1 /* $KAME: key.c,v 1.191 2001/06/27 10:46:49 sakane Exp $ */ 2 3 /*- 4 * SPDX-License-Identifier: BSD-3-Clause 5 * 6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. 7 * All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 3. Neither the name of the project nor the names of its contributors 18 * may be used to endorse or promote products derived from this software 19 * without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31 * SUCH DAMAGE. 32 */ 33 34 /* 35 * This code is referd to RFC 2367 36 */ 37 38 #include "opt_inet.h" 39 #include "opt_inet6.h" 40 #include "opt_ipsec.h" 41 42 #include <sys/types.h> 43 #include <sys/param.h> 44 #include <sys/systm.h> 45 #include <sys/kernel.h> 46 #include <sys/fnv_hash.h> 47 #include <sys/lock.h> 48 #include <sys/mutex.h> 49 #include <sys/mbuf.h> 50 #include <sys/domain.h> 51 #include <sys/protosw.h> 52 #include <sys/malloc.h> 53 #include <sys/rmlock.h> 54 #include <sys/socket.h> 55 #include <sys/socketvar.h> 56 #include <sys/sysctl.h> 57 #include <sys/errno.h> 58 #include <sys/proc.h> 59 #include <sys/queue.h> 60 #include <sys/refcount.h> 61 #include <sys/syslog.h> 62 63 #include <vm/uma.h> 64 65 #include <net/if.h> 66 #include <net/if_var.h> 67 #include <net/vnet.h> 68 69 #include <netinet/in.h> 70 #include <netinet/in_systm.h> 71 #include <netinet/ip.h> 72 #include <netinet/in_var.h> 73 #include <netinet/udp.h> 74 75 #ifdef INET6 76 #include <netinet/ip6.h> 77 #include <netinet6/in6_var.h> 78 #include <netinet6/ip6_var.h> 79 #endif /* INET6 */ 80 81 #include <net/pfkeyv2.h> 82 #include <netipsec/keydb.h> 83 #include <netipsec/key.h> 84 #include <netipsec/keysock.h> 85 #include <netipsec/key_debug.h> 86 87 #include <netipsec/ipsec.h> 88 #ifdef INET6 89 #include <netipsec/ipsec6.h> 90 #endif 91 92 #include <netipsec/xform.h> 93 #include <machine/in_cksum.h> 94 #include <machine/stdarg.h> 95 96 /* randomness */ 97 #include <sys/random.h> 98 99 #define FULLMASK 0xff 100 #define _BITS(bytes) ((bytes) << 3) 101 102 #define UINT32_80PCT 0xcccccccc 103 /* 104 * Note on SA reference counting: 105 * - SAs that are not in DEAD state will have (total external reference + 1) 106 * following value in reference count field. they cannot be freed and are 107 * referenced from SA header. 108 * - SAs that are in DEAD state will have (total external reference) 109 * in reference count field. they are ready to be freed. reference from 110 * SA header will be removed in key_delsav(), when the reference count 111 * field hits 0 (= no external reference other than from SA header. 112 */ 113 114 VNET_DEFINE(u_int32_t, key_debug_level) = 0; 115 VNET_DEFINE_STATIC(u_int, key_spi_trycnt) = 1000; 116 VNET_DEFINE_STATIC(u_int32_t, key_spi_minval) = 0x100; 117 VNET_DEFINE_STATIC(u_int32_t, key_spi_maxval) = 0x0fffffff; /* XXX */ 118 VNET_DEFINE_STATIC(u_int32_t, policy_id) = 0; 119 /*interval to initialize randseed,1(m)*/ 120 VNET_DEFINE_STATIC(u_int, key_int_random) = 60; 121 /* interval to expire acquiring, 30(s)*/ 122 VNET_DEFINE_STATIC(u_int, key_larval_lifetime) = 30; 123 /* counter for blocking SADB_ACQUIRE.*/ 124 VNET_DEFINE_STATIC(int, key_blockacq_count) = 10; 125 /* lifetime for blocking SADB_ACQUIRE.*/ 126 VNET_DEFINE_STATIC(int, key_blockacq_lifetime) = 20; 127 /* preferred old sa rather than new sa.*/ 128 VNET_DEFINE_STATIC(int, key_preferred_oldsa) = 1; 129 #define V_key_spi_trycnt VNET(key_spi_trycnt) 130 #define V_key_spi_minval VNET(key_spi_minval) 131 #define V_key_spi_maxval VNET(key_spi_maxval) 132 #define V_policy_id VNET(policy_id) 133 #define V_key_int_random VNET(key_int_random) 134 #define V_key_larval_lifetime VNET(key_larval_lifetime) 135 #define V_key_blockacq_count VNET(key_blockacq_count) 136 #define V_key_blockacq_lifetime VNET(key_blockacq_lifetime) 137 #define V_key_preferred_oldsa VNET(key_preferred_oldsa) 138 139 VNET_DEFINE_STATIC(u_int32_t, acq_seq) = 0; 140 #define V_acq_seq VNET(acq_seq) 141 142 VNET_DEFINE_STATIC(uint32_t, sp_genid) = 0; 143 #define V_sp_genid VNET(sp_genid) 144 145 /* SPD */ 146 TAILQ_HEAD(secpolicy_queue, secpolicy); 147 LIST_HEAD(secpolicy_list, secpolicy); 148 VNET_DEFINE_STATIC(struct secpolicy_queue, sptree[IPSEC_DIR_MAX]); 149 VNET_DEFINE_STATIC(struct secpolicy_queue, sptree_ifnet[IPSEC_DIR_MAX]); 150 static struct rmlock sptree_lock; 151 #define V_sptree VNET(sptree) 152 #define V_sptree_ifnet VNET(sptree_ifnet) 153 #define SPTREE_LOCK_INIT() rm_init(&sptree_lock, "sptree") 154 #define SPTREE_LOCK_DESTROY() rm_destroy(&sptree_lock) 155 #define SPTREE_RLOCK_TRACKER struct rm_priotracker sptree_tracker 156 #define SPTREE_RLOCK() rm_rlock(&sptree_lock, &sptree_tracker) 157 #define SPTREE_RUNLOCK() rm_runlock(&sptree_lock, &sptree_tracker) 158 #define SPTREE_RLOCK_ASSERT() rm_assert(&sptree_lock, RA_RLOCKED) 159 #define SPTREE_WLOCK() rm_wlock(&sptree_lock) 160 #define SPTREE_WUNLOCK() rm_wunlock(&sptree_lock) 161 #define SPTREE_WLOCK_ASSERT() rm_assert(&sptree_lock, RA_WLOCKED) 162 #define SPTREE_UNLOCK_ASSERT() rm_assert(&sptree_lock, RA_UNLOCKED) 163 164 /* Hash table for lookup SP using unique id */ 165 VNET_DEFINE_STATIC(struct secpolicy_list *, sphashtbl); 166 VNET_DEFINE_STATIC(u_long, sphash_mask); 167 #define V_sphashtbl VNET(sphashtbl) 168 #define V_sphash_mask VNET(sphash_mask) 169 170 #define SPHASH_NHASH_LOG2 7 171 #define SPHASH_NHASH (1 << SPHASH_NHASH_LOG2) 172 #define SPHASH_HASHVAL(id) (key_u32hash(id) & V_sphash_mask) 173 #define SPHASH_HASH(id) &V_sphashtbl[SPHASH_HASHVAL(id)] 174 175 /* SPD cache */ 176 struct spdcache_entry { 177 struct secpolicyindex spidx; /* secpolicyindex */ 178 struct secpolicy *sp; /* cached policy to be used */ 179 180 LIST_ENTRY(spdcache_entry) chain; 181 }; 182 LIST_HEAD(spdcache_entry_list, spdcache_entry); 183 184 #define SPDCACHE_MAX_ENTRIES_PER_HASH 8 185 186 VNET_DEFINE_STATIC(u_int, key_spdcache_maxentries) = 0; 187 #define V_key_spdcache_maxentries VNET(key_spdcache_maxentries) 188 VNET_DEFINE_STATIC(u_int, key_spdcache_threshold) = 32; 189 #define V_key_spdcache_threshold VNET(key_spdcache_threshold) 190 VNET_DEFINE_STATIC(unsigned long, spd_size) = 0; 191 #define V_spd_size VNET(spd_size) 192 193 #define SPDCACHE_ENABLED() (V_key_spdcache_maxentries != 0) 194 #define SPDCACHE_ACTIVE() \ 195 (SPDCACHE_ENABLED() && V_spd_size >= V_key_spdcache_threshold) 196 197 VNET_DEFINE_STATIC(struct spdcache_entry_list *, spdcachehashtbl); 198 VNET_DEFINE_STATIC(u_long, spdcachehash_mask); 199 #define V_spdcachehashtbl VNET(spdcachehashtbl) 200 #define V_spdcachehash_mask VNET(spdcachehash_mask) 201 202 #define SPDCACHE_HASHVAL(idx) \ 203 (key_addrprotohash(&(idx)->src, &(idx)->dst, &(idx)->ul_proto) & \ 204 V_spdcachehash_mask) 205 206 /* Each cache line is protected by a mutex */ 207 VNET_DEFINE_STATIC(struct mtx *, spdcache_lock); 208 #define V_spdcache_lock VNET(spdcache_lock) 209 210 #define SPDCACHE_LOCK_INIT(a) \ 211 mtx_init(&V_spdcache_lock[a], "spdcache", \ 212 "fast ipsec SPD cache", MTX_DEF|MTX_DUPOK) 213 #define SPDCACHE_LOCK_DESTROY(a) mtx_destroy(&V_spdcache_lock[a]) 214 #define SPDCACHE_LOCK(a) mtx_lock(&V_spdcache_lock[a]); 215 #define SPDCACHE_UNLOCK(a) mtx_unlock(&V_spdcache_lock[a]); 216 217 static struct sx spi_alloc_lock; 218 #define SPI_ALLOC_LOCK_INIT() sx_init(&spi_alloc_lock, "spialloc") 219 #define SPI_ALLOC_LOCK_DESTROY() sx_destroy(&spi_alloc_lock) 220 #define SPI_ALLOC_LOCK() sx_xlock(&spi_alloc_lock) 221 #define SPI_ALLOC_UNLOCK() sx_unlock(&spi_alloc_lock) 222 #define SPI_ALLOC_LOCK_ASSERT() sx_assert(&spi_alloc_lock, SA_XLOCKED) 223 224 /* SAD */ 225 TAILQ_HEAD(secashead_queue, secashead); 226 LIST_HEAD(secashead_list, secashead); 227 VNET_DEFINE_STATIC(struct secashead_queue, sahtree); 228 static struct rmlock sahtree_lock; 229 #define V_sahtree VNET(sahtree) 230 #define SAHTREE_LOCK_INIT() rm_init(&sahtree_lock, "sahtree") 231 #define SAHTREE_LOCK_DESTROY() rm_destroy(&sahtree_lock) 232 #define SAHTREE_RLOCK_TRACKER struct rm_priotracker sahtree_tracker 233 #define SAHTREE_RLOCK() rm_rlock(&sahtree_lock, &sahtree_tracker) 234 #define SAHTREE_RUNLOCK() rm_runlock(&sahtree_lock, &sahtree_tracker) 235 #define SAHTREE_RLOCK_ASSERT() rm_assert(&sahtree_lock, RA_RLOCKED) 236 #define SAHTREE_WLOCK() rm_wlock(&sahtree_lock) 237 #define SAHTREE_WUNLOCK() rm_wunlock(&sahtree_lock) 238 #define SAHTREE_WLOCK_ASSERT() rm_assert(&sahtree_lock, RA_WLOCKED) 239 #define SAHTREE_UNLOCK_ASSERT() rm_assert(&sahtree_lock, RA_UNLOCKED) 240 241 /* Hash table for lookup in SAD using SA addresses */ 242 VNET_DEFINE_STATIC(struct secashead_list *, sahaddrhashtbl); 243 VNET_DEFINE_STATIC(u_long, sahaddrhash_mask); 244 #define V_sahaddrhashtbl VNET(sahaddrhashtbl) 245 #define V_sahaddrhash_mask VNET(sahaddrhash_mask) 246 247 #define SAHHASH_NHASH_LOG2 7 248 #define SAHHASH_NHASH (1 << SAHHASH_NHASH_LOG2) 249 #define SAHADDRHASH_HASHVAL(idx) \ 250 (key_addrprotohash(&(idx)->src, &(idx)->dst, &(idx)->proto) & \ 251 V_sahaddrhash_mask) 252 #define SAHADDRHASH_HASH(saidx) \ 253 &V_sahaddrhashtbl[SAHADDRHASH_HASHVAL(saidx)] 254 255 /* Hash table for lookup in SAD using SPI */ 256 LIST_HEAD(secasvar_list, secasvar); 257 VNET_DEFINE_STATIC(struct secasvar_list *, savhashtbl); 258 VNET_DEFINE_STATIC(u_long, savhash_mask); 259 #define V_savhashtbl VNET(savhashtbl) 260 #define V_savhash_mask VNET(savhash_mask) 261 #define SAVHASH_NHASH_LOG2 7 262 #define SAVHASH_NHASH (1 << SAVHASH_NHASH_LOG2) 263 #define SAVHASH_HASHVAL(spi) (key_u32hash(spi) & V_savhash_mask) 264 #define SAVHASH_HASH(spi) &V_savhashtbl[SAVHASH_HASHVAL(spi)] 265 266 static uint32_t 267 key_addrprotohash(const union sockaddr_union *src, 268 const union sockaddr_union *dst, const uint8_t *proto) 269 { 270 uint32_t hval; 271 272 hval = fnv_32_buf(proto, sizeof(*proto), 273 FNV1_32_INIT); 274 switch (dst->sa.sa_family) { 275 #ifdef INET 276 case AF_INET: 277 hval = fnv_32_buf(&src->sin.sin_addr, 278 sizeof(in_addr_t), hval); 279 hval = fnv_32_buf(&dst->sin.sin_addr, 280 sizeof(in_addr_t), hval); 281 break; 282 #endif 283 #ifdef INET6 284 case AF_INET6: 285 hval = fnv_32_buf(&src->sin6.sin6_addr, 286 sizeof(struct in6_addr), hval); 287 hval = fnv_32_buf(&dst->sin6.sin6_addr, 288 sizeof(struct in6_addr), hval); 289 break; 290 #endif 291 default: 292 hval = 0; 293 ipseclog((LOG_DEBUG, "%s: unknown address family %d\n", 294 __func__, dst->sa.sa_family)); 295 } 296 return (hval); 297 } 298 299 static uint32_t 300 key_u32hash(uint32_t val) 301 { 302 303 return (fnv_32_buf(&val, sizeof(val), FNV1_32_INIT)); 304 } 305 306 /* registed list */ 307 VNET_DEFINE_STATIC(LIST_HEAD(_regtree, secreg), regtree[SADB_SATYPE_MAX + 1]); 308 #define V_regtree VNET(regtree) 309 static struct mtx regtree_lock; 310 #define REGTREE_LOCK_INIT() \ 311 mtx_init(®tree_lock, "regtree", "fast ipsec regtree", MTX_DEF) 312 #define REGTREE_LOCK_DESTROY() mtx_destroy(®tree_lock) 313 #define REGTREE_LOCK() mtx_lock(®tree_lock) 314 #define REGTREE_UNLOCK() mtx_unlock(®tree_lock) 315 #define REGTREE_LOCK_ASSERT() mtx_assert(®tree_lock, MA_OWNED) 316 317 /* Acquiring list */ 318 LIST_HEAD(secacq_list, secacq); 319 VNET_DEFINE_STATIC(struct secacq_list, acqtree); 320 #define V_acqtree VNET(acqtree) 321 static struct mtx acq_lock; 322 #define ACQ_LOCK_INIT() \ 323 mtx_init(&acq_lock, "acqtree", "ipsec SA acquiring list", MTX_DEF) 324 #define ACQ_LOCK_DESTROY() mtx_destroy(&acq_lock) 325 #define ACQ_LOCK() mtx_lock(&acq_lock) 326 #define ACQ_UNLOCK() mtx_unlock(&acq_lock) 327 #define ACQ_LOCK_ASSERT() mtx_assert(&acq_lock, MA_OWNED) 328 329 /* Hash table for lookup in ACQ list using SA addresses */ 330 VNET_DEFINE_STATIC(struct secacq_list *, acqaddrhashtbl); 331 VNET_DEFINE_STATIC(u_long, acqaddrhash_mask); 332 #define V_acqaddrhashtbl VNET(acqaddrhashtbl) 333 #define V_acqaddrhash_mask VNET(acqaddrhash_mask) 334 335 /* Hash table for lookup in ACQ list using SEQ number */ 336 VNET_DEFINE_STATIC(struct secacq_list *, acqseqhashtbl); 337 VNET_DEFINE_STATIC(u_long, acqseqhash_mask); 338 #define V_acqseqhashtbl VNET(acqseqhashtbl) 339 #define V_acqseqhash_mask VNET(acqseqhash_mask) 340 341 #define ACQHASH_NHASH_LOG2 7 342 #define ACQHASH_NHASH (1 << ACQHASH_NHASH_LOG2) 343 #define ACQADDRHASH_HASHVAL(idx) \ 344 (key_addrprotohash(&(idx)->src, &(idx)->dst, &(idx)->proto) & \ 345 V_acqaddrhash_mask) 346 #define ACQSEQHASH_HASHVAL(seq) \ 347 (key_u32hash(seq) & V_acqseqhash_mask) 348 #define ACQADDRHASH_HASH(saidx) \ 349 &V_acqaddrhashtbl[ACQADDRHASH_HASHVAL(saidx)] 350 #define ACQSEQHASH_HASH(seq) \ 351 &V_acqseqhashtbl[ACQSEQHASH_HASHVAL(seq)] 352 /* SP acquiring list */ 353 VNET_DEFINE_STATIC(LIST_HEAD(_spacqtree, secspacq), spacqtree); 354 #define V_spacqtree VNET(spacqtree) 355 static struct mtx spacq_lock; 356 #define SPACQ_LOCK_INIT() \ 357 mtx_init(&spacq_lock, "spacqtree", \ 358 "fast ipsec security policy acquire list", MTX_DEF) 359 #define SPACQ_LOCK_DESTROY() mtx_destroy(&spacq_lock) 360 #define SPACQ_LOCK() mtx_lock(&spacq_lock) 361 #define SPACQ_UNLOCK() mtx_unlock(&spacq_lock) 362 #define SPACQ_LOCK_ASSERT() mtx_assert(&spacq_lock, MA_OWNED) 363 364 static const int minsize[] = { 365 [SADB_EXT_RESERVED] = sizeof(struct sadb_msg), 366 [SADB_EXT_SA] = sizeof(struct sadb_sa), 367 [SADB_EXT_LIFETIME_CURRENT] = sizeof(struct sadb_lifetime), 368 [SADB_EXT_LIFETIME_HARD] = sizeof(struct sadb_lifetime), 369 [SADB_EXT_LIFETIME_SOFT] = sizeof(struct sadb_lifetime), 370 [SADB_EXT_ADDRESS_SRC] = sizeof(struct sadb_address), 371 [SADB_EXT_ADDRESS_DST] = sizeof(struct sadb_address), 372 [SADB_EXT_ADDRESS_PROXY] = sizeof(struct sadb_address), 373 [SADB_EXT_KEY_AUTH] = sizeof(struct sadb_key), 374 [SADB_EXT_KEY_ENCRYPT] = sizeof(struct sadb_key), 375 [SADB_EXT_IDENTITY_SRC] = sizeof(struct sadb_ident), 376 [SADB_EXT_IDENTITY_DST] = sizeof(struct sadb_ident), 377 [SADB_EXT_SENSITIVITY] = sizeof(struct sadb_sens), 378 [SADB_EXT_PROPOSAL] = sizeof(struct sadb_prop), 379 [SADB_EXT_SUPPORTED_AUTH] = sizeof(struct sadb_supported), 380 [SADB_EXT_SUPPORTED_ENCRYPT] = sizeof(struct sadb_supported), 381 [SADB_EXT_SPIRANGE] = sizeof(struct sadb_spirange), 382 [SADB_X_EXT_KMPRIVATE] = 0, 383 [SADB_X_EXT_POLICY] = sizeof(struct sadb_x_policy), 384 [SADB_X_EXT_SA2] = sizeof(struct sadb_x_sa2), 385 [SADB_X_EXT_NAT_T_TYPE] = sizeof(struct sadb_x_nat_t_type), 386 [SADB_X_EXT_NAT_T_SPORT] = sizeof(struct sadb_x_nat_t_port), 387 [SADB_X_EXT_NAT_T_DPORT] = sizeof(struct sadb_x_nat_t_port), 388 [SADB_X_EXT_NAT_T_OAI] = sizeof(struct sadb_address), 389 [SADB_X_EXT_NAT_T_OAR] = sizeof(struct sadb_address), 390 [SADB_X_EXT_NAT_T_FRAG] = sizeof(struct sadb_x_nat_t_frag), 391 [SADB_X_EXT_SA_REPLAY] = sizeof(struct sadb_x_sa_replay), 392 [SADB_X_EXT_NEW_ADDRESS_SRC] = sizeof(struct sadb_address), 393 [SADB_X_EXT_NEW_ADDRESS_DST] = sizeof(struct sadb_address), 394 }; 395 _Static_assert(nitems(minsize) == SADB_EXT_MAX + 1, "minsize size mismatch"); 396 397 static const int maxsize[] = { 398 [SADB_EXT_RESERVED] = sizeof(struct sadb_msg), 399 [SADB_EXT_SA] = sizeof(struct sadb_sa), 400 [SADB_EXT_LIFETIME_CURRENT] = sizeof(struct sadb_lifetime), 401 [SADB_EXT_LIFETIME_HARD] = sizeof(struct sadb_lifetime), 402 [SADB_EXT_LIFETIME_SOFT] = sizeof(struct sadb_lifetime), 403 [SADB_EXT_ADDRESS_SRC] = 0, 404 [SADB_EXT_ADDRESS_DST] = 0, 405 [SADB_EXT_ADDRESS_PROXY] = 0, 406 [SADB_EXT_KEY_AUTH] = 0, 407 [SADB_EXT_KEY_ENCRYPT] = 0, 408 [SADB_EXT_IDENTITY_SRC] = 0, 409 [SADB_EXT_IDENTITY_DST] = 0, 410 [SADB_EXT_SENSITIVITY] = 0, 411 [SADB_EXT_PROPOSAL] = 0, 412 [SADB_EXT_SUPPORTED_AUTH] = 0, 413 [SADB_EXT_SUPPORTED_ENCRYPT] = 0, 414 [SADB_EXT_SPIRANGE] = sizeof(struct sadb_spirange), 415 [SADB_X_EXT_KMPRIVATE] = 0, 416 [SADB_X_EXT_POLICY] = 0, 417 [SADB_X_EXT_SA2] = sizeof(struct sadb_x_sa2), 418 [SADB_X_EXT_NAT_T_TYPE] = sizeof(struct sadb_x_nat_t_type), 419 [SADB_X_EXT_NAT_T_SPORT] = sizeof(struct sadb_x_nat_t_port), 420 [SADB_X_EXT_NAT_T_DPORT] = sizeof(struct sadb_x_nat_t_port), 421 [SADB_X_EXT_NAT_T_OAI] = 0, 422 [SADB_X_EXT_NAT_T_OAR] = 0, 423 [SADB_X_EXT_NAT_T_FRAG] = sizeof(struct sadb_x_nat_t_frag), 424 [SADB_X_EXT_SA_REPLAY] = sizeof(struct sadb_x_sa_replay), 425 [SADB_X_EXT_NEW_ADDRESS_SRC] = 0, 426 [SADB_X_EXT_NEW_ADDRESS_DST] = 0, 427 }; 428 _Static_assert(nitems(maxsize) == SADB_EXT_MAX + 1, "maxsize size mismatch"); 429 430 /* 431 * Internal values for SA flags: 432 * SADB_X_EXT_F_CLONED means that SA was cloned by key_updateaddresses, 433 * thus we will not free the most of SA content in key_delsav(). 434 */ 435 #define SADB_X_EXT_F_CLONED 0x80000000 436 437 #define SADB_CHECKLEN(_mhp, _ext) \ 438 ((_mhp)->extlen[(_ext)] < minsize[(_ext)] || (maxsize[(_ext)] != 0 && \ 439 ((_mhp)->extlen[(_ext)] > maxsize[(_ext)]))) 440 #define SADB_CHECKHDR(_mhp, _ext) ((_mhp)->ext[(_ext)] == NULL) 441 442 VNET_DEFINE_STATIC(int, ipsec_esp_keymin) = 256; 443 VNET_DEFINE_STATIC(int, ipsec_esp_auth) = 0; 444 VNET_DEFINE_STATIC(int, ipsec_ah_keymin) = 128; 445 446 #define V_ipsec_esp_keymin VNET(ipsec_esp_keymin) 447 #define V_ipsec_esp_auth VNET(ipsec_esp_auth) 448 #define V_ipsec_ah_keymin VNET(ipsec_ah_keymin) 449 450 #ifdef IPSEC_DEBUG 451 VNET_DEFINE(int, ipsec_debug) = 1; 452 #else 453 VNET_DEFINE(int, ipsec_debug) = 0; 454 #endif 455 456 #ifdef INET 457 SYSCTL_DECL(_net_inet_ipsec); 458 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEBUG, debug, 459 CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(ipsec_debug), 0, 460 "Enable IPsec debugging output when set."); 461 #endif 462 #ifdef INET6 463 SYSCTL_DECL(_net_inet6_ipsec6); 464 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEBUG, debug, 465 CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(ipsec_debug), 0, 466 "Enable IPsec debugging output when set."); 467 #endif 468 469 SYSCTL_INT(_net_key, KEYCTL_DEBUG_LEVEL, debug, 470 CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(key_debug_level), 0, ""); 471 472 /* max count of trial for the decision of spi value */ 473 SYSCTL_INT(_net_key, KEYCTL_SPI_TRY, spi_trycnt, 474 CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(key_spi_trycnt), 0, ""); 475 476 /* minimum spi value to allocate automatically. */ 477 SYSCTL_INT(_net_key, KEYCTL_SPI_MIN_VALUE, spi_minval, 478 CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(key_spi_minval), 0, ""); 479 480 /* maximun spi value to allocate automatically. */ 481 SYSCTL_INT(_net_key, KEYCTL_SPI_MAX_VALUE, spi_maxval, 482 CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(key_spi_maxval), 0, ""); 483 484 /* interval to initialize randseed */ 485 SYSCTL_INT(_net_key, KEYCTL_RANDOM_INT, int_random, 486 CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(key_int_random), 0, ""); 487 488 /* lifetime for larval SA */ 489 SYSCTL_INT(_net_key, KEYCTL_LARVAL_LIFETIME, larval_lifetime, 490 CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(key_larval_lifetime), 0, ""); 491 492 /* counter for blocking to send SADB_ACQUIRE to IKEd */ 493 SYSCTL_INT(_net_key, KEYCTL_BLOCKACQ_COUNT, blockacq_count, 494 CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(key_blockacq_count), 0, ""); 495 496 /* lifetime for blocking to send SADB_ACQUIRE to IKEd */ 497 SYSCTL_INT(_net_key, KEYCTL_BLOCKACQ_LIFETIME, blockacq_lifetime, 498 CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(key_blockacq_lifetime), 0, ""); 499 500 /* ESP auth */ 501 SYSCTL_INT(_net_key, KEYCTL_ESP_AUTH, esp_auth, 502 CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(ipsec_esp_auth), 0, ""); 503 504 /* minimum ESP key length */ 505 SYSCTL_INT(_net_key, KEYCTL_ESP_KEYMIN, esp_keymin, 506 CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(ipsec_esp_keymin), 0, ""); 507 508 /* minimum AH key length */ 509 SYSCTL_INT(_net_key, KEYCTL_AH_KEYMIN, ah_keymin, 510 CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(ipsec_ah_keymin), 0, ""); 511 512 /* perfered old SA rather than new SA */ 513 SYSCTL_INT(_net_key, KEYCTL_PREFERED_OLDSA, preferred_oldsa, 514 CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(key_preferred_oldsa), 0, ""); 515 516 SYSCTL_NODE(_net_key, OID_AUTO, spdcache, CTLFLAG_RW | CTLFLAG_MPSAFE, 0, 517 "SPD cache"); 518 519 SYSCTL_UINT(_net_key_spdcache, OID_AUTO, maxentries, 520 CTLFLAG_VNET | CTLFLAG_RDTUN, &VNET_NAME(key_spdcache_maxentries), 0, 521 "Maximum number of entries in the SPD cache" 522 " (power of 2, 0 to disable)"); 523 524 SYSCTL_UINT(_net_key_spdcache, OID_AUTO, threshold, 525 CTLFLAG_VNET | CTLFLAG_RDTUN, &VNET_NAME(key_spdcache_threshold), 0, 526 "Number of SPs that make the SPD cache active"); 527 528 #define __LIST_CHAINED(elm) \ 529 (!((elm)->chain.le_next == NULL && (elm)->chain.le_prev == NULL)) 530 531 MALLOC_DEFINE(M_IPSEC_SA, "secasvar", "ipsec security association"); 532 MALLOC_DEFINE(M_IPSEC_SAH, "sahead", "ipsec sa head"); 533 MALLOC_DEFINE(M_IPSEC_SP, "ipsecpolicy", "ipsec security policy"); 534 MALLOC_DEFINE(M_IPSEC_SR, "ipsecrequest", "ipsec security request"); 535 MALLOC_DEFINE(M_IPSEC_MISC, "ipsec-misc", "ipsec miscellaneous"); 536 MALLOC_DEFINE(M_IPSEC_SAQ, "ipsec-saq", "ipsec sa acquire"); 537 MALLOC_DEFINE(M_IPSEC_SAR, "ipsec-reg", "ipsec sa acquire"); 538 MALLOC_DEFINE(M_IPSEC_SPDCACHE, "ipsec-spdcache", "ipsec SPD cache"); 539 540 static uma_zone_t __read_mostly ipsec_key_lft_zone; 541 542 /* 543 * set parameters into secpolicyindex buffer. 544 * Must allocate secpolicyindex buffer passed to this function. 545 */ 546 #define KEY_SETSECSPIDX(_dir, s, d, ps, pd, ulp, idx) \ 547 do { \ 548 bzero((idx), sizeof(struct secpolicyindex)); \ 549 (idx)->dir = (_dir); \ 550 (idx)->prefs = (ps); \ 551 (idx)->prefd = (pd); \ 552 (idx)->ul_proto = (ulp); \ 553 bcopy((s), &(idx)->src, ((const struct sockaddr *)(s))->sa_len); \ 554 bcopy((d), &(idx)->dst, ((const struct sockaddr *)(d))->sa_len); \ 555 } while (0) 556 557 /* 558 * set parameters into secasindex buffer. 559 * Must allocate secasindex buffer before calling this function. 560 */ 561 #define KEY_SETSECASIDX(p, m, r, s, d, idx) \ 562 do { \ 563 bzero((idx), sizeof(struct secasindex)); \ 564 (idx)->proto = (p); \ 565 (idx)->mode = (m); \ 566 (idx)->reqid = (r); \ 567 bcopy((s), &(idx)->src, ((const struct sockaddr *)(s))->sa_len); \ 568 bcopy((d), &(idx)->dst, ((const struct sockaddr *)(d))->sa_len); \ 569 key_porttosaddr(&(idx)->src.sa, 0); \ 570 key_porttosaddr(&(idx)->dst.sa, 0); \ 571 } while (0) 572 573 /* key statistics */ 574 struct _keystat { 575 u_long getspi_count; /* the avarage of count to try to get new SPI */ 576 } keystat; 577 578 struct sadb_msghdr { 579 struct sadb_msg *msg; 580 struct sadb_ext *ext[SADB_EXT_MAX + 1]; 581 int extoff[SADB_EXT_MAX + 1]; 582 int extlen[SADB_EXT_MAX + 1]; 583 }; 584 585 static const struct supported_ealgs { 586 int sadb_alg; 587 const struct enc_xform *xform; 588 } supported_ealgs[] = { 589 { SADB_X_EALG_AES, &enc_xform_aes_cbc }, 590 { SADB_EALG_NULL, &enc_xform_null }, 591 { SADB_X_EALG_AESCTR, &enc_xform_aes_icm }, 592 { SADB_X_EALG_AESGCM16, &enc_xform_aes_nist_gcm }, 593 { SADB_X_EALG_AESGMAC, &enc_xform_aes_nist_gmac }, 594 { SADB_X_EALG_CHACHA20POLY1305, &enc_xform_chacha20_poly1305 }, 595 }; 596 597 static const struct supported_aalgs { 598 int sadb_alg; 599 const struct auth_hash *xform; 600 } supported_aalgs[] = { 601 { SADB_X_AALG_NULL, &auth_hash_null }, 602 { SADB_AALG_SHA1HMAC, &auth_hash_hmac_sha1 }, 603 { SADB_X_AALG_SHA2_256, &auth_hash_hmac_sha2_256 }, 604 { SADB_X_AALG_SHA2_384, &auth_hash_hmac_sha2_384 }, 605 { SADB_X_AALG_SHA2_512, &auth_hash_hmac_sha2_512 }, 606 { SADB_X_AALG_AES128GMAC, &auth_hash_nist_gmac_aes_128 }, 607 { SADB_X_AALG_AES192GMAC, &auth_hash_nist_gmac_aes_192 }, 608 { SADB_X_AALG_AES256GMAC, &auth_hash_nist_gmac_aes_256 }, 609 { SADB_X_AALG_CHACHA20POLY1305, &auth_hash_poly1305 }, 610 }; 611 612 static const struct supported_calgs { 613 int sadb_alg; 614 const struct comp_algo *xform; 615 } supported_calgs[] = { 616 { SADB_X_CALG_DEFLATE, &comp_algo_deflate }, 617 }; 618 619 #ifndef IPSEC_DEBUG2 620 static struct callout key_timer; 621 #endif 622 623 static void key_unlink(struct secpolicy *); 624 static void key_detach(struct secpolicy *); 625 static struct secpolicy *key_do_allocsp(struct secpolicyindex *spidx, u_int dir); 626 static struct secpolicy *key_getsp(struct secpolicyindex *); 627 static struct secpolicy *key_getspbyid(u_int32_t); 628 static struct mbuf *key_gather_mbuf(struct mbuf *, 629 const struct sadb_msghdr *, int, int, ...); 630 static int key_spdadd(struct socket *, struct mbuf *, 631 const struct sadb_msghdr *); 632 static uint32_t key_getnewspid(void); 633 static int key_spddelete(struct socket *, struct mbuf *, 634 const struct sadb_msghdr *); 635 static int key_spddelete2(struct socket *, struct mbuf *, 636 const struct sadb_msghdr *); 637 static int key_spdget(struct socket *, struct mbuf *, 638 const struct sadb_msghdr *); 639 static int key_spdflush(struct socket *, struct mbuf *, 640 const struct sadb_msghdr *); 641 static int key_spddump(struct socket *, struct mbuf *, 642 const struct sadb_msghdr *); 643 static struct mbuf *key_setdumpsp(struct secpolicy *, 644 u_int8_t, u_int32_t, u_int32_t); 645 static struct mbuf *key_sp2mbuf(struct secpolicy *); 646 static size_t key_getspreqmsglen(struct secpolicy *); 647 static int key_spdexpire(struct secpolicy *); 648 static struct secashead *key_newsah(struct secasindex *); 649 static void key_freesah(struct secashead **); 650 static void key_delsah(struct secashead *); 651 static struct secasvar *key_newsav(const struct sadb_msghdr *, 652 struct secasindex *, uint32_t, int *); 653 static void key_delsav(struct secasvar *); 654 static void key_unlinksav(struct secasvar *); 655 static struct secashead *key_getsah(struct secasindex *); 656 static int key_checkspidup(uint32_t); 657 static struct secasvar *key_getsavbyspi(uint32_t); 658 static int key_setnatt(struct secasvar *, const struct sadb_msghdr *); 659 static int key_setsaval(struct secasvar *, const struct sadb_msghdr *); 660 static int key_updatelifetimes(struct secasvar *, const struct sadb_msghdr *); 661 static int key_updateaddresses(struct socket *, struct mbuf *, 662 const struct sadb_msghdr *, struct secasvar *, struct secasindex *); 663 664 static struct mbuf *key_setdumpsa(struct secasvar *, u_int8_t, 665 u_int8_t, u_int32_t, u_int32_t); 666 static struct mbuf *key_setsadbmsg(u_int8_t, u_int16_t, u_int8_t, 667 u_int32_t, pid_t, u_int16_t); 668 static struct mbuf *key_setsadbsa(struct secasvar *); 669 static struct mbuf *key_setsadbaddr(u_int16_t, 670 const struct sockaddr *, u_int8_t, u_int16_t); 671 static struct mbuf *key_setsadbxport(u_int16_t, u_int16_t); 672 static struct mbuf *key_setsadbxtype(u_int16_t); 673 static struct mbuf *key_setsadbxsa2(u_int8_t, u_int32_t, u_int32_t); 674 static struct mbuf *key_setsadbxsareplay(u_int32_t); 675 static struct mbuf *key_setsadbxpolicy(u_int16_t, u_int8_t, 676 u_int32_t, u_int32_t); 677 static struct seckey *key_dup_keymsg(const struct sadb_key *, size_t, 678 struct malloc_type *); 679 static struct seclifetime *key_dup_lifemsg(const struct sadb_lifetime *src, 680 struct malloc_type *); 681 682 /* flags for key_cmpsaidx() */ 683 #define CMP_HEAD 1 /* protocol, addresses. */ 684 #define CMP_MODE_REQID 2 /* additionally HEAD, reqid, mode. */ 685 #define CMP_REQID 3 /* additionally HEAD, reaid. */ 686 #define CMP_EXACTLY 4 /* all elements. */ 687 static int key_cmpsaidx(const struct secasindex *, 688 const struct secasindex *, int); 689 static int key_cmpspidx_exactly(struct secpolicyindex *, 690 struct secpolicyindex *); 691 static int key_cmpspidx_withmask(struct secpolicyindex *, 692 struct secpolicyindex *); 693 static int key_bbcmp(const void *, const void *, u_int); 694 static uint8_t key_satype2proto(uint8_t); 695 static uint8_t key_proto2satype(uint8_t); 696 697 static int key_getspi(struct socket *, struct mbuf *, 698 const struct sadb_msghdr *); 699 static uint32_t key_do_getnewspi(struct sadb_spirange *, struct secasindex *); 700 static int key_update(struct socket *, struct mbuf *, 701 const struct sadb_msghdr *); 702 static int key_add(struct socket *, struct mbuf *, 703 const struct sadb_msghdr *); 704 static int key_setident(struct secashead *, const struct sadb_msghdr *); 705 static struct mbuf *key_getmsgbuf_x1(struct mbuf *, 706 const struct sadb_msghdr *); 707 static int key_delete(struct socket *, struct mbuf *, 708 const struct sadb_msghdr *); 709 static int key_delete_all(struct socket *, struct mbuf *, 710 const struct sadb_msghdr *, struct secasindex *); 711 static int key_get(struct socket *, struct mbuf *, 712 const struct sadb_msghdr *); 713 714 static void key_getcomb_setlifetime(struct sadb_comb *); 715 static struct mbuf *key_getcomb_ealg(void); 716 static struct mbuf *key_getcomb_ah(void); 717 static struct mbuf *key_getcomb_ipcomp(void); 718 static struct mbuf *key_getprop(const struct secasindex *); 719 720 static int key_acquire(const struct secasindex *, struct secpolicy *); 721 static uint32_t key_newacq(const struct secasindex *, int *); 722 static uint32_t key_getacq(const struct secasindex *, int *); 723 static int key_acqdone(const struct secasindex *, uint32_t); 724 static int key_acqreset(uint32_t); 725 static struct secspacq *key_newspacq(struct secpolicyindex *); 726 static struct secspacq *key_getspacq(struct secpolicyindex *); 727 static int key_acquire2(struct socket *, struct mbuf *, 728 const struct sadb_msghdr *); 729 static int key_register(struct socket *, struct mbuf *, 730 const struct sadb_msghdr *); 731 static int key_expire(struct secasvar *, int); 732 static int key_flush(struct socket *, struct mbuf *, 733 const struct sadb_msghdr *); 734 static int key_dump(struct socket *, struct mbuf *, 735 const struct sadb_msghdr *); 736 static int key_promisc(struct socket *, struct mbuf *, 737 const struct sadb_msghdr *); 738 static int key_senderror(struct socket *, struct mbuf *, int); 739 static int key_validate_ext(const struct sadb_ext *, int); 740 static int key_align(struct mbuf *, struct sadb_msghdr *); 741 static struct mbuf *key_setlifetime(struct seclifetime *, uint16_t); 742 static struct mbuf *key_setkey(struct seckey *, uint16_t); 743 744 static void spdcache_init(void); 745 static void spdcache_clear(void); 746 static struct spdcache_entry *spdcache_entry_alloc( 747 const struct secpolicyindex *spidx, 748 struct secpolicy *policy); 749 static void spdcache_entry_free(struct spdcache_entry *entry); 750 #ifdef VIMAGE 751 static void spdcache_destroy(void); 752 #endif 753 754 #define DBG_IPSEC_INITREF(t, p) do { \ 755 refcount_init(&(p)->refcnt, 1); \ 756 KEYDBG(KEY_STAMP, \ 757 printf("%s: Initialize refcnt %s(%p) = %u\n", \ 758 __func__, #t, (p), (p)->refcnt)); \ 759 } while (0) 760 #define DBG_IPSEC_ADDREF(t, p) do { \ 761 refcount_acquire(&(p)->refcnt); \ 762 KEYDBG(KEY_STAMP, \ 763 printf("%s: Acquire refcnt %s(%p) -> %u\n", \ 764 __func__, #t, (p), (p)->refcnt)); \ 765 } while (0) 766 #define DBG_IPSEC_DELREF(t, p) do { \ 767 KEYDBG(KEY_STAMP, \ 768 printf("%s: Release refcnt %s(%p) -> %u\n", \ 769 __func__, #t, (p), (p)->refcnt - 1)); \ 770 refcount_release(&(p)->refcnt); \ 771 } while (0) 772 773 #define IPSEC_INITREF(t, p) refcount_init(&(p)->refcnt, 1) 774 #define IPSEC_ADDREF(t, p) refcount_acquire(&(p)->refcnt) 775 #define IPSEC_DELREF(t, p) refcount_release(&(p)->refcnt) 776 777 #define SP_INITREF(p) IPSEC_INITREF(SP, p) 778 #define SP_ADDREF(p) IPSEC_ADDREF(SP, p) 779 #define SP_DELREF(p) IPSEC_DELREF(SP, p) 780 781 #define SAH_INITREF(p) IPSEC_INITREF(SAH, p) 782 #define SAH_ADDREF(p) IPSEC_ADDREF(SAH, p) 783 #define SAH_DELREF(p) IPSEC_DELREF(SAH, p) 784 785 #define SAV_INITREF(p) IPSEC_INITREF(SAV, p) 786 #define SAV_ADDREF(p) IPSEC_ADDREF(SAV, p) 787 #define SAV_DELREF(p) IPSEC_DELREF(SAV, p) 788 789 /* 790 * Update the refcnt while holding the SPTREE lock. 791 */ 792 void 793 key_addref(struct secpolicy *sp) 794 { 795 796 SP_ADDREF(sp); 797 } 798 799 /* 800 * Return 0 when there are known to be no SP's for the specified 801 * direction. Otherwise return 1. This is used by IPsec code 802 * to optimize performance. 