1 /* $OpenBSD: pfkeyv2.c,v 1.119 2008/05/09 15:48:15 claudio Exp $ */ 2 3 /* 4 * @(#)COPYRIGHT 1.1 (NRL) 17 January 1995 5 * 6 * NRL grants permission for redistribution and use in source and binary 7 * forms, with or without modification, of the software and documentation 8 * created at NRL provided that the following conditions are met: 9 * 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 3. All advertising materials mentioning features or use of this software 16 * must display the following acknowledgements: 17 * This product includes software developed by the University of 18 * California, Berkeley and its contributors. 19 * This product includes software developed at the Information 20 * Technology Division, US Naval Research Laboratory. 21 * 4. Neither the name of the NRL nor the names of its contributors 22 * may be used to endorse or promote products derived from this software 23 * without specific prior written permission. 24 * 25 * THE SOFTWARE PROVIDED BY NRL IS PROVIDED BY NRL AND CONTRIBUTORS ``AS 26 * IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED 27 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A 28 * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL NRL OR 29 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, 30 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, 31 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 32 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 33 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING 34 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 35 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 36 * 37 * The views and conclusions contained in the software and documentation 38 * are those of the authors and should not be interpreted as representing 39 * official policies, either expressed or implied, of the US Naval 40 * Research Laboratory (NRL). 41 */ 42 43 /* 44 * Copyright (c) 1995, 1996, 1997, 1998, 1999 Craig Metz. All rights reserved. 45 * 46 * Redistribution and use in source and binary forms, with or without 47 * modification, are permitted provided that the following conditions 48 * are met: 49 * 1. Redistributions of source code must retain the above copyright 50 * notice, this list of conditions and the following disclaimer. 51 * 2. Redistributions in binary form must reproduce the above copyright 52 * notice, this list of conditions and the following disclaimer in the 53 * documentation and/or other materials provided with the distribution. 54 * 3. Neither the name of the author nor the names of any contributors 55 * may be used to endorse or promote products derived from this software 56 * without specific prior written permission. 57 * 58 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 59 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 60 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 61 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 62 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 63 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 64 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 65 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 66 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 67 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 68 * SUCH DAMAGE. 69 */ 70 71 #include "pf.h" 72 73 #include <sys/types.h> 74 #include <sys/param.h> 75 #include <sys/socket.h> 76 #include <sys/systm.h> 77 #include <sys/mbuf.h> 78 #include <sys/kernel.h> 79 #include <sys/proc.h> 80 #include <sys/pool.h> 81 #include <net/route.h> 82 #include <netinet/ip_ipsp.h> 83 #include <net/pfkeyv2.h> 84 #include <netinet/ip_ah.h> 85 #include <netinet/ip_esp.h> 86 #include <netinet/ip_ipcomp.h> 87 #include <crypto/blf.h> 88 89 #if NPF > 0 90 #include <net/if.h> 91 #include <net/pfvar.h> 92 #endif 93 94 #define PFKEYV2_PROTOCOL 2 95 #define GETSPI_TRIES 10 96 97 /* Static globals */ 98 static struct pfkeyv2_socket *pfkeyv2_sockets = NULL; 99 static struct pfkey_version pfkeyv2_version; 100 static uint32_t pfkeyv2_seq = 1; 101 static int nregistered = 0; 102 static int npromisc = 0; 103 104 static const struct sadb_alg ealgs[] = { 105 { SADB_EALG_NULL, 0, 0, 0 }, 106 { SADB_EALG_DESCBC, 64, 64, 64 }, 107 { SADB_EALG_3DESCBC, 64, 192, 192 }, 108 { SADB_X_EALG_BLF, 64, 40, BLF_MAXKEYLEN * 8}, 109 { SADB_X_EALG_CAST, 64, 40, 128}, 110 { SADB_X_EALG_SKIPJACK, 64, 80, 80}, 111 { SADB_X_EALG_AES, 128, 128, 256}, 112 { SADB_X_EALG_AESCTR, 128, 128 + 32, 256 + 32} 113 }; 114 115 static const struct sadb_alg aalgs[] = { 116 { SADB_AALG_SHA1HMAC, 0, 160, 160 }, 117 { SADB_AALG_MD5HMAC, 0, 128, 128 }, 118 { SADB_X_AALG_RIPEMD160HMAC, 0, 160, 160 }, 119 { SADB_X_AALG_SHA2_256, 0, 256, 256 }, 120 { SADB_X_AALG_SHA2_384, 0, 384, 384 }, 121 { SADB_X_AALG_SHA2_512, 0, 512, 512 } 122 }; 123 124 static const struct sadb_alg calgs[] = { 125 { SADB_X_CALG_DEFLATE, 0, 0, 0}, 126 { SADB_X_CALG_LZS, 0, 0, 0} 127 }; 128 129 extern uint64_t sadb_exts_allowed_out[SADB_MAX+1]; 130 extern uint64_t sadb_exts_required_out[SADB_MAX+1]; 131 132 extern struct pool ipsec_policy_pool; 133 134 /* 135 * Wrapper around m_devget(); copy data from contiguous buffer to mbuf 136 * chain. 137 */ 138 int 139 pfdatatopacket(void *data, int len, struct mbuf **packet) 140 { 141 if (!(*packet = m_devget(data, len, 0, NULL, NULL))) 142 return (ENOMEM); 143 return (0); 144 } 145 146 /* 147 * Create a new PF_KEYv2 socket. 148 */ 149 int 150 pfkeyv2_create(struct socket *socket) 151 { 152 struct pfkeyv2_socket *pfkeyv2_socket; 153 154 if (!(pfkeyv2_socket = malloc(sizeof(struct pfkeyv2_socket), 155 M_PFKEY, M_DONTWAIT | M_ZERO))) 156 return (ENOMEM); 157 158 pfkeyv2_socket->next = pfkeyv2_sockets; 159 pfkeyv2_socket->socket = socket; 160 pfkeyv2_socket->pid = curproc->p_pid; 161 162 pfkeyv2_sockets = pfkeyv2_socket; 163 164 return (0); 165 } 166 167 /* 168 * Close a PF_KEYv2 socket. 169 */ 170 int 171 pfkeyv2_release(struct socket *socket) 172 { 173 struct pfkeyv2_socket **pp; 174 175 for (pp = &pfkeyv2_sockets; *pp && ((*pp)->socket != socket); 176 pp = &((*pp)->next)) 177 /*EMPTY*/; 178 179 if (*pp) { 180 struct pfkeyv2_socket *pfkeyv2_socket; 181 182 pfkeyv2_socket = *pp; 183 *pp = (*pp)->next; 184 185 if (pfkeyv2_socket->flags & PFKEYV2_SOCKETFLAGS_REGISTERED) 186 nregistered--; 187 188 if (pfkeyv2_socket->flags & PFKEYV2_SOCKETFLAGS_PROMISC) 189 npromisc--; 190 191 free(pfkeyv2_socket, M_PFKEY); 192 } 193 194 return (0); 195 } 196 197 /* 198 * Send a PFKEYv2 message, possibly to many receivers, based on the 199 * satype of the socket (which is set by the REGISTER message), and the 200 * third argument. 201 */ 202 int 203 pfkeyv2_sendmessage(void **headers, int mode, struct socket *socket, 204 u_int8_t satype, int count) 205 { 206 int i, j, rval; 207 void *p, *buffer = NULL; 208 struct mbuf *packet; 209 struct pfkeyv2_socket *s; 210 struct sadb_msg *smsg; 211 212 /* Find out how much space we'll need... */ 213 j = sizeof(struct sadb_msg); 214 215 for (i = 1; i <= SADB_EXT_MAX; i++) 216 if (headers[i]) 217 j += ((struct sadb_ext *)headers[i])->sadb_ext_len * 218 sizeof(uint64_t); 219 220 /* ...and allocate it */ 221 if (!(buffer = malloc(j + sizeof(struct sadb_msg), M_PFKEY, 222 M_DONTWAIT))) { 223 rval = ENOMEM; 224 goto ret; 225 } 226 227 p = buffer + sizeof(struct sadb_msg); 228 bcopy(headers[0], p, sizeof(struct sadb_msg)); 229 ((struct sadb_msg *) p)->sadb_msg_len = j / sizeof(uint64_t); 230 p += sizeof(struct sadb_msg); 231 232 /* Copy payloads in the packet */ 233 for (i = 1; i <= SADB_EXT_MAX; i++) 234 if (headers[i]) { 235 ((struct sadb_ext *) headers[i])->sadb_ext_type = i; 236 bcopy(headers[i], p, EXTLEN(headers[i])); 237 p += EXTLEN(headers[i]); 238 } 239 240 if ((rval = pfdatatopacket(buffer + sizeof(struct sadb_msg), 241 j, &packet)) != 0) 242 goto ret; 243 244 switch (mode) { 245 case PFKEYV2_SENDMESSAGE_UNICAST: 246 /* 247 * Send message to the specified socket, plus all 248 * promiscuous listeners. 249 */ 250 pfkey_sendup(socket, packet, 0); 251 252 /* 253 * Promiscuous messages contain the original message 254 * encapsulated in another sadb_msg header. 255 */ 256 bzero(buffer, sizeof(struct sadb_msg)); 257 smsg = (struct sadb_msg *) buffer; 258 smsg->sadb_msg_version = PF_KEY_V2; 259 smsg->sadb_msg_type = SADB_X_PROMISC; 260 smsg->sadb_msg_len = (sizeof(struct sadb_msg) + j) / 261 sizeof(uint64_t); 262 smsg->sadb_msg_seq = 0; 263 264 /* Copy to mbuf chain */ 265 if ((rval = pfdatatopacket(buffer, sizeof(struct sadb_msg) + j, 266 &packet)) != 0) 267 goto ret; 268 269 /* 270 * Search for promiscuous listeners, skipping the 271 * original destination. 