1 /* $OpenBSD: ip_spd.c,v 1.104 2021/07/08 16:39:55 mvs Exp $ */ 2 /* 3 * The author of this code is Angelos D. Keromytis (angelos@cis.upenn.edu) 4 * 5 * Copyright (c) 2000-2001 Angelos D. Keromytis. 6 * 7 * Permission to use, copy, and modify this software with or without fee 8 * is hereby granted, provided that this entire notice is included in 9 * all copies of any software which is or includes a copy or 10 * modification of this software. 11 * You may use this code under the GNU public license if you so wish. Please 12 * contribute changes back to the authors under this freer than GPL license 13 * so that we may further the use of strong encryption without limitations to 14 * all. 15 * 16 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR 17 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY 18 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE 19 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR 20 * PURPOSE. 21 */ 22 23 #include <sys/param.h> 24 #include <sys/systm.h> 25 #include <sys/mbuf.h> 26 #include <sys/socket.h> 27 #include <sys/kernel.h> 28 #include <sys/socketvar.h> 29 #include <sys/domain.h> 30 #include <sys/protosw.h> 31 #include <sys/pool.h> 32 #include <sys/timeout.h> 33 34 #include <net/route.h> 35 #include <net/netisr.h> 36 37 #include <netinet/in.h> 38 #include <netinet/ip.h> 39 #include <netinet/ip_var.h> 40 #include <netinet/in_pcb.h> 41 #include <netinet/ip_ipsp.h> 42 #include <net/pfkeyv2.h> 43 44 int ipsp_acquire_sa(struct ipsec_policy *, union sockaddr_union *, 45 union sockaddr_union *, struct sockaddr_encap *, struct mbuf *); 46 struct ipsec_acquire *ipsp_pending_acquire(struct ipsec_policy *, 47 union sockaddr_union *); 48 void ipsp_delete_acquire_timo(void *); 49 void ipsp_delete_acquire(struct ipsec_acquire *); 50 51 struct pool ipsec_policy_pool; 52 struct pool ipsec_acquire_pool; 53 54 /* Protected by the NET_LOCK(). */ 55 struct radix_node_head **spd_tables; 56 unsigned int spd_table_max; 57 TAILQ_HEAD(ipsec_acquire_head, ipsec_acquire) ipsec_acquire_head = 58 TAILQ_HEAD_INITIALIZER(ipsec_acquire_head); 59 60 struct radix_node_head * 61 spd_table_get(unsigned int rtableid) 62 { 63 unsigned int rdomain; 64 65 NET_ASSERT_LOCKED(); 66 67 if (spd_tables == NULL) 68 return (NULL); 69 70 rdomain = rtable_l2(rtableid); 71 if (rdomain > spd_table_max) 72 return (NULL); 73 74 return (spd_tables[rdomain]); 75 } 76 77 struct radix_node_head * 78 spd_table_add(unsigned int rtableid) 79 { 80 struct radix_node_head *rnh = NULL; 81 unsigned int rdomain; 82 void *p; 83 84 NET_ASSERT_LOCKED(); 85 86 rdomain = rtable_l2(rtableid); 87 if (spd_tables == NULL || rdomain > spd_table_max) { 88 if ((p = mallocarray(rdomain + 1, sizeof(*rnh), 89 M_RTABLE, M_NOWAIT|M_ZERO)) == NULL) 90 return (NULL); 91 92 if (spd_tables != NULL) { 93 memcpy(p, spd_tables, sizeof(*rnh) * (spd_table_max+1)); 94 free(spd_tables, M_RTABLE, 95 sizeof(*rnh) * (spd_table_max+1)); 96 } 97 spd_tables = p; 98 spd_table_max = rdomain; 99 } 100 101 if (spd_tables[rdomain] == NULL) { 102 if (rn_inithead((void **)&rnh, 103 offsetof(struct sockaddr_encap, sen_type)) == 