1 /* $OpenBSD: ip_ipsp.c,v 1.234 2019/05/11 17:16:21 benno Exp $ */ 2 /* 3 * The authors of this code are John Ioannidis (ji@tla.org), 4 * Angelos D. Keromytis (kermit@csd.uch.gr), 5 * Niels Provos (provos@physnet.uni-hamburg.de) and 6 * Niklas Hallqvist (niklas@appli.se). 7 * 8 * The original version of this code was written by John Ioannidis 9 * for BSD/OS in Athens, Greece, in November 1995. 10 * 11 * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996, 12 * by Angelos D. Keromytis. 13 * 14 * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis 15 * and Niels Provos. 16 * 17 * Additional features in 1999 by Angelos D. Keromytis and Niklas Hallqvist. 18 * 19 * Copyright (c) 1995, 1996, 1997, 1998, 1999 by John Ioannidis, 20 * Angelos D. Keromytis and Niels Provos. 21 * Copyright (c) 1999 Niklas Hallqvist. 22 * Copyright (c) 2001, Angelos D. Keromytis. 23 * 24 * Permission to use, copy, and modify this software with or without fee 25 * is hereby granted, provided that this entire notice is included in 26 * all copies of any software which is or includes a copy or 27 * modification of this software. 28 * You may use this code under the GNU public license if you so wish. Please 29 * contribute changes back to the authors under this freer than GPL license 30 * so that we may further the use of strong encryption without limitations to 31 * all. 32 * 33 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR 34 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY 35 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE 36 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR 37 * PURPOSE. 38 */ 39 40 #include "pf.h" 41 #include "pfsync.h" 42 43 #include <sys/param.h> 44 #include <sys/systm.h> 45 #include <sys/mbuf.h> 46 #include <sys/socket.h> 47 #include <sys/kernel.h> 48 #include <sys/timeout.h> 49 50 #include <net/if.h> 51 #include <net/route.h> 52 53 #include <netinet/in.h> 54 #include <netinet/ip.h> 55 #include <netinet/in_pcb.h> 56 #include <netinet/ip_var.h> 57 #include <netinet/ip_ipip.h> 58 59 #if NPF > 0 60 #include <net/pfvar.h> 61 #endif 62 63 #if NPFSYNC > 0 64 #include <net/if_pfsync.h> 65 #endif 66 67 #include <netinet/ip_ipsp.h> 68 #include <net/pfkeyv2.h> 69 70 #ifdef DDB 71 #include <ddb/db_output.h> 72 void tdb_hashstats(void); 73 #endif 74 75 #ifdef ENCDEBUG 76 #define DPRINTF(x) if (encdebug) printf x 77 #else 78 #define DPRINTF(x) 79 #endif 80 81 void tdb_rehash(void); 82 void tdb_reaper(void *); 83 void tdb_timeout(void *); 84 void tdb_firstuse(void *); 85 void tdb_soft_timeout(void *); 86 void tdb_soft_firstuse(void *); 87 int tdb_hash(u_int, u_int32_t, union sockaddr_union *, u_int8_t); 88 89 int ipsec_in_use = 0; 90 u_int64_t ipsec_last_added = 0; 91 int ipsec_ids_idle = 100; /* keep free ids for 100s */ 92 93 /* Protected by the NET_LOCK(). */ 94 u_int32_t ipsec_ids_next_flow = 1; /* may not be zero */ 95 struct ipsec_ids_tree ipsec_ids_tree; 96 struct ipsec_ids_flows ipsec_ids_flows; 97 struct ipsec_policy_head ipsec_policy_head = 98 TAILQ_HEAD_INITIALIZER(ipsec_policy_head); 99 100 void ipsp_ids_timeout(void *); 101 static inline int ipsp_ids_cmp(const struct ipsec_ids *, 102 const struct ipsec_ids *); 103 static inline int ipsp_ids_flow_cmp(const struct ipsec_ids *, 104 const struct ipsec_ids *); 105 RBT_PROTOTYPE(ipsec_ids_tree, ipsec_ids, id_node_flow, ipsp_ids_cmp); 106 RBT_PROTOTYPE(ipsec_ids_flows, ipsec_ids, id_node_id, ipsp_ids_flow_cmp); 107 RBT_GENERATE(ipsec_ids_tree, ipsec_ids, id_node_flow, ipsp_ids_cmp); 108 RBT_GENERATE(ipsec_ids_flows, ipsec_ids, id_node_id, ipsp_ids_flow_cmp); 109 110 /* 111 * This is the proper place to define the various encapsulation transforms. 