Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
Browse files

KAME/NetBSD 1.4, as of 1999/7/30.

for unified-KAME code.
no cross-OS portability is introduced.
works fine on NetBSD as no change from KAME/NetBSD.
  • Loading branch information...
commit 98a0219d841dad1aa50c761903593741f3485a39 1 parent c7b6504
itojun authored
View
8 kame/sys/netkey/Makefile
@@ -0,0 +1,8 @@
+# $NetBSD: Makefile,v 1.1 1998/06/12 23:23:07 cgd Exp $
+
+KDIR= /sys/netkey
+INCSDIR= /usr/include/netkey
+
+INCS= key.h key_debug.h key_var.h keydb.h keysock.h keyv2.h
+
+.include <bsd.kinc.mk>
View
6,719 kame/sys/netkey/key.c
6,719 additions, 0 deletions not shown
View
92 kame/sys/netkey/key.h
@@ -0,0 +1,92 @@
+/*
+ * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of the project nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/* $Id: key.h,v 1.1.1.1 1999/08/03 01:02:08 itojun Exp $ */
+
+#ifndef _NETKEY_KEY_H_
+#define _NETKEY_KEY_H_
+
+#ifdef __NetBSD__
+# ifdef _KERNEL
+# define KERNEL
+# endif
+#endif
+
+#if defined(KERNEL)
+
+extern struct key_cb key_cb;
+
+struct sadb_address;
+struct secindex;
+struct secas;
+struct sockaddr;
+struct socket;
+struct secexpire;
+struct sadb_msg;
+struct sadb_x_policy;
+struct ipsecrequest;
+extern struct secpolicy *key_allocsp __P((struct secindex *));
+#if 0
+extern int key_checkpolicy __P((struct secpolicy *));
+#endif
+extern int key_checkrequest __P((struct ipsecrequest *));
+extern struct secas *key_allocsa __P((u_int, caddr_t, caddr_t, u_int, u_int));
+extern void key_freesp __P((struct secpolicy *));
+extern void key_freeso __P((struct socket *));
+extern void key_freesa __P((struct secas *));
+
+extern struct secpolicy *key_newsp __P((void));
+extern struct secpolicy *key_msg2sp __P((struct sadb_x_policy *));
+extern struct sadb_x_policy *key_sp2msg __P((struct secpolicy *));
+
+extern int key_setsecidx __P((struct sadb_address *, struct sadb_address *,
+ struct secindex *, int));
+extern void key_delsecidx __P((struct secindex *));
+extern int key_setexptime __P((struct secas *));
+extern void key_timehandler __P((void));
+extern void key_srandom __P((void));
+extern int key_ismyaddr __P((u_int, caddr_t));
+extern void key_freereg __P((struct socket *));
+extern int key_parse __P((struct sadb_msg **, struct socket *, int *));
+extern void key_init __P((void));
+extern int key_checktunnelsanity __P((struct secas *, u_int, caddr_t, caddr_t));
+extern void key_sa_recordxfer __P((struct secas *, struct mbuf *));
+extern void key_sa_routechange __P((struct sockaddr *));
+#ifdef MALLOC_DECLARE
+MALLOC_DECLARE(M_SECA);
+#endif /* MALLOC_DECLARE */
+
+#if defined(__bsdi__) || defined(__NetBSD__)
+extern int key_sysctl __P((int *, u_int, void *, size_t *, void *, size_t));
+#endif
+
+#endif /* defined(KERNEL) */
+
+#endif /* _NETKEY_KEY_H_ */
+
View
715 kame/sys/netkey/key_debug.c
@@ -0,0 +1,715 @@
+/*
+ * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of the project nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/* KAME @(#)$Id: key_debug.c,v 1.1.1.1 1999/08/03 01:02:11 itojun Exp $ */
+
+#ifdef _KERNEL
+# define KERNEL
+#endif
+
+#ifdef KERNEL
+#if (defined(__FreeBSD__) && __FreeBSD__ >= 3) || defined(__NetBSD__)
+#include "opt_inet.h"
+#endif
+#endif
+
+#include <sys/types.h>
+#include <sys/param.h>
+#ifdef KERNEL
+#include <sys/systm.h>
+#include <sys/mbuf.h>
+#endif
+#include <sys/socket.h>
+
+#include <net/route.h>
+
+#include <netkey/key_var.h>
+#include <netkey/key_debug.h>
+
+#include <netinet/in.h>
+#include <netinet6/in6.h>
+#include <netinet6/ipsec.h>
+
+#if !defined(KERNEL)
+#include <ctype.h>
+#include <stdio.h>
+#include <stdlib.h>
+#endif /* defined(KERNEL) */
+
+#if !defined(KERNEL) || (defined(KERNEL) && defined(IPSEC_DEBUG))
+
+#ifdef __NetBSD__
+# ifdef _KERNEL
+# define KERNEL
+# endif
+#endif
+
+static void kdebug_sadb_prop __P((struct sadb_ext *));
+static void kdebug_sadb_identity __P((struct sadb_ext *));
+static void kdebug_sadb_supported __P((struct sadb_ext *));
+static void kdebug_sadb_lifetime __P((struct sadb_ext *));
+static void kdebug_sadb_sa __P((struct sadb_ext *));
+static void kdebug_sadb_address __P((struct sadb_ext *));
+static void kdebug_sadb_key __P((struct sadb_ext *));
+
+#ifdef KERNEL
+static void kdebug_secreplay __P((struct secreplay *));
+#endif
+
+#ifndef KERNEL
+#define panic(param) { printf(param); exit(-1); }
+#endif
+
+/* NOTE: host byte order */
+
+/* %%%: about struct sadb_msg */
+void
+kdebug_sadb(base)
+ struct sadb_msg *base;
+{
+ struct sadb_ext *ext;
+ int tlen, extlen;
+
+ /* sanity check */
+ if (base == NULL)
+ panic("kdebug_sadb: NULL pointer was passed.\n");
+
+ printf("sadb_msg{ version=%u type=%u errno=%u satype=%u\n",
+ base->sadb_msg_version, base->sadb_msg_type,
+ base->sadb_msg_errno, base->sadb_msg_satype);
+ printf(" len=%u reserved=%u seq=%u pid=%u }\n",
+ base->sadb_msg_len, base->sadb_msg_reserved,
+ base->sadb_msg_seq, base->sadb_msg_pid);
+
+ tlen = PFKEY_UNUNIT64(base->sadb_msg_len) - sizeof(struct sadb_msg);
+ ext = (struct sadb_ext *)((caddr_t)base + sizeof(struct sadb_msg));
+
+ while (tlen > 0) {
+ printf("sadb_ext{ len=%u type=%u }\n",
+ ext->sadb_ext_len, ext->sadb_ext_type);
+
+ if (ext->sadb_ext_len == 0) {
+ printf("kdebug_sadb: invalid ext_len=0 was passed.\n");
+ return;
+ }
+
+ switch (ext->sadb_ext_type) {
+ case SADB_EXT_SA:
+ kdebug_sadb_sa(ext);
+ break;
+ case SADB_EXT_LIFETIME_CURRENT:
+ case SADB_EXT_LIFETIME_HARD:
+ case SADB_EXT_LIFETIME_SOFT:
+ kdebug_sadb_lifetime(ext);
+ break;
+ case SADB_EXT_ADDRESS_SRC:
+ case SADB_EXT_ADDRESS_DST:
+ case SADB_EXT_ADDRESS_PROXY:
+ kdebug_sadb_address(ext);
+ break;
+ case SADB_EXT_KEY_AUTH:
+ case SADB_EXT_KEY_ENCRYPT:
+ kdebug_sadb_key(ext);
+ break;
+ case SADB_EXT_IDENTITY_SRC:
+ case SADB_EXT_IDENTITY_DST:
+ kdebug_sadb_identity(ext);
+ break;
+ case SADB_EXT_SENSITIVITY:
+ break;
+ case SADB_EXT_PROPOSAL:
+ kdebug_sadb_prop(ext);
+ break;
+ case SADB_EXT_SUPPORTED_AUTH:
+ case SADB_EXT_SUPPORTED_ENCRYPT:
+ kdebug_sadb_supported(ext);
+ break;
+ case SADB_EXT_SPIRANGE:
+ case SADB_X_EXT_KMPRIVATE:
+ break;
+ case SADB_X_EXT_POLICY:
+ kdebug_sadb_x_policy(ext);
+ break;
+ default:
+ printf("kdebug_sadb: invalid ext_type %u was passed.\n",
+ ext->sadb_ext_type);
+ return;
+ }
+
+ extlen = PFKEY_UNUNIT64(ext->sadb_ext_len);
+ tlen -= extlen;
+ ext = (struct sadb_ext *)((caddr_t)ext + extlen);
+ }
+
+ return;
+}
+
+static void
+kdebug_sadb_prop(ext)
+ struct sadb_ext *ext;
+{
+ struct sadb_prop *prop = (struct sadb_prop *)ext;
