1 /* $OpenBSD: pfkeyv2.c,v 1.89 2003/07/24 09:59:02 itojun Exp $ */ 2 3 /* 4 * @(#)COPYRIGHT 1.1 (NRL) 17 January 1995 5 * 6 * NRL grants permission for redistribution and use in source and binary 7 * forms, with or without modification, of the software and documentation 8 * created at NRL provided that the following conditions are met: 9 * 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 3. All advertising materials mentioning features or use of this software 16 * must display the following acknowledgements: 17 * This product includes software developed by the University of 18 * California, Berkeley and its contributors. 19 * This product includes software developed at the Information 20 * Technology Division, US Naval Research Laboratory. 21 * 4. Neither the name of the NRL nor the names of its contributors 22 * may be used to endorse or promote products derived from this software 23 * without specific prior written permission. 24 * 25 * THE SOFTWARE PROVIDED BY NRL IS PROVIDED BY NRL AND CONTRIBUTORS ``AS 26 * IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED 27 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A 28 * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL NRL OR 29 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, 30 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, 31 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 32 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 33 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING 34 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 35 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 36 * 37 * The views and conclusions contained in the software and documentation 38 * are those of the authors and should not be interpreted as representing 39 * official policies, either expressed or implied, of the US Naval 40 * Research Laboratory (NRL). 41 */ 42 43 /* 44 * Copyright (c) 1995, 1996, 1997, 1998, 1999 Craig Metz. All rights reserved. 45 * 46 * Redistribution and use in source and binary forms, with or without 47 * modification, are permitted provided that the following conditions 48 * are met: 49 * 1. Redistributions of source code must retain the above copyright 50 * notice, this list of conditions and the following disclaimer. 51 * 2. Redistributions in binary form must reproduce the above copyright 52 * notice, this list of conditions and the following disclaimer in the 53 * documentation and/or other materials provided with the distribution. 54 * 3. Neither the name of the author nor the names of any contributors 55 * may be used to endorse or promote products derived from this software 56 * without specific prior written permission. 57 * 58 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 59 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 60 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 61 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 62 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 63 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 64 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 65 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 66 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 67 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 68 * SUCH DAMAGE. 69 */ 70 71 #include <sys/types.h> 72 #include <sys/param.h> 73 #include <sys/socket.h> 74 #include <sys/systm.h> 75 #include <sys/mbuf.h> 76 #include <sys/kernel.h> 77 #include <sys/proc.h> 78 #include <net/route.h> 79 #include <netinet/ip_ipsp.h> 80 #include <net/pfkeyv2.h> 81 #include <netinet/ip_ah.h> 82 #include <netinet/ip_esp.h> 83 #include <netinet/ip_ipcomp.h> 84 #include <crypto/blf.h> 85 86 #define PFKEYV2_PROTOCOL 2 87 #define GETSPI_TRIES 10 88 89 /* Static globals */ 90 static struct pfkeyv2_socket *pfkeyv2_sockets = NULL; 91 static struct pfkey_version pfkeyv2_version; 92 static uint32_t pfkeyv2_seq = 1; 93 static int nregistered = 0; 94 static int npromisc = 0; 95 96 static const struct sadb_alg ealgs[] = { 97 { SADB_EALG_DESCBC, 64, 64, 64 }, 98 { SADB_EALG_3DESCBC, 64, 192, 192 }, 99 { SADB_X_EALG_BLF, 64, 40, BLF_MAXKEYLEN * 8}, 100 { SADB_X_EALG_CAST, 64, 40, 128}, 101 { SADB_X_EALG_SKIPJACK, 64, 80, 80}, 102 { SADB_X_EALG_AES, 128, 64, 256} 103 }; 104 105 static const struct sadb_alg aalgs[] = { 106 { SADB_AALG_SHA1HMAC, 0, 160, 160 }, 107 { SADB_AALG_MD5HMAC, 0, 128, 128 }, 108 { SADB_X_AALG_RIPEMD160HMAC, 0, 160, 160 }, 109 { SADB_X_AALG_SHA2_256, 0, 256, 256 }, 110 { SADB_X_AALG_SHA2_384, 0, 384, 384 }, 111 { SADB_X_AALG_SHA2_512, 0, 512, 512 } 112 }; 113 114 static const struct sadb_alg calgs[] = { 115 { SADB_X_CALG_DEFLATE, 0, 0, 0}, 116 { SADB_X_CALG_LZS, 0, 0, 0} 117 }; 118 119 extern uint32_t sadb_exts_allowed_out[SADB_MAX+1]; 120 extern uint32_t sadb_exts_required_out[SADB_MAX+1]; 121 122 extern struct pool ipsec_policy_pool; 123 124 /* 125 * Wrapper around m_devget(); copy data from contiguous buffer to mbuf 126 * chain. 127 */ 128 int 129 pfdatatopacket(void *data, int len, struct mbuf **packet) { 130 if (!(*packet = m_devget(data, len, 0, NULL, NULL))) 131 return (ENOMEM); 132 return (0); 133 } 134 135 /* 136 * Create a new PF_KEYv2 socket. 137 */ 138 int 139 pfkeyv2_create(struct socket *socket) { 140 struct pfkeyv2_socket *pfkeyv2_socket; 141 142 if (!(pfkeyv2_socket = malloc(sizeof(struct pfkeyv2_socket), 143 M_PFKEY, M_DONTWAIT))) 144 return (ENOMEM); 145 146 bzero(pfkeyv2_socket, sizeof(struct pfkeyv2_socket)); 147 pfkeyv2_socket->next = pfkeyv2_sockets; 148 pfkeyv2_socket->socket = socket; 149 pfkeyv2_socket->pid = curproc->p_pid; 150 151 pfkeyv2_sockets = pfkeyv2_socket; 152 153 return (0); 154 } 155 156 /* 157 * Close a PF_KEYv2 socket. 158 */ 159 int 160 pfkeyv2_release(struct socket *socket) 161 { 162 struct pfkeyv2_socket **pp; 163 164 for (pp = &pfkeyv2_sockets; *pp && ((*pp)->socket != socket); 165 pp = &((*pp)->next)) 166 /*EMPTY*/; 167 168 if (*pp) { 169 struct pfkeyv2_socket *pfkeyv2_socket; 170 171 pfkeyv2_socket = *pp; 172 *pp = (*pp)->next; 173 174 if (pfkeyv2_socket->flags & PFKEYV2_SOCKETFLAGS_REGISTERED) 175 nregistered--; 176 177 if (pfkeyv2_socket->flags & PFKEYV2_SOCKETFLAGS_PROMISC) 178 npromisc--; 179 180 free(pfkeyv2_socket, M_PFKEY); 181 } 182 183 return (0); 184 } 185 186 /* 187 * Send a PFKEYv2 message, possibly to many receivers, based on the 188 * satype of the socket (which is set by the REGISTER message), and the 189 * third argument. 190 */ 191 int 192 pfkeyv2_sendmessage(void **headers, int mode, struct socket *socket, 193 u_int8_t satype, int count) 194 { 195 int i, j, rval; 196 void *p, *buffer = NULL; 197 struct mbuf *packet; 198 struct pfkeyv2_socket *s; 199 struct sadb_msg *smsg; 200 201 /* Find out how much space we'll need... */ 202 j = sizeof(struct sadb_msg); 203 204 for (i = 1; i <= SADB_EXT_MAX; i++) 205 if (headers[i]) 206 j += ((struct sadb_ext *)headers[i])->sadb_ext_len * 207 sizeof(uint64_t); 208 209 /* ...and allocate it */ 210 if (!(buffer = malloc(j + sizeof(struct sadb_msg), M_PFKEY, 211 M_DONTWAIT))) { 212 rval = ENOMEM; 213 goto ret; 214 } 215 216 p = buffer + sizeof(struct sadb_msg); 217 bcopy(headers[0], p, sizeof(struct sadb_msg)); 218 ((struct sadb_msg *) p)->sadb_msg_len = j / sizeof(uint64_t); 219 p += sizeof(struct sadb_msg); 220 221 /* Copy payloads in the packet */ 222 for (i = 1; i <= SADB_EXT_MAX; i++) 223 if (headers[i]) { 224 ((struct sadb_ext *) headers[i])->sadb_ext_type = i; 225 bcopy(headers[i], p, EXTLEN(headers[i])); 226 p += EXTLEN(headers[i]); 227 } 228 229 if ((rval = pfdatatopacket(buffer + sizeof(struct sadb_msg), 230 j, &packet)) != 0) 231 goto ret; 232 233 switch (mode) { 234 case PFKEYV2_SENDMESSAGE_UNICAST: 235 /* 236 * Send message to the specified socket, plus all 237 * promiscuous listeners. 