1 /* $OpenBSD: ip_ipsp.c,v 1.236 2020/06/24 22:03:43 cheloha Exp $ */ 2 /* 3 * The authors of this code are John Ioannidis (ji@tla.org), 4 * Angelos D. Keromytis (kermit@csd.uch.gr), 5 * Niels Provos (provos@physnet.uni-hamburg.de) and 6 * Niklas Hallqvist (niklas@appli.se). 7 * 8 * The original version of this code was written by John Ioannidis 9 * for BSD/OS in Athens, Greece, in November 1995. 10 * 11 * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996, 12 * by Angelos D. Keromytis. 13 * 14 * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis 15 * and Niels Provos. 16 * 17 * Additional features in 1999 by Angelos D. Keromytis and Niklas Hallqvist. 18 * 19 * Copyright (c) 1995, 1996, 1997, 1998, 1999 by John Ioannidis, 20 * Angelos D. Keromytis and Niels Provos. 21 * Copyright (c) 1999 Niklas Hallqvist. 22 * Copyright (c) 2001, Angelos D. Keromytis. 23 * 24 * Permission to use, copy, and modify this software with or without fee 25 * is hereby granted, provided that this entire notice is included in 26 * all copies of any software which is or includes a copy or 27 * modification of this software. 28 * You may use this code under the GNU public license if you so wish. Please 29 * contribute changes back to the authors under this freer than GPL license 30 * so that we may further the use of strong encryption without limitations to 31 * all. 32 * 33 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR 34 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY 35 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE 36 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR 37 * PURPOSE. 38 */ 39 40 #include "pf.h" 41 #include "pfsync.h" 42 43 #include <sys/param.h> 44 #include <sys/systm.h> 45 #include <sys/mbuf.h> 46 #include <sys/socket.h> 47 #include <sys/kernel.h> 48 #include <sys/timeout.h> 49 50 #include <net/if.h> 51 #include <net/route.h> 52 53 #include <netinet/in.h> 54 #include <netinet/ip.h> 55 #include <netinet/in_pcb.h> 56 #include <netinet/ip_var.h> 57 #include <netinet/ip_ipip.h> 58 59 #if NPF > 0 60 #include <net/pfvar.h> 61 #endif 62 63 #if NPFSYNC > 0 64 #include <net/if_pfsync.h> 65 #endif 66 67 #include <netinet/ip_ipsp.h> 68 #include <net/pfkeyv2.h> 69 70 #ifdef DDB 71 #include <ddb/db_output.h> 72 void tdb_hashstats(void); 73 #endif 74 75 #ifdef ENCDEBUG 76 #define DPRINTF(x) if (encdebug) printf x 77 #else 78 #define DPRINTF(x) 79 #endif 80 81 void tdb_rehash(void); 82 void tdb_reaper(void *); 83 void tdb_timeout(void *); 84 void tdb_firstuse(void *); 85 void tdb_soft_timeout(void *); 86 void tdb_soft_firstuse(void *); 87 int tdb_hash(u_int32_t, union sockaddr_union *, u_int8_t); 88 89 int ipsec_in_use = 0; 90 u_int64_t ipsec_last_added = 0; 91 int ipsec_ids_idle = 100; /* keep free ids for 100s */ 92 93 /* Protected by the NET_LOCK(). */ 94 u_int32_t ipsec_ids_next_flow = 1; /* may not be zero */ 95 struct ipsec_ids_tree ipsec_ids_tree; 96 struct ipsec_ids_flows ipsec_ids_flows; 97 struct ipsec_policy_head ipsec_policy_head = 98 TAILQ_HEAD_INITIALIZER(ipsec_policy_head); 99 100 void ipsp_ids_timeout(void *); 101 static inline int ipsp_ids_cmp(const struct ipsec_ids *, 102 const struct ipsec_ids *); 103 static inline int ipsp_ids_flow_cmp(const struct ipsec_ids *, 104 const struct ipsec_ids *); 105 RBT_PROTOTYPE(ipsec_ids_tree, ipsec_ids, id_node_flow, ipsp_ids_cmp); 106 RBT_PROTOTYPE(ipsec_ids_flows, ipsec_ids, id_node_id, ipsp_ids_flow_cmp); 107 RBT_GENERATE(ipsec_ids_tree, ipsec_ids, id_node_flow, ipsp_ids_cmp); 108 RBT_GENERATE(ipsec_ids_flows, ipsec_ids, id_node_id, ipsp_ids_flow_cmp); 109 110 /* 111 * This is the proper place to define the various encapsulation transforms. 