2 * Copyright (c) 2008-2016 Apple Inc. All rights reserved.
4 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. The rights granted to you under the License
10 * may not be used to create, or enable the creation or redistribution of,
11 * unlawful or unlicensed copies of an Apple operating system, or to
12 * circumvent, violate, or enable the circumvention or violation of, any
13 * terms of an Apple operating system software license agreement.
15 * Please obtain a copy of the License at
16 * http://www.opensource.apple.com/apsl/ and read it before using this file.
18 * The Original Code and all software distributed under the License are
19 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
20 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
21 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
22 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
23 * Please see the License for the specific language governing rights and
24 * limitations under the License.
26 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
29 /* $FreeBSD: src/sys/netkey/key.c,v 1.16.2.13 2002/07/24 18:17:40 ume Exp $ */
30 /* $KAME: key.c,v 1.191 2001/06/27 10:46:49 sakane Exp $ */
33 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
34 * All rights reserved.
36 * Redistribution and use in source and binary forms, with or without
37 * modification, are permitted provided that the following conditions
39 * 1. Redistributions of source code must retain the above copyright
40 * notice, this list of conditions and the following disclaimer.
41 * 2. Redistributions in binary form must reproduce the above copyright
42 * notice, this list of conditions and the following disclaimer in the
43 * documentation and/or other materials provided with the distribution.
44 * 3. Neither the name of the project nor the names of its contributors
45 * may be used to endorse or promote products derived from this software
46 * without specific prior written permission.
48 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
49 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
50 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
51 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
52 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
53 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
54 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
55 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
56 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
57 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
62 * This code is referd to RFC 2367
65 #include <machine/endian.h>
66 #include <sys/types.h>
67 #include <sys/param.h>
68 #include <sys/systm.h>
69 #include <sys/kernel.h>
71 #include <sys/domain.h>
72 #include <sys/protosw.h>
73 #include <sys/malloc.h>
74 #include <sys/socket.h>
75 #include <sys/socketvar.h>
76 #include <sys/sysctl.h>
77 #include <sys/errno.h>
79 #include <sys/queue.h>
80 #include <sys/syslog.h>
81 #include <sys/mcache.h>
83 #include <kern/locks.h>
86 #include <net/route.h>
87 #include <net/raw_cb.h>
89 #include <netinet/in.h>
90 #include <netinet/in_systm.h>
91 #include <netinet/ip.h>
92 #include <netinet/in_var.h>
95 #include <netinet/ip6.h>
96 #include <netinet6/in6_var.h>
97 #include <netinet6/ip6_var.h>
100 #include <net/pfkeyv2.h>
101 #include <netkey/keydb.h>
102 #include <netkey/key.h>
103 #include <netkey/keysock.h>
104 #include <netkey/key_debug.h>
106 #include <libkern/crypto/rand.h>
108 #include <netinet6/ipsec.h>
110 #include <netinet6/ipsec6.h>
112 #include <netinet6/ah.h>
114 #include <netinet6/ah6.h>
117 #include <netinet6/esp.h>
119 #include <netinet6/esp6.h>
125 #include <sys/random.h>
127 #include <net/net_osdep.h>
129 #define FULLMASK 0xff
131 lck_grp_t
*sadb_mutex_grp
;
132 lck_grp_attr_t
*sadb_mutex_grp_attr
;
133 lck_attr_t
*sadb_mutex_attr
;
134 decl_lck_mtx_data(, sadb_mutex_data
);
135 lck_mtx_t
*sadb_mutex
= &sadb_mutex_data
;
137 lck_grp_t
*pfkey_stat_mutex_grp
;
138 lck_grp_attr_t
*pfkey_stat_mutex_grp_attr
;
139 lck_attr_t
*pfkey_stat_mutex_attr
;
140 decl_lck_mtx_data(, pfkey_stat_mutex_data
);
141 lck_mtx_t
*pfkey_stat_mutex
= &pfkey_stat_mutex_data
;
144 * Note on SA reference counting:
145 * - SAs that are not in DEAD state will have (total external reference + 1)
146 * following value in reference count field. they cannot be freed and are
147 * referenced from SA header.
148 * - SAs that are in DEAD state will have (total external reference)
149 * in reference count field. they are ready to be freed. reference from
150 * SA header will be removed in key_delsav(), when the reference count
151 * field hits 0 (= no external reference other than from SA header.
154 u_int32_t key_debug_level
= 0; //### our sysctl is not dynamic
155 static int key_timehandler_running
= 0;
156 static u_int key_spi_trycnt
= 1000;
157 static u_int32_t key_spi_minval
= 0x100;
158 static u_int32_t key_spi_maxval
= 0x0fffffff; /* XXX */
159 static u_int32_t policy_id
= 0;
160 static u_int key_int_random
= 60; /*interval to initialize randseed,1(m)*/
161 static u_int key_larval_lifetime
= 30; /* interval to expire acquiring, 30(s)*/
162 static int key_blockacq_count
= 10; /* counter for blocking SADB_ACQUIRE.*/
163 static int key_blockacq_lifetime
= 20; /* lifetime for blocking SADB_ACQUIRE.*/
164 static int key_preferred_oldsa
= 0; /* preferred old sa rather than new sa.*/
165 __private_extern__
int natt_keepalive_interval
= 20; /* interval between natt keepalives.*/
166 __private_extern__
int ipsec_policy_count
= 0;
167 static int ipsec_sav_count
= 0;
169 static u_int32_t acq_seq
= 0;
170 static int key_tick_init_random
= 0;
171 static u_int64_t up_time
= 0;
172 __private_extern__ u_int64_t natt_now
= 0;
174 static LIST_HEAD(_sptree
, secpolicy
) sptree
[IPSEC_DIR_MAX
]; /* SPD */
175 static LIST_HEAD(_sahtree
, secashead
) sahtree
; /* SAD */
176 static LIST_HEAD(_regtree
, secreg
) regtree
[SADB_SATYPE_MAX
+ 1];
179 #define SPIHASHSIZE 128
180 #define SPIHASH(x) (((x) ^ ((x) >> 16)) % SPIHASHSIZE)
181 static LIST_HEAD(_spihash
, secasvar
) spihash
[SPIHASHSIZE
];
183 #ifndef IPSEC_NONBLOCK_ACQUIRE
184 static LIST_HEAD(_acqtree
, secacq
) acqtree
; /* acquiring list */
186 static LIST_HEAD(_spacqtree
, secspacq
) spacqtree
; /* SP acquiring list */
188 struct key_cb key_cb
;
190 /* search order for SAs */
191 static const u_int saorder_state_valid_prefer_old
[] = {
192 SADB_SASTATE_DYING
, SADB_SASTATE_MATURE
,
194 static const u_int saorder_state_valid_prefer_new
[] = {
195 SADB_SASTATE_MATURE
, SADB_SASTATE_DYING
,
197 static const u_int saorder_state_alive
[] = {
199 SADB_SASTATE_MATURE
, SADB_SASTATE_DYING
, SADB_SASTATE_LARVAL
201 static const u_int saorder_state_any
[] = {
202 SADB_SASTATE_MATURE
, SADB_SASTATE_DYING
,
203 SADB_SASTATE_LARVAL
, SADB_SASTATE_DEAD
206 static const int minsize
[] = {
207 sizeof(struct sadb_msg
), /* SADB_EXT_RESERVED */
208 sizeof(struct sadb_sa
), /* SADB_EXT_SA */
209 sizeof(struct sadb_lifetime
), /* SADB_EXT_LIFETIME_CURRENT */
210 sizeof(struct sadb_lifetime
), /* SADB_EXT_LIFETIME_HARD */
211 sizeof(struct sadb_lifetime
), /* SADB_EXT_LIFETIME_SOFT */
212 sizeof(struct sadb_address
), /* SADB_EXT_ADDRESS_SRC */
213 sizeof(struct sadb_address
), /* SADB_EXT_ADDRESS_DST */
214 sizeof(struct sadb_address
), /* SADB_EXT_ADDRESS_PROXY */
215 sizeof(struct sadb_key
), /* SADB_EXT_KEY_AUTH */
216 sizeof(struct sadb_key
), /* SADB_EXT_KEY_ENCRYPT */
217 sizeof(struct sadb_ident
), /* SADB_EXT_IDENTITY_SRC */
218 sizeof(struct sadb_ident
), /* SADB_EXT_IDENTITY_DST */
219 sizeof(struct sadb_sens
), /* SADB_EXT_SENSITIVITY */
220 sizeof(struct sadb_prop
), /* SADB_EXT_PROPOSAL */
221 sizeof(struct sadb_supported
), /* SADB_EXT_SUPPORTED_AUTH */
222 sizeof(struct sadb_supported
), /* SADB_EXT_SUPPORTED_ENCRYPT */
223 sizeof(struct sadb_spirange
), /* SADB_EXT_SPIRANGE */
224 0, /* SADB_X_EXT_KMPRIVATE */
225 sizeof(struct sadb_x_policy
), /* SADB_X_EXT_POLICY */
226 sizeof(struct sadb_x_sa2
), /* SADB_X_SA2 */
227 sizeof(struct sadb_session_id
), /* SADB_EXT_SESSION_ID */
228 sizeof(struct sadb_sastat
), /* SADB_EXT_SASTAT */
229 sizeof(struct sadb_x_ipsecif
), /* SADB_X_EXT_IPSECIF */
230 sizeof(struct sadb_address
), /* SADB_X_EXT_ADDR_RANGE_SRC_START */
231 sizeof(struct sadb_address
), /* SADB_X_EXT_ADDR_RANGE_SRC_END */
232 sizeof(struct sadb_address
), /* SADB_X_EXT_ADDR_RANGE_DST_START */
233 sizeof(struct sadb_address
), /* SADB_X_EXT_ADDR_RANGE_DST_END */
234 sizeof(struct sadb_address
), /* SADB_EXT_MIGRATE_ADDRESS_SRC */
235 sizeof(struct sadb_address
), /* SADB_EXT_MIGRATE_ADDRESS_DST */
236 sizeof(struct sadb_x_ipsecif
), /* SADB_X_EXT_MIGRATE_IPSECIF */
238 static const int maxsize
[] = {
239 sizeof(struct sadb_msg
), /* SADB_EXT_RESERVED */
240 sizeof(struct sadb_sa_2
), /* SADB_EXT_SA */
241 sizeof(struct sadb_lifetime
), /* SADB_EXT_LIFETIME_CURRENT */
242 sizeof(struct sadb_lifetime
), /* SADB_EXT_LIFETIME_HARD */
243 sizeof(struct sadb_lifetime
), /* SADB_EXT_LIFETIME_SOFT */
244 0, /* SADB_EXT_ADDRESS_SRC */
245 0, /* SADB_EXT_ADDRESS_DST */
246 0, /* SADB_EXT_ADDRESS_PROXY */
247 0, /* SADB_EXT_KEY_AUTH */
248 0, /* SADB_EXT_KEY_ENCRYPT */
249 0, /* SADB_EXT_IDENTITY_SRC */
250 0, /* SADB_EXT_IDENTITY_DST */
251 0, /* SADB_EXT_SENSITIVITY */
252 0, /* SADB_EXT_PROPOSAL */
253 0, /* SADB_EXT_SUPPORTED_AUTH */
254 0, /* SADB_EXT_SUPPORTED_ENCRYPT */
255 sizeof(struct sadb_spirange
), /* SADB_EXT_SPIRANGE */
256 0, /* SADB_X_EXT_KMPRIVATE */
257 0, /* SADB_X_EXT_POLICY */
258 sizeof(struct sadb_x_sa2
), /* SADB_X_SA2 */
259 0, /* SADB_EXT_SESSION_ID */
260 0, /* SADB_EXT_SASTAT */
261 sizeof(struct sadb_x_ipsecif
), /* SADB_X_EXT_IPSECIF */
262 0, /* SADB_X_EXT_ADDR_RANGE_SRC_START */
263 0, /* SADB_X_EXT_ADDR_RANGE_SRC_END */
264 0, /* SADB_X_EXT_ADDR_RANGE_DST_START */
265 0, /* SADB_X_EXT_ADDR_RANGE_DST_END */
266 0, /* SADB_EXT_MIGRATE_ADDRESS_SRC */
267 0, /* SADB_EXT_MIGRATE_ADDRESS_DST */
268 sizeof(struct sadb_x_ipsecif
), /* SADB_X_EXT_MIGRATE_IPSECIF */
271 static int ipsec_esp_keymin
= 256;
272 static int ipsec_esp_auth
= 0;
273 static int ipsec_ah_keymin
= 128;
275 SYSCTL_DECL(_net_key
);
276 /* Thread safe: no accumulated state */
277 SYSCTL_INT(_net_key
, KEYCTL_DEBUG_LEVEL
, debug
, CTLFLAG_RW
| CTLFLAG_LOCKED
, \
278 &key_debug_level
, 0, "");
281 /* max count of trial for the decision of spi value */
282 SYSCTL_INT(_net_key
, KEYCTL_SPI_TRY
, spi_trycnt
, CTLFLAG_RW
| CTLFLAG_LOCKED
, \
283 &key_spi_trycnt
, 0, "");
285 /* minimum spi value to allocate automatically. */
286 SYSCTL_INT(_net_key
, KEYCTL_SPI_MIN_VALUE
, spi_minval
, CTLFLAG_RW
| CTLFLAG_LOCKED
, \
287 &key_spi_minval
, 0, "");
289 /* maximun spi value to allocate automatically. */
290 SYSCTL_INT(_net_key
, KEYCTL_SPI_MAX_VALUE
, spi_maxval
, CTLFLAG_RW
| CTLFLAG_LOCKED
, \
291 &key_spi_maxval
, 0, "");
293 /* interval to initialize randseed */
294 SYSCTL_INT(_net_key
, KEYCTL_RANDOM_INT
, int_random
, CTLFLAG_RW
| CTLFLAG_LOCKED
, \
295 &key_int_random
, 0, "");
297 /* lifetime for larval SA; thread safe due to > compare */
298 SYSCTL_INT(_net_key
, KEYCTL_LARVAL_LIFETIME
, larval_lifetime
, CTLFLAG_RW
| CTLFLAG_LOCKED
, \
299 &key_larval_lifetime
, 0, "");
301 /* counter for blocking to send SADB_ACQUIRE to IKEd */
302 SYSCTL_INT(_net_key
, KEYCTL_BLOCKACQ_COUNT
, blockacq_count
, CTLFLAG_RW
| CTLFLAG_LOCKED
, \
303 &key_blockacq_count
, 0, "");
305 /* lifetime for blocking to send SADB_ACQUIRE to IKEd: Thread safe, > compare */
306 SYSCTL_INT(_net_key
, KEYCTL_BLOCKACQ_LIFETIME
, blockacq_lifetime
, CTLFLAG_RW
| CTLFLAG_LOCKED
, \
307 &key_blockacq_lifetime
, 0, "");
310 SYSCTL_INT(_net_key
, KEYCTL_ESP_AUTH
, esp_auth
, CTLFLAG_RW
| CTLFLAG_LOCKED
, \
311 &ipsec_esp_auth
, 0, "");
313 /* minimum ESP key length */
314 SYSCTL_INT(_net_key
, KEYCTL_ESP_KEYMIN
, esp_keymin
, CTLFLAG_RW
| CTLFLAG_LOCKED
, \
315 &ipsec_esp_keymin
, 0, "");
317 /* minimum AH key length */
318 SYSCTL_INT(_net_key
, KEYCTL_AH_KEYMIN
, ah_keymin
, CTLFLAG_RW
| CTLFLAG_LOCKED
, \
319 &ipsec_ah_keymin
, 0, "");
321 /* perfered old SA rather than new SA */
322 SYSCTL_INT(_net_key
, KEYCTL_PREFERED_OLDSA
, prefered_oldsa
, CTLFLAG_RW
| CTLFLAG_LOCKED
, \
323 &key_preferred_oldsa
, 0, "");
325 /* time between NATT keepalives in seconds, 0 disabled */
326 SYSCTL_INT(_net_key
, KEYCTL_NATT_KEEPALIVE_INTERVAL
, natt_keepalive_interval
, CTLFLAG_RW
| CTLFLAG_LOCKED
, \
327 &natt_keepalive_interval
, 0, "");
329 /* PF_KEY statistics */
330 SYSCTL_STRUCT(_net_key
, KEYCTL_PFKEYSTAT
, pfkeystat
, CTLFLAG_RD
| CTLFLAG_LOCKED
, \
331 &pfkeystat
, pfkeystat
, "");
334 #define LIST_FOREACH(elm, head, field) \
335 for (elm = LIST_FIRST(head); elm; elm = LIST_NEXT(elm, field))
337 #define __LIST_CHAINED(elm) \
338 (!((elm)->chain.le_next == NULL && (elm)->chain.le_prev == NULL))
339 #define LIST_INSERT_TAIL(head, elm, type, field) \
341 struct type *curelm = LIST_FIRST(head); \
342 if (curelm == NULL) {\
343 LIST_INSERT_HEAD(head, elm, field); \
345 while (LIST_NEXT(curelm, field)) \
346 curelm = LIST_NEXT(curelm, field);\
347 LIST_INSERT_AFTER(curelm, elm, field);\
351 #define KEY_CHKSASTATE(head, sav, name) \
353 if ((head) != (sav)) { \
354 ipseclog((LOG_DEBUG, "%s: state mismatched (TREE=%d SA=%d)\n", \
355 (name), (head), (sav))); \
360 #define KEY_CHKSPDIR(head, sp, name) \
362 if ((head) != (sp)) { \
363 ipseclog((LOG_DEBUG, "%s: direction mismatched (TREE=%d SP=%d), " \
364 "anyway continue.\n", \
365 (name), (head), (sp))); \
370 #define KMALLOC_WAIT(p, t, n) \
371 ((p) = (t) _MALLOC((u_int32_t)(n), M_SECA, M_WAITOK))
372 #define KMALLOC_NOWAIT(p, t, n) \
373 ((p) = (t) _MALLOC((u_int32_t)(n), M_SECA, M_NOWAIT))
375 _FREE((caddr_t)(p), M_SECA);
377 #define KMALLOC_WAIT(p, t, n) \
379 ((p) = (t)_MALLOC((u_int32_t)(n), M_SECA, M_WAITOK)); \
380 printf("%s %d: %p <- KMALLOC_WAIT(%s, %d)\n", \
381 __FILE__, __LINE__, (p), #t, n); \
383 #define KMALLOC_NOWAIT(p, t, n) \
385 ((p) = (t)_MALLOC((u_int32_t)(n), M_SECA, M_NOWAIT)); \
386 printf("%s %d: %p <- KMALLOC_NOWAIT(%s, %d)\n", \
387 __FILE__, __LINE__, (p), #t, n); \
392 printf("%s %d: %p -> KFREE()\n", __FILE__, __LINE__, (p)); \
393 _FREE((caddr_t)(p), M_SECA); \
398 * set parameters into secpolicyindex buffer.
399 * Must allocate secpolicyindex buffer passed to this function.
401 #define KEY_SETSECSPIDX(_dir, s, d, ps, pd, ulp, ifp, s_s, s_e, d_s, d_e, idx) \
403 bzero((idx), sizeof(struct secpolicyindex)); \
404 (idx)->dir = (_dir); \
405 (idx)->prefs = (ps); \
406 (idx)->prefd = (pd); \
407 (idx)->ul_proto = (ulp); \
408 (idx)->internal_if = (ifp); \
409 if (s) bcopy((s), &(idx)->src, ((struct sockaddr *)(s))->sa_len); \
410 if (d) bcopy((d), &(idx)->dst, ((struct sockaddr *)(d))->sa_len); \
411 if (s_s) bcopy((s_s), &(idx)->src_range.start, ((struct sockaddr *)(s_s))->sa_len); \
412 if (s_e) bcopy((s_e), &(idx)->src_range.end, ((struct sockaddr *)(s_e))->sa_len); \
413 if (d_s) bcopy((d_s), &(idx)->dst_range.start, ((struct sockaddr *)(d_s))->sa_len); \
414 if (d_e) bcopy((d_e), &(idx)->dst_range.end, ((struct sockaddr *)(d_e))->sa_len); \
418 * set parameters into secasindex buffer.
419 * Must allocate secasindex buffer before calling this function.
421 #define KEY_SETSECASIDX(p, m, r, s, d, ifi, idx) \
423 bzero((idx), sizeof(struct secasindex)); \
424 (idx)->proto = (p); \
426 (idx)->reqid = (r); \
427 bcopy((s), &(idx)->src, ((const struct sockaddr *)(s))->sa_len); \
428 bcopy((d), &(idx)->dst, ((const struct sockaddr *)(d))->sa_len); \
429 (idx)->ipsec_ifindex = (ifi); \
434 u_int32_t getspi_count
; /* the avarage of count to try to get new SPI */
438 struct sadb_msg
*msg
;
439 struct sadb_ext
*ext
[SADB_EXT_MAX
+ 1];
440 int extoff
[SADB_EXT_MAX
+ 1];
441 int extlen
[SADB_EXT_MAX
+ 1];
444 static struct secpolicy
*__key_getspbyid(u_int32_t id
);
445 static struct secasvar
*key_do_allocsa_policy(struct secashead
*, u_int
, u_int16_t
);
446 static int key_do_get_translated_port(struct secashead
*, struct secasvar
*, u_int
);
447 static void key_delsp(struct secpolicy
*);
448 static struct secpolicy
*key_getsp(struct secpolicyindex
*);
449 static u_int32_t
key_newreqid(void);
450 static struct mbuf
*key_gather_mbuf(struct mbuf
*,
451 const struct sadb_msghdr
*, int, int, int *);
452 static int key_spdadd(struct socket
*, struct mbuf
*,
453 const struct sadb_msghdr
*);
454 static u_int32_t
key_getnewspid(void);
455 static int key_spddelete(struct socket
*, struct mbuf
*,
456 const struct sadb_msghdr
*);
457 static int key_spddelete2(struct socket
*, struct mbuf
*,
458 const struct sadb_msghdr
*);
459 static int key_spdenable(struct socket
*, struct mbuf
*,
460 const struct sadb_msghdr
*);
461 static int key_spddisable(struct socket
*, struct mbuf
*,
462 const struct sadb_msghdr
*);
463 static int key_spdget(struct socket
*, struct mbuf
*,
464 const struct sadb_msghdr
*);
465 static int key_spdflush(struct socket
*, struct mbuf
*,
466 const struct sadb_msghdr
*);
467 static int key_spddump(struct socket
*, struct mbuf
*,
468 const struct sadb_msghdr
*);
469 static struct mbuf
*key_setdumpsp(struct secpolicy
*,
470 u_int8_t
, u_int32_t
, u_int32_t
);
471 static u_int
key_getspreqmsglen(struct secpolicy
*);
472 static int key_spdexpire(struct secpolicy
*);
473 static struct secashead
*key_newsah(struct secasindex
*, ifnet_t
, u_int
, u_int8_t
);
474 static struct secasvar
*key_newsav(struct mbuf
*,
475 const struct sadb_msghdr
*, struct secashead
*, int *,
477 static struct secashead
*key_getsah(struct secasindex
*);
478 static struct secasvar
*key_checkspidup(struct secasindex
*, u_int32_t
);
479 static void key_setspi
__P((struct secasvar
*, u_int32_t
));
480 static struct secasvar
*key_getsavbyspi(struct secashead
*, u_int32_t
);
481 static int key_setsaval(struct secasvar
*, struct mbuf
*,
482 const struct sadb_msghdr
*);
483 static int key_mature(struct secasvar
*);
484 static struct mbuf
*key_setdumpsa(struct secasvar
*, u_int8_t
,
485 u_int8_t
, u_int32_t
, u_int32_t
);
486 static struct mbuf
*key_setsadbmsg(u_int8_t
, u_int16_t
, u_int8_t
,
487 u_int32_t
, pid_t
, u_int16_t
);
488 static struct mbuf
*key_setsadbsa(struct secasvar
*);
489 static struct mbuf
*key_setsadbaddr(u_int16_t
,
490 struct sockaddr
*, u_int8_t
, u_int16_t
);
491 static struct mbuf
*key_setsadbipsecif(ifnet_t
, ifnet_t
, ifnet_t
, int);
493 static struct mbuf
*key_setsadbident(u_int16_t
, u_int16_t
, caddr_t
,
496 static struct mbuf
*key_setsadbxsa2(u_int8_t
, u_int32_t
, u_int32_t
, u_int16_t
);
497 static struct mbuf
*key_setsadbxpolicy(u_int16_t
, u_int8_t
,
499 static void *key_newbuf(const void *, u_int
);
501 static int key_ismyaddr6(struct sockaddr_in6
*);
503 static void key_update_natt_keepalive_timestamp(struct secasvar
*, struct secasvar
*);
505 /* flags for key_cmpsaidx() */
506 #define CMP_HEAD 0x1 /* protocol, addresses. */
507 #define CMP_PORT 0x2 /* additionally HEAD, reqid, mode. */
508 #define CMP_REQID 0x4 /* additionally HEAD, reqid. */
509 #define CMP_MODE 0x8 /* additionally mode. */
510 #define CMP_EXACTLY 0xF /* all elements. */
511 static int key_cmpsaidx(struct secasindex
*, struct secasindex
*, int);
513 static int key_cmpspidx_exactly(struct secpolicyindex
*,
514 struct secpolicyindex
*);
515 static int key_cmpspidx_withmask(struct secpolicyindex
*,
516 struct secpolicyindex
*);
517 static int key_sockaddrcmp(struct sockaddr
*, struct sockaddr
*, int);
518 static int key_is_addr_in_range(struct sockaddr_storage
*, struct secpolicyaddrrange
*);
519 static int key_bbcmp(caddr_t
, caddr_t
, u_int
);
520 static void key_srandom(void);
521 static u_int16_t
key_satype2proto(u_int8_t
);
522 static u_int8_t
key_proto2satype(u_int16_t
);
524 static int key_getspi(struct socket
*, struct mbuf
*,
525 const struct sadb_msghdr
*);
526 static u_int32_t
key_do_getnewspi(struct sadb_spirange
*, struct secasindex
*);
527 static int key_update(struct socket
*, struct mbuf
*,
528 const struct sadb_msghdr
*);
530 static struct secasvar
*key_getsavbyseq(struct secashead
*, u_int32_t
);
532 static int key_add(struct socket
*, struct mbuf
*, const struct sadb_msghdr
*);
533 static int key_setident(struct secashead
*, struct mbuf
*,
534 const struct sadb_msghdr
*);
535 static struct mbuf
*key_getmsgbuf_x1(struct mbuf
*, const struct sadb_msghdr
*);
536 static int key_delete(struct socket
*, struct mbuf
*,
537 const struct sadb_msghdr
*);
538 static int key_get(struct socket
*, struct mbuf
*, const struct sadb_msghdr
*);
540 static void key_getcomb_setlifetime(struct sadb_comb
*);
542 static struct mbuf
*key_getcomb_esp(void);
544 static struct mbuf
*key_getcomb_ah(void);
545 static struct mbuf
*key_getprop(const struct secasindex
*);
547 static int key_acquire(struct secasindex
*, struct secpolicy
*);
548 #ifndef IPSEC_NONBLOCK_ACQUIRE
549 static struct secacq
*key_newacq(struct secasindex
*);
550 static struct secacq
*key_getacq(struct secasindex
*);
551 static struct secacq
*key_getacqbyseq(u_int32_t
);
553 static struct secspacq
*key_newspacq(struct secpolicyindex
*);
554 static struct secspacq
*key_getspacq(struct secpolicyindex
*);
555 static int key_acquire2(struct socket
*, struct mbuf
*,
556 const struct sadb_msghdr
*);
557 static int key_register(struct socket
*, struct mbuf
*,
558 const struct sadb_msghdr
*);
559 static int key_expire(struct secasvar
*);
560 static int key_flush(struct socket
*, struct mbuf
*,
561 const struct sadb_msghdr
*);
562 static int key_dump(struct socket
*, struct mbuf
*, const struct sadb_msghdr
*);
563 static int key_promisc(struct socket
*, struct mbuf
*,
564 const struct sadb_msghdr
*);
565 static int key_senderror(struct socket
*, struct mbuf
*, int);
566 static int key_validate_ext(const struct sadb_ext
*, int);
567 static int key_align(struct mbuf
*, struct sadb_msghdr
*);
568 static struct mbuf
*key_alloc_mbuf(int);
569 static int key_getsastat(struct socket
*, struct mbuf
*, const struct sadb_msghdr
*);
570 static int key_migrate(struct socket
*, struct mbuf
*, const struct sadb_msghdr
*);
571 static int key_setsaval2(struct secasvar
*sav
,
577 struct sadb_key
*key_auth
,
578 u_int16_t key_auth_len
,
579 struct sadb_key
*key_enc
,
580 u_int16_t key_enc_len
,
585 struct sadb_lifetime
*lifetime_hard
,
586 struct sadb_lifetime
*lifetime_soft
);
587 static void bzero_keys(const struct sadb_msghdr
*);
589 extern int ipsec_bypass
;
590 extern int esp_udp_encap_port
;
591 int ipsec_send_natt_keepalive(struct secasvar
*sav
);
592 bool ipsec_fill_offload_frame(ifnet_t ifp
, struct secasvar
*sav
, struct ifnet_keepalive_offload_frame
*frame
, size_t frame_data_offset
);
594 void key_init(struct protosw
*, struct domain
*);
598 * setup locks, call raw_init(), and then init timer and associated data
602 key_init(struct protosw
*pp
, struct domain
*dp
)
604 static int key_initialized
= 0;
607 VERIFY((pp
->pr_flags
& (PR_INITIALIZED
| PR_ATTACHED
)) == PR_ATTACHED
);
609 _CASSERT(PFKEY_ALIGN8(sizeof(struct sadb_msg
)) <= _MHLEN
);
610 _CASSERT(MAX_REPLAY_WINDOWS
== MBUF_TC_MAX
);
612 if (key_initialized
) {
617 sadb_mutex_grp_attr
= lck_grp_attr_alloc_init();
618 sadb_mutex_grp
= lck_grp_alloc_init("sadb", sadb_mutex_grp_attr
);
619 sadb_mutex_attr
= lck_attr_alloc_init();
621 lck_mtx_init(sadb_mutex
, sadb_mutex_grp
, sadb_mutex_attr
);
623 pfkey_stat_mutex_grp_attr
= lck_grp_attr_alloc_init();
624 pfkey_stat_mutex_grp
= lck_grp_alloc_init("pfkey_stat", pfkey_stat_mutex_grp_attr
);
625 pfkey_stat_mutex_attr
= lck_attr_alloc_init();
627 lck_mtx_init(pfkey_stat_mutex
, pfkey_stat_mutex_grp
, pfkey_stat_mutex_attr
);
629 for (i
= 0; i
< SPIHASHSIZE
; i
++) {
630 LIST_INIT(&spihash
[i
]);
635 bzero((caddr_t
)&key_cb
, sizeof(key_cb
));
637 for (i
= 0; i
< IPSEC_DIR_MAX
; i
++) {
638 LIST_INIT(&sptree
[i
]);
640 ipsec_policy_count
= 0;
644 for (i
= 0; i
<= SADB_SATYPE_MAX
; i
++) {
645 LIST_INIT(®tree
[i
]);
649 #ifndef IPSEC_NONBLOCK_ACQUIRE
652 LIST_INIT(&spacqtree
);
656 ip4_def_policy
.policy
= IPSEC_POLICY_NONE
;
657 ip4_def_policy
.refcnt
++; /*never reclaim this*/
660 ip6_def_policy
.policy
= IPSEC_POLICY_NONE
;
661 ip6_def_policy
.refcnt
++; /*never reclaim this*/
664 key_timehandler_running
= 0;
666 /* initialize key statistics */
667 keystat
.getspi_count
= 1;
671 printf("IPsec: Initialized Security Association Processing.\n");
676 key_start_timehandler(void)
678 /* must be called while locked */
679 LCK_MTX_ASSERT(sadb_mutex
, LCK_MTX_ASSERT_OWNED
);
680 if (key_timehandler_running
== 0) {
681 key_timehandler_running
= 1;
682 (void)timeout((void *)key_timehandler
, (void *)0, hz
);
685 /* Turn off the ipsec bypass */
686 if (ipsec_bypass
!= 0) {
691 /* %%% IPsec policy management */
693 * allocating a SP for OUTBOUND or INBOUND packet.
694 * Must call key_freesp() later.
695 * OUT: NULL: not found
696 * others: found and return the pointer.
700 struct secpolicyindex
*spidx
,
703 struct secpolicy
*sp
;
706 LCK_MTX_ASSERT(sadb_mutex
, LCK_MTX_ASSERT_NOTOWNED
);
709 panic("key_allocsp: NULL pointer is passed.\n");
712 /* check direction */
714 case IPSEC_DIR_INBOUND
:
715 case IPSEC_DIR_OUTBOUND
:
718 panic("key_allocsp: Invalid direction is passed.\n");
722 KEYDEBUG(KEYDEBUG_IPSEC_DATA
,
723 printf("*** objects\n");
724 kdebug_secpolicyindex(spidx
));
726 lck_mtx_lock(sadb_mutex
);
727 LIST_FOREACH(sp
, &sptree
[dir
], chain
) {
728 KEYDEBUG(KEYDEBUG_IPSEC_DATA
,
729 printf("*** in SPD\n");
730 kdebug_secpolicyindex(&sp
->spidx
));
732 if (sp
->state
== IPSEC_SPSTATE_DEAD
) {
736 /* If the policy is disabled, skip */
737 if (sp
->disabled
> 0) {
741 /* If the incoming spidx specifies bound if,
742 * ignore unbound policies*/
743 if (spidx
->internal_if
!= NULL
744 && (sp
->spidx
.internal_if
== NULL
|| sp
->ipsec_if
== NULL
)) {
748 if (key_cmpspidx_withmask(&sp
->spidx
, spidx
)) {
752 lck_mtx_unlock(sadb_mutex
);
757 /* found a SPD entry */
759 sp
->lastused
= tv
.tv_sec
;
761 lck_mtx_unlock(sadb_mutex
);
764 KEY_CHKSPDIR(sp
->spidx
.dir
, dir
, "key_allocsp");
765 KEYDEBUG(KEYDEBUG_IPSEC_STAMP
,
766 printf("DP key_allocsp cause refcnt++:%d SP:0x%llx\n",
767 sp
->refcnt
, (uint64_t)VM_KERNEL_ADDRPERM(sp
)));
772 * return a policy that matches this particular inbound packet.
777 struct sockaddr
*osrc
,
778 struct sockaddr
*odst
,
779 struct sockaddr
*isrc
,
780 struct sockaddr
*idst
)
782 struct secpolicy
*sp
;
783 const int dir
= IPSEC_DIR_INBOUND
;
785 struct ipsecrequest
*r1
, *r2
, *p
;
786 struct sockaddr
*os
, *od
, *is
, *id
;
787 struct secpolicyindex spidx
;
789 if (isrc
->sa_family
!= idst
->sa_family
) {
790 ipseclog((LOG_ERR
, "protocol family mismatched %d != %d\n.",
791 isrc
->sa_family
, idst
->sa_family
));
795 lck_mtx_lock(sadb_mutex
);
796 LIST_FOREACH(sp
, &sptree
[dir
], chain
) {
797 if (sp
->state
== IPSEC_SPSTATE_DEAD
) {
802 for (p
= sp
->req
; p
; p
= p
->next
) {
803 if (p
->saidx
.mode
!= IPSEC_MODE_TUNNEL
) {
811 /* here we look at address matches only */
813 if (isrc
->sa_len
> sizeof(spidx
.src
) ||
814 idst
->sa_len
> sizeof(spidx
.dst
)) {
817 bcopy(isrc
, &spidx
.src
, isrc
->sa_len
);
818 bcopy(idst
, &spidx
.dst
, idst
->sa_len
);
819 if (!key_cmpspidx_withmask(&sp
->spidx
, &spidx
)) {
823 is
= (struct sockaddr
*)&r1
->saidx
.src
;
824 id
= (struct sockaddr
*)&r1
->saidx
.dst
;
825 if (key_sockaddrcmp(is
, isrc
, 0) ||
826 key_sockaddrcmp(id
, idst
, 0)) {
831 os
= (struct sockaddr
*)&r2
->saidx
.src
;
832 od
= (struct sockaddr
*)&r2
->saidx
.dst
;
833 if (key_sockaddrcmp(os
, osrc
, 0) ||
834 key_sockaddrcmp(od
, odst
, 0)) {
841 lck_mtx_unlock(sadb_mutex
);
846 sp
->lastused
= tv
.tv_sec
;
848 lck_mtx_unlock(sadb_mutex
);
853 key_alloc_outbound_sav_for_interface(ifnet_t interface
, int family
,
854 struct sockaddr
*src
,
855 struct sockaddr
*dst
)
857 struct secashead
*sah
;
858 struct secasvar
*sav
;
861 const u_int
*saorder_state_valid
;
863 struct sockaddr_in
*sin
;
867 if (interface
== NULL
) {
871 LCK_MTX_ASSERT(sadb_mutex
, LCK_MTX_ASSERT_NOTOWNED
);
873 lck_mtx_lock(sadb_mutex
);
876 LIST_FOREACH(sah
, &sahtree
, chain
) {
877 if (sah
->state
== SADB_SASTATE_DEAD
) {
880 if (sah
->ipsec_if
== interface
&&
881 (family
== AF_INET6
|| family
== AF_INET
) &&
882 sah
->dir
== IPSEC_DIR_OUTBOUND
) {
884 sah
->saidx
.mode
== IPSEC_MODE_TRANSPORT
&&
885 src
!= NULL
&& dst
!= NULL
) {
886 // Validate addresses for transport mode
887 if (key_sockaddrcmp((struct sockaddr
*)&sah
->saidx
.src
, src
, 0) != 0) {
888 // Source doesn't match
892 if (key_sockaddrcmp((struct sockaddr
*)&sah
->saidx
.dst
, dst
, 0) != 0) {
893 // Destination doesn't match
898 /* This SAH is linked to the IPsec interface, and the right family. We found it! */
899 if (key_preferred_oldsa
) {
900 saorder_state_valid
= saorder_state_valid_prefer_old
;
901 arraysize
= _ARRAYLEN(saorder_state_valid_prefer_old
);
903 saorder_state_valid
= saorder_state_valid_prefer_new
;
904 arraysize
= _ARRAYLEN(saorder_state_valid_prefer_new
);
907 sin
= (struct sockaddr_in
*)&sah
->saidx
.dst
;
908 dstport
= sin
->sin_port
;
909 if (sah
->saidx
.mode
== IPSEC_MODE_TRANSPORT
) {
910 sin
->sin_port
= IPSEC_PORT_ANY
;
913 for (stateidx
= 0; stateidx
< arraysize
; stateidx
++) {
914 state
= saorder_state_valid
[stateidx
];
915 sav
= key_do_allocsa_policy(sah
, state
, dstport
);
917 lck_mtx_unlock(sadb_mutex
);
926 // If we didn't find anything, try again without strict
929 // We already were on the second try, bail
934 lck_mtx_unlock(sadb_mutex
);
939 * allocating an SA entry for an *OUTBOUND* packet.
940 * checking each request entries in SP, and acquire an SA if need.
941 * OUT: 0: there are valid requests.
942 * ENOENT: policy may be valid, but SA with REQUIRE is on acquiring.
946 struct ipsecrequest
*isr
,
947 struct secasindex
*saidx
,
948 struct secasvar
**sav
)
952 struct sockaddr_in
*sin
;
954 LCK_MTX_ASSERT(sadb_mutex
, LCK_MTX_ASSERT_NOTOWNED
);
959 if (isr
== NULL
|| saidx
== NULL
) {
960 panic("key_checkrequest: NULL pointer is passed.\n");
964 switch (saidx
->mode
) {
965 case IPSEC_MODE_TRANSPORT
:
966 case IPSEC_MODE_TUNNEL
:
970 panic("key_checkrequest: Invalid policy defined.\n");
973 /* get current level */
974 level
= ipsec_get_reqlevel(isr
);
978 * key_allocsa_policy should allocate the oldest SA available.
979 * See key_do_allocsa_policy(), and draft-jenkins-ipsec-rekeying-03.txt.
982 *sav
= key_allocsa_policy(saidx
);
985 /* When there is SA. */
992 * Remove dst port - used for special natt support - don't call
993 * key_acquire with it.
995 if (saidx
->mode
== IPSEC_MODE_TRANSPORT
) {
996 sin
= (struct sockaddr_in
*)&saidx
->dst
;
997 sin
->sin_port
= IPSEC_PORT_ANY
;
999 if ((error
= key_acquire(saidx
, isr
->sp
)) != 0) {
1000 /* XXX What should I do ? */
1001 ipseclog((LOG_DEBUG
, "key_checkrequest: error %d returned "
1002 "from key_acquire.\n", error
));
1006 return level
== IPSEC_LEVEL_REQUIRE
? ENOENT
: 0;
1010 * allocating a SA for policy entry from SAD.
1011 * NOTE: searching SAD of aliving state.
1012 * OUT: NULL: not found.
1013 * others: found and return the pointer.
1015 u_int32_t sah_search_calls
= 0;
1016 u_int32_t sah_search_count
= 0;
1019 struct secasindex
*saidx
)
1021 struct secashead
*sah
;
1022 struct secasvar
*sav
;
1023 u_int stateidx
, state
;
1024 const u_int
*saorder_state_valid
;
1026 struct sockaddr_in
*sin
;
1029 lck_mtx_lock(sadb_mutex
);
1031 LIST_FOREACH(sah
, &sahtree
, chain
) {
1033 if (sah
->state
== SADB_SASTATE_DEAD
) {
1036 if (key_cmpsaidx(&sah
->saidx
, saidx
, CMP_MODE
| CMP_REQID
)) {
1040 lck_mtx_unlock(sadb_mutex
);
1046 * search a valid state list for outbound packet.
1047 * This search order is important.
1049 if (key_preferred_oldsa
) {
1050 saorder_state_valid
= saorder_state_valid_prefer_old
;
1051 arraysize
= _ARRAYLEN(saorder_state_valid_prefer_old
);
1053 saorder_state_valid
= saorder_state_valid_prefer_new
;
1054 arraysize
= _ARRAYLEN(saorder_state_valid_prefer_new
);
1058 sin
= (struct sockaddr_in
*)&saidx
->dst
;
1059 dstport
= sin
->sin_port
;
1060 if (saidx
->mode
== IPSEC_MODE_TRANSPORT
) {
1061 sin
->sin_port
= IPSEC_PORT_ANY
;
1064 for (stateidx
= 0; stateidx
< arraysize
; stateidx
++) {
1065 state
= saorder_state_valid
[stateidx
];
1067 sav
= key_do_allocsa_policy(sah
, state
, dstport
);
1069 lck_mtx_unlock(sadb_mutex
);
1073 lck_mtx_unlock(sadb_mutex
);
1078 key_send_delete(struct secasvar
*sav
)
1080 struct mbuf
*m
, *result
;
1083 key_sa_chgstate(sav
, SADB_SASTATE_DEAD
);
1085 if ((satype
= key_proto2satype(sav
->sah
->saidx
.proto
)) == 0) {
1086 panic("key_do_allocsa_policy: invalid proto is passed.\n");
1089 m
= key_setsadbmsg(SADB_DELETE
, 0,
1090 satype
, 0, 0, sav
->refcnt
- 1);
1096 /* set sadb_address for saidx's. */
1097 m
= key_setsadbaddr(SADB_EXT_ADDRESS_SRC
,
1098 (struct sockaddr
*)&sav
->sah
->saidx
.src
,
1099 sav
->sah
->saidx
.src
.ss_len
<< 3,
1106 /* set sadb_address for saidx's. */
1107 m
= key_setsadbaddr(SADB_EXT_ADDRESS_DST
,
1108 (struct sockaddr
*)&sav
->sah
->saidx
.dst
,
1109 sav
->sah
->saidx
.src
.ss_len
<< 3,
1116 /* create SA extension */
1117 m
= key_setsadbsa(sav
);
1123 if (result
->m_len
< sizeof(struct sadb_msg
)) {
1124 result
= m_pullup(result
,
1125 sizeof(struct sadb_msg
));
1126 if (result
== NULL
) {
1131 result
->m_pkthdr
.len
= 0;
1132 for (m
= result
; m
; m
= m
->m_next
) {
1133 result
->m_pkthdr
.len
+= m
->m_len
;
1135 mtod(result
, struct sadb_msg
*)->sadb_msg_len
=
1136 PFKEY_UNIT64(result
->m_pkthdr
.len
);
1138 if (key_sendup_mbuf(NULL
, result
,
1139 KEY_SENDUP_REGISTERED
)) {
1143 key_freesav(sav
, KEY_SADB_LOCKED
);
1147 * searching SAD with direction, protocol, mode and state.
