1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21 /*
22 * Copyright 2010 Sun Microsystems, Inc. All rights reserved.
23 * Use is subject to license terms.
24 * Copyright (c) 2012 Nexenta Systems, Inc. All rights reserved.
25 * Copyright (c) 2016 by Delphix. All rights reserved.
26 * Copyright (c) 2017, Joyent, Inc.
27 */
28
29 /*
30 * IPsec Security Policy Database.
31 *
32 * This module maintains the SPD and provides routines used by ip and ip6
33 * to apply IPsec policy to inbound and outbound datagrams.
34 */
35
36 #include <sys/types.h>
37 #include <sys/stream.h>
38 #include <sys/stropts.h>
39 #include <sys/sysmacros.h>
40 #include <sys/strsubr.h>
41 #include <sys/strsun.h>
42 #include <sys/strlog.h>
43 #include <sys/strsun.h>
44 #include <sys/cmn_err.h>
45 #include <sys/zone.h>
46
47 #include <sys/systm.h>
48 #include <sys/param.h>
49 #include <sys/kmem.h>
50 #include <sys/ddi.h>
51
52 #include <sys/crypto/api.h>
53
54 #include <inet/common.h>
55 #include <inet/mi.h>
56
57 #include <netinet/ip6.h>
58 #include <netinet/icmp6.h>
59 #include <netinet/udp.h>
60
61 #include <inet/ip.h>
62 #include <inet/ip6.h>
63
64 #include <net/pfkeyv2.h>
65 #include <net/pfpolicy.h>
66 #include <inet/sadb.h>
67 #include <inet/ipsec_impl.h>
68
69 #include <inet/ip_impl.h> /* For IP_MOD_ID */
70
71 #include <inet/ipsecah.h>
72 #include <inet/ipsecesp.h>
73 #include <inet/ipdrop.h>
74 #include <inet/ipclassifier.h>
75 #include <inet/iptun.h>
76 #include <inet/iptun/iptun_impl.h>
77
78 static void ipsec_update_present_flags(ipsec_stack_t *);
79 static ipsec_act_t *ipsec_act_wildcard_expand(ipsec_act_t *, uint_t *,
80 netstack_t *);
81 static mblk_t *ipsec_check_ipsecin_policy(mblk_t *, ipsec_policy_t *,
82 ipha_t *, ip6_t *, uint64_t, ip_recv_attr_t *, netstack_t *);
83 static void ipsec_action_free_table(ipsec_action_t *);
84 static void ipsec_action_reclaim(void *);
85 static void ipsec_action_reclaim_stack(ipsec_stack_t *);
86 static void ipsid_init(netstack_t *);
87 static void ipsid_fini(netstack_t *);
88
89 /* sel_flags values for ipsec_init_inbound_sel(). */
90 #define SEL_NONE 0x0000
91 #define SEL_PORT_POLICY 0x0001
92 #define SEL_IS_ICMP 0x0002
93 #define SEL_TUNNEL_MODE 0x0004
94 #define SEL_POST_FRAG 0x0008
95
96 /* Return values for ipsec_init_inbound_sel(). */
97 typedef enum { SELRET_NOMEM, SELRET_BADPKT, SELRET_SUCCESS, SELRET_TUNFRAG}
98 selret_t;
99
100 static selret_t ipsec_init_inbound_sel(ipsec_selector_t *, mblk_t *,
101 ipha_t *, ip6_t *, uint8_t);
102
103 static boolean_t ipsec_check_ipsecin_action(ip_recv_attr_t *, mblk_t *,
104 struct ipsec_action_s *, ipha_t *ipha, ip6_t *ip6h, const char **,
105 kstat_named_t **, netstack_t *);
106 static void ipsec_unregister_prov_update(void);
107 static void ipsec_prov_update_callback_stack(uint32_t, void *, netstack_t *);
108 static boolean_t ipsec_compare_action(ipsec_policy_t *, ipsec_policy_t *);
109 static uint32_t selector_hash(ipsec_selector_t *, ipsec_policy_root_t *);
110 static boolean_t ipsec_kstat_init(ipsec_stack_t *);
111 static void ipsec_kstat_destroy(ipsec_stack_t *);
112 static int ipsec_free_tables(ipsec_stack_t *);
113 static int tunnel_compare(const void *, const void *);
114 static void ipsec_freemsg_chain(mblk_t *);
115 static void ip_drop_packet_chain(mblk_t *, boolean_t, ill_t *,
116 struct kstat_named *, ipdropper_t *);
117 static boolean_t ipsec_kstat_init(ipsec_stack_t *);
118 static void ipsec_kstat_destroy(ipsec_stack_t *);
119 static int ipsec_free_tables(ipsec_stack_t *);
120 static int tunnel_compare(const void *, const void *);
121 static void ipsec_freemsg_chain(mblk_t *);
122
123 /*
124 * Selector hash table is statically sized at module load time.
125 * we default to 251 buckets, which is the largest prime number under 255
126 */
127
128 #define IPSEC_SPDHASH_DEFAULT 251
129
130 /* SPD hash-size tunable per tunnel. */
131 #define TUN_SPDHASH_DEFAULT 5
132
133 uint32_t ipsec_spd_hashsize;
134 uint32_t tun_spd_hashsize;
135
136 #define IPSEC_SEL_NOHASH ((uint32_t)(~0))
137
138 /*
139 * Handle global across all stack instances
140 */
141 static crypto_notify_handle_t prov_update_handle = NULL;
142
143 static kmem_cache_t *ipsec_action_cache;
144 static kmem_cache_t *ipsec_sel_cache;
145 static kmem_cache_t *ipsec_pol_cache;
146
147 /* Frag cache prototypes */
148 static void ipsec_fragcache_clean(ipsec_fragcache_t *, ipsec_stack_t *);
149 static ipsec_fragcache_entry_t *fragcache_delentry(int,
150 ipsec_fragcache_entry_t *, ipsec_fragcache_t *, ipsec_stack_t *);
151 boolean_t ipsec_fragcache_init(ipsec_fragcache_t *);
152 void ipsec_fragcache_uninit(ipsec_fragcache_t *, ipsec_stack_t *ipss);
153 mblk_t *ipsec_fragcache_add(ipsec_fragcache_t *, mblk_t *, mblk_t *,
154 int, ipsec_stack_t *);
155
156 int ipsec_hdr_pullup_needed = 0;
157 int ipsec_weird_null_inbound_policy = 0;
158
159 #define ALGBITS_ROUND_DOWN(x, align) (((x)/(align))*(align))
160 #define ALGBITS_ROUND_UP(x, align) ALGBITS_ROUND_DOWN((x)+(align)-1, align)
161
162 /*
163 * Inbound traffic should have matching identities for both SA's.
164 */
165
166 #define SA_IDS_MATCH(sa1, sa2) \
167 (((sa1) == NULL) || ((sa2) == NULL) || \
168 (((sa1)->ipsa_src_cid == (sa2)->ipsa_src_cid) && \
169 (((sa1)->ipsa_dst_cid == (sa2)->ipsa_dst_cid))))
170
171 /*
172 * IPv6 Fragments
173 */
174 #define IS_V6_FRAGMENT(ipp) (ipp.ipp_fields & IPPF_FRAGHDR)
175
176 /*
177 * Policy failure messages.
178 */
179 static char *ipsec_policy_failure_msgs[] = {
180
181 /* IPSEC_POLICY_NOT_NEEDED */
182 "%s: Dropping the datagram because the incoming packet "
183 "is %s, but the recipient expects clear; Source %s, "
184 "Destination %s.\n",
185
186 /* IPSEC_POLICY_MISMATCH */
187 "%s: Policy Failure for the incoming packet (%s); Source %s, "
188 "Destination %s.\n",
189
190 /* IPSEC_POLICY_AUTH_NOT_NEEDED */
191 "%s: Authentication present while not expected in the "
192 "incoming %s packet; Source %s, Destination %s.\n",
193
194 /* IPSEC_POLICY_ENCR_NOT_NEEDED */
195 "%s: Encryption present while not expected in the "
196 "incoming %s packet; Source %s, Destination %s.\n",
197
198 /* IPSEC_POLICY_SE_NOT_NEEDED */
199 "%s: Self-Encapsulation present while not expected in the "
200 "incoming %s packet; Source %s, Destination %s.\n",
201 };
202
203 /*
204 * General overviews:
205 *
206 * Locking:
207 *
208 * All of the system policy structures are protected by a single
209 * rwlock. These structures are threaded in a
210 * fairly complex fashion and are not expected to change on a
211 * regular basis, so this should not cause scaling/contention
212 * problems. As a result, policy checks should (hopefully) be MT-hot.
213 *
214 * Allocation policy:
215 *
216 * We use custom kmem cache types for the various
217 * bits & pieces of the policy data structures. All allocations
218 * use KM_NOSLEEP instead of KM_SLEEP for policy allocation. The
219 * policy table is of potentially unbounded size, so we don't
220 * want to provide a way to hog all system memory with policy
221 * entries..
222 */
223
224 /* Convenient functions for freeing or dropping a b_next linked mblk chain */
225
226 /* Free all messages in an mblk chain */
227 static void
228 ipsec_freemsg_chain(mblk_t *mp)
229 {
230 mblk_t *mpnext;
231 while (mp != NULL) {
232 ASSERT(mp->b_prev == NULL);
233 mpnext = mp->b_next;
234 mp->b_next = NULL;
235 freemsg(mp);
236 mp = mpnext;
237 }
238 }
239
240 /*
241 * ip_drop all messages in an mblk chain
242 * Can handle a b_next chain of ip_recv_attr_t mblks, or just a b_next chain
243 * of data.
244 */
245 static void
246 ip_drop_packet_chain(mblk_t *mp, boolean_t inbound, ill_t *ill,
247 struct kstat_named *counter, ipdropper_t *who_called)
248 {
249 mblk_t *mpnext;
250 while (mp != NULL) {
251 ASSERT(mp->b_prev == NULL);
252 mpnext = mp->b_next;
253 mp->b_next = NULL;
254 if (ip_recv_attr_is_mblk(mp))
255 mp = ip_recv_attr_free_mblk(mp);
256 ip_drop_packet(mp, inbound, ill, counter, who_called);
257 mp = mpnext;
258 }
259 }
260
261 /*
262 * AVL tree comparison function.
263 * the in-kernel avl assumes unique keys for all objects.
264 * Since sometimes policy will duplicate rules, we may insert
265 * multiple rules with the same rule id, so we need a tie-breaker.
266 */
267 static int
268 ipsec_policy_cmpbyid(const void *a, const void *b)
269 {
270 const ipsec_policy_t *ipa, *ipb;
271 uint64_t idxa, idxb;
272
273 ipa = (const ipsec_policy_t *)a;
274 ipb = (const ipsec_policy_t *)b;
275 idxa = ipa->ipsp_index;
276 idxb = ipb->ipsp_index;
277
278 if (idxa < idxb)
279 return (-1);
280 if (idxa > idxb)
281 return (1);
282 /*
283 * Tie-breaker #1: All installed policy rules have a non-NULL
284 * ipsl_sel (selector set), so an entry with a NULL ipsp_sel is not
285 * actually in-tree but rather a template node being used in
286 * an avl_find query; see ipsec_policy_delete(). This gives us
287 * a placeholder in the ordering just before the first entry with
288 * a key >= the one we're looking for, so we can walk forward from
289 * that point to get the remaining entries with the same id.
290 */
291 if ((ipa->ipsp_sel == NULL) && (ipb->ipsp_sel != NULL))
292 return (-1);
293 if ((ipb->ipsp_sel == NULL) && (ipa->ipsp_sel != NULL))
294 return (1);
295 /*
296 * At most one of the arguments to the comparison should have a
297 * NULL selector pointer; if not, the tree is broken.
298 */
299 ASSERT(ipa->ipsp_sel != NULL);
300 ASSERT(ipb->ipsp_sel != NULL);
301 /*
302 * Tie-breaker #2: use the virtual address of the policy node
303 * to arbitrarily break ties. Since we use the new tree node in
304 * the avl_find() in ipsec_insert_always, the new node will be
305 * inserted into the tree in the right place in the sequence.
306 */
307 if (ipa < ipb)
308 return (-1);
309 if (ipa > ipb)
310 return (1);
311 return (0);
312 }
313
314 /*
315 * Free what ipsec_alloc_table allocated.
316 */
317 void
318 ipsec_polhead_free_table(ipsec_policy_head_t *iph)
319 {
320 int dir;
321 int i;
322
323 for (dir = 0; dir < IPSEC_NTYPES; dir++) {
324 ipsec_policy_root_t *ipr = &iph->iph_root[dir];
325
326 if (ipr->ipr_hash == NULL)
327 continue;
328
329 for (i = 0; i < ipr->ipr_nchains; i++) {
330 ASSERT(ipr->ipr_hash[i].hash_head == NULL);
331 }
332 kmem_free(ipr->ipr_hash, ipr->ipr_nchains *
333 sizeof (ipsec_policy_hash_t));
334 ipr->ipr_hash = NULL;
335 }
336 }
337
338 void
339 ipsec_polhead_destroy(ipsec_policy_head_t *iph)
340 {
341 int dir;
342
343 avl_destroy(&iph->iph_rulebyid);
344 rw_destroy(&iph->iph_lock);
345
346 for (dir = 0; dir < IPSEC_NTYPES; dir++) {
347 ipsec_policy_root_t *ipr = &iph->iph_root[dir];
348 int chain;
349
350 for (chain = 0; chain < ipr->ipr_nchains; chain++)
351 mutex_destroy(&(ipr->ipr_hash[chain].hash_lock));
352
353 }
354 ipsec_polhead_free_table(iph);
355 }
356
357 /*
358 * Free the IPsec stack instance.
359 */
360 /* ARGSUSED */
361 static void
362 ipsec_stack_fini(netstackid_t stackid, void *arg)
363 {
364 ipsec_stack_t *ipss = (ipsec_stack_t *)arg;
365 void *cookie;
366 ipsec_tun_pol_t *node;
367 netstack_t *ns = ipss->ipsec_netstack;
368 int i;
369 ipsec_algtype_t algtype;
370
371 ipsec_loader_destroy(ipss);
372
373 rw_enter(&ipss->ipsec_tunnel_policy_lock, RW_WRITER);
374 /*
375 * It's possible we can just ASSERT() the tree is empty. After all,
376 * we aren't called until IP is ready to unload (and presumably all
377 * tunnels have been unplumbed). But we'll play it safe for now, the
378 * loop will just exit immediately if it's empty.
379 */
380 cookie = NULL;
381 while ((node = (ipsec_tun_pol_t *)
382 avl_destroy_nodes(&ipss->ipsec_tunnel_policies,
383 &cookie)) != NULL) {
384 ITP_REFRELE(node, ns);
385 }
386 avl_destroy(&ipss->ipsec_tunnel_policies);
387 rw_exit(&ipss->ipsec_tunnel_policy_lock);
388 rw_destroy(&ipss->ipsec_tunnel_policy_lock);
389
390 ipsec_config_flush(ns);
391
392 ipsec_kstat_destroy(ipss);
393
394 ip_drop_unregister(&ipss->ipsec_dropper);
395
396 ip_drop_unregister(&ipss->ipsec_spd_dropper);
397 ip_drop_destroy(ipss);
398 /*
399 * Globals start with ref == 1 to prevent IPPH_REFRELE() from
400 * attempting to free them, hence they should have 1 now.
401 */
402 ipsec_polhead_destroy(&ipss->ipsec_system_policy);
403 ASSERT(ipss->ipsec_system_policy.iph_refs == 1);
404 ipsec_polhead_destroy(&ipss->ipsec_inactive_policy);
405 ASSERT(ipss->ipsec_inactive_policy.iph_refs == 1);
406
407 for (i = 0; i < IPSEC_ACTION_HASH_SIZE; i++) {
408 ipsec_action_free_table(ipss->ipsec_action_hash[i].hash_head);
409 ipss->ipsec_action_hash[i].hash_head = NULL;
410 mutex_destroy(&(ipss->ipsec_action_hash[i].hash_lock));
411 }
412
413 for (i = 0; i < ipss->ipsec_spd_hashsize; i++) {
414 ASSERT(ipss->ipsec_sel_hash[i].hash_head == NULL);
415 mutex_destroy(&(ipss->ipsec_sel_hash[i].hash_lock));
416 }
417
418 rw_enter(&ipss->ipsec_alg_lock, RW_WRITER);
419 for (algtype = 0; algtype < IPSEC_NALGTYPES; algtype ++) {
420 int nalgs = ipss->ipsec_nalgs[algtype];
421
422 for (i = 0; i < nalgs; i++) {
423 if (ipss->ipsec_alglists[algtype][i] != NULL)
424 ipsec_alg_unreg(algtype, i, ns);
425 }
426 }
427 rw_exit(&ipss->ipsec_alg_lock);
428 rw_destroy(&ipss->ipsec_alg_lock);
429
430 ipsid_gc(ns);
431 ipsid_fini(ns);
432
433 (void) ipsec_free_tables(ipss);
434 kmem_free(ipss, sizeof (*ipss));
435 }
436
437 void
438 ipsec_policy_g_destroy(void)
439 {
440 kmem_cache_destroy(ipsec_action_cache);
441 kmem_cache_destroy(ipsec_sel_cache);
442 kmem_cache_destroy(ipsec_pol_cache);
443
444 ipsec_unregister_prov_update();
445
446 netstack_unregister(NS_IPSEC);
447 }
448
449
450 /*
451 * Free what ipsec_alloc_tables allocated.
452 * Called when table allocation fails to free the table.
453 */
454 static int
455 ipsec_free_tables(ipsec_stack_t *ipss)
456 {
457 int i;
458
459 if (ipss->ipsec_sel_hash != NULL) {
460 for (i = 0; i < ipss->ipsec_spd_hashsize; i++) {
461 ASSERT(ipss->ipsec_sel_hash[i].hash_head == NULL);
462 }
463 kmem_free(ipss->ipsec_sel_hash, ipss->ipsec_spd_hashsize *
464 sizeof (*ipss->ipsec_sel_hash));
465 ipss->ipsec_sel_hash = NULL;
466 ipss->ipsec_spd_hashsize = 0;
467 }
468 ipsec_polhead_free_table(&ipss->ipsec_system_policy);
469 ipsec_polhead_free_table(&ipss->ipsec_inactive_policy);
470
471 return (ENOMEM);
472 }
473
474 /*
475 * Attempt to allocate the tables in a single policy head.
476 * Return nonzero on failure after cleaning up any work in progress.
477 */
478 int
479 ipsec_alloc_table(ipsec_policy_head_t *iph, int nchains, int kmflag,
480 boolean_t global_cleanup, netstack_t *ns)
481 {
482 int dir;
483
484 for (dir = 0; dir < IPSEC_NTYPES; dir++) {
485 ipsec_policy_root_t *ipr = &iph->iph_root[dir];
486
487 ipr->ipr_nchains = nchains;
488 ipr->ipr_hash = kmem_zalloc(nchains *
489 sizeof (ipsec_policy_hash_t), kmflag);
490 if (ipr->ipr_hash == NULL)
491 return (global_cleanup ?
492 ipsec_free_tables(ns->netstack_ipsec) :
493 ENOMEM);
494 }
495 return (0);
496 }
497
498 /*
499 * Attempt to allocate the various tables. Return nonzero on failure
500 * after cleaning up any work in progress.
501 */
502 static int
503 ipsec_alloc_tables(int kmflag, netstack_t *ns)
504 {
505 int error;
506 ipsec_stack_t *ipss = ns->netstack_ipsec;
507
508 error = ipsec_alloc_table(&ipss->ipsec_system_policy,
509 ipss->ipsec_spd_hashsize, kmflag, B_TRUE, ns);
510 if (error != 0)
511 return (error);
512
513 error = ipsec_alloc_table(&ipss->ipsec_inactive_policy,
514 ipss->ipsec_spd_hashsize, kmflag, B_TRUE, ns);
515 if (error != 0)
516 return (error);
517
518 ipss->ipsec_sel_hash = kmem_zalloc(ipss->ipsec_spd_hashsize *
519 sizeof (*ipss->ipsec_sel_hash), kmflag);
520
521 if (ipss->ipsec_sel_hash == NULL)
522 return (ipsec_free_tables(ipss));
523
524 return (0);
525 }
526
527 /*
528 * After table allocation, initialize a policy head.
529 */
530 void
531 ipsec_polhead_init(ipsec_policy_head_t *iph, int nchains)
532 {
533 int dir, chain;
534
535 rw_init(&iph->iph_lock, NULL, RW_DEFAULT, NULL);
536 avl_create(&iph->iph_rulebyid, ipsec_policy_cmpbyid,
537 sizeof (ipsec_policy_t), offsetof(ipsec_policy_t, ipsp_byid));
538
539 for (dir = 0; dir < IPSEC_NTYPES; dir++) {
540 ipsec_policy_root_t *ipr = &iph->iph_root[dir];
541 ipr->ipr_nchains = nchains;
542
543 for (chain = 0; chain < nchains; chain++) {
544 mutex_init(&(ipr->ipr_hash[chain].hash_lock),
545 NULL, MUTEX_DEFAULT, NULL);
546 }
547 }
548 }
549
550 static boolean_t
551 ipsec_kstat_init(ipsec_stack_t *ipss)
552 {
553 ipss->ipsec_ksp = kstat_create_netstack("ip", 0, "ipsec_stat", "net",
554 KSTAT_TYPE_NAMED, sizeof (ipsec_kstats_t) / sizeof (kstat_named_t),
555 KSTAT_FLAG_PERSISTENT, ipss->ipsec_netstack->netstack_stackid);
556
557 if (ipss->ipsec_ksp == NULL || ipss->ipsec_ksp->ks_data == NULL)
558 return (B_FALSE);
559
560 ipss->ipsec_kstats = ipss->ipsec_ksp->ks_data;
561
562 #define KI(x) kstat_named_init(&ipss->ipsec_kstats->x, #x, KSTAT_DATA_UINT64)
563 KI(esp_stat_in_requests);
564 KI(esp_stat_in_discards);
565 KI(esp_stat_lookup_failure);
566 KI(ah_stat_in_requests);
567 KI(ah_stat_in_discards);
568 KI(ah_stat_lookup_failure);
569 KI(sadb_acquire_maxpackets);
570 KI(sadb_acquire_qhiwater);
571 #undef KI
572
573 kstat_install(ipss->ipsec_ksp);
574 return (B_TRUE);
575 }
576
577 static void
578 ipsec_kstat_destroy(ipsec_stack_t *ipss)
579 {
580 kstat_delete_netstack(ipss->ipsec_ksp,
581 ipss->ipsec_netstack->netstack_stackid);
582 ipss->ipsec_kstats = NULL;
583
584 }
585
586 /*
587 * Initialize the IPsec stack instance.
588 */
589 /* ARGSUSED */
590 static void *
591 ipsec_stack_init(netstackid_t stackid, netstack_t *ns)
592 {
593 ipsec_stack_t *ipss;
594 int i;
595
596 ipss = (ipsec_stack_t *)kmem_zalloc(sizeof (*ipss), KM_SLEEP);
597 ipss->ipsec_netstack = ns;
598
599 /*
600 * FIXME: netstack_ipsec is used by some of the routines we call
601 * below, but it isn't set until this routine returns.
602 * Either we introduce optional xxx_stack_alloc() functions
603 * that will be called by the netstack framework before xxx_stack_init,
604 * or we switch spd.c and sadb.c to operate on ipsec_stack_t
605 * (latter has some include file order issues for sadb.h, but makes
606 * sense if we merge some of the ipsec related stack_t's together.
607 */
608 ns->netstack_ipsec = ipss;
609
610 /*
611 * Make two attempts to allocate policy hash tables; try it at
612 * the "preferred" size (may be set in /etc/system) first,
613 * then fall back to the default size.
614 */
615 ipss->ipsec_spd_hashsize = (ipsec_spd_hashsize == 0) ?
616 IPSEC_SPDHASH_DEFAULT : ipsec_spd_hashsize;
617
618 if (ipsec_alloc_tables(KM_NOSLEEP, ns) != 0) {
619 cmn_err(CE_WARN,
620 "Unable to allocate %d entry IPsec policy hash table",
621 ipss->ipsec_spd_hashsize);
622 ipss->ipsec_spd_hashsize = IPSEC_SPDHASH_DEFAULT;
623 cmn_err(CE_WARN, "Falling back to %d entries",
624 ipss->ipsec_spd_hashsize);
625 (void) ipsec_alloc_tables(KM_SLEEP, ns);
626 }
627
628 /* Just set a default for tunnels. */
629 ipss->ipsec_tun_spd_hashsize = (tun_spd_hashsize == 0) ?
630 TUN_SPDHASH_DEFAULT : tun_spd_hashsize;
631
632 ipsid_init(ns);
633 /*
634 * Globals need ref == 1 to prevent IPPH_REFRELE() from attempting
635 * to free them.
636 */
637 ipss->ipsec_system_policy.iph_refs = 1;
638 ipss->ipsec_inactive_policy.iph_refs = 1;
639 ipsec_polhead_init(&ipss->ipsec_system_policy,
640 ipss->ipsec_spd_hashsize);
641 ipsec_polhead_init(&ipss->ipsec_inactive_policy,
642 ipss->ipsec_spd_hashsize);
643 rw_init(&ipss->ipsec_tunnel_policy_lock, NULL, RW_DEFAULT, NULL);
644 avl_create(&ipss->ipsec_tunnel_policies, tunnel_compare,
645 sizeof (ipsec_tun_pol_t), 0);
646
647 ipss->ipsec_next_policy_index = 1;
648
649 rw_init(&ipss->ipsec_system_policy.iph_lock, NULL, RW_DEFAULT, NULL);
650 rw_init(&ipss->ipsec_inactive_policy.iph_lock, NULL, RW_DEFAULT, NULL);
651
652 for (i = 0; i < IPSEC_ACTION_HASH_SIZE; i++)
653 mutex_init(&(ipss->ipsec_action_hash[i].hash_lock),
654 NULL, MUTEX_DEFAULT, NULL);
655
656 for (i = 0; i < ipss->ipsec_spd_hashsize; i++)
657 mutex_init(&(ipss->ipsec_sel_hash[i].hash_lock),
658 NULL, MUTEX_DEFAULT, NULL);
659
660 rw_init(&ipss->ipsec_alg_lock, NULL, RW_DEFAULT, NULL);
661 for (i = 0; i < IPSEC_NALGTYPES; i++) {
662 ipss->ipsec_nalgs[i] = 0;
663 }
664
665 ip_drop_init(ipss);
666 ip_drop_register(&ipss->ipsec_spd_dropper, "IPsec SPD");
667
668 /* IP's IPsec code calls the packet dropper */
669 ip_drop_register(&ipss->ipsec_dropper, "IP IPsec processing");
670
671 (void) ipsec_kstat_init(ipss);
672
673 ipsec_loader_init(ipss);
674 ipsec_loader_start(ipss);
675
676 return (ipss);
677 }
678
679 /* Global across all stack instances */
680 void
681 ipsec_policy_g_init(void)
682 {
683 ipsec_action_cache = kmem_cache_create("ipsec_actions",
684 sizeof (ipsec_action_t), _POINTER_ALIGNMENT, NULL, NULL,
685 ipsec_action_reclaim, NULL, NULL, 0);
686 ipsec_sel_cache = kmem_cache_create("ipsec_selectors",
687 sizeof (ipsec_sel_t), _POINTER_ALIGNMENT, NULL, NULL,
688 NULL, NULL, NULL, 0);
689 ipsec_pol_cache = kmem_cache_create("ipsec_policy",
690 sizeof (ipsec_policy_t), _POINTER_ALIGNMENT, NULL, NULL,
691 NULL, NULL, NULL, 0);
692
693 /*
694 * We want to be informed each time a stack is created or
695 * destroyed in the kernel, so we can maintain the
696 * set of ipsec_stack_t's.
697 */
698 netstack_register(NS_IPSEC, ipsec_stack_init, NULL, ipsec_stack_fini);
699 }
700
701 /*
702 * Sort algorithm lists.
703 *
704 * I may need to split this based on
705 * authentication/encryption, and I may wish to have an administrator
706 * configure this list. Hold on to some NDD variables...
707 *
708 * XXX For now, sort on minimum key size (GAG!). While minimum key size is
709 * not the ideal metric, it's the only quantifiable measure available.
710 * We need a better metric for sorting algorithms by preference.
711 */
712 static void
713 alg_insert_sortlist(enum ipsec_algtype at, uint8_t algid, netstack_t *ns)
714 {
715 ipsec_stack_t *ipss = ns->netstack_ipsec;
716 ipsec_alginfo_t *ai = ipss->ipsec_alglists[at][algid];
717 uint8_t holder, swap;
718 uint_t i;
719 uint_t count = ipss->ipsec_nalgs[at];
720 ASSERT(ai != NULL);
721 ASSERT(algid == ai->alg_id);
722
723 ASSERT(RW_WRITE_HELD(&ipss->ipsec_alg_lock));
724
725 holder = algid;
726
727 for (i = 0; i < count - 1; i++) {
728 ipsec_alginfo_t *alt;
729
730 alt = ipss->ipsec_alglists[at][ipss->ipsec_sortlist[at][i]];
731 /*
732 * If you want to give precedence to newly added algs,
733 * add the = in the > comparison.
734 */
735 if ((holder != algid) || (ai->alg_minbits > alt->alg_minbits)) {
736 /* Swap sortlist[i] and holder. */
737 swap = ipss->ipsec_sortlist[at][i];
738 ipss->ipsec_sortlist[at][i] = holder;
739 holder = swap;
740 ai = alt;
741 } /* Else just continue. */
742 }
743
744 /* Store holder in last slot. */
745 ipss->ipsec_sortlist[at][i] = holder;
746 }
747
748 /*
749 * Remove an algorithm from a sorted algorithm list.
750 * This should be considerably easier, even with complex sorting.
751 */
752 static void
753 alg_remove_sortlist(enum ipsec_algtype at, uint8_t algid, netstack_t *ns)
754 {
755 boolean_t copyback = B_FALSE;
756 int i;
757 ipsec_stack_t *ipss = ns->netstack_ipsec;
758 int newcount = ipss->ipsec_nalgs[at];
759
760 ASSERT(RW_WRITE_HELD(&ipss->ipsec_alg_lock));
761
762 for (i = 0; i <= newcount; i++) {
763 if (copyback) {
764 ipss->ipsec_sortlist[at][i-1] =
765 ipss->ipsec_sortlist[at][i];
766 } else if (ipss->ipsec_sortlist[at][i] == algid) {
767 copyback = B_TRUE;
768 }
769 }
770 }
771
772 /*
773 * Add the specified algorithm to the algorithm tables.
774 * Must be called while holding the algorithm table writer lock.
775 */
776 void
777 ipsec_alg_reg(ipsec_algtype_t algtype, ipsec_alginfo_t *alg, netstack_t *ns)
778 {
779 ipsec_stack_t *ipss = ns->netstack_ipsec;
780
781 ASSERT(RW_WRITE_HELD(&ipss->ipsec_alg_lock));
782
783 ASSERT(ipss->ipsec_alglists[algtype][alg->alg_id] == NULL);
784 ipsec_alg_fix_min_max(alg, algtype, ns);
785 ipss->ipsec_alglists[algtype][alg->alg_id] = alg;
786
787 ipss->ipsec_nalgs[algtype]++;
788 alg_insert_sortlist(algtype, alg->alg_id, ns);
789 }
790
791 /*
792 * Remove the specified algorithm from the algorithm tables.
793 * Must be called while holding the algorithm table writer lock.
794 */
795 void
796 ipsec_alg_unreg(ipsec_algtype_t algtype, uint8_t algid, netstack_t *ns)
797 {
798 ipsec_stack_t *ipss = ns->netstack_ipsec;
799
800 ASSERT(RW_WRITE_HELD(&ipss->ipsec_alg_lock));
801
802 ASSERT(ipss->ipsec_alglists[algtype][algid] != NULL);
803 ipsec_alg_free(ipss->ipsec_alglists[algtype][algid]);
804 ipss->ipsec_alglists[algtype][algid] = NULL;
805
806 ipss->ipsec_nalgs[algtype]--;
807 alg_remove_sortlist(algtype, algid, ns);
808 }
809
810 /*
811 * Hooks for spdsock to get a grip on system policy.
812 */
813
814 ipsec_policy_head_t *
815 ipsec_system_policy(netstack_t *ns)
816 {
817 ipsec_stack_t *ipss = ns->netstack_ipsec;
818 ipsec_policy_head_t *h = &ipss->ipsec_system_policy;
819
820 IPPH_REFHOLD(h);
821 return (h);
822 }
823
824 ipsec_policy_head_t *
825 ipsec_inactive_policy(netstack_t *ns)
826 {
827 ipsec_stack_t *ipss = ns->netstack_ipsec;
828 ipsec_policy_head_t *h = &ipss->ipsec_inactive_policy;
829
830 IPPH_REFHOLD(h);
831 return (h);
832 }
833
834 /*
835 * Lock inactive policy, then active policy, then exchange policy root
836 * pointers.
837 */
838 void
839 ipsec_swap_policy(ipsec_policy_head_t *active, ipsec_policy_head_t *inactive,
840 netstack_t *ns)
841 {
842 int af, dir;
843 avl_tree_t r1, r2;
844
845 rw_enter(&inactive->iph_lock, RW_WRITER);
846 rw_enter(&active->iph_lock, RW_WRITER);
847
848 r1 = active->iph_rulebyid;
849 r2 = inactive->iph_rulebyid;
850 active->iph_rulebyid = r2;
851 inactive->iph_rulebyid = r1;
852
853 for (dir = 0; dir < IPSEC_NTYPES; dir++) {
854 ipsec_policy_hash_t *h1, *h2;
855
856 h1 = active->iph_root[dir].ipr_hash;
857 h2 = inactive->iph_root[dir].ipr_hash;
858 active->iph_root[dir].ipr_hash = h2;
859 inactive->iph_root[dir].ipr_hash = h1;
860
861 for (af = 0; af < IPSEC_NAF; af++) {
862 ipsec_policy_t *t1, *t2;
863
864 t1 = active->iph_root[dir].ipr_nonhash[af];
865 t2 = inactive->iph_root[dir].ipr_nonhash[af];
866 active->iph_root[dir].ipr_nonhash[af] = t2;
867 inactive->iph_root[dir].ipr_nonhash[af] = t1;
868 if (t1 != NULL) {
869 t1->ipsp_hash.hash_pp =
870 &(inactive->iph_root[dir].ipr_nonhash[af]);
871 }
872 if (t2 != NULL) {
873 t2->ipsp_hash.hash_pp =
874 &(active->iph_root[dir].ipr_nonhash[af]);
875 }
876
877 }
878 }
879 active->iph_gen++;
880 inactive->iph_gen++;
881 ipsec_update_present_flags(ns->netstack_ipsec);
882 rw_exit(&active->iph_lock);
883 rw_exit(&inactive->iph_lock);
884 }
885
886 /*
887 * Swap global policy primary/secondary.
888 */
889 void
890 ipsec_swap_global_policy(netstack_t *ns)
891 {
892 ipsec_stack_t *ipss = ns->netstack_ipsec;
893
894 ipsec_swap_policy(&ipss->ipsec_system_policy,
895 &ipss->ipsec_inactive_policy, ns);
896 }
897
898 /*
899 * Clone one policy rule..
900 */
901 static ipsec_policy_t *
902 ipsec_copy_policy(const ipsec_policy_t *src)
903 {
904 ipsec_policy_t *dst = kmem_cache_alloc(ipsec_pol_cache, KM_NOSLEEP);
905
906 if (dst == NULL)
907 return (NULL);
908
909 /*
910 * Adjust refcounts of cloned state.