112 */ 113 114 struct xformsw xformsw[] = { 115 #ifdef IPSEC 116 { 117 .xf_type = XF_IP4, 118 .xf_flags = 0, 119 .xf_name = "IPv4 Simple Encapsulation", 120 .xf_attach = ipe4_attach, 121 .xf_init = ipe4_init, 122 .xf_zeroize = ipe4_zeroize, 123 .xf_input = ipe4_input, 124 .xf_output = ipip_output, 125 }, 126 { 127 .xf_type = XF_AH, 128 .xf_flags = XFT_AUTH, 129 .xf_name = "IPsec AH", 130 .xf_attach = ah_attach, 131 .xf_init = ah_init, 132 .xf_zeroize = ah_zeroize, 133 .xf_input = ah_input, 134 .xf_output = ah_output, 135 }, 136 { 137 .xf_type = XF_ESP, 138 .xf_flags = XFT_CONF|XFT_AUTH, 139 .xf_name = "IPsec ESP", 140 .xf_attach = esp_attach, 141 .xf_init = esp_init, 142 .xf_zeroize = esp_zeroize, 143 .xf_input = esp_input, 144 .xf_output = esp_output, 145 }, 146 { 147 .xf_type = XF_IPCOMP, 148 .xf_flags = XFT_COMP, 149 .xf_name = "IPcomp", 150 .xf_attach = ipcomp_attach, 151 .xf_init = ipcomp_init, 152 .xf_zeroize = ipcomp_zeroize, 153 .xf_input = ipcomp_input, 154 .xf_output = ipcomp_output, 155 }, 156 #endif /* IPSEC */ 157 #ifdef TCP_SIGNATURE 158 { 159 .xf_type = XF_TCPSIGNATURE, 160 .xf_flags = XFT_AUTH, 161 .xf_name = "TCP MD5 Signature Option, RFC 2385", 162 .xf_attach = tcp_signature_tdb_attach, 163 .xf_init = tcp_signature_tdb_init, 164 .xf_zeroize = tcp_signature_tdb_zeroize, 165 .xf_input = tcp_signature_tdb_input, 166 .xf_output = tcp_signature_tdb_output, 167 } 168 #endif /* TCP_SIGNATURE */ 169 }; 170 171 struct xformsw *xformswNXFORMSW = &xformsw[nitems(xformsw)]; 172 173 #define TDB_HASHSIZE_INIT 32 174 175 /* Protected by the NET_LOCK(). */ 176 static SIPHASH_KEY tdbkey; 177 static struct tdb **tdbh = NULL; 178 static struct tdb **tdbdst = NULL; 179 static struct tdb **tdbsrc = NULL; 180 static u_int tdb_hashmask = TDB_HASHSIZE_INIT - 1; 181 static int tdb_count; 182 183 /* 184 * Our hashing function needs to stir things with a non-zero random multiplier 185 * so we cannot be DoS-attacked via choosing of the data to hash. 186 */ 187 int 188 tdb_hash(u_int rdomain, u_int32_t spi, union sockaddr_union *dst, 189 u_int8_t proto) 190 { 191 SIPHASH_CTX ctx; 192 193 NET_ASSERT_LOCKED(); 194 195 SipHash24_Init(&ctx, &tdbkey); 196 SipHash24_Update(&ctx, &rdomain, sizeof(rdomain)); 197 SipHash24_Update(&ctx, &spi, sizeof(spi)); 198 SipHash24_Update(&ctx, &proto, sizeof(proto)); 199 SipHash24_Update(&ctx, dst, dst->sa.sa_len); 200 201 return (SipHash24_End(&ctx) & tdb_hashmask); 202 } 203 204 /* 205 * Reserve an SPI; the SA is not valid yet though. We use 0 as 206 * an error return value. 207 */ 208 u_int32_t 209 reserve_spi(u_int rdomain, u_int32_t sspi, u_int32_t tspi, 210 union sockaddr_union *src, union sockaddr_union *dst, 211 u_int8_t sproto, int *errval) 212 { 213 struct tdb *tdbp, *exists; 214 u_int32_t spi; 215 int nums; 216 217 NET_ASSERT_LOCKED(); 218 219 /* Don't accept ranges only encompassing reserved SPIs. */ 220 if (sproto != IPPROTO_IPCOMP && 221 (tspi < sspi || tspi <= SPI_RESERVED_MAX)) { 222 (*errval) = EINVAL; 223 return 0; 224 } 225 if (sproto == IPPROTO_IPCOMP && (tspi < sspi || 226 tspi <= CPI_RESERVED_MAX || 227 tspi >= CPI_PRIVATE_MIN)) { 228 (*errval) = EINVAL; 229 return 0; 230 } 231 232 /* Limit the range to not include reserved areas. */ 233 if (sspi <= SPI_RESERVED_MAX) 234 sspi = SPI_RESERVED_MAX + 1; 235 236 /* For IPCOMP the CPI is only 16 bits long, what a good idea.... */ 237 238 if (sproto == IPPROTO_IPCOMP) { 239 u_int32_t t; 240 if (sspi >= 0x10000) 241 sspi = 0xffff; 242 if (tspi >= 0x10000) 243 tspi = 0xffff; 244 if (sspi > tspi) { 245 t = sspi; sspi = tspi; tspi = t; 246 } 247 } 248 249 if (sspi == tspi) /* Asking for a specific SPI. */ 250 nums = 1; 251 else 252 nums = 100; /* Arbitrarily chosen */ 253 254 /* allocate ahead of time to avoid potential sleeping race in loop */ 255 tdbp = tdb_alloc(rdomain); 256 257 while (nums--) { 258 if (sspi == tspi) /* Specific SPI asked. */ 259 spi = tspi; 260 else /* Range specified */ 261 spi = sspi + arc4random_uniform(tspi - sspi); 262 263 /* Don't allocate reserved SPIs. */ 264 if (spi >= SPI_RESERVED_MIN && spi <= SPI_RESERVED_MAX) 265 continue; 266 else 267 spi = htonl(spi); 268 269 /* Check whether we're using this SPI already. */ 270 exists = gettdb(rdomain, spi, dst, sproto); 271 if (exists) 272 continue; 273 274 275 tdbp->tdb_spi = spi; 276 memcpy(&tdbp->tdb_dst.sa, &dst->sa, dst->sa.sa_len); 277 memcpy(&tdbp->tdb_src.sa, &src->sa, src->sa.sa_len); 278 tdbp->tdb_sproto = sproto; 279 tdbp->tdb_flags |= TDBF_INVALID; /* Mark SA invalid for now. */ 280 tdbp->tdb_satype = SADB_SATYPE_UNSPEC; 281 puttdb(tdbp); 282 283 #ifdef IPSEC 284 /* Setup a "silent" expiration (since TDBF_INVALID's set). */ 285 if (ipsec_keep_invalid > 0) { 286 tdbp->tdb_flags |= TDBF_TIMER; 287 tdbp->tdb_exp_timeout = ipsec_keep_invalid; 288 timeout_add_sec(&tdbp->tdb_timer_tmo, 289 ipsec_keep_invalid); 290 } 291 #endif 292 293 return spi; 294 } 295 296 (*errval) = EEXIST; 297 tdb_free(tdbp); 298 return 0; 299 } 300 301 /* 302 * An IPSP SAID is really the concatenation of the SPI found in the 303 * packet, the destination address of the packet and the IPsec protocol. 304 * When we receive an IPSP packet, we need to look up its tunnel descriptor 305 * block, based on the SPI in the packet and the destination address (which 306 * is really one of our addresses if we received the packet! 307 */ 308 struct tdb * 309 gettdb(u_int rdomain, u_int32_t spi, union sockaddr_union *dst, u_int8_t proto) 310 { 311 u_int32_t hashval; 312 struct tdb *tdbp; 313 314 NET_ASSERT_LOCKED(); 315 316 if (tdbh == NULL) 317 return (struct tdb *) NULL; 318 319 hashval = tdb_hash(rdomain, spi, dst, proto); 320 321 for (tdbp = tdbh[hashval]; tdbp != NULL; tdbp = tdbp->tdb_hnext) 322 if ((tdbp->tdb_spi == spi) && (tdbp->tdb_sproto == proto) && 323 (tdbp->tdb_rdomain == rdomain) && 324 !memcmp(&tdbp->tdb_dst, dst, dst->sa.sa_len)) 325 break; 326 327 return tdbp; 328 } 329 330 /* 331 * Same as gettdb() but compare SRC as well, so we 332 * use the tdbsrc[] hash table. Setting spi to 0 333 * matches all SPIs. 334 */ 335 struct tdb * 336 gettdbbysrcdst(u_int rdomain, u_int32_t spi, union sockaddr_union *src, 337 union sockaddr_union *dst, u_int8_t proto) 338 { 339 u_int32_t hashval; 340 struct tdb *tdbp; 341 union sockaddr_union su_null; 342 343 NET_ASSERT_LOCKED(); 344 345 if (tdbsrc == NULL) 346 return (struct tdb *) NULL; 347 348 hashval = tdb_hash(rdomain, 0, src, proto); 349 350 for (tdbp = tdbsrc[hashval]; tdbp != NULL; tdbp = tdbp->tdb_snext) 351 if (tdbp->tdb_sproto == proto && 352 (spi == 0 || tdbp->tdb_spi == spi) && 353 (tdbp->tdb_rdomain == rdomain) && 354 ((tdbp->tdb_flags & TDBF_INVALID) == 0) && 355 (tdbp->tdb_dst.sa.sa_family == AF_UNSPEC || 356 !memcmp(&tdbp->tdb_dst, dst, dst->sa.sa_len)) && 357 !memcmp(&tdbp->tdb_src, src, src->sa.sa_len)) 358 break; 359 360 if (tdbp != NULL) 361 return (tdbp); 362 363 memset(&su_null, 0, sizeof(su_null)); 364 su_null.sa.sa_len = sizeof(struct sockaddr); 365 hashval = tdb_hash(rdomain, 0, &su_null, proto); 366 367 for (tdbp = tdbsrc[hashval]; tdbp != NULL; tdbp = tdbp->tdb_snext) 368 if (tdbp->tdb_sproto == proto && 369 (spi == 0 || tdbp->tdb_spi == spi) && 370 (tdbp->tdb_rdomain == rdomain) && 371 ((tdbp->tdb_flags & TDBF_INVALID) == 0) && 372 (tdbp->tdb_dst.sa.sa_family == AF_UNSPEC || 373 !memcmp(&tdbp->tdb_dst, dst, dst->sa.sa_len)) && 374 tdbp->tdb_src.sa.sa_family == AF_UNSPEC) 375 break; 376 377 return (tdbp); 378 } 379 380 /* 381 * Check that IDs match. Return true if so. The t* range of 382 * arguments contains information from TDBs; the p* range of 383 * arguments contains information from policies or already 384 * established TDBs. 385 */ 386 int 387 ipsp_aux_match(struct tdb *tdb, 388 struct ipsec_ids *ids, 389 struct sockaddr_encap *pfilter, 390 struct sockaddr_encap *pfiltermask) 391 { 392 if (ids != NULL) 393 if (tdb->tdb_ids == NULL || 394 !ipsp_ids_match(tdb->tdb_ids, ids)) 395 return 0; 396 397 /* Check for filter matches. */ 398 if (pfilter != NULL && pfiltermask != NULL && 399 tdb->tdb_filter.sen_type) { 400 /* 401 * XXX We should really be doing a subnet-check (see 402 * whether the TDB-associated filter is a subset 403 * of the policy's. For now, an exact match will solve 404 * most problems (all this will do is make every 405 * policy get its own SAs). 406 */ 407 if (memcmp(&tdb->tdb_filter, pfilter, 408 sizeof(struct sockaddr_encap)) || 409 memcmp(&tdb->tdb_filtermask, pfiltermask, 410 sizeof(struct sockaddr_encap))) 411 return 0; 412 } 413 414 return 1; 415 } 416 417 /* 418 * Get an SA given the remote address, the security protocol type, and 419 * the desired IDs. 420 */ 421 struct tdb * 422 gettdbbydst(u_int rdomain, union sockaddr_union *dst, u_int8_t sproto, 423 struct ipsec_ids *ids, 424 struct sockaddr_encap *filter, struct sockaddr_encap *filtermask) 425 { 426 u_int32_t hashval; 427 struct tdb *tdbp; 428 429 NET_ASSERT_LOCKED(); 430 431 if (tdbdst == NULL) 432 return (struct tdb *) NULL; 433 434 hashval = tdb_hash(rdomain, 0, dst, sproto); 435 436 for (tdbp = tdbdst[hashval]; tdbp != NULL; tdbp = tdbp->tdb_dnext) 437 if ((tdbp->tdb_sproto == sproto) && 438 (tdbp->tdb_rdomain == rdomain) && 439 ((tdbp->tdb_flags & TDBF_INVALID) == 0) && 440 (!memcmp(&tdbp->tdb_dst, dst, dst->sa.sa_len))) { 441 /* Do IDs match ? */ 442 if (!ipsp_aux_match(tdbp, ids, filter, filtermask)) 443 continue; 444 break; 445 } 446 447 return tdbp; 448 } 449 450 /* 451 * Get an SA given the source address, the security protocol type, and 452 * the desired IDs. 453 */ 454 struct tdb * 455 gettdbbysrc(u_int rdomain, union sockaddr_union *src, u_int8_t sproto, 456 struct ipsec_ids *ids, 457 struct sockaddr_encap *filter, struct sockaddr_encap *filtermask) 458 { 459 u_int32_t hashval; 460 struct tdb *tdbp; 461 462 NET_ASSERT_LOCKED(); 463 464 if (tdbsrc == NULL) 465 return (struct tdb *) NULL; 466 467 hashval = tdb_hash(rdomain, 0, src, sproto); 468 469 for (tdbp = tdbsrc[hashval]; tdbp != NULL; tdbp = tdbp->tdb_snext) 470 if ((tdbp->tdb_sproto == sproto) && 471 (tdbp->tdb_rdomain == rdomain) && 472 ((tdbp->tdb_flags & TDBF_INVALID) == 0) && 473 (!memcmp(&tdbp->tdb_src, src, src->sa.sa_len))) { 474 /* Check whether IDs match */ 475 if (!ipsp_aux_match(tdbp, ids, filter, 476 filtermask)) 477 continue; 478 break; 479 } 480 481 return tdbp; 482 } 483 484 #if DDB 485 486 #define NBUCKETS 16 487 void 488 tdb_hashstats(void) 489 { 490 int i, cnt, buckets[NBUCKETS]; 491 struct tdb *tdbp; 492 493 if (tdbh == NULL) { 494 db_printf("no tdb hash table\n"); 495 return; 496 } 497 498 memset(buckets, 0, sizeof(buckets)); 499 for (i = 0; i <= tdb_hashmask; i++) { 500 cnt = 0; 501 for (tdbp = tdbh[i]; cnt < NBUCKETS - 1 && tdbp != NULL; 502 tdbp = tdbp->tdb_hnext) 503 cnt++; 504 buckets[cnt]++; 505 } 506 507 db_printf("tdb cnt\t\tbucket cnt\n"); 508 for (i = 0; i < NBUCKETS; i++) 509 if (buckets[i] > 0) 510 db_printf("%d%s\t\t%d\n", i, i == NBUCKETS - 1 ? 