FreeBSD/Linux Kernel Cross Reference
sys/net/pfkeyv2.c
1 /* $OpenBSD: pfkeyv2.c,v 1.255 2023/01/08 10:26:36 mvs Exp $ */
2
3 /*
4 * @(#)COPYRIGHT 1.1 (NRL) 17 January 1995
5 *
6 * NRL grants permission for redistribution and use in source and binary
7 * forms, with or without modification, of the software and documentation
8 * created at NRL provided that the following conditions are met:
9 *
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 * 3. All advertising materials mentioning features or use of this software
16 * must display the following acknowledgements:
17 * This product includes software developed by the University of
18 * California, Berkeley and its contributors.
19 * This product includes software developed at the Information
20 * Technology Division, US Naval Research Laboratory.
21 * 4. Neither the name of the NRL nor the names of its contributors
22 * may be used to endorse or promote products derived from this software
23 * without specific prior written permission.
24 *
25 * THE SOFTWARE PROVIDED BY NRL IS PROVIDED BY NRL AND CONTRIBUTORS ``AS
26 * IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
27 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
28 * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL NRL OR
29 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
30 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
31 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
32 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
33 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
34 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
35 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36 *
37 * The views and conclusions contained in the software and documentation
38 * are those of the authors and should not be interpreted as representing
39 * official policies, either expressed or implied, of the US Naval
40 * Research Laboratory (NRL).
41 */
42
43 /*
44 * Copyright (c) 1995, 1996, 1997, 1998, 1999 Craig Metz. All rights reserved.
45 *
46 * Redistribution and use in source and binary forms, with or without
47 * modification, are permitted provided that the following conditions
48 * are met:
49 * 1. Redistributions of source code must retain the above copyright
50 * notice, this list of conditions and the following disclaimer.
51 * 2. Redistributions in binary form must reproduce the above copyright
52 * notice, this list of conditions and the following disclaimer in the
53 * documentation and/or other materials provided with the distribution.
54 * 3. Neither the name of the author nor the names of any contributors
55 * may be used to endorse or promote products derived from this software
56 * without specific prior written permission.
57 *
58 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
59 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
60 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
61 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
62 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
63 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
64 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
65 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
66 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
67 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
68 * SUCH DAMAGE.
69 */
70
71 #include "pf.h"
72
73 #include <sys/param.h>
74 #include <sys/socket.h>
75 #include <sys/socketvar.h>
76 #include <sys/protosw.h>
77 #include <sys/domain.h>
78 #include <sys/systm.h>
79 #include <sys/mbuf.h>
80 #include <sys/kernel.h>
81 #include <sys/proc.h>
82 #include <sys/pool.h>
83 #include <sys/mutex.h>
84
85 #include <net/route.h>
86 #include <netinet/ip_ipsp.h>
87 #include <net/pfkeyv2.h>
88 #include <net/radix.h>
89 #include <netinet/ip_ah.h>
90 #include <netinet/ip_esp.h>
91 #include <netinet/ip_ipcomp.h>
92 #include <crypto/blf.h>
93
94 #if NPF > 0
95 #include <net/if.h>
96 #include <net/pfvar.h>
97 #endif
98
99 #define PFKEYSNDQ 8192
100 #define PFKEYRCVQ 8192
101
102 static const struct sadb_alg ealgs[] = {
103 { SADB_EALG_NULL, 0, 0, 0 },
104 { SADB_EALG_3DESCBC, 64, 192, 192 },
105 { SADB_X_EALG_BLF, 64, 40, BLF_MAXKEYLEN * 8},
106 { SADB_X_EALG_CAST, 64, 40, 128},
107 { SADB_X_EALG_AES, 128, 128, 256},
108 { SADB_X_EALG_AESCTR, 128, 128 + 32, 256 + 32}
109 };
110
111 static const struct sadb_alg aalgs[] = {
112 { SADB_AALG_SHA1HMAC, 0, 160, 160 },
113 { SADB_AALG_MD5HMAC, 0, 128, 128 },
114 { SADB_X_AALG_RIPEMD160HMAC, 0, 160, 160 },
115 { SADB_X_AALG_SHA2_256, 0, 256, 256 },
116 { SADB_X_AALG_SHA2_384, 0, 384, 384 },
117 { SADB_X_AALG_SHA2_512, 0, 512, 512 }
118 };
119
120 static const struct sadb_alg calgs[] = {
121 { SADB_X_CALG_DEFLATE, 0, 0, 0}
122 };
123
124 struct pool pkpcb_pool;
125 #define PFKEY_MSG_MAXSZ 4096
126 const struct sockaddr pfkey_addr = { 2, PF_KEY, };
127 const struct domain pfkeydomain;
128
129 /*
130 * pfkey PCB
131 *
132 * Locks used to protect struct members in this file:
133 * I immutable after creation
134 * a atomic operations
135 * l pkptable's lock
136 * s socket lock
137 */
138 struct pkpcb {
139 struct socket *kcb_socket; /* [I] associated socket */
140
141 SRPL_ENTRY(pkpcb) kcb_list; /* [l] */
142 struct refcnt kcb_refcnt; /* [a] */
143 int kcb_flags; /* [s] */
144 uint32_t kcb_reg; /* [s] Inc if SATYPE_MAX > 31 */
145 uint32_t kcb_pid; /* [I] */
146 unsigned int kcb_rdomain; /* [I] routing domain */
147 };
148 #define sotokeycb(so) ((struct pkpcb *)(so)->so_pcb)
149 #define keylock(kp) solock((kp)->kcb_socket)
150 #define keyunlock(kp) sounlock((kp)->kcb_socket)
151
152
153 struct dump_state {
154 struct sadb_msg *sadb_msg;
155 struct socket *socket;
156 };
157
158 struct pkptable {
159 SRPL_HEAD(, pkpcb) pkp_list;
160 struct srpl_rc pkp_rc;
161 struct rwlock pkp_lk;
162 };
163
164 struct pkptable pkptable;
165 struct mutex pfkeyv2_mtx = MUTEX_INITIALIZER(IPL_MPFLOOR);
166 static uint32_t pfkeyv2_seq = 1;
167 static int nregistered = 0;
168 static int npromisc = 0;
169
170 void pfkey_init(void);
171
172 int pfkeyv2_attach(struct socket *, int, int);
173 int pfkeyv2_detach(struct socket *);
174 int pfkeyv2_disconnect(struct socket *);
175 int pfkeyv2_shutdown(struct socket *);
176 int pfkeyv2_send(struct socket *, struct mbuf *, struct mbuf *,
177 struct mbuf *);
178 int pfkeyv2_sockaddr(struct socket *, struct mbuf *);
179 int pfkeyv2_peeraddr(struct socket *, struct mbuf *);
180 int pfkeyv2_output(struct mbuf *, struct socket *);
181 int pfkey_sendup(struct pkpcb *, struct mbuf *, int);
182 int pfkeyv2_sa_flush(struct tdb *, void *, int);
183 int pfkeyv2_policy_flush(struct ipsec_policy *, void *, unsigned int);
184 int pfkeyv2_sysctl_policydumper(struct ipsec_policy *, void *, unsigned int);
185
186 void keycb_ref(void *, void *);
187 void keycb_unref(void *, void *);
188
189 /*
190 * Wrapper around m_devget(); copy data from contiguous buffer to mbuf
191 * chain.
192 */
193 int
194 pfdatatopacket(void *data, int len, struct mbuf **packet)
195 {
196 if (!(*packet = m_devget(data, len, 0)))
197 return (ENOMEM);
198
199 /* Make sure, all data gets zeroized on free */
200 (*packet)->m_flags |= M_ZEROIZE;
201
202 return (0);
203 }
204
205 const struct pr_usrreqs pfkeyv2_usrreqs = {
206 .pru_attach = pfkeyv2_attach,
207 .pru_detach = pfkeyv2_detach,
208 .pru_disconnect = pfkeyv2_disconnect,
209 .pru_shutdown = pfkeyv2_shutdown,
210 .pru_send = pfkeyv2_send,
211 .pru_sockaddr = pfkeyv2_sockaddr,
212 .pru_peeraddr = pfkeyv2_peeraddr,
213 };
214
215 const struct protosw pfkeysw[] = {
216 {
217 .pr_type = SOCK_RAW,
218 .pr_domain = &pfkeydomain,
219 .pr_protocol = PF_KEY_V2,
220 .pr_flags = PR_ATOMIC | PR_ADDR,
221 .pr_usrreqs = &pfkeyv2_usrreqs,
222 .pr_sysctl = pfkeyv2_sysctl,
223 }
224 };
225
226 const struct domain pfkeydomain = {
227 .dom_family = PF_KEY,
228 .dom_name = "PF_KEY",
229 .dom_init = pfkey_init,
230 .dom_protosw = pfkeysw,
231 .dom_protoswNPROTOSW = &pfkeysw[nitems(pfkeysw)],
232 };
233
234 void
235 keycb_ref(void *null, void *v)
236 {
237 struct pkpcb *kp = v;
238
239 refcnt_take(&kp->kcb_refcnt);
240 }
241
242 void
243 keycb_unref(void *null, void *v)
244 {
245 struct pkpcb *kp = v;
246
247 refcnt_rele_wake(&kp->kcb_refcnt);
248 }
249
250 void
251 pfkey_init(void)
252 {
253 rn_init(sizeof(struct sockaddr_encap));
254 srpl_rc_init(&pkptable.pkp_rc, keycb_ref, keycb_unref, NULL);
255 rw_init(&pkptable.pkp_lk, "pfkey");
256 SRPL_INIT(&pkptable.pkp_list);
257 pool_init(&pkpcb_pool, sizeof(struct pkpcb), 0,
258 IPL_SOFTNET, PR_WAITOK, "pkpcb", NULL);
259 pool_init(&ipsec_policy_pool, sizeof(struct ipsec_policy), 0,
260 IPL_SOFTNET, 0, "ipsec policy", NULL);
261 pool_init(&ipsec_acquire_pool, sizeof(struct ipsec_acquire), 0,
262 IPL_SOFTNET, 0, "ipsec acquire", NULL);
263 }
264
265
266 /*
267 * Attach a new PF_KEYv2 socket.
268 */
269 int
270 pfkeyv2_attach(struct socket *so, int proto, int wait)
271 {
272 struct pkpcb *kp;
273 int error;
274
275 if ((so->so_state & SS_PRIV) == 0)
276 return EACCES;
277
278 error = soreserve(so, PFKEYSNDQ, PFKEYRCVQ);
279 if (error)
280 return (error);
281
282 kp = pool_get(&pkpcb_pool, (wait == M_WAIT ? PR_WAITOK : PR_NOWAIT) |
283 PR_ZERO);
284 if (kp == NULL)
285 return (ENOBUFS);
286 so->so_pcb = kp;
287 refcnt_init(&kp->kcb_refcnt);
288 kp->kcb_socket = so;
289 kp->kcb_pid = curproc->p_p->ps_pid;
290 kp->kcb_rdomain = rtable_l2(curproc->p_p->ps_rtableid);
291
292 so->so_options |= SO_USELOOPBACK;
293 soisconnected(so);
294
295 rw_enter(&pkptable.pkp_lk, RW_WRITE);
296 SRPL_INSERT_HEAD_LOCKED(&pkptable.pkp_rc, &pkptable.pkp_list, kp, kcb_list);
297 rw_exit(&pkptable.pkp_lk);
298
299 return (0);
300 }
301
302 /*
303 * Close a PF_KEYv2 socket.
304 */
305 int
306 pfkeyv2_detach(struct socket *so)
307 {
308 struct pkpcb *kp;
309
310 soassertlocked(so);
311
312 kp = sotokeycb(so);
313 if (kp == NULL)
314 return ENOTCONN;
315
316 if (kp->kcb_flags &
317 (PFKEYV2_SOCKETFLAGS_REGISTERED|PFKEYV2_SOCKETFLAGS_PROMISC)) {
318 mtx_enter(&pfkeyv2_mtx);
319 if (kp->kcb_flags & PFKEYV2_SOCKETFLAGS_REGISTERED)
320 nregistered--;
321
322 if (kp->kcb_flags & PFKEYV2_SOCKETFLAGS_PROMISC)
323 npromisc--;
324 mtx_leave(&pfkeyv2_mtx);
325 }
326
327 rw_enter(&pkptable.pkp_lk, RW_WRITE);
328 SRPL_REMOVE_LOCKED(&pkptable.pkp_rc, &pkptable.pkp_list, kp, pkpcb,
329 kcb_list);
330 rw_exit(&pkptable.pkp_lk);
331
332 sounlock(so);
333 /* wait for all references to drop */
334 refcnt_finalize(&kp->kcb_refcnt, "pfkeyrefs");
335 solock(so);
336
337 so->so_pcb = NULL;
338 KASSERT((so->so_state & SS_NOFDREF) == 0);
339 pool_put(&pkpcb_pool, kp);
340
341 return (0);
342 }
343
344 int
345 pfkeyv2_disconnect(struct socket *so)
346 {
347 soisdisconnected(so);
348 return (0);
349 }
350
351 int
352 pfkeyv2_shutdown(struct socket *so)
353 {
354 socantsendmore(so);
355 return (0);
356 }
357
358 int
359 pfkeyv2_send(struct socket *so, struct mbuf *m, struct mbuf *nam,
360 struct mbuf *control)
361 {
362 int error;
363
364 soassertlocked(so);
365
366 if (control && control->m_len) {
367 error = EOPNOTSUPP;
368 goto out;
369 }
370
371 if (nam) {
372 error = EISCONN;
373 goto out;
374 }
375
376 error = pfkeyv2_output(m, so);
377 m = NULL;
378
379 out:
380 m_freem(control);
381 m_freem(m);
382
383 return (error);
384 }
385
386 int
387 pfkeyv2_sockaddr(struct socket *so, struct mbuf *nam)
388 {
389 return (EINVAL);
390 }
391
392 int
393 pfkeyv2_peeraddr(struct socket *so, struct mbuf *nam)
394 {
395 /* minimal support, just implement a fake peer address */
396 bcopy(&pfkey_addr, mtod(nam, caddr_t), pfkey_addr.sa_len);
397 nam->m_len = pfkey_addr.sa_len;
398 return (0);
399 }
400
401 int
402 pfkeyv2_output(struct mbuf *mbuf, struct socket *so)
403 {
404 void *message;
405 int error = 0;
406
407 #ifdef DIAGNOSTIC
408 if (!mbuf || !(mbuf->m_flags & M_PKTHDR)) {
409 error = EINVAL;
410 goto ret;
411 }
412 #endif /* DIAGNOSTIC */
413
414 if (mbuf->m_pkthdr.len > PFKEY_MSG_MAXSZ) {
415 error = EMSGSIZE;
416 goto ret;
417 }
418
419 if (!(message = malloc((unsigned long) mbuf->m_pkthdr.len,
420 M_PFKEY, M_DONTWAIT))) {
421 error = ENOMEM;
422 goto ret;
423 }
424
425 m_copydata(mbuf, 0, mbuf->m_pkthdr.len, message);
426
427 /*
428 * The socket can't be closed concurrently because the file
429 * descriptor reference is still held.
