key.c - OpenGrok cross reference for /freebsd/sys/netipsec/key.c

Deleted Added

sdiffudifftextold (c398230b..)new (a0196c3c..)

key.c (c398230b64aea809cb7c5cea8db580af7097920c)	key.c (a0196c3c891ccf2ee88854f9798fd8e44d0e9f16)
1/* $FreeBSD$ / 2/ $KAME: key.c,v 1.191 2001/06/27 10:46:49 sakane Exp $ / 3 4/- 5 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. 6 * All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without --- 406 unchanged lines hidden (view full) --- 415static struct mbuf key_setsadbmsg __P((u_int8_t, u_int16_t, u_int8_t, 416 u_int32_t, pid_t, u_int16_t)); 417static struct mbuf key_setsadbsa __P((struct secasvar )); 418static struct mbuf key_setsadbaddr __P((u_int16_t, 419 const struct sockaddr , u_int8_t, u_int16_t)); 420static struct mbuf key_setsadbxsa2 __P((u_int8_t, u_int32_t, u_int32_t)); 421static struct mbuf *key_setsadbxpolicy __P((u_int16_t, u_int8_t, 422 u_int32_t));	1/* $FreeBSD$ / 2/ $KAME: key.c,v 1.191 2001/06/27 10:46:49 sakane Exp $ / 3 4/- 5 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. 6 * All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without --- 406 unchanged lines hidden (view full) --- 415static struct mbuf key_setsadbmsg __P((u_int8_t, u_int16_t, u_int8_t, 416 u_int32_t, pid_t, u_int16_t)); 417static struct mbuf key_setsadbsa __P((struct secasvar )); 418static struct mbuf key_setsadbaddr __P((u_int16_t, 419 const struct sockaddr , u_int8_t, u_int16_t)); 420static struct mbuf key_setsadbxsa2 __P((u_int8_t, u_int32_t, u_int32_t)); 421static struct mbuf *key_setsadbxpolicy __P((u_int16_t, u_int8_t, 422 u_int32_t));
423static void key_dup(const void , u_int, struct malloc_type *);	423static struct seckey key_dup_keymsg(const struct sadb_key , u_int, 424 struct malloc_type ); 425static struct seclifetime key_dup_lifemsg(const struct sadb_lifetime src, 426 struct malloc_type type);
424#ifdef INET6 425static int key_ismyaddr6 __P((struct sockaddr_in6 )); 426#endif 427 428/ flags for key_cmpsaidx() / 429#define CMP_HEAD 1 / protocol, addresses. / 430#define CMP_MODE_REQID 2 / additionally HEAD, reqid, mode. / 431#define CMP_REQID 3 / additionally HEAD, reaid. / --- 51 unchanged lines hidden* (view full) --- 483 const struct sadb_msghdr )); 484static int key_dump __P((struct socket , struct mbuf , 485 const struct sadb_msghdr )); 486static int key_promisc __P((struct socket , struct mbuf , 487 const struct sadb_msghdr )); 488static int key_senderror __P((struct socket , struct mbuf , int)); 489static int key_validate_ext __P((const struct sadb_ext , int)); 490static int key_align __P((struct mbuf , struct sadb_msghdr ));	427#ifdef INET6 428static int key_ismyaddr6 __P((struct sockaddr_in6 )); 429#endif 430 431/ flags for key_cmpsaidx() / 432#define CMP_HEAD 1 / protocol, addresses. / 433#define CMP_MODE_REQID 2 / additionally HEAD, reqid, mode. / 434#define CMP_REQID 3 / additionally HEAD, reaid. / --- 51 unchanged lines hidden* (view full) --- 486 const struct sadb_msghdr )); 487static int key_dump __P((struct socket , struct mbuf , 488 const struct sadb_msghdr )); 489static int key_promisc __P((struct socket , struct mbuf , 490 const struct sadb_msghdr )); 491static int key_senderror __P((struct socket , struct mbuf , int)); 492static int key_validate_ext __P((const struct sadb_ext , int)); 493static int key_align __P((struct mbuf , struct sadb_msghdr ));
	494static struct mbuf key_setlifetime(struct seclifetime src, 495 u_int16_t exttype); 496static struct mbuf key_setkey(struct seckey src, u_int16_t exttype); 497
491#if 0 492static const char key_getfqdn __P((void)); 493static const char key_getuserfqdn __P((void)); 494#endif 495static void key_sa_chgstate __P((struct secasvar , u_int8_t)); 496static struct mbuf key_alloc_mbuf __P((int)); 497 498#define SA_ADDREF(p) do { \ --- 405 unchanged lines hidden (view full) --- 904 /* Which SA is the better ? / 905 906 IPSEC_ASSERT(candidate->lft_c != NULL, 907 ("null candidate lifetime")); 908 IPSEC_ASSERT(sav->lft_c != NULL, ("null sav lifetime")); 909 910 / What the best method is to compare ? */ 911 if (key_preferred_oldsa) {	498#if 0 499static const char key_getfqdn __P((void)); 500static const char key_getuserfqdn __P((void)); 501#endif 502static void key_sa_chgstate __P((struct secasvar , u_int8_t)); 503static struct mbuf key_alloc_mbuf __P((int)); 504 505#define SA_ADDREF(p) do { \ --- 405 unchanged lines hidden (view full) --- 911 /* Which SA is the better ? / 912 913 IPSEC_ASSERT(candidate->lft_c != NULL, 914 ("null candidate lifetime")); 915 IPSEC_ASSERT(sav->lft_c != NULL, ("null sav lifetime")); 916 917 / What the best method is to compare ? */ 918 if (key_preferred_oldsa) {
