1 /* $OpenBSD: ip_ipsp.c,v 1.141 2001/08/08 15:07:04 jjbg Exp $ */ 2 /* 3 * The authors of this code are John Ioannidis (ji@tla.org), 4 * Angelos D. Keromytis (kermit@csd.uch.gr), 5 * Niels Provos (provos@physnet.uni-hamburg.de) and 6 * Niklas Hallqvist (niklas@appli.se). 7 * 8 * The original version of this code was written by John Ioannidis 9 * for BSD/OS in Athens, Greece, in November 1995. 10 * 11 * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996, 12 * by Angelos D. Keromytis. 13 * 14 * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis 15 * and Niels Provos. 16 * 17 * Additional features in 1999 by Angelos D. Keromytis and Niklas Hallqvist. 18 * 19 * Copyright (c) 1995, 1996, 1997, 1998, 1999 by John Ioannidis, 20 * Angelos D. Keromytis and Niels Provos. 21 * Copyright (c) 1999 Niklas Hallqvist. 22 * Copyright (c) 2001, Angelos D. Keromytis. 23 * 24 * Permission to use, copy, and modify this software with or without fee 25 * is hereby granted, provided that this entire notice is included in 26 * all copies of any software which is or includes a copy or 27 * modification of this software. 28 * You may use this code under the GNU public license if you so wish. Please 29 * contribute changes back to the authors under this freer than GPL license 30 * so that we may further the use of strong encryption without limitations to 31 * all. 32 * 33 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR 34 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY 35 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE 36 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR 37 * PURPOSE. 38 */ 39 40 #include <sys/param.h> 41 #include <sys/mbuf.h> 42 #include <sys/socket.h> 43 #include <sys/kernel.h> 44 #include <sys/sysctl.h> 45 46 #include <net/if.h> 47 #include <net/route.h> 48 49 #ifdef INET 50 #include <netinet/in.h> 51 #include <netinet/in_systm.h> 52 #include <netinet/ip.h> 53 #include <netinet/in_pcb.h> 54 #endif /* INET */ 55 56 #ifdef INET6 57 #ifndef INET 58 #include <netinet/in.h> 59 #endif 60 #include <netinet6/in6_var.h> 61 #endif /* INET6 */ 62 63 #include <netinet/ip_ipsp.h> 64 #include <net/pfkeyv2.h> 65 #include <crypto/xform.h> 66 #include <dev/rndvar.h> 67 68 #ifdef DDB 69 #include <ddb/db_output.h> 70 void tdb_hashstats(void); 71 #endif 72 73 #ifdef ENCDEBUG 74 #define DPRINTF(x) if (encdebug) printf x 75 #else 76 #define DPRINTF(x) 77 #endif 78 79 #ifdef __GNUC__ 80 #define INLINE static __inline 81 #endif 82 83 int ipsp_kern __P((int, char **, int)); 84 u_int8_t get_sa_require __P((struct inpcb *)); 85 void tdb_rehash __P((void)); 86 void tdb_timeout __P((void *v)); 87 void tdb_firstuse __P((void *v)); 88 void tdb_soft_timeout __P((void *v)); 89 void tdb_soft_firstuse __P((void *v)); 90 91 extern int ipsec_auth_default_level; 92 extern int ipsec_esp_trans_default_level; 93 extern int ipsec_esp_network_default_level; 94 extern int ipsec_ipcomp_default_level; 95 96 extern int encdebug; 97 int ipsec_in_use = 0; 98 u_int64_t ipsec_last_added = 0; 99 u_int32_t kernfs_epoch = 0; 100 101 struct ipsec_policy_head ipsec_policy_head = 102 TAILQ_HEAD_INITIALIZER(ipsec_policy_head); 103 struct ipsec_acquire_head ipsec_acquire_head = 104 TAILQ_HEAD_INITIALIZER(ipsec_acquire_head); 105 106 /* 107 * This is the proper place to define the various encapsulation transforms. 108 */ 109 110 struct xformsw xformsw[] = { 111 { XF_IP4, 0, "IPv4 Simple Encapsulation", 112 ipe4_attach, ipe4_init, ipe4_zeroize, 113 (int (*)(struct mbuf *, struct tdb *, int, int))ipe4_input, 114 ipip_output, }, 115 { XF_AH, XFT_AUTH, "IPsec AH", 116 ah_attach, ah_init, ah_zeroize, 117 ah_input, ah_output, }, 118 { XF_ESP, XFT_CONF|XFT_AUTH, "IPsec ESP", 119 esp_attach, esp_init, esp_zeroize, 120 esp_input, esp_output, }, 121 { XF_IPCOMP, XFT_COMP, "IPcomp", 122 ipcomp_attach, ipcomp_init, ipcomp_zeroize, 123 ipcomp_input, ipcomp_output, }, 124 #ifdef TCP_SIGNATURE 125 { XF_TCPSIGNATURE, XFT_AUTH, "TCP MD5 Signature Option, RFC 2385", 126 tcp_signature_tdb_attach, tcp_signature_tdb_init, 127 tcp_signature_tdb_zeroize, tcp_signature_tdb_input, 128 tcp_signature_tdb_output, } 129 #endif /* TCP_SIGNATURE */ 130 }; 131 132 struct xformsw *xformswNXFORMSW = &xformsw[sizeof(xformsw)/sizeof(xformsw[0])]; 133 134 unsigned char ipseczeroes[IPSEC_ZEROES_SIZE]; /* zeroes! */ 135 136 #define TDB_HASHSIZE_INIT 32 137 138 static struct tdb **tdbh = NULL; 139 static struct tdb **tdbaddr = NULL; 140 static struct tdb **tdbsrc = NULL; 141 static u_int tdb_hashmask = TDB_HASHSIZE_INIT - 1; 142 static int tdb_count; 143 144 /* 145 * Our hashing function needs to stir things with a non-zero random multiplier 146 * so we cannot be DoS-attacked via choosing of the data to hash. 147 */ 148 INLINE int 149 tdb_hash(u_int32_t spi, union sockaddr_union *dst, u_int8_t proto) 150 { 151 static u_int32_t mult1 = 0, mult2 = 0; 152 u_int8_t *ptr = (u_int8_t *) dst; 153 int i, shift; 154 u_int64_t hash; 155 int val32 = 0; 156 157 while (mult1 == 0) 158 mult1 = arc4random(); 159 while (mult2 == 0) 160 mult2 = arc4random(); 161 162 hash = (spi ^ proto) * mult1; 163 for (i = 0; i < SA_LEN(&dst->sa); i++) { 164 val32 = (val32 << 8) | ptr[i]; 165 if (i % 4 == 3) { 166 hash ^= val32 * mult2; 167 val32 = 0; 168 } 169 } 170 171 if (i % 4 != 0) 172 hash ^= val32 * mult2; 173 174 shift = ffs(tdb_hashmask + 1); 175 while ((hash & ~tdb_hashmask) != 0) 176 hash = (hash >> shift) ^ (hash & tdb_hashmask); 177 178 return hash; 179 } 180 181 /* 182 * Reserve an SPI; the SA is not valid yet though. We use 0 as 183 * an error return value. 