272 */ 273 for (s = pfkeyv2_sockets; s; s = s->next) 274 if ((s->flags & PFKEYV2_SOCKETFLAGS_PROMISC) && 275 (s->socket != socket)) 276 pfkey_sendup(s->socket, packet, 1); 277 278 /* Done, let's be a bit paranoid */ 279 m_zero(packet); 280 m_freem(packet); 281 break; 282 283 case PFKEYV2_SENDMESSAGE_REGISTERED: 284 /* 285 * Send the message to all registered sockets that match 286 * the specified satype (e.g., all IPSEC-ESP negotiators) 287 */ 288 for (s = pfkeyv2_sockets; s; s = s->next) 289 if (s->flags & PFKEYV2_SOCKETFLAGS_REGISTERED) { 290 if (!satype) /* Just send to everyone registered */ 291 pfkey_sendup(s->socket, packet, 1); 292 else { 293 /* Check for specified satype */ 294 if ((1 << satype) & s->registration) 295 pfkey_sendup(s->socket, packet, 1); 296 } 297 } 298 299 /* Free last/original copy of the packet */ 300 m_freem(packet); 301 302 /* Encapsulate the original message "inside" an sadb_msg header */ 303 bzero(buffer, sizeof(struct sadb_msg)); 304 smsg = (struct sadb_msg *) buffer; 305 smsg->sadb_msg_version = PF_KEY_V2; 306 smsg->sadb_msg_type = SADB_X_PROMISC; 307 smsg->sadb_msg_len = (sizeof(struct sadb_msg) + j) / 308 sizeof(uint64_t); 309 smsg->sadb_msg_seq = 0; 310 311 /* Convert to mbuf chain */ 312 if ((rval = pfdatatopacket(buffer, sizeof(struct sadb_msg) + j, 313 &packet)) != 0) 314 goto ret; 315 316 /* Send to all registered promiscuous listeners */ 317 for (s = pfkeyv2_sockets; s; s = s->next) 318 if ((s->flags & PFKEYV2_SOCKETFLAGS_PROMISC) && 319 !(s->flags & PFKEYV2_SOCKETFLAGS_REGISTERED)) 320 pfkey_sendup(s->socket, packet, 1); 321 322 m_freem(packet); 323 break; 324 325 case PFKEYV2_SENDMESSAGE_BROADCAST: 326 /* Send message to all sockets */ 327 for (s = pfkeyv2_sockets; s; s = s->next) 328 pfkey_sendup(s->socket, packet, 1); 329 330 m_freem(packet); 331 break; 332 } 333 334 ret: 335 if (buffer != NULL) { 336 bzero(buffer, j + sizeof(struct sadb_msg)); 337 free(buffer, M_PFKEY); 338 } 339 340 return (rval); 341 } 342 343 /* 344 * Get SPD information for an ACQUIRE. We setup the message such that 345 * the SRC/DST payloads are relative to us (regardless of whether the 346 * SPD rule was for incoming or outgoing packets). 347 */ 348 int 349 pfkeyv2_policy(struct ipsec_acquire *ipa, void **headers, void **buffer) 350 { 351 union sockaddr_union sunion; 352 struct sadb_protocol *sp; 353 int rval, i, dir; 354 void *p; 355 356 /* Find out how big a buffer we need */ 357 i = 4 * sizeof(struct sadb_address) + sizeof(struct sadb_protocol); 358 bzero(&sunion, sizeof(union sockaddr_union)); 359 360 switch (ipa->ipa_info.sen_type) { 361 #ifdef INET 362 case SENT_IP4: 363 i += 4 * PADUP(sizeof(struct sockaddr_in)); 364 sunion.sa.sa_family = AF_INET; 365 sunion.sa.sa_len = sizeof(struct sockaddr_in); 366 dir = ipa->ipa_info.sen_direction; 367 break; 368 #endif /* INET */ 369 370 #ifdef INET6 371 case SENT_IP6: 372 i += 4 * PADUP(sizeof(struct sockaddr_in6)); 373 sunion.sa.sa_family = AF_INET6; 374 sunion.sa.sa_len = sizeof(struct sockaddr_in6); 375 dir = ipa->ipa_info.sen_ip6_direction; 376 break; 377 #endif /* INET6 */ 378 379 default: 380 return (EINVAL); 381 } 382 383 if (!(p = malloc(i, M_PFKEY, M_DONTWAIT | M_ZERO))) { 384 rval = ENOMEM; 385 goto ret; 386 } else 387 *buffer = p; 388 389 if (dir == IPSP_DIRECTION_OUT) 390 headers[SADB_X_EXT_SRC_FLOW] = p; 391 else 392 headers[SADB_X_EXT_DST_FLOW] = p; 393 switch (sunion.sa.sa_family) { 394 #ifdef INET 395 case AF_INET: 396 sunion.sin.sin_addr = ipa->ipa_info.sen_ip_src; 397 sunion.sin.sin_port = ipa->ipa_info.sen_sport; 398 break; 399 #endif /* INET */ 400 401 #ifdef INET6 402 case AF_INET6: 403 sunion.sin6.sin6_addr = ipa->ipa_info.sen_ip6_src; 404 sunion.sin6.sin6_port = ipa->ipa_info.sen_ip6_sport; 405 break; 406 #endif /* INET6 */ 407 } 408 export_address(&p, (struct sockaddr *) &sunion); 409 410 if (dir == IPSP_DIRECTION_OUT) 411 headers[SADB_X_EXT_SRC_MASK] = p; 412 else 413 headers[SADB_X_EXT_DST_MASK] = p; 414 switch (sunion.sa.sa_family) { 415 #ifdef INET 416 case AF_INET: 417 sunion.sin.sin_addr = ipa->ipa_mask.sen_ip_src; 418 sunion.sin.sin_port = ipa->ipa_mask.sen_sport; 419 break; 420 #endif /* INET */ 421 422 #ifdef INET6 423 case AF_INET6: 424 sunion.sin6.sin6_addr = ipa->ipa_mask.sen_ip6_src; 425 sunion.sin6.sin6_port = ipa->ipa_mask.sen_ip6_sport; 426 break; 427 #endif /* INET6 */ 428 } 429 export_address(&p, (struct sockaddr *) &sunion); 430 431 if (dir == IPSP_DIRECTION_OUT) 432 headers[SADB_X_EXT_DST_FLOW] = p; 433 else 434 headers[SADB_X_EXT_SRC_FLOW] = p; 435 switch (sunion.sa.sa_family) { 436 #ifdef INET 437 case AF_INET: 438 sunion.sin.sin_addr = ipa->ipa_info.sen_ip_dst; 439 sunion.sin.sin_port = ipa->ipa_info.sen_dport; 440 break; 441 #endif /* INET */ 442 443 #ifdef INET6 444 case AF_INET6: 445 sunion.sin6.sin6_addr = ipa->ipa_info.sen_ip6_dst; 446 sunion.sin6.sin6_port = ipa->ipa_info.sen_ip6_dport; 447 break; 448 #endif /* INET6 */ 449 } 450 export_address(&p, (struct sockaddr *) &sunion); 451 452 if (dir == IPSP_DIRECTION_OUT) 453 headers[SADB_X_EXT_DST_MASK] = p; 454 else 455 headers[SADB_X_EXT_SRC_MASK] = p; 456 switch (sunion.sa.sa_family) { 457 #ifdef INET 458 case AF_INET: 459 sunion.sin.sin_addr = ipa->ipa_mask.sen_ip_dst; 460 sunion.sin.sin_port = ipa->ipa_mask.sen_dport; 461 break; 462 #endif /* INET */ 463 464 #ifdef INET6 465 case AF_INET6: 466 sunion.sin6.sin6_addr = ipa->ipa_mask.sen_ip6_dst; 467 sunion.sin6.sin6_port = ipa->ipa_mask.sen_ip6_dport; 468 break; 469 #endif /* INET6 */ 470 } 471 export_address(&p, (struct sockaddr *) &sunion); 472 473 headers[SADB_X_EXT_FLOW_TYPE] = p; 474 sp = p; 475 sp->sadb_protocol_len = sizeof(struct sadb_protocol) / 476 sizeof(u_int64_t); 477 switch (sunion.sa.sa_family) { 478 #ifdef INET 479 case AF_INET: 480 if (ipa->ipa_mask.sen_proto) 481 sp->sadb_protocol_proto = ipa->ipa_info.sen_proto; 482 sp->sadb_protocol_direction = ipa->ipa_info.sen_direction; 483 break; 484 #endif /* INET */ 485 486 #ifdef INET6 487 case AF_INET6: 488 if (ipa->ipa_mask.sen_ip6_proto) 489 sp->sadb_protocol_proto = ipa->ipa_info.sen_ip6_proto; 490 sp->sadb_protocol_direction = ipa->ipa_info.sen_ip6_direction; 491 break; 492 #endif /* INET6 */ 493 } 494 495 rval = 0; 496 497 ret: 498 return (rval); 499 } 500 501 /* 502 * Get all the information contained in an SA to a PFKEYV2 message. 503 */ 504 int 505 pfkeyv2_get(struct tdb *sa, void **headers, void **buffer, int *lenp) 506 { 507 int rval, i; 508 void *p; 509 510 /* Find how much space we need */ 511 i = sizeof(struct sadb_sa) + sizeof(struct sadb_lifetime); 512 513 if (sa->tdb_soft_allocations || sa->tdb_soft_bytes || 514 sa->tdb_soft_timeout || sa->tdb_soft_first_use) 515 i += sizeof(struct sadb_lifetime); 516 517 if (sa->tdb_exp_allocations || sa->tdb_exp_bytes || 518 sa->tdb_exp_timeout || sa->tdb_exp_first_use) 519 i += sizeof(struct sadb_lifetime); 520 521 if (sa->tdb_last_used) 522 i += sizeof(struct sadb_lifetime); 523 524 if (sa->tdb_src.sa.sa_family) 525 i += sizeof(struct sadb_address) + PADUP(SA_LEN(&sa->tdb_src.sa)); 526 527 if (sa->tdb_dst.sa.sa_family) 528 i += sizeof(struct sadb_address) + PADUP(SA_LEN(&sa->tdb_dst.sa)); 529 530 if (sa->tdb_proxy.sa.sa_family) 531 i += sizeof(struct sadb_address) + PADUP(SA_LEN(&sa->tdb_proxy.sa)); 532 533 if (sa->tdb_srcid) 534 i += PADUP(sa->tdb_srcid->ref_len) + sizeof(struct sadb_ident); 535 536 if (sa->tdb_dstid) 537 i += PADUP(sa->tdb_dstid->ref_len) + sizeof(struct sadb_ident); 538 539 if (sa->tdb_local_cred) 540 i += PADUP(sa->tdb_local_cred->ref_len) + sizeof(struct sadb_x_cred); 541 542 if (sa->tdb_remote_cred) 543 i += PADUP(sa->tdb_remote_cred->ref_len) + sizeof(struct sadb_x_cred); 544 545 if (sa->tdb_local_auth) 546 i += PADUP(sa->tdb_local_auth->ref_len) + sizeof(struct sadb_x_cred); 547 548 if (sa->tdb_remote_auth) 549 i += PADUP(sa->tdb_remote_auth->ref_len) + sizeof(struct sadb_x_cred); 550 551 if (sa->tdb_amxkey) 552 i+= PADUP(sa->tdb_amxkeylen) + sizeof(struct sadb_key); 553 554 if (sa->tdb_emxkey) 555 i+= PADUP(sa->tdb_emxkeylen) + sizeof(struct sadb_key); 556 557 if (sa->tdb_filter.sen_type) { 558 i += 2 * sizeof(struct sadb_protocol); 559 560 /* We'll need four of them: src, src mask, dst, dst mask. */ 561 switch (sa->tdb_filter.sen_type) { 562 #ifdef INET 563 case SENT_IP4: 564 i += 4 * PADUP(sizeof(struct sockaddr_in)); 565 i += 4 * sizeof(struct sadb_address); 566 break; 567 #endif /* INET */ 568 #ifdef INET6 569 case SENT_IP6: 570 i += 4 * PADUP(sizeof(struct sockaddr_in6)); 571 i += 4 * sizeof(struct sadb_address); 572 break; 573 #endif /* INET6 */ 574 default: 575 rval = EINVAL; 576 goto ret; 577 } 578 } 579 580 if (sa->tdb_udpencap_port) 581 i+= sizeof(struct sadb_x_udpencap); 582 583 #if NPF > 0 584 if (sa->tdb_tag) 585 i+= PADUP(PF_TAG_NAME_SIZE) + sizeof(struct sadb_x_tag); 586 #endif 587 588 if (lenp) 589 *lenp = i; 590 591 if (buffer == NULL) { 592 rval = 0; 593 goto ret; 594 } 595 596 if (!