
3 /*-
4 * SPDX-License-Identifier: BSD-3-Clause
127 * - SAs that are not in DEAD state will have (total external reference + 1)
130 * - SAs that are in DEAD state will have (total external reference)
225 (key_addrprotohash(&(idx)->src, &(idx)->dst, &(idx)->ul_proto) & \
272 (key_addrprotohash(&(idx)->src, &(idx)->dst, &(idx)->proto) & \
277 /* Hash table for lookup in SAD using SPI */
285 #define SAVHASH_HASHVAL(spi) (key_u32hash(spi) & V_savhash_mask) argument
286 #define SAVHASH_HASH(spi) &V_savhashtbl[SAVHASH_HASHVAL(spi)] argument
296 switch (dst->sa.sa_family) { in key_addrprotohash()
299 hval = fnv_32_buf(&src->sin.sin_addr, in key_addrprotohash()
301 hval = fnv_32_buf(&dst->sin.sin_addr, in key_addrprotohash()
307 hval = fnv_32_buf(&src->sin6.sin6_addr, in key_addrprotohash()
309 hval = fnv_32_buf(&dst->sin6.sin6_addr, in key_addrprotohash()
316 __func__, dst->sa.sa_family)); in key_addrprotohash()
366 (key_addrprotohash(&(idx)->src, &(idx)->dst, &(idx)->proto) & \
466 ((_mhp)->extlen[(_ext)] < minsize[(_ext)] || (maxsize[(_ext)] != 0 && \
467 ((_mhp)->extlen[(_ext)] > maxsize[(_ext)])))
468 #define SADB_CHECKHDR(_mhp, _ext) ((_mhp)->ext[(_ext)] == NULL)
500 /* maximum number of attempts when choosing an SPI value */
504 /* minimum spi value to allocate automatically. */
508 /* maximum spi value to allocate automatically. */
557 (!((elm)->chain.le_next == NULL && (elm)->chain.le_prev == NULL))
563 MALLOC_DEFINE(M_IPSEC_MISC, "ipsec-misc", "ipsec miscellaneous");
564 MALLOC_DEFINE(M_IPSEC_SAQ, "ipsec-saq", "ipsec sa acquire");
565 MALLOC_DEFINE(M_IPSEC_SAR, "ipsec-reg", "ipsec sa acquire");
566 MALLOC_DEFINE(M_IPSEC_SPDCACHE, "ipsec-spdcache", "ipsec SPD cache");
577 (idx)->dir = (_dir); \
578 (idx)->prefs = (ps); \
579 (idx)->prefd = (pd); \
580 (idx)->ul_proto = (ulp); \
581 bcopy((s), &(idx)->src, ((const struct sockaddr *)(s))->sa_len); \
582 bcopy((d), &(idx)->dst, ((const struct sockaddr *)(d))->sa_len); \
592 (idx)->proto = (p); \
593 (idx)->mode = (m); \
594 (idx)->reqid = (r); \
595 bcopy((s), &(idx)->src, ((const struct sockaddr *)(s))->sa_len); \
596 bcopy((d), &(idx)->dst, ((const struct sockaddr *)(d))->sa_len); \
597 key_porttosaddr(&(idx)->src.sa, 0); \
598 key_porttosaddr(&(idx)->dst.sa, 0); \
603 u_long getspi_count; /* the avarage of count to try to get new SPI */
782 refcount_init(&(p)->refcnt, 1); \
785 __func__, #t, (p), (p)->refcnt)); \
788 refcount_acquire(&(p)->refcnt); \
790 printf("%s: Acquire refcnt %s(%p) -> %u\n", \
791 __func__, #t, (p), (p)->refcnt)); \
795 printf("%s: Release refcnt %s(%p) -> %u\n", \
796 __func__, #t, (p), (p)->refcnt - 1)); \
797 refcount_release(&(p)->refcnt); \
800 #define IPSEC_INITREF(t, p) refcount_init(&(p)->refcnt, 1)
801 #define IPSEC_ADDREF(t, p) refcount_acquire(&(p)->refcnt)
802 #define IPSEC_DELREF(t, p) refcount_release(&(p)->refcnt)
849 * pre-zeroed to help ensure that uninitialized pad bytes are not leaked.
889 if (src->sa_family != dst->sa_family) in key_checksockaddrs()
892 if (src->sa_len != dst->sa_len) in key_checksockaddrs()
894 switch (src->sa_family) { in key_checksockaddrs()
897 if (src->sa_len != sizeof(struct sockaddr_in)) in key_checksockaddrs()
903 if (src->sa_len != sizeof(struct sockaddr_in6)) in key_checksockaddrs()
925 if (key_cmpspidx_withmask(&sp->spidx, spidx)) { in key_do_allocsp()
959 if (entry->sp != NULL && in key_allocsp()
960 entry->sp->state == IPSEC_SPSTATE_DEAD) { in key_allocsp()
967 if (!key_cmpspidx_exactly(&entry->spidx, spidx)) { in key_allocsp()
972 sp = entry->sp; in key_allocsp()
973 if (entry->sp != NULL) in key_allocsp()
1000 if (__predict_false(sp->lastused != ts)) in key_allocsp()
1001 sp->lastused = ts; in key_allocsp()
1016 * We don't use key_allocsa() for such lookups, because we don't know SPI.
1017 * Unlike ESP and AH protocols, SPI isn't transmitted in the TCP header with
1029 IPSEC_ASSERT(saidx->proto == IPPROTO_TCP, in key_allocsa_tcpmd5()
1030 ("unexpected security protocol %u", saidx->proto)); in key_allocsa_tcpmd5()
1031 IPSEC_ASSERT(saidx->mode == IPSEC_MODE_TCPMD5, in key_allocsa_tcpmd5()
1032 ("unexpected mode %u", saidx->mode)); in key_allocsa_tcpmd5()
1039 if (sah->saidx.proto != IPPROTO_TCP) in key_allocsa_tcpmd5()
1041 if (!key_sockaddrcmp(&saidx->dst.sa, &sah->saidx.dst.sa, 0) && in key_allocsa_tcpmd5()
1042 !key_sockaddrcmp(&saidx->src.sa, &sah->saidx.src.sa, 0)) in key_allocsa_tcpmd5()
1047 sav = TAILQ_LAST(&sah->savtree_alive, secasvar_queue); in key_allocsa_tcpmd5()
1049 sav = TAILQ_FIRST(&sah->savtree_alive); in key_allocsa_tcpmd5()
1083 IPSEC_ASSERT(saidx->mode == IPSEC_MODE_TRANSPORT || in key_allocsa_policy()
1084 saidx->mode == IPSEC_MODE_TUNNEL, in key_allocsa_policy()
1085 ("unexpected policy %u", saidx->mode)); in key_allocsa_policy()
1099 if (key_cmpsaidx(&sah->saidx, saidx, CMP_MODE_REQID)) in key_allocsa_policy()
1105 * draft-jenkins-ipsec-rekeying-03. in key_allocsa_policy()
1108 sav = TAILQ_LAST(&sah->savtree_alive, secasvar_queue); in key_allocsa_policy()
1110 sav = TAILQ_FIRST(&sah->savtree_alive); in key_allocsa_policy()
1145 * According to RFC 2401 SA is uniquely identified by a triple SPI,
1147 * SPI by itself suffices to specify an SA.
1154 key_allocsa(union sockaddr_union *dst, uint8_t proto, uint32_t spi) in key_allocsa() argument
1164 LIST_FOREACH(sav, SAVHASH_HASH(spi), spihash) { in key_allocsa()
1165 if (sav->spi == spi) in key_allocsa()
1169 * We use single SPI namespace for all protocols, so it is in key_allocsa()
1170 * impossible to have SPI duplicates in the SAVHASH. in key_allocsa()
1173 if (sav->state != SADB_SASTATE_LARVAL && in key_allocsa()
1174 sav->sah->saidx.proto == proto && in key_allocsa()
1175 key_sockaddrcmp(&dst->sa, in key_allocsa()
1176 &sav->sah->saidx.dst.sa, 0) == 0) in key_allocsa()
1186 printf("%s: SA not found for spi %u proto %u dst %s\n", in key_allocsa()
1187 __func__, ntohl(spi), proto, ipsec_address(dst, buf, in key_allocsa()
1209 KEY_SETSECASIDX(proto, IPSEC_MODE_TUNNEL, 0, &src->sa, in key_allocsa_tunnel()
1210 &dst->sa, &saidx); in key_allocsa_tunnel()
1215 if (IPSEC_MODE_TUNNEL != sah->saidx.mode) in key_allocsa_tunnel()
1217 if (proto != sah->saidx.proto) in key_allocsa_tunnel()
1219 if (key_sockaddrcmp(&src->sa, &sah->saidx.src.sa, 0) != 0) in key_allocsa_tunnel()
1221 if (key_sockaddrcmp(&dst->sa, &sah->saidx.dst.sa, 0) != 0) in key_allocsa_tunnel()
1225 sav = TAILQ_LAST(&sah->savtree_alive, secasvar_queue); in key_allocsa_tunnel()
1227 sav = TAILQ_FIRST(&sah->savtree_alive); in key_allocsa_tunnel()
1259 KASSERT(CK_LIST_EMPTY(&sp->accel_ifps), in key_freesp()
1261 free(__DECONST(char *, sp->accel_ifname), M_IPSEC_MISC); in key_freesp()
1263 while (sp->tcount > 0) in key_freesp()
1264 ipsec_delisr(sp->req[--sp->tcount]); in key_freesp()
1283 IPSEC_ASSERT(sp->spidx.dir == IPSEC_DIR_INBOUND || in key_detach()
1284 sp->spidx.dir == IPSEC_DIR_OUTBOUND, in key_detach()
1285 ("invalid direction %u", sp->spidx.dir)); in key_detach()
1290 if (sp->state != IPSEC_SPSTATE_ALIVE) { in key_detach()
1294 sp->state = IPSEC_SPSTATE_DEAD; in key_detach()
1296 TAILQ_REMOVE(&V_sptree[sp->spidx.dir], sp, chain); in key_detach()
1297 V_spd_size--; in key_detach()
1303 * insert a secpolicy into the SP database. Lower priorities first
1311 TAILQ_FOREACH(sp, &V_sptree[newsp->spidx.dir], chain) { in key_insertsp()
1312 if (newsp->priority < sp->priority) { in key_insertsp()
1317 TAILQ_INSERT_TAIL(&V_sptree[newsp->spidx.dir], newsp, chain); in key_insertsp()
1319 LIST_INSERT_HEAD(SPHASH_HASH(newsp->id), newsp, idhash); in key_insertsp()
1320 newsp->state = IPSEC_SPSTATE_ALIVE; in key_insertsp()
1330 * delete. The only way to delete such policies is to destroy or unconfigure
1345 * First of try to acquire id for each SP. in key_register_ifnet()
1348 IPSEC_ASSERT(spp[i]->spidx.dir == IPSEC_DIR_INBOUND || in key_register_ifnet()
1349 spp[i]->spidx.dir == IPSEC_DIR_OUTBOUND, in key_register_ifnet()
1350 ("invalid direction %u", spp[i]->spidx.dir)); in key_register_ifnet()
1352 if ((spp[i]->id = key_getnewspid()) == 0) { in key_register_ifnet()
1358 TAILQ_INSERT_TAIL(&V_sptree_ifnet[spp[i]->spidx.dir], in key_register_ifnet()
1366 LIST_INSERT_HEAD(SPHASH_HASH(spp[i]->id), spp[i], idhash); in key_register_ifnet()
1367 spp[i]->state = IPSEC_SPSTATE_IFNET; in key_register_ifnet()
1390 IPSEC_ASSERT(spp[i]->spidx.dir == IPSEC_DIR_INBOUND || in key_unregister_ifnet()
1391 spp[i]->spidx.dir == IPSEC_DIR_OUTBOUND, in key_unregister_ifnet()
1392 ("invalid direction %u", spp[i]->spidx.dir)); in key_unregister_ifnet()
1394 if (spp[i]->state != IPSEC_SPSTATE_IFNET) in key_unregister_ifnet()
1396 spp[i]->state = IPSEC_SPSTATE_DEAD; in key_unregister_ifnet()
1398 TAILQ_REMOVE(&V_sptree_ifnet[spp[i]->spidx.dir], in key_unregister_ifnet()
1400 V_spd_size--; in key_unregister_ifnet()
1438 * Unlink SA from SAH and SPI hash under SAHTREE_WLOCK.
