Print this page
Bayard's initial drop, needs finishing, or at least testing.
| Split |
Close |
| Expand all |
| Collapse all |
--- old/usr/src/uts/common/inet/ip/spd.c
+++ new/usr/src/uts/common/inet/ip/spd.c
1 1 /*
2 2 * CDDL HEADER START
3 3 *
4 4 * The contents of this file are subject to the terms of the
5 5 * Common Development and Distribution License (the "License").
6 6 * You may not use this file except in compliance with the License.
7 7 *
8 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 9 * or http://www.opensolaris.org/os/licensing.
10 10 * See the License for the specific language governing permissions
11 11 * and limitations under the License.
12 12 *
13 13 * When distributing Covered Code, include this CDDL HEADER in each
|
↓ open down ↓ |
13 lines elided |
↑ open up ↑ |
14 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 15 * If applicable, add the following below this CDDL HEADER, with the
16 16 * fields enclosed by brackets "[]" replaced with your own identifying
17 17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 18 *
19 19 * CDDL HEADER END
20 20 */
21 21 /*
22 22 * Copyright 2010 Sun Microsystems, Inc. All rights reserved.
23 23 * Use is subject to license terms.
24 + * Copyright (c) 2012 Nexenta Systems, Inc. All rights reserved.
24 25 */
25 26
26 27 /*
27 28 * IPsec Security Policy Database.
28 29 *
29 30 * This module maintains the SPD and provides routines used by ip and ip6
30 31 * to apply IPsec policy to inbound and outbound datagrams.
31 32 */
32 33
33 34 #include <sys/types.h>
34 35 #include <sys/stream.h>
35 36 #include <sys/stropts.h>
36 37 #include <sys/sysmacros.h>
37 38 #include <sys/strsubr.h>
38 39 #include <sys/strsun.h>
39 40 #include <sys/strlog.h>
40 41 #include <sys/strsun.h>
41 42 #include <sys/cmn_err.h>
42 43 #include <sys/zone.h>
43 44
44 45 #include <sys/systm.h>
45 46 #include <sys/param.h>
46 47 #include <sys/kmem.h>
47 48 #include <sys/ddi.h>
48 49
49 50 #include <sys/crypto/api.h>
50 51
51 52 #include <inet/common.h>
52 53 #include <inet/mi.h>
53 54
54 55 #include <netinet/ip6.h>
55 56 #include <netinet/icmp6.h>
56 57 #include <netinet/udp.h>
57 58
58 59 #include <inet/ip.h>
59 60 #include <inet/ip6.h>
60 61
61 62 #include <net/pfkeyv2.h>
62 63 #include <net/pfpolicy.h>
63 64 #include <inet/sadb.h>
64 65 #include <inet/ipsec_impl.h>
65 66
66 67 #include <inet/ip_impl.h> /* For IP_MOD_ID */
67 68
68 69 #include <inet/ipsecah.h>
69 70 #include <inet/ipsecesp.h>
70 71 #include <inet/ipdrop.h>
71 72 #include <inet/ipclassifier.h>
72 73 #include <inet/iptun.h>
73 74 #include <inet/iptun/iptun_impl.h>
74 75
75 76 static void ipsec_update_present_flags(ipsec_stack_t *);
76 77 static ipsec_act_t *ipsec_act_wildcard_expand(ipsec_act_t *, uint_t *,
77 78 netstack_t *);
78 79 static mblk_t *ipsec_check_ipsecin_policy(mblk_t *, ipsec_policy_t *,
79 80 ipha_t *, ip6_t *, uint64_t, ip_recv_attr_t *, netstack_t *);
80 81 static void ipsec_action_free_table(ipsec_action_t *);
81 82 static void ipsec_action_reclaim(void *);
82 83 static void ipsec_action_reclaim_stack(ipsec_stack_t *);
83 84 static void ipsid_init(netstack_t *);
84 85 static void ipsid_fini(netstack_t *);
85 86
86 87 /* sel_flags values for ipsec_init_inbound_sel(). */
87 88 #define SEL_NONE 0x0000
88 89 #define SEL_PORT_POLICY 0x0001
89 90 #define SEL_IS_ICMP 0x0002
90 91 #define SEL_TUNNEL_MODE 0x0004
91 92 #define SEL_POST_FRAG 0x0008
92 93
93 94 /* Return values for ipsec_init_inbound_sel(). */
94 95 typedef enum { SELRET_NOMEM, SELRET_BADPKT, SELRET_SUCCESS, SELRET_TUNFRAG}
95 96 selret_t;
96 97
97 98 static selret_t ipsec_init_inbound_sel(ipsec_selector_t *, mblk_t *,
98 99 ipha_t *, ip6_t *, uint8_t);
99 100
100 101 static boolean_t ipsec_check_ipsecin_action(ip_recv_attr_t *, mblk_t *,
101 102 struct ipsec_action_s *, ipha_t *ipha, ip6_t *ip6h, const char **,
102 103 kstat_named_t **, netstack_t *);
103 104 static void ipsec_unregister_prov_update(void);
104 105 static void ipsec_prov_update_callback_stack(uint32_t, void *, netstack_t *);
105 106 static boolean_t ipsec_compare_action(ipsec_policy_t *, ipsec_policy_t *);
106 107 static uint32_t selector_hash(ipsec_selector_t *, ipsec_policy_root_t *);
107 108 static boolean_t ipsec_kstat_init(ipsec_stack_t *);
108 109 static void ipsec_kstat_destroy(ipsec_stack_t *);
109 110 static int ipsec_free_tables(ipsec_stack_t *);
110 111 static int tunnel_compare(const void *, const void *);
111 112 static void ipsec_freemsg_chain(mblk_t *);
112 113 static void ip_drop_packet_chain(mblk_t *, boolean_t, ill_t *,
113 114 struct kstat_named *, ipdropper_t *);
114 115 static boolean_t ipsec_kstat_init(ipsec_stack_t *);
115 116 static void ipsec_kstat_destroy(ipsec_stack_t *);
116 117 static int ipsec_free_tables(ipsec_stack_t *);
117 118 static int tunnel_compare(const void *, const void *);
118 119 static void ipsec_freemsg_chain(mblk_t *);
119 120
120 121 /*
121 122 * Selector hash table is statically sized at module load time.
122 123 * we default to 251 buckets, which is the largest prime number under 255
123 124 */
124 125
125 126 #define IPSEC_SPDHASH_DEFAULT 251
126 127
127 128 /* SPD hash-size tunable per tunnel. */
128 129 #define TUN_SPDHASH_DEFAULT 5
129 130
130 131 uint32_t ipsec_spd_hashsize;
131 132 uint32_t tun_spd_hashsize;
132 133
133 134 #define IPSEC_SEL_NOHASH ((uint32_t)(~0))
134 135
135 136 /*
136 137 * Handle global across all stack instances
137 138 */
138 139 static crypto_notify_handle_t prov_update_handle = NULL;
139 140
140 141 static kmem_cache_t *ipsec_action_cache;
141 142 static kmem_cache_t *ipsec_sel_cache;
142 143 static kmem_cache_t *ipsec_pol_cache;
143 144
144 145 /* Frag cache prototypes */
145 146 static void ipsec_fragcache_clean(ipsec_fragcache_t *, ipsec_stack_t *);
146 147 static ipsec_fragcache_entry_t *fragcache_delentry(int,
147 148 ipsec_fragcache_entry_t *, ipsec_fragcache_t *, ipsec_stack_t *);
148 149 boolean_t ipsec_fragcache_init(ipsec_fragcache_t *);
149 150 void ipsec_fragcache_uninit(ipsec_fragcache_t *, ipsec_stack_t *ipss);
150 151 mblk_t *ipsec_fragcache_add(ipsec_fragcache_t *, mblk_t *, mblk_t *,
151 152 int, ipsec_stack_t *);
152 153
153 154 int ipsec_hdr_pullup_needed = 0;
154 155 int ipsec_weird_null_inbound_policy = 0;
155 156
156 157 #define ALGBITS_ROUND_DOWN(x, align) (((x)/(align))*(align))
157 158 #define ALGBITS_ROUND_UP(x, align) ALGBITS_ROUND_DOWN((x)+(align)-1, align)
158 159
159 160 /*
160 161 * Inbound traffic should have matching identities for both SA's.
161 162 */
162 163
163 164 #define SA_IDS_MATCH(sa1, sa2) \
164 165 (((sa1) == NULL) || ((sa2) == NULL) || \
165 166 (((sa1)->ipsa_src_cid == (sa2)->ipsa_src_cid) && \
166 167 (((sa1)->ipsa_dst_cid == (sa2)->ipsa_dst_cid))))
167 168
168 169 /*
169 170 * IPv6 Fragments
170 171 */
171 172 #define IS_V6_FRAGMENT(ipp) (ipp.ipp_fields & IPPF_FRAGHDR)
172 173
173 174 /*
174 175 * Policy failure messages.
175 176 */
176 177 static char *ipsec_policy_failure_msgs[] = {
177 178
178 179 /* IPSEC_POLICY_NOT_NEEDED */
179 180 "%s: Dropping the datagram because the incoming packet "
180 181 "is %s, but the recipient expects clear; Source %s, "
181 182 "Destination %s.\n",
182 183
183 184 /* IPSEC_POLICY_MISMATCH */
184 185 "%s: Policy Failure for the incoming packet (%s); Source %s, "
185 186 "Destination %s.\n",
186 187
187 188 /* IPSEC_POLICY_AUTH_NOT_NEEDED */
188 189 "%s: Authentication present while not expected in the "
189 190 "incoming %s packet; Source %s, Destination %s.\n",
190 191
191 192 /* IPSEC_POLICY_ENCR_NOT_NEEDED */
192 193 "%s: Encryption present while not expected in the "
193 194 "incoming %s packet; Source %s, Destination %s.\n",
194 195
195 196 /* IPSEC_POLICY_SE_NOT_NEEDED */
196 197 "%s: Self-Encapsulation present while not expected in the "
197 198 "incoming %s packet; Source %s, Destination %s.\n",
198 199 };
199 200
200 201 /*
201 202 * General overviews:
202 203 *
203 204 * Locking:
204 205 *
205 206 * All of the system policy structures are protected by a single
206 207 * rwlock. These structures are threaded in a
207 208 * fairly complex fashion and are not expected to change on a
208 209 * regular basis, so this should not cause scaling/contention
209 210 * problems. As a result, policy checks should (hopefully) be MT-hot.
210 211 *
211 212 * Allocation policy:
212 213 *
213 214 * We use custom kmem cache types for the various
214 215 * bits & pieces of the policy data structures. All allocations
215 216 * use KM_NOSLEEP instead of KM_SLEEP for policy allocation. The
216 217 * policy table is of potentially unbounded size, so we don't
217 218 * want to provide a way to hog all system memory with policy
218 219 * entries..
219 220 */
220 221
221 222 /* Convenient functions for freeing or dropping a b_next linked mblk chain */
222 223
223 224 /* Free all messages in an mblk chain */
224 225 static void
225 226 ipsec_freemsg_chain(mblk_t *mp)
226 227 {
227 228 mblk_t *mpnext;
228 229 while (mp != NULL) {
229 230 ASSERT(mp->b_prev == NULL);
230 231 mpnext = mp->b_next;
231 232 mp->b_next = NULL;
232 233 freemsg(mp);
233 234 mp = mpnext;
234 235 }
235 236 }
236 237
237 238 /*
238 239 * ip_drop all messages in an mblk chain
239 240 * Can handle a b_next chain of ip_recv_attr_t mblks, or just a b_next chain
240 241 * of data.
241 242 */
242 243 static void
243 244 ip_drop_packet_chain(mblk_t *mp, boolean_t inbound, ill_t *ill,
244 245 struct kstat_named *counter, ipdropper_t *who_called)
245 246 {
246 247 mblk_t *mpnext;
247 248 while (mp != NULL) {
248 249 ASSERT(mp->b_prev == NULL);
249 250 mpnext = mp->b_next;
250 251 mp->b_next = NULL;
251 252 if (ip_recv_attr_is_mblk(mp))
252 253 mp = ip_recv_attr_free_mblk(mp);
253 254 ip_drop_packet(mp, inbound, ill, counter, who_called);
254 255 mp = mpnext;
255 256 }
256 257 }
257 258
258 259 /*
259 260 * AVL tree comparison function.
260 261 * the in-kernel avl assumes unique keys for all objects.
261 262 * Since sometimes policy will duplicate rules, we may insert
262 263 * multiple rules with the same rule id, so we need a tie-breaker.
263 264 */
264 265 static int
265 266 ipsec_policy_cmpbyid(const void *a, const void *b)
266 267 {
267 268 const ipsec_policy_t *ipa, *ipb;
268 269 uint64_t idxa, idxb;
269 270
270 271 ipa = (const ipsec_policy_t *)a;
271 272 ipb = (const ipsec_policy_t *)b;
272 273 idxa = ipa->ipsp_index;
273 274 idxb = ipb->ipsp_index;
274 275
275 276 if (idxa < idxb)
276 277 return (-1);
277 278 if (idxa > idxb)
278 279 return (1);
279 280 /*
280 281 * Tie-breaker #1: All installed policy rules have a non-NULL
281 282 * ipsl_sel (selector set), so an entry with a NULL ipsp_sel is not
282 283 * actually in-tree but rather a template node being used in
283 284 * an avl_find query; see ipsec_policy_delete(). This gives us
284 285 * a placeholder in the ordering just before the first entry with
285 286 * a key >= the one we're looking for, so we can walk forward from
286 287 * that point to get the remaining entries with the same id.
287 288 */
288 289 if ((ipa->ipsp_sel == NULL) && (ipb->ipsp_sel != NULL))
289 290 return (-1);
290 291 if ((ipb->ipsp_sel == NULL) && (ipa->ipsp_sel != NULL))
291 292 return (1);
292 293 /*
293 294 * At most one of the arguments to the comparison should have a
294 295 * NULL selector pointer; if not, the tree is broken.
295 296 */
296 297 ASSERT(ipa->ipsp_sel != NULL);
297 298 ASSERT(ipb->ipsp_sel != NULL);
298 299 /*
299 300 * Tie-breaker #2: use the virtual address of the policy node
300 301 * to arbitrarily break ties. Since we use the new tree node in
301 302 * the avl_find() in ipsec_insert_always, the new node will be
302 303 * inserted into the tree in the right place in the sequence.
303 304 */
304 305 if (ipa < ipb)
305 306 return (-1);
306 307 if (ipa > ipb)
307 308 return (1);
308 309 return (0);
309 310 }
310 311
311 312 /*
312 313 * Free what ipsec_alloc_table allocated.
313 314 */
314 315 void
315 316 ipsec_polhead_free_table(ipsec_policy_head_t *iph)
316 317 {
317 318 int dir;
318 319 int i;
319 320
320 321 for (dir = 0; dir < IPSEC_NTYPES; dir++) {
321 322 ipsec_policy_root_t *ipr = &iph->iph_root[dir];
322 323
323 324 if (ipr->ipr_hash == NULL)
324 325 continue;
325 326
326 327 for (i = 0; i < ipr->ipr_nchains; i++) {
327 328 ASSERT(ipr->ipr_hash[i].hash_head == NULL);
328 329 }
329 330 kmem_free(ipr->ipr_hash, ipr->ipr_nchains *
330 331 sizeof (ipsec_policy_hash_t));
331 332 ipr->ipr_hash = NULL;
332 333 }
333 334 }
334 335
335 336 void
336 337 ipsec_polhead_destroy(ipsec_policy_head_t *iph)
337 338 {
338 339 int dir;
339 340
340 341 avl_destroy(&iph->iph_rulebyid);
341 342 rw_destroy(&iph->iph_lock);
342 343
343 344 for (dir = 0; dir < IPSEC_NTYPES; dir++) {
344 345 ipsec_policy_root_t *ipr = &iph->iph_root[dir];
345 346 int chain;
346 347
347 348 for (chain = 0; chain < ipr->ipr_nchains; chain++)
348 349 mutex_destroy(&(ipr->ipr_hash[chain].hash_lock));
349 350
350 351 }
351 352 ipsec_polhead_free_table(iph);
352 353 }
353 354
354 355 /*
355 356 * Free the IPsec stack instance.
356 357 */
357 358 /* ARGSUSED */
358 359 static void
359 360 ipsec_stack_fini(netstackid_t stackid, void *arg)
360 361 {
361 362 ipsec_stack_t *ipss = (ipsec_stack_t *)arg;
362 363 void *cookie;
363 364 ipsec_tun_pol_t *node;
364 365 netstack_t *ns = ipss->ipsec_netstack;
365 366 int i;
366 367 ipsec_algtype_t algtype;
367 368
368 369 ipsec_loader_destroy(ipss);
369 370
370 371 rw_enter(&ipss->ipsec_tunnel_policy_lock, RW_WRITER);
371 372 /*
372 373 * It's possible we can just ASSERT() the tree is empty. After all,
373 374 * we aren't called until IP is ready to unload (and presumably all
374 375 * tunnels have been unplumbed). But we'll play it safe for now, the
375 376 * loop will just exit immediately if it's empty.
376 377 */
377 378 cookie = NULL;
378 379 while ((node = (ipsec_tun_pol_t *)
379 380 avl_destroy_nodes(&ipss->ipsec_tunnel_policies,
380 381 &cookie)) != NULL) {
381 382 ITP_REFRELE(node, ns);
382 383 }
383 384 avl_destroy(&ipss->ipsec_tunnel_policies);
384 385 rw_exit(&ipss->ipsec_tunnel_policy_lock);
385 386 rw_destroy(&ipss->ipsec_tunnel_policy_lock);
386 387
387 388 ipsec_config_flush(ns);
388 389
389 390 ipsec_kstat_destroy(ipss);
390 391
391 392 ip_drop_unregister(&ipss->ipsec_dropper);
392 393
393 394 ip_drop_unregister(&ipss->ipsec_spd_dropper);
394 395 ip_drop_destroy(ipss);
395 396 /*
396 397 * Globals start with ref == 1 to prevent IPPH_REFRELE() from
397 398 * attempting to free them, hence they should have 1 now.