(p = malloc(i, M_PFKEY, M_DONTWAIT | M_ZERO))) { 597 rval = ENOMEM; 598 goto ret; 599 } else 600 *buffer = p; 601 602 headers[SADB_EXT_SA] = p; 603 604 export_sa(&p, sa); /* Export SA information (mostly flags) */ 605 606 /* Export lifetimes where applicable */ 607 headers[SADB_EXT_LIFETIME_CURRENT] = p; 608 export_lifetime(&p, sa, PFKEYV2_LIFETIME_CURRENT); 609 610 if (sa->tdb_soft_allocations || sa->tdb_soft_bytes || 611 sa->tdb_soft_first_use || sa->tdb_soft_timeout) { 612 headers[SADB_EXT_LIFETIME_SOFT] = p; 613 export_lifetime(&p, sa, PFKEYV2_LIFETIME_SOFT); 614 } 615 616 if (sa->tdb_exp_allocations || sa->tdb_exp_bytes || 617 sa->tdb_exp_first_use || sa->tdb_exp_timeout) { 618 headers[SADB_EXT_LIFETIME_HARD] = p; 619 export_lifetime(&p, sa, PFKEYV2_LIFETIME_HARD); 620 } 621 622 if (sa->tdb_last_used) { 623 headers[SADB_X_EXT_LIFETIME_LASTUSE] = p; 624 export_lifetime(&p, sa, PFKEYV2_LIFETIME_LASTUSE); 625 } 626 627 /* Export TDB source address */ 628 headers[SADB_EXT_ADDRESS_SRC] = p; 629 export_address(&p, (struct sockaddr *) &sa->tdb_src); 630 631 /* Export TDB destination address */ 632 headers[SADB_EXT_ADDRESS_DST] = p; 633 export_address(&p, (struct sockaddr *) &sa->tdb_dst); 634 635 /* Export TDB proxy address, if present */ 636 if (SA_LEN(&sa->tdb_proxy.sa)) { 637 headers[SADB_EXT_ADDRESS_PROXY] = p; 638 export_address(&p, (struct sockaddr *) &sa->tdb_proxy); 639 } 640 641 /* Export source identity, if present */ 642 if (sa->tdb_srcid) { 643 headers[SADB_EXT_IDENTITY_SRC] = p; 644 export_identity(&p, sa, PFKEYV2_IDENTITY_SRC); 645 } 646 647 /* Export destination identity, if present */ 648 if (sa->tdb_dstid) { 649 headers[SADB_EXT_IDENTITY_DST] = p; 650 export_identity(&p, sa, PFKEYV2_IDENTITY_DST); 651 } 652 653 /* Export credentials, if present */ 654 if (sa->tdb_local_cred) { 655 headers[SADB_X_EXT_LOCAL_CREDENTIALS] = p; 656 export_credentials(&p, sa, PFKEYV2_CRED_LOCAL); 657 } 658 659 if (sa->tdb_remote_cred) { 660 headers[SADB_X_EXT_REMOTE_CREDENTIALS] = p; 661 export_credentials(&p, sa, PFKEYV2_CRED_REMOTE); 662 } 663 664 /* Export authentication information, if present */ 665 if (sa->tdb_local_auth) { 666 headers[SADB_X_EXT_LOCAL_AUTH] = p; 667 export_auth(&p, sa, PFKEYV2_AUTH_LOCAL); 668 } 669 670 if (sa->tdb_remote_auth) { 671 headers[SADB_X_EXT_REMOTE_AUTH] = p; 672 export_auth(&p, sa, PFKEYV2_AUTH_REMOTE); 673 } 674 675 /* Export authentication key, if present */ 676 if (sa->tdb_amxkey) { 677 headers[SADB_EXT_KEY_AUTH] = p; 678 export_key(&p, sa, PFKEYV2_AUTHENTICATION_KEY); 679 } 680 681 /* Export encryption key, if present */ 682 if (sa->tdb_emxkey) { 683 headers[SADB_EXT_KEY_ENCRYPT] = p; 684 export_key(&p, sa, PFKEYV2_ENCRYPTION_KEY); 685 } 686 687 /* Export flow/filter, if present */ 688 if (sa->tdb_filter.sen_type) 689 export_flow(&p, IPSP_IPSEC_USE, &sa->tdb_filter, 690 &sa->tdb_filtermask, headers); 691 692 /* Export UDP encapsulation port, if present */ 693 if (sa->tdb_udpencap_port) { 694 headers[SADB_X_EXT_UDPENCAP] = p; 695 export_udpencap(&p, sa); 696 } 697 698 #if NPF > 0 699 /* Export tag information, if present */ 700 if (sa->tdb_tag) { 701 headers[SADB_X_EXT_TAG] = p; 702 export_tag(&p, sa); 703 } 704 #endif 705 706 rval = 0; 707 708 ret: 709 return (rval); 710 } 711 712 /* 713 * Dump a TDB. 714 */ 715 int 716 pfkeyv2_dump_walker(struct tdb *sa, void *state, int last) 717 { 718 struct dump_state *dump_state = (struct dump_state *) state; 719 void *headers[SADB_EXT_MAX+1], *buffer; 720 int rval; 721 722 /* If not satype was specified, dump all TDBs */ 723 if (!dump_state->sadb_msg->sadb_msg_satype || 724 (sa->tdb_satype == dump_state->sadb_msg->sadb_msg_satype)) { 725 bzero(headers, sizeof(headers)); 726 headers[0] = (void *) dump_state->sadb_msg; 727 728 /* Get the information from the TDB to a PFKEYv2 message */ 729 if ((rval = pfkeyv2_get(sa, headers, &buffer, NULL)) != 0) 730 return (rval); 731 732 if (last) 733 ((struct sadb_msg *)headers[0])->sadb_msg_seq = 0; 734 735 /* Send the message to the specified socket */ 736 rval = pfkeyv2_sendmessage(headers, 737 PFKEYV2_SENDMESSAGE_UNICAST, dump_state->socket, 0, 0); 738 739 free(buffer, M_PFKEY); 740 if (rval) 741 return (rval); 742 } 743 744 return (0); 745 } 746 747 /* 748 * Delete an SA. 749 */ 750 int 751 pfkeyv2_flush_walker(struct tdb *sa, void *satype_vp, int last) 752 { 753 if (!(*((u_int8_t *) satype_vp)) || 754 sa->tdb_satype == *((u_int8_t *) satype_vp)) 755 tdb_delete(sa); 756 return (0); 757 } 758 759 /* 760 * Convert between SATYPEs and IPsec protocols, taking into consideration 761 * sysctl variables enabling/disabling ESP/AH and the presence of the old 762 * IPsec transforms. 763 */ 764 int 765 pfkeyv2_get_proto_alg(u_int8_t satype, u_int8_t *sproto, int *alg) 766 { 767 switch (satype) { 768 #ifdef IPSEC 769 case SADB_SATYPE_AH: 770 if (!ah_enable) 771 return (EOPNOTSUPP); 772 773 *sproto = IPPROTO_AH; 774 775 if(alg != NULL) 776 *alg = satype = XF_AH; 777 778 break; 779 780 case SADB_SATYPE_ESP: 781 if (!esp_enable) 782 return (EOPNOTSUPP); 783 784 *sproto = IPPROTO_ESP; 785 786 if(alg != NULL) 787 *alg = satype = XF_ESP; 788 789 break; 790 791 case SADB_X_SATYPE_IPIP: 792 *sproto = IPPROTO_IPIP; 793 794 if (alg != NULL) 795 *alg = XF_IP4; 796 797 break; 798 799 case SADB_X_SATYPE_IPCOMP: 800 if (!ipcomp_enable) 801 return (EOPNOTSUPP); 802 803 *sproto = IPPROTO_IPCOMP; 804 805 if(alg != NULL) 806 *alg = satype = XF_IPCOMP; 807 808 break; 809 #endif /* IPSEC */ 810 #ifdef TCP_SIGNATURE 811 case SADB_X_SATYPE_TCPSIGNATURE: 812 *sproto = IPPROTO_TCP; 813 814 if (alg != NULL) 815 *alg = XF_TCPSIGNATURE; 816 817 break; 818 #endif /* TCP_SIGNATURE */ 819 820 default: /* Nothing else supported */ 821 return (EOPNOTSUPP); 822 } 823 824 return (0); 825 } 826 827 /* 828 * Handle all messages from userland to kernel. 829 */ 830 int 831 pfkeyv2_send(struct socket *socket, void *message, int len) 832 { 833 int i, j, rval = 0, mode = PFKEYV2_SENDMESSAGE_BROADCAST; 834 int delflag = 0, s; 835 struct sockaddr_encap encapdst, encapnetmask, encapgw; 836 struct ipsec_policy *ipo, *tmpipo; 837 struct ipsec_acquire *ipa; 838 839 struct pfkeyv2_socket *pfkeyv2_socket, *so = NULL; 840 841 void *freeme = NULL, *bckptr = NULL; 842 void *headers[SADB_EXT_MAX + 1]; 843 844 union sockaddr_union *sunionp; 845 846 struct tdb sa, *sa2 = NULL; 847 848 struct sadb_msg *smsg; 849 struct sadb_spirange *sprng; 850 struct sadb_sa *ssa; 851 struct sadb_supported *ssup; 852 struct sadb_ident *sid; 853 854 /* Verify that we received this over a legitimate pfkeyv2 socket */ 855 bzero(headers, sizeof(headers)); 856 857 for (pfkeyv2_socket = pfkeyv2_sockets; pfkeyv2_socket; 858 pfkeyv2_socket = pfkeyv2_socket->next) 859 if (pfkeyv2_socket->socket == socket) 860 break; 861 862 if (!pfkeyv2_socket) { 863 rval = EINVAL; 864 goto ret; 865 } 866 867 /* If we have any promiscuous listeners, send them a copy of the message */ 868 if (npromisc) { 869 struct mbuf *packet; 870 871 if (!(freeme = malloc(sizeof(struct sadb_msg) + len, M_PFKEY, 872 M_DONTWAIT))) { 873 rval = ENOMEM; 874 goto ret; 875 } 876 877 /* Initialize encapsulating header */ 878 bzero(freeme, sizeof(struct sadb_msg)); 879 smsg = (struct sadb_msg *) freeme; 880 smsg->sadb_msg_version = PF_KEY_V2; 881 smsg->sadb_msg_type = SADB_X_PROMISC; 882 smsg->sadb_msg_len = (sizeof(struct sadb_msg) + len) / 883 sizeof(uint64_t); 884 smsg->sadb_msg_seq = curproc->p_pid; 885 886 bcopy(message, freeme + sizeof(struct sadb_msg), len); 887 888 /* Convert to mbuf chain */ 889 if ((rval = pfdatatopacket(freeme, 890 sizeof(struct sadb_msg) + len, &packet)) != 0) 891 goto ret; 892 893 /* Send to all promiscuous listeners */ 894 for (so = pfkeyv2_sockets; so; so = so->next) 895 if (so->flags & PFKEYV2_SOCKETFLAGS_PROMISC) 896 pfkey_sendup(so->socket, packet, 1); 897 898 /* Paranoid */ 899 m_zero(packet); 900 m_freem(packet); 901 902 /* Even more paranoid */ 903 bzero(freeme, sizeof(struct sadb_msg) + len); 904 free(freeme, M_PFKEY); 905 freeme = NULL; 906 } 907 908 /* Validate message format */ 909 if ((rval = pfkeyv2_parsemessage(message, len, headers)) != 0) 910 goto ret; 911 912 smsg = (struct sadb_msg *) headers[0]; 913 switch (smsg->sadb_msg_type) { 914 case SADB_GETSPI: /* Reserve an SPI */ 915 bzero(&sa, sizeof(struct tdb)); 916 917 sa.tdb_satype = smsg->sadb_msg_satype; 918 if ((rval = pfkeyv2_get_proto_alg(sa.tdb_satype, 919 &sa.tdb_sproto, 0))) 920 goto ret; 921 922 import_address((struct sockaddr *) &sa.tdb_src, 923 headers[SADB_EXT_ADDRESS_SRC]); 924 import_address((struct sockaddr *) &sa.tdb_dst, 925 headers[SADB_EXT_ADDRESS_DST]); 926 927 /* Find an unused SA identifier */ 928 sprng = (struct sadb_spirange *) headers[SADB_EXT_SPIRANGE]; 929 sa.tdb_spi = reserve_spi(sprng->sadb_spirange_min, 930 sprng->sadb_spirange_max, &sa.tdb_src, &sa.tdb_dst, 931 sa.tdb_sproto, &rval); 932 if (sa.tdb_spi == 0) 933 goto ret; 934 935 /* Send a message back telling what the SA (the SPI really) is */ 936 if (!(freeme = malloc(sizeof(struct sadb_sa), M_PFKEY, 937 M_DONTWAIT | M_ZERO))) { 938 rval = ENOMEM; 939 goto ret; 940 } 941 942 headers[SADB_EXT_SPIRANGE] = NULL; 943 headers[SADB_EXT_SA] = freeme; 944 bckptr = freeme; 945 946 /* We really only care about the SPI, but we'll export the SA */ 947 export_sa((void **) &bckptr, &sa); 948 break; 949 950 case SADB_UPDATE: 951 ssa = (struct sadb_sa *) headers[SADB_EXT_SA]; 952 sunionp = (union sockaddr_union *) (headers[SADB_EXT_ADDRESS_DST] + 953 sizeof(struct sadb_address)); 954 955 /* Either all or none of the flow must be included */ 956 if ((headers[SADB_X_EXT_SRC_FLOW] || 957 headers[SADB_X_EXT_PROTOCOL] || 958 headers[SADB_X_EXT_FLOW_TYPE] || 959 headers[SADB_X_EXT_DST_FLOW] || 960 headers[SADB_X_EXT_SRC_MASK] || 961 headers[SADB_X_EXT_DST_MASK]) && 962 !