238 */ 239 pfkey_sendup(socket, packet, 0); 240 241 /* 242 * Promiscuous messages contain the original message 243 * encapsulated in another sadb_msg header. 244 */ 245 bzero(buffer, sizeof(struct sadb_msg)); 246 smsg = (struct sadb_msg *) buffer; 247 smsg->sadb_msg_version = PF_KEY_V2; 248 smsg->sadb_msg_type = SADB_X_PROMISC; 249 smsg->sadb_msg_len = (sizeof(struct sadb_msg) + j) / 250 sizeof(uint64_t); 251 smsg->sadb_msg_seq = 0; 252 253 /* Copy to mbuf chain */ 254 if ((rval = pfdatatopacket(buffer, sizeof(struct sadb_msg) + j, 255 &packet)) != 0) 256 goto ret; 257 258 /* 259 * Search for promiscuous listeners, skipping the 260 * original destination. 261 */ 262 for (s = pfkeyv2_sockets; s; s = s->next) 263 if ((s->flags & PFKEYV2_SOCKETFLAGS_PROMISC) && 264 (s->socket != socket)) 265 pfkey_sendup(s->socket, packet, 1); 266 267 /* Done, let's be a bit paranoid */ 268 m_zero(packet); 269 m_freem(packet); 270 break; 271 272 case PFKEYV2_SENDMESSAGE_REGISTERED: 273 /* 274 * Send the message to all registered sockets that match 275 * the specified satype (e.g., all IPSEC-ESP negotiators) 276 */ 277 for (s = pfkeyv2_sockets; s; s = s->next) 278 if (s->flags & PFKEYV2_SOCKETFLAGS_REGISTERED) { 279 if (!satype) /* Just send to everyone registered */ 280 pfkey_sendup(s->socket, packet, 1); 281 else { 282 /* Check for specified satype */ 283 if ((1 << satype) & s->registration) 284 pfkey_sendup(s->socket, packet, 1); 285 } 286 } 287 288 /* Free last/original copy of the packet */ 289 m_freem(packet); 290 291 /* Encapsulate the original message "inside" an sadb_msg header */ 292 bzero(buffer, sizeof(struct sadb_msg)); 293 smsg = (struct sadb_msg *) buffer; 294 smsg->sadb_msg_version = PF_KEY_V2; 295 smsg->sadb_msg_type = SADB_X_PROMISC; 296 smsg->sadb_msg_len = (sizeof(struct sadb_msg) + j) / 297 sizeof(uint64_t); 298 smsg->sadb_msg_seq = 0; 299 300 /* Convert to mbuf chain */ 301 if ((rval = pfdatatopacket(buffer, sizeof(struct sadb_msg) + j, 302 &packet)) != 0) 303 goto ret; 304 305 /* Send to all registered promiscuous listeners */ 306 for (s = pfkeyv2_sockets; s; s = s->next) 307 if ((s->flags & PFKEYV2_SOCKETFLAGS_PROMISC) && 308 !(s->flags & PFKEYV2_SOCKETFLAGS_REGISTERED)) 309 pfkey_sendup(s->socket, packet, 1); 310 311 m_freem(packet); 312 break; 313 314 case PFKEYV2_SENDMESSAGE_BROADCAST: 315 /* Send message to all sockets */ 316 for (s = pfkeyv2_sockets; s; s = s->next) 317 pfkey_sendup(s->socket, packet, 1); 318 319 m_freem(packet); 320 break; 321 } 322 323 ret: 324 if (buffer != NULL) { 325 bzero(buffer, j + sizeof(struct sadb_msg)); 326 free(buffer, M_PFKEY); 327 } 328 329 return (rval); 330 } 331 332 /* 333 * Get SPD information for an ACQUIRE. We setup the message such that 334 * the SRC/DST payloads are relative to us (regardless of whether the 335 * SPD rule was for incoming or outgoing packets). 336 */ 337 int 338 pfkeyv2_policy(struct ipsec_acquire *ipa, void **headers, void **buffer) 339 { 340 union sockaddr_union sunion; 341 struct sadb_protocol *sp; 342 int rval, i, dir; 343 void *p; 344 345 /* Find out how big a buffer we need */ 346 i = 4 * sizeof(struct sadb_address) + sizeof(struct sadb_protocol); 347 bzero(&sunion, sizeof(union sockaddr_union)); 348 349 switch (ipa->ipa_info.sen_type) { 350 #ifdef INET 351 case SENT_IP4: 352 i += 4 * PADUP(sizeof(struct sockaddr_in)); 353 sunion.sa.sa_family = AF_INET; 354 sunion.sa.sa_len = sizeof(struct sockaddr_in); 355 dir = ipa->ipa_info.sen_direction; 356 break; 357 #endif /* INET */ 358 359 #ifdef INET6 360 case SENT_IP6: 361 i += 4 * PADUP(sizeof(struct sockaddr_in6)); 362 sunion.sa.sa_family = AF_INET6; 363 sunion.sa.sa_len = sizeof(struct sockaddr_in6); 364 dir = ipa->ipa_info.sen_ip6_direction; 365 break; 366 #endif /* INET6 */ 367 368 default: 369 return (EINVAL); 370 } 371 372 if (!(p = malloc(i, M_PFKEY, M_DONTWAIT))) { 373 rval = ENOMEM; 374 goto ret; 375 } else { 376 *buffer = p; 377 bzero(p, i); 378 } 379 380 if (dir == IPSP_DIRECTION_OUT) 381 headers[SADB_X_EXT_SRC_FLOW] = p; 382 else 383 headers[SADB_X_EXT_DST_FLOW] = p; 384 switch (sunion.sa.sa_family) { 385 #ifdef INET 386 case AF_INET: 387 sunion.sin.sin_addr = ipa->ipa_info.sen_ip_src; 388 sunion.sin.sin_port = ipa->ipa_info.sen_sport; 389 break; 390 #endif /* INET */ 391 392 #ifdef INET6 393 case AF_INET6: 394 sunion.sin6.sin6_addr = ipa->ipa_info.sen_ip6_src; 395 sunion.sin6.sin6_port = ipa->ipa_info.sen_ip6_sport; 396 break; 397 #endif /* INET6 */ 398 } 399 export_address(&p, (struct sockaddr *) &sunion); 400 401 if (dir == IPSP_DIRECTION_OUT) 402 headers[SADB_X_EXT_SRC_MASK] = p; 403 else 404 headers[SADB_X_EXT_DST_MASK] = p; 405 switch (sunion.sa.sa_family) { 406 #ifdef INET 407 case AF_INET: 408 sunion.sin.sin_addr = ipa->ipa_mask.sen_ip_src; 409 sunion.sin.sin_port = ipa->ipa_mask.sen_sport; 410 break; 411 #endif /* INET */ 412 413 #ifdef INET6 414 case AF_INET6: 415 sunion.sin6.sin6_addr = ipa->ipa_mask.sen_ip6_src; 416 sunion.sin6.sin6_port = ipa->ipa_mask.sen_ip6_sport; 417 break; 418 #endif /* INET6 */ 419 } 420 export_address(&p, (struct sockaddr *) &sunion); 421 422 if (dir == IPSP_DIRECTION_OUT) 423 headers[SADB_X_EXT_DST_FLOW] = p; 424 else 425 headers[SADB_X_EXT_SRC_FLOW] = p; 426 switch (sunion.sa.sa_family) { 427 #ifdef INET 428 case AF_INET: 429 sunion.sin.sin_addr = ipa->ipa_info.sen_ip_dst; 430 sunion.sin.sin_port = ipa->ipa_info.sen_dport; 431 break; 432 #endif /* INET */ 433 434 #ifdef INET6 435 case AF_INET6: 436 sunion.sin6.sin6_addr = ipa->ipa_info.sen_ip6_dst; 437 sunion.sin6.sin6_port = ipa->ipa_info.sen_ip6_dport; 438 break; 439 #endif /* INET6 */ 440 } 441 export_address(&p, (struct sockaddr *) &sunion); 442 443 if (dir == IPSP_DIRECTION_OUT) 444 headers[SADB_X_EXT_DST_MASK] = p; 445 else 446 headers[SADB_X_EXT_SRC_MASK] = p; 447 switch (sunion.sa.sa_family) { 448 #ifdef INET 449 case AF_INET: 450 sunion.sin.sin_addr = ipa->ipa_mask.sen_ip_dst; 451 sunion.sin.sin_port = ipa->ipa_mask.sen_dport; 452 break; 453 #endif /* INET */ 454 455 #ifdef INET6 456 case AF_INET6: 457 sunion.sin6.sin6_addr = ipa->ipa_mask.sen_ip6_dst; 458 sunion.sin6.sin6_port = ipa->ipa_mask.sen_ip6_dport; 459 break; 460 #endif /* INET6 */ 461 } 462 export_address(&p, (struct sockaddr *) &sunion); 463 464 headers[SADB_X_EXT_FLOW_TYPE] = p; 465 sp = p; 466 sp->sadb_protocol_len = sizeof(struct sadb_protocol) / 467 sizeof(u_int64_t); 468 switch (sunion.sa.sa_family) { 469 #ifdef INET 470 case AF_INET: 471 if (ipa->ipa_mask.sen_proto) 472 sp->sadb_protocol_proto = ipa->ipa_info.sen_proto; 473 sp->sadb_protocol_direction = ipa->ipa_info.sen_direction; 474 break; 475 #endif /* INET */ 476 477 #ifdef INET6 478 case AF_INET6: 479 if (ipa->ipa_mask.sen_ip6_proto) 480 sp->sadb_protocol_proto = ipa->ipa_info.sen_ip6_proto; 481 sp->sadb_protocol_direction = ipa->ipa_info.sen_ip6_direction; 482 break; 483 #endif /* INET6 */ 484 } 485 486 rval = 0; 487 488 ret: 489 return (rval); 490 } 491 492 /* 493 * Get all the information contained in an SA to a PFKEYV2 message. 