1 /* $OpenBSD: ip_spd.c,v 1.88 2015/10/07 10:50:35 mpi Exp $ */ 2 /* 3 * The author of this code is Angelos D. Keromytis (angelos@cis.upenn.edu) 4 * 5 * Copyright (c) 2000-2001 Angelos D. Keromytis. 6 * 7 * Permission to use, copy, and modify this software with or without fee 8 * is hereby granted, provided that this entire notice is included in 9 * all copies of any software which is or includes a copy or 10 * modification of this software. 11 * You may use this code under the GNU public license if you so wish. Please 12 * contribute changes back to the authors under this freer than GPL license 13 * so that we may further the use of strong encryption without limitations to 14 * all. 15 * 16 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR 17 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY 18 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE 19 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR 20 * PURPOSE. 21 */ 22 23 #include <sys/param.h> 24 #include <sys/systm.h> 25 #include <sys/mbuf.h> 26 #include <sys/socket.h> 27 #include <sys/kernel.h> 28 #include <sys/socketvar.h> 29 #include <sys/domain.h> 30 #include <sys/protosw.h> 31 #include <sys/pool.h> 32 #include <sys/timeout.h> 33 34 #include <net/route.h> 35 #include <net/netisr.h> 36 37 #include <netinet/in.h> 38 #include <netinet/ip.h> 39 #include <netinet/ip_var.h> 40 #include <netinet/in_pcb.h> 41 42 #ifdef INET6 43 #endif /* INET6 */ 44 45 #include <netinet/ip_ipsp.h> 46 #include <net/pfkeyv2.h> 47 48 int ipsp_acquire_sa(struct ipsec_policy *, union sockaddr_union *, 49 union sockaddr_union *, struct sockaddr_encap *, struct mbuf *); 50 struct ipsec_acquire *ipsp_pending_acquire(struct ipsec_policy *, 51 union sockaddr_union *); 52 void ipsp_delete_acquire(void *); 53 54 #ifdef ENCDEBUG 55 #define DPRINTF(x) if (encdebug) printf x 56 #else 57 #define DPRINTF(x) 58 #endif 59 60 struct pool ipsec_policy_pool; 61 struct pool ipsec_acquire_pool; 62 int ipsec_policy_pool_initialized = 0; 63 int ipsec_acquire_pool_initialized = 0; 64 65 struct radix_node_head **spd_tables; 66 unsigned int spd_table_max; 67 68 struct radix_node_head * 69 spd_table_get(unsigned int rtableid) 70 { 71 unsigned int rdomain; 72 73 if (spd_tables == NULL) 74 return (NULL); 75 76 rdomain = rtable_l2(rtableid); 77 if (rdomain > spd_table_max) 78 return (NULL); 79 80 return (spd_tables[rdomain]); 81 } 82 83 struct radix_node_head * 84 spd_table_add(unsigned int rtableid) 85 { 86 struct radix_node_head *rnh = NULL; 87 unsigned int rdomain; 88 void *p; 89 90 rdomain = rtable_l2(rtableid); 91 if (spd_tables == NULL || rdomain > spd_table_max) { 92 if ((p = mallocarray(rdomain + 1, sizeof(*rnh), 93 M_RTABLE, M_NOWAIT|M_ZERO)) == NULL) 94 return (NULL); 95 96 if (spd_tables != NULL) { 97 bcopy(spd_tables, p, sizeof(*rnh) * (spd_table_max+1)); 98 free(spd_tables, M_RTABLE, 0); 99 } 100 spd_tables = p; 101 spd_table_max = rdomain; 102 } 103 104 if (spd_tables[rdomain] == NULL) { 105 if (rn_inithead((void **)&rnh, 106 offsetof(struct sockaddr_encap, sen_type)) == 0) 107 rnh = NULL; 108 spd_tables[rdomain] = rnh; 109 } 110 111 return (spd_tables[rdomain]); 112 } 113 114 /* 115 * Lookup at the SPD based on the headers contained on the mbuf. The second 116 * argument indicates what protocol family the header at the beginning of 117 * the mbuf is. hlen is the offset of the transport protocol header 118 * in the mbuf. 119 * 120 * Return combinations (of return value and in *error): 121 * - NULL/0 -> no IPsec required on packet 122 * - NULL/-EINVAL -> silently drop the packet 123 * - NULL/errno -> drop packet and return error 124 * or a pointer to a TDB (and 0 in *error). 125 * 126 * In the case of incoming flows, only the first three combinations are 127 * returned. 128 */ 129 struct tdb * 130 ipsp_spd_lookup(struct mbuf *m, int af, int hlen, int *error, int direction, 131 struct tdb *tdbp, struct inpcb *inp, u_int32_t ipsecflowinfo) 132 { 133 struct radix_node_head *rnh; 134 struct radix_node *rn; 135 union sockaddr_union sdst, ssrc; 136 struct sockaddr_encap *ddst, dst; 137 struct ipsec_policy *ipo; 138 struct ipsec_ids *ids = NULL; 139 int signore = 0, dignore = 0; 140 u_int rdomain = rtable_l2(m->m_pkthdr.ph_rtableid); 141 142 /* 143 * If there are no flows in place, there's no point 144 * continuing with the SPD lookup. 145 */ 146 if (!ipsec_in_use && inp == NULL) { 147 *error = 0; 148 return NULL; 149 } 150 151 /* 152 * If an input packet is destined to a BYPASS socket, just accept it. 153 */ 154 if ((inp != NULL) && (direction == IPSP_DIRECTION_IN) && 155 (inp->inp_seclevel[SL_ESP_TRANS] == IPSEC_LEVEL_BYPASS) && 156 (inp->inp_seclevel[SL_ESP_NETWORK] == IPSEC_LEVEL_BYPASS) && 157 (inp->inp_seclevel[SL_AUTH] == IPSEC_LEVEL_BYPASS)) { 158 *error = 0; 159 return NULL; 160 } 161 162 memset(&dst, 0, sizeof(dst)); 163 memset(&sdst, 0, sizeof(union sockaddr_union)); 164 memset(&ssrc, 0, sizeof(union sockaddr_union)); 165 ddst = (struct sockaddr_encap *)&dst; 166 ddst->sen_family = PF_KEY; 167 ddst->sen_len = SENT_LEN; 168 169 switch (af) { 170 case AF_INET: 171 if (hlen < sizeof (struct ip) || m->m_pkthdr.len < hlen) { 172 *error = EINVAL; 173 return NULL; 174 } 175 ddst->sen_direction = direction; 176 ddst->sen_type = SENT_IP4; 177 178 m_copydata(m, offsetof(struct ip, ip_src), 179 sizeof(struct in_addr), (caddr_t) &(ddst->sen_ip_src)); 180 m_copydata(m, offsetof(struct ip, ip_dst), 181 sizeof(struct in_addr), (caddr_t) &(ddst->sen_ip_dst)); 182 m_copydata(m, offsetof(struct ip, ip_p), sizeof(u_int8_t), 183 (caddr_t) &(ddst->sen_proto)); 184 185 sdst.sin.sin_family = ssrc.sin.sin_family = AF_INET; 186 sdst.sin.sin_len = ssrc.sin.sin_len = 187 sizeof(struct sockaddr_in); 188 ssrc.sin.sin_addr = ddst->sen_ip_src; 189 sdst.sin.sin_addr = ddst->sen_ip_dst; 190 191 /* 192 * If TCP/UDP, extract the port numbers to use in the lookup. 