184 */ 185 u_int32_t 186 reserve_spi(u_int32_t sspi, u_int32_t tspi, union sockaddr_union *src, 187 union sockaddr_union *dst, u_int8_t sproto, int *errval) 188 { 189 struct tdb *tdbp; 190 u_int32_t spi; 191 int nums, s; 192 193 /* Don't accept ranges only encompassing reserved SPIs. */ 194 if (sproto != IPPROTO_IPCOMP && 195 (tspi < sspi || tspi <= SPI_RESERVED_MAX)) { 196 (*errval) = EINVAL; 197 return 0; 198 } 199 if (sproto == IPPROTO_IPCOMP && (tspi < sspi || 200 tspi <= CPI_RESERVED_MAX || 201 tspi >= CPI_PRIVATE_MIN)) { 202 (*errval) = EINVAL; 203 return 0; 204 } 205 206 /* Limit the range to not include reserved areas. */ 207 if (sspi <= SPI_RESERVED_MAX) 208 sspi = SPI_RESERVED_MAX + 1; 209 210 /* For IPCOMP the CPI is only 16 bits long, what a good idea.... */ 211 212 if (sproto == IPPROTO_IPCOMP) { 213 u_int32_t t; 214 if (sspi >= 0x10000) 215 sspi = 0xffff; 216 if (tspi >= 0x10000) 217 tspi = 0xffff; 218 if (sspi > tspi) { 219 t = sspi; sspi = tspi; tspi = t; 220 } 221 } 222 223 if (sspi == tspi) /* Asking for a specific SPI. */ 224 nums = 1; 225 else 226 nums = 100; /* Arbitrarily chosen */ 227 228 while (nums--) { 229 if (sspi == tspi) /* Specific SPI asked. */ 230 spi = tspi; 231 else /* Range specified */ 232 spi = sspi + (arc4random() % (tspi - sspi)); 233 234 /* Don't allocate reserved SPIs. */ 235 if (spi >= SPI_RESERVED_MIN && spi <= SPI_RESERVED_MAX) 236 continue; 237 else 238 spi = htonl(spi); 239 240 /* Check whether we're using this SPI already. */ 241 s = spltdb(); 242 tdbp = gettdb(spi, dst, sproto); 243 splx(s); 244 245 if (tdbp != (struct tdb *) NULL) 246 continue; 247 248 tdbp = tdb_alloc(); 249 250 tdbp->tdb_spi = spi; 251 bcopy(&dst->sa, &tdbp->tdb_dst.sa, SA_LEN(&dst->sa)); 252 bcopy(&src->sa, &tdbp->tdb_src.sa, SA_LEN(&src->sa)); 253 tdbp->tdb_sproto = sproto; 254 tdbp->tdb_flags |= TDBF_INVALID; /* Mark SA invalid for now. */ 255 tdbp->tdb_satype = SADB_SATYPE_UNSPEC; 256 puttdb(tdbp); 257 258 /* Setup a "silent" expiration (since TDBF_INVALID's set). */ 259 if (ipsec_keep_invalid > 0) { 260 tdbp->tdb_flags |= TDBF_TIMER; 261 tdbp->tdb_exp_timeout = ipsec_keep_invalid; 262 timeout_add(&tdbp->tdb_timer_tmo, 263 hz * ipsec_keep_invalid); 264 } 265 266 return spi; 267 } 268 269 (*errval) = EEXIST; 270 return 0; 271 } 272 273 /* 274 * An IPSP SAID is really the concatenation of the SPI found in the 275 * packet, the destination address of the packet and the IPsec protocol. 276 * When we receive an IPSP packet, we need to look up its tunnel descriptor 277 * block, based on the SPI in the packet and the destination address (which 278 * is really one of our addresses if we received the packet! 279 * 280 * Caller is responsible for setting at least spltdb(). 281 */ 282 struct tdb * 283 gettdb(u_int32_t spi, union sockaddr_union *dst, u_int8_t proto) 284 { 285 u_int32_t hashval; 286 struct tdb *tdbp; 287 288 if (tdbh == NULL) 289 return (struct tdb *) NULL; 290 291 hashval = tdb_hash(spi, dst, proto); 292 293 for (tdbp = tdbh[hashval]; tdbp != NULL; tdbp = tdbp->tdb_hnext) 294 if ((tdbp->tdb_spi == spi) && 295 !bcmp(&tdbp->tdb_dst, dst, SA_LEN(&dst->sa)) && 296 (tdbp->tdb_sproto == proto)) 297 break; 298 299 return tdbp; 300 } 301 302 /* 303 * Get an SA given the remote address, the security protocol type, and 304 * the desired IDs. 305 */ 306 struct tdb * 307 gettdbbyaddr(union sockaddr_union *dst, struct ipsec_policy *ipo, 308 struct mbuf *m, int af) 309 { 310 u_int32_t hashval; 311 struct tdb *tdbp; 312 313 if (tdbaddr == NULL) 314 return (struct tdb *) NULL; 315 316 hashval = tdb_hash(0, dst, ipo->ipo_sproto); 317 318 for (tdbp = tdbaddr[hashval]; tdbp != NULL; tdbp = tdbp->tdb_anext) 319 if ((tdbp->tdb_sproto == ipo->ipo_sproto) && 320 ((tdbp->tdb_flags & TDBF_INVALID) == 0) && 321 (!bcmp(&tdbp->tdb_dst, dst, SA_LEN(&dst->sa)))) { 322 /* 323 * If the IDs are not set, this was probably a 324 * manually-keyed SA, so it can be used for 325 * any type of traffic. 