diff options
author | Jason Wright <jason@cvs.openbsd.org> | 2003-02-16 19:54:21 +0000 |
---|---|---|
committer | Jason Wright <jason@cvs.openbsd.org> | 2003-02-16 19:54:21 +0000 |
commit | ca464888ff0bb2738c5ff4f1e6025280e0ea6d19 (patch) | |
tree | feadcb09f522c8597ede02d3a50521e9ef3a1ca3 /sys | |
parent | 0ee786dc6bdc3a051e9700a9437bca89821fc1a2 (diff) |
KNF
Diffstat (limited to 'sys')
-rw-r--r-- | sys/net/pfkey.c | 359 | ||||
-rw-r--r-- | sys/net/pfkeyv2.c | 3035 | ||||
-rw-r--r-- | sys/net/pfkeyv2.h | 209 | ||||
-rw-r--r-- | sys/net/pfkeyv2_parsemessage.c | 400 |
4 files changed, 1944 insertions, 2059 deletions
diff --git a/sys/net/pfkey.c b/sys/net/pfkey.c index 1d3d09b3054..628c0028b67 100644 --- a/sys/net/pfkey.c +++ b/sys/net/pfkey.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pfkey.c,v 1.12 2002/12/11 21:48:40 fgsch Exp $ */ +/* $OpenBSD: pfkey.c,v 1.13 2003/02/16 19:54:20 jason Exp $ */ /* * @(#)COPYRIGHT 1.1 (NRL) 17 January 1995 @@ -83,7 +83,8 @@ #include <net/raw_cb.h> #define PFKEY_PROTOCOL_MAX 3 -static struct pfkey_version *pfkey_versions[PFKEY_PROTOCOL_MAX+1] = { NULL, NULL, NULL, NULL }; +static struct pfkey_version *pfkey_versions[PFKEY_PROTOCOL_MAX+1] = + { NULL, NULL, NULL, NULL }; #define PFKEY_MSG_MAXSZ 4096 @@ -91,262 +92,268 @@ struct sockaddr pfkey_addr = { 2, PF_KEY, }; /* static struct domain pfkey_domain; */ static int pfkey_usrreq(struct socket *socket, int req, struct mbuf *mbuf, - struct mbuf *nam, struct mbuf *control); + struct mbuf *nam, struct mbuf *control); static int pfkey_output(struct mbuf *mbuf, struct socket *socket); int pfkey_register(struct pfkey_version *version); int pfkey_unregister(struct pfkey_version *version); int pfkey_sendup(struct socket *socket, struct mbuf *packet, int more); void pfkey_init(void); -static int pfkey_buildprotosw(void); +int pfkey_buildprotosw(void); int pfkey_register(struct pfkey_version *version) { - int rval; + int rval; - if ((version->protocol > PFKEY_PROTOCOL_MAX) || (version->protocol < 0)) - return EPROTONOSUPPORT; + if ((version->protocol > PFKEY_PROTOCOL_MAX) || + (version->protocol < 0)) + return (EPROTONOSUPPORT); - if (pfkey_versions[version->protocol]) - return EADDRINUSE; + if (pfkey_versions[version->protocol]) + return (EADDRINUSE); - pfkey_versions[version->protocol] = version; + pfkey_versions[version->protocol] = version; - if ((rval = pfkey_buildprotosw()) != 0) { - pfkey_versions[version->protocol] = NULL; - return rval; - } + if ((rval = pfkey_buildprotosw()) != 0) { + pfkey_versions[version->protocol] = NULL; + return (rval); + } - return 0; + return (0); } int pfkey_unregister(struct pfkey_version *version) { - int rval; + int rval; - if ((rval = pfkey_buildprotosw()) != 0) - return rval; + if ((rval = pfkey_buildprotosw()) != 0) + return (rval); - pfkey_versions[version->protocol] = NULL; - return 0; + pfkey_versions[version->protocol] = NULL; + return (0); } int pfkey_sendup(struct socket *socket, struct mbuf *packet, int more) { - struct mbuf *packet2; - int s; - - if (more) { - if (!(packet2 = m_copym2(packet, 0, M_COPYALL, M_DONTWAIT))) - return ENOMEM; - } else - packet2 = packet; - - s = spltdb(); - if (!sbappendaddr(&socket->so_rcv, &pfkey_addr, packet2, NULL)) { - m_freem(packet2); - splx(s); - return ENOBUFS; - } - splx(s); - - sorwakeup(socket); - return 0; + struct mbuf *packet2; + int s; + + if (more) { + if (!(packet2 = m_copym2(packet, 0, M_COPYALL, M_DONTWAIT))) + return (ENOMEM); + } else + packet2 = packet; + + s = spltdb(); + if (!sbappendaddr(&socket->so_rcv, &pfkey_addr, packet2, NULL)) { + m_freem(packet2); + splx(s); + return (ENOBUFS); + } + splx(s); + + sorwakeup(socket); + return (0); } static int pfkey_output(struct mbuf *mbuf, struct socket *socket) { - void *message; - int error = 0; + void *message; + int error = 0; #if DIAGNOSTIC - if (!mbuf || !(mbuf->m_flags & M_PKTHDR)) { - error = EINVAL; - goto ret; - } + if (!mbuf || !(mbuf->m_flags & M_PKTHDR)) { + error = EINVAL; + goto ret; + } #endif /* DIAGNOSTIC */ - if (mbuf->m_pkthdr.len > PFKEY_MSG_MAXSZ) { - error = EMSGSIZE; - goto ret; - } + if (mbuf->m_pkthdr.len > PFKEY_MSG_MAXSZ) { + error = EMSGSIZE; + goto ret; + } - if (!(message = malloc((unsigned long) mbuf->m_pkthdr.len, M_PFKEY, - M_DONTWAIT))) { - error = ENOMEM; - goto ret; - } + if (!(message = malloc((unsigned long) mbuf->m_pkthdr.len, + M_PFKEY, M_DONTWAIT))) { + error = ENOMEM; + goto ret; + } - m_copydata(mbuf, 0, mbuf->m_pkthdr.len, message); + m_copydata(mbuf, 0, mbuf->m_pkthdr.len, message); - error = - pfkey_versions[socket->so_proto->pr_protocol]->send(socket, message, - mbuf->m_pkthdr.len); + error = pfkey_versions[socket->so_proto->pr_protocol]->send(socket, + message, mbuf->m_pkthdr.len); - ret: - if (mbuf) - m_freem (mbuf); - return error; +ret: + if (mbuf) + m_freem (mbuf); + return (error); } static int pfkey_attach(struct socket *socket, struct mbuf *proto) { - int rval; - int s; + int rval; + int s; - if (!(socket->so_pcb = malloc(sizeof(struct rawcb), M_PCB, M_DONTWAIT))) - return ENOMEM; - bzero(socket->so_pcb, sizeof(struct rawcb)); + if (!(socket->so_pcb = malloc(sizeof(struct rawcb), + M_PCB, M_DONTWAIT))) + return (ENOMEM); + bzero(socket->so_pcb, sizeof(struct rawcb)); - s = splnet(); - rval = raw_usrreq(socket, PRU_ATTACH, NULL, proto, NULL); - splx(s); - if (rval) - goto ret; + s = splnet(); + rval = raw_usrreq(socket, PRU_ATTACH, NULL, proto, NULL); + splx(s); + if (rval) + goto ret; - ((struct rawcb *)socket->so_pcb)->rcb_faddr = &pfkey_addr; - soisconnected(socket); + ((struct rawcb *)socket->so_pcb)->rcb_faddr = &pfkey_addr; + soisconnected(socket); - socket->so_options |= SO_USELOOPBACK; - if ((rval = pfkey_versions[socket->so_proto->pr_protocol]->create(socket)) - != 0) - goto ret; + socket->so_options |= SO_USELOOPBACK; + if ((rval = + pfkey_versions[socket->so_proto->pr_protocol]->create(socket)) != 0) + goto ret; - return 0; + return (0); ret: - free(socket->so_pcb, M_PCB); - return rval; + free(socket->so_pcb, M_PCB); + return (rval); } static int pfkey_detach(struct socket *socket) { - int rval, i, s; + int rval, i, s; - rval = pfkey_versions[socket->so_proto->pr_protocol]->release(socket); - s = splnet(); - i = raw_usrreq(socket, PRU_DETACH, NULL, NULL, NULL); - splx(s); + rval = pfkey_versions[socket->so_proto->pr_protocol]->release(socket); + s = splnet(); + i = raw_usrreq(socket, PRU_DETACH, NULL, NULL, NULL); + splx(s); - if (!rval) - rval = i; + if (!rval) + rval = i; - return rval; + return (rval); } static int pfkey_usrreq(struct socket *socket, int req, struct mbuf *mbuf, - struct mbuf *nam, struct mbuf *control) + struct mbuf *nam, struct mbuf *control) { - int rval; - int s; + int rval; + int s; - if ((socket->so_proto->pr_protocol > PFKEY_PROTOCOL_MAX) || - (socket->so_proto->pr_protocol < 0) || - !pfkey_versions[socket->so_proto->pr_protocol]) - return EPROTONOSUPPORT; + if ((socket->so_proto->pr_protocol > PFKEY_PROTOCOL_MAX) || + (socket->so_proto->pr_protocol < 0) || + !pfkey_versions[socket->so_proto->pr_protocol]) + return (EPROTONOSUPPORT); - switch(req) { - case PRU_ATTACH: - return pfkey_attach(socket, nam); + switch(req) { + case PRU_ATTACH: + return (pfkey_attach(socket, nam)); - case PRU_DETACH: - return pfkey_detach(socket); + case PRU_DETACH: + return (pfkey_detach(socket)); - default: - s = splnet(); - rval = raw_usrreq(socket, req, mbuf, nam, control); - splx(s); - } + default: + s = splnet(); + rval = raw_usrreq(socket, req, mbuf, nam, control); + splx(s); + } - return rval; + return (rval); } static struct domain pfkey_domain = { - PF_KEY, - "PF_KEY", - NULL, /* init */ - NULL, /* externalize */ - NULL, /* dispose */ - NULL, /* protosw */ - NULL, /* protoswNPROTOSW */ - NULL, /* dom_next */ - rn_inithead, /* dom_rtattach */ - 16, /* rtoffset */ - sizeof(struct sockaddr_encap) /* maxrtkey */ + PF_KEY, + "PF_KEY", + NULL, /* init */ + NULL, /* externalize */ + NULL, /* dispose */ + NULL, /* protosw */ + NULL, /* protoswNPROTOSW */ + NULL, /* dom_next */ + rn_inithead, /* dom_rtattach */ + 16, /* rtoffset */ + sizeof(struct sockaddr_encap) /* maxrtkey */ }; static struct protosw pfkey_protosw_template = { - SOCK_RAW, - &pfkey_domain, - -1, /* protocol */ - PR_ATOMIC | PR_ADDR, - (void *) raw_input, - (void *) pfkey_output, - (void *) raw_ctlinput, - NULL, /* ctloutput */ - pfkey_usrreq, - NULL, /* init */ - NULL, /* fasttimo */ - NULL, /* slowtimo */ - NULL, /* drain */ - NULL /* sysctl */ + SOCK_RAW, + &pfkey_domain, + -1, /* protocol */ + PR_ATOMIC | PR_ADDR, + (void *) raw_input, + (void *) pfkey_output, + (void *) raw_ctlinput, + NULL, /* ctloutput */ + pfkey_usrreq, + NULL, /* init */ + NULL, /* fasttimo */ + NULL, /* slowtimo */ + NULL, /* drain */ + NULL /* sysctl */ }; -static int +int pfkey_buildprotosw(void) { - struct protosw *protosw, *p; - int i, j; - - for (i = j = 0; i <= PFKEY_PROTOCOL_MAX; i++) - if (pfkey_versions[i]) - j++; - - if (j) { - if (!(protosw = malloc(j * sizeof(struct protosw), M_PFKEY, M_DONTWAIT))) - return ENOMEM; - - for (i = 0, p = protosw; i <= PFKEY_PROTOCOL_MAX; i++) - if (pfkey_versions[i]) { - bcopy(&pfkey_protosw_template, p, sizeof(struct protosw)); - p->pr_protocol = pfkey_versions[i]->protocol; - p++; - } - - if (pfkey_domain.dom_protosw) - free(pfkey_domain.dom_protosw, M_PFKEY); - - pfkey_domain.dom_protosw = protosw; - pfkey_domain.dom_protoswNPROTOSW = p; - } else { - if (!(protosw = malloc(sizeof(struct protosw), M_PFKEY, M_DONTWAIT))) - return ENOMEM; - - bcopy(&pfkey_protosw_template, protosw, sizeof(struct protosw)); - - if (pfkey_domain.dom_protosw) - free(pfkey_domain.dom_protosw, M_PFKEY); - - pfkey_domain.dom_protosw = protosw; - pfkey_domain.dom_protoswNPROTOSW = protosw; - } - - return 0; + struct protosw *protosw, *p; + int i, j; + + for (i = j = 0; i <= PFKEY_PROTOCOL_MAX; i++) + if (pfkey_versions[i]) + j++; + + if (j) { + if (!(protosw = malloc(j * sizeof(struct protosw), + M_PFKEY, M_DONTWAIT))) + return (ENOMEM); + + for (i = 0, p = protosw; i <= PFKEY_PROTOCOL_MAX; i++) + if (pfkey_versions[i]) { + bcopy(&pfkey_protosw_template, p, + sizeof(struct protosw)); + p->pr_protocol = pfkey_versions[i]->protocol; + p++; + } + + if (pfkey_domain.dom_protosw) + free(pfkey_domain.dom_protosw, M_PFKEY); + + pfkey_domain.dom_protosw = protosw; + pfkey_domain.dom_protoswNPROTOSW = p; + } else { + if (!(protosw = malloc(sizeof(struct protosw), M_PFKEY, + M_DONTWAIT))) + return (ENOMEM); + + bcopy(&pfkey_protosw_template, protosw, + sizeof(struct protosw)); + + if (pfkey_domain.dom_protosw) + free(pfkey_domain.dom_protosw, M_PFKEY); + + pfkey_domain.dom_protosw = protosw; + pfkey_domain.dom_protoswNPROTOSW = protosw; + } + + return (0); } -void pfkey_init(void) +void +pfkey_init(void) { - if (pfkey_buildprotosw() != 0) - return; + if (pfkey_buildprotosw() != 0) + return; - pfkey_domain.dom_next = domains; - domains = &pfkey_domain; - pfkeyv2_init(); + pfkey_domain.dom_next = domains; + domains = &pfkey_domain; + pfkeyv2_init(); } diff --git a/sys/net/pfkeyv2.c b/sys/net/pfkeyv2.c index 02ce61ecfa3..b8bc47c8d0f 100644 --- a/sys/net/pfkeyv2.c +++ b/sys/net/pfkeyv2.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pfkeyv2.c,v 1.85 2003/02/15 22:57:58 jason Exp $ */ +/* $OpenBSD: pfkeyv2.c,v 1.86 2003/02/16 19:54:20 jason Exp $ */ /* * @(#)COPYRIGHT 1.1 (NRL) 17 January 1995 @@ -93,27 +93,24 @@ static uint32_t pfkeyv2_seq = 1; static int nregistered = 0; static int npromisc = 0; -static struct sadb_alg ealgs[] = -{ - { SADB_EALG_DESCBC, 64, 64, 64 }, - { SADB_EALG_3DESCBC, 64, 192, 192 }, - { SADB_X_EALG_BLF, 64, 40, BLF_MAXKEYLEN * 8}, - { SADB_X_EALG_CAST, 64, 40, 128}, - { SADB_X_EALG_SKIPJACK, 64, 80, 80}, - { SADB_X_EALG_AES, 128, 64, 256}, +static const struct sadb_alg ealgs[] = { + { SADB_EALG_DESCBC, 64, 64, 64 }, + { SADB_EALG_3DESCBC, 64, 192, 192 }, + { SADB_X_EALG_BLF, 64, 40, BLF_MAXKEYLEN * 8}, + { SADB_X_EALG_CAST, 64, 40, 128}, + { SADB_X_EALG_SKIPJACK, 64, 80, 80}, + { SADB_X_EALG_AES, 128, 64, 256}, }; -static struct sadb_alg aalgs[] = -{ - { SADB_AALG_SHA1HMAC, 0, 160, 160 }, - { SADB_AALG_MD5HMAC, 0, 128, 128 }, - { SADB_AALG_RIPEMD160HMAC, 0, 160, 160 } +static const struct sadb_alg aalgs[] = { + { SADB_AALG_SHA1HMAC, 0, 160, 160 }, + { SADB_AALG_MD5HMAC, 0, 128, 128 }, + { SADB_AALG_RIPEMD160HMAC, 0, 160, 160 } }; -static struct sadb_alg calgs[] = -{ - { SADB_X_CALG_DEFLATE, 0, 0, 0}, - { SADB_X_CALG_LZS, 0, 0, 0}, +static const struct sadb_alg calgs[] = { + { SADB_X_CALG_DEFLATE, 0, 0, 0}, + { SADB_X_CALG_LZS, 0, 0, 0}, }; extern uint32_t sadb_exts_allowed_out[SADB_MAX+1]; @@ -126,34 +123,31 @@ extern struct pool ipsec_policy_pool; * chain. */ int -pfdatatopacket(void *data, int len, struct mbuf **packet) -{ - if (!(*packet = m_devget(data, len, 0, NULL, NULL))) - return ENOMEM; - - return 0; +pfdatatopacket(void *data, int len, struct mbuf **packet) { + if (!(*packet = m_devget(data, len, 0, NULL, NULL))) + return (ENOMEM); + return (0); } /* * Create a new PF_KEYv2 socket. */ int -pfkeyv2_create(struct socket *socket) -{ - struct pfkeyv2_socket *pfkeyv2_socket; +pfkeyv2_create(struct socket *socket) { + struct pfkeyv2_socket *pfkeyv2_socket; - if (!(pfkeyv2_socket = malloc(sizeof(struct pfkeyv2_socket), M_PFKEY, - M_DONTWAIT))) - return ENOMEM; + if (!(pfkeyv2_socket = malloc(sizeof(struct pfkeyv2_socket), + M_PFKEY, M_DONTWAIT))) + return (ENOMEM); - bzero(pfkeyv2_socket, sizeof(struct pfkeyv2_socket)); - pfkeyv2_socket->next = pfkeyv2_sockets; - pfkeyv2_socket->socket = socket; - pfkeyv2_socket->pid = curproc->p_pid; + bzero(pfkeyv2_socket, sizeof(struct pfkeyv2_socket)); + pfkeyv2_socket->next = pfkeyv2_sockets; + pfkeyv2_socket->socket = socket; + pfkeyv2_socket->pid = curproc->p_pid; - pfkeyv2_sockets = pfkeyv2_socket; + pfkeyv2_sockets = pfkeyv2_socket; - return 0; + return (0); } /* @@ -162,30 +156,28 @@ pfkeyv2_create(struct socket *socket) int pfkeyv2_release(struct socket *socket) { - struct pfkeyv2_socket **pp; + struct pfkeyv2_socket **pp; - for (pp = &pfkeyv2_sockets; - *pp && ((*pp)->socket != socket); - pp = &((*pp)->next)) - ; + for (pp = &pfkeyv2_sockets; *pp && ((*pp)->socket != socket); + pp = &((*pp)->next)) + /*EMPTY*/; - if (*pp) - { - struct pfkeyv2_socket *pfkeyv2_socket; + if (*pp) { + struct pfkeyv2_socket *pfkeyv2_socket; - pfkeyv2_socket = *pp; - *pp = (*pp)->next; + pfkeyv2_socket = *pp; + *pp = (*pp)->next; - if (pfkeyv2_socket->flags & PFKEYV2_SOCKETFLAGS_REGISTERED) - nregistered--; + if (pfkeyv2_socket->flags & PFKEYV2_SOCKETFLAGS_REGISTERED) + nregistered--; - if (pfkeyv2_socket->flags & PFKEYV2_SOCKETFLAGS_PROMISC) - npromisc--; + if (pfkeyv2_socket->flags & PFKEYV2_SOCKETFLAGS_PROMISC) + npromisc--; - free(pfkeyv2_socket, M_PFKEY); - } + free(pfkeyv2_socket, M_PFKEY); + } - return 0; + return (0); } /* @@ -195,49 +187,48 @@ pfkeyv2_release(struct socket *socket) */ int pfkeyv2_sendmessage(void **headers, int mode, struct socket *socket, - u_int8_t satype, int count) + u_int8_t satype, int count) { - int i, j, rval; - void *p, *buffer = NULL; - struct mbuf *packet; - struct pfkeyv2_socket *s; - struct sadb_msg *smsg; - - /* Find out how much space we'll need... */ - j = sizeof(struct sadb_msg); - - for (i = 1; i <= SADB_EXT_MAX; i++) - if (headers[i]) - j += ((struct sadb_ext *)headers[i])->sadb_ext_len * sizeof(uint64_t); - - /* ...and allocate it */ - if (!(buffer = malloc(j + sizeof(struct sadb_msg), M_PFKEY, M_DONTWAIT))) - { - rval = ENOMEM; - goto ret; - } + int i, j, rval; + void *p, *buffer = NULL; + struct mbuf *packet; + struct pfkeyv2_socket *s; + struct sadb_msg *smsg; + + /* Find out how much space we'll need... */ + j = sizeof(struct sadb_msg); + + for (i = 1; i <= SADB_EXT_MAX; i++) + if (headers[i]) + j += ((struct sadb_ext *)headers[i])->sadb_ext_len * + sizeof(uint64_t); + + /* ...and allocate it */ + if (!