803 */ 804 int 805 key_havesp(u_int dir) 806 { 807 808 IPSEC_ASSERT(dir == IPSEC_DIR_INBOUND || dir == IPSEC_DIR_OUTBOUND, 809 ("invalid direction %u", dir)); 810 return (TAILQ_FIRST(&V_sptree[dir]) != NULL); 811 } 812 813 int 814 key_havesp_any(void) 815 { 816 817 return (V_spd_size != 0); 818 } 819 820 /* 821 * Allocate a single mbuf with a buffer of the desired length. The buffer is 822 * pre-zeroed to help ensure that uninitialized pad bytes are not leaked. 823 */ 824 static struct mbuf * 825 key_mget(u_int len) 826 { 827 struct mbuf *m; 828 829 KASSERT(len <= MCLBYTES, 830 ("%s: invalid buffer length %u", __func__, len)); 831 832 m = m_get2(len, M_NOWAIT, MT_DATA, M_PKTHDR); 833 if (m == NULL) 834 return (NULL); 835 memset(mtod(m, void *), 0, len); 836 return (m); 837 } 838 839 /* %%% IPsec policy management */ 840 /* 841 * Return current SPDB generation. 842 */ 843 uint32_t 844 key_getspgen(void) 845 { 846 847 return (V_sp_genid); 848 } 849 850 void 851 key_bumpspgen(void) 852 { 853 854 V_sp_genid++; 855 } 856 857 static int 858 key_checksockaddrs(struct sockaddr *src, struct sockaddr *dst) 859 { 860 861 /* family match */ 862 if (src->sa_family != dst->sa_family) 863 return (EINVAL); 864 /* sa_len match */ 865 if (src->sa_len != dst->sa_len) 866 return (EINVAL); 867 switch (src->sa_family) { 868 #ifdef INET 869 case AF_INET: 870 if (src->sa_len != sizeof(struct sockaddr_in)) 871 return (EINVAL); 872 break; 873 #endif 874 #ifdef INET6 875 case AF_INET6: 876 if (src->sa_len != sizeof(struct sockaddr_in6)) 877 return (EINVAL); 878 break; 879 #endif 880 default: 881 return (EAFNOSUPPORT); 882 } 883 return (0); 884 } 885 886 struct secpolicy * 887 key_do_allocsp(struct secpolicyindex *spidx, u_int dir) 888 { 889 SPTREE_RLOCK_TRACKER; 890 struct secpolicy *sp; 891 892 IPSEC_ASSERT(spidx != NULL, ("null spidx")); 893 IPSEC_ASSERT(dir == IPSEC_DIR_INBOUND || dir == IPSEC_DIR_OUTBOUND, 894 ("invalid direction %u", dir)); 895 896 SPTREE_RLOCK(); 897 TAILQ_FOREACH(sp, &V_sptree[dir], chain) { 898 if (key_cmpspidx_withmask(&sp->spidx, spidx)) { 899 SP_ADDREF(sp); 900 break; 901 } 902 } 903 SPTREE_RUNLOCK(); 904 return (sp); 905 } 906 907 /* 908 * allocating a SP for OUTBOUND or INBOUND packet. 909 * Must call key_freesp() later. 910 * OUT: NULL: not found 911 * others: found and return the pointer. 912 */ 913 struct secpolicy * 914 key_allocsp(struct secpolicyindex *spidx, u_int dir) 915 { 916 struct spdcache_entry *entry, *lastentry, *tmpentry; 917 struct secpolicy *sp; 918 uint32_t hashv; 919 time_t ts; 920 int nb_entries; 921 922 if (!SPDCACHE_ACTIVE()) { 923 sp = key_do_allocsp(spidx, dir); 924 goto out; 925 } 926 927 hashv = SPDCACHE_HASHVAL(spidx); 928 SPDCACHE_LOCK(hashv); 929 nb_entries = 0; 930 LIST_FOREACH_SAFE(entry, &V_spdcachehashtbl[hashv], chain, tmpentry) { 931 /* Removed outdated entries */ 932 if (entry->sp != NULL && 933 entry->sp->state == IPSEC_SPSTATE_DEAD) { 934 LIST_REMOVE(entry, chain); 935 spdcache_entry_free(entry); 936 continue; 937 } 938 939 nb_entries++; 940 if (!key_cmpspidx_exactly(&entry->spidx, spidx)) { 941 lastentry = entry; 942 continue; 943 } 944 945 sp = entry->sp; 946 if (entry->sp != NULL) 947 SP_ADDREF(sp); 948 949 /* IPSECSTAT_INC(ips_spdcache_hits); */ 950 951 SPDCACHE_UNLOCK(hashv); 952 goto out; 953 } 954 955 /* IPSECSTAT_INC(ips_spdcache_misses); */ 956 957 sp = key_do_allocsp(spidx, dir); 958 entry = spdcache_entry_alloc(spidx, sp); 959 if (entry != NULL) { 960 if (nb_entries >= SPDCACHE_MAX_ENTRIES_PER_HASH) { 961 LIST_REMOVE(lastentry, chain); 962 spdcache_entry_free(lastentry); 963 } 964 965 LIST_INSERT_HEAD(&V_spdcachehashtbl[hashv], entry, chain); 966 } 967 968 SPDCACHE_UNLOCK(hashv); 969 970 out: 971 if (sp != NULL) { /* found a SPD entry */ 972 ts = time_second; 973 if (__predict_false(sp->lastused != ts)) 974 sp->lastused = ts; 975 KEYDBG(IPSEC_STAMP, 976 printf("%s: return SP(%p)\n", __func__, sp)); 977 KEYDBG(IPSEC_DATA, kdebug_secpolicy(sp)); 978 } else { 979 KEYDBG(IPSEC_DATA, 980 printf("%s: lookup failed for ", __func__); 981 kdebug_secpolicyindex(spidx, NULL)); 982 } 983 return (sp); 984 } 985 986 /* 987 * Allocating an SA entry for an *INBOUND* or *OUTBOUND* TCP packet, signed 988 * or should be signed by MD5 signature. 989 * We don't use key_allocsa() for such lookups, because we don't know SPI. 990 * Unlike ESP and AH protocols, SPI isn't transmitted in the TCP header with 991 * signed packet. We use SADB only as storage for password. 992 * OUT: positive: corresponding SA for given saidx found. 993 * NULL: SA not found 994 */ 995 struct secasvar * 996 key_allocsa_tcpmd5(struct secasindex *saidx) 997 { 998 SAHTREE_RLOCK_TRACKER; 999 struct secashead *sah; 1000 struct secasvar *sav; 1001 1002 IPSEC_ASSERT(saidx->proto == IPPROTO_TCP, 1003 ("unexpected security protocol %u", saidx->proto)); 1004 IPSEC_ASSERT(saidx->mode == IPSEC_MODE_TCPMD5, 1005 ("unexpected mode %u", saidx->mode)); 1006 1007 SAHTREE_RLOCK(); 1008 LIST_FOREACH(sah, SAHADDRHASH_HASH(saidx), addrhash) { 1009 KEYDBG(IPSEC_DUMP, 1010 printf("%s: checking SAH\n", __func__); 1011 kdebug_secash(sah, " ")); 1012 if (sah->saidx.proto != IPPROTO_TCP) 1013 continue; 1014 if (!key_sockaddrcmp(&saidx->dst.sa, &sah->saidx.dst.sa, 0) && 1015 !key_sockaddrcmp(&saidx->src.sa, &sah->saidx.src.sa, 0)) 1016 break; 1017 } 1018 if (sah != NULL) { 1019 if (V_key_preferred_oldsa) 1020 sav = TAILQ_LAST(&sah->savtree_alive, secasvar_queue); 1021 else 1022 sav = TAILQ_FIRST(&sah->savtree_alive); 1023 if (sav != NULL) 1024 SAV_ADDREF(sav); 1025 } else 1026 sav = NULL; 1027 SAHTREE_RUNLOCK(); 1028 1029 if (sav != NULL) { 1030 KEYDBG(IPSEC_STAMP, 1031 printf("%s: return SA(%p)\n", __func__, sav)); 1032 KEYDBG(IPSEC_DATA, kdebug_secasv(sav)); 1033 } else { 1034 KEYDBG(IPSEC_STAMP, 1035 printf("%s: SA not found\n", __func__)); 1036 KEYDBG(IPSEC_DATA, kdebug_secasindex(saidx, NULL)); 1037 } 1038 return (sav); 1039 } 1040 1041 /* 1042 * Allocating an SA entry for an *OUTBOUND* packet. 1043 * OUT: positive: corresponding SA for given saidx found. 1044 * NULL: SA not found, but will be acquired, check *error 1045 * for acquiring status. 1046 */ 1047 struct secasvar * 1048 key_allocsa_policy(struct secpolicy *sp, const struct secasindex *saidx, 1049 int *error) 1050 { 1051 SAHTREE_RLOCK_TRACKER; 1052 struct secashead *sah; 1053 struct secasvar *sav; 1054 1055 IPSEC_ASSERT(saidx != NULL, ("null saidx")); 1056 IPSEC_ASSERT(saidx->mode == IPSEC_MODE_TRANSPORT || 1057 saidx->mode == IPSEC_MODE_TUNNEL, 1058 ("unexpected policy %u", saidx->mode)); 1059 1060 /* 1061 * We check new SA in the IPsec request because a different 1062 * SA may be involved each time this request is checked, either 1063 * because new SAs are being configured, or this request is 1064 * associated with an unconnected datagram socket, or this request 1065 * is associated with a system default policy. 1066 */ 1067 SAHTREE_RLOCK(); 1068 LIST_FOREACH(sah, SAHADDRHASH_HASH(saidx), addrhash) { 1069 KEYDBG(IPSEC_DUMP, 1070 printf("%s: checking SAH\n", __func__); 1071 kdebug_secash(sah, " ")); 1072 if (key_cmpsaidx(&sah->saidx, saidx, CMP_MODE_REQID)) 1073 break; 1074 } 1075 if (sah != NULL) { 1076 /* 1077 * Allocate the oldest SA available according to 1078 * draft-jenkins-ipsec-rekeying-03. 1079 */ 1080 if (V_key_preferred_oldsa) 1081 sav = TAILQ_LAST(&sah->savtree_alive, secasvar_queue); 1082 else 1083 sav = TAILQ_FIRST(&sah->savtree_alive); 1084 if (sav != NULL) 1085 SAV_ADDREF(sav); 1086 } else 1087 sav = NULL; 1088 SAHTREE_RUNLOCK(); 1089 1090 if (sav != NULL) { 1091 *error = 0; 1092 KEYDBG(IPSEC_STAMP, 1093 printf("%s: chosen SA(%p) for SP(%p)\n", __func__, 1094 sav, sp)); 1095 KEYDBG(IPSEC_DATA, kdebug_secasv(sav)); 1096 return (sav); /* return referenced SA */ 1097 } 1098 1099 /* there is no SA */ 1100 *error = key_acquire(saidx, sp); 1101 if ((*error) != 0) 1102 ipseclog((LOG_DEBUG, 1103 "%s: error %d returned from key_acquire()\n", 1104 __func__, *error)); 1105 KEYDBG(IPSEC_STAMP, 1106 printf("%s: acquire SA for SP(%p), error %d\n", 1107 __func__, sp, *error)); 1108 KEYDBG(IPSEC_DATA, kdebug_secasindex(saidx, NULL)); 1109 return (NULL); 1110 } 1111 1112 /* 1113 * allocating a usable SA entry for a *INBOUND* packet. 1114 * Must call key_freesav() later. 1115 * OUT: positive: pointer to a usable sav (i.e. MATURE or DYING state). 1116 * NULL: not found, or error occurred. 1117 * 1118 * According to RFC 2401 SA is uniquely identified by a triple SPI, 1119 * destination address, and security protocol. But according to RFC 4301, 1120 * SPI by itself suffices to specify an SA. 1121 * 1122 * Note that, however, we do need to keep source address in IPsec SA. 1123 * IKE specification and PF_KEY specification do assume that we 1124 * keep source address in IPsec SA. We see a tricky situation here. 1125 */ 1126 struct secasvar * 1127 key_allocsa(union sockaddr_union *dst, uint8_t proto, uint32_t spi) 1128 { 1129 SAHTREE_RLOCK_TRACKER; 1130 struct secasvar *sav; 1131 1132 IPSEC_ASSERT(proto == IPPROTO_ESP || proto == IPPROTO_AH || 1133 proto == IPPROTO_IPCOMP, ("unexpected security protocol %u", 1134 proto)); 1135 1136 SAHTREE_RLOCK(); 1137 LIST_FOREACH(sav, SAVHASH_HASH(spi), spihash) { 1138 if (sav->spi == spi) 1139 break; 1140 } 1141 /* 1142 * We use single SPI namespace for all protocols, so it is 1143 * impossible to have SPI duplicates in the SAVHASH. 1144 */ 1145 if (sav != NULL) { 1146 if (sav->state != SADB_SASTATE_LARVAL && 1147 sav->sah->saidx.proto == proto && 1148 key_sockaddrcmp(&dst->sa, 1149 &sav->sah->saidx.dst.sa, 0) == 0) 1150 SAV_ADDREF(sav); 1151 else 1152 sav = NULL; 1153 } 1154 SAHTREE_RUNLOCK(); 1155 1156 if (sav == NULL) { 1157 KEYDBG(IPSEC_STAMP, 1158 char buf[IPSEC_ADDRSTRLEN]; 1159 printf("%s: SA not found for spi %u proto %u dst %s\n", 1160 __func__, ntohl(spi), proto, ipsec_address(dst, buf, 1161 sizeof(buf)))); 1162 } else { 1163 KEYDBG(IPSEC_STAMP, 1164 printf("%s: return SA(%p)\n", __func__, sav)); 1165 KEYDBG(IPSEC_DATA, kdebug_secasv(sav)); 1166 } 1167 return (sav); 1168 } 1169 1170 struct secasvar * 1171 key_allocsa_tunnel(union sockaddr_union *src, union sockaddr_union *dst, 1172 uint8_t proto) 1173 { 1174 SAHTREE_RLOCK_TRACKER; 1175 struct secasindex saidx; 1176 struct secashead *sah; 1177 struct secasvar *sav; 1178 1179 IPSEC_ASSERT(src != NULL, ("null src address")); 1180 IPSEC_ASSERT(dst != NULL, ("null dst address")); 1181 1182 KEY_SETSECASIDX(proto, IPSEC_MODE_TUNNEL, 0, &src->sa, 1183 &dst->sa, &saidx); 1184 1185 sav = NULL; 1186 SAHTREE_RLOCK(); 1187 LIST_FOREACH(sah, SAHADDRHASH_HASH(&saidx), addrhash) { 1188 if (IPSEC_MODE_TUNNEL != sah->saidx.mode) 1189 continue; 1190 if (proto != sah->saidx.proto) 1191 continue; 1192 if (key_sockaddrcmp(&src->sa, &sah->saidx.src.sa, 0) != 0) 1193 continue; 1194 if (key_sockaddrcmp(&dst->sa, &sah->saidx.dst.sa, 0) != 0) 1195 continue; 1196 /* XXXAE: is key_preferred_oldsa reasonably?*/ 1197 if (V_key_preferred_oldsa) 1198 sav = TAILQ_LAST(&sah->savtree_alive, secasvar_queue); 1199 else 1200 sav = TAILQ_FIRST(&sah->savtree_alive); 1201 if (sav != NULL) { 1202 SAV_ADDREF(sav); 1203 break; 1204 } 1205 } 1206 SAHTREE_RUNLOCK(); 1207 KEYDBG(IPSEC_STAMP, 1208 printf("%s: return SA(%p)\n", __func__, sav)); 1209 if (sav != NULL) 1210 KEYDBG(IPSEC_DATA, kdebug_secasv(sav)); 1211 return (sav); 1212 } 1213 1214 /* 1215 * Must be called after calling key_allocsp(). 1216 */ 1217 void 1218 key_freesp(struct secpolicy **spp) 1219 { 1220 struct secpolicy *sp = *spp; 1221 1222 IPSEC_ASSERT(sp != NULL, ("null sp")); 1223 if (SP_DELREF(sp) == 0) 1224 return; 1225 1226 KEYDBG(IPSEC_STAMP, 1227 printf("%s: last reference to SP(%p)\n", __func__, sp)); 1228 KEYDBG(IPSEC_DATA, kdebug_secpolicy(sp)); 1229 1230 *spp = NULL; 1231 while (sp->tcount > 0) 1232 ipsec_delisr(sp->req[--sp->tcount]); 1233 free(sp, M_IPSEC_SP); 1234 } 1235 1236 static void 1237 key_unlink(struct secpolicy *sp) 1238 { 1239 SPTREE_WLOCK(); 1240 key_detach(sp); 1241 SPTREE_WUNLOCK(); 1242 if (SPDCACHE_ENABLED()) 1243 spdcache_clear(); 1244 key_freesp(&sp); 1245 } 1246 1247 static void 1248 key_detach(struct secpolicy *sp) 1249 { 1250 IPSEC_ASSERT(sp->spidx.dir == IPSEC_DIR_INBOUND || 1251 sp->spidx.dir == IPSEC_DIR_OUTBOUND, 1252 ("invalid direction %u", sp->spidx.dir)); 1253 SPTREE_WLOCK_ASSERT(); 1254 1255 KEYDBG(KEY_STAMP, 1256 printf("%s: SP(%p)\n", __func__, sp)); 1257 if (sp->state != IPSEC_SPSTATE_ALIVE) { 1258 /* SP is already unlinked */ 1259 return; 1260 } 1261 sp->state = IPSEC_SPSTATE_DEAD; 1262 TAILQ_REMOVE(&V_sptree[sp->spidx.dir], sp, chain); 1263 V_spd_size--; 1264 LIST_REMOVE(sp, idhash); 1265 V_sp_genid++; 1266 } 1267 1268 /* 1269 * insert a secpolicy into the SP database. Lower priorities first 1270 */ 1271 static void 1272 key_insertsp(struct secpolicy *newsp) 1273 { 1274 struct secpolicy *sp; 1275 1276 SPTREE_WLOCK_ASSERT(); 1277 TAILQ_FOREACH(sp, &V_sptree[newsp->spidx.dir], chain) { 1278 if (newsp->priority < sp->priority) { 1279 TAILQ_INSERT_BEFORE(sp, newsp, chain); 1280 goto done; 1281 } 1282 } 1283 TAILQ_INSERT_TAIL(&V_sptree[newsp->spidx.dir], newsp, chain); 1284 done: 1285 LIST_INSERT_HEAD(SPHASH_HASH(newsp->id), newsp, idhash); 1286 newsp->state = IPSEC_SPSTATE_ALIVE; 1287 V_spd_size++; 1288 V_sp_genid++; 1289 } 1290 1291 /* 1292 * Insert a bunch of VTI secpolicies into the SPDB. 1293 * We keep VTI policies in the separate list due to following reasons: 1294 * 1) they should be immutable to user's or some deamon's attempts to 1295 * delete. The only way delete such policies - destroy or unconfigure 1296 * corresponding virtual inteface. 1297 * 2) such policies have traffic selector that matches all traffic per 1298 * address family. 1299 * Since all VTI policies have the same priority, we don't care about 1300 * policies order. 1301 */ 1302 int 1303 key_register_ifnet(struct secpolicy **spp, u_int count) 1304 { 1305 struct mbuf *m; 1306 u_int i; 1307 1308 SPTREE_WLOCK(); 1309 /* 1310 * First of try to acquire id for each SP. 1311 */ 1312 for (i = 0; i < count; i++) { 1313 IPSEC_ASSERT(spp[i]->spidx.dir == IPSEC_DIR_INBOUND || 1314 spp[i]->spidx.dir == IPSEC_DIR_OUTBOUND, 1315 ("invalid direction %u", spp[i]->spidx.dir)); 1316 1317 if ((spp[i]->id = key_getnewspid()) == 0) { 1318 SPTREE_WUNLOCK(); 1319 return (EAGAIN); 1320 } 1321 } 1322 for (i = 0; i < count; i++) { 1323 TAILQ_INSERT_TAIL(&V_sptree_ifnet[spp[i]->spidx.dir], 1324 spp[i], chain); 1325 /* 1326 * NOTE: despite the fact that we keep VTI SP in the 1327 * separate list, SPHASH contains policies from both 1328 * sources. Thus SADB_X_SPDGET will correctly return 1329 * SP by id, because it uses SPHASH for lookups. 1330 */ 1331 LIST_INSERT_HEAD(SPHASH_HASH(spp[i]->id), spp[i], idhash); 1332 spp[i]->state = IPSEC_SPSTATE_IFNET; 1333 } 1334 SPTREE_WUNLOCK(); 1335 /* 1336 * Notify user processes about new SP. 1337 */ 1338 for (i = 0; i < count; i++) { 1339 m = key_setdumpsp(spp[i], SADB_X_SPDADD, 0, 0); 1340 if (m != NULL) 1341 key_sendup_mbuf(NULL, m, KEY_SENDUP_ALL); 1342 } 1343 return (0); 1344 } 1345 1346 void 1347 key_unregister_ifnet(struct secpolicy **spp, u_int count) 1348 { 1349 struct mbuf *m; 1350 u_int i; 1351 1352 SPTREE_WLOCK(); 1353 for (i = 0; i < count; i++) { 1354 IPSEC_ASSERT(spp[i]->spidx.dir == IPSEC_DIR_INBOUND || 1355 spp[i]->spidx.dir == IPSEC_DIR_OUTBOUND, 1356 ("invalid direction %u", spp[i]->spidx.dir)); 1357 1358 if (spp[i]->state != IPSEC_SPSTATE_IFNET) 1359 continue; 1360 spp[i]->state = IPSEC_SPSTATE_DEAD; 1361 TAILQ_REMOVE(&V_sptree_ifnet[spp[i]->spidx.dir], 1362 spp[i], chain); 1363 V_spd_size--; 1364 LIST_REMOVE(spp[i], idhash); 1365 } 1366 SPTREE_WUNLOCK(); 1367 if (SPDCACHE_ENABLED()) 1368 spdcache_clear(); 1369 1370 for (i = 0; i < count; i++) { 1371 m = key_setdumpsp(spp[i], SADB_X_SPDDELETE, 0, 0); 1372 if (m != NULL) 1373 key_sendup_mbuf(NULL, m, KEY_SENDUP_ALL); 1374 } 1375 } 1376 1377 /* 1378 * Must be called after calling key_allocsa(). 1379 * This function is called by key_freesp() to free some SA allocated 1380 * for a policy. 1381 */ 1382 void 1383 key_freesav(struct secasvar **psav) 1384 { 1385 struct secasvar *sav = *psav; 1386 1387 IPSEC_ASSERT(sav != NULL, ("null sav")); 1388 CURVNET_ASSERT_SET(); 1389 if (SAV_DELREF(sav) == 0) 1390 return; 1391 1392 KEYDBG(IPSEC_STAMP, 1393 printf("%s: last reference to SA(%p)\n", __func__, sav)); 1394 1395 *psav = NULL; 1396 key_delsav(sav); 1397 } 1398 1399 /* 1400 * Unlink SA from SAH and SPI hash under SAHTREE_WLOCK. 1401 * Expect that SA has extra reference due to lookup. 1402 * Release this references, also release SAH reference after unlink. 1403 */ 1404 static void 1405 key_unlinksav(struct secasvar *sav) 1406 { 1407 struct secashead *sah; 1408 1409 KEYDBG(KEY_STAMP, 1410 printf("%s: SA(%p)\n", __func__, sav)); 1411 1412 CURVNET_ASSERT_SET(); 1413 SAHTREE_UNLOCK_ASSERT(); 1414 SAHTREE_WLOCK(); 1415 if (sav->state == SADB_SASTATE_DEAD) { 1416 /* SA is already unlinked */ 1417 SAHTREE_WUNLOCK(); 1418 return; 1419 } 1420 /* Unlink from SAH */ 1421 if (sav->state == SADB_SASTATE_LARVAL) 1422 TAILQ_REMOVE(&sav->sah->savtree_larval, sav, chain); 1423 else 1424 TAILQ_REMOVE(&sav->sah->savtree_alive, sav, chain); 1425 /* Unlink from SPI hash */ 1426 LIST_REMOVE(sav, spihash); 1427 sav->state = SADB_SASTATE_DEAD; 1428 sah = sav->sah; 1429 SAHTREE_WUNLOCK(); 1430 key_freesav(&sav); 1431 /* Since we are unlinked, release reference to SAH */ 1432 key_freesah(&sah); 1433 } 1434 1435 /* %%% SPD management */ 1436 /* 1437 * search SPD 1438 * OUT: NULL : not found 1439 * others : found, pointer to a SP. 1440 */ 1441 static struct secpolicy * 1442 key_getsp(struct secpolicyindex *spidx) 1443 { 1444 SPTREE_RLOCK_TRACKER; 1445 struct secpolicy *sp; 1446 1447 IPSEC_ASSERT(spidx != NULL, ("null spidx")); 1448 1449 SPTREE_RLOCK(); 1450 TAILQ_FOREACH(sp, &V_sptree[spidx->dir], chain) { 1451 if (key_cmpspidx_exactly(spidx, &sp->spidx)) { 1452 SP_ADDREF(sp); 1453 break; 1454 } 1455 } 1456 SPTREE_RUNLOCK(); 1457 1458 return sp; 1459 } 1460 1461 /* 1462 * get SP by index. 1463 * OUT: NULL : not found 1464 * others : found, pointer to referenced SP. 1465 */ 1466 static struct secpolicy * 1467 key_getspbyid(uint32_t id) 1468 { 1469 SPTREE_RLOCK_TRACKER; 1470 struct secpolicy *sp; 1471 1472 SPTREE_RLOCK(); 1473 LIST_FOREACH(sp, SPHASH_HASH(id), idhash) { 1474 if (sp->id == id) { 1475 SP_ADDREF(sp); 1476 break; 1477 } 1478 } 1479 SPTREE_RUNLOCK(); 1480 return (sp); 1481 } 1482 1483 struct secpolicy * 1484 key_newsp(void) 1485 { 1486 struct secpolicy *sp; 1487 1488 sp = malloc(sizeof(*sp), M_IPSEC_SP, M_NOWAIT | M_ZERO); 1489 if (sp != NULL) 1490 SP_INITREF(sp); 1491 return (sp); 1492 } 1493 1494 struct ipsecrequest * 1495 ipsec_newisr(void) 1496 { 1497 1498 return (malloc(sizeof(struct ipsecrequest), M_IPSEC_SR, 1499 M_NOWAIT | M_ZERO)); 1500 } 1501 1502 void 1503 ipsec_delisr(struct ipsecrequest *p) 1504 { 1505 1506 free(p, M_IPSEC_SR); 1507 } 1508 1509 /* 1510 * create secpolicy structure from sadb_x_policy structure. 1511 * NOTE: `state', `secpolicyindex' and 'id' in secpolicy structure 1512 * are not set, so must be set properly later. 1513 */ 1514 struct secpolicy * 1515 key_msg2sp(struct sadb_x_policy *xpl0, size_t len, int *error) 1516 { 1517 struct secpolicy *newsp; 1518 1519 IPSEC_ASSERT(xpl0 != NULL, ("null xpl0")); 1520 IPSEC_ASSERT(len >= sizeof(*xpl0), ("policy too short: %zu", len)); 1521 1522 if (len != PFKEY_EXTLEN(xpl0)) { 1523 ipseclog((LOG_DEBUG, "%s: Invalid msg length.\n", __func__)); 1524 *error = EINVAL; 1525 return NULL; 1526 } 1527 1528 if ((newsp = key_newsp()) == NULL) { 1529 *error = ENOBUFS; 1530 return NULL; 1531 } 1532 1533 newsp->spidx.dir = xpl0->sadb_x_policy_dir; 1534 newsp->policy = xpl0->sadb_x_policy_type; 1535 newsp->priority = xpl0->sadb_x_policy_priority; 1536 newsp->tcount = 0; 1537 1538 /* check policy */ 1539 switch (xpl0->sadb_x_policy_type) { 1540 case IPSEC_POLICY_DISCARD: 1541 case IPSEC_POLICY_NONE: 1542 case IPSEC_POLICY_ENTRUST: 1543 case IPSEC_POLICY_BYPASS: 1544 break; 1545 1546 case IPSEC_POLICY_IPSEC: 1547 { 1548 struct sadb_x_ipsecrequest *xisr; 1549 struct ipsecrequest *isr; 1550 int tlen; 1551 1552 /* validity check */ 1553 if (PFKEY_EXTLEN(xpl0) < sizeof(*xpl0)) { 1554 ipseclog((LOG_DEBUG, "%s: Invalid msg length.\n", 1555 __func__)); 1556 key_freesp(&newsp); 1557 *error = EINVAL; 1558 return NULL; 1559 } 1560 1561 tlen = PFKEY_EXTLEN(xpl0) - sizeof(*xpl0); 1562 xisr = (struct sadb_x_ipsecrequest *)(xpl0 + 1); 1563 1564 while (tlen > 0) { 1565 /* length check */ 1566 if (xisr->sadb_x_ipsecrequest_len < sizeof(*xisr) || 1567 xisr->sadb_x_ipsecrequest_len > tlen) { 1568 ipseclog((LOG_DEBUG, "%s: invalid ipsecrequest " 1569 "length.\n", __func__)); 1570 key_freesp(&newsp); 1571 *error = EINVAL; 1572 return NULL; 1573 } 1574 1575 if (newsp->tcount >= IPSEC_MAXREQ) { 1576 ipseclog((LOG_DEBUG, 1577 "%s: too many ipsecrequests.\n", 1578 __func__)); 1579 key_freesp(&newsp); 1580 *error = EINVAL; 1581 return (NULL); 1582 } 1583 1584 /* allocate request buffer */ 1585 /* NB: data structure is zero'd */ 1586 isr = ipsec_newisr(); 1587 if (isr == NULL) { 1588 ipseclog((LOG_DEBUG, 1589 "%s: No more memory.\n", __func__)); 1590 key_freesp(&newsp); 1591 *error = ENOBUFS; 1592 return NULL; 1593 } 1594 1595 newsp->req[newsp->tcount++] = isr; 1596 1597 /* set values */ 1598 switch (xisr->sadb_x_ipsecrequest_proto) { 1599 case IPPROTO_ESP: 1600 case IPPROTO_AH: 1601 case IPPROTO_IPCOMP: 1602 break; 1603 default: 1604 ipseclog((LOG_DEBUG, 1605 "%s: invalid proto type=%u\n", __func__, 1606 xisr->sadb_x_ipsecrequest_proto)); 1607 key_freesp(&newsp); 1608 *error = EPROTONOSUPPORT; 1609 return NULL; 1610 } 1611 isr->saidx.proto = 1612 (uint8_t)xisr->sadb_x_ipsecrequest_proto; 1613 1614 switch (xisr->sadb_x_ipsecrequest_mode) { 1615 case IPSEC_MODE_TRANSPORT: 1616 case IPSEC_MODE_TUNNEL: 1617 break; 1618 case IPSEC_MODE_ANY: 1619 default: 1620 ipseclog((LOG_DEBUG, 1621 "%s: invalid mode=%u\n", __func__, 1622 xisr->sadb_x_ipsecrequest_mode)); 1623 key_freesp(&newsp); 1624 *error = EINVAL; 1625 return NULL; 1626 } 1627 isr->saidx.mode = xisr->sadb_x_ipsecrequest_mode; 1628 1629 switch (xisr->sadb_x_ipsecrequest_level) { 1630 case IPSEC_LEVEL_DEFAULT: 1631 case IPSEC_LEVEL_USE: 1632 case IPSEC_LEVEL_REQUIRE: 1633 break; 1634 case IPSEC_LEVEL_UNIQUE: 1635 /* validity check */ 1636 /* 1637 * If range violation of reqid, kernel will 1638 * update it, don't refuse it. 1639 */ 1640 if (xisr->sadb_x_ipsecrequest_reqid 1641 > IPSEC_MANUAL_REQID_MAX) { 1642 ipseclog((LOG_DEBUG, 1643 "%s: reqid=%d range " 1644 "violation, updated by kernel.\n", 1645 __func__, 1646 xisr->sadb_x_ipsecrequest_reqid)); 1647 xisr->sadb_x_ipsecrequest_reqid = 0; 1648 } 1649 1650 /* allocate new reqid id if reqid is zero. */ 1651 if (xisr->sadb_x_ipsecrequest_reqid == 0) { 1652 u_int32_t reqid; 1653 if ((reqid = key_newreqid()) == 0) { 1654 key_freesp(&newsp); 1655 *error = ENOBUFS; 1656 return NULL; 1657 } 1658 isr->saidx.reqid = reqid; 1659 xisr->sadb_x_ipsecrequest_reqid = reqid; 1660 } else { 1661 /* set it for manual keying. */ 1662 isr->saidx.reqid = 1663 xisr->sadb_x_ipsecrequest_reqid; 1664 } 1665 break; 1666 1667 default: 1668 ipseclog((LOG_DEBUG, "%s: invalid level=%u\n", 1669 __func__, 1670 xisr->sadb_x_ipsecrequest_level)); 1671 key_freesp(&newsp); 1672 *error = EINVAL; 1673 return NULL; 1674 } 1675 isr->level = xisr->sadb_x_ipsecrequest_level; 1676 1677 /* set IP addresses if there */ 1678 if (xisr->sadb_x_ipsecrequest_len > sizeof(*xisr)) { 1679 struct sockaddr *paddr; 1680 1681 len = tlen - sizeof(*xisr); 1682 paddr = (struct sockaddr *)(xisr + 1); 1683 /* validity check */ 1684 if (len < sizeof(struct sockaddr) || 1685 len < 2 * paddr->sa_len || 1686 paddr->sa_len > sizeof(isr->saidx.src)) { 1687 ipseclog((LOG_DEBUG, "%s: invalid " 1688 "request address length.\n", 1689 __func__)); 1690 key_freesp(&newsp); 1691 *error = EINVAL; 1692 return NULL; 1693 } 1694 /* 1695 * Request length should be enough to keep 1696 * source and destination addresses. 1697 */ 1698 if (xisr->sadb_x_ipsecrequest_len < 1699 sizeof(*xisr) + 2 * paddr->sa_len) { 1700 ipseclog((LOG_DEBUG, "%s: invalid " 1701 "ipsecrequest length.\n", 1702 __func__)); 1703 key_freesp(&newsp); 1704 *error = EINVAL; 1705 return (NULL); 1706 } 1707 bcopy(paddr, &isr->saidx.src, paddr->sa_len); 1708 paddr = (struct sockaddr *)((caddr_t)paddr + 1709 paddr->sa_len); 1710 1711 /* validity check */ 1712 if (paddr->sa_len != 1713 isr->saidx.src.sa.sa_len) { 1714 ipseclog((LOG_DEBUG, "%s: invalid " 1715 "request address length.\n", 1716 __func__)); 1717 key_freesp(&newsp); 1718 *error = EINVAL; 1719 return NULL; 1720 } 1721 /* AF family should match */ 1722 if (paddr->sa_family != 1723 isr->saidx.src.sa.sa_family) { 1724 ipseclog((LOG_DEBUG, "%s: address " 1725 "family doesn't match.\n", 1726 __func__)); 1727 key_freesp(&newsp); 1728 *error = EINVAL; 1729 return (NULL); 1730 } 1731 bcopy(paddr, &isr->saidx.dst, paddr->sa_len); 1732 } else { 1733 /* 1734 * Addresses for TUNNEL mode requests are 1735 * mandatory. 1736 */ 1737 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) { 1738 ipseclog((LOG_DEBUG, "%s: missing " 1739 "request addresses.\n", __func__)); 1740 key_freesp(&newsp); 1741 *error = EINVAL; 1742 return (NULL); 1743 } 1744 } 1745 tlen -= xisr->sadb_x_ipsecrequest_len; 1746 1747 /* validity check */ 1748 if (tlen < 0) { 1749 ipseclog((LOG_DEBUG, "%s: becoming tlen < 0.\n", 1750 __func__)); 1751 key_freesp(&newsp); 1752 *error = EINVAL; 1753 return NULL; 1754 } 1755 1756 xisr = (struct sadb_x_ipsecrequest *)((caddr_t)xisr 1757 + xisr->sadb_x_ipsecrequest_len); 1758 } 1759 /* XXXAE: LARVAL SP */ 1760 if (newsp->tcount < 1) { 1761 ipseclog((LOG_DEBUG, "%s: valid IPSEC transforms " 1762 "not found.\n", __func__)); 1763 key_freesp(&newsp); 1764 *error = EINVAL; 1765 return (NULL); 1766 } 1767 } 1768 break; 1769 default: 1770 ipseclog((LOG_DEBUG, "%s: invalid policy type.\n", __func__)); 1771 key_freesp(&newsp); 1772 *error = EINVAL; 1773 return NULL; 1774 } 1775 1776 *error = 0; 1777 return (newsp); 1778 } 1779 1780 uint32_t 1781 key_newreqid(void) 1782 { 1783 static uint32_t auto_reqid = IPSEC_MANUAL_REQID_MAX + 1; 1784 1785 if (auto_reqid == ~0) 1786 auto_reqid = IPSEC_MANUAL_REQID_MAX + 1; 1787 else 1788 auto_reqid++; 1789 1790 /* XXX should be unique check */ 1791 return (auto_reqid); 1792 } 1793 1794 /* 1795 * copy secpolicy struct to sadb_x_policy structure indicated. 1796 */ 1797 static struct mbuf * 1798 key_sp2mbuf(struct secpolicy *sp) 1799 { 1800 struct mbuf *m; 1801 size_t tlen; 1802 1803 tlen = key_getspreqmsglen(sp); 1804 m = m_get2(tlen, M_NOWAIT, MT_DATA, 0); 1805 if (m == NULL) 1806 return (NULL); 1807 m_align(m, tlen); 1808 m->m_len = tlen; 1809 if (key_sp2msg(sp, m->m_data, &tlen) != 0) { 1810 m_freem(m); 1811 return (NULL); 1812 } 1813 return (m); 1814 } 1815 1816 int 1817 key_sp2msg(struct secpolicy *sp, void *request, size_t *len) 1818 { 1819 struct sadb_x_ipsecrequest *xisr; 1820 struct sadb_x_policy *xpl; 1821 struct ipsecrequest *isr; 1822 size_t xlen, ilen; 1823 caddr_t p; 1824 int error, i; 1825 1826 IPSEC_ASSERT(sp != NULL, ("null policy")); 1827 1828 xlen = sizeof(*xpl); 1829 if (*len < xlen) 1830 return (EINVAL); 1831 1832 error = 0; 1833 bzero(request, *len); 1834 xpl = (struct sadb_x_policy *)request; 1835 xpl->sadb_x_policy_exttype = SADB_X_EXT_POLICY; 1836 xpl->sadb_x_policy_type = sp->policy; 1837 xpl->sadb_x_policy_dir = sp->spidx.dir; 1838 xpl->sadb_x_policy_id = sp->id; 1839 xpl->sadb_x_policy_priority = sp->priority; 1840 switch (sp->state) { 1841 case IPSEC_SPSTATE_IFNET: 1842 xpl->sadb_x_policy_scope = IPSEC_POLICYSCOPE_IFNET; 1843 break; 1844 case IPSEC_SPSTATE_PCB: 1845 xpl->sadb_x_policy_scope = IPSEC_POLICYSCOPE_PCB; 1846 break; 1847 default: 1848 xpl->sadb_x_policy_scope = IPSEC_POLICYSCOPE_GLOBAL; 1849 } 1850 1851 /* if is the policy for ipsec ? */ 1852 if (sp->policy == IPSEC_POLICY_IPSEC) { 1853 p = (caddr_t)xpl + sizeof(*xpl); 1854 for (i = 0; i < sp->tcount; i++) { 1855 isr = sp->req[i]; 1856 ilen = PFKEY_ALIGN8(sizeof(*xisr) + 1857 isr->saidx.src.sa.sa_len + 1858 isr->saidx.dst.sa.sa_len); 1859 xlen += ilen; 1860 if (xlen > *len) { 1861 error = ENOBUFS; 1862 /* Calculate needed size */ 1863 continue; 1864 } 1865 xisr = (struct sadb_x_ipsecrequest *)p; 1866 xisr->sadb_x_ipsecrequest_len = ilen; 1867 xisr->sadb_x_ipsecrequest_proto = isr->saidx.proto; 1868 xisr->sadb_x_ipsecrequest_mode = isr->saidx.mode; 1869 xisr->sadb_x_ipsecrequest_level = isr->level; 1870 xisr->sadb_x_ipsecrequest_reqid = isr->saidx.reqid; 1871 1872 p += sizeof(*xisr); 1873 bcopy(&isr->saidx.src, p, isr->saidx.src.sa.sa_len); 1874 p += isr->saidx.src.sa.sa_len; 1875 bcopy(&isr->saidx.dst, p, isr->saidx.dst.sa.sa_len); 1876 p += isr->saidx.dst.sa.sa_len; 1877 } 1878 } 1879 xpl->sadb_x_policy_len = PFKEY_UNIT64(xlen); 1880 if (error == 0) 1881 *len = xlen; 1882 else 1883 *len = sizeof(*xpl); 1884 return (error); 1885 } 1886 1887 /* m will not be freed nor modified */ 1888 static struct mbuf * 1889 key_gather_mbuf(struct mbuf *m, const struct sadb_msghdr *mhp, 1890 int ndeep, int nitem, ...) 1891 { 1892 va_list ap; 1893 int idx; 1894 int i; 1895 struct mbuf *result = NULL, *n; 1896 int len; 1897 1898 IPSEC_ASSERT(m != NULL, ("null mbuf")); 1899 IPSEC_ASSERT(mhp != NULL, ("null msghdr")); 1900 1901 va_start(ap, nitem); 1902 for (i = 0; i < nitem; i++) { 1903 idx = va_arg(ap, int); 1904 if (idx < 0 || idx > SADB_EXT_MAX) 1905 goto fail; 1906 /* don't attempt to pull empty extension */ 1907 if (idx == SADB_EXT_RESERVED && mhp->msg == NULL) 1908 continue; 1909 if (idx != SADB_EXT_RESERVED && 1910 (mhp->ext[idx] == NULL || mhp->extlen[idx] == 0)) 1911 continue; 1912 1913 if (idx == SADB_EXT_RESERVED) { 1914 len = PFKEY_ALIGN8(sizeof(struct sadb_msg)); 1915 1916 IPSEC_ASSERT(len <= MHLEN, ("header too big %u", len)); 1917 1918 MGETHDR(n, M_NOWAIT, MT_DATA); 1919 if (!n) 1920 goto fail; 1921 n->m_len = len; 1922 n->m_next = NULL; 1923 m_copydata(m, 0, sizeof(struct sadb_msg), 1924 mtod(n, caddr_t)); 1925 } else if (i < ndeep) { 1926 len = mhp->extlen[idx]; 1927 n = m_get2(len, M_NOWAIT, MT_DATA, 0); 1928 if (n == NULL) 1929 goto fail; 1930 m_align(n, len); 1931 n->m_len = len; 1932 m_copydata(m, mhp->extoff[idx], mhp->extlen[idx], 1933 mtod(n, caddr_t)); 1934 } else { 1935 n = m_copym(m, mhp->extoff[idx], mhp->extlen[idx], 1936 M_NOWAIT); 1937 } 1938 if (n == NULL) 1939 goto fail; 1940 1941 if (result) 1942 m_cat(result, n); 1943 else 1944 result = n; 1945 } 1946 va_end(ap); 1947 1948 if ((result->m_flags & M_PKTHDR) != 0) { 1949 result->m_pkthdr.len = 0; 1950 for (n = result; n; n = n->m_next) 1951 result->m_pkthdr.len += n->m_len; 1952 } 1953 1954 return result; 1955 1956 fail: 1957 m_freem(result); 1958 va_end(ap); 1959 return NULL; 1960 } 1961 1962 /* 1963 * SADB_X_SPDADD, SADB_X_SPDSETIDX or SADB_X_SPDUPDATE processing 1964 * add an entry to SP database, when received 1965 * <base, address(SD), (lifetime(H),) policy> 1966 * from the user(?). 1967 * Adding to SP database, 1968 * and send 1969 * <base, address(SD), (lifetime(H),) policy> 1970 * to the socket which was send. 1971 * 1972 * SPDADD set a unique policy entry. 1973 * SPDSETIDX like SPDADD without a part of policy requests. 1974 * SPDUPDATE replace a unique policy entry. 1975 * 1976 * XXXAE: serialize this in PF_KEY to avoid races. 1977 * m will always be freed. 1978 */ 1979 static int 1980 key_spdadd(struct socket *so, struct mbuf *m, const struct sadb_msghdr *mhp) 1981 { 1982 struct secpolicyindex spidx; 1983 struct sadb_address *src0, *dst0; 1984 struct sadb_x_policy *xpl0, *xpl; 1985 struct sadb_lifetime *lft = NULL; 1986 struct secpolicy *newsp, *oldsp; 1987 int error; 1988 1989 IPSEC_ASSERT(so != NULL, ("null socket")); 1990 IPSEC_ASSERT(m != NULL, ("null mbuf")); 1991 IPSEC_ASSERT(mhp != NULL, ("null msghdr")); 1992 IPSEC_ASSERT(mhp->msg != NULL, ("null msg")); 1993 1994 if (SADB_CHECKHDR(mhp, SADB_EXT_ADDRESS_SRC) || 1995 SADB_CHECKHDR(mhp, SADB_EXT_ADDRESS_DST) || 1996 SADB_CHECKHDR(mhp, SADB_X_EXT_POLICY)) { 1997 ipseclog((LOG_DEBUG, 1998 "%s: invalid message: missing required header.