The Design and Implementation of the FreeBSD Operating System, Second Edition
Now available: The Design and Implementation of the FreeBSD Operating System (Second Edition)


[ source navigation ] [ diff markup ] [ identifier search ] [ freetext search ] [ file search ] [ list types ] [ track identifier ]

FreeBSD/Linux Kernel Cross Reference
sys/netipsec/key.c

Version: -  FREEBSD  -  FREEBSD-13-STABLE  -  FREEBSD-13-0  -  FREEBSD-12-STABLE  -  FREEBSD-12-0  -  FREEBSD-11-STABLE  -  FREEBSD-11-0  -  FREEBSD-10-STABLE  -  FREEBSD-10-0  -  FREEBSD-9-STABLE  -  FREEBSD-9-0  -  FREEBSD-8-STABLE  -  FREEBSD-8-0  -  FREEBSD-7-STABLE  -  FREEBSD-7-0  -  FREEBSD-6-STABLE  -  FREEBSD-6-0  -  FREEBSD-5-STABLE  -  FREEBSD-5-0  -  FREEBSD-4-STABLE  -  FREEBSD-3-STABLE  -  FREEBSD22  -  l41  -  OPENBSD  -  linux-2.6  -  MK84  -  PLAN9  -  xnu-8792 
SearchContext: -  none  -  3  -  10 

    1 /*      $FreeBSD: releng/11.2/sys/netipsec/key.c 331722 2018-03-29 02:50:57Z eadler $   */
    2 /*      $KAME: key.c,v 1.191 2001/06/27 10:46:49 sakane Exp $   */
    3 
    4 /*-
    5  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
    6  * All rights reserved.
    7  *
    8  * Redistribution and use in source and binary forms, with or without
    9  * modification, are permitted provided that the following conditions
   10  * are met:
   11  * 1. Redistributions of source code must retain the above copyright
   12  *    notice, this list of conditions and the following disclaimer.
   13  * 2. Redistributions in binary form must reproduce the above copyright
   14  *    notice, this list of conditions and the following disclaimer in the
   15  *    documentation and/or other materials provided with the distribution.
   16  * 3. Neither the name of the project nor the names of its contributors
   17  *    may be used to endorse or promote products derived from this software
   18  *    without specific prior written permission.
   19  *
   20  * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
   21  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
   22  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
   23  * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
   24  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
   25  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
   26  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
   27  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
   28  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
   29  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
   30  * SUCH DAMAGE.
   31  */
   32 
   33 /*
   34  * This code is referd to RFC 2367
   35  */
   36 
   37 #include "opt_inet.h"
   38 #include "opt_inet6.h"
   39 #include "opt_ipsec.h"
   40 
   41 #include <sys/types.h>
   42 #include <sys/param.h>
   43 #include <sys/systm.h>
   44 #include <sys/kernel.h>
   45 #include <sys/fnv_hash.h>
   46 #include <sys/lock.h>
   47 #include <sys/mutex.h>
   48 #include <sys/mbuf.h>
   49 #include <sys/domain.h>
   50 #include <sys/protosw.h>
   51 #include <sys/malloc.h>
   52 #include <sys/rmlock.h>
   53 #include <sys/socket.h>
   54 #include <sys/socketvar.h>
   55 #include <sys/sysctl.h>
   56 #include <sys/errno.h>
   57 #include <sys/proc.h>
   58 #include <sys/queue.h>
   59 #include <sys/refcount.h>
   60 #include <sys/syslog.h>
   61 
   62 #include <vm/uma.h>
   63 
   64 #include <net/if.h>
   65 #include <net/if_var.h>
   66 #include <net/vnet.h>
   67 #include <net/raw_cb.h>
   68 
   69 #include <netinet/in.h>
   70 #include <netinet/in_systm.h>
   71 #include <netinet/ip.h>
   72 #include <netinet/in_var.h>
   73 #include <netinet/udp.h>
   74 
   75 #ifdef INET6
   76 #include <netinet/ip6.h>
   77 #include <netinet6/in6_var.h>
   78 #include <netinet6/ip6_var.h>
   79 #endif /* INET6 */
   80 
   81 #include <net/pfkeyv2.h>
   82 #include <netipsec/keydb.h>
   83 #include <netipsec/key.h>
   84 #include <netipsec/keysock.h>
   85 #include <netipsec/key_debug.h>
   86 
   87 #include <netipsec/ipsec.h>
   88 #ifdef INET6
   89 #include <netipsec/ipsec6.h>
   90 #endif
   91 
   92 #include <netipsec/xform.h>
   93 #include <machine/in_cksum.h>
   94 #include <machine/stdarg.h>
   95 
   96 /* randomness */
   97 #include <sys/random.h>
   98 
   99 #define FULLMASK        0xff
  100 #define _BITS(bytes)    ((bytes) << 3)
  101 
  102 /*
  103  * Note on SA reference counting:
  104  * - SAs that are not in DEAD state will have (total external reference + 1)
  105  *   following value in reference count field.  they cannot be freed and are
  106  *   referenced from SA header.
  107  * - SAs that are in DEAD state will have (total external reference)
  108  *   in reference count field.  they are ready to be freed.  reference from
  109  *   SA header will be removed in key_delsav(), when the reference count
  110  *   field hits 0 (= no external reference other than from SA header.
  111  */
  112 
  113 VNET_DEFINE(u_int32_t, key_debug_level) = 0;
  114 static VNET_DEFINE(u_int, key_spi_trycnt) = 1000;
  115 static VNET_DEFINE(u_int32_t, key_spi_minval) = 0x100;
  116 static VNET_DEFINE(u_int32_t, key_spi_maxval) = 0x0fffffff;     /* XXX */
  117 static VNET_DEFINE(u_int32_t, policy_id) = 0;
  118 /*interval to initialize randseed,1(m)*/
  119 static VNET_DEFINE(u_int, key_int_random) = 60;
  120 /* interval to expire acquiring, 30(s)*/
  121 static VNET_DEFINE(u_int, key_larval_lifetime) = 30;
  122 /* counter for blocking SADB_ACQUIRE.*/
  123 static VNET_DEFINE(int, key_blockacq_count) = 10;
  124 /* lifetime for blocking SADB_ACQUIRE.*/
  125 static VNET_DEFINE(int, key_blockacq_lifetime) = 20;
  126 /* preferred old sa rather than new sa.*/
  127 static VNET_DEFINE(int, key_preferred_oldsa) = 1;
  128 #define V_key_spi_trycnt        VNET(key_spi_trycnt)
  129 #define V_key_spi_minval        VNET(key_spi_minval)
  130 #define V_key_spi_maxval        VNET(key_spi_maxval)
  131 #define V_policy_id             VNET(policy_id)
  132 #define V_key_int_random        VNET(key_int_random)
  133 #define V_key_larval_lifetime   VNET(key_larval_lifetime)
  134 #define V_key_blockacq_count    VNET(key_blockacq_count)
  135 #define V_key_blockacq_lifetime VNET(key_blockacq_lifetime)
  136 #define V_key_preferred_oldsa   VNET(key_preferred_oldsa)
  137 
  138 static VNET_DEFINE(u_int32_t, acq_seq) = 0;
  139 #define V_acq_seq               VNET(acq_seq)
  140 
  141 static VNET_DEFINE(uint32_t, sp_genid) = 0;
  142 #define V_sp_genid              VNET(sp_genid)
  143 
  144 /* SPD */
  145 TAILQ_HEAD(secpolicy_queue, secpolicy);
  146 LIST_HEAD(secpolicy_list, secpolicy);
  147 static VNET_DEFINE(struct secpolicy_queue, sptree[IPSEC_DIR_MAX]);
  148 static VNET_DEFINE(struct secpolicy_queue, sptree_ifnet[IPSEC_DIR_MAX]);
  149 static struct rmlock sptree_lock;
  150 #define V_sptree                VNET(sptree)
  151 #define V_sptree_ifnet          VNET(sptree_ifnet)
  152 #define SPTREE_LOCK_INIT()      rm_init(&sptree_lock, "sptree")
  153 #define SPTREE_LOCK_DESTROY()   rm_destroy(&sptree_lock)
  154 #define SPTREE_RLOCK_TRACKER    struct rm_priotracker sptree_tracker
  155 #define SPTREE_RLOCK()          rm_rlock(&sptree_lock, &sptree_tracker)
  156 #define SPTREE_RUNLOCK()        rm_runlock(&sptree_lock, &sptree_tracker)
  157 #define SPTREE_RLOCK_ASSERT()   rm_assert(&sptree_lock, RA_RLOCKED)
  158 #define SPTREE_WLOCK()          rm_wlock(&sptree_lock)
  159 #define SPTREE_WUNLOCK()        rm_wunlock(&sptree_lock)
  160 #define SPTREE_WLOCK_ASSERT()   rm_assert(&sptree_lock, RA_WLOCKED)
  161 #define SPTREE_UNLOCK_ASSERT()  rm_assert(&sptree_lock, RA_UNLOCKED)
  162 
  163 /* Hash table for lookup SP using unique id */
  164 static VNET_DEFINE(struct secpolicy_list *, sphashtbl);
  165 static VNET_DEFINE(u_long, sphash_mask);
  166 #define V_sphashtbl             VNET(sphashtbl)
  167 #define V_sphash_mask           VNET(sphash_mask)
  168 
  169 #define SPHASH_NHASH_LOG2       7
  170 #define SPHASH_NHASH            (1 << SPHASH_NHASH_LOG2)
  171 #define SPHASH_HASHVAL(id)      (key_u32hash(id) & V_sphash_mask)
  172 #define SPHASH_HASH(id)         &V_sphashtbl[SPHASH_HASHVAL(id)]
  173 
  174 /* SAD */
  175 TAILQ_HEAD(secashead_queue, secashead);
  176 LIST_HEAD(secashead_list, secashead);
  177 static VNET_DEFINE(struct secashead_queue, sahtree);
  178 static struct rmlock sahtree_lock;
  179 #define V_sahtree               VNET(sahtree)
  180 #define SAHTREE_LOCK_INIT()     rm_init(&sahtree_lock, "sahtree")
  181 #define SAHTREE_LOCK_DESTROY()  rm_destroy(&sahtree_lock)
  182 #define SAHTREE_RLOCK_TRACKER   struct rm_priotracker sahtree_tracker
  183 #define SAHTREE_RLOCK()         rm_rlock(&sahtree_lock, &sahtree_tracker)
  184 #define SAHTREE_RUNLOCK()       rm_runlock(&sahtree_lock, &sahtree_tracker)
  185 #define SAHTREE_RLOCK_ASSERT()  rm_assert(&sahtree_lock, RA_RLOCKED)
  186 #define SAHTREE_WLOCK()         rm_wlock(&sahtree_lock)
  187 #define SAHTREE_WUNLOCK()       rm_wunlock(&sahtree_lock)
  188 #define SAHTREE_WLOCK_ASSERT()  rm_assert(&sahtree_lock, RA_WLOCKED)
  189 #define SAHTREE_UNLOCK_ASSERT() rm_assert(&sahtree_lock, RA_UNLOCKED)
  190 
  191 /* Hash table for lookup in SAD using SA addresses */
  192 static VNET_DEFINE(struct secashead_list *, sahaddrhashtbl);
  193 static VNET_DEFINE(u_long, sahaddrhash_mask);
  194 #define V_sahaddrhashtbl        VNET(sahaddrhashtbl)
  195 #define V_sahaddrhash_mask      VNET(sahaddrhash_mask)
  196 
  197 #define SAHHASH_NHASH_LOG2      7
  198 #define SAHHASH_NHASH           (1 << SAHHASH_NHASH_LOG2)
  199 #define SAHADDRHASH_HASHVAL(saidx)      \
  200     (key_saidxhash(saidx) & V_sahaddrhash_mask)
  201 #define SAHADDRHASH_HASH(saidx)         \
  202     &V_sahaddrhashtbl[SAHADDRHASH_HASHVAL(saidx)]
  203 
  204 /* Hash table for lookup in SAD using SPI */
  205 LIST_HEAD(secasvar_list, secasvar);
  206 static VNET_DEFINE(struct secasvar_list *, savhashtbl);
  207 static VNET_DEFINE(u_long, savhash_mask);
  208 #define V_savhashtbl            VNET(savhashtbl)
  209 #define V_savhash_mask          VNET(savhash_mask)
  210 #define SAVHASH_NHASH_LOG2      7
  211 #define SAVHASH_NHASH           (1 << SAVHASH_NHASH_LOG2)
  212 #define SAVHASH_HASHVAL(spi)    (key_u32hash(spi) & V_savhash_mask)
  213 #define SAVHASH_HASH(spi)       &V_savhashtbl[SAVHASH_HASHVAL(spi)]
  214 
  215 static uint32_t
  216 key_saidxhash(const struct secasindex *saidx)
  217 {
  218         uint32_t hval;
  219 
  220         hval = fnv_32_buf(&saidx->proto, sizeof(saidx->proto),
  221             FNV1_32_INIT);
  222         switch (saidx->dst.sa.sa_family) {
  223 #ifdef INET
  224         case AF_INET:
  225                 hval = fnv_32_buf(&saidx->src.sin.sin_addr,
  226                     sizeof(in_addr_t), hval);
  227                 hval = fnv_32_buf(&saidx->dst.sin.sin_addr,
  228                     sizeof(in_addr_t), hval);
  229                 break;
  230 #endif
  231 #ifdef INET6
  232         case AF_INET6:
  233                 hval = fnv_32_buf(&saidx->src.sin6.sin6_addr,
  234                     sizeof(struct in6_addr), hval);
  235                 hval = fnv_32_buf(&saidx->dst.sin6.sin6_addr,
  236                     sizeof(struct in6_addr), hval);
  237                 break;
  238 #endif
  239         default:
  240                 hval = 0;
  241                 ipseclog((LOG_DEBUG, "%s: unknown address family %d",
  242                     __func__, saidx->dst.sa.sa_family));
  243         }
  244         return (hval);
  245 }
  246 
  247 static uint32_t
  248 key_u32hash(uint32_t val)
  249 {
  250 
  251         return (fnv_32_buf(&val, sizeof(val), FNV1_32_INIT));
  252 }
  253 
  254                                                         /* registed list */
  255 static VNET_DEFINE(LIST_HEAD(_regtree, secreg), regtree[SADB_SATYPE_MAX + 1]);
  256 #define V_regtree               VNET(regtree)
  257 static struct mtx regtree_lock;
  258 #define REGTREE_LOCK_INIT() \
  259         mtx_init(&regtree_lock, "regtree", "fast ipsec regtree", MTX_DEF)
  260 #define REGTREE_LOCK_DESTROY()  mtx_destroy(&regtree_lock)
  261 #define REGTREE_LOCK()          mtx_lock(&regtree_lock)
  262 #define REGTREE_UNLOCK()        mtx_unlock(&regtree_lock)
  263 #define REGTREE_LOCK_ASSERT()   mtx_assert(&regtree_lock, MA_OWNED)
  264 
  265 /* Acquiring list */
  266 LIST_HEAD(secacq_list, secacq);
  267 static VNET_DEFINE(struct secacq_list, acqtree);
  268 #define V_acqtree               VNET(acqtree)
  269 static struct mtx acq_lock;
  270 #define ACQ_LOCK_INIT() \
  271     mtx_init(&acq_lock, "acqtree", "ipsec SA acquiring list", MTX_DEF)
  272 #define ACQ_LOCK_DESTROY()      mtx_destroy(&acq_lock)
  273 #define ACQ_LOCK()              mtx_lock(&acq_lock)
  274 #define ACQ_UNLOCK()            mtx_unlock(&acq_lock)
  275 #define ACQ_LOCK_ASSERT()       mtx_assert(&acq_lock, MA_OWNED)
  276 
  277 /* Hash table for lookup in ACQ list using SA addresses */
  278 static VNET_DEFINE(struct secacq_list *, acqaddrhashtbl);
  279 static VNET_DEFINE(u_long, acqaddrhash_mask);
  280 #define V_acqaddrhashtbl        VNET(acqaddrhashtbl)
  281 #define V_acqaddrhash_mask      VNET(acqaddrhash_mask)
  282 
  283 /* Hash table for lookup in ACQ list using SEQ number */
  284 static VNET_DEFINE(struct secacq_list *, acqseqhashtbl);
  285 static VNET_DEFINE(u_long, acqseqhash_mask);
  286 #define V_acqseqhashtbl         VNET(acqseqhashtbl)
  287 #define V_acqseqhash_mask       VNET(acqseqhash_mask)
  288 
  289 #define ACQHASH_NHASH_LOG2      7
  290 #define ACQHASH_NHASH           (1 << ACQHASH_NHASH_LOG2)
  291 #define ACQADDRHASH_HASHVAL(saidx)      \
  292     (key_saidxhash(saidx) & V_acqaddrhash_mask)
  293 #define ACQSEQHASH_HASHVAL(seq)         \
  294     (key_u32hash(seq) & V_acqseqhash_mask)
  295 #define ACQADDRHASH_HASH(saidx) \
  296     &V_acqaddrhashtbl[ACQADDRHASH_HASHVAL(saidx)]
  297 #define ACQSEQHASH_HASH(seq)    \
  298     &V_acqseqhashtbl[ACQSEQHASH_HASHVAL(seq)]
  299                                                         /* SP acquiring list */
  300 static VNET_DEFINE(LIST_HEAD(_spacqtree, secspacq), spacqtree);
  301 #define V_spacqtree             VNET(spacqtree)
  302 static struct mtx spacq_lock;
  303 #define SPACQ_LOCK_INIT() \
  304         mtx_init(&spacq_lock, "spacqtree", \
  305                 "fast ipsec security policy acquire list", MTX_DEF)
  306 #define SPACQ_LOCK_DESTROY()    mtx_destroy(&spacq_lock)
  307 #define SPACQ_LOCK()            mtx_lock(&spacq_lock)
  308 #define SPACQ_UNLOCK()          mtx_unlock(&spacq_lock)
  309 #define SPACQ_LOCK_ASSERT()     mtx_assert(&spacq_lock, MA_OWNED)
  310 
  311 static const int minsize[] = {
  312         sizeof(struct sadb_msg),        /* SADB_EXT_RESERVED */
  313         sizeof(struct sadb_sa),         /* SADB_EXT_SA */
  314         sizeof(struct sadb_lifetime),   /* SADB_EXT_LIFETIME_CURRENT */
  315         sizeof(struct sadb_lifetime),   /* SADB_EXT_LIFETIME_HARD */
  316         sizeof(struct sadb_lifetime),   /* SADB_EXT_LIFETIME_SOFT */
  317         sizeof(struct sadb_address),    /* SADB_EXT_ADDRESS_SRC */
  318         sizeof(struct sadb_address),    /* SADB_EXT_ADDRESS_DST */
  319         sizeof(struct sadb_address),    /* SADB_EXT_ADDRESS_PROXY */
  320         sizeof(struct sadb_key),        /* SADB_EXT_KEY_AUTH */
  321         sizeof(struct sadb_key),        /* SADB_EXT_KEY_ENCRYPT */
  322         sizeof(struct sadb_ident),      /* SADB_EXT_IDENTITY_SRC */
  323         sizeof(struct sadb_ident),      /* SADB_EXT_IDENTITY_DST */
  324         sizeof(struct sadb_sens),       /* SADB_EXT_SENSITIVITY */
  325         sizeof(struct sadb_prop),       /* SADB_EXT_PROPOSAL */
  326         sizeof(struct sadb_supported),  /* SADB_EXT_SUPPORTED_AUTH */
  327         sizeof(struct sadb_supported),  /* SADB_EXT_SUPPORTED_ENCRYPT */
  328         sizeof(struct sadb_spirange),   /* SADB_EXT_SPIRANGE */
  329         0,                              /* SADB_X_EXT_KMPRIVATE */
  330         sizeof(struct sadb_x_policy),   /* SADB_X_EXT_POLICY */
  331         sizeof(struct sadb_x_sa2),      /* SADB_X_SA2 */
  332         sizeof(struct sadb_x_nat_t_type),/* SADB_X_EXT_NAT_T_TYPE */
  333         sizeof(struct sadb_x_nat_t_port),/* SADB_X_EXT_NAT_T_SPORT */
  334         sizeof(struct sadb_x_nat_t_port),/* SADB_X_EXT_NAT_T_DPORT */
  335         sizeof(struct sadb_address),    /* SADB_X_EXT_NAT_T_OAI */
  336         sizeof(struct sadb_address),    /* SADB_X_EXT_NAT_T_OAR */
  337         sizeof(struct sadb_x_nat_t_frag),/* SADB_X_EXT_NAT_T_FRAG */
  338         sizeof(struct sadb_x_sa_replay), /* SADB_X_EXT_SA_REPLAY */
  339         sizeof(struct sadb_address),    /* SADB_X_EXT_NEW_ADDRESS_SRC */
  340         sizeof(struct sadb_address),    /* SADB_X_EXT_NEW_ADDRESS_DST */
  341 };
  342 _Static_assert(sizeof(minsize)/sizeof(int) == SADB_EXT_MAX + 1, "minsize size mismatch");
  343 
  344 static const int maxsize[] = {
  345         sizeof(struct sadb_msg),        /* SADB_EXT_RESERVED */
  346         sizeof(struct sadb_sa),         /* SADB_EXT_SA */
  347         sizeof(struct sadb_lifetime),   /* SADB_EXT_LIFETIME_CURRENT */
  348         sizeof(struct sadb_lifetime),   /* SADB_EXT_LIFETIME_HARD */
  349         sizeof(struct sadb_lifetime),   /* SADB_EXT_LIFETIME_SOFT */
  350         0,                              /* SADB_EXT_ADDRESS_SRC */
  351         0,                              /* SADB_EXT_ADDRESS_DST */
  352         0,                              /* SADB_EXT_ADDRESS_PROXY */
  353         0,                              /* SADB_EXT_KEY_AUTH */
  354         0,                              /* SADB_EXT_KEY_ENCRYPT */
  355         0,                              /* SADB_EXT_IDENTITY_SRC */
  356         0,                              /* SADB_EXT_IDENTITY_DST */
  357         0,                              /* SADB_EXT_SENSITIVITY */
  358         0,                              /* SADB_EXT_PROPOSAL */
  359         0,                              /* SADB_EXT_SUPPORTED_AUTH */
  360         0,                              /* SADB_EXT_SUPPORTED_ENCRYPT */
  361         sizeof(struct sadb_spirange),   /* SADB_EXT_SPIRANGE */
  362         0,                              /* SADB_X_EXT_KMPRIVATE */
  363         0,                              /* SADB_X_EXT_POLICY */
  364         sizeof(struct sadb_x_sa2),      /* SADB_X_SA2 */
  365         sizeof(struct sadb_x_nat_t_type),/* SADB_X_EXT_NAT_T_TYPE */
  366         sizeof(struct sadb_x_nat_t_port),/* SADB_X_EXT_NAT_T_SPORT */
  367         sizeof(struct sadb_x_nat_t_port),/* SADB_X_EXT_NAT_T_DPORT */
  368         0,                              /* SADB_X_EXT_NAT_T_OAI */
  369         0,                              /* SADB_X_EXT_NAT_T_OAR */
  370         sizeof(struct sadb_x_nat_t_frag),/* SADB_X_EXT_NAT_T_FRAG */
  371         sizeof(struct sadb_x_sa_replay), /* SADB_X_EXT_SA_REPLAY */
  372         0,                              /* SADB_X_EXT_NEW_ADDRESS_SRC */
  373         0,                              /* SADB_X_EXT_NEW_ADDRESS_DST */
  374 };
  375 _Static_assert(sizeof(maxsize)/sizeof(int) == SADB_EXT_MAX + 1, "minsize size mismatch");
  376 
  377 /*
  378  * Internal values for SA flags:
  379  * SADB_X_EXT_F_CLONED means that SA was cloned by key_updateaddresses,
  380  *      thus we will not free the most of SA content in key_delsav().
  381  */
  382 #define SADB_X_EXT_F_CLONED     0x80000000
  383 
  384 #define SADB_CHECKLEN(_mhp, _ext)                       \
  385     ((_mhp)->extlen[(_ext)] < minsize[(_ext)] || (maxsize[(_ext)] != 0 && \
  386         ((_mhp)->extlen[(_ext)] > maxsize[(_ext)])))
  387 #define SADB_CHECKHDR(_mhp, _ext)       ((_mhp)->ext[(_ext)] == NULL)
  388 
  389 static VNET_DEFINE(int, ipsec_esp_keymin) = 256;
  390 static VNET_DEFINE(int, ipsec_esp_auth) = 0;
  391 static VNET_DEFINE(int, ipsec_ah_keymin) = 128;
  392 
  393 #define V_ipsec_esp_keymin      VNET(ipsec_esp_keymin)
  394 #define V_ipsec_esp_auth        VNET(ipsec_esp_auth)
  395 #define V_ipsec_ah_keymin       VNET(ipsec_ah_keymin)
  396 
  397 #ifdef IPSEC_DEBUG
  398 VNET_DEFINE(int, ipsec_debug) = 1;
  399 #else
  400 VNET_DEFINE(int, ipsec_debug) = 0;
  401 #endif
  402 
  403 #ifdef INET
  404 SYSCTL_DECL(_net_inet_ipsec);
  405 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEBUG, debug,
  406     CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(ipsec_debug), 0,
  407     "Enable IPsec debugging output when set.");
  408 #endif
  409 #ifdef INET6
  410 SYSCTL_DECL(_net_inet6_ipsec6);
  411 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEBUG, debug,
  412     CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(ipsec_debug), 0,
  413     "Enable IPsec debugging output when set.");
  414 #endif
  415 
  416 SYSCTL_DECL(_net_key);
  417 SYSCTL_INT(_net_key, KEYCTL_DEBUG_LEVEL,        debug,
  418         CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(key_debug_level), 0, "");
  419 
  420 /* max count of trial for the decision of spi value */
  421 SYSCTL_INT(_net_key, KEYCTL_SPI_TRY, spi_trycnt,
  422         CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(key_spi_trycnt), 0, "");
  423 
  424 /* minimum spi value to allocate automatically. */
  425 SYSCTL_INT(_net_key, KEYCTL_SPI_MIN_VALUE, spi_minval,
  426         CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(key_spi_minval), 0, "");
  427 
  428 /* maximun spi value to allocate automatically. */
  429 SYSCTL_INT(_net_key, KEYCTL_SPI_MAX_VALUE, spi_maxval,
  430         CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(key_spi_maxval), 0, "");
  431 
  432 /* interval to initialize randseed */
  433 SYSCTL_INT(_net_key, KEYCTL_RANDOM_INT, int_random,
  434         CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(key_int_random), 0, "");
  435 
  436 /* lifetime for larval SA */
  437 SYSCTL_INT(_net_key, KEYCTL_LARVAL_LIFETIME, larval_lifetime,
  438         CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(key_larval_lifetime), 0, "");
  439 
  440 /* counter for blocking to send SADB_ACQUIRE to IKEd */
  441 SYSCTL_INT(_net_key, KEYCTL_BLOCKACQ_COUNT, blockacq_count,
  442         CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(key_blockacq_count), 0, "");
  443 
  444 /* lifetime for blocking to send SADB_ACQUIRE to IKEd */
  445 SYSCTL_INT(_net_key, KEYCTL_BLOCKACQ_LIFETIME, blockacq_lifetime,
  446         CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(key_blockacq_lifetime), 0, "");
  447 
  448 /* ESP auth */
  449 SYSCTL_INT(_net_key, KEYCTL_ESP_AUTH, esp_auth,
  450         CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(ipsec_esp_auth), 0, "");
  451 
  452 /* minimum ESP key length */
  453 SYSCTL_INT(_net_key, KEYCTL_ESP_KEYMIN, esp_keymin,
  454         CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(ipsec_esp_keymin), 0, "");
  455 
  456 /* minimum AH key length */
  457 SYSCTL_INT(_net_key, KEYCTL_AH_KEYMIN, ah_keymin,
  458         CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(ipsec_ah_keymin), 0, "");
  459 
  460 /* perfered old SA rather than new SA */
  461 SYSCTL_INT(_net_key, KEYCTL_PREFERED_OLDSA, preferred_oldsa,
  462         CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(key_preferred_oldsa), 0, "");
  463 
  464 #define __LIST_CHAINED(elm) \
  465         (!((elm)->chain.le_next == NULL && (elm)->chain.le_prev == NULL))
  466 
  467 MALLOC_DEFINE(M_IPSEC_SA, "secasvar", "ipsec security association");
  468 MALLOC_DEFINE(M_IPSEC_SAH, "sahead", "ipsec sa head");
  469 MALLOC_DEFINE(M_IPSEC_SP, "ipsecpolicy", "ipsec security policy");
  470 MALLOC_DEFINE(M_IPSEC_SR, "ipsecrequest", "ipsec security request");
  471 MALLOC_DEFINE(M_IPSEC_MISC, "ipsec-misc", "ipsec miscellaneous");
  472 MALLOC_DEFINE(M_IPSEC_SAQ, "ipsec-saq", "ipsec sa acquire");
  473 MALLOC_DEFINE(M_IPSEC_SAR, "ipsec-reg", "ipsec sa acquire");
  474 
  475 static VNET_DEFINE(uma_zone_t, key_lft_zone);
  476 #define V_key_lft_zone          VNET(key_lft_zone)
  477 
  478 static LIST_HEAD(xforms_list, xformsw) xforms = LIST_HEAD_INITIALIZER();
  479 static struct mtx xforms_lock;
  480 #define XFORMS_LOCK_INIT()      \
  481     mtx_init(&xforms_lock, "xforms_list", "IPsec transforms list", MTX_DEF)
  482 #define XFORMS_LOCK_DESTROY()   mtx_destroy(&xforms_lock)
  483 #define XFORMS_LOCK()           mtx_lock(&xforms_lock)
  484 #define XFORMS_UNLOCK()         mtx_unlock(&xforms_lock)
  485 
  486 /*
  487  * set parameters into secpolicyindex buffer.
  488  * Must allocate secpolicyindex buffer passed to this function.
  489  */
  490 #define KEY_SETSECSPIDX(_dir, s, d, ps, pd, ulp, idx) \
  491 do { \
  492         bzero((idx), sizeof(struct secpolicyindex));                         \
  493         (idx)->dir = (_dir);                                                 \
  494         (idx)->prefs = (ps);                                                 \
  495         (idx)->prefd = (pd);                                                 \
  496         (idx)->ul_proto = (ulp);                                             \
  497         bcopy((s), &(idx)->src, ((const struct sockaddr *)(s))->sa_len);     \
  498         bcopy((d), &(idx)->dst, ((const struct sockaddr *)(d))->sa_len);     \
  499 } while (0)
  500 
  501 /*
  502  * set parameters into secasindex buffer.
  503  * Must allocate secasindex buffer before calling this function.
