Lines Matching refs:sav
102 void (*ipsec_accel_sa_newkey_p)(struct secasvar *sav);
103 void (*ipsec_accel_forget_sav_p)(struct secasvar *sav);
106 int (*ipsec_accel_sa_lifetime_op_p)(struct secasvar *sav,
110 bool (*ipsec_accel_is_accel_sav_p)(struct secasvar *sav);
111 struct mbuf *(*ipsec_accel_key_setaccelif_p)(struct secasvar *sav);
113 void (*ipsec_accel_drv_sa_lifetime_update_p)(struct secasvar *sav, if_t ifp,
115 int (*ipsec_accel_drv_sa_lifetime_fetch_p)(struct secasvar *sav, if_t ifp,
1025 struct secasvar *sav;
1045 sav = TAILQ_LAST(&sah->savtree_alive, secasvar_queue);
1047 sav = TAILQ_FIRST(&sah->savtree_alive);
1048 if (sav != NULL)
1049 SAV_ADDREF(sav);
1051 sav = NULL;
1054 if (sav != NULL) {
1056 printf("%s: return SA(%p)\n", __func__, sav));
1057 KEYDBG(IPSEC_DATA, kdebug_secasv(sav));
1063 return (sav);
1078 struct secasvar *sav;
1106 sav = TAILQ_LAST(&sah->savtree_alive, secasvar_queue);
1108 sav = TAILQ_FIRST(&sah->savtree_alive);
1109 if (sav != NULL)
1110 SAV_ADDREF(sav);
1112 sav = NULL;
1115 if (sav != NULL) {
1119 sav, sp));
1120 KEYDBG(IPSEC_DATA, kdebug_secasv(sav));
1121 return (sav); /* return referenced SA */
1140 * OUT: positive: pointer to a usable sav (i.e. MATURE or DYING state).
1155 struct secasvar *sav;
1162 LIST_FOREACH(sav, SAVHASH_HASH(spi), spihash) {
1163 if (sav->spi == spi)
1170 if (sav != NULL) {
1171 if (sav->state != SADB_SASTATE_LARVAL &&
1172 sav->sah->saidx.proto == proto &&
1174 &sav->sah->saidx.dst.sa, 0) == 0)
1175 SAV_ADDREF(sav);
1177 sav = NULL;
1181 if (sav == NULL) {
1189 printf("%s: return SA(%p)\n", __func__, sav));
1190 KEYDBG(IPSEC_DATA, kdebug_secasv(sav));
1192 return (sav);
1202 struct secasvar *sav;
1210 sav = NULL;
1223 sav = TAILQ_LAST(&sah->savtree_alive, secasvar_queue);
1225 sav = TAILQ_FIRST(&sah->savtree_alive);
1226 if (sav != NULL) {
1227 SAV_ADDREF(sav);
1233 printf("%s: return SA(%p)\n", __func__, sav));
1234 if (sav != NULL)
1235 KEYDBG(IPSEC_DATA, kdebug_secasv(sav));
1236 return (sav);
1421 struct secasvar *sav = *psav;
1423 IPSEC_ASSERT(sav != NULL, ("null sav"));
1425 if (SAV_DELREF(sav) == 0)
1429 printf("%s: last reference to SA(%p)\n", __func__, sav));
1432 key_delsav(sav);
1441 key_unlinksav(struct secasvar *sav)
1446 printf("%s: SA(%p)\n", __func__, sav));
1451 if (sav->state == SADB_SASTATE_DEAD) {
1457 if (sav->state == SADB_SASTATE_LARVAL)
1458 TAILQ_REMOVE(&sav->sah->savtree_larval, sav, chain);
1460 TAILQ_REMOVE(&sav->sah->savtree_alive, sav, chain);
1462 LIST_REMOVE(sav, spihash);
1463 sav->state = SADB_SASTATE_DEAD;
1464 ipsec_accel_forget_sav(sav);
1465 sah = sav->sah;
1467 key_freesav(&sav);
3038 struct secasvar *sav;
3046 sav = NULL;
3066 sav = malloc(sizeof(struct secasvar), M_IPSEC_SA, M_NOWAIT | M_ZERO);
3067 if (sav == NULL) {
3071 sav->lock = malloc_aligned(max(sizeof(struct rmlock),
3074 if (sav->lock == NULL) {
3078 rm_init(sav->lock, "ipsec association");
3079 sav->lft_c = uma_zalloc_pcpu(ipsec_key_lft_zone, M_NOWAIT | M_ZERO);
3080 if (sav->lft_c == NULL) {
3085 sav->spi = spi;
3086 sav->seq = mhp->msg->sadb_msg_seq;