326 */ 327 if (tdbp->tdb_srcid != NULL) { 328 if (ipo->ipo_srcid != NULL && 329 !ipsp_ref_match(ipo->ipo_srcid, 330 tdbp->tdb_srcid)) 331 continue; 332 /* Otherwise, this is fine. */ 333 } else if (ipo->ipo_srcid != NULL) 334 continue; 335 336 if (tdbp->tdb_dstid != NULL) { 337 if (ipo->ipo_dstid != NULL && 338 !ipsp_ref_match(ipo->ipo_dstid, 339 tdbp->tdb_dstid)) 340 continue; 341 /* Otherwise, this is fine. */ 342 } else if (ipo->ipo_dstid != NULL) 343 continue; 344 345 /* Check for credential matches. */ 346 if (tdbp->tdb_local_cred != NULL) { 347 if (ipo->ipo_local_cred != NULL && 348 !ipsp_ref_match(ipo->ipo_local_cred, 349 tdbp->tdb_local_cred)) 350 continue; 351 } else if (ipo->ipo_local_cred != NULL) 352 continue; /* If no credential was used 353 * in the TDB, try to 354 * establish a new SA with 355 * the given credential, 356 * since some type of access 357 * control may be done on 358 * the other side based on 359 * that credential. 360 */ 361 362 /* XXX Check for filter matches. */ 363 break; 364 } 365 366 return tdbp; 367 } 368 369 /* 370 * Get an SA given the source address, the security protocol type, and 371 * the desired IDs. 372 */ 373 struct tdb * 374 gettdbbysrc(union sockaddr_union *src, struct ipsec_policy *ipo, 375 struct mbuf *m, int af) 376 { 377 u_int32_t hashval; 378 struct tdb *tdbp; 379 380 if (tdbsrc == NULL) 381 return (struct tdb *) NULL; 382 383 hashval = tdb_hash(0, src, ipo->ipo_sproto); 384 385 for (tdbp = tdbsrc[hashval]; tdbp != NULL; tdbp = tdbp->tdb_snext) 386 if ((tdbp->tdb_sproto == ipo->ipo_sproto) && 387 ((tdbp->tdb_flags & TDBF_INVALID) == 0) && 388 (!bcmp(&tdbp->tdb_src, src, SA_LEN(&src->sa)))) { 389 /* 390 * If the IDs are not set, this was probably a 391 * manually-keyed SA, so it can be used for 392 * any type of traffic. 393 */ 394 if (tdbp->tdb_srcid != NULL) { 395 if (ipo->ipo_dstid != NULL && 396 !ipsp_ref_match(ipo->ipo_dstid, 397 tdbp->tdb_srcid)) 398 continue; 399 /* Otherwise, this is fine. */ 400 } else if (ipo->ipo_dstid != NULL) 401 continue; 402 403 if (tdbp->tdb_dstid != NULL) { 404 if (ipo->ipo_srcid != NULL && 405 !ipsp_ref_match(ipo->ipo_srcid, 406 tdbp->tdb_dstid)) 407 continue; 408 /* Otherwise, this is fine. */ 409 } else if (ipo->ipo_srcid != NULL) 410 continue; 411 412 /* XXX Check for filter matches. */ 413 break; 414 } 415 416 return tdbp; 417 } 418 419 #if DDB 420 void 421 tdb_hashstats(void) 422 { 423 int i, cnt, buckets[16]; 424 struct tdb *tdbp; 425 426 if (tdbh == NULL) { 427 db_printf("no tdb hash table\n"); 428 return; 429 } 430 431 bzero (buckets, sizeof(buckets)); 432 for (i = 0; i <= tdb_hashmask; i++) { 433 cnt = 0; 434 for (tdbp = tdbh[i]; cnt < 16 && tdbp != NULL; 435 tdbp = tdbp->tdb_hnext) 436 cnt++; 437 buckets[cnt]++; 438 } 439 440 db_printf("tdb cnt\t\tbucket cnt\n"); 441 for (i = 0; i < 16; i++) 442 if (buckets[i] > 0) 443 db_printf("%d%c\t\t%d\n", i, i == 15 ? "+" : "", 444 buckets[i]); 445 } 446 #endif /* DDB */ 447 448 /* 449 * Caller is responsible for setting at least spltdb(). 450 */ 451 int 452 tdb_walk(int (*walker)(struct tdb *, void *, int), void *arg) 453 { 454 int i, rval = 0; 455 struct tdb *tdbp, *next; 456 457 if (tdbh == NULL) 458 return ENOENT; 459 460 for (i = 0; i <= tdb_hashmask; i++) 461 for (tdbp = tdbh[i]; rval == 0 && tdbp != NULL; tdbp = next) { 462 next = tdbp->tdb_hnext; 463 if (i == tdb_hashmask && next == NULL) 464 rval = walker(tdbp, (void *)arg, 1); 465 else 466 rval = walker(tdbp, (void *)arg, 0); 467 } 468 469 return rval; 470 } 471 472 /* 473 * Called at splsoftclock(). 474 */ 475 void 476 tdb_timeout(void *v) 477 { 478 struct tdb *tdb = v; 479 480 if (!(tdb->tdb_flags & TDBF_TIMER)) 481 return; 482 483 /* If it's an "invalid" TDB do a silent expiration. */ 484 if (!(tdb->tdb_flags & TDBF_INVALID)) 485 pfkeyv2_expire(tdb, SADB_EXT_LIFETIME_HARD); 486 tdb_delete(tdb); 487 } 488 489 void 490 tdb_firstuse(void *v) 491 { 492 struct tdb *tdb = v; 493 494 if (!(tdb->tdb_flags & TDBF_SOFT_FIRSTUSE)) 495 return; 496 497 /* If the TDB hasn't been used, don't renew it. */ 498 if (tdb->tdb_first_use != 0) 499 pfkeyv2_expire(tdb, SADB_EXT_LIFETIME_HARD); 500 tdb_delete(tdb); 501 } 502 503 void 504 tdb_soft_timeout(void *v) 505 { 506 struct tdb *tdb = v; 507 508 if (!(tdb->tdb_flags & TDBF_SOFT_TIMER)) 509 return; 510 511 /* Soft expirations. */ 512 pfkeyv2_expire(tdb, SADB_EXT_LIFETIME_SOFT); 513 tdb->tdb_flags &= ~TDBF_SOFT_TIMER; 514 } 515 516 void 517 tdb_soft_firstuse(void *v) 518 { 519 struct tdb *tdb = v; 520 521 if (!(tdb->tdb_flags & TDBF_SOFT_FIRSTUSE)) 522 return; 523 524 /* If the TDB hasn't been used, don't renew it. */ 525 if (tdb->tdb_first_use != 0) 526 pfkeyv2_expire(tdb, SADB_EXT_LIFETIME_SOFT); 527 tdb->tdb_flags &= ~TDBF_SOFT_FIRSTUSE; 528 } 529 530 /* 531 * Caller is responsible for spltdb(). 