(buffer = malloc(j + sizeof(struct sadb_msg), M_PFKEY, + M_DONTWAIT))) { + rval = ENOMEM; + goto ret; + } + + p = buffer + sizeof(struct sadb_msg); + bcopy(headers[0], p, sizeof(struct sadb_msg)); + ((struct sadb_msg *) p)->sadb_msg_len = j / sizeof(uint64_t); + p += sizeof(struct sadb_msg); + + /* Copy payloads in the packet */ + for (i = 1; i <= SADB_EXT_MAX; i++) + if (headers[i]) { + ((struct sadb_ext *) headers[i])->sadb_ext_type = i; + bcopy(headers[i], p, EXTLEN(headers[i])); + p += EXTLEN(headers[i]); + } - p = buffer + sizeof(struct sadb_msg); - bcopy(headers[0], p, sizeof(struct sadb_msg)); - ((struct sadb_msg *) p)->sadb_msg_len = j / sizeof(uint64_t); - p += sizeof(struct sadb_msg); - - /* Copy payloads in the packet */ - for (i = 1; i <= SADB_EXT_MAX; i++) - if (headers[i]) - { - ((struct sadb_ext *) headers[i])->sadb_ext_type = i; - bcopy(headers[i], p, EXTLEN(headers[i])); - p += EXTLEN(headers[i]); - } - - if ((rval = pfdatatopacket(buffer + sizeof(struct sadb_msg), - j, &packet)) != 0) - goto ret; - - switch(mode) - { - case PFKEYV2_SENDMESSAGE_UNICAST: + if ((rval = pfdatatopacket(buffer + sizeof(struct sadb_msg), + j, &packet)) != 0) + goto ret; + + switch(mode) { + case PFKEYV2_SENDMESSAGE_UNICAST: /* * Send message to the specified socket, plus all * promiscuous listeners. @@ -253,45 +244,43 @@ pfkeyv2_sendmessage(void **headers, int mode, struct socket *socket, smsg->sadb_msg_version = PF_KEY_V2; smsg->sadb_msg_type = SADB_X_PROMISC; smsg->sadb_msg_len = (sizeof(struct sadb_msg) + j) / - sizeof(uint64_t); + sizeof(uint64_t); smsg->sadb_msg_seq = 0; /* Copy to mbuf chain */ if ((rval = pfdatatopacket(buffer, sizeof(struct sadb_msg) + j, - &packet)) != 0) - goto ret; + &packet)) != 0) + goto ret; /* * Search for promiscuous listeners, skipping the * original destination. */ for (s = pfkeyv2_sockets; s; s = s->next) - if ((s->flags & PFKEYV2_SOCKETFLAGS_PROMISC) && - (s->socket != socket)) - pfkey_sendup(s->socket, packet, 1); + if ((s->flags & PFKEYV2_SOCKETFLAGS_PROMISC) && + (s->socket != socket)) + pfkey_sendup(s->socket, packet, 1); /* Done, let's be a bit paranoid */ m_zero(packet); m_freem(packet); break; - case PFKEYV2_SENDMESSAGE_REGISTERED: + case PFKEYV2_SENDMESSAGE_REGISTERED: /* * Send the message to all registered sockets that match * the specified satype (e.g., all IPSEC-ESP negotiators) */ for (s = pfkeyv2_sockets; s; s = s->next) - if (s->flags & PFKEYV2_SOCKETFLAGS_REGISTERED) - { - if (!satype) /* Just send to everyone registered */ - pfkey_sendup(s->socket, packet, 1); - else - { - /* Check for specified satype */ - if ((1 << satype) & s->registration) - pfkey_sendup(s->socket, packet, 1); - } - } + if (s->flags & PFKEYV2_SOCKETFLAGS_REGISTERED) { + if (!satype) /* Just send to everyone registered */ + pfkey_sendup(s->socket, packet, 1); + else { + /* Check for specified satype */ + if ((1 << satype) & s->registration) + pfkey_sendup(s->socket, packet, 1); + } + } /* Free last/original copy of the packet */ m_freem(packet); @@ -302,40 +291,39 @@ pfkeyv2_sendmessage(void **headers, int mode, struct socket *socket, smsg->sadb_msg_version = PF_KEY_V2; smsg->sadb_msg_type = SADB_X_PROMISC; smsg->sadb_msg_len = (sizeof(struct sadb_msg) + j) / - sizeof(uint64_t); + sizeof(uint64_t); smsg->sadb_msg_seq = 0; /* Convert to mbuf chain */ if ((rval = pfdatatopacket(buffer, sizeof(struct sadb_msg) + j, - &packet)) != 0) - goto ret; + &packet)) != 0) + goto ret; /* Send to all registered promiscuous listeners */ for (s = pfkeyv2_sockets; s; s = s->next) - if ((s->flags & PFKEYV2_SOCKETFLAGS_PROMISC) && - !(s->flags & PFKEYV2_SOCKETFLAGS_REGISTERED)) - pfkey_sendup(s->socket, packet, 1); + if ((s->flags & PFKEYV2_SOCKETFLAGS_PROMISC) && + !(s->flags & PFKEYV2_SOCKETFLAGS_REGISTERED)) + pfkey_sendup(s->socket, packet, 1); m_freem(packet); break; - case PFKEYV2_SENDMESSAGE_BROADCAST: + case PFKEYV2_SENDMESSAGE_BROADCAST: /* Send message to all sockets */ for (s = pfkeyv2_sockets; s; s = s->next) - pfkey_sendup(s->socket, packet, 1); + pfkey_sendup(s->socket, packet, 1); m_freem(packet); break; } - ret: - if (buffer != NULL) - { - bzero(buffer, j + sizeof(struct sadb_msg)); - free(buffer, M_PFKEY); +ret: + if (buffer != NULL) { + bzero(buffer, j + sizeof(struct sadb_msg)); + free(buffer, M_PFKEY); } - return rval; + return (rval); } /* @@ -346,164 +334,156 @@ pfkeyv2_sendmessage(void **headers, int mode, struct socket *socket, int pfkeyv2_policy(struct ipsec_acquire *ipa, void **headers, void **buffer) { - union sockaddr_union sunion; - struct sadb_protocol *sp; - int rval, i, dir; - void *p; + union sockaddr_union sunion; + struct sadb_protocol *sp; + int rval, i, dir; + void *p; - /* Find out how big a buffer we need */ - i = 4 * sizeof(struct sadb_address) + sizeof(struct sadb_protocol); - bzero(&sunion, sizeof(union sockaddr_union)); + /* Find out how big a buffer we need */ + i = 4 * sizeof(struct sadb_address) + sizeof(struct sadb_protocol); + bzero(&sunion, sizeof(union sockaddr_union)); - switch (ipa->ipa_info.sen_type) - { + switch (ipa->ipa_info.sen_type) { #ifdef INET case SENT_IP4: - i += 4 * PADUP(sizeof(struct sockaddr_in)); - sunion.sa.sa_family = AF_INET; - sunion.sa.sa_len = sizeof(struct sockaddr_in); - dir = ipa->ipa_info.sen_direction; - break; + i += 4 * PADUP(sizeof(struct sockaddr_in)); + sunion.sa.sa_family = AF_INET; + sunion.sa.sa_len = sizeof(struct sockaddr_in); + dir = ipa->ipa_info.sen_direction; + break; #endif /* INET */ #ifdef INET6 case SENT_IP6: - i += 4 * PADUP(sizeof(struct sockaddr_in6)); - sunion.sa.sa_family = AF_INET6; - sunion.sa.sa_len = sizeof(struct sockaddr_in6); - dir = ipa->ipa_info.sen_ip6_direction; - break; + i += 4 * PADUP(sizeof(struct sockaddr_in6)); + sunion.sa.sa_family = AF_INET6; + sunion.sa.sa_len = sizeof(struct sockaddr_in6); + dir = ipa->ipa_info.sen_ip6_direction; + break; #endif /* INET6 */ default: - return EINVAL; - } + return (EINVAL); + } - if (!(p = malloc(i, M_PFKEY, M_DONTWAIT))) - { - rval = ENOMEM; - goto ret; - } - else - { - *buffer = p; - bzero(p, i); - } + if (!(p = malloc(i, M_PFKEY, M_DONTWAIT))) { + rval = ENOMEM; + goto ret; + } else { + *buffer = p; + bzero(p, i); + } - if (dir == IPSP_DIRECTION_OUT) - headers[SADB_X_EXT_SRC_FLOW] = p; - else - headers[SADB_X_EXT_DST_FLOW] = p; - switch (sunion.sa.sa_family) - { + if (dir == IPSP_DIRECTION_OUT) + headers[SADB_X_EXT_SRC_FLOW] = p; + else + headers[SADB_X_EXT_DST_FLOW] = p; + switch (sunion.sa.sa_family) { #ifdef INET case AF_INET: - sunion.sin.sin_addr = ipa->ipa_info.sen_ip_src; - sunion.sin.sin_port = ipa->ipa_info.sen_sport; - break; + sunion.sin.sin_addr = ipa->ipa_info.sen_ip_src; + sunion.sin.sin_port = ipa->ipa_info.sen_sport; + break; #endif /* INET */ #ifdef INET6 case AF_INET6: - sunion.sin6.sin6_addr = ipa->ipa_info.sen_ip6_src; - sunion.sin6.sin6_port = ipa->ipa_info.sen_ip6_sport; - break; + sunion.sin6.sin6_addr = ipa->ipa_info.sen_ip6_src; + sunion.sin6.sin6_port = ipa->ipa_info.sen_ip6_sport; + break; #endif /* INET6 */ - } - export_address(&p, (struct sockaddr *) &sunion); - - if (dir == IPSP_DIRECTION_OUT) - headers[SADB_X_EXT_SRC_MASK] = p; - else - headers[SADB_X_EXT_DST_MASK] = p; - switch (sunion.sa.sa_family) - { + } + export_address(&p, (struct sockaddr *) &sunion); + + if (dir == IPSP_DIRECTION_OUT) + headers[SADB_X_EXT_SRC_MASK] = p; + else + headers[SADB_X_EXT_DST_MASK] = p; + switch (sunion.sa.sa_family) { #ifdef INET case AF_INET: - sunion.sin.sin_addr = ipa->ipa_mask.sen_ip_src; - sunion.sin.sin_port = ipa->ipa_mask.sen_sport; - break; + sunion.sin.sin_addr = ipa->ipa_mask.sen_ip_src; + sunion.sin.sin_port = ipa->ipa_mask.sen_sport; + break; #endif /* INET */ #ifdef INET6 case AF_INET6: - sunion.sin6.sin6_addr = ipa->ipa_mask.sen_ip6_src; - sunion.sin6.sin6_port = ipa->ipa_mask.sen_ip6_sport; - break; + sunion.sin6.sin6_addr = ipa->ipa_mask.sen_ip6_src; + sunion.sin6.sin6_port = ipa->ipa_mask.sen_ip6_sport; + break; #endif /* INET6 */ - } - export_address(&p, (struct sockaddr *) &sunion); - - if (dir == IPSP_DIRECTION_OUT) - headers[SADB_X_EXT_DST_FLOW] = p; - else - headers[SADB_X_EXT_SRC_FLOW] = p; - switch (sunion.sa.sa_family) - { + } + export_address(&p, (struct sockaddr *) &sunion); + + if (dir == IPSP_DIRECTION_OUT) + headers[SADB_X_EXT_DST_FLOW] = p; + else + headers[SADB_X_EXT_SRC_FLOW] = p; + switch (sunion.sa.sa_family) { #ifdef INET case AF_INET: - sunion.sin.sin_addr = ipa->ipa_info.sen_ip_dst; - sunion.sin.sin_port = ipa->ipa_info.sen_dport; - break; + sunion.sin.sin_addr = ipa->ipa_info.sen_ip_dst; + sunion.sin.sin_port = ipa->ipa_info.sen_dport; + break; #endif /* INET */ #ifdef INET6 case AF_INET6: - sunion.sin6.sin6_addr = ipa->ipa_info.sen_ip6_dst; - sunion.sin6.sin6_port = ipa->ipa_info.sen_ip6_dport; - break; + sunion.sin6.sin6_addr = ipa->ipa_info.sen_ip6_dst; + sunion.sin6.sin6_port = ipa->ipa_info.sen_ip6_dport; + break; #endif /* INET6 */ - } - export_address(&p, (struct sockaddr *) &sunion); - - if (dir == IPSP_DIRECTION_OUT) - headers[SADB_X_EXT_DST_MASK] = p; - else - headers[SADB_X_EXT_SRC_MASK] = p; - switch (sunion.sa.sa_family) - { + } + export_address(&p, (struct sockaddr *) &sunion); + + if (dir == IPSP_DIRECTION_OUT) + headers[SADB_X_EXT_DST_MASK] = p; + else + headers[SADB_X_EXT_SRC_MASK] = p; + switch (sunion.sa.sa_family) { #ifdef INET case AF_INET: - sunion.sin.sin_addr = ipa->ipa_mask.sen_ip_dst; - sunion.sin.sin_port = ipa->ipa_mask.sen_dport; - break; + sunion.sin.sin_addr = ipa->ipa_mask.sen_ip_dst; + sunion.sin.sin_port = ipa->ipa_mask.sen_dport; + break; #endif /* INET */ #ifdef INET6 case AF_INET6: - sunion.sin6.sin6_addr = ipa->ipa_mask.sen_ip6_dst; - sunion.sin6.sin6_port = ipa->ipa_mask.sen_ip6_dport; - break; + sunion.sin6.sin6_addr = ipa->ipa_mask.sen_ip6_dst; + sunion.sin6.sin6_port = ipa->ipa_mask.sen_ip6_dport; + break; #endif /* INET6 */ - } - export_address(&p, (struct sockaddr *) &sunion); + } + export_address(&p, (struct sockaddr *) &sunion); - headers[SADB_X_EXT_FLOW_TYPE] = p; - sp = p; - sp->sadb_protocol_len = sizeof(struct sadb_protocol) / sizeof(u_int64_t); - switch (sunion.sa.sa_family) - { + headers[SADB_X_EXT_FLOW_TYPE] = p; + sp = p; + sp->sadb_protocol_len = sizeof(struct sadb_protocol) / + sizeof(u_int64_t); + switch (sunion.sa.sa_family) { #ifdef INET case AF_INET: - if (ipa->ipa_mask.sen_proto) - sp->sadb_protocol_proto = ipa->ipa_info.sen_proto; - sp->sadb_protocol_direction = ipa->ipa_info.sen_direction; - break; + if (ipa->ipa_mask.sen_proto) + sp->sadb_protocol_proto = ipa->ipa_info.sen_proto; + sp->sadb_protocol_direction = ipa->ipa_info.sen_direction; + break; #endif /* INET */ #ifdef INET6 case AF_INET6: - if (ipa->ipa_mask.sen_ip6_proto) - sp->sadb_protocol_proto = ipa->ipa_info.sen_ip6_proto; - sp->sadb_protocol_direction = ipa->ipa_info.sen_ip6_direction; - break; + if (ipa->ipa_mask.sen_ip6_proto) + sp->sadb_protocol_proto = ipa->ipa_info.sen_ip6_proto; + sp->sadb_protocol_direction = ipa->ipa_info.sen_ip6_direction; + break; #endif /* INET6 */ - } + } - rval = 0; + rval = 0; - ret: - return rval; +ret: + return (rval); } /* @@ -512,159 +492,145 @@ pfkeyv2_policy(struct ipsec_acquire *ipa, void **headers, void **buffer) int pfkeyv2_get(struct tdb *sa, void **headers, void **buffer) { - int rval, i; - void *p; + int rval, i; + void *p; - /* Find how much space we need */ - i = sizeof(struct sadb_sa) + sizeof(struct sadb_lifetime); + /* Find how much space we need */ + i = sizeof(struct sadb_sa) + sizeof(struct sadb_lifetime); - if (sa->tdb_soft_allocations || sa->tdb_soft_bytes || - sa->tdb_soft_timeout || sa->tdb_soft_first_use) - i += sizeof(struct sadb_lifetime); + if (sa->tdb_soft_allocations || sa->tdb_soft_bytes || + sa->tdb_soft_timeout || sa->tdb_soft_first_use) + i += sizeof(struct sadb_lifetime); - if (sa->tdb_exp_allocations || sa->tdb_exp_bytes || - sa->tdb_exp_timeout || sa->tdb_exp_first_use) - i += sizeof(struct sadb_lifetime); + if (sa->tdb_exp_allocations || sa->tdb_exp_bytes || + sa->tdb_exp_timeout || sa->tdb_exp_first_use) + i += sizeof(struct sadb_lifetime); - if (sa->tdb_src.sa.sa_family) - i += sizeof(struct sadb_address) + PADUP(SA_LEN(&sa->tdb_src.sa)); + if (sa->tdb_src.sa.sa_family) + i += sizeof(struct sadb_address) + PADUP(SA_LEN(&sa->tdb_src.sa)); - if (sa->tdb_dst.sa.sa_family) - i += sizeof(struct sadb_address) + PADUP(SA_LEN(&sa->tdb_dst.sa)); + if (sa->tdb_dst.sa.sa_family) + i += sizeof(struct sadb_address) + PADUP(SA_LEN(&sa->tdb_dst.sa)); - if (sa->tdb_proxy.sa.sa_family) - i += sizeof(struct sadb_address) + PADUP(SA_LEN(&sa->tdb_proxy.sa)); + if (sa->tdb_proxy.sa.sa_family) + i += sizeof(struct sadb_address) + PADUP(SA_LEN(&sa->tdb_proxy.sa)); - if (sa->tdb_srcid) - i += PADUP(sa->tdb_srcid->ref_len) + sizeof(struct sadb_ident); + if (sa->tdb_srcid) + i += PADUP(sa->tdb_srcid->ref_len) + sizeof(struct sadb_ident); - if (sa->tdb_dstid) - i += PADUP(sa->tdb_dstid->ref_len) + sizeof(struct sadb_ident); + if (sa->tdb_dstid) + i += PADUP(sa->tdb_dstid->ref_len) + sizeof(struct sadb_ident); - if (sa->tdb_local_cred) - i += PADUP(sa->tdb_local_cred->ref_len) + sizeof(struct sadb_x_cred); + if (sa->tdb_local_cred) + i += PADUP(sa->tdb_local_cred->ref_len) + sizeof(struct sadb_x_cred); - if (sa->tdb_remote_cred) - i += PADUP(sa->tdb_remote_cred->ref_len) + sizeof(struct sadb_x_cred); + if (sa->tdb_remote_cred) + i += PADUP(sa->tdb_remote_cred->ref_len) + sizeof(struct sadb_x_cred); - if (sa->tdb_local_auth) - i += PADUP(sa->tdb_local_auth->ref_len) + sizeof(struct sadb_x_cred); + if (sa->tdb_local_auth) + i += PADUP(sa->tdb_local_auth->ref_len) + sizeof(struct sadb_x_cred); - if (sa->tdb_remote_auth) - i += PADUP(sa->tdb_remote_auth->ref_len) + sizeof(struct sadb_x_cred); + if (sa->tdb_remote_auth) + i += PADUP(sa->tdb_remote_auth->ref_len) + sizeof(struct sadb_x_cred); - if (sa->tdb_amxkey) - i+= PADUP(sa->tdb_amxkeylen) + sizeof(struct sadb_key); + if (sa->tdb_amxkey) + i+= PADUP(sa->tdb_amxkeylen) + sizeof(struct sadb_key); - if (sa->tdb_emxkey) - i+= PADUP(sa->tdb_emxkeylen) + sizeof(struct sadb_key); + if (sa->tdb_emxkey) + i+= PADUP(sa->tdb_emxkeylen) + sizeof(struct sadb_key); - if (!(p = malloc(i, M_PFKEY, M_DONTWAIT))) - { - rval = ENOMEM; - goto ret; - } - else - { - *buffer = p; - bzero(p, i); - } + if (!(p = malloc(i, M_PFKEY, M_DONTWAIT))) { + rval = ENOMEM; + goto ret; + } else { + *buffer = p; + bzero(p, i); + } - headers[SADB_EXT_SA] = p; + headers[SADB_EXT_SA] = p; - export_sa(&p, sa); /* Export SA information (mostly flags) */ + export_sa(&p, sa); /* Export SA information (mostly flags) */ - /* Export lifetimes where applicable */ - headers[SADB_EXT_LIFETIME_CURRENT] = p; - export_lifetime(&p, sa, PFKEYV2_LIFETIME_CURRENT); + /* Export lifetimes where applicable */ + headers[SADB_EXT_LIFETIME_CURRENT] = p; + export_lifetime(&p, sa, PFKEYV2_LIFETIME_CURRENT); - if (sa->tdb_soft_allocations || sa->tdb_soft_bytes || - sa->tdb_soft_first_use || sa->tdb_soft_timeout) - { - headers[SADB_EXT_LIFETIME_SOFT] = p; - export_lifetime(&p, sa, PFKEYV2_LIFETIME_SOFT); - } + if (sa->tdb_soft_allocations || sa->tdb_soft_bytes || + sa->tdb_soft_first_use || sa->tdb_soft_timeout) { + headers[SADB_EXT_LIFETIME_SOFT] = p; + export_lifetime(&p, sa, PFKEYV2_LIFETIME_SOFT); + } - if (sa->tdb_exp_allocations || sa->tdb_exp_bytes || - sa->tdb_exp_first_use || sa->tdb_exp_timeout) - { - headers[SADB_EXT_LIFETIME_HARD] = p; - export_lifetime(&p, sa, PFKEYV2_LIFETIME_HARD); - } + if (sa->tdb_exp_allocations || sa->tdb_exp_bytes || + sa->tdb_exp_first_use || sa->tdb_exp_timeout) { + headers[SADB_EXT_LIFETIME_HARD] = p; + export_lifetime(&p, sa, PFKEYV2_LIFETIME_HARD); + } - /* Export TDB source address */ - headers[SADB_EXT_ADDRESS_SRC] = p; - export_address(&p, (struct sockaddr *) &sa->tdb_src); + /* Export TDB source address */ + headers[SADB_EXT_ADDRESS_SRC] = p; + export_address(&p, (struct sockaddr *) &sa->tdb_src); - /* Export TDB destination address */ - headers[SADB_EXT_ADDRESS_DST] = p; - export_address(&p, (struct sockaddr *) &sa->tdb_dst); + /* Export TDB destination address */ + headers[SADB_EXT_ADDRESS_DST] = p; + export_address(&p, (struct sockaddr *) &sa->tdb_dst); - /* Export TDB proxy address, if present */ - if (SA_LEN(&sa->tdb_proxy.sa)) - { - headers[SADB_EXT_ADDRESS_PROXY] = p; - export_address(&p, (struct sockaddr *) &sa->tdb_proxy); - } + /* Export TDB proxy address, if present */ + if (SA_LEN(&sa->tdb_proxy.sa)) { + headers[SADB_EXT_ADDRESS_PROXY] = p; + export_address(&p, (struct sockaddr *) &sa->tdb_proxy); + } - /* Export source identity, if present */ - if (sa->tdb_srcid) - { - headers[SADB_EXT_IDENTITY_SRC] = p; - export_identity(&p, sa, PFKEYV2_IDENTITY_SRC); - } + /* Export source identity, if present */ + if (sa->tdb_srcid) { + headers[SADB_EXT_IDENTITY_SRC] = p; + export_identity(&p, sa, PFKEYV2_IDENTITY_SRC); + } - /* Export destination identity, if present */ - if (sa->tdb_dstid) - { - headers[SADB_EXT_IDENTITY_DST] = p; - export_identity(&p, sa, PFKEYV2_IDENTITY_DST); - } + /* Export destination identity, if present */ + if (sa->tdb_dstid) { + headers[SADB_EXT_IDENTITY_DST] = p; + export_identity(&p, sa, PFKEYV2_IDENTITY_DST); + } - /* Export credentials, if present */ - if (sa->tdb_local_cred) - { - headers[SADB_X_EXT_LOCAL_CREDENTIALS] = p; - export_credentials(&p, sa, PFKEYV2_CRED_LOCAL); - } + /* Export credentials, if present */ + if (sa->tdb_local_cred) { + headers[SADB_X_EXT_LOCAL_CREDENTIALS] = p; + export_credentials(&p, sa, PFKEYV2_CRED_LOCAL); + } - if (sa->tdb_remote_cred) - { - headers[SADB_X_EXT_REMOTE_CREDENTIALS] = p; - export_credentials(&p, sa, PFKEYV2_CRED_REMOTE); - } + if (sa->tdb_remote_cred) { + headers[SADB_X_EXT_REMOTE_CREDENTIALS] = p; + export_credentials(&p, sa, PFKEYV2_CRED_REMOTE); + } - /* Export authentication information, if present */ - if (sa->tdb_local_auth) - { - headers[SADB_X_EXT_LOCAL_AUTH] = p; - export_auth(&p, sa, PFKEYV2_AUTH_LOCAL); - } + /* Export authentication information, if present */ + if (sa->tdb_local_auth) { + headers[SADB_X_EXT_LOCAL_AUTH] = p; + export_auth(&p, sa, PFKEYV2_AUTH_LOCAL); + } - if (sa->tdb_remote_auth) - { - headers[SADB_X_EXT_REMOTE_AUTH] = p; - export_auth(&p, sa, PFKEYV2_AUTH_REMOTE); - } + if (sa->tdb_remote_auth) { + headers[SADB_X_EXT_REMOTE_AUTH] = p; + export_auth(&p, sa, PFKEYV2_AUTH_REMOTE); + } - /* Export authentication key, if present */ - if (sa->tdb_amxkey) - { - headers[SADB_EXT_KEY_AUTH] = p; - export_key(&p, sa, PFKEYV2_AUTHENTICATION_KEY); - } + /* Export authentication key, if present */ + if (sa->tdb_amxkey) { + headers[SADB_EXT_KEY_AUTH] = p; + export_key(&p, sa, PFKEYV2_AUTHENTICATION_KEY); + } - /* Export encryption key, if present */ - if (sa->tdb_emxkey) - { - headers[SADB_EXT_KEY_ENCRYPT] = p; - export_key(&p, sa, PFKEYV2_ENCRYPTION_KEY); - } + /* Export encryption key, if present */ + if (sa->tdb_emxkey) { + headers[SADB_EXT_KEY_ENCRYPT] = p; + export_key(&p, sa, PFKEYV2_ENCRYPTION_KEY); + } - rval = 0; + rval = 0; ret: - return rval; + return (rval); } /* @@ -673,34 +639,33 @@ pfkeyv2_get(struct tdb *sa, void **headers, void **buffer) int pfkeyv2_dump_walker(struct tdb *sa, void *state, int last) { - struct dump_state *dump_state = (struct dump_state *) state; - void *headers[SADB_EXT_MAX+1], *buffer; - int rval; - - /* If not satype was specified, dump all TDBs */ - if (!dump_state->sadb_msg->sadb_msg_satype || - (sa->tdb_satype == dump_state->sadb_msg->sadb_msg_satype)) - { - bzero(headers, sizeof(headers)); - headers[0] = (void *) dump_state->sadb_msg; + struct dump_state *dump_state = (struct dump_state *) state; + void *headers[SADB_EXT_MAX+1], *buffer; + int rval; - /* Get the information from the TDB to a PFKEYv2 message */ - if ((rval = pfkeyv2_get(sa, headers, &buffer)) != 0) - return rval; + /* If not satype was specified, dump all TDBs */ + if (!dump_state->sadb_msg->sadb_msg_satype || + (sa->tdb_satype == dump_state->sadb_msg->sadb_msg_satype)) { + bzero(headers, sizeof(headers)); + headers[0] = (void *) dump_state->sadb_msg; - if (last) - ((struct sadb_msg *)headers[0])->sadb_msg_seq = 0; + /* Get the information from the TDB to a PFKEYv2 message */ + if ((rval = pfkeyv2_get(sa, headers, &buffer)) != 0) + return (rval); - /* Send the message to the specified socket */ - rval = pfkeyv2_sendmessage(headers, PFKEYV2_SENDMESSAGE_UNICAST, - dump_state->socket, 0, 0); + if (last) + ((struct sadb_msg *)headers[0])->sadb_msg_seq = 0; - free(buffer, M_PFKEY); - if (rval) - return rval; - } + /* Send the message to the specified socket */ + rval = pfkeyv2_sendmessage(headers, + PFKEYV2_SENDMESSAGE_UNICAST, dump_state->socket, 0, 0); + + free(buffer, M_PFKEY); + if (rval) + return (rval); + } - return 0; + return (0); } /* @@ -709,11 +674,10 @@ pfkeyv2_dump_walker(struct tdb *sa, void *state, int last) int pfkeyv2_flush_walker(struct tdb *sa, void *satype_vp, int last) { - if (!