3087 sav->state = SADB_SASTATE_LARVAL;
3088 sav->pid = (pid_t)mhp->msg->sadb_msg_pid;
3089 SAV_INITREF(sav);
3091 CK_LIST_INIT(&sav->accel_ifps);
3092 sav->accel_forget_tq = 0;
3093 sav->accel_lft_sw = uma_zalloc_pcpu(ipsec_key_lft_zone,
3095 if (sav->accel_lft_sw == NULL) {
3105 sav->accel_ifname = malloc(sizeof(xof->sadb_x_if_hw_offl_if),
3107 if (sav->accel_ifname == NULL) {
3111 strncpy(__DECONST(char *, sav->accel_ifname),
3131 sav->sah = sah;
3133 sav->created = time_second;
3134 } else if (sav->state == SADB_SASTATE_LARVAL) {
3139 *errp = key_setsaval(sav, mhp);
3142 sav->state = SADB_SASTATE_MATURE;
3179 if (sav->state == SADB_SASTATE_MATURE) {
3180 TAILQ_INSERT_HEAD(&sah->savtree_alive, sav, chain);
3181 ipsec_accel_sa_newkey(sav);
3183 TAILQ_INSERT_HEAD(&sah->savtree_larval, sav, chain);
3185 LIST_INSERT_HEAD(SAVHASH_HASH(sav->spi), sav, spihash);
3190 if (sav != NULL) {
3191 if (sav->lock != NULL) {
3192 rm_destroy(sav->lock);
3193 free(sav->lock, M_IPSEC_MISC);
3195 if (sav->lft_c != NULL)
3196 uma_zfree_pcpu(ipsec_key_lft_zone, sav->lft_c);
3198 if (sav->accel_lft_sw != NULL)
3200 sav->accel_lft_sw);
3201 free(__DECONST(char *, sav->accel_ifname),
3204 free(sav, M_IPSEC_SA), sav = NULL;
3214 return (sav);
3221 key_cleansav(struct secasvar *sav)
3224 if (sav->natt != NULL) {
3225 free(sav->natt, M_IPSEC_MISC);
3226 sav->natt = NULL;
3228 if (sav->flags & SADB_X_EXT_F_CLONED)
3230 if (sav->tdb_xform != NULL) {
3231 sav->tdb_xform->xf_cleanup(sav);
3232 sav->tdb_xform = NULL;
3234 if (sav->key_auth != NULL) {
3235 zfree(sav->key_auth->key_data, M_IPSEC_MISC);
3236 free(sav->key_auth, M_IPSEC_MISC);
3237 sav->key_auth = NULL;
3239 if (sav->key_enc != NULL) {
3240 zfree(sav->key_enc->key_data, M_IPSEC_MISC);
3241 free(sav->key_enc, M_IPSEC_MISC);
3242 sav->key_enc = NULL;
3244 if (sav->replay != NULL) {
3245 mtx_destroy(&sav->replay->lock);
3246 if (sav->replay->bitmap != NULL)
3247 free(sav->replay->bitmap, M_IPSEC_MISC);
3248 free(sav->replay, M_IPSEC_MISC);
3249 sav->replay = NULL;
3251 if (sav->lft_h != NULL) {
3252 free(sav->lft_h, M_IPSEC_MISC);
3253 sav->lft_h = NULL;
3255 if (sav->lft_s != NULL) {
3256 free(sav->lft_s, M_IPSEC_MISC);
3257 sav->lft_s = NULL;
3265 key_delsav(struct secasvar *sav)
3267 IPSEC_ASSERT(sav != NULL, ("null sav"));
3268 IPSEC_ASSERT(sav->state == SADB_SASTATE_DEAD,
3269 ("attempt to free non DEAD SA %p", sav));
3270 IPSEC_ASSERT(sav->refcnt == 0, ("reference count %u > 0",
3271 sav->refcnt));
3273 KASSERT(CK_LIST_EMPTY(&sav->accel_ifps),
3274 ("key_unlinksav: sav %p still offloaded", sav));
3282 key_cleansav(sav);
3283 if ((sav->flags & SADB_X_EXT_F_CLONED) == 0) {
3284 rm_destroy(sav->lock);
3285 free(sav->lock, M_IPSEC_MISC);
3286 uma_zfree_pcpu(ipsec_key_lft_zone, sav->lft_c);
3290 uma_zfree_pcpu(ipsec_key_lft_zone, sav->accel_lft_sw);
3291 free(__DECONST(char *, sav->accel_ifname), M_IPSEC_MISC);
3293 free(sav, M_IPSEC_SA);
3329 struct secasvar *sav;
3333 LIST_FOREACH(sav, SAVHASH_HASH(spi), spihash) {
3334 if (sav->spi == spi)