1148 * called by key_allocsa_policy().
1151 * others : found, pointer to a SA.
1153 static struct secasvar
*
1154 key_do_allocsa_policy(
1155 struct secashead
*sah
,
1159 struct secasvar
*sav
, *nextsav
, *candidate
, *natt_candidate
, *no_natt_candidate
, *d
;
1161 LCK_MTX_ASSERT(sadb_mutex
, LCK_MTX_ASSERT_OWNED
);
1165 natt_candidate
= NULL
;
1166 no_natt_candidate
= NULL
;
1168 for (sav
= LIST_FIRST(&sah
->savtree
[state
]);
1171 nextsav
= LIST_NEXT(sav
, chain
);
1174 KEY_CHKSASTATE(sav
->state
, state
, "key_do_allocsa_policy");
1176 if (sah
->saidx
.mode
== IPSEC_MODE_TUNNEL
&& dstport
&&
1177 ((sav
->flags
& SADB_X_EXT_NATT
) != 0) &&
1178 ntohs(dstport
) != sav
->remote_ike_port
) {
1182 if (sah
->saidx
.mode
== IPSEC_MODE_TRANSPORT
&&
1183 ((sav
->flags
& SADB_X_EXT_NATT_MULTIPLEUSERS
) != 0) &&
1184 ntohs(dstport
) != sav
->remote_ike_port
) {
1185 continue; /* skip this one - not a match - or not UDP */
1187 if ((sah
->saidx
.mode
== IPSEC_MODE_TUNNEL
&&
1188 ((sav
->flags
& SADB_X_EXT_NATT
) != 0)) ||
1189 (sah
->saidx
.mode
== IPSEC_MODE_TRANSPORT
&&
1190 ((sav
->flags
& SADB_X_EXT_NATT_MULTIPLEUSERS
) != 0))) {
1191 if (natt_candidate
== NULL
) {
1192 natt_candidate
= sav
;
1195 candidate
= natt_candidate
;
1198 if (no_natt_candidate
== NULL
) {
1199 no_natt_candidate
= sav
;
1202 candidate
= no_natt_candidate
;
1206 /* Which SA is the better ? */
1208 /* sanity check 2 */
1209 if (candidate
->lft_c
== NULL
|| sav
->lft_c
== NULL
) {
1210 panic("key_do_allocsa_policy: "
1211 "lifetime_current is NULL.\n");
1214 /* What the best method is to compare ? */
1215 if (key_preferred_oldsa
) {
1216 if (candidate
->lft_c
->sadb_lifetime_addtime
>
1217 sav
->lft_c
->sadb_lifetime_addtime
) {
1218 if ((sav
->flags
& SADB_X_EXT_NATT_MULTIPLEUSERS
) != 0) {
1219 natt_candidate
= sav
;
1221 no_natt_candidate
= sav
;
1228 /* prefered new sa rather than old sa */
1229 if (candidate
->lft_c
->sadb_lifetime_addtime
<
1230 sav
->lft_c
->sadb_lifetime_addtime
) {
1232 if ((sah
->saidx
.mode
== IPSEC_MODE_TUNNEL
&&
1233 ((sav
->flags
& SADB_X_EXT_NATT
) != 0)) ||
1234 (sah
->saidx
.mode
== IPSEC_MODE_TRANSPORT
&&
1235 ((sav
->flags
& SADB_X_EXT_NATT_MULTIPLEUSERS
) != 0))) {
1236 natt_candidate
= sav
;
1238 no_natt_candidate
= sav
;
1245 * prepared to delete the SA when there is more
1246 * suitable candidate and the lifetime of the SA is not
1249 if (d
->lft_c
->sadb_lifetime_addtime
!= 0) {
1254 /* choose latest if both types present */
1255 if (natt_candidate
== NULL
) {
1256 candidate
= no_natt_candidate
;
1257 } else if (no_natt_candidate
== NULL
) {
1258 candidate
= natt_candidate
;
1259 } else if (sah
->saidx
.mode
== IPSEC_MODE_TUNNEL
&& dstport
) {
1260 candidate
= natt_candidate
;
1261 } else if (natt_candidate
->lft_c
->sadb_lifetime_addtime
>
1262 no_natt_candidate
->lft_c
->sadb_lifetime_addtime
) {
1263 candidate
= natt_candidate
;
1265 candidate
= no_natt_candidate
;
1269 candidate
->refcnt
++;
1270 KEYDEBUG(KEYDEBUG_IPSEC_STAMP
,
1271 printf("DP allocsa_policy cause "
1272 "refcnt++:%d SA:0x%llx\n", candidate
->refcnt
,
1273 (uint64_t)VM_KERNEL_ADDRPERM(candidate
)));
1279 * allocating a SA entry for a *INBOUND* packet.
1280 * Must call key_freesav() later.
1281 * OUT: positive: pointer to a sav.
1282 * NULL: not found, or error occurred.
1284 * In the comparison, source address will be ignored for RFC2401 conformance.
1285 * To quote, from section 4.1:
1286 * A security association is uniquely identified by a triple consisting
1287 * of a Security Parameter Index (SPI), an IP Destination Address, and a
1288 * security protocol (AH or ESP) identifier.
1289 * Note that, however, we do need to keep source address in IPsec SA.
1290 * IKE specification and PF_KEY specification do assume that we
1291 * keep source address in IPsec SA. We see a tricky situation here.
1301 return key_allocsa_extended(family
, src
, dst
, proto
, spi
, NULL
);
1305 key_allocsa_extended(u_int family
,
1312 struct secasvar
*sav
, *match
;
1313 u_int stateidx
, state
, tmpidx
, matchidx
;
1314 struct sockaddr_in sin
;
1315 struct sockaddr_in6 sin6
;
1316 const u_int
*saorder_state_valid
;
1319 LCK_MTX_ASSERT(sadb_mutex
, LCK_MTX_ASSERT_NOTOWNED
);
1322 if (src
== NULL
|| dst
== NULL
) {
1323 panic("key_allocsa: NULL pointer is passed.\n");
1327 * when both systems employ similar strategy to use a SA.
1328 * the search order is important even in the inbound case.
1330 if (key_preferred_oldsa
) {
1331 saorder_state_valid
= saorder_state_valid_prefer_old
;
1332 arraysize
= _ARRAYLEN(saorder_state_valid_prefer_old
);
1334 saorder_state_valid
= saorder_state_valid_prefer_new
;
1335 arraysize
= _ARRAYLEN(saorder_state_valid_prefer_new
);
1340 * XXX: to be checked internal IP header somewhere. Also when
1341 * IPsec tunnel packet is received. But ESP tunnel mode is
1342 * encrypted so we can't check internal IP header.
1345 * search a valid state list for inbound packet.
1346 * the search order is not important.
1349 matchidx
= arraysize
;
1350 lck_mtx_lock(sadb_mutex
);
1351 LIST_FOREACH(sav
, &spihash
[SPIHASH(spi
)], spihash
) {
1352 if (sav
->spi
!= spi
) {
1355 if (interface
!= NULL
&&
1356 sav
->sah
->ipsec_if
!= interface
) {
1359 if (proto
!= sav
->sah
->saidx
.proto
) {
1362 if (family
!= sav
->sah
->saidx
.src
.ss_family
||
1363 family
!= sav
->sah
->saidx
.dst
.ss_family
) {
1367 for (stateidx
= 0; stateidx
< matchidx
; stateidx
++) {
1368 state
= saorder_state_valid
[stateidx
];
1369 if (sav
->state
== state
) {
1374 if (tmpidx
>= matchidx
) {
1378 #if 0 /* don't check src */
1379 /* check src address */
1382 bzero(&sin
, sizeof(sin
));
1383 sin
.sin_family
= AF_INET
;
1384 sin
.sin_len
= sizeof(sin
);
1385 bcopy(src
, &sin
.sin_addr
,
1386 sizeof(sin
.sin_addr
));
1387 if (key_sockaddrcmp((struct sockaddr
*)&sin
,
1388 (struct sockaddr
*)&sav
->sah
->saidx
.src
, 0) != 0) {
1393 bzero(&sin6
, sizeof(sin6
));
1394 sin6
.sin6_family
= AF_INET6
;
1395 sin6
.sin6_len
= sizeof(sin6
);
1396 bcopy(src
, &sin6
.sin6_addr
,
1397 sizeof(sin6
.sin6_addr
));
1398 if (IN6_IS_SCOPE_LINKLOCAL(&sin6
.sin6_addr
)) {
1399 /* kame fake scopeid */
1400 sin6
.sin6_scope_id
=
1401 ntohs(sin6
.sin6_addr
.s6_addr16
[1]);
1402 sin6
.sin6_addr
.s6_addr16
[1] = 0;
1404 if (key_sockaddrcmp((struct sockaddr
*)&sin6
,
1405 (struct sockaddr
*)&sav
->sah
->saidx
.src
, 0) != 0) {
1410 ipseclog((LOG_DEBUG
, "key_allocsa: "
1411 "unknown address family=%d.\n",
1417 /* check dst address */
1420 bzero(&sin
, sizeof(sin
));
1421 sin
.sin_family
= AF_INET
;
1422 sin
.sin_len
= sizeof(sin
);
1423 bcopy(dst
, &sin
.sin_addr
,
1424 sizeof(sin
.sin_addr
));
1425 if (key_sockaddrcmp((struct sockaddr
*)&sin
,
1426 (struct sockaddr
*)&sav
->sah
->saidx
.dst
, 0) != 0) {
1432 bzero(&sin6
, sizeof(sin6
));
1433 sin6
.sin6_family
= AF_INET6
;
1434 sin6
.sin6_len
= sizeof(sin6
);
1435 bcopy(dst
, &sin6
.sin6_addr
,
1436 sizeof(sin6
.sin6_addr
));
1437 if (IN6_IS_SCOPE_LINKLOCAL(&sin6
.sin6_addr
)) {
1438 /* kame fake scopeid */
1439 sin6
.sin6_scope_id
=
1440 ntohs(sin6
.sin6_addr
.s6_addr16
[1]);
1441 sin6
.sin6_addr
.s6_addr16
[1] = 0;
1443 if (key_sockaddrcmp((struct sockaddr
*)&sin6
,
1444 (struct sockaddr
*)&sav
->sah
->saidx
.dst
, 0) != 0) {
1449 ipseclog((LOG_DEBUG
, "key_allocsa: "
1450 "unknown address family=%d.\n", family
));
1462 lck_mtx_unlock(sadb_mutex
);
1467 lck_mtx_unlock(sadb_mutex
);
1468 KEYDEBUG(KEYDEBUG_IPSEC_STAMP
,
1469 printf("DP allocsa cause refcnt++:%d SA:0x%llx\n",
1470 match
->refcnt
, (uint64_t)VM_KERNEL_ADDRPERM(match
)));
1475 * This function checks whether a UDP packet with a random local port
1476 * and a remote port of 4500 matches an SA in the kernel. If does match,
1477 * send the packet to the ESP engine. If not, send the packet to the UDP protocol.
1480 key_checksa_present(u_int family
,
1482 caddr_t remote_addr
,
1483 u_int16_t local_port
,
1484 u_int16_t remote_port
)
1486 LCK_MTX_ASSERT(sadb_mutex
, LCK_MTX_ASSERT_NOTOWNED
);
1489 if (local_addr
== NULL
|| remote_addr
== NULL
) {
1490 panic("key_allocsa: NULL pointer is passed.\n");
1495 * XXX: to be checked internal IP header somewhere. Also when
1496 * IPsec tunnel packet is received. But ESP tunnel mode is
1497 * encrypted so we can't check internal IP header.
1500 * search a valid state list for inbound packet.
1501 * the search order is not important.
1503 struct secashead
*sah
= NULL
;
1504 bool found_sa
= false;
1506 lck_mtx_lock(sadb_mutex
);
1507 LIST_FOREACH(sah
, &sahtree
, chain
) {
1508 if (sah
->state
== SADB_SASTATE_DEAD
) {
1512 if (sah
->dir
!= IPSEC_DIR_OUTBOUND
) {
1516 if (family
!= sah
->saidx
.src
.ss_family
) {
1520 struct sockaddr_in src_in
= {};
1521 struct sockaddr_in6 src_in6
= {};
1523 /* check src address */
1526 src_in
.sin_family
= AF_INET
;
1527 src_in
.sin_len
= sizeof(src_in
);
1528 memcpy(&src_in
.sin_addr
, local_addr
, sizeof(src_in
.sin_addr
));
1529 if (key_sockaddrcmp((struct sockaddr
*)&src_in
,
1530 (struct sockaddr
*)&sah
->saidx
.src
, 0) != 0) {
1535 src_in6
.sin6_family
= AF_INET6
;
1536 src_in6
.sin6_len
= sizeof(src_in6
);
1537 memcpy(&src_in6
.sin6_addr
, local_addr
, sizeof(src_in6
.sin6_addr
));
1538 if (IN6_IS_SCOPE_LINKLOCAL(&src_in6
.sin6_addr
)) {
1539 /* kame fake scopeid */
1540 src_in6
.sin6_scope_id
=
1541 ntohs(src_in6
.sin6_addr
.s6_addr16
[1]);
1542 src_in6
.sin6_addr
.s6_addr16
[1] = 0;
1544 if (key_sockaddrcmp((struct sockaddr
*)&src_in6
,
1545 (struct sockaddr
*)&sah
->saidx
.src
, 0) != 0) {
1550 ipseclog((LOG_DEBUG
, "key_checksa_present: "
1551 "unknown address family=%d.\n",
1556 struct sockaddr_in dest_in
= {};
1557 struct sockaddr_in6 dest_in6
= {};
1559 /* check dst address */
1562 dest_in
.sin_family
= AF_INET
;
1563 dest_in
.sin_len
= sizeof(dest_in
);
1564 memcpy(&dest_in
.sin_addr
, remote_addr
, sizeof(dest_in
.sin_addr
));
1565 if (key_sockaddrcmp((struct sockaddr
*)&dest_in
,
1566 (struct sockaddr
*)&sah
->saidx
.dst
, 0) != 0) {
1572 dest_in6
.sin6_family
= AF_INET6
;
1573 dest_in6
.sin6_len
= sizeof(dest_in6
);
1574 memcpy(&dest_in6
.sin6_addr
, remote_addr
, sizeof(dest_in6
.sin6_addr
));
1575 if (IN6_IS_SCOPE_LINKLOCAL(&dest_in6
.sin6_addr
)) {
1576 /* kame fake scopeid */
1577 dest_in6
.sin6_scope_id
=
1578 ntohs(dest_in6
.sin6_addr
.s6_addr16
[1]);
1579 dest_in6
.sin6_addr
.s6_addr16
[1] = 0;
1581 if (key_sockaddrcmp((struct sockaddr
*)&dest_in6
,
1582 (struct sockaddr
*)&sah
->saidx
.dst
, 0) != 0) {
1588 ipseclog((LOG_DEBUG
, "key_checksa_present: "
1589 "unknown address family=%d.\n", family
));
1593 struct secasvar
*nextsav
= NULL
;
1594 for (u_int stateidx
= 0; stateidx
< _ARRAYLEN(saorder_state_alive
); stateidx
++) {
1595 u_int state
= saorder_state_alive
[stateidx
];
1596 for (struct secasvar
*sav
= LIST_FIRST(&sah
->savtree
[state
]); sav
!= NULL
; sav
= nextsav
) {
1597 nextsav
= LIST_NEXT(sav
, chain
);
1599 if (sav
->state
!= state
) {
1600 ipseclog((LOG_DEBUG
, "key_checksa_present: "
1601 "invalid sav->state "
1602 "(state: %d SA: %d)\n",
1603 state
, sav
->state
));
1607 if (sav
->remote_ike_port
!= ntohs(remote_port
)) {
1611 if (sav
->natt_encapsulated_src_port
!= local_port
) {
1621 lck_mtx_unlock(sadb_mutex
);
1626 key_natt_get_translated_port(
1627 struct secasvar
*outsav
)
1629 struct secasindex saidx
;
1630 struct secashead
*sah
;
1631 u_int stateidx
, state
;
1632 const u_int
*saorder_state_valid
;
1635 /* get sa for incoming */
1636 saidx
.mode
= outsav
->sah
->saidx
.mode
;
1638 saidx
.proto
= outsav
->sah
->saidx
.proto
;
1639 bcopy(&outsav
->sah
->saidx
.src
, &saidx
.dst
, sizeof(struct sockaddr_in
));
1640 bcopy(&outsav
->sah
->saidx
.dst
, &saidx
.src
, sizeof(struct sockaddr_in
));
1642 lck_mtx_lock(sadb_mutex
);
1643 LIST_FOREACH(sah
, &sahtree
, chain
) {
1644 if (sah
->state
== SADB_SASTATE_DEAD
) {
1647 if (key_cmpsaidx(&sah
->saidx
, &saidx
, CMP_MODE
)) {
1651 lck_mtx_unlock(sadb_mutex
);
1656 * Found sah - now go thru list of SAs and find
1657 * matching remote ike port. If found - set
1658 * sav->natt_encapsulated_src_port and return the port.
1661 * search a valid state list for outbound packet.
1662 * This search order is important.
1664 if (key_preferred_oldsa
) {
1665 saorder_state_valid
= saorder_state_valid_prefer_old
;
1666 arraysize
= _ARRAYLEN(saorder_state_valid_prefer_old
);
1668 saorder_state_valid
= saorder_state_valid_prefer_new
;
1669 arraysize
= _ARRAYLEN(saorder_state_valid_prefer_new
);
1672 for (stateidx
= 0; stateidx
< arraysize
; stateidx
++) {
1673 state
= saorder_state_valid
[stateidx
];
1674 if (key_do_get_translated_port(sah
, outsav
, state
)) {
1675 lck_mtx_unlock(sadb_mutex
);
1676 return outsav
->natt_encapsulated_src_port
;
1679 lck_mtx_unlock(sadb_mutex
);
1684 key_do_get_translated_port(
1685 struct secashead
*sah
,
1686 struct secasvar
*outsav
,
1689 struct secasvar
*currsav
, *nextsav
, *candidate
;
1692 LCK_MTX_ASSERT(sadb_mutex
, LCK_MTX_ASSERT_OWNED
);
1697 for (currsav
= LIST_FIRST(&sah
->savtree
[state
]);
1699 currsav
= nextsav
) {
1700 nextsav
= LIST_NEXT(currsav
, chain
);
1703 KEY_CHKSASTATE(currsav
->state
, state
, "key_do_get_translated_port");
1705 if ((currsav
->flags
& SADB_X_EXT_NATT_MULTIPLEUSERS
) == 0 ||
1706 currsav
->remote_ike_port
!= outsav
->remote_ike_port
) {
1710 if (candidate
== NULL
) {
1711 candidate
= currsav
;
1715 /* Which SA is the better ? */
1717 /* sanity check 2 */
1718 if (candidate
->lft_c
== NULL
|| currsav
->lft_c
== NULL
) {
1719 panic("key_do_get_translated_port: "
1720 "lifetime_current is NULL.\n");
1723 /* What the best method is to compare ? */
1724 if (key_preferred_oldsa
) {
1725 if (candidate
->lft_c
->sadb_lifetime_addtime
>
1726 currsav
->lft_c
->sadb_lifetime_addtime
) {
1727 candidate
= currsav
;
1733 /* prefered new sa rather than old sa */
1734 if (candidate
->lft_c
->sadb_lifetime_addtime
<
1735 currsav
->lft_c
->sadb_lifetime_addtime
) {
1736 candidate
= currsav
;
1741 outsav
->natt_encapsulated_src_port
= candidate
->natt_encapsulated_src_port
;
1749 * Must be called after calling key_allocsp().
1753 struct secpolicy
*sp
,
1758 panic("key_freesp: NULL pointer is passed.\n");
1762 lck_mtx_lock(sadb_mutex
);
1764 LCK_MTX_ASSERT(sadb_mutex
, LCK_MTX_ASSERT_OWNED
);
1767 KEYDEBUG(KEYDEBUG_IPSEC_STAMP
,
1768 printf("DP freesp cause refcnt--:%d SP:0x%llx\n",
1769 sp
->refcnt
, (uint64_t)VM_KERNEL_ADDRPERM(sp
)));
1771 if (sp
->refcnt
== 0) {
1775 lck_mtx_unlock(sadb_mutex
);
1781 * Must be called after calling key_allocsa().
1782 * This function is called by key_freesp() to free some SA allocated
1787 struct secasvar
*sav
,
1792 panic("key_freesav: NULL pointer is passed.\n");
1796 lck_mtx_lock(sadb_mutex
);
1798 LCK_MTX_ASSERT(sadb_mutex
, LCK_MTX_ASSERT_OWNED
);
1801 KEYDEBUG(KEYDEBUG_IPSEC_STAMP
,
1802 printf("DP freesav cause refcnt--:%d SA:0x%llx SPI %u\n",
1803 sav
->refcnt
, (uint64_t)VM_KERNEL_ADDRPERM(sav
),
1804 (u_int32_t
)ntohl(sav
->spi
)));
1806 if (sav
->refcnt
== 0) {
1810 lck_mtx_unlock(sadb_mutex
);
1815 /* %%% SPD management */
1817 * free security policy entry.
1821 struct secpolicy
*sp
)
1825 panic("key_delsp: NULL pointer is passed.\n");
1828 LCK_MTX_ASSERT(sadb_mutex
, LCK_MTX_ASSERT_OWNED
);
1829 sp
->state
= IPSEC_SPSTATE_DEAD
;
1831 if (sp
->refcnt
> 0) {
1832 return; /* can't free */
1834 /* remove from SP index */
1835 if (__LIST_CHAINED(sp
)) {
1836 LIST_REMOVE(sp
, chain
);
1837 ipsec_policy_count
--;
1840 if (sp
->spidx
.internal_if
) {
1841 ifnet_release(sp
->spidx
.internal_if
);
1842 sp
->spidx
.internal_if
= NULL
;
1846 ifnet_release(sp
->ipsec_if
);
1847 sp
->ipsec_if
= NULL
;
1850 if (sp
->outgoing_if
) {
1851 ifnet_release(sp
->outgoing_if
);
1852 sp
->outgoing_if
= NULL
;
1856 struct ipsecrequest
*isr
= sp
->req
, *nextisr
;
1858 while (isr
!= NULL
) {
1859 nextisr
= isr
->next
;
1864 keydb_delsecpolicy(sp
);
1871 * OUT: NULL : not found
1872 * others : found, pointer to a SP.
1874 static struct secpolicy
*
1876 struct secpolicyindex
*spidx
)
1878 struct secpolicy
*sp
;
1880 LCK_MTX_ASSERT(sadb_mutex
, LCK_MTX_ASSERT_OWNED
);
1883 if (spidx
== NULL
) {
1884 panic("key_getsp: NULL pointer is passed.\n");
1887 LIST_FOREACH(sp
, &sptree
[spidx
->dir
], chain
) {
1888 if (sp
->state
== IPSEC_SPSTATE_DEAD
) {
1891 if (key_cmpspidx_exactly(spidx
, &sp
->spidx
)) {
1902 * OUT: NULL : not found
1903 * others : found, pointer to a SP.
1909 struct secpolicy
*sp
;
1911 LCK_MTX_ASSERT(sadb_mutex
, LCK_MTX_ASSERT_NOTOWNED
);
1913 lck_mtx_lock(sadb_mutex
);
1914 sp
= __key_getspbyid(id
);
1915 lck_mtx_unlock(sadb_mutex
);
1920 static struct secpolicy
*
1921 __key_getspbyid(u_int32_t id
)
1923 struct secpolicy
*sp
;
1925 LCK_MTX_ASSERT(sadb_mutex
, LCK_MTX_ASSERT_OWNED
);
1927 LIST_FOREACH(sp
, &sptree
[IPSEC_DIR_INBOUND
], chain
) {
1928 if (sp
->state
== IPSEC_SPSTATE_DEAD
) {
1937 LIST_FOREACH(sp
, &sptree
[IPSEC_DIR_OUTBOUND
], chain
) {
1938 if (sp
->state
== IPSEC_SPSTATE_DEAD
) {
1953 struct secpolicy
*newsp
= NULL
;
1955 LCK_MTX_ASSERT(sadb_mutex
, LCK_MTX_ASSERT_NOTOWNED
);
1956 newsp
= keydb_newsecpolicy();
1968 * create secpolicy structure from sadb_x_policy structure.
1969 * NOTE: `state', `secpolicyindex' in secpolicy structure are not set,
1970 * so must be set properly later.
1974 struct sadb_x_policy
*xpl0
,
1978 struct secpolicy
*newsp
;
1980 LCK_MTX_ASSERT(sadb_mutex
, LCK_MTX_ASSERT_NOTOWNED
);
1984 panic("key_msg2sp: NULL pointer was passed.\n");
1986 if (len
< sizeof(*xpl0
)) {
1987 panic("key_msg2sp: invalid length.\n");
1989 if (len
!= PFKEY_EXTLEN(xpl0
)) {
1990 ipseclog((LOG_DEBUG
, "key_msg2sp: Invalid msg length.\n"));
1995 if ((newsp
= key_newsp()) == NULL
) {
2000 newsp
->spidx
.dir
= xpl0
->sadb_x_policy_dir
;
2001 newsp
->policy
= xpl0
->sadb_x_policy_type
;
2004 switch (xpl0
->sadb_x_policy_type
) {
2005 case IPSEC_POLICY_DISCARD
:
2006 case IPSEC_POLICY_GENERATE
:
2007 case IPSEC_POLICY_NONE
:
2008 case IPSEC_POLICY_ENTRUST
:
2009 case IPSEC_POLICY_BYPASS
:
2013 case IPSEC_POLICY_IPSEC
:
2016 struct sadb_x_ipsecrequest
*xisr
;
2017 struct ipsecrequest
**p_isr
= &newsp
->req
;
2019 /* validity check */
2020 if (PFKEY_EXTLEN(xpl0
) < sizeof(*xpl0
)) {
2021 ipseclog((LOG_DEBUG
,
2022 "key_msg2sp: Invalid msg length.\n"));
2023 key_freesp(newsp
, KEY_SADB_UNLOCKED
);
2028 tlen
= PFKEY_EXTLEN(xpl0
) - sizeof(*xpl0
);
2029 xisr
= (struct sadb_x_ipsecrequest
*)(xpl0
+ 1);
2032 if (tlen
< sizeof(*xisr
)) {
2033 ipseclog((LOG_DEBUG
, "key_msg2sp: "
2034 "invalid ipsecrequest.\n"));
2035 key_freesp(newsp
, KEY_SADB_UNLOCKED
);
2041 if (xisr
->sadb_x_ipsecrequest_len
< sizeof(*xisr
)) {
2042 ipseclog((LOG_DEBUG
, "key_msg2sp: "
2043 "invalid ipsecrequest length.\n"));
2044 key_freesp(newsp
, KEY_SADB_UNLOCKED
);
2049 /* allocate request buffer */
2050 KMALLOC_WAIT(*p_isr
, struct ipsecrequest
*, sizeof(**p_isr
));
2051 if ((*p_isr
) == NULL
) {
2052 ipseclog((LOG_DEBUG
,
2053 "key_msg2sp: No more memory.\n"));
2054 key_freesp(newsp
, KEY_SADB_UNLOCKED
);
2058 bzero(*p_isr
, sizeof(**p_isr
));
2061 (*p_isr
)->next
= NULL
;
2063 switch (xisr
->sadb_x_ipsecrequest_proto
) {
2068 ipseclog((LOG_DEBUG
,
2069 "key_msg2sp: invalid proto type=%u\n",
2070 xisr
->sadb_x_ipsecrequest_proto
));
2071 key_freesp(newsp
, KEY_SADB_UNLOCKED
);
2072 *error
= EPROTONOSUPPORT
;
2075 (*p_isr
)->saidx
.proto
= xisr
->sadb_x_ipsecrequest_proto
;
2077 switch (xisr
->sadb_x_ipsecrequest_mode
) {
2078 case IPSEC_MODE_TRANSPORT
:
2079 case IPSEC_MODE_TUNNEL
:
2081 case IPSEC_MODE_ANY
:
2083 ipseclog((LOG_DEBUG
,
2084 "key_msg2sp: invalid mode=%u\n",
2085 xisr
->sadb_x_ipsecrequest_mode
));
2086 key_freesp(newsp
, KEY_SADB_UNLOCKED
);
2090 (*p_isr
)->saidx
.mode
= xisr
->sadb_x_ipsecrequest_mode
;
2092 switch (xisr
->sadb_x_ipsecrequest_level
) {
2093 case IPSEC_LEVEL_DEFAULT
:
2094 case IPSEC_LEVEL_USE
:
2095 case IPSEC_LEVEL_REQUIRE
:
2097 case IPSEC_LEVEL_UNIQUE
:
2098 /* validity check */
2100 * If range violation of reqid, kernel will
2101 * update it, don't refuse it.
2103 if (xisr
->sadb_x_ipsecrequest_reqid
2104 > IPSEC_MANUAL_REQID_MAX
) {
2105 ipseclog((LOG_DEBUG
,
2106 "key_msg2sp: reqid=%d range "
2107 "violation, updated by kernel.\n",
2108 xisr
->sadb_x_ipsecrequest_reqid
));
2109 xisr
->sadb_x_ipsecrequest_reqid
= 0;
2112 /* allocate new reqid id if reqid is zero. */
2113 if (xisr
->sadb_x_ipsecrequest_reqid
== 0) {
2115 if ((reqid
= key_newreqid()) == 0) {
2116 key_freesp(newsp
, KEY_SADB_UNLOCKED
);
2120 (*p_isr
)->saidx
.reqid
= reqid
;
2121 xisr
->sadb_x_ipsecrequest_reqid
= reqid
;
2123 /* set it for manual keying. */
2124 (*p_isr
)->saidx
.reqid
=
2125 xisr
->sadb_x_ipsecrequest_reqid
;
2130 ipseclog((LOG_DEBUG
, "key_msg2sp: invalid level=%u\n",
2131 xisr
->sadb_x_ipsecrequest_level
));
2132 key_freesp(newsp
, KEY_SADB_UNLOCKED
);
2136 (*p_isr
)->level
= xisr
->sadb_x_ipsecrequest_level
;
2138 /* set IP addresses if there */
2139 if (xisr
->sadb_x_ipsecrequest_len
> sizeof(*xisr
)) {
2140 struct sockaddr
*paddr
;
2142 if (tlen
< xisr
->sadb_x_ipsecrequest_len
) {
2143 ipseclog((LOG_DEBUG
, "key_msg2sp: invalid request "
2144 "address length.\n"));
2145 key_freesp(newsp
, KEY_SADB_UNLOCKED
);
2150 paddr
= (struct sockaddr
*)(xisr
+ 1);
2151 uint8_t src_len
= paddr
->sa_len
;
2153 /* +sizeof(uint8_t) for dst_len below */
2154 if (xisr
->sadb_x_ipsecrequest_len
< sizeof(*xisr
) + src_len
+ sizeof(uint8_t)) {
2155 ipseclog((LOG_DEBUG
, "key_msg2sp: invalid request "
2156 "invalid source address length.\n"));
2157 key_freesp(newsp
, KEY_SADB_UNLOCKED
);
2162 /* validity check */
2164 > sizeof((*p_isr
)->saidx
.src
)) {
2165 ipseclog((LOG_DEBUG
, "key_msg2sp: invalid request "
2166 "address length.\n"));
2167 key_freesp(newsp
, KEY_SADB_UNLOCKED
);
2172 bcopy(paddr
, &(*p_isr
)->saidx
.src
,
2173 MIN(paddr
->sa_len
, sizeof((*p_isr
)->saidx
.src
)));
2175 paddr
= (struct sockaddr
*)((caddr_t
)paddr
+ paddr
->sa_len
);
2176 uint8_t dst_len
= paddr
->sa_len
;
2178 if (xisr
->sadb_x_ipsecrequest_len
< sizeof(*xisr
) + src_len
+ dst_len
) {
2179 ipseclog((LOG_DEBUG
, "key_msg2sp: invalid request "
2180 "invalid dest address length.\n"));
2181 key_freesp(newsp
, KEY_SADB_UNLOCKED
);
2186 /* validity check */
2188 > sizeof((*p_isr
)->saidx
.dst
)) {
2189 ipseclog((LOG_DEBUG
, "key_msg2sp: invalid request "
2190 "address length.\n"));
2191 key_freesp(newsp
, KEY_SADB_UNLOCKED
);
2196 bcopy(paddr
, &(*p_isr
)->saidx
.dst
,
2197 MIN(paddr
->sa_len
, sizeof((*p_isr
)->saidx
.dst
)));
2200 (*p_isr
)->sp
= newsp
;
2202 /* initialization for the next. */
2203 p_isr
= &(*p_isr
)->next
;
2204 tlen
-= xisr
->sadb_x_ipsecrequest_len
;
2206 /* validity check */
2208 ipseclog((LOG_DEBUG
, "key_msg2sp: becoming tlen < 0.\n"));
2209 key_freesp(newsp
, KEY_SADB_UNLOCKED
);
2214 xisr
= (struct sadb_x_ipsecrequest
*)(void *)
2215 ((caddr_t
)xisr
+ xisr
->sadb_x_ipsecrequest_len
);
2220 ipseclog((LOG_DEBUG
, "key_msg2sp: invalid policy type.\n"));
2221 key_freesp(newsp
, KEY_SADB_UNLOCKED
);
2233 lck_mtx_lock(sadb_mutex
);
2234 static u_int32_t auto_reqid
= IPSEC_MANUAL_REQID_MAX
+ 1;
2237 /* The reqid must be limited to 16 bits because the PF_KEY message format only uses
2238 * 16 bits for this field. Once it becomes larger than 16 bits - ipsec fails to
2239 * work anymore. Changing the PF_KEY message format would introduce compatibility
2240 * issues. This code now tests to see if the tentative reqid is in use */
2243 struct secpolicy
*sp
;
2244 struct ipsecrequest
*isr
;
2247 auto_reqid
= (auto_reqid
== 0xFFFF
2248 ? IPSEC_MANUAL_REQID_MAX
+ 1 : auto_reqid
+ 1);
2250 /* check for uniqueness */
2252 for (dir
= 0; dir
< IPSEC_DIR_MAX
; dir
++) {
2253 LIST_FOREACH(sp
, &sptree
[dir
], chain
) {
2254 for (isr
= sp
->req
; isr
!= NULL
; isr
= isr
->next
) {
2255 if (isr
->saidx
.reqid
== auto_reqid
) {
2270 lck_mtx_unlock(sadb_mutex
);
2275 * copy secpolicy struct to sadb_x_policy structure indicated.
2279 struct secpolicy
*sp
)
2281 struct sadb_x_policy
*xpl
;
2288 panic("key_sp2msg: NULL pointer was passed.\n");
2291 tlen
= key_getspreqmsglen(sp
);
2293 m
= key_alloc_mbuf(tlen
);
2294 if (!m
|| m
->m_next
) { /*XXX*/
2303 xpl
= mtod(m
, struct sadb_x_policy
*);
2306 xpl
->sadb_x_policy_len
= PFKEY_UNIT64(tlen
);
2307 xpl
->sadb_x_policy_exttype
= SADB_X_EXT_POLICY
;
2308 xpl
->sadb_x_policy_type
= sp
->policy
;
2309 xpl
->sadb_x_policy_dir
= sp
->spidx
.dir
;
2310 xpl
->sadb_x_policy_id
= sp
->id
;
2311 p
= (caddr_t
)xpl
+ sizeof(*xpl
);
2313 /* if is the policy for ipsec ? */
2314 if (sp
->policy
== IPSEC_POLICY_IPSEC
) {
2315 struct sadb_x_ipsecrequest
*xisr
;
2316 struct ipsecrequest
*isr
;
2318 for (isr
= sp
->req
; isr
!= NULL
; isr
= isr
->next
) {
2319 xisr
= (struct sadb_x_ipsecrequest
*)(void *)p
;
2321 xisr
->sadb_x_ipsecrequest_proto
= isr
->saidx
.proto
;
2322 xisr
->sadb_x_ipsecrequest_mode
= isr
->saidx
.mode
;
2323 xisr
->sadb_x_ipsecrequest_level
= isr
->level
;
2324 xisr
->sadb_x_ipsecrequest_reqid
= isr
->saidx
.reqid
;
2327 bcopy(&isr
->saidx
.src
, p
, isr
->saidx
.src
.ss_len
);
2328 p
+= isr
->saidx
.src
.ss_len
;
2329 bcopy(&isr
->saidx
.dst
, p
, isr
->saidx
.dst
.ss_len
);
2330 p
+= isr
->saidx
.src
.ss_len
;
2332 xisr
->sadb_x_ipsecrequest_len
=
2333 PFKEY_ALIGN8(sizeof(*xisr
)
2334 + isr
->saidx
.src
.ss_len
2335 + isr
->saidx
.dst
.ss_len
);
2342 /* m will not be freed nor modified */
2343 static struct mbuf
*
2344 key_gather_mbuf(struct mbuf
*m
, const struct sadb_msghdr
*mhp
,
2345 int ndeep
, int nitem
, int *items
)
2349 struct mbuf
*result
= NULL
, *n
;
2352 if (m
== NULL
|| mhp
== NULL
) {
2353 panic("null pointer passed to key_gather");
2356 for (i
= 0; i
< nitem
; i
++) {
2358 if (idx
< 0 || idx
> SADB_EXT_MAX
) {
2361 /* don't attempt to pull empty extension */
2362 if (idx
== SADB_EXT_RESERVED
&& mhp
->msg
== NULL
) {
2365 if (idx
!= SADB_EXT_RESERVED
&&
2366 (mhp
->ext
[idx
] == NULL
|| mhp
->extlen
[idx
] == 0)) {
2370 if (idx
== SADB_EXT_RESERVED
) {
2371 len
= PFKEY_ALIGN8(sizeof(struct sadb_msg
));
2372 MGETHDR(n
, M_WAITOK
, MT_DATA
); // sadb_msg len < MHLEN - enforced by _CASSERT
2378 m_copydata(m
, 0, sizeof(struct sadb_msg
),
2380 } else if (i
< ndeep
) {
2381 len
= mhp
->extlen
[idx
];
2382 n
= key_alloc_mbuf(len
);
2383 if (!n
|| n
->m_next
) { /*XXX*/
2389 m_copydata(m
, mhp
->extoff
[idx
], mhp
->extlen
[idx
],
2392 n
= m_copym(m
, mhp
->extoff
[idx
], mhp
->extlen
[idx
],
2406 if ((result
->m_flags
& M_PKTHDR
) != 0) {
2407 result
->m_pkthdr
.len
= 0;
2408 for (n
= result
; n
; n
= n
->m_next
) {
2409 result
->m_pkthdr
.len
+= n
->m_len
;
2421 * SADB_X_SPDADD, SADB_X_SPDSETIDX or SADB_X_SPDUPDATE processing
2422 * add a entry to SP database, when received
2423 * <base, address(SD), (lifetime(H),) policy>
2425 * Adding to SP database,
2427 * <base, address(SD), (lifetime(H),) policy>
2428 * to the socket which was send.
2430 * SPDADD set a unique policy entry.
2431 * SPDSETIDX like SPDADD without a part of policy requests.
2432 * SPDUPDATE replace a unique policy entry.
2434 * m will always be freed.
2440 const struct sadb_msghdr
*mhp
)
2442 struct sadb_address
*src0
, *dst0
, *src1
= NULL
, *dst1
= NULL
;
2443 struct sadb_x_policy
*xpl0
, *xpl
;
2444 struct sadb_lifetime
*lft
= NULL
;
2445 struct secpolicyindex spidx
;
2446 struct secpolicy
*newsp
;
2448 ifnet_t internal_if
= NULL
;
2449 char *outgoing_if
= NULL
;
2450 char *ipsec_if
= NULL
;
2451 struct sadb_x_ipsecif
*ipsecifopts
= NULL
;
2453 int use_src_range
= 0;
2454 int use_dst_range
= 0;
2455 int init_disabled
= 0;
2456 int address_family
, address_len
;
2458 LCK_MTX_ASSERT(sadb_mutex
, LCK_MTX_ASSERT_NOTOWNED
);
2461 if (so
== NULL
|| m
== NULL
|| mhp
== NULL
|| mhp
->msg
== NULL
) {
2462 panic("key_spdadd: NULL pointer is passed.\n");
2465 if (mhp
->ext
[SADB_X_EXT_ADDR_RANGE_SRC_START
] != NULL
&& mhp
->ext
[SADB_X_EXT_ADDR_RANGE_SRC_END
] != NULL
) {
2468 if (mhp
->ext
[SADB_X_EXT_ADDR_RANGE_DST_START
] != NULL
&& mhp
->ext
[SADB_X_EXT_ADDR_RANGE_DST_END
] != NULL
) {
2472 if ((!use_src_range
&& mhp
->ext
[SADB_EXT_ADDRESS_SRC
] == NULL
) ||
2473 (!use_dst_range
&& mhp
->ext
[SADB_EXT_ADDRESS_DST
] == NULL
) ||
2474 mhp
->ext
[SADB_X_EXT_POLICY
] == NULL
) {
2475 ipseclog((LOG_DEBUG
, "key_spdadd: invalid message is passed.\n"));
2476 return key_senderror(so
, m
, EINVAL
);
2478 if ((use_src_range
&& (mhp
->extlen
[SADB_X_EXT_ADDR_RANGE_SRC_START
] < sizeof(struct sadb_address
)
2479 || mhp
->extlen
[SADB_X_EXT_ADDR_RANGE_SRC_END
] < sizeof(struct sadb_address
))) ||
2480 (!use_src_range
&& mhp
->extlen
[SADB_EXT_ADDRESS_SRC
] < sizeof(struct sadb_address
)) ||
2481 (use_dst_range
&& (mhp
->extlen
[SADB_X_EXT_ADDR_RANGE_DST_START
] < sizeof(struct sadb_address
)
2482 || mhp
->extlen
[SADB_X_EXT_ADDR_RANGE_DST_END
] < sizeof(struct sadb_address
))) ||
2483 (!use_dst_range
&& mhp
->extlen
[SADB_EXT_ADDRESS_DST
] < sizeof(struct sadb_address
)) ||
2484 mhp
->extlen
[SADB_X_EXT_POLICY
] < sizeof(struct sadb_x_policy
)) {
2485 ipseclog((LOG_DEBUG
, "key_spdadd: invalid message is passed.\n"));
2486 return key_senderror(so
, m
, EINVAL
);
2488 if (mhp
->ext
[SADB_EXT_LIFETIME_HARD
] != NULL
) {
2489 if (mhp
->extlen
[SADB_EXT_LIFETIME_HARD
]
2490 < sizeof(struct sadb_lifetime
)) {
2491 ipseclog((LOG_DEBUG
, "key_spdadd: invalid message is passed.\n"));
2492 return key_senderror(so
, m
, EINVAL
);
2494 lft
= (struct sadb_lifetime
*)
2495 (void *)mhp
->ext
[SADB_EXT_LIFETIME_HARD
];
2497 if (mhp
->ext
[SADB_X_EXT_IPSECIF
] != NULL
) {
2498 if (mhp
->extlen
[SADB_X_EXT_IPSECIF
] < sizeof(struct sadb_x_ipsecif
)) {
2499 ipseclog((LOG_DEBUG
, "key_spdadd: invalid message is passed.\n"));
2500 return key_senderror(so
, m
, EINVAL
);
2504 if (use_src_range
) {
2505 src0
= (struct sadb_address
*)mhp
->ext
[SADB_X_EXT_ADDR_RANGE_SRC_START
];
2506 src1
= (struct sadb_address
*)mhp
->ext
[SADB_X_EXT_ADDR_RANGE_SRC_END
];
2508 src0
= (struct sadb_address
*)mhp
->ext
[SADB_EXT_ADDRESS_SRC
];
2510 if (use_dst_range
) {
2511 dst0
= (struct sadb_address
*)mhp
->ext
[SADB_X_EXT_ADDR_RANGE_DST_START
];
2512 dst1
= (struct sadb_address
*)mhp
->ext
[SADB_X_EXT_ADDR_RANGE_DST_END
];
2514 dst0
= (struct sadb_address
*)mhp
->ext
[SADB_EXT_ADDRESS_DST
];
2516 xpl0
= (struct sadb_x_policy
*)(void *)mhp
->ext
[SADB_X_EXT_POLICY
];
2517 ipsecifopts
= (struct sadb_x_ipsecif
*)(void *)mhp
->ext
[SADB_X_EXT_IPSECIF
];
2519 /* check addresses */
2520 address_family
= ((struct sockaddr
*)(src0
+ 1))->sa_family
;
2521 address_len
= ((struct sockaddr
*)(src0
+ 1))->sa_len
;
2522 if (use_src_range
) {
2523 if (((struct sockaddr
*)(src1
+ 1))->sa_family
!= address_family
||
2524 ((struct sockaddr
*)(src1
+ 1))->sa_len
!= address_len
) {
2525 return key_senderror(so
, m
, EINVAL
);
2528 if (((struct sockaddr
*)(dst0
+ 1))->sa_family
!= address_family
||
2529 ((struct sockaddr
*)(dst0
+ 1))->sa_len
!= address_len
) {
2530 return key_senderror(so
, m
, EINVAL
);
2532 if (use_dst_range
) {
2533 if (((struct sockaddr
*)(dst1
+ 1))->sa_family
!= address_family
||
2534 ((struct sockaddr
*)(dst1
+ 1))->sa_len
!= address_len
) {
2535 return key_senderror(so
, m
, EINVAL
);
2539 /* checking the direction. */
2540 switch (xpl0
->sadb_x_policy_dir
) {
2541 case IPSEC_DIR_INBOUND
:
2542 case IPSEC_DIR_OUTBOUND
:
2545 ipseclog((LOG_DEBUG
, "key_spdadd: Invalid SP direction.\n"));
2546 mhp
->msg
->sadb_msg_errno
= EINVAL
;
2551 /* key_spdadd() accepts DISCARD, NONE and IPSEC. */
2552 if (xpl0
->sadb_x_policy_type
== IPSEC_POLICY_ENTRUST
2553 || xpl0
->sadb_x_policy_type
== IPSEC_POLICY_BYPASS
) {
2554 ipseclog((LOG_DEBUG
, "key_spdadd: Invalid policy type.\n"));
2555 return key_senderror(so
, m
, EINVAL
);
2558 /* policy requests are mandatory when action is ipsec. */
2559 if (mhp
->msg
->sadb_msg_type
!= SADB_X_SPDSETIDX
2560 && xpl0
->sadb_x_policy_type
== IPSEC_POLICY_IPSEC
2561 && mhp
->extlen
[SADB_X_EXT_POLICY
] <= sizeof(*xpl0
)) {
2562 ipseclog((LOG_DEBUG
, "key_spdadd: some policy requests part required.\n"));
2563 return key_senderror(so
, m
, EINVAL
);
2566 /* Process interfaces */
2567 if (ipsecifopts
!= NULL
) {
2568 if (ipsecifopts
->sadb_x_ipsecif_internal_if
[0]) {
2569 ifnet_find_by_name(ipsecifopts
->sadb_x_ipsecif_internal_if
, &internal_if
);
2571 if (ipsecifopts
->sadb_x_ipsecif_outgoing_if
[0]) {
2572 outgoing_if
= ipsecifopts
->sadb_x_ipsecif_outgoing_if
;
2574 if (ipsecifopts
->sadb_x_ipsecif_ipsec_if
[0]) {
2575 ipsec_if
= ipsecifopts
->sadb_x_ipsecif_ipsec_if
;
2577 init_disabled
= ipsecifopts
->sadb_x_ipsecif_init_disabled
;
2581 /* XXX boundary check against sa_len */
2582 KEY_SETSECSPIDX(xpl0
->sadb_x_policy_dir
,
2585 src0
->sadb_address_prefixlen
,
2586 dst0
->sadb_address_prefixlen
,
2587 src0
->sadb_address_proto
,
2589 use_src_range
? src0
+ 1 : NULL
,
2590 use_src_range
? src1
+ 1 : NULL
,
2591 use_dst_range
? dst0
+ 1 : NULL
,
2592 use_dst_range
? dst1
+ 1 : NULL
,
2596 * checking there is SP already or not.
