Lines Matching refs:sav
316 #define KEY_CHKSASTATE(head, sav, name) \
318 if ((head) != (sav)) { \
320 (name), (head), (sav))); \
526 void ipsec_send_natt_keepalive(struct secasvar *sav);
717 key_checkrequest(isr, saidx, sav)
720 struct secasvar **sav;
728 *sav = NULL;
752 if (*sav == NULL)
753 *sav = key_allocsa_policy(saidx);
756 if (*sav != NULL)
791 struct secasvar *sav;
834 sav = key_do_allocsa_policy(sah, state, dstport);
835 if (sav != NULL) {
837 return sav;
857 struct secasvar *sav, *nextsav, *candidate, *natt_candidate, *no_natt_candidate, *d;
866 for (sav = LIST_FIRST(&sah->savtree[state]);
867 sav != NULL;
868 sav = nextsav) {
870 nextsav = LIST_NEXT(sav, chain);
873 KEY_CHKSASTATE(sav->state, state, "key_do_allocsa_policy");
876 ((sav->flags & SADB_X_EXT_NATT) != 0) &&
877 ntohs(dstport) != sav->remote_ike_port)
881 ((sav->flags & SADB_X_EXT_NATT_MULTIPLEUSERS) != 0) &&
882 ntohs(dstport) != sav->remote_ike_port)
886 ((sav->flags & SADB_X_EXT_NATT) != 0)) ||
888 ((sav->flags & SADB_X_EXT_NATT_MULTIPLEUSERS) != 0))) {
890 natt_candidate = sav;
896 no_natt_candidate = sav;
905 if (candidate->lft_c == NULL || sav->lft_c == NULL)
912 sav->lft_c->sadb_lifetime_addtime) {
913 if ((sav->flags & SADB_X_EXT_NATT_MULTIPLEUSERS) != 0)
914 natt_candidate = sav;
916 no_natt_candidate = sav;
924 sav->lft_c->sadb_lifetime_addtime) {
926 if ((sav->flags & SADB_X_EXT_NATT_MULTIPLEUSERS) != 0)
927 natt_candidate = sav;
929 no_natt_candidate = sav;
931 d = sav;
1020 * OUT: positive: pointer to a sav.
1038 struct secasvar *sav, *match;
1076 LIST_FOREACH(sav, &spihash[SPIHASH(spi)], spihash) {
1077 if (sav->spi != spi)
1079 if (proto != sav->sah->saidx.proto)
1081 if (family != sav->sah->saidx.src.ss_family ||
1082 family != sav->sah->saidx.dst.ss_family)
1087 if (sav->state == state) {
1105 (struct sockaddr *)&sav->sah->saidx.src, 0) != 0)
1121 (struct sockaddr *)&sav->sah->saidx.src, 0) != 0)
1141 (struct sockaddr *)&sav->sah->saidx.dst, 0) != 0)
1158 (struct sockaddr *)&sav->sah->saidx.dst, 0) != 0)
1167 match = sav;
1218 * sav->natt_encapsulated_src_port and return the port.