430 */
431
432 sounlock(so);
433 error = pfkeyv2_dosend(so, message, mbuf->m_pkthdr.len);
434 solock(so);
435
436 ret:
437 m_freem(mbuf);
438 return (error);
439 }
440
441 int
442 pfkey_sendup(struct pkpcb *kp, struct mbuf *m0, int more)
443 {
444 struct socket *so = kp->kcb_socket;
445 struct mbuf *m;
446
447 soassertlocked(so);
448
449 if (more) {
450 if (!(m = m_dup_pkt(m0, 0, M_DONTWAIT)))
451 return (ENOMEM);
452 } else
453 m = m0;
454
455 if (!sbappendaddr(so, &so->so_rcv, &pfkey_addr, m, NULL)) {
456 m_freem(m);
457 return (ENOBUFS);
458 }
459
460 sorwakeup(so);
461 return (0);
462 }
463
464 /*
465 * Send a PFKEYv2 message, possibly to many receivers, based on the
466 * satype of the socket (which is set by the REGISTER message), and the
467 * third argument.
468 */
469 int
470 pfkeyv2_sendmessage(void **headers, int mode, struct socket *so,
471 u_int8_t satype, int count, u_int rdomain)
472 {
473 int i, j, rval;
474 void *p, *buffer = NULL;
475 struct mbuf *packet;
476 struct pkpcb *kp;
477 struct sadb_msg *smsg;
478 struct srp_ref sr;
479
480 /* Find out how much space we'll need... */
481 j = sizeof(struct sadb_msg);
482
483 for (i = 1; i <= SADB_EXT_MAX; i++)
484 if (headers[i])
485 j += ((struct sadb_ext *)headers[i])->sadb_ext_len *
486 sizeof(uint64_t);
487
488 /* ...and allocate it */
489 if (!(buffer = malloc(j + sizeof(struct sadb_msg), M_PFKEY,
490 M_NOWAIT))) {
491 rval = ENOMEM;
492 goto ret;
493 }
494
495 p = buffer + sizeof(struct sadb_msg);
496 bcopy(headers[0], p, sizeof(struct sadb_msg));
497 ((struct sadb_msg *) p)->sadb_msg_len = j / sizeof(uint64_t);
498 p += sizeof(struct sadb_msg);
499
500 /* Copy payloads in the packet */
501 for (i = 1; i <= SADB_EXT_MAX; i++)
502 if (headers[i]) {
503 ((struct sadb_ext *) headers[i])->sadb_ext_type = i;
504 bcopy(headers[i], p, EXTLEN(headers[i]));
505 p += EXTLEN(headers[i]);
506 }
507
508 if ((rval = pfdatatopacket(buffer + sizeof(struct sadb_msg),
509 j, &packet)) != 0)
510 goto ret;
511
512 switch (mode) {
513 case PFKEYV2_SENDMESSAGE_UNICAST:
514 /*
515 * Send message to the specified socket, plus all
516 * promiscuous listeners.
517 */
518 solock(so);
519 pfkey_sendup(sotokeycb(so), packet, 0);
520 sounlock(so);
521
522 /*
523 * Promiscuous messages contain the original message
524 * encapsulated in another sadb_msg header.
525 */
526 bzero(buffer, sizeof(struct sadb_msg));
527 smsg = (struct sadb_msg *) buffer;
528 smsg->sadb_msg_version = PF_KEY_V2;
529 smsg->sadb_msg_type = SADB_X_PROMISC;
530 smsg->sadb_msg_len = (sizeof(struct sadb_msg) + j) /
531 sizeof(uint64_t);
532 smsg->sadb_msg_seq = 0;
533
534 /* Copy to mbuf chain */
535 if ((rval = pfdatatopacket(buffer, sizeof(struct sadb_msg) + j,
536 &packet)) != 0)
537 goto ret;
538
539 /*
540 * Search for promiscuous listeners, skipping the
541 * original destination.
542 */
543 SRPL_FOREACH(kp, &sr, &pkptable.pkp_list, kcb_list) {
544 if (kp->kcb_socket == so || kp->kcb_rdomain != rdomain)
545 continue;
546
547 keylock(kp);
548 if (kp->kcb_flags & PFKEYV2_SOCKETFLAGS_PROMISC)
549 pfkey_sendup(kp, packet, 1);
550 keyunlock(kp);
551 }
552 SRPL_LEAVE(&sr);
553 m_freem(packet);
554 break;
555
556 case PFKEYV2_SENDMESSAGE_REGISTERED:
557 /*
558 * Send the message to all registered sockets that match
559 * the specified satype (e.g., all IPSEC-ESP negotiators)
560 */
561 SRPL_FOREACH(kp, &sr, &pkptable.pkp_list, kcb_list) {
562 if (kp->kcb_rdomain != rdomain)
563 continue;
564
565 keylock(kp);
566 if (kp->kcb_flags & PFKEYV2_SOCKETFLAGS_REGISTERED) {
567 if (!satype) {
568 /* Just send to everyone registered */
569 pfkey_sendup(kp, packet, 1);
570 } else {
571 /* Check for specified satype */
572 if ((1 << satype) & kp->kcb_reg)
573 pfkey_sendup(kp, packet, 1);
574 }
575 }
576 keyunlock(kp);
577 }
578 SRPL_LEAVE(&sr);
579 /* Free last/original copy of the packet */
580 m_freem(packet);
581
582 /* Encapsulate the original message "inside" an sadb_msg header */
583 bzero(buffer, sizeof(struct sadb_msg));
584 smsg = (struct sadb_msg *) buffer;
585 smsg->sadb_msg_version = PF_KEY_V2;
586 smsg->sadb_msg_type = SADB_X_PROMISC;
587 smsg->sadb_msg_len = (sizeof(struct sadb_msg) + j) /
588 sizeof(uint64_t);
589 smsg->sadb_msg_seq = 0;
590
591 /* Convert to mbuf chain */
592 if ((rval = pfdatatopacket(buffer, sizeof(struct sadb_msg) + j,
593 &packet)) != 0)
594 goto ret;
595
596 /* Send to all registered promiscuous listeners */
597 SRPL_FOREACH(kp, &sr, &pkptable.pkp_list, kcb_list) {
598 if (kp->kcb_rdomain != rdomain)
599 continue;
600
601 keylock(kp);
602 if ((kp->kcb_flags & PFKEYV2_SOCKETFLAGS_PROMISC) &&
603 !(kp->kcb_flags & PFKEYV2_SOCKETFLAGS_REGISTERED))
604 pfkey_sendup(kp, packet, 1);
605 keyunlock(kp);
606 }
607 SRPL_LEAVE(&sr);
608 m_freem(packet);
609 break;
610
611 case PFKEYV2_SENDMESSAGE_BROADCAST:
612 /* Send message to all sockets */
613 SRPL_FOREACH(kp, &sr, &pkptable.pkp_list, kcb_list) {
614 if (kp->kcb_rdomain != rdomain)
615 continue;
616
617 keylock(kp);
618 pfkey_sendup(kp, packet, 1);
619 keyunlock(kp);
620 }
621 SRPL_LEAVE(&sr);
622 m_freem(packet);
623 break;
624 }
625
626 ret:
627 if (buffer != NULL) {
628 explicit_bzero(buffer, j + sizeof(struct sadb_msg));
629 free(buffer, M_PFKEY, j + sizeof(struct sadb_msg));
630 }
631
632 return (rval);
633 }
634
635 /*
636 * Get SPD information for an ACQUIRE. We setup the message such that
637 * the SRC/DST payloads are relative to us (regardless of whether the
638 * SPD rule was for incoming or outgoing packets).
639 */
640 int
641 pfkeyv2_policy(struct ipsec_acquire *ipa, void **headers, void **buffer,
642 int *bufferlen)
643 {
644 union sockaddr_union sunion;
645 struct sadb_protocol *sp;
646 int rval, i, dir;
647 void *p;
648
649 /* Find out how big a buffer we need */
650 i = 4 * sizeof(struct sadb_address) + sizeof(struct sadb_protocol);
651 bzero(&sunion, sizeof(union sockaddr_union));
652
653 switch (ipa->ipa_info.sen_type) {
654 case SENT_IP4:
655 i += 4 * PADUP(sizeof(struct sockaddr_in));
656 sunion.sa.sa_family = AF_INET;
657 sunion.sa.sa_len = sizeof(struct sockaddr_in);
658 dir = ipa->ipa_info.sen_direction;
659 break;
660
661 #ifdef INET6
662 case SENT_IP6:
663 i += 4 * PADUP(sizeof(struct sockaddr_in6));
664 sunion.sa.sa_family = AF_INET6;
665 sunion.sa.sa_len = sizeof(struct sockaddr_in6);
666 dir = ipa->ipa_info.sen_ip6_direction;
667 break;
668 #endif /* INET6 */
669
670 default:
671 return (EINVAL);
672 }
673
674 if (!(p = malloc(i, M_PFKEY, M_NOWAIT | M_ZERO))) {
675 rval = ENOMEM;
676 goto ret;
677 } else {
678 *buffer = p;
679 *bufferlen = i;
680 }
681
682 if (dir == IPSP_DIRECTION_OUT)
683 headers[SADB_X_EXT_SRC_FLOW] = p;
684 else
685 headers[SADB_X_EXT_DST_FLOW] = p;
686 switch (sunion.sa.sa_family) {
687 case AF_INET:
688 sunion.sin.sin_addr = ipa->ipa_info.sen_ip_src;
689 sunion.sin.sin_port = ipa->ipa_info.sen_sport;
690 break;
691
692 #ifdef INET6
693 case AF_INET6:
694 sunion.sin6.sin6_addr = ipa->ipa_info.sen_ip6_src;
695 sunion.sin6.sin6_port = ipa->ipa_info.sen_ip6_sport;
696 break;
697 #endif /* INET6 */
698 }
699 export_address(&p, &sunion.sa);
700
701 if (dir == IPSP_DIRECTION_OUT)
702 headers[SADB_X_EXT_SRC_MASK] = p;
703 else
704 headers[SADB_X_EXT_DST_MASK] = p;
705 switch (sunion.sa.sa_family) {
706 case AF_INET:
707 sunion.sin.sin_addr = ipa->ipa_mask.sen_ip_src;
708 sunion.sin.sin_port = ipa->ipa_mask.sen_sport;
709 break;
710
711 #ifdef INET6
712 case AF_INET6:
713 sunion.sin6.sin6_addr = ipa->ipa_mask.sen_ip6_src;
714 sunion.sin6.sin6_port = ipa->ipa_mask.sen_ip6_sport;
715 break;
716 #endif /* INET6 */
717 }
718 export_address(&p, &sunion.sa);
719
720 if (dir == IPSP_DIRECTION_OUT)
721 headers[SADB_X_EXT_DST_FLOW] = p;
722 else
723 headers[SADB_X_EXT_SRC_FLOW] = p;
724 switch (sunion.sa.sa_family) {
725 case AF_INET:
726 sunion.sin.sin_addr = ipa->ipa_info.sen_ip_dst;
727 sunion.sin.sin_port = ipa->ipa_info.sen_dport;
728 break;
729
730 #ifdef INET6
731 case AF_INET6:
732 sunion.sin6.sin6_addr = ipa->ipa_info.sen_ip6_dst;
733 sunion.sin6.sin6_port = ipa->ipa_info.sen_ip6_dport;
734 break;
735 #endif /* INET6 */
736 }
737 export_address(&p, &sunion.sa);
738
739 if (dir == IPSP_DIRECTION_OUT)
740 headers[SADB_X_EXT_DST_MASK] = p;
741 else
742 headers[SADB_X_EXT_SRC_MASK] = p;
743 switch (sunion.sa.sa_family) {
744 case AF_INET:
745 sunion.sin.sin_addr = ipa->ipa_mask.sen_ip_dst;
746 sunion.sin.sin_port = ipa->ipa_mask.sen_dport;
747 break;
748
749 #ifdef INET6
750 case AF_INET6:
751 sunion.sin6.sin6_addr = ipa->ipa_mask.sen_ip6_dst;
752 sunion.sin6.sin6_port = ipa->ipa_mask.sen_ip6_dport;
753 break;
754 #endif /* INET6 */
755 }
756 export_address(&p, &sunion.sa);
757
758 headers[SADB_X_EXT_FLOW_TYPE] = p;
759 sp = p;
760 sp->sadb_protocol_len = sizeof(struct sadb_protocol) /
761 sizeof(u_int64_t);
762 switch (sunion.sa.sa_family) {
763 case AF_INET:
764 if (ipa->ipa_mask.sen_proto)
765 sp->sadb_protocol_proto = ipa->ipa_info.sen_proto;
766 sp->sadb_protocol_direction = ipa->ipa_info.sen_direction;
767 break;
768
769 #ifdef INET6
770 case AF_INET6:
771 if (ipa->ipa_mask.sen_ip6_proto)
772 sp->sadb_protocol_proto = ipa->ipa_info.sen_ip6_proto;
773 sp->sadb_protocol_direction = ipa->ipa_info.sen_ip6_direction;
774 break;
775 #endif /* INET6 */
776 }
777
778 rval = 0;
779
780 ret:
781 return (rval);
782 }
783
784 /*
785 * Get all the information contained in an SA to a PFKEYV2 message.