\n", 1999 __func__)); 2000 return key_senderror(so, m, EINVAL); 2001 } 2002 if (SADB_CHECKLEN(mhp, SADB_EXT_ADDRESS_SRC) || 2003 SADB_CHECKLEN(mhp, SADB_EXT_ADDRESS_DST) || 2004 SADB_CHECKLEN(mhp, SADB_X_EXT_POLICY)) { 2005 ipseclog((LOG_DEBUG, 2006 "%s: invalid message: wrong header size.\n", __func__)); 2007 return key_senderror(so, m, EINVAL); 2008 } 2009 if (!SADB_CHECKHDR(mhp, SADB_EXT_LIFETIME_HARD)) { 2010 if (SADB_CHECKLEN(mhp, SADB_EXT_LIFETIME_HARD)) { 2011 ipseclog((LOG_DEBUG, 2012 "%s: invalid message: wrong header size.\n", 2013 __func__)); 2014 return key_senderror(so, m, EINVAL); 2015 } 2016 lft = (struct sadb_lifetime *)mhp->ext[SADB_EXT_LIFETIME_HARD]; 2017 } 2018 2019 src0 = (struct sadb_address *)mhp->ext[SADB_EXT_ADDRESS_SRC]; 2020 dst0 = (struct sadb_address *)mhp->ext[SADB_EXT_ADDRESS_DST]; 2021 xpl0 = (struct sadb_x_policy *)mhp->ext[SADB_X_EXT_POLICY]; 2022 2023 /* check the direciton */ 2024 switch (xpl0->sadb_x_policy_dir) { 2025 case IPSEC_DIR_INBOUND: 2026 case IPSEC_DIR_OUTBOUND: 2027 break; 2028 default: 2029 ipseclog((LOG_DEBUG, "%s: invalid SP direction.\n", __func__)); 2030 return key_senderror(so, m, EINVAL); 2031 } 2032 /* key_spdadd() accepts DISCARD, NONE and IPSEC. */ 2033 if (xpl0->sadb_x_policy_type != IPSEC_POLICY_DISCARD && 2034 xpl0->sadb_x_policy_type != IPSEC_POLICY_NONE && 2035 xpl0->sadb_x_policy_type != IPSEC_POLICY_IPSEC) { 2036 ipseclog((LOG_DEBUG, "%s: invalid policy type.\n", __func__)); 2037 return key_senderror(so, m, EINVAL); 2038 } 2039 2040 /* policy requests are mandatory when action is ipsec. */ 2041 if (xpl0->sadb_x_policy_type == IPSEC_POLICY_IPSEC && 2042 mhp->extlen[SADB_X_EXT_POLICY] <= sizeof(*xpl0)) { 2043 ipseclog((LOG_DEBUG, 2044 "%s: policy requests required.\n", __func__)); 2045 return key_senderror(so, m, EINVAL); 2046 } 2047 2048 error = key_checksockaddrs((struct sockaddr *)(src0 + 1), 2049 (struct sockaddr *)(dst0 + 1)); 2050 if (error != 0 || 2051 src0->sadb_address_proto != dst0->sadb_address_proto) { 2052 ipseclog((LOG_DEBUG, "%s: invalid sockaddr.\n", __func__)); 2053 return key_senderror(so, m, error); 2054 } 2055 /* make secindex */ 2056 KEY_SETSECSPIDX(xpl0->sadb_x_policy_dir, 2057 src0 + 1, 2058 dst0 + 1, 2059 src0->sadb_address_prefixlen, 2060 dst0->sadb_address_prefixlen, 2061 src0->sadb_address_proto, 2062 &spidx); 2063 /* Checking there is SP already or not. */ 2064 oldsp = key_getsp(&spidx); 2065 if (oldsp != NULL) { 2066 if (mhp->msg->sadb_msg_type == SADB_X_SPDUPDATE) { 2067 KEYDBG(KEY_STAMP, 2068 printf("%s: unlink SP(%p) for SPDUPDATE\n", 2069 __func__, oldsp)); 2070 KEYDBG(KEY_DATA, kdebug_secpolicy(oldsp)); 2071 } else { 2072 key_freesp(&oldsp); 2073 ipseclog((LOG_DEBUG, 2074 "%s: a SP entry exists already.\n", __func__)); 2075 return (key_senderror(so, m, EEXIST)); 2076 } 2077 } 2078 2079 /* allocate new SP entry */ 2080 if ((newsp = key_msg2sp(xpl0, PFKEY_EXTLEN(xpl0), &error)) == NULL) { 2081 if (oldsp != NULL) { 2082 key_unlink(oldsp); 2083 key_freesp(&oldsp); /* second for our reference */ 2084 } 2085 return key_senderror(so, m, error); 2086 } 2087 2088 newsp->lastused = newsp->created = time_second; 2089 newsp->lifetime = lft ? lft->sadb_lifetime_addtime : 0; 2090 newsp->validtime = lft ? lft->sadb_lifetime_usetime : 0; 2091 bcopy(&spidx, &newsp->spidx, sizeof(spidx)); 2092 2093 SPTREE_WLOCK(); 2094 if ((newsp->id = key_getnewspid()) == 0) { 2095 if (oldsp != NULL) 2096 key_detach(oldsp); 2097 SPTREE_WUNLOCK(); 2098 if (oldsp != NULL) { 2099 key_freesp(&oldsp); /* first for key_detach */ 2100 IPSEC_ASSERT(oldsp != NULL, ("null oldsp: refcount bug")); 2101 key_freesp(&oldsp); /* second for our reference */ 2102 if (SPDCACHE_ENABLED()) /* refresh cache because of key_detach */ 2103 spdcache_clear(); 2104 } 2105 key_freesp(&newsp); 2106 return key_senderror(so, m, ENOBUFS); 2107 } 2108 if (oldsp != NULL) 2109 key_detach(oldsp); 2110 key_insertsp(newsp); 2111 SPTREE_WUNLOCK(); 2112 if (oldsp != NULL) { 2113 key_freesp(&oldsp); /* first for key_detach */ 2114 IPSEC_ASSERT(oldsp != NULL, ("null oldsp: refcount bug")); 2115 key_freesp(&oldsp); /* second for our reference */ 2116 } 2117 if (SPDCACHE_ENABLED()) 2118 spdcache_clear(); 2119 KEYDBG(KEY_STAMP, 2120 printf("%s: SP(%p)\n", __func__, newsp)); 2121 KEYDBG(KEY_DATA, kdebug_secpolicy(newsp)); 2122 2123 { 2124 struct mbuf *n, *mpolicy; 2125 struct sadb_msg *newmsg; 2126 int off; 2127 2128 /* create new sadb_msg to reply. */ 2129 if (lft) { 2130 n = key_gather_mbuf(m, mhp, 2, 5, SADB_EXT_RESERVED, 2131 SADB_X_EXT_POLICY, SADB_EXT_LIFETIME_HARD, 2132 SADB_EXT_ADDRESS_SRC, SADB_EXT_ADDRESS_DST); 2133 } else { 2134 n = key_gather_mbuf(m, mhp, 2, 4, SADB_EXT_RESERVED, 2135 SADB_X_EXT_POLICY, 2136 SADB_EXT_ADDRESS_SRC, SADB_EXT_ADDRESS_DST); 2137 } 2138 if (!n) 2139 return key_senderror(so, m, ENOBUFS); 2140 2141 if (n->m_len < sizeof(*newmsg)) { 2142 n = m_pullup(n, sizeof(*newmsg)); 2143 if (!n) 2144 return key_senderror(so, m, ENOBUFS); 2145 } 2146 newmsg = mtod(n, struct sadb_msg *); 2147 newmsg->sadb_msg_errno = 0; 2148 newmsg->sadb_msg_len = PFKEY_UNIT64(n->m_pkthdr.len); 2149 2150 off = 0; 2151 mpolicy = m_pulldown(n, PFKEY_ALIGN8(sizeof(struct sadb_msg)), 2152 sizeof(*xpl), &off); 2153 if (mpolicy == NULL) { 2154 /* n is already freed */ 2155 return key_senderror(so, m, ENOBUFS); 2156 } 2157 xpl = (struct sadb_x_policy *)(mtod(mpolicy, caddr_t) + off); 2158 if (xpl->sadb_x_policy_exttype != SADB_X_EXT_POLICY) { 2159 m_freem(n); 2160 return key_senderror(so, m, EINVAL); 2161 } 2162 xpl->sadb_x_policy_id = newsp->id; 2163 2164 m_freem(m); 2165 return key_sendup_mbuf(so, n, KEY_SENDUP_ALL); 2166 } 2167 } 2168 2169 /* 2170 * get new policy id. 2171 * OUT: 2172 * 0: failure. 2173 * others: success. 2174 */ 2175 static uint32_t 2176 key_getnewspid(void) 2177 { 2178 struct secpolicy *sp; 2179 uint32_t newid = 0; 2180 int tries, limit; 2181 2182 SPTREE_WLOCK_ASSERT(); 2183 2184 limit = atomic_load_int(&V_key_spi_trycnt); 2185 for (tries = 0; tries < limit; tries++) { 2186 if (V_policy_id == ~0) /* overflowed */ 2187 newid = V_policy_id = 1; 2188 else 2189 newid = ++V_policy_id; 2190 LIST_FOREACH(sp, SPHASH_HASH(newid), idhash) { 2191 if (sp->id == newid) 2192 break; 2193 } 2194 if (sp == NULL) 2195 break; 2196 } 2197 if (tries == limit || newid == 0) { 2198 ipseclog((LOG_DEBUG, "%s: failed to allocate policy id.\n", 2199 __func__)); 2200 return (0); 2201 } 2202 return (newid); 2203 } 2204 2205 /* 2206 * SADB_SPDDELETE processing 2207 * receive 2208 * <base, address(SD), policy(*)> 2209 * from the user(?), and set SADB_SASTATE_DEAD, 2210 * and send, 2211 * <base, address(SD), policy(*)> 2212 * to the ikmpd. 2213 * policy(*) including direction of policy. 2214 * 2215 * m will always be freed. 2216 */ 2217 static int 2218 key_spddelete(struct socket *so, struct mbuf *m, 2219 const struct sadb_msghdr *mhp) 2220 { 2221 struct secpolicyindex spidx; 2222 struct sadb_address *src0, *dst0; 2223 struct sadb_x_policy *xpl0; 2224 struct secpolicy *sp; 2225 2226 IPSEC_ASSERT(so != NULL, ("null so")); 2227 IPSEC_ASSERT(m != NULL, ("null mbuf")); 2228 IPSEC_ASSERT(mhp != NULL, ("null msghdr")); 2229 IPSEC_ASSERT(mhp->msg != NULL, ("null msg")); 2230 2231 if (SADB_CHECKHDR(mhp, SADB_EXT_ADDRESS_SRC) || 2232 SADB_CHECKHDR(mhp, SADB_EXT_ADDRESS_DST) || 2233 SADB_CHECKHDR(mhp, SADB_X_EXT_POLICY)) { 2234 ipseclog((LOG_DEBUG, 2235 "%s: invalid message: missing required header.\n", 2236 __func__)); 2237 return key_senderror(so, m, EINVAL); 2238 } 2239 if (SADB_CHECKLEN(mhp, SADB_EXT_ADDRESS_SRC) || 2240 SADB_CHECKLEN(mhp, SADB_EXT_ADDRESS_DST) || 2241 SADB_CHECKLEN(mhp, SADB_X_EXT_POLICY)) { 2242 ipseclog((LOG_DEBUG, 2243 "%s: invalid message: wrong header size.\n", __func__)); 2244 return key_senderror(so, m, EINVAL); 2245 } 2246 2247 src0 = (struct sadb_address *)mhp->ext[SADB_EXT_ADDRESS_SRC]; 2248 dst0 = (struct sadb_address *)mhp->ext[SADB_EXT_ADDRESS_DST]; 2249 xpl0 = (struct sadb_x_policy *)mhp->ext[SADB_X_EXT_POLICY]; 2250 2251 /* check the direciton */ 2252 switch (xpl0->sadb_x_policy_dir) { 2253 case IPSEC_DIR_INBOUND: 2254 case IPSEC_DIR_OUTBOUND: 2255 break; 2256 default: 2257 ipseclog((LOG_DEBUG, "%s: invalid SP direction.\n", __func__)); 2258 return key_senderror(so, m, EINVAL); 2259 } 2260 /* Only DISCARD, NONE and IPSEC are allowed */ 2261 if (xpl0->sadb_x_policy_type != IPSEC_POLICY_DISCARD && 2262 xpl0->sadb_x_policy_type != IPSEC_POLICY_NONE && 2263 xpl0->sadb_x_policy_type != IPSEC_POLICY_IPSEC) { 2264 ipseclog((LOG_DEBUG, "%s: invalid policy type.\n", __func__)); 2265 return key_senderror(so, m, EINVAL); 2266 } 2267 if (key_checksockaddrs((struct sockaddr *)(src0 + 1), 2268 (struct sockaddr *)(dst0 + 1)) != 0 || 2269 src0->sadb_address_proto != dst0->sadb_address_proto) { 2270 ipseclog((LOG_DEBUG, "%s: invalid sockaddr.\n", __func__)); 2271 return key_senderror(so, m, EINVAL); 2272 } 2273 /* make secindex */ 2274 KEY_SETSECSPIDX(xpl0->sadb_x_policy_dir, 2275 src0 + 1, 2276 dst0 + 1, 2277 src0->sadb_address_prefixlen, 2278 dst0->sadb_address_prefixlen, 2279 src0->sadb_address_proto, 2280 &spidx); 2281 2282 /* Is there SP in SPD ? */ 2283 if ((sp = key_getsp(&spidx)) == NULL) { 2284 ipseclog((LOG_DEBUG, "%s: no SP found.\n", __func__)); 2285 return key_senderror(so, m, EINVAL); 2286 } 2287 2288 /* save policy id to buffer to be returned. */ 2289 xpl0->sadb_x_policy_id = sp->id; 2290 2291 KEYDBG(KEY_STAMP, 2292 printf("%s: SP(%p)\n", __func__, sp)); 2293 KEYDBG(KEY_DATA, kdebug_secpolicy(sp)); 2294 key_unlink(sp); 2295 key_freesp(&sp); 2296 2297 { 2298 struct mbuf *n; 2299 struct sadb_msg *newmsg; 2300 2301 /* create new sadb_msg to reply. */ 2302 n = key_gather_mbuf(m, mhp, 1, 4, SADB_EXT_RESERVED, 2303 SADB_X_EXT_POLICY, SADB_EXT_ADDRESS_SRC, SADB_EXT_ADDRESS_DST); 2304 if (!n) 2305 return key_senderror(so, m, ENOBUFS); 2306 2307 newmsg = mtod(n, struct sadb_msg *); 2308 newmsg->sadb_msg_errno = 0; 2309 newmsg->sadb_msg_len = PFKEY_UNIT64(n->m_pkthdr.len); 2310 2311 m_freem(m); 2312 return key_sendup_mbuf(so, n, KEY_SENDUP_ALL); 2313 } 2314 } 2315 2316 /* 2317 * SADB_SPDDELETE2 processing 2318 * receive 2319 * <base, policy(*)> 2320 * from the user(?), and set SADB_SASTATE_DEAD, 2321 * and send, 2322 * <base, policy(*)> 2323 * to the ikmpd. 2324 * policy(*) including direction of policy. 2325 * 2326 * m will always be freed. 2327 */ 2328 static int 2329 key_spddelete2(struct socket *so, struct mbuf *m, 2330 const struct sadb_msghdr *mhp) 2331 { 2332 struct secpolicy *sp; 2333 uint32_t id; 2334 2335 IPSEC_ASSERT(so != NULL, ("null socket")); 2336 IPSEC_ASSERT(m != NULL, ("null mbuf")); 2337 IPSEC_ASSERT(mhp != NULL, ("null msghdr")); 2338 IPSEC_ASSERT(mhp->msg != NULL, ("null msg")); 2339 2340 if (SADB_CHECKHDR(mhp, SADB_X_EXT_POLICY) || 2341 SADB_CHECKLEN(mhp, SADB_X_EXT_POLICY)) { 2342 ipseclog((LOG_DEBUG, "%s: invalid message is passed.\n", 2343 __func__)); 2344 return key_senderror(so, m, EINVAL); 2345 } 2346 2347 id = ((struct sadb_x_policy *) 2348 mhp->ext[SADB_X_EXT_POLICY])->sadb_x_policy_id; 2349 2350 /* Is there SP in SPD ? */ 2351 if ((sp = key_getspbyid(id)) == NULL) { 2352 ipseclog((LOG_DEBUG, "%s: no SP found for id %u.\n", 2353 __func__, id)); 2354 return key_senderror(so, m, EINVAL); 2355 } 2356 2357 KEYDBG(KEY_STAMP, 2358 printf("%s: SP(%p)\n", __func__, sp)); 2359 KEYDBG(KEY_DATA, kdebug_secpolicy(sp)); 2360 key_unlink(sp); 2361 if (sp->state != IPSEC_SPSTATE_DEAD) { 2362 ipseclog((LOG_DEBUG, "%s: failed to delete SP with id %u.\n", 2363 __func__, id)); 2364 key_freesp(&sp); 2365 return (key_senderror(so, m, EACCES)); 2366 } 2367 key_freesp(&sp); 2368 2369 { 2370 struct mbuf *n, *nn; 2371 struct sadb_msg *newmsg; 2372 int off, len; 2373 2374 /* create new sadb_msg to reply. */ 2375 len = PFKEY_ALIGN8(sizeof(struct sadb_msg)); 2376 2377 n = key_mget(len); 2378 if (n == NULL) 2379 return key_senderror(so, m, ENOBUFS); 2380 2381 n->m_len = len; 2382 n->m_next = NULL; 2383 off = 0; 2384 2385 m_copydata(m, 0, sizeof(struct sadb_msg), mtod(n, caddr_t) + off); 2386 off += PFKEY_ALIGN8(sizeof(struct sadb_msg)); 2387 2388 IPSEC_ASSERT(off == len, ("length inconsistency (off %u len %u)", 2389 off, len)); 2390 2391 n->m_next = m_copym(m, mhp->extoff[SADB_X_EXT_POLICY], 2392 mhp->extlen[SADB_X_EXT_POLICY], M_NOWAIT); 2393 if (!n->m_next) { 2394 m_freem(n); 2395 return key_senderror(so, m, ENOBUFS); 2396 } 2397 2398 n->m_pkthdr.len = 0; 2399 for (nn = n; nn; nn = nn->m_next) 2400 n->m_pkthdr.len += nn->m_len; 2401 2402 newmsg = mtod(n, struct sadb_msg *); 2403 newmsg->sadb_msg_errno = 0; 2404 newmsg->sadb_msg_len = PFKEY_UNIT64(n->m_pkthdr.len); 2405 2406 m_freem(m); 2407 return key_sendup_mbuf(so, n, KEY_SENDUP_ALL); 2408 } 2409 } 2410 2411 /* 2412 * SADB_X_SPDGET processing 2413 * receive 2414 * <base, policy(*)> 2415 * from the user(?), 2416 * and send, 2417 * <base, address(SD), policy> 2418 * to the ikmpd. 2419 * policy(*) including direction of policy. 2420 * 2421 * m will always be freed. 2422 */ 2423 static int 2424 key_spdget(struct socket *so, struct mbuf *m, const struct sadb_msghdr *mhp) 2425 { 2426 struct secpolicy *sp; 2427 struct mbuf *n; 2428 uint32_t id; 2429 2430 IPSEC_ASSERT(so != NULL, ("null socket")); 2431 IPSEC_ASSERT(m != NULL, ("null mbuf")); 2432 IPSEC_ASSERT(mhp != NULL, ("null msghdr")); 2433 IPSEC_ASSERT(mhp->msg != NULL, ("null msg")); 2434 2435 if (SADB_CHECKHDR(mhp, SADB_X_EXT_POLICY) || 2436 SADB_CHECKLEN(mhp, SADB_X_EXT_POLICY)) { 2437 ipseclog((LOG_DEBUG, "%s: invalid message is passed.\n", 2438 __func__)); 2439 return key_senderror(so, m, EINVAL); 2440 } 2441 2442 id = ((struct sadb_x_policy *) 2443 mhp->ext[SADB_X_EXT_POLICY])->sadb_x_policy_id; 2444 2445 /* Is there SP in SPD ? */ 2446 if ((sp = key_getspbyid(id)) == NULL) { 2447 ipseclog((LOG_DEBUG, "%s: no SP found for id %u.\n", 2448 __func__, id)); 2449 return key_senderror(so, m, ENOENT); 2450 } 2451 2452 n = key_setdumpsp(sp, SADB_X_SPDGET, mhp->msg->sadb_msg_seq, 2453 mhp->msg->sadb_msg_pid); 2454 key_freesp(&sp); 2455 if (n != NULL) { 2456 m_freem(m); 2457 return key_sendup_mbuf(so, n, KEY_SENDUP_ONE); 2458 } else 2459 return key_senderror(so, m, ENOBUFS); 2460 } 2461 2462 /* 2463 * SADB_X_SPDACQUIRE processing. 2464 * Acquire policy and SA(s) for a *OUTBOUND* packet. 2465 * send 2466 * <base, policy(*)> 2467 * to KMD, and expect to receive 2468 * <base> with SADB_X_SPDACQUIRE if error occurred, 2469 * or 2470 * <base, policy> 2471 * with SADB_X_SPDUPDATE from KMD by PF_KEY. 2472 * policy(*) is without policy requests. 2473 * 2474 * 0 : succeed 2475 * others: error number 2476 */ 2477 int 2478 key_spdacquire(struct secpolicy *sp) 2479 { 2480 struct mbuf *result = NULL, *m; 2481 struct secspacq *newspacq; 2482 2483 IPSEC_ASSERT(sp != NULL, ("null secpolicy")); 2484 IPSEC_ASSERT(sp->req == NULL, ("policy exists")); 2485 IPSEC_ASSERT(sp->policy == IPSEC_POLICY_IPSEC, 2486 ("policy not IPSEC %u", sp->policy)); 2487 2488 /* Get an entry to check whether sent message or not. */ 2489 newspacq = key_getspacq(&sp->spidx); 2490 if (newspacq != NULL) { 2491 if (V_key_blockacq_count < newspacq->count) { 2492 /* reset counter and do send message. */ 2493 newspacq->count = 0; 2494 } else { 2495 /* increment counter and do nothing. */ 2496 newspacq->count++; 2497 SPACQ_UNLOCK(); 2498 return (0); 2499 } 2500 SPACQ_UNLOCK(); 2501 } else { 2502 /* make new entry for blocking to send SADB_ACQUIRE. */ 2503 newspacq = key_newspacq(&sp->spidx); 2504 if (newspacq == NULL) 2505 return ENOBUFS; 2506 } 2507 2508 /* create new sadb_msg to reply. */ 2509 m = key_setsadbmsg(SADB_X_SPDACQUIRE, 0, 0, 0, 0, 0); 2510 if (!m) 2511 return ENOBUFS; 2512 2513 result = m; 2514 2515 result->m_pkthdr.len = 0; 2516 for (m = result; m; m = m->m_next) 2517 result->m_pkthdr.len += m->m_len; 2518 2519 mtod(result, struct sadb_msg *)->sadb_msg_len = 2520 PFKEY_UNIT64(result->m_pkthdr.len); 2521 2522 return key_sendup_mbuf(NULL, m, KEY_SENDUP_REGISTERED); 2523 } 2524 2525 /* 2526 * SADB_SPDFLUSH processing 2527 * receive 2528 * <base> 2529 * from the user, and free all entries in secpctree. 2530 * and send, 2531 * <base> 2532 * to the user. 2533 * NOTE: what to do is only marking SADB_SASTATE_DEAD. 2534 * 2535 * m will always be freed. 2536 */ 2537 static int 2538 key_spdflush(struct socket *so, struct mbuf *m, const struct sadb_msghdr *mhp) 2539 { 2540 struct secpolicy_queue drainq; 2541 struct sadb_msg *newmsg; 2542 struct secpolicy *sp, *nextsp; 2543 u_int dir; 2544 2545 IPSEC_ASSERT(so != NULL, ("null socket")); 2546 IPSEC_ASSERT(m != NULL, ("null mbuf")); 2547 IPSEC_ASSERT(mhp != NULL, ("null msghdr")); 2548 IPSEC_ASSERT(mhp->msg != NULL, ("null msg")); 2549 2550 if (m->m_len != PFKEY_ALIGN8(sizeof(struct sadb_msg))) 2551 return key_senderror(so, m, EINVAL); 2552 2553 TAILQ_INIT(&drainq); 2554 SPTREE_WLOCK(); 2555 for (dir = 0; dir < IPSEC_DIR_MAX; dir++) { 2556 TAILQ_CONCAT(&drainq, &V_sptree[dir], chain); 2557 } 2558 /* 2559 * We need to set state to DEAD for each policy to be sure, 2560 * that another thread won't try to unlink it. 2561 * Also remove SP from sphash. 2562 */ 2563 TAILQ_FOREACH(sp, &drainq, chain) { 2564 sp->state = IPSEC_SPSTATE_DEAD; 2565 LIST_REMOVE(sp, idhash); 2566 } 2567 V_sp_genid++; 2568 V_spd_size = 0; 2569 SPTREE_WUNLOCK(); 2570 if (SPDCACHE_ENABLED()) 2571 spdcache_clear(); 2572 sp = TAILQ_FIRST(&drainq); 2573 while (sp != NULL) { 2574 nextsp = TAILQ_NEXT(sp, chain); 2575 key_freesp(&sp); 2576 sp = nextsp; 2577 } 2578 2579 if (sizeof(struct sadb_msg) > m->m_len + M_TRAILINGSPACE(m)) { 2580 ipseclog((LOG_DEBUG, "%s: No more memory.\n", __func__)); 2581 return key_senderror(so, m, ENOBUFS); 2582 } 2583 2584 if (m->m_next) 2585 m_freem(m->m_next); 2586 m->m_next = NULL; 2587 m->m_pkthdr.len = m->m_len = PFKEY_ALIGN8(sizeof(struct sadb_msg)); 2588 newmsg = mtod(m, struct sadb_msg *); 2589 newmsg->sadb_msg_errno = 0; 2590 newmsg->sadb_msg_len = PFKEY_UNIT64(m->m_pkthdr.len); 2591 2592 return key_sendup_mbuf(so, m, KEY_SENDUP_ALL); 2593 } 2594 2595 static uint8_t 2596 key_satype2scopemask(uint8_t satype) 2597 { 2598 2599 if (satype == IPSEC_POLICYSCOPE_ANY) 2600 return (0xff); 2601 return (satype); 2602 } 2603 /* 2604 * SADB_SPDDUMP processing 2605 * receive 2606 * <base> 2607 * from the user, and dump all SP leaves and send, 2608 * <base> ..... 2609 * to the ikmpd. 2610 * 2611 * NOTE: 2612 * sadb_msg_satype is considered as mask of policy scopes. 2613 * m will always be freed. 2614 */ 2615 static int 2616 key_spddump(struct socket *so, struct mbuf *m, const struct sadb_msghdr *mhp) 2617 { 2618 SPTREE_RLOCK_TRACKER; 2619 struct secpolicy *sp; 2620 struct mbuf *n; 2621 int cnt; 2622 u_int dir, scope; 2623 2624 IPSEC_ASSERT(so != NULL, ("null socket")); 2625 IPSEC_ASSERT(m != NULL, ("null mbuf")); 2626 IPSEC_ASSERT(mhp != NULL, ("null msghdr")); 2627 IPSEC_ASSERT(mhp->msg != NULL, ("null msg")); 2628 2629 /* search SPD entry and get buffer size. */ 2630 cnt = 0; 2631 scope = key_satype2scopemask(mhp->msg->sadb_msg_satype); 2632 SPTREE_RLOCK(); 2633 for (dir = 0; dir < IPSEC_DIR_MAX; dir++) { 2634 if (scope & IPSEC_POLICYSCOPE_GLOBAL) { 2635 TAILQ_FOREACH(sp, &V_sptree[dir], chain) 2636 cnt++; 2637 } 2638 if (scope & IPSEC_POLICYSCOPE_IFNET) { 2639 TAILQ_FOREACH(sp, &V_sptree_ifnet[dir], chain) 2640 cnt++; 2641 } 2642 } 2643 2644 if (cnt == 0) { 2645 SPTREE_RUNLOCK(); 2646 return key_senderror(so, m, ENOENT); 2647 } 2648 2649 for (dir = 0; dir < IPSEC_DIR_MAX; dir++) { 2650 if (scope & IPSEC_POLICYSCOPE_GLOBAL) { 2651 TAILQ_FOREACH(sp, &V_sptree[dir], chain) { 2652 --cnt; 2653 n = key_setdumpsp(sp, SADB_X_SPDDUMP, cnt, 2654 mhp->msg->sadb_msg_pid); 2655 2656 if (n != NULL) 2657 key_sendup_mbuf(so, n, KEY_SENDUP_ONE); 2658 } 2659 } 2660 if (scope & IPSEC_POLICYSCOPE_IFNET) { 2661 TAILQ_FOREACH(sp, &V_sptree_ifnet[dir], chain) { 2662 --cnt; 2663 n = key_setdumpsp(sp, SADB_X_SPDDUMP, cnt, 2664 mhp->msg->sadb_msg_pid); 2665 2666 if (n != NULL) 2667 key_sendup_mbuf(so, n, KEY_SENDUP_ONE); 2668 } 2669 } 2670 } 2671 2672 SPTREE_RUNLOCK(); 2673 m_freem(m); 2674 return (0); 2675 } 2676 2677 static struct mbuf * 2678 key_setdumpsp(struct secpolicy *sp, u_int8_t type, u_int32_t seq, 2679 u_int32_t pid) 2680 { 2681 struct mbuf *result = NULL, *m; 2682 struct seclifetime lt; 2683 2684 m = key_setsadbmsg(type, 0, SADB_SATYPE_UNSPEC, seq, pid, sp->refcnt); 2685 if (!m) 2686 goto fail; 2687 result = m; 2688 2689 m = key_setsadbaddr(SADB_EXT_ADDRESS_SRC, 2690 &sp->spidx.src.sa, sp->spidx.prefs, 2691 sp->spidx.ul_proto); 2692 if (!m) 2693 goto fail; 2694 m_cat(result, m); 2695 2696 m = key_setsadbaddr(SADB_EXT_ADDRESS_DST, 2697 &sp->spidx.dst.sa, sp->spidx.prefd, 2698 sp->spidx.ul_proto); 2699 if (!m) 2700 goto fail; 2701 m_cat(result, m); 2702 2703 m = key_sp2mbuf(sp); 2704 if (!m) 2705 goto fail; 2706 m_cat(result, m); 2707 2708 if(sp->lifetime){ 2709 lt.addtime=sp->created; 2710 lt.usetime= sp->lastused; 2711 m = key_setlifetime(<, SADB_EXT_LIFETIME_CURRENT); 2712 if (!m) 2713 goto fail; 2714 m_cat(result, m); 2715 2716 lt.addtime=sp->lifetime; 2717 lt.usetime= sp->validtime; 2718 m = key_setlifetime(<, SADB_EXT_LIFETIME_HARD); 2719 if (!m) 2720 goto fail; 2721 m_cat(result, m); 2722 } 2723 2724 if ((result->m_flags & M_PKTHDR) == 0) 2725 goto fail; 2726 2727 if (result->m_len < sizeof(struct sadb_msg)) { 2728 result = m_pullup(result, sizeof(struct sadb_msg)); 2729 if (result == NULL) 2730 goto fail; 2731 } 2732 2733 result->m_pkthdr.len = 0; 2734 for (m = result; m; m = m->m_next) 2735 result->m_pkthdr.len += m->m_len; 2736 2737 mtod(result, struct sadb_msg *)->sadb_msg_len = 2738 PFKEY_UNIT64(result->m_pkthdr.len); 2739 2740 return result; 2741 2742 fail: 2743 m_freem(result); 2744 return NULL; 2745 } 2746 /* 2747 * get PFKEY message length for security policy and request. 2748 */ 2749 static size_t 2750 key_getspreqmsglen(struct secpolicy *sp) 2751 { 2752 size_t tlen, len; 2753 int i; 2754 2755 tlen = sizeof(struct sadb_x_policy); 2756 /* if is the policy for ipsec ? */ 2757 if (sp->policy != IPSEC_POLICY_IPSEC) 2758 return (tlen); 2759 2760 /* get length of ipsec requests */ 2761 for (i = 0; i < sp->tcount; i++) { 2762 len = sizeof(struct sadb_x_ipsecrequest) 2763 + sp->req[i]->saidx.src.sa.sa_len 2764 + sp->req[i]->saidx.dst.sa.sa_len; 2765 2766 tlen += PFKEY_ALIGN8(len); 2767 } 2768 return (tlen); 2769 } 2770 2771 /* 2772 * SADB_SPDEXPIRE processing 2773 * send 2774 * <base, address(SD), lifetime(CH), policy> 2775 * to KMD by PF_KEY. 2776 * 2777 * OUT: 0 : succeed 2778 * others : error number 2779 */ 2780 static int 2781 key_spdexpire(struct secpolicy *sp) 2782 { 2783 struct sadb_lifetime *lt; 2784 struct mbuf *result = NULL, *m; 2785 int len, error = -1; 2786 2787 IPSEC_ASSERT(sp != NULL, ("null secpolicy")); 2788 2789 KEYDBG(KEY_STAMP, 2790 printf("%s: SP(%p)\n", __func__, sp)); 2791 KEYDBG(KEY_DATA, kdebug_secpolicy(sp)); 2792 2793 /* set msg header */ 2794 m = key_setsadbmsg(SADB_X_SPDEXPIRE, 0, 0, 0, 0, 0); 2795 if (!m) { 2796 error = ENOBUFS; 2797 goto fail; 2798 } 2799 result = m; 2800 2801 /* create lifetime extension (current and hard) */ 2802 len = PFKEY_ALIGN8(sizeof(*lt)) * 2; 2803 m = m_get2(len, M_NOWAIT, MT_DATA, 0); 2804 if (m == NULL) { 2805 error = ENOBUFS; 2806 goto fail; 2807 } 2808 m_align(m, len); 2809 m->m_len = len; 2810 bzero(mtod(m, caddr_t), len); 2811 lt = mtod(m, struct sadb_lifetime *); 2812 lt->sadb_lifetime_len = PFKEY_UNIT64(sizeof(struct sadb_lifetime)); 2813 lt->sadb_lifetime_exttype = SADB_EXT_LIFETIME_CURRENT; 2814 lt->sadb_lifetime_allocations = 0; 2815 lt->sadb_lifetime_bytes = 0; 2816 lt->sadb_lifetime_addtime = sp->created; 2817 lt->sadb_lifetime_usetime = sp->lastused; 2818 lt = (struct sadb_lifetime *)(mtod(m, caddr_t) + len / 2); 2819 lt->sadb_lifetime_len = PFKEY_UNIT64(sizeof(struct sadb_lifetime)); 2820 lt->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD; 2821 lt->sadb_lifetime_allocations = 0; 2822 lt->sadb_lifetime_bytes = 0; 2823 lt->sadb_lifetime_addtime = sp->lifetime; 2824 lt->sadb_lifetime_usetime = sp->validtime; 2825 m_cat(result, m); 2826 2827 /* set sadb_address for source */ 2828 m = key_setsadbaddr(SADB_EXT_ADDRESS_SRC, 2829 &sp->spidx.src.sa, 2830 sp->spidx.prefs, sp->spidx.ul_proto); 2831 if (!m) { 2832 error = ENOBUFS; 2833 goto fail; 2834 } 2835 m_cat(result, m); 2836 2837 /* set sadb_address for destination */ 2838 m = key_setsadbaddr(SADB_EXT_ADDRESS_DST, 2839 &sp->spidx.dst.sa, 2840 sp->spidx.prefd, sp->spidx.ul_proto); 2841 if (!m) { 2842 error = ENOBUFS; 2843 goto fail; 2844 } 2845 m_cat(result, m); 2846 2847 /* set secpolicy */ 2848 m = key_sp2mbuf(sp); 2849 if (!m) { 2850 error = ENOBUFS; 2851 goto fail; 2852 } 2853 m_cat(result, m); 2854 2855 if ((result->m_flags & M_PKTHDR) == 0) { 2856 error = EINVAL; 2857 goto fail; 2858 } 2859 2860 if (result->m_len < sizeof(struct sadb_msg)) { 2861 result = m_pullup(result, sizeof(struct sadb_msg)); 2862 if (result == NULL) { 2863 error = ENOBUFS; 2864 goto fail; 2865 } 2866 } 2867 2868 result->m_pkthdr.len = 0; 2869 for (m = result; m; m = m->m_next) 2870 result->m_pkthdr.len += m->m_len; 2871 2872 mtod(result, struct sadb_msg *)->sadb_msg_len = 2873 PFKEY_UNIT64(result->m_pkthdr.len); 2874 2875 return key_sendup_mbuf(NULL, result, KEY_SENDUP_REGISTERED); 2876 2877 fail: 2878 if (result) 2879 m_freem(result); 2880 return error; 2881 } 2882 2883 /* %%% SAD management */ 2884 /* 2885 * allocating and initialize new SA head. 2886 * OUT: NULL : failure due to the lack of memory. 2887 * others : pointer to new SA head. 2888 */ 2889 static struct secashead * 2890 key_newsah(struct secasindex *saidx) 2891 { 2892 struct secashead *sah; 2893 2894 sah = malloc(sizeof(struct secashead), M_IPSEC_SAH, 2895 M_NOWAIT | M_ZERO); 2896 if (sah == NULL) { 2897 PFKEYSTAT_INC(in_nomem); 2898 return (NULL); 2899 } 2900 TAILQ_INIT(&sah->savtree_larval); 2901 TAILQ_INIT(&sah->savtree_alive); 2902 sah->saidx = *saidx; 2903 sah->state = SADB_SASTATE_DEAD; 2904 SAH_INITREF(sah); 2905 2906 KEYDBG(KEY_STAMP, 2907 printf("%s: SAH(%p)\n", __func__, sah)); 2908 KEYDBG(KEY_DATA, kdebug_secash(sah, NULL)); 2909 return (sah); 2910 } 2911 2912 static void 2913 key_freesah(struct secashead **psah) 2914 { 2915 struct secashead *sah = *psah; 2916 2917 CURVNET_ASSERT_SET(); 2918 2919 if (SAH_DELREF(sah) == 0) 2920 return; 2921 2922 KEYDBG(KEY_STAMP, 2923 printf("%s: last reference to SAH(%p)\n", __func__, sah)); 2924 KEYDBG(KEY_DATA, kdebug_secash(sah, NULL)); 2925 2926 *psah = NULL; 2927 key_delsah(sah); 2928 } 2929 2930 static void 2931 key_delsah(struct secashead *sah) 2932 { 2933 IPSEC_ASSERT(sah != NULL, ("NULL sah")); 2934 IPSEC_ASSERT(sah->state == SADB_SASTATE_DEAD, 2935 ("Attempt to free non DEAD SAH %p", sah)); 2936 IPSEC_ASSERT(TAILQ_EMPTY(&sah->savtree_larval), 2937 ("Attempt to free SAH %p with LARVAL SA", sah)); 2938 IPSEC_ASSERT(TAILQ_EMPTY(&sah->savtree_alive), 2939 ("Attempt to free SAH %p with ALIVE SA", sah)); 2940 2941 free(sah, M_IPSEC_SAH); 2942 } 2943 2944 /* 2945 * allocating a new SA for key_add() and key_getspi() call, 2946 * and copy the values of mhp into new buffer. 2947 * When SAD message type is SADB_GETSPI set SA state to LARVAL. 2948 * For SADB_ADD create and initialize SA with MATURE state. 2949 * OUT: NULL : fail 2950 * others : pointer to new secasvar. 2951 */ 2952 static struct secasvar * 2953 key_newsav(const struct sadb_msghdr *mhp, struct secasindex *saidx, 2954 uint32_t spi, int *errp) 2955 { 2956 struct secashead *sah; 2957 struct secasvar *sav; 2958 int isnew; 2959 2960 IPSEC_ASSERT(mhp != NULL, ("null msghdr")); 2961 IPSEC_ASSERT(mhp->msg != NULL, ("null msg")); 2962 IPSEC_ASSERT(mhp->msg->sadb_msg_type == SADB_GETSPI || 2963 mhp->msg->sadb_msg_type == SADB_ADD, ("wrong message type")); 2964 2965 sav = NULL; 2966 sah = NULL; 2967 /* check SPI value */ 2968 switch (saidx->proto) { 2969 case IPPROTO_ESP: 2970 case IPPROTO_AH: 2971 /* 2972 * RFC 4302, 2.4. Security Parameters Index (SPI), SPI values 2973 * 1-255 reserved by IANA for future use, 2974 * 0 for implementation specific, local use. 2975 */ 2976 if (ntohl(spi) <= 255) { 2977 ipseclog((LOG_DEBUG, "%s: illegal range of SPI %u.\n", 2978 __func__, ntohl(spi))); 2979 *errp = EINVAL; 2980 goto done; 2981 } 2982 break; 2983 } 2984 2985 sav = malloc(sizeof(struct secasvar), M_IPSEC_SA, M_NOWAIT | M_ZERO); 2986 if (sav == NULL) { 2987 *errp = ENOBUFS; 2988 goto done; 2989 } 2990 sav->lock = malloc_aligned(max(sizeof(struct rmlock), 2991 CACHE_LINE_SIZE), CACHE_LINE_SIZE, M_IPSEC_MISC, 2992 M_NOWAIT | M_ZERO); 2993 if (sav->lock == NULL) { 2994 *errp = ENOBUFS; 2995 goto done; 2996 } 2997 rm_init(sav->lock, "ipsec association"); 2998 sav->lft_c = uma_zalloc_pcpu(ipsec_key_lft_zone, M_NOWAIT | M_ZERO); 2999 if (sav->lft_c == NULL) { 3000 *errp = ENOBUFS; 3001 goto done; 3002 } 3003 3004 sav->spi = spi; 3005 sav->seq = mhp->msg->sadb_msg_seq; 3006 sav->state = SADB_SASTATE_LARVAL; 3007 sav->pid = (pid_t)mhp->msg->sadb_msg_pid; 3008 SAV_INITREF(sav); 3009 again: 3010 sah = key_getsah(saidx); 3011 if (sah == NULL) { 3012 /* create a new SA index */ 3013 sah = key_newsah(saidx); 3014 if (sah == NULL) { 3015 ipseclog((LOG_DEBUG, 3016 "%s: No more memory.\n", __func__)); 3017 *errp = ENOBUFS; 3018 goto done; 3019 } 3020 isnew = 1; 3021 } else 3022 isnew = 0; 3023 3024 sav->sah = sah; 3025 if (mhp->msg->sadb_msg_type == SADB_GETSPI) { 3026 sav->created = time_second; 3027 } else if (sav->state == SADB_SASTATE_LARVAL) { 3028 /* 3029 * Do not call key_setsaval() second time in case 3030 * of `goto again`. We will have MATURE state. 3031 */ 3032 *errp = key_setsaval(sav, mhp); 3033 if (*errp != 0) 3034 goto done; 3035 sav->state = SADB_SASTATE_MATURE; 3036 } 3037 3038 SAHTREE_WLOCK(); 3039 /* 3040 * Check that existing SAH wasn't unlinked. 3041 * Since we didn't hold the SAHTREE lock, it is possible, 3042 * that callout handler or key_flush() or key_delete() could 3043 * unlink this SAH. 3044 */ 3045 if (isnew == 0 && sah->state == SADB_SASTATE_DEAD) { 3046 SAHTREE_WUNLOCK(); 3047 key_freesah(&sah); /* reference from key_getsah() */ 3048 goto again; 3049 } 3050 if (isnew != 0) { 3051 /* 3052 * Add new SAH into SADB. 3053 * 3054 * XXXAE: we can serialize key_add and key_getspi calls, so 3055 * several threads will not fight in the race. 3056 * Otherwise we should check under SAHTREE lock, that this 3057 * SAH would not added twice. 3058 */ 3059 TAILQ_INSERT_HEAD(&V_sahtree, sah, chain); 3060 /* Add new SAH into hash by addresses */ 3061 LIST_INSERT_HEAD(SAHADDRHASH_HASH(saidx), sah, addrhash); 3062 /* Now we are linked in the chain */ 3063 sah->state = SADB_SASTATE_MATURE; 3064 /* 3065 * SAV references this new SAH. 3066 * In case of existing SAH we reuse reference 3067 * from key_getsah(). 3068 */ 3069 SAH_ADDREF(sah); 3070 } 3071 /* Link SAV with SAH */ 3072 if (sav->state == SADB_SASTATE_MATURE) 3073 TAILQ_INSERT_HEAD(&sah->savtree_alive, sav, chain); 3074 else 3075 TAILQ_INSERT_HEAD(&sah->savtree_larval, sav, chain); 3076 /* Add SAV into SPI hash */ 3077 LIST_INSERT_HEAD(SAVHASH_HASH(sav->spi), sav, spihash); 3078 SAHTREE_WUNLOCK(); 3079 *errp = 0; /* success */ 3080 done: 3081 if (*errp != 0) { 3082 if (sav != NULL) { 3083 if (sav->lock != NULL) { 3084 rm_destroy(sav->lock); 3085 free(sav->lock, M_IPSEC_MISC); 3086 } 3087 if (sav->lft_c != NULL) 3088 uma_zfree_pcpu(ipsec_key_lft_zone, sav->lft_c); 3089 free(sav, M_IPSEC_SA), sav = NULL; 3090 } 3091 if (sah != NULL) 3092 key_freesah(&sah); 3093 if (*errp == ENOBUFS) { 3094 ipseclog((LOG_DEBUG, "%s: No more memory.\n", 3095 __func__)); 3096 PFKEYSTAT_INC(in_nomem); 3097 } 3098 } 3099 return (sav); 3100 } 3101 3102 /* 3103 * free() SA variable entry. 