netipsec/key.c
Show First 20 Lines • Show All 2,934 Lines • ▼ Show 20 Lines | if (sav->key_enc != NULL) { | ||||
sav->key_enc = NULL; | sav->key_enc = NULL; | ||||
} | } | ||||
if (sav->sched) { | if (sav->sched) { | ||||
bzero(sav->sched, sav->schedlen); | bzero(sav->sched, sav->schedlen); | ||||
free(sav->sched, M_IPSEC_MISC); | free(sav->sched, M_IPSEC_MISC); | ||||
sav->sched = NULL; | sav->sched = NULL; | ||||
} | } | ||||
if (sav->replay != NULL) { | if (sav->replay != NULL) { | ||||
if (sav->replay->bitmap != NULL) | |||||
free(sav->replay->bitmap, M_IPSEC_MISC); | |||||
free(sav->replay, M_IPSEC_MISC); | free(sav->replay, M_IPSEC_MISC); | ||||
sav->replay = NULL; | sav->replay = NULL; | ||||
} | } | ||||
if (sav->lft_c != NULL) { | if (sav->lft_c != NULL) { | ||||
free(sav->lft_c, M_IPSEC_MISC); | free(sav->lft_c, M_IPSEC_MISC); | ||||
sav->lft_c = NULL; | sav->lft_c = NULL; | ||||
} | } | ||||
if (sav->lft_h != NULL) { | if (sav->lft_h != NULL) { | ||||
▲ Show 20 Lines • Show All 165 Lines • ▼ Show 20 Lines | if (mhp->ext[SADB_EXT_SA] != NULL) { | ||||
} | } | ||||
sav->alg_auth = sa0->sadb_sa_auth; | sav->alg_auth = sa0->sadb_sa_auth; | ||||
sav->alg_enc = sa0->sadb_sa_encrypt; | sav->alg_enc = sa0->sadb_sa_encrypt; | ||||
sav->flags = sa0->sadb_sa_flags; | sav->flags = sa0->sadb_sa_flags; | ||||
/* replay window */ | /* replay window */ | ||||
if ((sa0->sadb_sa_flags & SADB_X_EXT_OLD) == 0) { | if ((sa0->sadb_sa_flags & SADB_X_EXT_OLD) == 0) { | ||||
sav->replay = (struct secreplay *) | sav->replay = (struct secreplay *) | ||||
malloc(sizeof(struct secreplay)+sa0->sadb_sa_replay, M_IPSEC_MISC, M_NOWAIT|M_ZERO); | malloc(sizeof(struct secreplay), M_IPSEC_MISC, M_NOWAIT|M_ZERO); | ||||
if (sav->replay == NULL) { | if (sav->replay == NULL) { | ||||
ipseclog((LOG_DEBUG, "%s: No more memory.\n", | ipseclog((LOG_DEBUG, "%s: No more memory.\n", | ||||
__func__)); | __func__)); | ||||
error = ENOBUFS; | error = ENOBUFS; | ||||
goto fail; | goto fail; | ||||
} | } | ||||
if (sa0->sadb_sa_replay != 0) | |||||
sav->replay->bitmap = (caddr_t)(sav->replay+1); | if (sa0->sadb_sa_replay != 0) { | ||||
u_int32_t bitmap_size; /* number of 32b blocks to be allocated */ | |||||
if (sa0->sadb_sa_replay > IPSEC_MAX_REPLAY_WSIZE) { | |||||
error = EINVAL; | |||||
goto fail; | |||||
} | |||||
/* RFC 6479: | |||||
* - the allocated replay window size must be a power of two | |||||
* - use an extra 32b block as a redundant window | |||||
*/ | |||||
bitmap_size = 1; | |||||
while (sa0->sadb_sa_replay + 4 > bitmap_size) | |||||
bitmap_size <<= 1; | |||||
bitmap_size = bitmap_size/4; | |||||
sav->replay->bitmap = malloc(bitmap_size*sizeof(u_int32_t), M_IPSEC_MISC, M_NOWAIT|M_ZERO); | |||||
if (sav->replay->bitmap == NULL) { | |||||
ipseclog((LOG_DEBUG, "%s: No more memory.\n", | |||||
__func__)); | |||||
error = ENOBUFS; | |||||
goto fail; | |||||
} | |||||
sav->replay->bitmap_size = bitmap_size; | |||||
} | |||||
sav->replay->wsize = sa0->sadb_sa_replay; | sav->replay->wsize = sa0->sadb_sa_replay; | ||||
} | } | ||||
} | } | ||||
/* Authentication keys */ | /* Authentication keys */ | ||||
if (mhp->ext[SADB_EXT_KEY_AUTH] != NULL) { | if (mhp->ext[SADB_EXT_KEY_AUTH] != NULL) { | ||||
const struct sadb_key *key0; | const struct sadb_key *key0; | ||||
int len; | int len; | ||||
* subroutine for SADB_GET and SADB_DUMP. | * subroutine for SADB_GET and SADB_DUMP. | ||||
*/ | */ | ||||
static struct mbuf * | static struct mbuf * | ||||
key_setdumpsa(struct secasvar *sav, u_int8_t type, u_int8_t satype, | key_setdumpsa(struct secasvar *sav, u_int8_t type, u_int8_t satype, | ||||
u_int32_t seq, u_int32_t pid) | u_int32_t seq, u_int32_t pid) | ||||
{ | { | ||||
struct mbuf *result = NULL, *tres = NULL, *m; | struct mbuf *result = NULL, *tres = NULL, *m; | ||||
int i; | int i; | ||||
u_int32_t replay_count; | |||||
int dumporder[] = { | int dumporder[] = { | ||||
SADB_EXT_SA, SADB_X_EXT_SA2, | SADB_EXT_SA, SADB_X_EXT_SA2, | ||||
SADB_EXT_LIFETIME_HARD, SADB_EXT_LIFETIME_SOFT, | SADB_EXT_LIFETIME_HARD, SADB_EXT_LIFETIME_SOFT, | ||||
SADB_EXT_LIFETIME_CURRENT, SADB_EXT_ADDRESS_SRC, | SADB_EXT_LIFETIME_CURRENT, SADB_EXT_ADDRESS_SRC, | ||||
SADB_EXT_ADDRESS_DST, SADB_EXT_ADDRESS_PROXY, SADB_EXT_KEY_AUTH, | SADB_EXT_ADDRESS_DST, SADB_EXT_ADDRESS_PROXY, SADB_EXT_KEY_AUTH, | ||||
SADB_EXT_KEY_ENCRYPT, SADB_EXT_IDENTITY_SRC, | SADB_EXT_KEY_ENCRYPT, SADB_EXT_IDENTITY_SRC, | ||||
SADB_EXT_IDENTITY_DST, SADB_EXT_SENSITIVITY, | SADB_EXT_IDENTITY_DST, SADB_EXT_SENSITIVITY, | ||||
#ifdef IPSEC_NAT_T | #ifdef IPSEC_NAT_T | ||||
Show All 14 Lines | for (i = nitems(dumporder) - 1; i >= 0; i--) { | ||||
switch (dumporder[i]) { | switch (dumporder[i]) { | ||||
case SADB_EXT_SA: | case SADB_EXT_SA: | ||||
m = key_setsadbsa(sav); | m = key_setsadbsa(sav); | ||||
if (!m) | if (!m) | ||||
goto fail; | goto fail; | ||||
break; | break; | ||||
case SADB_X_EXT_SA2: | case SADB_X_EXT_SA2: | ||||
m = key_setsadbxsa2(sav->sah->saidx.mode, | SECASVAR_LOCK(sav); | ||||
sav->replay ? sav->replay->count : 0, | replay_count = sav->replay ? sav->replay->count : 0; | ||||
SECASVAR_UNLOCK(sav); | |||||
m = key_setsadbxsa2(sav->sah->saidx.mode, replay_count, | |||||
sav->sah->saidx.reqid); | sav->sah->saidx.reqid); | ||||
if (!m) | if (!m) | ||||
goto fail; | goto fail; | ||||
break; | break; | ||||
case SADB_EXT_ADDRESS_SRC: | case SADB_EXT_ADDRESS_SRC: | ||||
m = key_setsadbaddr(SADB_EXT_ADDRESS_SRC, | m = key_setsadbaddr(SADB_EXT_ADDRESS_SRC, | ||||
&sav->sah->saidx.src.sa, | &sav->sah->saidx.src.sa, | ||||
▲ Show 20 Lines • Show All 181 Lines • ▼ Show 20 Lines | if (m == NULL) | ||||
return (NULL); | return (NULL); | ||||
m_align(m, len); | m_align(m, len); | ||||
m->m_len = len; | m->m_len = len; | ||||
p = mtod(m, struct sadb_sa *); | p = mtod(m, struct sadb_sa *); | ||||
bzero(p, len); | bzero(p, len); | ||||
p->sadb_sa_len = PFKEY_UNIT64(len); | p->sadb_sa_len = PFKEY_UNIT64(len); | ||||
p->sadb_sa_exttype = SADB_EXT_SA; | p->sadb_sa_exttype = SADB_EXT_SA; | ||||
p->sadb_sa_spi = sav->spi; | p->sadb_sa_spi = sav->spi; | ||||
SECASVAR_LOCK(sav); | |||||
p->sadb_sa_replay = (sav->replay != NULL ? sav->replay->wsize : 0); | p->sadb_sa_replay = (sav->replay != NULL ? sav->replay->wsize : 0); | ||||
SECASVAR_UNLOCK(sav); | |||||
p->sadb_sa_state = sav->state; | p->sadb_sa_state = sav->state; | ||||
p->sadb_sa_auth = sav->alg_auth; | p->sadb_sa_auth = sav->alg_auth; | ||||
p->sadb_sa_encrypt = sav->alg_enc; | p->sadb_sa_encrypt = sav->alg_enc; | ||||
p->sadb_sa_flags = sav->flags; | p->sadb_sa_flags = sav->flags; | ||||
return m; | return m; | ||||
} | } | ||||
static int | static int | ||||
key_expire(struct secasvar *sav, int hard) | key_expire(struct secasvar *sav, int hard) | ||||
{ | { | ||||
int satype; | int satype; | ||||
struct mbuf *result = NULL, *m; | struct mbuf *result = NULL, *m; | ||||
int len; | int len; | ||||
int error = -1; | int error = -1; | ||||
struct sadb_lifetime *lt; | struct sadb_lifetime *lt; | ||||
u_int32_t replay_count; | |||||
IPSEC_ASSERT (sav != NULL, ("null sav")); | IPSEC_ASSERT (sav != NULL, ("null sav")); | ||||
IPSEC_ASSERT (sav->sah != NULL, ("null sa header")); | IPSEC_ASSERT (sav->sah != NULL, ("null sa header")); | ||||
/* set msg header */ | /* set msg header */ | ||||
satype = key_proto2satype(sav->sah->saidx.proto); | satype = key_proto2satype(sav->sah->saidx.proto); | ||||
IPSEC_ASSERT(satype != 0, ("invalid proto, satype %u", satype)); | IPSEC_ASSERT(satype != 0, ("invalid proto, satype %u", satype)); | ||||
m = key_setsadbmsg(SADB_EXPIRE, 0, satype, sav->seq, 0, sav->refcnt); | m = key_setsadbmsg(SADB_EXPIRE, 0, satype, sav->seq, 0, sav->refcnt); | ||||
if (!m) { | if (!m) { | ||||
error = ENOBUFS; | error = ENOBUFS; | ||||
goto fail; | goto fail; | ||||
} | } | ||||
result = m; | result = m; | ||||
/* create SA extension */ | /* create SA extension */ | ||||
m = key_setsadbsa(sav); | m = key_setsadbsa(sav); | ||||
if (!m) { | if (!m) { | ||||
error = ENOBUFS; | error = ENOBUFS; | ||||
goto fail; | goto fail; | ||||
} | } | ||||
m_cat(result, m); | m_cat(result, m); | ||||
/* create SA extension */ | /* create SA extension */ | ||||
m = key_setsadbxsa2(sav->sah->saidx.mode, | SECASVAR_LOCK(sav); | ||||
sav->replay ? sav->replay->count : 0, | replay_count = sav->replay ? sav->replay->count : 0; | ||||
SECASVAR_UNLOCK(sav); | |||||
m = key_setsadbxsa2(sav->sah->saidx.mode, replay_count, | |||||
sav->sah->saidx.reqid); | sav->sah->saidx.reqid); | ||||
if (!m) { | if (!m) { | ||||
error = ENOBUFS; | error = ENOBUFS; | ||||
goto fail; | goto fail; | ||||
} | } | ||||
m_cat(result, m); | m_cat(result, m); | ||||
/* create lifetime extension (current and soft) */ | /* create lifetime extension (current and soft) */ | ||||
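Review bot: In the RFC 6479 sizing of the second hunk (the `bitmap_size` loop just before the bitmap malloc), `bitmap_size` is declared as "number of 32b blocks" but the `while` loop grows it as a byte count (`sadb_sa_replay + 4`, the +4 being the extra 32b block named in the comment) and only the final `/4` turns it into 32-bit words, so the power-of-two invariant the RFC needs on the word count holds only because the byte count never drops below 8; that reasoning is not written down. I would replace the comment above the loop with `/* RFC 6479: round wsize + one redundant 32b block up to a power of two bytes; the byte count is >= 8, so bitmap_size = bytes/4 is itself a power of two >= 2 */`, or give the byte count its own temporary so each variable carries one unit. The new EINVAL check against IPSEC_MAX_REPLAY_WSIZE runs only inside the `sadb_sa_replay != 0` branch and after the `secreplay` allocation, which is fine provided the `fail` label releases `sav->replay`; that label and the rest of the enclosing function lie outside the hunk, so it could not be confirmed here. The reader of `wsize` and `bitmap_size` in the replay check is likewise not in this changeset, so the relation between the PF_KEY window field and the allocated word count is worth a one-line comment at the `sav->replay->bitmap_size = bitmap_size;` assignment.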