786 */
787 int
788 pfkeyv2_get(struct tdb *tdb, void **headers, void **buffer, int *lenp,
789 int *lenused)
790 {
791 int rval, i;
792 void *p;
793
794 NET_ASSERT_LOCKED();
795
796 /* Find how much space we need */
797 i = sizeof(struct sadb_sa) + sizeof(struct sadb_lifetime) +
798 sizeof(struct sadb_x_counter);
799
800 if (tdb->tdb_soft_allocations || tdb->tdb_soft_bytes ||
801 tdb->tdb_soft_timeout || tdb->tdb_soft_first_use)
802 i += sizeof(struct sadb_lifetime);
803
804 if (tdb->tdb_exp_allocations || tdb->tdb_exp_bytes ||
805 tdb->tdb_exp_timeout || tdb->tdb_exp_first_use)
806 i += sizeof(struct sadb_lifetime);
807
808 if (tdb->tdb_last_used)
809 i += sizeof(struct sadb_lifetime);
810
811 i += sizeof(struct sadb_address) + PADUP(tdb->tdb_src.sa.sa_len);
812 i += sizeof(struct sadb_address) + PADUP(tdb->tdb_dst.sa.sa_len);
813
814 if (tdb->tdb_ids) {
815 i += sizeof(struct sadb_ident) + PADUP(tdb->tdb_ids->id_local->len);
816 i += sizeof(struct sadb_ident) + PADUP(tdb->tdb_ids->id_remote->len);
817 }
818
819 if (tdb->tdb_amxkey)
820 i += sizeof(struct sadb_key) + PADUP(tdb->tdb_amxkeylen);
821
822 if (tdb->tdb_emxkey)
823 i += sizeof(struct sadb_key) + PADUP(tdb->tdb_emxkeylen);
824
825 if (tdb->tdb_filter.sen_type) {
826 i += 2 * sizeof(struct sadb_protocol);
827
828 /* We'll need four of them: src, src mask, dst, dst mask. */
829 switch (tdb->tdb_filter.sen_type) {
830 case SENT_IP4:
831 i += 4 * PADUP(sizeof(struct sockaddr_in));
832 i += 4 * sizeof(struct sadb_address);
833 break;
834 #ifdef INET6
835 case SENT_IP6:
836 i += 4 * PADUP(sizeof(struct sockaddr_in6));
837 i += 4 * sizeof(struct sadb_address);
838 break;
839 #endif /* INET6 */
840 default:
841 rval = EINVAL;
842 goto ret;
843 }
844 }
845
846 if (tdb->tdb_onext) {
847 i += sizeof(struct sadb_sa);
848 i += sizeof(struct sadb_address) +
849 PADUP(tdb->tdb_onext->tdb_dst.sa.sa_len);
850 i += sizeof(struct sadb_protocol);
851 }
852
853 if (tdb->tdb_udpencap_port)
854 i += sizeof(struct sadb_x_udpencap);
855
856 i += sizeof(struct sadb_x_replay);
857
858 if (tdb->tdb_mtu > 0)
859 i+= sizeof(struct sadb_x_mtu);
860
861 if (tdb->tdb_rdomain != tdb->tdb_rdomain_post)
862 i += sizeof(struct sadb_x_rdomain);
863
864 #if NPF > 0
865 if (tdb->tdb_tag)
866 i += sizeof(struct sadb_x_tag) + PADUP(PF_TAG_NAME_SIZE);
867 if (tdb->tdb_tap)
868 i += sizeof(struct sadb_x_tap);
869 #endif
870
871 if (lenp)
872 *lenp = i;
873
874 if (buffer == NULL) {
875 rval = 0;
876 goto ret;
877 }
878
879 if (!(p = malloc(i, M_PFKEY, M_NOWAIT | M_ZERO))) {
880 rval = ENOMEM;
881 goto ret;
882 } else
883 *buffer = p;
884
885 headers[SADB_EXT_SA] = p;
886
887 export_sa(&p, tdb); /* Export SA information (mostly flags) */
888
889 /* Export lifetimes where applicable */
890 headers[SADB_EXT_LIFETIME_CURRENT] = p;
891 export_lifetime(&p, tdb, PFKEYV2_LIFETIME_CURRENT);
892
893 if (tdb->tdb_soft_allocations || tdb->tdb_soft_bytes ||
894 tdb->tdb_soft_first_use || tdb->tdb_soft_timeout) {
895 headers[SADB_EXT_LIFETIME_SOFT] = p;
896 export_lifetime(&p, tdb, PFKEYV2_LIFETIME_SOFT);
897 }
898
899 if (tdb->tdb_exp_allocations || tdb->tdb_exp_bytes ||
900 tdb->tdb_exp_first_use || tdb->tdb_exp_timeout) {
901 headers[SADB_EXT_LIFETIME_HARD] = p;
902 export_lifetime(&p, tdb, PFKEYV2_LIFETIME_HARD);
903 }
904
905 if (tdb->tdb_last_used) {
906 headers[SADB_X_EXT_LIFETIME_LASTUSE] = p;
907 export_lifetime(&p, tdb, PFKEYV2_LIFETIME_LASTUSE);
908 }
909
910 /* Export TDB source address */
911 headers[SADB_EXT_ADDRESS_SRC] = p;
912 export_address(&p, &tdb->tdb_src.sa);
913
914 /* Export TDB destination address */
915 headers[SADB_EXT_ADDRESS_DST] = p;
916 export_address(&p, &tdb->tdb_dst.sa);
917
918 /* Export source/destination identities, if present */
919 if (tdb->tdb_ids)
920 export_identities(&p, tdb->tdb_ids, tdb->tdb_ids_swapped, headers);
921
922 /* Export authentication key, if present */
923 if (tdb->tdb_amxkey) {
924 headers[SADB_EXT_KEY_AUTH] = p;
925 export_key(&p, tdb, PFKEYV2_AUTHENTICATION_KEY);
926 }
927
928 /* Export encryption key, if present */
929 if (tdb->tdb_emxkey) {
930 headers[SADB_EXT_KEY_ENCRYPT] = p;
931 export_key(&p, tdb, PFKEYV2_ENCRYPTION_KEY);
932 }
933
934 /* Export flow/filter, if present */
935 if (tdb->tdb_filter.sen_type)
936 export_flow(&p, IPSP_IPSEC_USE, &tdb->tdb_filter,
937 &tdb->tdb_filtermask, headers);
938
939 if (tdb->tdb_onext) {
940 headers[SADB_X_EXT_SA2] = p;
941 export_sa(&p, tdb->tdb_onext);
942 headers[SADB_X_EXT_DST2] = p;
943 export_address(&p, &tdb->tdb_onext->tdb_dst.sa);
944 headers[SADB_X_EXT_SATYPE2] = p;
945 export_satype(&p, tdb->tdb_onext);
946 }
947
948 /* Export UDP encapsulation port, if present */
949 if (tdb->tdb_udpencap_port) {
950 headers[SADB_X_EXT_UDPENCAP] = p;
951 export_udpencap(&p, tdb);
952 }
953
954 headers[SADB_X_EXT_REPLAY] = p;
955 export_replay(&p, tdb);
956
957 if (tdb->tdb_mtu > 0) {
958 headers[SADB_X_EXT_MTU] = p;
959 export_mtu(&p, tdb);
960 }
961
962 /* Export rdomain switch, if present */
963 if (tdb->tdb_rdomain != tdb->tdb_rdomain_post) {
964 headers[SADB_X_EXT_RDOMAIN] = p;
965 export_rdomain(&p, tdb);
966 }
967
968 #if NPF > 0
969 /* Export tag information, if present */
970 if (tdb->tdb_tag) {
971 headers[SADB_X_EXT_TAG] = p;
972 export_tag(&p, tdb);
973 }
974
975 /* Export tap enc(4) device information, if present */
976 if (tdb->tdb_tap) {
977 headers[SADB_X_EXT_TAP] = p;
978 export_tap(&p, tdb);
979 }
980 #endif
981
982 headers[SADB_X_EXT_COUNTER] = p;
983 export_counter(&p, tdb);
984
985 if (lenused)
986 *lenused = p - *buffer;
987 rval = 0;
988
989 ret:
990 return (rval);
991 }
992
993 /*
994 * Dump a TDB.
995 */
996 int
997 pfkeyv2_dump_walker(struct tdb *tdb, void *state, int last)
998 {
999 struct dump_state *dump_state = (struct dump_state *) state;
1000 void *headers[SADB_EXT_MAX+1], *buffer;
1001 int buflen;
1002 int rval;
1003
1004 /* If not satype was specified, dump all TDBs */
1005 if (!dump_state->sadb_msg->sadb_msg_satype ||
1006 (tdb->tdb_satype == dump_state->sadb_msg->sadb_msg_satype)) {
1007 bzero(headers, sizeof(headers));
1008 headers[0] = (void *) dump_state->sadb_msg;
1009
1010 /* Get the information from the TDB to a PFKEYv2 message */
1011 if ((rval = pfkeyv2_get(tdb, headers, &buffer, &buflen, NULL)) != 0)
1012 return (rval);
1013
1014 if (last)
1015 ((struct sadb_msg *)headers[0])->sadb_msg_seq = 0;
1016
1017 /* Send the message to the specified socket */
1018 rval = pfkeyv2_sendmessage(headers,
1019 PFKEYV2_SENDMESSAGE_UNICAST, dump_state->socket, 0, 0,
1020 tdb->tdb_rdomain);
1021
1022 explicit_bzero(buffer, buflen);
1023 free(buffer, M_PFKEY, buflen);
1024 if (rval)
1025 return (rval);
1026 }
1027
1028 return (0);
1029 }
1030
1031 /*
1032 * Delete an SA.
1033 */
1034 int
1035 pfkeyv2_sa_flush(struct tdb *tdb, void *satype_vp, int last)
1036 {
1037 if (!(*((u_int8_t *) satype_vp)) ||
1038 tdb->tdb_satype == *((u_int8_t *) satype_vp))
1039 tdb_delete(tdb);
1040 return (0);
1041 }
1042
1043 /*
1044 * Convert between SATYPEs and IPsec protocols, taking into consideration
1045 * sysctl variables enabling/disabling ESP/AH and the presence of the old
1046 * IPsec transforms.
1047 */
1048 int
1049 pfkeyv2_get_proto_alg(u_int8_t satype, u_int8_t *sproto, int *alg)
1050 {
1051 switch (satype) {
1052 #ifdef IPSEC
1053 case SADB_SATYPE_AH:
1054 if (!ah_enable)
1055 return (EOPNOTSUPP);
1056
1057 *sproto = IPPROTO_AH;
1058
1059 if(alg != NULL)
1060 *alg = satype = XF_AH;
1061
1062 break;
1063
1064 case SADB_SATYPE_ESP:
1065 if (!esp_enable)
1066 return (EOPNOTSUPP);
1067
1068 *sproto = IPPROTO_ESP;
1069
1070 if(alg != NULL)
1071 *alg = satype = XF_ESP;
1072
1073 break;
1074
1075 case SADB_X_SATYPE_IPIP:
1076 *sproto = IPPROTO_IPIP;
1077
1078 if (alg != NULL)
1079 *alg = XF_IP4;
1080
1081 break;
1082
1083 case SADB_X_SATYPE_IPCOMP:
1084 if (!ipcomp_enable)
1085 return (EOPNOTSUPP);
1086
1087 *sproto = IPPROTO_IPCOMP;
1088
1089 if(alg != NULL)
1090 *alg = satype = XF_IPCOMP;
1091
1092 break;
1093 #endif /* IPSEC */
1094 #ifdef TCP_SIGNATURE
1095 case SADB_X_SATYPE_TCPSIGNATURE:
1096 *sproto = IPPROTO_TCP;
1097
1098 if (alg != NULL)
1099 *alg = XF_TCPSIGNATURE;
1100
1101 break;
1102 #endif /* TCP_SIGNATURE */
1103
1104 default: /* Nothing else supported */
1105 return (EOPNOTSUPP);
1106 }
1107
1108 return (0);
1109 }
1110
1111 /*
1112 * Handle all messages from userland to kernel.