112 */ 113 114 struct xformsw xformsw[] = { 115 #ifdef IPSEC 116 { 117 .xf_type = XF_IP4, 118 .xf_flags = 0, 119 .xf_name = "IPv4 Simple Encapsulation", 120 .xf_attach = ipe4_attach, 121 .xf_init = ipe4_init, 122 .xf_zeroize = ipe4_zeroize, 123 .xf_input = ipe4_input, 124 .xf_output = ipip_output, 125 }, 126 { 127 .xf_type = XF_AH, 128 .xf_flags = XFT_AUTH, 129 .xf_name = "IPsec AH", 130 .xf_attach = ah_attach, 131 .xf_init = ah_init, 132 .xf_zeroize = ah_zeroize, 133 .xf_input = ah_input, 134 .xf_output = ah_output, 135 }, 136 { 137 .xf_type = XF_ESP, 138 .xf_flags = XFT_CONF|XFT_AUTH, 139 .xf_name = "IPsec ESP", 140 .xf_attach = esp_attach, 141 .xf_init = esp_init, 142 .xf_zeroize = esp_zeroize, 143 .xf_input = esp_input, 144 .xf_output = esp_output, 145 }, 146 { 147 .xf_type = XF_IPCOMP, 148 .xf_flags = XFT_COMP, 149 .xf_name = "IPcomp", 150 .xf_attach = ipcomp_attach, 151 .xf_init = ipcomp_init, 152 .xf_zeroize = ipcomp_zeroize, 153 .xf_input = ipcomp_input, 154 .xf_output = ipcomp_output, 155 }, 156 #endif /* IPSEC */ 157 #ifdef TCP_SIGNATURE 158 { 159 .xf_type = XF_TCPSIGNATURE, 160 .xf_flags = XFT_AUTH, 161 .xf_name = "TCP MD5 Signature Option, RFC 2385", 162 .xf_attach = tcp_signature_tdb_attach, 163 .xf_init = tcp_signature_tdb_init, 164 .xf_zeroize = tcp_signature_tdb_zeroize, 165 .xf_input = tcp_signature_tdb_input, 166 .xf_output = tcp_signature_tdb_output, 167 } 168 #endif /* TCP_SIGNATURE */ 169 }; 170 171 struct xformsw *xformswNXFORMSW = &xformsw[nitems(xformsw)]; 172 173 #define TDB_HASHSIZE_INIT 32 174 175 /* Protected by the NET_LOCK(). */ 176 static SIPHASH_KEY tdbkey; 177 static struct tdb **tdbh = NULL; 178 static struct tdb **tdbdst = NULL; 179 static struct tdb **tdbsrc = NULL; 180 static u_int tdb_hashmask = TDB_HASHSIZE_INIT - 1; 181 static int tdb_count; 182 183 /* 184 * Our hashing function needs to stir things with a non-zero random multiplier 185 * so we cannot be DoS-attacked via choosing of the data to hash. 186 */ 187 int 188 tdb_hash(u_int32_t spi, union sockaddr_union *dst, 189 u_int8_t proto) 190 { 191 SIPHASH_CTX ctx; 192 193 NET_ASSERT_LOCKED(); 194 195 SipHash24_Init(&ctx, &tdbkey); 196 SipHash24_Update(&ctx, &spi, sizeof(spi)); 197 SipHash24_Update(&ctx, &proto, sizeof(proto)); 198 SipHash24_Update(&ctx, dst, dst->sa.sa_len); 199 200 return (SipHash24_End(&ctx) & tdb_hashmask); 201 } 202 203 /* 204 * Reserve an SPI; the SA is not valid yet though. We use 0 as 205 * an error return value. 206 */ 207 u_int32_t 208 reserve_spi(u_int rdomain, u_int32_t sspi, u_int32_t tspi, 209 union sockaddr_union *src, union sockaddr_union *dst, 210 u_int8_t sproto, int *errval) 211 { 212 struct tdb *tdbp, *exists; 213 u_int32_t spi; 214 int nums; 215 216 NET_ASSERT_LOCKED(); 217 218 /* Don't accept ranges only encompassing reserved SPIs. */ 219 if (sproto != IPPROTO_IPCOMP && 220 (tspi < sspi || tspi <= SPI_RESERVED_MAX)) { 221 (*errval) = EINVAL; 222 return 0; 223 } 224 if (sproto == IPPROTO_IPCOMP && (tspi < sspi || 225 tspi <= CPI_RESERVED_MAX || 226 tspi >= CPI_PRIVATE_MIN)) { 227 (*errval) = EINVAL; 228 return 0; 229 } 230 231 /* Limit the range to not include reserved areas. */ 232 if (sspi <= SPI_RESERVED_MAX) 233 sspi = SPI_RESERVED_MAX + 1; 234 235 /* For IPCOMP the CPI is only 16 bits long, what a good idea.... */ 236 237 if (sproto == IPPROTO_IPCOMP) { 238 u_int32_t t; 239 if (sspi >= 0x10000) 240 sspi = 0xffff; 241 if (tspi >= 0x10000) 242 tspi = 0xffff; 243 if (sspi > tspi) { 244 t = sspi; sspi = tspi; tspi = t; 245 } 246 } 247 248 if (sspi == tspi) /* Asking for a specific SPI. */ 249 nums = 1; 250 else 251 nums = 100; /* Arbitrarily chosen */ 252 253 /* allocate ahead of time to avoid potential sleeping race in loop */ 254 tdbp = tdb_alloc(rdomain); 255 256 while (nums--) { 257 if (sspi == tspi) /* Specific SPI asked. */ 258 spi = tspi; 259 else /* Range specified */ 260 spi = sspi + arc4random_uniform(tspi - sspi); 261 262 /* Don't allocate reserved SPIs. */ 263 if (spi >= SPI_RESERVED_MIN && spi <= SPI_RESERVED_MAX) 264 continue; 265 else 266 spi = htonl(spi); 267 268 /* Check whether we're using this SPI already. */ 269 exists = gettdb(rdomain, spi, dst, sproto); 270 if (exists) 271 continue; 272 273 274 tdbp->tdb_spi = spi; 275 memcpy(&tdbp->tdb_dst.sa, &dst->sa, dst->sa.sa_len); 276 memcpy(&tdbp->tdb_src.sa, &src->sa, src->sa.sa_len); 277 tdbp->tdb_sproto = sproto; 278 tdbp->tdb_flags |= TDBF_INVALID; /* Mark SA invalid for now. */ 279 tdbp->tdb_satype = SADB_SATYPE_UNSPEC; 280 puttdb(tdbp); 281 282 #ifdef IPSEC 283 /* Setup a "silent" expiration (since TDBF_INVALID's set). */ 284 if (ipsec_keep_invalid > 0) { 285 tdbp->tdb_flags |= TDBF_TIMER; 286 tdbp->tdb_exp_timeout = ipsec_keep_invalid; 287 timeout_add_sec(&tdbp->tdb_timer_tmo, 288 ipsec_keep_invalid); 289 } 290 #endif 291 292 return spi; 293 } 294 295 (*errval) = EEXIST; 296 tdb_free(tdbp); 297 return 0; 298 } 299 300 /* 301 * An IPSP SAID is really the concatenation of the SPI found in the 302 * packet, the destination address of the packet and the IPsec protocol. 303 * When we receive an IPSP packet, we need to look up its tunnel descriptor 304 * block, based on the SPI in the packet and the destination address (which 305 * is really one of our addresses if we received the packet! 306 */ 307 struct tdb * 308 gettdb_dir(u_int rdomain, u_int32_t spi, union sockaddr_union *dst, u_int8_t proto, 309 int reverse) 310 { 311 u_int32_t hashval; 312 struct tdb *tdbp; 313 314 NET_ASSERT_LOCKED(); 315 316 if (tdbh == NULL) 317 return (struct tdb *) NULL; 318 319 hashval = tdb_hash(spi, dst, proto); 320 321 for (tdbp = tdbh[hashval]; tdbp != NULL; tdbp = tdbp->tdb_hnext) 322 if ((tdbp->tdb_spi == spi) && (tdbp->tdb_sproto == proto) && 323 ((!reverse && tdbp->tdb_rdomain == rdomain) || 324 (reverse && tdbp->tdb_rdomain_post == rdomain)) && 325 !memcmp(&tdbp->tdb_dst, dst, dst->sa.sa_len)) 326 break; 327 328 return tdbp; 329 } 330 331 /* 332 * Same as gettdb() but compare SRC as well, so we 333 * use the tdbsrc[] hash table. Setting spi to 0 334 * matches all SPIs. 335 */ 336 struct tdb * 337 gettdbbysrcdst_dir(u_int rdomain, u_int32_t spi, union sockaddr_union *src, 338 union sockaddr_union *dst, u_int8_t proto, int reverse) 339 { 340 u_int32_t hashval; 341 struct tdb *tdbp; 342 union sockaddr_union su_null; 343 344 NET_ASSERT_LOCKED(); 345 346 if (tdbsrc == NULL) 347 return (struct tdb *) NULL; 348 349 hashval = tdb_hash(0, src, proto); 350 351 for (tdbp = tdbsrc[hashval]; tdbp != NULL; tdbp = tdbp->tdb_snext) 352 if (tdbp->tdb_sproto == proto && 353 (spi == 0 || tdbp->tdb_spi == spi) && 354 ((!reverse && tdbp->tdb_rdomain == rdomain) || 355 (reverse && tdbp->tdb_rdomain_post == rdomain)) && 356 ((tdbp->tdb_flags & TDBF_INVALID) == 0) && 357 (tdbp->tdb_dst.sa.sa_family == AF_UNSPEC || 358 !memcmp(&tdbp->tdb_dst, dst, dst->sa.sa_len)) && 359 !memcmp(&tdbp->tdb_src, src, src->sa.sa_len)) 360 break; 361 362 if (tdbp != NULL) 363 return (tdbp); 364 365 memset(&su_null, 0, sizeof(su_null)); 366 su_null.sa.sa_len = sizeof(struct sockaddr); 367 hashval = tdb_hash(0, &su_null, proto); 368 369 for (tdbp = tdbsrc[hashval]; tdbp != NULL; tdbp = tdbp->tdb_snext) 370 if (tdbp->tdb_sproto == proto && 371 (spi == 0 || tdbp->tdb_spi == spi) && 372 ((!reverse && tdbp->tdb_rdomain == rdomain) || 373 (reverse && tdbp->tdb_rdomain_post == rdomain)) && 374 ((tdbp->tdb_flags & TDBF_INVALID) == 0) && 375 (tdbp->tdb_dst.sa.sa_family == AF_UNSPEC || 376 !memcmp(&tdbp->tdb_dst, dst, dst->sa.sa_len)) && 377 tdbp->tdb_src.sa.sa_family == AF_UNSPEC) 378 break; 379 380 return (tdbp); 381 } 382 383 /* 384 * Check that IDs match. Return true if so. The t* range of 385 * arguments contains information from TDBs; the p* range of 386 * arguments contains information from policies or already 387 * established TDBs. 388 */ 389 int 390 ipsp_aux_match(struct tdb *tdb, 391 struct ipsec_ids *ids, 392 struct sockaddr_encap *pfilter, 393 struct sockaddr_encap *pfiltermask) 394 { 395 if (ids != NULL) 396 if (tdb->tdb_ids == NULL || 397 !ipsp_ids_match(tdb->tdb_ids, ids)) 398 return 0; 399 400 /* Check for filter matches. */ 401 if (pfilter != NULL && pfiltermask != NULL && 402 tdb->tdb_filter.sen_type) { 403 /* 404 * XXX We should really be doing a subnet-check (see 405 * whether the TDB-associated filter is a subset 406 * of the policy's. For now, an exact match will solve 407 * most problems (all this will do is make every 408 * policy get its own SAs). 409 */ 410 if (memcmp(&tdb->tdb_filter, pfilter, 411 sizeof(struct sockaddr_encap)) || 412 memcmp(&tdb->tdb_filtermask, pfiltermask, 413 sizeof(struct sockaddr_encap))) 414 return 0; 415 } 416 417 return 1; 418 } 419 420 /* 421 * Get an SA given the remote address, the security protocol type, and 422 * the desired IDs. 423 */ 424 struct tdb * 425 gettdbbydst(u_int rdomain, union sockaddr_union *dst, u_int8_t sproto, 426 struct ipsec_ids *ids, 427 struct sockaddr_encap *filter, struct sockaddr_encap *filtermask) 428 { 429 u_int32_t hashval; 430 struct tdb *tdbp; 431 432 NET_ASSERT_LOCKED(); 433 434 if (tdbdst == NULL) 435 return (struct tdb *) NULL; 436 437 hashval = tdb_hash(0, dst, sproto); 438 439 for (tdbp = tdbdst[hashval]; tdbp != NULL; tdbp = tdbp->tdb_dnext) 440 if ((tdbp->tdb_sproto == sproto) && 441 (tdbp->tdb_rdomain == rdomain) && 442 ((tdbp->tdb_flags & TDBF_INVALID) == 0) && 443 (!memcmp(&tdbp->tdb_dst, dst, dst->sa.sa_len))) { 444 /* Do IDs match ? */ 445 if (!ipsp_aux_match(tdbp, ids, filter, filtermask)) 446 continue; 447 break; 448 } 449 450 return tdbp; 451 } 452 453 /* 454 * Get an SA given the source address, the security protocol type, and 455 * the desired IDs. 456 */ 457 struct tdb * 458 gettdbbysrc(u_int rdomain, union sockaddr_union *src, u_int8_t sproto, 459 struct ipsec_ids *ids, 460 struct sockaddr_encap *filter, struct sockaddr_encap *filtermask) 461 { 462 u_int32_t hashval; 463 struct tdb *tdbp; 464 465 NET_ASSERT_LOCKED(); 466 467 if (tdbsrc == NULL) 468 return (struct tdb *) NULL; 469 470 hashval = tdb_hash(0, src, sproto); 471 472 for (tdbp = tdbsrc[hashval]; tdbp != NULL; tdbp = tdbp->tdb_snext) 473 if ((tdbp->tdb_sproto == sproto) && 474 (tdbp->tdb_rdomain == rdomain) && 475 ((tdbp->tdb_flags & TDBF_INVALID) == 0) && 476 (!memcmp(&tdbp->tdb_src, src, src->sa.sa_len))) { 477 /* Check whether IDs match */ 478 if (!ipsp_aux_match(tdbp, ids, filter, 479 filtermask)) 480 continue; 481 break; 482 } 483 484 return tdbp; 485 } 486 487 #if DDB 488 489 #define NBUCKETS 16 490 void 491 tdb_hashstats(void) 492 { 493 int i, cnt, buckets[NBUCKETS]; 494 struct tdb *tdbp; 495 496 if (tdbh == NULL) { 497 db_printf("no tdb hash table\n"); 498 return; 499 } 500 501 memset(buckets, 0, sizeof(buckets)); 502 for (i = 0; i <= tdb_hashmask; i++) { 503 cnt = 0; 504 for (tdbp = tdbh[i]; cnt < NBUCKETS - 1 && tdbp != NULL; 505 tdbp = tdbp->tdb_hnext) 506 cnt++; 507 buckets[cnt]++; 508 } 509 510 db_printf("tdb cnt\t\tbucket cnt\n"); 511 for (i = 0; i < NBUCKETS; i++) 512 if (buckets[i] > 0) 513 db_printf("%d%s\t\t%d\n", i, i == NBUCKETS - 1 ? 