1453 if (sav->state == SADB_SASTATE_DEAD) { in key_unlinksav()
1459 if (sav->state == SADB_SASTATE_LARVAL) in key_unlinksav()
1460 TAILQ_REMOVE(&sav->sah->savtree_larval, sav, chain); in key_unlinksav()
1462 TAILQ_REMOVE(&sav->sah->savtree_alive, sav, chain); in key_unlinksav()
1463 /* Unlink from SPI hash */ in key_unlinksav()
1465 sav->state = SADB_SASTATE_DEAD; in key_unlinksav()
1467 sah = sav->sah; in key_unlinksav()
1489 TAILQ_FOREACH(sp, &V_sptree[spidx->dir], chain) { in key_getsp()
1490 if (key_cmpspidx_exactly(spidx, &sp->spidx)) { in key_getsp()
1513 if (sp->id == id) { in key_getspbyid()
1572 newsp->spidx.dir = xpl0->sadb_x_policy_dir; in key_msg2sp()
1573 newsp->policy = xpl0->sadb_x_policy_type; in key_msg2sp()
1574 newsp->priority = xpl0->sadb_x_policy_priority; in key_msg2sp()
1575 newsp->tcount = 0; in key_msg2sp()
1578 switch (xpl0->sadb_x_policy_type) { in key_msg2sp()
1600 tlen = PFKEY_EXTLEN(xpl0) - sizeof(*xpl0); in key_msg2sp()
1605 if (xisr->sadb_x_ipsecrequest_len < sizeof(*xisr) || in key_msg2sp()
1606 xisr->sadb_x_ipsecrequest_len > tlen) { in key_msg2sp()
1614 if (newsp->tcount >= IPSEC_MAXREQ) { in key_msg2sp()
1634 newsp->req[newsp->tcount++] = isr; in key_msg2sp()
1637 switch (xisr->sadb_x_ipsecrequest_proto) { in key_msg2sp()
1645 xisr->sadb_x_ipsecrequest_proto)); in key_msg2sp()
1650 isr->saidx.proto = in key_msg2sp()
1651 (uint8_t)xisr->sadb_x_ipsecrequest_proto; in key_msg2sp()
1653 switch (xisr->sadb_x_ipsecrequest_mode) { in key_msg2sp()
1661 xisr->sadb_x_ipsecrequest_mode)); in key_msg2sp()
1666 isr->saidx.mode = xisr->sadb_x_ipsecrequest_mode; in key_msg2sp()
1668 switch (xisr->sadb_x_ipsecrequest_level) { in key_msg2sp()
1679 if (xisr->sadb_x_ipsecrequest_reqid in key_msg2sp()
1685 xisr->sadb_x_ipsecrequest_reqid)); in key_msg2sp()
1686 xisr->sadb_x_ipsecrequest_reqid = 0; in key_msg2sp()
1690 if (xisr->sadb_x_ipsecrequest_reqid == 0) { in key_msg2sp()
1697 isr->saidx.reqid = reqid; in key_msg2sp()
1698 xisr->sadb_x_ipsecrequest_reqid = reqid; in key_msg2sp()
1701 isr->saidx.reqid = in key_msg2sp()
1702 xisr->sadb_x_ipsecrequest_reqid; in key_msg2sp()
1709 xisr->sadb_x_ipsecrequest_level)); in key_msg2sp()
1714 isr->level = xisr->sadb_x_ipsecrequest_level; in key_msg2sp()
1717 if (xisr->sadb_x_ipsecrequest_len > sizeof(*xisr)) { in key_msg2sp()
1720 len = tlen - sizeof(*xisr); in key_msg2sp()
1724 len < 2 * paddr->sa_len || in key_msg2sp()
1725 paddr->sa_len > sizeof(isr->saidx.src)) { in key_msg2sp()
1737 if (xisr->sadb_x_ipsecrequest_len < in key_msg2sp()
1738 sizeof(*xisr) + 2 * paddr->sa_len) { in key_msg2sp()
1746 bcopy(paddr, &isr->saidx.src, paddr->sa_len); in key_msg2sp()
1748 paddr->sa_len); in key_msg2sp()
1751 if (paddr->sa_len != in key_msg2sp()
1752 isr->saidx.src.sa.sa_len) { in key_msg2sp()
1761 if (paddr->sa_family != in key_msg2sp()
1762 isr->saidx.src.sa.sa_family) { in key_msg2sp()
1770 bcopy(paddr, &isr->saidx.dst, paddr->sa_len); in key_msg2sp()
1776 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) { in key_msg2sp()
1784 tlen -= xisr->sadb_x_ipsecrequest_len; in key_msg2sp()
1796 + xisr->sadb_x_ipsecrequest_len); in key_msg2sp()
1799 if (newsp->tcount < 1) { in key_msg2sp()
1847 m->m_len = tlen; in key_sp2mbuf()
1848 if (key_sp2msg(sp, m->m_data, &tlen) != 0) { in key_sp2mbuf()
1877 xpl->sadb_x_policy_exttype = SADB_X_EXT_POLICY; in key_sp2msg()
1878 xpl->sadb_x_policy_type = sp->policy; in key_sp2msg()
1879 xpl->sadb_x_policy_dir = sp->spidx.dir; in key_sp2msg()
1880 xpl->sadb_x_policy_id = sp->id; in key_sp2msg()
1881 xpl->sadb_x_policy_priority = sp->priority; in key_sp2msg()
1882 switch (sp->state) { in key_sp2msg()
1884 xpl->sadb_x_policy_scope = IPSEC_POLICYSCOPE_IFNET; in key_sp2msg()
1887 xpl->sadb_x_policy_scope = IPSEC_POLICYSCOPE_PCB; in key_sp2msg()
1890 xpl->sadb_x_policy_scope = IPSEC_POLICYSCOPE_GLOBAL; in key_sp2msg()
1894 if (sp->policy == IPSEC_POLICY_IPSEC) { in key_sp2msg()
1896 for (i = 0; i < sp->tcount; i++) { in key_sp2msg()
1897 isr = sp->req[i]; in key_sp2msg()
1899 isr->saidx.src.sa.sa_len + in key_sp2msg()
1900 isr->saidx.dst.sa.sa_len); in key_sp2msg()
1908 xisr->sadb_x_ipsecrequest_len = ilen; in key_sp2msg()
1909 xisr->sadb_x_ipsecrequest_proto = isr->saidx.proto; in key_sp2msg()
1910 xisr->sadb_x_ipsecrequest_mode = isr->saidx.mode; in key_sp2msg()
1911 xisr->sadb_x_ipsecrequest_level = isr->level; in key_sp2msg()
1912 xisr->sadb_x_ipsecrequest_reqid = isr->saidx.reqid; in key_sp2msg()
1915 bcopy(&isr->saidx.src, p, isr->saidx.src.sa.sa_len); in key_sp2msg()
1916 p += isr->saidx.src.sa.sa_len; in key_sp2msg()
1917 bcopy(&isr->saidx.dst, p, isr->saidx.dst.sa.sa_len); in key_sp2msg()
1918 p += isr->saidx.dst.sa.sa_len; in key_sp2msg()
1921 xpl->sadb_x_policy_len = PFKEY_UNIT64(xlen); in key_sp2msg()
1923 if (error == 0 && sp->accel_ifname != NULL) { in key_sp2msg()
1926 xif->sadb_x_if_hw_offl_len = PFKEY_UNIT64(sizeof(*xif)); in key_sp2msg()
1927 xif->sadb_x_if_hw_offl_exttype = SADB_X_EXT_IF_HW_OFFL; in key_sp2msg()
1928 xif->sadb_x_if_hw_offl_flags = 0; in key_sp2msg()
1929 strncpy(xif->sadb_x_if_hw_offl_if, sp->accel_ifname, in key_sp2msg()
1930 sizeof(xif->sadb_x_if_hw_offl_if)); in key_sp2msg()
1961 if (idx == SADB_EXT_RESERVED && mhp->msg == NULL) in key_gather_mbuf()
1964 (mhp->ext[idx] == NULL || mhp->extlen[idx] == 0)) in key_gather_mbuf()
1975 n->m_len = len; in key_gather_mbuf()
1976 n->m_next = NULL; in key_gather_mbuf()
1980 len = mhp->extlen[idx]; in key_gather_mbuf()
1985 n->m_len = len; in key_gather_mbuf()
1986 m_copydata(m, mhp->extoff[idx], mhp->extlen[idx], in key_gather_mbuf()
1989 n = m_copym(m, mhp->extoff[idx], mhp->extlen[idx], in key_gather_mbuf()
2002 if ((result->m_flags & M_PKTHDR) != 0) { in key_gather_mbuf()
2003 result->m_pkthdr.len = 0; in key_gather_mbuf()
2004 for (n = result; n; n = n->m_next) in key_gather_mbuf()
2005 result->m_pkthdr.len += n->m_len; in key_gather_mbuf()
2046 IPSEC_ASSERT(mhp->msg != NULL, ("null msg")); in key_spdadd()
2070 lft = (struct sadb_lifetime *)mhp->ext[SADB_EXT_LIFETIME_HARD]; in key_spdadd()
2073 src0 = (struct sadb_address *)mhp->ext[SADB_EXT_ADDRESS_SRC]; in key_spdadd()
2074 dst0 = (struct sadb_address *)mhp->ext[SADB_EXT_ADDRESS_DST]; in key_spdadd()
2075 xpl0 = (struct sadb_x_policy *)mhp->ext[SADB_X_EXT_POLICY]; in key_spdadd()
2078 switch (xpl0->sadb_x_policy_dir) { in key_spdadd()
2087 if (xpl0->sadb_x_policy_type != IPSEC_POLICY_DISCARD && in key_spdadd()
2088 xpl0->sadb_x_policy_type != IPSEC_POLICY_NONE && in key_spdadd()
2089 xpl0->sadb_x_policy_type != IPSEC_POLICY_IPSEC) { in key_spdadd()
2095 if (xpl0->sadb_x_policy_type == IPSEC_POLICY_IPSEC && in key_spdadd()
2096 mhp->extlen[SADB_X_EXT_POLICY] <= sizeof(*xpl0)) { in key_spdadd()
2105 src0->sadb_address_proto != dst0->sadb_address_proto) { in key_spdadd()
2110 KEY_SETSECSPIDX(xpl0->sadb_x_policy_dir, in key_spdadd()
2113 src0->sadb_address_prefixlen, in key_spdadd()
2114 dst0->sadb_address_prefixlen, in key_spdadd()
2115 src0->sadb_address_proto, in key_spdadd()
2120 if (mhp->msg->sadb_msg_type == SADB_X_SPDUPDATE) { in key_spdadd()
2142 newsp->lastused = newsp->created = time_second; in key_spdadd()
2143 newsp->lifetime = lft ? lft->sadb_lifetime_addtime : 0; in key_spdadd()
2144 newsp->validtime = lft ? lft->sadb_lifetime_usetime : 0; in key_spdadd()
2145 bcopy(&spidx, &newsp->spidx, sizeof(spidx)); in key_spdadd()
2151 xof = (struct sadb_x_if_hw_offl *)mhp->ext[ in key_spdadd()
2153 newsp->accel_ifname = malloc(sizeof(xof->sadb_x_if_hw_offl_if), in key_spdadd()
2155 if (newsp->accel_ifname == NULL) { in key_spdadd()
2161 strncpy(__DECONST(char *, newsp->accel_ifname), in key_spdadd()
2162 xof->sadb_x_if_hw_offl_if, in key_spdadd()
2163 sizeof(xof->sadb_x_if_hw_offl_if)); in key_spdadd()
2169 if ((newsp->id = key_getnewspid()) == 0) { in key_spdadd()
2175 key_freesp(&oldsp); /* first for key_detach */ in key_spdadd()
2190 key_freesp(&oldsp); /* first for key_detach */ in key_spdadd()
2218 if (n->m_len < sizeof(*newmsg)) { in key_spdadd()
2224 newmsg->sadb_msg_errno = 0; in key_spdadd()
2225 newmsg->sadb_msg_len = PFKEY_UNIT64(n->m_pkthdr.len); in key_spdadd()
2235 if (xpl->sadb_x_policy_exttype != SADB_X_EXT_POLICY) { in key_spdadd()
2239 xpl->sadb_x_policy_id = newsp->id; in key_spdadd()
2268 if (sp->id == newid) in key_getnewspid()
2306 IPSEC_ASSERT(mhp->msg != NULL, ("null msg")); in key_spddelete()
2324 src0 = (struct sadb_address *)mhp->ext[SADB_EXT_ADDRESS_SRC]; in key_spddelete()
2325 dst0 = (struct sadb_address *)mhp->ext[SADB_EXT_ADDRESS_DST]; in key_spddelete()
2326 xpl0 = (struct sadb_x_policy *)mhp->ext[SADB_X_EXT_POLICY]; in key_spddelete()
2329 switch (xpl0->sadb_x_policy_dir) { in key_spddelete()
2338 if (xpl0->sadb_x_policy_type != IPSEC_POLICY_DISCARD && in key_spddelete()
2339 xpl0->sadb_x_policy_type != IPSEC_POLICY_NONE && in key_spddelete()
2340 xpl0->sadb_x_policy_type != IPSEC_POLICY_IPSEC) { in key_spddelete()
2346 src0->sadb_address_proto != dst0->sadb_address_proto) { in key_spddelete()
2351 KEY_SETSECSPIDX(xpl0->sadb_x_policy_dir, in key_spddelete()
2354 src0->sadb_address_prefixlen, in key_spddelete()
2355 dst0->sadb_address_prefixlen, in key_spddelete()
2356 src0->sadb_address_proto, in key_spddelete()
2366 xpl0->sadb_x_policy_id = sp->id; in key_spddelete()
2386 newmsg->sadb_msg_errno = 0; in key_spddelete()
2387 newmsg->sadb_msg_len = PFKEY_UNIT64(n->m_pkthdr.len); in key_spddelete()
2416 IPSEC_ASSERT(mhp->msg != NULL, ("null msg")); in key_spddelete2()
2426 mhp->ext[SADB_X_EXT_POLICY])->sadb_x_policy_id; in key_spddelete2()
2439 if (sp->state != IPSEC_SPSTATE_DEAD) { in key_spddelete2()
2459 n->m_len = len; in key_spddelete2()
2460 n->m_next = NULL; in key_spddelete2()
2469 n->m_next = m_copym(m, mhp->extoff[SADB_X_EXT_POLICY], in key_spddelete2()
2470 mhp->extlen[SADB_X_EXT_POLICY], M_NOWAIT); in key_spddelete2()
2471 if (!n->m_next) { in key_spddelete2()
2476 n->m_pkthdr.len = 0; in key_spddelete2()
2477 for (nn = n; nn; nn = nn->m_next) in key_spddelete2()
2478 n->m_pkthdr.len += nn->m_len; in key_spddelete2()
2481 newmsg->sadb_msg_errno = 0; in key_spddelete2()
2482 newmsg->sadb_msg_len = PFKEY_UNIT64(n->m_pkthdr.len); in key_spddelete2()
2511 IPSEC_ASSERT(mhp->msg != NULL, ("null msg")); in key_spdget()
2521 mhp->ext[SADB_X_EXT_POLICY])->sadb_x_policy_id; in key_spdget()
2530 n = key_setdumpsp(sp, SADB_X_SPDGET, mhp->msg->sadb_msg_seq, in key_spdget()
2531 mhp->msg->sadb_msg_pid); in key_spdget()
2562 IPSEC_ASSERT(sp->req == NULL, ("policy exists")); in key_spdacquire()
2563 IPSEC_ASSERT(sp->policy == IPSEC_POLICY_IPSEC, in key_spdacquire()
2564 ("policy not IPSEC %u", sp->policy)); in key_spdacquire()
2567 newspacq = key_getspacq(&sp->spidx); in key_spdacquire()
2569 if (V_key_blockacq_count < newspacq->count) { in key_spdacquire()
2571 newspacq->count = 0; in key_spdacquire()
2574 newspacq->count++; in key_spdacquire()
2581 newspacq = key_newspacq(&sp->spidx); in key_spdacquire()
2593 result->m_pkthdr.len = 0; in key_spdacquire()
2594 for (m = result; m; m = m->m_next) in key_spdacquire()