(*((u_int8_t *) satype_vp)) || - sa->tdb_satype == *((u_int8_t *) satype_vp)) - tdb_delete(sa); - - return 0; + if (!(*((u_int8_t *) satype_vp)) || + sa->tdb_satype == *((u_int8_t *) satype_vp)) + tdb_delete(sa); + return (0); } /* @@ -724,64 +688,63 @@ pfkeyv2_flush_walker(struct tdb *sa, void *satype_vp, int last) int pfkeyv2_get_proto_alg(u_int8_t satype, u_int8_t *sproto, int *alg) { - switch (satype) - { + switch (satype) { case SADB_SATYPE_AH: - if (!ah_enable) - return EOPNOTSUPP; + if (!ah_enable) + return (EOPNOTSUPP); - *sproto = IPPROTO_AH; + *sproto = IPPROTO_AH; - if(alg != NULL) - *alg = satype = XF_AH; + if(alg != NULL) + *alg = satype = XF_AH; - break; + break; case SADB_SATYPE_ESP: - if (!esp_enable) - return EOPNOTSUPP; + if (!esp_enable) + return (EOPNOTSUPP); - *sproto = IPPROTO_ESP; + *sproto = IPPROTO_ESP; - if(alg != NULL) - *alg = satype = XF_ESP; + if(alg != NULL) + *alg = satype = XF_ESP; - break; + break; case SADB_X_SATYPE_IPIP: - *sproto = IPPROTO_IPIP; + *sproto = IPPROTO_IPIP; - if (alg != NULL) - *alg = XF_IP4; + if (alg != NULL) + *alg = XF_IP4; - break; + break; case SADB_X_SATYPE_IPCOMP: - if (!ipcomp_enable) - return EOPNOTSUPP; + if (!ipcomp_enable) + return (EOPNOTSUPP); - *sproto = IPPROTO_IPCOMP; + *sproto = IPPROTO_IPCOMP; - if(alg != NULL) - *alg = satype = XF_IPCOMP; + if(alg != NULL) + *alg = satype = XF_IPCOMP; - break; + break; #ifdef TCP_SIGNATURE case SADB_X_SATYPE_TCPSIGNATURE: - *sproto = IPPROTO_TCP; + *sproto = IPPROTO_TCP; - if (alg != NULL) - *alg = XF_TCPSIGNATURE; + if (alg != NULL) + *alg = XF_TCPSIGNATURE; - break; + break; #endif /* TCP_SIGNATURE */ default: /* Nothing else supported */ - return EOPNOTSUPP; - } + return (EOPNOTSUPP); + } - return 0; + return (0); } /* @@ -790,553 +753,534 @@ pfkeyv2_get_proto_alg(u_int8_t satype, u_int8_t *sproto, int *alg) int pfkeyv2_send(struct socket *socket, void *message, int len) { - int i, j, rval = 0, mode = PFKEYV2_SENDMESSAGE_BROADCAST, delflag = 0, s; - struct sockaddr_encap encapdst, encapnetmask, encapgw; - struct ipsec_policy *ipo, *tmpipo; - struct ipsec_acquire *ipa; - - struct pfkeyv2_socket *pfkeyv2_socket, *so = NULL; + int i, j, rval = 0, mode = PFKEYV2_SENDMESSAGE_BROADCAST; + int delflag = 0, s; + struct sockaddr_encap encapdst, encapnetmask, encapgw; + struct ipsec_policy *ipo, *tmpipo; + struct ipsec_acquire *ipa; - void *freeme = NULL, *bckptr = NULL; - void *headers[SADB_EXT_MAX + 1]; + struct pfkeyv2_socket *pfkeyv2_socket, *so = NULL; - union sockaddr_union *sunionp; + void *freeme = NULL, *bckptr = NULL; + void *headers[SADB_EXT_MAX + 1]; - struct tdb sa, *sa2 = NULL; + union sockaddr_union *sunionp; - struct sadb_msg *smsg; - struct sadb_spirange *sprng; - struct sadb_sa *ssa; - struct sadb_supported *ssup; - struct sadb_ident *sid; + struct tdb sa, *sa2 = NULL; - /* Verify that we received this over a legitimate pfkeyv2 socket */ - bzero(headers, sizeof(headers)); + struct sadb_msg *smsg; + struct sadb_spirange *sprng; + struct sadb_sa *ssa; + struct sadb_supported *ssup; + struct sadb_ident *sid; - for (pfkeyv2_socket = pfkeyv2_sockets; - pfkeyv2_socket; - pfkeyv2_socket = pfkeyv2_socket->next) - if (pfkeyv2_socket->socket == socket) - break; - - if (!pfkeyv2_socket) - { - rval = EINVAL; - goto ret; - } + /* Verify that we received this over a legitimate pfkeyv2 socket */ + bzero(headers, sizeof(headers)); - /* If we have any promiscuous listeners, send them a copy of the message */ - if (npromisc) - { - struct mbuf *packet; + for (pfkeyv2_socket = pfkeyv2_sockets; pfkeyv2_socket; + pfkeyv2_socket = pfkeyv2_socket->next) + if (pfkeyv2_socket->socket == socket) + break; - if (!(freeme = malloc(sizeof(struct sadb_msg) + len, M_PFKEY, - M_DONTWAIT))) - { - rval = ENOMEM; - goto ret; + if (!pfkeyv2_socket) { + rval = EINVAL; + goto ret; } - /* Initialize encapsulating header */ - bzero(freeme, sizeof(struct sadb_msg)); - smsg = (struct sadb_msg *) freeme; - smsg->sadb_msg_version = PF_KEY_V2; - smsg->sadb_msg_type = SADB_X_PROMISC; - smsg->sadb_msg_len = (sizeof(struct sadb_msg) + len) / - sizeof(uint64_t); - smsg->sadb_msg_seq = curproc->p_pid; - - bcopy(message, freeme + sizeof(struct sadb_msg), len); - - /* Convert to mbuf chain */ - if ((rval = pfdatatopacket(freeme, sizeof(struct sadb_msg) + len, - &packet)) != 0) - goto ret; - - /* Send to all promiscuous listeners */ - for (so = pfkeyv2_sockets; so; so = so->next) - if (so->flags & PFKEYV2_SOCKETFLAGS_PROMISC) - pfkey_sendup(so->socket, packet, 1); - - /* Paranoid */ - m_zero(packet); - m_freem(packet); - - /* Even more paranoid */ - bzero(freeme, sizeof(struct sadb_msg) + len); - free(freeme, M_PFKEY); - freeme = NULL; - } - - /* Validate message format */ - if ((rval = pfkeyv2_parsemessage(message, len, headers)) != 0) - goto ret; + /* If we have any promiscuous listeners, send them a copy of the message */ + if (npromisc) { + struct mbuf *packet; - smsg = (struct sadb_msg *) headers[0]; - switch(smsg->sadb_msg_type) - { - case SADB_GETSPI: /* Reserve an SPI */ - bzero(&sa, sizeof(struct tdb)); - - sa.tdb_satype = smsg->sadb_msg_satype; - if ((rval = pfkeyv2_get_proto_alg(sa.tdb_satype, - &sa.tdb_sproto, 0))) - goto ret; - - import_address((struct sockaddr *) &sa.tdb_src, - headers[SADB_EXT_ADDRESS_SRC]); - import_address((struct sockaddr *) &sa.tdb_dst, - headers[SADB_EXT_ADDRESS_DST]); - - /* Find an unused SA identifier */ - sprng = (struct sadb_spirange *) headers[SADB_EXT_SPIRANGE]; - sa.tdb_spi = reserve_spi(sprng->sadb_spirange_min, - sprng->sadb_spirange_max, - &sa.tdb_src, &sa.tdb_dst, - sa.tdb_sproto, &rval); - if (sa.tdb_spi == 0) - goto ret; - - /* Send a message back telling what the SA (the SPI really) is */ - if (!(freeme = malloc(sizeof(struct sadb_sa), M_PFKEY, - M_DONTWAIT))) - { - rval = ENOMEM; - goto ret; - } + if (!(freeme = malloc(sizeof(struct sadb_msg) + len, M_PFKEY, + M_DONTWAIT))) { + rval = ENOMEM; + goto ret; + } - bzero(freeme, sizeof(struct sadb_sa)); - headers[SADB_EXT_SPIRANGE] = NULL; - headers[SADB_EXT_SA] = freeme; - bckptr = freeme; + /* Initialize encapsulating header */ + bzero(freeme, sizeof(struct sadb_msg)); + smsg = (struct sadb_msg *) freeme; + smsg->sadb_msg_version = PF_KEY_V2; + smsg->sadb_msg_type = SADB_X_PROMISC; + smsg->sadb_msg_len = (sizeof(struct sadb_msg) + len) / + sizeof(uint64_t); + smsg->sadb_msg_seq = curproc->p_pid; - /* We really only care about the SPI, but we'll export the SA */ - export_sa((void **) &bckptr, &sa); - break; + bcopy(message, freeme + sizeof(struct sadb_msg), len); - case SADB_UPDATE: - ssa = (struct sadb_sa *) headers[SADB_EXT_SA]; - sunionp = (union sockaddr_union *) (headers[SADB_EXT_ADDRESS_DST] + - sizeof(struct sadb_address)); - - /* Either all or none of the flow must be included */ - if ((headers[SADB_X_EXT_SRC_FLOW] || - headers[SADB_X_EXT_PROTOCOL] || - headers[SADB_X_EXT_FLOW_TYPE] || - headers[SADB_X_EXT_DST_FLOW] || - headers[SADB_X_EXT_SRC_MASK] || - headers[SADB_X_EXT_DST_MASK]) && - !(headers[SADB_X_EXT_SRC_FLOW] && - headers[SADB_X_EXT_PROTOCOL] && - headers[SADB_X_EXT_FLOW_TYPE] && - headers[SADB_X_EXT_DST_FLOW] && - headers[SADB_X_EXT_SRC_MASK] && - headers[SADB_X_EXT_DST_MASK])) - { - rval = EINVAL; - goto ret; - } + /* Convert to mbuf chain */ + if ((rval = pfdatatopacket(freeme, + sizeof(struct sadb_msg) + len, &packet)) != 0) + goto ret; - s = spltdb(); + /* Send to all promiscuous listeners */ + for (so = pfkeyv2_sockets; so; so = so->next) + if (so->flags & PFKEYV2_SOCKETFLAGS_PROMISC) + pfkey_sendup(so->socket, packet, 1); - /* Find TDB */ - sa2 = gettdb(ssa->sadb_sa_spi, sunionp, - SADB_X_GETSPROTO(smsg->sadb_msg_satype)); + /* Paranoid */ + m_zero(packet); + m_freem(packet); - /* If there's no such SA, we're done */ - if (sa2 == NULL) - { - rval = ESRCH; - goto splxret; - } + /* Even more paranoid */ + bzero(freeme, sizeof(struct sadb_msg) + len); + free(freeme, M_PFKEY); + freeme = NULL; + } - /* If this is a reserved SA */ - if (sa2->tdb_flags & TDBF_INVALID) - { - struct tdb *newsa; - struct ipsecinit ii; - int alg; + /* Validate message format */ + if ((rval = pfkeyv2_parsemessage(message, len, headers)) != 0) + goto ret; - /* Create new TDB */ - freeme = tdb_alloc(); - bzero(&ii, sizeof(struct ipsecinit)); - - newsa = (struct tdb *) freeme; - newsa->tdb_satype = smsg->sadb_msg_satype; - - if ((rval = pfkeyv2_get_proto_alg(newsa->tdb_satype, - &newsa->tdb_sproto, &alg))) - goto splxret; - - /* Initialize SA */ - import_sa(newsa, headers[SADB_EXT_SA], &ii); - import_address((struct sockaddr *) &newsa->tdb_src, - headers[SADB_EXT_ADDRESS_SRC]); - import_address((struct sockaddr *) &newsa->tdb_dst, - headers[SADB_EXT_ADDRESS_DST]); - import_address((struct sockaddr *) &newsa->tdb_proxy, - headers[SADB_EXT_ADDRESS_PROXY]); - import_lifetime(newsa, headers[SADB_EXT_LIFETIME_CURRENT], - PFKEYV2_LIFETIME_CURRENT); - import_lifetime(newsa, headers[SADB_EXT_LIFETIME_SOFT], - PFKEYV2_LIFETIME_SOFT); - import_lifetime(newsa, headers[SADB_EXT_LIFETIME_HARD], - PFKEYV2_LIFETIME_HARD); - import_key(&ii, headers[SADB_EXT_KEY_AUTH], - PFKEYV2_AUTHENTICATION_KEY); - import_key(&ii, headers[SADB_EXT_KEY_ENCRYPT], - PFKEYV2_ENCRYPTION_KEY); - import_identity(newsa, headers[SADB_EXT_IDENTITY_SRC], - PFKEYV2_IDENTITY_SRC); - import_identity(newsa, headers[SADB_EXT_IDENTITY_DST], - PFKEYV2_IDENTITY_DST); - import_credentials(newsa, - headers[SADB_X_EXT_LOCAL_CREDENTIALS], - PFKEYV2_CRED_LOCAL); - import_credentials(newsa, - headers[SADB_X_EXT_REMOTE_CREDENTIALS], - PFKEYV2_CRED_REMOTE); - import_auth(newsa, headers[SADB_X_EXT_LOCAL_AUTH], - PFKEYV2_AUTH_LOCAL); - import_auth(newsa, headers[SADB_X_EXT_REMOTE_AUTH], - PFKEYV2_AUTH_REMOTE); - import_flow(&newsa->tdb_filter, &newsa->tdb_filtermask, - headers[SADB_X_EXT_SRC_FLOW], headers[SADB_X_EXT_SRC_MASK], - headers[SADB_X_EXT_DST_FLOW], headers[SADB_X_EXT_DST_MASK], - headers[SADB_X_EXT_PROTOCOL], - headers[SADB_X_EXT_FLOW_TYPE]); + smsg = (struct sadb_msg *) headers[0]; + switch(smsg->sadb_msg_type) { + case SADB_GETSPI: /* Reserve an SPI */ + bzero(&sa, sizeof(struct tdb)); + + sa.tdb_satype = smsg->sadb_msg_satype; + if ((rval = pfkeyv2_get_proto_alg(sa.tdb_satype, + &sa.tdb_sproto, 0))) + goto ret; + + import_address((struct sockaddr *) &sa.tdb_src, + headers[SADB_EXT_ADDRESS_SRC]); + import_address((struct sockaddr *) &sa.tdb_dst, + headers[SADB_EXT_ADDRESS_DST]); + + /* Find an unused SA identifier */ + sprng = (struct sadb_spirange *) headers[SADB_EXT_SPIRANGE]; + sa.tdb_spi = reserve_spi(sprng->sadb_spirange_min, + sprng->sadb_spirange_max, &sa.tdb_src, &sa.tdb_dst, + sa.tdb_sproto, &rval); + if (sa.tdb_spi == 0) + goto ret; + + /* Send a message back telling what the SA (the SPI really) is */ + if (!(freeme = malloc(sizeof(struct sadb_sa), M_PFKEY, + M_DONTWAIT))) { + rval = ENOMEM; + goto ret; + } - headers[SADB_EXT_KEY_AUTH] = NULL; - headers[SADB_EXT_KEY_ENCRYPT] = NULL; - headers[SADB_X_EXT_LOCAL_AUTH] = NULL; + bzero(freeme, sizeof(struct sadb_sa)); + headers[SADB_EXT_SPIRANGE] = NULL; + headers[SADB_EXT_SA] = freeme; + bckptr = freeme; - newsa->tdb_seq = smsg->sadb_msg_seq; + /* We really only care about the SPI, but we'll export the SA */ + export_sa((void **) &bckptr, &sa); + break; - rval = tdb_init(newsa, alg, &ii); - if (rval) - { - rval = EINVAL; - tdb_delete(freeme); - freeme = NULL; - goto splxret; + case SADB_UPDATE: + ssa = (struct sadb_sa *) headers[SADB_EXT_SA]; + sunionp = (union sockaddr_union *) (headers[SADB_EXT_ADDRESS_DST] + + sizeof(struct sadb_address)); + + /* Either all or none of the flow must be included */ + if ((headers[SADB_X_EXT_SRC_FLOW] || + headers[SADB_X_EXT_PROTOCOL] || + headers[SADB_X_EXT_FLOW_TYPE] || + headers[SADB_X_EXT_DST_FLOW] || + headers[SADB_X_EXT_SRC_MASK] || + headers[SADB_X_EXT_DST_MASK]) && + !(headers[SADB_X_EXT_SRC_FLOW] && + headers[SADB_X_EXT_PROTOCOL] && + headers[SADB_X_EXT_FLOW_TYPE] && + headers[SADB_X_EXT_DST_FLOW] && + headers[SADB_X_EXT_SRC_MASK] && + headers[SADB_X_EXT_DST_MASK])) { + rval = EINVAL; + goto ret; } - newsa->tdb_cur_allocations = sa2->tdb_cur_allocations; + s = spltdb(); - /* Delete old version of the SA, insert new one */ - tdb_delete(sa2); - puttdb((struct tdb *) freeme); - sa2 = freeme = NULL; - } - else - { - /* - * The SA is already initialized, so we're only allowed to - * change lifetimes and some other information; we're - * not allowed to change keys, addresses or identities. - */ - if (headers[SADB_EXT_ADDRESS_PROXY] || - headers[SADB_EXT_KEY_AUTH] || - headers[SADB_EXT_KEY_ENCRYPT] || - headers[SADB_EXT_IDENTITY_SRC] || - headers[SADB_EXT_IDENTITY_DST] || - headers[SADB_EXT_SENSITIVITY]) - { - rval = EINVAL; - goto splxret; + /* Find TDB */ + sa2 = gettdb(ssa->sadb_sa_spi, sunionp, + SADB_X_GETSPROTO(smsg->sadb_msg_satype)); + + /* If there's no such SA, we're done */ + if (sa2 == NULL) { + rval = ESRCH; + goto splxret; } - import_sa(sa2, headers[SADB_EXT_SA], NULL); - import_lifetime(sa2, headers[SADB_EXT_LIFETIME_CURRENT], - PFKEYV2_LIFETIME_CURRENT); - import_lifetime(sa2, headers[SADB_EXT_LIFETIME_SOFT], - PFKEYV2_LIFETIME_SOFT); - import_lifetime(sa2, headers[SADB_EXT_LIFETIME_HARD], - PFKEYV2_LIFETIME_HARD); - } + /* If this is a reserved SA */ + if (sa2->tdb_flags & TDBF_INVALID) { + struct tdb *newsa; + struct ipsecinit ii; + int alg; + + /* Create new TDB */ + freeme = tdb_alloc(); + bzero(&ii, sizeof(struct ipsecinit)); + + newsa = (struct tdb *) freeme; + newsa->tdb_satype = smsg->sadb_msg_satype; + + if ((rval = pfkeyv2_get_proto_alg(newsa->tdb_satype, + &newsa->tdb_sproto, &alg))) + goto splxret; + + /* Initialize SA */ + import_sa(newsa, headers[SADB_EXT_SA], &ii); + import_address((struct sockaddr *) &newsa->tdb_src, + headers[SADB_EXT_ADDRESS_SRC]); + import_address((struct sockaddr *) &newsa->tdb_dst, + headers[SADB_EXT_ADDRESS_DST]); + import_address((struct sockaddr *) &newsa->tdb_proxy, + headers[SADB_EXT_ADDRESS_PROXY]); + import_lifetime(newsa, + headers[SADB_EXT_LIFETIME_CURRENT], + PFKEYV2_LIFETIME_CURRENT); + import_lifetime(newsa, headers[SADB_EXT_LIFETIME_SOFT], + PFKEYV2_LIFETIME_SOFT); + import_lifetime(newsa, headers[SADB_EXT_LIFETIME_HARD], + PFKEYV2_LIFETIME_HARD); + import_key(&ii, headers[SADB_EXT_KEY_AUTH], + PFKEYV2_AUTHENTICATION_KEY); + import_key(&ii, headers[SADB_EXT_KEY_ENCRYPT], + PFKEYV2_ENCRYPTION_KEY); + import_identity(newsa, headers[SADB_EXT_IDENTITY_SRC], + PFKEYV2_IDENTITY_SRC); + import_identity(newsa, headers[SADB_EXT_IDENTITY_DST], + PFKEYV2_IDENTITY_DST); + import_credentials(newsa, + headers[SADB_X_EXT_LOCAL_CREDENTIALS], + PFKEYV2_CRED_LOCAL); + import_credentials(newsa, + headers[SADB_X_EXT_REMOTE_CREDENTIALS], + PFKEYV2_CRED_REMOTE); + import_auth(newsa, headers[SADB_X_EXT_LOCAL_AUTH], + PFKEYV2_AUTH_LOCAL); + import_auth(newsa, headers[SADB_X_EXT_REMOTE_AUTH], + PFKEYV2_AUTH_REMOTE); + import_flow(&newsa->tdb_filter, &newsa->tdb_filtermask, + headers[SADB_X_EXT_SRC_FLOW], + headers[SADB_X_EXT_SRC_MASK], + headers[SADB_X_EXT_DST_FLOW], + headers[SADB_X_EXT_DST_MASK], + headers[SADB_X_EXT_PROTOCOL], + headers[SADB_X_EXT_FLOW_TYPE]); + + headers[SADB_EXT_KEY_AUTH] = NULL; + headers[SADB_EXT_KEY_ENCRYPT] = NULL; + headers[SADB_X_EXT_LOCAL_AUTH] = NULL; + + newsa->tdb_seq = smsg->sadb_msg_seq; + + rval = tdb_init(newsa, alg, &ii); + if (rval) { + rval = EINVAL; + tdb_delete(freeme); + freeme = NULL; + goto splxret; + } + + newsa->tdb_cur_allocations = sa2->tdb_cur_allocations; + + /* Delete old version of the SA, insert new one */ + tdb_delete(sa2); + puttdb((struct tdb *) freeme); + sa2 = freeme = NULL; + } else { + /* + * The SA is already initialized, so we're only allowed to + * change lifetimes and some other information; we're + * not allowed to change keys, addresses or identities. + */ + if (headers[SADB_EXT_ADDRESS_PROXY] || + headers[SADB_EXT_KEY_AUTH] || + headers[SADB_EXT_KEY_ENCRYPT] || + headers[SADB_EXT_IDENTITY_SRC] || + headers[SADB_EXT_IDENTITY_DST] || + headers[SADB_EXT_SENSITIVITY]) { + rval = EINVAL; + goto splxret; + } + + import_sa(sa2, headers[SADB_EXT_SA], NULL); + import_lifetime(sa2, + headers[SADB_EXT_LIFETIME_CURRENT], + PFKEYV2_LIFETIME_CURRENT); + import_lifetime(sa2, headers[SADB_EXT_LIFETIME_SOFT], + PFKEYV2_LIFETIME_SOFT); + import_lifetime(sa2, headers[SADB_EXT_LIFETIME_HARD], + PFKEYV2_LIFETIME_HARD); + } - splx(s); - break; + splx(s); + break; case SADB_ADD: - ssa = (struct sadb_sa *) headers[SADB_EXT_SA]; - sunionp = (union sockaddr_union *) (headers[SADB_EXT_ADDRESS_DST] + - sizeof(struct sadb_address)); - - /* Either all or none of the flow must be included */ - if ((headers[SADB_X_EXT_SRC_FLOW] || - headers[SADB_X_EXT_PROTOCOL] || - headers[SADB_X_EXT_FLOW_TYPE] || - headers[SADB_X_EXT_DST_FLOW] || - headers[SADB_X_EXT_SRC_MASK] || - headers[SADB_X_EXT_DST_MASK]) && - !