1 /* $FreeBSD$ */ 2 /* $KAME: key.c,v 1.191 2001/06/27 10:46:49 sakane Exp $ */ 3 4 /*- 5 * SPDX-License-Identifier: BSD-3-Clause 6 * 7 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. 8 * All rights reserved. 9 * 10 * Redistribution and use in source and binary forms, with or without 11 * modification, are permitted provided that the following conditions 12 * are met: 13 * 1. Redistributions of source code must retain the above copyright 14 * notice, this list of conditions and the following disclaimer. 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in the 17 * documentation and/or other materials provided with the distribution. 18 * 3. Neither the name of the project nor the names of its contributors 19 * may be used to endorse or promote products derived from this software 20 * without specific prior written permission. 21 * 22 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 23 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 24 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 25 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 31 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 32 * SUCH DAMAGE. 33 */ 34 35 /* 36 * This code is referd to RFC 2367 37 */ 38 39 #include "opt_inet.h" 40 #include "opt_inet6.h" 41 #include "opt_ipsec.h" 42 43 #include <sys/types.h> 44 #include <sys/param.h> 45 #include <sys/systm.h> 46 #include <sys/kernel.h> 47 #include <sys/fnv_hash.h> 48 #include <sys/lock.h> 49 #include <sys/mutex.h> 50 #include <sys/mbuf.h> 51 #include <sys/domain.h> 52 #include <sys/protosw.h> 53 #include <sys/malloc.h> 54 #include <sys/rmlock.h> 55 #include <sys/socket.h> 56 #include <sys/socketvar.h> 57 #include <sys/sysctl.h> 58 #include <sys/errno.h> 59 #include <sys/proc.h> 60 #include <sys/queue.h> 61 #include <sys/refcount.h> 62 #include <sys/syslog.h> 63 64 #include <vm/uma.h> 65 66 #include <net/if.h> 67 #include <net/if_var.h> 68 #include <net/vnet.h> 69 70 #include <netinet/in.h> 71 #include <netinet/in_systm.h> 72 #include <netinet/ip.h> 73 #include <netinet/in_var.h> 74 #include <netinet/udp.h> 75 76 #ifdef INET6 77 #include <netinet/ip6.h> 78 #include <netinet6/in6_var.h> 79 #include <netinet6/ip6_var.h> 80 #endif /* INET6 */ 81 82 #include <net/pfkeyv2.h> 83 #include <netipsec/keydb.h> 84 #include <netipsec/key.h> 85 #include <netipsec/keysock.h> 86 #include <netipsec/key_debug.h> 87 88 #include <netipsec/ipsec.h> 89 #ifdef INET6 90 #include <netipsec/ipsec6.h> 91 #endif 92 93 #include <netipsec/xform.h> 94 #include <machine/in_cksum.h> 95 #include <machine/stdarg.h> 96 97 /* randomness */ 98 #include <sys/random.h> 99 100 #define FULLMASK 0xff 101 #define _BITS(bytes) ((bytes) << 3) 102 103 #define UINT32_80PCT 0xcccccccc 104 /* 105 * Note on SA reference counting: 106 * - SAs that are not in DEAD state will have (total external reference + 1) 107 * following value in reference count field. they cannot be freed and are 108 * referenced from SA header. 109 * - SAs that are in DEAD state will have (total external reference) 110 * in reference count field. they are ready to be freed. reference from 111 * SA header will be removed in key_delsav(), when the reference count 112 * field hits 0 (= no external reference other than from SA header. 113 */ 114 115 VNET_DEFINE(u_int32_t, key_debug_level) = 0; 116 VNET_DEFINE_STATIC(u_int, key_spi_trycnt) = 1000; 117 VNET_DEFINE_STATIC(u_int32_t, key_spi_minval) = 0x100; 118 VNET_DEFINE_STATIC(u_int32_t, key_spi_maxval) = 0x0fffffff; /* XXX */ 119 VNET_DEFINE_STATIC(u_int32_t, policy_id) = 0; 120 /*interval to initialize randseed,1(m)*/ 121 VNET_DEFINE_STATIC(u_int, key_int_random) = 60; 122 /* interval to expire acquiring, 30(s)*/ 123 VNET_DEFINE_STATIC(u_int, key_larval_lifetime) = 30; 124 /* counter for blocking SADB_ACQUIRE.*/ 125 VNET_DEFINE_STATIC(int, key_blockacq_count) = 10; 126 /* lifetime for blocking SADB_ACQUIRE.*/ 127 VNET_DEFINE_STATIC(int, key_blockacq_lifetime) = 20; 128 /* preferred old sa rather than new sa.*/ 129 VNET_DEFINE_STATIC(int, key_preferred_oldsa) = 1; 130 #define V_key_spi_trycnt VNET(key_spi_trycnt) 131 #define V_key_spi_minval VNET(key_spi_minval) 132 #define V_key_spi_maxval VNET(key_spi_maxval) 133 #define V_policy_id VNET(policy_id) 134 #define V_key_int_random VNET(key_int_random) 135 #define V_key_larval_lifetime VNET(key_larval_lifetime) 136 #define V_key_blockacq_count VNET(key_blockacq_count) 137 #define V_key_blockacq_lifetime VNET(key_blockacq_lifetime) 138 #define V_key_preferred_oldsa VNET(key_preferred_oldsa) 139 140 VNET_DEFINE_STATIC(u_int32_t, acq_seq) = 0; 141 #define V_acq_seq VNET(acq_seq) 142 143 VNET_DEFINE_STATIC(uint32_t, sp_genid) = 0; 144 #define V_sp_genid VNET(sp_genid) 145 146 /* SPD */ 147 TAILQ_HEAD(secpolicy_queue, secpolicy); 148 LIST_HEAD(secpolicy_list, secpolicy); 149 VNET_DEFINE_STATIC(struct secpolicy_queue, sptree[IPSEC_DIR_MAX]); 150 VNET_DEFINE_STATIC(struct secpolicy_queue, sptree_ifnet[IPSEC_DIR_MAX]); 151 static struct rmlock sptree_lock; 152 #define V_sptree VNET(sptree) 153 #define V_sptree_ifnet VNET(sptree_ifnet) 154 #define SPTREE_LOCK_INIT() rm_init(&sptree_lock, "sptree") 155 #define SPTREE_LOCK_DESTROY() rm_destroy(&sptree_lock) 156 #define SPTREE_RLOCK_TRACKER struct rm_priotracker sptree_tracker 157 #define SPTREE_RLOCK() rm_rlock(&sptree_lock, &sptree_tracker) 158 #define SPTREE_RUNLOCK() rm_runlock(&sptree_lock, &sptree_tracker) 159 #define SPTREE_RLOCK_ASSERT() rm_assert(&sptree_lock, RA_RLOCKED) 160 #define SPTREE_WLOCK() rm_wlock(&sptree_lock) 161 #define SPTREE_WUNLOCK() rm_wunlock(&sptree_lock) 162 #define SPTREE_WLOCK_ASSERT() rm_assert(&sptree_lock, RA_WLOCKED) 163 #define SPTREE_UNLOCK_ASSERT() rm_assert(&sptree_lock, RA_UNLOCKED) 164 165 /* Hash table for lookup SP using unique id */ 166 VNET_DEFINE_STATIC(struct secpolicy_list *, sphashtbl); 167 VNET_DEFINE_STATIC(u_long, sphash_mask); 168 #define V_sphashtbl VNET(sphashtbl) 169 #define V_sphash_mask VNET(sphash_mask) 170 171 #define SPHASH_NHASH_LOG2 7 172 #define SPHASH_NHASH (1 << SPHASH_NHASH_LOG2) 173 #define SPHASH_HASHVAL(id) (key_u32hash(id) & V_sphash_mask) 174 #define SPHASH_HASH(id) &V_sphashtbl[SPHASH_HASHVAL(id)] 175 176 /* SPD cache */ 177 struct spdcache_entry { 178 struct secpolicyindex spidx; /* secpolicyindex */ 179 struct secpolicy *sp; /* cached policy to be used */ 180 181 LIST_ENTRY(spdcache_entry) chain; 182 }; 183 LIST_HEAD(spdcache_entry_list, spdcache_entry); 184 185 #define SPDCACHE_MAX_ENTRIES_PER_HASH 8 186 187 VNET_DEFINE_STATIC(u_int, key_spdcache_maxentries) = 0; 188 #define V_key_spdcache_maxentries VNET(key_spdcache_maxentries) 189 VNET_DEFINE_STATIC(u_int, key_spdcache_threshold) = 32; 190 #define V_key_spdcache_threshold VNET(key_spdcache_threshold) 191 VNET_DEFINE_STATIC(unsigned long, spd_size) = 0; 192 #define V_spd_size VNET(spd_size) 193 194 #define SPDCACHE_ENABLED() (V_key_spdcache_maxentries != 0) 195 #define SPDCACHE_ACTIVE() \ 196 (SPDCACHE_ENABLED() && V_spd_size >= V_key_spdcache_threshold) 197 198 VNET_DEFINE_STATIC(struct spdcache_entry_list *, spdcachehashtbl); 199 VNET_DEFINE_STATIC(u_long, spdcachehash_mask); 200 #define V_spdcachehashtbl VNET(spdcachehashtbl) 201 #define V_spdcachehash_mask VNET(spdcachehash_mask) 202 203 #define SPDCACHE_HASHVAL(idx) \ 204 (key_addrprotohash(&(idx)->src, &(idx)->dst, &(idx)->ul_proto) & \ 205 V_spdcachehash_mask) 206 207 /* Each cache line is protected by a mutex */ 208 VNET_DEFINE_STATIC(struct mtx *, spdcache_lock); 209 #define V_spdcache_lock VNET(spdcache_lock) 210 211 #define SPDCACHE_LOCK_INIT(a) \ 212 mtx_init(&V_spdcache_lock[a], "spdcache", \ 213 "fast ipsec SPD cache", MTX_DEF|MTX_DUPOK) 214 #define SPDCACHE_LOCK_DESTROY(a) mtx_destroy(&V_spdcache_lock[a]) 215 #define SPDCACHE_LOCK(a) mtx_lock(&V_spdcache_lock[a]); 216 #define SPDCACHE_UNLOCK(a) mtx_unlock(&V_spdcache_lock[a]); 217 218 static struct sx spi_alloc_lock; 219 #define SPI_ALLOC_LOCK_INIT() sx_init(&spi_alloc_lock, "spialloc") 220 #define SPI_ALLOC_LOCK_DESTROY() sx_destroy(&spi_alloc_lock) 221 #define SPI_ALLOC_LOCK() sx_xlock(&spi_alloc_lock) 222 #define SPI_ALLOC_UNLOCK() sx_unlock(&spi_alloc_lock) 223 #define SPI_ALLOC_LOCK_ASSERT() sx_assert(&spi_alloc_lock, SA_XLOCKED) 224 225 /* SAD */ 226 TAILQ_HEAD(secashead_queue, secashead); 227 LIST_HEAD(secashead_list, secashead); 228 VNET_DEFINE_STATIC(struct secashead_queue, sahtree); 229 static struct rmlock sahtree_lock; 230 #define V_sahtree VNET(sahtree) 231 #define SAHTREE_LOCK_INIT() rm_init(&sahtree_lock, "sahtree") 232 #define SAHTREE_LOCK_DESTROY() rm_destroy(&sahtree_lock) 233 #define SAHTREE_RLOCK_TRACKER struct rm_priotracker sahtree_tracker 234 #define SAHTREE_RLOCK() rm_rlock(&sahtree_lock, &sahtree_tracker) 235 #define SAHTREE_RUNLOCK() rm_runlock(&sahtree_lock, &sahtree_tracker) 236 #define SAHTREE_RLOCK_ASSERT() rm_assert(&sahtree_lock, RA_RLOCKED) 237 #define SAHTREE_WLOCK() rm_wlock(&sahtree_lock) 238 #define SAHTREE_WUNLOCK() rm_wunlock(&sahtree_lock) 239 #define SAHTREE_WLOCK_ASSERT() rm_assert(&sahtree_lock, RA_WLOCKED) 240 #define SAHTREE_UNLOCK_ASSERT() rm_assert(&sahtree_lock, RA_UNLOCKED) 241 242 /* Hash table for lookup in SAD using SA addresses */ 243 VNET_DEFINE_STATIC(struct secashead_list *, sahaddrhashtbl); 244 VNET_DEFINE_STATIC(u_long, sahaddrhash_mask); 245 #define V_sahaddrhashtbl VNET(sahaddrhashtbl) 246 #define V_sahaddrhash_mask VNET(sahaddrhash_mask) 247 248 #define SAHHASH_NHASH_LOG2 7 249 #define SAHHASH_NHASH (1 << SAHHASH_NHASH_LOG2) 250 #define SAHADDRHASH_HASHVAL(idx) \ 251 (key_addrprotohash(&(idx)->src, &(idx)->dst, &(idx)->proto) & \ 252 V_sahaddrhash_mask) 253 #define SAHADDRHASH_HASH(saidx) \ 254 &V_sahaddrhashtbl[SAHADDRHASH_HASHVAL(saidx)] 255 256 /* Hash table for lookup in SAD using SPI */ 257 LIST_HEAD(secasvar_list, secasvar); 258 VNET_DEFINE_STATIC(struct secasvar_list *, savhashtbl); 259 VNET_DEFINE_STATIC(u_long, savhash_mask); 260 #define V_savhashtbl VNET(savhashtbl) 261 #define V_savhash_mask VNET(savhash_mask) 262 #define SAVHASH_NHASH_LOG2 7 263 #define SAVHASH_NHASH (1 << SAVHASH_NHASH_LOG2) 264 #define SAVHASH_HASHVAL(spi) (key_u32hash(spi) & V_savhash_mask) 265 #define SAVHASH_HASH(spi) &V_savhashtbl[SAVHASH_HASHVAL(spi)] 266 267 static uint32_t 268 key_addrprotohash(const union sockaddr_union *src, 269 const union sockaddr_union *dst, const uint8_t *proto) 270 { 271 uint32_t hval; 272 273 hval = fnv_32_buf(proto, sizeof(*proto), 274 FNV1_32_INIT); 275 switch (dst->sa.sa_family) { 276 #ifdef INET 277 case AF_INET: 278 hval = fnv_32_buf(&src->sin.sin_addr, 279 sizeof(in_addr_t), hval); 280 hval = fnv_32_buf(&dst->sin.sin_addr, 281 sizeof(in_addr_t), hval); 282 break; 283 #endif 284 #ifdef INET6 285 case AF_INET6: 286 hval = fnv_32_buf(&src->sin6.sin6_addr, 287 sizeof(struct in6_addr), hval); 288 hval = fnv_32_buf(&dst->sin6.sin6_addr, 289 sizeof(struct in6_addr), hval); 290 break; 291 #endif 292 default: 293 hval = 0; 294 ipseclog((LOG_DEBUG, "%s: unknown address family %d\n", 295 __func__, dst->sa.sa_family)); 296 } 297 return (hval); 298 } 299 300 static uint32_t 301 key_u32hash(uint32_t val) 302 { 303 304 return (fnv_32_buf(&val, sizeof(val), FNV1_32_INIT)); 305 } 306 307 /* registed list */ 308 VNET_DEFINE_STATIC(LIST_HEAD(_regtree, secreg), regtree[SADB_SATYPE_MAX + 1]); 309 #define V_regtree VNET(regtree) 310 static struct mtx regtree_lock; 311 #define REGTREE_LOCK_INIT() \ 312 mtx_init(®tree_lock, "regtree", "fast ipsec regtree", MTX_DEF) 313 #define REGTREE_LOCK_DESTROY() mtx_destroy(®tree_lock) 314 #define REGTREE_LOCK() mtx_lock(®tree_lock) 315 #define REGTREE_UNLOCK() mtx_unlock(®tree_lock) 316 #define REGTREE_LOCK_ASSERT() mtx_assert(®tree_lock, MA_OWNED) 317 318 /* Acquiring list */ 319 LIST_HEAD(secacq_list, secacq); 320 VNET_DEFINE_STATIC(struct secacq_list, acqtree); 321 #define V_acqtree VNET(acqtree) 322 static struct mtx acq_lock; 323 #define ACQ_LOCK_INIT() \ 324 mtx_init(&acq_lock, "acqtree", "ipsec SA acquiring list", MTX_DEF) 325 #define ACQ_LOCK_DESTROY() mtx_destroy(&acq_lock) 326 #define ACQ_LOCK() mtx_lock(&acq_lock) 327 #define ACQ_UNLOCK() mtx_unlock(&acq_lock) 328 #define ACQ_LOCK_ASSERT() mtx_assert(&acq_lock, MA_OWNED) 329 330 /* Hash table for lookup in ACQ list using SA addresses */ 331 VNET_DEFINE_STATIC(struct secacq_list *, acqaddrhashtbl); 332 VNET_DEFINE_STATIC(u_long, acqaddrhash_mask); 333 #define V_acqaddrhashtbl VNET(acqaddrhashtbl) 334 #define V_acqaddrhash_mask VNET(acqaddrhash_mask) 335 336 /* Hash table for lookup in ACQ list using SEQ number */ 337 VNET_DEFINE_STATIC(struct secacq_list *, acqseqhashtbl); 338 VNET_DEFINE_STATIC(u_long, acqseqhash_mask); 339 #define V_acqseqhashtbl VNET(acqseqhashtbl) 340 #define V_acqseqhash_mask VNET(acqseqhash_mask) 341 342 #define ACQHASH_NHASH_LOG2 7 343 #define ACQHASH_NHASH (1 << ACQHASH_NHASH_LOG2) 344 #define ACQADDRHASH_HASHVAL(idx) \ 345 (key_addrprotohash(&(idx)->src, &(idx)->dst, &(idx)->proto) & \ 346 V_acqaddrhash_mask) 347 #define ACQSEQHASH_HASHVAL(seq) \ 348 (key_u32hash(seq) & V_acqseqhash_mask) 349 #define ACQADDRHASH_HASH(saidx) \ 350 &V_acqaddrhashtbl[ACQADDRHASH_HASHVAL(saidx)] 351 #define ACQSEQHASH_HASH(seq) \ 352 &V_acqseqhashtbl[ACQSEQHASH_HASHVAL(seq)] 353 /* SP acquiring list */ 354 VNET_DEFINE_STATIC(LIST_HEAD(_spacqtree, secspacq), spacqtree); 355 #define V_spacqtree VNET(spacqtree) 356 static struct mtx spacq_lock; 357 #define SPACQ_LOCK_INIT() \ 358 mtx_init(&spacq_lock, "spacqtree", \ 359 "fast ipsec security policy acquire list", MTX_DEF) 360 #define SPACQ_LOCK_DESTROY() mtx_destroy(&spacq_lock) 361 #define SPACQ_LOCK() mtx_lock(&spacq_lock) 362 #define SPACQ_UNLOCK() mtx_unlock(&spacq_lock) 363 #define SPACQ_LOCK_ASSERT() mtx_assert(&spacq_lock, MA_OWNED) 364 365 static const int minsize[] = { 366 sizeof(struct sadb_msg), /* SADB_EXT_RESERVED */ 367 sizeof(struct sadb_sa), /* SADB_EXT_SA */ 368 sizeof(struct sadb_lifetime), /* SADB_EXT_LIFETIME_CURRENT */ 369 sizeof(struct sadb_lifetime), /* SADB_EXT_LIFETIME_HARD */ 370 sizeof(struct sadb_lifetime), /* SADB_EXT_LIFETIME_SOFT */ 371 sizeof(struct sadb_address), /* SADB_EXT_ADDRESS_SRC */ 372 sizeof(struct sadb_address), /* SADB_EXT_ADDRESS_DST */ 373 sizeof(struct sadb_address), /* SADB_EXT_ADDRESS_PROXY */ 374 sizeof(struct sadb_key), /* SADB_EXT_KEY_AUTH */ 375 sizeof(struct sadb_key), /* SADB_EXT_KEY_ENCRYPT */ 376 sizeof(struct sadb_ident), /* SADB_EXT_IDENTITY_SRC */ 377 sizeof(struct sadb_ident), /* SADB_EXT_IDENTITY_DST */ 378 sizeof(struct sadb_sens), /* SADB_EXT_SENSITIVITY */ 379 sizeof(struct sadb_prop), /* SADB_EXT_PROPOSAL */ 380 sizeof(struct sadb_supported), /* SADB_EXT_SUPPORTED_AUTH */ 381 sizeof(struct sadb_supported), /* SADB_EXT_SUPPORTED_ENCRYPT */ 382 sizeof(struct sadb_spirange), /* SADB_EXT_SPIRANGE */ 383 0, /* SADB_X_EXT_KMPRIVATE */ 384 sizeof(struct sadb_x_policy), /* SADB_X_EXT_POLICY */ 385 sizeof(struct sadb_x_sa2), /* SADB_X_SA2 */ 386 sizeof(struct sadb_x_nat_t_type),/* SADB_X_EXT_NAT_T_TYPE */ 387 sizeof(struct sadb_x_nat_t_port),/* SADB_X_EXT_NAT_T_SPORT */ 388 sizeof(struct sadb_x_nat_t_port),/* SADB_X_EXT_NAT_T_DPORT */ 389 sizeof(struct sadb_address), /* SADB_X_EXT_NAT_T_OAI */ 390 sizeof(struct sadb_address), /* SADB_X_EXT_NAT_T_OAR */ 391 sizeof(struct sadb_x_nat_t_frag),/* SADB_X_EXT_NAT_T_FRAG */ 392 sizeof(struct sadb_x_sa_replay), /* SADB_X_EXT_SA_REPLAY */ 393 sizeof(struct sadb_address), /* SADB_X_EXT_NEW_ADDRESS_SRC */ 394 sizeof(struct sadb_address), /* SADB_X_EXT_NEW_ADDRESS_DST */ 395 }; 396 _Static_assert(sizeof(minsize)/sizeof(int) == SADB_EXT_MAX + 1, "minsize size mismatch"); 397 398 static const int maxsize[] = { 399 sizeof(struct sadb_msg), /* SADB_EXT_RESERVED */ 400 sizeof(struct sadb_sa), /* SADB_EXT_SA */ 401 sizeof(struct sadb_lifetime), /* SADB_EXT_LIFETIME_CURRENT */ 402 sizeof(struct sadb_lifetime), /* SADB_EXT_LIFETIME_HARD */ 403 sizeof(struct sadb_lifetime), /* SADB_EXT_LIFETIME_SOFT */ 404 0, /* SADB_EXT_ADDRESS_SRC */ 405 0, /* SADB_EXT_ADDRESS_DST */ 406 0, /* SADB_EXT_ADDRESS_PROXY */ 407 0, /* SADB_EXT_KEY_AUTH */ 408 0, /* SADB_EXT_KEY_ENCRYPT */ 409 0, /* SADB_EXT_IDENTITY_SRC */ 410 0, /* SADB_EXT_IDENTITY_DST */ 411 0, /* SADB_EXT_SENSITIVITY */ 412 0, /* SADB_EXT_PROPOSAL */ 413 0, /* SADB_EXT_SUPPORTED_AUTH */ 414 0, /* SADB_EXT_SUPPORTED_ENCRYPT */ 415 sizeof(struct sadb_spirange), /* SADB_EXT_SPIRANGE */ 416 0, /* SADB_X_EXT_KMPRIVATE */ 417 0, /* SADB_X_EXT_POLICY */ 418 sizeof(struct sadb_x_sa2), /* SADB_X_SA2 */ 419 sizeof(struct sadb_x_nat_t_type),/* SADB_X_EXT_NAT_T_TYPE */ 420 sizeof(struct sadb_x_nat_t_port),/* SADB_X_EXT_NAT_T_SPORT */ 421 sizeof(struct sadb_x_nat_t_port),/* SADB_X_EXT_NAT_T_DPORT */ 422 0, /* SADB_X_EXT_NAT_T_OAI */ 423 0, /* SADB_X_EXT_NAT_T_OAR */ 424 sizeof(struct sadb_x_nat_t_frag),/* SADB_X_EXT_NAT_T_FRAG */ 425 sizeof(struct sadb_x_sa_replay), /* SADB_X_EXT_SA_REPLAY */ 426 0, /* SADB_X_EXT_NEW_ADDRESS_SRC */ 427 0, /* SADB_X_EXT_NEW_ADDRESS_DST */ 428 }; 429 _Static_assert(sizeof(maxsize)/sizeof(int) == SADB_EXT_MAX + 1, "minsize size mismatch"); 430 431 /* 432 * Internal values for SA flags: 433 * SADB_X_EXT_F_CLONED means that SA was cloned by key_updateaddresses, 434 * thus we will not free the most of SA content in key_delsav(). 435 */ 436 #define SADB_X_EXT_F_CLONED 0x80000000 437 438 #define SADB_CHECKLEN(_mhp, _ext) \ 439 ((_mhp)->extlen[(_ext)] < minsize[(_ext)] || (maxsize[(_ext)] != 0 && \ 440 ((_mhp)->extlen[(_ext)] > maxsize[(_ext)]))) 441 #define SADB_CHECKHDR(_mhp, _ext) ((_mhp)->ext[(_ext)] == NULL) 442 443 VNET_DEFINE_STATIC(int, ipsec_esp_keymin) = 256; 444 VNET_DEFINE_STATIC(int, ipsec_esp_auth) = 0; 445 VNET_DEFINE_STATIC(int, ipsec_ah_keymin) = 128; 446 447 #define V_ipsec_esp_keymin VNET(ipsec_esp_keymin) 448 #define V_ipsec_esp_auth VNET(ipsec_esp_auth) 449 #define V_ipsec_ah_keymin VNET(ipsec_ah_keymin) 450 451 #ifdef IPSEC_DEBUG 452 VNET_DEFINE(int, ipsec_debug) = 1; 453 #else 454 VNET_DEFINE(int, ipsec_debug) = 0; 455 #endif 456 457 #ifdef INET 458 SYSCTL_DECL(_net_inet_ipsec); 459 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEBUG, debug, 460 CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(ipsec_debug), 0, 461 "Enable IPsec debugging output when set."); 462 #endif 463 #ifdef INET6 464 SYSCTL_DECL(_net_inet6_ipsec6); 465 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEBUG, debug, 466 CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(ipsec_debug), 0, 467 "Enable IPsec debugging output when set."); 468 #endif 469 470 SYSCTL_INT(_net_key, KEYCTL_DEBUG_LEVEL, debug, 471 CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(key_debug_level), 0, ""); 472 473 /* max count of trial for the decision of spi value */ 474 SYSCTL_INT(_net_key, KEYCTL_SPI_TRY, spi_trycnt, 475 CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(key_spi_trycnt), 0, ""); 476 477 /* minimum spi value to allocate automatically. */ 478 SYSCTL_INT(_net_key, KEYCTL_SPI_MIN_VALUE, spi_minval, 479 CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(key_spi_minval), 0, ""); 480 481 /* maximun spi value to allocate automatically. */ 482 SYSCTL_INT(_net_key, KEYCTL_SPI_MAX_VALUE, spi_maxval, 483 CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(key_spi_maxval), 0, ""); 484 485 /* interval to initialize randseed */ 486 SYSCTL_INT(_net_key, KEYCTL_RANDOM_INT, int_random, 487 CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(key_int_random), 0, ""); 488 489 /* lifetime for larval SA */ 490 SYSCTL_INT(_net_key, KEYCTL_LARVAL_LIFETIME, larval_lifetime, 491 CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(key_larval_lifetime), 0, ""); 492 493 /* counter for blocking to send SADB_ACQUIRE to IKEd */ 494 SYSCTL_INT(_net_key, KEYCTL_BLOCKACQ_COUNT, blockacq_count, 495 CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(key_blockacq_count), 0, ""); 496 497 /* lifetime for blocking to send SADB_ACQUIRE to IKEd */ 498 SYSCTL_INT(_net_key, KEYCTL_BLOCKACQ_LIFETIME, blockacq_lifetime, 499 CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(key_blockacq_lifetime), 0, ""); 500 501 /* ESP auth */ 502 SYSCTL_INT(_net_key, KEYCTL_ESP_AUTH, esp_auth, 503 CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(ipsec_esp_auth), 0, ""); 504 505 /* minimum ESP key length */ 506 SYSCTL_INT(_net_key, KEYCTL_ESP_KEYMIN, esp_keymin, 507 CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(ipsec_esp_keymin), 0, ""); 508 509 /* minimum AH key length */ 510 SYSCTL_INT(_net_key, KEYCTL_AH_KEYMIN, ah_keymin, 511 CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(ipsec_ah_keymin), 0, ""); 512 513 /* perfered old SA rather than new SA */ 514 SYSCTL_INT(_net_key, KEYCTL_PREFERED_OLDSA, preferred_oldsa, 515 CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(key_preferred_oldsa), 0, ""); 516 517 SYSCTL_NODE(_net_key, OID_AUTO, spdcache, CTLFLAG_RW | CTLFLAG_MPSAFE, 0, 518 "SPD cache"); 519 520 SYSCTL_UINT(_net_key_spdcache, OID_AUTO, maxentries, 521 CTLFLAG_VNET | CTLFLAG_RDTUN, &VNET_NAME(key_spdcache_maxentries), 0, 522 "Maximum number of entries in the SPD cache" 523 " (power of 2, 0 to disable)"); 524 525 SYSCTL_UINT(_net_key_spdcache, OID_AUTO, threshold, 526 CTLFLAG_VNET | CTLFLAG_RDTUN, &VNET_NAME(key_spdcache_threshold), 0, 527 "Number of SPs that make the SPD cache active"); 528 529 #define __LIST_CHAINED(elm) \ 530 (!((elm)->chain.le_next == NULL && (elm)->chain.le_prev == NULL)) 531 532 MALLOC_DEFINE(M_IPSEC_SA, "secasvar", "ipsec security association"); 533 MALLOC_DEFINE(M_IPSEC_SAH, "sahead", "ipsec sa head"); 534 MALLOC_DEFINE(M_IPSEC_SP, "ipsecpolicy", "ipsec security policy"); 535 MALLOC_DEFINE(M_IPSEC_SR, "ipsecrequest", "ipsec security request"); 536 MALLOC_DEFINE(M_IPSEC_MISC, "ipsec-misc", "ipsec miscellaneous"); 537 MALLOC_DEFINE(M_IPSEC_SAQ, "ipsec-saq", "ipsec sa acquire"); 538 MALLOC_DEFINE(M_IPSEC_SAR, "ipsec-reg", "ipsec sa acquire"); 539 MALLOC_DEFINE(M_IPSEC_SPDCACHE, "ipsec-spdcache", "ipsec SPD cache"); 540 541 static uma_zone_t __read_mostly ipsec_key_lft_zone; 542 543 /* 544 * set parameters into secpolicyindex buffer. 545 * Must allocate secpolicyindex buffer passed to this function. 546 */ 547 #define KEY_SETSECSPIDX(_dir, s, d, ps, pd, ulp, idx) \ 548 do { \ 549 bzero((idx), sizeof(struct secpolicyindex)); \ 550 (idx)->dir = (_dir); \ 551 (idx)->prefs = (ps); \ 552 (idx)->prefd = (pd); \ 553 (idx)->ul_proto = (ulp); \ 554 bcopy((s), &(idx)->src, ((const struct sockaddr *)(s))->sa_len); \ 555 bcopy((d), &(idx)->dst, ((const struct sockaddr *)(d))->sa_len); \ 556 } while (0) 557 558 /* 559 * set parameters into secasindex buffer. 560 * Must allocate secasindex buffer before calling this function. 561 */ 562 #define KEY_SETSECASIDX(p, m, r, s, d, idx) \ 563 do { \ 564 bzero((idx), sizeof(struct secasindex)); \ 565 (idx)->proto = (p); \ 566 (idx)->mode = (m); \ 567 (idx)->reqid = (r); \ 568 bcopy((s), &(idx)->src, ((const struct sockaddr *)(s))->sa_len); \ 569 bcopy((d), &(idx)->dst, ((const struct sockaddr *)(d))->sa_len); \ 570 key_porttosaddr(&(idx)->src.sa, 0); \ 571 key_porttosaddr(&(idx)->dst.sa, 0); \ 572 } while (0) 573 574 /* key statistics */ 575 struct _keystat { 576 u_long getspi_count; /* the avarage of count to try to get new SPI */ 577 } keystat; 578 579 struct sadb_msghdr { 580 struct sadb_msg *msg; 581 struct sadb_ext *ext[SADB_EXT_MAX + 1]; 582 int extoff[SADB_EXT_MAX + 1]; 583 int extlen[SADB_EXT_MAX + 1]; 584 }; 585 586 static struct supported_ealgs { 587 int sadb_alg; 588 const struct enc_xform *xform; 589 } supported_ealgs[] = { 590 { SADB_X_EALG_AES, &enc_xform_aes_cbc }, 591 { SADB_EALG_NULL, &enc_xform_null }, 592 { SADB_X_EALG_AESCTR, &enc_xform_aes_icm }, 593 { SADB_X_EALG_AESGCM16, &enc_xform_aes_nist_gcm }, 594 { SADB_X_EALG_AESGMAC, &enc_xform_aes_nist_gmac }, 595 }; 596 597 static struct supported_aalgs { 598 int sadb_alg; 599 const struct auth_hash *xform; 600 } supported_aalgs[] = { 601 { SADB_X_AALG_NULL, &auth_hash_null }, 602 { SADB_AALG_SHA1HMAC, &auth_hash_hmac_sha1 }, 603 { SADB_X_AALG_SHA2_256, &auth_hash_hmac_sha2_256 }, 604 { SADB_X_AALG_SHA2_384, &auth_hash_hmac_sha2_384 }, 605 { SADB_X_AALG_SHA2_512, &auth_hash_hmac_sha2_512 }, 606 { SADB_X_AALG_AES128GMAC, &auth_hash_nist_gmac_aes_128 }, 607 { SADB_X_AALG_AES192GMAC, &auth_hash_nist_gmac_aes_192 }, 608 { SADB_X_AALG_AES256GMAC, &auth_hash_nist_gmac_aes_256 }, 609 }; 610 611 static struct supported_calgs { 612 int sadb_alg; 613 const struct comp_algo *xform; 614 } supported_calgs[] = { 615 { SADB_X_CALG_DEFLATE, &comp_algo_deflate }, 616 }; 617 618 #ifndef IPSEC_DEBUG2 619 static struct callout key_timer; 620 #endif 621 622 static void key_unlink(struct secpolicy *); 623 static void key_detach(struct secpolicy *); 624 static struct secpolicy *key_do_allocsp(struct secpolicyindex *spidx, u_int dir); 625 static struct secpolicy *key_getsp(struct secpolicyindex *); 626 static struct secpolicy *key_getspbyid(u_int32_t); 627 static struct mbuf *key_gather_mbuf(struct mbuf *, 628 const struct sadb_msghdr *, int, int, ...); 629 static int key_spdadd(struct socket *, struct mbuf *, 630 const struct sadb_msghdr *); 631 static uint32_t key_getnewspid(void); 632 static int key_spddelete(struct socket *, struct mbuf *, 633 const struct sadb_msghdr *); 634 static int key_spddelete2(struct socket *, struct mbuf *, 635 const struct sadb_msghdr *); 636 static int key_spdget(struct socket *, struct mbuf *, 637 const struct sadb_msghdr *); 638 static int key_spdflush(struct socket *, struct mbuf *, 639 const struct sadb_msghdr *); 640 static int key_spddump(struct socket *, struct mbuf *, 641 const struct sadb_msghdr *); 642 static struct mbuf *key_setdumpsp(struct secpolicy *, 643 u_int8_t, u_int32_t, u_int32_t); 644 static struct mbuf *key_sp2mbuf(struct secpolicy *); 645 static size_t key_getspreqmsglen(struct secpolicy *); 646 static int key_spdexpire(struct secpolicy *); 647 static struct secashead *key_newsah(struct secasindex *); 648 static void key_freesah(struct secashead **); 649 static void key_delsah(struct secashead *); 650 static struct secasvar *key_newsav(const struct sadb_msghdr *, 651 struct secasindex *, uint32_t, int *); 652 static void key_delsav(struct secasvar *); 653 static void key_unlinksav(struct secasvar *); 654 static struct secashead *key_getsah(struct secasindex *); 655 static int key_checkspidup(uint32_t); 656 static struct secasvar *key_getsavbyspi(uint32_t); 657 static int key_setnatt(struct secasvar *, const struct sadb_msghdr *); 658 static int key_setsaval(struct secasvar *, const struct sadb_msghdr *); 659 static int key_updatelifetimes(struct secasvar *, const struct sadb_msghdr *); 660 static int key_updateaddresses(struct socket *, struct mbuf *, 661 const struct sadb_msghdr *, struct secasvar *, struct secasindex *); 662 663 static struct mbuf *key_setdumpsa(struct secasvar *, u_int8_t, 664 u_int8_t, u_int32_t, u_int32_t); 665 static struct mbuf *key_setsadbmsg(u_int8_t, u_int16_t, u_int8_t, 666 u_int32_t, pid_t, u_int16_t); 667 static struct mbuf *key_setsadbsa(struct secasvar *); 668 static struct mbuf *key_setsadbaddr(u_int16_t, 669 const struct sockaddr *, u_int8_t, u_int16_t); 670 static struct mbuf *key_setsadbxport(u_int16_t, u_int16_t); 671 static struct mbuf *key_setsadbxtype(u_int16_t); 672 static struct mbuf *key_setsadbxsa2(u_int8_t, u_int32_t, u_int32_t); 673 static struct mbuf *key_setsadbxsareplay(u_int32_t); 674 static struct mbuf *key_setsadbxpolicy(u_int16_t, u_int8_t, 675 u_int32_t, u_int32_t); 676 static struct seckey *key_dup_keymsg(const struct sadb_key *, size_t, 677 struct malloc_type *); 678 static struct seclifetime *key_dup_lifemsg(const struct sadb_lifetime *src, 679 struct malloc_type *); 680 681 /* flags for key_cmpsaidx() */ 682 #define CMP_HEAD 1 /* protocol, addresses. */ 683 #define CMP_MODE_REQID 2 /* additionally HEAD, reqid, mode. */ 684 #define CMP_REQID 3 /* additionally HEAD, reaid. */ 685 #define CMP_EXACTLY 4 /* all elements. */ 686 static int key_cmpsaidx(const struct secasindex *, 687 const struct secasindex *, int); 688 static int key_cmpspidx_exactly(struct secpolicyindex *, 689 struct secpolicyindex *); 690 static int key_cmpspidx_withmask(struct secpolicyindex *, 691 struct secpolicyindex *); 692 static int key_bbcmp(const void *, const void *, u_int); 693 static uint8_t key_satype2proto(uint8_t); 694 static uint8_t key_proto2satype(uint8_t); 695 696 static int key_getspi(struct socket *, struct mbuf *, 697 const struct sadb_msghdr *); 698 static uint32_t key_do_getnewspi(struct sadb_spirange *, struct secasindex *); 699 static int key_update(struct socket *, struct mbuf *, 700 const struct sadb_msghdr *); 701 static int key_add(struct socket *, struct mbuf *, 702 const struct sadb_msghdr *); 703 static int key_setident(struct secashead *, const struct sadb_msghdr *); 704 static struct mbuf *key_getmsgbuf_x1(struct mbuf *, 705 const struct sadb_msghdr *); 706 static int key_delete(struct socket *, struct mbuf *, 707 const struct sadb_msghdr *); 708 static int key_delete_all(struct socket *, struct mbuf *, 709 const struct sadb_msghdr *, struct secasindex *); 710 static int key_get(struct socket *, struct mbuf *, 711 const struct sadb_msghdr *); 712 713 static void key_getcomb_setlifetime(struct sadb_comb *); 714 static struct mbuf *key_getcomb_ealg(void); 715 static struct mbuf *key_getcomb_ah(void); 716 static struct mbuf *key_getcomb_ipcomp(void); 717 static struct mbuf *key_getprop(const struct secasindex *); 718 719 static int key_acquire(const struct secasindex *, struct secpolicy *); 720 static uint32_t key_newacq(const struct secasindex *, int *); 721 static uint32_t key_getacq(const struct secasindex *, int *); 722 static int key_acqdone(const struct secasindex *, uint32_t); 723 static int key_acqreset(uint32_t); 724 static struct secspacq *key_newspacq(struct secpolicyindex *); 725 static struct secspacq *key_getspacq(struct secpolicyindex *); 726 static int key_acquire2(struct socket *, struct mbuf *, 727 const struct sadb_msghdr *); 728 static int key_register(struct socket *, struct mbuf *, 729 const struct sadb_msghdr *); 730 static int key_expire(struct secasvar *, int); 731 static int key_flush(struct socket *, struct mbuf *, 732 const struct sadb_msghdr *); 733 static int key_dump(struct socket *, struct mbuf *, 734 const struct sadb_msghdr *); 735 static int key_promisc(struct socket *, struct mbuf *, 736 const struct sadb_msghdr *); 737 static int key_senderror(struct socket *, struct mbuf *, int); 738 static int key_validate_ext(const struct sadb_ext *, int); 739 static int key_align(struct mbuf *, struct sadb_msghdr *); 740 static struct mbuf *key_setlifetime(struct seclifetime *, uint16_t); 741 static struct mbuf *key_setkey(struct seckey *, uint16_t); 742 743 static void spdcache_init(void); 744 static void spdcache_clear(void); 745 static struct spdcache_entry *spdcache_entry_alloc( 746 const struct secpolicyindex *spidx, 747 struct secpolicy *policy); 748 static void spdcache_entry_free(struct spdcache_entry *entry); 749 #ifdef VIMAGE 750 static void spdcache_destroy(void); 751 #endif 752 753 #define DBG_IPSEC_INITREF(t, p) do { \ 754 refcount_init(&(p)->refcnt, 1); \ 755 KEYDBG(KEY_STAMP, \ 756 printf("%s: Initialize refcnt %s(%p) = %u\n", \ 757 __func__, #t, (p), (p)->refcnt)); \ 758 } while (0) 759 #define DBG_IPSEC_ADDREF(t, p) do { \ 760 refcount_acquire(&(p)->refcnt); \ 761 KEYDBG(KEY_STAMP, \ 762 printf("%s: Acquire refcnt %s(%p) -> %u\n", \ 763 __func__, #t, (p), (p)->refcnt)); \ 764 } while (0) 765 #define DBG_IPSEC_DELREF(t, p) do { \ 766 KEYDBG(KEY_STAMP, \ 767 printf("%s: Release refcnt %s(%p) -> %u\n", \ 768 __func__, #t, (p), (p)->refcnt - 1)); \ 769 refcount_release(&(p)->refcnt); \ 770 } while (0) 771 772 #define IPSEC_INITREF(t, p) refcount_init(&(p)->refcnt, 1) 773 #define IPSEC_ADDREF(t, p) refcount_acquire(&(p)->refcnt) 774 #define IPSEC_DELREF(t, p) refcount_release(&(p)->refcnt) 775 776 #define SP_INITREF(p) IPSEC_INITREF(SP, p) 777 #define SP_ADDREF(p) IPSEC_ADDREF(SP, p) 778 #define SP_DELREF(p) IPSEC_DELREF(SP, p) 779 780 #define SAH_INITREF(p) IPSEC_INITREF(SAH, p) 781 #define SAH_ADDREF(p) IPSEC_ADDREF(SAH, p) 782 #define SAH_DELREF(p) IPSEC_DELREF(SAH, p) 783 784 #define SAV_INITREF(p) IPSEC_INITREF(SAV, p) 785 #define SAV_ADDREF(p) IPSEC_ADDREF(SAV, p) 786 #define SAV_DELREF(p) IPSEC_DELREF(SAV, p) 787 788 /* 789 * Update the refcnt while holding the SPTREE lock. 790 */ 791 void 792 key_addref(struct secpolicy *sp) 793 { 794 795 SP_ADDREF(sp); 796 } 797 798 /* 799 * Return 0 when there are known to be no SP's for the specified 800 * direction. Otherwise return 1. This is used by IPsec code 801 * to optimize performance. 