1 /* $OpenBSD: ip_ipsp.c,v 1.175 2009/02/16 00:31:25 dlg Exp $ */ 2 /* 3 * The authors of this code are John Ioannidis (ji@tla.org), 4 * Angelos D. Keromytis (kermit@csd.uch.gr), 5 * Niels Provos (provos@physnet.uni-hamburg.de) and 6 * Niklas Hallqvist (niklas@appli.se). 7 * 8 * The original version of this code was written by John Ioannidis 9 * for BSD/OS in Athens, Greece, in November 1995. 10 * 11 * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996, 12 * by Angelos D. Keromytis. 13 * 14 * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis 15 * and Niels Provos. 16 * 17 * Additional features in 1999 by Angelos D. Keromytis and Niklas Hallqvist. 18 * 19 * Copyright (c) 1995, 1996, 1997, 1998, 1999 by John Ioannidis, 20 * Angelos D. Keromytis and Niels Provos. 21 * Copyright (c) 1999 Niklas Hallqvist. 22 * Copyright (c) 2001, Angelos D. Keromytis. 23 * 24 * Permission to use, copy, and modify this software with or without fee 25 * is hereby granted, provided that this entire notice is included in 26 * all copies of any software which is or includes a copy or 27 * modification of this software. 28 * You may use this code under the GNU public license if you so wish. Please 29 * contribute changes back to the authors under this freer than GPL license 30 * so that we may further the use of strong encryption without limitations to 31 * all. 32 * 33 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR 34 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY 35 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE 36 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR 37 * PURPOSE. 38 */ 39 40 #include "pf.h" 41 #include "pfsync.h" 42 43 #include <sys/param.h> 44 #include <sys/mbuf.h> 45 #include <sys/socket.h> 46 #include <sys/kernel.h> 47 #include <sys/sysctl.h> 48 49 #include <net/if.h> 50 #include <net/route.h> 51 52 #if NPF > 0 53 #include <net/pfvar.h> 54 #endif 55 56 #if NPFSYNC > 0 57 #include <net/if_pfsync.h> 58 #endif 59 60 #ifdef INET 61 #include <netinet/in.h> 62 #include <netinet/in_systm.h> 63 #include <netinet/ip.h> 64 #include <netinet/in_pcb.h> 65 #endif /* INET */ 66 67 #ifdef INET6 68 #ifndef INET 69 #include <netinet/in.h> 70 #endif 71 #include <netinet6/in6_var.h> 72 #endif /* INET6 */ 73 74 #include <netinet/ip_ipsp.h> 75 #include <net/pfkeyv2.h> 76 #include <crypto/xform.h> 77 #include <dev/rndvar.h> 78 79 #ifdef DDB 80 #include <ddb/db_output.h> 81 void tdb_hashstats(void); 82 #endif 83 84 #ifdef ENCDEBUG 85 #define DPRINTF(x) if (encdebug) printf x 86 #else 87 #define DPRINTF(x) 88 #endif 89 90 int ipsp_kern(int, char **, int); 91 u_int8_t get_sa_require(struct inpcb *); 92 void tdb_rehash(void); 93 void tdb_timeout(void *v); 94 void tdb_firstuse(void *v); 95 void tdb_soft_timeout(void *v); 96 void tdb_soft_firstuse(void *v); 97 98 extern int ipsec_auth_default_level; 99 extern int ipsec_esp_trans_default_level; 100 extern int ipsec_esp_network_default_level; 101 extern int ipsec_ipcomp_default_level; 102 103 extern int encdebug; 104 int ipsec_in_use = 0; 105 u_int64_t ipsec_last_added = 0; 106 107 struct ipsec_policy_head ipsec_policy_head = 108 TAILQ_HEAD_INITIALIZER(ipsec_policy_head); 109 struct ipsec_acquire_head ipsec_acquire_head = 110 TAILQ_HEAD_INITIALIZER(ipsec_acquire_head); 111 112 /* 113 * This is the proper place to define the various encapsulation transforms. 114 */ 115 116 struct xformsw xformsw[] = { 117 #ifdef IPSEC 118 { XF_IP4, 0, "IPv4 Simple Encapsulation", 119 ipe4_attach, ipe4_init, ipe4_zeroize, 120 (int (*)(struct mbuf *, struct tdb *, int, int))ipe4_input, 121 ipip_output, }, 122 { XF_AH, XFT_AUTH, "IPsec AH", 123 ah_attach, ah_init, ah_zeroize, 124 ah_input, ah_output, }, 125 { XF_ESP, XFT_CONF|XFT_AUTH, "IPsec ESP", 126 esp_attach, esp_init, esp_zeroize, 127 esp_input, esp_output, }, 128 { XF_IPCOMP, XFT_COMP, "IPcomp", 129 ipcomp_attach, ipcomp_init, ipcomp_zeroize, 130 ipcomp_input, ipcomp_output, }, 131 #endif /* IPSEC */ 132 #ifdef TCP_SIGNATURE 133 { XF_TCPSIGNATURE, XFT_AUTH, "TCP MD5 Signature Option, RFC 2385", 134 tcp_signature_tdb_attach, tcp_signature_tdb_init, 135 tcp_signature_tdb_zeroize, tcp_signature_tdb_input, 136 tcp_signature_tdb_output, } 137 #endif /* TCP_SIGNATURE */ 138 }; 139 140 struct xformsw *xformswNXFORMSW = &xformsw[sizeof(xformsw)/sizeof(xformsw[0])]; 