398 399 */
399 400 ipsec_polhead_destroy(&ipss->ipsec_system_policy);
400 401 ASSERT(ipss->ipsec_system_policy.iph_refs == 1);
401 402 ipsec_polhead_destroy(&ipss->ipsec_inactive_policy);
402 403 ASSERT(ipss->ipsec_inactive_policy.iph_refs == 1);
403 404
404 405 for (i = 0; i < IPSEC_ACTION_HASH_SIZE; i++) {
|
↓ open down ↓ |
371 lines elided |
↑ open up ↑ |
405 406 ipsec_action_free_table(ipss->ipsec_action_hash[i].hash_head);
406 407 ipss->ipsec_action_hash[i].hash_head = NULL;
407 408 mutex_destroy(&(ipss->ipsec_action_hash[i].hash_lock));
408 409 }
409 410
410 411 for (i = 0; i < ipss->ipsec_spd_hashsize; i++) {
411 412 ASSERT(ipss->ipsec_sel_hash[i].hash_head == NULL);
412 413 mutex_destroy(&(ipss->ipsec_sel_hash[i].hash_lock));
413 414 }
414 415
415 - mutex_enter(&ipss->ipsec_alg_lock);
416 + rw_enter(&ipss->ipsec_alg_lock, RW_WRITER);
416 417 for (algtype = 0; algtype < IPSEC_NALGTYPES; algtype ++) {
417 418 int nalgs = ipss->ipsec_nalgs[algtype];
418 419
419 420 for (i = 0; i < nalgs; i++) {
420 421 if (ipss->ipsec_alglists[algtype][i] != NULL)
421 422 ipsec_alg_unreg(algtype, i, ns);
422 423 }
423 424 }
424 - mutex_exit(&ipss->ipsec_alg_lock);
425 - mutex_destroy(&ipss->ipsec_alg_lock);
425 + rw_exit(&ipss->ipsec_alg_lock);
426 + rw_destroy(&ipss->ipsec_alg_lock);
426 427
427 428 ipsid_gc(ns);
428 429 ipsid_fini(ns);
429 430
430 431 (void) ipsec_free_tables(ipss);
431 432 kmem_free(ipss, sizeof (*ipss));
432 433 }
433 434
434 435 void
435 436 ipsec_policy_g_destroy(void)
436 437 {
437 438 kmem_cache_destroy(ipsec_action_cache);
438 439 kmem_cache_destroy(ipsec_sel_cache);
439 440 kmem_cache_destroy(ipsec_pol_cache);
440 441
441 442 ipsec_unregister_prov_update();
442 443
443 444 netstack_unregister(NS_IPSEC);
444 445 }
445 446
446 447
447 448 /*
448 449 * Free what ipsec_alloc_tables allocated.
449 450 * Called when table allocation fails to free the table.
450 451 */
451 452 static int
452 453 ipsec_free_tables(ipsec_stack_t *ipss)
453 454 {
454 455 int i;
455 456
456 457 if (ipss->ipsec_sel_hash != NULL) {
457 458 for (i = 0; i < ipss->ipsec_spd_hashsize; i++) {
458 459 ASSERT(ipss->ipsec_sel_hash[i].hash_head == NULL);
459 460 }
460 461 kmem_free(ipss->ipsec_sel_hash, ipss->ipsec_spd_hashsize *
461 462 sizeof (*ipss->ipsec_sel_hash));
462 463 ipss->ipsec_sel_hash = NULL;
463 464 ipss->ipsec_spd_hashsize = 0;
464 465 }
465 466 ipsec_polhead_free_table(&ipss->ipsec_system_policy);
466 467 ipsec_polhead_free_table(&ipss->ipsec_inactive_policy);
467 468
468 469 return (ENOMEM);
469 470 }
470 471
471 472 /*
472 473 * Attempt to allocate the tables in a single policy head.
473 474 * Return nonzero on failure after cleaning up any work in progress.
474 475 */
475 476 int
476 477 ipsec_alloc_table(ipsec_policy_head_t *iph, int nchains, int kmflag,
477 478 boolean_t global_cleanup, netstack_t *ns)
478 479 {
479 480 int dir;
480 481
481 482 for (dir = 0; dir < IPSEC_NTYPES; dir++) {
482 483 ipsec_policy_root_t *ipr = &iph->iph_root[dir];
483 484
484 485 ipr->ipr_nchains = nchains;
485 486 ipr->ipr_hash = kmem_zalloc(nchains *
486 487 sizeof (ipsec_policy_hash_t), kmflag);
487 488 if (ipr->ipr_hash == NULL)
488 489 return (global_cleanup ?
489 490 ipsec_free_tables(ns->netstack_ipsec) :
490 491 ENOMEM);
491 492 }
492 493 return (0);
493 494 }
494 495
495 496 /*
496 497 * Attempt to allocate the various tables. Return nonzero on failure
497 498 * after cleaning up any work in progress.
498 499 */
499 500 static int
500 501 ipsec_alloc_tables(int kmflag, netstack_t *ns)
501 502 {
502 503 int error;
503 504 ipsec_stack_t *ipss = ns->netstack_ipsec;
504 505
505 506 error = ipsec_alloc_table(&ipss->ipsec_system_policy,
506 507 ipss->ipsec_spd_hashsize, kmflag, B_TRUE, ns);
507 508 if (error != 0)
508 509 return (error);
509 510
510 511 error = ipsec_alloc_table(&ipss->ipsec_inactive_policy,
511 512 ipss->ipsec_spd_hashsize, kmflag, B_TRUE, ns);
512 513 if (error != 0)
513 514 return (error);
514 515
515 516 ipss->ipsec_sel_hash = kmem_zalloc(ipss->ipsec_spd_hashsize *
516 517 sizeof (*ipss->ipsec_sel_hash), kmflag);
517 518
518 519 if (ipss->ipsec_sel_hash == NULL)
519 520 return (ipsec_free_tables(ipss));
520 521
521 522 return (0);
522 523 }
523 524
524 525 /*
525 526 * After table allocation, initialize a policy head.
526 527 */
527 528 void
528 529 ipsec_polhead_init(ipsec_policy_head_t *iph, int nchains)
529 530 {
530 531 int dir, chain;
531 532
532 533 rw_init(&iph->iph_lock, NULL, RW_DEFAULT, NULL);
533 534 avl_create(&iph->iph_rulebyid, ipsec_policy_cmpbyid,
534 535 sizeof (ipsec_policy_t), offsetof(ipsec_policy_t, ipsp_byid));
535 536
536 537 for (dir = 0; dir < IPSEC_NTYPES; dir++) {
537 538 ipsec_policy_root_t *ipr = &iph->iph_root[dir];
538 539 ipr->ipr_nchains = nchains;
539 540
540 541 for (chain = 0; chain < nchains; chain++) {
541 542 mutex_init(&(ipr->ipr_hash[chain].hash_lock),
542 543 NULL, MUTEX_DEFAULT, NULL);
543 544 }
544 545 }
545 546 }
546 547
547 548 static boolean_t
548 549 ipsec_kstat_init(ipsec_stack_t *ipss)
549 550 {
550 551 ipss->ipsec_ksp = kstat_create_netstack("ip", 0, "ipsec_stat", "net",
551 552 KSTAT_TYPE_NAMED, sizeof (ipsec_kstats_t) / sizeof (kstat_named_t),
552 553 KSTAT_FLAG_PERSISTENT, ipss->ipsec_netstack->netstack_stackid);
553 554
554 555 if (ipss->ipsec_ksp == NULL || ipss->ipsec_ksp->ks_data == NULL)
555 556 return (B_FALSE);
556 557
557 558 ipss->ipsec_kstats = ipss->ipsec_ksp->ks_data;
558 559
559 560 #define KI(x) kstat_named_init(&ipss->ipsec_kstats->x, #x, KSTAT_DATA_UINT64)
560 561 KI(esp_stat_in_requests);
561 562 KI(esp_stat_in_discards);
562 563 KI(esp_stat_lookup_failure);
563 564 KI(ah_stat_in_requests);
564 565 KI(ah_stat_in_discards);
565 566 KI(ah_stat_lookup_failure);
566 567 KI(sadb_acquire_maxpackets);
567 568 KI(sadb_acquire_qhiwater);
568 569 #undef KI
569 570
570 571 kstat_install(ipss->ipsec_ksp);
571 572 return (B_TRUE);
572 573 }
573 574
574 575 static void
575 576 ipsec_kstat_destroy(ipsec_stack_t *ipss)
576 577 {
577 578 kstat_delete_netstack(ipss->ipsec_ksp,
578 579 ipss->ipsec_netstack->netstack_stackid);
579 580 ipss->ipsec_kstats = NULL;
580 581
581 582 }
582 583
583 584 /*
584 585 * Initialize the IPsec stack instance.
585 586 */
586 587 /* ARGSUSED */
587 588 static void *
588 589 ipsec_stack_init(netstackid_t stackid, netstack_t *ns)
589 590 {
590 591 ipsec_stack_t *ipss;
591 592 int i;
592 593
593 594 ipss = (ipsec_stack_t *)kmem_zalloc(sizeof (*ipss), KM_SLEEP);
594 595 ipss->ipsec_netstack = ns;
595 596
596 597 /*
597 598 * FIXME: netstack_ipsec is used by some of the routines we call
598 599 * below, but it isn't set until this routine returns.
599 600 * Either we introduce optional xxx_stack_alloc() functions
600 601 * that will be called by the netstack framework before xxx_stack_init,
601 602 * or we switch spd.c and sadb.c to operate on ipsec_stack_t
602 603 * (latter has some include file order issues for sadb.h, but makes
603 604 * sense if we merge some of the ipsec related stack_t's together.
604 605 */
605 606 ns->netstack_ipsec = ipss;
606 607
607 608 /*
608 609 * Make two attempts to allocate policy hash tables; try it at
609 610 * the "preferred" size (may be set in /etc/system) first,
610 611 * then fall back to the default size.
611 612 */
612 613 ipss->ipsec_spd_hashsize = (ipsec_spd_hashsize == 0) ?
613 614 IPSEC_SPDHASH_DEFAULT : ipsec_spd_hashsize;
614 615
615 616 if (ipsec_alloc_tables(KM_NOSLEEP, ns) != 0) {
616 617 cmn_err(CE_WARN,
617 618 "Unable to allocate %d entry IPsec policy hash table",
618 619 ipss->ipsec_spd_hashsize);
619 620 ipss->ipsec_spd_hashsize = IPSEC_SPDHASH_DEFAULT;
620 621 cmn_err(CE_WARN, "Falling back to %d entries",
621 622 ipss->ipsec_spd_hashsize);
622 623 (void) ipsec_alloc_tables(KM_SLEEP, ns);
623 624 }
624 625
625 626 /* Just set a default for tunnels. */
626 627 ipss->ipsec_tun_spd_hashsize = (tun_spd_hashsize == 0) ?
627 628 TUN_SPDHASH_DEFAULT : tun_spd_hashsize;
628 629
629 630 ipsid_init(ns);
630 631 /*
631 632 * Globals need ref == 1 to prevent IPPH_REFRELE() from attempting
632 633 * to free them.
633 634 */
634 635 ipss->ipsec_system_policy.iph_refs = 1;
635 636 ipss->ipsec_inactive_policy.iph_refs = 1;
636 637 ipsec_polhead_init(&ipss->ipsec_system_policy,
637 638 ipss->ipsec_spd_hashsize);
638 639 ipsec_polhead_init(&ipss->ipsec_inactive_policy,
639 640 ipss->ipsec_spd_hashsize);
640 641 rw_init(&ipss->ipsec_tunnel_policy_lock, NULL, RW_DEFAULT, NULL);
641 642 avl_create(&ipss->ipsec_tunnel_policies, tunnel_compare,
642 643 sizeof (ipsec_tun_pol_t), 0);
643 644
644 645 ipss->ipsec_next_policy_index = 1;
645 646
646 647 rw_init(&ipss->ipsec_system_policy.iph_lock, NULL, RW_DEFAULT, NULL);
|
↓ open down ↓ |
211 lines elided |
↑ open up ↑ |
647 648 rw_init(&ipss->ipsec_inactive_policy.iph_lock, NULL, RW_DEFAULT, NULL);
648 649
649 650 for (i = 0; i < IPSEC_ACTION_HASH_SIZE; i++)
650 651 mutex_init(&(ipss->ipsec_action_hash[i].hash_lock),
651 652 NULL, MUTEX_DEFAULT, NULL);
652 653
653 654 for (i = 0; i < ipss->ipsec_spd_hashsize; i++)
654 655 mutex_init(&(ipss->ipsec_sel_hash[i].hash_lock),
655 656 NULL, MUTEX_DEFAULT, NULL);
656 657
657 - mutex_init(&ipss->ipsec_alg_lock, NULL, MUTEX_DEFAULT, NULL);
658 + rw_init(&ipss->ipsec_alg_lock, NULL, RW_DEFAULT, NULL);
658 659 for (i = 0; i < IPSEC_NALGTYPES; i++) {
659 660 ipss->ipsec_nalgs[i] = 0;
660 661 }
661 662
662 663 ip_drop_init(ipss);
663 664 ip_drop_register(&ipss->ipsec_spd_dropper, "IPsec SPD");
664 665
665 666 /* IP's IPsec code calls the packet dropper */
666 667 ip_drop_register(&ipss->ipsec_dropper, "IP IPsec processing");
667 668
668 669 (void) ipsec_kstat_init(ipss);
669 670
670 671 ipsec_loader_init(ipss);
671 672 ipsec_loader_start(ipss);
672 673
673 674 return (ipss);
674 675 }
675 676
676 677 /* Global across all stack instances */
677 678 void
678 679 ipsec_policy_g_init(void)
679 680 {
680 681 ipsec_action_cache = kmem_cache_create("ipsec_actions",
681 682 sizeof (ipsec_action_t), _POINTER_ALIGNMENT, NULL, NULL,
682 683 ipsec_action_reclaim, NULL, NULL, 0);
683 684 ipsec_sel_cache = kmem_cache_create("ipsec_selectors",
684 685 sizeof (ipsec_sel_t), _POINTER_ALIGNMENT, NULL, NULL,
685 686 NULL, NULL, NULL, 0);
686 687 ipsec_pol_cache = kmem_cache_create("ipsec_policy",
687 688 sizeof (ipsec_policy_t), _POINTER_ALIGNMENT, NULL, NULL,
688 689 NULL, NULL, NULL, 0);
689 690
690 691 /*
691 692 * We want to be informed each time a stack is created or
692 693 * destroyed in the kernel, so we can maintain the
693 694 * set of ipsec_stack_t's.
694 695 */
695 696 netstack_register(NS_IPSEC, ipsec_stack_init, NULL, ipsec_stack_fini);
696 697 }
697 698
698 699 /*
699 700 * Sort algorithm lists.
700 701 *
701 702 * I may need to split this based on
702 703 * authentication/encryption, and I may wish to have an administrator
703 704 * configure this list. Hold on to some NDD variables...
704 705 *
705 706 * XXX For now, sort on minimum key size (GAG!). While minimum key size is
706 707 * not the ideal metric, it's the only quantifiable measure available.
707 708 * We need a better metric for sorting algorithms by preference.
708 709 */
709 710 static void
|
↓ open down ↓ |
42 lines elided |
↑ open up ↑ |
710 711 alg_insert_sortlist(enum ipsec_algtype at, uint8_t algid, netstack_t *ns)
711 712 {
712 713 ipsec_stack_t *ipss = ns->netstack_ipsec;
713 714 ipsec_alginfo_t *ai = ipss->ipsec_alglists[at][algid];
714 715 uint8_t holder, swap;
715 716 uint_t i;
716 717 uint_t count = ipss->ipsec_nalgs[at];
717 718 ASSERT(ai != NULL);
718 719 ASSERT(algid == ai->alg_id);
719 720
720 - ASSERT(MUTEX_HELD(&ipss->ipsec_alg_lock));
721 + ASSERT(RW_WRITE_HELD(&ipss->ipsec_alg_lock));
721 722
722 723 holder = algid;
723 724
724 725 for (i = 0; i < count - 1; i++) {
725 726 ipsec_alginfo_t *alt;
726 727
727 728 alt = ipss->ipsec_alglists[at][ipss->ipsec_sortlist[at][i]];
728 729 /*
729 730 * If you want to give precedence to newly added algs,
730 731 * add the = in the > comparison.
731 732 */
732 733 if ((holder != algid) || (ai->alg_minbits > alt->alg_minbits)) {
733 734 /* Swap sortlist[i] and holder. */
734 735 swap = ipss->ipsec_sortlist[at][i];
735 736 ipss->ipsec_sortlist[at][i] = holder;
736 737 holder = swap;
737 738 ai = alt;
738 739 } /* Else just continue. */
739 740 }
740 741
741 742 /* Store holder in last slot. */
742 743 ipss->ipsec_sortlist[at][i] = holder;
743 744 }
744 745
745 746 /*
746 747 * Remove an algorithm from a sorted algorithm list.
|
↓ open down ↓ |
16 lines elided |
↑ open up ↑ |
747 748 * This should be considerably easier, even with complex sorting.