3104 */ 3105 static void 3106 key_cleansav(struct secasvar *sav) 3107 { 3108 3109 if (sav->natt != NULL) { 3110 free(sav->natt, M_IPSEC_MISC); 3111 sav->natt = NULL; 3112 } 3113 if (sav->flags & SADB_X_EXT_F_CLONED) 3114 return; 3115 if (sav->tdb_xform != NULL) { 3116 sav->tdb_xform->xf_cleanup(sav); 3117 sav->tdb_xform = NULL; 3118 } 3119 if (sav->key_auth != NULL) { 3120 zfree(sav->key_auth->key_data, M_IPSEC_MISC); 3121 free(sav->key_auth, M_IPSEC_MISC); 3122 sav->key_auth = NULL; 3123 } 3124 if (sav->key_enc != NULL) { 3125 zfree(sav->key_enc->key_data, M_IPSEC_MISC); 3126 free(sav->key_enc, M_IPSEC_MISC); 3127 sav->key_enc = NULL; 3128 } 3129 if (sav->replay != NULL) { 3130 mtx_destroy(&sav->replay->lock); 3131 if (sav->replay->bitmap != NULL) 3132 free(sav->replay->bitmap, M_IPSEC_MISC); 3133 free(sav->replay, M_IPSEC_MISC); 3134 sav->replay = NULL; 3135 } 3136 if (sav->lft_h != NULL) { 3137 free(sav->lft_h, M_IPSEC_MISC); 3138 sav->lft_h = NULL; 3139 } 3140 if (sav->lft_s != NULL) { 3141 free(sav->lft_s, M_IPSEC_MISC); 3142 sav->lft_s = NULL; 3143 } 3144 } 3145 3146 /* 3147 * free() SA variable entry. 3148 */ 3149 static void 3150 key_delsav(struct secasvar *sav) 3151 { 3152 IPSEC_ASSERT(sav != NULL, ("null sav")); 3153 IPSEC_ASSERT(sav->state == SADB_SASTATE_DEAD, 3154 ("attempt to free non DEAD SA %p", sav)); 3155 IPSEC_ASSERT(sav->refcnt == 0, ("reference count %u > 0", 3156 sav->refcnt)); 3157 3158 /* 3159 * SA must be unlinked from the chain and hashtbl. 3160 * If SA was cloned, we leave all fields untouched, 3161 * except NAT-T config. 3162 */ 3163 key_cleansav(sav); 3164 if ((sav->flags & SADB_X_EXT_F_CLONED) == 0) { 3165 rm_destroy(sav->lock); 3166 free(sav->lock, M_IPSEC_MISC); 3167 uma_zfree_pcpu(ipsec_key_lft_zone, sav->lft_c); 3168 } 3169 free(sav, M_IPSEC_SA); 3170 } 3171 3172 /* 3173 * search SAH. 3174 * OUT: 3175 * NULL : not found 3176 * others : found, referenced pointer to a SAH. 3177 */ 3178 static struct secashead * 3179 key_getsah(struct secasindex *saidx) 3180 { 3181 SAHTREE_RLOCK_TRACKER; 3182 struct secashead *sah; 3183 3184 SAHTREE_RLOCK(); 3185 LIST_FOREACH(sah, SAHADDRHASH_HASH(saidx), addrhash) { 3186 if (key_cmpsaidx(&sah->saidx, saidx, CMP_MODE_REQID) != 0) { 3187 SAH_ADDREF(sah); 3188 break; 3189 } 3190 } 3191 SAHTREE_RUNLOCK(); 3192 return (sah); 3193 } 3194 3195 /* 3196 * Check not to be duplicated SPI. 3197 * OUT: 3198 * 0 : not found 3199 * 1 : found SA with given SPI. 3200 */ 3201 static int 3202 key_checkspidup(uint32_t spi) 3203 { 3204 SAHTREE_RLOCK_TRACKER; 3205 struct secasvar *sav; 3206 3207 /* Assume SPI is in network byte order */ 3208 SAHTREE_RLOCK(); 3209 LIST_FOREACH(sav, SAVHASH_HASH(spi), spihash) { 3210 if (sav->spi == spi) 3211 break; 3212 } 3213 SAHTREE_RUNLOCK(); 3214 return (sav != NULL); 3215 } 3216 3217 /* 3218 * Search SA by SPI. 3219 * OUT: 3220 * NULL : not found 3221 * others : found, referenced pointer to a SA. 3222 */ 3223 static struct secasvar * 3224 key_getsavbyspi(uint32_t spi) 3225 { 3226 SAHTREE_RLOCK_TRACKER; 3227 struct secasvar *sav; 3228 3229 /* Assume SPI is in network byte order */ 3230 SAHTREE_RLOCK(); 3231 LIST_FOREACH(sav, SAVHASH_HASH(spi), spihash) { 3232 if (sav->spi != spi) 3233 continue; 3234 SAV_ADDREF(sav); 3235 break; 3236 } 3237 SAHTREE_RUNLOCK(); 3238 return (sav); 3239 } 3240 3241 static int 3242 key_updatelifetimes(struct secasvar *sav, const struct sadb_msghdr *mhp) 3243 { 3244 struct seclifetime *lft_h, *lft_s, *tmp; 3245 3246 /* Lifetime extension is optional, check that it is present. */ 3247 if (SADB_CHECKHDR(mhp, SADB_EXT_LIFETIME_HARD) && 3248 SADB_CHECKHDR(mhp, SADB_EXT_LIFETIME_SOFT)) { 3249 /* 3250 * In case of SADB_UPDATE we may need to change 3251 * existing lifetimes. 3252 */ 3253 if (sav->state == SADB_SASTATE_MATURE) { 3254 lft_h = lft_s = NULL; 3255 goto reset; 3256 } 3257 return (0); 3258 } 3259 /* Both HARD and SOFT extensions must present */ 3260 if ((SADB_CHECKHDR(mhp, SADB_EXT_LIFETIME_HARD) && 3261 !SADB_CHECKHDR(mhp, SADB_EXT_LIFETIME_SOFT)) || 3262 (SADB_CHECKHDR(mhp, SADB_EXT_LIFETIME_SOFT) && 3263 !SADB_CHECKHDR(mhp, SADB_EXT_LIFETIME_HARD))) { 3264 ipseclog((LOG_DEBUG, 3265 "%s: invalid message: missing required header.\n", 3266 __func__)); 3267 return (EINVAL); 3268 } 3269 if (SADB_CHECKLEN(mhp, SADB_EXT_LIFETIME_HARD) || 3270 SADB_CHECKLEN(mhp, SADB_EXT_LIFETIME_SOFT)) { 3271 ipseclog((LOG_DEBUG, 3272 "%s: invalid message: wrong header size.\n", __func__)); 3273 return (EINVAL); 3274 } 3275 lft_h = key_dup_lifemsg((const struct sadb_lifetime *) 3276 mhp->ext[SADB_EXT_LIFETIME_HARD], M_IPSEC_MISC); 3277 if (lft_h == NULL) { 3278 PFKEYSTAT_INC(in_nomem); 3279 ipseclog((LOG_DEBUG, "%s: No more memory.\n", __func__)); 3280 return (ENOBUFS); 3281 } 3282 lft_s = key_dup_lifemsg((const struct sadb_lifetime *) 3283 mhp->ext[SADB_EXT_LIFETIME_SOFT], M_IPSEC_MISC); 3284 if (lft_s == NULL) { 3285 PFKEYSTAT_INC(in_nomem); 3286 free(lft_h, M_IPSEC_MISC); 3287 ipseclog((LOG_DEBUG, "%s: No more memory.\n", __func__)); 3288 return (ENOBUFS); 3289 } 3290 reset: 3291 if (sav->state != SADB_SASTATE_LARVAL) { 3292 /* 3293 * key_update() holds reference to this SA, 3294 * so it won't be deleted in meanwhile. 3295 */ 3296 SECASVAR_WLOCK(sav); 3297 tmp = sav->lft_h; 3298 sav->lft_h = lft_h; 3299 lft_h = tmp; 3300 3301 tmp = sav->lft_s; 3302 sav->lft_s = lft_s; 3303 lft_s = tmp; 3304 SECASVAR_WUNLOCK(sav); 3305 if (lft_h != NULL) 3306 free(lft_h, M_IPSEC_MISC); 3307 if (lft_s != NULL) 3308 free(lft_s, M_IPSEC_MISC); 3309 return (0); 3310 } 3311 /* We can update lifetime without holding a lock */ 3312 IPSEC_ASSERT(sav->lft_h == NULL, ("lft_h is already initialized\n")); 3313 IPSEC_ASSERT(sav->lft_s == NULL, ("lft_s is already initialized\n")); 3314 sav->lft_h = lft_h; 3315 sav->lft_s = lft_s; 3316 return (0); 3317 } 3318 3319 /* 3320 * copy SA values from PF_KEY message except *SPI, SEQ, PID and TYPE*. 3321 * You must update these if need. Expects only LARVAL SAs. 3322 * OUT: 0: success. 3323 * !0: failure. 3324 */ 3325 static int 3326 key_setsaval(struct secasvar *sav, const struct sadb_msghdr *mhp) 3327 { 3328 const struct sadb_sa *sa0; 3329 const struct sadb_key *key0; 3330 uint32_t replay; 3331 size_t len; 3332 int error; 3333 3334 IPSEC_ASSERT(mhp != NULL, ("null msghdr")); 3335 IPSEC_ASSERT(mhp->msg != NULL, ("null msg")); 3336 IPSEC_ASSERT(sav->state == SADB_SASTATE_LARVAL, 3337 ("Attempt to update non LARVAL SA")); 3338 3339 /* XXX rewrite */ 3340 error = key_setident(sav->sah, mhp); 3341 if (error != 0) 3342 goto fail; 3343 3344 /* SA */ 3345 if (!SADB_CHECKHDR(mhp, SADB_EXT_SA)) { 3346 if (SADB_CHECKLEN(mhp, SADB_EXT_SA)) { 3347 error = EINVAL; 3348 goto fail; 3349 } 3350 sa0 = (const struct sadb_sa *)mhp->ext[SADB_EXT_SA]; 3351 sav->alg_auth = sa0->sadb_sa_auth; 3352 sav->alg_enc = sa0->sadb_sa_encrypt; 3353 sav->flags = sa0->sadb_sa_flags; 3354 if ((sav->flags & SADB_KEY_FLAGS_MAX) != sav->flags) { 3355 ipseclog((LOG_DEBUG, 3356 "%s: invalid sa_flags 0x%08x.\n", __func__, 3357 sav->flags)); 3358 error = EINVAL; 3359 goto fail; 3360 } 3361 3362 /* Optional replay window */ 3363 replay = 0; 3364 if ((sa0->sadb_sa_flags & SADB_X_EXT_OLD) == 0) 3365 replay = sa0->sadb_sa_replay; 3366 if (!SADB_CHECKHDR(mhp, SADB_X_EXT_SA_REPLAY)) { 3367 if (SADB_CHECKLEN(mhp, SADB_X_EXT_SA_REPLAY)) { 3368 error = EINVAL; 3369 goto fail; 3370 } 3371 replay = ((const struct sadb_x_sa_replay *) 3372 mhp->ext[SADB_X_EXT_SA_REPLAY])->sadb_x_sa_replay_replay; 3373 3374 if (replay > UINT32_MAX - 32) { 3375 ipseclog((LOG_DEBUG, 3376 "%s: replay window too big.\n", __func__)); 3377 error = EINVAL; 3378 goto fail; 3379 } 3380 3381 replay = (replay + 7) >> 3; 3382 } 3383 3384 sav->replay = malloc(sizeof(struct secreplay), M_IPSEC_MISC, 3385 M_NOWAIT | M_ZERO); 3386 if (sav->replay == NULL) { 3387 PFKEYSTAT_INC(in_nomem); 3388 ipseclog((LOG_DEBUG, "%s: No more memory.\n", 3389 __func__)); 3390 error = ENOBUFS; 3391 goto fail; 3392 } 3393 mtx_init(&sav->replay->lock, "ipsec replay", NULL, MTX_DEF); 3394 3395 if (replay != 0) { 3396 /* number of 32b blocks to be allocated */ 3397 uint32_t bitmap_size; 3398 3399 /* RFC 6479: 3400 * - the allocated replay window size must be 3401 * a power of two. 3402 * - use an extra 32b block as a redundant window. 3403 */ 3404 bitmap_size = 1; 3405 while (replay + 4 > bitmap_size) 3406 bitmap_size <<= 1; 3407 bitmap_size = bitmap_size / 4; 3408 3409 sav->replay->bitmap = malloc( 3410 bitmap_size * sizeof(uint32_t), M_IPSEC_MISC, 3411 M_NOWAIT | M_ZERO); 3412 if (sav->replay->bitmap == NULL) { 3413 PFKEYSTAT_INC(in_nomem); 3414 ipseclog((LOG_DEBUG, "%s: No more memory.\n", 3415 __func__)); 3416 error = ENOBUFS; 3417 goto fail; 3418 } 3419 sav->replay->bitmap_size = bitmap_size; 3420 sav->replay->wsize = replay; 3421 } 3422 } 3423 3424 /* Authentication keys */ 3425 if (!SADB_CHECKHDR(mhp, SADB_EXT_KEY_AUTH)) { 3426 if (SADB_CHECKLEN(mhp, SADB_EXT_KEY_AUTH)) { 3427 error = EINVAL; 3428 goto fail; 3429 } 3430 error = 0; 3431 key0 = (const struct sadb_key *)mhp->ext[SADB_EXT_KEY_AUTH]; 3432 len = mhp->extlen[SADB_EXT_KEY_AUTH]; 3433 switch (mhp->msg->sadb_msg_satype) { 3434 case SADB_SATYPE_AH: 3435 case SADB_SATYPE_ESP: 3436 case SADB_X_SATYPE_TCPSIGNATURE: 3437 if (len == PFKEY_ALIGN8(sizeof(struct sadb_key)) && 3438 sav->alg_auth != SADB_X_AALG_NULL) 3439 error = EINVAL; 3440 break; 3441 case SADB_X_SATYPE_IPCOMP: 3442 default: 3443 error = EINVAL; 3444 break; 3445 } 3446 if (error) { 3447 ipseclog((LOG_DEBUG, "%s: invalid key_auth values.\n", 3448 __func__)); 3449 goto fail; 3450 } 3451 3452 sav->key_auth = key_dup_keymsg(key0, len, M_IPSEC_MISC); 3453 if (sav->key_auth == NULL ) { 3454 ipseclog((LOG_DEBUG, "%s: No more memory.\n", 3455 __func__)); 3456 PFKEYSTAT_INC(in_nomem); 3457 error = ENOBUFS; 3458 goto fail; 3459 } 3460 } 3461 3462 /* Encryption key */ 3463 if (!SADB_CHECKHDR(mhp, SADB_EXT_KEY_ENCRYPT)) { 3464 if (SADB_CHECKLEN(mhp, SADB_EXT_KEY_ENCRYPT)) { 3465 error = EINVAL; 3466 goto fail; 3467 } 3468 error = 0; 3469 key0 = (const struct sadb_key *)mhp->ext[SADB_EXT_KEY_ENCRYPT]; 3470 len = mhp->extlen[SADB_EXT_KEY_ENCRYPT]; 3471 switch (mhp->msg->sadb_msg_satype) { 3472 case SADB_SATYPE_ESP: 3473 if (len == PFKEY_ALIGN8(sizeof(struct sadb_key)) && 3474 sav->alg_enc != SADB_EALG_NULL) { 3475 error = EINVAL; 3476 break; 3477 } 3478 sav->key_enc = key_dup_keymsg(key0, len, M_IPSEC_MISC); 3479 if (sav->key_enc == NULL) { 3480 ipseclog((LOG_DEBUG, "%s: No more memory.\n", 3481 __func__)); 3482 PFKEYSTAT_INC(in_nomem); 3483 error = ENOBUFS; 3484 goto fail; 3485 } 3486 break; 3487 case SADB_X_SATYPE_IPCOMP: 3488 if (len != PFKEY_ALIGN8(sizeof(struct sadb_key))) 3489 error = EINVAL; 3490 sav->key_enc = NULL; /*just in case*/ 3491 break; 3492 case SADB_SATYPE_AH: 3493 case SADB_X_SATYPE_TCPSIGNATURE: 3494 default: 3495 error = EINVAL; 3496 break; 3497 } 3498 if (error) { 3499 ipseclog((LOG_DEBUG, "%s: invalid key_enc value.\n", 3500 __func__)); 3501 goto fail; 3502 } 3503 } 3504 3505 /* set iv */ 3506 sav->ivlen = 0; 3507 switch (mhp->msg->sadb_msg_satype) { 3508 case SADB_SATYPE_AH: 3509 if (sav->flags & SADB_X_EXT_DERIV) { 3510 ipseclog((LOG_DEBUG, "%s: invalid flag (derived) " 3511 "given to AH SA.\n", __func__)); 3512 error = EINVAL; 3513 goto fail; 3514 } 3515 if (sav->alg_enc != SADB_EALG_NONE) { 3516 ipseclog((LOG_DEBUG, "%s: protocol and algorithm " 3517 "mismated.\n", __func__)); 3518 error = EINVAL; 3519 goto fail; 3520 } 3521 error = xform_init(sav, XF_AH); 3522 break; 3523 case SADB_SATYPE_ESP: 3524 if ((sav->flags & (SADB_X_EXT_OLD | SADB_X_EXT_DERIV)) == 3525 (SADB_X_EXT_OLD | SADB_X_EXT_DERIV)) { 3526 ipseclog((LOG_DEBUG, "%s: invalid flag (derived) " 3527 "given to old-esp.\n", __func__)); 3528 error = EINVAL; 3529 goto fail; 3530 } 3531 error = xform_init(sav, XF_ESP); 3532 break; 3533 case SADB_X_SATYPE_IPCOMP: 3534 if (sav->alg_auth != SADB_AALG_NONE) { 3535 ipseclog((LOG_DEBUG, "%s: protocol and algorithm " 3536 "mismated.\n", __func__)); 3537 error = EINVAL; 3538 goto fail; 3539 } 3540 if ((sav->flags & SADB_X_EXT_RAWCPI) == 0 && 3541 ntohl(sav->spi) >= 0x10000) { 3542 ipseclog((LOG_DEBUG, "%s: invalid cpi for IPComp.\n", 3543 __func__)); 3544 error = EINVAL; 3545 goto fail; 3546 } 3547 error = xform_init(sav, XF_IPCOMP); 3548 break; 3549 case SADB_X_SATYPE_TCPSIGNATURE: 3550 if (sav->alg_enc != SADB_EALG_NONE) { 3551 ipseclog((LOG_DEBUG, "%s: protocol and algorithm " 3552 "mismated.\n", __func__)); 3553 error = EINVAL; 3554 goto fail; 3555 } 3556 error = xform_init(sav, XF_TCPSIGNATURE); 3557 break; 3558 default: 3559 ipseclog((LOG_DEBUG, "%s: Invalid satype.\n", __func__)); 3560 error = EPROTONOSUPPORT; 3561 goto fail; 3562 } 3563 if (error) { 3564 ipseclog((LOG_DEBUG, "%s: unable to initialize SA type %u.\n", 3565 __func__, mhp->msg->sadb_msg_satype)); 3566 goto fail; 3567 } 3568 3569 /* Handle NAT-T headers */ 3570 error = key_setnatt(sav, mhp); 3571 if (error != 0) 3572 goto fail; 3573 3574 /* Initialize lifetime for CURRENT */ 3575 sav->firstused = 0; 3576 sav->created = time_second; 3577 3578 /* lifetimes for HARD and SOFT */ 3579 error = key_updatelifetimes(sav, mhp); 3580 if (error == 0) 3581 return (0); 3582 fail: 3583 key_cleansav(sav); 3584 return (error); 3585 } 3586 3587 /* 3588 * subroutine for SADB_GET and SADB_DUMP. 3589 */ 3590 static struct mbuf * 3591 key_setdumpsa(struct secasvar *sav, uint8_t type, uint8_t satype, 3592 uint32_t seq, uint32_t pid) 3593 { 3594 struct seclifetime lft_c; 3595 struct mbuf *result = NULL, *tres = NULL, *m; 3596 int i, dumporder[] = { 3597 SADB_EXT_SA, SADB_X_EXT_SA2, SADB_X_EXT_SA_REPLAY, 3598 SADB_EXT_LIFETIME_HARD, SADB_EXT_LIFETIME_SOFT, 3599 SADB_EXT_LIFETIME_CURRENT, SADB_EXT_ADDRESS_SRC, 3600 SADB_EXT_ADDRESS_DST, SADB_EXT_ADDRESS_PROXY, 3601 SADB_EXT_KEY_AUTH, SADB_EXT_KEY_ENCRYPT, 3602 SADB_EXT_IDENTITY_SRC, SADB_EXT_IDENTITY_DST, 3603 SADB_EXT_SENSITIVITY, 3604 SADB_X_EXT_NAT_T_TYPE, 3605 SADB_X_EXT_NAT_T_SPORT, SADB_X_EXT_NAT_T_DPORT, 3606 SADB_X_EXT_NAT_T_OAI, SADB_X_EXT_NAT_T_OAR, 3607 SADB_X_EXT_NAT_T_FRAG, 3608 }; 3609 uint32_t replay_count; 3610 3611 SECASVAR_RLOCK_TRACKER; 3612 3613 m = key_setsadbmsg(type, 0, satype, seq, pid, sav->refcnt); 3614 if (m == NULL) 3615 goto fail; 3616 result = m; 3617 3618 for (i = nitems(dumporder) - 1; i >= 0; i--) { 3619 m = NULL; 3620 switch (dumporder[i]) { 3621 case SADB_EXT_SA: 3622 m = key_setsadbsa(sav); 3623 if (!m) 3624 goto fail; 3625 break; 3626 3627 case SADB_X_EXT_SA2: { 3628 SECASVAR_RLOCK(sav); 3629 replay_count = sav->replay ? sav->replay->count : 0; 3630 SECASVAR_RUNLOCK(sav); 3631 m = key_setsadbxsa2(sav->sah->saidx.mode, replay_count, 3632 sav->sah->saidx.reqid); 3633 if (!m) 3634 goto fail; 3635 break; 3636 } 3637 case SADB_X_EXT_SA_REPLAY: 3638 if (sav->replay == NULL || 3639 sav->replay->wsize <= UINT8_MAX) 3640 continue; 3641 3642 m = key_setsadbxsareplay(sav->replay->wsize); 3643 if (!m) 3644 goto fail; 3645 break; 3646 3647 case SADB_EXT_ADDRESS_SRC: 3648 m = key_setsadbaddr(SADB_EXT_ADDRESS_SRC, 3649 &sav->sah->saidx.src.sa, 3650 FULLMASK, IPSEC_ULPROTO_ANY); 3651 if (!m) 3652 goto fail; 3653 break; 3654 3655 case SADB_EXT_ADDRESS_DST: 3656 m = key_setsadbaddr(SADB_EXT_ADDRESS_DST, 3657 &sav->sah->saidx.dst.sa, 3658 FULLMASK, IPSEC_ULPROTO_ANY); 3659 if (!m) 3660 goto fail; 3661 break; 3662 3663 case SADB_EXT_KEY_AUTH: 3664 if (!sav->key_auth) 3665 continue; 3666 m = key_setkey(sav->key_auth, SADB_EXT_KEY_AUTH); 3667 if (!m) 3668 goto fail; 3669 break; 3670 3671 case SADB_EXT_KEY_ENCRYPT: 3672 if (!sav->key_enc) 3673 continue; 3674 m = key_setkey(sav->key_enc, SADB_EXT_KEY_ENCRYPT); 3675 if (!m) 3676 goto fail; 3677 break; 3678 3679 case SADB_EXT_LIFETIME_CURRENT: 3680 lft_c.addtime = sav->created; 3681 lft_c.allocations = (uint32_t)counter_u64_fetch( 3682 sav->lft_c_allocations); 3683 lft_c.bytes = counter_u64_fetch(sav->lft_c_bytes); 3684 lft_c.usetime = sav->firstused; 3685 m = key_setlifetime(&lft_c, SADB_EXT_LIFETIME_CURRENT); 3686 if (!m) 3687 goto fail; 3688 break; 3689 3690 case SADB_EXT_LIFETIME_HARD: 3691 if (!sav->lft_h) 3692 continue; 3693 m = key_setlifetime(sav->lft_h, 3694 SADB_EXT_LIFETIME_HARD); 3695 if (!m) 3696 goto fail; 3697 break; 3698 3699 case SADB_EXT_LIFETIME_SOFT: 3700 if (!sav->lft_s) 3701 continue; 3702 m = key_setlifetime(sav->lft_s, 3703 SADB_EXT_LIFETIME_SOFT); 3704 3705 if (!m) 3706 goto fail; 3707 break; 3708 3709 case SADB_X_EXT_NAT_T_TYPE: 3710 if (sav->natt == NULL) 3711 continue; 3712 m = key_setsadbxtype(UDP_ENCAP_ESPINUDP); 3713 if (!m) 3714 goto fail; 3715 break; 3716 3717 case SADB_X_EXT_NAT_T_DPORT: 3718 if (sav->natt == NULL) 3719 continue; 3720 m = key_setsadbxport(sav->natt->dport, 3721 SADB_X_EXT_NAT_T_DPORT); 3722 if (!m) 3723 goto fail; 3724 break; 3725 3726 case SADB_X_EXT_NAT_T_SPORT: 3727 if (sav->natt == NULL) 3728 continue; 3729 m = key_setsadbxport(sav->natt->sport, 3730 SADB_X_EXT_NAT_T_SPORT); 3731 if (!m) 3732 goto fail; 3733 break; 3734 3735 case SADB_X_EXT_NAT_T_OAI: 3736 if (sav->natt == NULL || 3737 (sav->natt->flags & IPSEC_NATT_F_OAI) == 0) 3738 continue; 3739 m = key_setsadbaddr(SADB_X_EXT_NAT_T_OAI, 3740 &sav->natt->oai.sa, FULLMASK, IPSEC_ULPROTO_ANY); 3741 if (!m) 3742 goto fail; 3743 break; 3744 case SADB_X_EXT_NAT_T_OAR: 3745 if (sav->natt == NULL || 3746 (sav->natt->flags & IPSEC_NATT_F_OAR) == 0) 3747 continue; 3748 m = key_setsadbaddr(SADB_X_EXT_NAT_T_OAR, 3749 &sav->natt->oar.sa, FULLMASK, IPSEC_ULPROTO_ANY); 3750 if (!m) 3751 goto fail; 3752 break; 3753 case SADB_X_EXT_NAT_T_FRAG: 3754 /* We do not (yet) support those. */ 3755 continue; 3756 3757 case SADB_EXT_ADDRESS_PROXY: 3758 case SADB_EXT_IDENTITY_SRC: 3759 case SADB_EXT_IDENTITY_DST: 3760 /* XXX: should we brought from SPD ? */ 3761 case SADB_EXT_SENSITIVITY: 3762 default: 3763 continue; 3764 } 3765 3766 if (!m) 3767 goto fail; 3768 if (tres) 3769 m_cat(m, tres); 3770 tres = m; 3771 } 3772 3773 m_cat(result, tres); 3774 tres = NULL; 3775 if (result->m_len < sizeof(struct sadb_msg)) { 3776 result = m_pullup(result, sizeof(struct sadb_msg)); 3777 if (result == NULL) 3778 goto fail; 3779 } 3780 3781 result->m_pkthdr.len = 0; 3782 for (m = result; m; m = m->m_next) 3783 result->m_pkthdr.len += m->m_len; 3784 3785 mtod(result, struct sadb_msg *)->sadb_msg_len = 3786 PFKEY_UNIT64(result->m_pkthdr.len); 3787 3788 return result; 3789 3790 fail: 3791 m_freem(result); 3792 m_freem(tres); 3793 return NULL; 3794 } 3795 3796 /* 3797 * set data into sadb_msg. 3798 */ 3799 static struct mbuf * 3800 key_setsadbmsg(u_int8_t type, u_int16_t tlen, u_int8_t satype, u_int32_t seq, 3801 pid_t pid, u_int16_t reserved) 3802 { 3803 struct mbuf *m; 3804 struct sadb_msg *p; 3805 int len; 3806 3807 len = PFKEY_ALIGN8(sizeof(struct sadb_msg)); 3808 if (len > MCLBYTES) 3809 return NULL; 3810 m = key_mget(len); 3811 if (m == NULL) 3812 return NULL; 3813 m->m_pkthdr.len = m->m_len = len; 3814 m->m_next = NULL; 3815 3816 p = mtod(m, struct sadb_msg *); 3817 3818 bzero(p, len); 3819 p->sadb_msg_version = PF_KEY_V2; 3820 p->sadb_msg_type = type; 3821 p->sadb_msg_errno = 0; 3822 p->sadb_msg_satype = satype; 3823 p->sadb_msg_len = PFKEY_UNIT64(tlen); 3824 p->sadb_msg_reserved = reserved; 3825 p->sadb_msg_seq = seq; 3826 p->sadb_msg_pid = (u_int32_t)pid; 3827 3828 return m; 3829 } 3830 3831 /* 3832 * copy secasvar data into sadb_address. 3833 */ 3834 static struct mbuf * 3835 key_setsadbsa(struct secasvar *sav) 3836 { 3837 struct mbuf *m; 3838 struct sadb_sa *p; 3839 int len; 3840 3841 len = PFKEY_ALIGN8(sizeof(struct sadb_sa)); 3842 m = m_get2(len, M_NOWAIT, MT_DATA, 0); 3843 if (m == NULL) 3844 return (NULL); 3845 m_align(m, len); 3846 m->m_len = len; 3847 p = mtod(m, struct sadb_sa *); 3848 bzero(p, len); 3849 p->sadb_sa_len = PFKEY_UNIT64(len); 3850 p->sadb_sa_exttype = SADB_EXT_SA; 3851 p->sadb_sa_spi = sav->spi; 3852 p->sadb_sa_replay = sav->replay ? 3853 (sav->replay->wsize > UINT8_MAX ? UINT8_MAX : 3854 sav->replay->wsize): 0; 3855 p->sadb_sa_state = sav->state; 3856 p->sadb_sa_auth = sav->alg_auth; 3857 p->sadb_sa_encrypt = sav->alg_enc; 3858 p->sadb_sa_flags = sav->flags & SADB_KEY_FLAGS_MAX; 3859 return (m); 3860 } 3861 3862 /* 3863 * set data into sadb_address. 3864 */ 3865 static struct mbuf * 3866 key_setsadbaddr(u_int16_t exttype, const struct sockaddr *saddr, 3867 u_int8_t prefixlen, u_int16_t ul_proto) 3868 { 3869 struct mbuf *m; 3870 struct sadb_address *p; 3871 size_t len; 3872 3873 len = PFKEY_ALIGN8(sizeof(struct sadb_address)) + 3874 PFKEY_ALIGN8(saddr->sa_len); 3875 m = m_get2(len, M_NOWAIT, MT_DATA, 0); 3876 if (m == NULL) 3877 return (NULL); 3878 m_align(m, len); 3879 m->m_len = len; 3880 p = mtod(m, struct sadb_address *); 3881 3882 bzero(p, len); 3883 p->sadb_address_len = PFKEY_UNIT64(len); 3884 p->sadb_address_exttype = exttype; 3885 p->sadb_address_proto = ul_proto; 3886 if (prefixlen == FULLMASK) { 3887 switch (saddr->sa_family) { 3888 case AF_INET: 3889 prefixlen = sizeof(struct in_addr) << 3; 3890 break; 3891 case AF_INET6: 3892 prefixlen = sizeof(struct in6_addr) << 3; 3893 break; 3894 default: 3895 ; /*XXX*/ 3896 } 3897 } 3898 p->sadb_address_prefixlen = prefixlen; 3899 p->sadb_address_reserved = 0; 3900 3901 bcopy(saddr, 3902 mtod(m, caddr_t) + PFKEY_ALIGN8(sizeof(struct sadb_address)), 3903 saddr->sa_len); 3904 3905 return m; 3906 } 3907 3908 /* 3909 * set data into sadb_x_sa2. 3910 */ 3911 static struct mbuf * 3912 key_setsadbxsa2(u_int8_t mode, u_int32_t seq, u_int32_t reqid) 3913 { 3914 struct mbuf *m; 3915 struct sadb_x_sa2 *p; 3916 size_t len; 3917 3918 len = PFKEY_ALIGN8(sizeof(struct sadb_x_sa2)); 3919 m = m_get2(len, M_NOWAIT, MT_DATA, 0); 3920 if (m == NULL) 3921 return (NULL); 3922 m_align(m, len); 3923 m->m_len = len; 3924 p = mtod(m, struct sadb_x_sa2 *); 3925 3926 bzero(p, len); 3927 p->sadb_x_sa2_len = PFKEY_UNIT64(len); 3928 p->sadb_x_sa2_exttype = SADB_X_EXT_SA2; 3929 p->sadb_x_sa2_mode = mode; 3930 p->sadb_x_sa2_reserved1 = 0; 3931 p->sadb_x_sa2_reserved2 = 0; 3932 p->sadb_x_sa2_sequence = seq; 3933 p->sadb_x_sa2_reqid = reqid; 3934 3935 return m; 3936 } 3937 3938 /* 3939 * Set data into sadb_x_sa_replay. 3940 */ 3941 static struct mbuf * 3942 key_setsadbxsareplay(u_int32_t replay) 3943 { 3944 struct mbuf *m; 3945 struct sadb_x_sa_replay *p; 3946 size_t len; 3947 3948 len = PFKEY_ALIGN8(sizeof(struct sadb_x_sa_replay)); 3949 m = m_get2(len, M_NOWAIT, MT_DATA, 0); 3950 if (m == NULL) 3951 return (NULL); 3952 m_align(m, len); 3953 m->m_len = len; 3954 p = mtod(m, struct sadb_x_sa_replay *); 3955 3956 bzero(p, len); 3957 p->sadb_x_sa_replay_len = PFKEY_UNIT64(len); 3958 p->sadb_x_sa_replay_exttype = SADB_X_EXT_SA_REPLAY; 3959 p->sadb_x_sa_replay_replay = (replay << 3); 3960 3961 return m; 3962 } 3963 3964 /* 3965 * Set a type in sadb_x_nat_t_type. 3966 */ 3967 static struct mbuf * 3968 key_setsadbxtype(u_int16_t type) 3969 { 3970 struct mbuf *m; 3971 size_t len; 3972 struct sadb_x_nat_t_type *p; 3973 3974 len = PFKEY_ALIGN8(sizeof(struct sadb_x_nat_t_type)); 3975 3976 m = m_get2(len, M_NOWAIT, MT_DATA, 0); 3977 if (m == NULL) 3978 return (NULL); 3979 m_align(m, len); 3980 m->m_len = len; 3981 p = mtod(m, struct sadb_x_nat_t_type *); 3982 3983 bzero(p, len); 3984 p->sadb_x_nat_t_type_len = PFKEY_UNIT64(len); 3985 p->sadb_x_nat_t_type_exttype = SADB_X_EXT_NAT_T_TYPE; 3986 p->sadb_x_nat_t_type_type = type; 3987 3988 return (m); 3989 } 3990 /* 3991 * Set a port in sadb_x_nat_t_port. 3992 * In contrast to default RFC 2367 behaviour, port is in network byte order. 3993 */ 3994 static struct mbuf * 3995 key_setsadbxport(u_int16_t port, u_int16_t type) 3996 { 3997 struct mbuf *m; 3998 size_t len; 3999 struct sadb_x_nat_t_port *p; 4000 4001 len = PFKEY_ALIGN8(sizeof(struct sadb_x_nat_t_port)); 4002 4003 m = m_get2(len, M_NOWAIT, MT_DATA, 0); 4004 if (m == NULL) 4005 return (NULL); 4006 m_align(m, len); 4007 m->m_len = len; 4008 p = mtod(m, struct sadb_x_nat_t_port *); 4009 4010 bzero(p, len); 4011 p->sadb_x_nat_t_port_len = PFKEY_UNIT64(len); 4012 p->sadb_x_nat_t_port_exttype = type; 4013 p->sadb_x_nat_t_port_port = port; 4014 4015 return (m); 4016 } 4017 4018 /* 4019 * Get port from sockaddr. Port is in network byte order. 4020 */ 4021 uint16_t 4022 key_portfromsaddr(struct sockaddr *sa) 4023 { 4024 4025 switch (sa->sa_family) { 4026 #ifdef INET 4027 case AF_INET: 4028 return ((struct sockaddr_in *)sa)->sin_port; 4029 #endif 4030 #ifdef INET6 4031 case AF_INET6: 4032 return ((struct sockaddr_in6 *)sa)->sin6_port; 4033 #endif 4034 } 4035 return (0); 4036 } 4037 4038 /* 4039 * Set port in struct sockaddr. Port is in network byte order. 4040 */ 4041 void 4042 key_porttosaddr(struct sockaddr *sa, uint16_t port) 4043 { 4044 4045 switch (sa->sa_family) { 4046 #ifdef INET 4047 case AF_INET: 4048 ((struct sockaddr_in *)sa)->sin_port = port; 4049 break; 4050 #endif 4051 #ifdef INET6 4052 case AF_INET6: 4053 ((struct sockaddr_in6 *)sa)->sin6_port = port; 4054 break; 4055 #endif 4056 default: 4057 ipseclog((LOG_DEBUG, "%s: unexpected address family %d.\n", 4058 __func__, sa->sa_family)); 4059 break; 4060 } 4061 } 4062 4063 /* 4064 * set data into sadb_x_policy 4065 */ 4066 static struct mbuf * 4067 key_setsadbxpolicy(u_int16_t type, u_int8_t dir, u_int32_t id, u_int32_t priority) 4068 { 4069 struct mbuf *m; 4070 struct sadb_x_policy *p; 4071 size_t len; 4072 4073 len = PFKEY_ALIGN8(sizeof(struct sadb_x_policy)); 4074 m = m_get2(len, M_NOWAIT, MT_DATA, 0); 4075 if (m == NULL) 4076 return (NULL); 4077 m_align(m, len); 4078 m->m_len = len; 4079 p = mtod(m, struct sadb_x_policy *); 4080 4081 bzero(p, len); 4082 p->sadb_x_policy_len = PFKEY_UNIT64(len); 4083 p->sadb_x_policy_exttype = SADB_X_EXT_POLICY; 4084 p->sadb_x_policy_type = type; 4085 p->sadb_x_policy_dir = dir; 4086 p->sadb_x_policy_id = id; 4087 p->sadb_x_policy_priority = priority; 4088 4089 return m; 4090 } 4091 4092 /* %%% utilities */ 4093 /* Take a key message (sadb_key) from the socket and turn it into one 4094 * of the kernel's key structures (seckey). 4095 * 4096 * IN: pointer to the src 4097 * OUT: NULL no more memory 4098 */ 4099 struct seckey * 4100 key_dup_keymsg(const struct sadb_key *src, size_t len, 4101 struct malloc_type *type) 4102 { 4103 struct seckey *dst; 4104 4105 dst = malloc(sizeof(*dst), type, M_NOWAIT); 4106 if (dst != NULL) { 4107 dst->bits = src->sadb_key_bits; 4108 dst->key_data = malloc(len, type, M_NOWAIT); 4109 if (dst->key_data != NULL) { 4110 bcopy((const char *)(src + 1), dst->key_data, len); 4111 } else { 4112 ipseclog((LOG_DEBUG, "%s: No more memory.\n", 4113 __func__)); 4114 free(dst, type); 4115 dst = NULL; 4116 } 4117 } else { 4118 ipseclog((LOG_DEBUG, "%s: No more memory.\n", 4119 __func__)); 4120 } 4121 return (dst); 4122 } 4123 4124 /* Take a lifetime message (sadb_lifetime) passed in on a socket and 4125 * turn it into one of the kernel's lifetime structures (seclifetime). 4126 * 4127 * IN: pointer to the destination, source and malloc type 4128 * OUT: NULL, no more memory 4129 */ 4130 4131 static struct seclifetime * 4132 key_dup_lifemsg(const struct sadb_lifetime *src, struct malloc_type *type) 4133 { 4134 struct seclifetime *dst; 4135 4136 dst = malloc(sizeof(*dst), type, M_NOWAIT); 4137 if (dst == NULL) { 4138 ipseclog((LOG_DEBUG, "%s: No more memory.\n", __func__)); 4139 return (NULL); 4140 } 4141 dst->allocations = src->sadb_lifetime_allocations; 4142 dst->bytes = src->sadb_lifetime_bytes; 4143 dst->addtime = src->sadb_lifetime_addtime; 4144 dst->usetime = src->sadb_lifetime_usetime; 4145 return (dst); 4146 } 4147 4148 /* 4149 * compare two secasindex structure. 4150 * flag can specify to compare 2 saidxes. 4151 * compare two secasindex structure without both mode and reqid. 4152 * don't compare port. 4153 * IN: 4154 * saidx0: source, it can be in SAD. 4155 * saidx1: object. 4156 * OUT: 4157 * 1 : equal 4158 * 0 : not equal 4159 */ 4160 static int 4161 key_cmpsaidx(const struct secasindex *saidx0, const struct secasindex *saidx1, 4162 int flag) 4163 { 4164 4165 /* sanity */ 4166 if (saidx0 == NULL && saidx1 == NULL) 4167 return 1; 4168 4169 if (saidx0 == NULL || saidx1 == NULL) 4170 return 0; 4171 4172 if (saidx0->proto != saidx1->proto) 4173 return 0; 4174 4175 if (flag == CMP_EXACTLY) { 4176 if (saidx0->mode != saidx1->mode) 4177 return 0; 4178 if (saidx0->reqid != saidx1->reqid) 4179 return 0; 4180 if (bcmp(&saidx0->src, &saidx1->src, 4181 saidx0->src.sa.sa_len) != 0 || 4182 bcmp(&saidx0->dst, &saidx1->dst, 4183 saidx0->dst.sa.sa_len) != 0) 4184 return 0; 4185 } else { 4186 /* CMP_MODE_REQID, CMP_REQID, CMP_HEAD */ 4187 if (flag == CMP_MODE_REQID || flag == CMP_REQID) { 4188 /* 4189 * If reqid of SPD is non-zero, unique SA is required. 4190 * The result must be of same reqid in this case. 4191 */ 4192 if (saidx1->reqid != 0 && 4193 saidx0->reqid != saidx1->reqid) 4194 return 0; 4195 } 4196 4197 if (flag == CMP_MODE_REQID) { 4198 if (saidx0->mode != IPSEC_MODE_ANY 4199 && saidx0->mode != saidx1->mode) 4200 return 0; 4201 } 4202 4203 if (key_sockaddrcmp(&saidx0->src.sa, &saidx1->src.sa, 0) != 0) 4204 return 0; 4205 if (key_sockaddrcmp(&saidx0->dst.sa, &saidx1->dst.sa, 0) != 0) 4206 return 0; 4207 } 4208 4209 return 1; 4210 } 4211 4212 /* 4213 * compare two secindex structure exactly. 4214 * IN: 4215 * spidx0: source, it is often in SPD. 4216 * spidx1: object, it is often from PFKEY message. 4217 * OUT: 4218 * 1 : equal 4219 * 0 : not equal 4220 */ 4221 static int 4222 key_cmpspidx_exactly(struct secpolicyindex *spidx0, 4223 struct secpolicyindex *spidx1) 4224 { 4225 /* sanity */ 4226 if (spidx0 == NULL && spidx1 == NULL) 4227 return 1; 4228 4229 if (spidx0 == NULL || spidx1 == NULL) 4230 return 0; 4231 4232 if (spidx0->prefs != spidx1->prefs 4233 || spidx0->prefd != spidx1->prefd 4234 || spidx0->ul_proto != spidx1->ul_proto 4235 || spidx0->dir != spidx1->dir) 4236 return 0; 4237 4238 return key_sockaddrcmp(&spidx0->src.sa, &spidx1->src.sa, 1) == 0 && 4239 key_sockaddrcmp(&spidx0->dst.sa, &spidx1->dst.sa, 1) == 0; 4240 } 4241 4242 /* 4243 * compare two secindex structure with mask. 4244 * IN: 4245 * spidx0: source, it is often in SPD. 4246 * spidx1: object, it is often from IP header. 