141 142 unsigned char ipseczeroes[IPSEC_ZEROES_SIZE]; /* zeroes! */ 143 144 #define TDB_HASHSIZE_INIT 32 145 146 static struct tdb **tdbh = NULL; 147 static struct tdb **tdbaddr = NULL; 148 static struct tdb **tdbsrc = NULL; 149 static u_int tdb_hashmask = TDB_HASHSIZE_INIT - 1; 150 static int tdb_count; 151 152 /* 153 * Our hashing function needs to stir things with a non-zero random multiplier 154 * so we cannot be DoS-attacked via choosing of the data to hash. 155 */ 156 int 157 tdb_hash(u_int32_t spi, union sockaddr_union *dst, u_int8_t proto) 158 { 159 static u_int32_t mult1 = 0, mult2 = 0; 160 u_int8_t *ptr = (u_int8_t *) dst; 161 int i, shift; 162 u_int64_t hash; 163 int val32 = 0; 164 165 while (mult1 == 0) 166 mult1 = arc4random(); 167 while (mult2 == 0) 168 mult2 = arc4random(); 169 170 hash = (spi ^ proto) * mult1; 171 for (i = 0; i < SA_LEN(&dst->sa); i++) { 172 val32 = (val32 << 8) | ptr[i]; 173 if (i % 4 == 3) { 174 hash ^= val32 * mult2; 175 val32 = 0; 176 } 177 } 178 179 if (i % 4 != 0) 180 hash ^= val32 * mult2; 181 182 shift = ffs(tdb_hashmask + 1); 183 while ((hash & ~tdb_hashmask) != 0) 184 hash = (hash >> shift) ^ (hash & tdb_hashmask); 185 186 return hash; 187 } 188 189 /* 190 * Reserve an SPI; the SA is not valid yet though. We use 0 as 191 * an error return value. 192 */ 193 u_int32_t 194 reserve_spi(u_int32_t sspi, u_int32_t tspi, union sockaddr_union *src, 195 union sockaddr_union *dst, u_int8_t sproto, int *errval) 196 { 197 struct tdb *tdbp; 198 u_int32_t spi; 199 int nums, s; 200 201 /* Don't accept ranges only encompassing reserved SPIs. */ 202 if (sproto != IPPROTO_IPCOMP && 203 (tspi < sspi || tspi <= SPI_RESERVED_MAX)) { 204 (*errval) = EINVAL; 205 return 0; 206 } 207 if (sproto == IPPROTO_IPCOMP && (tspi < sspi || 208 tspi <= CPI_RESERVED_MAX || 209 tspi >= CPI_PRIVATE_MIN)) { 210 (*errval) = EINVAL; 211 return 0; 212 } 213 214 /* Limit the range to not include reserved areas. */ 215 if (sspi <= SPI_RESERVED_MAX) 216 sspi = SPI_RESERVED_MAX + 1; 217 218 /* For IPCOMP the CPI is only 16 bits long, what a good idea.... */ 219 220 if (sproto == IPPROTO_IPCOMP) { 221 u_int32_t t; 222 if (sspi >= 0x10000) 223 sspi = 0xffff; 224 if (tspi >= 0x10000) 225 tspi = 0xffff; 226 if (sspi > tspi) { 227 t = sspi; sspi = tspi; tspi = t; 228 } 229 } 230 231 if (sspi == tspi) /* Asking for a specific SPI. */ 232 nums = 1; 233 else 234 nums = 100; /* Arbitrarily chosen */ 235 236 while (nums--) { 237 if (sspi == tspi) /* Specific SPI asked. */ 238 spi = tspi; 239 else /* Range specified */ 240 spi = sspi + arc4random_uniform(tspi - sspi); 241 242 /* Don't allocate reserved SPIs. */ 243 if (spi >= SPI_RESERVED_MIN && spi <= SPI_RESERVED_MAX) 244 continue; 245 else 246 spi = htonl(spi); 247 248 /* Check whether we're using this SPI already. */ 249 s = spltdb(); 250 tdbp = gettdb(spi, dst, sproto); 251 splx(s); 252 253 if (tdbp != (struct tdb *) NULL) 254 continue; 255 256 tdbp = tdb_alloc(); 257 258 tdbp->tdb_spi = spi; 259 bcopy(&dst->sa, &tdbp->tdb_dst.sa, SA_LEN(&dst->sa)); 260 bcopy(&src->sa, &tdbp->tdb_src.sa, SA_LEN(&src->sa)); 261 tdbp->tdb_sproto = sproto; 262 tdbp->tdb_flags |= TDBF_INVALID; /* Mark SA invalid for now. */ 263 tdbp->tdb_satype = SADB_SATYPE_UNSPEC; 264 puttdb(tdbp); 265 266 /* Setup a "silent" expiration (since TDBF_INVALID's set). */ 267 if (ipsec_keep_invalid > 0) { 268 tdbp->tdb_flags |= TDBF_TIMER; 269 tdbp->tdb_exp_timeout = ipsec_keep_invalid; 270 timeout_add_sec(&tdbp->tdb_timer_tmo, 271 ipsec_keep_invalid); 272 } 273 274 return spi; 275 } 276 277 (*errval) = EEXIST; 278 return 0; 279 } 280 281 /* 282 * An IPSP SAID is really the concatenation of the SPI found in the 283 * packet, the destination address of the packet and the IPsec protocol. 284 * When we receive an IPSP packet, we need to look up its tunnel descriptor 285 * block, based on the SPI in the packet and the destination address (which 286 * is really one of our addresses if we received the packet! 287 * 288 * Caller is responsible for setting at least spltdb(). 