2595 result->m_pkthdr.len += m->m_len; in key_spdacquire()
2597 mtod(result, struct sadb_msg *)->sadb_msg_len = in key_spdacquire()
2598 PFKEY_UNIT64(result->m_pkthdr.len); in key_spdacquire()
2626 IPSEC_ASSERT(mhp->msg != NULL, ("null msg")); in key_spdflush()
2628 if (m->m_len != PFKEY_ALIGN8(sizeof(struct sadb_msg))) in key_spdflush()
2642 sp->state = IPSEC_SPSTATE_DEAD; in key_spdflush()
2658 if (sizeof(struct sadb_msg) > m->m_len + M_TRAILINGSPACE(m)) { in key_spdflush()
2663 if (m->m_next) in key_spdflush()
2664 m_freem(m->m_next); in key_spdflush()
2665 m->m_next = NULL; in key_spdflush()
2666 m->m_pkthdr.len = m->m_len = PFKEY_ALIGN8(sizeof(struct sadb_msg)); in key_spdflush()
2668 newmsg->sadb_msg_errno = 0; in key_spdflush()
2669 newmsg->sadb_msg_len = PFKEY_UNIT64(m->m_pkthdr.len); in key_spdflush()
2706 IPSEC_ASSERT(mhp->msg != NULL, ("null msg")); in key_spddump()
2710 scope = key_satype2scopemask(mhp->msg->sadb_msg_satype); in key_spddump()
2731 --cnt; in key_spddump()
2733 mhp->msg->sadb_msg_pid); in key_spddump()
2741 --cnt; in key_spddump()
2743 mhp->msg->sadb_msg_pid); in key_spddump()
2763 m = key_setsadbmsg(type, 0, SADB_SATYPE_UNSPEC, seq, pid, sp->refcnt); in key_setdumpsp()
2769 &sp->spidx.src.sa, sp->spidx.prefs, in key_setdumpsp()
2770 sp->spidx.ul_proto); in key_setdumpsp()
2776 &sp->spidx.dst.sa, sp->spidx.prefd, in key_setdumpsp()
2777 sp->spidx.ul_proto); in key_setdumpsp()
2787 if(sp->lifetime){ in key_setdumpsp()
2788 lt.addtime=sp->created; in key_setdumpsp()
2789 lt.usetime= sp->lastused; in key_setdumpsp()
2795 lt.addtime=sp->lifetime; in key_setdumpsp()
2796 lt.usetime= sp->validtime; in key_setdumpsp()
2803 if ((result->m_flags & M_PKTHDR) == 0) in key_setdumpsp()
2806 if (result->m_len < sizeof(struct sadb_msg)) { in key_setdumpsp()
2812 result->m_pkthdr.len = 0; in key_setdumpsp()
2813 for (m = result; m; m = m->m_next) in key_setdumpsp()
2814 result->m_pkthdr.len += m->m_len; in key_setdumpsp()
2816 mtod(result, struct sadb_msg *)->sadb_msg_len = in key_setdumpsp()
2817 PFKEY_UNIT64(result->m_pkthdr.len); in key_setdumpsp()
2836 if (sp->policy != IPSEC_POLICY_IPSEC) in key_getspreqmsglen()
2840 for (i = 0; i < sp->tcount; i++) { in key_getspreqmsglen()
2842 + sp->req[i]->saidx.src.sa.sa_len in key_getspreqmsglen()
2843 + sp->req[i]->saidx.dst.sa.sa_len; in key_getspreqmsglen()
2848 if (sp->accel_ifname != NULL) in key_getspreqmsglen()
2868 int len, error = -1; in key_spdexpire()
2892 m->m_len = len; in key_spdexpire()
2895 lt->sadb_lifetime_len = PFKEY_UNIT64(sizeof(struct sadb_lifetime)); in key_spdexpire()
2896 lt->sadb_lifetime_exttype = SADB_EXT_LIFETIME_CURRENT; in key_spdexpire()
2897 lt->sadb_lifetime_allocations = 0; in key_spdexpire()
2898 lt->sadb_lifetime_bytes = 0; in key_spdexpire()
2899 lt->sadb_lifetime_addtime = sp->created; in key_spdexpire()
2900 lt->sadb_lifetime_usetime = sp->lastused; in key_spdexpire()
2902 lt->sadb_lifetime_len = PFKEY_UNIT64(sizeof(struct sadb_lifetime)); in key_spdexpire()
2903 lt->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD; in key_spdexpire()
2904 lt->sadb_lifetime_allocations = 0; in key_spdexpire()
2905 lt->sadb_lifetime_bytes = 0; in key_spdexpire()
2906 lt->sadb_lifetime_addtime = sp->lifetime; in key_spdexpire()
2907 lt->sadb_lifetime_usetime = sp->validtime; in key_spdexpire()
2912 &sp->spidx.src.sa, in key_spdexpire()
2913 sp->spidx.prefs, sp->spidx.ul_proto); in key_spdexpire()
2922 &sp->spidx.dst.sa, in key_spdexpire()
2923 sp->spidx.prefd, sp->spidx.ul_proto); in key_spdexpire()
2938 if ((result->m_flags & M_PKTHDR) == 0) { in key_spdexpire()
2943 if (result->m_len < sizeof(struct sadb_msg)) { in key_spdexpire()
2951 result->m_pkthdr.len = 0; in key_spdexpire()
2952 for (m = result; m; m = m->m_next) in key_spdexpire()
2953 result->m_pkthdr.len += m->m_len; in key_spdexpire()
2955 mtod(result, struct sadb_msg *)->sadb_msg_len = in key_spdexpire()
2956 PFKEY_UNIT64(result->m_pkthdr.len); in key_spdexpire()
2983 TAILQ_INIT(&sah->savtree_larval); in key_newsah()
2984 TAILQ_INIT(&sah->savtree_alive); in key_newsah()
2985 sah->saidx = *saidx; in key_newsah()
2986 sah->state = SADB_SASTATE_DEAD; in key_newsah()
3017 IPSEC_ASSERT(sah->state == SADB_SASTATE_DEAD, in key_delsah()
3019 IPSEC_ASSERT(TAILQ_EMPTY(&sah->savtree_larval), in key_delsah()
3021 IPSEC_ASSERT(TAILQ_EMPTY(&sah->savtree_alive), in key_delsah()
3037 uint32_t spi, int *errp) in key_newsav() argument
3044 IPSEC_ASSERT(mhp->msg != NULL, ("null msg")); in key_newsav()
3045 IPSEC_ASSERT(mhp->msg->sadb_msg_type == SADB_GETSPI || in key_newsav()
3046 mhp->msg->sadb_msg_type == SADB_ADD, ("wrong message type")); in key_newsav()
3050 /* check SPI value */ in key_newsav()
3051 switch (saidx->proto) { in key_newsav()
3055 * RFC 4302, 2.4. Security Parameters Index (SPI), SPI values in key_newsav()
3056 * 1-255 reserved by IANA for future use, in key_newsav()
3059 if (ntohl(spi) <= 255) { in key_newsav()
3060 ipseclog((LOG_DEBUG, "%s: illegal range of SPI %u.\n", in key_newsav()
3061 __func__, ntohl(spi))); in key_newsav()
3073 sav->lock = malloc_aligned(max(sizeof(struct rmlock), in key_newsav()
3076 if (sav->lock == NULL) { in key_newsav()
3080 rm_init(sav->lock, "ipsec association"); in key_newsav()
3081 sav->lft_c = uma_zalloc_pcpu(ipsec_key_lft_zone, M_NOWAIT | M_ZERO); in key_newsav()
3082 if (sav->lft_c == NULL) { in key_newsav()
3087 sav->spi = spi; in key_newsav()
3088 sav->seq = mhp->msg->sadb_msg_seq; in key_newsav()
3089 sav->state = SADB_SASTATE_LARVAL; in key_newsav()
3090 sav->pid = (pid_t)mhp->msg->sadb_msg_pid; in key_newsav()
3093 CK_LIST_INIT(&sav->accel_ifps); in key_newsav()
3094 sav->accel_forget_tq = 0; in key_newsav()
3095 sav->accel_lft_sw = uma_zalloc_pcpu(ipsec_key_lft_zone, in key_newsav()
3097 if (sav->accel_lft_sw == NULL) { in key_newsav()
3105 xof = (struct sadb_x_if_hw_offl *)mhp->ext[ in key_newsav()
3107 sav->accel_ifname = malloc(sizeof(xof->sadb_x_if_hw_offl_if), in key_newsav()
3109 if (sav->accel_ifname == NULL) { in key_newsav()
3113 strncpy(__DECONST(char *, sav->accel_ifname), in key_newsav()
3114 xof->sadb_x_if_hw_offl_if, in key_newsav()
3115 sizeof(xof->sadb_x_if_hw_offl_if)); in key_newsav()
3133 sav->sah = sah; in key_newsav()
3134 if (mhp->msg->sadb_msg_type == SADB_GETSPI) { in key_newsav()
3135 sav->created = time_second; in key_newsav()
3136 } else if (sav->state == SADB_SASTATE_LARVAL) { in key_newsav()
3144 sav->state = SADB_SASTATE_MATURE; in key_newsav()
3154 if (isnew == 0 && sah->state == SADB_SASTATE_DEAD) { in key_newsav()
3172 sah->state = SADB_SASTATE_MATURE; in key_newsav()
3181 if (sav->state == SADB_SASTATE_MATURE) { in key_newsav()
3182 TAILQ_INSERT_HEAD(&sah->savtree_alive, sav, chain); in key_newsav()
3185 TAILQ_INSERT_HEAD(&sah->savtree_larval, sav, chain); in key_newsav()
3186 /* Add SAV into SPI hash */ in key_newsav()
3187 LIST_INSERT_HEAD(SAVHASH_HASH(sav->spi), sav, spihash); in key_newsav()
3193 if (sav->lock != NULL) { in key_newsav()
3194 rm_destroy(sav->lock); in key_newsav()
3195 free(sav->lock, M_IPSEC_MISC); in key_newsav()
3197 if (sav->lft_c != NULL) in key_newsav()
3198 uma_zfree_pcpu(ipsec_key_lft_zone, sav->lft_c); in key_newsav()
3200 if (sav->accel_lft_sw != NULL) in key_newsav()
3202 sav->accel_lft_sw); in key_newsav()
3203 free(__DECONST(char *, sav->accel_ifname), in key_newsav()
3226 if (sav->natt != NULL) { in key_cleansav()
3227 free(sav->natt, M_IPSEC_MISC); in key_cleansav()
3228 sav->natt = NULL; in key_cleansav()
3230 if (sav->flags & SADB_X_EXT_F_CLONED) in key_cleansav()
3232 if (sav->tdb_xform != NULL) { in key_cleansav()
3233 sav->tdb_xform->xf_cleanup(sav); in key_cleansav()
3234 sav->tdb_xform = NULL; in key_cleansav()
3236 if (sav->key_auth != NULL) { in key_cleansav()
3237 zfree(sav->key_auth->key_data, M_IPSEC_MISC); in key_cleansav()
3238 free(sav->key_auth, M_IPSEC_MISC); in key_cleansav()
3239 sav->key_auth = NULL; in key_cleansav()
3241 if (sav->key_enc != NULL) { in key_cleansav()
3242 zfree(sav->key_enc->key_data, M_IPSEC_MISC); in key_cleansav()
3243 free(sav->key_enc, M_IPSEC_MISC); in key_cleansav()
3244 sav->key_enc = NULL; in key_cleansav()
3246 if (sav->replay != NULL) { in key_cleansav()
3247 mtx_destroy(&sav->replay->lock); in key_cleansav()
3248 if (sav->replay->bitmap != NULL) in key_cleansav()
3249 free(sav->replay->bitmap, M_IPSEC_MISC); in key_cleansav()
3250 free(sav->replay, M_IPSEC_MISC); in key_cleansav()
3251 sav->replay = NULL; in key_cleansav()
3253 if (sav->lft_h != NULL) { in key_cleansav()
3254 free(sav->lft_h, M_IPSEC_MISC); in key_cleansav()
3255 sav->lft_h = NULL; in key_cleansav()
3257 if (sav->lft_s != NULL) { in key_cleansav()
3258 free(sav->lft_s, M_IPSEC_MISC); in key_cleansav()
3259 sav->lft_s = NULL; in key_cleansav()
3270 IPSEC_ASSERT(sav->state == SADB_SASTATE_DEAD, in key_delsav()
3272 IPSEC_ASSERT(sav->refcnt == 0, ("reference count %u > 0", in key_delsav()
3273 sav->refcnt)); in key_delsav()
3275 KASSERT(CK_LIST_EMPTY(&sav->accel_ifps), in key_delsav()
3282 * except NAT-T config. in key_delsav()
3285 if ((sav->flags & SADB_X_EXT_F_CLONED) == 0) { in key_delsav()
3286 rm_destroy(sav->lock); in key_delsav()
3287 free(sav->lock, M_IPSEC_MISC); in key_delsav()
3288 uma_zfree_pcpu(ipsec_key_lft_zone, sav->lft_c); in key_delsav()
3292 uma_zfree_pcpu(ipsec_key_lft_zone, sav->accel_lft_sw); in key_delsav()
3293 free(__DECONST(char *, sav->accel_ifname), M_IPSEC_MISC); in key_delsav()
3312 if (key_cmpsaidx(&sah->saidx, saidx, CMP_MODE_REQID) != 0) { in key_getsah()
3322 * Check not to be duplicated SPI.
3325 * 1 : found SA with given SPI.
3328 key_checkspidup(uint32_t spi) in key_checkspidup() argument
3333 /* Assume SPI is in network byte order */ in key_checkspidup()
3335 LIST_FOREACH(sav, SAVHASH_HASH(spi), spihash) { in key_checkspidup()
3336 if (sav->spi == spi) in key_checkspidup()
3344 * Search SA by SPI.
3350 key_getsavbyspi(uint32_t spi) in key_getsavbyspi() argument
3355 /* Assume SPI is in network byte order */ in key_getsavbyspi()
3357 LIST_FOREACH(sav, SAVHASH_HASH(spi), spihash) { in key_getsavbyspi()
3358 if (sav->spi != spi) in key_getsavbyspi()
3379 if (sav->state == SADB_SASTATE_MATURE) { in key_updatelifetimes()
3402 mhp->ext[SADB_EXT_LIFETIME_HARD], M_IPSEC_MISC); in key_updatelifetimes()
3409 mhp->ext[SADB_EXT_LIFETIME_SOFT], M_IPSEC_MISC); in key_updatelifetimes()
3417 if (sav->state != SADB_SASTATE_LARVAL) { in key_updatelifetimes()
3423 tmp = sav->lft_h; in key_updatelifetimes()
3424 sav->lft_h = lft_h; in key_updatelifetimes()
3427 tmp = sav->lft_s; in key_updatelifetimes()
3428 sav->lft_s = lft_s; in key_updatelifetimes()
3438 IPSEC_ASSERT(sav->lft_h == NULL, ("lft_h is already initialized\n")); in key_updatelifetimes()
3439 IPSEC_ASSERT(sav->lft_s == NULL, ("lft_s is already initialized\n")); in key_updatelifetimes()
3440 sav->lft_h = lft_h; in key_updatelifetimes()
3441 sav->lft_s = lft_s; in key_updatelifetimes()
3446 * copy SA values from PF_KEY message except *SPI, SEQ, PID and TYPE*.