0) 104 rnh = NULL; 105 spd_tables[rdomain] = rnh; 106 } 107 108 return (spd_tables[rdomain]); 109 } 110 111 int 112 spd_table_walk(unsigned int rtableid, 113 int (*func)(struct ipsec_policy *, void *, unsigned int), void *arg) 114 { 115 struct radix_node_head *rnh; 116 int (*walker)(struct radix_node *, void *, u_int) = (void *)func; 117 int error; 118 119 rnh = spd_table_get(rtableid); 120 if (rnh == NULL) 121 return (0); 122 123 /* EGAIN means the tree changed. */ 124 while ((error = rn_walktree(rnh, walker, arg)) == EAGAIN) 125 continue; 126 127 return (error); 128 } 129 130 /* 131 * Lookup at the SPD based on the headers contained on the mbuf. The second 132 * argument indicates what protocol family the header at the beginning of 133 * the mbuf is. hlen is the offset of the transport protocol header 134 * in the mbuf. 135 * 136 * Return combinations (of return value and in *error): 137 * - NULL/0 -> no IPsec required on packet 138 * - NULL/-EINVAL -> silently drop the packet 139 * - NULL/errno -> drop packet and return error 140 * or a pointer to a TDB (and 0 in *error). 141 * 142 * In the case of incoming flows, only the first three combinations are 143 * returned. 144 */ 145 struct tdb * 146 ipsp_spd_lookup(struct mbuf *m, int af, int hlen, int *error, int direction, 147 struct tdb *tdbp, struct inpcb *inp, u_int32_t ipsecflowinfo) 148 { 149 struct radix_node_head *rnh; 150 struct radix_node *rn; 151 union sockaddr_union sdst, ssrc; 152 struct sockaddr_encap *ddst, dst; 153 struct ipsec_policy *ipo; 154 struct ipsec_ids *ids = NULL; 155 int signore = 0, dignore = 0; 156 u_int rdomain = rtable_l2(m->m_pkthdr.ph_rtableid); 157 158 NET_ASSERT_LOCKED(); 159 160 /* 161 * If there are no flows in place, there's no point 162 * continuing with the SPD lookup. 163 */ 164 if (!ipsec_in_use && inp == NULL) { 165 *error = 0; 166 return NULL; 167 } 168 169 /* 170 * If an input packet is destined to a BYPASS socket, just accept it. 171 */ 172 if ((inp != NULL) && (direction == IPSP_DIRECTION_IN) && 173 (inp->inp_seclevel[SL_ESP_TRANS] == IPSEC_LEVEL_BYPASS) && 174 (inp->inp_seclevel[SL_ESP_NETWORK] == IPSEC_LEVEL_BYPASS) && 175 (inp->inp_seclevel[SL_AUTH] == IPSEC_LEVEL_BYPASS)) { 176 *error = 0; 177 return NULL; 178 } 179 180 memset(&dst, 0, sizeof(dst)); 181 memset(&sdst, 0, sizeof(union sockaddr_union)); 182 memset(&ssrc, 0, sizeof(union sockaddr_union)); 183 ddst = (struct sockaddr_encap *)&dst; 184 ddst->sen_family = PF_KEY; 185 ddst->sen_len = SENT_LEN; 186 187 switch (af) { 188 case AF_INET: 189 if (hlen < sizeof (struct ip) || m->m_pkthdr.len < hlen) { 190 *error = EINVAL; 191 return NULL; 192 } 193 ddst->sen_direction = direction; 194 ddst->sen_type = SENT_IP4; 195 196 m_copydata(m, offsetof(struct ip, ip_src), 197 sizeof(struct in_addr), (caddr_t) &(ddst->sen_ip_src)); 198 m_copydata(m, offsetof(struct ip, ip_dst), 199 sizeof(struct in_addr), (caddr_t) &(ddst->sen_ip_dst)); 200 m_copydata(m, offsetof(struct ip, ip_p), sizeof(u_int8_t), 201 (caddr_t) &(ddst->sen_proto)); 202 203 sdst.sin.sin_family = ssrc.sin.sin_family = AF_INET; 204 sdst.sin.sin_len = ssrc.sin.sin_len = 205 sizeof(struct sockaddr_in); 206 ssrc.sin.sin_addr = ddst->sen_ip_src; 207 sdst.sin.sin_addr = ddst->sen_ip_dst; 208 209 /* 210 * If TCP/UDP, extract the port numbers to use in the lookup. 