802 */ 803 int 804 key_havesp(u_int dir) 805 { 806 807 return (dir == IPSEC_DIR_INBOUND || dir == IPSEC_DIR_OUTBOUND ? 808 TAILQ_FIRST(&V_sptree[dir]) != NULL : 1); 809 } 810 811 /* %%% IPsec policy management */ 812 /* 813 * Return current SPDB generation. 814 */ 815 uint32_t 816 key_getspgen(void) 817 { 818 819 return (V_sp_genid); 820 } 821 822 void 823 key_bumpspgen(void) 824 { 825 826 V_sp_genid++; 827 } 828 829 static int 830 key_checksockaddrs(struct sockaddr *src, struct sockaddr *dst) 831 { 832 833 /* family match */ 834 if (src->sa_family != dst->sa_family) 835 return (EINVAL); 836 /* sa_len match */ 837 if (src->sa_len != dst->sa_len) 838 return (EINVAL); 839 switch (src->sa_family) { 840 #ifdef INET 841 case AF_INET: 842 if (src->sa_len != sizeof(struct sockaddr_in)) 843 return (EINVAL); 844 break; 845 #endif 846 #ifdef INET6 847 case AF_INET6: 848 if (src->sa_len != sizeof(struct sockaddr_in6)) 849 return (EINVAL); 850 break; 851 #endif 852 default: 853 return (EAFNOSUPPORT); 854 } 855 return (0); 856 } 857 858 struct secpolicy * 859 key_do_allocsp(struct secpolicyindex *spidx, u_int dir) 860 { 861 SPTREE_RLOCK_TRACKER; 862 struct secpolicy *sp; 863 864 IPSEC_ASSERT(spidx != NULL, ("null spidx")); 865 IPSEC_ASSERT(dir == IPSEC_DIR_INBOUND || dir == IPSEC_DIR_OUTBOUND, 866 ("invalid direction %u", dir)); 867 868 SPTREE_RLOCK(); 869 TAILQ_FOREACH(sp, &V_sptree[dir], chain) { 870 if (key_cmpspidx_withmask(&sp->spidx, spidx)) { 871 SP_ADDREF(sp); 872 break; 873 } 874 } 875 SPTREE_RUNLOCK(); 876 return (sp); 877 } 878 879 /* 880 * allocating a SP for OUTBOUND or INBOUND packet. 881 * Must call key_freesp() later. 882 * OUT: NULL: not found 883 * others: found and return the pointer. 884 */ 885 struct secpolicy * 886 key_allocsp(struct secpolicyindex *spidx, u_int dir) 887 { 888 struct spdcache_entry *entry, *lastentry, *tmpentry; 889 struct secpolicy *sp; 890 uint32_t hashv; 891 int nb_entries; 892 893 if (!SPDCACHE_ACTIVE()) { 894 sp = key_do_allocsp(spidx, dir); 895 goto out; 896 } 897 898 hashv = SPDCACHE_HASHVAL(spidx); 899 SPDCACHE_LOCK(hashv); 900 nb_entries = 0; 901 LIST_FOREACH_SAFE(entry, &V_spdcachehashtbl[hashv], chain, tmpentry) { 902 /* Removed outdated entries */ 903 if (entry->sp != NULL && 904 entry->sp->state == IPSEC_SPSTATE_DEAD) { 905 LIST_REMOVE(entry, chain); 906 spdcache_entry_free(entry); 907 continue; 908 } 909 910 nb_entries++; 911 if (!key_cmpspidx_exactly(&entry->spidx, spidx)) { 912 lastentry = entry; 913 continue; 914 } 915 916 sp = entry->sp; 917 if (entry->sp != NULL) 918 SP_ADDREF(sp); 919 920 /* IPSECSTAT_INC(ips_spdcache_hits); */ 921 922 SPDCACHE_UNLOCK(hashv); 923 goto out; 924 } 925 926 /* IPSECSTAT_INC(ips_spdcache_misses); */ 927 928 sp = key_do_allocsp(spidx, dir); 929 entry = spdcache_entry_alloc(spidx, sp); 930 if (entry != NULL) { 931 if (nb_entries >= SPDCACHE_MAX_ENTRIES_PER_HASH) { 932 LIST_REMOVE(lastentry, chain); 933 spdcache_entry_free(lastentry); 934 } 935 936 LIST_INSERT_HEAD(&V_spdcachehashtbl[hashv], entry, chain); 937 } 938 939 SPDCACHE_UNLOCK(hashv); 940 941 out: 942 if (sp != NULL) { /* found a SPD entry */ 943 sp->lastused = time_second; 944 KEYDBG(IPSEC_STAMP, 945 printf("%s: return SP(%p)\n", __func__, sp)); 946 KEYDBG(IPSEC_DATA, kdebug_secpolicy(sp)); 947 } else { 948 KEYDBG(IPSEC_DATA, 949 printf("%s: lookup failed for ", __func__); 950 kdebug_secpolicyindex(spidx, NULL)); 951 } 952 return (sp); 953 } 954 955 /* 956 * Allocating an SA entry for an *INBOUND* or *OUTBOUND* TCP packet, signed 957 * or should be signed by MD5 signature. 958 * We don't use key_allocsa() for such lookups, because we don't know SPI. 959 * Unlike ESP and AH protocols, SPI isn't transmitted in the TCP header with 960 * signed packet. We use SADB only as storage for password. 961 * OUT: positive: corresponding SA for given saidx found. 962 * NULL: SA not found 963 */ 964 struct secasvar * 965 key_allocsa_tcpmd5(struct secasindex *saidx) 966 { 967 SAHTREE_RLOCK_TRACKER; 968 struct secashead *sah; 969 struct secasvar *sav; 970 971 IPSEC_ASSERT(saidx->proto == IPPROTO_TCP, 972 ("unexpected security protocol %u", saidx->proto)); 973 IPSEC_ASSERT(saidx->mode == IPSEC_MODE_TCPMD5, 974 ("unexpected mode %u", saidx->mode)); 975 976 SAHTREE_RLOCK(); 977 LIST_FOREACH(sah, SAHADDRHASH_HASH(saidx), addrhash) { 978 KEYDBG(IPSEC_DUMP, 979 printf("%s: checking SAH\n", __func__); 980 kdebug_secash(sah, " ")); 981 if (sah->saidx.proto != IPPROTO_TCP) 982 continue; 983 if (!key_sockaddrcmp(&saidx->dst.sa, &sah->saidx.dst.sa, 0) && 984 !key_sockaddrcmp(&saidx->src.sa, &sah->saidx.src.sa, 0)) 985 break; 986 } 987 if (sah != NULL) { 988 if (V_key_preferred_oldsa) 989 sav = TAILQ_LAST(&sah->savtree_alive, secasvar_queue); 990 else 991 sav = TAILQ_FIRST(&sah->savtree_alive); 992 if (sav != NULL) 993 SAV_ADDREF(sav); 994 } else 995 sav = NULL; 996 SAHTREE_RUNLOCK(); 997 998 if (sav != NULL) { 999 KEYDBG(IPSEC_STAMP, 1000 printf("%s: return SA(%p)\n", __func__, sav)); 1001 KEYDBG(IPSEC_DATA, kdebug_secasv(sav)); 1002 } else { 1003 KEYDBG(IPSEC_STAMP, 1004 printf("%s: SA not found\n", __func__)); 1005 KEYDBG(IPSEC_DATA, kdebug_secasindex(saidx, NULL)); 1006 } 1007 return (sav); 1008 } 1009 1010 /* 1011 * Allocating an SA entry for an *OUTBOUND* packet. 1012 * OUT: positive: corresponding SA for given saidx found. 1013 * NULL: SA not found, but will be acquired, check *error 1014 * for acquiring status. 1015 */ 1016 struct secasvar * 1017 key_allocsa_policy(struct secpolicy *sp, const struct secasindex *saidx, 1018 int *error) 1019 { 1020 SAHTREE_RLOCK_TRACKER; 1021 struct secashead *sah; 1022 struct secasvar *sav; 1023 1024 IPSEC_ASSERT(saidx != NULL, ("null saidx")); 1025 IPSEC_ASSERT(saidx->mode == IPSEC_MODE_TRANSPORT || 1026 saidx->mode == IPSEC_MODE_TUNNEL, 1027 ("unexpected policy %u", saidx->mode)); 1028 1029 /* 1030 * We check new SA in the IPsec request because a different 1031 * SA may be involved each time this request is checked, either 1032 * because new SAs are being configured, or this request is 1033 * associated with an unconnected datagram socket, or this request 1034 * is associated with a system default policy. 1035 */ 1036 SAHTREE_RLOCK(); 1037 LIST_FOREACH(sah, SAHADDRHASH_HASH(saidx), addrhash) { 1038 KEYDBG(IPSEC_DUMP, 1039 printf("%s: checking SAH\n", __func__); 1040 kdebug_secash(sah, " ")); 1041 if (key_cmpsaidx(&sah->saidx, saidx, CMP_MODE_REQID)) 1042 break; 1043 } 1044 if (sah != NULL) { 1045 /* 1046 * Allocate the oldest SA available according to 1047 * draft-jenkins-ipsec-rekeying-03. 1048 */ 1049 if (V_key_preferred_oldsa) 1050 sav = TAILQ_LAST(&sah->savtree_alive, secasvar_queue); 1051 else 1052 sav = TAILQ_FIRST(&sah->savtree_alive); 1053 if (sav != NULL) 1054 SAV_ADDREF(sav); 1055 } else 1056 sav = NULL; 1057 SAHTREE_RUNLOCK(); 1058 1059 if (sav != NULL) { 1060 *error = 0; 1061 KEYDBG(IPSEC_STAMP, 1062 printf("%s: chosen SA(%p) for SP(%p)\n", __func__, 1063 sav, sp)); 1064 KEYDBG(IPSEC_DATA, kdebug_secasv(sav)); 1065 return (sav); /* return referenced SA */ 1066 } 1067 1068 /* there is no SA */ 1069 *error = key_acquire(saidx, sp); 1070 if ((*error) != 0) 1071 ipseclog((LOG_DEBUG, 1072 "%s: error %d returned from key_acquire()\n", 1073 __func__, *error)); 1074 KEYDBG(IPSEC_STAMP, 1075 printf("%s: acquire SA for SP(%p), error %d\n", 1076 __func__, sp, *error)); 1077 KEYDBG(IPSEC_DATA, kdebug_secasindex(saidx, NULL)); 1078 return (NULL); 1079 } 1080 1081 /* 1082 * allocating a usable SA entry for a *INBOUND* packet. 1083 * Must call key_freesav() later. 1084 * OUT: positive: pointer to a usable sav (i.e. MATURE or DYING state). 1085 * NULL: not found, or error occurred. 1086 * 1087 * According to RFC 2401 SA is uniquely identified by a triple SPI, 1088 * destination address, and security protocol. But according to RFC 4301, 1089 * SPI by itself suffices to specify an SA. 1090 * 1091 * Note that, however, we do need to keep source address in IPsec SA. 1092 * IKE specification and PF_KEY specification do assume that we 1093 * keep source address in IPsec SA. We see a tricky situation here. 1094 */ 1095 struct secasvar * 1096 key_allocsa(union sockaddr_union *dst, uint8_t proto, uint32_t spi) 1097 { 1098 SAHTREE_RLOCK_TRACKER; 1099 struct secasvar *sav; 1100 1101 IPSEC_ASSERT(proto == IPPROTO_ESP || proto == IPPROTO_AH || 1102 proto == IPPROTO_IPCOMP, ("unexpected security protocol %u", 1103 proto)); 1104 1105 SAHTREE_RLOCK(); 1106 LIST_FOREACH(sav, SAVHASH_HASH(spi), spihash) { 1107 if (sav->spi == spi) 1108 break; 1109 } 1110 /* 1111 * We use single SPI namespace for all protocols, so it is 1112 * impossible to have SPI duplicates in the SAVHASH. 1113 */ 1114 if (sav != NULL) { 1115 if (sav->state != SADB_SASTATE_LARVAL && 1116 sav->sah->saidx.proto == proto && 1117 key_sockaddrcmp(&dst->sa, 1118 &sav->sah->saidx.dst.sa, 0) == 0) 1119 SAV_ADDREF(sav); 1120 else 1121 sav = NULL; 1122 } 1123 SAHTREE_RUNLOCK(); 1124 1125 if (sav == NULL) { 1126 KEYDBG(IPSEC_STAMP, 1127 char buf[IPSEC_ADDRSTRLEN]; 1128 printf("%s: SA not found for spi %u proto %u dst %s\n", 1129 __func__, ntohl(spi), proto, ipsec_address(dst, buf, 1130 sizeof(buf)))); 1131 } else { 1132 KEYDBG(IPSEC_STAMP, 1133 printf("%s: return SA(%p)\n", __func__, sav)); 1134 KEYDBG(IPSEC_DATA, kdebug_secasv(sav)); 1135 } 1136 return (sav); 1137 } 1138 1139 struct secasvar * 1140 key_allocsa_tunnel(union sockaddr_union *src, union sockaddr_union *dst, 1141 uint8_t proto) 1142 { 1143 SAHTREE_RLOCK_TRACKER; 1144 struct secasindex saidx; 1145 struct secashead *sah; 1146 struct secasvar *sav; 1147 1148 IPSEC_ASSERT(src != NULL, ("null src address")); 1149 IPSEC_ASSERT(dst != NULL, ("null dst address")); 1150 1151 KEY_SETSECASIDX(proto, IPSEC_MODE_TUNNEL, 0, &src->sa, 1152 &dst->sa, &saidx); 1153 1154 sav = NULL; 1155 SAHTREE_RLOCK(); 1156 LIST_FOREACH(sah, SAHADDRHASH_HASH(&saidx), addrhash) { 1157 if (IPSEC_MODE_TUNNEL != sah->saidx.mode) 1158 continue; 1159 if (proto != sah->saidx.proto) 1160 continue; 1161 if (key_sockaddrcmp(&src->sa, &sah->saidx.src.sa, 0) != 0) 1162 continue; 1163 if (key_sockaddrcmp(&dst->sa, &sah->saidx.dst.sa, 0) != 0) 1164 continue; 1165 /* XXXAE: is key_preferred_oldsa reasonably?*/ 1166 if (V_key_preferred_oldsa) 1167 sav = TAILQ_LAST(&sah->savtree_alive, secasvar_queue); 1168 else 1169 sav = TAILQ_FIRST(&sah->savtree_alive); 1170 if (sav != NULL) { 1171 SAV_ADDREF(sav); 1172 break; 1173 } 1174 } 1175 SAHTREE_RUNLOCK(); 1176 KEYDBG(IPSEC_STAMP, 1177 printf("%s: return SA(%p)\n", __func__, sav)); 1178 if (sav != NULL) 1179 KEYDBG(IPSEC_DATA, kdebug_secasv(sav)); 1180 return (sav); 1181 } 1182 1183 /* 1184 * Must be called after calling key_allocsp(). 1185 */ 1186 void 1187 key_freesp(struct secpolicy **spp) 1188 { 1189 struct secpolicy *sp = *spp; 1190 1191 IPSEC_ASSERT(sp != NULL, ("null sp")); 1192 if (SP_DELREF(sp) == 0) 1193 return; 1194 1195 KEYDBG(IPSEC_STAMP, 1196 printf("%s: last reference to SP(%p)\n", __func__, sp)); 1197 KEYDBG(IPSEC_DATA, kdebug_secpolicy(sp)); 1198 1199 *spp = NULL; 1200 while (sp->tcount > 0) 1201 ipsec_delisr(sp->req[--sp->tcount]); 1202 free(sp, M_IPSEC_SP); 1203 } 1204 1205 static void 1206 key_unlink(struct secpolicy *sp) 1207 { 1208 SPTREE_WLOCK(); 1209 key_detach(sp); 1210 SPTREE_WUNLOCK(); 1211 if (SPDCACHE_ENABLED()) 1212 spdcache_clear(); 1213 key_freesp(&sp); 1214 } 1215 1216 static void 1217 key_detach(struct secpolicy *sp) 1218 { 1219 IPSEC_ASSERT(sp->spidx.dir == IPSEC_DIR_INBOUND || 1220 sp->spidx.dir == IPSEC_DIR_OUTBOUND, 1221 ("invalid direction %u", sp->spidx.dir)); 1222 SPTREE_WLOCK_ASSERT(); 1223 1224 KEYDBG(KEY_STAMP, 1225 printf("%s: SP(%p)\n", __func__, sp)); 1226 if (sp->state != IPSEC_SPSTATE_ALIVE) { 1227 /* SP is already unlinked */ 1228 return; 1229 } 1230 sp->state = IPSEC_SPSTATE_DEAD; 1231 TAILQ_REMOVE(&V_sptree[sp->spidx.dir], sp, chain); 1232 V_spd_size--; 1233 LIST_REMOVE(sp, idhash); 1234 V_sp_genid++; 1235 } 1236 1237 /* 1238 * insert a secpolicy into the SP database. Lower priorities first 1239 */ 1240 static void 1241 key_insertsp(struct secpolicy *newsp) 1242 { 1243 struct secpolicy *sp; 1244 1245 SPTREE_WLOCK_ASSERT(); 1246 TAILQ_FOREACH(sp, &V_sptree[newsp->spidx.dir], chain) { 1247 if (newsp->priority < sp->priority) { 1248 TAILQ_INSERT_BEFORE(sp, newsp, chain); 1249 goto done; 1250 } 1251 } 1252 TAILQ_INSERT_TAIL(&V_sptree[newsp->spidx.dir], newsp, chain); 1253 done: 1254 LIST_INSERT_HEAD(SPHASH_HASH(newsp->id), newsp, idhash); 1255 newsp->state = IPSEC_SPSTATE_ALIVE; 1256 V_spd_size++; 1257 V_sp_genid++; 1258 } 1259 1260 /* 1261 * Insert a bunch of VTI secpolicies into the SPDB. 1262 * We keep VTI policies in the separate list due to following reasons: 1263 * 1) they should be immutable to user's or some deamon's attempts to 1264 * delete. The only way delete such policies - destroy or unconfigure 1265 * corresponding virtual inteface. 1266 * 2) such policies have traffic selector that matches all traffic per 1267 * address family. 1268 * Since all VTI policies have the same priority, we don't care about 1269 * policies order. 1270 */ 1271 int 1272 key_register_ifnet(struct secpolicy **spp, u_int count) 1273 { 1274 struct mbuf *m; 1275 u_int i; 1276 1277 SPTREE_WLOCK(); 1278 /* 1279 * First of try to acquire id for each SP. 1280 */ 1281 for (i = 0; i < count; i++) { 1282 IPSEC_ASSERT(spp[i]->spidx.dir == IPSEC_DIR_INBOUND || 1283 spp[i]->spidx.dir == IPSEC_DIR_OUTBOUND, 1284 ("invalid direction %u", spp[i]->spidx.dir)); 1285 1286 if ((spp[i]->id = key_getnewspid()) == 0) { 1287 SPTREE_WUNLOCK(); 1288 return (EAGAIN); 1289 } 1290 } 1291 for (i = 0; i < count; i++) { 1292 TAILQ_INSERT_TAIL(&V_sptree_ifnet[spp[i]->spidx.dir], 1293 spp[i], chain); 1294 /* 1295 * NOTE: despite the fact that we keep VTI SP in the 1296 * separate list, SPHASH contains policies from both 1297 * sources. Thus SADB_X_SPDGET will correctly return 1298 * SP by id, because it uses SPHASH for lookups. 1299 */ 1300 LIST_INSERT_HEAD(SPHASH_HASH(spp[i]->id), spp[i], idhash); 1301 spp[i]->state = IPSEC_SPSTATE_IFNET; 1302 } 1303 SPTREE_WUNLOCK(); 1304 /* 1305 * Notify user processes about new SP. 1306 */ 1307 for (i = 0; i < count; i++) { 1308 m = key_setdumpsp(spp[i], SADB_X_SPDADD, 0, 0); 1309 if (m != NULL) 1310 key_sendup_mbuf(NULL, m, KEY_SENDUP_ALL); 1311 } 1312 return (0); 1313 } 1314 1315 void 1316 key_unregister_ifnet(struct secpolicy **spp, u_int count) 1317 { 1318 struct mbuf *m; 1319 u_int i; 1320 1321 SPTREE_WLOCK(); 1322 for (i = 0; i < count; i++) { 1323 IPSEC_ASSERT(spp[i]->spidx.dir == IPSEC_DIR_INBOUND || 1324 spp[i]->spidx.dir == IPSEC_DIR_OUTBOUND, 1325 ("invalid direction %u", spp[i]->spidx.dir)); 1326 1327 if (spp[i]->state != IPSEC_SPSTATE_IFNET) 1328 continue; 1329 spp[i]->state = IPSEC_SPSTATE_DEAD; 1330 TAILQ_REMOVE(&V_sptree_ifnet[spp[i]->spidx.dir], 1331 spp[i], chain); 1332 V_spd_size--; 1333 LIST_REMOVE(spp[i], idhash); 1334 } 1335 SPTREE_WUNLOCK(); 1336 if (SPDCACHE_ENABLED()) 1337 spdcache_clear(); 1338 1339 for (i = 0; i < count; i++) { 1340 m = key_setdumpsp(spp[i], SADB_X_SPDDELETE, 0, 0); 1341 if (m != NULL) 1342 key_sendup_mbuf(NULL, m, KEY_SENDUP_ALL); 1343 } 1344 } 1345 1346 /* 1347 * Must be called after calling key_allocsa(). 1348 * This function is called by key_freesp() to free some SA allocated 1349 * for a policy. 1350 */ 1351 void 1352 key_freesav(struct secasvar **psav) 1353 { 1354 struct secasvar *sav = *psav; 1355 1356 IPSEC_ASSERT(sav != NULL, ("null sav")); 1357 CURVNET_ASSERT_SET(); 1358 if (SAV_DELREF(sav) == 0) 1359 return; 1360 1361 KEYDBG(IPSEC_STAMP, 1362 printf("%s: last reference to SA(%p)\n", __func__, sav)); 1363 1364 *psav = NULL; 1365 key_delsav(sav); 1366 } 1367 1368 /* 1369 * Unlink SA from SAH and SPI hash under SAHTREE_WLOCK. 1370 * Expect that SA has extra reference due to lookup. 1371 * Release this references, also release SAH reference after unlink. 1372 */ 1373 static void 1374 key_unlinksav(struct secasvar *sav) 1375 { 1376 struct secashead *sah; 1377 1378 KEYDBG(KEY_STAMP, 1379 printf("%s: SA(%p)\n", __func__, sav)); 1380 1381 CURVNET_ASSERT_SET(); 1382 SAHTREE_UNLOCK_ASSERT(); 1383 SAHTREE_WLOCK(); 1384 if (sav->state == SADB_SASTATE_DEAD) { 1385 /* SA is already unlinked */ 1386 SAHTREE_WUNLOCK(); 1387 return; 1388 } 1389 /* Unlink from SAH */ 1390 if (sav->state == SADB_SASTATE_LARVAL) 1391 TAILQ_REMOVE(&sav->sah->savtree_larval, sav, chain); 1392 else 1393 TAILQ_REMOVE(&sav->sah->savtree_alive, sav, chain); 1394 /* Unlink from SPI hash */ 1395 LIST_REMOVE(sav, spihash); 1396 sav->state = SADB_SASTATE_DEAD; 1397 sah = sav->sah; 1398 SAHTREE_WUNLOCK(); 1399 key_freesav(&sav); 1400 /* Since we are unlinked, release reference to SAH */ 1401 key_freesah(&sah); 1402 } 1403 1404 /* %%% SPD management */ 1405 /* 1406 * search SPD 1407 * OUT: NULL : not found 1408 * others : found, pointer to a SP. 1409 */ 1410 static struct secpolicy * 1411 key_getsp(struct secpolicyindex *spidx) 1412 { 1413 SPTREE_RLOCK_TRACKER; 1414 struct secpolicy *sp; 1415 1416 IPSEC_ASSERT(spidx != NULL, ("null spidx")); 1417 1418 SPTREE_RLOCK(); 1419 TAILQ_FOREACH(sp, &V_sptree[spidx->dir], chain) { 1420 if (key_cmpspidx_exactly(spidx, &sp->spidx)) { 1421 SP_ADDREF(sp); 1422 break; 1423 } 1424 } 1425 SPTREE_RUNLOCK(); 1426 1427 return sp; 1428 } 1429 1430 /* 1431 * get SP by index. 1432 * OUT: NULL : not found 1433 * others : found, pointer to referenced SP. 1434 */ 1435 static struct secpolicy * 1436 key_getspbyid(uint32_t id) 1437 { 1438 SPTREE_RLOCK_TRACKER; 1439 struct secpolicy *sp; 1440 1441 SPTREE_RLOCK(); 1442 LIST_FOREACH(sp, SPHASH_HASH(id), idhash) { 1443 if (sp->id == id) { 1444 SP_ADDREF(sp); 1445 break; 1446 } 1447 } 1448 SPTREE_RUNLOCK(); 1449 return (sp); 1450 } 1451 1452 struct secpolicy * 1453 key_newsp(void) 1454 { 1455 struct secpolicy *sp; 1456 1457 sp = malloc(sizeof(*sp), M_IPSEC_SP, M_NOWAIT | M_ZERO); 1458 if (sp != NULL) 1459 SP_INITREF(sp); 1460 return (sp); 1461 } 1462 1463 struct ipsecrequest * 1464 ipsec_newisr(void) 1465 { 1466 1467 return (malloc(sizeof(struct ipsecrequest), M_IPSEC_SR, 1468 M_NOWAIT | M_ZERO)); 1469 } 1470 1471 void 1472 ipsec_delisr(struct ipsecrequest *p) 1473 { 1474 1475 free(p, M_IPSEC_SR); 1476 } 1477 1478 /* 1479 * create secpolicy structure from sadb_x_policy structure. 1480 * NOTE: `state', `secpolicyindex' and 'id' in secpolicy structure 1481 * are not set, so must be set properly later. 1482 */ 1483 struct secpolicy * 1484 key_msg2sp(struct sadb_x_policy *xpl0, size_t len, int *error) 1485 { 1486 struct secpolicy *newsp; 1487 1488 IPSEC_ASSERT(xpl0 != NULL, ("null xpl0")); 1489 IPSEC_ASSERT(len >= sizeof(*xpl0), ("policy too short: %zu", len)); 1490 1491 if (len != PFKEY_EXTLEN(xpl0)) { 1492 ipseclog((LOG_DEBUG, "%s: Invalid msg length.\n", __func__)); 1493 *error = EINVAL; 1494 return NULL; 1495 } 1496 1497 if ((newsp = key_newsp()) == NULL) { 1498 *error = ENOBUFS; 1499 return NULL; 1500 } 1501 1502 newsp->spidx.dir = xpl0->sadb_x_policy_dir; 1503 newsp->policy = xpl0->sadb_x_policy_type; 1504 newsp->priority = xpl0->sadb_x_policy_priority; 1505 newsp->tcount = 0; 1506 1507 /* check policy */ 1508 switch (xpl0->sadb_x_policy_type) { 1509 case IPSEC_POLICY_DISCARD: 1510 case IPSEC_POLICY_NONE: 1511 case IPSEC_POLICY_ENTRUST: 1512 case IPSEC_POLICY_BYPASS: 1513 break; 1514 1515 case IPSEC_POLICY_IPSEC: 1516 { 1517 struct sadb_x_ipsecrequest *xisr; 1518 struct ipsecrequest *isr; 1519 int tlen; 1520 1521 /* validity check */ 1522 if (PFKEY_EXTLEN(xpl0) < sizeof(*xpl0)) { 1523 ipseclog((LOG_DEBUG, "%s: Invalid msg length.\n", 1524 __func__)); 1525 key_freesp(&newsp); 1526 *error = EINVAL; 1527 return NULL; 1528 } 1529 1530 tlen = PFKEY_EXTLEN(xpl0) - sizeof(*xpl0); 1531 xisr = (struct sadb_x_ipsecrequest *)(xpl0 + 1); 1532 1533 while (tlen > 0) { 1534 /* length check */ 1535 if (xisr->sadb_x_ipsecrequest_len < sizeof(*xisr) || 1536 xisr->sadb_x_ipsecrequest_len > tlen) { 1537 ipseclog((LOG_DEBUG, "%s: invalid ipsecrequest " 1538 "length.\n", __func__)); 1539 key_freesp(&newsp); 1540 *error = EINVAL; 1541 return NULL; 1542 } 1543 1544 if (newsp->tcount >= IPSEC_MAXREQ) { 1545 ipseclog((LOG_DEBUG, 1546 "%s: too many ipsecrequests.\n", 1547 __func__)); 1548 key_freesp(&newsp); 1549 *error = EINVAL; 1550 return (NULL); 1551 } 1552 1553 /* allocate request buffer */ 1554 /* NB: data structure is zero'd */ 1555 isr = ipsec_newisr(); 1556 if (isr == NULL) { 1557 ipseclog((LOG_DEBUG, 1558 "%s: No more memory.\n", __func__)); 1559 key_freesp(&newsp); 1560 *error = ENOBUFS; 1561 return NULL; 1562 } 1563 1564 newsp->req[newsp->tcount++] = isr; 1565 1566 /* set values */ 1567 switch (xisr->sadb_x_ipsecrequest_proto) { 1568 case IPPROTO_ESP: 1569 case IPPROTO_AH: 1570 case IPPROTO_IPCOMP: 1571 break; 1572 default: 1573 ipseclog((LOG_DEBUG, 1574 "%s: invalid proto type=%u\n", __func__, 1575 xisr->sadb_x_ipsecrequest_proto)); 1576 key_freesp(&newsp); 1577 *error = EPROTONOSUPPORT; 1578 return NULL; 1579 } 1580 isr->saidx.proto = 1581 (uint8_t)xisr->sadb_x_ipsecrequest_proto; 1582 1583 switch (xisr->sadb_x_ipsecrequest_mode) { 1584 case IPSEC_MODE_TRANSPORT: 1585 case IPSEC_MODE_TUNNEL: 1586 break; 1587 case IPSEC_MODE_ANY: 1588 default: 1589 ipseclog((LOG_DEBUG, 1590 "%s: invalid mode=%u\n", __func__, 1591 xisr->sadb_x_ipsecrequest_mode)); 1592 key_freesp(&newsp); 1593 *error = EINVAL; 1594 return NULL; 1595 } 1596 isr->saidx.mode = xisr->sadb_x_ipsecrequest_mode; 1597 1598 switch (xisr->sadb_x_ipsecrequest_level) { 1599 case IPSEC_LEVEL_DEFAULT: 1600 case IPSEC_LEVEL_USE: 1601 case IPSEC_LEVEL_REQUIRE: 1602 break; 1603 case IPSEC_LEVEL_UNIQUE: 1604 /* validity check */ 1605 /* 1606 * If range violation of reqid, kernel will 1607 * update it, don't refuse it. 1608 */ 1609 if (xisr->sadb_x_ipsecrequest_reqid 1610 > IPSEC_MANUAL_REQID_MAX) { 1611 ipseclog((LOG_DEBUG, 1612 "%s: reqid=%d range " 1613 "violation, updated by kernel.\n", 1614 __func__, 1615 xisr->sadb_x_ipsecrequest_reqid)); 1616 xisr->sadb_x_ipsecrequest_reqid = 0; 1617 } 1618 1619 /* allocate new reqid id if reqid is zero. */ 1620 if (xisr->sadb_x_ipsecrequest_reqid == 0) { 1621 u_int32_t reqid; 1622 if ((reqid = key_newreqid()) == 0) { 1623 key_freesp(&newsp); 1624 *error = ENOBUFS; 1625 return NULL; 1626 } 1627 isr->saidx.reqid = reqid; 1628 xisr->sadb_x_ipsecrequest_reqid = reqid; 1629 } else { 1630 /* set it for manual keying. */ 1631 isr->saidx.reqid = 1632 xisr->sadb_x_ipsecrequest_reqid; 1633 } 1634 break; 1635 1636 default: 1637 ipseclog((LOG_DEBUG, "%s: invalid level=%u\n", 1638 __func__, 1639 xisr->sadb_x_ipsecrequest_level)); 1640 key_freesp(&newsp); 1641 *error = EINVAL; 1642 return NULL; 1643 } 1644 isr->level = xisr->sadb_x_ipsecrequest_level; 1645 1646 /* set IP addresses if there */ 1647 if (xisr->sadb_x_ipsecrequest_len > sizeof(*xisr)) { 1648 struct sockaddr *paddr; 1649 1650 len = tlen - sizeof(*xisr); 1651 paddr = (struct sockaddr *)(xisr + 1); 1652 /* validity check */ 1653 if (len < sizeof(struct sockaddr) || 1654 len < 2 * paddr->sa_len || 1655 paddr->sa_len > sizeof(isr->saidx.src)) { 1656 ipseclog((LOG_DEBUG, "%s: invalid " 1657 "request address length.\n", 1658 __func__)); 1659 key_freesp(&newsp); 1660 *error = EINVAL; 1661 return NULL; 1662 } 1663 /* 1664 * Request length should be enough to keep 1665 * source and destination addresses. 1666 */ 1667 if (xisr->sadb_x_ipsecrequest_len < 1668 sizeof(*xisr) + 2 * paddr->sa_len) { 1669 ipseclog((LOG_DEBUG, "%s: invalid " 1670 "ipsecrequest length.\n", 1671 __func__)); 1672 key_freesp(&newsp); 1673 *error = EINVAL; 1674 return (NULL); 1675 } 1676 bcopy(paddr, &isr->saidx.src, paddr->sa_len); 1677 paddr = (struct sockaddr *)((caddr_t)paddr + 1678 paddr->sa_len); 1679 1680 /* validity check */ 1681 if (paddr->sa_len != 1682 isr->saidx.src.sa.sa_len) { 1683 ipseclog((LOG_DEBUG, "%s: invalid " 1684 "request address length.\n", 1685 __func__)); 1686 key_freesp(&newsp); 1687 *error = EINVAL; 1688 return NULL; 1689 } 1690 /* AF family should match */ 1691 if (paddr->sa_family != 1692 isr->saidx.src.sa.sa_family) { 1693 ipseclog((LOG_DEBUG, "%s: address " 1694 "family doesn't match.\n", 1695 __func__)); 1696 key_freesp(&newsp); 1697 *error = EINVAL; 1698 return (NULL); 1699 } 1700 bcopy(paddr, &isr->saidx.dst, paddr->sa_len); 1701 } else { 1702 /* 1703 * Addresses for TUNNEL mode requests are 1704 * mandatory. 1705 */ 1706 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) { 1707 ipseclog((LOG_DEBUG, "%s: missing " 1708 "request addresses.\n", __func__)); 1709 key_freesp(&newsp); 1710 *error = EINVAL; 1711 return (NULL); 1712 } 1713 } 1714 tlen -= xisr->sadb_x_ipsecrequest_len; 1715 1716 /* validity check */ 1717 if (tlen < 0) { 1718 ipseclog((LOG_DEBUG, "%s: becoming tlen < 0.\n", 1719 __func__)); 1720 key_freesp(&newsp); 1721 *error = EINVAL; 1722 return NULL; 1723 } 1724 1725 xisr = (struct sadb_x_ipsecrequest *)((caddr_t)xisr 1726 + xisr->sadb_x_ipsecrequest_len); 1727 } 1728 /* XXXAE: LARVAL SP */ 1729 if (newsp->tcount < 1) { 1730 ipseclog((LOG_DEBUG, "%s: valid IPSEC transforms " 1731 "not found.\n", __func__)); 1732 key_freesp(&newsp); 1733 *error = EINVAL; 1734 return (NULL); 1735 } 1736 } 1737 break; 1738 default: 1739 ipseclog((LOG_DEBUG, "%s: invalid policy type.\n", __func__)); 1740 key_freesp(&newsp); 1741 *error = EINVAL; 1742 return NULL; 1743 } 1744 1745 *error = 0; 1746 return (newsp); 1747 } 1748 1749 uint32_t 1750 key_newreqid(void) 1751 { 1752 static uint32_t auto_reqid = IPSEC_MANUAL_REQID_MAX + 1; 1753 1754 if (auto_reqid == ~0) 1755 auto_reqid = IPSEC_MANUAL_REQID_MAX + 1; 1756 else 1757 auto_reqid++; 1758 1759 /* XXX should be unique check */ 1760 return (auto_reqid); 1761 } 1762 1763 /* 1764 * copy secpolicy struct to sadb_x_policy structure indicated. 1765 */ 1766 static struct mbuf * 1767 key_sp2mbuf(struct secpolicy *sp) 1768 { 1769 struct mbuf *m; 1770 size_t tlen; 1771 1772 tlen = key_getspreqmsglen(sp); 1773 m = m_get2(tlen, M_NOWAIT, MT_DATA, 0); 1774 if (m == NULL) 1775 return (NULL); 1776 m_align(m, tlen); 1777 m->m_len = tlen; 1778 if (key_sp2msg(sp, m->m_data, &tlen) != 0) { 1779 m_freem(m); 1780 return (NULL); 1781 } 1782 return (m); 1783 } 1784 1785 int 1786 key_sp2msg(struct secpolicy *sp, void *request, size_t *len) 1787 { 1788 struct sadb_x_ipsecrequest *xisr; 1789 struct sadb_x_policy *xpl; 1790 struct ipsecrequest *isr; 1791 size_t xlen, ilen; 1792 caddr_t p; 1793 int error, i; 1794 1795 IPSEC_ASSERT(sp != NULL, ("null policy")); 1796 1797 xlen = sizeof(*xpl); 1798 if (*len < xlen) 1799 return (EINVAL); 1800 1801 error = 0; 1802 bzero(request, *len); 1803 xpl = (struct sadb_x_policy *)request; 1804 xpl->sadb_x_policy_exttype = SADB_X_EXT_POLICY; 1805 xpl->sadb_x_policy_type = sp->policy; 1806 xpl->sadb_x_policy_dir = sp->spidx.dir; 1807 xpl->sadb_x_policy_id = sp->id; 1808 xpl->sadb_x_policy_priority = sp->priority; 1809 switch (sp->state) { 1810 case IPSEC_SPSTATE_IFNET: 1811 xpl->sadb_x_policy_scope = IPSEC_POLICYSCOPE_IFNET; 1812 break; 1813 case IPSEC_SPSTATE_PCB: 1814 xpl->sadb_x_policy_scope = IPSEC_POLICYSCOPE_PCB; 1815 break; 1816 default: 1817 xpl->sadb_x_policy_scope = IPSEC_POLICYSCOPE_GLOBAL; 1818 } 1819 1820 /* if is the policy for ipsec ? */ 1821 if (sp->policy == IPSEC_POLICY_IPSEC) { 1822 p = (caddr_t)xpl + sizeof(*xpl); 1823 for (i = 0; i < sp->tcount; i++) { 1824 isr = sp->req[i]; 1825 ilen = PFKEY_ALIGN8(sizeof(*xisr) + 1826 isr->saidx.src.sa.sa_len + 1827 isr->saidx.dst.sa.sa_len); 1828 xlen += ilen; 1829 if (xlen > *len) { 1830 error = ENOBUFS; 1831 /* Calculate needed size */ 1832 continue; 1833 } 1834 xisr = (struct sadb_x_ipsecrequest *)p; 1835 xisr->sadb_x_ipsecrequest_len = ilen; 1836 xisr->sadb_x_ipsecrequest_proto = isr->saidx.proto; 1837 xisr->sadb_x_ipsecrequest_mode = isr->saidx.mode; 1838 xisr->sadb_x_ipsecrequest_level = isr->level; 1839 xisr->sadb_x_ipsecrequest_reqid = isr->saidx.reqid; 1840 1841 p += sizeof(*xisr); 1842 bcopy(&isr->saidx.src, p, isr->saidx.src.sa.sa_len); 1843 p += isr->saidx.src.sa.sa_len; 1844 bcopy(&isr->saidx.dst, p, isr->saidx.dst.sa.sa_len); 1845 p += isr->saidx.dst.sa.sa_len; 1846 } 1847 } 1848 xpl->sadb_x_policy_len = PFKEY_UNIT64(xlen); 1849 if (error == 0) 1850 *len = xlen; 1851 else 1852 *len = sizeof(*xpl); 1853 return (error); 1854 } 1855 1856 /* m will not be freed nor modified */ 1857 static struct mbuf * 1858 key_gather_mbuf(struct mbuf *m, const struct sadb_msghdr *mhp, 1859 int ndeep, int nitem, ...) 1860 { 1861 va_list ap; 1862 int idx; 1863 int i; 1864 struct mbuf *result = NULL, *n; 1865 int len; 1866 1867 IPSEC_ASSERT(m != NULL, ("null mbuf")); 1868 IPSEC_ASSERT(mhp != NULL, ("null msghdr")); 1869 1870 va_start(ap, nitem); 1871 for (i = 0; i < nitem; i++) { 1872 idx = va_arg(ap, int); 1873 if (idx < 0 || idx > SADB_EXT_MAX) 1874 goto fail; 1875 /* don't attempt to pull empty extension */ 1876 if (idx == SADB_EXT_RESERVED && mhp->msg == NULL) 1877 continue; 1878 if (idx != SADB_EXT_RESERVED && 1879 (mhp->ext[idx] == NULL || mhp->extlen[idx] == 0)) 1880 continue; 1881 1882 if (idx == SADB_EXT_RESERVED) { 1883 len = PFKEY_ALIGN8(sizeof(struct sadb_msg)); 1884 1885 IPSEC_ASSERT(len <= MHLEN, ("header too big %u", len)); 1886 1887 MGETHDR(n, M_NOWAIT, MT_DATA); 1888 if (!n) 1889 goto fail; 1890 n->m_len = len; 1891 n->m_next = NULL; 1892 m_copydata(m, 0, sizeof(struct sadb_msg), 1893 mtod(n, caddr_t)); 1894 } else if (i < ndeep) { 1895 len = mhp->extlen[idx]; 1896 n = m_get2(len, M_NOWAIT, MT_DATA, 0); 1897 if (n == NULL) 1898 goto fail; 1899 m_align(n, len); 1900 n->m_len = len; 1901 m_copydata(m, mhp->extoff[idx], mhp->extlen[idx], 1902 mtod(n, caddr_t)); 1903 } else { 1904 n = m_copym(m, mhp->extoff[idx], mhp->extlen[idx], 1905 M_NOWAIT); 1906 } 1907 if (n == NULL) 1908 goto fail; 1909 1910 if (result) 1911 m_cat(result, n); 1912 else 1913 result = n; 1914 } 1915 va_end(ap); 1916 1917 if ((result->m_flags & M_PKTHDR) != 0) { 1918 result->m_pkthdr.len = 0; 1919 for (n = result; n; n = n->m_next) 1920 result->m_pkthdr.len += n->m_len; 1921 } 1922 1923 return result; 1924 1925 fail: 1926 m_freem(result); 1927 va_end(ap); 1928 return NULL; 1929 } 1930 1931 /* 1932 * SADB_X_SPDADD, SADB_X_SPDSETIDX or SADB_X_SPDUPDATE processing 1933 * add an entry to SP database, when received 1934 * <base, address(SD), (lifetime(H),) policy> 1935 * from the user(?). 1936 * Adding to SP database, 1937 * and send 1938 * <base, address(SD), (lifetime(H),) policy> 1939 * to the socket which was send. 1940 * 1941 * SPDADD set a unique policy entry. 1942 * SPDSETIDX like SPDADD without a part of policy requests. 1943 * SPDUPDATE replace a unique policy entry. 1944 * 1945 * XXXAE: serialize this in PF_KEY to avoid races. 1946 * m will always be freed. 1947 */ 1948 static int 1949 key_spdadd(struct socket *so, struct mbuf *m, const struct sadb_msghdr *mhp) 1950 { 1951 struct secpolicyindex spidx; 1952 struct sadb_address *src0, *dst0; 1953 struct sadb_x_policy *xpl0, *xpl; 1954 struct sadb_lifetime *lft = NULL; 1955 struct secpolicy *newsp, *oldsp; 1956 int error; 1957 1958 IPSEC_ASSERT(so != NULL, ("null socket")); 1959 IPSEC_ASSERT(m != NULL, ("null mbuf")); 1960 IPSEC_ASSERT(mhp != NULL, ("null msghdr")); 1961 IPSEC_ASSERT(mhp->msg != NULL, ("null msg")); 1962 1963 if (SADB_CHECKHDR(mhp, SADB_EXT_ADDRESS_SRC) || 1964 SADB_CHECKHDR(mhp, SADB_EXT_ADDRESS_DST) || 1965 SADB_CHECKHDR(mhp, SADB_X_EXT_POLICY)) { 1966 ipseclog((LOG_DEBUG, 1967 "%s: invalid message: missing required header.