511 "+" : "", buckets[i]); 512 } 513 #endif /* DDB */ 514 515 int 516 tdb_walk(u_int rdomain, int (*walker)(struct tdb *, void *, int), void *arg) 517 { 518 int i, rval = 0; 519 struct tdb *tdbp, *next; 520 521 NET_ASSERT_LOCKED(); 522 523 if (tdbh == NULL) 524 return ENOENT; 525 526 for (i = 0; i <= tdb_hashmask; i++) 527 for (tdbp = tdbh[i]; rval == 0 && tdbp != NULL; tdbp = next) { 528 next = tdbp->tdb_hnext; 529 530 if (rdomain != tdbp->tdb_rdomain) 531 continue; 532 533 if (i == tdb_hashmask && next == NULL) 534 rval = walker(tdbp, (void *)arg, 1); 535 else 536 rval = walker(tdbp, (void *)arg, 0); 537 } 538 539 return rval; 540 } 541 542 void 543 tdb_timeout(void *v) 544 { 545 struct tdb *tdb = v; 546 547 NET_LOCK(); 548 if (tdb->tdb_flags & TDBF_TIMER) { 549 /* If it's an "invalid" TDB do a silent expiration. */ 550 if (!(tdb->tdb_flags & TDBF_INVALID)) 551 pfkeyv2_expire(tdb, SADB_EXT_LIFETIME_HARD); 552 tdb_delete(tdb); 553 } 554 NET_UNLOCK(); 555 } 556 557 void 558 tdb_firstuse(void *v) 559 { 560 struct tdb *tdb = v; 561 562 NET_LOCK(); 563 if (tdb->tdb_flags & TDBF_SOFT_FIRSTUSE) { 564 /* If the TDB hasn't been used, don't renew it. */ 565 if (tdb->tdb_first_use != 0) 566 pfkeyv2_expire(tdb, SADB_EXT_LIFETIME_HARD); 567 tdb_delete(tdb); 568 } 569 NET_UNLOCK(); 570 } 571 572 void 573 tdb_soft_timeout(void *v) 574 { 575 struct tdb *tdb = v; 576 577 NET_LOCK(); 578 if (tdb->tdb_flags & TDBF_SOFT_TIMER) { 579 /* Soft expirations. */ 580 pfkeyv2_expire(tdb, SADB_EXT_LIFETIME_SOFT); 581 tdb->tdb_flags &= ~TDBF_SOFT_TIMER; 582 } 583 NET_UNLOCK(); 584 } 585 586 void 587 tdb_soft_firstuse(void *v) 588 { 589 struct tdb *tdb = v; 590 591 NET_LOCK(); 592 if (tdb->tdb_flags & TDBF_SOFT_FIRSTUSE) { 593 /* If the TDB hasn't been used, don't renew it. */ 594 if (tdb->tdb_first_use != 0) 595 pfkeyv2_expire(tdb, SADB_EXT_LIFETIME_SOFT); 596 tdb->tdb_flags &= ~TDBF_SOFT_FIRSTUSE; 597 } 598 NET_UNLOCK(); 599 } 600 601 void 602 tdb_rehash(void) 603 { 604 struct tdb **new_tdbh, **new_tdbdst, **new_srcaddr, *tdbp, *tdbnp; 605 u_int i, old_hashmask = tdb_hashmask; 606 u_int32_t hashval; 607 608 NET_ASSERT_LOCKED(); 609 610 tdb_hashmask = (tdb_hashmask << 1) | 1; 611 612 arc4random_buf(&tdbkey, sizeof(tdbkey)); 613 new_tdbh = mallocarray(tdb_hashmask + 1, sizeof(struct tdb *), M_TDB, 614 M_WAITOK | M_ZERO); 615 new_tdbdst = mallocarray(tdb_hashmask + 1, sizeof(struct tdb *), M_TDB, 616 M_WAITOK | M_ZERO); 617 new_srcaddr = mallocarray(tdb_hashmask + 1, sizeof(struct tdb *), M_TDB, 618 M_WAITOK | M_ZERO); 619 620 for (i = 0; i <= old_hashmask; i++) { 621 for (tdbp = tdbh[i]; tdbp != NULL; tdbp = tdbnp) { 622 tdbnp = tdbp->tdb_hnext; 623 hashval = tdb_hash(tdbp->tdb_rdomain, 624 tdbp->tdb_spi, &tdbp->tdb_dst, 625 tdbp->tdb_sproto); 626 tdbp->tdb_hnext = new_tdbh[hashval]; 627 new_tdbh[hashval] = tdbp; 628 } 629 630 for (tdbp = tdbdst[i]; tdbp != NULL; tdbp = tdbnp) { 631 tdbnp = tdbp->tdb_dnext; 632 hashval = tdb_hash(tdbp->tdb_rdomain, 633 0, &tdbp->tdb_dst, 634 tdbp->tdb_sproto); 635 tdbp->tdb_dnext = new_tdbdst[hashval]; 636 new_tdbdst[hashval] = tdbp; 637 } 638 639 for (tdbp = tdbsrc[i]; tdbp != NULL; tdbp = tdbnp) { 640 tdbnp = tdbp->tdb_snext; 641 hashval = tdb_hash(tdbp->tdb_rdomain, 642 0, &tdbp->tdb_src, 643 tdbp->tdb_sproto); 644 tdbp->tdb_snext = new_srcaddr[hashval]; 645 new_srcaddr[hashval] = tdbp; 646 } 647 } 648 649 free(tdbh, M_TDB, 0); 650 tdbh = new_tdbh; 651 652 free(tdbdst, M_TDB, 0); 653 tdbdst = new_tdbdst; 654 655 free(tdbsrc, M_TDB, 0); 656 tdbsrc = new_srcaddr; 657 } 658 659 /* 660 * Add TDB in the hash table. 