4247 * OUT: 4248 * 1 : equal 4249 * 0 : not equal 4250 */ 4251 static int 4252 key_cmpspidx_withmask(struct secpolicyindex *spidx0, 4253 struct secpolicyindex *spidx1) 4254 { 4255 /* sanity */ 4256 if (spidx0 == NULL && spidx1 == NULL) 4257 return 1; 4258 4259 if (spidx0 == NULL || spidx1 == NULL) 4260 return 0; 4261 4262 if (spidx0->src.sa.sa_family != spidx1->src.sa.sa_family || 4263 spidx0->dst.sa.sa_family != spidx1->dst.sa.sa_family || 4264 spidx0->src.sa.sa_len != spidx1->src.sa.sa_len || 4265 spidx0->dst.sa.sa_len != spidx1->dst.sa.sa_len) 4266 return 0; 4267 4268 /* if spidx.ul_proto == IPSEC_ULPROTO_ANY, ignore. */ 4269 if (spidx0->ul_proto != (u_int16_t)IPSEC_ULPROTO_ANY 4270 && spidx0->ul_proto != spidx1->ul_proto) 4271 return 0; 4272 4273 switch (spidx0->src.sa.sa_family) { 4274 case AF_INET: 4275 if (spidx0->src.sin.sin_port != IPSEC_PORT_ANY 4276 && spidx0->src.sin.sin_port != spidx1->src.sin.sin_port) 4277 return 0; 4278 if (!key_bbcmp(&spidx0->src.sin.sin_addr, 4279 &spidx1->src.sin.sin_addr, spidx0->prefs)) 4280 return 0; 4281 break; 4282 case AF_INET6: 4283 if (spidx0->src.sin6.sin6_port != IPSEC_PORT_ANY 4284 && spidx0->src.sin6.sin6_port != spidx1->src.sin6.sin6_port) 4285 return 0; 4286 /* 4287 * scope_id check. if sin6_scope_id is 0, we regard it 4288 * as a wildcard scope, which matches any scope zone ID. 4289 */ 4290 if (spidx0->src.sin6.sin6_scope_id && 4291 spidx1->src.sin6.sin6_scope_id && 4292 spidx0->src.sin6.sin6_scope_id != spidx1->src.sin6.sin6_scope_id) 4293 return 0; 4294 if (!key_bbcmp(&spidx0->src.sin6.sin6_addr, 4295 &spidx1->src.sin6.sin6_addr, spidx0->prefs)) 4296 return 0; 4297 break; 4298 default: 4299 /* XXX */ 4300 if (bcmp(&spidx0->src, &spidx1->src, spidx0->src.sa.sa_len) != 0) 4301 return 0; 4302 break; 4303 } 4304 4305 switch (spidx0->dst.sa.sa_family) { 4306 case AF_INET: 4307 if (spidx0->dst.sin.sin_port != IPSEC_PORT_ANY 4308 && spidx0->dst.sin.sin_port != spidx1->dst.sin.sin_port) 4309 return 0; 4310 if (!key_bbcmp(&spidx0->dst.sin.sin_addr, 4311 &spidx1->dst.sin.sin_addr, spidx0->prefd)) 4312 return 0; 4313 break; 4314 case AF_INET6: 4315 if (spidx0->dst.sin6.sin6_port != IPSEC_PORT_ANY 4316 && spidx0->dst.sin6.sin6_port != spidx1->dst.sin6.sin6_port) 4317 return 0; 4318 /* 4319 * scope_id check. if sin6_scope_id is 0, we regard it 4320 * as a wildcard scope, which matches any scope zone ID. 4321 */ 4322 if (spidx0->dst.sin6.sin6_scope_id && 4323 spidx1->dst.sin6.sin6_scope_id && 4324 spidx0->dst.sin6.sin6_scope_id != spidx1->dst.sin6.sin6_scope_id) 4325 return 0; 4326 if (!key_bbcmp(&spidx0->dst.sin6.sin6_addr, 4327 &spidx1->dst.sin6.sin6_addr, spidx0->prefd)) 4328 return 0; 4329 break; 4330 default: 4331 /* XXX */ 4332 if (bcmp(&spidx0->dst, &spidx1->dst, spidx0->dst.sa.sa_len) != 0) 4333 return 0; 4334 break; 4335 } 4336 4337 /* XXX Do we check other field ? e.g. flowinfo */ 4338 4339 return 1; 4340 } 4341 4342 #ifdef satosin 4343 #undef satosin 4344 #endif 4345 #define satosin(s) ((const struct sockaddr_in *)s) 4346 #ifdef satosin6 4347 #undef satosin6 4348 #endif 4349 #define satosin6(s) ((const struct sockaddr_in6 *)s) 4350 /* returns 0 on match */ 4351 int 4352 key_sockaddrcmp(const struct sockaddr *sa1, const struct sockaddr *sa2, 4353 int port) 4354 { 4355 if (sa1->sa_family != sa2->sa_family || sa1->sa_len != sa2->sa_len) 4356 return 1; 4357 4358 switch (sa1->sa_family) { 4359 #ifdef INET 4360 case AF_INET: 4361 if (sa1->sa_len != sizeof(struct sockaddr_in)) 4362 return 1; 4363 if (satosin(sa1)->sin_addr.s_addr != 4364 satosin(sa2)->sin_addr.s_addr) { 4365 return 1; 4366 } 4367 if (port && satosin(sa1)->sin_port != satosin(sa2)->sin_port) 4368 return 1; 4369 break; 4370 #endif 4371 #ifdef INET6 4372 case AF_INET6: 4373 if (sa1->sa_len != sizeof(struct sockaddr_in6)) 4374 return 1; /*EINVAL*/ 4375 if (satosin6(sa1)->sin6_scope_id != 4376 satosin6(sa2)->sin6_scope_id) { 4377 return 1; 4378 } 4379 if (!IN6_ARE_ADDR_EQUAL(&satosin6(sa1)->sin6_addr, 4380 &satosin6(sa2)->sin6_addr)) { 4381 return 1; 4382 } 4383 if (port && 4384 satosin6(sa1)->sin6_port != satosin6(sa2)->sin6_port) { 4385 return 1; 4386 } 4387 break; 4388 #endif 4389 default: 4390 if (bcmp(sa1, sa2, sa1->sa_len) != 0) 4391 return 1; 4392 break; 4393 } 4394 4395 return 0; 4396 } 4397 4398 /* returns 0 on match */ 4399 int 4400 key_sockaddrcmp_withmask(const struct sockaddr *sa1, 4401 const struct sockaddr *sa2, size_t mask) 4402 { 4403 if (sa1->sa_family != sa2->sa_family || sa1->sa_len != sa2->sa_len) 4404 return (1); 4405 4406 switch (sa1->sa_family) { 4407 #ifdef INET 4408 case AF_INET: 4409 return (!key_bbcmp(&satosin(sa1)->sin_addr, 4410 &satosin(sa2)->sin_addr, mask)); 4411 #endif 4412 #ifdef INET6 4413 case AF_INET6: 4414 if (satosin6(sa1)->sin6_scope_id != 4415 satosin6(sa2)->sin6_scope_id) 4416 return (1); 4417 return (!key_bbcmp(&satosin6(sa1)->sin6_addr, 4418 &satosin6(sa2)->sin6_addr, mask)); 4419 #endif 4420 } 4421 return (1); 4422 } 4423 #undef satosin 4424 #undef satosin6 4425 4426 /* 4427 * compare two buffers with mask. 4428 * IN: 4429 * addr1: source 4430 * addr2: object 4431 * bits: Number of bits to compare 4432 * OUT: 4433 * 1 : equal 4434 * 0 : not equal 4435 */ 4436 static int 4437 key_bbcmp(const void *a1, const void *a2, u_int bits) 4438 { 4439 const unsigned char *p1 = a1; 4440 const unsigned char *p2 = a2; 4441 4442 /* XXX: This could be considerably faster if we compare a word 4443 * at a time, but it is complicated on LSB Endian machines */ 4444 4445 /* Handle null pointers */ 4446 if (p1 == NULL || p2 == NULL) 4447 return (p1 == p2); 4448 4449 while (bits >= 8) { 4450 if (*p1++ != *p2++) 4451 return 0; 4452 bits -= 8; 4453 } 4454 4455 if (bits > 0) { 4456 u_int8_t mask = ~((1<<(8-bits))-1); 4457 if ((*p1 & mask) != (*p2 & mask)) 4458 return 0; 4459 } 4460 return 1; /* Match! */ 4461 } 4462 4463 static void 4464 key_flush_spd(time_t now) 4465 { 4466 SPTREE_RLOCK_TRACKER; 4467 struct secpolicy_list drainq; 4468 struct secpolicy *sp, *nextsp; 4469 u_int dir; 4470 4471 LIST_INIT(&drainq); 4472 SPTREE_RLOCK(); 4473 for (dir = 0; dir < IPSEC_DIR_MAX; dir++) { 4474 TAILQ_FOREACH(sp, &V_sptree[dir], chain) { 4475 if (sp->lifetime == 0 && sp->validtime == 0) 4476 continue; 4477 if ((sp->lifetime && 4478 now - sp->created > sp->lifetime) || 4479 (sp->validtime && 4480 now - sp->lastused > sp->validtime)) { 4481 /* Hold extra reference to send SPDEXPIRE */ 4482 SP_ADDREF(sp); 4483 LIST_INSERT_HEAD(&drainq, sp, drainq); 4484 } 4485 } 4486 } 4487 SPTREE_RUNLOCK(); 4488 if (LIST_EMPTY(&drainq)) 4489 return; 4490 4491 SPTREE_WLOCK(); 4492 sp = LIST_FIRST(&drainq); 4493 while (sp != NULL) { 4494 nextsp = LIST_NEXT(sp, drainq); 4495 /* Check that SP is still linked */ 4496 if (sp->state != IPSEC_SPSTATE_ALIVE) { 4497 LIST_REMOVE(sp, drainq); 4498 key_freesp(&sp); /* release extra reference */ 4499 sp = nextsp; 4500 continue; 4501 } 4502 TAILQ_REMOVE(&V_sptree[sp->spidx.dir], sp, chain); 4503 V_spd_size--; 4504 LIST_REMOVE(sp, idhash); 4505 sp->state = IPSEC_SPSTATE_DEAD; 4506 sp = nextsp; 4507 } 4508 V_sp_genid++; 4509 SPTREE_WUNLOCK(); 4510 if (SPDCACHE_ENABLED()) 4511 spdcache_clear(); 4512 4513 sp = LIST_FIRST(&drainq); 4514 while (sp != NULL) { 4515 nextsp = LIST_NEXT(sp, drainq); 4516 key_spdexpire(sp); 4517 key_freesp(&sp); /* release extra reference */ 4518 key_freesp(&sp); /* release last reference */ 4519 sp = nextsp; 4520 } 4521 } 4522 4523 static void 4524 key_flush_sad(time_t now) 4525 { 4526 SAHTREE_RLOCK_TRACKER; 4527 struct secashead_list emptyq; 4528 struct secasvar_list drainq, hexpireq, sexpireq, freeq; 4529 struct secashead *sah, *nextsah; 4530 struct secasvar *sav, *nextsav; 4531 4532 SECASVAR_RLOCK_TRACKER; 4533 4534 LIST_INIT(&drainq); 4535 LIST_INIT(&hexpireq); 4536 LIST_INIT(&sexpireq); 4537 LIST_INIT(&emptyq); 4538 4539 SAHTREE_RLOCK(); 4540 TAILQ_FOREACH(sah, &V_sahtree, chain) { 4541 /* Check for empty SAH */ 4542 if (TAILQ_EMPTY(&sah->savtree_larval) && 4543 TAILQ_EMPTY(&sah->savtree_alive)) { 4544 SAH_ADDREF(sah); 4545 LIST_INSERT_HEAD(&emptyq, sah, drainq); 4546 continue; 4547 } 4548 /* Add all stale LARVAL SAs into drainq */ 4549 TAILQ_FOREACH(sav, &sah->savtree_larval, chain) { 4550 if (now - sav->created < V_key_larval_lifetime) 4551 continue; 4552 SAV_ADDREF(sav); 4553 LIST_INSERT_HEAD(&drainq, sav, drainq); 4554 } 4555 TAILQ_FOREACH(sav, &sah->savtree_alive, chain) { 4556 /* lifetimes aren't specified */ 4557 if (sav->lft_h == NULL) 4558 continue; 4559 SECASVAR_RLOCK(sav); 4560 /* 4561 * Check again with lock held, because it may 4562 * be updated by SADB_UPDATE. 4563 */ 4564 if (sav->lft_h == NULL) { 4565 SECASVAR_RUNLOCK(sav); 4566 continue; 4567 } 4568 /* 4569 * RFC 2367: 4570 * HARD lifetimes MUST take precedence over SOFT 4571 * lifetimes, meaning if the HARD and SOFT lifetimes 4572 * are the same, the HARD lifetime will appear on the 4573 * EXPIRE message. 4574 */ 4575 /* check HARD lifetime */ 4576 if ((sav->lft_h->addtime != 0 && 4577 now - sav->created > sav->lft_h->addtime) || 4578 (sav->lft_h->usetime != 0 && sav->firstused && 4579 now - sav->firstused > sav->lft_h->usetime) || 4580 (sav->lft_h->bytes != 0 && counter_u64_fetch( 4581 sav->lft_c_bytes) > sav->lft_h->bytes)) { 4582 SECASVAR_RUNLOCK(sav); 4583 SAV_ADDREF(sav); 4584 LIST_INSERT_HEAD(&hexpireq, sav, drainq); 4585 continue; 4586 } 4587 /* check SOFT lifetime (only for MATURE SAs) */ 4588 if (sav->state == SADB_SASTATE_MATURE && ( 4589 (sav->lft_s->addtime != 0 && 4590 now - sav->created > sav->lft_s->addtime) || 4591 (sav->lft_s->usetime != 0 && sav->firstused && 4592 now - sav->firstused > sav->lft_s->usetime) || 4593 (sav->lft_s->bytes != 0 && counter_u64_fetch( 4594 sav->lft_c_bytes) > sav->lft_s->bytes) || 4595 (!(sav->flags & SADB_X_SAFLAGS_ESN) && 4596 (sav->replay != NULL) && ( 4597 (sav->replay->count > UINT32_80PCT) || 4598 (sav->replay->last > UINT32_80PCT))))) { 4599 SECASVAR_RUNLOCK(sav); 4600 SAV_ADDREF(sav); 4601 LIST_INSERT_HEAD(&sexpireq, sav, drainq); 4602 continue; 4603 } 4604 SECASVAR_RUNLOCK(sav); 4605 } 4606 } 4607 SAHTREE_RUNLOCK(); 4608 4609 if (LIST_EMPTY(&emptyq) && LIST_EMPTY(&drainq) && 4610 LIST_EMPTY(&hexpireq) && LIST_EMPTY(&sexpireq)) 4611 return; 4612 4613 LIST_INIT(&freeq); 4614 SAHTREE_WLOCK(); 4615 /* Unlink stale LARVAL SAs */ 4616 sav = LIST_FIRST(&drainq); 4617 while (sav != NULL) { 4618 nextsav = LIST_NEXT(sav, drainq); 4619 /* Check that SA is still LARVAL */ 4620 if (sav->state != SADB_SASTATE_LARVAL) { 4621 LIST_REMOVE(sav, drainq); 4622 LIST_INSERT_HEAD(&freeq, sav, drainq); 4623 sav = nextsav; 4624 continue; 4625 } 4626 TAILQ_REMOVE(&sav->sah->savtree_larval, sav, chain); 4627 LIST_REMOVE(sav, spihash); 4628 sav->state = SADB_SASTATE_DEAD; 4629 sav = nextsav; 4630 } 4631 /* Unlink all SAs with expired HARD lifetime */ 4632 sav = LIST_FIRST(&hexpireq); 4633 while (sav != NULL) { 4634 nextsav = LIST_NEXT(sav, drainq); 4635 /* Check that SA is not unlinked */ 4636 if (sav->state == SADB_SASTATE_DEAD) { 4637 LIST_REMOVE(sav, drainq); 4638 LIST_INSERT_HEAD(&freeq, sav, drainq); 4639 sav = nextsav; 4640 continue; 4641 } 4642 TAILQ_REMOVE(&sav->sah->savtree_alive, sav, chain); 4643 LIST_REMOVE(sav, spihash); 4644 sav->state = SADB_SASTATE_DEAD; 4645 sav = nextsav; 4646 } 4647 /* Mark all SAs with expired SOFT lifetime as DYING */ 4648 sav = LIST_FIRST(&sexpireq); 4649 while (sav != NULL) { 4650 nextsav = LIST_NEXT(sav, drainq); 4651 /* Check that SA is not unlinked */ 4652 if (sav->state == SADB_SASTATE_DEAD) { 4653 LIST_REMOVE(sav, drainq); 4654 LIST_INSERT_HEAD(&freeq, sav, drainq); 4655 sav = nextsav; 4656 continue; 4657 } 4658 /* 4659 * NOTE: this doesn't change SA order in the chain. 4660 */ 4661 sav->state = SADB_SASTATE_DYING; 4662 sav = nextsav; 4663 } 4664 /* Unlink empty SAHs */ 4665 sah = LIST_FIRST(&emptyq); 4666 while (sah != NULL) { 4667 nextsah = LIST_NEXT(sah, drainq); 4668 /* Check that SAH is still empty and not unlinked */ 4669 if (sah->state == SADB_SASTATE_DEAD || 4670 !TAILQ_EMPTY(&sah->savtree_larval) || 4671 !TAILQ_EMPTY(&sah->savtree_alive)) { 4672 LIST_REMOVE(sah, drainq); 4673 key_freesah(&sah); /* release extra reference */ 4674 sah = nextsah; 4675 continue; 4676 } 4677 TAILQ_REMOVE(&V_sahtree, sah, chain); 4678 LIST_REMOVE(sah, addrhash); 4679 sah->state = SADB_SASTATE_DEAD; 4680 sah = nextsah; 4681 } 4682 SAHTREE_WUNLOCK(); 4683 4684 /* Send SPDEXPIRE messages */ 4685 sav = LIST_FIRST(&hexpireq); 4686 while (sav != NULL) { 4687 nextsav = LIST_NEXT(sav, drainq); 4688 key_expire(sav, 1); 4689 key_freesah(&sav->sah); /* release reference from SAV */ 4690 key_freesav(&sav); /* release extra reference */ 4691 key_freesav(&sav); /* release last reference */ 4692 sav = nextsav; 4693 } 4694 sav = LIST_FIRST(&sexpireq); 4695 while (sav != NULL) { 4696 nextsav = LIST_NEXT(sav, drainq); 4697 key_expire(sav, 0); 4698 key_freesav(&sav); /* release extra reference */ 4699 sav = nextsav; 4700 } 4701 /* Free stale LARVAL SAs */ 4702 sav = LIST_FIRST(&drainq); 4703 while (sav != NULL) { 4704 nextsav = LIST_NEXT(sav, drainq); 4705 key_freesah(&sav->sah); /* release reference from SAV */ 4706 key_freesav(&sav); /* release extra reference */ 4707 key_freesav(&sav); /* release last reference */ 4708 sav = nextsav; 4709 } 4710 /* Free SAs that were unlinked/changed by someone else */ 4711 sav = LIST_FIRST(&freeq); 4712 while (sav != NULL) { 4713 nextsav = LIST_NEXT(sav, drainq); 4714 key_freesav(&sav); /* release extra reference */ 4715 sav = nextsav; 4716 } 4717 /* Free empty SAH */ 4718 sah = LIST_FIRST(&emptyq); 4719 while (sah != NULL) { 4720 nextsah = LIST_NEXT(sah, drainq); 4721 key_freesah(&sah); /* release extra reference */ 4722 key_freesah(&sah); /* release last reference */ 4723 sah = nextsah; 4724 } 4725 } 4726 4727 static void 4728 key_flush_acq(time_t now) 4729 { 4730 struct secacq *acq, *nextacq; 4731 4732 /* ACQ tree */ 4733 ACQ_LOCK(); 4734 acq = LIST_FIRST(&V_acqtree); 4735 while (acq != NULL) { 4736 nextacq = LIST_NEXT(acq, chain); 4737 if (now - acq->created > V_key_blockacq_lifetime) { 4738 LIST_REMOVE(acq, chain); 4739 LIST_REMOVE(acq, addrhash); 4740 LIST_REMOVE(acq, seqhash); 4741 free(acq, M_IPSEC_SAQ); 4742 } 4743 acq = nextacq; 4744 } 4745 ACQ_UNLOCK(); 4746 } 4747 4748 static void 4749 key_flush_spacq(time_t now) 4750 { 4751 struct secspacq *acq, *nextacq; 4752 4753 /* SP ACQ tree */ 4754 SPACQ_LOCK(); 4755 for (acq = LIST_FIRST(&V_spacqtree); acq != NULL; acq = nextacq) { 4756 nextacq = LIST_NEXT(acq, chain); 4757 if (now - acq->created > V_key_blockacq_lifetime 4758 && __LIST_CHAINED(acq)) { 4759 LIST_REMOVE(acq, chain); 4760 free(acq, M_IPSEC_SAQ); 4761 } 4762 } 4763 SPACQ_UNLOCK(); 4764 } 4765 4766 /* 4767 * time handler. 4768 * scanning SPD and SAD to check status for each entries, 4769 * and do to remove or to expire. 4770 * XXX: year 2038 problem may remain. 4771 */ 4772 static void 4773 key_timehandler(void *arg) 4774 { 4775 VNET_ITERATOR_DECL(vnet_iter); 4776 time_t now = time_second; 4777 4778 VNET_LIST_RLOCK_NOSLEEP(); 4779 VNET_FOREACH(vnet_iter) { 4780 CURVNET_SET(vnet_iter); 4781 key_flush_spd(now); 4782 key_flush_sad(now); 4783 key_flush_acq(now); 4784 key_flush_spacq(now); 4785 CURVNET_RESTORE(); 4786 } 4787 VNET_LIST_RUNLOCK_NOSLEEP(); 4788 4789 #ifndef IPSEC_DEBUG2 4790 /* do exchange to tick time !! */ 4791 callout_schedule(&key_timer, hz); 4792 #endif /* IPSEC_DEBUG2 */ 4793 } 4794 4795 u_long 4796 key_random(void) 4797 { 4798 u_long value; 4799 4800 arc4random_buf(&value, sizeof(value)); 4801 return value; 4802 } 4803 4804 /* 4805 * map SADB_SATYPE_* to IPPROTO_*. 4806 * if satype == SADB_SATYPE then satype is mapped to ~0. 4807 * OUT: 4808 * 0: invalid satype. 4809 */ 4810 static uint8_t 4811 key_satype2proto(uint8_t satype) 4812 { 4813 switch (satype) { 4814 case SADB_SATYPE_UNSPEC: 4815 return IPSEC_PROTO_ANY; 4816 case SADB_SATYPE_AH: 4817 return IPPROTO_AH; 4818 case SADB_SATYPE_ESP: 4819 return IPPROTO_ESP; 4820 case SADB_X_SATYPE_IPCOMP: 4821 return IPPROTO_IPCOMP; 4822 case SADB_X_SATYPE_TCPSIGNATURE: 4823 return IPPROTO_TCP; 4824 default: 4825 return 0; 4826 } 4827 /* NOTREACHED */ 4828 } 4829 4830 /* 4831 * map IPPROTO_* to SADB_SATYPE_* 4832 * OUT: 4833 * 0: invalid protocol type. 4834 */ 4835 static uint8_t 4836 key_proto2satype(uint8_t proto) 4837 { 4838 switch (proto) { 4839 case IPPROTO_AH: 4840 return SADB_SATYPE_AH; 4841 case IPPROTO_ESP: 4842 return SADB_SATYPE_ESP; 4843 case IPPROTO_IPCOMP: 4844 return SADB_X_SATYPE_IPCOMP; 4845 case IPPROTO_TCP: 4846 return SADB_X_SATYPE_TCPSIGNATURE; 4847 default: 4848 return 0; 4849 } 4850 /* NOTREACHED */ 4851 } 4852 4853 /* %%% PF_KEY */ 4854 /* 4855 * SADB_GETSPI processing is to receive 4856 * <base, (SA2), src address, dst address, (SPI range)> 4857 * from the IKMPd, to assign a unique spi value, to hang on the INBOUND 4858 * tree with the status of LARVAL, and send 4859 * <base, SA(*), address(SD)> 4860 * to the IKMPd. 4861 * 4862 * IN: mhp: pointer to the pointer to each header. 4863 * OUT: NULL if fail. 4864 * other if success, return pointer to the message to send. 4865 */ 4866 static int 4867 key_getspi(struct socket *so, struct mbuf *m, const struct sadb_msghdr *mhp) 4868 { 4869 struct secasindex saidx; 4870 struct sadb_address *src0, *dst0; 4871 struct secasvar *sav; 4872 uint32_t reqid, spi; 4873 int error; 4874 uint8_t mode, proto; 4875 4876 IPSEC_ASSERT(so != NULL, ("null socket")); 4877 IPSEC_ASSERT(m != NULL, ("null mbuf")); 4878 IPSEC_ASSERT(mhp != NULL, ("null msghdr")); 4879 IPSEC_ASSERT(mhp->msg != NULL, ("null msg")); 4880 4881 if (SADB_CHECKHDR(mhp, SADB_EXT_ADDRESS_SRC) || 4882 SADB_CHECKHDR(mhp, SADB_EXT_ADDRESS_DST) 4883 #ifdef PFKEY_STRICT_CHECKS 4884 || SADB_CHECKHDR(mhp, SADB_EXT_SPIRANGE) 4885 #endif 4886 ) { 4887 ipseclog((LOG_DEBUG, 4888 "%s: invalid message: missing required header.\n", 4889 __func__)); 4890 error = EINVAL; 4891 goto fail; 4892 } 4893 if (SADB_CHECKLEN(mhp, SADB_EXT_ADDRESS_SRC) || 4894 SADB_CHECKLEN(mhp, SADB_EXT_ADDRESS_DST) 4895 #ifdef PFKEY_STRICT_CHECKS 4896 || SADB_CHECKLEN(mhp, SADB_EXT_SPIRANGE) 4897 #endif 4898 ) { 4899 ipseclog((LOG_DEBUG, 4900 "%s: invalid message: wrong header size.\n", __func__)); 4901 error = EINVAL; 4902 goto fail; 4903 } 4904 if (SADB_CHECKHDR(mhp, SADB_X_EXT_SA2)) { 4905 mode = IPSEC_MODE_ANY; 4906 reqid = 0; 4907 } else { 4908 if (SADB_CHECKLEN(mhp, SADB_X_EXT_SA2)) { 4909 ipseclog((LOG_DEBUG, 4910 "%s: invalid message: wrong header size.\n", 4911 __func__)); 4912 error = EINVAL; 4913 goto fail; 4914 } 4915 mode = ((struct sadb_x_sa2 *) 4916 mhp->ext[SADB_X_EXT_SA2])->sadb_x_sa2_mode; 4917 reqid = ((struct sadb_x_sa2 *) 4918 mhp->ext[SADB_X_EXT_SA2])->sadb_x_sa2_reqid; 4919 } 4920 4921 src0 = (struct sadb_address *)(mhp->ext[SADB_EXT_ADDRESS_SRC]); 4922 dst0 = (struct sadb_address *)(mhp->ext[SADB_EXT_ADDRESS_DST]); 4923 4924 /* map satype to proto */ 4925 if ((proto = key_satype2proto(mhp->msg->sadb_msg_satype)) == 0) { 4926 ipseclog((LOG_DEBUG, "%s: invalid satype is passed.\n", 4927 __func__)); 4928 error = EINVAL; 4929 goto fail; 4930 } 4931 error = key_checksockaddrs((struct sockaddr *)(src0 + 1), 4932 (struct sockaddr *)(dst0 + 1)); 4933 if (error != 0) { 4934 ipseclog((LOG_DEBUG, "%s: invalid sockaddr.\n", __func__)); 4935 error = EINVAL; 4936 goto fail; 4937 } 4938 KEY_SETSECASIDX(proto, mode, reqid, src0 + 1, dst0 + 1, &saidx); 4939 4940 /* SPI allocation */ 4941 SPI_ALLOC_LOCK(); 4942 spi = key_do_getnewspi( 4943 (struct sadb_spirange *)mhp->ext[SADB_EXT_SPIRANGE], &saidx); 4944 if (spi == 0) { 4945 /* 4946 * Requested SPI or SPI range is not available or 4947 * already used. 4948 */ 4949 SPI_ALLOC_UNLOCK(); 4950 error = EEXIST; 4951 goto fail; 4952 } 4953 sav = key_newsav(mhp, &saidx, spi, &error); 4954 SPI_ALLOC_UNLOCK(); 4955 if (sav == NULL) 4956 goto fail; 4957 4958 if (sav->seq != 0) { 4959 /* 4960 * RFC2367: 4961 * If the SADB_GETSPI message is in response to a 4962 * kernel-generated SADB_ACQUIRE, the sadb_msg_seq 4963 * MUST be the same as the SADB_ACQUIRE message. 4964 * 4965 * XXXAE: However it doesn't definethe behaviour how to 4966 * check this and what to do if it doesn't match. 4967 * Also what we should do if it matches? 4968 * 4969 * We can compare saidx used in SADB_ACQUIRE with saidx 4970 * used in SADB_GETSPI, but this probably can break 4971 * existing software. For now just warn if it doesn't match. 4972 * 4973 * XXXAE: anyway it looks useless. 4974 */ 4975 key_acqdone(&saidx, sav->seq); 4976 } 4977 KEYDBG(KEY_STAMP, 4978 printf("%s: SA(%p)\n", __func__, sav)); 4979 KEYDBG(KEY_DATA, kdebug_secasv(sav)); 4980 4981 { 4982 struct mbuf *n, *nn; 4983 struct sadb_sa *m_sa; 4984 struct sadb_msg *newmsg; 4985 int off, len; 4986 4987 /* create new sadb_msg to reply. */ 4988 len = PFKEY_ALIGN8(sizeof(struct sadb_msg)) + 4989 PFKEY_ALIGN8(sizeof(struct sadb_sa)); 4990 4991 n = key_mget(len); 4992 if (n == NULL) { 4993 error = ENOBUFS; 4994 goto fail; 4995 } 4996 4997 n->m_len = len; 4998 n->m_next = NULL; 4999 off = 0; 5000 5001 m_copydata(m, 0, sizeof(struct sadb_msg), mtod(n, caddr_t) + off); 5002 off += PFKEY_ALIGN8(sizeof(struct sadb_msg)); 5003 5004 m_sa = (struct sadb_sa *)(mtod(n, caddr_t) + off); 5005 m_sa->sadb_sa_len = PFKEY_UNIT64(sizeof(struct sadb_sa)); 5006 m_sa->sadb_sa_exttype = SADB_EXT_SA; 5007 m_sa->sadb_sa_spi = spi; /* SPI is already in network byte order */ 5008 off += PFKEY_ALIGN8(sizeof(struct sadb_sa)); 5009 5010 IPSEC_ASSERT(off == len, 5011 ("length inconsistency (off %u len %u)", off, len)); 5012 5013 n->m_next = key_gather_mbuf(m, mhp, 0, 2, SADB_EXT_ADDRESS_SRC, 5014 SADB_EXT_ADDRESS_DST); 5015 if (!n->m_next) { 5016 m_freem(n); 5017 error = ENOBUFS; 5018 goto fail; 5019 } 5020 5021 if (n->m_len < sizeof(struct sadb_msg)) { 5022 n = m_pullup(n, sizeof(struct sadb_msg)); 5023 if (n == NULL) 5024 return key_sendup_mbuf(so, m, KEY_SENDUP_ONE); 5025 } 5026 5027 n->m_pkthdr.len = 0; 5028 for (nn = n; nn; nn = nn->m_next) 5029 n->m_pkthdr.len += nn->m_len; 5030 5031 newmsg = mtod(n, struct sadb_msg *); 5032 newmsg->sadb_msg_seq = sav->seq; 5033 newmsg->sadb_msg_errno = 0; 5034 newmsg->sadb_msg_len = PFKEY_UNIT64(n->m_pkthdr.len); 5035 5036 m_freem(m); 5037 return key_sendup_mbuf(so, n, KEY_SENDUP_ONE); 5038 } 5039 5040 fail: 5041 return (key_senderror(so, m, error)); 5042 } 5043 5044 /* 5045 * allocating new SPI 5046 * called by key_getspi(). 5047 * OUT: 5048 * 0: failure. 5049 * others: success, SPI in network byte order. 5050 */ 5051 static uint32_t 5052 key_do_getnewspi(struct sadb_spirange *spirange, struct secasindex *saidx) 5053 { 5054 uint32_t min, max, newspi, t; 5055 int tries, limit; 5056 5057 SPI_ALLOC_LOCK_ASSERT(); 5058 5059 /* set spi range to allocate */ 5060 if (spirange != NULL) { 5061 min = spirange->sadb_spirange_min; 5062 max = spirange->sadb_spirange_max; 5063 } else { 5064 min = V_key_spi_minval; 5065 max = V_key_spi_maxval; 5066 } 5067 /* IPCOMP needs 2-byte SPI */ 5068 if (saidx->proto == IPPROTO_IPCOMP) { 5069 if (min >= 0x10000) 5070 min = 0xffff; 5071 if (max >= 0x10000) 5072 max = 0xffff; 5073 if (min > max) { 5074 t = min; min = max; max = t; 5075 } 5076 } 5077 5078 if (min == max) { 5079 if (key_checkspidup(htonl(min))) { 5080 ipseclog((LOG_DEBUG, "%s: SPI %u exists already.\n", 5081 __func__, min)); 5082 return 0; 5083 } 5084 5085 tries = 1; 5086 newspi = min; 5087 } else { 5088 /* init SPI */ 5089 newspi = 0; 5090 5091 limit = atomic_load_int(&V_key_spi_trycnt); 5092 /* when requesting to allocate spi ranged */ 5093 for (tries = 0; tries < limit; tries++) { 5094 /* generate pseudo-random SPI value ranged. */ 5095 newspi = min + (key_random() % (max - min + 1)); 5096 if (!key_checkspidup(htonl(newspi))) 5097 break; 5098 } 5099 5100 if (tries == limit || newspi == 0) { 5101 ipseclog((LOG_DEBUG, 5102 "%s: failed to allocate SPI.\n", __func__)); 5103 return 0; 5104 } 5105 } 5106 5107 /* statistics */ 5108 keystat.getspi_count = 5109 (keystat.getspi_count + tries) / 2; 5110 5111 return (htonl(newspi)); 5112 } 5113 5114 /* 5115 * Find TCP-MD5 SA with corresponding secasindex. 5116 * If not found, return NULL and fill SPI with usable value if needed. 5117 */ 5118 static struct secasvar * 5119 key_getsav_tcpmd5(struct secasindex *saidx, uint32_t *spi) 5120 { 5121 SAHTREE_RLOCK_TRACKER; 5122 struct secashead *sah; 5123 struct secasvar *sav; 5124 5125 IPSEC_ASSERT(saidx->proto == IPPROTO_TCP, ("wrong proto")); 5126 SAHTREE_RLOCK(); 5127 LIST_FOREACH(sah, SAHADDRHASH_HASH(saidx), addrhash) { 5128 if (sah->saidx.proto != IPPROTO_TCP) 5129 continue; 5130 if (!key_sockaddrcmp(&saidx->dst.sa, &sah->saidx.dst.sa, 0) && 5131 !key_sockaddrcmp(&saidx->src.sa, &sah->saidx.src.sa, 0)) 5132 break; 5133 } 5134 if (sah != NULL) { 5135 if (V_key_preferred_oldsa) 5136 sav = TAILQ_LAST(&sah->savtree_alive, secasvar_queue); 5137 else 5138 sav = TAILQ_FIRST(&sah->savtree_alive); 5139 if (sav != NULL) { 5140 SAV_ADDREF(sav); 5141 SAHTREE_RUNLOCK(); 5142 return (sav); 5143 } 5144 } 5145 if (spi == NULL) { 5146 /* No SPI required */ 5147 SAHTREE_RUNLOCK(); 5148 return (NULL); 5149 } 5150 /* Check that SPI is unique */ 5151 LIST_FOREACH(sav, SAVHASH_HASH(*spi), spihash) { 5152 if (sav->spi == *spi) 5153 break; 5154 } 5155 if (sav == NULL) { 5156 SAHTREE_RUNLOCK(); 5157 /* SPI is already unique */ 5158 return (NULL); 5159 } 5160 SAHTREE_RUNLOCK(); 5161 /* XXX: not optimal */ 5162 *spi = key_do_getnewspi(NULL, saidx); 5163 return (NULL); 5164 } 5165 5166 static int 5167 key_updateaddresses(struct socket *so, struct mbuf *m, 5168 const struct sadb_msghdr *mhp, struct secasvar *sav, 5169 struct secasindex *saidx) 5170 { 5171 struct sockaddr *newaddr; 5172 struct secashead *sah; 5173 struct secasvar *newsav, *tmp; 5174 struct mbuf *n; 5175 int error, isnew; 5176 5177 /* Check that we need to change SAH */ 5178 if (!SADB_CHECKHDR(mhp, SADB_X_EXT_NEW_ADDRESS_SRC)) { 5179 newaddr = (struct sockaddr *)( 5180 ((struct sadb_address *) 5181 mhp->ext[SADB_X_EXT_NEW_ADDRESS_SRC]) + 1); 5182 bcopy(newaddr, &saidx->src, newaddr->sa_len); 5183 key_porttosaddr(&saidx->src.sa, 0); 5184 } 5185 if (!SADB_CHECKHDR(mhp, SADB_X_EXT_NEW_ADDRESS_DST)) { 5186 newaddr = (struct sockaddr *)( 5187 ((struct sadb_address *) 5188 mhp->ext[SADB_X_EXT_NEW_ADDRESS_DST]) + 1); 5189 bcopy(newaddr, &saidx->dst, newaddr->sa_len); 5190 key_porttosaddr(&saidx->dst.sa, 0); 5191 } 5192 if (!SADB_CHECKHDR(mhp, SADB_X_EXT_NEW_ADDRESS_SRC) || 5193 !SADB_CHECKHDR(mhp, SADB_X_EXT_NEW_ADDRESS_DST)) { 5194 error = key_checksockaddrs(&saidx->src.sa, &saidx->dst.sa); 5195 if (error != 0) { 5196 ipseclog((LOG_DEBUG, "%s: invalid new sockaddr.\n", 5197 __func__)); 5198 return (error); 5199 } 5200 5201 sah = key_getsah(saidx); 5202 if (sah == NULL) { 5203 /* create a new SA index */ 5204 sah = key_newsah(saidx); 5205 if (sah == NULL) { 5206 ipseclog((LOG_DEBUG, 5207 "%s: No more memory.\n", __func__)); 5208 return (ENOBUFS); 5209 } 5210 isnew = 2; /* SAH is new */ 5211 } else 5212 isnew = 1; /* existing SAH is referenced */ 5213 } else { 5214 /* 5215 * src and dst addresses are still the same. 5216 * Do we want to change NAT-T config? 5217 */ 5218 if (sav->sah->saidx.proto != IPPROTO_ESP || 5219 SADB_CHECKHDR(mhp, SADB_X_EXT_NAT_T_TYPE) || 5220 SADB_CHECKHDR(mhp, SADB_X_EXT_NAT_T_SPORT) || 5221 SADB_CHECKHDR(mhp, SADB_X_EXT_NAT_T_DPORT)) { 5222 ipseclog((LOG_DEBUG, 5223 "%s: invalid message: missing required header.\n", 5224 __func__)); 5225 return (EINVAL); 5226 } 5227 /* We hold reference to SA, thus SAH will be referenced too. */ 5228 sah = sav->sah; 5229 isnew = 0; 5230 } 5231 5232 newsav = malloc(sizeof(struct secasvar), M_IPSEC_SA, 5233 M_NOWAIT | M_ZERO); 5234 if (newsav == NULL) { 5235 ipseclog((LOG_DEBUG, "%s: No more memory.\n", __func__)); 5236 error = ENOBUFS; 5237 goto fail; 5238 } 5239 5240 /* Clone SA's content into newsav */ 5241 SAV_INITREF(newsav); 5242 bcopy(sav, newsav, offsetof(struct secasvar, chain)); 5243 /* 5244 * We create new NAT-T config if it is needed. 5245 * Old NAT-T config will be freed by key_cleansav() when 5246 * last reference to SA will be released. 5247 */ 5248 newsav->natt = NULL; 5249 newsav->sah = sah; 5250 newsav->state = SADB_SASTATE_MATURE; 5251 error = key_setnatt(newsav, mhp); 5252 if (error != 0) 5253 goto fail; 5254 5255 SAHTREE_WLOCK(); 5256 /* Check that SA is still alive */ 5257 if (sav->state == SADB_SASTATE_DEAD) { 5258 /* SA was unlinked */ 5259 SAHTREE_WUNLOCK(); 5260 error = ESRCH; 5261 goto fail; 5262 } 5263 5264 /* Unlink SA from SAH and SPI hash */ 5265 IPSEC_ASSERT((sav->flags & SADB_X_EXT_F_CLONED) == 0, 5266 ("SA is already cloned")); 5267 IPSEC_ASSERT(sav->state == SADB_SASTATE_MATURE || 5268 sav->state == SADB_SASTATE_DYING, 5269 ("Wrong SA state %u\n", sav->state)); 5270 TAILQ_REMOVE(&sav->sah->savtree_alive, sav, chain); 5271 LIST_REMOVE(sav, spihash); 5272 sav->state = SADB_SASTATE_DEAD; 5273 5274 /* 5275 * Link new SA with SAH. Keep SAs ordered by 5276 * create time (newer are first). 5277 */ 5278 TAILQ_FOREACH(tmp, &sah->savtree_alive, chain) { 5279 if (newsav->created > tmp->created) { 5280 TAILQ_INSERT_BEFORE(tmp, newsav, chain); 5281 break; 5282 } 5283 } 5284 if (tmp == NULL) 5285 TAILQ_INSERT_TAIL(&sah->savtree_alive, newsav, chain); 5286 5287 /* Add new SA into SPI hash. */ 5288 LIST_INSERT_HEAD(SAVHASH_HASH(newsav->spi), newsav, spihash); 5289 5290 /* Add new SAH into SADB. */ 5291 if (isnew == 2) { 5292 TAILQ_INSERT_HEAD(&V_sahtree, sah, chain); 5293 LIST_INSERT_HEAD(SAHADDRHASH_HASH(saidx), sah, addrhash); 5294 sah->state = SADB_SASTATE_MATURE; 5295 SAH_ADDREF(sah); /* newsav references new SAH */ 5296 } 5297 /* 5298 * isnew == 1 -> @sah was referenced by key_getsah(). 5299 * isnew == 0 -> we use the same @sah, that was used by @sav, 5300 * and we use its reference for @newsav. 5301 */ 5302 SECASVAR_WLOCK(sav); 5303 /* XXX: replace cntr with pointer? */ 5304 newsav->cntr = sav->cntr; 5305 sav->flags |= SADB_X_EXT_F_CLONED; 5306 SECASVAR_WUNLOCK(sav); 5307 5308 SAHTREE_WUNLOCK(); 5309 5310 KEYDBG(KEY_STAMP, 5311 printf("%s: SA(%p) cloned into SA(%p)\n", 5312 __func__, sav, newsav)); 5313 KEYDBG(KEY_DATA, kdebug_secasv(newsav)); 5314 5315 key_freesav(&sav); /* release last reference */ 5316 5317 /* set msg buf from mhp */ 5318 n = key_getmsgbuf_x1(m, mhp); 5319 if (n == NULL) { 5320 ipseclog((LOG_DEBUG, "%s: No more memory.\n", __func__)); 5321 return (ENOBUFS); 5322 } 5323 m_freem(m); 5324 key_sendup_mbuf(so, n, KEY_SENDUP_ALL); 5325 return (0); 5326 fail: 5327 if (isnew != 0) 5328 key_freesah(&sah); 5329 if (newsav != NULL) { 5330 if (newsav->natt != NULL) 5331 free(newsav->natt, M_IPSEC_MISC); 5332 free(newsav, M_IPSEC_SA); 5333 } 5334 return (error); 5335 } 5336 5337 /* 5338 * SADB_UPDATE processing 5339 * receive 5340 * <base, SA, (SA2), (lifetime(HSC),) address(SD), (address(P),) 5341 * key(AE), (identity(SD),) (sensitivity)> 5342 * from the ikmpd, and update a secasvar entry whose status is SADB_SASTATE_LARVAL. 5343 * and send 5344 * <base, SA, (SA2), (lifetime(HSC),) address(SD), (address(P),) 5345 * (identity(SD),) (sensitivity)> 5346 * to the ikmpd. 5347 * 5348 * m will always be freed. 5349 */ 5350 static int 5351 key_update(struct socket *so, struct mbuf *m, const struct sadb_msghdr *mhp) 5352 { 5353 struct secasindex saidx; 5354 struct sadb_address *src0, *dst0; 5355 struct sadb_sa *sa0; 5356 struct secasvar *sav; 5357 uint32_t reqid; 5358 int error; 5359 uint8_t mode, proto; 5360 5361 IPSEC_ASSERT(so != NULL, ("null socket")); 5362 IPSEC_ASSERT(m != NULL, ("null mbuf")); 5363 IPSEC_ASSERT(mhp != NULL, ("null msghdr")); 5364 IPSEC_ASSERT(mhp->msg != NULL, ("null msg")); 5365 5366 /* map satype to proto */ 5367 if ((proto = key_satype2proto(mhp->msg->sadb_msg_satype)) == 0) { 5368 ipseclog((LOG_DEBUG, "%s: invalid satype is passed.\n", 5369 __func__)); 5370 return key_senderror(so, m, EINVAL); 5371 } 5372 5373 if (SADB_CHECKHDR(mhp, SADB_EXT_SA) || 5374 SADB_CHECKHDR(mhp, SADB_EXT_ADDRESS_SRC) || 5375 SADB_CHECKHDR(mhp, SADB_EXT_ADDRESS_DST) || 5376 (SADB_CHECKHDR(mhp, SADB_EXT_LIFETIME_HARD) && 5377 !SADB_CHECKHDR(mhp, SADB_EXT_LIFETIME_SOFT)) || 5378 (SADB_CHECKHDR(mhp, SADB_EXT_LIFETIME_SOFT) && 5379 !SADB_CHECKHDR(mhp, SADB_EXT_LIFETIME_HARD))) { 5380 ipseclog((LOG_DEBUG, 5381 "%s: invalid message: missing required header.\n", 5382 __func__)); 5383 return key_senderror(so, m, EINVAL); 5384 } 5385 if (SADB_CHECKLEN(mhp, SADB_EXT_SA) || 5386 SADB_CHECKLEN(mhp, SADB_EXT_ADDRESS_SRC) || 5387 SADB_CHECKLEN(mhp, SADB_EXT_ADDRESS_DST)) { 5388 ipseclog((LOG_DEBUG, 5389 "%s: invalid message: wrong header size.\n", __func__)); 5390 return key_senderror(so, m, EINVAL); 5391 } 5392 if (SADB_CHECKHDR(mhp, SADB_X_EXT_SA2)) { 5393 mode = IPSEC_MODE_ANY; 5394 reqid = 0; 5395 } else { 5396 if (SADB_CHECKLEN(mhp, SADB_X_EXT_SA2)) { 5397 ipseclog((LOG_DEBUG, 5398 "%s: invalid message: wrong header size.\n", 5399 __func__)); 5400 return key_senderror(so, m, EINVAL); 5401 } 5402 mode = ((struct sadb_x_sa2 *) 5403 mhp->ext[SADB_X_EXT_SA2])->sadb_x_sa2_mode; 5404 reqid = ((struct sadb_x_sa2 *) 5405 mhp->ext[SADB_X_EXT_SA2])->sadb_x_sa2_reqid; 5406 } 5407 5408 sa0 = (struct sadb_sa *)mhp->ext[SADB_EXT_SA]; 5409 src0 = (struct sadb_address *)(mhp->ext[SADB_EXT_ADDRESS_SRC]); 5410 dst0 = (struct sadb_address *)(mhp->ext[SADB_EXT_ADDRESS_DST]); 5411 5412 /* 5413 * Only SADB_SASTATE_MATURE SAs may be submitted in an 5414 * SADB_UPDATE message. 5415 */ 5416 if (sa0->sadb_sa_state != SADB_SASTATE_MATURE) { 5417 ipseclog((LOG_DEBUG, "%s: invalid state.\n", __func__)); 5418 #ifdef PFKEY_STRICT_CHECKS 5419 return key_senderror(so, m, EINVAL); 5420 #endif 5421 } 5422 error = key_checksockaddrs((struct sockaddr *)(src0 + 1), 5423 (struct sockaddr *)(dst0 + 1)); 5424 if (error != 0) { 5425 ipseclog((LOG_DEBUG, "%s: invalid sockaddr.\n", __func__)); 5426 return key_senderror(so, m, error); 5427 } 5428 KEY_SETSECASIDX(proto, mode, reqid, src0 + 1, dst0 + 1, &saidx); 5429 sav = key_getsavbyspi(sa0->sadb_sa_spi); 5430 if (sav == NULL) { 5431 ipseclog((LOG_DEBUG, "%s: no SA found for SPI %u\n", 5432 __func__, ntohl(sa0->sadb_sa_spi))); 5433 return key_senderror(so, m, EINVAL); 5434 } 5435 /* 5436 * Check that SADB_UPDATE issued by the same process that did 5437 * SADB_GETSPI or SADB_ADD. 5438 */ 5439 if (sav->pid != mhp->msg->sadb_msg_pid) { 5440 ipseclog((LOG_DEBUG, 5441 "%s: pid mismatched (SPI %u, pid %u vs. %u)\n", __func__, 5442 ntohl(sav->spi), sav->pid, mhp->msg->sadb_msg_pid)); 5443 key_freesav(&sav); 5444 return key_senderror(so, m, EINVAL); 5445 } 5446 /* saidx should match with SA. */ 5447 if (key_cmpsaidx(&sav->sah->saidx, &saidx, CMP_MODE_REQID) == 0) { 5448 ipseclog((LOG_DEBUG, "%s: saidx mismatched for SPI %u\n", 5449 __func__, ntohl(sav->spi))); 5450 key_freesav(&sav); 5451 return key_senderror(so, m, ESRCH); 5452 } 5453 5454 if (sav->state == SADB_SASTATE_LARVAL) { 5455 if ((mhp->msg->sadb_msg_satype == SADB_SATYPE_ESP && 5456 SADB_CHECKHDR(mhp, SADB_EXT_KEY_ENCRYPT)) || 5457 (mhp->msg->sadb_msg_satype == SADB_SATYPE_AH && 5458 SADB_CHECKHDR(mhp, SADB_EXT_KEY_AUTH))) { 5459 ipseclog((LOG_DEBUG, 5460 "%s: invalid message: missing required header.