2597 * SPDUPDATE doesn't depend on whether there is a SP or not.
2598 * If the type is either SPDADD or SPDSETIDX AND a SP is found,
2601 lck_mtx_lock(sadb_mutex
);
2602 newsp
= key_getsp(&spidx
);
2603 if (mhp
->msg
->sadb_msg_type
== SADB_X_SPDUPDATE
) {
2605 newsp
->state
= IPSEC_SPSTATE_DEAD
;
2606 key_freesp(newsp
, KEY_SADB_LOCKED
);
2609 if (newsp
!= NULL
) {
2610 key_freesp(newsp
, KEY_SADB_LOCKED
);
2611 ipseclog((LOG_DEBUG
, "key_spdadd: a SP entry exists already.\n"));
2612 lck_mtx_unlock(sadb_mutex
);
2614 ifnet_release(internal_if
);
2617 return key_senderror(so
, m
, EEXIST
);
2620 lck_mtx_unlock(sadb_mutex
);
2622 /* allocation new SP entry */
2623 if ((newsp
= key_msg2sp(xpl0
, PFKEY_EXTLEN(xpl0
), &error
)) == NULL
) {
2625 ifnet_release(internal_if
);
2628 return key_senderror(so
, m
, error
);
2631 if ((newsp
->id
= key_getnewspid()) == 0) {
2632 keydb_delsecpolicy(newsp
);
2634 ifnet_release(internal_if
);
2637 return key_senderror(so
, m
, ENOBUFS
);
2640 /* XXX boundary check against sa_len */
2641 KEY_SETSECSPIDX(xpl0
->sadb_x_policy_dir
,
2644 src0
->sadb_address_prefixlen
,
2645 dst0
->sadb_address_prefixlen
,
2646 src0
->sadb_address_proto
,
2648 use_src_range
? src0
+ 1 : NULL
,
2649 use_src_range
? src1
+ 1 : NULL
,
2650 use_dst_range
? dst0
+ 1 : NULL
,
2651 use_dst_range
? dst1
+ 1 : NULL
,
2656 * allow IPv6 over IPv4 or IPv4 over IPv6 tunnels using ESP -
2657 * otherwise reject if inner and outer address families not equal
2659 if (newsp
->req
&& newsp
->req
->saidx
.src
.ss_family
) {
2660 struct sockaddr
*sa
;
2661 sa
= (struct sockaddr
*)(src0
+ 1);
2662 if (sa
->sa_family
!= newsp
->req
->saidx
.src
.ss_family
) {
2663 if (newsp
->req
->saidx
.mode
!= IPSEC_MODE_TUNNEL
|| newsp
->req
->saidx
.proto
!= IPPROTO_ESP
) {
2664 keydb_delsecpolicy(newsp
);
2666 ifnet_release(internal_if
);
2669 return key_senderror(so
, m
, EINVAL
);
2673 if (newsp
->req
&& newsp
->req
->saidx
.dst
.ss_family
) {
2674 struct sockaddr
*sa
;
2675 sa
= (struct sockaddr
*)(dst0
+ 1);
2676 if (sa
->sa_family
!= newsp
->req
->saidx
.dst
.ss_family
) {
2677 if (newsp
->req
->saidx
.mode
!= IPSEC_MODE_TUNNEL
|| newsp
->req
->saidx
.proto
!= IPPROTO_ESP
) {
2678 keydb_delsecpolicy(newsp
);
2680 ifnet_release(internal_if
);
2683 return key_senderror(so
, m
, EINVAL
);
2690 newsp
->created
= tv
.tv_sec
;
2691 newsp
->lastused
= tv
.tv_sec
;
2692 newsp
->lifetime
= lft
? lft
->sadb_lifetime_addtime
: 0;
2693 newsp
->validtime
= lft
? lft
->sadb_lifetime_usetime
: 0;
2695 if (outgoing_if
!= NULL
) {
2696 ifnet_find_by_name(outgoing_if
, &newsp
->outgoing_if
);
2698 if (ipsec_if
!= NULL
) {
2699 ifnet_find_by_name(ipsec_if
, &newsp
->ipsec_if
);
2701 if (init_disabled
> 0) {
2702 newsp
->disabled
= 1;
2705 newsp
->refcnt
= 1; /* do not reclaim until I say I do */
2706 newsp
->state
= IPSEC_SPSTATE_ALIVE
;
2707 lck_mtx_lock(sadb_mutex
);
2709 * policies of type generate should be at the end of the SPD
2710 * because they function as default discard policies
2711 * Don't start timehandler for generate policies
2713 if (newsp
->policy
== IPSEC_POLICY_GENERATE
) {
2714 LIST_INSERT_TAIL(&sptree
[newsp
->spidx
.dir
], newsp
, secpolicy
, chain
);
2715 } else { /* XXX until we have policy ordering in the kernel */
2716 struct secpolicy
*tmpsp
;
2718 LIST_FOREACH(tmpsp
, &sptree
[newsp
->spidx
.dir
], chain
)
2719 if (tmpsp
->policy
== IPSEC_POLICY_GENERATE
) {
2723 LIST_INSERT_BEFORE(tmpsp
, newsp
, chain
);
2725 LIST_INSERT_TAIL(&sptree
[newsp
->spidx
.dir
], newsp
, secpolicy
, chain
);
2727 key_start_timehandler();
2730 ipsec_policy_count
++;
2731 /* Turn off the ipsec bypass */
2732 if (ipsec_bypass
!= 0) {
2736 /* delete the entry in spacqtree */
2737 if (mhp
->msg
->sadb_msg_type
== SADB_X_SPDUPDATE
) {
2738 struct secspacq
*spacq
;
2739 if ((spacq
= key_getspacq(&spidx
)) != NULL
) {
2740 /* reset counter in order to deletion by timehandler. */
2742 spacq
->created
= tv
.tv_sec
;
2746 lck_mtx_unlock(sadb_mutex
);
2749 struct mbuf
*n
, *mpolicy
;
2750 struct sadb_msg
*newmsg
;
2753 /* create new sadb_msg to reply. */
2755 int mbufItems
[] = {SADB_EXT_RESERVED
, SADB_X_EXT_POLICY
,
2756 SADB_EXT_LIFETIME_HARD
, SADB_EXT_ADDRESS_SRC
,
2757 SADB_EXT_ADDRESS_DST
, SADB_X_EXT_ADDR_RANGE_SRC_START
, SADB_X_EXT_ADDR_RANGE_SRC_END
,
2758 SADB_X_EXT_ADDR_RANGE_DST_START
, SADB_X_EXT_ADDR_RANGE_DST_END
};
2759 n
= key_gather_mbuf(m
, mhp
, 2, sizeof(mbufItems
) / sizeof(int), mbufItems
);
2761 int mbufItems
[] = {SADB_EXT_RESERVED
, SADB_X_EXT_POLICY
,
2762 SADB_EXT_ADDRESS_SRC
, SADB_EXT_ADDRESS_DST
,
2763 SADB_X_EXT_ADDR_RANGE_SRC_START
, SADB_X_EXT_ADDR_RANGE_SRC_END
,
2764 SADB_X_EXT_ADDR_RANGE_DST_START
, SADB_X_EXT_ADDR_RANGE_DST_END
};
2765 n
= key_gather_mbuf(m
, mhp
, 2, sizeof(mbufItems
) / sizeof(int), mbufItems
);
2768 return key_senderror(so
, m
, ENOBUFS
);
2771 if (n
->m_len
< sizeof(*newmsg
)) {
2772 n
= m_pullup(n
, sizeof(*newmsg
));
2774 return key_senderror(so
, m
, ENOBUFS
);
2777 newmsg
= mtod(n
, struct sadb_msg
*);
2778 newmsg
->sadb_msg_errno
= 0;
2779 newmsg
->sadb_msg_len
= PFKEY_UNIT64(n
->m_pkthdr
.len
);
2782 mpolicy
= m_pulldown(n
, PFKEY_ALIGN8(sizeof(struct sadb_msg
)),
2783 sizeof(*xpl
), &off
);
2784 if (mpolicy
== NULL
) {
2785 /* n is already freed */
2786 return key_senderror(so
, m
, ENOBUFS
);
2788 xpl
= (struct sadb_x_policy
*)(void *)(mtod(mpolicy
, caddr_t
) + off
);
2789 if (xpl
->sadb_x_policy_exttype
!= SADB_X_EXT_POLICY
) {
2791 return key_senderror(so
, m
, EINVAL
);
2793 xpl
->sadb_x_policy_id
= newsp
->id
;
2796 return key_sendup_mbuf(so
, n
, KEY_SENDUP_ALL
);
2801 * get new policy id.
2807 key_getnewspid(void)
2809 u_int32_t newid
= 0;
2810 int count
= key_spi_trycnt
; /* XXX */
2811 struct secpolicy
*sp
;
2813 /* when requesting to allocate spi ranged */
2814 lck_mtx_lock(sadb_mutex
);
2816 newid
= (policy_id
= (policy_id
== ~0 ? 1 : policy_id
+ 1));
2818 if ((sp
= __key_getspbyid(newid
)) == NULL
) {
2822 key_freesp(sp
, KEY_SADB_LOCKED
);
2824 lck_mtx_unlock(sadb_mutex
);
2825 if (count
== 0 || newid
== 0) {
2826 ipseclog((LOG_DEBUG
, "key_getnewspid: to allocate policy id is failed.\n"));
2834 * SADB_SPDDELETE processing
2836 * <base, address(SD), policy(*)>
2837 * from the user(?), and set SADB_SASTATE_DEAD,
2839 * <base, address(SD), policy(*)>
2841 * policy(*) including direction of policy.
2843 * m will always be freed.
2849 const struct sadb_msghdr
*mhp
)
2851 struct sadb_address
*src0
, *dst0
, *src1
= NULL
, *dst1
= NULL
;
2852 struct sadb_x_policy
*xpl0
;
2853 struct secpolicyindex spidx
;
2854 struct secpolicy
*sp
;
2855 ifnet_t internal_if
= NULL
;
2856 struct sadb_x_ipsecif
*ipsecifopts
= NULL
;
2857 int use_src_range
= 0;
2858 int use_dst_range
= 0;
2860 LCK_MTX_ASSERT(sadb_mutex
, LCK_MTX_ASSERT_NOTOWNED
);
2863 if (so
== NULL
|| m
== NULL
|| mhp
== NULL
|| mhp
->msg
== NULL
) {
2864 panic("key_spddelete: NULL pointer is passed.\n");
2867 if (mhp
->ext
[SADB_X_EXT_ADDR_RANGE_SRC_START
] != NULL
&& mhp
->ext
[SADB_X_EXT_ADDR_RANGE_SRC_END
] != NULL
) {
2870 if (mhp
->ext
[SADB_X_EXT_ADDR_RANGE_DST_START
] != NULL
&& mhp
->ext
[SADB_X_EXT_ADDR_RANGE_DST_END
] != NULL
) {
2874 if ((!use_src_range
&& mhp
->ext
[SADB_EXT_ADDRESS_SRC
] == NULL
) ||
2875 (!use_dst_range
&& mhp
->ext
[SADB_EXT_ADDRESS_DST
] == NULL
) ||
2876 mhp
->ext
[SADB_X_EXT_POLICY
] == NULL
) {
2877 ipseclog((LOG_DEBUG
, "key_spddelete: invalid message is passed.\n"));
2878 return key_senderror(so
, m
, EINVAL
);
2880 if ((use_src_range
&& (mhp
->extlen
[SADB_X_EXT_ADDR_RANGE_SRC_START
] < sizeof(struct sadb_address
)
2881 || mhp
->extlen
[SADB_X_EXT_ADDR_RANGE_SRC_END
] < sizeof(struct sadb_address
))) ||
2882 (!use_src_range
&& mhp
->extlen
[SADB_EXT_ADDRESS_SRC
] < sizeof(struct sadb_address
)) ||
2883 (use_dst_range
&& (mhp
->extlen
[SADB_X_EXT_ADDR_RANGE_DST_START
] < sizeof(struct sadb_address
)
2884 || mhp
->extlen
[SADB_X_EXT_ADDR_RANGE_DST_END
] < sizeof(struct sadb_address
))) ||
2885 (!use_dst_range
&& mhp
->extlen
[SADB_EXT_ADDRESS_DST
] < sizeof(struct sadb_address
)) ||
2886 mhp
->extlen
[SADB_X_EXT_POLICY
] < sizeof(struct sadb_x_policy
)) {
2887 ipseclog((LOG_DEBUG
, "key_spddelete: invalid message is passed.\n"));
2888 return key_senderror(so
, m
, EINVAL
);
2891 if (use_src_range
) {
2892 src0
= (struct sadb_address
*)mhp
->ext
[SADB_X_EXT_ADDR_RANGE_SRC_START
];
2893 src1
= (struct sadb_address
*)mhp
->ext
[SADB_X_EXT_ADDR_RANGE_SRC_END
];
2895 src0
= (struct sadb_address
*)mhp
->ext
[SADB_EXT_ADDRESS_SRC
];
2897 if (use_dst_range
) {
2898 dst0
= (struct sadb_address
*)mhp
->ext
[SADB_X_EXT_ADDR_RANGE_DST_START
];
2899 dst1
= (struct sadb_address
*)mhp
->ext
[SADB_X_EXT_ADDR_RANGE_DST_END
];
2901 dst0
= (struct sadb_address
*)mhp
->ext
[SADB_EXT_ADDRESS_DST
];
2903 xpl0
= (struct sadb_x_policy
*)(void *)mhp
->ext
[SADB_X_EXT_POLICY
];
2904 ipsecifopts
= (struct sadb_x_ipsecif
*)(void *)mhp
->ext
[SADB_X_EXT_IPSECIF
];
2906 /* checking the direction. */
2907 switch (xpl0
->sadb_x_policy_dir
) {
2908 case IPSEC_DIR_INBOUND
:
2909 case IPSEC_DIR_OUTBOUND
:
2912 ipseclog((LOG_DEBUG
, "key_spddelete: Invalid SP direction.\n"));
2913 return key_senderror(so
, m
, EINVAL
);
2916 /* Process interfaces */
2917 if (ipsecifopts
!= NULL
) {
2918 if (ipsecifopts
->sadb_x_ipsecif_internal_if
[0]) {
2919 ifnet_find_by_name(ipsecifopts
->sadb_x_ipsecif_internal_if
, &internal_if
);
2924 /* XXX boundary check against sa_len */
2925 KEY_SETSECSPIDX(xpl0
->sadb_x_policy_dir
,
2928 src0
->sadb_address_prefixlen
,
2929 dst0
->sadb_address_prefixlen
,
2930 src0
->sadb_address_proto
,
2932 use_src_range
? src0
+ 1 : NULL
,
2933 use_src_range
? src1
+ 1 : NULL
,
2934 use_dst_range
? dst0
+ 1 : NULL
,
2935 use_dst_range
? dst1
+ 1 : NULL
,
2938 /* Is there SP in SPD ? */
2939 lck_mtx_lock(sadb_mutex
);
2940 if ((sp
= key_getsp(&spidx
)) == NULL
) {
2941 ipseclog((LOG_DEBUG
, "key_spddelete: no SP found.\n"));
2942 lck_mtx_unlock(sadb_mutex
);
2944 ifnet_release(internal_if
);
2947 return key_senderror(so
, m
, EINVAL
);
2951 ifnet_release(internal_if
);
2955 /* save policy id to buffer to be returned. */
2956 xpl0
->sadb_x_policy_id
= sp
->id
;
2958 sp
->state
= IPSEC_SPSTATE_DEAD
;
2959 key_freesp(sp
, KEY_SADB_LOCKED
);
2960 lck_mtx_unlock(sadb_mutex
);
2965 struct sadb_msg
*newmsg
;
2966 int mbufItems
[] = {SADB_EXT_RESERVED
, SADB_X_EXT_POLICY
,
2967 SADB_EXT_ADDRESS_SRC
, SADB_EXT_ADDRESS_DST
,
2968 SADB_X_EXT_ADDR_RANGE_SRC_START
, SADB_X_EXT_ADDR_RANGE_SRC_END
,
2969 SADB_X_EXT_ADDR_RANGE_DST_START
, SADB_X_EXT_ADDR_RANGE_DST_END
};
2971 /* create new sadb_msg to reply. */
2972 n
= key_gather_mbuf(m
, mhp
, 1, sizeof(mbufItems
) / sizeof(int), mbufItems
);
2974 return key_senderror(so
, m
, ENOBUFS
);
2977 newmsg
= mtod(n
, struct sadb_msg
*);
2978 newmsg
->sadb_msg_errno
= 0;
2979 newmsg
->sadb_msg_len
= PFKEY_UNIT64(n
->m_pkthdr
.len
);
2982 return key_sendup_mbuf(so
, n
, KEY_SENDUP_ALL
);
2987 * SADB_SPDDELETE2 processing
2990 * from the user(?), and set SADB_SASTATE_DEAD,
2994 * policy(*) including direction of policy.
2996 * m will always be freed.
3002 const struct sadb_msghdr
*mhp
)
3005 struct secpolicy
*sp
;
3007 LCK_MTX_ASSERT(sadb_mutex
, LCK_MTX_ASSERT_NOTOWNED
);
3010 if (so
== NULL
|| m
== NULL
|| mhp
== NULL
|| mhp
->msg
== NULL
) {
3011 panic("key_spddelete2: NULL pointer is passed.\n");
3014 if (mhp
->ext
[SADB_X_EXT_POLICY
] == NULL
||
3015 mhp
->extlen
[SADB_X_EXT_POLICY
] < sizeof(struct sadb_x_policy
)) {
3016 ipseclog((LOG_DEBUG
, "key_spddelete2: invalid message is passed.\n"));
3017 key_senderror(so
, m
, EINVAL
);
3021 id
= ((struct sadb_x_policy
*)
3022 (void *)mhp
->ext
[SADB_X_EXT_POLICY
])->sadb_x_policy_id
;
3024 /* Is there SP in SPD ? */
3025 lck_mtx_lock(sadb_mutex
);
3026 if ((sp
= __key_getspbyid(id
)) == NULL
) {
3027 lck_mtx_unlock(sadb_mutex
);
3028 ipseclog((LOG_DEBUG
, "key_spddelete2: no SP found id:%u.\n", id
));
3029 return key_senderror(so
, m
, EINVAL
);
3032 sp
->state
= IPSEC_SPSTATE_DEAD
;
3033 key_freesp(sp
, KEY_SADB_LOCKED
);
3034 lck_mtx_unlock(sadb_mutex
);
3037 struct mbuf
*n
, *nn
;
3038 struct sadb_msg
*newmsg
;
3041 /* create new sadb_msg to reply. */
3042 len
= PFKEY_ALIGN8(sizeof(struct sadb_msg
));
3044 if (len
> MCLBYTES
) {
3045 return key_senderror(so
, m
, ENOBUFS
);
3047 MGETHDR(n
, M_WAITOK
, MT_DATA
);
3048 if (n
&& len
> MHLEN
) {
3049 MCLGET(n
, M_WAITOK
);
3050 if ((n
->m_flags
& M_EXT
) == 0) {
3056 return key_senderror(so
, m
, ENOBUFS
);
3063 m_copydata(m
, 0, sizeof(struct sadb_msg
), mtod(n
, caddr_t
) + off
);
3064 off
+= PFKEY_ALIGN8(sizeof(struct sadb_msg
));
3068 panic("length inconsistency in key_spddelete2");
3072 n
->m_next
= m_copym(m
, mhp
->extoff
[SADB_X_EXT_POLICY
],
3073 mhp
->extlen
[SADB_X_EXT_POLICY
], M_WAITOK
);
3076 return key_senderror(so
, m
, ENOBUFS
);
3079 n
->m_pkthdr
.len
= 0;
3080 for (nn
= n
; nn
; nn
= nn
->m_next
) {
3081 n
->m_pkthdr
.len
+= nn
->m_len
;
3084 newmsg
= mtod(n
, struct sadb_msg
*);
3085 newmsg
->sadb_msg_errno
= 0;
3086 newmsg
->sadb_msg_len
= PFKEY_UNIT64(n
->m_pkthdr
.len
);
3089 return key_sendup_mbuf(so
, n
, KEY_SENDUP_ALL
);
3097 const struct sadb_msghdr
*mhp
)
3100 struct secpolicy
*sp
;
3102 LCK_MTX_ASSERT(sadb_mutex
, LCK_MTX_ASSERT_NOTOWNED
);
3105 if (so
== NULL
|| m
== NULL
|| mhp
== NULL
|| mhp
->msg
== NULL
) {
3106 panic("key_spdenable: NULL pointer is passed.\n");
3109 if (mhp
->ext
[SADB_X_EXT_POLICY
] == NULL
||
3110 mhp
->extlen
[SADB_X_EXT_POLICY
] < sizeof(struct sadb_x_policy
)) {
3111 ipseclog((LOG_DEBUG
, "key_spdenable: invalid message is passed.\n"));
3112 key_senderror(so
, m
, EINVAL
);
3116 id
= ((struct sadb_x_policy
*)
3117 (void *)mhp
->ext
[SADB_X_EXT_POLICY
])->sadb_x_policy_id
;
3119 /* Is there SP in SPD ? */
3120 lck_mtx_lock(sadb_mutex
);
3121 if ((sp
= __key_getspbyid(id
)) == NULL
) {
3122 lck_mtx_unlock(sadb_mutex
);
3123 ipseclog((LOG_DEBUG
, "key_spdenable: no SP found id:%u.\n", id
));
3124 return key_senderror(so
, m
, EINVAL
);
3128 lck_mtx_unlock(sadb_mutex
);
3132 struct sadb_msg
*newmsg
;
3133 int mbufItems
[] = {SADB_EXT_RESERVED
, SADB_X_EXT_POLICY
};
3135 /* create new sadb_msg to reply. */
3136 n
= key_gather_mbuf(m
, mhp
, 1, sizeof(mbufItems
) / sizeof(int), mbufItems
);
3138 return key_senderror(so
, m
, ENOBUFS
);
3141 if (n
->m_len
< sizeof(struct sadb_msg
)) {
3142 n
= m_pullup(n
, sizeof(struct sadb_msg
));
3144 return key_senderror(so
, m
, ENOBUFS
);
3147 newmsg
= mtod(n
, struct sadb_msg
*);
3148 newmsg
->sadb_msg_errno
= 0;
3149 newmsg
->sadb_msg_len
= PFKEY_UNIT64(n
->m_pkthdr
.len
);
3152 return key_sendup_mbuf(so
, n
, KEY_SENDUP_ALL
);
3160 const struct sadb_msghdr
*mhp
)
3163 struct secpolicy
*sp
;
3165 LCK_MTX_ASSERT(sadb_mutex
, LCK_MTX_ASSERT_NOTOWNED
);
3168 if (so
== NULL
|| m
== NULL
|| mhp
== NULL
|| mhp
->msg
== NULL
) {
3169 panic("key_spddisable: NULL pointer is passed.\n");
3172 if (mhp
->ext
[SADB_X_EXT_POLICY
] == NULL
||
3173 mhp
->extlen
[SADB_X_EXT_POLICY
] < sizeof(struct sadb_x_policy
)) {
3174 ipseclog((LOG_DEBUG
, "key_spddisable: invalid message is passed.\n"));
3175 key_senderror(so
, m
, EINVAL
);
3179 id
= ((struct sadb_x_policy
*)
3180 (void *)mhp
->ext
[SADB_X_EXT_POLICY
])->sadb_x_policy_id
;
3182 /* Is there SP in SPD ? */
3183 lck_mtx_lock(sadb_mutex
);
3184 if ((sp
= __key_getspbyid(id
)) == NULL
) {
3185 lck_mtx_unlock(sadb_mutex
);
3186 ipseclog((LOG_DEBUG
, "key_spddisable: no SP found id:%u.\n", id
));
3187 return key_senderror(so
, m
, EINVAL
);
3191 lck_mtx_unlock(sadb_mutex
);
3195 struct sadb_msg
*newmsg
;
3196 int mbufItems
[] = {SADB_EXT_RESERVED
, SADB_X_EXT_POLICY
};
3198 /* create new sadb_msg to reply. */
3199 n
= key_gather_mbuf(m
, mhp
, 1, sizeof(mbufItems
) / sizeof(int), mbufItems
);
3201 return key_senderror(so
, m
, ENOBUFS
);
3204 if (n
->m_len
< sizeof(struct sadb_msg
)) {
3205 n
= m_pullup(n
, sizeof(struct sadb_msg
));
3207 return key_senderror(so
, m
, ENOBUFS
);
3210 newmsg
= mtod(n
, struct sadb_msg
*);
3211 newmsg
->sadb_msg_errno
= 0;
3212 newmsg
->sadb_msg_len
= PFKEY_UNIT64(n
->m_pkthdr
.len
);
3215 return key_sendup_mbuf(so
, n
, KEY_SENDUP_ALL
);
3220 * SADB_X_GET processing
3225 * <base, address(SD), policy>
3227 * policy(*) including direction of policy.
3229 * m will always be freed.
3235 const struct sadb_msghdr
*mhp
)
3238 struct secpolicy
*sp
;
3241 LCK_MTX_ASSERT(sadb_mutex
, LCK_MTX_ASSERT_NOTOWNED
);
3244 if (so
== NULL
|| m
== NULL
|| mhp
== NULL
|| mhp
->msg
== NULL
) {
3245 panic("key_spdget: NULL pointer is passed.\n");
3248 if (mhp
->ext
[SADB_X_EXT_POLICY
] == NULL
||
3249 mhp
->extlen
[SADB_X_EXT_POLICY
] < sizeof(struct sadb_x_policy
)) {
3250 ipseclog((LOG_DEBUG
, "key_spdget: invalid message is passed.\n"));
3251 return key_senderror(so
, m
, EINVAL
);
3254 id
= ((struct sadb_x_policy
*)
3255 (void *)mhp
->ext
[SADB_X_EXT_POLICY
])->sadb_x_policy_id
;
3257 /* Is there SP in SPD ? */
3258 lck_mtx_lock(sadb_mutex
);
3259 if ((sp
= __key_getspbyid(id
)) == NULL
) {
3260 ipseclog((LOG_DEBUG
, "key_spdget: no SP found id:%u.\n", id
));
3261 lck_mtx_unlock(sadb_mutex
);
3262 return key_senderror(so
, m
, ENOENT
);
3264 lck_mtx_unlock(sadb_mutex
);
3265 n
= key_setdumpsp(sp
, SADB_X_SPDGET
, 0, mhp
->msg
->sadb_msg_pid
);
3268 return key_sendup_mbuf(so
, n
, KEY_SENDUP_ONE
);
3270 return key_senderror(so
, m
, ENOBUFS
);
3275 * SADB_X_SPDACQUIRE processing.
3276 * Acquire policy and SA(s) for a *OUTBOUND* packet.
3279 * to KMD, and expect to receive
3280 * <base> with SADB_X_SPDACQUIRE if error occurred,
3283 * with SADB_X_SPDUPDATE from KMD by PF_KEY.
3284 * policy(*) is without policy requests.
3287 * others: error number
3291 struct secpolicy
*sp
)
3293 struct mbuf
*result
= NULL
, *m
;
3294 struct secspacq
*newspacq
;
3297 LCK_MTX_ASSERT(sadb_mutex
, LCK_MTX_ASSERT_NOTOWNED
);
3301 panic("key_spdacquire: NULL pointer is passed.\n");
3303 if (sp
->req
!= NULL
) {
3304 panic("key_spdacquire: called but there is request.\n");
3306 if (sp
->policy
!= IPSEC_POLICY_IPSEC
) {
3307 panic("key_spdacquire: policy mismathed. IPsec is expected.\n");
3310 /* get a entry to check whether sent message or not. */
3311 lck_mtx_lock(sadb_mutex
);
3312 if ((newspacq
= key_getspacq(&sp
->spidx
)) != NULL
) {
3313 if (key_blockacq_count
< newspacq
->count
) {
3314 /* reset counter and do send message. */
3315 newspacq
->count
= 0;
3317 /* increment counter and do nothing. */
3319 lck_mtx_unlock(sadb_mutex
);
3323 /* make new entry for blocking to send SADB_ACQUIRE. */
3324 if ((newspacq
= key_newspacq(&sp
->spidx
)) == NULL
) {
3325 lck_mtx_unlock(sadb_mutex
);
3328 /* add to acqtree */
3329 LIST_INSERT_HEAD(&spacqtree
, newspacq
, chain
);
3330 key_start_timehandler();
3332 lck_mtx_unlock(sadb_mutex
);
3333 /* create new sadb_msg to reply. */
3334 m
= key_setsadbmsg(SADB_X_SPDACQUIRE
, 0, 0, 0, 0, 0);
3341 result
->m_pkthdr
.len
= 0;
3342 for (m
= result
; m
; m
= m
->m_next
) {
3343 result
->m_pkthdr
.len
+= m
->m_len
;
3346 mtod(result
, struct sadb_msg
*)->sadb_msg_len
=
3347 PFKEY_UNIT64(result
->m_pkthdr
.len
);
3349 return key_sendup_mbuf(NULL
, m
, KEY_SENDUP_REGISTERED
);
3359 * SADB_SPDFLUSH processing
3362 * from the user, and free all entries in secpctree.
3366 * NOTE: what to do is only marking SADB_SASTATE_DEAD.
3368 * m will always be freed.
3374 const struct sadb_msghdr
*mhp
)
3376 struct sadb_msg
*newmsg
;
3377 struct secpolicy
*sp
;
3381 if (so
== NULL
|| m
== NULL
|| mhp
== NULL
|| mhp
->msg
== NULL
) {
3382 panic("key_spdflush: NULL pointer is passed.\n");
3385 if (m
->m_len
!= PFKEY_ALIGN8(sizeof(struct sadb_msg
))) {
3386 return key_senderror(so
, m
, EINVAL
);
3389 lck_mtx_lock(sadb_mutex
);
3390 for (dir
= 0; dir
< IPSEC_DIR_MAX
; dir
++) {
3391 LIST_FOREACH(sp
, &sptree
[dir
], chain
) {
3392 sp
->state
= IPSEC_SPSTATE_DEAD
;
3395 lck_mtx_unlock(sadb_mutex
);
3397 if (sizeof(struct sadb_msg
) > m
->m_len
+ M_TRAILINGSPACE(m
)) {
3398 ipseclog((LOG_DEBUG
, "key_spdflush: No more memory.\n"));
3399 return key_senderror(so
, m
, ENOBUFS
);
3406 m
->m_pkthdr
.len
= m
->m_len
= PFKEY_ALIGN8(sizeof(struct sadb_msg
));
3407 newmsg
= mtod(m
, struct sadb_msg
*);
3408 newmsg
->sadb_msg_errno
= 0;
3409 newmsg
->sadb_msg_len
= PFKEY_UNIT64(m
->m_pkthdr
.len
);
3411 return key_sendup_mbuf(so
, m
, KEY_SENDUP_ALL
);
3415 * SADB_SPDDUMP processing
3418 * from the user, and dump all SP leaves
3423 * m will always be freed.
3430 const struct sadb_msghdr
*mhp
)
3432 struct secpolicy
*sp
, **spbuf
= NULL
, **sp_ptr
;
3433 int cnt
= 0, bufcount
;
3439 if (so
== NULL
|| m
== NULL
|| mhp
== NULL
|| mhp
->msg
== NULL
) {
3440 panic("key_spddump: NULL pointer is passed.\n");
3443 if ((bufcount
= ipsec_policy_count
) == 0) {
3447 bufcount
+= 256; /* extra */
3448 KMALLOC_WAIT(spbuf
, struct secpolicy
**, bufcount
* sizeof(struct secpolicy
*));
3449 if (spbuf
== NULL
) {
3450 ipseclog((LOG_DEBUG
, "key_spddump: No more memory.\n"));
3454 lck_mtx_lock(sadb_mutex
);
3455 /* search SPD entry, make list. */
3457 for (dir
= 0; dir
< IPSEC_DIR_MAX
; dir
++) {
3458 LIST_FOREACH(sp
, &sptree
[dir
], chain
) {
3459 if (cnt
== bufcount
) {
3460 break; /* buffer full */
3467 lck_mtx_unlock(sadb_mutex
);
3477 n
= key_setdumpsp(*sp_ptr
++, SADB_X_SPDDUMP
, cnt
,
3478 mhp
->msg
->sadb_msg_pid
);
3481 key_sendup_mbuf(so
, n
, KEY_SENDUP_ONE
);
3485 lck_mtx_lock(sadb_mutex
);
3486 while (sp_ptr
> spbuf
) {
3487 key_freesp(*(--sp_ptr
), KEY_SADB_LOCKED
);
3489 lck_mtx_unlock(sadb_mutex
);
3496 return key_senderror(so
, m
, error
);
3503 static struct mbuf
*
3505 struct secpolicy
*sp
,
3510 struct mbuf
*result
= NULL
, *m
;
3512 m
= key_setsadbmsg(type
, 0, SADB_SATYPE_UNSPEC
, seq
, pid
, sp
->refcnt
);
3518 if (sp
->spidx
.src_range
.start
.ss_len
> 0) {
3519 m
= key_setsadbaddr(SADB_X_EXT_ADDR_RANGE_SRC_START
,
3520 (struct sockaddr
*)&sp
->spidx
.src_range
.start
, sp
->spidx
.prefs
,
3521 sp
->spidx
.ul_proto
);
3527 m
= key_setsadbaddr(SADB_X_EXT_ADDR_RANGE_SRC_END
,
3528 (struct sockaddr
*)&sp
->spidx
.src_range
.end
, sp
->spidx
.prefs
,
3529 sp
->spidx
.ul_proto
);
3535 m
= key_setsadbaddr(SADB_EXT_ADDRESS_SRC
,
3536 (struct sockaddr
*)&sp
->spidx
.src
, sp
->spidx
.prefs
,
3537 sp
->spidx
.ul_proto
);
3544 if (sp
->spidx
.dst_range
.start
.ss_len
> 0) {
3545 m
= key_setsadbaddr(SADB_X_EXT_ADDR_RANGE_DST_START
,
3546 (struct sockaddr
*)&sp
->spidx
.dst_range
.start
, sp
->spidx
.prefd
,
3547 sp
->spidx
.ul_proto
);
3553 m
= key_setsadbaddr(SADB_X_EXT_ADDR_RANGE_DST_END
,
3554 (struct sockaddr
*)&sp
->spidx
.dst_range
.end
, sp
->spidx
.prefd
,
3555 sp
->spidx
.ul_proto
);
3561 m
= key_setsadbaddr(SADB_EXT_ADDRESS_DST
,
3562 (struct sockaddr
*)&sp
->spidx
.dst
, sp
->spidx
.prefd
,
3563 sp
->spidx
.ul_proto
);
3570 if (sp
->spidx
.internal_if
|| sp
->outgoing_if
|| sp
->ipsec_if
|| sp
->disabled
) {
3571 m
= key_setsadbipsecif(sp
->spidx
.internal_if
, sp
->outgoing_if
, sp
->ipsec_if
, sp
->disabled
);
3584 if ((result
->m_flags
& M_PKTHDR
) == 0) {
3588 if (result
->m_len
< sizeof(struct sadb_msg
)) {
3589 result
= m_pullup(result
, sizeof(struct sadb_msg
));
3590 if (result
== NULL
) {
3595 result
->m_pkthdr
.len
= 0;
3596 for (m
= result
; m
; m
= m
->m_next
) {
3597 result
->m_pkthdr
.len
+= m
->m_len
;
3600 mtod(result
, struct sadb_msg
*)->sadb_msg_len
=
3601 PFKEY_UNIT64(result
->m_pkthdr
.len
);
3611 * get PFKEY message length for security policy and request.
3615 struct secpolicy
*sp
)
3619 tlen
= sizeof(struct sadb_x_policy
);
3621 /* if is the policy for ipsec ? */
3622 if (sp
->policy
!= IPSEC_POLICY_IPSEC
) {
3626 /* get length of ipsec requests */
3628 struct ipsecrequest
*isr
;
3631 for (isr
= sp
->req
; isr
!= NULL
; isr
= isr
->next
) {
3632 len
= sizeof(struct sadb_x_ipsecrequest
)
3633 + isr
->saidx
.src
.ss_len
3634 + isr
->saidx
.dst
.ss_len
;
3636 tlen
+= PFKEY_ALIGN8(len
);
3644 * SADB_SPDEXPIRE processing
3646 * <base, address(SD), lifetime(CH), policy>
3650 * others : error number
3654 struct secpolicy
*sp
)
3656 struct mbuf
*result
= NULL
, *m
;
3659 struct sadb_lifetime
*lt
;
3661 LCK_MTX_ASSERT(sadb_mutex
, LCK_MTX_ASSERT_NOTOWNED
);
3665 panic("key_spdexpire: NULL pointer is passed.\n");
3668 /* set msg header */
3669 m
= key_setsadbmsg(SADB_X_SPDEXPIRE
, 0, 0, 0, 0, 0);
3676 /* create lifetime extension (current and hard) */
3677 len
= PFKEY_ALIGN8(sizeof(*lt
)) * 2;
3678 m
= key_alloc_mbuf(len
);
3679 if (!m
|| m
->m_next
) { /*XXX*/
3686 bzero(mtod(m
, caddr_t
), len
);
3687 lt
= mtod(m
, struct sadb_lifetime
*);
3688 lt
->sadb_lifetime_len
= PFKEY_UNIT64(sizeof(struct sadb_lifetime
));
3689 lt
->sadb_lifetime_exttype
= SADB_EXT_LIFETIME_CURRENT
;
3690 lt
->sadb_lifetime_allocations
= 0;
3691 lt
->sadb_lifetime_bytes
= 0;
3692 lt
->sadb_lifetime_addtime
= sp
->created
;
3693 lt
->sadb_lifetime_usetime
= sp
->lastused
;
3694 lt
= (struct sadb_lifetime
*)(void *)(mtod(m
, caddr_t
) + len
/ 2);
3695 lt
->sadb_lifetime_len
= PFKEY_UNIT64(sizeof(struct sadb_lifetime
));
3696 lt
->sadb_lifetime_exttype
= SADB_EXT_LIFETIME_HARD
;
3697 lt
->sadb_lifetime_allocations
= 0;
3698 lt
->sadb_lifetime_bytes
= 0;
3699 lt
->sadb_lifetime_addtime
= sp
->lifetime
;
3700 lt
->sadb_lifetime_usetime
= sp
->validtime
;
3703 /* set sadb_address(es) for source */
3704 if (sp
->spidx
.src_range
.start
.ss_len
> 0) {
3705 m
= key_setsadbaddr(SADB_X_EXT_ADDR_RANGE_SRC_START
,
3706 (struct sockaddr
*)&sp
->spidx
.src_range
.start
, sp
->spidx
.prefs
,
3707 sp
->spidx
.ul_proto
);
3714 m
= key_setsadbaddr(SADB_X_EXT_ADDR_RANGE_SRC_END
,
3715 (struct sockaddr
*)&sp
->spidx
.src_range
.end
, sp
->spidx
.prefs
,
3716 sp
->spidx
.ul_proto
);
3723 m
= key_setsadbaddr(SADB_EXT_ADDRESS_SRC
,
3724 (struct sockaddr
*)&sp
->spidx
.src
, sp
->spidx
.prefs
,
3725 sp
->spidx
.ul_proto
);
3733 /* set sadb_address(es) for dest */
3734 if (sp
->spidx
.dst_range
.start
.ss_len
> 0) {
3735 m
= key_setsadbaddr(SADB_X_EXT_ADDR_RANGE_DST_START
,
3736 (struct sockaddr
*)&sp
->spidx
.dst_range
.start
, sp
->spidx
.prefd
,
3737 sp
->spidx
.ul_proto
);
3744 m
= key_setsadbaddr(SADB_X_EXT_ADDR_RANGE_DST_END
,
3745 (struct sockaddr
*)&sp
->spidx
.dst_range
.end
, sp
->spidx
.prefd
,
3746 sp
->spidx
.ul_proto
);
3753 m
= key_setsadbaddr(SADB_EXT_ADDRESS_DST
,
3754 (struct sockaddr
*)&sp
->spidx
.dst
, sp
->spidx
.prefd
,
3755 sp
->spidx
.ul_proto
);
3771 if ((result
->m_flags
& M_PKTHDR
) == 0) {
3776 if (result
->m_len
< sizeof(struct sadb_msg
)) {
3777 result
= m_pullup(result
, sizeof(struct sadb_msg
));
3778 if (result
== NULL
) {
3784 result
->m_pkthdr
.len
= 0;
3785 for (m
= result
; m
; m
= m
->m_next
) {
3786 result
->m_pkthdr
.len
+= m
->m_len
;
3789 mtod(result
, struct sadb_msg
*)->sadb_msg_len
=
3790 PFKEY_UNIT64(result
->m_pkthdr
.len
);
3792 return key_sendup_mbuf(NULL
, result
, KEY_SENDUP_REGISTERED
);
3801 /* %%% SAD management */
3803 * allocating a memory for new SA head, and copy from the values of mhp.