532 */ 533 void 534 tdb_rehash(void) 535 { 536 struct tdb **new_tdbh, **new_tdbaddr, **new_srcaddr, *tdbp, *tdbnp; 537 u_int i, old_hashmask = tdb_hashmask; 538 u_int32_t hashval; 539 540 tdb_hashmask = (tdb_hashmask << 1) | 1; 541 542 MALLOC(new_tdbh, struct tdb **, 543 sizeof(struct tdb *) * (tdb_hashmask + 1), M_TDB, M_WAITOK); 544 MALLOC(new_tdbaddr, struct tdb **, 545 sizeof(struct tdb *) * (tdb_hashmask + 1), M_TDB, M_WAITOK); 546 MALLOC(new_srcaddr, struct tdb **, 547 sizeof(struct tdb *) * (tdb_hashmask + 1), M_TDB, M_WAITOK); 548 549 bzero(new_tdbh, sizeof(struct tdb *) * (tdb_hashmask + 1)); 550 bzero(new_tdbaddr, sizeof(struct tdb *) * (tdb_hashmask + 1)); 551 bzero(new_srcaddr, sizeof(struct tdb *) * (tdb_hashmask + 1)); 552 553 for (i = 0; i <= old_hashmask; i++) { 554 for (tdbp = tdbh[i]; tdbp != NULL; tdbp = tdbnp) { 555 tdbnp = tdbp->tdb_hnext; 556 hashval = tdb_hash(tdbp->tdb_spi, &tdbp->tdb_dst, 557 tdbp->tdb_sproto); 558 tdbp->tdb_hnext = new_tdbh[hashval]; 559 new_tdbh[hashval] = tdbp; 560 } 561 562 for (tdbp = tdbaddr[i]; tdbp != NULL; tdbp = tdbnp) { 563 tdbnp = tdbp->tdb_anext; 564 hashval = tdb_hash(0, &tdbp->tdb_dst, 565 tdbp->tdb_sproto); 566 tdbp->tdb_anext = new_tdbaddr[hashval]; 567 new_tdbaddr[hashval] = tdbp; 568 } 569 570 for (tdbp = tdbsrc[i]; tdbp != NULL; tdbp = tdbnp) { 571 tdbnp = tdbp->tdb_snext; 572 hashval = tdb_hash(0, &tdbp->tdb_src, 573 tdbp->tdb_sproto); 574 tdbp->tdb_snext = new_srcaddr[hashval]; 575 new_srcaddr[hashval] = tdbp; 576 } 577 } 578 579 FREE(tdbh, M_TDB); 580 tdbh = new_tdbh; 581 582 FREE(tdbaddr, M_TDB); 583 tdbaddr = new_tdbaddr; 584 585 FREE(tdbsrc, M_TDB); 586 tdbsrc = new_srcaddr; 587 } 588 589 /* 590 * Add TDB in the hash table. 591 */ 592 void 593 puttdb(struct tdb *tdbp) 594 { 595 u_int32_t hashval; 596 int s = spltdb(); 597 598 if (tdbh == NULL) { 599 MALLOC(tdbh, struct tdb **, 600 sizeof(struct tdb *) * (tdb_hashmask + 1), 601 M_TDB, M_WAITOK); 602 MALLOC(tdbaddr, struct tdb **, 603 sizeof(struct tdb *) * (tdb_hashmask + 1), 604 M_TDB, M_WAITOK); 605 MALLOC(tdbsrc, struct tdb **, 606 sizeof(struct tdb *) * (tdb_hashmask + 1), 607 M_TDB, M_WAITOK); 608 609 bzero(tdbh, sizeof(struct tdb *) * (tdb_hashmask + 1)); 610 bzero(tdbaddr, sizeof(struct tdb *) * (tdb_hashmask + 1)); 611 bzero(tdbsrc, sizeof(struct tdb *) * (tdb_hashmask + 1)); 612 } 613 614 hashval = tdb_hash(tdbp->tdb_spi, &tdbp->tdb_dst, tdbp->tdb_sproto); 615 616 /* 617 * Rehash if this tdb would cause a bucket to have more than 618 * two items and if the number of tdbs exceed 10% of the 619 * bucket count. This number is arbitratily chosen and is 620 * just a measure to not keep rehashing when adding and 621 * removing tdbs which happens to always end up in the same 622 * bucket, which is not uncommon when doing manual keying. 623 */ 624 if (tdbh[hashval] != NULL && tdbh[hashval]->tdb_hnext != NULL && 625 tdb_count * 10 > tdb_hashmask + 1) { 626 tdb_rehash(); 627 hashval = tdb_hash(tdbp->tdb_spi, &tdbp->tdb_dst, 628 tdbp->tdb_sproto); 629 } 630 631 tdbp->tdb_hnext = tdbh[hashval]; 632 tdbh[hashval] = tdbp; 633 634 hashval = tdb_hash(0, &tdbp->tdb_dst, tdbp->tdb_sproto); 635 tdbp->tdb_anext = tdbaddr[hashval]; 636 tdbaddr[hashval] = tdbp; 637 638 hashval = tdb_hash(0, &tdbp->tdb_src, tdbp->tdb_sproto); 639 tdbp->tdb_snext = tdbsrc[hashval]; 640 tdbsrc[hashval] = tdbp; 641 642 tdb_count++; 643 644 ipsec_last_added = time.tv_sec; 645 646 splx(s); 647 } 648 649 /* 650 * Caller is responsible to set at least spltdb(). 651 */ 652 void 653 tdb_delete(struct tdb *tdbp) 654 { 655 struct ipsec_policy *ipo; 656 struct tdb *tdbpp; 657 struct inpcb *inp; 658 u_int32_t hashval; 659 int s; 660 661 if (tdbh == NULL) 662 return; 663 664 hashval = tdb_hash(tdbp->tdb_spi, &tdbp->tdb_dst, tdbp->tdb_sproto); 665 666 s = spltdb(); 667 if (tdbh[hashval] == tdbp) { 668 tdbpp = tdbp; 669 tdbh[hashval] = tdbp->tdb_hnext; 670 } else { 671 for (tdbpp = tdbh[hashval]; tdbpp != NULL; 672 tdbpp = tdbpp->tdb_hnext) { 673 if (tdbpp->tdb_hnext == tdbp) { 674 tdbpp->tdb_hnext = tdbp->tdb_hnext; 675 tdbpp = tdbp; 676 break; 677 } 678 } 679 } 680 681 tdbp->tdb_hnext = NULL; 682 683 hashval = tdb_hash(0, &tdbp->tdb_dst, tdbp->tdb_sproto); 684 685 if (tdbaddr[hashval] == tdbp) { 686 tdbpp = tdbp; 687 tdbaddr[hashval] = tdbp->tdb_anext; 688 } else { 689 for (tdbpp = tdbaddr[hashval]; tdbpp != NULL; 690 tdbpp = tdbpp->tdb_anext) { 691 if (tdbpp->tdb_anext == tdbp) { 692 tdbpp->tdb_anext = tdbp->tdb_anext; 693 tdbpp = tdbp; 694 break; 695 } 696 } 697 } 698 699 hashval = tdb_hash(0, &tdbp->tdb_src, tdbp->tdb_sproto); 700 701 if (tdbsrc[hashval] == tdbp) { 702 tdbpp = tdbp; 703 tdbsrc[hashval] = tdbp->tdb_snext; 704 } 705 else { 706 for (tdbpp = tdbsrc[hashval]; tdbpp != NULL; 707 tdbpp = tdbpp->tdb_snext) { 708 if (tdbpp->tdb_snext == tdbp) { 709 tdbpp->tdb_snext = tdbp->tdb_snext; 710 tdbpp = tdbp; 711 break; 712 } 713 } 714 } 715 716 tdbp->tdb_snext = NULL; 717 718 if (tdbp->tdb_xform) { 719 (*(tdbp->tdb_xform->xf_zeroize))(tdbp); 720 tdbp->tdb_xform = NULL; 721 } 722 723 /* Cleanup inp references. */ 724 for (inp = TAILQ_FIRST(&tdbp->tdb_inp_in); inp; 725 inp = TAILQ_FIRST(&tdbp->tdb_inp_in)) { 726 TAILQ_REMOVE(&tdbp->tdb_inp_in, inp, inp_tdb_in_next); 727 inp->inp_tdb_in = NULL; 728 } 729 730 for (inp = TAILQ_FIRST(&tdbp->tdb_inp_out); inp; 731 inp = TAILQ_FIRST(&tdbp->tdb_inp_out)) { 732 TAILQ_REMOVE(&tdbp->tdb_inp_out, inp, inp_tdb_out_next); 733 inp->inp_tdb_out = NULL; 734 } 735 736 /* Cleanup SPD references. */ 737 for (ipo = TAILQ_FIRST(&tdbp->tdb_policy_head); ipo; 738 ipo = TAILQ_FIRST(&tdbp->tdb_policy_head)) { 