3338 return (sav != NULL);
3351 struct secasvar *sav;
3355 LIST_FOREACH(sav, SAVHASH_HASH(spi), spihash) {
3356 if (sav->spi != spi)
3358 SAV_ADDREF(sav);
3362 return (sav);
3366 key_updatelifetimes(struct secasvar *sav, const struct sadb_msghdr *mhp)
3377 if (sav->state == SADB_SASTATE_MATURE) {
3415 if (sav->state != SADB_SASTATE_LARVAL) {
3420 SECASVAR_WLOCK(sav);
3421 tmp = sav->lft_h;
3422 sav->lft_h = lft_h;
3425 tmp = sav->lft_s;
3426 sav->lft_s = lft_s;
3428 SECASVAR_WUNLOCK(sav);
3436 IPSEC_ASSERT(sav->lft_h == NULL, ("lft_h is already initialized\n"));
3437 IPSEC_ASSERT(sav->lft_s == NULL, ("lft_s is already initialized\n"));
3438 sav->lft_h = lft_h;
3439 sav->lft_s = lft_s;
3450 key_setsaval(struct secasvar *sav, const struct sadb_msghdr *mhp)
3460 IPSEC_ASSERT(sav->state == SADB_SASTATE_LARVAL,
3464 error = key_setident(sav->sah, mhp);
3475 sav->alg_auth = sa0->sadb_sa_auth;
3476 sav->alg_enc = sa0->sadb_sa_encrypt;
3477 sav->flags = sa0->sadb_sa_flags;
3478 if ((sav->flags & SADB_KEY_FLAGS_MAX) != sav->flags) {
3481 sav->flags));
3508 sav->replay = malloc(sizeof(struct secreplay), M_IPSEC_MISC,
3510 if (sav->replay == NULL) {
3517 mtx_init(&sav->replay->lock, "ipsec replay", NULL, MTX_DEF);
3533 sav->replay->bitmap = malloc(
3536 if (sav->replay->bitmap == NULL) {
3543 sav->replay->bitmap_size = bitmap_size;
3544 sav->replay->wsize = replay;
3562 sav->alg_auth != SADB_X_AALG_NULL)
3576 sav->key_auth = key_dup_keymsg(key0, len, M_IPSEC_MISC);
3577 if (sav->key_auth == NULL ) {
3598 sav->alg_enc != SADB_EALG_NULL) {
3602 sav->key_enc = key_dup_keymsg(key0, len, M_IPSEC_MISC);
3603 if (sav->key_enc == NULL) {
3614 sav->key_enc = NULL; /*just in case*/
3630 sav->ivlen = 0;
3633 if (sav->flags & SADB_X_EXT_DERIV) {
3639 if (sav->alg_enc != SADB_EALG_NONE) {
3645 error = xform_init(sav, XF_AH);
3648 if ((sav->flags & (SADB_X_EXT_OLD | SADB_X_EXT_DERIV)) ==
3655 error = xform_init(sav, XF_ESP);
3658 if (sav->alg_auth != SADB_AALG_NONE) {
3664 if ((sav->flags & SADB_X_EXT_RAWCPI) == 0 &&
3665 ntohl(sav->spi) >= 0x10000) {
3671 error = xform_init(sav, XF_IPCOMP);
3674 if (sav->alg_enc != SADB_EALG_NONE) {
3680 error = xform_init(sav, XF_TCPSIGNATURE);
3694 error = key_setnatt(sav, mhp);
3699 sav->firstused = 0;
3700 sav->created = time_second;
3703 error = key_updatelifetimes(sav, mhp);
3707 key_cleansav(sav);
3715 key_setdumpsa(struct secasvar *sav, uint8_t type, uint8_t satype,
3744 m = key_setsadbmsg(type, 0, satype, seq, pid, sav->refcnt);
3753 m = key_setsadbsa(sav);
3759 SECASVAR_RLOCK(sav);
3760 replay_count = sav->replay ? sav->replay->count : 0;
3761 SECASVAR_RUNLOCK(sav);
3762 m = key_setsadbxsa2(sav->sah->saidx.mode, replay_count,
3763 sav->sah->saidx.reqid);
3769 if (sav->replay == NULL ||
3770 sav->replay->wsize <= UINT8_MAX)
3773 m = key_setsadbxsareplay(sav->replay->wsize);
3780 &sav->sah->saidx.src.sa,
3788 &sav->sah->saidx.dst.sa,
3795 if (!sav->key_auth)
3797 m = key_setkey(sav->key_auth, SADB_EXT_KEY_AUTH);
3803 if (!sav->key_enc)
3805 m = key_setkey(sav->key_enc, SADB_EXT_KEY_ENCRYPT);