3804 * OUT: NULL : failure due to the lack of memory.
3805 * others : pointer to new SA head.
3807 static struct secashead
*
3808 key_newsah(struct secasindex
*saidx
,
3813 struct secashead
*newsah
;
3816 if (saidx
== NULL
) {
3817 panic("key_newsaidx: NULL pointer is passed.\n");
3820 newsah
= keydb_newsecashead();
3821 if (newsah
== NULL
) {
3825 bcopy(saidx
, &newsah
->saidx
, sizeof(newsah
->saidx
));
3827 /* remove the ports */
3828 switch (saidx
->src
.ss_family
) {
3830 ((struct sockaddr_in
*)(&newsah
->saidx
.src
))->sin_port
= IPSEC_PORT_ANY
;
3833 ((struct sockaddr_in6
*)(&newsah
->saidx
.src
))->sin6_port
= IPSEC_PORT_ANY
;
3838 switch (saidx
->dst
.ss_family
) {
3840 ((struct sockaddr_in
*)(&newsah
->saidx
.dst
))->sin_port
= IPSEC_PORT_ANY
;
3843 ((struct sockaddr_in6
*)(&newsah
->saidx
.dst
))->sin6_port
= IPSEC_PORT_ANY
;
3849 newsah
->outgoing_if
= outgoing_if
;
3851 ifnet_reference(ipsec_if
);
3852 newsah
->ipsec_if
= ipsec_if
;
3855 /* add to saidxtree */
3856 newsah
->state
= SADB_SASTATE_MATURE
;
3857 LIST_INSERT_HEAD(&sahtree
, newsah
, chain
);
3858 key_start_timehandler();
3864 * delete SA index and all SA registerd.
3868 struct secashead
*sah
)
3870 struct secasvar
*sav
, *nextsav
;
3871 u_int stateidx
, state
;
3874 LCK_MTX_ASSERT(sadb_mutex
, LCK_MTX_ASSERT_OWNED
);
3878 panic("key_delsah: NULL pointer is passed.\n");
3881 /* searching all SA registerd in the secindex. */
3883 stateidx
< _ARRAYLEN(saorder_state_any
);
3885 state
= saorder_state_any
[stateidx
];
3886 for (sav
= (struct secasvar
*)LIST_FIRST(&sah
->savtree
[state
]);
3889 nextsav
= LIST_NEXT(sav
, chain
);
3891 if (sav
->refcnt
> 0) {
3892 /* give up to delete this sa */
3898 KEY_CHKSASTATE(state
, sav
->state
, "key_delsah");
3900 key_freesav(sav
, KEY_SADB_LOCKED
);
3902 /* remove back pointer */
3908 /* don't delete sah only if there are savs. */
3913 ROUTE_RELEASE(&sah
->sa_route
);
3915 if (sah
->ipsec_if
) {
3916 ifnet_release(sah
->ipsec_if
);
3917 sah
->ipsec_if
= NULL
;
3928 /* remove from tree of SA index */
3929 if (__LIST_CHAINED(sah
)) {
3930 LIST_REMOVE(sah
, chain
);
3939 * allocating a new SA with LARVAL state. key_add() and key_getspi() call,
3940 * and copy the values of mhp into new buffer.
3941 * When SAD message type is GETSPI:
3942 * to set sequence number from acq_seq++,
3943 * to set zero to SPI.
3944 * not to call key_setsava().
3946 * others : pointer to new secasvar.
3948 * does not modify mbuf. does not free mbuf on error.
3950 static struct secasvar
*
3953 const struct sadb_msghdr
*mhp
,
3954 struct secashead
*sah
,
3958 struct secasvar
*newsav
;
3959 const struct sadb_sa
*xsa
;
3961 LCK_MTX_ASSERT(sadb_mutex
, LCK_MTX_ASSERT_OWNED
);
3964 if (m
== NULL
|| mhp
== NULL
|| mhp
->msg
== NULL
|| sah
== NULL
) {
3965 panic("key_newsa: NULL pointer is passed.\n");
3968 KMALLOC_NOWAIT(newsav
, struct secasvar
*, sizeof(struct secasvar
));
3969 if (newsav
== NULL
) {
3970 lck_mtx_unlock(sadb_mutex
);
3971 KMALLOC_WAIT(newsav
, struct secasvar
*, sizeof(struct secasvar
));
3972 lck_mtx_lock(sadb_mutex
);
3973 if (newsav
== NULL
) {
3974 ipseclog((LOG_DEBUG
, "key_newsa: No more memory.\n"));
3979 bzero((caddr_t
)newsav
, sizeof(struct secasvar
));
3981 switch (mhp
->msg
->sadb_msg_type
) {
3983 key_setspi(newsav
, 0);
3985 #if IPSEC_DOSEQCHECK
3986 /* sync sequence number */
3987 if (mhp
->msg
->sadb_msg_seq
== 0) {
3989 (acq_seq
= (acq_seq
== ~0 ? 1 : ++acq_seq
));
3992 newsav
->seq
= mhp
->msg
->sadb_msg_seq
;
3997 if (mhp
->ext
[SADB_EXT_SA
] == NULL
) {
3999 ipseclog((LOG_DEBUG
, "key_newsa: invalid message is passed.\n"));
4003 xsa
= (struct sadb_sa
*)(void *)mhp
->ext
[SADB_EXT_SA
];
4004 key_setspi(newsav
, xsa
->sadb_sa_spi
);
4005 newsav
->seq
= mhp
->msg
->sadb_msg_seq
;
4013 if (mhp
->ext
[SADB_X_EXT_SA2
] != NULL
) {
4014 if (((struct sadb_x_sa2
*)(void *)mhp
->ext
[SADB_X_EXT_SA2
])->sadb_x_sa2_alwaysexpire
) {
4015 newsav
->always_expire
= 1;
4017 newsav
->flags2
= ((struct sadb_x_sa2
*)(void *)mhp
->ext
[SADB_X_EXT_SA2
])->sadb_x_sa2_flags
;
4018 if (newsav
->flags2
& SADB_X_EXT_SA2_DELETE_ON_DETACH
) {
4023 /* copy sav values */
4024 if (mhp
->msg
->sadb_msg_type
!= SADB_GETSPI
) {
4025 *errp
= key_setsaval(newsav
, m
, mhp
);
4031 /* For get SPI, if has a hard lifetime, apply */
4032 const struct sadb_lifetime
*lft0
;
4035 lft0
= (struct sadb_lifetime
*)(void *)mhp
->ext
[SADB_EXT_LIFETIME_HARD
];
4037 /* make lifetime for CURRENT */
4038 KMALLOC_NOWAIT(newsav
->lft_c
, struct sadb_lifetime
*,
4039 sizeof(struct sadb_lifetime
));
4040 if (newsav
->lft_c
== NULL
) {
4041 lck_mtx_unlock(sadb_mutex
);
4042 KMALLOC_WAIT(newsav
->lft_c
, struct sadb_lifetime
*,
4043 sizeof(struct sadb_lifetime
));
4044 lck_mtx_lock(sadb_mutex
);
4045 if (newsav
->lft_c
== NULL
) {
4046 ipseclog((LOG_DEBUG
, "key_newsa: No more memory.\n"));
4055 newsav
->lft_c
->sadb_lifetime_len
= PFKEY_UNIT64(sizeof(struct sadb_lifetime
));
4056 newsav
->lft_c
->sadb_lifetime_exttype
= SADB_EXT_LIFETIME_CURRENT
;
4057 newsav
->lft_c
->sadb_lifetime_allocations
= 0;
4058 newsav
->lft_c
->sadb_lifetime_bytes
= 0;
4059 newsav
->lft_c
->sadb_lifetime_addtime
= tv
.tv_sec
;
4060 newsav
->lft_c
->sadb_lifetime_usetime
= 0;
4062 if (mhp
->extlen
[SADB_EXT_LIFETIME_HARD
] < sizeof(*lft0
)) {
4063 ipseclog((LOG_DEBUG
, "key_newsa: invalid hard lifetime ext len.\n"));
4068 newsav
->lft_h
= (struct sadb_lifetime
*)key_newbuf(lft0
, sizeof(*lft0
));
4069 if (newsav
->lft_h
== NULL
) {
4070 ipseclog((LOG_DEBUG
, "key_newsa: No more memory.\n"));
4082 newsav
->created
= tv
.tv_sec
;
4085 newsav
->pid
= mhp
->msg
->sadb_msg_pid
;
4090 newsav
->state
= SADB_SASTATE_LARVAL
;
4091 LIST_INSERT_TAIL(&sah
->savtree
[SADB_SASTATE_LARVAL
], newsav
,
4094 ipsec_monitor_sleep_wake();
4100 * allocating a new SA with LARVAL state. key_add() and key_getspi() call,
4101 * and copy the values passed into new buffer.
4102 * When SAD message type is GETSPI:
4103 * to set sequence number from acq_seq++,
4104 * to set zero to SPI.
4105 * not to call key_setsava().
4107 * others : pointer to new secasvar.
4110 key_newsav2(struct secashead
*sah
,
4116 struct sadb_key
*key_auth
,
4117 u_int16_t key_auth_len
,
4118 struct sadb_key
*key_enc
,
4119 u_int16_t key_enc_len
,
4120 u_int16_t natt_port
,
4124 struct sadb_lifetime
*lifetime_hard
,
4125 struct sadb_lifetime
*lifetime_soft
)
4127 struct secasvar
*newsav
;
4129 LCK_MTX_ASSERT(sadb_mutex
, LCK_MTX_ASSERT_OWNED
);
4133 panic("key_newsa: NULL pointer is passed.\n");
4136 KMALLOC_NOWAIT(newsav
, struct secasvar
*, sizeof(struct secasvar
));
4137 if (newsav
== NULL
) {
4138 lck_mtx_unlock(sadb_mutex
);
4139 KMALLOC_WAIT(newsav
, struct secasvar
*, sizeof(struct secasvar
));
4140 lck_mtx_lock(sadb_mutex
);
4141 if (newsav
== NULL
) {
4142 ipseclog((LOG_DEBUG
, "key_newsa: No more memory.\n"));
4146 bzero((caddr_t
)newsav
, sizeof(struct secasvar
));
4148 #if IPSEC_DOSEQCHECK
4149 /* sync sequence number */
4151 newsav
->seq
= (acq_seq
= (acq_seq
== ~0 ? 1 : ++acq_seq
));
4155 key_setspi(newsav
, spi
);
4157 if (key_setsaval2(newsav
,
4181 newsav
->created
= tv
.tv_sec
;
4189 if (spi
&& key_auth
&& key_auth_len
&& key_enc
&& key_enc_len
) {
4190 newsav
->state
= SADB_SASTATE_MATURE
;
4191 LIST_INSERT_TAIL(&sah
->savtree
[SADB_SASTATE_MATURE
], newsav
,
4194 newsav
->state
= SADB_SASTATE_LARVAL
;
4195 LIST_INSERT_TAIL(&sah
->savtree
[SADB_SASTATE_LARVAL
], newsav
,
4204 key_migratesav(struct secasvar
*sav
,
4205 struct secashead
*newsah
)
4207 if (sav
== NULL
|| newsah
== NULL
|| sav
->state
!= SADB_SASTATE_MATURE
) {
4211 /* remove from SA header */
4212 if (__LIST_CHAINED(sav
)) {
4213 LIST_REMOVE(sav
, chain
);
4217 LIST_INSERT_TAIL(&newsah
->savtree
[SADB_SASTATE_MATURE
], sav
, secasvar
, chain
);
4222 * free() SA variable entry.
4226 struct secasvar
*sav
)
4228 LCK_MTX_ASSERT(sadb_mutex
, LCK_MTX_ASSERT_OWNED
);
4232 panic("key_delsav: NULL pointer is passed.\n");
4235 if (sav
->refcnt
> 0) {
4236 return; /* can't free */
4238 /* remove from SA header */
4239 if (__LIST_CHAINED(sav
)) {
4240 LIST_REMOVE(sav
, chain
);
4244 if (sav
->spihash
.le_prev
|| sav
->spihash
.le_next
) {
4245 LIST_REMOVE(sav
, spihash
);
4248 if (sav
->key_auth
!= NULL
) {
4249 bzero(_KEYBUF(sav
->key_auth
), _KEYLEN(sav
->key_auth
));
4250 KFREE(sav
->key_auth
);
4251 sav
->key_auth
= NULL
;
4253 if (sav
->key_enc
!= NULL
) {
4254 bzero(_KEYBUF(sav
->key_enc
), _KEYLEN(sav
->key_enc
));
4255 KFREE(sav
->key_enc
);
4256 sav
->key_enc
= NULL
;
4259 bzero(sav
->sched
, sav
->schedlen
);
4264 for (int i
= 0; i
< MAX_REPLAY_WINDOWS
; i
++) {
4265 if (sav
->replay
[i
] != NULL
) {
4266 keydb_delsecreplay(sav
->replay
[i
]);
4267 sav
->replay
[i
] = NULL
;
4270 if (sav
->lft_c
!= NULL
) {
4274 if (sav
->lft_h
!= NULL
) {
4278 if (sav
->lft_s
!= NULL
) {
4282 if (sav
->iv
!= NULL
) {
4296 * others : found, pointer to a SA.
4298 static struct secashead
*
4299 key_getsah(struct secasindex
*saidx
)
4301 struct secashead
*sah
;
4303 LCK_MTX_ASSERT(sadb_mutex
, LCK_MTX_ASSERT_OWNED
);
4305 LIST_FOREACH(sah
, &sahtree
, chain
) {
4306 if (sah
->state
== SADB_SASTATE_DEAD
) {
4309 if (key_cmpsaidx(&sah
->saidx
, saidx
, CMP_REQID
)) {
4318 key_newsah2(struct secasindex
*saidx
,
4321 struct secashead
*sah
;
4323 LCK_MTX_ASSERT(sadb_mutex
, LCK_MTX_ASSERT_OWNED
);
4325 sah
= key_getsah(saidx
);
4327 return key_newsah(saidx
, NULL
, 0, dir
);
4333 * check not to be duplicated SPI.
4334 * NOTE: this function is too slow due to searching all SAD.
4337 * others : found, pointer to a SA.
4339 static struct secasvar
*
4341 struct secasindex
*saidx
,
4344 struct secasvar
*sav
;
4345 u_int stateidx
, state
;
4347 LCK_MTX_ASSERT(sadb_mutex
, LCK_MTX_ASSERT_OWNED
);
4349 /* check address family */
4350 if (saidx
->src
.ss_family
!= saidx
->dst
.ss_family
) {
4351 ipseclog((LOG_DEBUG
, "key_checkspidup: address family mismatched.\n"));
4356 LIST_FOREACH(sav
, &spihash
[SPIHASH(spi
)], spihash
) {
4357 if (sav
->spi
!= spi
) {
4361 stateidx
< _ARRAYLEN(saorder_state_alive
);
4363 state
= saorder_state_alive
[stateidx
];
4364 if (sav
->state
== state
&&
4365 key_ismyaddr((struct sockaddr
*)&sav
->sah
->saidx
.dst
)) {
4376 struct secasvar
*sav
,
4379 LCK_MTX_ASSERT(sadb_mutex
, LCK_MTX_ASSERT_OWNED
);
4381 if (sav
->spihash
.le_prev
|| sav
->spihash
.le_next
) {
4382 LIST_REMOVE(sav
, spihash
);
4384 LIST_INSERT_HEAD(&spihash
[SPIHASH(spi
)], sav
, spihash
);
4389 * search SAD litmited alive SA, protocol, SPI.
4392 * others : found, pointer to a SA.
4394 static struct secasvar
*
4396 struct secashead
*sah
,
4399 struct secasvar
*sav
, *match
;
4400 u_int stateidx
, state
, matchidx
;
4402 LCK_MTX_ASSERT(sadb_mutex
, LCK_MTX_ASSERT_OWNED
);
4404 matchidx
= _ARRAYLEN(saorder_state_alive
);
4405 LIST_FOREACH(sav
, &spihash
[SPIHASH(spi
)], spihash
) {
4406 if (sav
->spi
!= spi
) {
4409 if (sav
->sah
!= sah
) {
4412 for (stateidx
= 0; stateidx
< matchidx
; stateidx
++) {
4413 state
= saorder_state_alive
[stateidx
];
4414 if (sav
->state
== state
) {
4416 matchidx
= stateidx
;
4426 * copy SA values from PF_KEY message except *SPI, SEQ, PID, STATE and TYPE*.
4427 * You must update these if need.
4431 * does not modify mbuf. does not free mbuf on error.
4435 struct secasvar
*sav
,
4437 const struct sadb_msghdr
*mhp
)
4440 const struct esp_algorithm
*algo
;
4445 LCK_MTX_ASSERT(sadb_mutex
, LCK_MTX_ASSERT_OWNED
);
4448 if (m
== NULL
|| mhp
== NULL
|| mhp
->msg
== NULL
) {
4449 panic("key_setsaval: NULL pointer is passed.\n");
4452 /* initialization */
4453 for (int i
= 0; i
< MAX_REPLAY_WINDOWS
; i
++) {
4454 sav
->replay
[i
] = NULL
;
4456 sav
->key_auth
= NULL
;
4457 sav
->key_enc
= NULL
;
4464 sav
->remote_ike_port
= 0;
4465 sav
->natt_last_activity
= natt_now
;
4466 sav
->natt_encapsulated_src_port
= 0;
4469 if (mhp
->ext
[SADB_EXT_SA
] != NULL
) {
4470 const struct sadb_sa
*sa0
;
4472 sa0
= (struct sadb_sa
*)(void *)mhp
->ext
[SADB_EXT_SA
];
4473 if (mhp
->extlen
[SADB_EXT_SA
] < sizeof(*sa0
)) {
4474 ipseclog((LOG_DEBUG
, "key_setsaval: invalid message size.\n"));
4479 sav
->alg_auth
= sa0
->sadb_sa_auth
;
4480 sav
->alg_enc
= sa0
->sadb_sa_encrypt
;
4481 sav
->flags
= sa0
->sadb_sa_flags
;
4484 * Verify that a nat-traversal port was specified if
4485 * the nat-traversal flag is set.
4487 if ((sav
->flags
& SADB_X_EXT_NATT
) != 0) {
4488 if (mhp
->extlen
[SADB_EXT_SA
] < sizeof(struct sadb_sa_2
) ||
4489 ((const struct sadb_sa_2
*)(sa0
))->sadb_sa_natt_port
== 0) {
4490 ipseclog((LOG_DEBUG
, "key_setsaval: natt port not set.\n"));
4494 sav
->natt_encapsulated_src_port
= ((const struct sadb_sa_2
*)(sa0
))->sadb_sa_natt_src_port
;
4495 sav
->remote_ike_port
= ((const struct sadb_sa_2
*)(sa0
))->sadb_sa_natt_port
;
4496 sav
->natt_interval
= ((const struct sadb_sa_2
*)(sa0
))->sadb_sa_natt_interval
;
4497 sav
->natt_offload_interval
= ((const struct sadb_sa_2
*)(sa0
))->sadb_sa_natt_offload_interval
;
4501 * Verify if SADB_X_EXT_NATT_MULTIPLEUSERS flag is set that
4502 * SADB_X_EXT_NATT is set and SADB_X_EXT_NATT_KEEPALIVE is not
4503 * set (we're not behind nat) - otherwise clear it.
4505 if ((sav
->flags
& SADB_X_EXT_NATT_MULTIPLEUSERS
) != 0) {
4506 if ((sav
->flags
& SADB_X_EXT_NATT
) == 0 ||
4507 (sav
->flags
& SADB_X_EXT_NATT_KEEPALIVE
) != 0) {
4508 sav
->flags
&= ~SADB_X_EXT_NATT_MULTIPLEUSERS
;
4513 if ((sa0
->sadb_sa_flags
& SADB_X_EXT_OLD
) == 0) {
4514 if ((sav
->flags2
& SADB_X_EXT_SA2_SEQ_PER_TRAFFIC_CLASS
) ==
4515 SADB_X_EXT_SA2_SEQ_PER_TRAFFIC_CLASS
) {
4516 uint32_t range
= (1ULL << (sizeof(((struct secreplay
*)0)->count
) * 8)) / MAX_REPLAY_WINDOWS
;
4517 for (int i
= 0; i
< MAX_REPLAY_WINDOWS
; i
++) {
4518 sav
->replay
[i
] = keydb_newsecreplay(sa0
->sadb_sa_replay
);
4519 if (sav
->replay
[i
] == NULL
) {
4520 ipseclog((LOG_DEBUG
, "key_setsaval: No more memory.\n"));
4524 /* Allowed range for sequence per traffic class */
4525 sav
->replay
[i
]->count
= i
* range
;
4526 sav
->replay
[i
]->lastseq
= ((i
+ 1) * range
) - 1;
4529 sav
->replay
[0] = keydb_newsecreplay(sa0
->sadb_sa_replay
);
4530 if (sav
->replay
[0] == NULL
) {
4531 ipseclog((LOG_DEBUG
, "key_setsaval: No more memory.\n"));
4535 sav
->replay
[0]->lastseq
= ~0;
4540 /* Authentication keys */
4541 if (mhp
->ext
[SADB_EXT_KEY_AUTH
] != NULL
) {
4542 const struct sadb_key
*key0
;
4545 key0
= (const struct sadb_key
*)mhp
->ext
[SADB_EXT_KEY_AUTH
];
4546 len
= mhp
->extlen
[SADB_EXT_KEY_AUTH
];
4549 if (len
< sizeof(*key0
)) {
4550 ipseclog((LOG_DEBUG
, "key_setsaval: invalid auth key ext len. len = %d\n", len
));
4554 switch (mhp
->msg
->sadb_msg_satype
) {
4555 case SADB_SATYPE_AH
:
4556 case SADB_SATYPE_ESP
:
4557 if (len
== PFKEY_ALIGN8(sizeof(struct sadb_key
)) &&
4558 sav
->alg_auth
!= SADB_X_AALG_NULL
) {
4567 ipseclog((LOG_DEBUG
, "key_setsaval: invalid key_auth values.\n"));
4571 sav
->key_auth
= (struct sadb_key
*)key_newbuf(key0
, len
);
4572 if (sav
->key_auth
== NULL
) {
4573 ipseclog((LOG_DEBUG
, "key_setsaval: No more memory.\n"));
4579 /* Encryption key */
4580 if (mhp
->ext
[SADB_EXT_KEY_ENCRYPT
] != NULL
) {
4581 const struct sadb_key
*key0
;
4584 key0
= (const struct sadb_key
*)mhp
->ext
[SADB_EXT_KEY_ENCRYPT
];
4585 len
= mhp
->extlen
[SADB_EXT_KEY_ENCRYPT
];
4588 if (len
< sizeof(*key0
)) {
4589 ipseclog((LOG_DEBUG
, "key_setsaval: invalid encryption key ext len. len = %d\n", len
));
4593 switch (mhp
->msg
->sadb_msg_satype
) {
4594 case SADB_SATYPE_ESP
:
4595 if (len
== PFKEY_ALIGN8(sizeof(struct sadb_key
)) &&
4596 sav
->alg_enc
!= SADB_EALG_NULL
) {
4597 ipseclog((LOG_DEBUG
, "key_setsaval: invalid ESP algorithm.\n"));
4601 sav
->key_enc
= (struct sadb_key
*)key_newbuf(key0
, len
);
4602 if (sav
->key_enc
== NULL
) {
4603 ipseclog((LOG_DEBUG
, "key_setsaval: No more memory.\n"));
4608 case SADB_SATYPE_AH
:
4614 ipseclog((LOG_DEBUG
, "key_setsaval: invalid key_enc value.\n"));
4622 switch (mhp
->msg
->sadb_msg_satype
) {
4623 case SADB_SATYPE_ESP
:
4625 algo
= esp_algorithm_lookup(sav
->alg_enc
);
4626 if (algo
&& algo
->ivlen
) {
4627 sav
->ivlen
= (*algo
->ivlen
)(algo
, sav
);
4629 if (sav
->ivlen
== 0) {
4632 KMALLOC_NOWAIT(sav
->iv
, caddr_t
, sav
->ivlen
);
4634 lck_mtx_unlock(sadb_mutex
);
4635 KMALLOC_WAIT(sav
->iv
, caddr_t
, sav
->ivlen
);
4636 lck_mtx_lock(sadb_mutex
);
4638 ipseclog((LOG_DEBUG
, "key_setsaval: No more memory.\n"));
4645 if (sav
->alg_enc
== SADB_X_EALG_AES_GCM
) {
4646 bzero(sav
->iv
, sav
->ivlen
);
4648 key_randomfill(sav
->iv
, sav
->ivlen
);
4652 case SADB_SATYPE_AH
:
4655 ipseclog((LOG_DEBUG
, "key_setsaval: invalid SA type.\n"));
4662 sav
->created
= tv
.tv_sec
;
4664 /* make lifetime for CURRENT */
4665 KMALLOC_NOWAIT(sav
->lft_c
, struct sadb_lifetime
*,
4666 sizeof(struct sadb_lifetime
));
4667 if (sav
->lft_c
== NULL
) {
4668 lck_mtx_unlock(sadb_mutex
);
4669 KMALLOC_WAIT(sav
->lft_c
, struct sadb_lifetime
*,
4670 sizeof(struct sadb_lifetime
));
4671 lck_mtx_lock(sadb_mutex
);
4672 if (sav
->lft_c
== NULL
) {
4673 ipseclog((LOG_DEBUG
, "key_setsaval: No more memory.\n"));
4681 sav
->lft_c
->sadb_lifetime_len
=
4682 PFKEY_UNIT64(sizeof(struct sadb_lifetime
));
4683 sav
->lft_c
->sadb_lifetime_exttype
= SADB_EXT_LIFETIME_CURRENT
;
4684 sav
->lft_c
->sadb_lifetime_allocations
= 0;
4685 sav
->lft_c
->sadb_lifetime_bytes
= 0;
4686 sav
->lft_c
->sadb_lifetime_addtime
= tv
.tv_sec
;
4687 sav
->lft_c
->sadb_lifetime_usetime
= 0;
4689 /* lifetimes for HARD and SOFT */
4691 const struct sadb_lifetime
*lft0
;
4693 lft0
= (struct sadb_lifetime
*)
4694 (void *)mhp
->ext
[SADB_EXT_LIFETIME_HARD
];
4696 if (mhp
->extlen
[SADB_EXT_LIFETIME_HARD
] < sizeof(*lft0
)) {
4697 ipseclog((LOG_DEBUG
, "key_setsaval: invalid hard lifetime ext len.\n"));
4701 sav
->lft_h
= (struct sadb_lifetime
*)key_newbuf(lft0
,
4703 if (sav
->lft_h
== NULL
) {
4704 ipseclog((LOG_DEBUG
, "key_setsaval: No more memory.\n"));
4708 /* to be initialize ? */
4711 lft0
= (struct sadb_lifetime
*)
4712 (void *)mhp
->ext
[SADB_EXT_LIFETIME_SOFT
];
4714 if (mhp
->extlen
[SADB_EXT_LIFETIME_SOFT
] < sizeof(*lft0
)) {
4715 ipseclog((LOG_DEBUG
, "key_setsaval: invalid soft lifetime ext len.\n"));
4719 sav
->lft_s
= (struct sadb_lifetime
*)key_newbuf(lft0
,
4721 if (sav
->lft_s
== NULL
) {
4722 ipseclog((LOG_DEBUG
, "key_setsaval: No more memory.\n"));
4726 /* to be initialize ? */
4733 /* initialization */
4734 for (int i
= 0; i
< MAX_REPLAY_WINDOWS
; i
++) {
4735 if (sav
->replay
[i
] != NULL
) {
4736 keydb_delsecreplay(sav
->replay
[i
]);
4737 sav
->replay
[i
] = NULL
;
4740 if (sav
->key_auth
!= NULL
) {
4741 bzero(_KEYBUF(sav
->key_auth
), _KEYLEN(sav
->key_auth
));
4742 KFREE(sav
->key_auth
);
4743 sav
->key_auth
= NULL
;
4745 if (sav
->key_enc
!= NULL
) {
4746 bzero(_KEYBUF(sav
->key_enc
), _KEYLEN(sav
->key_enc
));
4747 KFREE(sav
->key_enc
);
4748 sav
->key_enc
= NULL
;
4751 bzero(sav
->sched
, sav
->schedlen
);
4755 if (sav
->iv
!= NULL
) {
4759 if (sav
->lft_c
!= NULL
) {
4763 if (sav
->lft_h
!= NULL
) {
4767 if (sav
->lft_s
!= NULL
) {
4776 * copy SA values from PF_KEY message except *SPI, SEQ, PID, STATE and TYPE*.
4777 * You must update these if need.
4781 * does not modify mbuf. does not free mbuf on error.
4784 key_setsaval2(struct secasvar
*sav
,
4790 struct sadb_key
*key_auth
,
4791 u_int16_t key_auth_len
,
4792 struct sadb_key
*key_enc
,
4793 u_int16_t key_enc_len
,
4794 u_int16_t natt_port
,
4798 struct sadb_lifetime
*lifetime_hard
,
4799 struct sadb_lifetime
*lifetime_soft
)
4802 const struct esp_algorithm
*algo
;
4807 LCK_MTX_ASSERT(sadb_mutex
, LCK_MTX_ASSERT_OWNED
);
4809 /* initialization */
4810 for (int i
= 0; i
< MAX_REPLAY_WINDOWS
; i
++) {
4811 sav
->replay
[i
] = NULL
;
4814 sav
->key_auth
= NULL
;
4815 sav
->key_enc
= NULL
;
4822 sav
->remote_ike_port
= 0;
4823 sav
->natt_last_activity
= natt_now
;
4824 sav
->natt_encapsulated_src_port
= 0;
4826 sav
->alg_auth
= alg_auth
;
4827 sav
->alg_enc
= alg_enc
;
4831 key_setspi(sav
, htonl(spi
));
4834 * Verify that a nat-traversal port was specified if
4835 * the nat-traversal flag is set.
4837 if ((sav
->flags
& SADB_X_EXT_NATT
) != 0) {
4838 if (natt_port
== 0) {
4839 ipseclog((LOG_DEBUG
, "key_setsaval2: natt port not set.\n"));
4843 sav
->remote_ike_port
= natt_port
;
4847 * Verify if SADB_X_EXT_NATT_MULTIPLEUSERS flag is set that
4848 * SADB_X_EXT_NATT is set and SADB_X_EXT_NATT_KEEPALIVE is not
4849 * set (we're not behind nat) - otherwise clear it.
4851 if ((sav
->flags
& SADB_X_EXT_NATT_MULTIPLEUSERS
) != 0) {
4852 if ((sav
->flags
& SADB_X_EXT_NATT
) == 0 ||
4853 (sav
->flags
& SADB_X_EXT_NATT_KEEPALIVE
) != 0) {
4854 sav
->flags
&= ~SADB_X_EXT_NATT_MULTIPLEUSERS
;
4859 if ((flags
& SADB_X_EXT_OLD
) == 0) {
4860 if ((sav
->flags2
& SADB_X_EXT_SA2_SEQ_PER_TRAFFIC_CLASS
) ==
4861 SADB_X_EXT_SA2_SEQ_PER_TRAFFIC_CLASS
) {
4862 uint32_t range
= (1ULL << (sizeof(((struct secreplay
*)0)->count
) * 8)) / MAX_REPLAY_WINDOWS
;
4863 for (int i
= 0; i
< MAX_REPLAY_WINDOWS
; i
++) {
4864 sav
->replay
[i
] = keydb_newsecreplay(replay
);
4865 if (sav
->replay
[i
] == NULL
) {
4866 ipseclog((LOG_DEBUG
, "key_setsaval: No more memory.\n"));
4870 /* Allowed range for sequence per traffic class */
4871 sav
->replay
[i
]->count
= i
* range
;
4872 sav
->replay
[i
]->lastseq
= ((i
+ 1) * range
) - 1;
4875 sav
->replay
[0] = keydb_newsecreplay(replay
);
4876 if (sav
->replay
[0] == NULL
) {
4877 ipseclog((LOG_DEBUG
, "key_setsaval: No more memory.\n"));
4881 sav
->replay
[0]->lastseq
= ~0;
4885 /* Authentication keys */
4886 sav
->key_auth
= (__typeof__(sav
->key_auth
))key_newbuf(key_auth
, key_auth_len
);
4887 if (sav
->key_auth
== NULL
) {
4888 ipseclog((LOG_DEBUG
, "key_setsaval: No more memory.\n"));
4893 /* Encryption key */
4894 sav
->key_enc
= (__typeof__(sav
->key_enc
))key_newbuf(key_enc
, key_enc_len
);
4895 if (sav
->key_enc
== NULL
) {
4896 ipseclog((LOG_DEBUG
, "key_setsaval: No more memory.\n"));
4904 if (satype
== SADB_SATYPE_ESP
) {
4906 algo
= esp_algorithm_lookup(sav
->alg_enc
);
4907 if (algo
&& algo
->ivlen
) {
4908 sav
->ivlen
= (*algo
->ivlen
)(algo
, sav
);
4910 if (sav
->ivlen
!= 0) {
4911 KMALLOC_NOWAIT(sav
->iv
, caddr_t
, sav
->ivlen
);
4913 lck_mtx_unlock(sadb_mutex
);
4914 KMALLOC_WAIT(sav
->iv
, caddr_t
, sav
->ivlen
);
4915 lck_mtx_lock(sadb_mutex
);
4917 ipseclog((LOG_DEBUG
, "key_setsaval: No more memory.\n"));
4923 if (sav
->alg_enc
== SADB_X_EALG_AES_GCM
) {
4924 bzero(sav
->iv
, sav
->ivlen
);
4926 key_randomfill(sav
->iv
, sav
->ivlen
);
4934 sav
->created
= tv
.tv_sec
;
4936 /* make lifetime for CURRENT */
4937 KMALLOC_NOWAIT(sav
->lft_c
, struct sadb_lifetime
*,
4938 sizeof(struct sadb_lifetime
));
4939 if (sav
->lft_c
== NULL
) {
4940 lck_mtx_unlock(sadb_mutex
);
4941 KMALLOC_WAIT(sav
->lft_c
, struct sadb_lifetime
*,
4942 sizeof(struct sadb_lifetime
));
4943 lck_mtx_lock(sadb_mutex
);
4944 if (sav
->lft_c
== NULL
) {
4945 ipseclog((LOG_DEBUG
, "key_setsaval: No more memory.\n"));
4953 sav
->lft_c
->sadb_lifetime_len
=
4954 PFKEY_UNIT64(sizeof(struct sadb_lifetime
));
4955 sav
->lft_c
->sadb_lifetime_exttype
= SADB_EXT_LIFETIME_CURRENT
;
4956 sav
->lft_c
->sadb_lifetime_allocations
= 0;
4957 sav
->lft_c
->sadb_lifetime_bytes
= 0;
4958 sav
->lft_c
->sadb_lifetime_addtime
= tv
.tv_sec
;
4959 sav
->lft_c
->sadb_lifetime_usetime
= 0;
4961 /* lifetimes for HARD and SOFT */
4962 sav
->lft_h
= (__typeof__(sav
->lft_h
))key_newbuf(lifetime_hard
,
4963 sizeof(*lifetime_hard
));
4964 if (sav
->lft_h
== NULL
) {
4965 ipseclog((LOG_DEBUG
, "key_setsaval: No more memory.\n"));
4969 sav
->lft_s
= (__typeof__(sav
->lft_s
))key_newbuf(lifetime_soft
,
4970 sizeof(*lifetime_soft
));
4971 if (sav
->lft_s
== NULL
) {
4972 ipseclog((LOG_DEBUG
, "key_setsaval: No more memory.\n"));
4980 /* initialization */
4981 for (int i
= 0; i
< MAX_REPLAY_WINDOWS
; i
++) {
4982 if (sav
->replay
[i
] != NULL
) {
4983 keydb_delsecreplay(sav
->replay
[i
]);
4984 sav
->replay
[i
] = NULL
;
4987 if (sav
->key_auth
!= NULL
) {
4988 bzero(_KEYBUF(sav
->key_auth
), _KEYLEN(sav
->key_auth
));
4989 KFREE(sav
->key_auth
);
4990 sav
->key_auth
= NULL
;
4992 if (sav
->key_enc
!= NULL
) {
4993 bzero(_KEYBUF(sav
->key_enc
), _KEYLEN(sav
->key_enc
));
4994 KFREE(sav
->key_enc
);
4995 sav
->key_enc
= NULL
;
4998 bzero(sav
->sched
, sav
->schedlen
);
5002 if (sav
->iv
!= NULL
) {
5006 if (sav
->lft_c
!= NULL
) {
5010 if (sav
->lft_h
!= NULL
) {
5014 if (sav
->lft_s
!= NULL
) {
5023 * validation with a secasvar entry, and set SADB_SATYPE_MATURE.
5029 struct secasvar
*sav
)
5032 int checkmask
= 0; /* 2^0: ealg 2^1: aalg 2^2: calg */
5033 int mustmask
= 0; /* 2^0: ealg 2^1: aalg 2^2: calg */
5037 LCK_MTX_ASSERT(sadb_mutex
, LCK_MTX_ASSERT_OWNED
);
5039 /* check SPI value */
5040 switch (sav
->sah
->saidx
.proto
) {
5044 /* No reason to test if this is >= 0, because ntohl(sav->spi) is unsigned. */
5045 if (ntohl(sav
->spi
) <= 255) {
5046 ipseclog((LOG_DEBUG
,
5047 "key_mature: illegal range of SPI %u.\n",
5048 (u_int32_t
)ntohl(sav
->spi
)));
5055 switch (sav
->sah
->saidx
.proto
) {
5058 if ((sav
->flags
& SADB_X_EXT_OLD
)
5059 && (sav
->flags
& SADB_X_EXT_DERIV
)) {
5060 ipseclog((LOG_DEBUG
, "key_mature: "
5061 "invalid flag (derived) given to old-esp.\n"));
5064 if (sav
->alg_auth
== SADB_AALG_NONE
) {
5073 if (sav
->flags
& SADB_X_EXT_DERIV
) {
5074 ipseclog((LOG_DEBUG
, "key_mature: "
5075 "invalid flag (derived) given to AH SA.\n"));
5078 if (sav
->alg_enc
!= SADB_EALG_NONE
) {
5079 ipseclog((LOG_DEBUG
, "key_mature: "
5080 "protocol and algorithm mismated.\n"));
5087 ipseclog((LOG_DEBUG
, "key_mature: Invalid satype.\n"));
5088 return EPROTONOSUPPORT
;
5091 /* check authentication algorithm */
5092 if ((checkmask
& 2) != 0) {
5093 const struct ah_algorithm
*algo
;
5096 algo
= ah_algorithm_lookup(sav
->alg_auth
);
5098 ipseclog((LOG_DEBUG
, "key_mature: "
5099 "unknown authentication algorithm.\n"));
5103 /* algorithm-dependent check */
5104 if (sav
->key_auth
) {
5105 keylen
= sav
->key_auth
->sadb_key_bits
;
5109 if (keylen
< algo
->keymin
|| algo
->keymax
< keylen
) {
5110 ipseclog((LOG_DEBUG
,
5111 "key_mature: invalid AH key length %d "
5112 "(%d-%d allowed)\n",
5113 keylen
, algo
->keymin
, algo
->keymax
));
5118 if ((*algo
->mature
)(sav
)) {
5119 /* message generated in per-algorithm function*/
5122 mature
= SADB_SATYPE_AH
;
5126 if ((mustmask
& 2) != 0 && mature
!= SADB_SATYPE_AH
) {
5127 ipseclog((LOG_DEBUG
, "key_mature: no satisfy algorithm for AH\n"));
5132 /* check encryption algorithm */
5133 if ((checkmask
& 1) != 0) {
5135 const struct esp_algorithm
*algo
;
5138 algo
= esp_algorithm_lookup(sav
->alg_enc
);
5140 ipseclog((LOG_DEBUG
, "key_mature: unknown encryption algorithm.\n"));
5144 /* algorithm-dependent check */
5146 keylen
= sav
->key_enc
->sadb_key_bits
;
5150 if (keylen
< algo
->keymin
|| algo
->keymax
< keylen
) {
5151 ipseclog((LOG_DEBUG
,
5152 "key_mature: invalid ESP key length %d "
5153 "(%d-%d allowed)\n",
5154 keylen
, algo
->keymin
, algo
->keymax
));
5159 if ((*algo
->mature
)(sav
)) {
5160 /* message generated in per-algorithm function*/
5163 mature
= SADB_SATYPE_ESP
;
5167 if ((mustmask
& 1) != 0 && mature
!= SADB_SATYPE_ESP
) {
5168 ipseclog((LOG_DEBUG
, "key_mature: no satisfy algorithm for ESP\n"));
5172 ipseclog((LOG_DEBUG
, "key_mature: ESP not supported in this configuration\n"));
5177 key_sa_chgstate(sav
, SADB_SASTATE_MATURE
);
5183 * subroutine for SADB_GET and SADB_DUMP.
5185 static struct mbuf
*
5187 struct secasvar
*sav
,
5193 struct mbuf
*result
= NULL
, *tres
= NULL
, *m
;
5198 SADB_EXT_SA
, SADB_X_EXT_SA2
,
5199 SADB_EXT_LIFETIME_HARD
, SADB_EXT_LIFETIME_SOFT
,
5200 SADB_EXT_LIFETIME_CURRENT
, SADB_EXT_ADDRESS_SRC
,
5201 SADB_EXT_ADDRESS_DST
, SADB_EXT_ADDRESS_PROXY
, SADB_EXT_KEY_AUTH
,
5202 SADB_EXT_KEY_ENCRYPT
, SADB_EXT_IDENTITY_SRC
,
5203 SADB_EXT_IDENTITY_DST
, SADB_EXT_SENSITIVITY
,
5206 m
= key_setsadbmsg(type
, 0, satype
, seq
, pid
, sav
->refcnt
);
5212 for (i
= sizeof(dumporder
) / sizeof(dumporder
[0]) - 1; i
>= 0; i
--) {
5215 switch (dumporder
[i
]) {
5217 m
= key_setsadbsa(sav
);
5223 case SADB_X_EXT_SA2
:
5224 m
= key_setsadbxsa2(sav
->sah
->saidx
.mode
,
5225 sav
->replay
[0] ? sav
->replay
[0]->count
: 0,
5226 sav
->sah
->saidx
.reqid
,
5233 case SADB_EXT_ADDRESS_SRC
:
5234 m
= key_setsadbaddr(SADB_EXT_ADDRESS_SRC
,
5235 (struct sockaddr
*)&sav
->sah
->saidx
.src
,
5236 FULLMASK
, IPSEC_ULPROTO_ANY
);
5242 case SADB_EXT_ADDRESS_DST
:
5243 m
= key_setsadbaddr(SADB_EXT_ADDRESS_DST
,
5244 (struct sockaddr
*)&sav
->sah
->saidx
.dst
,
5245 FULLMASK
, IPSEC_ULPROTO_ANY
);
5251 case SADB_EXT_KEY_AUTH
:
5252 if (!sav
->key_auth
) {
5255 l
= PFKEY_UNUNIT64(sav
->key_auth
->sadb_key_len
);
5259 case SADB_EXT_KEY_ENCRYPT
:
5260 if (!sav
->key_enc
) {
5263 l
= PFKEY_UNUNIT64(sav
->key_enc
->sadb_key_len
);
5267 case SADB_EXT_LIFETIME_CURRENT
:
5271 l
= PFKEY_UNUNIT64(((struct sadb_ext
*)sav
->lft_c
)->sadb_ext_len
);
5275 case SADB_EXT_LIFETIME_HARD
:
5279 l
= PFKEY_UNUNIT64(((struct sadb_ext
*)sav
->lft_h
)->sadb_ext_len
);
5283 case SADB_EXT_LIFETIME_SOFT
:
5287 l
= PFKEY_UNUNIT64(((struct sadb_ext
*)sav
->lft_s
)->sadb_ext_len
);
5291 case SADB_EXT_ADDRESS_PROXY
:
5292 case SADB_EXT_IDENTITY_SRC
:
5293 case SADB_EXT_IDENTITY_DST
:
5294 /* XXX: should we brought from SPD ? */
5295 case SADB_EXT_SENSITIVITY
:
5300 if ((!m
&& !p
) || (m
&& p
)) {
5304 M_PREPEND(tres
, l
, M_WAITOK
, 1);
5308 bcopy(p
, mtod(tres
, caddr_t
), l
);
5312 m
= key_alloc_mbuf(l
);
5316 m_copyback(m
, 0, l
, p
);
5325 m_cat(result
, tres
);
5327 if (sav
->sah
&& (sav
->sah
->outgoing_if
|| sav
->sah
->ipsec_if
)) {
5328 m
= key_setsadbipsecif(NULL
, ifindex2ifnet
[sav
->sah
->outgoing_if
], sav
->sah
->ipsec_if
, 0);
5335 if (result
->m_len
< sizeof(struct sadb_msg
)) {
5336 result
= m_pullup(result
, sizeof(struct sadb_msg
));
5337 if (result
== NULL
) {
5342 result
->m_pkthdr
.len
= 0;
5343 for (m
= result
; m
; m
= m
->m_next
) {
5344 result
->m_pkthdr
.len
+= m
->m_len
;
5347 mtod(result
, struct sadb_msg
*)->sadb_msg_len
=
5348 PFKEY_UNIT64(result
->m_pkthdr
.len
);
5359 * set data into sadb_msg.
