1 /* $OpenBSD: ip_ipsp.c,v 1.217 2016/09/20 14:01:04 mikeb Exp $ */ 2 /* 3 * The authors of this code are John Ioannidis (ji@tla.org), 4 * Angelos D. Keromytis (kermit@csd.uch.gr), 5 * Niels Provos (provos@physnet.uni-hamburg.de) and 6 * Niklas Hallqvist (niklas@appli.se). 7 * 8 * The original version of this code was written by John Ioannidis 9 * for BSD/OS in Athens, Greece, in November 1995. 10 * 11 * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996, 12 * by Angelos D. Keromytis. 13 * 14 * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis 15 * and Niels Provos. 16 * 17 * Additional features in 1999 by Angelos D. Keromytis and Niklas Hallqvist. 18 * 19 * Copyright (c) 1995, 1996, 1997, 1998, 1999 by John Ioannidis, 20 * Angelos D. Keromytis and Niels Provos. 21 * Copyright (c) 1999 Niklas Hallqvist. 22 * Copyright (c) 2001, Angelos D. Keromytis. 23 * 24 * Permission to use, copy, and modify this software with or without fee 25 * is hereby granted, provided that this entire notice is included in 26 * all copies of any software which is or includes a copy or 27 * modification of this software. 28 * You may use this code under the GNU public license if you so wish. Please 29 * contribute changes back to the authors under this freer than GPL license 30 * so that we may further the use of strong encryption without limitations to 31 * all. 32 * 33 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR 34 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY 35 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE 36 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR 37 * PURPOSE. 38 */ 39 40 #include "pf.h" 41 #include "pfsync.h" 42 43 #include <sys/param.h> 44 #include <sys/systm.h> 45 #include <sys/mbuf.h> 46 #include <sys/socket.h> 47 #include <sys/kernel.h> 48 #include <sys/timeout.h> 49 50 #include <net/if.h> 51 #include <net/route.h> 52 53 #include <netinet/in.h> 54 #include <netinet/ip.h> 55 #include <netinet/in_pcb.h> 56 #include <netinet/ip_var.h> 57 58 #if NPF > 0 59 #include <net/pfvar.h> 60 #endif 61 62 #if NPFSYNC > 0 63 #include <net/if_pfsync.h> 64 #endif 65 66 #include <netinet/ip_ipsp.h> 67 #include <net/pfkeyv2.h> 68 69 #ifdef DDB 70 #include <ddb/db_output.h> 71 void tdb_hashstats(void); 72 #endif 73 74 #ifdef ENCDEBUG 75 #define DPRINTF(x) if (encdebug) printf x 76 #else 77 #define DPRINTF(x) 78 #endif 79 80 void tdb_rehash(void); 81 void tdb_timeout(void *v); 82 void tdb_firstuse(void *v); 83 void tdb_soft_timeout(void *v); 84 void tdb_soft_firstuse(void *v); 85 int tdb_hash(u_int, u_int32_t, union sockaddr_union *, u_int8_t); 86 87 int ipsec_in_use = 0; 88 u_int64_t ipsec_last_added = 0; 89 90 struct ipsec_policy_head ipsec_policy_head = 91 TAILQ_HEAD_INITIALIZER(ipsec_policy_head); 92 struct ipsec_acquire_head ipsec_acquire_head = 93 TAILQ_HEAD_INITIALIZER(ipsec_acquire_head); 94 95 u_int32_t ipsec_ids_next_flow = 1; /* may not be zero */ 96 int ipsec_ids_idle = 100; /* keep free ids for 100s */ 97 struct ipsec_ids_tree ipsec_ids_tree; 98 struct ipsec_ids_flows ipsec_ids_flows; 99 100 void ipsp_ids_timeout(void *); 101 static inline int ipsp_ids_cmp(const struct ipsec_ids *, 102 const struct ipsec_ids *); 103 static inline int ipsp_ids_flow_cmp(const struct ipsec_ids *, 104 const struct ipsec_ids *); 105 RBT_PROTOTYPE(ipsec_ids_tree, ipsec_ids, id_node_flow, ipsp_ids_cmp); 106 RBT_PROTOTYPE(ipsec_ids_flows, ipsec_ids, id_node_id, ipsp_ids_flow_cmp); 107 RBT_GENERATE(ipsec_ids_tree, ipsec_ids, id_node_flow, ipsp_ids_cmp); 108 RBT_GENERATE(ipsec_ids_flows, ipsec_ids, id_node_id, ipsp_ids_flow_cmp); 109 110 /* 111 * This is the proper place to define the various encapsulation transforms. 