1 /* $KAME: key.c,v 1.191 2001/06/27 10:46:49 sakane Exp $ */
2
3 /*-
4 * SPDX-License-Identifier: BSD-3-Clause
5 *
6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
7 * All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the project nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 /*
35 * This code is referd to RFC 2367
36 */
37
38 #include "opt_inet.h"
39 #include "opt_inet6.h"
40 #include "opt_ipsec.h"
41
42 #include <sys/types.h>
43 #include <sys/param.h>
44 #include <sys/systm.h>
45 #include <sys/kernel.h>
46 #include <sys/fnv_hash.h>
47 #include <sys/lock.h>
48 #include <sys/mutex.h>
49 #include <sys/mbuf.h>
50 #include <sys/domain.h>
51 #include <sys/protosw.h>
52 #include <sys/malloc.h>
53 #include <sys/rmlock.h>
54 #include <sys/socket.h>
55 #include <sys/socketvar.h>
56 #include <sys/sysctl.h>
57 #include <sys/errno.h>
58 #include <sys/proc.h>
59 #include <sys/queue.h>
60 #include <sys/refcount.h>
61 #include <sys/stdarg.h>
62 #include <sys/syslog.h>
63
64 #include <vm/uma.h>
65
66 #include <net/if.h>
67 #include <net/if_var.h>
68 #include <net/vnet.h>
69
70 #include <netinet/in.h>
71 #include <netinet/in_systm.h>
72 #include <netinet/ip.h>
73 #include <netinet/in_var.h>
74 #include <netinet/udp.h>
75
76 #ifdef INET6
77 #include <netinet/ip6.h>
78 #include <netinet6/in6_var.h>
79 #include <netinet6/ip6_var.h>
80 #endif /* INET6 */
81
82 #include <net/pfkeyv2.h>
83 #include <netipsec/keydb.h>
84 #include <netipsec/key.h>
85 #include <netipsec/keysock.h>
86 #include <netipsec/key_debug.h>
87 #include <netipsec/ipsec_offload.h>
88
89 #include <netipsec/ipsec.h>
90 #ifdef INET6
91 #include <netipsec/ipsec6.h>
92 #endif
93
94 #include <netipsec/xform.h>
95 #include <netipsec/ipsec_offload.h>
96 #include <machine/in_cksum.h>
97
98 /* randomness */
99 #include <sys/random.h>
100
101 #ifdef IPSEC_OFFLOAD
102 void (*ipsec_accel_sa_newkey_p)(struct secasvar *sav);
103 void (*ipsec_accel_forget_sav_p)(struct secasvar *sav);
104 void (*ipsec_accel_spdadd_p)(struct secpolicy *sp, struct inpcb *inp);
105 void (*ipsec_accel_spddel_p)(struct secpolicy *sp);
106 int (*ipsec_accel_sa_lifetime_op_p)(struct secasvar *sav,
107 struct seclifetime *lft_c, if_t ifp, enum IF_SA_CNT_WHICH op,
108 struct rm_priotracker *sahtree_trackerp);
109 void (*ipsec_accel_sync_p)(void);
110 bool (*ipsec_accel_is_accel_sav_p)(struct secasvar *sav);
111 struct mbuf *(*ipsec_accel_key_setaccelif_p)(struct secasvar *sav);
112 void (*ipsec_accel_on_ifdown_p)(struct ifnet *ifp);
113 void (*ipsec_accel_drv_sa_lifetime_update_p)(struct secasvar *sav, if_t ifp,
114 u_int drv_spi, uint64_t octets, uint64_t allocs);
115 int (*ipsec_accel_drv_sa_lifetime_fetch_p)(struct secasvar *sav, if_t ifp,
116 u_int drv_spi, uint64_t *octets, uint64_t *allocs);
117 bool (*ipsec_accel_fill_xh_p)(if_t ifp, uint32_t drv_spi,
118 struct xform_history *xh);
119 #endif
120
121 #define FULLMASK 0xff
122 #define _BITS(bytes) ((bytes) << 3)
123
124 #define UINT32_80PCT 0xcccccccc
125 /*
126 * Note on SA reference counting:
127 * - SAs that are not in DEAD state will have (total external reference + 1)
128 * following value in reference count field. they cannot be freed and are
129 * referenced from SA header.
130 * - SAs that are in DEAD state will have (total external reference)
131 * in reference count field. they are ready to be freed. reference from
132 * SA header will be removed in key_delsav(), when the reference count
133 * field hits 0 (= no external reference other than from SA header.
134 */
135
136 VNET_DEFINE(u_int32_t, key_debug_level) = 0;
137 VNET_DEFINE_STATIC(u_int, key_spi_trycnt) = 1000;
138 VNET_DEFINE_STATIC(u_int32_t, key_spi_minval) = 0x100;
139 VNET_DEFINE_STATIC(u_int32_t, key_spi_maxval) = 0x0fffffff; /* XXX */
140 VNET_DEFINE_STATIC(u_int32_t, policy_id) = 0;
141 /*interval to initialize randseed,1(m)*/
142 VNET_DEFINE_STATIC(u_int, key_int_random) = 60;
143 /* interval to expire acquiring, 30(s)*/
144 VNET_DEFINE_STATIC(u_int, key_larval_lifetime) = 30;
145 /* counter for blocking SADB_ACQUIRE.*/
146 VNET_DEFINE_STATIC(int, key_blockacq_count) = 10;
147 /* lifetime for blocking SADB_ACQUIRE.*/
148 VNET_DEFINE_STATIC(int, key_blockacq_lifetime) = 20;
149 /* preferred old sa rather than new sa.*/
150 VNET_DEFINE_STATIC(int, key_preferred_oldsa) = 1;
151 #define V_key_spi_trycnt VNET(key_spi_trycnt)
152 #define V_key_spi_minval VNET(key_spi_minval)
153 #define V_key_spi_maxval VNET(key_spi_maxval)
154 #define V_policy_id VNET(policy_id)
155 #define V_key_int_random VNET(key_int_random)
156 #define V_key_larval_lifetime VNET(key_larval_lifetime)
157 #define V_key_blockacq_count VNET(key_blockacq_count)
158 #define V_key_blockacq_lifetime VNET(key_blockacq_lifetime)
159 #define V_key_preferred_oldsa VNET(key_preferred_oldsa)
160
161 VNET_DEFINE_STATIC(u_int32_t, acq_seq) = 0;
162 #define V_acq_seq VNET(acq_seq)
163
164 VNET_DEFINE_STATIC(uint32_t, sp_genid) = 0;
165 #define V_sp_genid VNET(sp_genid)
166
167 /* SPD */
168 TAILQ_HEAD(secpolicy_queue, secpolicy);
169 LIST_HEAD(secpolicy_list, secpolicy);
170 VNET_DEFINE_STATIC(struct secpolicy_queue, sptree[IPSEC_DIR_MAX]);
171 VNET_DEFINE_STATIC(struct secpolicy_queue, sptree_ifnet[IPSEC_DIR_MAX]);
172 static struct rmlock sptree_lock;
173 #define V_sptree VNET(sptree)
174 #define V_sptree_ifnet VNET(sptree_ifnet)
175 #define SPTREE_LOCK_INIT() rm_init(&sptree_lock, "sptree")
176 #define SPTREE_LOCK_DESTROY() rm_destroy(&sptree_lock)
177 #define SPTREE_RLOCK_TRACKER struct rm_priotracker sptree_tracker
178 #define SPTREE_RLOCK() rm_rlock(&sptree_lock, &sptree_tracker)
179 #define SPTREE_RUNLOCK() rm_runlock(&sptree_lock, &sptree_tracker)
180 #define SPTREE_RLOCK_ASSERT() rm_assert(&sptree_lock, RA_RLOCKED)
181 #define SPTREE_WLOCK() rm_wlock(&sptree_lock)
182 #define SPTREE_WUNLOCK() rm_wunlock(&sptree_lock)
183 #define SPTREE_WLOCK_ASSERT() rm_assert(&sptree_lock, RA_WLOCKED)
184 #define SPTREE_UNLOCK_ASSERT() rm_assert(&sptree_lock, RA_UNLOCKED)
185
186 /* Hash table for lookup SP using unique id */
187 VNET_DEFINE_STATIC(struct secpolicy_list *, sphashtbl);
188 VNET_DEFINE_STATIC(u_long, sphash_mask);
189 #define V_sphashtbl VNET(sphashtbl)
190 #define V_sphash_mask VNET(sphash_mask)
191
192 #define SPHASH_NHASH_LOG2 7
193 #define SPHASH_NHASH (1 << SPHASH_NHASH_LOG2)
194 #define SPHASH_HASHVAL(id) (key_u32hash(id) & V_sphash_mask)
195 #define SPHASH_HASH(id) &V_sphashtbl[SPHASH_HASHVAL(id)]
196
197 /* SPD cache */
198 struct spdcache_entry {
199 struct secpolicyindex spidx; /* secpolicyindex */
200 struct secpolicy *sp; /* cached policy to be used */
201
202 LIST_ENTRY(spdcache_entry) chain;
203 };
204 LIST_HEAD(spdcache_entry_list, spdcache_entry);
205
206 #define SPDCACHE_MAX_ENTRIES_PER_HASH 8
207
208 VNET_DEFINE_STATIC(u_int, key_spdcache_maxentries) = 0;
209 #define V_key_spdcache_maxentries VNET(key_spdcache_maxentries)
210 VNET_DEFINE_STATIC(u_int, key_spdcache_threshold) = 32;
211 #define V_key_spdcache_threshold VNET(key_spdcache_threshold)
212 VNET_DEFINE_STATIC(unsigned long, spd_size) = 0;
213 #define V_spd_size VNET(spd_size)
214
215 #define SPDCACHE_ENABLED() (V_key_spdcache_maxentries != 0)
216 #define SPDCACHE_ACTIVE() \
217 (SPDCACHE_ENABLED() && V_spd_size >= V_key_spdcache_threshold)
218
219 VNET_DEFINE_STATIC(struct spdcache_entry_list *, spdcachehashtbl);
220 VNET_DEFINE_STATIC(u_long, spdcachehash_mask);
221 #define V_spdcachehashtbl VNET(spdcachehashtbl)
222 #define V_spdcachehash_mask VNET(spdcachehash_mask)
223
224 #define SPDCACHE_HASHVAL(idx) \
225 (key_addrprotohash(&(idx)->src, &(idx)->dst, &(idx)->ul_proto) & \
226 V_spdcachehash_mask)
227
228 /* Each cache line is protected by a mutex */
229 VNET_DEFINE_STATIC(struct mtx *, spdcache_lock);
230 #define V_spdcache_lock VNET(spdcache_lock)
231
232 #define SPDCACHE_LOCK_INIT(a) \
233 mtx_init(&V_spdcache_lock[a], "spdcache", \
234 "fast ipsec SPD cache", MTX_DEF|MTX_DUPOK)
235 #define SPDCACHE_LOCK_DESTROY(a) mtx_destroy(&V_spdcache_lock[a])
236 #define SPDCACHE_LOCK(a) mtx_lock(&V_spdcache_lock[a]);
237 #define SPDCACHE_UNLOCK(a) mtx_unlock(&V_spdcache_lock[a]);
238
239 static struct sx spi_alloc_lock;
240 #define SPI_ALLOC_LOCK_INIT() sx_init(&spi_alloc_lock, "spialloc")
241 #define SPI_ALLOC_LOCK_DESTROY() sx_destroy(&spi_alloc_lock)
242 #define SPI_ALLOC_LOCK() sx_xlock(&spi_alloc_lock)
243 #define SPI_ALLOC_UNLOCK() sx_unlock(&spi_alloc_lock)
244 #define SPI_ALLOC_LOCK_ASSERT() sx_assert(&spi_alloc_lock, SA_XLOCKED)
245
246 /* SAD */
247 TAILQ_HEAD(secashead_queue, secashead);
248 LIST_HEAD(secashead_list, secashead);
249 VNET_DEFINE_STATIC(struct secashead_queue, sahtree);
250 static struct rmlock sahtree_lock;
251 #define V_sahtree VNET(sahtree)
252 #define SAHTREE_LOCK_INIT() rm_init(&sahtree_lock, "sahtree")
253 #define SAHTREE_LOCK_DESTROY() rm_destroy(&sahtree_lock)
254 #define SAHTREE_RLOCK_TRACKER struct rm_priotracker sahtree_tracker
255 #define SAHTREE_RLOCK() rm_rlock(&sahtree_lock, &sahtree_tracker)
256 #define SAHTREE_RUNLOCK() rm_runlock(&sahtree_lock, &sahtree_tracker)
257 #define SAHTREE_RLOCK_ASSERT() rm_assert(&sahtree_lock, RA_RLOCKED)
258 #define SAHTREE_WLOCK() rm_wlock(&sahtree_lock)
259 #define SAHTREE_WUNLOCK() rm_wunlock(&sahtree_lock)
260 #define SAHTREE_WLOCK_ASSERT() rm_assert(&sahtree_lock, RA_WLOCKED)
261 #define SAHTREE_UNLOCK_ASSERT() rm_assert(&sahtree_lock, RA_UNLOCKED)
262
263 /* Hash table for lookup in SAD using SA addresses */
264 VNET_DEFINE_STATIC(struct secashead_list *, sahaddrhashtbl);
265 VNET_DEFINE_STATIC(u_long, sahaddrhash_mask);
266 #define V_sahaddrhashtbl VNET(sahaddrhashtbl)
267 #define V_sahaddrhash_mask VNET(sahaddrhash_mask)
268
269 #define SAHHASH_NHASH_LOG2 7
270 #define SAHHASH_NHASH (1 << SAHHASH_NHASH_LOG2)
271 #define SAHADDRHASH_HASHVAL(idx) \
272 (key_addrprotohash(&(idx)->src, &(idx)->dst, &(idx)->proto) & \
273 V_sahaddrhash_mask)
274 #define SAHADDRHASH_HASH(saidx) \
275 &V_sahaddrhashtbl[SAHADDRHASH_HASHVAL(saidx)]
276
277 /* Hash table for lookup in SAD using SPI */
278 LIST_HEAD(secasvar_list, secasvar);
279 VNET_DEFINE_STATIC(struct secasvar_list *, savhashtbl);
280 VNET_DEFINE_STATIC(u_long, savhash_mask);
281 #define V_savhashtbl VNET(savhashtbl)
282 #define V_savhash_mask VNET(savhash_mask)
283 #define SAVHASH_NHASH_LOG2 7
284 #define SAVHASH_NHASH (1 << SAVHASH_NHASH_LOG2)
285 #define SAVHASH_HASHVAL(spi) (key_u32hash(spi) & V_savhash_mask)
286 #define SAVHASH_HASH(spi) &V_savhashtbl[SAVHASH_HASHVAL(spi)]
287
288 static uint32_t
key_addrprotohash(const union sockaddr_union * src,const union sockaddr_union * dst,const uint8_t * proto)289 key_addrprotohash(const union sockaddr_union *src,
290 const union sockaddr_union *dst, const uint8_t *proto)
291 {
292 uint32_t hval;
293
294 hval = fnv_32_buf(proto, sizeof(*proto),
295 FNV1_32_INIT);
296 switch (dst->sa.sa_family) {
297 #ifdef INET
298 case AF_INET:
299 hval = fnv_32_buf(&src->sin.sin_addr,
300 sizeof(in_addr_t), hval);
301 hval = fnv_32_buf(&dst->sin.sin_addr,
302 sizeof(in_addr_t), hval);
303 break;
304 #endif
305 #ifdef INET6
306 case AF_INET6:
307 hval = fnv_32_buf(&src->sin6.sin6_addr,
308 sizeof(struct in6_addr), hval);
309 hval = fnv_32_buf(&dst->sin6.sin6_addr,
310 sizeof(struct in6_addr), hval);
311 break;
312 #endif
313 default:
314 hval = 0;
315 ipseclog((LOG_DEBUG, "%s: unknown address family %d\n",
316 __func__, dst->sa.sa_family));
317 }
318 return (hval);
319 }
320
321 static uint32_t
key_u32hash(uint32_t val)322 key_u32hash(uint32_t val)
323 {
324
325 return (fnv_32_buf(&val, sizeof(val), FNV1_32_INIT));
326 }
327
328 /* registed list */
329 VNET_DEFINE_STATIC(LIST_HEAD(_regtree, secreg), regtree[SADB_SATYPE_MAX + 1]);
330 #define V_regtree VNET(regtree)
331 static struct mtx regtree_lock;
332 #define REGTREE_LOCK_INIT() \
333 mtx_init(®tree_lock, "regtree", "fast ipsec regtree", MTX_DEF)
334 #define REGTREE_LOCK_DESTROY() mtx_destroy(®tree_lock)
335 #define REGTREE_LOCK() mtx_lock(®tree_lock)
336 #define REGTREE_UNLOCK() mtx_unlock(®tree_lock)
337 #define REGTREE_LOCK_ASSERT() mtx_assert(®tree_lock, MA_OWNED)
338
339 /* Acquiring list */
340 LIST_HEAD(secacq_list, secacq);
341 VNET_DEFINE_STATIC(struct secacq_list, acqtree);
342 #define V_acqtree VNET(acqtree)
343 static struct mtx acq_lock;
344 #define ACQ_LOCK_INIT() \
345 mtx_init(&acq_lock, "acqtree", "ipsec SA acquiring list", MTX_DEF)
346 #define ACQ_LOCK_DESTROY() mtx_destroy(&acq_lock)
347 #define ACQ_LOCK() mtx_lock(&acq_lock)
348 #define ACQ_UNLOCK() mtx_unlock(&acq_lock)
349 #define ACQ_LOCK_ASSERT() mtx_assert(&acq_lock, MA_OWNED)
350
351 /* Hash table for lookup in ACQ list using SA addresses */
352 VNET_DEFINE_STATIC(struct secacq_list *, acqaddrhashtbl);
353 VNET_DEFINE_STATIC(u_long, acqaddrhash_mask);
354 #define V_acqaddrhashtbl VNET(acqaddrhashtbl)
355 #define V_acqaddrhash_mask VNET(acqaddrhash_mask)
356
357 /* Hash table for lookup in ACQ list using SEQ number */
358 VNET_DEFINE_STATIC(struct secacq_list *, acqseqhashtbl);
359 VNET_DEFINE_STATIC(u_long, acqseqhash_mask);
360 #define V_acqseqhashtbl VNET(acqseqhashtbl)
361 #define V_acqseqhash_mask VNET(acqseqhash_mask)
362
363 #define ACQHASH_NHASH_LOG2 7
364 #define ACQHASH_NHASH (1 << ACQHASH_NHASH_LOG2)
365 #define ACQADDRHASH_HASHVAL(idx) \
366 (key_addrprotohash(&(idx)->src, &(idx)->dst, &(idx)->proto) & \
367 V_acqaddrhash_mask)
368 #define ACQSEQHASH_HASHVAL(seq) \
369 (key_u32hash(seq) & V_acqseqhash_mask)
370 #define ACQADDRHASH_HASH(saidx) \
371 &V_acqaddrhashtbl[ACQADDRHASH_HASHVAL(saidx)]
372 #define ACQSEQHASH_HASH(seq) \
373 &V_acqseqhashtbl[ACQSEQHASH_HASHVAL(seq)]
374 /* SP acquiring list */
375 VNET_DEFINE_STATIC(LIST_HEAD(_spacqtree, secspacq), spacqtree);
376 #define V_spacqtree VNET(spacqtree)
377 static struct mtx spacq_lock;
378 #define SPACQ_LOCK_INIT() \
379 mtx_init(&spacq_lock, "spacqtree", \
380 "fast ipsec security policy acquire list", MTX_DEF)
381 #define SPACQ_LOCK_DESTROY() mtx_destroy(&spacq_lock)
382 #define SPACQ_LOCK() mtx_lock(&spacq_lock)
383 #define SPACQ_UNLOCK() mtx_unlock(&spacq_lock)
384 #define SPACQ_LOCK_ASSERT() mtx_assert(&spacq_lock, MA_OWNED)
385
386 static const int minsize[] = {
387 [SADB_EXT_RESERVED] = sizeof(struct sadb_msg),
388 [SADB_EXT_SA] = sizeof(struct sadb_sa),
389 [SADB_EXT_LIFETIME_CURRENT] = sizeof(struct sadb_lifetime),
390 [SADB_EXT_LIFETIME_HARD] = sizeof(struct sadb_lifetime),
391 [SADB_EXT_LIFETIME_SOFT] = sizeof(struct sadb_lifetime),
392 [SADB_EXT_ADDRESS_SRC] = sizeof(struct sadb_address),
393 [SADB_EXT_ADDRESS_DST] = sizeof(struct sadb_address),
394 [SADB_EXT_ADDRESS_PROXY] = sizeof(struct sadb_address),
395 [SADB_EXT_KEY_AUTH] = sizeof(struct sadb_key),
396 [SADB_EXT_KEY_ENCRYPT] = sizeof(struct sadb_key),
397 [SADB_EXT_IDENTITY_SRC] = sizeof(struct sadb_ident),
398 [SADB_EXT_IDENTITY_DST] = sizeof(struct sadb_ident),
399 [SADB_EXT_SENSITIVITY] = sizeof(struct sadb_sens),
400 [SADB_EXT_PROPOSAL] = sizeof(struct sadb_prop),
401 [SADB_EXT_SUPPORTED_AUTH] = sizeof(struct sadb_supported),
402 [SADB_EXT_SUPPORTED_ENCRYPT] = sizeof(struct sadb_supported),
403 [SADB_EXT_SPIRANGE] = sizeof(struct sadb_spirange),
404 [SADB_X_EXT_KMPRIVATE] = 0,
405 [SADB_X_EXT_POLICY] = sizeof(struct sadb_x_policy),
406 [SADB_X_EXT_SA2] = sizeof(struct sadb_x_sa2),
407 [SADB_X_EXT_NAT_T_TYPE] = sizeof(struct sadb_x_nat_t_type),
408 [SADB_X_EXT_NAT_T_SPORT] = sizeof(struct sadb_x_nat_t_port),
409 [SADB_X_EXT_NAT_T_DPORT] = sizeof(struct sadb_x_nat_t_port),
410 [SADB_X_EXT_NAT_T_OAI] = sizeof(struct sadb_address),
411 [SADB_X_EXT_NAT_T_OAR] = sizeof(struct sadb_address),
412 [SADB_X_EXT_NAT_T_FRAG] = sizeof(struct sadb_x_nat_t_frag),
413 [SADB_X_EXT_SA_REPLAY] = sizeof(struct sadb_x_sa_replay),
414 [SADB_X_EXT_NEW_ADDRESS_SRC] = sizeof(struct sadb_address),
415 [SADB_X_EXT_NEW_ADDRESS_DST] = sizeof(struct sadb_address),
416 [SADB_X_EXT_LFT_CUR_SW_OFFL] = sizeof(struct sadb_lifetime),
417 [SADB_X_EXT_LFT_CUR_HW_OFFL] = sizeof(struct sadb_lifetime),
418 [SADB_X_EXT_IF_HW_OFFL] = sizeof(struct sadb_x_if_hw_offl),
419 };
420 _Static_assert(nitems(minsize) == SADB_EXT_MAX + 1, "minsize size mismatch");
421
422 static const int maxsize[] = {
423 [SADB_EXT_RESERVED] = sizeof(struct sadb_msg),
424 [SADB_EXT_SA] = sizeof(struct sadb_sa),
425 [SADB_EXT_LIFETIME_CURRENT] = sizeof(struct sadb_lifetime),
426 [SADB_EXT_LIFETIME_HARD] = sizeof(struct sadb_lifetime),
427 [SADB_EXT_LIFETIME_SOFT] = sizeof(struct sadb_lifetime),
428 [SADB_EXT_ADDRESS_SRC] = 0,
429 [SADB_EXT_ADDRESS_DST] = 0,
430 [SADB_EXT_ADDRESS_PROXY] = 0,
431 [SADB_EXT_KEY_AUTH] = 0,
432 [SADB_EXT_KEY_ENCRYPT] = 0,
433 [SADB_EXT_IDENTITY_SRC] = 0,
434 [SADB_EXT_IDENTITY_DST] = 0,
435 [SADB_EXT_SENSITIVITY] = 0,
436 [SADB_EXT_PROPOSAL] = 0,
437 [SADB_EXT_SUPPORTED_AUTH] = 0,
438 [SADB_EXT_SUPPORTED_ENCRYPT] = 0,
439 [SADB_EXT_SPIRANGE] = sizeof(struct sadb_spirange),
440 [SADB_X_EXT_KMPRIVATE] = 0,
441 [SADB_X_EXT_POLICY] = 0,
442 [SADB_X_EXT_SA2] = sizeof(struct sadb_x_sa2),
443 [SADB_X_EXT_NAT_T_TYPE] = sizeof(struct sadb_x_nat_t_type),
444 [SADB_X_EXT_NAT_T_SPORT] = sizeof(struct sadb_x_nat_t_port),
445 [SADB_X_EXT_NAT_T_DPORT] = sizeof(struct sadb_x_nat_t_port),
446 [SADB_X_EXT_NAT_T_OAI] = 0,
447 [SADB_X_EXT_NAT_T_OAR] = 0,
448 [SADB_X_EXT_NAT_T_FRAG] = sizeof(struct sadb_x_nat_t_frag),
449 [SADB_X_EXT_SA_REPLAY] = sizeof(struct sadb_x_sa_replay),
450 [SADB_X_EXT_NEW_ADDRESS_SRC] = 0,
451 [SADB_X_EXT_NEW_ADDRESS_DST] = 0,
452 [SADB_X_EXT_LFT_CUR_SW_OFFL] = sizeof(struct sadb_lifetime),
453 [SADB_X_EXT_LFT_CUR_HW_OFFL] = sizeof(struct sadb_lifetime),
454 [SADB_X_EXT_IF_HW_OFFL] = sizeof(struct sadb_x_if_hw_offl),
455 };
456 _Static_assert(nitems(maxsize) == SADB_EXT_MAX + 1, "maxsize size mismatch");
457
458 /*
459 * Internal values for SA flags:
460 * SADB_X_EXT_F_CLONED means that SA was cloned by key_updateaddresses,
461 * thus we will not free the most of SA content in key_delsav().
462 */
463 #define SADB_X_EXT_F_CLONED 0x80000000
464
465 #define SADB_CHECKLEN(_mhp, _ext) \
466 ((_mhp)->extlen[(_ext)] < minsize[(_ext)] || (maxsize[(_ext)] != 0 && \
467 ((_mhp)->extlen[(_ext)] > maxsize[(_ext)])))
468 #define SADB_CHECKHDR(_mhp, _ext) ((_mhp)->ext[(_ext)] == NULL)
469
470 VNET_DEFINE_STATIC(int, ipsec_esp_keymin) = 256;
471 VNET_DEFINE_STATIC(int, ipsec_esp_auth) = 0;
472 VNET_DEFINE_STATIC(int, ipsec_ah_keymin) = 128;
473
474 #define V_ipsec_esp_keymin VNET(ipsec_esp_keymin)
475 #define V_ipsec_esp_auth VNET(ipsec_esp_auth)
476 #define V_ipsec_ah_keymin VNET(ipsec_ah_keymin)
477
478 #ifdef IPSEC_DEBUG
479 VNET_DEFINE(int, ipsec_debug) = 1;
480 #else
481 VNET_DEFINE(int, ipsec_debug) = 0;
482 #endif
483
484 #ifdef INET
485 SYSCTL_DECL(_net_inet_ipsec);
486 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEBUG, debug,
487 CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(ipsec_debug), 0,
488 "Enable IPsec debugging output when set.");
489 #endif
490 #ifdef INET6
491 SYSCTL_DECL(_net_inet6_ipsec6);
492 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEBUG, debug,
493 CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(ipsec_debug), 0,
494 "Enable IPsec debugging output when set.");
495 #endif
496
497 SYSCTL_INT(_net_key, KEYCTL_DEBUG_LEVEL, debug,
498 CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(key_debug_level), 0, "");
499
500 /* max count of trial for the decision of spi value */
501 SYSCTL_INT(_net_key, KEYCTL_SPI_TRY, spi_trycnt,
502 CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(key_spi_trycnt), 0, "");
503
504 /* minimum spi value to allocate automatically. */
505 SYSCTL_INT(_net_key, KEYCTL_SPI_MIN_VALUE, spi_minval,
506 CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(key_spi_minval), 0, "");
507
508 /* maximun spi value to allocate automatically. */
509 SYSCTL_INT(_net_key, KEYCTL_SPI_MAX_VALUE, spi_maxval,
510 CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(key_spi_maxval), 0, "");
511
512 /* interval to initialize randseed */
513 SYSCTL_INT(_net_key, KEYCTL_RANDOM_INT, int_random,
514 CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(key_int_random), 0, "");
515
516 /* lifetime for larval SA */
517 SYSCTL_INT(_net_key, KEYCTL_LARVAL_LIFETIME, larval_lifetime,
518 CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(key_larval_lifetime), 0, "");
519
520 /* counter for blocking to send SADB_ACQUIRE to IKEd */
521 SYSCTL_INT(_net_key, KEYCTL_BLOCKACQ_COUNT, blockacq_count,
522 CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(key_blockacq_count), 0, "");
523
524 /* lifetime for blocking to send SADB_ACQUIRE to IKEd */
525 SYSCTL_INT(_net_key, KEYCTL_BLOCKACQ_LIFETIME, blockacq_lifetime,
526 CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(key_blockacq_lifetime), 0, "");
527
528 /* ESP auth */
529 SYSCTL_INT(_net_key, KEYCTL_ESP_AUTH, esp_auth,
530 CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(ipsec_esp_auth), 0, "");
531
532 /* minimum ESP key length */
533 SYSCTL_INT(_net_key, KEYCTL_ESP_KEYMIN, esp_keymin,
534 CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(ipsec_esp_keymin), 0, "");
535
536 /* minimum AH key length */
537 SYSCTL_INT(_net_key, KEYCTL_AH_KEYMIN, ah_keymin,
538 CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(ipsec_ah_keymin), 0, "");
539
540 /* perfered old SA rather than new SA */
541 SYSCTL_INT(_net_key, KEYCTL_PREFERED_OLDSA, preferred_oldsa,
542 CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(key_preferred_oldsa), 0, "");
543
544 SYSCTL_NODE(_net_key, OID_AUTO, spdcache, CTLFLAG_RW | CTLFLAG_MPSAFE, 0,
545 "SPD cache");
546
547 SYSCTL_UINT(_net_key_spdcache, OID_AUTO, maxentries,
548 CTLFLAG_VNET | CTLFLAG_RDTUN, &VNET_NAME(key_spdcache_maxentries), 0,
549 "Maximum number of entries in the SPD cache"
550 " (power of 2, 0 to disable)");
551
552 SYSCTL_UINT(_net_key_spdcache, OID_AUTO, threshold,
553 CTLFLAG_VNET | CTLFLAG_RDTUN, &VNET_NAME(key_spdcache_threshold), 0,
554 "Number of SPs that make the SPD cache active");
555
556 #define __LIST_CHAINED(elm) \
557 (!((elm)->chain.le_next == NULL && (elm)->chain.le_prev == NULL))
558
559 MALLOC_DEFINE(M_IPSEC_SA, "secasvar", "ipsec security association");
560 MALLOC_DEFINE(M_IPSEC_SAH, "sahead", "ipsec sa head");
561 MALLOC_DEFINE(M_IPSEC_SP, "ipsecpolicy", "ipsec security policy");
562 MALLOC_DEFINE(M_IPSEC_SR, "ipsecrequest", "ipsec security request");
563 MALLOC_DEFINE(M_IPSEC_MISC, "ipsec-misc", "ipsec miscellaneous");
564 MALLOC_DEFINE(M_IPSEC_SAQ, "ipsec-saq", "ipsec sa acquire");
565 MALLOC_DEFINE(M_IPSEC_SAR, "ipsec-reg", "ipsec sa acquire");
566 MALLOC_DEFINE(M_IPSEC_SPDCACHE, "ipsec-spdcache", "ipsec SPD cache");
567
568 static uma_zone_t __read_mostly ipsec_key_lft_zone;
569
570 /*
571 * set parameters into secpolicyindex buffer.
572 * Must allocate secpolicyindex buffer passed to this function.
573 */
574 #define KEY_SETSECSPIDX(_dir, s, d, ps, pd, ulp, idx) \
575 do { \
576 bzero((idx), sizeof(struct secpolicyindex)); \
577 (idx)->dir = (_dir); \
578 (idx)->prefs = (ps); \
579 (idx)->prefd = (pd); \
580 (idx)->ul_proto = (ulp); \
581 bcopy((s), &(idx)->src, ((const struct sockaddr *)(s))->sa_len); \
582 bcopy((d), &(idx)->dst, ((const struct sockaddr *)(d))->sa_len); \
583 } while (0)
584
585 /*
586 * set parameters into secasindex buffer.
587 * Must allocate secasindex buffer before calling this function.
588 */
589 #define KEY_SETSECASIDX(p, m, r, s, d, idx) \
590 do { \
591 bzero((idx), sizeof(struct secasindex)); \
592 (idx)->proto = (p); \
593 (idx)->mode = (m); \
594 (idx)->reqid = (r); \
595 bcopy((s), &(idx)->src, ((const struct sockaddr *)(s))->sa_len); \
596 bcopy((d), &(idx)->dst, ((const struct sockaddr *)(d))->sa_len); \
597 key_porttosaddr(&(idx)->src.sa, 0); \
598 key_porttosaddr(&(idx)->dst.sa, 0); \
599 } while (0)
600
601 /* key statistics */
602 struct _keystat {
603 u_long getspi_count; /* the avarage of count to try to get new SPI */
604 } keystat;
605
606 struct sadb_msghdr {
607 struct sadb_msg *msg;
608 struct sadb_ext *ext[SADB_EXT_MAX + 1];
609 int extoff[SADB_EXT_MAX + 1];
610 int extlen[SADB_EXT_MAX + 1];
611 };
612
613 static const struct supported_ealgs {
614 int sadb_alg;
615 const struct enc_xform *xform;
616 } supported_ealgs[] = {
617 { SADB_X_EALG_AES, &enc_xform_aes_cbc },
618 { SADB_EALG_NULL, &enc_xform_null },
619 { SADB_X_EALG_AESCTR, &enc_xform_aes_icm },
620 { SADB_X_EALG_AESGCM16, &enc_xform_aes_nist_gcm },
621 { SADB_X_EALG_AESGMAC, &enc_xform_aes_nist_gmac },
622 { SADB_X_EALG_CHACHA20POLY1305, &enc_xform_chacha20_poly1305 },
623 };
624
625 static const struct supported_aalgs {
626 int sadb_alg;
627 const struct auth_hash *xform;
628 } supported_aalgs[] = {
629 { SADB_X_AALG_NULL, &auth_hash_null },
630 { SADB_AALG_SHA1HMAC, &auth_hash_hmac_sha1 },
631 { SADB_X_AALG_SHA2_256, &auth_hash_hmac_sha2_256 },
632 { SADB_X_AALG_SHA2_384, &auth_hash_hmac_sha2_384 },
633 { SADB_X_AALG_SHA2_512, &auth_hash_hmac_sha2_512 },
634 { SADB_X_AALG_AES128GMAC, &auth_hash_nist_gmac_aes_128 },
635 { SADB_X_AALG_AES192GMAC, &auth_hash_nist_gmac_aes_192 },
636 { SADB_X_AALG_AES256GMAC, &auth_hash_nist_gmac_aes_256 },
637 { SADB_X_AALG_CHACHA20POLY1305, &auth_hash_poly1305 },
638 };
639
640 static const struct supported_calgs {
641 int sadb_alg;
642 const struct comp_algo *xform;
643 } supported_calgs[] = {
644 { SADB_X_CALG_DEFLATE, &comp_algo_deflate },
645 };
646
647 #ifndef IPSEC_DEBUG2
648 static struct callout key_timer;
649 #endif
650
651 static void key_unlink(struct secpolicy *);
652 static void key_detach(struct secpolicy *);
653 static struct secpolicy *key_getsp(struct secpolicyindex *);
654 static struct secpolicy *key_getspbyid(u_int32_t);
655 static struct mbuf *key_gather_mbuf(struct mbuf *,
656 const struct sadb_msghdr *, int, int, ...);
657 static int key_spdadd(struct socket *, struct mbuf *,
658 const struct sadb_msghdr *);
659 static uint32_t key_getnewspid(void);
660 static int key_spddelete(struct socket *, struct mbuf *,
661 const struct sadb_msghdr *);
662 static int key_spddelete2(struct socket *, struct mbuf *,
663 const struct sadb_msghdr *);
664 static int key_spdget(struct socket *, struct mbuf *,
665 const struct sadb_msghdr *);
666 static int key_spdflush(struct socket *, struct mbuf *,
667 const struct sadb_msghdr *);
668 static int key_spddump(struct socket *, struct mbuf *,
669 const struct sadb_msghdr *);
670 static struct mbuf *key_setdumpsp(struct secpolicy *,
671 u_int8_t, u_int32_t, u_int32_t);
672 static struct mbuf *key_sp2mbuf(struct secpolicy *);
673 static size_t key_getspreqmsglen(struct secpolicy *);
674 static int key_spdexpire(struct secpolicy *);
675 static struct secashead *key_newsah(struct secasindex *);
676 static void key_freesah(struct secashead **);
677 static void key_delsah(struct secashead *);
678 static struct secasvar *key_newsav(const struct sadb_msghdr *,
679 struct secasindex *, uint32_t, int *);
680 static void key_delsav(struct secasvar *);
681 static void key_unlinksav(struct secasvar *);
682 static struct secashead *key_getsah(struct secasindex *);
683 static int key_checkspidup(uint32_t);
684 static struct secasvar *key_getsavbyspi(uint32_t);
685 static int key_setnatt(struct secasvar *, const struct sadb_msghdr *);
686 static int key_setsaval(struct secasvar *, const struct sadb_msghdr *);
687 static int key_updatelifetimes(struct secasvar *, const struct sadb_msghdr *);
688 static int key_updateaddresses(struct socket *, struct mbuf *,
689 const struct sadb_msghdr *, struct secasvar *, struct secasindex *);
690
691 static struct mbuf *key_setdumpsa(struct secasvar *, u_int8_t,
692 u_int8_t, u_int32_t, u_int32_t, struct rm_priotracker *);
693 static struct mbuf *key_setsadbmsg(u_int8_t, u_int16_t, u_int8_t,
694 u_int32_t, pid_t, u_int16_t);
695 static struct mbuf *key_setsadbsa(struct secasvar *);
696 static struct mbuf *key_setsadbaddr(u_int16_t,
697 const struct sockaddr *, u_int8_t, u_int16_t);
698 static struct mbuf *key_setsadbxport(u_int16_t, u_int16_t);
699 static struct mbuf *key_setsadbxtype(u_int16_t);
700 static struct mbuf *key_setsadbxsa2(u_int8_t, u_int32_t, u_int32_t);
701 static struct mbuf *key_setsadbxsareplay(u_int32_t);
702 static struct mbuf *key_setsadbxpolicy(u_int16_t, u_int8_t,
703 u_int32_t, u_int32_t);
704 static struct seckey *key_dup_keymsg(const struct sadb_key *,
705 struct malloc_type *);
706 static struct seclifetime *key_dup_lifemsg(const struct sadb_lifetime *src,
707 struct malloc_type *);
708
709 /* flags for key_cmpsaidx() */
710 #define CMP_HEAD 1 /* protocol, addresses. */
711 #define CMP_MODE_REQID 2 /* additionally HEAD, reqid, mode. */
712 #define CMP_REQID 3 /* additionally HEAD, reaid. */
713 #define CMP_EXACTLY 4 /* all elements. */
714 static int key_cmpsaidx(const struct secasindex *,
715 const struct secasindex *, int);
716 static int key_cmpspidx_exactly(struct secpolicyindex *,
717 struct secpolicyindex *);
718 static int key_cmpspidx_withmask(struct secpolicyindex *,
719 struct secpolicyindex *);
720 static int key_bbcmp(const void *, const void *, u_int);
721 static uint8_t key_satype2proto(uint8_t);
722 static uint8_t key_proto2satype(uint8_t);
723
724 static int key_getspi(struct socket *, struct mbuf *,
725 const struct sadb_msghdr *);
726 static uint32_t key_do_getnewspi(struct sadb_spirange *, struct secasindex *);
727 static int key_update(struct socket *, struct mbuf *,
728 const struct sadb_msghdr *);
729 static int key_add(struct socket *, struct mbuf *,
730 const struct sadb_msghdr *);
731 static int key_setident(struct secashead *, const struct sadb_msghdr *);
732 static struct mbuf *key_getmsgbuf_x1(struct mbuf *,
733 const struct sadb_msghdr *);
734 static int key_delete(struct socket *, struct mbuf *,
735 const struct sadb_msghdr *);
736 static int key_delete_all(struct socket *, struct mbuf *,
737 const struct sadb_msghdr *, struct secasindex *);
738 static int key_get(struct socket *, struct mbuf *,
739 const struct sadb_msghdr *);
740
741 static void key_getcomb_setlifetime(struct sadb_comb *);
742 static struct mbuf *key_getcomb_ealg(void);
743 static struct mbuf *key_getcomb_ah(void);
744 static struct mbuf *key_getcomb_ipcomp(void);
745 static struct mbuf *key_getprop(const struct secasindex *);
746
747 static int key_acquire(const struct secasindex *, struct secpolicy *);
748 static uint32_t key_newacq(const struct secasindex *, int *);
749 static uint32_t key_getacq(const struct secasindex *, int *);
750 static int key_acqdone(const struct secasindex *, uint32_t);
751 static int key_acqreset(uint32_t);
752 static struct secspacq *key_newspacq(struct secpolicyindex *);
753 static struct secspacq *key_getspacq(struct secpolicyindex *);
754 static int key_acquire2(struct socket *, struct mbuf *,
755 const struct sadb_msghdr *);
756 static int key_register(struct socket *, struct mbuf *,
757 const struct sadb_msghdr *);
758 static int key_expire(struct secasvar *, int);
759 static int key_flush(struct socket *, struct mbuf *,
760 const struct sadb_msghdr *);
761 static int key_dump(struct socket *, struct mbuf *,
762 const struct sadb_msghdr *);
763 static int key_promisc(struct socket *, struct mbuf *,
764 const struct sadb_msghdr *);
765 static int key_senderror(struct socket *, struct mbuf *, int);
766 static int key_validate_ext(const struct sadb_ext *, int);
767 static int key_align(struct mbuf *, struct sadb_msghdr *);
768 static struct mbuf *key_setlifetime(struct seclifetime *, uint16_t);
769 static struct mbuf *key_setkey(struct seckey *, uint16_t);
770
771 static void spdcache_init(void);
772 static void spdcache_clear(void);
773 static struct spdcache_entry *spdcache_entry_alloc(
774 const struct secpolicyindex *spidx,
775 struct secpolicy *policy);
776 static void spdcache_entry_free(struct spdcache_entry *entry);
777 #ifdef VIMAGE
778 static void spdcache_destroy(void);
779 #endif
780
781 #define DBG_IPSEC_INITREF(t, p) do { \
782 refcount_init(&(p)->refcnt, 1); \
783 KEYDBG(KEY_STAMP, \
784 printf("%s: Initialize refcnt %s(%p) = %u\n", \
785 __func__, #t, (p), (p)->refcnt)); \
786 } while (0)
787 #define DBG_IPSEC_ADDREF(t, p) do { \
788 refcount_acquire(&(p)->refcnt); \
789 KEYDBG(KEY_STAMP, \
790 printf("%s: Acquire refcnt %s(%p) -> %u\n", \
791 __func__, #t, (p), (p)->refcnt)); \
792 } while (0)
793 #define DBG_IPSEC_DELREF(t, p) do { \
794 KEYDBG(KEY_STAMP, \
795 printf("%s: Release refcnt %s(%p) -> %u\n", \
796 __func__, #t, (p), (p)->refcnt - 1)); \
797 refcount_release(&(p)->refcnt); \
798 } while (0)
799
800 #define IPSEC_INITREF(t, p) refcount_init(&(p)->refcnt, 1)
801 #define IPSEC_ADDREF(t, p) refcount_acquire(&(p)->refcnt)
802 #define IPSEC_DELREF(t, p) refcount_release(&(p)->refcnt)
803
804 #define SP_INITREF(p) IPSEC_INITREF(SP, p)
805 #define SP_ADDREF(p) IPSEC_ADDREF(SP, p)
806 #define SP_DELREF(p) IPSEC_DELREF(SP, p)
807
808 #define SAH_INITREF(p) IPSEC_INITREF(SAH, p)
809 #define SAH_ADDREF(p) IPSEC_ADDREF(SAH, p)
810 #define SAH_DELREF(p) IPSEC_DELREF(SAH, p)
811
812 #define SAV_INITREF(p) IPSEC_INITREF(SAV, p)
813 #define SAV_ADDREF(p) IPSEC_ADDREF(SAV, p)
814 #define SAV_DELREF(p) IPSEC_DELREF(SAV, p)
815
816 /*
817 * Update the refcnt while holding the SPTREE lock.
818 */
819 void
key_addref(struct secpolicy * sp)820 key_addref(struct secpolicy *sp)
821 {
822
823 SP_ADDREF(sp);
824 }
825
826 /*
827 * Return 0 when there are known to be no SP's for the specified
828 * direction. Otherwise return 1. This is used by IPsec code
829 * to optimize performance.
830 */
831 int
key_havesp(u_int dir)832 key_havesp(u_int dir)
833 {
834
835 IPSEC_ASSERT(dir == IPSEC_DIR_INBOUND || dir == IPSEC_DIR_OUTBOUND,
836 ("invalid direction %u", dir));
837 return (TAILQ_FIRST(&V_sptree[dir]) != NULL);
838 }
839
840 int
key_havesp_any(void)841 key_havesp_any(void)
842 {
843
844 return (V_spd_size != 0);
845 }
846
847 /*
848 * Allocate a single mbuf with a buffer of the desired length. The buffer is
849 * pre-zeroed to help ensure that uninitialized pad bytes are not leaked.
850 */
851 static struct mbuf *
key_mget(u_int len)852 key_mget(u_int len)
853 {
854 struct mbuf *m;
855
856 KASSERT(len <= MCLBYTES,
857 ("%s: invalid buffer length %u", __func__, len));
858
859 m = m_get2(len, M_NOWAIT, MT_DATA, M_PKTHDR);
860 if (m == NULL)
861 return (NULL);
862 memset(mtod(m, void *), 0, len);
863 return (m);
864 }
865
866 /* %%% IPsec policy management */
867 /*
868 * Return current SPDB generation.
869 */
870 uint32_t
key_getspgen(void)871 key_getspgen(void)
872 {
873
874 return (V_sp_genid);
875 }
876
877 void
key_bumpspgen(void)878 key_bumpspgen(void)
879 {
880
881 V_sp_genid++;
882 }
883
884 static int
key_checksockaddrs(struct sockaddr * src,struct sockaddr * dst)885 key_checksockaddrs(struct sockaddr *src, struct sockaddr *dst)
886 {
887
888 /* family match */
889 if (src->sa_family != dst->sa_family)
890 return (EINVAL);
891 /* sa_len match */
892 if (src->sa_len != dst->sa_len)
893 return (EINVAL);
894 switch (src->sa_family) {
895 #ifdef INET
896 case AF_INET:
897 if (src->sa_len != sizeof(struct sockaddr_in))
898 return (EINVAL);
899 break;
900 #endif
901 #ifdef INET6
902 case AF_INET6:
903 if (src->sa_len != sizeof(struct sockaddr_in6))
904 return (EINVAL);
905 break;
906 #endif
907 default:
908 return (EAFNOSUPPORT);
909 }
910 return (0);
911 }
912
913 struct secpolicy *
key_do_allocsp(struct secpolicyindex * spidx,u_int dir)914 key_do_allocsp(struct secpolicyindex *spidx, u_int dir)
915 {
916 SPTREE_RLOCK_TRACKER;
917 struct secpolicy *sp;
918
919 IPSEC_ASSERT(spidx != NULL, ("null spidx"));
920 IPSEC_ASSERT(dir == IPSEC_DIR_INBOUND || dir == IPSEC_DIR_OUTBOUND,
921 ("invalid direction %u", dir));
922
923 SPTREE_RLOCK();
924 TAILQ_FOREACH(sp, &V_sptree[dir], chain) {
925 if (key_cmpspidx_withmask(&sp->spidx, spidx)) {
926 SP_ADDREF(sp);
927 break;
928 }
929 }
930 SPTREE_RUNLOCK();
931 return (sp);
932 }
933
934 /*
935 * allocating a SP for OUTBOUND or INBOUND packet.
936 * Must call key_freesp() later.