\n", 5461 __func__)); 5462 key_freesav(&sav); 5463 return key_senderror(so, m, EINVAL); 5464 } 5465 /* 5466 * We can set any values except src, dst and SPI. 5467 */ 5468 error = key_setsaval(sav, mhp); 5469 if (error != 0) { 5470 key_freesav(&sav); 5471 return (key_senderror(so, m, error)); 5472 } 5473 /* Change SA state to MATURE */ 5474 SAHTREE_WLOCK(); 5475 if (sav->state != SADB_SASTATE_LARVAL) { 5476 /* SA was deleted or another thread made it MATURE. */ 5477 SAHTREE_WUNLOCK(); 5478 key_freesav(&sav); 5479 return (key_senderror(so, m, ESRCH)); 5480 } 5481 /* 5482 * NOTE: we keep SAs in savtree_alive ordered by created 5483 * time. When SA's state changed from LARVAL to MATURE, 5484 * we update its created time in key_setsaval() and move 5485 * it into head of savtree_alive. 5486 */ 5487 TAILQ_REMOVE(&sav->sah->savtree_larval, sav, chain); 5488 TAILQ_INSERT_HEAD(&sav->sah->savtree_alive, sav, chain); 5489 sav->state = SADB_SASTATE_MATURE; 5490 SAHTREE_WUNLOCK(); 5491 } else { 5492 /* 5493 * For DYING and MATURE SA we can change only state 5494 * and lifetimes. Report EINVAL if something else attempted 5495 * to change. 5496 */ 5497 if (!SADB_CHECKHDR(mhp, SADB_EXT_KEY_ENCRYPT) || 5498 !SADB_CHECKHDR(mhp, SADB_EXT_KEY_AUTH)) { 5499 key_freesav(&sav); 5500 return (key_senderror(so, m, EINVAL)); 5501 } 5502 error = key_updatelifetimes(sav, mhp); 5503 if (error != 0) { 5504 key_freesav(&sav); 5505 return (key_senderror(so, m, error)); 5506 } 5507 /* 5508 * This is FreeBSD extension to RFC2367. 5509 * IKEd can specify SADB_X_EXT_NEW_ADDRESS_SRC and/or 5510 * SADB_X_EXT_NEW_ADDRESS_DST when it wants to change 5511 * SA addresses (for example to implement MOBIKE protocol 5512 * as described in RFC4555). Also we allow to change 5513 * NAT-T config. 5514 */ 5515 if (!SADB_CHECKHDR(mhp, SADB_X_EXT_NEW_ADDRESS_SRC) || 5516 !SADB_CHECKHDR(mhp, SADB_X_EXT_NEW_ADDRESS_DST) || 5517 !SADB_CHECKHDR(mhp, SADB_X_EXT_NAT_T_TYPE) || 5518 sav->natt != NULL) { 5519 error = key_updateaddresses(so, m, mhp, sav, &saidx); 5520 key_freesav(&sav); 5521 if (error != 0) 5522 return (key_senderror(so, m, error)); 5523 return (0); 5524 } 5525 /* Check that SA is still alive */ 5526 SAHTREE_WLOCK(); 5527 if (sav->state == SADB_SASTATE_DEAD) { 5528 /* SA was unlinked */ 5529 SAHTREE_WUNLOCK(); 5530 key_freesav(&sav); 5531 return (key_senderror(so, m, ESRCH)); 5532 } 5533 /* 5534 * NOTE: there is possible state moving from DYING to MATURE, 5535 * but this doesn't change created time, so we won't reorder 5536 * this SA. 5537 */ 5538 sav->state = SADB_SASTATE_MATURE; 5539 SAHTREE_WUNLOCK(); 5540 } 5541 KEYDBG(KEY_STAMP, 5542 printf("%s: SA(%p)\n", __func__, sav)); 5543 KEYDBG(KEY_DATA, kdebug_secasv(sav)); 5544 key_freesav(&sav); 5545 5546 { 5547 struct mbuf *n; 5548 5549 /* set msg buf from mhp */ 5550 n = key_getmsgbuf_x1(m, mhp); 5551 if (n == NULL) { 5552 ipseclog((LOG_DEBUG, "%s: No more memory.\n", __func__)); 5553 return key_senderror(so, m, ENOBUFS); 5554 } 5555 5556 m_freem(m); 5557 return key_sendup_mbuf(so, n, KEY_SENDUP_ALL); 5558 } 5559 } 5560 5561 /* 5562 * SADB_ADD processing 5563 * add an entry to SA database, when received 5564 * <base, SA, (SA2), (lifetime(HSC),) address(SD), (address(P),) 5565 * key(AE), (identity(SD),) (sensitivity)> 5566 * from the ikmpd, 5567 * and send 5568 * <base, SA, (SA2), (lifetime(HSC),) address(SD), (address(P),) 5569 * (identity(SD),) (sensitivity)> 5570 * to the ikmpd. 5571 * 5572 * IGNORE identity and sensitivity messages. 5573 * 5574 * m will always be freed. 5575 */ 5576 static int 5577 key_add(struct socket *so, struct mbuf *m, const struct sadb_msghdr *mhp) 5578 { 5579 struct secasindex saidx; 5580 struct sadb_address *src0, *dst0; 5581 struct sadb_sa *sa0; 5582 struct secasvar *sav; 5583 uint32_t reqid, spi; 5584 uint8_t mode, proto; 5585 int error; 5586 5587 IPSEC_ASSERT(so != NULL, ("null socket")); 5588 IPSEC_ASSERT(m != NULL, ("null mbuf")); 5589 IPSEC_ASSERT(mhp != NULL, ("null msghdr")); 5590 IPSEC_ASSERT(mhp->msg != NULL, ("null msg")); 5591 5592 /* map satype to proto */ 5593 if ((proto = key_satype2proto(mhp->msg->sadb_msg_satype)) == 0) { 5594 ipseclog((LOG_DEBUG, "%s: invalid satype is passed.\n", 5595 __func__)); 5596 return key_senderror(so, m, EINVAL); 5597 } 5598 5599 if (SADB_CHECKHDR(mhp, SADB_EXT_SA) || 5600 SADB_CHECKHDR(mhp, SADB_EXT_ADDRESS_SRC) || 5601 SADB_CHECKHDR(mhp, SADB_EXT_ADDRESS_DST) || 5602 (mhp->msg->sadb_msg_satype == SADB_SATYPE_ESP && ( 5603 SADB_CHECKHDR(mhp, SADB_EXT_KEY_ENCRYPT) || 5604 SADB_CHECKLEN(mhp, SADB_EXT_KEY_ENCRYPT))) || 5605 (mhp->msg->sadb_msg_satype == SADB_SATYPE_AH && ( 5606 SADB_CHECKHDR(mhp, SADB_EXT_KEY_AUTH) || 5607 SADB_CHECKLEN(mhp, SADB_EXT_KEY_AUTH))) || 5608 (SADB_CHECKHDR(mhp, SADB_EXT_LIFETIME_HARD) && 5609 !SADB_CHECKHDR(mhp, SADB_EXT_LIFETIME_SOFT)) || 5610 (SADB_CHECKHDR(mhp, SADB_EXT_LIFETIME_SOFT) && 5611 !SADB_CHECKHDR(mhp, SADB_EXT_LIFETIME_HARD))) { 5612 ipseclog((LOG_DEBUG, 5613 "%s: invalid message: missing required header.\n", 5614 __func__)); 5615 return key_senderror(so, m, EINVAL); 5616 } 5617 if (SADB_CHECKLEN(mhp, SADB_EXT_SA) || 5618 SADB_CHECKLEN(mhp, SADB_EXT_ADDRESS_SRC) || 5619 SADB_CHECKLEN(mhp, SADB_EXT_ADDRESS_DST)) { 5620 ipseclog((LOG_DEBUG, 5621 "%s: invalid message: wrong header size.\n", __func__)); 5622 return key_senderror(so, m, EINVAL); 5623 } 5624 if (SADB_CHECKHDR(mhp, SADB_X_EXT_SA2)) { 5625 mode = IPSEC_MODE_ANY; 5626 reqid = 0; 5627 } else { 5628 if (SADB_CHECKLEN(mhp, SADB_X_EXT_SA2)) { 5629 ipseclog((LOG_DEBUG, 5630 "%s: invalid message: wrong header size.\n", 5631 __func__)); 5632 return key_senderror(so, m, EINVAL); 5633 } 5634 mode = ((struct sadb_x_sa2 *) 5635 mhp->ext[SADB_X_EXT_SA2])->sadb_x_sa2_mode; 5636 reqid = ((struct sadb_x_sa2 *) 5637 mhp->ext[SADB_X_EXT_SA2])->sadb_x_sa2_reqid; 5638 } 5639 5640 sa0 = (struct sadb_sa *)mhp->ext[SADB_EXT_SA]; 5641 src0 = (struct sadb_address *)mhp->ext[SADB_EXT_ADDRESS_SRC]; 5642 dst0 = (struct sadb_address *)mhp->ext[SADB_EXT_ADDRESS_DST]; 5643 5644 /* 5645 * Only SADB_SASTATE_MATURE SAs may be submitted in an 5646 * SADB_ADD message. 5647 */ 5648 if (sa0->sadb_sa_state != SADB_SASTATE_MATURE) { 5649 ipseclog((LOG_DEBUG, "%s: invalid state.\n", __func__)); 5650 #ifdef PFKEY_STRICT_CHECKS 5651 return key_senderror(so, m, EINVAL); 5652 #endif 5653 } 5654 error = key_checksockaddrs((struct sockaddr *)(src0 + 1), 5655 (struct sockaddr *)(dst0 + 1)); 5656 if (error != 0) { 5657 ipseclog((LOG_DEBUG, "%s: invalid sockaddr.\n", __func__)); 5658 return key_senderror(so, m, error); 5659 } 5660 KEY_SETSECASIDX(proto, mode, reqid, src0 + 1, dst0 + 1, &saidx); 5661 spi = sa0->sadb_sa_spi; 5662 /* 5663 * For TCP-MD5 SAs we don't use SPI. Check the uniqueness using 5664 * secasindex. 5665 * XXXAE: IPComp seems also doesn't use SPI. 5666 */ 5667 SPI_ALLOC_LOCK(); 5668 if (proto == IPPROTO_TCP) { 5669 sav = key_getsav_tcpmd5(&saidx, &spi); 5670 if (sav == NULL && spi == 0) { 5671 SPI_ALLOC_UNLOCK(); 5672 /* Failed to allocate SPI */ 5673 ipseclog((LOG_DEBUG, "%s: SA already exists.\n", 5674 __func__)); 5675 return key_senderror(so, m, EEXIST); 5676 } 5677 /* XXX: SPI that we report back can have another value */ 5678 } else { 5679 /* We can create new SA only if SPI is different. */ 5680 sav = key_getsavbyspi(spi); 5681 } 5682 if (sav != NULL) { 5683 SPI_ALLOC_UNLOCK(); 5684 key_freesav(&sav); 5685 ipseclog((LOG_DEBUG, "%s: SA already exists.\n", __func__)); 5686 return key_senderror(so, m, EEXIST); 5687 } 5688 5689 sav = key_newsav(mhp, &saidx, spi, &error); 5690 SPI_ALLOC_UNLOCK(); 5691 if (sav == NULL) 5692 return key_senderror(so, m, error); 5693 KEYDBG(KEY_STAMP, 5694 printf("%s: return SA(%p)\n", __func__, sav)); 5695 KEYDBG(KEY_DATA, kdebug_secasv(sav)); 5696 /* 5697 * If SADB_ADD was in response to SADB_ACQUIRE, we need to schedule 5698 * ACQ for deletion. 5699 */ 5700 if (sav->seq != 0) 5701 key_acqdone(&saidx, sav->seq); 5702 5703 { 5704 /* 5705 * Don't call key_freesav() on error here, as we would like to 5706 * keep the SA in the database. 5707 */ 5708 struct mbuf *n; 5709 5710 /* set msg buf from mhp */ 5711 n = key_getmsgbuf_x1(m, mhp); 5712 if (n == NULL) { 5713 ipseclog((LOG_DEBUG, "%s: No more memory.\n", __func__)); 5714 return key_senderror(so, m, ENOBUFS); 5715 } 5716 5717 m_freem(m); 5718 return key_sendup_mbuf(so, n, KEY_SENDUP_ALL); 5719 } 5720 } 5721 5722 /* 5723 * NAT-T support. 5724 * IKEd may request the use ESP in UDP encapsulation when it detects the 5725 * presence of NAT. It uses NAT-T extension headers for such SAs to specify 5726 * parameters needed for encapsulation and decapsulation. These PF_KEY 5727 * extension headers are not standardized, so this comment addresses our 5728 * implementation. 5729 * SADB_X_EXT_NAT_T_TYPE specifies type of encapsulation, we support only 5730 * UDP_ENCAP_ESPINUDP as described in RFC3948. 5731 * SADB_X_EXT_NAT_T_SPORT/DPORT specifies source and destination ports for 5732 * UDP header. We use these ports in UDP encapsulation procedure, also we 5733 * can check them in UDP decapsulation procedure. 5734 * SADB_X_EXT_NAT_T_OA[IR] specifies original address of initiator or 5735 * responder. These addresses can be used for transport mode to adjust 5736 * checksum after decapsulation and decryption. Since original IP addresses 5737 * used by peer usually different (we detected presence of NAT), TCP/UDP 5738 * pseudo header checksum and IP header checksum was calculated using original 5739 * addresses. After decapsulation and decryption we need to adjust checksum 5740 * to have correct datagram. 5741 * 5742 * We expect presence of NAT-T extension headers only in SADB_ADD and 5743 * SADB_UPDATE messages. We report NAT-T extension headers in replies 5744 * to SADB_ADD, SADB_UPDATE, SADB_GET, and SADB_DUMP messages. 5745 */ 5746 static int 5747 key_setnatt(struct secasvar *sav, const struct sadb_msghdr *mhp) 5748 { 5749 struct sadb_x_nat_t_port *port; 5750 struct sadb_x_nat_t_type *type; 5751 struct sadb_address *oai, *oar; 5752 struct sockaddr *sa; 5753 uint32_t addr; 5754 uint16_t cksum; 5755 int i; 5756 5757 IPSEC_ASSERT(sav->natt == NULL, ("natt is already initialized")); 5758 /* 5759 * Ignore NAT-T headers if sproto isn't ESP. 5760 */ 5761 if (sav->sah->saidx.proto != IPPROTO_ESP) 5762 return (0); 5763 5764 if (!SADB_CHECKHDR(mhp, SADB_X_EXT_NAT_T_TYPE) && 5765 !SADB_CHECKHDR(mhp, SADB_X_EXT_NAT_T_SPORT) && 5766 !SADB_CHECKHDR(mhp, SADB_X_EXT_NAT_T_DPORT)) { 5767 if (SADB_CHECKLEN(mhp, SADB_X_EXT_NAT_T_TYPE) || 5768 SADB_CHECKLEN(mhp, SADB_X_EXT_NAT_T_SPORT) || 5769 SADB_CHECKLEN(mhp, SADB_X_EXT_NAT_T_DPORT)) { 5770 ipseclog((LOG_DEBUG, 5771 "%s: invalid message: wrong header size.\n", 5772 __func__)); 5773 return (EINVAL); 5774 } 5775 } else 5776 return (0); 5777 5778 type = (struct sadb_x_nat_t_type *)mhp->ext[SADB_X_EXT_NAT_T_TYPE]; 5779 if (type->sadb_x_nat_t_type_type != UDP_ENCAP_ESPINUDP) { 5780 ipseclog((LOG_DEBUG, "%s: unsupported NAT-T type %u.\n", 5781 __func__, type->sadb_x_nat_t_type_type)); 5782 return (EINVAL); 5783 } 5784 /* 5785 * Allocate storage for NAT-T config. 5786 * On error it will be released by key_cleansav(). 5787 */ 5788 sav->natt = malloc(sizeof(struct secnatt), M_IPSEC_MISC, 5789 M_NOWAIT | M_ZERO); 5790 if (sav->natt == NULL) { 5791 PFKEYSTAT_INC(in_nomem); 5792 ipseclog((LOG_DEBUG, "%s: No more memory.\n", __func__)); 5793 return (ENOBUFS); 5794 } 5795 port = (struct sadb_x_nat_t_port *)mhp->ext[SADB_X_EXT_NAT_T_SPORT]; 5796 if (port->sadb_x_nat_t_port_port == 0) { 5797 ipseclog((LOG_DEBUG, "%s: invalid NAT-T sport specified.\n", 5798 __func__)); 5799 return (EINVAL); 5800 } 5801 sav->natt->sport = port->sadb_x_nat_t_port_port; 5802 port = (struct sadb_x_nat_t_port *)mhp->ext[SADB_X_EXT_NAT_T_DPORT]; 5803 if (port->sadb_x_nat_t_port_port == 0) { 5804 ipseclog((LOG_DEBUG, "%s: invalid NAT-T dport specified.\n", 5805 __func__)); 5806 return (EINVAL); 5807 } 5808 sav->natt->dport = port->sadb_x_nat_t_port_port; 5809 5810 /* 5811 * SADB_X_EXT_NAT_T_OAI and SADB_X_EXT_NAT_T_OAR are optional 5812 * and needed only for transport mode IPsec. 5813 * Usually NAT translates only one address, but it is possible, 5814 * that both addresses could be translated. 5815 * NOTE: Value of SADB_X_EXT_NAT_T_OAI is equal to SADB_X_EXT_NAT_T_OA. 5816 */ 5817 if (!SADB_CHECKHDR(mhp, SADB_X_EXT_NAT_T_OAI)) { 5818 if (SADB_CHECKLEN(mhp, SADB_X_EXT_NAT_T_OAI)) { 5819 ipseclog((LOG_DEBUG, 5820 "%s: invalid message: wrong header size.\n", 5821 __func__)); 5822 return (EINVAL); 5823 } 5824 oai = (struct sadb_address *)mhp->ext[SADB_X_EXT_NAT_T_OAI]; 5825 } else 5826 oai = NULL; 5827 if (!SADB_CHECKHDR(mhp, SADB_X_EXT_NAT_T_OAR)) { 5828 if (SADB_CHECKLEN(mhp, SADB_X_EXT_NAT_T_OAR)) { 5829 ipseclog((LOG_DEBUG, 5830 "%s: invalid message: wrong header size.\n", 5831 __func__)); 5832 return (EINVAL); 5833 } 5834 oar = (struct sadb_address *)mhp->ext[SADB_X_EXT_NAT_T_OAR]; 5835 } else 5836 oar = NULL; 5837 5838 /* Initialize addresses only for transport mode */ 5839 if (sav->sah->saidx.mode != IPSEC_MODE_TUNNEL) { 5840 cksum = 0; 5841 if (oai != NULL) { 5842 sa = (struct sockaddr *)(oai + 1); 5843 switch (sa->sa_family) { 5844 #ifdef AF_INET 5845 case AF_INET: 5846 if (sa->sa_len != sizeof(struct sockaddr_in)) { 5847 ipseclog((LOG_DEBUG, 5848 "%s: wrong NAT-OAi header.\n", 5849 __func__)); 5850 return (EINVAL); 5851 } 5852 /* Ignore address if it the same */ 5853 if (((struct sockaddr_in *)sa)->sin_addr.s_addr != 5854 sav->sah->saidx.src.sin.sin_addr.s_addr) { 5855 bcopy(sa, &sav->natt->oai.sa, sa->sa_len); 5856 sav->natt->flags |= IPSEC_NATT_F_OAI; 5857 /* Calculate checksum delta */ 5858 addr = sav->sah->saidx.src.sin.sin_addr.s_addr; 5859 cksum = in_addword(cksum, ~addr >> 16); 5860 cksum = in_addword(cksum, ~addr & 0xffff); 5861 addr = sav->natt->oai.sin.sin_addr.s_addr; 5862 cksum = in_addword(cksum, addr >> 16); 5863 cksum = in_addword(cksum, addr & 0xffff); 5864 } 5865 break; 5866 #endif 5867 #ifdef AF_INET6 5868 case AF_INET6: 5869 if (sa->sa_len != sizeof(struct sockaddr_in6)) { 5870 ipseclog((LOG_DEBUG, 5871 "%s: wrong NAT-OAi header.\n", 5872 __func__)); 5873 return (EINVAL); 5874 } 5875 /* Ignore address if it the same */ 5876 if (memcmp(&((struct sockaddr_in6 *)sa)->sin6_addr.s6_addr, 5877 &sav->sah->saidx.src.sin6.sin6_addr.s6_addr, 5878 sizeof(struct in6_addr)) != 0) { 5879 bcopy(sa, &sav->natt->oai.sa, sa->sa_len); 5880 sav->natt->flags |= IPSEC_NATT_F_OAI; 5881 /* Calculate checksum delta */ 5882 for (i = 0; i < 8; i++) { 5883 cksum = in_addword(cksum, 5884 ~sav->sah->saidx.src.sin6.sin6_addr.s6_addr16[i]); 5885 cksum = in_addword(cksum, 5886 sav->natt->oai.sin6.sin6_addr.s6_addr16[i]); 5887 } 5888 } 5889 break; 5890 #endif 5891 default: 5892 ipseclog((LOG_DEBUG, 5893 "%s: wrong NAT-OAi header.\n", 5894 __func__)); 5895 return (EINVAL); 5896 } 5897 } 5898 if (oar != NULL) { 5899 sa = (struct sockaddr *)(oar + 1); 5900 switch (sa->sa_family) { 5901 #ifdef AF_INET 5902 case AF_INET: 5903 if (sa->sa_len != sizeof(struct sockaddr_in)) { 5904 ipseclog((LOG_DEBUG, 5905 "%s: wrong NAT-OAr header.\n", 5906 __func__)); 5907 return (EINVAL); 5908 } 5909 /* Ignore address if it the same */ 5910 if (((struct sockaddr_in *)sa)->sin_addr.s_addr != 5911 sav->sah->saidx.dst.sin.sin_addr.s_addr) { 5912 bcopy(sa, &sav->natt->oar.sa, sa->sa_len); 5913 sav->natt->flags |= IPSEC_NATT_F_OAR; 5914 /* Calculate checksum delta */ 5915 addr = sav->sah->saidx.dst.sin.sin_addr.s_addr; 5916 cksum = in_addword(cksum, ~addr >> 16); 5917 cksum = in_addword(cksum, ~addr & 0xffff); 5918 addr = sav->natt->oar.sin.sin_addr.s_addr; 5919 cksum = in_addword(cksum, addr >> 16); 5920 cksum = in_addword(cksum, addr & 0xffff); 5921 } 5922 break; 5923 #endif 5924 #ifdef AF_INET6 5925 case AF_INET6: 5926 if (sa->sa_len != sizeof(struct sockaddr_in6)) { 5927 ipseclog((LOG_DEBUG, 5928 "%s: wrong NAT-OAr header.\n", 5929 __func__)); 5930 return (EINVAL); 5931 } 5932 /* Ignore address if it the same */ 5933 if (memcmp(&((struct sockaddr_in6 *)sa)->sin6_addr.s6_addr, 5934 &sav->sah->saidx.dst.sin6.sin6_addr.s6_addr, 16) != 0) { 5935 bcopy(sa, &sav->natt->oar.sa, sa->sa_len); 5936 sav->natt->flags |= IPSEC_NATT_F_OAR; 5937 /* Calculate checksum delta */ 5938 for (i = 0; i < 8; i++) { 5939 cksum = in_addword(cksum, 5940 ~sav->sah->saidx.dst.sin6.sin6_addr.s6_addr16[i]); 5941 cksum = in_addword(cksum, 5942 sav->natt->oar.sin6.sin6_addr.s6_addr16[i]); 5943 } 5944 } 5945 break; 5946 #endif 5947 default: 5948 ipseclog((LOG_DEBUG, 5949 "%s: wrong NAT-OAr header.\n", 5950 __func__)); 5951 return (EINVAL); 5952 } 5953 } 5954 sav->natt->cksum = cksum; 5955 } 5956 return (0); 5957 } 5958 5959 static int 5960 key_setident(struct secashead *sah, const struct sadb_msghdr *mhp) 5961 { 5962 const struct sadb_ident *idsrc, *iddst; 5963 5964 IPSEC_ASSERT(sah != NULL, ("null secashead")); 5965 IPSEC_ASSERT(mhp != NULL, ("null msghdr")); 5966 IPSEC_ASSERT(mhp->msg != NULL, ("null msg")); 5967 5968 /* don't make buffer if not there */ 5969 if (SADB_CHECKHDR(mhp, SADB_EXT_IDENTITY_SRC) && 5970 SADB_CHECKHDR(mhp, SADB_EXT_IDENTITY_DST)) { 5971 sah->idents = NULL; 5972 sah->identd = NULL; 5973 return (0); 5974 } 5975 5976 if (SADB_CHECKHDR(mhp, SADB_EXT_IDENTITY_SRC) || 5977 SADB_CHECKHDR(mhp, SADB_EXT_IDENTITY_DST)) { 5978 ipseclog((LOG_DEBUG, "%s: invalid identity.\n", __func__)); 5979 return (EINVAL); 5980 } 5981 5982 idsrc = (const struct sadb_ident *)mhp->ext[SADB_EXT_IDENTITY_SRC]; 5983 iddst = (const struct sadb_ident *)mhp->ext[SADB_EXT_IDENTITY_DST]; 5984 5985 /* validity check */ 5986 if (idsrc->sadb_ident_type != iddst->sadb_ident_type) { 5987 ipseclog((LOG_DEBUG, "%s: ident type mismatch.\n", __func__)); 5988 return EINVAL; 5989 } 5990 5991 switch (idsrc->sadb_ident_type) { 5992 case SADB_IDENTTYPE_PREFIX: 5993 case SADB_IDENTTYPE_FQDN: 5994 case SADB_IDENTTYPE_USERFQDN: 5995 default: 5996 /* XXX do nothing */ 5997 sah->idents = NULL; 5998 sah->identd = NULL; 5999 return 0; 6000 } 6001 6002 /* make structure */ 6003 sah->idents = malloc(sizeof(struct secident), M_IPSEC_MISC, M_NOWAIT); 6004 if (sah->idents == NULL) { 6005 ipseclog((LOG_DEBUG, "%s: No more memory.\n", __func__)); 6006 return ENOBUFS; 6007 } 6008 sah->identd = malloc(sizeof(struct secident), M_IPSEC_MISC, M_NOWAIT); 6009 if (sah->identd == NULL) { 6010 free(sah->idents, M_IPSEC_MISC); 6011 sah->idents = NULL; 6012 ipseclog((LOG_DEBUG, "%s: No more memory.\n", __func__)); 6013 return ENOBUFS; 6014 } 6015 sah->idents->type = idsrc->sadb_ident_type; 6016 sah->idents->id = idsrc->sadb_ident_id; 6017 6018 sah->identd->type = iddst->sadb_ident_type; 6019 sah->identd->id = iddst->sadb_ident_id; 6020 6021 return 0; 6022 } 6023 6024 /* 6025 * m will not be freed on return. 6026 * it is caller's responsibility to free the result. 6027 * 6028 * Called from SADB_ADD and SADB_UPDATE. Reply will contain headers 6029 * from the request in defined order. 6030 */ 6031 static struct mbuf * 6032 key_getmsgbuf_x1(struct mbuf *m, const struct sadb_msghdr *mhp) 6033 { 6034 struct mbuf *n; 6035 6036 IPSEC_ASSERT(m != NULL, ("null mbuf")); 6037 IPSEC_ASSERT(mhp != NULL, ("null msghdr")); 6038 IPSEC_ASSERT(mhp->msg != NULL, ("null msg")); 6039 6040 /* create new sadb_msg to reply. */ 6041 n = key_gather_mbuf(m, mhp, 1, 16, SADB_EXT_RESERVED, 6042 SADB_EXT_SA, SADB_X_EXT_SA2, 6043 SADB_EXT_ADDRESS_SRC, SADB_EXT_ADDRESS_DST, 6044 SADB_EXT_LIFETIME_HARD, SADB_EXT_LIFETIME_SOFT, 6045 SADB_EXT_IDENTITY_SRC, SADB_EXT_IDENTITY_DST, 6046 SADB_X_EXT_NAT_T_TYPE, SADB_X_EXT_NAT_T_SPORT, 6047 SADB_X_EXT_NAT_T_DPORT, SADB_X_EXT_NAT_T_OAI, 6048 SADB_X_EXT_NAT_T_OAR, SADB_X_EXT_NEW_ADDRESS_SRC, 6049 SADB_X_EXT_NEW_ADDRESS_DST); 6050 if (!n) 6051 return NULL; 6052 6053 if (n->m_len < sizeof(struct sadb_msg)) { 6054 n = m_pullup(n, sizeof(struct sadb_msg)); 6055 if (n == NULL) 6056 return NULL; 6057 } 6058 mtod(n, struct sadb_msg *)->sadb_msg_errno = 0; 6059 mtod(n, struct sadb_msg *)->sadb_msg_len = 6060 PFKEY_UNIT64(n->m_pkthdr.len); 6061 6062 return n; 6063 } 6064 6065 /* 6066 * SADB_DELETE processing 6067 * receive 6068 * <base, SA(*), address(SD)> 6069 * from the ikmpd, and set SADB_SASTATE_DEAD, 6070 * and send, 6071 * <base, SA(*), address(SD)> 6072 * to the ikmpd. 6073 * 6074 * m will always be freed. 6075 */ 6076 static int 6077 key_delete(struct socket *so, struct mbuf *m, const struct sadb_msghdr *mhp) 6078 { 6079 struct secasindex saidx; 6080 struct sadb_address *src0, *dst0; 6081 struct secasvar *sav; 6082 struct sadb_sa *sa0; 6083 uint8_t proto; 6084 6085 IPSEC_ASSERT(so != NULL, ("null socket")); 6086 IPSEC_ASSERT(m != NULL, ("null mbuf")); 6087 IPSEC_ASSERT(mhp != NULL, ("null msghdr")); 6088 IPSEC_ASSERT(mhp->msg != NULL, ("null msg")); 6089 6090 /* map satype to proto */ 6091 if ((proto = key_satype2proto(mhp->msg->sadb_msg_satype)) == 0) { 6092 ipseclog((LOG_DEBUG, "%s: invalid satype is passed.\n", 6093 __func__)); 6094 return key_senderror(so, m, EINVAL); 6095 } 6096 6097 if (SADB_CHECKHDR(mhp, SADB_EXT_ADDRESS_SRC) || 6098 SADB_CHECKHDR(mhp, SADB_EXT_ADDRESS_DST) || 6099 SADB_CHECKLEN(mhp, SADB_EXT_ADDRESS_SRC) || 6100 SADB_CHECKLEN(mhp, SADB_EXT_ADDRESS_DST)) { 6101 ipseclog((LOG_DEBUG, "%s: invalid message is passed.\n", 6102 __func__)); 6103 return key_senderror(so, m, EINVAL); 6104 } 6105 6106 src0 = (struct sadb_address *)(mhp->ext[SADB_EXT_ADDRESS_SRC]); 6107 dst0 = (struct sadb_address *)(mhp->ext[SADB_EXT_ADDRESS_DST]); 6108 6109 if (key_checksockaddrs((struct sockaddr *)(src0 + 1), 6110 (struct sockaddr *)(dst0 + 1)) != 0) { 6111 ipseclog((LOG_DEBUG, "%s: invalid sockaddr.\n", __func__)); 6112 return (key_senderror(so, m, EINVAL)); 6113 } 6114 KEY_SETSECASIDX(proto, IPSEC_MODE_ANY, 0, src0 + 1, dst0 + 1, &saidx); 6115 if (SADB_CHECKHDR(mhp, SADB_EXT_SA)) { 6116 /* 6117 * Caller wants us to delete all non-LARVAL SAs 6118 * that match the src/dst. This is used during 6119 * IKE INITIAL-CONTACT. 6120 * XXXAE: this looks like some extension to RFC2367. 6121 */ 6122 ipseclog((LOG_DEBUG, "%s: doing delete all.\n", __func__)); 6123 return (key_delete_all(so, m, mhp, &saidx)); 6124 } 6125 if (SADB_CHECKLEN(mhp, SADB_EXT_SA)) { 6126 ipseclog((LOG_DEBUG, 6127 "%s: invalid message: wrong header size.\n", __func__)); 6128 return (key_senderror(so, m, EINVAL)); 6129 } 6130 sa0 = (struct sadb_sa *)mhp->ext[SADB_EXT_SA]; 6131 SPI_ALLOC_LOCK(); 6132 if (proto == IPPROTO_TCP) 6133 sav = key_getsav_tcpmd5(&saidx, NULL); 6134 else 6135 sav = key_getsavbyspi(sa0->sadb_sa_spi); 6136 SPI_ALLOC_UNLOCK(); 6137 if (sav == NULL) { 6138 ipseclog((LOG_DEBUG, "%s: no SA found for SPI %u.\n", 6139 __func__, ntohl(sa0->sadb_sa_spi))); 6140 return (key_senderror(so, m, ESRCH)); 6141 } 6142 if (key_cmpsaidx(&sav->sah->saidx, &saidx, CMP_HEAD) == 0) { 6143 ipseclog((LOG_DEBUG, "%s: saidx mismatched for SPI %u.\n", 6144 __func__, ntohl(sav->spi))); 6145 key_freesav(&sav); 6146 return (key_senderror(so, m, ESRCH)); 6147 } 6148 KEYDBG(KEY_STAMP, 6149 printf("%s: SA(%p)\n", __func__, sav)); 6150 KEYDBG(KEY_DATA, kdebug_secasv(sav)); 6151 key_unlinksav(sav); 6152 key_freesav(&sav); 6153 6154 { 6155 struct mbuf *n; 6156 struct sadb_msg *newmsg; 6157 6158 /* create new sadb_msg to reply. */ 6159 n = key_gather_mbuf(m, mhp, 1, 4, SADB_EXT_RESERVED, 6160 SADB_EXT_SA, SADB_EXT_ADDRESS_SRC, SADB_EXT_ADDRESS_DST); 6161 if (!n) 6162 return key_senderror(so, m, ENOBUFS); 6163 6164 if (n->m_len < sizeof(struct sadb_msg)) { 6165 n = m_pullup(n, sizeof(struct sadb_msg)); 6166 if (n == NULL) 6167 return key_senderror(so, m, ENOBUFS); 6168 } 6169 newmsg = mtod(n, struct sadb_msg *); 6170 newmsg->sadb_msg_errno = 0; 6171 newmsg->sadb_msg_len = PFKEY_UNIT64(n->m_pkthdr.len); 6172 6173 m_freem(m); 6174 return key_sendup_mbuf(so, n, KEY_SENDUP_ALL); 6175 } 6176 } 6177 6178 /* 6179 * delete all SAs for src/dst. Called from key_delete(). 6180 */ 6181 static int 6182 key_delete_all(struct socket *so, struct mbuf *m, 6183 const struct sadb_msghdr *mhp, struct secasindex *saidx) 6184 { 6185 struct secasvar_queue drainq; 6186 struct secashead *sah; 6187 struct secasvar *sav, *nextsav; 6188 6189 TAILQ_INIT(&drainq); 6190 SAHTREE_WLOCK(); 6191 LIST_FOREACH(sah, SAHADDRHASH_HASH(saidx), addrhash) { 6192 if (key_cmpsaidx(&sah->saidx, saidx, CMP_HEAD) == 0) 6193 continue; 6194 /* Move all ALIVE SAs into drainq */ 6195 TAILQ_CONCAT(&drainq, &sah->savtree_alive, chain); 6196 } 6197 /* Unlink all queued SAs from SPI hash */ 6198 TAILQ_FOREACH(sav, &drainq, chain) { 6199 sav->state = SADB_SASTATE_DEAD; 6200 LIST_REMOVE(sav, spihash); 6201 } 6202 SAHTREE_WUNLOCK(); 6203 /* Now we can release reference for all SAs in drainq */ 6204 sav = TAILQ_FIRST(&drainq); 6205 while (sav != NULL) { 6206 KEYDBG(KEY_STAMP, 6207 printf("%s: SA(%p)\n", __func__, sav)); 6208 KEYDBG(KEY_DATA, kdebug_secasv(sav)); 6209 nextsav = TAILQ_NEXT(sav, chain); 6210 key_freesah(&sav->sah); /* release reference from SAV */ 6211 key_freesav(&sav); /* release last reference */ 6212 sav = nextsav; 6213 } 6214 6215 { 6216 struct mbuf *n; 6217 struct sadb_msg *newmsg; 6218 6219 /* create new sadb_msg to reply. */ 6220 n = key_gather_mbuf(m, mhp, 1, 3, SADB_EXT_RESERVED, 6221 SADB_EXT_ADDRESS_SRC, SADB_EXT_ADDRESS_DST); 6222 if (!n) 6223 return key_senderror(so, m, ENOBUFS); 6224 6225 if (n->m_len < sizeof(struct sadb_msg)) { 6226 n = m_pullup(n, sizeof(struct sadb_msg)); 6227 if (n == NULL) 6228 return key_senderror(so, m, ENOBUFS); 6229 } 6230 newmsg = mtod(n, struct sadb_msg *); 6231 newmsg->sadb_msg_errno = 0; 6232 newmsg->sadb_msg_len = PFKEY_UNIT64(n->m_pkthdr.len); 6233 6234 m_freem(m); 6235 return key_sendup_mbuf(so, n, KEY_SENDUP_ALL); 6236 } 6237 } 6238 6239 /* 6240 * Delete all alive SAs for corresponding xform. 6241 * Larval SAs have not initialized tdb_xform, so it is safe to leave them 6242 * here when xform disappears. 6243 */ 6244 void 6245 key_delete_xform(const struct xformsw *xsp) 6246 { 6247 struct secasvar_queue drainq; 6248 struct secashead *sah; 6249 struct secasvar *sav, *nextsav; 6250 6251 TAILQ_INIT(&drainq); 6252 SAHTREE_WLOCK(); 6253 TAILQ_FOREACH(sah, &V_sahtree, chain) { 6254 sav = TAILQ_FIRST(&sah->savtree_alive); 6255 if (sav == NULL) 6256 continue; 6257 if (sav->tdb_xform != xsp) 6258 continue; 6259 /* 6260 * It is supposed that all SAs in the chain are related to 6261 * one xform. 6262 */ 6263 TAILQ_CONCAT(&drainq, &sah->savtree_alive, chain); 6264 } 6265 /* Unlink all queued SAs from SPI hash */ 6266 TAILQ_FOREACH(sav, &drainq, chain) { 6267 sav->state = SADB_SASTATE_DEAD; 6268 LIST_REMOVE(sav, spihash); 6269 } 6270 SAHTREE_WUNLOCK(); 6271 6272 /* Now we can release reference for all SAs in drainq */ 6273 sav = TAILQ_FIRST(&drainq); 6274 while (sav != NULL) { 6275 KEYDBG(KEY_STAMP, 6276 printf("%s: SA(%p)\n", __func__, sav)); 6277 KEYDBG(KEY_DATA, kdebug_secasv(sav)); 6278 nextsav = TAILQ_NEXT(sav, chain); 6279 key_freesah(&sav->sah); /* release reference from SAV */ 6280 key_freesav(&sav); /* release last reference */ 6281 sav = nextsav; 6282 } 6283 } 6284 6285 /* 6286 * SADB_GET processing 6287 * receive 6288 * <base, SA(*), address(SD)> 6289 * from the ikmpd, and get a SP and a SA to respond, 6290 * and send, 6291 * <base, SA, (lifetime(HSC),) address(SD), (address(P),) key(AE), 6292 * (identity(SD),) (sensitivity)> 6293 * to the ikmpd. 6294 * 6295 * m will always be freed. 6296 */ 6297 static int 6298 key_get(struct socket *so, struct mbuf *m, const struct sadb_msghdr *mhp) 6299 { 6300 struct secasindex saidx; 6301 struct sadb_address *src0, *dst0; 6302 struct sadb_sa *sa0; 6303 struct secasvar *sav; 6304 uint8_t proto; 6305 6306 IPSEC_ASSERT(so != NULL, ("null socket")); 6307 IPSEC_ASSERT(m != NULL, ("null mbuf")); 6308 IPSEC_ASSERT(mhp != NULL, ("null msghdr")); 6309 IPSEC_ASSERT(mhp->msg != NULL, ("null msg")); 6310 6311 /* map satype to proto */ 6312 if ((proto = key_satype2proto(mhp->msg->sadb_msg_satype)) == 0) { 6313 ipseclog((LOG_DEBUG, "%s: invalid satype is passed.\n", 6314 __func__)); 6315 return key_senderror(so, m, EINVAL); 6316 } 6317 6318 if (SADB_CHECKHDR(mhp, SADB_EXT_SA) || 6319 SADB_CHECKHDR(mhp, SADB_EXT_ADDRESS_SRC) || 6320 SADB_CHECKHDR(mhp, SADB_EXT_ADDRESS_DST)) { 6321 ipseclog((LOG_DEBUG, 6322 "%s: invalid message: missing required header.\n", 6323 __func__)); 6324 return key_senderror(so, m, EINVAL); 6325 } 6326 if (SADB_CHECKLEN(mhp, SADB_EXT_SA) || 6327 SADB_CHECKLEN(mhp, SADB_EXT_ADDRESS_SRC) || 6328 SADB_CHECKLEN(mhp, SADB_EXT_ADDRESS_DST)) { 6329 ipseclog((LOG_DEBUG, 6330 "%s: invalid message: wrong header size.\n", __func__)); 6331 return key_senderror(so, m, EINVAL); 6332 } 6333 6334 sa0 = (struct sadb_sa *)mhp->ext[SADB_EXT_SA]; 6335 src0 = (struct sadb_address *)mhp->ext[SADB_EXT_ADDRESS_SRC]; 6336 dst0 = (struct sadb_address *)mhp->ext[SADB_EXT_ADDRESS_DST]; 6337 6338 if (key_checksockaddrs((struct sockaddr *)(src0 + 1), 6339 (struct sockaddr *)(dst0 + 1)) != 0) { 6340 ipseclog((LOG_DEBUG, "%s: invalid sockaddr.\n", __func__)); 6341 return key_senderror(so, m, EINVAL); 6342 } 6343 KEY_SETSECASIDX(proto, IPSEC_MODE_ANY, 0, src0 + 1, dst0 + 1, &saidx); 6344 6345 SPI_ALLOC_LOCK(); 6346 if (proto == IPPROTO_TCP) 6347 sav = key_getsav_tcpmd5(&saidx, NULL); 6348 else 6349 sav = key_getsavbyspi(sa0->sadb_sa_spi); 6350 SPI_ALLOC_UNLOCK(); 6351 if (sav == NULL) { 6352 ipseclog((LOG_DEBUG, "%s: no SA found.\n", __func__)); 6353 return key_senderror(so, m, ESRCH); 6354 } 6355 if (key_cmpsaidx(&sav->sah->saidx, &saidx, CMP_HEAD) == 0) { 6356 ipseclog((LOG_DEBUG, "%s: saidx mismatched for SPI %u.\n", 6357 __func__, ntohl(sa0->sadb_sa_spi))); 6358 key_freesav(&sav); 6359 return (key_senderror(so, m, ESRCH)); 6360 } 6361 6362 { 6363 struct mbuf *n; 6364 uint8_t satype; 6365 6366 /* map proto to satype */ 6367 if ((satype = key_proto2satype(sav->sah->saidx.proto)) == 0) { 6368 ipseclog((LOG_DEBUG, "%s: there was invalid proto in SAD.