289 */ 290 struct tdb * 291 gettdb(u_int32_t spi, union sockaddr_union *dst, u_int8_t proto) 292 { 293 u_int32_t hashval; 294 struct tdb *tdbp; 295 296 if (tdbh == NULL) 297 return (struct tdb *) NULL; 298 299 hashval = tdb_hash(spi, dst, proto); 300 301 for (tdbp = tdbh[hashval]; tdbp != NULL; tdbp = tdbp->tdb_hnext) 302 if ((tdbp->tdb_spi == spi) && (tdbp->tdb_sproto == proto) && 303 !bcmp(&tdbp->tdb_dst, dst, SA_LEN(&dst->sa))) 304 break; 305 306 return tdbp; 307 } 308 309 /* 310 * Same as gettdb() but compare SRC as well, so we 311 * use the tdbsrc[] hash table. Setting spi to 0 312 * matches all SPIs. 313 */ 314 struct tdb * 315 gettdbbysrcdst(u_int32_t spi, union sockaddr_union *src, 316 union sockaddr_union *dst, u_int8_t proto) 317 { 318 u_int32_t hashval; 319 struct tdb *tdbp; 320 union sockaddr_union su_null; 321 322 if (tdbsrc == NULL) 323 return (struct tdb *) NULL; 324 325 hashval = tdb_hash(0, src, proto); 326 327 for (tdbp = tdbsrc[hashval]; tdbp != NULL; tdbp = tdbp->tdb_snext) 328 if (tdbp->tdb_sproto == proto && 329 (spi == 0 || tdbp->tdb_spi == spi) && 330 ((tdbp->tdb_flags & TDBF_INVALID) == 0) && 331 (tdbp->tdb_dst.sa.sa_family == AF_UNSPEC || 332 !bcmp(&tdbp->tdb_dst, dst, SA_LEN(&dst->sa))) && 333 !bcmp(&tdbp->tdb_src, src, SA_LEN(&src->sa))) 334 break; 335 336 if (tdbp != NULL) 337 return (tdbp); 338 339 bzero(&su_null, sizeof(su_null)); 340 su_null.sa.sa_len = sizeof(struct sockaddr); 341 hashval = tdb_hash(0, &su_null, proto); 342 343 for (tdbp = tdbsrc[hashval]; tdbp != NULL; tdbp = tdbp->tdb_snext) 344 if (tdbp->tdb_sproto == proto && 345 (spi == 0 || tdbp->tdb_spi == spi) && 346 ((tdbp->tdb_flags & TDBF_INVALID) == 0) && 347 (tdbp->tdb_dst.sa.sa_family == AF_UNSPEC || 348 !bcmp(&tdbp->tdb_dst, dst, SA_LEN(&dst->sa))) && 349 tdbp->tdb_src.sa.sa_family == AF_UNSPEC) 350 break; 351 352 return (tdbp); 353 } 354 355 /* 356 * Check that credentials and IDs match. Return true if so. The t* 357 * range of arguments contains information from TDBs; the p* 358 * range of arguments contains information from policies or 359 * already established TDBs. 360 */ 361 int 362 ipsp_aux_match(struct tdb *tdb, 363 struct ipsec_ref *psrcid, 364 struct ipsec_ref *pdstid, 365 struct ipsec_ref *plcred, 366 struct ipsec_ref *prcred, 367 struct sockaddr_encap *pfilter, 368 struct sockaddr_encap *pfiltermask) 369 { 370 if (psrcid != NULL) 371 if (tdb->tdb_srcid == NULL || 372 !ipsp_ref_match(tdb->tdb_srcid, psrcid)) 373 return 0; 374 375 if (pdstid != NULL) 376 if (tdb->tdb_dstid == NULL || 377 !ipsp_ref_match(tdb->tdb_dstid, pdstid)) 378 return 0; 379 380 if (plcred != NULL) 381 if (tdb->tdb_local_cred == NULL || 382 !ipsp_ref_match(tdb->tdb_local_cred, plcred)) 383 return 0; 384 385 if (prcred != NULL) 386 if (tdb->tdb_remote_cred == NULL || 387 !ipsp_ref_match(tdb->tdb_remote_cred, prcred)) 388 return 0; 389 390 /* Check for filter matches. */ 391 if (tdb->tdb_filter.sen_type) { 392 /* 393 * XXX We should really be doing a subnet-check (see 394 * whether the TDB-associated filter is a subset 395 * of the policy's. For now, an exact match will solve 396 * most problems (all this will do is make every 397 * policy get its own SAs). 398 */ 399 if (bcmp(&tdb->tdb_filter, pfilter, 400 sizeof(struct sockaddr_encap)) || 401 bcmp(&tdb->tdb_filtermask, pfiltermask, 402 sizeof(struct sockaddr_encap))) 403 return 0; 404 } 405 406 return 1; 407 } 408 409 /* 410 * Get an SA given the remote address, the security protocol type, and 411 * the desired IDs. 412 */ 413 struct tdb * 414 gettdbbyaddr(union sockaddr_union *dst, u_int8_t sproto, 415 struct ipsec_ref *srcid, struct ipsec_ref *dstid, 416 struct ipsec_ref *local_cred, struct mbuf *m, int af, 417 struct sockaddr_encap *filter, struct sockaddr_encap *filtermask) 418 { 419 u_int32_t hashval; 420 struct tdb *tdbp; 421 422 if (tdbaddr == NULL) 423 return (struct tdb *) NULL; 424 425 hashval = tdb_hash(0, dst, sproto); 426 427 for (tdbp = tdbaddr[hashval]; tdbp != NULL; tdbp = tdbp->tdb_anext) 428 if ((tdbp->tdb_sproto == sproto) && 429 ((tdbp->tdb_flags & TDBF_INVALID) == 0) && 430 (!bcmp(&tdbp->tdb_dst, dst, SA_LEN(&dst->sa)))) { 431 /* Do IDs and local credentials match ? */ 432 if (!ipsp_aux_match(tdbp, srcid, dstid, 433 local_cred, NULL, filter, filtermask)) 434 continue; 435 break; 436 } 437 438 return tdbp; 439 } 440 441 /* 442 * Get an SA given the source address, the security protocol type, and 443 * the desired IDs. 444 */ 445 struct tdb * 446 gettdbbysrc(union sockaddr_union *src, u_int8_t sproto, 447 struct ipsec_ref *srcid, struct ipsec_ref *dstid, 448 