911 */
912 IPACT_REFHOLD(src->ipsp_act);
913 src->ipsp_sel->ipsl_refs++;
914
915 HASH_NULL(dst, ipsp_hash);
916 dst->ipsp_netstack = src->ipsp_netstack;
917 dst->ipsp_refs = 1;
918 dst->ipsp_sel = src->ipsp_sel;
919 dst->ipsp_act = src->ipsp_act;
920 dst->ipsp_prio = src->ipsp_prio;
921 dst->ipsp_index = src->ipsp_index;
922
923 return (dst);
924 }
925
926 void
927 ipsec_insert_always(avl_tree_t *tree, void *new_node)
928 {
929 void *node;
930 avl_index_t where;
931
932 node = avl_find(tree, new_node, &where);
933 ASSERT(node == NULL);
934 avl_insert(tree, new_node, where);
935 }
936
937
938 static int
939 ipsec_copy_chain(ipsec_policy_head_t *dph, ipsec_policy_t *src,
940 ipsec_policy_t **dstp)
941 {
942 for (; src != NULL; src = src->ipsp_hash.hash_next) {
943 ipsec_policy_t *dst = ipsec_copy_policy(src);
944 if (dst == NULL)
945 return (ENOMEM);
946
947 HASHLIST_INSERT(dst, ipsp_hash, *dstp);
948 ipsec_insert_always(&dph->iph_rulebyid, dst);
949 }
950 return (0);
951 }
952
953
954
955 /*
956 * Make one policy head look exactly like another.
957 *
958 * As with ipsec_swap_policy, we lock the destination policy head first, then
959 * the source policy head. Note that we only need to read-lock the source
960 * policy head as we are not changing it.
961 */
962 int
963 ipsec_copy_polhead(ipsec_policy_head_t *sph, ipsec_policy_head_t *dph,
964 netstack_t *ns)
965 {
966 int af, dir, chain, nchains;
967
968 rw_enter(&dph->iph_lock, RW_WRITER);
969
970 ipsec_polhead_flush(dph, ns);
971
972 rw_enter(&sph->iph_lock, RW_READER);
973
974 for (dir = 0; dir < IPSEC_NTYPES; dir++) {
975 ipsec_policy_root_t *dpr = &dph->iph_root[dir];
976 ipsec_policy_root_t *spr = &sph->iph_root[dir];
977 nchains = dpr->ipr_nchains;
978
979 ASSERT(dpr->ipr_nchains == spr->ipr_nchains);
980
981 for (af = 0; af < IPSEC_NAF; af++) {
982 if (ipsec_copy_chain(dph, spr->ipr_nonhash[af],
983 &dpr->ipr_nonhash[af]))
984 goto abort_copy;
985 }
986
987 for (chain = 0; chain < nchains; chain++) {
988 if (ipsec_copy_chain(dph,
989 spr->ipr_hash[chain].hash_head,
990 &dpr->ipr_hash[chain].hash_head))
991 goto abort_copy;
992 }
993 }
994
995 dph->iph_gen++;
996
997 rw_exit(&sph->iph_lock);
998 rw_exit(&dph->iph_lock);
999 return (0);
1000
1001 abort_copy:
1002 ipsec_polhead_flush(dph, ns);
1003 rw_exit(&sph->iph_lock);
1004 rw_exit(&dph->iph_lock);
1005 return (ENOMEM);
1006 }
1007
1008 /*
1009 * Clone currently active policy to the inactive policy list.
1010 */
1011 int
1012 ipsec_clone_system_policy(netstack_t *ns)
1013 {
1014 ipsec_stack_t *ipss = ns->netstack_ipsec;
1015
1016 return (ipsec_copy_polhead(&ipss->ipsec_system_policy,
1017 &ipss->ipsec_inactive_policy, ns));
1018 }
1019
1020 /*
1021 * Extract the string from ipsec_policy_failure_msgs[type] and
1022 * log it.
1023 *
1024 */
1025 void
1026 ipsec_log_policy_failure(int type, char *func_name, ipha_t *ipha, ip6_t *ip6h,
1027 boolean_t secure, netstack_t *ns)
1028 {
1029 char sbuf[INET6_ADDRSTRLEN];
1030 char dbuf[INET6_ADDRSTRLEN];
1031 char *s;
1032 char *d;
1033 ipsec_stack_t *ipss = ns->netstack_ipsec;
1034
1035 ASSERT((ipha == NULL && ip6h != NULL) ||
1036 (ip6h == NULL && ipha != NULL));
1037
1038 if (ipha != NULL) {
1039 s = inet_ntop(AF_INET, &ipha->ipha_src, sbuf, sizeof (sbuf));
1040 d = inet_ntop(AF_INET, &ipha->ipha_dst, dbuf, sizeof (dbuf));
1041 } else {
1042 s = inet_ntop(AF_INET6, &ip6h->ip6_src, sbuf, sizeof (sbuf));
1043 d = inet_ntop(AF_INET6, &ip6h->ip6_dst, dbuf, sizeof (dbuf));
1044
1045 }
1046
1047 /* Always bump the policy failure counter. */
1048 ipss->ipsec_policy_failure_count[type]++;
1049
1050 ipsec_rl_strlog(ns, IP_MOD_ID, 0, 0, SL_ERROR|SL_WARN|SL_CONSOLE,
1051 ipsec_policy_failure_msgs[type], func_name,
1052 (secure ? "secure" : "not secure"), s, d);
1053 }
1054
1055 /*
1056 * Rate-limiting front-end to strlog() for AH and ESP. Uses the ndd variables
1057 * in /dev/ip and the same rate-limiting clock so that there's a single
1058 * knob to turn to throttle the rate of messages.
1059 */
1060 void
1061 ipsec_rl_strlog(netstack_t *ns, short mid, short sid, char level, ushort_t sl,
1062 char *fmt, ...)
1063 {
1064 va_list adx;
1065 hrtime_t current = gethrtime();
1066 ip_stack_t *ipst = ns->netstack_ip;
1067 ipsec_stack_t *ipss = ns->netstack_ipsec;
1068
1069 sl |= SL_CONSOLE;
1070 /*
1071 * Throttle logging to stop syslog from being swamped. If variable
1072 * 'ipsec_policy_log_interval' is zero, don't log any messages at
1073 * all, otherwise log only one message every 'ipsec_policy_log_interval'
1074 * msec. Convert interval (in msec) to hrtime (in nsec).
1075 */
1076
1077 if (ipst->ips_ipsec_policy_log_interval) {
1078 if (ipss->ipsec_policy_failure_last +
1079 MSEC2NSEC(ipst->ips_ipsec_policy_log_interval) <= current) {
1080 va_start(adx, fmt);
1081 (void) vstrlog(mid, sid, level, sl, fmt, adx);
1082 va_end(adx);
1083 ipss->ipsec_policy_failure_last = current;
1084 }
1085 }
1086 }
1087
1088 void
1089 ipsec_config_flush(netstack_t *ns)
1090 {
1091 ipsec_stack_t *ipss = ns->netstack_ipsec;
1092
1093 rw_enter(&ipss->ipsec_system_policy.iph_lock, RW_WRITER);
1094 ipsec_polhead_flush(&ipss->ipsec_system_policy, ns);
1095 ipss->ipsec_next_policy_index = 1;
1096 rw_exit(&ipss->ipsec_system_policy.iph_lock);
1097 ipsec_action_reclaim_stack(ipss);
1098 }
1099
1100 /*
1101 * Clip a policy's min/max keybits vs. the capabilities of the
1102 * algorithm.
1103 */
1104 static void
1105 act_alg_adjust(uint_t algtype, uint_t algid,
1106 uint16_t *minbits, uint16_t *maxbits, netstack_t *ns)
1107 {
1108 ipsec_stack_t *ipss = ns->netstack_ipsec;
1109 ipsec_alginfo_t *algp = ipss->ipsec_alglists[algtype][algid];
1110
1111 if (algp != NULL) {
1112 /*
1113 * If passed-in minbits is zero, we assume the caller trusts
1114 * us with setting the minimum key size. We pick the
1115 * algorithms DEFAULT key size for the minimum in this case.
1116 */
1117 if (*minbits == 0) {
1118 *minbits = algp->alg_default_bits;
1119 ASSERT(*minbits >= algp->alg_minbits);
1120 } else {
1121 *minbits = MAX(MIN(*minbits, algp->alg_maxbits),
1122 algp->alg_minbits);
1123 }
1124 if (*maxbits == 0)
1125 *maxbits = algp->alg_maxbits;
1126 else
1127 *maxbits = MIN(MAX(*maxbits, algp->alg_minbits),
1128 algp->alg_maxbits);
1129 ASSERT(*minbits <= *maxbits);
1130 } else {
1131 *minbits = 0;
1132 *maxbits = 0;
1133 }
1134 }
1135
1136 /*
1137 * Check an action's requested algorithms against the algorithms currently
1138 * loaded in the system.
1139 */
1140 boolean_t
1141 ipsec_check_action(ipsec_act_t *act, int *diag, netstack_t *ns)
1142 {
1143 ipsec_prot_t *ipp;
1144 ipsec_stack_t *ipss = ns->netstack_ipsec;
1145
1146 ipp = &act->ipa_apply;
1147
1148 if (ipp->ipp_use_ah &&
1149 ipss->ipsec_alglists[IPSEC_ALG_AUTH][ipp->ipp_auth_alg] == NULL) {
1150 *diag = SPD_DIAGNOSTIC_UNSUPP_AH_ALG;
1151 return (B_FALSE);
1152 }
1153 if (ipp->ipp_use_espa &&
1154 ipss->ipsec_alglists[IPSEC_ALG_AUTH][ipp->ipp_esp_auth_alg] ==
1155 NULL) {
1156 *diag = SPD_DIAGNOSTIC_UNSUPP_ESP_AUTH_ALG;
1157 return (B_FALSE);
1158 }
1159 if (ipp->ipp_use_esp &&
1160 ipss->ipsec_alglists[IPSEC_ALG_ENCR][ipp->ipp_encr_alg] == NULL) {
1161 *diag = SPD_DIAGNOSTIC_UNSUPP_ESP_ENCR_ALG;
1162 return (B_FALSE);
1163 }
1164
1165 act_alg_adjust(IPSEC_ALG_AUTH, ipp->ipp_auth_alg,
1166 &ipp->ipp_ah_minbits, &ipp->ipp_ah_maxbits, ns);
1167 act_alg_adjust(IPSEC_ALG_AUTH, ipp->ipp_esp_auth_alg,
1168 &ipp->ipp_espa_minbits, &ipp->ipp_espa_maxbits, ns);
1169 act_alg_adjust(IPSEC_ALG_ENCR, ipp->ipp_encr_alg,
1170 &ipp->ipp_espe_minbits, &ipp->ipp_espe_maxbits, ns);
1171
1172 if (ipp->ipp_ah_minbits > ipp->ipp_ah_maxbits) {
1173 *diag = SPD_DIAGNOSTIC_UNSUPP_AH_KEYSIZE;
1174 return (B_FALSE);
1175 }
1176 if (ipp->ipp_espa_minbits > ipp->ipp_espa_maxbits) {
1177 *diag = SPD_DIAGNOSTIC_UNSUPP_ESP_AUTH_KEYSIZE;
1178 return (B_FALSE);
1179 }
1180 if (ipp->ipp_espe_minbits > ipp->ipp_espe_maxbits) {
1181 *diag = SPD_DIAGNOSTIC_UNSUPP_ESP_ENCR_KEYSIZE;
1182 return (B_FALSE);
1183 }
1184 /* TODO: sanity check lifetimes */
1185 return (B_TRUE);
1186 }
1187
1188 /*
1189 * Set up a single action during wildcard expansion..
1190 */
1191 static void
1192 ipsec_setup_act(ipsec_act_t *outact, ipsec_act_t *act,
1193 uint_t auth_alg, uint_t encr_alg, uint_t eauth_alg, netstack_t *ns)
1194 {
1195 ipsec_prot_t *ipp;
1196
1197 *outact = *act;
1198 ipp = &outact->ipa_apply;
1199 ipp->ipp_auth_alg = (uint8_t)auth_alg;
1200 ipp->ipp_encr_alg = (uint8_t)encr_alg;
1201 ipp->ipp_esp_auth_alg = (uint8_t)eauth_alg;
1202
1203 act_alg_adjust(IPSEC_ALG_AUTH, auth_alg,
1204 &ipp->ipp_ah_minbits, &ipp->ipp_ah_maxbits, ns);
1205 act_alg_adjust(IPSEC_ALG_AUTH, eauth_alg,
1206 &ipp->ipp_espa_minbits, &ipp->ipp_espa_maxbits, ns);
1207 act_alg_adjust(IPSEC_ALG_ENCR, encr_alg,
1208 &ipp->ipp_espe_minbits, &ipp->ipp_espe_maxbits, ns);
1209 }
1210
1211 /*
1212 * combinatoric expansion time: expand a wildcarded action into an
1213 * array of wildcarded actions; we return the exploded action list,
1214 * and return a count in *nact (output only).
1215 */
1216 static ipsec_act_t *
1217 ipsec_act_wildcard_expand(ipsec_act_t *act, uint_t *nact, netstack_t *ns)
1218 {
1219 boolean_t use_ah, use_esp, use_espa;
1220 boolean_t wild_auth, wild_encr, wild_eauth;
1221 uint_t auth_alg, auth_idx, auth_min, auth_max;
1222 uint_t eauth_alg, eauth_idx, eauth_min, eauth_max;
1223 uint_t encr_alg, encr_idx, encr_min, encr_max;
1224 uint_t action_count, ai;
1225 ipsec_act_t *outact;
1226 ipsec_stack_t *ipss = ns->netstack_ipsec;
1227
1228 if (act->ipa_type != IPSEC_ACT_APPLY) {
1229 outact = kmem_alloc(sizeof (*act), KM_NOSLEEP);
1230 *nact = 1;
1231 if (outact != NULL)
1232 bcopy(act, outact, sizeof (*act));
1233 return (outact);
1234 }
1235 /*
1236 * compute the combinatoric explosion..
1237 *
1238 * we assume a request for encr if esp_req is PREF_REQUIRED
1239 * we assume a request for ah auth if ah_req is PREF_REQUIRED.
1240 * we assume a request for esp auth if !ah and esp_req is PREF_REQUIRED
1241 */
1242
1243 use_ah = act->ipa_apply.ipp_use_ah;
1244 use_esp = act->ipa_apply.ipp_use_esp;
1245 use_espa = act->ipa_apply.ipp_use_espa;
1246 auth_alg = act->ipa_apply.ipp_auth_alg;
1247 eauth_alg = act->ipa_apply.ipp_esp_auth_alg;
1248 encr_alg = act->ipa_apply.ipp_encr_alg;
1249
1250 wild_auth = use_ah && (auth_alg == 0);
1251 wild_eauth = use_espa && (eauth_alg == 0);
1252 wild_encr = use_esp && (encr_alg == 0);
1253
1254 action_count = 1;
1255 auth_min = auth_max = auth_alg;
1256 eauth_min = eauth_max = eauth_alg;
1257 encr_min = encr_max = encr_alg;
1258
1259 /*
1260 * set up for explosion.. for each dimension, expand output
1261 * size by the explosion factor.
1262 *
1263 * Don't include the "any" algorithms, if defined, as no
1264 * kernel policies should be set for these algorithms.
1265 */
1266
1267 #define SET_EXP_MINMAX(type, wild, alg, min, max, ipss) \
1268 if (wild) { \
1269 int nalgs = ipss->ipsec_nalgs[type]; \
1270 if (ipss->ipsec_alglists[type][alg] != NULL) \
1271 nalgs--; \
1272 action_count *= nalgs; \
1273 min = 0; \
1274 max = ipss->ipsec_nalgs[type] - 1; \
1275 }
1276
1277 SET_EXP_MINMAX(IPSEC_ALG_AUTH, wild_auth, SADB_AALG_NONE,
1278 auth_min, auth_max, ipss);
1279 SET_EXP_MINMAX(IPSEC_ALG_AUTH, wild_eauth, SADB_AALG_NONE,
1280 eauth_min, eauth_max, ipss);
1281 SET_EXP_MINMAX(IPSEC_ALG_ENCR, wild_encr, SADB_EALG_NONE,
1282 encr_min, encr_max, ipss);
1283
1284 #undef SET_EXP_MINMAX
1285
1286 /*
1287 * ok, allocate the whole mess..
1288 */
1289
1290 outact = kmem_alloc(sizeof (*outact) * action_count, KM_NOSLEEP);
1291 if (outact == NULL)
1292 return (NULL);
1293
1294 /*
1295 * Now compute all combinations. Note that non-wildcarded
1296 * dimensions just get a single value from auth_min, while
1297 * wildcarded dimensions indirect through the sortlist.
1298 *
1299 * We do encryption outermost since, at this time, there's
1300 * greater difference in security and performance between
1301 * encryption algorithms vs. authentication algorithms.
1302 */
1303
1304 ai = 0;
1305
1306 #define WHICH_ALG(type, wild, idx, ipss) \
1307 ((wild)?(ipss->ipsec_sortlist[type][idx]):(idx))
1308
1309 for (encr_idx = encr_min; encr_idx <= encr_max; encr_idx++) {
1310 encr_alg = WHICH_ALG(IPSEC_ALG_ENCR, wild_encr, encr_idx, ipss);
1311 if (wild_encr && encr_alg == SADB_EALG_NONE)
1312 continue;
1313 for (auth_idx = auth_min; auth_idx <= auth_max; auth_idx++) {
1314 auth_alg = WHICH_ALG(IPSEC_ALG_AUTH, wild_auth,
1315 auth_idx, ipss);
1316 if (wild_auth && auth_alg == SADB_AALG_NONE)
1317 continue;
1318 for (eauth_idx = eauth_min; eauth_idx <= eauth_max;
1319 eauth_idx++) {
1320 eauth_alg = WHICH_ALG(IPSEC_ALG_AUTH,
1321 wild_eauth, eauth_idx, ipss);
1322 if (wild_eauth && eauth_alg == SADB_AALG_NONE)
1323 continue;
1324
1325 ipsec_setup_act(&outact[ai], act,
1326 auth_alg, encr_alg, eauth_alg, ns);
1327 ai++;
1328 }
1329 }
1330 }
1331
1332 #undef WHICH_ALG
1333
1334 ASSERT(ai == action_count);
1335 *nact = action_count;
1336 return (outact);
1337 }
1338
1339 /*
1340 * Extract the parts of an ipsec_prot_t from an old-style ipsec_req_t.
1341 */
1342 static void
1343 ipsec_prot_from_req(const ipsec_req_t *req, ipsec_prot_t *ipp)
1344 {
1345 bzero(ipp, sizeof (*ipp));
1346 /*
1347 * ipp_use_* are bitfields. Look at "!!" in the following as a
1348 * "boolean canonicalization" operator.
1349 */
1350 ipp->ipp_use_ah = !!(req->ipsr_ah_req & IPSEC_PREF_REQUIRED);
1351 ipp->ipp_use_esp = !!(req->ipsr_esp_req & IPSEC_PREF_REQUIRED);
1352 ipp->ipp_use_espa = !!(req->ipsr_esp_auth_alg);
1353 ipp->ipp_use_se = !!(req->ipsr_self_encap_req & IPSEC_PREF_REQUIRED);
1354 ipp->ipp_use_unique = !!((req->ipsr_ah_req|req->ipsr_esp_req) &
1355 IPSEC_PREF_UNIQUE);
1356 ipp->ipp_encr_alg = req->ipsr_esp_alg;
1357 /*
1358 * SADB_AALG_ANY is a placeholder to distinguish "any" from
1359 * "none" above. If auth is required, as determined above,
1360 * SADB_AALG_ANY becomes 0, which is the representation
1361 * of "any" and "none" in PF_KEY v2.
1362 */
1363 ipp->ipp_auth_alg = (req->ipsr_auth_alg != SADB_AALG_ANY) ?
1364 req->ipsr_auth_alg : 0;
1365 ipp->ipp_esp_auth_alg = (req->ipsr_esp_auth_alg != SADB_AALG_ANY) ?
1366 req->ipsr_esp_auth_alg : 0;
1367 }
1368
1369 /*
1370 * Extract a new-style action from a request.
1371 */
1372 void
1373 ipsec_actvec_from_req(const ipsec_req_t *req, ipsec_act_t **actp, uint_t *nactp,
1374 netstack_t *ns)
1375 {
1376 struct ipsec_act act;
1377
1378 bzero(&act, sizeof (act));
1379 if ((req->ipsr_ah_req & IPSEC_PREF_NEVER) &&
1380 (req->ipsr_esp_req & IPSEC_PREF_NEVER)) {
1381 act.ipa_type = IPSEC_ACT_BYPASS;
1382 } else {
1383 act.ipa_type = IPSEC_ACT_APPLY;
1384 ipsec_prot_from_req(req, &act.ipa_apply);
1385 }
1386 *actp = ipsec_act_wildcard_expand(&act, nactp, ns);
1387 }
1388
1389 /*
1390 * Convert a new-style "prot" back to an ipsec_req_t (more backwards compat).
1391 * We assume caller has already zero'ed *req for us.
1392 */
1393 static int
1394 ipsec_req_from_prot(ipsec_prot_t *ipp, ipsec_req_t *req)
1395 {
1396 req->ipsr_esp_alg = ipp->ipp_encr_alg;
1397 req->ipsr_auth_alg = ipp->ipp_auth_alg;
1398 req->ipsr_esp_auth_alg = ipp->ipp_esp_auth_alg;
1399
1400 if (ipp->ipp_use_unique) {
1401 req->ipsr_ah_req |= IPSEC_PREF_UNIQUE;
1402 req->ipsr_esp_req |= IPSEC_PREF_UNIQUE;
1403 }
1404 if (ipp->ipp_use_se)
1405 req->ipsr_self_encap_req |= IPSEC_PREF_REQUIRED;
1406 if (ipp->ipp_use_ah)
1407 req->ipsr_ah_req |= IPSEC_PREF_REQUIRED;
1408 if (ipp->ipp_use_esp)
1409 req->ipsr_esp_req |= IPSEC_PREF_REQUIRED;
1410 return (sizeof (*req));
1411 }
1412
1413 /*
1414 * Convert a new-style action back to an ipsec_req_t (more backwards compat).
1415 * We assume caller has already zero'ed *req for us.
1416 */
1417 static int
1418 ipsec_req_from_act(ipsec_action_t *ap, ipsec_req_t *req)
1419 {
1420 switch (ap->ipa_act.ipa_type) {
1421 case IPSEC_ACT_BYPASS:
1422 req->ipsr_ah_req = IPSEC_PREF_NEVER;
1423 req->ipsr_esp_req = IPSEC_PREF_NEVER;
1424 return (sizeof (*req));
1425 case IPSEC_ACT_APPLY:
1426 return (ipsec_req_from_prot(&ap->ipa_act.ipa_apply, req));
1427 }
1428 return (sizeof (*req));
1429 }
1430
1431 /*
1432 * Convert a new-style action back to an ipsec_req_t (more backwards compat).
1433 * We assume caller has already zero'ed *req for us.
1434 */
1435 int
1436 ipsec_req_from_head(ipsec_policy_head_t *ph, ipsec_req_t *req, int af)
1437 {
1438 ipsec_policy_t *p;
1439
1440 /*
1441 * FULL-PERSOCK: consult hash table, too?
1442 */
1443 for (p = ph->iph_root[IPSEC_INBOUND].ipr_nonhash[af];
1444 p != NULL;
1445 p = p->ipsp_hash.hash_next) {
1446 if ((p->ipsp_sel->ipsl_key.ipsl_valid & IPSL_WILDCARD) == 0)
1447 return (ipsec_req_from_act(p->ipsp_act, req));
1448 }
1449 return (sizeof (*req));
1450 }
1451
1452 /*
1453 * Based on per-socket or latched policy, convert to an appropriate
1454 * IP_SEC_OPT ipsec_req_t for the socket option; return size so we can
1455 * be tail-called from ip.
1456 */
1457 int
1458 ipsec_req_from_conn(conn_t *connp, ipsec_req_t *req, int af)
1459 {
1460 ipsec_latch_t *ipl;
1461 int rv = sizeof (ipsec_req_t);
1462
1463 bzero(req, sizeof (*req));
1464
1465 ASSERT(MUTEX_HELD(&connp->conn_lock));
1466 ipl = connp->conn_latch;
1467
1468 /*
1469 * Find appropriate policy. First choice is latched action;
1470 * failing that, see latched policy; failing that,
1471 * look at configured policy.
1472 */
1473 if (ipl != NULL) {
1474 if (connp->conn_latch_in_action != NULL) {
1475 rv = ipsec_req_from_act(connp->conn_latch_in_action,
1476 req);
1477 goto done;
1478 }
1479 if (connp->conn_latch_in_policy != NULL) {
1480 rv = ipsec_req_from_act(
1481 connp->conn_latch_in_policy->ipsp_act, req);
1482 goto done;
1483 }
1484 }
1485 if (connp->conn_policy != NULL)
1486 rv = ipsec_req_from_head(connp->conn_policy, req, af);
1487 done:
1488 return (rv);
1489 }
1490
1491 void
1492 ipsec_actvec_free(ipsec_act_t *act, uint_t nact)
1493 {
1494 kmem_free(act, nact * sizeof (*act));
1495 }
1496
1497 /*
1498 * Consumes a reference to ipsp.
1499 */
1500 static mblk_t *
1501 ipsec_check_loopback_policy(mblk_t *data_mp, ip_recv_attr_t *ira,
1502 ipsec_policy_t *ipsp)
1503 {
1504 if (!(ira->ira_flags & IRAF_IPSEC_SECURE))
1505 return (data_mp);
1506
1507 ASSERT(ira->ira_flags & IRAF_LOOPBACK);
1508
1509 IPPOL_REFRELE(ipsp);
1510
1511 /*
1512 * We should do an actual policy check here. Revisit this
1513 * when we revisit the IPsec API. (And pass a conn_t in when we
1514 * get there.)
1515 */
1516
1517 return (data_mp);
1518 }
1519
1520 /*
1521 * Check that packet's inbound ports & proto match the selectors
1522 * expected by the SAs it traversed on the way in.
1523 */
1524 static boolean_t
1525 ipsec_check_ipsecin_unique(ip_recv_attr_t *ira, const char **reason,
1526 kstat_named_t **counter, uint64_t pkt_unique, netstack_t *ns)
1527 {
1528 uint64_t ah_mask, esp_mask;
1529 ipsa_t *ah_assoc;
1530 ipsa_t *esp_assoc;
1531 ipsec_stack_t *ipss = ns->netstack_ipsec;
1532
1533 ASSERT(ira->ira_flags & IRAF_IPSEC_SECURE);
1534 ASSERT(!(ira->ira_flags & IRAF_LOOPBACK));
1535
1536 ah_assoc = ira->ira_ipsec_ah_sa;
1537 esp_assoc = ira->ira_ipsec_esp_sa;
1538 ASSERT((ah_assoc != NULL) || (esp_assoc != NULL));
1539
1540 ah_mask = (ah_assoc != NULL) ? ah_assoc->ipsa_unique_mask : 0;
1541 esp_mask = (esp_assoc != NULL) ? esp_assoc->ipsa_unique_mask : 0;
1542
1543 if ((ah_mask == 0) && (esp_mask == 0))
1544 return (B_TRUE);
1545
1546 /*
1547 * The pkt_unique check will also check for tunnel mode on the SA
1548 * vs. the tunneled_packet boolean. "Be liberal in what you receive"
1549 * should not apply in this case. ;)
1550 */
1551
1552 if (ah_mask != 0 &&
1553 ah_assoc->ipsa_unique_id != (pkt_unique & ah_mask)) {
1554 *reason = "AH inner header mismatch";
1555 *counter = DROPPER(ipss, ipds_spd_ah_innermismatch);
1556 return (B_FALSE);
1557 }
1558 if (esp_mask != 0 &&
1559 esp_assoc->ipsa_unique_id != (pkt_unique & esp_mask)) {
1560 *reason = "ESP inner header mismatch";
1561 *counter = DROPPER(ipss, ipds_spd_esp_innermismatch);
1562 return (B_FALSE);
1563 }
1564 return (B_TRUE);
1565 }
1566
1567 static boolean_t
1568 ipsec_check_ipsecin_action(ip_recv_attr_t *ira, mblk_t *mp, ipsec_action_t *ap,
1569 ipha_t *ipha, ip6_t *ip6h, const char **reason, kstat_named_t **counter,
1570 netstack_t *ns)
1571 {
1572 boolean_t ret = B_TRUE;
1573 ipsec_prot_t *ipp;
1574 ipsa_t *ah_assoc;
1575 ipsa_t *esp_assoc;
1576 boolean_t decaps;
1577 ipsec_stack_t *ipss = ns->netstack_ipsec;
1578
1579 ASSERT((ipha == NULL && ip6h != NULL) ||
1580 (ip6h == NULL && ipha != NULL));
1581
1582 if (ira->ira_flags & IRAF_LOOPBACK) {
1583 /*
1584 * Besides accepting pointer-equivalent actions, we also
1585 * accept any ICMP errors we generated for ourselves,
1586 * regardless of policy. If we do not wish to make this
1587 * assumption in the future, check here, and where
1588 * IXAF_TRUSTED_ICMP is initialized in ip.c and ip6.c.
1589 */
1590 if (ap == ira->ira_ipsec_action ||
1591 (ira->ira_flags & IRAF_TRUSTED_ICMP))
1592 return (B_TRUE);
1593
1594 /* Deep compare necessary here?? */
1595 *counter = DROPPER(ipss, ipds_spd_loopback_mismatch);
1596 *reason = "loopback policy mismatch";
1597 return (B_FALSE);
1598 }
1599 ASSERT(!(ira->ira_flags & IRAF_TRUSTED_ICMP));
1600 ASSERT(ira->ira_flags & IRAF_IPSEC_SECURE);
1601
1602 ah_assoc = ira->ira_ipsec_ah_sa;
1603 esp_assoc = ira->ira_ipsec_esp_sa;
1604
1605 decaps = (ira->ira_flags & IRAF_IPSEC_DECAPS);
1606
1607 switch (ap->ipa_act.ipa_type) {
1608 case IPSEC_ACT_DISCARD:
1609 case IPSEC_ACT_REJECT:
1610 /* Should "fail hard" */
1611 *counter = DROPPER(ipss, ipds_spd_explicit);
1612 *reason = "blocked by policy";
1613 return (B_FALSE);
1614
1615 case IPSEC_ACT_BYPASS:
1616 case IPSEC_ACT_CLEAR:
1617 *counter = DROPPER(ipss, ipds_spd_got_secure);
1618 *reason = "expected clear, got protected";
1619 return (B_FALSE);
1620
1621 case IPSEC_ACT_APPLY:
1622 ipp = &ap->ipa_act.ipa_apply;
1623 /*
1624 * As of now we do the simple checks of whether
1625 * the datagram has gone through the required IPSEC
1626 * protocol constraints or not. We might have more
1627 * in the future like sensitive levels, key bits, etc.
1628 * If it fails the constraints, check whether we would
1629 * have accepted this if it had come in clear.
1630 */
1631 if (ipp->ipp_use_ah) {
1632 if (ah_assoc == NULL) {
1633 ret = ipsec_inbound_accept_clear(mp, ipha,
1634 ip6h);
1635 *counter = DROPPER(ipss, ipds_spd_got_clear);
1636 *reason = "unprotected not accepted";
1637 break;
1638 }
1639 ASSERT(ah_assoc != NULL);
1640 ASSERT(ipp->ipp_auth_alg != 0);
1641
1642 if (ah_assoc->ipsa_auth_alg !=
1643 ipp->ipp_auth_alg) {
1644 *counter = DROPPER(ipss, ipds_spd_bad_ahalg);
1645 *reason = "unacceptable ah alg";
1646 ret = B_FALSE;
1647 break;
1648 }
1649 } else if (ah_assoc != NULL) {
1650 /*
1651 * Don't allow this. Check IPSEC NOTE above
1652 * ip_fanout_proto().
1653 */
1654 *counter = DROPPER(ipss, ipds_spd_got_ah);
1655 *reason = "unexpected AH";
1656 ret = B_FALSE;
1657 break;
1658 }
1659 if (ipp->ipp_use_esp) {
1660 if (esp_assoc == NULL) {
1661 ret = ipsec_inbound_accept_clear(mp, ipha,
1662 ip6h);
1663 *counter = DROPPER(ipss, ipds_spd_got_clear);
1664 *reason = "unprotected not accepted";
1665 break;
1666 }
1667 ASSERT(esp_assoc != NULL);
1668 ASSERT(ipp->ipp_encr_alg != 0);
1669
1670 if (esp_assoc->ipsa_encr_alg !=
1671 ipp->ipp_encr_alg) {
1672 *counter = DROPPER(ipss, ipds_spd_bad_espealg);
1673 *reason = "unacceptable esp alg";
1674 ret = B_FALSE;
1675 break;
1676 }
1677 /*
1678 * If the client does not need authentication,
1679 * we don't verify the alogrithm.
1680 */
1681 if (ipp->ipp_use_espa) {
1682 if (esp_assoc->ipsa_auth_alg !=
1683 ipp->ipp_esp_auth_alg) {
1684 *counter = DROPPER(ipss,
1685 ipds_spd_bad_espaalg);
1686 *reason = "unacceptable esp auth alg";
1687 ret = B_FALSE;
1688 break;
1689 }
1690 }
1691 } else if (esp_assoc != NULL) {
1692 /*
1693 * Don't allow this. Check IPSEC NOTE above
1694 * ip_fanout_proto().
1695 */
1696 *counter = DROPPER(ipss, ipds_spd_got_esp);
1697 *reason = "unexpected ESP";
1698 ret = B_FALSE;
1699 break;
1700 }
1701 if (ipp->ipp_use_se) {
1702 if (!decaps) {
1703 ret = ipsec_inbound_accept_clear(mp, ipha,
1704 ip6h);
1705 if (!ret) {
1706 /* XXX mutant? */
1707 *counter = DROPPER(ipss,
1708 ipds_spd_bad_selfencap);
1709 *reason = "self encap not found";
1710 break;
1711 }
1712 }
1713 } else if (decaps) {
1714 /*
1715 * XXX If the packet comes in tunneled and the
1716 * recipient does not expect it to be tunneled, it
1717 * is okay. But we drop to be consistent with the
1718 * other cases.
1719 */
1720 *counter = DROPPER(ipss, ipds_spd_got_selfencap);
1721 *reason = "unexpected self encap";
1722 ret = B_FALSE;
1723 break;
1724 }
1725 if (ira->ira_ipsec_action != NULL) {
1726 /*
1727 * This can happen if we do a double policy-check on
1728 * a packet
1729 * XXX XXX should fix this case!
1730 */
1731 IPACT_REFRELE(ira->ira_ipsec_action);
1732 }
1733 ASSERT(ira->ira_flags & IRAF_IPSEC_SECURE);
1734 ASSERT(ira->ira_ipsec_action == NULL);
1735 IPACT_REFHOLD(ap);
1736 ira->ira_ipsec_action = ap;
1737 break; /* from switch */
1738 }
1739 return (ret);
1740 }
1741
1742 static boolean_t
1743 spd_match_inbound_ids(ipsec_latch_t *ipl, ipsa_t *sa)
1744 {
1745 ASSERT(ipl->ipl_ids_latched == B_TRUE);
1746 return ipsid_equal(ipl->ipl_remote_cid, sa->ipsa_src_cid) &&
1747 ipsid_equal(ipl->ipl_local_cid, sa->ipsa_dst_cid);
1748 }
1749
1750 /*
1751 * Takes a latched conn and an inbound packet and returns a unique_id suitable
1752 * for SA comparisons. Most of the time we will copy from the conn_t, but
1753 * there are cases when the conn_t is latched but it has wildcard selectors,
1754 * and then we need to fallback to scooping them out of the packet.
1755 *
1756 * Assume we'll never have 0 with a conn_t present, so use 0 as a failure. We
1757 * can get away with this because we only have non-zero ports/proto for
1758 * latched conn_ts.
1759 *
1760 * Ideal candidate for an "inline" keyword, as we're JUST convoluted enough
1761 * to not be a nice macro.