937 * OUT: NULL: not found
938 * others: found and return the pointer.
939 */
940 struct secpolicy *
key_allocsp(struct secpolicyindex * spidx,u_int dir)941 key_allocsp(struct secpolicyindex *spidx, u_int dir)
942 {
943 struct spdcache_entry *entry, *lastentry, *tmpentry;
944 struct secpolicy *sp;
945 uint32_t hashv;
946 time_t ts;
947 int nb_entries;
948
949 if (!SPDCACHE_ACTIVE()) {
950 sp = key_do_allocsp(spidx, dir);
951 goto out;
952 }
953
954 hashv = SPDCACHE_HASHVAL(spidx);
955 SPDCACHE_LOCK(hashv);
956 nb_entries = 0;
957 LIST_FOREACH_SAFE(entry, &V_spdcachehashtbl[hashv], chain, tmpentry) {
958 /* Removed outdated entries */
959 if (entry->sp != NULL &&
960 entry->sp->state == IPSEC_SPSTATE_DEAD) {
961 LIST_REMOVE(entry, chain);
962 spdcache_entry_free(entry);
963 continue;
964 }
965
966 nb_entries++;
967 if (!key_cmpspidx_exactly(&entry->spidx, spidx)) {
968 lastentry = entry;
969 continue;
970 }
971
972 sp = entry->sp;
973 if (entry->sp != NULL)
974 SP_ADDREF(sp);
975
976 /* IPSECSTAT_INC(ips_spdcache_hits); */
977
978 SPDCACHE_UNLOCK(hashv);
979 goto out;
980 }
981
982 /* IPSECSTAT_INC(ips_spdcache_misses); */
983
984 sp = key_do_allocsp(spidx, dir);
985 entry = spdcache_entry_alloc(spidx, sp);
986 if (entry != NULL) {
987 if (nb_entries >= SPDCACHE_MAX_ENTRIES_PER_HASH) {
988 LIST_REMOVE(lastentry, chain);
989 spdcache_entry_free(lastentry);
990 }
991
992 LIST_INSERT_HEAD(&V_spdcachehashtbl[hashv], entry, chain);
993 }
994
995 SPDCACHE_UNLOCK(hashv);
996
997 out:
998 if (sp != NULL) { /* found a SPD entry */
999 ts = time_second;
1000 if (__predict_false(sp->lastused != ts))
1001 sp->lastused = ts;
1002 KEYDBG(IPSEC_STAMP,
1003 printf("%s: return SP(%p)\n", __func__, sp));
1004 KEYDBG(IPSEC_DATA, kdebug_secpolicy(sp));
1005 } else {
1006 KEYDBG(IPSEC_DATA,
1007 printf("%s: lookup failed for ", __func__);
1008 kdebug_secpolicyindex(spidx, NULL));
1009 }
1010 return (sp);
1011 }
1012
1013 /*
1014 * Allocating an SA entry for an *INBOUND* or *OUTBOUND* TCP packet, signed
1015 * or should be signed by MD5 signature.
1016 * We don't use key_allocsa() for such lookups, because we don't know SPI.
1017 * Unlike ESP and AH protocols, SPI isn't transmitted in the TCP header with
1018 * signed packet. We use SADB only as storage for password.
1019 * OUT: positive: corresponding SA for given saidx found.
1020 * NULL: SA not found
1021 */
1022 struct secasvar *
key_allocsa_tcpmd5(struct secasindex * saidx)1023 key_allocsa_tcpmd5(struct secasindex *saidx)
1024 {
1025 SAHTREE_RLOCK_TRACKER;
1026 struct secashead *sah;
1027 struct secasvar *sav;
1028
1029 IPSEC_ASSERT(saidx->proto == IPPROTO_TCP,
1030 ("unexpected security protocol %u", saidx->proto));
1031 IPSEC_ASSERT(saidx->mode == IPSEC_MODE_TCPMD5,
1032 ("unexpected mode %u", saidx->mode));
1033
1034 SAHTREE_RLOCK();
1035 LIST_FOREACH(sah, SAHADDRHASH_HASH(saidx), addrhash) {
1036 KEYDBG(IPSEC_DUMP,
1037 printf("%s: checking SAH\n", __func__);
1038 kdebug_secash(sah, " "));
1039 if (sah->saidx.proto != IPPROTO_TCP)
1040 continue;
1041 if (!key_sockaddrcmp(&saidx->dst.sa, &sah->saidx.dst.sa, 0) &&
1042 !key_sockaddrcmp(&saidx->src.sa, &sah->saidx.src.sa, 0))
1043 break;
1044 }
1045 if (sah != NULL) {
1046 if (V_key_preferred_oldsa)
1047 sav = TAILQ_LAST(&sah->savtree_alive, secasvar_queue);
1048 else
1049 sav = TAILQ_FIRST(&sah->savtree_alive);
1050 if (sav != NULL)
1051 SAV_ADDREF(sav);
1052 } else
1053 sav = NULL;
1054 SAHTREE_RUNLOCK();
1055
1056 if (sav != NULL) {
1057 KEYDBG(IPSEC_STAMP,
1058 printf("%s: return SA(%p)\n", __func__, sav));
1059 KEYDBG(IPSEC_DATA, kdebug_secasv(sav));
1060 } else {
1061 KEYDBG(IPSEC_STAMP,
1062 printf("%s: SA not found\n", __func__));
1063 KEYDBG(IPSEC_DATA, kdebug_secasindex(saidx, NULL));
1064 }
1065 return (sav);
1066 }
1067
1068 /*
1069 * Allocating an SA entry for an *OUTBOUND* packet.
1070 * OUT: positive: corresponding SA for given saidx found.
1071 * NULL: SA not found, but will be acquired, check *error
1072 * for acquiring status.
1073 */
1074 struct secasvar *
key_allocsa_policy(struct secpolicy * sp,const struct secasindex * saidx,int * error)1075 key_allocsa_policy(struct secpolicy *sp, const struct secasindex *saidx,
1076 int *error)
1077 {
1078 SAHTREE_RLOCK_TRACKER;
1079 struct secashead *sah;
1080 struct secasvar *sav;
1081
1082 IPSEC_ASSERT(saidx != NULL, ("null saidx"));
1083 IPSEC_ASSERT(saidx->mode == IPSEC_MODE_TRANSPORT ||
1084 saidx->mode == IPSEC_MODE_TUNNEL,
1085 ("unexpected policy %u", saidx->mode));
1086
1087 /*
1088 * We check new SA in the IPsec request because a different
1089 * SA may be involved each time this request is checked, either
1090 * because new SAs are being configured, or this request is
1091 * associated with an unconnected datagram socket, or this request
1092 * is associated with a system default policy.
1093 */
1094 SAHTREE_RLOCK();
1095 LIST_FOREACH(sah, SAHADDRHASH_HASH(saidx), addrhash) {
1096 KEYDBG(IPSEC_DUMP,
1097 printf("%s: checking SAH\n", __func__);
1098 kdebug_secash(sah, " "));
1099 if (key_cmpsaidx(&sah->saidx, saidx, CMP_MODE_REQID))
1100 break;
1101 }
1102 if (sah != NULL) {
1103 /*
1104 * Allocate the oldest SA available according to
1105 * draft-jenkins-ipsec-rekeying-03.
1106 */
1107 if (V_key_preferred_oldsa)
1108 sav = TAILQ_LAST(&sah->savtree_alive, secasvar_queue);
1109 else
1110 sav = TAILQ_FIRST(&sah->savtree_alive);
1111 if (sav != NULL)
1112 SAV_ADDREF(sav);
1113 } else
1114 sav = NULL;
1115 SAHTREE_RUNLOCK();
1116
1117 if (sav != NULL) {
1118 *error = 0;
1119 KEYDBG(IPSEC_STAMP,
1120 printf("%s: chosen SA(%p) for SP(%p)\n", __func__,
1121 sav, sp));
1122 KEYDBG(IPSEC_DATA, kdebug_secasv(sav));
1123 return (sav); /* return referenced SA */
1124 }
1125
1126 /* there is no SA */
1127 *error = key_acquire(saidx, sp);
1128 if ((*error) != 0)
1129 ipseclog((LOG_DEBUG,
1130 "%s: error %d returned from key_acquire()\n",
1131 __func__, *error));
1132 KEYDBG(IPSEC_STAMP,
1133 printf("%s: acquire SA for SP(%p), error %d\n",
1134 __func__, sp, *error));
1135 KEYDBG(IPSEC_DATA, kdebug_secasindex(saidx, NULL));
1136 return (NULL);
1137 }
1138
1139 /*
1140 * allocating a usable SA entry for a *INBOUND* packet.
1141 * Must call key_freesav() later.
1142 * OUT: positive: pointer to a usable sav (i.e. MATURE or DYING state).
1143 * NULL: not found, or error occurred.
1144 *
1145 * According to RFC 2401 SA is uniquely identified by a triple SPI,
1146 * destination address, and security protocol. But according to RFC 4301,
1147 * SPI by itself suffices to specify an SA.
1148 *
1149 * Note that, however, we do need to keep source address in IPsec SA.
1150 * IKE specification and PF_KEY specification do assume that we
1151 * keep source address in IPsec SA. We see a tricky situation here.
1152 */
1153 struct secasvar *
key_allocsa(union sockaddr_union * dst,uint8_t proto,uint32_t spi)1154 key_allocsa(union sockaddr_union *dst, uint8_t proto, uint32_t spi)
1155 {
1156 SAHTREE_RLOCK_TRACKER;
1157 struct secasvar *sav;
1158
1159 IPSEC_ASSERT(proto == IPPROTO_ESP || proto == IPPROTO_AH ||
1160 proto == IPPROTO_IPCOMP, ("unexpected security protocol %u",
1161 proto));
1162
1163 SAHTREE_RLOCK();
1164 LIST_FOREACH(sav, SAVHASH_HASH(spi), spihash) {
1165 if (sav->spi == spi)
1166 break;
1167 }
1168 /*
1169 * We use single SPI namespace for all protocols, so it is
1170 * impossible to have SPI duplicates in the SAVHASH.
1171 */
1172 if (sav != NULL) {
1173 if (sav->state != SADB_SASTATE_LARVAL &&
1174 sav->sah->saidx.proto == proto &&
1175 key_sockaddrcmp(&dst->sa,
1176 &sav->sah->saidx.dst.sa, 0) == 0)
1177 SAV_ADDREF(sav);
1178 else
1179 sav = NULL;
1180 }
1181 SAHTREE_RUNLOCK();
1182
1183 if (sav == NULL) {
1184 KEYDBG(IPSEC_STAMP,
1185 char buf[IPSEC_ADDRSTRLEN];
1186 printf("%s: SA not found for spi %u proto %u dst %s\n",
1187 __func__, ntohl(spi), proto, ipsec_address(dst, buf,
1188 sizeof(buf))));
1189 } else {
1190 KEYDBG(IPSEC_STAMP,
1191 printf("%s: return SA(%p)\n", __func__, sav));
1192 KEYDBG(IPSEC_DATA, kdebug_secasv(sav));
1193 }
1194 return (sav);
1195 }
1196
1197 struct secasvar *
key_allocsa_tunnel(union sockaddr_union * src,union sockaddr_union * dst,uint8_t proto)1198 key_allocsa_tunnel(union sockaddr_union *src, union sockaddr_union *dst,
1199 uint8_t proto)
1200 {
1201 SAHTREE_RLOCK_TRACKER;
1202 struct secasindex saidx;
1203 struct secashead *sah;
1204 struct secasvar *sav;
1205
1206 IPSEC_ASSERT(src != NULL, ("null src address"));
1207 IPSEC_ASSERT(dst != NULL, ("null dst address"));
1208
1209 KEY_SETSECASIDX(proto, IPSEC_MODE_TUNNEL, 0, &src->sa,
1210 &dst->sa, &saidx);
1211
1212 sav = NULL;
1213 SAHTREE_RLOCK();
1214 LIST_FOREACH(sah, SAHADDRHASH_HASH(&saidx), addrhash) {
1215 if (IPSEC_MODE_TUNNEL != sah->saidx.mode)
1216 continue;
1217 if (proto != sah->saidx.proto)
1218 continue;
1219 if (key_sockaddrcmp(&src->sa, &sah->saidx.src.sa, 0) != 0)
1220 continue;
1221 if (key_sockaddrcmp(&dst->sa, &sah->saidx.dst.sa, 0) != 0)
1222 continue;
1223 /* XXXAE: is key_preferred_oldsa reasonably?*/
1224 if (V_key_preferred_oldsa)
1225 sav = TAILQ_LAST(&sah->savtree_alive, secasvar_queue);
1226 else
1227 sav = TAILQ_FIRST(&sah->savtree_alive);
1228 if (sav != NULL) {
1229 SAV_ADDREF(sav);
1230 break;
1231 }
1232 }
1233 SAHTREE_RUNLOCK();
1234 KEYDBG(IPSEC_STAMP,
1235 printf("%s: return SA(%p)\n", __func__, sav));
1236 if (sav != NULL)
1237 KEYDBG(IPSEC_DATA, kdebug_secasv(sav));
1238 return (sav);
1239 }
1240
1241 /*
1242 * Must be called after calling key_allocsp().
1243 */
1244 void
key_freesp(struct secpolicy ** spp)1245 key_freesp(struct secpolicy **spp)
1246 {
1247 struct secpolicy *sp = *spp;
1248
1249 IPSEC_ASSERT(sp != NULL, ("null sp"));
1250 if (SP_DELREF(sp) == 0)
1251 return;
1252
1253 KEYDBG(IPSEC_STAMP,
1254 printf("%s: last reference to SP(%p)\n", __func__, sp));
1255 KEYDBG(IPSEC_DATA, kdebug_secpolicy(sp));
1256
1257 *spp = NULL;
1258 #ifdef IPSEC_OFFLOAD
1259 KASSERT(CK_LIST_EMPTY(&sp->accel_ifps),
1260 ("key_freesp: sp %p still offloaded", sp));
1261 free(__DECONST(char *, sp->accel_ifname), M_IPSEC_MISC);
1262 #endif
1263 while (sp->tcount > 0)
1264 ipsec_delisr(sp->req[--sp->tcount]);
1265 free(sp, M_IPSEC_SP);
1266 }
1267
1268 static void
key_unlink(struct secpolicy * sp)1269 key_unlink(struct secpolicy *sp)
1270 {
1271 SPTREE_WLOCK();
1272 key_detach(sp);
1273 SPTREE_WUNLOCK();
1274 if (SPDCACHE_ENABLED())
1275 spdcache_clear();
1276 ipsec_accel_sync();
1277 key_freesp(&sp);
1278 }
1279
1280 static void
key_detach(struct secpolicy * sp)1281 key_detach(struct secpolicy *sp)
1282 {
1283 IPSEC_ASSERT(sp->spidx.dir == IPSEC_DIR_INBOUND ||
1284 sp->spidx.dir == IPSEC_DIR_OUTBOUND,
1285 ("invalid direction %u", sp->spidx.dir));
1286 SPTREE_WLOCK_ASSERT();
1287
1288 KEYDBG(KEY_STAMP,
1289 printf("%s: SP(%p)\n", __func__, sp));
1290 if (sp->state != IPSEC_SPSTATE_ALIVE) {
1291 /* SP is already unlinked */
1292 return;
1293 }
1294 sp->state = IPSEC_SPSTATE_DEAD;
1295 ipsec_accel_spddel(sp);
1296 TAILQ_REMOVE(&V_sptree[sp->spidx.dir], sp, chain);
1297 V_spd_size--;
1298 LIST_REMOVE(sp, idhash);
1299 V_sp_genid++;
1300 }
1301
1302 /*
1303 * insert a secpolicy into the SP database. Lower priorities first
1304 */
1305 static void
key_insertsp(struct secpolicy * newsp)1306 key_insertsp(struct secpolicy *newsp)
1307 {
1308 struct secpolicy *sp;
1309
1310 SPTREE_WLOCK_ASSERT();
1311 TAILQ_FOREACH(sp, &V_sptree[newsp->spidx.dir], chain) {
1312 if (newsp->priority < sp->priority) {
1313 TAILQ_INSERT_BEFORE(sp, newsp, chain);
1314 goto done;
1315 }
1316 }
1317 TAILQ_INSERT_TAIL(&V_sptree[newsp->spidx.dir], newsp, chain);
1318 done:
1319 LIST_INSERT_HEAD(SPHASH_HASH(newsp->id), newsp, idhash);
1320 newsp->state = IPSEC_SPSTATE_ALIVE;
1321 V_spd_size++;
1322 V_sp_genid++;
1323 ipsec_accel_spdadd(newsp, NULL);
1324 }
1325
1326 /*
1327 * Insert a bunch of VTI secpolicies into the SPDB.
1328 * We keep VTI policies in the separate list due to following reasons:
1329 * 1) they should be immutable to user's or some deamon's attempts to
1330 * delete. The only way delete such policies - destroy or unconfigure
1331 * corresponding virtual inteface.
1332 * 2) such policies have traffic selector that matches all traffic per
1333 * address family.
1334 * Since all VTI policies have the same priority, we don't care about
1335 * policies order.
1336 */
1337 int
key_register_ifnet(struct secpolicy ** spp,u_int count)1338 key_register_ifnet(struct secpolicy **spp, u_int count)
1339 {
1340 struct mbuf *m;
1341 u_int i;
1342
1343 SPTREE_WLOCK();
1344 /*
1345 * First of try to acquire id for each SP.
1346 */
1347 for (i = 0; i < count; i++) {
1348 IPSEC_ASSERT(spp[i]->spidx.dir == IPSEC_DIR_INBOUND ||
1349 spp[i]->spidx.dir == IPSEC_DIR_OUTBOUND,
1350 ("invalid direction %u", spp[i]->spidx.dir));
1351
1352 if ((spp[i]->id = key_getnewspid()) == 0) {
1353 SPTREE_WUNLOCK();
1354 return (EAGAIN);
1355 }
1356 }
1357 for (i = 0; i < count; i++) {
1358 TAILQ_INSERT_TAIL(&V_sptree_ifnet[spp[i]->spidx.dir],
1359 spp[i], chain);
1360 /*
1361 * NOTE: despite the fact that we keep VTI SP in the
1362 * separate list, SPHASH contains policies from both
1363 * sources. Thus SADB_X_SPDGET will correctly return
1364 * SP by id, because it uses SPHASH for lookups.
1365 */
1366 LIST_INSERT_HEAD(SPHASH_HASH(spp[i]->id), spp[i], idhash);
1367 spp[i]->state = IPSEC_SPSTATE_IFNET;
1368 ipsec_accel_spdadd(spp[i], NULL);
1369 }
1370 SPTREE_WUNLOCK();
1371 /*
1372 * Notify user processes about new SP.
1373 */
1374 for (i = 0; i < count; i++) {
1375 m = key_setdumpsp(spp[i], SADB_X_SPDADD, 0, 0);
1376 if (m != NULL)
1377 key_sendup_mbuf(NULL, m, KEY_SENDUP_ALL);
1378 }
1379 return (0);
1380 }
1381
1382 void
key_unregister_ifnet(struct secpolicy ** spp,u_int count)1383 key_unregister_ifnet(struct secpolicy **spp, u_int count)
1384 {
1385 struct mbuf *m;
1386 u_int i;
1387
1388 SPTREE_WLOCK();
1389 for (i = 0; i < count; i++) {
1390 IPSEC_ASSERT(spp[i]->spidx.dir == IPSEC_DIR_INBOUND ||
1391 spp[i]->spidx.dir == IPSEC_DIR_OUTBOUND,
1392 ("invalid direction %u", spp[i]->spidx.dir));
1393
1394 if (spp[i]->state != IPSEC_SPSTATE_IFNET)
1395 continue;
1396 spp[i]->state = IPSEC_SPSTATE_DEAD;
1397 ipsec_accel_spddel(spp[i]);
1398 TAILQ_REMOVE(&V_sptree_ifnet[spp[i]->spidx.dir],
1399 spp[i], chain);
1400 V_spd_size--;
1401 LIST_REMOVE(spp[i], idhash);
1402 }
1403 SPTREE_WUNLOCK();
1404 if (SPDCACHE_ENABLED())
1405 spdcache_clear();
1406 ipsec_accel_sync();
1407
1408 for (i = 0; i < count; i++) {
1409 m = key_setdumpsp(spp[i], SADB_X_SPDDELETE, 0, 0);
1410 if (m != NULL)
1411 key_sendup_mbuf(NULL, m, KEY_SENDUP_ALL);
1412 }
1413 }
1414
1415 /*
1416 * Must be called after calling key_allocsa().
1417 * This function is called by key_freesp() to free some SA allocated
1418 * for a policy.
1419 */
1420 void
key_freesav(struct secasvar ** psav)1421 key_freesav(struct secasvar **psav)
1422 {
1423 struct secasvar *sav = *psav;
1424
1425 IPSEC_ASSERT(sav != NULL, ("null sav"));
1426 CURVNET_ASSERT_SET();
1427 if (SAV_DELREF(sav) == 0)
1428 return;
1429
1430 KEYDBG(IPSEC_STAMP,
1431 printf("%s: last reference to SA(%p)\n", __func__, sav));
1432
1433 *psav = NULL;
1434 key_delsav(sav);
1435 }
1436
1437 /*
1438 * Unlink SA from SAH and SPI hash under SAHTREE_WLOCK.
1439 * Expect that SA has extra reference due to lookup.
1440 * Release this references, also release SAH reference after unlink.
1441 */
1442 static void
key_unlinksav(struct secasvar * sav)1443 key_unlinksav(struct secasvar *sav)
1444 {
1445 struct secashead *sah;
1446
1447 KEYDBG(KEY_STAMP,
1448 printf("%s: SA(%p)\n", __func__, sav));
1449
1450 CURVNET_ASSERT_SET();
1451 SAHTREE_UNLOCK_ASSERT();
1452 SAHTREE_WLOCK();
1453 if (sav->state == SADB_SASTATE_DEAD) {
1454 /* SA is already unlinked */
1455 SAHTREE_WUNLOCK();
1456 return;
1457 }
1458 /* Unlink from SAH */
1459 if (sav->state == SADB_SASTATE_LARVAL)
1460 TAILQ_REMOVE(&sav->sah->savtree_larval, sav, chain);
1461 else
1462 TAILQ_REMOVE(&sav->sah->savtree_alive, sav, chain);
1463 /* Unlink from SPI hash */
1464 LIST_REMOVE(sav, spihash);
1465 sav->state = SADB_SASTATE_DEAD;
1466 ipsec_accel_forget_sav(sav);
1467 sah = sav->sah;
1468 SAHTREE_WUNLOCK();
1469 key_freesav(&sav);
1470 /* Since we are unlinked, release reference to SAH */
1471 key_freesah(&sah);
1472 }
1473
1474 /* %%% SPD management */
1475 /*
1476 * search SPD
1477 * OUT: NULL : not found
1478 * others : found, pointer to a SP.
1479 */
1480 static struct secpolicy *
key_getsp(struct secpolicyindex * spidx)1481 key_getsp(struct secpolicyindex *spidx)
1482 {
1483 SPTREE_RLOCK_TRACKER;
1484 struct secpolicy *sp;
1485
1486 IPSEC_ASSERT(spidx != NULL, ("null spidx"));
1487
1488 SPTREE_RLOCK();
1489 TAILQ_FOREACH(sp, &V_sptree[spidx->dir], chain) {
1490 if (key_cmpspidx_exactly(spidx, &sp->spidx)) {
1491 SP_ADDREF(sp);
1492 break;
1493 }
1494 }
1495 SPTREE_RUNLOCK();
1496
1497 return sp;
1498 }
1499
1500 /*
1501 * get SP by index.
1502 * OUT: NULL : not found
1503 * others : found, pointer to referenced SP.
1504 */
1505 static struct secpolicy *
key_getspbyid(uint32_t id)1506 key_getspbyid(uint32_t id)
1507 {
1508 SPTREE_RLOCK_TRACKER;
1509 struct secpolicy *sp;
1510
1511 SPTREE_RLOCK();
1512 LIST_FOREACH(sp, SPHASH_HASH(id), idhash) {
1513 if (sp->id == id) {
1514 SP_ADDREF(sp);
1515 break;
1516 }
1517 }
1518 SPTREE_RUNLOCK();
1519 return (sp);
1520 }
1521
1522 struct secpolicy *
key_newsp(void)1523 key_newsp(void)
1524 {
1525 struct secpolicy *sp;
1526
1527 sp = malloc(sizeof(*sp), M_IPSEC_SP, M_NOWAIT | M_ZERO);
1528 if (sp != NULL)
1529 SP_INITREF(sp);
1530 return (sp);
1531 }
1532
1533 struct ipsecrequest *
ipsec_newisr(void)1534 ipsec_newisr(void)
1535 {
1536
1537 return (malloc(sizeof(struct ipsecrequest), M_IPSEC_SR,
1538 M_NOWAIT | M_ZERO));
1539 }
1540
1541 void
ipsec_delisr(struct ipsecrequest * p)1542 ipsec_delisr(struct ipsecrequest *p)
1543 {
1544
1545 free(p, M_IPSEC_SR);
1546 }
1547
1548 /*
1549 * create secpolicy structure from sadb_x_policy structure.
1550 * NOTE: `state', `secpolicyindex' and 'id' in secpolicy structure
1551 * are not set, so must be set properly later.
1552 */
1553 struct secpolicy *
key_msg2sp(struct sadb_x_policy * xpl0,size_t len,int * error)1554 key_msg2sp(struct sadb_x_policy *xpl0, size_t len, int *error)
1555 {
1556 struct secpolicy *newsp;
1557
1558 IPSEC_ASSERT(xpl0 != NULL, ("null xpl0"));
1559 IPSEC_ASSERT(len >= sizeof(*xpl0), ("policy too short: %zu", len));
1560
1561 if (len != PFKEY_EXTLEN(xpl0)) {
1562 ipseclog((LOG_DEBUG, "%s: Invalid msg length.\n", __func__));
1563 *error = EINVAL;
1564 return NULL;
1565 }
1566
1567 if ((newsp = key_newsp()) == NULL) {
1568 *error = ENOBUFS;
1569 return NULL;
1570 }
1571
1572 newsp->spidx.dir = xpl0->sadb_x_policy_dir;
1573 newsp->policy = xpl0->sadb_x_policy_type;
1574 newsp->priority = xpl0->sadb_x_policy_priority;
1575 newsp->tcount = 0;
1576
1577 /* check policy */
1578 switch (xpl0->sadb_x_policy_type) {
1579 case IPSEC_POLICY_DISCARD:
1580 case IPSEC_POLICY_NONE:
1581 case IPSEC_POLICY_ENTRUST:
1582 case IPSEC_POLICY_BYPASS:
1583 break;
1584
1585 case IPSEC_POLICY_IPSEC:
1586 {
1587 struct sadb_x_ipsecrequest *xisr;
1588 struct ipsecrequest *isr;
1589 int tlen;
1590
1591 /* validity check */
1592 if (PFKEY_EXTLEN(xpl0) < sizeof(*xpl0)) {
1593 ipseclog((LOG_DEBUG, "%s: Invalid msg length.\n",
1594 __func__));
1595 key_freesp(&newsp);
1596 *error = EINVAL;
1597 return NULL;
1598 }
1599
1600 tlen = PFKEY_EXTLEN(xpl0) - sizeof(*xpl0);
1601 xisr = (struct sadb_x_ipsecrequest *)(xpl0 + 1);
1602
1603 while (tlen > 0) {
1604 /* length check */
1605 if (xisr->sadb_x_ipsecrequest_len < sizeof(*xisr) ||
1606 xisr->sadb_x_ipsecrequest_len > tlen) {
1607 ipseclog((LOG_DEBUG, "%s: invalid ipsecrequest "
1608 "length.\n", __func__));
1609 key_freesp(&newsp);
1610 *error = EINVAL;
1611 return NULL;
1612 }
1613
1614 if (newsp->tcount >= IPSEC_MAXREQ) {
1615 ipseclog((LOG_DEBUG,
1616 "%s: too many ipsecrequests.\n",
1617 __func__));
1618 key_freesp(&newsp);
1619 *error = EINVAL;
1620 return (NULL);
1621 }
1622
1623 /* allocate request buffer */
1624 /* NB: data structure is zero'd */
1625 isr = ipsec_newisr();
1626 if (isr == NULL) {
1627 ipseclog((LOG_DEBUG,
1628 "%s: No more memory.\n", __func__));
1629 key_freesp(&newsp);
1630 *error = ENOBUFS;
1631 return NULL;
1632 }
1633
1634 newsp->req[newsp->tcount++] = isr;
1635
1636 /* set values */
1637 switch (xisr->sadb_x_ipsecrequest_proto) {
1638 case IPPROTO_ESP:
1639 case IPPROTO_AH:
1640 case IPPROTO_IPCOMP:
1641 break;
1642 default:
1643 ipseclog((LOG_DEBUG,
1644 "%s: invalid proto type=%u\n", __func__,
1645 xisr->sadb_x_ipsecrequest_proto));
1646 key_freesp(&newsp);
1647 *error = EPROTONOSUPPORT;
1648 return NULL;
1649 }
1650 isr->saidx.proto =
1651 (uint8_t)xisr->sadb_x_ipsecrequest_proto;
1652
1653 switch (xisr->sadb_x_ipsecrequest_mode) {
1654 case IPSEC_MODE_TRANSPORT:
1655 case IPSEC_MODE_TUNNEL:
1656 break;
1657 case IPSEC_MODE_ANY:
1658 default:
1659 ipseclog((LOG_DEBUG,
1660 "%s: invalid mode=%u\n", __func__,
1661 xisr->sadb_x_ipsecrequest_mode));
1662 key_freesp(&newsp);
1663 *error = EINVAL;
1664 return NULL;
1665 }
1666 isr->saidx.mode = xisr->sadb_x_ipsecrequest_mode;
1667
1668 switch (xisr->sadb_x_ipsecrequest_level) {
1669 case IPSEC_LEVEL_DEFAULT:
1670 case IPSEC_LEVEL_USE:
1671 case IPSEC_LEVEL_REQUIRE:
1672 break;
1673 case IPSEC_LEVEL_UNIQUE:
1674 /* validity check */
1675 /*
1676 * If range violation of reqid, kernel will
1677 * update it, don't refuse it.
1678 */
1679 if (xisr->sadb_x_ipsecrequest_reqid
1680 > IPSEC_MANUAL_REQID_MAX) {
1681 ipseclog((LOG_DEBUG,
1682 "%s: reqid=%d range "
1683 "violation, updated by kernel.\n",
1684 __func__,
1685 xisr->sadb_x_ipsecrequest_reqid));
1686 xisr->sadb_x_ipsecrequest_reqid = 0;
1687 }
1688
1689 /* allocate new reqid id if reqid is zero. */
1690 if (xisr->sadb_x_ipsecrequest_reqid == 0) {
1691 u_int32_t reqid;
1692 if ((reqid = key_newreqid()) == 0) {
1693 key_freesp(&newsp);
1694 *error = ENOBUFS;
1695 return NULL;
1696 }
1697 isr->saidx.reqid = reqid;
1698 xisr->sadb_x_ipsecrequest_reqid = reqid;
1699 } else {
1700 /* set it for manual keying. */
1701 isr->saidx.reqid =
1702 xisr->sadb_x_ipsecrequest_reqid;
1703 }
1704 break;
1705
1706 default:
1707 ipseclog((LOG_DEBUG, "%s: invalid level=%u\n",
1708 __func__,
1709 xisr->sadb_x_ipsecrequest_level));
1710 key_freesp(&newsp);
1711 *error = EINVAL;
1712 return NULL;
1713 }
1714 isr->level = xisr->sadb_x_ipsecrequest_level;
1715
1716 /* set IP addresses if there */
1717 if (xisr->sadb_x_ipsecrequest_len > sizeof(*xisr)) {
1718 struct sockaddr *paddr;
1719
1720 len = tlen - sizeof(*xisr);
1721 paddr = (struct sockaddr *)(xisr + 1);
1722 /* validity check */
1723 if (len < sizeof(struct sockaddr) ||
1724 len < 2 * paddr->sa_len ||
1725 paddr->sa_len > sizeof(isr->saidx.src)) {
1726 ipseclog((LOG_DEBUG, "%s: invalid "
1727 "request address length.\n",
1728 __func__));
1729 key_freesp(&newsp);
1730 *error = EINVAL;
1731 return NULL;
1732 }
1733 /*
1734 * Request length should be enough to keep
1735 * source and destination addresses.
1736 */
1737 if (xisr->sadb_x_ipsecrequest_len <
1738 sizeof(*xisr) + 2 * paddr->sa_len) {
1739 ipseclog((LOG_DEBUG, "%s: invalid "
1740 "ipsecrequest length.\n",
1741 __func__));
1742 key_freesp(&newsp);
1743 *error = EINVAL;
1744 return (NULL);
1745 }
1746 bcopy(paddr, &isr->saidx.src, paddr->sa_len);
1747 paddr = (struct sockaddr *)((caddr_t)paddr +
1748 paddr->sa_len);
1749
1750 /* validity check */
1751 if (paddr->sa_len !=
1752 isr->saidx.src.sa.sa_len) {
1753 ipseclog((LOG_DEBUG, "%s: invalid "
1754 "request address length.\n",
1755 __func__));
1756 key_freesp(&newsp);
1757 *error = EINVAL;
1758 return NULL;
1759 }
1760 /* AF family should match */
1761 if (paddr->sa_family !=
1762 isr->saidx.src.sa.sa_family) {
1763 ipseclog((LOG_DEBUG, "%s: address "
1764 "family doesn't match.\n",
1765 __func__));
1766 key_freesp(&newsp);
1767 *error = EINVAL;
1768 return (NULL);
1769 }
1770 bcopy(paddr, &isr->saidx.dst, paddr->sa_len);
1771 } else {
1772 /*
1773 * Addresses for TUNNEL mode requests are
1774 * mandatory.
1775 */
1776 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
1777 ipseclog((LOG_DEBUG, "%s: missing "
1778 "request addresses.\n", __func__));
1779 key_freesp(&newsp);
1780 *error = EINVAL;
1781 return (NULL);
1782 }
1783 }
1784 tlen -= xisr->sadb_x_ipsecrequest_len;
1785
1786 /* validity check */
1787 if (tlen < 0) {
1788 ipseclog((LOG_DEBUG, "%s: becoming tlen < 0.\n",
1789 __func__));
1790 key_freesp(&newsp);
1791 *error = EINVAL;
1792 return NULL;
1793 }
1794
1795 xisr = (struct sadb_x_ipsecrequest *)((caddr_t)xisr
1796 + xisr->sadb_x_ipsecrequest_len);
1797 }
1798 /* XXXAE: LARVAL SP */
1799 if (newsp->tcount < 1) {
1800 ipseclog((LOG_DEBUG, "%s: valid IPSEC transforms "
1801 "not found.\n", __func__));
1802 key_freesp(&newsp);
1803 *error = EINVAL;
1804 return (NULL);
1805 }
1806 }
1807 break;
1808 default:
1809 ipseclog((LOG_DEBUG, "%s: invalid policy type.\n", __func__));
1810 key_freesp(&newsp);
1811 *error = EINVAL;
1812 return NULL;
1813 }
1814
1815 *error = 0;
1816 return (newsp);
1817 }
1818
1819 uint32_t
key_newreqid(void)1820 key_newreqid(void)
1821 {
1822 static uint32_t auto_reqid = IPSEC_MANUAL_REQID_MAX + 1;
1823
1824 if (auto_reqid == ~0)
1825 auto_reqid = IPSEC_MANUAL_REQID_MAX + 1;
1826 else
1827 auto_reqid++;
1828
1829 /* XXX should be unique check */
1830 return (auto_reqid);
1831 }
1832
1833 /*
1834 * copy secpolicy struct to sadb_x_policy structure indicated.
1835 */
1836 static struct mbuf *
key_sp2mbuf(struct secpolicy * sp)1837 key_sp2mbuf(struct secpolicy *sp)
1838 {
1839 struct mbuf *m;
1840 size_t tlen;
1841
1842 tlen = key_getspreqmsglen(sp);
1843 m = m_get2(tlen, M_NOWAIT, MT_DATA, 0);
1844 if (m == NULL)
1845 return (NULL);
1846 m_align(m, tlen);
1847 m->m_len = tlen;
1848 if (key_sp2msg(sp, m->m_data, &tlen) != 0) {
1849 m_freem(m);
1850 return (NULL);
1851 }
1852 return (m);
1853 }
1854
1855 int
key_sp2msg(struct secpolicy * sp,void * request,size_t * len)1856 key_sp2msg(struct secpolicy *sp, void *request, size_t *len)
1857 {
1858 struct sadb_x_ipsecrequest *xisr;
1859 struct sadb_x_policy *xpl;
1860 struct ipsecrequest *isr;
1861 size_t xlen, ilen;
1862 caddr_t p;
1863 int error, i;
1864 #ifdef IPSEC_OFFLOAD
1865 struct sadb_x_if_hw_offl *xif;
1866 #endif
1867
1868 IPSEC_ASSERT(sp != NULL, ("null policy"));
1869
1870 xlen = sizeof(*xpl);
1871 if (*len < xlen)
1872 return (EINVAL);
1873
1874 error = 0;
1875 bzero(request, *len);
1876 xpl = (struct sadb_x_policy *)request;
1877 xpl->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
1878 xpl->sadb_x_policy_type = sp->policy;
1879 xpl->sadb_x_policy_dir = sp->spidx.dir;
1880 xpl->sadb_x_policy_id = sp->id;
1881 xpl->sadb_x_policy_priority = sp->priority;
1882 switch (sp->state) {
1883 case IPSEC_SPSTATE_IFNET:
1884 xpl->sadb_x_policy_scope = IPSEC_POLICYSCOPE_IFNET;
1885 break;
1886 case IPSEC_SPSTATE_PCB:
1887 xpl->sadb_x_policy_scope = IPSEC_POLICYSCOPE_PCB;
1888 break;
1889 default:
1890 xpl->sadb_x_policy_scope = IPSEC_POLICYSCOPE_GLOBAL;
1891 }
1892
1893 /* if is the policy for ipsec ? */
1894 if (sp->policy == IPSEC_POLICY_IPSEC) {
1895 p = (caddr_t)xpl + sizeof(*xpl);
1896 for (i = 0; i < sp->tcount; i++) {
1897 isr = sp->req[i];
1898 ilen = PFKEY_ALIGN8(sizeof(*xisr) +
1899 isr->saidx.src.sa.sa_len +
1900 isr->saidx.dst.sa.sa_len);
1901 xlen += ilen;
1902 if (xlen > *len) {
1903 error = ENOBUFS;
1904 /* Calculate needed size */
1905 continue;
1906 }
1907 xisr = (struct sadb_x_ipsecrequest *)p;
1908 xisr->sadb_x_ipsecrequest_len = ilen;
1909 xisr->sadb_x_ipsecrequest_proto = isr->saidx.proto;
1910 xisr->sadb_x_ipsecrequest_mode = isr->saidx.mode;
1911 xisr->sadb_x_ipsecrequest_level = isr->level;
1912 xisr->sadb_x_ipsecrequest_reqid = isr->saidx.reqid;
1913
1914 p += sizeof(*xisr);
1915 bcopy(&isr->saidx.src, p, isr->saidx.src.sa.sa_len);
1916 p += isr->saidx.src.sa.sa_len;
1917 bcopy(&isr->saidx.dst, p, isr->saidx.dst.sa.sa_len);
1918 p += isr->saidx.dst.sa.sa_len;
1919 }
1920 }
1921 xpl->sadb_x_policy_len = PFKEY_UNIT64(xlen);
1922 #ifdef IPSEC_OFFLOAD
1923 if (error == 0 && sp->accel_ifname != NULL) {
1924 xif = (struct sadb_x_if_hw_offl *)(xpl + 1);
1925 bzero(xif, sizeof(*xif));
1926 xif->sadb_x_if_hw_offl_len = PFKEY_UNIT64(sizeof(*xif));
1927 xif->sadb_x_if_hw_offl_exttype = SADB_X_EXT_IF_HW_OFFL;
1928 xif->sadb_x_if_hw_offl_flags = 0;
1929 strncpy(xif->sadb_x_if_hw_offl_if, sp->accel_ifname,
1930 sizeof(xif->sadb_x_if_hw_offl_if));
1931 xlen += sizeof(*xif);
1932 }
1933 #endif
1934 if (error == 0)
1935 *len = xlen;
1936 else
1937 *len = sizeof(*xpl);
1938 return (error);
1939 }
1940
1941 /* m will not be freed nor modified */
1942 static struct mbuf *
key_gather_mbuf(struct mbuf * m,const struct sadb_msghdr * mhp,int ndeep,int nitem,...)1943 key_gather_mbuf(struct mbuf *m, const struct sadb_msghdr *mhp,
1944 int ndeep, int nitem, ...)
1945 {
1946 va_list ap;
1947 int idx;
1948 int i;
1949 struct mbuf *result = NULL, *n;
1950 int len;
1951
1952 IPSEC_ASSERT(m != NULL, ("null mbuf"));
1953 IPSEC_ASSERT(mhp != NULL, ("null msghdr"));
1954
1955 va_start(ap, nitem);
1956 for (i = 0; i < nitem; i++) {
1957 idx = va_arg(ap, int);
1958 if (idx < 0 || idx > SADB_EXT_MAX)
1959 goto fail;
1960 /* don't attempt to pull empty extension */
1961 if (idx == SADB_EXT_RESERVED && mhp->msg == NULL)
1962 continue;
1963 if (idx != SADB_EXT_RESERVED &&
1964 (mhp->ext[idx] == NULL || mhp->extlen[idx] == 0))
1965 continue;
1966
1967 if (idx == SADB_EXT_RESERVED) {
1968 len = PFKEY_ALIGN8(sizeof(struct sadb_msg));
1969
1970 IPSEC_ASSERT(len <= MHLEN, ("header too big %u", len));
1971
1972 MGETHDR(n, M_NOWAIT, MT_DATA);
1973 if (!n)
1974 goto fail;
1975 n->m_len = len;
1976 n->m_next = NULL;
1977 m_copydata(m, 0, sizeof(struct sadb_msg),
1978 mtod(n, caddr_t));
1979 } else if (i < ndeep) {
1980 len = mhp->extlen[idx];
1981 n = m_get2(len, M_NOWAIT, MT_DATA, 0);
1982 if (n == NULL)
1983 goto fail;
1984 m_align(n, len);
1985 n->m_len = len;
1986 m_copydata(m, mhp->extoff[idx], mhp->extlen[idx],
1987 mtod(n, caddr_t));
1988 } else {
1989 n = m_copym(m, mhp->extoff[idx], mhp->extlen[idx],
1990 M_NOWAIT);
1991 }
1992 if (n == NULL)
1993 goto fail;
1994
1995 if (result)
1996 m_cat(result, n);
1997 else
1998 result = n;
1999 }
2000 va_end(ap);
2001
2002 if ((result->m_flags & M_PKTHDR) != 0) {
2003 result->m_pkthdr.len = 0;
2004 for (n = result; n; n = n->m_next)
2005 result->m_pkthdr.len += n->m_len;
2006 }
2007
2008 return result;
2009
2010 fail:
2011 m_freem(result);
2012 va_end(ap);
2013 return NULL;
2014 }
2015
2016 /*
2017 * SADB_X_SPDADD, SADB_X_SPDSETIDX or SADB_X_SPDUPDATE processing
2018 * add an entry to SP database, when received
2019 * <base, address(SD), (lifetime(H),) policy>
2020 * from the user(?).
2021 * Adding to SP database,
2022 * and send
2023 * <base, address(SD), (lifetime(H),) policy>
2024 * to the socket which was send.
2025 *
2026 * SPDADD set a unique policy entry.
2027 * SPDSETIDX like SPDADD without a part of policy requests.
2028 * SPDUPDATE replace a unique policy entry.
2029 *
2030 * XXXAE: serialize this in PF_KEY to avoid races.
2031 * m will always be freed.
