1 /* $OpenBSD: ip_spd.c,v 1.47 2002/11/12 13:38:41 dhartmei Exp $ */ 2 /* 3 * The author of this code is Angelos D. Keromytis (angelos@cis.upenn.edu) 4 * 5 * Copyright (c) 2000-2001 Angelos D. Keromytis. 6 * 7 * Permission to use, copy, and modify this software with or without fee 8 * is hereby granted, provided that this entire notice is included in 9 * all copies of any software which is or includes a copy or 10 * modification of this software. 11 * You may use this code under the GNU public license if you so wish. Please 12 * contribute changes back to the authors under this freer than GPL license 13 * so that we may further the use of strong encryption without limitations to 14 * all. 15 * 16 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR 17 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY 18 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE 19 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR 20 * PURPOSE. 21 */ 22 23 #include <sys/param.h> 24 #include <sys/systm.h> 25 #include <sys/mbuf.h> 26 #include <sys/socket.h> 27 #include <sys/kernel.h> 28 #include <sys/socketvar.h> 29 #include <sys/protosw.h> 30 31 #include <net/if.h> 32 #include <net/route.h> 33 #include <net/netisr.h> 34 35 #ifdef INET 36 #include <netinet/in.h> 37 #include <netinet/in_systm.h> 38 #include <netinet/ip.h> 39 #include <netinet/in_pcb.h> 40 #include <netinet/in_var.h> 41 #endif /* INET */ 42 43 #ifdef INET6 44 #ifndef INET 45 #include <netinet/in.h> 46 #endif 47 #include <netinet6/in6_var.h> 48 #endif /* INET6 */ 49 50 #include <netinet/ip_ipsp.h> 51 #include <net/pfkeyv2.h> 52 53 #ifdef ENCDEBUG 54 #define DPRINTF(x) if (encdebug) printf x 55 #else 56 #define DPRINTF(x) 57 #endif 58 59 struct pool ipsec_policy_pool; 60 struct pool ipsec_acquire_pool; 61 int ipsec_policy_pool_initialized = 0; 62 int ipsec_acquire_pool_initialized = 0; 63 64 /* 65 * Lookup at the SPD based on the headers contained on the mbuf. The second 66 * argument indicates what protocol family the header at the beginning of 67 * the mbuf is. hlen is the the offset of the transport protocol header 68 * in the mbuf. 69 * 70 * Return combinations (of return value and in *error): 71 * - NULL/0 -> no IPsec required on packet 72 * - NULL/-EINVAL -> silently drop the packet 73 * - NULL/errno -> drop packet and return error 74 * or a pointer to a TDB (and 0 in *error). 75 * 76 * In the case of incoming flows, only the first three combinations are 77 * returned. 78 */ 79 struct tdb * 80 ipsp_spd_lookup(struct mbuf *m, int af, int hlen, int *error, int direction, 81 struct tdb *tdbp, struct inpcb *inp) 82 { 83 struct route_enc re0, *re = &re0; 84 union sockaddr_union sdst, ssrc; 85 struct sockaddr_encap *ddst; 86 struct ipsec_policy *ipo; 87 int signore = 0, dignore = 0; 88 89 /* 90 * If there are no flows in place, there's no point 91 * continuing with the SPD lookup. 92 */ 93 if (!ipsec_in_use && inp == NULL) { 94 *error = 0; 95 return NULL; 96 } 97 98 /* 99 * If an input packet is destined to a BYPASS socket, just accept it. 100 */ 101 if ((inp != NULL) && (direction == IPSP_DIRECTION_IN) && 102 (inp->inp_seclevel[SL_ESP_TRANS] == IPSEC_LEVEL_BYPASS) && 103 (inp->inp_seclevel[SL_ESP_NETWORK] == IPSEC_LEVEL_BYPASS) && 104 (inp->inp_seclevel[SL_AUTH] == IPSEC_LEVEL_BYPASS)) { 105 *error = 0; 106 return NULL; 107 } 108 109 bzero((caddr_t) re, sizeof(struct route_enc)); 110 bzero((caddr_t) &sdst, sizeof(union sockaddr_union)); 111 bzero((caddr_t) &ssrc, sizeof(union sockaddr_union)); 112 ddst = (struct sockaddr_encap *) &re->re_dst; 113 ddst->sen_family = PF_KEY; 114 ddst->sen_len = SENT_LEN; 115 116 switch (af) { 117 #ifdef INET 118 case AF_INET: 119 if (hlen < sizeof (struct ip) || m->m_pkthdr.len < hlen) { 120 *error = EINVAL; 121 return NULL; 122 } 123 ddst->sen_direction = direction; 124 ddst->sen_type = SENT_IP4; 125 126 m_copydata(m, offsetof(struct ip, ip_src), 127 sizeof(struct in_addr), (caddr_t) &(ddst->sen_ip_src)); 128 m_copydata(m, offsetof(struct ip, ip_dst), 129 sizeof(struct in_addr), (caddr_t) &(ddst->sen_ip_dst)); 130 m_copydata(m, offsetof(struct ip, ip_p), sizeof(u_int8_t), 131 (caddr_t) &(ddst->sen_proto)); 132 133 sdst.sin.sin_family = ssrc.sin.sin_family = AF_INET; 134 sdst.sin.sin_len = ssrc.sin.sin_len = 135 sizeof(struct sockaddr_in); 136 ssrc.sin.sin_addr = ddst->sen_ip_src; 137 sdst.sin.sin_addr = ddst->sen_ip_dst; 138 139 /* 140 * If TCP/UDP, extract the port numbers to use in the lookup. 