3811 lft_c.addtime = sav->created;
3813 sav->lft_c_allocations);
3814 lft_c.bytes = counter_u64_fetch(sav->lft_c_bytes);
3815 lft_c.usetime = sav->firstused;
3822 if (!sav->lft_h)
3824 m = key_setlifetime(sav->lft_h,
3831 if (!sav->lft_s)
3833 m = key_setlifetime(sav->lft_s,
3841 if (sav->natt == NULL)
3849 if (sav->natt == NULL)
3851 m = key_setsadbxport(sav->natt->dport,
3858 if (sav->natt == NULL)
3860 m = key_setsadbxport(sav->natt->sport,
3867 if (sav->natt == NULL ||
3868 (sav->natt->flags & IPSEC_NATT_F_OAI) == 0)
3871 &sav->natt->oai.sa, FULLMASK, IPSEC_ULPROTO_ANY);
3876 if (sav->natt == NULL ||
3877 (sav->natt->flags & IPSEC_NATT_F_OAR) == 0)
3880 &sav->natt->oar.sa, FULLMASK, IPSEC_ULPROTO_ANY);
3889 if (!ipsec_accel_is_accel_sav(sav))
3891 SAV_ADDREF(sav);
3892 error = ipsec_accel_sa_lifetime_op(sav, &lft_c,
3901 key_freesav(&sav);
3902 if (sav == NULL) {
3908 if (!ipsec_accel_is_accel_sav(sav))
3911 lft_c.bytes = sav->accel_hw_octets;
3912 lft_c.allocations = sav->accel_hw_allocs;
3918 if (!ipsec_accel_is_accel_sav(sav))
3920 m = ipsec_accel_key_setaccelif(sav);
4004 key_setsadbsa(struct secasvar *sav)
4020 p->sadb_sa_spi = sav->spi;
4021 p->sadb_sa_replay = sav->replay ?
4022 (sav->replay->wsize > UINT8_MAX ? UINT8_MAX :
4023 sav->replay->wsize): 0;
4024 p->sadb_sa_state = sav->state;
4025 p->sadb_sa_auth = sav->alg_auth;
4026 p->sadb_sa_encrypt = sav->alg_enc;
4027 p->sadb_sa_flags = sav->flags & SADB_KEY_FLAGS_MAX;
4700 struct secasvar *sav, *nextsav;
4719 TAILQ_FOREACH(sav, &sah->savtree_larval, chain) {
4720 if (now - sav->created < V_key_larval_lifetime)
4722 SAV_ADDREF(sav);
4723 LIST_INSERT_HEAD(&drainq, sav, drainq);
4725 TAILQ_FOREACH(sav, &sah->savtree_alive, chain) {
4727 if (sav->lft_h == NULL)
4729 SECASVAR_RLOCK(sav);
4734 if (sav->lft_h == NULL) {
4735 SECASVAR_RUNLOCK(sav);
4746 if ((sav->lft_h->addtime != 0 &&
4747 now - sav->created > sav->lft_h->addtime) ||
4748 (sav->lft_h->usetime != 0 && sav->firstused &&
4749 now - sav->firstused > sav->lft_h->usetime) ||
4750 (sav->lft_h->bytes != 0 && counter_u64_fetch(
4751 sav->lft_c_bytes) > sav->lft_h->bytes)) {
4752 SECASVAR_RUNLOCK(sav);
4753 SAV_ADDREF(sav);
4754 LIST_INSERT_HEAD(&hexpireq, sav, drainq);
4758 if (sav->state == SADB_SASTATE_MATURE && (
4759 (sav->lft_s->addtime != 0 &&
4760 now - sav->created > sav->lft_s->addtime) ||
4761 (sav->lft_s->usetime != 0 && sav->firstused &&
4762 now - sav->firstused > sav->lft_s->usetime) ||
4763 (sav->lft_s->bytes != 0 && counter_u64_fetch(
4764 sav->lft_c_bytes) > sav->lft_s->bytes) ||
4765 (!(sav->flags & SADB_X_SAFLAGS_ESN) &&
4766 (sav->replay != NULL) && (
4767 (sav->replay->count > UINT32_80PCT) ||
4768 (sav->replay->last > UINT32_80PCT))))) {
4769 SECASVAR_RUNLOCK(sav);
4770 SAV_ADDREF(sav);
4771 LIST_INSERT_HEAD(&sexpireq, sav, drainq);
4774 SECASVAR_RUNLOCK(sav);
4786 sav = LIST_FIRST(&drainq);
4787 while (sav != NULL) {
4788 nextsav = LIST_NEXT(sav, drainq);
4790 if (sav->state != SADB_SASTATE_LARVAL) {
4791 LIST_REMOVE(sav, drainq);
4792 LIST_INSERT_HEAD(&freeq, sav, drainq);