(headers[SADB_X_EXT_SRC_FLOW] && - headers[SADB_X_EXT_PROTOCOL] && - headers[SADB_X_EXT_FLOW_TYPE] && - headers[SADB_X_EXT_DST_FLOW] && - headers[SADB_X_EXT_SRC_MASK] && - headers[SADB_X_EXT_DST_MASK])) - { - rval = EINVAL; - goto ret; - } - - s = spltdb(); + ssa = (struct sadb_sa *) headers[SADB_EXT_SA]; + sunionp = (union sockaddr_union *) (headers[SADB_EXT_ADDRESS_DST] + + sizeof(struct sadb_address)); + + /* Either all or none of the flow must be included */ + if ((headers[SADB_X_EXT_SRC_FLOW] || + headers[SADB_X_EXT_PROTOCOL] || + headers[SADB_X_EXT_FLOW_TYPE] || + headers[SADB_X_EXT_DST_FLOW] || + headers[SADB_X_EXT_SRC_MASK] || + headers[SADB_X_EXT_DST_MASK]) && + !(headers[SADB_X_EXT_SRC_FLOW] && + headers[SADB_X_EXT_PROTOCOL] && + headers[SADB_X_EXT_FLOW_TYPE] && + headers[SADB_X_EXT_DST_FLOW] && + headers[SADB_X_EXT_SRC_MASK] && + headers[SADB_X_EXT_DST_MASK])) { + rval = EINVAL; + goto ret; + } - sa2 = gettdb(ssa->sadb_sa_spi, sunionp, - SADB_X_GETSPROTO(smsg->sadb_msg_satype)); + s = spltdb(); - /* We can't add an existing SA! */ - if (sa2 != NULL) - { - rval = EEXIST; - goto splxret; - } + sa2 = gettdb(ssa->sadb_sa_spi, sunionp, + SADB_X_GETSPROTO(smsg->sadb_msg_satype)); - /* We can only add "mature" SAs */ - if (ssa->sadb_sa_state != SADB_SASTATE_MATURE) - { - rval = EINVAL; - goto splxret; - } - - /* Allocate and initialize new TDB */ - freeme = tdb_alloc(); - - { - struct tdb *newsa = (struct tdb *) freeme; - struct ipsecinit ii; - int alg; - - bzero(&ii, sizeof(struct ipsecinit)); - - newsa->tdb_satype = smsg->sadb_msg_satype; - if ((rval = pfkeyv2_get_proto_alg(newsa->tdb_satype, - &newsa->tdb_sproto, &alg))) - goto splxret; - - import_sa(newsa, headers[SADB_EXT_SA], &ii); - import_address((struct sockaddr *) &newsa->tdb_src, - headers[SADB_EXT_ADDRESS_SRC]); - import_address((struct sockaddr *) &newsa->tdb_dst, - headers[SADB_EXT_ADDRESS_DST]); - import_address((struct sockaddr *) &newsa->tdb_proxy, - headers[SADB_EXT_ADDRESS_PROXY]); - - import_lifetime(newsa, headers[SADB_EXT_LIFETIME_CURRENT], - PFKEYV2_LIFETIME_CURRENT); - import_lifetime(newsa, headers[SADB_EXT_LIFETIME_SOFT], - PFKEYV2_LIFETIME_SOFT); - import_lifetime(newsa, headers[SADB_EXT_LIFETIME_HARD], - PFKEYV2_LIFETIME_HARD); - - import_key(&ii, headers[SADB_EXT_KEY_AUTH], - PFKEYV2_AUTHENTICATION_KEY); - import_key(&ii, headers[SADB_EXT_KEY_ENCRYPT], - PFKEYV2_ENCRYPTION_KEY); - - import_identity(newsa, headers[SADB_EXT_IDENTITY_SRC], - PFKEYV2_IDENTITY_SRC); - import_identity(newsa, headers[SADB_EXT_IDENTITY_DST], - PFKEYV2_IDENTITY_DST); - - import_credentials(newsa, - headers[SADB_X_EXT_LOCAL_CREDENTIALS], - PFKEYV2_CRED_LOCAL); - import_credentials(newsa, - headers[SADB_X_EXT_REMOTE_CREDENTIALS], - PFKEYV2_CRED_REMOTE); - import_auth(newsa, headers[SADB_X_EXT_LOCAL_AUTH], - PFKEYV2_AUTH_LOCAL); - import_auth(newsa, headers[SADB_X_EXT_REMOTE_AUTH], - PFKEYV2_AUTH_REMOTE); - import_flow(&newsa->tdb_filter, &newsa->tdb_filtermask, - headers[SADB_X_EXT_SRC_FLOW], headers[SADB_X_EXT_SRC_MASK], - headers[SADB_X_EXT_DST_FLOW], headers[SADB_X_EXT_DST_MASK], - headers[SADB_X_EXT_PROTOCOL], - headers[SADB_X_EXT_FLOW_TYPE]); + /* We can't add an existing SA! */ + if (sa2 != NULL) { + rval = EEXIST; + goto splxret; + } - headers[SADB_EXT_KEY_AUTH] = NULL; - headers[SADB_EXT_KEY_ENCRYPT] = NULL; - headers[SADB_X_EXT_LOCAL_AUTH] = NULL; + /* We can only add "mature" SAs */ + if (ssa->sadb_sa_state != SADB_SASTATE_MATURE) { + rval = EINVAL; + goto splxret; + } - newsa->tdb_seq = smsg->sadb_msg_seq; + /* Allocate and initialize new TDB */ + freeme = tdb_alloc(); - rval = tdb_init(newsa, alg, &ii); - if (rval) { - rval = EINVAL; - tdb_delete(freeme); - freeme = NULL; - goto splxret; + struct tdb *newsa = (struct tdb *) freeme; + struct ipsecinit ii; + int alg; + + bzero(&ii, sizeof(struct ipsecinit)); + + newsa->tdb_satype = smsg->sadb_msg_satype; + if ((rval = pfkeyv2_get_proto_alg(newsa->tdb_satype, + &newsa->tdb_sproto, &alg))) + goto splxret; + + import_sa(newsa, headers[SADB_EXT_SA], &ii); + import_address((struct sockaddr *) &newsa->tdb_src, + headers[SADB_EXT_ADDRESS_SRC]); + import_address((struct sockaddr *) &newsa->tdb_dst, + headers[SADB_EXT_ADDRESS_DST]); + import_address((struct sockaddr *) &newsa->tdb_proxy, + headers[SADB_EXT_ADDRESS_PROXY]); + + import_lifetime(newsa, + headers[SADB_EXT_LIFETIME_CURRENT], + PFKEYV2_LIFETIME_CURRENT); + import_lifetime(newsa, headers[SADB_EXT_LIFETIME_SOFT], + PFKEYV2_LIFETIME_SOFT); + import_lifetime(newsa, headers[SADB_EXT_LIFETIME_HARD], + PFKEYV2_LIFETIME_HARD); + + import_key(&ii, headers[SADB_EXT_KEY_AUTH], + PFKEYV2_AUTHENTICATION_KEY); + import_key(&ii, headers[SADB_EXT_KEY_ENCRYPT], + PFKEYV2_ENCRYPTION_KEY); + + import_identity(newsa, headers[SADB_EXT_IDENTITY_SRC], + PFKEYV2_IDENTITY_SRC); + import_identity(newsa, headers[SADB_EXT_IDENTITY_DST], + PFKEYV2_IDENTITY_DST); + + import_credentials(newsa, + headers[SADB_X_EXT_LOCAL_CREDENTIALS], + PFKEYV2_CRED_LOCAL); + import_credentials(newsa, + headers[SADB_X_EXT_REMOTE_CREDENTIALS], + PFKEYV2_CRED_REMOTE); + import_auth(newsa, headers[SADB_X_EXT_LOCAL_AUTH], + PFKEYV2_AUTH_LOCAL); + import_auth(newsa, headers[SADB_X_EXT_REMOTE_AUTH], + PFKEYV2_AUTH_REMOTE); + import_flow(&newsa->tdb_filter, &newsa->tdb_filtermask, + headers[SADB_X_EXT_SRC_FLOW], + headers[SADB_X_EXT_SRC_MASK], + headers[SADB_X_EXT_DST_FLOW], + headers[SADB_X_EXT_DST_MASK], + headers[SADB_X_EXT_PROTOCOL], + headers[SADB_X_EXT_FLOW_TYPE]); + + headers[SADB_EXT_KEY_AUTH] = NULL; + headers[SADB_EXT_KEY_ENCRYPT] = NULL; + headers[SADB_X_EXT_LOCAL_AUTH] = NULL; + + newsa->tdb_seq = smsg->sadb_msg_seq; + + rval = tdb_init(newsa, alg, &ii); + if (rval) { + rval = EINVAL; + tdb_delete(freeme); + freeme = NULL; + goto splxret; + } } - } - /* Add TDB in table */ - puttdb((struct tdb *) freeme); + /* Add TDB in table */ + puttdb((struct tdb *) freeme); - splx(s); + splx(s); - freeme = NULL; - break; + freeme = NULL; + break; case SADB_DELETE: - ssa = (struct sadb_sa *) headers[SADB_EXT_SA]; - sunionp = (union sockaddr_union *) (headers[SADB_EXT_ADDRESS_DST] + - sizeof(struct sadb_address)); - s = spltdb(); - - sa2 = gettdb(ssa->sadb_sa_spi, sunionp, - SADB_X_GETSPROTO(smsg->sadb_msg_satype)); - if (sa2 == NULL) - { - rval = ESRCH; - goto splxret; - } + ssa = (struct sadb_sa *) headers[SADB_EXT_SA]; + sunionp = (union sockaddr_union *) (headers[SADB_EXT_ADDRESS_DST] + + sizeof(struct sadb_address)); + s = spltdb(); + + sa2 = gettdb(ssa->sadb_sa_spi, sunionp, + SADB_X_GETSPROTO(smsg->sadb_msg_satype)); + if (sa2 == NULL) { + rval = ESRCH; + goto splxret; + } - tdb_delete(sa2); + tdb_delete(sa2); - splx(s); + splx(s); - sa2 = NULL; - break; + sa2 = NULL; + break; case SADB_X_ASKPOLICY: - /* Get the relevant policy */ - ipa = ipsec_get_acquire(((struct sadb_x_policy *) headers[SADB_X_EXT_POLICY])->sadb_x_policy_seq); - if (ipa == NULL) - { - rval = ESRCH; - goto ret; - } + /* Get the relevant policy */ + ipa = ipsec_get_acquire(((struct sadb_x_policy *) headers[SADB_X_EXT_POLICY])->sadb_x_policy_seq); + if (ipa == NULL) { + rval = ESRCH; + goto ret; + } - rval = pfkeyv2_policy(ipa, headers, &freeme); - if (rval) - mode = PFKEYV2_SENDMESSAGE_UNICAST; + rval = pfkeyv2_policy(ipa, headers, &freeme); + if (rval) + mode = PFKEYV2_SENDMESSAGE_UNICAST; - break; + break; case SADB_GET: - ssa = (struct sadb_sa *) headers[SADB_EXT_SA]; - sunionp = (union sockaddr_union *) (headers[SADB_EXT_ADDRESS_DST] + - sizeof(struct sadb_address)); - s = spltdb(); - - sa2 = gettdb(ssa->sadb_sa_spi, sunionp, - SADB_X_GETSPROTO(smsg->sadb_msg_satype)); - if (sa2 == NULL) - { - rval = ESRCH; - goto splxret; - } + ssa = (struct sadb_sa *) headers[SADB_EXT_SA]; + sunionp = (union sockaddr_union *) (headers[SADB_EXT_ADDRESS_DST] + + sizeof(struct sadb_address)); + s = spltdb(); + + sa2 = gettdb(ssa->sadb_sa_spi, sunionp, + SADB_X_GETSPROTO(smsg->sadb_msg_satype)); + if (sa2 == NULL) { + rval = ESRCH; + goto splxret; + } - rval = pfkeyv2_get(sa2, headers, &freeme); - if (rval) - mode = PFKEYV2_SENDMESSAGE_UNICAST; + rval = pfkeyv2_get(sa2, headers, &freeme); + if (rval) + mode = PFKEYV2_SENDMESSAGE_UNICAST; - splx(s); + splx(s); - break; + break; case SADB_REGISTER: - pfkeyv2_socket->flags |= PFKEYV2_SOCKETFLAGS_REGISTERED; - nregistered++; + pfkeyv2_socket->flags |= PFKEYV2_SOCKETFLAGS_REGISTERED; + nregistered++; - i = sizeof(struct sadb_supported) + sizeof(ealgs); + i = sizeof(struct sadb_supported) + sizeof(ealgs); - if (!(freeme = malloc(i, M_PFKEY, M_DONTWAIT))) - { - rval = ENOMEM; - goto ret; - } + if (!(freeme = malloc(i, M_PFKEY, M_DONTWAIT))) { + rval = ENOMEM; + goto ret; + } - bzero(freeme, i); + bzero(freeme, i); - ssup = (struct sadb_supported *) freeme; - ssup->sadb_supported_len = i / sizeof(uint64_t); + ssup = (struct sadb_supported *) freeme; + ssup->sadb_supported_len = i / sizeof(uint64_t); - { - void *p = freeme + sizeof(struct sadb_supported); + { + void *p = freeme + sizeof(struct sadb_supported); - bcopy(&ealgs[0], p, sizeof(ealgs)); - } + bcopy(&ealgs[0], p, sizeof(ealgs)); + } - headers[SADB_EXT_SUPPORTED_ENCRYPT] = freeme; + headers[SADB_EXT_SUPPORTED_ENCRYPT] = freeme; - i = sizeof(struct sadb_supported) + sizeof(aalgs); + i = sizeof(struct sadb_supported) + sizeof(aalgs); - if (!(freeme = malloc(i, M_PFKEY, M_DONTWAIT))) - { - rval = ENOMEM; - goto ret; - } + if (!(freeme = malloc(i, M_PFKEY, M_DONTWAIT))) { + rval = ENOMEM; + goto ret; + } - /* Keep track what this socket has registered for */ - pfkeyv2_socket->registration |= (1 << ((struct sadb_msg *)message)->sadb_msg_satype); + /* Keep track what this socket has registered for */ + pfkeyv2_socket->registration |= (1 << ((struct sadb_msg *)message)->sadb_msg_satype); - bzero(freeme, i); + bzero(freeme, i); - ssup = (struct sadb_supported *) freeme; - ssup->sadb_supported_len = i / sizeof(uint64_t); + ssup = (struct sadb_supported *) freeme; + ssup->sadb_supported_len = i / sizeof(uint64_t); - { - void *p = freeme + sizeof(struct sadb_supported); + { + void *p = freeme + sizeof(struct sadb_supported); - bcopy(&aalgs[0], p, sizeof(aalgs)); - } + bcopy(&aalgs[0], p, sizeof(aalgs)); + } - headers[SADB_EXT_SUPPORTED_AUTH] = freeme; + headers[SADB_EXT_SUPPORTED_AUTH] = freeme; - i = sizeof(struct sadb_supported) + sizeof(calgs); + i = sizeof(struct sadb_supported) + sizeof(calgs); - if (!(freeme = malloc(i, M_PFKEY, M_DONTWAIT))) - { - rval = ENOMEM; - goto ret; - } + if (!(freeme = malloc(i, M_PFKEY, M_DONTWAIT))) { + rval = ENOMEM; + goto ret; + } - bzero(freeme, i); + bzero(freeme, i); - ssup = (struct sadb_supported *) freeme; - ssup->sadb_supported_len = i / sizeof(uint64_t); + ssup = (struct sadb_supported *) freeme; + ssup->sadb_supported_len = i / sizeof(uint64_t); - { - void *p = freeme + sizeof(struct sadb_supported); + { + void *p = freeme + sizeof(struct sadb_supported); - bcopy(&calgs[0], p, sizeof(calgs)); - } + bcopy(&calgs[0], p, sizeof(calgs)); + } - headers[SADB_X_EXT_SUPPORTED_COMP] = freeme; + headers[SADB_X_EXT_SUPPORTED_COMP] = freeme; - break; + break; case SADB_ACQUIRE: case SADB_EXPIRE: - /* Nothing to handle */ - rval = 0; - break; + /* Nothing to handle */ + rval = 0; + break; case SADB_FLUSH: - rval = 0; + rval = 0; - switch(smsg->sadb_msg_satype) - { + switch(smsg->sadb_msg_satype) { case SADB_SATYPE_UNSPEC: - s = spltdb(); - - /* - * Go through the list of policies, delete those that - * are not socket-attached. - */ - for (ipo = TAILQ_FIRST(&ipsec_policy_head); - ipo != NULL; - ipo = tmpipo) - { - tmpipo = TAILQ_NEXT(ipo, ipo_list); - if (!(ipo->ipo_flags & IPSP_POLICY_SOCKET)) - ipsec_delete_policy(ipo); - } - splx(s); - /* Fall through */ + s = spltdb(); + + /* + * Go through the list of policies, delete those that + * are not socket-attached. + */ + for (ipo = TAILQ_FIRST(&ipsec_policy_head); + ipo != NULL; ipo = tmpipo) { + tmpipo = TAILQ_NEXT(ipo, ipo_list); + if (!(ipo->ipo_flags & IPSP_POLICY_SOCKET)) + ipsec_delete_policy(ipo); + } + splx(s); + /* Fall through */ case SADB_SATYPE_AH: case SADB_SATYPE_ESP: case SADB_X_SATYPE_IPIP: @@ -1344,467 +1288,441 @@ pfkeyv2_send(struct socket *socket, void *message, int len) #ifdef TCP_SIGNATURE case SADB_X_SATYPE_TCPSIGNATURE: #endif /* TCP_SIGNATURE */ - s = spltdb(); + s = spltdb(); - tdb_walk(pfkeyv2_flush_walker, - (u_int8_t *) &(smsg->sadb_msg_satype)); + tdb_walk(pfkeyv2_flush_walker, + (u_int8_t *) &(smsg->sadb_msg_satype)); - splx(s); - break; + splx(s); + break; default: - rval = EINVAL; /* Unknown/unsupported type */ - } + rval = EINVAL; /* Unknown/unsupported type */ + } - break; + break; case SADB_DUMP: { - struct dump_state dump_state; - dump_state.sadb_msg = (struct sadb_msg *) headers[0]; - dump_state.socket = socket; + struct dump_state dump_state; + dump_state.sadb_msg = (struct sadb_msg *) headers[0]; + dump_state.socket = socket; - if (!(rval = tdb_walk(pfkeyv2_dump_walker, &dump_state))) - goto realret; + if (!