1113 */
1114 int
1115 pfkeyv2_dosend(struct socket *so, void *message, int len)
1116 {
1117 int i, j, rval = 0, mode = PFKEYV2_SENDMESSAGE_BROADCAST;
1118 int delflag = 0;
1119 struct sockaddr_encap encapdst, encapnetmask;
1120 struct ipsec_policy *ipo;
1121 struct ipsec_acquire *ipa;
1122 struct radix_node_head *rnh;
1123 struct radix_node *rn = NULL;
1124 struct pkpcb *kp, *bkp;
1125 void *freeme = NULL, *freeme2 = NULL, *freeme3 = NULL;
1126 int freeme_sz = 0, freeme2_sz = 0, freeme3_sz = 0;
1127 void *bckptr = NULL;
1128 void *headers[SADB_EXT_MAX + 1];
1129 union sockaddr_union *sunionp;
1130 struct tdb *sa1 = NULL, *sa2 = NULL;
1131 struct sadb_msg *smsg;
1132 struct sadb_spirange *sprng;
1133 struct sadb_sa *ssa;
1134 struct sadb_supported *ssup;
1135 struct sadb_ident *sid, *did;
1136 struct srp_ref sr;
1137 struct sadb_x_rdomain *srdomain;
1138 u_int rdomain = 0;
1139 int promisc;
1140
1141 mtx_enter(&pfkeyv2_mtx);
1142 promisc = npromisc;
1143 mtx_leave(&pfkeyv2_mtx);
1144
1145 /* Verify that we received this over a legitimate pfkeyv2 socket */
1146 bzero(headers, sizeof(headers));
1147
1148 kp = sotokeycb(so);
1149 if (!kp) {
1150 rval = EINVAL;
1151 goto ret;
1152 }
1153
1154 rdomain = kp->kcb_rdomain;
1155
1156 /* If we have any promiscuous listeners, send them a copy of the message */
1157 if (promisc) {
1158 struct mbuf *packet;
1159
1160 freeme_sz = sizeof(struct sadb_msg) + len;
1161 if (!(freeme = malloc(freeme_sz, M_PFKEY, M_NOWAIT))) {
1162 rval = ENOMEM;
1163 goto ret;
1164 }
1165
1166 /* Initialize encapsulating header */
1167 bzero(freeme, sizeof(struct sadb_msg));
1168 smsg = (struct sadb_msg *) freeme;
1169 smsg->sadb_msg_version = PF_KEY_V2;
1170 smsg->sadb_msg_type = SADB_X_PROMISC;
1171 smsg->sadb_msg_len = (sizeof(struct sadb_msg) + len) /
1172 sizeof(uint64_t);
1173 smsg->sadb_msg_seq = curproc->p_p->ps_pid;
1174
1175 bcopy(message, freeme + sizeof(struct sadb_msg), len);
1176
1177 /* Convert to mbuf chain */
1178 if ((rval = pfdatatopacket(freeme, freeme_sz, &packet)) != 0)
1179 goto ret;
1180
1181 /* Send to all promiscuous listeners */
1182 SRPL_FOREACH(bkp, &sr, &pkptable.pkp_list, kcb_list) {
1183 if (bkp->kcb_rdomain != kp->kcb_rdomain)
1184 continue;
1185
1186 keylock(bkp);
1187 if (bkp->kcb_flags & PFKEYV2_SOCKETFLAGS_PROMISC)
1188 pfkey_sendup(bkp, packet, 1);
1189 keyunlock(bkp);
1190 }
1191 SRPL_LEAVE(&sr);
1192
1193 m_freem(packet);
1194
1195 /* Paranoid */
1196 explicit_bzero(freeme, freeme_sz);
1197 free(freeme, M_PFKEY, freeme_sz);
1198 freeme = NULL;
1199 freeme_sz = 0;
1200 }
1201
1202 /* Validate message format */
1203 if ((rval = pfkeyv2_parsemessage(message, len, headers)) != 0)
1204 goto ret;
1205
1206 /* use specified rdomain */
1207 srdomain = (struct sadb_x_rdomain *) headers[SADB_X_EXT_RDOMAIN];
1208 if (srdomain) {
1209 if (!rtable_exists(srdomain->sadb_x_rdomain_dom1) ||
1210 !rtable_exists(srdomain->sadb_x_rdomain_dom2)) {
1211 rval = EINVAL;
1212 goto ret;
1213 }
1214 rdomain = srdomain->sadb_x_rdomain_dom1;
1215 }
1216
1217 smsg = (struct sadb_msg *) headers[0];
1218 switch (smsg->sadb_msg_type) {
1219 case SADB_GETSPI: /* Reserve an SPI */
1220 sa1 = malloc(sizeof (*sa1), M_PFKEY, M_NOWAIT | M_ZERO);
1221 if (sa1 == NULL) {
1222 rval = ENOMEM;
1223 goto ret;
1224 }
1225
1226 sa1->tdb_satype = smsg->sadb_msg_satype;
1227 if ((rval = pfkeyv2_get_proto_alg(sa1->tdb_satype,
1228 &sa1->tdb_sproto, 0)))
1229 goto ret;
1230
1231 import_address(&sa1->tdb_src.sa, headers[SADB_EXT_ADDRESS_SRC]);
1232 import_address(&sa1->tdb_dst.sa, headers[SADB_EXT_ADDRESS_DST]);
1233
1234 /* Find an unused SA identifier */
1235 sprng = (struct sadb_spirange *) headers[SADB_EXT_SPIRANGE];
1236 NET_LOCK();
1237 sa1->tdb_spi = reserve_spi(rdomain,
1238 sprng->sadb_spirange_min, sprng->sadb_spirange_max,
1239 &sa1->tdb_src, &sa1->tdb_dst, sa1->tdb_sproto, &rval);
1240 if (sa1->tdb_spi == 0) {
1241 NET_UNLOCK();
1242 goto ret;
1243 }
1244
1245 /* Send a message back telling what the SA (the SPI really) is */
1246 freeme_sz = sizeof(struct sadb_sa);
1247 if (!(freeme = malloc(freeme_sz, M_PFKEY, M_NOWAIT | M_ZERO))) {
1248 rval = ENOMEM;
1249 NET_UNLOCK();
1250 goto ret;
1251 }
1252
1253 headers[SADB_EXT_SPIRANGE] = NULL;
1254 headers[SADB_EXT_SA] = freeme;
1255 bckptr = freeme;
1256
1257 /* We really only care about the SPI, but we'll export the SA */
1258 export_sa((void **) &bckptr, sa1);
1259 NET_UNLOCK();
1260 break;
1261
1262 case SADB_UPDATE:
1263 ssa = (struct sadb_sa *) headers[SADB_EXT_SA];
1264 sunionp = (union sockaddr_union *) (headers[SADB_EXT_ADDRESS_DST] +
1265 sizeof(struct sadb_address));
1266
1267 /* Either all or none of the flow must be included */
1268 if ((headers[SADB_X_EXT_SRC_FLOW] ||
1269 headers[SADB_X_EXT_PROTOCOL] ||
1270 headers[SADB_X_EXT_FLOW_TYPE] ||
1271 headers[SADB_X_EXT_DST_FLOW] ||
1272 headers[SADB_X_EXT_SRC_MASK] ||
1273 headers[SADB_X_EXT_DST_MASK]) &&
1274 !(headers[SADB_X_EXT_SRC_FLOW] &&
1275 headers[SADB_X_EXT_PROTOCOL] &&
1276 headers[SADB_X_EXT_FLOW_TYPE] &&
1277 headers[SADB_X_EXT_DST_FLOW] &&
1278 headers[SADB_X_EXT_SRC_MASK] &&
1279 headers[SADB_X_EXT_DST_MASK])) {
1280 rval = EINVAL;
1281 goto ret;
1282 }
1283 #ifdef IPSEC
1284 /* UDP encap has to be enabled and is only supported for ESP */
1285 if (headers[SADB_X_EXT_UDPENCAP] &&
1286 (!udpencap_enable ||
1287 smsg->sadb_msg_satype != SADB_SATYPE_ESP)) {
1288 rval = EINVAL;
1289 goto ret;
1290 }
1291 #endif /* IPSEC */
1292
1293 /* Find TDB */
1294 NET_LOCK();
1295 sa2 = gettdb(rdomain, ssa->sadb_sa_spi, sunionp,
1296 SADB_X_GETSPROTO(smsg->sadb_msg_satype));
1297
1298 /* If there's no such SA, we're done */
1299 if (sa2 == NULL) {
1300 rval = ESRCH;
1301 NET_UNLOCK();
1302 goto ret;
1303 }
1304
1305 /* If this is a reserved SA */
1306 if (sa2->tdb_flags & TDBF_INVALID) {
1307 struct tdb *newsa;
1308 struct ipsecinit ii;
1309 int alg;
1310
1311 /* Create new TDB */
1312 newsa = tdb_alloc(rdomain);
1313 newsa->tdb_satype = smsg->sadb_msg_satype;
1314
1315 if ((rval = pfkeyv2_get_proto_alg(newsa->tdb_satype,
1316 &newsa->tdb_sproto, &alg))) {
1317 tdb_unref(newsa);
1318 NET_UNLOCK();
1319 goto ret;
1320 }
1321
1322 /* Initialize SA */
1323 bzero(&ii, sizeof(struct ipsecinit));
1324 import_sa(newsa, headers[SADB_EXT_SA], &ii);
1325 import_address(&newsa->tdb_src.sa,
1326 headers[SADB_EXT_ADDRESS_SRC]);
1327 import_address(&newsa->tdb_dst.sa,
1328 headers[SADB_EXT_ADDRESS_DST]);
1329 import_lifetime(newsa,
1330 headers[SADB_EXT_LIFETIME_CURRENT],
1331 PFKEYV2_LIFETIME_CURRENT);
1332 import_lifetime(newsa, headers[SADB_EXT_LIFETIME_SOFT],
1333 PFKEYV2_LIFETIME_SOFT);
1334 import_lifetime(newsa, headers[SADB_EXT_LIFETIME_HARD],
1335 PFKEYV2_LIFETIME_HARD);
1336 import_key(&ii, headers[SADB_EXT_KEY_AUTH],
1337 PFKEYV2_AUTHENTICATION_KEY);
1338 import_key(&ii, headers[SADB_EXT_KEY_ENCRYPT],
1339 PFKEYV2_ENCRYPTION_KEY);
1340 newsa->tdb_ids_swapped = 1; /* only on TDB_UPDATE */
1341 import_identities(&newsa->tdb_ids,
1342 newsa->tdb_ids_swapped,
1343 headers[SADB_EXT_IDENTITY_SRC],
1344 headers[SADB_EXT_IDENTITY_DST]);
1345 if ((rval = import_flow(&newsa->tdb_filter,
1346 &newsa->tdb_filtermask,
1347 headers[SADB_X_EXT_SRC_FLOW],
1348 headers[SADB_X_EXT_SRC_MASK],
1349 headers[SADB_X_EXT_DST_FLOW],
1350 headers[SADB_X_EXT_DST_MASK],
1351 headers[SADB_X_EXT_PROTOCOL],
1352 headers[SADB_X_EXT_FLOW_TYPE]))) {
1353 tdb_unref(newsa);
1354 NET_UNLOCK();
1355 goto ret;
1356 }
1357 import_udpencap(newsa, headers[SADB_X_EXT_UDPENCAP]);
1358 import_rdomain(newsa, headers[SADB_X_EXT_RDOMAIN]);
1359 #if NPF > 0
1360 import_tag(newsa, headers[SADB_X_EXT_TAG]);
1361 import_tap(newsa, headers[SADB_X_EXT_TAP]);
1362 #endif
1363
1364 /* Exclude sensitive data from reply message. */
1365 headers[SADB_EXT_KEY_AUTH] = NULL;
1366 headers[SADB_EXT_KEY_ENCRYPT] = NULL;
1367 headers[SADB_X_EXT_LOCAL_AUTH] = NULL;
1368 headers[SADB_X_EXT_REMOTE_AUTH] = NULL;
1369
1370 newsa->tdb_seq = smsg->sadb_msg_seq;
1371
1372 rval = tdb_init(newsa, alg, &ii);
1373 if (rval) {
1374 rval = EINVAL;
1375 tdb_unref(newsa);
1376 NET_UNLOCK();
1377 goto ret;
1378 }
1379
1380 newsa->tdb_cur_allocations = sa2->tdb_cur_allocations;
1381
1382 /* Delete old version of the SA, insert new one */
1383 tdb_delete(sa2);
1384 puttdb(newsa);
1385 } else {
1386 /*
1387 * The SA is already initialized, so we're only allowed to
1388 * change lifetimes and some other information; we're
1389 * not allowed to change keys, addresses or identities.