748 749 */
749 750 static void
750 751 alg_remove_sortlist(enum ipsec_algtype at, uint8_t algid, netstack_t *ns)
751 752 {
752 753 boolean_t copyback = B_FALSE;
753 754 int i;
754 755 ipsec_stack_t *ipss = ns->netstack_ipsec;
755 756 int newcount = ipss->ipsec_nalgs[at];
756 757
757 - ASSERT(MUTEX_HELD(&ipss->ipsec_alg_lock));
758 + ASSERT(RW_WRITE_HELD(&ipss->ipsec_alg_lock));
758 759
759 760 for (i = 0; i <= newcount; i++) {
760 761 if (copyback) {
761 762 ipss->ipsec_sortlist[at][i-1] =
762 763 ipss->ipsec_sortlist[at][i];
763 764 } else if (ipss->ipsec_sortlist[at][i] == algid) {
764 765 copyback = B_TRUE;
765 766 }
766 767 }
767 768 }
768 769
769 770 /*
770 771 * Add the specified algorithm to the algorithm tables.
771 772 * Must be called while holding the algorithm table writer lock.
772 773 */
773 774 void
774 775 ipsec_alg_reg(ipsec_algtype_t algtype, ipsec_alginfo_t *alg, netstack_t *ns)
775 776 {
776 777 ipsec_stack_t *ipss = ns->netstack_ipsec;
777 778
778 - ASSERT(MUTEX_HELD(&ipss->ipsec_alg_lock));
779 + ASSERT(RW_WRITE_HELD(&ipss->ipsec_alg_lock));
779 780
780 781 ASSERT(ipss->ipsec_alglists[algtype][alg->alg_id] == NULL);
781 782 ipsec_alg_fix_min_max(alg, algtype, ns);
782 783 ipss->ipsec_alglists[algtype][alg->alg_id] = alg;
783 784
784 785 ipss->ipsec_nalgs[algtype]++;
785 786 alg_insert_sortlist(algtype, alg->alg_id, ns);
786 787 }
787 788
788 789 /*
789 790 * Remove the specified algorithm from the algorithm tables.
790 791 * Must be called while holding the algorithm table writer lock.
791 792 */
792 793 void
793 794 ipsec_alg_unreg(ipsec_algtype_t algtype, uint8_t algid, netstack_t *ns)
794 795 {
795 796 ipsec_stack_t *ipss = ns->netstack_ipsec;
796 797
797 - ASSERT(MUTEX_HELD(&ipss->ipsec_alg_lock));
798 + ASSERT(RW_WRITE_HELD(&ipss->ipsec_alg_lock));
798 799
799 800 ASSERT(ipss->ipsec_alglists[algtype][algid] != NULL);
800 801 ipsec_alg_free(ipss->ipsec_alglists[algtype][algid]);
801 802 ipss->ipsec_alglists[algtype][algid] = NULL;
802 803
803 804 ipss->ipsec_nalgs[algtype]--;
804 805 alg_remove_sortlist(algtype, algid, ns);
805 806 }
806 807
807 808 /*
808 809 * Hooks for spdsock to get a grip on system policy.
809 810 */
810 811
811 812 ipsec_policy_head_t *
812 813 ipsec_system_policy(netstack_t *ns)
813 814 {
814 815 ipsec_stack_t *ipss = ns->netstack_ipsec;
815 816 ipsec_policy_head_t *h = &ipss->ipsec_system_policy;
816 817
817 818 IPPH_REFHOLD(h);
818 819 return (h);
819 820 }
820 821
821 822 ipsec_policy_head_t *
822 823 ipsec_inactive_policy(netstack_t *ns)
823 824 {
824 825 ipsec_stack_t *ipss = ns->netstack_ipsec;
825 826 ipsec_policy_head_t *h = &ipss->ipsec_inactive_policy;
826 827
827 828 IPPH_REFHOLD(h);
828 829 return (h);
829 830 }
830 831
831 832 /*
832 833 * Lock inactive policy, then active policy, then exchange policy root
833 834 * pointers.
834 835 */
835 836 void
836 837 ipsec_swap_policy(ipsec_policy_head_t *active, ipsec_policy_head_t *inactive,
837 838 netstack_t *ns)
838 839 {
839 840 int af, dir;
840 841 avl_tree_t r1, r2;
841 842
842 843 rw_enter(&inactive->iph_lock, RW_WRITER);
843 844 rw_enter(&active->iph_lock, RW_WRITER);
844 845
845 846 r1 = active->iph_rulebyid;
846 847 r2 = inactive->iph_rulebyid;
847 848 active->iph_rulebyid = r2;
848 849 inactive->iph_rulebyid = r1;
849 850
850 851 for (dir = 0; dir < IPSEC_NTYPES; dir++) {
851 852 ipsec_policy_hash_t *h1, *h2;
852 853
853 854 h1 = active->iph_root[dir].ipr_hash;
854 855 h2 = inactive->iph_root[dir].ipr_hash;
855 856 active->iph_root[dir].ipr_hash = h2;
856 857 inactive->iph_root[dir].ipr_hash = h1;
857 858
858 859 for (af = 0; af < IPSEC_NAF; af++) {
859 860 ipsec_policy_t *t1, *t2;
860 861
861 862 t1 = active->iph_root[dir].ipr_nonhash[af];
862 863 t2 = inactive->iph_root[dir].ipr_nonhash[af];
863 864 active->iph_root[dir].ipr_nonhash[af] = t2;
864 865 inactive->iph_root[dir].ipr_nonhash[af] = t1;
865 866 if (t1 != NULL) {
866 867 t1->ipsp_hash.hash_pp =
867 868 &(inactive->iph_root[dir].ipr_nonhash[af]);
868 869 }
869 870 if (t2 != NULL) {
870 871 t2->ipsp_hash.hash_pp =
871 872 &(active->iph_root[dir].ipr_nonhash[af]);
872 873 }
873 874
874 875 }
875 876 }
876 877 active->iph_gen++;
877 878 inactive->iph_gen++;
878 879 ipsec_update_present_flags(ns->netstack_ipsec);
879 880 rw_exit(&active->iph_lock);
880 881 rw_exit(&inactive->iph_lock);
881 882 }
882 883
883 884 /*
884 885 * Swap global policy primary/secondary.
885 886 */
886 887 void
887 888 ipsec_swap_global_policy(netstack_t *ns)
888 889 {
889 890 ipsec_stack_t *ipss = ns->netstack_ipsec;
890 891
891 892 ipsec_swap_policy(&ipss->ipsec_system_policy,
892 893 &ipss->ipsec_inactive_policy, ns);
893 894 }
894 895
895 896 /*
896 897 * Clone one policy rule..
897 898 */
898 899 static ipsec_policy_t *
899 900 ipsec_copy_policy(const ipsec_policy_t *src)
900 901 {
901 902 ipsec_policy_t *dst = kmem_cache_alloc(ipsec_pol_cache, KM_NOSLEEP);
902 903
903 904 if (dst == NULL)
904 905 return (NULL);
905 906
906 907 /*
907 908 * Adjust refcounts of cloned state.
908 909 */
909 910 IPACT_REFHOLD(src->ipsp_act);
910 911 src->ipsp_sel->ipsl_refs++;
911 912
912 913 HASH_NULL(dst, ipsp_hash);
913 914 dst->ipsp_netstack = src->ipsp_netstack;
914 915 dst->ipsp_refs = 1;
915 916 dst->ipsp_sel = src->ipsp_sel;
916 917 dst->ipsp_act = src->ipsp_act;
917 918 dst->ipsp_prio = src->ipsp_prio;
918 919 dst->ipsp_index = src->ipsp_index;
919 920
920 921 return (dst);
921 922 }
922 923
923 924 void
924 925 ipsec_insert_always(avl_tree_t *tree, void *new_node)
925 926 {
926 927 void *node;
927 928 avl_index_t where;
928 929
929 930 node = avl_find(tree, new_node, &where);
930 931 ASSERT(node == NULL);
931 932 avl_insert(tree, new_node, where);
932 933 }
933 934
934 935
935 936 static int
936 937 ipsec_copy_chain(ipsec_policy_head_t *dph, ipsec_policy_t *src,
937 938 ipsec_policy_t **dstp)
938 939 {
939 940 for (; src != NULL; src = src->ipsp_hash.hash_next) {
940 941 ipsec_policy_t *dst = ipsec_copy_policy(src);
941 942 if (dst == NULL)
942 943 return (ENOMEM);
943 944
944 945 HASHLIST_INSERT(dst, ipsp_hash, *dstp);
945 946 ipsec_insert_always(&dph->iph_rulebyid, dst);
946 947 }
947 948 return (0);
948 949 }
949 950
950 951
951 952
952 953 /*
953 954 * Make one policy head look exactly like another.
954 955 *
955 956 * As with ipsec_swap_policy, we lock the destination policy head first, then
956 957 * the source policy head. Note that we only need to read-lock the source
957 958 * policy head as we are not changing it.
958 959 */
959 960 int
960 961 ipsec_copy_polhead(ipsec_policy_head_t *sph, ipsec_policy_head_t *dph,
961 962 netstack_t *ns)
962 963 {
963 964 int af, dir, chain, nchains;
964 965
965 966 rw_enter(&dph->iph_lock, RW_WRITER);
966 967
967 968 ipsec_polhead_flush(dph, ns);
968 969
969 970 rw_enter(&sph->iph_lock, RW_READER);
970 971
971 972 for (dir = 0; dir < IPSEC_NTYPES; dir++) {
972 973 ipsec_policy_root_t *dpr = &dph->iph_root[dir];
973 974 ipsec_policy_root_t *spr = &sph->iph_root[dir];
974 975 nchains = dpr->ipr_nchains;
975 976
976 977 ASSERT(dpr->ipr_nchains == spr->ipr_nchains);
977 978
978 979 for (af = 0; af < IPSEC_NAF; af++) {
979 980 if (ipsec_copy_chain(dph, spr->ipr_nonhash[af],
980 981 &dpr->ipr_nonhash[af]))
981 982 goto abort_copy;
982 983 }
983 984
984 985 for (chain = 0; chain < nchains; chain++) {
985 986 if (ipsec_copy_chain(dph,
986 987 spr->ipr_hash[chain].hash_head,
987 988 &dpr->ipr_hash[chain].hash_head))
988 989 goto abort_copy;
989 990 }
990 991 }
991 992
992 993 dph->iph_gen++;
993 994
994 995 rw_exit(&sph->iph_lock);
995 996 rw_exit(&dph->iph_lock);
996 997 return (0);
997 998
998 999 abort_copy:
999 1000 ipsec_polhead_flush(dph, ns);
1000 1001 rw_exit(&sph->iph_lock);
1001 1002 rw_exit(&dph->iph_lock);
1002 1003 return (ENOMEM);
1003 1004 }
1004 1005
1005 1006 /*
1006 1007 * Clone currently active policy to the inactive policy list.
1007 1008 */
1008 1009 int
1009 1010 ipsec_clone_system_policy(netstack_t *ns)
1010 1011 {
1011 1012 ipsec_stack_t *ipss = ns->netstack_ipsec;
1012 1013
1013 1014 return (ipsec_copy_polhead(&ipss->ipsec_system_policy,
1014 1015 &ipss->ipsec_inactive_policy, ns));
1015 1016 }
1016 1017
1017 1018 /*
1018 1019 * Extract the string from ipsec_policy_failure_msgs[type] and
1019 1020 * log it.
1020 1021 *
1021 1022 */
1022 1023 void
1023 1024 ipsec_log_policy_failure(int type, char *func_name, ipha_t *ipha, ip6_t *ip6h,
1024 1025 boolean_t secure, netstack_t *ns)
1025 1026 {
1026 1027 char sbuf[INET6_ADDRSTRLEN];
1027 1028 char dbuf[INET6_ADDRSTRLEN];
1028 1029 char *s;
1029 1030 char *d;
1030 1031 ipsec_stack_t *ipss = ns->netstack_ipsec;
1031 1032
1032 1033 ASSERT((ipha == NULL && ip6h != NULL) ||
1033 1034 (ip6h == NULL && ipha != NULL));
1034 1035
1035 1036 if (ipha != NULL) {
1036 1037 s = inet_ntop(AF_INET, &ipha->ipha_src, sbuf, sizeof (sbuf));
1037 1038 d = inet_ntop(AF_INET, &ipha->ipha_dst, dbuf, sizeof (dbuf));
1038 1039 } else {
1039 1040 s = inet_ntop(AF_INET6, &ip6h->ip6_src, sbuf, sizeof (sbuf));
1040 1041 d = inet_ntop(AF_INET6, &ip6h->ip6_dst, dbuf, sizeof (dbuf));
1041 1042
1042 1043 }
1043 1044
1044 1045 /* Always bump the policy failure counter. */
1045 1046 ipss->ipsec_policy_failure_count[type]++;
1046 1047
1047 1048 ipsec_rl_strlog(ns, IP_MOD_ID, 0, 0, SL_ERROR|SL_WARN|SL_CONSOLE,
1048 1049 ipsec_policy_failure_msgs[type], func_name,
1049 1050 (secure ? "secure" : "not secure"), s, d);
1050 1051 }
1051 1052
1052 1053 /*
1053 1054 * Rate-limiting front-end to strlog() for AH and ESP. Uses the ndd variables
1054 1055 * in /dev/ip and the same rate-limiting clock so that there's a single
1055 1056 * knob to turn to throttle the rate of messages.
1056 1057 */
1057 1058 void
1058 1059 ipsec_rl_strlog(netstack_t *ns, short mid, short sid, char level, ushort_t sl,
1059 1060 char *fmt, ...)
1060 1061 {
1061 1062 va_list adx;
1062 1063 hrtime_t current = gethrtime();
1063 1064 ip_stack_t *ipst = ns->netstack_ip;
1064 1065 ipsec_stack_t *ipss = ns->netstack_ipsec;
1065 1066
1066 1067 sl |= SL_CONSOLE;
1067 1068 /*
1068 1069 * Throttle logging to stop syslog from being swamped. If variable
1069 1070 * 'ipsec_policy_log_interval' is zero, don't log any messages at
1070 1071 * all, otherwise log only one message every 'ipsec_policy_log_interval'
1071 1072 * msec. Convert interval (in msec) to hrtime (in nsec).
1072 1073 */
1073 1074
1074 1075 if (ipst->ips_ipsec_policy_log_interval) {
1075 1076 if (ipss->ipsec_policy_failure_last +
1076 1077 MSEC2NSEC(ipst->ips_ipsec_policy_log_interval) <= current) {
1077 1078 va_start(adx, fmt);
1078 1079 (void) vstrlog(mid, sid, level, sl, fmt, adx);
1079 1080 va_end(adx);
1080 1081 ipss->ipsec_policy_failure_last = current;
1081 1082 }
1082 1083 }
1083 1084 }
1084 1085
1085 1086 void
1086 1087 ipsec_config_flush(netstack_t *ns)
1087 1088 {
1088 1089 ipsec_stack_t *ipss = ns->netstack_ipsec;
1089 1090
1090 1091 rw_enter(&ipss->ipsec_system_policy.iph_lock, RW_WRITER);
1091 1092 ipsec_polhead_flush(&ipss->ipsec_system_policy, ns);
1092 1093 ipss->ipsec_next_policy_index = 1;
1093 1094 rw_exit(&ipss->ipsec_system_policy.iph_lock);
1094 1095 ipsec_action_reclaim_stack(ipss);
1095 1096 }
1096 1097
1097 1098 /*
1098 1099 * Clip a policy's min/max keybits vs. the capabilities of the
1099 1100 * algorithm.
1100 1101 */
1101 1102 static void
1102 1103 act_alg_adjust(uint_t algtype, uint_t algid,
1103 1104 uint16_t *minbits, uint16_t *maxbits, netstack_t *ns)
1104 1105 {
1105 1106 ipsec_stack_t *ipss = ns->netstack_ipsec;
1106 1107 ipsec_alginfo_t *algp = ipss->ipsec_alglists[algtype][algid];
1107 1108
1108 1109 if (algp != NULL) {
1109 1110 /*
1110 1111 * If passed-in minbits is zero, we assume the caller trusts
1111 1112 * us with setting the minimum key size. We pick the
1112 1113 * algorithms DEFAULT key size for the minimum in this case.
1113 1114 */
1114 1115 if (*minbits == 0) {
1115 1116 *minbits = algp->alg_default_bits;
1116 1117 ASSERT(*minbits >= algp->alg_minbits);
1117 1118 } else {
1118 1119 *minbits = MAX(MIN(*minbits, algp->alg_maxbits),
1119 1120 algp->alg_minbits);
1120 1121 }
1121 1122 if (*maxbits == 0)
1122 1123 *maxbits = algp->alg_maxbits;
1123 1124 else
1124 1125 *maxbits = MIN(MAX(*maxbits, algp->alg_minbits),
1125 1126 algp->alg_maxbits);
1126 1127 ASSERT(*minbits <= *maxbits);
1127 1128 } else {
1128 1129 *minbits = 0;
1129 1130 *maxbits = 0;
1130 1131 }
1131 1132 }
1132 1133
1133 1134 /*
1134 1135 * Check an action's requested algorithms against the algorithms currently
1135 1136 * loaded in the system.