193 */ 194 switch (ddst->sen_proto) { 195 case IPPROTO_UDP: 196 case IPPROTO_TCP: 197 /* Make sure there's enough data in the packet. */ 198 if (m->m_pkthdr.len < hlen + 2 * sizeof(u_int16_t)) { 199 *error = EINVAL; 200 return NULL; 201 } 202 203 /* 204 * Luckily, the offset of the src/dst ports in 205 * both the UDP and TCP headers is the same (first 206 * two 16-bit values in the respective headers), 207 * so we can just copy them. 208 */ 209 m_copydata(m, hlen, sizeof(u_int16_t), 210 (caddr_t) &(ddst->sen_sport)); 211 m_copydata(m, hlen + sizeof(u_int16_t), sizeof(u_int16_t), 212 (caddr_t) &(ddst->sen_dport)); 213 break; 214 215 default: 216 ddst->sen_sport = 0; 217 ddst->sen_dport = 0; 218 } 219 220 break; 221 222 #ifdef INET6 223 case AF_INET6: 224 if (hlen < sizeof (struct ip6_hdr) || m->m_pkthdr.len < hlen) { 225 *error = EINVAL; 226 return NULL; 227 } 228 ddst->sen_type = SENT_IP6; 229 ddst->sen_ip6_direction = direction; 230 231 m_copydata(m, offsetof(struct ip6_hdr, ip6_src), 232 sizeof(struct in6_addr), 233 (caddr_t) &(ddst->sen_ip6_src)); 234 m_copydata(m, offsetof(struct ip6_hdr, ip6_dst), 235 sizeof(struct in6_addr), 236 (caddr_t) &(ddst->sen_ip6_dst)); 237 m_copydata(m, offsetof(struct ip6_hdr, ip6_nxt), 238 sizeof(u_int8_t), 239 (caddr_t) &(ddst->sen_ip6_proto)); 240 241 sdst.sin6.sin6_family = ssrc.sin6.sin6_family = AF_INET6; 242 sdst.sin6.sin6_len = ssrc.sin6.sin6_len = 243 sizeof(struct sockaddr_in6); 244 in6_recoverscope(&ssrc.sin6, &ddst->sen_ip6_src); 245 in6_recoverscope(&sdst.sin6, &ddst->sen_ip6_dst); 246 247 /* 248 * If TCP/UDP, extract the port numbers to use in the lookup. 249 */ 250 switch (ddst->sen_ip6_proto) { 251 case IPPROTO_UDP: 252 case IPPROTO_TCP: 253 /* Make sure there's enough data in the packet. */ 254 if (m->m_pkthdr.len < hlen + 2 * sizeof(u_int16_t)) { 255 *error = EINVAL; 256 return NULL; 257 } 258 259 /* 260 * Luckily, the offset of the src/dst ports in 261 * both the UDP and TCP headers is the same 262 * (first two 16-bit values in the respective 263 * headers), so we can just copy them. 264 */ 265 m_copydata(m, hlen, sizeof(u_int16_t), 266 (caddr_t) &(ddst->sen_ip6_sport)); 267 m_copydata(m, hlen + sizeof(u_int16_t), sizeof(u_int16_t), 268 (caddr_t) &(ddst->sen_ip6_dport)); 269 break; 270 271 default: 272 ddst->sen_ip6_sport = 0; 273 ddst->sen_ip6_dport = 0; 274 } 275 276 break; 277 #endif /* INET6 */ 278 279 default: 280 *error = EAFNOSUPPORT; 281 return NULL; 282 } 283 284 /* Actual SPD lookup. */ 285 if ((rnh = spd_table_get(rdomain)) == NULL || 286 (rn = rn_match((caddr_t)&dst, rnh)) == NULL) { 287 /* 288 * Return whatever the socket requirements are, there are no 289 * system-wide policies. 