912 if (candidate->lft_c->sadb_lifetime_addtime > 913 sav->lft_c->sadb_lifetime_addtime) {	919 if (candidate->lft_c->addtime > 920 sav->lft_c->addtime) {
914 candidate = sav; 915 } 916 continue; 917 /NOTREACHED/ 918 } 919 920 /* preferred new sa rather than old sa */	921 candidate = sav; 922 } 923 continue; 924 /NOTREACHED/ 925 } 926 927 /* preferred new sa rather than old sa */
921 if (candidate->lft_c->sadb_lifetime_addtime < 922 sav->lft_c->sadb_lifetime_addtime) {	928 if (candidate->lft_c->addtime < 929 sav->lft_c->addtime) {
923 d = candidate; 924 candidate = sav; 925 } else 926 d = sav; 927 928 /* 929 * prepared to delete the SA when there is more 930 * suitable candidate and the lifetime of the SA is not 931 * permanent. 932 */	930 d = candidate; 931 candidate = sav; 932 } else 933 d = sav; 934 935 /* 936 * prepared to delete the SA when there is more 937 * suitable candidate and the lifetime of the SA is not 938 * permanent. 939 */
933 if (d->lft_c->sadb_lifetime_addtime != 0) {	940 if (d->lft_c->addtime != 0) {
934 struct mbuf m, result; 935 u_int8_t satype; 936 937 key_sa_chgstate(d, SADB_SASTATE_DEAD); 938 939 IPSEC_ASSERT(d->refcnt > 0, ("bogus ref count")); 940 941 satype = key_proto2satype(d->sah->saidx.proto); --- 1840 unchanged lines hidden (view full) --- 2782 * keys to be cleared; otherwise we must do it ourself. 2783 */ 2784 if (sav->tdb_xform != NULL) { 2785 sav->tdb_xform->xf_zeroize(sav); 2786 sav->tdb_xform = NULL; 2787 } else { 2788 KASSERT(sav->iv == NULL, ("iv but no xform")); 2789 if (sav->key_auth != NULL)	941 struct mbuf m, result; 942 u_int8_t satype; 943 944 key_sa_chgstate(d, SADB_SASTATE_DEAD); 945 946 IPSEC_ASSERT(d->refcnt > 0, ("bogus ref count")); 947 948 satype = key_proto2satype(d->sah->saidx.proto); --- 1840 unchanged lines hidden (view full) --- 2789 * keys to be cleared; otherwise we must do it ourself. 2790 */ 2791 if (sav->tdb_xform != NULL) { 2792 sav->tdb_xform->xf_zeroize(sav); 2793 sav->tdb_xform = NULL; 2794 } else { 2795 KASSERT(sav->iv == NULL, ("iv but no xform")); 2796 if (sav->key_auth != NULL)
2790 bzero(_KEYBUF(sav->key_auth), _KEYLEN(sav->key_auth));	2797 bzero(sav->key_auth->key_data, _KEYLEN(sav->key_auth));
2791 if (sav->key_enc != NULL)	2798 if (sav->key_enc != NULL)
2792 bzero(_KEYBUF(sav->key_enc), _KEYLEN(sav->key_enc));	2799 bzero(sav->key_enc->key_data, _KEYLEN(sav->key_enc));
2793 } 2794 if (sav->key_auth != NULL) {	2800 } 2801 if (sav->key_auth != NULL) {
	2802 if (sav->key_auth->key_data != NULL) 2803 free(sav->key_auth->key_data, M_IPSEC_MISC);
2795 free(sav->key_auth, M_IPSEC_MISC); 2796 sav->key_auth = NULL; 2797 } 2798 if (sav->key_enc != NULL) {	2804 free(sav->key_auth, M_IPSEC_MISC); 2805 sav->key_auth = NULL; 2806 } 2807 if (sav->key_enc != NULL) {
	2808 if (sav->key_enc->key_data != NULL) 2809 free(sav->key_enc->key_data, M_IPSEC_MISC);
2799 free(sav->key_enc, M_IPSEC_MISC); 2800 sav->key_enc = NULL; 2801 } 2802 if (sav->sched) { 2803 bzero(sav->sched, sav->schedlen); 2804 free(sav->sched, M_IPSEC_MISC); 2805 sav->sched = NULL; 2806 } --- 226 unchanged lines hidden (view full) --- 3033 break; 3034 } 3035 if (error) { 3036 ipseclog((LOG_DEBUG, "%s: invalid key_auth values.\n", 3037 __func__)); 3038 goto fail; 3039 } 3040	2810 free(sav->key_enc, M_IPSEC_MISC); 2811 sav->key_enc = NULL; 2812 } 2813 if (sav->sched) { 2814 bzero(sav->sched, sav->schedlen); 2815 free(sav->sched, M_IPSEC_MISC); 2816 sav->sched = NULL; 2817 } --- 226 unchanged lines hidden (view full) --- 3044 break; 3045 } 3046 if (error) { 3047 ipseclog((LOG_DEBUG, "%s: invalid key_auth values.\n", 3048 __func__)); 3049 goto fail; 3050 } 3051
3041 sav->key_auth = key_dup(key0, len, M_IPSEC_MISC); 3042 if (sav->key_auth == NULL) { 3043 ipseclog((LOG_DEBUG, "%s: No more memory.\n",__func__));	3052 sav->key_auth = (struct seckey *)key_dup_keymsg(key0, len, 3053 M_IPSEC_MISC); 3054 if (sav->key_auth == NULL ) { 3055 ipseclog((LOG_DEBUG, "%s: No more memory.\n", 3056 __func__));