2032 */
2033 static int
key_spdadd(struct socket * so,struct mbuf * m,const struct sadb_msghdr * mhp)2034 key_spdadd(struct socket *so, struct mbuf *m, const struct sadb_msghdr *mhp)
2035 {
2036 struct secpolicyindex spidx;
2037 struct sadb_address *src0, *dst0;
2038 struct sadb_x_policy *xpl0, *xpl;
2039 struct sadb_lifetime *lft = NULL;
2040 struct secpolicy *newsp, *oldsp;
2041 int error;
2042
2043 IPSEC_ASSERT(so != NULL, ("null socket"));
2044 IPSEC_ASSERT(m != NULL, ("null mbuf"));
2045 IPSEC_ASSERT(mhp != NULL, ("null msghdr"));
2046 IPSEC_ASSERT(mhp->msg != NULL, ("null msg"));
2047
2048 if (SADB_CHECKHDR(mhp, SADB_EXT_ADDRESS_SRC) ||
2049 SADB_CHECKHDR(mhp, SADB_EXT_ADDRESS_DST) ||
2050 SADB_CHECKHDR(mhp, SADB_X_EXT_POLICY)) {
2051 ipseclog((LOG_DEBUG,
2052 "%s: invalid message: missing required header.\n",
2053 __func__));
2054 return key_senderror(so, m, EINVAL);
2055 }
2056 if (SADB_CHECKLEN(mhp, SADB_EXT_ADDRESS_SRC) ||
2057 SADB_CHECKLEN(mhp, SADB_EXT_ADDRESS_DST) ||
2058 SADB_CHECKLEN(mhp, SADB_X_EXT_POLICY)) {
2059 ipseclog((LOG_DEBUG,
2060 "%s: invalid message: wrong header size.\n", __func__));
2061 return key_senderror(so, m, EINVAL);
2062 }
2063 if (!SADB_CHECKHDR(mhp, SADB_EXT_LIFETIME_HARD)) {
2064 if (SADB_CHECKLEN(mhp, SADB_EXT_LIFETIME_HARD)) {
2065 ipseclog((LOG_DEBUG,
2066 "%s: invalid message: wrong header size.\n",
2067 __func__));
2068 return key_senderror(so, m, EINVAL);
2069 }
2070 lft = (struct sadb_lifetime *)mhp->ext[SADB_EXT_LIFETIME_HARD];
2071 }
2072
2073 src0 = (struct sadb_address *)mhp->ext[SADB_EXT_ADDRESS_SRC];
2074 dst0 = (struct sadb_address *)mhp->ext[SADB_EXT_ADDRESS_DST];
2075 xpl0 = (struct sadb_x_policy *)mhp->ext[SADB_X_EXT_POLICY];
2076
2077 /* check the direciton */
2078 switch (xpl0->sadb_x_policy_dir) {
2079 case IPSEC_DIR_INBOUND:
2080 case IPSEC_DIR_OUTBOUND:
2081 break;
2082 default:
2083 ipseclog((LOG_DEBUG, "%s: invalid SP direction.\n", __func__));
2084 return key_senderror(so, m, EINVAL);
2085 }
2086 /* key_spdadd() accepts DISCARD, NONE and IPSEC. */
2087 if (xpl0->sadb_x_policy_type != IPSEC_POLICY_DISCARD &&
2088 xpl0->sadb_x_policy_type != IPSEC_POLICY_NONE &&
2089 xpl0->sadb_x_policy_type != IPSEC_POLICY_IPSEC) {
2090 ipseclog((LOG_DEBUG, "%s: invalid policy type.\n", __func__));
2091 return key_senderror(so, m, EINVAL);
2092 }
2093
2094 /* policy requests are mandatory when action is ipsec. */
2095 if (xpl0->sadb_x_policy_type == IPSEC_POLICY_IPSEC &&
2096 mhp->extlen[SADB_X_EXT_POLICY] <= sizeof(*xpl0)) {
2097 ipseclog((LOG_DEBUG,
2098 "%s: policy requests required.\n", __func__));
2099 return key_senderror(so, m, EINVAL);
2100 }
2101
2102 error = key_checksockaddrs((struct sockaddr *)(src0 + 1),
2103 (struct sockaddr *)(dst0 + 1));
2104 if (error != 0 ||
2105 src0->sadb_address_proto != dst0->sadb_address_proto) {
2106 ipseclog((LOG_DEBUG, "%s: invalid sockaddr.\n", __func__));
2107 return key_senderror(so, m, error);
2108 }
2109 /* make secindex */
2110 KEY_SETSECSPIDX(xpl0->sadb_x_policy_dir,
2111 src0 + 1,
2112 dst0 + 1,
2113 src0->sadb_address_prefixlen,
2114 dst0->sadb_address_prefixlen,
2115 src0->sadb_address_proto,
2116 &spidx);
2117 /* Checking there is SP already or not. */
2118 oldsp = key_getsp(&spidx);
2119 if (oldsp != NULL) {
2120 if (mhp->msg->sadb_msg_type == SADB_X_SPDUPDATE) {
2121 KEYDBG(KEY_STAMP,
2122 printf("%s: unlink SP(%p) for SPDUPDATE\n",
2123 __func__, oldsp));
2124 KEYDBG(KEY_DATA, kdebug_secpolicy(oldsp));
2125 } else {
2126 key_freesp(&oldsp);
2127 ipseclog((LOG_DEBUG,
2128 "%s: a SP entry exists already.\n", __func__));
2129 return (key_senderror(so, m, EEXIST));
2130 }
2131 }
2132
2133 /* allocate new SP entry */
2134 if ((newsp = key_msg2sp(xpl0, PFKEY_EXTLEN(xpl0), &error)) == NULL) {
2135 if (oldsp != NULL) {
2136 key_unlink(oldsp);
2137 key_freesp(&oldsp); /* second for our reference */
2138 }
2139 return key_senderror(so, m, error);
2140 }
2141
2142 newsp->lastused = newsp->created = time_second;
2143 newsp->lifetime = lft ? lft->sadb_lifetime_addtime : 0;
2144 newsp->validtime = lft ? lft->sadb_lifetime_usetime : 0;
2145 bcopy(&spidx, &newsp->spidx, sizeof(spidx));
2146 #ifdef IPSEC_OFFLOAD
2147 if (!SADB_CHECKHDR(mhp, SADB_X_EXT_IF_HW_OFFL) &&
2148 !SADB_CHECKLEN(mhp, SADB_X_EXT_IF_HW_OFFL)) {
2149 struct sadb_x_if_hw_offl *xof;
2150
2151 xof = (struct sadb_x_if_hw_offl *)mhp->ext[
2152 SADB_X_EXT_IF_HW_OFFL];
2153 newsp->accel_ifname = malloc(sizeof(xof->sadb_x_if_hw_offl_if),
2154 M_IPSEC_MISC, M_NOWAIT);
2155 if (newsp->accel_ifname == NULL) {
2156 ipseclog((LOG_DEBUG, "%s: cannot alloc accel_ifname.\n",
2157 __func__));
2158 key_freesp(&newsp);
2159 return (key_senderror(so, m, error));
2160 }
2161 strncpy(__DECONST(char *, newsp->accel_ifname),
2162 xof->sadb_x_if_hw_offl_if,
2163 sizeof(xof->sadb_x_if_hw_offl_if));
2164 }
2165
2166 #endif
2167
2168 SPTREE_WLOCK();
2169 if ((newsp->id = key_getnewspid()) == 0) {
2170 if (oldsp != NULL)
2171 key_detach(oldsp);
2172 SPTREE_WUNLOCK();
2173 if (oldsp != NULL) {
2174 ipsec_accel_sync();
2175 key_freesp(&oldsp); /* first for key_detach */
2176 IPSEC_ASSERT(oldsp != NULL, ("null oldsp: refcount bug"));
2177 key_freesp(&oldsp); /* second for our reference */
2178 if (SPDCACHE_ENABLED()) /* refresh cache because of key_detach */
2179 spdcache_clear();
2180 }
2181 key_freesp(&newsp);
2182 return key_senderror(so, m, ENOBUFS);
2183 }
2184 if (oldsp != NULL)
2185 key_detach(oldsp);
2186 key_insertsp(newsp);
2187 SPTREE_WUNLOCK();
2188 if (oldsp != NULL) {
2189 ipsec_accel_sync();
2190 key_freesp(&oldsp); /* first for key_detach */
2191 IPSEC_ASSERT(oldsp != NULL, ("null oldsp: refcount bug"));
2192 key_freesp(&oldsp); /* second for our reference */
2193 }
2194 if (SPDCACHE_ENABLED())
2195 spdcache_clear();
2196 KEYDBG(KEY_STAMP,
2197 printf("%s: SP(%p)\n", __func__, newsp));
2198 KEYDBG(KEY_DATA, kdebug_secpolicy(newsp));
2199
2200 {
2201 struct mbuf *n, *mpolicy;
2202 struct sadb_msg *newmsg;
2203 int off;
2204
2205 /* create new sadb_msg to reply. */
2206 if (lft) {
2207 n = key_gather_mbuf(m, mhp, 2, 5, SADB_EXT_RESERVED,
2208 SADB_X_EXT_POLICY, SADB_EXT_LIFETIME_HARD,
2209 SADB_EXT_ADDRESS_SRC, SADB_EXT_ADDRESS_DST);
2210 } else {
2211 n = key_gather_mbuf(m, mhp, 2, 4, SADB_EXT_RESERVED,
2212 SADB_X_EXT_POLICY,
2213 SADB_EXT_ADDRESS_SRC, SADB_EXT_ADDRESS_DST);
2214 }
2215 if (!n)
2216 return key_senderror(so, m, ENOBUFS);
2217
2218 if (n->m_len < sizeof(*newmsg)) {
2219 n = m_pullup(n, sizeof(*newmsg));
2220 if (!n)
2221 return key_senderror(so, m, ENOBUFS);
2222 }
2223 newmsg = mtod(n, struct sadb_msg *);
2224 newmsg->sadb_msg_errno = 0;
2225 newmsg->sadb_msg_len = PFKEY_UNIT64(n->m_pkthdr.len);
2226
2227 off = 0;
2228 mpolicy = m_pulldown(n, PFKEY_ALIGN8(sizeof(struct sadb_msg)),
2229 sizeof(*xpl), &off);
2230 if (mpolicy == NULL) {
2231 /* n is already freed */
2232 return key_senderror(so, m, ENOBUFS);
2233 }
2234 xpl = (struct sadb_x_policy *)(mtod(mpolicy, caddr_t) + off);
2235 if (xpl->sadb_x_policy_exttype != SADB_X_EXT_POLICY) {
2236 m_freem(n);
2237 return key_senderror(so, m, EINVAL);
2238 }
2239 xpl->sadb_x_policy_id = newsp->id;
2240
2241 m_freem(m);
2242 return key_sendup_mbuf(so, n, KEY_SENDUP_ALL);
2243 }
2244 }
2245
2246 /*
2247 * get new policy id.
2248 * OUT:
2249 * 0: failure.
2250 * others: success.
2251 */
2252 static uint32_t
key_getnewspid(void)2253 key_getnewspid(void)
2254 {
2255 struct secpolicy *sp;
2256 uint32_t newid = 0;
2257 int tries, limit;
2258
2259 SPTREE_WLOCK_ASSERT();
2260
2261 limit = atomic_load_int(&V_key_spi_trycnt);
2262 for (tries = 0; tries < limit; tries++) {
2263 if (V_policy_id == ~0) /* overflowed */
2264 newid = V_policy_id = 1;
2265 else
2266 newid = ++V_policy_id;
2267 LIST_FOREACH(sp, SPHASH_HASH(newid), idhash) {
2268 if (sp->id == newid)
2269 break;
2270 }
2271 if (sp == NULL)
2272 break;
2273 }
2274 if (tries == limit || newid == 0) {
2275 ipseclog((LOG_DEBUG, "%s: failed to allocate policy id.\n",
2276 __func__));
2277 return (0);
2278 }
2279 return (newid);
2280 }
2281
2282 /*
2283 * SADB_SPDDELETE processing
2284 * receive
2285 * <base, address(SD), policy(*)>
2286 * from the user(?), and set SADB_SASTATE_DEAD,
2287 * and send,
2288 * <base, address(SD), policy(*)>
2289 * to the ikmpd.
2290 * policy(*) including direction of policy.
2291 *
2292 * m will always be freed.
2293 */
2294 static int
key_spddelete(struct socket * so,struct mbuf * m,const struct sadb_msghdr * mhp)2295 key_spddelete(struct socket *so, struct mbuf *m,
2296 const struct sadb_msghdr *mhp)
2297 {
2298 struct secpolicyindex spidx;
2299 struct sadb_address *src0, *dst0;
2300 struct sadb_x_policy *xpl0;
2301 struct secpolicy *sp;
2302
2303 IPSEC_ASSERT(so != NULL, ("null so"));
2304 IPSEC_ASSERT(m != NULL, ("null mbuf"));
2305 IPSEC_ASSERT(mhp != NULL, ("null msghdr"));
2306 IPSEC_ASSERT(mhp->msg != NULL, ("null msg"));
2307
2308 if (SADB_CHECKHDR(mhp, SADB_EXT_ADDRESS_SRC) ||
2309 SADB_CHECKHDR(mhp, SADB_EXT_ADDRESS_DST) ||
2310 SADB_CHECKHDR(mhp, SADB_X_EXT_POLICY)) {
2311 ipseclog((LOG_DEBUG,
2312 "%s: invalid message: missing required header.\n",
2313 __func__));
2314 return key_senderror(so, m, EINVAL);
2315 }
2316 if (SADB_CHECKLEN(mhp, SADB_EXT_ADDRESS_SRC) ||
2317 SADB_CHECKLEN(mhp, SADB_EXT_ADDRESS_DST) ||
2318 SADB_CHECKLEN(mhp, SADB_X_EXT_POLICY)) {
2319 ipseclog((LOG_DEBUG,
2320 "%s: invalid message: wrong header size.\n", __func__));
2321 return key_senderror(so, m, EINVAL);
2322 }
2323
2324 src0 = (struct sadb_address *)mhp->ext[SADB_EXT_ADDRESS_SRC];
2325 dst0 = (struct sadb_address *)mhp->ext[SADB_EXT_ADDRESS_DST];
2326 xpl0 = (struct sadb_x_policy *)mhp->ext[SADB_X_EXT_POLICY];
2327
2328 /* check the direciton */
2329 switch (xpl0->sadb_x_policy_dir) {
2330 case IPSEC_DIR_INBOUND:
2331 case IPSEC_DIR_OUTBOUND:
2332 break;
2333 default:
2334 ipseclog((LOG_DEBUG, "%s: invalid SP direction.\n", __func__));
2335 return key_senderror(so, m, EINVAL);
2336 }
2337 /* Only DISCARD, NONE and IPSEC are allowed */
2338 if (xpl0->sadb_x_policy_type != IPSEC_POLICY_DISCARD &&
2339 xpl0->sadb_x_policy_type != IPSEC_POLICY_NONE &&
2340 xpl0->sadb_x_policy_type != IPSEC_POLICY_IPSEC) {
2341 ipseclog((LOG_DEBUG, "%s: invalid policy type.\n", __func__));
2342 return key_senderror(so, m, EINVAL);
2343 }
2344 if (key_checksockaddrs((struct sockaddr *)(src0 + 1),
2345 (struct sockaddr *)(dst0 + 1)) != 0 ||
2346 src0->sadb_address_proto != dst0->sadb_address_proto) {
2347 ipseclog((LOG_DEBUG, "%s: invalid sockaddr.\n", __func__));
2348 return key_senderror(so, m, EINVAL);
2349 }
2350 /* make secindex */
2351 KEY_SETSECSPIDX(xpl0->sadb_x_policy_dir,
2352 src0 + 1,
2353 dst0 + 1,
2354 src0->sadb_address_prefixlen,
2355 dst0->sadb_address_prefixlen,
2356 src0->sadb_address_proto,
2357 &spidx);
2358
2359 /* Is there SP in SPD ? */
2360 if ((sp = key_getsp(&spidx)) == NULL) {
2361 ipseclog((LOG_DEBUG, "%s: no SP found.\n", __func__));
2362 return key_senderror(so, m, EINVAL);
2363 }
2364
2365 /* save policy id to buffer to be returned. */
2366 xpl0->sadb_x_policy_id = sp->id;
2367
2368 KEYDBG(KEY_STAMP,
2369 printf("%s: SP(%p)\n", __func__, sp));
2370 KEYDBG(KEY_DATA, kdebug_secpolicy(sp));
2371 ipsec_accel_spddel(sp);
2372 key_unlink(sp);
2373 key_freesp(&sp);
2374
2375 {
2376 struct mbuf *n;
2377 struct sadb_msg *newmsg;
2378
2379 /* create new sadb_msg to reply. */
2380 n = key_gather_mbuf(m, mhp, 1, 4, SADB_EXT_RESERVED,
2381 SADB_X_EXT_POLICY, SADB_EXT_ADDRESS_SRC, SADB_EXT_ADDRESS_DST);
2382 if (!n)
2383 return key_senderror(so, m, ENOBUFS);
2384
2385 newmsg = mtod(n, struct sadb_msg *);
2386 newmsg->sadb_msg_errno = 0;
2387 newmsg->sadb_msg_len = PFKEY_UNIT64(n->m_pkthdr.len);
2388
2389 m_freem(m);
2390 return key_sendup_mbuf(so, n, KEY_SENDUP_ALL);
2391 }
2392 }
2393
2394 /*
2395 * SADB_SPDDELETE2 processing
2396 * receive
2397 * <base, policy(*)>
2398 * from the user(?), and set SADB_SASTATE_DEAD,
2399 * and send,
2400 * <base, policy(*)>
2401 * to the ikmpd.
2402 * policy(*) including direction of policy.
2403 *
2404 * m will always be freed.
2405 */
2406 static int
key_spddelete2(struct socket * so,struct mbuf * m,const struct sadb_msghdr * mhp)2407 key_spddelete2(struct socket *so, struct mbuf *m,
2408 const struct sadb_msghdr *mhp)
2409 {
2410 struct secpolicy *sp;
2411 uint32_t id;
2412
2413 IPSEC_ASSERT(so != NULL, ("null socket"));
2414 IPSEC_ASSERT(m != NULL, ("null mbuf"));
2415 IPSEC_ASSERT(mhp != NULL, ("null msghdr"));
2416 IPSEC_ASSERT(mhp->msg != NULL, ("null msg"));
2417
2418 if (SADB_CHECKHDR(mhp, SADB_X_EXT_POLICY) ||
2419 SADB_CHECKLEN(mhp, SADB_X_EXT_POLICY)) {
2420 ipseclog((LOG_DEBUG, "%s: invalid message is passed.\n",
2421 __func__));
2422 return key_senderror(so, m, EINVAL);
2423 }
2424
2425 id = ((struct sadb_x_policy *)
2426 mhp->ext[SADB_X_EXT_POLICY])->sadb_x_policy_id;
2427
2428 /* Is there SP in SPD ? */
2429 if ((sp = key_getspbyid(id)) == NULL) {
2430 ipseclog((LOG_DEBUG, "%s: no SP found for id %u.\n",
2431 __func__, id));
2432 return key_senderror(so, m, EINVAL);
2433 }
2434
2435 KEYDBG(KEY_STAMP,
2436 printf("%s: SP(%p)\n", __func__, sp));
2437 KEYDBG(KEY_DATA, kdebug_secpolicy(sp));
2438 key_unlink(sp);
2439 if (sp->state != IPSEC_SPSTATE_DEAD) {
2440 ipseclog((LOG_DEBUG, "%s: failed to delete SP with id %u.\n",
2441 __func__, id));
2442 key_freesp(&sp);
2443 return (key_senderror(so, m, EACCES));
2444 }
2445 key_freesp(&sp);
2446
2447 {
2448 struct mbuf *n, *nn;
2449 struct sadb_msg *newmsg;
2450 int off, len;
2451
2452 /* create new sadb_msg to reply. */
2453 len = PFKEY_ALIGN8(sizeof(struct sadb_msg));
2454
2455 n = key_mget(len);
2456 if (n == NULL)
2457 return key_senderror(so, m, ENOBUFS);
2458
2459 n->m_len = len;
2460 n->m_next = NULL;
2461 off = 0;
2462
2463 m_copydata(m, 0, sizeof(struct sadb_msg), mtod(n, caddr_t) + off);
2464 off += PFKEY_ALIGN8(sizeof(struct sadb_msg));
2465
2466 IPSEC_ASSERT(off == len, ("length inconsistency (off %u len %u)",
2467 off, len));
2468
2469 n->m_next = m_copym(m, mhp->extoff[SADB_X_EXT_POLICY],
2470 mhp->extlen[SADB_X_EXT_POLICY], M_NOWAIT);
2471 if (!n->m_next) {
2472 m_freem(n);
2473 return key_senderror(so, m, ENOBUFS);
2474 }
2475
2476 n->m_pkthdr.len = 0;
2477 for (nn = n; nn; nn = nn->m_next)
2478 n->m_pkthdr.len += nn->m_len;
2479
2480 newmsg = mtod(n, struct sadb_msg *);
2481 newmsg->sadb_msg_errno = 0;
2482 newmsg->sadb_msg_len = PFKEY_UNIT64(n->m_pkthdr.len);
2483
2484 m_freem(m);
2485 return key_sendup_mbuf(so, n, KEY_SENDUP_ALL);
2486 }
2487 }
2488
2489 /*
2490 * SADB_X_SPDGET processing
2491 * receive
2492 * <base, policy(*)>
2493 * from the user(?),
2494 * and send,
2495 * <base, address(SD), policy>
2496 * to the ikmpd.
2497 * policy(*) including direction of policy.
2498 *
2499 * m will always be freed.
2500 */
2501 static int
key_spdget(struct socket * so,struct mbuf * m,const struct sadb_msghdr * mhp)2502 key_spdget(struct socket *so, struct mbuf *m, const struct sadb_msghdr *mhp)
2503 {
2504 struct secpolicy *sp;
2505 struct mbuf *n;
2506 uint32_t id;
2507
2508 IPSEC_ASSERT(so != NULL, ("null socket"));
2509 IPSEC_ASSERT(m != NULL, ("null mbuf"));
2510 IPSEC_ASSERT(mhp != NULL, ("null msghdr"));
2511 IPSEC_ASSERT(mhp->msg != NULL, ("null msg"));
2512
2513 if (SADB_CHECKHDR(mhp, SADB_X_EXT_POLICY) ||
2514 SADB_CHECKLEN(mhp, SADB_X_EXT_POLICY)) {
2515 ipseclog((LOG_DEBUG, "%s: invalid message is passed.\n",
2516 __func__));
2517 return key_senderror(so, m, EINVAL);
2518 }
2519
2520 id = ((struct sadb_x_policy *)
2521 mhp->ext[SADB_X_EXT_POLICY])->sadb_x_policy_id;
2522
2523 /* Is there SP in SPD ? */
2524 if ((sp = key_getspbyid(id)) == NULL) {
2525 ipseclog((LOG_DEBUG, "%s: no SP found for id %u.\n",
2526 __func__, id));
2527 return key_senderror(so, m, ENOENT);
2528 }
2529
2530 n = key_setdumpsp(sp, SADB_X_SPDGET, mhp->msg->sadb_msg_seq,
2531 mhp->msg->sadb_msg_pid);
2532 key_freesp(&sp);
2533 if (n != NULL) {
2534 m_freem(m);
2535 return key_sendup_mbuf(so, n, KEY_SENDUP_ONE);
2536 } else
2537 return key_senderror(so, m, ENOBUFS);
2538 }
2539
2540 /*
2541 * SADB_X_SPDACQUIRE processing.
2542 * Acquire policy and SA(s) for a *OUTBOUND* packet.
2543 * send
2544 * <base, policy(*)>
2545 * to KMD, and expect to receive
2546 * <base> with SADB_X_SPDACQUIRE if error occurred,
2547 * or
2548 * <base, policy>
2549 * with SADB_X_SPDUPDATE from KMD by PF_KEY.
2550 * policy(*) is without policy requests.
2551 *
2552 * 0 : succeed
2553 * others: error number
2554 */
2555 int
key_spdacquire(struct secpolicy * sp)2556 key_spdacquire(struct secpolicy *sp)
2557 {
2558 struct mbuf *result = NULL, *m;
2559 struct secspacq *newspacq;
2560
2561 IPSEC_ASSERT(sp != NULL, ("null secpolicy"));
2562 IPSEC_ASSERT(sp->req == NULL, ("policy exists"));
2563 IPSEC_ASSERT(sp->policy == IPSEC_POLICY_IPSEC,
2564 ("policy not IPSEC %u", sp->policy));
2565
2566 /* Get an entry to check whether sent message or not. */
2567 newspacq = key_getspacq(&sp->spidx);
2568 if (newspacq != NULL) {
2569 if (V_key_blockacq_count < newspacq->count) {
2570 /* reset counter and do send message. */
2571 newspacq->count = 0;
2572 } else {
2573 /* increment counter and do nothing. */
2574 newspacq->count++;
2575 SPACQ_UNLOCK();
2576 return (0);
2577 }
2578 SPACQ_UNLOCK();
2579 } else {
2580 /* make new entry for blocking to send SADB_ACQUIRE. */
2581 newspacq = key_newspacq(&sp->spidx);
2582 if (newspacq == NULL)
2583 return ENOBUFS;
2584 }
2585
2586 /* create new sadb_msg to reply. */
2587 m = key_setsadbmsg(SADB_X_SPDACQUIRE, 0, 0, 0, 0, 0);
2588 if (!m)
2589 return ENOBUFS;
2590
2591 result = m;
2592
2593 result->m_pkthdr.len = 0;
2594 for (m = result; m; m = m->m_next)
2595 result->m_pkthdr.len += m->m_len;
2596
2597 mtod(result, struct sadb_msg *)->sadb_msg_len =
2598 PFKEY_UNIT64(result->m_pkthdr.len);
2599
2600 return key_sendup_mbuf(NULL, result, KEY_SENDUP_REGISTERED);
2601 }
2602
2603 /*
2604 * SADB_SPDFLUSH processing
2605 * receive
2606 * <base>
2607 * from the user, and free all entries in secpctree.
2608 * and send,
2609 * <base>
2610 * to the user.
2611 * NOTE: what to do is only marking SADB_SASTATE_DEAD.
2612 *
2613 * m will always be freed.
2614 */
2615 static int
key_spdflush(struct socket * so,struct mbuf * m,const struct sadb_msghdr * mhp)2616 key_spdflush(struct socket *so, struct mbuf *m, const struct sadb_msghdr *mhp)
2617 {
2618 struct secpolicy_queue drainq;
2619 struct sadb_msg *newmsg;
2620 struct secpolicy *sp, *nextsp;
2621 u_int dir;
2622
2623 IPSEC_ASSERT(so != NULL, ("null socket"));
2624 IPSEC_ASSERT(m != NULL, ("null mbuf"));
2625 IPSEC_ASSERT(mhp != NULL, ("null msghdr"));
2626 IPSEC_ASSERT(mhp->msg != NULL, ("null msg"));
2627
2628 if (m->m_len != PFKEY_ALIGN8(sizeof(struct sadb_msg)))
2629 return key_senderror(so, m, EINVAL);
2630
2631 TAILQ_INIT(&drainq);
2632 SPTREE_WLOCK();
2633 for (dir = 0; dir < IPSEC_DIR_MAX; dir++) {
2634 TAILQ_CONCAT(&drainq, &V_sptree[dir], chain);
2635 }
2636 /*
2637 * We need to set state to DEAD for each policy to be sure,
2638 * that another thread won't try to unlink it.
2639 * Also remove SP from sphash.
2640 */
2641 TAILQ_FOREACH(sp, &drainq, chain) {
2642 sp->state = IPSEC_SPSTATE_DEAD;
2643 ipsec_accel_spddel(sp);
2644 LIST_REMOVE(sp, idhash);
2645 }
2646 V_sp_genid++;
2647 V_spd_size = 0;
2648 SPTREE_WUNLOCK();
2649 if (SPDCACHE_ENABLED())
2650 spdcache_clear();
2651 sp = TAILQ_FIRST(&drainq);
2652 while (sp != NULL) {
2653 nextsp = TAILQ_NEXT(sp, chain);
2654 key_freesp(&sp);
2655 sp = nextsp;
2656 }
2657
2658 if (sizeof(struct sadb_msg) > m->m_len + M_TRAILINGSPACE(m)) {
2659 ipseclog((LOG_DEBUG, "%s: No more memory.\n", __func__));
2660 return key_senderror(so, m, ENOBUFS);
2661 }
2662
2663 if (m->m_next)
2664 m_freem(m->m_next);
2665 m->m_next = NULL;
2666 m->m_pkthdr.len = m->m_len = PFKEY_ALIGN8(sizeof(struct sadb_msg));
2667 newmsg = mtod(m, struct sadb_msg *);
2668 newmsg->sadb_msg_errno = 0;
2669 newmsg->sadb_msg_len = PFKEY_UNIT64(m->m_pkthdr.len);
2670
2671 return key_sendup_mbuf(so, m, KEY_SENDUP_ALL);
2672 }
2673
2674 static uint8_t
key_satype2scopemask(uint8_t satype)2675 key_satype2scopemask(uint8_t satype)
2676 {
2677
2678 if (satype == IPSEC_POLICYSCOPE_ANY)
2679 return (0xff);
2680 return (satype);
2681 }
2682 /*
2683 * SADB_SPDDUMP processing
2684 * receive
2685 * <base>
2686 * from the user, and dump all SP leaves and send,
2687 * <base> .....
2688 * to the ikmpd.
2689 *
2690 * NOTE:
2691 * sadb_msg_satype is considered as mask of policy scopes.
2692 * m will always be freed.
2693 */
2694 static int
key_spddump(struct socket * so,struct mbuf * m,const struct sadb_msghdr * mhp)2695 key_spddump(struct socket *so, struct mbuf *m, const struct sadb_msghdr *mhp)
2696 {
2697 SPTREE_RLOCK_TRACKER;
2698 struct secpolicy *sp;
2699 struct mbuf *n;
2700 int cnt;
2701 u_int dir, scope;
2702
2703 IPSEC_ASSERT(so != NULL, ("null socket"));
2704 IPSEC_ASSERT(m != NULL, ("null mbuf"));
2705 IPSEC_ASSERT(mhp != NULL, ("null msghdr"));
2706 IPSEC_ASSERT(mhp->msg != NULL, ("null msg"));
2707
2708 /* search SPD entry and get buffer size. */
2709 cnt = 0;
2710 scope = key_satype2scopemask(mhp->msg->sadb_msg_satype);
2711 SPTREE_RLOCK();
2712 for (dir = 0; dir < IPSEC_DIR_MAX; dir++) {
2713 if (scope & IPSEC_POLICYSCOPE_GLOBAL) {
2714 TAILQ_FOREACH(sp, &V_sptree[dir], chain)
2715 cnt++;
2716 }
2717 if (scope & IPSEC_POLICYSCOPE_IFNET) {
2718 TAILQ_FOREACH(sp, &V_sptree_ifnet[dir], chain)
2719 cnt++;
2720 }
2721 }
2722
2723 if (cnt == 0) {
2724 SPTREE_RUNLOCK();
2725 return key_senderror(so, m, ENOENT);
2726 }
2727
2728 for (dir = 0; dir < IPSEC_DIR_MAX; dir++) {
2729 if (scope & IPSEC_POLICYSCOPE_GLOBAL) {
2730 TAILQ_FOREACH(sp, &V_sptree[dir], chain) {
2731 --cnt;
2732 n = key_setdumpsp(sp, SADB_X_SPDDUMP, cnt,
2733 mhp->msg->sadb_msg_pid);
2734
2735 if (n != NULL)
2736 key_sendup_mbuf(so, n, KEY_SENDUP_ONE);
2737 }
2738 }
2739 if (scope & IPSEC_POLICYSCOPE_IFNET) {
2740 TAILQ_FOREACH(sp, &V_sptree_ifnet[dir], chain) {
2741 --cnt;
2742 n = key_setdumpsp(sp, SADB_X_SPDDUMP, cnt,
2743 mhp->msg->sadb_msg_pid);
2744
2745 if (n != NULL)
2746 key_sendup_mbuf(so, n, KEY_SENDUP_ONE);
2747 }
2748 }
2749 }
2750
2751 SPTREE_RUNLOCK();
2752 m_freem(m);
2753 return (0);
2754 }
2755
2756 static struct mbuf *
key_setdumpsp(struct secpolicy * sp,u_int8_t type,u_int32_t seq,u_int32_t pid)2757 key_setdumpsp(struct secpolicy *sp, u_int8_t type, u_int32_t seq,
2758 u_int32_t pid)
2759 {
2760 struct mbuf *result = NULL, *m;
2761 struct seclifetime lt;
2762
2763 m = key_setsadbmsg(type, 0, SADB_SATYPE_UNSPEC, seq, pid, sp->refcnt);
2764 if (!m)
2765 goto fail;
2766 result = m;
2767
2768 m = key_setsadbaddr(SADB_EXT_ADDRESS_SRC,
2769 &sp->spidx.src.sa, sp->spidx.prefs,
2770 sp->spidx.ul_proto);
2771 if (!m)
2772 goto fail;
2773 m_cat(result, m);
2774
2775 m = key_setsadbaddr(SADB_EXT_ADDRESS_DST,
2776 &sp->spidx.dst.sa, sp->spidx.prefd,
2777 sp->spidx.ul_proto);
2778 if (!m)
2779 goto fail;
2780 m_cat(result, m);
2781
2782 m = key_sp2mbuf(sp);
2783 if (!m)
2784 goto fail;
2785 m_cat(result, m);
2786
2787 if(sp->lifetime){
2788 lt.addtime=sp->created;
2789 lt.usetime= sp->lastused;
2790 m = key_setlifetime(<, SADB_EXT_LIFETIME_CURRENT);
2791 if (!m)
2792 goto fail;
2793 m_cat(result, m);
2794
2795 lt.addtime=sp->lifetime;
2796 lt.usetime= sp->validtime;
2797 m = key_setlifetime(<, SADB_EXT_LIFETIME_HARD);
2798 if (!m)
2799 goto fail;
2800 m_cat(result, m);
2801 }
2802
2803 if ((result->m_flags & M_PKTHDR) == 0)
2804 goto fail;
2805
2806 if (result->m_len < sizeof(struct sadb_msg)) {
2807 result = m_pullup(result, sizeof(struct sadb_msg));
2808 if (result == NULL)
2809 goto fail;
2810 }
2811
2812 result->m_pkthdr.len = 0;
2813 for (m = result; m; m = m->m_next)
2814 result->m_pkthdr.len += m->m_len;
2815
2816 mtod(result, struct sadb_msg *)->sadb_msg_len =
2817 PFKEY_UNIT64(result->m_pkthdr.len);
2818
2819 return result;
2820
2821 fail:
2822 m_freem(result);
2823 return NULL;
2824 }
2825 /*
2826 * get PFKEY message length for security policy and request.
2827 */
2828 static size_t
key_getspreqmsglen(struct secpolicy * sp)2829 key_getspreqmsglen(struct secpolicy *sp)
2830 {
2831 size_t tlen, len;
2832 int i;
2833
2834 tlen = sizeof(struct sadb_x_policy);
2835 /* if is the policy for ipsec ? */
2836 if (sp->policy != IPSEC_POLICY_IPSEC)
2837 return (tlen);
2838
2839 /* get length of ipsec requests */
2840 for (i = 0; i < sp->tcount; i++) {
2841 len = sizeof(struct sadb_x_ipsecrequest)
2842 + sp->req[i]->saidx.src.sa.sa_len
2843 + sp->req[i]->saidx.dst.sa.sa_len;
2844
2845 tlen += PFKEY_ALIGN8(len);
2846 }
2847 #ifdef IPSEC_OFFLOAD
2848 if (sp->accel_ifname != NULL)
2849 tlen += sizeof(struct sadb_x_if_hw_offl);
2850 #endif
2851 return (tlen);
2852 }
2853
2854 /*
2855 * SADB_SPDEXPIRE processing
2856 * send
2857 * <base, address(SD), lifetime(CH), policy>
2858 * to KMD by PF_KEY.
2859 *
2860 * OUT: 0 : succeed
2861 * others : error number
2862 */
2863 static int
key_spdexpire(struct secpolicy * sp)2864 key_spdexpire(struct secpolicy *sp)
2865 {
2866 struct sadb_lifetime *lt;
2867 struct mbuf *result = NULL, *m;
2868 int len, error = -1;
2869
2870 IPSEC_ASSERT(sp != NULL, ("null secpolicy"));
2871
2872 KEYDBG(KEY_STAMP,
2873 printf("%s: SP(%p)\n", __func__, sp));
2874 KEYDBG(KEY_DATA, kdebug_secpolicy(sp));
2875
2876 /* set msg header */
2877 m = key_setsadbmsg(SADB_X_SPDEXPIRE, 0, 0, 0, 0, 0);
2878 if (!m) {
2879 error = ENOBUFS;
2880 goto fail;
2881 }
2882 result = m;
2883
2884 /* create lifetime extension (current and hard) */
2885 len = PFKEY_ALIGN8(sizeof(*lt)) * 2;
2886 m = m_get2(len, M_NOWAIT, MT_DATA, 0);
2887 if (m == NULL) {
2888 error = ENOBUFS;
2889 goto fail;
2890 }
2891 m_align(m, len);
2892 m->m_len = len;
2893 bzero(mtod(m, caddr_t), len);
2894 lt = mtod(m, struct sadb_lifetime *);
2895 lt->sadb_lifetime_len = PFKEY_UNIT64(sizeof(struct sadb_lifetime));
2896 lt->sadb_lifetime_exttype = SADB_EXT_LIFETIME_CURRENT;
2897 lt->sadb_lifetime_allocations = 0;
2898 lt->sadb_lifetime_bytes = 0;
2899 lt->sadb_lifetime_addtime = sp->created;
2900 lt->sadb_lifetime_usetime = sp->lastused;
2901 lt = (struct sadb_lifetime *)(mtod(m, caddr_t) + len / 2);
2902 lt->sadb_lifetime_len = PFKEY_UNIT64(sizeof(struct sadb_lifetime));
2903 lt->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD;
2904 lt->sadb_lifetime_allocations = 0;
2905 lt->sadb_lifetime_bytes = 0;
2906 lt->sadb_lifetime_addtime = sp->lifetime;
2907 lt->sadb_lifetime_usetime = sp->validtime;
2908 m_cat(result, m);
2909
2910 /* set sadb_address for source */
2911 m = key_setsadbaddr(SADB_EXT_ADDRESS_SRC,
2912 &sp->spidx.src.sa,
2913 sp->spidx.prefs, sp->spidx.ul_proto);
2914 if (!m) {
2915 error = ENOBUFS;
2916 goto fail;
2917 }
2918 m_cat(result, m);
2919
2920 /* set sadb_address for destination */
2921 m = key_setsadbaddr(SADB_EXT_ADDRESS_DST,
2922 &sp->spidx.dst.sa,
2923 sp->spidx.prefd, sp->spidx.ul_proto);
2924 if (!m) {
2925 error = ENOBUFS;
2926 goto fail;
2927 }
2928 m_cat(result, m);
2929
2930 /* set secpolicy */
2931 m = key_sp2mbuf(sp);
2932 if (!m) {
2933 error = ENOBUFS;
2934 goto fail;
2935 }
2936 m_cat(result, m);
2937
2938 if ((result->m_flags & M_PKTHDR) == 0) {
2939 error = EINVAL;
2940 goto fail;
2941 }
2942
2943 if (result->m_len < sizeof(struct sadb_msg)) {
2944 result = m_pullup(result, sizeof(struct sadb_msg));
2945 if (result == NULL) {
2946 error = ENOBUFS;
2947 goto fail;
2948 }
2949 }
2950
2951 result->m_pkthdr.len = 0;
2952 for (m = result; m; m = m->m_next)
2953 result->m_pkthdr.len += m->m_len;
2954
2955 mtod(result, struct sadb_msg *)->sadb_msg_len =
2956 PFKEY_UNIT64(result->m_pkthdr.len);
2957
2958 return key_sendup_mbuf(NULL, result, KEY_SENDUP_REGISTERED);
2959
2960 fail:
2961 if (result)
2962 m_freem(result);
2963 return error;
2964 }
2965
2966 /* %%% SAD management */
2967 /*
2968 * allocating and initialize new SA head.
2969 * OUT: NULL : failure due to the lack of memory.
2970 * others : pointer to new SA head.
2971 */
2972 static struct secashead *
key_newsah(struct secasindex * saidx)2973 key_newsah(struct secasindex *saidx)
2974 {
2975 struct secashead *sah;
2976
2977 sah = malloc(sizeof(struct secashead), M_IPSEC_SAH,
2978 M_NOWAIT | M_ZERO);
2979 if (sah == NULL) {
2980 PFKEYSTAT_INC(in_nomem);
2981 return (NULL);
2982 }
2983 TAILQ_INIT(&sah->savtree_larval);
2984 TAILQ_INIT(&sah->savtree_alive);
2985 sah->saidx = *saidx;
2986 sah->state = SADB_SASTATE_DEAD;
2987 SAH_INITREF(sah);
2988
2989 KEYDBG(KEY_STAMP,
2990 printf("%s: SAH(%p)\n", __func__, sah));
2991 KEYDBG(KEY_DATA, kdebug_secash(sah, NULL));
2992 return (sah);
2993 }
2994
2995 static void
key_freesah(struct secashead ** psah)2996 key_freesah(struct secashead **psah)
2997 {
2998 struct secashead *sah = *psah;
2999
3000 CURVNET_ASSERT_SET();
3001
3002 if (SAH_DELREF(sah) == 0)
3003 return;
3004
3005 KEYDBG(KEY_STAMP,
3006 printf("%s: last reference to SAH(%p)\n", __func__, sah));
3007 KEYDBG(KEY_DATA, kdebug_secash(sah, NULL));
3008
3009 *psah = NULL;
3010 key_delsah(sah);
3011 }
3012
3013 static void
key_delsah(struct secashead * sah)3014 key_delsah(struct secashead *sah)
3015 {
3016 IPSEC_ASSERT(sah != NULL, ("NULL sah"));
3017 IPSEC_ASSERT(sah->state == SADB_SASTATE_DEAD,
3018 ("Attempt to free non DEAD SAH %p", sah));
3019 IPSEC_ASSERT(TAILQ_EMPTY(&sah->savtree_larval),
3020 ("Attempt to free SAH %p with LARVAL SA", sah));
3021 IPSEC_ASSERT(TAILQ_EMPTY(&sah->savtree_alive),
3022 ("Attempt to free SAH %p with ALIVE SA", sah));
3023
3024 free(sah, M_IPSEC_SAH);
3025 }
3026
3027 /*
3028 * allocating a new SA for key_add() and key_getspi() call,
3029 * and copy the values of mhp into new buffer.
3030 * When SAD message type is SADB_GETSPI set SA state to LARVAL.
3031 * For SADB_ADD create and initialize SA with MATURE state.
3032 * OUT: NULL : fail
3033 * others : pointer to new secasvar.
3034 */
3035 static struct secasvar *
key_newsav(const struct sadb_msghdr * mhp,struct secasindex * saidx,uint32_t spi,int * errp)3036 key_newsav(const struct sadb_msghdr *mhp, struct secasindex *saidx,
3037 uint32_t spi, int *errp)
3038 {
3039 struct secashead *sah;
3040 struct secasvar *sav;
3041 int isnew;
3042
3043 IPSEC_ASSERT(mhp != NULL, ("null msghdr"));
3044 IPSEC_ASSERT(mhp->msg != NULL, ("null msg"));
3045 IPSEC_ASSERT(mhp->msg->sadb_msg_type == SADB_GETSPI ||
3046 mhp->msg->sadb_msg_type == SADB_ADD, ("wrong message type"));
3047
3048 sav = NULL;
3049 sah = NULL;
3050 /* check SPI value */
3051 switch (saidx->proto) {
3052 case IPPROTO_ESP:
3053 case IPPROTO_AH:
3054 /*
3055 * RFC 4302, 2.4. Security Parameters Index (SPI), SPI values
3056 * 1-255 reserved by IANA for future use,
3057 * 0 for implementation specific, local use.
3058 */
3059 if (ntohl(spi) <= 255) {
3060 ipseclog((LOG_DEBUG, "%s: illegal range of SPI %u.\n",
3061 __func__, ntohl(spi)));
3062 *errp = EINVAL;
3063 goto done;
3064 }
3065 break;
3066 }
3067
3068 sav = malloc(sizeof(struct secasvar), M_IPSEC_SA, M_NOWAIT | M_ZERO);
3069 if (sav == NULL) {
3070 *errp = ENOBUFS;
3071 goto done;
3072 }
3073 sav->lock = malloc_aligned(max(sizeof(struct rmlock),
3074 CACHE_LINE_SIZE), CACHE_LINE_SIZE, M_IPSEC_MISC,
3075 M_NOWAIT | M_ZERO);
3076 if (sav->lock == NULL) {
3077 *errp = ENOBUFS;
3078 goto done;
3079 }
3080 rm_init(sav->lock, "ipsec association");
3081 sav->lft_c = uma_zalloc_pcpu(ipsec_key_lft_zone, M_NOWAIT | M_ZERO);
3082 if (sav->lft_c == NULL) {
3083 *errp = ENOBUFS;
3084 goto done;
3085 }
3086
3087 sav->spi = spi;
3088 sav->seq = mhp->msg->sadb_msg_seq;
3089 sav->state = SADB_SASTATE_LARVAL;
3090 sav->pid = (pid_t)mhp->msg->sadb_msg_pid;
3091 SAV_INITREF(sav);
3092 #ifdef IPSEC_OFFLOAD
3093 CK_LIST_INIT(&sav->accel_ifps);
3094 sav->accel_forget_tq = 0;
3095 sav->accel_lft_sw = uma_zalloc_pcpu(ipsec_key_lft_zone,
3096 M_NOWAIT | M_ZERO);
3097 if (sav->accel_lft_sw == NULL) {
3098 *errp = ENOBUFS;
3099 goto done;
3100 }
3101 if (!SADB_CHECKHDR(mhp, SADB_X_EXT_IF_HW_OFFL) &&
3102 !SADB_CHECKLEN(mhp, SADB_X_EXT_IF_HW_OFFL)) {
3103 struct sadb_x_if_hw_offl *xof;
3104
3105 xof = (struct sadb_x_if_hw_offl *)mhp->ext[
3106 SADB_X_EXT_IF_HW_OFFL];
3107 sav->accel_ifname = malloc(sizeof(xof->sadb_x_if_hw_offl_if),
3108 M_IPSEC_MISC, M_NOWAIT);
3109 if (sav->accel_ifname == NULL) {
3110 *errp = ENOBUFS;
3111 goto done;
3112 }
3113 strncpy(__DECONST(char *, sav->accel_ifname),
3114 xof->sadb_x_if_hw_offl_if,
3115 sizeof(xof->sadb_x_if_hw_offl_if));
3116 }
3117 #endif
3118 again:
3119 sah = key_getsah(saidx);
3120 if (sah == NULL) {
3121 /* create a new SA index */
3122 sah = key_newsah(saidx);
3123 if (sah == NULL) {
3124 ipseclog((LOG_DEBUG,
3125 "%s: No more memory.\n", __func__));
3126 *errp = ENOBUFS;
3127 goto done;
3128 }
3129 isnew = 1;
3130 } else
3131 isnew = 0;
3132
3133 sav->sah = sah;
3134 if (mhp->msg->sadb_msg_type == SADB_GETSPI) {
3135 sav->created = time_second;
3136 } else if (sav->state == SADB_SASTATE_LARVAL) {
3137 /*
3138 * Do not call key_setsaval() second time in case
3139 * of `goto again`. We will have MATURE state.
3140 */
3141 *errp = key_setsaval(sav, mhp);
3142 if (*errp != 0)
3143 goto done;
3144 sav->state = SADB_SASTATE_MATURE;
3145 }
3146
3147 SAHTREE_WLOCK();
3148 /*
3149 * Check that existing SAH wasn't unlinked.
3150 * Since we didn't hold the SAHTREE lock, it is possible,
3151 * that callout handler or key_flush() or key_delete() could
3152 * unlink this SAH.
3153 */
3154 if (isnew == 0 && sah->state == SADB_SASTATE_DEAD) {
3155 SAHTREE_WUNLOCK();
3156 key_freesah(&sah); /* reference from key_getsah() */
3157 goto again;
3158 }
3159 if (isnew != 0) {
3160 /*
3161 * Add new SAH into SADB.
3162 *
3163 * XXXAE: we can serialize key_add and key_getspi calls, so
3164 * several threads will not fight in the race.
3165 * Otherwise we should check under SAHTREE lock, that this
3166 * SAH would not added twice.
3167 */
3168 TAILQ_INSERT_HEAD(&V_sahtree, sah, chain);
3169 /* Add new SAH into hash by addresses */
3170 LIST_INSERT_HEAD(SAHADDRHASH_HASH(saidx), sah, addrhash);
3171 /* Now we are linked in the chain */
3172 sah->state = SADB_SASTATE_MATURE;
3173 /*
3174 * SAV references this new SAH.
3175 * In case of existing SAH we reuse reference
3176 * from key_getsah().
3177 */
3178 SAH_ADDREF(sah);
3179 }
3180 /* Link SAV with SAH */
3181 if (sav->state == SADB_SASTATE_MATURE) {
3182 TAILQ_INSERT_HEAD(&sah->savtree_alive, sav, chain);
3183 ipsec_accel_sa_newkey(sav);
3184 } else
3185 TAILQ_INSERT_HEAD(&sah->savtree_larval, sav, chain);
3186 /* Add SAV into SPI hash */
3187 LIST_INSERT_HEAD(SAVHASH_HASH(sav->spi), sav, spihash);
3188 SAHTREE_WUNLOCK();
3189 *errp = 0; /* success */
3190 done:
3191 if (*errp != 0) {
3192 if (sav != NULL) {
3193 if (sav->lock != NULL) {
3194 rm_destroy(sav->lock);
3195 free(sav->lock, M_IPSEC_MISC);
3196 }
3197 if (sav->lft_c != NULL)
3198 uma_zfree_pcpu(ipsec_key_lft_zone, sav->lft_c);
3199 #ifdef IPSEC_OFFLOAD
3200 if (sav->accel_lft_sw != NULL)
3201 uma_zfree_pcpu(ipsec_key_lft_zone,
3202 sav->accel_lft_sw);
3203 free(__DECONST(char *, sav->accel_ifname),
3204 M_IPSEC_MISC);
3205 #endif
3206 free(sav, M_IPSEC_SA), sav = NULL;
3207 }
3208 if (sah != NULL)
3209 key_freesah(&sah);
3210 if (*errp == ENOBUFS) {
3211 ipseclog((LOG_DEBUG, "%s: No more memory.\n",
3212 __func__));
3213 PFKEYSTAT_INC(in_nomem);
3214 }
3215 }
3216 return (sav);
3217 }
3218
3219 /*
3220 * free() SA variable entry.
3221 */
3222 static void
key_cleansav(struct secasvar * sav)3223 key_cleansav(struct secasvar *sav)
3224 {
3225
3226 if (sav->natt != NULL) {
3227 free(sav->natt, M_IPSEC_MISC);
3228 sav->natt = NULL;
3229 }
3230 if (sav->flags & SADB_X_EXT_F_CLONED)
3231 return;
3232 if (sav->tdb_xform != NULL) {
3233 sav->tdb_xform->xf_cleanup(sav);
3234 sav->tdb_xform = NULL;
3235 }
3236 if (sav->key_auth != NULL) {
3237 zfree(sav->key_auth->key_data, M_IPSEC_MISC);
3238 free(sav->key_auth, M_IPSEC_MISC);
3239 sav->key_auth = NULL;
3240 }
3241 if (sav->key_enc != NULL) {
3242 zfree(sav->key_enc->key_data, M_IPSEC_MISC);
3243 free(sav->key_enc, M_IPSEC_MISC);
3244 sav->key_enc = NULL;
3245 }
3246 if (sav->replay != NULL) {
3247 mtx_destroy(&sav->replay->lock);
3248 if (sav->replay->bitmap != NULL)
3249 free(sav->replay->bitmap, M_IPSEC_MISC);
3250 free(sav->replay, M_IPSEC_MISC);
3251 sav->replay = NULL;
3252 }
3253 if (sav->lft_h != NULL) {
3254 free(sav->lft_h, M_IPSEC_MISC);
3255 sav->lft_h = NULL;
3256 }
3257 if (sav->lft_s != NULL) {
3258 free(sav->lft_s, M_IPSEC_MISC);
3259 sav->lft_s = NULL;
3260 }
3261 }
3262
3263 /*
3264 * free() SA variable entry.
3265 */
3266 static void
key_delsav(struct secasvar * sav)3267 key_delsav(struct secasvar *sav)
3268 {
3269 IPSEC_ASSERT(sav != NULL, ("null sav"));
3270 IPSEC_ASSERT(sav->state == SADB_SASTATE_DEAD,
3271 ("attempt to free non DEAD SA %p", sav));
3272 IPSEC_ASSERT(sav->refcnt == 0, ("reference count %u > 0",
3273 sav->refcnt));
3274 #ifdef IPSEC_OFFLOAD
3275 KASSERT(CK_LIST_EMPTY(&sav->accel_ifps),
3276 ("key_unlinksav: sav %p still offloaded", sav));
3277 #endif
3278
3279 /*
3280 * SA must be unlinked from the chain and hashtbl.