+ struct sadb_comb *comb;
+ int len;
+
+ /* sanity check */
+ if (ext == NULL)
+ panic("kdebug_sadb_prop: NULL pointer was passed.\n");
+
+ len = (PFKEY_UNUNIT64(prop->sadb_prop_len) - sizeof(*prop))
+ / sizeof(*comb);
+ comb = (struct sadb_comb *)(prop + 1);
+ printf("sadb_prop{ replay=%u\n", prop->sadb_prop_replay);
+
+ while (len--) {
+ printf("sadb_comb{ auth=%u encrypt=%u "
+ "flags=0x%04x reserved=0x%08x\n",
+ comb->sadb_comb_auth, comb->sadb_comb_encrypt,
+ comb->sadb_comb_flags, comb->sadb_comb_reserved);
+
+ printf(" auth_minbits=%u auth_maxbits=%u "
+ "encrypt_minbits=%u encrypt_maxbits=%u\n",
+ comb->sadb_comb_auth_minbits,
+ comb->sadb_comb_auth_maxbits,
+ comb->sadb_comb_encrypt_minbits,
+ comb->sadb_comb_encrypt_maxbits);
+
+ printf(" soft_alloc=%u hard_alloc=%u "
+ "soft_bytes=%lu hard_bytes=%lu\n",
+ comb->sadb_comb_soft_allocations,
+ comb->sadb_comb_hard_allocations,
+ (unsigned long)comb->sadb_comb_soft_bytes,
+ (unsigned long)comb->sadb_comb_hard_bytes);
+
+ printf(" soft_alloc=%lu hard_alloc=%lu "
+ "soft_bytes=%lu hard_bytes=%lu }\n",
+ (unsigned long)comb->sadb_comb_soft_addtime,
+ (unsigned long)comb->sadb_comb_hard_addtime,
+ (unsigned long)comb->sadb_comb_soft_usetime,
+ (unsigned long)comb->sadb_comb_hard_usetime);
+ comb++;
+ }
+ printf("}\n");
+
+ return;
+}
+
+static void
+kdebug_sadb_identity(ext)
+ struct sadb_ext *ext;
+{
+ struct sadb_ident *id = (struct sadb_ident *)ext;
+ int len;
+
+ /* sanity check */
+ if (ext == NULL)
+ panic("kdebug_sadb_identity: NULL pointer was passed.\n");
+
+ len = PFKEY_UNUNIT64(id->sadb_ident_len) - sizeof(*id);
+ printf("sadb_ident_%s{",
+ id->sadb_ident_exttype == SADB_EXT_IDENTITY_SRC ? "src" : "dst");
+ printf(" type=%d id=%lu",
+ id->sadb_ident_type, (u_long)id->sadb_ident_id);
+ if (len) {
+#ifdef KERNEL
+ ipsec_hexdump((caddr_t)(id + 1), len); /*XXX cast ?*/
+#else
+ char *p, *ep;
+ printf("\n str=\"");
+ p = (char *)(id + 1);
+ ep = p + len;
+ for (/*nothing*/; *p && p < ep; p++) {
+ if (isprint(*p))
+ printf("%c", *p & 0xff);
+ else
+ printf("\\%03o", *p & 0xff);
+ }
+#endif
+ printf("\"");
+ }
+ printf(" }\n");
+
+ return;
+}
+
+static void
+kdebug_sadb_supported(ext)
+ struct sadb_ext *ext;
+{
+ struct sadb_supported *sup = (struct sadb_supported *)ext;
+ struct sadb_alg *alg;
+ int len;
+
+ /* sanity check */
+ if (ext == NULL)
+ panic("kdebug_sadb_supported: NULL pointer was passed.\n");
+
+ len = (PFKEY_UNUNIT64(sup->sadb_supported_len) - sizeof(*sup))
+ / sizeof(*alg);
+ alg = (struct sadb_alg *)(sup + 1);
+ printf("sadb_sup{\n");
+ while (len--) {
+ printf(" { id=%d ivlen=%d min=%d max=%d }\n",
+ alg->sadb_alg_id, alg->sadb_alg_ivlen,
+ alg->sadb_alg_minbits, alg->sadb_alg_maxbits);
+ alg++;
+ }
+ printf("}\n");
+
+ return;
+}
+
+static void
+kdebug_sadb_lifetime(ext)
+ struct sadb_ext *ext;
+{
+ struct sadb_lifetime *lft = (struct sadb_lifetime *)ext;
+
+ /* sanity check */
+ if (ext == NULL)
+ printf("kdebug_sadb_lifetime: NULL pointer was passed.\n");
+
+ printf("sadb_lifetime{ alloc=%u, bytes=%u\n",
+ lft->sadb_lifetime_allocations,
+ (u_int32_t)lft->sadb_lifetime_bytes);
+ printf(" addtime=%u, usetime=%u }\n",
+ (u_int32_t)lft->sadb_lifetime_addtime,
+ (u_int32_t)lft->sadb_lifetime_usetime);
+
+ return;
+}
+
+static void
+kdebug_sadb_sa(ext)
+ struct sadb_ext *ext;
+{
+ struct sadb_sa *sa = (struct sadb_sa *)ext;
+
+ /* sanity check */
+ if (ext == NULL)
+ panic("kdebug_sadb_sa: NULL pointer was passed.\n");
+
+ printf("sadb_sa{ spi=%u replay=%u state=%u\n",
+ (u_int32_t)ntohl(sa->sadb_sa_spi), sa->sadb_sa_replay,
+ sa->sadb_sa_state);
+ printf(" auth=%u encrypt=%u flags=0x%08x }\n",
+ sa->sadb_sa_auth, sa->sadb_sa_encrypt, sa->sadb_sa_flags);
+
+ return;
+}
+
+static void
+kdebug_sadb_address(ext)
+ struct sadb_ext *ext;
+{
+ struct sadb_address *addr = (struct sadb_address *)ext;
+
+ /* sanity check */
+ if (ext == NULL)
+ panic("kdebug_sadb_address: NULL pointer was passed.\n");
+
+ printf("sadb_address{ proto=%u prefixlen=%u reserved=0x%02x%02x }\n",
+ addr->sadb_address_proto, addr->sadb_address_prefixlen,
+ ((u_char *)&addr->sadb_address_reserved)[0],
+ ((u_char *)&addr->sadb_address_reserved)[1]);
+
+ kdebug_sockaddr((struct sockaddr *)((caddr_t)ext + sizeof(*addr)));
+
+ return;
+}
+
+static void
+kdebug_sadb_key(ext)
+ struct sadb_ext *ext;
+{
+ struct sadb_key *key = (struct sadb_key *)ext;
+
+ /* sanity check */
+ if (ext == NULL)
+ panic("kdebug_sadb_key: NULL pointer was passed.\n");
+
+ printf("sadb_key{ bits=%u reserved=%u }\n",
+ key->sadb_key_bits, key->sadb_key_reserved);
+ printf(" key=");
+
+ /* sanity check 2 */
+ if ((key->sadb_key_bits >> 3) >
+ (PFKEY_UNUNIT64(key->sadb_key_len) - sizeof(struct sadb_key))) {
+ printf("kdebug_sadb_key: key length mismatch, bit:%d len:%ld.\n",
+ key->sadb_key_bits >> 3,
+ (long)PFKEY_UNUNIT64(key->sadb_key_len) - sizeof(struct sadb_key));
+ }
+
+ ipsec_hexdump((caddr_t)key + sizeof(struct sadb_key),
+ key->sadb_key_bits >> 3);
+ printf(" }\n");
+ return;
+}
+
+void
+kdebug_sadb_x_policy(ext)
+ struct sadb_ext *ext;
+{
+ struct sadb_x_policy *xpl = (struct sadb_x_policy *)ext;
+
+ /* sanity check */
+ if (ext == NULL)
+ panic("kdebug_sadb_x_policy: NULL pointer was passed.\n");
+
+ printf("sadb_x_policy{ type=%u reserved=%x }\n",
+ xpl->sadb_x_policy_type, xpl->sadb_x_policy_reserved);
+
+ if (xpl->sadb_x_policy_type == IPSEC_POLICY_IPSEC) {
+ int tlen;
+ struct sadb_x_ipsecrequest *xisr;
+ int xxx_len; /* for sanity check */
+
+ tlen = PFKEY_UNUNIT64(xpl->sadb_x_policy_len) - sizeof(*xpl);
+ xisr = (struct sadb_x_ipsecrequest *)((caddr_t)xpl
+ + sizeof(*xpl));
+
+ while (tlen > 0) {
+ printf(" { len=%u proto=%u mode=%u level=%u",
+ xisr->sadb_x_ipsecrequest_len,
+ xisr->sadb_x_ipsecrequest_proto,
+ xisr->sadb_x_ipsecrequest_mode,
+ xisr->sadb_x_ipsecrequest_level);
+
+ xxx_len = sizeof(*xisr);
+
+ /* tunnel mode ? */
+ if (xisr->sadb_x_ipsecrequest_mode ==IPSEC_MODE_TUNNEL){
+ struct sockaddr *addr
+ = (struct sockaddr *)((caddr_t)xisr
+ + sizeof(*xisr));
+
+ printf("\n");
+ xxx_len += PFKEY_ALIGN8(addr->sa_len);
+ kdebug_sockaddr(addr);
+ } else
+ printf(" }\n");
+
+ /* sanity check */
+ if (xisr->sadb_x_ipsecrequest_len != xxx_len) {
+ printf("kdebug_sadb_x_policy: "
+ "Invalid request length, "
+ "reqlen:%d real:%d\n",
+ xisr->sadb_x_ipsecrequest_len,
+ xxx_len);
+ return;
+ }
+
+ tlen -= xisr->sadb_x_ipsecrequest_len;
+
+ /* sanity check */
+ if (tlen < 0) {
+ printf("kdebug_sadb_x_policy: "
+ "becoming tlen < 0.\n");
+ return;