\n", 6369 __func__)); 6370 key_freesav(&sav); 6371 return key_senderror(so, m, EINVAL); 6372 } 6373 6374 /* create new sadb_msg to reply. */ 6375 n = key_setdumpsa(sav, SADB_GET, satype, mhp->msg->sadb_msg_seq, 6376 mhp->msg->sadb_msg_pid); 6377 6378 key_freesav(&sav); 6379 if (!n) 6380 return key_senderror(so, m, ENOBUFS); 6381 6382 m_freem(m); 6383 return key_sendup_mbuf(so, n, KEY_SENDUP_ONE); 6384 } 6385 } 6386 6387 /* XXX make it sysctl-configurable? */ 6388 static void 6389 key_getcomb_setlifetime(struct sadb_comb *comb) 6390 { 6391 6392 comb->sadb_comb_soft_allocations = 1; 6393 comb->sadb_comb_hard_allocations = 1; 6394 comb->sadb_comb_soft_bytes = 0; 6395 comb->sadb_comb_hard_bytes = 0; 6396 comb->sadb_comb_hard_addtime = 86400; /* 1 day */ 6397 comb->sadb_comb_soft_addtime = comb->sadb_comb_soft_addtime * 80 / 100; 6398 comb->sadb_comb_soft_usetime = 28800; /* 8 hours */ 6399 comb->sadb_comb_hard_usetime = comb->sadb_comb_hard_usetime * 80 / 100; 6400 } 6401 6402 /* 6403 * XXX reorder combinations by preference 6404 * XXX no idea if the user wants ESP authentication or not 6405 */ 6406 static struct mbuf * 6407 key_getcomb_ealg(void) 6408 { 6409 struct sadb_comb *comb; 6410 const struct enc_xform *algo; 6411 struct mbuf *result = NULL, *m, *n; 6412 int encmin; 6413 int i, off, o; 6414 int totlen; 6415 const int l = PFKEY_ALIGN8(sizeof(struct sadb_comb)); 6416 6417 m = NULL; 6418 for (i = 1; i <= SADB_EALG_MAX; i++) { 6419 algo = enc_algorithm_lookup(i); 6420 if (algo == NULL) 6421 continue; 6422 6423 /* discard algorithms with key size smaller than system min */ 6424 if (_BITS(algo->maxkey) < V_ipsec_esp_keymin) 6425 continue; 6426 if (_BITS(algo->minkey) < V_ipsec_esp_keymin) 6427 encmin = V_ipsec_esp_keymin; 6428 else 6429 encmin = _BITS(algo->minkey); 6430 6431 if (V_ipsec_esp_auth) 6432 m = key_getcomb_ah(); 6433 else { 6434 IPSEC_ASSERT(l <= MLEN, 6435 ("l=%u > MLEN=%lu", l, (u_long) MLEN)); 6436 MGET(m, M_NOWAIT, MT_DATA); 6437 if (m) { 6438 M_ALIGN(m, l); 6439 m->m_len = l; 6440 m->m_next = NULL; 6441 bzero(mtod(m, caddr_t), m->m_len); 6442 } 6443 } 6444 if (!m) 6445 goto fail; 6446 6447 totlen = 0; 6448 for (n = m; n; n = n->m_next) 6449 totlen += n->m_len; 6450 IPSEC_ASSERT((totlen % l) == 0, ("totlen=%u, l=%u", totlen, l)); 6451 6452 for (off = 0; off < totlen; off += l) { 6453 n = m_pulldown(m, off, l, &o); 6454 if (!n) { 6455 /* m is already freed */ 6456 goto fail; 6457 } 6458 comb = (struct sadb_comb *)(mtod(n, caddr_t) + o); 6459 bzero(comb, sizeof(*comb)); 6460 key_getcomb_setlifetime(comb); 6461 comb->sadb_comb_encrypt = i; 6462 comb->sadb_comb_encrypt_minbits = encmin; 6463 comb->sadb_comb_encrypt_maxbits = _BITS(algo->maxkey); 6464 } 6465 6466 if (!result) 6467 result = m; 6468 else 6469 m_cat(result, m); 6470 } 6471 6472 return result; 6473 6474 fail: 6475 if (result) 6476 m_freem(result); 6477 return NULL; 6478 } 6479 6480 static void 6481 key_getsizes_ah(const struct auth_hash *ah, int alg, u_int16_t* min, 6482 u_int16_t* max) 6483 { 6484 6485 *min = *max = ah->hashsize; 6486 if (ah->keysize == 0) { 6487 /* 6488 * Transform takes arbitrary key size but algorithm 6489 * key size is restricted. Enforce this here. 6490 */ 6491 switch (alg) { 6492 case SADB_X_AALG_NULL: *min = 1; *max = 256; break; 6493 case SADB_X_AALG_SHA2_256: *min = *max = 32; break; 6494 case SADB_X_AALG_SHA2_384: *min = *max = 48; break; 6495 case SADB_X_AALG_SHA2_512: *min = *max = 64; break; 6496 default: 6497 DPRINTF(("%s: unknown AH algorithm %u\n", 6498 __func__, alg)); 6499 break; 6500 } 6501 } 6502 } 6503 6504 /* 6505 * XXX reorder combinations by preference 6506 */ 6507 static struct mbuf * 6508 key_getcomb_ah(void) 6509 { 6510 const struct auth_hash *algo; 6511 struct sadb_comb *comb; 6512 struct mbuf *m; 6513 u_int16_t minkeysize, maxkeysize; 6514 int i; 6515 const int l = PFKEY_ALIGN8(sizeof(struct sadb_comb)); 6516 6517 m = NULL; 6518 for (i = 1; i <= SADB_AALG_MAX; i++) { 6519 #if 1 6520 /* we prefer HMAC algorithms, not old algorithms */ 6521 if (i != SADB_AALG_SHA1HMAC && 6522 i != SADB_X_AALG_SHA2_256 && 6523 i != SADB_X_AALG_SHA2_384 && 6524 i != SADB_X_AALG_SHA2_512) 6525 continue; 6526 #endif 6527 algo = auth_algorithm_lookup(i); 6528 if (!algo) 6529 continue; 6530 key_getsizes_ah(algo, i, &minkeysize, &maxkeysize); 6531 /* discard algorithms with key size smaller than system min */ 6532 if (_BITS(minkeysize) < V_ipsec_ah_keymin) 6533 continue; 6534 6535 if (!m) { 6536 IPSEC_ASSERT(l <= MLEN, 6537 ("l=%u > MLEN=%lu", l, (u_long) MLEN)); 6538 MGET(m, M_NOWAIT, MT_DATA); 6539 if (m) { 6540 M_ALIGN(m, l); 6541 m->m_len = l; 6542 m->m_next = NULL; 6543 } 6544 } else 6545 M_PREPEND(m, l, M_NOWAIT); 6546 if (!m) 6547 return NULL; 6548 6549 comb = mtod(m, struct sadb_comb *); 6550 bzero(comb, sizeof(*comb)); 6551 key_getcomb_setlifetime(comb); 6552 comb->sadb_comb_auth = i; 6553 comb->sadb_comb_auth_minbits = _BITS(minkeysize); 6554 comb->sadb_comb_auth_maxbits = _BITS(maxkeysize); 6555 } 6556 6557 return m; 6558 } 6559 6560 /* 6561 * not really an official behavior. discussed in pf_key@inner.net in Sep2000. 6562 * XXX reorder combinations by preference 6563 */ 6564 static struct mbuf * 6565 key_getcomb_ipcomp(void) 6566 { 6567 const struct comp_algo *algo; 6568 struct sadb_comb *comb; 6569 struct mbuf *m; 6570 int i; 6571 const int l = PFKEY_ALIGN8(sizeof(struct sadb_comb)); 6572 6573 m = NULL; 6574 for (i = 1; i <= SADB_X_CALG_MAX; i++) { 6575 algo = comp_algorithm_lookup(i); 6576 if (!algo) 6577 continue; 6578 6579 if (!m) { 6580 IPSEC_ASSERT(l <= MLEN, 6581 ("l=%u > MLEN=%lu", l, (u_long) MLEN)); 6582 MGET(m, M_NOWAIT, MT_DATA); 6583 if (m) { 6584 M_ALIGN(m, l); 6585 m->m_len = l; 6586 m->m_next = NULL; 6587 } 6588 } else 6589 M_PREPEND(m, l, M_NOWAIT); 6590 if (!m) 6591 return NULL; 6592 6593 comb = mtod(m, struct sadb_comb *); 6594 bzero(comb, sizeof(*comb)); 6595 key_getcomb_setlifetime(comb); 6596 comb->sadb_comb_encrypt = i; 6597 /* what should we set into sadb_comb_*_{min,max}bits? */ 6598 } 6599 6600 return m; 6601 } 6602 6603 /* 6604 * XXX no way to pass mode (transport/tunnel) to userland 6605 * XXX replay checking? 6606 * XXX sysctl interface to ipsec_{ah,esp}_keymin 6607 */ 6608 static struct mbuf * 6609 key_getprop(const struct secasindex *saidx) 6610 { 6611 struct sadb_prop *prop; 6612 struct mbuf *m, *n; 6613 const int l = PFKEY_ALIGN8(sizeof(struct sadb_prop)); 6614 int totlen; 6615 6616 switch (saidx->proto) { 6617 case IPPROTO_ESP: 6618 m = key_getcomb_ealg(); 6619 break; 6620 case IPPROTO_AH: 6621 m = key_getcomb_ah(); 6622 break; 6623 case IPPROTO_IPCOMP: 6624 m = key_getcomb_ipcomp(); 6625 break; 6626 default: 6627 return NULL; 6628 } 6629 6630 if (!m) 6631 return NULL; 6632 M_PREPEND(m, l, M_NOWAIT); 6633 if (!m) 6634 return NULL; 6635 6636 totlen = 0; 6637 for (n = m; n; n = n->m_next) 6638 totlen += n->m_len; 6639 6640 prop = mtod(m, struct sadb_prop *); 6641 bzero(prop, sizeof(*prop)); 6642 prop->sadb_prop_len = PFKEY_UNIT64(totlen); 6643 prop->sadb_prop_exttype = SADB_EXT_PROPOSAL; 6644 prop->sadb_prop_replay = 32; /* XXX */ 6645 6646 return m; 6647 } 6648 6649 /* 6650 * SADB_ACQUIRE processing called by key_checkrequest() and key_acquire2(). 6651 * send 6652 * <base, SA, address(SD), (address(P)), x_policy, 6653 * (identity(SD),) (sensitivity,) proposal> 6654 * to KMD, and expect to receive 6655 * <base> with SADB_ACQUIRE if error occurred, 6656 * or 6657 * <base, src address, dst address, (SPI range)> with SADB_GETSPI 6658 * from KMD by PF_KEY. 6659 * 6660 * XXX x_policy is outside of RFC2367 (KAME extension). 6661 * XXX sensitivity is not supported. 6662 * XXX for ipcomp, RFC2367 does not define how to fill in proposal. 6663 * see comment for key_getcomb_ipcomp(). 6664 * 6665 * OUT: 6666 * 0 : succeed 6667 * others: error number 6668 */ 6669 static int 6670 key_acquire(const struct secasindex *saidx, struct secpolicy *sp) 6671 { 6672 union sockaddr_union addr; 6673 struct mbuf *result, *m; 6674 uint32_t seq; 6675 int error; 6676 uint16_t ul_proto; 6677 uint8_t mask, satype; 6678 6679 IPSEC_ASSERT(saidx != NULL, ("null saidx")); 6680 satype = key_proto2satype(saidx->proto); 6681 IPSEC_ASSERT(satype != 0, ("null satype, protocol %u", saidx->proto)); 6682 6683 error = -1; 6684 result = NULL; 6685 ul_proto = IPSEC_ULPROTO_ANY; 6686 6687 /* Get seq number to check whether sending message or not. */ 6688 seq = key_getacq(saidx, &error); 6689 if (seq == 0) 6690 return (error); 6691 6692 m = key_setsadbmsg(SADB_ACQUIRE, 0, satype, seq, 0, 0); 6693 if (!m) { 6694 error = ENOBUFS; 6695 goto fail; 6696 } 6697 result = m; 6698 6699 /* 6700 * set sadb_address for saidx's. 6701 * 6702 * Note that if sp is supplied, then we're being called from 6703 * key_allocsa_policy() and should supply port and protocol 6704 * information. 6705 * XXXAE: why only TCP and UDP? ICMP and SCTP looks applicable too. 6706 * XXXAE: probably we can handle this in the ipsec[46]_allocsa(). 6707 * XXXAE: it looks like we should save this info in the ACQ entry. 6708 */ 6709 if (sp != NULL && (sp->spidx.ul_proto == IPPROTO_TCP || 6710 sp->spidx.ul_proto == IPPROTO_UDP)) 6711 ul_proto = sp->spidx.ul_proto; 6712 6713 addr = saidx->src; 6714 mask = FULLMASK; 6715 if (ul_proto != IPSEC_ULPROTO_ANY) { 6716 switch (sp->spidx.src.sa.sa_family) { 6717 case AF_INET: 6718 if (sp->spidx.src.sin.sin_port != IPSEC_PORT_ANY) { 6719 addr.sin.sin_port = sp->spidx.src.sin.sin_port; 6720 mask = sp->spidx.prefs; 6721 } 6722 break; 6723 case AF_INET6: 6724 if (sp->spidx.src.sin6.sin6_port != IPSEC_PORT_ANY) { 6725 addr.sin6.sin6_port = 6726 sp->spidx.src.sin6.sin6_port; 6727 mask = sp->spidx.prefs; 6728 } 6729 break; 6730 default: 6731 break; 6732 } 6733 } 6734 m = key_setsadbaddr(SADB_EXT_ADDRESS_SRC, &addr.sa, mask, ul_proto); 6735 if (!m) { 6736 error = ENOBUFS; 6737 goto fail; 6738 } 6739 m_cat(result, m); 6740 6741 addr = saidx->dst; 6742 mask = FULLMASK; 6743 if (ul_proto != IPSEC_ULPROTO_ANY) { 6744 switch (sp->spidx.dst.sa.sa_family) { 6745 case AF_INET: 6746 if (sp->spidx.dst.sin.sin_port != IPSEC_PORT_ANY) { 6747 addr.sin.sin_port = sp->spidx.dst.sin.sin_port; 6748 mask = sp->spidx.prefd; 6749 } 6750 break; 6751 case AF_INET6: 6752 if (sp->spidx.dst.sin6.sin6_port != IPSEC_PORT_ANY) { 6753 addr.sin6.sin6_port = 6754 sp->spidx.dst.sin6.sin6_port; 6755 mask = sp->spidx.prefd; 6756 } 6757 break; 6758 default: 6759 break; 6760 } 6761 } 6762 m = key_setsadbaddr(SADB_EXT_ADDRESS_DST, &addr.sa, mask, ul_proto); 6763 if (!m) { 6764 error = ENOBUFS; 6765 goto fail; 6766 } 6767 m_cat(result, m); 6768 6769 /* XXX proxy address (optional) */ 6770 6771 /* 6772 * Set sadb_x_policy. This is KAME extension to RFC2367. 6773 */ 6774 if (sp != NULL) { 6775 m = key_setsadbxpolicy(sp->policy, sp->spidx.dir, sp->id, 6776 sp->priority); 6777 if (!m) { 6778 error = ENOBUFS; 6779 goto fail; 6780 } 6781 m_cat(result, m); 6782 } 6783 6784 /* 6785 * Set sadb_x_sa2 extension if saidx->reqid is not zero. 6786 * This is FreeBSD extension to RFC2367. 6787 */ 6788 if (saidx->reqid != 0) { 6789 m = key_setsadbxsa2(saidx->mode, 0, saidx->reqid); 6790 if (m == NULL) { 6791 error = ENOBUFS; 6792 goto fail; 6793 } 6794 m_cat(result, m); 6795 } 6796 /* XXX identity (optional) */ 6797 #if 0 6798 if (idexttype && fqdn) { 6799 /* create identity extension (FQDN) */ 6800 struct sadb_ident *id; 6801 int fqdnlen; 6802 6803 fqdnlen = strlen(fqdn) + 1; /* +1 for terminating-NUL */ 6804 id = (struct sadb_ident *)p; 6805 bzero(id, sizeof(*id) + PFKEY_ALIGN8(fqdnlen)); 6806 id->sadb_ident_len = PFKEY_UNIT64(sizeof(*id) + PFKEY_ALIGN8(fqdnlen)); 6807 id->sadb_ident_exttype = idexttype; 6808 id->sadb_ident_type = SADB_IDENTTYPE_FQDN; 6809 bcopy(fqdn, id + 1, fqdnlen); 6810 p += sizeof(struct sadb_ident) + PFKEY_ALIGN8(fqdnlen); 6811 } 6812 6813 if (idexttype) { 6814 /* create identity extension (USERFQDN) */ 6815 struct sadb_ident *id; 6816 int userfqdnlen; 6817 6818 if (userfqdn) { 6819 /* +1 for terminating-NUL */ 6820 userfqdnlen = strlen(userfqdn) + 1; 6821 } else 6822 userfqdnlen = 0; 6823 id = (struct sadb_ident *)p; 6824 bzero(id, sizeof(*id) + PFKEY_ALIGN8(userfqdnlen)); 6825 id->sadb_ident_len = PFKEY_UNIT64(sizeof(*id) + PFKEY_ALIGN8(userfqdnlen)); 6826 id->sadb_ident_exttype = idexttype; 6827 id->sadb_ident_type = SADB_IDENTTYPE_USERFQDN; 6828 /* XXX is it correct? */ 6829 if (curproc && curproc->p_cred) 6830 id->sadb_ident_id = curproc->p_cred->p_ruid; 6831 if (userfqdn && userfqdnlen) 6832 bcopy(userfqdn, id + 1, userfqdnlen); 6833 p += sizeof(struct sadb_ident) + PFKEY_ALIGN8(userfqdnlen); 6834 } 6835 #endif 6836 6837 /* XXX sensitivity (optional) */ 6838 6839 /* create proposal/combination extension */ 6840 m = key_getprop(saidx); 6841 #if 0 6842 /* 6843 * spec conformant: always attach proposal/combination extension, 6844 * the problem is that we have no way to attach it for ipcomp, 6845 * due to the way sadb_comb is declared in RFC2367. 6846 */ 6847 if (!m) { 6848 error = ENOBUFS; 6849 goto fail; 6850 } 6851 m_cat(result, m); 6852 #else 6853 /* 6854 * outside of spec; make proposal/combination extension optional. 6855 */ 6856 if (m) 6857 m_cat(result, m); 6858 #endif 6859 6860 if ((result->m_flags & M_PKTHDR) == 0) { 6861 error = EINVAL; 6862 goto fail; 6863 } 6864 6865 if (result->m_len < sizeof(struct sadb_msg)) { 6866 result = m_pullup(result, sizeof(struct sadb_msg)); 6867 if (result == NULL) { 6868 error = ENOBUFS; 6869 goto fail; 6870 } 6871 } 6872 6873 result->m_pkthdr.len = 0; 6874 for (m = result; m; m = m->m_next) 6875 result->m_pkthdr.len += m->m_len; 6876 6877 mtod(result, struct sadb_msg *)->sadb_msg_len = 6878 PFKEY_UNIT64(result->m_pkthdr.len); 6879 6880 KEYDBG(KEY_STAMP, 6881 printf("%s: SP(%p)\n", __func__, sp)); 6882 KEYDBG(KEY_DATA, kdebug_secasindex(saidx, NULL)); 6883 6884 return key_sendup_mbuf(NULL, result, KEY_SENDUP_REGISTERED); 6885 6886 fail: 6887 if (result) 6888 m_freem(result); 6889 return error; 6890 } 6891 6892 static uint32_t 6893 key_newacq(const struct secasindex *saidx, int *perror) 6894 { 6895 struct secacq *acq; 6896 uint32_t seq; 6897 6898 acq = malloc(sizeof(*acq), M_IPSEC_SAQ, M_NOWAIT | M_ZERO); 6899 if (acq == NULL) { 6900 ipseclog((LOG_DEBUG, "%s: No more memory.\n", __func__)); 6901 *perror = ENOBUFS; 6902 return (0); 6903 } 6904 6905 /* copy secindex */ 6906 bcopy(saidx, &acq->saidx, sizeof(acq->saidx)); 6907 acq->created = time_second; 6908 acq->count = 0; 6909 6910 /* add to acqtree */ 6911 ACQ_LOCK(); 6912 seq = acq->seq = (V_acq_seq == ~0 ? 1 : ++V_acq_seq); 6913 LIST_INSERT_HEAD(&V_acqtree, acq, chain); 6914 LIST_INSERT_HEAD(ACQADDRHASH_HASH(saidx), acq, addrhash); 6915 LIST_INSERT_HEAD(ACQSEQHASH_HASH(seq), acq, seqhash); 6916 ACQ_UNLOCK(); 6917 *perror = 0; 6918 return (seq); 6919 } 6920 6921 static uint32_t 6922 key_getacq(const struct secasindex *saidx, int *perror) 6923 { 6924 struct secacq *acq; 6925 uint32_t seq; 6926 6927 ACQ_LOCK(); 6928 LIST_FOREACH(acq, ACQADDRHASH_HASH(saidx), addrhash) { 6929 if (key_cmpsaidx(&acq->saidx, saidx, CMP_EXACTLY)) { 6930 if (acq->count > V_key_blockacq_count) { 6931 /* 6932 * Reset counter and send message. 6933 * Also reset created time to keep ACQ for 6934 * this saidx. 6935 */ 6936 acq->created = time_second; 6937 acq->count = 0; 6938 seq = acq->seq; 6939 } else { 6940 /* 6941 * Increment counter and do nothing. 6942 * We send SADB_ACQUIRE message only 6943 * for each V_key_blockacq_count packet. 6944 */ 6945 acq->count++; 6946 seq = 0; 6947 } 6948 break; 6949 } 6950 } 6951 ACQ_UNLOCK(); 6952 if (acq != NULL) { 6953 *perror = 0; 6954 return (seq); 6955 } 6956 /* allocate new entry */ 6957 return (key_newacq(saidx, perror)); 6958 } 6959 6960 static int 6961 key_acqreset(uint32_t seq) 6962 { 6963 struct secacq *acq; 6964 6965 ACQ_LOCK(); 6966 LIST_FOREACH(acq, ACQSEQHASH_HASH(seq), seqhash) { 6967 if (acq->seq == seq) { 6968 acq->count = 0; 6969 acq->created = time_second; 6970 break; 6971 } 6972 } 6973 ACQ_UNLOCK(); 6974 if (acq == NULL) 6975 return (ESRCH); 6976 return (0); 6977 } 6978 /* 6979 * Mark ACQ entry as stale to remove it in key_flush_acq(). 6980 * Called after successful SADB_GETSPI message. 6981 */ 6982 static int 6983 key_acqdone(const struct secasindex *saidx, uint32_t seq) 6984 { 6985 struct secacq *acq; 6986 6987 ACQ_LOCK(); 6988 LIST_FOREACH(acq, ACQSEQHASH_HASH(seq), seqhash) { 6989 if (acq->seq == seq) 6990 break; 6991 } 6992 if (acq != NULL) { 6993 if (key_cmpsaidx(&acq->saidx, saidx, CMP_EXACTLY) == 0) { 6994 ipseclog((LOG_DEBUG, 6995 "%s: Mismatched saidx for ACQ %u\n", __func__, seq)); 6996 acq = NULL; 6997 } else { 6998 acq->created = 0; 6999 } 7000 } else { 7001 ipseclog((LOG_DEBUG, 7002 "%s: ACQ %u is not found.\n", __func__, seq)); 7003 } 7004 ACQ_UNLOCK(); 7005 if (acq == NULL) 7006 return (ESRCH); 7007 return (0); 7008 } 7009 7010 static struct secspacq * 7011 key_newspacq(struct secpolicyindex *spidx) 7012 { 7013 struct secspacq *acq; 7014 7015 /* get new entry */ 7016 acq = malloc(sizeof(struct secspacq), M_IPSEC_SAQ, M_NOWAIT|M_ZERO); 7017 if (acq == NULL) { 7018 ipseclog((LOG_DEBUG, "%s: No more memory.\n", __func__)); 7019 return NULL; 7020 } 7021 7022 /* copy secindex */ 7023 bcopy(spidx, &acq->spidx, sizeof(acq->spidx)); 7024 acq->created = time_second; 7025 acq->count = 0; 7026 7027 /* add to spacqtree */ 7028 SPACQ_LOCK(); 7029 LIST_INSERT_HEAD(&V_spacqtree, acq, chain); 7030 SPACQ_UNLOCK(); 7031 7032 return acq; 7033 } 7034 7035 static struct secspacq * 7036 key_getspacq(struct secpolicyindex *spidx) 7037 { 7038 struct secspacq *acq; 7039 7040 SPACQ_LOCK(); 7041 LIST_FOREACH(acq, &V_spacqtree, chain) { 7042 if (key_cmpspidx_exactly(spidx, &acq->spidx)) { 7043 /* NB: return holding spacq_lock */ 7044 return acq; 7045 } 7046 } 7047 SPACQ_UNLOCK(); 7048 7049 return NULL; 7050 } 7051 7052 /* 7053 * SADB_ACQUIRE processing, 7054 * in first situation, is receiving 7055 * <base> 7056 * from the ikmpd, and clear sequence of its secasvar entry. 7057 * 7058 * In second situation, is receiving 7059 * <base, address(SD), (address(P),) (identity(SD),) (sensitivity,) proposal> 7060 * from a user land process, and return 7061 * <base, address(SD), (address(P),) (identity(SD),) (sensitivity,) proposal> 7062 * to the socket. 7063 * 7064 * m will always be freed. 7065 */ 7066 static int 7067 key_acquire2(struct socket *so, struct mbuf *m, const struct sadb_msghdr *mhp) 7068 { 7069 SAHTREE_RLOCK_TRACKER; 7070 struct sadb_address *src0, *dst0; 7071 struct secasindex saidx; 7072 struct secashead *sah; 7073 uint32_t reqid; 7074 int error; 7075 uint8_t mode, proto; 7076 7077 IPSEC_ASSERT(so != NULL, ("null socket")); 7078 IPSEC_ASSERT(m != NULL, ("null mbuf")); 7079 IPSEC_ASSERT(mhp != NULL, ("null msghdr")); 7080 IPSEC_ASSERT(mhp->msg != NULL, ("null msg")); 7081 7082 /* 7083 * Error message from KMd. 7084 * We assume that if error was occurred in IKEd, the length of PFKEY 7085 * message is equal to the size of sadb_msg structure. 7086 * We do not raise error even if error occurred in this function. 7087 */ 7088 if (mhp->msg->sadb_msg_len == PFKEY_UNIT64(sizeof(struct sadb_msg))) { 7089 /* check sequence number */ 7090 if (mhp->msg->sadb_msg_seq == 0 || 7091 mhp->msg->sadb_msg_errno == 0) { 7092 ipseclog((LOG_DEBUG, "%s: must specify sequence " 7093 "number and errno.\n", __func__)); 7094 } else { 7095 /* 7096 * IKEd reported that error occurred. 7097 * XXXAE: what it expects from the kernel? 7098 * Probably we should send SADB_ACQUIRE again? 7099 * If so, reset ACQ's state. 7100 * XXXAE: it looks useless. 7101 */ 7102 key_acqreset(mhp->msg->sadb_msg_seq); 7103 } 7104 m_freem(m); 7105 return (0); 7106 } 7107 7108 /* 7109 * This message is from user land. 7110 */ 7111 7112 /* map satype to proto */ 7113 if ((proto = key_satype2proto(mhp->msg->sadb_msg_satype)) == 0) { 7114 ipseclog((LOG_DEBUG, "%s: invalid satype is passed.\n", 7115 __func__)); 7116 return key_senderror(so, m, EINVAL); 7117 } 7118 7119 if (SADB_CHECKHDR(mhp, SADB_EXT_ADDRESS_SRC) || 7120 SADB_CHECKHDR(mhp, SADB_EXT_ADDRESS_DST) || 7121 SADB_CHECKHDR(mhp, SADB_EXT_PROPOSAL)) { 7122 ipseclog((LOG_DEBUG, 7123 "%s: invalid message: missing required header.\n", 7124 __func__)); 7125 return key_senderror(so, m, EINVAL); 7126 } 7127 if (SADB_CHECKLEN(mhp, SADB_EXT_ADDRESS_SRC) || 7128 SADB_CHECKLEN(mhp, SADB_EXT_ADDRESS_DST) || 7129 SADB_CHECKLEN(mhp, SADB_EXT_PROPOSAL)) { 7130 ipseclog((LOG_DEBUG, 7131 "%s: invalid message: wrong header size.\n", __func__)); 7132 return key_senderror(so, m, EINVAL); 7133 } 7134 7135 if (SADB_CHECKHDR(mhp, SADB_X_EXT_SA2)) { 7136 mode = IPSEC_MODE_ANY; 7137 reqid = 0; 7138 } else { 7139 if (SADB_CHECKLEN(mhp, SADB_X_EXT_SA2)) { 7140 ipseclog((LOG_DEBUG, 7141 "%s: invalid message: wrong header size.\n", 7142 __func__)); 7143 return key_senderror(so, m, EINVAL); 7144 } 7145 mode = ((struct sadb_x_sa2 *) 7146 mhp->ext[SADB_X_EXT_SA2])->sadb_x_sa2_mode; 7147 reqid = ((struct sadb_x_sa2 *) 7148 mhp->ext[SADB_X_EXT_SA2])->sadb_x_sa2_reqid; 7149 } 7150 7151 src0 = (struct sadb_address *)mhp->ext[SADB_EXT_ADDRESS_SRC]; 7152 dst0 = (struct sadb_address *)mhp->ext[SADB_EXT_ADDRESS_DST]; 7153 7154 error = key_checksockaddrs((struct sockaddr *)(src0 + 1), 7155 (struct sockaddr *)(dst0 + 1)); 7156 if (error != 0) { 7157 ipseclog((LOG_DEBUG, "%s: invalid sockaddr.\n", __func__)); 7158 return key_senderror(so, m, EINVAL); 7159 } 7160 KEY_SETSECASIDX(proto, mode, reqid, src0 + 1, dst0 + 1, &saidx); 7161 7162 /* get a SA index */ 7163 SAHTREE_RLOCK(); 7164 LIST_FOREACH(sah, SAHADDRHASH_HASH(&saidx), addrhash) { 7165 if (key_cmpsaidx(&sah->saidx, &saidx, CMP_MODE_REQID)) 7166 break; 7167 } 7168 SAHTREE_RUNLOCK(); 7169 if (sah != NULL) { 7170 ipseclog((LOG_DEBUG, "%s: a SA exists already.\n", __func__)); 7171 return key_senderror(so, m, EEXIST); 7172 } 7173 7174 error = key_acquire(&saidx, NULL); 7175 if (error != 0) { 7176 ipseclog((LOG_DEBUG, 7177 "%s: error %d returned from key_acquire()\n", 7178 __func__, error)); 7179 return key_senderror(so, m, error); 7180 } 7181 m_freem(m); 7182 return (0); 7183 } 7184 7185 /* 7186 * SADB_REGISTER processing. 7187 * If SATYPE_UNSPEC has been passed as satype, only return sabd_supported. 7188 * receive 7189 * <base> 7190 * from the ikmpd, and register a socket to send PF_KEY messages, 7191 * and send 7192 * <base, supported> 7193 * to KMD by PF_KEY. 7194 * If socket is detached, must free from regnode. 7195 * 7196 * m will always be freed. 7197 */ 7198 static int 7199 key_register(struct socket *so, struct mbuf *m, const struct sadb_msghdr *mhp) 7200 { 7201 struct secreg *reg, *newreg = NULL; 7202 7203 IPSEC_ASSERT(so != NULL, ("null socket")); 7204 IPSEC_ASSERT(m != NULL, ("null mbuf")); 7205 IPSEC_ASSERT(mhp != NULL, ("null msghdr")); 7206 IPSEC_ASSERT(mhp->msg != NULL, ("null msg")); 7207 7208 /* check for invalid register message */ 7209 if (mhp->msg->sadb_msg_satype >= sizeof(V_regtree)/sizeof(V_regtree[0])) 7210 return key_senderror(so, m, EINVAL); 7211 7212 /* When SATYPE_UNSPEC is specified, only return sabd_supported. */ 7213 if (mhp->msg->sadb_msg_satype == SADB_SATYPE_UNSPEC) 7214 goto setmsg; 7215 7216 /* check whether existing or not */ 7217 REGTREE_LOCK(); 7218 LIST_FOREACH(reg, &V_regtree[mhp->msg->sadb_msg_satype], chain) { 7219 if (reg->so == so) { 7220 REGTREE_UNLOCK(); 7221 ipseclog((LOG_DEBUG, "%s: socket exists already.\n", 7222 __func__)); 7223 return key_senderror(so, m, EEXIST); 7224 } 7225 } 7226 7227 /* create regnode */ 7228 newreg = malloc(sizeof(struct secreg), M_IPSEC_SAR, M_NOWAIT|M_ZERO); 7229 if (newreg == NULL) { 7230 REGTREE_UNLOCK(); 7231 ipseclog((LOG_DEBUG, "%s: No more memory.\n", __func__)); 7232 return key_senderror(so, m, ENOBUFS); 7233 } 7234 7235 newreg->so = so; 7236 ((struct keycb *)(so->so_pcb))->kp_registered++; 7237 7238 /* add regnode to regtree. */ 7239 LIST_INSERT_HEAD(&V_regtree[mhp->msg->sadb_msg_satype], newreg, chain); 7240 REGTREE_UNLOCK(); 7241 7242 setmsg: 7243 { 7244 struct mbuf *n; 7245 struct sadb_msg *newmsg; 7246 struct sadb_supported *sup; 7247 u_int len, alen, elen; 7248 int off; 7249 int i; 7250 struct sadb_alg *alg; 7251 7252 /* create new sadb_msg to reply. */ 7253 alen = 0; 7254 for (i = 1; i <= SADB_AALG_MAX; i++) { 7255 if (auth_algorithm_lookup(i)) 7256 alen += sizeof(struct sadb_alg); 7257 } 7258 if (alen) 7259 alen += sizeof(struct sadb_supported); 7260 elen = 0; 7261 for (i = 1; i <= SADB_EALG_MAX; i++) { 7262 if (enc_algorithm_lookup(i)) 7263 elen += sizeof(struct sadb_alg); 7264 } 7265 if (elen) 7266 elen += sizeof(struct sadb_supported); 7267 7268 len = sizeof(struct sadb_msg) + alen + elen; 7269 7270 if (len > MCLBYTES) 7271 return key_senderror(so, m, ENOBUFS); 7272 7273 n = key_mget(len); 7274 if (n == NULL) 7275 return key_senderror(so, m, ENOBUFS); 7276 7277 n->m_pkthdr.len = n->m_len = len; 7278 n->m_next = NULL; 7279 off = 0; 7280 7281 m_copydata(m, 0, sizeof(struct sadb_msg), mtod(n, caddr_t) + off); 7282 newmsg = mtod(n, struct sadb_msg *); 7283 newmsg->sadb_msg_errno = 0; 7284 newmsg->sadb_msg_len = PFKEY_UNIT64(len); 7285 off += PFKEY_ALIGN8(sizeof(struct sadb_msg)); 7286 7287 /* for authentication algorithm */ 7288 if (alen) { 7289 sup = (struct sadb_supported *)(mtod(n, caddr_t) + off); 7290 sup->sadb_supported_len = PFKEY_UNIT64(alen); 7291 sup->sadb_supported_exttype = SADB_EXT_SUPPORTED_AUTH; 7292 off += PFKEY_ALIGN8(sizeof(*sup)); 7293 7294 for (i = 1; i <= SADB_AALG_MAX; i++) { 7295 const struct auth_hash *aalgo; 7296 u_int16_t minkeysize, maxkeysize; 7297 7298 aalgo = auth_algorithm_lookup(i); 7299 if (!aalgo) 7300 continue; 7301 alg = (struct sadb_alg *)(mtod(n, caddr_t) + off); 7302 alg->sadb_alg_id = i; 7303 alg->sadb_alg_ivlen = 0; 7304 key_getsizes_ah(aalgo, i, &minkeysize, &maxkeysize); 7305 alg->sadb_alg_minbits = _BITS(minkeysize); 7306 alg->sadb_alg_maxbits = _BITS(maxkeysize); 7307 off += PFKEY_ALIGN8(sizeof(*alg)); 7308 } 7309 } 7310 7311 /* for encryption algorithm */ 7312 if (elen) { 7313 sup = (struct sadb_supported *)(mtod(n, caddr_t) + off); 7314 sup->sadb_supported_len = PFKEY_UNIT64(elen); 7315 sup->sadb_supported_exttype = SADB_EXT_SUPPORTED_ENCRYPT; 7316 off += PFKEY_ALIGN8(sizeof(*sup)); 7317 7318 for (i = 1; i <= SADB_EALG_MAX; i++) { 7319 const struct enc_xform *ealgo; 7320 7321 ealgo = enc_algorithm_lookup(i); 7322 if (!ealgo) 7323 continue; 7324 alg = (struct sadb_alg *)(mtod(n, caddr_t) + off); 7325 alg->sadb_alg_id = i; 7326 alg->sadb_alg_ivlen = ealgo->ivsize; 7327 alg->sadb_alg_minbits = _BITS(ealgo->minkey); 7328 alg->sadb_alg_maxbits = _BITS(ealgo->maxkey); 7329 off += PFKEY_ALIGN8(sizeof(struct sadb_alg)); 7330 } 7331 } 7332 7333 IPSEC_ASSERT(off == len, 7334 ("length assumption failed (off %u len %u)", off, len)); 7335 7336 m_freem(m); 7337 return key_sendup_mbuf(so, n, KEY_SENDUP_REGISTERED); 7338 } 7339 } 7340 7341 /* 7342 * free secreg entry registered. 7343 * XXX: I want to do free a socket marked done SADB_RESIGER to socket. 7344 */ 7345 void 7346 key_freereg(struct socket *so) 7347 { 7348 struct secreg *reg; 7349 int i; 7350 7351 IPSEC_ASSERT(so != NULL, ("NULL so")); 7352 7353 /* 7354 * check whether existing or not. 7355 * check all type of SA, because there is a potential that 7356 * one socket is registered to multiple type of SA. 7357 */ 7358 REGTREE_LOCK(); 7359 for (i = 0; i <= SADB_SATYPE_MAX; i++) { 7360 LIST_FOREACH(reg, &V_regtree[i], chain) { 7361 if (reg->so == so && __LIST_CHAINED(reg)) { 7362 LIST_REMOVE(reg, chain); 7363 free(reg, M_IPSEC_SAR); 7364 break; 7365 } 7366 } 7367 } 7368 REGTREE_UNLOCK(); 7369 } 7370 7371 /* 7372 * SADB_EXPIRE processing 7373 * send 7374 * <base, SA, SA2, lifetime(C and one of HS), address(SD)> 7375 * to KMD by PF_KEY. 7376 * NOTE: We send only soft lifetime extension. 7377 * 7378 * OUT: 0 : succeed 7379 * others : error number 7380 */ 7381 static int 7382 key_expire(struct secasvar *sav, int hard) 7383 { 7384 struct mbuf *result = NULL, *m; 7385 struct sadb_lifetime *lt; 7386 uint32_t replay_count; 7387 int error, len; 7388 uint8_t satype; 7389 7390 SECASVAR_RLOCK_TRACKER; 7391 7392 IPSEC_ASSERT (sav != NULL, ("null sav")); 7393 IPSEC_ASSERT (sav->sah != NULL, ("null sa header")); 7394 7395 KEYDBG(KEY_STAMP, 7396 printf("%s: SA(%p) expired %s lifetime\n", __func__, 7397 sav, hard ? "hard": "soft")); 7398 KEYDBG(KEY_DATA, kdebug_secasv(sav)); 7399 /* set msg header */ 7400 satype = key_proto2satype(sav->sah->saidx.proto); 7401 IPSEC_ASSERT(satype != 0, ("invalid proto, satype %u", satype)); 7402 m = key_setsadbmsg(SADB_EXPIRE, 0, satype, sav->seq, 0, sav->refcnt); 7403 if (!m) { 7404 error = ENOBUFS; 7405 goto fail; 7406 } 7407 result = m; 7408 7409 /* create SA extension */ 7410 m = key_setsadbsa(sav); 7411 if (!m) { 7412 error = ENOBUFS; 7413 goto fail; 7414 } 7415 m_cat(result, m); 7416 7417 /* create SA extension */ 7418 SECASVAR_RLOCK(sav); 7419 replay_count = sav->replay ? sav->replay->count : 0; 7420 SECASVAR_RUNLOCK(sav); 7421 7422 m = key_setsadbxsa2(sav->sah->saidx.mode, replay_count, 7423 sav->sah->saidx.reqid); 7424 if (!m) { 7425 error = ENOBUFS; 7426 goto fail; 7427 } 7428 m_cat(result, m); 7429 7430 if (sav->replay && sav->replay->wsize > UINT8_MAX) { 7431 m = key_setsadbxsareplay(sav->replay->wsize); 7432 if (!m) { 7433 error = ENOBUFS; 7434 goto fail; 7435 } 7436 m_cat(result, m); 7437 } 7438 7439 /* create lifetime extension (current and soft) */ 7440 len = PFKEY_ALIGN8(sizeof(*lt)) * 2; 7441 m = m_get2(len, M_NOWAIT, MT_DATA, 0); 7442 if (m == NULL) { 7443 error = ENOBUFS; 7444 goto fail; 7445 } 7446 m_align(m, len); 7447 m->m_len = len; 7448 bzero(mtod(m, caddr_t), len); 7449 lt = mtod(m, struct sadb_lifetime *); 7450 lt->sadb_lifetime_len = PFKEY_UNIT64(sizeof(struct sadb_lifetime)); 7451 lt->sadb_lifetime_exttype = SADB_EXT_LIFETIME_CURRENT; 7452 lt->sadb_lifetime_allocations = 7453 (uint32_t)counter_u64_fetch(sav->lft_c_allocations); 7454 lt->sadb_lifetime_bytes = 7455 counter_u64_fetch(sav->lft_c_bytes); 7456 lt->sadb_lifetime_addtime = sav->created; 7457 lt->sadb_lifetime_usetime = sav->firstused; 7458 lt = (struct sadb_lifetime *)(mtod(m, caddr_t) + len / 2); 7459 lt->sadb_lifetime_len = PFKEY_UNIT64(sizeof(struct sadb_lifetime)); 7460 if (hard) { 7461 lt->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD; 7462 lt->sadb_lifetime_allocations = sav->lft_h->allocations; 7463 lt->sadb_lifetime_bytes = sav->lft_h->bytes; 7464 lt->sadb_lifetime_addtime = sav->lft_h->addtime; 7465 lt->sadb_lifetime_usetime = sav->lft_h->usetime; 7466 } else { 7467 lt->sadb_lifetime_exttype = SADB_EXT_LIFETIME_SOFT; 7468 lt->sadb_lifetime_allocations = sav->lft_s->allocations; 7469 lt->sadb_lifetime_bytes = sav->lft_s->bytes; 7470 lt->sadb_lifetime_addtime = sav->lft_s->addtime; 7471 lt->sadb_lifetime_usetime = sav->lft_s->usetime; 7472 } 7473 m_cat(result, m); 7474 7475 /* set sadb_address for source */ 7476 m = key_setsadbaddr(SADB_EXT_ADDRESS_SRC, 7477 &sav->sah->saidx.src.sa, 7478 FULLMASK, IPSEC_ULPROTO_ANY); 7479 if (!m) { 7480 error = ENOBUFS; 7481 goto fail; 7482 } 7483 m_cat(result, m); 7484 7485 /* set sadb_address for destination */ 7486 m = key_setsadbaddr(SADB_EXT_ADDRESS_DST, 7487 &sav->sah->saidx.dst.sa, 7488 FULLMASK, IPSEC_ULPROTO_ANY); 7489 if (!m) { 7490 error = ENOBUFS; 7491 goto fail; 7492 } 7493 m_cat(result, m); 7494 7495 /* 7496 * XXX-BZ Handle NAT-T extensions here. 7497 * XXXAE: it doesn't seem quite useful. IKEs should not depend on 7498 * this information, we report only significant SA fields. 7499 */ 7500 7501 if ((result->m_flags & M_PKTHDR) == 0) { 7502 error = EINVAL; 7503 goto fail; 7504 } 7505 7506 if (result->m_len < sizeof(struct sadb_msg)) { 7507 result = m_pullup(result, sizeof(struct sadb_msg)); 7508 if (result == NULL) { 7509 error = ENOBUFS; 7510 goto fail; 7511 } 7512 } 7513 7514 result->m_pkthdr.len = 0; 7515 for (m = result; m; m = m->m_next) 7516 result->m_pkthdr.len += m->m_len; 7517 7518 mtod(result, struct sadb_msg *)->sadb_msg_len = 7519 PFKEY_UNIT64(result->m_pkthdr.len); 7520 7521 return key_sendup_mbuf(NULL, result, KEY_SENDUP_REGISTERED); 7522 7523 fail: 7524 if (result) 7525 m_freem(result); 7526 return error; 7527 } 7528 7529 static void 7530 key_freesah_flushed(struct secashead_queue *flushq) 7531 { 7532 struct secashead *sah, *nextsah; 7533 struct secasvar *sav, *nextsav; 7534 7535 sah = TAILQ_FIRST(flushq); 7536 while (sah != NULL) { 7537 sav = TAILQ_FIRST(&sah->savtree_larval); 7538 while (sav != NULL) { 7539 nextsav = TAILQ_NEXT(sav, chain); 7540 TAILQ_REMOVE(&sah->savtree_larval, sav, chain); 7541 key_freesav(&sav); /* release last reference */ 7542 key_freesah(&sah); /* release reference from SAV */ 7543 sav = nextsav; 7544 } 7545 sav = TAILQ_FIRST(&sah->savtree_alive); 7546 while (sav != NULL) { 7547 nextsav = TAILQ_NEXT(sav, chain); 7548 TAILQ_REMOVE(&sah->savtree_alive, sav, chain); 7549 key_freesav(&sav); /* release last reference */ 7550 key_freesah(&sah); /* release reference from SAV */ 7551 sav = nextsav; 7552 } 7553 nextsah = TAILQ_NEXT(sah, chain); 7554 key_freesah(&sah); /* release last reference */ 7555 sah = nextsah; 7556 } 7557 } 7558 7559 /* 7560 * SADB_FLUSH processing 7561 * receive 7562 * <base> 7563 * from the ikmpd, and free all entries in secastree. 7564 * and send, 7565 * <base> 7566 * to the ikmpd. 7567 * NOTE: to do is only marking SADB_SASTATE_DEAD. 7568 * 7569 * m will always be freed. 