First steps towards IPSec cleanup.
Make the kernel side of FAST_IPSEC not depend on the shared structures defined in /usr/include/net/pfkeyv2.h The kernel now defines all the necessary in kernel structures in sys/netipsec/keydb.h and does the proper massaging when moving messages around. Sponsored By: Secure Computing
This commit is contained in:
parent
90d1d883e9
commit
a0196c3c89
@ -92,6 +92,7 @@
|
||||
|
||||
#include <machine/in_cksum.h>
|
||||
|
||||
#define IPSEC_DEBUG
|
||||
#ifdef IPSEC_DEBUG
|
||||
int ipsec_debug = 1;
|
||||
#else
|
||||
|
@ -420,7 +420,10 @@ static struct mbuf *key_setsadbaddr __P((u_int16_t,
|
||||
static struct mbuf *key_setsadbxsa2 __P((u_int8_t, u_int32_t, u_int32_t));
|
||||
static struct mbuf *key_setsadbxpolicy __P((u_int16_t, u_int8_t,
|
||||
u_int32_t));
|
||||
static void *key_dup(const void *, u_int, struct malloc_type *);
|
||||
static struct seckey *key_dup_keymsg(const struct sadb_key *, u_int,
|
||||
struct malloc_type *);
|
||||
static struct seclifetime *key_dup_lifemsg(const struct sadb_lifetime *src,
|
||||
struct malloc_type *type);
|
||||
#ifdef INET6
|
||||
static int key_ismyaddr6 __P((struct sockaddr_in6 *));
|
||||
#endif
|
||||
@ -488,6 +491,10 @@ static int key_promisc __P((struct socket *, struct mbuf *,
|
||||
static int key_senderror __P((struct socket *, struct mbuf *, int));
|
||||
static int key_validate_ext __P((const struct sadb_ext *, int));
|
||||
static int key_align __P((struct mbuf *, struct sadb_msghdr *));
|
||||
static struct mbuf *key_setlifetime(struct seclifetime *src,
|
||||
u_int16_t exttype);
|
||||
static struct mbuf *key_setkey(struct seckey *src, u_int16_t exttype);
|
||||
|
||||
#if 0
|
||||
static const char *key_getfqdn __P((void));
|
||||
static const char *key_getuserfqdn __P((void));
|
||||
@ -909,8 +916,8 @@ key_do_allocsa_policy(struct secashead *sah, u_int state)
|
||||
|
||||
/* What the best method is to compare ? */
|
||||
if (key_preferred_oldsa) {
|
||||
if (candidate->lft_c->sadb_lifetime_addtime >
|
||||
sav->lft_c->sadb_lifetime_addtime) {
|
||||
if (candidate->lft_c->addtime >
|
||||
sav->lft_c->addtime) {
|
||||
candidate = sav;
|
||||
}
|
||||
continue;
|
||||
@ -918,8 +925,8 @@ key_do_allocsa_policy(struct secashead *sah, u_int state)
|
||||
}
|
||||
|
||||
/* preferred new sa rather than old sa */
|
||||
if (candidate->lft_c->sadb_lifetime_addtime <
|
||||
sav->lft_c->sadb_lifetime_addtime) {
|
||||
if (candidate->lft_c->addtime <
|
||||
sav->lft_c->addtime) {
|
||||
d = candidate;
|
||||
candidate = sav;
|
||||
} else
|
||||
@ -930,7 +937,7 @@ key_do_allocsa_policy(struct secashead *sah, u_int state)
|
||||
* suitable candidate and the lifetime of the SA is not
|
||||
* permanent.