(headers[SADB_X_EXT_SRC_FLOW] && 963 headers[SADB_X_EXT_PROTOCOL] && 964 headers[SADB_X_EXT_FLOW_TYPE] && 965 headers[SADB_X_EXT_DST_FLOW] && 966 headers[SADB_X_EXT_SRC_MASK] && 967 headers[SADB_X_EXT_DST_MASK])) { 968 rval = EINVAL; 969 goto ret; 970 } 971 #ifdef IPSEC 972 /* UDP encap has to be enabled and is only supported for ESP */ 973 if (headers[SADB_X_EXT_UDPENCAP] && 974 (!udpencap_enable || 975 smsg->sadb_msg_satype != SADB_SATYPE_ESP)) { 976 rval = EINVAL; 977 goto ret; 978 } 979 #endif /* IPSEC */ 980 981 s = spltdb(); 982 983 /* Find TDB */ 984 sa2 = gettdb(ssa->sadb_sa_spi, sunionp, 985 SADB_X_GETSPROTO(smsg->sadb_msg_satype)); 986 987 /* If there's no such SA, we're done */ 988 if (sa2 == NULL) { 989 rval = ESRCH; 990 goto splxret; 991 } 992 993 /* If this is a reserved SA */ 994 if (sa2->tdb_flags & TDBF_INVALID) { 995 struct tdb *newsa; 996 struct ipsecinit ii; 997 int alg; 998 999 /* Create new TDB */ 1000 freeme = tdb_alloc(); 1001 bzero(&ii, sizeof(struct ipsecinit)); 1002 1003 newsa = (struct tdb *) freeme; 1004 newsa->tdb_satype = smsg->sadb_msg_satype; 1005 1006 if ((rval = pfkeyv2_get_proto_alg(newsa->tdb_satype, 1007 &newsa->tdb_sproto, &alg))) { 1008 tdb_free(freeme); 1009 freeme = NULL; 1010 goto splxret; 1011 } 1012 1013 /* Initialize SA */ 1014 import_sa(newsa, headers[SADB_EXT_SA], &ii); 1015 import_address((struct sockaddr *) &newsa->tdb_src, 1016 headers[SADB_EXT_ADDRESS_SRC]); 1017 import_address((struct sockaddr *) &newsa->tdb_dst, 1018 headers[SADB_EXT_ADDRESS_DST]); 1019 import_address((struct sockaddr *) &newsa->tdb_proxy, 1020 headers[SADB_EXT_ADDRESS_PROXY]); 1021 import_lifetime(newsa, 1022 headers[SADB_EXT_LIFETIME_CURRENT], 1023 PFKEYV2_LIFETIME_CURRENT); 1024 import_lifetime(newsa, headers[SADB_EXT_LIFETIME_SOFT], 1025 PFKEYV2_LIFETIME_SOFT); 1026 import_lifetime(newsa, headers[SADB_EXT_LIFETIME_HARD], 1027 PFKEYV2_LIFETIME_HARD); 1028 import_key(&ii, headers[SADB_EXT_KEY_AUTH], 1029 PFKEYV2_AUTHENTICATION_KEY); 1030 import_key(&ii, headers[SADB_EXT_KEY_ENCRYPT], 1031 PFKEYV2_ENCRYPTION_KEY); 1032 import_identity(newsa, headers[SADB_EXT_IDENTITY_SRC], 1033 PFKEYV2_IDENTITY_SRC); 1034 import_identity(newsa, headers[SADB_EXT_IDENTITY_DST], 1035 PFKEYV2_IDENTITY_DST); 1036 import_credentials(newsa, 1037 headers[SADB_X_EXT_LOCAL_CREDENTIALS], 1038 PFKEYV2_CRED_LOCAL); 1039 import_credentials(newsa, 1040 headers[SADB_X_EXT_REMOTE_CREDENTIALS], 1041 PFKEYV2_CRED_REMOTE); 1042 import_auth(newsa, headers[SADB_X_EXT_LOCAL_AUTH], 1043 PFKEYV2_AUTH_LOCAL); 1044 import_auth(newsa, headers[SADB_X_EXT_REMOTE_AUTH], 1045 PFKEYV2_AUTH_REMOTE); 1046 import_flow(&newsa->tdb_filter, &newsa->tdb_filtermask, 1047 headers[SADB_X_EXT_SRC_FLOW], 1048 headers[SADB_X_EXT_SRC_MASK], 1049 headers[SADB_X_EXT_DST_FLOW], 1050 headers[SADB_X_EXT_DST_MASK], 1051 headers[SADB_X_EXT_PROTOCOL], 1052 headers[SADB_X_EXT_FLOW_TYPE]); 1053 import_udpencap(newsa, headers[SADB_X_EXT_UDPENCAP]); 1054 #if NPF > 0 1055 import_tag(newsa, headers[SADB_X_EXT_TAG]); 1056 #endif 1057 1058 headers[SADB_EXT_KEY_AUTH] = NULL; 1059 headers[SADB_EXT_KEY_ENCRYPT] = NULL; 1060 headers[SADB_X_EXT_LOCAL_AUTH] = NULL; 1061 1062 newsa->tdb_seq = smsg->sadb_msg_seq; 1063 1064 rval = tdb_init(newsa, alg, &ii); 1065 if (rval) { 1066 rval = EINVAL; 1067 tdb_free(freeme); 1068 freeme = NULL; 1069 goto splxret; 1070 } 1071 1072 newsa->tdb_cur_allocations = sa2->tdb_cur_allocations; 1073 1074 /* Delete old version of the SA, insert new one */ 1075 tdb_delete(sa2); 1076 puttdb((struct tdb *) freeme); 1077 sa2 = freeme = NULL; 1078 } else { 1079 /* 1080 * The SA is already initialized, so we're only allowed to 1081 * change lifetimes and some other information; we're 1082 * not allowed to change keys, addresses or identities. 1083 */ 1084 if (headers[SADB_EXT_ADDRESS_PROXY] || 1085 headers[SADB_EXT_KEY_AUTH] || 1086 headers[SADB_EXT_KEY_ENCRYPT] || 1087 headers[SADB_EXT_IDENTITY_SRC] || 1088 headers[SADB_EXT_IDENTITY_DST] || 1089 headers[SADB_EXT_SENSITIVITY]) { 1090 rval = EINVAL; 1091 goto splxret; 1092 } 1093 1094 import_sa(sa2, headers[SADB_EXT_SA], NULL); 1095 import_lifetime(sa2, 1096 headers[SADB_EXT_LIFETIME_CURRENT], 1097 PFKEYV2_LIFETIME_CURRENT); 1098 import_lifetime(sa2, headers[SADB_EXT_LIFETIME_SOFT], 1099 PFKEYV2_LIFETIME_SOFT); 1100 import_lifetime(sa2, headers[SADB_EXT_LIFETIME_HARD], 1101 PFKEYV2_LIFETIME_HARD); 1102 import_udpencap(sa2, headers[SADB_X_EXT_UDPENCAP]); 1103 #if NPF > 0 1104 import_tag(sa2, headers[SADB_X_EXT_TAG]); 1105 #endif 1106 } 1107 1108 splx(s); 1109 break; 1110 case SADB_ADD: 1111 ssa = (struct sadb_sa *) headers[SADB_EXT_SA]; 1112 sunionp = (union sockaddr_union *) (headers[SADB_EXT_ADDRESS_DST] + 1113 sizeof(struct sadb_address)); 1114 1115 /* Either all or none of the flow must be included */ 1116 if ((headers[SADB_X_EXT_SRC_FLOW] || 1117 headers[SADB_X_EXT_PROTOCOL] || 1118 headers[SADB_X_EXT_FLOW_TYPE] || 1119 headers[SADB_X_EXT_DST_FLOW] || 1120 headers[SADB_X_EXT_SRC_MASK] || 1121 headers[SADB_X_EXT_DST_MASK]) && 1122 !(headers[SADB_X_EXT_SRC_FLOW] && 1123 headers[SADB_X_EXT_PROTOCOL] && 1124 headers[SADB_X_EXT_FLOW_TYPE] && 1125 headers[SADB_X_EXT_DST_FLOW] && 1126 headers[SADB_X_EXT_SRC_MASK] && 1127 headers[SADB_X_EXT_DST_MASK])) { 1128 rval = EINVAL; 1129 goto ret; 1130 } 1131 #ifdef IPSEC 1132 /* UDP encap has to be enabled and is only supported for ESP */ 1133 if (headers[SADB_X_EXT_UDPENCAP] && 1134 (!udpencap_enable || 1135 smsg->sadb_msg_satype != SADB_SATYPE_ESP)) { 1136 rval = EINVAL; 1137 goto ret; 1138 } 1139 #endif /* IPSEC */ 1140 1141 s = spltdb(); 1142 1143 sa2 = gettdb(ssa->sadb_sa_spi, sunionp, 1144 SADB_X_GETSPROTO(smsg->sadb_msg_satype)); 1145 1146 /* We can't add an existing SA! */ 1147 if (sa2 != NULL) { 1148 rval = EEXIST; 1149 goto splxret; 1150 } 1151 1152 /* We can only add "mature" SAs */ 1153 if (ssa->sadb_sa_state != SADB_SASTATE_MATURE) { 1154 rval = EINVAL; 1155 goto splxret; 1156 } 1157 1158 /* Allocate and initialize new TDB */ 1159 freeme = tdb_alloc(); 1160 1161 { 1162 struct tdb *newsa = (struct tdb *) freeme; 1163 struct ipsecinit ii; 1164 int alg; 1165 1166 bzero(&ii, sizeof(struct ipsecinit)); 1167 1168 newsa->tdb_satype = smsg->sadb_msg_satype; 1169 if ((rval = pfkeyv2_get_proto_alg(newsa->tdb_satype, 1170 &newsa->tdb_sproto, &alg))) { 1171 tdb_free(freeme); 1172 freeme = NULL; 1173 goto splxret; 1174 } 1175 1176 import_sa(newsa, headers[SADB_EXT_SA], &ii); 1177 import_address((struct sockaddr *) &newsa->tdb_src, 1178 headers[SADB_EXT_ADDRESS_SRC]); 1179 import_address((struct sockaddr *) &newsa->tdb_dst, 1180 headers[SADB_EXT_ADDRESS_DST]); 1181 import_address((struct sockaddr *) &newsa->tdb_proxy, 1182 headers[SADB_EXT_ADDRESS_PROXY]); 1183 1184 import_lifetime(newsa, 1185 headers[SADB_EXT_LIFETIME_CURRENT], 1186 PFKEYV2_LIFETIME_CURRENT); 1187 import_lifetime(newsa, headers[SADB_EXT_LIFETIME_SOFT], 1188 PFKEYV2_LIFETIME_SOFT); 1189 import_lifetime(newsa, headers[SADB_EXT_LIFETIME_HARD], 1190 PFKEYV2_LIFETIME_HARD); 1191 1192 import_key(&ii, headers[SADB_EXT_KEY_AUTH], 1193 PFKEYV2_AUTHENTICATION_KEY); 1194 import_key(&ii, headers[SADB_EXT_KEY_ENCRYPT], 1195 PFKEYV2_ENCRYPTION_KEY); 1196 1197 import_identity(newsa, headers[SADB_EXT_IDENTITY_SRC], 1198 PFKEYV2_IDENTITY_SRC); 1199 import_identity(newsa, headers[SADB_EXT_IDENTITY_DST], 1200 PFKEYV2_IDENTITY_DST); 1201 1202 import_credentials(newsa, 1203 headers[SADB_X_EXT_LOCAL_CREDENTIALS], 1204 PFKEYV2_CRED_LOCAL); 1205 import_credentials(newsa, 1206 headers[SADB_X_EXT_REMOTE_CREDENTIALS], 1207 PFKEYV2_CRED_REMOTE); 1208 import_auth(newsa, headers[SADB_X_EXT_LOCAL_AUTH], 1209 PFKEYV2_AUTH_LOCAL); 1210 import_auth(newsa, headers[SADB_X_EXT_REMOTE_AUTH], 1211 PFKEYV2_AUTH_REMOTE); 1212 import_flow(&newsa->tdb_filter, &newsa->tdb_filtermask, 1213 headers[SADB_X_EXT_SRC_FLOW], 1214 headers[SADB_X_EXT_SRC_MASK], 1215 headers[SADB_X_EXT_DST_FLOW], 1216 headers[SADB_X_EXT_DST_MASK], 1217 headers[SADB_X_EXT_PROTOCOL], 1218 headers[SADB_X_EXT_FLOW_TYPE]); 1219 import_udpencap(newsa, headers[SADB_X_EXT_UDPENCAP]); 1220 #if NPF > 0 1221 import_tag(newsa, headers[SADB_X_EXT_TAG]); 1222 #endif 1223 1224 headers[SADB_EXT_KEY_AUTH] = NULL; 1225 headers[SADB_EXT_KEY_ENCRYPT] = NULL; 1226 headers[SADB_X_EXT_LOCAL_AUTH] = NULL; 1227 1228 newsa->tdb_seq = smsg->sadb_msg_seq; 1229 1230 rval = tdb_init(newsa, alg, &ii); 1231 if (rval) { 1232 rval = EINVAL; 1233 tdb_free(freeme); 1234 freeme = NULL; 1235 goto splxret; 1236 } 1237 } 1238 1239 /* Add TDB in table */ 1240 puttdb((struct tdb *) freeme); 1241 1242 splx(s); 1243 1244 freeme = NULL; 1245 break; 1246 1247 case SADB_DELETE: 1248 ssa = (struct sadb_sa *) headers[SADB_EXT_SA]; 1249 sunionp = 1250 (union sockaddr_union *)(headers[SADB_EXT_ADDRESS_DST] + 1251 sizeof(struct sadb_address)); 1252 s = spltdb(); 1253 1254 sa2 = gettdb(ssa->sadb_sa_spi, sunionp, 1255 SADB_X_GETSPROTO(smsg->sadb_msg_satype)); 1256 if (sa2 == NULL) { 1257 rval = ESRCH; 1258 goto splxret; 1259 } 1260 1261 tdb_delete(sa2); 1262 1263 splx(s); 1264 1265 sa2 = NULL; 1266 break; 1267 1268 case SADB_X_ASKPOLICY: 1269 /* Get the relevant policy */ 1270 ipa = ipsec_get_acquire(((struct sadb_x_policy *) headers[SADB_X_EXT_POLICY])->sadb_x_policy_seq); 1271 if (ipa == NULL) { 1272 rval = ESRCH; 1273 goto ret; 1274 } 1275 1276 rval = pfkeyv2_policy(ipa, headers, &freeme); 1277 if (rval) 1278 mode = PFKEYV2_SENDMESSAGE_UNICAST; 1279 1280 break; 1281 1282 case SADB_GET: 1283 ssa = (struct sadb_sa *) headers[SADB_EXT_SA]; 1284 sunionp = 1285 (union sockaddr_union *)(headers[SADB_EXT_ADDRESS_DST] + 1286 sizeof(struct sadb_address)); 1287 1288 s = spltdb(); 1289 1290 sa2 = gettdb(ssa->sadb_sa_spi, sunionp, 1291 SADB_X_GETSPROTO(smsg->sadb_msg_satype)); 1292 if (sa2 == NULL) { 1293 rval = ESRCH; 1294 goto splxret; 1295 } 1296 1297 rval = pfkeyv2_get(sa2, headers, &freeme, NULL); 1298 if (rval) 1299 mode = PFKEYV2_SENDMESSAGE_UNICAST; 1300 1301 splx(s); 1302 1303 break; 1304 1305 case SADB_REGISTER: 1306 if (!