141 */ 142 switch (ddst->sen_proto) { 143 case IPPROTO_UDP: 144 case IPPROTO_TCP: 145 /* Make sure there's enough data in the packet. */ 146 if (m->m_pkthdr.len < hlen + 2 * sizeof(u_int16_t)) { 147 *error = EINVAL; 148 return NULL; 149 } 150 151 /* 152 * Luckily, the offset of the src/dst ports in 153 * both the UDP and TCP headers is the same (first 154 * two 16-bit values in the respective headers), 155 * so we can just copy them. 156 */ 157 m_copydata(m, hlen, sizeof(u_int16_t), 158 (caddr_t) &(ddst->sen_sport)); 159 m_copydata(m, hlen + sizeof(u_int16_t), sizeof(u_int16_t), 160 (caddr_t) &(ddst->sen_dport)); 161 break; 162 163 default: 164 ddst->sen_sport = 0; 165 ddst->sen_dport = 0; 166 } 167 168 break; 169 #endif /* INET */ 170 171 #ifdef INET6 172 case AF_INET6: 173 if (hlen < sizeof (struct ip6_hdr) || m->m_pkthdr.len < hlen) { 174 *error = EINVAL; 175 return NULL; 176 } 177 ddst->sen_type = SENT_IP6; 178 ddst->sen_ip6_direction = direction; 179 180 m_copydata(m, offsetof(struct ip6_hdr, ip6_src), 181 sizeof(struct in6_addr), 182 (caddr_t) &(ddst->sen_ip6_src)); 183 m_copydata(m, offsetof(struct ip6_hdr, ip6_dst), 184 sizeof(struct in6_addr), 185 (caddr_t) &(ddst->sen_ip6_dst)); 186 m_copydata(m, offsetof(struct ip6_hdr, ip6_nxt), 187 sizeof(u_int8_t), 188 (caddr_t) &(ddst->sen_ip6_proto)); 189 190 sdst.sin6.sin6_family = ssrc.sin6.sin6_family = AF_INET6; 191 sdst.sin6.sin6_len = ssrc.sin6.sin6_family = 192 sizeof(struct sockaddr_in6); 193 ssrc.sin6.sin6_addr = ddst->sen_ip6_src; 194 sdst.sin6.sin6_addr = ddst->sen_ip6_dst; 195 196 /* 197 * If TCP/UDP, extract the port numbers to use in the lookup. 198 */ 199 switch (ddst->sen_ip6_proto) { 200 case IPPROTO_UDP: 201 case IPPROTO_TCP: 202 /* Make sure there's enough data in the packet. */ 203 if (m->m_pkthdr.len < hlen + 2 * sizeof(u_int16_t)) { 204 *error = EINVAL; 205 return NULL; 206 } 207 208 /* 209 * Luckily, the offset of the src/dst ports in 210 * both the UDP and TCP headers is the same 211 * (first two 16-bit values in the respective 212 * headers), so we can just copy them. 213 */ 214 m_copydata(m, hlen, sizeof(u_int16_t), 215 (caddr_t) &(ddst->sen_ip6_sport)); 216 m_copydata(m, hlen + sizeof(u_int16_t), sizeof(u_int16_t), 217 (caddr_t) &(ddst->sen_ip6_dport)); 218 break; 219 220 default: 221 ddst->sen_ip6_sport = 0; 222 ddst->sen_ip6_dport = 0; 223 } 224 225 break; 226 #endif /* INET6 */ 227 228 default: 229 *error = EAFNOSUPPORT; 230 return NULL; 231 } 232 233 /* Actual SPD lookup. */ 234 rtalloc((struct route *) re); 235 if (re->re_rt == NULL) { 236 /* 237 * Return whatever the socket requirements are, there are no 238 * system-wide policies. 239 */ 240 *error = 0; 241 return ipsp_spd_inp(m, af, hlen, error, direction, 242 tdbp, inp, NULL); 243 } 244 245 /* Sanity check. */ 246 if ((re->re_rt->rt_gateway == NULL) || 247 (((struct sockaddr_encap *) re->re_rt->rt_gateway)->sen_type != 248 SENT_IPSP)) { 249 RTFREE(re->re_rt); 250 *error = EHOSTUNREACH; 251 DPRINTF(("ip_spd_lookup: no gateway in SPD entry!")); 252 return NULL; 253 } 254 255 ipo = ((struct sockaddr_encap *) (re->re_rt->rt_gateway))->sen_ipsp; 256 RTFREE(re->re_rt); 257 if (ipo == NULL) { 258 *error = EHOSTUNREACH; 259 DPRINTF(("ip_spd_lookup: no policy attached to SPD entry!")); 260 return NULL; 261 } 262 263 switch (ipo->ipo_type) { 264 case IPSP_PERMIT: 265 *error = 0; 266 return ipsp_spd_inp(m, af, hlen, error, direction, tdbp, 267 inp, ipo); 268 269 case IPSP_DENY: 270 *error = EHOSTUNREACH; 271 return NULL; 272 273 case IPSP_IPSEC_USE: 274 case IPSP_IPSEC_ACQUIRE: 275 case IPSP_IPSEC_REQUIRE: 276 case IPSP_IPSEC_DONTACQ: 277 /* Nothing more needed here. */ 278 break; 279 280 default: 281 *error = EINVAL; 282 return NULL; 283 } 284 285 /* Check for non-specific destination in the policy. */ 286 switch (ipo->ipo_dst.sa.sa_family) { 287 #ifdef INET 288 case AF_INET: 289 if ((ipo->ipo_dst.sin.sin_addr.s_addr == INADDR_ANY) || 290 (ipo->ipo_dst.sin.sin_addr.s_addr == INADDR_BROADCAST)) 291 dignore = 1; 292 break; 293 #endif /* INET */ 294 295 #ifdef INET6 296 case AF_INET6: 297 if ((IN6_IS_ADDR_UNSPECIFIED(&ipo->ipo_dst.sin6.sin6_addr)) || 298 (bcmp(&ipo->ipo_dst.sin6.sin6_addr, &in6mask128, 299 sizeof(in6mask128)) == 0)) 300 dignore = 1; 