1390 */
1391 if (headers[SADB_EXT_KEY_AUTH] ||
1392 headers[SADB_EXT_KEY_ENCRYPT] ||
1393 headers[SADB_EXT_IDENTITY_SRC] ||
1394 headers[SADB_EXT_IDENTITY_DST] ||
1395 headers[SADB_EXT_SENSITIVITY]) {
1396 rval = EINVAL;
1397 NET_UNLOCK();
1398 goto ret;
1399 }
1400
1401 import_sa(sa2, headers[SADB_EXT_SA], NULL);
1402 import_lifetime(sa2,
1403 headers[SADB_EXT_LIFETIME_CURRENT],
1404 PFKEYV2_LIFETIME_CURRENT);
1405 import_lifetime(sa2, headers[SADB_EXT_LIFETIME_SOFT],
1406 PFKEYV2_LIFETIME_SOFT);
1407 import_lifetime(sa2, headers[SADB_EXT_LIFETIME_HARD],
1408 PFKEYV2_LIFETIME_HARD);
1409 import_udpencap(sa2, headers[SADB_X_EXT_UDPENCAP]);
1410 #if NPF > 0
1411 import_tag(sa2, headers[SADB_X_EXT_TAG]);
1412 import_tap(sa2, headers[SADB_X_EXT_TAP]);
1413 #endif
1414 if (headers[SADB_EXT_ADDRESS_SRC] ||
1415 headers[SADB_EXT_ADDRESS_PROXY]) {
1416 mtx_enter(&tdb_sadb_mtx);
1417 tdb_unlink_locked(sa2);
1418 import_address((struct sockaddr *)&sa2->tdb_src,
1419 headers[SADB_EXT_ADDRESS_SRC]);
1420 import_address((struct sockaddr *)&sa2->tdb_dst,
1421 headers[SADB_EXT_ADDRESS_PROXY]);
1422 puttdb_locked(sa2);
1423 mtx_leave(&tdb_sadb_mtx);
1424 }
1425 }
1426 NET_UNLOCK();
1427
1428 break;
1429 case SADB_ADD:
1430 ssa = (struct sadb_sa *) headers[SADB_EXT_SA];
1431 sunionp = (union sockaddr_union *) (headers[SADB_EXT_ADDRESS_DST] +
1432 sizeof(struct sadb_address));
1433
1434 /* Either all or none of the flow must be included */
1435 if ((headers[SADB_X_EXT_SRC_FLOW] ||
1436 headers[SADB_X_EXT_PROTOCOL] ||
1437 headers[SADB_X_EXT_FLOW_TYPE] ||
1438 headers[SADB_X_EXT_DST_FLOW] ||
1439 headers[SADB_X_EXT_SRC_MASK] ||
1440 headers[SADB_X_EXT_DST_MASK]) &&
1441 !(headers[SADB_X_EXT_SRC_FLOW] &&
1442 headers[SADB_X_EXT_PROTOCOL] &&
1443 headers[SADB_X_EXT_FLOW_TYPE] &&
1444 headers[SADB_X_EXT_DST_FLOW] &&
1445 headers[SADB_X_EXT_SRC_MASK] &&
1446 headers[SADB_X_EXT_DST_MASK])) {
1447 rval = EINVAL;
1448 goto ret;
1449 }
1450 #ifdef IPSEC
1451 /* UDP encap has to be enabled and is only supported for ESP */
1452 if (headers[SADB_X_EXT_UDPENCAP] &&
1453 (!udpencap_enable ||
1454 smsg->sadb_msg_satype != SADB_SATYPE_ESP)) {
1455 rval = EINVAL;
1456 goto ret;
1457 }
1458 #endif /* IPSEC */
1459
1460 NET_LOCK();
1461 sa2 = gettdb(rdomain, ssa->sadb_sa_spi, sunionp,
1462 SADB_X_GETSPROTO(smsg->sadb_msg_satype));
1463
1464 /* We can't add an existing SA! */
1465 if (sa2 != NULL) {
1466 rval = EEXIST;
1467 NET_UNLOCK();
1468 goto ret;
1469 }
1470
1471 /* We can only add "mature" SAs */
1472 if (ssa->sadb_sa_state != SADB_SASTATE_MATURE) {
1473 rval = EINVAL;
1474 NET_UNLOCK();
1475 goto ret;
1476 }
1477
1478 {
1479 struct tdb *newsa;
1480 struct ipsecinit ii;
1481 int alg;
1482
1483 /* Create new TDB */
1484 newsa = tdb_alloc(rdomain);
1485 newsa->tdb_satype = smsg->sadb_msg_satype;
1486
1487 if ((rval = pfkeyv2_get_proto_alg(newsa->tdb_satype,
1488 &newsa->tdb_sproto, &alg))) {
1489 tdb_unref(newsa);
1490 NET_UNLOCK();
1491 goto ret;
1492 }
1493
1494 /* Initialize SA */
1495 bzero(&ii, sizeof(struct ipsecinit));
1496 import_sa(newsa, headers[SADB_EXT_SA], &ii);
1497 import_address(&newsa->tdb_src.sa,
1498 headers[SADB_EXT_ADDRESS_SRC]);
1499 import_address(&newsa->tdb_dst.sa,
1500 headers[SADB_EXT_ADDRESS_DST]);
1501
1502 import_lifetime(newsa,
1503 headers[SADB_EXT_LIFETIME_CURRENT],
1504 PFKEYV2_LIFETIME_CURRENT);
1505 import_lifetime(newsa, headers[SADB_EXT_LIFETIME_SOFT],
1506 PFKEYV2_LIFETIME_SOFT);
1507 import_lifetime(newsa, headers[SADB_EXT_LIFETIME_HARD],
1508 PFKEYV2_LIFETIME_HARD);
1509
1510 import_key(&ii, headers[SADB_EXT_KEY_AUTH],
1511 PFKEYV2_AUTHENTICATION_KEY);
1512 import_key(&ii, headers[SADB_EXT_KEY_ENCRYPT],
1513 PFKEYV2_ENCRYPTION_KEY);
1514
1515 import_identities(&newsa->tdb_ids,
1516 newsa->tdb_ids_swapped,
1517 headers[SADB_EXT_IDENTITY_SRC],
1518 headers[SADB_EXT_IDENTITY_DST]);
1519
1520 if ((rval = import_flow(&newsa->tdb_filter,
1521 &newsa->tdb_filtermask,
1522 headers[SADB_X_EXT_SRC_FLOW],
1523 headers[SADB_X_EXT_SRC_MASK],
1524 headers[SADB_X_EXT_DST_FLOW],
1525 headers[SADB_X_EXT_DST_MASK],
1526 headers[SADB_X_EXT_PROTOCOL],
1527 headers[SADB_X_EXT_FLOW_TYPE]))) {
1528 tdb_unref(newsa);
1529 NET_UNLOCK();
1530 goto ret;
1531 }
1532 import_udpencap(newsa, headers[SADB_X_EXT_UDPENCAP]);
1533 import_rdomain(newsa, headers[SADB_X_EXT_RDOMAIN]);
1534 #if NPF > 0
1535 import_tag(newsa, headers[SADB_X_EXT_TAG]);
1536 import_tap(newsa, headers[SADB_X_EXT_TAP]);
1537 #endif
1538
1539 /* Exclude sensitive data from reply message. */
1540 headers[SADB_EXT_KEY_AUTH] = NULL;
1541 headers[SADB_EXT_KEY_ENCRYPT] = NULL;
1542 headers[SADB_X_EXT_LOCAL_AUTH] = NULL;
1543 headers[SADB_X_EXT_REMOTE_AUTH] = NULL;
1544
1545 newsa->tdb_seq = smsg->sadb_msg_seq;
1546
1547 rval = tdb_init(newsa, alg, &ii);
1548 if (rval) {
1549 rval = EINVAL;
1550 tdb_unref(newsa);
1551 NET_UNLOCK();
1552 goto ret;
1553 }
1554
1555 /* Add TDB in table */
1556 puttdb(newsa);
1557 }
1558 NET_UNLOCK();
1559
1560 break;
1561
1562 case SADB_DELETE:
1563 ssa = (struct sadb_sa *) headers[SADB_EXT_SA];
1564 sunionp =
1565 (union sockaddr_union *)(headers[SADB_EXT_ADDRESS_DST] +
1566 sizeof(struct sadb_address));
1567
1568 NET_LOCK();
1569 sa2 = gettdb(rdomain, ssa->sadb_sa_spi, sunionp,
1570 SADB_X_GETSPROTO(smsg->sadb_msg_satype));
1571 if (sa2 == NULL) {
1572 rval = ESRCH;
1573 NET_UNLOCK();
1574 goto ret;
1575 }
1576
1577 tdb_delete(sa2);
1578 NET_UNLOCK();
1579
1580 break;
1581
1582 case SADB_X_ASKPOLICY:
1583 /* Get the relevant policy */
1584 NET_LOCK();
1585 ipa = ipsec_get_acquire(((struct sadb_x_policy *)
1586 headers[SADB_X_EXT_POLICY])->sadb_x_policy_seq);
1587 if (ipa == NULL) {
1588 rval = ESRCH;
1589 NET_UNLOCK();
1590 goto ret;
1591 }
1592
1593 rval = pfkeyv2_policy(ipa, headers, &freeme, &freeme_sz);
1594 NET_UNLOCK();
1595 ipsec_unref_acquire(ipa);
1596 if (rval)
1597 mode = PFKEYV2_SENDMESSAGE_UNICAST;
1598
1599 break;
1600
1601 case SADB_GET:
1602 ssa = (struct sadb_sa *) headers[SADB_EXT_SA];
1603 sunionp =
1604 (union sockaddr_union *)(headers[SADB_EXT_ADDRESS_DST] +
1605 sizeof(struct sadb_address));
1606
1607 NET_LOCK();
1608 sa2 = gettdb(rdomain, ssa->sadb_sa_spi, sunionp,
1609 SADB_X_GETSPROTO(smsg->sadb_msg_satype));
1610 if (sa2 == NULL) {
1611 rval = ESRCH;
1612 NET_UNLOCK();
1613 goto ret;
1614 }
1615
1616 rval = pfkeyv2_get(sa2, headers, &freeme, &freeme_sz, NULL);
1617 NET_UNLOCK();
1618 if (rval)
1619 mode = PFKEYV2_SENDMESSAGE_UNICAST;
1620
1621 break;
1622
1623 case SADB_REGISTER:
1624 keylock(kp);
1625 if (!(kp->kcb_flags & PFKEYV2_SOCKETFLAGS_REGISTERED)) {
1626 kp->kcb_flags |= PFKEYV2_SOCKETFLAGS_REGISTERED;
1627 mtx_enter(&pfkeyv2_mtx);
1628 nregistered++;
1629 mtx_leave(&pfkeyv2_mtx);
1630 }
1631 keyunlock(kp);
1632
1633 freeme_sz = sizeof(struct sadb_supported) + sizeof(ealgs);
1634 if (!(freeme = malloc(freeme_sz, M_PFKEY, M_NOWAIT | M_ZERO))) {
1635 rval = ENOMEM;
1636 goto ret;
1637 }
1638
1639 ssup = (struct sadb_supported *) freeme;
1640 ssup->sadb_supported_len = freeme_sz / sizeof(uint64_t);
1641
1642 {
1643 void *p = freeme + sizeof(struct sadb_supported);
1644
1645 bcopy(&ealgs[0], p, sizeof(ealgs));
1646 }
1647
1648 headers[SADB_EXT_SUPPORTED_ENCRYPT] = freeme;
1649
1650 freeme2_sz = sizeof(struct sadb_supported) + sizeof(aalgs);
1651 if (!(freeme2 = malloc(freeme2_sz, M_PFKEY,
1652 M_NOWAIT | M_ZERO))) {
1653 rval = ENOMEM;
1654 goto ret;
1655 }
1656
1657 /* Keep track what this socket has registered for */
1658 keylock(kp);
1659 kp->kcb_reg |=
1660 (1 << ((struct sadb_msg *)message)->sadb_msg_satype);
1661 keyunlock(kp);
1662
1663 ssup = (struct sadb_supported *) freeme2;
1664 ssup->sadb_supported_len = freeme2_sz / sizeof(uint64_t);
1665
1666 {
1667 void *p = freeme2 + sizeof(struct sadb_supported);
1668
1669 bcopy(&aalgs[0], p, sizeof(aalgs));
1670 }
1671
1672 headers[SADB_EXT_SUPPORTED_AUTH] = freeme2;
1673
1674 freeme3_sz = sizeof(struct sadb_supported) + sizeof(calgs);
1675 if (!(freeme3 = malloc(freeme3_sz, M_PFKEY,
1676 M_NOWAIT | M_ZERO))) {
1677 rval = ENOMEM;
1678 goto ret;
1679 }
1680
1681 ssup = (struct sadb_supported *) freeme3;
1682 ssup->sadb_supported_len = freeme3_sz / sizeof(uint64_t);
1683
1684 {
1685 void *p = freeme3 + sizeof(struct sadb_supported);
1686
1687 bcopy(&calgs[0], p, sizeof(calgs));
1688 }
1689
1690 headers[SADB_X_EXT_SUPPORTED_COMP] = freeme3;
1691
1692 break;
1693
1694 case SADB_ACQUIRE:
1695 case SADB_EXPIRE:
1696 /* Nothing to handle */
1697 rval = 0;
1698 break;
1699
1700 case SADB_FLUSH:
1701 rval = 0;
1702
1703 NET_LOCK();
1704 switch (smsg->sadb_msg_satype) {
1705 case SADB_SATYPE_UNSPEC:
1706 spd_table_walk(rdomain, pfkeyv2_policy_flush, NULL);
1707 /* FALLTHROUGH */
1708 case SADB_SATYPE_AH:
1709 case SADB_SATYPE_ESP:
1710 case SADB_X_SATYPE_IPIP:
1711 case SADB_X_SATYPE_IPCOMP:
1712 #ifdef TCP_SIGNATURE
1713 case SADB_X_SATYPE_TCPSIGNATURE:
1714 #endif /* TCP_SIGNATURE */
1715 tdb_walk(rdomain, pfkeyv2_sa_flush,
1716 (u_int8_t *) &(smsg->sadb_msg_satype));
1717
1718 break;
1719
1720 default:
1721 rval = EINVAL; /* Unknown/unsupported type */
1722 }
1723 NET_UNLOCK();
1724
1725 break;
1726
1727 case SADB_DUMP:
1728 {
1729 struct dump_state dump_state;
1730 dump_state.sadb_msg = (struct sadb_msg *) headers[0];
1731 dump_state.socket = so;
1732
1733 NET_LOCK();
1734 rval = tdb_walk(rdomain, pfkeyv2_dump_walker, &dump_state);
1735 NET_UNLOCK();
1736 if (!rval)
1737 goto realret;
1738 if ((rval == ENOMEM) || (rval == ENOBUFS))
1739 rval = 0;
1740 }
1741 break;
1742
1743 case SADB_X_GRPSPIS:
1744 {
1745 struct tdb *tdb1, *tdb2, *tdb3;
1746 struct sadb_protocol *sa_proto;
1747