290 */ 291 *error = 0; 292 return ipsp_spd_inp(m, af, hlen, error, direction, 293 tdbp, inp, NULL); 294 } 295 ipo = (struct ipsec_policy *)rn; 296 297 switch (ipo->ipo_type) { 298 case IPSP_PERMIT: 299 *error = 0; 300 return ipsp_spd_inp(m, af, hlen, error, direction, tdbp, 301 inp, ipo); 302 303 case IPSP_DENY: 304 *error = EHOSTUNREACH; 305 return NULL; 306 307 case IPSP_IPSEC_USE: 308 case IPSP_IPSEC_ACQUIRE: 309 case IPSP_IPSEC_REQUIRE: 310 case IPSP_IPSEC_DONTACQ: 311 /* Nothing more needed here. */ 312 break; 313 314 default: 315 *error = EINVAL; 316 return NULL; 317 } 318 319 /* Check for non-specific destination in the policy. */ 320 switch (ipo->ipo_dst.sa.sa_family) { 321 case AF_INET: 322 if ((ipo->ipo_dst.sin.sin_addr.s_addr == INADDR_ANY) || 323 (ipo->ipo_dst.sin.sin_addr.s_addr == INADDR_BROADCAST)) 324 dignore = 1; 325 break; 326 327 #ifdef INET6 328 case AF_INET6: 329 if ((IN6_IS_ADDR_UNSPECIFIED(&ipo->ipo_dst.sin6.sin6_addr)) || 330 (memcmp(&ipo->ipo_dst.sin6.sin6_addr, &in6mask128, 331 sizeof(in6mask128)) == 0)) 332 dignore = 1; 333 break; 334 #endif /* INET6 */ 335 } 336 337 /* Likewise for source. */ 338 switch (ipo->ipo_src.sa.sa_family) { 339 case AF_INET: 340 if (ipo->ipo_src.sin.sin_addr.s_addr == INADDR_ANY) 341 signore = 1; 342 break; 343 344 #ifdef INET6 345 case AF_INET6: 346 if (IN6_IS_ADDR_UNSPECIFIED(&ipo->ipo_src.sin6.sin6_addr)) 347 signore = 1; 348 break; 349 #endif /* INET6 */ 350 } 351 352 /* Do we have a cached entry ? If so, check if it's still valid. */ 353 if ((ipo->ipo_tdb) && (ipo->ipo_tdb->tdb_flags & TDBF_INVALID)) { 354 TAILQ_REMOVE(&ipo->ipo_tdb->tdb_policy_head, ipo, 355 ipo_tdb_next); 356 ipo->ipo_tdb = NULL; 357 } 358 359 /* Outgoing packet policy check. */ 360 if (direction == IPSP_DIRECTION_OUT) { 361 /* 362 * If the packet is destined for the policy-specified 363 * gateway/endhost, and the socket has the BYPASS 364 * option set, skip IPsec processing. 365 */ 366 if ((inp != NULL) && 367 (inp->inp_seclevel[SL_ESP_TRANS] == IPSEC_LEVEL_BYPASS) && 368 (inp->inp_seclevel[SL_ESP_NETWORK] == 369 IPSEC_LEVEL_BYPASS) && 370 (inp->inp_seclevel[SL_AUTH] == IPSEC_LEVEL_BYPASS)) { 371 /* Direct match. */ 372 if (dignore || 373 !memcmp(&sdst, &ipo->ipo_dst, sdst.sa.sa_len)) { 374 *error = 0; 375 return NULL; 376 } 377 } 378 379 if (ipsecflowinfo) 380 ids = ipsp_ids_lookup(ipsecflowinfo); 381 382 /* Check that the cached TDB (if present), is appropriate. */ 383 if (ipo->ipo_tdb) { 384 if ((ipo->ipo_last_searched <= ipsec_last_added) || 385 (ipo->ipo_sproto != ipo->ipo_tdb->tdb_sproto) || 386 memcmp(dignore ? &sdst : &ipo->ipo_dst, 387 &ipo->ipo_tdb->tdb_dst, 388 ipo->ipo_tdb->tdb_dst.sa.sa_len)) 389 goto nomatchout; 390 391 if (!ipsp_aux_match(ipo->ipo_tdb, 392 ids ? ids : ipo->ipo_ids, 393 &ipo->ipo_addr, &ipo->ipo_mask)) 394 goto nomatchout; 395 396 /* Cached entry is good. */ 397 *error = 0; 398 return ipsp_spd_inp(m, af, hlen, error, direction, 399 tdbp, inp, ipo); 400 401 nomatchout: 402 /* Cached TDB was not good. */ 403 TAILQ_REMOVE(&ipo->ipo_tdb->tdb_policy_head, ipo, 404 ipo_tdb_next); 405 ipo->ipo_tdb = NULL; 406 ipo->ipo_last_searched = 0; 407 } 408 409 /* 410 * If no SA has been added since the last time we did a 411 * lookup, there's no point searching for one. However, if the 412 * destination gateway is left unspecified (or is all-1's), 413 * always lookup since this is a generic-match rule 414 * (otherwise, we can have situations where SAs to some 415 * destinations exist but are not used, possibly leading to an 416 * explosion in the number of acquired SAs). 