1136 1137 */
1137 1138 boolean_t
1138 1139 ipsec_check_action(ipsec_act_t *act, int *diag, netstack_t *ns)
1139 1140 {
1140 1141 ipsec_prot_t *ipp;
1141 1142 ipsec_stack_t *ipss = ns->netstack_ipsec;
1142 1143
1143 1144 ipp = &act->ipa_apply;
1144 1145
1145 1146 if (ipp->ipp_use_ah &&
1146 1147 ipss->ipsec_alglists[IPSEC_ALG_AUTH][ipp->ipp_auth_alg] == NULL) {
1147 1148 *diag = SPD_DIAGNOSTIC_UNSUPP_AH_ALG;
1148 1149 return (B_FALSE);
1149 1150 }
1150 1151 if (ipp->ipp_use_espa &&
1151 1152 ipss->ipsec_alglists[IPSEC_ALG_AUTH][ipp->ipp_esp_auth_alg] ==
1152 1153 NULL) {
1153 1154 *diag = SPD_DIAGNOSTIC_UNSUPP_ESP_AUTH_ALG;
1154 1155 return (B_FALSE);
1155 1156 }
1156 1157 if (ipp->ipp_use_esp &&
1157 1158 ipss->ipsec_alglists[IPSEC_ALG_ENCR][ipp->ipp_encr_alg] == NULL) {
1158 1159 *diag = SPD_DIAGNOSTIC_UNSUPP_ESP_ENCR_ALG;
1159 1160 return (B_FALSE);
1160 1161 }
1161 1162
1162 1163 act_alg_adjust(IPSEC_ALG_AUTH, ipp->ipp_auth_alg,
1163 1164 &ipp->ipp_ah_minbits, &ipp->ipp_ah_maxbits, ns);
1164 1165 act_alg_adjust(IPSEC_ALG_AUTH, ipp->ipp_esp_auth_alg,
1165 1166 &ipp->ipp_espa_minbits, &ipp->ipp_espa_maxbits, ns);
1166 1167 act_alg_adjust(IPSEC_ALG_ENCR, ipp->ipp_encr_alg,
1167 1168 &ipp->ipp_espe_minbits, &ipp->ipp_espe_maxbits, ns);
1168 1169
1169 1170 if (ipp->ipp_ah_minbits > ipp->ipp_ah_maxbits) {
1170 1171 *diag = SPD_DIAGNOSTIC_UNSUPP_AH_KEYSIZE;
1171 1172 return (B_FALSE);
1172 1173 }
1173 1174 if (ipp->ipp_espa_minbits > ipp->ipp_espa_maxbits) {
1174 1175 *diag = SPD_DIAGNOSTIC_UNSUPP_ESP_AUTH_KEYSIZE;
1175 1176 return (B_FALSE);
1176 1177 }
1177 1178 if (ipp->ipp_espe_minbits > ipp->ipp_espe_maxbits) {
1178 1179 *diag = SPD_DIAGNOSTIC_UNSUPP_ESP_ENCR_KEYSIZE;
1179 1180 return (B_FALSE);
1180 1181 }
1181 1182 /* TODO: sanity check lifetimes */
1182 1183 return (B_TRUE);
1183 1184 }
1184 1185
1185 1186 /*
1186 1187 * Set up a single action during wildcard expansion..
1187 1188 */
1188 1189 static void
1189 1190 ipsec_setup_act(ipsec_act_t *outact, ipsec_act_t *act,
1190 1191 uint_t auth_alg, uint_t encr_alg, uint_t eauth_alg, netstack_t *ns)
1191 1192 {
1192 1193 ipsec_prot_t *ipp;
1193 1194
1194 1195 *outact = *act;
1195 1196 ipp = &outact->ipa_apply;
1196 1197 ipp->ipp_auth_alg = (uint8_t)auth_alg;
1197 1198 ipp->ipp_encr_alg = (uint8_t)encr_alg;
1198 1199 ipp->ipp_esp_auth_alg = (uint8_t)eauth_alg;
1199 1200
1200 1201 act_alg_adjust(IPSEC_ALG_AUTH, auth_alg,
1201 1202 &ipp->ipp_ah_minbits, &ipp->ipp_ah_maxbits, ns);
1202 1203 act_alg_adjust(IPSEC_ALG_AUTH, eauth_alg,
1203 1204 &ipp->ipp_espa_minbits, &ipp->ipp_espa_maxbits, ns);
1204 1205 act_alg_adjust(IPSEC_ALG_ENCR, encr_alg,
1205 1206 &ipp->ipp_espe_minbits, &ipp->ipp_espe_maxbits, ns);
1206 1207 }
1207 1208
1208 1209 /*
1209 1210 * combinatoric expansion time: expand a wildcarded action into an
1210 1211 * array of wildcarded actions; we return the exploded action list,
1211 1212 * and return a count in *nact (output only).
1212 1213 */
1213 1214 static ipsec_act_t *
1214 1215 ipsec_act_wildcard_expand(ipsec_act_t *act, uint_t *nact, netstack_t *ns)
1215 1216 {
1216 1217 boolean_t use_ah, use_esp, use_espa;
1217 1218 boolean_t wild_auth, wild_encr, wild_eauth;
1218 1219 uint_t auth_alg, auth_idx, auth_min, auth_max;
1219 1220 uint_t eauth_alg, eauth_idx, eauth_min, eauth_max;
1220 1221 uint_t encr_alg, encr_idx, encr_min, encr_max;
1221 1222 uint_t action_count, ai;
1222 1223 ipsec_act_t *outact;
1223 1224 ipsec_stack_t *ipss = ns->netstack_ipsec;
1224 1225
1225 1226 if (act->ipa_type != IPSEC_ACT_APPLY) {
1226 1227 outact = kmem_alloc(sizeof (*act), KM_NOSLEEP);
1227 1228 *nact = 1;
1228 1229 if (outact != NULL)
1229 1230 bcopy(act, outact, sizeof (*act));
1230 1231 return (outact);
1231 1232 }
1232 1233 /*
1233 1234 * compute the combinatoric explosion..
1234 1235 *
1235 1236 * we assume a request for encr if esp_req is PREF_REQUIRED
1236 1237 * we assume a request for ah auth if ah_req is PREF_REQUIRED.
1237 1238 * we assume a request for esp auth if !ah and esp_req is PREF_REQUIRED
1238 1239 */
1239 1240
1240 1241 use_ah = act->ipa_apply.ipp_use_ah;
1241 1242 use_esp = act->ipa_apply.ipp_use_esp;
1242 1243 use_espa = act->ipa_apply.ipp_use_espa;
1243 1244 auth_alg = act->ipa_apply.ipp_auth_alg;
1244 1245 eauth_alg = act->ipa_apply.ipp_esp_auth_alg;
1245 1246 encr_alg = act->ipa_apply.ipp_encr_alg;
1246 1247
1247 1248 wild_auth = use_ah && (auth_alg == 0);
1248 1249 wild_eauth = use_espa && (eauth_alg == 0);
1249 1250 wild_encr = use_esp && (encr_alg == 0);
1250 1251
1251 1252 action_count = 1;
1252 1253 auth_min = auth_max = auth_alg;
1253 1254 eauth_min = eauth_max = eauth_alg;
1254 1255 encr_min = encr_max = encr_alg;
1255 1256
1256 1257 /*
1257 1258 * set up for explosion.. for each dimension, expand output
1258 1259 * size by the explosion factor.
1259 1260 *
1260 1261 * Don't include the "any" algorithms, if defined, as no
1261 1262 * kernel policies should be set for these algorithms.
1262 1263 */
1263 1264
1264 1265 #define SET_EXP_MINMAX(type, wild, alg, min, max, ipss) \
1265 1266 if (wild) { \
1266 1267 int nalgs = ipss->ipsec_nalgs[type]; \
1267 1268 if (ipss->ipsec_alglists[type][alg] != NULL) \
1268 1269 nalgs--; \
1269 1270 action_count *= nalgs; \
1270 1271 min = 0; \
1271 1272 max = ipss->ipsec_nalgs[type] - 1; \
1272 1273 }
1273 1274
1274 1275 SET_EXP_MINMAX(IPSEC_ALG_AUTH, wild_auth, SADB_AALG_NONE,
1275 1276 auth_min, auth_max, ipss);
1276 1277 SET_EXP_MINMAX(IPSEC_ALG_AUTH, wild_eauth, SADB_AALG_NONE,
1277 1278 eauth_min, eauth_max, ipss);
1278 1279 SET_EXP_MINMAX(IPSEC_ALG_ENCR, wild_encr, SADB_EALG_NONE,
1279 1280 encr_min, encr_max, ipss);
1280 1281
1281 1282 #undef SET_EXP_MINMAX
1282 1283
1283 1284 /*
1284 1285 * ok, allocate the whole mess..
1285 1286 */
1286 1287
1287 1288 outact = kmem_alloc(sizeof (*outact) * action_count, KM_NOSLEEP);
1288 1289 if (outact == NULL)
1289 1290 return (NULL);
1290 1291
1291 1292 /*
1292 1293 * Now compute all combinations. Note that non-wildcarded
1293 1294 * dimensions just get a single value from auth_min, while
1294 1295 * wildcarded dimensions indirect through the sortlist.
1295 1296 *
1296 1297 * We do encryption outermost since, at this time, there's
1297 1298 * greater difference in security and performance between
1298 1299 * encryption algorithms vs. authentication algorithms.
1299 1300 */
1300 1301
1301 1302 ai = 0;
1302 1303
1303 1304 #define WHICH_ALG(type, wild, idx, ipss) \
1304 1305 ((wild)?(ipss->ipsec_sortlist[type][idx]):(idx))
1305 1306
1306 1307 for (encr_idx = encr_min; encr_idx <= encr_max; encr_idx++) {
1307 1308 encr_alg = WHICH_ALG(IPSEC_ALG_ENCR, wild_encr, encr_idx, ipss);
1308 1309 if (wild_encr && encr_alg == SADB_EALG_NONE)
1309 1310 continue;
1310 1311 for (auth_idx = auth_min; auth_idx <= auth_max; auth_idx++) {
1311 1312 auth_alg = WHICH_ALG(IPSEC_ALG_AUTH, wild_auth,
1312 1313 auth_idx, ipss);
1313 1314 if (wild_auth && auth_alg == SADB_AALG_NONE)
1314 1315 continue;
1315 1316 for (eauth_idx = eauth_min; eauth_idx <= eauth_max;
1316 1317 eauth_idx++) {
1317 1318 eauth_alg = WHICH_ALG(IPSEC_ALG_AUTH,
1318 1319 wild_eauth, eauth_idx, ipss);
1319 1320 if (wild_eauth && eauth_alg == SADB_AALG_NONE)
1320 1321 continue;
1321 1322
1322 1323 ipsec_setup_act(&outact[ai], act,
1323 1324 auth_alg, encr_alg, eauth_alg, ns);
1324 1325 ai++;
1325 1326 }
1326 1327 }
1327 1328 }
1328 1329
1329 1330 #undef WHICH_ALG
1330 1331
1331 1332 ASSERT(ai == action_count);
1332 1333 *nact = action_count;
1333 1334 return (outact);
1334 1335 }
1335 1336
1336 1337 /*
1337 1338 * Extract the parts of an ipsec_prot_t from an old-style ipsec_req_t.
1338 1339 */
1339 1340 static void
1340 1341 ipsec_prot_from_req(const ipsec_req_t *req, ipsec_prot_t *ipp)
1341 1342 {
1342 1343 bzero(ipp, sizeof (*ipp));
1343 1344 /*
1344 1345 * ipp_use_* are bitfields. Look at "!!" in the following as a
1345 1346 * "boolean canonicalization" operator.
1346 1347 */
1347 1348 ipp->ipp_use_ah = !!(req->ipsr_ah_req & IPSEC_PREF_REQUIRED);
1348 1349 ipp->ipp_use_esp = !!(req->ipsr_esp_req & IPSEC_PREF_REQUIRED);
1349 1350 ipp->ipp_use_espa = !!(req->ipsr_esp_auth_alg);
1350 1351 ipp->ipp_use_se = !!(req->ipsr_self_encap_req & IPSEC_PREF_REQUIRED);
1351 1352 ipp->ipp_use_unique = !!((req->ipsr_ah_req|req->ipsr_esp_req) &
1352 1353 IPSEC_PREF_UNIQUE);
1353 1354 ipp->ipp_encr_alg = req->ipsr_esp_alg;
1354 1355 /*
1355 1356 * SADB_AALG_ANY is a placeholder to distinguish "any" from
1356 1357 * "none" above. If auth is required, as determined above,
1357 1358 * SADB_AALG_ANY becomes 0, which is the representation
1358 1359 * of "any" and "none" in PF_KEY v2.
1359 1360 */
1360 1361 ipp->ipp_auth_alg = (req->ipsr_auth_alg != SADB_AALG_ANY) ?
1361 1362 req->ipsr_auth_alg : 0;
1362 1363 ipp->ipp_esp_auth_alg = (req->ipsr_esp_auth_alg != SADB_AALG_ANY) ?
1363 1364 req->ipsr_esp_auth_alg : 0;
1364 1365 }
1365 1366
1366 1367 /*
1367 1368 * Extract a new-style action from a request.
1368 1369 */
1369 1370 void
1370 1371 ipsec_actvec_from_req(const ipsec_req_t *req, ipsec_act_t **actp, uint_t *nactp,
1371 1372 netstack_t *ns)
1372 1373 {
1373 1374 struct ipsec_act act;
1374 1375
1375 1376 bzero(&act, sizeof (act));
1376 1377 if ((req->ipsr_ah_req & IPSEC_PREF_NEVER) &&
1377 1378 (req->ipsr_esp_req & IPSEC_PREF_NEVER)) {
1378 1379 act.ipa_type = IPSEC_ACT_BYPASS;
1379 1380 } else {
1380 1381 act.ipa_type = IPSEC_ACT_APPLY;
1381 1382 ipsec_prot_from_req(req, &act.ipa_apply);
1382 1383 }
1383 1384 *actp = ipsec_act_wildcard_expand(&act, nactp, ns);
1384 1385 }
1385 1386
1386 1387 /*
1387 1388 * Convert a new-style "prot" back to an ipsec_req_t (more backwards compat).
1388 1389 * We assume caller has already zero'ed *req for us.
1389 1390 */
1390 1391 static int
1391 1392 ipsec_req_from_prot(ipsec_prot_t *ipp, ipsec_req_t *req)
1392 1393 {
1393 1394 req->ipsr_esp_alg = ipp->ipp_encr_alg;
1394 1395 req->ipsr_auth_alg = ipp->ipp_auth_alg;
1395 1396 req->ipsr_esp_auth_alg = ipp->ipp_esp_auth_alg;
1396 1397
1397 1398 if (ipp->ipp_use_unique) {
1398 1399 req->ipsr_ah_req |= IPSEC_PREF_UNIQUE;
1399 1400 req->ipsr_esp_req |= IPSEC_PREF_UNIQUE;
1400 1401 }
1401 1402 if (ipp->ipp_use_se)
1402 1403 req->ipsr_self_encap_req |= IPSEC_PREF_REQUIRED;
1403 1404 if (ipp->ipp_use_ah)
1404 1405 req->ipsr_ah_req |= IPSEC_PREF_REQUIRED;
1405 1406 if (ipp->ipp_use_esp)
1406 1407 req->ipsr_esp_req |= IPSEC_PREF_REQUIRED;
1407 1408 return (sizeof (*req));
1408 1409 }
1409 1410
1410 1411 /*
1411 1412 * Convert a new-style action back to an ipsec_req_t (more backwards compat).
1412 1413 * We assume caller has already zero'ed *req for us.
1413 1414 */
1414 1415 static int
1415 1416 ipsec_req_from_act(ipsec_action_t *ap, ipsec_req_t *req)
1416 1417 {
1417 1418 switch (ap->ipa_act.ipa_type) {
1418 1419 case IPSEC_ACT_BYPASS:
1419 1420 req->ipsr_ah_req = IPSEC_PREF_NEVER;
1420 1421 req->ipsr_esp_req = IPSEC_PREF_NEVER;
1421 1422 return (sizeof (*req));
1422 1423 case IPSEC_ACT_APPLY:
1423 1424 return (ipsec_req_from_prot(&ap->ipa_act.ipa_apply, req));
1424 1425 }
1425 1426 return (sizeof (*req));
1426 1427 }
1427 1428
1428 1429 /*
1429 1430 * Convert a new-style action back to an ipsec_req_t (more backwards compat).
1430 1431 * We assume caller has already zero'ed *req for us.
1431 1432 */
1432 1433 int
1433 1434 ipsec_req_from_head(ipsec_policy_head_t *ph, ipsec_req_t *req, int af)
1434 1435 {
1435 1436 ipsec_policy_t *p;
1436 1437
1437 1438 /*
1438 1439 * FULL-PERSOCK: consult hash table, too?
1439 1440 */
1440 1441 for (p = ph->iph_root[IPSEC_INBOUND].ipr_nonhash[af];
1441 1442 p != NULL;
1442 1443 p = p->ipsp_hash.hash_next) {
1443 1444 if ((p->ipsp_sel->ipsl_key.ipsl_valid & IPSL_WILDCARD) == 0)
1444 1445 return (ipsec_req_from_act(p->ipsp_act, req));
1445 1446 }
1446 1447 return (sizeof (*req));
1447 1448 }
1448 1449
1449 1450 /*
1450 1451 * Based on per-socket or latched policy, convert to an appropriate
1451 1452 * IP_SEC_OPT ipsec_req_t for the socket option; return size so we can
1452 1453 * be tail-called from ip.
1453 1454 */
1454 1455 int
1455 1456 ipsec_req_from_conn(conn_t *connp, ipsec_req_t *req, int af)
1456 1457 {
1457 1458 ipsec_latch_t *ipl;
1458 1459 int rv = sizeof (ipsec_req_t);
1459 1460
1460 1461 bzero(req, sizeof (*req));
1461 1462
1462 1463 ASSERT(MUTEX_HELD(&connp->conn_lock));
1463 1464 ipl = connp->conn_latch;
1464 1465
1465 1466 /*
1466 1467 * Find appropriate policy. First choice is latched action;
1467 1468 * failing that, see latched policy; failing that,
1468 1469 * look at configured policy.