+ }
+
+ xisr = (struct sadb_x_ipsecrequest *)((caddr_t)xisr
+ + xisr->sadb_x_ipsecrequest_len);
+ }
+ }
+
+ return;
+}
+
+#ifdef KERNEL
+/* %%%: about SPD and SAD */
+void
+kdebug_secpolicy(sp)
+ struct secpolicy *sp;
+{
+ /* sanity check */
+ if (sp == NULL)
+ panic("kdebug_secpolicy: NULL pointer was passed.\n");
+
+ printf("secpolicy{ refcnt=%u state=%u policy=%u\n",
+ sp->refcnt, sp->state, sp->policy);
+
+ kdebug_secindex(&sp->idx);
+
+ switch (sp->policy) {
+ case IPSEC_POLICY_DISCARD:
+ printf(" type=discard }\n");
+ break;
+ case IPSEC_POLICY_NONE:
+ printf(" type=none }\n");
+ break;
+ case IPSEC_POLICY_IPSEC:
+ {
+ struct ipsecrequest *isr;
+ for (isr = sp->req; isr != NULL; isr = isr->next) {
+
+ printf(" proto=%u mode=%u level=%u\n",
+ isr->proto, isr->mode, isr->level);
+
+ if (isr->mode == IPSEC_MODE_TUNNEL) {
+ /* sanity check */
+ if (isr->proxy == NULL) {
+ printf("kdebug_secpolicy: "
+ "Specified tunnel mode, "
+ "but proxy points to NULL.\n");
+ continue;
+ }
+ kdebug_sockaddr(isr->proxy);
+ }
+
+ if (isr->sa != NULL)
+ kdebug_secas(isr->sa);
+ }
+ printf(" }\n");
+ }
+ break;
+ case IPSEC_POLICY_BYPASS:
+ printf(" type=bypass }\n");
+ break;
+ case IPSEC_POLICY_ENTRUST:
+ printf(" type=entrust }\n");
+ break;
+ default:
+ printf("kdebug_secpolicy: Invalid policy found. %d\n",
+ sp->policy);
+ break;
+ }
+
+ return;
+}
+
+void
+kdebug_secindex(idx)
+ struct secindex *idx;
+{
+ /* sanity check */
+ if (idx == NULL)
+ panic("kdebug_secindex: NULL pointer was passed.\n");
+
+ printf("secindex{ family=%u prefs=%u prefd=%d\n",
+ idx->family, idx->prefs, idx->prefd);
+
+ ipsec_hexdump((caddr_t)&idx->src, _INALENBYAF(idx->family));
+ printf("\n");
+ ipsec_hexdump((caddr_t)&idx->dst, _INALENBYAF(idx->family));
+ printf("\n");
+
+ printf(" proto=%u ports=%u portd=%d }\n",
+ idx->proto, ntohs(idx->ports), ntohs(idx->portd));
+
+ return;
+}
+
+void
+kdebug_secas(sa)
+ struct secas *sa;
+{
+ /* sanity check */
+ if (sa == NULL)
+ panic("kdebug_secas: NULL pointer was passed.\n");
+
+ printf("secas{");
+ kdebug_secindex(&sa->saidx->idx);
+
+ printf(" refcnt=%u state=%u type=%u auth=%u enc=%u\n",
+ sa->refcnt, sa->state, sa->type, sa->alg_auth, sa->alg_enc);
+ printf(" spi=%lu flags=%u\n", (unsigned long) ntohl(sa->spi),
+ sa->flags);
+
+ if (sa->key_auth != NULL)
+ kdebug_sadb_key((struct sadb_ext *)sa->key_auth);
+ if (sa->key_enc != NULL)
+ kdebug_sadb_key((struct sadb_ext *)sa->key_enc);
+ if (sa->iv != NULL) {
+ ipsec_hexdump(sa->iv, sa->ivlen ? sa->ivlen : 8);
+ printf("\n");
+ }
+ if (sa->proxy != NULL) {
+ kdebug_sockaddr(sa->proxy);
+ printf("\n");
+ }
+ if (sa->replay != NULL)
+ kdebug_secreplay(sa->replay);
+ if (sa->lft_c != NULL)
+ kdebug_sadb_lifetime((struct sadb_ext *)sa->lft_c);
+ if (sa->lft_h != NULL)
+ kdebug_sadb_lifetime((struct sadb_ext *)sa->lft_h);
+ if (sa->lft_s != NULL)
+ kdebug_sadb_lifetime((struct sadb_ext *)sa->lft_s);
+
+ /* XXX: misc[123] ? */
+
+ return;
+}
+
+static void
+kdebug_secreplay(rpl)
+ struct secreplay *rpl;
+{
+ int len, l;
+
+ /* sanity check */
+ if (rpl == NULL)
+ panic("kdebug_secreplay: NULL pointer was passed.\n");
+
+ printf(" secreplay{ count=%u wsize=%u seq=%u lastseq=%u",
+ rpl->count, rpl->wsize, rpl->seq, rpl->lastseq);
+
+ if (rpl->bitmap == NULL) {
+ printf(" }\n");
+ return;
+ }
+
+ printf("\n bitmap { ");
+
+ for (len = 0; len < rpl->wsize; len++) {
+ for (l = 7; l >= 0; l--)
+ printf("%u", (((rpl->bitmap)[len] >> l) & 1) ? 1 : 0);
+ }
+ printf(" }\n");
+
+ return;
+}
+
+void
+kdebug_mbufhdr(m)
+ struct mbuf *m;
+{
+ /* sanity check */
+ if (m == NULL)
+ panic("debug_mbufhdr: NULL pointer was passed.\n");
+
+ printf("mbuf(%p){ m_next:%p m_nextpkt:%p m_data:%p "
+ "m_len:%d m_type:0x%02x m_flags:0x%02x }\n",
+ m, m->m_next, m->m_nextpkt, m->m_data,
+ m->m_len, m->m_type, m->m_flags);
+
+ if (m->m_flags & M_PKTHDR) {
+ printf(" m_pkthdr{ len:%d rcvif:%p }\n",
+ m->m_pkthdr.len, m->m_pkthdr.rcvif);
+ }
+
+#ifdef __FreeBSD__
+ if (m->m_flags & M_EXT) {
+ printf(" m_ext{ ext_buf:%p ext_free:%p "
+ "ext_size:%u ext_ref:%p }\n",
+ m->m_ext.ext_buf, m->m_ext.ext_free,
+ m->m_ext.ext_size, m->m_ext.ext_ref);
+ }
+#endif
+
+ return;
+}
+
+void
+kdebug_mbuf(m0)
+ struct mbuf *m0;
+{
+ struct mbuf *m = m0;
+ int i, j;
+
+ kdebug_mbufhdr(m);
+ printf(" m_data=\n");
+ for (j = 0; m; m = m->m_next) {
+ for (i = 0; i < m->m_len; i++) {
+ if (i != 0 && i % 32 == 0) printf("\n");
+ if (i % 4 == 0) printf(" ");
+ printf("%02x", mtod(m, u_char *)[i]);
+ j++;
+ }
+ }
+
+ printf("\n");
+
+ return;
+}
+#endif /* KERNEL */
+
+void
+kdebug_sockaddr(addr)
+ struct sockaddr *addr;
+{
+ /* sanity check */
+ if (addr == NULL)
+ panic("kdebug_sockaddr: NULL pointer was passed.\n");
+
+ /* NOTE: We deal with port number as host byte order. */
+ printf("sockaddr{ len=%u family=%u port=%u\n",
+ addr->sa_len, addr->sa_family, ntohs(_INPORTBYSA(addr)));
+
+#ifdef INET6
+ if (addr->sa_family == PF_INET6) {
+ struct sockaddr_in6 *in6 = (struct sockaddr_in6 *)addr;
+ printf(" flowinfo=0x%08x, scope_id=0x%08x\n",
+ in6->sin6_flowinfo, in6->sin6_scope_id);
+ }
+#endif
+
+ ipsec_hexdump(_INADDRBYSA(addr), _INALENBYAF(addr->sa_family));
+
+ printf(" }\n");
+
+ return;
+}
+
+#endif /* !defined(KERNEL) || (defined(KERNEL) && defined(IPSEC_DEBUG)) */
+
+void
+ipsec_bindump(buf, len)
+ caddr_t buf;
+ int len;
+{
+ int i;
+
+ for (i = 0; i < len; i++)
+ printf("%c", (unsigned char)buf[i]);
+
+ return;
+}
+
+
+void
+ipsec_hexdump(buf, len)
+ caddr_t buf;
+ int len;
+{
+ int i;
+
+ for (i = 0; i < len; i++) {
+ if (i != 0 && i % 32 == 0) printf("\n");
+ if (i % 4 == 0) printf(" ");
+ printf("%02x", (unsigned char)buf[i]);
+ }
+#if 0
+ if (i % 32 != 0) printf("\n");
+#endif
+
+ return;
+}
+
View
99 kame/sys/netkey/key_debug.h
@@ -0,0 +1,99 @@
+/*
+ * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of the project nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/* $Id: key_debug.h,v 1.1.1.1 1999/08/03 01:02:11 itojun Exp $ */
+
+#ifndef _NETKEY_KEY_DEBUG_H_
+#define _NETKEY_KEY_DEBUG_H_
+
+#ifdef __NetBSD__
+# ifdef _KERNEL
+# define KERNEL
+# endif
+#endif
+
+#if !defined(KERNEL) || (defined(KERNEL) && defined(IPSEC_DEBUG))
+
+/* debug flags */
+#define KEYDEBUG_STAMP 0x00000001 /* path */
+#define KEYDEBUG_DATA 0x00000002 /* data */
+#define KEYDEBUG_DUMP 0x00000004 /* dump */
+
+#define KEYDEBUG_KEY 0x00000010 /* key processing */
+#define KEYDEBUG_ALG 0x00000020 /* ciph & auth algorithm */
+#define KEYDEBUG_IPSEC 0x00000040 /* ipsec processing */
+