739 TAILQ_REMOVE(&tdbp->tdb_policy_head, ipo, ipo_tdb_next); 740 ipo->ipo_tdb = NULL; 741 ipo->ipo_last_searched = 0; /* Force a re-search. */ 742 } 743 744 /* Remove expiration timeouts. */ 745 tdbp->tdb_flags &= ~(TDBF_FIRSTUSE | TDBF_SOFT_FIRSTUSE | TDBF_TIMER | 746 TDBF_SOFT_TIMER); 747 timeout_del(&tdbp->tdb_timer_tmo); 748 timeout_del(&tdbp->tdb_first_tmo); 749 timeout_del(&tdbp->tdb_stimer_tmo); 750 timeout_del(&tdbp->tdb_sfirst_tmo); 751 752 if (tdbp->tdb_local_auth) { 753 ipsp_reffree(tdbp->tdb_local_auth); 754 tdbp->tdb_local_auth = NULL; 755 } 756 757 if (tdbp->tdb_remote_auth) { 758 ipsp_reffree(tdbp->tdb_remote_auth); 759 tdbp->tdb_remote_auth = NULL; 760 } 761 762 if (tdbp->tdb_srcid) { 763 ipsp_reffree(tdbp->tdb_srcid); 764 tdbp->tdb_srcid = NULL; 765 } 766 767 if (tdbp->tdb_dstid) { 768 ipsp_reffree(tdbp->tdb_dstid); 769 tdbp->tdb_dstid = NULL; 770 } 771 772 if (tdbp->tdb_local_cred) { 773 ipsp_reffree(tdbp->tdb_local_cred); 774 tdbp->tdb_local_cred = NULL; 775 } 776 777 if (tdbp->tdb_remote_cred) { 778 ipsp_reffree(tdbp->tdb_remote_cred); 779 tdbp->tdb_local_cred = NULL; 780 } 781 782 if ((tdbp->tdb_onext) && (tdbp->tdb_onext->tdb_inext == tdbp)) 783 tdbp->tdb_onext->tdb_inext = NULL; 784 785 if ((tdbp->tdb_inext) && (tdbp->tdb_inext->tdb_onext == tdbp)) 786 tdbp->tdb_inext->tdb_onext = NULL; 787 788 FREE(tdbp, M_TDB); 789 tdb_count--; 790 791 splx(s); 792 } 793 794 /* 795 * Allocate a TDB and initialize a few basic fields. 796 */ 797 struct tdb * 798 tdb_alloc(void) 799 { 800 struct tdb *tdbp; 801 802 MALLOC(tdbp, struct tdb *, sizeof(struct tdb), M_TDB, M_WAITOK); 803 bzero((caddr_t) tdbp, sizeof(struct tdb)); 804 805 /* Init Incoming SA-Binding Queues. */ 806 TAILQ_INIT(&tdbp->tdb_inp_out); 807 TAILQ_INIT(&tdbp->tdb_inp_in); 808 809 TAILQ_INIT(&tdbp->tdb_policy_head); 810 811 /* Record establishment time. */ 812 tdbp->tdb_established = time.tv_sec; 813 tdbp->tdb_epoch = kernfs_epoch - 1; 814 815 /* Initialize timeouts. */ 816 timeout_set(&tdbp->tdb_timer_tmo, tdb_timeout, tdbp); 817 timeout_set(&tdbp->tdb_first_tmo, tdb_firstuse, tdbp); 818 timeout_set(&tdbp->tdb_stimer_tmo, tdb_soft_timeout, tdbp); 819 timeout_set(&tdbp->tdb_sfirst_tmo, tdb_soft_firstuse, tdbp); 820 821 return tdbp; 822 } 823 824 /* 825 * Do further initializations of a TDB. 826 */ 827 int 828 tdb_init(struct tdb *tdbp, u_int16_t alg, struct ipsecinit *ii) 829 { 830 struct xformsw *xsp; 831 int err; 832 833 for (xsp = xformsw; xsp < xformswNXFORMSW; xsp++) { 834 if (xsp->xf_type == alg) { 835 err = (*(xsp->xf_init))(tdbp, xsp, ii); 836 return err; 837 } 838 } 839 840 DPRINTF(("tdb_init(): no alg %d for spi %08x, addr %s, proto %d\n", 841 alg, ntohl(tdbp->tdb_spi), ipsp_address(tdbp->tdb_dst), 842 tdbp->tdb_sproto)); 843 844 return EINVAL; 845 } 846 847 #ifdef KERNFS 848 /* 849 * Print TDB information on a buffer. 850 */ 851 int 852 ipsp_print_tdb(struct tdb *tdb, char *buffer) 853 { 854 int l, i, k; 855 856 struct ctlname ipspflags[] = { \ 857 { "unique", TDBF_UNIQUE }, \ 858 { "invalid", TDBF_INVALID }, \ 859 { "halfiv", TDBF_HALFIV }, \ 860 { "pfs", TDBF_PFS }, \ 861 { "tunneling", TDBF_TUNNELING }, \ 862 { "noreplay", TDBF_NOREPLAY }, \ 863 { "random padding", TDBF_RANDOMPADDING }, \ 864 { "skipcrypto", TDBF_SKIPCRYPTO }, \ 865 { "usedtunnel", TDBF_USEDTUNNEL }, \ 866 }; 867 868 l = sprintf(buffer, "SPI = %08x, Destination = %s, Sproto = %u\n", 869 ntohl(tdb->tdb_spi), ipsp_address(tdb->tdb_dst), tdb->tdb_sproto); 870 871 l += sprintf(buffer + l, "\tEstablished %d seconds ago\n", 872 time.tv_sec - tdb->tdb_established); 873 874 l += sprintf(buffer + l, "\tSource = %s", ipsp_address(tdb->tdb_src)); 875 876 if (tdb->tdb_proxy.sa.sa_family) 877 l += sprintf(buffer + l, ", Proxy = %s\n", 878 ipsp_address(tdb->tdb_proxy)); 879 else 880 l += sprintf(buffer + l, "\n"); 881 882 if (tdb->tdb_mtu && tdb->tdb_mtutimeout > time.tv_sec) 883 l += sprintf(buffer + l, "\tMTU: %d, expires in %qu seconds\n", 884 tdb->tdb_mtu, tdb->tdb_mtutimeout - time.tv_sec); 885 886 if (tdb->tdb_local_cred) 887 l += sprintf(buffer + l, "\tLocal credential type %d\n", 888 ((struct ipsec_ref *) tdb->tdb_local_cred)->ref_type); 889 890 if (tdb->tdb_remote_cred) 891 l += sprintf(buffer + l, "\tRemote credential type %d\n", 892 ((struct ipsec_ref *) tdb->tdb_remote_cred)->ref_type); 893 894 if (tdb->tdb_local_auth) 895 l += sprintf(buffer + l, "\tLocal auth type %d\n", 896 ((struct ipsec_ref *) tdb->tdb_local_auth)->ref_type); 897 898 if (tdb->tdb_remote_auth) 899 l += sprintf(buffer + l, "\tRemote auth type %d\n", 900 ((struct ipsec_ref *) tdb->tdb_remote_auth)->ref_type); 901 902 l += sprintf(buffer + l, "\tFlags (%08x) = <", tdb->tdb_flags); 903 904 if ((tdb->tdb_flags & ~(TDBF_TIMER | TDBF_BYTES | TDBF_ALLOCATIONS | 905 TDBF_FIRSTUSE | TDBF_SOFT_TIMER | TDBF_SOFT_BYTES | 906 TDBF_SOFT_FIRSTUSE | TDBF_SOFT_ALLOCATIONS)) == 0) 907 l += sprintf(buffer + l, "none>\n"); 908 else { 909 for (k = 0, i = 0; 910 k < sizeof(ipspflags) / sizeof(struct ctlname); k++) { 911 if (tdb->tdb_flags & ipspflags[k].ctl_type) { 912 l += sprintf(buffer + l, "%s,", 913 ipspflags[k].ctl_name); 914 i = 1; 915 } 916 } 917 918 /* If we added flags, remove trailing comma. */ 919 if (i) 920 l--; 921 l += sprintf(buffer + l, ">\n"); 922 } 923 924 l += sprintf(buffer + l, "\tCrypto ID: %qu\n", tdb->tdb_cryptoid); 925 926 if (tdb->tdb_xform) 927 l += sprintf(buffer + l, "\txform = <%s>\n", 928 tdb->tdb_xform->xf_name); 929 930 if (tdb->tdb_encalgxform) 931 l += sprintf(buffer + l, "\t\tEncryption = <%s>\n", 932 tdb->tdb_encalgxform->name); 933 934 if (tdb->tdb_authalgxform) 935 l += sprintf(buffer + l, "\t\tAuthentication = <%s>\n", 936 tdb->tdb_authalgxform->name); 937 938 if (tdb->tdb_onext) 939 l += sprintf(buffer + l, 940 "\tNext SA: SPI = %08x, Destination = %s, Sproto = %u\n", 941 ntohl(tdb->tdb_onext->tdb_spi), 942 ipsp_address(tdb->tdb_onext->tdb_dst), 943 tdb->tdb_onext->tdb_sproto); 944 945 if (tdb->tdb_inext) 946 l += sprintf(buffer + l, "\tPrevious SA: SPI = %08x, " 947 "Destination = %s, Sproto = %u\n", 948 ntohl(tdb->tdb_inext->tdb_spi), 949 ipsp_address(tdb->tdb_inext->tdb_dst), 950 tdb->tdb_inext->tdb_sproto); 951 952 l += sprintf(buffer + l, "\t%qu bytes processed by this SA\n", 953 tdb->tdb_cur_bytes); 954 955 if (tdb->tdb_last_used) 956 l += sprintf(buffer + l, "\tLast used %qu seconds ago\n", 957 time.tv_sec - tdb->tdb_last_used); 958 959 if (tdb->tdb_last_marked) 960 l += sprintf(buffer + l, 961 "\tLast marked/unmarked %qu seconds ago\n", 962 time.tv_sec - tdb->tdb_last_marked); 963 964 l += sprintf(buffer + l, "\tExpirations:\n"); 965 966 if (tdb->tdb_flags & TDBF_TIMER) 967 l += sprintf(buffer + l, 968 "\t\tHard expiration(1) in %qu seconds\n", 969 tdb->tdb_established + tdb->tdb_exp_timeout - time.tv_sec); 970 971 if (tdb->tdb_flags & TDBF_SOFT_TIMER) 972 l += sprintf(buffer + l, 973 "\t\tSoft expiration(1) in %qu seconds\n", 974 tdb->tdb_established + tdb->tdb_soft_timeout - 975 time.tv_sec); 976 977 if (tdb->tdb_flags & TDBF_BYTES) 978 l += sprintf(buffer + l, 979 "\t\tHard expiration after %qu bytes\n", 980 tdb->tdb_exp_bytes); 981 982 if (tdb->tdb_flags & TDBF_SOFT_BYTES) 983 l += sprintf(buffer + l, 984 "\t\tSoft expiration after %qu bytes\n", 985 tdb->tdb_soft_bytes); 986 987 if (tdb->tdb_flags & TDBF_ALLOCATIONS) 988 l += sprintf(buffer + l, 989 "\t\tHard expiration after %u flows\n", 990 tdb->tdb_exp_allocations); 991 992 if (tdb->tdb_flags & TDBF_SOFT_ALLOCATIONS) 993 l += sprintf(buffer + l, 994 "\t\tSoft expiration after %u flows\n", 995 tdb->tdb_soft_allocations); 996 997 if (tdb->tdb_flags & TDBF_FIRSTUSE) { 998 if (tdb->tdb_first_use) 999 l += sprintf(buffer + l, 1000 "\t\tHard expiration(2) in %qu seconds\n", 1001 (tdb->tdb_first_use + tdb->tdb_exp_first_use) - 1002 time.tv_sec); 1003 else 1004 l += sprintf(buffer + l, 1005 "\t\tHard expiration in %qu seconds " 1006 "after first use\n", 1007 tdb->tdb_exp_first_use); 1008 } 1009 1010 if (tdb->tdb_flags & TDBF_SOFT_FIRSTUSE) { 1011 if (tdb->tdb_first_use) 1012 l += sprintf(buffer + l, 1013 "\t\tSoft expiration(2) in %qu seconds\n", 1014 (tdb->tdb_first_use + tdb->tdb_soft_first_use) - 1015 time.tv_sec); 1016 else 1017 l += sprintf(buffer + l, 1018 "\t\tSoft expiration in %qu seconds " 1019 "after first use\n", tdb->tdb_soft_first_use); 1020 } 1021 1022 if (!(tdb->tdb_flags & 1023 (TDBF_TIMER | TDBF_SOFT_TIMER | TDBF_BYTES | 1024 TDBF_SOFT_ALLOCATIONS | TDBF_ALLOCATIONS | 1025 TDBF_SOFT_BYTES | TDBF_FIRSTUSE | TDBF_SOFT_FIRSTUSE))) 1026 l += sprintf(buffer + l, "\t\t(none)\n"); 1027 1028 l += sprintf(buffer + l, "\n"); 1029 1030 return l; 1031 } 1032 1033 /* 1034 * Used by kernfs. 1035 */ 1036 int 1037 ipsp_kern(int off, char **bufp, int len) 1038 { 1039 static char buffer[IPSEC_KERNFS_BUFSIZE]; 1040 struct tdb *tdb; 1041 int i, s, l; 1042 1043 if (bufp == NULL) 1044 return 0; 1045 1046 bzero(buffer, IPSEC_KERNFS_BUFSIZE); 1047 *bufp = buffer; 1048 1049 if (off == 0) { 1050 kernfs_epoch++; 1051 l = sprintf(buffer, "Hashmask: %d, policy entries: %d\n", 1052 tdb_hashmask, ipsec_in_use); 1053 return l; 1054 } 1055 1056 if (tdbh == NULL) 1057 return 0; 1058 1059 for (i = 0; i <= tdb_hashmask; i++) { 1060 s = spltdb(); 1061 for (tdb = tdbh[i]; tdb; tdb = tdb->tdb_hnext) { 1062 if (tdb->tdb_epoch != kernfs_epoch) { 1063 tdb->tdb_epoch = kernfs_epoch; 1064 l = ipsp_print_tdb(tdb, buffer); 1065 splx(s); 1066 return l; 1067 } 1068 } 1069 splx(s); 1070 } 1071 return 0; 1072 } 1073 #endif /* KERNFS */ 1074 1075 /* 1076 * Check which transformations are required. 1077 */ 1078 u_int8_t 1079 get_sa_require(struct inpcb *inp) 1080 { 1081 u_int8_t sareq = 0; 1082 1083 if (inp != NULL) { 1084 sareq |= inp->inp_seclevel[SL_AUTH] >= IPSEC_LEVEL_USE ? 1085 NOTIFY_SATYPE_AUTH : 0; 1086 sareq |= inp->inp_seclevel[SL_ESP_TRANS] >= IPSEC_LEVEL_USE ? 1087 NOTIFY_SATYPE_CONF : 0; 1088 sareq |= inp->inp_seclevel[SL_ESP_NETWORK] >= IPSEC_LEVEL_USE ? 