struct mbuf *m, int af, struct sockaddr_encap *filter, 449 struct sockaddr_encap *filtermask) 450 { 451 u_int32_t hashval; 452 struct tdb *tdbp; 453 454 if (tdbsrc == NULL) 455 return (struct tdb *) NULL; 456 457 hashval = tdb_hash(0, src, sproto); 458 459 for (tdbp = tdbsrc[hashval]; tdbp != NULL; tdbp = tdbp->tdb_snext) 460 if ((tdbp->tdb_sproto == sproto) && 461 ((tdbp->tdb_flags & TDBF_INVALID) == 0) && 462 (!bcmp(&tdbp->tdb_src, src, SA_LEN(&src->sa)))) { 463 /* Check whether IDs match */ 464 if (!ipsp_aux_match(tdbp, dstid, srcid, NULL, NULL, 465 filter, filtermask)) 466 continue; 467 break; 468 } 469 470 return tdbp; 471 } 472 473 #if DDB 474 void 475 tdb_hashstats(void) 476 { 477 int i, cnt, buckets[16]; 478 struct tdb *tdbp; 479 480 if (tdbh == NULL) { 481 db_printf("no tdb hash table\n"); 482 return; 483 } 484 485 bzero (buckets, sizeof(buckets)); 486 for (i = 0; i <= tdb_hashmask; i++) { 487 cnt = 0; 488 for (tdbp = tdbh[i]; cnt < 16 && tdbp != NULL; 489 tdbp = tdbp->tdb_hnext) 490 cnt++; 491 buckets[cnt]++; 492 } 493 494 db_printf("tdb cnt\t\tbucket cnt\n"); 495 for (i = 0; i < 16; i++) 496 if (buckets[i] > 0) 497 db_printf("%d%c\t\t%d\n", i, i == 15 ? "+" : "", 498 buckets[i]); 499 } 500 #endif /* DDB */ 501 502 /* 503 * Caller is responsible for setting at least spltdb(). 504 */ 505 int 506 tdb_walk(int (*walker)(struct tdb *, void *, int), void *arg) 507 { 508 int i, rval = 0; 509 struct tdb *tdbp, *next; 510 511 if (tdbh == NULL) 512 return ENOENT; 513 514 for (i = 0; i <= tdb_hashmask; i++) 515 for (tdbp = tdbh[i]; rval == 0 && tdbp != NULL; tdbp = next) { 516 next = tdbp->tdb_hnext; 517 if (i == tdb_hashmask && next == NULL) 518 rval = walker(tdbp, (void *)arg, 1); 519 else 520 rval = walker(tdbp, (void *)arg, 0); 521 } 522 523 return rval; 524 } 525 526 /* 527 * Called at splsoftclock(). 528 */ 529 void 530 tdb_timeout(void *v) 531 { 532 struct tdb *tdb = v; 533 534 if (!(tdb->tdb_flags & TDBF_TIMER)) 535 return; 536 537 /* If it's an "invalid" TDB do a silent expiration. */ 538 if (!(tdb->tdb_flags & TDBF_INVALID)) 539 pfkeyv2_expire(tdb, SADB_EXT_LIFETIME_HARD); 540 tdb_delete(tdb); 541 } 542 543 void 544 tdb_firstuse(void *v) 545 { 546 struct tdb *tdb = v; 547 548 if (!(tdb->tdb_flags & TDBF_SOFT_FIRSTUSE)) 549 return; 550 551 /* If the TDB hasn't been used, don't renew it. */ 552 if (tdb->tdb_first_use != 0) 553 pfkeyv2_expire(tdb, SADB_EXT_LIFETIME_HARD); 554 tdb_delete(tdb); 555 } 556 557 void 558 tdb_soft_timeout(void *v) 559 { 560 struct tdb *tdb = v; 561 562 if (!(tdb->tdb_flags & TDBF_SOFT_TIMER)) 563 return; 564 565 /* Soft expirations. */ 566 pfkeyv2_expire(tdb, SADB_EXT_LIFETIME_SOFT); 567 tdb->tdb_flags &= ~TDBF_SOFT_TIMER; 568 } 569 570 void 571 tdb_soft_firstuse(void *v) 572 { 573 struct tdb *tdb = v; 574 575 if (!(tdb->tdb_flags & TDBF_SOFT_FIRSTUSE)) 576 return; 577 578 /* If the TDB hasn't been used, don't renew it. */ 579 if (tdb->tdb_first_use != 0) 580 pfkeyv2_expire(tdb, SADB_EXT_LIFETIME_SOFT); 581 tdb->tdb_flags &= ~TDBF_SOFT_FIRSTUSE; 582 } 583 584 /* 585 * Caller is responsible for spltdb(). 586 */ 587 void 588 tdb_rehash(void) 589 { 590 struct tdb **new_tdbh, **new_tdbaddr, **new_srcaddr, *tdbp, *tdbnp; 591 u_int i, old_hashmask = tdb_hashmask; 592 u_int32_t hashval; 593 594 tdb_hashmask = (tdb_hashmask << 1) | 1; 595 596 new_tdbh = malloc(sizeof(struct tdb *) * (tdb_hashmask + 1), M_TDB, 597 M_WAITOK | M_ZERO); 598 new_tdbaddr = malloc(sizeof(struct tdb *) * (tdb_hashmask + 1), M_TDB, 599 M_WAITOK | M_ZERO); 600 new_srcaddr = malloc(sizeof(struct tdb *) * (tdb_hashmask + 1), M_TDB, 601 M_WAITOK | M_ZERO); 602 603 for (i = 0; i <= old_hashmask; i++) { 604 for (tdbp = tdbh[i]; tdbp != NULL; tdbp = tdbnp) { 605 tdbnp = tdbp->tdb_hnext; 606 hashval = tdb_hash(tdbp->tdb_spi, &tdbp->tdb_dst, 607 tdbp->tdb_sproto); 608 tdbp->tdb_hnext = new_tdbh[hashval]; 609 new_tdbh[hashval] = tdbp; 610 } 611 612 for (tdbp = tdbaddr[i]; tdbp != NULL; tdbp = tdbnp) { 613 tdbnp = tdbp->tdb_anext; 614 hashval = tdb_hash(0, &tdbp->tdb_dst, 615 tdbp->tdb_sproto); 616 tdbp->tdb_anext = new_tdbaddr[hashval]; 617 new_tdbaddr[hashval] = tdbp; 618 } 619 620 for (tdbp = tdbsrc[i]; tdbp != NULL; tdbp = tdbnp) { 621 tdbnp = tdbp->tdb_snext; 622 hashval = tdb_hash(0, &tdbp->tdb_src, 623 tdbp->tdb_sproto); 624 tdbp->tdb_snext = new_srcaddr[hashval]; 625 new_srcaddr[hashval] = tdbp; 626 } 627 } 628 629 free(tdbh, M_TDB); 630 tdbh = new_tdbh; 631 632 free(tdbaddr, M_TDB); 633 tdbaddr = new_tdbaddr; 634 635 free(tdbsrc, M_TDB); 636 tdbsrc = new_srcaddr; 637 } 638 639 /* 640 * Add TDB in the hash table. 