1437 key_freesav(sav, locked)
1438 struct secasvar *sav;
1443 if (sav == NULL)
1450 sav->refcnt--;
1453 sav->refcnt, sav, (u_int32_t)ntohl(sav->spi)));
1455 if (sav->refcnt == 0)
1456 key_delsav(sav);
2993 struct secasvar *sav, *nextsav;
3009 for (sav = (struct secasvar *)LIST_FIRST(&sah->savtree[state]);
3010 sav != NULL;
3011 sav = nextsav) {
3013 nextsav = LIST_NEXT(sav, chain);
3015 if (sav->refcnt > 0) {
3022 KEY_CHKSASTATE(state, sav->state, "key_delsah");
3024 key_freesav(sav, KEY_SADB_LOCKED);
3027 sav->sah = NULL;
3028 sav = NULL;
3123 /* copy sav values */
3158 key_delsav(sav)
3159 struct secasvar *sav;
3165 if (sav == NULL)
3168 if (sav->refcnt > 0)
3172 if (__LIST_CHAINED(sav))
3173 LIST_REMOVE(sav, chain);
3176 if (sav->spihash.le_prev || sav->spihash.le_next)
3177 LIST_REMOVE(sav, spihash);
3179 if (sav->key_auth != NULL) {
3180 bzero(_KEYBUF(sav->key_auth), _KEYLEN(sav->key_auth));
3181 KFREE(sav->key_auth);
3182 sav->key_auth = NULL;
3184 if (sav->key_enc != NULL) {
3185 bzero(_KEYBUF(sav->key_enc), _KEYLEN(sav->key_enc));
3186 KFREE(sav->key_enc);
3187 sav->key_enc = NULL;
3189 if (sav->sched) {
3190 bzero(sav->sched, sav->schedlen);
3191 KFREE(sav->sched);
3192 sav->sched = NULL;
3194 if (sav->replay != NULL) {
3195 keydb_delsecreplay(sav->replay);
3196 sav->replay = NULL;
3198 if (sav->lft_c != NULL) {
3199 KFREE(sav->lft_c);
3200 sav->lft_c = NULL;
3202 if (sav->lft_h != NULL) {
3203 KFREE(sav->lft_h);
3204 sav->lft_h = NULL;
3206 if (sav->lft_s != NULL) {
3207 KFREE(sav->lft_s);
3208 sav->lft_s = NULL;
3210 if (sav->iv != NULL) {
3211 KFREE(sav->iv);
3212 sav->iv = NULL;
3215 KFREE(sav);
3256 struct secasvar *sav;
3268 LIST_FOREACH(sav, &spihash[SPIHASH(spi)], spihash) {
3269 if (sav->spi != spi)
3275 if (sav->state == state &&
3276 key_ismyaddr((struct sockaddr *)&sav->sah->saidx.dst))
3277 return sav;
3285 key_setspi(sav, spi)
3286 struct secasvar *sav;
3290 sav->spi = spi;
3291 if (sav->spihash.le_prev || sav->spihash.le_next)
3292 LIST_REMOVE(sav, spihash);
3293 LIST_INSERT_HEAD(&spihash[SPIHASH(spi)], sav, spihash);
3308 struct secasvar *sav, *match;
3314 LIST_FOREACH(sav, &spihash[SPIHASH(spi)], spihash) {
3315 if (sav->spi != spi)
3317 if (sav->sah != sah)
3321 if (sav->state == state) {
3322 match = sav;
3341 key_setsaval(sav, m, mhp)
3342 struct secasvar *sav;
3359 sav->replay = NULL;
3360 sav->key_auth = NULL;
3361 sav->key_enc = NULL;
3362 sav->sched = NULL;
3363 sav->schedlen = 0;
3364 sav->iv = NULL;
3365 sav->lft_c = NULL;
3366 sav->lft_h = NULL;
3367 sav->lft_s = NULL;
3368 sav->remote_ike_port = 0;
3369 sav->natt_last_activity = natt_now;