4793 sav = nextsav;
4796 TAILQ_REMOVE(&sav->sah->savtree_larval, sav, chain);
4797 LIST_REMOVE(sav, spihash);
4798 sav->state = SADB_SASTATE_DEAD;
4799 ipsec_accel_forget_sav(sav);
4800 sav = nextsav;
4803 sav = LIST_FIRST(&hexpireq);
4804 while (sav != NULL) {
4805 nextsav = LIST_NEXT(sav, drainq);
4807 if (sav->state == SADB_SASTATE_DEAD) {
4808 LIST_REMOVE(sav, drainq);
4809 LIST_INSERT_HEAD(&freeq, sav, drainq);
4810 sav = nextsav;
4813 TAILQ_REMOVE(&sav->sah->savtree_alive, sav, chain);
4814 LIST_REMOVE(sav, spihash);
4815 sav->state = SADB_SASTATE_DEAD;
4816 ipsec_accel_forget_sav(sav);
4817 sav = nextsav;
4820 sav = LIST_FIRST(&sexpireq);
4821 while (sav != NULL) {
4822 nextsav = LIST_NEXT(sav, drainq);
4824 if (sav->state == SADB_SASTATE_DEAD) {
4825 LIST_REMOVE(sav, drainq);
4826 LIST_INSERT_HEAD(&freeq, sav, drainq);
4827 sav = nextsav;
4833 sav->state = SADB_SASTATE_DYING;
4834 sav = nextsav;
4857 sav = LIST_FIRST(&hexpireq);
4858 while (sav != NULL) {
4859 nextsav = LIST_NEXT(sav, drainq);
4860 key_expire(sav, 1);
4861 key_freesah(&sav->sah); /* release reference from SAV */
4862 key_freesav(&sav); /* release extra reference */
4863 key_freesav(&sav); /* release last reference */
4864 sav = nextsav;
4866 sav = LIST_FIRST(&sexpireq);
4867 while (sav != NULL) {
4868 nextsav = LIST_NEXT(sav, drainq);
4869 key_expire(sav, 0);
4870 key_freesav(&sav); /* release extra reference */
4871 sav = nextsav;
4874 sav = LIST_FIRST(&drainq);
4875 while (sav != NULL) {
4876 nextsav = LIST_NEXT(sav, drainq);
4877 key_freesah(&sav->sah); /* release reference from SAV */
4878 key_freesav(&sav); /* release extra reference */
4879 key_freesav(&sav); /* release last reference */
4880 sav = nextsav;
4883 sav = LIST_FIRST(&freeq);
4884 while (sav != NULL) {
4885 nextsav = LIST_NEXT(sav, drainq);
4886 key_freesav(&sav); /* release extra reference */
4887 sav = nextsav;
5043 struct secasvar *sav;
5125 sav = key_newsav(mhp, &saidx, spi, &error);
5127 if (sav == NULL)
5130 if (sav->seq != 0) {
5147 key_acqdone(&saidx, sav->seq);
5150 printf("%s: SA(%p)\n", __func__, sav));
5151 KEYDBG(KEY_DATA, kdebug_secasv(sav));
5204 newmsg->sadb_msg_seq = sav->seq;
5295 struct secasvar *sav;
5308 sav = TAILQ_LAST(&sah->savtree_alive, secasvar_queue);
5310 sav = TAILQ_FIRST(&sah->savtree_alive);
5311 if (sav != NULL) {
5312 SAV_ADDREF(sav);
5314 return (sav);
5323 LIST_FOREACH(sav, SAVHASH_HASH(*spi), spihash) {
5324 if (sav->spi == *spi)
5327 if (sav == NULL) {
5340 const struct sadb_msghdr *mhp, struct secasvar *sav,
5390 if (sav->sah->saidx.proto != IPPROTO_ESP ||
5400 sah = sav->sah;
5414 bcopy(sav, newsav, offsetof(struct secasvar, chain));
5424 if (sav->accel_ifname != NULL) {
5433 strncpy(__DECONST(char *, sav->accel_ifname),
5453 if (sav->state == SADB_SASTATE_DEAD) {
5461 IPSEC_ASSERT((sav->flags & SADB_X_EXT_F_CLONED) == 0,
5463 IPSEC_ASSERT(sav->state == SADB_SASTATE_MATURE ||
5464 sav->state == SADB_SASTATE_DYING,
5465 ("Wrong SA state %u\n", sav->state));
5466 TAILQ_REMOVE(&sav->sah->savtree_alive, sav, chain);