494 */ 495 int 496 pfkeyv2_get(struct tdb *sa, void **headers, void **buffer) 497 { 498 int rval, i; 499 void *p; 500 501 /* Find how much space we need */ 502 i = sizeof(struct sadb_sa) + sizeof(struct sadb_lifetime); 503 504 if (sa->tdb_soft_allocations || sa->tdb_soft_bytes || 505 sa->tdb_soft_timeout || sa->tdb_soft_first_use) 506 i += sizeof(struct sadb_lifetime); 507 508 if (sa->tdb_exp_allocations || sa->tdb_exp_bytes || 509 sa->tdb_exp_timeout || sa->tdb_exp_first_use) 510 i += sizeof(struct sadb_lifetime); 511 512 if (sa->tdb_src.sa.sa_family) 513 i += sizeof(struct sadb_address) + PADUP(SA_LEN(&sa->tdb_src.sa)); 514 515 if (sa->tdb_dst.sa.sa_family) 516 i += sizeof(struct sadb_address) + PADUP(SA_LEN(&sa->tdb_dst.sa)); 517 518 if (sa->tdb_proxy.sa.sa_family) 519 i += sizeof(struct sadb_address) + PADUP(SA_LEN(&sa->tdb_proxy.sa)); 520 521 if (sa->tdb_srcid) 522 i += PADUP(sa->tdb_srcid->ref_len) + sizeof(struct sadb_ident); 523 524 if (sa->tdb_dstid) 525 i += PADUP(sa->tdb_dstid->ref_len) + sizeof(struct sadb_ident); 526 527 if (sa->tdb_local_cred) 528 i += PADUP(sa->tdb_local_cred->ref_len) + sizeof(struct sadb_x_cred); 529 530 if (sa->tdb_remote_cred) 531 i += PADUP(sa->tdb_remote_cred->ref_len) + sizeof(struct sadb_x_cred); 532 533 if (sa->tdb_local_auth) 534 i += PADUP(sa->tdb_local_auth->ref_len) + sizeof(struct sadb_x_cred); 535 536 if (sa->tdb_remote_auth) 537 i += PADUP(sa->tdb_remote_auth->ref_len) + sizeof(struct sadb_x_cred); 538 539 if (sa->tdb_amxkey) 540 i+= PADUP(sa->tdb_amxkeylen) + sizeof(struct sadb_key); 541 542 if (sa->tdb_emxkey) 543 i+= PADUP(sa->tdb_emxkeylen) + sizeof(struct sadb_key); 544 545 if (!(p = malloc(i, M_PFKEY, M_DONTWAIT))) { 546 rval = ENOMEM; 547 goto ret; 548 } else { 549 *buffer = p; 550 bzero(p, i); 551 } 552 553 headers[SADB_EXT_SA] = p; 554 555 export_sa(&p, sa); /* Export SA information (mostly flags) */ 556 557 /* Export lifetimes where applicable */ 558 headers[SADB_EXT_LIFETIME_CURRENT] = p; 559 export_lifetime(&p, sa, PFKEYV2_LIFETIME_CURRENT); 560 561 if (sa->tdb_soft_allocations || sa->tdb_soft_bytes || 562 sa->tdb_soft_first_use || sa->tdb_soft_timeout) { 563 headers[SADB_EXT_LIFETIME_SOFT] = p; 564 export_lifetime(&p, sa, PFKEYV2_LIFETIME_SOFT); 565 } 566 567 if (sa->tdb_exp_allocations || sa->tdb_exp_bytes || 568 sa->tdb_exp_first_use || sa->tdb_exp_timeout) { 569 headers[SADB_EXT_LIFETIME_HARD] = p; 570 export_lifetime(&p, sa, PFKEYV2_LIFETIME_HARD); 571 } 572 573 /* Export TDB source address */ 574 headers[SADB_EXT_ADDRESS_SRC] = p; 575 export_address(&p, (struct sockaddr *) &sa->tdb_src); 576 577 /* Export TDB destination address */ 578 headers[SADB_EXT_ADDRESS_DST] = p; 579 export_address(&p, (struct sockaddr *) &sa->tdb_dst); 580 581 /* Export TDB proxy address, if present */ 582 if (SA_LEN(&sa->tdb_proxy.sa)) { 583 headers[SADB_EXT_ADDRESS_PROXY] = p; 584 export_address(&p, (struct sockaddr *) &sa->tdb_proxy); 585 } 586 587 /* Export source identity, if present */ 588 if (sa->tdb_srcid) { 589 headers[SADB_EXT_IDENTITY_SRC] = p; 590 export_identity(&p, sa, PFKEYV2_IDENTITY_SRC); 591 } 592 593 /* Export destination identity, if present */ 594 if (sa->tdb_dstid) { 595 headers[SADB_EXT_IDENTITY_DST] = p; 596 export_identity(&p, sa, PFKEYV2_IDENTITY_DST); 597 } 598 599 /* Export credentials, if present */ 600 if (sa->tdb_local_cred) { 601 headers[SADB_X_EXT_LOCAL_CREDENTIALS] = p; 602 export_credentials(&p, sa, PFKEYV2_CRED_LOCAL); 603 } 604 605 if (sa->tdb_remote_cred) { 606 headers[SADB_X_EXT_REMOTE_CREDENTIALS] = p; 607 export_credentials(&p, sa, PFKEYV2_CRED_REMOTE); 608 } 609 610 /* Export authentication information, if present */ 611 if (sa->tdb_local_auth) { 612 headers[SADB_X_EXT_LOCAL_AUTH] = p; 613 export_auth(&p, sa, PFKEYV2_AUTH_LOCAL); 614 } 615 616 if (sa->tdb_remote_auth) { 617 headers[SADB_X_EXT_REMOTE_AUTH] = p; 618 export_auth(&p, sa, PFKEYV2_AUTH_REMOTE); 619 } 620 621 /* Export authentication key, if present */ 622 if (sa->tdb_amxkey) { 623 headers[SADB_EXT_KEY_AUTH] = p; 624 export_key(&p, sa, PFKEYV2_AUTHENTICATION_KEY); 625 } 626 627 /* Export encryption key, if present */ 628 if (sa->tdb_emxkey) { 629 headers[SADB_EXT_KEY_ENCRYPT] = p; 630 export_key(&p, sa, PFKEYV2_ENCRYPTION_KEY); 631 } 632 633 rval = 0; 634 635 ret: 636 return (rval); 637 } 638 639 /* 640 * Dump a TDB. 641 */ 642 int 643 pfkeyv2_dump_walker(struct tdb *sa, void *state, int last) 644 { 645 struct dump_state *dump_state = (struct dump_state *) state; 646 void *headers[SADB_EXT_MAX+1], *buffer; 647 int rval; 648 649 /* If not satype was specified, dump all TDBs */ 650 if (!dump_state->sadb_msg->sadb_msg_satype || 651 (sa->tdb_satype == dump_state->sadb_msg->sadb_msg_satype)) { 652 bzero(headers, sizeof(headers)); 653 headers[0] = (void *) dump_state->sadb_msg; 654 655 /* Get the information from the TDB to a PFKEYv2 message */ 656 if ((rval = pfkeyv2_get(sa, headers, &buffer)) != 0) 657 return (rval); 658 659 if (last) 660 ((struct sadb_msg *)headers[0])->sadb_msg_seq = 0; 661 662 /* Send the message to the specified socket */ 663 rval = pfkeyv2_sendmessage(headers, 664 PFKEYV2_SENDMESSAGE_UNICAST, dump_state->socket, 0, 0); 665 666 free(buffer, M_PFKEY); 667 if (rval) 668 return (rval); 669 } 670 671 return (0); 672 } 673 674 /* 675 * Delete an SA. 676 */ 677 int 678 pfkeyv2_flush_walker(struct tdb *sa, void *satype_vp, int last) 679 { 680 if (!(*((u_int8_t *) satype_vp)) || 681 sa->tdb_satype == *((u_int8_t *) satype_vp)) 682 tdb_delete(sa); 683 return (0); 684 } 685 686 /* 687 * Convert between SATYPEs and IPsec protocols, taking into consideration 688 * sysctl variables enabling/disabling ESP/AH and the presence of the old 689 * IPsec transforms. 690 */ 691 int 692 pfkeyv2_get_proto_alg(u_int8_t satype, u_int8_t *sproto, int *alg) 693 { 694 switch (satype) { 695 case SADB_SATYPE_AH: 696 if (!ah_enable) 697 return (EOPNOTSUPP); 698 699 *sproto = IPPROTO_AH; 700 701 if(alg != NULL) 702 *alg = satype = XF_AH; 703 704 break; 705 706 case SADB_SATYPE_ESP: 707 if (!esp_enable) 708 return (EOPNOTSUPP); 709 710 *sproto = IPPROTO_ESP; 711 712 if(alg != NULL) 713 *alg = satype = XF_ESP; 714 715 break; 716 717 case SADB_X_SATYPE_IPIP: 718 *sproto = IPPROTO_IPIP; 719 720 if (alg != NULL) 721 *alg = XF_IP4; 722 723 break; 724 725 case SADB_X_SATYPE_IPCOMP: 726 if (!ipcomp_enable) 727 return (EOPNOTSUPP); 728 729 *sproto = IPPROTO_IPCOMP; 730 731 if(alg != NULL) 732 *alg = satype = XF_IPCOMP; 733 734 break; 735 736 #ifdef TCP_SIGNATURE 737 case SADB_X_SATYPE_TCPSIGNATURE: 738 *sproto = IPPROTO_TCP; 739 740 if (alg != NULL) 741 *alg = XF_TCPSIGNATURE; 742 743 break; 744 #endif /* TCP_SIGNATURE */ 745 746 default: /* Nothing else supported */ 747 return (EOPNOTSUPP); 748 } 749 750 return (0); 751 } 752 753 /* 754 * Handle all messages from userland to kernel. 755 */ 756 int 757 pfkeyv2_send(struct socket *socket, void *message, int len) 758 { 759 int i, j, rval = 0, mode = PFKEYV2_SENDMESSAGE_BROADCAST; 760 int delflag = 0, s; 761 struct sockaddr_encap encapdst, encapnetmask, encapgw; 762 struct ipsec_policy *ipo, *tmpipo; 763 struct ipsec_acquire *ipa; 764 765 struct pfkeyv2_socket *pfkeyv2_socket, *so = NULL; 766 767 void *freeme = NULL, *bckptr = NULL; 768 void *headers[SADB_EXT_MAX + 1]; 769 770 union sockaddr_union *sunionp; 771 772 struct tdb sa, *sa2 = NULL; 773 774 struct sadb_msg *smsg; 775 struct sadb_spirange *sprng; 776 struct sadb_sa *ssa; 777 struct sadb_supported *ssup; 778 struct sadb_ident *sid; 779 780 /* Verify that we received this over a legitimate pfkeyv2 socket */ 781 bzero(headers, sizeof(headers)); 782 783 for (pfkeyv2_socket = pfkeyv2_sockets; pfkeyv2_socket; 784 pfkeyv2_socket = pfkeyv2_socket->next) 785 if (pfkeyv2_socket->socket == socket) 786 break; 787 788 if (!pfkeyv2_socket) { 789 rval = EINVAL; 790 goto ret; 791 } 792 793 /* If we have any promiscuous listeners, send them a copy of the message */ 794 if (npromisc) { 795 struct mbuf *packet; 796 797 if (!