3461 IPSEC_ASSERT(mhp->msg != NULL, ("null msg")); in key_setsaval()
3462 IPSEC_ASSERT(sav->state == SADB_SASTATE_LARVAL, in key_setsaval()
3466 error = key_setident(sav->sah, mhp); in key_setsaval()
3476 sa0 = (const struct sadb_sa *)mhp->ext[SADB_EXT_SA]; in key_setsaval()
3477 sav->alg_auth = sa0->sadb_sa_auth; in key_setsaval()
3478 sav->alg_enc = sa0->sadb_sa_encrypt; in key_setsaval()
3479 sav->flags = sa0->sadb_sa_flags; in key_setsaval()
3480 if ((sav->flags & SADB_KEY_FLAGS_MAX) != sav->flags) { in key_setsaval()
3483 sav->flags)); in key_setsaval()
3490 if ((sa0->sadb_sa_flags & SADB_X_EXT_OLD) == 0) in key_setsaval()
3491 replay = sa0->sadb_sa_replay; in key_setsaval()
3498 mhp->ext[SADB_X_EXT_SA_REPLAY])->sadb_x_sa_replay_replay; in key_setsaval()
3500 if (replay > UINT32_MAX - 32) { in key_setsaval()
3510 sav->replay = malloc(sizeof(struct secreplay), M_IPSEC_MISC, in key_setsaval()
3512 if (sav->replay == NULL) { in key_setsaval()
3519 mtx_init(&sav->replay->lock, "ipsec replay", NULL, MTX_DEF); in key_setsaval()
3526 * - the allocated replay window size must be in key_setsaval()
3528 * - use an extra 32b block as a redundant window. in key_setsaval()
3535 sav->replay->bitmap = malloc( in key_setsaval()
3538 if (sav->replay->bitmap == NULL) { in key_setsaval()
3545 sav->replay->bitmap_size = bitmap_size; in key_setsaval()
3546 sav->replay->wsize = replay; in key_setsaval()
3557 key0 = (const struct sadb_key *)mhp->ext[SADB_EXT_KEY_AUTH]; in key_setsaval()
3558 len = mhp->extlen[SADB_EXT_KEY_AUTH]; in key_setsaval()
3559 switch (mhp->msg->sadb_msg_satype) { in key_setsaval()
3564 sav->alg_auth != SADB_X_AALG_NULL) in key_setsaval()
3566 if (key0->sadb_key_bits == 0 || (sizeof(struct sadb_key) + in key_setsaval()
3567 (key0->sadb_key_bits >> 3)) > len) in key_setsaval()
3581 sav->key_auth = key_dup_keymsg(key0, M_IPSEC_MISC); in key_setsaval()
3582 if (sav->key_auth == NULL ) { in key_setsaval()
3598 key0 = (const struct sadb_key *)mhp->ext[SADB_EXT_KEY_ENCRYPT]; in key_setsaval()
3599 len = mhp->extlen[SADB_EXT_KEY_ENCRYPT]; in key_setsaval()
3600 switch (mhp->msg->sadb_msg_satype) { in key_setsaval()
3603 sav->alg_enc != SADB_EALG_NULL) { in key_setsaval()
3607 if (key0->sadb_key_bits == 0 || (sizeof(struct sadb_key) + in key_setsaval()
3608 (key0->sadb_key_bits >> 3)) > len) { in key_setsaval()
3612 sav->key_enc = key_dup_keymsg(key0, M_IPSEC_MISC); in key_setsaval()
3613 if (sav->key_enc == NULL) { in key_setsaval()
3624 sav->key_enc = NULL; /*just in case*/ in key_setsaval()
3640 sav->ivlen = 0; in key_setsaval()
3641 switch (mhp->msg->sadb_msg_satype) { in key_setsaval()
3643 if (sav->flags & SADB_X_EXT_DERIV) { in key_setsaval()
3649 if (sav->alg_enc != SADB_EALG_NONE) { in key_setsaval()
3658 if ((sav->flags & (SADB_X_EXT_OLD | SADB_X_EXT_DERIV)) == in key_setsaval()
3661 "given to old-esp.\n", __func__)); in key_setsaval()
3668 if (sav->alg_auth != SADB_AALG_NONE) { in key_setsaval()
3674 if ((sav->flags & SADB_X_EXT_RAWCPI) == 0 && in key_setsaval()
3675 ntohl(sav->spi) >= 0x10000) { in key_setsaval()
3684 if (sav->alg_enc != SADB_EALG_NONE) { in key_setsaval()
3699 __func__, mhp->msg->sadb_msg_satype)); in key_setsaval()
3703 /* Handle NAT-T headers */ in key_setsaval()
3709 sav->firstused = 0; in key_setsaval()
3710 sav->created = time_second; in key_setsaval()
3754 m = key_setsadbmsg(type, 0, satype, seq, pid, sav->refcnt); in key_setdumpsa()
3759 for (i = nitems(dumporder) - 1; i >= 0; i--) { in key_setdumpsa()
3770 replay_count = sav->replay ? sav->replay->count : 0; in key_setdumpsa()
3772 m = key_setsadbxsa2(sav->sah->saidx.mode, replay_count, in key_setdumpsa()
3773 sav->sah->saidx.reqid); in key_setdumpsa()
3779 if (sav->replay == NULL || in key_setdumpsa()
3780 sav->replay->wsize <= UINT8_MAX) in key_setdumpsa()
3783 m = key_setsadbxsareplay(sav->replay->wsize); in key_setdumpsa()
3790 &sav->sah->saidx.src.sa, in key_setdumpsa()
3798 &sav->sah->saidx.dst.sa, in key_setdumpsa()
3805 if (!sav->key_auth) in key_setdumpsa()
3807 m = key_setkey(sav->key_auth, SADB_EXT_KEY_AUTH); in key_setdumpsa()
3813 if (!sav->key_enc) in key_setdumpsa()
3815 m = key_setkey(sav->key_enc, SADB_EXT_KEY_ENCRYPT); in key_setdumpsa()
3821 lft_c.addtime = sav->created; in key_setdumpsa()
3823 sav->lft_c_allocations); in key_setdumpsa()
3824 lft_c.bytes = counter_u64_fetch(sav->lft_c_bytes); in key_setdumpsa()
3825 lft_c.usetime = sav->firstused; in key_setdumpsa()
3832 if (!sav->lft_h) in key_setdumpsa()
3834 m = key_setlifetime(sav->lft_h, in key_setdumpsa()
3841 if (!sav->lft_s) in key_setdumpsa()
3843 m = key_setlifetime(sav->lft_s, in key_setdumpsa()
3851 if (sav->natt == NULL) in key_setdumpsa()
3859 if (sav->natt == NULL) in key_setdumpsa()
3861 m = key_setsadbxport(sav->natt->dport, in key_setdumpsa()
3868 if (sav->natt == NULL) in key_setdumpsa()
3870 m = key_setsadbxport(sav->natt->sport, in key_setdumpsa()
3877 if (sav->natt == NULL || in key_setdumpsa()
3878 (sav->natt->flags & IPSEC_NATT_F_OAI) == 0) in key_setdumpsa()
3881 &sav->natt->oai.sa, FULLMASK, IPSEC_ULPROTO_ANY); in key_setdumpsa()
3886 if (sav->natt == NULL || in key_setdumpsa()
3887 (sav->natt->flags & IPSEC_NATT_F_OAR) == 0) in key_setdumpsa()
3890 &sav->natt->oar.sa, FULLMASK, IPSEC_ULPROTO_ANY); in key_setdumpsa()
3921 lft_c.bytes = sav->accel_hw_octets; in key_setdumpsa()
3922 lft_c.allocations = sav->accel_hw_allocs; in key_setdumpsa()
3954 if (result->m_len < sizeof(struct sadb_msg)) { in key_setdumpsa()
3960 result->m_pkthdr.len = 0; in key_setdumpsa()
3961 for (m = result; m; m = m->m_next) in key_setdumpsa()
3962 result->m_pkthdr.len += m->m_len; in key_setdumpsa()
3964 mtod(result, struct sadb_msg *)->sadb_msg_len = in key_setdumpsa()
3965 PFKEY_UNIT64(result->m_pkthdr.len); in key_setdumpsa()
3992 m->m_pkthdr.len = m->m_len = len; in key_setsadbmsg()
3993 m->m_next = NULL; in key_setsadbmsg()
3998 p->sadb_msg_version = PF_KEY_V2; in key_setsadbmsg()
3999 p->sadb_msg_type = type; in key_setsadbmsg()
4000 p->sadb_msg_errno = 0; in key_setsadbmsg()
4001 p->sadb_msg_satype = satype; in key_setsadbmsg()
4002 p->sadb_msg_len = PFKEY_UNIT64(tlen); in key_setsadbmsg()
4003 p->sadb_msg_reserved = reserved; in key_setsadbmsg()
4004 p->sadb_msg_seq = seq; in key_setsadbmsg()
4005 p->sadb_msg_pid = (u_int32_t)pid; in key_setsadbmsg()
4025 m->m_len = len; in key_setsadbsa()
4028 p->sadb_sa_len = PFKEY_UNIT64(len); in key_setsadbsa()
4029 p->sadb_sa_exttype = SADB_EXT_SA; in key_setsadbsa()
4030 p->sadb_sa_spi = sav->spi; in key_setsadbsa()
4031 p->sadb_sa_replay = sav->replay ? in key_setsadbsa()
4032 (sav->replay->wsize > UINT8_MAX ? UINT8_MAX : in key_setsadbsa()
4033 sav->replay->wsize): 0; in key_setsadbsa()
4034 p->sadb_sa_state = sav->state; in key_setsadbsa()
4035 p->sadb_sa_auth = sav->alg_auth; in key_setsadbsa()
4036 p->sadb_sa_encrypt = sav->alg_enc; in key_setsadbsa()
4037 p->sadb_sa_flags = sav->flags & SADB_KEY_FLAGS_MAX; in key_setsadbsa()
4053 PFKEY_ALIGN8(saddr->sa_len); in key_setsadbaddr()
4058 m->m_len = len; in key_setsadbaddr()
4062 p->sadb_address_len = PFKEY_UNIT64(len); in key_setsadbaddr()
4063 p->sadb_address_exttype = exttype; in key_setsadbaddr()
4064 p->sadb_address_proto = ul_proto; in key_setsadbaddr()
4066 switch (saddr->sa_family) { in key_setsadbaddr()
4077 p->sadb_address_prefixlen = prefixlen; in key_setsadbaddr()
4078 p->sadb_address_reserved = 0; in key_setsadbaddr()
4082 saddr->sa_len); in key_setsadbaddr()
4102 m->m_len = len; in key_setsadbxsa2()
4106 p->sadb_x_sa2_len = PFKEY_UNIT64(len); in key_setsadbxsa2()
4107 p->sadb_x_sa2_exttype = SADB_X_EXT_SA2; in key_setsadbxsa2()
4108 p->sadb_x_sa2_mode = mode; in key_setsadbxsa2()
4109 p->sadb_x_sa2_reserved1 = 0; in key_setsadbxsa2()
4110 p->sadb_x_sa2_reserved2 = 0; in key_setsadbxsa2()
4111 p->sadb_x_sa2_sequence = seq; in key_setsadbxsa2()
4112 p->sadb_x_sa2_reqid = reqid; in key_setsadbxsa2()
4132 m->m_len = len; in key_setsadbxsareplay()
4136 p->sadb_x_sa_replay_len = PFKEY_UNIT64(len); in key_setsadbxsareplay()
4137 p->sadb_x_sa_replay_exttype = SADB_X_EXT_SA_REPLAY; in key_setsadbxsareplay()
4138 p->sadb_x_sa_replay_replay = (replay << 3); in key_setsadbxsareplay()
4159 m->m_len = len; in key_setsadbxtype()
4163 p->sadb_x_nat_t_type_len = PFKEY_UNIT64(len); in key_setsadbxtype()
4164 p->sadb_x_nat_t_type_exttype = SADB_X_EXT_NAT_T_TYPE; in key_setsadbxtype()
4165 p->sadb_x_nat_t_type_type = type; in key_setsadbxtype()
4186 m->m_len = len; in key_setsadbxport()
4190 p->sadb_x_nat_t_port_len = PFKEY_UNIT64(len); in key_setsadbxport()
4191 p->sadb_x_nat_t_port_exttype = type; in key_setsadbxport()
4192 p->sadb_x_nat_t_port_port = port; in key_setsadbxport()
4204 switch (sa->sa_family) { in key_portfromsaddr()
4207 return ((struct sockaddr_in *)sa)->sin_port; in key_portfromsaddr()
4211 return ((struct sockaddr_in6 *)sa)->sin6_port; in key_portfromsaddr()
4224 switch (sa->sa_family) { in key_porttosaddr()
4227 ((struct sockaddr_in *)sa)->sin_port = port; in key_porttosaddr()
4232 ((struct sockaddr_in6 *)sa)->sin6_port = port; in key_porttosaddr()
4237 __func__, sa->sa_family)); in key_porttosaddr()
4257 m->m_len = len; in key_setsadbxpolicy()
4261 p->sadb_x_policy_len = PFKEY_UNIT64(len); in key_setsadbxpolicy()
4262 p->sadb_x_policy_exttype = SADB_X_EXT_POLICY; in key_setsadbxpolicy()
4263 p->sadb_x_policy_type = type; in key_setsadbxpolicy()
4264 p->sadb_x_policy_dir = dir; in key_setsadbxpolicy()
4265 p->sadb_x_policy_id = id; in key_setsadbxpolicy()
4266 p->sadb_x_policy_priority = priority; in key_setsadbxpolicy()
4286 len = src->sadb_key_bits >> 3; in key_dup_keymsg()
4287 dst->bits = src->sadb_key_bits; in key_dup_keymsg()
4288 dst->key_data = malloc(len, type, M_NOWAIT); in key_dup_keymsg()
4289 if (dst->key_data != NULL) { in key_dup_keymsg()
4290 bcopy((const char *)(src + 1), dst->key_data, len); in key_dup_keymsg()
4321 dst->allocations = src->sadb_lifetime_allocations; in key_dup_lifemsg()
4322 dst->bytes = src->sadb_lifetime_bytes; in key_dup_lifemsg()
4323 dst->addtime = src->sadb_lifetime_addtime; in key_dup_lifemsg()
4324 dst->usetime = src->sadb_lifetime_usetime; in key_dup_lifemsg()
4352 if (saidx0->proto != saidx1->proto) in key_cmpsaidx()
4356 if (saidx0->mode != saidx1->mode) in key_cmpsaidx()
4358 if (saidx0->reqid != saidx1->reqid) in key_cmpsaidx()
4360 if (bcmp(&saidx0->src, &saidx1->src, in key_cmpsaidx()
4361 saidx0->src.sa.sa_len) != 0 || in key_cmpsaidx()
4362 bcmp(&saidx0->dst, &saidx1->dst, in key_cmpsaidx()
4363 saidx0->dst.sa.sa_len) != 0) in key_cmpsaidx()
4369 * If the reqid of the SPD is non-zero, a unique SA is required. in key_cmpsaidx()
4372 if (saidx1->reqid != 0 && in key_cmpsaidx()
4373 saidx0->reqid != saidx1->reqid) in key_cmpsaidx()
4378 if (saidx0->mode != IPSEC_MODE_ANY in key_cmpsaidx()
4379 && saidx0->mode != saidx1->mode) in key_cmpsaidx()