641 */ 642 void 643 puttdb(struct tdb *tdbp) 644 { 645 u_int32_t hashval; 646 int s = spltdb(); 647 648 if (tdbh == NULL) { 649 tdbh = malloc(sizeof(struct tdb *) * (tdb_hashmask + 1), M_TDB, 650 M_WAITOK | M_ZERO); 651 tdbaddr = malloc(sizeof(struct tdb *) * (tdb_hashmask + 1), 652 M_TDB, M_WAITOK | M_ZERO); 653 tdbsrc = malloc(sizeof(struct tdb *) * (tdb_hashmask + 1), 654 M_TDB, M_WAITOK | M_ZERO); 655 } 656 657 hashval = tdb_hash(tdbp->tdb_spi, &tdbp->tdb_dst, tdbp->tdb_sproto); 658 659 /* 660 * Rehash if this tdb would cause a bucket to have more than 661 * two items and if the number of tdbs exceed 10% of the 662 * bucket count. This number is arbitratily chosen and is 663 * just a measure to not keep rehashing when adding and 664 * removing tdbs which happens to always end up in the same 665 * bucket, which is not uncommon when doing manual keying. 666 */ 667 if (tdbh[hashval] != NULL && tdbh[hashval]->tdb_hnext != NULL && 668 tdb_count * 10 > tdb_hashmask + 1) { 669 tdb_rehash(); 670 hashval = tdb_hash(tdbp->tdb_spi, &tdbp->tdb_dst, 671 tdbp->tdb_sproto); 672 } 673 674 tdbp->tdb_hnext = tdbh[hashval]; 675 tdbh[hashval] = tdbp; 676 677 hashval = tdb_hash(0, &tdbp->tdb_dst, tdbp->tdb_sproto); 678 tdbp->tdb_anext = tdbaddr[hashval]; 679 tdbaddr[hashval] = tdbp; 680 681 hashval = tdb_hash(0, &tdbp->tdb_src, tdbp->tdb_sproto); 682 tdbp->tdb_snext = tdbsrc[hashval]; 683 tdbsrc[hashval] = tdbp; 684 685 tdb_count++; 686 687 ipsec_last_added = time_second; 688 689 splx(s); 690 } 691 692 /* 693 * Caller is responsible to set at least spltdb(). 694 */ 695 void 696 tdb_delete(struct tdb *tdbp) 697 { 698 struct tdb *tdbpp; 699 u_int32_t hashval; 700 int s; 701 702 if (tdbh == NULL) 703 return; 704 705 hashval = tdb_hash(tdbp->tdb_spi, &tdbp->tdb_dst, tdbp->tdb_sproto); 706 707 s = spltdb(); 708 if (tdbh[hashval] == tdbp) { 709 tdbh[hashval] = tdbp->tdb_hnext; 710 } else { 711 for (tdbpp = tdbh[hashval]; tdbpp != NULL; 712 tdbpp = tdbpp->tdb_hnext) { 713 if (tdbpp->tdb_hnext == tdbp) { 714 tdbpp->tdb_hnext = tdbp->tdb_hnext; 715 break; 716 } 717 } 718 } 719 720 tdbp->tdb_hnext = NULL; 721 722 hashval = tdb_hash(0, &tdbp->tdb_dst, tdbp->tdb_sproto); 723 724 if (tdbaddr[hashval] == tdbp) { 725 tdbaddr[hashval] = tdbp->tdb_anext; 726 } else { 727 for (tdbpp = tdbaddr[hashval]; tdbpp != NULL; 728 tdbpp = tdbpp->tdb_anext) { 729 if (tdbpp->tdb_anext == tdbp) { 730 tdbpp->tdb_anext = tdbp->tdb_anext; 731 break; 732 } 733 } 734 } 735 736 hashval = tdb_hash(0, &tdbp->tdb_src, tdbp->tdb_sproto); 737 738 if (tdbsrc[hashval] == tdbp) { 739 tdbsrc[hashval] = tdbp->tdb_snext; 740 } 741 else { 742 for (tdbpp = tdbsrc[hashval]; tdbpp != NULL; 743 tdbpp = tdbpp->tdb_snext) { 744 if (tdbpp->tdb_snext == tdbp) { 745 tdbpp->tdb_snext = tdbp->tdb_snext; 746 break; 747 } 748 } 749 } 750 751 tdbp->tdb_snext = NULL; 752 tdb_free(tdbp); 753 tdb_count--; 754 755 splx(s); 756 } 757 758 /* 759 * Allocate a TDB and initialize a few basic fields. 760 */ 761 struct tdb * 762 tdb_alloc(void) 763 { 764 struct tdb *tdbp; 765 766 tdbp = malloc(sizeof(*tdbp), M_TDB, M_WAITOK | M_ZERO); 767 768 /* Init Incoming SA-Binding Queues. */ 769 TAILQ_INIT(&tdbp->tdb_inp_out); 770 TAILQ_INIT(&tdbp->tdb_inp_in); 771 772 TAILQ_INIT(&tdbp->tdb_policy_head); 773 774 /* Record establishment time. */ 775 tdbp->tdb_established = time_second; 776 777 /* Initialize timeouts. */ 778 timeout_set(&tdbp->tdb_timer_tmo, tdb_timeout, tdbp); 779 timeout_set(&tdbp->tdb_first_tmo, tdb_firstuse, tdbp); 780 timeout_set(&tdbp->tdb_stimer_tmo, tdb_soft_timeout, tdbp); 781 timeout_set(&tdbp->tdb_sfirst_tmo, tdb_soft_firstuse, tdbp); 782 783 return tdbp; 784 } 785 786 void 787 tdb_free(struct tdb *tdbp) 788 { 789 struct ipsec_policy *ipo; 790 struct inpcb *inp; 791 792 if (tdbp->tdb_xform) { 793 (*(tdbp->tdb_xform->xf_zeroize))(tdbp); 794 tdbp->tdb_xform = NULL; 795 } 796 797 #if NPFSYNC > 0 798 /* Cleanup pfsync references */ 799 pfsync_delete_tdb(tdbp); 800 #endif 801 802 /* Cleanup inp references. */ 803 for (inp = TAILQ_FIRST(&tdbp->tdb_inp_in); inp; 