7570 */ 7571 static int 7572 key_flush(struct socket *so, struct mbuf *m, const struct sadb_msghdr *mhp) 7573 { 7574 struct secashead_queue flushq; 7575 struct sadb_msg *newmsg; 7576 struct secashead *sah, *nextsah; 7577 struct secasvar *sav; 7578 uint8_t proto; 7579 int i; 7580 7581 IPSEC_ASSERT(so != NULL, ("null socket")); 7582 IPSEC_ASSERT(mhp != NULL, ("null msghdr")); 7583 IPSEC_ASSERT(mhp->msg != NULL, ("null msg")); 7584 7585 /* map satype to proto */ 7586 if ((proto = key_satype2proto(mhp->msg->sadb_msg_satype)) == 0) { 7587 ipseclog((LOG_DEBUG, "%s: invalid satype is passed.\n", 7588 __func__)); 7589 return key_senderror(so, m, EINVAL); 7590 } 7591 KEYDBG(KEY_STAMP, 7592 printf("%s: proto %u\n", __func__, proto)); 7593 7594 TAILQ_INIT(&flushq); 7595 if (proto == IPSEC_PROTO_ANY) { 7596 /* no SATYPE specified, i.e. flushing all SA. */ 7597 SAHTREE_WLOCK(); 7598 /* Move all SAHs into flushq */ 7599 TAILQ_CONCAT(&flushq, &V_sahtree, chain); 7600 /* Flush all buckets in SPI hash */ 7601 for (i = 0; i < V_savhash_mask + 1; i++) 7602 LIST_INIT(&V_savhashtbl[i]); 7603 /* Flush all buckets in SAHADDRHASH */ 7604 for (i = 0; i < V_sahaddrhash_mask + 1; i++) 7605 LIST_INIT(&V_sahaddrhashtbl[i]); 7606 /* Mark all SAHs as unlinked */ 7607 TAILQ_FOREACH(sah, &flushq, chain) { 7608 sah->state = SADB_SASTATE_DEAD; 7609 /* 7610 * Callout handler makes its job using 7611 * RLOCK and drain queues. In case, when this 7612 * function will be called just before it 7613 * acquires WLOCK, we need to mark SAs as 7614 * unlinked to prevent second unlink. 7615 */ 7616 TAILQ_FOREACH(sav, &sah->savtree_larval, chain) { 7617 sav->state = SADB_SASTATE_DEAD; 7618 } 7619 TAILQ_FOREACH(sav, &sah->savtree_alive, chain) { 7620 sav->state = SADB_SASTATE_DEAD; 7621 } 7622 } 7623 SAHTREE_WUNLOCK(); 7624 } else { 7625 SAHTREE_WLOCK(); 7626 sah = TAILQ_FIRST(&V_sahtree); 7627 while (sah != NULL) { 7628 IPSEC_ASSERT(sah->state != SADB_SASTATE_DEAD, 7629 ("DEAD SAH %p in SADB_FLUSH", sah)); 7630 nextsah = TAILQ_NEXT(sah, chain); 7631 if (sah->saidx.proto != proto) { 7632 sah = nextsah; 7633 continue; 7634 } 7635 sah->state = SADB_SASTATE_DEAD; 7636 TAILQ_REMOVE(&V_sahtree, sah, chain); 7637 LIST_REMOVE(sah, addrhash); 7638 /* Unlink all SAs from SPI hash */ 7639 TAILQ_FOREACH(sav, &sah->savtree_larval, chain) { 7640 LIST_REMOVE(sav, spihash); 7641 sav->state = SADB_SASTATE_DEAD; 7642 } 7643 TAILQ_FOREACH(sav, &sah->savtree_alive, chain) { 7644 LIST_REMOVE(sav, spihash); 7645 sav->state = SADB_SASTATE_DEAD; 7646 } 7647 /* Add SAH into flushq */ 7648 TAILQ_INSERT_HEAD(&flushq, sah, chain); 7649 sah = nextsah; 7650 } 7651 SAHTREE_WUNLOCK(); 7652 } 7653 7654 key_freesah_flushed(&flushq); 7655 /* Free all queued SAs and SAHs */ 7656 if (m->m_len < sizeof(struct sadb_msg) || 7657 sizeof(struct sadb_msg) > m->m_len + M_TRAILINGSPACE(m)) { 7658 ipseclog((LOG_DEBUG, "%s: No more memory.\n", __func__)); 7659 return key_senderror(so, m, ENOBUFS); 7660 } 7661 7662 if (m->m_next) 7663 m_freem(m->m_next); 7664 m->m_next = NULL; 7665 m->m_pkthdr.len = m->m_len = sizeof(struct sadb_msg); 7666 newmsg = mtod(m, struct sadb_msg *); 7667 newmsg->sadb_msg_errno = 0; 7668 newmsg->sadb_msg_len = PFKEY_UNIT64(m->m_pkthdr.len); 7669 7670 return key_sendup_mbuf(so, m, KEY_SENDUP_ALL); 7671 } 7672 7673 /* 7674 * SADB_DUMP processing 7675 * dump all entries including status of DEAD in SAD. 7676 * receive 7677 * <base> 7678 * from the ikmpd, and dump all secasvar leaves 7679 * and send, 7680 * <base> ..... 7681 * to the ikmpd. 7682 * 7683 * m will always be freed. 7684 */ 7685 static int 7686 key_dump(struct socket *so, struct mbuf *m, const struct sadb_msghdr *mhp) 7687 { 7688 SAHTREE_RLOCK_TRACKER; 7689 struct secashead *sah; 7690 struct secasvar *sav; 7691 struct mbuf *n; 7692 uint32_t cnt; 7693 uint8_t proto, satype; 7694 7695 IPSEC_ASSERT(so != NULL, ("null socket")); 7696 IPSEC_ASSERT(m != NULL, ("null mbuf")); 7697 IPSEC_ASSERT(mhp != NULL, ("null msghdr")); 7698 IPSEC_ASSERT(mhp->msg != NULL, ("null msg")); 7699 7700 /* map satype to proto */ 7701 if ((proto = key_satype2proto(mhp->msg->sadb_msg_satype)) == 0) { 7702 ipseclog((LOG_DEBUG, "%s: invalid satype is passed.\n", 7703 __func__)); 7704 return key_senderror(so, m, EINVAL); 7705 } 7706 7707 /* count sav entries to be sent to the userland. */ 7708 cnt = 0; 7709 SAHTREE_RLOCK(); 7710 TAILQ_FOREACH(sah, &V_sahtree, chain) { 7711 if (mhp->msg->sadb_msg_satype != SADB_SATYPE_UNSPEC && 7712 proto != sah->saidx.proto) 7713 continue; 7714 7715 TAILQ_FOREACH(sav, &sah->savtree_larval, chain) 7716 cnt++; 7717 TAILQ_FOREACH(sav, &sah->savtree_alive, chain) 7718 cnt++; 7719 } 7720 7721 if (cnt == 0) { 7722 SAHTREE_RUNLOCK(); 7723 return key_senderror(so, m, ENOENT); 7724 } 7725 7726 /* send this to the userland, one at a time. */ 7727 TAILQ_FOREACH(sah, &V_sahtree, chain) { 7728 if (mhp->msg->sadb_msg_satype != SADB_SATYPE_UNSPEC && 7729 proto != sah->saidx.proto) 7730 continue; 7731 7732 /* map proto to satype */ 7733 if ((satype = key_proto2satype(sah->saidx.proto)) == 0) { 7734 SAHTREE_RUNLOCK(); 7735 ipseclog((LOG_DEBUG, "%s: there was invalid proto in " 7736 "SAD.\n", __func__)); 7737 return key_senderror(so, m, EINVAL); 7738 } 7739 TAILQ_FOREACH(sav, &sah->savtree_larval, chain) { 7740 n = key_setdumpsa(sav, SADB_DUMP, satype, 7741 --cnt, mhp->msg->sadb_msg_pid); 7742 if (n == NULL) { 7743 SAHTREE_RUNLOCK(); 7744 return key_senderror(so, m, ENOBUFS); 7745 } 7746 key_sendup_mbuf(so, n, KEY_SENDUP_ONE); 7747 } 7748 TAILQ_FOREACH(sav, &sah->savtree_alive, chain) { 7749 n = key_setdumpsa(sav, SADB_DUMP, satype, 7750 --cnt, mhp->msg->sadb_msg_pid); 7751 if (n == NULL) { 7752 SAHTREE_RUNLOCK(); 7753 return key_senderror(so, m, ENOBUFS); 7754 } 7755 key_sendup_mbuf(so, n, KEY_SENDUP_ONE); 7756 } 7757 } 7758 SAHTREE_RUNLOCK(); 7759 m_freem(m); 7760 return (0); 7761 } 7762 /* 7763 * SADB_X_PROMISC processing 7764 * 7765 * m will always be freed. 7766 */ 7767 static int 7768 key_promisc(struct socket *so, struct mbuf *m, const struct sadb_msghdr *mhp) 7769 { 7770 int olen; 7771 7772 IPSEC_ASSERT(so != NULL, ("null socket")); 7773 IPSEC_ASSERT(m != NULL, ("null mbuf")); 7774 IPSEC_ASSERT(mhp != NULL, ("null msghdr")); 7775 IPSEC_ASSERT(mhp->msg != NULL, ("null msg")); 7776 7777 olen = PFKEY_UNUNIT64(mhp->msg->sadb_msg_len); 7778 7779 if (olen < sizeof(struct sadb_msg)) { 7780 #if 1 7781 return key_senderror(so, m, EINVAL); 7782 #else 7783 m_freem(m); 7784 return 0; 7785 #endif 7786 } else if (olen == sizeof(struct sadb_msg)) { 7787 /* enable/disable promisc mode */ 7788 struct keycb *kp; 7789 7790 if ((kp = so->so_pcb) == NULL) 7791 return key_senderror(so, m, EINVAL); 7792 mhp->msg->sadb_msg_errno = 0; 7793 switch (mhp->msg->sadb_msg_satype) { 7794 case 0: 7795 case 1: 7796 kp->kp_promisc = mhp->msg->sadb_msg_satype; 7797 break; 7798 default: 7799 return key_senderror(so, m, EINVAL); 7800 } 7801 7802 /* send the original message back to everyone */ 7803 mhp->msg->sadb_msg_errno = 0; 7804 return key_sendup_mbuf(so, m, KEY_SENDUP_ALL); 7805 } else { 7806 /* send packet as is */ 7807 7808 m_adj(m, PFKEY_ALIGN8(sizeof(struct sadb_msg))); 7809 7810 /* TODO: if sadb_msg_seq is specified, send to specific pid */ 7811 return key_sendup_mbuf(so, m, KEY_SENDUP_ALL); 7812 } 7813 } 7814 7815 static int (*key_typesw[])(struct socket *, struct mbuf *, 7816 const struct sadb_msghdr *) = { 7817 [SADB_RESERVED] = NULL, 7818 [SADB_GETSPI] = key_getspi, 7819 [SADB_UPDATE] = key_update, 7820 [SADB_ADD] = key_add, 7821 [SADB_DELETE] = key_delete, 7822 [SADB_GET] = key_get, 7823 [SADB_ACQUIRE] = key_acquire2, 7824 [SADB_REGISTER] = key_register, 7825 [SADB_EXPIRE] = NULL, 7826 [SADB_FLUSH] = key_flush, 7827 [SADB_DUMP] = key_dump, 7828 [SADB_X_PROMISC] = key_promisc, 7829 [SADB_X_PCHANGE] = NULL, 7830 [SADB_X_SPDUPDATE] = key_spdadd, 7831 [SADB_X_SPDADD] = key_spdadd, 7832 [SADB_X_SPDDELETE] = key_spddelete, 7833 [SADB_X_SPDGET] = key_spdget, 7834 [SADB_X_SPDACQUIRE] = NULL, 7835 [SADB_X_SPDDUMP] = key_spddump, 7836 [SADB_X_SPDFLUSH] = key_spdflush, 7837 [SADB_X_SPDSETIDX] = key_spdadd, 7838 [SADB_X_SPDEXPIRE] = NULL, 7839 [SADB_X_SPDDELETE2] = key_spddelete2, 7840 }; 7841 7842 /* 7843 * parse sadb_msg buffer to process PFKEYv2, 7844 * and create a data to response if needed. 7845 * I think to be dealed with mbuf directly. 7846 * IN: 7847 * msgp : pointer to pointer to a received buffer pulluped. 7848 * This is rewrited to response. 7849 * so : pointer to socket. 7850 * OUT: 7851 * length for buffer to send to user process. 7852 */ 7853 int 7854 key_parse(struct mbuf *m, struct socket *so) 7855 { 7856 struct sadb_msg *msg; 7857 struct sadb_msghdr mh; 7858 u_int orglen; 7859 int error; 7860 int target; 7861 7862 IPSEC_ASSERT(so != NULL, ("null socket")); 7863 IPSEC_ASSERT(m != NULL, ("null mbuf")); 7864 7865 if (m->m_len < sizeof(struct sadb_msg)) { 7866 m = m_pullup(m, sizeof(struct sadb_msg)); 7867 if (!m) 7868 return ENOBUFS; 7869 } 7870 msg = mtod(m, struct sadb_msg *); 7871 orglen = PFKEY_UNUNIT64(msg->sadb_msg_len); 7872 target = KEY_SENDUP_ONE; 7873 7874 if ((m->m_flags & M_PKTHDR) == 0 || m->m_pkthdr.len != orglen) { 7875 ipseclog((LOG_DEBUG, "%s: invalid message length.\n",__func__)); 7876 PFKEYSTAT_INC(out_invlen); 7877 error = EINVAL; 7878 goto senderror; 7879 } 7880 7881 if (msg->sadb_msg_version != PF_KEY_V2) { 7882 ipseclog((LOG_DEBUG, "%s: PF_KEY version %u is mismatched.\n", 7883 __func__, msg->sadb_msg_version)); 7884 PFKEYSTAT_INC(out_invver); 7885 error = EINVAL; 7886 goto senderror; 7887 } 7888 7889 if (msg->sadb_msg_type > SADB_MAX) { 7890 ipseclog((LOG_DEBUG, "%s: invalid type %u is passed.\n", 7891 __func__, msg->sadb_msg_type)); 7892 PFKEYSTAT_INC(out_invmsgtype); 7893 error = EINVAL; 7894 goto senderror; 7895 } 7896 7897 /* for old-fashioned code - should be nuked */ 7898 if (m->m_pkthdr.len > MCLBYTES) { 7899 m_freem(m); 7900 return ENOBUFS; 7901 } 7902 if (m->m_next) { 7903 struct mbuf *n; 7904 7905 n = key_mget(m->m_pkthdr.len); 7906 if (n == NULL) { 7907 m_freem(m); 7908 return ENOBUFS; 7909 } 7910 m_copydata(m, 0, m->m_pkthdr.len, mtod(n, caddr_t)); 7911 n->m_pkthdr.len = n->m_len = m->m_pkthdr.len; 7912 n->m_next = NULL; 7913 m_freem(m); 7914 m = n; 7915 } 7916 7917 /* align the mbuf chain so that extensions are in contiguous region. */ 7918 error = key_align(m, &mh); 7919 if (error) 7920 return error; 7921 7922 msg = mh.msg; 7923 7924 /* We use satype as scope mask for spddump */ 7925 if (msg->sadb_msg_type == SADB_X_SPDDUMP) { 7926 switch (msg->sadb_msg_satype) { 7927 case IPSEC_POLICYSCOPE_ANY: 7928 case IPSEC_POLICYSCOPE_GLOBAL: 7929 case IPSEC_POLICYSCOPE_IFNET: 7930 case IPSEC_POLICYSCOPE_PCB: 7931 break; 7932 default: 7933 ipseclog((LOG_DEBUG, "%s: illegal satype=%u\n", 7934 __func__, msg->sadb_msg_type)); 7935 PFKEYSTAT_INC(out_invsatype); 7936 error = EINVAL; 7937 goto senderror; 7938 } 7939 } else { 7940 switch (msg->sadb_msg_satype) { /* check SA type */ 7941 case SADB_SATYPE_UNSPEC: 7942 switch (msg->sadb_msg_type) { 7943 case SADB_GETSPI: 7944 case SADB_UPDATE: 7945 case SADB_ADD: 7946 case SADB_DELETE: 7947 case SADB_GET: 7948 case SADB_ACQUIRE: 7949 case SADB_EXPIRE: 7950 ipseclog((LOG_DEBUG, "%s: must specify satype " 7951 "when msg type=%u.\n", __func__, 7952 msg->sadb_msg_type)); 7953 PFKEYSTAT_INC(out_invsatype); 7954 error = EINVAL; 7955 goto senderror; 7956 } 7957 break; 7958 case SADB_SATYPE_AH: 7959 case SADB_SATYPE_ESP: 7960 case SADB_X_SATYPE_IPCOMP: 7961 case SADB_X_SATYPE_TCPSIGNATURE: 7962 switch (msg->sadb_msg_type) { 7963 case SADB_X_SPDADD: 7964 case SADB_X_SPDDELETE: 7965 case SADB_X_SPDGET: 7966 case SADB_X_SPDFLUSH: 7967 case SADB_X_SPDSETIDX: 7968 case SADB_X_SPDUPDATE: 7969 case SADB_X_SPDDELETE2: 7970 ipseclog((LOG_DEBUG, "%s: illegal satype=%u\n", 7971 __func__, msg->sadb_msg_type)); 7972 PFKEYSTAT_INC(out_invsatype); 7973 error = EINVAL; 7974 goto senderror; 7975 } 7976 break; 7977 case SADB_SATYPE_RSVP: 7978 case SADB_SATYPE_OSPFV2: 7979 case SADB_SATYPE_RIPV2: 7980 case SADB_SATYPE_MIP: 7981 ipseclog((LOG_DEBUG, "%s: type %u isn't supported.\n", 7982 __func__, msg->sadb_msg_satype)); 7983 PFKEYSTAT_INC(out_invsatype); 7984 error = EOPNOTSUPP; 7985 goto senderror; 7986 case 1: /* XXX: What does it do? */ 7987 if (msg->sadb_msg_type == SADB_X_PROMISC) 7988 break; 7989 /*FALLTHROUGH*/ 7990 default: 7991 ipseclog((LOG_DEBUG, "%s: invalid type %u is passed.\n", 7992 __func__, msg->sadb_msg_satype)); 7993 PFKEYSTAT_INC(out_invsatype); 7994 error = EINVAL; 7995 goto senderror; 7996 } 7997 } 7998 7999 /* check field of upper layer protocol and address family */ 8000 if (mh.ext[SADB_EXT_ADDRESS_SRC] != NULL 8001 && mh.ext[SADB_EXT_ADDRESS_DST] != NULL) { 8002 struct sadb_address *src0, *dst0; 8003 u_int plen; 8004 8005 src0 = (struct sadb_address *)(mh.ext[SADB_EXT_ADDRESS_SRC]); 8006 dst0 = (struct sadb_address *)(mh.ext[SADB_EXT_ADDRESS_DST]); 8007 8008 /* check upper layer protocol */ 8009 if (src0->sadb_address_proto != dst0->sadb_address_proto) { 8010 ipseclog((LOG_DEBUG, "%s: upper layer protocol " 8011 "mismatched.\n", __func__)); 8012 PFKEYSTAT_INC(out_invaddr); 8013 error = EINVAL; 8014 goto senderror; 8015 } 8016 8017 /* check family */ 8018 if (PFKEY_ADDR_SADDR(src0)->sa_family != 8019 PFKEY_ADDR_SADDR(dst0)->sa_family) { 8020 ipseclog((LOG_DEBUG, "%s: address family mismatched.\n", 8021 __func__)); 8022 PFKEYSTAT_INC(out_invaddr); 8023 error = EINVAL; 8024 goto senderror; 8025 } 8026 if (PFKEY_ADDR_SADDR(src0)->sa_len != 8027 PFKEY_ADDR_SADDR(dst0)->sa_len) { 8028 ipseclog((LOG_DEBUG, "%s: address struct size " 8029 "mismatched.\n", __func__)); 8030 PFKEYSTAT_INC(out_invaddr); 8031 error = EINVAL; 8032 goto senderror; 8033 } 8034 8035 switch (PFKEY_ADDR_SADDR(src0)->sa_family) { 8036 case AF_INET: 8037 if (PFKEY_ADDR_SADDR(src0)->sa_len != 8038 sizeof(struct sockaddr_in)) { 8039 PFKEYSTAT_INC(out_invaddr); 8040 error = EINVAL; 8041 goto senderror; 8042 } 8043 break; 8044 case AF_INET6: 8045 if (PFKEY_ADDR_SADDR(src0)->sa_len != 8046 sizeof(struct sockaddr_in6)) { 8047 PFKEYSTAT_INC(out_invaddr); 8048 error = EINVAL; 8049 goto senderror; 8050 } 8051 break; 8052 default: 8053 ipseclog((LOG_DEBUG, "%s: unsupported address family\n", 8054 __func__)); 8055 PFKEYSTAT_INC(out_invaddr); 8056 error = EAFNOSUPPORT; 8057 goto senderror; 8058 } 8059 8060 switch (PFKEY_ADDR_SADDR(src0)->sa_family) { 8061 case AF_INET: 8062 plen = sizeof(struct in_addr) << 3; 8063 break; 8064 case AF_INET6: 8065 plen = sizeof(struct in6_addr) << 3; 8066 break; 8067 default: 8068 plen = 0; /*fool gcc*/ 8069 break; 8070 } 8071 8072 /* check max prefix length */ 8073 if (src0->sadb_address_prefixlen > plen || 8074 dst0->sadb_address_prefixlen > plen) { 8075 ipseclog((LOG_DEBUG, "%s: illegal prefixlen.\n", 8076 __func__)); 8077 PFKEYSTAT_INC(out_invaddr); 8078 error = EINVAL; 8079 goto senderror; 8080 } 8081 8082 /* 8083 * prefixlen == 0 is valid because there can be a case when 8084 * all addresses are matched. 8085 */ 8086 } 8087 8088 if (msg->sadb_msg_type >= nitems(key_typesw) || 8089 key_typesw[msg->sadb_msg_type] == NULL) { 8090 PFKEYSTAT_INC(out_invmsgtype); 8091 error = EINVAL; 8092 goto senderror; 8093 } 8094 8095 return (*key_typesw[msg->sadb_msg_type])(so, m, &mh); 8096 8097 senderror: 8098 msg->sadb_msg_errno = error; 8099 return key_sendup_mbuf(so, m, target); 8100 } 8101 8102 static int 8103 key_senderror(struct socket *so, struct mbuf *m, int code) 8104 { 8105 struct sadb_msg *msg; 8106 8107 IPSEC_ASSERT(m->m_len >= sizeof(struct sadb_msg), 8108 ("mbuf too small, len %u", m->m_len)); 8109 8110 msg = mtod(m, struct sadb_msg *); 8111 msg->sadb_msg_errno = code; 8112 return key_sendup_mbuf(so, m, KEY_SENDUP_ONE); 8113 } 8114 8115 /* 8116 * set the pointer to each header into message buffer. 8117 * m will be freed on error. 8118 * XXX larger-than-MCLBYTES extension? 8119 */ 8120 static int 8121 key_align(struct mbuf *m, struct sadb_msghdr *mhp) 8122 { 8123 struct mbuf *n; 8124 struct sadb_ext *ext; 8125 size_t off, end; 8126 int extlen; 8127 int toff; 8128 8129 IPSEC_ASSERT(m != NULL, ("null mbuf")); 8130 IPSEC_ASSERT(mhp != NULL, ("null msghdr")); 8131 IPSEC_ASSERT(m->m_len >= sizeof(struct sadb_msg), 8132 ("mbuf too small, len %u", m->m_len)); 8133 8134 /* initialize */ 8135 bzero(mhp, sizeof(*mhp)); 8136 8137 mhp->msg = mtod(m, struct sadb_msg *); 8138 mhp->ext[0] = (struct sadb_ext *)mhp->msg; /*XXX backward compat */ 8139 8140 end = PFKEY_UNUNIT64(mhp->msg->sadb_msg_len); 8141 extlen = end; /*just in case extlen is not updated*/ 8142 for (off = sizeof(struct sadb_msg); off < end; off += extlen) { 8143 n = m_pulldown(m, off, sizeof(struct sadb_ext), &toff); 8144 if (!n) { 8145 /* m is already freed */ 8146 return ENOBUFS; 8147 } 8148 ext = (struct sadb_ext *)(mtod(n, caddr_t) + toff); 8149 8150 /* set pointer */ 8151 switch (ext->sadb_ext_type) { 8152 case SADB_EXT_SA: 8153 case SADB_EXT_ADDRESS_SRC: 8154 case SADB_EXT_ADDRESS_DST: 8155 case SADB_EXT_ADDRESS_PROXY: 8156 case SADB_EXT_LIFETIME_CURRENT: 8157 case SADB_EXT_LIFETIME_HARD: 8158 case SADB_EXT_LIFETIME_SOFT: 8159 case SADB_EXT_KEY_AUTH: 8160 case SADB_EXT_KEY_ENCRYPT: 8161 case SADB_EXT_IDENTITY_SRC: 8162 case SADB_EXT_IDENTITY_DST: 8163 case SADB_EXT_SENSITIVITY: 8164 case SADB_EXT_PROPOSAL: 8165 case SADB_EXT_SUPPORTED_AUTH: 8166 case SADB_EXT_SUPPORTED_ENCRYPT: 8167 case SADB_EXT_SPIRANGE: 8168 case SADB_X_EXT_POLICY: 8169 case SADB_X_EXT_SA2: 8170 case SADB_X_EXT_NAT_T_TYPE: 8171 case SADB_X_EXT_NAT_T_SPORT: 8172 case SADB_X_EXT_NAT_T_DPORT: 8173 case SADB_X_EXT_NAT_T_OAI: 8174 case SADB_X_EXT_NAT_T_OAR: 8175 case SADB_X_EXT_NAT_T_FRAG: 8176 case SADB_X_EXT_SA_REPLAY: 8177 case SADB_X_EXT_NEW_ADDRESS_SRC: 8178 case SADB_X_EXT_NEW_ADDRESS_DST: 8179 /* duplicate check */ 8180 /* 8181 * XXX Are there duplication payloads of either 8182 * KEY_AUTH or KEY_ENCRYPT ? 8183 */ 8184 if (mhp->ext[ext->sadb_ext_type] != NULL) { 8185 ipseclog((LOG_DEBUG, "%s: duplicate ext_type " 8186 "%u\n", __func__, ext->sadb_ext_type)); 8187 m_freem(m); 8188 PFKEYSTAT_INC(out_dupext); 8189 return EINVAL; 8190 } 8191 break; 8192 default: 8193 ipseclog((LOG_DEBUG, "%s: invalid ext_type %u\n", 8194 __func__, ext->sadb_ext_type)); 8195 m_freem(m); 8196 PFKEYSTAT_INC(out_invexttype); 8197 return EINVAL; 8198 } 8199 8200 extlen = PFKEY_UNUNIT64(ext->sadb_ext_len); 8201 8202 if (key_validate_ext(ext, extlen)) { 8203 m_freem(m); 8204 PFKEYSTAT_INC(out_invlen); 8205 return EINVAL; 8206 } 8207 8208 n = m_pulldown(m, off, extlen, &toff); 8209 if (!n) { 8210 /* m is already freed */ 8211 return ENOBUFS; 8212 } 8213 ext = (struct sadb_ext *)(mtod(n, caddr_t) + toff); 8214 8215 mhp->ext[ext->sadb_ext_type] = ext; 8216 mhp->extoff[ext->sadb_ext_type] = off; 8217 mhp->extlen[ext->sadb_ext_type] = extlen; 8218 } 8219 8220 if (off != end) { 8221 m_freem(m); 8222 PFKEYSTAT_INC(out_invlen); 8223 return EINVAL; 8224 } 8225 8226 return 0; 8227 } 8228 8229 static int 8230 key_validate_ext(const struct sadb_ext *ext, int len) 8231 { 8232 const struct sockaddr *sa; 8233 enum { NONE, ADDR } checktype = NONE; 8234 int baselen = 0; 8235 const int sal = offsetof(struct sockaddr, sa_len) + sizeof(sa->sa_len); 8236 8237 if (len != PFKEY_UNUNIT64(ext->sadb_ext_len)) 8238 return EINVAL; 8239 8240 /* if it does not match minimum/maximum length, bail */ 8241 if (ext->sadb_ext_type >= nitems(minsize) || 8242 ext->sadb_ext_type >= nitems(maxsize)) 8243 return EINVAL; 8244 if (!minsize[ext->sadb_ext_type] || len < minsize[ext->sadb_ext_type]) 8245 return EINVAL; 8246 if (maxsize[ext->sadb_ext_type] && len > maxsize[ext->sadb_ext_type]) 8247 return EINVAL; 8248 8249 /* more checks based on sadb_ext_type XXX need more */ 8250 switch (ext->sadb_ext_type) { 8251 case SADB_EXT_ADDRESS_SRC: 8252 case SADB_EXT_ADDRESS_DST: 8253 case SADB_EXT_ADDRESS_PROXY: 8254 case SADB_X_EXT_NAT_T_OAI: 8255 case SADB_X_EXT_NAT_T_OAR: 8256 case SADB_X_EXT_NEW_ADDRESS_SRC: 8257 case SADB_X_EXT_NEW_ADDRESS_DST: 8258 baselen = PFKEY_ALIGN8(sizeof(struct sadb_address)); 8259 checktype = ADDR; 8260 break; 8261 case SADB_EXT_IDENTITY_SRC: 8262 case SADB_EXT_IDENTITY_DST: 8263 if (((const struct sadb_ident *)ext)->sadb_ident_type == 8264 SADB_X_IDENTTYPE_ADDR) { 8265 baselen = PFKEY_ALIGN8(sizeof(struct sadb_ident)); 8266 checktype = ADDR; 8267 } else 8268 checktype = NONE; 8269 break; 8270 default: 8271 checktype = NONE; 8272 break; 8273 } 8274 8275 switch (checktype) { 8276 case NONE: 8277 break; 8278 case ADDR: 8279 sa = (const struct sockaddr *)(((const u_int8_t*)ext)+baselen); 8280 if (len < baselen + sal) 8281 return EINVAL; 8282 if (baselen + PFKEY_ALIGN8(sa->sa_len) != len) 8283 return EINVAL; 8284 break; 8285 } 8286 8287 return 0; 8288 } 8289 8290 void 8291 spdcache_init(void) 8292 { 8293 int i; 8294 8295 TUNABLE_INT_FETCH("net.key.spdcache.maxentries", 8296 &V_key_spdcache_maxentries); 8297 TUNABLE_INT_FETCH("net.key.spdcache.threshold", 8298 &V_key_spdcache_threshold); 8299 8300 if (V_key_spdcache_maxentries) { 8301 V_key_spdcache_maxentries = MAX(V_key_spdcache_maxentries, 8302 SPDCACHE_MAX_ENTRIES_PER_HASH); 8303 V_spdcachehashtbl = hashinit(V_key_spdcache_maxentries / 8304 SPDCACHE_MAX_ENTRIES_PER_HASH, 8305 M_IPSEC_SPDCACHE, &V_spdcachehash_mask); 8306 V_key_spdcache_maxentries = (V_spdcachehash_mask + 1) 8307 * SPDCACHE_MAX_ENTRIES_PER_HASH; 8308 8309 V_spdcache_lock = malloc(sizeof(struct mtx) * 8310 (V_spdcachehash_mask + 1), 8311 M_IPSEC_SPDCACHE, M_WAITOK | M_ZERO); 8312 8313 for (i = 0; i < V_spdcachehash_mask + 1; ++i) 8314 SPDCACHE_LOCK_INIT(i); 8315 } 8316 } 8317 8318 struct spdcache_entry * 8319 spdcache_entry_alloc(const struct secpolicyindex *spidx, struct secpolicy *sp) 8320 { 8321 struct spdcache_entry *entry; 8322 8323 entry = malloc(sizeof(struct spdcache_entry), M_IPSEC_SPDCACHE, 8324 M_NOWAIT | M_ZERO); 8325 if (entry == NULL) 8326 return (NULL); 8327 8328 if (sp != NULL) 8329 SP_ADDREF(sp); 8330 8331 entry->spidx = *spidx; 8332 entry->sp = sp; 8333 8334 return (entry); 8335 } 8336 8337 void 8338 spdcache_entry_free(struct spdcache_entry *entry) 8339 { 8340 8341 if (entry->sp != NULL) 8342 key_freesp(&entry->sp); 8343 free(entry, M_IPSEC_SPDCACHE); 8344 } 8345 8346 void 8347 spdcache_clear(void) 8348 { 8349 struct spdcache_entry *entry; 8350 int i; 8351 8352 for (i = 0; i < V_spdcachehash_mask + 1; ++i) { 8353 SPDCACHE_LOCK(i); 8354 while (!LIST_EMPTY(&V_spdcachehashtbl[i])) { 8355 entry = LIST_FIRST(&V_spdcachehashtbl[i]); 8356 LIST_REMOVE(entry, chain); 8357 spdcache_entry_free(entry); 8358 } 8359 SPDCACHE_UNLOCK(i); 8360 } 8361 } 8362 8363 #ifdef VIMAGE 8364 void 8365 spdcache_destroy(void) 8366 { 8367 int i; 8368 8369 if (SPDCACHE_ENABLED()) { 8370 spdcache_clear(); 8371 hashdestroy(V_spdcachehashtbl, M_IPSEC_SPDCACHE, V_spdcachehash_mask); 8372 8373 for (i = 0; i < V_spdcachehash_mask + 1; ++i) 8374 SPDCACHE_LOCK_DESTROY(i); 8375 8376 free(V_spdcache_lock, M_IPSEC_SPDCACHE); 8377 } 8378 } 8379 #endif 8380 8381 static void 8382 key_vnet_init(void *arg __unused) 8383 { 8384 int i; 8385 8386 for (i = 0; i < IPSEC_DIR_MAX; i++) { 8387 TAILQ_INIT(&V_sptree[i]); 8388 TAILQ_INIT(&V_sptree_ifnet[i]); 8389 } 8390 8391 TAILQ_INIT(&V_sahtree); 8392 V_sphashtbl = hashinit(SPHASH_NHASH, M_IPSEC_SP, &V_sphash_mask); 8393 V_savhashtbl = hashinit(SAVHASH_NHASH, M_IPSEC_SA, &V_savhash_mask); 8394 V_sahaddrhashtbl = hashinit(SAHHASH_NHASH, M_IPSEC_SAH, 8395 &V_sahaddrhash_mask); 8396 V_acqaddrhashtbl = hashinit(ACQHASH_NHASH, M_IPSEC_SAQ, 8397 &V_acqaddrhash_mask); 8398 V_acqseqhashtbl = hashinit(ACQHASH_NHASH, M_IPSEC_SAQ, 8399 &V_acqseqhash_mask); 8400 8401 spdcache_init(); 8402 8403 for (i = 0; i <= SADB_SATYPE_MAX; i++) 8404 LIST_INIT(&V_regtree[i]); 8405 8406 LIST_INIT(&V_acqtree); 8407 LIST_INIT(&V_spacqtree); 8408 } 8409 VNET_SYSINIT(key_vnet_init, SI_SUB_PROTO_DOMAIN, SI_ORDER_SECOND, 8410 key_vnet_init, NULL); 8411 8412 static void 8413 key_init(void *arg __unused) 8414 { 8415 8416 ipsec_key_lft_zone = uma_zcreate("IPsec SA lft_c", 8417 sizeof(uint64_t) * 2, NULL, NULL, NULL, NULL, 8418 UMA_ALIGN_PTR, UMA_ZONE_PCPU); 8419 8420 SPTREE_LOCK_INIT(); 8421 REGTREE_LOCK_INIT(); 8422 SAHTREE_LOCK_INIT(); 8423 ACQ_LOCK_INIT(); 8424 SPACQ_LOCK_INIT(); 8425 SPI_ALLOC_LOCK_INIT(); 8426 8427 #ifndef IPSEC_DEBUG2 8428 callout_init(&key_timer, 1); 8429 callout_reset(&key_timer, hz, key_timehandler, NULL); 8430 #endif /*IPSEC_DEBUG2*/ 8431 8432 /* initialize key statistics */ 8433 keystat.getspi_count = 1; 8434 8435 if (bootverbose) 8436 printf("IPsec: Initialized Security Association Processing.\n"); 8437 } 8438 SYSINIT(key_init, SI_SUB_PROTO_DOMAIN, SI_ORDER_FIRST, key_init, NULL); 8439 8440 #ifdef VIMAGE 8441 static void 8442 key_vnet_destroy(void *arg __unused) 8443 { 8444 struct secashead_queue sahdrainq; 8445 struct secpolicy_queue drainq; 8446 struct secpolicy *sp, *nextsp; 8447 struct secacq *acq, *nextacq; 8448 struct secspacq *spacq, *nextspacq; 8449 struct secashead *sah; 8450 struct secasvar *sav; 8451 struct secreg *reg; 8452 int i; 8453 8454 /* 8455 * XXX: can we just call free() for each object without 8456 * walking through safe way with releasing references? 8457 */ 8458 TAILQ_INIT(&drainq); 8459 SPTREE_WLOCK(); 8460 for (i = 0; i < IPSEC_DIR_MAX; i++) { 8461 TAILQ_CONCAT(&drainq, &V_sptree[i], chain); 8462 TAILQ_CONCAT(&drainq, &V_sptree_ifnet[i], chain); 8463 } 8464 for (i = 0; i < V_sphash_mask + 1; i++) 8465 LIST_INIT(&V_sphashtbl[i]); 8466 SPTREE_WUNLOCK(); 8467 spdcache_destroy(); 8468 8469 sp = TAILQ_FIRST(&drainq); 8470 while (sp != NULL) { 8471 nextsp = TAILQ_NEXT(sp, chain); 8472 key_freesp(&sp); 8473 sp = nextsp; 8474 } 8475 8476 TAILQ_INIT(&sahdrainq); 8477 SAHTREE_WLOCK(); 8478 TAILQ_CONCAT(&sahdrainq, &V_sahtree, chain); 8479 for (i = 0; i < V_savhash_mask + 1; i++) 8480 LIST_INIT(&V_savhashtbl[i]); 8481 for (i = 0; i < V_sahaddrhash_mask + 1; i++) 8482 LIST_INIT(&V_sahaddrhashtbl[i]); 8483 TAILQ_FOREACH(sah, &sahdrainq, chain) { 8484 sah->state = SADB_SASTATE_DEAD; 8485 TAILQ_FOREACH(sav, &sah->savtree_larval, chain) { 8486 sav->state = SADB_SASTATE_DEAD; 8487 } 8488 TAILQ_FOREACH(sav, &sah->savtree_alive, chain) { 8489 sav->state = SADB_SASTATE_DEAD; 8490 } 8491 } 8492 SAHTREE_WUNLOCK(); 8493 8494 key_freesah_flushed(&sahdrainq); 8495 hashdestroy(V_sphashtbl, M_IPSEC_SP, V_sphash_mask); 8496 hashdestroy(V_savhashtbl, M_IPSEC_SA, V_savhash_mask); 8497 hashdestroy(V_sahaddrhashtbl, M_IPSEC_SAH, V_sahaddrhash_mask); 8498 8499 REGTREE_LOCK(); 8500 for (i = 0; i <= SADB_SATYPE_MAX; i++) { 8501 LIST_FOREACH(reg, &V_regtree[i], chain) { 8502 if (__LIST_CHAINED(reg)) { 8503 LIST_REMOVE(reg, chain); 8504 free(reg, M_IPSEC_SAR); 8505 break; 8506 } 8507 } 8508 } 8509 REGTREE_UNLOCK(); 8510 8511 ACQ_LOCK(); 8512 acq = LIST_FIRST(&V_acqtree); 8513 while (acq != NULL) { 8514 nextacq = LIST_NEXT(acq, chain); 8515 LIST_REMOVE(acq, chain); 8516 free(acq, M_IPSEC_SAQ); 8517 acq = nextacq; 8518 } 8519 for (i = 0; i < V_acqaddrhash_mask + 1; i++) 8520 LIST_INIT(&V_acqaddrhashtbl[i]); 8521 for (i = 0; i < V_acqseqhash_mask + 1; i++) 8522 LIST_INIT(&V_acqseqhashtbl[i]); 8523 ACQ_UNLOCK(); 8524 8525 SPACQ_LOCK(); 8526 for (spacq = LIST_FIRST(&V_spacqtree); spacq != NULL; 8527 spacq = nextspacq) { 8528 nextspacq = LIST_NEXT(spacq, chain); 8529 if (__LIST_CHAINED(spacq)) { 8530 LIST_REMOVE(spacq, chain); 8531 free(spacq, M_IPSEC_SAQ); 8532 } 8533 } 8534 SPACQ_UNLOCK(); 8535 hashdestroy(V_acqaddrhashtbl, M_IPSEC_SAQ, V_acqaddrhash_mask); 8536 hashdestroy(V_acqseqhashtbl, M_IPSEC_SAQ, V_acqseqhash_mask); 8537 } 8538 VNET_SYSUNINIT(key_vnet_destroy, SI_SUB_PROTO_DOMAIN, SI_ORDER_SECOND, 8539 key_vnet_destroy, NULL); 8540 #endif 8541 8542 /* 8543 * XXX: as long as domains are not unloadable, this function is never called, 8544 * provided for consistensy and future unload support. 8545 */ 8546 static void 8547 key_destroy(void *arg __unused) 8548 { 8549 uma_zdestroy(ipsec_key_lft_zone); 8550 8551 #ifndef IPSEC_DEBUG2 8552 callout_drain(&key_timer); 8553 #endif 8554 SPTREE_LOCK_DESTROY(); 8555 REGTREE_LOCK_DESTROY(); 8556 SAHTREE_LOCK_DESTROY(); 8557 ACQ_LOCK_DESTROY(); 8558 SPACQ_LOCK_DESTROY(); 8559 SPI_ALLOC_LOCK_DESTROY(); 8560 } 8561 SYSUNINIT(key_destroy, SI_SUB_PROTO_DOMAIN, SI_ORDER_FIRST, key_destroy, NULL); 8562 8563 /* record data transfer on SA, and update timestamps */ 8564 void 8565 key_sa_recordxfer(struct secasvar *sav, struct mbuf *m) 8566 { 8567 IPSEC_ASSERT(sav != NULL, ("Null secasvar")); 8568 IPSEC_ASSERT(m != NULL, ("Null mbuf")); 8569 8570 /* 8571 * XXX Currently, there is a difference of bytes size 8572 * between inbound and outbound processing. 8573 */ 8574 counter_u64_add(sav->lft_c_bytes, m->m_pkthdr.len); 8575 8576 /* 8577 * We use the number of packets as the unit of 8578 * allocations. We increment the variable 8579 * whenever {esp,ah}_{in,out}put is called. 8580 */ 8581 counter_u64_add(sav->lft_c_allocations, 1); 8582 8583 /* 8584 * NOTE: We record CURRENT usetime by using wall clock, 8585 * in seconds. HARD and SOFT lifetime are measured by the time 8586 * difference (again in seconds) from usetime. 8587 * 8588 * usetime 8589 * v expire expire 8590 * -----+-----+--------+---> t 8591 * <--------------> HARD 8592 * <-----> SOFT 8593 */ 8594 if (sav->firstused == 0) 8595 sav->firstused = time_second; 8596 } 8597 8598 /* 8599 * Take one of the kernel's security keys and convert it into a PF_KEY 8600 * structure within an mbuf, suitable for sending up to a waiting 8601 * application in user land. 8602 * 8603 * IN: 8604 * src: A pointer to a kernel security key. 8605 * exttype: Which type of key this is. Refer to the PF_KEY data structures. 8606 * OUT: 8607 * a valid mbuf or NULL indicating an error 8608 * 8609 */ 8610 8611 static struct mbuf * 8612 key_setkey(struct seckey *src, uint16_t exttype) 8613 { 8614 struct mbuf *m; 8615 struct sadb_key *p; 8616 int len; 8617 8618 if (src == NULL) 8619 return NULL; 8620 8621 len = PFKEY_ALIGN8(sizeof(struct sadb_key) + _KEYLEN(src)); 8622 m = m_get2(len, M_NOWAIT, MT_DATA, 0); 8623 if (m == NULL) 8624 return NULL; 8625 m_align(m, len); 8626 m->m_len = len; 8627 p = mtod(m, struct sadb_key *); 8628 bzero(p, len); 8629 p->sadb_key_len = PFKEY_UNIT64(len); 8630 p->sadb_key_exttype = exttype; 8631 p->sadb_key_bits = src->bits; 8632 bcopy(src->key_data, _KEYBUF(p), _KEYLEN(src)); 8633 8634 return m; 8635 } 8636 8637 /* 8638 * Take one of the kernel's lifetime data structures and convert it 8639 * into a PF_KEY structure within an mbuf, suitable for sending up to 8640 * a waiting application in user land. 8641 * 8642 * IN: 8643 * src: A pointer to a kernel lifetime structure. 8644 * exttype: Which type of lifetime this is. Refer to the PF_KEY 8645 * data structures for more information. 8646 * OUT: 8647 * a valid mbuf or NULL indicating an error 8648 * 8649 */ 8650 8651 static struct mbuf * 8652 key_setlifetime(struct seclifetime *src, uint16_t exttype) 8653 { 8654 struct mbuf *m = NULL; 8655 struct sadb_lifetime *p; 8656 int len = PFKEY_ALIGN8(sizeof(struct sadb_lifetime)); 8657 8658 if (src == NULL) 8659 return NULL; 8660 8661 m = m_get2(len, M_NOWAIT, MT_DATA, 0); 8662 if (m == NULL) 8663 return m; 8664 m_align(m, len); 8665 m->m_len = len; 8666 p = mtod(m, struct sadb_lifetime *); 8667 8668 bzero(p, len); 8669 p->sadb_lifetime_len = PFKEY_UNIT64(len); 8670 p->sadb_lifetime_exttype = exttype; 8671 p->sadb_lifetime_allocations = src->allocations; 8672 p->sadb_lifetime_bytes = src->bytes; 8673 p->sadb_lifetime_addtime = src->addtime; 8674 p->sadb_lifetime_usetime = src->usetime; 8675 8676 return m; 8677 8678 } 8679 8680 const struct enc_xform * 8681 enc_algorithm_lookup(int alg) 8682 { 8683 int i; 8684 8685 for (i = 0; i < nitems(supported_ealgs); i++) 8686 if (alg == supported_ealgs[i].sadb_alg) 8687 return (supported_ealgs[i].xform); 8688 return (NULL); 8689 } 8690 8691 const struct auth_hash * 8692 auth_algorithm_lookup(int alg) 8693 { 8694 int i; 8695 8696 for (i = 0; i < nitems(supported_aalgs); i++) 8697 if (alg == supported_aalgs[i].sadb_alg) 8698 return (supported_aalgs[i].xform); 8699 return (NULL); 8700 } 8701 8702 const struct comp_algo * 8703 comp_algorithm_lookup(int alg) 8704 { 8705 int i; 8706 8707 for (i = 0; i < nitems(supported_calgs); i++) 8708 if (alg == supported_calgs[i].sadb_alg) 8709 return (supported_calgs[i].xform); 8710 return (NULL); 8711 } 8712