3044 error = ENOBUFS; 3045 goto fail; 3046 } 3047 } 3048 3049 /* Encryption key / 3050 if (mhp->ext[SADB_EXT_KEY_ENCRYPT] != NULL) { 3051 const struct sadb_key key0; --- 9 unchanged lines hidden (view full) --- 3061 } 3062 switch (mhp->msg->sadb_msg_satype) { 3063 case SADB_SATYPE_ESP: 3064 if (len == PFKEY_ALIGN8(sizeof(struct sadb_key)) && 3065 sav->alg_enc != SADB_EALG_NULL) { 3066 error = EINVAL; 3067 break; 3068 }	3057 error = ENOBUFS; 3058 goto fail; 3059 } 3060 } 3061 3062 /* Encryption key / 3063 if (mhp->ext[SADB_EXT_KEY_ENCRYPT] != NULL) { 3064 const struct sadb_key key0; --- 9 unchanged lines hidden (view full) --- 3074 } 3075 switch (mhp->msg->sadb_msg_satype) { 3076 case SADB_SATYPE_ESP: 3077 if (len == PFKEY_ALIGN8(sizeof(struct sadb_key)) && 3078 sav->alg_enc != SADB_EALG_NULL) { 3079 error = EINVAL; 3080 break; 3081 }
3069 sav->key_enc = key_dup(key0, len, M_IPSEC_MISC);	3082 sav->key_enc = (struct seckey *)key_dup_keymsg(key0, 3083 len, 3084 M_IPSEC_MISC);
3070 if (sav->key_enc == NULL) { 3071 ipseclog((LOG_DEBUG, "%s: No more memory.\n", 3072 __func__)); 3073 error = ENOBUFS; 3074 goto fail; 3075 } 3076 break; 3077 case SADB_X_SATYPE_IPCOMP: --- 43 unchanged lines hidden (view full) --- 3121 /* make lifetime for CURRENT */ 3122 sav->lft_c = malloc(sizeof(struct sadb_lifetime), M_IPSEC_MISC, M_NOWAIT); 3123 if (sav->lft_c == NULL) { 3124 ipseclog((LOG_DEBUG, "%s: No more memory.\n", __func__)); 3125 error = ENOBUFS; 3126 goto fail; 3127 } 3128	3085 if (sav->key_enc == NULL) { 3086 ipseclog((LOG_DEBUG, "%s: No more memory.\n", 3087 __func__)); 3088 error = ENOBUFS; 3089 goto fail; 3090 } 3091 break; 3092 case SADB_X_SATYPE_IPCOMP: --- 43 unchanged lines hidden (view full) --- 3136 /* make lifetime for CURRENT */ 3137 sav->lft_c = malloc(sizeof(struct sadb_lifetime), M_IPSEC_MISC, M_NOWAIT); 3138 if (sav->lft_c == NULL) { 3139 ipseclog((LOG_DEBUG, "%s: No more memory.\n", __func__)); 3140 error = ENOBUFS; 3141 goto fail; 3142 } 3143
3129 sav->lft_c->sadb_lifetime_len = 3130 PFKEY_UNIT64(sizeof(struct sadb_lifetime)); 3131 sav->lft_c->sadb_lifetime_exttype = SADB_EXT_LIFETIME_CURRENT; 3132 sav->lft_c->sadb_lifetime_allocations = 0; 3133 sav->lft_c->sadb_lifetime_bytes = 0; 3134 sav->lft_c->sadb_lifetime_addtime = time_second; 3135 sav->lft_c->sadb_lifetime_usetime = 0;	3144 sav->lft_c->allocations = 0; 3145 sav->lft_c->bytes = 0; 3146 sav->lft_c->addtime = time_second; 3147 sav->lft_c->usetime = 0;
3136 3137 /* lifetimes for HARD and SOFT / 3138 { 3139 const struct sadb_lifetime lft0; 3140 3141 lft0 = (struct sadb_lifetime )mhp->ext[SADB_EXT_LIFETIME_HARD]; 3142 if (lft0 != NULL) { 3143 if (mhp->extlen[SADB_EXT_LIFETIME_HARD] < sizeof(lft0)) { 3144 error = EINVAL; 3145 goto fail; 3146 }	3148 3149 /* lifetimes for HARD and SOFT / 3150 { 3151 const struct sadb_lifetime lft0; 3152 3153 lft0 = (struct sadb_lifetime )mhp->ext[SADB_EXT_LIFETIME_HARD]; 3154 if (lft0 != NULL) { 3155 if (mhp->extlen[SADB_EXT_LIFETIME_HARD] < sizeof(lft0)) { 3156 error = EINVAL; 3157 goto fail; 3158 }
3147 sav->lft_h = key_dup(lft0, sizeof(*lft0), M_IPSEC_MISC);	3159 sav->lft_h = key_dup_lifemsg(lft0, M_IPSEC_MISC);
3148 if (sav->lft_h == NULL) { 3149 ipseclog((LOG_DEBUG, "%s: No more memory.\n",__func__)); 3150 error = ENOBUFS; 3151 goto fail; 3152 } 3153 /* to be initialize ? / 3154 } 3155 3156 lft0 = (struct sadb_lifetime )mhp->ext[SADB_EXT_LIFETIME_SOFT]; 3157 if (lft0 != NULL) { 3158 if (mhp->extlen[SADB_EXT_LIFETIME_SOFT] < sizeof(*lft0)) { 3159 error = EINVAL; 3160 goto fail; 3161 }	3160 if (sav->lft_h == NULL) { 3161 ipseclog((LOG_DEBUG, "%s: No more memory.\n",__func__)); 3162 error = ENOBUFS; 3163 goto fail; 3164 } 3165 /* to be initialize ? / 3166 } 3167 3168 lft0 = (struct sadb_lifetime )mhp->ext[SADB_EXT_LIFETIME_SOFT]; 3169 if (lft0 != NULL) { 3170 if (mhp->extlen[SADB_EXT_LIFETIME_SOFT] < sizeof(*lft0)) { 3171 error = EINVAL; 3172 goto fail; 3173 }
3162 sav->lft_s = key_dup(lft0, sizeof(*lft0), M_IPSEC_MISC);	3174 sav->lft_s = key_dup_lifemsg(lft0, M_IPSEC_MISC);