\n", 1968 __func__)); 1969 return key_senderror(so, m, EINVAL); 1970 } 1971 if (SADB_CHECKLEN(mhp, SADB_EXT_ADDRESS_SRC) || 1972 SADB_CHECKLEN(mhp, SADB_EXT_ADDRESS_DST) || 1973 SADB_CHECKLEN(mhp, SADB_X_EXT_POLICY)) { 1974 ipseclog((LOG_DEBUG, 1975 "%s: invalid message: wrong header size.\n", __func__)); 1976 return key_senderror(so, m, EINVAL); 1977 } 1978 if (!SADB_CHECKHDR(mhp, SADB_EXT_LIFETIME_HARD)) { 1979 if (SADB_CHECKLEN(mhp, SADB_EXT_LIFETIME_HARD)) { 1980 ipseclog((LOG_DEBUG, 1981 "%s: invalid message: wrong header size.\n", 1982 __func__)); 1983 return key_senderror(so, m, EINVAL); 1984 } 1985 lft = (struct sadb_lifetime *)mhp->ext[SADB_EXT_LIFETIME_HARD]; 1986 } 1987 1988 src0 = (struct sadb_address *)mhp->ext[SADB_EXT_ADDRESS_SRC]; 1989 dst0 = (struct sadb_address *)mhp->ext[SADB_EXT_ADDRESS_DST]; 1990 xpl0 = (struct sadb_x_policy *)mhp->ext[SADB_X_EXT_POLICY]; 1991 1992 /* check the direciton */ 1993 switch (xpl0->sadb_x_policy_dir) { 1994 case IPSEC_DIR_INBOUND: 1995 case IPSEC_DIR_OUTBOUND: 1996 break; 1997 default: 1998 ipseclog((LOG_DEBUG, "%s: invalid SP direction.\n", __func__)); 1999 return key_senderror(so, m, EINVAL); 2000 } 2001 /* key_spdadd() accepts DISCARD, NONE and IPSEC. */ 2002 if (xpl0->sadb_x_policy_type != IPSEC_POLICY_DISCARD && 2003 xpl0->sadb_x_policy_type != IPSEC_POLICY_NONE && 2004 xpl0->sadb_x_policy_type != IPSEC_POLICY_IPSEC) { 2005 ipseclog((LOG_DEBUG, "%s: invalid policy type.\n", __func__)); 2006 return key_senderror(so, m, EINVAL); 2007 } 2008 2009 /* policy requests are mandatory when action is ipsec. */ 2010 if (xpl0->sadb_x_policy_type == IPSEC_POLICY_IPSEC && 2011 mhp->extlen[SADB_X_EXT_POLICY] <= sizeof(*xpl0)) { 2012 ipseclog((LOG_DEBUG, 2013 "%s: policy requests required.\n", __func__)); 2014 return key_senderror(so, m, EINVAL); 2015 } 2016 2017 error = key_checksockaddrs((struct sockaddr *)(src0 + 1), 2018 (struct sockaddr *)(dst0 + 1)); 2019 if (error != 0 || 2020 src0->sadb_address_proto != dst0->sadb_address_proto) { 2021 ipseclog((LOG_DEBUG, "%s: invalid sockaddr.\n", __func__)); 2022 return key_senderror(so, m, error); 2023 } 2024 /* make secindex */ 2025 KEY_SETSECSPIDX(xpl0->sadb_x_policy_dir, 2026 src0 + 1, 2027 dst0 + 1, 2028 src0->sadb_address_prefixlen, 2029 dst0->sadb_address_prefixlen, 2030 src0->sadb_address_proto, 2031 &spidx); 2032 /* Checking there is SP already or not. */ 2033 oldsp = key_getsp(&spidx); 2034 if (oldsp != NULL) { 2035 if (mhp->msg->sadb_msg_type == SADB_X_SPDUPDATE) { 2036 KEYDBG(KEY_STAMP, 2037 printf("%s: unlink SP(%p) for SPDUPDATE\n", 2038 __func__, oldsp)); 2039 KEYDBG(KEY_DATA, kdebug_secpolicy(oldsp)); 2040 } else { 2041 key_freesp(&oldsp); 2042 ipseclog((LOG_DEBUG, 2043 "%s: a SP entry exists already.\n", __func__)); 2044 return (key_senderror(so, m, EEXIST)); 2045 } 2046 } 2047 2048 /* allocate new SP entry */ 2049 if ((newsp = key_msg2sp(xpl0, PFKEY_EXTLEN(xpl0), &error)) == NULL) { 2050 if (oldsp != NULL) { 2051 key_unlink(oldsp); 2052 key_freesp(&oldsp); /* second for our reference */ 2053 } 2054 return key_senderror(so, m, error); 2055 } 2056 2057 newsp->lastused = newsp->created = time_second; 2058 newsp->lifetime = lft ? lft->sadb_lifetime_addtime : 0; 2059 newsp->validtime = lft ? lft->sadb_lifetime_usetime : 0; 2060 bcopy(&spidx, &newsp->spidx, sizeof(spidx)); 2061 2062 SPTREE_WLOCK(); 2063 if ((newsp->id = key_getnewspid()) == 0) { 2064 if (oldsp != NULL) 2065 key_detach(oldsp); 2066 SPTREE_WUNLOCK(); 2067 if (oldsp != NULL) { 2068 key_freesp(&oldsp); /* first for key_detach */ 2069 IPSEC_ASSERT(oldsp != NULL, ("null oldsp: refcount bug")); 2070 key_freesp(&oldsp); /* second for our reference */ 2071 if (SPDCACHE_ENABLED()) /* refresh cache because of key_detach */ 2072 spdcache_clear(); 2073 } 2074 key_freesp(&newsp); 2075 return key_senderror(so, m, ENOBUFS); 2076 } 2077 if (oldsp != NULL) 2078 key_detach(oldsp); 2079 key_insertsp(newsp); 2080 SPTREE_WUNLOCK(); 2081 if (oldsp != NULL) { 2082 key_freesp(&oldsp); /* first for key_detach */ 2083 IPSEC_ASSERT(oldsp != NULL, ("null oldsp: refcount bug")); 2084 key_freesp(&oldsp); /* second for our reference */ 2085 } 2086 if (SPDCACHE_ENABLED()) 2087 spdcache_clear(); 2088 KEYDBG(KEY_STAMP, 2089 printf("%s: SP(%p)\n", __func__, newsp)); 2090 KEYDBG(KEY_DATA, kdebug_secpolicy(newsp)); 2091 2092 { 2093 struct mbuf *n, *mpolicy; 2094 struct sadb_msg *newmsg; 2095 int off; 2096 2097 /* create new sadb_msg to reply. */ 2098 if (lft) { 2099 n = key_gather_mbuf(m, mhp, 2, 5, SADB_EXT_RESERVED, 2100 SADB_X_EXT_POLICY, SADB_EXT_LIFETIME_HARD, 2101 SADB_EXT_ADDRESS_SRC, SADB_EXT_ADDRESS_DST); 2102 } else { 2103 n = key_gather_mbuf(m, mhp, 2, 4, SADB_EXT_RESERVED, 2104 SADB_X_EXT_POLICY, 2105 SADB_EXT_ADDRESS_SRC, SADB_EXT_ADDRESS_DST); 2106 } 2107 if (!n) 2108 return key_senderror(so, m, ENOBUFS); 2109 2110 if (n->m_len < sizeof(*newmsg)) { 2111 n = m_pullup(n, sizeof(*newmsg)); 2112 if (!n) 2113 return key_senderror(so, m, ENOBUFS); 2114 } 2115 newmsg = mtod(n, struct sadb_msg *); 2116 newmsg->sadb_msg_errno = 0; 2117 newmsg->sadb_msg_len = PFKEY_UNIT64(n->m_pkthdr.len); 2118 2119 off = 0; 2120 mpolicy = m_pulldown(n, PFKEY_ALIGN8(sizeof(struct sadb_msg)), 2121 sizeof(*xpl), &off); 2122 if (mpolicy == NULL) { 2123 /* n is already freed */ 2124 return key_senderror(so, m, ENOBUFS); 2125 } 2126 xpl = (struct sadb_x_policy *)(mtod(mpolicy, caddr_t) + off); 2127 if (xpl->sadb_x_policy_exttype != SADB_X_EXT_POLICY) { 2128 m_freem(n); 2129 return key_senderror(so, m, EINVAL); 2130 } 2131 xpl->sadb_x_policy_id = newsp->id; 2132 2133 m_freem(m); 2134 return key_sendup_mbuf(so, n, KEY_SENDUP_ALL); 2135 } 2136 } 2137 2138 /* 2139 * get new policy id. 2140 * OUT: 2141 * 0: failure. 2142 * others: success. 2143 */ 2144 static uint32_t 2145 key_getnewspid(void) 2146 { 2147 struct secpolicy *sp; 2148 uint32_t newid = 0; 2149 int tries, limit; 2150 2151 SPTREE_WLOCK_ASSERT(); 2152 2153 limit = atomic_load_int(&V_key_spi_trycnt); 2154 for (tries = 0; tries < limit; tries++) { 2155 if (V_policy_id == ~0) /* overflowed */ 2156 newid = V_policy_id = 1; 2157 else 2158 newid = ++V_policy_id; 2159 LIST_FOREACH(sp, SPHASH_HASH(newid), idhash) { 2160 if (sp->id == newid) 2161 break; 2162 } 2163 if (sp == NULL) 2164 break; 2165 } 2166 if (tries == limit || newid == 0) { 2167 ipseclog((LOG_DEBUG, "%s: failed to allocate policy id.\n", 2168 __func__)); 2169 return (0); 2170 } 2171 return (newid); 2172 } 2173 2174 /* 2175 * SADB_SPDDELETE processing 2176 * receive 2177 * <base, address(SD), policy(*)> 2178 * from the user(?), and set SADB_SASTATE_DEAD, 2179 * and send, 2180 * <base, address(SD), policy(*)> 2181 * to the ikmpd. 2182 * policy(*) including direction of policy. 2183 * 2184 * m will always be freed. 2185 */ 2186 static int 2187 key_spddelete(struct socket *so, struct mbuf *m, 2188 const struct sadb_msghdr *mhp) 2189 { 2190 struct secpolicyindex spidx; 2191 struct sadb_address *src0, *dst0; 2192 struct sadb_x_policy *xpl0; 2193 struct secpolicy *sp; 2194 2195 IPSEC_ASSERT(so != NULL, ("null so")); 2196 IPSEC_ASSERT(m != NULL, ("null mbuf")); 2197 IPSEC_ASSERT(mhp != NULL, ("null msghdr")); 2198 IPSEC_ASSERT(mhp->msg != NULL, ("null msg")); 2199 2200 if (SADB_CHECKHDR(mhp, SADB_EXT_ADDRESS_SRC) || 2201 SADB_CHECKHDR(mhp, SADB_EXT_ADDRESS_DST) || 2202 SADB_CHECKHDR(mhp, SADB_X_EXT_POLICY)) { 2203 ipseclog((LOG_DEBUG, 2204 "%s: invalid message: missing required header.\n", 2205 __func__)); 2206 return key_senderror(so, m, EINVAL); 2207 } 2208 if (SADB_CHECKLEN(mhp, SADB_EXT_ADDRESS_SRC) || 2209 SADB_CHECKLEN(mhp, SADB_EXT_ADDRESS_DST) || 2210 SADB_CHECKLEN(mhp, SADB_X_EXT_POLICY)) { 2211 ipseclog((LOG_DEBUG, 2212 "%s: invalid message: wrong header size.\n", __func__)); 2213 return key_senderror(so, m, EINVAL); 2214 } 2215 2216 src0 = (struct sadb_address *)mhp->ext[SADB_EXT_ADDRESS_SRC]; 2217 dst0 = (struct sadb_address *)mhp->ext[SADB_EXT_ADDRESS_DST]; 2218 xpl0 = (struct sadb_x_policy *)mhp->ext[SADB_X_EXT_POLICY]; 2219 2220 /* check the direciton */ 2221 switch (xpl0->sadb_x_policy_dir) { 2222 case IPSEC_DIR_INBOUND: 2223 case IPSEC_DIR_OUTBOUND: 2224 break; 2225 default: 2226 ipseclog((LOG_DEBUG, "%s: invalid SP direction.\n", __func__)); 2227 return key_senderror(so, m, EINVAL); 2228 } 2229 /* Only DISCARD, NONE and IPSEC are allowed */ 2230 if (xpl0->sadb_x_policy_type != IPSEC_POLICY_DISCARD && 2231 xpl0->sadb_x_policy_type != IPSEC_POLICY_NONE && 2232 xpl0->sadb_x_policy_type != IPSEC_POLICY_IPSEC) { 2233 ipseclog((LOG_DEBUG, "%s: invalid policy type.\n", __func__)); 2234 return key_senderror(so, m, EINVAL); 2235 } 2236 if (key_checksockaddrs((struct sockaddr *)(src0 + 1), 2237 (struct sockaddr *)(dst0 + 1)) != 0 || 2238 src0->sadb_address_proto != dst0->sadb_address_proto) { 2239 ipseclog((LOG_DEBUG, "%s: invalid sockaddr.\n", __func__)); 2240 return key_senderror(so, m, EINVAL); 2241 } 2242 /* make secindex */ 2243 KEY_SETSECSPIDX(xpl0->sadb_x_policy_dir, 2244 src0 + 1, 2245 dst0 + 1, 2246 src0->sadb_address_prefixlen, 2247 dst0->sadb_address_prefixlen, 2248 src0->sadb_address_proto, 2249 &spidx); 2250 2251 /* Is there SP in SPD ? */ 2252 if ((sp = key_getsp(&spidx)) == NULL) { 2253 ipseclog((LOG_DEBUG, "%s: no SP found.\n", __func__)); 2254 return key_senderror(so, m, EINVAL); 2255 } 2256 2257 /* save policy id to buffer to be returned. */ 2258 xpl0->sadb_x_policy_id = sp->id; 2259 2260 KEYDBG(KEY_STAMP, 2261 printf("%s: SP(%p)\n", __func__, sp)); 2262 KEYDBG(KEY_DATA, kdebug_secpolicy(sp)); 2263 key_unlink(sp); 2264 key_freesp(&sp); 2265 2266 { 2267 struct mbuf *n; 2268 struct sadb_msg *newmsg; 2269 2270 /* create new sadb_msg to reply. */ 2271 n = key_gather_mbuf(m, mhp, 1, 4, SADB_EXT_RESERVED, 2272 SADB_X_EXT_POLICY, SADB_EXT_ADDRESS_SRC, SADB_EXT_ADDRESS_DST); 2273 if (!n) 2274 return key_senderror(so, m, ENOBUFS); 2275 2276 newmsg = mtod(n, struct sadb_msg *); 2277 newmsg->sadb_msg_errno = 0; 2278 newmsg->sadb_msg_len = PFKEY_UNIT64(n->m_pkthdr.len); 2279 2280 m_freem(m); 2281 return key_sendup_mbuf(so, n, KEY_SENDUP_ALL); 2282 } 2283 } 2284 2285 /* 2286 * SADB_SPDDELETE2 processing 2287 * receive 2288 * <base, policy(*)> 2289 * from the user(?), and set SADB_SASTATE_DEAD, 2290 * and send, 2291 * <base, policy(*)> 2292 * to the ikmpd. 2293 * policy(*) including direction of policy. 2294 * 2295 * m will always be freed. 2296 */ 2297 static int 2298 key_spddelete2(struct socket *so, struct mbuf *m, 2299 const struct sadb_msghdr *mhp) 2300 { 2301 struct secpolicy *sp; 2302 uint32_t id; 2303 2304 IPSEC_ASSERT(so != NULL, ("null socket")); 2305 IPSEC_ASSERT(m != NULL, ("null mbuf")); 2306 IPSEC_ASSERT(mhp != NULL, ("null msghdr")); 2307 IPSEC_ASSERT(mhp->msg != NULL, ("null msg")); 2308 2309 if (SADB_CHECKHDR(mhp, SADB_X_EXT_POLICY) || 2310 SADB_CHECKLEN(mhp, SADB_X_EXT_POLICY)) { 2311 ipseclog((LOG_DEBUG, "%s: invalid message is passed.\n", 2312 __func__)); 2313 return key_senderror(so, m, EINVAL); 2314 } 2315 2316 id = ((struct sadb_x_policy *) 2317 mhp->ext[SADB_X_EXT_POLICY])->sadb_x_policy_id; 2318 2319 /* Is there SP in SPD ? */ 2320 if ((sp = key_getspbyid(id)) == NULL) { 2321 ipseclog((LOG_DEBUG, "%s: no SP found for id %u.\n", 2322 __func__, id)); 2323 return key_senderror(so, m, EINVAL); 2324 } 2325 2326 KEYDBG(KEY_STAMP, 2327 printf("%s: SP(%p)\n", __func__, sp)); 2328 KEYDBG(KEY_DATA, kdebug_secpolicy(sp)); 2329 key_unlink(sp); 2330 if (sp->state != IPSEC_SPSTATE_DEAD) { 2331 ipseclog((LOG_DEBUG, "%s: failed to delete SP with id %u.\n", 2332 __func__, id)); 2333 key_freesp(&sp); 2334 return (key_senderror(so, m, EACCES)); 2335 } 2336 key_freesp(&sp); 2337 2338 { 2339 struct mbuf *n, *nn; 2340 struct sadb_msg *newmsg; 2341 int off, len; 2342 2343 /* create new sadb_msg to reply. */ 2344 len = PFKEY_ALIGN8(sizeof(struct sadb_msg)); 2345 2346 MGETHDR(n, M_NOWAIT, MT_DATA); 2347 if (n && len > MHLEN) { 2348 if (!(MCLGET(n, M_NOWAIT))) { 2349 m_freem(n); 2350 n = NULL; 2351 } 2352 } 2353 if (!n) 2354 return key_senderror(so, m, ENOBUFS); 2355 2356 n->m_len = len; 2357 n->m_next = NULL; 2358 off = 0; 2359 2360 m_copydata(m, 0, sizeof(struct sadb_msg), mtod(n, caddr_t) + off); 2361 off += PFKEY_ALIGN8(sizeof(struct sadb_msg)); 2362 2363 IPSEC_ASSERT(off == len, ("length inconsistency (off %u len %u)", 2364 off, len)); 2365 2366 n->m_next = m_copym(m, mhp->extoff[SADB_X_EXT_POLICY], 2367 mhp->extlen[SADB_X_EXT_POLICY], M_NOWAIT); 2368 if (!n->m_next) { 2369 m_freem(n); 2370 return key_senderror(so, m, ENOBUFS); 2371 } 2372 2373 n->m_pkthdr.len = 0; 2374 for (nn = n; nn; nn = nn->m_next) 2375 n->m_pkthdr.len += nn->m_len; 2376 2377 newmsg = mtod(n, struct sadb_msg *); 2378 newmsg->sadb_msg_errno = 0; 2379 newmsg->sadb_msg_len = PFKEY_UNIT64(n->m_pkthdr.len); 2380 2381 m_freem(m); 2382 return key_sendup_mbuf(so, n, KEY_SENDUP_ALL); 2383 } 2384 } 2385 2386 /* 2387 * SADB_X_SPDGET processing 2388 * receive 2389 * <base, policy(*)> 2390 * from the user(?), 2391 * and send, 2392 * <base, address(SD), policy> 2393 * to the ikmpd. 2394 * policy(*) including direction of policy. 2395 * 2396 * m will always be freed. 2397 */ 2398 static int 2399 key_spdget(struct socket *so, struct mbuf *m, const struct sadb_msghdr *mhp) 2400 { 2401 struct secpolicy *sp; 2402 struct mbuf *n; 2403 uint32_t id; 2404 2405 IPSEC_ASSERT(so != NULL, ("null socket")); 2406 IPSEC_ASSERT(m != NULL, ("null mbuf")); 2407 IPSEC_ASSERT(mhp != NULL, ("null msghdr")); 2408 IPSEC_ASSERT(mhp->msg != NULL, ("null msg")); 2409 2410 if (SADB_CHECKHDR(mhp, SADB_X_EXT_POLICY) || 2411 SADB_CHECKLEN(mhp, SADB_X_EXT_POLICY)) { 2412 ipseclog((LOG_DEBUG, "%s: invalid message is passed.\n", 2413 __func__)); 2414 return key_senderror(so, m, EINVAL); 2415 } 2416 2417 id = ((struct sadb_x_policy *) 2418 mhp->ext[SADB_X_EXT_POLICY])->sadb_x_policy_id; 2419 2420 /* Is there SP in SPD ? */ 2421 if ((sp = key_getspbyid(id)) == NULL) { 2422 ipseclog((LOG_DEBUG, "%s: no SP found for id %u.\n", 2423 __func__, id)); 2424 return key_senderror(so, m, ENOENT); 2425 } 2426 2427 n = key_setdumpsp(sp, SADB_X_SPDGET, mhp->msg->sadb_msg_seq, 2428 mhp->msg->sadb_msg_pid); 2429 key_freesp(&sp); 2430 if (n != NULL) { 2431 m_freem(m); 2432 return key_sendup_mbuf(so, n, KEY_SENDUP_ONE); 2433 } else 2434 return key_senderror(so, m, ENOBUFS); 2435 } 2436 2437 /* 2438 * SADB_X_SPDACQUIRE processing. 2439 * Acquire policy and SA(s) for a *OUTBOUND* packet. 2440 * send 2441 * <base, policy(*)> 2442 * to KMD, and expect to receive 2443 * <base> with SADB_X_SPDACQUIRE if error occurred, 2444 * or 2445 * <base, policy> 2446 * with SADB_X_SPDUPDATE from KMD by PF_KEY. 2447 * policy(*) is without policy requests. 2448 * 2449 * 0 : succeed 2450 * others: error number 2451 */ 2452 int 2453 key_spdacquire(struct secpolicy *sp) 2454 { 2455 struct mbuf *result = NULL, *m; 2456 struct secspacq *newspacq; 2457 2458 IPSEC_ASSERT(sp != NULL, ("null secpolicy")); 2459 IPSEC_ASSERT(sp->req == NULL, ("policy exists")); 2460 IPSEC_ASSERT(sp->policy == IPSEC_POLICY_IPSEC, 2461 ("policy not IPSEC %u", sp->policy)); 2462 2463 /* Get an entry to check whether sent message or not. */ 2464 newspacq = key_getspacq(&sp->spidx); 2465 if (newspacq != NULL) { 2466 if (V_key_blockacq_count < newspacq->count) { 2467 /* reset counter and do send message. */ 2468 newspacq->count = 0; 2469 } else { 2470 /* increment counter and do nothing. */ 2471 newspacq->count++; 2472 SPACQ_UNLOCK(); 2473 return (0); 2474 } 2475 SPACQ_UNLOCK(); 2476 } else { 2477 /* make new entry for blocking to send SADB_ACQUIRE. */ 2478 newspacq = key_newspacq(&sp->spidx); 2479 if (newspacq == NULL) 2480 return ENOBUFS; 2481 } 2482 2483 /* create new sadb_msg to reply. */ 2484 m = key_setsadbmsg(SADB_X_SPDACQUIRE, 0, 0, 0, 0, 0); 2485 if (!m) 2486 return ENOBUFS; 2487 2488 result = m; 2489 2490 result->m_pkthdr.len = 0; 2491 for (m = result; m; m = m->m_next) 2492 result->m_pkthdr.len += m->m_len; 2493 2494 mtod(result, struct sadb_msg *)->sadb_msg_len = 2495 PFKEY_UNIT64(result->m_pkthdr.len); 2496 2497 return key_sendup_mbuf(NULL, m, KEY_SENDUP_REGISTERED); 2498 } 2499 2500 /* 2501 * SADB_SPDFLUSH processing 2502 * receive 2503 * <base> 2504 * from the user, and free all entries in secpctree. 2505 * and send, 2506 * <base> 2507 * to the user. 2508 * NOTE: what to do is only marking SADB_SASTATE_DEAD. 2509 * 2510 * m will always be freed. 2511 */ 2512 static int 2513 key_spdflush(struct socket *so, struct mbuf *m, const struct sadb_msghdr *mhp) 2514 { 2515 struct secpolicy_queue drainq; 2516 struct sadb_msg *newmsg; 2517 struct secpolicy *sp, *nextsp; 2518 u_int dir; 2519 2520 IPSEC_ASSERT(so != NULL, ("null socket")); 2521 IPSEC_ASSERT(m != NULL, ("null mbuf")); 2522 IPSEC_ASSERT(mhp != NULL, ("null msghdr")); 2523 IPSEC_ASSERT(mhp->msg != NULL, ("null msg")); 2524 2525 if (m->m_len != PFKEY_ALIGN8(sizeof(struct sadb_msg))) 2526 return key_senderror(so, m, EINVAL); 2527 2528 TAILQ_INIT(&drainq); 2529 SPTREE_WLOCK(); 2530 for (dir = 0; dir < IPSEC_DIR_MAX; dir++) { 2531 TAILQ_CONCAT(&drainq, &V_sptree[dir], chain); 2532 } 2533 /* 2534 * We need to set state to DEAD for each policy to be sure, 2535 * that another thread won't try to unlink it. 2536 * Also remove SP from sphash. 2537 */ 2538 TAILQ_FOREACH(sp, &drainq, chain) { 2539 sp->state = IPSEC_SPSTATE_DEAD; 2540 LIST_REMOVE(sp, idhash); 2541 } 2542 V_sp_genid++; 2543 V_spd_size = 0; 2544 SPTREE_WUNLOCK(); 2545 if (SPDCACHE_ENABLED()) 2546 spdcache_clear(); 2547 sp = TAILQ_FIRST(&drainq); 2548 while (sp != NULL) { 2549 nextsp = TAILQ_NEXT(sp, chain); 2550 key_freesp(&sp); 2551 sp = nextsp; 2552 } 2553 2554 if (sizeof(struct sadb_msg) > m->m_len + M_TRAILINGSPACE(m)) { 2555 ipseclog((LOG_DEBUG, "%s: No more memory.\n", __func__)); 2556 return key_senderror(so, m, ENOBUFS); 2557 } 2558 2559 if (m->m_next) 2560 m_freem(m->m_next); 2561 m->m_next = NULL; 2562 m->m_pkthdr.len = m->m_len = PFKEY_ALIGN8(sizeof(struct sadb_msg)); 2563 newmsg = mtod(m, struct sadb_msg *); 2564 newmsg->sadb_msg_errno = 0; 2565 newmsg->sadb_msg_len = PFKEY_UNIT64(m->m_pkthdr.len); 2566 2567 return key_sendup_mbuf(so, m, KEY_SENDUP_ALL); 2568 } 2569 2570 static uint8_t 2571 key_satype2scopemask(uint8_t satype) 2572 { 2573 2574 if (satype == IPSEC_POLICYSCOPE_ANY) 2575 return (0xff); 2576 return (satype); 2577 } 2578 /* 2579 * SADB_SPDDUMP processing 2580 * receive 2581 * <base> 2582 * from the user, and dump all SP leaves and send, 2583 * <base> ..... 2584 * to the ikmpd. 2585 * 2586 * NOTE: 2587 * sadb_msg_satype is considered as mask of policy scopes. 2588 * m will always be freed. 2589 */ 2590 static int 2591 key_spddump(struct socket *so, struct mbuf *m, const struct sadb_msghdr *mhp) 2592 { 2593 SPTREE_RLOCK_TRACKER; 2594 struct secpolicy *sp; 2595 struct mbuf *n; 2596 int cnt; 2597 u_int dir, scope; 2598 2599 IPSEC_ASSERT(so != NULL, ("null socket")); 2600 IPSEC_ASSERT(m != NULL, ("null mbuf")); 2601 IPSEC_ASSERT(mhp != NULL, ("null msghdr")); 2602 IPSEC_ASSERT(mhp->msg != NULL, ("null msg")); 2603 2604 /* search SPD entry and get buffer size. */ 2605 cnt = 0; 2606 scope = key_satype2scopemask(mhp->msg->sadb_msg_satype); 2607 SPTREE_RLOCK(); 2608 for (dir = 0; dir < IPSEC_DIR_MAX; dir++) { 2609 if (scope & IPSEC_POLICYSCOPE_GLOBAL) { 2610 TAILQ_FOREACH(sp, &V_sptree[dir], chain) 2611 cnt++; 2612 } 2613 if (scope & IPSEC_POLICYSCOPE_IFNET) { 2614 TAILQ_FOREACH(sp, &V_sptree_ifnet[dir], chain) 2615 cnt++; 2616 } 2617 } 2618 2619 if (cnt == 0) { 2620 SPTREE_RUNLOCK(); 2621 return key_senderror(so, m, ENOENT); 2622 } 2623 2624 for (dir = 0; dir < IPSEC_DIR_MAX; dir++) { 2625 if (scope & IPSEC_POLICYSCOPE_GLOBAL) { 2626 TAILQ_FOREACH(sp, &V_sptree[dir], chain) { 2627 --cnt; 2628 n = key_setdumpsp(sp, SADB_X_SPDDUMP, cnt, 2629 mhp->msg->sadb_msg_pid); 2630 2631 if (n != NULL) 2632 key_sendup_mbuf(so, n, KEY_SENDUP_ONE); 2633 } 2634 } 2635 if (scope & IPSEC_POLICYSCOPE_IFNET) { 2636 TAILQ_FOREACH(sp, &V_sptree_ifnet[dir], chain) { 2637 --cnt; 2638 n = key_setdumpsp(sp, SADB_X_SPDDUMP, cnt, 2639 mhp->msg->sadb_msg_pid); 2640 2641 if (n != NULL) 2642 key_sendup_mbuf(so, n, KEY_SENDUP_ONE); 2643 } 2644 } 2645 } 2646 2647 SPTREE_RUNLOCK(); 2648 m_freem(m); 2649 return (0); 2650 } 2651 2652 static struct mbuf * 2653 key_setdumpsp(struct secpolicy *sp, u_int8_t type, u_int32_t seq, 2654 u_int32_t pid) 2655 { 2656 struct mbuf *result = NULL, *m; 2657 struct seclifetime lt; 2658 2659 m = key_setsadbmsg(type, 0, SADB_SATYPE_UNSPEC, seq, pid, sp->refcnt); 2660 if (!m) 2661 goto fail; 2662 result = m; 2663 2664 m = key_setsadbaddr(SADB_EXT_ADDRESS_SRC, 2665 &sp->spidx.src.sa, sp->spidx.prefs, 2666 sp->spidx.ul_proto); 2667 if (!m) 2668 goto fail; 2669 m_cat(result, m); 2670 2671 m = key_setsadbaddr(SADB_EXT_ADDRESS_DST, 2672 &sp->spidx.dst.sa, sp->spidx.prefd, 2673 sp->spidx.ul_proto); 2674 if (!m) 2675 goto fail; 2676 m_cat(result, m); 2677 2678 m = key_sp2mbuf(sp); 2679 if (!m) 2680 goto fail; 2681 m_cat(result, m); 2682 2683 if(sp->lifetime){ 2684 lt.addtime=sp->created; 2685 lt.usetime= sp->lastused; 2686 m = key_setlifetime(<, SADB_EXT_LIFETIME_CURRENT); 2687 if (!m) 2688 goto fail; 2689 m_cat(result, m); 2690 2691 lt.addtime=sp->lifetime; 2692 lt.usetime= sp->validtime; 2693 m = key_setlifetime(<, SADB_EXT_LIFETIME_HARD); 2694 if (!m) 2695 goto fail; 2696 m_cat(result, m); 2697 } 2698 2699 if ((result->m_flags & M_PKTHDR) == 0) 2700 goto fail; 2701 2702 if (result->m_len < sizeof(struct sadb_msg)) { 2703 result = m_pullup(result, sizeof(struct sadb_msg)); 2704 if (result == NULL) 2705 goto fail; 2706 } 2707 2708 result->m_pkthdr.len = 0; 2709 for (m = result; m; m = m->m_next) 2710 result->m_pkthdr.len += m->m_len; 2711 2712 mtod(result, struct sadb_msg *)->sadb_msg_len = 2713 PFKEY_UNIT64(result->m_pkthdr.len); 2714 2715 return result; 2716 2717 fail: 2718 m_freem(result); 2719 return NULL; 2720 } 2721 /* 2722 * get PFKEY message length for security policy and request. 2723 */ 2724 static size_t 2725 key_getspreqmsglen(struct secpolicy *sp) 2726 { 2727 size_t tlen, len; 2728 int i; 2729 2730 tlen = sizeof(struct sadb_x_policy); 2731 /* if is the policy for ipsec ? */ 2732 if (sp->policy != IPSEC_POLICY_IPSEC) 2733 return (tlen); 2734 2735 /* get length of ipsec requests */ 2736 for (i = 0; i < sp->tcount; i++) { 2737 len = sizeof(struct sadb_x_ipsecrequest) 2738 + sp->req[i]->saidx.src.sa.sa_len 2739 + sp->req[i]->saidx.dst.sa.sa_len; 2740 2741 tlen += PFKEY_ALIGN8(len); 2742 } 2743 return (tlen); 2744 } 2745 2746 /* 2747 * SADB_SPDEXPIRE processing 2748 * send 2749 * <base, address(SD), lifetime(CH), policy> 2750 * to KMD by PF_KEY. 2751 * 2752 * OUT: 0 : succeed 2753 * others : error number 2754 */ 2755 static int 2756 key_spdexpire(struct secpolicy *sp) 2757 { 2758 struct sadb_lifetime *lt; 2759 struct mbuf *result = NULL, *m; 2760 int len, error = -1; 2761 2762 IPSEC_ASSERT(sp != NULL, ("null secpolicy")); 2763 2764 KEYDBG(KEY_STAMP, 2765 printf("%s: SP(%p)\n", __func__, sp)); 2766 KEYDBG(KEY_DATA, kdebug_secpolicy(sp)); 2767 2768 /* set msg header */ 2769 m = key_setsadbmsg(SADB_X_SPDEXPIRE, 0, 0, 0, 0, 0); 2770 if (!m) { 2771 error = ENOBUFS; 2772 goto fail; 2773 } 2774 result = m; 2775 2776 /* create lifetime extension (current and hard) */ 2777 len = PFKEY_ALIGN8(sizeof(*lt)) * 2; 2778 m = m_get2(len, M_NOWAIT, MT_DATA, 0); 2779 if (m == NULL) { 2780 error = ENOBUFS; 2781 goto fail; 2782 } 2783 m_align(m, len); 2784 m->m_len = len; 2785 bzero(mtod(m, caddr_t), len); 2786 lt = mtod(m, struct sadb_lifetime *); 2787 lt->sadb_lifetime_len = PFKEY_UNIT64(sizeof(struct sadb_lifetime)); 2788 lt->sadb_lifetime_exttype = SADB_EXT_LIFETIME_CURRENT; 2789 lt->sadb_lifetime_allocations = 0; 2790 lt->sadb_lifetime_bytes = 0; 2791 lt->sadb_lifetime_addtime = sp->created; 2792 lt->sadb_lifetime_usetime = sp->lastused; 2793 lt = (struct sadb_lifetime *)(mtod(m, caddr_t) + len / 2); 2794 lt->sadb_lifetime_len = PFKEY_UNIT64(sizeof(struct sadb_lifetime)); 2795 lt->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD; 2796 lt->sadb_lifetime_allocations = 0; 2797 lt->sadb_lifetime_bytes = 0; 2798 lt->sadb_lifetime_addtime = sp->lifetime; 2799 lt->sadb_lifetime_usetime = sp->validtime; 2800 m_cat(result, m); 2801 2802 /* set sadb_address for source */ 2803 m = key_setsadbaddr(SADB_EXT_ADDRESS_SRC, 2804 &sp->spidx.src.sa, 2805 sp->spidx.prefs, sp->spidx.ul_proto); 2806 if (!m) { 2807 error = ENOBUFS; 2808 goto fail; 2809 } 2810 m_cat(result, m); 2811 2812 /* set sadb_address for destination */ 2813 m = key_setsadbaddr(SADB_EXT_ADDRESS_DST, 2814 &sp->spidx.dst.sa, 2815 sp->spidx.prefd, sp->spidx.ul_proto); 2816 if (!m) { 2817 error = ENOBUFS; 2818 goto fail; 2819 } 2820 m_cat(result, m); 2821 2822 /* set secpolicy */ 2823 m = key_sp2mbuf(sp); 2824 if (!m) { 2825 error = ENOBUFS; 2826 goto fail; 2827 } 2828 m_cat(result, m); 2829 2830 if ((result->m_flags & M_PKTHDR) == 0) { 2831 error = EINVAL; 2832 goto fail; 2833 } 2834 2835 if (result->m_len < sizeof(struct sadb_msg)) { 2836 result = m_pullup(result, sizeof(struct sadb_msg)); 2837 if (result == NULL) { 2838 error = ENOBUFS; 2839 goto fail; 2840 } 2841 } 2842 2843 result->m_pkthdr.len = 0; 2844 for (m = result; m; m = m->m_next) 2845 result->m_pkthdr.len += m->m_len; 2846 2847 mtod(result, struct sadb_msg *)->sadb_msg_len = 2848 PFKEY_UNIT64(result->m_pkthdr.len); 2849 2850 return key_sendup_mbuf(NULL, result, KEY_SENDUP_REGISTERED); 2851 2852 fail: 2853 if (result) 2854 m_freem(result); 2855 return error; 2856 } 2857 2858 /* %%% SAD management */ 2859 /* 2860 * allocating and initialize new SA head. 2861 * OUT: NULL : failure due to the lack of memory. 2862 * others : pointer to new SA head. 2863 */ 2864 static struct secashead * 2865 key_newsah(struct secasindex *saidx) 2866 { 2867 struct secashead *sah; 2868 2869 sah = malloc(sizeof(struct secashead), M_IPSEC_SAH, 2870 M_NOWAIT | M_ZERO); 2871 if (sah == NULL) { 2872 PFKEYSTAT_INC(in_nomem); 2873 return (NULL); 2874 } 2875 TAILQ_INIT(&sah->savtree_larval); 2876 TAILQ_INIT(&sah->savtree_alive); 2877 sah->saidx = *saidx; 2878 sah->state = SADB_SASTATE_DEAD; 2879 SAH_INITREF(sah); 2880 2881 KEYDBG(KEY_STAMP, 2882 printf("%s: SAH(%p)\n", __func__, sah)); 2883 KEYDBG(KEY_DATA, kdebug_secash(sah, NULL)); 2884 return (sah); 2885 } 2886 2887 static void 2888 key_freesah(struct secashead **psah) 2889 { 2890 struct secashead *sah = *psah; 2891 2892 CURVNET_ASSERT_SET(); 2893 2894 if (SAH_DELREF(sah) == 0) 2895 return; 2896 2897 KEYDBG(KEY_STAMP, 2898 printf("%s: last reference to SAH(%p)\n", __func__, sah)); 2899 KEYDBG(KEY_DATA, kdebug_secash(sah, NULL)); 2900 2901 *psah = NULL; 2902 key_delsah(sah); 2903 } 2904 2905 static void 2906 key_delsah(struct secashead *sah) 2907 { 2908 IPSEC_ASSERT(sah != NULL, ("NULL sah")); 2909 IPSEC_ASSERT(sah->state == SADB_SASTATE_DEAD, 2910 ("Attempt to free non DEAD SAH %p", sah)); 2911 IPSEC_ASSERT(TAILQ_EMPTY(&sah->savtree_larval), 2912 ("Attempt to free SAH %p with LARVAL SA", sah)); 2913 IPSEC_ASSERT(TAILQ_EMPTY(&sah->savtree_alive), 2914 ("Attempt to free SAH %p with ALIVE SA", sah)); 2915 2916 free(sah, M_IPSEC_SAH); 2917 } 2918 2919 /* 2920 * allocating a new SA for key_add() and key_getspi() call, 2921 * and copy the values of mhp into new buffer. 2922 * When SAD message type is SADB_GETSPI set SA state to LARVAL. 2923 * For SADB_ADD create and initialize SA with MATURE state. 2924 * OUT: NULL : fail 2925 * others : pointer to new secasvar. 2926 */ 2927 static struct secasvar * 2928 key_newsav(const struct sadb_msghdr *mhp, struct secasindex *saidx, 2929 uint32_t spi, int *errp) 2930 { 2931 struct secashead *sah; 2932 struct secasvar *sav; 2933 int isnew; 2934 2935 IPSEC_ASSERT(mhp != NULL, ("null msghdr")); 2936 IPSEC_ASSERT(mhp->msg != NULL, ("null msg")); 2937 IPSEC_ASSERT(mhp->msg->sadb_msg_type == SADB_GETSPI || 2938 mhp->msg->sadb_msg_type == SADB_ADD, ("wrong message type")); 2939 2940 sav = NULL; 2941 sah = NULL; 2942 /* check SPI value */ 2943 switch (saidx->proto) { 2944 case IPPROTO_ESP: 2945 case IPPROTO_AH: 2946 /* 2947 * RFC 4302, 2.4. Security Parameters Index (SPI), SPI values 2948 * 1-255 reserved by IANA for future use, 2949 * 0 for implementation specific, local use. 2950 */ 2951 if (ntohl(spi) <= 255) { 2952 ipseclog((LOG_DEBUG, "%s: illegal range of SPI %u.\n", 2953 __func__, ntohl(spi))); 2954 *errp = EINVAL; 2955 goto done; 2956 } 2957 break; 2958 } 2959 2960 sav = malloc(sizeof(struct secasvar), M_IPSEC_SA, M_NOWAIT | M_ZERO); 2961 if (sav == NULL) { 2962 *errp = ENOBUFS; 2963 goto done; 2964 } 2965 sav->lock = malloc_aligned(max(sizeof(struct rmlock), 2966 CACHE_LINE_SIZE), CACHE_LINE_SIZE, M_IPSEC_MISC, 2967 M_NOWAIT | M_ZERO); 2968 if (sav->lock == NULL) { 2969 *errp = ENOBUFS; 2970 goto done; 2971 } 2972 rm_init(sav->lock, "ipsec association"); 2973 sav->lft_c = uma_zalloc_pcpu(ipsec_key_lft_zone, M_NOWAIT | M_ZERO); 2974 if (sav->lft_c == NULL) { 2975 *errp = ENOBUFS; 2976 goto done; 2977 } 2978 2979 sav->spi = spi; 2980 sav->seq = mhp->msg->sadb_msg_seq; 2981 sav->state = SADB_SASTATE_LARVAL; 2982 sav->pid = (pid_t)mhp->msg->sadb_msg_pid; 2983 SAV_INITREF(sav); 2984 again: 2985 sah = key_getsah(saidx); 2986 if (sah == NULL) { 2987 /* create a new SA index */ 2988 sah = key_newsah(saidx); 2989 if (sah == NULL) { 2990 ipseclog((LOG_DEBUG, 2991 "%s: No more memory.\n", __func__)); 2992 *errp = ENOBUFS; 2993 goto done; 2994 } 2995 isnew = 1; 2996 } else 2997 isnew = 0; 2998 2999 sav->sah = sah; 3000 if (mhp->msg->sadb_msg_type == SADB_GETSPI) { 3001 sav->created = time_second; 3002 } else if (sav->state == SADB_SASTATE_LARVAL) { 3003 /* 3004 * Do not call key_setsaval() second time in case 3005 * of `goto again`. We will have MATURE state. 3006 */ 3007 *errp = key_setsaval(sav, mhp); 3008 if (*errp != 0) 3009 goto done; 3010 sav->state = SADB_SASTATE_MATURE; 3011 } 3012 3013 SAHTREE_WLOCK(); 3014 /* 3015 * Check that existing SAH wasn't unlinked. 3016 * Since we didn't hold the SAHTREE lock, it is possible, 3017 * that callout handler or key_flush() or key_delete() could 3018 * unlink this SAH. 3019 */ 3020 if (isnew == 0 && sah->state == SADB_SASTATE_DEAD) { 3021 SAHTREE_WUNLOCK(); 3022 key_freesah(&sah); /* reference from key_getsah() */ 3023 goto again; 3024 } 3025 if (isnew != 0) { 3026 /* 3027 * Add new SAH into SADB. 3028 * 3029 * XXXAE: we can serialize key_add and key_getspi calls, so 3030 * several threads will not fight in the race. 3031 * Otherwise we should check under SAHTREE lock, that this 3032 * SAH would not added twice. 3033 */ 3034 TAILQ_INSERT_HEAD(&V_sahtree, sah, chain); 3035 /* Add new SAH into hash by addresses */ 3036 LIST_INSERT_HEAD(SAHADDRHASH_HASH(saidx), sah, addrhash); 3037 /* Now we are linked in the chain */ 3038 sah->state = SADB_SASTATE_MATURE; 3039 /* 3040 * SAV references this new SAH. 3041 * In case of existing SAH we reuse reference 3042 * from key_getsah(). 3043 */ 3044 SAH_ADDREF(sah); 3045 } 3046 /* Link SAV with SAH */ 3047 if (sav->state == SADB_SASTATE_MATURE) 3048 TAILQ_INSERT_HEAD(&sah->savtree_alive, sav, chain); 3049 else 3050 TAILQ_INSERT_HEAD(&sah->savtree_larval, sav, chain); 3051 /* Add SAV into SPI hash */ 3052 LIST_INSERT_HEAD(SAVHASH_HASH(sav->spi), sav, spihash); 3053 SAHTREE_WUNLOCK(); 3054 *errp = 0; /* success */ 3055 done: 3056 if (*errp != 0) { 3057 if (sav != NULL) { 3058 if (sav->lock != NULL) { 3059 rm_destroy(sav->lock); 3060 free(sav->lock, M_IPSEC_MISC); 3061 } 3062 if (sav->lft_c != NULL) 3063 uma_zfree_pcpu(ipsec_key_lft_zone, sav->lft_c); 3064 free(sav, M_IPSEC_SA), sav = NULL; 3065 } 3066 if (sah != NULL) 3067 key_freesah(&sah); 3068 if (*errp == ENOBUFS) { 3069 ipseclog((LOG_DEBUG, "%s: No more memory.