211 */ 212 switch (ddst->sen_proto) { 213 case IPPROTO_UDP: 214 case IPPROTO_TCP: 215 /* Make sure there's enough data in the packet. */ 216 if (m->m_pkthdr.len < hlen + 2 * sizeof(u_int16_t)) { 217 *error = EINVAL; 218 return NULL; 219 } 220 221 /* 222 * Luckily, the offset of the src/dst ports in 223 * both the UDP and TCP headers is the same (first 224 * two 16-bit values in the respective headers), 225 * so we can just copy them. 226 */ 227 m_copydata(m, hlen, sizeof(u_int16_t), 228 (caddr_t) &(ddst->sen_sport)); 229 m_copydata(m, hlen + sizeof(u_int16_t), sizeof(u_int16_t), 230 (caddr_t) &(ddst->sen_dport)); 231 break; 232 233 default: 234 ddst->sen_sport = 0; 235 ddst->sen_dport = 0; 236 } 237 238 break; 239 240 #ifdef INET6 241 case AF_INET6: 242 if (hlen < sizeof (struct ip6_hdr) || m->m_pkthdr.len < hlen) { 243 *error = EINVAL; 244 return NULL; 245 } 246 ddst->sen_type = SENT_IP6; 247 ddst->sen_ip6_direction = direction; 248 249 m_copydata(m, offsetof(struct ip6_hdr, ip6_src), 250 sizeof(struct in6_addr), 251 (caddr_t) &(ddst->sen_ip6_src)); 252 m_copydata(m, offsetof(struct ip6_hdr, ip6_dst), 253 sizeof(struct in6_addr), 254 (caddr_t) &(ddst->sen_ip6_dst)); 255 m_copydata(m, offsetof(struct ip6_hdr, ip6_nxt), 256 sizeof(u_int8_t), 257 (caddr_t) &(ddst->sen_ip6_proto)); 258 259 sdst.sin6.sin6_family = ssrc.sin6.sin6_family = AF_INET6; 260 sdst.sin6.sin6_len = ssrc.sin6.sin6_len = 261 sizeof(struct sockaddr_in6); 262 in6_recoverscope(&ssrc.sin6, &ddst->sen_ip6_src); 263 in6_recoverscope(&sdst.sin6, &ddst->sen_ip6_dst); 264 265 /* 266 * If TCP/UDP, extract the port numbers to use in the lookup. 267 */ 268 switch (ddst->sen_ip6_proto) { 269 case IPPROTO_UDP: 270 case IPPROTO_TCP: 271 /* Make sure there's enough data in the packet. */ 272 if (m->m_pkthdr.len < hlen + 2 * sizeof(u_int16_t)) { 273 *error = EINVAL; 274 return NULL; 275 } 276 277 /* 278 * Luckily, the offset of the src/dst ports in 279 * both the UDP and TCP headers is the same 280 * (first two 16-bit values in the respective 281 * headers), so we can just copy them. 282 */ 283 m_copydata(m, hlen, sizeof(u_int16_t), 284 (caddr_t) &(ddst->sen_ip6_sport)); 285 m_copydata(m, hlen + sizeof(u_int16_t), sizeof(u_int16_t), 286 (caddr_t) &(ddst->sen_ip6_dport)); 287 break; 288 289 default: 290 ddst->sen_ip6_sport = 0; 291 ddst->sen_ip6_dport = 0; 292 } 293 294 break; 295 #endif /* INET6 */ 296 297 default: 298 *error = EAFNOSUPPORT; 299 return NULL; 300 } 301 302 /* Actual SPD lookup. */ 303 if ((rnh = spd_table_get(rdomain)) == NULL || 304 (rn = rn_match((caddr_t)&dst, rnh)) == NULL) { 305 /* 306 * Return whatever the socket requirements are, there are no 307 * system-wide policies. 