301 break; 302 #endif /* INET6 */ 303 } 304 305 /* Likewise for source. */ 306 switch (ipo->ipo_src.sa.sa_family) { 307 #ifdef INET 308 case AF_INET: 309 if (ipo->ipo_src.sin.sin_addr.s_addr == INADDR_ANY) 310 signore = 1; 311 break; 312 #endif /* INET */ 313 314 #ifdef INET6 315 case AF_INET6: 316 if (IN6_IS_ADDR_UNSPECIFIED(&ipo->ipo_src.sin6.sin6_addr)) 317 signore = 1; 318 break; 319 #endif /* INET6 */ 320 } 321 322 /* Do we have a cached entry ? If so, check if it's still valid. */ 323 if ((ipo->ipo_tdb) && (ipo->ipo_tdb->tdb_flags & TDBF_INVALID)) { 324 TAILQ_REMOVE(&ipo->ipo_tdb->tdb_policy_head, ipo, 325 ipo_tdb_next); 326 ipo->ipo_tdb = NULL; 327 } 328 329 /* Outgoing packet policy check. */ 330 if (direction == IPSP_DIRECTION_OUT) { 331 /* 332 * If the packet is destined for the policy-specified 333 * gateway/endhost, and the socket has the BYPASS 334 * option set, skip IPsec processing. 335 */ 336 if ((inp != NULL) && 337 (inp->inp_seclevel[SL_ESP_TRANS] == IPSEC_LEVEL_BYPASS) && 338 (inp->inp_seclevel[SL_ESP_NETWORK] == 339 IPSEC_LEVEL_BYPASS) && 340 (inp->inp_seclevel[SL_AUTH] == IPSEC_LEVEL_BYPASS)) { 341 /* Direct match. */ 342 if (dignore || 343 !bcmp(&sdst, &ipo->ipo_dst, sdst.sa.sa_len)) { 344 *error = 0; 345 return NULL; 346 } 347 } 348 349 /* Check that the cached TDB (if present), is appropriate. */ 350 if (ipo->ipo_tdb) { 351 if ((ipo->ipo_last_searched <= ipsec_last_added) || 352 (ipo->ipo_sproto != ipo->ipo_tdb->tdb_sproto) || 353 bcmp(dignore ? &sdst : &ipo->ipo_dst, 354 &ipo->ipo_tdb->tdb_dst, 355 ipo->ipo_tdb->tdb_dst.sa.sa_len)) 356 goto nomatchout; 357 358 if (!ipsp_aux_match(ipo->ipo_tdb->tdb_srcid, 359 ipo->ipo_srcid, ipo->ipo_tdb->tdb_dstid, 360 ipo->ipo_dstid, ipo->ipo_tdb->tdb_local_cred, 361 ipo->ipo_local_cred, NULL, NULL, 362 &ipo->ipo_tdb->tdb_filter, &ipo->ipo_addr, 363 &ipo->ipo_tdb->tdb_filtermask, &ipo->ipo_mask)) 364 goto nomatchout; 365 366 /* Cached entry is good. */ 367 *error = 0; 368 return ipsp_spd_inp(m, af, hlen, error, direction, 369 tdbp, inp, ipo); 370 371 nomatchout: 372 /* Cached TDB was not good. */ 373 TAILQ_REMOVE(&ipo->ipo_tdb->tdb_policy_head, ipo, 374 ipo_tdb_next); 375 ipo->ipo_tdb = NULL; 376 ipo->ipo_last_searched = 0; 377 } 378 379 /* 380 * If no SA has been added since the last time we did a 381 * lookup, there's no point searching for one. However, if the 382 * destination gateway is left unspecified (or is all-1's), 383 * always lookup since this is a generic-match rule 384 * (otherwise, we can have situations where SAs to some 385 * destinations exist but are not used, possibly leading to an 386 * explosion in the number of acquired SAs). 387 */ 388 if (ipo->ipo_last_searched <= ipsec_last_added) { 389 /* "Touch" the entry. */ 390 if (dignore == 0) 391 ipo->ipo_last_searched = time.tv_sec; 392 393 /* Find an appropriate SA from the existing ones. */ 394 ipo->ipo_tdb = 395 gettdbbyaddr(dignore ? &sdst : &ipo->ipo_dst, 396 ipo->ipo_sproto, ipo->ipo_srcid, 397 ipo->ipo_dstid, ipo->ipo_local_cred, m, af, 398 &ipo->ipo_addr, &ipo->ipo_mask); 399 if (ipo->ipo_tdb) { 400 TAILQ_INSERT_TAIL(&ipo->ipo_tdb->tdb_policy_head, 401 ipo, ipo_tdb_next); 402 *error = 0; 403 return ipsp_spd_inp(m, af, hlen, error, 404 direction, tdbp, inp, ipo); 405 } 406 } 407 408 /* So, we don't have an SA -- just a policy. */ 409 switch (ipo->ipo_type) { 410 case IPSP_IPSEC_REQUIRE: 411 /* Acquire SA through key management. */ 412 if (ipsp_acquire_sa(ipo, 413 dignore ? &sdst : &ipo->ipo_dst, 414 signore ? NULL : &ipo->ipo_src, ddst, m) != 0) { 415 *error = EACCES; 416 return NULL; 417 } 418 419 /* Fall through */ 420 case IPSP_IPSEC_DONTACQ: 421 *error = -EINVAL; /* Silently drop packet. */ 422 return NULL; 423 424 case IPSP_IPSEC_ACQUIRE: 425 /* Acquire SA through key management. */ 426 ipsp_acquire_sa(ipo, dignore ? &sdst : &ipo->ipo_dst, 427 signore ? NULL : &ipo->ipo_src, ddst, NULL); 428 429 /* Fall through */ 430 case IPSP_IPSEC_USE: 431 *error = 0; 432 return ipsp_spd_inp(m, af, hlen, error, direction, 433 tdbp, inp, ipo); 434 } 435 } else { /* IPSP_DIRECTION_IN */ 436 if (tdbp != NULL) { 437 /* Direct match in the cache. */ 438 if (ipo->ipo_tdb == tdbp) { 439 *error = 0; 440 return ipsp_spd_inp(m, af, hlen, error, 441 direction, tdbp, inp, ipo); 442 } 443 444 if (bcmp(dignore ? &ssrc : &ipo->ipo_dst, 445 &tdbp->tdb_src, tdbp->tdb_src.sa.sa_len) || 