Lines Matching defs:env
227 struct iked *env = iked_env;
229 ibuf_free(env->sc_certreq);
230 env->sc_certreq = NULL;
231 config_doreset(env, RESET_ALL);
237 struct iked *env = iked_env;
243 return (config_getreset(env, imsg));
246 return (config_getcoupled(env, imsg->hdr.type));
249 if (config_getmode(env, imsg->hdr.type) == -1)
251 config_enablesocket(env);
252 timer_del(env, &env->sc_inittmr);
253 TAILQ_FOREACH(pol, &env->sc_policies, pol_entry) {
258 RB_FOREACH_SAFE(sa, iked_sas, &env->sc_sas, satmp) {
260 sa_state(env, sa, IKEV2_STATE_CLOSING);
262 sa_free(env, sa);
267 if (policy_lookup_sa(env, sa) == -1) {
271 ikev2_ikesa_delete(env, sa, sa->sa_hdr.sh_initiator);
276 policy_unref(env, old);
277 policy_ref(env, sa->sa_policy);
281 if (!env->sc_passive) {
282 timer_set(env, &env->sc_inittmr, ikev2_init_ike_sa,
284 timer_add(env, &env->sc_inittmr,
287 iked_radius_acct_on(env);
290 return (config_getsocket(env, imsg, ikev2_msg_cb));
292 return (config_getpfkey(env, imsg));
294 return (config_getpolicy(env, imsg));
296 return (config_getflow(env, imsg));
298 return (config_getuser(env, imsg));
300 return (config_getradauth(env, imsg));
302 return (config_getradacct(env, imsg));
304 return (config_getradserver(env, imsg));
306 return (config_getradcfgmap(env, imsg));
308 return (config_getraddae(env, imsg));
310 return (config_getradclient(env, imsg));
312 return (config_getcompile(env));
314 return (config_getstatic(env, imsg));
325 struct iked *env = iked_env;
343 ibuf_free(env->sc_certreq);
344 env->sc_certreqtype = type;
345 env->sc_certreq = ibuf_new(ptr,
350 ibuf_length(env->sc_certreq));
356 if ((sa = ikev2_getimsgdata(env, imsg,
378 if (sa->sa_peerauth.id_type && ikev2_auth_verify(env, sa))
384 if (ikev2_ike_auth(env, sa) != 0)
389 ikev2_send_auth_failed(env, sa);
393 if ((sa = ikev2_getimsgdata(env, imsg,
432 if (ikev2_ike_auth(env, sa) != 0)
436 if ((sa = ikev2_getimsgdata(env, imsg,
481 if ((sa = ikev2_getimsgdata(env, imsg,
512 if (ikev2_ike_auth(env, sa) != 0)
525 struct iked *env = iked_env;
529 ikev2_ctl_reset_id(env, imsg, imsg->hdr.type);
532 ikev2_ctl_show_sa(env, imsg);
535 ikev2_ctl_show_stats(env, imsg);
546 ikev2_ike_sa_delete(struct iked *env, struct iked_sa *sa)
552 ikev2_disable_timer(env, sa);
554 ikev2_ikesa_delete(env, sa, 1);
555 timer_add(env, &sa->sa_timer, 0);
560 ikev2_ctl_reset_id(struct iked *env, struct imsg *imsg, unsigned int type)
570 RB_FOREACH(sa, iked_sas, &env->sc_sas) {
578 ikev2_disable_timer(env, sa);
584 ikev2_ikesa_delete(env, sa, 1);
586 timer_add(env, &sa->sa_timer, 3 * IKED_RETRANSMIT_TIMEOUT);
592 ikev2_ctl_show_sa(struct iked *env, struct imsg *imsg)
594 ikev2_info(env, imsg, 0);
598 ikev2_ctl_show_stats(struct iked *env, struct imsg *imsg)
600 proc_compose_imsg(&env->sc_ps, PROC_CONTROL, -1,
602 &env->sc_stats, sizeof(env->sc_stats));
606 ikev2_getimsgdata(struct iked *env, struct imsg *imsg, struct iked_sahdr *sh,
626 sa = sa_lookup(env, sh->sh_ispi, sh->sh_rspi, sh->sh_initiator);
654 ikev2_recv(struct iked *env, struct iked_message *msg)
668 ikestat_inc(env, ikes_msg_rcvd);
673 msg->msg_sa = sa_lookup(env,
677 if (policy_lookup(env, msg, NULL, NULL, 0) != 0) {
679 ikestat_inc(env, ikes_msg_rcvd_dropped);
711 ikestat_inc(env, ikes_msg_rcvd_dropped);
717 ikestat_inc(env, ikes_msg_rcvd_dropped);
720 mr = ikev2_msg_lookup(env, &sa->sa_requests, msg,
724 ikestat_inc(env, ikes_msg_rcvd_dropped);
729 ikestat_inc(env, ikes_msg_rcvd_dropped);
742 ikev2_msg_dispose(env, &sa->sa_requests, mr);