804 inp = TAILQ_FIRST(&tdbp->tdb_inp_in)) { 805 TAILQ_REMOVE(&tdbp->tdb_inp_in, inp, inp_tdb_in_next); 806 inp->inp_tdb_in = NULL; 807 } 808 809 for (inp = TAILQ_FIRST(&tdbp->tdb_inp_out); inp; 810 inp = TAILQ_FIRST(&tdbp->tdb_inp_out)) { 811 TAILQ_REMOVE(&tdbp->tdb_inp_out, inp, inp_tdb_out_next); 812 inp->inp_tdb_out = NULL; 813 } 814 815 /* Cleanup SPD references. */ 816 for (ipo = TAILQ_FIRST(&tdbp->tdb_policy_head); ipo; 817 ipo = TAILQ_FIRST(&tdbp->tdb_policy_head)) { 818 TAILQ_REMOVE(&tdbp->tdb_policy_head, ipo, ipo_tdb_next); 819 ipo->ipo_tdb = NULL; 820 ipo->ipo_last_searched = 0; /* Force a re-search. */ 821 } 822 823 /* Remove expiration timeouts. */ 824 tdbp->tdb_flags &= ~(TDBF_FIRSTUSE | TDBF_SOFT_FIRSTUSE | TDBF_TIMER | 825 TDBF_SOFT_TIMER); 826 timeout_del(&tdbp->tdb_timer_tmo); 827 timeout_del(&tdbp->tdb_first_tmo); 828 timeout_del(&tdbp->tdb_stimer_tmo); 829 timeout_del(&tdbp->tdb_sfirst_tmo); 830 831 if (tdbp->tdb_local_auth) { 832 ipsp_reffree(tdbp->tdb_local_auth); 833 tdbp->tdb_local_auth = NULL; 834 } 835 836 if (tdbp->tdb_remote_auth) { 837 ipsp_reffree(tdbp->tdb_remote_auth); 838 tdbp->tdb_remote_auth = NULL; 839 } 840 841 if (tdbp->tdb_srcid) { 842 ipsp_reffree(tdbp->tdb_srcid); 843 tdbp->tdb_srcid = NULL; 844 } 845 846 if (tdbp->tdb_dstid) { 847 ipsp_reffree(tdbp->tdb_dstid); 848 tdbp->tdb_dstid = NULL; 849 } 850 851 if (tdbp->tdb_local_cred) { 852 ipsp_reffree(tdbp->tdb_local_cred); 853 tdbp->tdb_local_cred = NULL; 854 } 855 856 if (tdbp->tdb_remote_cred) { 857 ipsp_reffree(tdbp->tdb_remote_cred); 858 tdbp->tdb_remote_cred = NULL; 859 } 860 861 #if NPF > 0 862 if (tdbp->tdb_tag) { 863 pf_tag_unref(tdbp->tdb_tag); 864 tdbp->tdb_tag = 0; 865 } 866 #endif 867 868 if ((tdbp->tdb_onext) && (tdbp->tdb_onext->tdb_inext == tdbp)) 869 tdbp->tdb_onext->tdb_inext = NULL; 870 871 if ((tdbp->tdb_inext) && (tdbp->tdb_inext->tdb_onext == tdbp)) 872 tdbp->tdb_inext->tdb_onext = NULL; 873 874 free(tdbp, M_TDB); 875 } 876 877 /* 878 * Do further initializations of a TDB. 879 */ 880 int 881 tdb_init(struct tdb *tdbp, u_int16_t alg, struct ipsecinit *ii) 882 { 883 struct xformsw *xsp; 884 int err; 885 886 for (xsp = xformsw; xsp < xformswNXFORMSW; xsp++) { 887 if (xsp->xf_type == alg) { 888 err = (*(xsp->xf_init))(tdbp, xsp, ii); 889 return err; 890 } 891 } 892 893 DPRINTF(("tdb_init(): no alg %d for spi %08x, addr %s, proto %d\n", 894 alg, ntohl(tdbp->tdb_spi), ipsp_address(tdbp->tdb_dst), 895 tdbp->tdb_sproto)); 896 897 return EINVAL; 898 } 899 900 /* 901 * Check which transformations are required. 902 */ 903 u_int8_t 904 get_sa_require(struct inpcb *inp) 905 { 906 u_int8_t sareq = 0; 907 908 if (inp != NULL) { 909 sareq |= inp->inp_seclevel[SL_AUTH] >= IPSEC_LEVEL_USE ? 910 NOTIFY_SATYPE_AUTH : 0; 911 sareq |= inp->inp_seclevel[SL_ESP_TRANS] >= IPSEC_LEVEL_USE ? 912 NOTIFY_SATYPE_CONF : 0; 913 sareq |= inp->inp_seclevel[SL_ESP_NETWORK] >= IPSEC_LEVEL_USE ? 914 NOTIFY_SATYPE_TUNNEL : 0; 915 } else { 916 sareq |= ipsec_auth_default_level >= IPSEC_LEVEL_USE ? 917 NOTIFY_SATYPE_AUTH : 0; 918 sareq |= ipsec_esp_trans_default_level >= IPSEC_LEVEL_USE ? 919 NOTIFY_SATYPE_CONF : 0; 920 sareq |= ipsec_esp_network_default_level >= IPSEC_LEVEL_USE ? 921 NOTIFY_SATYPE_TUNNEL : 0; 922 } 923 924 return (sareq); 925 } 926 927 /* 928 * Add an inpcb to the list of inpcb which reference this tdb directly. 929 */ 930 void 931 tdb_add_inp(struct tdb *tdb, struct inpcb *inp, int inout) 932 { 933 if (inout) { 934 if (inp->inp_tdb_in) { 935 if (inp->inp_tdb_in == tdb) 936 return; 937 938 TAILQ_REMOVE(&inp->inp_tdb_in->tdb_inp_in, inp, 939 inp_tdb_in_next); 940 } 941 942 inp->inp_tdb_in = tdb; 943 TAILQ_INSERT_TAIL(&tdb->tdb_inp_in, inp, inp_tdb_in_next); 944 } else { 945 if (inp->inp_tdb_out) { 946 if (inp->inp_tdb_out == tdb) 947 return; 948 949 TAILQ_REMOVE(&inp->inp_tdb_out->tdb_inp_out, inp, 950 inp_tdb_out_next); 951 } 952 953 inp->inp_tdb_out = tdb; 954 TAILQ_INSERT_TAIL(&tdb->tdb_inp_out, inp, inp_tdb_out_next); 955 } 956 } 957 958 /* Return a printable string for the IPv4 address. */ 959 char * 960 inet_ntoa4(struct in_addr ina) 961 { 962 static char buf[4][4 * sizeof "123" + 4]; 963 unsigned char *ucp = (unsigned char *) &ina; 964 static int i = 3; 965 966 i = (i + 1) % 4; 967 snprintf(buf[i], sizeof buf[0], "%d.%d.%d.