\n", 3070 __func__)); 3071 PFKEYSTAT_INC(in_nomem); 3072 } 3073 } 3074 return (sav); 3075 } 3076 3077 /* 3078 * free() SA variable entry. 3079 */ 3080 static void 3081 key_cleansav(struct secasvar *sav) 3082 { 3083 3084 if (sav->natt != NULL) { 3085 free(sav->natt, M_IPSEC_MISC); 3086 sav->natt = NULL; 3087 } 3088 if (sav->flags & SADB_X_EXT_F_CLONED) 3089 return; 3090 if (sav->tdb_xform != NULL) { 3091 sav->tdb_xform->xf_cleanup(sav); 3092 sav->tdb_xform = NULL; 3093 } 3094 if (sav->key_auth != NULL) { 3095 zfree(sav->key_auth->key_data, M_IPSEC_MISC); 3096 free(sav->key_auth, M_IPSEC_MISC); 3097 sav->key_auth = NULL; 3098 } 3099 if (sav->key_enc != NULL) { 3100 zfree(sav->key_enc->key_data, M_IPSEC_MISC); 3101 free(sav->key_enc, M_IPSEC_MISC); 3102 sav->key_enc = NULL; 3103 } 3104 if (sav->replay != NULL) { 3105 mtx_destroy(&sav->replay->lock); 3106 if (sav->replay->bitmap != NULL) 3107 free(sav->replay->bitmap, M_IPSEC_MISC); 3108 free(sav->replay, M_IPSEC_MISC); 3109 sav->replay = NULL; 3110 } 3111 if (sav->lft_h != NULL) { 3112 free(sav->lft_h, M_IPSEC_MISC); 3113 sav->lft_h = NULL; 3114 } 3115 if (sav->lft_s != NULL) { 3116 free(sav->lft_s, M_IPSEC_MISC); 3117 sav->lft_s = NULL; 3118 } 3119 } 3120 3121 /* 3122 * free() SA variable entry. 3123 */ 3124 static void 3125 key_delsav(struct secasvar *sav) 3126 { 3127 IPSEC_ASSERT(sav != NULL, ("null sav")); 3128 IPSEC_ASSERT(sav->state == SADB_SASTATE_DEAD, 3129 ("attempt to free non DEAD SA %p", sav)); 3130 IPSEC_ASSERT(sav->refcnt == 0, ("reference count %u > 0", 3131 sav->refcnt)); 3132 3133 /* 3134 * SA must be unlinked from the chain and hashtbl. 3135 * If SA was cloned, we leave all fields untouched, 3136 * except NAT-T config. 3137 */ 3138 key_cleansav(sav); 3139 if ((sav->flags & SADB_X_EXT_F_CLONED) == 0) { 3140 rm_destroy(sav->lock); 3141 free(sav->lock, M_IPSEC_MISC); 3142 uma_zfree_pcpu(ipsec_key_lft_zone, sav->lft_c); 3143 } 3144 free(sav, M_IPSEC_SA); 3145 } 3146 3147 /* 3148 * search SAH. 3149 * OUT: 3150 * NULL : not found 3151 * others : found, referenced pointer to a SAH. 3152 */ 3153 static struct secashead * 3154 key_getsah(struct secasindex *saidx) 3155 { 3156 SAHTREE_RLOCK_TRACKER; 3157 struct secashead *sah; 3158 3159 SAHTREE_RLOCK(); 3160 LIST_FOREACH(sah, SAHADDRHASH_HASH(saidx), addrhash) { 3161 if (key_cmpsaidx(&sah->saidx, saidx, CMP_MODE_REQID) != 0) { 3162 SAH_ADDREF(sah); 3163 break; 3164 } 3165 } 3166 SAHTREE_RUNLOCK(); 3167 return (sah); 3168 } 3169 3170 /* 3171 * Check not to be duplicated SPI. 3172 * OUT: 3173 * 0 : not found 3174 * 1 : found SA with given SPI. 3175 */ 3176 static int 3177 key_checkspidup(uint32_t spi) 3178 { 3179 SAHTREE_RLOCK_TRACKER; 3180 struct secasvar *sav; 3181 3182 /* Assume SPI is in network byte order */ 3183 SAHTREE_RLOCK(); 3184 LIST_FOREACH(sav, SAVHASH_HASH(spi), spihash) { 3185 if (sav->spi == spi) 3186 break; 3187 } 3188 SAHTREE_RUNLOCK(); 3189 return (sav != NULL); 3190 } 3191 3192 /* 3193 * Search SA by SPI. 3194 * OUT: 3195 * NULL : not found 3196 * others : found, referenced pointer to a SA. 3197 */ 3198 static struct secasvar * 3199 key_getsavbyspi(uint32_t spi) 3200 { 3201 SAHTREE_RLOCK_TRACKER; 3202 struct secasvar *sav; 3203 3204 /* Assume SPI is in network byte order */ 3205 SAHTREE_RLOCK(); 3206 LIST_FOREACH(sav, SAVHASH_HASH(spi), spihash) { 3207 if (sav->spi != spi) 3208 continue; 3209 SAV_ADDREF(sav); 3210 break; 3211 } 3212 SAHTREE_RUNLOCK(); 3213 return (sav); 3214 } 3215 3216 static int 3217 key_updatelifetimes(struct secasvar *sav, const struct sadb_msghdr *mhp) 3218 { 3219 struct seclifetime *lft_h, *lft_s, *tmp; 3220 3221 /* Lifetime extension is optional, check that it is present. */ 3222 if (SADB_CHECKHDR(mhp, SADB_EXT_LIFETIME_HARD) && 3223 SADB_CHECKHDR(mhp, SADB_EXT_LIFETIME_SOFT)) { 3224 /* 3225 * In case of SADB_UPDATE we may need to change 3226 * existing lifetimes. 3227 */ 3228 if (sav->state == SADB_SASTATE_MATURE) { 3229 lft_h = lft_s = NULL; 3230 goto reset; 3231 } 3232 return (0); 3233 } 3234 /* Both HARD and SOFT extensions must present */ 3235 if ((SADB_CHECKHDR(mhp, SADB_EXT_LIFETIME_HARD) && 3236 !SADB_CHECKHDR(mhp, SADB_EXT_LIFETIME_SOFT)) || 3237 (SADB_CHECKHDR(mhp, SADB_EXT_LIFETIME_SOFT) && 3238 !SADB_CHECKHDR(mhp, SADB_EXT_LIFETIME_HARD))) { 3239 ipseclog((LOG_DEBUG, 3240 "%s: invalid message: missing required header.\n", 3241 __func__)); 3242 return (EINVAL); 3243 } 3244 if (SADB_CHECKLEN(mhp, SADB_EXT_LIFETIME_HARD) || 3245 SADB_CHECKLEN(mhp, SADB_EXT_LIFETIME_SOFT)) { 3246 ipseclog((LOG_DEBUG, 3247 "%s: invalid message: wrong header size.\n", __func__)); 3248 return (EINVAL); 3249 } 3250 lft_h = key_dup_lifemsg((const struct sadb_lifetime *) 3251 mhp->ext[SADB_EXT_LIFETIME_HARD], M_IPSEC_MISC); 3252 if (lft_h == NULL) { 3253 PFKEYSTAT_INC(in_nomem); 3254 ipseclog((LOG_DEBUG, "%s: No more memory.\n", __func__)); 3255 return (ENOBUFS); 3256 } 3257 lft_s = key_dup_lifemsg((const struct sadb_lifetime *) 3258 mhp->ext[SADB_EXT_LIFETIME_SOFT], M_IPSEC_MISC); 3259 if (lft_s == NULL) { 3260 PFKEYSTAT_INC(in_nomem); 3261 free(lft_h, M_IPSEC_MISC); 3262 ipseclog((LOG_DEBUG, "%s: No more memory.\n", __func__)); 3263 return (ENOBUFS); 3264 } 3265 reset: 3266 if (sav->state != SADB_SASTATE_LARVAL) { 3267 /* 3268 * key_update() holds reference to this SA, 3269 * so it won't be deleted in meanwhile. 3270 */ 3271 SECASVAR_WLOCK(sav); 3272 tmp = sav->lft_h; 3273 sav->lft_h = lft_h; 3274 lft_h = tmp; 3275 3276 tmp = sav->lft_s; 3277 sav->lft_s = lft_s; 3278 lft_s = tmp; 3279 SECASVAR_WUNLOCK(sav); 3280 if (lft_h != NULL) 3281 free(lft_h, M_IPSEC_MISC); 3282 if (lft_s != NULL) 3283 free(lft_s, M_IPSEC_MISC); 3284 return (0); 3285 } 3286 /* We can update lifetime without holding a lock */ 3287 IPSEC_ASSERT(sav->lft_h == NULL, ("lft_h is already initialized\n")); 3288 IPSEC_ASSERT(sav->lft_s == NULL, ("lft_s is already initialized\n")); 3289 sav->lft_h = lft_h; 3290 sav->lft_s = lft_s; 3291 return (0); 3292 } 3293 3294 /* 3295 * copy SA values from PF_KEY message except *SPI, SEQ, PID and TYPE*. 3296 * You must update these if need. Expects only LARVAL SAs. 3297 * OUT: 0: success. 3298 * !0: failure. 3299 */ 3300 static int 3301 key_setsaval(struct secasvar *sav, const struct sadb_msghdr *mhp) 3302 { 3303 const struct sadb_sa *sa0; 3304 const struct sadb_key *key0; 3305 uint32_t replay; 3306 size_t len; 3307 int error; 3308 3309 IPSEC_ASSERT(mhp != NULL, ("null msghdr")); 3310 IPSEC_ASSERT(mhp->msg != NULL, ("null msg")); 3311 IPSEC_ASSERT(sav->state == SADB_SASTATE_LARVAL, 3312 ("Attempt to update non LARVAL SA")); 3313 3314 /* XXX rewrite */ 3315 error = key_setident(sav->sah, mhp); 3316 if (error != 0) 3317 goto fail; 3318 3319 /* SA */ 3320 if (!SADB_CHECKHDR(mhp, SADB_EXT_SA)) { 3321 if (SADB_CHECKLEN(mhp, SADB_EXT_SA)) { 3322 error = EINVAL; 3323 goto fail; 3324 } 3325 sa0 = (const struct sadb_sa *)mhp->ext[SADB_EXT_SA]; 3326 sav->alg_auth = sa0->sadb_sa_auth; 3327 sav->alg_enc = sa0->sadb_sa_encrypt; 3328 sav->flags = sa0->sadb_sa_flags; 3329 if ((sav->flags & SADB_KEY_FLAGS_MAX) != sav->flags) { 3330 ipseclog((LOG_DEBUG, 3331 "%s: invalid sa_flags 0x%08x.\n", __func__, 3332 sav->flags)); 3333 error = EINVAL; 3334 goto fail; 3335 } 3336 3337 /* Optional replay window */ 3338 replay = 0; 3339 if ((sa0->sadb_sa_flags & SADB_X_EXT_OLD) == 0) 3340 replay = sa0->sadb_sa_replay; 3341 if (!SADB_CHECKHDR(mhp, SADB_X_EXT_SA_REPLAY)) { 3342 if (SADB_CHECKLEN(mhp, SADB_X_EXT_SA_REPLAY)) { 3343 error = EINVAL; 3344 goto fail; 3345 } 3346 replay = ((const struct sadb_x_sa_replay *) 3347 mhp->ext[SADB_X_EXT_SA_REPLAY])->sadb_x_sa_replay_replay; 3348 3349 if (replay > UINT32_MAX - 32) { 3350 ipseclog((LOG_DEBUG, 3351 "%s: replay window too big.\n", __func__)); 3352 error = EINVAL; 3353 goto fail; 3354 } 3355 3356 replay = (replay + 7) >> 3; 3357 } 3358 3359 sav->replay = malloc(sizeof(struct secreplay), M_IPSEC_MISC, 3360 M_NOWAIT | M_ZERO); 3361 if (sav->replay == NULL) { 3362 PFKEYSTAT_INC(in_nomem); 3363 ipseclog((LOG_DEBUG, "%s: No more memory.\n", 3364 __func__)); 3365 error = ENOBUFS; 3366 goto fail; 3367 } 3368 mtx_init(&sav->replay->lock, "ipsec replay", NULL, MTX_DEF); 3369 3370 if (replay != 0) { 3371 /* number of 32b blocks to be allocated */ 3372 uint32_t bitmap_size; 3373 3374 /* RFC 6479: 3375 * - the allocated replay window size must be 3376 * a power of two. 3377 * - use an extra 32b block as a redundant window. 3378 */ 3379 bitmap_size = 1; 3380 while (replay + 4 > bitmap_size) 3381 bitmap_size <<= 1; 3382 bitmap_size = bitmap_size / 4; 3383 3384 sav->replay->bitmap = malloc( 3385 bitmap_size * sizeof(uint32_t), M_IPSEC_MISC, 3386 M_NOWAIT | M_ZERO); 3387 if (sav->replay->bitmap == NULL) { 3388 PFKEYSTAT_INC(in_nomem); 3389 ipseclog((LOG_DEBUG, "%s: No more memory.\n", 3390 __func__)); 3391 error = ENOBUFS; 3392 goto fail; 3393 } 3394 sav->replay->bitmap_size = bitmap_size; 3395 sav->replay->wsize = replay; 3396 } 3397 } 3398 3399 /* Authentication keys */ 3400 if (!SADB_CHECKHDR(mhp, SADB_EXT_KEY_AUTH)) { 3401 if (SADB_CHECKLEN(mhp, SADB_EXT_KEY_AUTH)) { 3402 error = EINVAL; 3403 goto fail; 3404 } 3405 error = 0; 3406 key0 = (const struct sadb_key *)mhp->ext[SADB_EXT_KEY_AUTH]; 3407 len = mhp->extlen[SADB_EXT_KEY_AUTH]; 3408 switch (mhp->msg->sadb_msg_satype) { 3409 case SADB_SATYPE_AH: 3410 case SADB_SATYPE_ESP: 3411 case SADB_X_SATYPE_TCPSIGNATURE: 3412 if (len == PFKEY_ALIGN8(sizeof(struct sadb_key)) && 3413 sav->alg_auth != SADB_X_AALG_NULL) 3414 error = EINVAL; 3415 break; 3416 case SADB_X_SATYPE_IPCOMP: 3417 default: 3418 error = EINVAL; 3419 break; 3420 } 3421 if (error) { 3422 ipseclog((LOG_DEBUG, "%s: invalid key_auth values.\n", 3423 __func__)); 3424 goto fail; 3425 } 3426 3427 sav->key_auth = key_dup_keymsg(key0, len, M_IPSEC_MISC); 3428 if (sav->key_auth == NULL ) { 3429 ipseclog((LOG_DEBUG, "%s: No more memory.\n", 3430 __func__)); 3431 PFKEYSTAT_INC(in_nomem); 3432 error = ENOBUFS; 3433 goto fail; 3434 } 3435 } 3436 3437 /* Encryption key */ 3438 if (!SADB_CHECKHDR(mhp, SADB_EXT_KEY_ENCRYPT)) { 3439 if (SADB_CHECKLEN(mhp, SADB_EXT_KEY_ENCRYPT)) { 3440 error = EINVAL; 3441 goto fail; 3442 } 3443 error = 0; 3444 key0 = (const struct sadb_key *)mhp->ext[SADB_EXT_KEY_ENCRYPT]; 3445 len = mhp->extlen[SADB_EXT_KEY_ENCRYPT]; 3446 switch (mhp->msg->sadb_msg_satype) { 3447 case SADB_SATYPE_ESP: 3448 if (len == PFKEY_ALIGN8(sizeof(struct sadb_key)) && 3449 sav->alg_enc != SADB_EALG_NULL) { 3450 error = EINVAL; 3451 break; 3452 } 3453 sav->key_enc = key_dup_keymsg(key0, len, M_IPSEC_MISC); 3454 if (sav->key_enc == NULL) { 3455 ipseclog((LOG_DEBUG, "%s: No more memory.\n", 3456 __func__)); 3457 PFKEYSTAT_INC(in_nomem); 3458 error = ENOBUFS; 3459 goto fail; 3460 } 3461 break; 3462 case SADB_X_SATYPE_IPCOMP: 3463 if (len != PFKEY_ALIGN8(sizeof(struct sadb_key))) 3464 error = EINVAL; 3465 sav->key_enc = NULL; /*just in case*/ 3466 break; 3467 case SADB_SATYPE_AH: 3468 case SADB_X_SATYPE_TCPSIGNATURE: 3469 default: 3470 error = EINVAL; 3471 break; 3472 } 3473 if (error) { 3474 ipseclog((LOG_DEBUG, "%s: invalid key_enc value.\n", 3475 __func__)); 3476 goto fail; 3477 } 3478 } 3479 3480 /* set iv */ 3481 sav->ivlen = 0; 3482 switch (mhp->msg->sadb_msg_satype) { 3483 case SADB_SATYPE_AH: 3484 if (sav->flags & SADB_X_EXT_DERIV) { 3485 ipseclog((LOG_DEBUG, "%s: invalid flag (derived) " 3486 "given to AH SA.\n", __func__)); 3487 error = EINVAL; 3488 goto fail; 3489 } 3490 if (sav->alg_enc != SADB_EALG_NONE) { 3491 ipseclog((LOG_DEBUG, "%s: protocol and algorithm " 3492 "mismated.\n", __func__)); 3493 error = EINVAL; 3494 goto fail; 3495 } 3496 error = xform_init(sav, XF_AH); 3497 break; 3498 case SADB_SATYPE_ESP: 3499 if ((sav->flags & (SADB_X_EXT_OLD | SADB_X_EXT_DERIV)) == 3500 (SADB_X_EXT_OLD | SADB_X_EXT_DERIV)) { 3501 ipseclog((LOG_DEBUG, "%s: invalid flag (derived) " 3502 "given to old-esp.\n", __func__)); 3503 error = EINVAL; 3504 goto fail; 3505 } 3506 error = xform_init(sav, XF_ESP); 3507 break; 3508 case SADB_X_SATYPE_IPCOMP: 3509 if (sav->alg_auth != SADB_AALG_NONE) { 3510 ipseclog((LOG_DEBUG, "%s: protocol and algorithm " 3511 "mismated.\n", __func__)); 3512 error = EINVAL; 3513 goto fail; 3514 } 3515 if ((sav->flags & SADB_X_EXT_RAWCPI) == 0 && 3516 ntohl(sav->spi) >= 0x10000) { 3517 ipseclog((LOG_DEBUG, "%s: invalid cpi for IPComp.\n", 3518 __func__)); 3519 error = EINVAL; 3520 goto fail; 3521 } 3522 error = xform_init(sav, XF_IPCOMP); 3523 break; 3524 case SADB_X_SATYPE_TCPSIGNATURE: 3525 if (sav->alg_enc != SADB_EALG_NONE) { 3526 ipseclog((LOG_DEBUG, "%s: protocol and algorithm " 3527 "mismated.\n", __func__)); 3528 error = EINVAL; 3529 goto fail; 3530 } 3531 error = xform_init(sav, XF_TCPSIGNATURE); 3532 break; 3533 default: 3534 ipseclog((LOG_DEBUG, "%s: Invalid satype.\n", __func__)); 3535 error = EPROTONOSUPPORT; 3536 goto fail; 3537 } 3538 if (error) { 3539 ipseclog((LOG_DEBUG, "%s: unable to initialize SA type %u.\n", 3540 __func__, mhp->msg->sadb_msg_satype)); 3541 goto fail; 3542 } 3543 3544 /* Handle NAT-T headers */ 3545 error = key_setnatt(sav, mhp); 3546 if (error != 0) 3547 goto fail; 3548 3549 /* Initialize lifetime for CURRENT */ 3550 sav->firstused = 0; 3551 sav->created = time_second; 3552 3553 /* lifetimes for HARD and SOFT */ 3554 error = key_updatelifetimes(sav, mhp); 3555 if (error == 0) 3556 return (0); 3557 fail: 3558 key_cleansav(sav); 3559 return (error); 3560 } 3561 3562 /* 3563 * subroutine for SADB_GET and SADB_DUMP. 3564 */ 3565 static struct mbuf * 3566 key_setdumpsa(struct secasvar *sav, uint8_t type, uint8_t satype, 3567 uint32_t seq, uint32_t pid) 3568 { 3569 struct seclifetime lft_c; 3570 struct mbuf *result = NULL, *tres = NULL, *m; 3571 int i, dumporder[] = { 3572 SADB_EXT_SA, SADB_X_EXT_SA2, SADB_X_EXT_SA_REPLAY, 3573 SADB_EXT_LIFETIME_HARD, SADB_EXT_LIFETIME_SOFT, 3574 SADB_EXT_LIFETIME_CURRENT, SADB_EXT_ADDRESS_SRC, 3575 SADB_EXT_ADDRESS_DST, SADB_EXT_ADDRESS_PROXY, 3576 SADB_EXT_KEY_AUTH, SADB_EXT_KEY_ENCRYPT, 3577 SADB_EXT_IDENTITY_SRC, SADB_EXT_IDENTITY_DST, 3578 SADB_EXT_SENSITIVITY, 3579 SADB_X_EXT_NAT_T_TYPE, 3580 SADB_X_EXT_NAT_T_SPORT, SADB_X_EXT_NAT_T_DPORT, 3581 SADB_X_EXT_NAT_T_OAI, SADB_X_EXT_NAT_T_OAR, 3582 SADB_X_EXT_NAT_T_FRAG, 3583 }; 3584 uint32_t replay_count; 3585 3586 SECASVAR_RLOCK_TRACKER; 3587 3588 m = key_setsadbmsg(type, 0, satype, seq, pid, sav->refcnt); 3589 if (m == NULL) 3590 goto fail; 3591 result = m; 3592 3593 for (i = nitems(dumporder) - 1; i >= 0; i--) { 3594 m = NULL; 3595 switch (dumporder[i]) { 3596 case SADB_EXT_SA: 3597 m = key_setsadbsa(sav); 3598 if (!m) 3599 goto fail; 3600 break; 3601 3602 case SADB_X_EXT_SA2: { 3603 SECASVAR_RLOCK(sav); 3604 replay_count = sav->replay ? sav->replay->count : 0; 3605 SECASVAR_RUNLOCK(sav); 3606 m = key_setsadbxsa2(sav->sah->saidx.mode, replay_count, 3607 sav->sah->saidx.reqid); 3608 if (!m) 3609 goto fail; 3610 break; 3611 } 3612 case SADB_X_EXT_SA_REPLAY: 3613 if (sav->replay == NULL || 3614 sav->replay->wsize <= UINT8_MAX) 3615 continue; 3616 3617 m = key_setsadbxsareplay(sav->replay->wsize); 3618 if (!m) 3619 goto fail; 3620 break; 3621 3622 case SADB_EXT_ADDRESS_SRC: 3623 m = key_setsadbaddr(SADB_EXT_ADDRESS_SRC, 3624 &sav->sah->saidx.src.sa, 3625 FULLMASK, IPSEC_ULPROTO_ANY); 3626 if (!m) 3627 goto fail; 3628 break; 3629 3630 case SADB_EXT_ADDRESS_DST: 3631 m = key_setsadbaddr(SADB_EXT_ADDRESS_DST, 3632 &sav->sah->saidx.dst.sa, 3633 FULLMASK, IPSEC_ULPROTO_ANY); 3634 if (!m) 3635 goto fail; 3636 break; 3637 3638 case SADB_EXT_KEY_AUTH: 3639 if (!sav->key_auth) 3640 continue; 3641 m = key_setkey(sav->key_auth, SADB_EXT_KEY_AUTH); 3642 if (!m) 3643 goto fail; 3644 break; 3645 3646 case SADB_EXT_KEY_ENCRYPT: 3647 if (!sav->key_enc) 3648 continue; 3649 m = key_setkey(sav->key_enc, SADB_EXT_KEY_ENCRYPT); 3650 if (!m) 3651 goto fail; 3652 break; 3653 3654 case SADB_EXT_LIFETIME_CURRENT: 3655 lft_c.addtime = sav->created; 3656 lft_c.allocations = (uint32_t)counter_u64_fetch( 3657 sav->lft_c_allocations); 3658 lft_c.bytes = counter_u64_fetch(sav->lft_c_bytes); 3659 lft_c.usetime = sav->firstused; 3660 m = key_setlifetime(&lft_c, SADB_EXT_LIFETIME_CURRENT); 3661 if (!m) 3662 goto fail; 3663 break; 3664 3665 case SADB_EXT_LIFETIME_HARD: 3666 if (!sav->lft_h) 3667 continue; 3668 m = key_setlifetime(sav->lft_h, 3669 SADB_EXT_LIFETIME_HARD); 3670 if (!m) 3671 goto fail; 3672 break; 3673 3674 case SADB_EXT_LIFETIME_SOFT: 3675 if (!sav->lft_s) 3676 continue; 3677 m = key_setlifetime(sav->lft_s, 3678 SADB_EXT_LIFETIME_SOFT); 3679 3680 if (!m) 3681 goto fail; 3682 break; 3683 3684 case SADB_X_EXT_NAT_T_TYPE: 3685 if (sav->natt == NULL) 3686 continue; 3687 m = key_setsadbxtype(UDP_ENCAP_ESPINUDP); 3688 if (!m) 3689 goto fail; 3690 break; 3691 3692 case SADB_X_EXT_NAT_T_DPORT: 3693 if (sav->natt == NULL) 3694 continue; 3695 m = key_setsadbxport(sav->natt->dport, 3696 SADB_X_EXT_NAT_T_DPORT); 3697 if (!m) 3698 goto fail; 3699 break; 3700 3701 case SADB_X_EXT_NAT_T_SPORT: 3702 if (sav->natt == NULL) 3703 continue; 3704 m = key_setsadbxport(sav->natt->sport, 3705 SADB_X_EXT_NAT_T_SPORT); 3706 if (!m) 3707 goto fail; 3708 break; 3709 3710 case SADB_X_EXT_NAT_T_OAI: 3711 if (sav->natt == NULL || 3712 (sav->natt->flags & IPSEC_NATT_F_OAI) == 0) 3713 continue; 3714 m = key_setsadbaddr(SADB_X_EXT_NAT_T_OAI, 3715 &sav->natt->oai.sa, FULLMASK, IPSEC_ULPROTO_ANY); 3716 if (!m) 3717 goto fail; 3718 break; 3719 case SADB_X_EXT_NAT_T_OAR: 3720 if (sav->natt == NULL || 3721 (sav->natt->flags & IPSEC_NATT_F_OAR) == 0) 3722 continue; 3723 m = key_setsadbaddr(SADB_X_EXT_NAT_T_OAR, 3724 &sav->natt->oar.sa, FULLMASK, IPSEC_ULPROTO_ANY); 3725 if (!m) 3726 goto fail; 3727 break; 3728 case SADB_X_EXT_NAT_T_FRAG: 3729 /* We do not (yet) support those. */ 3730 continue; 3731 3732 case SADB_EXT_ADDRESS_PROXY: 3733 case SADB_EXT_IDENTITY_SRC: 3734 case SADB_EXT_IDENTITY_DST: 3735 /* XXX: should we brought from SPD ? */ 3736 case SADB_EXT_SENSITIVITY: 3737 default: 3738 continue; 3739 } 3740 3741 if (!m) 3742 goto fail; 3743 if (tres) 3744 m_cat(m, tres); 3745 tres = m; 3746 } 3747 3748 m_cat(result, tres); 3749 tres = NULL; 3750 if (result->m_len < sizeof(struct sadb_msg)) { 3751 result = m_pullup(result, sizeof(struct sadb_msg)); 3752 if (result == NULL) 3753 goto fail; 3754 } 3755 3756 result->m_pkthdr.len = 0; 3757 for (m = result; m; m = m->m_next) 3758 result->m_pkthdr.len += m->m_len; 3759 3760 mtod(result, struct sadb_msg *)->sadb_msg_len = 3761 PFKEY_UNIT64(result->m_pkthdr.len); 3762 3763 return result; 3764 3765 fail: 3766 m_freem(result); 3767 m_freem(tres); 3768 return NULL; 3769 } 3770 3771 /* 3772 * set data into sadb_msg. 3773 */ 3774 static struct mbuf * 3775 key_setsadbmsg(u_int8_t type, u_int16_t tlen, u_int8_t satype, u_int32_t seq, 3776 pid_t pid, u_int16_t reserved) 3777 { 3778 struct mbuf *m; 3779 struct sadb_msg *p; 3780 int len; 3781 3782 len = PFKEY_ALIGN8(sizeof(struct sadb_msg)); 3783 if (len > MCLBYTES) 3784 return NULL; 3785 MGETHDR(m, M_NOWAIT, MT_DATA); 3786 if (m && len > MHLEN) { 3787 if (!(MCLGET(m, M_NOWAIT))) { 3788 m_freem(m); 3789 m = NULL; 3790 } 3791 } 3792 if (!m) 3793 return NULL; 3794 m->m_pkthdr.len = m->m_len = len; 3795 m->m_next = NULL; 3796 3797 p = mtod(m, struct sadb_msg *); 3798 3799 bzero(p, len); 3800 p->sadb_msg_version = PF_KEY_V2; 3801 p->sadb_msg_type = type; 3802 p->sadb_msg_errno = 0; 3803 p->sadb_msg_satype = satype; 3804 p->sadb_msg_len = PFKEY_UNIT64(tlen); 3805 p->sadb_msg_reserved = reserved; 3806 p->sadb_msg_seq = seq; 3807 p->sadb_msg_pid = (u_int32_t)pid; 3808 3809 return m; 3810 } 3811 3812 /* 3813 * copy secasvar data into sadb_address. 3814 */ 3815 static struct mbuf * 3816 key_setsadbsa(struct secasvar *sav) 3817 { 3818 struct mbuf *m; 3819 struct sadb_sa *p; 3820 int len; 3821 3822 len = PFKEY_ALIGN8(sizeof(struct sadb_sa)); 3823 m = m_get2(len, M_NOWAIT, MT_DATA, 0); 3824 if (m == NULL) 3825 return (NULL); 3826 m_align(m, len); 3827 m->m_len = len; 3828 p = mtod(m, struct sadb_sa *); 3829 bzero(p, len); 3830 p->sadb_sa_len = PFKEY_UNIT64(len); 3831 p->sadb_sa_exttype = SADB_EXT_SA; 3832 p->sadb_sa_spi = sav->spi; 3833 p->sadb_sa_replay = sav->replay ? 3834 (sav->replay->wsize > UINT8_MAX ? UINT8_MAX : 3835 sav->replay->wsize): 0; 3836 p->sadb_sa_state = sav->state; 3837 p->sadb_sa_auth = sav->alg_auth; 3838 p->sadb_sa_encrypt = sav->alg_enc; 3839 p->sadb_sa_flags = sav->flags & SADB_KEY_FLAGS_MAX; 3840 return (m); 3841 } 3842 3843 /* 3844 * set data into sadb_address. 3845 */ 3846 static struct mbuf * 3847 key_setsadbaddr(u_int16_t exttype, const struct sockaddr *saddr, 3848 u_int8_t prefixlen, u_int16_t ul_proto) 3849 { 3850 struct mbuf *m; 3851 struct sadb_address *p; 3852 size_t len; 3853 3854 len = PFKEY_ALIGN8(sizeof(struct sadb_address)) + 3855 PFKEY_ALIGN8(saddr->sa_len); 3856 m = m_get2(len, M_NOWAIT, MT_DATA, 0); 3857 if (m == NULL) 3858 return (NULL); 3859 m_align(m, len); 3860 m->m_len = len; 3861 p = mtod(m, struct sadb_address *); 3862 3863 bzero(p, len); 3864 p->sadb_address_len = PFKEY_UNIT64(len); 3865 p->sadb_address_exttype = exttype; 3866 p->sadb_address_proto = ul_proto; 3867 if (prefixlen == FULLMASK) { 3868 switch (saddr->sa_family) { 3869 case AF_INET: 3870 prefixlen = sizeof(struct in_addr) << 3; 3871 break; 3872 case AF_INET6: 3873 prefixlen = sizeof(struct in6_addr) << 3; 3874 break; 3875 default: 3876 ; /*XXX*/ 3877 } 3878 } 3879 p->sadb_address_prefixlen = prefixlen; 3880 p->sadb_address_reserved = 0; 3881 3882 bcopy(saddr, 3883 mtod(m, caddr_t) + PFKEY_ALIGN8(sizeof(struct sadb_address)), 3884 saddr->sa_len); 3885 3886 return m; 3887 } 3888 3889 /* 3890 * set data into sadb_x_sa2. 3891 */ 3892 static struct mbuf * 3893 key_setsadbxsa2(u_int8_t mode, u_int32_t seq, u_int32_t reqid) 3894 { 3895 struct mbuf *m; 3896 struct sadb_x_sa2 *p; 3897 size_t len; 3898 3899 len = PFKEY_ALIGN8(sizeof(struct sadb_x_sa2)); 3900 m = m_get2(len, M_NOWAIT, MT_DATA, 0); 3901 if (m == NULL) 3902 return (NULL); 3903 m_align(m, len); 3904 m->m_len = len; 3905 p = mtod(m, struct sadb_x_sa2 *); 3906 3907 bzero(p, len); 3908 p->sadb_x_sa2_len = PFKEY_UNIT64(len); 3909 p->sadb_x_sa2_exttype = SADB_X_EXT_SA2; 3910 p->sadb_x_sa2_mode = mode; 3911 p->sadb_x_sa2_reserved1 = 0; 3912 p->sadb_x_sa2_reserved2 = 0; 3913 p->sadb_x_sa2_sequence = seq; 3914 p->sadb_x_sa2_reqid = reqid; 3915 3916 return m; 3917 } 3918 3919 /* 3920 * Set data into sadb_x_sa_replay. 3921 */ 3922 static struct mbuf * 3923 key_setsadbxsareplay(u_int32_t replay) 3924 { 3925 struct mbuf *m; 3926 struct sadb_x_sa_replay *p; 3927 size_t len; 3928 3929 len = PFKEY_ALIGN8(sizeof(struct sadb_x_sa_replay)); 3930 m = m_get2(len, M_NOWAIT, MT_DATA, 0); 3931 if (m == NULL) 3932 return (NULL); 3933 m_align(m, len); 3934 m->m_len = len; 3935 p = mtod(m, struct sadb_x_sa_replay *); 3936 3937 bzero(p, len); 3938 p->sadb_x_sa_replay_len = PFKEY_UNIT64(len); 3939 p->sadb_x_sa_replay_exttype = SADB_X_EXT_SA_REPLAY; 3940 p->sadb_x_sa_replay_replay = (replay << 3); 3941 3942 return m; 3943 } 3944 3945 /* 3946 * Set a type in sadb_x_nat_t_type. 3947 */ 3948 static struct mbuf * 3949 key_setsadbxtype(u_int16_t type) 3950 { 3951 struct mbuf *m; 3952 size_t len; 3953 struct sadb_x_nat_t_type *p; 3954 3955 len = PFKEY_ALIGN8(sizeof(struct sadb_x_nat_t_type)); 3956 3957 m = m_get2(len, M_NOWAIT, MT_DATA, 0); 3958 if (m == NULL) 3959 return (NULL); 3960 m_align(m, len); 3961 m->m_len = len; 3962 p = mtod(m, struct sadb_x_nat_t_type *); 3963 3964 bzero(p, len); 3965 p->sadb_x_nat_t_type_len = PFKEY_UNIT64(len); 3966 p->sadb_x_nat_t_type_exttype = SADB_X_EXT_NAT_T_TYPE; 3967 p->sadb_x_nat_t_type_type = type; 3968 3969 return (m); 3970 } 3971 /* 3972 * Set a port in sadb_x_nat_t_port. 3973 * In contrast to default RFC 2367 behaviour, port is in network byte order. 3974 */ 3975 static struct mbuf * 3976 key_setsadbxport(u_int16_t port, u_int16_t type) 3977 { 3978 struct mbuf *m; 3979 size_t len; 3980 struct sadb_x_nat_t_port *p; 3981 3982 len = PFKEY_ALIGN8(sizeof(struct sadb_x_nat_t_port)); 3983 3984 m = m_get2(len, M_NOWAIT, MT_DATA, 0); 3985 if (m == NULL) 3986 return (NULL); 3987 m_align(m, len); 3988 m->m_len = len; 3989 p = mtod(m, struct sadb_x_nat_t_port *); 3990 3991 bzero(p, len); 3992 p->sadb_x_nat_t_port_len = PFKEY_UNIT64(len); 3993 p->sadb_x_nat_t_port_exttype = type; 3994 p->sadb_x_nat_t_port_port = port; 3995 3996 return (m); 3997 } 3998 3999 /* 4000 * Get port from sockaddr. Port is in network byte order. 4001 */ 4002 uint16_t 4003 key_portfromsaddr(struct sockaddr *sa) 4004 { 4005 4006 switch (sa->sa_family) { 4007 #ifdef INET 4008 case AF_INET: 4009 return ((struct sockaddr_in *)sa)->sin_port; 4010 #endif 4011 #ifdef INET6 4012 case AF_INET6: 4013 return ((struct sockaddr_in6 *)sa)->sin6_port; 4014 #endif 4015 } 4016 return (0); 4017 } 4018 4019 /* 4020 * Set port in struct sockaddr. Port is in network byte order. 4021 */ 4022 void 4023 key_porttosaddr(struct sockaddr *sa, uint16_t port) 4024 { 4025 4026 switch (sa->sa_family) { 4027 #ifdef INET 4028 case AF_INET: 4029 ((struct sockaddr_in *)sa)->sin_port = port; 4030 break; 4031 #endif 4032 #ifdef INET6 4033 case AF_INET6: 4034 ((struct sockaddr_in6 *)sa)->sin6_port = port; 4035 break; 4036 #endif 4037 default: 4038 ipseclog((LOG_DEBUG, "%s: unexpected address family %d.\n", 4039 __func__, sa->sa_family)); 4040 break; 4041 } 4042 } 4043 4044 /* 4045 * set data into sadb_x_policy 4046 */ 4047 static struct mbuf * 4048 key_setsadbxpolicy(u_int16_t type, u_int8_t dir, u_int32_t id, u_int32_t priority) 4049 { 4050 struct mbuf *m; 4051 struct sadb_x_policy *p; 4052 size_t len; 4053 4054 len = PFKEY_ALIGN8(sizeof(struct sadb_x_policy)); 4055 m = m_get2(len, M_NOWAIT, MT_DATA, 0); 4056 if (m == NULL) 4057 return (NULL); 4058 m_align(m, len); 4059 m->m_len = len; 4060 p = mtod(m, struct sadb_x_policy *); 4061 4062 bzero(p, len); 4063 p->sadb_x_policy_len = PFKEY_UNIT64(len); 4064 p->sadb_x_policy_exttype = SADB_X_EXT_POLICY; 4065 p->sadb_x_policy_type = type; 4066 p->sadb_x_policy_dir = dir; 4067 p->sadb_x_policy_id = id; 4068 p->sadb_x_policy_priority = priority; 4069 4070 return m; 4071 } 4072 4073 /* %%% utilities */ 4074 /* Take a key message (sadb_key) from the socket and turn it into one 4075 * of the kernel's key structures (seckey). 4076 * 4077 * IN: pointer to the src 4078 * OUT: NULL no more memory 4079 */ 4080 struct seckey * 4081 key_dup_keymsg(const struct sadb_key *src, size_t len, 4082 struct malloc_type *type) 4083 { 4084 struct seckey *dst; 4085 4086 dst = malloc(sizeof(*dst), type, M_NOWAIT); 4087 if (dst != NULL) { 4088 dst->bits = src->sadb_key_bits; 4089 dst->key_data = malloc(len, type, M_NOWAIT); 4090 if (dst->key_data != NULL) { 4091 bcopy((const char *)(src + 1), dst->key_data, len); 4092 } else { 4093 ipseclog((LOG_DEBUG, "%s: No more memory.\n", 4094 __func__)); 4095 free(dst, type); 4096 dst = NULL; 4097 } 4098 } else { 4099 ipseclog((LOG_DEBUG, "%s: No more memory.\n", 4100 __func__)); 4101 } 4102 return (dst); 4103 } 4104 4105 /* Take a lifetime message (sadb_lifetime) passed in on a socket and 4106 * turn it into one of the kernel's lifetime structures (seclifetime). 4107 * 4108 * IN: pointer to the destination, source and malloc type 4109 * OUT: NULL, no more memory 4110 */ 4111 4112 static struct seclifetime * 4113 key_dup_lifemsg(const struct sadb_lifetime *src, struct malloc_type *type) 4114 { 4115 struct seclifetime *dst; 4116 4117 dst = malloc(sizeof(*dst), type, M_NOWAIT); 4118 if (dst == NULL) { 4119 ipseclog((LOG_DEBUG, "%s: No more memory.\n", __func__)); 4120 return (NULL); 4121 } 4122 dst->allocations = src->sadb_lifetime_allocations; 4123 dst->bytes = src->sadb_lifetime_bytes; 4124 dst->addtime = src->sadb_lifetime_addtime; 4125 dst->usetime = src->sadb_lifetime_usetime; 4126 return (dst); 4127 } 4128 4129 /* 4130 * compare two secasindex structure. 4131 * flag can specify to compare 2 saidxes. 4132 * compare two secasindex structure without both mode and reqid. 4133 * don't compare port. 4134 * IN: 4135 * saidx0: source, it can be in SAD. 4136 * saidx1: object. 4137 * OUT: 4138 * 1 : equal 4139 * 0 : not equal 4140 */ 4141 static int 4142 key_cmpsaidx(const struct secasindex *saidx0, const struct secasindex *saidx1, 4143 int flag) 4144 { 4145 4146 /* sanity */ 4147 if (saidx0 == NULL && saidx1 == NULL) 4148 return 1; 4149 4150 if (saidx0 == NULL || saidx1 == NULL) 4151 return 0; 4152 4153 if (saidx0->proto != saidx1->proto) 4154 return 0; 4155 4156 if (flag == CMP_EXACTLY) { 4157 if (saidx0->mode != saidx1->mode) 4158 return 0; 4159 if (saidx0->reqid != saidx1->reqid) 4160 return 0; 4161 if (bcmp(&saidx0->src, &saidx1->src, 4162 saidx0->src.sa.sa_len) != 0 || 4163 bcmp(&saidx0->dst, &saidx1->dst, 4164 saidx0->dst.sa.sa_len) != 0) 4165 return 0; 4166 } else { 4167 /* CMP_MODE_REQID, CMP_REQID, CMP_HEAD */ 4168 if (flag == CMP_MODE_REQID || flag == CMP_REQID) { 4169 /* 4170 * If reqid of SPD is non-zero, unique SA is required. 4171 * The result must be of same reqid in this case. 4172 */ 4173 if (saidx1->reqid != 0 && 4174 saidx0->reqid != saidx1->reqid) 4175 return 0; 4176 } 4177 4178 if (flag == CMP_MODE_REQID) { 4179 if (saidx0->mode != IPSEC_MODE_ANY 4180 && saidx0->mode != saidx1->mode) 4181 return 0; 4182 } 4183 4184 if (key_sockaddrcmp(&saidx0->src.sa, &saidx1->src.sa, 0) != 0) 4185 return 0; 4186 if (key_sockaddrcmp(&saidx0->dst.sa, &saidx1->dst.sa, 0) != 0) 4187 return 0; 4188 } 4189 4190 return 1; 4191 } 4192 4193 /* 4194 * compare two secindex structure exactly. 4195 * IN: 4196 * spidx0: source, it is often in SPD. 4197 * spidx1: object, it is often from PFKEY message. 4198 * OUT: 4199 * 1 : equal 4200 * 0 : not equal 4201 */ 4202 static int 4203 key_cmpspidx_exactly(struct secpolicyindex *spidx0, 4204 struct secpolicyindex *spidx1) 4205 { 4206 /* sanity */ 4207 if (spidx0 == NULL && spidx1 == NULL) 4208 return 1; 4209 4210 if (spidx0 == NULL || spidx1 == NULL) 4211 return 0; 4212 4213 if (spidx0->prefs != spidx1->prefs 4214 || spidx0->prefd != spidx1->prefd 4215 || spidx0->ul_proto != spidx1->ul_proto 4216 || spidx0->dir != spidx1->dir) 4217 return 0; 4218 4219 return key_sockaddrcmp(&spidx0->src.sa, &spidx1->src.sa, 1) == 0 && 4220 key_sockaddrcmp(&spidx0->dst.sa, &spidx1->dst.sa, 1) == 0; 4221 } 4222 4223 /* 4224 * compare two secindex structure with mask. 4225 * IN: 4226 * spidx0: source, it is often in SPD. 4227 * spidx1: object, it is often from IP header. 