  504  */
  505 #define KEY_SETSECASIDX(p, m, r, s, d, idx) \
  506 do { \
  507         bzero((idx), sizeof(struct secasindex));                             \
  508         (idx)->proto = (p);                                                  \
  509         (idx)->mode = (m);                                                   \
  510         (idx)->reqid = (r);                                                  \
  511         bcopy((s), &(idx)->src, ((const struct sockaddr *)(s))->sa_len);     \
  512         bcopy((d), &(idx)->dst, ((const struct sockaddr *)(d))->sa_len);     \
  513         key_porttosaddr(&(idx)->src.sa, 0);                                  \
  514         key_porttosaddr(&(idx)->dst.sa, 0);                                  \
  515 } while (0)
  516 
  517 /* key statistics */
  518 struct _keystat {
  519         u_long getspi_count; /* the avarage of count to try to get new SPI */
  520 } keystat;
  521 
  522 struct sadb_msghdr {
  523         struct sadb_msg *msg;
  524         struct sadb_ext *ext[SADB_EXT_MAX + 1];
  525         int extoff[SADB_EXT_MAX + 1];
  526         int extlen[SADB_EXT_MAX + 1];
  527 };
  528 
  529 static struct supported_ealgs {
  530         int sadb_alg;
  531         const struct enc_xform *xform;
  532 } supported_ealgs[] = {
  533         { SADB_EALG_DESCBC,             &enc_xform_des },
  534         { SADB_EALG_3DESCBC,            &enc_xform_3des },
  535         { SADB_X_EALG_AES,              &enc_xform_rijndael128 },
  536         { SADB_X_EALG_BLOWFISHCBC,      &enc_xform_blf },
  537         { SADB_X_EALG_CAST128CBC,       &enc_xform_cast5 },
  538         { SADB_EALG_NULL,               &enc_xform_null },
  539         { SADB_X_EALG_CAMELLIACBC,      &enc_xform_camellia },
  540         { SADB_X_EALG_AESCTR,           &enc_xform_aes_icm },
  541         { SADB_X_EALG_AESGCM16,         &enc_xform_aes_nist_gcm },
  542         { SADB_X_EALG_AESGMAC,          &enc_xform_aes_nist_gmac },
  543 };
  544 
  545 static struct supported_aalgs {
  546         int sadb_alg;
  547         const struct auth_hash *xform;
  548 } supported_aalgs[] = {
  549         { SADB_X_AALG_NULL,             &auth_hash_null },
  550         { SADB_AALG_MD5HMAC,            &auth_hash_hmac_md5 },
  551         { SADB_AALG_SHA1HMAC,           &auth_hash_hmac_sha1 },
  552         { SADB_X_AALG_RIPEMD160HMAC,    &auth_hash_hmac_ripemd_160 },
  553         { SADB_X_AALG_MD5,              &auth_hash_key_md5 },
  554         { SADB_X_AALG_SHA,              &auth_hash_key_sha1 },
  555         { SADB_X_AALG_SHA2_256,         &auth_hash_hmac_sha2_256 },
  556         { SADB_X_AALG_SHA2_384,         &auth_hash_hmac_sha2_384 },
  557         { SADB_X_AALG_SHA2_512,         &auth_hash_hmac_sha2_512 },
  558         { SADB_X_AALG_AES128GMAC,       &auth_hash_nist_gmac_aes_128 },
  559         { SADB_X_AALG_AES192GMAC,       &auth_hash_nist_gmac_aes_192 },
  560         { SADB_X_AALG_AES256GMAC,       &auth_hash_nist_gmac_aes_256 },
  561 };
  562 
  563 static struct supported_calgs {
  564         int sadb_alg;
  565         const struct comp_algo *xform;
  566 } supported_calgs[] = {
  567         { SADB_X_CALG_DEFLATE,          &comp_algo_deflate },
  568 };
  569 
  570 #ifndef IPSEC_DEBUG2
  571 static struct callout key_timer;
  572 #endif
  573 
  574 static void key_unlink(struct secpolicy *);
  575 static struct secpolicy *key_getsp(struct secpolicyindex *);
  576 static struct secpolicy *key_getspbyid(u_int32_t);
  577 static struct mbuf *key_gather_mbuf(struct mbuf *,
  578         const struct sadb_msghdr *, int, int, ...);
  579 static int key_spdadd(struct socket *, struct mbuf *,
  580         const struct sadb_msghdr *);
  581 static uint32_t key_getnewspid(void);
  582 static int key_spddelete(struct socket *, struct mbuf *,
  583         const struct sadb_msghdr *);
  584 static int key_spddelete2(struct socket *, struct mbuf *,
  585         const struct sadb_msghdr *);
  586 static int key_spdget(struct socket *, struct mbuf *,
  587         const struct sadb_msghdr *);
  588 static int key_spdflush(struct socket *, struct mbuf *,
  589         const struct sadb_msghdr *);
  590 static int key_spddump(struct socket *, struct mbuf *,
  591         const struct sadb_msghdr *);
  592 static struct mbuf *key_setdumpsp(struct secpolicy *,
  593         u_int8_t, u_int32_t, u_int32_t);
  594 static struct mbuf *key_sp2mbuf(struct secpolicy *);
  595 static size_t key_getspreqmsglen(struct secpolicy *);
  596 static int key_spdexpire(struct secpolicy *);
  597 static struct secashead *key_newsah(struct secasindex *);
  598 static void key_freesah(struct secashead **);
  599 static void key_delsah(struct secashead *);
  600 static struct secasvar *key_newsav(const struct sadb_msghdr *,
  601     struct secasindex *, uint32_t, int *);
  602 static void key_delsav(struct secasvar *);
  603 static void key_unlinksav(struct secasvar *);
  604 static struct secashead *key_getsah(struct secasindex *);
  605 static int key_checkspidup(uint32_t);
  606 static struct secasvar *key_getsavbyspi(uint32_t);
  607 static int key_setnatt(struct secasvar *, const struct sadb_msghdr *);
  608 static int key_setsaval(struct secasvar *, const struct sadb_msghdr *);
  609 static int key_updatelifetimes(struct secasvar *, const struct sadb_msghdr *);
  610 static int key_updateaddresses(struct socket *, struct mbuf *,
  611     const struct sadb_msghdr *, struct secasvar *, struct secasindex *);
  612 
  613 static struct mbuf *key_setdumpsa(struct secasvar *, u_int8_t,
  614         u_int8_t, u_int32_t, u_int32_t);
  615 static struct mbuf *key_setsadbmsg(u_int8_t, u_int16_t, u_int8_t,
  616         u_int32_t, pid_t, u_int16_t);
  617 static struct mbuf *key_setsadbsa(struct secasvar *);
  618 static struct mbuf *key_setsadbaddr(u_int16_t,
  619         const struct sockaddr *, u_int8_t, u_int16_t);
  620 static struct mbuf *key_setsadbxport(u_int16_t, u_int16_t);
  621 static struct mbuf *key_setsadbxtype(u_int16_t);
  622 static struct mbuf *key_setsadbxsa2(u_int8_t, u_int32_t, u_int32_t);
  623 static struct mbuf *key_setsadbxsareplay(u_int32_t);
  624 static struct mbuf *key_setsadbxpolicy(u_int16_t, u_int8_t,
  625         u_int32_t, u_int32_t);
  626 static struct seckey *key_dup_keymsg(const struct sadb_key *, size_t,
  627     struct malloc_type *);
  628 static struct seclifetime *key_dup_lifemsg(const struct sadb_lifetime *src,
  629     struct malloc_type *);
  630 
  631 /* flags for key_cmpsaidx() */
  632 #define CMP_HEAD        1       /* protocol, addresses. */
  633 #define CMP_MODE_REQID  2       /* additionally HEAD, reqid, mode. */
  634 #define CMP_REQID       3       /* additionally HEAD, reaid. */
  635 #define CMP_EXACTLY     4       /* all elements. */
  636 static int key_cmpsaidx(const struct secasindex *,
  637     const struct secasindex *, int);
  638 static int key_cmpspidx_exactly(struct secpolicyindex *,
  639     struct secpolicyindex *);
  640 static int key_cmpspidx_withmask(struct secpolicyindex *,
  641     struct secpolicyindex *);
  642 static int key_bbcmp(const void *, const void *, u_int);
  643 static uint8_t key_satype2proto(uint8_t);
  644 static uint8_t key_proto2satype(uint8_t);
  645 
  646 static int key_getspi(struct socket *, struct mbuf *,
  647         const struct sadb_msghdr *);
  648 static uint32_t key_do_getnewspi(struct sadb_spirange *, struct secasindex *);
  649 static int key_update(struct socket *, struct mbuf *,
  650         const struct sadb_msghdr *);
  651 static int key_add(struct socket *, struct mbuf *,
  652         const struct sadb_msghdr *);
  653 static int key_setident(struct secashead *, const struct sadb_msghdr *);
  654 static struct mbuf *key_getmsgbuf_x1(struct mbuf *,
  655         const struct sadb_msghdr *);
  656 static int key_delete(struct socket *, struct mbuf *,
  657         const struct sadb_msghdr *);
  658 static int key_delete_all(struct socket *, struct mbuf *,
  659         const struct sadb_msghdr *, struct secasindex *);
  660 static void key_delete_xform(const struct xformsw *);
  661 static int key_get(struct socket *, struct mbuf *,
  662         const struct sadb_msghdr *);
  663 
  664 static void key_getcomb_setlifetime(struct sadb_comb *);
  665 static struct mbuf *key_getcomb_ealg(void);
  666 static struct mbuf *key_getcomb_ah(void);
  667 static struct mbuf *key_getcomb_ipcomp(void);
  668 static struct mbuf *key_getprop(const struct secasindex *);
  669 
  670 static int key_acquire(const struct secasindex *, struct secpolicy *);
  671 static uint32_t key_newacq(const struct secasindex *, int *);
  672 static uint32_t key_getacq(const struct secasindex *, int *);
  673 static int key_acqdone(const struct secasindex *, uint32_t);
  674 static int key_acqreset(uint32_t);
  675 static struct secspacq *key_newspacq(struct secpolicyindex *);
  676 static struct secspacq *key_getspacq(struct secpolicyindex *);
  677 static int key_acquire2(struct socket *, struct mbuf *,
  678         const struct sadb_msghdr *);
  679 static int key_register(struct socket *, struct mbuf *,
  680         const struct sadb_msghdr *);
  681 static int key_expire(struct secasvar *, int);
  682 static int key_flush(struct socket *, struct mbuf *,
  683         const struct sadb_msghdr *);
  684 static int key_dump(struct socket *, struct mbuf *,
  685         const struct sadb_msghdr *);
  686 static int key_promisc(struct socket *, struct mbuf *,
  687         const struct sadb_msghdr *);
  688 static int key_senderror(struct socket *, struct mbuf *, int);
  689 static int key_validate_ext(const struct sadb_ext *, int);
  690 static int key_align(struct mbuf *, struct sadb_msghdr *);
  691 static struct mbuf *key_setlifetime(struct seclifetime *, uint16_t);
  692 static struct mbuf *key_setkey(struct seckey *, uint16_t);
  693 static int xform_init(struct secasvar *, u_short);
  694 
  695 #define DBG_IPSEC_INITREF(t, p) do {                            \
  696         refcount_init(&(p)->refcnt, 1);                         \
  697         KEYDBG(KEY_STAMP,                                       \
  698             printf("%s: Initialize refcnt %s(%p) = %u\n",       \
  699             __func__, #t, (p), (p)->refcnt));                   \
  700 } while (0)
  701 #define DBG_IPSEC_ADDREF(t, p)  do {                            \
  702         refcount_acquire(&(p)->refcnt);                         \
  703         KEYDBG(KEY_STAMP,                                       \
  704             printf("%s: Acquire refcnt %s(%p) -> %u\n",         \
  705             __func__, #t, (p), (p)->refcnt));                   \
  706 } while (0)
  707 #define DBG_IPSEC_DELREF(t, p)  do {                            \
  708         KEYDBG(KEY_STAMP,                                       \
  709             printf("%s: Release refcnt %s(%p) -> %u\n",         \
  710             __func__, #t, (p), (p)->refcnt - 1));               \
  711         refcount_release(&(p)->refcnt);                         \
  712 } while (0)
  713 
  714 #define IPSEC_INITREF(t, p)     refcount_init(&(p)->refcnt, 1)
  715 #define IPSEC_ADDREF(t, p)      refcount_acquire(&(p)->refcnt)
  716 #define IPSEC_DELREF(t, p)      refcount_release(&(p)->refcnt)
  717 
  718 #define SP_INITREF(p)   IPSEC_INITREF(SP, p)
  719 #define SP_ADDREF(p)    IPSEC_ADDREF(SP, p)
  720 #define SP_DELREF(p)    IPSEC_DELREF(SP, p)
  721 
  722 #define SAH_INITREF(p)  IPSEC_INITREF(SAH, p)
  723 #define SAH_ADDREF(p)   IPSEC_ADDREF(SAH, p)
  724 #define SAH_DELREF(p)   IPSEC_DELREF(SAH, p)
  725 
  726 #define SAV_INITREF(p)  IPSEC_INITREF(SAV, p)
  727 #define SAV_ADDREF(p)   IPSEC_ADDREF(SAV, p)
  728 #define SAV_DELREF(p)   IPSEC_DELREF(SAV, p)
  729 
  730 /*
  731  * Update the refcnt while holding the SPTREE lock.
  732  */
  733 void
  734 key_addref(struct secpolicy *sp)
  735 {
  736 
  737         SP_ADDREF(sp);
  738 }
  739 
  740 /*
  741  * Return 0 when there are known to be no SP's for the specified
  742  * direction.  Otherwise return 1.  This is used by IPsec code
  743  * to optimize performance.
  744  */
  745 int
  746 key_havesp(u_int dir)
  747 {
  748 
  749         return (dir == IPSEC_DIR_INBOUND || dir == IPSEC_DIR_OUTBOUND ?
  750                 TAILQ_FIRST(&V_sptree[dir]) != NULL : 1);
  751 }
  752 
  753 /* %%% IPsec policy management */
  754 /*
  755  * Return current SPDB generation.
  756  */
  757 uint32_t
  758 key_getspgen(void)
  759 {
  760 
  761         return (V_sp_genid);
  762 }
  763 
  764 void
  765 key_bumpspgen(void)
  766 {
  767 
  768         V_sp_genid++;
  769 }
  770 
  771 static int
  772 key_checksockaddrs(struct sockaddr *src, struct sockaddr *dst)
  773 {
  774 
  775         /* family match */
  776         if (src->sa_family != dst->sa_family)
  777                 return (EINVAL);
  778         /* sa_len match */
  779         if (src->sa_len != dst->sa_len)
  780                 return (EINVAL);
  781         switch (src->sa_family) {
  782 #ifdef INET
  783         case AF_INET:
  784                 if (src->sa_len != sizeof(struct sockaddr_in))
  785                         return (EINVAL);
  786                 break;
  787 #endif
  788 #ifdef INET6
  789         case AF_INET6:
  790                 if (src->sa_len != sizeof(struct sockaddr_in6))
  791                         return (EINVAL);
  792                 break;
  793 #endif
  794         default:
  795                 return (EAFNOSUPPORT);
  796         }
  797         return (0);
  798 }
  799 
  800 /*
  801  * allocating a SP for OUTBOUND or INBOUND packet.
  802  * Must call key_freesp() later.
  803  * OUT: NULL:   not found
  804  *      others: found and return the pointer.
  805  */
  806 struct secpolicy *
  807 key_allocsp(struct secpolicyindex *spidx, u_int dir)
  808 {
  809         SPTREE_RLOCK_TRACKER;
  810         struct secpolicy *sp;
  811 
  812         IPSEC_ASSERT(spidx != NULL, ("null spidx"));
  813         IPSEC_ASSERT(dir == IPSEC_DIR_INBOUND || dir == IPSEC_DIR_OUTBOUND,
  814                 ("invalid direction %u", dir));
  815 
  816         SPTREE_RLOCK();
  817         TAILQ_FOREACH(sp, &V_sptree[dir], chain) {
  818                 if (key_cmpspidx_withmask(&sp->spidx, spidx)) {
  819                         SP_ADDREF(sp);
  820                         break;
  821                 }
  822         }
  823         SPTREE_RUNLOCK();
  824 
  825         if (sp != NULL) {       /* found a SPD entry */
  826                 sp->lastused = time_second;
  827                 KEYDBG(IPSEC_STAMP,
  828                     printf("%s: return SP(%p)\n", __func__, sp));
  829                 KEYDBG(IPSEC_DATA, kdebug_secpolicy(sp));
  830         } else {
  831                 KEYDBG(IPSEC_DATA,
  832                     printf("%s: lookup failed for ", __func__);
  833                     kdebug_secpolicyindex(spidx, NULL));
  834         }
  835         return (sp);
  836 }
  837 
  838 /*
  839  * Allocating an SA entry for an *INBOUND* or *OUTBOUND* TCP packet, signed
  840  * or should be signed by MD5 signature.
  841  * We don't use key_allocsa() for such lookups, because we don't know SPI.
  842  * Unlike ESP and AH protocols, SPI isn't transmitted in the TCP header with
  843  * signed packet. We use SADB only as storage for password.
  844  * OUT: positive:       corresponding SA for given saidx found.
  845  *      NULL:           SA not found
  846  */
  847 struct secasvar *
  848 key_allocsa_tcpmd5(struct secasindex *saidx)
  849 {
  850         SAHTREE_RLOCK_TRACKER;
  851         struct secashead *sah;
  852         struct secasvar *sav;
  853 
  854         IPSEC_ASSERT(saidx->proto == IPPROTO_TCP,
  855             ("unexpected security protocol %u", saidx->proto));
  856         IPSEC_ASSERT(saidx->mode == IPSEC_MODE_TCPMD5,
  857             ("unexpected mode %u", saidx->mode));
  858 
  859         SAHTREE_RLOCK();
  860         LIST_FOREACH(sah, SAHADDRHASH_HASH(saidx), addrhash) {
  861                 KEYDBG(IPSEC_DUMP,
  862                     printf("%s: checking SAH\n", __func__);
  863                     kdebug_secash(sah, "  "));
  864                 if (sah->saidx.proto != IPPROTO_TCP)
  865                         continue;
  866                 if (!key_sockaddrcmp(&saidx->dst.sa, &sah->saidx.dst.sa, 0) &&
  867                     !key_sockaddrcmp(&saidx->src.sa, &sah->saidx.src.sa, 0))
  868                         break;
  869         }
  870         if (sah != NULL) {
  871                 if (V_key_preferred_oldsa)
  872                         sav = TAILQ_LAST(&sah->savtree_alive, secasvar_queue);
  873                 else
  874                         sav = TAILQ_FIRST(&sah->savtree_alive);
  875                 if (sav != NULL)
  876                         SAV_ADDREF(sav);
  877         } else
  878                 sav = NULL;
  879         SAHTREE_RUNLOCK();
  880 
  881         if (sav != NULL) {
  882                 KEYDBG(IPSEC_STAMP,
  883                     printf("%s: return SA(%p)\n", __func__, sav));
  884                 KEYDBG(IPSEC_DATA, kdebug_secasv(sav));
  885         } else {
  886                 KEYDBG(IPSEC_STAMP,
  887                     printf("%s: SA not found\n", __func__));
  888                 KEYDBG(IPSEC_DATA, kdebug_secasindex(saidx, NULL));
  889         }
  890         return (sav);
  891 }
  892 
  893 /*
  894  * Allocating an SA entry for an *OUTBOUND* packet.
  895  * OUT: positive:       corresponding SA for given saidx found.
  896  *      NULL:           SA not found, but will be acquired, check *error
  897  *                      for acquiring status.
  898  */
  899 struct secasvar *
  900 key_allocsa_policy(struct secpolicy *sp, const struct secasindex *saidx,
  901     int *error)
  902 {
  903         SAHTREE_RLOCK_TRACKER;
  904         struct secashead *sah;
  905         struct secasvar *sav;
  906 
  907         IPSEC_ASSERT(saidx != NULL, ("null saidx"));
  908         IPSEC_ASSERT(saidx->mode == IPSEC_MODE_TRANSPORT ||
  909                 saidx->mode == IPSEC_MODE_TUNNEL,
  910                 ("unexpected policy %u", saidx->mode));
  911 
  912         /*
  913          * We check new SA in the IPsec request because a different
  914          * SA may be involved each time this request is checked, either
  915          * because new SAs are being configured, or this request is
  916          * associated with an unconnected datagram socket, or this request
  917          * is associated with a system default policy.
  918          */
  919         SAHTREE_RLOCK();
  920         LIST_FOREACH(sah, SAHADDRHASH_HASH(saidx), addrhash) {
  921                 KEYDBG(IPSEC_DUMP,
  922                     printf("%s: checking SAH\n", __func__);
  923                     kdebug_secash(sah, "  "));
  924                 if (key_cmpsaidx(&sah->saidx, saidx, CMP_MODE_REQID))
  925                         break;
  926 
  927         }
  928         if (sah != NULL) {
  929                 /*
  930                  * Allocate the oldest SA available according to
  931                  * draft-jenkins-ipsec-rekeying-03.
  932                  */
  933                 if (V_key_preferred_oldsa)
  934                         sav = TAILQ_LAST(&sah->savtree_alive, secasvar_queue);
  935                 else
  936                         sav = TAILQ_FIRST(&sah->savtree_alive);
  937                 if (sav != NULL)
  938                         SAV_ADDREF(sav);
  939         } else
  940                 sav = NULL;
  941         SAHTREE_RUNLOCK();
  942 
  943         if (sav != NULL) {
  944                 *error = 0;
  945                 KEYDBG(IPSEC_STAMP,
  946                     printf("%s: chosen SA(%p) for SP(%p)\n", __func__,
  947                         sav, sp));
  948                 KEYDBG(IPSEC_DATA, kdebug_secasv(sav));
  949                 return (sav); /* return referenced SA */
  950         }
  951 
  952         /* there is no SA */
  953         *error = key_acquire(saidx, sp);
  954         if ((*error) != 0)
  955                 ipseclog((LOG_DEBUG,
  956                     "%s: error %d returned from key_acquire()\n",
  957                         __func__, *error));
  958         KEYDBG(IPSEC_STAMP,
  959             printf("%s: acquire SA for SP(%p), error %d\n",
  960                 __func__, sp, *error));
  961         KEYDBG(IPSEC_DATA, kdebug_secasindex(saidx, NULL));
  962         return (NULL);
  963 }
  964 
  965 /*
  966  * allocating a usable SA entry for a *INBOUND* packet.
  967  * Must call key_freesav() later.
  968  * OUT: positive:       pointer to a usable sav (i.e. MATURE or DYING state).
  969  *      NULL:           not found, or error occurred.
  970  *
  971  * According to RFC 2401 SA is uniquely identified by a triple SPI,
  972  * destination address, and security protocol. But according to RFC 4301,
  973  * SPI by itself suffices to specify an SA.
  974  *
  975  * Note that, however, we do need to keep source address in IPsec SA.
  976  * IKE specification and PF_KEY specification do assume that we
  977  * keep source address in IPsec SA.  We see a tricky situation here.
  978  */
  979 struct secasvar *
  980 key_allocsa(union sockaddr_union *dst, uint8_t proto, uint32_t spi)
  981 {
  982         SAHTREE_RLOCK_TRACKER;
  983         struct secasvar *sav;
  984 
  985         IPSEC_ASSERT(proto == IPPROTO_ESP || proto == IPPROTO_AH ||
  986             proto == IPPROTO_IPCOMP, ("unexpected security protocol %u",
  987             proto));
  988 
  989         SAHTREE_RLOCK();
  990         LIST_FOREACH(sav, SAVHASH_HASH(spi), spihash) {
  991                 if (sav->spi == spi)
  992                         break;
  993         }
  994         /*
  995          * We use single SPI namespace for all protocols, so it is
  996          * impossible to have SPI duplicates in the SAVHASH.
  997          */
  998         if (sav != NULL) {
  999                 if (sav->state != SADB_SASTATE_LARVAL &&
 1000                     sav->sah->saidx.proto == proto &&
 1001                     key_sockaddrcmp(&dst->sa,
 1002                         &sav->sah->saidx.dst.sa, 0) == 0)
 1003                         SAV_ADDREF(sav);
 1004                 else
 1005                         sav = NULL;
 1006         }
 1007         SAHTREE_RUNLOCK();
 1008 
 1009         if (sav == NULL) {
 1010                 KEYDBG(IPSEC_STAMP,
 1011                     char buf[IPSEC_ADDRSTRLEN];
 1012                     printf("%s: SA not found for spi %u proto %u dst %s\n",
 1013                         __func__, ntohl(spi), proto, ipsec_address(dst, buf,
 1014                         sizeof(buf))));
 1015         } else {
 1016                 KEYDBG(IPSEC_STAMP,
 1017                     printf("%s: return SA(%p)\n", __func__, sav));
 1018                 KEYDBG(IPSEC_DATA, kdebug_secasv(sav));
 1019         }
 1020         return (sav);
 1021 }
 1022 
 1023 struct secasvar *
 1024 key_allocsa_tunnel(union sockaddr_union *src, union sockaddr_union *dst,
 1025     uint8_t proto)
 1026 {
 1027         SAHTREE_RLOCK_TRACKER;
 1028         struct secasindex saidx;
 1029         struct secashead *sah;
 1030         struct secasvar *sav;
 1031 
 1032         IPSEC_ASSERT(src != NULL, ("null src address"));
 1033         IPSEC_ASSERT(dst != NULL, ("null dst address"));
 1034 
 1035         KEY_SETSECASIDX(proto, IPSEC_MODE_TUNNEL, 0, &src->sa,
 1036             &dst->sa, &saidx);
 1037 
 1038         sav = NULL;
 1039         SAHTREE_RLOCK();
 1040         LIST_FOREACH(sah, SAHADDRHASH_HASH(&saidx), addrhash) {
 1041                 if (IPSEC_MODE_TUNNEL != sah->saidx.mode)
 1042                         continue;
 1043                 if (proto != sah->saidx.proto)
 1044                         continue;
 1045                 if (key_sockaddrcmp(&src->sa, &sah->saidx.src.sa, 0) != 0)
 1046                         continue;
 1047                 if (key_sockaddrcmp(&dst->sa, &sah->saidx.dst.sa, 0) != 0)
 1048                         continue;
 1049                 /* XXXAE: is key_preferred_oldsa reasonably?*/
 1050                 if (V_key_preferred_oldsa)
 1051                         sav = TAILQ_LAST(&sah->savtree_alive, secasvar_queue);
 1052                 else
 1053                         sav = TAILQ_FIRST(&sah->savtree_alive);
 1054                 if (sav != NULL) {
 1055                         SAV_ADDREF(sav);
 1056                         break;
 1057                 }
 1058         }
 1059         SAHTREE_RUNLOCK();
 1060         KEYDBG(IPSEC_STAMP,
 1061             printf("%s: return SA(%p)\n", __func__, sav));
 1062         if (sav != NULL)
 1063                 KEYDBG(IPSEC_DATA, kdebug_secasv(sav));
 1064         return (sav);
 1065 }
 1066 
 1067 /*
 1068  * Must be called after calling key_allocsp().
 1069  */
 1070 void
 1071 key_freesp(struct secpolicy **spp)
 1072 {
 1073         struct secpolicy *sp = *spp;
 1074 
 1075         IPSEC_ASSERT(sp != NULL, ("null sp"));
 1076         if (SP_DELREF(sp) == 0)
 1077                 return;
 1078 
 1079         KEYDBG(IPSEC_STAMP,
 1080             printf("%s: last reference to SP(%p)\n", __func__, sp));
 1081         KEYDBG(IPSEC_DATA, kdebug_secpolicy(sp));
 1082 
 1083         *spp = NULL;
 1084         while (sp->tcount > 0)
 1085                 ipsec_delisr(sp->req[--sp->tcount]);
 1086         free(sp, M_IPSEC_SP);
 1087 }
 1088 
 1089 static void
 1090 key_unlink(struct secpolicy *sp)
 1091 {
 1092 
 1093         IPSEC_ASSERT(sp->spidx.dir == IPSEC_DIR_INBOUND ||
 1094             sp->spidx.dir == IPSEC_DIR_OUTBOUND,
 1095             ("invalid direction %u", sp->spidx.dir));
 1096         SPTREE_UNLOCK_ASSERT();
 1097 
 1098         KEYDBG(KEY_STAMP,
 1099             printf("%s: SP(%p)\n", __func__, sp));
 1100         SPTREE_WLOCK();
 1101         if (sp->state != IPSEC_SPSTATE_ALIVE) {
 1102                 /* SP is already unlinked */
 1103                 SPTREE_WUNLOCK();
 1104                 return;
 1105         }
 1106         sp->state = IPSEC_SPSTATE_DEAD;
 1107         TAILQ_REMOVE(&V_sptree[sp->spidx.dir], sp, chain);
 1108         LIST_REMOVE(sp, idhash);
 1109         V_sp_genid++;
 1110         SPTREE_WUNLOCK();
 1111         key_freesp(&sp);
 1112 }
 1113 
 1114 /*
 1115  * insert a secpolicy into the SP database. Lower priorities first
 1116  */
 1117 static void
 1118 key_insertsp(struct secpolicy *newsp)
 1119 {
 1120         struct secpolicy *sp;
 1121 
 1122         SPTREE_WLOCK_ASSERT();
 1123         TAILQ_FOREACH(sp, &V_sptree[newsp->spidx.dir], chain) {
 1124                 if (newsp->priority < sp->priority) {
 1125                         TAILQ_INSERT_BEFORE(sp, newsp, chain);
 1126                         goto done;
 1127                 }
 1128         }
 1129         TAILQ_INSERT_TAIL(&V_sptree[newsp->spidx.dir], newsp, chain);
 1130 done:
 1131         LIST_INSERT_HEAD(SPHASH_HASH(newsp->id), newsp, idhash);
 1132         newsp->state = IPSEC_SPSTATE_ALIVE;
 1133         V_sp_genid++;
 1134 }
 1135 
 1136 /*
 1137  * Insert a bunch of VTI secpolicies into the SPDB.
 1138  * We keep VTI policies in the separate list due to following reasons:
 1139  * 1) they should be immutable to user's or some deamon's attempts to
 1140  *    delete. The only way delete such policies - destroy or unconfigure
 1141  *    corresponding virtual inteface.
 1142  * 2) such policies have traffic selector that matches all traffic per
 1143  *    address family.
 1144  * Since all VTI policies have the same priority, we don't care about
 1145  * policies order.
 1146  */
 1147 int
 1148 key_register_ifnet(struct secpolicy **spp, u_int count)
 1149 {
 1150         struct mbuf *m;
 1151         u_int i;
 1152 
 1153         SPTREE_WLOCK();
 1154         /*
 1155          * First of try to acquire id for each SP.
 1156          */
 1157         for (i = 0; i < count; i++) {
 1158                 IPSEC_ASSERT(spp[i]->spidx.dir == IPSEC_DIR_INBOUND ||
 1159                     spp[i]->spidx.dir == IPSEC_DIR_OUTBOUND,
 1160                     ("invalid direction %u", spp[i]->spidx.dir));
 1161 
 1162                 if ((spp[i]->id = key_getnewspid()) == 0) {
 1163                         SPTREE_WUNLOCK();
 1164                         return (EAGAIN);
 1165                 }
 1166         }
 1167         for (i = 0; i < count; i++) {
 1168                 TAILQ_INSERT_TAIL(&V_sptree_ifnet[spp[i]->spidx.dir],
 1169                     spp[i], chain);
 1170                 /*
 1171                  * NOTE: despite the fact that we keep VTI SP in the
 1172                  * separate list, SPHASH contains policies from both
 1173                  * sources. Thus SADB_X_SPDGET will correctly return
 1174                  * SP by id, because it uses SPHASH for lookups.
 1175                  */
 1176                 LIST_INSERT_HEAD(SPHASH_HASH(spp[i]->id), spp[i], idhash);
 1177                 spp[i]->state = IPSEC_SPSTATE_IFNET;
 1178         }
 1179         SPTREE_WUNLOCK();
 1180         /*
 1181          * Notify user processes about new SP.
 1182          */
 1183         for (i = 0; i < count; i++) {
 1184                 m = key_setdumpsp(spp[i], SADB_X_SPDADD, 0, 0);
 1185                 if (m != NULL)
 1186                         key_sendup_mbuf(NULL, m, KEY_SENDUP_ALL);
 1187         }
 1188         return (0);
 1189 }
 1190 
 1191 void
 1192 key_unregister_ifnet(struct secpolicy **spp, u_int count)
 1193 {
 1194         struct mbuf *m;
 1195         u_int i;
 1196 
 1197         SPTREE_WLOCK();
 1198         for (i = 0; i < count; i++) {
 1199                 IPSEC_ASSERT(spp[i]->spidx.dir == IPSEC_DIR_INBOUND ||
 1200                     spp[i]->spidx.dir == IPSEC_DIR_OUTBOUND,
 1201                     ("invalid direction %u", spp[i]->spidx.dir));
 1202 
 1203                 if (spp[i]->state != IPSEC_SPSTATE_IFNET)
 1204                         continue;
 1205                 spp[i]->state = IPSEC_SPSTATE_DEAD;
 1206                 TAILQ_REMOVE(&V_sptree_ifnet[spp[i]->spidx.dir],
 1207                     spp[i], chain);
 1208                 LIST_REMOVE(spp[i], idhash);
 1209         }
 1210         SPTREE_WUNLOCK();
 1211 
 1212         for (i = 0; i < count; i++) {
 1213                 m = key_setdumpsp(spp[i], SADB_X_SPDDELETE, 0, 0);
 1214                 if (m != NULL)
 1215                         key_sendup_mbuf(NULL, m, KEY_SENDUP_ALL);
 1216         }
 1217 }
 1218 
 1219 /*
 1220  * Must be called after calling key_allocsa().
 1221  * This function is called by key_freesp() to free some SA allocated
 1222  * for a policy.
 1223  */
 1224 void
 1225 key_freesav(struct secasvar **psav)
 1226 {
 1227         struct secasvar *sav = *psav;
 1228 
 1229         IPSEC_ASSERT(sav != NULL, ("null sav"));
 1230         if (SAV_DELREF(sav) == 0)
 1231                 return;
 1232 
 1233         KEYDBG(IPSEC_STAMP,
 1234             printf("%s: last reference to SA(%p)\n", __func__, sav));
 1235 
 1236         *psav = NULL;
 1237         key_delsav(sav);
 1238 }
 1239 
 1240 /*
 1241  * Unlink SA from SAH and SPI hash under SAHTREE_WLOCK.
 1242  * Expect that SA has extra reference due to lookup.
 1243  * Release this references, also release SAH reference after unlink.
 1244  */
 1245 static void
 1246 key_unlinksav(struct secasvar *sav)
 1247 {
 1248         struct secashead *sah;
 1249 
 1250         KEYDBG(KEY_STAMP,
 1251             printf("%s: SA(%p)\n", __func__, sav));
 1252 
 1253         SAHTREE_UNLOCK_ASSERT();
 1254         SAHTREE_WLOCK();
 1255         if (sav->state == SADB_SASTATE_DEAD) {
 1256                 /* SA is already unlinked */
 1257                 SAHTREE_WUNLOCK();
 1258                 return;
 1259         }
 1260         /* Unlink from SAH */
 1261         if (sav->state == SADB_SASTATE_LARVAL)
 1262                 TAILQ_REMOVE(&sav->sah->savtree_larval, sav, chain);
 1263         else
 1264                 TAILQ_REMOVE(&sav->sah->savtree_alive, sav, chain);
 1265         /* Unlink from SPI hash */
 1266         LIST_REMOVE(sav, spihash);
 1267         sav->state = SADB_SASTATE_DEAD;
 1268         sah = sav->sah;
 1269         SAHTREE_WUNLOCK();
 1270         key_freesav(&sav);
 1271         /* Since we are unlinked, release reference to SAH */
 1272         key_freesah(&sah);
 1273 }
 1274 
 1275 /* %%% SPD management */
 1276 /*
 1277  * search SPD
 1278  * OUT: NULL    : not found
 1279  *      others  : found, pointer to a SP.
 1280  */
 1281 static struct secpolicy *
 1282 key_getsp(struct secpolicyindex *spidx)
 1283 {
 1284         SPTREE_RLOCK_TRACKER;
 1285         struct secpolicy *sp;
 1286 
 1287         IPSEC_ASSERT(spidx != NULL, ("null spidx"));
 1288 
 1289         SPTREE_RLOCK();
 1290         TAILQ_FOREACH(sp, &V_sptree[spidx->dir], chain) {
 1291                 if (key_cmpspidx_exactly(spidx, &sp->spidx)) {
 1292                         SP_ADDREF(sp);
 1293                         break;
 1294                 }
 1295         }
 1296         SPTREE_RUNLOCK();
 1297 
 1298         return sp;
 1299 }
 1300 
 1301 /*
 1302  * get SP by index.
 1303  * OUT: NULL    : not found
 1304  *      others  : found, pointer to referenced SP.
 1305  */
 1306 static struct secpolicy *
 1307 key_getspbyid(uint32_t id)
 1308 {
 1309         SPTREE_RLOCK_TRACKER;
 1310         struct secpolicy *sp;
 1311 
 1312         SPTREE_RLOCK();
 1313         LIST_FOREACH(sp, SPHASH_HASH(id), idhash) {
 1314                 if (sp->id == id) {
 1315                         SP_ADDREF(sp);
 1316                         break;
 1317                 }
 1318         }
 1319         SPTREE_RUNLOCK();
 1320         return (sp);
 1321 }
 1322 
 1323 struct secpolicy *
 1324 key_newsp(void)
 1325 {
 1326         struct secpolicy *sp;
 1327 
 1328         sp = malloc(sizeof(*sp), M_IPSEC_SP, M_NOWAIT | M_ZERO);
 1329         if (sp != NULL)
 1330                 SP_INITREF(sp);
 1331         return (sp);
 1332 }
 1333 
 1334 struct ipsecrequest *
 1335 ipsec_newisr(void)
 1336 {
 1337 
 1338         return (malloc(sizeof(struct ipsecrequest), M_IPSEC_SR,
 1339             M_NOWAIT | M_ZERO));
 1340 }
 1341 
 1342 void
 1343 ipsec_delisr(struct ipsecrequest *p)
 1344 {
 1345 
 1346         free(p, M_IPSEC_SR);
 1347 }
 1348 
 1349 /*
 1350  * create secpolicy structure from sadb_x_policy structure.
 1351  * NOTE: `state', `secpolicyindex' and 'id' in secpolicy structure
 1352  * are not set, so must be set properly later.