3163 if (sav->lft_s == NULL) { 3164 ipseclog((LOG_DEBUG, "%s: No more memory.\n",__func__)); 3165 error = ENOBUFS; 3166 goto fail; 3167 } 3168 /* to be initialize ? / 3169 } 3170 } --- 95 unchanged lines hidden* (view full) --- 3266 / 3267static struct mbuf 3268key_setdumpsa(sav, type, satype, seq, pid) 3269 struct secasvar sav; 3270 u_int8_t type, satype; 3271 u_int32_t seq, pid; 3272{ 3273 struct mbuf result = NULL, tres = NULL, m;	3175 if (sav->lft_s == NULL) { 3176 ipseclog((LOG_DEBUG, "%s: No more memory.\n",__func__)); 3177 error = ENOBUFS; 3178 goto fail; 3179 } 3180 /* to be initialize ? / 3181 } 3182 } --- 95 unchanged lines hidden* (view full) --- 3278 / 3279static struct mbuf 3280key_setdumpsa(sav, type, satype, seq, pid) 3281 struct secasvar sav; 3282 u_int8_t type, satype; 3283 u_int32_t seq, pid; 3284{ 3285 struct mbuf result = NULL, tres = NULL, m;
3274 int l = 0;
3275 int i;	3286 int i;
3276 void *p;
3277 int dumporder[] = { 3278 SADB_EXT_SA, SADB_X_EXT_SA2, 3279 SADB_EXT_LIFETIME_HARD, SADB_EXT_LIFETIME_SOFT, 3280 SADB_EXT_LIFETIME_CURRENT, SADB_EXT_ADDRESS_SRC, 3281 SADB_EXT_ADDRESS_DST, SADB_EXT_ADDRESS_PROXY, SADB_EXT_KEY_AUTH, 3282 SADB_EXT_KEY_ENCRYPT, SADB_EXT_IDENTITY_SRC, 3283 SADB_EXT_IDENTITY_DST, SADB_EXT_SENSITIVITY, 3284 }; 3285 3286 m = key_setsadbmsg(type, 0, satype, seq, pid, sav->refcnt); 3287 if (m == NULL) 3288 goto fail; 3289 result = m; 3290 3291 for (i = sizeof(dumporder)/sizeof(dumporder[0]) - 1; i >= 0; i--) { 3292 m = NULL;	3287 int dumporder[] = { 3288 SADB_EXT_SA, SADB_X_EXT_SA2, 3289 SADB_EXT_LIFETIME_HARD, SADB_EXT_LIFETIME_SOFT, 3290 SADB_EXT_LIFETIME_CURRENT, SADB_EXT_ADDRESS_SRC, 3291 SADB_EXT_ADDRESS_DST, SADB_EXT_ADDRESS_PROXY, SADB_EXT_KEY_AUTH, 3292 SADB_EXT_KEY_ENCRYPT, SADB_EXT_IDENTITY_SRC, 3293 SADB_EXT_IDENTITY_DST, SADB_EXT_SENSITIVITY, 3294 }; 3295 3296 m = key_setsadbmsg(type, 0, satype, seq, pid, sav->refcnt); 3297 if (m == NULL) 3298 goto fail; 3299 result = m; 3300 3301 for (i = sizeof(dumporder)/sizeof(dumporder[0]) - 1; i >= 0; i--) { 3302 m = NULL;
3293 p = NULL;
3294 switch (dumporder[i]) { 3295 case SADB_EXT_SA: 3296 m = key_setsadbsa(sav); 3297 if (!m) 3298 goto fail; 3299 break; 3300 3301 case SADB_X_EXT_SA2: --- 18 unchanged lines hidden (view full) --- 3320 FULLMASK, IPSEC_ULPROTO_ANY); 3321 if (!m) 3322 goto fail; 3323 break; 3324 3325 case SADB_EXT_KEY_AUTH: 3326 if (!sav->key_auth) 3327 continue;	3303 switch (dumporder[i]) { 3304 case SADB_EXT_SA: 3305 m = key_setsadbsa(sav); 3306 if (!m) 3307 goto fail; 3308 break; 3309 3310 case SADB_X_EXT_SA2: --- 18 unchanged lines hidden (view full) --- 3329 FULLMASK, IPSEC_ULPROTO_ANY); 3330 if (!m) 3331 goto fail; 3332 break; 3333 3334 case SADB_EXT_KEY_AUTH: 3335 if (!sav->key_auth) 3336 continue;
3328 l = PFKEY_UNUNIT64(sav->key_auth->sadb_key_len); 3329 p = sav->key_auth;	3337 m = key_setkey(sav->key_auth, SADB_EXT_KEY_AUTH); 3338 if (!m) 3339 goto fail;
3330 break; 3331 3332 case SADB_EXT_KEY_ENCRYPT: 3333 if (!sav->key_enc) 3334 continue;	3340 break; 3341 3342 case SADB_EXT_KEY_ENCRYPT: 3343 if (!sav->key_enc) 3344 continue;
3335 l = PFKEY_UNUNIT64(sav->key_enc->sadb_key_len); 3336 p = sav->key_enc;	3345 m = key_setkey(sav->key_enc, SADB_EXT_KEY_ENCRYPT); 3346 if (!m) 3347 goto fail;
3337 break; 3338 3339 case SADB_EXT_LIFETIME_CURRENT: 3340 if (!sav->lft_c) 3341 continue;	3348 break; 3349 3350 case SADB_EXT_LIFETIME_CURRENT: 3351 if (!sav->lft_c) 3352 continue;
3342 l = PFKEY_UNUNIT64(((struct sadb_ext *)sav->lft_c)->sadb_ext_len); 3343 p = sav->lft_c;	3353 m = key_setlifetime(sav->lft_c, 3354 SADB_EXT_LIFETIME_CURRENT); 3355 if (!m) 3356 goto fail;
3344 break; 3345 3346 case SADB_EXT_LIFETIME_HARD: 3347 if (!sav->lft_h) 3348 continue;	3357 break; 3358 3359 case SADB_EXT_LIFETIME_HARD: 3360 if (!sav->lft_h) 3361 continue;
3349 l = PFKEY_UNUNIT64(((struct sadb_ext *)sav->lft_h)->sadb_ext_len); 3350 p = sav->lft_h;	3362 m = key_setlifetime(sav->lft_h, 3363 SADB_EXT_LIFETIME_HARD); 3364 if (!m) 3365 goto fail;
3351 break; 3352 3353 case SADB_EXT_LIFETIME_SOFT: 3354 if (!sav->lft_s) 3355 continue;	3366 break; 3367 3368 case SADB_EXT_LIFETIME_SOFT: 3369 if (!sav->lft_s) 3370 continue;
3356 l = PFKEY_UNUNIT64(((struct sadb_ext *)sav->lft_s)->sadb_ext_len); 3357 p = sav->lft_s;	3371 m = key_setlifetime(sav->lft_h, 3372 SADB_EXT_LIFETIME_SOFT); 3373 3374 if (!m) 3375 goto fail;