5467 LIST_REMOVE(sav, spihash);
5468 sav->state = SADB_SASTATE_DEAD;
5469 ipsec_accel_forget_sav(sav);
5496 * isnew == 0 -> we use the same @sah, that was used by @sav,
5499 SECASVAR_WLOCK(sav);
5501 newsav->cntr = sav->cntr;
5502 sav->flags |= SADB_X_EXT_F_CLONED;
5503 SECASVAR_WUNLOCK(sav);
5509 __func__, sav, newsav));
5512 key_freesav(&sav); /* release last reference */
5557 struct secasvar *sav;
5630 sav = key_getsavbyspi(sa0->sadb_sa_spi);
5631 if (sav == NULL) {
5640 if (sav->pid != mhp->msg->sadb_msg_pid) {
5643 ntohl(sav->spi), sav->pid, mhp->msg->sadb_msg_pid));
5644 key_freesav(&sav);
5648 if (key_cmpsaidx(&sav->sah->saidx, &saidx, CMP_MODE_REQID) == 0) {
5650 __func__, ntohl(sav->spi)));
5651 key_freesav(&sav);
5655 if (sav->state == SADB_SASTATE_LARVAL) {
5663 key_freesav(&sav);
5669 error = key_setsaval(sav, mhp);
5671 key_freesav(&sav);
5676 if (sav->state != SADB_SASTATE_LARVAL) {
5679 key_freesav(&sav);
5688 TAILQ_REMOVE(&sav->sah->savtree_larval, sav, chain);
5689 TAILQ_INSERT_HEAD(&sav->sah->savtree_alive, sav, chain);
5690 sav->state = SADB_SASTATE_MATURE;
5700 key_freesav(&sav);
5703 error = key_updatelifetimes(sav, mhp);
5705 key_freesav(&sav);
5719 sav->natt != NULL) {
5720 error = key_updateaddresses(so, m, mhp, sav, &saidx);
5721 key_freesav(&sav);
5728 if (sav->state == SADB_SASTATE_DEAD) {
5731 key_freesav(&sav);
5739 sav->state = SADB_SASTATE_MATURE;
5743 printf("%s: SA(%p)\n", __func__, sav));
5744 KEYDBG(KEY_DATA, kdebug_secasv(sav));
5745 ipsec_accel_sa_newkey(sav);
5746 key_freesav(&sav);
5784 struct secasvar *sav;
5871 sav = key_getsav_tcpmd5(&saidx, &spi);
5872 if (sav == NULL && spi == 0) {
5882 sav = key_getsavbyspi(spi);
5884 if (sav != NULL) {
5886 key_freesav(&sav);
5891 sav = key_newsav(mhp, &saidx, spi, &error);
5893 if (sav == NULL)
5896 printf("%s: return SA(%p)\n", __func__, sav));
5897 KEYDBG(KEY_DATA, kdebug_secasv(sav));
5898 ipsec_accel_sa_newkey(sav);
5903 if (sav->seq != 0)
5904 key_acqdone(&saidx, sav->seq);
5950 key_setnatt(struct secasvar *sav, const struct sadb_msghdr *mhp)
5960 IPSEC_ASSERT(sav->natt == NULL, ("natt is already initialized"));
5964 if (sav->sah->saidx.proto != IPPROTO_ESP)
5991 sav->natt = malloc(sizeof(struct secnatt), M_IPSEC_MISC,
5993 if (sav->natt == NULL) {
6004 sav->natt->sport = port->sadb_x_nat_t_port_port;
6011 sav->natt->dport = port->sadb_x_nat_t_port_port;
6042 if (sav->sah->saidx.mode != IPSEC_MODE_TUNNEL) {
6057 sav->sah->saidx.src.sin.sin_addr.s_addr) {
6058 bcopy(sa, &sav->natt->oai.sa, sa->sa_len);
6059 sav->natt->flags |= IPSEC_NATT_F_OAI;
6061 addr = sav->sah->saidx.src.sin.sin_addr.s_addr;
6064 addr = sav->natt->oai.sin.sin_addr.s_addr;
6080 &sav->sah->saidx.src.sin6.sin6_addr.s6_addr,
6082 bcopy(sa, &sav->natt->oai.sa, sa->sa_len);
6083 sav->natt->flags |= IPSEC_NATT_F_OAI;
6087 ~sav->sah->saidx.src.sin6.sin6_addr.s6_addr16[i]);
6089 sav->natt->oai.sin6.sin6_addr.s6_addr16[i]);
6114 sav->sah->saidx.dst.sin.sin_addr.s_addr) {
6115 bcopy(sa, &sav->natt->oar.sa, sa->sa_len);
6116 sav->natt->flags |= IPSEC_NATT_F_OAR;