5361 static struct mbuf
*
5374 len
= PFKEY_ALIGN8(sizeof(struct sadb_msg
));
5375 if (len
> MCLBYTES
) {
5378 MGETHDR(m
, M_DONTWAIT
, MT_DATA
);
5379 if (m
&& len
> MHLEN
) {
5380 MCLGET(m
, M_DONTWAIT
);
5381 if ((m
->m_flags
& M_EXT
) == 0) {
5389 m
->m_pkthdr
.len
= m
->m_len
= len
;
5392 p
= mtod(m
, struct sadb_msg
*);
5395 p
->sadb_msg_version
= PF_KEY_V2
;
5396 p
->sadb_msg_type
= type
;
5397 p
->sadb_msg_errno
= 0;
5398 p
->sadb_msg_satype
= satype
;
5399 p
->sadb_msg_len
= PFKEY_UNIT64(tlen
);
5400 p
->sadb_msg_reserved
= reserved
;
5401 p
->sadb_msg_seq
= seq
;
5402 p
->sadb_msg_pid
= (u_int32_t
)pid
;
5408 * copy secasvar data into sadb_address.
5410 static struct mbuf
*
5412 struct secasvar
*sav
)
5418 len
= PFKEY_ALIGN8(sizeof(struct sadb_sa
));
5419 m
= key_alloc_mbuf(len
);
5420 if (!m
|| m
->m_next
) { /*XXX*/
5427 p
= mtod(m
, struct sadb_sa
*);
5430 p
->sadb_sa_len
= PFKEY_UNIT64(len
);
5431 p
->sadb_sa_exttype
= SADB_EXT_SA
;
5432 p
->sadb_sa_spi
= sav
->spi
;
5433 p
->sadb_sa_replay
= (sav
->replay
[0] != NULL
? sav
->replay
[0]->wsize
: 0);
5434 p
->sadb_sa_state
= sav
->state
;
5435 p
->sadb_sa_auth
= sav
->alg_auth
;
5436 p
->sadb_sa_encrypt
= sav
->alg_enc
;
5437 p
->sadb_sa_flags
= sav
->flags
;
5443 * set data into sadb_address.
5445 static struct mbuf
*
5448 struct sockaddr
*saddr
,
5453 struct sadb_address
*p
;
5456 len
= PFKEY_ALIGN8(sizeof(struct sadb_address
)) +
5457 PFKEY_ALIGN8(saddr
->sa_len
);
5458 m
= key_alloc_mbuf(len
);
5459 if (!m
|| m
->m_next
) { /*XXX*/
5466 p
= mtod(m
, struct sadb_address
*);
5469 p
->sadb_address_len
= PFKEY_UNIT64(len
);
5470 p
->sadb_address_exttype
= exttype
;
5471 p
->sadb_address_proto
= ul_proto
;
5472 if (prefixlen
== FULLMASK
) {
5473 switch (saddr
->sa_family
) {
5475 prefixlen
= sizeof(struct in_addr
) << 3;
5478 prefixlen
= sizeof(struct in6_addr
) << 3;
5484 p
->sadb_address_prefixlen
= prefixlen
;
5485 p
->sadb_address_reserved
= 0;
5488 mtod(m
, caddr_t
) + PFKEY_ALIGN8(sizeof(struct sadb_address
)),
5494 static struct mbuf
*
5495 key_setsadbipsecif(ifnet_t internal_if
,
5496 ifnet_t outgoing_if
,
5501 struct sadb_x_ipsecif
*p
;
5504 len
= PFKEY_ALIGN8(sizeof(struct sadb_x_ipsecif
));
5505 m
= key_alloc_mbuf(len
);
5506 if (!m
|| m
->m_next
) { /*XXX*/
5513 p
= mtod(m
, struct sadb_x_ipsecif
*);
5516 p
->sadb_x_ipsecif_len
= PFKEY_UNIT64(len
);
5517 p
->sadb_x_ipsecif_exttype
= SADB_X_EXT_IPSECIF
;
5519 if (internal_if
&& internal_if
->if_xname
) {
5520 strlcpy(p
->sadb_x_ipsecif_internal_if
, internal_if
->if_xname
, IFXNAMSIZ
);
5522 if (outgoing_if
&& outgoing_if
->if_xname
) {
5523 strlcpy(p
->sadb_x_ipsecif_outgoing_if
, outgoing_if
->if_xname
, IFXNAMSIZ
);
5525 if (ipsec_if
&& ipsec_if
->if_xname
) {
5526 strlcpy(p
->sadb_x_ipsecif_ipsec_if
, ipsec_if
->if_xname
, IFXNAMSIZ
);
5529 p
->sadb_x_ipsecif_init_disabled
= init_disabled
;
5535 * set data into sadb_session_id
5537 static struct mbuf
*
5538 key_setsadbsession_id(u_int64_t session_ids
[])
5541 struct sadb_session_id
*p
;
5544 len
= PFKEY_ALIGN8(sizeof(*p
));
5545 m
= key_alloc_mbuf(len
);
5546 if (!m
|| m
->m_next
) { /*XXX*/
5553 p
= mtod(m
, __typeof__(p
));
5556 p
->sadb_session_id_len
= PFKEY_UNIT64(len
);
5557 p
->sadb_session_id_exttype
= SADB_EXT_SESSION_ID
;
5558 p
->sadb_session_id_v
[0] = session_ids
[0];
5559 p
->sadb_session_id_v
[1] = session_ids
[1];
5565 * copy stats data into sadb_sastat type.
5567 static struct mbuf
*
5568 key_setsadbsastat(u_int32_t dir
,
5569 struct sastat
*stats
,
5570 u_int32_t max_stats
)
5573 struct sadb_sastat
*p
;
5580 list_len
= sizeof(*stats
) * max_stats
;
5581 len
= PFKEY_ALIGN8(sizeof(*p
)) + PFKEY_ALIGN8(list_len
);
5582 m
= key_alloc_mbuf(len
);
5583 if (!m
|| m
->m_next
) { /*XXX*/
5590 p
= mtod(m
, __typeof__(p
));
5593 p
->sadb_sastat_len
= PFKEY_UNIT64(len
);
5594 p
->sadb_sastat_exttype
= SADB_EXT_SASTAT
;
5595 p
->sadb_sastat_dir
= dir
;
5596 p
->sadb_sastat_list_len
= max_stats
;
5599 mtod(m
, caddr_t
) + PFKEY_ALIGN8(sizeof(*p
)),
5608 * set data into sadb_ident.
5610 static struct mbuf
*
5619 struct sadb_ident
*p
;
5622 len
= PFKEY_ALIGN8(sizeof(struct sadb_ident
)) + PFKEY_ALIGN8(stringlen
);
5623 m
= key_alloc_mbuf(len
);
5624 if (!m
|| m
->m_next
) { /*XXX*/
5631 p
= mtod(m
, struct sadb_ident
*);
5634 p
->sadb_ident_len
= PFKEY_UNIT64(len
);
5635 p
->sadb_ident_exttype
= exttype
;
5636 p
->sadb_ident_type
= idtype
;
5637 p
->sadb_ident_reserved
= 0;
5638 p
->sadb_ident_id
= id
;
5641 mtod(m
, caddr_t
) + PFKEY_ALIGN8(sizeof(struct sadb_ident
)),
5649 * set data into sadb_x_sa2.
5651 static struct mbuf
*
5659 struct sadb_x_sa2
*p
;
5662 len
= PFKEY_ALIGN8(sizeof(struct sadb_x_sa2
));
5663 m
= key_alloc_mbuf(len
);
5664 if (!m
|| m
->m_next
) { /*XXX*/
5671 p
= mtod(m
, struct sadb_x_sa2
*);
5674 p
->sadb_x_sa2_len
= PFKEY_UNIT64(len
);
5675 p
->sadb_x_sa2_exttype
= SADB_X_EXT_SA2
;
5676 p
->sadb_x_sa2_mode
= mode
;
5677 p
->sadb_x_sa2_reserved1
= 0;
5678 p
->sadb_x_sa2_reserved2
= 0;
5679 p
->sadb_x_sa2_sequence
= seq
;
5680 p
->sadb_x_sa2_reqid
= reqid
;
5681 p
->sadb_x_sa2_flags
= flags
;
5687 * set data into sadb_x_policy
5689 static struct mbuf
*
5696 struct sadb_x_policy
*p
;
5699 len
= PFKEY_ALIGN8(sizeof(struct sadb_x_policy
));
5700 m
= key_alloc_mbuf(len
);
5701 if (!m
|| m
->m_next
) { /*XXX*/
5708 p
= mtod(m
, struct sadb_x_policy
*);
5711 p
->sadb_x_policy_len
= PFKEY_UNIT64(len
);
5712 p
->sadb_x_policy_exttype
= SADB_X_EXT_POLICY
;
5713 p
->sadb_x_policy_type
= type
;
5714 p
->sadb_x_policy_dir
= dir
;
5715 p
->sadb_x_policy_id
= id
;
5722 * copy a buffer into the new buffer allocated.
5731 LCK_MTX_ASSERT(sadb_mutex
, LCK_MTX_ASSERT_OWNED
);
5732 KMALLOC_NOWAIT(new, caddr_t
, len
);
5734 lck_mtx_unlock(sadb_mutex
);
5735 KMALLOC_WAIT(new, caddr_t
, len
);
5736 lck_mtx_lock(sadb_mutex
);
5738 ipseclog((LOG_DEBUG
, "key_newbuf: No more memory.\n"));
5742 bcopy(src
, new, len
);
5747 /* compare my own address
5748 * OUT: 1: true, i.e. my address.
5753 struct sockaddr
*sa
)
5756 struct sockaddr_in
*sin
;
5757 struct in_ifaddr
*ia
;
5762 panic("key_ismyaddr: NULL pointer is passed.\n");
5765 switch (sa
->sa_family
) {
5768 lck_rw_lock_shared(in_ifaddr_rwlock
);
5769 sin
= (struct sockaddr_in
*)(void *)sa
;
5770 for (ia
= in_ifaddrhead
.tqh_first
; ia
;
5771 ia
= ia
->ia_link
.tqe_next
) {
5772 IFA_LOCK_SPIN(&ia
->ia_ifa
);
5773 if (sin
->sin_family
== ia
->ia_addr
.sin_family
&&
5774 sin
->sin_len
== ia
->ia_addr
.sin_len
&&
5775 sin
->sin_addr
.s_addr
== ia
->ia_addr
.sin_addr
.s_addr
) {
5776 IFA_UNLOCK(&ia
->ia_ifa
);
5777 lck_rw_done(in_ifaddr_rwlock
);
5780 IFA_UNLOCK(&ia
->ia_ifa
);
5782 lck_rw_done(in_ifaddr_rwlock
);
5787 return key_ismyaddr6((struct sockaddr_in6
*)(void *)sa
);
5796 * compare my own address for IPv6.
5799 * NOTE: derived ip6_input() in KAME. This is necessary to modify more.
5801 #include <netinet6/in6_var.h>
5805 struct sockaddr_in6
*sin6
)
5807 struct in6_ifaddr
*ia
;
5808 struct in6_multi
*in6m
;
5810 lck_rw_lock_shared(&in6_ifaddr_rwlock
);
5811 for (ia
= in6_ifaddrs
; ia
; ia
= ia
->ia_next
) {
5812 IFA_LOCK(&ia
->ia_ifa
);
5813 if (key_sockaddrcmp((struct sockaddr
*)&sin6
,
5814 (struct sockaddr
*)&ia
->ia_addr
, 0) == 0) {
5815 IFA_UNLOCK(&ia
->ia_ifa
);
5816 lck_rw_done(&in6_ifaddr_rwlock
);
5819 IFA_UNLOCK(&ia
->ia_ifa
);
5823 * XXX why do we care about multlicast here while we don't care
5824 * about IPv4 multicast??
5828 in6_multihead_lock_shared();
5829 IN6_LOOKUP_MULTI(&sin6
->sin6_addr
, ia
->ia_ifp
, in6m
);
5830 in6_multihead_lock_done();
5832 lck_rw_done(&in6_ifaddr_rwlock
);
5837 lck_rw_done(&in6_ifaddr_rwlock
);
5839 /* loopback, just for safety */
5840 if (IN6_IS_ADDR_LOOPBACK(&sin6
->sin6_addr
)) {
5849 * compare two secasindex structure.
5850 * flag can specify to compare 2 saidxes.
5851 * compare two secasindex structure without both mode and reqid.
5852 * don't compare port.
5854 * saidx0: source, it can be in SAD.
5862 struct secasindex
*saidx0
,
5863 struct secasindex
*saidx1
,
5867 if (saidx0
== NULL
&& saidx1
== NULL
) {
5871 if (saidx0
== NULL
|| saidx1
== NULL
) {
5875 if (saidx0
->ipsec_ifindex
!= 0 && saidx0
->ipsec_ifindex
!= saidx1
->ipsec_ifindex
) {
5879 if (saidx0
->proto
!= saidx1
->proto
) {
5883 if (flag
== CMP_EXACTLY
) {
5884 if (saidx0
->mode
!= saidx1
->mode
) {
5887 if (saidx0
->reqid
!= saidx1
->reqid
) {
5890 if (bcmp(&saidx0
->src
, &saidx1
->src
, saidx0
->src
.ss_len
) != 0 ||
5891 bcmp(&saidx0
->dst
, &saidx1
->dst
, saidx0
->dst
.ss_len
) != 0) {
5895 /* CMP_MODE_REQID, CMP_REQID, CMP_HEAD */
5896 if (flag
& CMP_REQID
) {
5898 * If reqid of SPD is non-zero, unique SA is required.
5899 * The result must be of same reqid in this case.
5901 if (saidx1
->reqid
!= 0 && saidx0
->reqid
!= saidx1
->reqid
) {
5906 if (flag
& CMP_MODE
) {
5907 if (saidx0
->mode
!= IPSEC_MODE_ANY
5908 && saidx0
->mode
!= saidx1
->mode
) {
5913 if (key_sockaddrcmp((struct sockaddr
*)&saidx0
->src
,
5914 (struct sockaddr
*)&saidx1
->src
, flag
& CMP_PORT
? 1 : 0) != 0) {
5917 if (key_sockaddrcmp((struct sockaddr
*)&saidx0
->dst
,
5918 (struct sockaddr
*)&saidx1
->dst
, flag
& CMP_PORT
? 1 : 0) != 0) {
5927 * compare two secindex structure exactly.
5929 * spidx0: source, it is often in SPD.
5930 * spidx1: object, it is often from PFKEY message.
5936 key_cmpspidx_exactly(
5937 struct secpolicyindex
*spidx0
,
5938 struct secpolicyindex
*spidx1
)
5941 if (spidx0
== NULL
&& spidx1
== NULL
) {
5945 if (spidx0
== NULL
|| spidx1
== NULL
) {
5949 if (spidx0
->prefs
!= spidx1
->prefs
5950 || spidx0
->prefd
!= spidx1
->prefd
5951 || spidx0
->ul_proto
!= spidx1
->ul_proto
5952 || spidx0
->internal_if
!= spidx1
->internal_if
) {
5956 if (key_sockaddrcmp((struct sockaddr
*)&spidx0
->src
,
5957 (struct sockaddr
*)&spidx1
->src
, 1) != 0) {
5960 if (key_sockaddrcmp((struct sockaddr
*)&spidx0
->dst
,
5961 (struct sockaddr
*)&spidx1
->dst
, 1) != 0) {
5965 if (key_sockaddrcmp((struct sockaddr
*)&spidx0
->src_range
.start
,
5966 (struct sockaddr
*)&spidx1
->src_range
.start
, 1) != 0) {
5969 if (key_sockaddrcmp((struct sockaddr
*)&spidx0
->src_range
.end
,
5970 (struct sockaddr
*)&spidx1
->src_range
.end
, 1) != 0) {
5973 if (key_sockaddrcmp((struct sockaddr
*)&spidx0
->dst_range
.start
,
5974 (struct sockaddr
*)&spidx1
->dst_range
.start
, 1) != 0) {
5977 if (key_sockaddrcmp((struct sockaddr
*)&spidx0
->dst_range
.end
,
5978 (struct sockaddr
*)&spidx1
->dst_range
.end
, 1) != 0) {
5986 * compare two secindex structure with mask.
5988 * spidx0: source, it is often in SPD.
5989 * spidx1: object, it is often from IP header.
5995 key_cmpspidx_withmask(
5996 struct secpolicyindex
*spidx0
,
5997 struct secpolicyindex
*spidx1
)
5999 int spidx0_src_is_range
= 0;
6000 int spidx0_dst_is_range
= 0;
6003 if (spidx0
== NULL
&& spidx1
== NULL
) {
6007 if (spidx0
== NULL
|| spidx1
== NULL
) {
6011 if (spidx0
->src_range
.start
.ss_len
> 0) {
6012 spidx0_src_is_range
= 1;
6015 if (spidx0
->dst_range
.start
.ss_len
> 0) {
6016 spidx0_dst_is_range
= 1;
6019 if ((spidx0_src_is_range
? spidx0
->src_range
.start
.ss_family
: spidx0
->src
.ss_family
) != spidx1
->src
.ss_family
||
6020 (spidx0_dst_is_range
? spidx0
->dst_range
.start
.ss_family
: spidx0
->dst
.ss_family
) != spidx1
->dst
.ss_family
||
6021 (spidx0_src_is_range
? spidx0
->src_range
.start
.ss_len
: spidx0
->src
.ss_len
) != spidx1
->src
.ss_len
||
6022 (spidx0_dst_is_range
? spidx0
->dst_range
.start
.ss_len
: spidx0
->dst
.ss_len
) != spidx1
->dst
.ss_len
) {
6026 /* if spidx.ul_proto == IPSEC_ULPROTO_ANY, ignore. */
6027 if (spidx0
->ul_proto
!= (u_int16_t
)IPSEC_ULPROTO_ANY
6028 && spidx0
->ul_proto
!= spidx1
->ul_proto
) {
6032 /* If spidx1 specifies interface, ignore src addr */
6033 if (spidx1
->internal_if
!= NULL
) {
6034 if (spidx0
->internal_if
== NULL
6035 || spidx0
->internal_if
!= spidx1
->internal_if
) {
6039 /* Still check ports */
6040 switch (spidx0
->src
.ss_family
) {
6042 if (spidx0_src_is_range
&&
6043 (satosin(&spidx1
->src
)->sin_port
< satosin(&spidx0
->src_range
.start
)->sin_port
6044 || satosin(&spidx1
->src
)->sin_port
> satosin(&spidx0
->src_range
.end
)->sin_port
)) {
6046 } else if (satosin(&spidx0
->src
)->sin_port
!= IPSEC_PORT_ANY
6047 && satosin(&spidx0
->src
)->sin_port
!=
6048 satosin(&spidx1
->src
)->sin_port
) {
6053 if (spidx0_src_is_range
&&
6054 (satosin6(&spidx1
->src
)->sin6_port
< satosin6(&spidx0
->src_range
.start
)->sin6_port
6055 || satosin6(&spidx1
->src
)->sin6_port
> satosin6(&spidx0
->src_range
.end
)->sin6_port
)) {
6057 } else if (satosin6(&spidx0
->src
)->sin6_port
!= IPSEC_PORT_ANY
6058 && satosin6(&spidx0
->src
)->sin6_port
!=
6059 satosin6(&spidx1
->src
)->sin6_port
) {
6066 } else if (spidx0_src_is_range
) {
6067 if (!key_is_addr_in_range(&spidx1
->src
, &spidx0
->src_range
)) {
6071 switch (spidx0
->src
.ss_family
) {
6073 if (satosin(&spidx0
->src
)->sin_port
!= IPSEC_PORT_ANY
6074 && satosin(&spidx0
->src
)->sin_port
!=
6075 satosin(&spidx1
->src
)->sin_port
) {
6078 if (!key_bbcmp((caddr_t
)&satosin(&spidx0
->src
)->sin_addr
,
6079 (caddr_t
)&satosin(&spidx1
->src
)->sin_addr
, spidx0
->prefs
)) {
6084 if (satosin6(&spidx0
->src
)->sin6_port
!= IPSEC_PORT_ANY
6085 && satosin6(&spidx0
->src
)->sin6_port
!=
6086 satosin6(&spidx1
->src
)->sin6_port
) {
6090 * scope_id check. if sin6_scope_id is 0, we regard it
6091 * as a wildcard scope, which matches any scope zone ID.
6093 if (satosin6(&spidx0
->src
)->sin6_scope_id
&&
6094 satosin6(&spidx1
->src
)->sin6_scope_id
&&
6095 satosin6(&spidx0
->src
)->sin6_scope_id
!=
6096 satosin6(&spidx1
->src
)->sin6_scope_id
) {
6099 if (!key_bbcmp((caddr_t
)&satosin6(&spidx0
->src
)->sin6_addr
,
6100 (caddr_t
)&satosin6(&spidx1
->src
)->sin6_addr
, spidx0
->prefs
)) {
6106 if (bcmp(&spidx0
->src
, &spidx1
->src
, spidx0
->src
.ss_len
) != 0) {
6113 if (spidx0_dst_is_range
) {
6114 if (!key_is_addr_in_range(&spidx1
->dst
, &spidx0
->dst_range
)) {
6118 switch (spidx0
->dst
.ss_family
) {
6120 if (satosin(&spidx0
->dst
)->sin_port
!= IPSEC_PORT_ANY
6121 && satosin(&spidx0
->dst
)->sin_port
!=
6122 satosin(&spidx1
->dst
)->sin_port
) {
6125 if (!key_bbcmp((caddr_t
)&satosin(&spidx0
->dst
)->sin_addr
,
6126 (caddr_t
)&satosin(&spidx1
->dst
)->sin_addr
, spidx0
->prefd
)) {
6131 if (satosin6(&spidx0
->dst
)->sin6_port
!= IPSEC_PORT_ANY
6132 && satosin6(&spidx0
->dst
)->sin6_port
!=
6133 satosin6(&spidx1
->dst
)->sin6_port
) {
6137 * scope_id check. if sin6_scope_id is 0, we regard it
6138 * as a wildcard scope, which matches any scope zone ID.
6140 if (satosin6(&spidx0
->src
)->sin6_scope_id
&&
6141 satosin6(&spidx1
->src
)->sin6_scope_id
&&
6142 satosin6(&spidx0
->dst
)->sin6_scope_id
!=
6143 satosin6(&spidx1
->dst
)->sin6_scope_id
) {
6146 if (!key_bbcmp((caddr_t
)&satosin6(&spidx0
->dst
)->sin6_addr
,
6147 (caddr_t
)&satosin6(&spidx1
->dst
)->sin6_addr
, spidx0
->prefd
)) {
6153 if (bcmp(&spidx0
->dst
, &spidx1
->dst
, spidx0
->dst
.ss_len
) != 0) {
6160 /* XXX Do we check other field ? e.g. flowinfo */
6166 key_is_addr_in_range(struct sockaddr_storage
*addr
, struct secpolicyaddrrange
*addr_range
)
6170 if (addr
== NULL
|| addr_range
== NULL
) {
6174 /* Must be greater than or equal to start */
6175 cmp
= key_sockaddrcmp((struct sockaddr
*)addr
, (struct sockaddr
*)&addr_range
->start
, 1);
6176 if (cmp
!= 0 && cmp
!= 1) {
6180 /* Must be less than or equal to end */
6181 cmp
= key_sockaddrcmp((struct sockaddr
*)addr
, (struct sockaddr
*)&addr_range
->end
, 1);
6182 if (cmp
!= 0 && cmp
!= -1) {
6194 * 2: Not comparable or error
6198 struct sockaddr
*sa1
,
6199 struct sockaddr
*sa2
,
6203 int port_result
= 0;
6205 if (sa1
->sa_family
!= sa2
->sa_family
|| sa1
->sa_len
!= sa2
->sa_len
) {
6209 if (sa1
->sa_len
== 0) {
6213 switch (sa1
->sa_family
) {
6215 if (sa1
->sa_len
!= sizeof(struct sockaddr_in
)) {
6219 result
= memcmp(&satosin(sa1
)->sin_addr
.s_addr
, &satosin(sa2
)->sin_addr
.s_addr
, sizeof(satosin(sa1
)->sin_addr
.s_addr
));
6222 if (satosin(sa1
)->sin_port
< satosin(sa2
)->sin_port
) {
6224 } else if (satosin(sa1
)->sin_port
> satosin(sa2
)->sin_port
) {
6229 result
= port_result
;
6230 } else if ((result
> 0 && port_result
< 0) || (result
< 0 && port_result
> 0)) {
6237 if (sa1
->sa_len
!= sizeof(struct sockaddr_in6
)) {
6238 return 2; /*EINVAL*/
6240 if (satosin6(sa1
)->sin6_scope_id
!=
6241 satosin6(sa2
)->sin6_scope_id
) {
6245 result
= memcmp(&satosin6(sa1
)->sin6_addr
.s6_addr
[0], &satosin6(sa2
)->sin6_addr
.s6_addr
[0], sizeof(struct in6_addr
));
6248 if (satosin6(sa1
)->sin6_port
< satosin6(sa2
)->sin6_port
) {
6250 } else if (satosin6(sa1
)->sin6_port
> satosin6(sa2
)->sin6_port
) {
6255 result
= port_result
;
6256 } else if ((result
> 0 && port_result
< 0) || (result
< 0 && port_result
> 0)) {
6263 result
= memcmp(sa1
, sa2
, sa1
->sa_len
);
6269 } else if (result
> 0) {
6277 * compare two buffers with mask.
6281 * bits: Number of bits to compare
6294 /* XXX: This could be considerably faster if we compare a word
6295 * at a time, but it is complicated on LSB Endian machines */
6297 /* Handle null pointers */
6298 if (p1
== NULL
|| p2
== NULL
) {
6303 if (*p1
++ != *p2
++) {
6310 mask
= ~((1 << (8 - bits
)) - 1);
6311 if ((*p1
& mask
) != (*p2
& mask
)) {
6315 return 1; /* Match! */
6320 * scanning SPD and SAD to check status for each entries,
6321 * and do to remove or to expire.
6322 * XXX: year 2038 problem may remain.
6324 int key_timehandler_debug
= 0;
6325 u_int32_t spd_count
= 0, sah_count
= 0, dead_sah_count
= 0, empty_sah_count
= 0, larval_sav_count
= 0, mature_sav_count
= 0, dying_sav_count
= 0, dead_sav_count
= 0;
6326 u_int64_t total_sav_count
= 0;
6328 key_timehandler(void)
6332 struct secpolicy
**spbuf
= NULL
, **spptr
= NULL
;
6333 struct secasvar
**savexbuf
= NULL
, **savexptr
= NULL
;
6334 struct secasvar
**savkabuf
= NULL
, **savkaptr
= NULL
;
6335 int spbufcount
= 0, savbufcount
= 0, spcount
= 0, savexcount
= 0, savkacount
= 0, cnt
;
6336 int stop_handler
= 1; /* stop the timehandler */
6340 /* pre-allocate buffers before taking the lock */
6341 /* if allocation failures occur - portions of the processing will be skipped */
6342 if ((spbufcount
= ipsec_policy_count
) != 0) {
6344 KMALLOC_WAIT(spbuf
, struct secpolicy
**, spbufcount
* sizeof(struct secpolicy
*));
6349 if ((savbufcount
= ipsec_sav_count
) != 0) {
6351 KMALLOC_WAIT(savexbuf
, struct secasvar
**, savbufcount
* sizeof(struct secasvar
*));
6353 savexptr
= savexbuf
;
6355 KMALLOC_WAIT(savkabuf
, struct secasvar
**, savbufcount
* sizeof(struct secasvar
*));
6357 savkaptr
= savkabuf
;
6360 lck_mtx_lock(sadb_mutex
);
6363 struct secpolicy
*sp
, *nextsp
;
6365 for (dir
= 0; dir
< IPSEC_DIR_MAX
; dir
++) {
6366 for (sp
= LIST_FIRST(&sptree
[dir
]);
6369 /* don't prevent timehandler from stopping for generate policy */
6370 if (sp
->policy
!= IPSEC_POLICY_GENERATE
) {
6374 nextsp
= LIST_NEXT(sp
, chain
);
6376 if (sp
->state
== IPSEC_SPSTATE_DEAD
) {
6377 key_freesp(sp
, KEY_SADB_LOCKED
);
6381 if (sp
->lifetime
== 0 && sp
->validtime
== 0) {
6384 if (spbuf
&& spcount
< spbufcount
) {
6385 /* the deletion will occur next time */
6387 && tv
.tv_sec
- sp
->created
> sp
->lifetime
)
6389 && tv
.tv_sec
- sp
->lastused
> sp
->validtime
)) {
6390 //key_spdexpire(sp);
6391 sp
->state
= IPSEC_SPSTATE_DEAD
;
6403 struct secashead
*sah
, *nextsah
;
6404 struct secasvar
*sav
, *nextsav
;
6406 for (sah
= LIST_FIRST(&sahtree
);
6410 nextsah
= LIST_NEXT(sah
, chain
);
6412 /* if sah has been dead, then delete it and process next sah. */
6413 if (sah
->state
== SADB_SASTATE_DEAD
) {
6419 if (LIST_FIRST(&sah
->savtree
[SADB_SASTATE_LARVAL
]) == NULL
&&
6420 LIST_FIRST(&sah
->savtree
[SADB_SASTATE_MATURE
]) == NULL
&&
6421 LIST_FIRST(&sah
->savtree
[SADB_SASTATE_DYING
]) == NULL
&&
6422 LIST_FIRST(&sah
->savtree
[SADB_SASTATE_DEAD
]) == NULL
) {
6428 if (savbufcount
== 0) {
6434 /* if LARVAL entry doesn't become MATURE, delete it. */
6435 for (sav
= LIST_FIRST(&sah
->savtree
[SADB_SASTATE_LARVAL
]);
6440 nextsav
= LIST_NEXT(sav
, chain
);
6442 if (sav
->lft_h
!= NULL
) {
6443 /* If a hard lifetime is defined for the LARVAL SA, use it */
6444 if (sav
->lft_h
->sadb_lifetime_addtime
!= 0
6445 && tv
.tv_sec
- sav
->created
> sav
->lft_h
->sadb_lifetime_addtime
) {
6446 if (sav
->always_expire
) {
6447 key_send_delete(sav
);
6450 key_sa_chgstate(sav
, SADB_SASTATE_DEAD
);
6451 key_freesav(sav
, KEY_SADB_LOCKED
);
6456 if (tv
.tv_sec
- sav
->created
> key_larval_lifetime
) {
6457 key_freesav(sav
, KEY_SADB_LOCKED
);
6463 * If this is a NAT traversal SA with no activity,
6464 * we need to send a keep alive.
6466 * Performed outside of the loop before so we will
6467 * only ever send one keepalive. The first SA on
6468 * the list is the one that will be used for sending
6469 * traffic, so this is the one we use for determining
6470 * when to send the keepalive.
6472 if (savkabuf
&& savkacount
< savbufcount
) {
6473 sav
= LIST_FIRST(&sah
->savtree
[SADB_SASTATE_MATURE
]); //%%% should we check dying list if this is empty???
6474 if (sav
&& (natt_keepalive_interval
|| sav
->natt_interval
) &&
6475 (sav
->flags
& (SADB_X_EXT_NATT_KEEPALIVE
| SADB_X_EXT_ESP_KEEPALIVE
)) != 0) {
6483 * check MATURE entry to start to send expire message
6486 for (sav
= LIST_FIRST(&sah
->savtree
[SADB_SASTATE_MATURE
]);
6491 nextsav
= LIST_NEXT(sav
, chain
);
6493 /* we don't need to check. */
6494 if (sav
->lft_s
== NULL
) {
6499 if (sav
->lft_c
== NULL
) {
6500 ipseclog((LOG_DEBUG
, "key_timehandler: "
6501 "There is no CURRENT time, why?\n"));
6505 /* check SOFT lifetime */
6506 if (sav
->lft_s
->sadb_lifetime_addtime
!= 0
6507 && tv
.tv_sec
- sav
->created
> sav
->lft_s
->sadb_lifetime_addtime
) {
6509 * If always_expire is set, expire. Otherwise,
6510 * if the SA has not been used, delete immediately.
6512 if (sav
->lft_c
->sadb_lifetime_usetime
== 0
6513 && sav
->always_expire
== 0) {
6514 key_sa_chgstate(sav
, SADB_SASTATE_DEAD
);
6515 key_freesav(sav
, KEY_SADB_LOCKED
);
6517 } else if (savexbuf
&& savexcount
< savbufcount
) {
6518 key_sa_chgstate(sav
, SADB_SASTATE_DYING
);
6524 /* check SOFT lifetime by bytes */
6526 * XXX I don't know the way to delete this SA
6527 * when new SA is installed. Caution when it's
6528 * installed too big lifetime by time.
6530 else if (savexbuf
&& savexcount
< savbufcount
6531 && sav
->lft_s
->sadb_lifetime_bytes
!= 0
6532 && sav
->lft_s
->sadb_lifetime_bytes
< sav
->lft_c
->sadb_lifetime_bytes
) {
6534 * XXX If we keep to send expire
6535 * message in the status of
6536 * DYING. Do remove below code.
6539 key_sa_chgstate(sav
, SADB_SASTATE_DYING
);
6546 /* check DYING entry to change status to DEAD. */
6547 for (sav
= LIST_FIRST(&sah
->savtree
[SADB_SASTATE_DYING
]);
6552 nextsav
= LIST_NEXT(sav
, chain
);
6554 /* we don't need to check. */
6555 if (sav
->lft_h
== NULL
) {
6560 if (sav
->lft_c
== NULL
) {
6561 ipseclog((LOG_DEBUG
, "key_timehandler: "
6562 "There is no CURRENT time, why?\n"));
6566 if (sav
->lft_h
->sadb_lifetime_addtime
!= 0
6567 && tv
.tv_sec
- sav
->created
> sav
->lft_h
->sadb_lifetime_addtime
) {
6568 if (sav
->always_expire
) {
6569 key_send_delete(sav
);
6572 key_sa_chgstate(sav
, SADB_SASTATE_DEAD
);
6573 key_freesav(sav
, KEY_SADB_LOCKED
);
6577 #if 0 /* XXX Should we keep to send expire message until HARD lifetime ? */
6578 else if (savbuf
&& savexcount
< savbufcount
6579 && sav
->lft_s
!= NULL
6580 && sav
->lft_s
->sadb_lifetime_addtime
!= 0
6581 && tv
.tv_sec
- sav
->created
> sav
->lft_s
->sadb_lifetime_addtime
) {
6583 * XXX: should be checked to be
6584 * installed the valid SA.
6588 * If there is no SA then sending
6597 /* check HARD lifetime by bytes */
6598 else if (sav
->lft_h
->sadb_lifetime_bytes
!= 0
6599 && sav
->lft_h
->sadb_lifetime_bytes
< sav
->lft_c
->sadb_lifetime_bytes
) {
6600 key_sa_chgstate(sav
, SADB_SASTATE_DEAD
);
6601 key_freesav(sav
, KEY_SADB_LOCKED
);
6606 /* delete entry in DEAD */
6607 for (sav
= LIST_FIRST(&sah
->savtree
[SADB_SASTATE_DEAD
]);
6612 nextsav
= LIST_NEXT(sav
, chain
);
6615 if (sav
->state
!= SADB_SASTATE_DEAD
) {
6616 ipseclog((LOG_DEBUG
, "key_timehandler: "
6617 "invalid sav->state "
6618 "(queue: %d SA: %d): "
6620 SADB_SASTATE_DEAD
, sav
->state
));
6624 * do not call key_freesav() here.
6625 * sav should already be freed, and sav->refcnt
6626 * shows other references to sav
6627 * (such as from SPD).
6633 if (++key_timehandler_debug
>= 300) {
6634 if (key_debug_level
) {
6635 printf("%s: total stats for %u calls\n", __FUNCTION__
, key_timehandler_debug
);
6636 printf("%s: walked %u SPDs\n", __FUNCTION__
, spd_count
);
6637 printf("%s: walked %llu SAs: LARVAL SAs %u, MATURE SAs %u, DYING SAs %u, DEAD SAs %u\n", __FUNCTION__
,
6638 total_sav_count
, larval_sav_count
, mature_sav_count
, dying_sav_count
, dead_sav_count
);
6639 printf("%s: walked %u SAHs: DEAD SAHs %u, EMPTY SAHs %u\n", __FUNCTION__
,
6640 sah_count
, dead_sah_count
, empty_sah_count
);
6641 if (sah_search_calls
) {
6642 printf("%s: SAH search cost %d iters per call\n", __FUNCTION__
,
6643 (sah_search_count
/ sah_search_calls
));
6649 empty_sah_count
= 0;
6650 larval_sav_count
= 0;
6651 mature_sav_count
= 0;
6652 dying_sav_count
= 0;
6654 total_sav_count
= 0;
6655 sah_search_count
= 0;
6656 sah_search_calls
= 0;
6657 key_timehandler_debug
= 0;
6659 #ifndef IPSEC_NONBLOCK_ACQUIRE
6662 struct secacq
*acq
, *nextacq
;
6664 for (acq
= LIST_FIRST(&acqtree
);
6668 nextacq
= LIST_NEXT(acq
, chain
);
6670 if (tv
.tv_sec
- acq
->created
> key_blockacq_lifetime
6671 && __LIST_CHAINED(acq
)) {
6672 LIST_REMOVE(acq
, chain
);
6681 struct secspacq
*acq
, *nextacq
;
6683 for (acq
= LIST_FIRST(&spacqtree
);
6687 nextacq
= LIST_NEXT(acq
, chain
);
6689 if (tv
.tv_sec
- acq
->created
> key_blockacq_lifetime
6690 && __LIST_CHAINED(acq
)) {
6691 LIST_REMOVE(acq
, chain
);
6697 /* initialize random seed */
6698 if (key_tick_init_random
++ > key_int_random
) {
6699 key_tick_init_random
= 0;
6703 uint64_t acc_sleep_time
= 0;
6704 absolutetime_to_nanoseconds(mach_absolutetime_asleep
, &acc_sleep_time
);
6705 natt_now
= ++up_time
+ (acc_sleep_time
/ NSEC_PER_SEC
);
6707 lck_mtx_unlock(sadb_mutex
);
6709 /* send messages outside of sadb_mutex */
6710 if (spbuf
&& spcount
> 0) {
6713 key_spdexpire(*(--spptr
));
6716 if (savkabuf
&& savkacount
> 0) {
6717 struct secasvar
**savkaptr_sav
= savkaptr
;
6718 int cnt_send
= savkacount
;
6720 while (cnt_send
--) {
6721 if (ipsec_send_natt_keepalive(*(--savkaptr
))) {
6722 // <rdar://6768487> iterate (all over again) and update timestamps
6723 struct secasvar
**savkaptr_update
= savkaptr_sav
;
6724 int cnt_update
= savkacount
;
6725 while (cnt_update
--) {
6726 key_update_natt_keepalive_timestamp(*savkaptr
,
6727 *(--savkaptr_update
));
6732 if (savexbuf
&& savexcount
> 0) {
6735 key_expire(*(--savexptr
));
6739 /* decrement ref counts and free buffers */
6740 lck_mtx_lock(sadb_mutex
);
6743 key_freesp(*spptr
++, KEY_SADB_LOCKED
);
6748 while (savkacount
--) {
6749 key_freesav(*savkaptr
++, KEY_SADB_LOCKED
);
6754 while (savexcount
--) {
6755 key_freesav(*savexptr
++, KEY_SADB_LOCKED
);
6761 key_timehandler_running
= 0;
6762 /* Turn on the ipsec bypass */
6765 /* do exchange to tick time !! */
6766 (void)timeout((void *)key_timehandler
, (void *)0, hz
);
6769 lck_mtx_unlock(sadb_mutex
);
6774 * to initialize a seed for random()
6780 /* Our PRNG is based on Yarrow and doesn't need to be seeded */
6787 srandom(tv
.tv_usec
);
6798 key_randomfill(&value
, sizeof(value
));
6808 cc_rand_generate(p
, l
);
6812 static int warn
= 1;
6815 n
= (size_t)read_random(p
, (u_int
)l
);
6819 bcopy(&v
, (u_int8_t
*)p
+ n
,
6820 l
- n
< sizeof(v
) ? l
- n
: sizeof(v
));
6824 printf("WARNING: pseudo-random number generator "
6825 "used for IPsec processing\n");
6833 * map SADB_SATYPE_* to IPPROTO_*.
6834 * if satype == SADB_SATYPE then satype is mapped to ~0.
6836 * 0: invalid satype.
6843 case SADB_SATYPE_UNSPEC
:
6844 return IPSEC_PROTO_ANY
;
6845 case SADB_SATYPE_AH
:
6847 case SADB_SATYPE_ESP
:
6856 * map IPPROTO_* to SADB_SATYPE_*
6858 * 0: invalid protocol type.
6866 return SADB_SATYPE_AH
;
6868 return SADB_SATYPE_ESP
;
6876 key_get_ipsec_if_from_message(const struct sadb_msghdr
*mhp
, int message_type
)
6878 struct sadb_x_ipsecif
*ipsecifopts
= NULL
;
6879 ifnet_t ipsec_if
= NULL
;
6881 ipsecifopts
= (struct sadb_x_ipsecif
*)(void *)mhp
->ext
[message_type
];
6882 if (ipsecifopts
!= NULL
) {
6883 if (ipsecifopts
->sadb_x_ipsecif_ipsec_if
[0]) {
6884 ifnet_find_by_name(ipsecifopts
->sadb_x_ipsecif_ipsec_if
, &ipsec_if
);
6892 key_get_outgoing_ifindex_from_message(const struct sadb_msghdr
*mhp
, int message_type
)
6894 struct sadb_x_ipsecif
*ipsecifopts
= NULL
;
6895 ifnet_t outgoing_if
= NULL
;
6897 ipsecifopts
= (struct sadb_x_ipsecif
*)(void *)mhp
->ext
[message_type
];
6898 if (ipsecifopts
!= NULL
) {
6899 if (ipsecifopts
->sadb_x_ipsecif_outgoing_if
[0]) {
6900 ifnet_find_by_name(ipsecifopts
->sadb_x_ipsecif_outgoing_if
, &outgoing_if
);
6904 return outgoing_if
? outgoing_if
->if_index
: 0;
6909 * SADB_GETSPI processing is to receive
6910 * <base, (SA2), src address, dst address, (SPI range)>
6911 * from the IKMPd, to assign a unique spi value, to hang on the INBOUND
6912 * tree with the status of LARVAL, and send
6913 * <base, SA(*), address(SD)>
6916 * IN: mhp: pointer to the pointer to each header.
6917 * OUT: NULL if fail.
6918 * other if success, return pointer to the message to send.