+#define KEYDEBUG_KEY_STAMP (KEYDEBUG_KEY | KEYDEBUG_STAMP)
+#define KEYDEBUG_KEY_DATA (KEYDEBUG_KEY | KEYDEBUG_DATA)
+#define KEYDEBUG_KEY_DUMP (KEYDEBUG_KEY | KEYDEBUG_DUMP)
+#define KEYDEBUG_ALG_STAMP (KEYDEBUG_ALG | KEYDEBUG_STAMP)
+#define KEYDEBUG_ALG_DATA (KEYDEBUG_ALG | KEYDEBUG_DATA)
+#define KEYDEBUG_ALG_DUMP (KEYDEBUG_ALG | KEYDEBUG_DUMP)
+#define KEYDEBUG_IPSEC_STAMP (KEYDEBUG_IPSEC | KEYDEBUG_STAMP)
+#define KEYDEBUG_IPSEC_DATA (KEYDEBUG_IPSEC | KEYDEBUG_DATA)
+#define KEYDEBUG_IPSEC_DUMP (KEYDEBUG_IPSEC | KEYDEBUG_DUMP)
+
+#define KEYDEBUG(lev,arg) if ((key_debug_level & (lev)) == (lev)) { arg; }
+
+#ifdef KERNEL
+extern u_int32_t key_debug_level;
+#endif /*KERNEL*/
+
+struct sadb_msg;
+struct sadb_ext;
+extern void kdebug_sadb __P((struct sadb_msg *));
+extern void kdebug_sadb_x_policy __P((struct sadb_ext *));
+
+#ifdef KERNEL
+struct secpolicy;
+struct secindex;
+struct secas;
+struct secreplay;
+struct mbuf;
+extern void kdebug_secindex __P((struct secindex *));
+extern void kdebug_secpolicy __P((struct secpolicy *));
+extern void kdebug_secas __P((struct secas *));
+extern void kdebug_mbufhdr __P((struct mbuf *));
+extern void kdebug_mbuf __P((struct mbuf *));
+#endif /*KERNEL*/
+
+struct sockaddr;
+extern void kdebug_sockaddr __P((struct sockaddr *));
+
+#else
+
+#define KEYDEBUG(lev,arg)
+
+#endif /*!defined(KERNEL) || (defined(KERNEL) && defined(IPSEC_DEBUG))*/
+
+extern void ipsec_hexdump __P((caddr_t, int));
+extern void ipsec_bindump __P((caddr_t, int));
+
+#endif /* _NETKEY_KEY_DEBUG_H_ */
+
View
125 kame/sys/netkey/key_var.h
@@ -0,0 +1,125 @@
+/*
+ * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of the project nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifndef _NETKEY_KEY_VAR_H_
+#define _NETKEY_KEY_VAR_H_
+
+/* sysctl */
+#define KEYCTL_DEBUG_LEVEL 1
+#define KEYCTL_SPI_TRY 2
+#define KEYCTL_SPI_MIN_VALUE 3
+#define KEYCTL_SPI_MAX_VALUE 4
+#define KEYCTL_RANDOM_INT 5
+#define KEYCTL_LARVAL_LIFETIME 6
+#define KEYCTL_BLOCKACQ_COUNT 7
+#define KEYCTL_BLOCKACQ_LIFETIME 8
+#define KEYCTL_MAXID 9
+
+#define KEYCTL_NAMES { \
+ { 0, 0 }, \
+ { "debug", CTLTYPE_INT }, \
+ { "spi_try", CTLTYPE_INT }, \
+ { "spi_min_value", CTLTYPE_INT }, \
+ { "spi_max_value", CTLTYPE_INT }, \
+ { "random_int", CTLTYPE_INT }, \
+ { "larval_lifetime", CTLTYPE_INT }, \
+ { "blockacq_count", CTLTYPE_INT }, \
+ { "blockacq_lifetime", CTLTYPE_INT }, \
+}
+
+#ifdef IPSEC_DEBUG
+#define KEYCTL_VARS { \
+ 0, \
+ &key_debug_level, \
+ &key_spi_trycnt, \
+ &key_spi_minval, \
+ &key_spi_maxval, \
+ &key_int_random, \
+ &key_larval_lifetime, \
+ &key_blockacq_count, \
+ &key_blockacq_lifetime, \
+}
+#else
+#define KEYCTL_VARS { \
+ 0, \
+ 0, \
+ &key_spi_trycnt, \
+ &key_spi_minval, \
+ &key_spi_maxval, \
+ &key_int_random, \
+ &key_larval_lifetime, \
+ &key_blockacq_count, \
+ &key_blockacq_lifetime, \
+}
+#endif
+
+#define _ARRAYLEN(p) (sizeof(p)/sizeof(p[0]))
+#define _KEYLEN(key) ((u_int)((key)->sadb_key_bits >> 3))
+#define _KEYBITS(key) ((u_int)((key)->sadb_key_bits))
+#define _KEYBUF(key) ((caddr_t)((caddr_t)(key) + sizeof(struct sadb_key)))
+
+#define _INADDR(in) ((struct sockaddr_in *)(in))
+
+#if defined(INET6)
+#define _IN6ADDR(in6) ((struct sockaddr_in6 *)(in6))
+#define _SALENBYAF(family) \
+ (((family) == AF_INET) ? \
+ (u_int)sizeof(struct sockaddr_in) : \
+ (u_int)sizeof(struct sockaddr_in6))
+#define _INALENBYAF(family) \
+ (((family) == AF_INET) ? \
+ (u_int)sizeof(struct in_addr) : \
+ (u_int)sizeof(struct in6_addr))
+#define _INADDRBYSA(saddr) \
+ ((((struct sockaddr *)(saddr))->sa_family == AF_INET) ? \
+ (caddr_t)&((struct sockaddr_in *)(saddr))->sin_addr : \
+ (caddr_t)&((struct sockaddr_in6 *)(saddr))->sin6_addr)
+#define _INPORTBYSA(saddr) \
+ ((((struct sockaddr *)(saddr))->sa_family == AF_INET) ? \
+ ((struct sockaddr_in *)(saddr))->sin_port : \
+ ((struct sockaddr_in6 *)(saddr))->sin6_port)
+#if 0
+#define _SADDRBYSA(saddr) \
+ ((((struct sockaddr *)(saddr))->sa_family == AF_INET) ? \
+ (caddr_t)&((struct sockaddr_in *)(saddr))->sin_addr.s_addr : \
+ (caddr_t)&((struct sockaddr_in6 *)(saddr))->sin6_addr.s6_addr)
+#endif
+#else
+#define _IN6ADDR(in6) "#error"
+#define _SALENBYAF(family) sizeof(struct sockaddr_in)
+#define _INALENBYAF(family) sizeof(struct in_addr)
+#define _INADDRBYSA(saddr) ((caddr_t)&((struct sockaddr_in *)(saddr))->sin_addr)
+#define _INPORTBYSA(saddr) (((struct sockaddr_in *)(saddr))->sin_port)
+#if 0
+#define _SADDRBYSA(saddr) \
+ ((caddr_t)&((struct sockaddr_in *)(saddr))->sin_addr.s_addr)
+#endif
+#endif /* defined(INET6) */
+
+#endif /* _NETKEY_KEY_VAR_H_ */
View
6,719 kame/sys/netkey/keydb.c
6,719 additions, 0 deletions not shown
View
199 kame/sys/netkey/keydb.h
@@ -0,0 +1,199 @@
+/*
+ * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of the project nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifndef _NETKEY_KEYDB_H_
+#define _NETKEY_KEYDB_H_
+
+#ifdef __NetBSD__
+# ifdef _KERNEL
+# define KERNEL
+# endif
+#endif
+
+#ifdef KERNEL
+
+#include <netkey/key_var.h>
+
+/* Must include ipsec.h and keyv2.h before in its use. */
+
+/* management for the tree and nodes. */
+struct keytree {
+ struct keynode *head;
+ struct keynode *tail;
+ int len;
+};
+
+struct keynode {
+ struct keynode *next;
+ struct keynode *prev;
+ struct keytree *back; /* pointer to the keytree */
+};
+
+/* index structure for SPD and SAD */
+/* NOTE: All field are network byte order. */
+struct secindex {
+ u_int8_t family; /* AF_INET or AF_INET6 */
+ u_int8_t prefs; /* preference for srouce address in bits */
+ u_int8_t prefd; /* preference for destination address in bits */
+ u_int8_t proto; /* upper layer Protocol */
+ u_int16_t ports; /* source port */
+ u_int16_t portd; /* destination port */
+ union {
+#if 0 /* #include dependency... */
+ struct in_addr src4;
+ struct in6_addr src6;
+#endif
+ u_int8_t srcany[16]; /*guarantee minimum size*/
+ } src; /* buffer for source address */
+ union {
+#if 0 /* #include dependency... */
+ struct in_addr dst4;
+ struct in6_addr dst6;
+#endif
+ u_int8_t dstany[16]; /*guarantee minimum size*/
+ } dst; /* buffer for destination address */
+};
+
+/* direction of SA */
+#define SADB_X_DIR_UNKNOWN 0 /* initial */
+#define SADB_X_DIR_INBOUND 1
+#define SADB_X_DIR_OUTBOUND 2
+#define SADB_X_DIR_BIDIRECT 3 /* including loopback */
+#define SADB_X_DIR_MAX 4
+#define SADB_X_DIR_INVALID 4
+ /*
+ * Since X_DIR_INVALID is equal to SADB_X_DIR_MAX,
+ * it can be used just as flag. The other are too
+ * used for loop counter.