758 sa_free(env, sa);
763 ikestat_inc(env, ikes_msg_rcvd_dropped);
772 if ((r = ikev2_msg_retransmit_response(env, sa, msg, hdr))
779 sa_free(env, sa);
787 ikestat_inc(env, ikes_msg_rcvd_busy);
797 ikestat_inc(env, ikes_msg_rcvd_dropped);
808 ikev2_init_recv(env, msg, hdr);
810 ikev2_resp_recv(env, msg, hdr);
821 ikev2_msg_prevail(env, &sa->sa_responses, msg);
827 sa_free(env, sa);
869 ikev2_auth_verify(struct iked *env, struct iked_sa *sa)
901 ikev2_send_auth_failed(env, sa);
907 if ((authmsg = ikev2_msg_auth(env, sa,
911 ikev2_send_auth_failed(env, sa);
916 ret = ikev2_msg_authverify(env, sa, &ikeauth,
924 ikev2_send_auth_failed(env, sa);
929 if ((authmsg = ikev2_msg_auth(env, sa,
938 ret = ikev2_msg_authsign(env, sa, &ikeauth, authmsg);
941 ikev2_send_auth_failed(env, sa);
949 sa_state(env, sa, IKEV2_STATE_EAP_SUCCESS);
957 ikev2_ike_auth_recv(struct iked *env, struct iked_sa *sa,
971 sa_state(env, sa, IKEV2_STATE_AUTH_REQUEST);
976 sa_state(env, sa, IKEV2_STATE_EAP);
988 if (policy_lookup(env, msg, &sa->sa_proposals, NULL, 0) != 0 ||
992 ikev2_send_auth_failed(env, sa);
994 policy_unref(env, old);
1000 policy_unref(env, old);
1003 if (sa_new(env, sa->sa_hdr.sh_ispi,
1007 ikev2_send_auth_failed(env, sa);
1014 if (ikev2_handle_certreq(env, msg) != 0)
1021 if (policy_lookup(env, msg, &sa->sa_proposals, &old->pol_flows,
1030 ikev2_send_auth_failed(env, sa);
1032 policy_unref(env, old);
1048 ikev2_send_auth_failed(env, sa);
1057 if ((authmsg = ikev2_msg_auth(env, sa,
1064 ca_setauth(env, sa, authmsg, PROC_CERT);
1099 ikestat_inc(env, ikes_sa_proposals_negotiate_failures);
1130 ikev2_auth_verify(env, sa);
1139 if (ca_setcert(env, &sa->sa_hdr, id, certtype, cert, certlen, PROC_CERT) == -1)
1155 return ikev2_ike_auth(env, sa);
1159 ikev2_ike_auth(struct iked *env, struct iked_sa *sa)
1163 sa_state(env, sa, IKEV2_STATE_EAP_VALID);
1165 sa_state(env, sa, IKEV2_STATE_VALID);
1169 return (ikev2_init_done(env, sa));
1174 return (ikev2_init_ike_auth(env, sa));
1176 return (ikev2_resp_ike_auth(env, sa));
1180 ikev2_init_recv(struct iked *env, struct iked_message *msg,
1186 if (ikev2_msg_valid_ike_sa(env, hdr, msg) == -1) {
1195 if ((sa = sa_new(env,
1201 sa_free(env, sa);
1216 if (ikev2_pld_parse(env, hdr, msg, msg->msg_offset) != 0) {
1227 if (ikev2_handle_notifies(env, msg) != 0)
1231 ikev2_enable_natt(env, sa, msg, 1);
1237 if (ikev2_init_ike_sa_peer(env, pol,
1248 sa_state(env, sa, IKEV2_STATE_CLOSED);
1252 if (ikev2_handle_certreq(env, msg) != 0)
1255 if (ikev2_init_auth(env, msg) != 0) {
1258 sa_state(env, sa, IKEV2_STATE_CLOSED);
1272 sa_state(env, sa, IKEV2_STATE_CLOSED);
1280 sa_state(env, sa, IKEV2_STATE_CLOSED);
1285 (void)ikev2_ike_auth_recv(env, sa, msg);
1292 sa_state(env, sa, IKEV2_STATE_CLOSED);
1296 (void)ikev2_init_create_child_sa(env, msg);
1309 ikev2_enable_natt(struct iked *env, struct iked_sa *sa,
1315 sock = ikev2_msg_getsocket(env, sa->sa_local.addr_af, 1);
1342 ikev2_init_ike_sa(struct iked *env, void *arg)
1346 TAILQ_FOREACH(pol, &env->sc_policies, pol_entry) {
1357 if (ikev2_init_ike_sa_peer(env, pol, &pol->pol_peer, NULL))
1362 timer_set(env, &env->sc_inittmr, ikev2_init_ike_sa, NULL);
1363 timer_add(env, &env->sc_inittmr, IKED_INITIATOR_INTERVAL);
1367 ikev2_init_ike_sa_timeout(struct iked *env, void *arg)
1376 sa_free(env, sa);
1380 ikev2_init_ike_sa_peer(struct iked *env, struct iked_policy *pol,
1397 if ((sock = ikev2_msg_getsocket(env, peer->addr_af, 0)) == NULL)