4228 * OUT: 4229 * 1 : equal 4230 * 0 : not equal 4231 */ 4232 static int 4233 key_cmpspidx_withmask(struct secpolicyindex *spidx0, 4234 struct secpolicyindex *spidx1) 4235 { 4236 /* sanity */ 4237 if (spidx0 == NULL && spidx1 == NULL) 4238 return 1; 4239 4240 if (spidx0 == NULL || spidx1 == NULL) 4241 return 0; 4242 4243 if (spidx0->src.sa.sa_family != spidx1->src.sa.sa_family || 4244 spidx0->dst.sa.sa_family != spidx1->dst.sa.sa_family || 4245 spidx0->src.sa.sa_len != spidx1->src.sa.sa_len || 4246 spidx0->dst.sa.sa_len != spidx1->dst.sa.sa_len) 4247 return 0; 4248 4249 /* if spidx.ul_proto == IPSEC_ULPROTO_ANY, ignore. */ 4250 if (spidx0->ul_proto != (u_int16_t)IPSEC_ULPROTO_ANY 4251 && spidx0->ul_proto != spidx1->ul_proto) 4252 return 0; 4253 4254 switch (spidx0->src.sa.sa_family) { 4255 case AF_INET: 4256 if (spidx0->src.sin.sin_port != IPSEC_PORT_ANY 4257 && spidx0->src.sin.sin_port != spidx1->src.sin.sin_port) 4258 return 0; 4259 if (!key_bbcmp(&spidx0->src.sin.sin_addr, 4260 &spidx1->src.sin.sin_addr, spidx0->prefs)) 4261 return 0; 4262 break; 4263 case AF_INET6: 4264 if (spidx0->src.sin6.sin6_port != IPSEC_PORT_ANY 4265 && spidx0->src.sin6.sin6_port != spidx1->src.sin6.sin6_port) 4266 return 0; 4267 /* 4268 * scope_id check. if sin6_scope_id is 0, we regard it 4269 * as a wildcard scope, which matches any scope zone ID. 4270 */ 4271 if (spidx0->src.sin6.sin6_scope_id && 4272 spidx1->src.sin6.sin6_scope_id && 4273 spidx0->src.sin6.sin6_scope_id != spidx1->src.sin6.sin6_scope_id) 4274 return 0; 4275 if (!key_bbcmp(&spidx0->src.sin6.sin6_addr, 4276 &spidx1->src.sin6.sin6_addr, spidx0->prefs)) 4277 return 0; 4278 break; 4279 default: 4280 /* XXX */ 4281 if (bcmp(&spidx0->src, &spidx1->src, spidx0->src.sa.sa_len) != 0) 4282 return 0; 4283 break; 4284 } 4285 4286 switch (spidx0->dst.sa.sa_family) { 4287 case AF_INET: 4288 if (spidx0->dst.sin.sin_port != IPSEC_PORT_ANY 4289 && spidx0->dst.sin.sin_port != spidx1->dst.sin.sin_port) 4290 return 0; 4291 if (!key_bbcmp(&spidx0->dst.sin.sin_addr, 4292 &spidx1->dst.sin.sin_addr, spidx0->prefd)) 4293 return 0; 4294 break; 4295 case AF_INET6: 4296 if (spidx0->dst.sin6.sin6_port != IPSEC_PORT_ANY 4297 && spidx0->dst.sin6.sin6_port != spidx1->dst.sin6.sin6_port) 4298 return 0; 4299 /* 4300 * scope_id check. if sin6_scope_id is 0, we regard it 4301 * as a wildcard scope, which matches any scope zone ID. 4302 */ 4303 if (spidx0->dst.sin6.sin6_scope_id && 4304 spidx1->dst.sin6.sin6_scope_id && 4305 spidx0->dst.sin6.sin6_scope_id != spidx1->dst.sin6.sin6_scope_id) 4306 return 0; 4307 if (!key_bbcmp(&spidx0->dst.sin6.sin6_addr, 4308 &spidx1->dst.sin6.sin6_addr, spidx0->prefd)) 4309 return 0; 4310 break; 4311 default: 4312 /* XXX */ 4313 if (bcmp(&spidx0->dst, &spidx1->dst, spidx0->dst.sa.sa_len) != 0) 4314 return 0; 4315 break; 4316 } 4317 4318 /* XXX Do we check other field ? e.g. flowinfo */ 4319 4320 return 1; 4321 } 4322 4323 #ifdef satosin 4324 #undef satosin 4325 #endif 4326 #define satosin(s) ((const struct sockaddr_in *)s) 4327 #ifdef satosin6 4328 #undef satosin6 4329 #endif 4330 #define satosin6(s) ((const struct sockaddr_in6 *)s) 4331 /* returns 0 on match */ 4332 int 4333 key_sockaddrcmp(const struct sockaddr *sa1, const struct sockaddr *sa2, 4334 int port) 4335 { 4336 if (sa1->sa_family != sa2->sa_family || sa1->sa_len != sa2->sa_len) 4337 return 1; 4338 4339 switch (sa1->sa_family) { 4340 #ifdef INET 4341 case AF_INET: 4342 if (sa1->sa_len != sizeof(struct sockaddr_in)) 4343 return 1; 4344 if (satosin(sa1)->sin_addr.s_addr != 4345 satosin(sa2)->sin_addr.s_addr) { 4346 return 1; 4347 } 4348 if (port && satosin(sa1)->sin_port != satosin(sa2)->sin_port) 4349 return 1; 4350 break; 4351 #endif 4352 #ifdef INET6 4353 case AF_INET6: 4354 if (sa1->sa_len != sizeof(struct sockaddr_in6)) 4355 return 1; /*EINVAL*/ 4356 if (satosin6(sa1)->sin6_scope_id != 4357 satosin6(sa2)->sin6_scope_id) { 4358 return 1; 4359 } 4360 if (!IN6_ARE_ADDR_EQUAL(&satosin6(sa1)->sin6_addr, 4361 &satosin6(sa2)->sin6_addr)) { 4362 return 1; 4363 } 4364 if (port && 4365 satosin6(sa1)->sin6_port != satosin6(sa2)->sin6_port) { 4366 return 1; 4367 } 4368 break; 4369 #endif 4370 default: 4371 if (bcmp(sa1, sa2, sa1->sa_len) != 0) 4372 return 1; 4373 break; 4374 } 4375 4376 return 0; 4377 } 4378 4379 /* returns 0 on match */ 4380 int 4381 key_sockaddrcmp_withmask(const struct sockaddr *sa1, 4382 const struct sockaddr *sa2, size_t mask) 4383 { 4384 if (sa1->sa_family != sa2->sa_family || sa1->sa_len != sa2->sa_len) 4385 return (1); 4386 4387 switch (sa1->sa_family) { 4388 #ifdef INET 4389 case AF_INET: 4390 return (!key_bbcmp(&satosin(sa1)->sin_addr, 4391 &satosin(sa2)->sin_addr, mask)); 4392 #endif 4393 #ifdef INET6 4394 case AF_INET6: 4395 if (satosin6(sa1)->sin6_scope_id != 4396 satosin6(sa2)->sin6_scope_id) 4397 return (1); 4398 return (!key_bbcmp(&satosin6(sa1)->sin6_addr, 4399 &satosin6(sa2)->sin6_addr, mask)); 4400 #endif 4401 } 4402 return (1); 4403 } 4404 #undef satosin 4405 #undef satosin6 4406 4407 /* 4408 * compare two buffers with mask. 4409 * IN: 4410 * addr1: source 4411 * addr2: object 4412 * bits: Number of bits to compare 4413 * OUT: 4414 * 1 : equal 4415 * 0 : not equal 4416 */ 4417 static int 4418 key_bbcmp(const void *a1, const void *a2, u_int bits) 4419 { 4420 const unsigned char *p1 = a1; 4421 const unsigned char *p2 = a2; 4422 4423 /* XXX: This could be considerably faster if we compare a word 4424 * at a time, but it is complicated on LSB Endian machines */ 4425 4426 /* Handle null pointers */ 4427 if (p1 == NULL || p2 == NULL) 4428 return (p1 == p2); 4429 4430 while (bits >= 8) { 4431 if (*p1++ != *p2++) 4432 return 0; 4433 bits -= 8; 4434 } 4435 4436 if (bits > 0) { 4437 u_int8_t mask = ~((1<<(8-bits))-1); 4438 if ((*p1 & mask) != (*p2 & mask)) 4439 return 0; 4440 } 4441 return 1; /* Match! */ 4442 } 4443 4444 static void 4445 key_flush_spd(time_t now) 4446 { 4447 SPTREE_RLOCK_TRACKER; 4448 struct secpolicy_list drainq; 4449 struct secpolicy *sp, *nextsp; 4450 u_int dir; 4451 4452 LIST_INIT(&drainq); 4453 SPTREE_RLOCK(); 4454 for (dir = 0; dir < IPSEC_DIR_MAX; dir++) { 4455 TAILQ_FOREACH(sp, &V_sptree[dir], chain) { 4456 if (sp->lifetime == 0 && sp->validtime == 0) 4457 continue; 4458 if ((sp->lifetime && 4459 now - sp->created > sp->lifetime) || 4460 (sp->validtime && 4461 now - sp->lastused > sp->validtime)) { 4462 /* Hold extra reference to send SPDEXPIRE */ 4463 SP_ADDREF(sp); 4464 LIST_INSERT_HEAD(&drainq, sp, drainq); 4465 } 4466 } 4467 } 4468 SPTREE_RUNLOCK(); 4469 if (LIST_EMPTY(&drainq)) 4470 return; 4471 4472 SPTREE_WLOCK(); 4473 sp = LIST_FIRST(&drainq); 4474 while (sp != NULL) { 4475 nextsp = LIST_NEXT(sp, drainq); 4476 /* Check that SP is still linked */ 4477 if (sp->state != IPSEC_SPSTATE_ALIVE) { 4478 LIST_REMOVE(sp, drainq); 4479 key_freesp(&sp); /* release extra reference */ 4480 sp = nextsp; 4481 continue; 4482 } 4483 TAILQ_REMOVE(&V_sptree[sp->spidx.dir], sp, chain); 4484 V_spd_size--; 4485 LIST_REMOVE(sp, idhash); 4486 sp->state = IPSEC_SPSTATE_DEAD; 4487 sp = nextsp; 4488 } 4489 V_sp_genid++; 4490 SPTREE_WUNLOCK(); 4491 if (SPDCACHE_ENABLED()) 4492 spdcache_clear(); 4493 4494 sp = LIST_FIRST(&drainq); 4495 while (sp != NULL) { 4496 nextsp = LIST_NEXT(sp, drainq); 4497 key_spdexpire(sp); 4498 key_freesp(&sp); /* release extra reference */ 4499 key_freesp(&sp); /* release last reference */ 4500 sp = nextsp; 4501 } 4502 } 4503 4504 static void 4505 key_flush_sad(time_t now) 4506 { 4507 SAHTREE_RLOCK_TRACKER; 4508 struct secashead_list emptyq; 4509 struct secasvar_list drainq, hexpireq, sexpireq, freeq; 4510 struct secashead *sah, *nextsah; 4511 struct secasvar *sav, *nextsav; 4512 4513 SECASVAR_RLOCK_TRACKER; 4514 4515 LIST_INIT(&drainq); 4516 LIST_INIT(&hexpireq); 4517 LIST_INIT(&sexpireq); 4518 LIST_INIT(&emptyq); 4519 4520 SAHTREE_RLOCK(); 4521 TAILQ_FOREACH(sah, &V_sahtree, chain) { 4522 /* Check for empty SAH */ 4523 if (TAILQ_EMPTY(&sah->savtree_larval) && 4524 TAILQ_EMPTY(&sah->savtree_alive)) { 4525 SAH_ADDREF(sah); 4526 LIST_INSERT_HEAD(&emptyq, sah, drainq); 4527 continue; 4528 } 4529 /* Add all stale LARVAL SAs into drainq */ 4530 TAILQ_FOREACH(sav, &sah->savtree_larval, chain) { 4531 if (now - sav->created < V_key_larval_lifetime) 4532 continue; 4533 SAV_ADDREF(sav); 4534 LIST_INSERT_HEAD(&drainq, sav, drainq); 4535 } 4536 TAILQ_FOREACH(sav, &sah->savtree_alive, chain) { 4537 /* lifetimes aren't specified */ 4538 if (sav->lft_h == NULL) 4539 continue; 4540 SECASVAR_RLOCK(sav); 4541 /* 4542 * Check again with lock held, because it may 4543 * be updated by SADB_UPDATE. 4544 */ 4545 if (sav->lft_h == NULL) { 4546 SECASVAR_RUNLOCK(sav); 4547 continue; 4548 } 4549 /* 4550 * RFC 2367: 4551 * HARD lifetimes MUST take precedence over SOFT 4552 * lifetimes, meaning if the HARD and SOFT lifetimes 4553 * are the same, the HARD lifetime will appear on the 4554 * EXPIRE message. 4555 */ 4556 /* check HARD lifetime */ 4557 if ((sav->lft_h->addtime != 0 && 4558 now - sav->created > sav->lft_h->addtime) || 4559 (sav->lft_h->usetime != 0 && sav->firstused && 4560 now - sav->firstused > sav->lft_h->usetime) || 4561 (sav->lft_h->bytes != 0 && counter_u64_fetch( 4562 sav->lft_c_bytes) > sav->lft_h->bytes)) { 4563 SECASVAR_RUNLOCK(sav); 4564 SAV_ADDREF(sav); 4565 LIST_INSERT_HEAD(&hexpireq, sav, drainq); 4566 continue; 4567 } 4568 /* check SOFT lifetime (only for MATURE SAs) */ 4569 if (sav->state == SADB_SASTATE_MATURE && ( 4570 (sav->lft_s->addtime != 0 && 4571 now - sav->created > sav->lft_s->addtime) || 4572 (sav->lft_s->usetime != 0 && sav->firstused && 4573 now - sav->firstused > sav->lft_s->usetime) || 4574 (sav->lft_s->bytes != 0 && counter_u64_fetch( 4575 sav->lft_c_bytes) > sav->lft_s->bytes) || 4576 (!(sav->flags & SADB_X_SAFLAGS_ESN) && 4577 (sav->replay != NULL) && ( 4578 (sav->replay->count > UINT32_80PCT) || 4579 (sav->replay->last > UINT32_80PCT))))) { 4580 SECASVAR_RUNLOCK(sav); 4581 SAV_ADDREF(sav); 4582 LIST_INSERT_HEAD(&sexpireq, sav, drainq); 4583 continue; 4584 } 4585 SECASVAR_RUNLOCK(sav); 4586 } 4587 } 4588 SAHTREE_RUNLOCK(); 4589 4590 if (LIST_EMPTY(&emptyq) && LIST_EMPTY(&drainq) && 4591 LIST_EMPTY(&hexpireq) && LIST_EMPTY(&sexpireq)) 4592 return; 4593 4594 LIST_INIT(&freeq); 4595 SAHTREE_WLOCK(); 4596 /* Unlink stale LARVAL SAs */ 4597 sav = LIST_FIRST(&drainq); 4598 while (sav != NULL) { 4599 nextsav = LIST_NEXT(sav, drainq); 4600 /* Check that SA is still LARVAL */ 4601 if (sav->state != SADB_SASTATE_LARVAL) { 4602 LIST_REMOVE(sav, drainq); 4603 LIST_INSERT_HEAD(&freeq, sav, drainq); 4604 sav = nextsav; 4605 continue; 4606 } 4607 TAILQ_REMOVE(&sav->sah->savtree_larval, sav, chain); 4608 LIST_REMOVE(sav, spihash); 4609 sav->state = SADB_SASTATE_DEAD; 4610 sav = nextsav; 4611 } 4612 /* Unlink all SAs with expired HARD lifetime */ 4613 sav = LIST_FIRST(&hexpireq); 4614 while (sav != NULL) { 4615 nextsav = LIST_NEXT(sav, drainq); 4616 /* Check that SA is not unlinked */ 4617 if (sav->state == SADB_SASTATE_DEAD) { 4618 LIST_REMOVE(sav, drainq); 4619 LIST_INSERT_HEAD(&freeq, sav, drainq); 4620 sav = nextsav; 4621 continue; 4622 } 4623 TAILQ_REMOVE(&sav->sah->savtree_alive, sav, chain); 4624 LIST_REMOVE(sav, spihash); 4625 sav->state = SADB_SASTATE_DEAD; 4626 sav = nextsav; 4627 } 4628 /* Mark all SAs with expired SOFT lifetime as DYING */ 4629 sav = LIST_FIRST(&sexpireq); 4630 while (sav != NULL) { 4631 nextsav = LIST_NEXT(sav, drainq); 4632 /* Check that SA is not unlinked */ 4633 if (sav->state == SADB_SASTATE_DEAD) { 4634 LIST_REMOVE(sav, drainq); 4635 LIST_INSERT_HEAD(&freeq, sav, drainq); 4636 sav = nextsav; 4637 continue; 4638 } 4639 /* 4640 * NOTE: this doesn't change SA order in the chain. 4641 */ 4642 sav->state = SADB_SASTATE_DYING; 4643 sav = nextsav; 4644 } 4645 /* Unlink empty SAHs */ 4646 sah = LIST_FIRST(&emptyq); 4647 while (sah != NULL) { 4648 nextsah = LIST_NEXT(sah, drainq); 4649 /* Check that SAH is still empty and not unlinked */ 4650 if (sah->state == SADB_SASTATE_DEAD || 4651 !TAILQ_EMPTY(&sah->savtree_larval) || 4652 !TAILQ_EMPTY(&sah->savtree_alive)) { 4653 LIST_REMOVE(sah, drainq); 4654 key_freesah(&sah); /* release extra reference */ 4655 sah = nextsah; 4656 continue; 4657 } 4658 TAILQ_REMOVE(&V_sahtree, sah, chain); 4659 LIST_REMOVE(sah, addrhash); 4660 sah->state = SADB_SASTATE_DEAD; 4661 sah = nextsah; 4662 } 4663 SAHTREE_WUNLOCK(); 4664 4665 /* Send SPDEXPIRE messages */ 4666 sav = LIST_FIRST(&hexpireq); 4667 while (sav != NULL) { 4668 nextsav = LIST_NEXT(sav, drainq); 4669 key_expire(sav, 1); 4670 key_freesah(&sav->sah); /* release reference from SAV */ 4671 key_freesav(&sav); /* release extra reference */ 4672 key_freesav(&sav); /* release last reference */ 4673 sav = nextsav; 4674 } 4675 sav = LIST_FIRST(&sexpireq); 4676 while (sav != NULL) { 4677 nextsav = LIST_NEXT(sav, drainq); 4678 key_expire(sav, 0); 4679 key_freesav(&sav); /* release extra reference */ 4680 sav = nextsav; 4681 } 4682 /* Free stale LARVAL SAs */ 4683 sav = LIST_FIRST(&drainq); 4684 while (sav != NULL) { 4685 nextsav = LIST_NEXT(sav, drainq); 4686 key_freesah(&sav->sah); /* release reference from SAV */ 4687 key_freesav(&sav); /* release extra reference */ 4688 key_freesav(&sav); /* release last reference */ 4689 sav = nextsav; 4690 } 4691 /* Free SAs that were unlinked/changed by someone else */ 4692 sav = LIST_FIRST(&freeq); 4693 while (sav != NULL) { 4694 nextsav = LIST_NEXT(sav, drainq); 4695 key_freesav(&sav); /* release extra reference */ 4696 sav = nextsav; 4697 } 4698 /* Free empty SAH */ 4699 sah = LIST_FIRST(&emptyq); 4700 while (sah != NULL) { 4701 nextsah = LIST_NEXT(sah, drainq); 4702 key_freesah(&sah); /* release extra reference */ 4703 key_freesah(&sah); /* release last reference */ 4704 sah = nextsah; 4705 } 4706 } 4707 4708 static void 4709 key_flush_acq(time_t now) 4710 { 4711 struct secacq *acq, *nextacq; 4712 4713 /* ACQ tree */ 4714 ACQ_LOCK(); 4715 acq = LIST_FIRST(&V_acqtree); 4716 while (acq != NULL) { 4717 nextacq = LIST_NEXT(acq, chain); 4718 if (now - acq->created > V_key_blockacq_lifetime) { 4719 LIST_REMOVE(acq, chain); 4720 LIST_REMOVE(acq, addrhash); 4721 LIST_REMOVE(acq, seqhash); 4722 free(acq, M_IPSEC_SAQ); 4723 } 4724 acq = nextacq; 4725 } 4726 ACQ_UNLOCK(); 4727 } 4728 4729 static void 4730 key_flush_spacq(time_t now) 4731 { 4732 struct secspacq *acq, *nextacq; 4733 4734 /* SP ACQ tree */ 4735 SPACQ_LOCK(); 4736 for (acq = LIST_FIRST(&V_spacqtree); acq != NULL; acq = nextacq) { 4737 nextacq = LIST_NEXT(acq, chain); 4738 if (now - acq->created > V_key_blockacq_lifetime 4739 && __LIST_CHAINED(acq)) { 4740 LIST_REMOVE(acq, chain); 4741 free(acq, M_IPSEC_SAQ); 4742 } 4743 } 4744 SPACQ_UNLOCK(); 4745 } 4746 4747 /* 4748 * time handler. 4749 * scanning SPD and SAD to check status for each entries, 4750 * and do to remove or to expire. 4751 * XXX: year 2038 problem may remain. 4752 */ 4753 static void 4754 key_timehandler(void *arg) 4755 { 4756 VNET_ITERATOR_DECL(vnet_iter); 4757 time_t now = time_second; 4758 4759 VNET_LIST_RLOCK_NOSLEEP(); 4760 VNET_FOREACH(vnet_iter) { 4761 CURVNET_SET(vnet_iter); 4762 key_flush_spd(now); 4763 key_flush_sad(now); 4764 key_flush_acq(now); 4765 key_flush_spacq(now); 4766 CURVNET_RESTORE(); 4767 } 4768 VNET_LIST_RUNLOCK_NOSLEEP(); 4769 4770 #ifndef IPSEC_DEBUG2 4771 /* do exchange to tick time !! */ 4772 callout_schedule(&key_timer, hz); 4773 #endif /* IPSEC_DEBUG2 */ 4774 } 4775 4776 u_long 4777 key_random(void) 4778 { 4779 u_long value; 4780 4781 arc4random_buf(&value, sizeof(value)); 4782 return value; 4783 } 4784 4785 /* 4786 * map SADB_SATYPE_* to IPPROTO_*. 4787 * if satype == SADB_SATYPE then satype is mapped to ~0. 4788 * OUT: 4789 * 0: invalid satype. 4790 */ 4791 static uint8_t 4792 key_satype2proto(uint8_t satype) 4793 { 4794 switch (satype) { 4795 case SADB_SATYPE_UNSPEC: 4796 return IPSEC_PROTO_ANY; 4797 case SADB_SATYPE_AH: 4798 return IPPROTO_AH; 4799 case SADB_SATYPE_ESP: 4800 return IPPROTO_ESP; 4801 case SADB_X_SATYPE_IPCOMP: 4802 return IPPROTO_IPCOMP; 4803 case SADB_X_SATYPE_TCPSIGNATURE: 4804 return IPPROTO_TCP; 4805 default: 4806 return 0; 4807 } 4808 /* NOTREACHED */ 4809 } 4810 4811 /* 4812 * map IPPROTO_* to SADB_SATYPE_* 4813 * OUT: 4814 * 0: invalid protocol type. 4815 */ 4816 static uint8_t 4817 key_proto2satype(uint8_t proto) 4818 { 4819 switch (proto) { 4820 case IPPROTO_AH: 4821 return SADB_SATYPE_AH; 4822 case IPPROTO_ESP: 4823 return SADB_SATYPE_ESP; 4824 case IPPROTO_IPCOMP: 4825 return SADB_X_SATYPE_IPCOMP; 4826 case IPPROTO_TCP: 4827 return SADB_X_SATYPE_TCPSIGNATURE; 4828 default: 4829 return 0; 4830 } 4831 /* NOTREACHED */ 4832 } 4833 4834 /* %%% PF_KEY */ 4835 /* 4836 * SADB_GETSPI processing is to receive 4837 * <base, (SA2), src address, dst address, (SPI range)> 4838 * from the IKMPd, to assign a unique spi value, to hang on the INBOUND 4839 * tree with the status of LARVAL, and send 4840 * <base, SA(*), address(SD)> 4841 * to the IKMPd. 4842 * 4843 * IN: mhp: pointer to the pointer to each header. 4844 * OUT: NULL if fail. 4845 * other if success, return pointer to the message to send. 4846 */ 4847 static int 4848 key_getspi(struct socket *so, struct mbuf *m, const struct sadb_msghdr *mhp) 4849 { 4850 struct secasindex saidx; 4851 struct sadb_address *src0, *dst0; 4852 struct secasvar *sav; 4853 uint32_t reqid, spi; 4854 int error; 4855 uint8_t mode, proto; 4856 4857 IPSEC_ASSERT(so != NULL, ("null socket")); 4858 IPSEC_ASSERT(m != NULL, ("null mbuf")); 4859 IPSEC_ASSERT(mhp != NULL, ("null msghdr")); 4860 IPSEC_ASSERT(mhp->msg != NULL, ("null msg")); 4861 4862 if (SADB_CHECKHDR(mhp, SADB_EXT_ADDRESS_SRC) || 4863 SADB_CHECKHDR(mhp, SADB_EXT_ADDRESS_DST) 4864 #ifdef PFKEY_STRICT_CHECKS 4865 || SADB_CHECKHDR(mhp, SADB_EXT_SPIRANGE) 4866 #endif 4867 ) { 4868 ipseclog((LOG_DEBUG, 4869 "%s: invalid message: missing required header.\n", 4870 __func__)); 4871 error = EINVAL; 4872 goto fail; 4873 } 4874 if (SADB_CHECKLEN(mhp, SADB_EXT_ADDRESS_SRC) || 4875 SADB_CHECKLEN(mhp, SADB_EXT_ADDRESS_DST) 4876 #ifdef PFKEY_STRICT_CHECKS 4877 || SADB_CHECKLEN(mhp, SADB_EXT_SPIRANGE) 4878 #endif 4879 ) { 4880 ipseclog((LOG_DEBUG, 4881 "%s: invalid message: wrong header size.\n", __func__)); 4882 error = EINVAL; 4883 goto fail; 4884 } 4885 if (SADB_CHECKHDR(mhp, SADB_X_EXT_SA2)) { 4886 mode = IPSEC_MODE_ANY; 4887 reqid = 0; 4888 } else { 4889 if (SADB_CHECKLEN(mhp, SADB_X_EXT_SA2)) { 4890 ipseclog((LOG_DEBUG, 4891 "%s: invalid message: wrong header size.\n", 4892 __func__)); 4893 error = EINVAL; 4894 goto fail; 4895 } 4896 mode = ((struct sadb_x_sa2 *) 4897 mhp->ext[SADB_X_EXT_SA2])->sadb_x_sa2_mode; 4898 reqid = ((struct sadb_x_sa2 *) 4899 mhp->ext[SADB_X_EXT_SA2])->sadb_x_sa2_reqid; 4900 } 4901 4902 src0 = (struct sadb_address *)(mhp->ext[SADB_EXT_ADDRESS_SRC]); 4903 dst0 = (struct sadb_address *)(mhp->ext[SADB_EXT_ADDRESS_DST]); 4904 4905 /* map satype to proto */ 4906 if ((proto = key_satype2proto(mhp->msg->sadb_msg_satype)) == 0) { 4907 ipseclog((LOG_DEBUG, "%s: invalid satype is passed.\n", 4908 __func__)); 4909 error = EINVAL; 4910 goto fail; 4911 } 4912 error = key_checksockaddrs((struct sockaddr *)(src0 + 1), 4913 (struct sockaddr *)(dst0 + 1)); 4914 if (error != 0) { 4915 ipseclog((LOG_DEBUG, "%s: invalid sockaddr.\n", __func__)); 4916 error = EINVAL; 4917 goto fail; 4918 } 4919 KEY_SETSECASIDX(proto, mode, reqid, src0 + 1, dst0 + 1, &saidx); 4920 4921 /* SPI allocation */ 4922 SPI_ALLOC_LOCK(); 4923 spi = key_do_getnewspi( 4924 (struct sadb_spirange *)mhp->ext[SADB_EXT_SPIRANGE], &saidx); 4925 if (spi == 0) { 4926 /* 4927 * Requested SPI or SPI range is not available or 4928 * already used. 4929 */ 4930 SPI_ALLOC_UNLOCK(); 4931 error = EEXIST; 4932 goto fail; 4933 } 4934 sav = key_newsav(mhp, &saidx, spi, &error); 4935 SPI_ALLOC_UNLOCK(); 4936 if (sav == NULL) 4937 goto fail; 4938 4939 if (sav->seq != 0) { 4940 /* 4941 * RFC2367: 4942 * If the SADB_GETSPI message is in response to a 4943 * kernel-generated SADB_ACQUIRE, the sadb_msg_seq 4944 * MUST be the same as the SADB_ACQUIRE message. 4945 * 4946 * XXXAE: However it doesn't definethe behaviour how to 4947 * check this and what to do if it doesn't match. 4948 * Also what we should do if it matches? 4949 * 4950 * We can compare saidx used in SADB_ACQUIRE with saidx 4951 * used in SADB_GETSPI, but this probably can break 4952 * existing software. For now just warn if it doesn't match. 4953 * 4954 * XXXAE: anyway it looks useless. 4955 */ 4956 key_acqdone(&saidx, sav->seq); 4957 } 4958 KEYDBG(KEY_STAMP, 4959 printf("%s: SA(%p)\n", __func__, sav)); 4960 KEYDBG(KEY_DATA, kdebug_secasv(sav)); 4961 4962 { 4963 struct mbuf *n, *nn; 4964 struct sadb_sa *m_sa; 4965 struct sadb_msg *newmsg; 4966 int off, len; 4967 4968 /* create new sadb_msg to reply. */ 4969 len = PFKEY_ALIGN8(sizeof(struct sadb_msg)) + 4970 PFKEY_ALIGN8(sizeof(struct sadb_sa)); 4971 4972 MGETHDR(n, M_NOWAIT, MT_DATA); 4973 if (len > MHLEN) { 4974 if (!(MCLGET(n, M_NOWAIT))) { 4975 m_freem(n); 4976 n = NULL; 4977 } 4978 } 4979 if (!n) { 4980 error = ENOBUFS; 4981 goto fail; 4982 } 4983 4984 n->m_len = len; 4985 n->m_next = NULL; 4986 off = 0; 4987 4988 m_copydata(m, 0, sizeof(struct sadb_msg), mtod(n, caddr_t) + off); 4989 off += PFKEY_ALIGN8(sizeof(struct sadb_msg)); 4990 4991 m_sa = (struct sadb_sa *)(mtod(n, caddr_t) + off); 4992 m_sa->sadb_sa_len = PFKEY_UNIT64(sizeof(struct sadb_sa)); 4993 m_sa->sadb_sa_exttype = SADB_EXT_SA; 4994 m_sa->sadb_sa_spi = spi; /* SPI is already in network byte order */ 4995 off += PFKEY_ALIGN8(sizeof(struct sadb_sa)); 4996 4997 IPSEC_ASSERT(off == len, 4998 ("length inconsistency (off %u len %u)", off, len)); 4999 5000 n->m_next = key_gather_mbuf(m, mhp, 0, 2, SADB_EXT_ADDRESS_SRC, 5001 SADB_EXT_ADDRESS_DST); 5002 if (!n->m_next) { 5003 m_freem(n); 5004 error = ENOBUFS; 5005 goto fail; 5006 } 5007 5008 if (n->m_len < sizeof(struct sadb_msg)) { 5009 n = m_pullup(n, sizeof(struct sadb_msg)); 5010 if (n == NULL) 5011 return key_sendup_mbuf(so, m, KEY_SENDUP_ONE); 5012 } 5013 5014 n->m_pkthdr.len = 0; 5015 for (nn = n; nn; nn = nn->m_next) 5016 n->m_pkthdr.len += nn->m_len; 5017 5018 newmsg = mtod(n, struct sadb_msg *); 5019 newmsg->sadb_msg_seq = sav->seq; 5020 newmsg->sadb_msg_errno = 0; 5021 newmsg->sadb_msg_len = PFKEY_UNIT64(n->m_pkthdr.len); 5022 5023 m_freem(m); 5024 return key_sendup_mbuf(so, n, KEY_SENDUP_ONE); 5025 } 5026 5027 fail: 5028 return (key_senderror(so, m, error)); 5029 } 5030 5031 /* 5032 * allocating new SPI 5033 * called by key_getspi(). 5034 * OUT: 5035 * 0: failure. 5036 * others: success, SPI in network byte order. 5037 */ 5038 static uint32_t 5039 key_do_getnewspi(struct sadb_spirange *spirange, struct secasindex *saidx) 5040 { 5041 uint32_t min, max, newspi, t; 5042 int tries, limit; 5043 5044 SPI_ALLOC_LOCK_ASSERT(); 5045 5046 /* set spi range to allocate */ 5047 if (spirange != NULL) { 5048 min = spirange->sadb_spirange_min; 5049 max = spirange->sadb_spirange_max; 5050 } else { 5051 min = V_key_spi_minval; 5052 max = V_key_spi_maxval; 5053 } 5054 /* IPCOMP needs 2-byte SPI */ 5055 if (saidx->proto == IPPROTO_IPCOMP) { 5056 if (min >= 0x10000) 5057 min = 0xffff; 5058 if (max >= 0x10000) 5059 max = 0xffff; 5060 if (min > max) { 5061 t = min; min = max; max = t; 5062 } 5063 } 5064 5065 if (min == max) { 5066 if (key_checkspidup(htonl(min))) { 5067 ipseclog((LOG_DEBUG, "%s: SPI %u exists already.\n", 5068 __func__, min)); 5069 return 0; 5070 } 5071 5072 tries = 1; 5073 newspi = min; 5074 } else { 5075 /* init SPI */ 5076 newspi = 0; 5077 5078 limit = atomic_load_int(&V_key_spi_trycnt); 5079 /* when requesting to allocate spi ranged */ 5080 for (tries = 0; tries < limit; tries++) { 5081 /* generate pseudo-random SPI value ranged. */ 5082 newspi = min + (key_random() % (max - min + 1)); 5083 if (!key_checkspidup(htonl(newspi))) 5084 break; 5085 } 5086 5087 if (tries == limit || newspi == 0) { 5088 ipseclog((LOG_DEBUG, 5089 "%s: failed to allocate SPI.\n", __func__)); 5090 return 0; 5091 } 5092 } 5093 5094 /* statistics */ 5095 keystat.getspi_count = 5096 (keystat.getspi_count + tries) / 2; 5097 5098 return (htonl(newspi)); 5099 } 5100 5101 /* 5102 * Find TCP-MD5 SA with corresponding secasindex. 5103 * If not found, return NULL and fill SPI with usable value if needed. 5104 */ 5105 static struct secasvar * 5106 key_getsav_tcpmd5(struct secasindex *saidx, uint32_t *spi) 5107 { 5108 SAHTREE_RLOCK_TRACKER; 5109 struct secashead *sah; 5110 struct secasvar *sav; 5111 5112 IPSEC_ASSERT(saidx->proto == IPPROTO_TCP, ("wrong proto")); 5113 SAHTREE_RLOCK(); 5114 LIST_FOREACH(sah, SAHADDRHASH_HASH(saidx), addrhash) { 5115 if (sah->saidx.proto != IPPROTO_TCP) 5116 continue; 5117 if (!key_sockaddrcmp(&saidx->dst.sa, &sah->saidx.dst.sa, 0) && 5118 !key_sockaddrcmp(&saidx->src.sa, &sah->saidx.src.sa, 0)) 5119 break; 5120 } 5121 if (sah != NULL) { 5122 if (V_key_preferred_oldsa) 5123 sav = TAILQ_LAST(&sah->savtree_alive, secasvar_queue); 5124 else 5125 sav = TAILQ_FIRST(&sah->savtree_alive); 5126 if (sav != NULL) { 5127 SAV_ADDREF(sav); 5128 SAHTREE_RUNLOCK(); 5129 return (sav); 5130 } 5131 } 5132 if (spi == NULL) { 5133 /* No SPI required */ 5134 SAHTREE_RUNLOCK(); 5135 return (NULL); 5136 } 5137 /* Check that SPI is unique */ 5138 LIST_FOREACH(sav, SAVHASH_HASH(*spi), spihash) { 5139 if (sav->spi == *spi) 5140 break; 5141 } 5142 if (sav == NULL) { 5143 SAHTREE_RUNLOCK(); 5144 /* SPI is already unique */ 5145 return (NULL); 5146 } 5147 SAHTREE_RUNLOCK(); 5148 /* XXX: not optimal */ 5149 *spi = key_do_getnewspi(NULL, saidx); 5150 return (NULL); 5151 } 5152 5153 static int 5154 key_updateaddresses(struct socket *so, struct mbuf *m, 5155 const struct sadb_msghdr *mhp, struct secasvar *sav, 5156 struct secasindex *saidx) 5157 { 5158 struct sockaddr *newaddr; 5159 struct secashead *sah; 5160 struct secasvar *newsav, *tmp; 5161 struct mbuf *n; 5162 int error, isnew; 5163 5164 /* Check that we need to change SAH */ 5165 if (!SADB_CHECKHDR(mhp, SADB_X_EXT_NEW_ADDRESS_SRC)) { 5166 newaddr = (struct sockaddr *)( 5167 ((struct sadb_address *) 5168 mhp->ext[SADB_X_EXT_NEW_ADDRESS_SRC]) + 1); 5169 bcopy(newaddr, &saidx->src, newaddr->sa_len); 5170 key_porttosaddr(&saidx->src.sa, 0); 5171 } 5172 if (!SADB_CHECKHDR(mhp, SADB_X_EXT_NEW_ADDRESS_DST)) { 5173 newaddr = (struct sockaddr *)( 5174 ((struct sadb_address *) 5175 mhp->ext[SADB_X_EXT_NEW_ADDRESS_DST]) + 1); 5176 bcopy(newaddr, &saidx->dst, newaddr->sa_len); 5177 key_porttosaddr(&saidx->dst.sa, 0); 5178 } 5179 if (!SADB_CHECKHDR(mhp, SADB_X_EXT_NEW_ADDRESS_SRC) || 5180 !SADB_CHECKHDR(mhp, SADB_X_EXT_NEW_ADDRESS_DST)) { 5181 error = key_checksockaddrs(&saidx->src.sa, &saidx->dst.sa); 5182 if (error != 0) { 5183 ipseclog((LOG_DEBUG, "%s: invalid new sockaddr.\n", 5184 __func__)); 5185 return (error); 5186 } 5187 5188 sah = key_getsah(saidx); 5189 if (sah == NULL) { 5190 /* create a new SA index */ 5191 sah = key_newsah(saidx); 5192 if (sah == NULL) { 5193 ipseclog((LOG_DEBUG, 5194 "%s: No more memory.\n", __func__)); 5195 return (ENOBUFS); 5196 } 5197 isnew = 2; /* SAH is new */ 5198 } else 5199 isnew = 1; /* existing SAH is referenced */ 5200 } else { 5201 /* 5202 * src and dst addresses are still the same. 5203 * Do we want to change NAT-T config? 5204 */ 5205 if (sav->sah->saidx.proto != IPPROTO_ESP || 5206 SADB_CHECKHDR(mhp, SADB_X_EXT_NAT_T_TYPE) || 5207 SADB_CHECKHDR(mhp, SADB_X_EXT_NAT_T_SPORT) || 5208 SADB_CHECKHDR(mhp, SADB_X_EXT_NAT_T_DPORT)) { 5209 ipseclog((LOG_DEBUG, 5210 "%s: invalid message: missing required header.\n", 5211 __func__)); 5212 return (EINVAL); 5213 } 5214 /* We hold reference to SA, thus SAH will be referenced too. */ 5215 sah = sav->sah; 5216 isnew = 0; 5217 } 5218 5219 newsav = malloc(sizeof(struct secasvar), M_IPSEC_SA, 5220 M_NOWAIT | M_ZERO); 5221 if (newsav == NULL) { 5222 ipseclog((LOG_DEBUG, "%s: No more memory.\n", __func__)); 5223 error = ENOBUFS; 5224 goto fail; 5225 } 5226 5227 /* Clone SA's content into newsav */ 5228 SAV_INITREF(newsav); 5229 bcopy(sav, newsav, offsetof(struct secasvar, chain)); 5230 /* 5231 * We create new NAT-T config if it is needed. 5232 * Old NAT-T config will be freed by key_cleansav() when 5233 * last reference to SA will be released. 5234 */ 5235 newsav->natt = NULL; 5236 newsav->sah = sah; 5237 newsav->state = SADB_SASTATE_MATURE; 5238 error = key_setnatt(newsav, mhp); 5239 if (error != 0) 5240 goto fail; 5241 5242 SAHTREE_WLOCK(); 5243 /* Check that SA is still alive */ 5244 if (sav->state == SADB_SASTATE_DEAD) { 5245 /* SA was unlinked */ 5246 SAHTREE_WUNLOCK(); 5247 error = ESRCH; 5248 goto fail; 5249 } 5250 5251 /* Unlink SA from SAH and SPI hash */ 5252 IPSEC_ASSERT((sav->flags & SADB_X_EXT_F_CLONED) == 0, 5253 ("SA is already cloned")); 5254 IPSEC_ASSERT(sav->state == SADB_SASTATE_MATURE || 5255 sav->state == SADB_SASTATE_DYING, 5256 ("Wrong SA state %u\n", sav->state)); 5257 TAILQ_REMOVE(&sav->sah->savtree_alive, sav, chain); 5258 LIST_REMOVE(sav, spihash); 5259 sav->state = SADB_SASTATE_DEAD; 5260 5261 /* 5262 * Link new SA with SAH. Keep SAs ordered by 5263 * create time (newer are first). 5264 */ 5265 TAILQ_FOREACH(tmp, &sah->savtree_alive, chain) { 5266 if (newsav->created > tmp->created) { 5267 TAILQ_INSERT_BEFORE(tmp, newsav, chain); 5268 break; 5269 } 5270 } 5271 if (tmp == NULL) 5272 TAILQ_INSERT_TAIL(&sah->savtree_alive, newsav, chain); 5273 5274 /* Add new SA into SPI hash. */ 5275 LIST_INSERT_HEAD(SAVHASH_HASH(newsav->spi), newsav, spihash); 5276 5277 /* Add new SAH into SADB. */ 5278 if (isnew == 2) { 5279 TAILQ_INSERT_HEAD(&V_sahtree, sah, chain); 5280 LIST_INSERT_HEAD(SAHADDRHASH_HASH(saidx), sah, addrhash); 5281 sah->state = SADB_SASTATE_MATURE; 5282 SAH_ADDREF(sah); /* newsav references new SAH */ 5283 } 5284 /* 5285 * isnew == 1 -> @sah was referenced by key_getsah(). 5286 * isnew == 0 -> we use the same @sah, that was used by @sav, 5287 * and we use its reference for @newsav. 5288 */ 5289 SECASVAR_WLOCK(sav); 5290 /* XXX: replace cntr with pointer? */ 5291 newsav->cntr = sav->cntr; 5292 sav->flags |= SADB_X_EXT_F_CLONED; 5293 SECASVAR_WUNLOCK(sav); 5294 5295 SAHTREE_WUNLOCK(); 5296 5297 KEYDBG(KEY_STAMP, 5298 printf("%s: SA(%p) cloned into SA(%p)\n", 5299 __func__, sav, newsav)); 5300 KEYDBG(KEY_DATA, kdebug_secasv(newsav)); 5301 5302 key_freesav(&sav); /* release last reference */ 5303 5304 /* set msg buf from mhp */ 5305 n = key_getmsgbuf_x1(m, mhp); 5306 if (n == NULL) { 5307 ipseclog((LOG_DEBUG, "%s: No more memory.\n", __func__)); 5308 return (ENOBUFS); 5309 } 5310 m_freem(m); 5311 key_sendup_mbuf(so, n, KEY_SENDUP_ALL); 5312 return (0); 5313 fail: 5314 if (isnew != 0) 5315 key_freesah(&sah); 5316 if (newsav != NULL) { 5317 if (newsav->natt != NULL) 5318 free(newsav->natt, M_IPSEC_MISC); 5319 free(newsav, M_IPSEC_SA); 5320 } 5321 return (error); 5322 } 5323 5324 /* 5325 * SADB_UPDATE processing 5326 * receive 5327 * <base, SA, (SA2), (lifetime(HSC),) address(SD), (address(P),) 5328 * key(AE), (identity(SD),) (sensitivity)> 5329 * from the ikmpd, and update a secasvar entry whose status is SADB_SASTATE_LARVAL. 5330 * and send 5331 * <base, SA, (SA2), (lifetime(HSC),) address(SD), (address(P),) 5332 * (identity(SD),) (sensitivity)> 5333 * to the ikmpd. 5334 * 5335 * m will always be freed. 5336 */ 5337 static int 5338 key_update(struct socket *so, struct mbuf *m, const struct sadb_msghdr *mhp) 5339 { 5340 struct secasindex saidx; 5341 struct sadb_address *src0, *dst0; 5342 struct sadb_sa *sa0; 5343 struct secasvar *sav; 5344 uint32_t reqid; 5345 int error; 5346 uint8_t mode, proto; 5347 5348 IPSEC_ASSERT(so != NULL, ("null socket")); 5349 IPSEC_ASSERT(m != NULL, ("null mbuf")); 5350 IPSEC_ASSERT(mhp != NULL, ("null msghdr")); 5351 IPSEC_ASSERT(mhp->msg != NULL, ("null msg")); 5352 5353 /* map satype to proto */ 5354 if ((proto = key_satype2proto(mhp->msg->sadb_msg_satype)) == 0) { 5355 ipseclog((LOG_DEBUG, "%s: invalid satype is passed.\n", 5356 __func__)); 5357 return key_senderror(so, m, EINVAL); 5358 } 5359 5360 if (SADB_CHECKHDR(mhp, SADB_EXT_SA) || 5361 SADB_CHECKHDR(mhp, SADB_EXT_ADDRESS_SRC) || 5362 SADB_CHECKHDR(mhp, SADB_EXT_ADDRESS_DST) || 5363 (SADB_CHECKHDR(mhp, SADB_EXT_LIFETIME_HARD) && 5364 !SADB_CHECKHDR(mhp, SADB_EXT_LIFETIME_SOFT)) || 5365 (SADB_CHECKHDR(mhp, SADB_EXT_LIFETIME_SOFT) && 5366 !SADB_CHECKHDR(mhp, SADB_EXT_LIFETIME_HARD))) { 5367 ipseclog((LOG_DEBUG, 5368 "%s: invalid message: missing required header.\n", 5369 __func__)); 5370 return key_senderror(so, m, EINVAL); 5371 } 5372 if (SADB_CHECKLEN(mhp, SADB_EXT_SA) || 5373 SADB_CHECKLEN(mhp, SADB_EXT_ADDRESS_SRC) || 5374 SADB_CHECKLEN(mhp, SADB_EXT_ADDRESS_DST)) { 5375 ipseclog((LOG_DEBUG, 5376 "%s: invalid message: wrong header size.\n", __func__)); 5377 return key_senderror(so, m, EINVAL); 5378 } 5379 if (SADB_CHECKHDR(mhp, SADB_X_EXT_SA2)) { 5380 mode = IPSEC_MODE_ANY; 5381 reqid = 0; 5382 } else { 5383 if (SADB_CHECKLEN(mhp, SADB_X_EXT_SA2)) { 5384 ipseclog((LOG_DEBUG, 5385 "%s: invalid message: wrong header size.\n", 5386 __func__)); 5387 return key_senderror(so, m, EINVAL); 5388 } 5389 mode = ((struct sadb_x_sa2 *) 5390 mhp->ext[SADB_X_EXT_SA2])->sadb_x_sa2_mode; 5391 reqid = ((struct sadb_x_sa2 *) 5392 mhp->ext[SADB_X_EXT_SA2])->sadb_x_sa2_reqid; 5393 } 5394 5395 sa0 = (struct sadb_sa *)mhp->ext[SADB_EXT_SA]; 5396 src0 = (struct sadb_address *)(mhp->ext[SADB_EXT_ADDRESS_SRC]); 5397 dst0 = (struct sadb_address *)(mhp->ext[SADB_EXT_ADDRESS_DST]); 5398 5399 /* 5400 * Only SADB_SASTATE_MATURE SAs may be submitted in an 5401 * SADB_UPDATE message. 