1762 */
1763 static uint64_t
1764 conn_to_unique(conn_t *connp, mblk_t *data_mp, ipha_t *ipha, ip6_t *ip6h)
1765 {
1766 ipsec_selector_t sel;
1767 uint8_t ulp = connp->conn_proto;
1768
1769 ASSERT(connp->conn_latch_in_policy != NULL);
1770
1771 if ((ulp == IPPROTO_TCP || ulp == IPPROTO_UDP || ulp == IPPROTO_SCTP) &&
1772 (connp->conn_fport == 0 || connp->conn_lport == 0)) {
1773 /* Slow path - we gotta grab from the packet. */
1774 if (ipsec_init_inbound_sel(&sel, data_mp, ipha, ip6h,
1775 SEL_NONE) != SELRET_SUCCESS) {
1776 /* Failure -> have caller free packet with ENOMEM. */
1777 return (0);
1778 }
1779 return (SA_UNIQUE_ID(sel.ips_remote_port, sel.ips_local_port,
1780 sel.ips_protocol, 0));
1781 }
1782
1783 #ifdef DEBUG_NOT_UNTIL_6478464
1784 if (ipsec_init_inbound_sel(&sel, data_mp, ipha, ip6h, SEL_NONE) ==
1785 SELRET_SUCCESS) {
1786 ASSERT(sel.ips_local_port == connp->conn_lport);
1787 ASSERT(sel.ips_remote_port == connp->conn_fport);
1788 ASSERT(sel.ips_protocol == connp->conn_proto);
1789 }
1790 ASSERT(connp->conn_proto != 0);
1791 #endif
1792
1793 return (SA_UNIQUE_ID(connp->conn_fport, connp->conn_lport, ulp, 0));
1794 }
1795
1796 /*
1797 * Called to check policy on a latched connection.
1798 * Note that we don't dereference conn_latch or conn_ihere since the conn might
1799 * be closing. The caller passes a held ipsec_latch_t instead.
1800 */
1801 static boolean_t
1802 ipsec_check_ipsecin_latch(ip_recv_attr_t *ira, mblk_t *mp, ipsec_latch_t *ipl,
1803 ipsec_action_t *ap, ipha_t *ipha, ip6_t *ip6h, const char **reason,
1804 kstat_named_t **counter, conn_t *connp, netstack_t *ns)
1805 {
1806 ipsec_stack_t *ipss = ns->netstack_ipsec;
1807
1808 ASSERT(ipl->ipl_ids_latched == B_TRUE);
1809 ASSERT(ira->ira_flags & IRAF_IPSEC_SECURE);
1810
1811 if (!(ira->ira_flags & IRAF_LOOPBACK)) {
1812 /*
1813 * Over loopback, there aren't real security associations,
1814 * so there are neither identities nor "unique" values
1815 * for us to check the packet against.
1816 */
1817 if (ira->ira_ipsec_ah_sa != NULL) {
1818 if (!spd_match_inbound_ids(ipl,
1819 ira->ira_ipsec_ah_sa)) {
1820 *counter = DROPPER(ipss, ipds_spd_ah_badid);
1821 *reason = "AH identity mismatch";
1822 return (B_FALSE);
1823 }
1824 }
1825
1826 if (ira->ira_ipsec_esp_sa != NULL) {
1827 if (!spd_match_inbound_ids(ipl,
1828 ira->ira_ipsec_esp_sa)) {
1829 *counter = DROPPER(ipss, ipds_spd_esp_badid);
1830 *reason = "ESP identity mismatch";
1831 return (B_FALSE);
1832 }
1833 }
1834
1835 /*
1836 * Can fudge pkt_unique from connp because we're latched.
1837 * In DEBUG kernels (see conn_to_unique()'s implementation),
1838 * verify this even if it REALLY slows things down.
1839 */
1840 if (!ipsec_check_ipsecin_unique(ira, reason, counter,
1841 conn_to_unique(connp, mp, ipha, ip6h), ns)) {
1842 return (B_FALSE);
1843 }
1844 }
1845 return (ipsec_check_ipsecin_action(ira, mp, ap, ipha, ip6h, reason,
1846 counter, ns));
1847 }
1848
1849 /*
1850 * Check to see whether this secured datagram meets the policy
1851 * constraints specified in ipsp.
1852 *
1853 * Called from ipsec_check_global_policy, and ipsec_check_inbound_policy.
1854 *
1855 * Consumes a reference to ipsp.
1856 * Returns the mblk if ok.
1857 */
1858 static mblk_t *
1859 ipsec_check_ipsecin_policy(mblk_t *data_mp, ipsec_policy_t *ipsp,
1860 ipha_t *ipha, ip6_t *ip6h, uint64_t pkt_unique, ip_recv_attr_t *ira,
1861 netstack_t *ns)
1862 {
1863 ipsec_action_t *ap;
1864 const char *reason = "no policy actions found";
1865 ip_stack_t *ipst = ns->netstack_ip;
1866 ipsec_stack_t *ipss = ns->netstack_ipsec;
1867 kstat_named_t *counter;
1868
1869 counter = DROPPER(ipss, ipds_spd_got_secure);
1870
1871 ASSERT(ipsp != NULL);
1872
1873 ASSERT((ipha == NULL && ip6h != NULL) ||
1874 (ip6h == NULL && ipha != NULL));
1875
1876 if (ira->ira_flags & IRAF_LOOPBACK)
1877 return (ipsec_check_loopback_policy(data_mp, ira, ipsp));
1878
1879 ASSERT(ira->ira_flags & IRAF_IPSEC_SECURE);
1880
1881 if (ira->ira_ipsec_action != NULL) {
1882 /*
1883 * this can happen if we do a double policy-check on a packet
1884 * Would be nice to be able to delete this test..
1885 */
1886 IPACT_REFRELE(ira->ira_ipsec_action);
1887 }
1888 ASSERT(ira->ira_ipsec_action == NULL);
1889
1890 if (!SA_IDS_MATCH(ira->ira_ipsec_ah_sa, ira->ira_ipsec_esp_sa)) {
1891 reason = "inbound AH and ESP identities differ";
1892 counter = DROPPER(ipss, ipds_spd_ahesp_diffid);
1893 goto drop;
1894 }
1895
1896 if (!ipsec_check_ipsecin_unique(ira, &reason, &counter, pkt_unique,
1897 ns))
1898 goto drop;
1899
1900 /*
1901 * Ok, now loop through the possible actions and see if any
1902 * of them work for us.
1903 */
1904
1905 for (ap = ipsp->ipsp_act; ap != NULL; ap = ap->ipa_next) {
1906 if (ipsec_check_ipsecin_action(ira, data_mp, ap,
1907 ipha, ip6h, &reason, &counter, ns)) {
1908 BUMP_MIB(&ipst->ips_ip_mib, ipsecInSucceeded);
1909 IPPOL_REFRELE(ipsp);
1910 return (data_mp);
1911 }
1912 }
1913 drop:
1914 ipsec_rl_strlog(ns, IP_MOD_ID, 0, 0, SL_ERROR|SL_WARN|SL_CONSOLE,
1915 "ipsec inbound policy mismatch: %s, packet dropped\n",
1916 reason);
1917 IPPOL_REFRELE(ipsp);
1918 ASSERT(ira->ira_ipsec_action == NULL);
1919 BUMP_MIB(&ipst->ips_ip_mib, ipsecInFailed);
1920 ip_drop_packet(data_mp, B_TRUE, NULL, counter,
1921 &ipss->ipsec_spd_dropper);
1922 return (NULL);
1923 }
1924
1925 /*
1926 * sleazy prefix-length-based compare.
1927 * another inlining candidate..
1928 */
1929 boolean_t
1930 ip_addr_match(uint8_t *addr1, int pfxlen, in6_addr_t *addr2p)
1931 {
1932 int offset = pfxlen>>3;
1933 int bitsleft = pfxlen & 7;
1934 uint8_t *addr2 = (uint8_t *)addr2p;
1935
1936 /*
1937 * and there was much evil..
1938 * XXX should inline-expand the bcmp here and do this 32 bits
1939 * or 64 bits at a time..
1940 */
1941 return ((bcmp(addr1, addr2, offset) == 0) &&
1942 ((bitsleft == 0) ||
1943 (((addr1[offset] ^ addr2[offset]) & (0xff<<(8-bitsleft))) == 0)));
1944 }
1945
1946 static ipsec_policy_t *
1947 ipsec_find_policy_chain(ipsec_policy_t *best, ipsec_policy_t *chain,
1948 ipsec_selector_t *sel, boolean_t is_icmp_inv_acq)
1949 {
1950 ipsec_selkey_t *isel;
1951 ipsec_policy_t *p;
1952 int bpri = best ? best->ipsp_prio : 0;
1953
1954 for (p = chain; p != NULL; p = p->ipsp_hash.hash_next) {
1955 uint32_t valid;
1956
1957 if (p->ipsp_prio <= bpri)
1958 continue;
1959 isel = &p->ipsp_sel->ipsl_key;
1960 valid = isel->ipsl_valid;
1961
1962 if ((valid & IPSL_PROTOCOL) &&
1963 (isel->ipsl_proto != sel->ips_protocol))
1964 continue;
1965
1966 if ((valid & IPSL_REMOTE_ADDR) &&
1967 !ip_addr_match((uint8_t *)&isel->ipsl_remote,
1968 isel->ipsl_remote_pfxlen, &sel->ips_remote_addr_v6))
1969 continue;
1970
1971 if ((valid & IPSL_LOCAL_ADDR) &&
1972 !ip_addr_match((uint8_t *)&isel->ipsl_local,
1973 isel->ipsl_local_pfxlen, &sel->ips_local_addr_v6))
1974 continue;
1975
1976 if ((valid & IPSL_REMOTE_PORT) &&
1977 isel->ipsl_rport != sel->ips_remote_port)
1978 continue;
1979
1980 if ((valid & IPSL_LOCAL_PORT) &&
1981 isel->ipsl_lport != sel->ips_local_port)
1982 continue;
1983
1984 if (!is_icmp_inv_acq) {
1985 if ((valid & IPSL_ICMP_TYPE) &&
1986 (isel->ipsl_icmp_type > sel->ips_icmp_type ||
1987 isel->ipsl_icmp_type_end < sel->ips_icmp_type)) {
1988 continue;
1989 }
1990
1991 if ((valid & IPSL_ICMP_CODE) &&
1992 (isel->ipsl_icmp_code > sel->ips_icmp_code ||
1993 isel->ipsl_icmp_code_end <
1994 sel->ips_icmp_code)) {
1995 continue;
1996 }
1997 } else {
1998 /*
1999 * special case for icmp inverse acquire
2000 * we only want policies that aren't drop/pass
2001 */
2002 if (p->ipsp_act->ipa_act.ipa_type != IPSEC_ACT_APPLY)
2003 continue;
2004 }
2005
2006 /* we matched all the packet-port-field selectors! */
2007 best = p;
2008 bpri = p->ipsp_prio;
2009 }
2010
2011 return (best);
2012 }
2013
2014 /*
2015 * Try to find and return the best policy entry under a given policy
2016 * root for a given set of selectors; the first parameter "best" is
2017 * the current best policy so far. If "best" is non-null, we have a
2018 * reference to it. We return a reference to a policy; if that policy
2019 * is not the original "best", we need to release that reference
2020 * before returning.
2021 */
2022 ipsec_policy_t *
2023 ipsec_find_policy_head(ipsec_policy_t *best, ipsec_policy_head_t *head,
2024 int direction, ipsec_selector_t *sel)
2025 {
2026 ipsec_policy_t *curbest;
2027 ipsec_policy_root_t *root;
2028 uint8_t is_icmp_inv_acq = sel->ips_is_icmp_inv_acq;
2029 int af = sel->ips_isv4 ? IPSEC_AF_V4 : IPSEC_AF_V6;
2030
2031 curbest = best;
2032 root = &head->iph_root[direction];
2033
2034 #ifdef DEBUG
2035 if (is_icmp_inv_acq) {
2036 if (sel->ips_isv4) {
2037 if (sel->ips_protocol != IPPROTO_ICMP) {
2038 cmn_err(CE_WARN, "ipsec_find_policy_head:"
2039 " expecting icmp, got %d",
2040 sel->ips_protocol);
2041 }
2042 } else {
2043 if (sel->ips_protocol != IPPROTO_ICMPV6) {
2044 cmn_err(CE_WARN, "ipsec_find_policy_head:"
2045 " expecting icmpv6, got %d",
2046 sel->ips_protocol);
2047 }
2048 }
2049 }
2050 #endif
2051
2052 rw_enter(&head->iph_lock, RW_READER);
2053
2054 if (root->ipr_nchains > 0) {
2055 curbest = ipsec_find_policy_chain(curbest,
2056 root->ipr_hash[selector_hash(sel, root)].hash_head, sel,
2057 is_icmp_inv_acq);
2058 }
2059 curbest = ipsec_find_policy_chain(curbest, root->ipr_nonhash[af], sel,
2060 is_icmp_inv_acq);
2061
2062 /*
2063 * Adjust reference counts if we found anything new.
2064 */
2065 if (curbest != best) {
2066 ASSERT(curbest != NULL);
2067 IPPOL_REFHOLD(curbest);
2068
2069 if (best != NULL) {
2070 IPPOL_REFRELE(best);
2071 }
2072 }
2073
2074 rw_exit(&head->iph_lock);
2075
2076 return (curbest);
2077 }
2078
2079 /*
2080 * Find the best system policy (either global or per-interface) which
2081 * applies to the given selector; look in all the relevant policy roots
2082 * to figure out which policy wins.
2083 *
2084 * Returns a reference to a policy; caller must release this
2085 * reference when done.
2086 */
2087 ipsec_policy_t *
2088 ipsec_find_policy(int direction, const conn_t *connp, ipsec_selector_t *sel,
2089 netstack_t *ns)
2090 {
2091 ipsec_policy_t *p;
2092 ipsec_stack_t *ipss = ns->netstack_ipsec;
2093
2094 p = ipsec_find_policy_head(NULL, &ipss->ipsec_system_policy,
2095 direction, sel);
2096 if ((connp != NULL) && (connp->conn_policy != NULL)) {
2097 p = ipsec_find_policy_head(p, connp->conn_policy,
2098 direction, sel);
2099 }
2100
2101 return (p);
2102 }
2103
2104 /*
2105 * Check with global policy and see whether this inbound
2106 * packet meets the policy constraints.
2107 *
2108 * Locate appropriate policy from global policy, supplemented by the
2109 * conn's configured and/or cached policy if the conn is supplied.
2110 *
2111 * Dispatch to ipsec_check_ipsecin_policy if we have policy and an
2112 * encrypted packet to see if they match.
2113 *
2114 * Otherwise, see if the policy allows cleartext; if not, drop it on the
2115 * floor.
2116 */
2117 mblk_t *
2118 ipsec_check_global_policy(mblk_t *data_mp, conn_t *connp,
2119 ipha_t *ipha, ip6_t *ip6h, ip_recv_attr_t *ira, netstack_t *ns)
2120 {
2121 ipsec_policy_t *p;
2122 ipsec_selector_t sel;
2123 boolean_t policy_present;
2124 kstat_named_t *counter;
2125 uint64_t pkt_unique;
2126 ip_stack_t *ipst = ns->netstack_ip;
2127 ipsec_stack_t *ipss = ns->netstack_ipsec;
2128
2129 sel.ips_is_icmp_inv_acq = 0;
2130
2131 ASSERT((ipha == NULL && ip6h != NULL) ||
2132 (ip6h == NULL && ipha != NULL));
2133
2134 if (ipha != NULL)
2135 policy_present = ipss->ipsec_inbound_v4_policy_present;
2136 else
2137 policy_present = ipss->ipsec_inbound_v6_policy_present;
2138
2139 if (!policy_present && connp == NULL) {
2140 /*
2141 * No global policy and no per-socket policy;
2142 * just pass it back (but we shouldn't get here in that case)
2143 */
2144 return (data_mp);
2145 }
2146
2147 /*
2148 * If we have cached policy, use it.
2149 * Otherwise consult system policy.
2150 */
2151 if ((connp != NULL) && (connp->conn_latch != NULL)) {
2152 p = connp->conn_latch_in_policy;
2153 if (p != NULL) {
2154 IPPOL_REFHOLD(p);
2155 }
2156 /*
2157 * Fudge sel for UNIQUE_ID setting below.
2158 */
2159 pkt_unique = conn_to_unique(connp, data_mp, ipha, ip6h);
2160 } else {
2161 /* Initialize the ports in the selector */
2162 if (ipsec_init_inbound_sel(&sel, data_mp, ipha, ip6h,
2163 SEL_NONE) == SELRET_NOMEM) {
2164 /*
2165 * Technically not a policy mismatch, but it is
2166 * an internal failure.
2167 */
2168 ipsec_log_policy_failure(IPSEC_POLICY_MISMATCH,
2169 "ipsec_init_inbound_sel", ipha, ip6h, B_TRUE, ns);
2170 counter = DROPPER(ipss, ipds_spd_nomem);
2171 goto fail;
2172 }
2173
2174 /*
2175 * Find the policy which best applies.
2176 *
2177 * If we find global policy, we should look at both
2178 * local policy and global policy and see which is
2179 * stronger and match accordingly.
2180 *
2181 * If we don't find a global policy, check with
2182 * local policy alone.
2183 */
2184
2185 p = ipsec_find_policy(IPSEC_TYPE_INBOUND, connp, &sel, ns);
2186 pkt_unique = SA_UNIQUE_ID(sel.ips_remote_port,
2187 sel.ips_local_port, sel.ips_protocol, 0);
2188 }
2189
2190 if (p == NULL) {
2191 if (!(ira->ira_flags & IRAF_IPSEC_SECURE)) {
2192 /*
2193 * We have no policy; default to succeeding.
2194 * XXX paranoid system design doesn't do this.
2195 */
2196 BUMP_MIB(&ipst->ips_ip_mib, ipsecInSucceeded);
2197 return (data_mp);
2198 } else {
2199 counter = DROPPER(ipss, ipds_spd_got_secure);
2200 ipsec_log_policy_failure(IPSEC_POLICY_NOT_NEEDED,
2201 "ipsec_check_global_policy", ipha, ip6h, B_TRUE,
2202 ns);
2203 goto fail;
2204 }
2205 }
2206 if (ira->ira_flags & IRAF_IPSEC_SECURE) {
2207 return (ipsec_check_ipsecin_policy(data_mp, p, ipha, ip6h,
2208 pkt_unique, ira, ns));
2209 }
2210 if (p->ipsp_act->ipa_allow_clear) {
2211 BUMP_MIB(&ipst->ips_ip_mib, ipsecInSucceeded);
2212 IPPOL_REFRELE(p);
2213 return (data_mp);
2214 }
2215 IPPOL_REFRELE(p);
2216 /*
2217 * If we reach here, we will drop the packet because it failed the
2218 * global policy check because the packet was cleartext, and it
2219 * should not have been.
2220 */
2221 ipsec_log_policy_failure(IPSEC_POLICY_MISMATCH,
2222 "ipsec_check_global_policy", ipha, ip6h, B_FALSE, ns);
2223 counter = DROPPER(ipss, ipds_spd_got_clear);
2224
2225 fail:
2226 ip_drop_packet(data_mp, B_TRUE, NULL, counter,
2227 &ipss->ipsec_spd_dropper);
2228 BUMP_MIB(&ipst->ips_ip_mib, ipsecInFailed);
2229 return (NULL);
2230 }
2231
2232 /*
2233 * We check whether an inbound datagram is a valid one
2234 * to accept in clear. If it is secure, it is the job
2235 * of IPSEC to log information appropriately if it
2236 * suspects that it may not be the real one.
2237 *
2238 * It is called only while fanning out to the ULP
2239 * where ULP accepts only secure data and the incoming
2240 * is clear. Usually we never accept clear datagrams in
2241 * such cases. ICMP is the only exception.
2242 *
2243 * NOTE : We don't call this function if the client (ULP)
2244 * is willing to accept things in clear.
2245 */
2246 boolean_t
2247 ipsec_inbound_accept_clear(mblk_t *mp, ipha_t *ipha, ip6_t *ip6h)
2248 {
2249 ushort_t iph_hdr_length;
2250 icmph_t *icmph;
2251 icmp6_t *icmp6;
2252 uint8_t *nexthdrp;
2253
2254 ASSERT((ipha != NULL && ip6h == NULL) ||
2255 (ipha == NULL && ip6h != NULL));
2256
2257 if (ip6h != NULL) {
2258 iph_hdr_length = ip_hdr_length_v6(mp, ip6h);
2259 if (!ip_hdr_length_nexthdr_v6(mp, ip6h, &iph_hdr_length,
2260 &nexthdrp)) {
2261 return (B_FALSE);
2262 }
2263 if (*nexthdrp != IPPROTO_ICMPV6)
2264 return (B_FALSE);
2265 icmp6 = (icmp6_t *)(&mp->b_rptr[iph_hdr_length]);
2266 /* Match IPv6 ICMP policy as closely as IPv4 as possible. */
2267 switch (icmp6->icmp6_type) {
2268 case ICMP6_PARAM_PROB:
2269 /* Corresponds to port/proto unreach in IPv4. */
2270 case ICMP6_ECHO_REQUEST:
2271 /* Just like IPv4. */
2272 return (B_FALSE);
2273
2274 case MLD_LISTENER_QUERY:
2275 case MLD_LISTENER_REPORT:
2276 case MLD_LISTENER_REDUCTION:
2277 /*
2278 * XXX Seperate NDD in IPv4 what about here?
2279 * Plus, mcast is important to ND.
2280 */
2281 case ICMP6_DST_UNREACH:
2282 /* Corresponds to HOST/NET unreachable in IPv4. */
2283 case ICMP6_PACKET_TOO_BIG:
2284 case ICMP6_ECHO_REPLY:
2285 /* These are trusted in IPv4. */
2286 case ND_ROUTER_SOLICIT:
2287 case ND_ROUTER_ADVERT:
2288 case ND_NEIGHBOR_SOLICIT:
2289 case ND_NEIGHBOR_ADVERT:
2290 case ND_REDIRECT:
2291 /* Trust ND messages for now. */
2292 case ICMP6_TIME_EXCEEDED:
2293 default:
2294 return (B_TRUE);
2295 }
2296 } else {
2297 /*
2298 * If it is not ICMP, fail this request.
2299 */
2300 if (ipha->ipha_protocol != IPPROTO_ICMP) {
2301 #ifdef FRAGCACHE_DEBUG
2302 cmn_err(CE_WARN, "Dropping - ipha_proto = %d\n",
2303 ipha->ipha_protocol);
2304 #endif
2305 return (B_FALSE);
2306 }
2307 iph_hdr_length = IPH_HDR_LENGTH(ipha);
2308 icmph = (icmph_t *)&mp->b_rptr[iph_hdr_length];
2309 /*
2310 * It is an insecure icmp message. Check to see whether we are
2311 * willing to accept this one.
2312 */
2313
2314 switch (icmph->icmph_type) {
2315 case ICMP_ECHO_REPLY:
2316 case ICMP_TIME_STAMP_REPLY:
2317 case ICMP_INFO_REPLY:
2318 case ICMP_ROUTER_ADVERTISEMENT:
2319 /*
2320 * We should not encourage clear replies if this
2321 * client expects secure. If somebody is replying
2322 * in clear some mailicious user watching both the
2323 * request and reply, can do chosen-plain-text attacks.
2324 * With global policy we might be just expecting secure
2325 * but sending out clear. We don't know what the right
2326 * thing is. We can't do much here as we can't control
2327 * the sender here. Till we are sure of what to do,
2328 * accept them.
2329 */
2330 return (B_TRUE);
2331 case ICMP_ECHO_REQUEST:
2332 case ICMP_TIME_STAMP_REQUEST:
2333 case ICMP_INFO_REQUEST:
2334 case ICMP_ADDRESS_MASK_REQUEST:
2335 case ICMP_ROUTER_SOLICITATION:
2336 case ICMP_ADDRESS_MASK_REPLY:
2337 /*
2338 * Don't accept this as somebody could be sending
2339 * us plain text to get encrypted data. If we reply,
2340 * it will lead to chosen plain text attack.
2341 */
2342 return (B_FALSE);
2343 case ICMP_DEST_UNREACHABLE:
2344 switch (icmph->icmph_code) {
2345 case ICMP_FRAGMENTATION_NEEDED:
2346 /*
2347 * Be in sync with icmp_inbound, where we have
2348 * already set dce_pmtu
2349 */
2350 #ifdef FRAGCACHE_DEBUG
2351 cmn_err(CE_WARN, "ICMP frag needed\n");
2352 #endif
2353 return (B_TRUE);
2354 case ICMP_HOST_UNREACHABLE:
2355 case ICMP_NET_UNREACHABLE:
2356 /*
2357 * By accepting, we could reset a connection.
2358 * How do we solve the problem of some
2359 * intermediate router sending in-secure ICMP
2360 * messages ?
2361 */
2362 return (B_TRUE);
2363 case ICMP_PORT_UNREACHABLE:
2364 case ICMP_PROTOCOL_UNREACHABLE:
2365 default :
2366 return (B_FALSE);
2367 }
2368 case ICMP_SOURCE_QUENCH:
2369 /*
2370 * If this is an attack, TCP will slow start
2371 * because of this. Is it very harmful ?
2372 */
2373 return (B_TRUE);
2374 case ICMP_PARAM_PROBLEM:
2375 return (B_FALSE);
2376 case ICMP_TIME_EXCEEDED:
2377 return (B_TRUE);
2378 case ICMP_REDIRECT:
2379 return (B_FALSE);
2380 default :
2381 return (B_FALSE);
2382 }
2383 }
2384 }
2385
2386 void
2387 ipsec_latch_ids(ipsec_latch_t *ipl, ipsid_t *local, ipsid_t *remote)
2388 {
2389 mutex_enter(&ipl->ipl_lock);
2390
2391 if (ipl->ipl_ids_latched) {
2392 /* I lost, someone else got here before me */
2393 mutex_exit(&ipl->ipl_lock);
2394 return;
2395 }
2396
2397 if (local != NULL)
2398 IPSID_REFHOLD(local);
2399 if (remote != NULL)
2400 IPSID_REFHOLD(remote);
2401
2402 ipl->ipl_local_cid = local;
2403 ipl->ipl_remote_cid = remote;
2404 ipl->ipl_ids_latched = B_TRUE;
2405 mutex_exit(&ipl->ipl_lock);
2406 }
2407
2408 void
2409 ipsec_latch_inbound(conn_t *connp, ip_recv_attr_t *ira)
2410 {
2411 ipsa_t *sa;
2412 ipsec_latch_t *ipl = connp->conn_latch;
2413
2414 if (!ipl->ipl_ids_latched) {
2415 ipsid_t *local = NULL;
2416 ipsid_t *remote = NULL;
2417
2418 if (!(ira->ira_flags & IRAF_LOOPBACK)) {
2419 ASSERT(ira->ira_flags & IRAF_IPSEC_SECURE);
2420 if (ira->ira_ipsec_esp_sa != NULL)
2421 sa = ira->ira_ipsec_esp_sa;
2422 else
2423 sa = ira->ira_ipsec_ah_sa;
2424 ASSERT(sa != NULL);
2425 local = sa->ipsa_dst_cid;
2426 remote = sa->ipsa_src_cid;
2427 }
2428 ipsec_latch_ids(ipl, local, remote);
2429 }
2430 if (ira->ira_flags & IRAF_IPSEC_SECURE) {
2431 if (connp->conn_latch_in_action != NULL) {
2432 /*
2433 * Previously cached action. This is probably
2434 * harmless, but in DEBUG kernels, check for
2435 * action equality.
2436 *
2437 * Preserve the existing action to preserve latch
2438 * invariance.
2439 */
2440 ASSERT(connp->conn_latch_in_action ==
2441 ira->ira_ipsec_action);
2442 return;
2443 }
2444 connp->conn_latch_in_action = ira->ira_ipsec_action;
2445 IPACT_REFHOLD(connp->conn_latch_in_action);
2446 }
2447 }
2448
2449 /*
2450 * Check whether the policy constraints are met either for an
2451 * inbound datagram; called from IP in numerous places.
2452 *
2453 * Note that this is not a chokepoint for inbound policy checks;
2454 * see also ipsec_check_ipsecin_latch() and ipsec_check_global_policy()
2455 */
2456 mblk_t *
2457 ipsec_check_inbound_policy(mblk_t *mp, conn_t *connp,
2458 ipha_t *ipha, ip6_t *ip6h, ip_recv_attr_t *ira)
2459 {
2460 boolean_t ret;
2461 ipsec_latch_t *ipl;
2462 ipsec_action_t *ap;
2463 uint64_t unique_id;
2464 ipsec_stack_t *ipss;
2465 ip_stack_t *ipst;
2466 netstack_t *ns;
2467 ipsec_policy_head_t *policy_head;
2468 ipsec_policy_t *p = NULL;
2469
2470 ASSERT(connp != NULL);
2471 ns = connp->conn_netstack;
2472 ipss = ns->netstack_ipsec;
2473 ipst = ns->netstack_ip;
2474
2475 if (!(ira->ira_flags & IRAF_IPSEC_SECURE)) {
2476 /*
2477 * This is the case where the incoming datagram is
2478 * cleartext and we need to see whether this client
2479 * would like to receive such untrustworthy things from
2480 * the wire.
2481 */
2482 ASSERT(mp != NULL);
2483
2484 mutex_enter(&connp->conn_lock);
2485 if (connp->conn_state_flags & CONN_CONDEMNED) {
2486 mutex_exit(&connp->conn_lock);
2487 ip_drop_packet(mp, B_TRUE, NULL,
2488 DROPPER(ipss, ipds_spd_got_clear),
2489 &ipss->ipsec_spd_dropper);
2490 BUMP_MIB(&ipst->ips_ip_mib, ipsecInFailed);
2491 return (NULL);
2492 }
2493 if (connp->conn_latch != NULL) {
2494 /* Hold a reference in case the conn is closing */
2495 p = connp->conn_latch_in_policy;
2496 if (p != NULL)
2497 IPPOL_REFHOLD(p);
2498 mutex_exit(&connp->conn_lock);
2499 /*
2500 * Policy is cached in the conn.
2501 */
2502 if (p != NULL && !p->ipsp_act->ipa_allow_clear) {
2503 ret = ipsec_inbound_accept_clear(mp,
2504 ipha, ip6h);
2505 if (ret) {
2506 BUMP_MIB(&ipst->ips_ip_mib,
2507 ipsecInSucceeded);
2508 IPPOL_REFRELE(p);
2509 return (mp);
2510 } else {
2511 ipsec_log_policy_failure(
2512 IPSEC_POLICY_MISMATCH,
2513 "ipsec_check_inbound_policy", ipha,
2514 ip6h, B_FALSE, ns);
2515 ip_drop_packet(mp, B_TRUE, NULL,
2516 DROPPER(ipss, ipds_spd_got_clear),
2517 &ipss->ipsec_spd_dropper);
2518 BUMP_MIB(&ipst->ips_ip_mib,
2519 ipsecInFailed);
2520 IPPOL_REFRELE(p);
2521 return (NULL);
2522 }
2523 } else {
2524 BUMP_MIB(&ipst->ips_ip_mib, ipsecInSucceeded);
2525 if (p != NULL)
2526 IPPOL_REFRELE(p);
2527 return (mp);
2528 }
2529 } else {
2530 policy_head = connp->conn_policy;
2531
2532 /* Hold a reference in case the conn is closing */
2533 if (policy_head != NULL)
2534 IPPH_REFHOLD(policy_head);
2535 mutex_exit(&connp->conn_lock);
2536 /*
2537 * As this is a non-hardbound connection we need
2538 * to look at both per-socket policy and global
2539 * policy.
2540 */
2541 mp = ipsec_check_global_policy(mp, connp,
2542 ipha, ip6h, ira, ns);
2543 if (policy_head != NULL)
2544 IPPH_REFRELE(policy_head, ns);
2545 return (mp);
2546 }
2547 }
2548
2549 mutex_enter(&connp->conn_lock);
2550 /* Connection is closing */
2551 if (connp->conn_state_flags & CONN_CONDEMNED) {
2552 mutex_exit(&connp->conn_lock);
2553 ip_drop_packet(mp, B_TRUE, NULL,
2554 DROPPER(ipss, ipds_spd_got_clear),
2555 &ipss->ipsec_spd_dropper);
2556 BUMP_MIB(&ipst->ips_ip_mib, ipsecInFailed);
2557 return (NULL);
2558 }
2559
2560 /*
2561 * Once a connection is latched it remains so for life, the conn_latch
2562 * pointer on the conn has not changed, simply initializing ipl here
2563 * as the earlier initialization was done only in the cleartext case.
2564 */
2565 if ((ipl = connp->conn_latch) == NULL) {
2566 mblk_t *retmp;
2567 policy_head = connp->conn_policy;
2568
2569 /* Hold a reference in case the conn is closing */
2570 if (policy_head != NULL)
2571 IPPH_REFHOLD(policy_head);
2572 mutex_exit(&connp->conn_lock);
2573 /*
2574 * We don't have policies cached in the conn
2575 * for this stream. So, look at the global
2576 * policy. It will check against conn or global
2577 * depending on whichever is stronger.
2578 */
2579 retmp = ipsec_check_global_policy(mp, connp,
2580 ipha, ip6h, ira, ns);
2581 if (policy_head != NULL)
2582 IPPH_REFRELE(policy_head, ns);
2583 return (retmp);
2584 }
2585
2586 IPLATCH_REFHOLD(ipl);
2587 /* Hold reference on conn_latch_in_action in case conn is closing */
2588 ap = connp->conn_latch_in_action;
2589 if (ap != NULL)
2590 IPACT_REFHOLD(ap);
2591 mutex_exit(&connp->conn_lock);
2592
2593 if (ap != NULL) {
2594 /* Policy is cached & latched; fast(er) path */
2595 const char *reason;
2596 kstat_named_t *counter;
2597
2598 if (ipsec_check_ipsecin_latch(ira, mp, ipl, ap,
2599 ipha, ip6h, &reason, &counter, connp, ns)) {
2600 BUMP_MIB(&ipst->ips_ip_mib, ipsecInSucceeded);
2601 IPLATCH_REFRELE(ipl);
2602 IPACT_REFRELE(ap);
2603 return (mp);
2604 }
2605 ipsec_rl_strlog(ns, IP_MOD_ID, 0, 0,
2606 SL_ERROR|SL_WARN|SL_CONSOLE,
2607 "ipsec inbound policy mismatch: %s, packet dropped\n",
2608 reason);
2609 ip_drop_packet(mp, B_TRUE, NULL, counter,
2610 &ipss->ipsec_spd_dropper);
2611 BUMP_MIB(&ipst->ips_ip_mib, ipsecInFailed);
2612 IPLATCH_REFRELE(ipl);
2613 IPACT_REFRELE(ap);
2614 return (NULL);
2615 }
2616 if ((p = connp->conn_latch_in_policy) == NULL) {
2617 ipsec_weird_null_inbound_policy++;
2618 IPLATCH_REFRELE(ipl);
2619 return (mp);
2620 }
2621
2622 unique_id = conn_to_unique(connp, mp, ipha, ip6h);
2623 IPPOL_REFHOLD(p);
2624 mp = ipsec_check_ipsecin_policy(mp, p, ipha, ip6h, unique_id, ira, ns);
2625 /*
2626 * NOTE: ipsecIn{Failed,Succeeeded} bumped by
2627 * ipsec_check_ipsecin_policy().
2628 */
2629 if (mp != NULL)
2630 ipsec_latch_inbound(connp, ira);
2631 IPLATCH_REFRELE(ipl);
2632 return (mp);
2633 }
2634
2635 /*
2636 * Handle all sorts of cases like tunnel-mode and ICMP.
2637 */
2638 static int
2639 prepended_length(mblk_t *mp, uintptr_t hptr)
2640 {
2641 int rc = 0;
2642
2643 while (mp != NULL) {
2644 if (hptr >= (uintptr_t)mp->b_rptr && hptr <
2645 (uintptr_t)mp->b_wptr) {
2646 rc += (int)(hptr - (uintptr_t)mp->b_rptr);
2647 break; /* out of while loop */
2648 }
2649 rc += (int)MBLKL(mp);
2650 mp = mp->b_cont;
2651 }
2652
2653 if (mp == NULL) {
2654 /*
2655 * IF (big IF) we make it here by naturally exiting the loop,
2656 * then ip6h isn't in the mblk chain "mp" at all.
2657 *
2658 * The only case where this happens is with a reversed IP
2659 * header that gets passed up by inbound ICMP processing.
2660 * This unfortunately triggers longstanding bug 6478464. For
2661 * now, just pass up 0 for the answer.
2662 */
2663 #ifdef DEBUG_NOT_UNTIL_6478464
2664 ASSERT(mp != NULL);
2665 #endif
2666 rc = 0;
2667 }
2668
2669 return (rc);
2670 }
2671
2672 /*
2673 * Returns:
2674 *
2675 * SELRET_NOMEM --> msgpullup() needed to gather things failed.