(freeme = malloc(sizeof(struct sadb_msg) + len, M_PFKEY, 798 M_DONTWAIT))) { 799 rval = ENOMEM; 800 goto ret; 801 } 802 803 /* Initialize encapsulating header */ 804 bzero(freeme, sizeof(struct sadb_msg)); 805 smsg = (struct sadb_msg *) freeme; 806 smsg->sadb_msg_version = PF_KEY_V2; 807 smsg->sadb_msg_type = SADB_X_PROMISC; 808 smsg->sadb_msg_len = (sizeof(struct sadb_msg) + len) / 809 sizeof(uint64_t); 810 smsg->sadb_msg_seq = curproc->p_pid; 811 812 bcopy(message, freeme + sizeof(struct sadb_msg), len); 813 814 /* Convert to mbuf chain */ 815 if ((rval = pfdatatopacket(freeme, 816 sizeof(struct sadb_msg) + len, &packet)) != 0) 817 goto ret; 818 819 /* Send to all promiscuous listeners */ 820 for (so = pfkeyv2_sockets; so; so = so->next) 821 if (so->flags & PFKEYV2_SOCKETFLAGS_PROMISC) 822 pfkey_sendup(so->socket, packet, 1); 823 824 /* Paranoid */ 825 m_zero(packet); 826 m_freem(packet); 827 828 /* Even more paranoid */ 829 bzero(freeme, sizeof(struct sadb_msg) + len); 830 free(freeme, M_PFKEY); 831 freeme = NULL; 832 } 833 834 /* Validate message format */ 835 if ((rval = pfkeyv2_parsemessage(message, len, headers)) != 0) 836 goto ret; 837 838 smsg = (struct sadb_msg *) headers[0]; 839 switch (smsg->sadb_msg_type) { 840 case SADB_GETSPI: /* Reserve an SPI */ 841 bzero(&sa, sizeof(struct tdb)); 842 843 sa.tdb_satype = smsg->sadb_msg_satype; 844 if ((rval = pfkeyv2_get_proto_alg(sa.tdb_satype, 845 &sa.tdb_sproto, 0))) 846 goto ret; 847 848 import_address((struct sockaddr *) &sa.tdb_src, 849 headers[SADB_EXT_ADDRESS_SRC]); 850 import_address((struct sockaddr *) &sa.tdb_dst, 851 headers[SADB_EXT_ADDRESS_DST]); 852 853 /* Find an unused SA identifier */ 854 sprng = (struct sadb_spirange *) headers[SADB_EXT_SPIRANGE]; 855 sa.tdb_spi = reserve_spi(sprng->sadb_spirange_min, 856 sprng->sadb_spirange_max, &sa.tdb_src, &sa.tdb_dst, 857 sa.tdb_sproto, &rval); 858 if (sa.tdb_spi == 0) 859 goto ret; 860 861 /* Send a message back telling what the SA (the SPI really) is */ 862 if (!(freeme = malloc(sizeof(struct sadb_sa), M_PFKEY, 863 M_DONTWAIT))) { 864 rval = ENOMEM; 865 goto ret; 866 } 867 868 bzero(freeme, sizeof(struct sadb_sa)); 869 headers[SADB_EXT_SPIRANGE] = NULL; 870 headers[SADB_EXT_SA] = freeme; 871 bckptr = freeme; 872 873 /* We really only care about the SPI, but we'll export the SA */ 874 export_sa((void **) &bckptr, &sa); 875 break; 876 877 case SADB_UPDATE: 878 ssa = (struct sadb_sa *) headers[SADB_EXT_SA]; 879 sunionp = (union sockaddr_union *) (headers[SADB_EXT_ADDRESS_DST] + 880 sizeof(struct sadb_address)); 881 882 /* Either all or none of the flow must be included */ 883 if ((headers[SADB_X_EXT_SRC_FLOW] || 884 headers[SADB_X_EXT_PROTOCOL] || 885 headers[SADB_X_EXT_FLOW_TYPE] || 886 headers[SADB_X_EXT_DST_FLOW] || 887 headers[SADB_X_EXT_SRC_MASK] || 888 headers[SADB_X_EXT_DST_MASK]) && 889 !(headers[SADB_X_EXT_SRC_FLOW] && 890 headers[SADB_X_EXT_PROTOCOL] && 891 headers[SADB_X_EXT_FLOW_TYPE] && 892 headers[SADB_X_EXT_DST_FLOW] && 893 headers[SADB_X_EXT_SRC_MASK] && 894 headers[SADB_X_EXT_DST_MASK])) { 895 rval = EINVAL; 896 goto ret; 897 } 898 899 s = spltdb(); 900 901 /* Find TDB */ 902 sa2 = gettdb(ssa->sadb_sa_spi, sunionp, 903 SADB_X_GETSPROTO(smsg->sadb_msg_satype)); 904 905 /* If there's no such SA, we're done */ 906 if (sa2 == NULL) { 907 rval = ESRCH; 908 goto splxret; 909 } 910 911 /* If this is a reserved SA */ 912 if (sa2->tdb_flags & TDBF_INVALID) { 913 struct tdb *newsa; 914 struct ipsecinit ii; 915 int alg; 916 917 /* Create new TDB */ 918 freeme = tdb_alloc(); 919 bzero(&ii, sizeof(struct ipsecinit)); 920 921 newsa = (struct tdb *) freeme; 922 newsa->tdb_satype = smsg->sadb_msg_satype; 923 924 if ((rval = pfkeyv2_get_proto_alg(newsa->tdb_satype, 925 &newsa->tdb_sproto, &alg))) 926 goto splxret; 927 928 /* Initialize SA */ 929 import_sa(newsa, headers[SADB_EXT_SA], &ii); 930 import_address((struct sockaddr *) &newsa->tdb_src, 931 headers[SADB_EXT_ADDRESS_SRC]); 932 import_address((struct sockaddr *) &newsa->tdb_dst, 933 headers[SADB_EXT_ADDRESS_DST]); 934 import_address((struct sockaddr *) &newsa->tdb_proxy, 935 headers[SADB_EXT_ADDRESS_PROXY]); 936 import_lifetime(newsa, 937 headers[SADB_EXT_LIFETIME_CURRENT], 938 PFKEYV2_LIFETIME_CURRENT); 939 import_lifetime(newsa, headers[SADB_EXT_LIFETIME_SOFT], 940 PFKEYV2_LIFETIME_SOFT); 941 import_lifetime(newsa, headers[SADB_EXT_LIFETIME_HARD], 942 PFKEYV2_LIFETIME_HARD); 943 import_key(&ii, headers[SADB_EXT_KEY_AUTH], 944 PFKEYV2_AUTHENTICATION_KEY); 945 import_key(&ii, headers[SADB_EXT_KEY_ENCRYPT], 946 PFKEYV2_ENCRYPTION_KEY); 947 import_identity(newsa, headers[SADB_EXT_IDENTITY_SRC], 948 PFKEYV2_IDENTITY_SRC); 949 import_identity(newsa, headers[SADB_EXT_IDENTITY_DST], 950 PFKEYV2_IDENTITY_DST); 951 import_credentials(newsa, 952 headers[SADB_X_EXT_LOCAL_CREDENTIALS], 953 PFKEYV2_CRED_LOCAL); 954 import_credentials(newsa, 955 headers[SADB_X_EXT_REMOTE_CREDENTIALS], 956 PFKEYV2_CRED_REMOTE); 957 import_auth(newsa, headers[SADB_X_EXT_LOCAL_AUTH], 958 PFKEYV2_AUTH_LOCAL); 959 import_auth(newsa, headers[SADB_X_EXT_REMOTE_AUTH], 960 PFKEYV2_AUTH_REMOTE); 961 import_flow(&newsa->tdb_filter, &newsa->tdb_filtermask, 962 headers[SADB_X_EXT_SRC_FLOW], 963 headers[SADB_X_EXT_SRC_MASK], 964 headers[SADB_X_EXT_DST_FLOW], 965 headers[SADB_X_EXT_DST_MASK], 966 headers[SADB_X_EXT_PROTOCOL], 967 headers[SADB_X_EXT_FLOW_TYPE]); 968 969 headers[SADB_EXT_KEY_AUTH] = NULL; 970 headers[SADB_EXT_KEY_ENCRYPT] = NULL; 971 headers[SADB_X_EXT_LOCAL_AUTH] = NULL; 972 973 newsa->tdb_seq = smsg->sadb_msg_seq; 974 975 rval = tdb_init(newsa, alg, &ii); 976 if (rval) { 977 rval = EINVAL; 978 tdb_delete(freeme); 979 freeme = NULL; 980 goto splxret; 981 } 982 983 newsa->tdb_cur_allocations = sa2->tdb_cur_allocations; 984 985 /* Delete old version of the SA, insert new one */ 986 tdb_delete(sa2); 987 puttdb((struct tdb *) freeme); 988 sa2 = freeme = NULL; 989 } else { 990 /* 991 * The SA is already initialized, so we're only allowed to 992 * change lifetimes and some other information; we're 993 * not allowed to change keys, addresses or identities. 994 */ 995 if (headers[SADB_EXT_ADDRESS_PROXY] || 996 headers[SADB_EXT_KEY_AUTH] || 997 headers[SADB_EXT_KEY_ENCRYPT] || 998 headers[SADB_EXT_IDENTITY_SRC] || 999 headers[SADB_EXT_IDENTITY_DST] || 1000 headers[SADB_EXT_SENSITIVITY]) { 1001 rval = EINVAL; 1002 goto splxret; 1003 } 1004 1005 import_sa(sa2, headers[SADB_EXT_SA], NULL); 1006 import_lifetime(sa2, 1007 headers[SADB_EXT_LIFETIME_CURRENT], 1008 PFKEYV2_LIFETIME_CURRENT); 1009 import_lifetime(sa2, headers[SADB_EXT_LIFETIME_SOFT], 1010 PFKEYV2_LIFETIME_SOFT); 1011 import_lifetime(sa2, headers[SADB_EXT_LIFETIME_HARD], 1012 PFKEYV2_LIFETIME_HARD); 1013 } 1014 1015 splx(s); 1016 break; 1017 case SADB_ADD: 1018 ssa = (struct sadb_sa *) headers[SADB_EXT_SA]; 1019 sunionp = (union sockaddr_union *) (headers[SADB_EXT_ADDRESS_DST] + 1020 sizeof(struct sadb_address)); 1021 1022 /* Either all or none of the flow must be included */ 1023 if ((headers[SADB_X_EXT_SRC_FLOW] || 1024 headers[SADB_X_EXT_PROTOCOL] || 1025 headers[SADB_X_EXT_FLOW_TYPE] || 1026 headers[SADB_X_EXT_DST_FLOW] || 1027 headers[SADB_X_EXT_SRC_MASK] || 1028 headers[SADB_X_EXT_DST_MASK]) && 1029 !