|
||||
*/
|
||||
if (d->lft_c->sadb_lifetime_addtime != 0) {
|
||||
if (d->lft_c->addtime != 0) {
|
||||
struct mbuf *m, *result;
|
||||
u_int8_t satype;
|
||||
|
||||
@ -2787,15 +2794,19 @@ key_cleansav(struct secasvar *sav)
|
||||
} else {
|
||||
KASSERT(sav->iv == NULL, ("iv but no xform"));
|
||||
if (sav->key_auth != NULL)
|
||||
bzero(_KEYBUF(sav->key_auth), _KEYLEN(sav->key_auth));
|
||||
bzero(sav->key_auth->key_data, _KEYLEN(sav->key_auth));
|
||||
if (sav->key_enc != NULL)
|
||||
bzero(_KEYBUF(sav->key_enc), _KEYLEN(sav->key_enc));
|
||||
bzero(sav->key_enc->key_data, _KEYLEN(sav->key_enc));
|
||||
}
|
||||
if (sav->key_auth != NULL) {
|
||||
if (sav->key_auth->key_data != NULL)
|
||||
free(sav->key_auth->key_data, M_IPSEC_MISC);
|
||||
free(sav->key_auth, M_IPSEC_MISC);
|
||||
sav->key_auth = NULL;
|
||||
}
|
||||
if (sav->key_enc != NULL) {
|
||||
if (sav->key_enc->key_data != NULL)
|
||||
free(sav->key_enc->key_data, M_IPSEC_MISC);
|
||||
free(sav->key_enc, M_IPSEC_MISC);
|
||||
sav->key_enc = NULL;
|
||||
}
|
||||
@ -3038,9 +3049,11 @@ key_setsaval(sav, m, mhp)
|
||||
goto fail;
|
||||
}
|
||||
|
||||
sav->key_auth = key_dup(key0, len, M_IPSEC_MISC);
|
||||
if (sav->key_auth == NULL) {
|
||||
ipseclog((LOG_DEBUG, "%s: No more memory.\n",__func__));
|
||||
sav->key_auth = (struct seckey *)key_dup_keymsg(key0, len,
|
||||
M_IPSEC_MISC);
|
||||
if (sav->key_auth == NULL ) {
|
||||
ipseclog((LOG_DEBUG, "%s: No more memory.\n",
|
||||
__func__));
|
||||
error = ENOBUFS;
|
||||
goto fail;
|
||||
}
|
||||
@ -3066,7 +3079,9 @@ key_setsaval(sav, m, mhp)
|
||||
error = EINVAL;
|
||||
break;
|
||||
}
|
||||
sav->key_enc = key_dup(key0, len, M_IPSEC_MISC);
|
||||
sav->key_enc = (struct seckey *)key_dup_keymsg(key0,
|
||||
len,
|
||||
M_IPSEC_MISC);
|
||||
if (sav->key_enc == NULL) {
|
||||
ipseclog((LOG_DEBUG, "%s: No more memory.\n",
|
||||
__func__));
|
||||
@ -3126,13 +3141,10 @@ key_setsaval(sav, m, mhp)
|
||||
goto fail;
|
||||
}
|
||||
|
||||
sav->lft_c->sadb_lifetime_len =
|
||||
PFKEY_UNIT64(sizeof(struct sadb_lifetime));
|
||||
sav->lft_c->sadb_lifetime_exttype = SADB_EXT_LIFETIME_CURRENT;
|
||||
sav->lft_c->sadb_lifetime_allocations = 0;
|
||||
sav->lft_c->sadb_lifetime_bytes = 0;
|
||||
sav->lft_c->sadb_lifetime_addtime = time_second;
|
||||
sav->lft_c->sadb_lifetime_usetime = 0;
|
||||
sav->lft_c->allocations = 0;
|
||||
sav->lft_c->bytes = 0;
|
||||
sav->lft_c->addtime = time_second;
|
||||
sav->lft_c->usetime = 0;
|
||||
|
||||
/* lifetimes for HARD and SOFT */
|
||||
{
|
||||
@ -3144,7 +3156,7 @@ key_setsaval(sav, m, mhp)
|
||||
error = EINVAL;
|
||||
goto fail;
|
||||
}
|
||||
sav->lft_h = key_dup(lft0, sizeof(*lft0), M_IPSEC_MISC);
|
||||
sav->lft_h = key_dup_lifemsg(lft0, M_IPSEC_MISC);
|
||||
if (sav->lft_h == NULL) {
|
||||
ipseclog((LOG_DEBUG, "%s: No more memory.\n",__func__));
|
||||
error = ENOBUFS;
|
||||
@ -3159,7 +3171,7 @@ key_setsaval(sav, m, mhp)
|
||||
error = EINVAL;
|
||||
goto fail;
|
||||
}
|
||||
sav->lft_s = key_dup(lft0, sizeof(*lft0), M_IPSEC_MISC);
|
||||
sav->lft_s = key_dup_lifemsg(lft0, M_IPSEC_MISC);
|
||||
if (sav->lft_s == NULL) {
|
||||
ipseclog((LOG_DEBUG, "%s: No more memory.\n",__func__));