%d", 968 ucp[0] & 0xff, ucp[1] & 0xff, 969 ucp[2] & 0xff, ucp[3] & 0xff); 970 return (buf[i]); 971 } 972 973 /* Return a printable string for the address. */ 974 char * 975 ipsp_address(union sockaddr_union sa) 976 { 977 switch (sa.sa.sa_family) { 978 #ifdef INET 979 case AF_INET: 980 return inet_ntoa4(sa.sin.sin_addr); 981 #endif /* INET */ 982 983 #ifdef INET6 984 case AF_INET6: 985 return ip6_sprintf(&sa.sin6.sin6_addr); 986 #endif /* INET6 */ 987 988 default: 989 return "(unknown address family)"; 990 } 991 } 992 993 /* Check whether an IP{4,6} address is unspecified. */ 994 int 995 ipsp_is_unspecified(union sockaddr_union addr) 996 { 997 switch (addr.sa.sa_family) { 998 #ifdef INET 999 case AF_INET: 1000 if (addr.sin.sin_addr.s_addr == INADDR_ANY) 1001 return 1; 1002 else 1003 return 0; 1004 #endif /* INET */ 1005 1006 #ifdef INET6 1007 case AF_INET6: 1008 if (IN6_IS_ADDR_UNSPECIFIED(&addr.sin6.sin6_addr)) 1009 return 1; 1010 else 1011 return 0; 1012 #endif /* INET6 */ 1013 1014 case 0: /* No family set. */ 1015 default: 1016 return 1; 1017 } 1018 } 1019 1020 /* Free reference-counted structure. */ 1021 void 1022 ipsp_reffree(struct ipsec_ref *ipr) 1023 { 1024 #ifdef DIAGNOSTIC 1025 if (ipr->ref_count <= 0) 1026 printf("ipsp_reffree: illegal reference count %d for " 1027 "object %p (len = %d, malloctype = %d)\n", 1028 ipr->ref_count, ipr, ipr->ref_len, ipr->ref_malloctype); 1029 #endif 1030 if (--ipr->ref_count <= 0) 1031 free(ipr, ipr->ref_malloctype); 1032 } 1033 1034 /* Mark a TDB as TDBF_SKIPCRYPTO. */ 1035 void 1036 ipsp_skipcrypto_mark(struct tdb_ident *tdbi) 1037 { 1038 struct tdb *tdb; 1039 int s = spltdb(); 1040 1041 tdb = gettdb(tdbi->spi, &tdbi->dst, tdbi->proto); 1042 if (tdb != NULL) { 1043 tdb->tdb_flags |= TDBF_SKIPCRYPTO; 1044 tdb->tdb_last_marked = time_second; 1045 } 1046 splx(s); 1047 } 1048 1049 /* Unmark a TDB as TDBF_SKIPCRYPTO. */ 1050 void 1051 ipsp_skipcrypto_unmark(struct tdb_ident *tdbi) 1052 { 1053 struct tdb *tdb; 1054 int s = spltdb(); 1055 1056 tdb = gettdb(tdbi->spi, &tdbi->dst, tdbi->proto); 1057 if (tdb != NULL) { 1058 tdb->tdb_flags &= ~TDBF_SKIPCRYPTO; 1059 tdb->tdb_last_marked = time_second; 1060 } 1061 splx(s); 1062 } 1063 1064 /* Return true if the two structures match. */ 1065 int 1066 ipsp_ref_match(struct ipsec_ref *ref1, struct ipsec_ref *ref2) 1067 { 1068 if (ref1->ref_type != ref2->ref_type || 1069 ref1->ref_len != ref2->ref_len || 1070 bcmp(ref1 + 1, ref2 + 1, ref1->ref_len)) 1071 return 0; 1072 1073 return 1; 1074 } 1075 1076 #ifdef notyet 1077 /* 1078 * Go down a chain of IPv4/IPv6/ESP/AH/IPiP chains creating an tag for each 1079 * IPsec header encountered. The offset where the first header, as well 1080 * as its type are given to us. 1081 */ 1082 struct m_tag * 1083 ipsp_parse_headers(struct mbuf *m, int off, u_int8_t proto) 1084 { 1085 int ipv4sa = 0, s, esphlen = 0, trail = 0, i; 1086 SLIST_HEAD(packet_tags, m_tag) tags; 1087 unsigned char lasteight[8]; 1088 struct tdb_ident *tdbi; 1089 struct m_tag *mtag; 1090 struct tdb *tdb; 1091 1092 #ifdef INET 1093 struct ip iph; 1094 #endif /* INET */ 1095 1096 #ifdef INET6 1097 struct in6_addr ip6_dst; 1098 #endif /* INET6 */ 1099 1100 /* We have to start with a known network protocol. */ 1101 if (proto != IPPROTO_IPV4 && proto != IPPROTO_IPV6) 1102 return NULL; 1103 1104 SLIST_INIT(&tags); 1105 1106 while (1) { 1107 switch (proto) { 1108 #ifdef INET 1109 case IPPROTO_IPV4: /* Also IPPROTO_IPIP */ 1110 { 1111 /* 1112 * Save the IP header (we need both the 1113 * address and ip_hl). 1114 */ 1115 m_copydata(m, off, sizeof(struct ip), (caddr_t) &iph); 1116 ipv4sa = 1; 1117 proto = iph.ip_p; 1118 off += iph.ip_hl << 2; 1119 break; 1120 } 1121 #endif /* INET */ 1122 1123 #ifdef INET6 1124 case IPPROTO_IPV6: 1125 { 1126 int nxtp, l; 1127 1128 /* Copy the IPv6 address. */ 1129 m_copydata(m, off + offsetof(struct ip6_hdr, ip6_dst), 1130 sizeof(struct ip6_hdr), (caddr_t) &ip6_dst); 1131 ipv4sa = 0; 1132 1133 /* 1134 * Go down the chain of headers until we encounter a 1135 * non-option. 