4383 if (key_sockaddrcmp(&saidx0->src.sa, &saidx1->src.sa, 0) != 0) in key_cmpsaidx()
4385 if (key_sockaddrcmp(&saidx0->dst.sa, &saidx1->dst.sa, 0) != 0) in key_cmpsaidx()
4412 if (spidx0->prefs != spidx1->prefs in key_cmpspidx_exactly()
4413 || spidx0->prefd != spidx1->prefd in key_cmpspidx_exactly()
4414 || spidx0->ul_proto != spidx1->ul_proto in key_cmpspidx_exactly()
4415 || spidx0->dir != spidx1->dir) in key_cmpspidx_exactly()
4418 return key_sockaddrcmp(&spidx0->src.sa, &spidx1->src.sa, 1) == 0 && in key_cmpspidx_exactly()
4419 key_sockaddrcmp(&spidx0->dst.sa, &spidx1->dst.sa, 1) == 0; in key_cmpspidx_exactly()
4442 if (spidx0->src.sa.sa_family != spidx1->src.sa.sa_family || in key_cmpspidx_withmask()
4443 spidx0->dst.sa.sa_family != spidx1->dst.sa.sa_family || in key_cmpspidx_withmask()
4444 spidx0->src.sa.sa_len != spidx1->src.sa.sa_len || in key_cmpspidx_withmask()
4445 spidx0->dst.sa.sa_len != spidx1->dst.sa.sa_len) in key_cmpspidx_withmask()
4449 if (spidx0->ul_proto != (u_int16_t)IPSEC_ULPROTO_ANY in key_cmpspidx_withmask()
4450 && spidx0->ul_proto != spidx1->ul_proto) in key_cmpspidx_withmask()
4453 switch (spidx0->src.sa.sa_family) { in key_cmpspidx_withmask()
4455 if (spidx0->src.sin.sin_port != IPSEC_PORT_ANY in key_cmpspidx_withmask()
4456 && spidx0->src.sin.sin_port != spidx1->src.sin.sin_port) in key_cmpspidx_withmask()
4458 if (!key_bbcmp(&spidx0->src.sin.sin_addr, in key_cmpspidx_withmask()
4459 &spidx1->src.sin.sin_addr, spidx0->prefs)) in key_cmpspidx_withmask()
4463 if (spidx0->src.sin6.sin6_port != IPSEC_PORT_ANY in key_cmpspidx_withmask()
4464 && spidx0->src.sin6.sin6_port != spidx1->src.sin6.sin6_port) in key_cmpspidx_withmask()
4470 if (spidx0->src.sin6.sin6_scope_id && in key_cmpspidx_withmask()
4471 spidx1->src.sin6.sin6_scope_id && in key_cmpspidx_withmask()
4472 spidx0->src.sin6.sin6_scope_id != spidx1->src.sin6.sin6_scope_id) in key_cmpspidx_withmask()
4474 if (!key_bbcmp(&spidx0->src.sin6.sin6_addr, in key_cmpspidx_withmask()
4475 &spidx1->src.sin6.sin6_addr, spidx0->prefs)) in key_cmpspidx_withmask()
4480 if (bcmp(&spidx0->src, &spidx1->src, spidx0->src.sa.sa_len) != 0) in key_cmpspidx_withmask()
4485 switch (spidx0->dst.sa.sa_family) { in key_cmpspidx_withmask()
4487 if (spidx0->dst.sin.sin_port != IPSEC_PORT_ANY in key_cmpspidx_withmask()
4488 && spidx0->dst.sin.sin_port != spidx1->dst.sin.sin_port) in key_cmpspidx_withmask()
4490 if (!key_bbcmp(&spidx0->dst.sin.sin_addr, in key_cmpspidx_withmask()
4491 &spidx1->dst.sin.sin_addr, spidx0->prefd)) in key_cmpspidx_withmask()
4495 if (spidx0->dst.sin6.sin6_port != IPSEC_PORT_ANY in key_cmpspidx_withmask()
4496 && spidx0->dst.sin6.sin6_port != spidx1->dst.sin6.sin6_port) in key_cmpspidx_withmask()
4502 if (spidx0->dst.sin6.sin6_scope_id && in key_cmpspidx_withmask()
4503 spidx1->dst.sin6.sin6_scope_id && in key_cmpspidx_withmask()
4504 spidx0->dst.sin6.sin6_scope_id != spidx1->dst.sin6.sin6_scope_id) in key_cmpspidx_withmask()
4506 if (!key_bbcmp(&spidx0->dst.sin6.sin6_addr, in key_cmpspidx_withmask()
4507 &spidx1->dst.sin6.sin6_addr, spidx0->prefd)) in key_cmpspidx_withmask()
4512 if (bcmp(&spidx0->dst, &spidx1->dst, spidx0->dst.sa.sa_len) != 0) in key_cmpspidx_withmask()
4535 if (sa1->sa_family != sa2->sa_family || sa1->sa_len != sa2->sa_len) in key_sockaddrcmp()
4538 switch (sa1->sa_family) { in key_sockaddrcmp()
4541 if (sa1->sa_len != sizeof(struct sockaddr_in)) in key_sockaddrcmp()
4543 if (satosin(sa1)->sin_addr.s_addr != in key_sockaddrcmp()
4544 satosin(sa2)->sin_addr.s_addr) { in key_sockaddrcmp()
4547 if (port && satosin(sa1)->sin_port != satosin(sa2)->sin_port) in key_sockaddrcmp()
4553 if (sa1->sa_len != sizeof(struct sockaddr_in6)) in key_sockaddrcmp()
4555 if (satosin6(sa1)->sin6_scope_id != in key_sockaddrcmp()
4556 satosin6(sa2)->sin6_scope_id) { in key_sockaddrcmp()
4559 if (!IN6_ARE_ADDR_EQUAL(&satosin6(sa1)->sin6_addr, in key_sockaddrcmp()
4560 &satosin6(sa2)->sin6_addr)) { in key_sockaddrcmp()
4564 satosin6(sa1)->sin6_port != satosin6(sa2)->sin6_port) { in key_sockaddrcmp()
4570 if (bcmp(sa1, sa2, sa1->sa_len) != 0) in key_sockaddrcmp()
4583 if (sa1->sa_family != sa2->sa_family || sa1->sa_len != sa2->sa_len) in key_sockaddrcmp_withmask()
4586 switch (sa1->sa_family) { in key_sockaddrcmp_withmask()
4589 return (!key_bbcmp(&satosin(sa1)->sin_addr, in key_sockaddrcmp_withmask()
4590 &satosin(sa2)->sin_addr, mask)); in key_sockaddrcmp_withmask()
4594 if (satosin6(sa1)->sin6_scope_id != in key_sockaddrcmp_withmask()
4595 satosin6(sa2)->sin6_scope_id) in key_sockaddrcmp_withmask()
4597 return (!key_bbcmp(&satosin6(sa1)->sin6_addr, in key_sockaddrcmp_withmask()
4598 &satosin6(sa2)->sin6_addr, mask)); in key_sockaddrcmp_withmask()
4623 * at a time, but it is complicated on little-endian (LSB-first) machines */ in key_bbcmp()
4632 bits -= 8; in key_bbcmp()
4636 u_int8_t mask = ~((1<<(8-bits))-1); in key_bbcmp()
4655 if (sp->lifetime == 0 && sp->validtime == 0) in key_flush_spd()
4657 if ((sp->lifetime && in key_flush_spd()
4658 now - sp->created > sp->lifetime) || in key_flush_spd()
4659 (sp->validtime && in key_flush_spd()
4660 now - sp->lastused > sp->validtime)) { in key_flush_spd()
4676 if (sp->state != IPSEC_SPSTATE_ALIVE) { in key_flush_spd()
4682 TAILQ_REMOVE(&V_sptree[sp->spidx.dir], sp, chain); in key_flush_spd()
4683 V_spd_size--; in key_flush_spd()
4685 sp->state = IPSEC_SPSTATE_DEAD; in key_flush_spd()
4723 if (TAILQ_EMPTY(&sah->savtree_larval) && in key_flush_sad()
4724 TAILQ_EMPTY(&sah->savtree_alive)) { in key_flush_sad()
4730 TAILQ_FOREACH(sav, &sah->savtree_larval, chain) { in key_flush_sad()
4731 if (now - sav->created < V_key_larval_lifetime) in key_flush_sad()
4736 TAILQ_FOREACH(sav, &sah->savtree_alive, chain) { in key_flush_sad()
4738 if (sav->lft_h == NULL) in key_flush_sad()
4745 if (sav->lft_h == NULL) { in key_flush_sad()
4757 if ((sav->lft_h->addtime != 0 && in key_flush_sad()
4758 now - sav->created > sav->lft_h->addtime) || in key_flush_sad()
4759 (sav->lft_h->usetime != 0 && sav->firstused && in key_flush_sad()
4760 now - sav->firstused > sav->lft_h->usetime) || in key_flush_sad()
4761 (sav->lft_h->bytes != 0 && counter_u64_fetch( in key_flush_sad()
4762 sav->lft_c_bytes) > sav->lft_h->bytes)) { in key_flush_sad()
4769 if (sav->state == SADB_SASTATE_MATURE && ( in key_flush_sad()
4770 (sav->lft_s->addtime != 0 && in key_flush_sad()
4771 now - sav->created > sav->lft_s->addtime) || in key_flush_sad()
4772 (sav->lft_s->usetime != 0 && sav->firstused && in key_flush_sad()
4773 now - sav->firstused > sav->lft_s->usetime) || in key_flush_sad()
4774 (sav->lft_s->bytes != 0 && counter_u64_fetch( in key_flush_sad()
4775 sav->lft_c_bytes) > sav->lft_s->bytes) || in key_flush_sad()
4776 (!(sav->flags & SADB_X_SAFLAGS_ESN) && in key_flush_sad()
4777 (sav->replay != NULL) && ( in key_flush_sad()
4778 (sav->replay->count > UINT32_80PCT) || in key_flush_sad()
4779 (sav->replay->last > UINT32_80PCT))))) { in key_flush_sad()
4801 if (sav->state != SADB_SASTATE_LARVAL) { in key_flush_sad()
4807 TAILQ_REMOVE(&sav->sah->savtree_larval, sav, chain); in key_flush_sad()
4809 sav->state = SADB_SASTATE_DEAD; in key_flush_sad()
4818 if (sav->state == SADB_SASTATE_DEAD) { in key_flush_sad()
4824 TAILQ_REMOVE(&sav->sah->savtree_alive, sav, chain); in key_flush_sad()
4826 sav->state = SADB_SASTATE_DEAD; in key_flush_sad()
4835 if (sav->state == SADB_SASTATE_DEAD) { in key_flush_sad()
4844 sav->state = SADB_SASTATE_DYING; in key_flush_sad()
4852 if (sah->state == SADB_SASTATE_DEAD || in key_flush_sad()
4853 !TAILQ_EMPTY(&sah->savtree_larval) || in key_flush_sad()
4854 !TAILQ_EMPTY(&sah->savtree_alive)) { in key_flush_sad()
4862 sah->state = SADB_SASTATE_DEAD; in key_flush_sad()
4872 key_freesah(&sav->sah); /* release reference from SAV */ in key_flush_sad()
4888 key_freesah(&sav->sah); /* release reference from SAV */ in key_flush_sad()
4920 if (now - acq->created > V_key_blockacq_lifetime) { in key_flush_acq()
4940 if (now - acq->created > V_key_blockacq_lifetime in key_flush_spacq()
5039 * <base, (SA2), src address, dst address, (SPI range)>
5040 * from the IKMPd, to assign a unique spi value, to hang on the INBOUND
5055 uint32_t reqid, spi; in key_getspi() local
5062 IPSEC_ASSERT(mhp->msg != NULL, ("null msg")); in key_getspi()
5099 mhp->ext[SADB_X_EXT_SA2])->sadb_x_sa2_mode; in key_getspi()
5101 mhp->ext[SADB_X_EXT_SA2])->sadb_x_sa2_reqid; in key_getspi()
5104 src0 = (struct sadb_address *)(mhp->ext[SADB_EXT_ADDRESS_SRC]); in key_getspi()
5105 dst0 = (struct sadb_address *)(mhp->ext[SADB_EXT_ADDRESS_DST]); in key_getspi()
5108 if ((proto = key_satype2proto(mhp->msg->sadb_msg_satype)) == 0) { in key_getspi()
5123 /* SPI allocation */ in key_getspi()
5125 spi = key_do_getnewspi( in key_getspi()
5126 (struct sadb_spirange *)mhp->ext[SADB_EXT_SPIRANGE], &saidx); in key_getspi()
5127 if (spi == 0) { in key_getspi()
5129 * Requested SPI or SPI range is not available or in key_getspi()
5136 sav = key_newsav(mhp, &saidx, spi, &error); in key_getspi()
5141 if (sav->seq != 0) { in key_getspi()
5145 * kernel-generated SADB_ACQUIRE, the sadb_msg_seq in key_getspi()
5158 key_acqdone(&saidx, sav->seq); in key_getspi()
5180 n->m_len = len; in key_getspi()
5181 n->m_next = NULL; in key_getspi()
5188 m_sa->sadb_sa_len = PFKEY_UNIT64(sizeof(struct sadb_sa)); in key_getspi()
5189 m_sa->sadb_sa_exttype = SADB_EXT_SA; in key_getspi()
5190 m_sa->sadb_sa_spi = spi; /* SPI is already in network byte order */ in key_getspi()
5196 n->m_next = key_gather_mbuf(m, mhp, 0, 2, SADB_EXT_ADDRESS_SRC, in key_getspi()
5198 if (!n->m_next) { in key_getspi()
5204 if (n->m_len < sizeof(struct sadb_msg)) { in key_getspi()
5210 n->m_pkthdr.len = 0; in key_getspi()
5211 for (nn = n; nn; nn = nn->m_next) in key_getspi()
5212 n->m_pkthdr.len += nn->m_len; in key_getspi()
5215 newmsg->sadb_msg_seq = sav->seq; in key_getspi()
5216 newmsg->sadb_msg_errno = 0; in key_getspi()
5217 newmsg->sadb_msg_len = PFKEY_UNIT64(n->m_pkthdr.len); in key_getspi()
5228 * allocating new SPI
5232 * others: success, SPI in network byte order.
5242 /* set spi range to allocate */ in key_do_getnewspi()
5244 min = spirange->sadb_spirange_min; in key_do_getnewspi()
5245 max = spirange->sadb_spirange_max; in key_do_getnewspi()
5250 /* IPCOMP needs 2-byte SPI */ in key_do_getnewspi()
5251 if (saidx->proto == IPPROTO_IPCOMP) { in key_do_getnewspi()
5263 ipseclog((LOG_DEBUG, "%s: SPI %u exists already.\n", in key_do_getnewspi()
5271 /* init SPI */ in key_do_getnewspi()
5275 /* when requesting to allocate spi ranged */ in key_do_getnewspi()
5277 /* generate pseudo-random SPI value ranged. */ in key_do_getnewspi()
5278 newspi = min + (key_random() % (max - min + 1)); in key_do_getnewspi()
5285 "%s: failed to allocate SPI.\n", __func__)); in key_do_getnewspi()
5298 * Find TCP-MD5 SA with corresponding secasindex.
5299 * If not found, return NULL and fill SPI with a usable value if needed.