1469 1470 */
1470 1471 if (ipl != NULL) {
1471 1472 if (connp->conn_latch_in_action != NULL) {
1472 1473 rv = ipsec_req_from_act(connp->conn_latch_in_action,
1473 1474 req);
1474 1475 goto done;
1475 1476 }
1476 1477 if (connp->conn_latch_in_policy != NULL) {
1477 1478 rv = ipsec_req_from_act(
1478 1479 connp->conn_latch_in_policy->ipsp_act, req);
1479 1480 goto done;
1480 1481 }
1481 1482 }
1482 1483 if (connp->conn_policy != NULL)
1483 1484 rv = ipsec_req_from_head(connp->conn_policy, req, af);
1484 1485 done:
1485 1486 return (rv);
1486 1487 }
1487 1488
1488 1489 void
1489 1490 ipsec_actvec_free(ipsec_act_t *act, uint_t nact)
1490 1491 {
1491 1492 kmem_free(act, nact * sizeof (*act));
1492 1493 }
1493 1494
1494 1495 /*
1495 1496 * Consumes a reference to ipsp.
1496 1497 */
1497 1498 static mblk_t *
1498 1499 ipsec_check_loopback_policy(mblk_t *data_mp, ip_recv_attr_t *ira,
1499 1500 ipsec_policy_t *ipsp)
1500 1501 {
1501 1502 if (!(ira->ira_flags & IRAF_IPSEC_SECURE))
1502 1503 return (data_mp);
1503 1504
1504 1505 ASSERT(ira->ira_flags & IRAF_LOOPBACK);
1505 1506
1506 1507 IPPOL_REFRELE(ipsp);
1507 1508
1508 1509 /*
1509 1510 * We should do an actual policy check here. Revisit this
1510 1511 * when we revisit the IPsec API. (And pass a conn_t in when we
1511 1512 * get there.)
1512 1513 */
1513 1514
1514 1515 return (data_mp);
1515 1516 }
1516 1517
1517 1518 /*
1518 1519 * Check that packet's inbound ports & proto match the selectors
1519 1520 * expected by the SAs it traversed on the way in.
1520 1521 */
1521 1522 static boolean_t
1522 1523 ipsec_check_ipsecin_unique(ip_recv_attr_t *ira, const char **reason,
1523 1524 kstat_named_t **counter, uint64_t pkt_unique, netstack_t *ns)
1524 1525 {
1525 1526 uint64_t ah_mask, esp_mask;
1526 1527 ipsa_t *ah_assoc;
1527 1528 ipsa_t *esp_assoc;
1528 1529 ipsec_stack_t *ipss = ns->netstack_ipsec;
1529 1530
1530 1531 ASSERT(ira->ira_flags & IRAF_IPSEC_SECURE);
1531 1532 ASSERT(!(ira->ira_flags & IRAF_LOOPBACK));
1532 1533
1533 1534 ah_assoc = ira->ira_ipsec_ah_sa;
1534 1535 esp_assoc = ira->ira_ipsec_esp_sa;
1535 1536 ASSERT((ah_assoc != NULL) || (esp_assoc != NULL));
1536 1537
1537 1538 ah_mask = (ah_assoc != NULL) ? ah_assoc->ipsa_unique_mask : 0;
1538 1539 esp_mask = (esp_assoc != NULL) ? esp_assoc->ipsa_unique_mask : 0;
1539 1540
1540 1541 if ((ah_mask == 0) && (esp_mask == 0))
1541 1542 return (B_TRUE);
1542 1543
1543 1544 /*
1544 1545 * The pkt_unique check will also check for tunnel mode on the SA
1545 1546 * vs. the tunneled_packet boolean. "Be liberal in what you receive"
1546 1547 * should not apply in this case. ;)
1547 1548 */
1548 1549
1549 1550 if (ah_mask != 0 &&
1550 1551 ah_assoc->ipsa_unique_id != (pkt_unique & ah_mask)) {
1551 1552 *reason = "AH inner header mismatch";
1552 1553 *counter = DROPPER(ipss, ipds_spd_ah_innermismatch);
1553 1554 return (B_FALSE);
1554 1555 }
1555 1556 if (esp_mask != 0 &&
1556 1557 esp_assoc->ipsa_unique_id != (pkt_unique & esp_mask)) {
1557 1558 *reason = "ESP inner header mismatch";
1558 1559 *counter = DROPPER(ipss, ipds_spd_esp_innermismatch);
1559 1560 return (B_FALSE);
1560 1561 }
1561 1562 return (B_TRUE);
1562 1563 }
1563 1564
1564 1565 static boolean_t
1565 1566 ipsec_check_ipsecin_action(ip_recv_attr_t *ira, mblk_t *mp, ipsec_action_t *ap,
1566 1567 ipha_t *ipha, ip6_t *ip6h, const char **reason, kstat_named_t **counter,
1567 1568 netstack_t *ns)
1568 1569 {
1569 1570 boolean_t ret = B_TRUE;
1570 1571 ipsec_prot_t *ipp;
1571 1572 ipsa_t *ah_assoc;
1572 1573 ipsa_t *esp_assoc;
1573 1574 boolean_t decaps;
1574 1575 ipsec_stack_t *ipss = ns->netstack_ipsec;
1575 1576
1576 1577 ASSERT((ipha == NULL && ip6h != NULL) ||
1577 1578 (ip6h == NULL && ipha != NULL));
1578 1579
1579 1580 if (ira->ira_flags & IRAF_LOOPBACK) {
1580 1581 /*
1581 1582 * Besides accepting pointer-equivalent actions, we also
1582 1583 * accept any ICMP errors we generated for ourselves,
1583 1584 * regardless of policy. If we do not wish to make this
1584 1585 * assumption in the future, check here, and where
1585 1586 * IXAF_TRUSTED_ICMP is initialized in ip.c and ip6.c.
1586 1587 */
1587 1588 if (ap == ira->ira_ipsec_action ||
1588 1589 (ira->ira_flags & IRAF_TRUSTED_ICMP))
1589 1590 return (B_TRUE);
1590 1591
1591 1592 /* Deep compare necessary here?? */
1592 1593 *counter = DROPPER(ipss, ipds_spd_loopback_mismatch);
1593 1594 *reason = "loopback policy mismatch";
1594 1595 return (B_FALSE);
1595 1596 }
1596 1597 ASSERT(!(ira->ira_flags & IRAF_TRUSTED_ICMP));
1597 1598 ASSERT(ira->ira_flags & IRAF_IPSEC_SECURE);
1598 1599
1599 1600 ah_assoc = ira->ira_ipsec_ah_sa;
1600 1601 esp_assoc = ira->ira_ipsec_esp_sa;
1601 1602
1602 1603 decaps = (ira->ira_flags & IRAF_IPSEC_DECAPS);
1603 1604
1604 1605 switch (ap->ipa_act.ipa_type) {
1605 1606 case IPSEC_ACT_DISCARD:
1606 1607 case IPSEC_ACT_REJECT:
1607 1608 /* Should "fail hard" */
1608 1609 *counter = DROPPER(ipss, ipds_spd_explicit);
1609 1610 *reason = "blocked by policy";
1610 1611 return (B_FALSE);
1611 1612
1612 1613 case IPSEC_ACT_BYPASS:
1613 1614 case IPSEC_ACT_CLEAR:
1614 1615 *counter = DROPPER(ipss, ipds_spd_got_secure);
1615 1616 *reason = "expected clear, got protected";
1616 1617 return (B_FALSE);
1617 1618
1618 1619 case IPSEC_ACT_APPLY:
1619 1620 ipp = &ap->ipa_act.ipa_apply;
1620 1621 /*
1621 1622 * As of now we do the simple checks of whether
1622 1623 * the datagram has gone through the required IPSEC
1623 1624 * protocol constraints or not. We might have more
1624 1625 * in the future like sensitive levels, key bits, etc.
1625 1626 * If it fails the constraints, check whether we would
1626 1627 * have accepted this if it had come in clear.
1627 1628 */
1628 1629 if (ipp->ipp_use_ah) {
1629 1630 if (ah_assoc == NULL) {
1630 1631 ret = ipsec_inbound_accept_clear(mp, ipha,
1631 1632 ip6h);
1632 1633 *counter = DROPPER(ipss, ipds_spd_got_clear);
1633 1634 *reason = "unprotected not accepted";
1634 1635 break;
1635 1636 }
1636 1637 ASSERT(ah_assoc != NULL);
1637 1638 ASSERT(ipp->ipp_auth_alg != 0);
1638 1639
1639 1640 if (ah_assoc->ipsa_auth_alg !=
1640 1641 ipp->ipp_auth_alg) {
1641 1642 *counter = DROPPER(ipss, ipds_spd_bad_ahalg);
1642 1643 *reason = "unacceptable ah alg";
1643 1644 ret = B_FALSE;
1644 1645 break;
1645 1646 }
1646 1647 } else if (ah_assoc != NULL) {
1647 1648 /*
1648 1649 * Don't allow this. Check IPSEC NOTE above
1649 1650 * ip_fanout_proto().
1650 1651 */
1651 1652 *counter = DROPPER(ipss, ipds_spd_got_ah);
1652 1653 *reason = "unexpected AH";
1653 1654 ret = B_FALSE;
1654 1655 break;
1655 1656 }
1656 1657 if (ipp->ipp_use_esp) {
1657 1658 if (esp_assoc == NULL) {
1658 1659 ret = ipsec_inbound_accept_clear(mp, ipha,
1659 1660 ip6h);
1660 1661 *counter = DROPPER(ipss, ipds_spd_got_clear);
1661 1662 *reason = "unprotected not accepted";
1662 1663 break;
1663 1664 }
1664 1665 ASSERT(esp_assoc != NULL);
1665 1666 ASSERT(ipp->ipp_encr_alg != 0);
1666 1667
1667 1668 if (esp_assoc->ipsa_encr_alg !=
1668 1669 ipp->ipp_encr_alg) {
1669 1670 *counter = DROPPER(ipss, ipds_spd_bad_espealg);
1670 1671 *reason = "unacceptable esp alg";
1671 1672 ret = B_FALSE;
1672 1673 break;
1673 1674 }
1674 1675 /*
1675 1676 * If the client does not need authentication,
1676 1677 * we don't verify the alogrithm.
1677 1678 */
1678 1679 if (ipp->ipp_use_espa) {
1679 1680 if (esp_assoc->ipsa_auth_alg !=
1680 1681 ipp->ipp_esp_auth_alg) {
1681 1682 *counter = DROPPER(ipss,
1682 1683 ipds_spd_bad_espaalg);
1683 1684 *reason = "unacceptable esp auth alg";
1684 1685 ret = B_FALSE;
1685 1686 break;
1686 1687 }
1687 1688 }
1688 1689 } else if (esp_assoc != NULL) {
1689 1690 /*
1690 1691 * Don't allow this. Check IPSEC NOTE above
1691 1692 * ip_fanout_proto().
1692 1693 */
1693 1694 *counter = DROPPER(ipss, ipds_spd_got_esp);
1694 1695 *reason = "unexpected ESP";
1695 1696 ret = B_FALSE;
1696 1697 break;
1697 1698 }
1698 1699 if (ipp->ipp_use_se) {
1699 1700 if (!decaps) {
1700 1701 ret = ipsec_inbound_accept_clear(mp, ipha,
1701 1702 ip6h);
1702 1703 if (!ret) {
1703 1704 /* XXX mutant? */
1704 1705 *counter = DROPPER(ipss,
1705 1706 ipds_spd_bad_selfencap);
1706 1707 *reason = "self encap not found";
1707 1708 break;
1708 1709 }
1709 1710 }
1710 1711 } else if (decaps) {
1711 1712 /*
1712 1713 * XXX If the packet comes in tunneled and the
1713 1714 * recipient does not expect it to be tunneled, it
1714 1715 * is okay. But we drop to be consistent with the
1715 1716 * other cases.
1716 1717 */
1717 1718 *counter = DROPPER(ipss, ipds_spd_got_selfencap);
1718 1719 *reason = "unexpected self encap";
1719 1720 ret = B_FALSE;
1720 1721 break;
1721 1722 }
1722 1723 if (ira->ira_ipsec_action != NULL) {
1723 1724 /*
1724 1725 * This can happen if we do a double policy-check on
1725 1726 * a packet
1726 1727 * XXX XXX should fix this case!
1727 1728 */
1728 1729 IPACT_REFRELE(ira->ira_ipsec_action);
1729 1730 }
1730 1731 ASSERT(ira->ira_flags & IRAF_IPSEC_SECURE);
1731 1732 ASSERT(ira->ira_ipsec_action == NULL);
1732 1733 IPACT_REFHOLD(ap);
1733 1734 ira->ira_ipsec_action = ap;
1734 1735 break; /* from switch */
1735 1736 }
1736 1737 return (ret);
1737 1738 }
1738 1739
1739 1740 static boolean_t
1740 1741 spd_match_inbound_ids(ipsec_latch_t *ipl, ipsa_t *sa)
1741 1742 {
1742 1743 ASSERT(ipl->ipl_ids_latched == B_TRUE);
1743 1744 return ipsid_equal(ipl->ipl_remote_cid, sa->ipsa_src_cid) &&
1744 1745 ipsid_equal(ipl->ipl_local_cid, sa->ipsa_dst_cid);
1745 1746 }
1746 1747
1747 1748 /*
1748 1749 * Takes a latched conn and an inbound packet and returns a unique_id suitable
1749 1750 * for SA comparisons. Most of the time we will copy from the conn_t, but
1750 1751 * there are cases when the conn_t is latched but it has wildcard selectors,
1751 1752 * and then we need to fallback to scooping them out of the packet.
1752 1753 *
1753 1754 * Assume we'll never have 0 with a conn_t present, so use 0 as a failure. We
1754 1755 * can get away with this because we only have non-zero ports/proto for
1755 1756 * latched conn_ts.
1756 1757 *
1757 1758 * Ideal candidate for an "inline" keyword, as we're JUST convoluted enough
1758 1759 * to not be a nice macro.
1759 1760 */
1760 1761 static uint64_t
1761 1762 conn_to_unique(conn_t *connp, mblk_t *data_mp, ipha_t *ipha, ip6_t *ip6h)
1762 1763 {
1763 1764 ipsec_selector_t sel;
1764 1765 uint8_t ulp = connp->conn_proto;
1765 1766
1766 1767 ASSERT(connp->conn_latch_in_policy != NULL);
1767 1768
1768 1769 if ((ulp == IPPROTO_TCP || ulp == IPPROTO_UDP || ulp == IPPROTO_SCTP) &&
1769 1770 (connp->conn_fport == 0 || connp->conn_lport == 0)) {
1770 1771 /* Slow path - we gotta grab from the packet. */
1771 1772 if (ipsec_init_inbound_sel(&sel, data_mp, ipha, ip6h,
1772 1773 SEL_NONE) != SELRET_SUCCESS) {
1773 1774 /* Failure -> have caller free packet with ENOMEM. */
1774 1775 return (0);
1775 1776 }
1776 1777 return (SA_UNIQUE_ID(sel.ips_remote_port, sel.ips_local_port,
1777 1778 sel.ips_protocol, 0));
1778 1779 }
1779 1780
1780 1781 #ifdef DEBUG_NOT_UNTIL_6478464
1781 1782 if (ipsec_init_inbound_sel(&sel, data_mp, ipha, ip6h, SEL_NONE) ==
1782 1783 SELRET_SUCCESS) {
1783 1784 ASSERT(sel.ips_local_port == connp->conn_lport);
1784 1785 ASSERT(sel.ips_remote_port == connp->conn_fport);
1785 1786 ASSERT(sel.ips_protocol == connp->conn_proto);
1786 1787 }
1787 1788 ASSERT(connp->conn_proto != 0);
1788 1789 #endif
1789 1790
1790 1791 return (SA_UNIQUE_ID(connp->conn_fport, connp->conn_lport, ulp, 0));
1791 1792 }
1792 1793
1793 1794 /*
1794 1795 * Called to check policy on a latched connection.
1795 1796 * Note that we don't dereference conn_latch or conn_ihere since the conn might
1796 1797 * be closing. The caller passes a held ipsec_latch_t instead.
1797 1798 */
1798 1799 static boolean_t
1799 1800 ipsec_check_ipsecin_latch(ip_recv_attr_t *ira, mblk_t *mp, ipsec_latch_t *ipl,
1800 1801 ipsec_action_t *ap, ipha_t *ipha, ip6_t *ip6h, const char **reason,
1801 1802 kstat_named_t **counter, conn_t *connp, netstack_t *ns)
1802 1803 {
1803 1804 ipsec_stack_t *ipss = ns->netstack_ipsec;
1804 1805
1805 1806 ASSERT(ipl->ipl_ids_latched == B_TRUE);
1806 1807 ASSERT(ira->ira_flags & IRAF_IPSEC_SECURE);
1807 1808
1808 1809 if (!(ira->ira_flags & IRAF_LOOPBACK)) {
1809 1810 /*
1810 1811 * Over loopback, there aren't real security associations,
1811 1812 * so there are neither identities nor "unique" values
1812 1813 * for us to check the packet against.