446 (ipo->ipo_sproto != tdbp->tdb_sproto)) 447 goto nomatchin; 448 449 /* Match source ID. */ 450 if (ipo->ipo_srcid) { 451 if (tdbp->tdb_dstid == NULL || 452 !ipsp_ref_match(ipo->ipo_srcid, 453 tdbp->tdb_dstid)) 454 goto nomatchin; 455 } 456 457 /* Match destination ID. */ 458 if (ipo->ipo_dstid) { 459 if (tdbp->tdb_srcid == NULL || 460 !ipsp_ref_match(ipo->ipo_dstid, 461 tdbp->tdb_srcid)) 462 goto nomatchin; 463 } 464 465 /* Add it to the cache. */ 466 if (ipo->ipo_tdb) 467 TAILQ_REMOVE(&ipo->ipo_tdb->tdb_policy_head, 468 ipo, ipo_tdb_next); 469 ipo->ipo_tdb = tdbp; 470 TAILQ_INSERT_TAIL(&tdbp->tdb_policy_head, ipo, 471 ipo_tdb_next); 472 *error = 0; 473 return ipsp_spd_inp(m, af, hlen, error, direction, 474 tdbp, inp, ipo); 475 476 nomatchin: /* Nothing needed here, falling through */ 477 ; 478 } 479 480 /* Check whether cached entry applies. */ 481 if (ipo->ipo_tdb) { 482 /* 483 * We only need to check that the correct 484 * security protocol and security gateway are 485 * set; credentials/IDs will be the same, 486 * since the cached entry is linked on this 487 * policy. 488 */ 489 if (ipo->ipo_sproto == ipo->ipo_tdb->tdb_sproto && 490 !bcmp(&ipo->ipo_tdb->tdb_src, 491 dignore ? &ssrc : &ipo->ipo_dst, 492 ipo->ipo_tdb->tdb_src.sa.sa_len)) 493 goto skipinputsearch; 494 495 /* Not applicable, unlink. */ 496 TAILQ_REMOVE(&ipo->ipo_tdb->tdb_policy_head, ipo, 497 ipo_tdb_next); 498 ipo->ipo_last_searched = 0; 499 ipo->ipo_tdb = NULL; 500 } 501 502 /* Find whether there exists an appropriate SA. */ 503 if (ipo->ipo_last_searched <= ipsec_last_added) { 504 if (dignore == 0) 505 ipo->ipo_last_searched = time.tv_sec; 506 507 ipo->ipo_tdb = 508 gettdbbysrc(dignore ? &ssrc : &ipo->ipo_dst, 509 ipo->ipo_sproto, ipo->ipo_srcid, 510 ipo->ipo_dstid, m, af, &ipo->ipo_addr, 511 &ipo->ipo_mask); 512 if (ipo->ipo_tdb) 513 TAILQ_INSERT_TAIL(&ipo->ipo_tdb->tdb_policy_head, 514 ipo, ipo_tdb_next); 515 } 516 skipinputsearch: 517 518 switch (ipo->ipo_type) { 519 case IPSP_IPSEC_REQUIRE: 520 /* If appropriate SA exists, don't acquire another. */ 521 if (ipo->ipo_tdb) { 522 *error = -EINVAL; 523 return NULL; 524 } 525 526 /* Acquire SA through key management. */ 527 if ((*error = ipsp_acquire_sa(ipo, 528 dignore ? &ssrc : &ipo->ipo_dst, 529 signore ? NULL : &ipo->ipo_src, ddst, m)) != 0) 530 return NULL; 531 532 /* Fall through */ 533 case IPSP_IPSEC_DONTACQ: 534 /* Drop packet. */ 535 *error = -EINVAL; 536 return NULL; 537 538 case IPSP_IPSEC_ACQUIRE: 539 /* If appropriate SA exists, don't acquire another. */ 540 if (ipo->ipo_tdb) { 541 *error = 0; 542 return ipsp_spd_inp(m, af, hlen, error, 543 direction, tdbp, inp, ipo); 544 } 545 546 /* Acquire SA through key management. */ 547 ipsp_acquire_sa(ipo, dignore ? &ssrc : &ipo->ipo_dst, 548 signore ? NULL : &ipo->ipo_src, ddst, NULL); 549 550 /* Fall through */ 551 case IPSP_IPSEC_USE: 552 *error = 0; 553 return ipsp_spd_inp(m, af, hlen, error, direction, 554 tdbp, inp, ipo); 555 } 556 } 557 558 /* Shouldn't ever get this far. */ 559 *error = EINVAL; 560 return NULL; 561 } 562 563 /* 564 * Delete a policy from the SPD. 565 */ 566 int 567 ipsec_delete_policy(struct ipsec_policy *ipo) 568 { 569 struct ipsec_acquire *ipa; 570 int err = 0; 571 572 if (--ipo->ipo_ref_count > 0) 573 return 0; 574 575 /* Delete from SPD. */ 576 if (!(ipo->ipo_flags & IPSP_POLICY_SOCKET)) 577 err = rtrequest(RTM_DELETE, (struct sockaddr *) &ipo->ipo_addr, 578 (struct sockaddr *) 0, 579 (struct sockaddr *) &ipo->ipo_mask, 580 0, (struct rtentry **) 0); 581 582 if (ipo->ipo_tdb != NULL) 583 TAILQ_REMOVE(&ipo->ipo_tdb->tdb_policy_head, ipo, 584 ipo_tdb_next); 585 586 while ((ipa = TAILQ_FIRST(&ipo->ipo_acquires)) != NULL) 587 ipsp_delete_acquire(ipa); 588 589 TAILQ_REMOVE(&ipsec_policy_head, ipo, ipo_list); 590 591 if (ipo->ipo_srcid) 592 ipsp_reffree(ipo->ipo_srcid); 593 if (ipo->ipo_dstid) 594 ipsp_reffree(ipo->ipo_dstid); 595 if (ipo->ipo_local_cred) 596 ipsp_reffree(ipo->ipo_local_cred); 597 if (ipo->ipo_local_auth) 598 ipsp_reffree(ipo->ipo_local_auth); 599 600 pool_put(&ipsec_policy_pool, ipo); 601 602 if (!