112 */ 113 114 struct xformsw xformsw[] = { 115 #ifdef IPSEC 116 { XF_IP4, 0, "IPv4 Simple Encapsulation", 117 ipe4_attach, ipe4_init, ipe4_zeroize, 118 (int (*)(struct mbuf *, struct tdb *, int, int))ipe4_input, 119 ipip_output, }, 120 { XF_AH, XFT_AUTH, "IPsec AH", 121 ah_attach, ah_init, ah_zeroize, 122 ah_input, ah_output, }, 123 { XF_ESP, XFT_CONF|XFT_AUTH, "IPsec ESP", 124 esp_attach, esp_init, esp_zeroize, 125 esp_input, esp_output, }, 126 { XF_IPCOMP, XFT_COMP, "IPcomp", 127 ipcomp_attach, ipcomp_init, ipcomp_zeroize, 128 ipcomp_input, ipcomp_output, }, 129 #endif /* IPSEC */ 130 #ifdef TCP_SIGNATURE 131 { XF_TCPSIGNATURE, XFT_AUTH, "TCP MD5 Signature Option, RFC 2385", 132 tcp_signature_tdb_attach, tcp_signature_tdb_init, 133 tcp_signature_tdb_zeroize, tcp_signature_tdb_input, 134 tcp_signature_tdb_output, } 135 #endif /* TCP_SIGNATURE */ 136 }; 137 138 struct xformsw *xformswNXFORMSW = &xformsw[nitems(xformsw)]; 139 140 #define TDB_HASHSIZE_INIT 32 141 142 static SIPHASH_KEY tdbkey; 143 static struct tdb **tdbh = NULL; 144 static struct tdb **tdbdst = NULL; 145 static struct tdb **tdbsrc = NULL; 146 static u_int tdb_hashmask = TDB_HASHSIZE_INIT - 1; 147 static int tdb_count; 148 149 /* 150 * Our hashing function needs to stir things with a non-zero random multiplier 151 * so we cannot be DoS-attacked via choosing of the data to hash. 152 */ 153 int 154 tdb_hash(u_int rdomain, u_int32_t spi, union sockaddr_union *dst, 155 u_int8_t proto) 156 { 157 SIPHASH_CTX ctx; 158 159 SipHash24_Init(&ctx, &tdbkey); 160 SipHash24_Update(&ctx, &rdomain, sizeof(rdomain)); 161 SipHash24_Update(&ctx, &spi, sizeof(spi)); 162 SipHash24_Update(&ctx, &proto, sizeof(proto)); 163 SipHash24_Update(&ctx, dst, SA_LEN(&dst->sa)); 164 165 return (SipHash24_End(&ctx) & tdb_hashmask); 166 } 167 168 /* 169 * Reserve an SPI; the SA is not valid yet though. We use 0 as 170 * an error return value. 171 */ 172 u_int32_t 173 reserve_spi(u_int rdomain, u_int32_t sspi, u_int32_t tspi, 174 union sockaddr_union *src, union sockaddr_union *dst, 175 u_int8_t sproto, int *errval) 176 { 177 struct tdb *tdbp, *exists; 178 u_int32_t spi; 179 int nums, s; 180 181 /* Don't accept ranges only encompassing reserved SPIs. */ 182 if (sproto != IPPROTO_IPCOMP && 183 (tspi < sspi || tspi <= SPI_RESERVED_MAX)) { 184 (*errval) = EINVAL; 185 return 0; 186 } 187 if (sproto == IPPROTO_IPCOMP && (tspi < sspi || 188 tspi <= CPI_RESERVED_MAX || 189 tspi >= CPI_PRIVATE_MIN)) { 190 (*errval) = EINVAL; 191 return 0; 192 } 193 194 /* Limit the range to not include reserved areas. */ 195 if (sspi <= SPI_RESERVED_MAX) 196 sspi = SPI_RESERVED_MAX + 1; 197 198 /* For IPCOMP the CPI is only 16 bits long, what a good idea.... */ 199 200 if (sproto == IPPROTO_IPCOMP) { 201 u_int32_t t; 202 if (sspi >= 0x10000) 203 sspi = 0xffff; 204 if (tspi >= 0x10000) 205 tspi = 0xffff; 206 if (sspi > tspi) { 207 t = sspi; sspi = tspi; tspi = t; 208 } 209 } 210 211 if (sspi == tspi) /* Asking for a specific SPI. */ 212 nums = 1; 213 else 214 nums = 100; /* Arbitrarily chosen */ 215 216 /* allocate ahead of time to avoid potential sleeping race in loop */ 217 tdbp = tdb_alloc(rdomain); 218 219 while (nums--) { 220 if (sspi == tspi) /* Specific SPI asked. */ 221 spi = tspi; 