1813 1814 */
1814 1815 if (ira->ira_ipsec_ah_sa != NULL) {
1815 1816 if (!spd_match_inbound_ids(ipl,
1816 1817 ira->ira_ipsec_ah_sa)) {
1817 1818 *counter = DROPPER(ipss, ipds_spd_ah_badid);
1818 1819 *reason = "AH identity mismatch";
1819 1820 return (B_FALSE);
1820 1821 }
1821 1822 }
1822 1823
1823 1824 if (ira->ira_ipsec_esp_sa != NULL) {
1824 1825 if (!spd_match_inbound_ids(ipl,
1825 1826 ira->ira_ipsec_esp_sa)) {
1826 1827 *counter = DROPPER(ipss, ipds_spd_esp_badid);
1827 1828 *reason = "ESP identity mismatch";
1828 1829 return (B_FALSE);
1829 1830 }
1830 1831 }
1831 1832
1832 1833 /*
1833 1834 * Can fudge pkt_unique from connp because we're latched.
1834 1835 * In DEBUG kernels (see conn_to_unique()'s implementation),
1835 1836 * verify this even if it REALLY slows things down.
1836 1837 */
1837 1838 if (!ipsec_check_ipsecin_unique(ira, reason, counter,
1838 1839 conn_to_unique(connp, mp, ipha, ip6h), ns)) {
1839 1840 return (B_FALSE);
1840 1841 }
1841 1842 }
1842 1843 return (ipsec_check_ipsecin_action(ira, mp, ap, ipha, ip6h, reason,
1843 1844 counter, ns));
1844 1845 }
1845 1846
1846 1847 /*
1847 1848 * Check to see whether this secured datagram meets the policy
1848 1849 * constraints specified in ipsp.
1849 1850 *
1850 1851 * Called from ipsec_check_global_policy, and ipsec_check_inbound_policy.
1851 1852 *
1852 1853 * Consumes a reference to ipsp.
1853 1854 * Returns the mblk if ok.
1854 1855 */
1855 1856 static mblk_t *
1856 1857 ipsec_check_ipsecin_policy(mblk_t *data_mp, ipsec_policy_t *ipsp,
1857 1858 ipha_t *ipha, ip6_t *ip6h, uint64_t pkt_unique, ip_recv_attr_t *ira,
1858 1859 netstack_t *ns)
1859 1860 {
1860 1861 ipsec_action_t *ap;
1861 1862 const char *reason = "no policy actions found";
1862 1863 ip_stack_t *ipst = ns->netstack_ip;
1863 1864 ipsec_stack_t *ipss = ns->netstack_ipsec;
1864 1865 kstat_named_t *counter;
1865 1866
1866 1867 counter = DROPPER(ipss, ipds_spd_got_secure);
1867 1868
1868 1869 ASSERT(ipsp != NULL);
1869 1870
1870 1871 ASSERT((ipha == NULL && ip6h != NULL) ||
1871 1872 (ip6h == NULL && ipha != NULL));
1872 1873
1873 1874 if (ira->ira_flags & IRAF_LOOPBACK)
1874 1875 return (ipsec_check_loopback_policy(data_mp, ira, ipsp));
1875 1876
1876 1877 ASSERT(ira->ira_flags & IRAF_IPSEC_SECURE);
1877 1878
1878 1879 if (ira->ira_ipsec_action != NULL) {
1879 1880 /*
1880 1881 * this can happen if we do a double policy-check on a packet
1881 1882 * Would be nice to be able to delete this test..
1882 1883 */
1883 1884 IPACT_REFRELE(ira->ira_ipsec_action);
1884 1885 }
1885 1886 ASSERT(ira->ira_ipsec_action == NULL);
1886 1887
1887 1888 if (!SA_IDS_MATCH(ira->ira_ipsec_ah_sa, ira->ira_ipsec_esp_sa)) {
1888 1889 reason = "inbound AH and ESP identities differ";
1889 1890 counter = DROPPER(ipss, ipds_spd_ahesp_diffid);
1890 1891 goto drop;
1891 1892 }
1892 1893
1893 1894 if (!ipsec_check_ipsecin_unique(ira, &reason, &counter, pkt_unique,
1894 1895 ns))
1895 1896 goto drop;
1896 1897
1897 1898 /*
1898 1899 * Ok, now loop through the possible actions and see if any
1899 1900 * of them work for us.
1900 1901 */
1901 1902
1902 1903 for (ap = ipsp->ipsp_act; ap != NULL; ap = ap->ipa_next) {
1903 1904 if (ipsec_check_ipsecin_action(ira, data_mp, ap,
1904 1905 ipha, ip6h, &reason, &counter, ns)) {
1905 1906 BUMP_MIB(&ipst->ips_ip_mib, ipsecInSucceeded);
1906 1907 IPPOL_REFRELE(ipsp);
1907 1908 return (data_mp);
1908 1909 }
1909 1910 }
1910 1911 drop:
1911 1912 ipsec_rl_strlog(ns, IP_MOD_ID, 0, 0, SL_ERROR|SL_WARN|SL_CONSOLE,
1912 1913 "ipsec inbound policy mismatch: %s, packet dropped\n",
1913 1914 reason);
1914 1915 IPPOL_REFRELE(ipsp);
1915 1916 ASSERT(ira->ira_ipsec_action == NULL);
1916 1917 BUMP_MIB(&ipst->ips_ip_mib, ipsecInFailed);
1917 1918 ip_drop_packet(data_mp, B_TRUE, NULL, counter,
1918 1919 &ipss->ipsec_spd_dropper);
1919 1920 return (NULL);
1920 1921 }
1921 1922
1922 1923 /*
1923 1924 * sleazy prefix-length-based compare.
1924 1925 * another inlining candidate..
1925 1926 */
1926 1927 boolean_t
1927 1928 ip_addr_match(uint8_t *addr1, int pfxlen, in6_addr_t *addr2p)
1928 1929 {
1929 1930 int offset = pfxlen>>3;
1930 1931 int bitsleft = pfxlen & 7;
1931 1932 uint8_t *addr2 = (uint8_t *)addr2p;
1932 1933
1933 1934 /*
1934 1935 * and there was much evil..
1935 1936 * XXX should inline-expand the bcmp here and do this 32 bits
1936 1937 * or 64 bits at a time..
1937 1938 */
1938 1939 return ((bcmp(addr1, addr2, offset) == 0) &&
1939 1940 ((bitsleft == 0) ||
1940 1941 (((addr1[offset] ^ addr2[offset]) & (0xff<<(8-bitsleft))) == 0)));
1941 1942 }
1942 1943
1943 1944 static ipsec_policy_t *
1944 1945 ipsec_find_policy_chain(ipsec_policy_t *best, ipsec_policy_t *chain,
1945 1946 ipsec_selector_t *sel, boolean_t is_icmp_inv_acq)
1946 1947 {
1947 1948 ipsec_selkey_t *isel;
1948 1949 ipsec_policy_t *p;
1949 1950 int bpri = best ? best->ipsp_prio : 0;
1950 1951
1951 1952 for (p = chain; p != NULL; p = p->ipsp_hash.hash_next) {
1952 1953 uint32_t valid;
1953 1954
1954 1955 if (p->ipsp_prio <= bpri)
1955 1956 continue;
1956 1957 isel = &p->ipsp_sel->ipsl_key;
1957 1958 valid = isel->ipsl_valid;
1958 1959
1959 1960 if ((valid & IPSL_PROTOCOL) &&
1960 1961 (isel->ipsl_proto != sel->ips_protocol))
1961 1962 continue;
1962 1963
1963 1964 if ((valid & IPSL_REMOTE_ADDR) &&
1964 1965 !ip_addr_match((uint8_t *)&isel->ipsl_remote,
1965 1966 isel->ipsl_remote_pfxlen, &sel->ips_remote_addr_v6))
1966 1967 continue;
1967 1968
1968 1969 if ((valid & IPSL_LOCAL_ADDR) &&
1969 1970 !ip_addr_match((uint8_t *)&isel->ipsl_local,
1970 1971 isel->ipsl_local_pfxlen, &sel->ips_local_addr_v6))
1971 1972 continue;
1972 1973
1973 1974 if ((valid & IPSL_REMOTE_PORT) &&
1974 1975 isel->ipsl_rport != sel->ips_remote_port)
1975 1976 continue;
1976 1977
1977 1978 if ((valid & IPSL_LOCAL_PORT) &&
1978 1979 isel->ipsl_lport != sel->ips_local_port)
1979 1980 continue;
1980 1981
1981 1982 if (!is_icmp_inv_acq) {
1982 1983 if ((valid & IPSL_ICMP_TYPE) &&
1983 1984 (isel->ipsl_icmp_type > sel->ips_icmp_type ||
1984 1985 isel->ipsl_icmp_type_end < sel->ips_icmp_type)) {
1985 1986 continue;
1986 1987 }
1987 1988
1988 1989 if ((valid & IPSL_ICMP_CODE) &&
1989 1990 (isel->ipsl_icmp_code > sel->ips_icmp_code ||
1990 1991 isel->ipsl_icmp_code_end <
1991 1992 sel->ips_icmp_code)) {
1992 1993 continue;
1993 1994 }
1994 1995 } else {
1995 1996 /*
1996 1997 * special case for icmp inverse acquire
1997 1998 * we only want policies that aren't drop/pass
1998 1999 */
1999 2000 if (p->ipsp_act->ipa_act.ipa_type != IPSEC_ACT_APPLY)
2000 2001 continue;
2001 2002 }
2002 2003
2003 2004 /* we matched all the packet-port-field selectors! */
2004 2005 best = p;
2005 2006 bpri = p->ipsp_prio;
2006 2007 }
2007 2008
2008 2009 return (best);
2009 2010 }
2010 2011
2011 2012 /*
2012 2013 * Try to find and return the best policy entry under a given policy
2013 2014 * root for a given set of selectors; the first parameter "best" is
2014 2015 * the current best policy so far. If "best" is non-null, we have a
2015 2016 * reference to it. We return a reference to a policy; if that policy
2016 2017 * is not the original "best", we need to release that reference
2017 2018 * before returning.
2018 2019 */
2019 2020 ipsec_policy_t *
2020 2021 ipsec_find_policy_head(ipsec_policy_t *best, ipsec_policy_head_t *head,
2021 2022 int direction, ipsec_selector_t *sel)
2022 2023 {
2023 2024 ipsec_policy_t *curbest;
2024 2025 ipsec_policy_root_t *root;
2025 2026 uint8_t is_icmp_inv_acq = sel->ips_is_icmp_inv_acq;
2026 2027 int af = sel->ips_isv4 ? IPSEC_AF_V4 : IPSEC_AF_V6;
2027 2028
2028 2029 curbest = best;
2029 2030 root = &head->iph_root[direction];
2030 2031
2031 2032 #ifdef DEBUG
2032 2033 if (is_icmp_inv_acq) {
2033 2034 if (sel->ips_isv4) {
2034 2035 if (sel->ips_protocol != IPPROTO_ICMP) {
2035 2036 cmn_err(CE_WARN, "ipsec_find_policy_head:"
2036 2037 " expecting icmp, got %d",
2037 2038 sel->ips_protocol);
2038 2039 }
2039 2040 } else {
2040 2041 if (sel->ips_protocol != IPPROTO_ICMPV6) {
2041 2042 cmn_err(CE_WARN, "ipsec_find_policy_head:"
2042 2043 " expecting icmpv6, got %d",
2043 2044 sel->ips_protocol);
2044 2045 }
2045 2046 }
2046 2047 }
2047 2048 #endif
2048 2049
2049 2050 rw_enter(&head->iph_lock, RW_READER);
2050 2051
2051 2052 if (root->ipr_nchains > 0) {
2052 2053 curbest = ipsec_find_policy_chain(curbest,
2053 2054 root->ipr_hash[selector_hash(sel, root)].hash_head, sel,
2054 2055 is_icmp_inv_acq);
2055 2056 }
2056 2057 curbest = ipsec_find_policy_chain(curbest, root->ipr_nonhash[af], sel,
2057 2058 is_icmp_inv_acq);
2058 2059
2059 2060 /*
2060 2061 * Adjust reference counts if we found anything new.
2061 2062 */
2062 2063 if (curbest != best) {
2063 2064 ASSERT(curbest != NULL);
2064 2065 IPPOL_REFHOLD(curbest);
2065 2066
2066 2067 if (best != NULL) {
2067 2068 IPPOL_REFRELE(best);
2068 2069 }
2069 2070 }
2070 2071
2071 2072 rw_exit(&head->iph_lock);
2072 2073
2073 2074 return (curbest);
2074 2075 }
2075 2076
2076 2077 /*
2077 2078 * Find the best system policy (either global or per-interface) which
2078 2079 * applies to the given selector; look in all the relevant policy roots
2079 2080 * to figure out which policy wins.
2080 2081 *
2081 2082 * Returns a reference to a policy; caller must release this
2082 2083 * reference when done.
2083 2084 */
2084 2085 ipsec_policy_t *
2085 2086 ipsec_find_policy(int direction, const conn_t *connp, ipsec_selector_t *sel,
2086 2087 netstack_t *ns)
2087 2088 {
2088 2089 ipsec_policy_t *p;
2089 2090 ipsec_stack_t *ipss = ns->netstack_ipsec;
2090 2091
2091 2092 p = ipsec_find_policy_head(NULL, &ipss->ipsec_system_policy,
2092 2093 direction, sel);
2093 2094 if ((connp != NULL) && (connp->conn_policy != NULL)) {
2094 2095 p = ipsec_find_policy_head(p, connp->conn_policy,
2095 2096 direction, sel);
2096 2097 }
2097 2098
2098 2099 return (p);
2099 2100 }
2100 2101
2101 2102 /*
2102 2103 * Check with global policy and see whether this inbound
2103 2104 * packet meets the policy constraints.
2104 2105 *
2105 2106 * Locate appropriate policy from global policy, supplemented by the
2106 2107 * conn's configured and/or cached policy if the conn is supplied.
2107 2108 *
2108 2109 * Dispatch to ipsec_check_ipsecin_policy if we have policy and an
2109 2110 * encrypted packet to see if they match.
2110 2111 *
2111 2112 * Otherwise, see if the policy allows cleartext; if not, drop it on the
2112 2113 * floor.
2113 2114 */
2114 2115 mblk_t *
2115 2116 ipsec_check_global_policy(mblk_t *data_mp, conn_t *connp,
2116 2117 ipha_t *ipha, ip6_t *ip6h, ip_recv_attr_t *ira, netstack_t *ns)
2117 2118 {
2118 2119 ipsec_policy_t *p;
2119 2120 ipsec_selector_t sel;
2120 2121 boolean_t policy_present;
2121 2122 kstat_named_t *counter;
2122 2123 uint64_t pkt_unique;
2123 2124 ip_stack_t *ipst = ns->netstack_ip;
2124 2125 ipsec_stack_t *ipss = ns->netstack_ipsec;
2125 2126
2126 2127 sel.ips_is_icmp_inv_acq = 0;
2127 2128
2128 2129 ASSERT((ipha == NULL && ip6h != NULL) ||
2129 2130 (ip6h == NULL && ipha != NULL));
2130 2131
2131 2132 if (ipha != NULL)
2132 2133 policy_present = ipss->ipsec_inbound_v4_policy_present;
2133 2134 else
2134 2135 policy_present = ipss->ipsec_inbound_v6_policy_present;
2135 2136
2136 2137 if (!policy_present && connp == NULL) {
2137 2138 /*
2138 2139 * No global policy and no per-socket policy;
2139 2140 * just pass it back (but we shouldn't get here in that case)
2140 2141 */
2141 2142 return (data_mp);
2142 2143 }
2143 2144
2144 2145 /*
2145 2146 * If we have cached policy, use it.
2146 2147 * Otherwise consult system policy.
2147 2148 */
2148 2149 if ((connp != NULL) && (connp->conn_latch != NULL)) {
2149 2150 p = connp->conn_latch_in_policy;
2150 2151 if (p != NULL) {
2151 2152 IPPOL_REFHOLD(p);
2152 2153 }
2153 2154 /*
2154 2155 * Fudge sel for UNIQUE_ID setting below.
2155 2156 */
2156 2157 pkt_unique = conn_to_unique(connp, data_mp, ipha, ip6h);
2157 2158 } else {
2158 2159 /* Initialize the ports in the selector */
2159 2160 if (ipsec_init_inbound_sel(&sel, data_mp, ipha, ip6h,
2160 2161 SEL_NONE) == SELRET_NOMEM) {
2161 2162 /*
2162 2163 * Technically not a policy mismatch, but it is
2163 2164 * an internal failure.
2164 2165 */
2165 2166 ipsec_log_policy_failure(IPSEC_POLICY_MISMATCH,
2166 2167 "ipsec_init_inbound_sel", ipha, ip6h, B_TRUE, ns);
2167 2168 counter = DROPPER(ipss, ipds_spd_nomem);
2168 2169 goto fail;
2169 2170 }
2170 2171
2171 2172 /*
2172 2173 * Find the policy which best applies.
2173 2174 *
2174 2175 * If we find global policy, we should look at both
2175 2176 * local policy and global policy and see which is
2176 2177 * stronger and match accordingly.
2177 2178 *
2178 2179 * If we don't find a global policy, check with
2179 2180 * local policy alone.
2180 2181 */
2181 2182
2182 2183 p = ipsec_find_policy(IPSEC_TYPE_INBOUND, connp, &sel, ns);
2183 2184 pkt_unique = SA_UNIQUE_ID(sel.ips_remote_port,
2184 2185 sel.ips_local_port, sel.ips_protocol, 0);
2185 2186 }
2186 2187
2187 2188 if (p == NULL) {
2188 2189 if (!(ira->ira_flags & IRAF_IPSEC_SECURE)) {
2189 2190 /*
2190 2191 * We have no policy; default to succeeding.
2191 2192 * XXX paranoid system design doesn't do this.