308 */ 309 *error = 0; 310 return ipsp_spd_inp(m, af, hlen, error, direction, 311 tdbp, inp, NULL); 312 } 313 ipo = (struct ipsec_policy *)rn; 314 315 switch (ipo->ipo_type) { 316 case IPSP_PERMIT: 317 *error = 0; 318 return ipsp_spd_inp(m, af, hlen, error, direction, tdbp, 319 inp, ipo); 320 321 case IPSP_DENY: 322 *error = EHOSTUNREACH; 323 return NULL; 324 325 case IPSP_IPSEC_USE: 326 case IPSP_IPSEC_ACQUIRE: 327 case IPSP_IPSEC_REQUIRE: 328 case IPSP_IPSEC_DONTACQ: 329 /* Nothing more needed here. */ 330 break; 331 332 default: 333 *error = EINVAL; 334 return NULL; 335 } 336 337 /* Check for non-specific destination in the policy. */ 338 switch (ipo->ipo_dst.sa.sa_family) { 339 case AF_INET: 340 if ((ipo->ipo_dst.sin.sin_addr.s_addr == INADDR_ANY) || 341 (ipo->ipo_dst.sin.sin_addr.s_addr == INADDR_BROADCAST)) 342 dignore = 1; 343 break; 344 345 #ifdef INET6 346 case AF_INET6: 347 if ((IN6_IS_ADDR_UNSPECIFIED(&ipo->ipo_dst.sin6.sin6_addr)) || 348 (memcmp(&ipo->ipo_dst.sin6.sin6_addr, &in6mask128, 349 sizeof(in6mask128)) == 0)) 350 dignore = 1; 351 break; 352 #endif /* INET6 */ 353 } 354 355 /* Likewise for source. */ 356 switch (ipo->ipo_src.sa.sa_family) { 357 case AF_INET: 358 if (ipo->ipo_src.sin.sin_addr.s_addr == INADDR_ANY) 359 signore = 1; 360 break; 361 362 #ifdef INET6 363 case AF_INET6: 364 if (IN6_IS_ADDR_UNSPECIFIED(&ipo->ipo_src.sin6.sin6_addr)) 365 signore = 1; 366 break; 367 #endif /* INET6 */ 368 } 369 370 /* Do we have a cached entry ? If so, check if it's still valid. */ 371 if ((ipo->ipo_tdb) && (ipo->ipo_tdb->tdb_flags & TDBF_INVALID)) { 372 TAILQ_REMOVE(&ipo->ipo_tdb->tdb_policy_head, ipo, 373 ipo_tdb_next); 374 ipo->ipo_tdb = NULL; 375 } 376 377 /* Outgoing packet policy check. */ 378 if (direction == IPSP_DIRECTION_OUT) { 379 /* 380 * If the packet is destined for the policy-specified 381 * gateway/endhost, and the socket has the BYPASS 382 * option set, skip IPsec processing. 383 */ 384 if ((inp != NULL) && 385 (inp->inp_seclevel[SL_ESP_TRANS] == IPSEC_LEVEL_BYPASS) && 386 (inp->inp_seclevel[SL_ESP_NETWORK] == 387 IPSEC_LEVEL_BYPASS) && 388 (inp->inp_seclevel[SL_AUTH] == IPSEC_LEVEL_BYPASS)) { 389 /* Direct match. */ 390 if (dignore || 391 !memcmp(&sdst, &ipo->ipo_dst, sdst.sa.sa_len)) { 392 *error = 0; 393 return NULL; 394 } 395 } 396 397 if (ipsecflowinfo) 398 ids = ipsp_ids_lookup(ipsecflowinfo); 399 400 /* Check that the cached TDB (if present), is appropriate. */ 401 if (ipo->ipo_tdb) { 402 if ((ipo->ipo_last_searched <= ipsec_last_added) || 403 (ipo->ipo_sproto != ipo->ipo_tdb->tdb_sproto) || 404 memcmp(dignore ? &sdst : &ipo->ipo_dst, 405 &ipo->ipo_tdb->tdb_dst, 406 ipo->ipo_tdb->tdb_dst.sa.sa_len)) 407 goto nomatchout; 408 409 if (!ipsp_aux_match(ipo->ipo_tdb, 410 ids ? ids : ipo->ipo_ids, 411 &ipo->ipo_addr, &ipo->ipo_mask)) 412 goto nomatchout; 413 414 /* Cached entry is good. */ 415 *error = 0; 416 return ipsp_spd_inp(m, af, hlen, error, direction, 417 tdbp, inp, ipo); 418 419 nomatchout: 420 /* Cached TDB was not good. */ 421 TAILQ_REMOVE(&ipo->ipo_tdb->tdb_policy_head, ipo, 422 ipo_tdb_next); 423 ipo->ipo_tdb = NULL; 424 ipo->ipo_last_searched = 0; 425 } 426 427 /* 428 * If no SA has been added since the last time we did a 429 * lookup, there's no point searching for one. However, if the 430 * destination gateway is left unspecified (or is all-1's), 431 * always lookup since this is a generic-match rule 432 * (otherwise, we can have situations where SAs to some 433 * destinations exist but are not used, possibly leading to an 434 * explosion in the number of acquired SAs). 