 1353  */
 1354 struct secpolicy *
 1355 key_msg2sp(struct sadb_x_policy *xpl0, size_t len, int *error)
 1356 {
 1357         struct secpolicy *newsp;
 1358 
 1359         IPSEC_ASSERT(xpl0 != NULL, ("null xpl0"));
 1360         IPSEC_ASSERT(len >= sizeof(*xpl0), ("policy too short: %zu", len));
 1361 
 1362         if (len != PFKEY_EXTLEN(xpl0)) {
 1363                 ipseclog((LOG_DEBUG, "%s: Invalid msg length.\n", __func__));
 1364                 *error = EINVAL;
 1365                 return NULL;
 1366         }
 1367 
 1368         if ((newsp = key_newsp()) == NULL) {
 1369                 *error = ENOBUFS;
 1370                 return NULL;
 1371         }
 1372 
 1373         newsp->spidx.dir = xpl0->sadb_x_policy_dir;
 1374         newsp->policy = xpl0->sadb_x_policy_type;
 1375         newsp->priority = xpl0->sadb_x_policy_priority;
 1376         newsp->tcount = 0;
 1377 
 1378         /* check policy */
 1379         switch (xpl0->sadb_x_policy_type) {
 1380         case IPSEC_POLICY_DISCARD:
 1381         case IPSEC_POLICY_NONE:
 1382         case IPSEC_POLICY_ENTRUST:
 1383         case IPSEC_POLICY_BYPASS:
 1384                 break;
 1385 
 1386         case IPSEC_POLICY_IPSEC:
 1387             {
 1388                 struct sadb_x_ipsecrequest *xisr;
 1389                 struct ipsecrequest *isr;
 1390                 int tlen;
 1391 
 1392                 /* validity check */
 1393                 if (PFKEY_EXTLEN(xpl0) < sizeof(*xpl0)) {
 1394                         ipseclog((LOG_DEBUG, "%s: Invalid msg length.\n",
 1395                                 __func__));
 1396                         key_freesp(&newsp);
 1397                         *error = EINVAL;
 1398                         return NULL;
 1399                 }
 1400 
 1401                 tlen = PFKEY_EXTLEN(xpl0) - sizeof(*xpl0);
 1402                 xisr = (struct sadb_x_ipsecrequest *)(xpl0 + 1);
 1403 
 1404                 while (tlen > 0) {
 1405                         /* length check */
 1406                         if (xisr->sadb_x_ipsecrequest_len < sizeof(*xisr) ||
 1407                             xisr->sadb_x_ipsecrequest_len > tlen) {
 1408                                 ipseclog((LOG_DEBUG, "%s: invalid ipsecrequest "
 1409                                         "length.\n", __func__));
 1410                                 key_freesp(&newsp);
 1411                                 *error = EINVAL;
 1412                                 return NULL;
 1413                         }
 1414 
 1415                         if (newsp->tcount >= IPSEC_MAXREQ) {
 1416                                 ipseclog((LOG_DEBUG,
 1417                                     "%s: too many ipsecrequests.\n",
 1418                                     __func__));
 1419                                 key_freesp(&newsp);
 1420                                 *error = EINVAL;
 1421                                 return (NULL);
 1422                         }
 1423 
 1424                         /* allocate request buffer */
 1425                         /* NB: data structure is zero'd */
 1426                         isr = ipsec_newisr();
 1427                         if (isr == NULL) {
 1428                                 ipseclog((LOG_DEBUG,
 1429                                     "%s: No more memory.\n", __func__));
 1430                                 key_freesp(&newsp);
 1431                                 *error = ENOBUFS;
 1432                                 return NULL;
 1433                         }
 1434 
 1435                         newsp->req[newsp->tcount++] = isr;
 1436 
 1437                         /* set values */
 1438                         switch (xisr->sadb_x_ipsecrequest_proto) {
 1439                         case IPPROTO_ESP:
 1440                         case IPPROTO_AH:
 1441                         case IPPROTO_IPCOMP:
 1442                                 break;
 1443                         default:
 1444                                 ipseclog((LOG_DEBUG,
 1445                                     "%s: invalid proto type=%u\n", __func__,
 1446                                     xisr->sadb_x_ipsecrequest_proto));
 1447                                 key_freesp(&newsp);
 1448                                 *error = EPROTONOSUPPORT;
 1449                                 return NULL;
 1450                         }
 1451                         isr->saidx.proto =
 1452                             (uint8_t)xisr->sadb_x_ipsecrequest_proto;
 1453 
 1454                         switch (xisr->sadb_x_ipsecrequest_mode) {
 1455                         case IPSEC_MODE_TRANSPORT:
 1456                         case IPSEC_MODE_TUNNEL:
 1457                                 break;
 1458                         case IPSEC_MODE_ANY:
 1459                         default:
 1460                                 ipseclog((LOG_DEBUG,
 1461                                     "%s: invalid mode=%u\n", __func__,
 1462                                     xisr->sadb_x_ipsecrequest_mode));
 1463                                 key_freesp(&newsp);
 1464                                 *error = EINVAL;
 1465                                 return NULL;
 1466                         }
 1467                         isr->saidx.mode = xisr->sadb_x_ipsecrequest_mode;
 1468 
 1469                         switch (xisr->sadb_x_ipsecrequest_level) {
 1470                         case IPSEC_LEVEL_DEFAULT:
 1471                         case IPSEC_LEVEL_USE:
 1472                         case IPSEC_LEVEL_REQUIRE:
 1473                                 break;
 1474                         case IPSEC_LEVEL_UNIQUE:
 1475                                 /* validity check */
 1476                                 /*
 1477                                  * If range violation of reqid, kernel will
 1478                                  * update it, don't refuse it.
 1479                                  */
 1480                                 if (xisr->sadb_x_ipsecrequest_reqid
 1481                                                 > IPSEC_MANUAL_REQID_MAX) {
 1482                                         ipseclog((LOG_DEBUG,
 1483                                             "%s: reqid=%d range "
 1484                                             "violation, updated by kernel.\n",
 1485                                             __func__,
 1486                                             xisr->sadb_x_ipsecrequest_reqid));
 1487                                         xisr->sadb_x_ipsecrequest_reqid = 0;
 1488                                 }
 1489 
 1490                                 /* allocate new reqid id if reqid is zero. */
 1491                                 if (xisr->sadb_x_ipsecrequest_reqid == 0) {
 1492                                         u_int32_t reqid;
 1493                                         if ((reqid = key_newreqid()) == 0) {
 1494                                                 key_freesp(&newsp);
 1495                                                 *error = ENOBUFS;
 1496                                                 return NULL;
 1497                                         }
 1498                                         isr->saidx.reqid = reqid;
 1499                                         xisr->sadb_x_ipsecrequest_reqid = reqid;
 1500                                 } else {
 1501                                 /* set it for manual keying. */
 1502                                         isr->saidx.reqid =
 1503                                             xisr->sadb_x_ipsecrequest_reqid;
 1504                                 }
 1505                                 break;
 1506 
 1507                         default:
 1508                                 ipseclog((LOG_DEBUG, "%s: invalid level=%u\n",
 1509                                         __func__,
 1510                                         xisr->sadb_x_ipsecrequest_level));
 1511                                 key_freesp(&newsp);
 1512                                 *error = EINVAL;
 1513                                 return NULL;
 1514                         }
 1515                         isr->level = xisr->sadb_x_ipsecrequest_level;
 1516 
 1517                         /* set IP addresses if there */
 1518                         if (xisr->sadb_x_ipsecrequest_len > sizeof(*xisr)) {
 1519                                 struct sockaddr *paddr;
 1520 
 1521                                 len = tlen - sizeof(*xisr);
 1522                                 paddr = (struct sockaddr *)(xisr + 1);
 1523                                 /* validity check */
 1524                                 if (len < sizeof(struct sockaddr) ||
 1525                                     len < 2 * paddr->sa_len ||
 1526                                     paddr->sa_len > sizeof(isr->saidx.src)) {
 1527                                         ipseclog((LOG_DEBUG, "%s: invalid "
 1528                                                 "request address length.\n",
 1529                                                 __func__));
 1530                                         key_freesp(&newsp);
 1531                                         *error = EINVAL;
 1532                                         return NULL;
 1533                                 }
 1534                                 /*
 1535                                  * Request length should be enough to keep
 1536                                  * source and destination addresses.
 1537                                  */
 1538                                 if (xisr->sadb_x_ipsecrequest_len <
 1539                                     sizeof(*xisr) + 2 * paddr->sa_len) {
 1540                                         ipseclog((LOG_DEBUG, "%s: invalid "
 1541                                             "ipsecrequest length.\n",
 1542                                             __func__));
 1543                                         key_freesp(&newsp);
 1544                                         *error = EINVAL;
 1545                                         return (NULL);
 1546                                 }
 1547                                 bcopy(paddr, &isr->saidx.src, paddr->sa_len);
 1548                                 paddr = (struct sockaddr *)((caddr_t)paddr +
 1549                                     paddr->sa_len);
 1550 
 1551                                 /* validity check */
 1552                                 if (paddr->sa_len !=
 1553                                     isr->saidx.src.sa.sa_len) {
 1554                                         ipseclog((LOG_DEBUG, "%s: invalid "
 1555                                                 "request address length.\n",
 1556                                                 __func__));
 1557                                         key_freesp(&newsp);
 1558                                         *error = EINVAL;
 1559                                         return NULL;
 1560                                 }
 1561                                 /* AF family should match */
 1562                                 if (paddr->sa_family !=
 1563                                     isr->saidx.src.sa.sa_family) {
 1564                                         ipseclog((LOG_DEBUG, "%s: address "
 1565                                             "family doesn't match.\n",
 1566                                                 __func__));
 1567                                         key_freesp(&newsp);
 1568                                         *error = EINVAL;
 1569                                         return (NULL);
 1570                                 }
 1571                                 bcopy(paddr, &isr->saidx.dst, paddr->sa_len);
 1572                         } else {
 1573                                 /*
 1574                                  * Addresses for TUNNEL mode requests are
 1575                                  * mandatory.
 1576                                  */
 1577                                 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
 1578                                         ipseclog((LOG_DEBUG, "%s: missing "
 1579                                             "request addresses.\n", __func__));
 1580                                         key_freesp(&newsp);
 1581                                         *error = EINVAL;
 1582                                         return (NULL);
 1583                                 }
 1584                         }
 1585                         tlen -= xisr->sadb_x_ipsecrequest_len;
 1586 
 1587                         /* validity check */
 1588                         if (tlen < 0) {
 1589                                 ipseclog((LOG_DEBUG, "%s: becoming tlen < 0.\n",
 1590                                         __func__));
 1591                                 key_freesp(&newsp);
 1592                                 *error = EINVAL;
 1593                                 return NULL;
 1594                         }
 1595 
 1596                         xisr = (struct sadb_x_ipsecrequest *)((caddr_t)xisr
 1597                                          + xisr->sadb_x_ipsecrequest_len);
 1598                 }
 1599                 /* XXXAE: LARVAL SP */
 1600                 if (newsp->tcount < 1) {
 1601                         ipseclog((LOG_DEBUG, "%s: valid IPSEC transforms "
 1602                             "not found.\n", __func__));
 1603                         key_freesp(&newsp);
 1604                         *error = EINVAL;
 1605                         return (NULL);
 1606                 }
 1607             }
 1608                 break;
 1609         default:
 1610                 ipseclog((LOG_DEBUG, "%s: invalid policy type.\n", __func__));
 1611                 key_freesp(&newsp);
 1612                 *error = EINVAL;
 1613                 return NULL;
 1614         }
 1615 
 1616         *error = 0;
 1617         return (newsp);
 1618 }
 1619 
 1620 uint32_t
 1621 key_newreqid(void)
 1622 {
 1623         static uint32_t auto_reqid = IPSEC_MANUAL_REQID_MAX + 1;
 1624 
 1625         if (auto_reqid == ~0)
 1626                 auto_reqid = IPSEC_MANUAL_REQID_MAX + 1;
 1627         else
 1628                 auto_reqid++;
 1629 
 1630         /* XXX should be unique check */
 1631         return (auto_reqid);
 1632 }
 1633 
 1634 /*
 1635  * copy secpolicy struct to sadb_x_policy structure indicated.
 1636  */
 1637 static struct mbuf *
 1638 key_sp2mbuf(struct secpolicy *sp)
 1639 {
 1640         struct mbuf *m;
 1641         size_t tlen;
 1642 
 1643         tlen = key_getspreqmsglen(sp);
 1644         m = m_get2(tlen, M_NOWAIT, MT_DATA, 0);
 1645         if (m == NULL)
 1646                 return (NULL);
 1647         m_align(m, tlen);
 1648         m->m_len = tlen;
 1649         if (key_sp2msg(sp, m->m_data, &tlen) != 0) {
 1650                 m_freem(m);
 1651                 return (NULL);
 1652         }
 1653         return (m);
 1654 }
 1655 
 1656 int
 1657 key_sp2msg(struct secpolicy *sp, void *request, size_t *len)
 1658 {
 1659         struct sadb_x_ipsecrequest *xisr;
 1660         struct sadb_x_policy *xpl;
 1661         struct ipsecrequest *isr;
 1662         size_t xlen, ilen;
 1663         caddr_t p;
 1664         int error, i;
 1665 
 1666         IPSEC_ASSERT(sp != NULL, ("null policy"));
 1667 
 1668         xlen = sizeof(*xpl);
 1669         if (*len < xlen)
 1670                 return (EINVAL);
 1671 
 1672         error = 0;
 1673         bzero(request, *len);
 1674         xpl = (struct sadb_x_policy *)request;
 1675         xpl->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
 1676         xpl->sadb_x_policy_type = sp->policy;
 1677         xpl->sadb_x_policy_dir = sp->spidx.dir;
 1678         xpl->sadb_x_policy_id = sp->id;
 1679         xpl->sadb_x_policy_priority = sp->priority;
 1680         switch (sp->state) {
 1681         case IPSEC_SPSTATE_IFNET:
 1682                 xpl->sadb_x_policy_scope = IPSEC_POLICYSCOPE_IFNET;
 1683                 break;
 1684         case IPSEC_SPSTATE_PCB:
 1685                 xpl->sadb_x_policy_scope = IPSEC_POLICYSCOPE_PCB;
 1686                 break;
 1687         default:
 1688                 xpl->sadb_x_policy_scope = IPSEC_POLICYSCOPE_GLOBAL;
 1689         }
 1690 
 1691         /* if is the policy for ipsec ? */
 1692         if (sp->policy == IPSEC_POLICY_IPSEC) {
 1693                 p = (caddr_t)xpl + sizeof(*xpl);
 1694                 for (i = 0; i < sp->tcount; i++) {
 1695                         isr = sp->req[i];
 1696                         ilen = PFKEY_ALIGN8(sizeof(*xisr) +
 1697                             isr->saidx.src.sa.sa_len +
 1698                             isr->saidx.dst.sa.sa_len);
 1699                         xlen += ilen;
 1700                         if (xlen > *len) {
 1701                                 error = ENOBUFS;
 1702                                 /* Calculate needed size */
 1703                                 continue;
 1704                         }
 1705                         xisr = (struct sadb_x_ipsecrequest *)p;
 1706                         xisr->sadb_x_ipsecrequest_len = ilen;
 1707                         xisr->sadb_x_ipsecrequest_proto = isr->saidx.proto;
 1708                         xisr->sadb_x_ipsecrequest_mode = isr->saidx.mode;
 1709                         xisr->sadb_x_ipsecrequest_level = isr->level;
 1710                         xisr->sadb_x_ipsecrequest_reqid = isr->saidx.reqid;
 1711 
 1712                         p += sizeof(*xisr);
 1713                         bcopy(&isr->saidx.src, p, isr->saidx.src.sa.sa_len);
 1714                         p += isr->saidx.src.sa.sa_len;
 1715                         bcopy(&isr->saidx.dst, p, isr->saidx.dst.sa.sa_len);
 1716                         p += isr->saidx.dst.sa.sa_len;
 1717                 }
 1718         }
 1719         xpl->sadb_x_policy_len = PFKEY_UNIT64(xlen);
 1720         if (error == 0)
 1721                 *len = xlen;
 1722         else
 1723                 *len = sizeof(*xpl);
 1724         return (error);
 1725 }
 1726 
 1727 /* m will not be freed nor modified */
 1728 static struct mbuf *
 1729 key_gather_mbuf(struct mbuf *m, const struct sadb_msghdr *mhp,
 1730     int ndeep, int nitem, ...)
 1731 {
 1732         va_list ap;
 1733         int idx;
 1734         int i;
 1735         struct mbuf *result = NULL, *n;
 1736         int len;
 1737 
 1738         IPSEC_ASSERT(m != NULL, ("null mbuf"));
 1739         IPSEC_ASSERT(mhp != NULL, ("null msghdr"));
 1740 
 1741         va_start(ap, nitem);
 1742         for (i = 0; i < nitem; i++) {
 1743                 idx = va_arg(ap, int);
 1744                 if (idx < 0 || idx > SADB_EXT_MAX)
 1745                         goto fail;
 1746                 /* don't attempt to pull empty extension */
 1747                 if (idx == SADB_EXT_RESERVED && mhp->msg == NULL)
 1748                         continue;
 1749                 if (idx != SADB_EXT_RESERVED  &&
 1750                     (mhp->ext[idx] == NULL || mhp->extlen[idx] == 0))
 1751                         continue;
 1752 
 1753                 if (idx == SADB_EXT_RESERVED) {
 1754                         len = PFKEY_ALIGN8(sizeof(struct sadb_msg));
 1755 
 1756                         IPSEC_ASSERT(len <= MHLEN, ("header too big %u", len));
 1757 
 1758                         MGETHDR(n, M_NOWAIT, MT_DATA);
 1759                         if (!n)
 1760                                 goto fail;
 1761                         n->m_len = len;
 1762                         n->m_next = NULL;
 1763                         m_copydata(m, 0, sizeof(struct sadb_msg),
 1764                             mtod(n, caddr_t));
 1765                 } else if (i < ndeep) {
 1766                         len = mhp->extlen[idx];
 1767                         n = m_get2(len, M_NOWAIT, MT_DATA, 0);
 1768                         if (n == NULL)
 1769                                 goto fail;
 1770                         m_align(n, len);
 1771                         n->m_len = len;
 1772                         m_copydata(m, mhp->extoff[idx], mhp->extlen[idx],
 1773                             mtod(n, caddr_t));
 1774                 } else {
 1775                         n = m_copym(m, mhp->extoff[idx], mhp->extlen[idx],
 1776                             M_NOWAIT);
 1777                 }
 1778                 if (n == NULL)
 1779                         goto fail;
 1780 
 1781                 if (result)
 1782                         m_cat(result, n);
 1783                 else
 1784                         result = n;
 1785         }
 1786         va_end(ap);
 1787 
 1788         if ((result->m_flags & M_PKTHDR) != 0) {
 1789                 result->m_pkthdr.len = 0;
 1790                 for (n = result; n; n = n->m_next)
 1791                         result->m_pkthdr.len += n->m_len;
 1792         }
 1793 
 1794         return result;
 1795 
 1796 fail:
 1797         m_freem(result);
 1798         va_end(ap);
 1799         return NULL;
 1800 }
 1801 
 1802 /*
 1803  * SADB_X_SPDADD, SADB_X_SPDSETIDX or SADB_X_SPDUPDATE processing
 1804  * add an entry to SP database, when received
 1805  *   <base, address(SD), (lifetime(H),) policy>
 1806  * from the user(?).
 1807  * Adding to SP database,
 1808  * and send
 1809  *   <base, address(SD), (lifetime(H),) policy>
 1810  * to the socket which was send.
 1811  *
 1812  * SPDADD set a unique policy entry.
 1813  * SPDSETIDX like SPDADD without a part of policy requests.
 1814  * SPDUPDATE replace a unique policy entry.
 1815  *
 1816  * XXXAE: serialize this in PF_KEY to avoid races.
 1817  * m will always be freed.
 1818  */
 1819 static int
 1820 key_spdadd(struct socket *so, struct mbuf *m, const struct sadb_msghdr *mhp)
 1821 {
 1822         struct secpolicyindex spidx;
 1823         struct sadb_address *src0, *dst0;
 1824         struct sadb_x_policy *xpl0, *xpl;
 1825         struct sadb_lifetime *lft = NULL;
 1826         struct secpolicy *newsp;
 1827         int error;
 1828 
 1829         IPSEC_ASSERT(so != NULL, ("null socket"));
 1830         IPSEC_ASSERT(m != NULL, ("null mbuf"));
 1831         IPSEC_ASSERT(mhp != NULL, ("null msghdr"));
 1832         IPSEC_ASSERT(mhp->msg != NULL, ("null msg"));
 1833 
 1834         if (SADB_CHECKHDR(mhp, SADB_EXT_ADDRESS_SRC) ||
 1835             SADB_CHECKHDR(mhp, SADB_EXT_ADDRESS_DST) ||
 1836             SADB_CHECKHDR(mhp, SADB_X_EXT_POLICY)) {
 1837                 ipseclog((LOG_DEBUG,
 1838                     "%s: invalid message: missing required header.\n",
 1839                     __func__));
 1840                 return key_senderror(so, m, EINVAL);
 1841         }
 1842         if (SADB_CHECKLEN(mhp, SADB_EXT_ADDRESS_SRC) ||
 1843             SADB_CHECKLEN(mhp, SADB_EXT_ADDRESS_DST) ||
 1844             SADB_CHECKLEN(mhp, SADB_X_EXT_POLICY)) {
 1845                 ipseclog((LOG_DEBUG,
 1846                     "%s: invalid message: wrong header size.\n", __func__));
 1847                 return key_senderror(so, m, EINVAL);
 1848         }
 1849         if (!SADB_CHECKHDR(mhp, SADB_EXT_LIFETIME_HARD)) {
 1850                 if (SADB_CHECKLEN(mhp, SADB_EXT_LIFETIME_HARD)) {
 1851                         ipseclog((LOG_DEBUG,
 1852                             "%s: invalid message: wrong header size.\n",
 1853                             __func__));
 1854                         return key_senderror(so, m, EINVAL);
 1855                 }
 1856                 lft = (struct sadb_lifetime *)mhp->ext[SADB_EXT_LIFETIME_HARD];
 1857         }
 1858 
 1859         src0 = (struct sadb_address *)mhp->ext[SADB_EXT_ADDRESS_SRC];
 1860         dst0 = (struct sadb_address *)mhp->ext[SADB_EXT_ADDRESS_DST];
 1861         xpl0 = (struct sadb_x_policy *)mhp->ext[SADB_X_EXT_POLICY];
 1862 
 1863         /* check the direciton */
 1864         switch (xpl0->sadb_x_policy_dir) {
 1865         case IPSEC_DIR_INBOUND:
 1866         case IPSEC_DIR_OUTBOUND:
 1867                 break;
 1868         default:
 1869                 ipseclog((LOG_DEBUG, "%s: invalid SP direction.\n", __func__));
 1870                 return key_senderror(so, m, EINVAL);
 1871         }
 1872         /* key_spdadd() accepts DISCARD, NONE and IPSEC. */
 1873         if (xpl0->sadb_x_policy_type != IPSEC_POLICY_DISCARD &&
 1874             xpl0->sadb_x_policy_type != IPSEC_POLICY_NONE &&
 1875             xpl0->sadb_x_policy_type != IPSEC_POLICY_IPSEC) {
 1876                 ipseclog((LOG_DEBUG, "%s: invalid policy type.\n", __func__));
 1877                 return key_senderror(so, m, EINVAL);
 1878         }
 1879 
 1880         /* policy requests are mandatory when action is ipsec. */
 1881         if (xpl0->sadb_x_policy_type == IPSEC_POLICY_IPSEC &&
 1882             mhp->extlen[SADB_X_EXT_POLICY] <= sizeof(*xpl0)) {
 1883                 ipseclog((LOG_DEBUG,
 1884                     "%s: policy requests required.\n", __func__));
 1885                 return key_senderror(so, m, EINVAL);
 1886         }
 1887 
 1888         error = key_checksockaddrs((struct sockaddr *)(src0 + 1),
 1889             (struct sockaddr *)(dst0 + 1));
 1890         if (error != 0 ||
 1891             src0->sadb_address_proto != dst0->sadb_address_proto) {
 1892                 ipseclog((LOG_DEBUG, "%s: invalid sockaddr.\n", __func__));
 1893                 return key_senderror(so, m, error);
 1894         }
 1895         /* make secindex */
 1896         KEY_SETSECSPIDX(xpl0->sadb_x_policy_dir,
 1897                         src0 + 1,
 1898                         dst0 + 1,
 1899                         src0->sadb_address_prefixlen,
 1900                         dst0->sadb_address_prefixlen,
 1901                         src0->sadb_address_proto,
 1902                         &spidx);
 1903         /* Checking there is SP already or not. */
 1904         newsp = key_getsp(&spidx);
 1905         if (newsp != NULL) {
 1906                 if (mhp->msg->sadb_msg_type == SADB_X_SPDUPDATE) {
 1907                         KEYDBG(KEY_STAMP,
 1908                             printf("%s: unlink SP(%p) for SPDUPDATE\n",
 1909                                 __func__, newsp));
 1910                         KEYDBG(KEY_DATA, kdebug_secpolicy(newsp));
 1911                         key_unlink(newsp);
 1912                         key_freesp(&newsp);
 1913                 } else {
 1914                         key_freesp(&newsp);
 1915                         ipseclog((LOG_DEBUG, "%s: a SP entry exists already.",
 1916                             __func__));
 1917                         return (key_senderror(so, m, EEXIST));
 1918                 }
 1919         }
 1920 
 1921         /* allocate new SP entry */
 1922         if ((newsp = key_msg2sp(xpl0, PFKEY_EXTLEN(xpl0), &error)) == NULL) {
 1923                 return key_senderror(so, m, error);
 1924         }
 1925 
 1926         newsp->lastused = newsp->created = time_second;
 1927         newsp->lifetime = lft ? lft->sadb_lifetime_addtime : 0;
 1928         newsp->validtime = lft ? lft->sadb_lifetime_usetime : 0;
 1929         bcopy(&spidx, &newsp->spidx, sizeof(spidx));
 1930 
 1931         /* XXXAE: there is race between key_getsp() and key_insertsp() */
 1932         SPTREE_WLOCK();
 1933         if ((newsp->id = key_getnewspid()) == 0) {
 1934                 SPTREE_WUNLOCK();
 1935                 key_freesp(&newsp);
 1936                 return key_senderror(so, m, ENOBUFS);
 1937         }
 1938         key_insertsp(newsp);
 1939         SPTREE_WUNLOCK();
 1940 
 1941         KEYDBG(KEY_STAMP,
 1942             printf("%s: SP(%p)\n", __func__, newsp));
 1943         KEYDBG(KEY_DATA, kdebug_secpolicy(newsp));
 1944 
 1945     {
 1946         struct mbuf *n, *mpolicy;
 1947         struct sadb_msg *newmsg;
 1948         int off;
 1949 
 1950         /* create new sadb_msg to reply. */
 1951         if (lft) {
 1952                 n = key_gather_mbuf(m, mhp, 2, 5, SADB_EXT_RESERVED,
 1953                     SADB_X_EXT_POLICY, SADB_EXT_LIFETIME_HARD,
 1954                     SADB_EXT_ADDRESS_SRC, SADB_EXT_ADDRESS_DST);
 1955         } else {
 1956                 n = key_gather_mbuf(m, mhp, 2, 4, SADB_EXT_RESERVED,
 1957                     SADB_X_EXT_POLICY,
 1958                     SADB_EXT_ADDRESS_SRC, SADB_EXT_ADDRESS_DST);
 1959         }
 1960         if (!n)
 1961                 return key_senderror(so, m, ENOBUFS);
 1962 
 1963         if (n->m_len < sizeof(*newmsg)) {
 1964                 n = m_pullup(n, sizeof(*newmsg));
 1965                 if (!n)
 1966                         return key_senderror(so, m, ENOBUFS);
 1967         }
 1968         newmsg = mtod(n, struct sadb_msg *);
 1969         newmsg->sadb_msg_errno = 0;
 1970         newmsg->sadb_msg_len = PFKEY_UNIT64(n->m_pkthdr.len);
 1971 
 1972         off = 0;
 1973         mpolicy = m_pulldown(n, PFKEY_ALIGN8(sizeof(struct sadb_msg)),
 1974             sizeof(*xpl), &off);
 1975         if (mpolicy == NULL) {
 1976                 /* n is already freed */
 1977                 return key_senderror(so, m, ENOBUFS);
 1978         }
 1979         xpl = (struct sadb_x_policy *)(mtod(mpolicy, caddr_t) + off);
 1980         if (xpl->sadb_x_policy_exttype != SADB_X_EXT_POLICY) {
 1981                 m_freem(n);
 1982                 return key_senderror(so, m, EINVAL);
 1983         }
 1984         xpl->sadb_x_policy_id = newsp->id;
 1985 
 1986         m_freem(m);
 1987         return key_sendup_mbuf(so, n, KEY_SENDUP_ALL);
 1988     }
 1989 }
 1990 
 1991 /*
 1992  * get new policy id.
 1993  * OUT:
 1994  *      0:      failure.
 1995  *      others: success.
 1996  */
 1997 static uint32_t
 1998 key_getnewspid(void)
 1999 {
 2000         struct secpolicy *sp;
 2001         uint32_t newid = 0;
 2002         int count = V_key_spi_trycnt;   /* XXX */
 2003 
 2004         SPTREE_WLOCK_ASSERT();
 2005         while (count--) {
 2006                 if (V_policy_id == ~0) /* overflowed */
 2007                         newid = V_policy_id = 1;
 2008                 else
 2009                         newid = ++V_policy_id;
 2010                 LIST_FOREACH(sp, SPHASH_HASH(newid), idhash) {
 2011                         if (sp->id == newid)
 2012                                 break;
 2013                 }
 2014                 if (sp == NULL)
 2015                         break;
 2016         }
 2017         if (count == 0 || newid == 0) {
 2018                 ipseclog((LOG_DEBUG, "%s: failed to allocate policy id.\n",
 2019                     __func__));
 2020                 return (0);
 2021         }
 2022         return (newid);
 2023 }
 2024 
 2025 /*
 2026  * SADB_SPDDELETE processing
 2027  * receive
 2028  *   <base, address(SD), policy(*)>
 2029  * from the user(?), and set SADB_SASTATE_DEAD,
 2030  * and send,
 2031  *   <base, address(SD), policy(*)>
 2032  * to the ikmpd.
 2033  * policy(*) including direction of policy.
 2034  *
 2035  * m will always be freed.
 2036  */
 2037 static int
 2038 key_spddelete(struct socket *so, struct mbuf *m,
 2039     const struct sadb_msghdr *mhp)
 2040 {
 2041         struct secpolicyindex spidx;
 2042         struct sadb_address *src0, *dst0;
 2043         struct sadb_x_policy *xpl0;
 2044         struct secpolicy *sp;
 2045 
 2046         IPSEC_ASSERT(so != NULL, ("null so"));
 2047         IPSEC_ASSERT(m != NULL, ("null mbuf"));
 2048         IPSEC_ASSERT(mhp != NULL, ("null msghdr"));
 2049         IPSEC_ASSERT(mhp->msg != NULL, ("null msg"));
 2050 
 2051         if (SADB_CHECKHDR(mhp, SADB_EXT_ADDRESS_SRC) ||
 2052             SADB_CHECKHDR(mhp, SADB_EXT_ADDRESS_DST) ||
 2053             SADB_CHECKHDR(mhp, SADB_X_EXT_POLICY)) {
 2054                 ipseclog((LOG_DEBUG,
 2055                     "%s: invalid message: missing required header.\n",
 2056                     __func__));
 2057                 return key_senderror(so, m, EINVAL);
 2058         }
 2059         if (SADB_CHECKLEN(mhp, SADB_EXT_ADDRESS_SRC) ||
 2060             SADB_CHECKLEN(mhp, SADB_EXT_ADDRESS_DST) ||
 2061             SADB_CHECKLEN(mhp, SADB_X_EXT_POLICY)) {
 2062                 ipseclog((LOG_DEBUG,
 2063                     "%s: invalid message: wrong header size.\n", __func__));
 2064                 return key_senderror(so, m, EINVAL);
 2065         }
 2066 
 2067         src0 = (struct sadb_address *)mhp->ext[SADB_EXT_ADDRESS_SRC];
 2068         dst0 = (struct sadb_address *)mhp->ext[SADB_EXT_ADDRESS_DST];
 2069         xpl0 = (struct sadb_x_policy *)mhp->ext[SADB_X_EXT_POLICY];
 2070 
 2071         /* check the direciton */
 2072         switch (xpl0->sadb_x_policy_dir) {
 2073         case IPSEC_DIR_INBOUND:
 2074         case IPSEC_DIR_OUTBOUND:
 2075                 break;
 2076         default:
 2077                 ipseclog((LOG_DEBUG, "%s: invalid SP direction.\n", __func__));
 2078                 return key_senderror(so, m, EINVAL);
 2079         }
 2080         /* Only DISCARD, NONE and IPSEC are allowed */
 2081         if (xpl0->sadb_x_policy_type != IPSEC_POLICY_DISCARD &&
 2082             xpl0->sadb_x_policy_type != IPSEC_POLICY_NONE &&
 2083             xpl0->sadb_x_policy_type != IPSEC_POLICY_IPSEC) {
 2084                 ipseclog((LOG_DEBUG, "%s: invalid policy type.\n", __func__));
 2085                 return key_senderror(so, m, EINVAL);
 2086         }
 2087         if (key_checksockaddrs((struct sockaddr *)(src0 + 1),
 2088             (struct sockaddr *)(dst0 + 1)) != 0 ||
 2089             src0->sadb_address_proto != dst0->sadb_address_proto) {
 2090                 ipseclog((LOG_DEBUG, "%s: invalid sockaddr.\n", __func__));
 2091                 return key_senderror(so, m, EINVAL);
 2092         }
 2093         /* make secindex */
 2094         KEY_SETSECSPIDX(xpl0->sadb_x_policy_dir,
 2095                         src0 + 1,
 2096                         dst0 + 1,
 2097                         src0->sadb_address_prefixlen,
 2098                         dst0->sadb_address_prefixlen,
 2099                         src0->sadb_address_proto,
 2100                         &spidx);
 2101 
 2102         /* Is there SP in SPD ? */
 2103         if ((sp = key_getsp(&spidx)) == NULL) {
 2104                 ipseclog((LOG_DEBUG, "%s: no SP found.\n", __func__));
 2105                 return key_senderror(so, m, EINVAL);
 2106         }
 2107 
 2108         /* save policy id to buffer to be returned. */
 2109         xpl0->sadb_x_policy_id = sp->id;
 2110 
 2111         KEYDBG(KEY_STAMP,
 2112             printf("%s: SP(%p)\n", __func__, sp));
 2113         KEYDBG(KEY_DATA, kdebug_secpolicy(sp));
 2114         key_unlink(sp);
 2115         key_freesp(&sp);
 2116 
 2117     {
 2118         struct mbuf *n;
 2119         struct sadb_msg *newmsg;
 2120 
 2121         /* create new sadb_msg to reply. */
 2122         n = key_gather_mbuf(m, mhp, 1, 4, SADB_EXT_RESERVED,
 2123             SADB_X_EXT_POLICY, SADB_EXT_ADDRESS_SRC, SADB_EXT_ADDRESS_DST);
 2124         if (!n)
 2125                 return key_senderror(so, m, ENOBUFS);
 2126 
 2127         newmsg = mtod(n, struct sadb_msg *);
 2128         newmsg->sadb_msg_errno = 0;
 2129         newmsg->sadb_msg_len = PFKEY_UNIT64(n->m_pkthdr.len);
 2130 
 2131         m_freem(m);
 2132         return key_sendup_mbuf(so, n, KEY_SENDUP_ALL);
 2133     }
 2134 }
 2135 
 2136 /*
 2137  * SADB_SPDDELETE2 processing
 2138  * receive
 2139  *   <base, policy(*)>
 2140  * from the user(?), and set SADB_SASTATE_DEAD,
 2141  * and send,
 2142  *   <base, policy(*)>
 2143  * to the ikmpd.
 2144  * policy(*) including direction of policy.
 2145  *
 2146  * m will always be freed.