222 else /* Range specified */ 223 spi = sspi + arc4random_uniform(tspi - sspi); 224 225 /* Don't allocate reserved SPIs. */ 226 if (spi >= SPI_RESERVED_MIN && spi <= SPI_RESERVED_MAX) 227 continue; 228 else 229 spi = htonl(spi); 230 231 /* Check whether we're using this SPI already. */ 232 s = splsoftnet(); 233 exists = gettdb(rdomain, spi, dst, sproto); 234 splx(s); 235 236 if (exists) 237 continue; 238 239 240 tdbp->tdb_spi = spi; 241 memcpy(&tdbp->tdb_dst.sa, &dst->sa, SA_LEN(&dst->sa)); 242 memcpy(&tdbp->tdb_src.sa, &src->sa, SA_LEN(&src->sa)); 243 tdbp->tdb_sproto = sproto; 244 tdbp->tdb_flags |= TDBF_INVALID; /* Mark SA invalid for now. */ 245 tdbp->tdb_satype = SADB_SATYPE_UNSPEC; 246 puttdb(tdbp); 247 248 /* Setup a "silent" expiration (since TDBF_INVALID's set). */ 249 if (ipsec_keep_invalid > 0) { 250 tdbp->tdb_flags |= TDBF_TIMER; 251 tdbp->tdb_exp_timeout = ipsec_keep_invalid; 252 timeout_add_sec(&tdbp->tdb_timer_tmo, 253 ipsec_keep_invalid); 254 } 255 256 return spi; 257 } 258 259 (*errval) = EEXIST; 260 tdb_free(tdbp); 261 return 0; 262 } 263 264 /* 265 * An IPSP SAID is really the concatenation of the SPI found in the 266 * packet, the destination address of the packet and the IPsec protocol. 267 * When we receive an IPSP packet, we need to look up its tunnel descriptor 268 * block, based on the SPI in the packet and the destination address (which 269 * is really one of our addresses if we received the packet! 270 * 271 * Caller is responsible for setting at least splsoftnet(). 272 */ 273 struct tdb * 274 gettdb(u_int rdomain, u_int32_t spi, union sockaddr_union *dst, u_int8_t proto) 275 { 276 u_int32_t hashval; 277 struct tdb *tdbp; 278 279 if (tdbh == NULL) 280 return (struct tdb *) NULL; 281 282 hashval = tdb_hash(rdomain, spi, dst, proto); 283 284 for (tdbp = tdbh[hashval]; tdbp != NULL; tdbp = tdbp->tdb_hnext) 285 if ((tdbp->tdb_spi == spi) && (tdbp->tdb_sproto == proto) && 286 (tdbp->tdb_rdomain == rdomain) && 287 !memcmp(&tdbp->tdb_dst, dst, SA_LEN(&dst->sa))) 288 break; 289 290 return tdbp; 291 } 292 293 /* 294 * Same as gettdb() but compare SRC as well, so we 295 * use the tdbsrc[] hash table. Setting spi to 0 296 * matches all SPIs. 297 */ 298 struct tdb * 299 gettdbbysrcdst(u_int rdomain, u_int32_t spi, union sockaddr_union *src, 300 union sockaddr_union *dst, u_int8_t proto) 301 { 302 u_int32_t hashval; 303 struct tdb *tdbp; 304 union sockaddr_union su_null; 305 306 if (tdbsrc == NULL) 307 return (struct tdb *) NULL; 308 309 hashval = tdb_hash(rdomain, 0, src, proto); 310 311 for (tdbp = tdbsrc[hashval]; tdbp != NULL; tdbp = tdbp->tdb_snext) 312 if (tdbp->tdb_sproto == proto && 313 (spi == 0 || tdbp->tdb_spi == spi) && 314 (tdbp->tdb_rdomain == rdomain) && 315 ((tdbp->tdb_flags & TDBF_INVALID) == 0) && 316 (tdbp->tdb_dst.sa.sa_family == AF_UNSPEC || 317 !memcmp(&tdbp->tdb_dst, dst, SA_LEN(&dst->sa))) && 318 !memcmp(&tdbp->tdb_src, src, SA_LEN(&src->sa))) 319 break; 320 321 if (tdbp != NULL) 322 return (tdbp); 323 324 memset(&su_null, 0, sizeof(su_null)); 325 su_null.sa.sa_len = sizeof(struct sockaddr); 326 hashval = tdb_hash(rdomain, 0, &su_null, proto); 327 328 for (tdbp = tdbsrc[hashval]; tdbp != NULL; tdbp = tdbp->tdb_snext) 329 if (tdbp->tdb_sproto == proto && 330 (spi == 0 || tdbp->tdb_spi == spi) && 331 (tdbp->tdb_rdomain == rdomain) && 332 ((tdbp->tdb_flags & TDBF_INVALID) == 0) && 333 (tdbp->tdb_dst.sa.sa_family == AF_UNSPEC || 334 !memcmp(&tdbp->tdb_dst, dst, SA_LEN(&dst->sa))) && 