6118 addr = sav->sah->saidx.dst.sin.sin_addr.s_addr;
6121 addr = sav->natt->oar.sin.sin_addr.s_addr;
6137 &sav->sah->saidx.dst.sin6.sin6_addr.s6_addr, 16) != 0) {
6138 bcopy(sa, &sav->natt->oar.sa, sa->sa_len);
6139 sav->natt->flags |= IPSEC_NATT_F_OAR;
6143 ~sav->sah->saidx.dst.sin6.sin6_addr.s6_addr16[i]);
6145 sav->natt->oar.sin6.sin6_addr.s6_addr16[i]);
6157 sav->natt->cksum = cksum;
6284 struct secasvar *sav;
6336 sav = key_getsav_tcpmd5(&saidx, NULL);
6338 sav = key_getsavbyspi(sa0->sadb_sa_spi);
6340 if (sav == NULL) {
6345 if (key_cmpsaidx(&sav->sah->saidx, &saidx, CMP_HEAD) == 0) {
6347 __func__, ntohl(sav->spi)));
6348 key_freesav(&sav);
6352 printf("%s: SA(%p)\n", __func__, sav));
6353 KEYDBG(KEY_DATA, kdebug_secasv(sav));
6354 key_unlinksav(sav);
6355 key_freesav(&sav);
6390 struct secasvar *sav, *nextsav;
6401 TAILQ_FOREACH(sav, &drainq, chain) {
6402 sav->state = SADB_SASTATE_DEAD;
6403 ipsec_accel_forget_sav(sav);
6404 LIST_REMOVE(sav, spihash);
6408 sav = TAILQ_FIRST(&drainq);
6409 while (sav != NULL) {
6411 printf("%s: SA(%p)\n", __func__, sav));
6412 KEYDBG(KEY_DATA, kdebug_secasv(sav));
6413 nextsav = TAILQ_NEXT(sav, chain);
6414 key_freesah(&sav->sah); /* release reference from SAV */
6415 key_freesav(&sav); /* release last reference */
6416 sav = nextsav;
6453 struct secasvar *sav, *nextsav;
6458 sav = TAILQ_FIRST(&sah->savtree_alive);
6459 if (sav == NULL)
6461 if (sav->tdb_xform != xsp)
6470 TAILQ_FOREACH(sav, &drainq, chain) {
6471 sav->state = SADB_SASTATE_DEAD;
6472 ipsec_accel_forget_sav(sav);
6473 LIST_REMOVE(sav, spihash);
6478 sav = TAILQ_FIRST(&drainq);
6479 while (sav != NULL) {
6481 printf("%s: SA(%p)\n", __func__, sav));
6482 KEYDBG(KEY_DATA, kdebug_secasv(sav));
6483 nextsav = TAILQ_NEXT(sav, chain);
6484 key_freesah(&sav->sah); /* release reference from SAV */
6485 key_freesav(&sav); /* release last reference */
6486 sav = nextsav;
6508 struct secasvar *sav;
6552 sav = key_getsav_tcpmd5(&saidx, NULL);
6554 sav = key_getsavbyspi(sa0->sadb_sa_spi);
6556 if (sav == NULL) {
6560 if (key_cmpsaidx(&sav->sah->saidx, &saidx, CMP_HEAD) == 0) {
6563 key_freesav(&sav);
6572 if ((satype = key_proto2satype(sav->sah->saidx.proto)) == 0) {
6575 key_freesav(&sav);
6580 n = key_setdumpsa(sav, SADB_GET, satype, mhp->msg->sadb_msg_seq,
6583 key_freesav(&sav);
7587 key_expire(struct secasvar *sav, int hard)
7597 IPSEC_ASSERT (sav != NULL, ("null sav"));
7598 IPSEC_ASSERT (sav->sah != NULL, ("null sa header"));
7602 sav, hard ? "hard": "soft"));
7603 KEYDBG(KEY_DATA, kdebug_secasv(sav));
7605 satype = key_proto2satype(sav->sah->saidx.proto);
7607 m = key_setsadbmsg(SADB_EXPIRE, 0, satype, sav->seq, 0, sav->refcnt);
7615 m = key_setsadbsa(sav);
7623 SECASVAR_RLOCK(sav);
7624 replay_count = sav->replay ? sav->replay->count : 0;
7625 SECASVAR_RUNLOCK(sav);
7627 m = key_setsadbxsa2(sav->sah->saidx.mode, replay_count,
7628 sav->sah->saidx.reqid);
7635 if (sav->replay && sav->replay->wsize > UINT8_MAX) {
7636 m = key_setsadbxsareplay(sav->replay->wsize);
7658 (uint32_t)counter_u64_fetch(sav->lft_c_allocations);