 2147  */
 2148 static int
 2149 key_spddelete2(struct socket *so, struct mbuf *m,
 2150     const struct sadb_msghdr *mhp)
 2151 {
 2152         struct secpolicy *sp;
 2153         uint32_t id;
 2154 
 2155         IPSEC_ASSERT(so != NULL, ("null socket"));
 2156         IPSEC_ASSERT(m != NULL, ("null mbuf"));
 2157         IPSEC_ASSERT(mhp != NULL, ("null msghdr"));
 2158         IPSEC_ASSERT(mhp->msg != NULL, ("null msg"));
 2159 
 2160         if (SADB_CHECKHDR(mhp, SADB_X_EXT_POLICY) ||
 2161             SADB_CHECKLEN(mhp, SADB_X_EXT_POLICY)) {
 2162                 ipseclog((LOG_DEBUG, "%s: invalid message is passed.\n",
 2163                     __func__));
 2164                 return key_senderror(so, m, EINVAL);
 2165         }
 2166 
 2167         id = ((struct sadb_x_policy *)
 2168             mhp->ext[SADB_X_EXT_POLICY])->sadb_x_policy_id;
 2169 
 2170         /* Is there SP in SPD ? */
 2171         if ((sp = key_getspbyid(id)) == NULL) {
 2172                 ipseclog((LOG_DEBUG, "%s: no SP found for id %u.\n",
 2173                     __func__, id));
 2174                 return key_senderror(so, m, EINVAL);
 2175         }
 2176 
 2177         KEYDBG(KEY_STAMP,
 2178             printf("%s: SP(%p)\n", __func__, sp));
 2179         KEYDBG(KEY_DATA, kdebug_secpolicy(sp));
 2180         key_unlink(sp);
 2181         if (sp->state != IPSEC_SPSTATE_DEAD) {
 2182                 ipseclog((LOG_DEBUG, "%s: failed to delete SP with id %u.\n",
 2183                     __func__, id));
 2184                 key_freesp(&sp);
 2185                 return (key_senderror(so, m, EACCES));
 2186         }
 2187         key_freesp(&sp);
 2188 
 2189     {
 2190         struct mbuf *n, *nn;
 2191         struct sadb_msg *newmsg;
 2192         int off, len;
 2193 
 2194         /* create new sadb_msg to reply. */
 2195         len = PFKEY_ALIGN8(sizeof(struct sadb_msg));
 2196 
 2197         MGETHDR(n, M_NOWAIT, MT_DATA);
 2198         if (n && len > MHLEN) {
 2199                 if (!(MCLGET(n, M_NOWAIT))) {
 2200                         m_freem(n);
 2201                         n = NULL;
 2202                 }
 2203         }
 2204         if (!n)
 2205                 return key_senderror(so, m, ENOBUFS);
 2206 
 2207         n->m_len = len;
 2208         n->m_next = NULL;
 2209         off = 0;
 2210 
 2211         m_copydata(m, 0, sizeof(struct sadb_msg), mtod(n, caddr_t) + off);
 2212         off += PFKEY_ALIGN8(sizeof(struct sadb_msg));
 2213 
 2214         IPSEC_ASSERT(off == len, ("length inconsistency (off %u len %u)",
 2215                 off, len));
 2216 
 2217         n->m_next = m_copym(m, mhp->extoff[SADB_X_EXT_POLICY],
 2218             mhp->extlen[SADB_X_EXT_POLICY], M_NOWAIT);
 2219         if (!n->m_next) {
 2220                 m_freem(n);
 2221                 return key_senderror(so, m, ENOBUFS);
 2222         }
 2223 
 2224         n->m_pkthdr.len = 0;
 2225         for (nn = n; nn; nn = nn->m_next)
 2226                 n->m_pkthdr.len += nn->m_len;
 2227 
 2228         newmsg = mtod(n, struct sadb_msg *);
 2229         newmsg->sadb_msg_errno = 0;
 2230         newmsg->sadb_msg_len = PFKEY_UNIT64(n->m_pkthdr.len);
 2231 
 2232         m_freem(m);
 2233         return key_sendup_mbuf(so, n, KEY_SENDUP_ALL);
 2234     }
 2235 }
 2236 
 2237 /*
 2238  * SADB_X_SPDGET processing
 2239  * receive
 2240  *   <base, policy(*)>
 2241  * from the user(?),
 2242  * and send,
 2243  *   <base, address(SD), policy>
 2244  * to the ikmpd.
 2245  * policy(*) including direction of policy.
 2246  *
 2247  * m will always be freed.
 2248  */
 2249 static int
 2250 key_spdget(struct socket *so, struct mbuf *m, const struct sadb_msghdr *mhp)
 2251 {
 2252         struct secpolicy *sp;
 2253         struct mbuf *n;
 2254         uint32_t id;
 2255 
 2256         IPSEC_ASSERT(so != NULL, ("null socket"));
 2257         IPSEC_ASSERT(m != NULL, ("null mbuf"));
 2258         IPSEC_ASSERT(mhp != NULL, ("null msghdr"));
 2259         IPSEC_ASSERT(mhp->msg != NULL, ("null msg"));
 2260 
 2261         if (SADB_CHECKHDR(mhp, SADB_X_EXT_POLICY) ||
 2262             SADB_CHECKLEN(mhp, SADB_X_EXT_POLICY)) {
 2263                 ipseclog((LOG_DEBUG, "%s: invalid message is passed.\n",
 2264                     __func__));
 2265                 return key_senderror(so, m, EINVAL);
 2266         }
 2267 
 2268         id = ((struct sadb_x_policy *)
 2269             mhp->ext[SADB_X_EXT_POLICY])->sadb_x_policy_id;
 2270 
 2271         /* Is there SP in SPD ? */
 2272         if ((sp = key_getspbyid(id)) == NULL) {
 2273                 ipseclog((LOG_DEBUG, "%s: no SP found for id %u.\n",
 2274                     __func__, id));
 2275                 return key_senderror(so, m, ENOENT);
 2276         }
 2277 
 2278         n = key_setdumpsp(sp, SADB_X_SPDGET, mhp->msg->sadb_msg_seq,
 2279             mhp->msg->sadb_msg_pid);
 2280         key_freesp(&sp);
 2281         if (n != NULL) {
 2282                 m_freem(m);
 2283                 return key_sendup_mbuf(so, n, KEY_SENDUP_ONE);
 2284         } else
 2285                 return key_senderror(so, m, ENOBUFS);
 2286 }
 2287 
 2288 /*
 2289  * SADB_X_SPDACQUIRE processing.
 2290  * Acquire policy and SA(s) for a *OUTBOUND* packet.
 2291  * send
 2292  *   <base, policy(*)>
 2293  * to KMD, and expect to receive
 2294  *   <base> with SADB_X_SPDACQUIRE if error occurred,
 2295  * or
 2296  *   <base, policy>
 2297  * with SADB_X_SPDUPDATE from KMD by PF_KEY.
 2298  * policy(*) is without policy requests.
 2299  *
 2300  *    0     : succeed
 2301  *    others: error number
 2302  */
 2303 int
 2304 key_spdacquire(struct secpolicy *sp)
 2305 {
 2306         struct mbuf *result = NULL, *m;
 2307         struct secspacq *newspacq;
 2308 
 2309         IPSEC_ASSERT(sp != NULL, ("null secpolicy"));
 2310         IPSEC_ASSERT(sp->req == NULL, ("policy exists"));
 2311         IPSEC_ASSERT(sp->policy == IPSEC_POLICY_IPSEC,
 2312                 ("policy not IPSEC %u", sp->policy));
 2313 
 2314         /* Get an entry to check whether sent message or not. */
 2315         newspacq = key_getspacq(&sp->spidx);
 2316         if (newspacq != NULL) {
 2317                 if (V_key_blockacq_count < newspacq->count) {
 2318                         /* reset counter and do send message. */
 2319                         newspacq->count = 0;
 2320                 } else {
 2321                         /* increment counter and do nothing. */
 2322                         newspacq->count++;
 2323                         SPACQ_UNLOCK();
 2324                         return (0);
 2325                 }
 2326                 SPACQ_UNLOCK();
 2327         } else {
 2328                 /* make new entry for blocking to send SADB_ACQUIRE. */
 2329                 newspacq = key_newspacq(&sp->spidx);
 2330                 if (newspacq == NULL)
 2331                         return ENOBUFS;
 2332         }
 2333 
 2334         /* create new sadb_msg to reply. */
 2335         m = key_setsadbmsg(SADB_X_SPDACQUIRE, 0, 0, 0, 0, 0);
 2336         if (!m)
 2337                 return ENOBUFS;
 2338 
 2339         result = m;
 2340 
 2341         result->m_pkthdr.len = 0;
 2342         for (m = result; m; m = m->m_next)
 2343                 result->m_pkthdr.len += m->m_len;
 2344 
 2345         mtod(result, struct sadb_msg *)->sadb_msg_len =
 2346             PFKEY_UNIT64(result->m_pkthdr.len);
 2347 
 2348         return key_sendup_mbuf(NULL, m, KEY_SENDUP_REGISTERED);
 2349 }
 2350 
 2351 /*
 2352  * SADB_SPDFLUSH processing
 2353  * receive
 2354  *   <base>
 2355  * from the user, and free all entries in secpctree.
 2356  * and send,
 2357  *   <base>
 2358  * to the user.
 2359  * NOTE: what to do is only marking SADB_SASTATE_DEAD.
 2360  *
 2361  * m will always be freed.
 2362  */
 2363 static int
 2364 key_spdflush(struct socket *so, struct mbuf *m, const struct sadb_msghdr *mhp)
 2365 {
 2366         struct secpolicy_queue drainq;
 2367         struct sadb_msg *newmsg;
 2368         struct secpolicy *sp, *nextsp;
 2369         u_int dir;
 2370 
 2371         IPSEC_ASSERT(so != NULL, ("null socket"));
 2372         IPSEC_ASSERT(m != NULL, ("null mbuf"));
 2373         IPSEC_ASSERT(mhp != NULL, ("null msghdr"));
 2374         IPSEC_ASSERT(mhp->msg != NULL, ("null msg"));
 2375 
 2376         if (m->m_len != PFKEY_ALIGN8(sizeof(struct sadb_msg)))
 2377                 return key_senderror(so, m, EINVAL);
 2378 
 2379         TAILQ_INIT(&drainq);
 2380         SPTREE_WLOCK();
 2381         for (dir = 0; dir < IPSEC_DIR_MAX; dir++) {
 2382                 TAILQ_CONCAT(&drainq, &V_sptree[dir], chain);
 2383         }
 2384         /*
 2385          * We need to set state to DEAD for each policy to be sure,
 2386          * that another thread won't try to unlink it.
 2387          * Also remove SP from sphash.
 2388          */
 2389         TAILQ_FOREACH(sp, &drainq, chain) {
 2390                 sp->state = IPSEC_SPSTATE_DEAD;
 2391                 LIST_REMOVE(sp, idhash);
 2392         }
 2393         V_sp_genid++;
 2394         SPTREE_WUNLOCK();
 2395         sp = TAILQ_FIRST(&drainq);
 2396         while (sp != NULL) {
 2397                 nextsp = TAILQ_NEXT(sp, chain);
 2398                 key_freesp(&sp);
 2399                 sp = nextsp;
 2400         }
 2401 
 2402         if (sizeof(struct sadb_msg) > m->m_len + M_TRAILINGSPACE(m)) {
 2403                 ipseclog((LOG_DEBUG, "%s: No more memory.\n", __func__));
 2404                 return key_senderror(so, m, ENOBUFS);
 2405         }
 2406 
 2407         if (m->m_next)
 2408                 m_freem(m->m_next);
 2409         m->m_next = NULL;
 2410         m->m_pkthdr.len = m->m_len = PFKEY_ALIGN8(sizeof(struct sadb_msg));
 2411         newmsg = mtod(m, struct sadb_msg *);
 2412         newmsg->sadb_msg_errno = 0;
 2413         newmsg->sadb_msg_len = PFKEY_UNIT64(m->m_pkthdr.len);
 2414 
 2415         return key_sendup_mbuf(so, m, KEY_SENDUP_ALL);
 2416 }
 2417 
 2418 static uint8_t
 2419 key_satype2scopemask(uint8_t satype)
 2420 {
 2421 
 2422         if (satype == IPSEC_POLICYSCOPE_ANY)
 2423                 return (0xff);
 2424         return (satype);
 2425 }
 2426 /*
 2427  * SADB_SPDDUMP processing
 2428  * receive
 2429  *   <base>
 2430  * from the user, and dump all SP leaves and send,
 2431  *   <base> .....
 2432  * to the ikmpd.
 2433  *
 2434  * NOTE:
 2435  *   sadb_msg_satype is considered as mask of policy scopes.
 2436  *   m will always be freed.
 2437  */
 2438 static int
 2439 key_spddump(struct socket *so, struct mbuf *m, const struct sadb_msghdr *mhp)
 2440 {
 2441         SPTREE_RLOCK_TRACKER;
 2442         struct secpolicy *sp;
 2443         struct mbuf *n;
 2444         int cnt;
 2445         u_int dir, scope;
 2446 
 2447         IPSEC_ASSERT(so != NULL, ("null socket"));
 2448         IPSEC_ASSERT(m != NULL, ("null mbuf"));
 2449         IPSEC_ASSERT(mhp != NULL, ("null msghdr"));
 2450         IPSEC_ASSERT(mhp->msg != NULL, ("null msg"));
 2451 
 2452         /* search SPD entry and get buffer size. */
 2453         cnt = 0;
 2454         scope = key_satype2scopemask(mhp->msg->sadb_msg_satype);
 2455         SPTREE_RLOCK();
 2456         for (dir = 0; dir < IPSEC_DIR_MAX; dir++) {
 2457                 if (scope & IPSEC_POLICYSCOPE_GLOBAL) {
 2458                         TAILQ_FOREACH(sp, &V_sptree[dir], chain)
 2459                                 cnt++;
 2460                 }
 2461                 if (scope & IPSEC_POLICYSCOPE_IFNET) {
 2462                         TAILQ_FOREACH(sp, &V_sptree_ifnet[dir], chain)
 2463                                 cnt++;
 2464                 }
 2465         }
 2466 
 2467         if (cnt == 0) {
 2468                 SPTREE_RUNLOCK();
 2469                 return key_senderror(so, m, ENOENT);
 2470         }
 2471 
 2472         for (dir = 0; dir < IPSEC_DIR_MAX; dir++) {
 2473                 if (scope & IPSEC_POLICYSCOPE_GLOBAL) {
 2474                         TAILQ_FOREACH(sp, &V_sptree[dir], chain) {
 2475                                 --cnt;
 2476                                 n = key_setdumpsp(sp, SADB_X_SPDDUMP, cnt,
 2477                                     mhp->msg->sadb_msg_pid);
 2478 
 2479                                 if (n != NULL)
 2480                                         key_sendup_mbuf(so, n, KEY_SENDUP_ONE);
 2481                         }
 2482                 }
 2483                 if (scope & IPSEC_POLICYSCOPE_IFNET) {
 2484                         TAILQ_FOREACH(sp, &V_sptree_ifnet[dir], chain) {
 2485                                 --cnt;
 2486                                 n = key_setdumpsp(sp, SADB_X_SPDDUMP, cnt,
 2487                                     mhp->msg->sadb_msg_pid);
 2488 
 2489                                 if (n != NULL)
 2490                                         key_sendup_mbuf(so, n, KEY_SENDUP_ONE);
 2491                         }
 2492                 }
 2493         }
 2494 
 2495         SPTREE_RUNLOCK();
 2496         m_freem(m);
 2497         return (0);
 2498 }
 2499 
 2500 static struct mbuf *
 2501 key_setdumpsp(struct secpolicy *sp, u_int8_t type, u_int32_t seq,
 2502     u_int32_t pid)
 2503 {
 2504         struct mbuf *result = NULL, *m;
 2505         struct seclifetime lt;
 2506 
 2507         m = key_setsadbmsg(type, 0, SADB_SATYPE_UNSPEC, seq, pid, sp->refcnt);
 2508         if (!m)
 2509                 goto fail;
 2510         result = m;
 2511 
 2512         m = key_setsadbaddr(SADB_EXT_ADDRESS_SRC,
 2513             &sp->spidx.src.sa, sp->spidx.prefs,
 2514             sp->spidx.ul_proto);
 2515         if (!m)
 2516                 goto fail;
 2517         m_cat(result, m);
 2518 
 2519         m = key_setsadbaddr(SADB_EXT_ADDRESS_DST,
 2520             &sp->spidx.dst.sa, sp->spidx.prefd,
 2521             sp->spidx.ul_proto);
 2522         if (!m)
 2523                 goto fail;
 2524         m_cat(result, m);
 2525 
 2526         m = key_sp2mbuf(sp);
 2527         if (!m)
 2528                 goto fail;
 2529         m_cat(result, m);
 2530 
 2531         if(sp->lifetime){
 2532                 lt.addtime=sp->created;
 2533                 lt.usetime= sp->lastused;
 2534                 m = key_setlifetime(&lt, SADB_EXT_LIFETIME_CURRENT);
 2535                 if (!m)
 2536                         goto fail;
 2537                 m_cat(result, m);
 2538                 
 2539                 lt.addtime=sp->lifetime;
 2540                 lt.usetime= sp->validtime;
 2541                 m = key_setlifetime(&lt, SADB_EXT_LIFETIME_HARD);
 2542                 if (!m)
 2543                         goto fail;
 2544                 m_cat(result, m);
 2545         }
 2546 
 2547         if ((result->m_flags & M_PKTHDR) == 0)
 2548                 goto fail;
 2549 
 2550         if (result->m_len < sizeof(struct sadb_msg)) {
 2551                 result = m_pullup(result, sizeof(struct sadb_msg));
 2552                 if (result == NULL)
 2553                         goto fail;
 2554         }
 2555 
 2556         result->m_pkthdr.len = 0;
 2557         for (m = result; m; m = m->m_next)
 2558                 result->m_pkthdr.len += m->m_len;
 2559 
 2560         mtod(result, struct sadb_msg *)->sadb_msg_len =
 2561             PFKEY_UNIT64(result->m_pkthdr.len);
 2562 
 2563         return result;
 2564 
 2565 fail:
 2566         m_freem(result);
 2567         return NULL;
 2568 }
 2569 /*
 2570  * get PFKEY message length for security policy and request.
 2571  */
 2572 static size_t
 2573 key_getspreqmsglen(struct secpolicy *sp)
 2574 {
 2575         size_t tlen, len;
 2576         int i;
 2577 
 2578         tlen = sizeof(struct sadb_x_policy);
 2579         /* if is the policy for ipsec ? */
 2580         if (sp->policy != IPSEC_POLICY_IPSEC)
 2581                 return (tlen);
 2582 
 2583         /* get length of ipsec requests */
 2584         for (i = 0; i < sp->tcount; i++) {
 2585                 len = sizeof(struct sadb_x_ipsecrequest)
 2586                         + sp->req[i]->saidx.src.sa.sa_len
 2587                         + sp->req[i]->saidx.dst.sa.sa_len;
 2588 
 2589                 tlen += PFKEY_ALIGN8(len);
 2590         }
 2591         return (tlen);
 2592 }
 2593 
 2594 /*
 2595  * SADB_SPDEXPIRE processing
 2596  * send
 2597  *   <base, address(SD), lifetime(CH), policy>
 2598  * to KMD by PF_KEY.
 2599  *
 2600  * OUT: 0       : succeed
 2601  *      others  : error number
 2602  */
 2603 static int
 2604 key_spdexpire(struct secpolicy *sp)
 2605 {
 2606         struct sadb_lifetime *lt;
 2607         struct mbuf *result = NULL, *m;
 2608         int len, error = -1;
 2609 
 2610         IPSEC_ASSERT(sp != NULL, ("null secpolicy"));
 2611 
 2612         KEYDBG(KEY_STAMP,
 2613             printf("%s: SP(%p)\n", __func__, sp));
 2614         KEYDBG(KEY_DATA, kdebug_secpolicy(sp));
 2615 
 2616         /* set msg header */
 2617         m = key_setsadbmsg(SADB_X_SPDEXPIRE, 0, 0, 0, 0, 0);
 2618         if (!m) {
 2619                 error = ENOBUFS;
 2620                 goto fail;
 2621         }
 2622         result = m;
 2623 
 2624         /* create lifetime extension (current and hard) */
 2625         len = PFKEY_ALIGN8(sizeof(*lt)) * 2;
 2626         m = m_get2(len, M_NOWAIT, MT_DATA, 0);
 2627         if (m == NULL) {
 2628                 error = ENOBUFS;
 2629                 goto fail;
 2630         }
 2631         m_align(m, len);
 2632         m->m_len = len;
 2633         bzero(mtod(m, caddr_t), len);
 2634         lt = mtod(m, struct sadb_lifetime *);
 2635         lt->sadb_lifetime_len = PFKEY_UNIT64(sizeof(struct sadb_lifetime));
 2636         lt->sadb_lifetime_exttype = SADB_EXT_LIFETIME_CURRENT;
 2637         lt->sadb_lifetime_allocations = 0;
 2638         lt->sadb_lifetime_bytes = 0;
 2639         lt->sadb_lifetime_addtime = sp->created;
 2640         lt->sadb_lifetime_usetime = sp->lastused;
 2641         lt = (struct sadb_lifetime *)(mtod(m, caddr_t) + len / 2);
 2642         lt->sadb_lifetime_len = PFKEY_UNIT64(sizeof(struct sadb_lifetime));
 2643         lt->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD;
 2644         lt->sadb_lifetime_allocations = 0;
 2645         lt->sadb_lifetime_bytes = 0;
 2646         lt->sadb_lifetime_addtime = sp->lifetime;
 2647         lt->sadb_lifetime_usetime = sp->validtime;
 2648         m_cat(result, m);
 2649 
 2650         /* set sadb_address for source */
 2651         m = key_setsadbaddr(SADB_EXT_ADDRESS_SRC,
 2652             &sp->spidx.src.sa,
 2653             sp->spidx.prefs, sp->spidx.ul_proto);
 2654         if (!m) {
 2655                 error = ENOBUFS;
 2656                 goto fail;
 2657         }
 2658         m_cat(result, m);
 2659 
 2660         /* set sadb_address for destination */
 2661         m = key_setsadbaddr(SADB_EXT_ADDRESS_DST,
 2662             &sp->spidx.dst.sa,
 2663             sp->spidx.prefd, sp->spidx.ul_proto);
 2664         if (!m) {
 2665                 error = ENOBUFS;
 2666                 goto fail;
 2667         }
 2668         m_cat(result, m);
 2669 
 2670         /* set secpolicy */
 2671         m = key_sp2mbuf(sp);
 2672         if (!m) {
 2673                 error = ENOBUFS;
 2674                 goto fail;
 2675         }
 2676         m_cat(result, m);
 2677 
 2678         if ((result->m_flags & M_PKTHDR) == 0) {
 2679                 error = EINVAL;
 2680                 goto fail;
 2681         }
 2682 
 2683         if (result->m_len < sizeof(struct sadb_msg)) {
 2684                 result = m_pullup(result, sizeof(struct sadb_msg));
 2685                 if (result == NULL) {
 2686                         error = ENOBUFS;
 2687                         goto fail;
 2688                 }
 2689         }
 2690 
 2691         result->m_pkthdr.len = 0;
 2692         for (m = result; m; m = m->m_next)
 2693                 result->m_pkthdr.len += m->m_len;
 2694 
 2695         mtod(result, struct sadb_msg *)->sadb_msg_len =
 2696             PFKEY_UNIT64(result->m_pkthdr.len);
 2697 
 2698         return key_sendup_mbuf(NULL, result, KEY_SENDUP_REGISTERED);
 2699 
 2700  fail:
 2701         if (result)
 2702                 m_freem(result);
 2703         return error;
 2704 }
 2705 
 2706 /* %%% SAD management */
 2707 /*
 2708  * allocating and initialize new SA head.
 2709  * OUT: NULL    : failure due to the lack of memory.
 2710  *      others  : pointer to new SA head.
 2711  */
 2712 static struct secashead *
 2713 key_newsah(struct secasindex *saidx)
 2714 {
 2715         struct secashead *sah;
 2716 
 2717         sah = malloc(sizeof(struct secashead), M_IPSEC_SAH,
 2718             M_NOWAIT | M_ZERO);
 2719         if (sah == NULL) {
 2720                 PFKEYSTAT_INC(in_nomem);
 2721                 return (NULL);
 2722         }
 2723         TAILQ_INIT(&sah->savtree_larval);
 2724         TAILQ_INIT(&sah->savtree_alive);
 2725         sah->saidx = *saidx;
 2726         sah->state = SADB_SASTATE_DEAD;
 2727         SAH_INITREF(sah);
 2728 
 2729         KEYDBG(KEY_STAMP,
 2730             printf("%s: SAH(%p)\n", __func__, sah));
 2731         KEYDBG(KEY_DATA, kdebug_secash(sah, NULL));
 2732         return (sah);
 2733 }
 2734 
 2735 static void
 2736 key_freesah(struct secashead **psah)
 2737 {
 2738         struct secashead *sah = *psah;
 2739 
 2740         if (SAH_DELREF(sah) == 0)
 2741                 return;
 2742 
 2743         KEYDBG(KEY_STAMP,
 2744             printf("%s: last reference to SAH(%p)\n", __func__, sah));
 2745         KEYDBG(KEY_DATA, kdebug_secash(sah, NULL));
 2746 
 2747         *psah = NULL;
 2748         key_delsah(sah);
 2749 }
 2750 
 2751 static void
 2752 key_delsah(struct secashead *sah)
 2753 {
 2754         IPSEC_ASSERT(sah != NULL, ("NULL sah"));
 2755         IPSEC_ASSERT(sah->state == SADB_SASTATE_DEAD,
 2756             ("Attempt to free non DEAD SAH %p", sah));
 2757         IPSEC_ASSERT(TAILQ_EMPTY(&sah->savtree_larval),
 2758             ("Attempt to free SAH %p with LARVAL SA", sah));
 2759         IPSEC_ASSERT(TAILQ_EMPTY(&sah->savtree_alive),
 2760             ("Attempt to free SAH %p with ALIVE SA", sah));
 2761 
 2762         free(sah, M_IPSEC_SAH);
 2763 }
 2764 
 2765 /*
 2766  * allocating a new SA for key_add() and key_getspi() call,
 2767  * and copy the values of mhp into new buffer.
 2768  * When SAD message type is SADB_GETSPI set SA state to LARVAL.
 2769  * For SADB_ADD create and initialize SA with MATURE state.
 2770  * OUT: NULL    : fail
 2771  *      others  : pointer to new secasvar.
 2772  */
 2773 static struct secasvar *
 2774 key_newsav(const struct sadb_msghdr *mhp, struct secasindex *saidx,
 2775     uint32_t spi, int *errp)
 2776 {
 2777         struct secashead *sah;
 2778         struct secasvar *sav;
 2779         int isnew;
 2780 
 2781         IPSEC_ASSERT(mhp != NULL, ("null msghdr"));
 2782         IPSEC_ASSERT(mhp->msg != NULL, ("null msg"));
 2783         IPSEC_ASSERT(mhp->msg->sadb_msg_type == SADB_GETSPI ||
 2784             mhp->msg->sadb_msg_type == SADB_ADD, ("wrong message type"));
 2785 
 2786         sav = NULL;
 2787         sah = NULL;
 2788         /* check SPI value */
 2789         switch (saidx->proto) {
 2790         case IPPROTO_ESP:
 2791         case IPPROTO_AH:
 2792                 /*
 2793                  * RFC 4302, 2.4. Security Parameters Index (SPI), SPI values
 2794                  * 1-255 reserved by IANA for future use,
 2795                  * 0 for implementation specific, local use.
 2796                  */
 2797                 if (ntohl(spi) <= 255) {
 2798                         ipseclog((LOG_DEBUG, "%s: illegal range of SPI %u.\n",
 2799                             __func__, ntohl(spi)));
 2800                         *errp = EINVAL;
 2801                         goto done;
 2802                 }
 2803                 break;
 2804         }
 2805 
 2806         sav = malloc(sizeof(struct secasvar), M_IPSEC_SA, M_NOWAIT | M_ZERO);
 2807         if (sav == NULL) {
 2808                 *errp = ENOBUFS;
 2809                 goto done;
 2810         }
 2811         sav->lock = malloc(sizeof(struct mtx), M_IPSEC_MISC,
 2812             M_NOWAIT | M_ZERO);
 2813         if (sav->lock == NULL) {
 2814                 *errp = ENOBUFS;
 2815                 goto done;
 2816         }
 2817         mtx_init(sav->lock, "ipsec association", NULL, MTX_DEF);
 2818         sav->lft_c = uma_zalloc(V_key_lft_zone, M_NOWAIT);
 2819         if (sav->lft_c == NULL) {
 2820                 *errp = ENOBUFS;
 2821                 goto done;
 2822         }
 2823         counter_u64_zero(sav->lft_c_allocations);
 2824         counter_u64_zero(sav->lft_c_bytes);
 2825 
 2826         sav->spi = spi;
 2827         sav->seq = mhp->msg->sadb_msg_seq;
 2828         sav->state = SADB_SASTATE_LARVAL;
 2829         sav->pid = (pid_t)mhp->msg->sadb_msg_pid;
 2830         SAV_INITREF(sav);
 2831 again:
 2832         sah = key_getsah(saidx);
 2833         if (sah == NULL) {
 2834                 /* create a new SA index */
 2835                 sah = key_newsah(saidx);
 2836                 if (sah == NULL) {
 2837                         ipseclog((LOG_DEBUG,
 2838                             "%s: No more memory.\n", __func__));
 2839                         *errp = ENOBUFS;
 2840                         goto done;
 2841                 }
 2842                 isnew = 1;
 2843         } else
 2844                 isnew = 0;
 2845 
 2846         sav->sah = sah;
 2847         if (mhp->msg->sadb_msg_type == SADB_GETSPI) {
 2848                 sav->created = time_second;
 2849         } else if (sav->state == SADB_SASTATE_LARVAL) {
 2850                 /*
 2851                  * Do not call key_setsaval() second time in case
 2852                  * of `goto again`. We will have MATURE state.
 2853                  */
 2854                 *errp = key_setsaval(sav, mhp);
 2855                 if (*errp != 0)
 2856                         goto done;
 2857                 sav->state = SADB_SASTATE_MATURE;
 2858         }
 2859 
 2860         SAHTREE_WLOCK();
 2861         /*
 2862          * Check that existing SAH wasn't unlinked.
 2863          * Since we didn't hold the SAHTREE lock, it is possible,
 2864          * that callout handler or key_flush() or key_delete() could
 2865          * unlink this SAH.
 2866          */
 2867         if (isnew == 0 && sah->state == SADB_SASTATE_DEAD) {
 2868                 SAHTREE_WUNLOCK();
 2869                 key_freesah(&sah);      /* reference from key_getsah() */
 2870                 goto again;
 2871         }
 2872         if (isnew != 0) {
 2873                 /*
 2874                  * Add new SAH into SADB.
 2875                  *
 2876                  * XXXAE: we can serialize key_add and key_getspi calls, so
 2877                  * several threads will not fight in the race.
 2878                  * Otherwise we should check under SAHTREE lock, that this
 2879                  * SAH would not added twice.
 2880                  */
 2881                 TAILQ_INSERT_HEAD(&V_sahtree, sah, chain);
 2882                 /* Add new SAH into hash by addresses */
 2883                 LIST_INSERT_HEAD(SAHADDRHASH_HASH(saidx), sah, addrhash);
 2884                 /* Now we are linked in the chain */
 2885                 sah->state = SADB_SASTATE_MATURE;
 2886                 /*
 2887                  * SAV references this new SAH.
 2888                  * In case of existing SAH we reuse reference
 2889                  * from key_getsah().
 2890                  */
 2891                 SAH_ADDREF(sah);
 2892         }
 2893         /* Link SAV with SAH */
 2894         if (sav->state == SADB_SASTATE_MATURE)
 2895                 TAILQ_INSERT_HEAD(&sah->savtree_alive, sav, chain);
 2896         else
 2897                 TAILQ_INSERT_HEAD(&sah->savtree_larval, sav, chain);
 2898         /* Add SAV into SPI hash */
 2899         LIST_INSERT_HEAD(SAVHASH_HASH(sav->spi), sav, spihash);
 2900         SAHTREE_WUNLOCK();
 2901         *errp = 0;      /* success */
 2902 done:
 2903         if (*errp != 0) {
 2904                 if (sav != NULL) {
 2905                         if (sav->lock != NULL) {
 2906                                 mtx_destroy(sav->lock);
 2907                                 free(sav->lock, M_IPSEC_MISC);
 2908                         }
 2909                         if (sav->lft_c != NULL)
 2910                                 uma_zfree(V_key_lft_zone, sav->lft_c);
 2911                         free(sav, M_IPSEC_SA), sav = NULL;
 2912                 }
 2913                 if (sah != NULL)
 2914                         key_freesah(&sah);
 2915                 if (*errp == ENOBUFS) {
 2916                         ipseclog((LOG_DEBUG, "%s: No more memory.\n",
 2917                             __func__));
 2918                         PFKEYSTAT_INC(in_nomem);
 2919                 }
 2920         }
 2921         return (sav);
 2922 }
 2923 
 2924 /*
 2925  * free() SA variable entry.
 2926  */
 2927 static void
 2928 key_cleansav(struct secasvar *sav)
 2929 {
 2930 
 2931         if (sav->natt != NULL) {
 2932                 free(sav->natt, M_IPSEC_MISC);
 2933                 sav->natt = NULL;
 2934         }
 2935         if (sav->flags & SADB_X_EXT_F_CLONED)
 2936                 return;
 2937         /*
 2938          * Cleanup xform state.  Note that zeroize'ing causes the
 2939          * keys to be cleared; otherwise we must do it ourself.
 2940          */
 2941         if (sav->tdb_xform != NULL) {
 2942                 sav->tdb_xform->xf_zeroize(sav);
 2943                 sav->tdb_xform = NULL;
 2944         } else {
 2945                 if (sav->key_auth != NULL)
 2946                         bzero(sav->key_auth->key_data, _KEYLEN(sav->key_auth));
 2947                 if (sav->key_enc != NULL)
 2948                         bzero(sav->key_enc->key_data, _KEYLEN(sav->key_enc));
 2949         }
 2950         if (sav->key_auth != NULL) {
 2951                 if (sav->key_auth->key_data != NULL)
 2952                         free(sav->key_auth->key_data, M_IPSEC_MISC);
 2953                 free(sav->key_auth, M_IPSEC_MISC);
 2954                 sav->key_auth = NULL;
 2955         }
 2956         if (sav->key_enc != NULL) {
 2957                 if (sav->key_enc->key_data != NULL)
 2958                         free(sav->key_enc->key_data, M_IPSEC_MISC);
 2959                 free(sav->key_enc, M_IPSEC_MISC);
 2960                 sav->key_enc = NULL;
 2961         }
 2962         if (sav->replay != NULL) {
 2963                 if (sav->replay->bitmap != NULL)
 2964                         free(sav->replay->bitmap, M_IPSEC_MISC);
 2965                 free(sav->replay, M_IPSEC_MISC);
 2966                 sav->replay = NULL;
 2967         }
 2968         if (sav->lft_h != NULL) {
 2969                 free(sav->lft_h, M_IPSEC_MISC);
 2970                 sav->lft_h = NULL;
 2971         }
 2972         if (sav->lft_s != NULL) {
 2973                 free(sav->lft_s, M_IPSEC_MISC);
 2974                 sav->lft_s = NULL;
 2975         }
 2976 }
 2977 
 2978 /*
 2979  * free() SA variable entry.
 2980  */
 2981 static void
 2982 key_delsav(struct secasvar *sav)
 2983 {
 2984         IPSEC_ASSERT(sav != NULL, ("null sav"));
 2985         IPSEC_ASSERT(sav->state == SADB_SASTATE_DEAD,
 2986             ("attempt to free non DEAD SA %p", sav));
 2987         IPSEC_ASSERT(sav->refcnt == 0, ("reference count %u > 0",
 2988             sav->refcnt));
 2989 
 2990         /*
 2991          * SA must be unlinked from the chain and hashtbl.
 2992          * If SA was cloned, we leave all fields untouched,
 2993          * except NAT-T config.
 2994          */
 2995         key_cleansav(sav);
 2996         if ((sav->flags & SADB_X_EXT_F_CLONED) == 0) {
 2997                 mtx_destroy(sav->lock);
 2998                 free(sav->lock, M_IPSEC_MISC);
 2999                 uma_zfree(V_key_lft_zone, sav->lft_c);
 3000         }
 3001         free(sav, M_IPSEC_SA);
 3002 }
 3003 
 3004 /*
 3005  * search SAH.
 3006  * OUT:
 3007  *      NULL    : not found
 3008  *      others  : found, referenced pointer to a SAH.
 3009  */
 3010 static struct secashead *
 3011 key_getsah(struct secasindex *saidx)
 3012 {
 3013         SAHTREE_RLOCK_TRACKER;
 3014         struct secashead *sah;
 3015 
 3016         SAHTREE_RLOCK();
 3017         LIST_FOREACH(sah, SAHADDRHASH_HASH(saidx), addrhash) {
 3018             if (key_cmpsaidx(&sah->saidx, saidx, CMP_MODE_REQID) != 0) {
 3019                     SAH_ADDREF(sah);
 3020                     break;
 3021             }
 3022         }
 3023         SAHTREE_RUNLOCK();
 3024         return (sah);
 3025 }
 3026 
 3027 /*
 3028  * Check not to be duplicated SPI.
 3029  * OUT:
 3030  *      0       : not found
 3031  *      1       : found SA with given SPI.