1748 ssa = (struct sadb_sa *) headers[SADB_EXT_SA];
1749 sunionp = (union sockaddr_union *) (headers[SADB_EXT_ADDRESS_DST] +
1750 sizeof(struct sadb_address));
1751
1752 NET_LOCK();
1753 tdb1 = gettdb(rdomain, ssa->sadb_sa_spi, sunionp,
1754 SADB_X_GETSPROTO(smsg->sadb_msg_satype));
1755 if (tdb1 == NULL) {
1756 rval = ESRCH;
1757 NET_UNLOCK();
1758 goto ret;
1759 }
1760
1761 ssa = (struct sadb_sa *) headers[SADB_X_EXT_SA2];
1762 sunionp = (union sockaddr_union *) (headers[SADB_X_EXT_DST2] +
1763 sizeof(struct sadb_address));
1764 sa_proto = (struct sadb_protocol *) headers[SADB_X_EXT_SATYPE2];
1765
1766 /* optionally fetch tdb2 from rdomain2 */
1767 tdb2 = gettdb(srdomain ? srdomain->sadb_x_rdomain_dom2 : rdomain,
1768 ssa->sadb_sa_spi, sunionp,
1769 SADB_X_GETSPROTO(sa_proto->sadb_protocol_proto));
1770 if (tdb2 == NULL) {
1771 tdb_unref(tdb1);
1772 rval = ESRCH;
1773 NET_UNLOCK();
1774 goto ret;
1775 }
1776
1777 /* Detect cycles */
1778 for (tdb3 = tdb2; tdb3; tdb3 = tdb3->tdb_onext)
1779 if (tdb3 == tdb1) {
1780 tdb_unref(tdb1);
1781 tdb_unref(tdb2);
1782 rval = ESRCH;
1783 NET_UNLOCK();
1784 goto ret;
1785 }
1786
1787 /* Maintenance */
1788 if ((tdb1->tdb_onext) &&
1789 (tdb1->tdb_onext->tdb_inext == tdb1)) {
1790 tdb_unref(tdb1->tdb_onext->tdb_inext);
1791 tdb1->tdb_onext->tdb_inext = NULL;
1792 }
1793
1794 if ((tdb2->tdb_inext) &&
1795 (tdb2->tdb_inext->tdb_onext == tdb2)) {
1796 tdb_unref(tdb2->tdb_inext->tdb_onext);
1797 tdb2->tdb_inext->tdb_onext = NULL;
1798 }
1799
1800 /* Link them */
1801 tdb1->tdb_onext = tdb2;
1802 tdb2->tdb_inext = tdb1;
1803 NET_UNLOCK();
1804 }
1805 break;
1806
1807 case SADB_X_DELFLOW:
1808 delflag = 1;
1809 /*FALLTHROUGH*/
1810 case SADB_X_ADDFLOW:
1811 {
1812 struct sadb_protocol *sab;
1813 union sockaddr_union *ssrc;
1814 int exists = 0;
1815
1816 NET_LOCK();
1817 if ((rnh = spd_table_add(rdomain)) == NULL) {
1818 rval = ENOMEM;
1819 NET_UNLOCK();
1820 goto ret;
1821 }
1822
1823 sab = (struct sadb_protocol *) headers[SADB_X_EXT_FLOW_TYPE];
1824
1825 if ((sab->sadb_protocol_direction != IPSP_DIRECTION_IN) &&
1826 (sab->sadb_protocol_direction != IPSP_DIRECTION_OUT)) {
1827 rval = EINVAL;
1828 NET_UNLOCK();
1829 goto ret;
1830 }
1831
1832 /* If the security protocol wasn't specified, pretend it was ESP */
1833 if (smsg->sadb_msg_satype == 0)
1834 smsg->sadb_msg_satype = SADB_SATYPE_ESP;
1835
1836 if (headers[SADB_EXT_ADDRESS_DST])
1837 sunionp = (union sockaddr_union *)
1838 (headers[SADB_EXT_ADDRESS_DST] +
1839 sizeof(struct sadb_address));
1840 else
1841 sunionp = NULL;
1842
1843 if (headers[SADB_EXT_ADDRESS_SRC])
1844 ssrc = (union sockaddr_union *)
1845 (headers[SADB_EXT_ADDRESS_SRC] +
1846 sizeof(struct sadb_address));
1847 else
1848 ssrc = NULL;
1849
1850 if ((rval = import_flow(&encapdst, &encapnetmask,
1851 headers[SADB_X_EXT_SRC_FLOW], headers[SADB_X_EXT_SRC_MASK],
1852 headers[SADB_X_EXT_DST_FLOW], headers[SADB_X_EXT_DST_MASK],
1853 headers[SADB_X_EXT_PROTOCOL],
1854 headers[SADB_X_EXT_FLOW_TYPE]))) {
1855 NET_UNLOCK();
1856 goto ret;
1857 }
1858
1859 /* Determine whether the exact same SPD entry already exists. */
1860 if ((rn = rn_match(&encapdst, rnh)) != NULL) {
1861 ipo = (struct ipsec_policy *)rn;
1862
1863 /* Verify that the entry is identical */
1864 if (bcmp(&ipo->ipo_addr, &encapdst,
1865 sizeof(struct sockaddr_encap)) ||
1866 bcmp(&ipo->ipo_mask, &encapnetmask,
1867 sizeof(struct sockaddr_encap)))
1868 ipo = NULL; /* Fall through */
1869 else
1870 exists = 1;
1871 } else
1872 ipo = NULL;
1873
1874 /*
1875 * If the existing policy is static, only delete or update
1876 * it if the new one is also static.
1877 */
1878 if (exists && (ipo->ipo_flags & IPSP_POLICY_STATIC)) {
1879 if (!(sab->sadb_protocol_flags &
1880 SADB_X_POLICYFLAGS_POLICY)) {
1881 NET_UNLOCK();
1882 goto ret;
1883 }
1884 }
1885
1886 /* Delete ? */
1887 if (delflag) {
1888 if (exists) {
1889 rval = ipsec_delete_policy(ipo);
1890 NET_UNLOCK();
1891 goto ret;
1892 }
1893
1894 /* If we were asked to delete something non-existent, error. */
1895 rval = ESRCH;
1896 NET_UNLOCK();
1897 break;
1898 }
1899
1900 if (!exists) {
1901 /* Allocate policy entry */
1902 ipo = pool_get(&ipsec_policy_pool, PR_NOWAIT|PR_ZERO);
1903 if (ipo == NULL) {
1904 rval = ENOMEM;
1905 NET_UNLOCK();
1906 goto ret;
1907 }
1908 }
1909
1910 switch (sab->sadb_protocol_proto) {
1911 case SADB_X_FLOW_TYPE_USE:
1912 ipo->ipo_type = IPSP_IPSEC_USE;
1913 break;
1914
1915 case SADB_X_FLOW_TYPE_ACQUIRE:
1916 ipo->ipo_type = IPSP_IPSEC_ACQUIRE;
1917 break;
1918
1919 case SADB_X_FLOW_TYPE_REQUIRE:
1920 ipo->ipo_type = IPSP_IPSEC_REQUIRE;
1921 break;
1922
1923 case SADB_X_FLOW_TYPE_DENY:
1924 ipo->ipo_type = IPSP_DENY;
1925 break;
1926
1927 case SADB_X_FLOW_TYPE_BYPASS:
1928 ipo->ipo_type = IPSP_PERMIT;
1929 break;
1930
1931 case SADB_X_FLOW_TYPE_DONTACQ:
1932 ipo->ipo_type = IPSP_IPSEC_DONTACQ;
1933 break;
1934
1935 default:
1936 if (!exists)
1937 pool_put(&ipsec_policy_pool, ipo);
1938 else
1939 ipsec_delete_policy(ipo);
1940
1941 rval = EINVAL;
1942 NET_UNLOCK();
1943 goto ret;
1944 }
1945
1946 if (sab->sadb_protocol_flags & SADB_X_POLICYFLAGS_POLICY)
1947 ipo->ipo_flags |= IPSP_POLICY_STATIC;
1948
1949 if (sunionp)
1950 bcopy(sunionp, &ipo->ipo_dst,
1951 sizeof(union sockaddr_union));
1952 else
1953 bzero(&ipo->ipo_dst, sizeof(union sockaddr_union));
1954
1955 if (ssrc)
1956 bcopy(ssrc, &ipo->ipo_src,
1957 sizeof(union sockaddr_union));
1958 else
1959 bzero(&ipo->ipo_src, sizeof(union sockaddr_union));
1960
1961 ipo->ipo_sproto = SADB_X_GETSPROTO(smsg->sadb_msg_satype);
1962
1963 if (ipo->ipo_ids) {
1964 ipsp_ids_free(ipo->ipo_ids);
1965 ipo->ipo_ids = NULL;
1966 }
1967
1968 if ((sid = headers[SADB_EXT_IDENTITY_SRC]) != NULL &&
1969 (did = headers[SADB_EXT_IDENTITY_DST]) != NULL) {
1970 import_identities(&ipo->ipo_ids, 0, sid, did);
1971 if (ipo->ipo_ids == NULL) {
1972 if (exists)
1973 ipsec_delete_policy(ipo);
1974 else
1975 pool_put(&ipsec_policy_pool, ipo);
1976 rval = ENOBUFS;
1977 NET_UNLOCK();
1978 goto ret;
1979 }
1980 }
1981
1982 /* Flow type */
1983 if (!exists) {
1984 /* Initialize policy entry */
1985 bcopy(&encapdst, &ipo->ipo_addr,
1986 sizeof(struct sockaddr_encap));
1987 bcopy(&encapnetmask, &ipo->ipo_mask,
1988 sizeof(struct sockaddr_encap));
1989
1990 TAILQ_INIT(&ipo->ipo_acquires);
1991 ipo->ipo_rdomain = rdomain;
1992 refcnt_init(&ipo->ipo_refcnt);
1993
1994 /* Add SPD entry */
1995 if ((rnh = spd_table_get(rdomain)) == NULL ||
1996 (rn = rn_addroute((caddr_t)&ipo->ipo_addr,
1997 (caddr_t)&ipo->ipo_mask, rnh,
1998 ipo->ipo_nodes, 0)) == NULL) {
1999 /* Remove from linked list of policies on TDB */
2000 mtx_enter(&ipo_tdb_mtx);
2001 if (ipo->ipo_tdb != NULL) {
2002 TAILQ_REMOVE(
2003 &ipo->ipo_tdb->tdb_policy_head,
2004 ipo, ipo_tdb_next);
2005 tdb_unref(ipo->ipo_tdb);
2006 ipo->ipo_tdb = NULL;
2007 }
2008 mtx_leave(&ipo_tdb_mtx);
2009 if (ipo->ipo_ids)
2010 ipsp_ids_free(ipo->ipo_ids);
2011 pool_put(&ipsec_policy_pool, ipo);
2012 NET_UNLOCK();
2013 goto ret;
2014 }
2015 TAILQ_INSERT_HEAD(&ipsec_policy_head, ipo, ipo_list);
2016 ipsec_in_use++;
2017 } else {
2018 ipo->ipo_last_searched = ipo->ipo_flags = 0;
2019 }
2020 NET_UNLOCK();
2021 }
2022 break;
2023
2024 case SADB_X_PROMISC:
2025 if (len >= 2 * sizeof(struct sadb_msg)) {
2026 struct mbuf *packet;
2027
2028 if ((rval = pfdatatopacket(message, len, &packet)) != 0)
2029 goto ret;
2030
2031 SRPL_FOREACH(bkp, &sr, &pkptable.pkp_list, kcb_list) {
2032 if (bkp == kp || bkp->kcb_rdomain != kp->kcb_rdomain)
2033 continue;
2034
2035 if (!smsg->sadb_msg_seq ||
2036 (smsg->sadb_msg_seq == kp->kcb_pid)) {
2037 keylock(bkp);
2038 pfkey_sendup(bkp, packet, 1);
2039 keyunlock(bkp);
2040 }
2041 }
2042 SRPL_LEAVE(&sr);
2043
2044 m_freem(packet);
2045 } else {
2046 if (len != sizeof(struct sadb_msg)) {
2047 rval = EINVAL;
2048 goto ret;
2049 }
2050
2051 keylock(kp);
2052 i = (kp->kcb_flags &
2053 PFKEYV2_SOCKETFLAGS_PROMISC) ? 1 : 0;
2054 j = smsg->sadb_msg_satype ? 1 : 0;
2055
2056 if (i ^ j) {
2057 if (j) {
2058 kp->kcb_flags |=
2059 PFKEYV2_SOCKETFLAGS_PROMISC;
2060 mtx_enter(&pfkeyv2_mtx);
2061 npromisc++;
2062 mtx_leave(&pfkeyv2_mtx);
2063 } else {
2064 kp->kcb_flags &=
2065 ~PFKEYV2_SOCKETFLAGS_PROMISC;
2066 mtx_enter(&pfkeyv2_mtx);
2067 npromisc--;
2068 mtx_leave(&pfkeyv2_mtx);
2069 }
2070 }
2071 keyunlock(kp);
2072 }
2073
2074 break;
2075
2076 default:
2077 rval = EINVAL;
2078 goto ret;
2079 }
2080
2081 ret:
2082 if (rval) {
2083 if ((rval == EINVAL) || (rval == ENOMEM) || (rval == ENOBUFS))
2084 goto realret;
2085
2086 for (i = 1; i <= SADB_EXT_MAX; i++)
2087 headers[i] = NULL;
2088
2089 smsg->sadb_msg_errno = abs(rval);
2090 } else {
2091 uint64_t seen = 0LL;
2092
2093 for (i = 1; i <= SADB_EXT_MAX; i++)
2094 if (headers[i])
2095 seen |= (1LL << i);
2096
2097 if ((seen & sadb_exts_allowed_out[smsg->sadb_msg_type])
2098 != seen) {
2099 rval = EPERM;
2100 goto realret;
2101 }
2102
2103 if ((seen & sadb_exts_required_out[smsg->sadb_msg_type]) !=
2104 sadb_exts_required_out[smsg->sadb_msg_type]) {
2105 rval = EPERM;
2106 goto realret;
2107 }
2108 }
2109
2110 rval = pfkeyv2_sendmessage(headers, mode, so, 0, 0, kp->kcb_rdomain);
2111
2112 realret:
2113
2114 if (freeme != NULL)
2115 explicit_bzero(freeme, freeme_sz);
2116 free(freeme, M_PFKEY, freeme_sz);
2117 free(freeme2, M_PFKEY, freeme2_sz);
2118 free(freeme3, M_PFKEY, freeme3_sz);
2119
2120 explicit_bzero(message, len);
2121 free(message, M_PFKEY, len);
2122
2123 free(sa1, M_PFKEY, sizeof(*sa1));
2124
2125 NET_LOCK();
2126 tdb_unref(sa2);
2127 NET_UNLOCK();
2128
2129 return (rval);
2130 }
2131
2132 /*
2133 * Send an ACQUIRE message to key management, to get a new SA.