(ipo->ipo_flags & IPSP_POLICY_SOCKET)) 603 ipsec_in_use--; 604 605 return err; 606 } 607 608 /* 609 * Add a policy to the SPD. 610 */ 611 struct ipsec_policy * 612 ipsec_add_policy(struct inpcb *inp, int af, int direction) 613 { 614 struct ipsec_policy *ipon; 615 616 if (ipsec_policy_pool_initialized == 0) { 617 ipsec_policy_pool_initialized = 1; 618 pool_init(&ipsec_policy_pool, sizeof(struct ipsec_policy), 619 0, 0, 0, "ipsec policy", NULL); 620 } 621 622 ipon = pool_get(&ipsec_policy_pool, 0); 623 if (ipon == NULL) 624 return NULL; 625 626 bzero(ipon, sizeof(struct ipsec_policy)); 627 628 ipon->ipo_ref_count = 1; 629 ipon->ipo_flags |= IPSP_POLICY_SOCKET; 630 631 ipon->ipo_type = IPSP_IPSEC_REQUIRE; /* XXX */ 632 633 /* XXX 634 * We should actually be creating a linked list of 635 * policies (for tunnel/transport and ESP/AH), as needed. 636 */ 637 ipon->ipo_sproto = IPPROTO_ESP; 638 639 TAILQ_INIT(&ipon->ipo_acquires); 640 TAILQ_INSERT_HEAD(&ipsec_policy_head, ipon, ipo_list); 641 642 ipsec_update_policy(inp, ipon, af, direction); 643 644 return ipon; 645 } 646 647 /* 648 * Update a PCB-attached policy. 649 */ 650 void 651 ipsec_update_policy(struct inpcb *inp, struct ipsec_policy *ipon, int af, 652 int direction) 653 { 654 ipon->ipo_addr.sen_len = ipon->ipo_mask.sen_len = SENT_LEN; 655 ipon->ipo_addr.sen_family = ipon->ipo_mask.sen_family = PF_KEY; 656 ipon->ipo_src.sa.sa_family = ipon->ipo_dst.sa.sa_family = af; 657 658 switch (af) { 659 case AF_INET: 660 #ifdef INET 661 ipon->ipo_addr.sen_type = ipon->ipo_mask.sen_type = SENT_IP4; 662 ipon->ipo_addr.sen_ip_src = inp->inp_laddr; 663 ipon->ipo_addr.sen_ip_dst = inp->inp_faddr; 664 ipon->ipo_addr.sen_sport = inp->inp_lport; 665 ipon->ipo_addr.sen_dport = inp->inp_fport; 666 ipon->ipo_addr.sen_proto = 667 inp->inp_socket->so_proto->pr_protocol; 668 ipon->ipo_addr.sen_direction = direction; 669 670 ipon->ipo_mask.sen_ip_src.s_addr = 0xffffffff; 671 ipon->ipo_mask.sen_ip_dst.s_addr = 0xffffffff; 672 ipon->ipo_mask.sen_sport = ipon->ipo_mask.sen_dport = 0xffff; 673 ipon->ipo_mask.sen_proto = 0xff; 674 ipon->ipo_mask.sen_direction = direction; 675 676 ipon->ipo_src.sa.sa_len = sizeof(struct sockaddr_in); 677 ipon->ipo_dst.sa.sa_len = sizeof(struct sockaddr_in); 678 ipon->ipo_src.sin.sin_addr = inp->inp_laddr; 679 ipon->ipo_dst.sin.sin_addr = inp->inp_faddr; 680 #endif /* INET */ 681 break; 682 683 case AF_INET6: 684 #ifdef INET6 685 ipon->ipo_addr.sen_type = ipon->ipo_mask.sen_type = SENT_IP6; 686 ipon->ipo_addr.sen_ip6_src = inp->inp_laddr6; 687 ipon->ipo_addr.sen_ip6_dst = inp->inp_faddr6; 688 ipon->ipo_addr.sen_ip6_sport = inp->inp_lport; 689 ipon->ipo_addr.sen_ip6_dport = inp->inp_fport; 690 ipon->ipo_addr.sen_ip6_proto = 691 inp->inp_socket->so_proto->pr_protocol; 692 ipon->ipo_addr.sen_ip6_direction = direction; 693 694 ipon->ipo_mask.sen_ip6_src = in6mask128; 695 ipon->ipo_mask.sen_ip6_dst = in6mask128; 696 ipon->ipo_mask.sen_ip6_sport = 0xffff; 697 ipon->ipo_mask.sen_ip6_dport = 0xffff; 698 ipon->ipo_mask.sen_ip6_proto = 0xff; 699 ipon->ipo_mask.sen_ip6_direction = direction; 700 701 ipon->ipo_src.sa.sa_len = sizeof(struct sockaddr_in6); 702 ipon->ipo_dst.sa.sa_len = sizeof(struct sockaddr_in6); 703 ipon->ipo_src.sin6.sin6_addr = inp->inp_laddr6; 704 ipon->ipo_dst.sin6.sin6_addr = inp->inp_faddr6; 705 #endif /* INET6 */ 706 break; 707 } 708 } 709 710 /* 711 * Delete a pending IPsec acquire record. 712 */ 713 void 714 ipsp_delete_acquire(void *v) 715 { 716 struct ipsec_acquire *ipa = v; 717 718 timeout_del(&ipa->ipa_timeout); 719 TAILQ_REMOVE(&ipsec_acquire_head, ipa, ipa_next); 720 if (ipa->ipa_policy != NULL) 721 TAILQ_REMOVE(&ipa->ipa_policy->ipo_acquires, ipa, 722 ipa_ipo_next); 723 pool_put(&ipsec_acquire_pool, ipa); 724 } 725 726 /* 727 * Find out if there's an ACQUIRE pending. 728 * XXX Need a better structure. 729 */ 730 struct ipsec_acquire * 731 ipsp_pending_acquire(struct ipsec_policy *ipo, union sockaddr_union *gw) 732 { 733 struct ipsec_acquire *ipa; 734 735 TAILQ_FOREACH (ipa, &ipo->ipo_acquires, ipa_ipo_next) { 736 if (!bcmp(gw, &ipa->ipa_addr, gw->sa.sa_len)) 737 return ipa; 738 } 739 740 return NULL; 741 } 742 743 /* 744 * Signal key management that we need an SA. 745 * XXX For outgoing policies, we could try to hold on to the mbuf. 746 */ 747 int 748 ipsp_acquire_sa(struct ipsec_policy *ipo, union sockaddr_union *gw, 749 union sockaddr_union *laddr, struct sockaddr_encap *ddst, struct mbuf *m) 750 { 751 struct ipsec_acquire *ipa; 752 753 /* 754 * If this is a socket policy, it has to have authentication 755 * information accompanying it --- can't