661 */ 662 void 663 puttdb(struct tdb *tdbp) 664 { 665 u_int32_t hashval; 666 667 NET_ASSERT_LOCKED(); 668 669 if (tdbh == NULL) { 670 arc4random_buf(&tdbkey, sizeof(tdbkey)); 671 tdbh = mallocarray(tdb_hashmask + 1, sizeof(struct tdb *), 672 M_TDB, M_WAITOK | M_ZERO); 673 tdbdst = mallocarray(tdb_hashmask + 1, sizeof(struct tdb *), 674 M_TDB, M_WAITOK | M_ZERO); 675 tdbsrc = mallocarray(tdb_hashmask + 1, sizeof(struct tdb *), 676 M_TDB, M_WAITOK | M_ZERO); 677 } 678 679 hashval = tdb_hash(tdbp->tdb_rdomain, tdbp->tdb_spi, 680 &tdbp->tdb_dst, tdbp->tdb_sproto); 681 682 /* 683 * Rehash if this tdb would cause a bucket to have more than 684 * two items and if the number of tdbs exceed 10% of the 685 * bucket count. This number is arbitratily chosen and is 686 * just a measure to not keep rehashing when adding and 687 * removing tdbs which happens to always end up in the same 688 * bucket, which is not uncommon when doing manual keying. 689 */ 690 if (tdbh[hashval] != NULL && tdbh[hashval]->tdb_hnext != NULL && 691 tdb_count * 10 > tdb_hashmask + 1) { 692 tdb_rehash(); 693 hashval = tdb_hash(tdbp->tdb_rdomain, tdbp->tdb_spi, 694 &tdbp->tdb_dst, tdbp->tdb_sproto); 695 } 696 697 tdbp->tdb_hnext = tdbh[hashval]; 698 tdbh[hashval] = tdbp; 699 700 hashval = tdb_hash(tdbp->tdb_rdomain, 0, &tdbp->tdb_dst, 701 tdbp->tdb_sproto); 702 tdbp->tdb_dnext = tdbdst[hashval]; 703 tdbdst[hashval] = tdbp; 704 705 hashval = tdb_hash(tdbp->tdb_rdomain, 0, &tdbp->tdb_src, 706 tdbp->tdb_sproto); 707 tdbp->tdb_snext = tdbsrc[hashval]; 708 tdbsrc[hashval] = tdbp; 709 710 tdb_count++; 711 #ifdef IPSEC 712 if ((tdbp->tdb_flags & (TDBF_INVALID|TDBF_TUNNELING)) == TDBF_TUNNELING) 713 ipsecstat_inc(ipsec_tunnels); 714 #endif /* IPSEC */ 715 716 ipsec_last_added = time_uptime; 717 } 718 719 void 720 tdb_unlink(struct tdb *tdbp) 721 { 722 struct tdb *tdbpp; 723 u_int32_t hashval; 724 725 NET_ASSERT_LOCKED(); 726 727 if (tdbh == NULL) 728 return; 729 730 hashval = tdb_hash(tdbp->tdb_rdomain, tdbp->tdb_spi, 731 &tdbp->tdb_dst, tdbp->tdb_sproto); 732 733 if (tdbh[hashval] == tdbp) { 734 tdbh[hashval] = tdbp->tdb_hnext; 735 } else { 736 for (tdbpp = tdbh[hashval]; tdbpp != NULL; 737 tdbpp = tdbpp->tdb_hnext) { 738 if (tdbpp->tdb_hnext == tdbp) { 739 tdbpp->tdb_hnext = tdbp->tdb_hnext; 740 break; 741 } 742 } 743 } 744 745 tdbp->tdb_hnext = NULL; 746 747 hashval = tdb_hash(tdbp->tdb_rdomain, 0, &tdbp->tdb_dst, 748 tdbp->tdb_sproto); 749 750 if (tdbdst[hashval] == tdbp) { 751 tdbdst[hashval] = tdbp->tdb_dnext; 752 } else { 753 for (tdbpp = tdbdst[hashval]; tdbpp != NULL; 754 tdbpp = tdbpp->tdb_dnext) { 755 if (tdbpp->tdb_dnext == tdbp) { 756 tdbpp->tdb_dnext = tdbp->tdb_dnext; 757 break; 758 } 759 } 760 } 761 762 tdbp->tdb_dnext = NULL; 763 764 hashval = tdb_hash(tdbp->tdb_rdomain, 0, &tdbp->tdb_src, 765 tdbp->tdb_sproto); 766 767 if (tdbsrc[hashval] == tdbp) { 768 tdbsrc[hashval] = tdbp->tdb_snext; 769 } 770 else { 771 for (tdbpp = tdbsrc[hashval]; tdbpp != NULL; 772 tdbpp = tdbpp->tdb_snext) { 773 if (tdbpp->tdb_snext == tdbp) { 774 tdbpp->tdb_snext = tdbp->tdb_snext; 775 break; 776 } 777 } 778 } 779 780 tdbp->tdb_snext = NULL; 781 tdb_count--; 782 #ifdef IPSEC 783 if ((tdbp->tdb_flags & (TDBF_INVALID|TDBF_TUNNELING)) == 784 TDBF_TUNNELING) { 785 ipsecstat_dec(ipsec_tunnels); 786 ipsecstat_inc(ipsec_prevtunnels); 787 } 788 #endif /* IPSEC */ 789 } 790 791 void 792 tdb_delete(struct tdb *tdbp) 793 { 794 NET_ASSERT_LOCKED(); 795 796 tdb_unlink(tdbp); 797 tdb_free(tdbp); 798 } 799 800 /* 801 * Allocate a TDB and initialize a few basic fields. 