417 */ 418 if (ipo->ipo_last_searched <= ipsec_last_added) { 419 /* "Touch" the entry. */ 420 if (dignore == 0) 421 ipo->ipo_last_searched = time_second; 422 423 /* Find an appropriate SA from the existing ones. */ 424 ipo->ipo_tdb = 425 gettdbbydst(rdomain, 426 dignore ? &sdst : &ipo->ipo_dst, 427 ipo->ipo_sproto, 428 ids ? ids: ipo->ipo_ids, 429 &ipo->ipo_addr, &ipo->ipo_mask); 430 if (ipo->ipo_tdb) { 431 TAILQ_INSERT_TAIL(&ipo->ipo_tdb->tdb_policy_head, 432 ipo, ipo_tdb_next); 433 *error = 0; 434 return ipsp_spd_inp(m, af, hlen, error, 435 direction, tdbp, inp, ipo); 436 } 437 } 438 439 /* So, we don't have an SA -- just a policy. */ 440 switch (ipo->ipo_type) { 441 case IPSP_IPSEC_REQUIRE: 442 /* Acquire SA through key management. */ 443 if (ipsp_acquire_sa(ipo, 444 dignore ? &sdst : &ipo->ipo_dst, 445 signore ? NULL : &ipo->ipo_src, ddst, m) != 0) { 446 *error = EACCES; 447 return NULL; 448 } 449 450 /* FALLTHROUGH */ 451 case IPSP_IPSEC_DONTACQ: 452 *error = -EINVAL; /* Silently drop packet. */ 453 return NULL; 454 455 case IPSP_IPSEC_ACQUIRE: 456 /* Acquire SA through key management. */ 457 ipsp_acquire_sa(ipo, dignore ? &sdst : &ipo->ipo_dst, 458 signore ? NULL : &ipo->ipo_src, ddst, NULL); 459 460 /* FALLTHROUGH */ 461 case IPSP_IPSEC_USE: 462 *error = 0; 463 return ipsp_spd_inp(m, af, hlen, error, direction, 464 tdbp, inp, ipo); 465 } 466 } else { /* IPSP_DIRECTION_IN */ 467 if (tdbp != NULL) { 468 /* Direct match in the cache. */ 469 if (ipo->ipo_tdb == tdbp) { 470 *error = 0; 471 return ipsp_spd_inp(m, af, hlen, error, 472 direction, tdbp, inp, ipo); 473 } 474 475 if (memcmp(dignore ? &ssrc : &ipo->ipo_dst, 476 &tdbp->tdb_src, tdbp->tdb_src.sa.sa_len) || 477 (ipo->ipo_sproto != tdbp->tdb_sproto)) 478 goto nomatchin; 479 480 /* Match source/dest IDs. */ 481 if (ipo->ipo_ids) 482 if (tdbp->tdb_ids == NULL || 483 !ipsp_ids_match(ipo->ipo_ids, tdbp->tdb_ids)) 484 goto nomatchin; 485 486 /* Add it to the cache. */ 487 if (ipo->ipo_tdb) 488 TAILQ_REMOVE(&ipo->ipo_tdb->tdb_policy_head, 489 ipo, ipo_tdb_next); 490 ipo->ipo_tdb = tdbp; 491 TAILQ_INSERT_TAIL(&tdbp->tdb_policy_head, ipo, 492 ipo_tdb_next); 493 *error = 0; 494 return ipsp_spd_inp(m, af, hlen, error, direction, 495 tdbp, inp, ipo); 496 497 nomatchin: /* Nothing needed here, falling through */ 498 ; 499 } 500 501 /* Check whether cached entry applies. */ 502 if (ipo->ipo_tdb) { 503 /* 504 * We only need to check that the correct 505 * security protocol and security gateway are 506 * set; IDs will be the same since the cached 507 * entry is linked on this policy. 