7660 counter_u64_fetch(sav->lft_c_bytes);
7661 lt->sadb_lifetime_addtime = sav->created;
7662 lt->sadb_lifetime_usetime = sav->firstused;
7667 lt->sadb_lifetime_allocations = sav->lft_h->allocations;
7668 lt->sadb_lifetime_bytes = sav->lft_h->bytes;
7669 lt->sadb_lifetime_addtime = sav->lft_h->addtime;
7670 lt->sadb_lifetime_usetime = sav->lft_h->usetime;
7673 lt->sadb_lifetime_allocations = sav->lft_s->allocations;
7674 lt->sadb_lifetime_bytes = sav->lft_s->bytes;
7675 lt->sadb_lifetime_addtime = sav->lft_s->addtime;
7676 lt->sadb_lifetime_usetime = sav->lft_s->usetime;
7682 &sav->sah->saidx.src.sa,
7692 &sav->sah->saidx.dst.sa,
7738 struct secasvar *sav, *nextsav;
7742 sav = TAILQ_FIRST(&sah->savtree_larval);
7743 while (sav != NULL) {
7744 nextsav = TAILQ_NEXT(sav, chain);
7745 TAILQ_REMOVE(&sah->savtree_larval, sav, chain);
7746 key_freesav(&sav); /* release last reference */
7748 sav = nextsav;
7750 sav = TAILQ_FIRST(&sah->savtree_alive);
7751 while (sav != NULL) {
7752 nextsav = TAILQ_NEXT(sav, chain);
7753 TAILQ_REMOVE(&sah->savtree_alive, sav, chain);
7754 key_freesav(&sav); /* release last reference */
7756 sav = nextsav;
7782 struct secasvar *sav;
7821 TAILQ_FOREACH(sav, &sah->savtree_larval, chain) {
7822 sav->state = SADB_SASTATE_DEAD;
7823 ipsec_accel_forget_sav(sav);
7825 TAILQ_FOREACH(sav, &sah->savtree_alive, chain) {
7826 sav->state = SADB_SASTATE_DEAD;
7827 ipsec_accel_forget_sav(sav);
7846 TAILQ_FOREACH(sav, &sah->savtree_larval, chain) {
7847 LIST_REMOVE(sav, spihash);
7848 sav->state = SADB_SASTATE_DEAD;
7849 ipsec_accel_forget_sav(sav);
7851 TAILQ_FOREACH(sav, &sah->savtree_alive, chain) {
7852 LIST_REMOVE(sav, spihash);
7853 sav->state = SADB_SASTATE_DEAD;
7854 ipsec_accel_forget_sav(sav);
7899 struct secasvar *sav;
7916 /* count sav entries to be sent to the userland. */
7925 TAILQ_FOREACH(sav, &sah->savtree_larval, chain)
7927 TAILQ_FOREACH(sav, &sah->savtree_alive, chain)
7951 TAILQ_FOREACH(sav, &sah->savtree_larval, chain) {
7952 n = key_setdumpsa(sav, SADB_DUMP, satype,
7961 TAILQ_FOREACH(sav, &sah->savtree_alive, chain) {
7962 n = key_setdumpsa(sav, SADB_DUMP, satype,
8670 struct secasvar *sav;
8705 TAILQ_FOREACH(sav, &sah->savtree_larval, chain) {
8706 sav->state = SADB_SASTATE_DEAD;
8707 ipsec_accel_forget_sav(sav);
8709 TAILQ_FOREACH(sav, &sah->savtree_alive, chain) {
8710 sav->state = SADB_SASTATE_DEAD;
8711 ipsec_accel_forget_sav(sav);
8790 key_sa_recordxfer(struct secasvar *sav, struct mbuf *m)
8792 IPSEC_ASSERT(sav != NULL, ("Null secasvar"));
8799 counter_u64_add(sav->lft_c_bytes, m->m_pkthdr.len);
8806 counter_u64_add(sav->lft_c_allocations, 1);
8819 if (sav->firstused == 0)
8820 sav->firstused = time_second;
8988 ipsec_accel_drv_sa_lifetime_update(struct secasvar *sav, if_t ifp,
8991 void (*p)(struct secasvar *sav, if_t ifp, u_int drv_spi,
8996 p(sav, ifp, drv_spi, octets, allocs);
9000 ipsec_accel_drv_sa_lifetime_fetch(struct secasvar *sav,
9003 int (*p)(struct secasvar *sav, if_t ifp, u_int drv_spi,
9009 return (p(sav, ifp, drv_spi, octets, allocs));