514 "+" : "", buckets[i]); 515 } 516 #endif /* DDB */ 517 518 int 519 tdb_walk(u_int rdomain, int (*walker)(struct tdb *, void *, int), void *arg) 520 { 521 int i, rval = 0; 522 struct tdb *tdbp, *next; 523 524 NET_ASSERT_LOCKED(); 525 526 if (tdbh == NULL) 527 return ENOENT; 528 529 for (i = 0; i <= tdb_hashmask; i++) 530 for (tdbp = tdbh[i]; rval == 0 && tdbp != NULL; tdbp = next) { 531 next = tdbp->tdb_hnext; 532 533 if (rdomain != tdbp->tdb_rdomain) 534 continue; 535 536 if (i == tdb_hashmask && next == NULL) 537 rval = walker(tdbp, (void *)arg, 1); 538 else 539 rval = walker(tdbp, (void *)arg, 0); 540 } 541 542 return rval; 543 } 544 545 void 546 tdb_timeout(void *v) 547 { 548 struct tdb *tdb = v; 549 550 NET_LOCK(); 551 if (tdb->tdb_flags & TDBF_TIMER) { 552 /* If it's an "invalid" TDB do a silent expiration. */ 553 if (!(tdb->tdb_flags & TDBF_INVALID)) 554 pfkeyv2_expire(tdb, SADB_EXT_LIFETIME_HARD); 555 tdb_delete(tdb); 556 } 557 NET_UNLOCK(); 558 } 559 560 void 561 tdb_firstuse(void *v) 562 { 563 struct tdb *tdb = v; 564 565 NET_LOCK(); 566 if (tdb->tdb_flags & TDBF_SOFT_FIRSTUSE) { 567 /* If the TDB hasn't been used, don't renew it. */ 568 if (tdb->tdb_first_use != 0) 569 pfkeyv2_expire(tdb, SADB_EXT_LIFETIME_HARD); 570 tdb_delete(tdb); 571 } 572 NET_UNLOCK(); 573 } 574 575 void 576 tdb_soft_timeout(void *v) 577 { 578 struct tdb *tdb = v; 579 580 NET_LOCK(); 581 if (tdb->tdb_flags & TDBF_SOFT_TIMER) { 582 /* Soft expirations. */ 583 pfkeyv2_expire(tdb, SADB_EXT_LIFETIME_SOFT); 584 tdb->tdb_flags &= ~TDBF_SOFT_TIMER; 585 } 586 NET_UNLOCK(); 587 } 588 589 void 590 tdb_soft_firstuse(void *v) 591 { 592 struct tdb *tdb = v; 593 594 NET_LOCK(); 595 if (tdb->tdb_flags & TDBF_SOFT_FIRSTUSE) { 596 /* If the TDB hasn't been used, don't renew it. */ 597 if (tdb->tdb_first_use != 0) 598 pfkeyv2_expire(tdb, SADB_EXT_LIFETIME_SOFT); 599 tdb->tdb_flags &= ~TDBF_SOFT_FIRSTUSE; 600 } 601 NET_UNLOCK(); 602 } 603 604 void 605 tdb_rehash(void) 606 { 607 struct tdb **new_tdbh, **new_tdbdst, **new_srcaddr, *tdbp, *tdbnp; 608 u_int i, old_hashmask = tdb_hashmask; 609 u_int32_t hashval; 610 611 NET_ASSERT_LOCKED(); 612 613 tdb_hashmask = (tdb_hashmask << 1) | 1; 614 615 arc4random_buf(&tdbkey, sizeof(tdbkey)); 616 new_tdbh = mallocarray(tdb_hashmask + 1, sizeof(struct tdb *), M_TDB, 617 M_WAITOK | M_ZERO); 618 new_tdbdst = mallocarray(tdb_hashmask + 1, sizeof(struct tdb *), M_TDB, 619 M_WAITOK | M_ZERO); 620 new_srcaddr = mallocarray(tdb_hashmask + 1, sizeof(struct tdb *), M_TDB, 621 M_WAITOK | M_ZERO); 622 623 for (i = 0; i <= old_hashmask; i++) { 624 for (tdbp = tdbh[i]; tdbp != NULL; tdbp = tdbnp) { 625 tdbnp = tdbp->tdb_hnext; 626 hashval = tdb_hash(tdbp->tdb_spi, &tdbp->tdb_dst, 627 tdbp->tdb_sproto); 628 tdbp->tdb_hnext = new_tdbh[hashval]; 629 new_tdbh[hashval] = tdbp; 630 } 631 632 for (tdbp = tdbdst[i]; tdbp != NULL; tdbp = tdbnp) { 633 tdbnp = tdbp->tdb_dnext; 634 hashval = tdb_hash(0, &tdbp->tdb_dst, tdbp->tdb_sproto); 635 tdbp->tdb_dnext = new_tdbdst[hashval]; 636 new_tdbdst[hashval] = tdbp; 637 } 638 639 for (tdbp = tdbsrc[i]; tdbp != NULL; tdbp = tdbnp) { 640 tdbnp = tdbp->tdb_snext; 641 hashval = tdb_hash(0, &tdbp->tdb_src, tdbp->tdb_sproto); 642 tdbp->tdb_snext = new_srcaddr[hashval]; 643 new_srcaddr[hashval] = tdbp; 644 } 645 } 646 647 free(tdbh, M_TDB, 0); 648 tdbh = new_tdbh; 649 650 free(tdbdst, M_TDB, 0); 651 tdbdst = new_tdbdst; 652 653 free(tdbsrc, M_TDB, 0); 654 tdbsrc = new_srcaddr; 655 } 656 657 /* 658 * Add TDB in the hash table. 