3370 sav->natt_encapsulated_src_port = 0;
3383 sav->alg_auth = sa0->sadb_sa_auth;
3384 sav->alg_enc = sa0->sadb_sa_encrypt;
3385 sav->flags = sa0->sadb_sa_flags;
3391 if ((sav->flags & SADB_X_EXT_NATT) != 0) {
3398 sav->remote_ike_port = ((struct sadb_sa_2*)(sa0))->sadb_sa_natt_port;
3406 if ((sav->flags & SADB_X_EXT_NATT_MULTIPLEUSERS) != 0)
3407 if ((sav->flags & SADB_X_EXT_NATT) == 0 ||
3408 (sav->flags & SADB_X_EXT_NATT_KEEPALIVE) != 0)
3409 sav->flags &= ~SADB_X_EXT_NATT_MULTIPLEUSERS;
3413 sav->replay = keydb_newsecreplay(sa0->sadb_sa_replay);
3414 if (sav->replay == NULL) {
3440 sav->alg_auth != SADB_X_AALG_NULL)
3453 sav->key_auth = (struct sadb_key *)key_newbuf(key0, len);
3454 if (sav->key_auth == NULL) {
3478 sav->alg_enc != SADB_EALG_NULL) {
3483 sav->key_enc = (struct sadb_key *)key_newbuf(key0, len);
3484 if (sav->key_enc == NULL) {
3493 sav->key_enc = NULL; /*just in case*/
3507 sav->ivlen = 0;
3512 algo = esp_algorithm_lookup(sav->alg_enc);
3514 sav->ivlen = (*algo->ivlen)(algo, sav);
3515 if (sav->ivlen == 0)
3517 KMALLOC_NOWAIT(sav->iv, caddr_t, sav->ivlen);
3518 if (sav->iv == 0) {
3520 KMALLOC_WAIT(sav->iv, caddr_t, sav->ivlen);
3522 if (sav->iv == 0) {
3530 key_randomfill(sav->iv, sav->ivlen);
3544 sav->created = tv.tv_sec;
3547 KMALLOC_NOWAIT(sav->lft_c, struct sadb_lifetime *,
3549 if (sav->lft_c == NULL) {
3551 KMALLOC_WAIT(sav->lft_c, struct sadb_lifetime *,
3554 if (sav->lft_c == NULL) {
3563 sav->lft_c->sadb_lifetime_len =
3565 sav->lft_c->sadb_lifetime_exttype = SADB_EXT_LIFETIME_CURRENT;
3566 sav->lft_c->sadb_lifetime_allocations = 0;
3567 sav->lft_c->sadb_lifetime_bytes = 0;
3568 sav->lft_c->sadb_lifetime_addtime = tv.tv_sec;
3569 sav->lft_c->sadb_lifetime_usetime = 0;
3582 sav->lft_h = (struct sadb_lifetime *)key_newbuf(lft0,
3584 if (sav->lft_h == NULL) {
3599 sav->lft_s = (struct sadb_lifetime *)key_newbuf(lft0,
3601 if (sav->lft_s == NULL) {
3614 if (sav->replay != NULL) {
3615 keydb_delsecreplay(sav->replay);
3616 sav->replay = NULL;
3618 if (sav->key_auth != NULL) {
3619 bzero(_KEYBUF(sav->key_auth), _KEYLEN(sav->key_auth));
3620 KFREE(sav->key_auth);
3621 sav->key_auth = NULL;
3623 if (sav->key_enc != NULL) {
3624 bzero(_KEYBUF(sav->key_enc), _KEYLEN(sav->key_enc));
3625 KFREE(sav->key_enc);
3626 sav->key_enc = NULL;
3628 if (sav->sched) {
3629 bzero(sav->sched, sav->schedlen);
3630 KFREE(sav->sched);
3631 sav->sched = NULL;
3633 if (sav->iv != NULL) {
3634 KFREE(sav->iv);
3635 sav->iv = NULL;
3637 if (sav->lft_c != NULL) {
3638 KFREE(sav->lft_c);
3639 sav->lft_c = NULL;
3641 if (sav->lft_h != NULL) {
3642 KFREE(sav->lft_h);
3643 sav->lft_h = NULL;
3645 if (sav->lft_s != NULL) {