 3032  */
 3033 static int
 3034 key_checkspidup(uint32_t spi)
 3035 {
 3036         SAHTREE_RLOCK_TRACKER;
 3037         struct secasvar *sav;
 3038 
 3039         /* Assume SPI is in network byte order */
 3040         SAHTREE_RLOCK();
 3041         LIST_FOREACH(sav, SAVHASH_HASH(spi), spihash) {
 3042                 if (sav->spi == spi)
 3043                         break;
 3044         }
 3045         SAHTREE_RUNLOCK();
 3046         return (sav != NULL);
 3047 }
 3048 
 3049 /*
 3050  * Search SA by SPI.
 3051  * OUT:
 3052  *      NULL    : not found
 3053  *      others  : found, referenced pointer to a SA.
 3054  */
 3055 static struct secasvar *
 3056 key_getsavbyspi(uint32_t spi)
 3057 {
 3058         SAHTREE_RLOCK_TRACKER;
 3059         struct secasvar *sav;
 3060 
 3061         /* Assume SPI is in network byte order */
 3062         SAHTREE_RLOCK();
 3063         LIST_FOREACH(sav, SAVHASH_HASH(spi), spihash) {
 3064                 if (sav->spi != spi)
 3065                         continue;
 3066                 SAV_ADDREF(sav);
 3067                 break;
 3068         }
 3069         SAHTREE_RUNLOCK();
 3070         return (sav);
 3071 }
 3072 
 3073 static int
 3074 key_updatelifetimes(struct secasvar *sav, const struct sadb_msghdr *mhp)
 3075 {
 3076         struct seclifetime *lft_h, *lft_s, *tmp;
 3077 
 3078         /* Lifetime extension is optional, check that it is present. */
 3079         if (SADB_CHECKHDR(mhp, SADB_EXT_LIFETIME_HARD) &&
 3080             SADB_CHECKHDR(mhp, SADB_EXT_LIFETIME_SOFT)) {
 3081                 /*
 3082                  * In case of SADB_UPDATE we may need to change
 3083                  * existing lifetimes.
 3084                  */
 3085                 if (sav->state == SADB_SASTATE_MATURE) {
 3086                         lft_h = lft_s = NULL;
 3087                         goto reset;
 3088                 }
 3089                 return (0);
 3090         }
 3091         /* Both HARD and SOFT extensions must present */
 3092         if ((SADB_CHECKHDR(mhp, SADB_EXT_LIFETIME_HARD) &&
 3093             !SADB_CHECKHDR(mhp, SADB_EXT_LIFETIME_SOFT)) ||
 3094             (SADB_CHECKHDR(mhp, SADB_EXT_LIFETIME_SOFT) &&
 3095             !SADB_CHECKHDR(mhp, SADB_EXT_LIFETIME_HARD))) {
 3096                 ipseclog((LOG_DEBUG,
 3097                     "%s: invalid message: missing required header.\n",
 3098                     __func__));
 3099                 return (EINVAL);
 3100         }
 3101         if (SADB_CHECKLEN(mhp, SADB_EXT_LIFETIME_HARD) ||
 3102             SADB_CHECKLEN(mhp, SADB_EXT_LIFETIME_SOFT)) {
 3103                 ipseclog((LOG_DEBUG,
 3104                     "%s: invalid message: wrong header size.\n", __func__));
 3105                 return (EINVAL);
 3106         }
 3107         lft_h = key_dup_lifemsg((const struct sadb_lifetime *)
 3108             mhp->ext[SADB_EXT_LIFETIME_HARD], M_IPSEC_MISC);
 3109         if (lft_h == NULL) {
 3110                 PFKEYSTAT_INC(in_nomem);
 3111                 ipseclog((LOG_DEBUG, "%s: No more memory.\n", __func__));
 3112                 return (ENOBUFS);
 3113         }
 3114         lft_s = key_dup_lifemsg((const struct sadb_lifetime *)
 3115             mhp->ext[SADB_EXT_LIFETIME_SOFT], M_IPSEC_MISC);
 3116         if (lft_s == NULL) {
 3117                 PFKEYSTAT_INC(in_nomem);
 3118                 free(lft_h, M_IPSEC_MISC);
 3119                 ipseclog((LOG_DEBUG, "%s: No more memory.\n", __func__));
 3120                 return (ENOBUFS);
 3121         }
 3122 reset:
 3123         if (sav->state != SADB_SASTATE_LARVAL) {
 3124                 /*
 3125                  * key_update() holds reference to this SA,
 3126                  * so it won't be deleted in meanwhile.
 3127                  */
 3128                 SECASVAR_LOCK(sav);
 3129                 tmp = sav->lft_h;
 3130                 sav->lft_h = lft_h;
 3131                 lft_h = tmp;
 3132 
 3133                 tmp = sav->lft_s;
 3134                 sav->lft_s = lft_s;
 3135                 lft_s = tmp;
 3136                 SECASVAR_UNLOCK(sav);
 3137                 if (lft_h != NULL)
 3138                         free(lft_h, M_IPSEC_MISC);
 3139                 if (lft_s != NULL)
 3140                         free(lft_s, M_IPSEC_MISC);
 3141                 return (0);
 3142         }
 3143         /* We can update lifetime without holding a lock */
 3144         IPSEC_ASSERT(sav->lft_h == NULL, ("lft_h is already initialized\n"));
 3145         IPSEC_ASSERT(sav->lft_s == NULL, ("lft_s is already initialized\n"));
 3146         sav->lft_h = lft_h;
 3147         sav->lft_s = lft_s;
 3148         return (0);
 3149 }
 3150 
 3151 /*
 3152  * copy SA values from PF_KEY message except *SPI, SEQ, PID and TYPE*.
 3153  * You must update these if need. Expects only LARVAL SAs.
 3154  * OUT: 0:      success.
 3155  *      !0:     failure.
 3156  */
 3157 static int
 3158 key_setsaval(struct secasvar *sav, const struct sadb_msghdr *mhp)
 3159 {
 3160         const struct sadb_sa *sa0;
 3161         const struct sadb_key *key0;
 3162         uint32_t replay;
 3163         size_t len;
 3164         int error;
 3165 
 3166         IPSEC_ASSERT(mhp != NULL, ("null msghdr"));
 3167         IPSEC_ASSERT(mhp->msg != NULL, ("null msg"));
 3168         IPSEC_ASSERT(sav->state == SADB_SASTATE_LARVAL,
 3169             ("Attempt to update non LARVAL SA"));
 3170 
 3171         /* XXX rewrite */
 3172         error = key_setident(sav->sah, mhp);
 3173         if (error != 0)
 3174                 goto fail;
 3175 
 3176         /* SA */
 3177         if (!SADB_CHECKHDR(mhp, SADB_EXT_SA)) {
 3178                 if (SADB_CHECKLEN(mhp, SADB_EXT_SA)) {
 3179                         error = EINVAL;
 3180                         goto fail;
 3181                 }
 3182                 sa0 = (const struct sadb_sa *)mhp->ext[SADB_EXT_SA];
 3183                 sav->alg_auth = sa0->sadb_sa_auth;
 3184                 sav->alg_enc = sa0->sadb_sa_encrypt;
 3185                 sav->flags = sa0->sadb_sa_flags;
 3186                 if ((sav->flags & SADB_KEY_FLAGS_MAX) != sav->flags) {
 3187                         ipseclog((LOG_DEBUG,
 3188                             "%s: invalid sa_flags 0x%08x.\n", __func__,
 3189                             sav->flags));
 3190                         error = EINVAL;
 3191                         goto fail;
 3192                 }
 3193 
 3194                 /* Optional replay window */
 3195                 replay = 0;
 3196                 if ((sa0->sadb_sa_flags & SADB_X_EXT_OLD) == 0)
 3197                         replay = sa0->sadb_sa_replay;
 3198                 if (!SADB_CHECKHDR(mhp, SADB_X_EXT_SA_REPLAY)) {
 3199                         if (SADB_CHECKLEN(mhp, SADB_X_EXT_SA_REPLAY)) {
 3200                                 error = EINVAL;
 3201                                 goto fail;
 3202                         }
 3203                         replay = ((const struct sadb_x_sa_replay *)
 3204                             mhp->ext[SADB_X_EXT_SA_REPLAY])->sadb_x_sa_replay_replay;
 3205 
 3206                         if (replay > UINT32_MAX - 32) {
 3207                                 ipseclog((LOG_DEBUG,
 3208                                     "%s: replay window too big.\n", __func__));
 3209                                 error = EINVAL;
 3210                                 goto fail;
 3211                         }
 3212 
 3213                         replay = (replay + 7) >> 3;
 3214                 }
 3215 
 3216                 sav->replay = malloc(sizeof(struct secreplay), M_IPSEC_MISC,
 3217                     M_NOWAIT | M_ZERO);
 3218                 if (sav->replay == NULL) {
 3219                         PFKEYSTAT_INC(in_nomem);
 3220                         ipseclog((LOG_DEBUG, "%s: No more memory.\n",
 3221                             __func__));
 3222                         error = ENOBUFS;
 3223                         goto fail;
 3224                 }
 3225 
 3226                 if (replay != 0) {
 3227                         /* number of 32b blocks to be allocated */
 3228                         uint32_t bitmap_size;
 3229 
 3230                         /* RFC 6479:
 3231                          * - the allocated replay window size must be
 3232                          *   a power of two.
 3233                          * - use an extra 32b block as a redundant window.
 3234                          */
 3235                         bitmap_size = 1;
 3236                         while (replay + 4 > bitmap_size)
 3237                                 bitmap_size <<= 1;
 3238                         bitmap_size = bitmap_size / 4;
 3239 
 3240                         sav->replay->bitmap = malloc(
 3241                             bitmap_size * sizeof(uint32_t), M_IPSEC_MISC,
 3242                             M_NOWAIT | M_ZERO);
 3243                         if (sav->replay->bitmap == NULL) {
 3244                                 PFKEYSTAT_INC(in_nomem);
 3245                                 ipseclog((LOG_DEBUG, "%s: No more memory.\n",
 3246                                         __func__));
 3247                                 error = ENOBUFS;
 3248                                 goto fail;
 3249                         }
 3250                         sav->replay->bitmap_size = bitmap_size;
 3251                         sav->replay->wsize = replay;
 3252                 }
 3253         }
 3254 
 3255         /* Authentication keys */
 3256         if (!SADB_CHECKHDR(mhp, SADB_EXT_KEY_AUTH)) {
 3257                 if (SADB_CHECKLEN(mhp, SADB_EXT_KEY_AUTH)) {
 3258                         error = EINVAL;
 3259                         goto fail;
 3260                 }
 3261                 error = 0;
 3262                 key0 = (const struct sadb_key *)mhp->ext[SADB_EXT_KEY_AUTH];
 3263                 len = mhp->extlen[SADB_EXT_KEY_AUTH];
 3264                 switch (mhp->msg->sadb_msg_satype) {
 3265                 case SADB_SATYPE_AH:
 3266                 case SADB_SATYPE_ESP:
 3267                 case SADB_X_SATYPE_TCPSIGNATURE:
 3268                         if (len == PFKEY_ALIGN8(sizeof(struct sadb_key)) &&
 3269                             sav->alg_auth != SADB_X_AALG_NULL)
 3270                                 error = EINVAL;
 3271                         break;
 3272                 case SADB_X_SATYPE_IPCOMP:
 3273                 default:
 3274                         error = EINVAL;
 3275                         break;
 3276                 }
 3277                 if (error) {
 3278                         ipseclog((LOG_DEBUG, "%s: invalid key_auth values.\n",
 3279                                 __func__));
 3280                         goto fail;
 3281                 }
 3282 
 3283                 sav->key_auth = key_dup_keymsg(key0, len, M_IPSEC_MISC);
 3284                 if (sav->key_auth == NULL ) {
 3285                         ipseclog((LOG_DEBUG, "%s: No more memory.\n",
 3286                                   __func__));
 3287                         PFKEYSTAT_INC(in_nomem);
 3288                         error = ENOBUFS;
 3289                         goto fail;
 3290                 }
 3291         }
 3292 
 3293         /* Encryption key */
 3294         if (!SADB_CHECKHDR(mhp, SADB_EXT_KEY_ENCRYPT)) {
 3295                 if (SADB_CHECKLEN(mhp, SADB_EXT_KEY_ENCRYPT)) {
 3296                         error = EINVAL;
 3297                         goto fail;
 3298                 }
 3299                 error = 0;
 3300                 key0 = (const struct sadb_key *)mhp->ext[SADB_EXT_KEY_ENCRYPT];
 3301                 len = mhp->extlen[SADB_EXT_KEY_ENCRYPT];
 3302                 switch (mhp->msg->sadb_msg_satype) {
 3303                 case SADB_SATYPE_ESP:
 3304                         if (len == PFKEY_ALIGN8(sizeof(struct sadb_key)) &&
 3305                             sav->alg_enc != SADB_EALG_NULL) {
 3306                                 error = EINVAL;
 3307                                 break;
 3308                         }
 3309                         sav->key_enc = key_dup_keymsg(key0, len, M_IPSEC_MISC);
 3310                         if (sav->key_enc == NULL) {
 3311                                 ipseclog((LOG_DEBUG, "%s: No more memory.\n",
 3312                                         __func__));
 3313                                 PFKEYSTAT_INC(in_nomem);
 3314                                 error = ENOBUFS;
 3315                                 goto fail;
 3316                         }
 3317                         break;
 3318                 case SADB_X_SATYPE_IPCOMP:
 3319                         if (len != PFKEY_ALIGN8(sizeof(struct sadb_key)))
 3320                                 error = EINVAL;
 3321                         sav->key_enc = NULL;    /*just in case*/
 3322                         break;
 3323                 case SADB_SATYPE_AH:
 3324                 case SADB_X_SATYPE_TCPSIGNATURE:
 3325                 default:
 3326                         error = EINVAL;
 3327                         break;
 3328                 }
 3329                 if (error) {
 3330                         ipseclog((LOG_DEBUG, "%s: invalid key_enc value.\n",
 3331                                 __func__));
 3332                         goto fail;
 3333                 }
 3334         }
 3335 
 3336         /* set iv */
 3337         sav->ivlen = 0;
 3338         switch (mhp->msg->sadb_msg_satype) {
 3339         case SADB_SATYPE_AH:
 3340                 if (sav->flags & SADB_X_EXT_DERIV) {
 3341                         ipseclog((LOG_DEBUG, "%s: invalid flag (derived) "
 3342                             "given to AH SA.\n", __func__));
 3343                         error = EINVAL;
 3344                         goto fail;
 3345                 }
 3346                 if (sav->alg_enc != SADB_EALG_NONE) {
 3347                         ipseclog((LOG_DEBUG, "%s: protocol and algorithm "
 3348                             "mismated.\n", __func__));
 3349                         error = EINVAL;
 3350                         goto fail;
 3351                 }
 3352                 error = xform_init(sav, XF_AH);
 3353                 break;
 3354         case SADB_SATYPE_ESP:
 3355                 if ((sav->flags & (SADB_X_EXT_OLD | SADB_X_EXT_DERIV)) ==
 3356                     (SADB_X_EXT_OLD | SADB_X_EXT_DERIV)) {
 3357                         ipseclog((LOG_DEBUG, "%s: invalid flag (derived) "
 3358                             "given to old-esp.\n", __func__));
 3359                         error = EINVAL;
 3360                         goto fail;
 3361                 }
 3362                 error = xform_init(sav, XF_ESP);
 3363                 break;
 3364         case SADB_X_SATYPE_IPCOMP:
 3365                 if (sav->alg_auth != SADB_AALG_NONE) {
 3366                         ipseclog((LOG_DEBUG, "%s: protocol and algorithm "
 3367                             "mismated.\n", __func__));
 3368                         error = EINVAL;
 3369                         goto fail;
 3370                 }
 3371                 if ((sav->flags & SADB_X_EXT_RAWCPI) == 0 &&
 3372                     ntohl(sav->spi) >= 0x10000) {
 3373                         ipseclog((LOG_DEBUG, "%s: invalid cpi for IPComp.\n",
 3374                             __func__));
 3375                         error = EINVAL;
 3376                         goto fail;
 3377                 }
 3378                 error = xform_init(sav, XF_IPCOMP);
 3379                 break;
 3380         case SADB_X_SATYPE_TCPSIGNATURE:
 3381                 if (sav->alg_enc != SADB_EALG_NONE) {
 3382                         ipseclog((LOG_DEBUG, "%s: protocol and algorithm "
 3383                             "mismated.\n", __func__));
 3384                         error = EINVAL;
 3385                         goto fail;
 3386                 }
 3387                 error = xform_init(sav, XF_TCPSIGNATURE);
 3388                 break;
 3389         default:
 3390                 ipseclog((LOG_DEBUG, "%s: Invalid satype.\n", __func__));
 3391                 error = EPROTONOSUPPORT;
 3392                 goto fail;
 3393         }
 3394         if (error) {
 3395                 ipseclog((LOG_DEBUG, "%s: unable to initialize SA type %u.\n",
 3396                     __func__, mhp->msg->sadb_msg_satype));
 3397                 goto fail;
 3398         }
 3399 
 3400         /* Handle NAT-T headers */
 3401         error = key_setnatt(sav, mhp);
 3402         if (error != 0)
 3403                 goto fail;
 3404 
 3405         /* Initialize lifetime for CURRENT */
 3406         sav->firstused = 0;
 3407         sav->created = time_second;
 3408 
 3409         /* lifetimes for HARD and SOFT */
 3410         error = key_updatelifetimes(sav, mhp);
 3411         if (error == 0)
 3412                 return (0);
 3413 fail:
 3414         key_cleansav(sav);
 3415         return (error);
 3416 }
 3417 
 3418 /*
 3419  * subroutine for SADB_GET and SADB_DUMP.
 3420  */
 3421 static struct mbuf *
 3422 key_setdumpsa(struct secasvar *sav, uint8_t type, uint8_t satype,
 3423     uint32_t seq, uint32_t pid)
 3424 {
 3425         struct seclifetime lft_c;
 3426         struct mbuf *result = NULL, *tres = NULL, *m;
 3427         int i, dumporder[] = {
 3428                 SADB_EXT_SA, SADB_X_EXT_SA2, SADB_X_EXT_SA_REPLAY,
 3429                 SADB_EXT_LIFETIME_HARD, SADB_EXT_LIFETIME_SOFT,
 3430                 SADB_EXT_LIFETIME_CURRENT, SADB_EXT_ADDRESS_SRC,
 3431                 SADB_EXT_ADDRESS_DST, SADB_EXT_ADDRESS_PROXY,
 3432                 SADB_EXT_KEY_AUTH, SADB_EXT_KEY_ENCRYPT,
 3433                 SADB_EXT_IDENTITY_SRC, SADB_EXT_IDENTITY_DST,
 3434                 SADB_EXT_SENSITIVITY,
 3435                 SADB_X_EXT_NAT_T_TYPE,
 3436                 SADB_X_EXT_NAT_T_SPORT, SADB_X_EXT_NAT_T_DPORT,
 3437                 SADB_X_EXT_NAT_T_OAI, SADB_X_EXT_NAT_T_OAR,
 3438                 SADB_X_EXT_NAT_T_FRAG,
 3439         };
 3440         uint32_t replay_count;
 3441 
 3442         m = key_setsadbmsg(type, 0, satype, seq, pid, sav->refcnt);
 3443         if (m == NULL)
 3444                 goto fail;
 3445         result = m;
 3446 
 3447         for (i = nitems(dumporder) - 1; i >= 0; i--) {
 3448                 m = NULL;
 3449                 switch (dumporder[i]) {
 3450                 case SADB_EXT_SA:
 3451                         m = key_setsadbsa(sav);
 3452                         if (!m)
 3453                                 goto fail;
 3454                         break;
 3455 
 3456                 case SADB_X_EXT_SA2:
 3457                         SECASVAR_LOCK(sav);
 3458                         replay_count = sav->replay ? sav->replay->count : 0;
 3459                         SECASVAR_UNLOCK(sav);
 3460                         m = key_setsadbxsa2(sav->sah->saidx.mode, replay_count,
 3461                                         sav->sah->saidx.reqid);
 3462                         if (!m)
 3463                                 goto fail;
 3464                         break;
 3465 
 3466                 case SADB_X_EXT_SA_REPLAY:
 3467                         if (sav->replay == NULL ||
 3468                             sav->replay->wsize <= UINT8_MAX)
 3469                                 continue;
 3470 
 3471                         m = key_setsadbxsareplay(sav->replay->wsize);
 3472                         if (!m)
 3473                                 goto fail;
 3474                         break;
 3475 
 3476                 case SADB_EXT_ADDRESS_SRC:
 3477                         m = key_setsadbaddr(SADB_EXT_ADDRESS_SRC,
 3478                             &sav->sah->saidx.src.sa,
 3479                             FULLMASK, IPSEC_ULPROTO_ANY);
 3480                         if (!m)
 3481                                 goto fail;
 3482                         break;
 3483 
 3484                 case SADB_EXT_ADDRESS_DST:
 3485                         m = key_setsadbaddr(SADB_EXT_ADDRESS_DST,
 3486                             &sav->sah->saidx.dst.sa,
 3487                             FULLMASK, IPSEC_ULPROTO_ANY);
 3488                         if (!m)
 3489                                 goto fail;
 3490                         break;
 3491 
 3492                 case SADB_EXT_KEY_AUTH:
 3493                         if (!sav->key_auth)
 3494                                 continue;
 3495                         m = key_setkey(sav->key_auth, SADB_EXT_KEY_AUTH);
 3496                         if (!m)
 3497                                 goto fail;
 3498                         break;
 3499 
 3500                 case SADB_EXT_KEY_ENCRYPT:
 3501                         if (!sav->key_enc)
 3502                                 continue;
 3503                         m = key_setkey(sav->key_enc, SADB_EXT_KEY_ENCRYPT);
 3504                         if (!m)
 3505                                 goto fail;
 3506                         break;
 3507 
 3508                 case SADB_EXT_LIFETIME_CURRENT:
 3509                         lft_c.addtime = sav->created;
 3510                         lft_c.allocations = (uint32_t)counter_u64_fetch(
 3511                             sav->lft_c_allocations);
 3512                         lft_c.bytes = counter_u64_fetch(sav->lft_c_bytes);
 3513                         lft_c.usetime = sav->firstused;
 3514                         m = key_setlifetime(&lft_c, SADB_EXT_LIFETIME_CURRENT);
 3515                         if (!m)
 3516                                 goto fail;
 3517                         break;
 3518 
 3519                 case SADB_EXT_LIFETIME_HARD:
 3520                         if (!sav->lft_h)
 3521                                 continue;
 3522                         m = key_setlifetime(sav->lft_h, 
 3523                                             SADB_EXT_LIFETIME_HARD);
 3524                         if (!m)
 3525                                 goto fail;
 3526                         break;
 3527 
 3528                 case SADB_EXT_LIFETIME_SOFT:
 3529                         if (!sav->lft_s)
 3530                                 continue;
 3531                         m = key_setlifetime(sav->lft_s, 
 3532                                             SADB_EXT_LIFETIME_SOFT);
 3533 
 3534                         if (!m)
 3535                                 goto fail;
 3536                         break;
 3537 
 3538                 case SADB_X_EXT_NAT_T_TYPE:
 3539                         if (sav->natt == NULL)
 3540                                 continue;
 3541                         m = key_setsadbxtype(UDP_ENCAP_ESPINUDP);
 3542                         if (!m)
 3543                                 goto fail;
 3544                         break;
 3545 
 3546                 case SADB_X_EXT_NAT_T_DPORT:
 3547                         if (sav->natt == NULL)
 3548                                 continue;
 3549                         m = key_setsadbxport(sav->natt->dport,
 3550                             SADB_X_EXT_NAT_T_DPORT);
 3551                         if (!m)
 3552                                 goto fail;
 3553                         break;
 3554 
 3555                 case SADB_X_EXT_NAT_T_SPORT:
 3556                         if (sav->natt == NULL)
 3557                                 continue;
 3558                         m = key_setsadbxport(sav->natt->sport,
 3559                             SADB_X_EXT_NAT_T_SPORT);
 3560                         if (!m)
 3561                                 goto fail;
 3562                         break;
 3563 
 3564                 case SADB_X_EXT_NAT_T_OAI:
 3565                         if (sav->natt == NULL ||
 3566                             (sav->natt->flags & IPSEC_NATT_F_OAI) == 0)
 3567                                 continue;
 3568                         m = key_setsadbaddr(SADB_X_EXT_NAT_T_OAI,
 3569                             &sav->natt->oai.sa, FULLMASK, IPSEC_ULPROTO_ANY);
 3570                         if (!m)
 3571                                 goto fail;
 3572                         break;
 3573                 case SADB_X_EXT_NAT_T_OAR:
 3574                         if (sav->natt == NULL ||
 3575                             (sav->natt->flags & IPSEC_NATT_F_OAR) == 0)
 3576                                 continue;
 3577                         m = key_setsadbaddr(SADB_X_EXT_NAT_T_OAR,
 3578                             &sav->natt->oar.sa, FULLMASK, IPSEC_ULPROTO_ANY);
 3579                         if (!m)
 3580                                 goto fail;
 3581                         break;
 3582                 case SADB_X_EXT_NAT_T_FRAG:
 3583                         /* We do not (yet) support those. */
 3584                         continue;
 3585 
 3586                 case SADB_EXT_ADDRESS_PROXY:
 3587                 case SADB_EXT_IDENTITY_SRC:
 3588                 case SADB_EXT_IDENTITY_DST:
 3589                         /* XXX: should we brought from SPD ? */
 3590                 case SADB_EXT_SENSITIVITY:
 3591                 default:
 3592                         continue;
 3593                 }
 3594 
 3595                 if (!m)
 3596                         goto fail;
 3597                 if (tres)
 3598                         m_cat(m, tres);
 3599                 tres = m;
 3600         }
 3601 
 3602         m_cat(result, tres);
 3603         tres = NULL;
 3604         if (result->m_len < sizeof(struct sadb_msg)) {
 3605                 result = m_pullup(result, sizeof(struct sadb_msg));
 3606                 if (result == NULL)
 3607                         goto fail;
 3608         }
 3609 
 3610         result->m_pkthdr.len = 0;
 3611         for (m = result; m; m = m->m_next)
 3612                 result->m_pkthdr.len += m->m_len;
 3613 
 3614         mtod(result, struct sadb_msg *)->sadb_msg_len =
 3615             PFKEY_UNIT64(result->m_pkthdr.len);
 3616 
 3617         return result;
 3618 
 3619 fail:
 3620         m_freem(result);
 3621         m_freem(tres);
 3622         return NULL;
 3623 }
 3624 
 3625 /*
 3626  * set data into sadb_msg.
 3627  */
 3628 static struct mbuf *
 3629 key_setsadbmsg(u_int8_t type, u_int16_t tlen, u_int8_t satype, u_int32_t seq,
 3630     pid_t pid, u_int16_t reserved)
 3631 {
 3632         struct mbuf *m;
 3633         struct sadb_msg *p;
 3634         int len;
 3635 
 3636         len = PFKEY_ALIGN8(sizeof(struct sadb_msg));
 3637         if (len > MCLBYTES)
 3638                 return NULL;
 3639         MGETHDR(m, M_NOWAIT, MT_DATA);
 3640         if (m && len > MHLEN) {
 3641                 if (!(MCLGET(m, M_NOWAIT))) {
 3642                         m_freem(m);
 3643                         m = NULL;
 3644                 }
 3645         }
 3646         if (!m)
 3647                 return NULL;
 3648         m->m_pkthdr.len = m->m_len = len;
 3649         m->m_next = NULL;
 3650 
 3651         p = mtod(m, struct sadb_msg *);
 3652 
 3653         bzero(p, len);
 3654         p->sadb_msg_version = PF_KEY_V2;
 3655         p->sadb_msg_type = type;
 3656         p->sadb_msg_errno = 0;
 3657         p->sadb_msg_satype = satype;
 3658         p->sadb_msg_len = PFKEY_UNIT64(tlen);
 3659         p->sadb_msg_reserved = reserved;
 3660         p->sadb_msg_seq = seq;
 3661         p->sadb_msg_pid = (u_int32_t)pid;
 3662 
 3663         return m;
 3664 }
 3665 
 3666 /*
 3667  * copy secasvar data into sadb_address.
 3668  */
 3669 static struct mbuf *
 3670 key_setsadbsa(struct secasvar *sav)
 3671 {
 3672         struct mbuf *m;
 3673         struct sadb_sa *p;
 3674         int len;
 3675 
 3676         len = PFKEY_ALIGN8(sizeof(struct sadb_sa));
 3677         m = m_get2(len, M_NOWAIT, MT_DATA, 0);
 3678         if (m == NULL)
 3679                 return (NULL);
 3680         m_align(m, len);
 3681         m->m_len = len;
 3682         p = mtod(m, struct sadb_sa *);
 3683         bzero(p, len);
 3684         p->sadb_sa_len = PFKEY_UNIT64(len);
 3685         p->sadb_sa_exttype = SADB_EXT_SA;
 3686         p->sadb_sa_spi = sav->spi;
 3687         p->sadb_sa_replay = sav->replay ?
 3688             (sav->replay->wsize > UINT8_MAX ? UINT8_MAX :
 3689                 sav->replay->wsize): 0;
 3690         p->sadb_sa_state = sav->state;
 3691         p->sadb_sa_auth = sav->alg_auth;
 3692         p->sadb_sa_encrypt = sav->alg_enc;
 3693         p->sadb_sa_flags = sav->flags & SADB_KEY_FLAGS_MAX;
 3694         return (m);
 3695 }
 3696 
 3697 /*
 3698  * set data into sadb_address.
 3699  */
 3700 static struct mbuf *
 3701 key_setsadbaddr(u_int16_t exttype, const struct sockaddr *saddr,
 3702     u_int8_t prefixlen, u_int16_t ul_proto)
 3703 {
 3704         struct mbuf *m;
 3705         struct sadb_address *p;
 3706         size_t len;
 3707 
 3708         len = PFKEY_ALIGN8(sizeof(struct sadb_address)) +
 3709             PFKEY_ALIGN8(saddr->sa_len);
 3710         m = m_get2(len, M_NOWAIT, MT_DATA, 0);
 3711         if (m == NULL)
 3712                 return (NULL);
 3713         m_align(m, len);
 3714         m->m_len = len;
 3715         p = mtod(m, struct sadb_address *);
 3716 
 3717         bzero(p, len);
 3718         p->sadb_address_len = PFKEY_UNIT64(len);
 3719         p->sadb_address_exttype = exttype;
 3720         p->sadb_address_proto = ul_proto;
 3721         if (prefixlen == FULLMASK) {
 3722                 switch (saddr->sa_family) {
 3723                 case AF_INET:
 3724                         prefixlen = sizeof(struct in_addr) << 3;
 3725                         break;
 3726                 case AF_INET6:
 3727                         prefixlen = sizeof(struct in6_addr) << 3;
 3728                         break;
 3729                 default:
 3730                         ; /*XXX*/
 3731                 }
 3732         }
 3733         p->sadb_address_prefixlen = prefixlen;
 3734         p->sadb_address_reserved = 0;
 3735 
 3736         bcopy(saddr,
 3737             mtod(m, caddr_t) + PFKEY_ALIGN8(sizeof(struct sadb_address)),
 3738             saddr->sa_len);
 3739 
 3740         return m;
 3741 }
 3742 
 3743 /*
 3744  * set data into sadb_x_sa2.
 3745  */
 3746 static struct mbuf *
 3747 key_setsadbxsa2(u_int8_t mode, u_int32_t seq, u_int32_t reqid)
 3748 {
 3749         struct mbuf *m;
 3750         struct sadb_x_sa2 *p;
 3751         size_t len;
 3752 
 3753         len = PFKEY_ALIGN8(sizeof(struct sadb_x_sa2));
 3754         m = m_get2(len, M_NOWAIT, MT_DATA, 0);
 3755         if (m == NULL)
 3756                 return (NULL);
 3757         m_align(m, len);
 3758         m->m_len = len;
 3759         p = mtod(m, struct sadb_x_sa2 *);
 3760 
 3761         bzero(p, len);
 3762         p->sadb_x_sa2_len = PFKEY_UNIT64(len);
 3763         p->sadb_x_sa2_exttype = SADB_X_EXT_SA2;
 3764         p->sadb_x_sa2_mode = mode;
 3765         p->sadb_x_sa2_reserved1 = 0;
 3766         p->sadb_x_sa2_reserved2 = 0;
 3767         p->sadb_x_sa2_sequence = seq;
 3768         p->sadb_x_sa2_reqid = reqid;
 3769 
 3770         return m;
 3771 }
 3772 
 3773 /*
 3774  * Set data into sadb_x_sa_replay.
 3775  */
 3776 static struct mbuf *
 3777 key_setsadbxsareplay(u_int32_t replay)
 3778 {
 3779         struct mbuf *m;
 3780         struct sadb_x_sa_replay *p;
 3781         size_t len;
 3782 
 3783         len = PFKEY_ALIGN8(sizeof(struct sadb_x_sa_replay));
 3784         m = m_get2(len, M_NOWAIT, MT_DATA, 0);
 3785         if (m == NULL)
 3786                 return (NULL);
 3787         m_align(m, len);
 3788         m->m_len = len;
 3789         p = mtod(m, struct sadb_x_sa_replay *);
 3790 
 3791         bzero(p, len);
 3792         p->sadb_x_sa_replay_len = PFKEY_UNIT64(len);
 3793         p->sadb_x_sa_replay_exttype = SADB_X_EXT_SA_REPLAY;
 3794         p->sadb_x_sa_replay_replay = (replay << 3);
 3795 
 3796         return m;
 3797 }
 3798 
 3799 /*
 3800  * Set a type in sadb_x_nat_t_type.
 3801  */
 3802 static struct mbuf *
 3803 key_setsadbxtype(u_int16_t type)
 3804 {
 3805         struct mbuf *m;
 3806         size_t len;
 3807         struct sadb_x_nat_t_type *p;
 3808 
 3809         len = PFKEY_ALIGN8(sizeof(struct sadb_x_nat_t_type));
 3810 
 3811         m = m_get2(len, M_NOWAIT, MT_DATA, 0);
 3812         if (m == NULL)
 3813                 return (NULL);
 3814         m_align(m, len);
 3815         m->m_len = len;
 3816         p = mtod(m, struct sadb_x_nat_t_type *);
 3817 
 3818         bzero(p, len);
 3819         p->sadb_x_nat_t_type_len = PFKEY_UNIT64(len);
 3820         p->sadb_x_nat_t_type_exttype = SADB_X_EXT_NAT_T_TYPE;
 3821         p->sadb_x_nat_t_type_type = type;
 3822 
 3823         return (m);
 3824 }
 3825 /*
 3826  * Set a port in sadb_x_nat_t_port.
 3827  * In contrast to default RFC 2367 behaviour, port is in network byte order.
 3828  */
 3829 static struct mbuf *
 3830 key_setsadbxport(u_int16_t port, u_int16_t type)
 3831 {
 3832         struct mbuf *m;
 3833         size_t len;
 3834         struct sadb_x_nat_t_port *p;
 3835 
 3836         len = PFKEY_ALIGN8(sizeof(struct sadb_x_nat_t_port));
 3837 
 3838         m = m_get2(len, M_NOWAIT, MT_DATA, 0);
 3839         if (m == NULL)
 3840                 return (NULL);
 3841         m_align(m, len);
 3842         m->m_len = len;
 3843         p = mtod(m, struct sadb_x_nat_t_port *);
 3844 
 3845         bzero(p, len);
 3846         p->sadb_x_nat_t_port_len = PFKEY_UNIT64(len);
 3847         p->sadb_x_nat_t_port_exttype = type;
 3848         p->sadb_x_nat_t_port_port = port;
 3849 
 3850         return (m);
 3851 }
 3852 
 3853 /*
 3854  * Get port from sockaddr. Port is in network byte order.