659 */ 660 void 661 puttdb(struct tdb *tdbp) 662 { 663 u_int32_t hashval; 664 665 NET_ASSERT_LOCKED(); 666 667 if (tdbh == NULL) { 668 arc4random_buf(&tdbkey, sizeof(tdbkey)); 669 tdbh = mallocarray(tdb_hashmask + 1, sizeof(struct tdb *), 670 M_TDB, M_WAITOK | M_ZERO); 671 tdbdst = mallocarray(tdb_hashmask + 1, sizeof(struct tdb *), 672 M_TDB, M_WAITOK | M_ZERO); 673 tdbsrc = mallocarray(tdb_hashmask + 1, sizeof(struct tdb *), 674 M_TDB, M_WAITOK | M_ZERO); 675 } 676 677 hashval = tdb_hash(tdbp->tdb_spi, &tdbp->tdb_dst, tdbp->tdb_sproto); 678 679 /* 680 * Rehash if this tdb would cause a bucket to have more than 681 * two items and if the number of tdbs exceed 10% of the 682 * bucket count. This number is arbitratily chosen and is 683 * just a measure to not keep rehashing when adding and 684 * removing tdbs which happens to always end up in the same 685 * bucket, which is not uncommon when doing manual keying. 686 */ 687 if (tdbh[hashval] != NULL && tdbh[hashval]->tdb_hnext != NULL && 688 tdb_count * 10 > tdb_hashmask + 1) { 689 tdb_rehash(); 690 hashval = tdb_hash(tdbp->tdb_spi, &tdbp->tdb_dst, 691 tdbp->tdb_sproto); 692 } 693 694 tdbp->tdb_hnext = tdbh[hashval]; 695 tdbh[hashval] = tdbp; 696 697 hashval = tdb_hash(0, &tdbp->tdb_dst, tdbp->tdb_sproto); 698 tdbp->tdb_dnext = tdbdst[hashval]; 699 tdbdst[hashval] = tdbp; 700 701 hashval = tdb_hash(0, &tdbp->tdb_src, tdbp->tdb_sproto); 702 tdbp->tdb_snext = tdbsrc[hashval]; 703 tdbsrc[hashval] = tdbp; 704 705 tdb_count++; 706 #ifdef IPSEC 707 if ((tdbp->tdb_flags & (TDBF_INVALID|TDBF_TUNNELING)) == TDBF_TUNNELING) 708 ipsecstat_inc(ipsec_tunnels); 709 #endif /* IPSEC */ 710 711 ipsec_last_added = getuptime(); 712 } 713 714 void 715 tdb_unlink(struct tdb *tdbp) 716 { 717 struct tdb *tdbpp; 718 u_int32_t hashval; 719 720 NET_ASSERT_LOCKED(); 721 722 if (tdbh == NULL) 723 return; 724 725 hashval = tdb_hash(tdbp->tdb_spi, &tdbp->tdb_dst, tdbp->tdb_sproto); 726 727 if (tdbh[hashval] == tdbp) { 728 tdbh[hashval] = tdbp->tdb_hnext; 729 } else { 730 for (tdbpp = tdbh[hashval]; tdbpp != NULL; 731 tdbpp = tdbpp->tdb_hnext) { 732 if (tdbpp->tdb_hnext == tdbp) { 733 tdbpp->tdb_hnext = tdbp->tdb_hnext; 734 break; 735 } 736 } 737 } 738 739 tdbp->tdb_hnext = NULL; 740 741 hashval = tdb_hash(0, &tdbp->tdb_dst, tdbp->tdb_sproto); 742 743 if (tdbdst[hashval] == tdbp) { 744 tdbdst[hashval] = tdbp->tdb_dnext; 745 } else { 746 for (tdbpp = tdbdst[hashval]; tdbpp != NULL; 747 tdbpp = tdbpp->tdb_dnext) { 748 if (tdbpp->tdb_dnext == tdbp) { 749 tdbpp->tdb_dnext = tdbp->tdb_dnext; 750 break; 751 } 752 } 753 } 754 755 tdbp->tdb_dnext = NULL; 756 757 hashval = tdb_hash(0, &tdbp->tdb_src, tdbp->tdb_sproto); 758 759 if (tdbsrc[hashval] == tdbp) { 760 tdbsrc[hashval] = tdbp->tdb_snext; 761 } 762 else { 763 for (tdbpp = tdbsrc[hashval]; tdbpp != NULL; 764 tdbpp = tdbpp->tdb_snext) { 765 if (tdbpp->tdb_snext == tdbp) { 766 tdbpp->tdb_snext = tdbp->tdb_snext; 767 break; 768 } 769 } 770 } 771 772 tdbp->tdb_snext = NULL; 773 tdb_count--; 774 #ifdef IPSEC 775 if ((tdbp->tdb_flags & (TDBF_INVALID|TDBF_TUNNELING)) == 776 TDBF_TUNNELING) { 777 ipsecstat_dec(ipsec_tunnels); 778 ipsecstat_inc(ipsec_prevtunnels); 779 } 780 #endif /* IPSEC */ 781 } 782 783 void 784 tdb_delete(struct tdb *tdbp) 785 { 786 NET_ASSERT_LOCKED(); 787 788 tdb_unlink(tdbp); 789 tdb_free(tdbp); 790 } 791 792 /* 793 * Allocate a TDB and initialize a few basic fields. 