T_SPORT: |
---|
7639 | case SADB_X_EXT_NAT_T_DPORT: |
---|
7640 | case SADB_X_EXT_NAT_T_OAI: |
---|
7641 | case SADB_X_EXT_NAT_T_OAR: |
---|
7642 | case SADB_X_EXT_NAT_T_FRAG: |
---|
7643 | #endif |
---|
7644 | /* duplicate check */ |
---|
7645 | /* |
---|
7646 | * XXX Are there duplication payloads of either |
---|
7647 | * KEY_AUTH or KEY_ENCRYPT ? |
---|
7648 | */ |
---|
7649 | if (mhp->ext[ext->sadb_ext_type] != NULL) { |
---|
7650 | ipseclog((LOG_DEBUG, "%s: duplicate ext_type " |
---|
7651 | "%u\n", __func__, ext->sadb_ext_type)); |
---|
7652 | m_freem(m); |
---|
7653 | PFKEYSTAT_INC(out_dupext); |
---|
7654 | return EINVAL; |
---|
7655 | } |
---|
7656 | break; |
---|
7657 | default: |
---|
7658 | ipseclog((LOG_DEBUG, "%s: invalid ext_type %u\n", |
---|
7659 | __func__, ext->sadb_ext_type)); |
---|
7660 | m_freem(m); |
---|
7661 | PFKEYSTAT_INC(out_invexttype); |
---|
7662 | return EINVAL; |
---|
7663 | } |
---|
7664 | |
---|
7665 | extlen = PFKEY_UNUNIT64(ext->sadb_ext_len); |
---|
7666 | |
---|
7667 | if (key_validate_ext(ext, extlen)) { |
---|
7668 | m_freem(m); |
---|
7669 | PFKEYSTAT_INC(out_invlen); |
---|
7670 | return EINVAL; |
---|
7671 | } |
---|
7672 | |
---|
7673 | n = m_pulldown(m, off, extlen, &toff); |
---|
7674 | if (!n) { |
---|
7675 | /* m is already freed */ |
---|
7676 | return ENOBUFS; |
---|
7677 | } |
---|
7678 | ext = (struct sadb_ext *)(mtod(n, caddr_t) + toff); |
---|
7679 | |
---|
7680 | mhp->ext[ext->sadb_ext_type] = ext; |
---|
7681 | mhp->extoff[ext->sadb_ext_type] = off; |
---|
7682 | mhp->extlen[ext->sadb_ext_type] = extlen; |
---|
7683 | } |
---|
7684 | |
---|
7685 | if (off != end) { |
---|
7686 | m_freem(m); |
---|
7687 | PFKEYSTAT_INC(out_invlen); |
---|
7688 | return EINVAL; |
---|
7689 | } |
---|
7690 | |
---|
7691 | return 0; |
---|
7692 | } |
---|
7693 | |
---|
7694 | static int |
---|
7695 | key_validate_ext(ext, len) |
---|
7696 | const struct sadb_ext *ext; |
---|
7697 | int len; |
---|
7698 | { |
---|
7699 | const struct sockaddr *sa; |
---|
7700 | enum { NONE, ADDR } checktype = NONE; |
---|
7701 | int baselen = 0; |
---|
7702 | const int sal = offsetof(struct sockaddr, sa_len) + sizeof(sa->sa_len); |
---|
7703 | |
---|
7704 | if (len != PFKEY_UNUNIT64(ext->sadb_ext_len)) |
---|
7705 | return EINVAL; |
---|
7706 | |
---|
7707 | /* if it does not match minimum/maximum length, bail */ |
---|
7708 | if (ext->sadb_ext_type >= sizeof(minsize) / sizeof(minsize[0]) || |
---|
7709 | ext->sadb_ext_type >= sizeof(maxsize) / sizeof(maxsize[0])) |
---|
7710 | return EINVAL; |
---|
7711 | if (!minsize[ext->sadb_ext_type] || len < minsize[ext->sadb_ext_type]) |
---|
7712 | return EINVAL; |
---|
7713 | if (maxsize[ext->sadb_ext_type] && len > maxsize[ext->sadb_ext_type]) |
---|
7714 | return EINVAL; |
---|
7715 | |
---|
7716 | /* more checks based on sadb_ext_type XXX need more */ |
---|
7717 | switch (ext->sadb_ext_type) { |
---|
7718 | case SADB_EXT_ADDRESS_SRC: |
---|
7719 | case SADB_EXT_ADDRESS_DST: |
---|
7720 | case SADB_EXT_ADDRESS_PROXY: |
---|
