62  * This code is referd to RFC 2367
165 u_int32_t key_debug_level = 0; //### our sysctl is not dynamic
666 		panic("key_allocsp: NULL pointer is passed.\n");
674 		panic("key_allocsp: Invalid direction is passed.\n");
727 	struct sockaddr *os, *od, *is, *id;
760 				is = (struct sockaddr *)&r1->saidx.src;
762 				if (key_sockaddrcmp(is, isrc, 0) ||
791  *	ENOENT: policy may be valid, but SA with REQUIRE is on acquiring.
809 		panic("key_checkrequest: NULL pointer is passed.\n");
832 	/* When there is SA. */
836 	/* There is no SA.
891 	 * This search order is important.
979 		/* Which SA is the better ? */
984 				"lifetime_current is NULL.\n");
986 		/* What the best method is to compare ? */
1011 		 * prepared to delete the SA when there is more
1012 		 * suitable candidate and the lifetime of the SA is not
1102  *	A security association is uniquely identified by a triple consisting
1128 		panic("key_allocsa: NULL pointer is passed.\n");
1132 	 * the search order is important even in the inbound case.
1145 	 * IPsec tunnel packet is received.  But ESP tunnel mode is
1150 	 * the search order is not important.
1301 	 * This search order is important.
1354 		/* Which SA is the better ? */
1359 				"lifetime_current is NULL.\n");
1361 		/* What the best method is to compare ? */
1397 		panic("key_freesp: NULL pointer is passed.\n");
1429 		panic("key_freeso: NULL pointer is passed.\n");
1512  * This function is called by key_freesp() to free some SA allocated
1523 		panic("key_freesav: NULL pointer is passed.\n");
1552 		panic("key_delsp: NULL pointer is passed.\n");
1595 		panic("key_getsp: NULL pointer is passed.\n");
1796 				/* allocate new reqid id if reqid is zero. */
1896 	   issues. This code now tests to see if the tentative reqid is in use */
1965 	/* if is the policy for ipsec ? */
2102 		panic("key_spdadd: NULL pointer is passed.\n");
2107 		ipseclog((LOG_DEBUG, "key_spdadd: invalid message is passed.\n"));
2113 		ipseclog((LOG_DEBUG, "key_spdadd: invalid message is passed.\n"));
2119 			ipseclog((LOG_DEBUG, "key_spdadd: invalid message is passed.\n"));
2159 	/* policy requests are mandatory when action is ipsec. */
2168 	 * checking there is SP already or not.
2169 	 * SPDUPDATE doesn't depend on whether there is a SP or not.
2170 	 * If the type is either SPDADD or SPDSETIDX AND a SP is found,
2324 		/* n is already freed */
2364 		ipseclog((LOG_DEBUG, "key_getnewspid: to allocate policy id is failed.\n"));
2398 		panic("key_spddelete: NULL pointer is passed.\n");
2403 		ipseclog((LOG_DEBUG, "key_spddelete: invalid message is passed.\n"));
2409 		ipseclog((LOG_DEBUG, "key_spddelete: invalid message is passed.\n"));
2498 		panic("key_spddelete2: NULL pointer is passed.\n");
2502 		ipseclog((LOG_DEBUG, "key_spddelete2: invalid message is passed.\n"));
2601 		panic("key_spdget: NULL pointer is passed.\n");
2605 		ipseclog((LOG_DEBUG, "key_spdget: invalid message is passed.\n"));
2638  * policy(*) is without policy requests.
2655 		panic("key_spdacquire: NULL pointer is passed.\n");
2657 		panic("key_spdacquire: called but there is request.\n");
2659 		panic("key_spdacquire: policy mismathed. IPsec is expected.\n");
2714  * NOTE: what to do is only marking SADB_SASTATE_DEAD.
2730 		panic("key_spdflush: NULL pointer is passed.\n");
2785 		panic("key_spddump: NULL pointer is passed.\n");
2910 	/* if is the policy for ipsec ? */
2953 		panic("key_spdexpire: NULL pointer is passed.\n");
3060 		panic("key_newsaidx: NULL pointer is passed.\n");
3113 		panic("key_delsah: NULL pointer is passed.\n");
3165  * When SAD message type is GETSPI:
3188 		panic("key_newsa: NULL pointer is passed.\n");
3221 			ipseclog((LOG_DEBUG, "key_newsa: invalid message is passed.\n"));
3269  * When SAD message type is GETSPI:
3300 		panic("key_newsa: NULL pointer is passed.\n");
3383 		panic("key_delsav: NULL pointer is passed.\n");
3478  * NOTE: this function is too slow due to searching all SAD.