1403 sa_state(env, sa, IKEV2_STATE_INIT);
1408 (sa = sa_new(env, 0, 0, 1, pol)) == NULL)
1420 if (ikev2_sa_initiator(env, sa, NULL, NULL) == -1)
1429 if ((buf = ikev2_msg_init(env, &req, &peer->addr, peer->addr.ss_len,
1441 req.msg_msgid = ikev2_msg_id(env, sa);
1473 if ((len = ikev2_add_proposals(env, sa, buf, &pol->pol_proposals,
1504 if (env->sc_vendorid != 0) {
1513 if (env->sc_frag) {
1519 if (env->sc_nattmode != NATT_DISABLE) {
1520 if (ntohs(port) == env->sc_nattport) {
1525 if ((len = ikev2_add_nat_detection(env, buf, &pld, &req, len))
1539 (void)ikev2_pld_parse(env, hdr, &req, 0);
1547 if ((ret = ikev2_msg_send(env, &req)) == 0)
1548 sa_state(env, sa, IKEV2_STATE_SA_INIT);
1551 timer_set(env, &sa->sa_timer, ikev2_init_ike_sa_timeout, sa);
1552 timer_add(env, &sa->sa_timer, IKED_IKE_SA_EXCHANGE_TIMEOUT);
1555 ikev2_msg_cleanup(env, &req);
1560 sa_free(env, sa);
1568 ikev2_init_auth(struct iked *env, struct iked_message *msg)
1576 if (ikev2_sa_initiator(env, sa, NULL, msg) == -1) {
1581 if ((authmsg = ikev2_msg_auth(env, sa,
1587 if (ca_setauth(env, sa, authmsg, PROC_CERT) == -1) {
1594 return (ikev2_init_ike_auth(env, sa));
1598 ikev2_init_ike_auth(struct iked *env, struct iked_sa *sa)
1682 len, env->sc_certreq, env->sc_certreqtype)) == -1)
1685 if (env->sc_certreqtype != pol->pol_certreqtype &&
1710 if ((len = ikev2_init_add_cp(env, sa, e)) == -1)
1715 (len = ikev2_add_ipcompnotify(env, e, &pld, len, sa, 1)) == -1)
1718 (len = ikev2_add_transport_mode(env, e, &pld, len, sa)) == -1)
1727 if ((len = ikev2_add_proposals(env, sa, e, &pol->pol_proposals, 0,
1737 ret = ikev2_msg_send_encrypt(env, sa, &e,
1747 ikev2_enable_timer(struct iked *env, struct iked_sa *sa)
1750 timer_set(env, &sa->sa_timer, ikev2_ike_sa_alive, sa);
1751 if (env->sc_alive_timeout > 0)
1752 timer_add(env, &sa->sa_timer, env->sc_alive_timeout);
1753 timer_set(env, &sa->sa_keepalive, ikev2_ike_sa_keepalive, sa);
1755 timer_add(env, &sa->sa_keepalive,
1757 timer_set(env, &sa->sa_rekey, ikev2_ike_sa_rekey, sa);
1759 ikev2_ike_sa_rekey_schedule(env, sa);
1763 ikev2_reset_alive_timer(struct iked *env)
1767 RB_FOREACH(sa, iked_sas, &env->sc_sas) {
1770 timer_del(env, &sa->sa_timer);
1771 if (env->sc_alive_timeout > 0)
1772 timer_add(env, &sa->sa_timer, env->sc_alive_timeout);
1777 ikev2_disable_timer(struct iked *env, struct iked_sa *sa)
1779 timer_del(env, &sa->sa_timer);
1780 timer_del(env, &sa->sa_keepalive);
1781 timer_del(env, &sa->sa_rekey);
1785 ikev2_init_done(struct iked *env, struct iked_sa *sa)
1792 ret = ikev2_childsa_negotiate(env, sa, &sa->sa_kex, &sa->sa_proposals,
1795 ret = ikev2_childsa_enable(env, sa);
1797 sa_state(env, sa, IKEV2_STATE_ESTABLISHED);
1798 iked_radius_acct_start(env, sa);
1800 timer_del(env, &sa->sa_timer);
1801 ikev2_enable_timer(env, sa);
1803 ikev2_record_dstid(env, sa);
1804 sa_configure_iface(env, sa, 1);
1808 ikev2_childsa_delete(env, sa, 0, 0, NULL, 1);
2142 ikev2_add_ipcompnotify(struct iked *env, struct ibuf *e,
2164 if (pfkey_sa_init(env, &csa, &spi) == -1)
2294 ikev2_add_transport_mode(struct iked *env, struct ibuf *e,
2321 ikev2_nat_detection(struct iked *env, struct iked_message *msg,
2404 if (env->sc_nattmode == NATT_FORCE)
2431 ikev2_add_nat_detection(struct iked *env, struct ibuf *buf,
2448 len = ikev2_nat_detection(env, msg, NULL, 0, 0, 0);
2451 if ((len = ikev2_nat_detection(env, msg, ptr, len,
2464 len = ikev2_nat_detection(env, msg, NULL, 0, 0, 0);
2467 if ((len = ikev2_nat_detection(env, msg, ptr, len,