2676 * SELRET_BADPKT --> If we're being called after tunnel-mode fragment
2677 * gathering, the initial fragment is too short for
2678 * useful data. Only returned if SEL_TUNNEL_FIRSTFRAG is
2679 * set.
2680 * SELRET_SUCCESS --> "sel" now has initialized IPsec selector data.
2681 * SELRET_TUNFRAG --> This is a fragment in a tunnel-mode packet. Caller
2682 * should put this packet in a fragment-gathering queue.
2683 * Only returned if SEL_TUNNEL_MODE and SEL_PORT_POLICY
2684 * is set.
2685 *
2686 * Note that ipha/ip6h can be in a different mblk (mp->b_cont) in the case
2687 * of tunneled packets.
2688 * Also, mp->b_rptr can be an ICMP error where ipha/ip6h is the packet in
2689 * error past the ICMP error.
2690 */
2691 static selret_t
2692 ipsec_init_inbound_sel(ipsec_selector_t *sel, mblk_t *mp, ipha_t *ipha,
2693 ip6_t *ip6h, uint8_t sel_flags)
2694 {
2695 uint16_t *ports;
2696 int outer_hdr_len = 0; /* For ICMP or tunnel-mode cases... */
2697 ushort_t hdr_len;
2698 mblk_t *spare_mp = NULL;
2699 uint8_t *nexthdrp, *transportp;
2700 uint8_t nexthdr;
2701 uint8_t icmp_proto;
2702 ip_pkt_t ipp;
2703 boolean_t port_policy_present = (sel_flags & SEL_PORT_POLICY);
2704 boolean_t is_icmp = (sel_flags & SEL_IS_ICMP);
2705 boolean_t tunnel_mode = (sel_flags & SEL_TUNNEL_MODE);
2706 boolean_t post_frag = (sel_flags & SEL_POST_FRAG);
2707
2708 ASSERT((ipha == NULL && ip6h != NULL) ||
2709 (ipha != NULL && ip6h == NULL));
2710
2711 if (ip6h != NULL) {
2712 outer_hdr_len = prepended_length(mp, (uintptr_t)ip6h);
2713 nexthdr = ip6h->ip6_nxt;
2714 icmp_proto = IPPROTO_ICMPV6;
2715 sel->ips_isv4 = B_FALSE;
2716 sel->ips_local_addr_v6 = ip6h->ip6_dst;
2717 sel->ips_remote_addr_v6 = ip6h->ip6_src;
2718
2719 bzero(&ipp, sizeof (ipp));
2720
2721 switch (nexthdr) {
2722 case IPPROTO_HOPOPTS:
2723 case IPPROTO_ROUTING:
2724 case IPPROTO_DSTOPTS:
2725 case IPPROTO_FRAGMENT:
2726 /*
2727 * Use ip_hdr_length_nexthdr_v6(). And have a spare
2728 * mblk that's contiguous to feed it
2729 */
2730 if ((spare_mp = msgpullup(mp, -1)) == NULL)
2731 return (SELRET_NOMEM);
2732 if (!ip_hdr_length_nexthdr_v6(spare_mp,
2733 (ip6_t *)(spare_mp->b_rptr + outer_hdr_len),
2734 &hdr_len, &nexthdrp)) {
2735 /* Malformed packet - caller frees. */
2736 ipsec_freemsg_chain(spare_mp);
2737 return (SELRET_BADPKT);
2738 }
2739 /* Repopulate now that we have the whole packet */
2740 ip6h = (ip6_t *)(spare_mp->b_rptr + outer_hdr_len);
2741 (void) ip_find_hdr_v6(spare_mp, ip6h, B_FALSE, &ipp,
2742 NULL);
2743 nexthdr = *nexthdrp;
2744 /* We can just extract based on hdr_len now. */
2745 break;
2746 default:
2747 (void) ip_find_hdr_v6(mp, ip6h, B_FALSE, &ipp, NULL);
2748 hdr_len = IPV6_HDR_LEN;
2749 break;
2750 }
2751 if (port_policy_present && IS_V6_FRAGMENT(ipp) && !is_icmp) {
2752 /* IPv6 Fragment */
2753 ipsec_freemsg_chain(spare_mp);
2754 return (SELRET_TUNFRAG);
2755 }
2756 transportp = (uint8_t *)ip6h + hdr_len;
2757 } else {
2758 outer_hdr_len = prepended_length(mp, (uintptr_t)ipha);
2759 icmp_proto = IPPROTO_ICMP;
2760 sel->ips_isv4 = B_TRUE;
2761 sel->ips_local_addr_v4 = ipha->ipha_dst;
2762 sel->ips_remote_addr_v4 = ipha->ipha_src;
2763 nexthdr = ipha->ipha_protocol;
2764 hdr_len = IPH_HDR_LENGTH(ipha);
2765
2766 if (port_policy_present &&
2767 IS_V4_FRAGMENT(ipha->ipha_fragment_offset_and_flags) &&
2768 !is_icmp) {
2769 /* IPv4 Fragment */
2770 ipsec_freemsg_chain(spare_mp);
2771 return (SELRET_TUNFRAG);
2772 }
2773 transportp = (uint8_t *)ipha + hdr_len;
2774 }
2775 sel->ips_protocol = nexthdr;
2776
2777 if ((nexthdr != IPPROTO_TCP && nexthdr != IPPROTO_UDP &&
2778 nexthdr != IPPROTO_SCTP && nexthdr != icmp_proto) ||
2779 (!port_policy_present && !post_frag && tunnel_mode)) {
2780 sel->ips_remote_port = sel->ips_local_port = 0;
2781 ipsec_freemsg_chain(spare_mp);
2782 return (SELRET_SUCCESS);
2783 }
2784
2785 if (transportp + 4 > mp->b_wptr) {
2786 /* If we didn't pullup a copy already, do so now. */
2787 /*
2788 * XXX performance, will upper-layers frequently split TCP/UDP
2789 * apart from IP or options? If so, perhaps we should revisit
2790 * the spare_mp strategy.
2791 */
2792 ipsec_hdr_pullup_needed++;
2793 if (spare_mp == NULL &&
2794 (spare_mp = msgpullup(mp, -1)) == NULL) {
2795 return (SELRET_NOMEM);
2796 }
2797 transportp = &spare_mp->b_rptr[hdr_len + outer_hdr_len];
2798 }
2799
2800 if (nexthdr == icmp_proto) {
2801 sel->ips_icmp_type = *transportp++;
2802 sel->ips_icmp_code = *transportp;
2803 sel->ips_remote_port = sel->ips_local_port = 0;
2804 } else {
2805 ports = (uint16_t *)transportp;
2806 sel->ips_remote_port = *ports++;
2807 sel->ips_local_port = *ports;
2808 }
2809 ipsec_freemsg_chain(spare_mp);
2810 return (SELRET_SUCCESS);
2811 }
2812
2813 /*
2814 * This is called with a b_next chain of messages from the fragcache code,
2815 * hence it needs to discard a chain on error.
2816 */
2817 static boolean_t
2818 ipsec_init_outbound_ports(ipsec_selector_t *sel, mblk_t *mp, ipha_t *ipha,
2819 ip6_t *ip6h, int outer_hdr_len, ipsec_stack_t *ipss)
2820 {
2821 /*
2822 * XXX cut&paste shared with ipsec_init_inbound_sel
2823 */
2824 uint16_t *ports;
2825 ushort_t hdr_len;
2826 mblk_t *spare_mp = NULL;
2827 uint8_t *nexthdrp;
2828 uint8_t nexthdr;
2829 uint8_t *typecode;
2830 uint8_t check_proto;
2831
2832 ASSERT((ipha == NULL && ip6h != NULL) ||
2833 (ipha != NULL && ip6h == NULL));
2834
2835 if (ip6h != NULL) {
2836 check_proto = IPPROTO_ICMPV6;
2837 nexthdr = ip6h->ip6_nxt;
2838 switch (nexthdr) {
2839 case IPPROTO_HOPOPTS:
2840 case IPPROTO_ROUTING:
2841 case IPPROTO_DSTOPTS:
2842 case IPPROTO_FRAGMENT:
2843 /*
2844 * Use ip_hdr_length_nexthdr_v6(). And have a spare
2845 * mblk that's contiguous to feed it
2846 */
2847 spare_mp = msgpullup(mp, -1);
2848 if (spare_mp == NULL ||
2849 !ip_hdr_length_nexthdr_v6(spare_mp,
2850 (ip6_t *)(spare_mp->b_rptr + outer_hdr_len),
2851 &hdr_len, &nexthdrp)) {
2852 /* Always works, even if NULL. */
2853 ipsec_freemsg_chain(spare_mp);
2854 ip_drop_packet_chain(mp, B_FALSE, NULL,
2855 DROPPER(ipss, ipds_spd_nomem),
2856 &ipss->ipsec_spd_dropper);
2857 return (B_FALSE);
2858 } else {
2859 nexthdr = *nexthdrp;
2860 /* We can just extract based on hdr_len now. */
2861 }
2862 break;
2863 default:
2864 hdr_len = IPV6_HDR_LEN;
2865 break;
2866 }
2867 } else {
2868 check_proto = IPPROTO_ICMP;
2869 hdr_len = IPH_HDR_LENGTH(ipha);
2870 nexthdr = ipha->ipha_protocol;
2871 }
2872
2873 sel->ips_protocol = nexthdr;
2874 if (nexthdr != IPPROTO_TCP && nexthdr != IPPROTO_UDP &&
2875 nexthdr != IPPROTO_SCTP && nexthdr != check_proto) {
2876 sel->ips_local_port = sel->ips_remote_port = 0;
2877 ipsec_freemsg_chain(spare_mp); /* Always works, even if NULL */
2878 return (B_TRUE);
2879 }
2880
2881 if (&mp->b_rptr[hdr_len] + 4 + outer_hdr_len > mp->b_wptr) {
2882 /* If we didn't pullup a copy already, do so now. */
2883 /*
2884 * XXX performance, will upper-layers frequently split TCP/UDP
2885 * apart from IP or options? If so, perhaps we should revisit
2886 * the spare_mp strategy.
2887 *
2888 * XXX should this be msgpullup(mp, hdr_len+4) ???
2889 */
2890 if (spare_mp == NULL &&
2891 (spare_mp = msgpullup(mp, -1)) == NULL) {
2892 ip_drop_packet_chain(mp, B_FALSE, NULL,
2893 DROPPER(ipss, ipds_spd_nomem),
2894 &ipss->ipsec_spd_dropper);
2895 return (B_FALSE);
2896 }
2897 ports = (uint16_t *)&spare_mp->b_rptr[hdr_len + outer_hdr_len];
2898 } else {
2899 ports = (uint16_t *)&mp->b_rptr[hdr_len + outer_hdr_len];
2900 }
2901
2902 if (nexthdr == check_proto) {
2903 typecode = (uint8_t *)ports;
2904 sel->ips_icmp_type = *typecode++;
2905 sel->ips_icmp_code = *typecode;
2906 sel->ips_remote_port = sel->ips_local_port = 0;
2907 } else {
2908 sel->ips_local_port = *ports++;
2909 sel->ips_remote_port = *ports;
2910 }
2911 ipsec_freemsg_chain(spare_mp); /* Always works, even if NULL */
2912 return (B_TRUE);
2913 }
2914
2915 /*
2916 * Prepend an mblk with a ipsec_crypto_t to the message chain.
2917 * Frees the argument and returns NULL should the allocation fail.
2918 * Returns the pointer to the crypto data part.
2919 */
2920 mblk_t *
2921 ipsec_add_crypto_data(mblk_t *data_mp, ipsec_crypto_t **icp)
2922 {
2923 mblk_t *mp;
2924
2925 mp = allocb(sizeof (ipsec_crypto_t), BPRI_MED);
2926 if (mp == NULL) {
2927 freemsg(data_mp);
2928 return (NULL);
2929 }
2930 bzero(mp->b_rptr, sizeof (ipsec_crypto_t));
2931 mp->b_wptr += sizeof (ipsec_crypto_t);
2932 mp->b_cont = data_mp;
2933 mp->b_datap->db_type = M_EVENT; /* For ASSERT */
2934 *icp = (ipsec_crypto_t *)mp->b_rptr;
2935 return (mp);
2936 }
2937
2938 /*
2939 * Remove what was prepended above. Return b_cont and a pointer to the
2940 * crypto data.
2941 * The caller must call ipsec_free_crypto_data for mblk once it is done
2942 * with the crypto data.
2943 */
2944 mblk_t *
2945 ipsec_remove_crypto_data(mblk_t *crypto_mp, ipsec_crypto_t **icp)
2946 {
2947 ASSERT(crypto_mp->b_datap->db_type == M_EVENT);
2948 ASSERT(MBLKL(crypto_mp) == sizeof (ipsec_crypto_t));
2949
2950 *icp = (ipsec_crypto_t *)crypto_mp->b_rptr;
2951 return (crypto_mp->b_cont);
2952 }
2953
2954 /*
2955 * Free what was prepended above. Return b_cont.
2956 */
2957 mblk_t *
2958 ipsec_free_crypto_data(mblk_t *crypto_mp)
2959 {
2960 mblk_t *mp;
2961
2962 ASSERT(crypto_mp->b_datap->db_type == M_EVENT);
2963 ASSERT(MBLKL(crypto_mp) == sizeof (ipsec_crypto_t));
2964
2965 mp = crypto_mp->b_cont;
2966 freeb(crypto_mp);
2967 return (mp);
2968 }
2969
2970 /*
2971 * Create an ipsec_action_t based on the way an inbound packet was protected.
2972 * Used to reflect traffic back to a sender.
2973 *
2974 * We don't bother interning the action into the hash table.
2975 */
2976 ipsec_action_t *
2977 ipsec_in_to_out_action(ip_recv_attr_t *ira)
2978 {
2979 ipsa_t *ah_assoc, *esp_assoc;
2980 uint_t auth_alg = 0, encr_alg = 0, espa_alg = 0;
2981 ipsec_action_t *ap;
2982 boolean_t unique;
2983
2984 ap = kmem_cache_alloc(ipsec_action_cache, KM_NOSLEEP);
2985
2986 if (ap == NULL)
2987 return (NULL);
2988
2989 bzero(ap, sizeof (*ap));
2990 HASH_NULL(ap, ipa_hash);
2991 ap->ipa_next = NULL;
2992 ap->ipa_refs = 1;
2993
2994 /*
2995 * Get the algorithms that were used for this packet.
2996 */
2997 ap->ipa_act.ipa_type = IPSEC_ACT_APPLY;
2998 ap->ipa_act.ipa_log = 0;
2999 ASSERT(ira->ira_flags & IRAF_IPSEC_SECURE);
3000
3001 ah_assoc = ira->ira_ipsec_ah_sa;
3002 ap->ipa_act.ipa_apply.ipp_use_ah = (ah_assoc != NULL);
3003
3004 esp_assoc = ira->ira_ipsec_esp_sa;
3005 ap->ipa_act.ipa_apply.ipp_use_esp = (esp_assoc != NULL);
3006
3007 if (esp_assoc != NULL) {
3008 encr_alg = esp_assoc->ipsa_encr_alg;
3009 espa_alg = esp_assoc->ipsa_auth_alg;
3010 ap->ipa_act.ipa_apply.ipp_use_espa = (espa_alg != 0);
3011 }
3012 if (ah_assoc != NULL)
3013 auth_alg = ah_assoc->ipsa_auth_alg;
3014
3015 ap->ipa_act.ipa_apply.ipp_encr_alg = (uint8_t)encr_alg;
3016 ap->ipa_act.ipa_apply.ipp_auth_alg = (uint8_t)auth_alg;
3017 ap->ipa_act.ipa_apply.ipp_esp_auth_alg = (uint8_t)espa_alg;
3018 ap->ipa_act.ipa_apply.ipp_use_se =
3019 !!(ira->ira_flags & IRAF_IPSEC_DECAPS);
3020 unique = B_FALSE;
3021
3022 if (esp_assoc != NULL) {
3023 ap->ipa_act.ipa_apply.ipp_espa_minbits =
3024 esp_assoc->ipsa_authkeybits;
3025 ap->ipa_act.ipa_apply.ipp_espa_maxbits =
3026 esp_assoc->ipsa_authkeybits;
3027 ap->ipa_act.ipa_apply.ipp_espe_minbits =
3028 esp_assoc->ipsa_encrkeybits;
3029 ap->ipa_act.ipa_apply.ipp_espe_maxbits =
3030 esp_assoc->ipsa_encrkeybits;
3031 ap->ipa_act.ipa_apply.ipp_km_proto = esp_assoc->ipsa_kmp;
3032 ap->ipa_act.ipa_apply.ipp_km_cookie = esp_assoc->ipsa_kmc;
3033 if (esp_assoc->ipsa_flags & IPSA_F_UNIQUE)
3034 unique = B_TRUE;
3035 }
3036 if (ah_assoc != NULL) {
3037 ap->ipa_act.ipa_apply.ipp_ah_minbits =
3038 ah_assoc->ipsa_authkeybits;
3039 ap->ipa_act.ipa_apply.ipp_ah_maxbits =
3040 ah_assoc->ipsa_authkeybits;
3041 ap->ipa_act.ipa_apply.ipp_km_proto = ah_assoc->ipsa_kmp;
3042 ap->ipa_act.ipa_apply.ipp_km_cookie = ah_assoc->ipsa_kmc;
3043 if (ah_assoc->ipsa_flags & IPSA_F_UNIQUE)
3044 unique = B_TRUE;
3045 }
3046 ap->ipa_act.ipa_apply.ipp_use_unique = unique;
3047 ap->ipa_want_unique = unique;
3048 ap->ipa_allow_clear = B_FALSE;
3049 ap->ipa_want_se = !!(ira->ira_flags & IRAF_IPSEC_DECAPS);
3050 ap->ipa_want_ah = (ah_assoc != NULL);
3051 ap->ipa_want_esp = (esp_assoc != NULL);
3052
3053 ap->ipa_ovhd = ipsec_act_ovhd(&ap->ipa_act);
3054
3055 ap->ipa_act.ipa_apply.ipp_replay_depth = 0; /* don't care */
3056
3057 return (ap);
3058 }
3059
3060
3061 /*
3062 * Compute the worst-case amount of extra space required by an action.
3063 * Note that, because of the ESP considerations listed below, this is
3064 * actually not the same as the best-case reduction in the MTU; in the
3065 * future, we should pass additional information to this function to
3066 * allow the actual MTU impact to be computed.
3067 *
3068 * AH: Revisit this if we implement algorithms with
3069 * a verifier size of more than 12 bytes.
3070 *
3071 * ESP: A more exact but more messy computation would take into
3072 * account the interaction between the cipher block size and the
3073 * effective MTU, yielding the inner payload size which reflects a
3074 * packet with *minimum* ESP padding..
3075 */
3076 int32_t
3077 ipsec_act_ovhd(const ipsec_act_t *act)
3078 {
3079 int32_t overhead = 0;
3080
3081 if (act->ipa_type == IPSEC_ACT_APPLY) {
3082 const ipsec_prot_t *ipp = &act->ipa_apply;
3083
3084 if (ipp->ipp_use_ah)
3085 overhead += IPSEC_MAX_AH_HDR_SIZE;
3086 if (ipp->ipp_use_esp) {
3087 overhead += IPSEC_MAX_ESP_HDR_SIZE;
3088 overhead += sizeof (struct udphdr);
3089 }
3090 if (ipp->ipp_use_se)
3091 overhead += IP_SIMPLE_HDR_LENGTH;
3092 }
3093 return (overhead);
3094 }
3095
3096 /*
3097 * This hash function is used only when creating policies and thus is not
3098 * performance-critical for packet flows.
3099 *
3100 * Future work: canonicalize the structures hashed with this (i.e.,
3101 * zeroize padding) so the hash works correctly.
3102 */
3103 /* ARGSUSED */
3104 static uint32_t
3105 policy_hash(int size, const void *start, const void *end)
3106 {
3107 return (0);
3108 }
3109
3110
3111 /*
3112 * Hash function macros for each address type.
3113 *
3114 * The IPV6 hash function assumes that the low order 32-bits of the
3115 * address (typically containing the low order 24 bits of the mac
3116 * address) are reasonably well-distributed. Revisit this if we run
3117 * into trouble from lots of collisions on ::1 addresses and the like
3118 * (seems unlikely).
3119 */
3120 #define IPSEC_IPV4_HASH(a, n) ((a) % (n))
3121 #define IPSEC_IPV6_HASH(a, n) (((a).s6_addr32[3]) % (n))
3122
3123 /*
3124 * These two hash functions should produce coordinated values
3125 * but have slightly different roles.
3126 */
3127 static uint32_t
3128 selkey_hash(const ipsec_selkey_t *selkey, netstack_t *ns)
3129 {
3130 uint32_t valid = selkey->ipsl_valid;
3131 ipsec_stack_t *ipss = ns->netstack_ipsec;
3132
3133 if (!(valid & IPSL_REMOTE_ADDR))
3134 return (IPSEC_SEL_NOHASH);
3135
3136 if (valid & IPSL_IPV4) {
3137 if (selkey->ipsl_remote_pfxlen == 32) {
3138 return (IPSEC_IPV4_HASH(selkey->ipsl_remote.ipsad_v4,
3139 ipss->ipsec_spd_hashsize));
3140 }
3141 }
3142 if (valid & IPSL_IPV6) {
3143 if (selkey->ipsl_remote_pfxlen == 128) {
3144 return (IPSEC_IPV6_HASH(selkey->ipsl_remote.ipsad_v6,
3145 ipss->ipsec_spd_hashsize));
3146 }
3147 }
3148 return (IPSEC_SEL_NOHASH);
3149 }
3150
3151 static uint32_t
3152 selector_hash(ipsec_selector_t *sel, ipsec_policy_root_t *root)
3153 {
3154 if (sel->ips_isv4) {
3155 return (IPSEC_IPV4_HASH(sel->ips_remote_addr_v4,
3156 root->ipr_nchains));
3157 }
3158 return (IPSEC_IPV6_HASH(sel->ips_remote_addr_v6, root->ipr_nchains));
3159 }
3160
3161 /*
3162 * Intern actions into the action hash table.
3163 */
3164 ipsec_action_t *
3165 ipsec_act_find(const ipsec_act_t *a, int n, netstack_t *ns)
3166 {
3167 int i;
3168 uint32_t hval;
3169 ipsec_action_t *ap;
3170 ipsec_action_t *prev = NULL;
3171 int32_t overhead, maxovhd = 0;
3172 boolean_t allow_clear = B_FALSE;
3173 boolean_t want_ah = B_FALSE;
3174 boolean_t want_esp = B_FALSE;
3175 boolean_t want_se = B_FALSE;
3176 boolean_t want_unique = B_FALSE;
3177 ipsec_stack_t *ipss = ns->netstack_ipsec;
3178
3179 /*
3180 * TODO: should canonicalize a[] (i.e., zeroize any padding)
3181 * so we can use a non-trivial policy_hash function.
3182 */
3183 for (i = n-1; i >= 0; i--) {
3184 hval = policy_hash(IPSEC_ACTION_HASH_SIZE, &a[i], &a[n]);
3185
3186 HASH_LOCK(ipss->ipsec_action_hash, hval);
3187
3188 for (HASH_ITERATE(ap, ipa_hash,
3189 ipss->ipsec_action_hash, hval)) {
3190 if (bcmp(&ap->ipa_act, &a[i], sizeof (*a)) != 0)
3191 continue;
3192 if (ap->ipa_next != prev)
3193 continue;
3194 break;
3195 }
3196 if (ap != NULL) {
3197 HASH_UNLOCK(ipss->ipsec_action_hash, hval);
3198 prev = ap;
3199 continue;
3200 }
3201 /*
3202 * need to allocate a new one..
3203 */
3204 ap = kmem_cache_alloc(ipsec_action_cache, KM_NOSLEEP);
3205 if (ap == NULL) {
3206 HASH_UNLOCK(ipss->ipsec_action_hash, hval);
3207 if (prev != NULL)
3208 ipsec_action_free(prev);
3209 return (NULL);
3210 }
3211 HASH_INSERT(ap, ipa_hash, ipss->ipsec_action_hash, hval);
3212
3213 ap->ipa_next = prev;
3214 ap->ipa_act = a[i];
3215
3216 overhead = ipsec_act_ovhd(&a[i]);
3217 if (maxovhd < overhead)
3218 maxovhd = overhead;
3219
3220 if ((a[i].ipa_type == IPSEC_ACT_BYPASS) ||
3221 (a[i].ipa_type == IPSEC_ACT_CLEAR))
3222 allow_clear = B_TRUE;
3223 if (a[i].ipa_type == IPSEC_ACT_APPLY) {
3224 const ipsec_prot_t *ipp = &a[i].ipa_apply;
3225
3226 ASSERT(ipp->ipp_use_ah || ipp->ipp_use_esp);
3227 want_ah |= ipp->ipp_use_ah;
3228 want_esp |= ipp->ipp_use_esp;
3229 want_se |= ipp->ipp_use_se;
3230 want_unique |= ipp->ipp_use_unique;
3231 }
3232 ap->ipa_allow_clear = allow_clear;
3233 ap->ipa_want_ah = want_ah;
3234 ap->ipa_want_esp = want_esp;
3235 ap->ipa_want_se = want_se;
3236 ap->ipa_want_unique = want_unique;
3237 ap->ipa_refs = 1; /* from the hash table */
3238 ap->ipa_ovhd = maxovhd;
3239 if (prev)
3240 prev->ipa_refs++;
3241 prev = ap;
3242 HASH_UNLOCK(ipss->ipsec_action_hash, hval);
3243 }
3244
3245 ap->ipa_refs++; /* caller's reference */
3246
3247 return (ap);
3248 }
3249
3250 /*
3251 * Called when refcount goes to 0, indicating that all references to this
3252 * node are gone.
3253 *
3254 * This does not unchain the action from the hash table.
3255 */
3256 void
3257 ipsec_action_free(ipsec_action_t *ap)
3258 {
3259 for (;;) {
3260 ipsec_action_t *np = ap->ipa_next;
3261 ASSERT(ap->ipa_refs == 0);
3262 ASSERT(ap->ipa_hash.hash_pp == NULL);
3263 kmem_cache_free(ipsec_action_cache, ap);
3264 ap = np;
3265 /* Inlined IPACT_REFRELE -- avoid recursion */
3266 if (ap == NULL)
3267 break;
3268 membar_exit();
3269 if (atomic_dec_32_nv(&(ap)->ipa_refs) != 0)
3270 break;
3271 /* End inlined IPACT_REFRELE */
3272 }
3273 }
3274
3275 /*
3276 * Called when the action hash table goes away.
3277 *
3278 * The actions can be queued on an mblk with ipsec_in or
3279 * ipsec_out, hence the actions might still be around.
3280 * But we decrement ipa_refs here since we no longer have
3281 * a reference to the action from the hash table.
3282 */
3283 static void
3284 ipsec_action_free_table(ipsec_action_t *ap)
3285 {
3286 while (ap != NULL) {
3287 ipsec_action_t *np = ap->ipa_next;
3288
3289 /* FIXME: remove? */
3290 (void) printf("ipsec_action_free_table(%p) ref %d\n",
3291 (void *)ap, ap->ipa_refs);
3292 ASSERT(ap->ipa_refs > 0);
3293 IPACT_REFRELE(ap);
3294 ap = np;
3295 }
3296 }
3297
3298 /*
3299 * Need to walk all stack instances since the reclaim function
3300 * is global for all instances
3301 */
3302 /* ARGSUSED */
3303 static void
3304 ipsec_action_reclaim(void *arg)
3305 {
3306 netstack_handle_t nh;
3307 netstack_t *ns;
3308 ipsec_stack_t *ipss;
3309
3310 netstack_next_init(&nh);
3311 while ((ns = netstack_next(&nh)) != NULL) {
3312 /*
3313 * netstack_next() can return a netstack_t with a NULL
3314 * netstack_ipsec at boot time.
3315 */
3316 if ((ipss = ns->netstack_ipsec) == NULL) {
3317 netstack_rele(ns);
3318 continue;
3319 }
3320 ipsec_action_reclaim_stack(ipss);
3321 netstack_rele(ns);
3322 }
3323 netstack_next_fini(&nh);
3324 }
3325
3326 /*
3327 * Periodically sweep action hash table for actions with refcount==1, and
3328 * nuke them. We cannot do this "on demand" (i.e., from IPACT_REFRELE)
3329 * because we can't close the race between another thread finding the action
3330 * in the hash table without holding the bucket lock during IPACT_REFRELE.
3331 * Instead, we run this function sporadically to clean up after ourselves;
3332 * we also set it as the "reclaim" function for the action kmem_cache.
3333 *
3334 * Note that it may take several passes of ipsec_action_gc() to free all
3335 * "stale" actions.
3336 */
3337 static void
3338 ipsec_action_reclaim_stack(ipsec_stack_t *ipss)
3339 {
3340 int i;
3341
3342 for (i = 0; i < IPSEC_ACTION_HASH_SIZE; i++) {
3343 ipsec_action_t *ap, *np;
3344
3345 /* skip the lock if nobody home */
3346 if (ipss->ipsec_action_hash[i].hash_head == NULL)
3347 continue;
3348
3349 HASH_LOCK(ipss->ipsec_action_hash, i);
3350 for (ap = ipss->ipsec_action_hash[i].hash_head;
3351 ap != NULL; ap = np) {
3352 ASSERT(ap->ipa_refs > 0);
3353 np = ap->ipa_hash.hash_next;
3354 if (ap->ipa_refs > 1)
3355 continue;
3356 HASH_UNCHAIN(ap, ipa_hash,
3357 ipss->ipsec_action_hash, i);
3358 IPACT_REFRELE(ap);
3359 }
3360 HASH_UNLOCK(ipss->ipsec_action_hash, i);
3361 }
3362 }
3363
3364 /*
3365 * Intern a selector set into the selector set hash table.
3366 * This is simpler than the actions case..
3367 */
3368 static ipsec_sel_t *
3369 ipsec_find_sel(ipsec_selkey_t *selkey, netstack_t *ns)
3370 {
3371 ipsec_sel_t *sp;
3372 uint32_t hval, bucket;
3373 ipsec_stack_t *ipss = ns->netstack_ipsec;
3374
3375 /*
3376 * Exactly one AF bit should be set in selkey.
3377 */
3378 ASSERT(!(selkey->ipsl_valid & IPSL_IPV4) ^
3379 !(selkey->ipsl_valid & IPSL_IPV6));
3380
3381 hval = selkey_hash(selkey, ns);
3382 /* Set pol_hval to uninitialized until we put it in a polhead. */
3383 selkey->ipsl_sel_hval = hval;
3384
3385 bucket = (hval == IPSEC_SEL_NOHASH) ? 0 : hval;
3386
3387 ASSERT(!HASH_LOCKED(ipss->ipsec_sel_hash, bucket));
3388 HASH_LOCK(ipss->ipsec_sel_hash, bucket);
3389
3390 for (HASH_ITERATE(sp, ipsl_hash, ipss->ipsec_sel_hash, bucket)) {
3391 if (bcmp(&sp->ipsl_key, selkey,
3392 offsetof(ipsec_selkey_t, ipsl_pol_hval)) == 0)
3393 break;
3394 }
3395 if (sp != NULL) {
3396 sp->ipsl_refs++;
3397
3398 HASH_UNLOCK(ipss->ipsec_sel_hash, bucket);
3399 return (sp);
3400 }
3401
3402 sp = kmem_cache_alloc(ipsec_sel_cache, KM_NOSLEEP);
3403 if (sp == NULL) {
3404 HASH_UNLOCK(ipss->ipsec_sel_hash, bucket);
3405 return (NULL);
3406 }
3407
3408 HASH_INSERT(sp, ipsl_hash, ipss->ipsec_sel_hash, bucket);
3409 sp->ipsl_refs = 2; /* one for hash table, one for caller */
3410 sp->ipsl_key = *selkey;
3411 /* Set to uninitalized and have insertion into polhead fix things. */
3412 if (selkey->ipsl_sel_hval != IPSEC_SEL_NOHASH)
3413 sp->ipsl_key.ipsl_pol_hval = 0;
3414 else
3415 sp->ipsl_key.ipsl_pol_hval = IPSEC_SEL_NOHASH;
3416
3417 HASH_UNLOCK(ipss->ipsec_sel_hash, bucket);
3418
3419 return (sp);
3420 }
3421
3422 static void
3423 ipsec_sel_rel(ipsec_sel_t **spp, netstack_t *ns)
3424 {
3425 ipsec_sel_t *sp = *spp;
3426 int hval = sp->ipsl_key.ipsl_sel_hval;
3427 ipsec_stack_t *ipss = ns->netstack_ipsec;
3428
3429 *spp = NULL;
3430
3431 if (hval == IPSEC_SEL_NOHASH)
3432 hval = 0;
3433
3434 ASSERT(!HASH_LOCKED(ipss->ipsec_sel_hash, hval));
3435 HASH_LOCK(ipss->ipsec_sel_hash, hval);
3436 if (--sp->ipsl_refs == 1) {
3437 HASH_UNCHAIN(sp, ipsl_hash, ipss->ipsec_sel_hash, hval);
3438 sp->ipsl_refs--;
3439 HASH_UNLOCK(ipss->ipsec_sel_hash, hval);
3440 ASSERT(sp->ipsl_refs == 0);
3441 kmem_cache_free(ipsec_sel_cache, sp);
3442 /* Caller unlocks */
3443 return;
3444 }
3445
3446 HASH_UNLOCK(ipss->ipsec_sel_hash, hval);
3447 }
3448
3449 /*
3450 * Free a policy rule which we know is no longer being referenced.
3451 */
3452 void
3453 ipsec_policy_free(ipsec_policy_t *ipp)
3454 {
3455 ASSERT(ipp->ipsp_refs == 0);
3456 ASSERT(ipp->ipsp_sel != NULL);
3457 ASSERT(ipp->ipsp_act != NULL);
3458 ASSERT(ipp->ipsp_netstack != NULL);
3459
3460 ipsec_sel_rel(&ipp->ipsp_sel, ipp->ipsp_netstack);
3461 IPACT_REFRELE(ipp->ipsp_act);
3462 kmem_cache_free(ipsec_pol_cache, ipp);
3463 }
3464
3465 /*
3466 * Construction of new policy rules; construct a policy, and add it to
3467 * the appropriate tables.
3468 */
3469 ipsec_policy_t *
3470 ipsec_policy_create(ipsec_selkey_t *keys, const ipsec_act_t *a,
3471 int nacts, int prio, uint64_t *index_ptr, netstack_t *ns)
3472 {
3473 ipsec_action_t *ap;
3474 ipsec_sel_t *sp;
3475 ipsec_policy_t *ipp;
3476 ipsec_stack_t *ipss = ns->netstack_ipsec;
3477
3478 if (index_ptr == NULL)
3479 index_ptr = &ipss->ipsec_next_policy_index;
3480
3481 ipp = kmem_cache_alloc(ipsec_pol_cache, KM_NOSLEEP);
3482 ap = ipsec_act_find(a, nacts, ns);
3483 sp = ipsec_find_sel(keys, ns);
3484
3485 if ((ap == NULL) || (sp == NULL) || (ipp == NULL)) {
3486 if (ap != NULL) {
3487 IPACT_REFRELE(ap);
3488 }
3489 if (sp != NULL)
3490 ipsec_sel_rel(&sp, ns);
3491 if (ipp != NULL)
3492 kmem_cache_free(ipsec_pol_cache, ipp);
3493 return (NULL);
3494 }
3495
3496 HASH_NULL(ipp, ipsp_hash);
3497
3498 ipp->ipsp_netstack = ns; /* Needed for ipsec_policy_free */
3499 ipp->ipsp_refs = 1; /* caller's reference */
3500 ipp->ipsp_sel = sp;
3501 ipp->ipsp_act = ap;
3502 ipp->ipsp_prio = prio; /* rule priority */
3503 ipp->ipsp_index = *index_ptr;
3504 (*index_ptr)++;
3505
3506 return (ipp);
3507 }
3508
3509 static void
3510 ipsec_update_present_flags(ipsec_stack_t *ipss)
3511 {
3512 boolean_t hashpol;
3513
3514 hashpol = (avl_numnodes(&ipss->ipsec_system_policy.iph_rulebyid) > 0);
3515
3516 if (hashpol) {
3517 ipss->ipsec_outbound_v4_policy_present = B_TRUE;
3518 ipss->ipsec_outbound_v6_policy_present = B_TRUE;
3519 ipss->ipsec_inbound_v4_policy_present = B_TRUE;
3520 ipss->ipsec_inbound_v6_policy_present = B_TRUE;
3521 return;
3522 }
3523
3524 ipss->ipsec_outbound_v4_policy_present = (NULL !=
3525 ipss->ipsec_system_policy.iph_root[IPSEC_TYPE_OUTBOUND].