3358 break; 3359 3360 case SADB_EXT_ADDRESS_PROXY: 3361 case SADB_EXT_IDENTITY_SRC: 3362 case SADB_EXT_IDENTITY_DST: 3363 /* XXX: should we brought from SPD ? */ 3364 case SADB_EXT_SENSITIVITY: 3365 default: 3366 continue; 3367 } 3368	3376 break; 3377 3378 case SADB_EXT_ADDRESS_PROXY: 3379 case SADB_EXT_IDENTITY_SRC: 3380 case SADB_EXT_IDENTITY_DST: 3381 /* XXX: should we brought from SPD ? */ 3382 case SADB_EXT_SENSITIVITY: 3383 default: 3384 continue; 3385 } 3386
3369 if ((!m && !p) \|\| (m && p))	3387 if (!m)
3370 goto fail;	3388 goto fail;
3371 if (p && tres) { 3372 M_PREPEND(tres, l, M_DONTWAIT); 3373 if (!tres) 3374 goto fail; 3375 bcopy(p, mtod(tres, caddr_t), l); 3376 continue; 3377 } 3378 if (p) { 3379 m = key_alloc_mbuf(l); 3380 if (!m) 3381 goto fail; 3382 m_copyback(m, 0, l, p); 3383 } 3384
3385 if (tres) 3386 m_cat(m, tres); 3387 tres = m;	3389 if (tres) 3390 m_cat(m, tres); 3391 tres = m;
	3392
3388 } 3389 3390 m_cat(result, tres);	3393 } 3394 3395 m_cat(result, tres);
3391
3392 if (result->m_len < sizeof(struct sadb_msg)) { 3393 result = m_pullup(result, sizeof(struct sadb_msg)); 3394 if (result == NULL) 3395 goto fail; 3396 } 3397 3398 result->m_pkthdr.len = 0; 3399 for (m = result; m; m = m->m_next) --- 204 unchanged lines hidden (view full) --- 3604 p->sadb_x_policy_type = type; 3605 p->sadb_x_policy_dir = dir; 3606 p->sadb_x_policy_id = id; 3607 3608 return m; 3609} 3610 3611/* %%% utilities */	3396 if (result->m_len < sizeof(struct sadb_msg)) { 3397 result = m_pullup(result, sizeof(struct sadb_msg)); 3398 if (result == NULL) 3399 goto fail; 3400 } 3401 3402 result->m_pkthdr.len = 0; 3403 for (m = result; m; m = m->m_next) --- 204 unchanged lines hidden (view full) --- 3608 p->sadb_x_policy_type = type; 3609 p->sadb_x_policy_dir = dir; 3610 p->sadb_x_policy_id = id; 3611 3612 return m; 3613} 3614 3615/* %%% utilities */
3612/* 3613 * copy a buffer into the new buffer allocated.	3616/* Take a key message (sadb_key) from the socket and turn it into one 3617 * of the kernel's key structures (seckey). 3618 * 3619 * IN: pointer to the src 3620 * OUT: NULL no more memory
3614 */	3621 */
3615static void * 3616key_dup(const void src, u_int len, struct malloc_type type)	3622struct seckey * 3623key_dup_keymsg(const struct sadb_key src, u_int len, 3624 struct malloc_type type)
3617{	3625{
3618 void *copy;	3626 struct seckey dst; 3627 dst = (struct seckey )malloc(sizeof(struct seckey), type, M_NOWAIT); 3628 if (dst != NULL) { 3629 dst->bits = src->sadb_key_bits; 3630 dst->key_data = (char )malloc(len, type, M_NOWAIT); 3631 if (dst->key_data != NULL) { 3632 bcopy((const char )src + sizeof(struct sadb_key), 3633 dst->key_data, len); 3634 } else { 3635 ipseclog((LOG_DEBUG, "%s: No more memory.\n", 3636 __func__)); 3637 free(dst, type); 3638 dst = NULL; 3639 } 3640 } else { 3641 ipseclog((LOG_DEBUG, "%s: No more memory.\n", 3642 __func__));
3619	3643
3620 copy = malloc(len, type, M_NOWAIT); 3621 if (copy == NULL) {	3644 } 3645 return dst; 3646} 3647 3648/* Take a lifetime message (sadb_lifetime) passed in on a socket and 3649 * turn it into one of the kernel's lifetime structures (seclifetime). 3650 * 3651 * IN: pointer to the destination, source and malloc type 3652 * OUT: NULL, no more memory 3653 / 3654 3655static struct seclifetime 3656key_dup_lifemsg(const struct sadb_lifetime src, 3657 struct malloc_type type) 3658{ 3659 struct seclifetime dst = NULL; 3660 3661 dst = (struct seclifetime )malloc(sizeof(struct seclifetime), 3662 type, M_NOWAIT); 3663 if (dst == NULL) {
3622 /* XXX counter */ 3623 ipseclog((LOG_DEBUG, "%s: No more memory.\n", __func__));	3664 /* XXX counter */ 3665 ipseclog((LOG_DEBUG, "%s: No more memory.\n", __func__));
3624 } else 3625 bcopy(src, copy, len); 3626 return copy;	3666 } else { 3667 dst->allocations = src->sadb_lifetime_allocations; 3668 dst->bytes = src->sadb_lifetime_bytes; 3669 dst->addtime = src->sadb_lifetime_addtime; 3670 dst->usetime = src->sadb_lifetime_usetime; 3671 } 3672 return dst;
3627} 3628 3629/* compare my own address 3630 * OUT: 1: true, i.e. my address. 3631 * 0: false 3632 / 3633int 3634key_ismyaddr(sa) --- 431 unchanged lines hidden* (view full) --- 4066 /* sanity check / 4067 if (sav->lft_c == NULL) { 4068 ipseclog((LOG_DEBUG,"%s: there is no CURRENT " 4069 "time, why?\n", __func__)); 4070 continue; 4071 } 4072 4073 / check SOFT lifetime */	3673} 3674 3675/* compare my own address 3676 * OUT: 1: true, i.e. my address. 3677 * 0: false 3678 / 3679int 3680key_ismyaddr(sa) --- 431 unchanged lines hidden* (view full) --- 4112 /* sanity check / 4113 if (sav->lft_c == NULL) { 4114 ipseclog((LOG_DEBUG,"%s: there is no CURRENT " 4115 "time, why?\n", __func__)); 4116 continue; 4117 } 4118 4119 / check SOFT lifetime */