+ */
+
+/* Security Association Data Base */
+struct secasindex {
+ struct secasindex *next;
+ struct secasindex *prev;
+ struct keytree *saidxt; /* back pointer to */
+ /* the top of SA index tree */
+
+ struct secindex idx; /* security index */
+
+ struct keytree satree[SADB_SASTATE_MAX+1];
+ /* SA chain */
+
+ struct route sa_route; /* XXX */
+};
+
+/* Security Association */
+struct secas {
+ struct secas *next;
+ struct secas *prev;
+ struct keytree *sat; /* back pointer to the top of SA tree */
+
+ int refcnt; /* reference count */
+ u_int8_t state; /* Status of this Association */
+ u_int8_t type; /* Type of this association: protocol */
+ u_int8_t alg_auth; /* Authentication Algorithm Identifier*/
+ u_int8_t alg_enc; /* Cipher Algorithm Identifier */
+ u_int32_t spi; /* SPI Value, network byte order */
+ u_int32_t flags; /* holder for SADB_KEY_FLAGS */
+ struct sadb_key *key_auth; /* Key for Authentication */
+ /* length has been shifted up to 3. */
+ struct sadb_key *key_enc; /* Key for Encryption */
+ /* length has been shifted up to 3. */
+ struct sockaddr *proxy; /* Proxy IP address for Destination */
+ struct secreplay *replay; /* replay prevention */
+ u_int32_t tick; /* for lifetime */
+ struct sadb_lifetime *lft_c; /* CURRENT lifetime, it's constant. */
+ struct sadb_lifetime *lft_h; /* HARD lifetime */
+ struct sadb_lifetime *lft_s; /* SOFT lifetime */
+ /* sadb_lifetime_len is in 32 bits. */
+
+ caddr_t iv; /* Initilization Vector */
+ u_int ivlen; /* XXX: quick hack */
+ caddr_t misc1; /* the use for example DES's setkey. */
+ caddr_t misc2;
+ caddr_t misc3;
+
+ u_int32_t seq; /* sequence number */
+ u_int32_t pid; /* pid */
+
+ struct secasindex *saidx; /* back pointer to the secasindex */
+};
+
+/* replay prevention */
+struct secreplay {
+ u_int32_t count;
+ u_int wsize; /* window size, i.g. 4 bytes */
+ u_int32_t seq; /* used by sender */
+ u_int32_t lastseq; /* used by receiver */
+ caddr_t bitmap; /* used by receiver */
+};
+
+/* socket table due to send PF_KEY messages. */
+struct secreg {
+ struct secreg *next;
+ struct secreg *prev;
+ struct keytree *regt; /* back pointer to the top of secreg tree */
+
+ struct socket *so;
+};
+
+#ifndef IPSEC_BLOCK_ACQUIRE
+/* acquiring list table. */
+struct secacq {
+ struct secacq *next;
+ struct secacq *prev;
+ struct keytree *acqt; /* back pointer to the top of secacq tree */
+
+#if 1
+ struct secindex idx; /* security index */
+ u_int8_t proto; /* Type of this association: IPsec protocol */
+ u_int8_t proxy[16]; /* buffer for proxy address */
+#else
+ u_int8_t hash[16];
+#endif
+
+ u_int32_t seq; /* sequence number */
+ u_int32_t tick; /* for lifetime */
+ int count; /* for lifetime */
+};
+#endif
+
+/* Sensitivity Level Specification */
+/* nothing */
+
+#define SADB_KILL_INTERVAL 600 /* six seconds */
+
+struct key_cb {
+ int key_count;
+ int any_count;
+};
+
+#endif /* KERNEL */
+
+#endif /* _NETKEY_KEYDB_H_ */
View
501 kame/sys/netkey/keysock.c
@@ -0,0 +1,501 @@
+/*
+ * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of the project nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/* KAME @(#)$Id: keysock.c,v 1.1.1.1 1999/08/03 01:02:15 itojun Exp $ */
+
+#if defined(__FreeBSD__) && __FreeBSD__ >= 3
+#include "opt_inet.h"
+#endif
+
+/* This code has derived from sys/net/rtsock.c on FreeBSD2.2.5 */
+
+#ifdef __NetBSD__
+# ifdef _KERNEL
+# define KERNEL
+# endif
+#endif
+
+#include <sys/types.h>
+#include <sys/param.h>
+#include <sys/systm.h>
+#include <sys/kernel.h>
+#ifdef __FreeBSD__
+#include <sys/sysctl.h>
+#endif
+#include <sys/mbuf.h>
+#include <sys/socket.h>
+#include <sys/socketvar.h>
+#include <sys/domain.h>
+#include <sys/protosw.h>
+#include <sys/errno.h>
+#ifdef __NetBSD__
+#include <sys/proc.h>
+#include <sys/queue.h>
+#endif
+
+#ifdef __FreeBSD__
+#include <machine/spl.h>
+#endif
+
+#include <net/raw_cb.h>
+#include <net/route.h>
+
+#include <netkey/keyv2.h>
+#include <netkey/keydb.h>
+#include <netkey/key.h>
+#include <netkey/keysock.h>
+#include <netkey/key_debug.h>
+
+#include <machine/stdarg.h>
+
+struct sockaddr key_dst = { 2, PF_KEY, };
+struct sockaddr key_src = { 2, PF_KEY, };
+struct sockproto key_proto = { PF_KEY, PF_KEY_V2 };
+
+static int key_sendup0 __P((struct rawcb *, struct mbuf *, int));
+
+#if 1
+#define KMALLOC(p, t, n) \
+ ((p) = (t) malloc((unsigned long)(n), M_SECA, M_NOWAIT))
+#define KFREE(p) \
+ free((caddr_t)(p), M_SECA);
+#else
+#define KMALLOC(p, t, n) \
+ do { \
+ ((p) = (t)malloc((unsigned long)(n), M_SECA, M_NOWAIT));\
+ printf("%s %d: %p <- KMALLOC(%s, %d)\n", \
+ __FILE__, __LINE__, (p), #t, n); \
+ } while (0)
+
+#define KFREE(p) \
+ do { \
+ printf("%s %d: %p -> KFREE()\n", __FILE__, __LINE__, (p));\
+ free((caddr_t)(p), M_SECA); \
+ } while (0)
+#endif
+
+/*
+ * key_usrreq()
+ * derived from net/rtsock.c:route_usrreq()
+ */
+#ifndef __NetBSD__
+int
+key_usrreq(so, req, m, nam, control)
+ register struct socket *so;
+ int req;
+ struct mbuf *m, *nam, *control;
+#else
+int
+key_usrreq(so, req, m, nam, control, p)
+ register struct socket *so;
+ int req;
+ struct mbuf *m, *nam, *control;
+ struct proc *p;
+#endif /*__NetBSD__*/
+{
+ register int error = 0;
+ register struct keycb *kp = (struct keycb *)sotorawcb(so);
+ int s;
+
+#ifdef __NetBSD__
+ s = splsoftnet();
+#else
+ s = splnet();
+#endif
+ if (req == PRU_ATTACH) {
+ MALLOC(kp, struct keycb *, sizeof(*kp), M_PCB, M_WAITOK);
+ so->so_pcb = (caddr_t)kp;
+ if (so->so_pcb)
+ bzero(so->so_pcb, sizeof(*kp));
+ }
+ if (req == PRU_DETACH && kp) {
+ int af = kp->kp_raw.rcb_proto.sp_protocol;
+ if (af == PF_KEY) /* XXX: AF_KEY */
+ key_cb.key_count--;
+ key_cb.any_count--;
+
+ key_freereg(so);
+ }
+
+#ifndef __NetBSD__
+ error = raw_usrreq(so, req, m, nam, control);
+#else
+ error = raw_usrreq(so, req, m, nam, control, p);
+#endif
+ m = control = NULL; /* reclaimed in raw_usrreq */
+ kp = (struct keycb *)sotorawcb(so);
+ if (req == PRU_ATTACH && kp) {
+ int af = kp->kp_raw.rcb_proto.sp_protocol;
+ if (error) {
+ printf("key_usrreq: key_usrreq results %d\n", error);
+ free((caddr_t)kp, M_PCB);
+ so->so_pcb = (caddr_t) 0;
+ splx(s);
+ return(error);
+ }
+
+ kp->kp_promisc = kp->kp_registered = 0;
+
+ if (af == PF_KEY) /* XXX: AF_KEY */
+ key_cb.key_count++;
+ key_cb.any_count++;
+#ifndef __bsdi__
+ kp->kp_raw.rcb_laddr = &key_src;
+ kp->kp_raw.rcb_faddr = &key_dst;
+#else
+ /*
+ * XXX rcb_faddr must be dynamically allocated, otherwise
+ * raw_disconnect() will be angry.