508 */ 509 if (ipo->ipo_sproto == ipo->ipo_tdb->tdb_sproto && 510 !memcmp(&ipo->ipo_tdb->tdb_src, 511 dignore ? &ssrc : &ipo->ipo_dst, 512 ipo->ipo_tdb->tdb_src.sa.sa_len)) 513 goto skipinputsearch; 514 515 /* Not applicable, unlink. */ 516 TAILQ_REMOVE(&ipo->ipo_tdb->tdb_policy_head, ipo, 517 ipo_tdb_next); 518 ipo->ipo_last_searched = 0; 519 ipo->ipo_tdb = NULL; 520 } 521 522 /* Find whether there exists an appropriate SA. */ 523 if (ipo->ipo_last_searched <= ipsec_last_added) { 524 if (dignore == 0) 525 ipo->ipo_last_searched = time_second; 526 527 ipo->ipo_tdb = 528 gettdbbysrc(rdomain, 529 dignore ? &ssrc : &ipo->ipo_dst, 530 ipo->ipo_sproto, ipo->ipo_ids, 531 &ipo->ipo_addr, &ipo->ipo_mask); 532 if (ipo->ipo_tdb) 533 TAILQ_INSERT_TAIL(&ipo->ipo_tdb->tdb_policy_head, 534 ipo, ipo_tdb_next); 535 } 536 skipinputsearch: 537 538 switch (ipo->ipo_type) { 539 case IPSP_IPSEC_REQUIRE: 540 /* If appropriate SA exists, don't acquire another. */ 541 if (ipo->ipo_tdb) { 542 *error = -EINVAL; 543 return NULL; 544 } 545 546 /* Acquire SA through key management. */ 547 if ((*error = ipsp_acquire_sa(ipo, 548 dignore ? &ssrc : &ipo->ipo_dst, 549 signore ? NULL : &ipo->ipo_src, ddst, m)) != 0) 550 return NULL; 551 552 /* FALLTHROUGH */ 553 case IPSP_IPSEC_DONTACQ: 554 /* Drop packet. */ 555 *error = -EINVAL; 556 return NULL; 557 558 case IPSP_IPSEC_ACQUIRE: 559 /* If appropriate SA exists, don't acquire another. */ 560 if (ipo->ipo_tdb) { 561 *error = 0; 562 return ipsp_spd_inp(m, af, hlen, error, 563 direction, tdbp, inp, ipo); 564 } 565 566 /* Acquire SA through key management. */ 567 ipsp_acquire_sa(ipo, dignore ? &ssrc : &ipo->ipo_dst, 568 signore ? NULL : &ipo->ipo_src, ddst, NULL); 569 570 /* FALLTHROUGH */ 571 case IPSP_IPSEC_USE: 572 *error = 0; 573 return ipsp_spd_inp(m, af, hlen, error, direction, 574 tdbp, inp, ipo); 575 } 576 } 577 578 /* Shouldn't ever get this far. */ 579 *error = EINVAL; 580 return NULL; 581 } 582 583 /* 584 * Delete a policy from the SPD. 585 */ 586 int 587 ipsec_delete_policy(struct ipsec_policy *ipo) 588 { 589 struct ipsec_acquire *ipa; 590 struct radix_node_head *rnh; 591 struct radix_node *rn = (struct radix_node *)ipo; 592 int err = 0; 593 594 if (--ipo->ipo_ref_count > 0) 595 return 0; 596 597 /* Delete from SPD. */ 598 if ((rnh = spd_table_get(ipo->ipo_rdomain)) == NULL || 599 rn_delete(&ipo->ipo_addr, &ipo->ipo_mask, rnh, rn) == NULL) 600 return (ESRCH); 601 602 if (ipo->ipo_tdb != NULL) 603 TAILQ_REMOVE(&ipo->ipo_tdb->tdb_policy_head, ipo, 604 ipo_tdb_next); 605 606 while ((ipa = TAILQ_FIRST(&ipo->ipo_acquires)) != NULL) 607 ipsp_delete_acquire(ipa); 608 609 TAILQ_REMOVE(&ipsec_policy_head, ipo, ipo_list); 610 611 if (ipo->ipo_ids) 612 ipsp_ids_free(ipo->ipo_ids); 613 614 ipsec_in_use--; 615 616 pool_put(&ipsec_policy_pool, ipo); 617 618 return err; 619 } 620 621 /* 622 * Delete a pending IPsec acquire record. 