tell key mgmt. to 756 * "find" it for us. This avoids abusing key mgmt. to authenticate 757 * on an application's behalf, even if the application doesn't 758 * have/know (and shouldn't) the appropriate authentication 759 * material (passphrase, private key, etc.) 760 */ 761 if (ipo->ipo_flags & IPSP_POLICY_SOCKET && 762 ipo->ipo_local_auth == NULL) 763 return EINVAL; 764 765 /* Check whether request has been made already. */ 766 if ((ipa = ipsp_pending_acquire(ipo, gw)) != NULL) 767 return 0; 768 769 /* Add request in cache and proceed. */ 770 if (ipsec_acquire_pool_initialized == 0) { 771 ipsec_acquire_pool_initialized = 1; 772 pool_init(&ipsec_acquire_pool, sizeof(struct ipsec_acquire), 773 0, 0, 0, "ipsec acquire", NULL); 774 } 775 776 ipa = pool_get(&ipsec_acquire_pool, 0); 777 if (ipa == NULL) 778 return ENOMEM; 779 780 bzero(ipa, sizeof(struct ipsec_acquire)); 781 bcopy(gw, &ipa->ipa_addr, sizeof(union sockaddr_union)); 782 783 timeout_set(&ipa->ipa_timeout, ipsp_delete_acquire, ipa); 784 785 ipa->ipa_info.sen_len = ipa->ipa_mask.sen_len = SENT_LEN; 786 ipa->ipa_info.sen_family = ipa->ipa_mask.sen_family = PF_KEY; 787 788 /* Just copy the right information. */ 789 switch (ipo->ipo_addr.sen_type) { 790 #ifdef INET 791 case SENT_IP4: 792 ipa->ipa_info.sen_type = ipa->ipa_mask.sen_type = SENT_IP4; 793 ipa->ipa_info.sen_direction = ipo->ipo_addr.sen_direction; 794 ipa->ipa_mask.sen_direction = ipo->ipo_mask.sen_direction; 795 796 if (ipo->ipo_mask.sen_ip_src.s_addr == INADDR_ANY || 797 ipo->ipo_addr.sen_ip_src.s_addr == INADDR_ANY || 798 ipsp_is_unspecified(ipo->ipo_dst)) { 799 ipa->ipa_info.sen_ip_src = ddst->sen_ip_src; 800 ipa->ipa_mask.sen_ip_src.s_addr = INADDR_BROADCAST; 801 } else { 802 ipa->ipa_info.sen_ip_src = ipo->ipo_addr.sen_ip_src; 803 ipa->ipa_mask.sen_ip_src = ipo->ipo_mask.sen_ip_src; 804 } 805 806 if (ipo->ipo_mask.sen_ip_dst.s_addr == INADDR_ANY || 807 ipo->ipo_addr.sen_ip_dst.s_addr == INADDR_ANY || 808 ipsp_is_unspecified(ipo->ipo_dst)) { 809 ipa->ipa_info.sen_ip_dst = ddst->sen_ip_dst; 810 ipa->ipa_mask.sen_ip_dst.s_addr = INADDR_BROADCAST; 811 } else { 812 ipa->ipa_info.sen_ip_dst = ipo->ipo_addr.sen_ip_dst; 813 ipa->ipa_mask.sen_ip_dst = ipo->ipo_mask.sen_ip_dst; 814 } 815 816 ipa->ipa_info.sen_proto = ipo->ipo_addr.sen_proto; 817 ipa->ipa_mask.sen_proto = ipo->ipo_mask.sen_proto; 818 819 if (ipo->ipo_addr.sen_proto) { 820 ipa->ipa_info.sen_sport = ipo->ipo_addr.sen_sport; 821 ipa->ipa_mask.sen_sport = ipo->ipo_mask.sen_sport; 822 823 ipa->ipa_info.sen_dport = ipo->ipo_addr.sen_dport; 824 ipa->ipa_mask.sen_dport = ipo->ipo_mask.sen_dport; 825 } 826 break; 827 #endif /* INET */ 828 829 #ifdef INET6 830 case SENT_IP6: 831 ipa->ipa_info.sen_type = ipa->ipa_mask.sen_type = SENT_IP6; 832 ipa->ipa_info.sen_ip6_direction = 833 ipo->ipo_addr.sen_ip6_direction; 834 ipa->ipa_mask.sen_ip6_direction = 835 ipo->ipo_mask.sen_ip6_direction; 836 837 if (IN6_IS_ADDR_UNSPECIFIED(&ipo->ipo_mask.sen_ip6_src) || 838 IN6_IS_ADDR_UNSPECIFIED(&ipo->ipo_addr.sen_ip6_src) || 839 ipsp_is_unspecified(ipo->ipo_dst)) { 840 ipa->ipa_info.sen_ip6_src = ddst->sen_ip6_src; 841 ipa->ipa_mask.sen_ip6_src = in6mask128; 842 } else { 843 ipa->ipa_info.sen_ip6_src = ipo->ipo_addr.sen_ip6_src; 844 ipa->ipa_mask.sen_ip6_src = ipo->ipo_mask.sen_ip6_src; 845 } 846 847 if (IN6_IS_ADDR_UNSPECIFIED(&ipo->ipo_mask.sen_ip6_dst) || 848 IN6_IS_ADDR_UNSPECIFIED(&ipo->ipo_addr.sen_ip6_dst) || 849 ipsp_is_unspecified(ipo->ipo_dst)) { 850 ipa->ipa_info.sen_ip6_dst = ddst->sen_ip6_dst; 851 ipa->ipa_mask.sen_ip6_dst = in6mask128; 852 } else { 853 ipa->ipa_info.sen_ip6_dst = ipo->ipo_addr.sen_ip6_dst; 854 ipa->ipa_mask.sen_ip6_dst = ipo->ipo_mask.sen_ip6_dst; 855 } 856 857 ipa->ipa_info.sen_ip6_proto = ipo->ipo_addr.sen_ip6_proto; 858 ipa->ipa_mask.sen_ip6_proto = ipo->ipo_mask.sen_ip6_proto; 859 860 if (ipo->ipo_mask.sen_ip6_proto) { 861 ipa->ipa_info.sen_ip6_sport = 862 ipo->ipo_addr.sen_ip6_sport; 863 ipa->ipa_mask.sen_ip6_sport = 864 ipo->ipo_mask.sen_ip6_sport; 865 ipa->ipa_info.sen_ip6_dport = 866 ipo->ipo_addr.sen_ip6_dport; 867 ipa->ipa_mask.sen_ip6_dport = 868 ipo->ipo_mask.sen_ip6_dport; 869 } 870 break; 871 #endif /* INET6 */ 872 873 default: 874 pool_put(&ipsec_acquire_pool, ipa); 875 return 0; 876 } 877 878 timeout_add(&ipa->ipa_timeout, ipsec_expire_acquire * hz); 879 880 TAILQ_INSERT_TAIL(&ipsec_acquire_head, ipa, ipa_next); 881 TAILQ_INSERT_TAIL(&ipo->ipo_acquires, ipa, ipa_ipo_next); 882 ipa->ipa_policy = ipo; 883 884 /* PF_KEYv2 notification message. */ 885 return pfkeyv2_acquire(ipo, gw, laddr, &ipa->ipa_seq, ddst); 886 } 887 888 /* 889 * Deal with PCB security requirements. 