+ */
+ {
+ struct mbuf *m, *n;
+ MGET(m, M_WAITOK, MT_DATA);
+ if (!m) {
+ error = ENOBUFS;
+ printf("key_usrreq: key_usrreq results %d\n", error);
+ free((caddr_t)kp, M_PCB);
+ so->so_pcb = (caddr_t) 0;
+ splx(s);
+ return(error);
+ }
+ MGET(n, M_WAITOK, MT_DATA);
+ if (!n) {
+ error = ENOBUFS;
+ m_freem(m);
+ printf("key_usrreq: key_usrreq results %d\n", error);
+ free((caddr_t)kp, M_PCB);
+ so->so_pcb = (caddr_t) 0;
+ splx(s);
+ return(error);
+ }
+ m->m_len = sizeof(key_src);
+ kp->kp_raw.rcb_laddr = mtod(m, struct sockaddr *);
+ bcopy(&key_src, kp->kp_raw.rcb_laddr, sizeof(key_src));
+ n->m_len = sizeof(key_dst);
+ kp->kp_raw.rcb_faddr = mtod(n, struct sockaddr *);
+ bcopy(&key_dst, kp->kp_raw.rcb_faddr, sizeof(key_dst));
+ }
+#endif
+ soisconnected(so);
+ so->so_options |= SO_USELOOPBACK;
+ }
+ splx(s);
+ return(error);
+}
+
+/*
+ * key_output()
+ */
+int
+#if __STDC__
+key_output(struct mbuf *m, ...)
+#else
+key_output(m, va_alist)
+ struct mbuf *m;
+ va_dcl
+#endif
+{
+ struct sadb_msg *msg = NULL;
+ int len, error = 0;
+ int s;
+ int target;
+ struct socket *so;
+ va_list ap;
+
+ va_start(ap, m);
+ so = va_arg(ap, struct socket *);
+ va_end(ap);
+
+ if (m == 0)
+ panic("key_output: NULL pointer was passed.\n");
+
+ if (m->m_len < sizeof(long)
+ && (m = m_pullup(m, 8)) == 0) {
+ printf("key_output: can't pullup mbuf\n");
+ error = ENOBUFS;
+ goto end;
+ }
+
+ if ((m->m_flags & M_PKTHDR) == 0)
+ panic("key_output: not M_PKTHDR ??");
+
+#if defined(IPSEC_DEBUG)
+ KEYDEBUG(KEYDEBUG_KEY_DUMP, kdebug_mbuf(m));
+#endif /* defined(IPSEC_DEBUG) */
+
+ len = m->m_pkthdr.len;
+ if (len < sizeof(struct sadb_msg)
+ || len != PFKEY_UNUNIT64(mtod(m, struct sadb_msg *)->sadb_msg_len)) {
+ printf("key_output: Invalid message length.\n");
+ error = EINVAL;
+ goto end;
+ }
+
+ /*
+ * allocate memory for sadb_msg, and copy to sadb_msg from mbuf
+ * XXX: To be processed directly without a copy.
+ */
+ KMALLOC(msg, struct sadb_msg *, len);
+ if (msg == 0) {
+ printf("key_output: No more memory.\n");
+ error = ENOBUFS;
+ goto end;
+ /* or do panic ? */
+ }
+ m_copydata(m, 0, len, (caddr_t)msg);
+
+ /*XXX giant lock*/
+#ifdef __NetBSD__
+ s = splsoftnet();
+#else
+ s = splnet();
+#endif
+ if ((len = key_parse(&msg, so, &target)) == 0) {
+ /* discard. i.e. no need to reply. */
+ error = 0;
+ splx(s);
+ goto end;
+ }
+
+ /* send up message to the socket */
+ error = key_sendup(so, msg, len, target);
+ splx(s);
+ KFREE(msg);
+end:
+ m_freem(m);
+ return (error);
+}
+
+/*
+ * send message to the socket.
+ */
+static int
+key_sendup0(rp, m, promisc)
+ struct rawcb *rp;
+ struct mbuf *m;
+ int promisc;
+{
+ if (promisc) {
+ struct sadb_msg *pmsg;
+
+ M_PREPEND(m, sizeof(struct sadb_msg), M_NOWAIT);
+ if (m && m->m_len < sizeof(struct sadb_msg))
+ m = m_pullup(m, sizeof(struct sadb_msg));
+ if (!m) {
+ printf("key_sendup0: cannot pullup\n");
+ m_freem(m);
+ return ENOBUFS;
+ }
+ m->m_pkthdr.len += sizeof(*pmsg);
+
+ pmsg = mtod(m, struct sadb_msg *);
+ bzero(pmsg, sizeof(*pmsg));
+ pmsg->sadb_msg_version = PF_KEY_V2;
+ pmsg->sadb_msg_type = SADB_X_PROMISC;
+ pmsg->sadb_msg_len = PFKEY_UNIT64(m->m_pkthdr.len);
+ /* pid and seq? */
+ }
+
+ if (!sbappendaddr(&rp->rcb_socket->so_rcv,
+ (struct sockaddr *)&key_src, m, NULL)) {
+ printf("key_sendup0: sbappendaddr failed\n");
+ m_freem(m);
+ return ENOBUFS;
+ }
+ sorwakeup(rp->rcb_socket);
+ return 0;
+}
+
+int
+key_sendup(so, msg, len, target)
+ struct socket *so;
+ struct sadb_msg *msg;
+ u_int len;
+ int target; /*target of the resulting message*/
+{
+ struct mbuf *m, *n, *mprev;
+ struct keycb *kp;
+ int sendup;
+ struct rawcb *rp;
+ int error;
+ int tlen;
+
+ /* sanity check */
+ if (so == 0 || msg == 0)
+ panic("key_sendup: NULL pointer was passed.\n");
+
+ KEYDEBUG(KEYDEBUG_KEY_DUMP,
+ printf("key_sendup: \n");
+ kdebug_sadb(msg));
+
+ /*
+ * Get mbuf chain whenever possible (not clusters),
+ * to save socket buffer. We'll be generating many SADB_ACQUIRE
+ * messages to listening key sockets. If we simmply allocate clusters,
+ * sbappendaddr() will raise ENOBUFS due to too little sbspace().
+ * sbspace() computes # of actual data bytes AND mbuf region.
+ *
+ * TODO: SADB_ACQUIRE filters should be implemented.
+ */
+ tlen = len;
+ m = mprev = NULL;
+ while (tlen > 0) {
+ if (tlen == len) {
+ MGETHDR(n, M_DONTWAIT, MT_DATA);
+ n->m_len = MHLEN;
+ } else {
+ MGET(n, M_DONTWAIT, MT_DATA);
+ n->m_len = MLEN;
+ }
+ if (!n)
+ return ENOBUFS;
+ if (tlen > MCLBYTES) { /*XXX better threshold? */
+ MCLGET(n, M_DONTWAIT);
+ if ((n->m_flags & M_EXT) == 0) {
+ m_free(n);
+ m_freem(m);
+ return ENOBUFS;
+ }
+ n->m_len = MCLBYTES;
+ }
+
+ if (tlen < n->m_len)
+ n->m_len = tlen;
+ n->m_next = NULL;
+ if (m == NULL)
+ m = mprev = n;
+ else {
+ mprev->m_next = n;
+ mprev = n;
+ }
+ tlen -= n->m_len;
+ n = NULL;
+ }
+ m->m_pkthdr.len = len;
+ m->m_pkthdr.rcvif = NULL;
+ m_copyback(m, 0, len, (caddr_t)msg);
+
+#ifndef __NetBSD__
+ for (rp = rawcb.rcb_next; rp != &rawcb; rp = rp->rcb_next)
+#else
+ for (rp = rawcb.lh_first; rp; rp = rp->rcb_list.le_next)
+#endif
+ {
+ if (rp->rcb_proto.sp_family != PF_KEY)
+ continue;
+ if (rp->rcb_proto.sp_protocol
+ && rp->rcb_proto.sp_protocol != PF_KEY_V2) {
+ continue;
+ }
+
+ kp = (struct keycb *)rp;
+
+ /*
+ * If you are in promiscuous mode, and when you get broadcasted
+ * reply, you'll get two PF_KEY messages.
+ * (based on pf_key@inner.net message on 14 Oct 1998)
+ */
+ if (((struct keycb *)rp)->kp_promisc) {
+ if ((n = m_copy(m, 0, (int)M_COPYALL)) != NULL) {
+ (void)key_sendup0(rp, n, 1);
+ n = NULL;
+ }
+ }
+
+ /* the exact target will be processed later */
+ if (sotorawcb(so) == rp)
+ continue;
+
+ sendup = 0;
+ switch (target) {
+ case KEY_SENDUP_ONE:
+ /* the statement has no effect */
+ if (sotorawcb(so) == rp)
+ sendup++;
+ break;
+ case KEY_SENDUP_ALL:
+ sendup++;
+ break;
+ case KEY_SENDUP_REGISTERED:
+ if (kp->kp_registered)
+ sendup++;
+ break;
+ }
+
+ if (!sendup)
+ continue;
+
+ if ((n = m_copy(m, 0, (int)M_COPYALL)) == NULL) {
+ printf("key_sendup: m_copy fail\n");
+ m_freem(m);
+ return ENOBUFS;
+ }
+
+ if ((error = key_sendup0(rp, n, 0)) != 0) {
+ m_freem(m);
+ return error;
+ }
+
+ n = NULL;
+ }
+
+ error = key_sendup0(sotorawcb(so), m, 0);
+ m = NULL;
+ return error;
+}
+
+#ifdef __FreeBSD__
+/* sysctl */
+SYSCTL_NODE(_net, PF_KEY, key, CTLFLAG_RW, 0, "Key Family");
+#endif
+
+/*
+ * Definitions of protocols supported in the KEY domain.