4074 if (sav->lft_s->sadb_lifetime_addtime != 0 && 4075 now - sav->created > sav->lft_s->sadb_lifetime_addtime) {	4120 if (sav->lft_s->addtime != 0 && 4121 now - sav->created > sav->lft_s->addtime) {
4076 /* 4077 * check SA to be used whether or not. 4078 * when SA hasn't been used, delete it. 4079 */	4122 /* 4123 * check SA to be used whether or not. 4124 * when SA hasn't been used, delete it. 4125 */
4080 if (sav->lft_c->sadb_lifetime_usetime == 0) {	4126 if (sav->lft_c->usetime == 0) {
4081 key_sa_chgstate(sav, SADB_SASTATE_DEAD); 4082 KEY_FREESAV(&sav); 4083 } else { 4084 key_sa_chgstate(sav, SADB_SASTATE_DYING); 4085 /* 4086 * XXX If we keep to send expire 4087 * message in the status of 4088 * DYING. Do remove below code. 4089 / 4090 key_expire(sav); 4091 } 4092 } 4093 / check SOFT lifetime by bytes / 4094 / 4095 * XXX I don't know the way to delete this SA 4096 * when new SA is installed. Caution when it's 4097 * installed too big lifetime by time. 4098 */	4127 key_sa_chgstate(sav, SADB_SASTATE_DEAD); 4128 KEY_FREESAV(&sav); 4129 } else { 4130 key_sa_chgstate(sav, SADB_SASTATE_DYING); 4131 /* 4132 * XXX If we keep to send expire 4133 * message in the status of 4134 * DYING. Do remove below code. 4135 / 4136 key_expire(sav); 4137 } 4138 } 4139 / check SOFT lifetime by bytes / 4140 / 4141 * XXX I don't know the way to delete this SA 4142 * when new SA is installed. Caution when it's 4143 * installed too big lifetime by time. 4144 */
4099 else if (sav->lft_s->sadb_lifetime_bytes != 0 && 4100 sav->lft_s->sadb_lifetime_bytes < sav->lft_c->sadb_lifetime_bytes) {	4145 else if (sav->lft_s->bytes != 0 && 4146 sav->lft_s->bytes < sav->lft_c->bytes) {
4101 4102 key_sa_chgstate(sav, SADB_SASTATE_DYING); 4103 /* 4104 * XXX If we keep to send expire 4105 * message in the status of 4106 * DYING. Do remove below code. 4107 / 4108 key_expire(sav); --- 8 unchanged lines hidden* (view full) --- 4117 4118 /* sanity check */ 4119 if (sav->lft_c == NULL) { 4120 ipseclog((LOG_DEBUG, "%s: there is no CURRENT " 4121 "time, why?\n", __func__)); 4122 continue; 4123 } 4124	4147 4148 key_sa_chgstate(sav, SADB_SASTATE_DYING); 4149 /* 4150 * XXX If we keep to send expire 4151 * message in the status of 4152 * DYING. Do remove below code. 4153 / 4154 key_expire(sav); --- 8 unchanged lines hidden* (view full) --- 4163 4164 /* sanity check */ 4165 if (sav->lft_c == NULL) { 4166 ipseclog((LOG_DEBUG, "%s: there is no CURRENT " 4167 "time, why?\n", __func__)); 4168 continue; 4169 } 4170
4125 if (sav->lft_h->sadb_lifetime_addtime != 0 && 4126 now - sav->created > sav->lft_h->sadb_lifetime_addtime) {	4171 if (sav->lft_h->addtime != 0 && 4172 now - sav->created > sav->lft_h->addtime) {
4127 key_sa_chgstate(sav, SADB_SASTATE_DEAD); 4128 KEY_FREESAV(&sav); 4129 } 4130#if 0 /* XXX Should we keep to send expire message until HARD lifetime ? */ 4131 else if (sav->lft_s != NULL	4173 key_sa_chgstate(sav, SADB_SASTATE_DEAD); 4174 KEY_FREESAV(&sav); 4175 } 4176#if 0 /* XXX Should we keep to send expire message until HARD lifetime ? */ 4177 else if (sav->lft_s != NULL
4132 && sav->lft_s->sadb_lifetime_addtime != 0 4133 && now - sav->created > sav->lft_s->sadb_lifetime_addtime) {	4178 && sav->lft_s->addtime != 0 4179 && now - sav->created > sav->lft_s->addtime) {
4134 /* 4135 * XXX: should be checked to be 4136 * installed the valid SA. 4137 / 4138 4139 / 4140 * If there is no SA then sending 4141 * expire message. 4142 / 4143 key_expire(sav); 4144 } 4145#endif 4146 / check HARD lifetime by bytes */	4180 /* 4181 * XXX: should be checked to be 4182 * installed the valid SA. 4183 / 4184 4185 / 4186 * If there is no SA then sending 4187 * expire message. 4188 / 4189 key_expire(sav); 4190 } 4191#endif 4192 / check HARD lifetime by bytes */
4147 else if (sav->lft_h->sadb_lifetime_bytes != 0 && 4148 sav->lft_h->sadb_lifetime_bytes < sav->lft_c->sadb_lifetime_bytes) {	4193 else if (sav->lft_h->bytes != 0 && 4194 sav->lft_h->bytes < sav->lft_c->bytes) {