3526 ipr_nonhash[IPSEC_AF_V4]);
3527 ipss->ipsec_outbound_v6_policy_present = (NULL !=
3528 ipss->ipsec_system_policy.iph_root[IPSEC_TYPE_OUTBOUND].
3529 ipr_nonhash[IPSEC_AF_V6]);
3530 ipss->ipsec_inbound_v4_policy_present = (NULL !=
3531 ipss->ipsec_system_policy.iph_root[IPSEC_TYPE_INBOUND].
3532 ipr_nonhash[IPSEC_AF_V4]);
3533 ipss->ipsec_inbound_v6_policy_present = (NULL !=
3534 ipss->ipsec_system_policy.iph_root[IPSEC_TYPE_INBOUND].
3535 ipr_nonhash[IPSEC_AF_V6]);
3536 }
3537
3538 boolean_t
3539 ipsec_policy_delete(ipsec_policy_head_t *php, ipsec_selkey_t *keys, int dir,
3540 netstack_t *ns)
3541 {
3542 ipsec_sel_t *sp;
3543 ipsec_policy_t *ip, *nip, *head;
3544 int af;
3545 ipsec_policy_root_t *pr = &php->iph_root[dir];
3546
3547 sp = ipsec_find_sel(keys, ns);
3548
3549 if (sp == NULL)
3550 return (B_FALSE);
3551
3552 af = (sp->ipsl_key.ipsl_valid & IPSL_IPV4) ? IPSEC_AF_V4 : IPSEC_AF_V6;
3553
3554 rw_enter(&php->iph_lock, RW_WRITER);
3555
3556 if (sp->ipsl_key.ipsl_pol_hval == IPSEC_SEL_NOHASH) {
3557 head = pr->ipr_nonhash[af];
3558 } else {
3559 head = pr->ipr_hash[sp->ipsl_key.ipsl_pol_hval].hash_head;
3560 }
3561
3562 for (ip = head; ip != NULL; ip = nip) {
3563 nip = ip->ipsp_hash.hash_next;
3564 if (ip->ipsp_sel != sp) {
3565 continue;
3566 }
3567
3568 IPPOL_UNCHAIN(php, ip);
3569
3570 php->iph_gen++;
3571 ipsec_update_present_flags(ns->netstack_ipsec);
3572
3573 rw_exit(&php->iph_lock);
3574
3575 ipsec_sel_rel(&sp, ns);
3576
3577 return (B_TRUE);
3578 }
3579
3580 rw_exit(&php->iph_lock);
3581 ipsec_sel_rel(&sp, ns);
3582 return (B_FALSE);
3583 }
3584
3585 int
3586 ipsec_policy_delete_index(ipsec_policy_head_t *php, uint64_t policy_index,
3587 netstack_t *ns)
3588 {
3589 boolean_t found = B_FALSE;
3590 ipsec_policy_t ipkey;
3591 ipsec_policy_t *ip;
3592 avl_index_t where;
3593
3594 bzero(&ipkey, sizeof (ipkey));
3595 ipkey.ipsp_index = policy_index;
3596
3597 rw_enter(&php->iph_lock, RW_WRITER);
3598
3599 /*
3600 * We could be cleverer here about the walk.
3601 * but well, (k+1)*log(N) will do for now (k==number of matches,
3602 * N==number of table entries
3603 */
3604 for (;;) {
3605 ip = (ipsec_policy_t *)avl_find(&php->iph_rulebyid,
3606 (void *)&ipkey, &where);
3607 ASSERT(ip == NULL);
3608
3609 ip = avl_nearest(&php->iph_rulebyid, where, AVL_AFTER);
3610
3611 if (ip == NULL)
3612 break;
3613
3614 if (ip->ipsp_index != policy_index) {
3615 ASSERT(ip->ipsp_index > policy_index);
3616 break;
3617 }
3618
3619 IPPOL_UNCHAIN(php, ip);
3620 found = B_TRUE;
3621 }
3622
3623 if (found) {
3624 php->iph_gen++;
3625 ipsec_update_present_flags(ns->netstack_ipsec);
3626 }
3627
3628 rw_exit(&php->iph_lock);
3629
3630 return (found ? 0 : ENOENT);
3631 }
3632
3633 /*
3634 * Given a constructed ipsec_policy_t policy rule, see if it can be entered
3635 * into the correct policy ruleset. As a side-effect, it sets the hash
3636 * entries on "ipp"'s ipsp_pol_hval.
3637 *
3638 * Returns B_TRUE if it can be entered, B_FALSE if it can't be (because a
3639 * duplicate policy exists with exactly the same selectors), or an icmp
3640 * rule exists with a different encryption/authentication action.
3641 */
3642 boolean_t
3643 ipsec_check_policy(ipsec_policy_head_t *php, ipsec_policy_t *ipp, int direction)
3644 {
3645 ipsec_policy_root_t *pr = &php->iph_root[direction];
3646 int af = -1;
3647 ipsec_policy_t *p2, *head;
3648 uint8_t check_proto;
3649 ipsec_selkey_t *selkey = &ipp->ipsp_sel->ipsl_key;
3650 uint32_t valid = selkey->ipsl_valid;
3651
3652 if (valid & IPSL_IPV6) {
3653 ASSERT(!(valid & IPSL_IPV4));
3654 af = IPSEC_AF_V6;
3655 check_proto = IPPROTO_ICMPV6;
3656 } else {
3657 ASSERT(valid & IPSL_IPV4);
3658 af = IPSEC_AF_V4;
3659 check_proto = IPPROTO_ICMP;
3660 }
3661
3662 ASSERT(RW_WRITE_HELD(&php->iph_lock));
3663
3664 /*
3665 * Double-check that we don't have any duplicate selectors here.
3666 * Because selectors are interned below, we need only compare pointers
3667 * for equality.
3668 */
3669 if (selkey->ipsl_sel_hval == IPSEC_SEL_NOHASH) {
3670 head = pr->ipr_nonhash[af];
3671 } else {
3672 selkey->ipsl_pol_hval =
3673 (selkey->ipsl_valid & IPSL_IPV4) ?
3674 IPSEC_IPV4_HASH(selkey->ipsl_remote.ipsad_v4,
3675 pr->ipr_nchains) :
3676 IPSEC_IPV6_HASH(selkey->ipsl_remote.ipsad_v6,
3677 pr->ipr_nchains);
3678
3679 head = pr->ipr_hash[selkey->ipsl_pol_hval].hash_head;
3680 }
3681
3682 for (p2 = head; p2 != NULL; p2 = p2->ipsp_hash.hash_next) {
3683 if (p2->ipsp_sel == ipp->ipsp_sel)
3684 return (B_FALSE);
3685 }
3686
3687 /*
3688 * If it's ICMP and not a drop or pass rule, run through the ICMP
3689 * rules and make sure the action is either new or the same as any
3690 * other actions. We don't have to check the full chain because
3691 * discard and bypass will override all other actions
3692 */
3693
3694 if (valid & IPSL_PROTOCOL &&
3695 selkey->ipsl_proto == check_proto &&
3696 (ipp->ipsp_act->ipa_act.ipa_type == IPSEC_ACT_APPLY)) {
3697
3698 for (p2 = head; p2 != NULL; p2 = p2->ipsp_hash.hash_next) {
3699
3700 if (p2->ipsp_sel->ipsl_key.ipsl_valid & IPSL_PROTOCOL &&
3701 p2->ipsp_sel->ipsl_key.ipsl_proto == check_proto &&
3702 (p2->ipsp_act->ipa_act.ipa_type ==
3703 IPSEC_ACT_APPLY)) {
3704 return (ipsec_compare_action(p2, ipp));
3705 }
3706 }
3707 }
3708
3709 return (B_TRUE);
3710 }
3711
3712 /*
3713 * compare the action chains of two policies for equality
3714 * B_TRUE -> effective equality
3715 */
3716
3717 static boolean_t
3718 ipsec_compare_action(ipsec_policy_t *p1, ipsec_policy_t *p2)
3719 {
3720
3721 ipsec_action_t *act1, *act2;
3722
3723 /* We have a valid rule. Let's compare the actions */
3724 if (p1->ipsp_act == p2->ipsp_act) {
3725 /* same action. We are good */
3726 return (B_TRUE);
3727 }
3728
3729 /* we have to walk the chain */
3730
3731 act1 = p1->ipsp_act;
3732 act2 = p2->ipsp_act;
3733
3734 while (act1 != NULL && act2 != NULL) {
3735
3736 /* otherwise, Are we close enough? */
3737 if (act1->ipa_allow_clear != act2->ipa_allow_clear ||
3738 act1->ipa_want_ah != act2->ipa_want_ah ||
3739 act1->ipa_want_esp != act2->ipa_want_esp ||
3740 act1->ipa_want_se != act2->ipa_want_se) {
3741 /* Nope, we aren't */
3742 return (B_FALSE);
3743 }
3744
3745 if (act1->ipa_want_ah) {
3746 if (act1->ipa_act.ipa_apply.ipp_auth_alg !=
3747 act2->ipa_act.ipa_apply.ipp_auth_alg) {
3748 return (B_FALSE);
3749 }
3750
3751 if (act1->ipa_act.ipa_apply.ipp_ah_minbits !=
3752 act2->ipa_act.ipa_apply.ipp_ah_minbits ||
3753 act1->ipa_act.ipa_apply.ipp_ah_maxbits !=
3754 act2->ipa_act.ipa_apply.ipp_ah_maxbits) {
3755 return (B_FALSE);
3756 }
3757 }
3758
3759 if (act1->ipa_want_esp) {
3760 if (act1->ipa_act.ipa_apply.ipp_use_esp !=
3761 act2->ipa_act.ipa_apply.ipp_use_esp ||
3762 act1->ipa_act.ipa_apply.ipp_use_espa !=
3763 act2->ipa_act.ipa_apply.ipp_use_espa) {
3764 return (B_FALSE);
3765 }
3766
3767 if (act1->ipa_act.ipa_apply.ipp_use_esp) {
3768 if (act1->ipa_act.ipa_apply.ipp_encr_alg !=
3769 act2->ipa_act.ipa_apply.ipp_encr_alg) {
3770 return (B_FALSE);
3771 }
3772
3773 if (act1->ipa_act.ipa_apply.ipp_espe_minbits !=
3774 act2->ipa_act.ipa_apply.ipp_espe_minbits ||
3775 act1->ipa_act.ipa_apply.ipp_espe_maxbits !=
3776 act2->ipa_act.ipa_apply.ipp_espe_maxbits) {
3777 return (B_FALSE);
3778 }
3779 }
3780
3781 if (act1->ipa_act.ipa_apply.ipp_use_espa) {
3782 if (act1->ipa_act.ipa_apply.ipp_esp_auth_alg !=
3783 act2->ipa_act.ipa_apply.ipp_esp_auth_alg) {
3784 return (B_FALSE);
3785 }
3786
3787 if (act1->ipa_act.ipa_apply.ipp_espa_minbits !=
3788 act2->ipa_act.ipa_apply.ipp_espa_minbits ||
3789 act1->ipa_act.ipa_apply.ipp_espa_maxbits !=
3790 act2->ipa_act.ipa_apply.ipp_espa_maxbits) {
3791 return (B_FALSE);
3792 }
3793 }
3794
3795 }
3796
3797 act1 = act1->ipa_next;
3798 act2 = act2->ipa_next;
3799 }
3800
3801 if (act1 != NULL || act2 != NULL) {
3802 return (B_FALSE);
3803 }
3804
3805 return (B_TRUE);
3806 }
3807
3808
3809 /*
3810 * Given a constructed ipsec_policy_t policy rule, enter it into
3811 * the correct policy ruleset.
3812 *
3813 * ipsec_check_policy() is assumed to have succeeded first (to check for
3814 * duplicates).
3815 */
3816 void
3817 ipsec_enter_policy(ipsec_policy_head_t *php, ipsec_policy_t *ipp, int direction,
3818 netstack_t *ns)
3819 {
3820 ipsec_policy_root_t *pr = &php->iph_root[direction];
3821 ipsec_selkey_t *selkey = &ipp->ipsp_sel->ipsl_key;
3822 uint32_t valid = selkey->ipsl_valid;
3823 uint32_t hval = selkey->ipsl_pol_hval;
3824 int af = -1;
3825
3826 ASSERT(RW_WRITE_HELD(&php->iph_lock));
3827
3828 if (valid & IPSL_IPV6) {
3829 ASSERT(!(valid & IPSL_IPV4));
3830 af = IPSEC_AF_V6;
3831 } else {
3832 ASSERT(valid & IPSL_IPV4);
3833 af = IPSEC_AF_V4;
3834 }
3835
3836 php->iph_gen++;
3837
3838 if (hval == IPSEC_SEL_NOHASH) {
3839 HASHLIST_INSERT(ipp, ipsp_hash, pr->ipr_nonhash[af]);
3840 } else {
3841 HASH_LOCK(pr->ipr_hash, hval);
3842 HASH_INSERT(ipp, ipsp_hash, pr->ipr_hash, hval);
3843 HASH_UNLOCK(pr->ipr_hash, hval);
3844 }
3845
3846 ipsec_insert_always(&php->iph_rulebyid, ipp);
3847
3848 ipsec_update_present_flags(ns->netstack_ipsec);
3849 }
3850
3851 static void
3852 ipsec_ipr_flush(ipsec_policy_head_t *php, ipsec_policy_root_t *ipr)
3853 {
3854 ipsec_policy_t *ip, *nip;
3855 int af, chain, nchain;
3856
3857 for (af = 0; af < IPSEC_NAF; af++) {
3858 for (ip = ipr->ipr_nonhash[af]; ip != NULL; ip = nip) {
3859 nip = ip->ipsp_hash.hash_next;
3860 IPPOL_UNCHAIN(php, ip);
3861 }
3862 ipr->ipr_nonhash[af] = NULL;
3863 }
3864 nchain = ipr->ipr_nchains;
3865
3866 for (chain = 0; chain < nchain; chain++) {
3867 for (ip = ipr->ipr_hash[chain].hash_head; ip != NULL;
3868 ip = nip) {
3869 nip = ip->ipsp_hash.hash_next;
3870 IPPOL_UNCHAIN(php, ip);
3871 }
3872 ipr->ipr_hash[chain].hash_head = NULL;
3873 }
3874 }
3875
3876 /*
3877 * Create and insert inbound or outbound policy associated with actp for the
3878 * address family fam into the policy head ph. Returns B_TRUE if policy was
3879 * inserted, and B_FALSE otherwise.
3880 */
3881 boolean_t
3882 ipsec_polhead_insert(ipsec_policy_head_t *ph, ipsec_act_t *actp, uint_t nact,
3883 int fam, int ptype, netstack_t *ns)
3884 {
3885 ipsec_selkey_t sel;
3886 ipsec_policy_t *pol;
3887 ipsec_policy_root_t *pr;
3888
3889 bzero(&sel, sizeof (sel));
3890 sel.ipsl_valid = (fam == IPSEC_AF_V4 ? IPSL_IPV4 : IPSL_IPV6);
3891 if ((pol = ipsec_policy_create(&sel, actp, nact, IPSEC_PRIO_SOCKET,
3892 NULL, ns)) != NULL) {
3893 pr = &ph->iph_root[ptype];
3894 HASHLIST_INSERT(pol, ipsp_hash, pr->ipr_nonhash[fam]);
3895 ipsec_insert_always(&ph->iph_rulebyid, pol);
3896 }
3897 return (pol != NULL);
3898 }
3899
3900 void
3901 ipsec_polhead_flush(ipsec_policy_head_t *php, netstack_t *ns)
3902 {
3903 int dir;
3904
3905 ASSERT(RW_WRITE_HELD(&php->iph_lock));
3906
3907 for (dir = 0; dir < IPSEC_NTYPES; dir++)
3908 ipsec_ipr_flush(php, &php->iph_root[dir]);
3909
3910 php->iph_gen++;
3911 ipsec_update_present_flags(ns->netstack_ipsec);
3912 }
3913
3914 void
3915 ipsec_polhead_free(ipsec_policy_head_t *php, netstack_t *ns)
3916 {
3917 int dir;
3918
3919 ASSERT(php->iph_refs == 0);
3920
3921 rw_enter(&php->iph_lock, RW_WRITER);
3922 ipsec_polhead_flush(php, ns);
3923 rw_exit(&php->iph_lock);
3924 rw_destroy(&php->iph_lock);
3925 for (dir = 0; dir < IPSEC_NTYPES; dir++) {
3926 ipsec_policy_root_t *ipr = &php->iph_root[dir];
3927 int chain;
3928
3929 for (chain = 0; chain < ipr->ipr_nchains; chain++)
3930 mutex_destroy(&(ipr->ipr_hash[chain].hash_lock));
3931
3932 }
3933 ipsec_polhead_free_table(php);
3934 kmem_free(php, sizeof (*php));
3935 }
3936
3937 static void
3938 ipsec_ipr_init(ipsec_policy_root_t *ipr)
3939 {
3940 int af;
3941
3942 ipr->ipr_nchains = 0;
3943 ipr->ipr_hash = NULL;
3944
3945 for (af = 0; af < IPSEC_NAF; af++) {
3946 ipr->ipr_nonhash[af] = NULL;
3947 }
3948 }
3949
3950 ipsec_policy_head_t *
3951 ipsec_polhead_create(void)
3952 {
3953 ipsec_policy_head_t *php;
3954
3955 php = kmem_alloc(sizeof (*php), KM_NOSLEEP);
3956 if (php == NULL)
3957 return (php);
3958
3959 rw_init(&php->iph_lock, NULL, RW_DEFAULT, NULL);
3960 php->iph_refs = 1;
3961 php->iph_gen = 0;
3962
3963 ipsec_ipr_init(&php->iph_root[IPSEC_TYPE_INBOUND]);
3964 ipsec_ipr_init(&php->iph_root[IPSEC_TYPE_OUTBOUND]);
3965
3966 avl_create(&php->iph_rulebyid, ipsec_policy_cmpbyid,
3967 sizeof (ipsec_policy_t), offsetof(ipsec_policy_t, ipsp_byid));
3968
3969 return (php);
3970 }
3971
3972 /*
3973 * Clone the policy head into a new polhead; release one reference to the
3974 * old one and return the only reference to the new one.
3975 * If the old one had a refcount of 1, just return it.
3976 */
3977 ipsec_policy_head_t *
3978 ipsec_polhead_split(ipsec_policy_head_t *php, netstack_t *ns)
3979 {
3980 ipsec_policy_head_t *nphp;
3981
3982 if (php == NULL)
3983 return (ipsec_polhead_create());
3984 else if (php->iph_refs == 1)
3985 return (php);
3986
3987 nphp = ipsec_polhead_create();
3988 if (nphp == NULL)
3989 return (NULL);
3990
3991 if (ipsec_copy_polhead(php, nphp, ns) != 0) {
3992 ipsec_polhead_free(nphp, ns);
3993 return (NULL);
3994 }
3995 IPPH_REFRELE(php, ns);
3996 return (nphp);
3997 }
3998
3999 /*
4000 * When sending a response to a ICMP request or generating a RST
4001 * in the TCP case, the outbound packets need to go at the same level
4002 * of protection as the incoming ones i.e we associate our outbound
4003 * policy with how the packet came in. We call this after we have
4004 * accepted the incoming packet which may or may not have been in
4005 * clear and hence we are sending the reply back with the policy
4006 * matching the incoming datagram's policy.
4007 *
4008 * NOTE : This technology serves two purposes :
4009 *
4010 * 1) If we have multiple outbound policies, we send out a reply
4011 * matching with how it came in rather than matching the outbound
4012 * policy.
4013 *
4014 * 2) For assymetric policies, we want to make sure that incoming
4015 * and outgoing has the same level of protection. Assymetric
4016 * policies exist only with global policy where we may not have
4017 * both outbound and inbound at the same time.
4018 *
4019 * NOTE2: This function is called by cleartext cases, so it needs to be
4020 * in IP proper.
4021 *
4022 * Note: the caller has moved other parts of ira into ixa already.
4023 */
4024 boolean_t
4025 ipsec_in_to_out(ip_recv_attr_t *ira, ip_xmit_attr_t *ixa, mblk_t *data_mp,
4026 ipha_t *ipha, ip6_t *ip6h)
4027 {
4028 ipsec_selector_t sel;
4029 ipsec_action_t *reflect_action = NULL;
4030 netstack_t *ns = ixa->ixa_ipst->ips_netstack;
4031
4032 bzero((void*)&sel, sizeof (sel));
4033
4034 if (ira->ira_ipsec_action != NULL) {
4035 /* transfer reference.. */
4036 reflect_action = ira->ira_ipsec_action;
4037 ira->ira_ipsec_action = NULL;
4038 } else if (!(ira->ira_flags & IRAF_LOOPBACK))
4039 reflect_action = ipsec_in_to_out_action(ira);
4040
4041 /*
4042 * The caller is going to send the datagram out which might
4043 * go on the wire or delivered locally through ire_send_local.
4044 *
4045 * 1) If it goes out on the wire, new associations will be
4046 * obtained.
4047 * 2) If it is delivered locally, ire_send_local will convert
4048 * this ip_xmit_attr_t back to a ip_recv_attr_t looking at the
4049 * requests.
4050 */
4051 ixa->ixa_ipsec_action = reflect_action;
4052
4053 if (!ipsec_init_outbound_ports(&sel, data_mp, ipha, ip6h, 0,
4054 ns->netstack_ipsec)) {
4055 /* Note: data_mp already consumed and ip_drop_packet done */
4056 return (B_FALSE);
4057 }
4058 ixa->ixa_ipsec_src_port = sel.ips_local_port;
4059 ixa->ixa_ipsec_dst_port = sel.ips_remote_port;
4060 ixa->ixa_ipsec_proto = sel.ips_protocol;
4061 ixa->ixa_ipsec_icmp_type = sel.ips_icmp_type;
4062 ixa->ixa_ipsec_icmp_code = sel.ips_icmp_code;
4063
4064 /*
4065 * Don't use global policy for this, as we want
4066 * to use the same protection that was applied to the inbound packet.
4067 * Thus we set IXAF_NO_IPSEC is it arrived in the clear to make
4068 * it be sent in the clear.
4069 */
4070 if (ira->ira_flags & IRAF_IPSEC_SECURE)
4071 ixa->ixa_flags |= IXAF_IPSEC_SECURE;
4072 else
4073 ixa->ixa_flags |= IXAF_NO_IPSEC;
4074
4075 return (B_TRUE);
4076 }
4077
4078 void
4079 ipsec_out_release_refs(ip_xmit_attr_t *ixa)
4080 {
4081 if (!(ixa->ixa_flags & IXAF_IPSEC_SECURE))
4082 return;
4083
4084 if (ixa->ixa_ipsec_ah_sa != NULL) {
4085 IPSA_REFRELE(ixa->ixa_ipsec_ah_sa);
4086 ixa->ixa_ipsec_ah_sa = NULL;
4087 }
4088 if (ixa->ixa_ipsec_esp_sa != NULL) {
4089 IPSA_REFRELE(ixa->ixa_ipsec_esp_sa);
4090 ixa->ixa_ipsec_esp_sa = NULL;
4091 }
4092 if (ixa->ixa_ipsec_policy != NULL) {
4093 IPPOL_REFRELE(ixa->ixa_ipsec_policy);
4094 ixa->ixa_ipsec_policy = NULL;
4095 }
4096 if (ixa->ixa_ipsec_action != NULL) {
4097 IPACT_REFRELE(ixa->ixa_ipsec_action);
4098 ixa->ixa_ipsec_action = NULL;
4099 }
4100 if (ixa->ixa_ipsec_latch) {
4101 IPLATCH_REFRELE(ixa->ixa_ipsec_latch);
4102 ixa->ixa_ipsec_latch = NULL;
4103 }
4104 /* Clear the soft references to the SAs */
4105 ixa->ixa_ipsec_ref[0].ipsr_sa = NULL;
4106 ixa->ixa_ipsec_ref[0].ipsr_bucket = NULL;
4107 ixa->ixa_ipsec_ref[0].ipsr_gen = 0;
4108 ixa->ixa_ipsec_ref[1].ipsr_sa = NULL;
4109 ixa->ixa_ipsec_ref[1].ipsr_bucket = NULL;
4110 ixa->ixa_ipsec_ref[1].ipsr_gen = 0;
4111 ixa->ixa_flags &= ~IXAF_IPSEC_SECURE;
4112 }
4113
4114 void
4115 ipsec_in_release_refs(ip_recv_attr_t *ira)
4116 {
4117 if (!(ira->ira_flags & IRAF_IPSEC_SECURE))
4118 return;
4119
4120 if (ira->ira_ipsec_ah_sa != NULL) {
4121 IPSA_REFRELE(ira->ira_ipsec_ah_sa);
4122 ira->ira_ipsec_ah_sa = NULL;
4123 }
4124 if (ira->ira_ipsec_esp_sa != NULL) {
4125 IPSA_REFRELE(ira->ira_ipsec_esp_sa);
4126 ira->ira_ipsec_esp_sa = NULL;
4127 }
4128 ira->ira_flags &= ~IRAF_IPSEC_SECURE;
4129 }
4130
4131 /*
4132 * This is called from ire_send_local when a packet
4133 * is looped back. We setup the ip_recv_attr_t "borrowing" the references
4134 * held by the callers.
4135 * Note that we don't do any IPsec but we carry the actions and IPSEC flags
4136 * across so that the fanout policy checks see that IPsec was applied.
4137 *
4138 * The caller should do ipsec_in_release_refs() on the ira by calling
4139 * ira_cleanup().
4140 */
4141 void
4142 ipsec_out_to_in(ip_xmit_attr_t *ixa, ill_t *ill, ip_recv_attr_t *ira)
4143 {
4144 ipsec_policy_t *pol;
4145 ipsec_action_t *act;
4146
4147 /* Non-IPsec operations */
4148 ira->ira_free_flags = 0;
4149 ira->ira_zoneid = ixa->ixa_zoneid;
4150 ira->ira_cred = ixa->ixa_cred;
4151 ira->ira_cpid = ixa->ixa_cpid;
4152 ira->ira_tsl = ixa->ixa_tsl;
4153 ira->ira_ill = ira->ira_rill = ill;
4154 ira->ira_flags = ixa->ixa_flags & IAF_MASK;
4155 ira->ira_no_loop_zoneid = ixa->ixa_no_loop_zoneid;
4156 ira->ira_pktlen = ixa->ixa_pktlen;
4157 ira->ira_ip_hdr_length = ixa->ixa_ip_hdr_length;
4158 ira->ira_protocol = ixa->ixa_protocol;
4159 ira->ira_mhip = NULL;
4160
4161 ira->ira_flags |= IRAF_LOOPBACK | IRAF_L2SRC_LOOPBACK;
4162
4163 ira->ira_sqp = ixa->ixa_sqp;
4164 ira->ira_ring = NULL;
4165
4166 ira->ira_ruifindex = ill->ill_phyint->phyint_ifindex;
4167 ira->ira_rifindex = ira->ira_ruifindex;
4168
4169 if (!(ixa->ixa_flags & IXAF_IPSEC_SECURE))
4170 return;
4171
4172 ira->ira_flags |= IRAF_IPSEC_SECURE;
4173
4174 ira->ira_ipsec_ah_sa = NULL;
4175 ira->ira_ipsec_esp_sa = NULL;
4176
4177 act = ixa->ixa_ipsec_action;
4178 if (act == NULL) {
4179 pol = ixa->ixa_ipsec_policy;
4180 if (pol != NULL) {
4181 act = pol->ipsp_act;
4182 IPACT_REFHOLD(act);
4183 }
4184 }
4185 ixa->ixa_ipsec_action = NULL;
4186 ira->ira_ipsec_action = act;
4187 }
4188
4189 /*
4190 * Consults global policy and per-socket policy to see whether this datagram
4191 * should go out secure. If so it updates the ip_xmit_attr_t
4192 * Should not be used when connecting, since then we want to latch the policy.
4193 *
4194 * If connp is NULL we just look at the global policy.
4195 *
4196 * Returns NULL if the packet was dropped, in which case the MIB has
4197 * been incremented and ip_drop_packet done.
4198 */
4199 mblk_t *
4200 ip_output_attach_policy(mblk_t *mp, ipha_t *ipha, ip6_t *ip6h,
4201 const conn_t *connp, ip_xmit_attr_t *ixa)
4202 {
4203 ipsec_selector_t sel;
4204 boolean_t policy_present;
4205 ip_stack_t *ipst = ixa->ixa_ipst;
4206 netstack_t *ns = ipst->ips_netstack;
4207 ipsec_stack_t *ipss = ns->netstack_ipsec;
4208 ipsec_policy_t *p;
4209
4210 ixa->ixa_ipsec_policy_gen = ipss->ipsec_system_policy.iph_gen;
4211 ASSERT((ipha != NULL && ip6h == NULL) ||
4212 (ip6h != NULL && ipha == NULL));
4213
4214 if (ipha != NULL)
4215 policy_present = ipss->ipsec_outbound_v4_policy_present;
4216 else
4217 policy_present = ipss->ipsec_outbound_v6_policy_present;
4218
4219 if (!policy_present && (connp == NULL || connp->conn_policy == NULL))
4220 return (mp);
4221
4222 bzero((void*)&sel, sizeof (sel));
4223
4224 if (ipha != NULL) {
4225 sel.ips_local_addr_v4 = ipha->ipha_src;
4226 sel.ips_remote_addr_v4 = ip_get_dst(ipha);
4227 sel.ips_isv4 = B_TRUE;
4228 } else {
4229 sel.ips_isv4 = B_FALSE;
4230 sel.ips_local_addr_v6 = ip6h->ip6_src;
4231 sel.ips_remote_addr_v6 = ip_get_dst_v6(ip6h, mp, NULL);
4232 }
4233 sel.ips_protocol = ixa->ixa_protocol;
4234
4235 if (!ipsec_init_outbound_ports(&sel, mp, ipha, ip6h, 0, ipss)) {
4236 if (ipha != NULL) {
4237 BUMP_MIB(&ipst->ips_ip_mib, ipIfStatsOutDiscards);
4238 } else {
4239 BUMP_MIB(&ipst->ips_ip6_mib, ipIfStatsOutDiscards);
4240 }
4241 /* Note: mp already consumed and ip_drop_packet done */
4242 return (NULL);
4243 }
4244
4245 ASSERT(ixa->ixa_ipsec_policy == NULL);
4246 p = ipsec_find_policy(IPSEC_TYPE_OUTBOUND, connp, &sel, ns);
4247 ixa->ixa_ipsec_policy = p;
4248 if (p != NULL) {
4249 ixa->ixa_flags |= IXAF_IPSEC_SECURE;
4250 if (connp == NULL || connp->conn_policy == NULL)
4251 ixa->ixa_flags |= IXAF_IPSEC_GLOBAL_POLICY;
4252 } else {
4253 ixa->ixa_flags &= ~IXAF_IPSEC_SECURE;
4254 }
4255
4256 /*
4257 * Copy the right port information.
4258 */
4259 ixa->ixa_ipsec_src_port = sel.ips_local_port;
4260 ixa->ixa_ipsec_dst_port = sel.ips_remote_port;
4261 ixa->ixa_ipsec_icmp_type = sel.ips_icmp_type;
4262 ixa->ixa_ipsec_icmp_code = sel.ips_icmp_code;
4263 ixa->ixa_ipsec_proto = sel.ips_protocol;
4264 return (mp);
4265 }
4266
4267 /*
4268 * When appropriate, this function caches inbound and outbound policy
4269 * for this connection. The outbound policy is stored in conn_ixa.
4270 * Note that it can not be used for SCTP since conn_faddr isn't set for SCTP.
4271 *
4272 * XXX need to work out more details about per-interface policy and
4273 * caching here!
4274 *
4275 * XXX may want to split inbound and outbound caching for ill..
4276 */
4277 int
4278 ipsec_conn_cache_policy(conn_t *connp, boolean_t isv4)
4279 {
4280 boolean_t global_policy_present;
4281 netstack_t *ns = connp->conn_netstack;
4282 ipsec_stack_t *ipss = ns->netstack_ipsec;
4283
4284 connp->conn_ixa->ixa_ipsec_policy_gen =
4285 ipss->ipsec_system_policy.iph_gen;
4286 /*
4287 * There is no policy latching for ICMP sockets because we can't
4288 * decide on which policy to use until we see the packet and get
4289 * type/code selectors.
4290 */
4291 if (connp->conn_proto == IPPROTO_ICMP ||
4292 connp->conn_proto == IPPROTO_ICMPV6) {
4293 connp->conn_in_enforce_policy =
4294 connp->conn_out_enforce_policy = B_TRUE;
4295 if (connp->conn_latch != NULL) {
4296 IPLATCH_REFRELE(connp->conn_latch);
4297 connp->conn_latch = NULL;
4298 }
4299 if (connp->conn_latch_in_policy != NULL) {
4300 IPPOL_REFRELE(connp->conn_latch_in_policy);
4301 connp->conn_latch_in_policy = NULL;
4302 }
4303 if (connp->conn_latch_in_action != NULL) {
4304 IPACT_REFRELE(connp->conn_latch_in_action);
4305 connp->conn_latch_in_action = NULL;
4306 }
4307 if (connp->conn_ixa->ixa_ipsec_policy != NULL) {
4308 IPPOL_REFRELE(connp->conn_ixa->ixa_ipsec_policy);
4309 connp->conn_ixa->ixa_ipsec_policy = NULL;
4310 }
4311 if (connp->conn_ixa->ixa_ipsec_action != NULL) {
4312 IPACT_REFRELE(connp->conn_ixa->ixa_ipsec_action);
4313 connp->conn_ixa->ixa_ipsec_action = NULL;
4314 }
4315 connp->conn_ixa->ixa_flags &= ~IXAF_IPSEC_SECURE;
4316 return (0);
4317 }
4318
4319 global_policy_present = isv4 ?