5402 */ 5403 if (sa0->sadb_sa_state != SADB_SASTATE_MATURE) { 5404 ipseclog((LOG_DEBUG, "%s: invalid state.\n", __func__)); 5405 #ifdef PFKEY_STRICT_CHECKS 5406 return key_senderror(so, m, EINVAL); 5407 #endif 5408 } 5409 error = key_checksockaddrs((struct sockaddr *)(src0 + 1), 5410 (struct sockaddr *)(dst0 + 1)); 5411 if (error != 0) { 5412 ipseclog((LOG_DEBUG, "%s: invalid sockaddr.\n", __func__)); 5413 return key_senderror(so, m, error); 5414 } 5415 KEY_SETSECASIDX(proto, mode, reqid, src0 + 1, dst0 + 1, &saidx); 5416 sav = key_getsavbyspi(sa0->sadb_sa_spi); 5417 if (sav == NULL) { 5418 ipseclog((LOG_DEBUG, "%s: no SA found for SPI %u\n", 5419 __func__, ntohl(sa0->sadb_sa_spi))); 5420 return key_senderror(so, m, EINVAL); 5421 } 5422 /* 5423 * Check that SADB_UPDATE issued by the same process that did 5424 * SADB_GETSPI or SADB_ADD. 5425 */ 5426 if (sav->pid != mhp->msg->sadb_msg_pid) { 5427 ipseclog((LOG_DEBUG, 5428 "%s: pid mismatched (SPI %u, pid %u vs. %u)\n", __func__, 5429 ntohl(sav->spi), sav->pid, mhp->msg->sadb_msg_pid)); 5430 key_freesav(&sav); 5431 return key_senderror(so, m, EINVAL); 5432 } 5433 /* saidx should match with SA. */ 5434 if (key_cmpsaidx(&sav->sah->saidx, &saidx, CMP_MODE_REQID) == 0) { 5435 ipseclog((LOG_DEBUG, "%s: saidx mismatched for SPI %u\n", 5436 __func__, ntohl(sav->spi))); 5437 key_freesav(&sav); 5438 return key_senderror(so, m, ESRCH); 5439 } 5440 5441 if (sav->state == SADB_SASTATE_LARVAL) { 5442 if ((mhp->msg->sadb_msg_satype == SADB_SATYPE_ESP && 5443 SADB_CHECKHDR(mhp, SADB_EXT_KEY_ENCRYPT)) || 5444 (mhp->msg->sadb_msg_satype == SADB_SATYPE_AH && 5445 SADB_CHECKHDR(mhp, SADB_EXT_KEY_AUTH))) { 5446 ipseclog((LOG_DEBUG, 5447 "%s: invalid message: missing required header.\n", 5448 __func__)); 5449 key_freesav(&sav); 5450 return key_senderror(so, m, EINVAL); 5451 } 5452 /* 5453 * We can set any values except src, dst and SPI. 5454 */ 5455 error = key_setsaval(sav, mhp); 5456 if (error != 0) { 5457 key_freesav(&sav); 5458 return (key_senderror(so, m, error)); 5459 } 5460 /* Change SA state to MATURE */ 5461 SAHTREE_WLOCK(); 5462 if (sav->state != SADB_SASTATE_LARVAL) { 5463 /* SA was deleted or another thread made it MATURE. */ 5464 SAHTREE_WUNLOCK(); 5465 key_freesav(&sav); 5466 return (key_senderror(so, m, ESRCH)); 5467 } 5468 /* 5469 * NOTE: we keep SAs in savtree_alive ordered by created 5470 * time. When SA's state changed from LARVAL to MATURE, 5471 * we update its created time in key_setsaval() and move 5472 * it into head of savtree_alive. 5473 */ 5474 TAILQ_REMOVE(&sav->sah->savtree_larval, sav, chain); 5475 TAILQ_INSERT_HEAD(&sav->sah->savtree_alive, sav, chain); 5476 sav->state = SADB_SASTATE_MATURE; 5477 SAHTREE_WUNLOCK(); 5478 } else { 5479 /* 5480 * For DYING and MATURE SA we can change only state 5481 * and lifetimes. Report EINVAL if something else attempted 5482 * to change. 5483 */ 5484 if (!SADB_CHECKHDR(mhp, SADB_EXT_KEY_ENCRYPT) || 5485 !SADB_CHECKHDR(mhp, SADB_EXT_KEY_AUTH)) { 5486 key_freesav(&sav); 5487 return (key_senderror(so, m, EINVAL)); 5488 } 5489 error = key_updatelifetimes(sav, mhp); 5490 if (error != 0) { 5491 key_freesav(&sav); 5492 return (key_senderror(so, m, error)); 5493 } 5494 /* 5495 * This is FreeBSD extension to RFC2367. 5496 * IKEd can specify SADB_X_EXT_NEW_ADDRESS_SRC and/or 5497 * SADB_X_EXT_NEW_ADDRESS_DST when it wants to change 5498 * SA addresses (for example to implement MOBIKE protocol 5499 * as described in RFC4555). Also we allow to change 5500 * NAT-T config. 5501 */ 5502 if (!SADB_CHECKHDR(mhp, SADB_X_EXT_NEW_ADDRESS_SRC) || 5503 !SADB_CHECKHDR(mhp, SADB_X_EXT_NEW_ADDRESS_DST) || 5504 !SADB_CHECKHDR(mhp, SADB_X_EXT_NAT_T_TYPE) || 5505 sav->natt != NULL) { 5506 error = key_updateaddresses(so, m, mhp, sav, &saidx); 5507 key_freesav(&sav); 5508 if (error != 0) 5509 return (key_senderror(so, m, error)); 5510 return (0); 5511 } 5512 /* Check that SA is still alive */ 5513 SAHTREE_WLOCK(); 5514 if (sav->state == SADB_SASTATE_DEAD) { 5515 /* SA was unlinked */ 5516 SAHTREE_WUNLOCK(); 5517 key_freesav(&sav); 5518 return (key_senderror(so, m, ESRCH)); 5519 } 5520 /* 5521 * NOTE: there is possible state moving from DYING to MATURE, 5522 * but this doesn't change created time, so we won't reorder 5523 * this SA. 5524 */ 5525 sav->state = SADB_SASTATE_MATURE; 5526 SAHTREE_WUNLOCK(); 5527 } 5528 KEYDBG(KEY_STAMP, 5529 printf("%s: SA(%p)\n", __func__, sav)); 5530 KEYDBG(KEY_DATA, kdebug_secasv(sav)); 5531 key_freesav(&sav); 5532 5533 { 5534 struct mbuf *n; 5535 5536 /* set msg buf from mhp */ 5537 n = key_getmsgbuf_x1(m, mhp); 5538 if (n == NULL) { 5539 ipseclog((LOG_DEBUG, "%s: No more memory.\n", __func__)); 5540 return key_senderror(so, m, ENOBUFS); 5541 } 5542 5543 m_freem(m); 5544 return key_sendup_mbuf(so, n, KEY_SENDUP_ALL); 5545 } 5546 } 5547 5548 /* 5549 * SADB_ADD processing 5550 * add an entry to SA database, when received 5551 * <base, SA, (SA2), (lifetime(HSC),) address(SD), (address(P),) 5552 * key(AE), (identity(SD),) (sensitivity)> 5553 * from the ikmpd, 5554 * and send 5555 * <base, SA, (SA2), (lifetime(HSC),) address(SD), (address(P),) 5556 * (identity(SD),) (sensitivity)> 5557 * to the ikmpd. 5558 * 5559 * IGNORE identity and sensitivity messages. 5560 * 5561 * m will always be freed. 5562 */ 5563 static int 5564 key_add(struct socket *so, struct mbuf *m, const struct sadb_msghdr *mhp) 5565 { 5566 struct secasindex saidx; 5567 struct sadb_address *src0, *dst0; 5568 struct sadb_sa *sa0; 5569 struct secasvar *sav; 5570 uint32_t reqid, spi; 5571 uint8_t mode, proto; 5572 int error; 5573 5574 IPSEC_ASSERT(so != NULL, ("null socket")); 5575 IPSEC_ASSERT(m != NULL, ("null mbuf")); 5576 IPSEC_ASSERT(mhp != NULL, ("null msghdr")); 5577 IPSEC_ASSERT(mhp->msg != NULL, ("null msg")); 5578 5579 /* map satype to proto */ 5580 if ((proto = key_satype2proto(mhp->msg->sadb_msg_satype)) == 0) { 5581 ipseclog((LOG_DEBUG, "%s: invalid satype is passed.\n", 5582 __func__)); 5583 return key_senderror(so, m, EINVAL); 5584 } 5585 5586 if (SADB_CHECKHDR(mhp, SADB_EXT_SA) || 5587 SADB_CHECKHDR(mhp, SADB_EXT_ADDRESS_SRC) || 5588 SADB_CHECKHDR(mhp, SADB_EXT_ADDRESS_DST) || 5589 (mhp->msg->sadb_msg_satype == SADB_SATYPE_ESP && ( 5590 SADB_CHECKHDR(mhp, SADB_EXT_KEY_ENCRYPT) || 5591 SADB_CHECKLEN(mhp, SADB_EXT_KEY_ENCRYPT))) || 5592 (mhp->msg->sadb_msg_satype == SADB_SATYPE_AH && ( 5593 SADB_CHECKHDR(mhp, SADB_EXT_KEY_AUTH) || 5594 SADB_CHECKLEN(mhp, SADB_EXT_KEY_AUTH))) || 5595 (SADB_CHECKHDR(mhp, SADB_EXT_LIFETIME_HARD) && 5596 !SADB_CHECKHDR(mhp, SADB_EXT_LIFETIME_SOFT)) || 5597 (SADB_CHECKHDR(mhp, SADB_EXT_LIFETIME_SOFT) && 5598 !SADB_CHECKHDR(mhp, SADB_EXT_LIFETIME_HARD))) { 5599 ipseclog((LOG_DEBUG, 5600 "%s: invalid message: missing required header.\n", 5601 __func__)); 5602 return key_senderror(so, m, EINVAL); 5603 } 5604 if (SADB_CHECKLEN(mhp, SADB_EXT_SA) || 5605 SADB_CHECKLEN(mhp, SADB_EXT_ADDRESS_SRC) || 5606 SADB_CHECKLEN(mhp, SADB_EXT_ADDRESS_DST)) { 5607 ipseclog((LOG_DEBUG, 5608 "%s: invalid message: wrong header size.\n", __func__)); 5609 return key_senderror(so, m, EINVAL); 5610 } 5611 if (SADB_CHECKHDR(mhp, SADB_X_EXT_SA2)) { 5612 mode = IPSEC_MODE_ANY; 5613 reqid = 0; 5614 } else { 5615 if (SADB_CHECKLEN(mhp, SADB_X_EXT_SA2)) { 5616 ipseclog((LOG_DEBUG, 5617 "%s: invalid message: wrong header size.\n", 5618 __func__)); 5619 return key_senderror(so, m, EINVAL); 5620 } 5621 mode = ((struct sadb_x_sa2 *) 5622 mhp->ext[SADB_X_EXT_SA2])->sadb_x_sa2_mode; 5623 reqid = ((struct sadb_x_sa2 *) 5624 mhp->ext[SADB_X_EXT_SA2])->sadb_x_sa2_reqid; 5625 } 5626 5627 sa0 = (struct sadb_sa *)mhp->ext[SADB_EXT_SA]; 5628 src0 = (struct sadb_address *)mhp->ext[SADB_EXT_ADDRESS_SRC]; 5629 dst0 = (struct sadb_address *)mhp->ext[SADB_EXT_ADDRESS_DST]; 5630 5631 /* 5632 * Only SADB_SASTATE_MATURE SAs may be submitted in an 5633 * SADB_ADD message. 5634 */ 5635 if (sa0->sadb_sa_state != SADB_SASTATE_MATURE) { 5636 ipseclog((LOG_DEBUG, "%s: invalid state.\n", __func__)); 5637 #ifdef PFKEY_STRICT_CHECKS 5638 return key_senderror(so, m, EINVAL); 5639 #endif 5640 } 5641 error = key_checksockaddrs((struct sockaddr *)(src0 + 1), 5642 (struct sockaddr *)(dst0 + 1)); 5643 if (error != 0) { 5644 ipseclog((LOG_DEBUG, "%s: invalid sockaddr.\n", __func__)); 5645 return key_senderror(so, m, error); 5646 } 5647 KEY_SETSECASIDX(proto, mode, reqid, src0 + 1, dst0 + 1, &saidx); 5648 spi = sa0->sadb_sa_spi; 5649 /* 5650 * For TCP-MD5 SAs we don't use SPI. Check the uniqueness using 5651 * secasindex. 5652 * XXXAE: IPComp seems also doesn't use SPI. 5653 */ 5654 SPI_ALLOC_LOCK(); 5655 if (proto == IPPROTO_TCP) { 5656 sav = key_getsav_tcpmd5(&saidx, &spi); 5657 if (sav == NULL && spi == 0) { 5658 SPI_ALLOC_UNLOCK(); 5659 /* Failed to allocate SPI */ 5660 ipseclog((LOG_DEBUG, "%s: SA already exists.\n", 5661 __func__)); 5662 return key_senderror(so, m, EEXIST); 5663 } 5664 /* XXX: SPI that we report back can have another value */ 5665 } else { 5666 /* We can create new SA only if SPI is different. */ 5667 sav = key_getsavbyspi(spi); 5668 } 5669 if (sav != NULL) { 5670 SPI_ALLOC_UNLOCK(); 5671 key_freesav(&sav); 5672 ipseclog((LOG_DEBUG, "%s: SA already exists.\n", __func__)); 5673 return key_senderror(so, m, EEXIST); 5674 } 5675 5676 sav = key_newsav(mhp, &saidx, spi, &error); 5677 SPI_ALLOC_UNLOCK(); 5678 if (sav == NULL) 5679 return key_senderror(so, m, error); 5680 KEYDBG(KEY_STAMP, 5681 printf("%s: return SA(%p)\n", __func__, sav)); 5682 KEYDBG(KEY_DATA, kdebug_secasv(sav)); 5683 /* 5684 * If SADB_ADD was in response to SADB_ACQUIRE, we need to schedule 5685 * ACQ for deletion. 5686 */ 5687 if (sav->seq != 0) 5688 key_acqdone(&saidx, sav->seq); 5689 5690 { 5691 /* 5692 * Don't call key_freesav() on error here, as we would like to 5693 * keep the SA in the database. 5694 */ 5695 struct mbuf *n; 5696 5697 /* set msg buf from mhp */ 5698 n = key_getmsgbuf_x1(m, mhp); 5699 if (n == NULL) { 5700 ipseclog((LOG_DEBUG, "%s: No more memory.\n", __func__)); 5701 return key_senderror(so, m, ENOBUFS); 5702 } 5703 5704 m_freem(m); 5705 return key_sendup_mbuf(so, n, KEY_SENDUP_ALL); 5706 } 5707 } 5708 5709 /* 5710 * NAT-T support. 5711 * IKEd may request the use ESP in UDP encapsulation when it detects the 5712 * presence of NAT. It uses NAT-T extension headers for such SAs to specify 5713 * parameters needed for encapsulation and decapsulation. These PF_KEY 5714 * extension headers are not standardized, so this comment addresses our 5715 * implementation. 5716 * SADB_X_EXT_NAT_T_TYPE specifies type of encapsulation, we support only 5717 * UDP_ENCAP_ESPINUDP as described in RFC3948. 5718 * SADB_X_EXT_NAT_T_SPORT/DPORT specifies source and destination ports for 5719 * UDP header. We use these ports in UDP encapsulation procedure, also we 5720 * can check them in UDP decapsulation procedure. 5721 * SADB_X_EXT_NAT_T_OA[IR] specifies original address of initiator or 5722 * responder. These addresses can be used for transport mode to adjust 5723 * checksum after decapsulation and decryption. Since original IP addresses 5724 * used by peer usually different (we detected presence of NAT), TCP/UDP 5725 * pseudo header checksum and IP header checksum was calculated using original 5726 * addresses. After decapsulation and decryption we need to adjust checksum 5727 * to have correct datagram. 5728 * 5729 * We expect presence of NAT-T extension headers only in SADB_ADD and 5730 * SADB_UPDATE messages. We report NAT-T extension headers in replies 5731 * to SADB_ADD, SADB_UPDATE, SADB_GET, and SADB_DUMP messages. 5732 */ 5733 static int 5734 key_setnatt(struct secasvar *sav, const struct sadb_msghdr *mhp) 5735 { 5736 struct sadb_x_nat_t_port *port; 5737 struct sadb_x_nat_t_type *type; 5738 struct sadb_address *oai, *oar; 5739 struct sockaddr *sa; 5740 uint32_t addr; 5741 uint16_t cksum; 5742 5743 IPSEC_ASSERT(sav->natt == NULL, ("natt is already initialized")); 5744 /* 5745 * Ignore NAT-T headers if sproto isn't ESP. 5746 */ 5747 if (sav->sah->saidx.proto != IPPROTO_ESP) 5748 return (0); 5749 5750 if (!SADB_CHECKHDR(mhp, SADB_X_EXT_NAT_T_TYPE) && 5751 !SADB_CHECKHDR(mhp, SADB_X_EXT_NAT_T_SPORT) && 5752 !SADB_CHECKHDR(mhp, SADB_X_EXT_NAT_T_DPORT)) { 5753 if (SADB_CHECKLEN(mhp, SADB_X_EXT_NAT_T_TYPE) || 5754 SADB_CHECKLEN(mhp, SADB_X_EXT_NAT_T_SPORT) || 5755 SADB_CHECKLEN(mhp, SADB_X_EXT_NAT_T_DPORT)) { 5756 ipseclog((LOG_DEBUG, 5757 "%s: invalid message: wrong header size.\n", 5758 __func__)); 5759 return (EINVAL); 5760 } 5761 } else 5762 return (0); 5763 5764 type = (struct sadb_x_nat_t_type *)mhp->ext[SADB_X_EXT_NAT_T_TYPE]; 5765 if (type->sadb_x_nat_t_type_type != UDP_ENCAP_ESPINUDP) { 5766 ipseclog((LOG_DEBUG, "%s: unsupported NAT-T type %u.\n", 5767 __func__, type->sadb_x_nat_t_type_type)); 5768 return (EINVAL); 5769 } 5770 /* 5771 * Allocate storage for NAT-T config. 5772 * On error it will be released by key_cleansav(). 5773 */ 5774 sav->natt = malloc(sizeof(struct secnatt), M_IPSEC_MISC, 5775 M_NOWAIT | M_ZERO); 5776 if (sav->natt == NULL) { 5777 PFKEYSTAT_INC(in_nomem); 5778 ipseclog((LOG_DEBUG, "%s: No more memory.\n", __func__)); 5779 return (ENOBUFS); 5780 } 5781 port = (struct sadb_x_nat_t_port *)mhp->ext[SADB_X_EXT_NAT_T_SPORT]; 5782 if (port->sadb_x_nat_t_port_port == 0) { 5783 ipseclog((LOG_DEBUG, "%s: invalid NAT-T sport specified.\n", 5784 __func__)); 5785 return (EINVAL); 5786 } 5787 sav->natt->sport = port->sadb_x_nat_t_port_port; 5788 port = (struct sadb_x_nat_t_port *)mhp->ext[SADB_X_EXT_NAT_T_DPORT]; 5789 if (port->sadb_x_nat_t_port_port == 0) { 5790 ipseclog((LOG_DEBUG, "%s: invalid NAT-T dport specified.\n", 5791 __func__)); 5792 return (EINVAL); 5793 } 5794 sav->natt->dport = port->sadb_x_nat_t_port_port; 5795 5796 /* 5797 * SADB_X_EXT_NAT_T_OAI and SADB_X_EXT_NAT_T_OAR are optional 5798 * and needed only for transport mode IPsec. 5799 * Usually NAT translates only one address, but it is possible, 5800 * that both addresses could be translated. 5801 * NOTE: Value of SADB_X_EXT_NAT_T_OAI is equal to SADB_X_EXT_NAT_T_OA. 5802 */ 5803 if (!SADB_CHECKHDR(mhp, SADB_X_EXT_NAT_T_OAI)) { 5804 if (SADB_CHECKLEN(mhp, SADB_X_EXT_NAT_T_OAI)) { 5805 ipseclog((LOG_DEBUG, 5806 "%s: invalid message: wrong header size.\n", 5807 __func__)); 5808 return (EINVAL); 5809 } 5810 oai = (struct sadb_address *)mhp->ext[SADB_X_EXT_NAT_T_OAI]; 5811 } else 5812 oai = NULL; 5813 if (!SADB_CHECKHDR(mhp, SADB_X_EXT_NAT_T_OAR)) { 5814 if (SADB_CHECKLEN(mhp, SADB_X_EXT_NAT_T_OAR)) { 5815 ipseclog((LOG_DEBUG, 5816 "%s: invalid message: wrong header size.\n", 5817 __func__)); 5818 return (EINVAL); 5819 } 5820 oar = (struct sadb_address *)mhp->ext[SADB_X_EXT_NAT_T_OAR]; 5821 } else 5822 oar = NULL; 5823 5824 /* Initialize addresses only for transport mode */ 5825 if (sav->sah->saidx.mode != IPSEC_MODE_TUNNEL) { 5826 cksum = 0; 5827 if (oai != NULL) { 5828 /* Currently we support only AF_INET */ 5829 sa = (struct sockaddr *)(oai + 1); 5830 if (sa->sa_family != AF_INET || 5831 sa->sa_len != sizeof(struct sockaddr_in)) { 5832 ipseclog((LOG_DEBUG, 5833 "%s: wrong NAT-OAi header.\n", 5834 __func__)); 5835 return (EINVAL); 5836 } 5837 /* Ignore address if it the same */ 5838 if (((struct sockaddr_in *)sa)->sin_addr.s_addr != 5839 sav->sah->saidx.src.sin.sin_addr.s_addr) { 5840 bcopy(sa, &sav->natt->oai.sa, sa->sa_len); 5841 sav->natt->flags |= IPSEC_NATT_F_OAI; 5842 /* Calculate checksum delta */ 5843 addr = sav->sah->saidx.src.sin.sin_addr.s_addr; 5844 cksum = in_addword(cksum, ~addr >> 16); 5845 cksum = in_addword(cksum, ~addr & 0xffff); 5846 addr = sav->natt->oai.sin.sin_addr.s_addr; 5847 cksum = in_addword(cksum, addr >> 16); 5848 cksum = in_addword(cksum, addr & 0xffff); 5849 } 5850 } 5851 if (oar != NULL) { 5852 /* Currently we support only AF_INET */ 5853 sa = (struct sockaddr *)(oar + 1); 5854 if (sa->sa_family != AF_INET || 5855 sa->sa_len != sizeof(struct sockaddr_in)) { 5856 ipseclog((LOG_DEBUG, 5857 "%s: wrong NAT-OAr header.\n", 5858 __func__)); 5859 return (EINVAL); 5860 } 5861 /* Ignore address if it the same */ 5862 if (((struct sockaddr_in *)sa)->sin_addr.s_addr != 5863 sav->sah->saidx.dst.sin.sin_addr.s_addr) { 5864 bcopy(sa, &sav->natt->oar.sa, sa->sa_len); 5865 sav->natt->flags |= IPSEC_NATT_F_OAR; 5866 /* Calculate checksum delta */ 5867 addr = sav->sah->saidx.dst.sin.sin_addr.s_addr; 5868 cksum = in_addword(cksum, ~addr >> 16); 5869 cksum = in_addword(cksum, ~addr & 0xffff); 5870 addr = sav->natt->oar.sin.sin_addr.s_addr; 5871 cksum = in_addword(cksum, addr >> 16); 5872 cksum = in_addword(cksum, addr & 0xffff); 5873 } 5874 } 5875 sav->natt->cksum = cksum; 5876 } 5877 return (0); 5878 } 5879 5880 static int 5881 key_setident(struct secashead *sah, const struct sadb_msghdr *mhp) 5882 { 5883 const struct sadb_ident *idsrc, *iddst; 5884 5885 IPSEC_ASSERT(sah != NULL, ("null secashead")); 5886 IPSEC_ASSERT(mhp != NULL, ("null msghdr")); 5887 IPSEC_ASSERT(mhp->msg != NULL, ("null msg")); 5888 5889 /* don't make buffer if not there */ 5890 if (SADB_CHECKHDR(mhp, SADB_EXT_IDENTITY_SRC) && 5891 SADB_CHECKHDR(mhp, SADB_EXT_IDENTITY_DST)) { 5892 sah->idents = NULL; 5893 sah->identd = NULL; 5894 return (0); 5895 } 5896 5897 if (SADB_CHECKHDR(mhp, SADB_EXT_IDENTITY_SRC) || 5898 SADB_CHECKHDR(mhp, SADB_EXT_IDENTITY_DST)) { 5899 ipseclog((LOG_DEBUG, "%s: invalid identity.\n", __func__)); 5900 return (EINVAL); 5901 } 5902 5903 idsrc = (const struct sadb_ident *)mhp->ext[SADB_EXT_IDENTITY_SRC]; 5904 iddst = (const struct sadb_ident *)mhp->ext[SADB_EXT_IDENTITY_DST]; 5905 5906 /* validity check */ 5907 if (idsrc->sadb_ident_type != iddst->sadb_ident_type) { 5908 ipseclog((LOG_DEBUG, "%s: ident type mismatch.\n", __func__)); 5909 return EINVAL; 5910 } 5911 5912 switch (idsrc->sadb_ident_type) { 5913 case SADB_IDENTTYPE_PREFIX: 5914 case SADB_IDENTTYPE_FQDN: 5915 case SADB_IDENTTYPE_USERFQDN: 5916 default: 5917 /* XXX do nothing */ 5918 sah->idents = NULL; 5919 sah->identd = NULL; 5920 return 0; 5921 } 5922 5923 /* make structure */ 5924 sah->idents = malloc(sizeof(struct secident), M_IPSEC_MISC, M_NOWAIT); 5925 if (sah->idents == NULL) { 5926 ipseclog((LOG_DEBUG, "%s: No more memory.\n", __func__)); 5927 return ENOBUFS; 5928 } 5929 sah->identd = malloc(sizeof(struct secident), M_IPSEC_MISC, M_NOWAIT); 5930 if (sah->identd == NULL) { 5931 free(sah->idents, M_IPSEC_MISC); 5932 sah->idents = NULL; 5933 ipseclog((LOG_DEBUG, "%s: No more memory.\n", __func__)); 5934 return ENOBUFS; 5935 } 5936 sah->idents->type = idsrc->sadb_ident_type; 5937 sah->idents->id = idsrc->sadb_ident_id; 5938 5939 sah->identd->type = iddst->sadb_ident_type; 5940 sah->identd->id = iddst->sadb_ident_id; 5941 5942 return 0; 5943 } 5944 5945 /* 5946 * m will not be freed on return. 5947 * it is caller's responsibility to free the result. 5948 * 5949 * Called from SADB_ADD and SADB_UPDATE. Reply will contain headers 5950 * from the request in defined order. 5951 */ 5952 static struct mbuf * 5953 key_getmsgbuf_x1(struct mbuf *m, const struct sadb_msghdr *mhp) 5954 { 5955 struct mbuf *n; 5956 5957 IPSEC_ASSERT(m != NULL, ("null mbuf")); 5958 IPSEC_ASSERT(mhp != NULL, ("null msghdr")); 5959 IPSEC_ASSERT(mhp->msg != NULL, ("null msg")); 5960 5961 /* create new sadb_msg to reply. */ 5962 n = key_gather_mbuf(m, mhp, 1, 16, SADB_EXT_RESERVED, 5963 SADB_EXT_SA, SADB_X_EXT_SA2, 5964 SADB_EXT_ADDRESS_SRC, SADB_EXT_ADDRESS_DST, 5965 SADB_EXT_LIFETIME_HARD, SADB_EXT_LIFETIME_SOFT, 5966 SADB_EXT_IDENTITY_SRC, SADB_EXT_IDENTITY_DST, 5967 SADB_X_EXT_NAT_T_TYPE, SADB_X_EXT_NAT_T_SPORT, 5968 SADB_X_EXT_NAT_T_DPORT, SADB_X_EXT_NAT_T_OAI, 5969 SADB_X_EXT_NAT_T_OAR, SADB_X_EXT_NEW_ADDRESS_SRC, 5970 SADB_X_EXT_NEW_ADDRESS_DST); 5971 if (!n) 5972 return NULL; 5973 5974 if (n->m_len < sizeof(struct sadb_msg)) { 5975 n = m_pullup(n, sizeof(struct sadb_msg)); 5976 if (n == NULL) 5977 return NULL; 5978 } 5979 mtod(n, struct sadb_msg *)->sadb_msg_errno = 0; 5980 mtod(n, struct sadb_msg *)->sadb_msg_len = 5981 PFKEY_UNIT64(n->m_pkthdr.len); 5982 5983 return n; 5984 } 5985 5986 /* 5987 * SADB_DELETE processing 5988 * receive 5989 * <base, SA(*), address(SD)> 5990 * from the ikmpd, and set SADB_SASTATE_DEAD, 5991 * and send, 5992 * <base, SA(*), address(SD)> 5993 * to the ikmpd. 5994 * 5995 * m will always be freed. 5996 */ 5997 static int 5998 key_delete(struct socket *so, struct mbuf *m, const struct sadb_msghdr *mhp) 5999 { 6000 struct secasindex saidx; 6001 struct sadb_address *src0, *dst0; 6002 struct secasvar *sav; 6003 struct sadb_sa *sa0; 6004 uint8_t proto; 6005 6006 IPSEC_ASSERT(so != NULL, ("null socket")); 6007 IPSEC_ASSERT(m != NULL, ("null mbuf")); 6008 IPSEC_ASSERT(mhp != NULL, ("null msghdr")); 6009 IPSEC_ASSERT(mhp->msg != NULL, ("null msg")); 6010 6011 /* map satype to proto */ 6012 if ((proto = key_satype2proto(mhp->msg->sadb_msg_satype)) == 0) { 6013 ipseclog((LOG_DEBUG, "%s: invalid satype is passed.\n", 6014 __func__)); 6015 return key_senderror(so, m, EINVAL); 6016 } 6017 6018 if (SADB_CHECKHDR(mhp, SADB_EXT_ADDRESS_SRC) || 6019 SADB_CHECKHDR(mhp, SADB_EXT_ADDRESS_DST) || 6020 SADB_CHECKLEN(mhp, SADB_EXT_ADDRESS_SRC) || 6021 SADB_CHECKLEN(mhp, SADB_EXT_ADDRESS_DST)) { 6022 ipseclog((LOG_DEBUG, "%s: invalid message is passed.\n", 6023 __func__)); 6024 return key_senderror(so, m, EINVAL); 6025 } 6026 6027 src0 = (struct sadb_address *)(mhp->ext[SADB_EXT_ADDRESS_SRC]); 6028 dst0 = (struct sadb_address *)(mhp->ext[SADB_EXT_ADDRESS_DST]); 6029 6030 if (key_checksockaddrs((struct sockaddr *)(src0 + 1), 6031 (struct sockaddr *)(dst0 + 1)) != 0) { 6032 ipseclog((LOG_DEBUG, "%s: invalid sockaddr.\n", __func__)); 6033 return (key_senderror(so, m, EINVAL)); 6034 } 6035 KEY_SETSECASIDX(proto, IPSEC_MODE_ANY, 0, src0 + 1, dst0 + 1, &saidx); 6036 if (SADB_CHECKHDR(mhp, SADB_EXT_SA)) { 6037 /* 6038 * Caller wants us to delete all non-LARVAL SAs 6039 * that match the src/dst. This is used during 6040 * IKE INITIAL-CONTACT. 6041 * XXXAE: this looks like some extension to RFC2367. 6042 */ 6043 ipseclog((LOG_DEBUG, "%s: doing delete all.\n", __func__)); 6044 return (key_delete_all(so, m, mhp, &saidx)); 6045 } 6046 if (SADB_CHECKLEN(mhp, SADB_EXT_SA)) { 6047 ipseclog((LOG_DEBUG, 6048 "%s: invalid message: wrong header size.\n", __func__)); 6049 return (key_senderror(so, m, EINVAL)); 6050 } 6051 sa0 = (struct sadb_sa *)mhp->ext[SADB_EXT_SA]; 6052 SPI_ALLOC_LOCK(); 6053 if (proto == IPPROTO_TCP) 6054 sav = key_getsav_tcpmd5(&saidx, NULL); 6055 else 6056 sav = key_getsavbyspi(sa0->sadb_sa_spi); 6057 SPI_ALLOC_UNLOCK(); 6058 if (sav == NULL) { 6059 ipseclog((LOG_DEBUG, "%s: no SA found for SPI %u.\n", 6060 __func__, ntohl(sa0->sadb_sa_spi))); 6061 return (key_senderror(so, m, ESRCH)); 6062 } 6063 if (key_cmpsaidx(&sav->sah->saidx, &saidx, CMP_HEAD) == 0) { 6064 ipseclog((LOG_DEBUG, "%s: saidx mismatched for SPI %u.\n", 6065 __func__, ntohl(sav->spi))); 6066 key_freesav(&sav); 6067 return (key_senderror(so, m, ESRCH)); 6068 } 6069 KEYDBG(KEY_STAMP, 6070 printf("%s: SA(%p)\n", __func__, sav)); 6071 KEYDBG(KEY_DATA, kdebug_secasv(sav)); 6072 key_unlinksav(sav); 6073 key_freesav(&sav); 6074 6075 { 6076 struct mbuf *n; 6077 struct sadb_msg *newmsg; 6078 6079 /* create new sadb_msg to reply. */ 6080 n = key_gather_mbuf(m, mhp, 1, 4, SADB_EXT_RESERVED, 6081 SADB_EXT_SA, SADB_EXT_ADDRESS_SRC, SADB_EXT_ADDRESS_DST); 6082 if (!n) 6083 return key_senderror(so, m, ENOBUFS); 6084 6085 if (n->m_len < sizeof(struct sadb_msg)) { 6086 n = m_pullup(n, sizeof(struct sadb_msg)); 6087 if (n == NULL) 6088 return key_senderror(so, m, ENOBUFS); 6089 } 6090 newmsg = mtod(n, struct sadb_msg *); 6091 newmsg->sadb_msg_errno = 0; 6092 newmsg->sadb_msg_len = PFKEY_UNIT64(n->m_pkthdr.len); 6093 6094 m_freem(m); 6095 return key_sendup_mbuf(so, n, KEY_SENDUP_ALL); 6096 } 6097 } 6098 6099 /* 6100 * delete all SAs for src/dst. Called from key_delete(). 6101 */ 6102 static int 6103 key_delete_all(struct socket *so, struct mbuf *m, 6104 const struct sadb_msghdr *mhp, struct secasindex *saidx) 6105 { 6106 struct secasvar_queue drainq; 6107 struct secashead *sah; 6108 struct secasvar *sav, *nextsav; 6109 6110 TAILQ_INIT(&drainq); 6111 SAHTREE_WLOCK(); 6112 LIST_FOREACH(sah, SAHADDRHASH_HASH(saidx), addrhash) { 6113 if (key_cmpsaidx(&sah->saidx, saidx, CMP_HEAD) == 0) 6114 continue; 6115 /* Move all ALIVE SAs into drainq */ 6116 TAILQ_CONCAT(&drainq, &sah->savtree_alive, chain); 6117 } 6118 /* Unlink all queued SAs from SPI hash */ 6119 TAILQ_FOREACH(sav, &drainq, chain) { 6120 sav->state = SADB_SASTATE_DEAD; 6121 LIST_REMOVE(sav, spihash); 6122 } 6123 SAHTREE_WUNLOCK(); 6124 /* Now we can release reference for all SAs in drainq */ 6125 sav = TAILQ_FIRST(&drainq); 6126 while (sav != NULL) { 6127 KEYDBG(KEY_STAMP, 6128 printf("%s: SA(%p)\n", __func__, sav)); 6129 KEYDBG(KEY_DATA, kdebug_secasv(sav)); 6130 nextsav = TAILQ_NEXT(sav, chain); 6131 key_freesah(&sav->sah); /* release reference from SAV */ 6132 key_freesav(&sav); /* release last reference */ 6133 sav = nextsav; 6134 } 6135 6136 { 6137 struct mbuf *n; 6138 struct sadb_msg *newmsg; 6139 6140 /* create new sadb_msg to reply. */ 6141 n = key_gather_mbuf(m, mhp, 1, 3, SADB_EXT_RESERVED, 6142 SADB_EXT_ADDRESS_SRC, SADB_EXT_ADDRESS_DST); 6143 if (!n) 6144 return key_senderror(so, m, ENOBUFS); 6145 6146 if (n->m_len < sizeof(struct sadb_msg)) { 6147 n = m_pullup(n, sizeof(struct sadb_msg)); 6148 if (n == NULL) 6149 return key_senderror(so, m, ENOBUFS); 6150 } 6151 newmsg = mtod(n, struct sadb_msg *); 6152 newmsg->sadb_msg_errno = 0; 6153 newmsg->sadb_msg_len = PFKEY_UNIT64(n->m_pkthdr.len); 6154 6155 m_freem(m); 6156 return key_sendup_mbuf(so, n, KEY_SENDUP_ALL); 6157 } 6158 } 6159 6160 /* 6161 * Delete all alive SAs for corresponding xform. 6162 * Larval SAs have not initialized tdb_xform, so it is safe to leave them 6163 * here when xform disappears. 6164 */ 6165 void 6166 key_delete_xform(const struct xformsw *xsp) 6167 { 6168 struct secasvar_queue drainq; 6169 struct secashead *sah; 6170 struct secasvar *sav, *nextsav; 6171 6172 TAILQ_INIT(&drainq); 6173 SAHTREE_WLOCK(); 6174 TAILQ_FOREACH(sah, &V_sahtree, chain) { 6175 sav = TAILQ_FIRST(&sah->savtree_alive); 6176 if (sav == NULL) 6177 continue; 6178 if (sav->tdb_xform != xsp) 6179 continue; 6180 /* 6181 * It is supposed that all SAs in the chain are related to 6182 * one xform. 6183 */ 6184 TAILQ_CONCAT(&drainq, &sah->savtree_alive, chain); 6185 } 6186 /* Unlink all queued SAs from SPI hash */ 6187 TAILQ_FOREACH(sav, &drainq, chain) { 6188 sav->state = SADB_SASTATE_DEAD; 6189 LIST_REMOVE(sav, spihash); 6190 } 6191 SAHTREE_WUNLOCK(); 6192 6193 /* Now we can release reference for all SAs in drainq */ 6194 sav = TAILQ_FIRST(&drainq); 6195 while (sav != NULL) { 6196 KEYDBG(KEY_STAMP, 6197 printf("%s: SA(%p)\n", __func__, sav)); 6198 KEYDBG(KEY_DATA, kdebug_secasv(sav)); 6199 nextsav = TAILQ_NEXT(sav, chain); 6200 key_freesah(&sav->sah); /* release reference from SAV */ 6201 key_freesav(&sav); /* release last reference */ 6202 sav = nextsav; 6203 } 6204 } 6205 6206 /* 6207 * SADB_GET processing 6208 * receive 6209 * <base, SA(*), address(SD)> 6210 * from the ikmpd, and get a SP and a SA to respond, 6211 * and send, 6212 * <base, SA, (lifetime(HSC),) address(SD), (address(P),) key(AE), 6213 * (identity(SD),) (sensitivity)> 6214 * to the ikmpd. 6215 * 6216 * m will always be freed. 6217 */ 6218 static int 6219 key_get(struct socket *so, struct mbuf *m, const struct sadb_msghdr *mhp) 6220 { 6221 struct secasindex saidx; 6222 struct sadb_address *src0, *dst0; 6223 struct sadb_sa *sa0; 6224 struct secasvar *sav; 6225 uint8_t proto; 6226 6227 IPSEC_ASSERT(so != NULL, ("null socket")); 6228 IPSEC_ASSERT(m != NULL, ("null mbuf")); 6229 IPSEC_ASSERT(mhp != NULL, ("null msghdr")); 6230 IPSEC_ASSERT(mhp->msg != NULL, ("null msg")); 6231 6232 /* map satype to proto */ 6233 if ((proto = key_satype2proto(mhp->msg->sadb_msg_satype)) == 0) { 6234 ipseclog((LOG_DEBUG, "%s: invalid satype is passed.\n", 6235 __func__)); 6236 return key_senderror(so, m, EINVAL); 6237 } 6238 6239 if (SADB_CHECKHDR(mhp, SADB_EXT_SA) || 6240 SADB_CHECKHDR(mhp, SADB_EXT_ADDRESS_SRC) || 6241 SADB_CHECKHDR(mhp, SADB_EXT_ADDRESS_DST)) { 6242 ipseclog((LOG_DEBUG, 6243 "%s: invalid message: missing required header.\n", 6244 __func__)); 6245 return key_senderror(so, m, EINVAL); 6246 } 6247 if (SADB_CHECKLEN(mhp, SADB_EXT_SA) || 6248 SADB_CHECKLEN(mhp, SADB_EXT_ADDRESS_SRC) || 6249 SADB_CHECKLEN(mhp, SADB_EXT_ADDRESS_DST)) { 6250 ipseclog((LOG_DEBUG, 6251 "%s: invalid message: wrong header size.\n", __func__)); 6252 return key_senderror(so, m, EINVAL); 6253 } 6254 6255 sa0 = (struct sadb_sa *)mhp->ext[SADB_EXT_SA]; 6256 src0 = (struct sadb_address *)mhp->ext[SADB_EXT_ADDRESS_SRC]; 6257 dst0 = (struct sadb_address *)mhp->ext[SADB_EXT_ADDRESS_DST]; 6258 6259 if (key_checksockaddrs((struct sockaddr *)(src0 + 1), 6260 (struct sockaddr *)(dst0 + 1)) != 0) { 6261 ipseclog((LOG_DEBUG, "%s: invalid sockaddr.\n", __func__)); 6262 return key_senderror(so, m, EINVAL); 6263 } 6264 KEY_SETSECASIDX(proto, IPSEC_MODE_ANY, 0, src0 + 1, dst0 + 1, &saidx); 6265 6266 SPI_ALLOC_LOCK(); 6267 if (proto == IPPROTO_TCP) 6268 sav = key_getsav_tcpmd5(&saidx, NULL); 6269 else 6270 sav = key_getsavbyspi(sa0->sadb_sa_spi); 6271 SPI_ALLOC_UNLOCK(); 6272 if (sav == NULL) { 6273 ipseclog((LOG_DEBUG, "%s: no SA found.\n", __func__)); 6274 return key_senderror(so, m, ESRCH); 6275 } 6276 if (key_cmpsaidx(&sav->sah->saidx, &saidx, CMP_HEAD) == 0) { 6277 ipseclog((LOG_DEBUG, "%s: saidx mismatched for SPI %u.\n", 6278 __func__, ntohl(sa0->sadb_sa_spi))); 6279 key_freesav(&sav); 6280 return (key_senderror(so, m, ESRCH)); 6281 } 6282 6283 { 6284 struct mbuf *n; 6285 uint8_t satype; 6286 6287 /* map proto to satype */ 6288 if ((satype = key_proto2satype(sav->sah->saidx.proto)) == 0) { 6289 ipseclog((LOG_DEBUG, "%s: there was invalid proto in SAD.