|
||||
error = ENOBUFS;
|
||||
@ -3271,9 +3283,7 @@ key_setdumpsa(sav, type, satype, seq, pid)
|
||||
u_int32_t seq, pid;
|
||||
{
|
||||
struct mbuf *result = NULL, *tres = NULL, *m;
|
||||
int l = 0;
|
||||
int i;
|
||||
void *p;
|
||||
int dumporder[] = {
|
||||
SADB_EXT_SA, SADB_X_EXT_SA2,
|
||||
SADB_EXT_LIFETIME_HARD, SADB_EXT_LIFETIME_SOFT,
|
||||
@ -3290,7 +3300,6 @@ key_setdumpsa(sav, type, satype, seq, pid)
|
||||
|
||||
for (i = sizeof(dumporder)/sizeof(dumporder[0]) - 1; i >= 0; i--) {
|
||||
m = NULL;
|
||||
p = NULL;
|
||||
switch (dumporder[i]) {
|
||||
case SADB_EXT_SA:
|
||||
m = key_setsadbsa(sav);
|
||||
@ -3325,36 +3334,45 @@ key_setdumpsa(sav, type, satype, seq, pid)
|
||||
case SADB_EXT_KEY_AUTH:
|
||||
if (!sav->key_auth)
|
||||
continue;
|
||||
l = PFKEY_UNUNIT64(sav->key_auth->sadb_key_len);
|
||||
p = sav->key_auth;
|
||||
m = key_setkey(sav->key_auth, SADB_EXT_KEY_AUTH);
|
||||
if (!m)
|
||||
goto fail;
|
||||
break;
|
||||
|
||||
case SADB_EXT_KEY_ENCRYPT:
|
||||
if (!sav->key_enc)
|
||||
continue;
|
||||
l = PFKEY_UNUNIT64(sav->key_enc->sadb_key_len);
|
||||
p = sav->key_enc;
|
||||
m = key_setkey(sav->key_enc, SADB_EXT_KEY_ENCRYPT);
|
||||
if (!m)
|
||||
goto fail;
|
||||
break;
|
||||
|
||||
case SADB_EXT_LIFETIME_CURRENT:
|
||||
if (!sav->lft_c)
|
||||
continue;
|
||||
l = PFKEY_UNUNIT64(((struct sadb_ext *)sav->lft_c)->sadb_ext_len);
|
||||
p = sav->lft_c;
|
||||
m = key_setlifetime(sav->lft_c,
|
||||
SADB_EXT_LIFETIME_CURRENT);
|
||||
if (!m)
|
||||
goto fail;
|
||||
break;
|
||||
|
||||
case SADB_EXT_LIFETIME_HARD:
|
||||
if (!sav->lft_h)
|
||||
continue;
|
||||
l = PFKEY_UNUNIT64(((struct sadb_ext *)sav->lft_h)->sadb_ext_len);
|
||||
p = sav->lft_h;
|
||||
m = key_setlifetime(sav->lft_h,
|
||||
SADB_EXT_LIFETIME_HARD);
|
||||
if (!m)
|
||||
goto fail;
|
||||
break;
|
||||
|
||||
case SADB_EXT_LIFETIME_SOFT:
|
||||
if (!sav->lft_s)
|
||||
continue;
|
||||
l = PFKEY_UNUNIT64(((struct sadb_ext *)sav->lft_s)->sadb_ext_len);
|
||||
p = sav->lft_s;
|
||||
m = key_setlifetime(sav->lft_h,
|
||||
SADB_EXT_LIFETIME_SOFT);
|
||||
|
||||
if (!m)
|
||||
goto fail;
|
||||
break;
|
||||
|
||||
case SADB_EXT_ADDRESS_PROXY:
|
||||
@ -3366,29 +3384,15 @@ key_setdumpsa(sav, type, satype, seq, pid)
|
||||
continue;
|
||||
}
|
||||
|
||||
if ((!m && !p) || (m && p))
|
||||
if (!m)
|
||||
goto fail;
|
||||
if (p && tres) {
|
||||
M_PREPEND(tres, l, M_DONTWAIT);
|
||||
if (!tres)
|
||||
goto fail;
|
||||
bcopy(p, mtod(tres, caddr_t), l);
|
||||
continue;
|
||||
}
|
||||
if (p) {
|
||||
m = key_alloc_mbuf(l);
|
||||
if (!m)
|
||||
goto fail;
|
||||
m_copyback(m, 0, l, p);
|
||||
}
|
||||
|
||||
if (tres)
|
||||
m_cat(m, tres);
|
||||
tres = m;
|
||||
|
||||
}
|
||||
|
||||
m_cat(result, tres);
|
||||
|
||||
if (result->m_len < sizeof(struct sadb_msg)) {
|
||||
result = m_pullup(result, sizeof(struct sadb_msg));
|
||||
if (result == NULL)
|
||||
@ -3609,21 +3613,63 @@ key_setsadbxpolicy(type, dir, id)
|
||||
}
|
||||
|
||||
/* %%% utilities */
|
||||
/*
|
||||
* copy a buffer into the new buffer allocated.
|
||||
/* Take a key message (sadb_key) from the socket and turn it into one
|
||||
* of the kernel's key structures (seckey).