335 tdbp->tdb_src.sa.sa_family == AF_UNSPEC) 336 break; 337 338 return (tdbp); 339 } 340 341 /* 342 * Check that IDs match. Return true if so. The t* range of 343 * arguments contains information from TDBs; the p* range of 344 * arguments contains information from policies or already 345 * established TDBs. 346 */ 347 int 348 ipsp_aux_match(struct tdb *tdb, 349 struct ipsec_ids *ids, 350 struct sockaddr_encap *pfilter, 351 struct sockaddr_encap *pfiltermask) 352 { 353 if (ids != NULL) 354 if (tdb->tdb_ids == NULL || 355 !ipsp_ids_match(tdb->tdb_ids, ids)) 356 return 0; 357 358 /* Check for filter matches. */ 359 if (pfilter != NULL && pfiltermask != NULL && 360 tdb->tdb_filter.sen_type) { 361 /* 362 * XXX We should really be doing a subnet-check (see 363 * whether the TDB-associated filter is a subset 364 * of the policy's. For now, an exact match will solve 365 * most problems (all this will do is make every 366 * policy get its own SAs). 367 */ 368 if (memcmp(&tdb->tdb_filter, pfilter, 369 sizeof(struct sockaddr_encap)) || 370 memcmp(&tdb->tdb_filtermask, pfiltermask, 371 sizeof(struct sockaddr_encap))) 372 return 0; 373 } 374 375 return 1; 376 } 377 378 /* 379 * Get an SA given the remote address, the security protocol type, and 380 * the desired IDs. 381 */ 382 struct tdb * 383 gettdbbydst(u_int rdomain, union sockaddr_union *dst, u_int8_t sproto, 384 struct ipsec_ids *ids, 385 struct sockaddr_encap *filter, struct sockaddr_encap *filtermask) 386 { 387 u_int32_t hashval; 388 struct tdb *tdbp; 389 390 if (tdbdst == NULL) 391 return (struct tdb *) NULL; 392 393 hashval = tdb_hash(rdomain, 0, dst, sproto); 394 395 for (tdbp = tdbdst[hashval]; tdbp != NULL; tdbp = tdbp->tdb_dnext) 396 if ((tdbp->tdb_sproto == sproto) && 397 (tdbp->tdb_rdomain == rdomain) && 398 ((tdbp->tdb_flags & TDBF_INVALID) == 0) && 399 (!memcmp(&tdbp->tdb_dst, dst, SA_LEN(&dst->sa)))) { 400 /* Do IDs match ? */ 401 if (!ipsp_aux_match(tdbp, ids, filter, filtermask)) 402 continue; 403 break; 404 } 405 406 return tdbp; 407 } 408 409 /* 410 * Get an SA given the source address, the security protocol type, and 411 * the desired IDs. 412 */ 413 struct tdb * 414 gettdbbysrc(u_int rdomain, union sockaddr_union *src, u_int8_t sproto, 415 struct ipsec_ids *ids, 416 struct sockaddr_encap *filter, struct sockaddr_encap *filtermask) 417 { 418 u_int32_t hashval; 419 struct tdb *tdbp; 420 421 if (tdbsrc == NULL) 422 return (struct tdb *) NULL; 423 424 hashval = tdb_hash(rdomain, 0, src, sproto); 425 426 for (tdbp = tdbsrc[hashval]; tdbp != NULL; tdbp = tdbp->tdb_snext) 427 if ((tdbp->tdb_sproto == sproto) && 428 (tdbp->tdb_rdomain == rdomain) && 429 ((tdbp->tdb_flags & TDBF_INVALID) == 0) && 430 (!memcmp(&tdbp->tdb_src, src, SA_LEN(&src->sa)))) { 431 /* Check whether IDs match */ 432 if (!ipsp_aux_match(tdbp, ids, filter, 433 filtermask)) 434 continue; 435 break; 436 } 437 438 return tdbp; 439 } 440 441 #if DDB 442 443 #define NBUCKETS 16 444 void 445 tdb_hashstats(void) 446 { 447 int i, cnt, buckets[NBUCKETS]; 448 struct tdb *tdbp; 449 450 if (tdbh == NULL) { 451 db_printf("no tdb hash table\n"); 452 return; 453 } 454 455 memset(buckets, 0, sizeof(buckets)); 456 for (i = 0; i <= tdb_hashmask; i++) { 457 cnt = 0; 458 for (tdbp = tdbh[i]; cnt < NBUCKETS - 1 && tdbp != NULL; 459 tdbp = tdbp->tdb_hnext) 460 cnt++; 461 buckets[cnt]++; 462 } 463 464 db_printf("tdb cnt\t\tbucket cnt\n"); 465 for (i = 0; i < NBUCKETS; i++) 466 if (buckets[i] > 0) 467 db_printf("%d%s\t\t%d\n", i, i == NBUCKETS - 1 ? 