+ */
+
+extern struct domain keydomain;
+
+struct protosw keysw[] = {
+{ SOCK_RAW, &keydomain, PF_KEY_V2, PR_ATOMIC|PR_ADDR,
+ 0, key_output, raw_ctlinput, 0,
+ key_usrreq,
+ raw_init, 0, 0, 0,
+#if defined(__bsdi__) || defined(__NetBSD__)
+ key_sysctl,
+#endif
+}
+};
+
+struct domain keydomain =
+ { PF_KEY, "key", key_init, 0, 0,
+ keysw, &keysw[sizeof(keysw)/sizeof(keysw[0])] };
+
+#ifdef __FreeBSD__
+DOMAIN_SET(key);
+#endif
View
67 kame/sys/netkey/keysock.h
@@ -0,0 +1,67 @@
+/*
+ * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of the project nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/* $Id: keysock.h,v 1.1.1.1 1999/08/03 01:02:15 itojun Exp $ */
+
+#ifndef _NETKEY_KEYSOCK_H_
+#define _NETKEY_KEYSOCK_H_
+
+#ifdef __NetBSD__
+# ifdef _KERNEL
+# define KERNEL
+# endif
+#endif
+
+#if defined(KERNEL)
+struct keycb {
+ struct rawcb kp_raw; /* rawcb */
+ int kp_promisc; /* promiscuous mode */
+ int kp_registered; /* registered socket */
+};
+
+extern int key_output __P((struct mbuf *, ...));
+#ifndef __NetBSD__
+extern int key_usrreq __P((struct socket *, int, struct mbuf *, struct mbuf *, struct mbuf *));
+#else
+extern int key_usrreq __P((struct socket *,
+ int, struct mbuf *, struct mbuf *, struct mbuf *, struct proc *));
+#endif
+
+#define KEY_SENDUP_ONE 0
+#define KEY_SENDUP_ALL 1
+#define KEY_SENDUP_REGISTERED 2
+
+extern int key_sendup __P((struct socket *, struct sadb_msg *, u_int, int));
+#else
+#if 0 /* no library defined for this */
+extern int key_sendup __P((int, struct sadb_msg *, u_int, int));
+#endif
+#endif /* defined(KERNEL) */
+
+#endif _NETKEY_KEYSOCK_H_
View
402 kame/sys/netkey/keyv2.h
@@ -0,0 +1,402 @@
+/*
+ * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of the project nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/* $Id: keyv2.h,v 1.1.1.1 1999/08/03 01:02:16 itojun Exp $ */
+
+/*
+ * This file has been derived rfc 2367,
+ * And added some flags of SADB_KEY_FLAGS_ as SADB_X_EXT_.
+ * sakane@ydc.co.jp
+ */
+
+#ifndef _NETKEY_KEYV2_H_
+#define _NETKEY_KEYV2_H_
+
+#ifdef __NetBSD__
+# ifdef _KERNEL
+# define KERNEL
+# endif
+#endif
+
+/*
+This file defines structures and symbols for the PF_KEY Version 2
+key management interface. It was written at the U.S. Naval Research
+Laboratory. This file is in the public domain. The authors ask that
+you leave this credit intact on any copies of this file.
+*/
+#ifndef __PFKEY_V2_H
+#define __PFKEY_V2_H 1
+
+#define PF_KEY_V2 2
+#define PFKEYV2_REVISION 199806L
+
+#define SADB_RESERVED 0
+#define SADB_GETSPI 1
+#define SADB_UPDATE 2
+#define SADB_ADD 3
+#define SADB_DELETE 4
+#define SADB_GET 5
+#define SADB_ACQUIRE 6
+#define SADB_REGISTER 7
+#define SADB_EXPIRE 8
+#define SADB_FLUSH 9
+#define SADB_DUMP 10
+#define SADB_X_PROMISC 11
+#define SADB_X_PCHANGE 12
+#define SADB_X_SPDADD 13
+#define SADB_X_SPDDELETE 14
+#define SADB_X_SPDDUMP 15
+#define SADB_X_SPDFLUSH 16
+#define SADB_MAX 16
+
+struct sadb_msg {
+ u_int8_t sadb_msg_version;
+ u_int8_t sadb_msg_type;
+ u_int8_t sadb_msg_errno;
+ u_int8_t sadb_msg_satype;
+ u_int16_t sadb_msg_len;
+ u_int16_t sadb_msg_reserved;
+ u_int32_t sadb_msg_seq;
+ u_int32_t sadb_msg_pid;
+};
+
+struct sadb_ext {
+ u_int16_t sadb_ext_len;
+ u_int16_t sadb_ext_type;
+};
+
+struct sadb_sa {
+ u_int16_t sadb_sa_len;
+ u_int16_t sadb_sa_exttype;
+ u_int32_t sadb_sa_spi;
+ u_int8_t sadb_sa_replay;
+ u_int8_t sadb_sa_state;
+ u_int8_t sadb_sa_auth;
+ u_int8_t sadb_sa_encrypt;
+ u_int32_t sadb_sa_flags;
+};
+
+struct sadb_lifetime {
+ u_int16_t sadb_lifetime_len;
+ u_int16_t sadb_lifetime_exttype;
+ u_int32_t sadb_lifetime_allocations;
+ u_int64_t sadb_lifetime_bytes;
+ u_int64_t sadb_lifetime_addtime;
+ u_int64_t sadb_lifetime_usetime;
+};
+
+struct sadb_address {
+ u_int16_t sadb_address_len;
+ u_int16_t sadb_address_exttype;
+ u_int8_t sadb_address_proto;
+ u_int8_t sadb_address_prefixlen;
+ u_int16_t sadb_address_reserved;
+};
+
+struct sadb_key {
+ u_int16_t sadb_key_len;
+ u_int16_t sadb_key_exttype;
+ u_int16_t sadb_key_bits;
+ u_int16_t sadb_key_reserved;
+};
+
+struct sadb_ident {
+ u_int16_t sadb_ident_len;
+ u_int16_t sadb_ident_exttype;
+ u_int16_t sadb_ident_type;
+ u_int16_t sadb_ident_reserved;
+ u_int64_t sadb_ident_id;
+};
+
+struct sadb_sens {
+ u_int16_t sadb_sens_len;
+ u_int16_t sadb_sens_exttype;
+ u_int32_t sadb_sens_dpd;
+ u_int8_t sadb_sens_sens_level;
+ u_int8_t sadb_sens_sens_len;
+ u_int8_t sadb_sens_integ_level;
+ u_int8_t sadb_sens_integ_len;
+ u_int32_t sadb_sens_reserved;
+};
+
+struct sadb_prop {
+ u_int16_t sadb_prop_len;
+ u_int16_t sadb_prop_exttype;
+ u_int8_t sadb_prop_replay;
+ u_int8_t sadb_prop_reserved[3];
+};
+
+struct sadb_comb {
+ u_int8_t sadb_comb_auth;
+ u_int8_t sadb_comb_encrypt;
+ u_int16_t sadb_comb_flags;
+ u_int16_t sadb_comb_auth_minbits;
+ u_int16_t sadb_comb_auth_maxbits;
+ u_int16_t sadb_comb_encrypt_minbits;
+ u_int16_t sadb_comb_encrypt_maxbits;
+ u_int32_t sadb_comb_reserved;
+ u_int32_t sadb_comb_soft_allocations;
+ u_int32_t sadb_comb_hard_allocations;
+ u_int64_t sadb_comb_soft_bytes;
+ u_int64_t sadb_comb_hard_bytes;
+ u_int64_t sadb_comb_soft_addtime;
+ u_int64_t sadb_comb_hard_addtime;
+ u_int64_t sadb_comb_soft_usetime;
+ u_int64_t sadb_comb_hard_usetime;
+};
+
+struct sadb_supported {
+ u_int16_t sadb_supported_len;
+ u_int16_t sadb_supported_exttype;
+ u_int32_t sadb_supported_reserved;
+};
+
+struct sadb_alg {
+ u_int8_t sadb_alg_id;
+ u_int8_t sadb_alg_ivlen;
+ u_int16_t sadb_alg_minbits;
+ u_int16_t sadb_alg_maxbits;
+ u_int16_t sadb_alg_reserved;
+};
+
+struct sadb_spirange {
+ u_int16_t sadb_spirange_len;
+ u_int16_t sadb_spirange_exttype;
+ u_int32_t sadb_spirange_min;
+ u_int32_t sadb_spirange_max;
+ u_int32_t sadb_spirange_reserved;
+};
+
+struct sadb_x_kmprivate {
+ u_int16_t sadb_x_kmprivate_len;
+ u_int16_t sadb_x_kmprivate_exttype;
+ u_int32_t sadb_x_kmprivate_reserved;
+};
+
+/* XXX Policy Extension */
+/* sizeof(struct sadb_x_policy) == 8 */
+struct sadb_x_policy {
+ u_int16_t sadb_x_policy_len;
+ u_int16_t sadb_x_policy_exttype;
+ u_int16_t sadb_x_policy_type; /* See ipsec.h */
+ u_int16_t sadb_x_policy_reserved;
+};
+/*
+ * followed by some of the ipsec policy request, if policy_type == IPSEC.
+ * [total length of ipsec policy requests]
+ * = (sadb_x_policy_len * sizeof(uint64_t) - sizeof(struct sadb_x_policy))
+ */
+
+/* XXX IPsec Policy Request Extension */
+/*
+ * This structure is aligned 8 bytes. Also it's aligned with proxy address
+ * if present.