3281 * If SA was cloned, we leave all fields untouched,
3282 * except NAT-T config.
3283 */
3284 key_cleansav(sav);
3285 if ((sav->flags & SADB_X_EXT_F_CLONED) == 0) {
3286 rm_destroy(sav->lock);
3287 free(sav->lock, M_IPSEC_MISC);
3288 uma_zfree_pcpu(ipsec_key_lft_zone, sav->lft_c);
3289 }
3290 #ifdef IPSEC_OFFLOAD
3291 /* XXXKIB should this be moved to key_cleansav()? */
3292 uma_zfree_pcpu(ipsec_key_lft_zone, sav->accel_lft_sw);
3293 free(__DECONST(char *, sav->accel_ifname), M_IPSEC_MISC);
3294 #endif
3295 free(sav, M_IPSEC_SA);
3296 }
3297
3298 /*
3299 * search SAH.
3300 * OUT:
3301 * NULL : not found
3302 * others : found, referenced pointer to a SAH.
3303 */
3304 static struct secashead *
key_getsah(struct secasindex * saidx)3305 key_getsah(struct secasindex *saidx)
3306 {
3307 SAHTREE_RLOCK_TRACKER;
3308 struct secashead *sah;
3309
3310 SAHTREE_RLOCK();
3311 LIST_FOREACH(sah, SAHADDRHASH_HASH(saidx), addrhash) {
3312 if (key_cmpsaidx(&sah->saidx, saidx, CMP_MODE_REQID) != 0) {
3313 SAH_ADDREF(sah);
3314 break;
3315 }
3316 }
3317 SAHTREE_RUNLOCK();
3318 return (sah);
3319 }
3320
3321 /*
3322 * Check not to be duplicated SPI.
3323 * OUT:
3324 * 0 : not found
3325 * 1 : found SA with given SPI.
3326 */
3327 static int
key_checkspidup(uint32_t spi)3328 key_checkspidup(uint32_t spi)
3329 {
3330 SAHTREE_RLOCK_TRACKER;
3331 struct secasvar *sav;
3332
3333 /* Assume SPI is in network byte order */
3334 SAHTREE_RLOCK();
3335 LIST_FOREACH(sav, SAVHASH_HASH(spi), spihash) {
3336 if (sav->spi == spi)
3337 break;
3338 }
3339 SAHTREE_RUNLOCK();
3340 return (sav != NULL);
3341 }
3342
3343 /*
3344 * Search SA by SPI.
3345 * OUT:
3346 * NULL : not found
3347 * others : found, referenced pointer to a SA.
3348 */
3349 static struct secasvar *
key_getsavbyspi(uint32_t spi)3350 key_getsavbyspi(uint32_t spi)
3351 {
3352 SAHTREE_RLOCK_TRACKER;
3353 struct secasvar *sav;
3354
3355 /* Assume SPI is in network byte order */
3356 SAHTREE_RLOCK();
3357 LIST_FOREACH(sav, SAVHASH_HASH(spi), spihash) {
3358 if (sav->spi != spi)
3359 continue;
3360 SAV_ADDREF(sav);
3361 break;
3362 }
3363 SAHTREE_RUNLOCK();
3364 return (sav);
3365 }
3366
3367 static int
key_updatelifetimes(struct secasvar * sav,const struct sadb_msghdr * mhp)3368 key_updatelifetimes(struct secasvar *sav, const struct sadb_msghdr *mhp)
3369 {
3370 struct seclifetime *lft_h, *lft_s, *tmp;
3371
3372 /* Lifetime extension is optional, check that it is present. */
3373 if (SADB_CHECKHDR(mhp, SADB_EXT_LIFETIME_HARD) &&
3374 SADB_CHECKHDR(mhp, SADB_EXT_LIFETIME_SOFT)) {
3375 /*
3376 * In case of SADB_UPDATE we may need to change
3377 * existing lifetimes.
3378 */
3379 if (sav->state == SADB_SASTATE_MATURE) {
3380 lft_h = lft_s = NULL;
3381 goto reset;
3382 }
3383 return (0);
3384 }
3385 /* Both HARD and SOFT extensions must present */
3386 if ((SADB_CHECKHDR(mhp, SADB_EXT_LIFETIME_HARD) &&
3387 !SADB_CHECKHDR(mhp, SADB_EXT_LIFETIME_SOFT)) ||
3388 (SADB_CHECKHDR(mhp, SADB_EXT_LIFETIME_SOFT) &&
3389 !SADB_CHECKHDR(mhp, SADB_EXT_LIFETIME_HARD))) {
3390 ipseclog((LOG_DEBUG,
3391 "%s: invalid message: missing required header.\n",
3392 __func__));
3393 return (EINVAL);
3394 }
3395 if (SADB_CHECKLEN(mhp, SADB_EXT_LIFETIME_HARD) ||
3396 SADB_CHECKLEN(mhp, SADB_EXT_LIFETIME_SOFT)) {
3397 ipseclog((LOG_DEBUG,
3398 "%s: invalid message: wrong header size.\n", __func__));
3399 return (EINVAL);
3400 }
3401 lft_h = key_dup_lifemsg((const struct sadb_lifetime *)
3402 mhp->ext[SADB_EXT_LIFETIME_HARD], M_IPSEC_MISC);
3403 if (lft_h == NULL) {
3404 PFKEYSTAT_INC(in_nomem);
3405 ipseclog((LOG_DEBUG, "%s: No more memory.\n", __func__));
3406 return (ENOBUFS);
3407 }
3408 lft_s = key_dup_lifemsg((const struct sadb_lifetime *)
3409 mhp->ext[SADB_EXT_LIFETIME_SOFT], M_IPSEC_MISC);
3410 if (lft_s == NULL) {
3411 PFKEYSTAT_INC(in_nomem);
3412 free(lft_h, M_IPSEC_MISC);
3413 ipseclog((LOG_DEBUG, "%s: No more memory.\n", __func__));
3414 return (ENOBUFS);
3415 }
3416 reset:
3417 if (sav->state != SADB_SASTATE_LARVAL) {
3418 /*
3419 * key_update() holds reference to this SA,
3420 * so it won't be deleted in meanwhile.
3421 */
3422 SECASVAR_WLOCK(sav);
3423 tmp = sav->lft_h;
3424 sav->lft_h = lft_h;
3425 lft_h = tmp;
3426
3427 tmp = sav->lft_s;
3428 sav->lft_s = lft_s;
3429 lft_s = tmp;
3430 SECASVAR_WUNLOCK(sav);
3431 if (lft_h != NULL)
3432 free(lft_h, M_IPSEC_MISC);
3433 if (lft_s != NULL)
3434 free(lft_s, M_IPSEC_MISC);
3435 return (0);
3436 }
3437 /* We can update lifetime without holding a lock */
3438 IPSEC_ASSERT(sav->lft_h == NULL, ("lft_h is already initialized\n"));
3439 IPSEC_ASSERT(sav->lft_s == NULL, ("lft_s is already initialized\n"));
3440 sav->lft_h = lft_h;
3441 sav->lft_s = lft_s;
3442 return (0);
3443 }
3444
3445 /*
3446 * copy SA values from PF_KEY message except *SPI, SEQ, PID and TYPE*.
3447 * You must update these if need. Expects only LARVAL SAs.
3448 * OUT: 0: success.
3449 * !0: failure.
3450 */
3451 static int
key_setsaval(struct secasvar * sav,const struct sadb_msghdr * mhp)3452 key_setsaval(struct secasvar *sav, const struct sadb_msghdr *mhp)
3453 {
3454 const struct sadb_sa *sa0;
3455 const struct sadb_key *key0;
3456 uint32_t replay;
3457 size_t len;
3458 int error;
3459
3460 IPSEC_ASSERT(mhp != NULL, ("null msghdr"));
3461 IPSEC_ASSERT(mhp->msg != NULL, ("null msg"));
3462 IPSEC_ASSERT(sav->state == SADB_SASTATE_LARVAL,
3463 ("Attempt to update non LARVAL SA"));
3464
3465 /* XXX rewrite */
3466 error = key_setident(sav->sah, mhp);
3467 if (error != 0)
3468 goto fail;
3469
3470 /* SA */
3471 if (!SADB_CHECKHDR(mhp, SADB_EXT_SA)) {
3472 if (SADB_CHECKLEN(mhp, SADB_EXT_SA)) {
3473 error = EINVAL;
3474 goto fail;
3475 }
3476 sa0 = (const struct sadb_sa *)mhp->ext[SADB_EXT_SA];
3477 sav->alg_auth = sa0->sadb_sa_auth;
3478 sav->alg_enc = sa0->sadb_sa_encrypt;
3479 sav->flags = sa0->sadb_sa_flags;
3480 if ((sav->flags & SADB_KEY_FLAGS_MAX) != sav->flags) {
3481 ipseclog((LOG_DEBUG,
3482 "%s: invalid sa_flags 0x%08x.\n", __func__,
3483 sav->flags));
3484 error = EINVAL;
3485 goto fail;
3486 }
3487
3488 /* Optional replay window */
3489 replay = 0;
3490 if ((sa0->sadb_sa_flags & SADB_X_EXT_OLD) == 0)
3491 replay = sa0->sadb_sa_replay;
3492 if (!SADB_CHECKHDR(mhp, SADB_X_EXT_SA_REPLAY)) {
3493 if (SADB_CHECKLEN(mhp, SADB_X_EXT_SA_REPLAY)) {
3494 error = EINVAL;
3495 goto fail;
3496 }
3497 replay = ((const struct sadb_x_sa_replay *)
3498 mhp->ext[SADB_X_EXT_SA_REPLAY])->sadb_x_sa_replay_replay;
3499
3500 if (replay > UINT32_MAX - 32) {
3501 ipseclog((LOG_DEBUG,
3502 "%s: replay window too big.\n", __func__));
3503 error = EINVAL;
3504 goto fail;
3505 }
3506
3507 replay = (replay + 7) >> 3;
3508 }
3509
3510 sav->replay = malloc(sizeof(struct secreplay), M_IPSEC_MISC,
3511 M_NOWAIT | M_ZERO);
3512 if (sav->replay == NULL) {
3513 PFKEYSTAT_INC(in_nomem);
3514 ipseclog((LOG_DEBUG, "%s: No more memory.\n",
3515 __func__));
3516 error = ENOBUFS;
3517 goto fail;
3518 }
3519 mtx_init(&sav->replay->lock, "ipsec replay", NULL, MTX_DEF);
3520
3521 if (replay != 0) {
3522 /* number of 32b blocks to be allocated */
3523 uint32_t bitmap_size;
3524
3525 /* RFC 6479:
3526 * - the allocated replay window size must be
3527 * a power of two.
3528 * - use an extra 32b block as a redundant window.
3529 */
3530 bitmap_size = 1;
3531 while (replay + 4 > bitmap_size)
3532 bitmap_size <<= 1;
3533 bitmap_size = bitmap_size / 4;
3534
3535 sav->replay->bitmap = malloc(
3536 bitmap_size * sizeof(uint32_t), M_IPSEC_MISC,
3537 M_NOWAIT | M_ZERO);
3538 if (sav->replay->bitmap == NULL) {
3539 PFKEYSTAT_INC(in_nomem);
3540 ipseclog((LOG_DEBUG, "%s: No more memory.\n",
3541 __func__));
3542 error = ENOBUFS;
3543 goto fail;
3544 }
3545 sav->replay->bitmap_size = bitmap_size;
3546 sav->replay->wsize = replay;
3547 }
3548 }
3549
3550 /* Authentication keys */
3551 if (!SADB_CHECKHDR(mhp, SADB_EXT_KEY_AUTH)) {
3552 if (SADB_CHECKLEN(mhp, SADB_EXT_KEY_AUTH)) {
3553 error = EINVAL;
3554 goto fail;
3555 }
3556 error = 0;
3557 key0 = (const struct sadb_key *)mhp->ext[SADB_EXT_KEY_AUTH];
3558 len = mhp->extlen[SADB_EXT_KEY_AUTH];
3559 switch (mhp->msg->sadb_msg_satype) {
3560 case SADB_SATYPE_AH:
3561 case SADB_SATYPE_ESP:
3562 case SADB_X_SATYPE_TCPSIGNATURE:
3563 if (len == PFKEY_ALIGN8(sizeof(struct sadb_key)) &&
3564 sav->alg_auth != SADB_X_AALG_NULL)
3565 error = EINVAL;
3566 if (key0->sadb_key_bits == 0 || (sizeof(struct sadb_key) +
3567 (key0->sadb_key_bits >> 3)) > len)
3568 error = EINVAL;
3569 break;
3570 case SADB_X_SATYPE_IPCOMP:
3571 default:
3572 error = EINVAL;
3573 break;
3574 }
3575 if (error) {
3576 ipseclog((LOG_DEBUG, "%s: invalid key_auth values.\n",
3577 __func__));
3578 goto fail;
3579 }
3580
3581 sav->key_auth = key_dup_keymsg(key0, M_IPSEC_MISC);
3582 if (sav->key_auth == NULL ) {
3583 ipseclog((LOG_DEBUG, "%s: No more memory.\n",
3584 __func__));
3585 PFKEYSTAT_INC(in_nomem);
3586 error = ENOBUFS;
3587 goto fail;
3588 }
3589 }
3590
3591 /* Encryption key */
3592 if (!SADB_CHECKHDR(mhp, SADB_EXT_KEY_ENCRYPT)) {
3593 if (SADB_CHECKLEN(mhp, SADB_EXT_KEY_ENCRYPT)) {
3594 error = EINVAL;
3595 goto fail;
3596 }
3597 error = 0;
3598 key0 = (const struct sadb_key *)mhp->ext[SADB_EXT_KEY_ENCRYPT];
3599 len = mhp->extlen[SADB_EXT_KEY_ENCRYPT];
3600 switch (mhp->msg->sadb_msg_satype) {
3601 case SADB_SATYPE_ESP:
3602 if (len == PFKEY_ALIGN8(sizeof(struct sadb_key)) &&
3603 sav->alg_enc != SADB_EALG_NULL) {
3604 error = EINVAL;
3605 break;
3606 }
3607 if (key0->sadb_key_bits == 0 || (sizeof(struct sadb_key) +
3608 (key0->sadb_key_bits >> 3)) > len) {
3609 error = EINVAL;
3610 break;
3611 }
3612 sav->key_enc = key_dup_keymsg(key0, M_IPSEC_MISC);
3613 if (sav->key_enc == NULL) {
3614 ipseclog((LOG_DEBUG, "%s: No more memory.\n",
3615 __func__));
3616 PFKEYSTAT_INC(in_nomem);
3617 error = ENOBUFS;
3618 goto fail;
3619 }
3620 break;
3621 case SADB_X_SATYPE_IPCOMP:
3622 if (len != PFKEY_ALIGN8(sizeof(struct sadb_key)))
3623 error = EINVAL;
3624 sav->key_enc = NULL; /*just in case*/
3625 break;
3626 case SADB_SATYPE_AH:
3627 case SADB_X_SATYPE_TCPSIGNATURE:
3628 default:
3629 error = EINVAL;
3630 break;
3631 }
3632 if (error) {
3633 ipseclog((LOG_DEBUG, "%s: invalid key_enc value.\n",
3634 __func__));
3635 goto fail;
3636 }
3637 }
3638
3639 /* set iv */
3640 sav->ivlen = 0;
3641 switch (mhp->msg->sadb_msg_satype) {
3642 case SADB_SATYPE_AH:
3643 if (sav->flags & SADB_X_EXT_DERIV) {
3644 ipseclog((LOG_DEBUG, "%s: invalid flag (derived) "
3645 "given to AH SA.\n", __func__));
3646 error = EINVAL;
3647 goto fail;
3648 }
3649 if (sav->alg_enc != SADB_EALG_NONE) {
3650 ipseclog((LOG_DEBUG, "%s: protocol and algorithm "
3651 "mismated.\n", __func__));
3652 error = EINVAL;
3653 goto fail;
3654 }
3655 error = xform_init(sav, XF_AH);
3656 break;
3657 case SADB_SATYPE_ESP:
3658 if ((sav->flags & (SADB_X_EXT_OLD | SADB_X_EXT_DERIV)) ==
3659 (SADB_X_EXT_OLD | SADB_X_EXT_DERIV)) {
3660 ipseclog((LOG_DEBUG, "%s: invalid flag (derived) "
3661 "given to old-esp.\n", __func__));
3662 error = EINVAL;
3663 goto fail;
3664 }
3665 error = xform_init(sav, XF_ESP);
3666 break;
3667 case SADB_X_SATYPE_IPCOMP:
3668 if (sav->alg_auth != SADB_AALG_NONE) {
3669 ipseclog((LOG_DEBUG, "%s: protocol and algorithm "
3670 "mismated.\n", __func__));
3671 error = EINVAL;
3672 goto fail;
3673 }
3674 if ((sav->flags & SADB_X_EXT_RAWCPI) == 0 &&
3675 ntohl(sav->spi) >= 0x10000) {
3676 ipseclog((LOG_DEBUG, "%s: invalid cpi for IPComp.\n",
3677 __func__));
3678 error = EINVAL;
3679 goto fail;
3680 }
3681 error = xform_init(sav, XF_IPCOMP);
3682 break;
3683 case SADB_X_SATYPE_TCPSIGNATURE:
3684 if (sav->alg_enc != SADB_EALG_NONE) {
3685 ipseclog((LOG_DEBUG, "%s: protocol and algorithm "
3686 "mismated.\n", __func__));
3687 error = EINVAL;
3688 goto fail;
3689 }
3690 error = xform_init(sav, XF_TCPSIGNATURE);
3691 break;
3692 default:
3693 ipseclog((LOG_DEBUG, "%s: Invalid satype.\n", __func__));
3694 error = EPROTONOSUPPORT;
3695 goto fail;
3696 }
3697 if (error) {
3698 ipseclog((LOG_DEBUG, "%s: unable to initialize SA type %u.\n",
3699 __func__, mhp->msg->sadb_msg_satype));
3700 goto fail;
3701 }
3702
3703 /* Handle NAT-T headers */
3704 error = key_setnatt(sav, mhp);
3705 if (error != 0)
3706 goto fail;
3707
3708 /* Initialize lifetime for CURRENT */
3709 sav->firstused = 0;
3710 sav->created = time_second;
3711
3712 /* lifetimes for HARD and SOFT */
3713 error = key_updatelifetimes(sav, mhp);
3714 if (error == 0)
3715 return (0);
3716 fail:
3717 key_cleansav(sav);
3718 return (error);
3719 }
3720
3721 /*
3722 * subroutine for SADB_GET and SADB_DUMP.
3723 */
3724 static struct mbuf *
key_setdumpsa(struct secasvar * sav,uint8_t type,uint8_t satype,uint32_t seq,uint32_t pid,struct rm_priotracker * sahtree_trackerp)3725 key_setdumpsa(struct secasvar *sav, uint8_t type, uint8_t satype,
3726 uint32_t seq, uint32_t pid, struct rm_priotracker *sahtree_trackerp)
3727 {
3728 struct seclifetime lft_c;
3729 struct mbuf *result = NULL, *tres = NULL, *m;
3730 int i, dumporder[] = {
3731 SADB_EXT_SA, SADB_X_EXT_SA2, SADB_X_EXT_SA_REPLAY,
3732 SADB_EXT_LIFETIME_HARD, SADB_EXT_LIFETIME_SOFT,
3733 SADB_EXT_LIFETIME_CURRENT, SADB_EXT_ADDRESS_SRC,
3734 SADB_EXT_ADDRESS_DST, SADB_EXT_ADDRESS_PROXY,
3735 SADB_EXT_KEY_AUTH, SADB_EXT_KEY_ENCRYPT,
3736 SADB_EXT_IDENTITY_SRC, SADB_EXT_IDENTITY_DST,
3737 SADB_EXT_SENSITIVITY,
3738 SADB_X_EXT_NAT_T_TYPE,
3739 SADB_X_EXT_NAT_T_SPORT, SADB_X_EXT_NAT_T_DPORT,
3740 SADB_X_EXT_NAT_T_OAI, SADB_X_EXT_NAT_T_OAR,
3741 SADB_X_EXT_NAT_T_FRAG,
3742 #ifdef IPSEC_OFFLOAD
3743 SADB_X_EXT_LFT_CUR_SW_OFFL, SADB_X_EXT_LFT_CUR_HW_OFFL,
3744 SADB_X_EXT_IF_HW_OFFL,
3745 #endif
3746 };
3747 uint32_t replay_count;
3748 #ifdef IPSEC_OFFLOAD
3749 int error;
3750 #endif
3751
3752 SECASVAR_RLOCK_TRACKER;
3753
3754 m = key_setsadbmsg(type, 0, satype, seq, pid, sav->refcnt);
3755 if (m == NULL)
3756 goto fail;
3757 result = m;
3758
3759 for (i = nitems(dumporder) - 1; i >= 0; i--) {
3760 m = NULL;
3761 switch (dumporder[i]) {
3762 case SADB_EXT_SA:
3763 m = key_setsadbsa(sav);
3764 if (!m)
3765 goto fail;
3766 break;
3767
3768 case SADB_X_EXT_SA2: {
3769 SECASVAR_RLOCK(sav);
3770 replay_count = sav->replay ? sav->replay->count : 0;
3771 SECASVAR_RUNLOCK(sav);
3772 m = key_setsadbxsa2(sav->sah->saidx.mode, replay_count,
3773 sav->sah->saidx.reqid);
3774 if (!m)
3775 goto fail;
3776 break;
3777 }
3778 case SADB_X_EXT_SA_REPLAY:
3779 if (sav->replay == NULL ||
3780 sav->replay->wsize <= UINT8_MAX)
3781 continue;
3782
3783 m = key_setsadbxsareplay(sav->replay->wsize);
3784 if (!m)
3785 goto fail;
3786 break;
3787
3788 case SADB_EXT_ADDRESS_SRC:
3789 m = key_setsadbaddr(SADB_EXT_ADDRESS_SRC,
3790 &sav->sah->saidx.src.sa,
3791 FULLMASK, IPSEC_ULPROTO_ANY);
3792 if (!m)
3793 goto fail;
3794 break;
3795
3796 case SADB_EXT_ADDRESS_DST:
3797 m = key_setsadbaddr(SADB_EXT_ADDRESS_DST,
3798 &sav->sah->saidx.dst.sa,
3799 FULLMASK, IPSEC_ULPROTO_ANY);
3800 if (!m)
3801 goto fail;
3802 break;
3803
3804 case SADB_EXT_KEY_AUTH:
3805 if (!sav->key_auth)
3806 continue;
3807 m = key_setkey(sav->key_auth, SADB_EXT_KEY_AUTH);
3808 if (!m)
3809 goto fail;
3810 break;
3811
3812 case SADB_EXT_KEY_ENCRYPT:
3813 if (!sav->key_enc)
3814 continue;
3815 m = key_setkey(sav->key_enc, SADB_EXT_KEY_ENCRYPT);
3816 if (!m)
3817 goto fail;
3818 break;
3819
3820 case SADB_EXT_LIFETIME_CURRENT:
3821 lft_c.addtime = sav->created;
3822 lft_c.allocations = (uint32_t)counter_u64_fetch(
3823 sav->lft_c_allocations);
3824 lft_c.bytes = counter_u64_fetch(sav->lft_c_bytes);
3825 lft_c.usetime = sav->firstused;
3826 m = key_setlifetime(&lft_c, SADB_EXT_LIFETIME_CURRENT);
3827 if (!m)
3828 goto fail;
3829 break;
3830
3831 case SADB_EXT_LIFETIME_HARD:
3832 if (!sav->lft_h)
3833 continue;
3834 m = key_setlifetime(sav->lft_h,
3835 SADB_EXT_LIFETIME_HARD);
3836 if (!m)
3837 goto fail;
3838 break;
3839
3840 case SADB_EXT_LIFETIME_SOFT:
3841 if (!sav->lft_s)
3842 continue;
3843 m = key_setlifetime(sav->lft_s,
3844 SADB_EXT_LIFETIME_SOFT);
3845
3846 if (!m)
3847 goto fail;
3848 break;
3849
3850 case SADB_X_EXT_NAT_T_TYPE:
3851 if (sav->natt == NULL)
3852 continue;
3853 m = key_setsadbxtype(UDP_ENCAP_ESPINUDP);
3854 if (!m)
3855 goto fail;
3856 break;
3857
3858 case SADB_X_EXT_NAT_T_DPORT:
3859 if (sav->natt == NULL)
3860 continue;
3861 m = key_setsadbxport(sav->natt->dport,
3862 SADB_X_EXT_NAT_T_DPORT);
3863 if (!m)
3864 goto fail;
3865 break;
3866
3867 case SADB_X_EXT_NAT_T_SPORT:
3868 if (sav->natt == NULL)
3869 continue;
3870 m = key_setsadbxport(sav->natt->sport,
3871 SADB_X_EXT_NAT_T_SPORT);
3872 if (!m)
3873 goto fail;
3874 break;
3875
3876 case SADB_X_EXT_NAT_T_OAI:
3877 if (sav->natt == NULL ||
3878 (sav->natt->flags & IPSEC_NATT_F_OAI) == 0)
3879 continue;
3880 m = key_setsadbaddr(SADB_X_EXT_NAT_T_OAI,
3881 &sav->natt->oai.sa, FULLMASK, IPSEC_ULPROTO_ANY);
3882 if (!m)
3883 goto fail;
3884 break;
3885 case SADB_X_EXT_NAT_T_OAR:
3886 if (sav->natt == NULL ||
3887 (sav->natt->flags & IPSEC_NATT_F_OAR) == 0)
3888 continue;
3889 m = key_setsadbaddr(SADB_X_EXT_NAT_T_OAR,
3890 &sav->natt->oar.sa, FULLMASK, IPSEC_ULPROTO_ANY);
3891 if (!m)
3892 goto fail;
3893 break;
3894 case SADB_X_EXT_NAT_T_FRAG:
3895 /* We do not (yet) support those. */
3896 continue;
3897 #ifdef IPSEC_OFFLOAD
3898 case SADB_X_EXT_LFT_CUR_SW_OFFL:
3899 if (!ipsec_accel_is_accel_sav(sav))
3900 continue;
3901 SAV_ADDREF(sav);
3902 error = ipsec_accel_sa_lifetime_op(sav, &lft_c,
3903 NULL, IF_SA_CNT_TOTAL_SW_VAL, sahtree_trackerp);
3904 if (error != 0) {
3905 m = NULL;
3906 goto fail;
3907 }
3908 m = key_setlifetime(&lft_c, dumporder[i]);
3909 if (m == NULL)
3910 goto fail;
3911 key_freesav(&sav);
3912 if (sav == NULL) {
3913 m_freem(m);
3914 goto fail;
3915 }
3916 break;
3917 case SADB_X_EXT_LFT_CUR_HW_OFFL:
3918 if (!ipsec_accel_is_accel_sav(sav))
3919 continue;
3920 memset(&lft_c, 0, sizeof(lft_c));
3921 lft_c.bytes = sav->accel_hw_octets;
3922 lft_c.allocations = sav->accel_hw_allocs;
3923 m = key_setlifetime(&lft_c, dumporder[i]);
3924 if (m == NULL)
3925 goto fail;
3926 break;
3927 case SADB_X_EXT_IF_HW_OFFL:
3928 if (!ipsec_accel_is_accel_sav(sav))
3929 continue;
3930 m = ipsec_accel_key_setaccelif(sav);
3931 if (m == NULL)
3932 continue; /* benigh */
3933 break;
3934 #endif
3935
3936 case SADB_EXT_ADDRESS_PROXY:
3937 case SADB_EXT_IDENTITY_SRC:
3938 case SADB_EXT_IDENTITY_DST:
3939 /* XXX: should we brought from SPD ? */
3940 case SADB_EXT_SENSITIVITY:
3941 default:
3942 continue;
3943 }
3944
3945 if (!m)
3946 goto fail;
3947 if (tres)
3948 m_cat(m, tres);
3949 tres = m;
3950 }
3951
3952 m_cat(result, tres);
3953 tres = NULL;
3954 if (result->m_len < sizeof(struct sadb_msg)) {
3955 result = m_pullup(result, sizeof(struct sadb_msg));
3956 if (result == NULL)
3957 goto fail;
3958 }
3959
3960 result->m_pkthdr.len = 0;
3961 for (m = result; m; m = m->m_next)
3962 result->m_pkthdr.len += m->m_len;
3963
3964 mtod(result, struct sadb_msg *)->sadb_msg_len =
3965 PFKEY_UNIT64(result->m_pkthdr.len);
3966
3967 return result;
3968
3969 fail:
3970 m_freem(result);
3971 m_freem(tres);
3972 return NULL;
3973 }
3974
3975 /*
3976 * set data into sadb_msg.
3977 */
3978 static struct mbuf *
key_setsadbmsg(u_int8_t type,u_int16_t tlen,u_int8_t satype,u_int32_t seq,pid_t pid,u_int16_t reserved)3979 key_setsadbmsg(u_int8_t type, u_int16_t tlen, u_int8_t satype, u_int32_t seq,
3980 pid_t pid, u_int16_t reserved)
3981 {
3982 struct mbuf *m;
3983 struct sadb_msg *p;
3984 int len;
3985
3986 len = PFKEY_ALIGN8(sizeof(struct sadb_msg));
3987 if (len > MCLBYTES)
3988 return NULL;
3989 m = key_mget(len);
3990 if (m == NULL)
3991 return NULL;
3992 m->m_pkthdr.len = m->m_len = len;
3993 m->m_next = NULL;
3994
3995 p = mtod(m, struct sadb_msg *);
3996
3997 bzero(p, len);
3998 p->sadb_msg_version = PF_KEY_V2;
3999 p->sadb_msg_type = type;
4000 p->sadb_msg_errno = 0;
4001 p->sadb_msg_satype = satype;
4002 p->sadb_msg_len = PFKEY_UNIT64(tlen);
4003 p->sadb_msg_reserved = reserved;
4004 p->sadb_msg_seq = seq;
4005 p->sadb_msg_pid = (u_int32_t)pid;
4006
4007 return m;
4008 }
4009
4010 /*
4011 * copy secasvar data into sadb_address.
4012 */
4013 static struct mbuf *
key_setsadbsa(struct secasvar * sav)4014 key_setsadbsa(struct secasvar *sav)
4015 {
4016 struct mbuf *m;
4017 struct sadb_sa *p;
4018 int len;
4019
4020 len = PFKEY_ALIGN8(sizeof(struct sadb_sa));
4021 m = m_get2(len, M_NOWAIT, MT_DATA, 0);
4022 if (m == NULL)
4023 return (NULL);
4024 m_align(m, len);
4025 m->m_len = len;
4026 p = mtod(m, struct sadb_sa *);
4027 bzero(p, len);
4028 p->sadb_sa_len = PFKEY_UNIT64(len);
4029 p->sadb_sa_exttype = SADB_EXT_SA;
4030 p->sadb_sa_spi = sav->spi;
4031 p->sadb_sa_replay = sav->replay ?
4032 (sav->replay->wsize > UINT8_MAX ? UINT8_MAX :
4033 sav->replay->wsize): 0;
4034 p->sadb_sa_state = sav->state;
4035 p->sadb_sa_auth = sav->alg_auth;
4036 p->sadb_sa_encrypt = sav->alg_enc;
4037 p->sadb_sa_flags = sav->flags & SADB_KEY_FLAGS_MAX;
4038 return (m);
4039 }
4040
4041 /*
4042 * set data into sadb_address.
4043 */
4044 static struct mbuf *
key_setsadbaddr(u_int16_t exttype,const struct sockaddr * saddr,u_int8_t prefixlen,u_int16_t ul_proto)4045 key_setsadbaddr(u_int16_t exttype, const struct sockaddr *saddr,
4046 u_int8_t prefixlen, u_int16_t ul_proto)
4047 {
4048 struct mbuf *m;
4049 struct sadb_address *p;
4050 size_t len;
4051
4052 len = PFKEY_ALIGN8(sizeof(struct sadb_address)) +
4053 PFKEY_ALIGN8(saddr->sa_len);
4054 m = m_get2(len, M_NOWAIT, MT_DATA, 0);
4055 if (m == NULL)
4056 return (NULL);
4057 m_align(m, len);
4058 m->m_len = len;
4059 p = mtod(m, struct sadb_address *);
4060
4061 bzero(p, len);
4062 p->sadb_address_len = PFKEY_UNIT64(len);
4063 p->sadb_address_exttype = exttype;
4064 p->sadb_address_proto = ul_proto;
4065 if (prefixlen == FULLMASK) {
4066 switch (saddr->sa_family) {
4067 case AF_INET:
4068 prefixlen = sizeof(struct in_addr) << 3;
4069 break;
4070 case AF_INET6:
4071 prefixlen = sizeof(struct in6_addr) << 3;
4072 break;
4073 default:
4074 ; /*XXX*/
4075 }
4076 }
4077 p->sadb_address_prefixlen = prefixlen;
4078 p->sadb_address_reserved = 0;
4079
4080 bcopy(saddr,
4081 mtod(m, caddr_t) + PFKEY_ALIGN8(sizeof(struct sadb_address)),
4082 saddr->sa_len);
4083
4084 return m;
4085 }
4086
4087 /*
4088 * set data into sadb_x_sa2.
4089 */
4090 static struct mbuf *
key_setsadbxsa2(u_int8_t mode,u_int32_t seq,u_int32_t reqid)4091 key_setsadbxsa2(u_int8_t mode, u_int32_t seq, u_int32_t reqid)
4092 {
4093 struct mbuf *m;
4094 struct sadb_x_sa2 *p;
4095 size_t len;
4096
4097 len = PFKEY_ALIGN8(sizeof(struct sadb_x_sa2));
4098 m = m_get2(len, M_NOWAIT, MT_DATA, 0);
4099 if (m == NULL)
4100 return (NULL);
4101 m_align(m, len);
4102 m->m_len = len;
4103 p = mtod(m, struct sadb_x_sa2 *);
4104
4105 bzero(p, len);
4106 p->sadb_x_sa2_len = PFKEY_UNIT64(len);
4107 p->sadb_x_sa2_exttype = SADB_X_EXT_SA2;
4108 p->sadb_x_sa2_mode = mode;
4109 p->sadb_x_sa2_reserved1 = 0;
4110 p->sadb_x_sa2_reserved2 = 0;
4111 p->sadb_x_sa2_sequence = seq;
4112 p->sadb_x_sa2_reqid = reqid;
4113
4114 return m;
4115 }
4116
4117 /*
4118 * Set data into sadb_x_sa_replay.
4119 */
4120 static struct mbuf *
key_setsadbxsareplay(u_int32_t replay)4121 key_setsadbxsareplay(u_int32_t replay)
4122 {
4123 struct mbuf *m;
4124 struct sadb_x_sa_replay *p;
4125 size_t len;
4126
4127 len = PFKEY_ALIGN8(sizeof(struct sadb_x_sa_replay));
4128 m = m_get2(len, M_NOWAIT, MT_DATA, 0);
4129 if (m == NULL)
4130 return (NULL);
4131 m_align(m, len);
4132 m->m_len = len;
4133 p = mtod(m, struct sadb_x_sa_replay *);
4134
4135 bzero(p, len);
4136 p->sadb_x_sa_replay_len = PFKEY_UNIT64(len);
4137 p->sadb_x_sa_replay_exttype = SADB_X_EXT_SA_REPLAY;
4138 p->sadb_x_sa_replay_replay = (replay << 3);
4139
4140 return m;
4141 }
4142
4143 /*
4144 * Set a type in sadb_x_nat_t_type.
4145 */
4146 static struct mbuf *
key_setsadbxtype(u_int16_t type)4147 key_setsadbxtype(u_int16_t type)
4148 {
4149 struct mbuf *m;
4150 size_t len;
4151 struct sadb_x_nat_t_type *p;
4152
4153 len = PFKEY_ALIGN8(sizeof(struct sadb_x_nat_t_type));
4154
4155 m = m_get2(len, M_NOWAIT, MT_DATA, 0);
4156 if (m == NULL)
4157 return (NULL);
4158 m_align(m, len);
4159 m->m_len = len;
4160 p = mtod(m, struct sadb_x_nat_t_type *);
4161
4162 bzero(p, len);
4163 p->sadb_x_nat_t_type_len = PFKEY_UNIT64(len);
4164 p->sadb_x_nat_t_type_exttype = SADB_X_EXT_NAT_T_TYPE;
4165 p->sadb_x_nat_t_type_type = type;
4166
4167 return (m);
4168 }
4169 /*
4170 * Set a port in sadb_x_nat_t_port.
4171 * In contrast to default RFC 2367 behaviour, port is in network byte order.
4172 */
4173 static struct mbuf *
key_setsadbxport(u_int16_t port,u_int16_t type)4174 key_setsadbxport(u_int16_t port, u_int16_t type)
4175 {
4176 struct mbuf *m;
4177 size_t len;
4178 struct sadb_x_nat_t_port *p;
4179
4180 len = PFKEY_ALIGN8(sizeof(struct sadb_x_nat_t_port));
4181
4182 m = m_get2(len, M_NOWAIT, MT_DATA, 0);
4183 if (m == NULL)
4184 return (NULL);
4185 m_align(m, len);
4186 m->m_len = len;
4187 p = mtod(m, struct sadb_x_nat_t_port *);
4188
4189 bzero(p, len);
4190 p->sadb_x_nat_t_port_len = PFKEY_UNIT64(len);
4191 p->sadb_x_nat_t_port_exttype = type;
4192 p->sadb_x_nat_t_port_port = port;
4193
4194 return (m);
4195 }
4196
4197 /*
4198 * Get port from sockaddr. Port is in network byte order.
4199 */
4200 uint16_t
key_portfromsaddr(struct sockaddr * sa)4201 key_portfromsaddr(struct sockaddr *sa)
4202 {
4203
4204 switch (sa->sa_family) {
4205 #ifdef INET
4206 case AF_INET:
4207 return ((struct sockaddr_in *)sa)->sin_port;
4208 #endif
4209 #ifdef INET6
4210 case AF_INET6:
4211 return ((struct sockaddr_in6 *)sa)->sin6_port;
4212 #endif
4213 }
4214 return (0);
4215 }
4216
4217 /*
4218 * Set port in struct sockaddr. Port is in network byte order.
4219 */
4220 void
key_porttosaddr(struct sockaddr * sa,uint16_t port)4221 key_porttosaddr(struct sockaddr *sa, uint16_t port)
4222 {
4223
4224 switch (sa->sa_family) {
4225 #ifdef INET
4226 case AF_INET:
4227 ((struct sockaddr_in *)sa)->sin_port = port;
4228 break;
4229 #endif
4230 #ifdef INET6
4231 case AF_INET6:
4232 ((struct sockaddr_in6 *)sa)->sin6_port = port;
4233 break;
4234 #endif
4235 default:
4236 ipseclog((LOG_DEBUG, "%s: unexpected address family %d.\n",
4237 __func__, sa->sa_family));
4238 break;
4239 }
4240 }
4241
4242 /*
4243 * set data into sadb_x_policy
4244 */
4245 static struct mbuf *
key_setsadbxpolicy(u_int16_t type,u_int8_t dir,u_int32_t id,u_int32_t priority)4246 key_setsadbxpolicy(u_int16_t type, u_int8_t dir, u_int32_t id, u_int32_t priority)
4247 {
4248 struct mbuf *m;
4249 struct sadb_x_policy *p;
4250 size_t len;
4251
4252 len = PFKEY_ALIGN8(sizeof(struct sadb_x_policy));
4253 m = m_get2(len, M_NOWAIT, MT_DATA, 0);
4254 if (m == NULL)
4255 return (NULL);
4256 m_align(m, len);
4257 m->m_len = len;
4258 p = mtod(m, struct sadb_x_policy *);
4259
4260 bzero(p, len);
4261 p->sadb_x_policy_len = PFKEY_UNIT64(len);
4262 p->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
4263 p->sadb_x_policy_type = type;
4264 p->sadb_x_policy_dir = dir;
4265 p->sadb_x_policy_id = id;
4266 p->sadb_x_policy_priority = priority;
4267
4268 return m;
4269 }
4270
4271 /* %%% utilities */
4272 /* Take a key message (sadb_key) from the socket and turn it into one
4273 * of the kernel's key structures (seckey).
4274 *
4275 * IN: pointer to the src
4276 * OUT: NULL no more memory
4277 */
4278 struct seckey *
key_dup_keymsg(const struct sadb_key * src,struct malloc_type * type)4279 key_dup_keymsg(const struct sadb_key *src, struct malloc_type *type)
4280 {
4281 struct seckey *dst;
4282 size_t len;
4283
4284 dst = malloc(sizeof(*dst), type, M_NOWAIT);
4285 if (dst != NULL) {
4286 len = src->sadb_key_bits >> 3;
4287 dst->bits = src->sadb_key_bits;
4288 dst->key_data = malloc(len, type, M_NOWAIT);
4289 if (dst->key_data != NULL) {
4290 bcopy((const char *)(src + 1), dst->key_data, len);
4291 } else {
4292 ipseclog((LOG_DEBUG, "%s: No more memory.\n",
4293 __func__));
4294 free(dst, type);
4295 dst = NULL;
4296 }
4297 } else {
4298 ipseclog((LOG_DEBUG, "%s: No more memory.\n",
4299 __func__));
4300 }
4301 return (dst);
4302 }
4303
4304 /* Take a lifetime message (sadb_lifetime) passed in on a socket and
4305 * turn it into one of the kernel's lifetime structures (seclifetime).
4306 *
4307 * IN: pointer to the destination, source and malloc type
4308 * OUT: NULL, no more memory
4309 */
4310
4311 static struct seclifetime *
key_dup_lifemsg(const struct sadb_lifetime * src,struct malloc_type * type)4312 key_dup_lifemsg(const struct sadb_lifetime *src, struct malloc_type *type)
4313 {
4314 struct seclifetime *dst;
4315
4316 dst = malloc(sizeof(*dst), type, M_NOWAIT);
4317 if (dst == NULL) {
4318 ipseclog((LOG_DEBUG, "%s: No more memory.\n", __func__));
4319 return (NULL);
4320 }
4321 dst->allocations = src->sadb_lifetime_allocations;
4322 dst->bytes = src->sadb_lifetime_bytes;
4323 dst->addtime = src->sadb_lifetime_addtime;
4324 dst->usetime = src->sadb_lifetime_usetime;
4325 return (dst);
4326 }
4327
4328 /*
4329 * compare two secasindex structure.
4330 * flag can specify to compare 2 saidxes.
4331 * compare two secasindex structure without both mode and reqid.
4332 * don't compare port.
4333 * IN:
4334 * saidx0: source, it can be in SAD.
4335 * saidx1: object.
4336 * OUT:
4337 * 1 : equal
4338 * 0 : not equal
4339 */
4340 static int
key_cmpsaidx(const struct secasindex * saidx0,const struct secasindex * saidx1,int flag)4341 key_cmpsaidx(const struct secasindex *saidx0, const struct secasindex *saidx1,
4342 int flag)
4343 {
4344
4345 /* sanity */
4346 if (saidx0 == NULL && saidx1 == NULL)
4347 return 1;
4348
4349 if (saidx0 == NULL || saidx1 == NULL)
4350 return 0;
4351
4352 if (saidx0->proto != saidx1->proto)
4353 return 0;
4354
4355 if (flag == CMP_EXACTLY) {
4356 if (saidx0->mode != saidx1->mode)
4357 return 0;
4358 if (saidx0->reqid != saidx1->reqid)
4359 return 0;
4360 if (bcmp(&saidx0->src, &saidx1->src,
4361 saidx0->src.sa.sa_len) != 0 ||
4362 bcmp(&saidx0->dst, &saidx1->dst,
4363 saidx0->dst.sa.sa_len) != 0)
4364 return 0;
4365 } else {
4366 /* CMP_MODE_REQID, CMP_REQID, CMP_HEAD */
4367 if (flag == CMP_MODE_REQID || flag == CMP_REQID) {
4368 /*
4369 * If reqid of SPD is non-zero, unique SA is required.
4370 * The result must be of same reqid in this case.
4371 */
4372 if (saidx1->reqid != 0 &&
4373 saidx0->reqid != saidx1->reqid)
4374 return 0;
4375 }
4376
4377 if (flag == CMP_MODE_REQID) {
4378 if (saidx0->mode != IPSEC_MODE_ANY
4379 && saidx0->mode != saidx1->mode)
4380 return 0;
4381 }
4382
4383 if (key_sockaddrcmp(&saidx0->src.sa, &saidx1->src.sa, 0) != 0)
4384 return 0;
4385 if (key_sockaddrcmp(&saidx0->dst.sa, &saidx1->dst.sa, 0) != 0)
4386 return 0;
4387 }
4388
4389 return 1;
4390 }
4391
4392 /*
4393 * compare two secindex structure exactly.
4394 * IN:
4395 * spidx0: source, it is often in SPD.
4396 * spidx1: object, it is often from PFKEY message.
4397 * OUT:
4398 * 1 : equal
4399 * 0 : not equal
4400 */
4401 static int
key_cmpspidx_exactly(struct secpolicyindex * spidx0,struct secpolicyindex * spidx1)4402 key_cmpspidx_exactly(struct secpolicyindex *spidx0,
4403 struct secpolicyindex *spidx1)
4404 {
4405 /* sanity */
4406 if (spidx0 == NULL && spidx1 == NULL)
4407 return 1;
4408
4409 if (spidx0 == NULL || spidx1 == NULL)
4410 return 0;
4411
4412 if (spidx0->prefs != spidx1->prefs
4413 || spidx0->prefd != spidx1->prefd
4414 || spidx0->ul_proto != spidx1->ul_proto
4415 || spidx0->dir != spidx1->dir)
4416 return 0;
4417
4418 return key_sockaddrcmp(&spidx0->src.sa, &spidx1->src.sa, 1) == 0 &&
4419 key_sockaddrcmp(&spidx0->dst.sa, &spidx1->dst.sa, 1) == 0;
4420 }
4421
4422 /*
4423 * compare two secindex structure with mask.
4424 * IN:
4425 * spidx0: source, it is often in SPD.
4426 * spidx1: object, it is often from IP header.
4427 * OUT:
4428 * 1 : equal
4429 * 0 : not equal
4430 */
4431 static int
key_cmpspidx_withmask(struct secpolicyindex * spidx0,struct secpolicyindex * spidx1)4432 key_cmpspidx_withmask(struct secpolicyindex *spidx0,
4433 struct secpolicyindex *spidx1)
4434 {
4435 /* sanity */
4436 if (spidx0 == NULL && spidx1 == NULL)
4437 return 1;
4438
4439 if (spidx0 == NULL || spidx1 == NULL)
4440 return 0;
4441
4442 if (spidx0->src.sa.sa_family != spidx1->src.sa.sa_family ||
4443 spidx0->dst.sa.sa_family != spidx1->dst.sa.sa_family ||
4444 spidx0->src.sa.sa_len != spidx1->src.sa.sa_len ||
4445 spidx0->dst.sa.sa_len != spidx1->dst.sa.sa_len)
4446 return 0;
4447
4448 /* if spidx.ul_proto == IPSEC_ULPROTO_ANY, ignore. */
4449 if (spidx0->ul_proto != (u_int16_t)IPSEC_ULPROTO_ANY
4450 && spidx0->ul_proto != spidx1->ul_proto)
4451 return 0;
4452
4453 switch (spidx0->src.sa.sa_family) {
4454 case AF_INET:
4455 if (spidx0->src.sin.sin_port != IPSEC_PORT_ANY
4456 && spidx0->src.sin.sin_port != spidx1->src.sin.sin_port)
4457 return 0;
4458 if (!key_bbcmp(&spidx0->src.sin.sin_addr,
4459 &spidx1->src.sin.sin_addr, spidx0->prefs))
4460 return 0;
4461 break;
4462 case AF_INET6:
4463 if (spidx0->src.sin6.sin6_port != IPSEC_PORT_ANY
4464 && spidx0->src.sin6.sin6_port != spidx1->src.sin6.sin6_port)
4465 return 0;
4466 /*
4467 * scope_id check. if sin6_scope_id is 0, we regard it
4468 * as a wildcard scope, which matches any scope zone ID.