 3855  */
 3856 uint16_t
 3857 key_portfromsaddr(struct sockaddr *sa)
 3858 {
 3859 
 3860         switch (sa->sa_family) {
 3861 #ifdef INET
 3862         case AF_INET:
 3863                 return ((struct sockaddr_in *)sa)->sin_port;
 3864 #endif
 3865 #ifdef INET6
 3866         case AF_INET6:
 3867                 return ((struct sockaddr_in6 *)sa)->sin6_port;
 3868 #endif
 3869         }
 3870         return (0);
 3871 }
 3872 
 3873 /*
 3874  * Set port in struct sockaddr. Port is in network byte order.
 3875  */
 3876 void
 3877 key_porttosaddr(struct sockaddr *sa, uint16_t port)
 3878 {
 3879 
 3880         switch (sa->sa_family) {
 3881 #ifdef INET
 3882         case AF_INET:
 3883                 ((struct sockaddr_in *)sa)->sin_port = port;
 3884                 break;
 3885 #endif
 3886 #ifdef INET6
 3887         case AF_INET6:
 3888                 ((struct sockaddr_in6 *)sa)->sin6_port = port;
 3889                 break;
 3890 #endif
 3891         default:
 3892                 ipseclog((LOG_DEBUG, "%s: unexpected address family %d.\n",
 3893                         __func__, sa->sa_family));
 3894                 break;
 3895         }
 3896 }
 3897 
 3898 /*
 3899  * set data into sadb_x_policy
 3900  */
 3901 static struct mbuf *
 3902 key_setsadbxpolicy(u_int16_t type, u_int8_t dir, u_int32_t id, u_int32_t priority)
 3903 {
 3904         struct mbuf *m;
 3905         struct sadb_x_policy *p;
 3906         size_t len;
 3907 
 3908         len = PFKEY_ALIGN8(sizeof(struct sadb_x_policy));
 3909         m = m_get2(len, M_NOWAIT, MT_DATA, 0);
 3910         if (m == NULL)
 3911                 return (NULL);
 3912         m_align(m, len);
 3913         m->m_len = len;
 3914         p = mtod(m, struct sadb_x_policy *);
 3915 
 3916         bzero(p, len);
 3917         p->sadb_x_policy_len = PFKEY_UNIT64(len);
 3918         p->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
 3919         p->sadb_x_policy_type = type;
 3920         p->sadb_x_policy_dir = dir;
 3921         p->sadb_x_policy_id = id;
 3922         p->sadb_x_policy_priority = priority;
 3923 
 3924         return m;
 3925 }
 3926 
 3927 /* %%% utilities */
 3928 /* Take a key message (sadb_key) from the socket and turn it into one
 3929  * of the kernel's key structures (seckey).
 3930  *
 3931  * IN: pointer to the src
 3932  * OUT: NULL no more memory
 3933  */
 3934 struct seckey *
 3935 key_dup_keymsg(const struct sadb_key *src, size_t len,
 3936     struct malloc_type *type)
 3937 {
 3938         struct seckey *dst;
 3939 
 3940         dst = malloc(sizeof(*dst), type, M_NOWAIT);
 3941         if (dst != NULL) {
 3942                 dst->bits = src->sadb_key_bits;
 3943                 dst->key_data = malloc(len, type, M_NOWAIT);
 3944                 if (dst->key_data != NULL) {
 3945                         bcopy((const char *)(src + 1), dst->key_data, len);
 3946                 } else {
 3947                         ipseclog((LOG_DEBUG, "%s: No more memory.\n",
 3948                             __func__));
 3949                         free(dst, type);
 3950                         dst = NULL;
 3951                 }
 3952         } else {
 3953                 ipseclog((LOG_DEBUG, "%s: No more memory.\n",
 3954                     __func__));
 3955 
 3956         }
 3957         return (dst);
 3958 }
 3959 
 3960 /* Take a lifetime message (sadb_lifetime) passed in on a socket and
 3961  * turn it into one of the kernel's lifetime structures (seclifetime).
 3962  *
 3963  * IN: pointer to the destination, source and malloc type
 3964  * OUT: NULL, no more memory
 3965  */
 3966 
 3967 static struct seclifetime *
 3968 key_dup_lifemsg(const struct sadb_lifetime *src, struct malloc_type *type)
 3969 {
 3970         struct seclifetime *dst;
 3971 
 3972         dst = malloc(sizeof(*dst), type, M_NOWAIT);
 3973         if (dst == NULL) {
 3974                 ipseclog((LOG_DEBUG, "%s: No more memory.\n", __func__));
 3975                 return (NULL);
 3976         }
 3977         dst->allocations = src->sadb_lifetime_allocations;
 3978         dst->bytes = src->sadb_lifetime_bytes;
 3979         dst->addtime = src->sadb_lifetime_addtime;
 3980         dst->usetime = src->sadb_lifetime_usetime;
 3981         return (dst);
 3982 }
 3983 
 3984 /*
 3985  * compare two secasindex structure.
 3986  * flag can specify to compare 2 saidxes.
 3987  * compare two secasindex structure without both mode and reqid.
 3988  * don't compare port.
 3989  * IN:  
 3990  *      saidx0: source, it can be in SAD.
 3991  *      saidx1: object.
 3992  * OUT: 
 3993  *      1 : equal
 3994  *      0 : not equal
 3995  */
 3996 static int
 3997 key_cmpsaidx(const struct secasindex *saidx0, const struct secasindex *saidx1,
 3998     int flag)
 3999 {
 4000 
 4001         /* sanity */
 4002         if (saidx0 == NULL && saidx1 == NULL)
 4003                 return 1;
 4004 
 4005         if (saidx0 == NULL || saidx1 == NULL)
 4006                 return 0;
 4007 
 4008         if (saidx0->proto != saidx1->proto)
 4009                 return 0;
 4010 
 4011         if (flag == CMP_EXACTLY) {
 4012                 if (saidx0->mode != saidx1->mode)
 4013                         return 0;
 4014                 if (saidx0->reqid != saidx1->reqid)
 4015                         return 0;
 4016                 if (bcmp(&saidx0->src, &saidx1->src,
 4017                     saidx0->src.sa.sa_len) != 0 ||
 4018                     bcmp(&saidx0->dst, &saidx1->dst,
 4019                     saidx0->dst.sa.sa_len) != 0)
 4020                         return 0;
 4021         } else {
 4022 
 4023                 /* CMP_MODE_REQID, CMP_REQID, CMP_HEAD */
 4024                 if (flag == CMP_MODE_REQID || flag == CMP_REQID) {
 4025                         /*
 4026                          * If reqid of SPD is non-zero, unique SA is required.
 4027                          * The result must be of same reqid in this case.
 4028                          */
 4029                         if (saidx1->reqid != 0 &&
 4030                             saidx0->reqid != saidx1->reqid)
 4031                                 return 0;
 4032                 }
 4033 
 4034                 if (flag == CMP_MODE_REQID) {
 4035                         if (saidx0->mode != IPSEC_MODE_ANY
 4036                          && saidx0->mode != saidx1->mode)
 4037                                 return 0;
 4038                 }
 4039 
 4040                 if (key_sockaddrcmp(&saidx0->src.sa, &saidx1->src.sa, 0) != 0)
 4041                         return 0;
 4042                 if (key_sockaddrcmp(&saidx0->dst.sa, &saidx1->dst.sa, 0) != 0)
 4043                         return 0;
 4044         }
 4045 
 4046         return 1;
 4047 }
 4048 
 4049 /*
 4050  * compare two secindex structure exactly.
 4051  * IN:
 4052  *      spidx0: source, it is often in SPD.
 4053  *      spidx1: object, it is often from PFKEY message.
 4054  * OUT:
 4055  *      1 : equal
 4056  *      0 : not equal
 4057  */
 4058 static int
 4059 key_cmpspidx_exactly(struct secpolicyindex *spidx0,
 4060     struct secpolicyindex *spidx1)
 4061 {
 4062         /* sanity */
 4063         if (spidx0 == NULL && spidx1 == NULL)
 4064                 return 1;
 4065 
 4066         if (spidx0 == NULL || spidx1 == NULL)
 4067                 return 0;
 4068 
 4069         if (spidx0->prefs != spidx1->prefs
 4070          || spidx0->prefd != spidx1->prefd
 4071          || spidx0->ul_proto != spidx1->ul_proto)
 4072                 return 0;
 4073 
 4074         return key_sockaddrcmp(&spidx0->src.sa, &spidx1->src.sa, 1) == 0 &&
 4075                key_sockaddrcmp(&spidx0->dst.sa, &spidx1->dst.sa, 1) == 0;
 4076 }
 4077 
 4078 /*
 4079  * compare two secindex structure with mask.
 4080  * IN:
 4081  *      spidx0: source, it is often in SPD.
 4082  *      spidx1: object, it is often from IP header.
 4083  * OUT:
 4084  *      1 : equal
 4085  *      0 : not equal
 4086  */
 4087 static int
 4088 key_cmpspidx_withmask(struct secpolicyindex *spidx0,
 4089     struct secpolicyindex *spidx1)
 4090 {
 4091         /* sanity */
 4092         if (spidx0 == NULL && spidx1 == NULL)
 4093                 return 1;
 4094 
 4095         if (spidx0 == NULL || spidx1 == NULL)
 4096                 return 0;
 4097 
 4098         if (spidx0->src.sa.sa_family != spidx1->src.sa.sa_family ||
 4099             spidx0->dst.sa.sa_family != spidx1->dst.sa.sa_family ||
 4100             spidx0->src.sa.sa_len != spidx1->src.sa.sa_len ||
 4101             spidx0->dst.sa.sa_len != spidx1->dst.sa.sa_len)
 4102                 return 0;
 4103 
 4104         /* if spidx.ul_proto == IPSEC_ULPROTO_ANY, ignore. */
 4105         if (spidx0->ul_proto != (u_int16_t)IPSEC_ULPROTO_ANY
 4106          && spidx0->ul_proto != spidx1->ul_proto)
 4107                 return 0;
 4108 
 4109         switch (spidx0->src.sa.sa_family) {
 4110         case AF_INET:
 4111                 if (spidx0->src.sin.sin_port != IPSEC_PORT_ANY
 4112                  && spidx0->src.sin.sin_port != spidx1->src.sin.sin_port)
 4113                         return 0;
 4114                 if (!key_bbcmp(&spidx0->src.sin.sin_addr,
 4115                     &spidx1->src.sin.sin_addr, spidx0->prefs))
 4116                         return 0;
 4117                 break;
 4118         case AF_INET6:
 4119                 if (spidx0->src.sin6.sin6_port != IPSEC_PORT_ANY
 4120                  && spidx0->src.sin6.sin6_port != spidx1->src.sin6.sin6_port)
 4121                         return 0;
 4122                 /*
 4123                  * scope_id check. if sin6_scope_id is 0, we regard it
 4124                  * as a wildcard scope, which matches any scope zone ID. 
 4125                  */
 4126                 if (spidx0->src.sin6.sin6_scope_id &&
 4127                     spidx1->src.sin6.sin6_scope_id &&
 4128                     spidx0->src.sin6.sin6_scope_id != spidx1->src.sin6.sin6_scope_id)
 4129                         return 0;
 4130                 if (!key_bbcmp(&spidx0->src.sin6.sin6_addr,
 4131                     &spidx1->src.sin6.sin6_addr, spidx0->prefs))
 4132                         return 0;
 4133                 break;
 4134         default:
 4135                 /* XXX */
 4136                 if (bcmp(&spidx0->src, &spidx1->src, spidx0->src.sa.sa_len) != 0)
 4137                         return 0;
 4138                 break;
 4139         }
 4140 
 4141         switch (spidx0->dst.sa.sa_family) {
 4142         case AF_INET:
 4143                 if (spidx0->dst.sin.sin_port != IPSEC_PORT_ANY
 4144                  && spidx0->dst.sin.sin_port != spidx1->dst.sin.sin_port)
 4145                         return 0;
 4146                 if (!key_bbcmp(&spidx0->dst.sin.sin_addr,
 4147                     &spidx1->dst.sin.sin_addr, spidx0->prefd))
 4148                         return 0;
 4149                 break;
 4150         case AF_INET6:
 4151                 if (spidx0->dst.sin6.sin6_port != IPSEC_PORT_ANY
 4152                  && spidx0->dst.sin6.sin6_port != spidx1->dst.sin6.sin6_port)
 4153                         return 0;
 4154                 /*
 4155                  * scope_id check. if sin6_scope_id is 0, we regard it
 4156                  * as a wildcard scope, which matches any scope zone ID. 
 4157                  */
 4158                 if (spidx0->dst.sin6.sin6_scope_id &&
 4159                     spidx1->dst.sin6.sin6_scope_id &&
 4160                     spidx0->dst.sin6.sin6_scope_id != spidx1->dst.sin6.sin6_scope_id)
 4161                         return 0;
 4162                 if (!key_bbcmp(&spidx0->dst.sin6.sin6_addr,
 4163                     &spidx1->dst.sin6.sin6_addr, spidx0->prefd))
 4164                         return 0;
 4165                 break;
 4166         default:
 4167                 /* XXX */
 4168                 if (bcmp(&spidx0->dst, &spidx1->dst, spidx0->dst.sa.sa_len) != 0)
 4169                         return 0;
 4170                 break;
 4171         }
 4172 
 4173         /* XXX Do we check other field ?  e.g. flowinfo */
 4174 
 4175         return 1;
 4176 }
 4177 
 4178 #ifdef satosin
 4179 #undef satosin
 4180 #endif
 4181 #define satosin(s) ((const struct sockaddr_in *)s)
 4182 #ifdef satosin6
 4183 #undef satosin6
 4184 #endif
 4185 #define satosin6(s) ((const struct sockaddr_in6 *)s)
 4186 /* returns 0 on match */
 4187 int
 4188 key_sockaddrcmp(const struct sockaddr *sa1, const struct sockaddr *sa2,
 4189     int port)
 4190 {
 4191         if (sa1->sa_family != sa2->sa_family || sa1->sa_len != sa2->sa_len)
 4192                 return 1;
 4193 
 4194         switch (sa1->sa_family) {
 4195 #ifdef INET
 4196         case AF_INET:
 4197                 if (sa1->sa_len != sizeof(struct sockaddr_in))
 4198                         return 1;
 4199                 if (satosin(sa1)->sin_addr.s_addr !=
 4200                     satosin(sa2)->sin_addr.s_addr) {
 4201                         return 1;
 4202                 }
 4203                 if (port && satosin(sa1)->sin_port != satosin(sa2)->sin_port)
 4204                         return 1;
 4205                 break;
 4206 #endif
 4207 #ifdef INET6
 4208         case AF_INET6:
 4209                 if (sa1->sa_len != sizeof(struct sockaddr_in6))
 4210                         return 1;       /*EINVAL*/
 4211                 if (satosin6(sa1)->sin6_scope_id !=
 4212                     satosin6(sa2)->sin6_scope_id) {
 4213                         return 1;
 4214                 }
 4215                 if (!IN6_ARE_ADDR_EQUAL(&satosin6(sa1)->sin6_addr,
 4216                     &satosin6(sa2)->sin6_addr)) {
 4217                         return 1;
 4218                 }
 4219                 if (port &&
 4220                     satosin6(sa1)->sin6_port != satosin6(sa2)->sin6_port) {
 4221                         return 1;
 4222                 }
 4223                 break;
 4224 #endif
 4225         default:
 4226                 if (bcmp(sa1, sa2, sa1->sa_len) != 0)
 4227                         return 1;
 4228                 break;
 4229         }
 4230 
 4231         return 0;
 4232 }
 4233 
 4234 /* returns 0 on match */
 4235 int
 4236 key_sockaddrcmp_withmask(const struct sockaddr *sa1,
 4237     const struct sockaddr *sa2, size_t mask)
 4238 {
 4239         if (sa1->sa_family != sa2->sa_family || sa1->sa_len != sa2->sa_len)
 4240                 return (1);
 4241 
 4242         switch (sa1->sa_family) {
 4243 #ifdef INET
 4244         case AF_INET:
 4245                 return (!key_bbcmp(&satosin(sa1)->sin_addr,
 4246                     &satosin(sa2)->sin_addr, mask));
 4247 #endif
 4248 #ifdef INET6
 4249         case AF_INET6:
 4250                 if (satosin6(sa1)->sin6_scope_id !=
 4251                     satosin6(sa2)->sin6_scope_id)
 4252                         return (1);
 4253                 return (!key_bbcmp(&satosin6(sa1)->sin6_addr,
 4254                     &satosin6(sa2)->sin6_addr, mask));
 4255 #endif
 4256         }
 4257         return (1);
 4258 }
 4259 #undef satosin
 4260 #undef satosin6
 4261 
 4262 /*
 4263  * compare two buffers with mask.
 4264  * IN:
 4265  *      addr1: source
 4266  *      addr2: object
 4267  *      bits:  Number of bits to compare
 4268  * OUT:
 4269  *      1 : equal
 4270  *      0 : not equal
 4271  */
 4272 static int
 4273 key_bbcmp(const void *a1, const void *a2, u_int bits)
 4274 {
 4275         const unsigned char *p1 = a1;
 4276         const unsigned char *p2 = a2;
 4277 
 4278         /* XXX: This could be considerably faster if we compare a word
 4279          * at a time, but it is complicated on LSB Endian machines */
 4280 
 4281         /* Handle null pointers */
 4282         if (p1 == NULL || p2 == NULL)
 4283                 return (p1 == p2);
 4284 
 4285         while (bits >= 8) {
 4286                 if (*p1++ != *p2++)
 4287                         return 0;
 4288                 bits -= 8;
 4289         }
 4290 
 4291         if (bits > 0) {
 4292                 u_int8_t mask = ~((1<<(8-bits))-1);
 4293                 if ((*p1 & mask) != (*p2 & mask))
 4294                         return 0;
 4295         }
 4296         return 1;       /* Match! */
 4297 }
 4298 
 4299 static void
 4300 key_flush_spd(time_t now)
 4301 {
 4302         SPTREE_RLOCK_TRACKER;
 4303         struct secpolicy_list drainq;
 4304         struct secpolicy *sp, *nextsp;
 4305         u_int dir;
 4306 
 4307         LIST_INIT(&drainq);
 4308         SPTREE_RLOCK();
 4309         for (dir = 0; dir < IPSEC_DIR_MAX; dir++) {
 4310                 TAILQ_FOREACH(sp, &V_sptree[dir], chain) {
 4311                         if (sp->lifetime == 0 && sp->validtime == 0)
 4312                                 continue;
 4313                         if ((sp->lifetime &&
 4314                             now - sp->created > sp->lifetime) ||
 4315                             (sp->validtime &&
 4316                             now - sp->lastused > sp->validtime)) {
 4317                                 /* Hold extra reference to send SPDEXPIRE */
 4318                                 SP_ADDREF(sp);
 4319                                 LIST_INSERT_HEAD(&drainq, sp, drainq);
 4320                         }
 4321                 }
 4322         }
 4323         SPTREE_RUNLOCK();
 4324         if (LIST_EMPTY(&drainq))
 4325                 return;
 4326 
 4327         SPTREE_WLOCK();
 4328         sp = LIST_FIRST(&drainq);
 4329         while (sp != NULL) {
 4330                 nextsp = LIST_NEXT(sp, drainq);
 4331                 /* Check that SP is still linked */
 4332                 if (sp->state != IPSEC_SPSTATE_ALIVE) {
 4333                         LIST_REMOVE(sp, drainq);
 4334                         key_freesp(&sp); /* release extra reference */
 4335                         sp = nextsp;
 4336                         continue;
 4337                 }
 4338                 TAILQ_REMOVE(&V_sptree[sp->spidx.dir], sp, chain);
 4339                 LIST_REMOVE(sp, idhash);
 4340                 sp->state = IPSEC_SPSTATE_DEAD;
 4341                 sp = nextsp;
 4342         }
 4343         V_sp_genid++;
 4344         SPTREE_WUNLOCK();
 4345 
 4346         sp = LIST_FIRST(&drainq);
 4347         while (sp != NULL) {
 4348                 nextsp = LIST_NEXT(sp, drainq);
 4349                 key_spdexpire(sp);
 4350                 key_freesp(&sp); /* release extra reference */
 4351                 key_freesp(&sp); /* release last reference */
 4352                 sp = nextsp;
 4353         }
 4354 }
 4355 
 4356 static void
 4357 key_flush_sad(time_t now)
 4358 {
 4359         SAHTREE_RLOCK_TRACKER;
 4360         struct secashead_list emptyq;
 4361         struct secasvar_list drainq, hexpireq, sexpireq, freeq;
 4362         struct secashead *sah, *nextsah;
 4363         struct secasvar *sav, *nextsav;
 4364 
 4365         LIST_INIT(&drainq);
 4366         LIST_INIT(&hexpireq);
 4367         LIST_INIT(&sexpireq);
 4368         LIST_INIT(&emptyq);
 4369 
 4370         SAHTREE_RLOCK();
 4371         TAILQ_FOREACH(sah, &V_sahtree, chain) {
 4372                 /* Check for empty SAH */
 4373                 if (TAILQ_EMPTY(&sah->savtree_larval) &&
 4374                     TAILQ_EMPTY(&sah->savtree_alive)) {
 4375                         SAH_ADDREF(sah);
 4376                         LIST_INSERT_HEAD(&emptyq, sah, drainq);
 4377                         continue;
 4378                 }
 4379                 /* Add all stale LARVAL SAs into drainq */
 4380                 TAILQ_FOREACH(sav, &sah->savtree_larval, chain) {
 4381                         if (now - sav->created < V_key_larval_lifetime)
 4382                                 continue;
 4383                         SAV_ADDREF(sav);
 4384                         LIST_INSERT_HEAD(&drainq, sav, drainq);
 4385                 }
 4386                 TAILQ_FOREACH(sav, &sah->savtree_alive, chain) {
 4387                         /* lifetimes aren't specified */
 4388                         if (sav->lft_h == NULL)
 4389                                 continue;
 4390                         SECASVAR_LOCK(sav);
 4391                         /*
 4392                          * Check again with lock held, because it may
 4393                          * be updated by SADB_UPDATE.
 4394                          */
 4395                         if (sav->lft_h == NULL) {
 4396                                 SECASVAR_UNLOCK(sav);
 4397                                 continue;
 4398                         }
 4399                         /*
 4400                          * RFC 2367:
 4401                          * HARD lifetimes MUST take precedence over SOFT
 4402                          * lifetimes, meaning if the HARD and SOFT lifetimes
 4403                          * are the same, the HARD lifetime will appear on the
 4404                          * EXPIRE message.
 4405                          */
 4406                         /* check HARD lifetime */
 4407                         if ((sav->lft_h->addtime != 0 &&
 4408                             now - sav->created > sav->lft_h->addtime) ||
 4409                             (sav->lft_h->usetime != 0 && sav->firstused &&
 4410                             now - sav->firstused > sav->lft_h->usetime) ||
 4411                             (sav->lft_h->bytes != 0 && counter_u64_fetch(
 4412                                 sav->lft_c_bytes) > sav->lft_h->bytes)) {
 4413                                 SECASVAR_UNLOCK(sav);
 4414                                 SAV_ADDREF(sav);
 4415                                 LIST_INSERT_HEAD(&hexpireq, sav, drainq);
 4416                                 continue;
 4417                         }
 4418                         /* check SOFT lifetime (only for MATURE SAs) */
 4419                         if (sav->state == SADB_SASTATE_MATURE && (
 4420                             (sav->lft_s->addtime != 0 &&
 4421                             now - sav->created > sav->lft_s->addtime) ||
 4422                             (sav->lft_s->usetime != 0 && sav->firstused &&
 4423                             now - sav->firstused > sav->lft_s->usetime) ||
 4424                             (sav->lft_s->bytes != 0 && counter_u64_fetch(
 4425                                 sav->lft_c_bytes) > sav->lft_s->bytes))) {
 4426                                 SECASVAR_UNLOCK(sav);
 4427                                 SAV_ADDREF(sav);
 4428                                 LIST_INSERT_HEAD(&sexpireq, sav, drainq);
 4429                                 continue;
 4430                         }
 4431                         SECASVAR_UNLOCK(sav);
 4432                 }
 4433         }
 4434         SAHTREE_RUNLOCK();
 4435 
 4436         if (LIST_EMPTY(&emptyq) && LIST_EMPTY(&drainq) &&
 4437             LIST_EMPTY(&hexpireq) && LIST_EMPTY(&sexpireq))
 4438                 return;
 4439 
 4440         LIST_INIT(&freeq);
 4441         SAHTREE_WLOCK();
 4442         /* Unlink stale LARVAL SAs */
 4443         sav = LIST_FIRST(&drainq);
 4444         while (sav != NULL) {
 4445                 nextsav = LIST_NEXT(sav, drainq);
 4446                 /* Check that SA is still LARVAL */
 4447                 if (sav->state != SADB_SASTATE_LARVAL) {
 4448                         LIST_REMOVE(sav, drainq);
 4449                         LIST_INSERT_HEAD(&freeq, sav, drainq);
 4450                         sav = nextsav;
 4451                         continue;
 4452                 }
 4453                 TAILQ_REMOVE(&sav->sah->savtree_larval, sav, chain);
 4454                 LIST_REMOVE(sav, spihash);
 4455                 sav->state = SADB_SASTATE_DEAD;
 4456                 sav = nextsav;
 4457         }
 4458         /* Unlink all SAs with expired HARD lifetime */
 4459         sav = LIST_FIRST(&hexpireq);
 4460         while (sav != NULL) {
 4461                 nextsav = LIST_NEXT(sav, drainq);
 4462                 /* Check that SA is not unlinked */
 4463                 if (sav->state == SADB_SASTATE_DEAD) {
 4464                         LIST_REMOVE(sav, drainq);
 4465                         LIST_INSERT_HEAD(&freeq, sav, drainq);
 4466                         sav = nextsav;
 4467                         continue;
 4468                 }
 4469                 TAILQ_REMOVE(&sav->sah->savtree_alive, sav, chain);
 4470                 LIST_REMOVE(sav, spihash);
 4471                 sav->state = SADB_SASTATE_DEAD;
 4472                 sav = nextsav;
 4473         }
 4474         /* Mark all SAs with expired SOFT lifetime as DYING */
 4475         sav = LIST_FIRST(&sexpireq);
 4476         while (sav != NULL) {
 4477                 nextsav = LIST_NEXT(sav, drainq);
 4478                 /* Check that SA is not unlinked */
 4479                 if (sav->state == SADB_SASTATE_DEAD) {
 4480                         LIST_REMOVE(sav, drainq);
 4481                         LIST_INSERT_HEAD(&freeq, sav, drainq);
 4482                         sav = nextsav;
 4483                         continue;
 4484                 }
 4485                 /*
 4486                  * NOTE: this doesn't change SA order in the chain.
 4487                  */
 4488                 sav->state = SADB_SASTATE_DYING;
 4489                 sav = nextsav;
 4490         }
 4491         /* Unlink empty SAHs */
 4492         sah = LIST_FIRST(&emptyq);
 4493         while (sah != NULL) {
 4494                 nextsah = LIST_NEXT(sah, drainq);
 4495                 /* Check that SAH is still empty and not unlinked */
 4496                 if (sah->state == SADB_SASTATE_DEAD ||
 4497                     !TAILQ_EMPTY(&sah->savtree_larval) ||
 4498                     !TAILQ_EMPTY(&sah->savtree_alive)) {
 4499                         LIST_REMOVE(sah, drainq);
 4500                         key_freesah(&sah); /* release extra reference */
 4501                         sah = nextsah;
 4502                         continue;
 4503                 }
 4504                 TAILQ_REMOVE(&V_sahtree, sah, chain);
 4505                 LIST_REMOVE(sah, addrhash);
 4506                 sah->state = SADB_SASTATE_DEAD;
 4507                 sah = nextsah;
 4508         }
 4509         SAHTREE_WUNLOCK();
 4510 
 4511         /* Send SPDEXPIRE messages */
 4512         sav = LIST_FIRST(&hexpireq);
 4513         while (sav != NULL) {
 4514                 nextsav = LIST_NEXT(sav, drainq);
 4515                 key_expire(sav, 1);
 4516                 key_freesah(&sav->sah); /* release reference from SAV */
 4517                 key_freesav(&sav); /* release extra reference */
 4518                 key_freesav(&sav); /* release last reference */
 4519                 sav = nextsav;
 4520         }
 4521         sav = LIST_FIRST(&sexpireq);
 4522         while (sav != NULL) {
 4523                 nextsav = LIST_NEXT(sav, drainq);
 4524                 key_expire(sav, 0);
 4525                 key_freesav(&sav); /* release extra reference */
 4526                 sav = nextsav;
 4527         }
 4528         /* Free stale LARVAL SAs */
 4529         sav = LIST_FIRST(&drainq);
 4530         while (sav != NULL) {
 4531                 nextsav = LIST_NEXT(sav, drainq);
 4532                 key_freesah(&sav->sah); /* release reference from SAV */
 4533                 key_freesav(&sav); /* release extra reference */
 4534                 key_freesav(&sav); /* release last reference */
 4535                 sav = nextsav;
 4536         }
 4537         /* Free SAs that were unlinked/changed by someone else */
 4538         sav = LIST_FIRST(&freeq);
 4539         while (sav != NULL) {
 4540                 nextsav = LIST_NEXT(sav, drainq);
 4541                 key_freesav(&sav); /* release extra reference */
 4542                 sav = nextsav;
 4543         }
 4544         /* Free empty SAH */
 4545         sah = LIST_FIRST(&emptyq);
 4546         while (sah != NULL) {
 4547                 nextsah = LIST_NEXT(sah, drainq);
 4548                 key_freesah(&sah); /* release extra reference */
 4549                 key_freesah(&sah); /* release last reference */
 4550                 sah = nextsah;
 4551         }
 4552 }
 4553 
 4554 static void
 4555 key_flush_acq(time_t now)
 4556 {
 4557         struct secacq *acq, *nextacq;
 4558 
 4559         /* ACQ tree */
 4560         ACQ_LOCK();
 4561         acq = LIST_FIRST(&V_acqtree);
 4562         while (acq != NULL) {
 4563                 nextacq = LIST_NEXT(acq, chain);
 4564                 if (now - acq->created > V_key_blockacq_lifetime) {
 4565                         LIST_REMOVE(acq, chain);
 4566                         LIST_REMOVE(acq, addrhash);
 4567                         LIST_REMOVE(acq, seqhash);
 4568                         free(acq, M_IPSEC_SAQ);
 4569                 }
 4570                 acq = nextacq;
 4571         }
 4572         ACQ_UNLOCK();
 4573 }
 4574 
 4575 static void
 4576 key_flush_spacq(time_t now)
 4577 {
 4578         struct secspacq *acq, *nextacq;
 4579 
 4580         /* SP ACQ tree */
 4581         SPACQ_LOCK();
 4582         for (acq = LIST_FIRST(&V_spacqtree); acq != NULL; acq = nextacq) {
 4583                 nextacq = LIST_NEXT(acq, chain);
 4584                 if (now - acq->created > V_key_blockacq_lifetime
 4585                  && __LIST_CHAINED(acq)) {
 4586                         LIST_REMOVE(acq, chain);
 4587                         free(acq, M_IPSEC_SAQ);
 4588                 }
 4589         }
 4590         SPACQ_UNLOCK();
 4591 }
 4592 
 4593 /*
 4594  * time handler.
 4595  * scanning SPD and SAD to check status for each entries,
 4596  * and do to remove or to expire.
 4597  * XXX: year 2038 problem may remain.
 4598  */
 4599 static void
 4600 key_timehandler(void *arg)
 4601 {
 4602         VNET_ITERATOR_DECL(vnet_iter);
 4603         time_t now = time_second;
 4604 
 4605         VNET_LIST_RLOCK_NOSLEEP();
 4606         VNET_FOREACH(vnet_iter) {
 4607                 CURVNET_SET(vnet_iter);
 4608                 key_flush_spd(now);
 4609                 key_flush_sad(now);
 4610                 key_flush_acq(now);
 4611                 key_flush_spacq(now);
 4612                 CURVNET_RESTORE();
 4613         }
 4614         VNET_LIST_RUNLOCK_NOSLEEP();
 4615 
 4616 #ifndef IPSEC_DEBUG2
 4617         /* do exchange to tick time !! */
 4618         callout_schedule(&key_timer, hz);
 4619 #endif /* IPSEC_DEBUG2 */
 4620 }
 4621 
 4622 u_long
 4623 key_random()
 4624 {
 4625         u_long value;
 4626 
 4627         key_randomfill(&value, sizeof(value));
 4628         return value;
 4629 }
 4630 
 4631 void
 4632 key_randomfill(void *p, size_t l)
 4633 {
 4634         size_t n;
 4635         u_long v;
 4636         static int warn = 1;
 4637 
 4638         n = 0;
 4639         n = (size_t)read_random(p, (u_int)l);
 4640         /* last resort */
 4641         while (n < l) {
 4642                 v = random();
 4643                 bcopy(&v, (u_int8_t *)p + n,
 4644                     l - n < sizeof(v) ? l - n : sizeof(v));
 4645                 n += sizeof(v);
 4646 
 4647                 if (warn) {
 4648                         printf("WARNING: pseudo-random number generator "
 4649                             "used for IPsec processing\n");
 4650                         warn = 0;
 4651                 }
 4652         }
 4653 }
 4654 
 4655 /*
 4656  * map SADB_SATYPE_* to IPPROTO_*.
 4657  * if satype == SADB_SATYPE then satype is mapped to ~0.
 4658  * OUT:
 4659  *      0: invalid satype.
 4660  */
 4661 static uint8_t
 4662 key_satype2proto(uint8_t satype)
 4663 {
 4664         switch (satype) {
 4665         case SADB_SATYPE_UNSPEC:
 4666                 return IPSEC_PROTO_ANY;
 4667         case SADB_SATYPE_AH:
 4668                 return IPPROTO_AH;
 4669         case SADB_SATYPE_ESP:
 4670                 return IPPROTO_ESP;
 4671         case SADB_X_SATYPE_IPCOMP:
 4672                 return IPPROTO_IPCOMP;
 4673         case SADB_X_SATYPE_TCPSIGNATURE:
 4674                 return IPPROTO_TCP;
 4675         default:
 4676                 return 0;
 4677         }
 4678         /* NOTREACHED */
 4679 }
 4680 
 4681 /*
 4682  * map IPPROTO_* to SADB_SATYPE_*
 4683  * OUT:
 4684  *      0: invalid protocol type.
 4685  */
 4686 static uint8_t
 4687 key_proto2satype(uint8_t proto)
 4688 {
 4689         switch (proto) {
 4690         case IPPROTO_AH:
 4691                 return SADB_SATYPE_AH;
 4692         case IPPROTO_ESP:
 4693                 return SADB_SATYPE_ESP;
 4694         case IPPROTO_IPCOMP:
 4695                 return SADB_X_SATYPE_IPCOMP;
 4696         case IPPROTO_TCP:
 4697                 return SADB_X_SATYPE_TCPSIGNATURE;
 4698         default:
 4699                 return 0;
 4700         }
 4701         /* NOTREACHED */
 4702 }
 4703 
 4704 /* %%% PF_KEY */
 4705 /*
 4706  * SADB_GETSPI processing is to receive
 4707  *      <base, (SA2), src address, dst address, (SPI range)>
 4708  * from the IKMPd, to assign a unique spi value, to hang on the INBOUND
 4709  * tree with the status of LARVAL, and send
 4710  *      <base, SA(*), address(SD)>
 4711  * to the IKMPd.
 4712  *
 4713  * IN:  mhp: pointer to the pointer to each header.
 4714  * OUT: NULL if fail.
 4715  *      other if success, return pointer to the message to send.