468 "+" : "", buckets[i]); 469 } 470 #endif /* DDB */ 471 472 /* 473 * Caller is responsible for setting at least splsoftnet(). 474 */ 475 int 476 tdb_walk(u_int rdomain, int (*walker)(struct tdb *, void *, int), void *arg) 477 { 478 int i, rval = 0; 479 struct tdb *tdbp, *next; 480 481 if (tdbh == NULL) 482 return ENOENT; 483 484 for (i = 0; i <= tdb_hashmask; i++) 485 for (tdbp = tdbh[i]; rval == 0 && tdbp != NULL; tdbp = next) { 486 next = tdbp->tdb_hnext; 487 488 if (rdomain != tdbp->tdb_rdomain) 489 continue; 490 491 if (i == tdb_hashmask && next == NULL) 492 rval = walker(tdbp, (void *)arg, 1); 493 else 494 rval = walker(tdbp, (void *)arg, 0); 495 } 496 497 return rval; 498 } 499 500 /* 501 * Called at splsoftclock(). 502 */ 503 void 504 tdb_timeout(void *v) 505 { 506 struct tdb *tdb = v; 507 int s; 508 509 if (!(tdb->tdb_flags & TDBF_TIMER)) 510 return; 511 512 s = splsoftnet(); 513 /* If it's an "invalid" TDB do a silent expiration. */ 514 if (!(tdb->tdb_flags & TDBF_INVALID)) 515 pfkeyv2_expire(tdb, SADB_EXT_LIFETIME_HARD); 516 tdb_delete(tdb); 517 splx(s); 518 } 519 520 void 521 tdb_firstuse(void *v) 522 { 523 struct tdb *tdb = v; 524 int s; 525 526 if (!(tdb->tdb_flags & TDBF_SOFT_FIRSTUSE)) 527 return; 528 529 s = splsoftnet(); 530 /* If the TDB hasn't been used, don't renew it. */ 531 if (tdb->tdb_first_use != 0) 532 pfkeyv2_expire(tdb, SADB_EXT_LIFETIME_HARD); 533 tdb_delete(tdb); 534 splx(s); 535 } 536 537 void 538 tdb_soft_timeout(void *v) 539 { 540 struct tdb *tdb = v; 541 int s; 542 543 if (!(tdb->tdb_flags & TDBF_SOFT_TIMER)) 544 return; 545 546 s = splsoftnet(); 547 /* Soft expirations. */ 548 pfkeyv2_expire(tdb, SADB_EXT_LIFETIME_SOFT); 549 tdb->tdb_flags &= ~TDBF_SOFT_TIMER; 550 splx(s); 551 } 552 553 void 554 tdb_soft_firstuse(void *v) 555 { 556 struct tdb *tdb = v; 557 int s; 558 559 if (!(tdb->tdb_flags & TDBF_SOFT_FIRSTUSE)) 560 return; 561 562 s = splsoftnet(); 563 /* If the TDB hasn't been used, don't renew it. */ 564 if (tdb->tdb_first_use != 0) 565 pfkeyv2_expire(tdb, SADB_EXT_LIFETIME_SOFT); 566 tdb->tdb_flags &= ~TDBF_SOFT_FIRSTUSE; 567 splx(s); 568 } 569 570 /* 571 * Caller is responsible for splsoftnet(). 572 */ 573 void 574 tdb_rehash(void) 575 { 576 struct tdb **new_tdbh, **new_tdbdst, **new_srcaddr, *tdbp, *tdbnp; 577 u_int i, old_hashmask = tdb_hashmask; 578 u_int32_t hashval; 579 580 tdb_hashmask = (tdb_hashmask << 1) | 1; 581 582 arc4random_buf(&tdbkey, sizeof(tdbkey)); 583 new_tdbh = mallocarray(tdb_hashmask + 1, sizeof(struct tdb *), M_TDB, 584 M_WAITOK | M_ZERO); 585 new_tdbdst = mallocarray(tdb_hashmask + 1, sizeof(struct tdb *), M_TDB, 586 M_WAITOK | M_ZERO); 587 new_srcaddr = mallocarray(tdb_hashmask + 1, sizeof(struct tdb *), M_TDB, 588 M_WAITOK | M_ZERO); 589 590 for (i = 0; i <= old_hashmask; i++) { 591 for (tdbp = tdbh[i]; tdbp != NULL; tdbp = tdbnp) { 592 tdbnp = tdbp->tdb_hnext; 593 hashval = tdb_hash(tdbp->tdb_rdomain, 594 tdbp->tdb_spi, &tdbp->tdb_dst, 595 tdbp->tdb_sproto); 596 tdbp->tdb_hnext = new_tdbh[hashval]; 597 new_tdbh[hashval] = tdbp; 598 } 599 600 for (tdbp = tdbdst[i]; tdbp != NULL; tdbp = tdbnp) { 601 tdbnp = tdbp->tdb_dnext; 602 hashval = tdb_hash(tdbp->tdb_rdomain, 603 0, &tdbp->tdb_dst, 604 tdbp->tdb_sproto); 605 tdbp->tdb_dnext = new_tdbdst[hashval]; 606 new_tdbdst[hashval] = tdbp; 607 } 608 609 for (tdbp = tdbsrc[i]; tdbp != NULL; tdbp = tdbnp) { 610 tdbnp = tdbp->tdb_snext; 611 hashval = tdb_hash(tdbp->tdb_rdomain, 612 0, &tdbp->tdb_src, 613 tdbp->tdb_sproto); 614 tdbp->tdb_snext = new_srcaddr[hashval]; 615 new_srcaddr[hashval] = tdbp; 616 } 617 } 618 619 free(tdbh, M_TDB, 0); 620 tdbh = new_tdbh; 621 622 free(tdbdst, M_TDB, 0); 623 tdbdst = new_tdbdst; 624 625 free(tdbsrc, M_TDB, 0); 626 tdbsrc = new_srcaddr; 627 } 628 629 /* 630 * Add TDB in the hash table. 