3588 		panic("key_setsaval: NULL pointer is passed.\n");
3621 		 * the nat-traversal flag is set.
3634 		 * Verify if SADB_X_EXT_NATT_MULTIPLEUSERS flag is set that
3635 		 * SADB_X_EXT_NATT is set and SADB_X_EXT_NATT_KEEPALIVE is not 
3944 	 * the nat-traversal flag is set.
3956 	 * Verify if SADB_X_EXT_NATT_MULTIPLEUSERS flag is set that
3957 	 * SADB_X_EXT_NATT is set and SADB_X_EXT_NATT_KEEPALIVE is not 
4127 		/* No reason to test if this is >= 0, because ntohl(sav->spi) is unsigned. */
4790 		panic("key_ismyaddr: NULL pointer is passed.\n");
4827  * NOTE: derived ip6_input() in KAME. This is necessary to modify more.
4916 			 * If reqid of SPD is non-zero, unique SA is required.
4945  *	spidx0: source, it is often in SPD.
4946  *	spidx1: object, it is often from PFKEY message.
4983  *	spidx0: source, it is often in SPD.
4984  *	spidx1: object, it is often from IP header.
5028 		 * scope_id check. if sin6_scope_id is 0, we regard it
5063 		 * scope_id check. if sin6_scope_id is 0, we regard it
5152 	 * at a time, but it is complicated on LSB Endian machines */
5291 			 * If this is a NAT traversal SA with no activity,
5296 			 * the list is the one that will be used for sending
5297 			 * traffic, so this is the one we use for determining
5301 				sav = LIST_FIRST(&sah->savtree[SADB_SASTATE_MATURE]);	//%%% should we check dying list if this is empty???
5329 						"There is no CURRENT time, why?\n"));
5356 				 * when new SA is installed.  Caution when it's
5392 						"There is no CURRENT time, why?\n"));
5413 					 * If there is no SA then sending
5596 	/* Our PRNG is based on Yarrow and doesn't need to be seeded */
5651  * if satype == SADB_SATYPE then satype is mapped to ~0.
5700  * SADB_GETSPI processing is to receive
5731 		panic("key_getspi: NULL pointer is passed.\n");
5735 		ipseclog((LOG_DEBUG, "key_getspi: invalid message is passed.\n"));
5740 		ipseclog((LOG_DEBUG, "key_getspi: invalid message is passed.\n"));
5758 		ipseclog((LOG_DEBUG, "key_getspi: invalid satype is passed.\n"));
5762 	/* make sure if port number is zero. */
5811 		/* create a new SA index: key_addspi is always used for inbound spi */
5932 	/* make sure if port number is zero. */
6038 			ipseclog((LOG_DEBUG, "key_do_getnewspi: to allocate spi is failed.\n"));
6055  * from the ikmpd, and update a secasvar entry whose status is SADB_SASTATE_LARVAL.
6083 		panic("key_update: NULL pointer is passed.\n");
6087 		ipseclog((LOG_DEBUG, "key_update: invalid satype is passed.\n"));
6102 		ipseclog((LOG_DEBUG, "key_update: invalid message is passed.\n"));
6108 		ipseclog((LOG_DEBUG, "key_update: invalid message is passed.\n"));
6201 	 * Verify if SADB_X_EXT_NATT_MULTIPLEUSERS flag is set that
6202 	 * this SA is for transport mode - otherwise clear it.
6234  * search SAD with sequence for a SA which state is SADB_SASTATE_LARVAL.
6307 		panic("key_add: NULL pointer is passed.\n");
6311 		ipseclog((LOG_DEBUG, "key_add: invalid satype is passed.\n"));
6326 		ipseclog((LOG_DEBUG, "key_add: invalid message is passed.\n"));
6333 		ipseclog((LOG_DEBUG, "key_add: invalid message is passed.\n"));
6357 		/* create a new SA header: key_addspi is always used for outbound spi */
6374 	/* We can create new SA only if SPI is different. */
6387 	 * Verify if SADB_X_EXT_NATT_MULTIPLEUSERS flag is set that
6388 	 * this SA is for transport mode - otherwise clear it.
6424 /* m is retained */
6438 		panic("key_setident: NULL pointer is passed.\n");
6509  * it is caller's responsibility to free the result. 