|
||||
*
|
||||
* IN: pointer to the src
|
||||
* OUT: NULL no more memory
|
||||
*/
|
||||
static void *
|
||||
key_dup(const void *src, u_int len, struct malloc_type *type)
|
||||
struct seckey *
|
||||
key_dup_keymsg(const struct sadb_key *src, u_int len,
|
||||
struct malloc_type *type)
|
||||
{
|
||||
void *copy;
|
||||
struct seckey *dst;
|
||||
dst = (struct seckey *)malloc(sizeof(struct seckey), type, M_NOWAIT);
|
||||
if (dst != NULL) {
|
||||
dst->bits = src->sadb_key_bits;
|
||||
dst->key_data = (char *)malloc(len, type, M_NOWAIT);
|
||||
if (dst->key_data != NULL) {
|
||||
bcopy((const char *)src + sizeof(struct sadb_key),
|
||||
dst->key_data, len);
|
||||
} else {
|
||||
ipseclog((LOG_DEBUG, "%s: No more memory.\n",
|
||||
__func__));
|
||||
free(dst, type);
|
||||
dst = NULL;
|
||||
}
|
||||
} else {
|
||||
ipseclog((LOG_DEBUG, "%s: No more memory.\n",
|
||||
__func__));
|
||||
|
||||
copy = malloc(len, type, M_NOWAIT);
|
||||
if (copy == NULL) {
|
||||
}
|
||||
return dst;
|
||||
}
|
||||
|
||||
/* Take a lifetime message (sadb_lifetime) passed in on a socket and
|
||||
* turn it into one of the kernel's lifetime structures (seclifetime).
|
||||
*
|
||||
* IN: pointer to the destination, source and malloc type
|
||||
* OUT: NULL, no more memory
|
||||
*/
|
||||
|
||||
static struct seclifetime *
|
||||
key_dup_lifemsg(const struct sadb_lifetime *src,
|
||||
struct malloc_type *type)
|
||||
{
|
||||
struct seclifetime *dst = NULL;
|
||||
|
||||
dst = (struct seclifetime *)malloc(sizeof(struct seclifetime),
|
||||
type, M_NOWAIT);
|
||||
if (dst == NULL) {
|
||||
/* XXX counter */
|
||||
ipseclog((LOG_DEBUG, "%s: No more memory.\n", __func__));
|
||||
} else
|
||||
bcopy(src, copy, len);
|
||||
return copy;
|
||||
} else {
|
||||
dst->allocations = src->sadb_lifetime_allocations;
|
||||
dst->bytes = src->sadb_lifetime_bytes;
|
||||
dst->addtime = src->sadb_lifetime_addtime;
|
||||
dst->usetime = src->sadb_lifetime_usetime;
|
||||
}
|
||||
return dst;
|
||||
}
|
||||
|
||||
/* compare my own address
|
||||
@ -4071,13 +4117,13 @@ key_flush_sad(time_t now)
|
||||
}
|
||||
|
||||
/* check SOFT lifetime */
|
||||
if (sav->lft_s->sadb_lifetime_addtime != 0 &&
|
||||
now - sav->created > sav->lft_s->sadb_lifetime_addtime) {
|
||||
if (sav->lft_s->addtime != 0 &&
|
||||
now - sav->created > sav->lft_s->addtime) {
|
||||
/*
|
||||
* check SA to be used whether or not.
|
||||
* when SA hasn't been used, delete it.
|
||||
*/
|
||||
if (sav->lft_c->sadb_lifetime_usetime == 0) {
|
||||
if (sav->lft_c->usetime == 0) {
|
||||
key_sa_chgstate(sav, SADB_SASTATE_DEAD);
|
||||
KEY_FREESAV(&sav);
|
||||
} else {
|
||||
@ -4096,8 +4142,8 @@ key_flush_sad(time_t now)
|
||||
* when new SA is installed. Caution when it's
|
||||
* installed too big lifetime by time.
|
||||
*/
|
||||
else if (sav->lft_s->sadb_lifetime_bytes != 0 &&
|
||||
sav->lft_s->sadb_lifetime_bytes < sav->lft_c->sadb_lifetime_bytes) {
|
||||
else if (sav->lft_s->bytes != 0 &&
|
||||
sav->lft_s->bytes < sav->lft_c->bytes) {
|
||||
|
||||
key_sa_chgstate(sav, SADB_SASTATE_DYING);
|
||||
/*
|
||||
@ -4122,15 +4168,15 @@ key_flush_sad(time_t now)
|
||||
continue;
|
||||
}
|
||||
|
||||
if (sav->lft_h->sadb_lifetime_addtime != 0 &&
|
||||
now - sav->created > sav->lft_h->sadb_lifetime_addtime) {
|
||||
if (sav->lft_h->addtime != 0 &&
|
||||
now - sav->created > sav->lft_h->addtime) {
|
||||
key_sa_chgstate(sav, SADB_SASTATE_DEAD);
|
||||
KEY_FREESAV(&sav);
|
||||
}
|
||||
#if 0 /* XXX Should we keep to send expire message until HARD lifetime ? */
|
||||
else if (sav->lft_s != NULL
|
||||
&& sav->lft_s->sadb_lifetime_addtime != 0
|
||||
&& now - sav->created > sav->lft_s->sadb_lifetime_addtime) {
|
||||
&& sav->lft_s->addtime != 0
|
||||
&& now - sav->created > sav->lft_s->addtime) {
|
||||
/*
|
||||
* XXX: should be checked to be
|
||||
* installed the valid SA.