794 */ 795 struct tdb * 796 tdb_alloc(u_int rdomain) 797 { 798 struct tdb *tdbp; 799 800 NET_ASSERT_LOCKED(); 801 802 tdbp = malloc(sizeof(*tdbp), M_TDB, M_WAITOK | M_ZERO); 803 804 TAILQ_INIT(&tdbp->tdb_policy_head); 805 806 /* Record establishment time. */ 807 tdbp->tdb_established = gettime(); 808 809 /* Save routing domain */ 810 tdbp->tdb_rdomain = rdomain; 811 tdbp->tdb_rdomain_post = rdomain; 812 813 /* Initialize timeouts. */ 814 timeout_set_proc(&tdbp->tdb_timer_tmo, tdb_timeout, tdbp); 815 timeout_set_proc(&tdbp->tdb_first_tmo, tdb_firstuse, tdbp); 816 timeout_set_proc(&tdbp->tdb_stimer_tmo, tdb_soft_timeout, tdbp); 817 timeout_set_proc(&tdbp->tdb_sfirst_tmo, tdb_soft_firstuse, tdbp); 818 819 return tdbp; 820 } 821 822 void 823 tdb_free(struct tdb *tdbp) 824 { 825 struct ipsec_policy *ipo; 826 827 NET_ASSERT_LOCKED(); 828 829 if (tdbp->tdb_xform) { 830 (*(tdbp->tdb_xform->xf_zeroize))(tdbp); 831 tdbp->tdb_xform = NULL; 832 } 833 834 #if NPFSYNC > 0 835 /* Cleanup pfsync references */ 836 pfsync_delete_tdb(tdbp); 837 #endif 838 839 /* Cleanup SPD references. */ 840 for (ipo = TAILQ_FIRST(&tdbp->tdb_policy_head); ipo; 841 ipo = TAILQ_FIRST(&tdbp->tdb_policy_head)) { 842 TAILQ_REMOVE(&tdbp->tdb_policy_head, ipo, ipo_tdb_next); 843 ipo->ipo_tdb = NULL; 844 ipo->ipo_last_searched = 0; /* Force a re-search. */ 845 } 846 847 if (tdbp->tdb_ids) { 848 ipsp_ids_free(tdbp->tdb_ids); 849 tdbp->tdb_ids = NULL; 850 } 851 852 #if NPF > 0 853 if (tdbp->tdb_tag) { 854 pf_tag_unref(tdbp->tdb_tag); 855 tdbp->tdb_tag = 0; 856 } 857 #endif 858 859 if ((tdbp->tdb_onext) && (tdbp->tdb_onext->tdb_inext == tdbp)) 860 tdbp->tdb_onext->tdb_inext = NULL; 861 862 if ((tdbp->tdb_inext) && (tdbp->tdb_inext->tdb_onext == tdbp)) 863 tdbp->tdb_inext->tdb_onext = NULL; 864 865 /* Remove expiration timeouts. */ 866 tdbp->tdb_flags &= ~(TDBF_FIRSTUSE | TDBF_SOFT_FIRSTUSE | TDBF_TIMER | 867 TDBF_SOFT_TIMER); 868 timeout_del(&tdbp->tdb_timer_tmo); 869 timeout_del(&tdbp->tdb_first_tmo); 870 timeout_del(&tdbp->tdb_stimer_tmo); 871 timeout_del(&tdbp->tdb_sfirst_tmo); 872 873 timeout_set_proc(&tdbp->tdb_timer_tmo, tdb_reaper, tdbp); 874 timeout_add(&tdbp->tdb_timer_tmo, 0); 875 } 876 877 void 878 tdb_reaper(void *xtdbp) 879 { 880 struct tdb *tdbp = xtdbp; 881 882 free(tdbp, M_TDB, 0); 883 } 884 885 /* 886 * Do further initializations of a TDB. 887 */ 888 int 889 tdb_init(struct tdb *tdbp, u_int16_t alg, struct ipsecinit *ii) 890 { 891 struct xformsw *xsp; 892 int err; 893 #ifdef ENCDEBUG 894 char buf[INET6_ADDRSTRLEN]; 895 #endif 896 897 for (xsp = xformsw; xsp < xformswNXFORMSW; xsp++) { 898 if (xsp->xf_type == alg) { 899 err = (*(xsp->xf_init))(tdbp, xsp, ii); 900 return err; 901 } 902 } 903 904 DPRINTF(("%s: no alg %d for spi %08x, addr %s, proto %d\n", __func__, 905 alg, ntohl(tdbp->tdb_spi), ipsp_address(&tdbp->tdb_dst, buf, 906 sizeof(buf)), tdbp->tdb_sproto)); 907 908 return EINVAL; 909 } 910 911 #ifdef ENCDEBUG 912 /* Return a printable string for the address. */ 913 const char * 914 ipsp_address(union sockaddr_union *sa, char *buf, socklen_t size) 915 { 916 switch (sa->sa.sa_family) { 917 case AF_INET: 918 return inet_ntop(AF_INET, &sa->sin.sin_addr, 919 buf, (size_t)size); 920 921 #ifdef INET6 922 case AF_INET6: 923 return inet_ntop(AF_INET6, &sa->sin6.sin6_addr, 924 buf, (size_t)size); 925 #endif /* INET6 */ 926 927 default: 928 return "(unknown address family)"; 929 } 930 } 931 #endif /* ENCDEBUG */ 932 933 /* Check whether an IP{4,6} address is unspecified. */ 934 int 935 ipsp_is_unspecified(union sockaddr_union addr) 936 { 937 switch (addr.sa.sa_family) { 938 case AF_INET: 