5302 key_getsav_tcpmd5(struct secasindex *saidx, uint32_t *spi) in key_getsav_tcpmd5() argument
5308 IPSEC_ASSERT(saidx->proto == IPPROTO_TCP, ("wrong proto")); in key_getsav_tcpmd5()
5311 if (sah->saidx.proto != IPPROTO_TCP) in key_getsav_tcpmd5()
5313 if (!key_sockaddrcmp(&saidx->dst.sa, &sah->saidx.dst.sa, 0) && in key_getsav_tcpmd5()
5314 !key_sockaddrcmp(&saidx->src.sa, &sah->saidx.src.sa, 0)) in key_getsav_tcpmd5()
5319 sav = TAILQ_LAST(&sah->savtree_alive, secasvar_queue); in key_getsav_tcpmd5()
5321 sav = TAILQ_FIRST(&sah->savtree_alive); in key_getsav_tcpmd5()
5328 if (spi == NULL) { in key_getsav_tcpmd5()
5329 /* No SPI required */ in key_getsav_tcpmd5()
5333 /* Check that SPI is unique */ in key_getsav_tcpmd5()
5334 LIST_FOREACH(sav, SAVHASH_HASH(*spi), spihash) { in key_getsav_tcpmd5()
5335 if (sav->spi == *spi) in key_getsav_tcpmd5()
5340 /* SPI is already unique */ in key_getsav_tcpmd5()
5345 *spi = key_do_getnewspi(NULL, saidx); in key_getsav_tcpmd5()
5364 mhp->ext[SADB_X_EXT_NEW_ADDRESS_SRC]) + 1); in key_updateaddresses()
5365 bcopy(newaddr, &saidx->src, newaddr->sa_len); in key_updateaddresses()
5366 key_porttosaddr(&saidx->src.sa, 0); in key_updateaddresses()
5371 mhp->ext[SADB_X_EXT_NEW_ADDRESS_DST]) + 1); in key_updateaddresses()
5372 bcopy(newaddr, &saidx->dst, newaddr->sa_len); in key_updateaddresses()
5373 key_porttosaddr(&saidx->dst.sa, 0); in key_updateaddresses()
5377 error = key_checksockaddrs(&saidx->src.sa, &saidx->dst.sa); in key_updateaddresses()
5399 * Do we want to change NAT-T config? in key_updateaddresses()
5401 if (sav->sah->saidx.proto != IPPROTO_ESP || in key_updateaddresses()
5411 sah = sav->sah; in key_updateaddresses()
5427 CK_LIST_INIT(&newsav->accel_ifps); in key_updateaddresses()
5428 newsav->accel_forget_tq = 0; in key_updateaddresses()
5429 newsav->accel_lft_sw = uma_zalloc_pcpu(ipsec_key_lft_zone, in key_updateaddresses()
5431 if (newsav->accel_lft_sw == NULL) { in key_updateaddresses()
5435 if (sav->accel_ifname != NULL) { in key_updateaddresses()
5438 newsav->accel_ifname = malloc(sizeof(xof.sadb_x_if_hw_offl_if), in key_updateaddresses()
5440 if (newsav->accel_ifname == NULL) { in key_updateaddresses()
5444 strncpy(__DECONST(char *, sav->accel_ifname), in key_updateaddresses()
5445 newsav->accel_ifname, in key_updateaddresses()
5451 * We create new NAT-T config if it is needed. in key_updateaddresses()
5452 * Old NAT-T config will be freed by key_cleansav() when in key_updateaddresses()
5455 newsav->natt = NULL; in key_updateaddresses()
5456 newsav->sah = sah; in key_updateaddresses()
5457 newsav->state = SADB_SASTATE_MATURE; in key_updateaddresses()
5464 if (sav->state == SADB_SASTATE_DEAD) { in key_updateaddresses()
5471 /* Unlink SA from SAH and SPI hash */ in key_updateaddresses()
5472 IPSEC_ASSERT((sav->flags & SADB_X_EXT_F_CLONED) == 0, in key_updateaddresses()
5474 IPSEC_ASSERT(sav->state == SADB_SASTATE_MATURE || in key_updateaddresses()
5475 sav->state == SADB_SASTATE_DYING, in key_updateaddresses()
5476 ("Wrong SA state %u\n", sav->state)); in key_updateaddresses()
5477 TAILQ_REMOVE(&sav->sah->savtree_alive, sav, chain); in key_updateaddresses()
5479 sav->state = SADB_SASTATE_DEAD; in key_updateaddresses()
5484 * create time (newer are first). in key_updateaddresses()
5486 TAILQ_FOREACH(tmp, &sah->savtree_alive, chain) { in key_updateaddresses()
5487 if (newsav->created > tmp->created) { in key_updateaddresses()
5493 TAILQ_INSERT_TAIL(&sah->savtree_alive, newsav, chain); in key_updateaddresses()
5495 /* Add new SA into SPI hash. */ in key_updateaddresses()
5496 LIST_INSERT_HEAD(SAVHASH_HASH(newsav->spi), newsav, spihash); in key_updateaddresses()
5502 sah->state = SADB_SASTATE_MATURE; in key_updateaddresses()
5506 * isnew == 1 -> @sah was referenced by key_getsah(). in key_updateaddresses()
5507 * isnew == 0 -> we use the same @sah that was used by @sav, in key_updateaddresses()
5512 newsav->cntr = sav->cntr; in key_updateaddresses()
5513 sav->flags |= SADB_X_EXT_F_CLONED; in key_updateaddresses()
5539 uma_zfree_pcpu(ipsec_key_lft_zone, newsav->accel_lft_sw); in key_updateaddresses()
5540 free(__DECONST(char *, newsav->accel_ifname), M_IPSEC_MISC); in key_updateaddresses()
5542 if (newsav->natt != NULL) in key_updateaddresses()
5543 free(newsav->natt, M_IPSEC_MISC); in key_updateaddresses()
5576 IPSEC_ASSERT(mhp->msg != NULL, ("null msg")); in key_update()
5579 if ((proto = key_satype2proto(mhp->msg->sadb_msg_satype)) == 0) { in key_update()
5615 mhp->ext[SADB_X_EXT_SA2])->sadb_x_sa2_mode; in key_update()
5617 mhp->ext[SADB_X_EXT_SA2])->sadb_x_sa2_reqid; in key_update()
5620 sa0 = (struct sadb_sa *)mhp->ext[SADB_EXT_SA]; in key_update()
5621 src0 = (struct sadb_address *)(mhp->ext[SADB_EXT_ADDRESS_SRC]); in key_update()
5622 dst0 = (struct sadb_address *)(mhp->ext[SADB_EXT_ADDRESS_DST]); in key_update()
5628 if (sa0->sadb_sa_state != SADB_SASTATE_MATURE) { in key_update()
5641 sav = key_getsavbyspi(sa0->sadb_sa_spi); in key_update()
5643 ipseclog((LOG_DEBUG, "%s: no SA found for SPI %u\n", in key_update()
5644 __func__, ntohl(sa0->sadb_sa_spi))); in key_update()
5651 if (sav->pid != mhp->msg->sadb_msg_pid) { in key_update()
5653 "%s: pid mismatched (SPI %u, pid %u vs. %u)\n", __func__, in key_update()
5654 ntohl(sav->spi), sav->pid, mhp->msg->sadb_msg_pid)); in key_update()
5659 if (key_cmpsaidx(&sav->sah->saidx, &saidx, CMP_MODE_REQID) == 0) { in key_update()
5660 ipseclog((LOG_DEBUG, "%s: saidx mismatched for SPI %u\n", in key_update()
5661 __func__, ntohl(sav->spi))); in key_update()
5666 if (sav->state == SADB_SASTATE_LARVAL) { in key_update()
5667 if ((mhp->msg->sadb_msg_satype == SADB_SATYPE_ESP && in key_update()
5669 (mhp->msg->sadb_msg_satype == SADB_SATYPE_AH && in key_update()
5678 * We can set any values except src, dst and SPI. in key_update()
5687 if (sav->state != SADB_SASTATE_LARVAL) { in key_update()
5699 TAILQ_REMOVE(&sav->sah->savtree_larval, sav, chain); in key_update()
5700 TAILQ_INSERT_HEAD(&sav->sah->savtree_alive, sav, chain); in key_update()
5701 sav->state = SADB_SASTATE_MATURE; in key_update()
5725 * NAT-T config. in key_update()
5730 sav->natt != NULL) { in key_update()
5739 if (sav->state == SADB_SASTATE_DEAD) { in key_update()
5750 sav->state = SADB_SASTATE_MATURE; in key_update()
5796 uint32_t reqid, spi; in key_add() local
5803 IPSEC_ASSERT(mhp->msg != NULL, ("null msg")); in key_add()
5806 if ((proto = key_satype2proto(mhp->msg->sadb_msg_satype)) == 0) { in key_add()
5815 (mhp->msg->sadb_msg_satype == SADB_SATYPE_ESP && ( in key_add()
5818 (mhp->msg->sadb_msg_satype == SADB_SATYPE_AH && ( in key_add()
5848 mhp->ext[SADB_X_EXT_SA2])->sadb_x_sa2_mode; in key_add()
5850 mhp->ext[SADB_X_EXT_SA2])->sadb_x_sa2_reqid; in key_add()
5853 sa0 = (struct sadb_sa *)mhp->ext[SADB_EXT_SA]; in key_add()
5854 src0 = (struct sadb_address *)mhp->ext[SADB_EXT_ADDRESS_SRC]; in key_add()
5855 dst0 = (struct sadb_address *)mhp->ext[SADB_EXT_ADDRESS_DST]; in key_add()
5861 if (sa0->sadb_sa_state != SADB_SASTATE_MATURE) { in key_add()
5874 spi = sa0->sadb_sa_spi; in key_add()
5876 * For TCP-MD5 SAs we don't use SPI. Check the uniqueness using in key_add()
5878 * XXXAE: IPComp also seems not to use SPI. in key_add()
5882 sav = key_getsav_tcpmd5(&saidx, &spi); in key_add()
5883 if (sav == NULL && spi == 0) { in key_add()
5885 /* Failed to allocate SPI */ in key_add()
5890 /* XXX: SPI that we report back can have another value */ in key_add()
5892 /* We can create new SA only if SPI is different. */ in key_add()
5893 sav = key_getsavbyspi(spi); in key_add()
5902 sav = key_newsav(mhp, &saidx, spi, &error); in key_add()
5914 if (sav->seq != 0) in key_add()
5915 key_acqdone(&saidx, sav->seq); in key_add()
5937 * NAT-T support.
5939 * presence of NAT. It uses NAT-T extension headers for such SAs to specify
5956 * We expect presence of NAT-T extension headers only in SADB_ADD and
5957 * SADB_UPDATE messages. We report NAT-T extension headers in replies
5971 IPSEC_ASSERT(sav->natt == NULL, ("natt is already initialized")); in key_setnatt()
5973 * Ignore NAT-T headers if sproto isn't ESP. in key_setnatt()
5975 if (sav->sah->saidx.proto != IPPROTO_ESP) in key_setnatt()
5992 type = (struct sadb_x_nat_t_type *)mhp->ext[SADB_X_EXT_NAT_T_TYPE]; in key_setnatt()
5993 if (type->sadb_x_nat_t_type_type != UDP_ENCAP_ESPINUDP) { in key_setnatt()
5994 ipseclog((LOG_DEBUG, "%s: unsupported NAT-T type %u.\n", in key_setnatt()
5995 __func__, type->sadb_x_nat_t_type_type)); in key_setnatt()
5999 * Allocate storage for NAT-T config. in key_setnatt()
6002 sav->natt = malloc(sizeof(struct secnatt), M_IPSEC_MISC, in key_setnatt()
6004 if (sav->natt == NULL) { in key_setnatt()
6009 port = (struct sadb_x_nat_t_port *)mhp->ext[SADB_X_EXT_NAT_T_SPORT]; in key_setnatt()
6010 if (port->sadb_x_nat_t_port_port == 0) { in key_setnatt()
6011 ipseclog((LOG_DEBUG, "%s: invalid NAT-T sport specified.\n", in key_setnatt()
6015 sav->natt->sport = port->sadb_x_nat_t_port_port; in key_setnatt()
6016 port = (struct sadb_x_nat_t_port *)mhp->ext[SADB_X_EXT_NAT_T_DPORT]; in key_setnatt()
6017 if (port->sadb_x_nat_t_port_port == 0) { in key_setnatt()
6018 ipseclog((LOG_DEBUG, "%s: invalid NAT-T dport specified.\n", in key_setnatt()
6022 sav->natt->dport = port->sadb_x_nat_t_port_port; in key_setnatt()
6038 oai = (struct sadb_address *)mhp->ext[SADB_X_EXT_NAT_T_OAI]; in key_setnatt()
6048 oar = (struct sadb_address *)mhp->ext[SADB_X_EXT_NAT_T_OAR]; in key_setnatt()
6053 if (sav->sah->saidx.mode != IPSEC_MODE_TUNNEL) { in key_setnatt()
6057 switch (sa->sa_family) { in key_setnatt()
6060 if (sa->sa_len != sizeof(struct sockaddr_in)) { in key_setnatt()
6062 "%s: wrong NAT-OAi header.\n", in key_setnatt()
6067 if (((struct sockaddr_in *)sa)->sin_addr.s_addr != in key_setnatt()
6068 sav->sah->saidx.src.sin.sin_addr.s_addr) { in key_setnatt()
6069 bcopy(sa, &sav->natt->oai.sa, sa->sa_len); in key_setnatt()
6070 sav->natt->flags |= IPSEC_NATT_F_OAI; in key_setnatt()
6072 addr = sav->sah->saidx.src.sin.sin_addr.s_addr; in key_setnatt()
6075 addr = sav->natt->oai.sin.sin_addr.s_addr; in key_setnatt()
6083 if (sa->sa_len != sizeof(struct sockaddr_in6)) { in key_setnatt()
6085 "%s: wrong NAT-OAi header.\n", in key_setnatt()
6090 if (memcmp(&((struct sockaddr_in6 *)sa)->sin6_addr.s6_addr, in key_setnatt()
6091 &sav->sah->saidx.src.sin6.sin6_addr.s6_addr, in key_setnatt()
6093 bcopy(sa, &sav->natt->oai.sa, sa->sa_len); in key_setnatt()
6094 sav->natt->flags |= IPSEC_NATT_F_OAI; in key_setnatt()
6098 ~sav->sah->saidx.src.sin6.sin6_addr.s6_addr16[i]); in key_setnatt()
6100 sav->natt->oai.sin6.sin6_addr.s6_addr16[i]); in key_setnatt()
6107 "%s: wrong NAT-OAi header.\n", in key_setnatt()
6114 switch (sa->sa_family) { in key_setnatt()
6117 if (sa->sa_len != sizeof(struct sockaddr_in)) { in key_setnatt()
6119 "%s: wrong NAT-OAr header.\n", in key_setnatt()
6124 if (((struct sockaddr_in *)sa)->sin_addr.s_addr != in key_setnatt()
6125 sav->sah->saidx.dst.sin.sin_addr.s_addr) { in key_setnatt()
6126 bcopy(sa, &sav->natt->oar.sa, sa->sa_len); in key_setnatt()
6127 sav->natt->flags |= IPSEC_NATT_F_OAR; in key_setnatt()
6129 addr = sav->sah->saidx.dst.sin.sin_addr.s_addr; in key_setnatt()
6132 addr = sav->natt->oar.sin.sin_addr.s_addr; in key_setnatt()
6140 if (sa->sa_len != sizeof(struct sockaddr_in6)) { in key_setnatt()
6142 "%s: wrong NAT-OAr header.\n", in key_setnatt()
6147 if (memcmp(&((struct sockaddr_in6 *)sa)->sin6_addr.s6_addr, in key_setnatt()
6148 &sav->sah->saidx.dst.sin6.sin6_addr.s6_addr, 16) != 0) { in key_setnatt()
6149 bcopy(sa, &sav->natt->oar.sa, sa->sa_len); in key_setnatt()
6150 sav->natt->flags |= IPSEC_NATT_F_OAR; in key_setnatt()
6154 ~sav->sah->saidx.dst.sin6.sin6_addr.s6_addr16[i]); in key_setnatt()
6156 sav->natt->oar.sin6.sin6_addr.s6_addr16[i]); in key_setnatt()
6163 "%s: wrong NAT-OAr header.\n", in key_setnatt()
6168 sav->natt->cksum = cksum; in key_setnatt()
6180 IPSEC_ASSERT(mhp->msg != NULL, ("null msg")); in key_setident()
6185 sah->idents = NULL; in key_setident()
6186 sah->identd = NULL; in key_setident()
6196 idsrc = (const struct sadb_ident *)mhp->ext[SADB_EXT_IDENTITY_SRC]; in key_setident()
6197 iddst = (const struct sadb_ident *)mhp->ext[SADB_EXT_IDENTITY_DST]; in key_setident()