4469 */
4470 if (spidx0->src.sin6.sin6_scope_id &&
4471 spidx1->src.sin6.sin6_scope_id &&
4472 spidx0->src.sin6.sin6_scope_id != spidx1->src.sin6.sin6_scope_id)
4473 return 0;
4474 if (!key_bbcmp(&spidx0->src.sin6.sin6_addr,
4475 &spidx1->src.sin6.sin6_addr, spidx0->prefs))
4476 return 0;
4477 break;
4478 default:
4479 /* XXX */
4480 if (bcmp(&spidx0->src, &spidx1->src, spidx0->src.sa.sa_len) != 0)
4481 return 0;
4482 break;
4483 }
4484
4485 switch (spidx0->dst.sa.sa_family) {
4486 case AF_INET:
4487 if (spidx0->dst.sin.sin_port != IPSEC_PORT_ANY
4488 && spidx0->dst.sin.sin_port != spidx1->dst.sin.sin_port)
4489 return 0;
4490 if (!key_bbcmp(&spidx0->dst.sin.sin_addr,
4491 &spidx1->dst.sin.sin_addr, spidx0->prefd))
4492 return 0;
4493 break;
4494 case AF_INET6:
4495 if (spidx0->dst.sin6.sin6_port != IPSEC_PORT_ANY
4496 && spidx0->dst.sin6.sin6_port != spidx1->dst.sin6.sin6_port)
4497 return 0;
4498 /*
4499 * scope_id check. if sin6_scope_id is 0, we regard it
4500 * as a wildcard scope, which matches any scope zone ID.
4501 */
4502 if (spidx0->dst.sin6.sin6_scope_id &&
4503 spidx1->dst.sin6.sin6_scope_id &&
4504 spidx0->dst.sin6.sin6_scope_id != spidx1->dst.sin6.sin6_scope_id)
4505 return 0;
4506 if (!key_bbcmp(&spidx0->dst.sin6.sin6_addr,
4507 &spidx1->dst.sin6.sin6_addr, spidx0->prefd))
4508 return 0;
4509 break;
4510 default:
4511 /* XXX */
4512 if (bcmp(&spidx0->dst, &spidx1->dst, spidx0->dst.sa.sa_len) != 0)
4513 return 0;
4514 break;
4515 }
4516
4517 /* XXX Do we check other field ? e.g. flowinfo */
4518
4519 return 1;
4520 }
4521
4522 #ifdef satosin
4523 #undef satosin
4524 #endif
4525 #define satosin(s) ((const struct sockaddr_in *)s)
4526 #ifdef satosin6
4527 #undef satosin6
4528 #endif
4529 #define satosin6(s) ((const struct sockaddr_in6 *)s)
4530 /* returns 0 on match */
4531 int
key_sockaddrcmp(const struct sockaddr * sa1,const struct sockaddr * sa2,int port)4532 key_sockaddrcmp(const struct sockaddr *sa1, const struct sockaddr *sa2,
4533 int port)
4534 {
4535 if (sa1->sa_family != sa2->sa_family || sa1->sa_len != sa2->sa_len)
4536 return 1;
4537
4538 switch (sa1->sa_family) {
4539 #ifdef INET
4540 case AF_INET:
4541 if (sa1->sa_len != sizeof(struct sockaddr_in))
4542 return 1;
4543 if (satosin(sa1)->sin_addr.s_addr !=
4544 satosin(sa2)->sin_addr.s_addr) {
4545 return 1;
4546 }
4547 if (port && satosin(sa1)->sin_port != satosin(sa2)->sin_port)
4548 return 1;
4549 break;
4550 #endif
4551 #ifdef INET6
4552 case AF_INET6:
4553 if (sa1->sa_len != sizeof(struct sockaddr_in6))
4554 return 1; /*EINVAL*/
4555 if (satosin6(sa1)->sin6_scope_id !=
4556 satosin6(sa2)->sin6_scope_id) {
4557 return 1;
4558 }
4559 if (!IN6_ARE_ADDR_EQUAL(&satosin6(sa1)->sin6_addr,
4560 &satosin6(sa2)->sin6_addr)) {
4561 return 1;
4562 }
4563 if (port &&
4564 satosin6(sa1)->sin6_port != satosin6(sa2)->sin6_port) {
4565 return 1;
4566 }
4567 break;
4568 #endif
4569 default:
4570 if (bcmp(sa1, sa2, sa1->sa_len) != 0)
4571 return 1;
4572 break;
4573 }
4574
4575 return 0;
4576 }
4577
4578 /* returns 0 on match */
4579 int
key_sockaddrcmp_withmask(const struct sockaddr * sa1,const struct sockaddr * sa2,size_t mask)4580 key_sockaddrcmp_withmask(const struct sockaddr *sa1,
4581 const struct sockaddr *sa2, size_t mask)
4582 {
4583 if (sa1->sa_family != sa2->sa_family || sa1->sa_len != sa2->sa_len)
4584 return (1);
4585
4586 switch (sa1->sa_family) {
4587 #ifdef INET
4588 case AF_INET:
4589 return (!key_bbcmp(&satosin(sa1)->sin_addr,
4590 &satosin(sa2)->sin_addr, mask));
4591 #endif
4592 #ifdef INET6
4593 case AF_INET6:
4594 if (satosin6(sa1)->sin6_scope_id !=
4595 satosin6(sa2)->sin6_scope_id)
4596 return (1);
4597 return (!key_bbcmp(&satosin6(sa1)->sin6_addr,
4598 &satosin6(sa2)->sin6_addr, mask));
4599 #endif
4600 }
4601 return (1);
4602 }
4603 #undef satosin
4604 #undef satosin6
4605
4606 /*
4607 * compare two buffers with mask.
4608 * IN:
4609 * addr1: source
4610 * addr2: object
4611 * bits: Number of bits to compare
4612 * OUT:
4613 * 1 : equal
4614 * 0 : not equal
4615 */
4616 static int
key_bbcmp(const void * a1,const void * a2,u_int bits)4617 key_bbcmp(const void *a1, const void *a2, u_int bits)
4618 {
4619 const unsigned char *p1 = a1;
4620 const unsigned char *p2 = a2;
4621
4622 /* XXX: This could be considerably faster if we compare a word
4623 * at a time, but it is complicated on LSB Endian machines */
4624
4625 /* Handle null pointers */
4626 if (p1 == NULL || p2 == NULL)
4627 return (p1 == p2);
4628
4629 while (bits >= 8) {
4630 if (*p1++ != *p2++)
4631 return 0;
4632 bits -= 8;
4633 }
4634
4635 if (bits > 0) {
4636 u_int8_t mask = ~((1<<(8-bits))-1);
4637 if ((*p1 & mask) != (*p2 & mask))
4638 return 0;
4639 }
4640 return 1; /* Match! */
4641 }
4642
4643 static void
key_flush_spd(time_t now)4644 key_flush_spd(time_t now)
4645 {
4646 SPTREE_RLOCK_TRACKER;
4647 struct secpolicy_list drainq;
4648 struct secpolicy *sp, *nextsp;
4649 u_int dir;
4650
4651 LIST_INIT(&drainq);
4652 SPTREE_RLOCK();
4653 for (dir = 0; dir < IPSEC_DIR_MAX; dir++) {
4654 TAILQ_FOREACH(sp, &V_sptree[dir], chain) {
4655 if (sp->lifetime == 0 && sp->validtime == 0)
4656 continue;
4657 if ((sp->lifetime &&
4658 now - sp->created > sp->lifetime) ||
4659 (sp->validtime &&
4660 now - sp->lastused > sp->validtime)) {
4661 /* Hold extra reference to send SPDEXPIRE */
4662 SP_ADDREF(sp);
4663 LIST_INSERT_HEAD(&drainq, sp, drainq);
4664 }
4665 }
4666 }
4667 SPTREE_RUNLOCK();
4668 if (LIST_EMPTY(&drainq))
4669 return;
4670
4671 SPTREE_WLOCK();
4672 sp = LIST_FIRST(&drainq);
4673 while (sp != NULL) {
4674 nextsp = LIST_NEXT(sp, drainq);
4675 /* Check that SP is still linked */
4676 if (sp->state != IPSEC_SPSTATE_ALIVE) {
4677 LIST_REMOVE(sp, drainq);
4678 key_freesp(&sp); /* release extra reference */
4679 sp = nextsp;
4680 continue;
4681 }
4682 TAILQ_REMOVE(&V_sptree[sp->spidx.dir], sp, chain);
4683 V_spd_size--;
4684 LIST_REMOVE(sp, idhash);
4685 sp->state = IPSEC_SPSTATE_DEAD;
4686 ipsec_accel_spddel(sp);
4687 sp = nextsp;
4688 }
4689 V_sp_genid++;
4690 SPTREE_WUNLOCK();
4691 if (SPDCACHE_ENABLED())
4692 spdcache_clear();
4693
4694 sp = LIST_FIRST(&drainq);
4695 while (sp != NULL) {
4696 nextsp = LIST_NEXT(sp, drainq);
4697 key_spdexpire(sp);
4698 key_freesp(&sp); /* release extra reference */
4699 key_freesp(&sp); /* release last reference */
4700 sp = nextsp;
4701 }
4702 }
4703
4704 static void
key_flush_sad(time_t now)4705 key_flush_sad(time_t now)
4706 {
4707 SAHTREE_RLOCK_TRACKER;
4708 struct secashead_list emptyq;
4709 struct secasvar_list drainq, hexpireq, sexpireq, freeq;
4710 struct secashead *sah, *nextsah;
4711 struct secasvar *sav, *nextsav;
4712
4713 SECASVAR_RLOCK_TRACKER;
4714
4715 LIST_INIT(&drainq);
4716 LIST_INIT(&hexpireq);
4717 LIST_INIT(&sexpireq);
4718 LIST_INIT(&emptyq);
4719
4720 SAHTREE_RLOCK();
4721 TAILQ_FOREACH(sah, &V_sahtree, chain) {
4722 /* Check for empty SAH */
4723 if (TAILQ_EMPTY(&sah->savtree_larval) &&
4724 TAILQ_EMPTY(&sah->savtree_alive)) {
4725 SAH_ADDREF(sah);
4726 LIST_INSERT_HEAD(&emptyq, sah, drainq);
4727 continue;
4728 }
4729 /* Add all stale LARVAL SAs into drainq */
4730 TAILQ_FOREACH(sav, &sah->savtree_larval, chain) {
4731 if (now - sav->created < V_key_larval_lifetime)
4732 continue;
4733 SAV_ADDREF(sav);
4734 LIST_INSERT_HEAD(&drainq, sav, drainq);
4735 }
4736 TAILQ_FOREACH(sav, &sah->savtree_alive, chain) {
4737 /* lifetimes aren't specified */
4738 if (sav->lft_h == NULL)
4739 continue;
4740 SECASVAR_RLOCK(sav);
4741 /*
4742 * Check again with lock held, because it may
4743 * be updated by SADB_UPDATE.
4744 */
4745 if (sav->lft_h == NULL) {
4746 SECASVAR_RUNLOCK(sav);
4747 continue;
4748 }
4749 /*
4750 * RFC 2367:
4751 * HARD lifetimes MUST take precedence over SOFT
4752 * lifetimes, meaning if the HARD and SOFT lifetimes
4753 * are the same, the HARD lifetime will appear on the
4754 * EXPIRE message.
4755 */
4756 /* check HARD lifetime */
4757 if ((sav->lft_h->addtime != 0 &&
4758 now - sav->created > sav->lft_h->addtime) ||
4759 (sav->lft_h->usetime != 0 && sav->firstused &&
4760 now - sav->firstused > sav->lft_h->usetime) ||
4761 (sav->lft_h->bytes != 0 && counter_u64_fetch(
4762 sav->lft_c_bytes) > sav->lft_h->bytes)) {
4763 SECASVAR_RUNLOCK(sav);
4764 SAV_ADDREF(sav);
4765 LIST_INSERT_HEAD(&hexpireq, sav, drainq);
4766 continue;
4767 }
4768 /* check SOFT lifetime (only for MATURE SAs) */
4769 if (sav->state == SADB_SASTATE_MATURE && (
4770 (sav->lft_s->addtime != 0 &&
4771 now - sav->created > sav->lft_s->addtime) ||
4772 (sav->lft_s->usetime != 0 && sav->firstused &&
4773 now - sav->firstused > sav->lft_s->usetime) ||
4774 (sav->lft_s->bytes != 0 && counter_u64_fetch(
4775 sav->lft_c_bytes) > sav->lft_s->bytes) ||
4776 (!(sav->flags & SADB_X_SAFLAGS_ESN) &&
4777 (sav->replay != NULL) && (
4778 (sav->replay->count > UINT32_80PCT) ||
4779 (sav->replay->last > UINT32_80PCT))))) {
4780 SECASVAR_RUNLOCK(sav);
4781 SAV_ADDREF(sav);
4782 LIST_INSERT_HEAD(&sexpireq, sav, drainq);
4783 continue;
4784 }
4785 SECASVAR_RUNLOCK(sav);
4786 }
4787 }
4788 SAHTREE_RUNLOCK();
4789
4790 if (LIST_EMPTY(&emptyq) && LIST_EMPTY(&drainq) &&
4791 LIST_EMPTY(&hexpireq) && LIST_EMPTY(&sexpireq))
4792 return;
4793
4794 LIST_INIT(&freeq);
4795 SAHTREE_WLOCK();
4796 /* Unlink stale LARVAL SAs */
4797 sav = LIST_FIRST(&drainq);
4798 while (sav != NULL) {
4799 nextsav = LIST_NEXT(sav, drainq);
4800 /* Check that SA is still LARVAL */
4801 if (sav->state != SADB_SASTATE_LARVAL) {
4802 LIST_REMOVE(sav, drainq);
4803 LIST_INSERT_HEAD(&freeq, sav, drainq);
4804 sav = nextsav;
4805 continue;
4806 }
4807 TAILQ_REMOVE(&sav->sah->savtree_larval, sav, chain);
4808 LIST_REMOVE(sav, spihash);
4809 sav->state = SADB_SASTATE_DEAD;
4810 ipsec_accel_forget_sav(sav);
4811 sav = nextsav;
4812 }
4813 /* Unlink all SAs with expired HARD lifetime */
4814 sav = LIST_FIRST(&hexpireq);
4815 while (sav != NULL) {
4816 nextsav = LIST_NEXT(sav, drainq);
4817 /* Check that SA is not unlinked */
4818 if (sav->state == SADB_SASTATE_DEAD) {
4819 LIST_REMOVE(sav, drainq);
4820 LIST_INSERT_HEAD(&freeq, sav, drainq);
4821 sav = nextsav;
4822 continue;
4823 }
4824 TAILQ_REMOVE(&sav->sah->savtree_alive, sav, chain);
4825 LIST_REMOVE(sav, spihash);
4826 sav->state = SADB_SASTATE_DEAD;
4827 ipsec_accel_forget_sav(sav);
4828 sav = nextsav;
4829 }
4830 /* Mark all SAs with expired SOFT lifetime as DYING */
4831 sav = LIST_FIRST(&sexpireq);
4832 while (sav != NULL) {
4833 nextsav = LIST_NEXT(sav, drainq);
4834 /* Check that SA is not unlinked */
4835 if (sav->state == SADB_SASTATE_DEAD) {
4836 LIST_REMOVE(sav, drainq);
4837 LIST_INSERT_HEAD(&freeq, sav, drainq);
4838 sav = nextsav;
4839 continue;
4840 }
4841 /*
4842 * NOTE: this doesn't change SA order in the chain.
4843 */
4844 sav->state = SADB_SASTATE_DYING;
4845 sav = nextsav;
4846 }
4847 /* Unlink empty SAHs */
4848 sah = LIST_FIRST(&emptyq);
4849 while (sah != NULL) {
4850 nextsah = LIST_NEXT(sah, drainq);
4851 /* Check that SAH is still empty and not unlinked */
4852 if (sah->state == SADB_SASTATE_DEAD ||
4853 !TAILQ_EMPTY(&sah->savtree_larval) ||
4854 !TAILQ_EMPTY(&sah->savtree_alive)) {
4855 LIST_REMOVE(sah, drainq);
4856 key_freesah(&sah); /* release extra reference */
4857 sah = nextsah;
4858 continue;
4859 }
4860 TAILQ_REMOVE(&V_sahtree, sah, chain);
4861 LIST_REMOVE(sah, addrhash);
4862 sah->state = SADB_SASTATE_DEAD;
4863 sah = nextsah;
4864 }
4865 SAHTREE_WUNLOCK();
4866
4867 /* Send SPDEXPIRE messages */
4868 sav = LIST_FIRST(&hexpireq);
4869 while (sav != NULL) {
4870 nextsav = LIST_NEXT(sav, drainq);
4871 key_expire(sav, 1);
4872 key_freesah(&sav->sah); /* release reference from SAV */
4873 key_freesav(&sav); /* release extra reference */
4874 key_freesav(&sav); /* release last reference */
4875 sav = nextsav;
4876 }
4877 sav = LIST_FIRST(&sexpireq);
4878 while (sav != NULL) {
4879 nextsav = LIST_NEXT(sav, drainq);
4880 key_expire(sav, 0);
4881 key_freesav(&sav); /* release extra reference */
4882 sav = nextsav;
4883 }
4884 /* Free stale LARVAL SAs */
4885 sav = LIST_FIRST(&drainq);
4886 while (sav != NULL) {
4887 nextsav = LIST_NEXT(sav, drainq);
4888 key_freesah(&sav->sah); /* release reference from SAV */
4889 key_freesav(&sav); /* release extra reference */
4890 key_freesav(&sav); /* release last reference */
4891 sav = nextsav;
4892 }
4893 /* Free SAs that were unlinked/changed by someone else */
4894 sav = LIST_FIRST(&freeq);
4895 while (sav != NULL) {
4896 nextsav = LIST_NEXT(sav, drainq);
4897 key_freesav(&sav); /* release extra reference */
4898 sav = nextsav;
4899 }
4900 /* Free empty SAH */
4901 sah = LIST_FIRST(&emptyq);
4902 while (sah != NULL) {
4903 nextsah = LIST_NEXT(sah, drainq);
4904 key_freesah(&sah); /* release extra reference */
4905 key_freesah(&sah); /* release last reference */
4906 sah = nextsah;
4907 }
4908 }
4909
4910 static void
key_flush_acq(time_t now)4911 key_flush_acq(time_t now)
4912 {
4913 struct secacq *acq, *nextacq;
4914
4915 /* ACQ tree */
4916 ACQ_LOCK();
4917 acq = LIST_FIRST(&V_acqtree);
4918 while (acq != NULL) {
4919 nextacq = LIST_NEXT(acq, chain);
4920 if (now - acq->created > V_key_blockacq_lifetime) {
4921 LIST_REMOVE(acq, chain);
4922 LIST_REMOVE(acq, addrhash);
4923 LIST_REMOVE(acq, seqhash);
4924 free(acq, M_IPSEC_SAQ);
4925 }
4926 acq = nextacq;
4927 }
4928 ACQ_UNLOCK();
4929 }
4930
4931 static void
key_flush_spacq(time_t now)4932 key_flush_spacq(time_t now)
4933 {
4934 struct secspacq *acq, *nextacq;
4935
4936 /* SP ACQ tree */
4937 SPACQ_LOCK();
4938 for (acq = LIST_FIRST(&V_spacqtree); acq != NULL; acq = nextacq) {
4939 nextacq = LIST_NEXT(acq, chain);
4940 if (now - acq->created > V_key_blockacq_lifetime
4941 && __LIST_CHAINED(acq)) {
4942 LIST_REMOVE(acq, chain);
4943 free(acq, M_IPSEC_SAQ);
4944 }
4945 }
4946 SPACQ_UNLOCK();
4947 }
4948
4949 /*
4950 * time handler.
4951 * scanning SPD and SAD to check status for each entries,
4952 * and do to remove or to expire.
4953 * XXX: year 2038 problem may remain.
4954 */
4955 static void
key_timehandler(void * arg)4956 key_timehandler(void *arg)
4957 {
4958 VNET_ITERATOR_DECL(vnet_iter);
4959 time_t now = time_second;
4960
4961 VNET_LIST_RLOCK_NOSLEEP();
4962 VNET_FOREACH(vnet_iter) {
4963 CURVNET_SET(vnet_iter);
4964 key_flush_spd(now);
4965 key_flush_sad(now);
4966 key_flush_acq(now);
4967 key_flush_spacq(now);
4968 CURVNET_RESTORE();
4969 }
4970 VNET_LIST_RUNLOCK_NOSLEEP();
4971
4972 #ifndef IPSEC_DEBUG2
4973 /* do exchange to tick time !! */
4974 callout_schedule(&key_timer, hz);
4975 #endif /* IPSEC_DEBUG2 */
4976 }
4977
4978 u_long
key_random(void)4979 key_random(void)
4980 {
4981 u_long value;
4982
4983 arc4random_buf(&value, sizeof(value));
4984 return value;
4985 }
4986
4987 /*
4988 * map SADB_SATYPE_* to IPPROTO_*.
4989 * if satype == SADB_SATYPE then satype is mapped to ~0.
4990 * OUT:
4991 * 0: invalid satype.
4992 */
4993 static uint8_t
key_satype2proto(uint8_t satype)4994 key_satype2proto(uint8_t satype)
4995 {
4996 switch (satype) {
4997 case SADB_SATYPE_UNSPEC:
4998 return IPSEC_PROTO_ANY;
4999 case SADB_SATYPE_AH:
5000 return IPPROTO_AH;
5001 case SADB_SATYPE_ESP:
5002 return IPPROTO_ESP;
5003 case SADB_X_SATYPE_IPCOMP:
5004 return IPPROTO_IPCOMP;
5005 case SADB_X_SATYPE_TCPSIGNATURE:
5006 return IPPROTO_TCP;
5007 default:
5008 return 0;
5009 }
5010 /* NOTREACHED */
5011 }
5012
5013 /*
5014 * map IPPROTO_* to SADB_SATYPE_*
5015 * OUT:
5016 * 0: invalid protocol type.
5017 */
5018 static uint8_t
key_proto2satype(uint8_t proto)5019 key_proto2satype(uint8_t proto)
5020 {
5021 switch (proto) {
5022 case IPPROTO_AH:
5023 return SADB_SATYPE_AH;
5024 case IPPROTO_ESP:
5025 return SADB_SATYPE_ESP;
5026 case IPPROTO_IPCOMP:
5027 return SADB_X_SATYPE_IPCOMP;
5028 case IPPROTO_TCP:
5029 return SADB_X_SATYPE_TCPSIGNATURE;
5030 default:
5031 return 0;
5032 }
5033 /* NOTREACHED */
5034 }
5035
5036 /* %%% PF_KEY */
5037 /*
5038 * SADB_GETSPI processing is to receive
5039 * <base, (SA2), src address, dst address, (SPI range)>
5040 * from the IKMPd, to assign a unique spi value, to hang on the INBOUND
5041 * tree with the status of LARVAL, and send
5042 * <base, SA(*), address(SD)>
5043 * to the IKMPd.
5044 *
5045 * IN: mhp: pointer to the pointer to each header.
5046 * OUT: NULL if fail.
5047 * other if success, return pointer to the message to send.
5048 */
5049 static int
key_getspi(struct socket * so,struct mbuf * m,const struct sadb_msghdr * mhp)5050 key_getspi(struct socket *so, struct mbuf *m, const struct sadb_msghdr *mhp)
5051 {
5052 struct secasindex saidx;
5053 struct sadb_address *src0, *dst0;
5054 struct secasvar *sav;
5055 uint32_t reqid, spi;
5056 int error;
5057 uint8_t mode, proto;
5058
5059 IPSEC_ASSERT(so != NULL, ("null socket"));
5060 IPSEC_ASSERT(m != NULL, ("null mbuf"));
5061 IPSEC_ASSERT(mhp != NULL, ("null msghdr"));
5062 IPSEC_ASSERT(mhp->msg != NULL, ("null msg"));
5063
5064 if (SADB_CHECKHDR(mhp, SADB_EXT_ADDRESS_SRC) ||
5065 SADB_CHECKHDR(mhp, SADB_EXT_ADDRESS_DST)
5066 #ifdef PFKEY_STRICT_CHECKS
5067 || SADB_CHECKHDR(mhp, SADB_EXT_SPIRANGE)
5068 #endif
5069 ) {
5070 ipseclog((LOG_DEBUG,
5071 "%s: invalid message: missing required header.\n",
5072 __func__));
5073 error = EINVAL;
5074 goto fail;
5075 }
5076 if (SADB_CHECKLEN(mhp, SADB_EXT_ADDRESS_SRC) ||
5077 SADB_CHECKLEN(mhp, SADB_EXT_ADDRESS_DST)
5078 #ifdef PFKEY_STRICT_CHECKS
5079 || SADB_CHECKLEN(mhp, SADB_EXT_SPIRANGE)
5080 #endif
5081 ) {
5082 ipseclog((LOG_DEBUG,
5083 "%s: invalid message: wrong header size.\n", __func__));
5084 error = EINVAL;
5085 goto fail;
5086 }
5087 if (SADB_CHECKHDR(mhp, SADB_X_EXT_SA2)) {
5088 mode = IPSEC_MODE_ANY;
5089 reqid = 0;
5090 } else {
5091 if (SADB_CHECKLEN(mhp, SADB_X_EXT_SA2)) {
5092 ipseclog((LOG_DEBUG,
5093 "%s: invalid message: wrong header size.\n",
5094 __func__));
5095 error = EINVAL;
5096 goto fail;
5097 }
5098 mode = ((struct sadb_x_sa2 *)
5099 mhp->ext[SADB_X_EXT_SA2])->sadb_x_sa2_mode;
5100 reqid = ((struct sadb_x_sa2 *)
5101 mhp->ext[SADB_X_EXT_SA2])->sadb_x_sa2_reqid;
5102 }
5103
5104 src0 = (struct sadb_address *)(mhp->ext[SADB_EXT_ADDRESS_SRC]);
5105 dst0 = (struct sadb_address *)(mhp->ext[SADB_EXT_ADDRESS_DST]);
5106
5107 /* map satype to proto */
5108 if ((proto = key_satype2proto(mhp->msg->sadb_msg_satype)) == 0) {
5109 ipseclog((LOG_DEBUG, "%s: invalid satype is passed.\n",
5110 __func__));
5111 error = EINVAL;
5112 goto fail;
5113 }
5114 error = key_checksockaddrs((struct sockaddr *)(src0 + 1),
5115 (struct sockaddr *)(dst0 + 1));
5116 if (error != 0) {
5117 ipseclog((LOG_DEBUG, "%s: invalid sockaddr.\n", __func__));
5118 error = EINVAL;
5119 goto fail;
5120 }
5121 KEY_SETSECASIDX(proto, mode, reqid, src0 + 1, dst0 + 1, &saidx);
5122
5123 /* SPI allocation */
5124 SPI_ALLOC_LOCK();
5125 spi = key_do_getnewspi(
5126 (struct sadb_spirange *)mhp->ext[SADB_EXT_SPIRANGE], &saidx);
5127 if (spi == 0) {
5128 /*
5129 * Requested SPI or SPI range is not available or
5130 * already used.
5131 */
5132 SPI_ALLOC_UNLOCK();
5133 error = EEXIST;
5134 goto fail;
5135 }
5136 sav = key_newsav(mhp, &saidx, spi, &error);
5137 SPI_ALLOC_UNLOCK();
5138 if (sav == NULL)
5139 goto fail;
5140
5141 if (sav->seq != 0) {
5142 /*
5143 * RFC2367:
5144 * If the SADB_GETSPI message is in response to a
5145 * kernel-generated SADB_ACQUIRE, the sadb_msg_seq
5146 * MUST be the same as the SADB_ACQUIRE message.
5147 *
5148 * XXXAE: However it doesn't definethe behaviour how to
5149 * check this and what to do if it doesn't match.
5150 * Also what we should do if it matches?
5151 *
5152 * We can compare saidx used in SADB_ACQUIRE with saidx
5153 * used in SADB_GETSPI, but this probably can break
5154 * existing software. For now just warn if it doesn't match.
5155 *
5156 * XXXAE: anyway it looks useless.
5157 */
5158 key_acqdone(&saidx, sav->seq);
5159 }
5160 KEYDBG(KEY_STAMP,
5161 printf("%s: SA(%p)\n", __func__, sav));
5162 KEYDBG(KEY_DATA, kdebug_secasv(sav));
5163
5164 {
5165 struct mbuf *n, *nn;
5166 struct sadb_sa *m_sa;
5167 struct sadb_msg *newmsg;
5168 int off, len;
5169
5170 /* create new sadb_msg to reply. */
5171 len = PFKEY_ALIGN8(sizeof(struct sadb_msg)) +
5172 PFKEY_ALIGN8(sizeof(struct sadb_sa));
5173
5174 n = key_mget(len);
5175 if (n == NULL) {
5176 error = ENOBUFS;
5177 goto fail;
5178 }
5179
5180 n->m_len = len;
5181 n->m_next = NULL;
5182 off = 0;
5183
5184 m_copydata(m, 0, sizeof(struct sadb_msg), mtod(n, caddr_t) + off);
5185 off += PFKEY_ALIGN8(sizeof(struct sadb_msg));
5186
5187 m_sa = (struct sadb_sa *)(mtod(n, caddr_t) + off);
5188 m_sa->sadb_sa_len = PFKEY_UNIT64(sizeof(struct sadb_sa));
5189 m_sa->sadb_sa_exttype = SADB_EXT_SA;
5190 m_sa->sadb_sa_spi = spi; /* SPI is already in network byte order */
5191 off += PFKEY_ALIGN8(sizeof(struct sadb_sa));
5192
5193 IPSEC_ASSERT(off == len,
5194 ("length inconsistency (off %u len %u)", off, len));
5195
5196 n->m_next = key_gather_mbuf(m, mhp, 0, 2, SADB_EXT_ADDRESS_SRC,
5197 SADB_EXT_ADDRESS_DST);
5198 if (!n->m_next) {
5199 m_freem(n);
5200 error = ENOBUFS;
5201 goto fail;
5202 }
5203
5204 if (n->m_len < sizeof(struct sadb_msg)) {
5205 n = m_pullup(n, sizeof(struct sadb_msg));
5206 if (n == NULL)
5207 return key_sendup_mbuf(so, m, KEY_SENDUP_ONE);
5208 }
5209
5210 n->m_pkthdr.len = 0;
5211 for (nn = n; nn; nn = nn->m_next)
5212 n->m_pkthdr.len += nn->m_len;
5213
5214 newmsg = mtod(n, struct sadb_msg *);
5215 newmsg->sadb_msg_seq = sav->seq;
5216 newmsg->sadb_msg_errno = 0;
5217 newmsg->sadb_msg_len = PFKEY_UNIT64(n->m_pkthdr.len);
5218
5219 m_freem(m);
5220 return key_sendup_mbuf(so, n, KEY_SENDUP_ONE);
5221 }
5222
5223 fail:
5224 return (key_senderror(so, m, error));
5225 }
5226
5227 /*
5228 * allocating new SPI
5229 * called by key_getspi().
5230 * OUT:
5231 * 0: failure.
5232 * others: success, SPI in network byte order.
5233 */
5234 static uint32_t
key_do_getnewspi(struct sadb_spirange * spirange,struct secasindex * saidx)5235 key_do_getnewspi(struct sadb_spirange *spirange, struct secasindex *saidx)
5236 {
5237 uint32_t min, max, newspi, t;
5238 int tries, limit;
5239
5240 SPI_ALLOC_LOCK_ASSERT();
5241
5242 /* set spi range to allocate */
5243 if (spirange != NULL) {
5244 min = spirange->sadb_spirange_min;
5245 max = spirange->sadb_spirange_max;
5246 } else {
5247 min = V_key_spi_minval;
5248 max = V_key_spi_maxval;
5249 }
5250 /* IPCOMP needs 2-byte SPI */
5251 if (saidx->proto == IPPROTO_IPCOMP) {
5252 if (min >= 0x10000)
5253 min = 0xffff;
5254 if (max >= 0x10000)
5255 max = 0xffff;
5256 if (min > max) {
5257 t = min; min = max; max = t;
5258 }
5259 }
5260
5261 if (min == max) {
5262 if (key_checkspidup(htonl(min))) {
5263 ipseclog((LOG_DEBUG, "%s: SPI %u exists already.\n",
5264 __func__, min));
5265 return 0;
5266 }
5267
5268 tries = 1;
5269 newspi = min;
5270 } else {
5271 /* init SPI */
5272 newspi = 0;
5273
5274 limit = atomic_load_int(&V_key_spi_trycnt);
5275 /* when requesting to allocate spi ranged */
5276 for (tries = 0; tries < limit; tries++) {
5277 /* generate pseudo-random SPI value ranged. */
5278 newspi = min + (key_random() % (max - min + 1));
5279 if (!key_checkspidup(htonl(newspi)))
5280 break;
5281 }
5282
5283 if (tries == limit || newspi == 0) {
5284 ipseclog((LOG_DEBUG,
5285 "%s: failed to allocate SPI.\n", __func__));
5286 return 0;
5287 }
5288 }
5289
5290 /* statistics */
5291 keystat.getspi_count =
5292 (keystat.getspi_count + tries) / 2;
5293
5294 return (htonl(newspi));
5295 }
5296
5297 /*
5298 * Find TCP-MD5 SA with corresponding secasindex.
5299 * If not found, return NULL and fill SPI with usable value if needed.
5300 */
5301 static struct secasvar *
key_getsav_tcpmd5(struct secasindex * saidx,uint32_t * spi)5302 key_getsav_tcpmd5(struct secasindex *saidx, uint32_t *spi)
5303 {
5304 SAHTREE_RLOCK_TRACKER;
5305 struct secashead *sah;
5306 struct secasvar *sav;
5307
5308 IPSEC_ASSERT(saidx->proto == IPPROTO_TCP, ("wrong proto"));
5309 SAHTREE_RLOCK();
5310 LIST_FOREACH(sah, SAHADDRHASH_HASH(saidx), addrhash) {
5311 if (sah->saidx.proto != IPPROTO_TCP)
5312 continue;
5313 if (!key_sockaddrcmp(&saidx->dst.sa, &sah->saidx.dst.sa, 0) &&
5314 !key_sockaddrcmp(&saidx->src.sa, &sah->saidx.src.sa, 0))
5315 break;
5316 }
5317 if (sah != NULL) {
5318 if (V_key_preferred_oldsa)
5319 sav = TAILQ_LAST(&sah->savtree_alive, secasvar_queue);
5320 else
5321 sav = TAILQ_FIRST(&sah->savtree_alive);
5322 if (sav != NULL) {
5323 SAV_ADDREF(sav);
5324 SAHTREE_RUNLOCK();
5325 return (sav);
5326 }
5327 }
5328 if (spi == NULL) {
5329 /* No SPI required */
5330 SAHTREE_RUNLOCK();
5331 return (NULL);
5332 }
5333 /* Check that SPI is unique */
5334 LIST_FOREACH(sav, SAVHASH_HASH(*spi), spihash) {
5335 if (sav->spi == *spi)
5336 break;
5337 }
5338 if (sav == NULL) {
5339 SAHTREE_RUNLOCK();
5340 /* SPI is already unique */
5341 return (NULL);
5342 }
5343 SAHTREE_RUNLOCK();
5344 /* XXX: not optimal */
5345 *spi = key_do_getnewspi(NULL, saidx);
5346 return (NULL);
5347 }
5348
5349 static int
key_updateaddresses(struct socket * so,struct mbuf * m,const struct sadb_msghdr * mhp,struct secasvar * sav,struct secasindex * saidx)5350 key_updateaddresses(struct socket *so, struct mbuf *m,
5351 const struct sadb_msghdr *mhp, struct secasvar *sav,
5352 struct secasindex *saidx)
5353 {
5354 struct sockaddr *newaddr;
5355 struct secashead *sah;
5356 struct secasvar *newsav, *tmp;
5357 struct mbuf *n;
5358 int error, isnew;
5359
5360 /* Check that we need to change SAH */
5361 if (!SADB_CHECKHDR(mhp, SADB_X_EXT_NEW_ADDRESS_SRC)) {
5362 newaddr = (struct sockaddr *)(
5363 ((struct sadb_address *)
5364 mhp->ext[SADB_X_EXT_NEW_ADDRESS_SRC]) + 1);
5365 bcopy(newaddr, &saidx->src, newaddr->sa_len);
5366 key_porttosaddr(&saidx->src.sa, 0);
5367 }
5368 if (!SADB_CHECKHDR(mhp, SADB_X_EXT_NEW_ADDRESS_DST)) {
5369 newaddr = (struct sockaddr *)(
5370 ((struct sadb_address *)
5371 mhp->ext[SADB_X_EXT_NEW_ADDRESS_DST]) + 1);
5372 bcopy(newaddr, &saidx->dst, newaddr->sa_len);
5373 key_porttosaddr(&saidx->dst.sa, 0);
5374 }
5375 if (!SADB_CHECKHDR(mhp, SADB_X_EXT_NEW_ADDRESS_SRC) ||
5376 !SADB_CHECKHDR(mhp, SADB_X_EXT_NEW_ADDRESS_DST)) {
5377 error = key_checksockaddrs(&saidx->src.sa, &saidx->dst.sa);
5378 if (error != 0) {
5379 ipseclog((LOG_DEBUG, "%s: invalid new sockaddr.\n",
5380 __func__));
5381 return (error);
5382 }
5383
5384 sah = key_getsah(saidx);
5385 if (sah == NULL) {
5386 /* create a new SA index */
5387 sah = key_newsah(saidx);
5388 if (sah == NULL) {
5389 ipseclog((LOG_DEBUG,
5390 "%s: No more memory.\n", __func__));
5391 return (ENOBUFS);
5392 }
5393 isnew = 2; /* SAH is new */
5394 } else
5395 isnew = 1; /* existing SAH is referenced */
5396 } else {
5397 /*
5398 * src and dst addresses are still the same.
5399 * Do we want to change NAT-T config?
5400 */
5401 if (sav->sah->saidx.proto != IPPROTO_ESP ||
5402 SADB_CHECKHDR(mhp, SADB_X_EXT_NAT_T_TYPE) ||
5403 SADB_CHECKHDR(mhp, SADB_X_EXT_NAT_T_SPORT) ||
5404 SADB_CHECKHDR(mhp, SADB_X_EXT_NAT_T_DPORT)) {
5405 ipseclog((LOG_DEBUG,
5406 "%s: invalid message: missing required header.\n",
5407 __func__));
5408 return (EINVAL);
5409 }
5410 /* We hold reference to SA, thus SAH will be referenced too. */
5411 sah = sav->sah;
5412 isnew = 0;
5413 }
5414
5415 newsav = malloc(sizeof(struct secasvar), M_IPSEC_SA,
5416 M_NOWAIT | M_ZERO);
5417 if (newsav == NULL) {
5418 ipseclog((LOG_DEBUG, "%s: No more memory.\n", __func__));
5419 error = ENOBUFS;
5420 goto fail;
5421 }
5422
5423 /* Clone SA's content into newsav */
5424 SAV_INITREF(newsav);
5425 bcopy(sav, newsav, offsetof(struct secasvar, chain));
5426 #ifdef IPSEC_OFFLOAD
5427 CK_LIST_INIT(&newsav->accel_ifps);
5428 newsav->accel_forget_tq = 0;
5429 newsav->accel_lft_sw = uma_zalloc_pcpu(ipsec_key_lft_zone,
5430 M_NOWAIT | M_ZERO);
5431 if (newsav->accel_lft_sw == NULL) {
5432 error = ENOBUFS;
5433 goto fail;
5434 }
5435 if (sav->accel_ifname != NULL) {
5436 struct sadb_x_if_hw_offl xof;
5437
5438 newsav->accel_ifname = malloc(sizeof(xof.sadb_x_if_hw_offl_if),
5439 M_IPSEC_MISC, M_NOWAIT);
5440 if (newsav->accel_ifname == NULL) {
5441 error = ENOBUFS;
5442 goto fail;
5443 }
5444 strncpy(__DECONST(char *, sav->accel_ifname),
5445 newsav->accel_ifname,
5446 sizeof(xof.sadb_x_if_hw_offl_if));
5447 }
5448 #endif
5449
5450 /*
5451 * We create new NAT-T config if it is needed.
5452 * Old NAT-T config will be freed by key_cleansav() when
5453 * last reference to SA will be released.
5454 */
5455 newsav->natt = NULL;
5456 newsav->sah = sah;
5457 newsav->state = SADB_SASTATE_MATURE;
5458 error = key_setnatt(newsav, mhp);
5459 if (error != 0)
5460 goto fail;
5461
5462 SAHTREE_WLOCK();
5463 /* Check that SA is still alive */
5464 if (sav->state == SADB_SASTATE_DEAD) {
5465 /* SA was unlinked */
5466 SAHTREE_WUNLOCK();
5467 error = ESRCH;
5468 goto fail;
5469 }
5470
5471 /* Unlink SA from SAH and SPI hash */
5472 IPSEC_ASSERT((sav->flags & SADB_X_EXT_F_CLONED) == 0,
5473 ("SA is already cloned"));
5474 IPSEC_ASSERT(sav->state == SADB_SASTATE_MATURE ||
5475 sav->state == SADB_SASTATE_DYING,
5476 ("Wrong SA state %u\n", sav->state));
5477 TAILQ_REMOVE(&sav->sah->savtree_alive, sav, chain);
5478 LIST_REMOVE(sav, spihash);
5479 sav->state = SADB_SASTATE_DEAD;
5480 ipsec_accel_forget_sav(sav);
5481
5482 /*
5483 * Link new SA with SAH. Keep SAs ordered by
5484 * create time (newer are first).
5485 */
5486 TAILQ_FOREACH(tmp, &sah->savtree_alive, chain) {
5487 if (newsav->created > tmp->created) {
5488 TAILQ_INSERT_BEFORE(tmp, newsav, chain);
5489 break;
5490 }
5491 }
5492 if (tmp == NULL)
5493 TAILQ_INSERT_TAIL(&sah->savtree_alive, newsav, chain);
5494
5495 /* Add new SA into SPI hash. */
5496 LIST_INSERT_HEAD(SAVHASH_HASH(newsav->spi), newsav, spihash);
5497
5498 /* Add new SAH into SADB. */
5499 if (isnew == 2) {
5500 TAILQ_INSERT_HEAD(&V_sahtree, sah, chain);
5501 LIST_INSERT_HEAD(SAHADDRHASH_HASH(saidx), sah, addrhash);
5502 sah->state = SADB_SASTATE_MATURE;
5503 SAH_ADDREF(sah); /* newsav references new SAH */
5504 }
5505 /*
5506 * isnew == 1 -> @sah was referenced by key_getsah().
5507 * isnew == 0 -> we use the same @sah, that was used by @sav,
5508 * and we use its reference for @newsav.
5509 */
5510 SECASVAR_WLOCK(sav);
5511 /* XXX: replace cntr with pointer? */
5512 newsav->cntr = sav->cntr;
5513 sav->flags |= SADB_X_EXT_F_CLONED;
5514 SECASVAR_WUNLOCK(sav);
5515
5516 SAHTREE_WUNLOCK();
5517
5518 KEYDBG(KEY_STAMP,
5519 printf("%s: SA(%p) cloned into SA(%p)\n",
5520 __func__, sav, newsav));
5521 KEYDBG(KEY_DATA, kdebug_secasv(newsav));
5522
5523 key_freesav(&sav); /* release last reference */
5524
5525 /* set msg buf from mhp */
5526 n = key_getmsgbuf_x1(m, mhp);
5527 if (n == NULL) {
5528 ipseclog((LOG_DEBUG, "%s: No more memory.\n", __func__));
5529 return (ENOBUFS);
5530 }
5531 m_freem(m);
5532 key_sendup_mbuf(so, n, KEY_SENDUP_ALL);
5533 return (0);
5534 fail:
5535 if (isnew != 0)
5536 key_freesah(&sah);
5537 if (newsav != NULL) {
5538 #ifdef IPSEC_OFFLOAD
5539 uma_zfree_pcpu(ipsec_key_lft_zone, newsav->accel_lft_sw);
5540 free(__DECONST(char *, newsav->accel_ifname), M_IPSEC_MISC);
5541 #endif
5542 if (newsav->natt != NULL)
5543 free(newsav->natt, M_IPSEC_MISC);
5544 free(newsav, M_IPSEC_SA);
5545 }
5546 return (error);
5547 }
5548
5549 /*
5550 * SADB_UPDATE processing
5551 * receive
5552 * <base, SA, (SA2), (lifetime(HSC),) address(SD), (address(P),)
5553 * key(AE), (identity(SD),) (sensitivity)>
5554 * from the ikmpd, and update a secasvar entry whose status is SADB_SASTATE_LARVAL.
5555 * and send
5556 * <base, SA, (SA2), (lifetime(HSC),) address(SD), (address(P),)
5557 * (identity(SD),) (sensitivity)>
5558 * to the ikmpd.
5559 *
5560 * m will always be freed.
5561 */
5562 static int
key_update(struct socket * so,struct mbuf * m,const struct sadb_msghdr * mhp)5563 key_update(struct socket *so, struct mbuf *m, const struct sadb_msghdr *mhp)
5564 {
5565 struct secasindex saidx;
5566 struct sadb_address *src0, *dst0;
5567 struct sadb_sa *sa0;
5568 struct secasvar *sav;
5569 uint32_t reqid;
5570 int error;
5571 uint8_t mode, proto;
5572
5573 IPSEC_ASSERT(so != NULL, ("null socket"));
5574 IPSEC_ASSERT(m != NULL, ("null mbuf"));
5575 IPSEC_ASSERT(mhp != NULL, ("null msghdr"));
5576 IPSEC_ASSERT(mhp->msg != NULL, ("null msg"));
5577
5578 /* map satype to proto */
5579 if ((proto = key_satype2proto(mhp->msg->sadb_msg_satype)) == 0) {
5580 ipseclog((LOG_DEBUG, "%s: invalid satype is passed.\n",
5581 __func__));
5582 return key_senderror(so, m, EINVAL);
5583 }
5584
5585 if (SADB_CHECKHDR(mhp, SADB_EXT_SA) ||
5586 SADB_CHECKHDR(mhp, SADB_EXT_ADDRESS_SRC) ||
5587 SADB_CHECKHDR(mhp, SADB_EXT_ADDRESS_DST) ||
5588 (SADB_CHECKHDR(mhp, SADB_EXT_LIFETIME_HARD) &&
5589 !SADB_CHECKHDR(mhp, SADB_EXT_LIFETIME_SOFT)) ||
5590 (SADB_CHECKHDR(mhp, SADB_EXT_LIFETIME_SOFT) &&
5591 !SADB_CHECKHDR(mhp, SADB_EXT_LIFETIME_HARD))) {
5592 ipseclog((LOG_DEBUG,
5593 "%s: invalid message: missing required header.\n",
5594 __func__));
5595 return key_senderror(so, m, EINVAL);
5596 }
5597 if (SADB_CHECKLEN(mhp, SADB_EXT_SA) ||
5598 SADB_CHECKLEN(mhp, SADB_EXT_ADDRESS_SRC) ||
5599 SADB_CHECKLEN(mhp, SADB_EXT_ADDRESS_DST)) {
5600 ipseclog((LOG_DEBUG,
5601 "%s: invalid message: wrong header size.\n", __func__));
5602 return key_senderror(so, m, EINVAL);
5603 }
5604 if (SADB_CHECKHDR(mhp, SADB_X_EXT_SA2)) {
5605 mode = IPSEC_MODE_ANY;
5606 reqid = 0;
5607 } else {
5608 if (SADB_CHECKLEN(mhp, SADB_X_EXT_SA2)) {
5609 ipseclog((LOG_DEBUG,
5610 "%s: invalid message: wrong header size.\n",
5611 __func__));
5612 return key_senderror(so, m, EINVAL);
5613 }
5614 mode = ((struct sadb_x_sa2 *)
5615 mhp->ext[SADB_X_EXT_SA2])->sadb_x_sa2_mode;
5616 reqid = ((struct sadb_x_sa2 *)
5617 mhp->ext[SADB_X_EXT_SA2])->sadb_x_sa2_reqid;
5618 }
5619
5620 sa0 = (struct sadb_sa *)mhp->ext[SADB_EXT_SA];
5621 src0 = (struct sadb_address *)(mhp->ext[SADB_EXT_ADDRESS_SRC]);
5622 dst0 = (struct sadb_address *)(mhp->ext[SADB_EXT_ADDRESS_DST]);
5623
5624 /*
5625 * Only SADB_SASTATE_MATURE SAs may be submitted in an
5626 * SADB_UPDATE message.
5627 */
5628 if (sa0->sadb_sa_state != SADB_SASTATE_MATURE) {
5629 ipseclog((LOG_DEBUG, "%s: invalid state.\n", __func__));
5630 #ifdef PFKEY_STRICT_CHECKS
5631 return key_senderror(so, m, EINVAL);
5632 #endif
5633 }
5634 error = key_checksockaddrs((struct sockaddr *)(src0 + 1),
5635 (struct sockaddr *)(dst0 + 1));
5636 if (error != 0) {
5637 ipseclog((LOG_DEBUG, "%s: invalid sockaddr.\n", __func__));
5638 return key_senderror(so, m, error);
5639 }
5640 KEY_SETSECASIDX(proto, mode, reqid, src0 + 1, dst0 + 1, &saidx);
5641 sav = key_getsavbyspi(sa0->sadb_sa_spi);
5642 if (sav == NULL) {
5643 ipseclog((LOG_DEBUG, "%s: no SA found for SPI %u\n",
5644 __func__, ntohl(sa0->sadb_sa_spi)));
5645 return key_senderror(so, m, EINVAL);
5646 }
5647 /*
5648 * Check that SADB_UPDATE issued by the same process that did
5649 * SADB_GETSPI or SADB_ADD.