4320 (ipss->ipsec_outbound_v4_policy_present ||
4321 ipss->ipsec_inbound_v4_policy_present) :
4322 (ipss->ipsec_outbound_v6_policy_present ||
4323 ipss->ipsec_inbound_v6_policy_present);
4324
4325 if ((connp->conn_policy != NULL) || global_policy_present) {
4326 ipsec_selector_t sel;
4327 ipsec_policy_t *p;
4328
4329 if (connp->conn_latch == NULL &&
4330 (connp->conn_latch = iplatch_create()) == NULL) {
4331 return (ENOMEM);
4332 }
4333
4334 bzero((void*)&sel, sizeof (sel));
4335
4336 sel.ips_protocol = connp->conn_proto;
4337 sel.ips_local_port = connp->conn_lport;
4338 sel.ips_remote_port = connp->conn_fport;
4339 sel.ips_is_icmp_inv_acq = 0;
4340 sel.ips_isv4 = isv4;
4341 if (isv4) {
4342 sel.ips_local_addr_v4 = connp->conn_laddr_v4;
4343 sel.ips_remote_addr_v4 = connp->conn_faddr_v4;
4344 } else {
4345 sel.ips_local_addr_v6 = connp->conn_laddr_v6;
4346 sel.ips_remote_addr_v6 = connp->conn_faddr_v6;
4347 }
4348
4349 p = ipsec_find_policy(IPSEC_TYPE_INBOUND, connp, &sel, ns);
4350 if (connp->conn_latch_in_policy != NULL)
4351 IPPOL_REFRELE(connp->conn_latch_in_policy);
4352 connp->conn_latch_in_policy = p;
4353 connp->conn_in_enforce_policy = (p != NULL);
4354
4355 p = ipsec_find_policy(IPSEC_TYPE_OUTBOUND, connp, &sel, ns);
4356 if (connp->conn_ixa->ixa_ipsec_policy != NULL)
4357 IPPOL_REFRELE(connp->conn_ixa->ixa_ipsec_policy);
4358 connp->conn_ixa->ixa_ipsec_policy = p;
4359 connp->conn_out_enforce_policy = (p != NULL);
4360 if (p != NULL) {
4361 connp->conn_ixa->ixa_flags |= IXAF_IPSEC_SECURE;
4362 if (connp->conn_policy == NULL) {
4363 connp->conn_ixa->ixa_flags |=
4364 IXAF_IPSEC_GLOBAL_POLICY;
4365 }
4366 } else {
4367 connp->conn_ixa->ixa_flags &= ~IXAF_IPSEC_SECURE;
4368 }
4369 /* Clear the latched actions too, in case we're recaching. */
4370 if (connp->conn_ixa->ixa_ipsec_action != NULL) {
4371 IPACT_REFRELE(connp->conn_ixa->ixa_ipsec_action);
4372 connp->conn_ixa->ixa_ipsec_action = NULL;
4373 }
4374 if (connp->conn_latch_in_action != NULL) {
4375 IPACT_REFRELE(connp->conn_latch_in_action);
4376 connp->conn_latch_in_action = NULL;
4377 }
4378 connp->conn_ixa->ixa_ipsec_src_port = sel.ips_local_port;
4379 connp->conn_ixa->ixa_ipsec_dst_port = sel.ips_remote_port;
4380 connp->conn_ixa->ixa_ipsec_icmp_type = sel.ips_icmp_type;
4381 connp->conn_ixa->ixa_ipsec_icmp_code = sel.ips_icmp_code;
4382 connp->conn_ixa->ixa_ipsec_proto = sel.ips_protocol;
4383 } else {
4384 connp->conn_ixa->ixa_flags &= ~IXAF_IPSEC_SECURE;
4385 }
4386
4387 /*
4388 * We may or may not have policy for this endpoint. We still set
4389 * conn_policy_cached so that inbound datagrams don't have to look
4390 * at global policy as policy is considered latched for these
4391 * endpoints. We should not set conn_policy_cached until the conn
4392 * reflects the actual policy. If we *set* this before inheriting
4393 * the policy there is a window where the check
4394 * CONN_INBOUND_POLICY_PRESENT, will neither check with the policy
4395 * on the conn (because we have not yet copied the policy on to
4396 * conn and hence not set conn_in_enforce_policy) nor with the
4397 * global policy (because conn_policy_cached is already set).
4398 */
4399 connp->conn_policy_cached = B_TRUE;
4400 return (0);
4401 }
4402
4403 /*
4404 * When appropriate, this function caches outbound policy for faddr/fport.
4405 * It is used when we are not connected i.e., when we can not latch the
4406 * policy.
4407 */
4408 void
4409 ipsec_cache_outbound_policy(const conn_t *connp, const in6_addr_t *v6src,
4410 const in6_addr_t *v6dst, in_port_t dstport, ip_xmit_attr_t *ixa)
4411 {
4412 boolean_t isv4 = (ixa->ixa_flags & IXAF_IS_IPV4) != 0;
4413 boolean_t global_policy_present;
4414 netstack_t *ns = connp->conn_netstack;
4415 ipsec_stack_t *ipss = ns->netstack_ipsec;
4416
4417 ixa->ixa_ipsec_policy_gen = ipss->ipsec_system_policy.iph_gen;
4418
4419 /*
4420 * There is no policy caching for ICMP sockets because we can't
4421 * decide on which policy to use until we see the packet and get
4422 * type/code selectors.
4423 */
4424 if (connp->conn_proto == IPPROTO_ICMP ||
4425 connp->conn_proto == IPPROTO_ICMPV6) {
4426 ixa->ixa_flags &= ~IXAF_IPSEC_SECURE;
4427 if (ixa->ixa_ipsec_policy != NULL) {
4428 IPPOL_REFRELE(ixa->ixa_ipsec_policy);
4429 ixa->ixa_ipsec_policy = NULL;
4430 }
4431 if (ixa->ixa_ipsec_action != NULL) {
4432 IPACT_REFRELE(ixa->ixa_ipsec_action);
4433 ixa->ixa_ipsec_action = NULL;
4434 }
4435 return;
4436 }
4437
4438 global_policy_present = isv4 ?
4439 (ipss->ipsec_outbound_v4_policy_present ||
4440 ipss->ipsec_inbound_v4_policy_present) :
4441 (ipss->ipsec_outbound_v6_policy_present ||
4442 ipss->ipsec_inbound_v6_policy_present);
4443
4444 if ((connp->conn_policy != NULL) || global_policy_present) {
4445 ipsec_selector_t sel;
4446 ipsec_policy_t *p;
4447
4448 bzero((void*)&sel, sizeof (sel));
4449
4450 sel.ips_protocol = connp->conn_proto;
4451 sel.ips_local_port = connp->conn_lport;
4452 sel.ips_remote_port = dstport;
4453 sel.ips_is_icmp_inv_acq = 0;
4454 sel.ips_isv4 = isv4;
4455 if (isv4) {
4456 IN6_V4MAPPED_TO_IPADDR(v6src, sel.ips_local_addr_v4);
4457 IN6_V4MAPPED_TO_IPADDR(v6dst, sel.ips_remote_addr_v4);
4458 } else {
4459 sel.ips_local_addr_v6 = *v6src;
4460 sel.ips_remote_addr_v6 = *v6dst;
4461 }
4462
4463 p = ipsec_find_policy(IPSEC_TYPE_OUTBOUND, connp, &sel, ns);
4464 if (ixa->ixa_ipsec_policy != NULL)
4465 IPPOL_REFRELE(ixa->ixa_ipsec_policy);
4466 ixa->ixa_ipsec_policy = p;
4467 if (p != NULL) {
4468 ixa->ixa_flags |= IXAF_IPSEC_SECURE;
4469 if (connp->conn_policy == NULL)
4470 ixa->ixa_flags |= IXAF_IPSEC_GLOBAL_POLICY;
4471 } else {
4472 ixa->ixa_flags &= ~IXAF_IPSEC_SECURE;
4473 }
4474 /* Clear the latched actions too, in case we're recaching. */
4475 if (ixa->ixa_ipsec_action != NULL) {
4476 IPACT_REFRELE(ixa->ixa_ipsec_action);
4477 ixa->ixa_ipsec_action = NULL;
4478 }
4479
4480 ixa->ixa_ipsec_src_port = sel.ips_local_port;
4481 ixa->ixa_ipsec_dst_port = sel.ips_remote_port;
4482 ixa->ixa_ipsec_icmp_type = sel.ips_icmp_type;
4483 ixa->ixa_ipsec_icmp_code = sel.ips_icmp_code;
4484 ixa->ixa_ipsec_proto = sel.ips_protocol;
4485 } else {
4486 ixa->ixa_flags &= ~IXAF_IPSEC_SECURE;
4487 if (ixa->ixa_ipsec_policy != NULL) {
4488 IPPOL_REFRELE(ixa->ixa_ipsec_policy);
4489 ixa->ixa_ipsec_policy = NULL;
4490 }
4491 if (ixa->ixa_ipsec_action != NULL) {
4492 IPACT_REFRELE(ixa->ixa_ipsec_action);
4493 ixa->ixa_ipsec_action = NULL;
4494 }
4495 }
4496 }
4497
4498 /*
4499 * Returns B_FALSE if the policy has gone stale.
4500 */
4501 boolean_t
4502 ipsec_outbound_policy_current(ip_xmit_attr_t *ixa)
4503 {
4504 ipsec_stack_t *ipss = ixa->ixa_ipst->ips_netstack->netstack_ipsec;
4505
4506 if (!(ixa->ixa_flags & IXAF_IPSEC_GLOBAL_POLICY))
4507 return (B_TRUE);
4508
4509 return (ixa->ixa_ipsec_policy_gen == ipss->ipsec_system_policy.iph_gen);
4510 }
4511
4512 void
4513 iplatch_free(ipsec_latch_t *ipl)
4514 {
4515 if (ipl->ipl_local_cid != NULL)
4516 IPSID_REFRELE(ipl->ipl_local_cid);
4517 if (ipl->ipl_remote_cid != NULL)
4518 IPSID_REFRELE(ipl->ipl_remote_cid);
4519 mutex_destroy(&ipl->ipl_lock);
4520 kmem_free(ipl, sizeof (*ipl));
4521 }
4522
4523 ipsec_latch_t *
4524 iplatch_create()
4525 {
4526 ipsec_latch_t *ipl = kmem_zalloc(sizeof (*ipl), KM_NOSLEEP);
4527 if (ipl == NULL)
4528 return (ipl);
4529 mutex_init(&ipl->ipl_lock, NULL, MUTEX_DEFAULT, NULL);
4530 ipl->ipl_refcnt = 1;
4531 return (ipl);
4532 }
4533
4534 /*
4535 * Hash function for ID hash table.
4536 */
4537 static uint32_t
4538 ipsid_hash(int idtype, char *idstring)
4539 {
4540 uint32_t hval = idtype;
4541 unsigned char c;
4542
4543 while ((c = *idstring++) != 0) {
4544 hval = (hval << 4) | (hval >> 28);
4545 hval ^= c;
4546 }
4547 hval = hval ^ (hval >> 16);
4548 return (hval & (IPSID_HASHSIZE-1));
4549 }
4550
4551 /*
4552 * Look up identity string in hash table. Return identity object
4553 * corresponding to the name -- either preexisting, or newly allocated.
4554 *
4555 * Return NULL if we need to allocate a new one and can't get memory.
4556 */
4557 ipsid_t *
4558 ipsid_lookup(int idtype, char *idstring, netstack_t *ns)
4559 {
4560 ipsid_t *retval;
4561 char *nstr;
4562 int idlen = strlen(idstring) + 1;
4563 ipsec_stack_t *ipss = ns->netstack_ipsec;
4564 ipsif_t *bucket;
4565
4566 bucket = &ipss->ipsec_ipsid_buckets[ipsid_hash(idtype, idstring)];
4567
4568 mutex_enter(&bucket->ipsif_lock);
4569
4570 for (retval = bucket->ipsif_head; retval != NULL;
4571 retval = retval->ipsid_next) {
4572 if (idtype != retval->ipsid_type)
4573 continue;
4574 if (bcmp(idstring, retval->ipsid_cid, idlen) != 0)
4575 continue;
4576
4577 IPSID_REFHOLD(retval);
4578 mutex_exit(&bucket->ipsif_lock);
4579 return (retval);
4580 }
4581
4582 retval = kmem_alloc(sizeof (*retval), KM_NOSLEEP);
4583 if (!retval) {
4584 mutex_exit(&bucket->ipsif_lock);
4585 return (NULL);
4586 }
4587
4588 nstr = kmem_alloc(idlen, KM_NOSLEEP);
4589 if (!nstr) {
4590 mutex_exit(&bucket->ipsif_lock);
4591 kmem_free(retval, sizeof (*retval));
4592 return (NULL);
4593 }
4594
4595 retval->ipsid_refcnt = 1;
4596 retval->ipsid_next = bucket->ipsif_head;
4597 if (retval->ipsid_next != NULL)
4598 retval->ipsid_next->ipsid_ptpn = &retval->ipsid_next;
4599 retval->ipsid_ptpn = &bucket->ipsif_head;
4600 retval->ipsid_type = idtype;
4601 retval->ipsid_cid = nstr;
4602 bucket->ipsif_head = retval;
4603 bcopy(idstring, nstr, idlen);
4604 mutex_exit(&bucket->ipsif_lock);
4605
4606 return (retval);
4607 }
4608
4609 /*
4610 * Garbage collect the identity hash table.
4611 */
4612 void
4613 ipsid_gc(netstack_t *ns)
4614 {
4615 int i, len;
4616 ipsid_t *id, *nid;
4617 ipsif_t *bucket;
4618 ipsec_stack_t *ipss = ns->netstack_ipsec;
4619
4620 for (i = 0; i < IPSID_HASHSIZE; i++) {
4621 bucket = &ipss->ipsec_ipsid_buckets[i];
4622 mutex_enter(&bucket->ipsif_lock);
4623 for (id = bucket->ipsif_head; id != NULL; id = nid) {
4624 nid = id->ipsid_next;
4625 if (id->ipsid_refcnt == 0) {
4626 *id->ipsid_ptpn = nid;
4627 if (nid != NULL)
4628 nid->ipsid_ptpn = id->ipsid_ptpn;
4629 len = strlen(id->ipsid_cid) + 1;
4630 kmem_free(id->ipsid_cid, len);
4631 kmem_free(id, sizeof (*id));
4632 }
4633 }
4634 mutex_exit(&bucket->ipsif_lock);
4635 }
4636 }
4637
4638 /*
4639 * Return true if two identities are the same.
4640 */
4641 boolean_t
4642 ipsid_equal(ipsid_t *id1, ipsid_t *id2)
4643 {
4644 if (id1 == id2)
4645 return (B_TRUE);
4646 #ifdef DEBUG
4647 if ((id1 == NULL) || (id2 == NULL))
4648 return (B_FALSE);
4649 /*
4650 * test that we're interning id's correctly..
4651 */
4652 ASSERT((strcmp(id1->ipsid_cid, id2->ipsid_cid) != 0) ||
4653 (id1->ipsid_type != id2->ipsid_type));
4654 #endif
4655 return (B_FALSE);
4656 }
4657
4658 /*
4659 * Initialize identity table; called during module initialization.
4660 */
4661 static void
4662 ipsid_init(netstack_t *ns)
4663 {
4664 ipsif_t *bucket;
4665 int i;
4666 ipsec_stack_t *ipss = ns->netstack_ipsec;
4667
4668 for (i = 0; i < IPSID_HASHSIZE; i++) {
4669 bucket = &ipss->ipsec_ipsid_buckets[i];
4670 mutex_init(&bucket->ipsif_lock, NULL, MUTEX_DEFAULT, NULL);
4671 }
4672 }
4673
4674 /*
4675 * Free identity table (preparatory to module unload)
4676 */
4677 static void
4678 ipsid_fini(netstack_t *ns)
4679 {
4680 ipsif_t *bucket;
4681 int i;
4682 ipsec_stack_t *ipss = ns->netstack_ipsec;
4683
4684 for (i = 0; i < IPSID_HASHSIZE; i++) {
4685 bucket = &ipss->ipsec_ipsid_buckets[i];
4686 ASSERT(bucket->ipsif_head == NULL);
4687 mutex_destroy(&bucket->ipsif_lock);
4688 }
4689 }
4690
4691 /*
4692 * Update the minimum and maximum supported key sizes for the specified
4693 * algorithm, which is either a member of a netstack alg array or about to be,
4694 * and therefore must be called holding ipsec_alg_lock for write.
4695 */
4696 void
4697 ipsec_alg_fix_min_max(ipsec_alginfo_t *alg, ipsec_algtype_t alg_type,
4698 netstack_t *ns)
4699 {
4700 size_t crypto_min = (size_t)-1, crypto_max = 0;
4701 size_t cur_crypto_min, cur_crypto_max;
4702 boolean_t is_valid;
4703 crypto_mechanism_info_t *mech_infos;
4704 uint_t nmech_infos;
4705 int crypto_rc, i;
4706 crypto_mech_usage_t mask;
4707 ipsec_stack_t *ipss = ns->netstack_ipsec;
4708
4709 ASSERT(RW_WRITE_HELD(&ipss->ipsec_alg_lock));
4710
4711 /*
4712 * Compute the min, max, and default key sizes (in number of
4713 * increments to the default key size in bits) as defined
4714 * by the algorithm mappings. This range of key sizes is used
4715 * for policy related operations. The effective key sizes
4716 * supported by the framework could be more limited than
4717 * those defined for an algorithm.
4718 */
4719 alg->alg_default_bits = alg->alg_key_sizes[0];
4720 alg->alg_default = 0;
4721 if (alg->alg_increment != 0) {
4722 /* key sizes are defined by range & increment */
4723 alg->alg_minbits = alg->alg_key_sizes[1];
4724 alg->alg_maxbits = alg->alg_key_sizes[2];
4725 } else if (alg->alg_nkey_sizes == 0) {
4726 /* no specified key size for algorithm */
4727 alg->alg_minbits = alg->alg_maxbits = 0;
4728 } else {
4729 /* key sizes are defined by enumeration */
4730 alg->alg_minbits = (uint16_t)-1;
4731 alg->alg_maxbits = 0;
4732
4733 for (i = 0; i < alg->alg_nkey_sizes; i++) {
4734 if (alg->alg_key_sizes[i] < alg->alg_minbits)
4735 alg->alg_minbits = alg->alg_key_sizes[i];
4736 if (alg->alg_key_sizes[i] > alg->alg_maxbits)
4737 alg->alg_maxbits = alg->alg_key_sizes[i];
4738 }
4739 }
4740
4741 if (!(alg->alg_flags & ALG_FLAG_VALID))
4742 return;
4743
4744 /*
4745 * Mechanisms do not apply to the NULL encryption
4746 * algorithm, so simply return for this case.
4747 */
4748 if (alg->alg_id == SADB_EALG_NULL)
4749 return;
4750
4751 /*
4752 * Find the min and max key sizes supported by the cryptographic
4753 * framework providers.
4754 */
4755
4756 /* get the key sizes supported by the framework */
4757 crypto_rc = crypto_get_all_mech_info(alg->alg_mech_type,
4758 &mech_infos, &nmech_infos, KM_SLEEP);
4759 if (crypto_rc != CRYPTO_SUCCESS || nmech_infos == 0) {
4760 alg->alg_flags &= ~ALG_FLAG_VALID;
4761 return;
4762 }
4763
4764 /* min and max key sizes supported by framework */
4765 for (i = 0, is_valid = B_FALSE; i < nmech_infos; i++) {
4766 int unit_bits;
4767
4768 /*
4769 * Ignore entries that do not support the operations
4770 * needed for the algorithm type.
4771 */
4772 if (alg_type == IPSEC_ALG_AUTH) {
4773 mask = CRYPTO_MECH_USAGE_MAC;
4774 } else {
4775 mask = CRYPTO_MECH_USAGE_ENCRYPT |
4776 CRYPTO_MECH_USAGE_DECRYPT;
4777 }
4778 if ((mech_infos[i].mi_usage & mask) != mask)
4779 continue;
4780
4781 unit_bits = (mech_infos[i].mi_keysize_unit ==
4782 CRYPTO_KEYSIZE_UNIT_IN_BYTES) ? 8 : 1;
4783 /* adjust min/max supported by framework */
4784 cur_crypto_min = mech_infos[i].mi_min_key_size * unit_bits;
4785 cur_crypto_max = mech_infos[i].mi_max_key_size * unit_bits;
4786
4787 if (cur_crypto_min < crypto_min)
4788 crypto_min = cur_crypto_min;
4789
4790 /*
4791 * CRYPTO_EFFECTIVELY_INFINITE is a special value of
4792 * the crypto framework which means "no upper limit".
4793 */
4794 if (mech_infos[i].mi_max_key_size ==
4795 CRYPTO_EFFECTIVELY_INFINITE) {
4796 crypto_max = (size_t)-1;
4797 } else if (cur_crypto_max > crypto_max) {
4798 crypto_max = cur_crypto_max;
4799 }
4800
4801 is_valid = B_TRUE;
4802 }
4803
4804 kmem_free(mech_infos, sizeof (crypto_mechanism_info_t) *
4805 nmech_infos);
4806
4807 if (!is_valid) {
4808 /* no key sizes supported by framework */
4809 alg->alg_flags &= ~ALG_FLAG_VALID;
4810 return;
4811 }
4812
4813 /*
4814 * Determine min and max key sizes from alg_key_sizes[].
4815 * defined for the algorithm entry. Adjust key sizes based on
4816 * those supported by the framework.
4817 */
4818 alg->alg_ef_default_bits = alg->alg_key_sizes[0];
4819
4820 /*
4821 * For backwards compatability, assume that the IV length
4822 * is the same as the data length.
4823 */
4824 alg->alg_ivlen = alg->alg_datalen;
4825
4826 /*
4827 * Copy any algorithm parameters (if provided) into dedicated
4828 * elements in the ipsec_alginfo_t structure.
4829 * There may be a better place to put this code.
4830 */
4831 for (i = 0; i < alg->alg_nparams; i++) {
4832 switch (i) {
4833 case 0:
4834 /* Initialisation Vector length (bytes) */
4835 alg->alg_ivlen = alg->alg_params[0];
4836 break;
4837 case 1:
4838 /* Integrity Check Vector length (bytes) */
4839 alg->alg_icvlen = alg->alg_params[1];
4840 break;
4841 case 2:
4842 /* Salt length (bytes) */
4843 alg->alg_saltlen = (uint8_t)alg->alg_params[2];
4844 break;
4845 default:
4846 break;
4847 }
4848 }
4849
4850 /* Default if the IV length is not specified. */
4851 if (alg_type == IPSEC_ALG_ENCR && alg->alg_ivlen == 0)
4852 alg->alg_ivlen = alg->alg_datalen;
4853
4854 alg_flag_check(alg);
4855
4856 if (alg->alg_increment != 0) {
4857 /* supported key sizes are defined by range & increment */
4858 crypto_min = ALGBITS_ROUND_UP(crypto_min, alg->alg_increment);
4859 crypto_max = ALGBITS_ROUND_DOWN(crypto_max, alg->alg_increment);
4860
4861 alg->alg_ef_minbits = MAX(alg->alg_minbits,
4862 (uint16_t)crypto_min);
4863 alg->alg_ef_maxbits = MIN(alg->alg_maxbits,
4864 (uint16_t)crypto_max);
4865
4866 /*
4867 * If the sizes supported by the framework are outside
4868 * the range of sizes defined by the algorithm mappings,
4869 * the algorithm cannot be used. Check for this
4870 * condition here.
4871 */
4872 if (alg->alg_ef_minbits > alg->alg_ef_maxbits) {
4873 alg->alg_flags &= ~ALG_FLAG_VALID;
4874 return;
4875 }
4876 if (alg->alg_ef_default_bits < alg->alg_ef_minbits)
4877 alg->alg_ef_default_bits = alg->alg_ef_minbits;
4878 if (alg->alg_ef_default_bits > alg->alg_ef_maxbits)
4879 alg->alg_ef_default_bits = alg->alg_ef_maxbits;
4880 } else if (alg->alg_nkey_sizes == 0) {
4881 /* no specified key size for algorithm */
4882 alg->alg_ef_minbits = alg->alg_ef_maxbits = 0;
4883 } else {
4884 /* supported key sizes are defined by enumeration */
4885 alg->alg_ef_minbits = (uint16_t)-1;
4886 alg->alg_ef_maxbits = 0;
4887
4888 for (i = 0, is_valid = B_FALSE; i < alg->alg_nkey_sizes; i++) {
4889 /*
4890 * Ignore the current key size if it is not in the
4891 * range of sizes supported by the framework.
4892 */
4893 if (alg->alg_key_sizes[i] < crypto_min ||
4894 alg->alg_key_sizes[i] > crypto_max)
4895 continue;
4896 if (alg->alg_key_sizes[i] < alg->alg_ef_minbits)
4897 alg->alg_ef_minbits = alg->alg_key_sizes[i];
4898 if (alg->alg_key_sizes[i] > alg->alg_ef_maxbits)
4899 alg->alg_ef_maxbits = alg->alg_key_sizes[i];
4900 is_valid = B_TRUE;
4901 }
4902
4903 if (!is_valid) {
4904 alg->alg_flags &= ~ALG_FLAG_VALID;
4905 return;
4906 }
4907 alg->alg_ef_default = 0;
4908 }
4909 }
4910
4911 /*
4912 * Sanity check parameters provided by ipsecalgs(1m). Assume that
4913 * the algoritm is marked as valid, there is a check at the top
4914 * of this function. If any of the checks below fail, the algorithm
4915 * entry is invalid.
4916 */
4917 void
4918 alg_flag_check(ipsec_alginfo_t *alg)
4919 {
4920 alg->alg_flags &= ~ALG_FLAG_VALID;
4921
4922 /*
4923 * Can't have the algorithm marked as CCM and GCM.
4924 * Check the ALG_FLAG_COMBINED and ALG_FLAG_COUNTERMODE
4925 * flags are set for CCM & GCM.
4926 */
4927 if ((alg->alg_flags & (ALG_FLAG_CCM|ALG_FLAG_GCM)) ==
4928 (ALG_FLAG_CCM|ALG_FLAG_GCM))
4929 return;
4930 if (alg->alg_flags & (ALG_FLAG_CCM|ALG_FLAG_GCM)) {
4931 if (!(alg->alg_flags & ALG_FLAG_COUNTERMODE))
4932 return;
4933 if (!(alg->alg_flags & ALG_FLAG_COMBINED))
4934 return;
4935 }
4936
4937 /*
4938 * For ALG_FLAG_COUNTERMODE, check the parameters
4939 * fit in the ipsec_nonce_t structure.
4940 */
4941 if (alg->alg_flags & ALG_FLAG_COUNTERMODE) {
4942 if (alg->alg_ivlen != sizeof (((ipsec_nonce_t *)NULL)->iv))
4943 return;
4944 if (alg->alg_saltlen > sizeof (((ipsec_nonce_t *)NULL)->salt))
4945 return;
4946 }
4947 if ((alg->alg_flags & ALG_FLAG_COMBINED) &&
4948 (alg->alg_icvlen == 0))
4949 return;
4950
4951 /* all is well. */
4952 alg->alg_flags |= ALG_FLAG_VALID;
4953 }
4954
4955 /*
4956 * Free the memory used by the specified algorithm.
4957 */
4958 void
4959 ipsec_alg_free(ipsec_alginfo_t *alg)
4960 {
4961 if (alg == NULL)
4962 return;
4963
4964 if (alg->alg_key_sizes != NULL) {
4965 kmem_free(alg->alg_key_sizes,
4966 (alg->alg_nkey_sizes + 1) * sizeof (uint16_t));
4967 alg->alg_key_sizes = NULL;
4968 }
4969 if (alg->alg_block_sizes != NULL) {
4970 kmem_free(alg->alg_block_sizes,
4971 (alg->alg_nblock_sizes + 1) * sizeof (uint16_t));
4972 alg->alg_block_sizes = NULL;
4973 }
4974 if (alg->alg_params != NULL) {
4975 kmem_free(alg->alg_params,
4976 (alg->alg_nparams + 1) * sizeof (uint16_t));
4977 alg->alg_params = NULL;
4978 }
4979 kmem_free(alg, sizeof (*alg));
4980 }
4981
4982 /*
4983 * Check the validity of the specified key size for an algorithm.
4984 * Returns B_TRUE if key size is valid, B_FALSE otherwise.
4985 */
4986 boolean_t
4987 ipsec_valid_key_size(uint16_t key_size, ipsec_alginfo_t *alg)
4988 {
4989 if (key_size < alg->alg_ef_minbits || key_size > alg->alg_ef_maxbits)
4990 return (B_FALSE);
4991
4992 if (alg->alg_increment == 0 && alg->alg_nkey_sizes != 0) {
4993 /*
4994 * If the key sizes are defined by enumeration, the new
4995 * key size must be equal to one of the supported values.
4996 */
4997 int i;
4998
4999 for (i = 0; i < alg->alg_nkey_sizes; i++)
5000 if (key_size == alg->alg_key_sizes[i])
5001 break;
5002 if (i == alg->alg_nkey_sizes)
5003 return (B_FALSE);
5004 }
5005
5006 return (B_TRUE);
5007 }
5008
5009 /*
5010 * Callback function invoked by the crypto framework when a provider
5011 * registers or unregisters. This callback updates the algorithms
5012 * tables when a crypto algorithm is no longer available or becomes
5013 * available, and triggers the freeing/creation of context templates
5014 * associated with existing SAs, if needed.
5015 *
5016 * Need to walk all stack instances since the callback is global
5017 * for all instances
5018 */
5019 void
5020 ipsec_prov_update_callback(uint32_t event, void *event_arg)
5021 {
5022 netstack_handle_t nh;
5023 netstack_t *ns;
5024
5025 netstack_next_init(&nh);
5026 while ((ns = netstack_next(&nh)) != NULL) {
5027 ipsec_prov_update_callback_stack(event, event_arg, ns);
5028 netstack_rele(ns);
5029 }
5030 netstack_next_fini(&nh);
5031 }
5032
5033 static void
5034 ipsec_prov_update_callback_stack(uint32_t event, void *event_arg,
5035 netstack_t *ns)
5036 {
5037 crypto_notify_event_change_t *prov_change =
5038 (crypto_notify_event_change_t *)event_arg;
5039 uint_t algidx, algid, algtype, mech_count, mech_idx;
5040 ipsec_alginfo_t *alg;
5041 ipsec_alginfo_t oalg;
5042 crypto_mech_name_t *mechs;
5043 boolean_t alg_changed = B_FALSE;
5044 ipsec_stack_t *ipss = ns->netstack_ipsec;
5045
5046 /* ignore events for which we didn't register */
5047 if (event != CRYPTO_EVENT_MECHS_CHANGED) {
5048 ip1dbg(("ipsec_prov_update_callback: unexpected event 0x%x "
5049 " received from crypto framework\n", event));
5050 return;
5051 }
5052
5053 mechs = crypto_get_mech_list(&mech_count, KM_SLEEP);
5054 if (mechs == NULL)
5055 return;
5056
5057 /*
5058 * Walk the list of currently defined IPsec algorithm. Update
5059 * the algorithm valid flag and trigger an update of the
5060 * SAs that depend on that algorithm.
5061 */
5062 rw_enter(&ipss->ipsec_alg_lock, RW_WRITER);
5063 for (algtype = 0; algtype < IPSEC_NALGTYPES; algtype++) {
5064 for (algidx = 0; algidx < ipss->ipsec_nalgs[algtype];
5065 algidx++) {
5066
5067 algid = ipss->ipsec_sortlist[algtype][algidx];
5068 alg = ipss->ipsec_alglists[algtype][algid];
5069 ASSERT(alg != NULL);
5070
5071 /*
5072 * Skip the algorithms which do not map to the
5073 * crypto framework provider being added or removed.
5074 */
5075 if (strncmp(alg->alg_mech_name,
5076 prov_change->ec_mech_name,
5077 CRYPTO_MAX_MECH_NAME) != 0)
5078 continue;
5079
5080 /*
5081 * Determine if the mechanism is valid. If it
5082 * is not, mark the algorithm as being invalid. If
5083 * it is, mark the algorithm as being valid.
5084 */
5085 for (mech_idx = 0; mech_idx < mech_count; mech_idx++)
5086 if (strncmp(alg->alg_mech_name,
5087 mechs[mech_idx], CRYPTO_MAX_MECH_NAME) == 0)
5088 break;
5089 if (mech_idx == mech_count &&
5090 alg->alg_flags & ALG_FLAG_VALID) {
5091 alg->alg_flags &= ~ALG_FLAG_VALID;
5092 alg_changed = B_TRUE;
5093 } else if (mech_idx < mech_count &&
5094 !(alg->alg_flags & ALG_FLAG_VALID)) {
5095 alg->alg_flags |= ALG_FLAG_VALID;
5096 alg_changed = B_TRUE;
5097 }
5098
5099 /*
5100 * Update the supported key sizes, regardless
5101 * of whether a crypto provider was added or
5102 * removed.
5103 */
5104 oalg = *alg;
5105 ipsec_alg_fix_min_max(alg, algtype, ns);
5106 if (!alg_changed &&
5107 alg->alg_ef_minbits != oalg.alg_ef_minbits ||
5108 alg->alg_ef_maxbits != oalg.alg_ef_maxbits ||
5109 alg->alg_ef_default != oalg.alg_ef_default ||
5110 alg->alg_ef_default_bits !=
5111 oalg.alg_ef_default_bits)
5112 alg_changed = B_TRUE;
5113
5114 /*
5115 * Update the affected SAs if a software provider is
5116 * being added or removed.
5117 */
5118 if (prov_change->ec_provider_type ==
5119 CRYPTO_SW_PROVIDER)
5120 sadb_alg_update(algtype, alg->alg_id,
5121 prov_change->ec_change ==
5122 CRYPTO_MECH_ADDED, ns);
5123 }
5124 }
5125 rw_exit(&ipss->ipsec_alg_lock);
5126 crypto_free_mech_list(mechs, mech_count);
5127
5128 if (alg_changed) {
5129 /*
5130 * An algorithm has changed, i.e. it became valid or
5131 * invalid, or its support key sizes have changed.
5132 * Notify ipsecah and ipsecesp of this change so
5133 * that they can send a SADB_REGISTER to their consumers.
5134 */
5135 ipsecah_algs_changed(ns);
5136 ipsecesp_algs_changed(ns);
5137 }
5138 }
5139
5140 /*
5141 * Registers with the crypto framework to be notified of crypto
5142 * providers changes. Used to update the algorithm tables and
5143 * to free or create context templates if needed. Invoked after IPsec
5144 * is loaded successfully.
5145 *
5146 * This is called separately for each IP instance, so we ensure we only
5147 * register once.
5148 */
5149 void
5150 ipsec_register_prov_update(void)
5151 {
5152 if (prov_update_handle != NULL)
5153 return;
5154
5155 prov_update_handle = crypto_notify_events(
5156 ipsec_prov_update_callback, CRYPTO_EVENT_MECHS_CHANGED);
5157 }
5158
5159 /*
5160 * Unregisters from the framework to be notified of crypto providers
5161 * changes. Called from ipsec_policy_g_destroy().
5162 */
5163 static void
5164 ipsec_unregister_prov_update(void)
5165 {
5166 if (prov_update_handle != NULL)
5167 crypto_unnotify_events(prov_update_handle);
5168 }
5169
5170 /*
5171 * Tunnel-mode support routines.
5172 */
5173
5174 /*
5175 * Returns an mblk chain suitable for putnext() if policies match and IPsec
5176 * SAs are available. If there's no per-tunnel policy, or a match comes back
5177 * with no match, then still return the packet and have global policy take
5178 * a crack at it in IP.
5179 * This updates the ip_xmit_attr with the IPsec policy.
5180 *
5181 * Remember -> we can be forwarding packets. Keep that in mind w.r.t.
5182 * inner-packet contents.
5183 */
5184 mblk_t *
5185 ipsec_tun_outbound(mblk_t *mp, iptun_t *iptun, ipha_t *inner_ipv4,
5186 ip6_t *inner_ipv6, ipha_t *outer_ipv4, ip6_t *outer_ipv6, int outer_hdr_len,
5187 ip_xmit_attr_t *ixa)
5188 {
5189 ipsec_policy_head_t *polhead;
5190 ipsec_selector_t sel;
5191 mblk_t *nmp;
5192 boolean_t is_fragment;
5193 ipsec_policy_t *pol;
5194 ipsec_tun_pol_t *itp = iptun->iptun_itp;
5195 netstack_t *ns = iptun->iptun_ns;
5196 ipsec_stack_t *ipss = ns->netstack_ipsec;
5197
5198 ASSERT(outer_ipv6 != NULL && outer_ipv4 == NULL ||
5199 outer_ipv4 != NULL && outer_ipv6 == NULL);
5200 /* We take care of inners in a bit. */
5201
5202 /* Are the IPsec fields initialized at all? */
5203 if (!(ixa->ixa_flags & IXAF_IPSEC_SECURE)) {
5204 ASSERT(ixa->ixa_ipsec_policy == NULL);
5205 ASSERT(ixa->ixa_ipsec_latch == NULL);
5206 ASSERT(ixa->ixa_ipsec_action == NULL);
5207 ASSERT(ixa->ixa_ipsec_ah_sa == NULL);
5208 ASSERT(ixa->ixa_ipsec_esp_sa == NULL);
5209 }
5210
5211 ASSERT(itp != NULL && (itp->itp_flags & ITPF_P_ACTIVE));
5212 polhead = itp->itp_policy;
5213
5214 bzero(&sel, sizeof (sel));
5215 if (inner_ipv4 != NULL) {
5216 ASSERT(inner_ipv6 == NULL);
5217 sel.ips_isv4 = B_TRUE;
5218 sel.ips_local_addr_v4 = inner_ipv4->ipha_src;
5219 sel.ips_remote_addr_v4 = inner_ipv4->ipha_dst;
5220 sel.ips_protocol = (uint8_t)inner_ipv4->ipha_protocol;
5221 } else {
5222 ASSERT(inner_ipv6 != NULL);
5223 sel.ips_isv4 = B_FALSE;
5224 sel.ips_local_addr_v6 = inner_ipv6->ip6_src;
5225 /*
5226 * We don't care about routing-header dests in the
5227 * forwarding/tunnel path, so just grab ip6_dst.