939 if (addr.sin.sin_addr.s_addr == INADDR_ANY) 940 return 1; 941 else 942 return 0; 943 944 #ifdef INET6 945 case AF_INET6: 946 if (IN6_IS_ADDR_UNSPECIFIED(&addr.sin6.sin6_addr)) 947 return 1; 948 else 949 return 0; 950 #endif /* INET6 */ 951 952 case 0: /* No family set. */ 953 default: 954 return 1; 955 } 956 } 957 958 int 959 ipsp_ids_match(struct ipsec_ids *a, struct ipsec_ids *b) 960 { 961 return a == b; 962 } 963 964 struct ipsec_ids * 965 ipsp_ids_insert(struct ipsec_ids *ids) 966 { 967 struct ipsec_ids *found; 968 u_int32_t start_flow; 969 970 NET_ASSERT_LOCKED(); 971 972 found = RBT_INSERT(ipsec_ids_tree, &ipsec_ids_tree, ids); 973 if (found) { 974 /* if refcount was zero, then timeout is running */ 975 if (found->id_refcount++ == 0) 976 timeout_del(&found->id_timeout); 977 DPRINTF(("%s: ids %p count %d\n", __func__, 978 found, found->id_refcount)); 979 return found; 980 } 981 ids->id_flow = start_flow = ipsec_ids_next_flow; 982 if (++ipsec_ids_next_flow == 0) 983 ipsec_ids_next_flow = 1; 984 while (RBT_INSERT(ipsec_ids_flows, &ipsec_ids_flows, ids) != NULL) { 985 ids->id_flow = ipsec_ids_next_flow; 986 if (++ipsec_ids_next_flow == 0) 987 ipsec_ids_next_flow = 1; 988 if (ipsec_ids_next_flow == start_flow) { 989 DPRINTF(("ipsec_ids_next_flow exhausted %u\n", 990 ipsec_ids_next_flow)); 991 return NULL; 992 } 993 } 994 ids->id_refcount = 1; 995 DPRINTF(("%s: new ids %p flow %u\n", __func__, ids, ids->id_flow)); 996 timeout_set_proc(&ids->id_timeout, ipsp_ids_timeout, ids); 997 return ids; 998 } 999 1000 struct ipsec_ids * 1001 ipsp_ids_lookup(u_int32_t ipsecflowinfo) 1002 { 1003 struct ipsec_ids key; 1004 1005 NET_ASSERT_LOCKED(); 1006 1007 key.id_flow = ipsecflowinfo; 1008 return RBT_FIND(ipsec_ids_flows, &ipsec_ids_flows, &key); 1009 } 1010 1011 /* free ids only from delayed timeout */ 1012 void 1013 ipsp_ids_timeout(void *arg) 1014 { 1015 struct ipsec_ids *ids = arg; 1016 1017 DPRINTF(("%s: ids %p count %d\n", __func__, ids, ids->id_refcount)); 1018 KASSERT(ids->id_refcount == 0); 1019 1020 NET_LOCK(); 1021 RBT_REMOVE(ipsec_ids_tree, &ipsec_ids_tree, ids); 1022 RBT_REMOVE(ipsec_ids_flows, &ipsec_ids_flows, ids); 1023 free(ids->id_local, M_CREDENTIALS, 0); 1024 free(ids->id_remote, M_CREDENTIALS, 0); 1025 free(ids, M_CREDENTIALS, 0); 1026 NET_UNLOCK(); 1027 } 1028 1029 /* decrements refcount, actual free happens in timeout */ 1030 void 1031 ipsp_ids_free(struct ipsec_ids *ids) 1032 { 1033 /* 1034 * If the refcount becomes zero, then a timeout is started. This 1035 * timeout must be cancelled if refcount is increased from zero. 1036 */ 1037 DPRINTF(("%s: ids %p count %d\n", __func__, ids, ids->id_refcount)); 1038 KASSERT(ids->id_refcount > 0); 1039 if (--ids->id_refcount == 0) 1040 timeout_add_sec(&ids->id_timeout, ipsec_ids_idle); 1041 } 1042 1043 static int 1044 ipsp_id_cmp(struct ipsec_id *a, struct ipsec_id *b) 1045 { 1046 if (a->type > b->type) 1047 return 1; 1048 if (a->type < b->type) 1049 return -1; 1050 if (a->len > b->len) 1051 return 1; 1052 if (a->len < b->len) 1053 return -1; 1054 return memcmp(a + 1, b + 1, a->len); 1055 } 1056 1057 static inline int 1058 ipsp_ids_cmp(const struct ipsec_ids *a, const struct ipsec_ids *b) 1059 { 1060 int ret; 1061 1062 ret = ipsp_id_cmp(a->id_remote, b->id_remote); 1063 if (ret != 0) 1064 return ret; 1065 return ipsp_id_cmp(a->id_local, b->id_local); 1066 } 1067 1068 static inline int 1069 ipsp_ids_flow_cmp(const struct ipsec_ids *a, const struct ipsec_ids *b) 1070 { 1071 if (a->id_flow > b->id_flow) 1072 return 1; 1073 if (a->id_flow < b->id_flow) 1074 return -1; 1075 return 0; 1076 } 1077