7721 | baselen = PFKEY_ALIGN8(sizeof(struct sadb_address)); |
---|
7722 | checktype = ADDR; |
---|
7723 | break; |
---|
7724 | case SADB_EXT_IDENTITY_SRC: |
---|
7725 | case SADB_EXT_IDENTITY_DST: |
---|
7726 | if (((const struct sadb_ident *)ext)->sadb_ident_type == |
---|
7727 | SADB_X_IDENTTYPE_ADDR) { |
---|
7728 | baselen = PFKEY_ALIGN8(sizeof(struct sadb_ident)); |
---|
7729 | checktype = ADDR; |
---|
7730 | } else |
---|
7731 | checktype = NONE; |
---|
7732 | break; |
---|
7733 | default: |
---|
7734 | checktype = NONE; |
---|
7735 | break; |
---|
7736 | } |
---|
7737 | |
---|
7738 | switch (checktype) { |
---|
7739 | case NONE: |
---|
7740 | break; |
---|
7741 | case ADDR: |
---|
7742 | sa = (const struct sockaddr *)(((const u_int8_t*)ext)+baselen); |
---|
7743 | if (len < baselen + sal) |
---|
7744 | return EINVAL; |
---|
7745 | if (baselen + PFKEY_ALIGN8(sa->sa_len) != len) |
---|
7746 | return EINVAL; |
---|
7747 | break; |
---|
7748 | } |
---|
7749 | |
---|
7750 | return 0; |
---|
7751 | } |
---|
7752 | |
---|
7753 | void |
---|
7754 | key_init(void) |
---|
7755 | { |
---|
7756 | int i; |
---|
7757 | |
---|
7758 | for (i = 0; i < IPSEC_DIR_MAX; i++) |
---|
7759 | LIST_INIT(&V_sptree[i]); |
---|
7760 | |
---|
7761 | LIST_INIT(&V_sahtree); |
---|
7762 | |
---|
7763 | for (i = 0; i <= SADB_SATYPE_MAX; i++) |
---|
7764 | LIST_INIT(&V_regtree[i]); |
---|
7765 | |
---|
7766 | LIST_INIT(&V_acqtree); |
---|
7767 | LIST_INIT(&V_spacqtree); |
---|
7768 | |
---|
7769 | /* system default */ |
---|
7770 | V_ip4_def_policy.policy = IPSEC_POLICY_NONE; |
---|
7771 | V_ip4_def_policy.refcnt++; /*never reclaim this*/ |
---|
7772 | |
---|
7773 | if (!IS_DEFAULT_VNET(curvnet)) |
---|
7774 | return; |
---|
7775 | |
---|
7776 | SPTREE_LOCK_INIT(); |
---|
7777 | REGTREE_LOCK_INIT(); |
---|
7778 | SAHTREE_LOCK_INIT(); |
---|
7779 | ACQ_LOCK_INIT(); |
---|
7780 | SPACQ_LOCK_INIT(); |
---|
7781 | |
---|
7782 | #ifndef IPSEC_DEBUG2 |
---|
7783 | timeout((void *)key_timehandler, (void *)0, hz); |
---|
7784 | #endif /*IPSEC_DEBUG2*/ |
---|
7785 | |
---|
7786 | /* initialize key statistics */ |
---|
7787 | keystat.getspi_count = 1; |
---|
7788 | |
---|
7789 | printf("IPsec: Initialized Security Association Processing.\n"); |
---|
7790 | } |
---|
7791 | |
---|
7792 | #ifdef VIMAGE |
---|
7793 | void |
---|
7794 | key_destroy(void) |
---|
7795 | { |
---|
7796 | struct secpolicy *sp, *nextsp; |
---|
7797 | struct secacq *acq, *nextacq; |
---|
7798 | struct secspacq *spacq, *nextspacq; |
---|
7799 | struct secashead *sah, *nextsah; |
---|
7800 | struct secreg *reg; |
---|
7801 | int i; |
---|
7802 | |
---|
7803 | SPTREE_LOCK(); |
---|
7804 | for (i = 0; i < IPSEC_DIR_MAX; i++) { |
---|
7805 | for (sp = LIST_FIRST(&V_sptree[i]); |
---|
7806 | sp != NULL; sp = nextsp) { |
---|
7807 | nextsp = LIST_NEXT(sp, chain); |
---|
7808 | if (__LIST_CHAINED(sp)) { |
---|
7809 | LIST_REMOVE(sp, chain); |
---|
7810 | free(sp, M_IPSEC_SP); |
---|
7811 | } |
---|
7812 | } |
---|
7813 | } |
---|
7814 | SPTREE_UNLOCK(); |
---|
7815 | |
---|