|
||||
@ -4144,8 +4190,8 @@ key_flush_sad(time_t now)
|
||||
}
|
||||
#endif
|
||||
/* check HARD lifetime by bytes */
|
||||
else if (sav->lft_h->sadb_lifetime_bytes != 0 &&
|
||||
sav->lft_h->sadb_lifetime_bytes < sav->lft_c->sadb_lifetime_bytes) {
|
||||
else if (sav->lft_h->bytes != 0 &&
|
||||
sav->lft_h->bytes < sav->lft_c->bytes) {
|
||||
key_sa_chgstate(sav, SADB_SASTATE_DEAD);
|
||||
KEY_FREESAV(&sav);
|
||||
}
|
||||
@ -4977,20 +5023,23 @@ key_setident(sah, m, mhp)
|
||||
}
|
||||
|
||||
/* make structure */
|
||||
sah->idents = malloc(idsrclen, M_IPSEC_MISC, M_NOWAIT);
|
||||
sah->idents = malloc(sizeof(struct secident), M_IPSEC_MISC, M_NOWAIT);
|
||||
if (sah->idents == NULL) {
|
||||
ipseclog((LOG_DEBUG, "%s: No more memory.\n", __func__));
|
||||
return ENOBUFS;
|
||||
}
|
||||
sah->identd = malloc(iddstlen, M_IPSEC_MISC, M_NOWAIT);
|
||||
sah->identd = malloc(sizeof(struct secident), M_IPSEC_MISC, M_NOWAIT);
|
||||
if (sah->identd == NULL) {
|
||||
free(sah->idents, M_IPSEC_MISC);
|
||||
sah->idents = NULL;
|
||||
ipseclog((LOG_DEBUG, "%s: No more memory.\n", __func__));
|
||||
return ENOBUFS;
|
||||
}
|
||||
bcopy(idsrc, sah->idents, idsrclen);
|
||||
bcopy(iddst, sah->identd, iddstlen);
|
||||
sah->idents->type = idsrc->sadb_ident_type;
|
||||
sah->idents->id = idsrc->sadb_ident_id;
|
||||
|
||||
sah->identd->type = iddst->sadb_ident_type;
|
||||
sah->identd->id = iddst->sadb_ident_id;
|
||||
|
||||
return 0;
|
||||
}
|
||||
@ -6262,10 +6311,10 @@ key_expire(struct secasvar *sav)
|
||||
lt = mtod(m, struct sadb_lifetime *);
|
||||
lt->sadb_lifetime_len = PFKEY_UNIT64(sizeof(struct sadb_lifetime));
|
||||
lt->sadb_lifetime_exttype = SADB_EXT_LIFETIME_CURRENT;
|
||||
lt->sadb_lifetime_allocations = sav->lft_c->sadb_lifetime_allocations;
|
||||
lt->sadb_lifetime_bytes = sav->lft_c->sadb_lifetime_bytes;
|
||||
lt->sadb_lifetime_addtime = sav->lft_c->sadb_lifetime_addtime;
|
||||
lt->sadb_lifetime_usetime = sav->lft_c->sadb_lifetime_usetime;
|
||||
lt->sadb_lifetime_allocations = sav->lft_c->allocations;
|
||||
lt->sadb_lifetime_bytes = sav->lft_c->bytes;
|
||||
lt->sadb_lifetime_addtime = sav->lft_c->addtime;
|
||||
lt->sadb_lifetime_usetime = sav->lft_c->usetime;
|
||||
lt = (struct sadb_lifetime *)(mtod(m, caddr_t) + len / 2);
|
||||
bcopy(sav->lft_s, lt, sizeof(*lt));
|
||||
m_cat(result, m);
|
||||
@ -7103,21 +7152,21 @@ key_sa_recordxfer(sav, m)
|
||||
* XXX Currently, there is a difference of bytes size
|
||||
* between inbound and outbound processing.