(pfkeyv2_socket->flags & PFKEYV2_SOCKETFLAGS_REGISTERED)) { 1307 pfkeyv2_socket->flags |= PFKEYV2_SOCKETFLAGS_REGISTERED; 1308 nregistered++; 1309 } 1310 1311 i = sizeof(struct sadb_supported) + sizeof(ealgs); 1312 1313 if (!(freeme = malloc(i, M_PFKEY, M_DONTWAIT | M_ZERO))) { 1314 rval = ENOMEM; 1315 goto ret; 1316 } 1317 1318 ssup = (struct sadb_supported *) freeme; 1319 ssup->sadb_supported_len = i / sizeof(uint64_t); 1320 1321 { 1322 void *p = freeme + sizeof(struct sadb_supported); 1323 1324 bcopy(&ealgs[0], p, sizeof(ealgs)); 1325 } 1326 1327 headers[SADB_EXT_SUPPORTED_ENCRYPT] = freeme; 1328 1329 i = sizeof(struct sadb_supported) + sizeof(aalgs); 1330 1331 if (!(freeme = malloc(i, M_PFKEY, M_DONTWAIT | M_ZERO))) { 1332 rval = ENOMEM; 1333 goto ret; 1334 } 1335 1336 /* Keep track what this socket has registered for */ 1337 pfkeyv2_socket->registration |= (1 << ((struct sadb_msg *)message)->sadb_msg_satype); 1338 1339 ssup = (struct sadb_supported *) freeme; 1340 ssup->sadb_supported_len = i / sizeof(uint64_t); 1341 1342 { 1343 void *p = freeme + sizeof(struct sadb_supported); 1344 1345 bcopy(&aalgs[0], p, sizeof(aalgs)); 1346 } 1347 1348 headers[SADB_EXT_SUPPORTED_AUTH] = freeme; 1349 1350 i = sizeof(struct sadb_supported) + sizeof(calgs); 1351 1352 if (!(freeme = malloc(i, M_PFKEY, M_DONTWAIT | M_ZERO))) { 1353 rval = ENOMEM; 1354 goto ret; 1355 } 1356 1357 ssup = (struct sadb_supported *) freeme; 1358 ssup->sadb_supported_len = i / sizeof(uint64_t); 1359 1360 { 1361 void *p = freeme + sizeof(struct sadb_supported); 1362 1363 bcopy(&calgs[0], p, sizeof(calgs)); 1364 } 1365 1366 headers[SADB_X_EXT_SUPPORTED_COMP] = freeme; 1367 1368 break; 1369 1370 case SADB_ACQUIRE: 1371 case SADB_EXPIRE: 1372 /* Nothing to handle */ 1373 rval = 0; 1374 break; 1375 1376 case SADB_FLUSH: 1377 rval = 0; 1378 1379 switch (smsg->sadb_msg_satype) { 1380 case SADB_SATYPE_UNSPEC: 1381 s = spltdb(); 1382 1383 /* 1384 * Go through the list of policies, delete those that 1385 * are not socket-attached. 1386 */ 1387 for (ipo = TAILQ_FIRST(&ipsec_policy_head); 1388 ipo != NULL; ipo = tmpipo) { 1389 tmpipo = TAILQ_NEXT(ipo, ipo_list); 1390 if (!(ipo->ipo_flags & IPSP_POLICY_SOCKET)) 1391 ipsec_delete_policy(ipo); 1392 } 1393 splx(s); 1394 /* FALLTHROUGH */ 1395 case SADB_SATYPE_AH: 1396 case SADB_SATYPE_ESP: 1397 case SADB_X_SATYPE_IPIP: 1398 case SADB_X_SATYPE_IPCOMP: 1399 #ifdef TCP_SIGNATURE 1400 case SADB_X_SATYPE_TCPSIGNATURE: 1401 #endif /* TCP_SIGNATURE */ 1402 s = spltdb(); 1403 1404 tdb_walk(pfkeyv2_flush_walker, 1405 (u_int8_t *) &(smsg->sadb_msg_satype)); 1406 1407 splx(s); 1408 break; 1409 1410 default: 1411 rval = EINVAL; /* Unknown/unsupported type */ 1412 } 1413 1414 break; 1415 1416 case SADB_DUMP: 1417 { 1418 struct dump_state dump_state; 1419 dump_state.sadb_msg = (struct sadb_msg *) headers[0]; 1420 dump_state.socket = socket; 1421 1422 s = spltdb(); 1423 rval = tdb_walk(pfkeyv2_dump_walker, &dump_state); 1424 splx(s); 1425 1426 if (!rval) 1427 goto realret; 1428 1429 if ((rval == ENOMEM) || (rval == ENOBUFS)) 1430 rval = 0; 1431 } 1432 break; 1433 1434 case SADB_X_GRPSPIS: 1435 { 1436 struct tdb *tdb1, *tdb2, *tdb3; 1437 struct sadb_protocol *sa_proto; 1438 1439 ssa = (struct sadb_sa *) headers[SADB_EXT_SA]; 1440 sunionp = (union sockaddr_union *) (headers[SADB_EXT_ADDRESS_DST] + 1441 sizeof(struct sadb_address)); 1442 1443 s = spltdb(); 1444 1445 tdb1 = gettdb(ssa->sadb_sa_spi, sunionp, 1446 SADB_X_GETSPROTO(smsg->sadb_msg_satype)); 1447 if (tdb1 == NULL) { 1448 rval = ESRCH; 1449 goto splxret; 1450 } 1451 1452 ssa = (struct sadb_sa *) headers[SADB_X_EXT_SA2]; 1453 sunionp = (union sockaddr_union *) (headers[SADB_X_EXT_DST2] + 1454 sizeof(struct sadb_address)); 1455 sa_proto = ((struct sadb_protocol *) headers[SADB_X_EXT_PROTOCOL]); 1456 1457 tdb2 = gettdb(ssa->sadb_sa_spi, sunionp, 1458 SADB_X_GETSPROTO(sa_proto->sadb_protocol_proto)); 1459 if (tdb2 == NULL) { 1460 rval = ESRCH; 1461 goto splxret; 1462 } 1463 1464 /* Detect cycles */ 1465 for (tdb3 = tdb2; tdb3; tdb3 = tdb3->tdb_onext) 1466 if (tdb3 == tdb1) { 1467 rval = ESRCH; 1468 goto splxret; 1469 } 1470 1471 /* Maintenance */ 1472 if ((tdb1->tdb_onext) && 1473 (tdb1->tdb_onext->tdb_inext == tdb1)) 1474 tdb1->tdb_onext->tdb_inext = NULL; 1475 1476 if ((tdb2->tdb_inext) && 1477 (tdb2->tdb_inext->tdb_onext == tdb2)) 1478 tdb2->tdb_inext->tdb_onext = NULL; 1479 1480 /* Link them */ 1481 tdb1->tdb_onext = tdb2; 1482 tdb2->tdb_inext = tdb1; 1483 1484 splx(s); 1485 } 1486 break; 1487 1488 case SADB_X_DELFLOW: 1489 delflag = 1; 1490 /*FALLTHROUGH*/ 1491 case SADB_X_ADDFLOW: 1492 { 1493 struct sadb_protocol *sab; 1494 union sockaddr_union *ssrc; 1495 struct route_enc re; 1496 int exists = 0; 1497 1498 sab = (struct sadb_protocol *) headers[SADB_X_EXT_FLOW_TYPE]; 1499 1500 if ((sab->sadb_protocol_direction != IPSP_DIRECTION_IN) && 1501 (sab->sadb_protocol_direction != IPSP_DIRECTION_OUT)) { 1502 rval = EINVAL; 1503 goto ret; 1504 } 1505 1506 /* If the security protocol wasn't specified, pretend it was ESP */ 1507 if (smsg->sadb_msg_satype == 0) 1508 smsg->sadb_msg_satype = SADB_SATYPE_ESP; 1509 1510 if (headers[SADB_EXT_ADDRESS_DST]) 1511 sunionp = (union sockaddr_union *) 1512 (headers[SADB_EXT_ADDRESS_DST] + 1513 sizeof(struct sadb_address)); 1514 else 1515 sunionp = NULL; 1516 1517 if (headers[SADB_EXT_ADDRESS_SRC]) 1518 ssrc = (union sockaddr_union *) 1519 (headers[SADB_EXT_ADDRESS_SRC] + 1520 sizeof(struct sadb_address)); 1521 else 1522 ssrc = NULL; 1523 1524 import_flow(&encapdst, &encapnetmask, 1525 headers[SADB_X_EXT_SRC_FLOW], headers[SADB_X_EXT_SRC_MASK], 1526 headers[SADB_X_EXT_DST_FLOW], headers[SADB_X_EXT_DST_MASK], 1527 headers[SADB_X_EXT_PROTOCOL], headers[SADB_X_EXT_FLOW_TYPE]); 1528 1529 /* Determine whether the exact same SPD entry already exists. */ 1530 bzero(&encapgw, sizeof(struct sockaddr_encap)); 1531 bzero(&re, sizeof(struct route_enc)); 1532 bcopy(&encapdst, &re.re_dst, sizeof(struct sockaddr_encap)); 1533 1534 s = spltdb(); 1535 1536 rtalloc((struct route *) &re); 1537 if (re.re_rt != NULL) { 1538 ipo = ((struct sockaddr_encap *) re.re_rt->rt_gateway)->sen_ipsp; 1539 RTFREE(re.re_rt); 1540 1541 /* Verify that the entry is identical */ 1542 if (bcmp(&ipo->ipo_addr, &encapdst, 1543 sizeof(struct sockaddr_encap)) || 1544 bcmp(&ipo->ipo_mask, &encapnetmask, 1545 sizeof(struct sockaddr_encap))) 1546 ipo = NULL; /* Fall through */ 1547 else 1548 exists = 1; 1549 } else 1550 ipo = NULL; 1551 1552 /* 1553 * If the existing policy is static, only delete or update 1554 * it if the new one is also static. 1555 */ 1556 if (exists && (ipo->ipo_flags & IPSP_POLICY_STATIC)) { 1557 if (!(sab->sadb_protocol_flags & 1558 SADB_X_POLICYFLAGS_POLICY)) { 1559 splx(s); 1560 goto ret; 1561 } 1562 } 1563 1564 /* Delete ? */ 1565 if (delflag) { 1566 if (exists) { 1567 rval = ipsec_delete_policy(ipo); 1568 splx(s); 1569 goto ret; 1570 } 1571 1572 /* If we were asked to delete something non-existent, error. */ 1573 splx(s); 1574 rval = ESRCH; 1575 break; 1576 } 1577 1578 if (!exists) { 1579 if (ipsec_policy_pool_initialized == 0) { 1580 ipsec_policy_pool_initialized = 1; 1581 pool_init(&ipsec_policy_pool, 1582 sizeof(struct ipsec_policy), 0, 0, 0, 1583 "ipsec policy", NULL); 1584 } 1585 1586 /* Allocate policy entry */ 1587 ipo = pool_get(&ipsec_policy_pool, 0); 1588 if (ipo == NULL) { 1589 splx(s); 1590 rval = ENOMEM; 1591 goto ret; 1592 } 1593 1594 bzero(ipo, sizeof(struct ipsec_policy)); 1595 ipo->ipo_ref_count = 1; 1596 TAILQ_INIT(&ipo->ipo_acquires); 1597 1598 /* Finish initialization of SPD entry */ 1599 encapgw.sen_len = SENT_LEN; 1600 encapgw.sen_family = PF_KEY; 1601 encapgw.sen_type = SENT_IPSP; 1602 encapgw.sen_ipsp = ipo; 1603 1604 /* Initialize policy entry */ 1605 bcopy(&encapdst, &ipo->ipo_addr, 1606 sizeof(struct sockaddr_encap)); 1607 bcopy(&encapnetmask, &ipo->ipo_mask, 1608 sizeof(struct sockaddr_encap)); 1609 } 1610 1611 switch (((struct sadb_protocol *) headers[SADB_X_EXT_FLOW_TYPE])->sadb_protocol_proto) { 1612 case SADB_X_FLOW_TYPE_USE: 1613 ipo->ipo_type = IPSP_IPSEC_USE; 1614 break; 1615 1616 case SADB_X_FLOW_TYPE_ACQUIRE: 1617 ipo->ipo_type = IPSP_IPSEC_ACQUIRE; 1618 break; 1619 1620 case SADB_X_FLOW_TYPE_REQUIRE: 1621 ipo->ipo_type = IPSP_IPSEC_REQUIRE; 1622 break; 1623 1624 case SADB_X_FLOW_TYPE_DENY: 1625 ipo->ipo_type = IPSP_DENY; 1626 break; 1627 1628 case SADB_X_FLOW_TYPE_BYPASS: 1629 ipo->ipo_type = IPSP_PERMIT; 