2192 2193 */
2193 2194 BUMP_MIB(&ipst->ips_ip_mib, ipsecInSucceeded);
2194 2195 return (data_mp);
2195 2196 } else {
2196 2197 counter = DROPPER(ipss, ipds_spd_got_secure);
2197 2198 ipsec_log_policy_failure(IPSEC_POLICY_NOT_NEEDED,
2198 2199 "ipsec_check_global_policy", ipha, ip6h, B_TRUE,
2199 2200 ns);
2200 2201 goto fail;
2201 2202 }
2202 2203 }
2203 2204 if (ira->ira_flags & IRAF_IPSEC_SECURE) {
2204 2205 return (ipsec_check_ipsecin_policy(data_mp, p, ipha, ip6h,
2205 2206 pkt_unique, ira, ns));
2206 2207 }
2207 2208 if (p->ipsp_act->ipa_allow_clear) {
2208 2209 BUMP_MIB(&ipst->ips_ip_mib, ipsecInSucceeded);
2209 2210 IPPOL_REFRELE(p);
2210 2211 return (data_mp);
2211 2212 }
2212 2213 IPPOL_REFRELE(p);
2213 2214 /*
2214 2215 * If we reach here, we will drop the packet because it failed the
2215 2216 * global policy check because the packet was cleartext, and it
2216 2217 * should not have been.
2217 2218 */
2218 2219 ipsec_log_policy_failure(IPSEC_POLICY_MISMATCH,
2219 2220 "ipsec_check_global_policy", ipha, ip6h, B_FALSE, ns);
2220 2221 counter = DROPPER(ipss, ipds_spd_got_clear);
2221 2222
2222 2223 fail:
2223 2224 ip_drop_packet(data_mp, B_TRUE, NULL, counter,
2224 2225 &ipss->ipsec_spd_dropper);
2225 2226 BUMP_MIB(&ipst->ips_ip_mib, ipsecInFailed);
2226 2227 return (NULL);
2227 2228 }
2228 2229
2229 2230 /*
2230 2231 * We check whether an inbound datagram is a valid one
2231 2232 * to accept in clear. If it is secure, it is the job
2232 2233 * of IPSEC to log information appropriately if it
2233 2234 * suspects that it may not be the real one.
2234 2235 *
2235 2236 * It is called only while fanning out to the ULP
2236 2237 * where ULP accepts only secure data and the incoming
2237 2238 * is clear. Usually we never accept clear datagrams in
2238 2239 * such cases. ICMP is the only exception.
2239 2240 *
2240 2241 * NOTE : We don't call this function if the client (ULP)
2241 2242 * is willing to accept things in clear.
2242 2243 */
2243 2244 boolean_t
2244 2245 ipsec_inbound_accept_clear(mblk_t *mp, ipha_t *ipha, ip6_t *ip6h)
2245 2246 {
2246 2247 ushort_t iph_hdr_length;
2247 2248 icmph_t *icmph;
2248 2249 icmp6_t *icmp6;
2249 2250 uint8_t *nexthdrp;
2250 2251
2251 2252 ASSERT((ipha != NULL && ip6h == NULL) ||
2252 2253 (ipha == NULL && ip6h != NULL));
2253 2254
2254 2255 if (ip6h != NULL) {
2255 2256 iph_hdr_length = ip_hdr_length_v6(mp, ip6h);
2256 2257 if (!ip_hdr_length_nexthdr_v6(mp, ip6h, &iph_hdr_length,
2257 2258 &nexthdrp)) {
2258 2259 return (B_FALSE);
2259 2260 }
2260 2261 if (*nexthdrp != IPPROTO_ICMPV6)
2261 2262 return (B_FALSE);
2262 2263 icmp6 = (icmp6_t *)(&mp->b_rptr[iph_hdr_length]);
2263 2264 /* Match IPv6 ICMP policy as closely as IPv4 as possible. */
2264 2265 switch (icmp6->icmp6_type) {
2265 2266 case ICMP6_PARAM_PROB:
2266 2267 /* Corresponds to port/proto unreach in IPv4. */
2267 2268 case ICMP6_ECHO_REQUEST:
2268 2269 /* Just like IPv4. */
2269 2270 return (B_FALSE);
2270 2271
2271 2272 case MLD_LISTENER_QUERY:
2272 2273 case MLD_LISTENER_REPORT:
2273 2274 case MLD_LISTENER_REDUCTION:
2274 2275 /*
2275 2276 * XXX Seperate NDD in IPv4 what about here?
2276 2277 * Plus, mcast is important to ND.
2277 2278 */
2278 2279 case ICMP6_DST_UNREACH:
2279 2280 /* Corresponds to HOST/NET unreachable in IPv4. */
2280 2281 case ICMP6_PACKET_TOO_BIG:
2281 2282 case ICMP6_ECHO_REPLY:
2282 2283 /* These are trusted in IPv4. */
2283 2284 case ND_ROUTER_SOLICIT:
2284 2285 case ND_ROUTER_ADVERT:
2285 2286 case ND_NEIGHBOR_SOLICIT:
2286 2287 case ND_NEIGHBOR_ADVERT:
2287 2288 case ND_REDIRECT:
2288 2289 /* Trust ND messages for now. */
2289 2290 case ICMP6_TIME_EXCEEDED:
2290 2291 default:
2291 2292 return (B_TRUE);
2292 2293 }
2293 2294 } else {
2294 2295 /*
2295 2296 * If it is not ICMP, fail this request.
2296 2297 */
2297 2298 if (ipha->ipha_protocol != IPPROTO_ICMP) {
2298 2299 #ifdef FRAGCACHE_DEBUG
2299 2300 cmn_err(CE_WARN, "Dropping - ipha_proto = %d\n",
2300 2301 ipha->ipha_protocol);
2301 2302 #endif
2302 2303 return (B_FALSE);
2303 2304 }
2304 2305 iph_hdr_length = IPH_HDR_LENGTH(ipha);
2305 2306 icmph = (icmph_t *)&mp->b_rptr[iph_hdr_length];
2306 2307 /*
2307 2308 * It is an insecure icmp message. Check to see whether we are
2308 2309 * willing to accept this one.
2309 2310 */
2310 2311
2311 2312 switch (icmph->icmph_type) {
2312 2313 case ICMP_ECHO_REPLY:
2313 2314 case ICMP_TIME_STAMP_REPLY:
2314 2315 case ICMP_INFO_REPLY:
2315 2316 case ICMP_ROUTER_ADVERTISEMENT:
2316 2317 /*
2317 2318 * We should not encourage clear replies if this
2318 2319 * client expects secure. If somebody is replying
2319 2320 * in clear some mailicious user watching both the
2320 2321 * request and reply, can do chosen-plain-text attacks.
2321 2322 * With global policy we might be just expecting secure
2322 2323 * but sending out clear. We don't know what the right
2323 2324 * thing is. We can't do much here as we can't control
2324 2325 * the sender here. Till we are sure of what to do,
2325 2326 * accept them.
2326 2327 */
2327 2328 return (B_TRUE);
2328 2329 case ICMP_ECHO_REQUEST:
2329 2330 case ICMP_TIME_STAMP_REQUEST:
2330 2331 case ICMP_INFO_REQUEST:
2331 2332 case ICMP_ADDRESS_MASK_REQUEST:
2332 2333 case ICMP_ROUTER_SOLICITATION:
2333 2334 case ICMP_ADDRESS_MASK_REPLY:
2334 2335 /*
2335 2336 * Don't accept this as somebody could be sending
2336 2337 * us plain text to get encrypted data. If we reply,
2337 2338 * it will lead to chosen plain text attack.
2338 2339 */
2339 2340 return (B_FALSE);
2340 2341 case ICMP_DEST_UNREACHABLE:
2341 2342 switch (icmph->icmph_code) {
2342 2343 case ICMP_FRAGMENTATION_NEEDED:
2343 2344 /*
2344 2345 * Be in sync with icmp_inbound, where we have
2345 2346 * already set dce_pmtu
2346 2347 */
2347 2348 #ifdef FRAGCACHE_DEBUG
2348 2349 cmn_err(CE_WARN, "ICMP frag needed\n");
2349 2350 #endif
2350 2351 return (B_TRUE);
2351 2352 case ICMP_HOST_UNREACHABLE:
2352 2353 case ICMP_NET_UNREACHABLE:
2353 2354 /*
2354 2355 * By accepting, we could reset a connection.
2355 2356 * How do we solve the problem of some
2356 2357 * intermediate router sending in-secure ICMP
2357 2358 * messages ?
2358 2359 */
2359 2360 return (B_TRUE);
2360 2361 case ICMP_PORT_UNREACHABLE:
2361 2362 case ICMP_PROTOCOL_UNREACHABLE:
2362 2363 default :
2363 2364 return (B_FALSE);
2364 2365 }
2365 2366 case ICMP_SOURCE_QUENCH:
2366 2367 /*
2367 2368 * If this is an attack, TCP will slow start
2368 2369 * because of this. Is it very harmful ?
2369 2370 */
2370 2371 return (B_TRUE);
2371 2372 case ICMP_PARAM_PROBLEM:
2372 2373 return (B_FALSE);
2373 2374 case ICMP_TIME_EXCEEDED:
2374 2375 return (B_TRUE);
2375 2376 case ICMP_REDIRECT:
2376 2377 return (B_FALSE);
2377 2378 default :
2378 2379 return (B_FALSE);
2379 2380 }
2380 2381 }
2381 2382 }
2382 2383
2383 2384 void
2384 2385 ipsec_latch_ids(ipsec_latch_t *ipl, ipsid_t *local, ipsid_t *remote)
2385 2386 {
2386 2387 mutex_enter(&ipl->ipl_lock);
2387 2388
2388 2389 if (ipl->ipl_ids_latched) {
2389 2390 /* I lost, someone else got here before me */
2390 2391 mutex_exit(&ipl->ipl_lock);
2391 2392 return;
2392 2393 }
2393 2394
2394 2395 if (local != NULL)
2395 2396 IPSID_REFHOLD(local);
2396 2397 if (remote != NULL)
2397 2398 IPSID_REFHOLD(remote);
2398 2399
2399 2400 ipl->ipl_local_cid = local;
2400 2401 ipl->ipl_remote_cid = remote;
2401 2402 ipl->ipl_ids_latched = B_TRUE;
2402 2403 mutex_exit(&ipl->ipl_lock);
2403 2404 }
2404 2405
2405 2406 void
2406 2407 ipsec_latch_inbound(conn_t *connp, ip_recv_attr_t *ira)
2407 2408 {
2408 2409 ipsa_t *sa;
2409 2410 ipsec_latch_t *ipl = connp->conn_latch;
2410 2411
2411 2412 if (!ipl->ipl_ids_latched) {
2412 2413 ipsid_t *local = NULL;
2413 2414 ipsid_t *remote = NULL;
2414 2415
2415 2416 if (!(ira->ira_flags & IRAF_LOOPBACK)) {
2416 2417 ASSERT(ira->ira_flags & IRAF_IPSEC_SECURE);
2417 2418 if (ira->ira_ipsec_esp_sa != NULL)
2418 2419 sa = ira->ira_ipsec_esp_sa;
2419 2420 else
2420 2421 sa = ira->ira_ipsec_ah_sa;
2421 2422 ASSERT(sa != NULL);
2422 2423 local = sa->ipsa_dst_cid;
2423 2424 remote = sa->ipsa_src_cid;
2424 2425 }
2425 2426 ipsec_latch_ids(ipl, local, remote);
2426 2427 }
2427 2428 if (ira->ira_flags & IRAF_IPSEC_SECURE) {
2428 2429 if (connp->conn_latch_in_action != NULL) {
2429 2430 /*
2430 2431 * Previously cached action. This is probably
2431 2432 * harmless, but in DEBUG kernels, check for
2432 2433 * action equality.
2433 2434 *
2434 2435 * Preserve the existing action to preserve latch
2435 2436 * invariance.
2436 2437 */
2437 2438 ASSERT(connp->conn_latch_in_action ==
2438 2439 ira->ira_ipsec_action);
2439 2440 return;
2440 2441 }
2441 2442 connp->conn_latch_in_action = ira->ira_ipsec_action;
2442 2443 IPACT_REFHOLD(connp->conn_latch_in_action);
2443 2444 }
2444 2445 }
2445 2446
2446 2447 /*
2447 2448 * Check whether the policy constraints are met either for an
2448 2449 * inbound datagram; called from IP in numerous places.
2449 2450 *
2450 2451 * Note that this is not a chokepoint for inbound policy checks;
2451 2452 * see also ipsec_check_ipsecin_latch() and ipsec_check_global_policy()
2452 2453 */
2453 2454 mblk_t *
2454 2455 ipsec_check_inbound_policy(mblk_t *mp, conn_t *connp,
2455 2456 ipha_t *ipha, ip6_t *ip6h, ip_recv_attr_t *ira)
2456 2457 {
2457 2458 boolean_t ret;
2458 2459 ipsec_latch_t *ipl;
2459 2460 ipsec_action_t *ap;
2460 2461 uint64_t unique_id;
2461 2462 ipsec_stack_t *ipss;
2462 2463 ip_stack_t *ipst;
2463 2464 netstack_t *ns;
2464 2465 ipsec_policy_head_t *policy_head;
2465 2466 ipsec_policy_t *p = NULL;
2466 2467
2467 2468 ASSERT(connp != NULL);
2468 2469 ns = connp->conn_netstack;
2469 2470 ipss = ns->netstack_ipsec;
2470 2471 ipst = ns->netstack_ip;
2471 2472
2472 2473 if (!(ira->ira_flags & IRAF_IPSEC_SECURE)) {
2473 2474 /*
2474 2475 * This is the case where the incoming datagram is
2475 2476 * cleartext and we need to see whether this client
2476 2477 * would like to receive such untrustworthy things from
2477 2478 * the wire.
2478 2479 */
2479 2480 ASSERT(mp != NULL);
2480 2481
2481 2482 mutex_enter(&connp->conn_lock);
2482 2483 if (connp->conn_state_flags & CONN_CONDEMNED) {
2483 2484 mutex_exit(&connp->conn_lock);
2484 2485 ip_drop_packet(mp, B_TRUE, NULL,
2485 2486 DROPPER(ipss, ipds_spd_got_clear),
2486 2487 &ipss->ipsec_spd_dropper);
2487 2488 BUMP_MIB(&ipst->ips_ip_mib, ipsecInFailed);
2488 2489 return (NULL);
2489 2490 }
2490 2491 if (connp->conn_latch != NULL) {
2491 2492 /* Hold a reference in case the conn is closing */
2492 2493 p = connp->conn_latch_in_policy;
2493 2494 if (p != NULL)
2494 2495 IPPOL_REFHOLD(p);
2495 2496 mutex_exit(&connp->conn_lock);
2496 2497 /*
2497 2498 * Policy is cached in the conn.
2498 2499 */
2499 2500 if (p != NULL && !p->ipsp_act->ipa_allow_clear) {
2500 2501 ret = ipsec_inbound_accept_clear(mp,
2501 2502 ipha, ip6h);
2502 2503 if (ret) {
2503 2504 BUMP_MIB(&ipst->ips_ip_mib,
2504 2505 ipsecInSucceeded);
2505 2506 IPPOL_REFRELE(p);
2506 2507 return (mp);
2507 2508 } else {
2508 2509 ipsec_log_policy_failure(
2509 2510 IPSEC_POLICY_MISMATCH,
2510 2511 "ipsec_check_inbound_policy", ipha,
2511 2512 ip6h, B_FALSE, ns);
2512 2513 ip_drop_packet(mp, B_TRUE, NULL,
2513 2514 DROPPER(ipss, ipds_spd_got_clear),
2514 2515 &ipss->ipsec_spd_dropper);
2515 2516 BUMP_MIB(&ipst->ips_ip_mib,
2516 2517 ipsecInFailed);
2517 2518 IPPOL_REFRELE(p);
2518 2519 return (NULL);
2519 2520 }
2520 2521 } else {
2521 2522 BUMP_MIB(&ipst->ips_ip_mib, ipsecInSucceeded);
2522 2523 if (p != NULL)
2523 2524 IPPOL_REFRELE(p);
2524 2525 return (mp);
2525 2526 }
2526 2527 } else {
2527 2528 policy_head = connp->conn_policy;
2528 2529
2529 2530 /* Hold a reference in case the conn is closing */
2530 2531 if (policy_head != NULL)
2531 2532 IPPH_REFHOLD(policy_head);
2532 2533 mutex_exit(&connp->conn_lock);
2533 2534 /*
2534 2535 * As this is a non-hardbound connection we need
2535 2536 * to look at both per-socket policy and global
2536 2537 * policy.
2537 2538 */
2538 2539 mp = ipsec_check_global_policy(mp, connp,
2539 2540 ipha, ip6h, ira, ns);
2540 2541 if (policy_head != NULL)
2541 2542 IPPH_REFRELE(policy_head, ns);
2542 2543 return (mp);
2543 2544 }
2544 2545 }
2545 2546
2546 2547 mutex_enter(&connp->conn_lock);
2547 2548 /* Connection is closing */
2548 2549 if (connp->conn_state_flags & CONN_CONDEMNED) {
2549 2550 mutex_exit(&connp->conn_lock);
2550 2551 ip_drop_packet(mp, B_TRUE, NULL,
2551 2552 DROPPER(ipss, ipds_spd_got_clear),
2552 2553 &ipss->ipsec_spd_dropper);
2553 2554 BUMP_MIB(&ipst->ips_ip_mib, ipsecInFailed);
2554 2555 return (NULL);
2555 2556 }
2556 2557
2557 2558 /*
2558 2559 * Once a connection is latched it remains so for life, the conn_latch
2559 2560 * pointer on the conn has not changed, simply initializing ipl here
2560 2561 * as the earlier initialization was done only in the cleartext case.