(headers[SADB_X_EXT_SRC_FLOW] && 1030 headers[SADB_X_EXT_PROTOCOL] && 1031 headers[SADB_X_EXT_FLOW_TYPE] && 1032 headers[SADB_X_EXT_DST_FLOW] && 1033 headers[SADB_X_EXT_SRC_MASK] && 1034 headers[SADB_X_EXT_DST_MASK])) { 1035 rval = EINVAL; 1036 goto ret; 1037 } 1038 1039 s = spltdb(); 1040 1041 sa2 = gettdb(ssa->sadb_sa_spi, sunionp, 1042 SADB_X_GETSPROTO(smsg->sadb_msg_satype)); 1043 1044 /* We can't add an existing SA! */ 1045 if (sa2 != NULL) { 1046 rval = EEXIST; 1047 goto splxret; 1048 } 1049 1050 /* We can only add "mature" SAs */ 1051 if (ssa->sadb_sa_state != SADB_SASTATE_MATURE) { 1052 rval = EINVAL; 1053 goto splxret; 1054 } 1055 1056 /* Allocate and initialize new TDB */ 1057 freeme = tdb_alloc(); 1058 1059 { 1060 struct tdb *newsa = (struct tdb *) freeme; 1061 struct ipsecinit ii; 1062 int alg; 1063 1064 bzero(&ii, sizeof(struct ipsecinit)); 1065 1066 newsa->tdb_satype = smsg->sadb_msg_satype; 1067 if ((rval = pfkeyv2_get_proto_alg(newsa->tdb_satype, 1068 &newsa->tdb_sproto, &alg))) 1069 goto splxret; 1070 1071 import_sa(newsa, headers[SADB_EXT_SA], &ii); 1072 import_address((struct sockaddr *) &newsa->tdb_src, 1073 headers[SADB_EXT_ADDRESS_SRC]); 1074 import_address((struct sockaddr *) &newsa->tdb_dst, 1075 headers[SADB_EXT_ADDRESS_DST]); 1076 import_address((struct sockaddr *) &newsa->tdb_proxy, 1077 headers[SADB_EXT_ADDRESS_PROXY]); 1078 1079 import_lifetime(newsa, 1080 headers[SADB_EXT_LIFETIME_CURRENT], 1081 PFKEYV2_LIFETIME_CURRENT); 1082 import_lifetime(newsa, headers[SADB_EXT_LIFETIME_SOFT], 1083 PFKEYV2_LIFETIME_SOFT); 1084 import_lifetime(newsa, headers[SADB_EXT_LIFETIME_HARD], 1085 PFKEYV2_LIFETIME_HARD); 1086 1087 import_key(&ii, headers[SADB_EXT_KEY_AUTH], 1088 PFKEYV2_AUTHENTICATION_KEY); 1089 import_key(&ii, headers[SADB_EXT_KEY_ENCRYPT], 1090 PFKEYV2_ENCRYPTION_KEY); 1091 1092 import_identity(newsa, headers[SADB_EXT_IDENTITY_SRC], 1093 PFKEYV2_IDENTITY_SRC); 1094 import_identity(newsa, headers[SADB_EXT_IDENTITY_DST], 1095 PFKEYV2_IDENTITY_DST); 1096 1097 import_credentials(newsa, 1098 headers[SADB_X_EXT_LOCAL_CREDENTIALS], 1099 PFKEYV2_CRED_LOCAL); 1100 import_credentials(newsa, 1101 headers[SADB_X_EXT_REMOTE_CREDENTIALS], 1102 PFKEYV2_CRED_REMOTE); 1103 import_auth(newsa, headers[SADB_X_EXT_LOCAL_AUTH], 1104 PFKEYV2_AUTH_LOCAL); 1105 import_auth(newsa, headers[SADB_X_EXT_REMOTE_AUTH], 1106 PFKEYV2_AUTH_REMOTE); 1107 import_flow(&newsa->tdb_filter, &newsa->tdb_filtermask, 1108 headers[SADB_X_EXT_SRC_FLOW], 1109 headers[SADB_X_EXT_SRC_MASK], 1110 headers[SADB_X_EXT_DST_FLOW], 1111 headers[SADB_X_EXT_DST_MASK], 1112 headers[SADB_X_EXT_PROTOCOL], 1113 headers[SADB_X_EXT_FLOW_TYPE]); 1114 1115 headers[SADB_EXT_KEY_AUTH] = NULL; 1116 headers[SADB_EXT_KEY_ENCRYPT] = NULL; 1117 headers[SADB_X_EXT_LOCAL_AUTH] = NULL; 1118 1119 newsa->tdb_seq = smsg->sadb_msg_seq; 1120 1121 rval = tdb_init(newsa, alg, &ii); 1122 if (rval) { 1123 rval = EINVAL; 1124 tdb_delete(freeme); 1125 freeme = NULL; 1126 goto splxret; 1127 } 1128 } 1129 1130 /* Add TDB in table */ 1131 puttdb((struct tdb *) freeme); 1132 1133 splx(s); 1134 1135 freeme = NULL; 1136 break; 1137 1138 case SADB_DELETE: 1139 ssa = (struct sadb_sa *) headers[SADB_EXT_SA]; 1140 sunionp = (union sockaddr_union *) (headers[SADB_EXT_ADDRESS_DST] + 1141 sizeof(struct sadb_address)); 1142 s = spltdb(); 1143 1144 sa2 = gettdb(ssa->sadb_sa_spi, sunionp, 1145 SADB_X_GETSPROTO(smsg->sadb_msg_satype)); 1146 if (sa2 == NULL) { 1147 rval = ESRCH; 1148 goto splxret; 1149 } 1150 1151 tdb_delete(sa2); 1152 1153 splx(s); 1154 1155 sa2 = NULL; 1156 break; 1157 1158 case SADB_X_ASKPOLICY: 1159 /* Get the relevant policy */ 1160 ipa = ipsec_get_acquire(((struct sadb_x_policy *) headers[SADB_X_EXT_POLICY])->sadb_x_policy_seq); 1161 if (ipa == NULL) { 1162 rval = ESRCH; 1163 goto ret; 1164 } 1165 1166 rval = pfkeyv2_policy(ipa, headers, &freeme); 1167 if (rval) 1168 mode = PFKEYV2_SENDMESSAGE_UNICAST; 1169 1170 break; 1171 1172 case SADB_GET: 1173 ssa = (struct sadb_sa *) headers[SADB_EXT_SA]; 1174 sunionp = (union sockaddr_union *) (headers[SADB_EXT_ADDRESS_DST] + 1175 sizeof(struct sadb_address)); 1176 s = spltdb(); 1177 1178 sa2 = gettdb(ssa->sadb_sa_spi, sunionp, 1179 SADB_X_GETSPROTO(smsg->sadb_msg_satype)); 1180 if (sa2 == NULL) { 1181 rval = ESRCH; 1182 goto splxret; 1183 } 1184 1185 rval = pfkeyv2_get(sa2, headers, &freeme); 1186 if (rval) 1187 mode = PFKEYV2_SENDMESSAGE_UNICAST; 1188 1189 splx(s); 1190 1191 break; 1192 1193 case SADB_REGISTER: 1194 pfkeyv2_socket->flags |= PFKEYV2_SOCKETFLAGS_REGISTERED; 1195 nregistered++; 1196 1197 i = sizeof(struct sadb_supported) + sizeof(ealgs); 1198 1199 if (!(freeme = malloc(i, M_PFKEY, M_DONTWAIT))) { 1200 rval = ENOMEM; 1201 goto ret; 1202 } 1203 1204 bzero(freeme, i); 1205 1206 ssup = (struct sadb_supported *) freeme; 1207 ssup->sadb_supported_len = i / sizeof(uint64_t); 1208 1209 { 1210 void *p = freeme + sizeof(struct sadb_supported); 1211 1212 bcopy(&ealgs[0], p, sizeof(ealgs)); 1213 } 1214 1215 headers[SADB_EXT_SUPPORTED_ENCRYPT] = freeme; 1216 1217 i = sizeof(struct sadb_supported) + sizeof(aalgs); 1218 1219 if (!(freeme = malloc(i, M_PFKEY, M_DONTWAIT))) { 1220 rval = ENOMEM; 1221 goto ret; 1222 } 1223 1224 /* Keep track what this socket has registered for */ 1225 pfkeyv2_socket->registration |= (1 << ((struct sadb_msg *)message)->sadb_msg_satype); 1226 1227 bzero(freeme, i); 1228 1229 ssup = (struct sadb_supported *) freeme; 1230 ssup->sadb_supported_len = i / sizeof(uint64_t); 1231 1232 { 1233 void *p = freeme + sizeof(struct sadb_supported); 1234 1235 bcopy(&aalgs[0], p, sizeof(aalgs)); 1236 } 1237 1238 headers[SADB_EXT_SUPPORTED_AUTH] = freeme; 1239 1240 i = sizeof(struct sadb_supported) + sizeof(calgs); 1241 1242 if (!(freeme = malloc(i, M_PFKEY, M_DONTWAIT))) { 1243 rval = ENOMEM; 1244 goto ret; 1245 } 1246 1247 bzero(freeme, i); 1248 1249 ssup = (struct sadb_supported *) freeme; 1250 ssup->sadb_supported_len = i / sizeof(uint64_t); 1251 1252 { 1253 void *p = freeme + sizeof(struct sadb_supported); 1254 1255 bcopy(&calgs[0], p, sizeof(calgs)); 1256 } 1257 1258 headers[SADB_X_EXT_SUPPORTED_COMP] = freeme; 1259 1260 break; 1261 1262 case SADB_ACQUIRE: 1263 case SADB_EXPIRE: 1264 /* Nothing to handle */ 1265 rval = 0; 1266 break; 1267 1268 case SADB_FLUSH: 1269 rval = 0; 1270 1271 switch (smsg->sadb_msg_satype) { 1272 case SADB_SATYPE_UNSPEC: 1273 s = spltdb(); 1274 1275 /* 1276 * Go through the list of policies, delete those that 1277 * are not socket-attached. 1278 */ 1279 for (ipo = TAILQ_FIRST(&ipsec_policy_head); 1280 ipo != NULL; ipo = tmpipo) { 1281 tmpipo = TAILQ_NEXT(ipo, ipo_list); 1282 if (!(ipo->ipo_flags & IPSP_POLICY_SOCKET)) 1283 ipsec_delete_policy(ipo); 1284 } 1285 splx(s); 1286 /* Fall through */ 1287 case SADB_SATYPE_AH: 1288 case SADB_SATYPE_ESP: 1289 case SADB_X_SATYPE_IPIP: 1290 case SADB_X_SATYPE_IPCOMP: 1291 #ifdef TCP_SIGNATURE 1292 case SADB_X_SATYPE_TCPSIGNATURE: 1293 #endif /* TCP_SIGNATURE */ 1294 s = spltdb(); 1295 1296 tdb_walk(pfkeyv2_flush_walker, 1297 (u_int8_t *) &(smsg->sadb_msg_satype)); 1298 1299 splx(s); 1300 break; 1301 1302 default: 1303 rval = EINVAL; /* Unknown/unsupported type */ 1304 } 1305 1306 break; 1307 1308 case SADB_DUMP: 1309 { 1310 struct dump_state dump_state; 1311 dump_state.sadb_msg = (struct sadb_msg *) headers[0]; 1312 dump_state.socket = socket; 1313 1314 if (!