5650 */
5651 if (sav->pid != mhp->msg->sadb_msg_pid) {
5652 ipseclog((LOG_DEBUG,
5653 "%s: pid mismatched (SPI %u, pid %u vs. %u)\n", __func__,
5654 ntohl(sav->spi), sav->pid, mhp->msg->sadb_msg_pid));
5655 key_freesav(&sav);
5656 return key_senderror(so, m, EINVAL);
5657 }
5658 /* saidx should match with SA. */
5659 if (key_cmpsaidx(&sav->sah->saidx, &saidx, CMP_MODE_REQID) == 0) {
5660 ipseclog((LOG_DEBUG, "%s: saidx mismatched for SPI %u\n",
5661 __func__, ntohl(sav->spi)));
5662 key_freesav(&sav);
5663 return key_senderror(so, m, ESRCH);
5664 }
5665
5666 if (sav->state == SADB_SASTATE_LARVAL) {
5667 if ((mhp->msg->sadb_msg_satype == SADB_SATYPE_ESP &&
5668 SADB_CHECKHDR(mhp, SADB_EXT_KEY_ENCRYPT)) ||
5669 (mhp->msg->sadb_msg_satype == SADB_SATYPE_AH &&
5670 SADB_CHECKHDR(mhp, SADB_EXT_KEY_AUTH))) {
5671 ipseclog((LOG_DEBUG,
5672 "%s: invalid message: missing required header.\n",
5673 __func__));
5674 key_freesav(&sav);
5675 return key_senderror(so, m, EINVAL);
5676 }
5677 /*
5678 * We can set any values except src, dst and SPI.
5679 */
5680 error = key_setsaval(sav, mhp);
5681 if (error != 0) {
5682 key_freesav(&sav);
5683 return (key_senderror(so, m, error));
5684 }
5685 /* Change SA state to MATURE */
5686 SAHTREE_WLOCK();
5687 if (sav->state != SADB_SASTATE_LARVAL) {
5688 /* SA was deleted or another thread made it MATURE. */
5689 SAHTREE_WUNLOCK();
5690 key_freesav(&sav);
5691 return (key_senderror(so, m, ESRCH));
5692 }
5693 /*
5694 * NOTE: we keep SAs in savtree_alive ordered by created
5695 * time. When SA's state changed from LARVAL to MATURE,
5696 * we update its created time in key_setsaval() and move
5697 * it into head of savtree_alive.
5698 */
5699 TAILQ_REMOVE(&sav->sah->savtree_larval, sav, chain);
5700 TAILQ_INSERT_HEAD(&sav->sah->savtree_alive, sav, chain);
5701 sav->state = SADB_SASTATE_MATURE;
5702 SAHTREE_WUNLOCK();
5703 } else {
5704 /*
5705 * For DYING and MATURE SA we can change only state
5706 * and lifetimes. Report EINVAL if something else attempted
5707 * to change.
5708 */
5709 if (!SADB_CHECKHDR(mhp, SADB_EXT_KEY_ENCRYPT) ||
5710 !SADB_CHECKHDR(mhp, SADB_EXT_KEY_AUTH)) {
5711 key_freesav(&sav);
5712 return (key_senderror(so, m, EINVAL));
5713 }
5714 error = key_updatelifetimes(sav, mhp);
5715 if (error != 0) {
5716 key_freesav(&sav);
5717 return (key_senderror(so, m, error));
5718 }
5719 /*
5720 * This is FreeBSD extension to RFC2367.
5721 * IKEd can specify SADB_X_EXT_NEW_ADDRESS_SRC and/or
5722 * SADB_X_EXT_NEW_ADDRESS_DST when it wants to change
5723 * SA addresses (for example to implement MOBIKE protocol
5724 * as described in RFC4555). Also we allow to change
5725 * NAT-T config.
5726 */
5727 if (!SADB_CHECKHDR(mhp, SADB_X_EXT_NEW_ADDRESS_SRC) ||
5728 !SADB_CHECKHDR(mhp, SADB_X_EXT_NEW_ADDRESS_DST) ||
5729 !SADB_CHECKHDR(mhp, SADB_X_EXT_NAT_T_TYPE) ||
5730 sav->natt != NULL) {
5731 error = key_updateaddresses(so, m, mhp, sav, &saidx);
5732 key_freesav(&sav);
5733 if (error != 0)
5734 return (key_senderror(so, m, error));
5735 return (0);
5736 }
5737 /* Check that SA is still alive */
5738 SAHTREE_WLOCK();
5739 if (sav->state == SADB_SASTATE_DEAD) {
5740 /* SA was unlinked */
5741 SAHTREE_WUNLOCK();
5742 key_freesav(&sav);
5743 return (key_senderror(so, m, ESRCH));
5744 }
5745 /*
5746 * NOTE: there is possible state moving from DYING to MATURE,
5747 * but this doesn't change created time, so we won't reorder
5748 * this SA.
5749 */
5750 sav->state = SADB_SASTATE_MATURE;
5751 SAHTREE_WUNLOCK();
5752 }
5753 KEYDBG(KEY_STAMP,
5754 printf("%s: SA(%p)\n", __func__, sav));
5755 KEYDBG(KEY_DATA, kdebug_secasv(sav));
5756 ipsec_accel_sa_newkey(sav);
5757 key_freesav(&sav);
5758
5759 {
5760 struct mbuf *n;
5761
5762 /* set msg buf from mhp */
5763 n = key_getmsgbuf_x1(m, mhp);
5764 if (n == NULL) {
5765 ipseclog((LOG_DEBUG, "%s: No more memory.\n", __func__));
5766 return key_senderror(so, m, ENOBUFS);
5767 }
5768
5769 m_freem(m);
5770 return key_sendup_mbuf(so, n, KEY_SENDUP_ALL);
5771 }
5772 }
5773
5774 /*
5775 * SADB_ADD processing
5776 * add an entry to SA database, when received
5777 * <base, SA, (SA2), (lifetime(HSC),) address(SD), (address(P),)
5778 * key(AE), (identity(SD),) (sensitivity)>
5779 * from the ikmpd,
5780 * and send
5781 * <base, SA, (SA2), (lifetime(HSC),) address(SD), (address(P),)
5782 * (identity(SD),) (sensitivity)>
5783 * to the ikmpd.
5784 *
5785 * IGNORE identity and sensitivity messages.
5786 *
5787 * m will always be freed.
5788 */
5789 static int
key_add(struct socket * so,struct mbuf * m,const struct sadb_msghdr * mhp)5790 key_add(struct socket *so, struct mbuf *m, const struct sadb_msghdr *mhp)
5791 {
5792 struct secasindex saidx;
5793 struct sadb_address *src0, *dst0;
5794 struct sadb_sa *sa0;
5795 struct secasvar *sav;
5796 uint32_t reqid, spi;
5797 uint8_t mode, proto;
5798 int error;
5799
5800 IPSEC_ASSERT(so != NULL, ("null socket"));
5801 IPSEC_ASSERT(m != NULL, ("null mbuf"));
5802 IPSEC_ASSERT(mhp != NULL, ("null msghdr"));
5803 IPSEC_ASSERT(mhp->msg != NULL, ("null msg"));
5804
5805 /* map satype to proto */
5806 if ((proto = key_satype2proto(mhp->msg->sadb_msg_satype)) == 0) {
5807 ipseclog((LOG_DEBUG, "%s: invalid satype is passed.\n",
5808 __func__));
5809 return key_senderror(so, m, EINVAL);
5810 }
5811
5812 if (SADB_CHECKHDR(mhp, SADB_EXT_SA) ||
5813 SADB_CHECKHDR(mhp, SADB_EXT_ADDRESS_SRC) ||
5814 SADB_CHECKHDR(mhp, SADB_EXT_ADDRESS_DST) ||
5815 (mhp->msg->sadb_msg_satype == SADB_SATYPE_ESP && (
5816 SADB_CHECKHDR(mhp, SADB_EXT_KEY_ENCRYPT) ||
5817 SADB_CHECKLEN(mhp, SADB_EXT_KEY_ENCRYPT))) ||
5818 (mhp->msg->sadb_msg_satype == SADB_SATYPE_AH && (
5819 SADB_CHECKHDR(mhp, SADB_EXT_KEY_AUTH) ||
5820 SADB_CHECKLEN(mhp, SADB_EXT_KEY_AUTH))) ||
5821 (SADB_CHECKHDR(mhp, SADB_EXT_LIFETIME_HARD) &&
5822 !SADB_CHECKHDR(mhp, SADB_EXT_LIFETIME_SOFT)) ||
5823 (SADB_CHECKHDR(mhp, SADB_EXT_LIFETIME_SOFT) &&
5824 !SADB_CHECKHDR(mhp, SADB_EXT_LIFETIME_HARD))) {
5825 ipseclog((LOG_DEBUG,
5826 "%s: invalid message: missing required header.\n",
5827 __func__));
5828 return key_senderror(so, m, EINVAL);
5829 }
5830 if (SADB_CHECKLEN(mhp, SADB_EXT_SA) ||
5831 SADB_CHECKLEN(mhp, SADB_EXT_ADDRESS_SRC) ||
5832 SADB_CHECKLEN(mhp, SADB_EXT_ADDRESS_DST)) {
5833 ipseclog((LOG_DEBUG,
5834 "%s: invalid message: wrong header size.\n", __func__));
5835 return key_senderror(so, m, EINVAL);
5836 }
5837 if (SADB_CHECKHDR(mhp, SADB_X_EXT_SA2)) {
5838 mode = IPSEC_MODE_ANY;
5839 reqid = 0;
5840 } else {
5841 if (SADB_CHECKLEN(mhp, SADB_X_EXT_SA2)) {
5842 ipseclog((LOG_DEBUG,
5843 "%s: invalid message: wrong header size.\n",
5844 __func__));
5845 return key_senderror(so, m, EINVAL);
5846 }
5847 mode = ((struct sadb_x_sa2 *)
5848 mhp->ext[SADB_X_EXT_SA2])->sadb_x_sa2_mode;
5849 reqid = ((struct sadb_x_sa2 *)
5850 mhp->ext[SADB_X_EXT_SA2])->sadb_x_sa2_reqid;
5851 }
5852
5853 sa0 = (struct sadb_sa *)mhp->ext[SADB_EXT_SA];
5854 src0 = (struct sadb_address *)mhp->ext[SADB_EXT_ADDRESS_SRC];
5855 dst0 = (struct sadb_address *)mhp->ext[SADB_EXT_ADDRESS_DST];
5856
5857 /*
5858 * Only SADB_SASTATE_MATURE SAs may be submitted in an
5859 * SADB_ADD message.
5860 */
5861 if (sa0->sadb_sa_state != SADB_SASTATE_MATURE) {
5862 ipseclog((LOG_DEBUG, "%s: invalid state.\n", __func__));
5863 #ifdef PFKEY_STRICT_CHECKS
5864 return key_senderror(so, m, EINVAL);
5865 #endif
5866 }
5867 error = key_checksockaddrs((struct sockaddr *)(src0 + 1),
5868 (struct sockaddr *)(dst0 + 1));
5869 if (error != 0) {
5870 ipseclog((LOG_DEBUG, "%s: invalid sockaddr.\n", __func__));
5871 return key_senderror(so, m, error);
5872 }
5873 KEY_SETSECASIDX(proto, mode, reqid, src0 + 1, dst0 + 1, &saidx);
5874 spi = sa0->sadb_sa_spi;
5875 /*
5876 * For TCP-MD5 SAs we don't use SPI. Check the uniqueness using
5877 * secasindex.
5878 * XXXAE: IPComp seems also doesn't use SPI.
5879 */
5880 SPI_ALLOC_LOCK();
5881 if (proto == IPPROTO_TCP) {
5882 sav = key_getsav_tcpmd5(&saidx, &spi);
5883 if (sav == NULL && spi == 0) {
5884 SPI_ALLOC_UNLOCK();
5885 /* Failed to allocate SPI */
5886 ipseclog((LOG_DEBUG, "%s: SA already exists.\n",
5887 __func__));
5888 return key_senderror(so, m, EEXIST);
5889 }
5890 /* XXX: SPI that we report back can have another value */
5891 } else {
5892 /* We can create new SA only if SPI is different. */
5893 sav = key_getsavbyspi(spi);
5894 }
5895 if (sav != NULL) {
5896 SPI_ALLOC_UNLOCK();
5897 key_freesav(&sav);
5898 ipseclog((LOG_DEBUG, "%s: SA already exists.\n", __func__));
5899 return key_senderror(so, m, EEXIST);
5900 }
5901
5902 sav = key_newsav(mhp, &saidx, spi, &error);
5903 SPI_ALLOC_UNLOCK();
5904 if (sav == NULL)
5905 return key_senderror(so, m, error);
5906 KEYDBG(KEY_STAMP,
5907 printf("%s: return SA(%p)\n", __func__, sav));
5908 KEYDBG(KEY_DATA, kdebug_secasv(sav));
5909 ipsec_accel_sa_newkey(sav);
5910 /*
5911 * If SADB_ADD was in response to SADB_ACQUIRE, we need to schedule
5912 * ACQ for deletion.
5913 */
5914 if (sav->seq != 0)
5915 key_acqdone(&saidx, sav->seq);
5916
5917 {
5918 /*
5919 * Don't call key_freesav() on error here, as we would like to
5920 * keep the SA in the database.
5921 */
5922 struct mbuf *n;
5923
5924 /* set msg buf from mhp */
5925 n = key_getmsgbuf_x1(m, mhp);
5926 if (n == NULL) {
5927 ipseclog((LOG_DEBUG, "%s: No more memory.\n", __func__));
5928 return key_senderror(so, m, ENOBUFS);
5929 }
5930
5931 m_freem(m);
5932 return key_sendup_mbuf(so, n, KEY_SENDUP_ALL);
5933 }
5934 }
5935
5936 /*
5937 * NAT-T support.
5938 * IKEd may request the use ESP in UDP encapsulation when it detects the
5939 * presence of NAT. It uses NAT-T extension headers for such SAs to specify
5940 * parameters needed for encapsulation and decapsulation. These PF_KEY
5941 * extension headers are not standardized, so this comment addresses our
5942 * implementation.
5943 * SADB_X_EXT_NAT_T_TYPE specifies type of encapsulation, we support only
5944 * UDP_ENCAP_ESPINUDP as described in RFC3948.
5945 * SADB_X_EXT_NAT_T_SPORT/DPORT specifies source and destination ports for
5946 * UDP header. We use these ports in UDP encapsulation procedure, also we
5947 * can check them in UDP decapsulation procedure.
5948 * SADB_X_EXT_NAT_T_OA[IR] specifies original address of initiator or
5949 * responder. These addresses can be used for transport mode to adjust
5950 * checksum after decapsulation and decryption. Since original IP addresses
5951 * used by peer usually different (we detected presence of NAT), TCP/UDP
5952 * pseudo header checksum and IP header checksum was calculated using original
5953 * addresses. After decapsulation and decryption we need to adjust checksum
5954 * to have correct datagram.
5955 *
5956 * We expect presence of NAT-T extension headers only in SADB_ADD and
5957 * SADB_UPDATE messages. We report NAT-T extension headers in replies
5958 * to SADB_ADD, SADB_UPDATE, SADB_GET, and SADB_DUMP messages.
5959 */
5960 static int
key_setnatt(struct secasvar * sav,const struct sadb_msghdr * mhp)5961 key_setnatt(struct secasvar *sav, const struct sadb_msghdr *mhp)
5962 {
5963 struct sadb_x_nat_t_port *port;
5964 struct sadb_x_nat_t_type *type;
5965 struct sadb_address *oai, *oar;
5966 struct sockaddr *sa;
5967 uint32_t addr;
5968 uint16_t cksum;
5969 int i;
5970
5971 IPSEC_ASSERT(sav->natt == NULL, ("natt is already initialized"));
5972 /*
5973 * Ignore NAT-T headers if sproto isn't ESP.
5974 */
5975 if (sav->sah->saidx.proto != IPPROTO_ESP)
5976 return (0);
5977
5978 if (!SADB_CHECKHDR(mhp, SADB_X_EXT_NAT_T_TYPE) &&
5979 !SADB_CHECKHDR(mhp, SADB_X_EXT_NAT_T_SPORT) &&
5980 !SADB_CHECKHDR(mhp, SADB_X_EXT_NAT_T_DPORT)) {
5981 if (SADB_CHECKLEN(mhp, SADB_X_EXT_NAT_T_TYPE) ||
5982 SADB_CHECKLEN(mhp, SADB_X_EXT_NAT_T_SPORT) ||
5983 SADB_CHECKLEN(mhp, SADB_X_EXT_NAT_T_DPORT)) {
5984 ipseclog((LOG_DEBUG,
5985 "%s: invalid message: wrong header size.\n",
5986 __func__));
5987 return (EINVAL);
5988 }
5989 } else
5990 return (0);
5991
5992 type = (struct sadb_x_nat_t_type *)mhp->ext[SADB_X_EXT_NAT_T_TYPE];
5993 if (type->sadb_x_nat_t_type_type != UDP_ENCAP_ESPINUDP) {
5994 ipseclog((LOG_DEBUG, "%s: unsupported NAT-T type %u.\n",
5995 __func__, type->sadb_x_nat_t_type_type));
5996 return (EINVAL);
5997 }
5998 /*
5999 * Allocate storage for NAT-T config.
6000 * On error it will be released by key_cleansav().
6001 */
6002 sav->natt = malloc(sizeof(struct secnatt), M_IPSEC_MISC,
6003 M_NOWAIT | M_ZERO);
6004 if (sav->natt == NULL) {
6005 PFKEYSTAT_INC(in_nomem);
6006 ipseclog((LOG_DEBUG, "%s: No more memory.\n", __func__));
6007 return (ENOBUFS);
6008 }
6009 port = (struct sadb_x_nat_t_port *)mhp->ext[SADB_X_EXT_NAT_T_SPORT];
6010 if (port->sadb_x_nat_t_port_port == 0) {
6011 ipseclog((LOG_DEBUG, "%s: invalid NAT-T sport specified.\n",
6012 __func__));
6013 return (EINVAL);
6014 }
6015 sav->natt->sport = port->sadb_x_nat_t_port_port;
6016 port = (struct sadb_x_nat_t_port *)mhp->ext[SADB_X_EXT_NAT_T_DPORT];
6017 if (port->sadb_x_nat_t_port_port == 0) {
6018 ipseclog((LOG_DEBUG, "%s: invalid NAT-T dport specified.\n",
6019 __func__));
6020 return (EINVAL);
6021 }
6022 sav->natt->dport = port->sadb_x_nat_t_port_port;
6023
6024 /*
6025 * SADB_X_EXT_NAT_T_OAI and SADB_X_EXT_NAT_T_OAR are optional
6026 * and needed only for transport mode IPsec.
6027 * Usually NAT translates only one address, but it is possible,
6028 * that both addresses could be translated.
6029 * NOTE: Value of SADB_X_EXT_NAT_T_OAI is equal to SADB_X_EXT_NAT_T_OA.
6030 */
6031 if (!SADB_CHECKHDR(mhp, SADB_X_EXT_NAT_T_OAI)) {
6032 if (SADB_CHECKLEN(mhp, SADB_X_EXT_NAT_T_OAI)) {
6033 ipseclog((LOG_DEBUG,
6034 "%s: invalid message: wrong header size.\n",
6035 __func__));
6036 return (EINVAL);
6037 }
6038 oai = (struct sadb_address *)mhp->ext[SADB_X_EXT_NAT_T_OAI];
6039 } else
6040 oai = NULL;
6041 if (!SADB_CHECKHDR(mhp, SADB_X_EXT_NAT_T_OAR)) {
6042 if (SADB_CHECKLEN(mhp, SADB_X_EXT_NAT_T_OAR)) {
6043 ipseclog((LOG_DEBUG,
6044 "%s: invalid message: wrong header size.\n",
6045 __func__));
6046 return (EINVAL);
6047 }
6048 oar = (struct sadb_address *)mhp->ext[SADB_X_EXT_NAT_T_OAR];
6049 } else
6050 oar = NULL;
6051
6052 /* Initialize addresses only for transport mode */
6053 if (sav->sah->saidx.mode != IPSEC_MODE_TUNNEL) {
6054 cksum = 0;
6055 if (oai != NULL) {
6056 sa = (struct sockaddr *)(oai + 1);
6057 switch (sa->sa_family) {
6058 #ifdef AF_INET
6059 case AF_INET:
6060 if (sa->sa_len != sizeof(struct sockaddr_in)) {
6061 ipseclog((LOG_DEBUG,
6062 "%s: wrong NAT-OAi header.\n",
6063 __func__));
6064 return (EINVAL);
6065 }
6066 /* Ignore address if it the same */
6067 if (((struct sockaddr_in *)sa)->sin_addr.s_addr !=
6068 sav->sah->saidx.src.sin.sin_addr.s_addr) {
6069 bcopy(sa, &sav->natt->oai.sa, sa->sa_len);
6070 sav->natt->flags |= IPSEC_NATT_F_OAI;
6071 /* Calculate checksum delta */
6072 addr = sav->sah->saidx.src.sin.sin_addr.s_addr;
6073 cksum = in_addword(cksum, ~addr >> 16);
6074 cksum = in_addword(cksum, ~addr & 0xffff);
6075 addr = sav->natt->oai.sin.sin_addr.s_addr;
6076 cksum = in_addword(cksum, addr >> 16);
6077 cksum = in_addword(cksum, addr & 0xffff);
6078 }
6079 break;
6080 #endif
6081 #ifdef AF_INET6
6082 case AF_INET6:
6083 if (sa->sa_len != sizeof(struct sockaddr_in6)) {
6084 ipseclog((LOG_DEBUG,
6085 "%s: wrong NAT-OAi header.\n",
6086 __func__));
6087 return (EINVAL);
6088 }
6089 /* Ignore address if it the same */
6090 if (memcmp(&((struct sockaddr_in6 *)sa)->sin6_addr.s6_addr,
6091 &sav->sah->saidx.src.sin6.sin6_addr.s6_addr,
6092 sizeof(struct in6_addr)) != 0) {
6093 bcopy(sa, &sav->natt->oai.sa, sa->sa_len);
6094 sav->natt->flags |= IPSEC_NATT_F_OAI;
6095 /* Calculate checksum delta */
6096 for (i = 0; i < 8; i++) {
6097 cksum = in_addword(cksum,
6098 ~sav->sah->saidx.src.sin6.sin6_addr.s6_addr16[i]);
6099 cksum = in_addword(cksum,
6100 sav->natt->oai.sin6.sin6_addr.s6_addr16[i]);
6101 }
6102 }
6103 break;
6104 #endif
6105 default:
6106 ipseclog((LOG_DEBUG,
6107 "%s: wrong NAT-OAi header.\n",
6108 __func__));
6109 return (EINVAL);
6110 }
6111 }
6112 if (oar != NULL) {
6113 sa = (struct sockaddr *)(oar + 1);
6114 switch (sa->sa_family) {
6115 #ifdef AF_INET
6116 case AF_INET:
6117 if (sa->sa_len != sizeof(struct sockaddr_in)) {
6118 ipseclog((LOG_DEBUG,
6119 "%s: wrong NAT-OAr header.\n",
6120 __func__));
6121 return (EINVAL);
6122 }
6123 /* Ignore address if it the same */
6124 if (((struct sockaddr_in *)sa)->sin_addr.s_addr !=
6125 sav->sah->saidx.dst.sin.sin_addr.s_addr) {
6126 bcopy(sa, &sav->natt->oar.sa, sa->sa_len);
6127 sav->natt->flags |= IPSEC_NATT_F_OAR;
6128 /* Calculate checksum delta */
6129 addr = sav->sah->saidx.dst.sin.sin_addr.s_addr;
6130 cksum = in_addword(cksum, ~addr >> 16);
6131 cksum = in_addword(cksum, ~addr & 0xffff);
6132 addr = sav->natt->oar.sin.sin_addr.s_addr;
6133 cksum = in_addword(cksum, addr >> 16);
6134 cksum = in_addword(cksum, addr & 0xffff);
6135 }
6136 break;
6137 #endif
6138 #ifdef AF_INET6
6139 case AF_INET6:
6140 if (sa->sa_len != sizeof(struct sockaddr_in6)) {
6141 ipseclog((LOG_DEBUG,
6142 "%s: wrong NAT-OAr header.\n",
6143 __func__));
6144 return (EINVAL);
6145 }
6146 /* Ignore address if it the same */
6147 if (memcmp(&((struct sockaddr_in6 *)sa)->sin6_addr.s6_addr,
6148 &sav->sah->saidx.dst.sin6.sin6_addr.s6_addr, 16) != 0) {
6149 bcopy(sa, &sav->natt->oar.sa, sa->sa_len);
6150 sav->natt->flags |= IPSEC_NATT_F_OAR;
6151 /* Calculate checksum delta */
6152 for (i = 0; i < 8; i++) {
6153 cksum = in_addword(cksum,
6154 ~sav->sah->saidx.dst.sin6.sin6_addr.s6_addr16[i]);
6155 cksum = in_addword(cksum,
6156 sav->natt->oar.sin6.sin6_addr.s6_addr16[i]);
6157 }
6158 }
6159 break;
6160 #endif
6161 default:
6162 ipseclog((LOG_DEBUG,
6163 "%s: wrong NAT-OAr header.\n",
6164 __func__));
6165 return (EINVAL);
6166 }
6167 }
6168 sav->natt->cksum = cksum;
6169 }
6170 return (0);
6171 }
6172
6173 static int
key_setident(struct secashead * sah,const struct sadb_msghdr * mhp)6174 key_setident(struct secashead *sah, const struct sadb_msghdr *mhp)
6175 {
6176 const struct sadb_ident *idsrc, *iddst;
6177
6178 IPSEC_ASSERT(sah != NULL, ("null secashead"));
6179 IPSEC_ASSERT(mhp != NULL, ("null msghdr"));
6180 IPSEC_ASSERT(mhp->msg != NULL, ("null msg"));
6181
6182 /* don't make buffer if not there */
6183 if (SADB_CHECKHDR(mhp, SADB_EXT_IDENTITY_SRC) &&
6184 SADB_CHECKHDR(mhp, SADB_EXT_IDENTITY_DST)) {
6185 sah->idents = NULL;
6186 sah->identd = NULL;
6187 return (0);
6188 }
6189
6190 if (SADB_CHECKHDR(mhp, SADB_EXT_IDENTITY_SRC) ||
6191 SADB_CHECKHDR(mhp, SADB_EXT_IDENTITY_DST)) {
6192 ipseclog((LOG_DEBUG, "%s: invalid identity.\n", __func__));
6193 return (EINVAL);
6194 }
6195
6196 idsrc = (const struct sadb_ident *)mhp->ext[SADB_EXT_IDENTITY_SRC];
6197 iddst = (const struct sadb_ident *)mhp->ext[SADB_EXT_IDENTITY_DST];
6198
6199 /* validity check */
6200 if (idsrc->sadb_ident_type != iddst->sadb_ident_type) {
6201 ipseclog((LOG_DEBUG, "%s: ident type mismatch.\n", __func__));
6202 return EINVAL;
6203 }
6204
6205 switch (idsrc->sadb_ident_type) {
6206 case SADB_IDENTTYPE_PREFIX:
6207 case SADB_IDENTTYPE_FQDN:
6208 case SADB_IDENTTYPE_USERFQDN:
6209 default:
6210 /* XXX do nothing */
6211 sah->idents = NULL;
6212 sah->identd = NULL;
6213 return 0;
6214 }
6215
6216 /* make structure */
6217 sah->idents = malloc(sizeof(struct secident), M_IPSEC_MISC, M_NOWAIT);
6218 if (sah->idents == NULL) {
6219 ipseclog((LOG_DEBUG, "%s: No more memory.\n", __func__));
6220 return ENOBUFS;
6221 }
6222 sah->identd = malloc(sizeof(struct secident), M_IPSEC_MISC, M_NOWAIT);
6223 if (sah->identd == NULL) {
6224 free(sah->idents, M_IPSEC_MISC);
6225 sah->idents = NULL;
6226 ipseclog((LOG_DEBUG, "%s: No more memory.\n", __func__));
6227 return ENOBUFS;
6228 }
6229 sah->idents->type = idsrc->sadb_ident_type;
6230 sah->idents->id = idsrc->sadb_ident_id;
6231
6232 sah->identd->type = iddst->sadb_ident_type;
6233 sah->identd->id = iddst->sadb_ident_id;
6234
6235 return 0;
6236 }
6237
6238 /*
6239 * m will not be freed on return.
6240 * it is caller's responsibility to free the result.
6241 *
6242 * Called from SADB_ADD and SADB_UPDATE. Reply will contain headers
6243 * from the request in defined order.
6244 */
6245 static struct mbuf *
key_getmsgbuf_x1(struct mbuf * m,const struct sadb_msghdr * mhp)6246 key_getmsgbuf_x1(struct mbuf *m, const struct sadb_msghdr *mhp)
6247 {
6248 struct mbuf *n;
6249
6250 IPSEC_ASSERT(m != NULL, ("null mbuf"));
6251 IPSEC_ASSERT(mhp != NULL, ("null msghdr"));
6252 IPSEC_ASSERT(mhp->msg != NULL, ("null msg"));
6253
6254 /* create new sadb_msg to reply. */
6255 n = key_gather_mbuf(m, mhp, 1, 16, SADB_EXT_RESERVED,
6256 SADB_EXT_SA, SADB_X_EXT_SA2,
6257 SADB_EXT_ADDRESS_SRC, SADB_EXT_ADDRESS_DST,
6258 SADB_EXT_LIFETIME_HARD, SADB_EXT_LIFETIME_SOFT,
6259 SADB_EXT_IDENTITY_SRC, SADB_EXT_IDENTITY_DST,
6260 SADB_X_EXT_NAT_T_TYPE, SADB_X_EXT_NAT_T_SPORT,
6261 SADB_X_EXT_NAT_T_DPORT, SADB_X_EXT_NAT_T_OAI,
6262 SADB_X_EXT_NAT_T_OAR, SADB_X_EXT_NEW_ADDRESS_SRC,
6263 SADB_X_EXT_NEW_ADDRESS_DST);
6264 if (!n)
6265 return NULL;
6266
6267 if (n->m_len < sizeof(struct sadb_msg)) {
6268 n = m_pullup(n, sizeof(struct sadb_msg));
6269 if (n == NULL)
6270 return NULL;
6271 }
6272 mtod(n, struct sadb_msg *)->sadb_msg_errno = 0;
6273 mtod(n, struct sadb_msg *)->sadb_msg_len =
6274 PFKEY_UNIT64(n->m_pkthdr.len);
6275
6276 return n;
6277 }
6278
6279 /*
6280 * SADB_DELETE processing
6281 * receive
6282 * <base, SA(*), address(SD)>
6283 * from the ikmpd, and set SADB_SASTATE_DEAD,
6284 * and send,
6285 * <base, SA(*), address(SD)>
6286 * to the ikmpd.
6287 *
6288 * m will always be freed.
6289 */
6290 static int
key_delete(struct socket * so,struct mbuf * m,const struct sadb_msghdr * mhp)6291 key_delete(struct socket *so, struct mbuf *m, const struct sadb_msghdr *mhp)
6292 {
6293 struct secasindex saidx;
6294 struct sadb_address *src0, *dst0;
6295 struct secasvar *sav;
6296 struct sadb_sa *sa0;
6297 uint8_t proto;
6298
6299 IPSEC_ASSERT(so != NULL, ("null socket"));
6300 IPSEC_ASSERT(m != NULL, ("null mbuf"));
6301 IPSEC_ASSERT(mhp != NULL, ("null msghdr"));
6302 IPSEC_ASSERT(mhp->msg != NULL, ("null msg"));
6303
6304 /* map satype to proto */
6305 if ((proto = key_satype2proto(mhp->msg->sadb_msg_satype)) == 0) {
6306 ipseclog((LOG_DEBUG, "%s: invalid satype is passed.\n",
6307 __func__));
6308 return key_senderror(so, m, EINVAL);
6309 }
6310
6311 if (SADB_CHECKHDR(mhp, SADB_EXT_ADDRESS_SRC) ||
6312 SADB_CHECKHDR(mhp, SADB_EXT_ADDRESS_DST) ||
6313 SADB_CHECKLEN(mhp, SADB_EXT_ADDRESS_SRC) ||
6314 SADB_CHECKLEN(mhp, SADB_EXT_ADDRESS_DST)) {
6315 ipseclog((LOG_DEBUG, "%s: invalid message is passed.\n",
6316 __func__));
6317 return key_senderror(so, m, EINVAL);
6318 }
6319
6320 src0 = (struct sadb_address *)(mhp->ext[SADB_EXT_ADDRESS_SRC]);
6321 dst0 = (struct sadb_address *)(mhp->ext[SADB_EXT_ADDRESS_DST]);
6322
6323 if (key_checksockaddrs((struct sockaddr *)(src0 + 1),
6324 (struct sockaddr *)(dst0 + 1)) != 0) {
6325 ipseclog((LOG_DEBUG, "%s: invalid sockaddr.\n", __func__));
6326 return (key_senderror(so, m, EINVAL));
6327 }
6328 KEY_SETSECASIDX(proto, IPSEC_MODE_ANY, 0, src0 + 1, dst0 + 1, &saidx);
6329 if (SADB_CHECKHDR(mhp, SADB_EXT_SA)) {
6330 /*
6331 * Caller wants us to delete all non-LARVAL SAs
6332 * that match the src/dst. This is used during
6333 * IKE INITIAL-CONTACT.
6334 * XXXAE: this looks like some extension to RFC2367.
6335 */
6336 ipseclog((LOG_DEBUG, "%s: doing delete all.\n", __func__));
6337 return (key_delete_all(so, m, mhp, &saidx));
6338 }
6339 if (SADB_CHECKLEN(mhp, SADB_EXT_SA)) {
6340 ipseclog((LOG_DEBUG,
6341 "%s: invalid message: wrong header size.\n", __func__));
6342 return (key_senderror(so, m, EINVAL));
6343 }
6344 sa0 = (struct sadb_sa *)mhp->ext[SADB_EXT_SA];
6345 SPI_ALLOC_LOCK();
6346 if (proto == IPPROTO_TCP)
6347 sav = key_getsav_tcpmd5(&saidx, NULL);
6348 else
6349 sav = key_getsavbyspi(sa0->sadb_sa_spi);
6350 SPI_ALLOC_UNLOCK();
6351 if (sav == NULL) {
6352 ipseclog((LOG_DEBUG, "%s: no SA found for SPI %u.\n",
6353 __func__, ntohl(sa0->sadb_sa_spi)));
6354 return (key_senderror(so, m, ESRCH));
6355 }
6356 if (key_cmpsaidx(&sav->sah->saidx, &saidx, CMP_HEAD) == 0) {
6357 ipseclog((LOG_DEBUG, "%s: saidx mismatched for SPI %u.\n",
6358 __func__, ntohl(sav->spi)));
6359 key_freesav(&sav);
6360 return (key_senderror(so, m, ESRCH));
6361 }
6362 KEYDBG(KEY_STAMP,
6363 printf("%s: SA(%p)\n", __func__, sav));
6364 KEYDBG(KEY_DATA, kdebug_secasv(sav));
6365 key_unlinksav(sav);
6366 key_freesav(&sav);
6367
6368 {
6369 struct mbuf *n;
6370 struct sadb_msg *newmsg;
6371
6372 /* create new sadb_msg to reply. */
6373 n = key_gather_mbuf(m, mhp, 1, 4, SADB_EXT_RESERVED,
6374 SADB_EXT_SA, SADB_EXT_ADDRESS_SRC, SADB_EXT_ADDRESS_DST);
6375 if (!n)
6376 return key_senderror(so, m, ENOBUFS);
6377
6378 if (n->m_len < sizeof(struct sadb_msg)) {
6379 n = m_pullup(n, sizeof(struct sadb_msg));
6380 if (n == NULL)
6381 return key_senderror(so, m, ENOBUFS);
6382 }
6383 newmsg = mtod(n, struct sadb_msg *);
6384 newmsg->sadb_msg_errno = 0;
6385 newmsg->sadb_msg_len = PFKEY_UNIT64(n->m_pkthdr.len);
6386
6387 m_freem(m);
6388 return key_sendup_mbuf(so, n, KEY_SENDUP_ALL);
6389 }
6390 }
6391
6392 /*
6393 * delete all SAs for src/dst. Called from key_delete().
6394 */
6395 static int
key_delete_all(struct socket * so,struct mbuf * m,const struct sadb_msghdr * mhp,struct secasindex * saidx)6396 key_delete_all(struct socket *so, struct mbuf *m,
6397 const struct sadb_msghdr *mhp, struct secasindex *saidx)
6398 {
6399 struct secasvar_queue drainq;
6400 struct secashead *sah;
6401 struct secasvar *sav, *nextsav;
6402
6403 TAILQ_INIT(&drainq);
6404 SAHTREE_WLOCK();
6405 LIST_FOREACH(sah, SAHADDRHASH_HASH(saidx), addrhash) {
6406 if (key_cmpsaidx(&sah->saidx, saidx, CMP_HEAD) == 0)
6407 continue;
6408 /* Move all ALIVE SAs into drainq */
6409 TAILQ_CONCAT(&drainq, &sah->savtree_alive, chain);
6410 }
6411 /* Unlink all queued SAs from SPI hash */
6412 TAILQ_FOREACH(sav, &drainq, chain) {
6413 sav->state = SADB_SASTATE_DEAD;
6414 ipsec_accel_forget_sav(sav);
6415 LIST_REMOVE(sav, spihash);
6416 }
6417 SAHTREE_WUNLOCK();
6418 /* Now we can release reference for all SAs in drainq */
6419 sav = TAILQ_FIRST(&drainq);
6420 while (sav != NULL) {
6421 KEYDBG(KEY_STAMP,
6422 printf("%s: SA(%p)\n", __func__, sav));
6423 KEYDBG(KEY_DATA, kdebug_secasv(sav));
6424 nextsav = TAILQ_NEXT(sav, chain);
6425 key_freesah(&sav->sah); /* release reference from SAV */
6426 key_freesav(&sav); /* release last reference */
6427 sav = nextsav;
6428 }
6429
6430 {
6431 struct mbuf *n;
6432 struct sadb_msg *newmsg;
6433
6434 /* create new sadb_msg to reply. */
6435 n = key_gather_mbuf(m, mhp, 1, 3, SADB_EXT_RESERVED,
6436 SADB_EXT_ADDRESS_SRC, SADB_EXT_ADDRESS_DST);
6437 if (!n)
6438 return key_senderror(so, m, ENOBUFS);
6439
6440 if (n->m_len < sizeof(struct sadb_msg)) {
6441 n = m_pullup(n, sizeof(struct sadb_msg));
6442 if (n == NULL)
6443 return key_senderror(so, m, ENOBUFS);
6444 }
6445 newmsg = mtod(n, struct sadb_msg *);
6446 newmsg->sadb_msg_errno = 0;
6447 newmsg->sadb_msg_len = PFKEY_UNIT64(n->m_pkthdr.len);
6448
6449 m_freem(m);
6450 return key_sendup_mbuf(so, n, KEY_SENDUP_ALL);
6451 }
6452 }
6453
6454 /*
6455 * Delete all alive SAs for corresponding xform.
6456 * Larval SAs have not initialized tdb_xform, so it is safe to leave them
6457 * here when xform disappears.
6458 */
6459 void
key_delete_xform(const struct xformsw * xsp)6460 key_delete_xform(const struct xformsw *xsp)
6461 {
6462 struct secasvar_queue drainq;
6463 struct secashead *sah;
6464 struct secasvar *sav, *nextsav;
6465
6466 TAILQ_INIT(&drainq);
6467 SAHTREE_WLOCK();
6468 TAILQ_FOREACH(sah, &V_sahtree, chain) {
6469 sav = TAILQ_FIRST(&sah->savtree_alive);
6470 if (sav == NULL)
6471 continue;
6472 if (sav->tdb_xform != xsp)
6473 continue;
6474 /*
6475 * It is supposed that all SAs in the chain are related to
6476 * one xform.
6477 */
6478 TAILQ_CONCAT(&drainq, &sah->savtree_alive, chain);
6479 }
6480 /* Unlink all queued SAs from SPI hash */
6481 TAILQ_FOREACH(sav, &drainq, chain) {
6482 sav->state = SADB_SASTATE_DEAD;
6483 ipsec_accel_forget_sav(sav);
6484 LIST_REMOVE(sav, spihash);
6485 }
6486 SAHTREE_WUNLOCK();
6487
6488 /* Now we can release reference for all SAs in drainq */
6489 sav = TAILQ_FIRST(&drainq);
6490 while (sav != NULL) {
6491 KEYDBG(KEY_STAMP,
6492 printf("%s: SA(%p)\n", __func__, sav));
6493 KEYDBG(KEY_DATA, kdebug_secasv(sav));
6494 nextsav = TAILQ_NEXT(sav, chain);
6495 key_freesah(&sav->sah); /* release reference from SAV */
6496 key_freesav(&sav); /* release last reference */
6497 sav = nextsav;
6498 }
6499 }
6500
6501 /*
6502 * SADB_GET processing
6503 * receive
6504 * <base, SA(*), address(SD)>
6505 * from the ikmpd, and get a SP and a SA to respond,
6506 * and send,
6507 * <base, SA, (lifetime(HSC),) address(SD), (address(P),) key(AE),
6508 * (identity(SD),) (sensitivity)>
6509 * to the ikmpd.
6510 *
6511 * m will always be freed.
6512 */
6513 static int
key_get(struct socket * so,struct mbuf * m,const struct sadb_msghdr * mhp)6514 key_get(struct socket *so, struct mbuf *m, const struct sadb_msghdr *mhp)
6515 {
6516 struct secasindex saidx;
6517 struct sadb_address *src0, *dst0;
6518 struct sadb_sa *sa0;
6519 struct secasvar *sav;
6520 uint8_t proto;
6521
6522 IPSEC_ASSERT(so != NULL, ("null socket"));
6523 IPSEC_ASSERT(m != NULL, ("null mbuf"));
6524 IPSEC_ASSERT(mhp != NULL, ("null msghdr"));
6525 IPSEC_ASSERT(mhp->msg != NULL, ("null msg"));
6526
6527 /* map satype to proto */
6528 if ((proto = key_satype2proto(mhp->msg->sadb_msg_satype)) == 0) {
6529 ipseclog((LOG_DEBUG, "%s: invalid satype is passed.\n",
6530 __func__));
6531 return key_senderror(so, m, EINVAL);
6532 }
6533
6534 if (SADB_CHECKHDR(mhp, SADB_EXT_SA) ||
6535 SADB_CHECKHDR(mhp, SADB_EXT_ADDRESS_SRC) ||
6536 SADB_CHECKHDR(mhp, SADB_EXT_ADDRESS_DST)) {
6537 ipseclog((LOG_DEBUG,
6538 "%s: invalid message: missing required header.\n",
6539 __func__));
6540 return key_senderror(so, m, EINVAL);
6541 }
6542 if (SADB_CHECKLEN(mhp, SADB_EXT_SA) ||
6543 SADB_CHECKLEN(mhp, SADB_EXT_ADDRESS_SRC) ||
6544 SADB_CHECKLEN(mhp, SADB_EXT_ADDRESS_DST)) {
6545 ipseclog((LOG_DEBUG,
6546 "%s: invalid message: wrong header size.\n", __func__));
6547 return key_senderror(so, m, EINVAL);
6548 }
6549
6550 sa0 = (struct sadb_sa *)mhp->ext[SADB_EXT_SA];
6551 src0 = (struct sadb_address *)mhp->ext[SADB_EXT_ADDRESS_SRC];
6552 dst0 = (struct sadb_address *)mhp->ext[SADB_EXT_ADDRESS_DST];
6553
6554 if (key_checksockaddrs((struct sockaddr *)(src0 + 1),
6555 (struct sockaddr *)(dst0 + 1)) != 0) {
6556 ipseclog((LOG_DEBUG, "%s: invalid sockaddr.\n", __func__));
6557 return key_senderror(so, m, EINVAL);
6558 }
6559 KEY_SETSECASIDX(proto, IPSEC_MODE_ANY, 0, src0 + 1, dst0 + 1, &saidx);
6560
6561 SPI_ALLOC_LOCK();
6562 if (proto == IPPROTO_TCP)
6563 sav = key_getsav_tcpmd5(&saidx, NULL);
6564 else
6565 sav = key_getsavbyspi(sa0->sadb_sa_spi);
6566 SPI_ALLOC_UNLOCK();
6567 if (sav == NULL) {
6568 ipseclog((LOG_DEBUG, "%s: no SA found.\n", __func__));
6569 return key_senderror(so, m, ESRCH);
6570 }
6571 if (key_cmpsaidx(&sav->sah->saidx, &saidx, CMP_HEAD) == 0) {
6572 ipseclog((LOG_DEBUG, "%s: saidx mismatched for SPI %u.\n",
6573 __func__, ntohl(sa0->sadb_sa_spi)));
6574 key_freesav(&sav);
6575 return (key_senderror(so, m, ESRCH));
6576 }
6577
6578 {
6579 struct mbuf *n;
6580 uint8_t satype;
6581
6582 /* map proto to satype */
6583 if ((satype = key_proto2satype(sav->sah->saidx.proto)) == 0) {
6584 ipseclog((LOG_DEBUG, "%s: there was invalid proto in SAD.\n",
6585 __func__));
6586 key_freesav(&sav);
6587 return key_senderror(so, m, EINVAL);
6588 }
6589
6590 /* create new sadb_msg to reply. */
6591 n = key_setdumpsa(sav, SADB_GET, satype, mhp->msg->sadb_msg_seq,
6592 mhp->msg->sadb_msg_pid, NULL);
6593
6594 key_freesav(&sav);
6595 if (!n)
6596 return key_senderror(so, m, ENOBUFS);
6597
6598 m_freem(m);
6599 return key_sendup_mbuf(so, n, KEY_SENDUP_ONE);
6600 }
6601 }
6602
6603 /* XXX make it sysctl-configurable? */
6604 static void
key_getcomb_setlifetime(struct sadb_comb * comb)6605 key_getcomb_setlifetime(struct sadb_comb *comb)
6606 {
6607
6608 comb->sadb_comb_soft_allocations = 1;
6609 comb->sadb_comb_hard_allocations = 1;
6610 comb->sadb_comb_soft_bytes = 0;
6611 comb->sadb_comb_hard_bytes = 0;
6612 comb->sadb_comb_hard_addtime = 86400; /* 1 day */
6613 comb->sadb_comb_soft_addtime = comb->sadb_comb_soft_addtime * 80 / 100;
6614 comb->sadb_comb_soft_usetime = 28800; /* 8 hours */
6615 comb->sadb_comb_hard_usetime = comb->sadb_comb_hard_usetime * 80 / 100;
6616 }
6617
6618 /*
6619 * XXX reorder combinations by preference
6620 * XXX no idea if the user wants ESP authentication or not
6621 */
6622 static struct mbuf *
key_getcomb_ealg(void)6623 key_getcomb_ealg(void)
6624 {
6625 struct sadb_comb *comb;
6626 const struct enc_xform *algo;
6627 struct mbuf *result = NULL, *m, *n;
6628 int encmin;
6629 int i, off, o;
6630 int totlen;
6631 const int l = PFKEY_ALIGN8(sizeof(struct sadb_comb));
6632
6633 m = NULL;
6634 for (i = 1; i <= SADB_EALG_MAX; i++) {
6635 algo = enc_algorithm_lookup(i);
6636 if (algo == NULL)
6637 continue;
6638
6639 /* discard algorithms with key size smaller than system min */
6640 if (_BITS(algo->maxkey) < V_ipsec_esp_keymin)
6641 continue;
6642 if (_BITS(algo->minkey) < V_ipsec_esp_keymin)
6643 encmin = V_ipsec_esp_keymin;
6644 else
6645 encmin = _BITS(algo->minkey);
6646
6647 if (V_ipsec_esp_auth)
6648 m = key_getcomb_ah();
6649 else {
6650 IPSEC_ASSERT(l <= MLEN,
6651 ("l=%u > MLEN=%lu", l, (u_long) MLEN));
6652 MGET(m, M_NOWAIT, MT_DATA);
6653 if (m) {
6654 M_ALIGN(m, l);
6655 m->m_len = l;
6656 m->m_next = NULL;
6657 bzero(mtod(m, caddr_t), m->m_len);
6658 }
6659 }
6660 if (!m)
6661 goto fail;
6662
6663 totlen = 0;
6664 for (n = m; n; n = n->m_next)
6665 totlen += n->m_len;
6666 IPSEC_ASSERT((totlen % l) == 0, ("totlen=%u, l=%u", totlen, l));
6667
6668 for (off = 0; off < totlen; off += l) {
6669 n = m_pulldown(m, off, l, &o);
6670 if (!n) {
6671 /* m is already freed */
6672 goto fail;
6673 }
6674 comb = (struct sadb_comb *)(mtod(n, caddr_t) + o);
6675 bzero(comb, sizeof(*comb));
6676 key_getcomb_setlifetime(comb);
6677 comb->sadb_comb_encrypt = i;
6678 comb->sadb_comb_encrypt_minbits = encmin;
6679 comb->sadb_comb_encrypt_maxbits = _BITS(algo->maxkey);
6680 }
6681
6682 if (!result)
6683 result = m;
6684 else
6685 m_cat(result, m);
6686 }
6687
6688 return result;
6689
6690 fail:
6691 if (result)
6692 m_freem(result);
6693 return NULL;
6694 }
6695
6696 static void
key_getsizes_ah(const struct auth_hash * ah,int alg,u_int16_t * min,u_int16_t * max)6697 key_getsizes_ah(const struct auth_hash *ah, int alg, u_int16_t* min,
6698 u_int16_t* max)
6699 {
6700
6701 *min = *max = ah->hashsize;
6702 if (ah->keysize == 0) {
6703 /*
6704 * Transform takes arbitrary key size but algorithm
6705 * key size is restricted. Enforce this here.