6200 if (idsrc->sadb_ident_type != iddst->sadb_ident_type) { in key_setident()
6205 switch (idsrc->sadb_ident_type) { in key_setident()
6211 sah->idents = NULL; in key_setident()
6212 sah->identd = NULL; in key_setident()
6217 sah->idents = malloc(sizeof(struct secident), M_IPSEC_MISC, M_NOWAIT); in key_setident()
6218 if (sah->idents == NULL) { in key_setident()
6222 sah->identd = malloc(sizeof(struct secident), M_IPSEC_MISC, M_NOWAIT); in key_setident()
6223 if (sah->identd == NULL) { in key_setident()
6224 free(sah->idents, M_IPSEC_MISC); in key_setident()
6225 sah->idents = NULL; in key_setident()
6229 sah->idents->type = idsrc->sadb_ident_type; in key_setident()
6230 sah->idents->id = idsrc->sadb_ident_id; in key_setident()
6232 sah->identd->type = iddst->sadb_ident_type; in key_setident()
6233 sah->identd->id = iddst->sadb_ident_id; in key_setident()
6252 IPSEC_ASSERT(mhp->msg != NULL, ("null msg")); in key_getmsgbuf_x1()
6267 if (n->m_len < sizeof(struct sadb_msg)) { in key_getmsgbuf_x1()
6272 mtod(n, struct sadb_msg *)->sadb_msg_errno = 0; in key_getmsgbuf_x1()
6273 mtod(n, struct sadb_msg *)->sadb_msg_len = in key_getmsgbuf_x1()
6274 PFKEY_UNIT64(n->m_pkthdr.len); in key_getmsgbuf_x1()
6302 IPSEC_ASSERT(mhp->msg != NULL, ("null msg")); in key_delete()
6305 if ((proto = key_satype2proto(mhp->msg->sadb_msg_satype)) == 0) { in key_delete()
6320 src0 = (struct sadb_address *)(mhp->ext[SADB_EXT_ADDRESS_SRC]); in key_delete()
6321 dst0 = (struct sadb_address *)(mhp->ext[SADB_EXT_ADDRESS_DST]); in key_delete()
6331 * Caller wants us to delete all non-LARVAL SAs in key_delete()
6333 * IKE INITIAL-CONTACT. in key_delete()
6344 sa0 = (struct sadb_sa *)mhp->ext[SADB_EXT_SA]; in key_delete()
6349 sav = key_getsavbyspi(sa0->sadb_sa_spi); in key_delete()
6352 ipseclog((LOG_DEBUG, "%s: no SA found for SPI %u.\n", in key_delete()
6353 __func__, ntohl(sa0->sadb_sa_spi))); in key_delete()
6356 if (key_cmpsaidx(&sav->sah->saidx, &saidx, CMP_HEAD) == 0) { in key_delete()
6357 ipseclog((LOG_DEBUG, "%s: saidx mismatched for SPI %u.\n", in key_delete()
6358 __func__, ntohl(sav->spi))); in key_delete()
6378 if (n->m_len < sizeof(struct sadb_msg)) { in key_delete()
6384 newmsg->sadb_msg_errno = 0; in key_delete()
6385 newmsg->sadb_msg_len = PFKEY_UNIT64(n->m_pkthdr.len); in key_delete()
6406 if (key_cmpsaidx(&sah->saidx, saidx, CMP_HEAD) == 0) in key_delete_all()
6409 TAILQ_CONCAT(&drainq, &sah->savtree_alive, chain); in key_delete_all()
6411 /* Unlink all queued SAs from SPI hash */ in key_delete_all()
6413 sav->state = SADB_SASTATE_DEAD; in key_delete_all()
6425 key_freesah(&sav->sah); /* release reference from SAV */ in key_delete_all()
6440 if (n->m_len < sizeof(struct sadb_msg)) { in key_delete_all()
6446 newmsg->sadb_msg_errno = 0; in key_delete_all()
6447 newmsg->sadb_msg_len = PFKEY_UNIT64(n->m_pkthdr.len); in key_delete_all()
6469 sav = TAILQ_FIRST(&sah->savtree_alive); in key_delete_xform()
6472 if (sav->tdb_xform != xsp) in key_delete_xform()
6478 TAILQ_CONCAT(&drainq, &sah->savtree_alive, chain); in key_delete_xform()
6480 /* Unlink all queued SAs from SPI hash */ in key_delete_xform()
6482 sav->state = SADB_SASTATE_DEAD; in key_delete_xform()
6495 key_freesah(&sav->sah); /* release reference from SAV */ in key_delete_xform()
6525 IPSEC_ASSERT(mhp->msg != NULL, ("null msg")); in key_get()
6528 if ((proto = key_satype2proto(mhp->msg->sadb_msg_satype)) == 0) { in key_get()
6550 sa0 = (struct sadb_sa *)mhp->ext[SADB_EXT_SA]; in key_get()
6551 src0 = (struct sadb_address *)mhp->ext[SADB_EXT_ADDRESS_SRC]; in key_get()
6552 dst0 = (struct sadb_address *)mhp->ext[SADB_EXT_ADDRESS_DST]; in key_get()
6565 sav = key_getsavbyspi(sa0->sadb_sa_spi); in key_get()
6571 if (key_cmpsaidx(&sav->sah->saidx, &saidx, CMP_HEAD) == 0) { in key_get()
6572 ipseclog((LOG_DEBUG, "%s: saidx mismatched for SPI %u.\n", in key_get()
6573 __func__, ntohl(sa0->sadb_sa_spi))); in key_get()
6583 if ((satype = key_proto2satype(sav->sah->saidx.proto)) == 0) { in key_get()
6591 n = key_setdumpsa(sav, SADB_GET, satype, mhp->msg->sadb_msg_seq, in key_get()
6592 mhp->msg->sadb_msg_pid, NULL); in key_get()
6603 /* XXX make it sysctl-configurable? */
6608 comb->sadb_comb_soft_allocations = 1; in key_getcomb_setlifetime()
6609 comb->sadb_comb_hard_allocations = 1; in key_getcomb_setlifetime()
6610 comb->sadb_comb_soft_bytes = 0; in key_getcomb_setlifetime()
6611 comb->sadb_comb_hard_bytes = 0; in key_getcomb_setlifetime()
6612 comb->sadb_comb_hard_addtime = 86400; /* 1 day */ in key_getcomb_setlifetime()
6613 comb->sadb_comb_soft_addtime = comb->sadb_comb_soft_addtime * 80 / 100; in key_getcomb_setlifetime()
6614 comb->sadb_comb_soft_usetime = 28800; /* 8 hours */ in key_getcomb_setlifetime()
6615 comb->sadb_comb_hard_usetime = comb->sadb_comb_hard_usetime * 80 / 100; in key_getcomb_setlifetime()
6640 if (_BITS(algo->maxkey) < V_ipsec_esp_keymin) in key_getcomb_ealg()
6642 if (_BITS(algo->minkey) < V_ipsec_esp_keymin) in key_getcomb_ealg()
6645 encmin = _BITS(algo->minkey); in key_getcomb_ealg()
6655 m->m_len = l; in key_getcomb_ealg()
6656 m->m_next = NULL; in key_getcomb_ealg()
6657 bzero(mtod(m, caddr_t), m->m_len); in key_getcomb_ealg()
6664 for (n = m; n; n = n->m_next) in key_getcomb_ealg()
6665 totlen += n->m_len; in key_getcomb_ealg()
6677 comb->sadb_comb_encrypt = i; in key_getcomb_ealg()
6678 comb->sadb_comb_encrypt_minbits = encmin; in key_getcomb_ealg()
6679 comb->sadb_comb_encrypt_maxbits = _BITS(algo->maxkey); in key_getcomb_ealg()
6701 *min = *max = ah->hashsize; in key_getsizes_ah()
6702 if (ah->keysize == 0) { in key_getsizes_ah()
6757 m->m_len = l; in key_getcomb_ah()
6758 m->m_next = NULL; in key_getcomb_ah()
6768 comb->sadb_comb_auth = i; in key_getcomb_ah()
6769 comb->sadb_comb_auth_minbits = _BITS(minkeysize); in key_getcomb_ah()
6770 comb->sadb_comb_auth_maxbits = _BITS(maxkeysize); in key_getcomb_ah()
6801 m->m_len = l; in key_getcomb_ipcomp()
6802 m->m_next = NULL; in key_getcomb_ipcomp()
6812 comb->sadb_comb_encrypt = i; in key_getcomb_ipcomp()
6832 switch (saidx->proto) { in key_getprop()
6853 for (n = m; n; n = n->m_next) in key_getprop()
6854 totlen += n->m_len; in key_getprop()
6858 prop->sadb_prop_len = PFKEY_UNIT64(totlen); in key_getprop()
6859 prop->sadb_prop_exttype = SADB_EXT_PROPOSAL; in key_getprop()
6860 prop->sadb_prop_replay = 32; /* XXX */ in key_getprop()
6873 * <base, src address, dst address, (SPI range)> with SADB_GETSPI
6896 satype = key_proto2satype(saidx->proto); in key_acquire()
6897 IPSEC_ASSERT(satype != 0, ("null satype, protocol %u", saidx->proto)); in key_acquire()
6899 error = -1; in key_acquire()
6925 if (sp != NULL && (sp->spidx.ul_proto == IPPROTO_TCP || in key_acquire()
6926 sp->spidx.ul_proto == IPPROTO_UDP)) in key_acquire()
6927 ul_proto = sp->spidx.ul_proto; in key_acquire()
6929 addr = saidx->src; in key_acquire()
6932 switch (sp->spidx.src.sa.sa_family) { in key_acquire()
6934 if (sp->spidx.src.sin.sin_port != IPSEC_PORT_ANY) { in key_acquire()
6935 addr.sin.sin_port = sp->spidx.src.sin.sin_port; in key_acquire()
6936 mask = sp->spidx.prefs; in key_acquire()
6940 if (sp->spidx.src.sin6.sin6_port != IPSEC_PORT_ANY) { in key_acquire()
6942 sp->spidx.src.sin6.sin6_port; in key_acquire()
6943 mask = sp->spidx.prefs; in key_acquire()
6957 addr = saidx->dst; in key_acquire()
6960 switch (sp->spidx.dst.sa.sa_family) { in key_acquire()
6962 if (sp->spidx.dst.sin.sin_port != IPSEC_PORT_ANY) { in key_acquire()
6963 addr.sin.sin_port = sp->spidx.dst.sin.sin_port; in key_acquire()
6964 mask = sp->spidx.prefd; in key_acquire()
6968 if (sp->spidx.dst.sin6.sin6_port != IPSEC_PORT_ANY) { in key_acquire()
6970 sp->spidx.dst.sin6.sin6_port; in key_acquire()
6971 mask = sp->spidx.prefd; in key_acquire()
6991 m = key_setsadbxpolicy(sp->policy, sp->spidx.dir, sp->id, in key_acquire()
6992 sp->priority); in key_acquire()
7001 * Set sadb_x_sa2 extension if saidx->reqid is not zero. in key_acquire()
7004 if (saidx->reqid != 0) { in key_acquire()
7005 m = key_setsadbxsa2(saidx->mode, 0, saidx->reqid); in key_acquire()
7019 fqdnlen = strlen(fqdn) + 1; /* +1 for terminating-NUL */ in key_acquire()
7022 id->sadb_ident_len = PFKEY_UNIT64(sizeof(*id) + PFKEY_ALIGN8(fqdnlen)); in key_acquire()
7023 id->sadb_ident_exttype = idexttype; in key_acquire()
7024 id->sadb_ident_type = SADB_IDENTTYPE_FQDN; in key_acquire()
7035 /* +1 for terminating-NUL */ in key_acquire()
7041 id->sadb_ident_len = PFKEY_UNIT64(sizeof(*id) + PFKEY_ALIGN8(userfqdnlen)); in key_acquire()
7042 id->sadb_ident_exttype = idexttype; in key_acquire()
7043 id->sadb_ident_type = SADB_IDENTTYPE_USERFQDN; in key_acquire()
7045 if (curproc && curproc->p_cred) in key_acquire()
7046 id->sadb_ident_id = curproc->p_cred->p_ruid; in key_acquire()
7076 if ((result->m_flags & M_PKTHDR) == 0) { in key_acquire()
7081 if (result->m_len < sizeof(struct sadb_msg)) { in key_acquire()
7089 result->m_pkthdr.len = 0; in key_acquire()
7090 for (m = result; m; m = m->m_next) in key_acquire()
7091 result->m_pkthdr.len += m->m_len; in key_acquire()
7093 mtod(result, struct sadb_msg *)->sadb_msg_len = in key_acquire()
7094 PFKEY_UNIT64(result->m_pkthdr.len); in key_acquire()
7122 bcopy(saidx, &acq->saidx, sizeof(acq->saidx)); in key_newacq()
7123 acq->created = time_second; in key_newacq()
7124 acq->count = 0; in key_newacq()
7128 seq = acq->seq = (V_acq_seq == ~0 ? 1 : ++V_acq_seq); in key_newacq()
7145 if (key_cmpsaidx(&acq->saidx, saidx, CMP_EXACTLY)) { in key_getacq()
7146 if (acq->count > V_key_blockacq_count) { in key_getacq()
7152 acq->created = time_second; in key_getacq()
7153 acq->count = 0; in key_getacq()
7154 seq = acq->seq; in key_getacq()
7161 acq->count++; in key_getacq()
7183 if (acq->seq == seq) { in key_acqreset()
7184 acq->count = 0; in key_acqreset()
7185 acq->created = time_second; in key_acqreset()
7205 if (acq->seq == seq) in key_acqdone()
7209 if (key_cmpsaidx(&acq->saidx, saidx, CMP_EXACTLY) == 0) { in key_acqdone()
7214 acq->created = 0; in key_acqdone()
7239 bcopy(spidx, &acq->spidx, sizeof(acq->spidx)); in key_newspacq()
7240 acq->created = time_second; in key_newspacq()
7241 acq->count = 0; in key_newspacq()
7258 if (key_cmpspidx_exactly(spidx, &acq->spidx)) { in key_getspacq()
7270 * in first situation, is receiving
7296 IPSEC_ASSERT(mhp->msg != NULL, ("null msg")); in key_acquire2()
7304 if (mhp->msg->sadb_msg_len == PFKEY_UNIT64(sizeof(struct sadb_msg))) { in key_acquire2()
7306 if (mhp->msg->sadb_msg_seq == 0 || in key_acquire2()
7307 mhp->msg->sadb_msg_errno == 0) { in key_acquire2()
7318 key_acqreset(mhp->msg->sadb_msg_seq); in key_acquire2()
7329 if ((proto = key_satype2proto(mhp->msg->sadb_msg_satype)) == 0) { in key_acquire2()
7362 mhp->ext[SADB_X_EXT_SA2])->sadb_x_sa2_mode; in key_acquire2()
7364 mhp->ext[SADB_X_EXT_SA2])->sadb_x_sa2_reqid; in key_acquire2()
7367 src0 = (struct sadb_address *)mhp->ext[SADB_EXT_ADDRESS_SRC]; in key_acquire2()
7368 dst0 = (struct sadb_address *)mhp->ext[SADB_EXT_ADDRESS_DST]; in key_acquire2()
7381 if (key_cmpsaidx(&sah->saidx, &saidx, CMP_MODE_REQID)) in key_acquire2()
7422 IPSEC_ASSERT(mhp->msg != NULL, ("null msg")); in key_register()
7425 if (mhp->msg->sadb_msg_satype >= sizeof(V_regtree)/sizeof(V_regtree[0])) in key_register()
7429 if (mhp->msg->sadb_msg_satype == SADB_SATYPE_UNSPEC) in key_register()
7434 LIST_FOREACH(reg, &V_regtree[mhp->msg->sadb_msg_satype], chain) { in key_register()
7435 if (reg->so == so) { in key_register()
7451 newreg->so = so; in key_register()
7452 ((struct keycb *)(so->so_pcb))->kp_registered++; in key_register()
7455 LIST_INSERT_HEAD(&V_regtree[mhp->msg->sadb_msg_satype], newreg, chain); in key_register()
7493 n->m_pkthdr.len = n->m_len = len; in key_register()
7494 n->m_next = NULL; in key_register()
7499 newmsg->sadb_msg_errno = 0; in key_register()
7500 newmsg->sadb_msg_len = PFKEY_UNIT64(len); in key_register()
7506 sup->sadb_supported_len = PFKEY_UNIT64(alen); in key_register()
7507 sup->sadb_supported_exttype = SADB_EXT_SUPPORTED_AUTH; in key_register()
7518 alg->sadb_alg_id = i; in key_register()
7519 alg->sadb_alg_ivlen = 0; in key_register()
7521 alg->sadb_alg_minbits = _BITS(minkeysize); in key_register()