802 */ 803 struct tdb * 804 tdb_alloc(u_int rdomain) 805 { 806 struct tdb *tdbp; 807 808 NET_ASSERT_LOCKED(); 809 810 tdbp = malloc(sizeof(*tdbp), M_TDB, M_WAITOK | M_ZERO); 811 812 TAILQ_INIT(&tdbp->tdb_policy_head); 813 814 /* Record establishment time. */ 815 tdbp->tdb_established = time_second; 816 817 /* Save routing domain */ 818 tdbp->tdb_rdomain = rdomain; 819 820 /* Initialize timeouts. */ 821 timeout_set_proc(&tdbp->tdb_timer_tmo, tdb_timeout, tdbp); 822 timeout_set_proc(&tdbp->tdb_first_tmo, tdb_firstuse, tdbp); 823 timeout_set_proc(&tdbp->tdb_stimer_tmo, tdb_soft_timeout, tdbp); 824 timeout_set_proc(&tdbp->tdb_sfirst_tmo, tdb_soft_firstuse, tdbp); 825 826 return tdbp; 827 } 828 829 void 830 tdb_free(struct tdb *tdbp) 831 { 832 struct ipsec_policy *ipo; 833 834 NET_ASSERT_LOCKED(); 835 836 if (tdbp->tdb_xform) { 837 (*(tdbp->tdb_xform->xf_zeroize))(tdbp); 838 tdbp->tdb_xform = NULL; 839 } 840 841 #if NPFSYNC > 0 842 /* Cleanup pfsync references */ 843 pfsync_delete_tdb(tdbp); 844 #endif 845 846 /* Cleanup SPD references. */ 847 for (ipo = TAILQ_FIRST(&tdbp->tdb_policy_head); ipo; 848 ipo = TAILQ_FIRST(&tdbp->tdb_policy_head)) { 849 TAILQ_REMOVE(&tdbp->tdb_policy_head, ipo, ipo_tdb_next); 850 ipo->ipo_tdb = NULL; 851 ipo->ipo_last_searched = 0; /* Force a re-search. */ 852 } 853 854 if (tdbp->tdb_ids) { 855 ipsp_ids_free(tdbp->tdb_ids); 856 tdbp->tdb_ids = NULL; 857 } 858 859 #if NPF > 0 860 if (tdbp->tdb_tag) { 861 pf_tag_unref(tdbp->tdb_tag); 862 tdbp->tdb_tag = 0; 863 } 864 #endif 865 866 if ((tdbp->tdb_onext) && (tdbp->tdb_onext->tdb_inext == tdbp)) 867 tdbp->tdb_onext->tdb_inext = NULL; 868 869 if ((tdbp->tdb_inext) && (tdbp->tdb_inext->tdb_onext == tdbp)) 870 tdbp->tdb_inext->tdb_onext = NULL; 871 872 /* Remove expiration timeouts. */ 873 tdbp->tdb_flags &= ~(TDBF_FIRSTUSE | TDBF_SOFT_FIRSTUSE | TDBF_TIMER | 874 TDBF_SOFT_TIMER); 875 timeout_del(&tdbp->tdb_timer_tmo); 876 timeout_del(&tdbp->tdb_first_tmo); 877 timeout_del(&tdbp->tdb_stimer_tmo); 878 timeout_del(&tdbp->tdb_sfirst_tmo); 879 880 timeout_set_proc(&tdbp->tdb_timer_tmo, tdb_reaper, tdbp); 881 timeout_add(&tdbp->tdb_timer_tmo, 0); 882 } 883 884 void 885 tdb_reaper(void *xtdbp) 886 { 887 struct tdb *tdbp = xtdbp; 888 889 free(tdbp, M_TDB, 0); 890 } 891 892 /* 893 * Do further initializations of a TDB. 894 */ 895 int 896 tdb_init(struct tdb *tdbp, u_int16_t alg, struct ipsecinit *ii) 897 { 898 struct xformsw *xsp; 899 int err; 900 #ifdef ENCDEBUG 901 char buf[INET6_ADDRSTRLEN]; 902 #endif 903 904 for (xsp = xformsw; xsp < xformswNXFORMSW; xsp++) { 905 if (xsp->xf_type == alg) { 906 err = (*(xsp->xf_init))(tdbp, xsp, ii); 907 return err; 908 } 909 } 910 911 DPRINTF(("%s: no alg %d for spi %08x, addr %s, proto %d\n", __func__, 912 alg, ntohl(tdbp->tdb_spi), ipsp_address(&tdbp->tdb_dst, buf, 913 sizeof(buf)), tdbp->tdb_sproto)); 914 915 return EINVAL; 916 } 917 918 #ifdef ENCDEBUG 919 /* Return a printable string for the address. */ 920 const char * 921 ipsp_address(union sockaddr_union *sa, char *buf, socklen_t size) 922 { 923 switch (sa->sa.sa_family) { 924 case AF_INET: 925 return inet_ntop(AF_INET, &sa->sin.sin_addr, 926 buf, (size_t)size); 927 928 #ifdef INET6 929 case AF_INET6: 930 return inet_ntop(AF_INET6, &sa->sin6.sin6_addr, 931 buf, (size_t)size); 932 #endif /* INET6 */ 933 934 default: 935 return "(unknown address family)"; 936 } 937 } 938 #endif /* ENCDEBUG */ 939 940 /* Check whether an IP{4,6} address is unspecified. */ 941 int 942 ipsp_is_unspecified(union sockaddr_union addr) 943 { 944 switch (addr.sa.sa_family) { 945 case AF_INET: 