5228 */
5229 sel.ips_remote_addr_v6 = inner_ipv6->ip6_dst;
5230 }
5231
5232 if (itp->itp_flags & ITPF_P_PER_PORT_SECURITY) {
5233 /*
5234 * Caller can prepend the outer header, which means
5235 * inner_ipv[46] may be stuck in the middle. Pullup the whole
5236 * mess now if need-be, for easier processing later. Don't
5237 * forget to rewire the outer header too.
5238 */
5239 if (mp->b_cont != NULL) {
5240 nmp = msgpullup(mp, -1);
5241 if (nmp == NULL) {
5242 ip_drop_packet(mp, B_FALSE, NULL,
5243 DROPPER(ipss, ipds_spd_nomem),
5244 &ipss->ipsec_spd_dropper);
5245 return (NULL);
5246 }
5247 freemsg(mp);
5248 mp = nmp;
5249 if (outer_ipv4 != NULL)
5250 outer_ipv4 = (ipha_t *)mp->b_rptr;
5251 else
5252 outer_ipv6 = (ip6_t *)mp->b_rptr;
5253 if (inner_ipv4 != NULL) {
5254 inner_ipv4 =
5255 (ipha_t *)(mp->b_rptr + outer_hdr_len);
5256 } else {
5257 inner_ipv6 =
5258 (ip6_t *)(mp->b_rptr + outer_hdr_len);
5259 }
5260 }
5261 if (inner_ipv4 != NULL) {
5262 is_fragment = IS_V4_FRAGMENT(
5263 inner_ipv4->ipha_fragment_offset_and_flags);
5264 } else {
5265 sel.ips_remote_addr_v6 = ip_get_dst_v6(inner_ipv6, mp,
5266 &is_fragment);
5267 }
5268
5269 if (is_fragment) {
5270 ipha_t *oiph;
5271 ipha_t *iph = NULL;
5272 ip6_t *ip6h = NULL;
5273 int hdr_len;
5274 uint16_t ip6_hdr_length;
5275 uint8_t v6_proto;
5276 uint8_t *v6_proto_p;
5277
5278 /*
5279 * We have a fragment we need to track!
5280 */
5281 mp = ipsec_fragcache_add(&itp->itp_fragcache, NULL, mp,
5282 outer_hdr_len, ipss);
5283 if (mp == NULL)
5284 return (NULL);
5285 ASSERT(mp->b_cont == NULL);
5286
5287 /*
5288 * If we get here, we have a full fragment chain
5289 */
5290
5291 oiph = (ipha_t *)mp->b_rptr;
5292 if (IPH_HDR_VERSION(oiph) == IPV4_VERSION) {
5293 hdr_len = ((outer_hdr_len != 0) ?
5294 IPH_HDR_LENGTH(oiph) : 0);
5295 iph = (ipha_t *)(mp->b_rptr + hdr_len);
5296 } else {
5297 ASSERT(IPH_HDR_VERSION(oiph) == IPV6_VERSION);
5298 ip6h = (ip6_t *)mp->b_rptr;
5299 if (!ip_hdr_length_nexthdr_v6(mp, ip6h,
5300 &ip6_hdr_length, &v6_proto_p)) {
5301 ip_drop_packet_chain(mp, B_FALSE, NULL,
5302 DROPPER(ipss,
5303 ipds_spd_malformed_packet),
5304 &ipss->ipsec_spd_dropper);
5305 return (NULL);
5306 }
5307 hdr_len = ip6_hdr_length;
5308 }
5309 outer_hdr_len = hdr_len;
5310
5311 if (sel.ips_isv4) {
5312 if (iph == NULL) {
5313 /* Was v6 outer */
5314 iph = (ipha_t *)(mp->b_rptr + hdr_len);
5315 }
5316 inner_ipv4 = iph;
5317 sel.ips_local_addr_v4 = inner_ipv4->ipha_src;
5318 sel.ips_remote_addr_v4 = inner_ipv4->ipha_dst;
5319 sel.ips_protocol =
5320 (uint8_t)inner_ipv4->ipha_protocol;
5321 } else {
5322 inner_ipv6 = (ip6_t *)(mp->b_rptr +
5323 hdr_len);
5324 sel.ips_local_addr_v6 = inner_ipv6->ip6_src;
5325 sel.ips_remote_addr_v6 = inner_ipv6->ip6_dst;
5326 if (!ip_hdr_length_nexthdr_v6(mp,
5327 inner_ipv6, &ip6_hdr_length, &v6_proto_p)) {
5328 ip_drop_packet_chain(mp, B_FALSE, NULL,
5329 DROPPER(ipss,
5330 ipds_spd_malformed_frag),
5331 &ipss->ipsec_spd_dropper);
5332 return (NULL);
5333 }
5334 v6_proto = *v6_proto_p;
5335 sel.ips_protocol = v6_proto;
5336 #ifdef FRAGCACHE_DEBUG
5337 cmn_err(CE_WARN, "v6_sel.ips_protocol = %d\n",
5338 sel.ips_protocol);
5339 #endif
5340 }
5341 /* Ports are extracted below */
5342 }
5343
5344 /* Get ports... */
5345 if (!ipsec_init_outbound_ports(&sel, mp,
5346 inner_ipv4, inner_ipv6, outer_hdr_len, ipss)) {
5347 /* callee did ip_drop_packet_chain() on mp. */
5348 return (NULL);
5349 }
5350 #ifdef FRAGCACHE_DEBUG
5351 if (inner_ipv4 != NULL)
5352 cmn_err(CE_WARN,
5353 "(v4) sel.ips_protocol = %d, "
5354 "sel.ips_local_port = %d, "
5355 "sel.ips_remote_port = %d\n",
5356 sel.ips_protocol, ntohs(sel.ips_local_port),
5357 ntohs(sel.ips_remote_port));
5358 if (inner_ipv6 != NULL)
5359 cmn_err(CE_WARN,
5360 "(v6) sel.ips_protocol = %d, "
5361 "sel.ips_local_port = %d, "
5362 "sel.ips_remote_port = %d\n",
5363 sel.ips_protocol, ntohs(sel.ips_local_port),
5364 ntohs(sel.ips_remote_port));
5365 #endif
5366 /* Success so far! */
5367 }
5368 rw_enter(&polhead->iph_lock, RW_READER);
5369 pol = ipsec_find_policy_head(NULL, polhead, IPSEC_TYPE_OUTBOUND, &sel);
5370 rw_exit(&polhead->iph_lock);
5371 if (pol == NULL) {
5372 /*
5373 * No matching policy on this tunnel, drop the packet.
5374 *
5375 * NOTE: Tunnel-mode tunnels are different from the
5376 * IP global transport mode policy head. For a tunnel-mode
5377 * tunnel, we drop the packet in lieu of passing it
5378 * along accepted the way a global-policy miss would.
5379 *
5380 * NOTE2: "negotiate transport" tunnels should match ALL
5381 * inbound packets, but we do not uncomment the ASSERT()
5382 * below because if/when we open PF_POLICY, a user can
5383 * shoot themself in the foot with a 0 priority.
5384 */
5385
5386 /* ASSERT(itp->itp_flags & ITPF_P_TUNNEL); */
5387 #ifdef FRAGCACHE_DEBUG
5388 cmn_err(CE_WARN, "ipsec_tun_outbound(): No matching tunnel "
5389 "per-port policy\n");
5390 #endif
5391 ip_drop_packet_chain(mp, B_FALSE, NULL,
5392 DROPPER(ipss, ipds_spd_explicit),
5393 &ipss->ipsec_spd_dropper);
5394 return (NULL);
5395 }
5396
5397 #ifdef FRAGCACHE_DEBUG
5398 cmn_err(CE_WARN, "Having matching tunnel per-port policy\n");
5399 #endif
5400
5401 /*
5402 * NOTE: ixa_cleanup() function will release pol references.
5403 */
5404 ixa->ixa_ipsec_policy = pol;
5405 /*
5406 * NOTE: There is a subtle difference between iptun_zoneid and
5407 * iptun_connp->conn_zoneid explained in iptun_conn_create(). When
5408 * interacting with the ip module, we must use conn_zoneid.
5409 */
5410 ixa->ixa_zoneid = iptun->iptun_connp->conn_zoneid;
5411
5412 ASSERT((outer_ipv4 != NULL) ? (ixa->ixa_flags & IXAF_IS_IPV4) :
5413 !(ixa->ixa_flags & IXAF_IS_IPV4));
5414 ASSERT(ixa->ixa_ipsec_policy != NULL);
5415 ixa->ixa_flags |= IXAF_IPSEC_SECURE;
5416
5417 if (!(itp->itp_flags & ITPF_P_TUNNEL)) {
5418 /* Set up transport mode for tunnelled packets. */
5419 ixa->ixa_ipsec_proto = (inner_ipv4 != NULL) ? IPPROTO_ENCAP :
5420 IPPROTO_IPV6;
5421 return (mp);
5422 }
5423
5424 /* Fill in tunnel-mode goodies here. */
5425 ixa->ixa_flags |= IXAF_IPSEC_TUNNEL;
5426 /* XXX Do I need to fill in all of the goodies here? */
5427 if (inner_ipv4) {
5428 ixa->ixa_ipsec_inaf = AF_INET;
5429 ixa->ixa_ipsec_insrc[0] =
5430 pol->ipsp_sel->ipsl_key.ipsl_local.ipsad_v4;
5431 ixa->ixa_ipsec_indst[0] =
5432 pol->ipsp_sel->ipsl_key.ipsl_remote.ipsad_v4;
5433 } else {
5434 ixa->ixa_ipsec_inaf = AF_INET6;
5435 ixa->ixa_ipsec_insrc[0] =
5436 pol->ipsp_sel->ipsl_key.ipsl_local.ipsad_v6.s6_addr32[0];
5437 ixa->ixa_ipsec_insrc[1] =
5438 pol->ipsp_sel->ipsl_key.ipsl_local.ipsad_v6.s6_addr32[1];
5439 ixa->ixa_ipsec_insrc[2] =
5440 pol->ipsp_sel->ipsl_key.ipsl_local.ipsad_v6.s6_addr32[2];
5441 ixa->ixa_ipsec_insrc[3] =
5442 pol->ipsp_sel->ipsl_key.ipsl_local.ipsad_v6.s6_addr32[3];
5443 ixa->ixa_ipsec_indst[0] =
5444 pol->ipsp_sel->ipsl_key.ipsl_remote.ipsad_v6.s6_addr32[0];
5445 ixa->ixa_ipsec_indst[1] =
5446 pol->ipsp_sel->ipsl_key.ipsl_remote.ipsad_v6.s6_addr32[1];
5447 ixa->ixa_ipsec_indst[2] =
5448 pol->ipsp_sel->ipsl_key.ipsl_remote.ipsad_v6.s6_addr32[2];
5449 ixa->ixa_ipsec_indst[3] =
5450 pol->ipsp_sel->ipsl_key.ipsl_remote.ipsad_v6.s6_addr32[3];
5451 }
5452 ixa->ixa_ipsec_insrcpfx = pol->ipsp_sel->ipsl_key.ipsl_local_pfxlen;
5453 ixa->ixa_ipsec_indstpfx = pol->ipsp_sel->ipsl_key.ipsl_remote_pfxlen;
5454 /* NOTE: These are used for transport mode too. */
5455 ixa->ixa_ipsec_src_port = pol->ipsp_sel->ipsl_key.ipsl_lport;
5456 ixa->ixa_ipsec_dst_port = pol->ipsp_sel->ipsl_key.ipsl_rport;
5457 ixa->ixa_ipsec_proto = pol->ipsp_sel->ipsl_key.ipsl_proto;
5458
5459 return (mp);
5460 }
5461
5462 /*
5463 * NOTE: The following releases pol's reference and
5464 * calls ip_drop_packet() for me on NULL returns.
5465 */
5466 mblk_t *
5467 ipsec_check_ipsecin_policy_reasm(mblk_t *attr_mp, ipsec_policy_t *pol,
5468 ipha_t *inner_ipv4, ip6_t *inner_ipv6, uint64_t pkt_unique, netstack_t *ns)
5469 {
5470 /* Assume attr_mp is a chain of b_next-linked ip_recv_attr mblk. */
5471 mblk_t *data_chain = NULL, *data_tail = NULL;
5472 mblk_t *next;
5473 mblk_t *data_mp;
5474 ip_recv_attr_t iras;
5475
5476 while (attr_mp != NULL) {
5477 ASSERT(ip_recv_attr_is_mblk(attr_mp));
5478 next = attr_mp->b_next;
5479 attr_mp->b_next = NULL; /* No tripping asserts. */
5480
5481 data_mp = attr_mp->b_cont;
5482 attr_mp->b_cont = NULL;
5483 if (!ip_recv_attr_from_mblk(attr_mp, &iras)) {
5484 /* The ill or ip_stack_t disappeared on us */
5485 freemsg(data_mp); /* ip_drop_packet?? */
5486 ira_cleanup(&iras, B_TRUE);
5487 goto fail;
5488 }
5489
5490 /*
5491 * Need IPPOL_REFHOLD(pol) for extras because
5492 * ipsecin_policy does the refrele.
5493 */
5494 IPPOL_REFHOLD(pol);
5495
5496 data_mp = ipsec_check_ipsecin_policy(data_mp, pol, inner_ipv4,
5497 inner_ipv6, pkt_unique, &iras, ns);
5498 ira_cleanup(&iras, B_TRUE);
5499
5500 if (data_mp == NULL)
5501 goto fail;
5502
5503 if (data_tail == NULL) {
5504 /* First one */
5505 data_chain = data_tail = data_mp;
5506 } else {
5507 data_tail->b_next = data_mp;
5508 data_tail = data_mp;
5509 }
5510 attr_mp = next;
5511 }
5512 /*
5513 * One last release because either the loop bumped it up, or we never
5514 * called ipsec_check_ipsecin_policy().
5515 */
5516 IPPOL_REFRELE(pol);
5517
5518 /* data_chain is ready for return to tun module. */
5519 return (data_chain);
5520
5521 fail:
5522 /*
5523 * Need to get rid of any extra pol
5524 * references, and any remaining bits as well.
5525 */
5526 IPPOL_REFRELE(pol);
5527 ipsec_freemsg_chain(data_chain);
5528 ipsec_freemsg_chain(next); /* ipdrop stats? */
5529 return (NULL);
5530 }
5531
5532 /*
5533 * Return a message if the inbound packet passed an IPsec policy check. Returns
5534 * NULL if it failed or if it is a fragment needing its friends before a
5535 * policy check can be performed.
5536 *
5537 * Expects a non-NULL data_mp, and a non-NULL polhead.
5538 * The returned mblk may be a b_next chain of packets if fragments
5539 * neeeded to be collected for a proper policy check.
5540 *
5541 * This function calls ip_drop_packet() on data_mp if need be.
5542 *
5543 * NOTE: outer_hdr_len is signed. If it's a negative value, the caller
5544 * is inspecting an ICMP packet.
5545 */
5546 mblk_t *
5547 ipsec_tun_inbound(ip_recv_attr_t *ira, mblk_t *data_mp, ipsec_tun_pol_t *itp,
5548 ipha_t *inner_ipv4, ip6_t *inner_ipv6, ipha_t *outer_ipv4,
5549 ip6_t *outer_ipv6, int outer_hdr_len, netstack_t *ns)
5550 {
5551 ipsec_policy_head_t *polhead;
5552 ipsec_selector_t sel;
5553 ipsec_policy_t *pol;
5554 uint16_t tmpport;
5555 selret_t rc;
5556 boolean_t port_policy_present, is_icmp, global_present;
5557 in6_addr_t tmpaddr;
5558 ipaddr_t tmp4;
5559 uint8_t flags, *inner_hdr;
5560 ipsec_stack_t *ipss = ns->netstack_ipsec;
5561
5562 sel.ips_is_icmp_inv_acq = 0;
5563
5564 if (outer_ipv4 != NULL) {
5565 ASSERT(outer_ipv6 == NULL);
5566 global_present = ipss->ipsec_inbound_v4_policy_present;
5567 } else {
5568 ASSERT(outer_ipv6 != NULL);
5569 global_present = ipss->ipsec_inbound_v6_policy_present;
5570 }
5571
5572 ASSERT(inner_ipv4 != NULL && inner_ipv6 == NULL ||
5573 inner_ipv4 == NULL && inner_ipv6 != NULL);
5574
5575 if (outer_hdr_len < 0) {
5576 outer_hdr_len = (-outer_hdr_len);
5577 is_icmp = B_TRUE;
5578 } else {
5579 is_icmp = B_FALSE;
5580 }
5581
5582 if (itp != NULL && (itp->itp_flags & ITPF_P_ACTIVE)) {
5583 mblk_t *mp = data_mp;
5584
5585 polhead = itp->itp_policy;
5586 /*
5587 * We need to perform full Tunnel-Mode enforcement,
5588 * and we need to have inner-header data for such enforcement.
5589 *
5590 * See ipsec_init_inbound_sel() for the 0x80000000 on inbound
5591 * and on return.
5592 */
5593
5594 port_policy_present = ((itp->itp_flags &
5595 ITPF_P_PER_PORT_SECURITY) ? B_TRUE : B_FALSE);
5596 /*
5597 * NOTE: Even if our policy is transport mode, set the
5598 * SEL_TUNNEL_MODE flag so ipsec_init_inbound_sel() can
5599 * do the right thing w.r.t. outer headers.
5600 */
5601 flags = ((port_policy_present ? SEL_PORT_POLICY : SEL_NONE) |
5602 (is_icmp ? SEL_IS_ICMP : SEL_NONE) | SEL_TUNNEL_MODE);
5603
5604 rc = ipsec_init_inbound_sel(&sel, data_mp, inner_ipv4,
5605 inner_ipv6, flags);
5606
5607 switch (rc) {
5608 case SELRET_NOMEM:
5609 ip_drop_packet(data_mp, B_TRUE, NULL,
5610 DROPPER(ipss, ipds_spd_nomem),
5611 &ipss->ipsec_spd_dropper);
5612 return (NULL);
5613 case SELRET_TUNFRAG:
5614 /*
5615 * At this point, if we're cleartext, we don't want
5616 * to go there.
5617 */
5618 if (!(ira->ira_flags & IRAF_IPSEC_SECURE)) {
5619 ip_drop_packet(data_mp, B_TRUE, NULL,
5620 DROPPER(ipss, ipds_spd_got_clear),
5621 &ipss->ipsec_spd_dropper);
5622 return (NULL);
5623 }
5624
5625 /*
5626 * Inner and outer headers may not be contiguous.
5627 * Pullup the data_mp now to satisfy assumptions of
5628 * ipsec_fragcache_add()
5629 */
5630 if (data_mp->b_cont != NULL) {
5631 mblk_t *nmp;
5632
5633 nmp = msgpullup(data_mp, -1);
5634 if (nmp == NULL) {
5635 ip_drop_packet(data_mp, B_TRUE, NULL,
5636 DROPPER(ipss, ipds_spd_nomem),
5637 &ipss->ipsec_spd_dropper);
5638 return (NULL);
5639 }
5640 freemsg(data_mp);
5641 data_mp = nmp;
5642 if (outer_ipv4 != NULL)
5643 outer_ipv4 =
5644 (ipha_t *)data_mp->b_rptr;
5645 else
5646 outer_ipv6 =
5647 (ip6_t *)data_mp->b_rptr;
5648 if (inner_ipv4 != NULL) {
5649 inner_ipv4 =
5650 (ipha_t *)(data_mp->b_rptr +
5651 outer_hdr_len);
5652 } else {
5653 inner_ipv6 =
5654 (ip6_t *)(data_mp->b_rptr +
5655 outer_hdr_len);
5656 }
5657 }
5658
5659 /*
5660 * If we need to queue the packet. First we
5661 * get an mblk with the attributes. ipsec_fragcache_add
5662 * will prepend that to the queued data and return
5663 * a list of b_next messages each of which starts with
5664 * the attribute mblk.
5665 */
5666 mp = ip_recv_attr_to_mblk(ira);
5667 if (mp == NULL) {
5668 ip_drop_packet(data_mp, B_TRUE, NULL,
5669 DROPPER(ipss, ipds_spd_nomem),
5670 &ipss->ipsec_spd_dropper);
5671 return (NULL);
5672 }
5673
5674 mp = ipsec_fragcache_add(&itp->itp_fragcache,
5675 mp, data_mp, outer_hdr_len, ipss);
5676
5677 if (mp == NULL) {
5678 /*
5679 * Data is cached, fragment chain is not
5680 * complete.
5681 */
5682 return (NULL);
5683 }
5684
5685 /*
5686 * If we get here, we have a full fragment chain.
5687 * Reacquire headers and selectors from first fragment.
5688 */
5689 ASSERT(ip_recv_attr_is_mblk(mp));
5690 data_mp = mp->b_cont;
5691 inner_hdr = data_mp->b_rptr;
5692 if (outer_ipv4 != NULL) {
5693 inner_hdr += IPH_HDR_LENGTH(
5694 (ipha_t *)data_mp->b_rptr);
5695 } else {
5696 inner_hdr += ip_hdr_length_v6(data_mp,
5697 (ip6_t *)data_mp->b_rptr);
5698 }
5699 ASSERT(inner_hdr <= data_mp->b_wptr);
5700
5701 if (inner_ipv4 != NULL) {
5702 inner_ipv4 = (ipha_t *)inner_hdr;
5703 inner_ipv6 = NULL;
5704 } else {
5705 inner_ipv6 = (ip6_t *)inner_hdr;
5706 inner_ipv4 = NULL;
5707 }
5708
5709 /*
5710 * Use SEL_TUNNEL_MODE to take into account the outer
5711 * header. Use SEL_POST_FRAG so we always get ports.
5712 */
5713 rc = ipsec_init_inbound_sel(&sel, data_mp,
5714 inner_ipv4, inner_ipv6,
5715 SEL_TUNNEL_MODE | SEL_POST_FRAG);
5716 switch (rc) {
5717 case SELRET_SUCCESS:
5718 /*
5719 * Get to same place as first caller's
5720 * SELRET_SUCCESS case.
5721 */
5722 break;
5723 case SELRET_NOMEM:
5724 ip_drop_packet_chain(mp, B_TRUE, NULL,
5725 DROPPER(ipss, ipds_spd_nomem),
5726 &ipss->ipsec_spd_dropper);
5727 return (NULL);
5728 case SELRET_BADPKT:
5729 ip_drop_packet_chain(mp, B_TRUE, NULL,
5730 DROPPER(ipss, ipds_spd_malformed_frag),
5731 &ipss->ipsec_spd_dropper);
5732 return (NULL);
5733 case SELRET_TUNFRAG:
5734 cmn_err(CE_WARN, "(TUNFRAG on 2nd call...)");
5735 /* FALLTHRU */
5736 default:
5737 cmn_err(CE_WARN, "ipsec_init_inbound_sel(mark2)"
5738 " returns bizarro 0x%x", rc);
5739 /* Guaranteed panic! */
5740 ASSERT(rc == SELRET_NOMEM);
5741 return (NULL);
5742 }
5743 /* FALLTHRU */
5744 case SELRET_SUCCESS:
5745 /*
5746 * Common case:
5747 * No per-port policy or a non-fragment. Keep going.
5748 */
5749 break;
5750 case SELRET_BADPKT:
5751 /*
5752 * We may receive ICMP (with IPv6 inner) packets that
5753 * trigger this return value. Send 'em in for
5754 * enforcement checking.
5755 */
5756 cmn_err(CE_NOTE, "ipsec_tun_inbound(): "
5757 "sending 'bad packet' in for enforcement");
5758 break;
5759 default:
5760 cmn_err(CE_WARN,
5761 "ipsec_init_inbound_sel() returns bizarro 0x%x",
5762 rc);
5763 ASSERT(rc == SELRET_NOMEM); /* Guaranteed panic! */
5764 return (NULL);
5765 }
5766
5767 if (is_icmp) {
5768 /*
5769 * Swap local/remote because this is an ICMP packet.
5770 */
5771 tmpaddr = sel.ips_local_addr_v6;
5772 sel.ips_local_addr_v6 = sel.ips_remote_addr_v6;
5773 sel.ips_remote_addr_v6 = tmpaddr;
5774 tmpport = sel.ips_local_port;
5775 sel.ips_local_port = sel.ips_remote_port;
5776 sel.ips_remote_port = tmpport;
5777 }
5778
5779 /* find_policy_head() */
5780 rw_enter(&polhead->iph_lock, RW_READER);
5781 pol = ipsec_find_policy_head(NULL, polhead, IPSEC_TYPE_INBOUND,
5782 &sel);
5783 rw_exit(&polhead->iph_lock);
5784 if (pol != NULL) {
5785 uint64_t pkt_unique;
5786
5787 if (!(ira->ira_flags & IRAF_IPSEC_SECURE)) {
5788 if (!pol->ipsp_act->ipa_allow_clear) {
5789 /*
5790 * XXX should never get here with
5791 * tunnel reassembled fragments?
5792 */
5793 ASSERT(mp == data_mp);
5794 ip_drop_packet(data_mp, B_TRUE, NULL,
5795 DROPPER(ipss, ipds_spd_got_clear),
5796 &ipss->ipsec_spd_dropper);
5797 IPPOL_REFRELE(pol);
5798 return (NULL);
5799 } else {
5800 IPPOL_REFRELE(pol);
5801 return (mp);
5802 }
5803 }
5804 pkt_unique = SA_UNIQUE_ID(sel.ips_remote_port,
5805 sel.ips_local_port,
5806 (inner_ipv4 == NULL) ? IPPROTO_IPV6 :
5807 IPPROTO_ENCAP, sel.ips_protocol);
5808
5809 /*
5810 * NOTE: The following releases pol's reference and
5811 * calls ip_drop_packet() for me on NULL returns.
5812 *
5813 * "sel" is still good here, so let's use it!
5814 */
5815 if (data_mp == mp) {
5816 /* A single packet without attributes */
5817 data_mp = ipsec_check_ipsecin_policy(data_mp,
5818 pol, inner_ipv4, inner_ipv6, pkt_unique,
5819 ira, ns);
5820 } else {
5821 /*
5822 * We pass in the b_next chain of attr_mp's
5823 * and get back a b_next chain of data_mp's.
5824 */
5825 data_mp = ipsec_check_ipsecin_policy_reasm(mp,
5826 pol, inner_ipv4, inner_ipv6, pkt_unique,
5827 ns);
5828 }
5829 return (data_mp);
5830 }
5831
5832 /*
5833 * Else fallthru and check the global policy on the outer
5834 * header(s) if this tunnel is an old-style transport-mode
5835 * one. Drop the packet explicitly (no policy entry) for
5836 * a new-style tunnel-mode tunnel.
5837 */
5838 if ((itp->itp_flags & ITPF_P_TUNNEL) && !is_icmp) {
5839 ip_drop_packet_chain(data_mp, B_TRUE, NULL,
5840 DROPPER(ipss, ipds_spd_explicit),
5841 &ipss->ipsec_spd_dropper);
5842 return (NULL);
5843 }
5844 }
5845
5846 /*
5847 * NOTE: If we reach here, we will not have packet chains from
5848 * fragcache_add(), because the only way I get chains is on a
5849 * tunnel-mode tunnel, which either returns with a pass, or gets
5850 * hit by the ip_drop_packet_chain() call right above here.
5851 */
5852 ASSERT(data_mp->b_next == NULL);
5853
5854 /* If no per-tunnel security, check global policy now. */
5855 if ((ira->ira_flags & IRAF_IPSEC_SECURE) && !global_present) {
5856 if (ira->ira_flags & IRAF_TRUSTED_ICMP) {
5857 /*
5858 * This is an ICMP message that was geenrated locally.
5859 * We should accept it.
5860 */
5861 return (data_mp);
5862 }
5863
5864 ip_drop_packet(data_mp, B_TRUE, NULL,
5865 DROPPER(ipss, ipds_spd_got_secure),
5866 &ipss->ipsec_spd_dropper);
5867 return (NULL);
5868 }
5869
5870 if (is_icmp) {
5871 /*
5872 * For ICMP packets, "outer_ipvN" is set to the outer header
5873 * that is *INSIDE* the ICMP payload. For global policy
5874 * checking, we need to reverse src/dst on the payload in
5875 * order to construct selectors appropriately. See "ripha"
5876 * constructions in ip.c. To avoid a bug like 6478464 (see
5877 * earlier in this file), we will actually exchange src/dst
5878 * in the packet, and reverse if after the call to
5879 * ipsec_check_global_policy().
5880 */
5881 if (outer_ipv4 != NULL) {
5882 tmp4 = outer_ipv4->ipha_src;
5883 outer_ipv4->ipha_src = outer_ipv4->ipha_dst;
5884 outer_ipv4->ipha_dst = tmp4;
5885 } else {
5886 ASSERT(outer_ipv6 != NULL);
5887 tmpaddr = outer_ipv6->ip6_src;
5888 outer_ipv6->ip6_src = outer_ipv6->ip6_dst;
5889 outer_ipv6->ip6_dst = tmpaddr;
5890 }
5891 }
5892
5893 data_mp = ipsec_check_global_policy(data_mp, NULL, outer_ipv4,
5894 outer_ipv6, ira, ns);
5895 if (data_mp == NULL)
5896 return (NULL);
5897
5898 if (is_icmp) {
5899 /* Set things back to normal. */
5900 if (outer_ipv4 != NULL) {
5901 tmp4 = outer_ipv4->ipha_src;
5902 outer_ipv4->ipha_src = outer_ipv4->ipha_dst;
5903 outer_ipv4->ipha_dst = tmp4;
5904 } else {
5905 /* No need for ASSERT()s now. */
5906 tmpaddr = outer_ipv6->ip6_src;
5907 outer_ipv6->ip6_src = outer_ipv6->ip6_dst;
5908 outer_ipv6->ip6_dst = tmpaddr;
5909 }
5910 }
5911
5912 /*
5913 * At this point, we pretend it's a cleartext accepted
5914 * packet.
5915 */
5916 return (data_mp);
5917 }
5918
5919 /*
5920 * AVL comparison routine for our list of tunnel polheads.
5921 */
5922 static int
5923 tunnel_compare(const void *arg1, const void *arg2)
5924 {
5925 ipsec_tun_pol_t *left, *right;
5926 int rc;
5927
5928 left = (ipsec_tun_pol_t *)arg1;
5929 right = (ipsec_tun_pol_t *)arg2;
5930
5931 rc = strncmp(left->itp_name, right->itp_name, LIFNAMSIZ);
5932 return (rc == 0 ? rc : (rc > 0 ? 1 : -1));
5933 }
5934
5935 /*
5936 * Free a tunnel policy node.
5937 */
5938 void
5939 itp_free(ipsec_tun_pol_t *node, netstack_t *ns)
5940 {
5941 if (node->itp_policy != NULL) {
5942 IPPH_REFRELE(node->itp_policy, ns);
5943 node->itp_policy = NULL;
5944 }
5945 if (node->itp_inactive != NULL) {
5946 IPPH_REFRELE(node->itp_inactive, ns);
5947 node->itp_inactive = NULL;
5948 }
5949 mutex_destroy(&node->itp_lock);
5950 kmem_free(node, sizeof (*node));
5951 }
5952
5953 void
5954 itp_unlink(ipsec_tun_pol_t *node, netstack_t *ns)
5955 {
5956 ipsec_stack_t *ipss = ns->netstack_ipsec;
5957
5958 rw_enter(&ipss->ipsec_tunnel_policy_lock, RW_WRITER);
5959 ipss->ipsec_tunnel_policy_gen++;
5960 ipsec_fragcache_uninit(&node->itp_fragcache, ipss);
5961 avl_remove(&ipss->ipsec_tunnel_policies, node);
5962 rw_exit(&ipss->ipsec_tunnel_policy_lock);
5963 ITP_REFRELE(node, ns);
5964 }
5965
5966 /*
5967 * Public interface to look up a tunnel security policy by name. Used by
5968 * spdsock mostly. Returns "node" with a bumped refcnt.
5969 */
5970 ipsec_tun_pol_t *
5971 get_tunnel_policy(char *name, netstack_t *ns)
5972 {
5973 ipsec_tun_pol_t *node, lookup;
5974 ipsec_stack_t *ipss = ns->netstack_ipsec;
5975
5976 (void) strncpy(lookup.itp_name, name, LIFNAMSIZ);
5977
5978 rw_enter(&ipss->ipsec_tunnel_policy_lock, RW_READER);
5979 node = (ipsec_tun_pol_t *)avl_find(&ipss->ipsec_tunnel_policies,
5980 &lookup, NULL);
5981 if (node != NULL) {
5982 ITP_REFHOLD(node);
5983 }
5984 rw_exit(&ipss->ipsec_tunnel_policy_lock);
5985
5986 return (node);
5987 }
5988
5989 /*
5990 * Public interface to walk all tunnel security polcies. Useful for spdsock
5991 * DUMP operations. iterator() will not consume a reference.
5992 */
5993 void
5994 itp_walk(void (*iterator)(ipsec_tun_pol_t *, void *, netstack_t *),
5995 void *arg, netstack_t *ns)
5996 {
5997 ipsec_tun_pol_t *node;
5998 ipsec_stack_t *ipss = ns->netstack_ipsec;
5999
6000 rw_enter(&ipss->ipsec_tunnel_policy_lock, RW_READER);
6001 for (node = avl_first(&ipss->ipsec_tunnel_policies); node != NULL;
6002 node = AVL_NEXT(&ipss->ipsec_tunnel_policies, node)) {
6003 iterator(node, arg, ns);
6004 }
6005 rw_exit(&ipss->ipsec_tunnel_policy_lock);
6006 }
6007
6008 /*
6009 * Initialize policy head. This can only fail if there's a memory problem.
6010 */
6011 static boolean_t
6012 tunnel_polhead_init(ipsec_policy_head_t *iph, netstack_t *ns)
6013 {
6014 ipsec_stack_t *ipss = ns->netstack_ipsec;
6015
6016 rw_init(&iph->iph_lock, NULL, RW_DEFAULT, NULL);
6017 iph->iph_refs = 1;
6018 iph->iph_gen = 0;
6019 if (ipsec_alloc_table(iph, ipss->ipsec_tun_spd_hashsize,
6020 KM_SLEEP, B_FALSE, ns) != 0) {
6021 ipsec_polhead_free_table(iph);
6022 return (B_FALSE);
6023 }
6024 ipsec_polhead_init(iph, ipss->ipsec_tun_spd_hashsize);
6025 return (B_TRUE);
6026 }
6027
6028 /*
6029 * Create a tunnel policy node with "name". Set errno with
6030 * ENOMEM if there's a memory problem, and EEXIST if there's an existing
6031 * node.
6032 */
6033 ipsec_tun_pol_t *
6034 create_tunnel_policy(char *name, int *errno, uint64_t *gen, netstack_t *ns)
6035 {
6036 ipsec_tun_pol_t *newbie, *existing;
6037 avl_index_t where;
6038 ipsec_stack_t *ipss = ns->netstack_ipsec;
6039
6040 newbie = kmem_zalloc(sizeof (*newbie), KM_NOSLEEP);
6041 if (newbie == NULL) {
6042 *errno = ENOMEM;
6043 return (NULL);
6044 }
6045 if (!ipsec_fragcache_init(&newbie->itp_fragcache)) {
6046 kmem_free(newbie, sizeof (*newbie));
6047 *errno = ENOMEM;
6048 return (NULL);
6049 }
6050
6051 (void) strncpy(newbie->itp_name, name, LIFNAMSIZ);
6052
6053 rw_enter(&ipss->ipsec_tunnel_policy_lock, RW_WRITER);
6054 existing = (ipsec_tun_pol_t *)avl_find(&ipss->ipsec_tunnel_policies,
6055 newbie, &where);
6056 if (existing != NULL) {
6057 itp_free(newbie, ns);
6058 *errno = EEXIST;
6059 rw_exit(&ipss->ipsec_tunnel_policy_lock);
6060 return (NULL);
6061 }
6062 ipss->ipsec_tunnel_policy_gen++;
6063 *gen = ipss->ipsec_tunnel_policy_gen;
6064 newbie->itp_refcnt = 2; /* One for the caller, one for the tree. */
6065 newbie->itp_next_policy_index = 1;
6066 avl_insert(&ipss->ipsec_tunnel_policies, newbie, where);
6067 mutex_init(&newbie->itp_lock, NULL, MUTEX_DEFAULT, NULL);
6068 newbie->itp_policy = kmem_zalloc(sizeof (ipsec_policy_head_t),
6069 KM_NOSLEEP);
6070 if (newbie->itp_policy == NULL)
6071 goto nomem;
6072 newbie->itp_inactive = kmem_zalloc(sizeof (ipsec_policy_head_t),
6073 KM_NOSLEEP);
6074 if (newbie->itp_inactive == NULL) {
6075 kmem_free(newbie->itp_policy, sizeof (ipsec_policy_head_t));
6076 goto nomem;
6077 }
6078
6079 if (!tunnel_polhead_init(newbie->itp_policy, ns)) {
6080 kmem_free(newbie->itp_policy, sizeof (ipsec_policy_head_t));
6081 kmem_free(newbie->itp_inactive, sizeof (ipsec_policy_head_t));
6082 goto nomem;
6083 } else if (!tunnel_polhead_init(newbie->itp_inactive, ns)) {
6084 IPPH_REFRELE(newbie->itp_policy, ns);
6085 kmem_free(newbie->itp_inactive, sizeof (ipsec_policy_head_t));
6086 goto nomem;
6087 }
6088 rw_exit(&ipss->ipsec_tunnel_policy_lock);
6089
6090 return (newbie);
6091 nomem:
6092 *errno = ENOMEM;
6093 kmem_free(newbie, sizeof (*newbie));
6094 return (NULL);
6095 }
6096
6097 /*
6098 * Given two addresses, find a tunnel instance's IPsec policy heads.