6924 const struct sadb_msghdr
*mhp
)
6926 struct sadb_address
*src0
, *dst0
;
6927 struct secasindex saidx
;
6928 struct secashead
*newsah
;
6929 struct secasvar
*newsav
;
6930 ifnet_t ipsec_if
= NULL
;
6937 LCK_MTX_ASSERT(sadb_mutex
, LCK_MTX_ASSERT_NOTOWNED
);
6940 if (so
== NULL
|| m
== NULL
|| mhp
== NULL
|| mhp
->msg
== NULL
) {
6941 panic("key_getspi: NULL pointer is passed.\n");
6944 if (mhp
->ext
[SADB_EXT_ADDRESS_SRC
] == NULL
||
6945 mhp
->ext
[SADB_EXT_ADDRESS_DST
] == NULL
) {
6946 ipseclog((LOG_DEBUG
, "key_getspi: invalid message is passed.\n"));
6947 return key_senderror(so
, m
, EINVAL
);
6949 if (mhp
->extlen
[SADB_EXT_ADDRESS_SRC
] < sizeof(struct sadb_address
) ||
6950 mhp
->extlen
[SADB_EXT_ADDRESS_DST
] < sizeof(struct sadb_address
)) {
6951 ipseclog((LOG_DEBUG
, "key_getspi: invalid message is passed.\n"));
6952 return key_senderror(so
, m
, EINVAL
);
6954 if (mhp
->ext
[SADB_X_EXT_SA2
] != NULL
) {
6955 mode
= ((struct sadb_x_sa2
*)
6956 (void *)mhp
->ext
[SADB_X_EXT_SA2
])->sadb_x_sa2_mode
;
6957 reqid
= ((struct sadb_x_sa2
*)
6958 (void *)mhp
->ext
[SADB_X_EXT_SA2
])->sadb_x_sa2_reqid
;
6960 mode
= IPSEC_MODE_ANY
;
6964 src0
= (struct sadb_address
*)(mhp
->ext
[SADB_EXT_ADDRESS_SRC
]);
6965 dst0
= (struct sadb_address
*)(mhp
->ext
[SADB_EXT_ADDRESS_DST
]);
6967 ipsec_if
= key_get_ipsec_if_from_message(mhp
, SADB_X_EXT_IPSECIF
);
6969 /* map satype to proto */
6970 if ((proto
= key_satype2proto(mhp
->msg
->sadb_msg_satype
)) == 0) {
6971 ipseclog((LOG_DEBUG
, "key_getspi: invalid satype is passed.\n"));
6972 return key_senderror(so
, m
, EINVAL
);
6975 /* make sure if port number is zero. */
6976 switch (((struct sockaddr
*)(src0
+ 1))->sa_family
) {
6978 if (((struct sockaddr
*)(src0
+ 1))->sa_len
!=
6979 sizeof(struct sockaddr_in
)) {
6980 return key_senderror(so
, m
, EINVAL
);
6982 ((struct sockaddr_in
*)(void *)(src0
+ 1))->sin_port
= 0;
6985 if (((struct sockaddr
*)(src0
+ 1))->sa_len
!=
6986 sizeof(struct sockaddr_in6
)) {
6987 return key_senderror(so
, m
, EINVAL
);
6989 ((struct sockaddr_in6
*)(void *)(src0
+ 1))->sin6_port
= 0;
6994 switch (((struct sockaddr
*)(dst0
+ 1))->sa_family
) {
6996 if (((struct sockaddr
*)(dst0
+ 1))->sa_len
!=
6997 sizeof(struct sockaddr_in
)) {
6998 return key_senderror(so
, m
, EINVAL
);
7000 ((struct sockaddr_in
*)(void *)(dst0
+ 1))->sin_port
= 0;
7003 if (((struct sockaddr
*)(dst0
+ 1))->sa_len
!=
7004 sizeof(struct sockaddr_in6
)) {
7005 return key_senderror(so
, m
, EINVAL
);
7007 ((struct sockaddr_in6
*)(void *)(dst0
+ 1))->sin6_port
= 0;
7013 /* XXX boundary check against sa_len */
7014 KEY_SETSECASIDX(proto
, mode
, reqid
, src0
+ 1, dst0
+ 1, ipsec_if
? ipsec_if
->if_index
: 0, &saidx
);
7016 lck_mtx_lock(sadb_mutex
);
7018 /* SPI allocation */
7019 spi
= key_do_getnewspi((struct sadb_spirange
*)
7020 (void *)mhp
->ext
[SADB_EXT_SPIRANGE
], &saidx
);
7022 lck_mtx_unlock(sadb_mutex
);
7023 return key_senderror(so
, m
, EINVAL
);
7026 /* get a SA index */
7027 if ((newsah
= key_getsah(&saidx
)) == NULL
) {
7028 /* create a new SA index: key_addspi is always used for inbound spi */
7029 if ((newsah
= key_newsah(&saidx
, ipsec_if
, key_get_outgoing_ifindex_from_message(mhp
, SADB_X_EXT_IPSECIF
), IPSEC_DIR_INBOUND
)) == NULL
) {
7030 lck_mtx_unlock(sadb_mutex
);
7031 ipseclog((LOG_DEBUG
, "key_getspi: No more memory.\n"));
7032 return key_senderror(so
, m
, ENOBUFS
);
7038 newsav
= key_newsav(m
, mhp
, newsah
, &error
, so
);
7039 if (newsav
== NULL
) {
7040 /* XXX don't free new SA index allocated in above. */
7041 lck_mtx_unlock(sadb_mutex
);
7042 return key_senderror(so
, m
, error
);
7046 key_setspi(newsav
, htonl(spi
));
7048 #ifndef IPSEC_NONBLOCK_ACQUIRE
7049 /* delete the entry in acqtree */
7050 if (mhp
->msg
->sadb_msg_seq
!= 0) {
7052 if ((acq
= key_getacqbyseq(mhp
->msg
->sadb_msg_seq
)) != NULL
) {
7053 /* reset counter in order to deletion by timehandler. */
7056 acq
->created
= tv
.tv_sec
;
7062 lck_mtx_unlock(sadb_mutex
);
7065 struct mbuf
*n
, *nn
;
7066 struct sadb_sa
*m_sa
;
7067 struct sadb_msg
*newmsg
;
7070 /* create new sadb_msg to reply. */
7071 len
= PFKEY_ALIGN8(sizeof(struct sadb_msg
)) +
7072 PFKEY_ALIGN8(sizeof(struct sadb_sa
));
7073 if (len
> MCLBYTES
) {
7074 return key_senderror(so
, m
, ENOBUFS
);
7077 MGETHDR(n
, M_WAITOK
, MT_DATA
);
7078 if (n
&& len
> MHLEN
) {
7079 MCLGET(n
, M_WAITOK
);
7080 if ((n
->m_flags
& M_EXT
) == 0) {
7086 return key_senderror(so
, m
, ENOBUFS
);
7093 m_copydata(m
, 0, sizeof(struct sadb_msg
), mtod(n
, caddr_t
) + off
);
7094 off
+= PFKEY_ALIGN8(sizeof(struct sadb_msg
));
7096 m_sa
= (struct sadb_sa
*)(void *)(mtod(n
, caddr_t
) + off
);
7097 m_sa
->sadb_sa_len
= PFKEY_UNIT64(sizeof(struct sadb_sa
));
7098 m_sa
->sadb_sa_exttype
= SADB_EXT_SA
;
7099 m_sa
->sadb_sa_spi
= htonl(spi
);
7100 off
+= PFKEY_ALIGN8(sizeof(struct sadb_sa
));
7104 panic("length inconsistency in key_getspi");
7108 int mbufItems
[] = {SADB_EXT_ADDRESS_SRC
, SADB_EXT_ADDRESS_DST
};
7109 n
->m_next
= key_gather_mbuf(m
, mhp
, 0, sizeof(mbufItems
) / sizeof(int), mbufItems
);
7112 return key_senderror(so
, m
, ENOBUFS
);
7116 if (n
->m_len
< sizeof(struct sadb_msg
)) {
7117 n
= m_pullup(n
, sizeof(struct sadb_msg
));
7119 return key_sendup_mbuf(so
, m
, KEY_SENDUP_ONE
);
7123 n
->m_pkthdr
.len
= 0;
7124 for (nn
= n
; nn
; nn
= nn
->m_next
) {
7125 n
->m_pkthdr
.len
+= nn
->m_len
;
7128 newmsg
= mtod(n
, struct sadb_msg
*);
7129 newmsg
->sadb_msg_seq
= newsav
->seq
;
7130 newmsg
->sadb_msg_errno
= 0;
7131 newmsg
->sadb_msg_len
= PFKEY_UNIT64(n
->m_pkthdr
.len
);
7134 return key_sendup_mbuf(so
, n
, KEY_SENDUP_ONE
);
7139 key_getspi2(struct sockaddr
*src
,
7140 struct sockaddr
*dst
,
7144 struct sadb_spirange
*spirange
)
7147 struct secasindex saidx
;
7149 LCK_MTX_ASSERT(sadb_mutex
, LCK_MTX_ASSERT_NOTOWNED
);
7151 /* XXX boundary check against sa_len */
7152 KEY_SETSECASIDX(proto
, mode
, reqid
, src
, dst
, 0, &saidx
);
7154 /* make sure if port number is zero. */
7155 switch (((struct sockaddr
*)&saidx
.src
)->sa_family
) {
7157 if (((struct sockaddr
*)&saidx
.src
)->sa_len
!= sizeof(struct sockaddr_in
)) {
7160 ((struct sockaddr_in
*)&saidx
.src
)->sin_port
= 0;
7163 if (((struct sockaddr
*)&saidx
.src
)->sa_len
!= sizeof(struct sockaddr_in6
)) {
7166 ((struct sockaddr_in6
*)&saidx
.src
)->sin6_port
= 0;
7171 switch (((struct sockaddr
*)&saidx
.dst
)->sa_family
) {
7173 if (((struct sockaddr
*)&saidx
.dst
)->sa_len
!= sizeof(struct sockaddr_in
)) {
7176 ((struct sockaddr_in
*)&saidx
.dst
)->sin_port
= 0;
7179 if (((struct sockaddr
*)&saidx
.dst
)->sa_len
!= sizeof(struct sockaddr_in6
)) {
7182 ((struct sockaddr_in6
*)&saidx
.dst
)->sin6_port
= 0;
7188 lck_mtx_lock(sadb_mutex
);
7190 /* SPI allocation */
7191 spi
= key_do_getnewspi(spirange
, &saidx
);
7193 lck_mtx_unlock(sadb_mutex
);
7199 * allocating new SPI
7200 * called by key_getspi() and key_getspi2().
7207 struct sadb_spirange
*spirange
,
7208 struct secasindex
*saidx
)
7211 u_int32_t keymin
, keymax
;
7212 int count
= key_spi_trycnt
;
7214 LCK_MTX_ASSERT(sadb_mutex
, LCK_MTX_ASSERT_OWNED
);
7216 /* set spi range to allocate */
7217 if (spirange
!= NULL
) {
7218 keymin
= spirange
->sadb_spirange_min
;
7219 keymax
= spirange
->sadb_spirange_max
;
7221 keymin
= key_spi_minval
;
7222 keymax
= key_spi_maxval
;
7224 if (keymin
== keymax
) {
7225 if (key_checkspidup(saidx
, keymin
) != NULL
) {
7226 ipseclog((LOG_DEBUG
, "key_do_getnewspi: SPI %u exists already.\n", keymin
));
7230 count
--; /* taking one cost. */
7233 u_int32_t range
= keymax
- keymin
+ 1; /* overflow value of zero means full range */
7238 /* when requesting to allocate spi ranged */
7240 u_int32_t rand_val
= key_random();
7242 /* generate pseudo-random SPI value ranged. */
7243 newspi
= (range
== 0 ? rand_val
: keymin
+ (rand_val
% range
));
7245 if (key_checkspidup(saidx
, newspi
) == NULL
) {
7250 if (count
== 0 || newspi
== 0) {
7251 ipseclog((LOG_DEBUG
, "key_do_getnewspi: to allocate spi is failed.\n"));
7257 keystat
.getspi_count
=
7258 (keystat
.getspi_count
+ key_spi_trycnt
- count
) / 2;
7264 * SADB_UPDATE processing
7266 * <base, SA, (SA2), (lifetime(HSC),) address(SD), (address(P),)
7267 * key(AE), (identity(SD),) (sensitivity)>
7268 * from the ikmpd, and update a secasvar entry whose status is SADB_SASTATE_LARVAL.
7270 * <base, SA, (SA2), (lifetime(HSC),) address(SD), (address(P),)
7271 * (identity(SD),) (sensitivity)>
7274 * m will always be freed.
7280 const struct sadb_msghdr
*mhp
)
7282 struct sadb_sa
*sa0
;
7283 struct sadb_address
*src0
, *dst0
;
7284 ifnet_t ipsec_if
= NULL
;
7285 struct secasindex saidx
;
7286 struct secashead
*sah
;
7287 struct secasvar
*sav
;
7294 LCK_MTX_ASSERT(sadb_mutex
, LCK_MTX_ASSERT_NOTOWNED
);
7297 if (so
== NULL
|| m
== NULL
|| mhp
== NULL
|| mhp
->msg
== NULL
) {
7298 panic("key_update: NULL pointer is passed.\n");
7301 /* map satype to proto */
7302 if ((proto
= key_satype2proto(mhp
->msg
->sadb_msg_satype
)) == 0) {
7303 ipseclog((LOG_DEBUG
, "key_update: invalid satype is passed.\n"));
7304 return key_senderror(so
, m
, EINVAL
);
7307 if (mhp
->ext
[SADB_EXT_SA
] == NULL
||
7308 mhp
->ext
[SADB_EXT_ADDRESS_SRC
] == NULL
||
7309 mhp
->ext
[SADB_EXT_ADDRESS_DST
] == NULL
||
7310 (mhp
->msg
->sadb_msg_satype
== SADB_SATYPE_ESP
&&
7311 mhp
->ext
[SADB_EXT_KEY_ENCRYPT
] == NULL
) ||
7312 (mhp
->msg
->sadb_msg_satype
== SADB_SATYPE_AH
&&
7313 mhp
->ext
[SADB_EXT_KEY_AUTH
] == NULL
) ||
7314 (mhp
->ext
[SADB_EXT_LIFETIME_HARD
] != NULL
&&
7315 mhp
->ext
[SADB_EXT_LIFETIME_SOFT
] == NULL
) ||
7316 (mhp
->ext
[SADB_EXT_LIFETIME_HARD
] == NULL
&&
7317 mhp
->ext
[SADB_EXT_LIFETIME_SOFT
] != NULL
)) {
7318 ipseclog((LOG_DEBUG
, "key_update: invalid message is passed.\n"));
7319 return key_senderror(so
, m
, EINVAL
);
7321 if (mhp
->extlen
[SADB_EXT_SA
] < sizeof(struct sadb_sa
) ||
7322 mhp
->extlen
[SADB_EXT_ADDRESS_SRC
] < sizeof(struct sadb_address
) ||
7323 mhp
->extlen
[SADB_EXT_ADDRESS_DST
] < sizeof(struct sadb_address
)) {
7324 ipseclog((LOG_DEBUG
, "key_update: invalid message is passed.\n"));
7325 return key_senderror(so
, m
, EINVAL
);
7327 if (mhp
->ext
[SADB_X_EXT_SA2
] != NULL
) {
7328 mode
= ((struct sadb_x_sa2
*)
7329 (void *)mhp
->ext
[SADB_X_EXT_SA2
])->sadb_x_sa2_mode
;
7330 reqid
= ((struct sadb_x_sa2
*)
7331 (void *)mhp
->ext
[SADB_X_EXT_SA2
])->sadb_x_sa2_reqid
;
7332 flags2
= ((struct sadb_x_sa2
*)(void *)mhp
->ext
[SADB_X_EXT_SA2
])->sadb_x_sa2_flags
;
7334 mode
= IPSEC_MODE_ANY
;
7338 /* XXX boundary checking for other extensions */
7340 sa0
= (struct sadb_sa
*)(void *)mhp
->ext
[SADB_EXT_SA
];
7341 src0
= (struct sadb_address
*)(mhp
->ext
[SADB_EXT_ADDRESS_SRC
]);
7342 dst0
= (struct sadb_address
*)(mhp
->ext
[SADB_EXT_ADDRESS_DST
]);
7343 ipsec_if
= key_get_ipsec_if_from_message(mhp
, SADB_X_EXT_IPSECIF
);
7345 /* XXX boundary check against sa_len */
7346 KEY_SETSECASIDX(proto
, mode
, reqid
, src0
+ 1, dst0
+ 1, ipsec_if
? ipsec_if
->if_index
: 0, &saidx
);
7348 lck_mtx_lock(sadb_mutex
);
7350 /* get a SA header */
7351 if ((sah
= key_getsah(&saidx
)) == NULL
) {
7352 lck_mtx_unlock(sadb_mutex
);
7353 ipseclog((LOG_DEBUG
, "key_update: no SA index found.\n"));
7354 return key_senderror(so
, m
, ENOENT
);
7357 /* set spidx if there */
7359 error
= key_setident(sah
, m
, mhp
);
7361 lck_mtx_unlock(sadb_mutex
);
7362 return key_senderror(so
, m
, error
);
7365 /* find a SA with sequence number. */
7366 #if IPSEC_DOSEQCHECK
7367 if (mhp
->msg
->sadb_msg_seq
!= 0
7368 && (sav
= key_getsavbyseq(sah
, mhp
->msg
->sadb_msg_seq
)) == NULL
) {
7369 lck_mtx_unlock(sadb_mutex
);
7370 ipseclog((LOG_DEBUG
,
7371 "key_update: no larval SA with sequence %u exists.\n",
7372 mhp
->msg
->sadb_msg_seq
));
7373 return key_senderror(so
, m
, ENOENT
);
7376 if ((sav
= key_getsavbyspi(sah
, sa0
->sadb_sa_spi
)) == NULL
) {
7377 lck_mtx_unlock(sadb_mutex
);
7378 ipseclog((LOG_DEBUG
,
7379 "key_update: no such a SA found (spi:%u)\n",
7380 (u_int32_t
)ntohl(sa0
->sadb_sa_spi
)));
7381 return key_senderror(so
, m
, EINVAL
);
7385 /* validity check */
7386 if (sav
->sah
->saidx
.proto
!= proto
) {
7387 lck_mtx_unlock(sadb_mutex
);
7388 ipseclog((LOG_DEBUG
,
7389 "key_update: protocol mismatched (DB=%u param=%u)\n",
7390 sav
->sah
->saidx
.proto
, proto
));
7391 return key_senderror(so
, m
, EINVAL
);
7393 #if IPSEC_DOSEQCHECK
7394 if (sav
->spi
!= sa0
->sadb_sa_spi
) {
7395 lck_mtx_unlock(sadb_mutex
);
7396 ipseclog((LOG_DEBUG
,
7397 "key_update: SPI mismatched (DB:%u param:%u)\n",
7398 (u_int32_t
)ntohl(sav
->spi
),
7399 (u_int32_t
)ntohl(sa0
->sadb_sa_spi
)));
7400 return key_senderror(so
, m
, EINVAL
);
7403 if (sav
->pid
!= mhp
->msg
->sadb_msg_pid
) {
7404 lck_mtx_unlock(sadb_mutex
);
7405 ipseclog((LOG_DEBUG
,
7406 "key_update: pid mismatched (DB:%u param:%u)\n",
7407 sav
->pid
, mhp
->msg
->sadb_msg_pid
));
7408 return key_senderror(so
, m
, EINVAL
);
7411 /* copy sav values */
7412 error
= key_setsaval(sav
, m
, mhp
);
7414 key_freesav(sav
, KEY_SADB_LOCKED
);
7415 lck_mtx_unlock(sadb_mutex
);
7416 return key_senderror(so
, m
, error
);
7419 sav
->flags2
= flags2
;
7420 if (flags2
& SADB_X_EXT_SA2_DELETE_ON_DETACH
) {
7425 * Verify if SADB_X_EXT_NATT_MULTIPLEUSERS flag is set that
7426 * this SA is for transport mode - otherwise clear it.
7428 if ((sav
->flags
& SADB_X_EXT_NATT_MULTIPLEUSERS
) != 0 &&
7429 (sav
->sah
->saidx
.mode
!= IPSEC_MODE_TRANSPORT
||
7430 sav
->sah
->saidx
.src
.ss_family
!= AF_INET
)) {
7431 sav
->flags
&= ~SADB_X_EXT_NATT_MULTIPLEUSERS
;
7434 /* check SA values to be mature. */
7435 if ((error
= key_mature(sav
)) != 0) {
7436 key_freesav(sav
, KEY_SADB_LOCKED
);
7437 lck_mtx_unlock(sadb_mutex
);
7438 return key_senderror(so
, m
, error
);
7441 lck_mtx_unlock(sadb_mutex
);
7446 /* set msg buf from mhp */
7447 n
= key_getmsgbuf_x1(m
, mhp
);
7449 ipseclog((LOG_DEBUG
, "key_update: No more memory.\n"));
7450 return key_senderror(so
, m
, ENOBUFS
);
7454 return key_sendup_mbuf(so
, n
, KEY_SENDUP_ALL
);
7459 key_migrate(struct socket
*so
,
7461 const struct sadb_msghdr
*mhp
)
7463 struct sadb_sa
*sa0
= NULL
;
7464 struct sadb_address
*src0
= NULL
;
7465 struct sadb_address
*dst0
= NULL
;
7466 struct sadb_address
*src1
= NULL
;
7467 struct sadb_address
*dst1
= NULL
;
7468 ifnet_t ipsec_if0
= NULL
;
7469 ifnet_t ipsec_if1
= NULL
;
7470 struct secasindex saidx0
;
7471 struct secasindex saidx1
;
7472 struct secashead
*sah
= NULL
;
7473 struct secashead
*newsah
= NULL
;
7474 struct secasvar
*sav
= NULL
;
7477 LCK_MTX_ASSERT(sadb_mutex
, LCK_MTX_ASSERT_NOTOWNED
);
7480 if (so
== NULL
|| m
== NULL
|| mhp
== NULL
|| mhp
->msg
== NULL
) {
7481 panic("key_migrate: NULL pointer is passed.\n");
7484 /* map satype to proto */
7485 if ((proto
= key_satype2proto(mhp
->msg
->sadb_msg_satype
)) == 0) {
7486 ipseclog((LOG_DEBUG
, "key_migrate: invalid satype is passed.\n"));
7487 return key_senderror(so
, m
, EINVAL
);
7490 if (mhp
->ext
[SADB_EXT_SA
] == NULL
||
7491 mhp
->ext
[SADB_EXT_ADDRESS_SRC
] == NULL
||
7492 mhp
->ext
[SADB_EXT_ADDRESS_DST
] == NULL
||
7493 mhp
->ext
[SADB_EXT_MIGRATE_ADDRESS_SRC
] == NULL
||
7494 mhp
->ext
[SADB_EXT_MIGRATE_ADDRESS_DST
] == NULL
) {
7495 ipseclog((LOG_DEBUG
, "key_migrate: invalid message is passed.\n"));
7496 return key_senderror(so
, m
, EINVAL
);
7499 if (mhp
->extlen
[SADB_EXT_SA
] < sizeof(struct sadb_sa
) ||
7500 mhp
->extlen
[SADB_EXT_ADDRESS_SRC
] < sizeof(struct sadb_address
) ||
7501 mhp
->extlen
[SADB_EXT_ADDRESS_DST
] < sizeof(struct sadb_address
) ||
7502 mhp
->extlen
[SADB_EXT_MIGRATE_ADDRESS_SRC
] < sizeof(struct sadb_address
) ||
7503 mhp
->extlen
[SADB_EXT_MIGRATE_ADDRESS_DST
] < sizeof(struct sadb_address
)) {
7504 ipseclog((LOG_DEBUG
, "key_migrate: invalid message is passed.\n"));
7505 return key_senderror(so
, m
, EINVAL
);
7508 lck_mtx_lock(sadb_mutex
);
7510 sa0
= (struct sadb_sa
*)(void *)mhp
->ext
[SADB_EXT_SA
];
7511 src0
= (struct sadb_address
*)(mhp
->ext
[SADB_EXT_ADDRESS_SRC
]);
7512 dst0
= (struct sadb_address
*)(mhp
->ext
[SADB_EXT_ADDRESS_DST
]);
7513 src1
= (struct sadb_address
*)(mhp
->ext
[SADB_EXT_MIGRATE_ADDRESS_SRC
]);
7514 dst1
= (struct sadb_address
*)(mhp
->ext
[SADB_EXT_MIGRATE_ADDRESS_DST
]);
7515 ipsec_if0
= key_get_ipsec_if_from_message(mhp
, SADB_X_EXT_IPSECIF
);
7516 ipsec_if1
= key_get_ipsec_if_from_message(mhp
, SADB_X_EXT_MIGRATE_IPSECIF
);
7518 /* Find existing SAH and SAV */
7519 KEY_SETSECASIDX(proto
, IPSEC_MODE_ANY
, 0, src0
+ 1, dst0
+ 1, ipsec_if0
? ipsec_if0
->if_index
: 0, &saidx0
);
7521 LIST_FOREACH(sah
, &sahtree
, chain
) {
7522 if (sah
->state
!= SADB_SASTATE_MATURE
) {
7525 if (key_cmpsaidx(&sah
->saidx
, &saidx0
, CMP_HEAD
) == 0) {
7529 sav
= key_getsavbyspi(sah
, sa0
->sadb_sa_spi
);
7530 if (sav
&& sav
->state
== SADB_SASTATE_MATURE
) {
7535 lck_mtx_unlock(sadb_mutex
);
7536 ipseclog((LOG_DEBUG
, "key_migrate: no mature SAH found.\n"));
7537 return key_senderror(so
, m
, ENOENT
);
7541 lck_mtx_unlock(sadb_mutex
);
7542 ipseclog((LOG_DEBUG
, "key_migrate: no SA found.\n"));
7543 return key_senderror(so
, m
, ENOENT
);
7546 /* Find or create new SAH */
7547 KEY_SETSECASIDX(proto
, sah
->saidx
.mode
, sah
->saidx
.reqid
, src1
+ 1, dst1
+ 1, ipsec_if1
? ipsec_if1
->if_index
: 0, &saidx1
);
7549 if ((newsah
= key_getsah(&saidx1
)) == NULL
) {
7550 if ((newsah
= key_newsah(&saidx1
, ipsec_if1
, key_get_outgoing_ifindex_from_message(mhp
, SADB_X_EXT_MIGRATE_IPSECIF
), sah
->dir
)) == NULL
) {
7551 lck_mtx_unlock(sadb_mutex
);
7552 ipseclog((LOG_DEBUG
, "key_migrate: No more memory.\n"));
7553 return key_senderror(so
, m
, ENOBUFS
);
7557 /* Migrate SAV in to new SAH */
7558 if (key_migratesav(sav
, newsah
) != 0) {
7559 lck_mtx_unlock(sadb_mutex
);
7560 ipseclog((LOG_DEBUG
, "key_migrate: Failed to migrate SA to new SAH.\n"));
7561 return key_senderror(so
, m
, EINVAL
);
7564 /* Reset NAT values */
7565 sav
->flags
= sa0
->sadb_sa_flags
;
7566 sav
->natt_encapsulated_src_port
= ((const struct sadb_sa_2
*)(sa0
))->sadb_sa_natt_src_port
;
7567 sav
->remote_ike_port
= ((const struct sadb_sa_2
*)(sa0
))->sadb_sa_natt_port
;
7568 sav
->natt_interval
= ((const struct sadb_sa_2
*)(sa0
))->sadb_sa_natt_interval
;
7569 sav
->natt_offload_interval
= ((const struct sadb_sa_2
*)(sa0
))->sadb_sa_natt_offload_interval
;
7570 sav
->natt_last_activity
= natt_now
;
7573 * Verify if SADB_X_EXT_NATT_MULTIPLEUSERS flag is set that
7574 * SADB_X_EXT_NATT is set and SADB_X_EXT_NATT_KEEPALIVE is not
7575 * set (we're not behind nat) - otherwise clear it.
7577 if ((sav
->flags
& SADB_X_EXT_NATT_MULTIPLEUSERS
) != 0) {
7578 if ((sav
->flags
& SADB_X_EXT_NATT
) == 0 ||
7579 (sav
->flags
& SADB_X_EXT_NATT_KEEPALIVE
) != 0) {
7580 sav
->flags
&= ~SADB_X_EXT_NATT_MULTIPLEUSERS
;
7584 lck_mtx_unlock(sadb_mutex
);
7587 struct sadb_msg
*newmsg
;
7588 int mbufItems
[] = {SADB_EXT_RESERVED
, SADB_EXT_SA
,
7589 SADB_EXT_ADDRESS_SRC
, SADB_EXT_ADDRESS_DST
, SADB_X_EXT_IPSECIF
,
7590 SADB_EXT_MIGRATE_ADDRESS_SRC
, SADB_EXT_MIGRATE_ADDRESS_DST
, SADB_X_EXT_MIGRATE_IPSECIF
};
7592 /* create new sadb_msg to reply. */
7593 n
= key_gather_mbuf(m
, mhp
, 1, sizeof(mbufItems
) / sizeof(int), mbufItems
);
7595 return key_senderror(so
, m
, ENOBUFS
);
7598 if (n
->m_len
< sizeof(struct sadb_msg
)) {
7599 n
= m_pullup(n
, sizeof(struct sadb_msg
));
7601 return key_senderror(so
, m
, ENOBUFS
);
7604 newmsg
= mtod(n
, struct sadb_msg
*);
7605 newmsg
->sadb_msg_errno
= 0;
7606 newmsg
->sadb_msg_len
= PFKEY_UNIT64(n
->m_pkthdr
.len
);
7609 return key_sendup_mbuf(so
, n
, KEY_SENDUP_ALL
);
7614 * search SAD with sequence for a SA which state is SADB_SASTATE_LARVAL.
7615 * only called by key_update().
7618 * others : found, pointer to a SA.
7620 #if IPSEC_DOSEQCHECK
7621 static struct secasvar
*
7623 struct secashead
*sah
,
7626 struct secasvar
*sav
;
7629 LCK_MTX_ASSERT(sadb_mutex
, LCK_MTX_ASSERT_OWNED
);
7631 state
= SADB_SASTATE_LARVAL
;
7633 /* search SAD with sequence number ? */
7634 LIST_FOREACH(sav
, &sah
->savtree
[state
], chain
) {
7635 KEY_CHKSASTATE(state
, sav
->state
, "key_getsabyseq");
7637 if (sav
->seq
== seq
) {
7639 KEYDEBUG(KEYDEBUG_IPSEC_STAMP
,
7640 printf("DP key_getsavbyseq cause "
7641 "refcnt++:%d SA:0x%llx\n", sav
->refcnt
,
7642 (uint64_t)VM_KERNEL_ADDRPERM(sav
)));
7652 * SADB_ADD processing
7653 * add a entry to SA database, when received
7654 * <base, SA, (SA2), (lifetime(HSC),) address(SD), (address(P),)
7655 * key(AE), (identity(SD),) (sensitivity)>
7658 * <base, SA, (SA2), (lifetime(HSC),) address(SD), (address(P),)
7659 * (identity(SD),) (sensitivity)>
7662 * IGNORE identity and sensitivity messages.
7664 * m will always be freed.
7670 const struct sadb_msghdr
*mhp
)
7672 struct sadb_sa
*sa0
;
7673 struct sadb_address
*src0
, *dst0
;
7674 ifnet_t ipsec_if
= NULL
;
7675 struct secasindex saidx
;
7676 struct secashead
*newsah
;
7677 struct secasvar
*newsav
;
7683 LCK_MTX_ASSERT(sadb_mutex
, LCK_MTX_ASSERT_NOTOWNED
);
7686 if (so
== NULL
|| m
== NULL
|| mhp
== NULL
|| mhp
->msg
== NULL
) {
7687 panic("key_add: NULL pointer is passed.\n");
7690 /* map satype to proto */
7691 if ((proto
= key_satype2proto(mhp
->msg
->sadb_msg_satype
)) == 0) {
7692 ipseclog((LOG_DEBUG
, "key_add: invalid satype is passed.\n"));
7694 return key_senderror(so
, m
, EINVAL
);
7697 if (mhp
->ext
[SADB_EXT_SA
] == NULL
||
7698 mhp
->ext
[SADB_EXT_ADDRESS_SRC
] == NULL
||
7699 mhp
->ext
[SADB_EXT_ADDRESS_DST
] == NULL
||
7700 (mhp
->msg
->sadb_msg_satype
== SADB_SATYPE_ESP
&&
7701 mhp
->ext
[SADB_EXT_KEY_ENCRYPT
] == NULL
) ||
7702 (mhp
->msg
->sadb_msg_satype
== SADB_SATYPE_AH
&&
7703 mhp
->ext
[SADB_EXT_KEY_AUTH
] == NULL
) ||
7704 (mhp
->ext
[SADB_EXT_LIFETIME_HARD
] != NULL
&&
7705 mhp
->ext
[SADB_EXT_LIFETIME_SOFT
] == NULL
) ||
7706 (mhp
->ext
[SADB_EXT_LIFETIME_HARD
] == NULL
&&
7707 mhp
->ext
[SADB_EXT_LIFETIME_SOFT
] != NULL
)) {
7708 ipseclog((LOG_DEBUG
, "key_add: invalid message is passed.\n"));
7710 return key_senderror(so
, m
, EINVAL
);
7712 if (mhp
->extlen
[SADB_EXT_SA
] < sizeof(struct sadb_sa
) ||
7713 mhp
->extlen
[SADB_EXT_ADDRESS_SRC
] < sizeof(struct sadb_address
) ||
7714 mhp
->extlen
[SADB_EXT_ADDRESS_DST
] < sizeof(struct sadb_address
)) {
7716 ipseclog((LOG_DEBUG
, "key_add: invalid message is passed.\n"));
7718 return key_senderror(so
, m
, EINVAL
);
7720 if (mhp
->ext
[SADB_X_EXT_SA2
] != NULL
) {
7721 mode
= ((struct sadb_x_sa2
*)
7722 (void *)mhp
->ext
[SADB_X_EXT_SA2
])->sadb_x_sa2_mode
;
7723 reqid
= ((struct sadb_x_sa2
*)
7724 (void *)mhp
->ext
[SADB_X_EXT_SA2
])->sadb_x_sa2_reqid
;
7726 mode
= IPSEC_MODE_ANY
;
7730 sa0
= (struct sadb_sa
*)(void *)mhp
->ext
[SADB_EXT_SA
];
7731 src0
= (struct sadb_address
*)mhp
->ext
[SADB_EXT_ADDRESS_SRC
];
7732 dst0
= (struct sadb_address
*)mhp
->ext
[SADB_EXT_ADDRESS_DST
];
7733 ipsec_if
= key_get_ipsec_if_from_message(mhp
, SADB_X_EXT_IPSECIF
);
7735 /* XXX boundary check against sa_len */
7736 KEY_SETSECASIDX(proto
, mode
, reqid
, src0
+ 1, dst0
+ 1, ipsec_if
? ipsec_if
->if_index
: 0, &saidx
);
7738 lck_mtx_lock(sadb_mutex
);
7740 /* get a SA header */
7741 if ((newsah
= key_getsah(&saidx
)) == NULL
) {
7742 /* create a new SA header: key_addspi is always used for outbound spi */
7743 if ((newsah
= key_newsah(&saidx
, ipsec_if
, key_get_outgoing_ifindex_from_message(mhp
, SADB_X_EXT_IPSECIF
), IPSEC_DIR_OUTBOUND
)) == NULL
) {
7744 lck_mtx_unlock(sadb_mutex
);
7745 ipseclog((LOG_DEBUG
, "key_add: No more memory.\n"));
7747 return key_senderror(so
, m
, ENOBUFS
);
7751 /* set spidx if there */
7753 error
= key_setident(newsah
, m
, mhp
);
7755 lck_mtx_unlock(sadb_mutex
);
7757 return key_senderror(so
, m
, error
);
7760 /* create new SA entry. */
7761 /* We can create new SA only if SPI is different. */
7762 if (key_getsavbyspi(newsah
, sa0
->sadb_sa_spi
)) {
7763 lck_mtx_unlock(sadb_mutex
);
7764 ipseclog((LOG_DEBUG
, "key_add: SA already exists.\n"));
7766 return key_senderror(so
, m
, EEXIST
);
7768 newsav
= key_newsav(m
, mhp
, newsah
, &error
, so
);
7769 if (newsav
== NULL
) {
7770 lck_mtx_unlock(sadb_mutex
);
7772 return key_senderror(so
, m
, error
);
7776 * Verify if SADB_X_EXT_NATT_MULTIPLEUSERS flag is set that
7777 * this SA is for transport mode - otherwise clear it.
7779 if ((newsav
->flags
& SADB_X_EXT_NATT_MULTIPLEUSERS
) != 0 &&
7780 (newsah
->saidx
.mode
!= IPSEC_MODE_TRANSPORT
||
7781 newsah
->saidx
.dst
.ss_family
!= AF_INET
)) {
7782 newsav
->flags
&= ~SADB_X_EXT_NATT_MULTIPLEUSERS
;
7785 /* check SA values to be mature. */
7786 if ((error
= key_mature(newsav
)) != 0) {
7787 key_freesav(newsav
, KEY_SADB_LOCKED
);
7788 lck_mtx_unlock(sadb_mutex
);
7790 return key_senderror(so
, m
, error
);
7793 lck_mtx_unlock(sadb_mutex
);
7796 * don't call key_freesav() here, as we would like to keep the SA
7797 * in the database on success.
7803 /* set msg buf from mhp */
7804 n
= key_getmsgbuf_x1(m
, mhp
);
7806 ipseclog((LOG_DEBUG
, "key_update: No more memory.\n"));
7808 return key_senderror(so
, m
, ENOBUFS
);
7811 // mh.ext points to the mbuf content.
7812 // Zero out Encryption and Integrity keys if present.
7815 return key_sendup_mbuf(so
, n
, KEY_SENDUP_ALL
);
7822 struct secashead
*sah
,
7824 const struct sadb_msghdr
*mhp
)
7826 const struct sadb_ident
*idsrc
, *iddst
;
7827 int idsrclen
, iddstlen
;
7829 LCK_MTX_ASSERT(sadb_mutex
, LCK_MTX_ASSERT_OWNED
);
7832 if (sah
== NULL
|| m
== NULL
|| mhp
== NULL
|| mhp
->msg
== NULL
) {
7833 panic("key_setident: NULL pointer is passed.\n");
7836 /* don't make buffer if not there */
7837 if (mhp
->ext
[SADB_EXT_IDENTITY_SRC
] == NULL
&&
7838 mhp
->ext
[SADB_EXT_IDENTITY_DST
] == NULL
) {
7844 if (mhp
->ext
[SADB_EXT_IDENTITY_SRC
] == NULL
||
7845 mhp
->ext
[SADB_EXT_IDENTITY_DST
] == NULL
) {
7846 ipseclog((LOG_DEBUG
, "key_setident: invalid identity.\n"));
7850 idsrc
= (const struct sadb_ident
*)
7851 (void *)mhp
->ext
[SADB_EXT_IDENTITY_SRC
];
7852 iddst
= (const struct sadb_ident
*)
7853 (void *)mhp
->ext
[SADB_EXT_IDENTITY_DST
];
7854 idsrclen
= mhp
->extlen
[SADB_EXT_IDENTITY_SRC
];
7855 iddstlen
= mhp
->extlen
[SADB_EXT_IDENTITY_DST
];
7857 /* validity check */
7858 if (idsrc
->sadb_ident_type
!= iddst
->sadb_ident_type
) {
7859 ipseclog((LOG_DEBUG
, "key_setident: ident type mismatch.\n"));
7863 switch (idsrc
->sadb_ident_type
) {
7864 case SADB_IDENTTYPE_PREFIX
:
7865 case SADB_IDENTTYPE_FQDN
:
7866 case SADB_IDENTTYPE_USERFQDN
:
7868 /* XXX do nothing */
7874 /* make structure */
7875 KMALLOC_NOWAIT(sah
->idents
, struct sadb_ident
*, idsrclen
);
7876 if (sah
->idents
== NULL
) {
7877 lck_mtx_unlock(sadb_mutex
);
7878 KMALLOC_WAIT(sah
->idents
, struct sadb_ident
*, idsrclen
);
7879 lck_mtx_lock(sadb_mutex
);
7880 if (sah
->idents
== NULL
) {
7881 ipseclog((LOG_DEBUG
, "key_setident: No more memory.\n"));
7885 KMALLOC_NOWAIT(sah
->identd
, struct sadb_ident
*, iddstlen
);
7886 if (sah
->identd
== NULL
) {
7887 lck_mtx_unlock(sadb_mutex
);
7888 KMALLOC_WAIT(sah
->identd
, struct sadb_ident
*, iddstlen
);
7889 lck_mtx_lock(sadb_mutex
);
7890 if (sah
->identd
== NULL
) {
7893 ipseclog((LOG_DEBUG
, "key_setident: No more memory.\n"));
7897 bcopy(idsrc
, sah
->idents
, idsrclen
);
7898 bcopy(iddst
, sah
->identd
, iddstlen
);
7904 * m will not be freed on return.
7905 * it is caller's responsibility to free the result.
7907 static struct mbuf
*
7910 const struct sadb_msghdr
*mhp
)
7913 int mbufItems
[] = {SADB_EXT_RESERVED
, SADB_EXT_SA
,
7914 SADB_X_EXT_SA2
, SADB_EXT_ADDRESS_SRC
,
7915 SADB_EXT_ADDRESS_DST
, SADB_EXT_LIFETIME_HARD
,
7916 SADB_EXT_LIFETIME_SOFT
, SADB_EXT_IDENTITY_SRC
,
7917 SADB_EXT_IDENTITY_DST
};
7920 if (m
== NULL
|| mhp
== NULL
|| mhp
->msg
== NULL
) {
7921 panic("key_getmsgbuf_x1: NULL pointer is passed.\n");
7924 /* create new sadb_msg to reply. */
7925 n
= key_gather_mbuf(m
, mhp
, 1, sizeof(mbufItems
) / sizeof(int), mbufItems
);
7930 if (n
->m_len
< sizeof(struct sadb_msg
)) {
7931 n
= m_pullup(n
, sizeof(struct sadb_msg
));
7936 mtod(n
, struct sadb_msg
*)->sadb_msg_errno
= 0;
7937 mtod(n
, struct sadb_msg
*)->sadb_msg_len
=
7938 PFKEY_UNIT64(n
->m_pkthdr
.len
);
7943 static int key_delete_all(struct socket
*, struct mbuf
*,
7944 const struct sadb_msghdr
*, u_int16_t
);
7947 * SADB_DELETE processing
7949 * <base, SA(*), address(SD)>
7950 * from the ikmpd, and set SADB_SASTATE_DEAD,
7952 * <base, SA(*), address(SD)>
7955 * m will always be freed.
7961 const struct sadb_msghdr
*mhp
)
7963 struct sadb_sa
*sa0
;
7964 struct sadb_address
*src0
, *dst0
;
7965 ifnet_t ipsec_if
= NULL
;
7966 struct secasindex saidx
;
7967 struct secashead
*sah
;
7968 struct secasvar
*sav
= NULL
;
7971 LCK_MTX_ASSERT(sadb_mutex
, LCK_MTX_ASSERT_NOTOWNED
);
7974 if (so
== NULL
|| m
== NULL
|| mhp
== NULL
|| mhp
->msg
== NULL
) {
7975 panic("key_delete: NULL pointer is passed.\n");
7978 /* map satype to proto */
7979 if ((proto
= key_satype2proto(mhp
->msg
->sadb_msg_satype
)) == 0) {
7980 ipseclog((LOG_DEBUG
, "key_delete: invalid satype is passed.\n"));
7981 return key_senderror(so
, m
, EINVAL
);
7984 if (mhp
->ext
[SADB_EXT_ADDRESS_SRC
] == NULL
||
7985 mhp
->ext
[SADB_EXT_ADDRESS_DST
] == NULL
) {
7986 ipseclog((LOG_DEBUG
, "key_delete: invalid message is passed.\n"));
7987 return key_senderror(so
, m
, EINVAL
);
7990 if (mhp
->extlen
[SADB_EXT_ADDRESS_SRC
] < sizeof(struct sadb_address
) ||
7991 mhp
->extlen
[SADB_EXT_ADDRESS_DST
] < sizeof(struct sadb_address
)) {
7992 ipseclog((LOG_DEBUG
, "key_delete: invalid message is passed.\n"));
7993 return key_senderror(so
, m
, EINVAL
);
7996 lck_mtx_lock(sadb_mutex
);
7998 if (mhp
->ext
[SADB_EXT_SA
] == NULL
) {
8000 * Caller wants us to delete all non-LARVAL SAs
8001 * that match the src/dst. This is used during
8002 * IKE INITIAL-CONTACT.