2134 */
2135 int
2136 pfkeyv2_acquire(struct ipsec_policy *ipo, union sockaddr_union *gw,
2137 union sockaddr_union *laddr, u_int32_t *seq, struct sockaddr_encap *ddst)
2138 {
2139 void *p, *headers[SADB_EXT_MAX + 1], *buffer = NULL;
2140 struct sadb_comb *sadb_comb;
2141 struct sadb_address *sadd;
2142 struct sadb_prop *sa_prop;
2143 struct sadb_msg *smsg;
2144 int rval = 0;
2145 int i, j, registered;
2146
2147 mtx_enter(&pfkeyv2_mtx);
2148 *seq = pfkeyv2_seq++;
2149
2150 registered = nregistered;
2151 mtx_leave(&pfkeyv2_mtx);
2152
2153 if (!registered) {
2154 rval = ESRCH;
2155 goto ret;
2156 }
2157
2158 /* How large a buffer do we need... XXX we only do one proposal for now */
2159 i = sizeof(struct sadb_msg) +
2160 (laddr == NULL ? 0 : sizeof(struct sadb_address) +
2161 PADUP(ipo->ipo_src.sa.sa_len)) +
2162 sizeof(struct sadb_address) + PADUP(gw->sa.sa_len) +
2163 sizeof(struct sadb_prop) + 1 * sizeof(struct sadb_comb);
2164
2165 if (ipo->ipo_ids) {
2166 i += sizeof(struct sadb_ident) + PADUP(ipo->ipo_ids->id_local->len);
2167 i += sizeof(struct sadb_ident) + PADUP(ipo->ipo_ids->id_remote->len);
2168 }
2169
2170 /* Allocate */
2171 if (!(p = malloc(i, M_PFKEY, M_NOWAIT | M_ZERO))) {
2172 rval = ENOMEM;
2173 goto ret;
2174 }
2175
2176 bzero(headers, sizeof(headers));
2177
2178 buffer = p;
2179
2180 headers[0] = p;
2181 p += sizeof(struct sadb_msg);
2182
2183 smsg = (struct sadb_msg *) headers[0];
2184 smsg->sadb_msg_version = PF_KEY_V2;
2185 smsg->sadb_msg_type = SADB_ACQUIRE;
2186 smsg->sadb_msg_len = i / sizeof(uint64_t);
2187 smsg->sadb_msg_seq = *seq;
2188
2189 if (ipo->ipo_sproto == IPPROTO_ESP)
2190 smsg->sadb_msg_satype = SADB_SATYPE_ESP;
2191 else if (ipo->ipo_sproto == IPPROTO_AH)
2192 smsg->sadb_msg_satype = SADB_SATYPE_AH;
2193 else if (ipo->ipo_sproto == IPPROTO_IPCOMP)
2194 smsg->sadb_msg_satype = SADB_X_SATYPE_IPCOMP;
2195
2196 if (laddr) {
2197 headers[SADB_EXT_ADDRESS_SRC] = p;
2198 p += sizeof(struct sadb_address) + PADUP(laddr->sa.sa_len);
2199 sadd = (struct sadb_address *) headers[SADB_EXT_ADDRESS_SRC];
2200 sadd->sadb_address_len = (sizeof(struct sadb_address) +
2201 laddr->sa.sa_len + sizeof(uint64_t) - 1) /
2202 sizeof(uint64_t);
2203 bcopy(laddr, headers[SADB_EXT_ADDRESS_SRC] +
2204 sizeof(struct sadb_address), laddr->sa.sa_len);
2205 }
2206
2207 headers[SADB_EXT_ADDRESS_DST] = p;
2208 p += sizeof(struct sadb_address) + PADUP(gw->sa.sa_len);
2209 sadd = (struct sadb_address *) headers[SADB_EXT_ADDRESS_DST];
2210 sadd->sadb_address_len = (sizeof(struct sadb_address) +
2211 gw->sa.sa_len + sizeof(uint64_t) - 1) / sizeof(uint64_t);
2212 bcopy(gw, headers[SADB_EXT_ADDRESS_DST] + sizeof(struct sadb_address),
2213 gw->sa.sa_len);
2214
2215 if (ipo->ipo_ids)
2216 export_identities(&p, ipo->ipo_ids, 0, headers);
2217
2218 headers[SADB_EXT_PROPOSAL] = p;
2219 p += sizeof(struct sadb_prop);
2220 sa_prop = (struct sadb_prop *) headers[SADB_EXT_PROPOSAL];
2221 sa_prop->sadb_prop_num = 1; /* XXX One proposal only */
2222 sa_prop->sadb_prop_len = (sizeof(struct sadb_prop) +
2223 (sizeof(struct sadb_comb) * sa_prop->sadb_prop_num)) /
2224 sizeof(uint64_t);
2225
2226 sadb_comb = p;
2227
2228 /* XXX Should actually ask the crypto layer what's supported */
2229 for (j = 0; j < sa_prop->sadb_prop_num; j++) {
2230 sadb_comb->sadb_comb_flags = 0;
2231 #ifdef IPSEC
2232 if (ipsec_require_pfs)
2233 sadb_comb->sadb_comb_flags |= SADB_SAFLAGS_PFS;
2234
2235 /* Set the encryption algorithm */
2236 if (ipo->ipo_sproto == IPPROTO_ESP) {
2237 if (!strncasecmp(ipsec_def_enc, "aes",
2238 sizeof("aes"))) {
2239 sadb_comb->sadb_comb_encrypt = SADB_X_EALG_AES;
2240 sadb_comb->sadb_comb_encrypt_minbits = 128;
2241 sadb_comb->sadb_comb_encrypt_maxbits = 256;
2242 } else if (!strncasecmp(ipsec_def_enc, "aesctr",
2243 sizeof("aesctr"))) {
2244 sadb_comb->sadb_comb_encrypt = SADB_X_EALG_AESCTR;
2245 sadb_comb->sadb_comb_encrypt_minbits = 128+32;
2246 sadb_comb->sadb_comb_encrypt_maxbits = 256+32;
2247 } else if (!strncasecmp(ipsec_def_enc, "3des",
2248 sizeof("3des"))) {
2249 sadb_comb->sadb_comb_encrypt = SADB_EALG_3DESCBC;
2250 sadb_comb->sadb_comb_encrypt_minbits = 192;
2251 sadb_comb->sadb_comb_encrypt_maxbits = 192;
2252 } else if (!strncasecmp(ipsec_def_enc, "blowfish",
2253 sizeof("blowfish"))) {
2254 sadb_comb->sadb_comb_encrypt = SADB_X_EALG_BLF;
2255 sadb_comb->sadb_comb_encrypt_minbits = 40;
2256 sadb_comb->sadb_comb_encrypt_maxbits = BLF_MAXKEYLEN * 8;
2257 } else if (!strncasecmp(ipsec_def_enc, "cast128",
2258 sizeof("cast128"))) {
2259 sadb_comb->sadb_comb_encrypt = SADB_X_EALG_CAST;
2260 sadb_comb->sadb_comb_encrypt_minbits = 40;
2261 sadb_comb->sadb_comb_encrypt_maxbits = 128;
2262 }
2263 } else if (ipo->ipo_sproto == IPPROTO_IPCOMP) {
2264 /* Set the compression algorithm */
2265 if (!strncasecmp(ipsec_def_comp, "deflate",
2266 sizeof("deflate"))) {
2267 sadb_comb->sadb_comb_encrypt = SADB_X_CALG_DEFLATE;
2268 sadb_comb->sadb_comb_encrypt_minbits = 0;
2269 sadb_comb->sadb_comb_encrypt_maxbits = 0;
2270 }
2271 }
2272
2273 /* Set the authentication algorithm */
2274 if (!strncasecmp(ipsec_def_auth, "hmac-sha1",
2275 sizeof("hmac-sha1"))) {
2276 sadb_comb->sadb_comb_auth = SADB_AALG_SHA1HMAC;
2277 sadb_comb->sadb_comb_auth_minbits = 160;
2278 sadb_comb->sadb_comb_auth_maxbits = 160;
2279 } else if (!strncasecmp(ipsec_def_auth, "hmac-ripemd160",
2280 sizeof("hmac_ripemd160"))) {
2281 sadb_comb->sadb_comb_auth = SADB_X_AALG_RIPEMD160HMAC;
2282 sadb_comb->sadb_comb_auth_minbits = 160;
2283 sadb_comb->sadb_comb_auth_maxbits = 160;
2284 } else if (!strncasecmp(ipsec_def_auth, "hmac-md5",
2285 sizeof("hmac-md5"))) {
2286 sadb_comb->sadb_comb_auth = SADB_AALG_MD5HMAC;
2287 sadb_comb->sadb_comb_auth_minbits = 128;
2288 sadb_comb->sadb_comb_auth_maxbits = 128;
2289 } else if (!strncasecmp(ipsec_def_auth, "hmac-sha2-256",
2290 sizeof("hmac-sha2-256"))) {
2291 sadb_comb->sadb_comb_auth = SADB_X_AALG_SHA2_256;
2292 sadb_comb->sadb_comb_auth_minbits = 256;
2293 sadb_comb->sadb_comb_auth_maxbits = 256;
2294 } else if (!strncasecmp(ipsec_def_auth, "hmac-sha2-384",
2295 sizeof("hmac-sha2-384"))) {
2296 sadb_comb->sadb_comb_auth = SADB_X_AALG_SHA2_384;
2297 sadb_comb->sadb_comb_auth_minbits = 384;
2298 sadb_comb->sadb_comb_auth_maxbits = 384;
2299 } else if (!strncasecmp(ipsec_def_auth, "hmac-sha2-512",
2300 sizeof("hmac-sha2-512"))) {
2301 sadb_comb->sadb_comb_auth = SADB_X_AALG_SHA2_512;
2302 sadb_comb->sadb_comb_auth_minbits = 512;
2303 sadb_comb->sadb_comb_auth_maxbits = 512;
2304 }
2305
2306 sadb_comb->sadb_comb_soft_allocations = ipsec_soft_allocations;
2307 sadb_comb->sadb_comb_hard_allocations = ipsec_exp_allocations;
2308
2309 sadb_comb->sadb_comb_soft_bytes = ipsec_soft_bytes;
2310 sadb_comb->sadb_comb_hard_bytes = ipsec_exp_bytes;
2311
2312 sadb_comb->sadb_comb_soft_addtime = ipsec_soft_timeout;
2313 sadb_comb->sadb_comb_hard_addtime = ipsec_exp_timeout;
2314
2315 sadb_comb->sadb_comb_soft_usetime = ipsec_soft_first_use;
2316 sadb_comb->sadb_comb_hard_usetime = ipsec_exp_first_use;
2317 #endif
2318 sadb_comb++;
2319 }
2320
2321 /* Send the ACQUIRE message to all compliant registered listeners. */
2322 if ((rval = pfkeyv2_sendmessage(headers,
2323 PFKEYV2_SENDMESSAGE_REGISTERED, NULL, smsg->sadb_msg_satype, 0,
2324 ipo->ipo_rdomain)) != 0)
2325 goto ret;
2326
2327 rval = 0;
2328 ret:
2329 if (buffer != NULL) {
2330 explicit_bzero(buffer, i);
2331 free(buffer, M_PFKEY, i);
2332 }
2333
2334 return (rval);
2335 }
2336
2337 /*
2338 * Notify key management that an expiration went off. The second argument
2339 * specifies the type of expiration (soft or hard).