 4716  */
 4717 static int
 4718 key_getspi(struct socket *so, struct mbuf *m, const struct sadb_msghdr *mhp)
 4719 {
 4720         struct secasindex saidx;
 4721         struct sadb_address *src0, *dst0;
 4722         struct secasvar *sav;
 4723         uint32_t reqid, spi;
 4724         int error;
 4725         uint8_t mode, proto;
 4726 
 4727         IPSEC_ASSERT(so != NULL, ("null socket"));
 4728         IPSEC_ASSERT(m != NULL, ("null mbuf"));
 4729         IPSEC_ASSERT(mhp != NULL, ("null msghdr"));
 4730         IPSEC_ASSERT(mhp->msg != NULL, ("null msg"));
 4731 
 4732         if (SADB_CHECKHDR(mhp, SADB_EXT_ADDRESS_SRC) ||
 4733             SADB_CHECKHDR(mhp, SADB_EXT_ADDRESS_DST)
 4734 #ifdef PFKEY_STRICT_CHECKS
 4735             || SADB_CHECKHDR(mhp, SADB_EXT_SPIRANGE)
 4736 #endif
 4737             ) {
 4738                 ipseclog((LOG_DEBUG,
 4739                     "%s: invalid message: missing required header.\n",
 4740                     __func__));
 4741                 error = EINVAL;
 4742                 goto fail;
 4743         }
 4744         if (SADB_CHECKLEN(mhp, SADB_EXT_ADDRESS_SRC) ||
 4745             SADB_CHECKLEN(mhp, SADB_EXT_ADDRESS_DST)
 4746 #ifdef PFKEY_STRICT_CHECKS
 4747             || SADB_CHECKLEN(mhp, SADB_EXT_SPIRANGE)
 4748 #endif
 4749             ) {
 4750                 ipseclog((LOG_DEBUG,
 4751                     "%s: invalid message: wrong header size.\n", __func__));
 4752                 error = EINVAL;
 4753                 goto fail;
 4754         }
 4755         if (SADB_CHECKHDR(mhp, SADB_X_EXT_SA2)) {
 4756                 mode = IPSEC_MODE_ANY;
 4757                 reqid = 0;
 4758         } else {
 4759                 if (SADB_CHECKLEN(mhp, SADB_X_EXT_SA2)) {
 4760                         ipseclog((LOG_DEBUG,
 4761                             "%s: invalid message: wrong header size.\n",
 4762                             __func__));
 4763                         error = EINVAL;
 4764                         goto fail;
 4765                 }
 4766                 mode = ((struct sadb_x_sa2 *)
 4767                     mhp->ext[SADB_X_EXT_SA2])->sadb_x_sa2_mode;
 4768                 reqid = ((struct sadb_x_sa2 *)
 4769                     mhp->ext[SADB_X_EXT_SA2])->sadb_x_sa2_reqid;
 4770         }
 4771 
 4772         src0 = (struct sadb_address *)(mhp->ext[SADB_EXT_ADDRESS_SRC]);
 4773         dst0 = (struct sadb_address *)(mhp->ext[SADB_EXT_ADDRESS_DST]);
 4774 
 4775         /* map satype to proto */
 4776         if ((proto = key_satype2proto(mhp->msg->sadb_msg_satype)) == 0) {
 4777                 ipseclog((LOG_DEBUG, "%s: invalid satype is passed.\n",
 4778                         __func__));
 4779                 error = EINVAL;
 4780                 goto fail;
 4781         }
 4782         error = key_checksockaddrs((struct sockaddr *)(src0 + 1),
 4783             (struct sockaddr *)(dst0 + 1));
 4784         if (error != 0) {
 4785                 ipseclog((LOG_DEBUG, "%s: invalid sockaddr.\n", __func__));
 4786                 error = EINVAL;
 4787                 goto fail;
 4788         }
 4789         KEY_SETSECASIDX(proto, mode, reqid, src0 + 1, dst0 + 1, &saidx);
 4790 
 4791         /* SPI allocation */
 4792         spi = key_do_getnewspi(
 4793             (struct sadb_spirange *)mhp->ext[SADB_EXT_SPIRANGE], &saidx);
 4794         if (spi == 0) {
 4795                 /*
 4796                  * Requested SPI or SPI range is not available or
 4797                  * already used.
 4798                  */
 4799                 error = EEXIST;
 4800                 goto fail;
 4801         }
 4802         sav = key_newsav(mhp, &saidx, spi, &error);
 4803         if (sav == NULL)
 4804                 goto fail;
 4805 
 4806         if (sav->seq != 0) {
 4807                 /*
 4808                  * RFC2367:
 4809                  * If the SADB_GETSPI message is in response to a
 4810                  * kernel-generated SADB_ACQUIRE, the sadb_msg_seq
 4811                  * MUST be the same as the SADB_ACQUIRE message.
 4812                  *
 4813                  * XXXAE: However it doesn't definethe behaviour how to
 4814                  * check this and what to do if it doesn't match.
 4815                  * Also what we should do if it matches?
 4816                  *
 4817                  * We can compare saidx used in SADB_ACQUIRE with saidx
 4818                  * used in SADB_GETSPI, but this probably can break
 4819                  * existing software. For now just warn if it doesn't match.
 4820                  *
 4821                  * XXXAE: anyway it looks useless.
 4822                  */
 4823                 key_acqdone(&saidx, sav->seq);
 4824         }
 4825         KEYDBG(KEY_STAMP,
 4826             printf("%s: SA(%p)\n", __func__, sav));
 4827         KEYDBG(KEY_DATA, kdebug_secasv(sav));
 4828 
 4829     {
 4830         struct mbuf *n, *nn;
 4831         struct sadb_sa *m_sa;
 4832         struct sadb_msg *newmsg;
 4833         int off, len;
 4834 
 4835         /* create new sadb_msg to reply. */
 4836         len = PFKEY_ALIGN8(sizeof(struct sadb_msg)) +
 4837             PFKEY_ALIGN8(sizeof(struct sadb_sa));
 4838 
 4839         MGETHDR(n, M_NOWAIT, MT_DATA);
 4840         if (len > MHLEN) {
 4841                 if (!(MCLGET(n, M_NOWAIT))) {
 4842                         m_freem(n);
 4843                         n = NULL;
 4844                 }
 4845         }
 4846         if (!n) {
 4847                 error = ENOBUFS;
 4848                 goto fail;
 4849         }
 4850 
 4851         n->m_len = len;
 4852         n->m_next = NULL;
 4853         off = 0;
 4854 
 4855         m_copydata(m, 0, sizeof(struct sadb_msg), mtod(n, caddr_t) + off);
 4856         off += PFKEY_ALIGN8(sizeof(struct sadb_msg));
 4857 
 4858         m_sa = (struct sadb_sa *)(mtod(n, caddr_t) + off);
 4859         m_sa->sadb_sa_len = PFKEY_UNIT64(sizeof(struct sadb_sa));
 4860         m_sa->sadb_sa_exttype = SADB_EXT_SA;
 4861         m_sa->sadb_sa_spi = spi; /* SPI is already in network byte order */
 4862         off += PFKEY_ALIGN8(sizeof(struct sadb_sa));
 4863 
 4864         IPSEC_ASSERT(off == len,
 4865                 ("length inconsistency (off %u len %u)", off, len));
 4866 
 4867         n->m_next = key_gather_mbuf(m, mhp, 0, 2, SADB_EXT_ADDRESS_SRC,
 4868             SADB_EXT_ADDRESS_DST);
 4869         if (!n->m_next) {
 4870                 m_freem(n);
 4871                 error = ENOBUFS;
 4872                 goto fail;
 4873         }
 4874 
 4875         if (n->m_len < sizeof(struct sadb_msg)) {
 4876                 n = m_pullup(n, sizeof(struct sadb_msg));
 4877                 if (n == NULL)
 4878                         return key_sendup_mbuf(so, m, KEY_SENDUP_ONE);
 4879         }
 4880 
 4881         n->m_pkthdr.len = 0;
 4882         for (nn = n; nn; nn = nn->m_next)
 4883                 n->m_pkthdr.len += nn->m_len;
 4884 
 4885         newmsg = mtod(n, struct sadb_msg *);
 4886         newmsg->sadb_msg_seq = sav->seq;
 4887         newmsg->sadb_msg_errno = 0;
 4888         newmsg->sadb_msg_len = PFKEY_UNIT64(n->m_pkthdr.len);
 4889 
 4890         m_freem(m);
 4891         return key_sendup_mbuf(so, n, KEY_SENDUP_ONE);
 4892     }
 4893 
 4894 fail:
 4895         return (key_senderror(so, m, error));
 4896 }
 4897 
 4898 /*
 4899  * allocating new SPI
 4900  * called by key_getspi().
 4901  * OUT:
 4902  *      0:      failure.
 4903  *      others: success, SPI in network byte order.
 4904  */
 4905 static uint32_t
 4906 key_do_getnewspi(struct sadb_spirange *spirange, struct secasindex *saidx)
 4907 {
 4908         uint32_t min, max, newspi, t;
 4909         int count = V_key_spi_trycnt;
 4910 
 4911         /* set spi range to allocate */
 4912         if (spirange != NULL) {
 4913                 min = spirange->sadb_spirange_min;
 4914                 max = spirange->sadb_spirange_max;
 4915         } else {
 4916                 min = V_key_spi_minval;
 4917                 max = V_key_spi_maxval;
 4918         }
 4919         /* IPCOMP needs 2-byte SPI */
 4920         if (saidx->proto == IPPROTO_IPCOMP) {
 4921                 if (min >= 0x10000)
 4922                         min = 0xffff;
 4923                 if (max >= 0x10000)
 4924                         max = 0xffff;
 4925                 if (min > max) {
 4926                         t = min; min = max; max = t;
 4927                 }
 4928         }
 4929 
 4930         if (min == max) {
 4931                 if (!key_checkspidup(htonl(min))) {
 4932                         ipseclog((LOG_DEBUG, "%s: SPI %u exists already.\n",
 4933                             __func__, min));
 4934                         return 0;
 4935                 }
 4936 
 4937                 count--; /* taking one cost. */
 4938                 newspi = min;
 4939         } else {
 4940 
 4941                 /* init SPI */
 4942                 newspi = 0;
 4943 
 4944                 /* when requesting to allocate spi ranged */
 4945                 while (count--) {
 4946                         /* generate pseudo-random SPI value ranged. */
 4947                         newspi = min + (key_random() % (max - min + 1));
 4948                         if (!key_checkspidup(htonl(newspi)))
 4949                                 break;
 4950                 }
 4951 
 4952                 if (count == 0 || newspi == 0) {
 4953                         ipseclog((LOG_DEBUG,
 4954                             "%s: failed to allocate SPI.\n", __func__));
 4955                         return 0;
 4956                 }
 4957         }
 4958 
 4959         /* statistics */
 4960         keystat.getspi_count =
 4961             (keystat.getspi_count + V_key_spi_trycnt - count) / 2;
 4962 
 4963         return (htonl(newspi));
 4964 }
 4965 
 4966 /*
 4967  * Find TCP-MD5 SA with corresponding secasindex.
 4968  * If not found, return NULL and fill SPI with usable value if needed.
 4969  */
 4970 static struct secasvar *
 4971 key_getsav_tcpmd5(struct secasindex *saidx, uint32_t *spi)
 4972 {
 4973         SAHTREE_RLOCK_TRACKER;
 4974         struct secashead *sah;
 4975         struct secasvar *sav;
 4976 
 4977         IPSEC_ASSERT(saidx->proto == IPPROTO_TCP, ("wrong proto"));
 4978         SAHTREE_RLOCK();
 4979         LIST_FOREACH(sah, SAHADDRHASH_HASH(saidx), addrhash) {
 4980                 if (sah->saidx.proto != IPPROTO_TCP)
 4981                         continue;
 4982                 if (!key_sockaddrcmp(&saidx->dst.sa, &sah->saidx.dst.sa, 0) &&
 4983                     !key_sockaddrcmp(&saidx->src.sa, &sah->saidx.src.sa, 0))
 4984                         break;
 4985         }
 4986         if (sah != NULL) {
 4987                 if (V_key_preferred_oldsa)
 4988                         sav = TAILQ_LAST(&sah->savtree_alive, secasvar_queue);
 4989                 else
 4990                         sav = TAILQ_FIRST(&sah->savtree_alive);
 4991                 if (sav != NULL) {
 4992                         SAV_ADDREF(sav);
 4993                         SAHTREE_RUNLOCK();
 4994                         return (sav);
 4995                 }
 4996         }
 4997         if (spi == NULL) {
 4998                 /* No SPI required */
 4999                 SAHTREE_RUNLOCK();
 5000                 return (NULL);
 5001         }
 5002         /* Check that SPI is unique */
 5003         LIST_FOREACH(sav, SAVHASH_HASH(*spi), spihash) {
 5004                 if (sav->spi == *spi)
 5005                         break;
 5006         }
 5007         if (sav == NULL) {
 5008                 SAHTREE_RUNLOCK();
 5009                 /* SPI is already unique */
 5010                 return (NULL);
 5011         }
 5012         SAHTREE_RUNLOCK();
 5013         /* XXX: not optimal */
 5014         *spi = key_do_getnewspi(NULL, saidx);
 5015         return (NULL);
 5016 }
 5017 
 5018 static int
 5019 key_updateaddresses(struct socket *so, struct mbuf *m,
 5020     const struct sadb_msghdr *mhp, struct secasvar *sav,
 5021     struct secasindex *saidx)
 5022 {
 5023         struct sockaddr *newaddr;
 5024         struct secashead *sah;
 5025         struct secasvar *newsav, *tmp;
 5026         struct mbuf *n;
 5027         int error, isnew;
 5028 
 5029         /* Check that we need to change SAH */
 5030         if (!SADB_CHECKHDR(mhp, SADB_X_EXT_NEW_ADDRESS_SRC)) {
 5031                 newaddr = (struct sockaddr *)(
 5032                     ((struct sadb_address *)
 5033                     mhp->ext[SADB_X_EXT_NEW_ADDRESS_SRC]) + 1);
 5034                 bcopy(newaddr, &saidx->src, newaddr->sa_len);
 5035                 key_porttosaddr(&saidx->src.sa, 0);
 5036         }
 5037         if (!SADB_CHECKHDR(mhp, SADB_X_EXT_NEW_ADDRESS_DST)) {
 5038                 newaddr = (struct sockaddr *)(
 5039                     ((struct sadb_address *)
 5040                     mhp->ext[SADB_X_EXT_NEW_ADDRESS_DST]) + 1);
 5041                 bcopy(newaddr, &saidx->dst, newaddr->sa_len);
 5042                 key_porttosaddr(&saidx->dst.sa, 0);
 5043         }
 5044         if (!SADB_CHECKHDR(mhp, SADB_X_EXT_NEW_ADDRESS_SRC) ||
 5045             !SADB_CHECKHDR(mhp, SADB_X_EXT_NEW_ADDRESS_DST)) {
 5046                 error = key_checksockaddrs(&saidx->src.sa, &saidx->dst.sa);
 5047                 if (error != 0) {
 5048                         ipseclog((LOG_DEBUG, "%s: invalid new sockaddr.\n",
 5049                             __func__));
 5050                         return (error);
 5051                 }
 5052 
 5053                 sah = key_getsah(saidx);
 5054                 if (sah == NULL) {
 5055                         /* create a new SA index */
 5056                         sah = key_newsah(saidx);
 5057                         if (sah == NULL) {
 5058                                 ipseclog((LOG_DEBUG,
 5059                                     "%s: No more memory.\n", __func__));
 5060                                 return (ENOBUFS);
 5061                         }
 5062                         isnew = 2; /* SAH is new */
 5063                 } else
 5064                         isnew = 1; /* existing SAH is referenced */
 5065         } else {
 5066                 /*
 5067                  * src and dst addresses are still the same.
 5068                  * Do we want to change NAT-T config?
 5069                  */
 5070                 if (sav->sah->saidx.proto != IPPROTO_ESP ||
 5071                     SADB_CHECKHDR(mhp, SADB_X_EXT_NAT_T_TYPE) ||
 5072                     SADB_CHECKHDR(mhp, SADB_X_EXT_NAT_T_SPORT) ||
 5073                     SADB_CHECKHDR(mhp, SADB_X_EXT_NAT_T_DPORT)) {
 5074                         ipseclog((LOG_DEBUG,
 5075                             "%s: invalid message: missing required header.\n",
 5076                             __func__));
 5077                         return (EINVAL);
 5078                 }
 5079                 /* We hold reference to SA, thus SAH will be referenced too. */
 5080                 sah = sav->sah;
 5081                 isnew = 0;
 5082         }
 5083 
 5084         newsav = malloc(sizeof(struct secasvar), M_IPSEC_SA,
 5085             M_NOWAIT | M_ZERO);
 5086         if (newsav == NULL) {
 5087                 ipseclog((LOG_DEBUG, "%s: No more memory.\n", __func__));
 5088                 error = ENOBUFS;
 5089                 goto fail;
 5090         }
 5091 
 5092         /* Clone SA's content into newsav */
 5093         SAV_INITREF(newsav);
 5094         bcopy(sav, newsav, offsetof(struct secasvar, chain));
 5095         /*
 5096          * We create new NAT-T config if it is needed.
 5097          * Old NAT-T config will be freed by key_cleansav() when
 5098          * last reference to SA will be released.
 5099          */
 5100         newsav->natt = NULL;
 5101         newsav->sah = sah;
 5102         newsav->state = SADB_SASTATE_MATURE;
 5103         error = key_setnatt(newsav, mhp);
 5104         if (error != 0)
 5105                 goto fail;
 5106 
 5107         SAHTREE_WLOCK();
 5108         /* Check that SA is still alive */
 5109         if (sav->state == SADB_SASTATE_DEAD) {
 5110                 /* SA was unlinked */
 5111                 SAHTREE_WUNLOCK();
 5112                 error = ESRCH;
 5113                 goto fail;
 5114         }
 5115 
 5116         /* Unlink SA from SAH and SPI hash */
 5117         IPSEC_ASSERT((sav->flags & SADB_X_EXT_F_CLONED) == 0,
 5118             ("SA is already cloned"));
 5119         IPSEC_ASSERT(sav->state == SADB_SASTATE_MATURE ||
 5120             sav->state == SADB_SASTATE_DYING,
 5121             ("Wrong SA state %u\n", sav->state));
 5122         TAILQ_REMOVE(&sav->sah->savtree_alive, sav, chain);
 5123         LIST_REMOVE(sav, spihash);
 5124         sav->state = SADB_SASTATE_DEAD;
 5125 
 5126         /*
 5127          * Link new SA with SAH. Keep SAs ordered by
 5128          * create time (newer are first).
 5129          */
 5130         TAILQ_FOREACH(tmp, &sah->savtree_alive, chain) {
 5131                 if (newsav->created > tmp->created) {
 5132                         TAILQ_INSERT_BEFORE(tmp, newsav, chain);
 5133                         break;
 5134                 }
 5135         }
 5136         if (tmp == NULL)
 5137                 TAILQ_INSERT_TAIL(&sah->savtree_alive, newsav, chain);
 5138 
 5139         /* Add new SA into SPI hash. */
 5140         LIST_INSERT_HEAD(SAVHASH_HASH(newsav->spi), newsav, spihash);
 5141 
 5142         /* Add new SAH into SADB. */
 5143         if (isnew == 2) {
 5144                 TAILQ_INSERT_HEAD(&V_sahtree, sah, chain);
 5145                 LIST_INSERT_HEAD(SAHADDRHASH_HASH(saidx), sah, addrhash);
 5146                 sah->state = SADB_SASTATE_MATURE;
 5147                 SAH_ADDREF(sah); /* newsav references new SAH */
 5148         }
 5149         /*
 5150          * isnew == 1 -> @sah was referenced by key_getsah().
 5151          * isnew == 0 -> we use the same @sah, that was used by @sav,
 5152          *      and we use its reference for @newsav.
 5153          */
 5154         SECASVAR_LOCK(sav);
 5155         /* XXX: replace cntr with pointer? */
 5156         newsav->cntr = sav->cntr;
 5157         sav->flags |= SADB_X_EXT_F_CLONED;
 5158         SECASVAR_UNLOCK(sav);
 5159 
 5160         SAHTREE_WUNLOCK();
 5161 
 5162         KEYDBG(KEY_STAMP,
 5163             printf("%s: SA(%p) cloned into SA(%p)\n",
 5164             __func__, sav, newsav));
 5165         KEYDBG(KEY_DATA, kdebug_secasv(newsav));
 5166 
 5167         key_freesav(&sav); /* release last reference */
 5168 
 5169         /* set msg buf from mhp */
 5170         n = key_getmsgbuf_x1(m, mhp);
 5171         if (n == NULL) {
 5172                 ipseclog((LOG_DEBUG, "%s: No more memory.\n", __func__));
 5173                 return (ENOBUFS);
 5174         }
 5175         m_freem(m);
 5176         key_sendup_mbuf(so, n, KEY_SENDUP_ALL);
 5177         return (0);
 5178 fail:
 5179         if (isnew != 0)
 5180                 key_freesah(&sah);
 5181         if (newsav != NULL) {
 5182                 if (newsav->natt != NULL)
 5183                         free(newsav->natt, M_IPSEC_MISC);
 5184                 free(newsav, M_IPSEC_SA);
 5185         }
 5186         return (error);
 5187 }
 5188 
 5189 /*
 5190  * SADB_UPDATE processing
 5191  * receive
 5192  *   <base, SA, (SA2), (lifetime(HSC),) address(SD), (address(P),)
 5193  *       key(AE), (identity(SD),) (sensitivity)>
 5194  * from the ikmpd, and update a secasvar entry whose status is SADB_SASTATE_LARVAL.
 5195  * and send
 5196  *   <base, SA, (SA2), (lifetime(HSC),) address(SD), (address(P),)
 5197  *       (identity(SD),) (sensitivity)>
 5198  * to the ikmpd.
 5199  *
 5200  * m will always be freed.
 5201  */
 5202 static int
 5203 key_update(struct socket *so, struct mbuf *m, const struct sadb_msghdr *mhp)
 5204 {
 5205         struct secasindex saidx;
 5206         struct sadb_address *src0, *dst0;
 5207         struct sadb_sa *sa0;
 5208         struct secasvar *sav;
 5209         uint32_t reqid;
 5210         int error;
 5211         uint8_t mode, proto;
 5212 
 5213         IPSEC_ASSERT(so != NULL, ("null socket"));
 5214         IPSEC_ASSERT(m != NULL, ("null mbuf"));
 5215         IPSEC_ASSERT(mhp != NULL, ("null msghdr"));
 5216         IPSEC_ASSERT(mhp->msg != NULL, ("null msg"));
 5217 
 5218         /* map satype to proto */
 5219         if ((proto = key_satype2proto(mhp->msg->sadb_msg_satype)) == 0) {
 5220                 ipseclog((LOG_DEBUG, "%s: invalid satype is passed.\n",
 5221                     __func__));
 5222                 return key_senderror(so, m, EINVAL);
 5223         }
 5224 
 5225         if (SADB_CHECKHDR(mhp, SADB_EXT_SA) ||
 5226             SADB_CHECKHDR(mhp, SADB_EXT_ADDRESS_SRC) ||
 5227             SADB_CHECKHDR(mhp, SADB_EXT_ADDRESS_DST) ||
 5228             (SADB_CHECKHDR(mhp, SADB_EXT_LIFETIME_HARD) &&
 5229                 !SADB_CHECKHDR(mhp, SADB_EXT_LIFETIME_SOFT)) ||
 5230             (SADB_CHECKHDR(mhp, SADB_EXT_LIFETIME_SOFT) &&
 5231                 !SADB_CHECKHDR(mhp, SADB_EXT_LIFETIME_HARD))) {
 5232                 ipseclog((LOG_DEBUG,
 5233                     "%s: invalid message: missing required header.\n",
 5234                     __func__));
 5235                 return key_senderror(so, m, EINVAL);
 5236         }
 5237         if (SADB_CHECKLEN(mhp, SADB_EXT_SA) ||
 5238             SADB_CHECKLEN(mhp, SADB_EXT_ADDRESS_SRC) ||
 5239             SADB_CHECKLEN(mhp, SADB_EXT_ADDRESS_DST)) {
 5240                 ipseclog((LOG_DEBUG,
 5241                     "%s: invalid message: wrong header size.\n", __func__));
 5242                 return key_senderror(so, m, EINVAL);
 5243         }
 5244         if (SADB_CHECKHDR(mhp, SADB_X_EXT_SA2)) {
 5245                 mode = IPSEC_MODE_ANY;
 5246                 reqid = 0;
 5247         } else {
 5248                 if (SADB_CHECKLEN(mhp, SADB_X_EXT_SA2)) {
 5249                         ipseclog((LOG_DEBUG,
 5250                             "%s: invalid message: wrong header size.\n",
 5251                             __func__));
 5252                         return key_senderror(so, m, EINVAL);
 5253                 }
 5254                 mode = ((struct sadb_x_sa2 *)
 5255                     mhp->ext[SADB_X_EXT_SA2])->sadb_x_sa2_mode;
 5256                 reqid = ((struct sadb_x_sa2 *)
 5257                     mhp->ext[SADB_X_EXT_SA2])->sadb_x_sa2_reqid;
 5258         }
 5259 
 5260         sa0 = (struct sadb_sa *)mhp->ext[SADB_EXT_SA];
 5261         src0 = (struct sadb_address *)(mhp->ext[SADB_EXT_ADDRESS_SRC]);
 5262         dst0 = (struct sadb_address *)(mhp->ext[SADB_EXT_ADDRESS_DST]);
 5263 
 5264         /*
 5265          * Only SADB_SASTATE_MATURE SAs may be submitted in an
 5266          * SADB_UPDATE message.
 5267          */
 5268         if (sa0->sadb_sa_state != SADB_SASTATE_MATURE) {
 5269                 ipseclog((LOG_DEBUG, "%s: invalid state.\n", __func__));
 5270 #ifdef PFKEY_STRICT_CHECKS
 5271                 return key_senderror(so, m, EINVAL);
 5272 #endif
 5273         }
 5274         error = key_checksockaddrs((struct sockaddr *)(src0 + 1),
 5275             (struct sockaddr *)(dst0 + 1));
 5276         if (error != 0) {
 5277                 ipseclog((LOG_DEBUG, "%s: invalid sockaddr.\n", __func__));
 5278                 return key_senderror(so, m, error);
 5279         }
 5280         KEY_SETSECASIDX(proto, mode, reqid, src0 + 1, dst0 + 1, &saidx);
 5281         sav = key_getsavbyspi(sa0->sadb_sa_spi);
 5282         if (sav == NULL) {
 5283                 ipseclog((LOG_DEBUG, "%s: no SA found for SPI %u\n",
 5284                     __func__, ntohl(sa0->sadb_sa_spi)));
 5285                 return key_senderror(so, m, EINVAL);
 5286         }
 5287         /*
 5288          * Check that SADB_UPDATE issued by the same process that did
 5289          * SADB_GETSPI or SADB_ADD.
 5290          */
 5291         if (sav->pid != mhp->msg->sadb_msg_pid) {
 5292                 ipseclog((LOG_DEBUG,
 5293                     "%s: pid mismatched (SPI %u, pid %u vs. %u)\n", __func__,
 5294                     ntohl(sav->spi), sav->pid, mhp->msg->sadb_msg_pid));
 5295                 key_freesav(&sav);
 5296                 return key_senderror(so, m, EINVAL);
 5297         }
 5298         /* saidx should match with SA. */
 5299         if (key_cmpsaidx(&sav->sah->saidx, &saidx, CMP_MODE_REQID) == 0) {
 5300                 ipseclog((LOG_DEBUG, "%s: saidx mismatched for SPI %u",
 5301                     __func__, ntohl(sav->spi)));
 5302                 key_freesav(&sav);
 5303                 return key_senderror(so, m, ESRCH);
 5304         }
 5305 
 5306         if (sav->state == SADB_SASTATE_LARVAL) {
 5307                 if ((mhp->msg->sadb_msg_satype == SADB_SATYPE_ESP &&
 5308                     SADB_CHECKHDR(mhp, SADB_EXT_KEY_ENCRYPT)) ||
 5309                     (mhp->msg->sadb_msg_satype == SADB_SATYPE_AH &&
 5310                     SADB_CHECKHDR(mhp, SADB_EXT_KEY_AUTH))) {
 5311                         ipseclog((LOG_DEBUG,
 5312                             "%s: invalid message: missing required header.\n",
 5313                             __func__));
 5314                         key_freesav(&sav);
 5315                         return key_senderror(so, m, EINVAL);
 5316                 }
 5317                 /*
 5318                  * We can set any values except src, dst and SPI.
 5319                  */
 5320                 error = key_setsaval(sav, mhp);
 5321                 if (error != 0) {
 5322                         key_freesav(&sav);
 5323                         return (key_senderror(so, m, error));
 5324                 }
 5325                 /* Change SA state to MATURE */
 5326                 SAHTREE_WLOCK();
 5327                 if (sav->state != SADB_SASTATE_LARVAL) {
 5328                         /* SA was deleted or another thread made it MATURE. */
 5329                         SAHTREE_WUNLOCK();
 5330                         key_freesav(&sav);
 5331                         return (key_senderror(so, m, ESRCH));
 5332                 }
 5333                 /*
 5334                  * NOTE: we keep SAs in savtree_alive ordered by created
 5335                  * time. When SA's state changed from LARVAL to MATURE,
 5336                  * we update its created time in key_setsaval() and move
 5337                  * it into head of savtree_alive.
 5338                  */
 5339                 TAILQ_REMOVE(&sav->sah->savtree_larval, sav, chain);
 5340                 TAILQ_INSERT_HEAD(&sav->sah->savtree_alive, sav, chain);
 5341                 sav->state = SADB_SASTATE_MATURE;
 5342                 SAHTREE_WUNLOCK();
 5343         } else {
 5344                 /*
 5345                  * For DYING and MATURE SA we can change only state
 5346                  * and lifetimes. Report EINVAL if something else attempted
 5347                  * to change.
 5348                  */
 5349                 if (!SADB_CHECKHDR(mhp, SADB_EXT_KEY_ENCRYPT) ||
 5350                     !SADB_CHECKHDR(mhp, SADB_EXT_KEY_AUTH)) {
 5351                         key_freesav(&sav);
 5352                         return (key_senderror(so, m, EINVAL));
 5353                 }
 5354                 error = key_updatelifetimes(sav, mhp);
 5355                 if (error != 0) {
 5356                         key_freesav(&sav);
 5357                         return (key_senderror(so, m, error));
 5358                 }
 5359                 /*
 5360                  * This is FreeBSD extension to RFC2367.
 5361                  * IKEd can specify SADB_X_EXT_NEW_ADDRESS_SRC and/or
 5362                  * SADB_X_EXT_NEW_ADDRESS_DST when it wants to change
 5363                  * SA addresses (for example to implement MOBIKE protocol
 5364                  * as described in RFC4555). Also we allow to change
 5365                  * NAT-T config.
 5366                  */
 5367                 if (!SADB_CHECKHDR(mhp, SADB_X_EXT_NEW_ADDRESS_SRC) ||
 5368                     !SADB_CHECKHDR(mhp, SADB_X_EXT_NEW_ADDRESS_DST) ||
 5369                     !SADB_CHECKHDR(mhp, SADB_X_EXT_NAT_T_TYPE) ||
 5370                     sav->natt != NULL) {
 5371                         error = key_updateaddresses(so, m, mhp, sav, &saidx);
 5372                         key_freesav(&sav);
 5373                         if (error != 0)
 5374                                 return (key_senderror(so, m, error));
 5375                         return (0);
 5376                 }
 5377                 /* Check that SA is still alive */
 5378                 SAHTREE_WLOCK();
 5379                 if (sav->state == SADB_SASTATE_DEAD) {
 5380                         /* SA was unlinked */
 5381                         SAHTREE_WUNLOCK();
 5382                         key_freesav(&sav);
 5383                         return (key_senderror(so, m, ESRCH));
 5384                 }
 5385                 /*
 5386                  * NOTE: there is possible state moving from DYING to MATURE,
 5387                  * but this doesn't change created time, so we won't reorder
 5388                  * this SA.
 5389                  */
 5390                 sav->state = SADB_SASTATE_MATURE;
 5391                 SAHTREE_WUNLOCK();
 5392         }
 5393         KEYDBG(KEY_STAMP,
 5394             printf("%s: SA(%p)\n", __func__, sav));
 5395         KEYDBG(KEY_DATA, kdebug_secasv(sav));
 5396         key_freesav(&sav);
 5397 
 5398     {
 5399         struct mbuf *n;
 5400 
 5401         /* set msg buf from mhp */
 5402         n = key_getmsgbuf_x1(m, mhp);
 5403         if (n == NULL) {
 5404                 ipseclog((LOG_DEBUG, "%s: No more memory.\n", __func__));
 5405                 return key_senderror(so, m, ENOBUFS);
 5406         }
 5407 
 5408         m_freem(m);
 5409         return key_sendup_mbuf(so, n, KEY_SENDUP_ALL);
 5410     }
 5411 }
 5412 
 5413 /*
 5414  * SADB_ADD processing
 5415  * add an entry to SA database, when received
 5416  *   <base, SA, (SA2), (lifetime(HSC),) address(SD), (address(P),)
 5417  *       key(AE), (identity(SD),) (sensitivity)>
 5418  * from the ikmpd,
 5419  * and send
 5420  *   <base, SA, (SA2), (lifetime(HSC),) address(SD), (address(P),)
 5421  *       (identity(SD),) (sensitivity)>
 5422  * to the ikmpd.
 5423  *
 5424  * IGNORE identity and sensitivity messages.
 5425  *
 5426  * m will always be freed.
 5427  */
 5428 static int
 5429 key_add(struct socket *so, struct mbuf *m, const struct sadb_msghdr *mhp)
 5430 {
 5431         struct secasindex saidx;
 5432         struct sadb_address *src0, *dst0;
 5433         struct sadb_sa *sa0;
 5434         struct secasvar *sav;
 5435         uint32_t reqid, spi;
 5436         uint8_t mode, proto;
 5437         int error;
 5438 
 5439         IPSEC_ASSERT(so != NULL, ("null socket"));
 5440         IPSEC_ASSERT(m != NULL, ("null mbuf"));
 5441         IPSEC_ASSERT(mhp != NULL, ("null msghdr"));
 5442         IPSEC_ASSERT(mhp->msg != NULL, ("null msg"));
 5443 
 5444         /* map satype to proto */
 5445         if ((proto = key_satype2proto(mhp->msg->sadb_msg_satype)) == 0) {
 5446                 ipseclog((LOG_DEBUG, "%s: invalid satype is passed.\n",
 5447                     __func__));
 5448                 return key_senderror(so, m, EINVAL);
 5449         }
 5450 
 5451         if (SADB_CHECKHDR(mhp, SADB_EXT_SA) ||
 5452             SADB_CHECKHDR(mhp, SADB_EXT_ADDRESS_SRC) ||
 5453             SADB_CHECKHDR(mhp, SADB_EXT_ADDRESS_DST) ||
 5454             (mhp->msg->sadb_msg_satype == SADB_SATYPE_ESP && (
 5455                 SADB_CHECKHDR(mhp, SADB_EXT_KEY_ENCRYPT) ||
 5456                 SADB_CHECKLEN(mhp, SADB_EXT_KEY_ENCRYPT))) ||
 5457             (mhp->msg->sadb_msg_satype == SADB_SATYPE_AH && (
 5458                 SADB_CHECKHDR(mhp, SADB_EXT_KEY_AUTH) ||
 5459                 SADB_CHECKLEN(mhp, SADB_EXT_KEY_AUTH))) ||
 5460             (SADB_CHECKHDR(mhp, SADB_EXT_LIFETIME_HARD) &&
 5461                 !SADB_CHECKHDR(mhp, SADB_EXT_LIFETIME_SOFT)) ||
 5462             (SADB_CHECKHDR(mhp, SADB_EXT_LIFETIME_SOFT) &&
 5463                 !SADB_CHECKHDR(mhp, SADB_EXT_LIFETIME_HARD))) {
 5464                 ipseclog((LOG_DEBUG,
 5465                     "%s: invalid message: missing required header.\n",
 5466                     __func__));
 5467                 return key_senderror(so, m, EINVAL);
 5468         }
 5469         if (SADB_CHECKLEN(mhp, SADB_EXT_SA) ||
 5470             SADB_CHECKLEN(mhp, SADB_EXT_ADDRESS_SRC) ||
 5471             SADB_CHECKLEN(mhp, SADB_EXT_ADDRESS_DST)) {
 5472                 ipseclog((LOG_DEBUG,
 5473                     "%s: invalid message: wrong header size.\n", __func__));
 5474                 return key_senderror(so, m, EINVAL);
 5475         }
 5476         if (SADB_CHECKHDR(mhp, SADB_X_EXT_SA2)) {
 5477                 mode = IPSEC_MODE_ANY;
 5478                 reqid = 0;
 5479         } else {
 5480                 if (SADB_CHECKLEN(mhp, SADB_X_EXT_SA2)) {
 5481                         ipseclog((LOG_DEBUG,
 5482                             "%s: invalid message: wrong header size.\n",
 5483                             __func__));
 5484                         return key_senderror(so, m, EINVAL);
 5485                 }
 5486                 mode = ((struct sadb_x_sa2 *)
 5487                     mhp->ext[SADB_X_EXT_SA2])->sadb_x_sa2_mode;
 5488                 reqid = ((struct sadb_x_sa2 *)
 5489                     mhp->ext[SADB_X_EXT_SA2])->sadb_x_sa2_reqid;
 5490         }
 5491 
 5492         sa0 = (struct sadb_sa *)mhp->ext[SADB_EXT_SA];
 5493         src0 = (struct sadb_address *)mhp->ext[SADB_EXT_ADDRESS_SRC];
 5494         dst0 = (struct sadb_address *)mhp->ext[SADB_EXT_ADDRESS_DST];
 5495 
 5496         /*
 5497          * Only SADB_SASTATE_MATURE SAs may be submitted in an
 5498          * SADB_ADD message.