(rval = tdb_walk(pfkeyv2_dump_walker, &dump_state))) + goto realret; - if ((rval == ENOMEM) || (rval == ENOBUFS)) - rval = 0; + if ((rval == ENOMEM) || (rval == ENOBUFS)) + rval = 0; } - - break; + break; case SADB_X_GRPSPIS: { - struct tdb *tdb1, *tdb2, *tdb3; - struct sadb_protocol *sa_proto; + struct tdb *tdb1, *tdb2, *tdb3; + struct sadb_protocol *sa_proto; - ssa = (struct sadb_sa *) headers[SADB_EXT_SA]; - sunionp = (union sockaddr_union *) (headers[SADB_EXT_ADDRESS_DST] + - sizeof(struct sadb_address)); + ssa = (struct sadb_sa *) headers[SADB_EXT_SA]; + sunionp = (union sockaddr_union *) (headers[SADB_EXT_ADDRESS_DST] + + sizeof(struct sadb_address)); - s = spltdb(); + s = spltdb(); - tdb1 = gettdb(ssa->sadb_sa_spi, sunionp, - SADB_X_GETSPROTO(smsg->sadb_msg_satype)); - if (tdb1 == NULL) - { - rval = ESRCH; - goto splxret; - } - - ssa = (struct sadb_sa *) headers[SADB_X_EXT_SA2]; - sunionp = (union sockaddr_union *) (headers[SADB_X_EXT_DST2] + - sizeof(struct sadb_address)); - sa_proto = ((struct sadb_protocol *) headers[SADB_X_EXT_PROTOCOL]); - - tdb2 = gettdb(ssa->sadb_sa_spi, sunionp, - SADB_X_GETSPROTO(sa_proto->sadb_protocol_proto)); - if (tdb2 == NULL) - { - rval = ESRCH; - goto splxret; - } - - /* Detect cycles */ - for (tdb3 = tdb2; tdb3; tdb3 = tdb3->tdb_onext) - if (tdb3 == tdb1) - { - rval = ESRCH; - goto splxret; - } - - /* Maintenance */ - if ((tdb1->tdb_onext) && - (tdb1->tdb_onext->tdb_inext == tdb1)) - tdb1->tdb_onext->tdb_inext = NULL; - - if ((tdb2->tdb_inext) && - (tdb2->tdb_inext->tdb_onext == tdb2)) - tdb2->tdb_inext->tdb_onext = NULL; - - /* Link them */ - tdb1->tdb_onext = tdb2; - tdb2->tdb_inext = tdb1; - - splx(s); + tdb1 = gettdb(ssa->sadb_sa_spi, sunionp, + SADB_X_GETSPROTO(smsg->sadb_msg_satype)); + if (tdb1 == NULL) { + rval = ESRCH; + goto splxret; + } + + ssa = (struct sadb_sa *) headers[SADB_X_EXT_SA2]; + sunionp = (union sockaddr_union *) (headers[SADB_X_EXT_DST2] + + sizeof(struct sadb_address)); + sa_proto = ((struct sadb_protocol *) headers[SADB_X_EXT_PROTOCOL]); + + tdb2 = gettdb(ssa->sadb_sa_spi, sunionp, + SADB_X_GETSPROTO(sa_proto->sadb_protocol_proto)); + if (tdb2 == NULL) { + rval = ESRCH; + goto splxret; + } + + /* Detect cycles */ + for (tdb3 = tdb2; tdb3; tdb3 = tdb3->tdb_onext) + if (tdb3 == tdb1) { + rval = ESRCH; + goto splxret; + } + + /* Maintenance */ + if ((tdb1->tdb_onext) && + (tdb1->tdb_onext->tdb_inext == tdb1)) + tdb1->tdb_onext->tdb_inext = NULL; + + if ((tdb2->tdb_inext) && + (tdb2->tdb_inext->tdb_onext == tdb2)) + tdb2->tdb_inext->tdb_onext = NULL; + + /* Link them */ + tdb1->tdb_onext = tdb2; + tdb2->tdb_inext = tdb1; + + splx(s); } - break; + break; case SADB_X_DELFLOW: - delflag = 1; /* fall through */ - + delflag = 1; + /*FALLTHROUGH*/ case SADB_X_ADDFLOW: { - struct sadb_protocol *sab; - union sockaddr_union *ssrc; - struct route_enc re; - int exists = 0; + struct sadb_protocol *sab; + union sockaddr_union *ssrc; + struct route_enc re; + int exists = 0; - sab = (struct sadb_protocol *) headers[SADB_X_EXT_FLOW_TYPE]; + sab = (struct sadb_protocol *) headers[SADB_X_EXT_FLOW_TYPE]; - if ((sab->sadb_protocol_direction != IPSP_DIRECTION_IN) && - (sab->sadb_protocol_direction != IPSP_DIRECTION_OUT)) - { - rval = EINVAL; - goto ret; - } - - /* If the security protocol wasn't specified, pretend it was ESP */ - if (smsg->sadb_msg_satype == 0) - smsg->sadb_msg_satype = SADB_SATYPE_ESP; - - if (headers[SADB_EXT_ADDRESS_DST]) - sunionp = (union sockaddr_union *) - (headers[SADB_EXT_ADDRESS_DST] + - sizeof(struct sadb_address)); - else - sunionp = NULL; - - if (headers[SADB_EXT_ADDRESS_SRC]) - ssrc = (union sockaddr_union *) - (headers[SADB_EXT_ADDRESS_SRC] + - sizeof(struct sadb_address)); - else - ssrc = NULL; - - import_flow(&encapdst, &encapnetmask, - headers[SADB_X_EXT_SRC_FLOW], headers[SADB_X_EXT_SRC_MASK], - headers[SADB_X_EXT_DST_FLOW], headers[SADB_X_EXT_DST_MASK], - headers[SADB_X_EXT_PROTOCOL], headers[SADB_X_EXT_FLOW_TYPE]); - - /* Determine whether the exact same SPD entry already exists. */ - bzero(&encapgw, sizeof(struct sockaddr_encap)); - bzero(&re, sizeof(struct route_enc)); - bcopy(&encapdst, &re.re_dst, sizeof(struct sockaddr_encap)); - - s = spltdb(); - - rtalloc((struct route *) &re); - if (re.re_rt != NULL) - { - ipo = ((struct sockaddr_encap *) re.re_rt->rt_gateway)->sen_ipsp; - RTFREE(re.re_rt); - - /* Verify that the entry is identical */ - if (bcmp(&ipo->ipo_addr, &encapdst, - sizeof(struct sockaddr_encap)) || - bcmp(&ipo->ipo_mask, &encapnetmask, - sizeof(struct sockaddr_encap))) - ipo = NULL; /* Fall through */ + if ((sab->sadb_protocol_direction != IPSP_DIRECTION_IN) && + (sab->sadb_protocol_direction != IPSP_DIRECTION_OUT)) { + rval = EINVAL; + goto ret; + } + + /* If the security protocol wasn't specified, pretend it was ESP */ + if (smsg->sadb_msg_satype == 0) + smsg->sadb_msg_satype = SADB_SATYPE_ESP; + + if (headers[SADB_EXT_ADDRESS_DST]) + sunionp = (union sockaddr_union *) + (headers[SADB_EXT_ADDRESS_DST] + + sizeof(struct sadb_address)); else - exists = 1; - } - else - ipo = NULL; + sunionp = NULL; - /* - * If the existing policy is static, only delete or update - * it if the new one is also static. - */ - if (exists && (ipo->ipo_flags & IPSP_POLICY_STATIC)) - { - if (!(sab->sadb_protocol_flags & SADB_X_POLICYFLAGS_POLICY)) - { - splx(s); - goto ret; - } - } + if (headers[SADB_EXT_ADDRESS_SRC]) + ssrc = (union sockaddr_union *) + (headers[SADB_EXT_ADDRESS_SRC] + + sizeof(struct sadb_address)); + else + ssrc = NULL; - /* Delete ? */ - if (delflag) - { - if (exists) - { - rval = ipsec_delete_policy(ipo); - splx(s); - goto ret; - } + import_flow(&encapdst, &encapnetmask, + headers[SADB_X_EXT_SRC_FLOW], headers[SADB_X_EXT_SRC_MASK], + headers[SADB_X_EXT_DST_FLOW], headers[SADB_X_EXT_DST_MASK], + headers[SADB_X_EXT_PROTOCOL], headers[SADB_X_EXT_FLOW_TYPE]); + + /* Determine whether the exact same SPD entry already exists. */ + bzero(&encapgw, sizeof(struct sockaddr_encap)); + bzero(&re, sizeof(struct route_enc)); + bcopy(&encapdst, &re.re_dst, sizeof(struct sockaddr_encap)); + + s = spltdb(); + + rtalloc((struct route *) &re); + if (re.re_rt != NULL) { + ipo = ((struct sockaddr_encap *) re.re_rt->rt_gateway)->sen_ipsp; + RTFREE(re.re_rt); + + /* Verify that the entry is identical */ + if (bcmp(&ipo->ipo_addr, &encapdst, + sizeof(struct sockaddr_encap)) || + bcmp(&ipo->ipo_mask, &encapnetmask, + sizeof(struct sockaddr_encap))) + ipo = NULL; /* Fall through */ + else + exists = 1; + } else + ipo = NULL; - /* If we were asked to delete something non-existant, error. */ - splx(s); - rval = ESRCH; - break; - } + /* + * If the existing policy is static, only delete or update + * it if the new one is also static. + */ + if (exists && (ipo->ipo_flags & IPSP_POLICY_STATIC)) { + if (!(sab->sadb_protocol_flags & + SADB_X_POLICYFLAGS_POLICY)) { + splx(s); + goto ret; + } + } - if (!exists) - { - if (ipsec_policy_pool_initialized == 0) - { - ipsec_policy_pool_initialized = 1; - pool_init(&ipsec_policy_pool, sizeof(struct ipsec_policy), - 0, 0, 0, "ipsec policy", NULL); + /* Delete ? */ + if (delflag) { + if (exists) { + rval = ipsec_delete_policy(ipo); + splx(s); + goto ret; + } + + /* If we were asked to delete something non-existant, error. */ + splx(s); + rval = ESRCH; + break; } - /* Allocate policy entry */ - ipo = pool_get(&ipsec_policy_pool, 0); - if (ipo == NULL) - { - splx(s); - rval = ENOMEM; - goto ret; + if (!exists) { + if (ipsec_policy_pool_initialized == 0) { + ipsec_policy_pool_initialized = 1; + pool_init(&ipsec_policy_pool, + sizeof(struct ipsec_policy), 0, 0, 0, + "ipsec policy", NULL); + } + + /* Allocate policy entry */ + ipo = pool_get(&ipsec_policy_pool, 0); + if (ipo == NULL) { + splx(s); + rval = ENOMEM; + goto ret; + } + + bzero(ipo, sizeof(struct ipsec_policy)); + ipo->ipo_ref_count = 1; + TAILQ_INIT(&ipo->ipo_acquires); + + /* Finish initialization of SPD entry */ + encapgw.sen_len = SENT_LEN; + encapgw.sen_family = PF_KEY; + encapgw.sen_type = SENT_IPSP; + encapgw.sen_ipsp = ipo; + + /* Initialize policy entry */ + bcopy(&encapdst, &ipo->ipo_addr, + sizeof(struct sockaddr_encap)); + bcopy(&encapnetmask, &ipo->ipo_mask, + sizeof(struct sockaddr_encap)); } - bzero(ipo, sizeof(struct ipsec_policy)); - ipo->ipo_ref_count = 1; - TAILQ_INIT(&ipo->ipo_acquires); - - /* Finish initialization of SPD entry */ - encapgw.sen_len = SENT_LEN; - encapgw.sen_family = PF_KEY; - encapgw.sen_type = SENT_IPSP; - encapgw.sen_ipsp = ipo; - - /* Initialize policy entry */ - bcopy(&encapdst, &ipo->ipo_addr, - sizeof(struct sockaddr_encap)); - bcopy(&encapnetmask, &ipo->ipo_mask, - sizeof(struct sockaddr_encap)); - } - - switch (((struct sadb_protocol *) headers[SADB_X_EXT_FLOW_TYPE])->sadb_protocol_proto) - { + switch (((struct sadb_protocol *) headers[SADB_X_EXT_FLOW_TYPE])->sadb_protocol_proto) { case SADB_X_FLOW_TYPE_USE: - ipo->ipo_type = IPSP_IPSEC_USE; - break; + ipo->ipo_type = IPSP_IPSEC_USE; + break; case SADB_X_FLOW_TYPE_ACQUIRE: - ipo->ipo_type = IPSP_IPSEC_ACQUIRE; - break; + ipo->ipo_type = IPSP_IPSEC_ACQUIRE; + break; case SADB_X_FLOW_TYPE_REQUIRE: - ipo->ipo_type = IPSP_IPSEC_REQUIRE; - break; + ipo->ipo_type = IPSP_IPSEC_REQUIRE; + break; case SADB_X_FLOW_TYPE_DENY: - ipo->ipo_type = IPSP_DENY; - break; + ipo->ipo_type = IPSP_DENY; + break; case SADB_X_FLOW_TYPE_BYPASS: - ipo->ipo_type = IPSP_PERMIT; - break; + ipo->ipo_type = IPSP_PERMIT; + break; case SADB_X_FLOW_TYPE_DONTACQ: - ipo->ipo_type = IPSP_IPSEC_DONTACQ; - break; + ipo->ipo_type = IPSP_IPSEC_DONTACQ; + break; default: - if (!exists) - pool_put(&ipsec_policy_pool, ipo); - else - ipsec_delete_policy(ipo); - - splx(s); - rval = EINVAL; - goto ret; - } - - if (sab->sadb_protocol_flags & SADB_X_POLICYFLAGS_POLICY) - ipo->ipo_flags |= IPSP_POLICY_STATIC; - - if (sunionp) - bcopy(sunionp, &ipo->ipo_dst, sizeof(union sockaddr_union)); - else - bzero(&ipo->ipo_dst, sizeof(union sockaddr_union)); - - if (ssrc) - bcopy(ssrc, &ipo->ipo_src, sizeof(union sockaddr_union)); - else - bzero(&ipo->ipo_src, sizeof(union sockaddr_union)); - - ipo->ipo_sproto = SADB_X_GETSPROTO(smsg->sadb_msg_satype); - - if (ipo->ipo_srcid) - { - ipsp_reffree(ipo->ipo_srcid); - ipo->ipo_srcid = NULL; - } - - if (ipo->ipo_dstid) - { - ipsp_reffree(ipo->ipo_dstid); - ipo->ipo_dstid = NULL; - } - - if ((sid = headers[SADB_EXT_IDENTITY_SRC]) != NULL) - { - int clen = (sid->sadb_ident_len * sizeof(u_int64_t)) - - sizeof(struct sadb_ident); - - MALLOC(ipo->ipo_srcid, struct ipsec_ref *, clen + - sizeof(struct ipsec_ref), M_CREDENTIALS, M_DONTWAIT); - if (ipo->ipo_srcid == NULL) - { - if (exists) - ipsec_delete_policy(ipo); - else - pool_put(&ipsec_policy_pool, ipo); - splx(s); - rval = ENOBUFS; - goto ret; + if (!exists) + pool_put(&ipsec_policy_pool, ipo); + else + ipsec_delete_policy(ipo); + + splx(s); + rval = EINVAL; + goto ret; } - ipo->ipo_srcid->ref_type = sid->sadb_ident_type; - ipo->ipo_srcid->ref_len = clen; - ipo->ipo_srcid->ref_count = 1; - ipo->ipo_srcid->ref_malloctype = M_CREDENTIALS; - bcopy(sid + 1, ipo->ipo_srcid + 1, ipo->ipo_srcid->ref_len); - } - - if ((sid = headers[SADB_EXT_IDENTITY_DST]) != NULL) - { - int clen = (sid->sadb_ident_len * sizeof(u_int64_t)) - - sizeof(struct sadb_ident); - - MALLOC(ipo->ipo_dstid, struct ipsec_ref *, clen + - sizeof(struct ipsec_ref), M_CREDENTIALS, M_DONTWAIT); - if (ipo->ipo_dstid == NULL) - { - if (exists) - ipsec_delete_policy(ipo); - else - { - if (ipo->ipo_dstid) - ipsp_reffree(ipo->ipo_dstid); - pool_put(&ipsec_policy_pool, ipo); - } - splx(s); - rval = ENOBUFS; - goto ret; - } - ipo->ipo_dstid->ref_type = sid->sadb_ident_type; - ipo->ipo_dstid->ref_len = clen; - ipo->ipo_dstid->ref_count = 1; - ipo->ipo_dstid->ref_malloctype = M_CREDENTIALS; - bcopy(sid + 1, ipo->ipo_dstid + 1, ipo->ipo_dstid->ref_len); - } - - /* Flow type */ - if (!exists) - { - /* Add SPD entry */ - if ((rval = rtrequest(RTM_ADD, (struct sockaddr *) &encapdst, - (struct sockaddr *) &encapgw, - (struct sockaddr *) &encapnetmask, - RTF_UP | RTF_GATEWAY | RTF_STATIC, - (struct rtentry **) 0)) != 0) - { - /* Remove from linked list of policies on TDB */ - if (ipo->ipo_tdb) - TAILQ_REMOVE(&ipo->ipo_tdb->tdb_policy_head, ipo, - ipo_tdb_next); - - if (ipo->ipo_srcid) - ipsp_reffree(ipo->ipo_srcid); - if (ipo->ipo_dstid) - ipsp_reffree(ipo->ipo_dstid); - pool_put(&ipsec_policy_pool, ipo); - - splx(s); - goto ret; - } + if (sab->sadb_protocol_flags & SADB_X_POLICYFLAGS_POLICY) + ipo->ipo_flags |= IPSP_POLICY_STATIC; - TAILQ_INSERT_HEAD(&ipsec_policy_head, ipo, ipo_list); - ipsec_in_use++; - } - else - { - ipo->ipo_last_searched = ipo->ipo_flags = 0; - } + if (sunionp) + bcopy(sunionp, &ipo->ipo_dst, + sizeof(union sockaddr_union)); + else + bzero(&ipo->ipo_dst, sizeof(union sockaddr_union)); - splx(s); - } - break; + if (ssrc) + bcopy(ssrc, &ipo->ipo_src, + sizeof(union sockaddr_union)); + else + bzero(&ipo->ipo_src, sizeof(union sockaddr_union)); - case SADB_X_PROMISC: - if (len >= 2 * sizeof(struct sadb_msg)) - { - struct mbuf *packet; + ipo->ipo_sproto = SADB_X_GETSPROTO(smsg->sadb_msg_satype); - if ((rval = pfdatatopacket(message, len, &packet)) != 0) - goto ret; + if (ipo->ipo_srcid) { + ipsp_reffree(ipo->ipo_srcid); + ipo->ipo_srcid = NULL; + } - for (so = pfkeyv2_sockets; so; so = so->next) - if ((so != pfkeyv2_socket) && - (!smsg->sadb_msg_seq || - (smsg->sadb_msg_seq == pfkeyv2_socket->pid))) - pfkey_sendup(so->socket, packet, 1); + if (ipo->ipo_dstid) { + ipsp_reffree(ipo->ipo_dstid); + ipo->ipo_dstid = NULL; + } - m_freem(packet); - } - else - { - if (len != sizeof(struct sadb_msg)) - { - rval = EINVAL; - goto ret; + if ((sid = headers[SADB_EXT_IDENTITY_SRC]) != NULL) { + int clen = (sid->sadb_ident_len * sizeof(u_int64_t)) - + sizeof(struct sadb_ident); + + MALLOC(ipo->ipo_srcid, struct ipsec_ref *, clen + + sizeof(struct ipsec_ref), M_CREDENTIALS, M_DONTWAIT); + if (ipo->ipo_srcid == NULL) { + if (exists) + ipsec_delete_policy(ipo); + else + pool_put(&ipsec_policy_pool, ipo); + splx(s); + rval = ENOBUFS; + goto ret; + } + ipo->ipo_srcid->ref_type = sid->sadb_ident_type; + ipo->ipo_srcid->ref_len = clen; + ipo->ipo_srcid->ref_count = 1; + ipo->ipo_srcid->ref_malloctype = M_CREDENTIALS; + bcopy(sid + 1, ipo->ipo_srcid + 1, ipo->ipo_srcid->ref_len); } - i = (pfkeyv2_socket->flags & - PFKEYV2_SOCKETFLAGS_PROMISC) ? 1 : 0; - j = smsg->sadb_msg_satype ? 1 : 0; + if ((sid = headers[SADB_EXT_IDENTITY_DST]) != NULL) { + int clen = (sid->sadb_ident_len * sizeof(u_int64_t)) - + sizeof(struct sadb_ident); + + MALLOC(ipo->ipo_dstid, struct ipsec_ref *, + clen + sizeof(struct ipsec_ref), + M_CREDENTIALS, M_DONTWAIT); + if (ipo->ipo_dstid == NULL) { + if (exists) + ipsec_delete_policy(ipo); + else { + if (ipo->ipo_dstid) + ipsp_reffree(ipo->ipo_dstid); + pool_put(&ipsec_policy_pool, ipo); + } + + splx(s); + rval = ENOBUFS; + goto ret; + } + ipo->ipo_dstid->ref_type = sid->sadb_ident_type; + ipo->ipo_dstid->ref_len = clen; + ipo->ipo_dstid->ref_count = 1; + ipo->ipo_dstid->ref_malloctype = M_CREDENTIALS; + bcopy(sid + 1, ipo->ipo_dstid + 1, + ipo->ipo_dstid->ref_len); + } - if (i ^ j) - { - if (j) - { - pfkeyv2_socket->flags |= PFKEYV2_SOCKETFLAGS_PROMISC; - npromisc++; - } - else - { - pfkeyv2_socket->flags &= ~PFKEYV2_SOCKETFLAGS_PROMISC; - npromisc--; - } + /* Flow type */ + if (!exists) { + /* Add SPD entry */ + if ((rval = rtrequest(RTM_ADD, + (struct sockaddr *) &encapdst, + (struct sockaddr *) &encapgw, + (struct sockaddr *) &encapnetmask, + RTF_UP | RTF_GATEWAY | RTF_STATIC, + (struct rtentry **) 0)) != 0) { + /* Remove from linked list of policies on TDB */ + if (ipo->ipo_tdb) + TAILQ_REMOVE(&ipo->ipo_tdb->tdb_policy_head, + ipo, ipo_tdb_next); + + if (ipo->ipo_srcid) + ipsp_reffree(ipo->ipo_srcid); + if (ipo->ipo_dstid) + ipsp_reffree(ipo->ipo_dstid); + pool_put(&ipsec_policy_pool, ipo); + + splx(s); + goto ret; + } + + TAILQ_INSERT_HEAD(&ipsec_policy_head, ipo, ipo_list); + ipsec_in_use++; + } else { + ipo->ipo_last_searched = ipo->ipo_flags = 0; } - } - break; + splx(s); + } + break; + + case SADB_X_PROMISC: + if (len >= 2 * sizeof(struct sadb_msg)) { + struct mbuf *packet; + + if ((rval = pfdatatopacket(message, len, &packet)) != 0) + goto ret; + + for (so = pfkeyv2_sockets; so; so = so->next) + if ((so != pfkeyv2_socket) && + (!smsg->sadb_msg_seq || + (smsg->sadb_msg_seq == pfkeyv2_socket->pid))) + pfkey_sendup(so->socket, packet, 1); + + m_freem(packet); + } else { + if (len != sizeof(struct sadb_msg)) { + rval = EINVAL; + goto ret; + } + + i = (pfkeyv2_socket->flags & + PFKEYV2_SOCKETFLAGS_PROMISC) ? 1 : 0; + j = smsg->sadb_msg_satype ? 1 : 0; + + if (i ^ j) { + if (j) { + pfkeyv2_socket->flags |= + PFKEYV2_SOCKETFLAGS_PROMISC; + npromisc++; + } + } else { + pfkeyv2_socket->flags &= + ~PFKEYV2_SOCKETFLAGS_PROMISC; + npromisc--; + } + } + + + break; default: - rval = EINVAL; - goto ret; - } + rval = EINVAL; + goto ret; + } ret: - if (rval) - { - if ((rval == EINVAL) || (rval == ENOMEM) || (rval == ENOBUFS)) - goto realret; + if (rval) { + if ((rval == EINVAL) || (rval == ENOMEM) || (rval == ENOBUFS)) + goto realret; - for (i = 1; i <= SADB_EXT_MAX; i++) - headers[i] = NULL; + for (i = 1; i <= SADB_EXT_MAX; i++) + headers[i] = NULL; - smsg->sadb_msg_errno = abs(rval); - } - else - { - uint32_t seen = 0; + smsg->sadb_msg_errno = abs(rval); + } else { + uint32_t seen = 0; - for (i = 1; i <= SADB_EXT_MAX; i++) - if (headers[i]) - seen |= (1 << i); + for (i = 1; i <= SADB_EXT_MAX; i++) + if (headers[i]) + seen |= (1 << i); - if ((seen & sadb_exts_allowed_out[smsg->sadb_msg_type]) != seen) - goto realret; + if ((seen & sadb_exts_allowed_out[smsg->sadb_msg_type]) + != seen) + goto realret; - if ((seen & sadb_exts_required_out[smsg->sadb_msg_type]) != - sadb_exts_required_out[smsg->sadb_msg_type]) - goto realret; - } + if ((seen & sadb_exts_required_out[smsg->sadb_msg_type]) != + sadb_exts_required_out[smsg->sadb_msg_type]) + goto realret; + } - rval = pfkeyv2_sendmessage(headers, mode, socket, 0, 0); + rval = pfkeyv2_sendmessage(headers, mode, socket, 0, 0); realret: - if (freeme) - free(freeme, M_PFKEY); + if (freeme) + free(freeme, M_PFKEY); - free(message, M_PFKEY); + free(message, M_PFKEY); - return rval; + return (rval); splxret: - splx(s); - goto ret; + splx(s); + goto ret; } /* @@ -1815,289 +1733,253 @@ pfkeyv2_acquire(struct ipsec_policy *ipo, union sockaddr_union *gw, union sockaddr_union *laddr, u_int32_t *seq, struct sockaddr_encap *ddst) { - void *p, *headers[SADB_EXT_MAX + 1], *buffer = NULL; - struct sadb_ident *srcid, *dstid; - struct sadb_x_cred *lcred, *lauth; - struct sadb_comb *sadb_comb; - struct sadb_address *sadd; - struct sadb_prop *sa_prop; - struct sadb_msg *smsg; - int rval = 0; - int i, j; - - *seq = pfkeyv2_seq++; - - if (!nregistered) - { - rval = ESRCH; - goto ret; - } + void *p, *headers[SADB_EXT_MAX + 1], *buffer = NULL; + struct sadb_ident *srcid, *dstid; + struct sadb_x_cred *lcred, *lauth; + struct sadb_comb *sadb_comb; + struct sadb_address *sadd; + struct sadb_prop *sa_prop; + struct sadb_msg *smsg; + int rval = 0; + int i, j; + + *seq = pfkeyv2_seq++; + + if (!nregistered) { + rval = ESRCH; + goto ret; + } - /* How large a buffer do we need... XXX we only do one proposal for now */ - i = sizeof(struct sadb_msg) + - (laddr == NULL ? 0 : sizeof(struct sadb_address) + - PADUP(SA_LEN(&ipo->ipo_src.sa))) + - sizeof(struct sadb_address) + PADUP(SA_LEN(&gw->sa)) + - sizeof(struct sadb_prop) + 1 * sizeof(struct sadb_comb); + /* How large a buffer do we need... XXX we only do one proposal for now */ + i = sizeof(struct sadb_msg) + + (laddr == NULL ? 