435 */ 436 if (ipo->ipo_last_searched <= ipsec_last_added) { 437 /* "Touch" the entry. */ 438 if (dignore == 0) 439 ipo->ipo_last_searched = getuptime(); 440 441 /* Find an appropriate SA from the existing ones. */ 442 ipo->ipo_tdb = 443 gettdbbydst(rdomain, 444 dignore ? &sdst : &ipo->ipo_dst, 445 ipo->ipo_sproto, 446 ids ? ids: ipo->ipo_ids, 447 &ipo->ipo_addr, &ipo->ipo_mask); 448 if (ipo->ipo_tdb) { 449 TAILQ_INSERT_TAIL(&ipo->ipo_tdb->tdb_policy_head, 450 ipo, ipo_tdb_next); 451 *error = 0; 452 return ipsp_spd_inp(m, af, hlen, error, 453 direction, tdbp, inp, ipo); 454 } 455 } 456 457 /* So, we don't have an SA -- just a policy. */ 458 switch (ipo->ipo_type) { 459 case IPSP_IPSEC_REQUIRE: 460 /* Acquire SA through key management. */ 461 if (ipsp_acquire_sa(ipo, 462 dignore ? &sdst : &ipo->ipo_dst, 463 signore ? NULL : &ipo->ipo_src, ddst, m) != 0) { 464 *error = EACCES; 465 return NULL; 466 } 467 468 /* FALLTHROUGH */ 469 case IPSP_IPSEC_DONTACQ: 470 *error = -EINVAL; /* Silently drop packet. */ 471 return NULL; 472 473 case IPSP_IPSEC_ACQUIRE: 474 /* Acquire SA through key management. */ 475 ipsp_acquire_sa(ipo, dignore ? &sdst : &ipo->ipo_dst, 476 signore ? NULL : &ipo->ipo_src, ddst, NULL); 477 478 /* FALLTHROUGH */ 479 case IPSP_IPSEC_USE: 480 *error = 0; 481 return ipsp_spd_inp(m, af, hlen, error, direction, 482 tdbp, inp, ipo); 483 } 484 } else { /* IPSP_DIRECTION_IN */ 485 if (tdbp != NULL) { 486 /* 487 * Special case for bundled IPcomp/ESP SAs: 488 * 1) only IPcomp flows are loaded into kernel 489 * 2) input processing processes ESP SA first 490 * 3) then optional IPcomp processing happens 491 * 4) we only update m_tag for ESP 492 * => 'tdbp' is always set to ESP SA 493 * => flow has ipo_proto for IPcomp 494 * So if 'tdbp' points to an ESP SA and this 'tdbp' is 495 * bundled with an IPcomp SA, then we replace 'tdbp' 496 * with the IPcomp SA at tdbp->tdb_inext. 497 */ 498 if (ipo->ipo_sproto == IPPROTO_IPCOMP && 499 tdbp->tdb_sproto == IPPROTO_ESP && 500 tdbp->tdb_inext != NULL && 501 tdbp->tdb_inext->tdb_sproto == IPPROTO_IPCOMP) 502 tdbp = tdbp->tdb_inext; 503 504 /* Direct match in the cache. */ 505 if (ipo->ipo_tdb == tdbp) { 506 *error = 0; 507 return ipsp_spd_inp(m, af, hlen, error, 508 direction, tdbp, inp, ipo); 509 } 510 511 if (memcmp(dignore ? &ssrc : &ipo->ipo_dst, 512 &tdbp->tdb_src, tdbp->tdb_src.sa.sa_len) || 513 (ipo->ipo_sproto != tdbp->tdb_sproto)) 514 goto nomatchin; 515 516 /* Match source/dest IDs. */ 517 if (ipo->ipo_ids) 518 if (tdbp->tdb_ids == NULL || 519 !ipsp_ids_match(ipo->ipo_ids, tdbp->tdb_ids)) 520 goto nomatchin; 521 522 /* Add it to the cache. */ 523 if (ipo->ipo_tdb) 524 TAILQ_REMOVE(&ipo->ipo_tdb->tdb_policy_head, 525 ipo, ipo_tdb_next); 526 ipo->ipo_tdb = tdbp; 527 TAILQ_INSERT_TAIL(&tdbp->tdb_policy_head, ipo, 528 ipo_tdb_next); 529 *error = 0; 530 return ipsp_spd_inp(m, af, hlen, error, direction, 531 tdbp, inp, ipo); 532 533 nomatchin: /* Nothing needed here, falling through */ 534 ; 535 } 536 537 /* Check whether cached entry applies. */ 538 if (ipo->ipo_tdb) { 539 /* 540 * We only need to check that the correct 541 * security protocol and security gateway are 542 * set; IDs will be the same since the cached 543 * entry is linked on this policy. 