2313 if ((match & IPSA_Q_DSTID) && (sq->dstid != NULL)) {
2314 sq->didstr = (char *)(sq->dstid + 1);
2315 sq->didtype = sq->dstid->sadb_ident_type;
2316 *mfpp++ = sadb_match_dstid;
2317 }
2318
2319 sq->srcid = (sadb_ident_t *)ksi->ks_in_extv[SADB_EXT_IDENTITY_SRC];
2320
2321 if ((match & IPSA_Q_SRCID) && (sq->srcid != NULL)) {
2322 sq->sidstr = (char *)(sq->srcid + 1);
2323 sq->sidtype = sq->srcid->sadb_ident_type;
2324 *mfpp++ = sadb_match_srcid;
2325 }
2326
2327 sq->kmcext = (sadb_x_kmc_t *)ksi->ks_in_extv[SADB_X_EXT_KM_COOKIE];
2328 sq->kmc = 0;
2329 sq->kmp = 0;
2330
2331 if ((match & IPSA_Q_KMC) && (sq->kmcext)) {
2332 sq->kmp = sq->kmcext->sadb_x_kmc_proto;
2333 /* Be liberal in what we receive. Special-case IKEv1. */
2334 if (sq->kmp == SADB_X_KMP_IKE) {
2335 /* Just in case in.iked is misbehaving... */
2336 sq->kmcext->sadb_x_kmc_reserved = 0;
2337 }
2338 sq->kmc = sq->kmcext->sadb_x_kmc_cookie64;
2339 *mfpp++ = sadb_match_kmc;
2340 }
2341
2342 if (match & (IPSA_Q_INBOUND|IPSA_Q_OUTBOUND)) {
2343 if (sq->af == AF_INET6)
2344 sq->sp = &sq->spp->s_v6;
2345 else
2346 sq->sp = &sq->spp->s_v4;
2347 } else {
2348 sq->sp = NULL;
2349 }
2350
2351 if (match & IPSA_Q_INBOUND) {
2352 sq->inhash = INBOUND_HASH(sq->sp, sq->assoc->sadb_sa_spi);
2353 sq->inbound = &sq->sp->sdb_if[sq->inhash];
3120 mutex_exit(&newbie->ipsa_lock);
3121 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_INNER_SRC;
3122 error = EINVAL;
3123 goto error;
3124 }
3125 /*
3126 * If unspecified source address, force replay_wsize to 0.
3127 * This is because an SA that has multiple sources of secure
3128 * traffic cannot enforce a replay counter w/o synchronizing the
3129 * senders.
3130 */
3131 if (ksi->ks_in_srctype != KS_IN_ADDR_UNSPEC)
3132 newbie->ipsa_replay_wsize = assoc->sadb_sa_replay;
3133 else
3134 newbie->ipsa_replay_wsize = 0;
3135
3136 newbie->ipsa_addtime = gethrestime_sec();
3137
3138 if (kmcext != NULL) {
3139 newbie->ipsa_kmp = kmcext->sadb_x_kmc_proto;
3140 /* Be liberal in what we receive. Special-case IKEv1. */
3141 if (newbie->ipsa_kmp == SADB_X_KMP_IKE) {
3142 /* Just in case in.iked is misbehaving... */
3143 kmcext->sadb_x_kmc_reserved = 0;
3144 }
3145 newbie->ipsa_kmc = kmcext->sadb_x_kmc_cookie64;
3146 }
3147
3148 /*
3149 * XXX CURRENT lifetime checks MAY BE needed for an UPDATE.
3150 * The spec says that one can update current lifetimes, but
3151 * that seems impractical, especially in the larval-to-mature
3152 * update that this function performs.