7522 alg->sadb_alg_maxbits = _BITS(maxkeysize); in key_register()
7530 sup->sadb_supported_len = PFKEY_UNIT64(elen); in key_register()
7531 sup->sadb_supported_exttype = SADB_EXT_SUPPORTED_ENCRYPT; in key_register()
7541 alg->sadb_alg_id = i; in key_register()
7542 alg->sadb_alg_ivlen = ealgo->ivsize; in key_register()
7543 alg->sadb_alg_minbits = _BITS(ealgo->minkey); in key_register()
7544 alg->sadb_alg_maxbits = _BITS(ealgo->maxkey); in key_register()
7577 if (reg->so == so && __LIST_CHAINED(reg)) { in key_freereg()
7609 IPSEC_ASSERT (sav->sah != NULL, ("null sa header")); in key_expire()
7616 satype = key_proto2satype(sav->sah->saidx.proto); in key_expire()
7618 m = key_setsadbmsg(SADB_EXPIRE, 0, satype, sav->seq, 0, sav->refcnt); in key_expire()
7635 replay_count = sav->replay ? sav->replay->count : 0; in key_expire()
7638 m = key_setsadbxsa2(sav->sah->saidx.mode, replay_count, in key_expire()
7639 sav->sah->saidx.reqid); in key_expire()
7646 if (sav->replay && sav->replay->wsize > UINT8_MAX) { in key_expire()
7647 m = key_setsadbxsareplay(sav->replay->wsize); in key_expire()
7663 m->m_len = len; in key_expire()
7666 lt->sadb_lifetime_len = PFKEY_UNIT64(sizeof(struct sadb_lifetime)); in key_expire()
7667 lt->sadb_lifetime_exttype = SADB_EXT_LIFETIME_CURRENT; in key_expire()
7668 lt->sadb_lifetime_allocations = in key_expire()
7669 (uint32_t)counter_u64_fetch(sav->lft_c_allocations); in key_expire()
7670 lt->sadb_lifetime_bytes = in key_expire()
7671 counter_u64_fetch(sav->lft_c_bytes); in key_expire()
7672 lt->sadb_lifetime_addtime = sav->created; in key_expire()
7673 lt->sadb_lifetime_usetime = sav->firstused; in key_expire()
7675 lt->sadb_lifetime_len = PFKEY_UNIT64(sizeof(struct sadb_lifetime)); in key_expire()
7677 lt->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD; in key_expire()
7678 lt->sadb_lifetime_allocations = sav->lft_h->allocations; in key_expire()
7679 lt->sadb_lifetime_bytes = sav->lft_h->bytes; in key_expire()
7680 lt->sadb_lifetime_addtime = sav->lft_h->addtime; in key_expire()
7681 lt->sadb_lifetime_usetime = sav->lft_h->usetime; in key_expire()
7683 lt->sadb_lifetime_exttype = SADB_EXT_LIFETIME_SOFT; in key_expire()
7684 lt->sadb_lifetime_allocations = sav->lft_s->allocations; in key_expire()
7685 lt->sadb_lifetime_bytes = sav->lft_s->bytes; in key_expire()
7686 lt->sadb_lifetime_addtime = sav->lft_s->addtime; in key_expire()
7687 lt->sadb_lifetime_usetime = sav->lft_s->usetime; in key_expire()
7693 &sav->sah->saidx.src.sa, in key_expire()
7703 &sav->sah->saidx.dst.sa, in key_expire()
7712 * XXX-BZ Handle NAT-T extensions here. in key_expire()
7717 if ((result->m_flags & M_PKTHDR) == 0) { in key_expire()
7722 if (result->m_len < sizeof(struct sadb_msg)) { in key_expire()
7730 result->m_pkthdr.len = 0; in key_expire()
7731 for (m = result; m; m = m->m_next) in key_expire()
7732 result->m_pkthdr.len += m->m_len; in key_expire()
7734 mtod(result, struct sadb_msg *)->sadb_msg_len = in key_expire()
7735 PFKEY_UNIT64(result->m_pkthdr.len); in key_expire()
7753 sav = TAILQ_FIRST(&sah->savtree_larval); in key_freesah_flushed()
7756 TAILQ_REMOVE(&sah->savtree_larval, sav, chain); in key_freesah_flushed()
7761 sav = TAILQ_FIRST(&sah->savtree_alive); in key_freesah_flushed()
7764 TAILQ_REMOVE(&sah->savtree_alive, sav, chain); in key_freesah_flushed()
7799 IPSEC_ASSERT(mhp->msg != NULL, ("null msg")); in key_flush()
7802 if ((proto = key_satype2proto(mhp->msg->sadb_msg_satype)) == 0) { in key_flush()
7816 /* Flush all buckets in SPI hash */ in key_flush()
7824 sah->state = SADB_SASTATE_DEAD; in key_flush()
7832 TAILQ_FOREACH(sav, &sah->savtree_larval, chain) { in key_flush()
7833 sav->state = SADB_SASTATE_DEAD; in key_flush()
7836 TAILQ_FOREACH(sav, &sah->savtree_alive, chain) { in key_flush()
7837 sav->state = SADB_SASTATE_DEAD; in key_flush()
7846 IPSEC_ASSERT(sah->state != SADB_SASTATE_DEAD, in key_flush()
7849 if (sah->saidx.proto != proto) { in key_flush()
7853 sah->state = SADB_SASTATE_DEAD; in key_flush()
7856 /* Unlink all SAs from SPI hash */ in key_flush()
7857 TAILQ_FOREACH(sav, &sah->savtree_larval, chain) { in key_flush()
7859 sav->state = SADB_SASTATE_DEAD; in key_flush()
7862 TAILQ_FOREACH(sav, &sah->savtree_alive, chain) { in key_flush()
7864 sav->state = SADB_SASTATE_DEAD; in key_flush()
7876 if (m->m_len < sizeof(struct sadb_msg) || in key_flush()
7877 sizeof(struct sadb_msg) > m->m_len + M_TRAILINGSPACE(m)) { in key_flush()
7882 if (m->m_next) in key_flush()
7883 m_freem(m->m_next); in key_flush()
7884 m->m_next = NULL; in key_flush()
7885 m->m_pkthdr.len = m->m_len = sizeof(struct sadb_msg); in key_flush()
7887 newmsg->sadb_msg_errno = 0; in key_flush()
7888 newmsg->sadb_msg_len = PFKEY_UNIT64(m->m_pkthdr.len); in key_flush()
7918 IPSEC_ASSERT(mhp->msg != NULL, ("null msg")); in key_dump()
7921 if ((proto = key_satype2proto(mhp->msg->sadb_msg_satype)) == 0) { in key_dump()
7932 if (mhp->msg->sadb_msg_satype != SADB_SATYPE_UNSPEC && in key_dump()
7933 proto != sah->saidx.proto) in key_dump()
7936 TAILQ_FOREACH(sav, &sah->savtree_larval, chain) in key_dump()
7938 TAILQ_FOREACH(sav, &sah->savtree_alive, chain) in key_dump()
7950 if (mhp->msg->sadb_msg_satype != SADB_SATYPE_UNSPEC && in key_dump()
7951 proto != sah->saidx.proto) in key_dump()
7955 if ((satype = key_proto2satype(sah->saidx.proto)) == 0) { in key_dump()
7962 TAILQ_FOREACH(sav, &sah->savtree_larval, chain) { in key_dump()
7964 --cnt, mhp->msg->sadb_msg_pid, &sahtree_tracker); in key_dump()
7972 TAILQ_FOREACH(sav, &sah->savtree_alive, chain) { in key_dump()
7974 --cnt, mhp->msg->sadb_msg_pid, &sahtree_tracker); in key_dump()
8001 IPSEC_ASSERT(mhp->msg != NULL, ("null msg")); in key_promisc()
8003 olen = PFKEY_UNUNIT64(mhp->msg->sadb_msg_len); in key_promisc()
8016 if ((kp = so->so_pcb) == NULL) in key_promisc()
8018 mhp->msg->sadb_msg_errno = 0; in key_promisc()
8019 switch (mhp->msg->sadb_msg_satype) { in key_promisc()
8022 kp->kp_promisc = mhp->msg->sadb_msg_satype; in key_promisc()
8029 mhp->msg->sadb_msg_errno = 0; in key_promisc()
8091 if (m->m_len < sizeof(struct sadb_msg)) { in key_parse()
8097 orglen = PFKEY_UNUNIT64(msg->sadb_msg_len); in key_parse()
8100 if ((m->m_flags & M_PKTHDR) == 0 || m->m_pkthdr.len != orglen) { in key_parse()
8107 if (msg->sadb_msg_version != PF_KEY_V2) { in key_parse()
8109 __func__, msg->sadb_msg_version)); in key_parse()
8115 if (msg->sadb_msg_type > SADB_MAX) { in key_parse()
8117 __func__, msg->sadb_msg_type)); in key_parse()
8123 /* for old-fashioned code - should be nuked */ in key_parse()
8124 if (m->m_pkthdr.len > MCLBYTES) { in key_parse()
8128 if (m->m_next) { in key_parse()
8131 n = key_mget(m->m_pkthdr.len); in key_parse()
8136 m_copydata(m, 0, m->m_pkthdr.len, mtod(n, caddr_t)); in key_parse()
8137 n->m_pkthdr.len = n->m_len = m->m_pkthdr.len; in key_parse()
8138 n->m_next = NULL; in key_parse()
8151 if (msg->sadb_msg_type == SADB_X_SPDDUMP) { in key_parse()
8152 switch (msg->sadb_msg_satype) { in key_parse()
8160 __func__, msg->sadb_msg_type)); in key_parse()
8166 switch (msg->sadb_msg_satype) { /* check SA type */ in key_parse()
8168 switch (msg->sadb_msg_type) { in key_parse()
8178 msg->sadb_msg_type)); in key_parse()
8188 switch (msg->sadb_msg_type) { in key_parse()
8197 __func__, msg->sadb_msg_type)); in key_parse()
8208 __func__, msg->sadb_msg_satype)); in key_parse()
8213 if (msg->sadb_msg_type == SADB_X_PROMISC) in key_parse()
8218 __func__, msg->sadb_msg_satype)); in key_parse()
8235 if (src0->sadb_address_proto != dst0->sadb_address_proto) { in key_parse()
8244 if (PFKEY_ADDR_SADDR(src0)->sa_family != in key_parse()
8245 PFKEY_ADDR_SADDR(dst0)->sa_family) { in key_parse()
8252 if (PFKEY_ADDR_SADDR(src0)->sa_len != in key_parse()
8253 PFKEY_ADDR_SADDR(dst0)->sa_len) { in key_parse()
8261 switch (PFKEY_ADDR_SADDR(src0)->sa_family) { in key_parse()
8263 if (PFKEY_ADDR_SADDR(src0)->sa_len != in key_parse()
8271 if (PFKEY_ADDR_SADDR(src0)->sa_len != in key_parse()
8286 switch (PFKEY_ADDR_SADDR(src0)->sa_family) { in key_parse()
8299 if (src0->sadb_address_prefixlen > plen || in key_parse()
8300 dst0->sadb_address_prefixlen > plen) { in key_parse()
8314 if (msg->sadb_msg_type >= nitems(key_typesw) || in key_parse()
8315 key_typesw[msg->sadb_msg_type] == NULL) { in key_parse()
8321 return (*key_typesw[msg->sadb_msg_type])(so, m, &mh); in key_parse()
8324 msg->sadb_msg_errno = error; in key_parse()
8333 IPSEC_ASSERT(m->m_len >= sizeof(struct sadb_msg), in key_senderror()
8334 ("mbuf too small, len %u", m->m_len)); in key_senderror()
8337 msg->sadb_msg_errno = code; in key_senderror()
8344 * XXX larger-than-MCLBYTES extension?
8357 IPSEC_ASSERT(m->m_len >= sizeof(struct sadb_msg), in key_align()
8358 ("mbuf too small, len %u", m->m_len)); in key_align()
8363 mhp->msg = mtod(m, struct sadb_msg *); in key_align()
8364 mhp->ext[0] = (struct sadb_ext *)mhp->msg; /*XXX backward compat */ in key_align()
8366 end = PFKEY_UNUNIT64(mhp->msg->sadb_msg_len); in key_align()
8377 switch (ext->sadb_ext_type) { in key_align()
8415 if (mhp->ext[ext->sadb_ext_type] != NULL) { in key_align()
8417 "%u\n", __func__, ext->sadb_ext_type)); in key_align()
8425 __func__, ext->sadb_ext_type)); in key_align()
8431 extlen = PFKEY_UNUNIT64(ext->sadb_ext_len); in key_align()
8446 mhp->ext[ext->sadb_ext_type] = ext; in key_align()
8447 mhp->extoff[ext->sadb_ext_type] = off; in key_align()
8448 mhp->extlen[ext->sadb_ext_type] = extlen; in key_align()
8466 const int sal = offsetof(struct sockaddr, sa_len) + sizeof(sa->sa_len); in key_validate_ext()
8468 if (len != PFKEY_UNUNIT64(ext->sadb_ext_len)) in key_validate_ext()
8472 if (ext->sadb_ext_type >= nitems(minsize) || in key_validate_ext()
8473 ext->sadb_ext_type >= nitems(maxsize)) in key_validate_ext()
8475 if (!minsize[ext->sadb_ext_type] || len < minsize[ext->sadb_ext_type]) in key_validate_ext()
8477 if (maxsize[ext->sadb_ext_type] && len > maxsize[ext->sadb_ext_type]) in key_validate_ext()
8481 switch (ext->sadb_ext_type) { in key_validate_ext()
8494 if (((const struct sadb_ident *)ext)->sadb_ident_type == in key_validate_ext()
8513 if (baselen + PFKEY_ALIGN8(sa->sa_len) != len) in key_validate_ext()
8562 entry->spidx = *spidx; in spdcache_entry_alloc()
8563 entry->sp = sp; in spdcache_entry_alloc()
8572 if (entry->sp != NULL) in spdcache_entry_free()
8573 key_freesp(&entry->sp); in spdcache_entry_free()
8715 sah->state = SADB_SASTATE_DEAD; in key_vnet_destroy()
8716 TAILQ_FOREACH(sav, &sah->savtree_larval, chain) { in key_vnet_destroy()
8717 sav->state = SADB_SASTATE_DEAD; in key_vnet_destroy()
8720 TAILQ_FOREACH(sav, &sah->savtree_alive, chain) { in key_vnet_destroy()
8721 sav->state = SADB_SASTATE_DEAD; in key_vnet_destroy()
8810 counter_u64_add(sav->lft_c_bytes, m->m_pkthdr.len); in key_sa_recordxfer()
8817 counter_u64_add(sav->lft_c_allocations, 1); in key_sa_recordxfer()
8826 * -----+-----+--------+---> t in key_sa_recordxfer()
8827 * <--------------> HARD in key_sa_recordxfer()
8828 * <-----> SOFT in key_sa_recordxfer()
8830 if (sav->firstused == 0) in key_sa_recordxfer()
8831 sav->firstused = time_second; in key_sa_recordxfer()
8862 m->m_len = len; in key_setkey()
8865 p->sadb_key_len = PFKEY_UNIT64(len); in key_setkey()
8866 p->sadb_key_exttype = exttype; in key_setkey()
8867 p->sadb_key_bits = src->bits; in key_setkey()
8868 bcopy(src->key_data, _KEYBUF(p), _KEYLEN(src)); in key_setkey()
8885 m->m_len = len; in key_setaccelif()
8889 p->sadb_x_if_hw_offl_len = PFKEY_UNIT64(len); in key_setaccelif()
8890 p->sadb_x_if_hw_offl_exttype = SADB_X_EXT_IF_HW_OFFL; in key_setaccelif()
8891 p->sadb_x_if_hw_offl_flags = 0; in key_setaccelif()
8892 strncpy(p->sadb_x_if_hw_offl_if, ifname, in key_setaccelif()
8893 sizeof(p->sadb_x_if_hw_offl_if)); in key_setaccelif()
8927 m->m_len = len; in key_setlifetime()
8931 p->sadb_lifetime_len = PFKEY_UNIT64(len); in key_setlifetime()
8932 p->sadb_lifetime_exttype = exttype; in key_setlifetime()
8933 p->sadb_lifetime_allocations = src->allocations; in key_setlifetime()
8934 p->sadb_lifetime_bytes = src->bytes; in key_setlifetime()
8935 p->sadb_lifetime_addtime = src->addtime; in key_setlifetime()
8936 p->sadb_lifetime_usetime = src->usetime; in key_setlifetime()