|
||||
*/
|
||||
sav->lft_c->sadb_lifetime_bytes += m->m_pkthdr.len;
|
||||
sav->lft_c->bytes += m->m_pkthdr.len;
|
||||
/* to check bytes lifetime is done in key_timehandler(). */
|
||||
|
||||
/*
|
||||
* We use the number of packets as the unit of
|
||||
* sadb_lifetime_allocations. We increment the variable
|
||||
* allocations. We increment the variable
|
||||
* whenever {esp,ah}_{in,out}put is called.
|
||||
*/
|
||||
sav->lft_c->sadb_lifetime_allocations++;
|
||||
sav->lft_c->allocations++;
|
||||
/* XXX check for expires? */
|
||||
|
||||
/*
|
||||
* NOTE: We record CURRENT sadb_lifetime_usetime by using wall clock,
|
||||
* NOTE: We record CURRENT usetime by using wall clock,
|
||||
* in seconds. HARD and SOFT lifetime are measured by the time
|
||||
* difference (again in seconds) from sadb_lifetime_usetime.
|
||||
* difference (again in seconds) from usetime.
|
||||
*
|
||||
* usetime
|
||||
* v expire expire
|
||||
@ -7125,7 +7174,7 @@ key_sa_recordxfer(sav, m)
|
||||
* <--------------> HARD
|
||||
* <-----> SOFT
|
||||
*/
|
||||
sav->lft_c->sadb_lifetime_usetime = time_second;
|
||||
sav->lft_c->usetime = time_second;
|
||||
/* XXX check for expires? */
|
||||
|
||||
return;
|
||||
@ -7214,3 +7263,80 @@ key_alloc_mbuf(l)
|
||||
|
||||
return m;
|
||||
}
|
||||
|
||||
/*
|
||||
* Take one of the kernel's security keys and convert it into a PF_KEY
|
||||
* structure within an mbuf, suitable for sending up to a waiting
|
||||
* application in user land.
|
||||
*
|
||||
* IN:
|
||||
* src: A pointer to a kernel security key.
|
||||
* exttype: Which type of key this is. Refer to the PF_KEY data structures.
|
||||
* OUT:
|
||||
* a valid mbuf or NULL indicating an error
|
||||
*
|
||||
*/
|
||||
|
||||
static struct mbuf *
|
||||
key_setkey(struct seckey *src, u_int16_t exttype)
|
||||
{
|
||||
struct mbuf *m;
|
||||
struct sadb_key *p;
|
||||
int len = PFKEY_ALIGN8(sizeof(struct sadb_key) + _KEYLEN(src));
|
||||
|
||||
if (src == NULL)
|
||||
return NULL;
|
||||
|
||||
m = key_alloc_mbuf(len);
|
||||
if (m == NULL)
|
||||
return NULL;
|
||||
p = mtod(m, struct sadb_key *);
|
||||
bzero(p, len);
|
||||
p->sadb_key_len = PFKEY_UNIT64(len);
|
||||
p->sadb_key_exttype = exttype;
|
||||
p->sadb_key_bits = src->bits;
|
||||
bcopy(src->key_data, _KEYBUF(p), _KEYLEN(src));
|
||||
|
||||
return m;
|
||||
}
|
||||
|
||||
/*
|
||||
* Take one of the kernel's lifetime data structures and convert it
|
||||
* into a PF_KEY structure within an mbuf, suitable for sending up to
|
||||
* a waiting application in user land.
|
||||
*
|
||||
* IN:
|
||||
* src: A pointer to a kernel lifetime structure.
|
||||
* exttype: Which type of lifetime this is. Refer to the PF_KEY
|
||||
* data structures for more information.
|
||||
* OUT:
|
||||
* a valid mbuf or NULL indicating an error
|
||||
*
|
||||
*/
|
||||
|
||||
static struct mbuf *
|
||||
key_setlifetime(struct seclifetime *src, u_int16_t exttype)
|
||||
{
|
||||
struct mbuf *m = NULL;
|
||||
struct sadb_lifetime *p;
|
||||
int len = PFKEY_ALIGN8(sizeof(struct sadb_lifetime));
|
||||
|
||||
if (src == NULL)
|
||||
return NULL;
|
||||
|
||||
m = key_alloc_mbuf(len);
|
||||
if (m == NULL)
|
||||
return m;
|
||||
p = mtod(m, struct sadb_lifetime *);
|
||||
|
||||
bzero(p, len);
|
||||
p->sadb_lifetime_len = PFKEY_UNIT64(len);
|
||||
p->sadb_lifetime_exttype = exttype;
|
||||
p->sadb_lifetime_allocations = src->allocations;
|
||||
p->sadb_lifetime_bytes = src->bytes;
|
||||
p->sadb_lifetime_addtime = src->addtime;
|
||||
p->sadb_lifetime_usetime = src->usetime;
|
||||
|
||||
return m;
|
||||
|
||||
}
|
||||
|
@ -66,8 +66,8 @@
|
||||
|
||||
#ifdef _KERNEL
|
||||
#define _ARRAYLEN(p) (sizeof(p)/sizeof(p[0]))
|
||||
#define _KEYLEN(key) ((u_int)((key)->sadb_key_bits >> 3))
|
||||
#define _KEYBITS(key) ((u_int)((key)->sadb_key_bits))
|
||||
#define _KEYLEN(key) ((u_int)((key)->bits >> 3))
|
||||
#define _KEYBITS(key) ((u_int)((key)->bits))
|
||||
#define _KEYBUF(key) ((caddr_t)((caddr_t)(key) + sizeof(struct sadb_key)))
|
||||
#endif /*_KERNEL*/
|
||||
|
||||
|
@ -60,14 +60,39 @@ struct secasindex {
|
||||
/* see IPSEC_MANUAL_REQID_MAX. */
|
||||
};
|
||||
|
||||
/*
|
||||
* In order to split out the keydb implementation from that of the
|
||||
* PF_KEY sockets we need to define a few structures that while they
|
||||
* may seem common are likely to diverge over time.