3646 KFREE(sav->lft_s);
3647 sav->lft_s = NULL;
3659 key_mature(sav)
3660 struct secasvar *sav;
3671 switch (sav->sah->saidx.proto) {
3674 if (ntohl(sav->spi) >= 0 && ntohl(sav->spi) <= 255) {
3677 (u_int32_t)ntohl(sav->spi)));
3684 switch (sav->sah->saidx.proto) {
3687 if ((sav->flags & SADB_X_EXT_OLD)
3688 && (sav->flags & SADB_X_EXT_DERIV)) {
3693 if (sav->alg_auth == SADB_AALG_NONE)
3701 if (sav->flags & SADB_X_EXT_DERIV) {
3706 if (sav->alg_enc != SADB_EALG_NONE) {
3715 if (sav->alg_auth != SADB_AALG_NONE) {
3720 if ((sav->flags & SADB_X_EXT_RAWCPI) == 0
3721 && ntohl(sav->spi) >= 0x10000) {
3738 algo = ah_algorithm_lookup(sav->alg_auth);
3746 if (sav->key_auth)
3747 keylen = sav->key_auth->sadb_key_bits;
3759 if ((*algo->mature)(sav)) {
3778 algo = esp_algorithm_lookup(sav->alg_enc);
3785 if (sav->key_enc)
3786 keylen = sav->key_enc->sadb_key_bits;
3798 if ((*algo->mature)(sav)) {
3820 algo = ipcomp_algorithm_lookup(sav->alg_enc);
3827 key_sa_chgstate(sav, SADB_SASTATE_MATURE);
3836 key_setdumpsa(sav, type, satype, seq, pid)
3837 struct secasvar *sav;
3854 m = key_setsadbmsg(type, 0, satype, seq, pid, sav->refcnt);
3864 m = key_setsadbsa(sav);
3870 m = key_setsadbxsa2(sav->sah->saidx.mode,
3871 sav->replay ? sav->replay->count : 0,
3872 sav->sah->saidx.reqid);
3879 (struct sockaddr *)&sav->sah->saidx.src,
3887 (struct sockaddr *)&sav->sah->saidx.dst,
3894 if (!sav->key_auth)
3896 l = PFKEY_UNUNIT64(sav->key_auth->sadb_key_len);
3897 p = sav->key_auth;
3901 if (!sav->key_enc)
3903 l = PFKEY_UNUNIT64(sav->key_enc->sadb_key_len);
3904 p = sav->key_enc;
3908 if (!sav->lft_c)
3910 l = PFKEY_UNUNIT64(((struct sadb_ext *)sav->lft_c)->sadb_ext_len);
3911 p = sav->lft_c;
3915 if (!sav->lft_h)
3917 l = PFKEY_UNUNIT64(((struct sadb_ext *)sav->lft_h)->sadb_ext_len);
3918 p = sav->lft_h;
3922 if (!sav->lft_s)
3924 l = PFKEY_UNUNIT64(((struct sadb_ext *)sav->lft_s)->sadb_ext_len);
3925 p = sav->lft_s;
4031 key_setsadbsa(sav)
4032 struct secasvar *sav;
4051 p->sadb_sa_spi = sav->spi;
4052 p->sadb_sa_replay = (sav->replay != NULL ? sav->replay->wsize : 0);
4053 p->sadb_sa_state = sav->state;
4054 p->sadb_sa_auth = sav->alg_auth;
4055 p->sadb_sa_encrypt = sav->alg_enc;
4056 p->sadb_sa_flags = sav->flags;
4710 struct secasvar *sav, *nextsav;
4736 for (sav = LIST_FIRST(&sah->savtree[SADB_SASTATE_LARVAL]);
4737 sav != NULL;
4738 sav = nextsav) {
4742 nextsav = LIST_NEXT(sav, chain);
4744 if (tv.tv_sec - sav->created > key_larval_lifetime) {
4745 key_freesav(sav, KEY_SADB_LOCKED);
4760 sav = LIST_FIRST(&sah->savtree[SADB_SASTATE_MATURE]); //%%% should we check dying list if this is empty???