1136 */ 1137 for (l = ip6_nexthdr(m, off, proto, &nxtp); l != -1; 1138 l = ip6_nexthdr(m, off, proto, &nxtp)) { 1139 off += l; 1140 proto = nxtp; 1141 1142 /* Construct a tag. */ 1143 if (nxtp == IPPROTO_AH) { 1144 mtag = m_tag_get(PACKET_TAG_IPSEC_IN_CRYPTO_DONE, 1145 sizeof(struct tdb_ident), 1146 M_NOWAIT); 1147 1148 if (mtag == NULL) 1149 return SLIST_FIRST(&tags); 1150 1151 tdbi = (struct tdb_ident *) (mtag + 1); 1152 bzero(tdbi, sizeof(struct tdb_ident)); 1153 1154 m_copydata(m, off + sizeof(u_int32_t), 1155 sizeof(u_int32_t), 1156 (caddr_t) &tdbi->spi); 1157 1158 tdbi->proto = IPPROTO_AH; 1159 tdbi->dst.sin6.sin6_family = AF_INET6; 1160 tdbi->dst.sin6.sin6_len = 1161 sizeof(struct sockaddr_in6); 1162 tdbi->dst.sin6.sin6_addr = ip6_dst; 1163 SLIST_INSERT_HEAD(&tags, 1164 mtag, m_tag_link); 1165 } 1166 else 1167 if (nxtp == IPPROTO_IPV6) 1168 m_copydata(m, off + 1169 offsetof(struct ip6_hdr, 1170 ip6_dst), 1171 sizeof(struct ip6_hdr), 1172 (caddr_t) &ip6_dst); 1173 } 1174 break; 1175 } 1176 #endif /* INET6 */ 1177 1178 case IPPROTO_ESP: 1179 /* Verify that this has been decrypted. */ 1180 { 1181 union sockaddr_union su; 1182 u_int32_t spi; 1183 1184 m_copydata(m, off, sizeof(u_int32_t), (caddr_t) &spi); 1185 bzero(&su, sizeof(union sockaddr_union)); 1186 1187 s = spltdb(); 1188 1189 #ifdef INET 1190 if (ipv4sa) { 1191 su.sin.sin_family = AF_INET; 1192 su.sin.sin_len = sizeof(struct sockaddr_in); 1193 su.sin.sin_addr = iph.ip_dst; 1194 } 1195 #endif /* INET */ 1196 1197 #ifdef INET6 1198 if (!ipv4sa) { 1199 su.sin6.sin6_family = AF_INET6; 1200 su.sin6.sin6_len = sizeof(struct sockaddr_in6); 1201 su.sin6.sin6_addr = ip6_dst; 1202 } 1203 #endif /* INET6 */ 1204 1205 tdb = gettdb(spi, &su, IPPROTO_ESP); 1206 if (tdb == NULL) { 1207 splx(s); 1208 return SLIST_FIRST(&tags); 1209 } 1210 1211 /* How large is the ESP header ? We use this later. */ 1212 if (tdb->tdb_flags & TDBF_NOREPLAY) 1213 esphlen = sizeof(u_int32_t) + tdb->tdb_ivlen; 1214 else 1215 esphlen = 2 * sizeof(u_int32_t) + 1216 tdb->tdb_ivlen; 1217 1218 /* 1219 * Verify decryption. If the SA is using 1220 * random padding (as the "old" ESP SAs were 1221 * bound to do, there's nothing we can do to 1222 * see if the payload has been decrypted. 1223 */ 1224 if (tdb->tdb_flags & TDBF_RANDOMPADDING) { 1225 splx(s); 1226 return SLIST_FIRST(&tags); 1227 } 1228 1229 /* Update the length of trailing ESP authenticators. */ 1230 if (tdb->tdb_authalgxform) 1231 trail += AH_HMAC_HASHLEN; 1232 1233 splx(s); 1234 1235 /* Copy the last 10 bytes. */ 1236 m_copydata(m, m->m_pkthdr.len - trail - 8, 8, 1237 lasteight); 1238 1239 /* Verify the self-describing padding values. */ 1240 if (lasteight[6] != 0) { 1241 if (lasteight[6] != lasteight[5]) 1242 return SLIST_FIRST(&tags); 1243 1244 for (i = 4; lasteight[i + 1] != 1 && i >= 0; 1245 i--) 1246 if (lasteight[i + 1] != 1247 lasteight[i] + 1) 1248 return SLIST_FIRST(&tags); 1249 } 1250 } 1251 /* FALLTHROUGH */ 1252 case IPPROTO_AH: 1253 mtag = m_tag_get(PACKET_TAG_IPSEC_IN_CRYPTO_DONE, 1254 sizeof(struct tdb_ident), M_NOWAIT); 1255 if (mtag == NULL) 1256 return SLIST_FIRST(&tags); 1257 1258 tdbi = (struct tdb_ident *) (mtag + 1); 1259 bzero(tdbi, sizeof(struct tdb_ident)); 1260 1261 /* Get SPI off the relevant header. */ 1262 if (proto == IPPROTO_AH) 1263 m_copydata(m, off + sizeof(u_int32_t), 1264 sizeof(u_int32_t), (caddr_t) &tdbi->spi); 1265 else /* IPPROTO_ESP */ 1266 m_copydata(m, off, sizeof(u_int32_t), 1267 (caddr_t) &tdbi->spi); 1268 1269 tdbi->proto = proto; /* AH or ESP */ 1270 1271 #ifdef INET 1272 /* Last network header was IPv4. */ 1273 if (ipv4sa) { 1274 tdbi->dst.sin.sin_family = AF_INET; 1275 tdbi->dst.sin.sin_len = 1276 sizeof(struct sockaddr_in); 1277 tdbi->dst.sin.sin_addr = iph.ip_dst; 1278 } 1279 #endif /* INET */ 1280 1281 #ifdef INET6 1282 /* Last network header was IPv6. */ 1283 if (!ipv4sa) { 1284 tdbi->dst.sin6.sin6_family = AF_INET6; 1285 tdbi->dst.sin6.sin6_len = 1286 sizeof(struct sockaddr_in6); 1287 tdbi->dst.sin6.sin6_addr = ip6_dst; 1288 } 1289 #endif /* INET6 */ 1290 1291 SLIST_INSERT_HEAD(&tags, mtag, m_tag_link); 1292 1293 /* Update next protocol/header and header offset. */ 1294 if (proto == IPPROTO_AH) { 1295 u_int8_t foo[2]; 1296 1297 m_copydata(m, off, 2 * sizeof(u_int8_t), foo); 1298 proto = foo[0]; 1299 off += (foo[1] + 2) << 2; 1300 } else {/* IPPROTO_ESP */ 1301 /* Initialized in IPPROTO_ESP case. */ 1302 off += esphlen; 1303 proto = lasteight[7]; 1304 } 1305 break; 1306 1307 default: 1308 return SLIST_FIRST(&tags); /* We're done. */ 1309 } 1310 } 1311 } 1312 #endif /* notyet */ 1313