890 */ 891 struct tdb * 892 ipsp_spd_inp(struct mbuf *m, int af, int hlen, int *error, int direction, 893 struct tdb *tdbp, struct inpcb *inp, struct ipsec_policy *ipo) 894 { 895 struct ipsec_policy sipon; 896 struct tdb_ident *tdbi; 897 struct m_tag *mtag; 898 struct tdb *tdb = NULL; 899 900 /* Sanity check. */ 901 if (inp == NULL) 902 goto justreturn; 903 904 /* Verify that we need to check for socket policy. */ 905 if ((inp->inp_seclevel[SL_ESP_TRANS] == IPSEC_LEVEL_BYPASS || 906 inp->inp_seclevel[SL_ESP_TRANS] == IPSEC_LEVEL_NONE) && 907 (inp->inp_seclevel[SL_ESP_NETWORK] == IPSEC_LEVEL_BYPASS || 908 inp->inp_seclevel[SL_ESP_NETWORK] == IPSEC_LEVEL_NONE) && 909 (inp->inp_seclevel[SL_AUTH] == IPSEC_LEVEL_BYPASS || 910 inp->inp_seclevel[SL_AUTH] == IPSEC_LEVEL_NONE)) 911 goto justreturn; 912 913 switch (direction) { 914 case IPSP_DIRECTION_IN: 915 /* 916 * Some further checking: if the socket has specified 917 * that it will accept unencrypted traffic, don't 918 * bother checking any further -- just accept the packet. 919 */ 920 if ((inp->inp_seclevel[SL_ESP_TRANS] == IPSEC_LEVEL_AVAIL || 921 inp->inp_seclevel[SL_ESP_TRANS] == IPSEC_LEVEL_USE) && 922 (inp->inp_seclevel[SL_ESP_NETWORK] == IPSEC_LEVEL_AVAIL || 923 inp->inp_seclevel[SL_ESP_NETWORK] == IPSEC_LEVEL_USE) && 924 (inp->inp_seclevel[SL_AUTH] == IPSEC_LEVEL_AVAIL || 925 inp->inp_seclevel[SL_AUTH] == IPSEC_LEVEL_USE)) 926 goto justreturn; 927 928 /* Initialize socket policy if unset. */ 929 if (inp->inp_ipo == NULL) { 930 inp->inp_ipo = ipsec_add_policy(inp, af, 931 IPSP_DIRECTION_OUT); 932 if (inp->inp_ipo == NULL) { 933 *error = ENOBUFS; 934 return NULL; 935 } 936 } 937 938 /* 939 * So we *must* have protected traffic. Let's see what 940 * we have received then. 941 */ 942 if (inp->inp_tdb_in != NULL) { 943 if (inp->inp_tdb_in == tdbp) 944 goto justreturn; /* We received packet under a 945 * previously-accepted TDB. */ 946 947 /* 948 * We should be receiving protected traffic, and 949 * have an SA in place, but packet was received 950 * unprotected. Simply discard. 951 */ 952 if (tdbp == NULL) { 953 *error = -EINVAL; 954 return NULL; 955 } 956 957 /* Update, since we may need all the relevant info. */ 958 ipsec_update_policy(inp, inp->inp_ipo, af, 959 IPSP_DIRECTION_OUT); 960 961 /* 962 * Check that the TDB the packet was received under 963 * is acceptable under the socket policy. If so, 964 * accept the packet; otherwise, discard. 965 */ 966 if (tdbp->tdb_sproto == inp->inp_ipo->ipo_sproto && 967 !bcmp(&tdbp->tdb_src, &inp->inp_ipo->ipo_dst, 968 SA_LEN(&tdbp->tdb_src.sa)) && 969 ipsp_aux_match(tdbp->tdb_srcid, 970 inp->inp_ipo->ipo_srcid, tdbp->tdb_dstid, 971 inp->inp_ipo->ipo_dstid, NULL, NULL, 972 NULL, NULL, &tdbp->tdb_filter, 973 &inp->inp_ipo->ipo_addr, 974 &tdbp->tdb_filtermask, 975 &inp->inp_ipo->ipo_mask)) 976 goto justreturn; 977 else { 978 *error = -EINVAL; 979 return NULL; 980 } 981 } else { 982 /* Update, since we may need all the relevant info. */ 983 ipsec_update_policy(inp, inp->inp_ipo, af, 984 IPSP_DIRECTION_OUT); 985 986 /* 987 * If the packet was received under an SA, see if 988 * it's acceptable under socket policy. If it is, 989 * accept the packet. 990 */ 991 if (tdbp != NULL && 992 tdbp->tdb_sproto == inp->inp_ipo->ipo_sproto && 993 !bcmp(&tdbp->tdb_src, &inp->inp_ipo->ipo_dst, 994 SA_LEN(&tdbp->tdb_src.sa)) && 995 ipsp_aux_match(tdbp->tdb_srcid, 996 inp->inp_ipo->ipo_srcid, tdbp->tdb_dstid, 997 inp->inp_ipo->ipo_dstid, NULL, NULL, 998 NULL, NULL, &tdbp->tdb_filter, 999 &inp->inp_ipo->ipo_addr, &tdbp->tdb_filtermask, 1000 &inp->inp_ipo->ipo_mask)) 1001 goto justreturn; 1002 1003 /* 1004 * If the packet was not received under an SA, or 1005 * if the SA it was received under is not acceptable, 1006 * see if we already have an acceptable SA 1007 * established. If we do, discard packet. 