2475 ikev2_add_cp(struct iked *env, struct iked_sa *sa, int type, struct ibuf *buf)
2639 ikev2_init_add_cp(struct iked *env, struct iked_sa *sa, struct ibuf *buf)
2641 return (ikev2_add_cp(env, sa, IKEV2_CP_REQUEST, buf));
2645 ikev2_resp_add_cp(struct iked *env, struct iked_sa *sa, struct ibuf *buf)
2651 ret = ikev2_add_cp(env, sa, IKEV2_CP_REPLY, buf);
2664 ikev2_add_proposals(struct iked *env, struct iked_sa *sa, struct ibuf *buf,
2693 if (pfkey_sa_init(env, &csa, &spi) == -1)
2859 ikev2_resp_informational(struct iked *env, struct iked_sa *sa,
2876 if ((len = ikev2_handle_delete(env, msg, buf, &pld,
2887 len = ikev2_add_nat_detection(env, buf, &pld, msg, len);
2917 ret = ikev2_msg_send_encrypt(env, sa, &buf,
2928 sa_state(env, sa, IKEV2_STATE_CLOSED);
2936 ikev2_resp_recv(struct iked *env, struct iked_message *msg,
2947 if ((msg->msg_sa = sa_new(env,
2954 timer_set(env, &msg->msg_sa->sa_timer,
2956 timer_add(env, &msg->msg_sa->sa_timer,
2960 if (ikev2_msg_valid_ike_sa(env, hdr, msg) == -1)
2969 if (ikev2_msg_valid_ike_sa(env, hdr, msg) == -1)
2978 if (ikev2_pld_parse(env, hdr, msg, msg->msg_offset) != 0) {
2987 if (ikev2_handle_notifies(env, msg) != 0)
3005 if (ikev2_sa_responder(env, sa, NULL, msg) != 0) {
3010 ikev2_send_init_error(env, msg);
3012 sa_state(env, sa, IKEV2_STATE_CLOSED);
3015 if (ikev2_resp_ike_sa_init(env, msg) != 0) {
3018 sa_state(env, sa, IKEV2_STATE_CLOSED);
3026 sa_state(env, sa, IKEV2_STATE_CLOSED);
3032 if (ikev2_resp_ike_eap(env, sa, msg)) {
3036 sa_state(env, sa, IKEV2_STATE_CLOSED);
3042 if (ikev2_ike_auth_recv(env, sa, msg) != 0) {
3044 ikev2_send_error(env, sa, msg, hdr->ike_exchange);
3046 sa_state(env, sa, IKEV2_STATE_CLOSED);
3051 if (ikev2_resp_create_child_sa(env, msg) != 0) {
3054 ikev2_send_error(env, sa, msg, hdr->ike_exchange);
3059 ikev2_update_sa_addresses(env, sa);
3060 (void)ikev2_resp_informational(env, sa, msg);
3068 ikev2_handle_delete(struct iked *env, struct iked_message *msg,
3103 ikev2_ikesa_recv_delete(env, sa);
3151 if (ikev2_childsa_delete(env, sa, msg->msg_del_protoid, spi,
3224 ikev2_handle_notifies(struct iked *env, struct iked_message *msg)
3239 if ((msg->msg_flags & IKED_MSG_FLAGS_FRAGMENTATION) && env->sc_frag) {
3244 if ((msg->msg_flags & IKED_MSG_FLAGS_MOBIKE) && env->sc_mobike) {
3249 ikev2_enable_natt(env, sa, msg, 0);
3255 ikev2_disable_rekeying(env, sa);
3266 sa_state(env, sa, IKEV2_STATE_CLOSED);
3279 sa_state(env, sa, IKEV2_STATE_CLOSED);
3289 sa_state(env, sa, IKEV2_STATE_CLOSED);
3295 sa_state(env, sa, IKEV2_STATE_CLOSED);
3298 timer_set(env, &env->sc_inittmr, ikev2_init_ike_sa, NULL);
3299 timer_add(env, &env->sc_inittmr, IKED_INITIATOR_INITIAL);
3316 sa_state(env, sa, IKEV2_STATE_CLOSED);
3325 (void)ikev2_send_create_child_sa(env, sa,
3333 timer_set(env, &sa->sa_rekey,
3335 timer_add(env, &sa->sa_rekey, 0);
3373 ikev2_resp_ike_sa_init(struct iked *env, struct iked_message *msg)
3396 if ((buf = ikev2_msg_init(env, &resp,
3416 if ((len = ikev2_add_proposals(env, sa, buf, &sa->sa_proposals,
3447 if (env->sc_vendorid != 0) {
3462 if ((env->sc_nattmode != NATT_DISABLE) &&
3464 if ((len = ikev2_add_nat_detection(env, buf, &pld, &resp, len))
3471 len, env->sc_certreq, env->sc_certreqtype)) == -1)
3474 if (env->sc_certreqtype != sa->sa_policy->pol_certreqtype &&
3490 (void)ikev2_pld_parse(env, hdr, &resp, 0);
3498 ret = ikev2_msg_send(env, &resp);
3502 ikev2_msg_cleanup(env, &resp);
3508 ikev2_send_auth_failed(struct iked *env, struct iked_sa *sa)