946 if (addr.sin.sin_addr.s_addr == INADDR_ANY) 947 return 1; 948 else 949 return 0; 950 951 #ifdef INET6 952 case AF_INET6: 953 if (IN6_IS_ADDR_UNSPECIFIED(&addr.sin6.sin6_addr)) 954 return 1; 955 else 956 return 0; 957 #endif /* INET6 */ 958 959 case 0: /* No family set. */ 960 default: 961 return 1; 962 } 963 } 964 965 int 966 ipsp_ids_match(struct ipsec_ids *a, struct ipsec_ids *b) 967 { 968 return a == b; 969 } 970 971 struct ipsec_ids * 972 ipsp_ids_insert(struct ipsec_ids *ids) 973 { 974 struct ipsec_ids *found; 975 u_int32_t start_flow; 976 977 NET_ASSERT_LOCKED(); 978 979 found = RBT_INSERT(ipsec_ids_tree, &ipsec_ids_tree, ids); 980 if (found) { 981 /* if refcount was zero, then timeout is running */ 982 if (found->id_refcount++ == 0) 983 timeout_del(&found->id_timeout); 984 DPRINTF(("%s: ids %p count %d\n", __func__, 985 found, found->id_refcount)); 986 return found; 987 } 988 ids->id_flow = start_flow = ipsec_ids_next_flow; 989 if (++ipsec_ids_next_flow == 0) 990 ipsec_ids_next_flow = 1; 991 while (RBT_INSERT(ipsec_ids_flows, &ipsec_ids_flows, ids) != NULL) { 992 ids->id_flow = ipsec_ids_next_flow; 993 if (++ipsec_ids_next_flow == 0) 994 ipsec_ids_next_flow = 1; 995 if (ipsec_ids_next_flow == start_flow) { 996 DPRINTF(("ipsec_ids_next_flow exhausted %u\n", 997 ipsec_ids_next_flow)); 998 return NULL; 999 } 1000 } 1001 ids->id_refcount = 1; 1002 DPRINTF(("%s: new ids %p flow %u\n", __func__, ids, ids->id_flow)); 1003 timeout_set_proc(&ids->id_timeout, ipsp_ids_timeout, ids); 1004 return ids; 1005 } 1006 1007 struct ipsec_ids * 1008 ipsp_ids_lookup(u_int32_t ipsecflowinfo) 1009 { 1010 struct ipsec_ids key; 1011 1012 NET_ASSERT_LOCKED(); 1013 1014 key.id_flow = ipsecflowinfo; 1015 return RBT_FIND(ipsec_ids_flows, &ipsec_ids_flows, &key); 1016 } 1017 1018 /* free ids only from delayed timeout */ 1019 void 1020 ipsp_ids_timeout(void *arg) 1021 { 1022 struct ipsec_ids *ids = arg; 1023 1024 DPRINTF(("%s: ids %p count %d\n", __func__, ids, ids->id_refcount)); 1025 KASSERT(ids->id_refcount == 0); 1026 1027 NET_LOCK(); 1028 RBT_REMOVE(ipsec_ids_tree, &ipsec_ids_tree, ids); 1029 RBT_REMOVE(ipsec_ids_flows, &ipsec_ids_flows, ids); 1030 free(ids->id_local, M_CREDENTIALS, 0); 1031 free(ids->id_remote, M_CREDENTIALS, 0); 1032 free(ids, M_CREDENTIALS, 0); 1033 NET_UNLOCK(); 1034 } 1035 1036 /* decrements refcount, actual free happens in timeout */ 1037 void 1038 ipsp_ids_free(struct ipsec_ids *ids) 1039 { 1040 /* 1041 * If the refcount becomes zero, then a timeout is started. This 1042 * timeout must be cancelled if refcount is increased from zero. 1043 */ 1044 DPRINTF(("%s: ids %p count %d\n", __func__, ids, ids->id_refcount)); 1045 KASSERT(ids->id_refcount > 0); 1046 if (--ids->id_refcount == 0) 1047 timeout_add_sec(&ids->id_timeout, ipsec_ids_idle); 1048 } 1049 1050 static int 1051 ipsp_id_cmp(struct ipsec_id *a, struct ipsec_id *b) 1052 { 1053 if (a->type > b->type) 1054 return 1; 1055 if (a->type < b->type) 1056 return -1; 1057 if (a->len > b->len) 1058 return 1; 1059 if (a->len < b->len) 1060 return -1; 1061 return memcmp(a + 1, b + 1, a->len); 1062 } 1063 1064 static inline int 1065 ipsp_ids_cmp(const struct ipsec_ids *a, const struct ipsec_ids *b) 1066 { 1067 int ret; 1068 1069 ret = ipsp_id_cmp(a->id_remote, b->id_remote); 1070 if (ret != 0) 1071 return ret; 1072 return ipsp_id_cmp(a->id_local, b->id_local); 1073 } 1074 1075 static inline int 1076 ipsp_ids_flow_cmp(const struct ipsec_ids *a, const struct ipsec_ids *b) 1077 { 1078 if (a->id_flow > b->id_flow) 1079 return 1; 1080 if (a->id_flow < b->id_flow) 1081 return -1; 1082 return 0; 1083 } 1084