\n", 6290 __func__)); 6291 key_freesav(&sav); 6292 return key_senderror(so, m, EINVAL); 6293 } 6294 6295 /* create new sadb_msg to reply. */ 6296 n = key_setdumpsa(sav, SADB_GET, satype, mhp->msg->sadb_msg_seq, 6297 mhp->msg->sadb_msg_pid); 6298 6299 key_freesav(&sav); 6300 if (!n) 6301 return key_senderror(so, m, ENOBUFS); 6302 6303 m_freem(m); 6304 return key_sendup_mbuf(so, n, KEY_SENDUP_ONE); 6305 } 6306 } 6307 6308 /* XXX make it sysctl-configurable? */ 6309 static void 6310 key_getcomb_setlifetime(struct sadb_comb *comb) 6311 { 6312 6313 comb->sadb_comb_soft_allocations = 1; 6314 comb->sadb_comb_hard_allocations = 1; 6315 comb->sadb_comb_soft_bytes = 0; 6316 comb->sadb_comb_hard_bytes = 0; 6317 comb->sadb_comb_hard_addtime = 86400; /* 1 day */ 6318 comb->sadb_comb_soft_addtime = comb->sadb_comb_soft_addtime * 80 / 100; 6319 comb->sadb_comb_soft_usetime = 28800; /* 8 hours */ 6320 comb->sadb_comb_hard_usetime = comb->sadb_comb_hard_usetime * 80 / 100; 6321 } 6322 6323 /* 6324 * XXX reorder combinations by preference 6325 * XXX no idea if the user wants ESP authentication or not 6326 */ 6327 static struct mbuf * 6328 key_getcomb_ealg(void) 6329 { 6330 struct sadb_comb *comb; 6331 const struct enc_xform *algo; 6332 struct mbuf *result = NULL, *m, *n; 6333 int encmin; 6334 int i, off, o; 6335 int totlen; 6336 const int l = PFKEY_ALIGN8(sizeof(struct sadb_comb)); 6337 6338 m = NULL; 6339 for (i = 1; i <= SADB_EALG_MAX; i++) { 6340 algo = enc_algorithm_lookup(i); 6341 if (algo == NULL) 6342 continue; 6343 6344 /* discard algorithms with key size smaller than system min */ 6345 if (_BITS(algo->maxkey) < V_ipsec_esp_keymin) 6346 continue; 6347 if (_BITS(algo->minkey) < V_ipsec_esp_keymin) 6348 encmin = V_ipsec_esp_keymin; 6349 else 6350 encmin = _BITS(algo->minkey); 6351 6352 if (V_ipsec_esp_auth) 6353 m = key_getcomb_ah(); 6354 else { 6355 IPSEC_ASSERT(l <= MLEN, 6356 ("l=%u > MLEN=%lu", l, (u_long) MLEN)); 6357 MGET(m, M_NOWAIT, MT_DATA); 6358 if (m) { 6359 M_ALIGN(m, l); 6360 m->m_len = l; 6361 m->m_next = NULL; 6362 bzero(mtod(m, caddr_t), m->m_len); 6363 } 6364 } 6365 if (!m) 6366 goto fail; 6367 6368 totlen = 0; 6369 for (n = m; n; n = n->m_next) 6370 totlen += n->m_len; 6371 IPSEC_ASSERT((totlen % l) == 0, ("totlen=%u, l=%u", totlen, l)); 6372 6373 for (off = 0; off < totlen; off += l) { 6374 n = m_pulldown(m, off, l, &o); 6375 if (!n) { 6376 /* m is already freed */ 6377 goto fail; 6378 } 6379 comb = (struct sadb_comb *)(mtod(n, caddr_t) + o); 6380 bzero(comb, sizeof(*comb)); 6381 key_getcomb_setlifetime(comb); 6382 comb->sadb_comb_encrypt = i; 6383 comb->sadb_comb_encrypt_minbits = encmin; 6384 comb->sadb_comb_encrypt_maxbits = _BITS(algo->maxkey); 6385 } 6386 6387 if (!result) 6388 result = m; 6389 else 6390 m_cat(result, m); 6391 } 6392 6393 return result; 6394 6395 fail: 6396 if (result) 6397 m_freem(result); 6398 return NULL; 6399 } 6400 6401 static void 6402 key_getsizes_ah(const struct auth_hash *ah, int alg, u_int16_t* min, 6403 u_int16_t* max) 6404 { 6405 6406 *min = *max = ah->hashsize; 6407 if (ah->keysize == 0) { 6408 /* 6409 * Transform takes arbitrary key size but algorithm 6410 * key size is restricted. Enforce this here. 6411 */ 6412 switch (alg) { 6413 case SADB_X_AALG_NULL: *min = 1; *max = 256; break; 6414 case SADB_X_AALG_SHA2_256: *min = *max = 32; break; 6415 case SADB_X_AALG_SHA2_384: *min = *max = 48; break; 6416 case SADB_X_AALG_SHA2_512: *min = *max = 64; break; 6417 default: 6418 DPRINTF(("%s: unknown AH algorithm %u\n", 6419 __func__, alg)); 6420 break; 6421 } 6422 } 6423 } 6424 6425 /* 6426 * XXX reorder combinations by preference 6427 */ 6428 static struct mbuf * 6429 key_getcomb_ah(void) 6430 { 6431 const struct auth_hash *algo; 6432 struct sadb_comb *comb; 6433 struct mbuf *m; 6434 u_int16_t minkeysize, maxkeysize; 6435 int i; 6436 const int l = PFKEY_ALIGN8(sizeof(struct sadb_comb)); 6437 6438 m = NULL; 6439 for (i = 1; i <= SADB_AALG_MAX; i++) { 6440 #if 1 6441 /* we prefer HMAC algorithms, not old algorithms */ 6442 if (i != SADB_AALG_SHA1HMAC && 6443 i != SADB_X_AALG_SHA2_256 && 6444 i != SADB_X_AALG_SHA2_384 && 6445 i != SADB_X_AALG_SHA2_512) 6446 continue; 6447 #endif 6448 algo = auth_algorithm_lookup(i); 6449 if (!algo) 6450 continue; 6451 key_getsizes_ah(algo, i, &minkeysize, &maxkeysize); 6452 /* discard algorithms with key size smaller than system min */ 6453 if (_BITS(minkeysize) < V_ipsec_ah_keymin) 6454 continue; 6455 6456 if (!m) { 6457 IPSEC_ASSERT(l <= MLEN, 6458 ("l=%u > MLEN=%lu", l, (u_long) MLEN)); 6459 MGET(m, M_NOWAIT, MT_DATA); 6460 if (m) { 6461 M_ALIGN(m, l); 6462 m->m_len = l; 6463 m->m_next = NULL; 6464 } 6465 } else 6466 M_PREPEND(m, l, M_NOWAIT); 6467 if (!m) 6468 return NULL; 6469 6470 comb = mtod(m, struct sadb_comb *); 6471 bzero(comb, sizeof(*comb)); 6472 key_getcomb_setlifetime(comb); 6473 comb->sadb_comb_auth = i; 6474 comb->sadb_comb_auth_minbits = _BITS(minkeysize); 6475 comb->sadb_comb_auth_maxbits = _BITS(maxkeysize); 6476 } 6477 6478 return m; 6479 } 6480 6481 /* 6482 * not really an official behavior. discussed in pf_key@inner.net in Sep2000. 6483 * XXX reorder combinations by preference 6484 */ 6485 static struct mbuf * 6486 key_getcomb_ipcomp(void) 6487 { 6488 const struct comp_algo *algo; 6489 struct sadb_comb *comb; 6490 struct mbuf *m; 6491 int i; 6492 const int l = PFKEY_ALIGN8(sizeof(struct sadb_comb)); 6493 6494 m = NULL; 6495 for (i = 1; i <= SADB_X_CALG_MAX; i++) { 6496 algo = comp_algorithm_lookup(i); 6497 if (!algo) 6498 continue; 6499 6500 if (!m) { 6501 IPSEC_ASSERT(l <= MLEN, 6502 ("l=%u > MLEN=%lu", l, (u_long) MLEN)); 6503 MGET(m, M_NOWAIT, MT_DATA); 6504 if (m) { 6505 M_ALIGN(m, l); 6506 m->m_len = l; 6507 m->m_next = NULL; 6508 } 6509 } else 6510 M_PREPEND(m, l, M_NOWAIT); 6511 if (!m) 6512 return NULL; 6513 6514 comb = mtod(m, struct sadb_comb *); 6515 bzero(comb, sizeof(*comb)); 6516 key_getcomb_setlifetime(comb); 6517 comb->sadb_comb_encrypt = i; 6518 /* what should we set into sadb_comb_*_{min,max}bits? */ 6519 } 6520 6521 return m; 6522 } 6523 6524 /* 6525 * XXX no way to pass mode (transport/tunnel) to userland 6526 * XXX replay checking? 6527 * XXX sysctl interface to ipsec_{ah,esp}_keymin 6528 */ 6529 static struct mbuf * 6530 key_getprop(const struct secasindex *saidx) 6531 { 6532 struct sadb_prop *prop; 6533 struct mbuf *m, *n; 6534 const int l = PFKEY_ALIGN8(sizeof(struct sadb_prop)); 6535 int totlen; 6536 6537 switch (saidx->proto) { 6538 case IPPROTO_ESP: 6539 m = key_getcomb_ealg(); 6540 break; 6541 case IPPROTO_AH: 6542 m = key_getcomb_ah(); 6543 break; 6544 case IPPROTO_IPCOMP: 6545 m = key_getcomb_ipcomp(); 6546 break; 6547 default: 6548 return NULL; 6549 } 6550 6551 if (!m) 6552 return NULL; 6553 M_PREPEND(m, l, M_NOWAIT); 6554 if (!m) 6555 return NULL; 6556 6557 totlen = 0; 6558 for (n = m; n; n = n->m_next) 6559 totlen += n->m_len; 6560 6561 prop = mtod(m, struct sadb_prop *); 6562 bzero(prop, sizeof(*prop)); 6563 prop->sadb_prop_len = PFKEY_UNIT64(totlen); 6564 prop->sadb_prop_exttype = SADB_EXT_PROPOSAL; 6565 prop->sadb_prop_replay = 32; /* XXX */ 6566 6567 return m; 6568 } 6569 6570 /* 6571 * SADB_ACQUIRE processing called by key_checkrequest() and key_acquire2(). 6572 * send 6573 * <base, SA, address(SD), (address(P)), x_policy, 6574 * (identity(SD),) (sensitivity,) proposal> 6575 * to KMD, and expect to receive 6576 * <base> with SADB_ACQUIRE if error occurred, 6577 * or 6578 * <base, src address, dst address, (SPI range)> with SADB_GETSPI 6579 * from KMD by PF_KEY. 6580 * 6581 * XXX x_policy is outside of RFC2367 (KAME extension). 6582 * XXX sensitivity is not supported. 6583 * XXX for ipcomp, RFC2367 does not define how to fill in proposal. 6584 * see comment for key_getcomb_ipcomp(). 6585 * 6586 * OUT: 6587 * 0 : succeed 6588 * others: error number 6589 */ 6590 static int 6591 key_acquire(const struct secasindex *saidx, struct secpolicy *sp) 6592 { 6593 union sockaddr_union addr; 6594 struct mbuf *result, *m; 6595 uint32_t seq; 6596 int error; 6597 uint16_t ul_proto; 6598 uint8_t mask, satype; 6599 6600 IPSEC_ASSERT(saidx != NULL, ("null saidx")); 6601 satype = key_proto2satype(saidx->proto); 6602 IPSEC_ASSERT(satype != 0, ("null satype, protocol %u", saidx->proto)); 6603 6604 error = -1; 6605 result = NULL; 6606 ul_proto = IPSEC_ULPROTO_ANY; 6607 6608 /* Get seq number to check whether sending message or not. */ 6609 seq = key_getacq(saidx, &error); 6610 if (seq == 0) 6611 return (error); 6612 6613 m = key_setsadbmsg(SADB_ACQUIRE, 0, satype, seq, 0, 0); 6614 if (!m) { 6615 error = ENOBUFS; 6616 goto fail; 6617 } 6618 result = m; 6619 6620 /* 6621 * set sadb_address for saidx's. 6622 * 6623 * Note that if sp is supplied, then we're being called from 6624 * key_allocsa_policy() and should supply port and protocol 6625 * information. 6626 * XXXAE: why only TCP and UDP? ICMP and SCTP looks applicable too. 6627 * XXXAE: probably we can handle this in the ipsec[46]_allocsa(). 6628 * XXXAE: it looks like we should save this info in the ACQ entry. 6629 */ 6630 if (sp != NULL && (sp->spidx.ul_proto == IPPROTO_TCP || 6631 sp->spidx.ul_proto == IPPROTO_UDP)) 6632 ul_proto = sp->spidx.ul_proto; 6633 6634 addr = saidx->src; 6635 mask = FULLMASK; 6636 if (ul_proto != IPSEC_ULPROTO_ANY) { 6637 switch (sp->spidx.src.sa.sa_family) { 6638 case AF_INET: 6639 if (sp->spidx.src.sin.sin_port != IPSEC_PORT_ANY) { 6640 addr.sin.sin_port = sp->spidx.src.sin.sin_port; 6641 mask = sp->spidx.prefs; 6642 } 6643 break; 6644 case AF_INET6: 6645 if (sp->spidx.src.sin6.sin6_port != IPSEC_PORT_ANY) { 6646 addr.sin6.sin6_port = 6647 sp->spidx.src.sin6.sin6_port; 6648 mask = sp->spidx.prefs; 6649 } 6650 break; 6651 default: 6652 break; 6653 } 6654 } 6655 m = key_setsadbaddr(SADB_EXT_ADDRESS_SRC, &addr.sa, mask, ul_proto); 6656 if (!m) { 6657 error = ENOBUFS; 6658 goto fail; 6659 } 6660 m_cat(result, m); 6661 6662 addr = saidx->dst; 6663 mask = FULLMASK; 6664 if (ul_proto != IPSEC_ULPROTO_ANY) { 6665 switch (sp->spidx.dst.sa.sa_family) { 6666 case AF_INET: 6667 if (sp->spidx.dst.sin.sin_port != IPSEC_PORT_ANY) { 6668 addr.sin.sin_port = sp->spidx.dst.sin.sin_port; 6669 mask = sp->spidx.prefd; 6670 } 6671 break; 6672 case AF_INET6: 6673 if (sp->spidx.dst.sin6.sin6_port != IPSEC_PORT_ANY) { 6674 addr.sin6.sin6_port = 6675 sp->spidx.dst.sin6.sin6_port; 6676 mask = sp->spidx.prefd; 6677 } 6678 break; 6679 default: 6680 break; 6681 } 6682 } 6683 m = key_setsadbaddr(SADB_EXT_ADDRESS_DST, &addr.sa, mask, ul_proto); 6684 if (!m) { 6685 error = ENOBUFS; 6686 goto fail; 6687 } 6688 m_cat(result, m); 6689 6690 /* XXX proxy address (optional) */ 6691 6692 /* 6693 * Set sadb_x_policy. This is KAME extension to RFC2367. 6694 */ 6695 if (sp != NULL) { 6696 m = key_setsadbxpolicy(sp->policy, sp->spidx.dir, sp->id, 6697 sp->priority); 6698 if (!m) { 6699 error = ENOBUFS; 6700 goto fail; 6701 } 6702 m_cat(result, m); 6703 } 6704 6705 /* 6706 * Set sadb_x_sa2 extension if saidx->reqid is not zero. 6707 * This is FreeBSD extension to RFC2367. 6708 */ 6709 if (saidx->reqid != 0) { 6710 m = key_setsadbxsa2(saidx->mode, 0, saidx->reqid); 6711 if (m == NULL) { 6712 error = ENOBUFS; 6713 goto fail; 6714 } 6715 m_cat(result, m); 6716 } 6717 /* XXX identity (optional) */ 6718 #if 0 6719 if (idexttype && fqdn) { 6720 /* create identity extension (FQDN) */ 6721 struct sadb_ident *id; 6722 int fqdnlen; 6723 6724 fqdnlen = strlen(fqdn) + 1; /* +1 for terminating-NUL */ 6725 id = (struct sadb_ident *)p; 6726 bzero(id, sizeof(*id) + PFKEY_ALIGN8(fqdnlen)); 6727 id->sadb_ident_len = PFKEY_UNIT64(sizeof(*id) + PFKEY_ALIGN8(fqdnlen)); 6728 id->sadb_ident_exttype = idexttype; 6729 id->sadb_ident_type = SADB_IDENTTYPE_FQDN; 6730 bcopy(fqdn, id + 1, fqdnlen); 6731 p += sizeof(struct sadb_ident) + PFKEY_ALIGN8(fqdnlen); 6732 } 6733 6734 if (idexttype) { 6735 /* create identity extension (USERFQDN) */ 6736 struct sadb_ident *id; 6737 int userfqdnlen; 6738 6739 if (userfqdn) { 6740 /* +1 for terminating-NUL */ 6741 userfqdnlen = strlen(userfqdn) + 1; 6742 } else 6743 userfqdnlen = 0; 6744 id = (struct sadb_ident *)p; 6745 bzero(id, sizeof(*id) + PFKEY_ALIGN8(userfqdnlen)); 6746 id->sadb_ident_len = PFKEY_UNIT64(sizeof(*id) + PFKEY_ALIGN8(userfqdnlen)); 6747 id->sadb_ident_exttype = idexttype; 6748 id->sadb_ident_type = SADB_IDENTTYPE_USERFQDN; 6749 /* XXX is it correct? */ 6750 if (curproc && curproc->p_cred) 6751 id->sadb_ident_id = curproc->p_cred->p_ruid; 6752 if (userfqdn && userfqdnlen) 6753 bcopy(userfqdn, id + 1, userfqdnlen); 6754 p += sizeof(struct sadb_ident) + PFKEY_ALIGN8(userfqdnlen); 6755 } 6756 #endif 6757 6758 /* XXX sensitivity (optional) */ 6759 6760 /* create proposal/combination extension */ 6761 m = key_getprop(saidx); 6762 #if 0 6763 /* 6764 * spec conformant: always attach proposal/combination extension, 6765 * the problem is that we have no way to attach it for ipcomp, 6766 * due to the way sadb_comb is declared in RFC2367. 6767 */ 6768 if (!m) { 6769 error = ENOBUFS; 6770 goto fail; 6771 } 6772 m_cat(result, m); 6773 #else 6774 /* 6775 * outside of spec; make proposal/combination extension optional. 6776 */ 6777 if (m) 6778 m_cat(result, m); 6779 #endif 6780 6781 if ((result->m_flags & M_PKTHDR) == 0) { 6782 error = EINVAL; 6783 goto fail; 6784 } 6785 6786 if (result->m_len < sizeof(struct sadb_msg)) { 6787 result = m_pullup(result, sizeof(struct sadb_msg)); 6788 if (result == NULL) { 6789 error = ENOBUFS; 6790 goto fail; 6791 } 6792 } 6793 6794 result->m_pkthdr.len = 0; 6795 for (m = result; m; m = m->m_next) 6796 result->m_pkthdr.len += m->m_len; 6797 6798 mtod(result, struct sadb_msg *)->sadb_msg_len = 6799 PFKEY_UNIT64(result->m_pkthdr.len); 6800 6801 KEYDBG(KEY_STAMP, 6802 printf("%s: SP(%p)\n", __func__, sp)); 6803 KEYDBG(KEY_DATA, kdebug_secasindex(saidx, NULL)); 6804 6805 return key_sendup_mbuf(NULL, result, KEY_SENDUP_REGISTERED); 6806 6807 fail: 6808 if (result) 6809 m_freem(result); 6810 return error; 6811 } 6812 6813 static uint32_t 6814 key_newacq(const struct secasindex *saidx, int *perror) 6815 { 6816 struct secacq *acq; 6817 uint32_t seq; 6818 6819 acq = malloc(sizeof(*acq), M_IPSEC_SAQ, M_NOWAIT | M_ZERO); 6820 if (acq == NULL) { 6821 ipseclog((LOG_DEBUG, "%s: No more memory.\n", __func__)); 6822 *perror = ENOBUFS; 6823 return (0); 6824 } 6825 6826 /* copy secindex */ 6827 bcopy(saidx, &acq->saidx, sizeof(acq->saidx)); 6828 acq->created = time_second; 6829 acq->count = 0; 6830 6831 /* add to acqtree */ 6832 ACQ_LOCK(); 6833 seq = acq->seq = (V_acq_seq == ~0 ? 1 : ++V_acq_seq); 6834 LIST_INSERT_HEAD(&V_acqtree, acq, chain); 6835 LIST_INSERT_HEAD(ACQADDRHASH_HASH(saidx), acq, addrhash); 6836 LIST_INSERT_HEAD(ACQSEQHASH_HASH(seq), acq, seqhash); 6837 ACQ_UNLOCK(); 6838 *perror = 0; 6839 return (seq); 6840 } 6841 6842 static uint32_t 6843 key_getacq(const struct secasindex *saidx, int *perror) 6844 { 6845 struct secacq *acq; 6846 uint32_t seq; 6847 6848 ACQ_LOCK(); 6849 LIST_FOREACH(acq, ACQADDRHASH_HASH(saidx), addrhash) { 6850 if (key_cmpsaidx(&acq->saidx, saidx, CMP_EXACTLY)) { 6851 if (acq->count > V_key_blockacq_count) { 6852 /* 6853 * Reset counter and send message. 6854 * Also reset created time to keep ACQ for 6855 * this saidx. 6856 */ 6857 acq->created = time_second; 6858 acq->count = 0; 6859 seq = acq->seq; 6860 } else { 6861 /* 6862 * Increment counter and do nothing. 6863 * We send SADB_ACQUIRE message only 6864 * for each V_key_blockacq_count packet. 6865 */ 6866 acq->count++; 6867 seq = 0; 6868 } 6869 break; 6870 } 6871 } 6872 ACQ_UNLOCK(); 6873 if (acq != NULL) { 6874 *perror = 0; 6875 return (seq); 6876 } 6877 /* allocate new entry */ 6878 return (key_newacq(saidx, perror)); 6879 } 6880 6881 static int 6882 key_acqreset(uint32_t seq) 6883 { 6884 struct secacq *acq; 6885 6886 ACQ_LOCK(); 6887 LIST_FOREACH(acq, ACQSEQHASH_HASH(seq), seqhash) { 6888 if (acq->seq == seq) { 6889 acq->count = 0; 6890 acq->created = time_second; 6891 break; 6892 } 6893 } 6894 ACQ_UNLOCK(); 6895 if (acq == NULL) 6896 return (ESRCH); 6897 return (0); 6898 } 6899 /* 6900 * Mark ACQ entry as stale to remove it in key_flush_acq(). 6901 * Called after successful SADB_GETSPI message. 6902 */ 6903 static int 6904 key_acqdone(const struct secasindex *saidx, uint32_t seq) 6905 { 6906 struct secacq *acq; 6907 6908 ACQ_LOCK(); 6909 LIST_FOREACH(acq, ACQSEQHASH_HASH(seq), seqhash) { 6910 if (acq->seq == seq) 6911 break; 6912 } 6913 if (acq != NULL) { 6914 if (key_cmpsaidx(&acq->saidx, saidx, CMP_EXACTLY) == 0) { 6915 ipseclog((LOG_DEBUG, 6916 "%s: Mismatched saidx for ACQ %u\n", __func__, seq)); 6917 acq = NULL; 6918 } else { 6919 acq->created = 0; 6920 } 6921 } else { 6922 ipseclog((LOG_DEBUG, 6923 "%s: ACQ %u is not found.\n", __func__, seq)); 6924 } 6925 ACQ_UNLOCK(); 6926 if (acq == NULL) 6927 return (ESRCH); 6928 return (0); 6929 } 6930 6931 static struct secspacq * 6932 key_newspacq(struct secpolicyindex *spidx) 6933 { 6934 struct secspacq *acq; 6935 6936 /* get new entry */ 6937 acq = malloc(sizeof(struct secspacq), M_IPSEC_SAQ, M_NOWAIT|M_ZERO); 6938 if (acq == NULL) { 6939 ipseclog((LOG_DEBUG, "%s: No more memory.\n", __func__)); 6940 return NULL; 6941 } 6942 6943 /* copy secindex */ 6944 bcopy(spidx, &acq->spidx, sizeof(acq->spidx)); 6945 acq->created = time_second; 6946 acq->count = 0; 6947 6948 /* add to spacqtree */ 6949 SPACQ_LOCK(); 6950 LIST_INSERT_HEAD(&V_spacqtree, acq, chain); 6951 SPACQ_UNLOCK(); 6952 6953 return acq; 6954 } 6955 6956 static struct secspacq * 6957 key_getspacq(struct secpolicyindex *spidx) 6958 { 6959 struct secspacq *acq; 6960 6961 SPACQ_LOCK(); 6962 LIST_FOREACH(acq, &V_spacqtree, chain) { 6963 if (key_cmpspidx_exactly(spidx, &acq->spidx)) { 6964 /* NB: return holding spacq_lock */ 6965 return acq; 6966 } 6967 } 6968 SPACQ_UNLOCK(); 6969 6970 return NULL; 6971 } 6972 6973 /* 6974 * SADB_ACQUIRE processing, 6975 * in first situation, is receiving 6976 * <base> 6977 * from the ikmpd, and clear sequence of its secasvar entry. 6978 * 6979 * In second situation, is receiving 6980 * <base, address(SD), (address(P),) (identity(SD),) (sensitivity,) proposal> 6981 * from a user land process, and return 6982 * <base, address(SD), (address(P),) (identity(SD),) (sensitivity,) proposal> 6983 * to the socket. 6984 * 6985 * m will always be freed. 6986 */ 6987 static int 6988 key_acquire2(struct socket *so, struct mbuf *m, const struct sadb_msghdr *mhp) 6989 { 6990 SAHTREE_RLOCK_TRACKER; 6991 struct sadb_address *src0, *dst0; 6992 struct secasindex saidx; 6993 struct secashead *sah; 6994 uint32_t reqid; 6995 int error; 6996 uint8_t mode, proto; 6997 6998 IPSEC_ASSERT(so != NULL, ("null socket")); 6999 IPSEC_ASSERT(m != NULL, ("null mbuf")); 7000 IPSEC_ASSERT(mhp != NULL, ("null msghdr")); 7001 IPSEC_ASSERT(mhp->msg != NULL, ("null msg")); 7002 7003 /* 7004 * Error message from KMd. 7005 * We assume that if error was occurred in IKEd, the length of PFKEY 7006 * message is equal to the size of sadb_msg structure. 7007 * We do not raise error even if error occurred in this function. 7008 */ 7009 if (mhp->msg->sadb_msg_len == PFKEY_UNIT64(sizeof(struct sadb_msg))) { 7010 /* check sequence number */ 7011 if (mhp->msg->sadb_msg_seq == 0 || 7012 mhp->msg->sadb_msg_errno == 0) { 7013 ipseclog((LOG_DEBUG, "%s: must specify sequence " 7014 "number and errno.\n", __func__)); 7015 } else { 7016 /* 7017 * IKEd reported that error occurred. 7018 * XXXAE: what it expects from the kernel? 7019 * Probably we should send SADB_ACQUIRE again? 7020 * If so, reset ACQ's state. 7021 * XXXAE: it looks useless. 7022 */ 7023 key_acqreset(mhp->msg->sadb_msg_seq); 7024 } 7025 m_freem(m); 7026 return (0); 7027 } 7028 7029 /* 7030 * This message is from user land. 7031 */ 7032 7033 /* map satype to proto */ 7034 if ((proto = key_satype2proto(mhp->msg->sadb_msg_satype)) == 0) { 7035 ipseclog((LOG_DEBUG, "%s: invalid satype is passed.\n", 7036 __func__)); 7037 return key_senderror(so, m, EINVAL); 7038 } 7039 7040 if (SADB_CHECKHDR(mhp, SADB_EXT_ADDRESS_SRC) || 7041 SADB_CHECKHDR(mhp, SADB_EXT_ADDRESS_DST) || 7042 SADB_CHECKHDR(mhp, SADB_EXT_PROPOSAL)) { 7043 ipseclog((LOG_DEBUG, 7044 "%s: invalid message: missing required header.\n", 7045 __func__)); 7046 return key_senderror(so, m, EINVAL); 7047 } 7048 if (SADB_CHECKLEN(mhp, SADB_EXT_ADDRESS_SRC) || 7049 SADB_CHECKLEN(mhp, SADB_EXT_ADDRESS_DST) || 7050 SADB_CHECKLEN(mhp, SADB_EXT_PROPOSAL)) { 7051 ipseclog((LOG_DEBUG, 7052 "%s: invalid message: wrong header size.\n", __func__)); 7053 return key_senderror(so, m, EINVAL); 7054 } 7055 7056 if (SADB_CHECKHDR(mhp, SADB_X_EXT_SA2)) { 7057 mode = IPSEC_MODE_ANY; 7058 reqid = 0; 7059 } else { 7060 if (SADB_CHECKLEN(mhp, SADB_X_EXT_SA2)) { 7061 ipseclog((LOG_DEBUG, 7062 "%s: invalid message: wrong header size.\n", 7063 __func__)); 7064 return key_senderror(so, m, EINVAL); 7065 } 7066 mode = ((struct sadb_x_sa2 *) 7067 mhp->ext[SADB_X_EXT_SA2])->sadb_x_sa2_mode; 7068 reqid = ((struct sadb_x_sa2 *) 7069 mhp->ext[SADB_X_EXT_SA2])->sadb_x_sa2_reqid; 7070 } 7071 7072 src0 = (struct sadb_address *)mhp->ext[SADB_EXT_ADDRESS_SRC]; 7073 dst0 = (struct sadb_address *)mhp->ext[SADB_EXT_ADDRESS_DST]; 7074 7075 error = key_checksockaddrs((struct sockaddr *)(src0 + 1), 7076 (struct sockaddr *)(dst0 + 1)); 7077 if (error != 0) { 7078 ipseclog((LOG_DEBUG, "%s: invalid sockaddr.\n", __func__)); 7079 return key_senderror(so, m, EINVAL); 7080 } 7081 KEY_SETSECASIDX(proto, mode, reqid, src0 + 1, dst0 + 1, &saidx); 7082 7083 /* get a SA index */ 7084 SAHTREE_RLOCK(); 7085 LIST_FOREACH(sah, SAHADDRHASH_HASH(&saidx), addrhash) { 7086 if (key_cmpsaidx(&sah->saidx, &saidx, CMP_MODE_REQID)) 7087 break; 7088 } 7089 SAHTREE_RUNLOCK(); 7090 if (sah != NULL) { 7091 ipseclog((LOG_DEBUG, "%s: a SA exists already.\n", __func__)); 7092 return key_senderror(so, m, EEXIST); 7093 } 7094 7095 error = key_acquire(&saidx, NULL); 7096 if (error != 0) { 7097 ipseclog((LOG_DEBUG, 7098 "%s: error %d returned from key_acquire()\n", 7099 __func__, error)); 7100 return key_senderror(so, m, error); 7101 } 7102 m_freem(m); 7103 return (0); 7104 } 7105 7106 /* 7107 * SADB_REGISTER processing. 7108 * If SATYPE_UNSPEC has been passed as satype, only return sabd_supported. 7109 * receive 7110 * <base> 7111 * from the ikmpd, and register a socket to send PF_KEY messages, 7112 * and send 7113 * <base, supported> 7114 * to KMD by PF_KEY. 7115 * If socket is detached, must free from regnode. 7116 * 7117 * m will always be freed. 7118 */ 7119 static int 7120 key_register(struct socket *so, struct mbuf *m, const struct sadb_msghdr *mhp) 7121 { 7122 struct secreg *reg, *newreg = NULL; 7123 7124 IPSEC_ASSERT(so != NULL, ("null socket")); 7125 IPSEC_ASSERT(m != NULL, ("null mbuf")); 7126 IPSEC_ASSERT(mhp != NULL, ("null msghdr")); 7127 IPSEC_ASSERT(mhp->msg != NULL, ("null msg")); 7128 7129 /* check for invalid register message */ 7130 if (mhp->msg->sadb_msg_satype >= sizeof(V_regtree)/sizeof(V_regtree[0])) 7131 return key_senderror(so, m, EINVAL); 7132 7133 /* When SATYPE_UNSPEC is specified, only return sabd_supported. */ 7134 if (mhp->msg->sadb_msg_satype == SADB_SATYPE_UNSPEC) 7135 goto setmsg; 7136 7137 /* check whether existing or not */ 7138 REGTREE_LOCK(); 7139 LIST_FOREACH(reg, &V_regtree[mhp->msg->sadb_msg_satype], chain) { 7140 if (reg->so == so) { 7141 REGTREE_UNLOCK(); 7142 ipseclog((LOG_DEBUG, "%s: socket exists already.\n", 7143 __func__)); 7144 return key_senderror(so, m, EEXIST); 7145 } 7146 } 7147 7148 /* create regnode */ 7149 newreg = malloc(sizeof(struct secreg), M_IPSEC_SAR, M_NOWAIT|M_ZERO); 7150 if (newreg == NULL) { 7151 REGTREE_UNLOCK(); 7152 ipseclog((LOG_DEBUG, "%s: No more memory.\n", __func__)); 7153 return key_senderror(so, m, ENOBUFS); 7154 } 7155 7156 newreg->so = so; 7157 ((struct keycb *)(so->so_pcb))->kp_registered++; 7158 7159 /* add regnode to regtree. */ 7160 LIST_INSERT_HEAD(&V_regtree[mhp->msg->sadb_msg_satype], newreg, chain); 7161 REGTREE_UNLOCK(); 7162 7163 setmsg: 7164 { 7165 struct mbuf *n; 7166 struct sadb_msg *newmsg; 7167 struct sadb_supported *sup; 7168 u_int len, alen, elen; 7169 int off; 7170 int i; 7171 struct sadb_alg *alg; 7172 7173 /* create new sadb_msg to reply. */ 7174 alen = 0; 7175 for (i = 1; i <= SADB_AALG_MAX; i++) { 7176 if (auth_algorithm_lookup(i)) 7177 alen += sizeof(struct sadb_alg); 7178 } 7179 if (alen) 7180 alen += sizeof(struct sadb_supported); 7181 elen = 0; 7182 for (i = 1; i <= SADB_EALG_MAX; i++) { 7183 if (enc_algorithm_lookup(i)) 7184 elen += sizeof(struct sadb_alg); 7185 } 7186 if (elen) 7187 elen += sizeof(struct sadb_supported); 7188 7189 len = sizeof(struct sadb_msg) + alen + elen; 7190 7191 if (len > MCLBYTES) 7192 return key_senderror(so, m, ENOBUFS); 7193 7194 MGETHDR(n, M_NOWAIT, MT_DATA); 7195 if (n != NULL && len > MHLEN) { 7196 if (!(MCLGET(n, M_NOWAIT))) { 7197 m_freem(n); 7198 n = NULL; 7199 } 7200 } 7201 if (!n) 7202 return key_senderror(so, m, ENOBUFS); 7203 7204 n->m_pkthdr.len = n->m_len = len; 7205 n->m_next = NULL; 7206 off = 0; 7207 7208 m_copydata(m, 0, sizeof(struct sadb_msg), mtod(n, caddr_t) + off); 7209 newmsg = mtod(n, struct sadb_msg *); 7210 newmsg->sadb_msg_errno = 0; 7211 newmsg->sadb_msg_len = PFKEY_UNIT64(len); 7212 off += PFKEY_ALIGN8(sizeof(struct sadb_msg)); 7213 7214 /* for authentication algorithm */ 7215 if (alen) { 7216 sup = (struct sadb_supported *)(mtod(n, caddr_t) + off); 7217 sup->sadb_supported_len = PFKEY_UNIT64(alen); 7218 sup->sadb_supported_exttype = SADB_EXT_SUPPORTED_AUTH; 7219 off += PFKEY_ALIGN8(sizeof(*sup)); 7220 7221 for (i = 1; i <= SADB_AALG_MAX; i++) { 7222 const struct auth_hash *aalgo; 7223 u_int16_t minkeysize, maxkeysize; 7224 7225 aalgo = auth_algorithm_lookup(i); 7226 if (!aalgo) 7227 continue; 7228 alg = (struct sadb_alg *)(mtod(n, caddr_t) + off); 7229 alg->sadb_alg_id = i; 7230 alg->sadb_alg_ivlen = 0; 7231 key_getsizes_ah(aalgo, i, &minkeysize, &maxkeysize); 7232 alg->sadb_alg_minbits = _BITS(minkeysize); 7233 alg->sadb_alg_maxbits = _BITS(maxkeysize); 7234 off += PFKEY_ALIGN8(sizeof(*alg)); 7235 } 7236 } 7237 7238 /* for encryption algorithm */ 7239 if (elen) { 7240 sup = (struct sadb_supported *)(mtod(n, caddr_t) + off); 7241 sup->sadb_supported_len = PFKEY_UNIT64(elen); 7242 sup->sadb_supported_exttype = SADB_EXT_SUPPORTED_ENCRYPT; 7243 off += PFKEY_ALIGN8(sizeof(*sup)); 7244 7245 for (i = 1; i <= SADB_EALG_MAX; i++) { 7246 const struct enc_xform *ealgo; 7247 7248 ealgo = enc_algorithm_lookup(i); 7249 if (!ealgo) 7250 continue; 7251 alg = (struct sadb_alg *)(mtod(n, caddr_t) + off); 7252 alg->sadb_alg_id = i; 7253 alg->sadb_alg_ivlen = ealgo->ivsize; 7254 alg->sadb_alg_minbits = _BITS(ealgo->minkey); 7255 alg->sadb_alg_maxbits = _BITS(ealgo->maxkey); 7256 off += PFKEY_ALIGN8(sizeof(struct sadb_alg)); 7257 } 7258 } 7259 7260 IPSEC_ASSERT(off == len, 7261 ("length assumption failed (off %u len %u)", off, len)); 7262 7263 m_freem(m); 7264 return key_sendup_mbuf(so, n, KEY_SENDUP_REGISTERED); 7265 } 7266 } 7267 7268 /* 7269 * free secreg entry registered. 7270 * XXX: I want to do free a socket marked done SADB_RESIGER to socket. 7271 */ 7272 void 7273 key_freereg(struct socket *so) 7274 { 7275 struct secreg *reg; 7276 int i; 7277 7278 IPSEC_ASSERT(so != NULL, ("NULL so")); 7279 7280 /* 7281 * check whether existing or not. 7282 * check all type of SA, because there is a potential that 7283 * one socket is registered to multiple type of SA. 7284 */ 7285 REGTREE_LOCK(); 7286 for (i = 0; i <= SADB_SATYPE_MAX; i++) { 7287 LIST_FOREACH(reg, &V_regtree[i], chain) { 7288 if (reg->so == so && __LIST_CHAINED(reg)) { 7289 LIST_REMOVE(reg, chain); 7290 free(reg, M_IPSEC_SAR); 7291 break; 7292 } 7293 } 7294 } 7295 REGTREE_UNLOCK(); 7296 } 7297 7298 /* 7299 * SADB_EXPIRE processing 7300 * send 7301 * <base, SA, SA2, lifetime(C and one of HS), address(SD)> 7302 * to KMD by PF_KEY. 7303 * NOTE: We send only soft lifetime extension. 7304 * 7305 * OUT: 0 : succeed 7306 * others : error number 7307 */ 7308 static int 7309 key_expire(struct secasvar *sav, int hard) 7310 { 7311 struct mbuf *result = NULL, *m; 7312 struct sadb_lifetime *lt; 7313 uint32_t replay_count; 7314 int error, len; 7315 uint8_t satype; 7316 7317 SECASVAR_RLOCK_TRACKER; 7318 7319 IPSEC_ASSERT (sav != NULL, ("null sav")); 7320 IPSEC_ASSERT (sav->sah != NULL, ("null sa header")); 7321 7322 KEYDBG(KEY_STAMP, 7323 printf("%s: SA(%p) expired %s lifetime\n", __func__, 7324 sav, hard ? "hard": "soft")); 7325 KEYDBG(KEY_DATA, kdebug_secasv(sav)); 7326 /* set msg header */ 7327 satype = key_proto2satype(sav->sah->saidx.proto); 7328 IPSEC_ASSERT(satype != 0, ("invalid proto, satype %u", satype)); 7329 m = key_setsadbmsg(SADB_EXPIRE, 0, satype, sav->seq, 0, sav->refcnt); 7330 if (!m) { 7331 error = ENOBUFS; 7332 goto fail; 7333 } 7334 result = m; 7335 7336 /* create SA extension */ 7337 m = key_setsadbsa(sav); 7338 if (!m) { 7339 error = ENOBUFS; 7340 goto fail; 7341 } 7342 m_cat(result, m); 7343 7344 /* create SA extension */ 7345 SECASVAR_RLOCK(sav); 7346 replay_count = sav->replay ? sav->replay->count : 0; 7347 SECASVAR_RUNLOCK(sav); 7348 7349 m = key_setsadbxsa2(sav->sah->saidx.mode, replay_count, 7350 sav->sah->saidx.reqid); 7351 if (!m) { 7352 error = ENOBUFS; 7353 goto fail; 7354 } 7355 m_cat(result, m); 7356 7357 if (sav->replay && sav->replay->wsize > UINT8_MAX) { 7358 m = key_setsadbxsareplay(sav->replay->wsize); 7359 if (!m) { 7360 error = ENOBUFS; 7361 goto fail; 7362 } 7363 m_cat(result, m); 7364 } 7365 7366 /* create lifetime extension (current and soft) */ 7367 len = PFKEY_ALIGN8(sizeof(*lt)) * 2; 7368 m = m_get2(len, M_NOWAIT, MT_DATA, 0); 7369 if (m == NULL) { 7370 error = ENOBUFS; 7371 goto fail; 7372 } 7373 m_align(m, len); 7374 m->m_len = len; 7375 bzero(mtod(m, caddr_t), len); 7376 lt = mtod(m, struct sadb_lifetime *); 7377 lt->sadb_lifetime_len = PFKEY_UNIT64(sizeof(struct sadb_lifetime)); 7378 lt->sadb_lifetime_exttype = SADB_EXT_LIFETIME_CURRENT; 7379 lt->sadb_lifetime_allocations = 7380 (uint32_t)counter_u64_fetch(sav->lft_c_allocations); 7381 lt->sadb_lifetime_bytes = 7382 counter_u64_fetch(sav->lft_c_bytes); 7383 lt->sadb_lifetime_addtime = sav->created; 7384 lt->sadb_lifetime_usetime = sav->firstused; 7385 lt = (struct sadb_lifetime *)(mtod(m, caddr_t) + len / 2); 7386 lt->sadb_lifetime_len = PFKEY_UNIT64(sizeof(struct sadb_lifetime)); 7387 if (hard) { 7388 lt->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD; 7389 lt->sadb_lifetime_allocations = sav->lft_h->allocations; 7390 lt->sadb_lifetime_bytes = sav->lft_h->bytes; 7391 lt->sadb_lifetime_addtime = sav->lft_h->addtime; 7392 lt->sadb_lifetime_usetime = sav->lft_h->usetime; 7393 } else { 7394 lt->sadb_lifetime_exttype = SADB_EXT_LIFETIME_SOFT; 7395 lt->sadb_lifetime_allocations = sav->lft_s->allocations; 7396 lt->sadb_lifetime_bytes = sav->lft_s->bytes; 7397 lt->sadb_lifetime_addtime = sav->lft_s->addtime; 7398 lt->sadb_lifetime_usetime = sav->lft_s->usetime; 7399 } 7400 m_cat(result, m); 7401 7402 /* set sadb_address for source */ 7403 m = key_setsadbaddr(SADB_EXT_ADDRESS_SRC, 7404 &sav->sah->saidx.src.sa, 7405 FULLMASK, IPSEC_ULPROTO_ANY); 7406 if (!m) { 7407 error = ENOBUFS; 7408 goto fail; 7409 } 7410 m_cat(result, m); 7411 7412 /* set sadb_address for destination */ 7413 m = key_setsadbaddr(SADB_EXT_ADDRESS_DST, 7414 &sav->sah->saidx.dst.sa, 7415 FULLMASK, IPSEC_ULPROTO_ANY); 7416 if (!m) { 7417 error = ENOBUFS; 7418 goto fail; 7419 } 7420 m_cat(result, m); 7421 7422 /* 7423 * XXX-BZ Handle NAT-T extensions here. 7424 * XXXAE: it doesn't seem quite useful. IKEs should not depend on 7425 * this information, we report only significant SA fields. 7426 */ 7427 7428 if ((result->m_flags & M_PKTHDR) == 0) { 7429 error = EINVAL; 7430 goto fail; 7431 } 7432 7433 if (result->m_len < sizeof(struct sadb_msg)) { 7434 result = m_pullup(result, sizeof(struct sadb_msg)); 7435 if (result == NULL) { 7436 error = ENOBUFS; 7437 goto fail; 7438 } 7439 } 7440 7441 result->m_pkthdr.len = 0; 7442 for (m = result; m; m = m->m_next) 7443 result->m_pkthdr.len += m->m_len; 7444 7445 mtod(result, struct sadb_msg *)->sadb_msg_len = 7446 PFKEY_UNIT64(result->m_pkthdr.len); 7447 7448 return key_sendup_mbuf(NULL, result, KEY_SENDUP_REGISTERED); 7449 7450 fail: 7451 if (result) 7452 m_freem(result); 7453 return error; 7454 } 7455 7456 static void 7457 key_freesah_flushed(struct secashead_queue *flushq) 7458 { 7459 struct secashead *sah, *nextsah; 7460 struct secasvar *sav, *nextsav; 7461 7462 sah = TAILQ_FIRST(flushq); 7463 while (sah != NULL) { 7464 sav = TAILQ_FIRST(&sah->savtree_larval); 7465 while (sav != NULL) { 7466 nextsav = TAILQ_NEXT(sav, chain); 7467 TAILQ_REMOVE(&sah->savtree_larval, sav, chain); 7468 key_freesav(&sav); /* release last reference */ 7469 key_freesah(&sah); /* release reference from SAV */ 7470 sav = nextsav; 7471 } 7472 sav = TAILQ_FIRST(&sah->savtree_alive); 7473 while (sav != NULL) { 7474 nextsav = TAILQ_NEXT(sav, chain); 7475 TAILQ_REMOVE(&sah->savtree_alive, sav, chain); 7476 key_freesav(&sav); /* release last reference */ 7477 key_freesah(&sah); /* release reference from SAV */ 7478 sav = nextsav; 7479 } 7480 nextsah = TAILQ_NEXT(sah, chain); 7481 key_freesah(&sah); /* release last reference */ 7482 sah = nextsah; 7483 } 7484 } 7485 7486 /* 7487 * SADB_FLUSH processing 7488 * receive 7489 * <base> 7490 * from the ikmpd, and free all entries in secastree. 7491 * and send, 7492 * <base> 7493 * to the ikmpd. 7494 * NOTE: to do is only marking SADB_SASTATE_DEAD. 7495 * 7496 * m will always be freed. 7497 */ 7498 static int 7499 key_flush(struct socket *so, struct mbuf *m, const struct sadb_msghdr *mhp) 7500 { 7501 struct secashead_queue flushq; 7502 struct sadb_msg *newmsg; 7503 struct secashead *sah, *nextsah; 7504 struct secasvar *sav; 7505 uint8_t proto; 7506 int i; 7507 7508 IPSEC_ASSERT(so != NULL, ("null socket")); 7509 IPSEC_ASSERT(mhp != NULL, ("null msghdr")); 7510 IPSEC_ASSERT(mhp->msg != NULL, ("null msg")); 7511 7512 /* map satype to proto */ 7513 if ((proto = key_satype2proto(mhp->msg->sadb_msg_satype)) == 0) { 7514 ipseclog((LOG_DEBUG, "%s: invalid satype is passed.