8004 ipseclog((LOG_DEBUG
, "key_delete: doing delete all.\n"));
8005 /* key_delete_all will unlock sadb_mutex */
8006 return key_delete_all(so
, m
, mhp
, proto
);
8007 } else if (mhp
->extlen
[SADB_EXT_SA
] < sizeof(struct sadb_sa
)) {
8008 lck_mtx_unlock(sadb_mutex
);
8009 ipseclog((LOG_DEBUG
, "key_delete: invalid message is passed.\n"));
8010 return key_senderror(so
, m
, EINVAL
);
8013 sa0
= (struct sadb_sa
*)(void *)mhp
->ext
[SADB_EXT_SA
];
8014 src0
= (struct sadb_address
*)(mhp
->ext
[SADB_EXT_ADDRESS_SRC
]);
8015 dst0
= (struct sadb_address
*)(mhp
->ext
[SADB_EXT_ADDRESS_DST
]);
8016 ipsec_if
= key_get_ipsec_if_from_message(mhp
, SADB_X_EXT_IPSECIF
);
8018 /* XXX boundary check against sa_len */
8019 KEY_SETSECASIDX(proto
, IPSEC_MODE_ANY
, 0, src0
+ 1, dst0
+ 1, ipsec_if
? ipsec_if
->if_index
: 0, &saidx
);
8021 /* get a SA header */
8022 LIST_FOREACH(sah
, &sahtree
, chain
) {
8023 if (sah
->state
== SADB_SASTATE_DEAD
) {
8026 if (key_cmpsaidx(&sah
->saidx
, &saidx
, CMP_HEAD
) == 0) {
8030 /* get a SA with SPI. */
8031 sav
= key_getsavbyspi(sah
, sa0
->sadb_sa_spi
);
8037 lck_mtx_unlock(sadb_mutex
);
8038 ipseclog((LOG_DEBUG
, "key_delete: no SA found.\n"));
8039 return key_senderror(so
, m
, ENOENT
);
8042 key_sa_chgstate(sav
, SADB_SASTATE_DEAD
);
8043 key_freesav(sav
, KEY_SADB_LOCKED
);
8045 lck_mtx_unlock(sadb_mutex
);
8050 struct sadb_msg
*newmsg
;
8051 int mbufItems
[] = {SADB_EXT_RESERVED
, SADB_EXT_SA
,
8052 SADB_EXT_ADDRESS_SRC
, SADB_EXT_ADDRESS_DST
};
8054 /* create new sadb_msg to reply. */
8055 n
= key_gather_mbuf(m
, mhp
, 1, sizeof(mbufItems
) / sizeof(int), mbufItems
);
8057 return key_senderror(so
, m
, ENOBUFS
);
8060 if (n
->m_len
< sizeof(struct sadb_msg
)) {
8061 n
= m_pullup(n
, sizeof(struct sadb_msg
));
8063 return key_senderror(so
, m
, ENOBUFS
);
8066 newmsg
= mtod(n
, struct sadb_msg
*);
8067 newmsg
->sadb_msg_errno
= 0;
8068 newmsg
->sadb_msg_len
= PFKEY_UNIT64(n
->m_pkthdr
.len
);
8071 return key_sendup_mbuf(so
, n
, KEY_SENDUP_ALL
);
8076 * delete all SAs for src/dst. Called from key_delete().
8082 const struct sadb_msghdr
*mhp
,
8085 struct sadb_address
*src0
, *dst0
;
8086 ifnet_t ipsec_if
= NULL
;
8087 struct secasindex saidx
;
8088 struct secashead
*sah
;
8089 struct secasvar
*sav
, *nextsav
;
8090 u_int stateidx
, state
;
8092 LCK_MTX_ASSERT(sadb_mutex
, LCK_MTX_ASSERT_OWNED
);
8094 src0
= (struct sadb_address
*)(mhp
->ext
[SADB_EXT_ADDRESS_SRC
]);
8095 dst0
= (struct sadb_address
*)(mhp
->ext
[SADB_EXT_ADDRESS_DST
]);
8096 ipsec_if
= key_get_ipsec_if_from_message(mhp
, SADB_X_EXT_IPSECIF
);
8098 /* XXX boundary check against sa_len */
8099 KEY_SETSECASIDX(proto
, IPSEC_MODE_ANY
, 0, src0
+ 1, dst0
+ 1, ipsec_if
? ipsec_if
->if_index
: 0, &saidx
);
8101 LIST_FOREACH(sah
, &sahtree
, chain
) {
8102 if (sah
->state
== SADB_SASTATE_DEAD
) {
8105 if (key_cmpsaidx(&sah
->saidx
, &saidx
, CMP_HEAD
) == 0) {
8109 /* Delete all non-LARVAL SAs. */
8111 stateidx
< _ARRAYLEN(saorder_state_alive
);
8113 state
= saorder_state_alive
[stateidx
];
8114 if (state
== SADB_SASTATE_LARVAL
) {
8117 for (sav
= LIST_FIRST(&sah
->savtree
[state
]);
8118 sav
!= NULL
; sav
= nextsav
) {
8119 nextsav
= LIST_NEXT(sav
, chain
);
8121 if (sav
->state
!= state
) {
8122 ipseclog((LOG_DEBUG
, "key_delete_all: "
8123 "invalid sav->state "
8124 "(queue: %d SA: %d)\n",
8125 state
, sav
->state
));
8129 key_sa_chgstate(sav
, SADB_SASTATE_DEAD
);
8130 key_freesav(sav
, KEY_SADB_LOCKED
);
8134 lck_mtx_unlock(sadb_mutex
);
8138 struct sadb_msg
*newmsg
;
8139 int mbufItems
[] = {SADB_EXT_RESERVED
, SADB_EXT_ADDRESS_SRC
,
8140 SADB_EXT_ADDRESS_DST
};
8142 /* create new sadb_msg to reply. */
8143 n
= key_gather_mbuf(m
, mhp
, 1, sizeof(mbufItems
) / sizeof(int), mbufItems
);
8145 return key_senderror(so
, m
, ENOBUFS
);
8148 if (n
->m_len
< sizeof(struct sadb_msg
)) {
8149 n
= m_pullup(n
, sizeof(struct sadb_msg
));
8151 return key_senderror(so
, m
, ENOBUFS
);
8154 newmsg
= mtod(n
, struct sadb_msg
*);
8155 newmsg
->sadb_msg_errno
= 0;
8156 newmsg
->sadb_msg_len
= PFKEY_UNIT64(n
->m_pkthdr
.len
);
8159 return key_sendup_mbuf(so
, n
, KEY_SENDUP_ALL
);
8164 * SADB_GET processing
8166 * <base, SA(*), address(SD)>
8167 * from the ikmpd, and get a SP and a SA to respond,
8169 * <base, SA, (lifetime(HSC),) address(SD), (address(P),) key(AE),
8170 * (identity(SD),) (sensitivity)>
8173 * m will always be freed.
8179 const struct sadb_msghdr
*mhp
)
8181 struct sadb_sa
*sa0
;
8182 struct sadb_address
*src0
, *dst0
;
8183 ifnet_t ipsec_if
= NULL
;
8184 struct secasindex saidx
;
8185 struct secashead
*sah
;
8186 struct secasvar
*sav
= NULL
;
8189 LCK_MTX_ASSERT(sadb_mutex
, LCK_MTX_ASSERT_NOTOWNED
);
8192 if (so
== NULL
|| m
== NULL
|| mhp
== NULL
|| mhp
->msg
== NULL
) {
8193 panic("key_get: NULL pointer is passed.\n");
8196 /* map satype to proto */
8197 if ((proto
= key_satype2proto(mhp
->msg
->sadb_msg_satype
)) == 0) {
8198 ipseclog((LOG_DEBUG
, "key_get: invalid satype is passed.\n"));
8199 return key_senderror(so
, m
, EINVAL
);
8202 if (mhp
->ext
[SADB_EXT_SA
] == NULL
||
8203 mhp
->ext
[SADB_EXT_ADDRESS_SRC
] == NULL
||
8204 mhp
->ext
[SADB_EXT_ADDRESS_DST
] == NULL
) {
8205 ipseclog((LOG_DEBUG
, "key_get: invalid message is passed.\n"));
8206 return key_senderror(so
, m
, EINVAL
);
8208 if (mhp
->extlen
[SADB_EXT_SA
] < sizeof(struct sadb_sa
) ||
8209 mhp
->extlen
[SADB_EXT_ADDRESS_SRC
] < sizeof(struct sadb_address
) ||
8210 mhp
->extlen
[SADB_EXT_ADDRESS_DST
] < sizeof(struct sadb_address
)) {
8211 ipseclog((LOG_DEBUG
, "key_get: invalid message is passed.\n"));
8212 return key_senderror(so
, m
, EINVAL
);
8215 sa0
= (struct sadb_sa
*)(void *)mhp
->ext
[SADB_EXT_SA
];
8216 src0
= (struct sadb_address
*)mhp
->ext
[SADB_EXT_ADDRESS_SRC
];
8217 dst0
= (struct sadb_address
*)mhp
->ext
[SADB_EXT_ADDRESS_DST
];
8218 ipsec_if
= key_get_ipsec_if_from_message(mhp
, SADB_X_EXT_IPSECIF
);
8220 /* XXX boundary check against sa_len */
8221 KEY_SETSECASIDX(proto
, IPSEC_MODE_ANY
, 0, src0
+ 1, dst0
+ 1, ipsec_if
? ipsec_if
->if_index
: 0, &saidx
);
8223 lck_mtx_lock(sadb_mutex
);
8225 /* get a SA header */
8226 LIST_FOREACH(sah
, &sahtree
, chain
) {
8227 if (sah
->state
== SADB_SASTATE_DEAD
) {
8230 if (key_cmpsaidx(&sah
->saidx
, &saidx
, CMP_HEAD
) == 0) {
8234 /* get a SA with SPI. */
8235 sav
= key_getsavbyspi(sah
, sa0
->sadb_sa_spi
);
8241 lck_mtx_unlock(sadb_mutex
);
8242 ipseclog((LOG_DEBUG
, "key_get: no SA found.\n"));
8243 return key_senderror(so
, m
, ENOENT
);
8250 /* map proto to satype */
8251 if ((satype
= key_proto2satype(sah
->saidx
.proto
)) == 0) {
8252 lck_mtx_unlock(sadb_mutex
);
8253 ipseclog((LOG_DEBUG
, "key_get: there was invalid proto in SAD.\n"));
8254 return key_senderror(so
, m
, EINVAL
);
8256 lck_mtx_unlock(sadb_mutex
);
8258 /* create new sadb_msg to reply. */
8259 n
= key_setdumpsa(sav
, SADB_GET
, satype
, mhp
->msg
->sadb_msg_seq
,
8260 mhp
->msg
->sadb_msg_pid
);
8265 return key_senderror(so
, m
, ENOBUFS
);
8269 return key_sendup_mbuf(so
, n
, KEY_SENDUP_ONE
);
8274 * get SA stats by spi.
8275 * OUT: -1 : not found
8276 * 0 : found, arg pointer to a SA stats is updated.
8279 key_getsastatbyspi_one(u_int32_t spi
,
8280 struct sastat
*stat
)
8282 struct secashead
*sah
;
8283 struct secasvar
*sav
= NULL
;
8285 if ((void *)stat
== NULL
) {
8289 lck_mtx_lock(sadb_mutex
);
8291 /* get a SA header */
8292 LIST_FOREACH(sah
, &sahtree
, chain
) {
8293 if (sah
->state
== SADB_SASTATE_DEAD
) {
8297 /* get a SA with SPI. */
8298 sav
= key_getsavbyspi(sah
, spi
);
8300 stat
->spi
= sav
->spi
;
8301 stat
->created
= sav
->created
;
8303 bcopy(sav
->lft_c
, &stat
->lft_c
, sizeof(stat
->lft_c
));
8305 bzero(&stat
->lft_c
, sizeof(stat
->lft_c
));
8307 lck_mtx_unlock(sadb_mutex
);
8312 lck_mtx_unlock(sadb_mutex
);
8318 * get SA stats collection by indices.
8319 * OUT: -1 : not found
8320 * 0 : found, arg pointers to a SA stats and 'maximum stats' are updated.
8323 key_getsastatbyspi(struct sastat
*stat_arg
,
8324 u_int32_t max_stat_arg
,
8325 struct sastat
*stat_res
,
8326 u_int32_t stat_res_size
,
8327 u_int32_t
*max_stat_res
)
8331 if (stat_arg
== NULL
||
8333 max_stat_res
== NULL
) {
8337 u_int32_t max_stats
= stat_res_size
/ (sizeof(struct sastat
));
8338 max_stats
= ((max_stat_arg
<= max_stats
) ? max_stat_arg
: max_stats
);
8340 for (cur
= 0; cur
< max_stats
; cur
++) {
8341 if (key_getsastatbyspi_one(stat_arg
[cur
].spi
,
8342 &stat_res
[found
]) == 0) {
8346 *max_stat_res
= found
;
8354 /* XXX make it sysctl-configurable? */
8356 key_getcomb_setlifetime(
8357 struct sadb_comb
*comb
)
8359 comb
->sadb_comb_soft_allocations
= 1;
8360 comb
->sadb_comb_hard_allocations
= 1;
8361 comb
->sadb_comb_soft_bytes
= 0;
8362 comb
->sadb_comb_hard_bytes
= 0;
8363 comb
->sadb_comb_hard_addtime
= 86400; /* 1 day */
8364 comb
->sadb_comb_soft_addtime
= comb
->sadb_comb_soft_addtime
* 80 / 100;
8365 comb
->sadb_comb_soft_usetime
= 28800; /* 8 hours */
8366 comb
->sadb_comb_hard_usetime
= comb
->sadb_comb_hard_usetime
* 80 / 100;
8371 * XXX reorder combinations by preference
8372 * XXX no idea if the user wants ESP authentication or not
8374 static struct mbuf
*
8375 key_getcomb_esp(void)
8377 struct sadb_comb
*comb
;
8378 const struct esp_algorithm
*algo
;
8379 struct mbuf
*result
= NULL
, *m
, *n
;
8383 const int l
= PFKEY_ALIGN8(sizeof(struct sadb_comb
));
8386 for (i
= 1; i
<= SADB_EALG_MAX
; i
++) {
8387 algo
= esp_algorithm_lookup(i
);
8392 if (algo
->keymax
< ipsec_esp_keymin
) {
8395 if (algo
->keymin
< ipsec_esp_keymin
) {
8396 encmin
= ipsec_esp_keymin
;
8398 encmin
= algo
->keymin
;
8401 if (ipsec_esp_auth
) {
8402 m
= key_getcomb_ah();
8406 panic("assumption failed in key_getcomb_esp");
8409 MGET(m
, M_WAITOK
, MT_DATA
);
8414 bzero(mtod(m
, caddr_t
), m
->m_len
);
8422 for (n
= m
; n
; n
= n
->m_next
) {
8427 panic("assumption failed in key_getcomb_esp");
8431 for (off
= 0; off
< totlen
; off
+= l
) {
8432 n
= m_pulldown(m
, off
, l
, &o
);
8434 /* m is already freed */
8437 comb
= (struct sadb_comb
*)
8438 (void *)(mtod(n
, caddr_t
) + o
);
8439 bzero(comb
, sizeof(*comb
));
8440 key_getcomb_setlifetime(comb
);
8441 comb
->sadb_comb_encrypt
= i
;
8442 comb
->sadb_comb_encrypt_minbits
= encmin
;
8443 comb
->sadb_comb_encrypt_maxbits
= algo
->keymax
;
8464 * XXX reorder combinations by preference
8466 static struct mbuf
*
8467 key_getcomb_ah(void)
8469 struct sadb_comb
*comb
;
8470 const struct ah_algorithm
*algo
;
8474 const int l
= PFKEY_ALIGN8(sizeof(struct sadb_comb
));
8477 for (i
= 1; i
<= SADB_AALG_MAX
; i
++) {
8479 /* we prefer HMAC algorithms, not old algorithms */
8480 if (i
!= SADB_AALG_SHA1HMAC
&& i
!= SADB_AALG_MD5HMAC
) {
8484 algo
= ah_algorithm_lookup(i
);
8489 if (algo
->keymax
< ipsec_ah_keymin
) {
8492 if (algo
->keymin
< ipsec_ah_keymin
) {
8493 keymin
= ipsec_ah_keymin
;
8495 keymin
= algo
->keymin
;
8501 panic("assumption failed in key_getcomb_ah");
8504 MGET(m
, M_WAITOK
, MT_DATA
);
8511 M_PREPEND(m
, l
, M_WAITOK
, 1);
8517 comb
= mtod(m
, struct sadb_comb
*);
8518 bzero(comb
, sizeof(*comb
));
8519 key_getcomb_setlifetime(comb
);
8520 comb
->sadb_comb_auth
= i
;
8521 comb
->sadb_comb_auth_minbits
= keymin
;
8522 comb
->sadb_comb_auth_maxbits
= algo
->keymax
;
8529 * XXX no way to pass mode (transport/tunnel) to userland
8530 * XXX replay checking?
8531 * XXX sysctl interface to ipsec_{ah,esp}_keymin
8533 static struct mbuf
*
8535 const struct secasindex
*saidx
)
8537 struct sadb_prop
*prop
;
8539 const int l
= PFKEY_ALIGN8(sizeof(struct sadb_prop
));
8542 switch (saidx
->proto
) {
8545 m
= key_getcomb_esp();
8549 m
= key_getcomb_ah();
8558 M_PREPEND(m
, l
, M_WAITOK
, 1);
8564 for (n
= m
; n
; n
= n
->m_next
) {
8568 prop
= mtod(m
, struct sadb_prop
*);
8569 bzero(prop
, sizeof(*prop
));
8570 prop
->sadb_prop_len
= PFKEY_UNIT64(totlen
);
8571 prop
->sadb_prop_exttype
= SADB_EXT_PROPOSAL
;
8572 prop
->sadb_prop_replay
= 32; /* XXX */
8578 * SADB_ACQUIRE processing called by key_checkrequest() and key_acquire2().
8580 * <base, SA, address(SD), (address(P)), x_policy,
8581 * (identity(SD),) (sensitivity,) proposal>
8582 * to KMD, and expect to receive
8583 * <base> with SADB_ACQUIRE if error occurred,
8585 * <base, src address, dst address, (SPI range)> with SADB_GETSPI
8586 * from KMD by PF_KEY.
8588 * XXX x_policy is outside of RFC2367 (KAME extension).
8589 * XXX sensitivity is not supported.
8593 * others: error number
8597 struct secasindex
*saidx
,
8598 struct secpolicy
*sp
)
8600 struct mbuf
*result
= NULL
, *m
;
8601 #ifndef IPSEC_NONBLOCK_ACQUIRE
8602 struct secacq
*newacq
;
8608 LCK_MTX_ASSERT(sadb_mutex
, LCK_MTX_ASSERT_NOTOWNED
);
8611 if (saidx
== NULL
) {
8612 panic("key_acquire: NULL pointer is passed.\n");
8614 if ((satype
= key_proto2satype(saidx
->proto
)) == 0) {
8615 panic("key_acquire: invalid proto is passed.\n");
8618 #ifndef IPSEC_NONBLOCK_ACQUIRE
8620 * We never do anything about acquirng SA. There is anather
8621 * solution that kernel blocks to send SADB_ACQUIRE message until
8622 * getting something message from IKEd. In later case, to be
8623 * managed with ACQUIRING list.
8625 /* get a entry to check whether sending message or not. */
8626 lck_mtx_lock(sadb_mutex
);
8627 if ((newacq
= key_getacq(saidx
)) != NULL
) {
8628 if (key_blockacq_count
< newacq
->count
) {
8629 /* reset counter and do send message. */
8632 /* increment counter and do nothing. */
8634 lck_mtx_unlock(sadb_mutex
);
8638 /* make new entry for blocking to send SADB_ACQUIRE. */
8639 if ((newacq
= key_newacq(saidx
)) == NULL
) {
8640 lck_mtx_unlock(sadb_mutex
);
8644 /* add to acqtree */
8645 LIST_INSERT_HEAD(&acqtree
, newacq
, chain
);
8646 key_start_timehandler();
8649 lck_mtx_unlock(sadb_mutex
);
8652 seq
= (acq_seq
= (acq_seq
== ~0 ? 1 : ++acq_seq
));
8654 m
= key_setsadbmsg(SADB_ACQUIRE
, 0, satype
, seq
, 0, 0);
8661 /* set sadb_address for saidx's. */
8662 m
= key_setsadbaddr(SADB_EXT_ADDRESS_SRC
,
8663 (struct sockaddr
*)&saidx
->src
, FULLMASK
, IPSEC_ULPROTO_ANY
);
8670 m
= key_setsadbaddr(SADB_EXT_ADDRESS_DST
,
8671 (struct sockaddr
*)&saidx
->dst
, FULLMASK
, IPSEC_ULPROTO_ANY
);
8678 /* XXX proxy address (optional) */
8680 /* set sadb_x_policy */
8682 m
= key_setsadbxpolicy(sp
->policy
, sp
->spidx
.dir
, sp
->id
);
8690 /* XXX identity (optional) */
8692 if (idexttype
&& fqdn
) {
8693 /* create identity extension (FQDN) */
8694 struct sadb_ident
*id
;
8697 fqdnlen
= strlen(fqdn
) + 1; /* +1 for terminating-NUL */
8698 id
= (struct sadb_ident
*)p
;
8699 bzero(id
, sizeof(*id
) + PFKEY_ALIGN8(fqdnlen
));
8700 id
->sadb_ident_len
= PFKEY_UNIT64(sizeof(*id
) + PFKEY_ALIGN8(fqdnlen
));
8701 id
->sadb_ident_exttype
= idexttype
;
8702 id
->sadb_ident_type
= SADB_IDENTTYPE_FQDN
;
8703 bcopy(fqdn
, id
+ 1, fqdnlen
);
8704 p
+= sizeof(struct sadb_ident
) + PFKEY_ALIGN8(fqdnlen
);
8708 /* create identity extension (USERFQDN) */
8709 struct sadb_ident
*id
;
8713 /* +1 for terminating-NUL */
8714 userfqdnlen
= strlen(userfqdn
) + 1;
8718 id
= (struct sadb_ident
*)p
;
8719 bzero(id
, sizeof(*id
) + PFKEY_ALIGN8(userfqdnlen
));
8720 id
->sadb_ident_len
= PFKEY_UNIT64(sizeof(*id
) + PFKEY_ALIGN8(userfqdnlen
));
8721 id
->sadb_ident_exttype
= idexttype
;
8722 id
->sadb_ident_type
= SADB_IDENTTYPE_USERFQDN
;
8723 /* XXX is it correct? */
8724 if (curproc
&& curproc
->p_cred
) {
8725 id
->sadb_ident_id
= curproc
->p_cred
->p_ruid
;
8727 if (userfqdn
&& userfqdnlen
) {
8728 bcopy(userfqdn
, id
+ 1, userfqdnlen
);
8730 p
+= sizeof(struct sadb_ident
) + PFKEY_ALIGN8(userfqdnlen
);
8734 /* XXX sensitivity (optional) */
8736 /* create proposal/combination extension */
8737 m
= key_getprop(saidx
);
8739 * outside of spec; make proposal/combination extension optional.
8745 if ((result
->m_flags
& M_PKTHDR
) == 0) {
8750 if (result
->m_len
< sizeof(struct sadb_msg
)) {
8751 result
= m_pullup(result
, sizeof(struct sadb_msg
));
8752 if (result
== NULL
) {
8758 result
->m_pkthdr
.len
= 0;
8759 for (m
= result
; m
; m
= m
->m_next
) {
8760 result
->m_pkthdr
.len
+= m
->m_len
;
8763 mtod(result
, struct sadb_msg
*)->sadb_msg_len
=
8764 PFKEY_UNIT64(result
->m_pkthdr
.len
);
8766 return key_sendup_mbuf(NULL
, result
, KEY_SENDUP_REGISTERED
);
8775 #ifndef IPSEC_NONBLOCK_ACQUIRE
8776 static struct secacq
*
8778 struct secasindex
*saidx
)
8780 struct secacq
*newacq
;
8784 KMALLOC_NOWAIT(newacq
, struct secacq
*, sizeof(struct secacq
));
8785 if (newacq
== NULL
) {
8786 lck_mtx_unlock(sadb_mutex
);
8787 KMALLOC_WAIT(newacq
, struct secacq
*, sizeof(struct secacq
));
8788 lck_mtx_lock(sadb_mutex
);
8789 if (newacq
== NULL
) {
8790 ipseclog((LOG_DEBUG
, "key_newacq: No more memory.\n"));
8794 bzero(newacq
, sizeof(*newacq
));
8797 bcopy(saidx
, &newacq
->saidx
, sizeof(newacq
->saidx
));
8798 newacq
->seq
= (acq_seq
== ~0 ? 1 : ++acq_seq
);
8800 newacq
->created
= tv
.tv_sec
;
8806 static struct secacq
*
8808 struct secasindex
*saidx
)
8812 LCK_MTX_ASSERT(sadb_mutex
, LCK_MTX_ASSERT_OWNED
);
8814 LIST_FOREACH(acq
, &acqtree
, chain
) {
8815 if (key_cmpsaidx(saidx
, &acq
->saidx
, CMP_EXACTLY
)) {
8823 static struct secacq
*
8829 LCK_MTX_ASSERT(sadb_mutex
, LCK_MTX_ASSERT_OWNED
);
8831 LIST_FOREACH(acq
, &acqtree
, chain
) {
8832 if (acq
->seq
== seq
) {
8841 static struct secspacq
*
8843 struct secpolicyindex
*spidx
)
8845 struct secspacq
*acq
;
8849 KMALLOC_NOWAIT(acq
, struct secspacq
*, sizeof(struct secspacq
));
8851 lck_mtx_unlock(sadb_mutex
);
8852 KMALLOC_WAIT(acq
, struct secspacq
*, sizeof(struct secspacq
));
8853 lck_mtx_lock(sadb_mutex
);
8855 ipseclog((LOG_DEBUG
, "key_newspacq: No more memory.\n"));
8859 bzero(acq
, sizeof(*acq
));
8862 bcopy(spidx
, &acq
->spidx
, sizeof(acq
->spidx
));
8864 acq
->created
= tv
.tv_sec
;
8870 static struct secspacq
*
8872 struct secpolicyindex
*spidx
)
8874 struct secspacq
*acq
;
8876 LCK_MTX_ASSERT(sadb_mutex
, LCK_MTX_ASSERT_OWNED
);
8878 LIST_FOREACH(acq
, &spacqtree
, chain
) {
8879 if (key_cmpspidx_exactly(spidx
, &acq
->spidx
)) {
8888 * SADB_ACQUIRE processing,
8889 * in first situation, is receiving
8891 * from the ikmpd, and clear sequence of its secasvar entry.
8893 * In second situation, is receiving
8894 * <base, address(SD), (address(P),) (identity(SD),) (sensitivity,) proposal>
8895 * from a user land process, and return
8896 * <base, address(SD), (address(P),) (identity(SD),) (sensitivity,) proposal>
8899 * m will always be freed.
8905 const struct sadb_msghdr
*mhp
)
8907 const struct sadb_address
*src0
, *dst0
;
8908 ifnet_t ipsec_if
= NULL
;
8909 struct secasindex saidx
;
8910 struct secashead
*sah
;
8916 if (so
== NULL
|| m
== NULL
|| mhp
== NULL
|| mhp
->msg
== NULL
) {
8917 panic("key_acquire2: NULL pointer is passed.\n");
8921 * Error message from KMd.
8922 * We assume that if error was occurred in IKEd, the length of PFKEY
8923 * message is equal to the size of sadb_msg structure.
8924 * We do not raise error even if error occurred in this function.
8926 lck_mtx_lock(sadb_mutex
);
8928 if (mhp
->msg
->sadb_msg_len
== PFKEY_UNIT64(sizeof(struct sadb_msg
))) {
8929 #ifndef IPSEC_NONBLOCK_ACQUIRE
8933 /* check sequence number */
8934 if (mhp
->msg
->sadb_msg_seq
== 0) {
8935 lck_mtx_unlock(sadb_mutex
);
8936 ipseclog((LOG_DEBUG
, "key_acquire2: must specify sequence number.\n"));
8941 if ((acq
= key_getacqbyseq(mhp
->msg
->sadb_msg_seq
)) == NULL
) {
8943 * the specified larval SA is already gone, or we got
8944 * a bogus sequence number. we can silently ignore it.
8946 lck_mtx_unlock(sadb_mutex
);
8951 /* reset acq counter in order to deletion by timehander. */
8953 acq
->created
= tv
.tv_sec
;
8956 lck_mtx_unlock(sadb_mutex
);
8962 * This message is from user land.
8965 /* map satype to proto */
8966 if ((proto
= key_satype2proto(mhp
->msg
->sadb_msg_satype
)) == 0) {
8967 lck_mtx_unlock(sadb_mutex
);
8968 ipseclog((LOG_DEBUG
, "key_acquire2: invalid satype is passed.\n"));
8969 return key_senderror(so
, m
, EINVAL
);
8972 if (mhp
->ext
[SADB_EXT_ADDRESS_SRC
] == NULL
||
8973 mhp
->ext
[SADB_EXT_ADDRESS_DST
] == NULL
||
8974 mhp
->ext
[SADB_EXT_PROPOSAL
] == NULL
) {
8976 lck_mtx_unlock(sadb_mutex
);
8977 ipseclog((LOG_DEBUG
, "key_acquire2: invalid message is passed.\n"));
8978 return key_senderror(so
, m
, EINVAL
);
8980 if (mhp
->extlen
[SADB_EXT_ADDRESS_SRC
] < sizeof(struct sadb_address
) ||
8981 mhp
->extlen
[SADB_EXT_ADDRESS_DST
] < sizeof(struct sadb_address
) ||
8982 mhp
->extlen
[SADB_EXT_PROPOSAL
] < sizeof(struct sadb_prop
)) {
8984 lck_mtx_unlock(sadb_mutex
);
8985 ipseclog((LOG_DEBUG
, "key_acquire2: invalid message is passed.\n"));
8986 return key_senderror(so
, m
, EINVAL
);
8989 src0
= (const struct sadb_address
*)mhp
->ext
[SADB_EXT_ADDRESS_SRC
];
8990 dst0
= (const struct sadb_address
*)mhp
->ext
[SADB_EXT_ADDRESS_DST
];
8991 ipsec_if
= key_get_ipsec_if_from_message(mhp
, SADB_X_EXT_IPSECIF
);
8993 /* XXX boundary check against sa_len */
8995 KEY_SETSECASIDX(proto
, IPSEC_MODE_ANY
, 0, src0
+ 1, dst0
+ 1, ipsec_if
? ipsec_if
->if_index
: 0, &saidx
);
8997 /* get a SA index */
8998 LIST_FOREACH(sah
, &sahtree
, chain
) {
8999 if (sah
->state
== SADB_SASTATE_DEAD
) {
9002 if (key_cmpsaidx(&sah
->saidx
, &saidx
, CMP_MODE
| CMP_REQID
)) {
9007 lck_mtx_unlock(sadb_mutex
);
9008 ipseclog((LOG_DEBUG
, "key_acquire2: a SA exists already.\n"));
9009 return key_senderror(so
, m
, EEXIST
);
9011 lck_mtx_unlock(sadb_mutex
);
9012 error
= key_acquire(&saidx
, NULL
);
9014 ipseclog((LOG_DEBUG
, "key_acquire2: error %d returned "
9015 "from key_acquire.\n", mhp
->msg
->sadb_msg_errno
));
9016 return key_senderror(so
, m
, error
);
9019 return key_sendup_mbuf(so
, m
, KEY_SENDUP_REGISTERED
);
9023 * SADB_REGISTER processing.
9024 * If SATYPE_UNSPEC has been passed as satype, only return sadb_supported.
9027 * from the ikmpd, and register a socket to send PF_KEY messages,
9031 * If socket is detached, must free from regnode.
9033 * m will always be freed.
9039 const struct sadb_msghdr
*mhp
)
9041 struct secreg
*reg
, *newreg
= 0;
9044 if (so
== NULL
|| m
== NULL
|| mhp
== NULL
|| mhp
->msg
== NULL
) {
9045 panic("key_register: NULL pointer is passed.\n");
9048 /* check for invalid register message */
9049 if (mhp
->msg
->sadb_msg_satype
>= sizeof(regtree
) / sizeof(regtree
[0])) {
9050 return key_senderror(so
, m
, EINVAL
);
9053 /* When SATYPE_UNSPEC is specified, only return sadb_supported. */
9054 if (mhp
->msg
->sadb_msg_satype
== SADB_SATYPE_UNSPEC
) {
9058 /* create regnode */
9059 KMALLOC_WAIT(newreg
, struct secreg
*, sizeof(*newreg
));
9060 if (newreg
== NULL
) {
9061 ipseclog((LOG_DEBUG
, "key_register: No more memory.\n"));
9062 return key_senderror(so
, m
, ENOBUFS
);
9064 bzero((caddr_t
)newreg
, sizeof(*newreg
));
9066 lck_mtx_lock(sadb_mutex
);
9067 /* check whether existing or not */
9068 LIST_FOREACH(reg
, ®tree
[mhp
->msg
->sadb_msg_satype
], chain
) {
9069 if (reg
->so
== so
) {
9070 lck_mtx_unlock(sadb_mutex
);
9071 ipseclog((LOG_DEBUG
, "key_register: socket exists already.\n"));
9073 return key_senderror(so
, m
, EEXIST
);
9079 ((struct keycb
*)sotorawcb(so
))->kp_registered
++;
9080 socket_unlock(so
, 1);
9082 /* add regnode to regtree. */
9083 LIST_INSERT_HEAD(®tree
[mhp
->msg
->sadb_msg_satype
], newreg
, chain
);
9084 lck_mtx_unlock(sadb_mutex
);
9088 struct sadb_msg
*newmsg
;
9089 struct sadb_supported
*sup
;
9090 u_int len
, alen
, elen
;
9093 struct sadb_alg
*alg
;
9095 /* create new sadb_msg to reply. */
9097 for (i
= 1; i
<= SADB_AALG_MAX
; i
++) {
9098 if (ah_algorithm_lookup(i
)) {
9099 alen
+= sizeof(struct sadb_alg
);
9103 alen
+= sizeof(struct sadb_supported
);
9107 for (i
= 1; i
<= SADB_EALG_MAX
; i
++) {
9108 if (esp_algorithm_lookup(i
)) {
9109 elen
+= sizeof(struct sadb_alg
);
9113 elen
+= sizeof(struct sadb_supported
);
9117 len
= sizeof(struct sadb_msg
) + alen
+ elen
;
9119 if (len
> MCLBYTES
) {
9120 return key_senderror(so
, m
, ENOBUFS
);
9123 MGETHDR(n
, M_WAITOK
, MT_DATA
);
9124 if (n
&& len
> MHLEN
) {
9125 MCLGET(n
, M_WAITOK
);
9126 if ((n
->m_flags
& M_EXT
) == 0) {
9132 return key_senderror(so
, m
, ENOBUFS
);
9135 n
->m_pkthdr
.len
= n
->m_len
= len
;
9139 m_copydata(m
, 0, sizeof(struct sadb_msg
), mtod(n
, caddr_t
) + off
);
9140 newmsg
= mtod(n
, struct sadb_msg
*);
9141 newmsg
->sadb_msg_errno
= 0;
9142 newmsg
->sadb_msg_len
= PFKEY_UNIT64(len
);
9143 off
+= PFKEY_ALIGN8(sizeof(struct sadb_msg
));
9145 /* for authentication algorithm */
9147 sup
= (struct sadb_supported
*)(void *)(mtod(n
, caddr_t
) + off
);
9148 sup
->sadb_supported_len
= PFKEY_UNIT64(alen
);
9149 sup
->sadb_supported_exttype
= SADB_EXT_SUPPORTED_AUTH
;
9150 off
+= PFKEY_ALIGN8(sizeof(*sup
));
9152 for (i
= 1; i
<= SADB_AALG_MAX
; i
++) {
9153 const struct ah_algorithm
*aalgo
;
9155 aalgo
= ah_algorithm_lookup(i
);
9159 alg
= (struct sadb_alg
*)
9160 (void *)(mtod(n
, caddr_t
) + off
);
9161 alg
->sadb_alg_id
= i
;
9162 alg
->sadb_alg_ivlen
= 0;
9163 alg
->sadb_alg_minbits
= aalgo
->keymin
;
9164 alg
->sadb_alg_maxbits
= aalgo
->keymax
;
9165 off
+= PFKEY_ALIGN8(sizeof(*alg
));
9170 /* for encryption algorithm */
9172 sup
= (struct sadb_supported
*)(void *)(mtod(n
, caddr_t
) + off
);
9173 sup
->sadb_supported_len
= PFKEY_UNIT64(elen
);
9174 sup
->sadb_supported_exttype
= SADB_EXT_SUPPORTED_ENCRYPT
;
9175 off
+= PFKEY_ALIGN8(sizeof(*sup
));
9177 for (i
= 1; i
<= SADB_EALG_MAX
; i
++) {
9178 const struct esp_algorithm
*ealgo
;
9180 ealgo
= esp_algorithm_lookup(i
);
9184 alg
= (struct sadb_alg
*)
9185 (void *)(mtod(n
, caddr_t
) + off
);
9186 alg
->sadb_alg_id
= i
;
9187 if (ealgo
&& ealgo
->ivlen
) {
9189 * give NULL to get the value preferred by
9190 * algorithm XXX SADB_X_EXT_DERIV ?
9192 alg
->sadb_alg_ivlen
=
9193 (*ealgo
->ivlen
)(ealgo
, NULL
);
9195 alg
->sadb_alg_ivlen
= 0;
9197 alg
->sadb_alg_minbits
= ealgo
->keymin
;
9198 alg
->sadb_alg_maxbits
= ealgo
->keymax
;
9199 off
+= PFKEY_ALIGN8(sizeof(struct sadb_alg
));
9206 panic("length assumption failed in key_register");
9211 return key_sendup_mbuf(so
, n
, KEY_SENDUP_REGISTERED
);
9216 key_delete_all_for_socket(struct socket
*so
)
9218 struct secashead
*sah
, *nextsah
;
9219 struct secasvar
*sav
, *nextsav
;
9223 for (sah
= LIST_FIRST(&sahtree
);
9226 nextsah
= LIST_NEXT(sah
, chain
);
9227 for (stateidx
= 0; stateidx
< _ARRAYLEN(saorder_state_alive
); stateidx
++) {
9228 state
= saorder_state_any
[stateidx
];
9229 for (sav
= LIST_FIRST(&sah
->savtree
[state
]); sav
!= NULL
; sav
= nextsav
) {
9230 nextsav
= LIST_NEXT(sav
, chain
);
9231 if (sav
->flags2
& SADB_X_EXT_SA2_DELETE_ON_DETACH
&&
9233 key_sa_chgstate(sav
, SADB_SASTATE_DEAD
);
9234 key_freesav(sav
, KEY_SADB_LOCKED
);
9242 * free secreg entry registered.
9243 * XXX: I want to do free a socket marked done SADB_RESIGER to socket.
9254 panic("key_freereg: NULL pointer is passed.\n");
9258 * check whether existing or not.
9259 * check all type of SA, because there is a potential that
9260 * one socket is registered to multiple type of SA.
9262 lck_mtx_lock(sadb_mutex
);
9263 key_delete_all_for_socket(so
);
9264 for (i
= 0; i
<= SADB_SATYPE_MAX
; i
++) {
9265 LIST_FOREACH(reg
, ®tree
[i
], chain
) {
9267 && __LIST_CHAINED(reg
)) {
9268 LIST_REMOVE(reg
, chain
);
9274 lck_mtx_unlock(sadb_mutex
);
9279 * SADB_EXPIRE processing
9281 * <base, SA, SA2, lifetime(C and one of HS), address(SD)>
9283 * NOTE: We send only soft lifetime extension.
9286 * others : error number
9290 struct secasvar
*sav
)
9293 struct mbuf
*result
= NULL
, *m
;
9296 struct sadb_lifetime
*lt
;
9298 LCK_MTX_ASSERT(sadb_mutex
, LCK_MTX_ASSERT_NOTOWNED
);
9302 panic("key_expire: NULL pointer is passed.\n");
9304 if (sav
->sah
== NULL
) {
9305 panic("key_expire: Why was SA index in SA NULL.\n");
9307 if ((satype
= key_proto2satype(sav
->sah
->saidx
.proto
)) == 0) {
9308 panic("key_expire: invalid proto is passed.\n");
9311 /* set msg header */
9312 m
= key_setsadbmsg(SADB_EXPIRE
, 0, satype
, sav
->seq
, 0, sav
->refcnt
);
9319 /* create SA extension */
9320 m
= key_setsadbsa(sav
);
9327 /* create SA extension */
9328 m
= key_setsadbxsa2(sav
->sah
->saidx
.mode
,
9329 sav
->replay
[0] ? sav
->replay
[0]->count
: 0,
9330 sav
->sah
->saidx
.reqid
,
9338 /* create lifetime extension (current and soft) */
9339 len
= PFKEY_ALIGN8(sizeof(*lt
)) * 2;
9340 m
= key_alloc_mbuf(len
);
9341 if (!m
|| m
->m_next
) { /*XXX*/
9348 bzero(mtod(m
, caddr_t
), len
);
9349 lt
= mtod(m
, struct sadb_lifetime
*);
9350 lt
->sadb_lifetime_len
= PFKEY_UNIT64(sizeof(struct sadb_lifetime
));
9351 lt
->sadb_lifetime_exttype
= SADB_EXT_LIFETIME_CURRENT
;
9352 lt
->sadb_lifetime_allocations
= sav
->lft_c
->sadb_lifetime_allocations
;
9353 lt
->sadb_lifetime_bytes
= sav
->lft_c
->sadb_lifetime_bytes
;
9354 lt
->sadb_lifetime_addtime
= sav
->lft_c
->sadb_lifetime_addtime
;
9355 lt
->sadb_lifetime_usetime
= sav
->lft_c
->sadb_lifetime_usetime
;
9356 lt
= (struct sadb_lifetime
*)(void *)(mtod(m
, caddr_t
) + len
/ 2);
9357 bcopy(sav
->lft_s
, lt
, sizeof(*lt
));
9360 /* set sadb_address for source */
9361 m
= key_setsadbaddr(SADB_EXT_ADDRESS_SRC
,
9362 (struct sockaddr
*)&sav
->sah
->saidx
.src
,
9363 FULLMASK
, IPSEC_ULPROTO_ANY
);
9370 /* set sadb_address for destination */
9371 m
= key_setsadbaddr(SADB_EXT_ADDRESS_DST
,
9372 (struct sockaddr
*)&sav
->sah
->saidx
.dst
,
9373 FULLMASK
, IPSEC_ULPROTO_ANY
);
9380 if ((result
->m_flags
& M_PKTHDR
) == 0) {
9385 if (result
->m_len
< sizeof(struct sadb_msg
)) {
9386 result
= m_pullup(result
, sizeof(struct sadb_msg
));
9387 if (result
== NULL
) {
9393 result
->m_pkthdr
.len
= 0;
9394 for (m
= result
; m
; m
= m
->m_next
) {
9395 result
->m_pkthdr
.len
+= m
->m_len
;
9398 mtod(result
, struct sadb_msg
*)->sadb_msg_len
=
9399 PFKEY_UNIT64(result
->m_pkthdr
.len
);
9401 return key_sendup_mbuf(NULL
, result
, KEY_SENDUP_REGISTERED
);
9411 * SADB_FLUSH processing
9414 * from the ikmpd, and free all entries in secastree.
9418 * NOTE: to do is only marking SADB_SASTATE_DEAD.
9420 * m will always be freed.