4761 if (natt_keepalive_interval && sav && (sav->flags & SADB_X_EXT_NATT_KEEPALIVE) != 0 &&
4762 (natt_now - sav->natt_last_activity) >= natt_keepalive_interval) {
4763 //ipsec_send_natt_keepalive(sav);
4764 sav->refcnt++;
4765 *savkaptr++ = sav;
4774 for (sav = LIST_FIRST(&sah->savtree[SADB_SASTATE_MATURE]);
4775 sav != NULL;
4776 sav = nextsav) {
4780 nextsav = LIST_NEXT(sav, chain);
4783 if (sav->lft_s == NULL)
4787 if (sav->lft_c == NULL) {
4794 if (sav->lft_s->sadb_lifetime_addtime != 0
4795 && tv.tv_sec - sav->created > sav->lft_s->sadb_lifetime_addtime) {
4801 if (sav->lft_c->sadb_lifetime_usetime == 0) {
4802 key_sa_chgstate(sav, SADB_SASTATE_DEAD);
4803 key_freesav(sav, KEY_SADB_LOCKED);
4804 sav = NULL;
4806 key_sa_chgstate(sav, SADB_SASTATE_DYING);
4807 sav->refcnt++;
4808 *savexptr++ = sav;
4820 && sav->lft_s->sadb_lifetime_bytes != 0
4821 && sav->lft_s->sadb_lifetime_bytes < sav->lft_c->sadb_lifetime_bytes) {
4828 //key_expire(sav);
4829 key_sa_chgstate(sav, SADB_SASTATE_DYING);
4830 sav->refcnt++;
4831 *savexptr++ = sav;
4837 for (sav = LIST_FIRST(&sah->savtree[SADB_SASTATE_DYING]);
4838 sav != NULL;
4839 sav = nextsav) {
4843 nextsav = LIST_NEXT(sav, chain);
4846 if (sav->lft_h == NULL)
4850 if (sav->lft_c == NULL) {
4856 if (sav->lft_h->sadb_lifetime_addtime != 0
4857 && tv.tv_sec - sav->created > sav->lft_h->sadb_lifetime_addtime) {
4858 key_sa_chgstate(sav, SADB_SASTATE_DEAD);
4859 key_freesav(sav, KEY_SADB_LOCKED);
4860 sav = NULL;
4864 && sav->lft_s != NULL
4865 && sav->lft_s->sadb_lifetime_addtime != 0
4866 && tv.tv_sec - sav->created > sav->lft_s->sadb_lifetime_addtime) {
4876 //key_expire(sav);
4877 sav->refcnt++;
4878 *savexptr++ = sav;
4883 else if (sav->lft_h->sadb_lifetime_bytes != 0
4884 && sav->lft_h->sadb_lifetime_bytes < sav->lft_c->sadb_lifetime_bytes) {
4885 key_sa_chgstate(sav, SADB_SASTATE_DEAD);
4886 key_freesav(sav, KEY_SADB_LOCKED);
4887 sav = NULL;
4892 for (sav = LIST_FIRST(&sah->savtree[SADB_SASTATE_DEAD]);
4893 sav != NULL;
4894 sav = nextsav) {
4898 nextsav = LIST_NEXT(sav, chain);
4901 if (sav->state != SADB_SASTATE_DEAD) {
4903 "invalid sav->state "
4906 SADB_SASTATE_DEAD, sav->state));
4911 * sav should already be freed, and sav->refcnt
4912 * shows other references to sav
5464 struct secasvar *sav;
5538 && (sav = key_getsavbyseq(sah, mhp->msg->sadb_msg_seq)) == NULL) {
5546 if ((sav = key_getsavbyspi(sah, sa0->sadb_sa_spi)) == NULL) {
5556 if (sav->sah->saidx.proto != proto) {
5560 sav->sah->saidx.proto, proto));
5564 if (sav->spi != sa0->sadb_sa_spi) {
5568 (u_int32_t)ntohl(sav->spi),
5573 if (sav->pid != mhp->msg->sadb_msg_pid) {
5577 sav->pid, mhp->msg->sadb_msg_pid));
5581 /* copy sav values */
5582 error = key_setsaval(sav, m, mhp);
5584 key_freesav(sav, KEY_SADB_LOCKED);
5593 if ((sav->flags & SADB_X_EXT_NATT_MULTIPLEUSERS) != 0 &&
5594 (sav->sah->saidx.mode != IPSEC_MODE_TRANSPORT ||
5595 sav->sah->saidx.src.ss_family != AF_INET))
5596 sav->flags &= ~SADB_X_EXT_NATT_MULTIPLEUSERS;
5599 if ((error = key_mature(sav)) != 0) {
5600 key_freesav(sav, KEY_SADB_LOCKED);
5635 struct secasvar *sav;
5643 LIST_FOREACH(sav, &sah->savtree[state], chain) {