544 */ 545 if (ipo->ipo_sproto == ipo->ipo_tdb->tdb_sproto && 546 !memcmp(&ipo->ipo_tdb->tdb_src, 547 dignore ? &ssrc : &ipo->ipo_dst, 548 ipo->ipo_tdb->tdb_src.sa.sa_len)) 549 goto skipinputsearch; 550 551 /* Not applicable, unlink. */ 552 TAILQ_REMOVE(&ipo->ipo_tdb->tdb_policy_head, ipo, 553 ipo_tdb_next); 554 ipo->ipo_last_searched = 0; 555 ipo->ipo_tdb = NULL; 556 } 557 558 /* Find whether there exists an appropriate SA. */ 559 if (ipo->ipo_last_searched <= ipsec_last_added) { 560 if (dignore == 0) 561 ipo->ipo_last_searched = getuptime(); 562 563 ipo->ipo_tdb = 564 gettdbbysrc(rdomain, 565 dignore ? &ssrc : &ipo->ipo_dst, 566 ipo->ipo_sproto, ipo->ipo_ids, 567 &ipo->ipo_addr, &ipo->ipo_mask); 568 if (ipo->ipo_tdb) 569 TAILQ_INSERT_TAIL(&ipo->ipo_tdb->tdb_policy_head, 570 ipo, ipo_tdb_next); 571 } 572 skipinputsearch: 573 574 switch (ipo->ipo_type) { 575 case IPSP_IPSEC_REQUIRE: 576 /* If appropriate SA exists, don't acquire another. */ 577 if (ipo->ipo_tdb) { 578 *error = -EINVAL; 579 return NULL; 580 } 581 582 /* Acquire SA through key management. */ 583 if ((*error = ipsp_acquire_sa(ipo, 584 dignore ? &ssrc : &ipo->ipo_dst, 585 signore ? NULL : &ipo->ipo_src, ddst, m)) != 0) 586 return NULL; 587 588 /* FALLTHROUGH */ 589 case IPSP_IPSEC_DONTACQ: 590 /* Drop packet. */ 591 *error = -EINVAL; 592 return NULL; 593 594 case IPSP_IPSEC_ACQUIRE: 595 /* If appropriate SA exists, don't acquire another. */ 596 if (ipo->ipo_tdb) { 597 *error = 0; 598 return ipsp_spd_inp(m, af, hlen, error, 599 direction, tdbp, inp, ipo); 600 } 601 602 /* Acquire SA through key management. */ 603 ipsp_acquire_sa(ipo, dignore ? &ssrc : &ipo->ipo_dst, 604 signore ? NULL : &ipo->ipo_src, ddst, NULL); 605 606 /* FALLTHROUGH */ 607 case IPSP_IPSEC_USE: 608 *error = 0; 609 return ipsp_spd_inp(m, af, hlen, error, direction, 610 tdbp, inp, ipo); 611 } 612 } 613 614 /* Shouldn't ever get this far. */ 615 *error = EINVAL; 616 return NULL; 617 } 618 619 /* 620 * Delete a policy from the SPD. 621 */ 622 int 623 ipsec_delete_policy(struct ipsec_policy *ipo) 624 { 625 struct ipsec_acquire *ipa; 626 struct radix_node_head *rnh; 627 struct radix_node *rn = (struct radix_node *)ipo; 628 int err = 0; 629 630 NET_ASSERT_LOCKED(); 631 632 if (--ipo->ipo_ref_count > 0) 633 return 0; 634 635 /* Delete from SPD. */ 636 if ((rnh = spd_table_get(ipo->ipo_rdomain)) == NULL || 637 rn_delete(&ipo->ipo_addr, &ipo->ipo_mask, rnh, rn) == NULL) 638 return (ESRCH); 639 640 if (ipo->ipo_tdb != NULL) 641 TAILQ_REMOVE(&ipo->ipo_tdb->tdb_policy_head, ipo, 642 ipo_tdb_next); 643 644 while ((ipa = TAILQ_FIRST(&ipo->ipo_acquires)) != NULL) 645 ipsp_delete_acquire(ipa); 646 647 TAILQ_REMOVE(&ipsec_policy_head, ipo, ipo_list); 648 649 if (ipo->ipo_ids) 650 ipsp_ids_free(ipo->ipo_ids); 651 652 ipsec_in_use--; 653 654 pool_put(&ipsec_policy_pool, ipo); 655 656 return err; 657 } 658 659 void 660 ipsp_delete_acquire_timo(void *v) 661 { 662 struct ipsec_acquire *ipa = v; 663 664 NET_LOCK(); 665 ipsp_delete_acquire(ipa); 666 NET_UNLOCK(); 667 } 668 669 /* 670 * Delete a pending IPsec acquire record. 