7816 | SAHTREE_LOCK(); |
---|
7817 | for (sah = LIST_FIRST(&V_sahtree); sah != NULL; sah = nextsah) { |
---|
7818 | nextsah = LIST_NEXT(sah, chain); |
---|
7819 | if (__LIST_CHAINED(sah)) { |
---|
7820 | LIST_REMOVE(sah, chain); |
---|
7821 | free(sah, M_IPSEC_SAH); |
---|
7822 | } |
---|
7823 | } |
---|
7824 | SAHTREE_UNLOCK(); |
---|
7825 | |
---|
7826 | REGTREE_LOCK(); |
---|
7827 | for (i = 0; i <= SADB_SATYPE_MAX; i++) { |
---|
7828 | LIST_FOREACH(reg, &V_regtree[i], chain) { |
---|
7829 | if (__LIST_CHAINED(reg)) { |
---|
7830 | LIST_REMOVE(reg, chain); |
---|
7831 | free(reg, M_IPSEC_SAR); |
---|
7832 | break; |
---|
7833 | } |
---|
7834 | } |
---|
7835 | } |
---|
7836 | REGTREE_UNLOCK(); |
---|
7837 | |
---|
7838 | ACQ_LOCK(); |
---|
7839 | for (acq = LIST_FIRST(&V_acqtree); acq != NULL; acq = nextacq) { |
---|
7840 | nextacq = LIST_NEXT(acq, chain); |
---|
7841 | if (__LIST_CHAINED(acq)) { |
---|
7842 | LIST_REMOVE(acq, chain); |
---|
7843 | free(acq, M_IPSEC_SAQ); |
---|
7844 | } |
---|
7845 | } |
---|
7846 | ACQ_UNLOCK(); |
---|
7847 | |
---|
7848 | SPACQ_LOCK(); |
---|
7849 | for (spacq = LIST_FIRST(&V_spacqtree); spacq != NULL; |
---|
7850 | spacq = nextspacq) { |
---|
7851 | nextspacq = LIST_NEXT(spacq, chain); |
---|
7852 | if (__LIST_CHAINED(spacq)) { |
---|
7853 | LIST_REMOVE(spacq, chain); |
---|
7854 | free(spacq, M_IPSEC_SAQ); |
---|
7855 | } |
---|
7856 | } |
---|
7857 | SPACQ_UNLOCK(); |
---|
7858 | } |
---|
7859 | #endif |
---|
7860 | |
---|
7861 | /* |
---|
7862 | * XXX: maybe This function is called after INBOUND IPsec processing. |
---|
7863 | * |
---|
7864 | * Special check for tunnel-mode packets. |
---|
7865 | * We must make some checks for consistency between inner and outer IP header. |
---|
7866 | * |
---|
7867 | * xxx more checks to be provided |
---|
7868 | */ |
---|
7869 | int |
---|
7870 | key_checktunnelsanity(sav, family, src, dst) |
---|
7871 | struct secasvar *sav; |
---|
7872 | u_int family; |
---|
7873 | caddr_t src; |
---|
7874 | caddr_t dst; |
---|
7875 | { |
---|
7876 | IPSEC_ASSERT(sav->sah != NULL, ("null SA header")); |
---|
7877 | |
---|
7878 | /* XXX: check inner IP header */ |
---|
7879 | |
---|
7880 | return 1; |
---|
7881 | } |
---|
7882 | |
---|
7883 | /* record data transfer on SA, and update timestamps */ |
---|
7884 | void |
---|
7885 | key_sa_recordxfer(sav, m) |
---|
7886 | struct secasvar *sav; |
---|
7887 | struct mbuf *m; |
---|
7888 | { |
---|
7889 | IPSEC_ASSERT(sav != NULL, ("Null secasvar")); |
---|
7890 | IPSEC_ASSERT(m != NULL, ("Null mbuf")); |
---|
7891 | if (!sav->lft_c) |
---|
7892 | return; |
---|
7893 | |
---|
7894 | /* |
---|
7895 | * XXX Currently, there is a difference of bytes size |
---|
7896 | * between inbound and outbound processing. |
---|
7897 | */ |
---|
7898 | sav->lft_c->bytes += m->m_pkthdr.len; |
---|
7899 | /* to check bytes lifetime is done in key_timehandler(). */ |
---|
7900 | |
---|
7901 | /* |
---|
7902 | * We use the number of packets as the unit of |
---|
7903 | * allocations. We increment the variable |