3539 ret = ikev2_send_ike_e(env, sa, buf, IKEV2_PAYLOAD_NOTIFY,
3547 sa_state(env, sa, IKEV2_STATE_CLOSING);
3548 timer_del(env, &sa->sa_timer);
3549 timer_set(env, &sa->sa_timer, ikev2_ike_sa_timeout, sa);
3550 timer_add(env, &sa->sa_timer, IKED_IKE_SA_DELETE_TIMEOUT);
3558 ikev2_add_error(struct iked *env, struct ibuf *buf, struct iked_message *msg)
3629 ikev2_record_dstid(struct iked *env, struct iked_sa *sa)
3633 osa = sa_dstid_lookup(env, sa);
3637 sa_dstid_remove(env, osa);
3638 if (env->sc_enforcesingleikesa &&
3644 ikev2_disable_timer(env, osa);
3646 ikev2_ikesa_delete(env, osa, 0);
3647 timer_add(env, &osa->sa_timer,
3651 osa = sa_dstid_insert(env, sa);
3663 ikev2_send_error(struct iked *env, struct iked_sa *sa,
3673 if (ikev2_add_error(env, buf, msg) == 0)
3675 ret = ikev2_send_ike_e(env, sa, buf, IKEV2_PAYLOAD_NOTIFY,
3687 ikev2_send_init_error(struct iked *env, struct iked_message *msg)
3704 if ((buf = ikev2_msg_init(env, &resp,
3724 if ((len = ikev2_add_error(env, buf, msg)) == 0)
3731 (void)ikev2_pld_parse(env, hdr, &resp, 0);
3732 ret = ikev2_msg_send(env, &resp);
3735 ikev2_msg_cleanup(env, &resp);
3741 ikev2_handle_certreq(struct iked* env, struct iked_message *msg)
3770 crtype = env->sc_certreqtype;
3771 ca_setreq(env, sa, &sa->sa_policy->pol_localid,
3772 crtype, 0, ibuf_data(env->sc_certreq),
3773 ibuf_size(env->sc_certreq), PROC_CERT);
3781 ca_setreq(env, sa, &sa->sa_policy->pol_localid,
3796 ikev2_resp_ike_eap_mschap(struct iked *env, struct iked_sa *sa,
3811 return (eap_challenge_request(env, sa, eap->eam_id));
3823 if ((usr = user_lookup(env, name)) == NULL) {
3863 ret = eap_mschap_challenge(env, sa, eap->eam_id, eap->eam_msrid,
3866 sa_state(env, sa, IKEV2_STATE_AUTH_SUCCESS);
3869 return (eap_mschap_success(env, sa, eap->eam_id));
3873 return (eap_success(env, sa, msg->msg_eap.eam_id));
3882 ikev2_resp_ike_eap(struct iked *env, struct iked_sa *sa,
3890 return ikev2_resp_ike_eap_mschap(env, sa, msg);
3892 return iked_radius_request(env, sa, msg);
3898 ikev2_resp_ike_auth(struct iked *env, struct iked_sa *sa)
3914 return (eap_identity_request(env, sa));
3919 if (ikev2_cp_setaddr(env, sa, AF_INET) < 0 ||
3920 ikev2_cp_setaddr(env, sa, AF_INET6) < 0)
3923 if (ikev2_childsa_negotiate(env, sa, &sa->sa_kex, &sa->sa_proposals,
3933 sa_state(env, sa, IKEV2_STATE_AUTH_SUCCESS);
4010 if ((len = ikev2_resp_add_cp(env, sa, e)) == -1)
4015 (len = ikev2_add_ipcompnotify(env, e, &pld, len, sa, 0)) == -1)
4018 (len = ikev2_add_transport_mode(env, e, &pld, len, sa)) == -1)
4032 if ((len = ikev2_add_proposals(env, sa, e, &sa->sa_proposals, 0,
4042 ret = ikev2_msg_send_encrypt(env, sa, &e,
4045 ret = ikev2_childsa_enable(env, sa);
4047 sa_state(env, sa, IKEV2_STATE_ESTABLISHED);
4048 iked_radius_acct_start(env, sa);
4050 timer_del(env, &sa->sa_timer);
4051 ikev2_enable_timer(env, sa);
4053 ikev2_record_dstid(env, sa);
4058 ikev2_childsa_delete(env, sa, 0, 0, NULL, 1);
4064 ikev2_send_ike_e(struct iked *env, struct iked_sa *sa, struct ibuf *buf,
4087 ret = ikev2_msg_send_encrypt(env, sa, &e, exchange, firstpayload,
4124 ikev2_send_create_child_sa(struct iked *env, struct iked_sa *sa,
4181 (len = ikev2_add_ipcompnotify(env, e, &pld, 0, sa, 1)) == -1)
4184 (len = ikev2_add_transport_mode(env, e, &pld, len, sa)) == -1)
4208 if ((len = ikev2_add_proposals(env, sa, e, &sa->sa_proposals,
4281 ret = ikev2_msg_send_encrypt(env, sa, &e,
4302 ikev2_ike_sa_rekey(struct iked *env, void *arg)
4328 ikev2_ike_sa_rekey_schedule_fast(env, sa);