4149 key_sa_chgstate(sav, SADB_SASTATE_DEAD); 4150 KEY_FREESAV(&sav); 4151 } 4152 } 4153 4154 /* delete entry in DEAD / 4155 LIST_FOREACH_SAFE(sav, &sah->savtree[SADB_SASTATE_DEAD], chain, nextsav) { 4156 / sanity check / --- 815 unchanged lines hidden* (view full) --- 4972 default: 4973 /* XXX do nothing / 4974 sah->idents = NULL; 4975 sah->identd = NULL; 4976 return 0; 4977 } 4978 4979 / make structure */	4195 key_sa_chgstate(sav, SADB_SASTATE_DEAD); 4196 KEY_FREESAV(&sav); 4197 } 4198 } 4199 4200 /* delete entry in DEAD / 4201 LIST_FOREACH_SAFE(sav, &sah->savtree[SADB_SASTATE_DEAD], chain, nextsav) { 4202 / sanity check / --- 815 unchanged lines hidden* (view full) --- 5018 default: 5019 /* XXX do nothing / 5020 sah->idents = NULL; 5021 sah->identd = NULL; 5022 return 0; 5023 } 5024 5025 / make structure */
4980 sah->idents = malloc(idsrclen, M_IPSEC_MISC, M_NOWAIT);	5026 sah->idents = malloc(sizeof(struct secident), M_IPSEC_MISC, M_NOWAIT);
4981 if (sah->idents == NULL) { 4982 ipseclog((LOG_DEBUG, "%s: No more memory.\n", __func__)); 4983 return ENOBUFS; 4984 }	5027 if (sah->idents == NULL) { 5028 ipseclog((LOG_DEBUG, "%s: No more memory.\n", __func__)); 5029 return ENOBUFS; 5030 }
4985 sah->identd = malloc(iddstlen, M_IPSEC_MISC, M_NOWAIT);	5031 sah->identd = malloc(sizeof(struct secident), M_IPSEC_MISC, M_NOWAIT);
4986 if (sah->identd == NULL) { 4987 free(sah->idents, M_IPSEC_MISC); 4988 sah->idents = NULL; 4989 ipseclog((LOG_DEBUG, "%s: No more memory.\n", __func__)); 4990 return ENOBUFS; 4991 }	5032 if (sah->identd == NULL) { 5033 free(sah->idents, M_IPSEC_MISC); 5034 sah->idents = NULL; 5035 ipseclog((LOG_DEBUG, "%s: No more memory.\n", __func__)); 5036 return ENOBUFS; 5037 }
4992 bcopy(idsrc, sah->idents, idsrclen); 4993 bcopy(iddst, sah->identd, iddstlen);	5038 sah->idents->type = idsrc->sadb_ident_type; 5039 sah->idents->id = idsrc->sadb_ident_id;
4994	5040
	5041 sah->identd->type = iddst->sadb_ident_type; 5042 sah->identd->id = iddst->sadb_ident_id; 5043
4995 return 0; 4996} 4997 4998/* 4999 * m will not be freed on return. 5000 * it is caller's responsibility to free the result. 5001 / 5002static struct mbuf --- 1254 unchanged lines hidden (view full) --- 6257 m_freem(m); 6258 error = ENOBUFS; 6259 goto fail; 6260 } 6261 bzero(mtod(m, caddr_t), len); 6262 lt = mtod(m, struct sadb_lifetime *); 6263 lt->sadb_lifetime_len = PFKEY_UNIT64(sizeof(struct sadb_lifetime)); 6264 lt->sadb_lifetime_exttype = SADB_EXT_LIFETIME_CURRENT;	5044 return 0; 5045} 5046 5047/* 5048 * m will not be freed on return. 5049 * it is caller's responsibility to free the result. 5050 / 5051static struct mbuf --- 1254 unchanged lines hidden (view full) --- 6306 m_freem(m); 6307 error = ENOBUFS; 6308 goto fail; 6309 } 6310 bzero(mtod(m, caddr_t), len); 6311 lt = mtod(m, struct sadb_lifetime *); 6312 lt->sadb_lifetime_len = PFKEY_UNIT64(sizeof(struct sadb_lifetime)); 6313 lt->sadb_lifetime_exttype = SADB_EXT_LIFETIME_CURRENT;
6265 lt->sadb_lifetime_allocations = sav->lft_c->sadb_lifetime_allocations; 6266 lt->sadb_lifetime_bytes = sav->lft_c->sadb_lifetime_bytes; 6267 lt->sadb_lifetime_addtime = sav->lft_c->sadb_lifetime_addtime; 6268 lt->sadb_lifetime_usetime = sav->lft_c->sadb_lifetime_usetime;	6314 lt->sadb_lifetime_allocations = sav->lft_c->allocations; 6315 lt->sadb_lifetime_bytes = sav->lft_c->bytes; 6316 lt->sadb_lifetime_addtime = sav->lft_c->addtime; 6317 lt->sadb_lifetime_usetime = sav->lft_c->usetime;
6269 lt = (struct sadb_lifetime )(mtod(m, caddr_t) + len / 2); 6270 bcopy(sav->lft_s, lt, sizeof(lt)); 6271 m_cat(result, m); 6272 6273 /* set sadb_address for source / 6274 m = key_setsadbaddr(SADB_EXT_ADDRESS_SRC, 6275 &sav->sah->saidx.src.sa, 6276 FULLMASK, IPSEC_ULPROTO_ANY); --- 821 unchanged lines hidden* (view full) --- 7098 IPSEC_ASSERT(m != NULL, ("Null mbuf")); 7099 if (!sav->lft_c) 7100 return; 7101 7102 /* 7103 * XXX Currently, there is a difference of bytes size 7104 * between inbound and outbound processing. 7105 */	6318 lt = (struct sadb_lifetime )(mtod(m, caddr_t) + len / 2); 6319 bcopy(sav->lft_s, lt, sizeof(lt)); 6320 m_cat(result, m); 6321 6322 /* set sadb_address for source / 6323 m = key_setsadbaddr(SADB_EXT_ADDRESS_SRC, 6324 &sav->sah->saidx.src.sa, 6325 FULLMASK, IPSEC_ULPROTO_ANY); --- 821 unchanged lines hidden* (view full) --- 7147 IPSEC_ASSERT(m != NULL, ("Null mbuf")); 7148 if (!sav->lft_c) 7149 return; 7150 7151 /* 7152 * XXX Currently, there is a difference of bytes size 7153 * between inbound and outbound processing. 7154 */