2340 */
2341 int
2342 pfkeyv2_expire(struct tdb *tdb, u_int16_t type)
2343 {
2344 void *p, *headers[SADB_EXT_MAX+1], *buffer = NULL;
2345 struct sadb_msg *smsg;
2346 int rval = 0;
2347 int i;
2348
2349 NET_ASSERT_LOCKED();
2350
2351 switch (tdb->tdb_sproto) {
2352 case IPPROTO_AH:
2353 case IPPROTO_ESP:
2354 case IPPROTO_IPIP:
2355 case IPPROTO_IPCOMP:
2356 #ifdef TCP_SIGNATURE
2357 case IPPROTO_TCP:
2358 #endif /* TCP_SIGNATURE */
2359 break;
2360
2361 default:
2362 rval = EOPNOTSUPP;
2363 goto ret;
2364 }
2365
2366 i = sizeof(struct sadb_msg) + sizeof(struct sadb_sa) +
2367 2 * sizeof(struct sadb_lifetime) +
2368 sizeof(struct sadb_address) + PADUP(tdb->tdb_src.sa.sa_len) +
2369 sizeof(struct sadb_address) + PADUP(tdb->tdb_dst.sa.sa_len);
2370
2371 if (!(p = malloc(i, M_PFKEY, M_NOWAIT | M_ZERO))) {
2372 rval = ENOMEM;
2373 goto ret;
2374 }
2375
2376 bzero(headers, sizeof(headers));
2377
2378 buffer = p;
2379
2380 headers[0] = p;
2381 p += sizeof(struct sadb_msg);
2382
2383 smsg = (struct sadb_msg *) headers[0];
2384 smsg->sadb_msg_version = PF_KEY_V2;
2385 smsg->sadb_msg_type = SADB_EXPIRE;
2386 smsg->sadb_msg_satype = tdb->tdb_satype;
2387 smsg->sadb_msg_len = i / sizeof(uint64_t);
2388
2389 mtx_enter(&pfkeyv2_mtx);
2390 smsg->sadb_msg_seq = pfkeyv2_seq++;
2391 mtx_leave(&pfkeyv2_mtx);
2392
2393 headers[SADB_EXT_SA] = p;
2394 export_sa(&p, tdb);
2395
2396 headers[SADB_EXT_LIFETIME_CURRENT] = p;
2397 export_lifetime(&p, tdb, PFKEYV2_LIFETIME_CURRENT);
2398
2399 headers[type] = p;
2400 export_lifetime(&p, tdb, type == SADB_EXT_LIFETIME_SOFT ?
2401 PFKEYV2_LIFETIME_SOFT : PFKEYV2_LIFETIME_HARD);
2402
2403 headers[SADB_EXT_ADDRESS_SRC] = p;
2404 export_address(&p, &tdb->tdb_src.sa);
2405
2406 headers[SADB_EXT_ADDRESS_DST] = p;
2407 export_address(&p, &tdb->tdb_dst.sa);
2408
2409 if ((rval = pfkeyv2_sendmessage(headers, PFKEYV2_SENDMESSAGE_BROADCAST,
2410 NULL, 0, 0, tdb->tdb_rdomain)) != 0)
2411 goto ret;
2412 /* XXX */
2413 if (tdb->tdb_rdomain != tdb->tdb_rdomain_post)
2414 if ((rval = pfkeyv2_sendmessage(headers,
2415 PFKEYV2_SENDMESSAGE_BROADCAST, NULL, 0, 0,
2416 tdb->tdb_rdomain_post)) != 0)
2417 goto ret;
2418
2419 rval = 0;
2420
2421 ret:
2422 if (buffer != NULL) {
2423 explicit_bzero(buffer, i);
2424 free(buffer, M_PFKEY, i);
2425 }
2426
2427 return (rval);
2428 }
2429
2430 struct pfkeyv2_sysctl_walk {
2431 void *w_where;
2432 size_t w_len;
2433 int w_op;
2434 u_int8_t w_satype;
2435 };
2436
2437 int
2438 pfkeyv2_sysctl_walker(struct tdb *tdb, void *arg, int last)
2439 {
2440 struct pfkeyv2_sysctl_walk *w = (struct pfkeyv2_sysctl_walk *)arg;
2441 void *buffer = NULL;
2442 int error = 0;
2443 int usedlen, buflen, i;
2444
2445 if (w->w_satype != SADB_SATYPE_UNSPEC &&
2446 w->w_satype != tdb->tdb_satype)
2447 return (0);
2448
2449 if (w->w_where) {
2450 void *headers[SADB_EXT_MAX+1];
2451 struct sadb_msg msg;
2452
2453 bzero(headers, sizeof(headers));
2454 if ((error = pfkeyv2_get(tdb, headers, &buffer, &buflen,
2455 &usedlen)) != 0)
2456 goto done;
2457 if (w->w_len < sizeof(msg) + usedlen) {
2458 error = ENOMEM;
2459 goto done;
2460 }
2461 /* prepend header */
2462 bzero(&msg, sizeof(msg));
2463 msg.sadb_msg_version = PF_KEY_V2;
2464 msg.sadb_msg_satype = tdb->tdb_satype;
2465 msg.sadb_msg_type = SADB_DUMP;
2466 msg.sadb_msg_len = (sizeof(msg) + usedlen) / sizeof(uint64_t);
2467 if ((error = copyout(&msg, w->w_where, sizeof(msg))) != 0)
2468 goto done;
2469 w->w_where += sizeof(msg);
2470 w->w_len -= sizeof(msg);
2471 /* set extension type */
2472 for (i = 1; i <= SADB_EXT_MAX; i++)
2473 if (headers[i])
2474 ((struct sadb_ext *)
2475 headers[i])->sadb_ext_type = i;
2476 if ((error = copyout(buffer, w->w_where, usedlen)) != 0)
2477 goto done;
2478 w->w_where += usedlen;
2479 w->w_len -= usedlen;
2480 } else {
2481 if ((error = pfkeyv2_get(tdb, NULL, NULL, &buflen, NULL)) != 0)
2482 return (error);
2483 w->w_len += buflen;
2484 w->w_len += sizeof(struct sadb_msg);
2485 }
2486
2487 done:
2488 if (buffer != NULL) {
2489 explicit_bzero(buffer, buflen);
2490 free(buffer, M_PFKEY, buflen);
2491 }
2492 return (error);
2493 }
2494
2495 int
2496 pfkeyv2_dump_policy(struct ipsec_policy *ipo, void **headers, void **buffer,
2497 int *lenp)
2498 {
2499 int i, rval, perm;
2500 void *p;
2501
2502 /* Find how much space we need. */
2503 i = 2 * sizeof(struct sadb_protocol);
2504
2505 /* We'll need four of them: src, src mask, dst, dst mask. */
2506 switch (ipo->ipo_addr.sen_type) {
2507 case SENT_IP4:
2508 i += 4 * PADUP(sizeof(struct sockaddr_in));
2509 i += 4 * sizeof(struct sadb_address);
2510 break;
2511 #ifdef INET6
2512 case SENT_IP6:
2513 i += 4 * PADUP(sizeof(struct sockaddr_in6));
2514 i += 4 * sizeof(struct sadb_address);
2515 break;
2516 #endif /* INET6 */
2517 default:
2518 return (EINVAL);
2519 }
2520
2521 /* Local address, might be zeroed. */
2522 switch (ipo->ipo_src.sa.sa_family) {
2523 case 0:
2524 break;
2525 case AF_INET:
2526 i += PADUP(sizeof(struct sockaddr_in));
2527 i += sizeof(struct sadb_address);
2528 break;
2529 #ifdef INET6
2530 case AF_INET6:
2531 i += PADUP(sizeof(struct sockaddr_in6));
2532 i += sizeof(struct sadb_address);
2533 break;
2534 #endif /* INET6 */
2535 default:
2536 return (EINVAL);
2537 }
2538
2539 /* Remote address, might be zeroed. XXX ??? */
2540 switch (ipo->ipo_dst.sa.sa_family) {
2541 case 0:
2542 break;
2543 case AF_INET:
2544 i += PADUP(sizeof(struct sockaddr_in));
2545 i += sizeof(struct sadb_address);
2546 break;
2547 #ifdef INET6
2548 case AF_INET6:
2549 i += PADUP(sizeof(struct sockaddr_in6));
2550 i += sizeof(struct sadb_address);
2551 break;
2552 #endif /* INET6 */
2553 default:
2554 return (EINVAL);
2555 }
2556
2557 if (ipo->ipo_ids) {
2558 i += sizeof(struct sadb_ident) + PADUP(ipo->ipo_ids->id_local->len);
2559 i += sizeof(struct sadb_ident) + PADUP(ipo->ipo_ids->id_remote->len);
2560 }
2561
2562 if (lenp)
2563 *lenp = i;
2564
2565 if (buffer == NULL) {
2566 rval = 0;
2567 goto ret;
2568 }
2569
2570 if (!(p = malloc(i, M_PFKEY, M_NOWAIT | M_ZERO))) {
2571 rval = ENOMEM;
2572 goto ret;
2573 } else
2574 *buffer = p;
2575
2576 /* Local address. */
2577 if (ipo->ipo_src.sa.sa_family) {
2578 headers[SADB_EXT_ADDRESS_SRC] = p;
2579 export_address(&p, &ipo->ipo_src.sa);
2580 }
2581
2582 /* Remote address. */
2583 if (ipo->ipo_dst.sa.sa_family) {
2584 headers[SADB_EXT_ADDRESS_DST] = p;
2585 export_address(&p, &ipo->ipo_dst.sa);
2586 }
2587
2588 /* Get actual flow. */
2589 export_flow(&p, ipo->ipo_type, &ipo->ipo_addr, &ipo->ipo_mask,
2590 headers);
2591
2592 /* Add ids only when we are root. */
2593 perm = suser(curproc);
2594 if (perm == 0 && ipo->ipo_ids)
2595 export_identities(&p, ipo->ipo_ids, 0, headers);
2596
2597 rval = 0;
2598 ret:
2599 return (rval);
2600 }
2601
2602 int
2603 pfkeyv2_sysctl_policydumper(struct ipsec_policy *ipo, void *arg,
2604 unsigned int tableid)
2605 {
2606 struct pfkeyv2_sysctl_walk *w = (struct pfkeyv2_sysctl_walk *)arg;
2607 void *buffer = NULL;
2608 int i, buflen, error = 0;
2609
2610 if (w->w_where) {
2611 void *headers[SADB_EXT_MAX + 1];
2612 struct sadb_msg msg;
2613
2614 bzero(headers, sizeof(headers));
2615 if ((error = pfkeyv2_dump_policy(ipo, headers, &buffer,
2616 &buflen)) != 0)
2617 goto done;
2618 if (w->w_len < buflen) {
2619 error = ENOMEM;
2620 goto done;
2621 }
2622 /* prepend header */
2623 bzero(&msg, sizeof(msg));
2624 msg.sadb_msg_version = PF_KEY_V2;
2625 if (ipo->ipo_sproto == IPPROTO_ESP)
2626 msg.sadb_msg_satype = SADB_SATYPE_ESP;
2627 else if (ipo->ipo_sproto == IPPROTO_AH)
2628 msg.sadb_msg_satype = SADB_SATYPE_AH;
2629 else if (ipo->ipo_sproto == IPPROTO_IPCOMP)
2630 msg.sadb_msg_satype = SADB_X_SATYPE_IPCOMP;
2631 else if (ipo->ipo_sproto == IPPROTO_IPIP)
2632 msg.sadb_msg_satype = SADB_X_SATYPE_IPIP;
2633 msg.sadb_msg_type = SADB_X_SPDDUMP;
2634 msg.sadb_msg_len = (sizeof(msg) + buflen) / sizeof(uint64_t);
2635 if ((error = copyout(&msg, w->w_where, sizeof(msg))) != 0)
2636 goto done;
2637 w->w_where += sizeof(msg);
2638 w->w_len -= sizeof(msg);
2639 /* set extension type */
2640 for (i = 1; i <= SADB_EXT_MAX; i++)
2641 if (headers[i])
2642 ((struct sadb_ext *)
2643 headers[i])->sadb_ext_type = i;
2644 if ((error = copyout(buffer, w->w_where, buflen)) != 0)
2645 goto done;
2646 w->w_where += buflen;
2647 w->w_len -= buflen;
2648 } else {
2649 if ((error = pfkeyv2_dump_policy(ipo, NULL, NULL,
2650 &buflen)) != 0)
2651 goto done;
2652 w->w_len += buflen;
2653 w->w_len += sizeof(struct sadb_msg);
2654 }
2655
2656 done:
2657 if (buffer)
2658 free(buffer, M_PFKEY, buflen);
2659 return (error);
2660 }
2661
2662 int
2663 pfkeyv2_policy_flush(struct ipsec_policy *ipo, void *arg, unsigned int tableid)
2664 {
2665 int error;
2666
2667 error = ipsec_delete_policy(ipo);
2668 if (error == 0)
2669 error = EAGAIN;
2670
2671 return (error);
2672 }
2673
2674 int
2675 pfkeyv2_sysctl(int *name, u_int namelen, void *oldp, size_t *oldlenp,
2676 void *new, size_t newlen)
2677 {
2678 struct pfkeyv2_sysctl_walk w;
2679 int error = EINVAL;
2680 u_int rdomain;
2681 u_int tableid;
2682
2683 if (new)
2684 return (EPERM);
2685 if (namelen < 1)
2686 return (EINVAL);
2687 w.w_op = name[0];
2688 w.w_satype = name[1];
2689 w.w_where = oldp;
2690 w.w_len = oldp ? *oldlenp : 0;
2691
2692 if (namelen == 3) {
2693 tableid = name[2];
2694 if (!rtable_exists(tableid))
2695 return (ENOENT);
2696 } else
2697 tableid = curproc->p_p->ps_rtableid;
2698 rdomain = rtable_l2(tableid);
2699
2700 switch(w.w_op) {
2701 case NET_KEY_SADB_DUMP:
2702 if ((error = suser(curproc)) != 0)
2703 return (error);
2704 NET_LOCK();
2705 error = tdb_walk(rdomain, pfkeyv2_sysctl_walker, &w);
2706 NET_UNLOCK();
2707 if (oldp)
2708 *oldlenp = w.w_where - oldp;
2709 else
2710 *oldlenp = w.w_len;
2711 break;
2712
2713 case NET_KEY_SPD_DUMP:
2714 NET_LOCK();
2715 error = spd_table_walk(rdomain,
2716 pfkeyv2_sysctl_policydumper, &w);
2717 NET_UNLOCK();
2718 if (oldp)
2719 *oldlenp = w.w_where - oldp;
2720 else
2721 *oldlenp = w.w_len;
2722 break;
2723 }
2724
2725 return (error);
2726 }
Cache object: e92d03debd3679b85b774bf19a41d8e2
|