1008 */ 1009 if (inp->inp_ipo->ipo_last_searched <= 1010 ipsec_last_added) { 1011 inp->inp_ipo->ipo_last_searched = time.tv_sec; 1012 1013 /* Do we have an SA already established ? */ 1014 if (gettdbbysrc(&inp->inp_ipo->ipo_dst, 1015 inp->inp_ipo->ipo_sproto, 1016 inp->inp_ipo->ipo_srcid, 1017 inp->inp_ipo->ipo_dstid, m, af, 1018 &inp->inp_ipo->ipo_addr, 1019 &inp->inp_ipo->ipo_mask) != NULL) { 1020 *error = -EINVAL; 1021 return NULL; 1022 } 1023 /* Fall through */ 1024 } 1025 1026 /* 1027 * If we don't have an appropriate SA, acquire one 1028 * and discard the packet. 1029 */ 1030 ipsp_acquire_sa(inp->inp_ipo, &inp->inp_ipo->ipo_dst, 1031 &inp->inp_ipo->ipo_src, &inp->inp_ipo->ipo_addr, m); 1032 *error = -EINVAL; 1033 return NULL; 1034 } 1035 1036 break; 1037 1038 case IPSP_DIRECTION_OUT: 1039 /* Do we have a cached entry ? */ 1040 if (inp->inp_tdb_out != NULL) { 1041 /* 1042 * If we also have to apply a different TDB as 1043 * a result of a system-wide policy, add a tag 1044 * to the packet. 1045 */ 1046 if (ipo != NULL && m != NULL && 1047 ipo->ipo_tdb != NULL && 1048 ipo->ipo_tdb != inp->inp_tdb_out) { 1049 tdb = inp->inp_tdb_out; 1050 goto tagandreturn; 1051 } else 1052 return inp->inp_tdb_out; 1053 } 1054 1055 /* 1056 * We need to either find an SA with the appropriate 1057 * characteristics and link it to the PCB, or acquire 1058 * one. 1059 */ 1060 /* XXX Only support one policy/protocol for now. */ 1061 if (inp->inp_ipo != NULL) { 1062 if (inp->inp_ipo->ipo_last_searched <= 1063 ipsec_last_added) { 1064 inp->inp_ipo->ipo_last_searched = time.tv_sec; 1065 1066 /* Update, just in case. */ 1067 ipsec_update_policy(inp, inp->inp_ipo, af, 1068 IPSP_DIRECTION_OUT); 1069 1070 tdb = gettdbbyaddr(&inp->inp_ipo->ipo_dst, 1071 inp->inp_ipo->ipo_sproto, 1072 inp->inp_ipo->ipo_srcid, 1073 inp->inp_ipo->ipo_dstid, 1074 inp->inp_ipo->ipo_local_cred, m, af, 1075 &inp->inp_ipo->ipo_addr, 1076 &inp->inp_ipo->ipo_mask); 1077 } 1078 } else { 1079 /* 1080 * Construct a pseudo-policy, with just the necessary 1081 * fields. 1082 */ 1083 ipsec_update_policy(inp, &sipon, af, 1084 IPSP_DIRECTION_OUT); 1085 1086 tdb = gettdbbyaddr(&sipon.ipo_dst, IPPROTO_ESP, NULL, 1087 NULL, NULL, m, af, &sipon.ipo_addr, 1088 &sipon.ipo_mask); 1089 } 1090 1091 /* If we found an appropriate SA... */ 1092 if (tdb != NULL) { 1093 tdb_add_inp(tdb, inp, 0); /* Latch onto PCB. */ 1094 1095 if (ipo != NULL && ipo->ipo_tdb != NULL && 1096 ipo->ipo_tdb != inp->inp_tdb_out && m != NULL) 1097 goto tagandreturn; 1098 else 1099 return tdb; 1100 } else { 1101 /* Do we need to acquire one ? */ 1102 switch (inp->inp_seclevel[SL_ESP_TRANS]) { 1103 case IPSEC_LEVEL_BYPASS: 1104 case IPSEC_LEVEL_AVAIL: 1105 /* No need to do anything. */ 1106 goto justreturn; 1107 case IPSEC_LEVEL_USE: 1108 case IPSEC_LEVEL_REQUIRE: 1109 case IPSEC_LEVEL_UNIQUE: 1110 /* Initialize socket policy if unset. */ 1111 if (inp->inp_ipo == NULL) { 1112 inp->inp_ipo = ipsec_add_policy(inp, af, IPSP_DIRECTION_OUT); 1113 if (inp->inp_ipo == NULL) { 1114 *error = ENOBUFS; 1115 return NULL; 1116 } 1117 } 1118 1119 /* Acquire a new SA. */ 1120 if ((*error = ipsp_acquire_sa(inp->inp_ipo, 1121 &inp->inp_ipo->ipo_dst, 1122 &inp->inp_ipo->ipo_src, 1123 &inp->inp_ipo->ipo_addr, m)) == 0) 1124 *error = -EINVAL; 1125 1126 return NULL; 1127 default: 1128 DPRINTF(("ipsp_spd_inp: unknown sock security" 1129 " level %d", 1130 inp->inp_seclevel[SL_ESP_TRANS])); 1131 *error = -EINVAL; 1132 return NULL; 1133 } 1134 } 1135 break; 1136 1137 default: /* Should never happen. */ 1138 *error = -EINVAL; 1139 return NULL; 1140 } 1141 1142 tagandreturn: 1143 if (tdb == NULL) 1144 goto justreturn; 1145 1146 mtag = m_tag_get(PACKET_TAG_IPSEC_PENDING_TDB, 1147 sizeof (struct tdb_ident), M_NOWAIT); 1148 if (mtag == NULL) { 1149 *error = ENOMEM; 1150 return NULL; 1151 } 1152 1153 tdbi = (struct tdb_ident *)(mtag + 1); 1154 tdbi->spi = ipo->ipo_tdb->tdb_spi; 1155 tdbi->proto = ipo->ipo_tdb->tdb_sproto; 1156 bcopy(&ipo->ipo_tdb->tdb_dst, &tdbi->dst, 1157 ipo->ipo_tdb->tdb_dst.sa.sa_len); 1158 m_tag_prepend(m, mtag); 1159 return tdb; 1160 1161 justreturn: 1162 if (ipo != NULL) 1163 return ipo->ipo_tdb; 1164 else 1165 return NULL; 1166 } 1167 1168 /* 1169 * Find a pending ACQUIRE record based on its sequence number. 1170 * XXX Need to use a better data structure. 1171 */ 1172 struct ipsec_acquire * 1173 ipsec_get_acquire(u_int32_t seq) 1174 { 1175 struct ipsec_acquire *ipa; 1176 1177 TAILQ_FOREACH (ipa, &ipsec_acquire_head, ipa_next) 1178 if (ipa->ipa_seq == seq) 1179 return ipa; 1180 1181 return NULL; 1182 } 1183