(rval = tdb_walk(pfkeyv2_dump_walker, &dump_state))) 1315 goto realret; 1316 1317 if ((rval == ENOMEM) || (rval == ENOBUFS)) 1318 rval = 0; 1319 } 1320 break; 1321 1322 case SADB_X_GRPSPIS: 1323 { 1324 struct tdb *tdb1, *tdb2, *tdb3; 1325 struct sadb_protocol *sa_proto; 1326 1327 ssa = (struct sadb_sa *) headers[SADB_EXT_SA]; 1328 sunionp = (union sockaddr_union *) (headers[SADB_EXT_ADDRESS_DST] + 1329 sizeof(struct sadb_address)); 1330 1331 s = spltdb(); 1332 1333 tdb1 = gettdb(ssa->sadb_sa_spi, sunionp, 1334 SADB_X_GETSPROTO(smsg->sadb_msg_satype)); 1335 if (tdb1 == NULL) { 1336 rval = ESRCH; 1337 goto splxret; 1338 } 1339 1340 ssa = (struct sadb_sa *) headers[SADB_X_EXT_SA2]; 1341 sunionp = (union sockaddr_union *) (headers[SADB_X_EXT_DST2] + 1342 sizeof(struct sadb_address)); 1343 sa_proto = ((struct sadb_protocol *) headers[SADB_X_EXT_PROTOCOL]); 1344 1345 tdb2 = gettdb(ssa->sadb_sa_spi, sunionp, 1346 SADB_X_GETSPROTO(sa_proto->sadb_protocol_proto)); 1347 if (tdb2 == NULL) { 1348 rval = ESRCH; 1349 goto splxret; 1350 } 1351 1352 /* Detect cycles */ 1353 for (tdb3 = tdb2; tdb3; tdb3 = tdb3->tdb_onext) 1354 if (tdb3 == tdb1) { 1355 rval = ESRCH; 1356 goto splxret; 1357 } 1358 1359 /* Maintenance */ 1360 if ((tdb1->tdb_onext) && 1361 (tdb1->tdb_onext->tdb_inext == tdb1)) 1362 tdb1->tdb_onext->tdb_inext = NULL; 1363 1364 if ((tdb2->tdb_inext) && 1365 (tdb2->tdb_inext->tdb_onext == tdb2)) 1366 tdb2->tdb_inext->tdb_onext = NULL; 1367 1368 /* Link them */ 1369 tdb1->tdb_onext = tdb2; 1370 tdb2->tdb_inext = tdb1; 1371 1372 splx(s); 1373 } 1374 break; 1375 1376 case SADB_X_DELFLOW: 1377 delflag = 1; 1378 /*FALLTHROUGH*/ 1379 case SADB_X_ADDFLOW: 1380 { 1381 struct sadb_protocol *sab; 1382 union sockaddr_union *ssrc; 1383 struct route_enc re; 1384 int exists = 0; 1385 1386 sab = (struct sadb_protocol *) headers[SADB_X_EXT_FLOW_TYPE]; 1387 1388 if ((sab->sadb_protocol_direction != IPSP_DIRECTION_IN) && 1389 (sab->sadb_protocol_direction != IPSP_DIRECTION_OUT)) { 1390 rval = EINVAL; 1391 goto ret; 1392 } 1393 1394 /* If the security protocol wasn't specified, pretend it was ESP */ 1395 if (smsg->sadb_msg_satype == 0) 1396 smsg->sadb_msg_satype = SADB_SATYPE_ESP; 1397 1398 if (headers[SADB_EXT_ADDRESS_DST]) 1399 sunionp = (union sockaddr_union *) 1400 (headers[SADB_EXT_ADDRESS_DST] + 1401 sizeof(struct sadb_address)); 1402 else 1403 sunionp = NULL; 1404 1405 if (headers[SADB_EXT_ADDRESS_SRC]) 1406 ssrc = (union sockaddr_union *) 1407 (headers[SADB_EXT_ADDRESS_SRC] + 1408 sizeof(struct sadb_address)); 1409 else 1410 ssrc = NULL; 1411 1412 import_flow(&encapdst, &encapnetmask, 1413 headers[SADB_X_EXT_SRC_FLOW], headers[SADB_X_EXT_SRC_MASK], 1414 headers[SADB_X_EXT_DST_FLOW], headers[SADB_X_EXT_DST_MASK], 1415 headers[SADB_X_EXT_PROTOCOL], headers[SADB_X_EXT_FLOW_TYPE]); 1416 1417 /* Determine whether the exact same SPD entry already exists. */ 1418 bzero(&encapgw, sizeof(struct sockaddr_encap)); 1419 bzero(&re, sizeof(struct route_enc)); 1420 bcopy(&encapdst, &re.re_dst, sizeof(struct sockaddr_encap)); 1421 1422 s = spltdb(); 1423 1424 rtalloc((struct route *) &re); 1425 if (re.re_rt != NULL) { 1426 ipo = ((struct sockaddr_encap *) re.re_rt->rt_gateway)->sen_ipsp; 1427 RTFREE(re.re_rt); 1428 1429 /* Verify that the entry is identical */ 1430 if (bcmp(&ipo->ipo_addr, &encapdst, 1431 sizeof(struct sockaddr_encap)) || 1432 bcmp(&ipo->ipo_mask, &encapnetmask, 1433 sizeof(struct sockaddr_encap))) 1434 ipo = NULL; /* Fall through */ 1435 else 1436 exists = 1; 1437 } else 1438 ipo = NULL; 1439 1440 /* 1441 * If the existing policy is static, only delete or update 1442 * it if the new one is also static. 1443 */ 1444 if (exists && (ipo->ipo_flags & IPSP_POLICY_STATIC)) { 1445 if (!(sab->sadb_protocol_flags & 1446 SADB_X_POLICYFLAGS_POLICY)) { 1447 splx(s); 1448 goto ret; 1449 } 1450 } 1451 1452 /* Delete ? */ 1453 if (delflag) { 1454 if (exists) { 1455 rval = ipsec_delete_policy(ipo); 1456 splx(s); 1457 goto ret; 1458 } 1459 1460 /* If we were asked to delete something non-existant, error. */ 1461 splx(s); 1462 rval = ESRCH; 1463 break; 1464 } 1465 1466 if (!exists) { 1467 if (ipsec_policy_pool_initialized == 0) { 1468 ipsec_policy_pool_initialized = 1; 1469 pool_init(&ipsec_policy_pool, 1470 sizeof(struct ipsec_policy), 0, 0, 0, 1471 "ipsec policy", NULL); 1472 } 1473 1474 /* Allocate policy entry */ 1475 ipo = pool_get(&ipsec_policy_pool, 0); 1476 if (ipo == NULL) { 1477 splx(s); 1478 rval = ENOMEM; 1479 goto ret; 1480 } 1481 1482 bzero(ipo, sizeof(struct ipsec_policy)); 1483 ipo->ipo_ref_count = 1; 1484 TAILQ_INIT(&ipo->ipo_acquires); 1485 1486 /* Finish initialization of SPD entry */ 1487 encapgw.sen_len = SENT_LEN; 1488 encapgw.sen_family = PF_KEY; 1489 encapgw.sen_type = SENT_IPSP; 1490 encapgw.sen_ipsp = ipo; 1491 1492 /* Initialize policy entry */ 1493 bcopy(&encapdst, &ipo->ipo_addr, 1494 sizeof(struct sockaddr_encap)); 1495 bcopy(&encapnetmask, &ipo->ipo_mask, 1496 sizeof(struct sockaddr_encap)); 1497 } 1498 1499 switch (((struct sadb_protocol *) headers[SADB_X_EXT_FLOW_TYPE])->sadb_protocol_proto) { 1500 case SADB_X_FLOW_TYPE_USE: 1501 ipo->ipo_type = IPSP_IPSEC_USE; 1502 break; 1503 1504 case SADB_X_FLOW_TYPE_ACQUIRE: 1505 ipo->ipo_type = IPSP_IPSEC_ACQUIRE; 1506 break; 1507 1508 case SADB_X_FLOW_TYPE_REQUIRE: 1509 ipo->ipo_type = IPSP_IPSEC_REQUIRE; 1510 break; 1511 1512 case SADB_X_FLOW_TYPE_DENY: 1513 ipo->ipo_type = IPSP_DENY; 1514 break; 1515 1516 case SADB_X_FLOW_TYPE_BYPASS: 1517 ipo->ipo_type = IPSP_PERMIT; 1518 break; 1519 1520 case SADB_X_FLOW_TYPE_DONTACQ: 1521 ipo->ipo_type = IPSP_IPSEC_DONTACQ; 1522 break; 1523 1524 default: 1525 if (!exists) 1526 pool_put(&ipsec_policy_pool, ipo); 1527 else 1528 ipsec_delete_policy(ipo); 1529 1530 splx(s); 1531 rval = EINVAL; 1532 goto ret; 1533 } 1534 1535 if (sab->sadb_protocol_flags & SADB_X_POLICYFLAGS_POLICY) 1536 ipo->ipo_flags |= IPSP_POLICY_STATIC; 1537 1538 if (sunionp) 1539 bcopy(sunionp, &ipo->ipo_dst, 1540 sizeof(union sockaddr_union)); 1541 else 1542 bzero(&ipo->ipo_dst, sizeof(union sockaddr_union)); 1543 1544 if (ssrc) 1545 bcopy(ssrc, &ipo->ipo_src, 1546 sizeof(union sockaddr_union)); 1547 else 1548 bzero(&ipo->ipo_src, sizeof(union sockaddr_union)); 1549 1550 ipo->ipo_sproto = SADB_X_GETSPROTO(smsg->sadb_msg_satype); 1551 1552 if (ipo->ipo_srcid) { 1553 ipsp_reffree(ipo->ipo_srcid); 1554 ipo->ipo_srcid = NULL; 1555 } 1556 1557 if (ipo->ipo_dstid) { 1558 ipsp_reffree(ipo->ipo_dstid); 1559 ipo->ipo_dstid = NULL; 1560 } 1561 1562 if ((sid = headers[SADB_EXT_IDENTITY_SRC]) != NULL) { 1563 int clen = (sid->sadb_ident_len * sizeof(u_int64_t)) - 1564 sizeof(struct sadb_ident); 1565 1566 MALLOC(ipo->ipo_srcid, struct ipsec_ref *, clen + 1567 sizeof(struct ipsec_ref), M_CREDENTIALS, M_DONTWAIT); 1568 if (ipo->ipo_srcid == NULL) { 1569 if (exists) 1570 ipsec_delete_policy(ipo); 1571 else 1572 pool_put(&ipsec_policy_pool, ipo); 1573 splx(s); 1574 rval = ENOBUFS; 1575 goto ret; 1576 } 1577 ipo->ipo_srcid->ref_type = sid->sadb_ident_type; 1578 ipo->ipo_srcid->ref_len = clen; 1579 ipo->ipo_srcid->ref_count = 1; 1580 ipo->ipo_srcid->ref_malloctype = M_CREDENTIALS; 1581 bcopy(sid + 1, ipo->ipo_srcid + 1, ipo->ipo_srcid->ref_len); 1582 } 1583 1584 if ((sid = headers[SADB_EXT_IDENTITY_DST]) != NULL) { 1585 int clen = (sid->sadb_ident_len * sizeof(u_int64_t)) - 1586 sizeof(struct sadb_ident); 1587 1588 MALLOC(ipo->ipo_dstid, struct ipsec_ref *, 1589 clen + sizeof(struct ipsec_ref), 1590 M_CREDENTIALS, M_DONTWAIT); 1591 if (ipo->ipo_dstid == NULL) { 1592 if (exists) 1593 ipsec_delete_policy(ipo); 1594 else { 1595 if (ipo->ipo_dstid) 1596 ipsp_reffree(ipo->ipo_dstid); 1597 pool_put(&ipsec_policy_pool, ipo); 1598 } 1599 1600 splx(s); 1601 rval = ENOBUFS; 1602 goto ret; 1603 } 1604 ipo->ipo_dstid->ref_type = sid->sadb_ident_type; 1605 ipo->ipo_dstid->ref_len = clen; 1606 ipo->ipo_dstid->ref_count = 1; 1607 ipo->ipo_dstid->ref_malloctype = M_CREDENTIALS; 1608 bcopy(sid + 1, ipo->ipo_dstid + 1, 1609 ipo->ipo_dstid->ref_len); 1610 } 1611 1612 /* Flow type */ 1613 if (!exists) { 1614 /* Add SPD entry */ 1615 if ((rval = rtrequest(RTM_ADD, 1616 (struct sockaddr *) &encapdst, 1617 (struct sockaddr *) &encapgw, 1618 (struct sockaddr *) &encapnetmask, 1619 RTF_UP | RTF_GATEWAY | RTF_STATIC, 1620 (struct rtentry **) 0)) != 0) { 1621 /* Remove from linked list of policies on TDB */ 1622 if (ipo->ipo_tdb) 1623 TAILQ_REMOVE(&ipo->ipo_tdb->tdb_policy_head, 1624 ipo, ipo_tdb_next); 1625 1626 if (ipo->ipo_srcid) 1627 ipsp_reffree(ipo->ipo_srcid); 1628 if (ipo->ipo_dstid) 1629 ipsp_reffree(ipo->ipo_dstid); 1630 pool_put(&ipsec_policy_pool, ipo); 1631 1632 splx(s); 1633 goto ret; 1634 } 1635 1636 TAILQ_INSERT_HEAD(&ipsec_policy_head, ipo, ipo_list); 1637 ipsec_in_use++; 1638 } else { 1639 ipo->ipo_last_searched = ipo->ipo_flags = 0; 1640 } 1641 1642 splx(s); 1643 } 1644 break; 1645 1646 case SADB_X_PROMISC: 1647 if (len >= 2 * sizeof(struct sadb_msg)) { 1648 struct mbuf *packet; 1649 1650 if ((rval = pfdatatopacket(message, len, &packet)) != 0) 1651 goto ret; 1652 1653 for (so = pfkeyv2_sockets; so; so = so->next) 1654 if ((so != pfkeyv2_socket) && 1655 (!smsg->sadb_msg_seq || 1656 (smsg->sadb_msg_seq == pfkeyv2_socket->pid))) 1657 pfkey_sendup(so->socket, packet, 1); 1658 1659 m_freem(packet); 1660 } else { 1661 if (len != sizeof(struct sadb_msg)) { 1662 rval = EINVAL; 1663 goto ret; 1664 } 1665 1666 i = (pfkeyv2_socket->flags & 1667 PFKEYV2_SOCKETFLAGS_PROMISC) ? 