3153 */
3154 if (soft != NULL) {
3155 newbie->ipsa_softaddlt = soft->sadb_lifetime_addtime;
3156 newbie->ipsa_softuselt = soft->sadb_lifetime_usetime;
3157 newbie->ipsa_softbyteslt = soft->sadb_lifetime_bytes;
3158 newbie->ipsa_softalloc = soft->sadb_lifetime_allocations;
3159 SET_EXPIRE(newbie, softaddlt, softexpiretime);
3160 }
|
2313 if ((match & IPSA_Q_DSTID) && (sq->dstid != NULL)) {
2314 sq->didstr = (char *)(sq->dstid + 1);
2315 sq->didtype = sq->dstid->sadb_ident_type;
2316 *mfpp++ = sadb_match_dstid;
2317 }
2318
2319 sq->srcid = (sadb_ident_t *)ksi->ks_in_extv[SADB_EXT_IDENTITY_SRC];
2320
2321 if ((match & IPSA_Q_SRCID) && (sq->srcid != NULL)) {
2322 sq->sidstr = (char *)(sq->srcid + 1);
2323 sq->sidtype = sq->srcid->sadb_ident_type;
2324 *mfpp++ = sadb_match_srcid;
2325 }
2326
2327 sq->kmcext = (sadb_x_kmc_t *)ksi->ks_in_extv[SADB_X_EXT_KM_COOKIE];
2328 sq->kmc = 0;
2329 sq->kmp = 0;
2330
2331 if ((match & IPSA_Q_KMC) && (sq->kmcext)) {
2332 sq->kmp = sq->kmcext->sadb_x_kmc_proto;
2333 /*
2334 * Be liberal in what we receive. Special-case the IKEv1
2335 * cookie, which closed-source in.iked assumes is 32 bits.
2336 * Now that we store all 64 bits, we should pre-zero the
2337 * reserved field on behalf of closed-source in.iked.
2338 */
2339 if (sq->kmp == SADB_X_KMP_IKE) {
2340 /* Just in case in.iked is misbehaving... */
2341 sq->kmcext->sadb_x_kmc_reserved = 0;
2342 }
2343 sq->kmc = sq->kmcext->sadb_x_kmc_cookie64;
2344 *mfpp++ = sadb_match_kmc;
2345 }
2346
2347 if (match & (IPSA_Q_INBOUND|IPSA_Q_OUTBOUND)) {
2348 if (sq->af == AF_INET6)
2349 sq->sp = &sq->spp->s_v6;
2350 else
2351 sq->sp = &sq->spp->s_v4;
2352 } else {
2353 sq->sp = NULL;
2354 }
2355
2356 if (match & IPSA_Q_INBOUND) {
2357 sq->inhash = INBOUND_HASH(sq->sp, sq->assoc->sadb_sa_spi);
2358 sq->inbound = &sq->sp->sdb_if[sq->inhash];
3125 mutex_exit(&newbie->ipsa_lock);
3126 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_INNER_SRC;
3127 error = EINVAL;
3128 goto error;
3129 }
3130 /*
3131 * If unspecified source address, force replay_wsize to 0.
3132 * This is because an SA that has multiple sources of secure
3133 * traffic cannot enforce a replay counter w/o synchronizing the
3134 * senders.
3135 */
3136 if (ksi->ks_in_srctype != KS_IN_ADDR_UNSPEC)
3137 newbie->ipsa_replay_wsize = assoc->sadb_sa_replay;
3138 else
3139 newbie->ipsa_replay_wsize = 0;
3140
3141 newbie->ipsa_addtime = gethrestime_sec();
3142
3143 if (kmcext != NULL) {
3144 newbie->ipsa_kmp = kmcext->sadb_x_kmc_proto;
3145 /*
3146 * Be liberal in what we receive. Special-case the IKEv1
3147 * cookie, which closed-source in.iked assumes is 32 bits.
3148 * Now that we store all 64 bits, we should pre-zero the
3149 * reserved field on behalf of closed-source in.iked.
3150 */
3151 if (newbie->ipsa_kmp == SADB_X_KMP_IKE) {
3152 /* Just in case in.iked is misbehaving... */
3153 kmcext->sadb_x_kmc_reserved = 0;
3154 }
3155 newbie->ipsa_kmc = kmcext->sadb_x_kmc_cookie64;
3156 }
3157
3158 /*
3159 * XXX CURRENT lifetime checks MAY BE needed for an UPDATE.
3160 * The spec says that one can update current lifetimes, but
3161 * that seems impractical, especially in the larval-to-mature
3162 * update that this function performs.
3163 */
3164 if (soft != NULL) {
3165 newbie->ipsa_softaddlt = soft->sadb_lifetime_addtime;
3166 newbie->ipsa_softuselt = soft->sadb_lifetime_usetime;
3167 newbie->ipsa_softbyteslt = soft->sadb_lifetime_bytes;
3168 newbie->ipsa_softalloc = soft->sadb_lifetime_allocations;
3169 SET_EXPIRE(newbie, softaddlt, softexpiretime);
3170 }
|