1630 break; 1631 1632 case SADB_X_FLOW_TYPE_DONTACQ: 1633 ipo->ipo_type = IPSP_IPSEC_DONTACQ; 1634 break; 1635 1636 default: 1637 if (!exists) 1638 pool_put(&ipsec_policy_pool, ipo); 1639 else 1640 ipsec_delete_policy(ipo); 1641 1642 splx(s); 1643 rval = EINVAL; 1644 goto ret; 1645 } 1646 1647 if (sab->sadb_protocol_flags & SADB_X_POLICYFLAGS_POLICY) 1648 ipo->ipo_flags |= IPSP_POLICY_STATIC; 1649 1650 if (sunionp) 1651 bcopy(sunionp, &ipo->ipo_dst, 1652 sizeof(union sockaddr_union)); 1653 else 1654 bzero(&ipo->ipo_dst, sizeof(union sockaddr_union)); 1655 1656 if (ssrc) 1657 bcopy(ssrc, &ipo->ipo_src, 1658 sizeof(union sockaddr_union)); 1659 else 1660 bzero(&ipo->ipo_src, sizeof(union sockaddr_union)); 1661 1662 ipo->ipo_sproto = SADB_X_GETSPROTO(smsg->sadb_msg_satype); 1663 1664 if (ipo->ipo_srcid) { 1665 ipsp_reffree(ipo->ipo_srcid); 1666 ipo->ipo_srcid = NULL; 1667 } 1668 1669 if (ipo->ipo_dstid) { 1670 ipsp_reffree(ipo->ipo_dstid); 1671 ipo->ipo_dstid = NULL; 1672 } 1673 1674 if ((sid = headers[SADB_EXT_IDENTITY_SRC]) != NULL) { 1675 int clen = (sid->sadb_ident_len * sizeof(u_int64_t)) - 1676 sizeof(struct sadb_ident); 1677 1678 ipo->ipo_srcid = malloc(clen + sizeof(struct ipsec_ref), 1679 M_CREDENTIALS, M_DONTWAIT); 1680 if (ipo->ipo_srcid == NULL) { 1681 if (exists) 1682 ipsec_delete_policy(ipo); 1683 else 1684 pool_put(&ipsec_policy_pool, ipo); 1685 splx(s); 1686 rval = ENOBUFS; 1687 goto ret; 1688 } 1689 ipo->ipo_srcid->ref_type = sid->sadb_ident_type; 1690 ipo->ipo_srcid->ref_len = clen; 1691 ipo->ipo_srcid->ref_count = 1; 1692 ipo->ipo_srcid->ref_malloctype = M_CREDENTIALS; 1693 bcopy(sid + 1, ipo->ipo_srcid + 1, ipo->ipo_srcid->ref_len); 1694 } 1695 1696 if ((sid = headers[SADB_EXT_IDENTITY_DST]) != NULL) { 1697 int clen = (sid->sadb_ident_len * sizeof(u_int64_t)) - 1698 sizeof(struct sadb_ident); 1699 1700 ipo->ipo_dstid = malloc(clen + sizeof(struct ipsec_ref), 1701 M_CREDENTIALS, M_DONTWAIT); 1702 if (ipo->ipo_dstid == NULL) { 1703 if (exists) 1704 ipsec_delete_policy(ipo); 1705 else { 1706 if (ipo->ipo_dstid) 1707 ipsp_reffree(ipo->ipo_dstid); 1708 pool_put(&ipsec_policy_pool, ipo); 1709 } 1710 1711 splx(s); 1712 rval = ENOBUFS; 1713 goto ret; 1714 } 1715 ipo->ipo_dstid->ref_type = sid->sadb_ident_type; 1716 ipo->ipo_dstid->ref_len = clen; 1717 ipo->ipo_dstid->ref_count = 1; 1718 ipo->ipo_dstid->ref_malloctype = M_CREDENTIALS; 1719 bcopy(sid + 1, ipo->ipo_dstid + 1, 1720 ipo->ipo_dstid->ref_len); 1721 } 1722 1723 /* Flow type */ 1724 if (!exists) { 1725 /* Add SPD entry */ 1726 struct rt_addrinfo info; 1727 1728 bzero(&info, sizeof(info)); 1729 info.rti_info[RTAX_DST] = (struct sockaddr *)&encapdst; 1730 info.rti_info[RTAX_GATEWAY] = 1731 (struct sockaddr *)&encapgw; 1732 info.rti_info[RTAX_NETMASK] = 1733 (struct sockaddr *)&encapnetmask; 1734 info.rti_flags = RTF_UP | RTF_GATEWAY | RTF_STATIC; 1735 if ((rval = rtrequest1(RTM_ADD, &info, RTP_DEFAULT, 1736 NULL, 0)) != 0) { 1737 /* Remove from linked list of policies on TDB */ 1738 if (ipo->ipo_tdb) 1739 TAILQ_REMOVE(&ipo->ipo_tdb->tdb_policy_head, 1740 ipo, ipo_tdb_next); 1741 1742 if (ipo->ipo_srcid) 1743 ipsp_reffree(ipo->ipo_srcid); 1744 if (ipo->ipo_dstid) 1745 ipsp_reffree(ipo->ipo_dstid); 1746 pool_put(&ipsec_policy_pool, ipo); 1747 1748 splx(s); 1749 goto ret; 1750 } 1751 1752 TAILQ_INSERT_HEAD(&ipsec_policy_head, ipo, ipo_list); 1753 ipsec_in_use++; 1754 } else { 1755 ipo->ipo_last_searched = ipo->ipo_flags = 0; 1756 } 1757 1758 splx(s); 1759 } 1760 break; 1761 1762 case SADB_X_PROMISC: 1763 if (len >= 2 * sizeof(struct sadb_msg)) { 1764 struct mbuf *packet; 1765 1766 if ((rval = pfdatatopacket(message, len, &packet)) != 0) 1767 goto ret; 1768 1769 for (so = pfkeyv2_sockets; so; so = so->next) 1770 if ((so != pfkeyv2_socket) && 1771 (!smsg->sadb_msg_seq || 1772 (smsg->sadb_msg_seq == pfkeyv2_socket->pid))) 1773 pfkey_sendup(so->socket, packet, 1); 1774 1775 m_freem(packet); 1776 } else { 1777 if (len != sizeof(struct sadb_msg)) { 1778 rval = EINVAL; 1779 goto ret; 1780 } 1781 1782 i = (pfkeyv2_socket->flags & 1783 PFKEYV2_SOCKETFLAGS_PROMISC) ? 1 : 0; 1784 j = smsg->sadb_msg_satype ? 1 : 0; 1785 1786 if (i ^ j) { 1787 if (j) { 1788 pfkeyv2_socket->flags |= 1789 PFKEYV2_SOCKETFLAGS_PROMISC; 1790 npromisc++; 1791 } else { 1792 pfkeyv2_socket->flags &= 1793 ~PFKEYV2_SOCKETFLAGS_PROMISC; 1794 npromisc--; 1795 } 1796 } 1797 } 1798 1799 1800 break; 1801 1802 default: 1803 rval = EINVAL; 1804 goto ret; 1805 } 1806 1807 ret: 1808 if (rval) { 1809 if ((rval == EINVAL) || (rval == ENOMEM) || (rval == ENOBUFS)) 1810 goto realret; 1811 1812 for (i = 1; i <= SADB_EXT_MAX; i++) 1813 headers[i] = NULL; 1814 1815 smsg->sadb_msg_errno = abs(rval); 1816 } else { 1817 uint64_t seen = 0LL; 1818 1819 for (i = 1; i <= SADB_EXT_MAX; i++) 1820 if (headers[i]) 1821 seen |= (1LL << i); 1822 1823 if ((seen & sadb_exts_allowed_out[smsg->sadb_msg_type]) 1824 != seen) 1825 goto realret; 1826 1827 if ((seen & sadb_exts_required_out[smsg->sadb_msg_type]) != 1828 sadb_exts_required_out[smsg->sadb_msg_type]) 1829 goto realret; 1830 } 1831 1832 rval = pfkeyv2_sendmessage(headers, mode, socket, 0, 0); 1833 1834 realret: 1835 if (freeme) 1836 free(freeme, M_PFKEY); 1837 1838 free(message, M_PFKEY); 1839 1840 return (rval); 1841 1842 splxret: 1843 splx(s); 1844 goto ret; 1845 } 1846 1847 /* 1848 * Send an ACQUIRE message to key management, to get a new SA. 1849 */ 1850 int 1851 pfkeyv2_acquire(struct ipsec_policy *ipo, union sockaddr_union *gw, 1852 union sockaddr_union *laddr, u_int32_t *seq, struct sockaddr_encap *ddst) 1853 { 1854 void *p, *headers[SADB_EXT_MAX + 1], *buffer = NULL; 1855 struct sadb_ident *srcid, *dstid; 1856 struct sadb_x_cred *lcred, *lauth; 1857 struct sadb_comb *sadb_comb; 1858 struct sadb_address *sadd; 1859 struct sadb_prop *sa_prop; 1860 struct sadb_msg *smsg; 1861 int rval = 0; 1862 int i, j; 1863 1864 *seq = pfkeyv2_seq++; 1865 1866 if (!nregistered) { 1867 rval = ESRCH; 1868 goto ret; 1869 } 1870 1871 /* How large a buffer do we need... XXX we only do one proposal for now */ 1872 i = sizeof(struct sadb_msg) + 1873 (laddr == NULL ? 0 : sizeof(struct sadb_address) + 1874 PADUP(SA_LEN(&ipo->ipo_src.sa))) + 1875 sizeof(struct sadb_address) + PADUP(SA_LEN(&gw->sa)) + 1876 sizeof(struct sadb_prop) + 1 * sizeof(struct sadb_comb); 1877 1878 if (ipo->ipo_srcid) 1879 i += sizeof(struct sadb_ident) + PADUP(ipo->ipo_srcid->ref_len); 1880 1881 if (ipo->ipo_dstid) 1882 i += sizeof(struct sadb_ident) + PADUP(ipo->ipo_dstid->ref_len); 1883 1884 if (ipo->ipo_local_cred) 1885 i += sizeof(struct sadb_x_cred) + PADUP(ipo->ipo_local_cred->ref_len); 1886 1887 if (ipo->ipo_local_auth) 1888 i += sizeof(struct sadb_x_cred) + PADUP(ipo->ipo_local_auth->ref_len); 1889 1890 /* Allocate */ 1891 if (!(p = malloc(i, M_PFKEY, M_DONTWAIT | M_ZERO))) { 1892 rval = ENOMEM; 1893 goto ret; 1894 } 1895 1896 bzero(headers, sizeof(headers)); 1897 1898 buffer = p; 1899 1900 headers[0] = p; 1901 p += sizeof(struct sadb_msg); 1902 1903 smsg = (struct sadb_msg *) headers[0]; 1904 smsg->sadb_msg_version = PF_KEY_V2; 1905 smsg->sadb_msg_type = SADB_ACQUIRE; 1906 smsg->sadb_msg_len = i / sizeof(uint64_t); 1907 smsg->sadb_msg_seq = *seq; 1908 1909 if (ipo->ipo_sproto == IPPROTO_ESP) 1910 smsg->sadb_msg_satype = SADB_SATYPE_ESP; 1911 else if (ipo->ipo_sproto == IPPROTO_AH) 1912 smsg->sadb_msg_satype = SADB_SATYPE_AH; 1913 else if (ipo->ipo_sproto == IPPROTO_IPCOMP) 1914 smsg->sadb_msg_satype = SADB_X_SATYPE_IPCOMP; 1915 1916 if (laddr) { 1917 headers[SADB_EXT_ADDRESS_SRC] = p; 1918 p += sizeof(struct sadb_address) + PADUP(SA_LEN(&laddr->sa)); 1919 sadd = (struct sadb_address *) headers[SADB_EXT_ADDRESS_SRC]; 1920 sadd->sadb_address_len = (sizeof(struct sadb_address) + 1921 SA_LEN(&laddr->sa) + sizeof(uint64_t) - 1) / 1922 sizeof(uint64_t); 1923 bcopy(laddr, headers[SADB_EXT_ADDRESS_SRC] + 1924 sizeof(struct sadb_address), SA_LEN(&laddr->sa)); 1925 } 1926 1927 headers[SADB_EXT_ADDRESS_DST] = p; 1928 p += sizeof(struct sadb_address) + PADUP(SA_LEN(&gw->sa)); 1929 sadd = (struct sadb_address *) headers[SADB_EXT_ADDRESS_DST]; 1930 sadd->sadb_address_len = (sizeof(struct sadb_address) + 1931 SA_LEN(&gw->sa) + sizeof(uint64_t) - 1) / sizeof(uint64_t); 1932 bcopy(gw, headers[SADB_EXT_ADDRESS_DST] + sizeof(struct sadb_address), 1933 SA_LEN(&gw->sa)); 1934 1935 if (ipo->ipo_srcid) { 1936 headers[SADB_EXT_IDENTITY_SRC] = p; 1937 p += sizeof(struct sadb_ident) + PADUP(ipo->ipo_srcid->ref_len); 1938 srcid = (struct sadb_ident *) headers[SADB_EXT_IDENTITY_SRC]; 1939 srcid->sadb_ident_len = (sizeof(struct sadb_ident) + 1940 PADUP(ipo->ipo_srcid->ref_len)) / sizeof(u_int64_t); 1941 srcid->sadb_ident_type = ipo->ipo_srcid->ref_type; 1942 bcopy(ipo->ipo_srcid + 1, headers[SADB_EXT_IDENTITY_SRC] + 1943 sizeof(struct sadb_ident), ipo->ipo_srcid->ref_len); 1944 } 1945 1946 if (ipo->ipo_dstid) { 1947 headers[SADB_EXT_IDENTITY_DST] = p; 1948 p += sizeof(struct sadb_ident) + PADUP(ipo->ipo_dstid->ref_len); 1949 dstid = (struct sadb_ident *) headers[SADB_EXT_IDENTITY_DST]; 1950 dstid->sadb_ident_len = (sizeof(struct sadb_ident) + 1951 PADUP(ipo->ipo_dstid->ref_len)) / sizeof(u_int64_t); 