1 : 0; 1668 j = smsg->sadb_msg_satype ? 1 : 0; 1669 1670 if (i ^ j) { 1671 if (j) { 1672 pfkeyv2_socket->flags |= 1673 PFKEYV2_SOCKETFLAGS_PROMISC; 1674 npromisc++; 1675 } 1676 } else { 1677 pfkeyv2_socket->flags &= 1678 ~PFKEYV2_SOCKETFLAGS_PROMISC; 1679 npromisc--; 1680 } 1681 } 1682 1683 1684 break; 1685 1686 default: 1687 rval = EINVAL; 1688 goto ret; 1689 } 1690 1691 ret: 1692 if (rval) { 1693 if ((rval == EINVAL) || (rval == ENOMEM) || (rval == ENOBUFS)) 1694 goto realret; 1695 1696 for (i = 1; i <= SADB_EXT_MAX; i++) 1697 headers[i] = NULL; 1698 1699 smsg->sadb_msg_errno = abs(rval); 1700 } else { 1701 uint32_t seen = 0; 1702 1703 for (i = 1; i <= SADB_EXT_MAX; i++) 1704 if (headers[i]) 1705 seen |= (1 << i); 1706 1707 if ((seen & sadb_exts_allowed_out[smsg->sadb_msg_type]) 1708 != seen) 1709 goto realret; 1710 1711 if ((seen & sadb_exts_required_out[smsg->sadb_msg_type]) != 1712 sadb_exts_required_out[smsg->sadb_msg_type]) 1713 goto realret; 1714 } 1715 1716 rval = pfkeyv2_sendmessage(headers, mode, socket, 0, 0); 1717 1718 realret: 1719 if (freeme) 1720 free(freeme, M_PFKEY); 1721 1722 free(message, M_PFKEY); 1723 1724 return (rval); 1725 1726 splxret: 1727 splx(s); 1728 goto ret; 1729 } 1730 1731 /* 1732 * Send an ACQUIRE message to key management, to get a new SA. 1733 */ 1734 int 1735 pfkeyv2_acquire(struct ipsec_policy *ipo, union sockaddr_union *gw, 1736 union sockaddr_union *laddr, u_int32_t *seq, 1737 struct sockaddr_encap *ddst) 1738 { 1739 void *p, *headers[SADB_EXT_MAX + 1], *buffer = NULL; 1740 struct sadb_ident *srcid, *dstid; 1741 struct sadb_x_cred *lcred, *lauth; 1742 struct sadb_comb *sadb_comb; 1743 struct sadb_address *sadd; 1744 struct sadb_prop *sa_prop; 1745 struct sadb_msg *smsg; 1746 int rval = 0; 1747 int i, j; 1748 1749 *seq = pfkeyv2_seq++; 1750 1751 if (!nregistered) { 1752 rval = ESRCH; 1753 goto ret; 1754 } 1755 1756 /* How large a buffer do we need... XXX we only do one proposal for now */ 1757 i = sizeof(struct sadb_msg) + 1758 (laddr == NULL ? 0 : sizeof(struct sadb_address) + 1759 PADUP(SA_LEN(&ipo->ipo_src.sa))) + 1760 sizeof(struct sadb_address) + PADUP(SA_LEN(&gw->sa)) + 1761 sizeof(struct sadb_prop) + 1 * sizeof(struct sadb_comb); 1762 1763 if (ipo->ipo_srcid) 1764 i += sizeof(struct sadb_ident) + PADUP(ipo->ipo_srcid->ref_len); 1765 1766 if (ipo->ipo_dstid) 1767 i += sizeof(struct sadb_ident) + PADUP(ipo->ipo_dstid->ref_len); 1768 1769 1770 /* Allocate */ 1771 if (!(p = malloc(i, M_PFKEY, M_DONTWAIT))) { 1772 rval = ENOMEM; 1773 goto ret; 1774 } 1775 1776 bzero(headers, sizeof(headers)); 1777 1778 buffer = p; 1779 bzero(p, i); 1780 1781 headers[0] = p; 1782 p += sizeof(struct sadb_msg); 1783 1784 smsg = (struct sadb_msg *) headers[0]; 1785 smsg->sadb_msg_version = PF_KEY_V2; 1786 smsg->sadb_msg_type = SADB_ACQUIRE; 1787 smsg->sadb_msg_len = i / sizeof(uint64_t); 1788 smsg->sadb_msg_seq = *seq; 1789 1790 if (ipo->ipo_sproto == IPPROTO_ESP) 1791 smsg->sadb_msg_satype = SADB_SATYPE_ESP; 1792 else if (ipo->ipo_sproto == IPPROTO_AH) 1793 smsg->sadb_msg_satype = SADB_SATYPE_AH; 1794 else if (ipo->ipo_sproto == IPPROTO_IPCOMP) 1795 smsg->sadb_msg_satype = SADB_X_SATYPE_IPCOMP; 1796 1797 if (laddr) { 1798 headers[SADB_EXT_ADDRESS_SRC] = p; 1799 p += sizeof(struct sadb_address) + PADUP(SA_LEN(&laddr->sa)); 1800 sadd = (struct sadb_address *) headers[SADB_EXT_ADDRESS_SRC]; 1801 sadd->sadb_address_len = (sizeof(struct sadb_address) + 1802 SA_LEN(&laddr->sa) + sizeof(uint64_t) - 1) / 1803 sizeof(uint64_t); 1804 bcopy(laddr, headers[SADB_EXT_ADDRESS_SRC] + 1805 sizeof(struct sadb_address), SA_LEN(&laddr->sa)); 1806 } 1807 1808 headers[SADB_EXT_ADDRESS_DST] = p; 1809 p += sizeof(struct sadb_address) + PADUP(SA_LEN(&gw->sa)); 1810 sadd = (struct sadb_address *) headers[SADB_EXT_ADDRESS_DST]; 1811 sadd->sadb_address_len = (sizeof(struct sadb_address) + 1812 SA_LEN(&gw->sa) + sizeof(uint64_t) - 1) / sizeof(uint64_t); 1813 bcopy(gw, headers[SADB_EXT_ADDRESS_DST] + sizeof(struct sadb_address), 1814 SA_LEN(&gw->sa)); 1815 1816 if (ipo->ipo_srcid) { 1817 headers[SADB_EXT_IDENTITY_SRC] = p; 1818 p += sizeof(struct sadb_ident) + PADUP(ipo->ipo_srcid->ref_len); 1819 srcid = (struct sadb_ident *) headers[SADB_EXT_IDENTITY_SRC]; 1820 srcid->sadb_ident_len = (sizeof(struct sadb_ident) + 1821 PADUP(ipo->ipo_srcid->ref_len)) / sizeof(u_int64_t); 1822 srcid->sadb_ident_type = ipo->ipo_srcid->ref_type; 1823 bcopy(ipo->ipo_srcid + 1, headers[SADB_EXT_IDENTITY_SRC] + 1824 sizeof(struct sadb_ident), ipo->ipo_srcid->ref_len); 1825 } 1826 1827 if (ipo->ipo_dstid) { 1828 headers[SADB_EXT_IDENTITY_DST] = p; 1829 p += sizeof(struct sadb_ident) + PADUP(ipo->ipo_dstid->ref_len); 1830 dstid = (struct sadb_ident *) headers[SADB_EXT_IDENTITY_DST]; 1831 dstid->sadb_ident_len = (sizeof(struct sadb_ident) + 1832 PADUP(ipo->ipo_dstid->ref_len)) / sizeof(u_int64_t); 1833 dstid->sadb_ident_type = ipo->ipo_dstid->ref_type; 1834 bcopy(ipo->ipo_dstid + 1, headers[SADB_EXT_IDENTITY_DST] + 1835 sizeof(struct sadb_ident), ipo->ipo_dstid->ref_len); 1836 } 1837 1838 if (ipo->ipo_local_cred) { 1839 headers[SADB_X_EXT_LOCAL_CREDENTIALS] = p; 1840 p += sizeof(struct sadb_x_cred) + PADUP(ipo->ipo_local_cred->ref_len); 1841 lcred = (struct sadb_x_cred *) headers[SADB_X_EXT_LOCAL_CREDENTIALS]; 1842 lcred->sadb_x_cred_len = (sizeof(struct sadb_x_cred) + 1843 PADUP(ipo->ipo_local_cred->ref_len)) / sizeof(u_int64_t); 1844 switch (ipo->ipo_local_cred->ref_type) { 1845 case IPSP_CRED_KEYNOTE: 1846 lcred->sadb_x_cred_type = SADB_X_CREDTYPE_KEYNOTE; 1847 break; 1848 case IPSP_CRED_X509: 1849 lcred->sadb_x_cred_type = SADB_X_CREDTYPE_X509; 1850 break; 1851 } 1852 bcopy(ipo->ipo_local_cred + 1, headers[SADB_X_EXT_LOCAL_CREDENTIALS] + 1853 sizeof(struct sadb_x_cred), ipo->ipo_local_cred->ref_len); 1854 } 1855 1856 if (ipo->ipo_local_auth) { 1857 headers[SADB_X_EXT_LOCAL_AUTH] = p; 1858 p += sizeof(struct sadb_x_cred) + PADUP(ipo->ipo_local_auth->ref_len); 1859 lauth = (struct sadb_x_cred *) headers[SADB_X_EXT_LOCAL_AUTH]; 1860 lauth->sadb_x_cred_len = (sizeof(struct sadb_x_cred) + 1861 PADUP(ipo->ipo_local_auth->ref_len)) / sizeof(u_int64_t); 1862 switch (ipo->ipo_local_auth->ref_type) { 1863 case IPSP_AUTH_PASSPHRASE: 1864 lauth->sadb_x_cred_type = SADB_X_AUTHTYPE_PASSPHRASE; 1865 break; 1866 case IPSP_AUTH_RSA: 1867 lauth->sadb_x_cred_type = SADB_X_AUTHTYPE_RSA; 1868 break; 1869 } 1870 1871 bcopy(ipo->ipo_local_auth + 1, headers[SADB_X_EXT_LOCAL_AUTH] + 1872 sizeof(struct sadb_x_cred), ipo->ipo_local_auth->ref_len); 1873 } 1874 1875 headers[SADB_EXT_PROPOSAL] = p; 1876 p += sizeof(struct sadb_prop); 1877 