0 : sizeof(struct sadb_address) + + PADUP(SA_LEN(&ipo->ipo_src.sa))) + + sizeof(struct sadb_address) + PADUP(SA_LEN(&gw->sa)) + + sizeof(struct sadb_prop) + 1 * sizeof(struct sadb_comb); - if (ipo->ipo_srcid) - i += sizeof(struct sadb_ident) + PADUP(ipo->ipo_srcid->ref_len); + if (ipo->ipo_srcid) + i += sizeof(struct sadb_ident) + PADUP(ipo->ipo_srcid->ref_len); - if (ipo->ipo_dstid) - i += sizeof(struct sadb_ident) + PADUP(ipo->ipo_dstid->ref_len); + if (ipo->ipo_dstid) + i += sizeof(struct sadb_ident) + PADUP(ipo->ipo_dstid->ref_len); - /* Allocate */ - if (!(p = malloc(i, M_PFKEY, M_DONTWAIT))) - { - rval = ENOMEM; - goto ret; - } + /* Allocate */ + if (!(p = malloc(i, M_PFKEY, M_DONTWAIT))) { + rval = ENOMEM; + goto ret; + } - bzero(headers, sizeof(headers)); - - buffer = p; - bzero(p, i); - - headers[0] = p; - p += sizeof(struct sadb_msg); - - smsg = (struct sadb_msg *) headers[0]; - smsg->sadb_msg_version = PF_KEY_V2; - smsg->sadb_msg_type = SADB_ACQUIRE; - smsg->sadb_msg_len = i / sizeof(uint64_t); - smsg->sadb_msg_seq = *seq; - - if (ipo->ipo_sproto == IPPROTO_ESP) - smsg->sadb_msg_satype = SADB_SATYPE_ESP; - else if (ipo->ipo_sproto == IPPROTO_AH) - smsg->sadb_msg_satype = SADB_SATYPE_AH; - else if (ipo->ipo_sproto == IPPROTO_IPCOMP) - smsg->sadb_msg_satype = SADB_X_SATYPE_IPCOMP; - - if (laddr) - { - headers[SADB_EXT_ADDRESS_SRC] = p; - p += sizeof(struct sadb_address) + PADUP(SA_LEN(&laddr->sa)); - sadd = (struct sadb_address *) headers[SADB_EXT_ADDRESS_SRC]; - sadd->sadb_address_len = (sizeof(struct sadb_address) + - SA_LEN(&laddr->sa) + - sizeof(uint64_t) - 1) / sizeof(uint64_t); - bcopy(laddr, - headers[SADB_EXT_ADDRESS_SRC] + sizeof(struct sadb_address), - SA_LEN(&laddr->sa)); - } + bzero(headers, sizeof(headers)); - headers[SADB_EXT_ADDRESS_DST] = p; - p += sizeof(struct sadb_address) + PADUP(SA_LEN(&gw->sa)); - sadd = (struct sadb_address *) headers[SADB_EXT_ADDRESS_DST]; - sadd->sadb_address_len = (sizeof(struct sadb_address) + - SA_LEN(&gw->sa) + - sizeof(uint64_t) - 1) / sizeof(uint64_t); - bcopy(gw, headers[SADB_EXT_ADDRESS_DST] + sizeof(struct sadb_address), - SA_LEN(&gw->sa)); - - if (ipo->ipo_srcid) - { - headers[SADB_EXT_IDENTITY_SRC] = p; - p += sizeof(struct sadb_ident) + PADUP(ipo->ipo_srcid->ref_len); - srcid = (struct sadb_ident *) headers[SADB_EXT_IDENTITY_SRC]; - srcid->sadb_ident_len = (sizeof(struct sadb_ident) + - PADUP(ipo->ipo_srcid->ref_len)) / - sizeof(u_int64_t); - srcid->sadb_ident_type = ipo->ipo_srcid->ref_type; - bcopy(ipo->ipo_srcid + 1, headers[SADB_EXT_IDENTITY_SRC] + - sizeof(struct sadb_ident), ipo->ipo_srcid->ref_len); - } + buffer = p; + bzero(p, i); - if (ipo->ipo_dstid) - { - headers[SADB_EXT_IDENTITY_DST] = p; - p += sizeof(struct sadb_ident) + PADUP(ipo->ipo_dstid->ref_len); - dstid = (struct sadb_ident *) headers[SADB_EXT_IDENTITY_DST]; - dstid->sadb_ident_len = (sizeof(struct sadb_ident) + - PADUP(ipo->ipo_dstid->ref_len)) / - sizeof(u_int64_t); - dstid->sadb_ident_type = ipo->ipo_dstid->ref_type; - bcopy(ipo->ipo_dstid + 1, headers[SADB_EXT_IDENTITY_DST] + - sizeof(struct sadb_ident), ipo->ipo_dstid->ref_len); - } + headers[0] = p; + p += sizeof(struct sadb_msg); - if (ipo->ipo_local_cred) - { - headers[SADB_X_EXT_LOCAL_CREDENTIALS] = p; - p += sizeof(struct sadb_x_cred) + PADUP(ipo->ipo_local_cred->ref_len); - lcred = (struct sadb_x_cred *) headers[SADB_X_EXT_LOCAL_CREDENTIALS]; - lcred->sadb_x_cred_len = (sizeof(struct sadb_x_cred) + - PADUP(ipo->ipo_local_cred->ref_len)) / - sizeof(u_int64_t); - switch (ipo->ipo_local_cred->ref_type) - { - case IPSP_CRED_KEYNOTE: - lcred->sadb_x_cred_type = SADB_X_CREDTYPE_KEYNOTE; - break; - case IPSP_CRED_X509: - lcred->sadb_x_cred_type = SADB_X_CREDTYPE_X509; - break; + smsg = (struct sadb_msg *) headers[0]; + smsg->sadb_msg_version = PF_KEY_V2; + smsg->sadb_msg_type = SADB_ACQUIRE; + smsg->sadb_msg_len = i / sizeof(uint64_t); + smsg->sadb_msg_seq = *seq; + + if (ipo->ipo_sproto == IPPROTO_ESP) + smsg->sadb_msg_satype = SADB_SATYPE_ESP; + else if (ipo->ipo_sproto == IPPROTO_AH) + smsg->sadb_msg_satype = SADB_SATYPE_AH; + else if (ipo->ipo_sproto == IPPROTO_IPCOMP) + smsg->sadb_msg_satype = SADB_X_SATYPE_IPCOMP; + + if (laddr) { + headers[SADB_EXT_ADDRESS_SRC] = p; + p += sizeof(struct sadb_address) + PADUP(SA_LEN(&laddr->sa)); + sadd = (struct sadb_address *) headers[SADB_EXT_ADDRESS_SRC]; + sadd->sadb_address_len = (sizeof(struct sadb_address) + + SA_LEN(&laddr->sa) + sizeof(uint64_t) - 1) / + sizeof(uint64_t); + bcopy(laddr, headers[SADB_EXT_ADDRESS_SRC] + + sizeof(struct sadb_address), SA_LEN(&laddr->sa)); } - bcopy(ipo->ipo_local_cred + 1, headers[SADB_X_EXT_LOCAL_CREDENTIALS] + - sizeof(struct sadb_x_cred), ipo->ipo_local_cred->ref_len); - } - if (ipo->ipo_local_auth) - { - headers[SADB_X_EXT_LOCAL_AUTH] = p; - p += sizeof(struct sadb_x_cred) + PADUP(ipo->ipo_local_auth->ref_len); - lauth = (struct sadb_x_cred *) headers[SADB_X_EXT_LOCAL_AUTH]; - lauth->sadb_x_cred_len = (sizeof(struct sadb_x_cred) + - PADUP(ipo->ipo_local_auth->ref_len)) / - sizeof(u_int64_t); - switch (ipo->ipo_local_auth->ref_type) - { - case IPSP_AUTH_PASSPHRASE: - lauth->sadb_x_cred_type = SADB_X_AUTHTYPE_PASSPHRASE; - break; - case IPSP_AUTH_RSA: - lauth->sadb_x_cred_type = SADB_X_AUTHTYPE_RSA; - break; + headers[SADB_EXT_ADDRESS_DST] = p; + p += sizeof(struct sadb_address) + PADUP(SA_LEN(&gw->sa)); + sadd = (struct sadb_address *) headers[SADB_EXT_ADDRESS_DST]; + sadd->sadb_address_len = (sizeof(struct sadb_address) + + SA_LEN(&gw->sa) + sizeof(uint64_t) - 1) / sizeof(uint64_t); + bcopy(gw, headers[SADB_EXT_ADDRESS_DST] + sizeof(struct sadb_address), + SA_LEN(&gw->sa)); + + if (ipo->ipo_srcid) { + headers[SADB_EXT_IDENTITY_SRC] = p; + p += sizeof(struct sadb_ident) + PADUP(ipo->ipo_srcid->ref_len); + srcid = (struct sadb_ident *) headers[SADB_EXT_IDENTITY_SRC]; + srcid->sadb_ident_len = (sizeof(struct sadb_ident) + + PADUP(ipo->ipo_srcid->ref_len)) / sizeof(u_int64_t); + srcid->sadb_ident_type = ipo->ipo_srcid->ref_type; + bcopy(ipo->ipo_srcid + 1, headers[SADB_EXT_IDENTITY_SRC] + + sizeof(struct sadb_ident), ipo->ipo_srcid->ref_len); } - bcopy(ipo->ipo_local_auth + 1, headers[SADB_X_EXT_LOCAL_AUTH] + - sizeof(struct sadb_x_cred), ipo->ipo_local_auth->ref_len); - } + if (ipo->ipo_dstid) { + headers[SADB_EXT_IDENTITY_DST] = p; + p += sizeof(struct sadb_ident) + PADUP(ipo->ipo_dstid->ref_len); + dstid = (struct sadb_ident *) headers[SADB_EXT_IDENTITY_DST]; + dstid->sadb_ident_len = (sizeof(struct sadb_ident) + + PADUP(ipo->ipo_dstid->ref_len)) / sizeof(u_int64_t); + dstid->sadb_ident_type = ipo->ipo_dstid->ref_type; + bcopy(ipo->ipo_dstid + 1, headers[SADB_EXT_IDENTITY_DST] + + sizeof(struct sadb_ident), ipo->ipo_dstid->ref_len); + } - headers[SADB_EXT_PROPOSAL] = p; - p += sizeof(struct sadb_prop); - sa_prop = (struct sadb_prop *) headers[SADB_EXT_PROPOSAL]; - sa_prop->sadb_prop_num = 1; /* XXX One proposal only */ - sa_prop->sadb_prop_len = (sizeof(struct sadb_prop) + - (sizeof(struct sadb_comb) * - sa_prop->sadb_prop_num)) / sizeof(uint64_t); + if (ipo->ipo_local_cred) { + headers[SADB_X_EXT_LOCAL_CREDENTIALS] = p; + p += sizeof(struct sadb_x_cred) + PADUP(ipo->ipo_local_cred->ref_len); + lcred = (struct sadb_x_cred *) headers[SADB_X_EXT_LOCAL_CREDENTIALS]; + lcred->sadb_x_cred_len = (sizeof(struct sadb_x_cred) + + PADUP(ipo->ipo_local_cred->ref_len)) / sizeof(u_int64_t); + switch (ipo->ipo_local_cred->ref_type) { + case IPSP_CRED_KEYNOTE: + lcred->sadb_x_cred_type = SADB_X_CREDTYPE_KEYNOTE; + break; + case IPSP_CRED_X509: + lcred->sadb_x_cred_type = SADB_X_CREDTYPE_X509; + break; + } + bcopy(ipo->ipo_local_cred + 1, headers[SADB_X_EXT_LOCAL_CREDENTIALS] + + sizeof(struct sadb_x_cred), ipo->ipo_local_cred->ref_len); + } - sadb_comb = p; + if (ipo->ipo_local_auth) { + headers[SADB_X_EXT_LOCAL_AUTH] = p; + p += sizeof(struct sadb_x_cred) + PADUP(ipo->ipo_local_auth->ref_len); + lauth = (struct sadb_x_cred *) headers[SADB_X_EXT_LOCAL_AUTH]; + lauth->sadb_x_cred_len = (sizeof(struct sadb_x_cred) + + PADUP(ipo->ipo_local_auth->ref_len)) / sizeof(u_int64_t); + switch (ipo->ipo_local_auth->ref_type) { + case IPSP_AUTH_PASSPHRASE: + lauth->sadb_x_cred_type = SADB_X_AUTHTYPE_PASSPHRASE; + break; + case IPSP_AUTH_RSA: + lauth->sadb_x_cred_type = SADB_X_AUTHTYPE_RSA; + break; + } - /* XXX Should actually ask the crypto layer what's supported */ - for (j = 0; j < sa_prop->sadb_prop_num; j++) - { - sadb_comb->sadb_comb_flags = 0; + bcopy(ipo->ipo_local_auth + 1, headers[SADB_X_EXT_LOCAL_AUTH] + + sizeof(struct sadb_x_cred), ipo->ipo_local_auth->ref_len); + } - if (ipsec_require_pfs) - sadb_comb->sadb_comb_flags |= SADB_SAFLAGS_PFS; + headers[SADB_EXT_PROPOSAL] = p; + p += sizeof(struct sadb_prop); + sa_prop = (struct sadb_prop *) headers[SADB_EXT_PROPOSAL]; + sa_prop->sadb_prop_num = 1; /* XXX One proposal only */ + sa_prop->sadb_prop_len = (sizeof(struct sadb_prop) + + (sizeof(struct sadb_comb) * sa_prop->sadb_prop_num)) / + sizeof(uint64_t); + + sadb_comb = p; + + /* XXX Should actually ask the crypto layer what's supported */ + for (j = 0; j < sa_prop->sadb_prop_num; j++) { + sadb_comb->sadb_comb_flags = 0; + + if (ipsec_require_pfs) + sadb_comb->sadb_comb_flags |= SADB_SAFLAGS_PFS; + + /* Set the encryption algorithm */ + if (ipo->ipo_sproto == IPPROTO_ESP) { + if (!strncasecmp(ipsec_def_enc, "aes", + sizeof("aes"))) { + sadb_comb->sadb_comb_encrypt = SADB_X_EALG_AES; + sadb_comb->sadb_comb_encrypt_minbits = 64; + sadb_comb->sadb_comb_encrypt_maxbits = 256; + } else if (!strncasecmp(ipsec_def_enc, "3des", + sizeof("3des"))) { + sadb_comb->sadb_comb_encrypt = SADB_EALG_3DESCBC; + sadb_comb->sadb_comb_encrypt_minbits = 192; + sadb_comb->sadb_comb_encrypt_maxbits = 192; + } else if (!strncasecmp(ipsec_def_enc, "des", + sizeof("des"))) { + sadb_comb->sadb_comb_encrypt = SADB_EALG_DESCBC; + sadb_comb->sadb_comb_encrypt_minbits = 64; + sadb_comb->sadb_comb_encrypt_maxbits = 64; + } else if (!strncasecmp(ipsec_def_enc, "blowfish", + sizeof("blowfish"))) { + sadb_comb->sadb_comb_encrypt = SADB_X_EALG_BLF; + sadb_comb->sadb_comb_encrypt_minbits = 40; + sadb_comb->sadb_comb_encrypt_maxbits = BLF_MAXKEYLEN * 8; + } else if (!strncasecmp(ipsec_def_enc, "skipjack", + sizeof("skipjack"))) { + sadb_comb->sadb_comb_encrypt = SADB_X_EALG_SKIPJACK; + sadb_comb->sadb_comb_encrypt_minbits = 80; + sadb_comb->sadb_comb_encrypt_maxbits = 80; + } else if (!strncasecmp(ipsec_def_enc, "cast128", + sizeof("cast128"))) { + sadb_comb->sadb_comb_encrypt = SADB_X_EALG_CAST; + sadb_comb->sadb_comb_encrypt_minbits = 40; + sadb_comb->sadb_comb_encrypt_maxbits = 128; + } + } else if (ipo->ipo_sproto == IPPROTO_IPCOMP) { + /* Set the compression algorithm */ + if (!strncasecmp(ipsec_def_comp, "deflate", + sizeof("deflate"))) { + sadb_comb->sadb_comb_encrypt = SADB_X_CALG_DEFLATE; + sadb_comb->sadb_comb_encrypt_minbits = 0; + sadb_comb->sadb_comb_encrypt_maxbits = 0; + } else if (!strncasecmp(ipsec_def_comp, "lzs", + sizeof("lzs"))) { + sadb_comb->sadb_comb_encrypt = SADB_X_CALG_LZS; + sadb_comb->sadb_comb_encrypt_minbits = 0; + sadb_comb->sadb_comb_encrypt_maxbits = 0; + } + } - /* Set the encryption algorithm */ - if (ipo->ipo_sproto == IPPROTO_ESP) - { - if (!strncasecmp(ipsec_def_enc, "aes", sizeof("aes"))) - { - sadb_comb->sadb_comb_encrypt = SADB_X_EALG_AES; - sadb_comb->sadb_comb_encrypt_minbits = 64; - sadb_comb->sadb_comb_encrypt_maxbits = 256; - } - else - if (!strncasecmp(ipsec_def_enc, "3des", sizeof("3des"))) - { - sadb_comb->sadb_comb_encrypt = SADB_EALG_3DESCBC; - sadb_comb->sadb_comb_encrypt_minbits = 192; - sadb_comb->sadb_comb_encrypt_maxbits = 192; - } - else - if (!strncasecmp(ipsec_def_enc, "des", sizeof("des"))) - { - sadb_comb->sadb_comb_encrypt = SADB_EALG_DESCBC; - sadb_comb->sadb_comb_encrypt_minbits = 64; - sadb_comb->sadb_comb_encrypt_maxbits = 64; + /* Set the authentication algorithm */ + if (!strncasecmp(ipsec_def_auth, "hmac-sha1", + sizeof("hmac-sha1"))) { + sadb_comb->sadb_comb_auth = SADB_AALG_SHA1HMAC; + sadb_comb->sadb_comb_auth_minbits = 160; + sadb_comb->sadb_comb_auth_maxbits = 160; + } else if (!strncasecmp(ipsec_def_auth, "hmac-ripemd160", + sizeof("hmac_ripemd160"))) { + sadb_comb->sadb_comb_auth = SADB_AALG_RIPEMD160HMAC; + sadb_comb->sadb_comb_auth_minbits = 160; + sadb_comb->sadb_comb_auth_maxbits = 160; + } else if (!strncasecmp(ipsec_def_auth, "hmac-md5", + sizeof("hmac-md5"))) { + sadb_comb->sadb_comb_auth = SADB_AALG_MD5HMAC; + sadb_comb->sadb_comb_auth_minbits = 128; + sadb_comb->sadb_comb_auth_maxbits = 128; } - else - if (!strncasecmp(ipsec_def_enc, "blowfish", - sizeof("blowfish"))) - { - sadb_comb->sadb_comb_encrypt = SADB_X_EALG_BLF; - sadb_comb->sadb_comb_encrypt_minbits = 40; - sadb_comb->sadb_comb_encrypt_maxbits = BLF_MAXKEYLEN * 8; - } - else - if (!strncasecmp(ipsec_def_enc, "skipjack", - sizeof("skipjack"))) - { - sadb_comb->sadb_comb_encrypt = SADB_X_EALG_SKIPJACK; - sadb_comb->sadb_comb_encrypt_minbits = 80; - sadb_comb->sadb_comb_encrypt_maxbits = 80; - } - else - if (!strncasecmp(ipsec_def_enc, "cast128", - sizeof("cast128"))) - { - sadb_comb->sadb_comb_encrypt = SADB_X_EALG_CAST; - sadb_comb->sadb_comb_encrypt_minbits = 40; - sadb_comb->sadb_comb_encrypt_maxbits = 128; - } - } - else if (ipo->ipo_sproto == IPPROTO_IPCOMP) - { - /* Set the compression algorithm */ - if (!strncasecmp(ipsec_def_comp, "deflate", sizeof("deflate"))) { - sadb_comb->sadb_comb_encrypt = SADB_X_CALG_DEFLATE; - sadb_comb->sadb_comb_encrypt_minbits = 0; - sadb_comb->sadb_comb_encrypt_maxbits = 0; - } else if (!strncasecmp(ipsec_def_comp, "lzs", sizeof("lzs"))) { - sadb_comb->sadb_comb_encrypt = SADB_X_CALG_LZS; - sadb_comb->sadb_comb_encrypt_minbits = 0; - sadb_comb->sadb_comb_encrypt_maxbits = 0; - } - } - - /* Set the authentication algorithm */ - if (!strncasecmp(ipsec_def_auth, "hmac-sha1", sizeof("hmac-sha1"))) - { - sadb_comb->sadb_comb_auth = SADB_AALG_SHA1HMAC; - sadb_comb->sadb_comb_auth_minbits = 160; - sadb_comb->sadb_comb_auth_maxbits = 160; + sadb_comb->sadb_comb_soft_allocations = ipsec_soft_allocations; + sadb_comb->sadb_comb_hard_allocations = ipsec_exp_allocations; + + sadb_comb->sadb_comb_soft_bytes = ipsec_soft_bytes; + sadb_comb->sadb_comb_hard_bytes = ipsec_exp_bytes; + + sadb_comb->sadb_comb_soft_addtime = ipsec_soft_timeout; + sadb_comb->sadb_comb_hard_addtime = ipsec_exp_timeout; + + sadb_comb->sadb_comb_soft_usetime = ipsec_soft_first_use; + sadb_comb->sadb_comb_hard_usetime = ipsec_exp_first_use; + sadb_comb++; } - else - if (!strncasecmp(ipsec_def_auth, "hmac-ripemd160", - sizeof("hmac_ripemd160"))) - { - sadb_comb->sadb_comb_auth = SADB_AALG_RIPEMD160HMAC; - sadb_comb->sadb_comb_auth_minbits = 160; - sadb_comb->sadb_comb_auth_maxbits = 160; - } - else - if (!strncasecmp(ipsec_def_auth, "hmac-md5", sizeof("hmac-md5"))) - { - sadb_comb->sadb_comb_auth = SADB_AALG_MD5HMAC; - sadb_comb->sadb_comb_auth_minbits = 128; - sadb_comb->sadb_comb_auth_maxbits = 128; - } - - sadb_comb->sadb_comb_soft_allocations = ipsec_soft_allocations; - sadb_comb->sadb_comb_hard_allocations = ipsec_exp_allocations; - - sadb_comb->sadb_comb_soft_bytes = ipsec_soft_bytes; - sadb_comb->sadb_comb_hard_bytes = ipsec_exp_bytes; - - sadb_comb->sadb_comb_soft_addtime = ipsec_soft_timeout; - sadb_comb->sadb_comb_hard_addtime = ipsec_exp_timeout; - - sadb_comb->sadb_comb_soft_usetime = ipsec_soft_first_use; - sadb_comb->sadb_comb_hard_usetime = ipsec_exp_first_use; - sadb_comb++; - } /* Send the ACQUIRE message to all compliant registered listeners. */ - if ((rval = pfkeyv2_sendmessage(headers, PFKEYV2_SENDMESSAGE_REGISTERED, - NULL, smsg->sadb_msg_satype, 0)) != 0) - goto ret; + if ((rval = pfkeyv2_sendmessage(headers, + PFKEYV2_SENDMESSAGE_REGISTERED, NULL, smsg->sadb_msg_satype, 0)) + != 0) + goto ret; - rval = 0; + rval = 0; ret: - if (buffer != NULL) - { - bzero(buffer, i); - free(buffer, M_PFKEY); - } + if (buffer != NULL) { + bzero(buffer, i); + free(buffer, M_PFKEY); + } - return rval; + return (rval); } /* @@ -2107,13 +1989,12 @@ ret: int pfkeyv2_expire(struct tdb *sa, u_int16_t type) { - void *p, *headers[SADB_EXT_MAX+1], *buffer = NULL; - struct sadb_msg *smsg; - int rval = 0; - int i; + void *p, *headers[SADB_EXT_MAX+1], *buffer = NULL; + struct sadb_msg *smsg; + int rval = 0; + int i; - switch (sa->tdb_sproto) - { + switch (sa->tdb_sproto) { case IPPROTO_AH: case IPPROTO_ESP: case IPPROTO_IPIP: @@ -2121,90 +2002,88 @@ pfkeyv2_expire(struct tdb *sa, u_int16_t type) #ifdef TCP_SIGNATURE case IPPROTO_TCP: #endif /* TCP_SIGNATURE */ - break; + break; default: - rval = EOPNOTSUPP; - goto ret; - } + rval = EOPNOTSUPP; + goto ret; + } - i = sizeof(struct sadb_msg) + sizeof(struct sadb_sa) + - 2 * sizeof(struct sadb_lifetime) + - sizeof(struct sadb_address) + PADUP(SA_LEN(&sa->tdb_src.sa)) + - sizeof(struct sadb_address) + PADUP(SA_LEN(&sa->tdb_dst.sa)); + i = sizeof(struct sadb_msg) + sizeof(struct sadb_sa) + + 2 * sizeof(struct sadb_lifetime) + + sizeof(struct sadb_address) + PADUP(SA_LEN(&sa->tdb_src.sa)) + + sizeof(struct sadb_address) + PADUP(SA_LEN(&sa->tdb_dst.sa)); - if (!(p = malloc(i, M_PFKEY, M_DONTWAIT))) - { - rval = ENOMEM; - goto ret; - } + if (!