4333 timer_set(env, &sa->sa_rekey, ikev2_ike_sa_rekey_timeout, sa);
4334 timer_add(env, &sa->sa_rekey, IKED_IKE_SA_REKEY_TIMEOUT);
4336 if ((nsa = sa_new(env, 0, 0, 1, sa->sa_policy)) == NULL) {
4341 if (ikev2_sa_initiator(env, nsa, sa, NULL)) {
4345 sa_state(env, nsa, IKEV2_STATE_AUTH_SUCCESS);
4356 if ((len = ikev2_add_proposals(env, nsa, e, &sa->sa_proposals,
4390 ret = ikev2_msg_send_encrypt(env, sa, &e,
4402 sa_free(env, nsa);
4429 ikev2_init_create_child_sa(struct iked *env, struct iked_message *msg)
4449 sa_free(env, sa->sa_nexti);
4451 timer_set(env, &sa->sa_rekey, ikev2_ike_sa_rekey, sa);
4452 ikev2_ike_sa_rekey_schedule_fast(env, sa);
4466 ikestat_inc(env, ikes_sa_proposals_negotiate_failures);
4490 if ((nsa = sa_new(env, sa->sa_nexti->sa_hdr.sh_ispi,
4496 sa_free(env, nsa);
4499 sa_free(env, sa->sa_nexti);
4503 if (ikev2_sa_initiator(env, nsa, sa, msg) == -1) {
4549 ikev2_ikesa_delete(env, dsa, dsa->sa_hdr.sh_initiator);
4554 return (ikev2_ikesa_enable(env, sa, nsa));
4608 ret = ikev2_childsa_delete_proposed(env, sa,
4614 if (ikev2_childsa_negotiate(env, sa, &sa->sa_kex, &sa->sa_proposals, 1,
4637 if (ikev2_send_ike_e(env, sa, buf, IKEV2_PAYLOAD_DELETE,
4644 ret = ikev2_childsa_enable(env, sa);
4650 ikev2_childsa_delete(env, sa, 0, 0, NULL, 1);
4653 ikev2_childsa_delete(env, sa, csa->csa_saproto,
4661 ikev2_ikesa_enable(struct iked *env, struct iked_sa *sa, struct iked_sa *nsa)
4756 RB_REMOVE(iked_addrpool, &env->sc_addrpool, sa);
4759 RB_INSERT(iked_addrpool, &env->sc_addrpool, nsa);
4762 RB_REMOVE(iked_addrpool6, &env->sc_addrpool6, sa);
4765 RB_INSERT(iked_addrpool6, &env->sc_addrpool6, nsa);
4776 sa_dstid_remove(env, sa);
4777 sa_dstid_insert(env, nsa);
4798 sa_state(env, nsa, IKEV2_STATE_ESTABLISHED);
4800 iked_radius_acct_start(env, nsa);
4801 ikev2_enable_timer(env, nsa);
4803 ikestat_inc(env, ikes_sa_rekeyed);
4809 ikev2_disable_timer(env, sa);
4812 ikev2_ikesa_delete(env, sa, nsa->sa_hdr.sh_initiator);
4817 ikev2_ikesa_delete(struct iked *env, struct iked_sa *sa, int initiator)
4834 if (ikev2_send_ike_e(env, sa, buf, IKEV2_PAYLOAD_DELETE,
4841 sa_state(env, sa, IKEV2_STATE_CLOSED);
4843 sa_state(env, sa, IKEV2_STATE_CLOSING);
4847 timer_set(env, &sa->sa_timer, ikev2_ike_sa_timeout, sa);
4848 timer_add(env, &sa->sa_timer, IKED_IKE_SA_DELETE_TIMEOUT);
4853 ikev2_ikesa_recv_delete(struct iked *env, struct iked_sa *sa)
4866 ikev2_ikesa_enable(env, sa, sa->sa_nextr);
4873 sa_free(env, sa->sa_nexti);
4877 if (env->sc_stickyaddress) {
4879 sa_state(env, sa, IKEV2_STATE_CLOSING);
4880 timer_del(env, &sa->sa_timer);
4881 timer_set(env, &sa->sa_timer, ikev2_ike_sa_timeout, sa);
4882 timer_add(env, &sa->sa_timer, 3 * IKED_RETRANSMIT_TIMEOUT);
4884 sa_state(env, sa, IKEV2_STATE_CLOSED);
4889 ikev2_resp_create_child_sa(struct iked *env, struct iked_message *msg)
4954 if ((nsa = sa_new(env, spi->spi, 0, 0,
4960 if (ikev2_sa_responder(env, nsa, sa, msg)) {
4965 sa_state(env, nsa, IKEV2_STATE_AUTH_SUCCESS);
4982 ikestat_inc(env, ikes_sa_proposals_negotiate_failures);
5052 if (ikev2_childsa_negotiate(env, sa, kex, &proposals, 0, pfs)) {
5075 (len = ikev2_add_ipcompnotify(env, e, &pld, 0, sa, 0)) == -1)
5078 (len = ikev2_add_transport_mode(env, e, &pld, len, sa)) == -1)
5092 if ((len = ikev2_add_proposals(env, nsa ? nsa : sa, e,
5134 if ((ret = ikev2_msg_send_encrypt(env, sa, &e,
5153 ret = ikev2_ikesa_enable(env, sa, nsa);
5155 ret = ikev2_childsa_enable(env, sa);
5159 ikev2_childsa_delete(env, sa, 0, 0, NULL, 1);