631 */ 632 void 633 puttdb(struct tdb *tdbp) 634 { 635 u_int32_t hashval; 636 int s = splsoftnet(); 637 638 if (tdbh == NULL) { 639 arc4random_buf(&tdbkey, sizeof(tdbkey)); 640 tdbh = mallocarray(tdb_hashmask + 1, sizeof(struct tdb *), 641 M_TDB, M_WAITOK | M_ZERO); 642 tdbdst = mallocarray(tdb_hashmask + 1, sizeof(struct tdb *), 643 M_TDB, M_WAITOK | M_ZERO); 644 tdbsrc = mallocarray(tdb_hashmask + 1, sizeof(struct tdb *), 645 M_TDB, M_WAITOK | M_ZERO); 646 } 647 648 hashval = tdb_hash(tdbp->tdb_rdomain, tdbp->tdb_spi, 649 &tdbp->tdb_dst, tdbp->tdb_sproto); 650 651 /* 652 * Rehash if this tdb would cause a bucket to have more than 653 * two items and if the number of tdbs exceed 10% of the 654 * bucket count. This number is arbitratily chosen and is 655 * just a measure to not keep rehashing when adding and 656 * removing tdbs which happens to always end up in the same 657 * bucket, which is not uncommon when doing manual keying. 658 */ 659 if (tdbh[hashval] != NULL && tdbh[hashval]->tdb_hnext != NULL && 660 tdb_count * 10 > tdb_hashmask + 1) { 661 tdb_rehash(); 662 hashval = tdb_hash(tdbp->tdb_rdomain, tdbp->tdb_spi, 663 &tdbp->tdb_dst, tdbp->tdb_sproto); 664 } 665 666 tdbp->tdb_hnext = tdbh[hashval]; 667 tdbh[hashval] = tdbp; 668 669 hashval = tdb_hash(tdbp->tdb_rdomain, 0, &tdbp->tdb_dst, 670 tdbp->tdb_sproto); 671 tdbp->tdb_dnext = tdbdst[hashval]; 672 tdbdst[hashval] = tdbp; 673 674 hashval = tdb_hash(tdbp->tdb_rdomain, 0, &tdbp->tdb_src, 675 tdbp->tdb_sproto); 676 tdbp->tdb_snext = tdbsrc[hashval]; 677 tdbsrc[hashval] = tdbp; 678 679 tdb_count++; 680 681 ipsec_last_added = time_second; 682 683 splx(s); 684 } 685 686 /* 687 * Caller is responsible to set at least splsoftnet(). 688 */ 689 void 690 tdb_delete(struct tdb *tdbp) 691 { 692 struct tdb *tdbpp; 693 u_int32_t hashval; 694 int s; 695 696 if (tdbh == NULL) 697 return; 698 699 s = splsoftnet(); 700 701 hashval = tdb_hash(tdbp->tdb_rdomain, tdbp->tdb_spi, 702 &tdbp->tdb_dst, tdbp->tdb_sproto); 703 704 if (tdbh[hashval] == tdbp) { 705 tdbh[hashval] = tdbp->tdb_hnext; 706 } else { 707 for (tdbpp = tdbh[hashval]; tdbpp != NULL; 708 tdbpp = tdbpp->tdb_hnext) { 709 if (tdbpp->tdb_hnext == tdbp) { 710 tdbpp->tdb_hnext = tdbp->tdb_hnext; 711 break; 712 } 713 } 714 } 715 716 tdbp->tdb_hnext = NULL; 717 718 hashval = tdb_hash(tdbp->tdb_rdomain, 0, &tdbp->tdb_dst, 719 tdbp->tdb_sproto); 720 721 if (tdbdst[hashval] == tdbp) { 722 tdbdst[hashval] = tdbp->tdb_dnext; 723 } else { 724 for (tdbpp = tdbdst[hashval]; tdbpp != NULL; 725 tdbpp = tdbpp->tdb_dnext) { 726 if (tdbpp->tdb_dnext == tdbp) { 727 tdbpp->tdb_dnext = tdbp->tdb_dnext; 728 break; 729 } 730 } 731 } 732 733 tdbp->tdb_dnext = NULL; 734 735 hashval = tdb_hash(tdbp->tdb_rdomain, 0, &tdbp->tdb_src, 736 tdbp->tdb_sproto); 737 738 if (tdbsrc[hashval] == tdbp) { 739 tdbsrc[hashval] = tdbp->tdb_snext; 740 } 741 else { 742 for (tdbpp = tdbsrc[hashval]; tdbpp != NULL; 743 tdbpp = tdbpp->tdb_snext) { 744 if (tdbpp->tdb_snext == tdbp) { 745 tdbpp->tdb_snext = tdbp->tdb_snext; 746 break; 747 } 748 } 749 } 750 751 tdbp->tdb_snext = NULL; 752 tdb_free(tdbp); 753 tdb_count--; 754 755 splx(s); 756 } 757 758 /* 759 * Allocate a TDB and initialize a few basic fields. 