6099 * Returns NULL on failure.
6100 */
6101 ipsec_tun_pol_t *
6102 itp_get_byaddr(uint32_t *laddr, uint32_t *faddr, int af, ip_stack_t *ipst)
6103 {
6104 conn_t *connp;
6105 iptun_t *iptun;
6106 ipsec_tun_pol_t *itp = NULL;
6107
6108 /* Classifiers are used to "src" being foreign. */
6109 if (af == AF_INET) {
6110 connp = ipcl_iptun_classify_v4((ipaddr_t *)faddr,
6111 (ipaddr_t *)laddr, ipst);
6112 } else {
6113 ASSERT(af == AF_INET6);
6114 ASSERT(!IN6_IS_ADDR_V4MAPPED((in6_addr_t *)laddr));
6115 ASSERT(!IN6_IS_ADDR_V4MAPPED((in6_addr_t *)faddr));
6116 connp = ipcl_iptun_classify_v6((in6_addr_t *)faddr,
6117 (in6_addr_t *)laddr, ipst);
6118 }
6119
6120 if (connp == NULL)
6121 return (NULL);
6122
6123 if (IPCL_IS_IPTUN(connp)) {
6124 iptun = connp->conn_iptun;
6125 if (iptun != NULL) {
6126 itp = iptun->iptun_itp;
6127 if (itp != NULL) {
6128 /* Braces due to the macro's nature... */
6129 ITP_REFHOLD(itp);
6130 }
6131 } /* Else itp is already NULL. */
6132 }
6133
6134 CONN_DEC_REF(connp);
6135 return (itp);
6136 }
6137
6138 /*
6139 * Frag cache code, based on SunScreen 3.2 source
6140 * screen/kernel/common/screen_fragcache.c
6141 */
6142
6143 #define IPSEC_FRAG_TTL_MAX 5
6144 /*
6145 * Note that the following parameters create 256 hash buckets
6146 * with 1024 free entries to be distributed. Things are cleaned
6147 * periodically and are attempted to be cleaned when there is no
6148 * free space, but this system errs on the side of dropping packets
6149 * over creating memory exhaustion. We may decide to make hash
6150 * factor a tunable if this proves to be a bad decision.
6151 */
6152 #define IPSEC_FRAG_HASH_SLOTS (1<<8)
6153 #define IPSEC_FRAG_HASH_FACTOR 4
6154 #define IPSEC_FRAG_HASH_SIZE (IPSEC_FRAG_HASH_SLOTS * IPSEC_FRAG_HASH_FACTOR)
6155
6156 #define IPSEC_FRAG_HASH_MASK (IPSEC_FRAG_HASH_SLOTS - 1)
6157 #define IPSEC_FRAG_HASH_FUNC(id) (((id) & IPSEC_FRAG_HASH_MASK) ^ \
6158 (((id) / \
6159 (ushort_t)IPSEC_FRAG_HASH_SLOTS) & \
6160 IPSEC_FRAG_HASH_MASK))
6161
6162 /* Maximum fragments per packet. 48 bytes payload x 1366 packets > 64KB */
6163 #define IPSEC_MAX_FRAGS 1366
6164
6165 #define V4_FRAG_OFFSET(ipha) ((ntohs(ipha->ipha_fragment_offset_and_flags) & \
6166 IPH_OFFSET) << 3)
6167 #define V4_MORE_FRAGS(ipha) (ntohs(ipha->ipha_fragment_offset_and_flags) & \
6168 IPH_MF)
6169
6170 /*
6171 * Initialize an ipsec fragcache instance.
6172 * Returns B_FALSE if memory allocation fails.
6173 */
6174 boolean_t
6175 ipsec_fragcache_init(ipsec_fragcache_t *frag)
6176 {
6177 ipsec_fragcache_entry_t *ftemp;
6178 int i;
6179
6180 mutex_init(&frag->itpf_lock, NULL, MUTEX_DEFAULT, NULL);
6181 frag->itpf_ptr = (ipsec_fragcache_entry_t **)
6182 kmem_zalloc(sizeof (ipsec_fragcache_entry_t *) *
6183 IPSEC_FRAG_HASH_SLOTS, KM_NOSLEEP);
6184 if (frag->itpf_ptr == NULL)
6185 return (B_FALSE);
6186
6187 ftemp = (ipsec_fragcache_entry_t *)
6188 kmem_zalloc(sizeof (ipsec_fragcache_entry_t) *
6189 IPSEC_FRAG_HASH_SIZE, KM_NOSLEEP);
6190 if (ftemp == NULL) {
6191 kmem_free(frag->itpf_ptr, sizeof (ipsec_fragcache_entry_t *) *
6192 IPSEC_FRAG_HASH_SLOTS);
6193 return (B_FALSE);
6194 }
6195
6196 frag->itpf_freelist = NULL;
6197
6198 for (i = 0; i < IPSEC_FRAG_HASH_SIZE; i++) {
6199 ftemp->itpfe_next = frag->itpf_freelist;
6200 frag->itpf_freelist = ftemp;
6201 ftemp++;
6202 }
6203
6204 frag->itpf_expire_hint = 0;
6205
6206 return (B_TRUE);
6207 }
6208
6209 void
6210 ipsec_fragcache_uninit(ipsec_fragcache_t *frag, ipsec_stack_t *ipss)
6211 {
6212 ipsec_fragcache_entry_t *fep;
6213 int i;
6214
6215 mutex_enter(&frag->itpf_lock);
6216 if (frag->itpf_ptr) {
6217 /* Delete any existing fragcache entry chains */
6218 for (i = 0; i < IPSEC_FRAG_HASH_SLOTS; i++) {
6219 fep = (frag->itpf_ptr)[i];
6220 while (fep != NULL) {
6221 /* Returned fep is next in chain or NULL */
6222 fep = fragcache_delentry(i, fep, frag, ipss);
6223 }
6224 }
6225 /*
6226 * Chase the pointers back to the beginning
6227 * of the memory allocation and then
6228 * get rid of the allocated freelist
6229 */
6230 while (frag->itpf_freelist->itpfe_next != NULL)
6231 frag->itpf_freelist = frag->itpf_freelist->itpfe_next;
6232 /*
6233 * XXX - If we ever dynamically grow the freelist
6234 * then we'll have to free entries individually
6235 * or determine how many entries or chunks we have
6236 * grown since the initial allocation.
6237 */
6238 kmem_free(frag->itpf_freelist,
6239 sizeof (ipsec_fragcache_entry_t) *
6240 IPSEC_FRAG_HASH_SIZE);
6241 /* Free the fragcache structure */
6242 kmem_free(frag->itpf_ptr,
6243 sizeof (ipsec_fragcache_entry_t *) *
6244 IPSEC_FRAG_HASH_SLOTS);
6245 }
6246 mutex_exit(&frag->itpf_lock);
6247 mutex_destroy(&frag->itpf_lock);
6248 }
6249
6250 /*
6251 * Add a fragment to the fragment cache. Consumes mp if NULL is returned.
6252 * Returns mp if a whole fragment has been assembled, NULL otherwise
6253 * The returned mp could be a b_next chain of fragments.
6254 *
6255 * The iramp argument is set on inbound; NULL if outbound.
6256 */
6257 mblk_t *
6258 ipsec_fragcache_add(ipsec_fragcache_t *frag, mblk_t *iramp, mblk_t *mp,
6259 int outer_hdr_len, ipsec_stack_t *ipss)
6260 {
6261 boolean_t is_v4;
6262 time_t itpf_time;
6263 ipha_t *iph;
6264 ipha_t *oiph;
6265 ip6_t *ip6h = NULL;
6266 uint8_t v6_proto;
6267 uint8_t *v6_proto_p;
6268 uint16_t ip6_hdr_length;
6269 ip_pkt_t ipp;
6270 ip6_frag_t *fraghdr;
6271 ipsec_fragcache_entry_t *fep;
6272 int i;
6273 mblk_t *nmp, *prevmp;
6274 int firstbyte, lastbyte;
6275 int offset;
6276 int last;
6277 boolean_t inbound = (iramp != NULL);
6278
6279 #ifdef FRAGCACHE_DEBUG
6280 cmn_err(CE_WARN, "Fragcache: %s\n", inbound ? "INBOUND" : "OUTBOUND");
6281 #endif
6282 /*
6283 * You're on the slow path, so insure that every packet in the
6284 * cache is a single-mblk one.
6285 */
6286 if (mp->b_cont != NULL) {
6287 nmp = msgpullup(mp, -1);
6288 if (nmp == NULL) {
6289 ip_drop_packet(mp, inbound, NULL,
6290 DROPPER(ipss, ipds_spd_nomem),
6291 &ipss->ipsec_spd_dropper);
6292 if (inbound)
6293 (void) ip_recv_attr_free_mblk(iramp);
6294 return (NULL);
6295 }
6296 freemsg(mp);
6297 mp = nmp;
6298 }
6299
6300 mutex_enter(&frag->itpf_lock);
6301
6302 oiph = (ipha_t *)mp->b_rptr;
6303 iph = (ipha_t *)(mp->b_rptr + outer_hdr_len);
6304
6305 if (IPH_HDR_VERSION(iph) == IPV4_VERSION) {
6306 is_v4 = B_TRUE;
6307 } else {
6308 ASSERT(IPH_HDR_VERSION(iph) == IPV6_VERSION);
6309 ip6h = (ip6_t *)(mp->b_rptr + outer_hdr_len);
6310
6311 if (!ip_hdr_length_nexthdr_v6(mp, ip6h, &ip6_hdr_length,
6312 &v6_proto_p)) {
6313 /*
6314 * Find upper layer protocol.
6315 * If it fails we have a malformed packet
6316 */
6317 mutex_exit(&frag->itpf_lock);
6318 ip_drop_packet(mp, inbound, NULL,
6319 DROPPER(ipss, ipds_spd_malformed_packet),
6320 &ipss->ipsec_spd_dropper);
6321 if (inbound)
6322 (void) ip_recv_attr_free_mblk(iramp);
6323 return (NULL);
6324 } else {
6325 v6_proto = *v6_proto_p;
6326 }
6327
6328
6329 bzero(&ipp, sizeof (ipp));
6330 (void) ip_find_hdr_v6(mp, ip6h, B_FALSE, &ipp, NULL);
6331 if (!(ipp.ipp_fields & IPPF_FRAGHDR)) {
6332 /*
6333 * We think this is a fragment, but didn't find
6334 * a fragment header. Something is wrong.
6335 */
6336 mutex_exit(&frag->itpf_lock);
6337 ip_drop_packet(mp, inbound, NULL,
6338 DROPPER(ipss, ipds_spd_malformed_frag),
6339 &ipss->ipsec_spd_dropper);
6340 if (inbound)
6341 (void) ip_recv_attr_free_mblk(iramp);
6342 return (NULL);
6343 }
6344 fraghdr = ipp.ipp_fraghdr;
6345 is_v4 = B_FALSE;
6346 }
6347
6348 /* Anything to cleanup? */
6349
6350 /*
6351 * This cleanup call could be put in a timer loop
6352 * but it may actually be just as reasonable a decision to
6353 * leave it here. The disadvantage is this only gets called when
6354 * frags are added. The advantage is that it is not
6355 * susceptible to race conditions like a time-based cleanup
6356 * may be.
6357 */
6358 itpf_time = gethrestime_sec();
6359 if (itpf_time >= frag->itpf_expire_hint)
6360 ipsec_fragcache_clean(frag, ipss);
6361
6362 /* Lookup to see if there is an existing entry */
6363
6364 if (is_v4)
6365 i = IPSEC_FRAG_HASH_FUNC(iph->ipha_ident);
6366 else
6367 i = IPSEC_FRAG_HASH_FUNC(fraghdr->ip6f_ident);
6368
6369 for (fep = (frag->itpf_ptr)[i]; fep; fep = fep->itpfe_next) {
6370 if (is_v4) {
6371 ASSERT(iph != NULL);
6372 if ((fep->itpfe_id == iph->ipha_ident) &&
6373 (fep->itpfe_src == iph->ipha_src) &&
6374 (fep->itpfe_dst == iph->ipha_dst) &&
6375 (fep->itpfe_proto == iph->ipha_protocol))
6376 break;
6377 } else {
6378 ASSERT(fraghdr != NULL);
6379 ASSERT(fep != NULL);
6380 if ((fep->itpfe_id == fraghdr->ip6f_ident) &&
6381 IN6_ARE_ADDR_EQUAL(&fep->itpfe_src6,
6382 &ip6h->ip6_src) &&
6383 IN6_ARE_ADDR_EQUAL(&fep->itpfe_dst6,
6384 &ip6h->ip6_dst) && (fep->itpfe_proto == v6_proto))
6385 break;
6386 }
6387 }
6388
6389 if (is_v4) {
6390 firstbyte = V4_FRAG_OFFSET(iph);
6391 lastbyte = firstbyte + ntohs(iph->ipha_length) -
6392 IPH_HDR_LENGTH(iph);
6393 last = (V4_MORE_FRAGS(iph) == 0);
6394 #ifdef FRAGCACHE_DEBUG
6395 cmn_err(CE_WARN, "V4 fragcache: firstbyte = %d, lastbyte = %d, "
6396 "is_last_frag = %d, id = %d, mp = %p\n", firstbyte,
6397 lastbyte, last, iph->ipha_ident, mp);
6398 #endif
6399 } else {
6400 firstbyte = ntohs(fraghdr->ip6f_offlg & IP6F_OFF_MASK);
6401 lastbyte = firstbyte + ntohs(ip6h->ip6_plen) +
6402 sizeof (ip6_t) - ip6_hdr_length;
6403 last = (fraghdr->ip6f_offlg & IP6F_MORE_FRAG) == 0;
6404 #ifdef FRAGCACHE_DEBUG
6405 cmn_err(CE_WARN, "V6 fragcache: firstbyte = %d, lastbyte = %d, "
6406 "is_last_frag = %d, id = %d, fraghdr = %p, mp = %p\n",
6407 firstbyte, lastbyte, last, fraghdr->ip6f_ident, fraghdr,
6408 mp);
6409 #endif
6410 }
6411
6412 /* check for bogus fragments and delete the entry */
6413 if (firstbyte > 0 && firstbyte <= 8) {
6414 if (fep != NULL)
6415 (void) fragcache_delentry(i, fep, frag, ipss);
6416 mutex_exit(&frag->itpf_lock);
6417 ip_drop_packet(mp, inbound, NULL,
6418 DROPPER(ipss, ipds_spd_malformed_frag),
6419 &ipss->ipsec_spd_dropper);
6420 if (inbound)
6421 (void) ip_recv_attr_free_mblk(iramp);
6422 return (NULL);
6423 }
6424
6425 /* Not found, allocate a new entry */
6426 if (fep == NULL) {
6427 if (frag->itpf_freelist == NULL) {
6428 /* see if there is some space */
6429 ipsec_fragcache_clean(frag, ipss);
6430 if (frag->itpf_freelist == NULL) {
6431 mutex_exit(&frag->itpf_lock);
6432 ip_drop_packet(mp, inbound, NULL,
6433 DROPPER(ipss, ipds_spd_nomem),
6434 &ipss->ipsec_spd_dropper);
6435 if (inbound)
6436 (void) ip_recv_attr_free_mblk(iramp);
6437 return (NULL);
6438 }
6439 }
6440
6441 fep = frag->itpf_freelist;
6442 frag->itpf_freelist = fep->itpfe_next;
6443
6444 if (is_v4) {
6445 bcopy((caddr_t)&iph->ipha_src, (caddr_t)&fep->itpfe_src,
6446 sizeof (struct in_addr));
6447 bcopy((caddr_t)&iph->ipha_dst, (caddr_t)&fep->itpfe_dst,
6448 sizeof (struct in_addr));
6449 fep->itpfe_id = iph->ipha_ident;
6450 fep->itpfe_proto = iph->ipha_protocol;
6451 i = IPSEC_FRAG_HASH_FUNC(fep->itpfe_id);
6452 } else {
6453 bcopy((in6_addr_t *)&ip6h->ip6_src,
6454 (in6_addr_t *)&fep->itpfe_src6,
6455 sizeof (struct in6_addr));
6456 bcopy((in6_addr_t *)&ip6h->ip6_dst,
6457 (in6_addr_t *)&fep->itpfe_dst6,
6458 sizeof (struct in6_addr));
6459 fep->itpfe_id = fraghdr->ip6f_ident;
6460 fep->itpfe_proto = v6_proto;
6461 i = IPSEC_FRAG_HASH_FUNC(fep->itpfe_id);
6462 }
6463 itpf_time = gethrestime_sec();
6464 fep->itpfe_exp = itpf_time + IPSEC_FRAG_TTL_MAX + 1;
6465 fep->itpfe_last = 0;
6466 fep->itpfe_fraglist = NULL;
6467 fep->itpfe_depth = 0;
6468 fep->itpfe_next = (frag->itpf_ptr)[i];
6469 (frag->itpf_ptr)[i] = fep;
6470
6471 if (frag->itpf_expire_hint > fep->itpfe_exp)
6472 frag->itpf_expire_hint = fep->itpfe_exp;
6473
6474 }
6475
6476 /* Insert it in the frag list */
6477 /* List is in order by starting offset of fragments */
6478
6479 prevmp = NULL;
6480 for (nmp = fep->itpfe_fraglist; nmp; nmp = nmp->b_next) {
6481 ipha_t *niph;
6482 ipha_t *oniph;
6483 ip6_t *nip6h;
6484 ip_pkt_t nipp;
6485 ip6_frag_t *nfraghdr;
6486 uint16_t nip6_hdr_length;
6487 uint8_t *nv6_proto_p;
6488 int nfirstbyte, nlastbyte;
6489 char *data, *ndata;
6490 mblk_t *ndata_mp = (inbound ? nmp->b_cont : nmp);
6491 int hdr_len;
6492
6493 oniph = (ipha_t *)mp->b_rptr;
6494 nip6h = NULL;
6495 niph = NULL;
6496
6497 /*
6498 * Determine outer header type and length and set
6499 * pointers appropriately
6500 */
6501
6502 if (IPH_HDR_VERSION(oniph) == IPV4_VERSION) {
6503 hdr_len = ((outer_hdr_len != 0) ?
6504 IPH_HDR_LENGTH(oiph) : 0);
6505 niph = (ipha_t *)(ndata_mp->b_rptr + hdr_len);
6506 } else {
6507 ASSERT(IPH_HDR_VERSION(oniph) == IPV6_VERSION);
6508 ASSERT(ndata_mp->b_cont == NULL);
6509 nip6h = (ip6_t *)ndata_mp->b_rptr;
6510 (void) ip_hdr_length_nexthdr_v6(ndata_mp, nip6h,
6511 &nip6_hdr_length, &v6_proto_p);
6512 hdr_len = ((outer_hdr_len != 0) ? nip6_hdr_length : 0);
6513 }
6514
6515 /*
6516 * Determine inner header type and length and set
6517 * pointers appropriately
6518 */
6519
6520 if (is_v4) {
6521 if (niph == NULL) {
6522 /* Was v6 outer */
6523 niph = (ipha_t *)(ndata_mp->b_rptr + hdr_len);
6524 }
6525 nfirstbyte = V4_FRAG_OFFSET(niph);
6526 nlastbyte = nfirstbyte + ntohs(niph->ipha_length) -
6527 IPH_HDR_LENGTH(niph);
6528 } else {
6529 ASSERT(ndata_mp->b_cont == NULL);
6530 nip6h = (ip6_t *)(ndata_mp->b_rptr + hdr_len);
6531 if (!ip_hdr_length_nexthdr_v6(ndata_mp, nip6h,
6532 &nip6_hdr_length, &nv6_proto_p)) {
6533 mutex_exit(&frag->itpf_lock);
6534 ip_drop_packet_chain(nmp, inbound, NULL,
6535 DROPPER(ipss, ipds_spd_malformed_frag),
6536 &ipss->ipsec_spd_dropper);
6537 ipsec_freemsg_chain(ndata_mp);
6538 if (inbound)
6539 (void) ip_recv_attr_free_mblk(iramp);
6540 return (NULL);
6541 }
6542 bzero(&nipp, sizeof (nipp));
6543 (void) ip_find_hdr_v6(ndata_mp, nip6h, B_FALSE, &nipp,
6544 NULL);
6545 nfraghdr = nipp.ipp_fraghdr;
6546 nfirstbyte = ntohs(nfraghdr->ip6f_offlg &
6547 IP6F_OFF_MASK);
6548 nlastbyte = nfirstbyte + ntohs(nip6h->ip6_plen) +
6549 sizeof (ip6_t) - nip6_hdr_length;
6550 }
6551
6552 /* Check for overlapping fragments */
6553 if (firstbyte >= nfirstbyte && firstbyte < nlastbyte) {
6554 /*
6555 * Overlap Check:
6556 * ~~~~--------- # Check if the newly
6557 * ~ ndata_mp| # received fragment
6558 * ~~~~--------- # overlaps with the
6559 * ---------~~~~~~ # current fragment.
6560 * | mp ~
6561 * ---------~~~~~~
6562 */
6563 if (is_v4) {
6564 data = (char *)iph + IPH_HDR_LENGTH(iph) +
6565 firstbyte - nfirstbyte;
6566 ndata = (char *)niph + IPH_HDR_LENGTH(niph);
6567 } else {
6568 data = (char *)ip6h +
6569 nip6_hdr_length + firstbyte -
6570 nfirstbyte;
6571 ndata = (char *)nip6h + nip6_hdr_length;
6572 }
6573 if (bcmp(data, ndata, MIN(lastbyte, nlastbyte) -
6574 firstbyte)) {
6575 /* Overlapping data does not match */
6576 (void) fragcache_delentry(i, fep, frag, ipss);
6577 mutex_exit(&frag->itpf_lock);
6578 ip_drop_packet(mp, inbound, NULL,
6579 DROPPER(ipss, ipds_spd_overlap_frag),
6580 &ipss->ipsec_spd_dropper);
6581 if (inbound)
6582 (void) ip_recv_attr_free_mblk(iramp);
6583 return (NULL);
6584 }
6585 /* Part of defense for jolt2.c fragmentation attack */
6586 if (firstbyte >= nfirstbyte && lastbyte <= nlastbyte) {
6587 /*
6588 * Check for identical or subset fragments:
6589 * ---------- ~~~~--------~~~~~
6590 * | nmp | or ~ nmp ~
6591 * ---------- ~~~~--------~~~~~
6592 * ---------- ------
6593 * | mp | | mp |
6594 * ---------- ------
6595 */
6596 mutex_exit(&frag->itpf_lock);
6597 ip_drop_packet(mp, inbound, NULL,
6598 DROPPER(ipss, ipds_spd_evil_frag),
6599 &ipss->ipsec_spd_dropper);
6600 if (inbound)
6601 (void) ip_recv_attr_free_mblk(iramp);
6602 return (NULL);
6603 }
6604
6605 }
6606
6607 /* Correct location for this fragment? */
6608 if (firstbyte <= nfirstbyte) {
6609 /*
6610 * Check if the tail end of the new fragment overlaps
6611 * with the head of the current fragment.
6612 * --------~~~~~~~
6613 * | nmp ~
6614 * --------~~~~~~~
6615 * ~~~~~--------
6616 * ~ mp |
6617 * ~~~~~--------
6618 */
6619 if (lastbyte > nfirstbyte) {
6620 /* Fragments overlap */
6621 data = (char *)iph + IPH_HDR_LENGTH(iph) +
6622 firstbyte - nfirstbyte;
6623 ndata = (char *)niph + IPH_HDR_LENGTH(niph);
6624 if (is_v4) {
6625 data = (char *)iph +
6626 IPH_HDR_LENGTH(iph) + firstbyte -
6627 nfirstbyte;
6628 ndata = (char *)niph +
6629 IPH_HDR_LENGTH(niph);
6630 } else {
6631 data = (char *)ip6h +
6632 nip6_hdr_length + firstbyte -
6633 nfirstbyte;
6634 ndata = (char *)nip6h + nip6_hdr_length;
6635 }
6636 if (bcmp(data, ndata, MIN(lastbyte, nlastbyte)
6637 - nfirstbyte)) {
6638 /* Overlap mismatch */
6639 (void) fragcache_delentry(i, fep, frag,
6640 ipss);
6641 mutex_exit(&frag->itpf_lock);
6642 ip_drop_packet(mp, inbound, NULL,
6643 DROPPER(ipss,
6644 ipds_spd_overlap_frag),
6645 &ipss->ipsec_spd_dropper);
6646 if (inbound) {
6647 (void) ip_recv_attr_free_mblk(
6648 iramp);
6649 }
6650 return (NULL);
6651 }
6652 }
6653
6654 /*
6655 * Fragment does not illegally overlap and can now
6656 * be inserted into the chain
6657 */
6658 break;
6659 }
6660
6661 prevmp = nmp;
6662 }
6663 /* Prepend the attributes before we link it in */
6664 if (iramp != NULL) {
6665 ASSERT(iramp->b_cont == NULL);
6666 iramp->b_cont = mp;
6667 mp = iramp;
6668 iramp = NULL;
6669 }
6670 mp->b_next = nmp;
6671
6672 if (prevmp == NULL) {
6673 fep->itpfe_fraglist = mp;
6674 } else {
6675 prevmp->b_next = mp;
6676 }
6677 if (last)
6678 fep->itpfe_last = 1;
6679
6680 /* Part of defense for jolt2.c fragmentation attack */
6681 if (++(fep->itpfe_depth) > IPSEC_MAX_FRAGS) {
6682 (void) fragcache_delentry(i, fep, frag, ipss);
6683 mutex_exit(&frag->itpf_lock);
6684 if (inbound)
6685 mp = ip_recv_attr_free_mblk(mp);
6686
6687 ip_drop_packet(mp, inbound, NULL,
6688 DROPPER(ipss, ipds_spd_max_frags),
6689 &ipss->ipsec_spd_dropper);
6690 return (NULL);
6691 }
6692
6693 /* Check for complete packet */
6694
6695 if (!fep->itpfe_last) {
6696 mutex_exit(&frag->itpf_lock);
6697 #ifdef FRAGCACHE_DEBUG
6698 cmn_err(CE_WARN, "Fragment cached, last not yet seen.\n");
6699 #endif
6700 return (NULL);
6701 }
6702
6703 offset = 0;
6704 for (mp = fep->itpfe_fraglist; mp; mp = mp->b_next) {
6705 mblk_t *data_mp = (inbound ? mp->b_cont : mp);
6706 int hdr_len;
6707
6708 oiph = (ipha_t *)data_mp->b_rptr;
6709 ip6h = NULL;
6710 iph = NULL;
6711
6712 if (IPH_HDR_VERSION(oiph) == IPV4_VERSION) {
6713 hdr_len = ((outer_hdr_len != 0) ?
6714 IPH_HDR_LENGTH(oiph) : 0);
6715 iph = (ipha_t *)(data_mp->b_rptr + hdr_len);
6716 } else {
6717 ASSERT(IPH_HDR_VERSION(oiph) == IPV6_VERSION);
6718 ASSERT(data_mp->b_cont == NULL);
6719 ip6h = (ip6_t *)data_mp->b_rptr;
6720 (void) ip_hdr_length_nexthdr_v6(data_mp, ip6h,
6721 &ip6_hdr_length, &v6_proto_p);
6722 hdr_len = ((outer_hdr_len != 0) ? ip6_hdr_length : 0);
6723 }
6724
6725 /* Calculate current fragment start/end */
6726 if (is_v4) {
6727 if (iph == NULL) {
6728 /* Was v6 outer */
6729 iph = (ipha_t *)(data_mp->b_rptr + hdr_len);
6730 }
6731 firstbyte = V4_FRAG_OFFSET(iph);
6732 lastbyte = firstbyte + ntohs(iph->ipha_length) -
6733 IPH_HDR_LENGTH(iph);
6734 } else {
6735 ASSERT(data_mp->b_cont == NULL);
6736 ip6h = (ip6_t *)(data_mp->b_rptr + hdr_len);
6737 if (!ip_hdr_length_nexthdr_v6(data_mp, ip6h,
6738 &ip6_hdr_length, &v6_proto_p)) {
6739 mutex_exit(&frag->itpf_lock);
6740 ip_drop_packet_chain(mp, inbound, NULL,
6741 DROPPER(ipss, ipds_spd_malformed_frag),
6742 &ipss->ipsec_spd_dropper);
6743 return (NULL);
6744 }
6745 v6_proto = *v6_proto_p;
6746 bzero(&ipp, sizeof (ipp));
6747 (void) ip_find_hdr_v6(data_mp, ip6h, B_FALSE, &ipp,
6748 NULL);
6749 fraghdr = ipp.ipp_fraghdr;
6750 firstbyte = ntohs(fraghdr->ip6f_offlg &
6751 IP6F_OFF_MASK);
6752 lastbyte = firstbyte + ntohs(ip6h->ip6_plen) +
6753 sizeof (ip6_t) - ip6_hdr_length;
6754 }
6755
6756 /*
6757 * If this fragment is greater than current offset,
6758 * we have a missing fragment so return NULL
6759 */
6760 if (firstbyte > offset) {
6761 mutex_exit(&frag->itpf_lock);
6762 #ifdef FRAGCACHE_DEBUG
6763 /*
6764 * Note, this can happen when the last frag
6765 * gets sent through because it is smaller
6766 * than the MTU. It is not necessarily an
6767 * error condition.
6768 */
6769 cmn_err(CE_WARN, "Frag greater than offset! : "
6770 "missing fragment: firstbyte = %d, offset = %d, "
6771 "mp = %p\n", firstbyte, offset, mp);
6772 #endif
6773 return (NULL);
6774 }
6775 #ifdef FRAGCACHE_DEBUG
6776 cmn_err(CE_WARN, "Frag offsets : "
6777 "firstbyte = %d, offset = %d, mp = %p\n",
6778 firstbyte, offset, mp);
6779 #endif
6780
6781 /*
6782 * If we are at the last fragment, we have the complete
6783 * packet, so rechain things and return it to caller
6784 * for processing
6785 */
6786
6787 if ((is_v4 && !V4_MORE_FRAGS(iph)) ||
6788 (!is_v4 && !(fraghdr->ip6f_offlg & IP6F_MORE_FRAG))) {
6789 mp = fep->itpfe_fraglist;
6790 fep->itpfe_fraglist = NULL;
6791 (void) fragcache_delentry(i, fep, frag, ipss);
6792 mutex_exit(&frag->itpf_lock);
6793
6794 if ((is_v4 && (firstbyte + ntohs(iph->ipha_length) >
6795 65535)) || (!is_v4 && (firstbyte +
6796 ntohs(ip6h->ip6_plen) > 65535))) {
6797 /* It is an invalid "ping-o-death" packet */
6798 /* Discard it */
6799 ip_drop_packet_chain(mp, inbound, NULL,
6800 DROPPER(ipss, ipds_spd_evil_frag),
6801 &ipss->ipsec_spd_dropper);
6802 return (NULL);
6803 }
6804 #ifdef FRAGCACHE_DEBUG
6805 cmn_err(CE_WARN, "Fragcache returning mp = %p, "
6806 "mp->b_next = %p", mp, mp->b_next);
6807 #endif
6808 /*
6809 * For inbound case, mp has attrmp b_next'd chain
6810 * For outbound case, it is just data mp chain
6811 */
6812 return (mp);
6813 }
6814
6815 /*
6816 * Update new ending offset if this
6817 * fragment extends the packet
6818 */
6819 if (offset < lastbyte)
6820 offset = lastbyte;
6821 }
6822
6823 mutex_exit(&frag->itpf_lock);
6824
6825 /* Didn't find last fragment, so return NULL */
6826 return (NULL);
6827 }
6828
6829 static void
6830 ipsec_fragcache_clean(ipsec_fragcache_t *frag, ipsec_stack_t *ipss)
6831 {
6832 ipsec_fragcache_entry_t *fep;
6833 int i;
6834 ipsec_fragcache_entry_t *earlyfep = NULL;
6835 time_t itpf_time;
6836 int earlyexp;
6837 int earlyi = 0;
6838
6839 ASSERT(MUTEX_HELD(&frag->itpf_lock));
6840
6841 itpf_time = gethrestime_sec();
6842 earlyexp = itpf_time + 10000;
6843
6844 for (i = 0; i < IPSEC_FRAG_HASH_SLOTS; i++) {
6845 fep = (frag->itpf_ptr)[i];
6846 while (fep) {
6847 if (fep->itpfe_exp < itpf_time) {
6848 /* found */
6849 fep = fragcache_delentry(i, fep, frag, ipss);
6850 } else {
6851 if (fep->itpfe_exp < earlyexp) {
6852 earlyfep = fep;
6853 earlyexp = fep->itpfe_exp;
6854 earlyi = i;
6855 }
6856 fep = fep->itpfe_next;
6857 }
6858 }
6859 }
6860
6861 frag->itpf_expire_hint = earlyexp;
6862
6863 /* if (!found) */
6864 if (frag->itpf_freelist == NULL)
6865 (void) fragcache_delentry(earlyi, earlyfep, frag, ipss);
6866 }
6867
6868 static ipsec_fragcache_entry_t *
6869 fragcache_delentry(int slot, ipsec_fragcache_entry_t *fep,
6870 ipsec_fragcache_t *frag, ipsec_stack_t *ipss)
6871 {
6872 ipsec_fragcache_entry_t *targp;
6873 ipsec_fragcache_entry_t *nextp = fep->itpfe_next;
6874
6875 ASSERT(MUTEX_HELD(&frag->itpf_lock));
6876
6877 /* Free up any fragment list still in cache entry */
6878 if (fep->itpfe_fraglist != NULL) {
6879 ip_drop_packet_chain(fep->itpfe_fraglist,
6880 ip_recv_attr_is_mblk(fep->itpfe_fraglist), NULL,
6881 DROPPER(ipss, ipds_spd_expired_frags),
6882 &ipss->ipsec_spd_dropper);
6883 }
6884 fep->itpfe_fraglist = NULL;
6885
6886 targp = (frag->itpf_ptr)[slot];
6887 ASSERT(targp != 0);
6888
6889 if (targp == fep) {
6890 /* unlink from head of hash chain */
6891 (frag->itpf_ptr)[slot] = nextp;
6892 /* link into free list */
6893 fep->itpfe_next = frag->itpf_freelist;
6894 frag->itpf_freelist = fep;
6895 return (nextp);
6896 }
6897
6898 /* maybe should use double linked list to make update faster */
6899 /* must be past front of chain */
6900 while (targp) {
6901 if (targp->itpfe_next == fep) {
6902 /* unlink from hash chain */
6903 targp->itpfe_next = nextp;
6904 /* link into free list */
6905 fep->itpfe_next = frag->itpf_freelist;
6906 frag->itpf_freelist = fep;
6907 return (nextp);
6908 }
6909 targp = targp->itpfe_next;
6910 ASSERT(targp != 0);
6911 }
6912 /* NOTREACHED */
6913 return (NULL);
6914 }