5180 ikev2_ike_sa_timeout(struct iked *env, void *arg)
5186 sa_free(env, sa);
5190 ikev2_ike_sa_rekey_timeout(struct iked *env, void *arg)
5196 sa_free(env, sa);
5200 ikev2_ike_sa_rekey_schedule(struct iked *env, struct iked_sa *sa)
5202 timer_add(env, &sa->sa_rekey, (sa->sa_policy->pol_rekey * 850 +
5208 ikev2_ike_sa_rekey_schedule_fast(struct iked *env, struct iked_sa *sa)
5216 timer_add(env, &sa->sa_rekey, timeout);
5220 ikev2_ike_sa_alive(struct iked *env, void *arg)
5228 if (env->sc_alive_timeout == 0)
5235 if (pfkey_sa_last_used(env, csa, &last_used) != 0)
5242 if (diff < env->sc_alive_timeout) {
5269 ikev2_send_ike_e(env, sa, NULL, IKEV2_PAYLOAD_NONE,
5272 ikestat_inc(env, ikes_dpd_sent);
5276 timer_add(env, &sa->sa_timer, env->sc_alive_timeout);
5280 ikev2_ike_sa_keepalive(struct iked *env, void *arg)
5296 ikestat_inc(env, ikes_keepalive_sent);
5297 timer_add(env, &sa->sa_keepalive, IKED_IKE_SA_KEEPALIVE_TIMEOUT);
5301 ikev2_send_informational(struct iked *env, struct iked_message *msg)
5314 if ((buf = ikev2_msg_init(env, &resp,
5351 resp.msg_msgid = ikev2_msg_id(env, sa);
5363 if ((e = ikev2_msg_encrypt(env, sa, e, buf)) == NULL) {
5377 if (ikev2_msg_integr(env, sa, buf) != 0) {
5391 resp.msg_msgid = ikev2_msg_id(env, &sah);
5408 ret = ikev2_msg_send(env, &resp);
5412 ikev2_msg_cleanup(env, &resp);
5489 ikev2_sa_negotiate_common(struct iked *env, struct iked_sa *sa,
5498 ikestat_inc(env, ikes_sa_proposals_negotiate_failures);
5562 ikev2_sa_initiator(struct iked *env, struct iked_sa *sa,
5590 if (ikev2_sa_negotiate_common(env, sa, msg, -1) != 0)
5600 return (ikev2_sa_keys(env, sa, osa ? osa->sa_key_d : NULL));
5655 ikev2_sa_responder(struct iked *env, struct iked_sa *sa, struct iked_sa *osa,
5664 if (policy_lookup(env, msg, &msg->msg_proposals,
5676 policy_unref(env, old);
5677 policy_ref(env, sa->sa_policy);
5680 sa_state(env, sa, IKEV2_STATE_SA_INIT);
5702 if (ikev2_sa_negotiate_common(env, sa, msg, msg->msg_dhgroup) != 0)
5708 return (ikev2_sa_keys(env, sa, osa ? osa->sa_key_d : NULL));
5712 ikev2_sa_keys(struct iked *env, struct iked_sa *sa, struct ibuf *key)
6104 ikev2_childsa_delete_proposed(struct iked *env, struct iked_sa *sa,
6143 if (ikev2_send_ike_e(env, sa, buf, IKEV2_PAYLOAD_DELETE,
6155 ikev2_childsa_negotiate(struct iked *env, struct iked_sa *sa,
6345 if ((ret = pfkey_sa_init(env, csa,
6425 if ((ret = pfkey_sa_init(env, csa2,
6459 ikestat_add(env, ikes_csa_created, 2);
6482 ikev2_childsa_enable(struct iked *env, struct iked_sa *sa)
6519 if (pfkey_sa_add(env, csa, NULL) != 0) {
6526 if (pfkey_sa_add(env, ipcomp, csa) != 0) {
6534 if ((ocsa = RB_FIND(iked_activesas, &env->sc_activesas, csa))
6541 RB_REMOVE(iked_activesas, &env->sc_activesas, ocsa);
6544 RB_INSERT(iked_activesas, &env->sc_activesas, csa);
6588 RB_REMOVE(iked_flows, &env->sc_activeflows, flow);
6589 (void)pfkey_flow_delete(env, flow);
6594 if (pfkey_flow_add(env, flow) != 0) {
6599 if ((oflow = RB_FIND(iked_flows, &env->sc_activeflows, flow))
6604 RB_REMOVE(iked_flows, &env->sc_activeflows, oflow);
6607 RB_INSERT(iked_flows, &env->sc_activeflows, flow);
6674 ikev2_childsa_delete(struct iked *env, struct iked_sa *sa, uint8_t saproto,
6689 RB_REMOVE(iked_activesas, &env->sc_activesas, csa);
6691 if (pfkey_sa_delete(env, csa) != 0)
6707 if (pfkey_sa_delete(env, ipcomp) != 0)
6721 ikestat_inc(env, ikes_csa_removed);
6781 ikev2_child_sa_acquire(struct iked *env, struct iked_flow *acquire)
6787 if (env->sc_passive)
6791 flow = RB_FIND(iked_flows, &env->sc_activeflows, acquire);