---|
7904 | * whenever {esp,ah}_{in,out}put is called. |
---|
7905 | */ |
---|
7906 | sav->lft_c->allocations++; |
---|
7907 | /* XXX check for expires? */ |
---|
7908 | |
---|
7909 | /* |
---|
7910 | * NOTE: We record CURRENT usetime by using wall clock, |
---|
7911 | * in seconds. HARD and SOFT lifetime are measured by the time |
---|
7912 | * difference (again in seconds) from usetime. |
---|
7913 | * |
---|
7914 | * usetime |
---|
7915 | * v expire expire |
---|
7916 | * -----+-----+--------+---> t |
---|
7917 | * <--------------> HARD |
---|
7918 | * <-----> SOFT |
---|
7919 | */ |
---|
7920 | sav->lft_c->usetime = time_second; |
---|
7921 | /* XXX check for expires? */ |
---|
7922 | |
---|
7923 | return; |
---|
7924 | } |
---|
7925 | |
---|
7926 | /* dumb version */ |
---|
7927 | void |
---|
7928 | key_sa_routechange(dst) |
---|
7929 | struct sockaddr *dst; |
---|
7930 | { |
---|
7931 | struct secashead *sah; |
---|
7932 | struct route *ro; |
---|
7933 | |
---|
7934 | SAHTREE_LOCK(); |
---|
7935 | LIST_FOREACH(sah, &V_sahtree, chain) { |
---|
7936 | ro = &sah->route_cache.sa_route; |
---|
7937 | if (ro->ro_rt && dst->sa_len == ro->ro_dst.sa_len |
---|
7938 | && bcmp(dst, &ro->ro_dst, dst->sa_len) == 0) { |
---|
7939 | RTFREE(ro->ro_rt); |
---|
7940 | ro->ro_rt = (struct rtentry *)NULL; |
---|
7941 | } |
---|
7942 | } |
---|
7943 | SAHTREE_UNLOCK(); |
---|
7944 | } |
---|
7945 | |
---|
7946 | static void |
---|
7947 | key_sa_chgstate(struct secasvar *sav, u_int8_t state) |
---|
7948 | { |
---|
7949 | IPSEC_ASSERT(sav != NULL, ("NULL sav")); |
---|
7950 | SAHTREE_LOCK_ASSERT(); |
---|
7951 | |
---|
7952 | if (sav->state != state) { |
---|
7953 | if (__LIST_CHAINED(sav)) |
---|
7954 | LIST_REMOVE(sav, chain); |
---|
7955 | sav->state = state; |
---|
7956 | LIST_INSERT_HEAD(&sav->sah->savtree[state], sav, chain); |
---|
7957 | } |
---|
7958 | } |
---|
7959 | |
---|
7960 | void |
---|
7961 | key_sa_stir_iv(sav) |
---|
7962 | struct secasvar *sav; |
---|
7963 | { |
---|
7964 | |
---|
7965 | IPSEC_ASSERT(sav->iv != NULL, ("null IV")); |
---|
7966 | key_randomfill(sav->iv, sav->ivlen); |
---|
7967 | } |
---|
7968 | |
---|
7969 | /* XXX too much? */ |
---|
7970 | static struct mbuf * |
---|
7971 | key_alloc_mbuf(l) |
---|
7972 | int l; |
---|
7973 | { |
---|
7974 | struct mbuf *m = NULL, *n; |
---|
7975 | int len, t; |
---|
7976 | |
---|
7977 | len = l; |
---|
7978 | while (len > 0) { |
---|
7979 | MGET(n, M_DONTWAIT, MT_DATA); |
---|
7980 | if (n && len > MLEN) |
---|
7981 | MCLGET(n, M_DONTWAIT); |
---|
7982 | if (!n) { |
---|
7983 | m_freem(m); |
---|
7984 | return NULL; |
---|
7985 | } |
---|
7986 | |
---|
7987 | n->m_next = NULL; |
---|
7988 | n->m_len = 0; |
---|
7989 | n->m_len = M_TRAILINGSPACE(n); |
---|
7990 | /* use the bottom of mbuf, hoping we can prepend afterwards */ |
---|
7991 | if (n->m_len > len) { |
---|
7992 | t = (n->m_len - len) & ~(sizeof(long) - 1); |
---|
7993 | n->m_data += t; |
---|
7994 | n->m_len = len; |
---|
7995 | } |
---|
7996 | |
---|
7997 | len -= n->m_len; |