6706 */
6707 switch (alg) {
6708 case SADB_X_AALG_NULL: *min = 1; *max = 256; break;
6709 case SADB_X_AALG_SHA2_256: *min = *max = 32; break;
6710 case SADB_X_AALG_SHA2_384: *min = *max = 48; break;
6711 case SADB_X_AALG_SHA2_512: *min = *max = 64; break;
6712 default:
6713 DPRINTF(("%s: unknown AH algorithm %u\n",
6714 __func__, alg));
6715 break;
6716 }
6717 }
6718 }
6719
6720 /*
6721 * XXX reorder combinations by preference
6722 */
6723 static struct mbuf *
key_getcomb_ah(void)6724 key_getcomb_ah(void)
6725 {
6726 const struct auth_hash *algo;
6727 struct sadb_comb *comb;
6728 struct mbuf *m;
6729 u_int16_t minkeysize, maxkeysize;
6730 int i;
6731 const int l = PFKEY_ALIGN8(sizeof(struct sadb_comb));
6732
6733 m = NULL;
6734 for (i = 1; i <= SADB_AALG_MAX; i++) {
6735 #if 1
6736 /* we prefer HMAC algorithms, not old algorithms */
6737 if (i != SADB_AALG_SHA1HMAC &&
6738 i != SADB_X_AALG_SHA2_256 &&
6739 i != SADB_X_AALG_SHA2_384 &&
6740 i != SADB_X_AALG_SHA2_512)
6741 continue;
6742 #endif
6743 algo = auth_algorithm_lookup(i);
6744 if (!algo)
6745 continue;
6746 key_getsizes_ah(algo, i, &minkeysize, &maxkeysize);
6747 /* discard algorithms with key size smaller than system min */
6748 if (_BITS(minkeysize) < V_ipsec_ah_keymin)
6749 continue;
6750
6751 if (!m) {
6752 IPSEC_ASSERT(l <= MLEN,
6753 ("l=%u > MLEN=%lu", l, (u_long) MLEN));
6754 MGET(m, M_NOWAIT, MT_DATA);
6755 if (m) {
6756 M_ALIGN(m, l);
6757 m->m_len = l;
6758 m->m_next = NULL;
6759 }
6760 } else
6761 M_PREPEND(m, l, M_NOWAIT);
6762 if (!m)
6763 return NULL;
6764
6765 comb = mtod(m, struct sadb_comb *);
6766 bzero(comb, sizeof(*comb));
6767 key_getcomb_setlifetime(comb);
6768 comb->sadb_comb_auth = i;
6769 comb->sadb_comb_auth_minbits = _BITS(minkeysize);
6770 comb->sadb_comb_auth_maxbits = _BITS(maxkeysize);
6771 }
6772
6773 return m;
6774 }
6775
6776 /*
6777 * not really an official behavior. discussed in pf_key@inner.net in Sep2000.
6778 * XXX reorder combinations by preference
6779 */
6780 static struct mbuf *
key_getcomb_ipcomp(void)6781 key_getcomb_ipcomp(void)
6782 {
6783 const struct comp_algo *algo;
6784 struct sadb_comb *comb;
6785 struct mbuf *m;
6786 int i;
6787 const int l = PFKEY_ALIGN8(sizeof(struct sadb_comb));
6788
6789 m = NULL;
6790 for (i = 1; i <= SADB_X_CALG_MAX; i++) {
6791 algo = comp_algorithm_lookup(i);
6792 if (!algo)
6793 continue;
6794
6795 if (!m) {
6796 IPSEC_ASSERT(l <= MLEN,
6797 ("l=%u > MLEN=%lu", l, (u_long) MLEN));
6798 MGET(m, M_NOWAIT, MT_DATA);
6799 if (m) {
6800 M_ALIGN(m, l);
6801 m->m_len = l;
6802 m->m_next = NULL;
6803 }
6804 } else
6805 M_PREPEND(m, l, M_NOWAIT);
6806 if (!m)
6807 return NULL;
6808
6809 comb = mtod(m, struct sadb_comb *);
6810 bzero(comb, sizeof(*comb));
6811 key_getcomb_setlifetime(comb);
6812 comb->sadb_comb_encrypt = i;
6813 /* what should we set into sadb_comb_*_{min,max}bits? */
6814 }
6815
6816 return m;
6817 }
6818
6819 /*
6820 * XXX no way to pass mode (transport/tunnel) to userland
6821 * XXX replay checking?
6822 * XXX sysctl interface to ipsec_{ah,esp}_keymin
6823 */
6824 static struct mbuf *
key_getprop(const struct secasindex * saidx)6825 key_getprop(const struct secasindex *saidx)
6826 {
6827 struct sadb_prop *prop;
6828 struct mbuf *m, *n;
6829 const int l = PFKEY_ALIGN8(sizeof(struct sadb_prop));
6830 int totlen;
6831
6832 switch (saidx->proto) {
6833 case IPPROTO_ESP:
6834 m = key_getcomb_ealg();
6835 break;
6836 case IPPROTO_AH:
6837 m = key_getcomb_ah();
6838 break;
6839 case IPPROTO_IPCOMP:
6840 m = key_getcomb_ipcomp();
6841 break;
6842 default:
6843 return NULL;
6844 }
6845
6846 if (!m)
6847 return NULL;
6848 M_PREPEND(m, l, M_NOWAIT);
6849 if (!m)
6850 return NULL;
6851
6852 totlen = 0;
6853 for (n = m; n; n = n->m_next)
6854 totlen += n->m_len;
6855
6856 prop = mtod(m, struct sadb_prop *);
6857 bzero(prop, sizeof(*prop));
6858 prop->sadb_prop_len = PFKEY_UNIT64(totlen);
6859 prop->sadb_prop_exttype = SADB_EXT_PROPOSAL;
6860 prop->sadb_prop_replay = 32; /* XXX */
6861
6862 return m;
6863 }
6864
6865 /*
6866 * SADB_ACQUIRE processing called by key_checkrequest() and key_acquire2().
6867 * send
6868 * <base, SA, address(SD), (address(P)), x_policy,
6869 * (identity(SD),) (sensitivity,) proposal>
6870 * to KMD, and expect to receive
6871 * <base> with SADB_ACQUIRE if error occurred,
6872 * or
6873 * <base, src address, dst address, (SPI range)> with SADB_GETSPI
6874 * from KMD by PF_KEY.
6875 *
6876 * XXX x_policy is outside of RFC2367 (KAME extension).
6877 * XXX sensitivity is not supported.
6878 * XXX for ipcomp, RFC2367 does not define how to fill in proposal.
6879 * see comment for key_getcomb_ipcomp().
6880 *
6881 * OUT:
6882 * 0 : succeed
6883 * others: error number
6884 */
6885 static int
key_acquire(const struct secasindex * saidx,struct secpolicy * sp)6886 key_acquire(const struct secasindex *saidx, struct secpolicy *sp)
6887 {
6888 union sockaddr_union addr;
6889 struct mbuf *result, *m;
6890 uint32_t seq;
6891 int error;
6892 uint16_t ul_proto;
6893 uint8_t mask, satype;
6894
6895 IPSEC_ASSERT(saidx != NULL, ("null saidx"));
6896 satype = key_proto2satype(saidx->proto);
6897 IPSEC_ASSERT(satype != 0, ("null satype, protocol %u", saidx->proto));
6898
6899 error = -1;
6900 result = NULL;
6901 ul_proto = IPSEC_ULPROTO_ANY;
6902
6903 /* Get seq number to check whether sending message or not. */
6904 seq = key_getacq(saidx, &error);
6905 if (seq == 0)
6906 return (error);
6907
6908 m = key_setsadbmsg(SADB_ACQUIRE, 0, satype, seq, 0, 0);
6909 if (!m) {
6910 error = ENOBUFS;
6911 goto fail;
6912 }
6913 result = m;
6914
6915 /*
6916 * set sadb_address for saidx's.
6917 *
6918 * Note that if sp is supplied, then we're being called from
6919 * key_allocsa_policy() and should supply port and protocol
6920 * information.
6921 * XXXAE: why only TCP and UDP? ICMP and SCTP looks applicable too.
6922 * XXXAE: probably we can handle this in the ipsec[46]_allocsa().
6923 * XXXAE: it looks like we should save this info in the ACQ entry.
6924 */
6925 if (sp != NULL && (sp->spidx.ul_proto == IPPROTO_TCP ||
6926 sp->spidx.ul_proto == IPPROTO_UDP))
6927 ul_proto = sp->spidx.ul_proto;
6928
6929 addr = saidx->src;
6930 mask = FULLMASK;
6931 if (ul_proto != IPSEC_ULPROTO_ANY) {
6932 switch (sp->spidx.src.sa.sa_family) {
6933 case AF_INET:
6934 if (sp->spidx.src.sin.sin_port != IPSEC_PORT_ANY) {
6935 addr.sin.sin_port = sp->spidx.src.sin.sin_port;
6936 mask = sp->spidx.prefs;
6937 }
6938 break;
6939 case AF_INET6:
6940 if (sp->spidx.src.sin6.sin6_port != IPSEC_PORT_ANY) {
6941 addr.sin6.sin6_port =
6942 sp->spidx.src.sin6.sin6_port;
6943 mask = sp->spidx.prefs;
6944 }
6945 break;
6946 default:
6947 break;
6948 }
6949 }
6950 m = key_setsadbaddr(SADB_EXT_ADDRESS_SRC, &addr.sa, mask, ul_proto);
6951 if (!m) {
6952 error = ENOBUFS;
6953 goto fail;
6954 }
6955 m_cat(result, m);
6956
6957 addr = saidx->dst;
6958 mask = FULLMASK;
6959 if (ul_proto != IPSEC_ULPROTO_ANY) {
6960 switch (sp->spidx.dst.sa.sa_family) {
6961 case AF_INET:
6962 if (sp->spidx.dst.sin.sin_port != IPSEC_PORT_ANY) {
6963 addr.sin.sin_port = sp->spidx.dst.sin.sin_port;
6964 mask = sp->spidx.prefd;
6965 }
6966 break;
6967 case AF_INET6:
6968 if (sp->spidx.dst.sin6.sin6_port != IPSEC_PORT_ANY) {
6969 addr.sin6.sin6_port =
6970 sp->spidx.dst.sin6.sin6_port;
6971 mask = sp->spidx.prefd;
6972 }
6973 break;
6974 default:
6975 break;
6976 }
6977 }
6978 m = key_setsadbaddr(SADB_EXT_ADDRESS_DST, &addr.sa, mask, ul_proto);
6979 if (!m) {
6980 error = ENOBUFS;
6981 goto fail;
6982 }
6983 m_cat(result, m);
6984
6985 /* XXX proxy address (optional) */
6986
6987 /*
6988 * Set sadb_x_policy. This is KAME extension to RFC2367.
6989 */
6990 if (sp != NULL) {
6991 m = key_setsadbxpolicy(sp->policy, sp->spidx.dir, sp->id,
6992 sp->priority);
6993 if (!m) {
6994 error = ENOBUFS;
6995 goto fail;
6996 }
6997 m_cat(result, m);
6998 }
6999
7000 /*
7001 * Set sadb_x_sa2 extension if saidx->reqid is not zero.
7002 * This is FreeBSD extension to RFC2367.
7003 */
7004 if (saidx->reqid != 0) {
7005 m = key_setsadbxsa2(saidx->mode, 0, saidx->reqid);
7006 if (m == NULL) {
7007 error = ENOBUFS;
7008 goto fail;
7009 }
7010 m_cat(result, m);
7011 }
7012 /* XXX identity (optional) */
7013 #if 0
7014 if (idexttype && fqdn) {
7015 /* create identity extension (FQDN) */
7016 struct sadb_ident *id;
7017 int fqdnlen;
7018
7019 fqdnlen = strlen(fqdn) + 1; /* +1 for terminating-NUL */
7020 id = (struct sadb_ident *)p;
7021 bzero(id, sizeof(*id) + PFKEY_ALIGN8(fqdnlen));
7022 id->sadb_ident_len = PFKEY_UNIT64(sizeof(*id) + PFKEY_ALIGN8(fqdnlen));
7023 id->sadb_ident_exttype = idexttype;
7024 id->sadb_ident_type = SADB_IDENTTYPE_FQDN;
7025 bcopy(fqdn, id + 1, fqdnlen);
7026 p += sizeof(struct sadb_ident) + PFKEY_ALIGN8(fqdnlen);
7027 }
7028
7029 if (idexttype) {
7030 /* create identity extension (USERFQDN) */
7031 struct sadb_ident *id;
7032 int userfqdnlen;
7033
7034 if (userfqdn) {
7035 /* +1 for terminating-NUL */
7036 userfqdnlen = strlen(userfqdn) + 1;
7037 } else
7038 userfqdnlen = 0;
7039 id = (struct sadb_ident *)p;
7040 bzero(id, sizeof(*id) + PFKEY_ALIGN8(userfqdnlen));
7041 id->sadb_ident_len = PFKEY_UNIT64(sizeof(*id) + PFKEY_ALIGN8(userfqdnlen));
7042 id->sadb_ident_exttype = idexttype;
7043 id->sadb_ident_type = SADB_IDENTTYPE_USERFQDN;
7044 /* XXX is it correct? */
7045 if (curproc && curproc->p_cred)
7046 id->sadb_ident_id = curproc->p_cred->p_ruid;
7047 if (userfqdn && userfqdnlen)
7048 bcopy(userfqdn, id + 1, userfqdnlen);
7049 p += sizeof(struct sadb_ident) + PFKEY_ALIGN8(userfqdnlen);
7050 }
7051 #endif
7052
7053 /* XXX sensitivity (optional) */
7054
7055 /* create proposal/combination extension */
7056 m = key_getprop(saidx);
7057 #if 0
7058 /*
7059 * spec conformant: always attach proposal/combination extension,
7060 * the problem is that we have no way to attach it for ipcomp,
7061 * due to the way sadb_comb is declared in RFC2367.
7062 */
7063 if (!m) {
7064 error = ENOBUFS;
7065 goto fail;
7066 }
7067 m_cat(result, m);
7068 #else
7069 /*
7070 * outside of spec; make proposal/combination extension optional.
7071 */
7072 if (m)
7073 m_cat(result, m);
7074 #endif
7075
7076 if ((result->m_flags & M_PKTHDR) == 0) {
7077 error = EINVAL;
7078 goto fail;
7079 }
7080
7081 if (result->m_len < sizeof(struct sadb_msg)) {
7082 result = m_pullup(result, sizeof(struct sadb_msg));
7083 if (result == NULL) {
7084 error = ENOBUFS;
7085 goto fail;
7086 }
7087 }
7088
7089 result->m_pkthdr.len = 0;
7090 for (m = result; m; m = m->m_next)
7091 result->m_pkthdr.len += m->m_len;
7092
7093 mtod(result, struct sadb_msg *)->sadb_msg_len =
7094 PFKEY_UNIT64(result->m_pkthdr.len);
7095
7096 KEYDBG(KEY_STAMP,
7097 printf("%s: SP(%p)\n", __func__, sp));
7098 KEYDBG(KEY_DATA, kdebug_secasindex(saidx, NULL));
7099
7100 return key_sendup_mbuf(NULL, result, KEY_SENDUP_REGISTERED);
7101
7102 fail:
7103 if (result)
7104 m_freem(result);
7105 return error;
7106 }
7107
7108 static uint32_t
key_newacq(const struct secasindex * saidx,int * perror)7109 key_newacq(const struct secasindex *saidx, int *perror)
7110 {
7111 struct secacq *acq;
7112 uint32_t seq;
7113
7114 acq = malloc(sizeof(*acq), M_IPSEC_SAQ, M_NOWAIT | M_ZERO);
7115 if (acq == NULL) {
7116 ipseclog((LOG_DEBUG, "%s: No more memory.\n", __func__));
7117 *perror = ENOBUFS;
7118 return (0);
7119 }
7120
7121 /* copy secindex */
7122 bcopy(saidx, &acq->saidx, sizeof(acq->saidx));
7123 acq->created = time_second;
7124 acq->count = 0;
7125
7126 /* add to acqtree */
7127 ACQ_LOCK();
7128 seq = acq->seq = (V_acq_seq == ~0 ? 1 : ++V_acq_seq);
7129 LIST_INSERT_HEAD(&V_acqtree, acq, chain);
7130 LIST_INSERT_HEAD(ACQADDRHASH_HASH(saidx), acq, addrhash);
7131 LIST_INSERT_HEAD(ACQSEQHASH_HASH(seq), acq, seqhash);
7132 ACQ_UNLOCK();
7133 *perror = 0;
7134 return (seq);
7135 }
7136
7137 static uint32_t
key_getacq(const struct secasindex * saidx,int * perror)7138 key_getacq(const struct secasindex *saidx, int *perror)
7139 {
7140 struct secacq *acq;
7141 uint32_t seq;
7142
7143 ACQ_LOCK();
7144 LIST_FOREACH(acq, ACQADDRHASH_HASH(saidx), addrhash) {
7145 if (key_cmpsaidx(&acq->saidx, saidx, CMP_EXACTLY)) {
7146 if (acq->count > V_key_blockacq_count) {
7147 /*
7148 * Reset counter and send message.
7149 * Also reset created time to keep ACQ for
7150 * this saidx.
7151 */
7152 acq->created = time_second;
7153 acq->count = 0;
7154 seq = acq->seq;
7155 } else {
7156 /*
7157 * Increment counter and do nothing.
7158 * We send SADB_ACQUIRE message only
7159 * for each V_key_blockacq_count packet.
7160 */
7161 acq->count++;
7162 seq = 0;
7163 }
7164 break;
7165 }
7166 }
7167 ACQ_UNLOCK();
7168 if (acq != NULL) {
7169 *perror = 0;
7170 return (seq);
7171 }
7172 /* allocate new entry */
7173 return (key_newacq(saidx, perror));
7174 }
7175
7176 static int
key_acqreset(uint32_t seq)7177 key_acqreset(uint32_t seq)
7178 {
7179 struct secacq *acq;
7180
7181 ACQ_LOCK();
7182 LIST_FOREACH(acq, ACQSEQHASH_HASH(seq), seqhash) {
7183 if (acq->seq == seq) {
7184 acq->count = 0;
7185 acq->created = time_second;
7186 break;
7187 }
7188 }
7189 ACQ_UNLOCK();
7190 if (acq == NULL)
7191 return (ESRCH);
7192 return (0);
7193 }
7194 /*
7195 * Mark ACQ entry as stale to remove it in key_flush_acq().
7196 * Called after successful SADB_GETSPI message.
7197 */
7198 static int
key_acqdone(const struct secasindex * saidx,uint32_t seq)7199 key_acqdone(const struct secasindex *saidx, uint32_t seq)
7200 {
7201 struct secacq *acq;
7202
7203 ACQ_LOCK();
7204 LIST_FOREACH(acq, ACQSEQHASH_HASH(seq), seqhash) {
7205 if (acq->seq == seq)
7206 break;
7207 }
7208 if (acq != NULL) {
7209 if (key_cmpsaidx(&acq->saidx, saidx, CMP_EXACTLY) == 0) {
7210 ipseclog((LOG_DEBUG,
7211 "%s: Mismatched saidx for ACQ %u\n", __func__, seq));
7212 acq = NULL;
7213 } else {
7214 acq->created = 0;
7215 }
7216 } else {
7217 ipseclog((LOG_DEBUG,
7218 "%s: ACQ %u is not found.\n", __func__, seq));
7219 }
7220 ACQ_UNLOCK();
7221 if (acq == NULL)
7222 return (ESRCH);
7223 return (0);
7224 }
7225
7226 static struct secspacq *
key_newspacq(struct secpolicyindex * spidx)7227 key_newspacq(struct secpolicyindex *spidx)
7228 {
7229 struct secspacq *acq;
7230
7231 /* get new entry */
7232 acq = malloc(sizeof(struct secspacq), M_IPSEC_SAQ, M_NOWAIT|M_ZERO);
7233 if (acq == NULL) {
7234 ipseclog((LOG_DEBUG, "%s: No more memory.\n", __func__));
7235 return NULL;
7236 }
7237
7238 /* copy secindex */
7239 bcopy(spidx, &acq->spidx, sizeof(acq->spidx));
7240 acq->created = time_second;
7241 acq->count = 0;
7242
7243 /* add to spacqtree */
7244 SPACQ_LOCK();
7245 LIST_INSERT_HEAD(&V_spacqtree, acq, chain);
7246 SPACQ_UNLOCK();
7247
7248 return acq;
7249 }
7250
7251 static struct secspacq *
key_getspacq(struct secpolicyindex * spidx)7252 key_getspacq(struct secpolicyindex *spidx)
7253 {
7254 struct secspacq *acq;
7255
7256 SPACQ_LOCK();
7257 LIST_FOREACH(acq, &V_spacqtree, chain) {
7258 if (key_cmpspidx_exactly(spidx, &acq->spidx)) {
7259 /* NB: return holding spacq_lock */
7260 return acq;
7261 }
7262 }
7263 SPACQ_UNLOCK();
7264
7265 return NULL;
7266 }
7267
7268 /*
7269 * SADB_ACQUIRE processing,
7270 * in first situation, is receiving
7271 * <base>
7272 * from the ikmpd, and clear sequence of its secasvar entry.
7273 *
7274 * In second situation, is receiving
7275 * <base, address(SD), (address(P),) (identity(SD),) (sensitivity,) proposal>
7276 * from a user land process, and return
7277 * <base, address(SD), (address(P),) (identity(SD),) (sensitivity,) proposal>
7278 * to the socket.
7279 *
7280 * m will always be freed.
7281 */
7282 static int
key_acquire2(struct socket * so,struct mbuf * m,const struct sadb_msghdr * mhp)7283 key_acquire2(struct socket *so, struct mbuf *m, const struct sadb_msghdr *mhp)
7284 {
7285 SAHTREE_RLOCK_TRACKER;
7286 struct sadb_address *src0, *dst0;
7287 struct secasindex saidx;
7288 struct secashead *sah;
7289 uint32_t reqid;
7290 int error;
7291 uint8_t mode, proto;
7292
7293 IPSEC_ASSERT(so != NULL, ("null socket"));
7294 IPSEC_ASSERT(m != NULL, ("null mbuf"));
7295 IPSEC_ASSERT(mhp != NULL, ("null msghdr"));
7296 IPSEC_ASSERT(mhp->msg != NULL, ("null msg"));
7297
7298 /*
7299 * Error message from KMd.
7300 * We assume that if error was occurred in IKEd, the length of PFKEY
7301 * message is equal to the size of sadb_msg structure.
7302 * We do not raise error even if error occurred in this function.
7303 */
7304 if (mhp->msg->sadb_msg_len == PFKEY_UNIT64(sizeof(struct sadb_msg))) {
7305 /* check sequence number */
7306 if (mhp->msg->sadb_msg_seq == 0 ||
7307 mhp->msg->sadb_msg_errno == 0) {
7308 ipseclog((LOG_DEBUG, "%s: must specify sequence "
7309 "number and errno.\n", __func__));
7310 } else {
7311 /*
7312 * IKEd reported that error occurred.
7313 * XXXAE: what it expects from the kernel?
7314 * Probably we should send SADB_ACQUIRE again?
7315 * If so, reset ACQ's state.
7316 * XXXAE: it looks useless.
7317 */
7318 key_acqreset(mhp->msg->sadb_msg_seq);
7319 }
7320 m_freem(m);
7321 return (0);
7322 }
7323
7324 /*
7325 * This message is from user land.
7326 */
7327
7328 /* map satype to proto */
7329 if ((proto = key_satype2proto(mhp->msg->sadb_msg_satype)) == 0) {
7330 ipseclog((LOG_DEBUG, "%s: invalid satype is passed.\n",
7331 __func__));
7332 return key_senderror(so, m, EINVAL);
7333 }
7334
7335 if (SADB_CHECKHDR(mhp, SADB_EXT_ADDRESS_SRC) ||
7336 SADB_CHECKHDR(mhp, SADB_EXT_ADDRESS_DST) ||
7337 SADB_CHECKHDR(mhp, SADB_EXT_PROPOSAL)) {
7338 ipseclog((LOG_DEBUG,
7339 "%s: invalid message: missing required header.\n",
7340 __func__));
7341 return key_senderror(so, m, EINVAL);
7342 }
7343 if (SADB_CHECKLEN(mhp, SADB_EXT_ADDRESS_SRC) ||
7344 SADB_CHECKLEN(mhp, SADB_EXT_ADDRESS_DST) ||
7345 SADB_CHECKLEN(mhp, SADB_EXT_PROPOSAL)) {
7346 ipseclog((LOG_DEBUG,
7347 "%s: invalid message: wrong header size.\n", __func__));
7348 return key_senderror(so, m, EINVAL);
7349 }
7350
7351 if (SADB_CHECKHDR(mhp, SADB_X_EXT_SA2)) {
7352 mode = IPSEC_MODE_ANY;
7353 reqid = 0;
7354 } else {
7355 if (SADB_CHECKLEN(mhp, SADB_X_EXT_SA2)) {
7356 ipseclog((LOG_DEBUG,
7357 "%s: invalid message: wrong header size.\n",
7358 __func__));
7359 return key_senderror(so, m, EINVAL);
7360 }
7361 mode = ((struct sadb_x_sa2 *)
7362 mhp->ext[SADB_X_EXT_SA2])->sadb_x_sa2_mode;
7363 reqid = ((struct sadb_x_sa2 *)
7364 mhp->ext[SADB_X_EXT_SA2])->sadb_x_sa2_reqid;
7365 }
7366
7367 src0 = (struct sadb_address *)mhp->ext[SADB_EXT_ADDRESS_SRC];
7368 dst0 = (struct sadb_address *)mhp->ext[SADB_EXT_ADDRESS_DST];
7369
7370 error = key_checksockaddrs((struct sockaddr *)(src0 + 1),
7371 (struct sockaddr *)(dst0 + 1));
7372 if (error != 0) {
7373 ipseclog((LOG_DEBUG, "%s: invalid sockaddr.\n", __func__));
7374 return key_senderror(so, m, EINVAL);
7375 }
7376 KEY_SETSECASIDX(proto, mode, reqid, src0 + 1, dst0 + 1, &saidx);
7377
7378 /* get a SA index */
7379 SAHTREE_RLOCK();
7380 LIST_FOREACH(sah, SAHADDRHASH_HASH(&saidx), addrhash) {
7381 if (key_cmpsaidx(&sah->saidx, &saidx, CMP_MODE_REQID))
7382 break;
7383 }
7384 SAHTREE_RUNLOCK();
7385 if (sah != NULL) {
7386 ipseclog((LOG_DEBUG, "%s: a SA exists already.\n", __func__));
7387 return key_senderror(so, m, EEXIST);
7388 }
7389
7390 error = key_acquire(&saidx, NULL);
7391 if (error != 0) {
7392 ipseclog((LOG_DEBUG,
7393 "%s: error %d returned from key_acquire()\n",
7394 __func__, error));
7395 return key_senderror(so, m, error);
7396 }
7397 m_freem(m);
7398 return (0);
7399 }
7400
7401 /*
7402 * SADB_REGISTER processing.
7403 * If SATYPE_UNSPEC has been passed as satype, only return sabd_supported.
7404 * receive
7405 * <base>
7406 * from the ikmpd, and register a socket to send PF_KEY messages,
7407 * and send
7408 * <base, supported>
7409 * to KMD by PF_KEY.
7410 * If socket is detached, must free from regnode.
7411 *
7412 * m will always be freed.
7413 */
7414 static int
key_register(struct socket * so,struct mbuf * m,const struct sadb_msghdr * mhp)7415 key_register(struct socket *so, struct mbuf *m, const struct sadb_msghdr *mhp)
7416 {
7417 struct secreg *reg, *newreg = NULL;
7418
7419 IPSEC_ASSERT(so != NULL, ("null socket"));
7420 IPSEC_ASSERT(m != NULL, ("null mbuf"));
7421 IPSEC_ASSERT(mhp != NULL, ("null msghdr"));
7422 IPSEC_ASSERT(mhp->msg != NULL, ("null msg"));
7423
7424 /* check for invalid register message */
7425 if (mhp->msg->sadb_msg_satype >= sizeof(V_regtree)/sizeof(V_regtree[0]))
7426 return key_senderror(so, m, EINVAL);
7427
7428 /* When SATYPE_UNSPEC is specified, only return sabd_supported. */
7429 if (mhp->msg->sadb_msg_satype == SADB_SATYPE_UNSPEC)
7430 goto setmsg;
7431
7432 /* check whether existing or not */
7433 REGTREE_LOCK();
7434 LIST_FOREACH(reg, &V_regtree[mhp->msg->sadb_msg_satype], chain) {
7435 if (reg->so == so) {
7436 REGTREE_UNLOCK();
7437 ipseclog((LOG_DEBUG, "%s: socket exists already.\n",
7438 __func__));
7439 return key_senderror(so, m, EEXIST);
7440 }
7441 }
7442
7443 /* create regnode */
7444 newreg = malloc(sizeof(struct secreg), M_IPSEC_SAR, M_NOWAIT|M_ZERO);
7445 if (newreg == NULL) {
7446 REGTREE_UNLOCK();
7447 ipseclog((LOG_DEBUG, "%s: No more memory.\n", __func__));
7448 return key_senderror(so, m, ENOBUFS);
7449 }
7450
7451 newreg->so = so;
7452 ((struct keycb *)(so->so_pcb))->kp_registered++;
7453
7454 /* add regnode to regtree. */
7455 LIST_INSERT_HEAD(&V_regtree[mhp->msg->sadb_msg_satype], newreg, chain);
7456 REGTREE_UNLOCK();
7457
7458 setmsg:
7459 {
7460 struct mbuf *n;
7461 struct sadb_msg *newmsg;
7462 struct sadb_supported *sup;
7463 u_int len, alen, elen;
7464 int off;
7465 int i;
7466 struct sadb_alg *alg;
7467
7468 /* create new sadb_msg to reply. */
7469 alen = 0;
7470 for (i = 1; i <= SADB_AALG_MAX; i++) {
7471 if (auth_algorithm_lookup(i))
7472 alen += sizeof(struct sadb_alg);
7473 }
7474 if (alen)
7475 alen += sizeof(struct sadb_supported);
7476 elen = 0;
7477 for (i = 1; i <= SADB_EALG_MAX; i++) {
7478 if (enc_algorithm_lookup(i))
7479 elen += sizeof(struct sadb_alg);
7480 }
7481 if (elen)
7482 elen += sizeof(struct sadb_supported);
7483
7484 len = sizeof(struct sadb_msg) + alen + elen;
7485
7486 if (len > MCLBYTES)
7487 return key_senderror(so, m, ENOBUFS);
7488
7489 n = key_mget(len);
7490 if (n == NULL)
7491 return key_senderror(so, m, ENOBUFS);
7492
7493 n->m_pkthdr.len = n->m_len = len;
7494 n->m_next = NULL;
7495 off = 0;
7496
7497 m_copydata(m, 0, sizeof(struct sadb_msg), mtod(n, caddr_t) + off);
7498 newmsg = mtod(n, struct sadb_msg *);
7499 newmsg->sadb_msg_errno = 0;
7500 newmsg->sadb_msg_len = PFKEY_UNIT64(len);
7501 off += PFKEY_ALIGN8(sizeof(struct sadb_msg));
7502
7503 /* for authentication algorithm */
7504 if (alen) {
7505 sup = (struct sadb_supported *)(mtod(n, caddr_t) + off);
7506 sup->sadb_supported_len = PFKEY_UNIT64(alen);
7507 sup->sadb_supported_exttype = SADB_EXT_SUPPORTED_AUTH;
7508 off += PFKEY_ALIGN8(sizeof(*sup));
7509
7510 for (i = 1; i <= SADB_AALG_MAX; i++) {
7511 const struct auth_hash *aalgo;
7512 u_int16_t minkeysize, maxkeysize;
7513
7514 aalgo = auth_algorithm_lookup(i);
7515 if (!aalgo)
7516 continue;
7517 alg = (struct sadb_alg *)(mtod(n, caddr_t) + off);
7518 alg->sadb_alg_id = i;
7519 alg->sadb_alg_ivlen = 0;
7520 key_getsizes_ah(aalgo, i, &minkeysize, &maxkeysize);
7521 alg->sadb_alg_minbits = _BITS(minkeysize);
7522 alg->sadb_alg_maxbits = _BITS(maxkeysize);
7523 off += PFKEY_ALIGN8(sizeof(*alg));
7524 }
7525 }
7526
7527 /* for encryption algorithm */
7528 if (elen) {
7529 sup = (struct sadb_supported *)(mtod(n, caddr_t) + off);
7530 sup->sadb_supported_len = PFKEY_UNIT64(elen);
7531 sup->sadb_supported_exttype = SADB_EXT_SUPPORTED_ENCRYPT;
7532 off += PFKEY_ALIGN8(sizeof(*sup));
7533
7534 for (i = 1; i <= SADB_EALG_MAX; i++) {
7535 const struct enc_xform *ealgo;
7536
7537 ealgo = enc_algorithm_lookup(i);
7538 if (!ealgo)
7539 continue;
7540 alg = (struct sadb_alg *)(mtod(n, caddr_t) + off);
7541 alg->sadb_alg_id = i;
7542 alg->sadb_alg_ivlen = ealgo->ivsize;
7543 alg->sadb_alg_minbits = _BITS(ealgo->minkey);
7544 alg->sadb_alg_maxbits = _BITS(ealgo->maxkey);
7545 off += PFKEY_ALIGN8(sizeof(struct sadb_alg));
7546 }
7547 }
7548
7549 IPSEC_ASSERT(off == len,
7550 ("length assumption failed (off %u len %u)", off, len));
7551
7552 m_freem(m);
7553 return key_sendup_mbuf(so, n, KEY_SENDUP_REGISTERED);
7554 }
7555 }
7556
7557 /*
7558 * free secreg entry registered.
7559 * XXX: I want to do free a socket marked done SADB_RESIGER to socket.
7560 */
7561 void
key_freereg(struct socket * so)7562 key_freereg(struct socket *so)
7563 {
7564 struct secreg *reg;
7565 int i;
7566
7567 IPSEC_ASSERT(so != NULL, ("NULL so"));
7568
7569 /*
7570 * check whether existing or not.
7571 * check all type of SA, because there is a potential that
7572 * one socket is registered to multiple type of SA.
7573 */
7574 REGTREE_LOCK();
7575 for (i = 0; i <= SADB_SATYPE_MAX; i++) {
7576 LIST_FOREACH(reg, &V_regtree[i], chain) {
7577 if (reg->so == so && __LIST_CHAINED(reg)) {
7578 LIST_REMOVE(reg, chain);
7579 free(reg, M_IPSEC_SAR);
7580 break;
7581 }
7582 }
7583 }
7584 REGTREE_UNLOCK();
7585 }
7586
7587 /*
7588 * SADB_EXPIRE processing
7589 * send
7590 * <base, SA, SA2, lifetime(C and one of HS), address(SD)>
7591 * to KMD by PF_KEY.
7592 * NOTE: We send only soft lifetime extension.
7593 *
7594 * OUT: 0 : succeed
7595 * others : error number
7596 */
7597 static int
key_expire(struct secasvar * sav,int hard)7598 key_expire(struct secasvar *sav, int hard)
7599 {
7600 struct mbuf *result = NULL, *m;
7601 struct sadb_lifetime *lt;
7602 uint32_t replay_count;
7603 int error, len;
7604 uint8_t satype;
7605
7606 SECASVAR_RLOCK_TRACKER;
7607
7608 IPSEC_ASSERT (sav != NULL, ("null sav"));
7609 IPSEC_ASSERT (sav->sah != NULL, ("null sa header"));
7610
7611 KEYDBG(KEY_STAMP,
7612 printf("%s: SA(%p) expired %s lifetime\n", __func__,
7613 sav, hard ? "hard": "soft"));
7614 KEYDBG(KEY_DATA, kdebug_secasv(sav));
7615 /* set msg header */
7616 satype = key_proto2satype(sav->sah->saidx.proto);
7617 IPSEC_ASSERT(satype != 0, ("invalid proto, satype %u", satype));
7618 m = key_setsadbmsg(SADB_EXPIRE, 0, satype, sav->seq, 0, sav->refcnt);
7619 if (!m) {
7620 error = ENOBUFS;
7621 goto fail;
7622 }
7623 result = m;
7624
7625 /* create SA extension */
7626 m = key_setsadbsa(sav);
7627 if (!m) {
7628 error = ENOBUFS;
7629 goto fail;
7630 }
7631 m_cat(result, m);
7632
7633 /* create SA extension */
7634 SECASVAR_RLOCK(sav);
7635 replay_count = sav->replay ? sav->replay->count : 0;
7636 SECASVAR_RUNLOCK(sav);
7637
7638 m = key_setsadbxsa2(sav->sah->saidx.mode, replay_count,
7639 sav->sah->saidx.reqid);
7640 if (!m) {
7641 error = ENOBUFS;
7642 goto fail;
7643 }
7644 m_cat(result, m);
7645
7646 if (sav->replay && sav->replay->wsize > UINT8_MAX) {
7647 m = key_setsadbxsareplay(sav->replay->wsize);
7648 if (!m) {
7649 error = ENOBUFS;
7650 goto fail;
7651 }
7652 m_cat(result, m);
7653 }
7654
7655 /* create lifetime extension (current and soft) */
7656 len = PFKEY_ALIGN8(sizeof(*lt)) * 2;
7657 m = m_get2(len, M_NOWAIT, MT_DATA, 0);
7658 if (m == NULL) {
7659 error = ENOBUFS;
7660 goto fail;
7661 }
7662 m_align(m, len);
7663 m->m_len = len;
7664 bzero(mtod(m, caddr_t), len);
7665 lt = mtod(m, struct sadb_lifetime *);
7666 lt->sadb_lifetime_len = PFKEY_UNIT64(sizeof(struct sadb_lifetime));
7667 lt->sadb_lifetime_exttype = SADB_EXT_LIFETIME_CURRENT;
7668 lt->sadb_lifetime_allocations =
7669 (uint32_t)counter_u64_fetch(sav->lft_c_allocations);
7670 lt->sadb_lifetime_bytes =
7671 counter_u64_fetch(sav->lft_c_bytes);
7672 lt->sadb_lifetime_addtime = sav->created;
7673 lt->sadb_lifetime_usetime = sav->firstused;
7674 lt = (struct sadb_lifetime *)(mtod(m, caddr_t) + len / 2);
7675 lt->sadb_lifetime_len = PFKEY_UNIT64(sizeof(struct sadb_lifetime));
7676 if (hard) {
7677 lt->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD;
7678 lt->sadb_lifetime_allocations = sav->lft_h->allocations;
7679 lt->sadb_lifetime_bytes = sav->lft_h->bytes;
7680 lt->sadb_lifetime_addtime = sav->lft_h->addtime;
7681 lt->sadb_lifetime_usetime = sav->lft_h->usetime;
7682 } else {
7683 lt->sadb_lifetime_exttype = SADB_EXT_LIFETIME_SOFT;
7684 lt->sadb_lifetime_allocations = sav->lft_s->allocations;
7685 lt->sadb_lifetime_bytes = sav->lft_s->bytes;
7686 lt->sadb_lifetime_addtime = sav->lft_s->addtime;
7687 lt->sadb_lifetime_usetime = sav->lft_s->usetime;
7688 }
7689 m_cat(result, m);
7690
7691 /* set sadb_address for source */
7692 m = key_setsadbaddr(SADB_EXT_ADDRESS_SRC,
7693 &sav->sah->saidx.src.sa,
7694 FULLMASK, IPSEC_ULPROTO_ANY);
7695 if (!m) {
7696 error = ENOBUFS;
7697 goto fail;
7698 }
7699 m_cat(result, m);
7700
7701 /* set sadb_address for destination */
7702 m = key_setsadbaddr(SADB_EXT_ADDRESS_DST,
7703 &sav->sah->saidx.dst.sa,
7704 FULLMASK, IPSEC_ULPROTO_ANY);
7705 if (!m) {
7706 error = ENOBUFS;
7707 goto fail;
7708 }
7709 m_cat(result, m);
7710
7711 /*
7712 * XXX-BZ Handle NAT-T extensions here.
7713 * XXXAE: it doesn't seem quite useful. IKEs should not depend on
7714 * this information, we report only significant SA fields.
7715 */
7716
7717 if ((result->m_flags & M_PKTHDR) == 0) {
7718 error = EINVAL;
7719 goto fail;
7720 }
7721
7722 if (result->m_len < sizeof(struct sadb_msg)) {
7723 result = m_pullup(result, sizeof(struct sadb_msg));
7724 if (result == NULL) {
7725 error = ENOBUFS;
7726 goto fail;
7727 }
7728 }
7729
7730 result->m_pkthdr.len = 0;
7731 for (m = result; m; m = m->m_next)
7732 result->m_pkthdr.len += m->m_len;
7733
7734 mtod(result, struct sadb_msg *)->sadb_msg_len =
7735 PFKEY_UNIT64(result->m_pkthdr.len);
7736
7737 return key_sendup_mbuf(NULL, result, KEY_SENDUP_REGISTERED);
7738
7739 fail:
7740 if (result)
7741 m_freem(result);
7742 return error;
7743 }
7744
7745 static void
key_freesah_flushed(struct secashead_queue * flushq)7746 key_freesah_flushed(struct secashead_queue *flushq)
7747 {
7748 struct secashead *sah, *nextsah;
7749 struct secasvar *sav, *nextsav;
7750
7751 sah = TAILQ_FIRST(flushq);
7752 while (sah != NULL) {
7753 sav = TAILQ_FIRST(&sah->savtree_larval);
7754 while (sav != NULL) {
7755 nextsav = TAILQ_NEXT(sav, chain);
7756 TAILQ_REMOVE(&sah->savtree_larval, sav, chain);
7757 key_freesav(&sav); /* release last reference */
7758 key_freesah(&sah); /* release reference from SAV */
7759 sav = nextsav;
7760 }
7761 sav = TAILQ_FIRST(&sah->savtree_alive);
7762 while (sav != NULL) {
7763 nextsav = TAILQ_NEXT(sav, chain);
7764 TAILQ_REMOVE(&sah->savtree_alive, sav, chain);
7765 key_freesav(&sav); /* release last reference */
7766 key_freesah(&sah); /* release reference from SAV */
7767 sav = nextsav;
7768 }
7769 nextsah = TAILQ_NEXT(sah, chain);
7770 key_freesah(&sah); /* release last reference */
7771 sah = nextsah;
7772 }
7773 }
7774
7775 /*
7776 * SADB_FLUSH processing
7777 * receive
7778 * <base>
7779 * from the ikmpd, and free all entries in secastree.
7780 * and send,
7781 * <base>
7782 * to the ikmpd.
7783 * NOTE: to do is only marking SADB_SASTATE_DEAD.
7784 *
7785 * m will always be freed.
7786 */
7787 static int
key_flush(struct socket * so,struct mbuf * m,const struct sadb_msghdr * mhp)7788 key_flush(struct socket *so, struct mbuf *m, const struct sadb_msghdr *mhp)
7789 {
7790 struct secashead_queue flushq;
7791 struct sadb_msg *newmsg;
7792 struct secashead *sah, *nextsah;
7793 struct secasvar *sav;
7794 uint8_t proto;
7795 int i;
7796
7797 IPSEC_ASSERT(so != NULL, ("null socket"));
7798 IPSEC_ASSERT(mhp != NULL, ("null msghdr"));
7799 IPSEC_ASSERT(mhp->msg != NULL, ("null msg"));
7800
7801 /* map satype to proto */
7802 if ((proto = key_satype2proto(mhp->msg->sadb_msg_satype)) == 0) {
7803 ipseclog((LOG_DEBUG, "%s: invalid satype is passed.\n",
7804 __func__));
7805 return key_senderror(so, m, EINVAL);
7806 }
7807 KEYDBG(KEY_STAMP,
7808 printf("%s: proto %u\n", __func__, proto));
7809
7810 TAILQ_INIT(&flushq);
7811 if (proto == IPSEC_PROTO_ANY) {
7812 /* no SATYPE specified, i.e. flushing all SA. */
7813 SAHTREE_WLOCK();
7814 /* Move all SAHs into flushq */
7815 TAILQ_CONCAT(&flushq, &V_sahtree, chain);
7816 /* Flush all buckets in SPI hash */
7817 for (i = 0; i < V_savhash_mask + 1; i++)
7818 LIST_INIT(&V_savhashtbl[i]);
7819 /* Flush all buckets in SAHADDRHASH */
7820 for (i = 0; i < V_sahaddrhash_mask + 1; i++)
7821 LIST_INIT(&V_sahaddrhashtbl[i]);
7822 /* Mark all SAHs as unlinked */
7823 TAILQ_FOREACH(sah, &flushq, chain) {
7824 sah->state = SADB_SASTATE_DEAD;
7825 /*
7826 * Callout handler makes its job using
7827 * RLOCK and drain queues. In case, when this
7828 * function will be called just before it
7829 * acquires WLOCK, we need to mark SAs as
7830 * unlinked to prevent second unlink.
7831 */
7832 TAILQ_FOREACH(sav, &sah->savtree_larval, chain) {
7833 sav->state = SADB_SASTATE_DEAD;
7834 ipsec_accel_forget_sav(sav);
7835 }
7836 TAILQ_FOREACH(sav, &sah->savtree_alive, chain) {
7837 sav->state = SADB_SASTATE_DEAD;
7838 ipsec_accel_forget_sav(sav);
7839 }
7840 }
7841 SAHTREE_WUNLOCK();
7842 } else {
7843 SAHTREE_WLOCK();
7844 sah = TAILQ_FIRST(&V_sahtree);
7845 while (sah != NULL) {
7846 IPSEC_ASSERT(sah->state != SADB_SASTATE_DEAD,
7847 ("DEAD SAH %p in SADB_FLUSH", sah));
7848 nextsah = TAILQ_NEXT(sah, chain);
7849 if (sah->saidx.proto != proto) {
7850 sah = nextsah;
7851 continue;
7852 }
7853 sah->state = SADB_SASTATE_DEAD;
7854 TAILQ_REMOVE(&V_sahtree, sah, chain);
7855 LIST_REMOVE(sah, addrhash);
7856 /* Unlink all SAs from SPI hash */
7857 TAILQ_FOREACH(sav, &sah->savtree_larval, chain) {
7858 LIST_REMOVE(sav, spihash);
7859 sav->state = SADB_SASTATE_DEAD;
7860 ipsec_accel_forget_sav(sav);
7861 }
7862 TAILQ_FOREACH(sav, &sah->savtree_alive, chain) {
7863 LIST_REMOVE(sav, spihash);
7864 sav->state = SADB_SASTATE_DEAD;
7865 ipsec_accel_forget_sav(sav);
7866 }
7867 /* Add SAH into flushq */
7868 TAILQ_INSERT_HEAD(&flushq, sah, chain);
7869 sah = nextsah;
7870 }
7871 SAHTREE_WUNLOCK();
7872 }
7873
7874 key_freesah_flushed(&flushq);
7875 /* Free all queued SAs and SAHs */
7876 if (m->m_len < sizeof(struct sadb_msg) ||
7877 sizeof(struct sadb_msg) > m->m_len + M_TRAILINGSPACE(m)) {
7878 ipseclog((LOG_DEBUG, "%s: No more memory.\n", __func__));
7879 return key_senderror(so, m, ENOBUFS);
7880 }
7881
7882 if (m->m_next)
7883 m_freem(m->m_next);
7884 m->m_next = NULL;
7885 m->m_pkthdr.len = m->m_len = sizeof(struct sadb_msg);
7886 newmsg = mtod(m, struct sadb_msg *);
7887 newmsg->sadb_msg_errno = 0;
7888 newmsg->sadb_msg_len = PFKEY_UNIT64(m->m_pkthdr.len);
7889
7890 return key_sendup_mbuf(so, m, KEY_SENDUP_ALL);
7891 }
7892
7893 /*
7894 * SADB_DUMP processing
7895 * dump all entries including status of DEAD in SAD.