6803 if ((p = policy_test(env, &pol)) == NULL) {
6811 if (ikev2_init_ike_sa_peer(env, p,
6825 if (ikev2_send_create_child_sa(env, sa, NULL,
6834 ikev2_disable_rekeying(struct iked *env, struct iked_sa *sa)
6843 (void)ikev2_childsa_delete(env, sa, 0, 0, NULL, 1);
6848 ikev2_child_sa_rekey(struct iked *env, struct iked_spi *rekey)
6854 csa = RB_FIND(iked_activesas, &env->sc_activesas, &key);
6882 if (ikev2_send_create_child_sa(env, sa, rekey, rekey->spi_protoid, 0))
6890 ikev2_child_sa_drop(struct iked *env, struct iked_spi *drop)
6899 csa = RB_FIND(iked_activesas, &env->sc_activesas, &key);
6910 RB_REMOVE(iked_activesas, &env->sc_activesas, csa);
6923 if (ikev2_childsa_delete(env, sa, csa->csa_saproto,
6940 if (ikev2_send_ike_e(env, sa, buf, IKEV2_PAYLOAD_DELETE,
7062 ikev2_cp_setaddr(struct iked *env, struct iked_sa *sa, sa_family_t family)
7114 if ((ret = ikev2_cp_setaddr_pool(env, sa,
7138 ikev2_cp_setaddr_pool(struct iked *env, struct iked_sa *sa,
7164 if (env->sc_stickyaddress &&
7165 (osa = sa_dstid_lookup(env, sa)) != NULL &&
7170 if (RB_REMOVE(iked_addrpool, &env->sc_addrpool, osa)
7178 if (RB_REMOVE(iked_addrpool6, &env->sc_addrpool6, osa)
7185 sa_dstid_remove(env, osa);
7192 ikev2_disable_timer(env, osa);
7195 ikev2_ikesa_delete(env, osa, 1);
7196 timer_add(env, &osa->sa_timer,
7200 RB_INSERT(iked_addrpool, &env->sc_addrpool, sa);
7208 RB_INSERT(iked_addrpool6, &env->sc_addrpool6, sa);
7240 if (RB_FIND(iked_addrpool, &env->sc_addrpool,
7254 RB_INSERT(iked_addrpool, &env->sc_addrpool, sa);
7313 !RB_FIND(iked_addrpool, &env->sc_addrpool, &key)) ||
7315 !RB_FIND(iked_addrpool6, &env->sc_addrpool6, &key)))
7336 RB_INSERT(iked_addrpool, &env->sc_addrpool, sa);
7344 RB_INSERT(iked_addrpool6, &env->sc_addrpool6, sa);
7449 ikev2_update_sa_addresses(struct iked *env, struct iked_sa *sa)
7466 if (pfkey_sa_update_addresses(env, csa) != 0)
7470 if (pfkey_sa_update_addresses(env, ipcomp)
7478 RB_REMOVE(iked_flows, &env->sc_activeflows, flow);
7479 (void)pfkey_flow_delete(env, flow);
7482 if (pfkey_flow_add(env, flow) != 0)
7486 if ((oflow = RB_FIND(iked_flows, &env->sc_activeflows, flow))
7491 RB_REMOVE(iked_flows, &env->sc_activeflows, oflow);
7493 RB_INSERT(iked_flows, &env->sc_activeflows, flow);
7521 ikev2_info_sa(struct iked *env, struct imsg *imsg, int dolog, const char *msg,
7554 proc_compose_imsg(&env->sc_ps, PROC_CONTROL, -1,
7561 ikev2_info_csa(struct iked *env, struct imsg *imsg, int dolog, const char *msg,
7590 proc_compose_imsg(&env->sc_ps, PROC_CONTROL, -1,
7597 ikev2_info_flow(struct iked *env, struct imsg *imsg, int dolog, const char *msg,
7637 proc_compose_imsg(&env->sc_ps, PROC_CONTROL, -1,
7644 ikev2_info(struct iked *env, struct imsg *imsg, int dolog)
7652 RB_FOREACH(sa, iked_sas, &env->sc_sas) {
7653 ikev2_info_sa(env, imsg, dolog, "iked_sas", sa);
7655 ikev2_info_csa(env, imsg, dolog, " sa_childsas", csa);
7657 ikev2_info_csa(env, imsg, dolog, " ",
7661 ikev2_info_flow(env, imsg, dolog, " sa_flows", flow);
7664 RB_FOREACH(csa, iked_activesas, &env->sc_activesas) {
7665 ikev2_info_csa(env, imsg, dolog, "iked_activesas", csa);
7667 ikev2_info_csa(env, imsg, dolog, " ", ipcomp);
7669 RB_FOREACH(flow, iked_flows, &env->sc_activeflows) {
7670 ikev2_info_flow(env, imsg, dolog, "iked_flows", flow);
7672 RB_FOREACH(sa, iked_dstid_sas, &env->sc_dstid_sas) {
7673 ikev2_info_sa(env, imsg, dolog, "iked_dstid_sas", sa);
7678 proc_compose_imsg(&env->sc_ps, PROC_CONTROL, -1, IMSG_CTL_SHOW_SA,