\n", 7515 __func__)); 7516 return key_senderror(so, m, EINVAL); 7517 } 7518 KEYDBG(KEY_STAMP, 7519 printf("%s: proto %u\n", __func__, proto)); 7520 7521 TAILQ_INIT(&flushq); 7522 if (proto == IPSEC_PROTO_ANY) { 7523 /* no SATYPE specified, i.e. flushing all SA. */ 7524 SAHTREE_WLOCK(); 7525 /* Move all SAHs into flushq */ 7526 TAILQ_CONCAT(&flushq, &V_sahtree, chain); 7527 /* Flush all buckets in SPI hash */ 7528 for (i = 0; i < V_savhash_mask + 1; i++) 7529 LIST_INIT(&V_savhashtbl[i]); 7530 /* Flush all buckets in SAHADDRHASH */ 7531 for (i = 0; i < V_sahaddrhash_mask + 1; i++) 7532 LIST_INIT(&V_sahaddrhashtbl[i]); 7533 /* Mark all SAHs as unlinked */ 7534 TAILQ_FOREACH(sah, &flushq, chain) { 7535 sah->state = SADB_SASTATE_DEAD; 7536 /* 7537 * Callout handler makes its job using 7538 * RLOCK and drain queues. In case, when this 7539 * function will be called just before it 7540 * acquires WLOCK, we need to mark SAs as 7541 * unlinked to prevent second unlink. 7542 */ 7543 TAILQ_FOREACH(sav, &sah->savtree_larval, chain) { 7544 sav->state = SADB_SASTATE_DEAD; 7545 } 7546 TAILQ_FOREACH(sav, &sah->savtree_alive, chain) { 7547 sav->state = SADB_SASTATE_DEAD; 7548 } 7549 } 7550 SAHTREE_WUNLOCK(); 7551 } else { 7552 SAHTREE_WLOCK(); 7553 sah = TAILQ_FIRST(&V_sahtree); 7554 while (sah != NULL) { 7555 IPSEC_ASSERT(sah->state != SADB_SASTATE_DEAD, 7556 ("DEAD SAH %p in SADB_FLUSH", sah)); 7557 nextsah = TAILQ_NEXT(sah, chain); 7558 if (sah->saidx.proto != proto) { 7559 sah = nextsah; 7560 continue; 7561 } 7562 sah->state = SADB_SASTATE_DEAD; 7563 TAILQ_REMOVE(&V_sahtree, sah, chain); 7564 LIST_REMOVE(sah, addrhash); 7565 /* Unlink all SAs from SPI hash */ 7566 TAILQ_FOREACH(sav, &sah->savtree_larval, chain) { 7567 LIST_REMOVE(sav, spihash); 7568 sav->state = SADB_SASTATE_DEAD; 7569 } 7570 TAILQ_FOREACH(sav, &sah->savtree_alive, chain) { 7571 LIST_REMOVE(sav, spihash); 7572 sav->state = SADB_SASTATE_DEAD; 7573 } 7574 /* Add SAH into flushq */ 7575 TAILQ_INSERT_HEAD(&flushq, sah, chain); 7576 sah = nextsah; 7577 } 7578 SAHTREE_WUNLOCK(); 7579 } 7580 7581 key_freesah_flushed(&flushq); 7582 /* Free all queued SAs and SAHs */ 7583 if (m->m_len < sizeof(struct sadb_msg) || 7584 sizeof(struct sadb_msg) > m->m_len + M_TRAILINGSPACE(m)) { 7585 ipseclog((LOG_DEBUG, "%s: No more memory.\n", __func__)); 7586 return key_senderror(so, m, ENOBUFS); 7587 } 7588 7589 if (m->m_next) 7590 m_freem(m->m_next); 7591 m->m_next = NULL; 7592 m->m_pkthdr.len = m->m_len = sizeof(struct sadb_msg); 7593 newmsg = mtod(m, struct sadb_msg *); 7594 newmsg->sadb_msg_errno = 0; 7595 newmsg->sadb_msg_len = PFKEY_UNIT64(m->m_pkthdr.len); 7596 7597 return key_sendup_mbuf(so, m, KEY_SENDUP_ALL); 7598 } 7599 7600 /* 7601 * SADB_DUMP processing 7602 * dump all entries including status of DEAD in SAD. 7603 * receive 7604 * <base> 7605 * from the ikmpd, and dump all secasvar leaves 7606 * and send, 7607 * <base> ..... 7608 * to the ikmpd. 7609 * 7610 * m will always be freed. 7611 */ 7612 static int 7613 key_dump(struct socket *so, struct mbuf *m, const struct sadb_msghdr *mhp) 7614 { 7615 SAHTREE_RLOCK_TRACKER; 7616 struct secashead *sah; 7617 struct secasvar *sav; 7618 struct mbuf *n; 7619 uint32_t cnt; 7620 uint8_t proto, satype; 7621 7622 IPSEC_ASSERT(so != NULL, ("null socket")); 7623 IPSEC_ASSERT(m != NULL, ("null mbuf")); 7624 IPSEC_ASSERT(mhp != NULL, ("null msghdr")); 7625 IPSEC_ASSERT(mhp->msg != NULL, ("null msg")); 7626 7627 /* map satype to proto */ 7628 if ((proto = key_satype2proto(mhp->msg->sadb_msg_satype)) == 0) { 7629 ipseclog((LOG_DEBUG, "%s: invalid satype is passed.\n", 7630 __func__)); 7631 return key_senderror(so, m, EINVAL); 7632 } 7633 7634 /* count sav entries to be sent to the userland. */ 7635 cnt = 0; 7636 SAHTREE_RLOCK(); 7637 TAILQ_FOREACH(sah, &V_sahtree, chain) { 7638 if (mhp->msg->sadb_msg_satype != SADB_SATYPE_UNSPEC && 7639 proto != sah->saidx.proto) 7640 continue; 7641 7642 TAILQ_FOREACH(sav, &sah->savtree_larval, chain) 7643 cnt++; 7644 TAILQ_FOREACH(sav, &sah->savtree_alive, chain) 7645 cnt++; 7646 } 7647 7648 if (cnt == 0) { 7649 SAHTREE_RUNLOCK(); 7650 return key_senderror(so, m, ENOENT); 7651 } 7652 7653 /* send this to the userland, one at a time. */ 7654 TAILQ_FOREACH(sah, &V_sahtree, chain) { 7655 if (mhp->msg->sadb_msg_satype != SADB_SATYPE_UNSPEC && 7656 proto != sah->saidx.proto) 7657 continue; 7658 7659 /* map proto to satype */ 7660 if ((satype = key_proto2satype(sah->saidx.proto)) == 0) { 7661 SAHTREE_RUNLOCK(); 7662 ipseclog((LOG_DEBUG, "%s: there was invalid proto in " 7663 "SAD.\n", __func__)); 7664 return key_senderror(so, m, EINVAL); 7665 } 7666 TAILQ_FOREACH(sav, &sah->savtree_larval, chain) { 7667 n = key_setdumpsa(sav, SADB_DUMP, satype, 7668 --cnt, mhp->msg->sadb_msg_pid); 7669 if (n == NULL) { 7670 SAHTREE_RUNLOCK(); 7671 return key_senderror(so, m, ENOBUFS); 7672 } 7673 key_sendup_mbuf(so, n, KEY_SENDUP_ONE); 7674 } 7675 TAILQ_FOREACH(sav, &sah->savtree_alive, chain) { 7676 n = key_setdumpsa(sav, SADB_DUMP, satype, 7677 --cnt, mhp->msg->sadb_msg_pid); 7678 if (n == NULL) { 7679 SAHTREE_RUNLOCK(); 7680 return key_senderror(so, m, ENOBUFS); 7681 } 7682 key_sendup_mbuf(so, n, KEY_SENDUP_ONE); 7683 } 7684 } 7685 SAHTREE_RUNLOCK(); 7686 m_freem(m); 7687 return (0); 7688 } 7689 /* 7690 * SADB_X_PROMISC processing 7691 * 7692 * m will always be freed. 7693 */ 7694 static int 7695 key_promisc(struct socket *so, struct mbuf *m, const struct sadb_msghdr *mhp) 7696 { 7697 int olen; 7698 7699 IPSEC_ASSERT(so != NULL, ("null socket")); 7700 IPSEC_ASSERT(m != NULL, ("null mbuf")); 7701 IPSEC_ASSERT(mhp != NULL, ("null msghdr")); 7702 IPSEC_ASSERT(mhp->msg != NULL, ("null msg")); 7703 7704 olen = PFKEY_UNUNIT64(mhp->msg->sadb_msg_len); 7705 7706 if (olen < sizeof(struct sadb_msg)) { 7707 #if 1 7708 return key_senderror(so, m, EINVAL); 7709 #else 7710 m_freem(m); 7711 return 0; 7712 #endif 7713 } else if (olen == sizeof(struct sadb_msg)) { 7714 /* enable/disable promisc mode */ 7715 struct keycb *kp; 7716 7717 if ((kp = so->so_pcb) == NULL) 7718 return key_senderror(so, m, EINVAL); 7719 mhp->msg->sadb_msg_errno = 0; 7720 switch (mhp->msg->sadb_msg_satype) { 7721 case 0: 7722 case 1: 7723 kp->kp_promisc = mhp->msg->sadb_msg_satype; 7724 break; 7725 default: 7726 return key_senderror(so, m, EINVAL); 7727 } 7728 7729 /* send the original message back to everyone */ 7730 mhp->msg->sadb_msg_errno = 0; 7731 return key_sendup_mbuf(so, m, KEY_SENDUP_ALL); 7732 } else { 7733 /* send packet as is */ 7734 7735 m_adj(m, PFKEY_ALIGN8(sizeof(struct sadb_msg))); 7736 7737 /* TODO: if sadb_msg_seq is specified, send to specific pid */ 7738 return key_sendup_mbuf(so, m, KEY_SENDUP_ALL); 7739 } 7740 } 7741 7742 static int (*key_typesw[])(struct socket *, struct mbuf *, 7743 const struct sadb_msghdr *) = { 7744 NULL, /* SADB_RESERVED */ 7745 key_getspi, /* SADB_GETSPI */ 7746 key_update, /* SADB_UPDATE */ 7747 key_add, /* SADB_ADD */ 7748 key_delete, /* SADB_DELETE */ 7749 key_get, /* SADB_GET */ 7750 key_acquire2, /* SADB_ACQUIRE */ 7751 key_register, /* SADB_REGISTER */ 7752 NULL, /* SADB_EXPIRE */ 7753 key_flush, /* SADB_FLUSH */ 7754 key_dump, /* SADB_DUMP */ 7755 key_promisc, /* SADB_X_PROMISC */ 7756 NULL, /* SADB_X_PCHANGE */ 7757 key_spdadd, /* SADB_X_SPDUPDATE */ 7758 key_spdadd, /* SADB_X_SPDADD */ 7759 key_spddelete, /* SADB_X_SPDDELETE */ 7760 key_spdget, /* SADB_X_SPDGET */ 7761 NULL, /* SADB_X_SPDACQUIRE */ 7762 key_spddump, /* SADB_X_SPDDUMP */ 7763 key_spdflush, /* SADB_X_SPDFLUSH */ 7764 key_spdadd, /* SADB_X_SPDSETIDX */ 7765 NULL, /* SADB_X_SPDEXPIRE */ 7766 key_spddelete2, /* SADB_X_SPDDELETE2 */ 7767 }; 7768 7769 /* 7770 * parse sadb_msg buffer to process PFKEYv2, 7771 * and create a data to response if needed. 7772 * I think to be dealed with mbuf directly. 7773 * IN: 7774 * msgp : pointer to pointer to a received buffer pulluped. 7775 * This is rewrited to response. 7776 * so : pointer to socket. 7777 * OUT: 7778 * length for buffer to send to user process. 7779 */ 7780 int 7781 key_parse(struct mbuf *m, struct socket *so) 7782 { 7783 struct sadb_msg *msg; 7784 struct sadb_msghdr mh; 7785 u_int orglen; 7786 int error; 7787 int target; 7788 7789 IPSEC_ASSERT(so != NULL, ("null socket")); 7790 IPSEC_ASSERT(m != NULL, ("null mbuf")); 7791 7792 if (m->m_len < sizeof(struct sadb_msg)) { 7793 m = m_pullup(m, sizeof(struct sadb_msg)); 7794 if (!m) 7795 return ENOBUFS; 7796 } 7797 msg = mtod(m, struct sadb_msg *); 7798 orglen = PFKEY_UNUNIT64(msg->sadb_msg_len); 7799 target = KEY_SENDUP_ONE; 7800 7801 if ((m->m_flags & M_PKTHDR) == 0 || m->m_pkthdr.len != orglen) { 7802 ipseclog((LOG_DEBUG, "%s: invalid message length.\n",__func__)); 7803 PFKEYSTAT_INC(out_invlen); 7804 error = EINVAL; 7805 goto senderror; 7806 } 7807 7808 if (msg->sadb_msg_version != PF_KEY_V2) { 7809 ipseclog((LOG_DEBUG, "%s: PF_KEY version %u is mismatched.\n", 7810 __func__, msg->sadb_msg_version)); 7811 PFKEYSTAT_INC(out_invver); 7812 error = EINVAL; 7813 goto senderror; 7814 } 7815 7816 if (msg->sadb_msg_type > SADB_MAX) { 7817 ipseclog((LOG_DEBUG, "%s: invalid type %u is passed.\n", 7818 __func__, msg->sadb_msg_type)); 7819 PFKEYSTAT_INC(out_invmsgtype); 7820 error = EINVAL; 7821 goto senderror; 7822 } 7823 7824 /* for old-fashioned code - should be nuked */ 7825 if (m->m_pkthdr.len > MCLBYTES) { 7826 m_freem(m); 7827 return ENOBUFS; 7828 } 7829 if (m->m_next) { 7830 struct mbuf *n; 7831 7832 MGETHDR(n, M_NOWAIT, MT_DATA); 7833 if (n && m->m_pkthdr.len > MHLEN) { 7834 if (!(MCLGET(n, M_NOWAIT))) { 7835 m_free(n); 7836 n = NULL; 7837 } 7838 } 7839 if (!n) { 7840 m_freem(m); 7841 return ENOBUFS; 7842 } 7843 m_copydata(m, 0, m->m_pkthdr.len, mtod(n, caddr_t)); 7844 n->m_pkthdr.len = n->m_len = m->m_pkthdr.len; 7845 n->m_next = NULL; 7846 m_freem(m); 7847 m = n; 7848 } 7849 7850 /* align the mbuf chain so that extensions are in contiguous region. */ 7851 error = key_align(m, &mh); 7852 if (error) 7853 return error; 7854 7855 msg = mh.msg; 7856 7857 /* We use satype as scope mask for spddump */ 7858 if (msg->sadb_msg_type == SADB_X_SPDDUMP) { 7859 switch (msg->sadb_msg_satype) { 7860 case IPSEC_POLICYSCOPE_ANY: 7861 case IPSEC_POLICYSCOPE_GLOBAL: 7862 case IPSEC_POLICYSCOPE_IFNET: 7863 case IPSEC_POLICYSCOPE_PCB: 7864 break; 7865 default: 7866 ipseclog((LOG_DEBUG, "%s: illegal satype=%u\n", 7867 __func__, msg->sadb_msg_type)); 7868 PFKEYSTAT_INC(out_invsatype); 7869 error = EINVAL; 7870 goto senderror; 7871 } 7872 } else { 7873 switch (msg->sadb_msg_satype) { /* check SA type */ 7874 case SADB_SATYPE_UNSPEC: 7875 switch (msg->sadb_msg_type) { 7876 case SADB_GETSPI: 7877 case SADB_UPDATE: 7878 case SADB_ADD: 7879 case SADB_DELETE: 7880 case SADB_GET: 7881 case SADB_ACQUIRE: 7882 case SADB_EXPIRE: 7883 ipseclog((LOG_DEBUG, "%s: must specify satype " 7884 "when msg type=%u.\n", __func__, 7885 msg->sadb_msg_type)); 7886 PFKEYSTAT_INC(out_invsatype); 7887 error = EINVAL; 7888 goto senderror; 7889 } 7890 break; 7891 case SADB_SATYPE_AH: 7892 case SADB_SATYPE_ESP: 7893 case SADB_X_SATYPE_IPCOMP: 7894 case SADB_X_SATYPE_TCPSIGNATURE: 7895 switch (msg->sadb_msg_type) { 7896 case SADB_X_SPDADD: 7897 case SADB_X_SPDDELETE: 7898 case SADB_X_SPDGET: 7899 case SADB_X_SPDFLUSH: 7900 case SADB_X_SPDSETIDX: 7901 case SADB_X_SPDUPDATE: 7902 case SADB_X_SPDDELETE2: 7903 ipseclog((LOG_DEBUG, "%s: illegal satype=%u\n", 7904 __func__, msg->sadb_msg_type)); 7905 PFKEYSTAT_INC(out_invsatype); 7906 error = EINVAL; 7907 goto senderror; 7908 } 7909 break; 7910 case SADB_SATYPE_RSVP: 7911 case SADB_SATYPE_OSPFV2: 7912 case SADB_SATYPE_RIPV2: 7913 case SADB_SATYPE_MIP: 7914 ipseclog((LOG_DEBUG, "%s: type %u isn't supported.\n", 7915 __func__, msg->sadb_msg_satype)); 7916 PFKEYSTAT_INC(out_invsatype); 7917 error = EOPNOTSUPP; 7918 goto senderror; 7919 case 1: /* XXX: What does it do? */ 7920 if (msg->sadb_msg_type == SADB_X_PROMISC) 7921 break; 7922 /*FALLTHROUGH*/ 7923 default: 7924 ipseclog((LOG_DEBUG, "%s: invalid type %u is passed.\n", 7925 __func__, msg->sadb_msg_satype)); 7926 PFKEYSTAT_INC(out_invsatype); 7927 error = EINVAL; 7928 goto senderror; 7929 } 7930 } 7931 7932 /* check field of upper layer protocol and address family */ 7933 if (mh.ext[SADB_EXT_ADDRESS_SRC] != NULL 7934 && mh.ext[SADB_EXT_ADDRESS_DST] != NULL) { 7935 struct sadb_address *src0, *dst0; 7936 u_int plen; 7937 7938 src0 = (struct sadb_address *)(mh.ext[SADB_EXT_ADDRESS_SRC]); 7939 dst0 = (struct sadb_address *)(mh.ext[SADB_EXT_ADDRESS_DST]); 7940 7941 /* check upper layer protocol */ 7942 if (src0->sadb_address_proto != dst0->sadb_address_proto) { 7943 ipseclog((LOG_DEBUG, "%s: upper layer protocol " 7944 "mismatched.\n", __func__)); 7945 PFKEYSTAT_INC(out_invaddr); 7946 error = EINVAL; 7947 goto senderror; 7948 } 7949 7950 /* check family */ 7951 if (PFKEY_ADDR_SADDR(src0)->sa_family != 7952 PFKEY_ADDR_SADDR(dst0)->sa_family) { 7953 ipseclog((LOG_DEBUG, "%s: address family mismatched.\n", 7954 __func__)); 7955 PFKEYSTAT_INC(out_invaddr); 7956 error = EINVAL; 7957 goto senderror; 7958 } 7959 if (PFKEY_ADDR_SADDR(src0)->sa_len != 7960 PFKEY_ADDR_SADDR(dst0)->sa_len) { 7961 ipseclog((LOG_DEBUG, "%s: address struct size " 7962 "mismatched.\n", __func__)); 7963 PFKEYSTAT_INC(out_invaddr); 7964 error = EINVAL; 7965 goto senderror; 7966 } 7967 7968 switch (PFKEY_ADDR_SADDR(src0)->sa_family) { 7969 case AF_INET: 7970 if (PFKEY_ADDR_SADDR(src0)->sa_len != 7971 sizeof(struct sockaddr_in)) { 7972 PFKEYSTAT_INC(out_invaddr); 7973 error = EINVAL; 7974 goto senderror; 7975 } 7976 break; 7977 case AF_INET6: 7978 if (PFKEY_ADDR_SADDR(src0)->sa_len != 7979 sizeof(struct sockaddr_in6)) { 7980 PFKEYSTAT_INC(out_invaddr); 7981 error = EINVAL; 7982 goto senderror; 7983 } 7984 break; 7985 default: 7986 ipseclog((LOG_DEBUG, "%s: unsupported address family\n", 7987 __func__)); 7988 PFKEYSTAT_INC(out_invaddr); 7989 error = EAFNOSUPPORT; 7990 goto senderror; 7991 } 7992 7993 switch (PFKEY_ADDR_SADDR(src0)->sa_family) { 7994 case AF_INET: 7995 plen = sizeof(struct in_addr) << 3; 7996 break; 7997 case AF_INET6: 7998 plen = sizeof(struct in6_addr) << 3; 7999 break; 8000 default: 8001 plen = 0; /*fool gcc*/ 8002 break; 8003 } 8004 8005 /* check max prefix length */ 8006 if (src0->sadb_address_prefixlen > plen || 8007 dst0->sadb_address_prefixlen > plen) { 8008 ipseclog((LOG_DEBUG, "%s: illegal prefixlen.\n", 8009 __func__)); 8010 PFKEYSTAT_INC(out_invaddr); 8011 error = EINVAL; 8012 goto senderror; 8013 } 8014 8015 /* 8016 * prefixlen == 0 is valid because there can be a case when 8017 * all addresses are matched. 8018 */ 8019 } 8020 8021 if (msg->sadb_msg_type >= nitems(key_typesw) || 8022 key_typesw[msg->sadb_msg_type] == NULL) { 8023 PFKEYSTAT_INC(out_invmsgtype); 8024 error = EINVAL; 8025 goto senderror; 8026 } 8027 8028 return (*key_typesw[msg->sadb_msg_type])(so, m, &mh); 8029 8030 senderror: 8031 msg->sadb_msg_errno = error; 8032 return key_sendup_mbuf(so, m, target); 8033 } 8034 8035 static int 8036 key_senderror(struct socket *so, struct mbuf *m, int code) 8037 { 8038 struct sadb_msg *msg; 8039 8040 IPSEC_ASSERT(m->m_len >= sizeof(struct sadb_msg), 8041 ("mbuf too small, len %u", m->m_len)); 8042 8043 msg = mtod(m, struct sadb_msg *); 8044 msg->sadb_msg_errno = code; 8045 return key_sendup_mbuf(so, m, KEY_SENDUP_ONE); 8046 } 8047 8048 /* 8049 * set the pointer to each header into message buffer. 8050 * m will be freed on error. 8051 * XXX larger-than-MCLBYTES extension? 8052 */ 8053 static int 8054 key_align(struct mbuf *m, struct sadb_msghdr *mhp) 8055 { 8056 struct mbuf *n; 8057 struct sadb_ext *ext; 8058 size_t off, end; 8059 int extlen; 8060 int toff; 8061 8062 IPSEC_ASSERT(m != NULL, ("null mbuf")); 8063 IPSEC_ASSERT(mhp != NULL, ("null msghdr")); 8064 IPSEC_ASSERT(m->m_len >= sizeof(struct sadb_msg), 8065 ("mbuf too small, len %u", m->m_len)); 8066 8067 /* initialize */ 8068 bzero(mhp, sizeof(*mhp)); 8069 8070 mhp->msg = mtod(m, struct sadb_msg *); 8071 mhp->ext[0] = (struct sadb_ext *)mhp->msg; /*XXX backward compat */ 8072 8073 end = PFKEY_UNUNIT64(mhp->msg->sadb_msg_len); 8074 extlen = end; /*just in case extlen is not updated*/ 8075 for (off = sizeof(struct sadb_msg); off < end; off += extlen) { 8076 n = m_pulldown(m, off, sizeof(struct sadb_ext), &toff); 8077 if (!n) { 8078 /* m is already freed */ 8079 return ENOBUFS; 8080 } 8081 ext = (struct sadb_ext *)(mtod(n, caddr_t) + toff); 8082 8083 /* set pointer */ 8084 switch (ext->sadb_ext_type) { 8085 case SADB_EXT_SA: 8086 case SADB_EXT_ADDRESS_SRC: 8087 case SADB_EXT_ADDRESS_DST: 8088 case SADB_EXT_ADDRESS_PROXY: 8089 case SADB_EXT_LIFETIME_CURRENT: 8090 case SADB_EXT_LIFETIME_HARD: 8091 case SADB_EXT_LIFETIME_SOFT: 8092 case SADB_EXT_KEY_AUTH: 8093 case SADB_EXT_KEY_ENCRYPT: 8094 case SADB_EXT_IDENTITY_SRC: 8095 case SADB_EXT_IDENTITY_DST: 8096 case SADB_EXT_SENSITIVITY: 8097 case SADB_EXT_PROPOSAL: 8098 case SADB_EXT_SUPPORTED_AUTH: 8099 case SADB_EXT_SUPPORTED_ENCRYPT: 8100 case SADB_EXT_SPIRANGE: 8101 case SADB_X_EXT_POLICY: 8102 case SADB_X_EXT_SA2: 8103 case SADB_X_EXT_NAT_T_TYPE: 8104 case SADB_X_EXT_NAT_T_SPORT: 8105 case SADB_X_EXT_NAT_T_DPORT: 8106 case SADB_X_EXT_NAT_T_OAI: 8107 case SADB_X_EXT_NAT_T_OAR: 8108 case SADB_X_EXT_NAT_T_FRAG: 8109 case SADB_X_EXT_SA_REPLAY: 8110 case SADB_X_EXT_NEW_ADDRESS_SRC: 8111 case SADB_X_EXT_NEW_ADDRESS_DST: 8112 /* duplicate check */ 8113 /* 8114 * XXX Are there duplication payloads of either 8115 * KEY_AUTH or KEY_ENCRYPT ? 8116 */ 8117 if (mhp->ext[ext->sadb_ext_type] != NULL) { 8118 ipseclog((LOG_DEBUG, "%s: duplicate ext_type " 8119 "%u\n", __func__, ext->sadb_ext_type)); 8120 m_freem(m); 8121 PFKEYSTAT_INC(out_dupext); 8122 return EINVAL; 8123 } 8124 break; 8125 default: 8126 ipseclog((LOG_DEBUG, "%s: invalid ext_type %u\n", 8127 __func__, ext->sadb_ext_type)); 8128 m_freem(m); 8129 PFKEYSTAT_INC(out_invexttype); 8130 return EINVAL; 8131 } 8132 8133 extlen = PFKEY_UNUNIT64(ext->sadb_ext_len); 8134 8135 if (key_validate_ext(ext, extlen)) { 8136 m_freem(m); 8137 PFKEYSTAT_INC(out_invlen); 8138 return EINVAL; 8139 } 8140 8141 n = m_pulldown(m, off, extlen, &toff); 8142 if (!n) { 8143 /* m is already freed */ 8144 return ENOBUFS; 8145 } 8146 ext = (struct sadb_ext *)(mtod(n, caddr_t) + toff); 8147 8148 mhp->ext[ext->sadb_ext_type] = ext; 8149 mhp->extoff[ext->sadb_ext_type] = off; 8150 mhp->extlen[ext->sadb_ext_type] = extlen; 8151 } 8152 8153 if (off != end) { 8154 m_freem(m); 8155 PFKEYSTAT_INC(out_invlen); 8156 return EINVAL; 8157 } 8158 8159 return 0; 8160 } 8161 8162 static int 8163 key_validate_ext(const struct sadb_ext *ext, int len) 8164 { 8165 const struct sockaddr *sa; 8166 enum { NONE, ADDR } checktype = NONE; 8167 int baselen = 0; 8168 const int sal = offsetof(struct sockaddr, sa_len) + sizeof(sa->sa_len); 8169 8170 if (len != PFKEY_UNUNIT64(ext->sadb_ext_len)) 8171 return EINVAL; 8172 8173 /* if it does not match minimum/maximum length, bail */ 8174 if (ext->sadb_ext_type >= nitems(minsize) || 8175 ext->sadb_ext_type >= nitems(maxsize)) 8176 return EINVAL; 8177 if (!minsize[ext->sadb_ext_type] || len < minsize[ext->sadb_ext_type]) 8178 return EINVAL; 8179 if (maxsize[ext->sadb_ext_type] && len > maxsize[ext->sadb_ext_type]) 8180 return EINVAL; 8181 8182 /* more checks based on sadb_ext_type XXX need more */ 8183 switch (ext->sadb_ext_type) { 8184 case SADB_EXT_ADDRESS_SRC: 8185 case SADB_EXT_ADDRESS_DST: 8186 case SADB_EXT_ADDRESS_PROXY: 8187 case SADB_X_EXT_NAT_T_OAI: 8188 case SADB_X_EXT_NAT_T_OAR: 8189 case SADB_X_EXT_NEW_ADDRESS_SRC: 8190 case SADB_X_EXT_NEW_ADDRESS_DST: 8191 baselen = PFKEY_ALIGN8(sizeof(struct sadb_address)); 8192 checktype = ADDR; 8193 break; 8194 case SADB_EXT_IDENTITY_SRC: 8195 case SADB_EXT_IDENTITY_DST: 8196 if (((const struct sadb_ident *)ext)->sadb_ident_type == 8197 SADB_X_IDENTTYPE_ADDR) { 8198 baselen = PFKEY_ALIGN8(sizeof(struct sadb_ident)); 8199 checktype = ADDR; 8200 } else 8201 checktype = NONE; 8202 break; 8203 default: 8204 checktype = NONE; 8205 break; 8206 } 8207 8208 switch (checktype) { 8209 case NONE: 8210 break; 8211 case ADDR: 8212 sa = (const struct sockaddr *)(((const u_int8_t*)ext)+baselen); 8213 if (len < baselen + sal) 8214 return EINVAL; 8215 if (baselen + PFKEY_ALIGN8(sa->sa_len) != len) 8216 return EINVAL; 8217 break; 8218 } 8219 8220 return 0; 8221 } 8222 8223 void 8224 spdcache_init(void) 8225 { 8226 int i; 8227 8228 TUNABLE_INT_FETCH("net.key.spdcache.maxentries", 8229 &V_key_spdcache_maxentries); 8230 TUNABLE_INT_FETCH("net.key.spdcache.threshold", 8231 &V_key_spdcache_threshold); 8232 8233 if (V_key_spdcache_maxentries) { 8234 V_key_spdcache_maxentries = MAX(V_key_spdcache_maxentries, 8235 SPDCACHE_MAX_ENTRIES_PER_HASH); 8236 V_spdcachehashtbl = hashinit(V_key_spdcache_maxentries / 8237 SPDCACHE_MAX_ENTRIES_PER_HASH, 8238 M_IPSEC_SPDCACHE, &V_spdcachehash_mask); 8239 V_key_spdcache_maxentries = (V_spdcachehash_mask + 1) 8240 * SPDCACHE_MAX_ENTRIES_PER_HASH; 8241 8242 V_spdcache_lock = malloc(sizeof(struct mtx) * 8243 (V_spdcachehash_mask + 1), 8244 M_IPSEC_SPDCACHE, M_WAITOK|M_ZERO); 8245 8246 for (i = 0; i < V_spdcachehash_mask + 1; ++i) 8247 SPDCACHE_LOCK_INIT(i); 8248 } 8249 } 8250 8251 struct spdcache_entry * 8252 spdcache_entry_alloc(const struct secpolicyindex *spidx, struct secpolicy *sp) 8253 { 8254 struct spdcache_entry *entry; 8255 8256 entry = malloc(sizeof(struct spdcache_entry), 8257 M_IPSEC_SPDCACHE, M_NOWAIT|M_ZERO); 8258 if (entry == NULL) 8259 return NULL; 8260 8261 if (sp != NULL) 8262 SP_ADDREF(sp); 8263 8264 entry->spidx = *spidx; 8265 entry->sp = sp; 8266 8267 return (entry); 8268 } 8269 8270 void 8271 spdcache_entry_free(struct spdcache_entry *entry) 8272 { 8273 8274 if (entry->sp != NULL) 8275 key_freesp(&entry->sp); 8276 free(entry, M_IPSEC_SPDCACHE); 8277 } 8278 8279 void 8280 spdcache_clear(void) 8281 { 8282 struct spdcache_entry *entry; 8283 int i; 8284 8285 for (i = 0; i < V_spdcachehash_mask + 1; ++i) { 8286 SPDCACHE_LOCK(i); 8287 while (!LIST_EMPTY(&V_spdcachehashtbl[i])) { 8288 entry = LIST_FIRST(&V_spdcachehashtbl[i]); 8289 LIST_REMOVE(entry, chain); 8290 spdcache_entry_free(entry); 8291 } 8292 SPDCACHE_UNLOCK(i); 8293 } 8294 } 8295 8296 #ifdef VIMAGE 8297 void 8298 spdcache_destroy(void) 8299 { 8300 int i; 8301 8302 if (SPDCACHE_ENABLED()) { 8303 spdcache_clear(); 8304 hashdestroy(V_spdcachehashtbl, M_IPSEC_SPDCACHE, V_spdcachehash_mask); 8305 8306 for (i = 0; i < V_spdcachehash_mask + 1; ++i) 8307 SPDCACHE_LOCK_DESTROY(i); 8308 8309 free(V_spdcache_lock, M_IPSEC_SPDCACHE); 8310 } 8311 } 8312 #endif 8313 8314 static void 8315 key_vnet_init(void *arg __unused) 8316 { 8317 int i; 8318 8319 for (i = 0; i < IPSEC_DIR_MAX; i++) { 8320 TAILQ_INIT(&V_sptree[i]); 8321 TAILQ_INIT(&V_sptree_ifnet[i]); 8322 } 8323 8324 TAILQ_INIT(&V_sahtree); 8325 V_sphashtbl = hashinit(SPHASH_NHASH, M_IPSEC_SP, &V_sphash_mask); 8326 V_savhashtbl = hashinit(SAVHASH_NHASH, M_IPSEC_SA, &V_savhash_mask); 8327 V_sahaddrhashtbl = hashinit(SAHHASH_NHASH, M_IPSEC_SAH, 8328 &V_sahaddrhash_mask); 8329 V_acqaddrhashtbl = hashinit(ACQHASH_NHASH, M_IPSEC_SAQ, 8330 &V_acqaddrhash_mask); 8331 V_acqseqhashtbl = hashinit(ACQHASH_NHASH, M_IPSEC_SAQ, 8332 &V_acqseqhash_mask); 8333 8334 spdcache_init(); 8335 8336 for (i = 0; i <= SADB_SATYPE_MAX; i++) 8337 LIST_INIT(&V_regtree[i]); 8338 8339 LIST_INIT(&V_acqtree); 8340 LIST_INIT(&V_spacqtree); 8341 } 8342 VNET_SYSINIT(key_vnet_init, SI_SUB_PROTO_DOMAIN, SI_ORDER_SECOND, 8343 key_vnet_init, NULL); 8344 8345 static void 8346 key_init(void *arg __unused) 8347 { 8348 8349 ipsec_key_lft_zone = uma_zcreate("IPsec SA lft_c", 8350 sizeof(uint64_t) * 2, NULL, NULL, NULL, NULL, 8351 UMA_ALIGN_PTR, UMA_ZONE_PCPU); 8352 8353 SPTREE_LOCK_INIT(); 8354 REGTREE_LOCK_INIT(); 8355 SAHTREE_LOCK_INIT(); 8356 ACQ_LOCK_INIT(); 8357 SPACQ_LOCK_INIT(); 8358 SPI_ALLOC_LOCK_INIT(); 8359 8360 #ifndef IPSEC_DEBUG2 8361 callout_init(&key_timer, 1); 8362 callout_reset(&key_timer, hz, key_timehandler, NULL); 8363 #endif /*IPSEC_DEBUG2*/ 8364 8365 /* initialize key statistics */ 8366 keystat.getspi_count = 1; 8367 8368 if (bootverbose) 8369 printf("IPsec: Initialized Security Association Processing.\n"); 8370 } 8371 SYSINIT(key_init, SI_SUB_PROTO_DOMAIN, SI_ORDER_FIRST, key_init, NULL); 8372 8373 #ifdef VIMAGE 8374 static void 8375 key_vnet_destroy(void *arg __unused) 8376 { 8377 struct secashead_queue sahdrainq; 8378 struct secpolicy_queue drainq; 8379 struct secpolicy *sp, *nextsp; 8380 struct secacq *acq, *nextacq; 8381 struct secspacq *spacq, *nextspacq; 8382 struct secashead *sah; 8383 struct secasvar *sav; 8384 struct secreg *reg; 8385 int i; 8386 8387 /* 8388 * XXX: can we just call free() for each object without 8389 * walking through safe way with releasing references? 8390 */ 8391 TAILQ_INIT(&drainq); 8392 SPTREE_WLOCK(); 8393 for (i = 0; i < IPSEC_DIR_MAX; i++) { 8394 TAILQ_CONCAT(&drainq, &V_sptree[i], chain); 8395 TAILQ_CONCAT(&drainq, &V_sptree_ifnet[i], chain); 8396 } 8397 for (i = 0; i < V_sphash_mask + 1; i++) 8398 LIST_INIT(&V_sphashtbl[i]); 8399 SPTREE_WUNLOCK(); 8400 spdcache_destroy(); 8401 8402 sp = TAILQ_FIRST(&drainq); 8403 while (sp != NULL) { 8404 nextsp = TAILQ_NEXT(sp, chain); 8405 key_freesp(&sp); 8406 sp = nextsp; 8407 } 8408 8409 TAILQ_INIT(&sahdrainq); 8410 SAHTREE_WLOCK(); 8411 TAILQ_CONCAT(&sahdrainq, &V_sahtree, chain); 8412 for (i = 0; i < V_savhash_mask + 1; i++) 8413 LIST_INIT(&V_savhashtbl[i]); 8414 for (i = 0; i < V_sahaddrhash_mask + 1; i++) 8415 LIST_INIT(&V_sahaddrhashtbl[i]); 8416 TAILQ_FOREACH(sah, &sahdrainq, chain) { 8417 sah->state = SADB_SASTATE_DEAD; 8418 TAILQ_FOREACH(sav, &sah->savtree_larval, chain) { 8419 sav->state = SADB_SASTATE_DEAD; 8420 } 8421 TAILQ_FOREACH(sav, &sah->savtree_alive, chain) { 8422 sav->state = SADB_SASTATE_DEAD; 8423 } 8424 } 8425 SAHTREE_WUNLOCK(); 8426 8427 key_freesah_flushed(&sahdrainq); 8428 hashdestroy(V_sphashtbl, M_IPSEC_SP, V_sphash_mask); 8429 hashdestroy(V_savhashtbl, M_IPSEC_SA, V_savhash_mask); 8430 hashdestroy(V_sahaddrhashtbl, M_IPSEC_SAH, V_sahaddrhash_mask); 8431 8432 REGTREE_LOCK(); 8433 for (i = 0; i <= SADB_SATYPE_MAX; i++) { 8434 LIST_FOREACH(reg, &V_regtree[i], chain) { 8435 if (__LIST_CHAINED(reg)) { 8436 LIST_REMOVE(reg, chain); 8437 free(reg, M_IPSEC_SAR); 8438 break; 8439 } 8440 } 8441 } 8442 REGTREE_UNLOCK(); 8443 8444 ACQ_LOCK(); 8445 acq = LIST_FIRST(&V_acqtree); 8446 while (acq != NULL) { 8447 nextacq = LIST_NEXT(acq, chain); 8448 LIST_REMOVE(acq, chain); 8449 free(acq, M_IPSEC_SAQ); 8450 acq = nextacq; 8451 } 8452 for (i = 0; i < V_acqaddrhash_mask + 1; i++) 8453 LIST_INIT(&V_acqaddrhashtbl[i]); 8454 for (i = 0; i < V_acqseqhash_mask + 1; i++) 8455 LIST_INIT(&V_acqseqhashtbl[i]); 8456 ACQ_UNLOCK(); 8457 8458 SPACQ_LOCK(); 8459 for (spacq = LIST_FIRST(&V_spacqtree); spacq != NULL; 8460 spacq = nextspacq) { 8461 nextspacq = LIST_NEXT(spacq, chain); 8462 if (__LIST_CHAINED(spacq)) { 8463 LIST_REMOVE(spacq, chain); 8464 free(spacq, M_IPSEC_SAQ); 8465 } 8466 } 8467 SPACQ_UNLOCK(); 8468 hashdestroy(V_acqaddrhashtbl, M_IPSEC_SAQ, V_acqaddrhash_mask); 8469 hashdestroy(V_acqseqhashtbl, M_IPSEC_SAQ, V_acqseqhash_mask); 8470 } 8471 VNET_SYSUNINIT(key_vnet_destroy, SI_SUB_PROTO_DOMAIN, SI_ORDER_SECOND, 8472 key_vnet_destroy, NULL); 8473 #endif 8474 8475 /* 8476 * XXX: as long as domains are not unloadable, this function is never called, 8477 * provided for consistensy and future unload support. 8478 */ 8479 static void 8480 key_destroy(void *arg __unused) 8481 { 8482 uma_zdestroy(ipsec_key_lft_zone); 8483 8484 #ifndef IPSEC_DEBUG2 8485 callout_drain(&key_timer); 8486 #endif 8487 SPTREE_LOCK_DESTROY(); 8488 REGTREE_LOCK_DESTROY(); 8489 SAHTREE_LOCK_DESTROY(); 8490 ACQ_LOCK_DESTROY(); 8491 SPACQ_LOCK_DESTROY(); 8492 SPI_ALLOC_LOCK_DESTROY(); 8493 } 8494 SYSUNINIT(key_destroy, SI_SUB_PROTO_DOMAIN, SI_ORDER_FIRST, key_destroy, NULL); 8495 8496 /* record data transfer on SA, and update timestamps */ 8497 void 8498 key_sa_recordxfer(struct secasvar *sav, struct mbuf *m) 8499 { 8500 IPSEC_ASSERT(sav != NULL, ("Null secasvar")); 8501 IPSEC_ASSERT(m != NULL, ("Null mbuf")); 8502 8503 /* 8504 * XXX Currently, there is a difference of bytes size 8505 * between inbound and outbound processing. 8506 */ 8507 counter_u64_add(sav->lft_c_bytes, m->m_pkthdr.len); 8508 8509 /* 8510 * We use the number of packets as the unit of 8511 * allocations. We increment the variable 8512 * whenever {esp,ah}_{in,out}put is called. 8513 */ 8514 counter_u64_add(sav->lft_c_allocations, 1); 8515 8516 /* 8517 * NOTE: We record CURRENT usetime by using wall clock, 8518 * in seconds. HARD and SOFT lifetime are measured by the time 8519 * difference (again in seconds) from usetime. 8520 * 8521 * usetime 8522 * v expire expire 8523 * -----+-----+--------+---> t 8524 * <--------------> HARD 8525 * <-----> SOFT 8526 */ 8527 if (sav->firstused == 0) 8528 sav->firstused = time_second; 8529 } 8530 8531 /* 8532 * Take one of the kernel's security keys and convert it into a PF_KEY 8533 * structure within an mbuf, suitable for sending up to a waiting 8534 * application in user land. 8535 * 8536 * IN: 8537 * src: A pointer to a kernel security key. 8538 * exttype: Which type of key this is. Refer to the PF_KEY data structures. 8539 * OUT: 8540 * a valid mbuf or NULL indicating an error 8541 * 8542 */ 8543 8544 static struct mbuf * 8545 key_setkey(struct seckey *src, uint16_t exttype) 8546 { 8547 struct mbuf *m; 8548 struct sadb_key *p; 8549 int len; 8550 8551 if (src == NULL) 8552 return NULL; 8553 8554 len = PFKEY_ALIGN8(sizeof(struct sadb_key) + _KEYLEN(src)); 8555 m = m_get2(len, M_NOWAIT, MT_DATA, 0); 8556 if (m == NULL) 8557 return NULL; 8558 m_align(m, len); 8559 m->m_len = len; 8560 p = mtod(m, struct sadb_key *); 8561 bzero(p, len); 8562 p->sadb_key_len = PFKEY_UNIT64(len); 8563 p->sadb_key_exttype = exttype; 8564 p->sadb_key_bits = src->bits; 8565 bcopy(src->key_data, _KEYBUF(p), _KEYLEN(src)); 8566 8567 return m; 8568 } 8569 8570 /* 8571 * Take one of the kernel's lifetime data structures and convert it 8572 * into a PF_KEY structure within an mbuf, suitable for sending up to 8573 * a waiting application in user land. 8574 * 8575 * IN: 8576 * src: A pointer to a kernel lifetime structure. 8577 * exttype: Which type of lifetime this is. Refer to the PF_KEY 8578 * data structures for more information. 8579 * OUT: 8580 * a valid mbuf or NULL indicating an error 8581 * 8582 */ 8583 8584 static struct mbuf * 8585 key_setlifetime(struct seclifetime *src, uint16_t exttype) 8586 { 8587 struct mbuf *m = NULL; 8588 struct sadb_lifetime *p; 8589 int len = PFKEY_ALIGN8(sizeof(struct sadb_lifetime)); 8590 8591 if (src == NULL) 8592 return NULL; 8593 8594 m = m_get2(len, M_NOWAIT, MT_DATA, 0); 8595 if (m == NULL) 8596 return m; 8597 m_align(m, len); 8598 m->m_len = len; 8599 p = mtod(m, struct sadb_lifetime *); 8600 8601 bzero(p, len); 8602 p->sadb_lifetime_len = PFKEY_UNIT64(len); 8603 p->sadb_lifetime_exttype = exttype; 8604 p->sadb_lifetime_allocations = src->allocations; 8605 p->sadb_lifetime_bytes = src->bytes; 8606 p->sadb_lifetime_addtime = src->addtime; 8607 p->sadb_lifetime_usetime = src->usetime; 8608 8609 return m; 8610 8611 } 8612 8613 const struct enc_xform * 8614 enc_algorithm_lookup(int alg) 8615 { 8616 int i; 8617 8618 for (i = 0; i < nitems(supported_ealgs); i++) 8619 if (alg == supported_ealgs[i].sadb_alg) 8620 return (supported_ealgs[i].xform); 8621 return (NULL); 8622 } 8623 8624 const struct auth_hash * 8625 auth_algorithm_lookup(int alg) 8626 { 8627 int i; 8628 8629 for (i = 0; i < nitems(supported_aalgs); i++) 8630 if (alg == supported_aalgs[i].sadb_alg) 8631 return (supported_aalgs[i].xform); 8632 return (NULL); 8633 } 8634 8635 const struct comp_algo * 8636 comp_algorithm_lookup(int alg) 8637 { 8638 int i; 8639 8640 for (i = 0; i < nitems(supported_calgs); i++) 8641 if (alg == supported_calgs[i].sadb_alg) 8642 return (supported_calgs[i].xform); 8643 return (NULL); 8644 } 8645