 5499          */
 5500         if (sa0->sadb_sa_state != SADB_SASTATE_MATURE) {
 5501                 ipseclog((LOG_DEBUG, "%s: invalid state.\n", __func__));
 5502 #ifdef PFKEY_STRICT_CHECKS
 5503                 return key_senderror(so, m, EINVAL);
 5504 #endif
 5505         }
 5506         error = key_checksockaddrs((struct sockaddr *)(src0 + 1),
 5507             (struct sockaddr *)(dst0 + 1));
 5508         if (error != 0) {
 5509                 ipseclog((LOG_DEBUG, "%s: invalid sockaddr.\n", __func__));
 5510                 return key_senderror(so, m, error);
 5511         }
 5512         KEY_SETSECASIDX(proto, mode, reqid, src0 + 1, dst0 + 1, &saidx);
 5513         spi = sa0->sadb_sa_spi;
 5514         /*
 5515          * For TCP-MD5 SAs we don't use SPI. Check the uniqueness using
 5516          * secasindex.
 5517          * XXXAE: IPComp seems also doesn't use SPI.
 5518          */
 5519         if (proto == IPPROTO_TCP) {
 5520                 sav = key_getsav_tcpmd5(&saidx, &spi);
 5521                 if (sav == NULL && spi == 0) {
 5522                         /* Failed to allocate SPI */
 5523                         ipseclog((LOG_DEBUG, "%s: SA already exists.\n",
 5524                             __func__));
 5525                         return key_senderror(so, m, EEXIST);
 5526                 }
 5527                 /* XXX: SPI that we report back can have another value */
 5528         } else {
 5529                 /* We can create new SA only if SPI is different. */
 5530                 sav = key_getsavbyspi(spi);
 5531         }
 5532         if (sav != NULL) {
 5533                 key_freesav(&sav);
 5534                 ipseclog((LOG_DEBUG, "%s: SA already exists.\n", __func__));
 5535                 return key_senderror(so, m, EEXIST);
 5536         }
 5537 
 5538         sav = key_newsav(mhp, &saidx, spi, &error);
 5539         if (sav == NULL)
 5540                 return key_senderror(so, m, error);
 5541         KEYDBG(KEY_STAMP,
 5542             printf("%s: return SA(%p)\n", __func__, sav));
 5543         KEYDBG(KEY_DATA, kdebug_secasv(sav));
 5544         /*
 5545          * If SADB_ADD was in response to SADB_ACQUIRE, we need to schedule
 5546          * ACQ for deletion.
 5547          */
 5548         if (sav->seq != 0)
 5549                 key_acqdone(&saidx, sav->seq);
 5550 
 5551     {
 5552         /*
 5553          * Don't call key_freesav() on error here, as we would like to
 5554          * keep the SA in the database.
 5555          */
 5556         struct mbuf *n;
 5557 
 5558         /* set msg buf from mhp */
 5559         n = key_getmsgbuf_x1(m, mhp);
 5560         if (n == NULL) {
 5561                 ipseclog((LOG_DEBUG, "%s: No more memory.\n", __func__));
 5562                 return key_senderror(so, m, ENOBUFS);
 5563         }
 5564 
 5565         m_freem(m);
 5566         return key_sendup_mbuf(so, n, KEY_SENDUP_ALL);
 5567     }
 5568 }
 5569 
 5570 /*
 5571  * NAT-T support.
 5572  * IKEd may request the use ESP in UDP encapsulation when it detects the
 5573  * presence of NAT. It uses NAT-T extension headers for such SAs to specify
 5574  * parameters needed for encapsulation and decapsulation. These PF_KEY
 5575  * extension headers are not standardized, so this comment addresses our
 5576  * implementation.
 5577  * SADB_X_EXT_NAT_T_TYPE specifies type of encapsulation, we support only
 5578  * UDP_ENCAP_ESPINUDP as described in RFC3948.
 5579  * SADB_X_EXT_NAT_T_SPORT/DPORT specifies source and destination ports for
 5580  * UDP header. We use these ports in UDP encapsulation procedure, also we
 5581  * can check them in UDP decapsulation procedure.
 5582  * SADB_X_EXT_NAT_T_OA[IR] specifies original address of initiator or
 5583  * responder. These addresses can be used for transport mode to adjust
 5584  * checksum after decapsulation and decryption. Since original IP addresses
 5585  * used by peer usually different (we detected presence of NAT), TCP/UDP
 5586  * pseudo header checksum and IP header checksum was calculated using original
 5587  * addresses. After decapsulation and decryption we need to adjust checksum
 5588  * to have correct datagram.
 5589  *
 5590  * We expect presence of NAT-T extension headers only in SADB_ADD and
 5591  * SADB_UPDATE messages. We report NAT-T extension headers in replies
 5592  * to SADB_ADD, SADB_UPDATE, SADB_GET, and SADB_DUMP messages.
 5593  */
 5594 static int
 5595 key_setnatt(struct secasvar *sav, const struct sadb_msghdr *mhp)
 5596 {
 5597         struct sadb_x_nat_t_port *port;
 5598         struct sadb_x_nat_t_type *type;
 5599         struct sadb_address *oai, *oar;
 5600         struct sockaddr *sa;
 5601         uint32_t addr;
 5602         uint16_t cksum;
 5603 
 5604         IPSEC_ASSERT(sav->natt == NULL, ("natt is already initialized"));
 5605         /*
 5606          * Ignore NAT-T headers if sproto isn't ESP.
 5607          */
 5608         if (sav->sah->saidx.proto != IPPROTO_ESP)
 5609                 return (0);
 5610 
 5611         if (!SADB_CHECKHDR(mhp, SADB_X_EXT_NAT_T_TYPE) &&
 5612             !SADB_CHECKHDR(mhp, SADB_X_EXT_NAT_T_SPORT) &&
 5613             !SADB_CHECKHDR(mhp, SADB_X_EXT_NAT_T_DPORT)) {
 5614                 if (SADB_CHECKLEN(mhp, SADB_X_EXT_NAT_T_TYPE) ||
 5615                     SADB_CHECKLEN(mhp, SADB_X_EXT_NAT_T_SPORT) ||
 5616                     SADB_CHECKLEN(mhp, SADB_X_EXT_NAT_T_DPORT)) {
 5617                         ipseclog((LOG_DEBUG,
 5618                             "%s: invalid message: wrong header size.\n",
 5619                             __func__));
 5620                         return (EINVAL);
 5621                 }
 5622         } else
 5623                 return (0);
 5624 
 5625         type = (struct sadb_x_nat_t_type *)mhp->ext[SADB_X_EXT_NAT_T_TYPE];
 5626         if (type->sadb_x_nat_t_type_type != UDP_ENCAP_ESPINUDP) {
 5627                 ipseclog((LOG_DEBUG, "%s: unsupported NAT-T type %u.\n",
 5628                     __func__, type->sadb_x_nat_t_type_type));
 5629                 return (EINVAL);
 5630         }
 5631         /*
 5632          * Allocate storage for NAT-T config.
 5633          * On error it will be released by key_cleansav().
 5634          */
 5635         sav->natt = malloc(sizeof(struct secnatt), M_IPSEC_MISC,
 5636             M_NOWAIT | M_ZERO);
 5637         if (sav->natt == NULL) {
 5638                 PFKEYSTAT_INC(in_nomem);
 5639                 ipseclog((LOG_DEBUG, "%s: No more memory.\n", __func__));
 5640                 return (ENOBUFS);
 5641         }
 5642         port = (struct sadb_x_nat_t_port *)mhp->ext[SADB_X_EXT_NAT_T_SPORT];
 5643         if (port->sadb_x_nat_t_port_port == 0) {
 5644                 ipseclog((LOG_DEBUG, "%s: invalid NAT-T sport specified.\n",
 5645                     __func__));
 5646                 return (EINVAL);
 5647         }
 5648         sav->natt->sport = port->sadb_x_nat_t_port_port;
 5649         port = (struct sadb_x_nat_t_port *)mhp->ext[SADB_X_EXT_NAT_T_DPORT];
 5650         if (port->sadb_x_nat_t_port_port == 0) {
 5651                 ipseclog((LOG_DEBUG, "%s: invalid NAT-T dport specified.\n",
 5652                     __func__));
 5653                 return (EINVAL);
 5654         }
 5655         sav->natt->dport = port->sadb_x_nat_t_port_port;
 5656 
 5657         /*
 5658          * SADB_X_EXT_NAT_T_OAI and SADB_X_EXT_NAT_T_OAR are optional
 5659          * and needed only for transport mode IPsec.
 5660          * Usually NAT translates only one address, but it is possible,
 5661          * that both addresses could be translated.
 5662          * NOTE: Value of SADB_X_EXT_NAT_T_OAI is equal to SADB_X_EXT_NAT_T_OA.
 5663          */
 5664         if (!SADB_CHECKHDR(mhp, SADB_X_EXT_NAT_T_OAI)) {
 5665                 if (SADB_CHECKLEN(mhp, SADB_X_EXT_NAT_T_OAI)) {
 5666                         ipseclog((LOG_DEBUG,
 5667                             "%s: invalid message: wrong header size.\n",
 5668                             __func__));
 5669                         return (EINVAL);
 5670                 }
 5671                 oai = (struct sadb_address *)mhp->ext[SADB_X_EXT_NAT_T_OAI];
 5672         } else
 5673                 oai = NULL;
 5674         if (!SADB_CHECKHDR(mhp, SADB_X_EXT_NAT_T_OAR)) {
 5675                 if (SADB_CHECKLEN(mhp, SADB_X_EXT_NAT_T_OAR)) {
 5676                         ipseclog((LOG_DEBUG,
 5677                             "%s: invalid message: wrong header size.\n",
 5678                             __func__));
 5679                         return (EINVAL);
 5680                 }
 5681                 oar = (struct sadb_address *)mhp->ext[SADB_X_EXT_NAT_T_OAR];
 5682         } else
 5683                 oar = NULL;
 5684 
 5685         /* Initialize addresses only for transport mode */
 5686         if (sav->sah->saidx.mode != IPSEC_MODE_TUNNEL) {
 5687                 cksum = 0;
 5688                 if (oai != NULL) {
 5689                         /* Currently we support only AF_INET */
 5690                         sa = (struct sockaddr *)(oai + 1);
 5691                         if (sa->sa_family != AF_INET ||
 5692                             sa->sa_len != sizeof(struct sockaddr_in)) {
 5693                                 ipseclog((LOG_DEBUG,
 5694                                     "%s: wrong NAT-OAi header.\n",
 5695                                     __func__));
 5696                                 return (EINVAL);
 5697                         }
 5698                         /* Ignore address if it the same */
 5699                         if (((struct sockaddr_in *)sa)->sin_addr.s_addr !=
 5700                             sav->sah->saidx.src.sin.sin_addr.s_addr) {
 5701                                 bcopy(sa, &sav->natt->oai.sa, sa->sa_len);
 5702                                 sav->natt->flags |= IPSEC_NATT_F_OAI;
 5703                                 /* Calculate checksum delta */
 5704                                 addr = sav->sah->saidx.src.sin.sin_addr.s_addr;
 5705                                 cksum = in_addword(cksum, ~addr >> 16);
 5706                                 cksum = in_addword(cksum, ~addr & 0xffff);
 5707                                 addr = sav->natt->oai.sin.sin_addr.s_addr;
 5708                                 cksum = in_addword(cksum, addr >> 16);
 5709                                 cksum = in_addword(cksum, addr & 0xffff);
 5710                         }
 5711                 }
 5712                 if (oar != NULL) {
 5713                         /* Currently we support only AF_INET */
 5714                         sa = (struct sockaddr *)(oar + 1);
 5715                         if (sa->sa_family != AF_INET ||
 5716                             sa->sa_len != sizeof(struct sockaddr_in)) {
 5717                                 ipseclog((LOG_DEBUG,
 5718                                     "%s: wrong NAT-OAr header.\n",
 5719                                     __func__));
 5720                                 return (EINVAL);
 5721                         }
 5722                         /* Ignore address if it the same */
 5723                         if (((struct sockaddr_in *)sa)->sin_addr.s_addr !=
 5724                             sav->sah->saidx.dst.sin.sin_addr.s_addr) {
 5725                                 bcopy(sa, &sav->natt->oar.sa, sa->sa_len);
 5726                                 sav->natt->flags |= IPSEC_NATT_F_OAR;
 5727                                 /* Calculate checksum delta */
 5728                                 addr = sav->sah->saidx.dst.sin.sin_addr.s_addr;
 5729                                 cksum = in_addword(cksum, ~addr >> 16);
 5730                                 cksum = in_addword(cksum, ~addr & 0xffff);
 5731                                 addr = sav->natt->oar.sin.sin_addr.s_addr;
 5732                                 cksum = in_addword(cksum, addr >> 16);
 5733                                 cksum = in_addword(cksum, addr & 0xffff);
 5734                         }
 5735                 }
 5736                 sav->natt->cksum = cksum;
 5737         }
 5738         return (0);
 5739 }
 5740 
 5741 static int
 5742 key_setident(struct secashead *sah, const struct sadb_msghdr *mhp)
 5743 {
 5744         const struct sadb_ident *idsrc, *iddst;
 5745         int idsrclen, iddstlen;
 5746 
 5747         IPSEC_ASSERT(sah != NULL, ("null secashead"));
 5748         IPSEC_ASSERT(mhp != NULL, ("null msghdr"));
 5749         IPSEC_ASSERT(mhp->msg != NULL, ("null msg"));
 5750 
 5751         /* don't make buffer if not there */
 5752         if (SADB_CHECKHDR(mhp, SADB_EXT_IDENTITY_SRC) &&
 5753             SADB_CHECKHDR(mhp, SADB_EXT_IDENTITY_DST)) {
 5754                 sah->idents = NULL;
 5755                 sah->identd = NULL;
 5756                 return (0);
 5757         }
 5758 
 5759         if (SADB_CHECKHDR(mhp, SADB_EXT_IDENTITY_SRC) ||
 5760             SADB_CHECKHDR(mhp, SADB_EXT_IDENTITY_DST)) {
 5761                 ipseclog((LOG_DEBUG, "%s: invalid identity.\n", __func__));
 5762                 return (EINVAL);
 5763         }
 5764 
 5765         idsrc = (const struct sadb_ident *)mhp->ext[SADB_EXT_IDENTITY_SRC];
 5766         iddst = (const struct sadb_ident *)mhp->ext[SADB_EXT_IDENTITY_DST];
 5767         idsrclen = mhp->extlen[SADB_EXT_IDENTITY_SRC];
 5768         iddstlen = mhp->extlen[SADB_EXT_IDENTITY_DST];
 5769 
 5770         /* validity check */
 5771         if (idsrc->sadb_ident_type != iddst->sadb_ident_type) {
 5772                 ipseclog((LOG_DEBUG, "%s: ident type mismatch.\n", __func__));
 5773                 return EINVAL;
 5774         }
 5775 
 5776         switch (idsrc->sadb_ident_type) {
 5777         case SADB_IDENTTYPE_PREFIX:
 5778         case SADB_IDENTTYPE_FQDN:
 5779         case SADB_IDENTTYPE_USERFQDN:
 5780         default:
 5781                 /* XXX do nothing */
 5782                 sah->idents = NULL;
 5783                 sah->identd = NULL;
 5784                 return 0;
 5785         }
 5786 
 5787         /* make structure */
 5788         sah->idents = malloc(sizeof(struct secident), M_IPSEC_MISC, M_NOWAIT);
 5789         if (sah->idents == NULL) {
 5790                 ipseclog((LOG_DEBUG, "%s: No more memory.\n", __func__));
 5791                 return ENOBUFS;
 5792         }
 5793         sah->identd = malloc(sizeof(struct secident), M_IPSEC_MISC, M_NOWAIT);
 5794         if (sah->identd == NULL) {
 5795                 free(sah->idents, M_IPSEC_MISC);
 5796                 sah->idents = NULL;
 5797                 ipseclog((LOG_DEBUG, "%s: No more memory.\n", __func__));
 5798                 return ENOBUFS;
 5799         }
 5800         sah->idents->type = idsrc->sadb_ident_type;
 5801         sah->idents->id = idsrc->sadb_ident_id;
 5802 
 5803         sah->identd->type = iddst->sadb_ident_type;
 5804         sah->identd->id = iddst->sadb_ident_id;
 5805 
 5806         return 0;
 5807 }
 5808 
 5809 /*
 5810  * m will not be freed on return.
 5811  * it is caller's responsibility to free the result.
 5812  *
 5813  * Called from SADB_ADD and SADB_UPDATE. Reply will contain headers
 5814  * from the request in defined order.
 5815  */
 5816 static struct mbuf *
 5817 key_getmsgbuf_x1(struct mbuf *m, const struct sadb_msghdr *mhp)
 5818 {
 5819         struct mbuf *n;
 5820 
 5821         IPSEC_ASSERT(m != NULL, ("null mbuf"));
 5822         IPSEC_ASSERT(mhp != NULL, ("null msghdr"));
 5823         IPSEC_ASSERT(mhp->msg != NULL, ("null msg"));
 5824 
 5825         /* create new sadb_msg to reply. */
 5826         n = key_gather_mbuf(m, mhp, 1, 16, SADB_EXT_RESERVED,
 5827             SADB_EXT_SA, SADB_X_EXT_SA2,
 5828             SADB_EXT_ADDRESS_SRC, SADB_EXT_ADDRESS_DST,
 5829             SADB_EXT_LIFETIME_HARD, SADB_EXT_LIFETIME_SOFT,
 5830             SADB_EXT_IDENTITY_SRC, SADB_EXT_IDENTITY_DST,
 5831             SADB_X_EXT_NAT_T_TYPE, SADB_X_EXT_NAT_T_SPORT,
 5832             SADB_X_EXT_NAT_T_DPORT, SADB_X_EXT_NAT_T_OAI,
 5833             SADB_X_EXT_NAT_T_OAR, SADB_X_EXT_NEW_ADDRESS_SRC,
 5834             SADB_X_EXT_NEW_ADDRESS_DST);
 5835         if (!n)
 5836                 return NULL;
 5837 
 5838         if (n->m_len < sizeof(struct sadb_msg)) {
 5839                 n = m_pullup(n, sizeof(struct sadb_msg));
 5840                 if (n == NULL)
 5841                         return NULL;
 5842         }
 5843         mtod(n, struct sadb_msg *)->sadb_msg_errno = 0;
 5844         mtod(n, struct sadb_msg *)->sadb_msg_len =
 5845             PFKEY_UNIT64(n->m_pkthdr.len);
 5846 
 5847         return n;
 5848 }
 5849 
 5850 /*
 5851  * SADB_DELETE processing
 5852  * receive
 5853  *   <base, SA(*), address(SD)>
 5854  * from the ikmpd, and set SADB_SASTATE_DEAD,
 5855  * and send,
 5856  *   <base, SA(*), address(SD)>
 5857  * to the ikmpd.
 5858  *
 5859  * m will always be freed.
 5860  */
 5861 static int
 5862 key_delete(struct socket *so, struct mbuf *m, const struct sadb_msghdr *mhp)
 5863 {
 5864         struct secasindex saidx;
 5865         struct sadb_address *src0, *dst0;
 5866         struct secasvar *sav;
 5867         struct sadb_sa *sa0;
 5868         uint8_t proto;
 5869 
 5870         IPSEC_ASSERT(so != NULL, ("null socket"));
 5871         IPSEC_ASSERT(m != NULL, ("null mbuf"));
 5872         IPSEC_ASSERT(mhp != NULL, ("null msghdr"));
 5873         IPSEC_ASSERT(mhp->msg != NULL, ("null msg"));
 5874 
 5875         /* map satype to proto */
 5876         if ((proto = key_satype2proto(mhp->msg->sadb_msg_satype)) == 0) {
 5877                 ipseclog((LOG_DEBUG, "%s: invalid satype is passed.\n",
 5878                     __func__));
 5879                 return key_senderror(so, m, EINVAL);
 5880         }
 5881 
 5882         if (SADB_CHECKHDR(mhp, SADB_EXT_ADDRESS_SRC) ||
 5883             SADB_CHECKHDR(mhp, SADB_EXT_ADDRESS_DST) ||
 5884             SADB_CHECKLEN(mhp, SADB_EXT_ADDRESS_SRC) ||
 5885             SADB_CHECKLEN(mhp, SADB_EXT_ADDRESS_DST)) {
 5886                 ipseclog((LOG_DEBUG, "%s: invalid message is passed.\n",
 5887                     __func__));
 5888                 return key_senderror(so, m, EINVAL);
 5889         }
 5890 
 5891         src0 = (struct sadb_address *)(mhp->ext[SADB_EXT_ADDRESS_SRC]);
 5892         dst0 = (struct sadb_address *)(mhp->ext[SADB_EXT_ADDRESS_DST]);
 5893 
 5894         if (key_checksockaddrs((struct sockaddr *)(src0 + 1),
 5895             (struct sockaddr *)(dst0 + 1)) != 0) {
 5896                 ipseclog((LOG_DEBUG, "%s: invalid sockaddr.\n", __func__));
 5897                 return (key_senderror(so, m, EINVAL));
 5898         }
 5899         KEY_SETSECASIDX(proto, IPSEC_MODE_ANY, 0, src0 + 1, dst0 + 1, &saidx);
 5900         if (SADB_CHECKHDR(mhp, SADB_EXT_SA)) {
 5901                 /*
 5902                  * Caller wants us to delete all non-LARVAL SAs
 5903                  * that match the src/dst.  This is used during
 5904                  * IKE INITIAL-CONTACT.
 5905                  * XXXAE: this looks like some extension to RFC2367.
 5906                  */
 5907                 ipseclog((LOG_DEBUG, "%s: doing delete all.\n", __func__));
 5908                 return (key_delete_all(so, m, mhp, &saidx));
 5909         }
 5910         if (SADB_CHECKLEN(mhp, SADB_EXT_SA)) {
 5911                 ipseclog((LOG_DEBUG,
 5912                     "%s: invalid message: wrong header size.\n", __func__));
 5913                 return (key_senderror(so, m, EINVAL));
 5914         }
 5915         sa0 = (struct sadb_sa *)mhp->ext[SADB_EXT_SA];
 5916         if (proto == IPPROTO_TCP)
 5917                 sav = key_getsav_tcpmd5(&saidx, NULL);
 5918         else
 5919                 sav = key_getsavbyspi(sa0->sadb_sa_spi);
 5920         if (sav == NULL) {
 5921                 ipseclog((LOG_DEBUG, "%s: no SA found for SPI %u.\n",
 5922                     __func__, ntohl(sa0->sadb_sa_spi)));
 5923                 return (key_senderror(so, m, ESRCH));
 5924         }
 5925         if (key_cmpsaidx(&sav->sah->saidx, &saidx, CMP_HEAD) == 0) {
 5926                 ipseclog((LOG_DEBUG, "%s: saidx mismatched for SPI %u.\n",
 5927                     __func__, ntohl(sav->spi)));
 5928                 key_freesav(&sav);
 5929                 return (key_senderror(so, m, ESRCH));
 5930         }
 5931         KEYDBG(KEY_STAMP,
 5932             printf("%s: SA(%p)\n", __func__, sav));
 5933         KEYDBG(KEY_DATA, kdebug_secasv(sav));
 5934         key_unlinksav(sav);
 5935         key_freesav(&sav);
 5936 
 5937     {
 5938         struct mbuf *n;
 5939         struct sadb_msg *newmsg;
 5940 
 5941         /* create new sadb_msg to reply. */
 5942         n = key_gather_mbuf(m, mhp, 1, 4, SADB_EXT_RESERVED,
 5943             SADB_EXT_SA, SADB_EXT_ADDRESS_SRC, SADB_EXT_ADDRESS_DST);
 5944         if (!n)
 5945                 return key_senderror(so, m, ENOBUFS);
 5946 
 5947         if (n->m_len < sizeof(struct sadb_msg)) {
 5948                 n = m_pullup(n, sizeof(struct sadb_msg));
 5949                 if (n == NULL)
 5950                         return key_senderror(so, m, ENOBUFS);
 5951         }
 5952         newmsg = mtod(n, struct sadb_msg *);
 5953         newmsg->sadb_msg_errno = 0;
 5954         newmsg->sadb_msg_len = PFKEY_UNIT64(n->m_pkthdr.len);
 5955 
 5956         m_freem(m);
 5957         return key_sendup_mbuf(so, n, KEY_SENDUP_ALL);
 5958     }
 5959 }
 5960 
 5961 /*
 5962  * delete all SAs for src/dst.  Called from key_delete().
 5963  */
 5964 static int
 5965 key_delete_all(struct socket *so, struct mbuf *m,
 5966     const struct sadb_msghdr *mhp, struct secasindex *saidx)
 5967 {
 5968         struct secasvar_queue drainq;
 5969         struct secashead *sah;
 5970         struct secasvar *sav, *nextsav;
 5971 
 5972         TAILQ_INIT(&drainq);
 5973         SAHTREE_WLOCK();
 5974         LIST_FOREACH(sah, SAHADDRHASH_HASH(saidx), addrhash) {
 5975                 if (key_cmpsaidx(&sah->saidx, saidx, CMP_HEAD) == 0)
 5976                         continue;
 5977                 /* Move all ALIVE SAs into drainq */
 5978                 TAILQ_CONCAT(&drainq, &sah->savtree_alive, chain);
 5979         }
 5980         /* Unlink all queued SAs from SPI hash */
 5981         TAILQ_FOREACH(sav, &drainq, chain) {
 5982                 sav->state = SADB_SASTATE_DEAD;
 5983                 LIST_REMOVE(sav, spihash);
 5984         }
 5985         SAHTREE_WUNLOCK();
 5986         /* Now we can release reference for all SAs in drainq */
 5987         sav = TAILQ_FIRST(&drainq);
 5988         while (sav != NULL) {
 5989                 KEYDBG(KEY_STAMP,
 5990                     printf("%s: SA(%p)\n", __func__, sav));
 5991                 KEYDBG(KEY_DATA, kdebug_secasv(sav));
 5992                 nextsav = TAILQ_NEXT(sav, chain);
 5993                 key_freesah(&sav->sah); /* release reference from SAV */
 5994                 key_freesav(&sav); /* release last reference */
 5995                 sav = nextsav;
 5996         }
 5997 
 5998     {
 5999         struct mbuf *n;
 6000         struct sadb_msg *newmsg;
 6001 
 6002         /* create new sadb_msg to reply. */
 6003         n = key_gather_mbuf(m, mhp, 1, 3, SADB_EXT_RESERVED,
 6004             SADB_EXT_ADDRESS_SRC, SADB_EXT_ADDRESS_DST);
 6005         if (!n)
 6006                 return key_senderror(so, m, ENOBUFS);
 6007 
 6008         if (n->m_len < sizeof(struct sadb_msg)) {
 6009                 n = m_pullup(n, sizeof(struct sadb_msg));
 6010                 if (n == NULL)
 6011                         return key_senderror(so, m, ENOBUFS);
 6012         }
 6013         newmsg = mtod(n, struct sadb_msg *);
 6014         newmsg->sadb_msg_errno = 0;
 6015         newmsg->sadb_msg_len = PFKEY_UNIT64(n->m_pkthdr.len);
 6016 
 6017         m_freem(m);
 6018         return key_sendup_mbuf(so, n, KEY_SENDUP_ALL);
 6019     }
 6020 }
 6021 
 6022 /*
 6023  * Delete all alive SAs for corresponding xform.
 6024  * Larval SAs have not initialized tdb_xform, so it is safe to leave them
 6025  * here when xform disappears.
 6026  */
 6027 static void
 6028 key_delete_xform(const struct xformsw *xsp)
 6029 {
 6030         struct secasvar_queue drainq;
 6031         struct secashead *sah;
 6032         struct secasvar *sav, *nextsav;
 6033 
 6034         TAILQ_INIT(&drainq);
 6035         SAHTREE_WLOCK();
 6036         TAILQ_FOREACH(sah, &V_sahtree, chain) {
 6037                 sav = TAILQ_FIRST(&sah->savtree_alive);
 6038                 if (sav == NULL)
 6039                         continue;
 6040                 if (sav->tdb_xform != xsp)
 6041                         continue;
 6042                 /*
 6043                  * It is supposed that all SAs in the chain are related to
 6044                  * one xform.
 6045                  */
 6046                 TAILQ_CONCAT(&drainq, &sah->savtree_alive, chain);
 6047         }
 6048         /* Unlink all queued SAs from SPI hash */
 6049         TAILQ_FOREACH(sav, &drainq, chain) {
 6050                 sav->state = SADB_SASTATE_DEAD;
 6051                 LIST_REMOVE(sav, spihash);
 6052         }
 6053         SAHTREE_WUNLOCK();
 6054 
 6055         /* Now we can release reference for all SAs in drainq */
 6056         sav = TAILQ_FIRST(&drainq);
 6057         while (sav != NULL) {
 6058                 KEYDBG(KEY_STAMP,
 6059                     printf("%s: SA(%p)\n", __func__, sav));
 6060                 KEYDBG(KEY_DATA, kdebug_secasv(sav));
 6061                 nextsav = TAILQ_NEXT(sav, chain);
 6062                 key_freesah(&sav->sah); /* release reference from SAV */
 6063                 key_freesav(&sav); /* release last reference */
 6064                 sav = nextsav;
 6065         }
 6066 }
 6067 
 6068 /*
 6069  * SADB_GET processing
 6070  * receive
 6071  *   <base, SA(*), address(SD)>
 6072  * from the ikmpd, and get a SP and a SA to respond,
 6073  * and send,
 6074  *   <base, SA, (lifetime(HSC),) address(SD), (address(P),) key(AE),
 6075  *       (identity(SD),) (sensitivity)>
 6076  * to the ikmpd.
 6077  *
 6078  * m will always be freed.
 6079  */
 6080 static int
 6081 key_get(struct socket *so, struct mbuf *m, const struct sadb_msghdr *mhp)
 6082 {
 6083         struct secasindex saidx;
 6084         struct sadb_address *src0, *dst0;
 6085         struct sadb_sa *sa0;
 6086         struct secasvar *sav;
 6087         uint8_t proto;
 6088 
 6089         IPSEC_ASSERT(so != NULL, ("null socket"));
 6090         IPSEC_ASSERT(m != NULL, ("null mbuf"));
 6091         IPSEC_ASSERT(mhp != NULL, ("null msghdr"));
 6092         IPSEC_ASSERT(mhp->msg != NULL, ("null msg"));
 6093 
 6094         /* map satype to proto */
 6095         if ((proto = key_satype2proto(mhp->msg->sadb_msg_satype)) == 0) {
 6096                 ipseclog((LOG_DEBUG, "%s: invalid satype is passed.\n",
 6097                         __func__));
 6098                 return key_senderror(so, m, EINVAL);
 6099         }
 6100 
 6101         if (SADB_CHECKHDR(mhp, SADB_EXT_SA) ||
 6102             SADB_CHECKHDR(mhp, SADB_EXT_ADDRESS_SRC) ||
 6103             SADB_CHECKHDR(mhp, SADB_EXT_ADDRESS_DST)) {
 6104                 ipseclog((LOG_DEBUG,
 6105                     "%s: invalid message: missing required header.\n",
 6106                     __func__));
 6107                 return key_senderror(so, m, EINVAL);
 6108         }
 6109         if (SADB_CHECKLEN(mhp, SADB_EXT_SA) ||
 6110             SADB_CHECKLEN(mhp, SADB_EXT_ADDRESS_SRC) ||
 6111             SADB_CHECKLEN(mhp, SADB_EXT_ADDRESS_DST)) {
 6112                 ipseclog((LOG_DEBUG,
 6113                     "%s: invalid message: wrong header size.\n", __func__));
 6114                 return key_senderror(so, m, EINVAL);
 6115         }
 6116 
 6117         sa0 = (struct sadb_sa *)mhp->ext[SADB_EXT_SA];
 6118         src0 = (struct sadb_address *)mhp->ext[SADB_EXT_ADDRESS_SRC];
 6119         dst0 = (struct sadb_address *)mhp->ext[SADB_EXT_ADDRESS_DST];
 6120 
 6121         if (key_checksockaddrs((struct sockaddr *)(src0 + 1),
 6122             (struct sockaddr *)(dst0 + 1)) != 0) {
 6123                 ipseclog((LOG_DEBUG, "%s: invalid sockaddr.\n", __func__));
 6124                 return key_senderror(so, m, EINVAL);
 6125         }
 6126         KEY_SETSECASIDX(proto, IPSEC_MODE_ANY, 0, src0 + 1, dst0 + 1, &saidx);
 6127 
 6128         if (proto == IPPROTO_TCP)
 6129                 sav = key_getsav_tcpmd5(&saidx, NULL);
 6130         else
 6131                 sav = key_getsavbyspi(sa0->sadb_sa_spi);
 6132         if (sav == NULL) {
 6133                 ipseclog((LOG_DEBUG, "%s: no SA found.\n", __func__));
 6134                 return key_senderror(so, m, ESRCH);
 6135         }
 6136         if (key_cmpsaidx(&sav->sah->saidx, &saidx, CMP_HEAD) == 0) {
 6137                 ipseclog((LOG_DEBUG, "%s: saidx mismatched for SPI %u.\n",
 6138                     __func__, ntohl(sa0->sadb_sa_spi)));
 6139                 key_freesav(&sav);
 6140                 return (key_senderror(so, m, ESRCH));
 6141         }
 6142 
 6143     {
 6144         struct mbuf *n;
 6145         uint8_t satype;
 6146 
 6147         /* map proto to satype */
 6148         if ((satype = key_proto2satype(sav->sah->saidx.proto)) == 0) {
 6149                 ipseclog((LOG_DEBUG, "%s: there was invalid proto in SAD.\n",
 6150                     __func__));
 6151                 key_freesav(&sav);
 6152                 return key_senderror(so, m, EINVAL);
 6153         }
 6154 
 6155         /* create new sadb_msg to reply. */
 6156         n = key_setdumpsa(sav, SADB_GET, satype, mhp->msg->sadb_msg_seq,
 6157             mhp->msg->sadb_msg_pid);
 6158 
 6159         key_freesav(&sav);
 6160         if (!n)
 6161                 return key_senderror</