671 */ 672 void 673 ipsp_delete_acquire(struct ipsec_acquire *ipa) 674 { 675 NET_ASSERT_LOCKED(); 676 677 timeout_del(&ipa->ipa_timeout); 678 TAILQ_REMOVE(&ipsec_acquire_head, ipa, ipa_next); 679 if (ipa->ipa_policy != NULL) 680 TAILQ_REMOVE(&ipa->ipa_policy->ipo_acquires, ipa, 681 ipa_ipo_next); 682 pool_put(&ipsec_acquire_pool, ipa); 683 } 684 685 /* 686 * Find out if there's an ACQUIRE pending. 687 * XXX Need a better structure. 688 */ 689 struct ipsec_acquire * 690 ipsp_pending_acquire(struct ipsec_policy *ipo, union sockaddr_union *gw) 691 { 692 struct ipsec_acquire *ipa; 693 694 NET_ASSERT_LOCKED(); 695 696 TAILQ_FOREACH (ipa, &ipo->ipo_acquires, ipa_ipo_next) { 697 if (!memcmp(gw, &ipa->ipa_addr, gw->sa.sa_len)) 698 return ipa; 699 } 700 701 return NULL; 702 } 703 704 /* 705 * Signal key management that we need an SA. 706 * XXX For outgoing policies, we could try to hold on to the mbuf. 707 */ 708 int 709 ipsp_acquire_sa(struct ipsec_policy *ipo, union sockaddr_union *gw, 710 union sockaddr_union *laddr, struct sockaddr_encap *ddst, struct mbuf *m) 711 { 712 struct ipsec_acquire *ipa; 713 714 NET_ASSERT_LOCKED(); 715 716 /* Check whether request has been made already. */ 717 if ((ipa = ipsp_pending_acquire(ipo, gw)) != NULL) 718 return 0; 719 720 /* Add request in cache and proceed. */ 721 ipa = pool_get(&ipsec_acquire_pool, PR_NOWAIT|PR_ZERO); 722 if (ipa == NULL) 723 return ENOMEM; 724 725 ipa->ipa_addr = *gw; 726 727 timeout_set_proc(&ipa->ipa_timeout, ipsp_delete_acquire_timo, ipa); 728 729 ipa->ipa_info.sen_len = ipa->ipa_mask.sen_len = SENT_LEN; 730 ipa->ipa_info.sen_family = ipa->ipa_mask.sen_family = PF_KEY; 731 732 /* Just copy the right information. */ 733 switch (ipo->ipo_addr.sen_type) { 734 case SENT_IP4: 735 ipa->ipa_info.sen_type = ipa->ipa_mask.sen_type = SENT_IP4; 736 ipa->ipa_info.sen_direction = ipo->ipo_addr.sen_direction; 737 ipa->ipa_mask.sen_direction = ipo->ipo_mask.sen_direction; 738 739 if (ipsp_is_unspecified(ipo->ipo_dst)) { 740 ipa->ipa_info.sen_ip_src = ddst->sen_ip_src; 741 ipa->ipa_mask.sen_ip_src.s_addr = INADDR_BROADCAST; 742 743 ipa->ipa_info.sen_ip_dst = ddst->sen_ip_dst; 744 ipa->ipa_mask.sen_ip_dst.s_addr = INADDR_BROADCAST; 745 } else { 746 ipa->ipa_info.sen_ip_src = ipo->ipo_addr.sen_ip_src; 747 ipa->ipa_mask.sen_ip_src = ipo->ipo_mask.sen_ip_src; 748 749 ipa->ipa_info.sen_ip_dst = ipo->ipo_addr.sen_ip_dst; 750 ipa->ipa_mask.sen_ip_dst = ipo->ipo_mask.sen_ip_dst; 751 } 752 753 ipa->ipa_info.sen_proto = ipo->ipo_addr.sen_proto; 754 ipa->ipa_mask.sen_proto = ipo->ipo_mask.sen_proto; 755 756 if (ipo->ipo_addr.sen_proto) { 757 ipa->ipa_info.sen_sport = ipo->ipo_addr.sen_sport; 758 ipa->ipa_mask.sen_sport = ipo->ipo_mask.sen_sport; 759 760 