7896 * receive
7897 * <base>
7898 * from the ikmpd, and dump all secasvar leaves
7899 * and send,
7900 * <base> .....
7901 * to the ikmpd.
7902 *
7903 * m will always be freed.
7904 */
7905 static int
key_dump(struct socket * so,struct mbuf * m,const struct sadb_msghdr * mhp)7906 key_dump(struct socket *so, struct mbuf *m, const struct sadb_msghdr *mhp)
7907 {
7908 SAHTREE_RLOCK_TRACKER;
7909 struct secashead *sah;
7910 struct secasvar *sav;
7911 struct mbuf *n;
7912 uint32_t cnt;
7913 uint8_t proto, satype;
7914
7915 IPSEC_ASSERT(so != NULL, ("null socket"));
7916 IPSEC_ASSERT(m != NULL, ("null mbuf"));
7917 IPSEC_ASSERT(mhp != NULL, ("null msghdr"));
7918 IPSEC_ASSERT(mhp->msg != NULL, ("null msg"));
7919
7920 /* map satype to proto */
7921 if ((proto = key_satype2proto(mhp->msg->sadb_msg_satype)) == 0) {
7922 ipseclog((LOG_DEBUG, "%s: invalid satype is passed.\n",
7923 __func__));
7924 return key_senderror(so, m, EINVAL);
7925 }
7926
7927 /* count sav entries to be sent to the userland. */
7928 cnt = 0;
7929 IFNET_RLOCK();
7930 SAHTREE_RLOCK();
7931 TAILQ_FOREACH(sah, &V_sahtree, chain) {
7932 if (mhp->msg->sadb_msg_satype != SADB_SATYPE_UNSPEC &&
7933 proto != sah->saidx.proto)
7934 continue;
7935
7936 TAILQ_FOREACH(sav, &sah->savtree_larval, chain)
7937 cnt++;
7938 TAILQ_FOREACH(sav, &sah->savtree_alive, chain)
7939 cnt++;
7940 }
7941
7942 if (cnt == 0) {
7943 SAHTREE_RUNLOCK();
7944 IFNET_RUNLOCK();
7945 return key_senderror(so, m, ENOENT);
7946 }
7947
7948 /* send this to the userland, one at a time. */
7949 TAILQ_FOREACH(sah, &V_sahtree, chain) {
7950 if (mhp->msg->sadb_msg_satype != SADB_SATYPE_UNSPEC &&
7951 proto != sah->saidx.proto)
7952 continue;
7953
7954 /* map proto to satype */
7955 if ((satype = key_proto2satype(sah->saidx.proto)) == 0) {
7956 SAHTREE_RUNLOCK();
7957 IFNET_RUNLOCK();
7958 ipseclog((LOG_DEBUG, "%s: there was invalid proto in "
7959 "SAD.\n", __func__));
7960 return key_senderror(so, m, EINVAL);
7961 }
7962 TAILQ_FOREACH(sav, &sah->savtree_larval, chain) {
7963 n = key_setdumpsa(sav, SADB_DUMP, satype,
7964 --cnt, mhp->msg->sadb_msg_pid, &sahtree_tracker);
7965 if (n == NULL) {
7966 SAHTREE_RUNLOCK();
7967 IFNET_RUNLOCK();
7968 return key_senderror(so, m, ENOBUFS);
7969 }
7970 key_sendup_mbuf(so, n, KEY_SENDUP_ONE);
7971 }
7972 TAILQ_FOREACH(sav, &sah->savtree_alive, chain) {
7973 n = key_setdumpsa(sav, SADB_DUMP, satype,
7974 --cnt, mhp->msg->sadb_msg_pid, &sahtree_tracker);
7975 if (n == NULL) {
7976 SAHTREE_RUNLOCK();
7977 IFNET_RUNLOCK();
7978 return key_senderror(so, m, ENOBUFS);
7979 }
7980 key_sendup_mbuf(so, n, KEY_SENDUP_ONE);
7981 }
7982 }
7983 SAHTREE_RUNLOCK();
7984 IFNET_RUNLOCK();
7985 m_freem(m);
7986 return (0);
7987 }
7988 /*
7989 * SADB_X_PROMISC processing
7990 *
7991 * m will always be freed.
7992 */
7993 static int
key_promisc(struct socket * so,struct mbuf * m,const struct sadb_msghdr * mhp)7994 key_promisc(struct socket *so, struct mbuf *m, const struct sadb_msghdr *mhp)
7995 {
7996 int olen;
7997
7998 IPSEC_ASSERT(so != NULL, ("null socket"));
7999 IPSEC_ASSERT(m != NULL, ("null mbuf"));
8000 IPSEC_ASSERT(mhp != NULL, ("null msghdr"));
8001 IPSEC_ASSERT(mhp->msg != NULL, ("null msg"));
8002
8003 olen = PFKEY_UNUNIT64(mhp->msg->sadb_msg_len);
8004
8005 if (olen < sizeof(struct sadb_msg)) {
8006 #if 1
8007 return key_senderror(so, m, EINVAL);
8008 #else
8009 m_freem(m);
8010 return 0;
8011 #endif
8012 } else if (olen == sizeof(struct sadb_msg)) {
8013 /* enable/disable promisc mode */
8014 struct keycb *kp;
8015
8016 if ((kp = so->so_pcb) == NULL)
8017 return key_senderror(so, m, EINVAL);
8018 mhp->msg->sadb_msg_errno = 0;
8019 switch (mhp->msg->sadb_msg_satype) {
8020 case 0:
8021 case 1:
8022 kp->kp_promisc = mhp->msg->sadb_msg_satype;
8023 break;
8024 default:
8025 return key_senderror(so, m, EINVAL);
8026 }
8027
8028 /* send the original message back to everyone */
8029 mhp->msg->sadb_msg_errno = 0;
8030 return key_sendup_mbuf(so, m, KEY_SENDUP_ALL);
8031 } else {
8032 /* send packet as is */
8033
8034 m_adj(m, PFKEY_ALIGN8(sizeof(struct sadb_msg)));
8035
8036 /* TODO: if sadb_msg_seq is specified, send to specific pid */
8037 return key_sendup_mbuf(so, m, KEY_SENDUP_ALL);
8038 }
8039 }
8040
8041 static int (*key_typesw[])(struct socket *, struct mbuf *,
8042 const struct sadb_msghdr *) = {
8043 [SADB_RESERVED] = NULL,
8044 [SADB_GETSPI] = key_getspi,
8045 [SADB_UPDATE] = key_update,
8046 [SADB_ADD] = key_add,
8047 [SADB_DELETE] = key_delete,
8048 [SADB_GET] = key_get,
8049 [SADB_ACQUIRE] = key_acquire2,
8050 [SADB_REGISTER] = key_register,
8051 [SADB_EXPIRE] = NULL,
8052 [SADB_FLUSH] = key_flush,
8053 [SADB_DUMP] = key_dump,
8054 [SADB_X_PROMISC] = key_promisc,
8055 [SADB_X_PCHANGE] = NULL,
8056 [SADB_X_SPDUPDATE] = key_spdadd,
8057 [SADB_X_SPDADD] = key_spdadd,
8058 [SADB_X_SPDDELETE] = key_spddelete,
8059 [SADB_X_SPDGET] = key_spdget,
8060 [SADB_X_SPDACQUIRE] = NULL,
8061 [SADB_X_SPDDUMP] = key_spddump,
8062 [SADB_X_SPDFLUSH] = key_spdflush,
8063 [SADB_X_SPDSETIDX] = key_spdadd,
8064 [SADB_X_SPDEXPIRE] = NULL,
8065 [SADB_X_SPDDELETE2] = key_spddelete2,
8066 };
8067
8068 /*
8069 * parse sadb_msg buffer to process PFKEYv2,
8070 * and create a data to response if needed.
8071 * I think to be dealed with mbuf directly.
8072 * IN:
8073 * msgp : pointer to pointer to a received buffer pulluped.
8074 * This is rewrited to response.
8075 * so : pointer to socket.
8076 * OUT:
8077 * length for buffer to send to user process.
8078 */
8079 int
key_parse(struct mbuf * m,struct socket * so)8080 key_parse(struct mbuf *m, struct socket *so)
8081 {
8082 struct sadb_msg *msg;
8083 struct sadb_msghdr mh;
8084 u_int orglen;
8085 int error;
8086 int target;
8087
8088 IPSEC_ASSERT(so != NULL, ("null socket"));
8089 IPSEC_ASSERT(m != NULL, ("null mbuf"));
8090
8091 if (m->m_len < sizeof(struct sadb_msg)) {
8092 m = m_pullup(m, sizeof(struct sadb_msg));
8093 if (!m)
8094 return ENOBUFS;
8095 }
8096 msg = mtod(m, struct sadb_msg *);
8097 orglen = PFKEY_UNUNIT64(msg->sadb_msg_len);
8098 target = KEY_SENDUP_ONE;
8099
8100 if ((m->m_flags & M_PKTHDR) == 0 || m->m_pkthdr.len != orglen) {
8101 ipseclog((LOG_DEBUG, "%s: invalid message length.\n",__func__));
8102 PFKEYSTAT_INC(out_invlen);
8103 error = EINVAL;
8104 goto senderror;
8105 }
8106
8107 if (msg->sadb_msg_version != PF_KEY_V2) {
8108 ipseclog((LOG_DEBUG, "%s: PF_KEY version %u is mismatched.\n",
8109 __func__, msg->sadb_msg_version));
8110 PFKEYSTAT_INC(out_invver);
8111 error = EINVAL;
8112 goto senderror;
8113 }
8114
8115 if (msg->sadb_msg_type > SADB_MAX) {
8116 ipseclog((LOG_DEBUG, "%s: invalid type %u is passed.\n",
8117 __func__, msg->sadb_msg_type));
8118 PFKEYSTAT_INC(out_invmsgtype);
8119 error = EINVAL;
8120 goto senderror;
8121 }
8122
8123 /* for old-fashioned code - should be nuked */
8124 if (m->m_pkthdr.len > MCLBYTES) {
8125 m_freem(m);
8126 return ENOBUFS;
8127 }
8128 if (m->m_next) {
8129 struct mbuf *n;
8130
8131 n = key_mget(m->m_pkthdr.len);
8132 if (n == NULL) {
8133 m_freem(m);
8134 return ENOBUFS;
8135 }
8136 m_copydata(m, 0, m->m_pkthdr.len, mtod(n, caddr_t));
8137 n->m_pkthdr.len = n->m_len = m->m_pkthdr.len;
8138 n->m_next = NULL;
8139 m_freem(m);
8140 m = n;
8141 }
8142
8143 /* align the mbuf chain so that extensions are in contiguous region. */
8144 error = key_align(m, &mh);
8145 if (error)
8146 return error;
8147
8148 msg = mh.msg;
8149
8150 /* We use satype as scope mask for spddump */
8151 if (msg->sadb_msg_type == SADB_X_SPDDUMP) {
8152 switch (msg->sadb_msg_satype) {
8153 case IPSEC_POLICYSCOPE_ANY:
8154 case IPSEC_POLICYSCOPE_GLOBAL:
8155 case IPSEC_POLICYSCOPE_IFNET:
8156 case IPSEC_POLICYSCOPE_PCB:
8157 break;
8158 default:
8159 ipseclog((LOG_DEBUG, "%s: illegal satype=%u\n",
8160 __func__, msg->sadb_msg_type));
8161 PFKEYSTAT_INC(out_invsatype);
8162 error = EINVAL;
8163 goto senderror;
8164 }
8165 } else {
8166 switch (msg->sadb_msg_satype) { /* check SA type */
8167 case SADB_SATYPE_UNSPEC:
8168 switch (msg->sadb_msg_type) {
8169 case SADB_GETSPI:
8170 case SADB_UPDATE:
8171 case SADB_ADD:
8172 case SADB_DELETE:
8173 case SADB_GET:
8174 case SADB_ACQUIRE:
8175 case SADB_EXPIRE:
8176 ipseclog((LOG_DEBUG, "%s: must specify satype "
8177 "when msg type=%u.\n", __func__,
8178 msg->sadb_msg_type));
8179 PFKEYSTAT_INC(out_invsatype);
8180 error = EINVAL;
8181 goto senderror;
8182 }
8183 break;
8184 case SADB_SATYPE_AH:
8185 case SADB_SATYPE_ESP:
8186 case SADB_X_SATYPE_IPCOMP:
8187 case SADB_X_SATYPE_TCPSIGNATURE:
8188 switch (msg->sadb_msg_type) {
8189 case SADB_X_SPDADD:
8190 case SADB_X_SPDDELETE:
8191 case SADB_X_SPDGET:
8192 case SADB_X_SPDFLUSH:
8193 case SADB_X_SPDSETIDX:
8194 case SADB_X_SPDUPDATE:
8195 case SADB_X_SPDDELETE2:
8196 ipseclog((LOG_DEBUG, "%s: illegal satype=%u\n",
8197 __func__, msg->sadb_msg_type));
8198 PFKEYSTAT_INC(out_invsatype);
8199 error = EINVAL;
8200 goto senderror;
8201 }
8202 break;
8203 case SADB_SATYPE_RSVP:
8204 case SADB_SATYPE_OSPFV2:
8205 case SADB_SATYPE_RIPV2:
8206 case SADB_SATYPE_MIP:
8207 ipseclog((LOG_DEBUG, "%s: type %u isn't supported.\n",
8208 __func__, msg->sadb_msg_satype));
8209 PFKEYSTAT_INC(out_invsatype);
8210 error = EOPNOTSUPP;
8211 goto senderror;
8212 case 1: /* XXX: What does it do? */
8213 if (msg->sadb_msg_type == SADB_X_PROMISC)
8214 break;
8215 /*FALLTHROUGH*/
8216 default:
8217 ipseclog((LOG_DEBUG, "%s: invalid type %u is passed.\n",
8218 __func__, msg->sadb_msg_satype));
8219 PFKEYSTAT_INC(out_invsatype);
8220 error = EINVAL;
8221 goto senderror;
8222 }
8223 }
8224
8225 /* check field of upper layer protocol and address family */
8226 if (mh.ext[SADB_EXT_ADDRESS_SRC] != NULL
8227 && mh.ext[SADB_EXT_ADDRESS_DST] != NULL) {
8228 struct sadb_address *src0, *dst0;
8229 u_int plen;
8230
8231 src0 = (struct sadb_address *)(mh.ext[SADB_EXT_ADDRESS_SRC]);
8232 dst0 = (struct sadb_address *)(mh.ext[SADB_EXT_ADDRESS_DST]);
8233
8234 /* check upper layer protocol */
8235 if (src0->sadb_address_proto != dst0->sadb_address_proto) {
8236 ipseclog((LOG_DEBUG, "%s: upper layer protocol "
8237 "mismatched.\n", __func__));
8238 PFKEYSTAT_INC(out_invaddr);
8239 error = EINVAL;
8240 goto senderror;
8241 }
8242
8243 /* check family */
8244 if (PFKEY_ADDR_SADDR(src0)->sa_family !=
8245 PFKEY_ADDR_SADDR(dst0)->sa_family) {
8246 ipseclog((LOG_DEBUG, "%s: address family mismatched.\n",
8247 __func__));
8248 PFKEYSTAT_INC(out_invaddr);
8249 error = EINVAL;
8250 goto senderror;
8251 }
8252 if (PFKEY_ADDR_SADDR(src0)->sa_len !=
8253 PFKEY_ADDR_SADDR(dst0)->sa_len) {
8254 ipseclog((LOG_DEBUG, "%s: address struct size "
8255 "mismatched.\n", __func__));
8256 PFKEYSTAT_INC(out_invaddr);
8257 error = EINVAL;
8258 goto senderror;
8259 }
8260
8261 switch (PFKEY_ADDR_SADDR(src0)->sa_family) {
8262 case AF_INET:
8263 if (PFKEY_ADDR_SADDR(src0)->sa_len !=
8264 sizeof(struct sockaddr_in)) {
8265 PFKEYSTAT_INC(out_invaddr);
8266 error = EINVAL;
8267 goto senderror;
8268 }
8269 break;
8270 case AF_INET6:
8271 if (PFKEY_ADDR_SADDR(src0)->sa_len !=
8272 sizeof(struct sockaddr_in6)) {
8273 PFKEYSTAT_INC(out_invaddr);
8274 error = EINVAL;
8275 goto senderror;
8276 }
8277 break;
8278 default:
8279 ipseclog((LOG_DEBUG, "%s: unsupported address family\n",
8280 __func__));
8281 PFKEYSTAT_INC(out_invaddr);
8282 error = EAFNOSUPPORT;
8283 goto senderror;
8284 }
8285
8286 switch (PFKEY_ADDR_SADDR(src0)->sa_family) {
8287 case AF_INET:
8288 plen = sizeof(struct in_addr) << 3;
8289 break;
8290 case AF_INET6:
8291 plen = sizeof(struct in6_addr) << 3;
8292 break;
8293 default:
8294 plen = 0; /*fool gcc*/
8295 break;
8296 }
8297
8298 /* check max prefix length */
8299 if (src0->sadb_address_prefixlen > plen ||
8300 dst0->sadb_address_prefixlen > plen) {
8301 ipseclog((LOG_DEBUG, "%s: illegal prefixlen.\n",
8302 __func__));
8303 PFKEYSTAT_INC(out_invaddr);
8304 error = EINVAL;
8305 goto senderror;
8306 }
8307
8308 /*
8309 * prefixlen == 0 is valid because there can be a case when
8310 * all addresses are matched.
8311 */
8312 }
8313
8314 if (msg->sadb_msg_type >= nitems(key_typesw) ||
8315 key_typesw[msg->sadb_msg_type] == NULL) {
8316 PFKEYSTAT_INC(out_invmsgtype);
8317 error = EINVAL;
8318 goto senderror;
8319 }
8320
8321 return (*key_typesw[msg->sadb_msg_type])(so, m, &mh);
8322
8323 senderror:
8324 msg->sadb_msg_errno = error;
8325 return key_sendup_mbuf(so, m, target);
8326 }
8327
8328 static int
key_senderror(struct socket * so,struct mbuf * m,int code)8329 key_senderror(struct socket *so, struct mbuf *m, int code)
8330 {
8331 struct sadb_msg *msg;
8332
8333 IPSEC_ASSERT(m->m_len >= sizeof(struct sadb_msg),
8334 ("mbuf too small, len %u", m->m_len));
8335
8336 msg = mtod(m, struct sadb_msg *);
8337 msg->sadb_msg_errno = code;
8338 return key_sendup_mbuf(so, m, KEY_SENDUP_ONE);
8339 }
8340
8341 /*
8342 * set the pointer to each header into message buffer.
8343 * m will be freed on error.
8344 * XXX larger-than-MCLBYTES extension?
8345 */
8346 static int
key_align(struct mbuf * m,struct sadb_msghdr * mhp)8347 key_align(struct mbuf *m, struct sadb_msghdr *mhp)
8348 {
8349 struct mbuf *n;
8350 struct sadb_ext *ext;
8351 size_t off, end;
8352 int extlen;
8353 int toff;
8354
8355 IPSEC_ASSERT(m != NULL, ("null mbuf"));
8356 IPSEC_ASSERT(mhp != NULL, ("null msghdr"));
8357 IPSEC_ASSERT(m->m_len >= sizeof(struct sadb_msg),
8358 ("mbuf too small, len %u", m->m_len));
8359
8360 /* initialize */
8361 bzero(mhp, sizeof(*mhp));
8362
8363 mhp->msg = mtod(m, struct sadb_msg *);
8364 mhp->ext[0] = (struct sadb_ext *)mhp->msg; /*XXX backward compat */
8365
8366 end = PFKEY_UNUNIT64(mhp->msg->sadb_msg_len);
8367 extlen = end; /*just in case extlen is not updated*/
8368 for (off = sizeof(struct sadb_msg); off < end; off += extlen) {
8369 n = m_pulldown(m, off, sizeof(struct sadb_ext), &toff);
8370 if (!n) {
8371 /* m is already freed */
8372 return ENOBUFS;
8373 }
8374 ext = (struct sadb_ext *)(mtod(n, caddr_t) + toff);
8375
8376 /* set pointer */
8377 switch (ext->sadb_ext_type) {
8378 case SADB_EXT_SA:
8379 case SADB_EXT_ADDRESS_SRC:
8380 case SADB_EXT_ADDRESS_DST:
8381 case SADB_EXT_ADDRESS_PROXY:
8382 case SADB_EXT_LIFETIME_CURRENT:
8383 case SADB_EXT_LIFETIME_HARD:
8384 case SADB_EXT_LIFETIME_SOFT:
8385 case SADB_EXT_KEY_AUTH:
8386 case SADB_EXT_KEY_ENCRYPT:
8387 case SADB_EXT_IDENTITY_SRC:
8388 case SADB_EXT_IDENTITY_DST:
8389 case SADB_EXT_SENSITIVITY:
8390 case SADB_EXT_PROPOSAL:
8391 case SADB_EXT_SUPPORTED_AUTH:
8392 case SADB_EXT_SUPPORTED_ENCRYPT:
8393 case SADB_EXT_SPIRANGE:
8394 case SADB_X_EXT_POLICY:
8395 case SADB_X_EXT_SA2:
8396 case SADB_X_EXT_NAT_T_TYPE:
8397 case SADB_X_EXT_NAT_T_SPORT:
8398 case SADB_X_EXT_NAT_T_DPORT:
8399 case SADB_X_EXT_NAT_T_OAI:
8400 case SADB_X_EXT_NAT_T_OAR:
8401 case SADB_X_EXT_NAT_T_FRAG:
8402 case SADB_X_EXT_SA_REPLAY:
8403 case SADB_X_EXT_NEW_ADDRESS_SRC:
8404 case SADB_X_EXT_NEW_ADDRESS_DST:
8405 #ifdef IPSEC_OFFLOAD
8406 case SADB_X_EXT_LFT_CUR_SW_OFFL:
8407 case SADB_X_EXT_LFT_CUR_HW_OFFL:
8408 case SADB_X_EXT_IF_HW_OFFL:
8409 #endif
8410 /* duplicate check */
8411 /*
8412 * XXX Are there duplication payloads of either
8413 * KEY_AUTH or KEY_ENCRYPT ?
8414 */
8415 if (mhp->ext[ext->sadb_ext_type] != NULL) {
8416 ipseclog((LOG_DEBUG, "%s: duplicate ext_type "
8417 "%u\n", __func__, ext->sadb_ext_type));
8418 m_freem(m);
8419 PFKEYSTAT_INC(out_dupext);
8420 return EINVAL;
8421 }
8422 break;
8423 default:
8424 ipseclog((LOG_DEBUG, "%s: invalid ext_type %u\n",
8425 __func__, ext->sadb_ext_type));
8426 m_freem(m);
8427 PFKEYSTAT_INC(out_invexttype);
8428 return EINVAL;
8429 }
8430
8431 extlen = PFKEY_UNUNIT64(ext->sadb_ext_len);
8432
8433 if (key_validate_ext(ext, extlen)) {
8434 m_freem(m);
8435 PFKEYSTAT_INC(out_invlen);
8436 return EINVAL;
8437 }
8438
8439 n = m_pulldown(m, off, extlen, &toff);
8440 if (!n) {
8441 /* m is already freed */
8442 return ENOBUFS;
8443 }
8444 ext = (struct sadb_ext *)(mtod(n, caddr_t) + toff);
8445
8446 mhp->ext[ext->sadb_ext_type] = ext;
8447 mhp->extoff[ext->sadb_ext_type] = off;
8448 mhp->extlen[ext->sadb_ext_type] = extlen;
8449 }
8450
8451 if (off != end) {
8452 m_freem(m);
8453 PFKEYSTAT_INC(out_invlen);
8454 return EINVAL;
8455 }
8456
8457 return 0;
8458 }
8459
8460 static int
key_validate_ext(const struct sadb_ext * ext,int len)8461 key_validate_ext(const struct sadb_ext *ext, int len)
8462 {
8463 const struct sockaddr *sa;
8464 enum { NONE, ADDR } checktype = NONE;
8465 int baselen = 0;
8466 const int sal = offsetof(struct sockaddr, sa_len) + sizeof(sa->sa_len);
8467
8468 if (len != PFKEY_UNUNIT64(ext->sadb_ext_len))
8469 return EINVAL;
8470
8471 /* if it does not match minimum/maximum length, bail */
8472 if (ext->sadb_ext_type >= nitems(minsize) ||
8473 ext->sadb_ext_type >= nitems(maxsize))
8474 return EINVAL;
8475 if (!minsize[ext->sadb_ext_type] || len < minsize[ext->sadb_ext_type])
8476 return EINVAL;
8477 if (maxsize[ext->sadb_ext_type] && len > maxsize[ext->sadb_ext_type])
8478 return EINVAL;
8479
8480 /* more checks based on sadb_ext_type XXX need more */
8481 switch (ext->sadb_ext_type) {
8482 case SADB_EXT_ADDRESS_SRC:
8483 case SADB_EXT_ADDRESS_DST:
8484 case SADB_EXT_ADDRESS_PROXY:
8485 case SADB_X_EXT_NAT_T_OAI:
8486 case SADB_X_EXT_NAT_T_OAR:
8487 case SADB_X_EXT_NEW_ADDRESS_SRC:
8488 case SADB_X_EXT_NEW_ADDRESS_DST:
8489 baselen = PFKEY_ALIGN8(sizeof(struct sadb_address));
8490 checktype = ADDR;
8491 break;
8492 case SADB_EXT_IDENTITY_SRC:
8493 case SADB_EXT_IDENTITY_DST:
8494 if (((const struct sadb_ident *)ext)->sadb_ident_type ==
8495 SADB_X_IDENTTYPE_ADDR) {
8496 baselen = PFKEY_ALIGN8(sizeof(struct sadb_ident));
8497 checktype = ADDR;
8498 } else
8499 checktype = NONE;
8500 break;
8501 default:
8502 checktype = NONE;
8503 break;
8504 }
8505
8506 switch (checktype) {
8507 case NONE:
8508 break;
8509 case ADDR:
8510 sa = (const struct sockaddr *)(((const u_int8_t*)ext)+baselen);
8511 if (len < baselen + sal)
8512 return EINVAL;
8513 if (baselen + PFKEY_ALIGN8(sa->sa_len) != len)
8514 return EINVAL;
8515 break;
8516 }
8517
8518 return 0;
8519 }
8520
8521 void
spdcache_init(void)8522 spdcache_init(void)
8523 {
8524 int i;
8525
8526 TUNABLE_INT_FETCH("net.key.spdcache.maxentries",
8527 &V_key_spdcache_maxentries);
8528 TUNABLE_INT_FETCH("net.key.spdcache.threshold",
8529 &V_key_spdcache_threshold);
8530
8531 if (V_key_spdcache_maxentries) {
8532 V_key_spdcache_maxentries = MAX(V_key_spdcache_maxentries,
8533 SPDCACHE_MAX_ENTRIES_PER_HASH);
8534 V_spdcachehashtbl = hashinit(V_key_spdcache_maxentries /
8535 SPDCACHE_MAX_ENTRIES_PER_HASH,
8536 M_IPSEC_SPDCACHE, &V_spdcachehash_mask);
8537 V_key_spdcache_maxentries = (V_spdcachehash_mask + 1)
8538 * SPDCACHE_MAX_ENTRIES_PER_HASH;
8539
8540 V_spdcache_lock = malloc(sizeof(struct mtx) *
8541 (V_spdcachehash_mask + 1),
8542 M_IPSEC_SPDCACHE, M_WAITOK | M_ZERO);
8543
8544 for (i = 0; i < V_spdcachehash_mask + 1; ++i)
8545 SPDCACHE_LOCK_INIT(i);
8546 }
8547 }
8548
8549 struct spdcache_entry *
spdcache_entry_alloc(const struct secpolicyindex * spidx,struct secpolicy * sp)8550 spdcache_entry_alloc(const struct secpolicyindex *spidx, struct secpolicy *sp)
8551 {
8552 struct spdcache_entry *entry;
8553
8554 entry = malloc(sizeof(struct spdcache_entry), M_IPSEC_SPDCACHE,
8555 M_NOWAIT | M_ZERO);
8556 if (entry == NULL)
8557 return (NULL);
8558
8559 if (sp != NULL)
8560 SP_ADDREF(sp);
8561
8562 entry->spidx = *spidx;
8563 entry->sp = sp;
8564
8565 return (entry);
8566 }
8567
8568 void
spdcache_entry_free(struct spdcache_entry * entry)8569 spdcache_entry_free(struct spdcache_entry *entry)
8570 {
8571
8572 if (entry->sp != NULL)
8573 key_freesp(&entry->sp);
8574 free(entry, M_IPSEC_SPDCACHE);
8575 }
8576
8577 void
spdcache_clear(void)8578 spdcache_clear(void)
8579 {
8580 struct spdcache_entry *entry;
8581 int i;
8582
8583 for (i = 0; i < V_spdcachehash_mask + 1; ++i) {
8584 SPDCACHE_LOCK(i);
8585 while (!LIST_EMPTY(&V_spdcachehashtbl[i])) {
8586 entry = LIST_FIRST(&V_spdcachehashtbl[i]);
8587 LIST_REMOVE(entry, chain);
8588 spdcache_entry_free(entry);
8589 }
8590 SPDCACHE_UNLOCK(i);
8591 }
8592 }
8593
8594 #ifdef VIMAGE
8595 void
spdcache_destroy(void)8596 spdcache_destroy(void)
8597 {
8598 int i;
8599
8600 if (SPDCACHE_ENABLED()) {
8601 spdcache_clear();
8602 hashdestroy(V_spdcachehashtbl, M_IPSEC_SPDCACHE, V_spdcachehash_mask);
8603
8604 for (i = 0; i < V_spdcachehash_mask + 1; ++i)
8605 SPDCACHE_LOCK_DESTROY(i);
8606
8607 free(V_spdcache_lock, M_IPSEC_SPDCACHE);
8608 }
8609 }
8610 #endif
8611
8612 static void
key_vnet_init(void * arg __unused)8613 key_vnet_init(void *arg __unused)
8614 {
8615 int i;
8616
8617 for (i = 0; i < IPSEC_DIR_MAX; i++) {
8618 TAILQ_INIT(&V_sptree[i]);
8619 TAILQ_INIT(&V_sptree_ifnet[i]);
8620 }
8621
8622 TAILQ_INIT(&V_sahtree);
8623 V_sphashtbl = hashinit(SPHASH_NHASH, M_IPSEC_SP, &V_sphash_mask);
8624 V_savhashtbl = hashinit(SAVHASH_NHASH, M_IPSEC_SA, &V_savhash_mask);
8625 V_sahaddrhashtbl = hashinit(SAHHASH_NHASH, M_IPSEC_SAH,
8626 &V_sahaddrhash_mask);
8627 V_acqaddrhashtbl = hashinit(ACQHASH_NHASH, M_IPSEC_SAQ,
8628 &V_acqaddrhash_mask);
8629 V_acqseqhashtbl = hashinit(ACQHASH_NHASH, M_IPSEC_SAQ,
8630 &V_acqseqhash_mask);
8631
8632 spdcache_init();
8633
8634 for (i = 0; i <= SADB_SATYPE_MAX; i++)
8635 LIST_INIT(&V_regtree[i]);
8636
8637 LIST_INIT(&V_acqtree);
8638 LIST_INIT(&V_spacqtree);
8639 }
8640 VNET_SYSINIT(key_vnet_init, SI_SUB_PROTO_DOMAIN, SI_ORDER_SECOND,
8641 key_vnet_init, NULL);
8642
8643 static void
key_init(void * arg __unused)8644 key_init(void *arg __unused)
8645 {
8646
8647 ipsec_key_lft_zone = uma_zcreate("IPsec SA lft_c",
8648 sizeof(uint64_t) * 2, NULL, NULL, NULL, NULL,
8649 UMA_ALIGN_PTR, UMA_ZONE_PCPU);
8650
8651 SPTREE_LOCK_INIT();
8652 REGTREE_LOCK_INIT();
8653 SAHTREE_LOCK_INIT();
8654 ACQ_LOCK_INIT();
8655 SPACQ_LOCK_INIT();
8656 SPI_ALLOC_LOCK_INIT();
8657
8658 #ifndef IPSEC_DEBUG2
8659 callout_init(&key_timer, 1);
8660 callout_reset(&key_timer, hz, key_timehandler, NULL);
8661 #endif /*IPSEC_DEBUG2*/
8662
8663 /* initialize key statistics */
8664 keystat.getspi_count = 1;
8665
8666 if (bootverbose)
8667 printf("IPsec: Initialized Security Association Processing.\n");
8668 }
8669 SYSINIT(key_init, SI_SUB_PROTO_DOMAIN, SI_ORDER_FIRST, key_init, NULL);
8670
8671 #ifdef VIMAGE
8672 static void
key_vnet_destroy(void * arg __unused)8673 key_vnet_destroy(void *arg __unused)
8674 {
8675 struct secashead_queue sahdrainq;
8676 struct secpolicy_queue drainq;
8677 struct secpolicy *sp, *nextsp;
8678 struct secacq *acq, *nextacq;
8679 struct secspacq *spacq, *nextspacq;
8680 struct secashead *sah;
8681 struct secasvar *sav;
8682 struct secreg *reg;
8683 int i;
8684
8685 /*
8686 * XXX: can we just call free() for each object without
8687 * walking through safe way with releasing references?
8688 */
8689 TAILQ_INIT(&drainq);
8690 SPTREE_WLOCK();
8691 for (i = 0; i < IPSEC_DIR_MAX; i++) {
8692 TAILQ_CONCAT(&drainq, &V_sptree[i], chain);
8693 TAILQ_CONCAT(&drainq, &V_sptree_ifnet[i], chain);
8694 }
8695 for (i = 0; i < V_sphash_mask + 1; i++)
8696 LIST_INIT(&V_sphashtbl[i]);
8697 SPTREE_WUNLOCK();
8698 spdcache_destroy();
8699
8700 sp = TAILQ_FIRST(&drainq);
8701 while (sp != NULL) {
8702 nextsp = TAILQ_NEXT(sp, chain);
8703 key_freesp(&sp);
8704 sp = nextsp;
8705 }
8706
8707 TAILQ_INIT(&sahdrainq);
8708 SAHTREE_WLOCK();
8709 TAILQ_CONCAT(&sahdrainq, &V_sahtree, chain);
8710 for (i = 0; i < V_savhash_mask + 1; i++)
8711 LIST_INIT(&V_savhashtbl[i]);
8712 for (i = 0; i < V_sahaddrhash_mask + 1; i++)
8713 LIST_INIT(&V_sahaddrhashtbl[i]);
8714 TAILQ_FOREACH(sah, &sahdrainq, chain) {
8715 sah->state = SADB_SASTATE_DEAD;
8716 TAILQ_FOREACH(sav, &sah->savtree_larval, chain) {
8717 sav->state = SADB_SASTATE_DEAD;
8718 ipsec_accel_forget_sav(sav);
8719 }
8720 TAILQ_FOREACH(sav, &sah->savtree_alive, chain) {
8721 sav->state = SADB_SASTATE_DEAD;
8722 ipsec_accel_forget_sav(sav);
8723 }
8724 }
8725 SAHTREE_WUNLOCK();
8726
8727 /* Wait for async work referencing this VNET to finish. */
8728 ipsec_accel_sync();
8729
8730 key_freesah_flushed(&sahdrainq);
8731 hashdestroy(V_sphashtbl, M_IPSEC_SP, V_sphash_mask);
8732 hashdestroy(V_savhashtbl, M_IPSEC_SA, V_savhash_mask);
8733 hashdestroy(V_sahaddrhashtbl, M_IPSEC_SAH, V_sahaddrhash_mask);
8734
8735 REGTREE_LOCK();
8736 for (i = 0; i <= SADB_SATYPE_MAX; i++) {
8737 LIST_FOREACH(reg, &V_regtree[i], chain) {
8738 if (__LIST_CHAINED(reg)) {
8739 LIST_REMOVE(reg, chain);
8740 free(reg, M_IPSEC_SAR);
8741 break;
8742 }
8743 }
8744 }
8745 REGTREE_UNLOCK();
8746
8747 ACQ_LOCK();
8748 acq = LIST_FIRST(&V_acqtree);
8749 while (acq != NULL) {
8750 nextacq = LIST_NEXT(acq, chain);
8751 LIST_REMOVE(acq, chain);
8752 free(acq, M_IPSEC_SAQ);
8753 acq = nextacq;
8754 }
8755 for (i = 0; i < V_acqaddrhash_mask + 1; i++)
8756 LIST_INIT(&V_acqaddrhashtbl[i]);
8757 for (i = 0; i < V_acqseqhash_mask + 1; i++)
8758 LIST_INIT(&V_acqseqhashtbl[i]);
8759 ACQ_UNLOCK();
8760
8761 SPACQ_LOCK();
8762 for (spacq = LIST_FIRST(&V_spacqtree); spacq != NULL;
8763 spacq = nextspacq) {
8764 nextspacq = LIST_NEXT(spacq, chain);
8765 if (__LIST_CHAINED(spacq)) {
8766 LIST_REMOVE(spacq, chain);
8767 free(spacq, M_IPSEC_SAQ);
8768 }
8769 }
8770 SPACQ_UNLOCK();
8771 hashdestroy(V_acqaddrhashtbl, M_IPSEC_SAQ, V_acqaddrhash_mask);
8772 hashdestroy(V_acqseqhashtbl, M_IPSEC_SAQ, V_acqseqhash_mask);
8773 }
8774 VNET_SYSUNINIT(key_vnet_destroy, SI_SUB_PROTO_DOMAIN, SI_ORDER_SECOND,
8775 key_vnet_destroy, NULL);
8776 #endif
8777
8778 /*
8779 * XXX: as long as domains are not unloadable, this function is never called,
8780 * provided for consistensy and future unload support.
8781 */
8782 static void
key_destroy(void * arg __unused)8783 key_destroy(void *arg __unused)
8784 {
8785 uma_zdestroy(ipsec_key_lft_zone);
8786
8787 #ifndef IPSEC_DEBUG2
8788 callout_drain(&key_timer);
8789 #endif
8790 SPTREE_LOCK_DESTROY();
8791 REGTREE_LOCK_DESTROY();
8792 SAHTREE_LOCK_DESTROY();
8793 ACQ_LOCK_DESTROY();
8794 SPACQ_LOCK_DESTROY();
8795 SPI_ALLOC_LOCK_DESTROY();
8796 }
8797 SYSUNINIT(key_destroy, SI_SUB_PROTO_DOMAIN, SI_ORDER_FIRST, key_destroy, NULL);
8798
8799 /* record data transfer on SA, and update timestamps */
8800 void
key_sa_recordxfer(struct secasvar * sav,struct mbuf * m)8801 key_sa_recordxfer(struct secasvar *sav, struct mbuf *m)
8802 {
8803 IPSEC_ASSERT(sav != NULL, ("Null secasvar"));
8804 IPSEC_ASSERT(m != NULL, ("Null mbuf"));
8805
8806 /*
8807 * XXX Currently, there is a difference of bytes size
8808 * between inbound and outbound processing.
8809 */
8810 counter_u64_add(sav->lft_c_bytes, m->m_pkthdr.len);
8811
8812 /*
8813 * We use the number of packets as the unit of
8814 * allocations. We increment the variable
8815 * whenever {esp,ah}_{in,out}put is called.
8816 */
8817 counter_u64_add(sav->lft_c_allocations, 1);
8818
8819 /*
8820 * NOTE: We record CURRENT usetime by using wall clock,
8821 * in seconds. HARD and SOFT lifetime are measured by the time
8822 * difference (again in seconds) from usetime.
8823 *
8824 * usetime
8825 * v expire expire
8826 * -----+-----+--------+---> t
8827 * <--------------> HARD
8828 * <-----> SOFT
8829 */
8830 if (sav->firstused == 0)
8831 sav->firstused = time_second;
8832 }
8833
8834 /*
8835 * Take one of the kernel's security keys and convert it into a PF_KEY
8836 * structure within an mbuf, suitable for sending up to a waiting
8837 * application in user land.
8838 *
8839 * IN:
8840 * src: A pointer to a kernel security key.
8841 * exttype: Which type of key this is. Refer to the PF_KEY data structures.
8842 * OUT:
8843 * a valid mbuf or NULL indicating an error
8844 *
8845 */
8846
8847 static struct mbuf *
key_setkey(struct seckey * src,uint16_t exttype)8848 key_setkey(struct seckey *src, uint16_t exttype)
8849 {
8850 struct mbuf *m;
8851 struct sadb_key *p;
8852 int len;
8853
8854 if (src == NULL)
8855 return NULL;
8856
8857 len = PFKEY_ALIGN8(sizeof(struct sadb_key) + _KEYLEN(src));
8858 m = m_get2(len, M_NOWAIT, MT_DATA, 0);
8859 if (m == NULL)
8860 return NULL;
8861 m_align(m, len);
8862 m->m_len = len;
8863 p = mtod(m, struct sadb_key *);
8864 bzero(p, len);
8865 p->sadb_key_len = PFKEY_UNIT64(len);
8866 p->sadb_key_exttype = exttype;
8867 p->sadb_key_bits = src->bits;
8868 bcopy(src->key_data, _KEYBUF(p), _KEYLEN(src));
8869
8870 return m;
8871 }
8872
8873 #ifdef IPSEC_OFFLOAD
8874 struct mbuf *
key_setaccelif(const char * ifname)8875 key_setaccelif(const char *ifname)
8876 {
8877 struct mbuf *m = NULL;
8878 struct sadb_x_if_hw_offl *p;
8879 int len = PFKEY_ALIGN8(sizeof(*p));
8880
8881 m = m_get2(len, M_NOWAIT, MT_DATA, 0);
8882 if (m == NULL)
8883 return (m);
8884 m_align(m, len);
8885 m->m_len = len;
8886 p = mtod(m, struct sadb_x_if_hw_offl *);
8887
8888 bzero(p, len);
8889 p->sadb_x_if_hw_offl_len = PFKEY_UNIT64(len);
8890 p->sadb_x_if_hw_offl_exttype = SADB_X_EXT_IF_HW_OFFL;
8891 p->sadb_x_if_hw_offl_flags = 0;
8892 strncpy(p->sadb_x_if_hw_offl_if, ifname,
8893 sizeof(p->sadb_x_if_hw_offl_if));
8894
8895 return (m);
8896 }
8897 #endif
8898
8899 /*
8900 * Take one of the kernel's lifetime data structures and convert it
8901 * into a PF_KEY structure within an mbuf, suitable for sending up to
8902 * a waiting application in user land.
8903 *
8904 * IN:
8905 * src: A pointer to a kernel lifetime structure.
8906 * exttype: Which type of lifetime this is. Refer to the PF_KEY
8907 * data structures for more information.
8908 * OUT:
8909 * a valid mbuf or NULL indicating an error
8910 *
8911 */
8912
8913 static struct mbuf *
key_setlifetime(struct seclifetime * src,uint16_t exttype)8914 key_setlifetime(struct seclifetime *src, uint16_t exttype)
8915 {
8916 struct mbuf *m = NULL;
8917 struct sadb_lifetime *p;
8918 int len = PFKEY_ALIGN8(sizeof(struct sadb_lifetime));
8919
8920 if (src == NULL)
8921 return NULL;
8922
8923 m = m_get2(len, M_NOWAIT, MT_DATA, 0);
8924 if (m == NULL)
8925 return m;
8926 m_align(m, len);
8927 m->m_len = len;
8928 p = mtod(m, struct sadb_lifetime *);
8929
8930 bzero(p, len);
8931 p->sadb_lifetime_len = PFKEY_UNIT64(len);
8932 p->sadb_lifetime_exttype = exttype;
8933 p->sadb_lifetime_allocations = src->allocations;
8934 p->sadb_lifetime_bytes = src->bytes;
8935 p->sadb_lifetime_addtime = src->addtime;
8936 p->sadb_lifetime_usetime = src->usetime;
8937
8938 return m;
8939
8940 }
8941
8942 const struct enc_xform *
enc_algorithm_lookup(int alg)8943 enc_algorithm_lookup(int alg)
8944 {
8945 int i;
8946
8947 for (i = 0; i < nitems(supported_ealgs); i++)
8948 if (alg == supported_ealgs[i].sadb_alg)
8949 return (supported_ealgs[i].xform);
8950 return (NULL);
8951 }
8952
8953 const struct auth_hash *
auth_algorithm_lookup(int alg)8954 auth_algorithm_lookup(int alg)
8955 {
8956 int i;
8957
8958 for (i = 0; i < nitems(supported_aalgs); i++)
8959 if (alg == supported_aalgs[i].sadb_alg)
8960 return (supported_aalgs[i].xform);
8961 return (NULL);
8962 }
8963
8964 const struct comp_algo *
comp_algorithm_lookup(int alg)8965 comp_algorithm_lookup(int alg)
8966 {
8967 int i;
8968
8969 for (i = 0; i < nitems(supported_calgs); i++)
8970 if (alg == supported_calgs[i].sadb_alg)
8971 return (supported_calgs[i].xform);
8972 return (NULL);
8973 }
8974
8975 void
ipsec_sahtree_runlock(struct rm_priotracker * sahtree_trackerp)8976 ipsec_sahtree_runlock(struct rm_priotracker *sahtree_trackerp)
8977 {
8978 rm_runlock(&sahtree_lock, sahtree_trackerp);
8979 }
8980
8981 void
ipsec_sahtree_rlock(struct rm_priotracker * sahtree_trackerp)8982 ipsec_sahtree_rlock(struct rm_priotracker *sahtree_trackerp)
8983 {
8984 rm_rlock(&sahtree_lock, sahtree_trackerp);
8985 }
8986
8987 #ifdef IPSEC_OFFLOAD
8988 void
ipsec_accel_on_ifdown(struct ifnet * ifp)8989 ipsec_accel_on_ifdown(struct ifnet *ifp)
8990 {
8991 void (*p)(struct ifnet *ifp);
8992
8993 p = atomic_load_ptr(&ipsec_accel_on_ifdown_p);
8994 if (p != NULL)
8995 p(ifp);
8996 }
8997
8998 void
ipsec_accel_drv_sa_lifetime_update(struct secasvar * sav,if_t ifp,u_int drv_spi,uint64_t octets,uint64_t allocs)8999 ipsec_accel_drv_sa_lifetime_update(struct secasvar *sav, if_t ifp,
9000 u_int drv_spi, uint64_t octets, uint64_t allocs)
9001 {
9002 void (*p)(struct secasvar *sav, if_t ifp, u_int drv_spi,
9003 uint64_t octets, uint64_t allocs);
9004
9005 p = atomic_load_ptr(&ipsec_accel_drv_sa_lifetime_update_p);
9006 if (p != NULL)
9007 p(sav, ifp, drv_spi, octets, allocs);
9008 }
9009
9010 int
ipsec_accel_drv_sa_lifetime_fetch(struct secasvar * sav,if_t ifp,u_int drv_spi,uint64_t * octets,uint64_t * allocs)9011 ipsec_accel_drv_sa_lifetime_fetch(struct secasvar *sav,
9012 if_t ifp, u_int drv_spi, uint64_t *octets, uint64_t *allocs)
9013 {
9014 int (*p)(struct secasvar *sav, if_t ifp, u_int drv_spi,
9015 uint64_t *octets, uint64_t *allocs);
9016
9017 p = atomic_load_ptr(&ipsec_accel_drv_sa_lifetime_fetch_p);
9018 if (p == NULL)
9019 return (EOPNOTSUPP);
9020 return (p(sav, ifp, drv_spi, octets, allocs));
9021 }
9022 #endif
9023