7106 sav->lft_c->sadb_lifetime_bytes += m->m_pkthdr.len;	7155 sav->lft_c->bytes += m->m_pkthdr.len;
7107 /* to check bytes lifetime is done in key_timehandler(). / 7108 7109 / 7110 * We use the number of packets as the unit of	7156 /* to check bytes lifetime is done in key_timehandler(). / 7157 7158 / 7159 * We use the number of packets as the unit of
7111 * sadb_lifetime_allocations. We increment the variable	7160 * allocations. We increment the variable
7112 * whenever {esp,ah}_{in,out}put is called. 7113 */	7161 * whenever {esp,ah}_{in,out}put is called. 7162 */
7114 sav->lft_c->sadb_lifetime_allocations++;	7163 sav->lft_c->allocations++;
7115 /* XXX check for expires? / 7116 7117 /	7164 /* XXX check for expires? / 7165 7166 /
7118 * NOTE: We record CURRENT sadb_lifetime_usetime by using wall clock,	7167 * NOTE: We record CURRENT usetime by using wall clock,
7119 * in seconds. HARD and SOFT lifetime are measured by the time	7168 * in seconds. HARD and SOFT lifetime are measured by the time
7120 * difference (again in seconds) from sadb_lifetime_usetime.	7169 * difference (again in seconds) from usetime.
7121 * 7122 * usetime 7123 * v expire expire 7124 * -----+-----+--------+---> t 7125 * <--------------> HARD 7126 * <-----> SOFT 7127 */	7170 * 7171 * usetime 7172 * v expire expire 7173 * -----+-----+--------+---> t 7174 * <--------------> HARD 7175 * <-----> SOFT 7176 */
7128 sav->lft_c->sadb_lifetime_usetime = time_second;	7177 sav->lft_c->usetime = time_second;
7129 /* XXX check for expires? / 7130 7131 return; 7132} 7133 7134/ dumb version / 7135void 7136key_sa_routechange(dst) --- 72 unchanged lines hidden* (view full) --- 7209 if (m) 7210 m_cat(m, n); 7211 else 7212 m = n; 7213 } 7214 7215 return m; 7216}	7178 /* XXX check for expires? / 7179 7180 return; 7181} 7182 7183/ dumb version / 7184void 7185key_sa_routechange(dst) --- 72 unchanged lines hidden* (view full) --- 7258 if (m) 7259 m_cat(m, n); 7260 else 7261 m = n; 7262 } 7263 7264 return m; 7265}
	7266 7267/* 7268 * Take one of the kernel's security keys and convert it into a PF_KEY 7269 * structure within an mbuf, suitable for sending up to a waiting 7270 * application in user land. 7271 * 7272 * IN: 7273 * src: A pointer to a kernel security key. 7274 * exttype: Which type of key this is. Refer to the PF_KEY data structures. 7275 * OUT: 7276 * a valid mbuf or NULL indicating an error 7277 * 7278 / 7279 7280static struct mbuf 7281key_setkey(struct seckey src, u_int16_t exttype) 7282{ 7283 struct mbuf m; 7284 struct sadb_key p; 7285 int len = PFKEY_ALIGN8(sizeof(struct sadb_key) + _KEYLEN(src)); 7286 7287 if (src == NULL) 7288 return NULL; 7289 7290 m = key_alloc_mbuf(len); 7291 if (m == NULL) 7292 return NULL; 7293 p = mtod(m, struct sadb_key ); 7294 bzero(p, len); 7295 p->sadb_key_len = PFKEY_UNIT64(len); 7296 p->sadb_key_exttype = exttype; 7297 p->sadb_key_bits = src->bits; 7298 bcopy(src->key_data, _KEYBUF(p), _KEYLEN(src)); 7299 7300 return m; 7301} 7302 7303/* 7304 * Take one of the kernel's lifetime data structures and convert it 7305 * into a PF_KEY structure within an mbuf, suitable for sending up to 7306 * a waiting application in user land. 7307 * 7308 * IN: 7309 * src: A pointer to a kernel lifetime structure. 7310 * exttype: Which type of lifetime this is. Refer to the PF_KEY 7311 * data structures for more information. 7312 * OUT: 7313 * a valid mbuf or NULL indicating an error 7314 * 7315 / 7316 7317static struct mbuf 7318key_setlifetime(struct seclifetime src, u_int16_t exttype) 7319{ 7320 struct mbuf m = NULL; 7321 struct sadb_lifetime p; 7322 int len = PFKEY_ALIGN8(sizeof(struct sadb_lifetime)); 7323 7324 if (src == NULL) 7325 return NULL; 7326 7327 m = key_alloc_mbuf(len); 7328 if (m == NULL) 7329 return m; 7330 p = mtod(m, struct sadb_lifetime ); 7331 7332 bzero(p, len); 7333 p->sadb_lifetime_len = PFKEY_UNIT64(len); 7334 p->sadb_lifetime_exttype = exttype; 7335 p->sadb_lifetime_allocations = src->allocations; 7336 p->sadb_lifetime_bytes = src->bytes; 7337 p->sadb_lifetime_addtime = src->addtime; 7338 p->sadb_lifetime_usetime = src->usetime; 7339 7340 return m; 7341 7342}