1089 NOTIFY_SATYPE_TUNNEL : 0; 1090 } else { 1091 sareq |= ipsec_auth_default_level >= IPSEC_LEVEL_USE ? 1092 NOTIFY_SATYPE_AUTH : 0; 1093 sareq |= ipsec_esp_trans_default_level >= IPSEC_LEVEL_USE ? 1094 NOTIFY_SATYPE_CONF : 0; 1095 sareq |= ipsec_esp_network_default_level >= IPSEC_LEVEL_USE ? 1096 NOTIFY_SATYPE_TUNNEL : 0; 1097 } 1098 1099 return (sareq); 1100 } 1101 1102 /* 1103 * Add an inpcb to the list of inpcb which reference this tdb directly. 1104 */ 1105 void 1106 tdb_add_inp(struct tdb *tdb, struct inpcb *inp, int inout) 1107 { 1108 if (inout) { 1109 if (inp->inp_tdb_in) { 1110 if (inp->inp_tdb_in == tdb) 1111 return; 1112 1113 TAILQ_REMOVE(&inp->inp_tdb_in->tdb_inp_in, inp, 1114 inp_tdb_in_next); 1115 } 1116 1117 inp->inp_tdb_in = tdb; 1118 TAILQ_INSERT_TAIL(&tdb->tdb_inp_in, inp, inp_tdb_in_next); 1119 } else { 1120 if (inp->inp_tdb_out) { 1121 if (inp->inp_tdb_out == tdb) 1122 return; 1123 1124 TAILQ_REMOVE(&inp->inp_tdb_out->tdb_inp_out, inp, 1125 inp_tdb_out_next); 1126 } 1127 1128 inp->inp_tdb_out = tdb; 1129 TAILQ_INSERT_TAIL(&tdb->tdb_inp_out, inp, inp_tdb_out_next); 1130 } 1131 } 1132 1133 /* Return a printable string for the IPv4 address. */ 1134 char * 1135 inet_ntoa4(struct in_addr ina) 1136 { 1137 static char buf[4][4 * sizeof "123" + 4]; 1138 unsigned char *ucp = (unsigned char *) &ina; 1139 static int i = 3; 1140 1141 i = (i + 1) % 4; 1142 sprintf(buf[i], "%d.%d.%d.%d", ucp[0] & 0xff, ucp[1] & 0xff, 1143 ucp[2] & 0xff, ucp[3] & 0xff); 1144 return (buf[i]); 1145 } 1146 1147 /* Return a printable string for the address. */ 1148 char * 1149 ipsp_address(union sockaddr_union sa) 1150 { 1151 switch (sa.sa.sa_family) { 1152 #if INET 1153 case AF_INET: 1154 return inet_ntoa4(sa.sin.sin_addr); 1155 #endif /* INET */ 1156 1157 #if INET6 1158 case AF_INET6: 1159 return ip6_sprintf(&sa.sin6.sin6_addr); 1160 #endif /* INET6 */ 1161 1162 default: 1163 return "(unknown address family)"; 1164 } 1165 } 1166 1167 /* Check whether an IP{4,6} address is unspecified. */ 1168 int 1169 ipsp_is_unspecified(union sockaddr_union addr) 1170 { 1171 switch (addr.sa.sa_family) { 1172 #ifdef INET 1173 case AF_INET: 1174 if (addr.sin.sin_addr.s_addr == INADDR_ANY) 1175 return 1; 1176 else 1177 return 0; 1178 #endif /* INET */ 1179 1180 #ifdef INET6 1181 case AF_INET6: 1182 if (IN6_IS_ADDR_UNSPECIFIED(&addr.sin6.sin6_addr)) 1183 return 1; 1184 else 1185 return 0; 1186 #endif /* INET6 */ 1187 1188 case 0: /* No family set. */ 1189 default: 1190 return 1; 1191 } 1192 } 1193 1194 /* Free reference-counted structure. */ 1195 void 1196 ipsp_reffree(struct ipsec_ref *ipr) 1197 { 1198 #ifdef DIAGNOSTIC 1199 if (ipr->ref_count <= 0) 1200 printf("ipsp_reffree: illegal reference count %d for " 1201 "object %p (len = %d, malloctype = %d)\n", 1202 ipr->ref_count, ipr, ipr->ref_len, ipr->ref_malloctype); 1203 #endif 1204 if (--ipr->ref_count <= 0) 1205 FREE(ipr, ipr->ref_malloctype); 1206 } 1207 1208 /* Mark a TDB as TDBF_SKIPCRYPTO. */ 1209 void 1210 ipsp_skipcrypto_mark(struct tdb_ident *tdbi) 1211 { 1212 struct tdb *tdb; 1213 int s = spltdb(); 1214 1215 tdb = gettdb(tdbi->spi, &tdbi->dst, tdbi->proto); 1216 if (tdb != NULL) { 1217 tdb->tdb_flags |= TDBF_SKIPCRYPTO; 1218 tdb->tdb_last_marked = time.tv_sec; 1219 } 1220 splx(s); 1221 } 1222 1223 /* Unmark a TDB as TDBF_SKIPCRYPTO. */ 1224 void 1225 ipsp_skipcrypto_unmark(struct tdb_ident *tdbi) 1226 { 1227 struct tdb *tdb; 1228 int s = spltdb(); 1229 1230 tdb = gettdb(tdbi->spi, &tdbi->dst, tdbi->proto); 1231 if (tdb != NULL) { 1232 tdb->tdb_flags &= ~TDBF_SKIPCRYPTO; 1233 tdb->tdb_last_marked = time.tv_sec; 1234 } 1235 splx(s); 1236 } 1237 1238 /* 1239 * Go down a chain of IPv4/IPv6/ESP/AH/IPiP chains creating an tag for each 1240 * IPsec header encountered. The offset where the first header, as well 1241 * as its type are given to us. 1242 */ 1243 struct m_tag * 1244 ipsp_parse_headers(struct mbuf *m, int off, u_int8_t proto) 1245 { 1246 int ipv4sa = 0, s, esphlen = 0, trail = 0, i; 1247 SLIST_HEAD(packet_tags, m_tag) tags; 1248 unsigned char lasteight[8]; 1249 struct tdb_ident *tdbi; 1250 struct m_tag *mtag; 1251 struct tdb *tdb; 1252 1253 #ifdef INET 1254 struct ip iph; 1255 #endif /* INET */ 1256 1257 #ifdef INET6 1258 struct in6_addr ip6_dst; 1259 #endif /* INET6 */ 1260 1261 /* We have to start with a known network protocol. */ 1262 if (proto != IPPROTO_IPV4 && proto != IPPROTO_IPV6) 1263 return NULL; 1264 1265 SLIST_INIT(&tags); 1266 1267 while (1) { 1268 switch (proto) { 1269 #ifdef INET 1270 case IPPROTO_IPV4: /* Also IPPROTO_IPIP */ 1271 { 1272 /* 1273 * Save the IP header (we need both the 1274 * address and ip_hl). 1275 */ 1276 m_copydata(m, off, sizeof(struct ip), (caddr_t) &iph); 1277 ipv4sa = 1; 1278 proto = iph.ip_p; 1279 off += iph.ip_hl << 2; 1280 break; 1281 } 1282 #endif /* INET */ 1283 1284 #ifdef INET6 1285 case IPPROTO_IPV6: 1286 { 1287 int nxtp, l; 1288 1289 /* Copy the IPv6 address. */ 1290 m_copydata(m, off + offsetof(struct ip6_hdr, ip6_dst), 1291 sizeof(struct ip6_hdr), (caddr_t) &ip6_dst); 1292 ipv4sa = 0; 1293 1294 /* 1295 * Go down the chain of headers until we encounter a 1296 * non-option. 