5645 KEY_CHKSASTATE(state, sav->state, "key_getsabyseq");
5647 if (sav->seq == seq) {
5648 sav->refcnt++;
5652 sav->refcnt, sav));
5653 return sav;
5953 struct secasvar *sav = NULL;
6012 sav = key_getsavbyspi(sah, sa0->sadb_sa_spi);
6013 if (sav)
6022 key_sa_chgstate(sav, SADB_SASTATE_DEAD);
6023 key_freesav(sav, KEY_SADB_LOCKED);
6026 sav = NULL;
6066 struct secasvar *sav, *nextsav;
6090 for (sav = LIST_FIRST(&sah->savtree[state]);
6091 sav != NULL; sav = nextsav) {
6092 nextsav = LIST_NEXT(sav, chain);
6094 if (sav->state != state) {
6096 "invalid sav->state "
6098 state, sav->state));
6102 key_sa_chgstate(sav, SADB_SASTATE_DEAD);
6103 key_freesav(sav, KEY_SADB_LOCKED);
6156 struct secasvar *sav = NULL;
6201 sav = key_getsavbyspi(sah, sa0->sadb_sa_spi);
6202 if (sav)
6224 n = key_setdumpsa(sav, SADB_GET, satype, mhp->msg->sadb_msg_seq,
7155 key_expire(sav)
7156 struct secasvar *sav;
7167 if (sav == NULL)
7169 if (sav->sah == NULL)
7171 if ((satype = key_proto2satype(sav->sah->saidx.proto)) == 0)
7175 m = key_setsadbmsg(SADB_EXPIRE, 0, satype, sav->seq, 0, sav->refcnt);
7183 m = key_setsadbsa(sav);
7191 m = key_setsadbxsa2(sav->sah->saidx.mode,
7192 sav->replay ? sav->replay->count : 0,
7193 sav->sah->saidx.reqid);
7213 lt->sadb_lifetime_allocations = sav->lft_c->sadb_lifetime_allocations;
7214 lt->sadb_lifetime_bytes = sav->lft_c->sadb_lifetime_bytes;
7215 lt->sadb_lifetime_addtime = sav->lft_c->sadb_lifetime_addtime;
7216 lt->sadb_lifetime_usetime = sav->lft_c->sadb_lifetime_usetime;
7218 bcopy(sav->lft_s, lt, sizeof(*lt));
7223 (struct sockaddr *)&sav->sah->saidx.src,
7233 (struct sockaddr *)&sav->sah->saidx.dst,
7289 struct secasvar *sav, *nextsav;
7320 for (sav = LIST_FIRST(&sah->savtree[state]);
7321 sav != NULL;
7322 sav = nextsav) {
7324 nextsav = LIST_NEXT(sav, chain);
7326 key_sa_chgstate(sav, SADB_SASTATE_DEAD);
7327 key_freesav(sav, KEY_SADB_LOCKED);
7366 struct secasvar *sav;
7377 struct secasvar *sav;
7411 /* count sav entries to be sent to the userland. */
7431 LIST_FOREACH(sav, &sah->savtree[state], chain) {
7434 elem_ptr->sav = sav;
7436 sav->refcnt++;
7453 n = key_setdumpsa(elem_ptr->sav, SADB_DUMP, elem_ptr->satype,
7471 key_freesav((elem_ptr++)->sav, KEY_SADB_LOCKED);
8080 struct secasvar *sav,
8087 if (sav->sah == NULL)
8088 panic("sav->sah == NULL at key_checktunnelsanity");
8097 key_sa_recordxfer(sav, m)
8098 struct secasvar *sav;
8103 if (!sav)
8104 panic("key_sa_recordxfer called with sav == NULL");
8107 if (!sav->lft_c)
8115 sav->lft_c->sadb_lifetime_bytes += m->m_pkthdr.len;
8123 sav->lft_c->sadb_lifetime_allocations++;
8140 sav->lft_c->sadb_lifetime_usetime = tv.tv_sec;
8171 key_sa_chgstate(sav, state)
8172 struct secasvar *sav;
8176 if (sav == NULL)
8177 panic("key_sa_chgstate called with sav == NULL");
8179 if (sav->state == state)
8184 if (__LIST_CHAINED(sav))
8185 LIST_REMOVE(sav, chain);
8187 sav->state = state;
8188 LIST_INSERT_HEAD(&sav->sah->savtree[state], sav, chain);
8193 key_sa_stir_iv(sav)
8194 struct secasvar *sav;
8197 if (!sav->iv)
8198 panic("key_sa_stir_iv called with sav == NULL");
8199 key_randomfill(sav->iv, sav->ivlen);