+ */
+struct sadb_x_ipsecrequest {
+ u_int16_t sadb_x_ipsecrequest_len; /* structure length aligned 8 bytes.
+ * This value is true length of bytes.
+ * Not in units of 64 bits. */
+ u_int16_t sadb_x_ipsecrequest_proto; /* See ipsec.h */
+ u_int16_t sadb_x_ipsecrequest_mode; /* See ipsec.h */
+ u_int16_t sadb_x_ipsecrequest_level; /* See ipsec.h */
+ /* If mode != 0, the proxy address encoded struct sockaddr is following. */
+};
+
+#define SADB_EXT_RESERVED 0
+#define SADB_EXT_SA 1
+#define SADB_EXT_LIFETIME_CURRENT 2
+#define SADB_EXT_LIFETIME_HARD 3
+#define SADB_EXT_LIFETIME_SOFT 4
+#define SADB_EXT_ADDRESS_SRC 5
+#define SADB_EXT_ADDRESS_DST 6
+#define SADB_EXT_ADDRESS_PROXY 7
+#define SADB_EXT_KEY_AUTH 8
+#define SADB_EXT_KEY_ENCRYPT 9
+#define SADB_EXT_IDENTITY_SRC 10
+#define SADB_EXT_IDENTITY_DST 11
+#define SADB_EXT_SENSITIVITY 12
+#define SADB_EXT_PROPOSAL 13
+#define SADB_EXT_SUPPORTED_AUTH 14
+#define SADB_EXT_SUPPORTED_ENCRYPT 15
+#define SADB_EXT_SPIRANGE 16
+#define SADB_X_EXT_KMPRIVATE 17
+#define SADB_X_EXT_POLICY 18
+#define SADB_EXT_MAX 18
+
+#define SADB_SATYPE_UNSPEC 0
+#define SADB_SATYPE_AH 2
+#define SADB_SATYPE_ESP 3
+#define SADB_SATYPE_RSVP 5
+#define SADB_SATYPE_OSPFV2 6
+#define SADB_SATYPE_RIPV2 7
+#define SADB_SATYPE_MIP 8
+#define SADB_X_SATYPE_IPCOMP 9
+#define SADB_SATYPE_MAX 9
+
+#define SADB_SASTATE_LARVAL 0
+#define SADB_SASTATE_MATURE 1
+#define SADB_SASTATE_DYING 2
+#define SADB_SASTATE_DEAD 3
+#define SADB_SASTATE_MAX 3
+
+#define SADB_SAFLAGS_PFS 1
+
+#define SADB_AALG_NONE 0
+#define SADB_AALG_MD5HMAC 1 /* 2 */
+#define SADB_AALG_SHA1HMAC 2 /* 3 */
+#define SADB_AALG_MD5 3 /* Keyed MD5 */
+#define SADB_AALG_SHA 4 /* Keyed SHA */
+#define SADB_AALG_NULL 5 /* null authentication */
+#define SADB_AALG_MAX 6
+
+#define SADB_EALG_NONE 0
+#define SADB_EALG_DESCBC 1 /* 2 */
+#define SADB_EALG_3DESCBC 2 /* 3 */
+#define SADB_EALG_NULL 3 /* 11 */
+#define SADB_EALG_BLOWFISHCBC 4
+#define SADB_EALG_CAST128CBC 5
+#define SADB_EALG_RC5CBC 6
+#define SADB_EALG_MAX 7
+
+#if 1 /*nonstandard */
+#define SADB_X_CALG_NONE 0
+#define SADB_X_CALG_OUI 1
+#define SADB_X_CALG_DEFLATE 2
+#define SADB_X_CALG_LZS 3
+#endif
+
+#define SADB_IDENTTYPE_RESERVED 0
+#define SADB_IDENTTYPE_PREFIX 1
+#define SADB_IDENTTYPE_FQDN 2
+#define SADB_IDENTTYPE_USERFQDN 3
+#define SADB_IDENTTYPE_MAX 3
+
+/* `flags' in SA structure holds followings */
+#define SADB_X_EXT_NONE 0x0000 /* i.e. new format. */
+#define SADB_X_EXT_OLD 0x0001 /* old format. */
+#define SADB_X_EXT_IV4B 0x0010 /* IV length of 4 bytes in use */
+#define SADB_X_EXT_DERIV 0x0020 /* DES derived */
+#define SADB_X_EXT_CYCSEQ 0x0040 /* allowing to cyclic sequence. */
+ /* the followings are exclusive flags */
+#define SADB_X_EXT_PSEQ 0x0000 /* sequencial padding for ESP */
+#define SADB_X_EXT_PRAND 0x0100 /* random padding for ESP */
+#define SADB_X_EXT_PZERO 0x0300 /* zero padding for ESP */
+#define SADB_X_EXT_PMASK 0x0300 /* mask for padding flag */
+#if 1
+#define SADB_X_EXT_RAWCPI 0x0080 /* use well known CPI (IPComp) */
+#endif
+#define SADB_KEY_FLAGS_MAX 0x0fff
+
+/* SPI size for PF_KEYv2 */
+#define PFKEY_SPI_SIZE sizeof(u_int32_t)
+
+/* Identifier for menber of lifetime structure */
+#define SADB_X_LIFETIME_ALLOCATIONS 0
+#define SADB_X_LIFETIME_BYTES 1
+#define SADB_X_LIFETIME_ADDTIME 2
+#define SADB_X_LIFETIME_USETIME 3
+
+/* The rate for SOFT lifetime against HARD one. */
+#define PFKEY_SOFT_LIFETIME_RATE 80
+
+/* Utilities */
+#define PFKEY_ALIGN8(a) (1 + (((a) - 1) | (8 - 1)))
+#define PFKEY_EXTLEN(msg) \
+ PFKEY_UNUNIT64(((struct sadb_ext *)(msg))->sadb_ext_len)
+#define PFKEY_ADDR_PREFIX(ext) \
+ (((struct sadb_address *)(ext))->sadb_address_prefixlen)
+#define PFKEY_ADDR_PROTO(ext) \
+ (((struct sadb_address *)(ext))->sadb_address_proto)
+#define PFKEY_ADDR_SADDR(ext) \
+ ((struct sockaddr *)((caddr_t)(ext) + sizeof(struct sadb_address)))
+
+#if 1
+/* in 64bits */
+#define PFKEY_UNUNIT64(a) ((a) << 3)
+#define PFKEY_UNIT64(a) ((a) >> 3)
+#else
+#define PFKEY_UNUNIT64(a) (a)
+#define PFKEY_UNIT64(a) (a)
+#endif
+
+#ifndef KERNEL
+extern void pfkey_sadump(struct sadb_msg *m);
+extern void pfkey_spdump(struct sadb_msg *m);
+
+struct sockaddr;
+extern int ipsec_check_keylen(u_int supported, u_int alg_id, u_int keylen);
+extern int pfkey_check(struct sadb_msg *msg, caddr_t *mhp);
+extern u_int pfkey_set_softrate(u_int type, u_int rate);
+extern u_int pfkey_get_softrate(u_int type);
+extern int pfkey_send_getspi(int so, u_int satype,
+ struct sockaddr *src, u_int prefs,
+ struct sockaddr *dst, u_int prefd, u_int proto,
+ u_int32_t min, u_int32_t max, u_int32_t seq);
+extern int pfkey_send_update( int so, u_int satype,
+ struct sockaddr *src, u_int prefs,
+ struct sockaddr *dst, u_int prefd, u_int proto,
+ struct sockaddr *proxy,
+ u_int32_t spi, caddr_t keymat,
+ u_int e_type, u_int e_keylen, u_int a_type, u_int a_keylen,
+ u_int flags,
+ u_int32_t l_alloc, u_int32_t l_bytes,
+ u_int32_t l_addtime, u_int32_t l_usetime, u_int32_t seq);
+extern int pfkey_send_add( int so, u_int satype,
+ struct sockaddr *src, u_int prefs,
+ struct sockaddr *dst, u_int prefd, u_int proto,
+ struct sockaddr *proxy,
+ u_int32_t spi, caddr_t keymat,
+ u_int e_type, u_int e_keylen, u_int a_type, u_int a_keylen,
+ u_int flags,
+ u_int32_t l_alloc, u_int32_t l_bytes,
+ u_int32_t l_addtime, u_int32_t l_usetime, u_int32_t seq);
+extern int pfkey_send_delete( int so, u_int satype,
+ struct sockaddr *src, u_int prefs,
+ struct sockaddr *dst, u_int prefd, u_int proto,
+ u_int32_t spi);
+extern int pfkey_send_get( int so, u_int satype,
+ struct sockaddr *src, u_int prefs,
+ struct sockaddr *dst, u_int prefd, u_int proto,
+ u_int32_t spi);
+extern int pfkey_send_register(int so, u_int satype);
+extern int pfkey_recv_register(int so);
+extern int pfkey_send_flush(int so, u_int satype);
+extern int pfkey_send_dump(int so, u_int satype);
+extern int pfkey_send_promisc_toggle(int so, int flag);
+
+extern int pfkey_open(void);
+extern void pfkey_close(int so);
+extern struct sadb_msg *pfkey_recv(int so);
+extern int pfkey_send(int so, struct sadb_msg *msg, int len);
+
+#endif /*!KERNEL*/
+
+#endif /* __PFKEY_V2_H */
+
+#endif /* _NETKEY_KEYV2_H_ */
Please sign in to comment.
Something went wrong with that request. Please try again.