|
||||
*/
|
||||
|
||||
/* sadb_identity */
|
||||
struct secident {
|
||||
u_int16_t type;
|
||||
u_int64_t id;
|
||||
};
|
||||
|
||||
/* sadb_key */
|
||||
struct seckey {
|
||||
u_int16_t bits;
|
||||
char *key_data;
|
||||
};
|
||||
|
||||
struct seclifetime {
|
||||
u_int32_t allocations;
|
||||
u_int64_t bytes;
|
||||
u_int64_t addtime;
|
||||
u_int64_t usetime;
|
||||
};
|
||||
|
||||
/* Security Association Data Base */
|
||||
struct secashead {
|
||||
LIST_ENTRY(secashead) chain;
|
||||
|
||||
struct secasindex saidx;
|
||||
|
||||
struct sadb_ident *idents; /* source identity */
|
||||
struct sadb_ident *identd; /* destination identity */
|
||||
struct secident *idents; /* source identity */
|
||||
struct secident *identd; /* destination identity */
|
||||
/* XXX I don't know how to use them. */
|
||||
|
||||
u_int8_t state; /* MATURE or DEAD. */
|
||||
@ -97,8 +122,8 @@ struct secasvar {
|
||||
u_int32_t spi; /* SPI Value, network byte order */
|
||||
u_int32_t flags; /* holder for SADB_KEY_FLAGS */
|
||||
|
||||
struct sadb_key *key_auth; /* Key for Authentication */
|
||||
struct sadb_key *key_enc; /* Key for Encryption */
|
||||
struct seckey *key_auth; /* Key for Authentication */
|
||||
struct seckey *key_enc; /* Key for Encryption */
|
||||
caddr_t iv; /* Initilization Vector */
|
||||
u_int ivlen; /* length of IV */
|
||||
void *sched; /* intermediate encryption key */
|
||||
@ -107,9 +132,9 @@ struct secasvar {
|
||||
struct secreplay *replay; /* replay prevention */
|
||||
time_t created; /* for lifetime */
|
||||
|
||||
struct sadb_lifetime *lft_c; /* CURRENT lifetime, it's constant. */
|
||||
struct sadb_lifetime *lft_h; /* HARD lifetime */
|
||||
struct sadb_lifetime *lft_s; /* SOFT lifetime */
|
||||
struct seclifetime *lft_c; /* CURRENT lifetime, it's constant. */
|
||||
struct seclifetime *lft_h; /* HARD lifetime */
|
||||
struct seclifetime *lft_s; /* SOFT lifetime */
|
||||
|
||||
u_int32_t seq; /* sequence number */
|
||||
pid_t pid; /* message's pid */
|
||||
|
@ -201,7 +201,7 @@ ah_init0(struct secasvar *sav, struct xformsw *xsp, struct cryptoini *cria)
|
||||
bzero(cria, sizeof (*cria));
|
||||
cria->cri_alg = sav->tdb_authalgxform->type;
|
||||
cria->cri_klen = _KEYBITS(sav->key_auth);
|
||||
cria->cri_key = _KEYBUF(sav->key_auth);
|
||||
cria->cri_key = sav->key_auth->key_data;
|
||||
|
||||
return 0;
|
||||
}
|
||||
@ -231,7 +231,7 @@ ah_zeroize(struct secasvar *sav)
|
||||
int err;
|
||||
|
||||
if (sav->key_auth)
|
||||
bzero(_KEYBUF(sav->key_auth), _KEYLEN(sav->key_auth));
|
||||
bzero(sav->key_auth->key_data, _KEYLEN(sav->key_auth));
|
||||
|
||||
err = crypto_freesession(sav->tdb_cryptoid);
|
||||
sav->tdb_cryptoid = 0;
|
||||
@ -622,8 +622,8 @@ ah_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
|
||||
|
||||
/* Authentication operation. */
|
||||
crda->crd_alg = ahx->type;
|
||||
crda->crd_key = _KEYBUF(sav->key_auth);
|
||||