6525 		panic("key_getmsgbuf_x1: NULL pointer is passed.\n");
6575 		panic("key_delete: NULL pointer is passed.\n");
6579 		ipseclog((LOG_DEBUG, "key_delete: invalid satype is passed.\n"));
6585 		ipseclog((LOG_DEBUG, "key_delete: invalid message is passed.\n"));
6591 		ipseclog((LOG_DEBUG, "key_delete: invalid message is passed.\n"));
6600 		 * that match the src/dst.  This is used during
6608 		ipseclog((LOG_DEBUG, "key_delete: invalid message is passed.\n"));
6778 		panic("key_get: NULL pointer is passed.\n");
6782 		ipseclog((LOG_DEBUG, "key_get: invalid satype is passed.\n"));
6789 		ipseclog((LOG_DEBUG, "key_get: invalid message is passed.\n"));
6795 		ipseclog((LOG_DEBUG, "key_get: invalid message is passed.\n"));
6855  *	0	: found, arg pointer to a SA stats is updated.
7002 				/* m is already freed */
7192  * XXX x_policy is outside of RFC2367 (KAME extension).
7193  * XXX sensitivity is not supported.
7218 		panic("key_acquire: NULL pointer is passed.\n");
7220 		panic("key_acquire: invalid proto is passed.\n");
7224 	 * We never do anything about acquirng SA.  There is anather
7325 		/* XXX is it correct? */
7341 	 * the problem is that we have no way to attach it for ipcomp,
7342 	 * due to the way sadb_comb is declared in RFC2367.
7496  * in first situation, is receiving
7500  * In second situation, is receiving
7523 		panic("key_acquire2: NULL pointer is passed.\n");
7528 	 * message is equal to the size of sadb_msg structure.
7548 			 * the specified larval SA is already gone, or we got
7567 	 * This message is from user land.
7573 		ipseclog((LOG_DEBUG, "key_acquire2: invalid satype is passed.\n"));
7582 		ipseclog((LOG_DEBUG, "key_acquire2: invalid message is passed.\n"));
7590 		ipseclog((LOG_DEBUG, "key_acquire2: invalid message is passed.\n"));
7633  * If socket is detached, must free from regnode.
7647 		panic("key_register: NULL pointer is passed.\n");
7653 	/* When SATYPE_UNSPEC is specified, only return sadb_supported. */
7817 		panic("key_freereg: NULL pointer is passed.\n");
7821 	 * check all type of SA, because there is a potential that
7822 	 * one socket is registered to multiple type of SA.
7863 		panic("key_expire: NULL pointer is passed.\n");
7867 		panic("key_expire: invalid proto is passed.\n");
7972  * NOTE: to do is only marking SADB_SASTATE_DEAD.
7991 		panic("key_flush: NULL pointer is passed.\n");
7995 		ipseclog((LOG_DEBUG, "key_flush: invalid satype is passed.\n"));
8086 		panic("key_dump: NULL pointer is passed.\n");
8090 		ipseclog((LOG_DEBUG, "key_dump: invalid satype is passed.\n"));
8194 		panic("key_promisc: NULL pointer is passed.\n");
8228 		/* send packet as is */
8232 		/* TODO: if sadb_msg_seq is specified, send to specific pid */
8271  *             This is rewrited to response.
8291 		panic("key_parse: NULL pointer is passed.\n");
8318 		    "key_parse: PF_KEY version %u is mismatched.\n",
8326 		ipseclog((LOG_DEBUG, "key_parse: invalid type %u is passed.\n",
8423 		ipseclog((LOG_DEBUG, "key_parse: invalid type %u is passed.\n",
8512 		 * prefixlen == 0 is valid because there can be a case when
8567 		panic("key_align: NULL pointer is passed.\n");
8578 	extlen = end;	/*just in case extlen is not updated*/
8582 			/* m is already freed */
8617 				    "is passed.\n", ext->sadb_ext_type));
8625 			    "key_align: invalid ext_type %u is passed.\n",
8642 			/* m is already freed */
8728  * XXX: maybe This function is called after INBOUND IPsec processing.
8769 	 * XXX Currently, there is a difference of bytes size
8773 	/* to check bytes lifetime is done in key_timehandler(). */
8778 	 * whenever {esp,ah}_{in,out}put is called.
8978 	        panic("%s: NULL pointer is passed.\n", __FUNCTION__);
8981 	        printf("%s: invalid message is passed. missing session-id.\n", __FUNCTION__);
8985 	        printf("%s: invalid message is passed. short session-id.\n", __FUNCTION__);
8989 	        printf("%s: invalid message is passed. missing stat args.\n", __FUNCTION__);
8993 	        printf("%s: invalid message is passed. short stat args.\n", __FUNCTION__);
9075 	// exit early if two SAs are identical, or if sav_update is current

Indexes created Tue Aug 27 01:24:33 MDT 2024