9426 const struct sadb_msghdr
*mhp
)
9428 struct sadb_msg
*newmsg
;
9429 struct secashead
*sah
, *nextsah
;
9430 struct secasvar
*sav
, *nextsav
;
9436 if (so
== NULL
|| mhp
== NULL
|| mhp
->msg
== NULL
) {
9437 panic("key_flush: NULL pointer is passed.\n");
9440 /* map satype to proto */
9441 if ((proto
= key_satype2proto(mhp
->msg
->sadb_msg_satype
)) == 0) {
9442 ipseclog((LOG_DEBUG
, "key_flush: invalid satype is passed.\n"));
9443 return key_senderror(so
, m
, EINVAL
);
9446 lck_mtx_lock(sadb_mutex
);
9448 /* no SATYPE specified, i.e. flushing all SA. */
9449 for (sah
= LIST_FIRST(&sahtree
);
9452 nextsah
= LIST_NEXT(sah
, chain
);
9454 if (mhp
->msg
->sadb_msg_satype
!= SADB_SATYPE_UNSPEC
9455 && proto
!= sah
->saidx
.proto
) {
9460 stateidx
< _ARRAYLEN(saorder_state_alive
);
9462 state
= saorder_state_any
[stateidx
];
9463 for (sav
= LIST_FIRST(&sah
->savtree
[state
]);
9466 nextsav
= LIST_NEXT(sav
, chain
);
9468 key_sa_chgstate(sav
, SADB_SASTATE_DEAD
);
9469 key_freesav(sav
, KEY_SADB_LOCKED
);
9473 sah
->state
= SADB_SASTATE_DEAD
;
9475 lck_mtx_unlock(sadb_mutex
);
9477 if (m
->m_len
< sizeof(struct sadb_msg
) ||
9478 sizeof(struct sadb_msg
) > m
->m_len
+ M_TRAILINGSPACE(m
)) {
9479 ipseclog((LOG_DEBUG
, "key_flush: No more memory.\n"));
9480 return key_senderror(so
, m
, ENOBUFS
);
9487 m
->m_pkthdr
.len
= m
->m_len
= sizeof(struct sadb_msg
);
9488 newmsg
= mtod(m
, struct sadb_msg
*);
9489 newmsg
->sadb_msg_errno
= 0;
9490 newmsg
->sadb_msg_len
= PFKEY_UNIT64(m
->m_pkthdr
.len
);
9492 return key_sendup_mbuf(so
, m
, KEY_SENDUP_ALL
);
9496 * SADB_DUMP processing
9497 * dump all entries including status of DEAD in SAD.
9500 * from the ikmpd, and dump all secasvar leaves
9505 * m will always be freed.
9508 struct sav_dump_elem
{
9509 struct secasvar
*sav
;
9517 const struct sadb_msghdr
*mhp
)
9519 struct secashead
*sah
;
9520 struct secasvar
*sav
;
9521 struct sav_dump_elem
*savbuf
= NULL
, *elem_ptr
;
9526 int cnt
= 0, cnt2
, bufcount
;
9530 LCK_MTX_ASSERT(sadb_mutex
, LCK_MTX_ASSERT_NOTOWNED
);
9533 if (so
== NULL
|| m
== NULL
|| mhp
== NULL
|| mhp
->msg
== NULL
) {
9534 panic("key_dump: NULL pointer is passed.\n");
9537 /* map satype to proto */
9538 if ((proto
= key_satype2proto(mhp
->msg
->sadb_msg_satype
)) == 0) {
9539 ipseclog((LOG_DEBUG
, "key_dump: invalid satype is passed.\n"));
9540 return key_senderror(so
, m
, EINVAL
);
9543 if ((bufcount
= ipsec_sav_count
) <= 0) {
9547 bufcount
+= 512; /* extra */
9548 KMALLOC_WAIT(savbuf
, struct sav_dump_elem
*, bufcount
* sizeof(struct sav_dump_elem
));
9549 if (savbuf
== NULL
) {
9550 ipseclog((LOG_DEBUG
, "key_dump: No more memory.\n"));
9555 /* count sav entries to be sent to the userland. */
9556 lck_mtx_lock(sadb_mutex
);
9558 LIST_FOREACH(sah
, &sahtree
, chain
) {
9559 if (mhp
->msg
->sadb_msg_satype
!= SADB_SATYPE_UNSPEC
9560 && proto
!= sah
->saidx
.proto
) {
9564 /* map proto to satype */
9565 if ((satype
= key_proto2satype(sah
->saidx
.proto
)) == 0) {
9566 lck_mtx_unlock(sadb_mutex
);
9567 ipseclog((LOG_DEBUG
, "key_dump: there was invalid proto in SAD.\n"));
9573 stateidx
< _ARRAYLEN(saorder_state_any
);
9575 state
= saorder_state_any
[stateidx
];
9576 LIST_FOREACH(sav
, &sah
->savtree
[state
], chain
) {
9577 if (cnt
== bufcount
) {
9578 break; /* out of buffer space */
9580 elem_ptr
->sav
= sav
;
9581 elem_ptr
->satype
= satype
;
9588 lck_mtx_unlock(sadb_mutex
);
9595 /* send this to the userland, one at a time. */
9599 n
= key_setdumpsa(elem_ptr
->sav
, SADB_DUMP
, elem_ptr
->satype
,
9600 --cnt2
, mhp
->msg
->sadb_msg_pid
);
9607 key_sendup_mbuf(so
, n
, KEY_SENDUP_ONE
);
9615 lck_mtx_lock(sadb_mutex
);
9617 key_freesav((elem_ptr
++)->sav
, KEY_SADB_LOCKED
);
9619 lck_mtx_unlock(sadb_mutex
);
9625 return key_senderror(so
, m
, error
);
9633 * SADB_X_PROMISC processing
9635 * m will always be freed.
9641 const struct sadb_msghdr
*mhp
)
9646 if (so
== NULL
|| m
== NULL
|| mhp
== NULL
|| mhp
->msg
== NULL
) {
9647 panic("key_promisc: NULL pointer is passed.\n");
9650 olen
= PFKEY_UNUNIT64(mhp
->msg
->sadb_msg_len
);
9652 if (olen
< sizeof(struct sadb_msg
)) {
9654 return key_senderror(so
, m
, EINVAL
);
9659 } else if (olen
== sizeof(struct sadb_msg
)) {
9660 /* enable/disable promisc mode */
9664 if ((kp
= (struct keycb
*)sotorawcb(so
)) == NULL
) {
9665 return key_senderror(so
, m
, EINVAL
);
9667 mhp
->msg
->sadb_msg_errno
= 0;
9668 switch (mhp
->msg
->sadb_msg_satype
) {
9671 kp
->kp_promisc
= mhp
->msg
->sadb_msg_satype
;
9674 socket_unlock(so
, 1);
9675 return key_senderror(so
, m
, EINVAL
);
9677 socket_unlock(so
, 1);
9679 /* send the original message back to everyone */
9680 mhp
->msg
->sadb_msg_errno
= 0;
9681 return key_sendup_mbuf(so
, m
, KEY_SENDUP_ALL
);
9683 /* send packet as is */
9685 m_adj(m
, PFKEY_ALIGN8(sizeof(struct sadb_msg
)));
9687 /* TODO: if sadb_msg_seq is specified, send to specific pid */
9688 return key_sendup_mbuf(so
, m
, KEY_SENDUP_ALL
);
9692 static int(*const key_typesw
[])(struct socket
*, struct mbuf
*,
9693 const struct sadb_msghdr
*) = {
9694 NULL
, /* SADB_RESERVED */
9695 key_getspi
, /* SADB_GETSPI */
9696 key_update
, /* SADB_UPDATE */
9697 key_add
, /* SADB_ADD */
9698 key_delete
, /* SADB_DELETE */
9699 key_get
, /* SADB_GET */
9700 key_acquire2
, /* SADB_ACQUIRE */
9701 key_register
, /* SADB_REGISTER */
9702 NULL
, /* SADB_EXPIRE */
9703 key_flush
, /* SADB_FLUSH */
9704 key_dump
, /* SADB_DUMP */
9705 key_promisc
, /* SADB_X_PROMISC */
9706 NULL
, /* SADB_X_PCHANGE */
9707 key_spdadd
, /* SADB_X_SPDUPDATE */
9708 key_spdadd
, /* SADB_X_SPDADD */
9709 key_spddelete
, /* SADB_X_SPDDELETE */
9710 key_spdget
, /* SADB_X_SPDGET */
9711 NULL
, /* SADB_X_SPDACQUIRE */
9712 key_spddump
, /* SADB_X_SPDDUMP */
9713 key_spdflush
, /* SADB_X_SPDFLUSH */
9714 key_spdadd
, /* SADB_X_SPDSETIDX */
9715 NULL
, /* SADB_X_SPDEXPIRE */
9716 key_spddelete2
, /* SADB_X_SPDDELETE2 */
9717 key_getsastat
, /* SADB_GETSASTAT */
9718 key_spdenable
, /* SADB_X_SPDENABLE */
9719 key_spddisable
, /* SADB_X_SPDDISABLE */
9720 key_migrate
, /* SADB_MIGRATE */
9724 bzero_mbuf(struct mbuf
*m
)
9726 struct mbuf
*mptr
= m
;
9727 struct sadb_msg
*msg
= NULL
;
9734 if (mptr
->m_len
>= sizeof(struct sadb_msg
)) {
9735 msg
= mtod(mptr
, struct sadb_msg
*);
9736 if (msg
->sadb_msg_type
!= SADB_ADD
&&
9737 msg
->sadb_msg_type
!= SADB_UPDATE
) {
9740 offset
= sizeof(struct sadb_msg
);
9742 bzero(mptr
->m_data
+ offset
, mptr
->m_len
- offset
);
9743 mptr
= mptr
->m_next
;
9744 while (mptr
!= NULL
) {
9745 bzero(mptr
->m_data
, mptr
->m_len
);
9746 mptr
= mptr
->m_next
;
9751 bzero_keys(const struct sadb_msghdr
*mh
)
9759 offset
= sizeof(struct sadb_key
);
9761 if (mh
->ext
[SADB_EXT_KEY_ENCRYPT
]) {
9762 struct sadb_key
*key
= (struct sadb_key
*)mh
->ext
[SADB_EXT_KEY_ENCRYPT
];
9763 extlen
= key
->sadb_key_bits
>> 3;
9765 if (mh
->extlen
[SADB_EXT_KEY_ENCRYPT
] >= offset
+ extlen
) {
9766 bzero((uint8_t *)mh
->ext
[SADB_EXT_KEY_ENCRYPT
] + offset
, extlen
);
9768 bzero(mh
->ext
[SADB_EXT_KEY_ENCRYPT
], mh
->extlen
[SADB_EXT_KEY_ENCRYPT
]);
9771 if (mh
->ext
[SADB_EXT_KEY_AUTH
]) {
9772 struct sadb_key
*key
= (struct sadb_key
*)mh
->ext
[SADB_EXT_KEY_AUTH
];
9773 extlen
= key
->sadb_key_bits
>> 3;
9775 if (mh
->extlen
[SADB_EXT_KEY_AUTH
] >= offset
+ extlen
) {
9776 bzero((uint8_t *)mh
->ext
[SADB_EXT_KEY_AUTH
] + offset
, extlen
);
9778 bzero(mh
->ext
[SADB_EXT_KEY_AUTH
], mh
->extlen
[SADB_EXT_KEY_AUTH
]);
9784 key_validate_address_pair(struct sadb_address
*src0
,
9785 struct sadb_address
*dst0
)
9789 /* check upper layer protocol */
9790 if (src0
->sadb_address_proto
!= dst0
->sadb_address_proto
) {
9791 ipseclog((LOG_DEBUG
, "key_parse: upper layer protocol mismatched.\n"));
9792 PFKEY_STAT_INCREMENT(pfkeystat
.out_invaddr
);
9797 if (PFKEY_ADDR_SADDR(src0
)->sa_family
!=
9798 PFKEY_ADDR_SADDR(dst0
)->sa_family
) {
9799 ipseclog((LOG_DEBUG
, "key_parse: address family mismatched.\n"));
9800 PFKEY_STAT_INCREMENT(pfkeystat
.out_invaddr
);
9803 if (PFKEY_ADDR_SADDR(src0
)->sa_len
!=
9804 PFKEY_ADDR_SADDR(dst0
)->sa_len
) {
9805 ipseclog((LOG_DEBUG
,
9806 "key_parse: address struct size mismatched.\n"));
9807 PFKEY_STAT_INCREMENT(pfkeystat
.out_invaddr
);
9811 switch (PFKEY_ADDR_SADDR(src0
)->sa_family
) {
9813 if (PFKEY_ADDR_SADDR(src0
)->sa_len
!= sizeof(struct sockaddr_in
)) {
9814 PFKEY_STAT_INCREMENT(pfkeystat
.out_invaddr
);
9819 if (PFKEY_ADDR_SADDR(src0
)->sa_len
!= sizeof(struct sockaddr_in6
)) {
9820 PFKEY_STAT_INCREMENT(pfkeystat
.out_invaddr
);
9825 ipseclog((LOG_DEBUG
,
9826 "key_parse: unsupported address family.\n"));
9827 PFKEY_STAT_INCREMENT(pfkeystat
.out_invaddr
);
9828 return EAFNOSUPPORT
;
9831 switch (PFKEY_ADDR_SADDR(src0
)->sa_family
) {
9833 plen
= sizeof(struct in_addr
) << 3;
9836 plen
= sizeof(struct in6_addr
) << 3;
9839 plen
= 0; /*fool gcc*/
9843 /* check max prefix length */
9844 if (src0
->sadb_address_prefixlen
> plen
||
9845 dst0
->sadb_address_prefixlen
> plen
) {
9846 ipseclog((LOG_DEBUG
,
9847 "key_parse: illegal prefixlen.\n"));
9848 PFKEY_STAT_INCREMENT(pfkeystat
.out_invaddr
);
9853 * prefixlen == 0 is valid because there can be a case when
9854 * all addresses are matched.
9860 * parse sadb_msg buffer to process PFKEYv2,
9861 * and create a data to response if needed.
9862 * I think to be dealed with mbuf directly.
9864 * msgp : pointer to pointer to a received buffer pulluped.
9865 * This is rewrited to response.
9866 * so : pointer to socket.
9868 * length for buffer to send to user process.
9875 struct sadb_msg
*msg
;
9876 struct sadb_msghdr mh
;
9880 Boolean keyAligned
= FALSE
;
9882 LCK_MTX_ASSERT(sadb_mutex
, LCK_MTX_ASSERT_NOTOWNED
);
9885 if (m
== NULL
|| so
== NULL
) {
9886 panic("key_parse: NULL pointer is passed.\n");
9889 #if 0 /*kdebug_sadb assumes msg in linear buffer*/
9890 KEYDEBUG(KEYDEBUG_KEY_DUMP
,
9891 ipseclog((LOG_DEBUG
, "key_parse: passed sadb_msg\n"));
9895 if (m
->m_len
< sizeof(struct sadb_msg
)) {
9896 m
= m_pullup(m
, sizeof(struct sadb_msg
));
9901 msg
= mtod(m
, struct sadb_msg
*);
9902 orglen
= PFKEY_UNUNIT64(msg
->sadb_msg_len
);
9903 target
= KEY_SENDUP_ONE
;
9905 if ((m
->m_flags
& M_PKTHDR
) == 0 ||
9906 m
->m_pkthdr
.len
!= orglen
) {
9907 ipseclog((LOG_DEBUG
, "key_parse: invalid message length.\n"));
9908 PFKEY_STAT_INCREMENT(pfkeystat
.out_invlen
);
9913 if (msg
->sadb_msg_version
!= PF_KEY_V2
) {
9914 ipseclog((LOG_DEBUG
,
9915 "key_parse: PF_KEY version %u is mismatched.\n",
9916 msg
->sadb_msg_version
));
9917 PFKEY_STAT_INCREMENT(pfkeystat
.out_invver
);
9922 if (msg
->sadb_msg_type
> SADB_MAX
) {
9923 ipseclog((LOG_DEBUG
, "key_parse: invalid type %u is passed.\n",
9924 msg
->sadb_msg_type
));
9925 PFKEY_STAT_INCREMENT(pfkeystat
.out_invmsgtype
);
9930 /* for old-fashioned code - should be nuked */
9931 if (m
->m_pkthdr
.len
> MCLBYTES
) {
9938 MGETHDR(n
, M_WAITOK
, MT_DATA
);
9939 if (n
&& m
->m_pkthdr
.len
> MHLEN
) {
9940 MCLGET(n
, M_WAITOK
);
9941 if ((n
->m_flags
& M_EXT
) == 0) {
9951 m_copydata(m
, 0, m
->m_pkthdr
.len
, mtod(n
, caddr_t
));
9952 n
->m_pkthdr
.len
= n
->m_len
= m
->m_pkthdr
.len
;
9959 /* align the mbuf chain so that extensions are in contiguous region. */
9960 error
= key_align(m
, &mh
);
9965 if (m
->m_next
) { /*XXX*/
9975 switch (msg
->sadb_msg_satype
) {
9976 case SADB_SATYPE_UNSPEC
:
9977 switch (msg
->sadb_msg_type
) {
9985 ipseclog((LOG_DEBUG
, "key_parse: must specify satype "
9986 "when msg type=%u.\n", msg
->sadb_msg_type
));
9987 PFKEY_STAT_INCREMENT(pfkeystat
.out_invsatype
);
9992 case SADB_SATYPE_AH
:
9993 case SADB_SATYPE_ESP
:
9994 switch (msg
->sadb_msg_type
) {
9996 case SADB_X_SPDDELETE
:
9998 case SADB_X_SPDDUMP
:
9999 case SADB_X_SPDFLUSH
:
10000 case SADB_X_SPDSETIDX
:
10001 case SADB_X_SPDUPDATE
:
10002 case SADB_X_SPDDELETE2
:
10003 case SADB_X_SPDENABLE
:
10004 case SADB_X_SPDDISABLE
:
10005 ipseclog((LOG_DEBUG
, "key_parse: illegal satype=%u\n",
10006 msg
->sadb_msg_type
));
10007 PFKEY_STAT_INCREMENT(pfkeystat
.out_invsatype
);
10012 case SADB_SATYPE_RSVP
:
10013 case SADB_SATYPE_OSPFV2
:
10014 case SADB_SATYPE_RIPV2
:
10015 case SADB_SATYPE_MIP
:
10016 ipseclog((LOG_DEBUG
, "key_parse: type %u isn't supported.\n",
10017 msg
->sadb_msg_satype
));
10018 PFKEY_STAT_INCREMENT(pfkeystat
.out_invsatype
);
10019 error
= EOPNOTSUPP
;
10021 case 1: /* XXX: What does it do? */
10022 if (msg
->sadb_msg_type
== SADB_X_PROMISC
) {
10027 ipseclog((LOG_DEBUG
, "key_parse: invalid type %u is passed.\n",
10028 msg
->sadb_msg_satype
));
10029 PFKEY_STAT_INCREMENT(pfkeystat
.out_invsatype
);
10034 /* Validate address fields for matching families, lengths, etc. */
10035 void *src0
= mh
.ext
[SADB_EXT_ADDRESS_SRC
];
10036 void *dst0
= mh
.ext
[SADB_EXT_ADDRESS_DST
];
10037 if (mh
.ext
[SADB_X_EXT_ADDR_RANGE_SRC_START
] != NULL
&&
10038 mh
.ext
[SADB_X_EXT_ADDR_RANGE_SRC_END
] != NULL
) {
10039 error
= key_validate_address_pair((struct sadb_address
*)(mh
.ext
[SADB_X_EXT_ADDR_RANGE_SRC_START
]),
10040 (struct sadb_address
*)(mh
.ext
[SADB_X_EXT_ADDR_RANGE_SRC_END
]));
10045 if (src0
== NULL
) {
10046 src0
= mh
.ext
[SADB_X_EXT_ADDR_RANGE_SRC_START
];
10049 if (mh
.ext
[SADB_X_EXT_ADDR_RANGE_DST_START
] != NULL
&&
10050 mh
.ext
[SADB_X_EXT_ADDR_RANGE_DST_END
] != NULL
) {
10051 error
= key_validate_address_pair((struct sadb_address
*)(mh
.ext
[SADB_X_EXT_ADDR_RANGE_DST_START
]),
10052 (struct sadb_address
*)(mh
.ext
[SADB_X_EXT_ADDR_RANGE_DST_END
]));
10057 if (dst0
== NULL
) {
10058 dst0
= mh
.ext
[SADB_X_EXT_ADDR_RANGE_DST_START
];
10061 if (src0
!= NULL
&& dst0
!= NULL
) {
10062 error
= key_validate_address_pair((struct sadb_address
*)(src0
),
10063 (struct sadb_address
*)(dst0
));
10069 if (msg
->sadb_msg_type
>= sizeof(key_typesw
) / sizeof(key_typesw
[0]) ||
10070 key_typesw
[msg
->sadb_msg_type
] == NULL
) {
10071 PFKEY_STAT_INCREMENT(pfkeystat
.out_invmsgtype
);
10076 error
= (*key_typesw
[msg
->sadb_msg_type
])(so
, m
, &mh
);
10086 msg
->sadb_msg_errno
= error
;
10087 return key_sendup_mbuf(so
, m
, target
);
10096 struct sadb_msg
*msg
;
10098 LCK_MTX_ASSERT(sadb_mutex
, LCK_MTX_ASSERT_NOTOWNED
);
10100 if (m
->m_len
< sizeof(struct sadb_msg
)) {
10101 panic("invalid mbuf passed to key_senderror");
10104 msg
= mtod(m
, struct sadb_msg
*);
10105 msg
->sadb_msg_errno
= code
;
10106 return key_sendup_mbuf(so
, m
, KEY_SENDUP_ONE
);
10110 * set the pointer to each header into message buffer.
10111 * m will be freed on error.
10112 * XXX larger-than-MCLBYTES extension?
10117 struct sadb_msghdr
*mhp
)
10120 struct sadb_ext
*ext
;
10126 if (m
== NULL
|| mhp
== NULL
) {
10127 panic("key_align: NULL pointer is passed.\n");
10129 if (m
->m_len
< sizeof(struct sadb_msg
)) {
10130 panic("invalid mbuf passed to key_align");
10134 bzero(mhp
, sizeof(*mhp
));
10136 mhp
->msg
= mtod(m
, struct sadb_msg
*);
10137 mhp
->ext
[0] = (struct sadb_ext
*)mhp
->msg
; /*XXX backward compat */
10139 end
= PFKEY_UNUNIT64(mhp
->msg
->sadb_msg_len
);
10140 extlen
= end
; /*just in case extlen is not updated*/
10141 for (off
= sizeof(struct sadb_msg
); off
< end
; off
+= extlen
) {
10142 n
= m_pulldown(m
, off
, sizeof(struct sadb_ext
), &toff
);
10144 /* m is already freed */
10147 ext
= (struct sadb_ext
*)(void *)(mtod(n
, caddr_t
) + toff
);
10150 switch (ext
->sadb_ext_type
) {
10152 case SADB_EXT_ADDRESS_SRC
:
10153 case SADB_EXT_ADDRESS_DST
:
10154 case SADB_EXT_ADDRESS_PROXY
:
10155 case SADB_EXT_LIFETIME_CURRENT
:
10156 case SADB_EXT_LIFETIME_HARD
:
10157 case SADB_EXT_LIFETIME_SOFT
:
10158 case SADB_EXT_KEY_AUTH
:
10159 case SADB_EXT_KEY_ENCRYPT
:
10160 case SADB_EXT_IDENTITY_SRC
:
10161 case SADB_EXT_IDENTITY_DST
:
10162 case SADB_EXT_SENSITIVITY
:
10163 case SADB_EXT_PROPOSAL
:
10164 case SADB_EXT_SUPPORTED_AUTH
:
10165 case SADB_EXT_SUPPORTED_ENCRYPT
:
10166 case SADB_EXT_SPIRANGE
:
10167 case SADB_X_EXT_POLICY
:
10168 case SADB_X_EXT_SA2
:
10169 case SADB_EXT_SESSION_ID
:
10170 case SADB_EXT_SASTAT
:
10171 case SADB_X_EXT_IPSECIF
:
10172 case SADB_X_EXT_ADDR_RANGE_SRC_START
:
10173 case SADB_X_EXT_ADDR_RANGE_SRC_END
:
10174 case SADB_X_EXT_ADDR_RANGE_DST_START
:
10175 case SADB_X_EXT_ADDR_RANGE_DST_END
:
10176 case SADB_EXT_MIGRATE_ADDRESS_SRC
:
10177 case SADB_EXT_MIGRATE_ADDRESS_DST
:
10178 case SADB_X_EXT_MIGRATE_IPSECIF
:
10179 /* duplicate check */
10181 * XXX Are there duplication payloads of either
10182 * KEY_AUTH or KEY_ENCRYPT ?
10184 if (mhp
->ext
[ext
->sadb_ext_type
] != NULL
) {
10185 ipseclog((LOG_DEBUG
,
10186 "key_align: duplicate ext_type %u "
10187 "is passed.\n", ext
->sadb_ext_type
));
10190 PFKEY_STAT_INCREMENT(pfkeystat
.out_dupext
);
10195 ipseclog((LOG_DEBUG
,
10196 "key_align: invalid ext_type %u is passed.\n",
10197 ext
->sadb_ext_type
));
10200 PFKEY_STAT_INCREMENT(pfkeystat
.out_invexttype
);
10204 extlen
= PFKEY_UNUNIT64(ext
->sadb_ext_len
);
10206 if (key_validate_ext(ext
, extlen
)) {
10209 PFKEY_STAT_INCREMENT(pfkeystat
.out_invlen
);
10213 n
= m_pulldown(m
, off
, extlen
, &toff
);
10215 /* m is already freed */
10218 ext
= (struct sadb_ext
*)(void *)(mtod(n
, caddr_t
) + toff
);
10220 mhp
->ext
[ext
->sadb_ext_type
] = ext
;
10221 mhp
->extoff
[ext
->sadb_ext_type
] = off
;
10222 mhp
->extlen
[ext
->sadb_ext_type
] = extlen
;
10228 PFKEY_STAT_INCREMENT(pfkeystat
.out_invlen
);
10237 const struct sadb_ext
*ext
,
10240 struct sockaddr
*sa
;
10241 enum { NONE
, ADDR
} checktype
= NONE
;
10243 const int sal
= offsetof(struct sockaddr
, sa_len
) + sizeof(sa
->sa_len
);
10245 if (len
!= PFKEY_UNUNIT64(ext
->sadb_ext_len
)) {
10249 /* if it does not match minimum/maximum length, bail */
10250 if (ext
->sadb_ext_type
>= sizeof(minsize
) / sizeof(minsize
[0]) ||
10251 ext
->sadb_ext_type
>= sizeof(maxsize
) / sizeof(maxsize
[0])) {
10254 if (!minsize
[ext
->sadb_ext_type
] || len
< minsize
[ext
->sadb_ext_type
]) {
10257 if (maxsize
[ext
->sadb_ext_type
] && len
> maxsize
[ext
->sadb_ext_type
]) {
10261 /* more checks based on sadb_ext_type XXX need more */
10262 switch (ext
->sadb_ext_type
) {
10263 case SADB_EXT_ADDRESS_SRC
:
10264 case SADB_EXT_ADDRESS_DST
:
10265 case SADB_EXT_ADDRESS_PROXY
:
10266 case SADB_X_EXT_ADDR_RANGE_SRC_START
:
10267 case SADB_X_EXT_ADDR_RANGE_SRC_END
:
10268 case SADB_X_EXT_ADDR_RANGE_DST_START
:
10269 case SADB_X_EXT_ADDR_RANGE_DST_END
:
10270 case SADB_EXT_MIGRATE_ADDRESS_SRC
:
10271 case SADB_EXT_MIGRATE_ADDRESS_DST
:
10272 baselen
= PFKEY_ALIGN8(sizeof(struct sadb_address
));
10275 case SADB_EXT_IDENTITY_SRC
:
10276 case SADB_EXT_IDENTITY_DST
:
10277 if (((struct sadb_ident
*)(uintptr_t)(size_t)ext
)->
10278 sadb_ident_type
== SADB_X_IDENTTYPE_ADDR
) {
10279 baselen
= PFKEY_ALIGN8(sizeof(struct sadb_ident
));
10290 switch (checktype
) {
10294 sa
= (struct sockaddr
*)((caddr_t
)(uintptr_t)ext
+ baselen
);
10296 if (len
< baselen
+ sal
) {
10299 if (baselen
+ PFKEY_ALIGN8(sa
->sa_len
) != len
) {
10305 /* check key bits length */
10306 if (ext
->sadb_ext_type
== SADB_EXT_KEY_AUTH
||
10307 ext
->sadb_ext_type
== SADB_EXT_KEY_ENCRYPT
) {
10308 struct sadb_key
*key
= (struct sadb_key
*)(uintptr_t)ext
;
10309 if (len
< (sizeof(struct sadb_key
) + _KEYLEN(key
))) {
10318 * XXX: maybe This function is called after INBOUND IPsec processing.
10320 * Special check for tunnel-mode packets.
10321 * We must make some checks for consistency between inner and outer IP header.
10323 * xxx more checks to be provided
10326 key_checktunnelsanity(
10327 struct secasvar
*sav
,
10328 __unused u_int family
,
10329 __unused caddr_t src
,
10330 __unused caddr_t dst
)
10333 if (sav
->sah
== NULL
) {
10334 panic("sav->sah == NULL at key_checktunnelsanity");
10337 /* XXX: check inner IP header */
10342 /* record data transfer on SA, and update timestamps */
10345 struct secasvar
*sav
,
10349 panic("key_sa_recordxfer called with sav == NULL");
10352 panic("key_sa_recordxfer called with m == NULL");
10358 lck_mtx_lock(sadb_mutex
);
10360 * XXX Currently, there is a difference of bytes size
10361 * between inbound and outbound processing.
10363 sav
->lft_c
->sadb_lifetime_bytes
+= m
->m_pkthdr
.len
;
10364 /* to check bytes lifetime is done in key_timehandler(). */
10367 * We use the number of packets as the unit of
10368 * sadb_lifetime_allocations. We increment the variable
10369 * whenever {esp,ah}_{in,out}put is called.
10371 sav
->lft_c
->sadb_lifetime_allocations
++;
10372 /* XXX check for expires? */
10375 * NOTE: We record CURRENT sadb_lifetime_usetime by using wall clock,
10376 * in seconds. HARD and SOFT lifetime are measured by the time
10377 * difference (again in seconds) from sadb_lifetime_usetime.
10381 * -----+-----+--------+---> t
10382 * <--------------> HARD
10388 sav
->lft_c
->sadb_lifetime_usetime
= tv
.tv_sec
;
10389 /* XXX check for expires? */
10391 lck_mtx_unlock(sadb_mutex
);
10398 key_sa_routechange(
10399 struct sockaddr
*dst
)
10401 struct secashead
*sah
;
10404 lck_mtx_lock(sadb_mutex
);
10405 LIST_FOREACH(sah
, &sahtree
, chain
) {
10406 ro
= (struct route
*)&sah
->sa_route
;
10407 if (ro
->ro_rt
&& dst
->sa_len
== ro
->ro_dst
.sa_len
10408 && bcmp(dst
, &ro
->ro_dst
, dst
->sa_len
) == 0) {
10412 lck_mtx_unlock(sadb_mutex
);
10419 struct secasvar
*sav
,
10423 panic("key_sa_chgstate called with sav == NULL");
10426 if (sav
->state
== state
) {
10430 LCK_MTX_ASSERT(sadb_mutex
, LCK_MTX_ASSERT_OWNED
);
10432 if (__LIST_CHAINED(sav
)) {
10433 LIST_REMOVE(sav
, chain
);
10436 sav
->state
= state
;
10437 LIST_INSERT_HEAD(&sav
->sah
->savtree
[state
], sav
, chain
);
10442 struct secasvar
*sav
)
10444 lck_mtx_lock(sadb_mutex
);
10446 panic("key_sa_stir_iv called with sav == NULL");
10448 key_randomfill(sav
->iv
, sav
->ivlen
);
10449 lck_mtx_unlock(sadb_mutex
);
10452 /* XXX too much? */
10453 static struct mbuf
*
10457 struct mbuf
*m
= NULL
, *n
;
10462 MGET(n
, M_DONTWAIT
, MT_DATA
);
10463 if (n
&& len
> MLEN
) {
10464 MCLGET(n
, M_DONTWAIT
);
10473 n
->m_len
= M_TRAILINGSPACE(n
);
10474 /* use the bottom of mbuf, hoping we can prepend afterwards */
10475 if (n
->m_len
> len
) {
10476 t
= (n
->m_len
- len
) & ~(sizeof(long) - 1);
10493 static struct mbuf
*
10494 key_setdumpsastats(u_int32_t dir
,
10495 struct sastat
*stats
,
10496 u_int32_t max_stats
,
10497 u_int64_t session_ids
[],
10501 struct mbuf
*result
= NULL
, *m
= NULL
;
10503 m
= key_setsadbmsg(SADB_GETSASTAT
, 0, 0, seq
, pid
, 0);
10509 m
= key_setsadbsession_id(session_ids
);
10515 m
= key_setsadbsastat(dir
,
10523 if ((result
->m_flags
& M_PKTHDR
) == 0) {
10527 if (result
->m_len
< sizeof(struct sadb_msg
)) {
10528 result
= m_pullup(result
, sizeof(struct sadb_msg
));
10529 if (result
== NULL
) {
10534 result
->m_pkthdr
.len
= 0;
10535 for (m
= result
; m
; m
= m
->m_next
) {
10536 result
->m_pkthdr
.len
+= m
->m_len
;
10539 mtod(result
, struct sadb_msg
*)->sadb_msg_len
=
10540 PFKEY_UNIT64(result
->m_pkthdr
.len
);
10552 * SADB_GETSASTAT processing
10553 * dump all stats for matching entries in SAD.
10555 * m will always be freed.
10559 key_getsastat(struct socket
*so
,
10561 const struct sadb_msghdr
*mhp
)
10563 struct sadb_session_id
*session_id
;
10564 u_int32_t bufsize
, arg_count
, res_count
;
10565 struct sadb_sastat
*sa_stats_arg
;
10566 struct sastat
*sa_stats_sav
= NULL
;
10571 if (so
== NULL
|| m
== NULL
|| mhp
== NULL
|| mhp
->msg
== NULL
) {
10572 panic("%s: NULL pointer is passed.\n", __FUNCTION__
);
10575 if (mhp
->ext
[SADB_EXT_SESSION_ID
] == NULL
) {
10576 printf("%s: invalid message is passed. missing session-id.\n", __FUNCTION__
);
10577 return key_senderror(so
, m
, EINVAL
);
10579 if (mhp
->extlen
[SADB_EXT_SESSION_ID
] < sizeof(struct sadb_session_id
)) {
10580 printf("%s: invalid message is passed. short session-id.\n", __FUNCTION__
);
10581 return key_senderror(so
, m
, EINVAL
);
10583 if (mhp
->ext
[SADB_EXT_SASTAT
] == NULL
) {
10584 printf("%s: invalid message is passed. missing stat args.\n", __FUNCTION__
);
10585 return key_senderror(so
, m
, EINVAL
);
10587 if (mhp
->extlen
[SADB_EXT_SASTAT
] < sizeof(*sa_stats_arg
)) {
10588 printf("%s: invalid message is passed. short stat args.\n", __FUNCTION__
);
10589 return key_senderror(so
, m
, EINVAL
);
10592 LCK_MTX_ASSERT(sadb_mutex
, LCK_MTX_ASSERT_NOTOWNED
);
10594 // exit early if there are no active SAs
10595 if (ipsec_sav_count
<= 0) {
10596 printf("%s: No active SAs.\n", __FUNCTION__
);
10600 bufsize
= (ipsec_sav_count
+ 1) * sizeof(*sa_stats_sav
);
10602 KMALLOC_WAIT(sa_stats_sav
, __typeof__(sa_stats_sav
), bufsize
);
10603 if (sa_stats_sav
== NULL
) {
10604 printf("%s: No more memory.\n", __FUNCTION__
);
10608 bzero(sa_stats_sav
, bufsize
);
10610 sa_stats_arg
= (__typeof__(sa_stats_arg
))
10611 (void *)mhp
->ext
[SADB_EXT_SASTAT
];
10612 arg_count
= sa_stats_arg
->sadb_sastat_list_len
;
10613 // exit early if there are no requested SAs
10614 if (arg_count
== 0) {
10615 printf("%s: No SAs requested.\n", __FUNCTION__
);
10621 if (key_getsastatbyspi((struct sastat
*)(sa_stats_arg
+ 1),
10626 printf("%s: Error finding SAs.\n", __FUNCTION__
);
10631 printf("%s: No SAs found.\n", __FUNCTION__
);
10636 session_id
= (__typeof__(session_id
))
10637 (void *)mhp
->ext
[SADB_EXT_SESSION_ID
];
10639 /* send this to the userland. */
10640 n
= key_setdumpsastats(sa_stats_arg
->sadb_sastat_dir
,
10643 session_id
->sadb_session_id_v
,
10644 mhp
->msg
->sadb_msg_seq
,
10645 mhp
->msg
->sadb_msg_pid
);
10647 printf("%s: No bufs to dump stats.\n", __FUNCTION__
);
10652 key_sendup_mbuf(so
, n
, KEY_SENDUP_ALL
);
10654 if (sa_stats_sav
) {
10655 KFREE(sa_stats_sav
);
10659 return key_senderror(so
, m
, error
);
10667 key_update_natt_keepalive_timestamp(struct secasvar
*sav_sent
,
10668 struct secasvar
*sav_update
)
10670 struct secasindex saidx_swap_sent_addr
;
10672 // exit early if two SAs are identical, or if sav_update is current
10673 if (sav_sent
== sav_update
||
10674 sav_update
->natt_last_activity
== natt_now
) {
10678 // assuming that (sav_update->remote_ike_port != 0 && (esp_udp_encap_port & 0xFFFF) != 0)
10680 bzero(&saidx_swap_sent_addr
, sizeof(saidx_swap_sent_addr
));
10681 memcpy(&saidx_swap_sent_addr
.src
, &sav_sent
->sah
->saidx
.dst
, sizeof(saidx_swap_sent_addr
.src
));
10682 memcpy(&saidx_swap_sent_addr
.dst
, &sav_sent
->sah
->saidx
.src
, sizeof(saidx_swap_sent_addr
.dst
));
10683 saidx_swap_sent_addr
.proto
= sav_sent
->sah
->saidx
.proto
;
10684 saidx_swap_sent_addr
.mode
= sav_sent
->sah
->saidx
.mode
;
10685 // we ignore reqid for split-tunnel setups
10687 if (key_cmpsaidx(&sav_sent
->sah
->saidx
, &sav_update
->sah
->saidx
, CMP_MODE
| CMP_PORT
) ||
10688 key_cmpsaidx(&saidx_swap_sent_addr
, &sav_update
->sah
->saidx
, CMP_MODE
| CMP_PORT
)) {
10689 sav_update
->natt_last_activity
= natt_now
;
10694 key_send_delsp(struct secpolicy
*sp
)
10696 struct mbuf
*result
= NULL
, *m
;
10702 /* set msg header */
10703 m
= key_setsadbmsg(SADB_X_SPDDELETE
, 0, 0, 0, 0, 0);
10709 /* set sadb_address(es) for source */
10710 if (sp
->spidx
.src_range
.start
.ss_len
> 0) {
10711 m
= key_setsadbaddr(SADB_X_EXT_ADDR_RANGE_SRC_START
,
10712 (struct sockaddr
*)&sp
->spidx
.src_range
.start
, sp
->spidx
.prefs
,
10713 sp
->spidx
.ul_proto
);
10719 m
= key_setsadbaddr(SADB_X_EXT_ADDR_RANGE_SRC_END
,
10720 (struct sockaddr
*)&sp
->spidx
.src_range
.end
, sp
->spidx
.prefs
,
10721 sp
->spidx
.ul_proto
);
10727 m
= key_setsadbaddr(SADB_EXT_ADDRESS_SRC
,
10728 (struct sockaddr
*)&sp
->spidx
.src
, sp
->spidx
.prefs
,
10729 sp
->spidx
.ul_proto
);
10736 /* set sadb_address(es) for destination */
10737 if (sp
->spidx
.dst_range
.start
.ss_len
> 0) {
10738 m
= key_setsadbaddr(SADB_X_EXT_ADDR_RANGE_DST_START
,
10739 (struct sockaddr
*)&sp
->spidx
.dst_range
.start
, sp
->spidx
.prefd
,
10740 sp
->spidx
.ul_proto
);
10746 m
= key_setsadbaddr(SADB_X_EXT_ADDR_RANGE_DST_END
,
10747 (struct sockaddr
*)&sp
->spidx
.dst_range
.end
, sp
->spidx
.prefd
,
10748 sp
->spidx
.ul_proto
);
10754 m
= key_setsadbaddr(SADB_EXT_ADDRESS_DST
,
10755 (struct sockaddr
*)&sp
->spidx
.dst
, sp
->spidx
.prefd
,
10756 sp
->spidx
.ul_proto
);
10763 /* set secpolicy */
10764 m
= key_sp2msg(sp
);
10770 if ((result
->m_flags
& M_PKTHDR
) == 0) {
10774 if (result
->m_len
< sizeof(struct sadb_msg
)) {
10775 result
= m_pullup(result
, sizeof(struct sadb_msg
));
10776 if (result
== NULL
) {
10781 result
->m_pkthdr
.len
= 0;
10782 for (m
= result
; m
; m
= m
->m_next
) {
10783 result
->m_pkthdr
.len
+= m
->m_len
;
10786 mtod(result
, struct sadb_msg
*)->sadb_msg_len
= PFKEY_UNIT64(result
->m_pkthdr
.len
);
10788 return key_sendup_mbuf(NULL
, result
, KEY_SENDUP_REGISTERED
);
10798 key_delsp_for_ipsec_if(ifnet_t ipsec_if
)
10800 struct secashead
*sah
;
10801 struct secasvar
*sav
, *nextsav
;
10804 struct secpolicy
*sp
, *nextsp
;
10807 if (ipsec_if
== NULL
) {
10811 LCK_MTX_ASSERT(sadb_mutex
, LCK_MTX_ASSERT_NOTOWNED
);
10813 lck_mtx_lock(sadb_mutex
);
10815 for (dir
= 0; dir
< IPSEC_DIR_MAX
; dir
++) {
10816 for (sp
= LIST_FIRST(&sptree
[dir
]);
10819 nextsp
= LIST_NEXT(sp
, chain
);
10821 if (sp
->ipsec_if
== ipsec_if
) {
10822 ifnet_release(sp
->ipsec_if
);
10823 sp
->ipsec_if
= NULL
;
10825 key_send_delsp(sp
);
10827 sp
->state
= IPSEC_SPSTATE_DEAD
;
10828 key_freesp(sp
, KEY_SADB_LOCKED
);
10833 LIST_FOREACH(sah
, &sahtree
, chain
) {
10834 if (sah
->ipsec_if
== ipsec_if
) {
10835 /* This SAH is linked to the IPsec interface. It now needs to close. */
10836 ifnet_release(sah
->ipsec_if
);
10837 sah
->ipsec_if
= NULL
;
10839 for (stateidx
= 0; stateidx
< _ARRAYLEN(saorder_state_alive
); stateidx
++) {
10840 state
= saorder_state_any
[stateidx
];
10841 for (sav
= LIST_FIRST(&sah
->savtree
[state
]); sav
!= NULL
; sav
= nextsav
) {
10842 nextsav
= LIST_NEXT(sav
, chain
);
10844 key_sa_chgstate(sav
, SADB_SASTATE_DEAD
);
10845 key_freesav(sav
, KEY_SADB_LOCKED
);
10849 sah
->state
= SADB_SASTATE_DEAD
;
10853 lck_mtx_unlock(sadb_mutex
);
10856 __private_extern__ u_int32_t
10857 key_fill_offload_frames_for_savs(ifnet_t ifp
,
10858 struct ifnet_keepalive_offload_frame
*frames_array
,
10859 u_int32_t frames_array_count
,
10860 size_t frame_data_offset
)
10862 struct secashead
*sah
= NULL
;
10863 struct secasvar
*sav
= NULL
;
10864 struct ifnet_keepalive_offload_frame
*frame
= frames_array
;
10865 u_int32_t frame_index
= 0;
10867 if (frame
== NULL
|| frames_array_count
== 0) {
10868 return frame_index
;
10871 lck_mtx_lock(sadb_mutex
);
10872 LIST_FOREACH(sah
, &sahtree
, chain
) {
10873 LIST_FOREACH(sav
, &sah
->savtree
[SADB_SASTATE_MATURE
], chain
) {
10874 if (ipsec_fill_offload_frame(ifp
, sav
, frame
, frame_data_offset
)) {
10876 if (frame_index
>= frames_array_count
) {
10877 lck_mtx_unlock(sadb_mutex
);
10878 return frame_index
;
10880 frame
= &(frames_array
[frame_index
]);
10884 lck_mtx_unlock(sadb_mutex
);
10886 return frame_index
;