crda->crd_klen = _KEYBITS(sav->key_auth);
|
||||
crda->crd_key = sav->key_auth->key_data;
|
||||
|
||||
/* Find out if we've already done crypto. */
|
||||
for (mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_CRYPTO_DONE, NULL);
|
||||
@ -1020,7 +1020,7 @@ ah_output(
|
||||
|
||||
/* Authentication operation. */
|
||||
crda->crd_alg = ahx->type;
|
||||
crda->crd_key = _KEYBUF(sav->key_auth);
|
||||
crda->crd_key = sav->key_auth->key_data;
|
||||
crda->crd_klen = _KEYBITS(sav->key_auth);
|
||||
|
||||
/* Allocate IPsec-specific opaque crypto info. */
|
||||
|
@ -215,7 +215,7 @@ esp_init(struct secasvar *sav, struct xformsw *xsp)
|
||||
bzero(&crie, sizeof (crie));
|
||||
crie.cri_alg = sav->tdb_encalgxform->type;
|
||||
crie.cri_klen = _KEYBITS(sav->key_enc);
|
||||
crie.cri_key = _KEYBUF(sav->key_enc);
|
||||
crie.cri_key = sav->key_enc->key_data;
|
||||
/* XXX Rounds ? */
|
||||
|
||||
if (sav->tdb_authalgxform && sav->tdb_encalgxform) {
|
||||
@ -248,7 +248,7 @@ esp_zeroize(struct secasvar *sav)
|
||||
int error = ah_zeroize(sav);
|
||||
|
||||
if (sav->key_enc)
|
||||
bzero(_KEYBUF(sav->key_enc), _KEYLEN(sav->key_enc));
|
||||
bzero(sav->key_enc->key_data, _KEYLEN(sav->key_enc));
|
||||
if (sav->iv) {
|
||||
free(sav->iv, M_XDATA);
|
||||
sav->iv = NULL;
|
||||
@ -381,7 +381,7 @@ esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
|
||||
crda->crd_inject = m->m_pkthdr.len - alen;
|
||||
|
||||
crda->crd_alg = esph->type;
|
||||
crda->crd_key = _KEYBUF(sav->key_auth);
|
||||
crda->crd_key = sav->key_auth->key_data;
|
||||
crda->crd_klen = _KEYBITS(sav->key_auth);
|
||||
|
||||
/* Copy the authenticator */
|
||||
@ -418,7 +418,7 @@ esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
|
||||
crde->crd_inject = skip + hlen - sav->ivlen;
|
||||
|
||||
crde->crd_alg = espx->type;
|
||||
crde->crd_key = _KEYBUF(sav->key_enc);
|
||||
crde->crd_key = sav->key_enc->key_data;
|
||||
crde->crd_klen = _KEYBITS(sav->key_enc);
|
||||
/* XXX Rounds ? */
|
||||
}
|
||||
@ -825,7 +825,7 @@ esp_output(
|
||||
|
||||
/* Encryption operation. */
|
||||
crde->crd_alg = espx->type;
|
||||
crde->crd_key = _KEYBUF(sav->key_enc);
|
||||
crde->crd_key = sav->key_enc->key_data;
|
||||
crde->crd_klen = _KEYBITS(sav->key_enc);
|
||||
/* XXX Rounds ? */
|
||||
} else
|
||||
@ -864,7 +864,7 @@ esp_output(
|
||||
|
||||
/* Authentication operation. */
|
||||
crda->crd_alg = esph->type;
|
||||
crda->crd_key = _KEYBUF(sav->key_auth);
|
||||
crda->crd_key = sav->key_auth->key_data;
|
||||
crda->crd_klen = _KEYBITS(sav->key_auth);
|
||||
}
|
||||
|
||||
|
@ -117,7 +117,7 @@ tcpsignature_zeroize(struct secasvar *sav)
|
||||
{
|
||||
|
||||
if (sav->key_auth)
|
||||
bzero(_KEYBUF(sav->key_auth), _KEYLEN(sav->key_auth));
|
||||
bzero(sav->key_auth->key_data, _KEYLEN(sav->key_auth));
|
||||
|
||||
sav->tdb_cryptoid = 0;
|
||||
sav->tdb_authalgxform = NULL;
|
||||
|
Loading…
x
Reference in New Issue
Block a user