623 */ 624 void 625 ipsp_delete_acquire(void *v) 626 { 627 struct ipsec_acquire *ipa = v; 628 629 timeout_del(&ipa->ipa_timeout); 630 TAILQ_REMOVE(&ipsec_acquire_head, ipa, ipa_next); 631 if (ipa->ipa_policy != NULL) 632 TAILQ_REMOVE(&ipa->ipa_policy->ipo_acquires, ipa, 633 ipa_ipo_next); 634 pool_put(&ipsec_acquire_pool, ipa); 635 } 636 637 /* 638 * Find out if there's an ACQUIRE pending. 639 * XXX Need a better structure. 640 */ 641 struct ipsec_acquire * 642 ipsp_pending_acquire(struct ipsec_policy *ipo, union sockaddr_union *gw) 643 { 644 struct ipsec_acquire *ipa; 645 646 TAILQ_FOREACH (ipa, &ipo->ipo_acquires, ipa_ipo_next) { 647 if (!memcmp(gw, &ipa->ipa_addr, gw->sa.sa_len)) 648 return ipa; 649 } 650 651 return NULL; 652 } 653 654 /* 655 * Signal key management that we need an SA. 656 * XXX For outgoing policies, we could try to hold on to the mbuf. 657 */ 658 int 659 ipsp_acquire_sa(struct ipsec_policy *ipo, union sockaddr_union *gw, 660 union sockaddr_union *laddr, struct sockaddr_encap *ddst, struct mbuf *m) 661 { 662 struct ipsec_acquire *ipa; 663 664 /* Check whether request has been made already. */ 665 if ((ipa = ipsp_pending_acquire(ipo, gw)) != NULL) 666 return 0; 667 668 /* Add request in cache and proceed. */ 669 if (ipsec_acquire_pool_initialized == 0) { 670 ipsec_acquire_pool_initialized = 1; 671 pool_init(&ipsec_acquire_pool, sizeof(struct ipsec_acquire), 672 0, 0, 0, "ipsec acquire", NULL); 673 } 674 675 ipa = pool_get(&ipsec_acquire_pool, PR_NOWAIT|PR_ZERO); 676 if (ipa == NULL) 677 return ENOMEM; 678 679 bcopy(gw, &ipa->ipa_addr, sizeof(union sockaddr_union)); 680 681 timeout_set(&ipa->ipa_timeout, ipsp_delete_acquire, ipa); 682 683 ipa->ipa_info.sen_len = ipa->ipa_mask.sen_len = SENT_LEN; 684 ipa->ipa_info.sen_family = ipa->ipa_mask.sen_family = PF_KEY; 685 686 /* Just copy the right information. */ 687 switch (ipo->ipo_addr.sen_type) { 688 case SENT_IP4: 689 ipa->ipa_info.sen_type = ipa->ipa_mask.sen_type = SENT_IP4; 690 ipa->ipa_info.sen_direction = ipo->ipo_addr.sen_direction; 691 ipa->ipa_mask.sen_direction = ipo->ipo_mask.sen_direction; 692 693 if (ipsp_is_unspecified(ipo->ipo_dst)) { 694 ipa->ipa_info.sen_ip_src = ddst->sen_ip_src; 695 ipa->ipa_mask.sen_ip_src.s_addr = INADDR_BROADCAST; 696 697 ipa->ipa_info.sen_ip_dst = ddst->sen_ip_dst; 698 ipa->ipa_mask.sen_ip_dst.s_addr = INADDR_BROADCAST; 699 } else { 700 ipa->ipa_info.sen_ip_src = ipo->ipo_addr.sen_ip_src; 701 ipa->ipa_mask.sen_ip_src = ipo->ipo_mask.sen_ip_src; 702 703 ipa->ipa_info.sen_ip_dst = ipo->ipo_addr.sen_ip_dst; 704 ipa->ipa_mask.sen_ip_dst = ipo->ipo_mask.sen_ip_dst; 705 } 706 707 ipa->ipa_info.sen_proto = ipo->ipo_addr.sen_proto; 708 ipa->ipa_mask.sen_proto = ipo->ipo_mask.sen_proto; 709 710 if (ipo->ipo_addr.sen_proto) { 711 ipa->ipa_info.sen_sport = ipo->ipo_addr.sen_sport; 712 ipa->ipa_mask.sen_sport = ipo->ipo_mask.sen_sport; 713 714 ipa->ipa_info.sen_dport = ipo->ipo_addr.sen_dport; 715 ipa->ipa_mask.sen_dport = ipo->ipo_mask.sen_dport; 716 } 717 break; 718 719 #ifdef INET6 720 case SENT_IP6: 721 ipa->ipa_info.sen_type = ipa->ipa_mask.sen_type = SENT_IP6; 722 ipa->ipa_info.sen_ip6_direction = 723 ipo->ipo_addr.sen_ip6_direction; 724 ipa->ipa_mask.sen_ip6_direction = 725 ipo->ipo_mask.sen_ip6_direction; 726 727 if (ipsp_is_unspecified(ipo->ipo_dst)) { 728 ipa->ipa_info.sen_ip6_src = ddst->sen_ip6_src; 729 ipa->ipa_mask.sen_ip6_src = in6mask128; 730 731 ipa->ipa_info.sen_ip6_dst = ddst->sen_ip6_dst; 732 ipa->ipa_mask.sen_ip6_dst = in6mask128; 733 } else { 734 ipa->ipa_info.sen_ip6_src = ipo->ipo_addr.sen_ip6_src; 735 ipa->ipa_mask.sen_ip6_src = ipo->ipo_mask.sen_ip6_src; 736 737 ipa->ipa_info.sen_ip6_dst = ipo->ipo_addr.sen_ip6_dst; 738 ipa->ipa_mask.sen_ip6_dst = ipo->ipo_mask.sen_ip6_dst; 739 } 740 741 ipa->ipa_info.sen_ip6_proto = ipo->ipo_addr.sen_ip6_proto; 742 ipa->ipa_mask.sen_ip6_proto = ipo->ipo_mask.sen_ip6_proto; 743 744 if (ipo->ipo_mask.sen_ip6_proto) { 745 ipa->ipa_info.sen_ip6_sport = 746 ipo->ipo_addr.sen_ip6_sport; 747 ipa->ipa_mask.sen_ip6_sport = 748 ipo->ipo_mask.sen_ip6_sport; 749 ipa->ipa_info.sen_ip6_dport = 750 ipo->ipo_addr.sen_ip6_dport; 751 ipa->ipa_mask.sen_ip6_dport = 752 ipo->ipo_mask.sen_ip6_dport; 753 } 754 break; 755 #endif /* INET6 */ 756 757 default: 758 pool_put(&ipsec_acquire_pool, ipa); 759 return 0; 760 } 761 762 timeout_add_sec(&ipa->ipa_timeout, ipsec_expire_acquire); 763 764 TAILQ_INSERT_TAIL(&ipsec_acquire_head, ipa, ipa_next); 765 TAILQ_INSERT_TAIL(&ipo->ipo_acquires, ipa, ipa_ipo_next); 766 ipa->ipa_policy = ipo; 767 768 /* PF_KEYv2 notification message. */ 769 return pfkeyv2_acquire(ipo, gw, laddr, &ipa->ipa_seq, ddst); 770 } 771 772 /* 773 * Deal with PCB security requirements. 774 */ 775 struct tdb * 776 ipsp_spd_inp(struct mbuf *m, int af, int hlen, int *error, int direction, 777 struct tdb *tdbp, struct inpcb *inp, struct ipsec_policy *ipo) 778 { 779 /* Sanity check. */ 780 if (inp == NULL) 781 goto justreturn; 782 783 /* We only support IPSEC_LEVEL_BYPASS or IPSEC_LEVEL_AVAIL */ 784 785 if (inp->inp_seclevel[SL_ESP_TRANS] == IPSEC_LEVEL_BYPASS && 786 inp->inp_seclevel[SL_ESP_NETWORK] == IPSEC_LEVEL_BYPASS && 787 inp->inp_seclevel[SL_AUTH] == IPSEC_LEVEL_BYPASS) 788 goto justreturn; 789 790 if (inp->inp_seclevel[SL_ESP_TRANS] == IPSEC_LEVEL_AVAIL && 791 inp->inp_seclevel[SL_ESP_NETWORK] == IPSEC_LEVEL_AVAIL && 792 inp->inp_seclevel[SL_AUTH] == IPSEC_LEVEL_AVAIL) 793 goto justreturn; 794 795 *error = -EINVAL; 796 return NULL; 797 798 justreturn: 799 if (ipo != NULL) 800 return ipo->ipo_tdb; 801 else 802 return NULL; 803 } 804 805 /* 806 * Find a pending ACQUIRE record based on its sequence number. 807 * XXX Need to use a better data structure. 808 */ 809 struct ipsec_acquire * 810 ipsec_get_acquire(u_int32_t seq) 811 { 812 struct ipsec_acquire *ipa; 813 814 TAILQ_FOREACH (ipa, &ipsec_acquire_head, ipa_next) 815 if (ipa->ipa_seq == seq) 816 return ipa; 817 818 return NULL; 819 } 820