1297 */ 1298 for (l = ip6_nexthdr(m, off, proto, &nxtp); l != -1; 1299 l = ip6_nexthdr(m, off, proto, &nxtp)) { 1300 off += l; 1301 proto = nxtp; 1302 1303 /* Construct a tag. */ 1304 if (nxtp == IPPROTO_AH) { 1305 mtag = m_tag_get(PACKET_TAG_IPSEC_IN_CRYPTO_DONE, 1306 sizeof(struct tdb_ident), 1307 M_NOWAIT); 1308 1309 if (mtag == NULL) 1310 return tags.slh_first; 1311 1312 tdbi = (struct tdb_ident *) (mtag + 1); 1313 bzero(tdbi, sizeof(struct tdb_ident)); 1314 1315 m_copydata(m, off + sizeof(u_int32_t), 1316 sizeof(u_int32_t), 1317 (caddr_t) &tdbi->spi); 1318 1319 tdbi->proto = IPPROTO_AH; 1320 tdbi->dst.sin6.sin6_family = AF_INET6; 1321 tdbi->dst.sin6.sin6_len = 1322 sizeof(struct sockaddr_in6); 1323 tdbi->dst.sin6.sin6_addr = ip6_dst; 1324 SLIST_INSERT_HEAD(&tags, 1325 mtag, m_tag_link); 1326 } 1327 else 1328 if (nxtp == IPPROTO_IPV6) 1329 m_copydata(m, off + 1330 offsetof(struct ip6_hdr, 1331 ip6_dst), 1332 sizeof(struct ip6_hdr), 1333 (caddr_t) &ip6_dst); 1334 } 1335 break; 1336 } 1337 #endif /* INET6 */ 1338 1339 case IPPROTO_ESP: 1340 /* Verify that this has been decrypted. */ 1341 { 1342 union sockaddr_union su; 1343 u_int32_t spi; 1344 1345 m_copydata(m, off, sizeof(u_int32_t), (caddr_t) &spi); 1346 bzero(&su, sizeof(union sockaddr_union)); 1347 1348 s = spltdb(); 1349 1350 #ifdef INET 1351 if (ipv4sa) { 1352 su.sin.sin_family = AF_INET; 1353 su.sin.sin_len = sizeof(struct sockaddr_in); 1354 su.sin.sin_addr = iph.ip_dst; 1355 } 1356 #endif /* INET */ 1357 1358 #ifdef INET6 1359 if (!ipv4sa) { 1360 su.sin6.sin6_family = AF_INET6; 1361 su.sin6.sin6_len = sizeof(struct sockaddr_in6); 1362 su.sin6.sin6_addr = ip6_dst; 1363 } 1364 #endif /* INET6 */ 1365 1366 tdb = gettdb(spi, &su, IPPROTO_ESP); 1367 if (tdb == NULL) { 1368 splx(s); 1369 return tags.slh_first; 1370 } 1371 1372 /* How large is the ESP header ? We use this later. */ 1373 if (tdb->tdb_flags & TDBF_NOREPLAY) 1374 esphlen = sizeof(u_int32_t) + tdb->tdb_ivlen; 1375 else 1376 esphlen = 2 * sizeof(u_int32_t) + 1377 tdb->tdb_ivlen; 1378 1379 /* 1380 * Verify decryption. If the SA is using 1381 * random padding (as the "old" ESP SAs were 1382 * bound to do, there's nothing we can do to 1383 * see if the payload has been decrypted. 1384 */ 1385 if (tdb->tdb_flags & TDBF_RANDOMPADDING) { 1386 splx(s); 1387 return tags.slh_first; 1388 } 1389 1390 /* Update the length of trailing ESP authenticators. */ 1391 if (tdb->tdb_authalgxform) 1392 trail += AH_HMAC_HASHLEN; 1393 1394 splx(s); 1395 1396 /* Copy the last 10 bytes. */ 1397 m_copydata(m, m->m_pkthdr.len - trail - 8, 8, 1398 lasteight); 1399 1400 /* Verify the self-describing padding values. */ 1401 if (lasteight[6] != 0) { 1402 if (lasteight[6] != lasteight[5]) 1403 return tags.slh_first; 1404 1405 for (i = 4; lasteight[i + 1] != 1 && i >= 0; 1406 i--) 1407 if (lasteight[i + 1] != 1408 lasteight[i] + 1) 1409 return tags.slh_first; 1410 } 1411 } 1412 /* Fall through. */ 1413 case IPPROTO_AH: 1414 mtag = m_tag_get(PACKET_TAG_IPSEC_IN_CRYPTO_DONE, 1415 sizeof(struct tdb_ident), M_NOWAIT); 1416 if (mtag == NULL) 1417 return tags.slh_first; 1418 1419 tdbi = (struct tdb_ident *) (mtag + 1); 1420 bzero(tdbi, sizeof(struct tdb_ident)); 1421 1422 /* Get SPI off the relevant header. */ 1423 if (proto == IPPROTO_AH) 1424 m_copydata(m, off + sizeof(u_int32_t), 1425 sizeof(u_int32_t), (caddr_t) &tdbi->spi); 1426 else /* IPPROTO_ESP */ 1427 m_copydata(m, off, sizeof(u_int32_t), 1428 (caddr_t) &tdbi->spi); 1429 1430 tdbi->proto = proto; /* AH or ESP */ 1431 1432 #ifdef INET 1433 /* Last network header was IPv4. */ 1434 if (ipv4sa) { 1435 tdbi->dst.sin.sin_family = AF_INET; 1436 tdbi->dst.sin.sin_len = 1437 sizeof(struct sockaddr_in); 1438 tdbi->dst.sin.sin_addr = iph.ip_dst; 1439 } 1440 #endif /* INET */ 1441 1442 #ifdef INET6 1443 /* Last network header was IPv6. */ 1444 if (!ipv4sa) { 1445 tdbi->dst.sin6.sin6_family = AF_INET6; 1446 tdbi->dst.sin6.sin6_len = 1447 sizeof(struct sockaddr_in6); 1448 tdbi->dst.sin6.sin6_addr = ip6_dst; 1449 } 1450 #endif /* INET6 */ 1451 1452 SLIST_INSERT_HEAD(&tags, mtag, m_tag_link); 1453 1454 /* Update next protocol/header and header offset. */ 1455 if (proto == IPPROTO_AH) { 1456 u_int8_t foo[2]; 1457 1458 m_copydata(m, off, 2 * sizeof(u_int8_t), foo); 1459 proto = foo[0]; 1460 off += (foo[1] + 2) << 2; 1461 } else {/* IPPROTO_ESP */ 1462 /* Initialized in IPPROTO_ESP case. */ 1463 off += esphlen; 1464 proto = lasteight[7]; 1465 } 1466 break; 1467 1468 default: 1469 return tags.slh_first; /* We're done. */ 1470 } 1471 } 1472 } 1473 1474 /* Return true if the two structures match. */ 1475 int 1476 ipsp_ref_match(struct ipsec_ref *ref1, struct ipsec_ref *ref2) 1477 { 1478 if (ref1->ref_type != ref2->ref_type || 1479 ref1->ref_len != ref2->ref_len || 1480 bcmp(ref1 + 1, ref2 + 1, ref1->ref_len)) 1481 return 0; 1482 1483 return 1; 1484 } 1485