sa_prop = (struct sadb_prop *) headers[SADB_EXT_PROPOSAL]; 1878 sa_prop->sadb_prop_num = 1; /* XXX One proposal only */ 1879 sa_prop->sadb_prop_len = (sizeof(struct sadb_prop) + 1880 (sizeof(struct sadb_comb) * sa_prop->sadb_prop_num)) / 1881 sizeof(uint64_t); 1882 1883 sadb_comb = p; 1884 1885 /* XXX Should actually ask the crypto layer what's supported */ 1886 for (j = 0; j < sa_prop->sadb_prop_num; j++) { 1887 sadb_comb->sadb_comb_flags = 0; 1888 1889 if (ipsec_require_pfs) 1890 sadb_comb->sadb_comb_flags |= SADB_SAFLAGS_PFS; 1891 1892 /* Set the encryption algorithm */ 1893 if (ipo->ipo_sproto == IPPROTO_ESP) { 1894 if (!strncasecmp(ipsec_def_enc, "aes", 1895 sizeof("aes"))) { 1896 sadb_comb->sadb_comb_encrypt = SADB_X_EALG_AES; 1897 sadb_comb->sadb_comb_encrypt_minbits = 64; 1898 sadb_comb->sadb_comb_encrypt_maxbits = 256; 1899 } else if (!strncasecmp(ipsec_def_enc, "3des", 1900 sizeof("3des"))) { 1901 sadb_comb->sadb_comb_encrypt = SADB_EALG_3DESCBC; 1902 sadb_comb->sadb_comb_encrypt_minbits = 192; 1903 sadb_comb->sadb_comb_encrypt_maxbits = 192; 1904 } else if (!strncasecmp(ipsec_def_enc, "des", 1905 sizeof("des"))) { 1906 sadb_comb->sadb_comb_encrypt = SADB_EALG_DESCBC; 1907 sadb_comb->sadb_comb_encrypt_minbits = 64; 1908 sadb_comb->sadb_comb_encrypt_maxbits = 64; 1909 } else if (!strncasecmp(ipsec_def_enc, "blowfish", 1910 sizeof("blowfish"))) { 1911 sadb_comb->sadb_comb_encrypt = SADB_X_EALG_BLF; 1912 sadb_comb->sadb_comb_encrypt_minbits = 40; 1913 sadb_comb->sadb_comb_encrypt_maxbits = BLF_MAXKEYLEN * 8; 1914 } else if (!strncasecmp(ipsec_def_enc, "skipjack", 1915 sizeof("skipjack"))) { 1916 sadb_comb->sadb_comb_encrypt = SADB_X_EALG_SKIPJACK; 1917 sadb_comb->sadb_comb_encrypt_minbits = 80; 1918 sadb_comb->sadb_comb_encrypt_maxbits = 80; 1919 } else if (!strncasecmp(ipsec_def_enc, "cast128", 1920 sizeof("cast128"))) { 1921 sadb_comb->sadb_comb_encrypt = SADB_X_EALG_CAST; 1922 sadb_comb->sadb_comb_encrypt_minbits = 40; 1923 sadb_comb->sadb_comb_encrypt_maxbits = 128; 1924 } 1925 } else if (ipo->ipo_sproto == IPPROTO_IPCOMP) { 1926 /* Set the compression algorithm */ 1927 if (!strncasecmp(ipsec_def_comp, "deflate", 1928 sizeof("deflate"))) { 1929 sadb_comb->sadb_comb_encrypt = SADB_X_CALG_DEFLATE; 1930 sadb_comb->sadb_comb_encrypt_minbits = 0; 1931 sadb_comb->sadb_comb_encrypt_maxbits = 0; 1932 } else if (!strncasecmp(ipsec_def_comp, "lzs", 1933 sizeof("lzs"))) { 1934 sadb_comb->sadb_comb_encrypt = SADB_X_CALG_LZS; 1935 sadb_comb->sadb_comb_encrypt_minbits = 0; 1936 sadb_comb->sadb_comb_encrypt_maxbits = 0; 1937 } 1938 } 1939 1940 /* Set the authentication algorithm */ 1941 if (!strncasecmp(ipsec_def_auth, "hmac-sha1", 1942 sizeof("hmac-sha1"))) { 1943 sadb_comb->sadb_comb_auth = SADB_AALG_SHA1HMAC; 1944 sadb_comb->sadb_comb_auth_minbits = 160; 1945 sadb_comb->sadb_comb_auth_maxbits = 160; 1946 } else if (!strncasecmp(ipsec_def_auth, "hmac-ripemd160", 1947 sizeof("hmac_ripemd160"))) { 1948 sadb_comb->sadb_comb_auth = SADB_X_AALG_RIPEMD160HMAC; 1949 sadb_comb->sadb_comb_auth_minbits = 160; 1950 sadb_comb->sadb_comb_auth_maxbits = 160; 1951 } else if (!strncasecmp(ipsec_def_auth, "hmac-md5", 1952 sizeof("hmac-md5"))) { 1953 sadb_comb->sadb_comb_auth = SADB_AALG_MD5HMAC; 1954 sadb_comb->sadb_comb_auth_minbits = 128; 1955 sadb_comb->sadb_comb_auth_maxbits = 128; 1956 } else if (!strncasecmp(ipsec_def_auth, "hmac-sha2-256", 1957 sizeof("hmac-sha2-256"))) { 1958 sadb_comb->sadb_comb_auth = SADB_X_AALG_SHA2_256; 1959 sadb_comb->sadb_comb_auth_minbits = 256; 1960 sadb_comb->sadb_comb_auth_maxbits = 256; 1961 } else if (!strncasecmp(ipsec_def_auth, "hmac-sha2-384", 1962 sizeof("hmac-sha2-384"))) { 1963 sadb_comb->sadb_comb_auth = SADB_X_AALG_SHA2_384; 1964 sadb_comb->sadb_comb_auth_minbits = 384; 1965 sadb_comb->sadb_comb_auth_maxbits = 384; 1966 } else if (!strncasecmp(ipsec_def_auth, "hmac-sha2-512", 1967 sizeof("hmac-sha2-512"))) { 1968 sadb_comb->sadb_comb_auth = SADB_X_AALG_SHA2_512; 1969 sadb_comb->sadb_comb_auth_minbits = 512; 1970 sadb_comb->sadb_comb_auth_maxbits = 512; 1971 } 1972 1973 sadb_comb->sadb_comb_soft_allocations = ipsec_soft_allocations; 1974 sadb_comb->sadb_comb_hard_allocations = ipsec_exp_allocations; 1975 1976 sadb_comb->sadb_comb_soft_bytes = ipsec_soft_bytes; 1977 sadb_comb->sadb_comb_hard_bytes = ipsec_exp_bytes; 1978 1979 sadb_comb->sadb_comb_soft_addtime = ipsec_soft_timeout; 1980 sadb_comb->sadb_comb_hard_addtime = ipsec_exp_timeout; 1981 1982 sadb_comb->sadb_comb_soft_usetime = ipsec_soft_first_use; 1983 sadb_comb->sadb_comb_hard_usetime = ipsec_exp_first_use; 1984 sadb_comb++; 1985 } 1986 1987 /* Send the ACQUIRE message to all compliant registered listeners. */ 1988 if ((rval = pfkeyv2_sendmessage(headers, 1989 PFKEYV2_SENDMESSAGE_REGISTERED, NULL, smsg->sadb_msg_satype, 0)) 1990 != 0) 1991 goto ret; 1992 1993 rval = 0; 1994 ret: 1995 if (buffer != NULL) { 1996 bzero(buffer, i); 1997 free(buffer, M_PFKEY); 1998 } 1999 2000 return (rval); 2001 } 2002 2003 /* 2004 * Notify key management that an expiration went off. The second argument 2005 * specifies the type of expiration (soft or hard). 2006 */ 2007 int 2008 pfkeyv2_expire(struct tdb *sa, u_int16_t type) 2009 { 2010 void *p, *headers[SADB_EXT_MAX+1], *buffer = NULL; 2011 struct sadb_msg *smsg; 2012 int rval = 0; 2013 int i; 2014 2015 switch (sa->tdb_sproto) { 2016 case IPPROTO_AH: 2017 case IPPROTO_ESP: 2018 case IPPROTO_IPIP: 2019 case IPPROTO_IPCOMP: 2020 #ifdef TCP_SIGNATURE 2021 case IPPROTO_TCP: 2022 #endif /* TCP_SIGNATURE */ 2023 break; 2024 2025 default: 2026 rval = EOPNOTSUPP; 2027 goto ret; 2028 } 2029 2030 i = sizeof(struct sadb_msg) + sizeof(struct sadb_sa) + 2031 2 * sizeof(struct sadb_lifetime) + 2032 sizeof(struct sadb_address) + PADUP(SA_LEN(&sa->tdb_src.sa)) + 2033 sizeof(struct sadb_address) + PADUP(SA_LEN(&sa->tdb_dst.sa)); 2034 2035 if (!(p = malloc(i, M_PFKEY, M_DONTWAIT))) { 2036 rval = ENOMEM; 2037 goto ret; 2038 } 2039 2040 bzero(headers, sizeof(headers)); 2041 2042 buffer = p; 2043 bzero(p, i); 2044 2045 headers[0] = p; 2046 p += sizeof(struct sadb_msg); 2047 2048 smsg = (struct sadb_msg *) headers[0]; 2049 smsg->sadb_msg_version = PF_KEY_V2; 2050 smsg->sadb_msg_type = SADB_EXPIRE; 2051 smsg->sadb_msg_satype = sa->tdb_satype; 2052 smsg->sadb_msg_len = i / sizeof(uint64_t); 2053 smsg->sadb_msg_seq = pfkeyv2_seq++; 2054 2055 headers[SADB_EXT_SA] = p; 2056 export_sa(&p, sa); 2057 2058 headers[SADB_EXT_LIFETIME_CURRENT] = p; 2059 export_lifetime(&p, sa, 2); 2060 2061 headers[type] = p; 2062 type = (SADB_EXT_LIFETIME_SOFT ? PFKEYV2_LIFETIME_SOFT : 2063 PFKEYV2_LIFETIME_HARD); 2064 export_lifetime(&p, sa, type); 2065 2066 headers[SADB_EXT_ADDRESS_SRC] = p; 2067 export_address(&p, (struct sockaddr *) &sa->tdb_src); 2068 2069 headers[SADB_EXT_ADDRESS_DST] = p; 2070 export_address(&p, (struct sockaddr *) &sa->tdb_dst); 2071 2072 if ((rval = pfkeyv2_sendmessage(headers, PFKEYV2_SENDMESSAGE_BROADCAST, 2073 NULL, 0, 0)) != 0) 2074 goto ret; 2075 2076 rval = 0; 2077 2078 ret: 2079 if (buffer != NULL) { 2080 bzero(buffer, i); 2081 free(buffer, M_PFKEY); 2082 } 2083 2084 return (rval); 2085 } 2086 2087 int 2088 pfkeyv2_init(void) 2089 { 2090 int rval; 2091 2092 bzero(&pfkeyv2_version, sizeof(struct pfkey_version)); 2093 pfkeyv2_version.protocol = PFKEYV2_PROTOCOL; 2094 pfkeyv2_version.create = &pfkeyv2_create; 2095 pfkeyv2_version.release = &pfkeyv2_release; 2096 pfkeyv2_version.send = &pfkeyv2_send; 2097 2098 rval = pfkey_register(&pfkeyv2_version); 2099 return (rval); 2100 } 2101 2102 int 2103 pfkeyv2_cleanup(void) 2104 { 2105 pfkey_unregister(&pfkeyv2_version); 2106 return (0); 2107 } 2108