760 */ 761 struct tdb * 762 tdb_alloc(u_int rdomain) 763 { 764 struct tdb *tdbp; 765 766 tdbp = malloc(sizeof(*tdbp), M_TDB, M_WAITOK | M_ZERO); 767 768 TAILQ_INIT(&tdbp->tdb_policy_head); 769 770 /* Record establishment time. */ 771 tdbp->tdb_established = time_second; 772 773 /* Save routing domain */ 774 tdbp->tdb_rdomain = rdomain; 775 776 /* Initialize timeouts. */ 777 timeout_set(&tdbp->tdb_timer_tmo, tdb_timeout, tdbp); 778 timeout_set(&tdbp->tdb_first_tmo, tdb_firstuse, tdbp); 779 timeout_set(&tdbp->tdb_stimer_tmo, tdb_soft_timeout, tdbp); 780 timeout_set(&tdbp->tdb_sfirst_tmo, tdb_soft_firstuse, tdbp); 781 782 return tdbp; 783 } 784 785 void 786 tdb_free(struct tdb *tdbp) 787 { 788 struct ipsec_policy *ipo; 789 790 if (tdbp->tdb_xform) { 791 (*(tdbp->tdb_xform->xf_zeroize))(tdbp); 792 tdbp->tdb_xform = NULL; 793 } 794 795 #if NPFSYNC > 0 796 /* Cleanup pfsync references */ 797 pfsync_delete_tdb(tdbp); 798 #endif 799 800 /* Cleanup SPD references. */ 801 for (ipo = TAILQ_FIRST(&tdbp->tdb_policy_head); ipo; 802 ipo = TAILQ_FIRST(&tdbp->tdb_policy_head)) { 803 TAILQ_REMOVE(&tdbp->tdb_policy_head, ipo, ipo_tdb_next); 804 ipo->ipo_tdb = NULL; 805 ipo->ipo_last_searched = 0; /* Force a re-search. */ 806 } 807 808 /* Remove expiration timeouts. */ 809 tdbp->tdb_flags &= ~(TDBF_FIRSTUSE | TDBF_SOFT_FIRSTUSE | TDBF_TIMER | 810 TDBF_SOFT_TIMER); 811 timeout_del(&tdbp->tdb_timer_tmo); 812 timeout_del(&tdbp->tdb_first_tmo); 813 timeout_del(&tdbp->tdb_stimer_tmo); 814 timeout_del(&tdbp->tdb_sfirst_tmo); 815 816 if (tdbp->tdb_ids) { 817 ipsp_ids_free(tdbp->tdb_ids); 818 tdbp->tdb_ids = NULL; 819 } 820 821 #if NPF > 0 822 if (tdbp->tdb_tag) { 823 pf_tag_unref(tdbp->tdb_tag); 824 tdbp->tdb_tag = 0; 825 } 826 #endif 827 828 if ((tdbp->tdb_onext) && (tdbp->tdb_onext->tdb_inext == tdbp)) 829 tdbp->tdb_onext->tdb_inext = NULL; 830 831 if ((tdbp->tdb_inext) && (tdbp->tdb_inext->tdb_onext == tdbp)) 832 tdbp->tdb_inext->tdb_onext = NULL; 833 834 free(tdbp, M_TDB, 0); 835 } 836 837 /* 838 * Do further initializations of a TDB. 839 */ 840 int 841 tdb_init(struct tdb *tdbp, u_int16_t alg, struct ipsecinit *ii) 842 { 843 struct xformsw *xsp; 844 int err; 845 #ifdef ENCDEBUG 846 char buf[INET6_ADDRSTRLEN]; 847 #endif 848 849 for (xsp = xformsw; xsp < xformswNXFORMSW; xsp++) { 850 if (xsp->xf_type == alg) { 851 err = (*(xsp->xf_init))(tdbp, xsp, ii); 852 return err; 853 } 854 } 855 856 DPRINTF(("tdb_init(): no alg %d for spi %08x, addr %s, proto %d\n", 857 alg, ntohl(tdbp->tdb_spi), ipsp_address(&tdbp->tdb_dst, buf, 858 sizeof(buf)), tdbp->tdb_sproto)); 859 860 return EINVAL; 861 } 862 863 #ifdef ENCDEBUG 864 /* Return a printable string for the address. */ 865 const char * 866 ipsp_address(union sockaddr_union *sa, char *buf, socklen_t size) 867 { 868 switch (sa->sa.sa_family) { 869 case AF_INET: 870 return inet_ntop(AF_INET, &sa->sin.sin_addr, 871 buf, (size_t)size); 872 873 #ifdef INET6 874 case AF_INET6: 875 return inet_ntop(AF_INET6, &sa->sin6.sin6_addr, 876 buf, (size_t)size); 877 #endif /* INET6 */ 878 879 default: 880 return "(unknown address family)"; 881 } 882 } 883 #endif /* ENCDEBUG */ 884 885 /* Check whether an IP{4,6} address is unspecified. */ 886 int 887 ipsp_is_unspecified(union sockaddr_union addr) 888 { 889 switch (addr.sa.sa_family) { 890 case AF_INET: 891 if (addr.sin.sin_addr.s_addr == INADDR_ANY) 892 return 1; 893 else 894 return 0; 895 896 #ifdef INET6 897 case AF_INET6: 898 if (IN6_IS_ADDR_UNSPECIFIED(&addr.sin6.sin6_addr)) 899 return 1; 900 else 901 return 0; 902 #endif /* INET6 */ 903 904 case 0: /* No family set. */ 905 default: 906 return 1; 907 } 908 } 909 910 int 911 ipsp_ids_match(struct ipsec_ids *a, struct ipsec_ids *b) 912 { 913 return a == b; 914 } 915 916 struct ipsec_ids * 917 ipsp_ids_insert(struct ipsec_ids *ids) 918 { 919 struct ipsec_ids *found; 920 u_int32_t start_flow; 921 922 found = RBT_INSERT(ipsec_ids_tree, &ipsec_ids_tree, ids); 923 if (found) { 924 /* if refcount was zero, then timeout is running */ 925 if (found->id_refcount++ == 0) 926 timeout_del(&found->id_timeout); 927 DPRINTF(("%s: ids %p count %d\n", __func__, 928 found, found->id_refcount)); 929 return found; 930 } 931 ids->id_flow = start_flow = ipsec_ids_next_flow; 932 if (++ipsec_ids_next_flow == 0) 933 ipsec_ids_next_flow = 1; 934 while (RBT_INSERT(ipsec_ids_flows, &ipsec_ids_flows, ids) != NULL) { 935 ids->id_flow = ipsec_ids_next_flow; 936 if (++ipsec_ids_next_flow == 0) 937 ipsec_ids_next_flow = 1; 938 if (ipsec_ids_next_flow == start_flow) { 939 DPRINTF(("ipsec_ids_next_flow exhausted %u\n", 940 ipsec_ids_next_flow)); 941 return NULL; 942 } 943 } 944 ids->id_refcount = 1; 945 DPRINTF(("%s: new ids %p flow %u\n", __func__, ids, ids->id_flow)); 946 timeout_set(&ids->id_timeout, ipsp_ids_timeout, ids); 947 return ids; 948 } 949 950 struct ipsec_ids * 951 ipsp_ids_lookup(u_int32_t ipsecflowinfo) 952 { 953 struct ipsec_ids key; 954 955 key.id_flow = ipsecflowinfo; 956 return RBT_FIND(ipsec_ids_flows, &ipsec_ids_flows, &key); 957 } 958 959 /* free ids only from delayed timeout */ 960 void 961 ipsp_ids_timeout(void *arg) 962 { 963 struct ipsec_ids *ids = arg; 964 int s; 965 966 DPRINTF(("%s: ids %p count %d\n", __func__, ids, ids->id_refcount)); 967 KASSERT(ids->id_refcount == 0); 968 s = splsoftnet(); 969 RBT_REMOVE(ipsec_ids_tree, &ipsec_ids_tree, ids); 970 RBT_REMOVE(ipsec_ids_flows, &ipsec_ids_flows, ids); 971 free(ids->id_local, M_CREDENTIALS, 0); 972 free(ids->id_remote, M_CREDENTIALS, 0); 973 free(ids, M_CREDENTIALS, 0); 974 splx(s); 975 } 976 977 /* decrements refcount, actual free happens in timeout */ 978 void 979 ipsp_ids_free(struct ipsec_ids *ids) 980 { 981 /* 982 * If the refcount becomes zero, then a timeout is started. This 983 * timeout must be cancelled if refcount is increased from zero. 984 */ 985 DPRINTF(("%s: ids %p count %d\n", __func__, ids, ids->id_refcount)); 986 KASSERT(ids->id_refcount > 0); 987 if (--ids->id_refcount == 0) 988 timeout_add_sec(&ids->id_timeout, ipsec_ids_idle); 989 } 990 991 static int 992 ipsp_id_cmp(struct ipsec_id *a, struct ipsec_id *b) 993 { 994 if (a->type > b->type) 995 return 1; 996 if (a->type < b->type) 997 return -1; 998 if (a->len > b->len) 999 return 1; 1000 if (a->len < b->len) 1001 return -1; 1002 return memcmp(a + 1, b + 1, a->len); 1003 } 1004 1005 static inline int 1006 ipsp_ids_cmp(const struct ipsec_ids *a, const struct ipsec_ids *b) 1007 { 1008 int ret; 1009 1010 ret = ipsp_id_cmp(a->id_remote, b->id_remote); 1011 if (ret != 0) 1012 return ret; 1013 return ipsp_id_cmp(a->id_local, b->id_local); 1014 } 1015 1016 static inline int 1017 ipsp_ids_flow_cmp(const struct ipsec_ids *a, const struct ipsec_ids *b) 1018 { 1019 if (a->id_flow > b->id_flow) 1020 return 1; 1021 if (a->id_flow < b->id_flow) 1022 return -1; 1023 return 0; 1024 } 1025