---|
7998 | |
---|
7999 | if (m) |
---|
8000 | m_cat(m, n); |
---|
8001 | else |
---|
8002 | m = n; |
---|
8003 | } |
---|
8004 | |
---|
8005 | return m; |
---|
8006 | } |
---|
8007 | |
---|
8008 | /* |
---|
8009 | * Take one of the kernel's security keys and convert it into a PF_KEY |
---|
8010 | * structure within an mbuf, suitable for sending up to a waiting |
---|
8011 | * application in user land. |
---|
8012 | * |
---|
8013 | * IN: |
---|
8014 | * src: A pointer to a kernel security key. |
---|
8015 | * exttype: Which type of key this is. Refer to the PF_KEY data structures. |
---|
8016 | * OUT: |
---|
8017 | * a valid mbuf or NULL indicating an error |
---|
8018 | * |
---|
8019 | */ |
---|
8020 | |
---|
8021 | static struct mbuf * |
---|
8022 | key_setkey(struct seckey *src, u_int16_t exttype) |
---|
8023 | { |
---|
8024 | struct mbuf *m; |
---|
8025 | struct sadb_key *p; |
---|
8026 | int len; |
---|
8027 | |
---|
8028 | if (src == NULL) |
---|
8029 | return NULL; |
---|
8030 | |
---|
8031 | len = PFKEY_ALIGN8(sizeof(struct sadb_key) + _KEYLEN(src)); |
---|
8032 | m = key_alloc_mbuf(len); |
---|
8033 | if (m == NULL) |
---|
8034 | return NULL; |
---|
8035 | p = mtod(m, struct sadb_key *); |
---|
8036 | bzero(p, len); |
---|
8037 | p->sadb_key_len = PFKEY_UNIT64(len); |
---|
8038 | p->sadb_key_exttype = exttype; |
---|
8039 | p->sadb_key_bits = src->bits; |
---|
8040 | bcopy(src->key_data, _KEYBUF(p), _KEYLEN(src)); |
---|
8041 | |
---|
8042 | return m; |
---|
8043 | } |
---|
8044 | |
---|
8045 | /* |
---|
8046 | * Take one of the kernel's lifetime data structures and convert it |
---|
8047 | * into a PF_KEY structure within an mbuf, suitable for sending up to |
---|
8048 | * a waiting application in user land. |
---|
8049 | * |
---|
8050 | * IN: |
---|
8051 | * src: A pointer to a kernel lifetime structure. |
---|
8052 | * exttype: Which type of lifetime this is. Refer to the PF_KEY |
---|
8053 | * data structures for more information. |
---|
8054 | * OUT: |
---|
8055 | * a valid mbuf or NULL indicating an error |
---|
8056 | * |
---|
8057 | */ |
---|
8058 | |
---|
8059 | static struct mbuf * |
---|
8060 | key_setlifetime(struct seclifetime *src, u_int16_t exttype) |
---|
8061 | { |
---|
8062 | struct mbuf *m = NULL; |
---|
8063 | struct sadb_lifetime *p; |
---|
8064 | int len = PFKEY_ALIGN8(sizeof(struct sadb_lifetime)); |
---|
8065 | |
---|
8066 | if (src == NULL) |
---|
8067 | return NULL; |
---|
8068 | |
---|
8069 | m = key_alloc_mbuf(len); |
---|
8070 | if (m == NULL) |
---|
8071 | return m; |
---|
8072 | p = mtod(m, struct sadb_lifetime *); |
---|
8073 | |
---|
8074 | bzero(p, len); |
---|
8075 | p->sadb_lifetime_len = PFKEY_UNIT64(len); |
---|
8076 | p->sadb_lifetime_exttype = exttype; |
---|
8077 | p->sadb_lifetime_allocations = src->allocations; |
---|
8078 | p->sadb_lifetime_bytes = src->bytes; |
---|
8079 | p->sadb_lifetime_addtime = src->addtime; |
---|
8080 | p->sadb_lifetime_usetime = src->usetime; |
---|
8081 | |
---|
8082 | return m; |
---|
8083 | |
---|
8084 | } |
---|