(p = malloc(i, M_PFKEY, M_DONTWAIT))) { + rval = ENOMEM; + goto ret; + } - bzero(headers, sizeof(headers)); + bzero(headers, sizeof(headers)); - buffer = p; - bzero(p, i); + buffer = p; + bzero(p, i); - headers[0] = p; - p += sizeof(struct sadb_msg); + headers[0] = p; + p += sizeof(struct sadb_msg); - smsg = (struct sadb_msg *) headers[0]; - smsg->sadb_msg_version = PF_KEY_V2; - smsg->sadb_msg_type = SADB_EXPIRE; - smsg->sadb_msg_satype = sa->tdb_satype; - smsg->sadb_msg_len = i / sizeof(uint64_t); - smsg->sadb_msg_seq = pfkeyv2_seq++; + smsg = (struct sadb_msg *) headers[0]; + smsg->sadb_msg_version = PF_KEY_V2; + smsg->sadb_msg_type = SADB_EXPIRE; + smsg->sadb_msg_satype = sa->tdb_satype; + smsg->sadb_msg_len = i / sizeof(uint64_t); + smsg->sadb_msg_seq = pfkeyv2_seq++; - headers[SADB_EXT_SA] = p; - export_sa(&p, sa); + headers[SADB_EXT_SA] = p; + export_sa(&p, sa); - headers[SADB_EXT_LIFETIME_CURRENT] = p; - export_lifetime(&p, sa, 2); + headers[SADB_EXT_LIFETIME_CURRENT] = p; + export_lifetime(&p, sa, 2); - headers[type] = p; - type = (SADB_EXT_LIFETIME_SOFT ? PFKEYV2_LIFETIME_SOFT : - PFKEYV2_LIFETIME_HARD); - export_lifetime(&p, sa, type); + headers[type] = p; + type = (SADB_EXT_LIFETIME_SOFT ? PFKEYV2_LIFETIME_SOFT : + PFKEYV2_LIFETIME_HARD); + export_lifetime(&p, sa, type); - headers[SADB_EXT_ADDRESS_SRC] = p; - export_address(&p, (struct sockaddr *) &sa->tdb_src); + headers[SADB_EXT_ADDRESS_SRC] = p; + export_address(&p, (struct sockaddr *) &sa->tdb_src); - headers[SADB_EXT_ADDRESS_DST] = p; - export_address(&p, (struct sockaddr *) &sa->tdb_dst); + headers[SADB_EXT_ADDRESS_DST] = p; + export_address(&p, (struct sockaddr *) &sa->tdb_dst); - if ((rval = pfkeyv2_sendmessage(headers, PFKEYV2_SENDMESSAGE_BROADCAST, - NULL, 0, 0)) != 0) - goto ret; + if ((rval = pfkeyv2_sendmessage(headers, PFKEYV2_SENDMESSAGE_BROADCAST, + NULL, 0, 0)) != 0) + goto ret; - rval = 0; + rval = 0; -ret: - if (buffer != NULL) - { - bzero(buffer, i); - free(buffer, M_PFKEY); - } + ret: + if (buffer != NULL) { + bzero(buffer, i); + free(buffer, M_PFKEY); + } - return rval; + return (rval); } int pfkeyv2_init(void) { - int rval; + int rval; - bzero(&pfkeyv2_version, sizeof(struct pfkey_version)); - pfkeyv2_version.protocol = PFKEYV2_PROTOCOL; - pfkeyv2_version.create = &pfkeyv2_create; - pfkeyv2_version.release = &pfkeyv2_release; - pfkeyv2_version.send = &pfkeyv2_send; + bzero(&pfkeyv2_version, sizeof(struct pfkey_version)); + pfkeyv2_version.protocol = PFKEYV2_PROTOCOL; + pfkeyv2_version.create = &pfkeyv2_create; + pfkeyv2_version.release = &pfkeyv2_release; + pfkeyv2_version.send = &pfkeyv2_send; - rval = pfkey_register(&pfkeyv2_version); - return rval; + rval = pfkey_register(&pfkeyv2_version); + return (rval); } int pfkeyv2_cleanup(void) { - pfkey_unregister(&pfkeyv2_version); - return 0; + pfkey_unregister(&pfkeyv2_version); + return (0); } diff --git a/sys/net/pfkeyv2.h b/sys/net/pfkeyv2.h index ae531ff9ead..7deaefa3915 100644 --- a/sys/net/pfkeyv2.h +++ b/sys/net/pfkeyv2.h @@ -1,4 +1,4 @@ -/* $OpenBSD: pfkeyv2.h,v 1.44 2003/02/15 19:21:05 jason Exp $ */ +/* $OpenBSD: pfkeyv2.h,v 1.45 2003/02/16 19:54:20 jason Exp $ */ /* * @(#)COPYRIGHT 1.1 (NRL) January 1998 * @@ -67,142 +67,142 @@ #define SADB_MAX 15 struct sadb_msg { - uint8_t sadb_msg_version; - uint8_t sadb_msg_type; - uint8_t sadb_msg_errno; - uint8_t sadb_msg_satype; - uint16_t sadb_msg_len; - uint16_t sadb_msg_reserved; - uint32_t sadb_msg_seq; - uint32_t sadb_msg_pid; + uint8_t sadb_msg_version; + uint8_t sadb_msg_type; + uint8_t sadb_msg_errno; + uint8_t sadb_msg_satype; + uint16_t sadb_msg_len; + uint16_t sadb_msg_reserved; + uint32_t sadb_msg_seq; + uint32_t sadb_msg_pid; }; struct sadb_ext { - uint16_t sadb_ext_len; - uint16_t sadb_ext_type; + uint16_t sadb_ext_len; + uint16_t sadb_ext_type; }; struct sadb_sa { - uint16_t sadb_sa_len; - uint16_t sadb_sa_exttype; - uint32_t sadb_sa_spi; - uint8_t sadb_sa_replay; - uint8_t sadb_sa_state; - uint8_t sadb_sa_auth; - uint8_t sadb_sa_encrypt; - uint32_t sadb_sa_flags; + uint16_t sadb_sa_len; + uint16_t sadb_sa_exttype; + uint32_t sadb_sa_spi; + uint8_t sadb_sa_replay; + uint8_t sadb_sa_state; + uint8_t sadb_sa_auth; + uint8_t sadb_sa_encrypt; + uint32_t sadb_sa_flags; }; struct sadb_lifetime { - uint16_t sadb_lifetime_len; - uint16_t sadb_lifetime_exttype; - uint32_t sadb_lifetime_allocations; - uint64_t sadb_lifetime_bytes; - uint64_t sadb_lifetime_addtime; - uint64_t sadb_lifetime_usetime; + uint16_t sadb_lifetime_len; + uint16_t sadb_lifetime_exttype; + uint32_t sadb_lifetime_allocations; + uint64_t sadb_lifetime_bytes; + uint64_t sadb_lifetime_addtime; + uint64_t sadb_lifetime_usetime; }; struct sadb_address { - uint16_t sadb_address_len; - uint16_t sadb_address_exttype; - uint32_t sadb_address_reserved; + uint16_t sadb_address_len; + uint16_t sadb_address_exttype; + uint32_t sadb_address_reserved; }; struct sadb_key { - uint16_t sadb_key_len; - uint16_t sadb_key_exttype; - uint16_t sadb_key_bits; - uint16_t sadb_key_reserved; + uint16_t sadb_key_len; + uint16_t sadb_key_exttype; + uint16_t sadb_key_bits; + uint16_t sadb_key_reserved; }; struct sadb_ident { - uint16_t sadb_ident_len; - uint16_t sadb_ident_exttype; - uint16_t sadb_ident_type; - uint16_t sadb_ident_reserved; - uint64_t sadb_ident_id; + uint16_t sadb_ident_len; + uint16_t sadb_ident_exttype; + uint16_t sadb_ident_type; + uint16_t sadb_ident_reserved; + uint64_t sadb_ident_id; }; struct sadb_sens { - uint16_t sadb_sens_len; - uint16_t sadb_sens_exttype; - uint32_t sadb_sens_dpd; - uint8_t sadb_sens_sens_level; - uint8_t sadb_sens_sens_len; - uint8_t sadb_sens_integ_level; - uint8_t sadb_sens_integ_len; - uint32_t sadb_sens_reserved; + uint16_t sadb_sens_len; + uint16_t sadb_sens_exttype; + uint32_t sadb_sens_dpd; + uint8_t sadb_sens_sens_level; + uint8_t sadb_sens_sens_len; + uint8_t sadb_sens_integ_level; + uint8_t sadb_sens_integ_len; + uint32_t sadb_sens_reserved; }; struct sadb_prop { - uint16_t sadb_prop_len; - uint16_t sadb_prop_exttype; - uint8_t sadb_prop_num; - uint8_t sadb_prop_replay; - uint16_t sadb_prop_reserved; + uint16_t sadb_prop_len; + uint16_t sadb_prop_exttype; + uint8_t sadb_prop_num; + uint8_t sadb_prop_replay; + uint16_t sadb_prop_reserved; }; struct sadb_comb { - uint8_t sadb_comb_auth; - uint8_t sadb_comb_encrypt; - uint16_t sadb_comb_flags; - uint16_t sadb_comb_auth_minbits; - uint16_t sadb_comb_auth_maxbits; - uint16_t sadb_comb_encrypt_minbits; - uint16_t sadb_comb_encrypt_maxbits; - uint32_t sadb_comb_reserved; - uint32_t sadb_comb_soft_allocations; - uint32_t sadb_comb_hard_allocations; - uint64_t sadb_comb_soft_bytes; - uint64_t sadb_comb_hard_bytes; - uint64_t sadb_comb_soft_addtime; - uint64_t sadb_comb_hard_addtime; - uint64_t sadb_comb_soft_usetime; - uint64_t sadb_comb_hard_usetime; + uint8_t sadb_comb_auth; + uint8_t sadb_comb_encrypt; + uint16_t sadb_comb_flags; + uint16_t sadb_comb_auth_minbits; + uint16_t sadb_comb_auth_maxbits; + uint16_t sadb_comb_encrypt_minbits; + uint16_t sadb_comb_encrypt_maxbits; + uint32_t sadb_comb_reserved; + uint32_t sadb_comb_soft_allocations; + uint32_t sadb_comb_hard_allocations; + uint64_t sadb_comb_soft_bytes; + uint64_t sadb_comb_hard_bytes; + uint64_t sadb_comb_soft_addtime; + uint64_t sadb_comb_hard_addtime; + uint64_t sadb_comb_soft_usetime; + uint64_t sadb_comb_hard_usetime; }; struct sadb_supported { - uint16_t sadb_supported_len; - uint16_t sadb_supported_exttype; - uint32_t sadb_supported_reserved; + uint16_t sadb_supported_len; + uint16_t sadb_supported_exttype; + uint32_t sadb_supported_reserved; }; struct sadb_alg { - uint8_t sadb_alg_id; - uint8_t sadb_alg_ivlen; - uint16_t sadb_alg_minbits; - uint16_t sadb_alg_maxbits; - uint16_t sadb_alg_reserved; + uint8_t sadb_alg_id; + uint8_t sadb_alg_ivlen; + uint16_t sadb_alg_minbits; + uint16_t sadb_alg_maxbits; + uint16_t sadb_alg_reserved; }; struct sadb_spirange { - uint16_t sadb_spirange_len; - uint16_t sadb_spirange_exttype; - uint32_t sadb_spirange_min; - uint32_t sadb_spirange_max; - uint32_t sadb_spirange_reserved; + uint16_t sadb_spirange_len; + uint16_t sadb_spirange_exttype; + uint32_t sadb_spirange_min; + uint32_t sadb_spirange_max; + uint32_t sadb_spirange_reserved; }; struct sadb_protocol { - uint16_t sadb_protocol_len; - uint16_t sadb_protocol_exttype; - uint8_t sadb_protocol_proto; - uint8_t sadb_protocol_direction; - uint8_t sadb_protocol_flags; - uint8_t sadb_protocol_reserved2; + uint16_t sadb_protocol_len; + uint16_t sadb_protocol_exttype; + uint8_t sadb_protocol_proto; + uint8_t sadb_protocol_direction; + uint8_t sadb_protocol_flags; + uint8_t sadb_protocol_reserved2; }; struct sadb_x_policy { - uint16_t sadb_x_policy_len; - uint16_t sadb_x_policy_exttype; - u_int32_t sadb_x_policy_seq; + uint16_t sadb_x_policy_len; + uint16_t sadb_x_policy_exttype; + u_int32_t sadb_x_policy_seq; }; struct sadb_x_cred { - uint16_t sadb_x_cred_len; - uint16_t sadb_x_cred_exttype; - uint16_t sadb_x_cred_type; - uint16_t sadb_x_cred_reserved; + uint16_t sadb_x_cred_len; + uint16_t sadb_x_cred_exttype; + uint16_t sadb_x_cred_type; + uint16_t sadb_x_cred_reserved; }; #ifdef _KERNEL @@ -370,25 +370,25 @@ struct mbuf; struct pfkey_version { - int protocol; - int (*create)(struct socket *socket); - int (*release)(struct socket *socket); - int (*send)(struct socket *socket, void *message, int len); + int protocol; + int (*create)(struct socket *socket); + int (*release)(struct socket *socket); + int (*send)(struct socket *socket, void *message, int len); }; struct pfkeyv2_socket { - struct pfkeyv2_socket *next; - struct socket *socket; - int flags; - uint32_t pid; - uint32_t registration; /* Increase size if SATYPE_MAX > 31 */ + struct pfkeyv2_socket *next; + struct socket *socket; + int flags; + uint32_t pid; + uint32_t registration; /* Increase size if SATYPE_MAX > 31 */ }; struct dump_state { - struct sadb_msg *sadb_msg; - struct socket *socket; + struct sadb_msg *sadb_msg; + struct socket *socket; }; int pfkeyv2_init(void); @@ -396,8 +396,7 @@ int pfkeyv2_cleanup(void); int pfkeyv2_parsemessage(void *, int, void **); int pfkeyv2_expire(struct tdb *, u_int16_t); int pfkeyv2_acquire(struct ipsec_policy *, union sockaddr_union *, - union sockaddr_union *, u_int32_t *, - struct sockaddr_encap *); + union sockaddr_union *, u_int32_t *, struct sockaddr_encap *); int pfkey_register(struct pfkey_version *version); int pfkey_unregister(struct pfkey_version *version); diff --git a/sys/net/pfkeyv2_parsemessage.c b/sys/net/pfkeyv2_parsemessage.c index fec9491b97a..c1cc516bc30 100644 --- a/sys/net/pfkeyv2_parsemessage.c +++ b/sys/net/pfkeyv2_parsemessage.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pfkeyv2_parsemessage.c,v 1.34 2002/06/07 06:16:39 angelos Exp $ */ +/* $OpenBSD: pfkeyv2_parsemessage.c,v 1.35 2003/02/16 19:54:20 jason Exp $ */ /* * @(#)COPYRIGHT 1.1 (NRL) 17 January 1995 @@ -124,146 +124,146 @@ extern int encdebug; uint32_t sadb_exts_allowed_in[SADB_MAX+1] = { - /* RESERVED */ - ~0, - /* GETSPI */ - BITMAP_ADDRESS_SRC | BITMAP_ADDRESS_DST | BITMAP_SPIRANGE, - /* UPDATE */ - BITMAP_SA | BITMAP_LIFETIME | BITMAP_ADDRESS | BITMAP_KEY | BITMAP_IDENTITY | BITMAP_X_CREDENTIALS | BITMAP_X_FLOW, - /* ADD */ - BITMAP_SA | BITMAP_LIFETIME | BITMAP_ADDRESS | BITMAP_KEY | BITMAP_IDENTITY | BITMAP_X_CREDENTIALS | BITMAP_X_FLOW, - /* DELETE */ - BITMAP_SA | BITMAP_ADDRESS_SRC | BITMAP_ADDRESS_DST, - /* GET */ - BITMAP_SA | BITMAP_ADDRESS_SRC | BITMAP_ADDRESS_DST, - /* ACQUIRE */ - BITMAP_ADDRESS_SRC | BITMAP_ADDRESS_DST | BITMAP_IDENTITY | BITMAP_PROPOSAL | BITMAP_X_CREDENTIALS, - /* REGISTER */ - 0, - /* EXPIRE */ - BITMAP_SA | BITMAP_ADDRESS_SRC | BITMAP_ADDRESS_DST, - /* FLUSH */ - 0, - /* DUMP */ - 0, - /* X_PROMISC */ - 0, - /* X_ADDFLOW */ - BITMAP_ADDRESS_SRC | BITMAP_ADDRESS_DST | BITMAP_IDENTITY_SRC | BITMAP_IDENTITY_DST | BITMAP_X_FLOW, - /* X_DELFLOW */ - BITMAP_X_FLOW, - /* X_GRPSPIS */ - BITMAP_SA | BITMAP_X_SA2 | BITMAP_X_DST2 | BITMAP_ADDRESS_DST | BITMAP_X_PROTOCOL, - /* X_ASKPOLICY */ - BITMAP_X_POLICY, + /* RESERVED */ + ~0, + /* GETSPI */ + BITMAP_ADDRESS_SRC | BITMAP_ADDRESS_DST | BITMAP_SPIRANGE, + /* UPDATE */ + BITMAP_SA | BITMAP_LIFETIME | BITMAP_ADDRESS | BITMAP_KEY | BITMAP_IDENTITY | BITMAP_X_CREDENTIALS | BITMAP_X_FLOW, + /* ADD */ + BITMAP_SA | BITMAP_LIFETIME | BITMAP_ADDRESS | BITMAP_KEY | BITMAP_IDENTITY | BITMAP_X_CREDENTIALS | BITMAP_X_FLOW, + /* DELETE */ + BITMAP_SA | BITMAP_ADDRESS_SRC | BITMAP_ADDRESS_DST, + /* GET */ + BITMAP_SA | BITMAP_ADDRESS_SRC | BITMAP_ADDRESS_DST, + /* ACQUIRE */ + BITMAP_ADDRESS_SRC | BITMAP_ADDRESS_DST | BITMAP_IDENTITY | BITMAP_PROPOSAL | BITMAP_X_CREDENTIALS, + /* REGISTER */ + 0, + /* EXPIRE */ + BITMAP_SA | BITMAP_ADDRESS_SRC | BITMAP_ADDRESS_DST, + /* FLUSH */ + 0, + /* DUMP */ + 0, + /* X_PROMISC */ + 0, + /* X_ADDFLOW */ + BITMAP_ADDRESS_SRC | BITMAP_ADDRESS_DST | BITMAP_IDENTITY_SRC | BITMAP_IDENTITY_DST | BITMAP_X_FLOW, + /* X_DELFLOW */ + BITMAP_X_FLOW, + /* X_GRPSPIS */ + BITMAP_SA | BITMAP_X_SA2 | BITMAP_X_DST2 | BITMAP_ADDRESS_DST | BITMAP_X_PROTOCOL, + /* X_ASKPOLICY */ + BITMAP_X_POLICY, }; uint32_t sadb_exts_required_in[SADB_MAX+1] = { - /* RESERVED */ - 0, - /* GETSPI */ - BITMAP_ADDRESS_SRC | BITMAP_ADDRESS_DST | BITMAP_SPIRANGE, - /* UPDATE */ - BITMAP_SA | BITMAP_ADDRESS_SRC | BITMAP_ADDRESS_DST, - /* ADD */ - BITMAP_SA | BITMAP_ADDRESS_DST, - /* DELETE */ - BITMAP_SA | BITMAP_ADDRESS_DST, - /* GET */ - BITMAP_SA | BITMAP_ADDRESS_SRC | BITMAP_ADDRESS_DST, - /* ACQUIRE */ - 0, - /* REGISTER */ - 0, - /* EXPIRE */ - BITMAP_SA | BITMAP_ADDRESS_SRC | BITMAP_ADDRESS_DST, - /* FLUSH */ - 0, - /* DUMP */ - 0, - /* X_PROMISC */ - 0, - /* X_ADDFLOW */ - BITMAP_X_SRC_MASK | BITMAP_X_DST_MASK | BITMAP_X_SRC_FLOW | BITMAP_X_DST_FLOW | BITMAP_X_FLOW_TYPE, - /* X_DELFLOW */ - BITMAP_X_SRC_MASK | BITMAP_X_DST_MASK | BITMAP_X_SRC_FLOW | BITMAP_X_DST_FLOW | BITMAP_X_FLOW_TYPE, - /* X_GRPSPIS */ - BITMAP_SA | BITMAP_X_SA2 | BITMAP_X_DST2 | BITMAP_ADDRESS_DST | BITMAP_X_PROTOCOL, - /* X_ASKPOLICY */ - BITMAP_X_POLICY, + /* RESERVED */ + 0, + /* GETSPI */ + BITMAP_ADDRESS_SRC | BITMAP_ADDRESS_DST | BITMAP_SPIRANGE, + /* UPDATE */ + BITMAP_SA | BITMAP_ADDRESS_SRC | BITMAP_ADDRESS_DST, + /* ADD */ + BITMAP_SA | BITMAP_ADDRESS_DST, + /* DELETE */ + BITMAP_SA | BITMAP_ADDRESS_DST, + /* GET */ + BITMAP_SA | BITMAP_ADDRESS_SRC | BITMAP_ADDRESS_DST, + /* ACQUIRE */ + 0, + /* REGISTER */ + 0, + /* EXPIRE */ + BITMAP_SA | BITMAP_ADDRESS_SRC | BITMAP_ADDRESS_DST, + /* FLUSH */ + 0, + /* DUMP */ + 0, + /* X_PROMISC */ + 0, + /* X_ADDFLOW */ + BITMAP_X_SRC_MASK | BITMAP_X_DST_MASK | BITMAP_X_SRC_FLOW | BITMAP_X_DST_FLOW | BITMAP_X_FLOW_TYPE, + /* X_DELFLOW */ + BITMAP_X_SRC_MASK | BITMAP_X_DST_MASK | BITMAP_X_SRC_FLOW | BITMAP_X_DST_FLOW | BITMAP_X_FLOW_TYPE, + /* X_GRPSPIS */ + BITMAP_SA | BITMAP_X_SA2 | BITMAP_X_DST2 | BITMAP_ADDRESS_DST | BITMAP_X_PROTOCOL, + /* X_ASKPOLICY */ + BITMAP_X_POLICY, }; uint32_t sadb_exts_allowed_out[SADB_MAX+1] = { - /* RESERVED */ - ~0, - /* GETSPI */ - BITMAP_SA | BITMAP_ADDRESS_SRC | BITMAP_ADDRESS_DST, - /* UPDATE */ - BITMAP_SA | BITMAP_LIFETIME | BITMAP_ADDRESS | BITMAP_IDENTITY | BITMAP_X_CREDENTIALS | BITMAP_X_FLOW, - /* ADD */ - BITMAP_SA | BITMAP_LIFETIME | BITMAP_ADDRESS | BITMAP_IDENTITY | BITMAP_X_CREDENTIALS | BITMAP_X_FLOW, - /* DELETE */ - BITMAP_SA | BITMAP_ADDRESS_SRC | BITMAP_ADDRESS_DST, - /* GET */ - BITMAP_SA | BITMAP_LIFETIME | BITMAP_ADDRESS | BITMAP_KEY | BITMAP_IDENTITY, - /* ACQUIRE */ - BITMAP_ADDRESS_SRC | BITMAP_ADDRESS_DST | BITMAP_IDENTITY | BITMAP_PROPOSAL | BITMAP_X_CREDENTIALS, - /* REGISTER */ - BITMAP_SUPPORTED_AUTH | BITMAP_SUPPORTED_ENCRYPT | BITMAP_X_SUPPORTED_COMP, - /* EXPIRE */ - BITMAP_SA | BITMAP_LIFETIME | BITMAP_ADDRESS, - /* FLUSH */ - 0, - /* DUMP */ - BITMAP_SA | BITMAP_LIFETIME | BITMAP_ADDRESS | BITMAP_IDENTITY, - /* X_PROMISC */ - 0, - /* X_ADDFLOW */ - BITMAP_ADDRESS_SRC | BITMAP_ADDRESS_DST | BITMAP_X_SRC_MASK | BITMAP_X_DST_MASK | BITMAP_X_PROTOCOL | BITMAP_X_SRC_FLOW | BITMAP_X_DST_FLOW | BITMAP_X_FLOW_TYPE | BITMAP_IDENTITY_SRC | BITMAP_IDENTITY_DST, - /* X_DELFLOW */ - BITMAP_X_SRC_MASK | BITMAP_X_DST_MASK | BITMAP_X_PROTOCOL | BITMAP_X_SRC_FLOW | BITMAP_X_DST_FLOW | BITMAP_X_FLOW_TYPE, - /* X_GRPSPIS */ - BITMAP_SA | BITMAP_X_SA2 | BITMAP_X_DST2 | BITMAP_ADDRESS_DST | BITMAP_X_PROTOCOL, - /* X_ASKPOLICY */ - BITMAP_X_SRC_FLOW | BITMAP_X_DST_FLOW | BITMAP_X_SRC_MASK | BITMAP_X_DST_MASK | BITMAP_X_FLOW_TYPE | BITMAP_X_POLICY, + /* RESERVED */ + ~0, + /* GETSPI */ + BITMAP_SA | BITMAP_ADDRESS_SRC | BITMAP_ADDRESS_DST, + /* UPDATE */ + BITMAP_SA | BITMAP_LIFETIME | BITMAP_ADDRESS | BITMAP_IDENTITY | BITMAP_X_CREDENTIALS | BITMAP_X_FLOW, + /* ADD */ + BITMAP_SA | BITMAP_LIFETIME | BITMAP_ADDRESS | BITMAP_IDENTITY | BITMAP_X_CREDENTIALS | BITMAP_X_FLOW, + /* DELETE */ + BITMAP_SA | BITMAP_ADDRESS_SRC | BITMAP_ADDRESS_DST, + /* GET */ + BITMAP_SA | BITMAP_LIFETIME | BITMAP_ADDRESS | BITMAP_KEY | BITMAP_IDENTITY, + /* ACQUIRE */ + BITMAP_ADDRESS_SRC | BITMAP_ADDRESS_DST | BITMAP_IDENTITY | BITMAP_PROPOSAL | BITMAP_X_CREDENTIALS, + /* REGISTER */ + BITMAP_SUPPORTED_AUTH | BITMAP_SUPPORTED_ENCRYPT | BITMAP_X_SUPPORTED_COMP, + /* EXPIRE */ + BITMAP_SA | BITMAP_LIFETIME | BITMAP_ADDRESS, + /* FLUSH */ + 0, + /* DUMP */ + BITMAP_SA | BITMAP_LIFETIME | BITMAP_ADDRESS | BITMAP_IDENTITY, + /* X_PROMISC */ + 0, + /* X_ADDFLOW */ + BITMAP_ADDRESS_SRC | BITMAP_ADDRESS_DST | BITMAP_X_SRC_MASK | BITMAP_X_DST_MASK | BITMAP_X_PROTOCOL | BITMAP_X_SRC_FLOW | BITMAP_X_DST_FLOW | BITMAP_X_FLOW_TYPE | BITMAP_IDENTITY_SRC | BITMAP_IDENTITY_DST, + /* X_DELFLOW */ + BITMAP_X_SRC_MASK | BITMAP_X_DST_MASK | BITMAP_X_PROTOCOL | BITMAP_X_SRC_FLOW | BITMAP_X_DST_FLOW | BITMAP_X_FLOW_TYPE, + /* X_GRPSPIS */ + BITMAP_SA | BITMAP_X_SA2 | BITMAP_X_DST2 | BITMAP_ADDRESS_DST | BITMAP_X_PROTOCOL, + /* X_ASKPOLICY */ + BITMAP_X_SRC_FLOW | BITMAP_X_DST_FLOW | BITMAP_X_SRC_MASK | BITMAP_X_DST_MASK | BITMAP_X_FLOW_TYPE | BITMAP_X_POLICY, }; uint32_t sadb_exts_required_out[SADB_MAX+1] = { - /* RESERVED */ - 0, - /* GETSPI */ - BITMAP_SA | BITMAP_ADDRESS_DST, - /* UPDATE */ - BITMAP_SA | BITMAP_ADDRESS_DST, - /* ADD */ - BITMAP_SA | BITMAP_ADDRESS_DST, - /* DELETE */ - BITMAP_SA | BITMAP_ADDRESS_DST, - /* GET */ - BITMAP_SA | BITMAP_LIFETIME_CURRENT | BITMAP_ADDRESS_DST, - /* ACQUIRE */ - 0, - /* REGISTER */ - BITMAP_SUPPORTED_AUTH | BITMAP_SUPPORTED_ENCRYPT | BITMAP_X_SUPPORTED_COMP, - /* EXPIRE */ - BITMAP_SA | BITMAP_ADDRESS_DST, - /* FLUSH */ - 0, - /* DUMP */ - 0, - /* X_PROMISC */ - 0, - /* X_ADDFLOW */ - BITMAP_X_SRC_MASK | BITMAP_X_DST_MASK | BITMAP_X_SRC_FLOW | BITMAP_X_DST_FLOW | BITMAP_X_FLOW_TYPE, - /* X_DELFLOW */ - BITMAP_X_SRC_MASK | BITMAP_X_DST_MASK | BITMAP_X_SRC_FLOW | BITMAP_X_DST_FLOW | BITMAP_X_FLOW_TYPE, - /* X_GRPSPIS */ - BITMAP_SA | BITMAP_X_SA2 | BITMAP_X_DST2 | BITMAP_ADDRESS_DST | BITMAP_X_PROTOCOL, - /* X_REPPOLICY */ - BITMAP_X_SRC_FLOW | BITMAP_X_DST_FLOW | BITMAP_X_SRC_MASK | BITMAP_X_DST_MASK | BITMAP_X_FLOW_TYPE, + /* RESERVED */ + 0, + /* GETSPI */ + BITMAP_SA | BITMAP_ADDRESS_DST, + /* UPDATE */ + BITMAP_SA | BITMAP_ADDRESS_DST, + /* ADD */ + BITMAP_SA | BITMAP_ADDRESS_DST, + /* DELETE */ + BITMAP_SA | BITMAP_ADDRESS_DST, + /* GET */ + BITMAP_SA | BITMAP_LIFETIME_CURRENT | BITMAP_ADDRESS_DST, + /* ACQUIRE */ + 0, + /* REGISTER */ + BITMAP_SUPPORTED_AUTH | BITMAP_SUPPORTED_ENCRYPT | BITMAP_X_SUPPORTED_COMP, + /* EXPIRE */ + BITMAP_SA | BITMAP_ADDRESS_DST, + /* FLUSH */ + 0, + /* DUMP */ + 0, + /* X_PROMISC */ + 0, + /* X_ADDFLOW */ + BITMAP_X_SRC_MASK | BITMAP_X_DST_MASK | BITMAP_X_SRC_FLOW | BITMAP_X_DST_FLOW | BITMAP_X_FLOW_TYPE, + /* X_DELFLOW */ + BITMAP_X_SRC_MASK | BITMAP_X_DST_MASK | BITMAP_X_SRC_FLOW | BITMAP_X_DST_FLOW | BITMAP_X_FLOW_TYPE, + /* X_GRPSPIS */ + BITMAP_SA | BITMAP_X_SA2 | BITMAP_X_DST2 | BITMAP_ADDRESS_DST | BITMAP_X_PROTOCOL, + /* X_REPPOLICY */ + BITMAP_X_SRC_FLOW | BITMAP_X_DST_FLOW | BITMAP_X_SRC_MASK | BITMAP_X_DST_MASK | BITMAP_X_FLOW_TYPE, }; int pfkeyv2_parsemessage(void *, int, void **); @@ -282,14 +282,14 @@ pfkeyv2_parsemessage(void *p, int len, void **headers) if (left < sizeof(struct sadb_msg)) { DPRINTF(("pfkeyv2_parsemessage: message too short\n")); - return EINVAL; + return (EINVAL); } headers[0] = p; if (sadb_msg->sadb_msg_len * sizeof(uint64_t) != left) { DPRINTF(("pfkeyv2_parsemessage: length not a multiple of 64\n")); - return EINVAL; + return (EINVAL); } p += sizeof(struct sadb_msg); @@ -298,36 +298,36 @@ pfkeyv2_parsemessage(void *p, int len, void **headers) if (sadb_msg->sadb_msg_reserved) { DPRINTF(("pfkeyv2_parsemessage: message header reserved " "field set\n")); - return EINVAL; + return (EINVAL); } if (sadb_msg->sadb_msg_type > SADB_MAX) { DPRINTF(("pfkeyv2_parsemessage: message type > %d\n", SADB_MAX)); - return EINVAL; + return (EINVAL); } if (!sadb_msg->sadb_msg_type) { DPRINTF(("pfkeyv2_parsemessage: message type unset\n")); - return EINVAL; + return (EINVAL); } if (sadb_msg->sadb_msg_pid != curproc->p_pid) { DPRINTF(("pfkeyv2_parsemessage: bad PID value\n")); - return EINVAL; + return (EINVAL); } if (sadb_msg->sadb_msg_errno) { if (left) { DPRINTF(("pfkeyv2_parsemessage: too-large error message\n")); - return EINVAL; + return (EINVAL); } - return 0; + return (0); } if (sadb_msg->sadb_msg_type == SADB_X_PROMISC) { DPRINTF(("pfkeyv2_parsemessage: message type promiscuous\n")); - return 0; + return (0); } allow = sadb_exts_allowed_in[sadb_msg->sadb_msg_type]; @@ -337,39 +337,39 @@ pfkeyv2_parsemessage(void *p, int len, void **headers) if (left < sizeof(struct sadb_ext)) { DPRINTF(("pfkeyv2_parsemessage: extension header too " "short\n")); - return EINVAL; + return (EINVAL); } i = sadb_ext->sadb_ext_len * sizeof(uint64_t); if (left < i) { DPRINTF(("pfkeyv2_parsemessage: extension header " "exceeds message length\n")); - return EINVAL; + return (EINVAL); } if (sadb_ext->sadb_ext_type > SADB_EXT_MAX) { DPRINTF(("pfkeyv2_parsemessage: unknown extension " "header %d\n", sadb_ext->sadb_ext_type)); - return EINVAL; + return (EINVAL); } if (!sadb_ext->sadb_ext_type) { DPRINTF(("pfkeyv2_parsemessage: unset extension " "header\n")); - return EINVAL; + return (EINVAL); } if (!(allow & (1 << sadb_ext->sadb_ext_type))) { DPRINTF(("pfkeyv2_parsemessage: extension header %d " "not permitted on message type %d\n", sadb_ext->sadb_ext_type, sadb_msg->sadb_msg_type)); - return EINVAL; + return (EINVAL); } if (headers[sadb_ext->sadb_ext_type]) { DPRINTF(("pfkeyv2_parsemessage: duplicate extension " "header %d\n", sadb_ext->sadb_ext_type)); - return EINVAL; + return (EINVAL); } seen |= (1 << sadb_ext->sadb_ext_type); @@ -384,7 +384,7 @@ pfkeyv2_parsemessage(void *p, int len, void **headers) DPRINTF(("pfkeyv2_parsemessage: bad header " "length for SA extension header %d\n", sadb_ext->sadb_ext_type)); - return EINVAL; + return (EINVAL); } if (sadb_sa->sadb_sa_state > SADB_SASTATE_MAX) { @@ -392,14 +392,14 @@ pfkeyv2_parsemessage(void *p, int len, void **headers) "state %d in SA extension header %d\n", sadb_sa->sadb_sa_state, sadb_ext->sadb_ext_type)); - return EINVAL; + return (EINVAL); } if (sadb_sa->sadb_sa_state == SADB_SASTATE_DEAD) { DPRINTF(("pfkeyv2_parsemessage: cannot set SA " "state to dead, SA extension header %d\n", sadb_ext->sadb_ext_type)); - return EINVAL; + return (EINVAL); } if (sadb_sa->sadb_sa_encrypt > SADB_EALG_MAX) { @@ -407,7 +407,7 @@ pfkeyv2_parsemessage(void *p, int len, void **headers) "encryption algorithm %d in SA extension " "header %d\n", sadb_sa->sadb_sa_encrypt, sadb_ext->sadb_ext_type)); - return EINVAL; + return (EINVAL); } if (sadb_sa->sadb_sa_auth > SADB_AALG_MAX) { @@ -416,7 +416,7 @@ pfkeyv2_parsemessage(void *p, int len, void **headers) "extension header %d\n", sadb_sa->sadb_sa_auth, sadb_ext->sadb_ext_type)); - return EINVAL; + return (EINVAL); } if (sadb_sa->sadb_sa_replay > 32) { @@ -424,7 +424,7 @@ pfkeyv2_parsemessage(void *p, int len, void **headers) "replay window size %d in SA extension " "header %d\n", sadb_sa->sadb_sa_replay, sadb_ext->sadb_ext_type)); - return EINVAL; + return (EINVAL); } } break; @@ -434,14 +434,14 @@ pfkeyv2_parsemessage(void *p, int len, void **headers) DPRINTF(("pfkeyv2_parsemessage: bad " "PROTOCOL/FLOW header length in extension " "header %d\n", sadb_ext->sadb_ext_type)); - return EINVAL; + return (EINVAL); } break; case SADB_X_EXT_POLICY: if (i != sizeof(struct sadb_x_policy)) { DPRINTF(("pfkeyv2_parsemessage: bad POLICY " "header length\n")); - return EINVAL; + return (EINVAL); } break; case SADB_EXT_LIFETIME_CURRENT: @@ -451,7 +451,7 @@ pfkeyv2_parsemessage(void *p, int len, void **headers) DPRINTF(("pfkeyv2_parsemessage: bad header " "length for LIFETIME extension header " "%d\n", sadb_ext->sadb_ext_type)); - return EINVAL; + return (EINVAL); } break; case SADB_EXT_ADDRESS_SRC: @@ -473,14 +473,14 @@ pfkeyv2_parsemessage(void *p, int len, void **headers) DPRINTF(("pfkeyv2_parsemessage: bad ADDRESS " "extension header %d length\n", sadb_ext->sadb_ext_type)); - return EINVAL; + return (EINVAL); } if (sadb_address->sadb_address_reserved) { DPRINTF(("pfkeyv2_parsemessage: ADDRESS " "extension header %d reserved field set\n", sadb_ext->sadb_ext_type)); - return EINVAL; + return (EINVAL); } if (sa->sa_len && (i != sizeof(struct sadb_address) + @@ -488,7 +488,7 @@ pfkeyv2_parsemessage(void *p, int len, void **headers) DPRINTF(("pfkeyv2_parsemessage: bad sockaddr " "length field in ADDRESS extension " "header %d\n", sadb_ext->sadb_ext_type)); - return EINVAL; + return (EINVAL); } switch(sa->sa_family) { @@ -499,7 +499,7 @@ pfkeyv2_parsemessage(void *p, int len, void **headers) "invalid ADDRESS extension header " "%d length\n", sadb_ext->sadb_ext_type)); - return EINVAL; + return (EINVAL); } if (sa->sa_len != sizeof(struct sockaddr_in)) { @@ -507,7 +507,7 @@ pfkeyv2_parsemessage(void *p, int len, void **headers) "sockaddr_in length in ADDRESS " "extension header %d\n", sadb_ext->sadb_ext_type)); - return EINVAL; + return (EINVAL); } /* Only check the right pieces */ @@ -526,7 +526,7 @@ pfkeyv2_parsemessage(void *p, int len, void **headers) "sockaddr_in of ADDRESS " "extension header %d\n", sadb_ext->sadb_ext_type)); - return EINVAL; + return (EINVAL); } break; } @@ -542,7 +542,7 @@ pfkeyv2_parsemessage(void *p, int len, void **headers) "ADDRESS extension header " "%d\n", sadb_ext->sadb_ext_type)); - return EINVAL; + return (EINVAL); } } break; @@ -554,7 +554,7 @@ pfkeyv2_parsemessage(void *p, int len, void **headers) "invalid sockaddr_in6 length in " "ADDRESS extension header %d\n", sadb_ext->sadb_ext_type)); - return EINVAL; + return (EINVAL); } if (sa->sa_len != @@ -563,7 +563,7 @@ pfkeyv2_parsemessage(void *p, int len, void **headers) "sockaddr_in6 length in ADDRESS " "extension header %d\n", sadb_ext->sadb_ext_type)); - return EINVAL; + return (EINVAL); } if (((struct sockaddr_in6 *)sa)->sin6_flowinfo) { @@ -572,7 +572,7 @@ pfkeyv2_parsemessage(void *p, int len, void **headers) "sockaddr_in6 of ADDRESS " "extension header %d\n", sadb_ext->sadb_ext_type)); - return EINVAL; + return (EINVAL); } /* Only check the right pieces */ @@ -591,7 +591,7 @@ pfkeyv2_parsemessage(void *p, int len, void **headers) "sockaddr_in6 of ADDRESS " "extension header %d\n", sadb_ext->sadb_ext_type)); - return EINVAL; + return (EINVAL); } break; } @@ -602,7 +602,7 @@ pfkeyv2_parsemessage(void *p, int len, void **headers) "address family %d in ADDRESS extension " "header %d\n", sa->sa_family, sadb_ext->sadb_ext_type)); - return EINVAL; + return (EINVAL); } } break; @@ -615,28 +615,28 @@ pfkeyv2_parsemessage(void *p, int len, void **headers) DPRINTF(("pfkeyv2_parsemessage: bad header " "length in KEY extension header %d\n", sadb_ext->sadb_ext_type)); - return EINVAL; + return (EINVAL); } if (!sadb_key->sadb_key_bits) { DPRINTF(("pfkeyv2_parsemessage: key length " "unset in KEY extension header %d\n", sadb_ext->sadb_ext_type)); - return EINVAL; + return (EINVAL); } if (((sadb_key->sadb_key_bits + 63) / 64) * sizeof(uint64_t) != i - sizeof(struct sadb_key)) { DPRINTF(("pfkeyv2_parsemessage: invalid key " "length in KEY extension header %d\n", sadb_ext->sadb_ext_type)); - return EINVAL; + return (EINVAL); } if (sadb_key->sadb_key_reserved) { DPRINTF(("pfkeyv2_parsemessage: reserved field" " set in KEY extension header %d\n", sadb_ext->sadb_ext_type)); - return EINVAL; + return (EINVAL); } } break; @@ -650,7 +650,7 @@ pfkeyv2_parsemessage(void *p, int len, void **headers) DPRINTF(("pfkeyv2_parsemessage: bad header " "length for AUTH extension header %d\n", sadb_ext->sadb_ext_type)); - return EINVAL; + return (EINVAL); } if (sadb_cred->sadb_x_cred_type > SADB_X_AUTHTYPE_MAX) { @@ -658,14 +658,14 @@ pfkeyv2_parsemessage(void *p, int len, void **headers) "type %d in AUTH extension header %d\n", sadb_cred->sadb_x_cred_type, sadb_ext->sadb_ext_type)); - return EINVAL; + return (EINVAL); } if (sadb_cred->sadb_x_cred_reserved) { DPRINTF(("pfkeyv2_parsemessage: reserved field" " set in AUTH extension header %d\n", sadb_ext->sadb_ext_type)); - return EINVAL; + return (EINVAL); } } break; @@ -679,7 +679,7 @@ pfkeyv2_parsemessage(void *p, int len, void **headers) DPRINTF(("pfkeyv2_parsemessage: bad header " "length of CREDENTIALS extension header " "%d\n", sadb_ext->sadb_ext_type)); - return EINVAL; + return (EINVAL); } if (sadb_cred->sadb_x_cred_type > SADB_X_CREDTYPE_MAX) { @@ -688,14 +688,14 @@ pfkeyv2_parsemessage(void *p, int len, void **headers) "extension header %d\n", sadb_cred->sadb_x_cred_type, sadb_ext->sadb_ext_type)); - return EINVAL; + return (EINVAL); } if (sadb_cred->sadb_x_cred_reserved) { DPRINTF(("pfkeyv2_parsemessage: reserved " "field set in CREDENTIALS extension " "header %d\n", sadb_ext->sadb_ext_type)); - return EINVAL; + return (EINVAL); } } break; @@ -708,7 +708,7 @@ pfkeyv2_parsemessage(void *p, int len, void **headers) DPRINTF(("pfkeyv2_parsemessage: bad header " "length of IDENTITY extension header %d\n", sadb_ext->sadb_ext_type)); - return EINVAL; + return (EINVAL); } if (sadb_ident->sadb_ident_type > SADB_IDENTTYPE_MAX) { @@ -717,14 +717,14 @@ pfkeyv2_parsemessage(void *p, int len, void **headers) "header %d\n", sadb_ident->sadb_ident_type, sadb_ext->sadb_ext_type)); - return EINVAL; + return (EINVAL); } if (sadb_ident->sadb_ident_reserved) { DPRINTF(("pfkeyv2_parsemessage: reserved " "field set in IDENTITY extension header " "%d\n", sadb_ext->sadb_ext_type)); - return EINVAL; + return (EINVAL); } if (i > sizeof(struct sadb_ident)) { @@ -737,7 +737,7 @@ pfkeyv2_parsemessage(void *p, int len, void **headers) "NUL-terminated identity in " "IDENTITY extension header %d\n", sadb_ext->sadb_ext_type)); - return EINVAL; + return (EINVAL); } j = PADUP(strlen(c) + 1) + @@ -749,7 +749,7 @@ pfkeyv2_parsemessage(void *p, int len, void **headers) "expected length in identity " "extension header %d\n", sadb_ext->sadb_ext_type)); - return EINVAL; + return (EINVAL); } } } @@ -762,7 +762,7 @@ pfkeyv2_parsemessage(void *p, int len, void **headers) DPRINTF(("pfkeyv2_parsemessage: bad header " "length for SENSITIVITY extension " "header\n")); - return EINVAL; + return (EINVAL); } if (i != (sadb_sens->sadb_sens_sens_len + @@ -772,7 +772,7 @@ pfkeyv2_parsemessage(void *p, int len, void **headers) DPRINTF(("pfkeyv2_parsemessage: bad payload " "length for SENSITIVITY extension " "header\n")); - return EINVAL; + return (EINVAL); } } break; @@ -783,20 +783,20 @@ pfkeyv2_parsemessage(void *p, int len, void **headers) if (i < sizeof(struct sadb_prop)) { DPRINTF(("pfkeyv2_parsemessage: bad PROPOSAL " "header length\n")); - return EINVAL; + return (EINVAL); } if (sadb_prop->sadb_prop_reserved) { DPRINTF(("pfkeyv2_parsemessage: reserved field" "set in PROPOSAL extension header\n")); - return EINVAL; + return (EINVAL); } if ((i - sizeof(struct sadb_prop)) % sizeof(struct sadb_comb)) { DPRINTF(("pfkeyv2_parsemessage: bad proposal " "length\n")); - return EINVAL; + return (EINVAL); } { @@ -815,7 +815,7 @@ pfkeyv2_parsemessage(void *p, int len, void **headers) "algorithm %d in " "PROPOSAL\n", sadb_comb->sadb_comb_auth)); - return EINVAL; + return (EINVAL); } if (sadb_comb->sadb_comb_encrypt > @@ -825,14 +825,14 @@ pfkeyv2_parsemessage(void *p, int len, void **headers) "algorithm %d in " "PROPOSAL\n", sadb_comb->sadb_comb_encrypt)); - return EINVAL; + return (EINVAL); } if (sadb_comb->sadb_comb_reserved) { DPRINTF(("pfkeyv2_parsemessage" ": reserved field set in " "COMB header\n")); - return EINVAL; + return (EINVAL); } } } @@ -850,14 +850,14 @@ pfkeyv2_parsemessage(void *p, int len, void **headers) DPRINTF(("pfkeyv2_parsemessage: bad header " "length for SUPPORTED extension header " "%d\n", sadb_ext->sadb_ext_type)); - return EINVAL; + return (EINVAL); } if (sadb_supported->sadb_supported_reserved) { DPRINTF(("pfkeyv2_parsemessage: reserved " "field set in SUPPORTED extension " "header %d\n", sadb_ext->sadb_ext_type)); - return EINVAL; + return (EINVAL); } { @@ -878,7 +878,7 @@ pfkeyv2_parsemessage(void *p, int len, void **headers) "header %d\n", sadb_alg->sadb_alg_id, sadb_ext->sadb_ext_type)); - return EINVAL; + return (EINVAL); } if (sadb_alg->sadb_alg_reserved) { @@ -888,7 +888,7 @@ pfkeyv2_parsemessage(void *p, int len, void **headers) "header inside SUPPORTED " "extension header %d\n", sadb_ext->sadb_ext_type)); - return EINVAL; + return (EINVAL); } sadb_alg++; @@ -904,14 +904,14 @@ pfkeyv2_parsemessage(void *p, int len, void **headers) if (i != sizeof(struct sadb_spirange)) { DPRINTF(("pfkeyv2_parsemessage: bad header " "length of SPIRANGE extension header\n")); - return EINVAL; + return (EINVAL); } if (sadb_spirange->sadb_spirange_min > sadb_spirange->sadb_spirange_max) { DPRINTF(("pfkeyv2_parsemessage: bad SPI " "range\n")); - return EINVAL; + return (EINVAL); } } break; @@ -919,7 +919,7 @@ pfkeyv2_parsemessage(void *p, int len, void **headers) DPRINTF(("pfkeyv2_parsemessage: unknown extension " "header type %d\n", sadb_ext->sadb_ext_type)); - return EINVAL; + return (EINVAL); } headers[sadb_ext->sadb_ext_type] = p; @@ -929,7 +929,7 @@ pfkeyv2_parsemessage(void *p, int len, void **headers) if (left) { DPRINTF(("pfkeyv2_parsemessage: message too long\n")); - return EINVAL; + return (EINVAL); } { @@ -940,7 +940,7 @@ pfkeyv2_parsemessage(void *p, int len, void **headers) if ((seen & required) != required) { DPRINTF(("pfkeyv2_parsemessage: required fields " "missing\n")); - return EINVAL; + return (EINVAL); } } @@ -950,7 +950,7 @@ pfkeyv2_parsemessage(void *p, int len, void **headers) SADB_SASTATE_MATURE) { DPRINTF(("pfkeyv2_parsemessage: updating non-mature " "SA prohibited\n")); - return EINVAL; + return (EINVAL); } break; case SADB_ADD: @@ -958,10 +958,10 @@ pfkeyv2_parsemessage(void *p, int len, void **headers) SADB_SASTATE_MATURE) { DPRINTF(("pfkeyv2_parsemessage: adding non-mature " "SA prohibited\n")); - return EINVAL; + return (EINVAL); } break; } - return 0; + return (0); } |