1952 dstid->sadb_ident_type = ipo->ipo_dstid->ref_type; 1953 bcopy(ipo->ipo_dstid + 1, headers[SADB_EXT_IDENTITY_DST] + 1954 sizeof(struct sadb_ident), ipo->ipo_dstid->ref_len); 1955 } 1956 1957 if (ipo->ipo_local_cred) { 1958 headers[SADB_X_EXT_LOCAL_CREDENTIALS] = p; 1959 p += sizeof(struct sadb_x_cred) + PADUP(ipo->ipo_local_cred->ref_len); 1960 lcred = (struct sadb_x_cred *) headers[SADB_X_EXT_LOCAL_CREDENTIALS]; 1961 lcred->sadb_x_cred_len = (sizeof(struct sadb_x_cred) + 1962 PADUP(ipo->ipo_local_cred->ref_len)) / sizeof(u_int64_t); 1963 switch (ipo->ipo_local_cred->ref_type) { 1964 case IPSP_CRED_KEYNOTE: 1965 lcred->sadb_x_cred_type = SADB_X_CREDTYPE_KEYNOTE; 1966 break; 1967 case IPSP_CRED_X509: 1968 lcred->sadb_x_cred_type = SADB_X_CREDTYPE_X509; 1969 break; 1970 } 1971 bcopy(ipo->ipo_local_cred + 1, headers[SADB_X_EXT_LOCAL_CREDENTIALS] + 1972 sizeof(struct sadb_x_cred), ipo->ipo_local_cred->ref_len); 1973 } 1974 1975 if (ipo->ipo_local_auth) { 1976 headers[SADB_X_EXT_LOCAL_AUTH] = p; 1977 p += sizeof(struct sadb_x_cred) + PADUP(ipo->ipo_local_auth->ref_len); 1978 lauth = (struct sadb_x_cred *) headers[SADB_X_EXT_LOCAL_AUTH]; 1979 lauth->sadb_x_cred_len = (sizeof(struct sadb_x_cred) + 1980 PADUP(ipo->ipo_local_auth->ref_len)) / sizeof(u_int64_t); 1981 switch (ipo->ipo_local_auth->ref_type) { 1982 case IPSP_AUTH_PASSPHRASE: 1983 lauth->sadb_x_cred_type = SADB_X_AUTHTYPE_PASSPHRASE; 1984 break; 1985 case IPSP_AUTH_RSA: 1986 lauth->sadb_x_cred_type = SADB_X_AUTHTYPE_RSA; 1987 break; 1988 } 1989 1990 bcopy(ipo->ipo_local_auth + 1, headers[SADB_X_EXT_LOCAL_AUTH] + 1991 sizeof(struct sadb_x_cred), ipo->ipo_local_auth->ref_len); 1992 } 1993 1994 headers[SADB_EXT_PROPOSAL] = p; 1995 p += sizeof(struct sadb_prop); 1996 sa_prop = (struct sadb_prop *) headers[SADB_EXT_PROPOSAL]; 1997 sa_prop->sadb_prop_num = 1; /* XXX One proposal only */ 1998 sa_prop->sadb_prop_len = (sizeof(struct sadb_prop) + 1999 (sizeof(struct sadb_comb) * sa_prop->sadb_prop_num)) / 2000 sizeof(uint64_t); 2001 2002 sadb_comb = p; 2003 2004 /* XXX Should actually ask the crypto layer what's supported */ 2005 for (j = 0; j < sa_prop->sadb_prop_num; j++) { 2006 sadb_comb->sadb_comb_flags = 0; 2007 2008 if (ipsec_require_pfs) 2009 sadb_comb->sadb_comb_flags |= SADB_SAFLAGS_PFS; 2010 2011 /* Set the encryption algorithm */ 2012 if (ipo->ipo_sproto == IPPROTO_ESP) { 2013 if (!strncasecmp(ipsec_def_enc, "aes", 2014 sizeof("aes"))) { 2015 sadb_comb->sadb_comb_encrypt = SADB_X_EALG_AES; 2016 sadb_comb->sadb_comb_encrypt_minbits = 128; 2017 sadb_comb->sadb_comb_encrypt_maxbits = 256; 2018 } else if (!strncasecmp(ipsec_def_enc, "aesctr", 2019 sizeof("aesctr"))) { 2020 sadb_comb->sadb_comb_encrypt = SADB_X_EALG_AESCTR; 2021 sadb_comb->sadb_comb_encrypt_minbits = 128+32; 2022 sadb_comb->sadb_comb_encrypt_maxbits = 256+32; 2023 } else if (!strncasecmp(ipsec_def_enc, "3des", 2024 sizeof("3des"))) { 2025 sadb_comb->sadb_comb_encrypt = SADB_EALG_3DESCBC; 2026 sadb_comb->sadb_comb_encrypt_minbits = 192; 2027 sadb_comb->sadb_comb_encrypt_maxbits = 192; 2028 } else if (!strncasecmp(ipsec_def_enc, "des", 2029 sizeof("des"))) { 2030 sadb_comb->sadb_comb_encrypt = SADB_EALG_DESCBC; 2031 sadb_comb->sadb_comb_encrypt_minbits = 64; 2032 sadb_comb->sadb_comb_encrypt_maxbits = 64; 2033 } else if (!strncasecmp(ipsec_def_enc, "blowfish", 2034 sizeof("blowfish"))) { 2035 sadb_comb->sadb_comb_encrypt = SADB_X_EALG_BLF; 2036 sadb_comb->sadb_comb_encrypt_minbits = 40; 2037 sadb_comb->sadb_comb_encrypt_maxbits = BLF_MAXKEYLEN * 8; 2038 } else if (!strncasecmp(ipsec_def_enc, "skipjack", 2039 sizeof("skipjack"))) { 2040 sadb_comb->sadb_comb_encrypt = SADB_X_EALG_SKIPJACK; 2041 sadb_comb->sadb_comb_encrypt_minbits = 80; 2042 sadb_comb->sadb_comb_encrypt_maxbits = 80; 2043 } else if (!strncasecmp(ipsec_def_enc, "cast128", 2044 sizeof("cast128"))) { 2045 sadb_comb->sadb_comb_encrypt = SADB_X_EALG_CAST; 2046 sadb_comb->sadb_comb_encrypt_minbits = 40; 2047 sadb_comb->sadb_comb_encrypt_maxbits = 128; 2048 } 2049 } else if (ipo->ipo_sproto == IPPROTO_IPCOMP) { 2050 /* Set the compression algorithm */ 2051 if (!strncasecmp(ipsec_def_comp, "deflate", 2052 sizeof("deflate"))) { 2053 sadb_comb->sadb_comb_encrypt = SADB_X_CALG_DEFLATE; 2054 sadb_comb->sadb_comb_encrypt_minbits = 0; 2055 sadb_comb->sadb_comb_encrypt_maxbits = 0; 2056 } else if (!strncasecmp(ipsec_def_comp, "lzs", 2057 sizeof("lzs"))) { 2058 sadb_comb->sadb_comb_encrypt = SADB_X_CALG_LZS; 2059 sadb_comb->sadb_comb_encrypt_minbits = 0; 2060 sadb_comb->sadb_comb_encrypt_maxbits = 0; 2061 } 2062 } 2063 2064 /* Set the authentication algorithm */ 2065 if (!strncasecmp(ipsec_def_auth, "hmac-sha1", 2066 sizeof("hmac-sha1"))) { 2067 sadb_comb->sadb_comb_auth = SADB_AALG_SHA1HMAC; 2068 sadb_comb->sadb_comb_auth_minbits = 160; 2069 sadb_comb->sadb_comb_auth_maxbits = 160; 2070 } else if (!strncasecmp(ipsec_def_auth, "hmac-ripemd160", 2071 sizeof("hmac_ripemd160"))) { 2072 sadb_comb->sadb_comb_auth = SADB_X_AALG_RIPEMD160HMAC; 2073 sadb_comb->sadb_comb_auth_minbits = 160; 2074 sadb_comb->sadb_comb_auth_maxbits = 160; 2075 } else if (!strncasecmp(ipsec_def_auth, "hmac-md5", 2076 sizeof("hmac-md5"))) { 2077 sadb_comb->sadb_comb_auth = SADB_AALG_MD5HMAC; 2078 sadb_comb->sadb_comb_auth_minbits = 128; 2079 sadb_comb->sadb_comb_auth_maxbits = 128; 2080 } else if (!strncasecmp(ipsec_def_auth, "hmac-sha2-256", 2081 sizeof("hmac-sha2-256"))) { 2082 sadb_comb->sadb_comb_auth = SADB_X_AALG_SHA2_256; 2083 sadb_comb->sadb_comb_auth_minbits = 256; 2084 sadb_comb->sadb_comb_auth_maxbits = 256; 2085 } else if (!strncasecmp(ipsec_def_auth, "hmac-sha2-384", 2086 sizeof("hmac-sha2-384"))) { 2087 sadb_comb->sadb_comb_auth = SADB_X_AALG_SHA2_384; 2088 sadb_comb->sadb_comb_auth_minbits = 384; 2089 sadb_comb->sadb_comb_auth_maxbits = 384; 2090 } else if (!strncasecmp(ipsec_def_auth, "hmac-sha2-512", 2091 sizeof("hmac-sha2-512"))) { 2092 sadb_comb->sadb_comb_auth = SADB_X_AALG_SHA2_512; 2093 sadb_comb->sadb_comb_auth_minbits = 512; 2094 sadb_comb->sadb_comb_auth_maxbits = 512; 2095 } 2096 2097 sadb_comb->sadb_comb_soft_allocations = ipsec_soft_allocations; 2098 sadb_comb->sadb_comb_hard_allocations = ipsec_exp_allocations; 2099 2100 sadb_comb->sadb_comb_soft_bytes = ipsec_soft_bytes; 2101 sadb_comb->sadb_comb_hard_bytes = ipsec_exp_bytes; 2102 2103 sadb_comb->sadb_comb_soft_addtime = ipsec_soft_timeout; 2104 sadb_comb->sadb_comb_hard_addtime = ipsec_exp_timeout; 2105 2106 sadb_comb->sadb_comb_soft_usetime = ipsec_soft_first_use; 2107 sadb_comb->sadb_comb_hard_usetime = ipsec_exp_first_use; 2108 sadb_comb++; 2109 } 2110 2111 /* Send the ACQUIRE message to all compliant registered listeners. */ 2112 if ((rval = pfkeyv2_sendmessage(headers, 2113 PFKEYV2_SENDMESSAGE_REGISTERED, NULL, smsg->sadb_msg_satype, 0)) 2114 != 0) 2115 goto ret; 2116 2117 rval = 0; 2118 ret: 2119 if (buffer != NULL) { 2120 bzero(buffer, i); 2121 free(buffer, M_PFKEY); 2122 } 2123 2124 return (rval); 2125 } 2126 2127 /* 2128 * Notify key management that an expiration went off. The second argument 2129 * specifies the type of expiration (soft or hard). 2130 */ 2131 int 2132 pfkeyv2_expire(struct tdb *sa, u_int16_t type) 2133 { 2134 void *p, *headers[SADB_EXT_MAX+1], *buffer = NULL; 2135 struct sadb_msg *smsg; 2136 int rval = 0; 2137 int i; 2138 2139 switch (sa->tdb_sproto) { 2140 case IPPROTO_AH: 2141 case IPPROTO_ESP: 2142 case IPPROTO_IPIP: 2143 case IPPROTO_IPCOMP: 2144 #ifdef TCP_SIGNATURE 2145 case IPPROTO_TCP: 2146 #endif /* TCP_SIGNATURE */ 2147 break; 2148 2149 default: 2150 rval = EOPNOTSUPP; 2151 goto ret; 2152 } 2153 2154 i = sizeof(struct sadb_msg) + sizeof(struct sadb_sa) + 2155 2 * sizeof(struct sadb_lifetime) + 2156 sizeof(struct sadb_address) + PADUP(SA_LEN(&sa->tdb_src.sa)) + 2157 sizeof(struct sadb_address) + PADUP(SA_LEN(&sa->tdb_dst.sa)); 2158 2159 if (!(p = malloc(i, M_PFKEY, M_DONTWAIT | M_ZERO))) { 2160 rval = ENOMEM; 2161 goto ret; 2162 } 2163 2164 bzero(headers, sizeof(headers)); 2165 2166 buffer = p; 2167 2168 headers[0] = p; 2169 p += sizeof(struct sadb_msg); 2170 2171 smsg = (struct sadb_msg *) headers[0]; 2172 smsg->sadb_msg_version = PF_KEY_V2; 2173 smsg->sadb_msg_type = SADB_EXPIRE; 2174 smsg->sadb_msg_satype = sa->tdb_satype; 2175 smsg->sadb_msg_len = i / sizeof(uint64_t); 2176 smsg->sadb_msg_seq = pfkeyv2_seq++; 2177 2178 headers[SADB_EXT_SA] = p; 2179 export_sa(&p, sa); 2180 2181 headers[SADB_EXT_LIFETIME_CURRENT] = p; 2182 export_lifetime(&p, sa, 2); 2183 2184 headers[type] = p; 2185 export_lifetime(&p, sa, type == SADB_EXT_LIFETIME_SOFT ? 