ipa->ipa_info.sen_dport = ipo->ipo_addr.sen_dport; 761 ipa->ipa_mask.sen_dport = ipo->ipo_mask.sen_dport; 762 } 763 break; 764 765 #ifdef INET6 766 case SENT_IP6: 767 ipa->ipa_info.sen_type = ipa->ipa_mask.sen_type = SENT_IP6; 768 ipa->ipa_info.sen_ip6_direction = 769 ipo->ipo_addr.sen_ip6_direction; 770 ipa->ipa_mask.sen_ip6_direction = 771 ipo->ipo_mask.sen_ip6_direction; 772 773 if (ipsp_is_unspecified(ipo->ipo_dst)) { 774 ipa->ipa_info.sen_ip6_src = ddst->sen_ip6_src; 775 ipa->ipa_mask.sen_ip6_src = in6mask128; 776 777 ipa->ipa_info.sen_ip6_dst = ddst->sen_ip6_dst; 778 ipa->ipa_mask.sen_ip6_dst = in6mask128; 779 } else { 780 ipa->ipa_info.sen_ip6_src = ipo->ipo_addr.sen_ip6_src; 781 ipa->ipa_mask.sen_ip6_src = ipo->ipo_mask.sen_ip6_src; 782 783 ipa->ipa_info.sen_ip6_dst = ipo->ipo_addr.sen_ip6_dst; 784 ipa->ipa_mask.sen_ip6_dst = ipo->ipo_mask.sen_ip6_dst; 785 } 786 787 ipa->ipa_info.sen_ip6_proto = ipo->ipo_addr.sen_ip6_proto; 788 ipa->ipa_mask.sen_ip6_proto = ipo->ipo_mask.sen_ip6_proto; 789 790 if (ipo->ipo_mask.sen_ip6_proto) { 791 ipa->ipa_info.sen_ip6_sport = 792 ipo->ipo_addr.sen_ip6_sport; 793 ipa->ipa_mask.sen_ip6_sport = 794 ipo->ipo_mask.sen_ip6_sport; 795 ipa->ipa_info.sen_ip6_dport = 796 ipo->ipo_addr.sen_ip6_dport; 797 ipa->ipa_mask.sen_ip6_dport = 798 ipo->ipo_mask.sen_ip6_dport; 799 } 800 break; 801 #endif /* INET6 */ 802 803 default: 804 pool_put(&ipsec_acquire_pool, ipa); 805 return 0; 806 } 807 808 #ifdef IPSEC 809 timeout_add_sec(&ipa->ipa_timeout, ipsec_expire_acquire); 810 #endif 811 812 TAILQ_INSERT_TAIL(&ipsec_acquire_head, ipa, ipa_next); 813 TAILQ_INSERT_TAIL(&ipo->ipo_acquires, ipa, ipa_ipo_next); 814 ipa->ipa_policy = ipo; 815 816 /* PF_KEYv2 notification message. */ 817 return pfkeyv2_acquire(ipo, gw, laddr, &ipa->ipa_seq, ddst); 818 } 819 820 /* 821 * Deal with PCB security requirements. 822 */ 823 struct tdb * 824 ipsp_spd_inp(struct mbuf *m, int af, int hlen, int *error, int direction, 825 struct tdb *tdbp, struct inpcb *inp, struct ipsec_policy *ipo) 826 { 827 /* Sanity check. */ 828 if (inp == NULL) 829 goto justreturn; 830 831 /* We only support IPSEC_LEVEL_BYPASS or IPSEC_LEVEL_AVAIL */ 832 833 if (inp->inp_seclevel[SL_ESP_TRANS] == IPSEC_LEVEL_BYPASS && 834 inp->inp_seclevel[SL_ESP_NETWORK] == IPSEC_LEVEL_BYPASS && 835 inp->inp_seclevel[SL_AUTH] == IPSEC_LEVEL_BYPASS) 836 goto justreturn; 837 838 if (inp->inp_seclevel[SL_ESP_TRANS] == IPSEC_LEVEL_AVAIL && 839 inp->inp_seclevel[SL_ESP_NETWORK] == IPSEC_LEVEL_AVAIL && 840 inp->inp_seclevel[SL_AUTH] == IPSEC_LEVEL_AVAIL) 841 goto justreturn; 842 843 *error = -EINVAL; 844 return NULL; 845 846 justreturn: 847 if (ipo != NULL) 848 return ipo->ipo_tdb; 849 else 850 return NULL; 851 } 852 853 /* 854 * Find a pending ACQUIRE record based on its sequence number. 855 * XXX Need to use a better data structure. 856 */ 857 struct ipsec_acquire * 858 ipsec_get_acquire(u_int32_t seq) 859 { 860 struct ipsec_acquire *ipa; 861 862 NET_ASSERT_LOCKED(); 863 864 TAILQ_FOREACH (ipa, &ipsec_acquire_head, ipa_next) 865 if (ipa->ipa_seq == seq) 866 return ipa; 867 868 return NULL; 869 } 870