2186 PFKEYV2_LIFETIME_SOFT : PFKEYV2_LIFETIME_HARD); 2187 2188 headers[SADB_EXT_ADDRESS_SRC] = p; 2189 export_address(&p, (struct sockaddr *) &sa->tdb_src); 2190 2191 headers[SADB_EXT_ADDRESS_DST] = p; 2192 export_address(&p, (struct sockaddr *) &sa->tdb_dst); 2193 2194 if ((rval = pfkeyv2_sendmessage(headers, PFKEYV2_SENDMESSAGE_BROADCAST, 2195 NULL, 0, 0)) != 0) 2196 goto ret; 2197 2198 rval = 0; 2199 2200 ret: 2201 if (buffer != NULL) { 2202 bzero(buffer, i); 2203 free(buffer, M_PFKEY); 2204 } 2205 2206 return (rval); 2207 } 2208 2209 struct pfkeyv2_sysctl_walk { 2210 void *w_where; 2211 size_t w_len; 2212 int w_op; 2213 u_int8_t w_satype; 2214 }; 2215 2216 int 2217 pfkeyv2_sysctl_walker(struct tdb *sa, void *arg, int last) 2218 { 2219 struct pfkeyv2_sysctl_walk *w = (struct pfkeyv2_sysctl_walk *)arg; 2220 void *buffer = NULL; 2221 int error = 0; 2222 int buflen, i; 2223 2224 if (w->w_satype != SADB_SATYPE_UNSPEC && 2225 w->w_satype != sa->tdb_satype) 2226 return (0); 2227 2228 if (w->w_where) { 2229 void *headers[SADB_EXT_MAX+1]; 2230 struct sadb_msg msg; 2231 2232 bzero(headers, sizeof(headers)); 2233 if ((error = pfkeyv2_get(sa, headers, &buffer, &buflen)) != 0) 2234 goto done; 2235 if (w->w_len < sizeof(msg) + buflen) { 2236 error = ENOMEM; 2237 goto done; 2238 } 2239 /* prepend header */ 2240 bzero(&msg, sizeof(msg)); 2241 msg.sadb_msg_version = PF_KEY_V2; 2242 msg.sadb_msg_satype = sa->tdb_satype; 2243 msg.sadb_msg_type = SADB_DUMP; 2244 msg.sadb_msg_len = (sizeof(msg) + buflen) / sizeof(uint64_t); 2245 if ((error = copyout(&msg, w->w_where, sizeof(msg))) != 0) 2246 goto done; 2247 w->w_where += sizeof(msg); 2248 w->w_len -= sizeof(msg); 2249 /* set extension type */ 2250 for (i = 1; i <= SADB_EXT_MAX; i++) 2251 if (headers[i]) 2252 ((struct sadb_ext *) 2253 headers[i])->sadb_ext_type = i; 2254 if ((error = copyout(buffer, w->w_where, buflen)) != 0) 2255 goto done; 2256 w->w_where += buflen; 2257 w->w_len -= buflen; 2258 } else { 2259 if ((error = pfkeyv2_get(sa, NULL, NULL, &buflen)) != 0) 2260 return (error); 2261 w->w_len += buflen; 2262 w->w_len += sizeof(struct sadb_msg); 2263 } 2264 2265 done: 2266 if (buffer) 2267 free(buffer, M_PFKEY); 2268 return (error); 2269 } 2270 2271 int 2272 pfkeyv2_dump_policy(struct ipsec_policy *ipo, void **headers, void **buffer, 2273 int *lenp) 2274 { 2275 struct sadb_ident *ident; 2276 int i, rval, perm; 2277 void *p; 2278 2279 /* Find how much space we need. */ 2280 i = 2 * sizeof(struct sadb_protocol); 2281 2282 /* We'll need four of them: src, src mask, dst, dst mask. */ 2283 switch (ipo->ipo_addr.sen_type) { 2284 #ifdef INET 2285 case SENT_IP4: 2286 i += 4 * PADUP(sizeof(struct sockaddr_in)); 2287 i += 4 * sizeof(struct sadb_address); 2288 break; 2289 #endif /* INET */ 2290 #ifdef INET6 2291 case SENT_IP6: 2292 i += 4 * PADUP(sizeof(struct sockaddr_in6)); 2293 i += 4 * sizeof(struct sadb_address); 2294 break; 2295 #endif /* INET6 */ 2296 default: 2297 return (EINVAL); 2298 } 2299 2300 /* Local address, might be zeroed. */ 2301 switch (ipo->ipo_src.sa.sa_family) { 2302 case 0: 2303 break; 2304 #ifdef INET 2305 case AF_INET: 2306 i += PADUP(sizeof(struct sockaddr_in)); 2307 i += sizeof(struct sadb_address); 2308 break; 2309 #endif /* INET */ 2310 #ifdef INET6 2311 case AF_INET6: 2312 i += PADUP(sizeof(struct sockaddr_in6)); 2313 i += sizeof(struct sadb_address); 2314 break; 2315 #endif /* INET6 */ 2316 default: 2317 return (EINVAL); 2318 } 2319 2320 /* Remote address, might be zeroed. XXX ??? */ 2321 switch (ipo->ipo_dst.sa.sa_family) { 2322 case 0: 2323 break; 2324 #ifdef INET 2325 case AF_INET: 2326 i += PADUP(sizeof(struct sockaddr_in)); 2327 i += sizeof(struct sadb_address); 2328 break; 2329 #endif /* INET */ 2330 #ifdef INET6 2331 case AF_INET6: 2332 i += PADUP(sizeof(struct sockaddr_in6)); 2333 i += sizeof(struct sadb_address); 2334 break; 2335 #endif /* INET6 */ 2336 default: 2337 return (EINVAL); 2338 } 2339 2340 if (ipo->ipo_srcid) 2341 i += sizeof(struct sadb_ident) + PADUP(ipo->ipo_srcid->ref_len); 2342 if (ipo->ipo_dstid) 2343 i += sizeof(struct sadb_ident) + PADUP(ipo->ipo_dstid->ref_len); 2344 2345 if (lenp) 2346 *lenp = i; 2347 2348 if (buffer == NULL) { 2349 rval = 0; 2350 goto ret; 2351 } 2352 2353 if (!(p = malloc(i, M_PFKEY, M_DONTWAIT | M_ZERO))) { 2354 rval = ENOMEM; 2355 goto ret; 2356 } else 2357 *buffer = p; 2358 2359 /* Local address. */ 2360 if (ipo->ipo_src.sa.sa_family) { 2361 headers[SADB_EXT_ADDRESS_SRC] = p; 2362 export_address(&p, (struct sockaddr *)&ipo->ipo_src); 2363 } 2364 2365 /* Remote address. */ 2366 if (ipo->ipo_dst.sa.sa_family) { 2367 headers[SADB_EXT_ADDRESS_DST] = p; 2368 export_address(&p, (struct sockaddr *)&ipo->ipo_dst); 2369 } 2370 2371 /* Get actual flow. */ 2372 export_flow(&p, ipo->ipo_type, &ipo->ipo_addr, &ipo->ipo_mask, 2373 headers); 2374 2375 /* Add ids only when we are root. */ 2376 perm = suser(curproc, 0); 2377 if (perm == 0 && ipo->ipo_srcid) { 2378 headers[SADB_EXT_IDENTITY_SRC] = p; 2379 p += sizeof(struct sadb_ident) + PADUP(ipo->ipo_srcid->ref_len); 2380 ident = (struct sadb_ident *)headers[SADB_EXT_IDENTITY_SRC]; 2381 ident->sadb_ident_len = (sizeof(struct sadb_ident) + 2382 PADUP(ipo->ipo_srcid->ref_len)) / sizeof(uint64_t); 2383 ident->sadb_ident_type = ipo->ipo_srcid->ref_type; 2384 bcopy(ipo->ipo_srcid + 1, headers[SADB_EXT_IDENTITY_SRC] + 2385 sizeof(struct sadb_ident), ipo->ipo_srcid->ref_len); 2386 } 2387 if (perm == 0 && ipo->ipo_dstid) { 2388 headers[SADB_EXT_IDENTITY_DST] = p; 2389 p += sizeof(struct sadb_ident) + PADUP(ipo->ipo_dstid->ref_len); 2390 ident = (struct sadb_ident *)headers[SADB_EXT_IDENTITY_DST]; 2391 ident->sadb_ident_len = (sizeof(struct sadb_ident) + 2392 PADUP(ipo->ipo_dstid->ref_len)) / sizeof(uint64_t); 2393 ident->sadb_ident_type = ipo->ipo_dstid->ref_type; 2394 bcopy(ipo->ipo_dstid + 1, headers[SADB_EXT_IDENTITY_DST] + 2395 sizeof(struct sadb_ident), ipo->ipo_dstid->ref_len); 2396 } 2397 2398 rval = 0; 2399 ret: 2400 return (rval); 2401 } 2402 2403 /* 2404 * Caller is responsible for setting at least spltdb(). 2405 */ 2406 int 2407 pfkeyv2_ipo_walk(int (*walker)(struct ipsec_policy *, void *), void *arg) 2408 { 2409 int rval = 0; 2410 struct ipsec_policy *ipo; 2411 2412 TAILQ_FOREACH(ipo, &ipsec_policy_head, ipo_list) 2413 rval = walker(ipo, (void *)arg); 2414 return (rval); 2415 } 2416 2417 int 2418 pfkeyv2_sysctl_policydumper(struct ipsec_policy *ipo, void *arg) 2419 { 2420 struct pfkeyv2_sysctl_walk *w = (struct pfkeyv2_sysctl_walk *)arg; 2421 void *buffer = 0; 2422 int i, buflen, error = 0; 2423 2424 /* Do not dump policies attached to a socket. */ 2425 if (ipo->ipo_flags & IPSP_POLICY_SOCKET) 2426 return (0); 2427 2428 if (w->w_where) { 2429 void *headers[SADB_EXT_MAX + 1]; 2430 struct sadb_msg msg; 2431 2432 bzero(headers, sizeof(headers)); 2433 if ((error = pfkeyv2_dump_policy(ipo, headers, &buffer, 2434 &buflen)) != 0) 2435 goto done; 2436 if (w->w_len < buflen) { 2437 error = ENOMEM; 2438 goto done; 2439 } 2440 /* prepend header */ 2441 bzero(&msg, sizeof(msg)); 2442 msg.sadb_msg_version = PF_KEY_V2; 2443 if (ipo->ipo_sproto == IPPROTO_ESP) 2444 msg.sadb_msg_satype = SADB_SATYPE_ESP; 2445 else if (ipo->ipo_sproto == IPPROTO_AH) 2446 msg.sadb_msg_satype = SADB_SATYPE_AH; 2447 else if (ipo->ipo_sproto == IPPROTO_IPCOMP) 2448 msg.sadb_msg_satype = SADB_X_SATYPE_IPCOMP; 2449 else if (ipo->ipo_sproto == IPPROTO_IPIP) 2450 msg.sadb_msg_satype = SADB_X_SATYPE_IPIP; 2451 msg.sadb_msg_type = SADB_X_SPDDUMP; 2452 msg.sadb_msg_len = (sizeof(msg) + buflen) / sizeof(uint64_t); 2453 if ((error = copyout(&msg, w->w_where, sizeof(msg))) != 0) 2454 goto done; 2455 w->w_where += sizeof(msg); 2456 w->w_len -= sizeof(msg); 2457 /* set extension type */ 2458 for (i = 1; i < SADB_EXT_MAX; i++) 2459 if (headers[i]) 2460 ((struct sadb_ext *) 2461 headers[i])->sadb_ext_type = i; 2462 if ((error = copyout(buffer, w->w_where, buflen)) != 0) 2463 goto done; 2464 w->w_where += buflen; 2465 w->w_len -= buflen; 2466 } else { 2467 if ((error = pfkeyv2_dump_policy(ipo, NULL, NULL, 2468 &buflen)) != 0) 2469 goto done; 2470 w->w_len += buflen; 2471 w->w_len += sizeof(struct sadb_msg); 2472 } 2473 2474 done: 2475 if (buffer) 2476 free(buffer, M_PFKEY); 2477 return (error); 2478 } 2479 2480 int 2481 pfkeyv2_sysctl(int *name, u_int namelen, void *oldp, size_t *oldlenp, 2482 void *new, size_t newlen) 2483 { 2484 struct pfkeyv2_sysctl_walk w; 2485 int s, error = EINVAL; 2486 2487 if (new) 2488 return (EPERM); 2489 if (namelen < 1) 2490 return (EINVAL); 2491 w.w_op = name[0]; 2492 w.w_satype = name[1]; 2493 w.w_where = oldp; 2494 w.w_len = oldp ? *oldlenp : 0; 2495 2496 switch(w.w_op) { 2497 case NET_KEY_SADB_DUMP: 2498 if ((error = suser(curproc, 0)) != 0) 2499 return (error); 2500 s = spltdb(); 2501 error = tdb_walk(pfkeyv2_sysctl_walker, &w); 2502 splx(s); 2503 if (oldp) 2504 *oldlenp = w.w_where - oldp; 2505 else 2506 *oldlenp = w.w_len; 2507 break; 2508 2509 case NET_KEY_SPD_DUMP: 2510 s = spltdb(); 2511 error = pfkeyv2_ipo_walk(pfkeyv2_sysctl_policydumper, &w); 2512 splx(s); 2513 if (oldp) 2514 *oldlenp = w.w_where - oldp; 2515 else 2516 *oldlenp = w.w_len; 2517 break; 2518 } 2519 2520 return (error); 2521 } 2522 2523 int 2524 pfkeyv2_init(void) 2525 { 2526 int rval; 2527 2528 bzero(&pfkeyv2_version, sizeof(struct pfkey_version)); 2529 pfkeyv2_version.protocol = PFKEYV2_PROTOCOL; 2530 pfkeyv2_version.create = &pfkeyv2_create; 2531 pfkeyv2_version.release = &pfkeyv2_release; 2532 pfkeyv2_version.send = &pfkeyv2_send; 2533 pfkeyv2_version.sysctl = &pfkeyv2_sysctl; 2534 2535 rval = pfkey_register(&pfkeyv2_version); 2536 return (rval); 2537 } 2538 2539 int 2540 pfkeyv2_cleanup(void) 2541 { 2542 pfkey_unregister(&pfkeyv2_version); 2543 return (0); 2544 } 2545