2561 2562 */
2562 2563 if ((ipl = connp->conn_latch) == NULL) {
2563 2564 mblk_t *retmp;
2564 2565 policy_head = connp->conn_policy;
2565 2566
2566 2567 /* Hold a reference in case the conn is closing */
2567 2568 if (policy_head != NULL)
2568 2569 IPPH_REFHOLD(policy_head);
2569 2570 mutex_exit(&connp->conn_lock);
2570 2571 /*
2571 2572 * We don't have policies cached in the conn
2572 2573 * for this stream. So, look at the global
2573 2574 * policy. It will check against conn or global
2574 2575 * depending on whichever is stronger.
2575 2576 */
2576 2577 retmp = ipsec_check_global_policy(mp, connp,
2577 2578 ipha, ip6h, ira, ns);
2578 2579 if (policy_head != NULL)
2579 2580 IPPH_REFRELE(policy_head, ns);
2580 2581 return (retmp);
2581 2582 }
2582 2583
2583 2584 IPLATCH_REFHOLD(ipl);
2584 2585 /* Hold reference on conn_latch_in_action in case conn is closing */
2585 2586 ap = connp->conn_latch_in_action;
2586 2587 if (ap != NULL)
2587 2588 IPACT_REFHOLD(ap);
2588 2589 mutex_exit(&connp->conn_lock);
2589 2590
2590 2591 if (ap != NULL) {
2591 2592 /* Policy is cached & latched; fast(er) path */
2592 2593 const char *reason;
2593 2594 kstat_named_t *counter;
2594 2595
2595 2596 if (ipsec_check_ipsecin_latch(ira, mp, ipl, ap,
2596 2597 ipha, ip6h, &reason, &counter, connp, ns)) {
2597 2598 BUMP_MIB(&ipst->ips_ip_mib, ipsecInSucceeded);
2598 2599 IPLATCH_REFRELE(ipl);
2599 2600 IPACT_REFRELE(ap);
2600 2601 return (mp);
2601 2602 }
2602 2603 ipsec_rl_strlog(ns, IP_MOD_ID, 0, 0,
2603 2604 SL_ERROR|SL_WARN|SL_CONSOLE,
2604 2605 "ipsec inbound policy mismatch: %s, packet dropped\n",
2605 2606 reason);
2606 2607 ip_drop_packet(mp, B_TRUE, NULL, counter,
2607 2608 &ipss->ipsec_spd_dropper);
2608 2609 BUMP_MIB(&ipst->ips_ip_mib, ipsecInFailed);
2609 2610 IPLATCH_REFRELE(ipl);
2610 2611 IPACT_REFRELE(ap);
2611 2612 return (NULL);
2612 2613 }
2613 2614 if ((p = connp->conn_latch_in_policy) == NULL) {
2614 2615 ipsec_weird_null_inbound_policy++;
2615 2616 IPLATCH_REFRELE(ipl);
2616 2617 return (mp);
2617 2618 }
2618 2619
2619 2620 unique_id = conn_to_unique(connp, mp, ipha, ip6h);
2620 2621 IPPOL_REFHOLD(p);
2621 2622 mp = ipsec_check_ipsecin_policy(mp, p, ipha, ip6h, unique_id, ira, ns);
2622 2623 /*
2623 2624 * NOTE: ipsecIn{Failed,Succeeeded} bumped by
2624 2625 * ipsec_check_ipsecin_policy().
2625 2626 */
2626 2627 if (mp != NULL)
2627 2628 ipsec_latch_inbound(connp, ira);
2628 2629 IPLATCH_REFRELE(ipl);
2629 2630 return (mp);
2630 2631 }
2631 2632
2632 2633 /*
2633 2634 * Handle all sorts of cases like tunnel-mode and ICMP.
2634 2635 */
2635 2636 static int
2636 2637 prepended_length(mblk_t *mp, uintptr_t hptr)
2637 2638 {
2638 2639 int rc = 0;
2639 2640
2640 2641 while (mp != NULL) {
2641 2642 if (hptr >= (uintptr_t)mp->b_rptr && hptr <
2642 2643 (uintptr_t)mp->b_wptr) {
2643 2644 rc += (int)(hptr - (uintptr_t)mp->b_rptr);
2644 2645 break; /* out of while loop */
2645 2646 }
2646 2647 rc += (int)MBLKL(mp);
2647 2648 mp = mp->b_cont;
2648 2649 }
2649 2650
2650 2651 if (mp == NULL) {
2651 2652 /*
2652 2653 * IF (big IF) we make it here by naturally exiting the loop,
2653 2654 * then ip6h isn't in the mblk chain "mp" at all.
2654 2655 *
2655 2656 * The only case where this happens is with a reversed IP
2656 2657 * header that gets passed up by inbound ICMP processing.
2657 2658 * This unfortunately triggers longstanding bug 6478464. For
2658 2659 * now, just pass up 0 for the answer.
2659 2660 */
2660 2661 #ifdef DEBUG_NOT_UNTIL_6478464
2661 2662 ASSERT(mp != NULL);
2662 2663 #endif
2663 2664 rc = 0;
2664 2665 }
2665 2666
2666 2667 return (rc);
2667 2668 }
2668 2669
2669 2670 /*
2670 2671 * Returns:
2671 2672 *
2672 2673 * SELRET_NOMEM --> msgpullup() needed to gather things failed.
2673 2674 * SELRET_BADPKT --> If we're being called after tunnel-mode fragment
2674 2675 * gathering, the initial fragment is too short for
2675 2676 * useful data. Only returned if SEL_TUNNEL_FIRSTFRAG is
2676 2677 * set.
2677 2678 * SELRET_SUCCESS --> "sel" now has initialized IPsec selector data.
2678 2679 * SELRET_TUNFRAG --> This is a fragment in a tunnel-mode packet. Caller
2679 2680 * should put this packet in a fragment-gathering queue.
2680 2681 * Only returned if SEL_TUNNEL_MODE and SEL_PORT_POLICY
2681 2682 * is set.
2682 2683 *
2683 2684 * Note that ipha/ip6h can be in a different mblk (mp->b_cont) in the case
2684 2685 * of tunneled packets.
2685 2686 * Also, mp->b_rptr can be an ICMP error where ipha/ip6h is the packet in
2686 2687 * error past the ICMP error.
2687 2688 */
2688 2689 static selret_t
2689 2690 ipsec_init_inbound_sel(ipsec_selector_t *sel, mblk_t *mp, ipha_t *ipha,
2690 2691 ip6_t *ip6h, uint8_t sel_flags)
2691 2692 {
2692 2693 uint16_t *ports;
2693 2694 int outer_hdr_len = 0; /* For ICMP or tunnel-mode cases... */
2694 2695 ushort_t hdr_len;
2695 2696 mblk_t *spare_mp = NULL;
2696 2697 uint8_t *nexthdrp, *transportp;
2697 2698 uint8_t nexthdr;
2698 2699 uint8_t icmp_proto;
2699 2700 ip_pkt_t ipp;
2700 2701 boolean_t port_policy_present = (sel_flags & SEL_PORT_POLICY);
2701 2702 boolean_t is_icmp = (sel_flags & SEL_IS_ICMP);
2702 2703 boolean_t tunnel_mode = (sel_flags & SEL_TUNNEL_MODE);
2703 2704 boolean_t post_frag = (sel_flags & SEL_POST_FRAG);
2704 2705
2705 2706 ASSERT((ipha == NULL && ip6h != NULL) ||
2706 2707 (ipha != NULL && ip6h == NULL));
2707 2708
2708 2709 if (ip6h != NULL) {
2709 2710 outer_hdr_len = prepended_length(mp, (uintptr_t)ip6h);
2710 2711 nexthdr = ip6h->ip6_nxt;
2711 2712 icmp_proto = IPPROTO_ICMPV6;
2712 2713 sel->ips_isv4 = B_FALSE;
2713 2714 sel->ips_local_addr_v6 = ip6h->ip6_dst;
2714 2715 sel->ips_remote_addr_v6 = ip6h->ip6_src;
2715 2716
2716 2717 bzero(&ipp, sizeof (ipp));
2717 2718
2718 2719 switch (nexthdr) {
2719 2720 case IPPROTO_HOPOPTS:
2720 2721 case IPPROTO_ROUTING:
2721 2722 case IPPROTO_DSTOPTS:
2722 2723 case IPPROTO_FRAGMENT:
2723 2724 /*
2724 2725 * Use ip_hdr_length_nexthdr_v6(). And have a spare
2725 2726 * mblk that's contiguous to feed it
2726 2727 */
2727 2728 if ((spare_mp = msgpullup(mp, -1)) == NULL)
2728 2729 return (SELRET_NOMEM);
2729 2730 if (!ip_hdr_length_nexthdr_v6(spare_mp,
2730 2731 (ip6_t *)(spare_mp->b_rptr + outer_hdr_len),
2731 2732 &hdr_len, &nexthdrp)) {
2732 2733 /* Malformed packet - caller frees. */
2733 2734 ipsec_freemsg_chain(spare_mp);
2734 2735 return (SELRET_BADPKT);
2735 2736 }
2736 2737 /* Repopulate now that we have the whole packet */
2737 2738 ip6h = (ip6_t *)(spare_mp->b_rptr + outer_hdr_len);
2738 2739 (void) ip_find_hdr_v6(spare_mp, ip6h, B_FALSE, &ipp,
2739 2740 NULL);
2740 2741 nexthdr = *nexthdrp;
2741 2742 /* We can just extract based on hdr_len now. */
2742 2743 break;
2743 2744 default:
2744 2745 (void) ip_find_hdr_v6(mp, ip6h, B_FALSE, &ipp, NULL);
2745 2746 hdr_len = IPV6_HDR_LEN;
2746 2747 break;
2747 2748 }
2748 2749 if (port_policy_present && IS_V6_FRAGMENT(ipp) && !is_icmp) {
2749 2750 /* IPv6 Fragment */
2750 2751 ipsec_freemsg_chain(spare_mp);
2751 2752 return (SELRET_TUNFRAG);
2752 2753 }
2753 2754 transportp = (uint8_t *)ip6h + hdr_len;
2754 2755 } else {
2755 2756 outer_hdr_len = prepended_length(mp, (uintptr_t)ipha);
2756 2757 icmp_proto = IPPROTO_ICMP;
2757 2758 sel->ips_isv4 = B_TRUE;
2758 2759 sel->ips_local_addr_v4 = ipha->ipha_dst;
2759 2760 sel->ips_remote_addr_v4 = ipha->ipha_src;
2760 2761 nexthdr = ipha->ipha_protocol;
2761 2762 hdr_len = IPH_HDR_LENGTH(ipha);
2762 2763
2763 2764 if (port_policy_present &&
2764 2765 IS_V4_FRAGMENT(ipha->ipha_fragment_offset_and_flags) &&
2765 2766 !is_icmp) {
2766 2767 /* IPv4 Fragment */
2767 2768 ipsec_freemsg_chain(spare_mp);
2768 2769 return (SELRET_TUNFRAG);
2769 2770 }
2770 2771 transportp = (uint8_t *)ipha + hdr_len;
2771 2772 }
2772 2773 sel->ips_protocol = nexthdr;
2773 2774
2774 2775 if ((nexthdr != IPPROTO_TCP && nexthdr != IPPROTO_UDP &&
2775 2776 nexthdr != IPPROTO_SCTP && nexthdr != icmp_proto) ||
2776 2777 (!port_policy_present && !post_frag && tunnel_mode)) {
2777 2778 sel->ips_remote_port = sel->ips_local_port = 0;
2778 2779 ipsec_freemsg_chain(spare_mp);
2779 2780 return (SELRET_SUCCESS);
2780 2781 }
2781 2782
2782 2783 if (transportp + 4 > mp->b_wptr) {
2783 2784 /* If we didn't pullup a copy already, do so now. */
2784 2785 /*
2785 2786 * XXX performance, will upper-layers frequently split TCP/UDP
2786 2787 * apart from IP or options? If so, perhaps we should revisit
2787 2788 * the spare_mp strategy.
2788 2789 */
2789 2790 ipsec_hdr_pullup_needed++;
2790 2791 if (spare_mp == NULL &&
2791 2792 (spare_mp = msgpullup(mp, -1)) == NULL) {
2792 2793 return (SELRET_NOMEM);
2793 2794 }
2794 2795 transportp = &spare_mp->b_rptr[hdr_len + outer_hdr_len];
2795 2796 }
2796 2797
2797 2798 if (nexthdr == icmp_proto) {
2798 2799 sel->ips_icmp_type = *transportp++;
2799 2800 sel->ips_icmp_code = *transportp;
2800 2801 sel->ips_remote_port = sel->ips_local_port = 0;
2801 2802 } else {
2802 2803 ports = (uint16_t *)transportp;
2803 2804 sel->ips_remote_port = *ports++;
2804 2805 sel->ips_local_port = *ports;
2805 2806 }
2806 2807 ipsec_freemsg_chain(spare_mp);
2807 2808 return (SELRET_SUCCESS);
2808 2809 }
2809 2810
2810 2811 /*
2811 2812 * This is called with a b_next chain of messages from the fragcache code,
2812 2813 * hence it needs to discard a chain on error.
2813 2814 */
2814 2815 static boolean_t
2815 2816 ipsec_init_outbound_ports(ipsec_selector_t *sel, mblk_t *mp, ipha_t *ipha,
2816 2817 ip6_t *ip6h, int outer_hdr_len, ipsec_stack_t *ipss)
2817 2818 {
2818 2819 /*
2819 2820 * XXX cut&paste shared with ipsec_init_inbound_sel
2820 2821 */
2821 2822 uint16_t *ports;
2822 2823 ushort_t hdr_len;
2823 2824 mblk_t *spare_mp = NULL;
2824 2825 uint8_t *nexthdrp;
2825 2826 uint8_t nexthdr;
2826 2827 uint8_t *typecode;
2827 2828 uint8_t check_proto;
2828 2829
2829 2830 ASSERT((ipha == NULL && ip6h != NULL) ||
2830 2831 (ipha != NULL && ip6h == NULL));
2831 2832
2832 2833 if (ip6h != NULL) {
2833 2834 check_proto = IPPROTO_ICMPV6;
2834 2835 nexthdr = ip6h->ip6_nxt;
2835 2836 switch (nexthdr) {
2836 2837 case IPPROTO_HOPOPTS:
2837 2838 case IPPROTO_ROUTING:
2838 2839 case IPPROTO_DSTOPTS:
2839 2840 case IPPROTO_FRAGMENT:
2840 2841 /*
2841 2842 * Use ip_hdr_length_nexthdr_v6(). And have a spare
2842 2843 * mblk that's contiguous to feed it
2843 2844 */
2844 2845 spare_mp = msgpullup(mp, -1);
2845 2846 if (spare_mp == NULL ||
2846 2847 !ip_hdr_length_nexthdr_v6(spare_mp,
2847 2848 (ip6_t *)(spare_mp->b_rptr + outer_hdr_len),
2848 2849 &hdr_len, &nexthdrp)) {
2849 2850 /* Always works, even if NULL. */
2850 2851 ipsec_freemsg_chain(spare_mp);
2851 2852 ip_drop_packet_chain(mp, B_FALSE, NULL,
2852 2853 DROPPER(ipss, ipds_spd_nomem),
2853 2854 &ipss->ipsec_spd_dropper);
2854 2855 return (B_FALSE);
2855 2856 } else {
2856 2857 nexthdr = *nexthdrp;
2857 2858 /* We can just extract based on hdr_len now. */
2858 2859 }
2859 2860 break;
2860 2861 default:
2861 2862 hdr_len = IPV6_HDR_LEN;
2862 2863 break;
2863 2864 }
2864 2865 } else {
2865 2866 check_proto = IPPROTO_ICMP;
2866 2867 hdr_len = IPH_HDR_LENGTH(ipha);
2867 2868 nexthdr = ipha->ipha_protocol;
2868 2869 }
2869 2870
2870 2871 sel->ips_protocol = nexthdr;
2871 2872 if (nexthdr != IPPROTO_TCP && nexthdr != IPPROTO_UDP &&
2872 2873 nexthdr != IPPROTO_SCTP && nexthdr != check_proto) {
2873 2874 sel->ips_local_port = sel->ips_remote_port = 0;
2874 2875 ipsec_freemsg_chain(spare_mp); /* Always works, even if NULL */
2875 2876 return (B_TRUE);
2876 2877 }
2877 2878
2878 2879 if (&mp->b_rptr[hdr_len] + 4 + outer_hdr_len > mp->b_wptr) {
2879 2880 /* If we didn't pullup a copy already, do so now. */
2880 2881 /*
2881 2882 * XXX performance, will upper-layers frequently split TCP/UDP
2882 2883 * apart from IP or options? If so, perhaps we should revisit
2883 2884 * the spare_mp strategy.
2884 2885 *
2885 2886 * XXX should this be msgpullup(mp, hdr_len+4) ???
2886 2887 */
2887 2888 if (spare_mp == NULL &&
2888 2889 (spare_mp = msgpullup(mp, -1)) == NULL) {
2889 2890 ip_drop_packet_chain(mp, B_FALSE, NULL,
2890 2891 DROPPER(ipss, ipds_spd_nomem),
2891 2892 &ipss->ipsec_spd_dropper);
2892 2893 return (B_FALSE);
2893 2894 }
2894 2895 ports = (uint16_t *)&spare_mp->b_rptr[hdr_len + outer_hdr_len];
2895 2896 } else {
2896 2897 ports = (uint16_t *)&mp->b_rptr[hdr_len + outer_hdr_len];
2897 2898 }
2898 2899
2899 2900 if (nexthdr == check_proto) {
2900 2901 typecode = (uint8_t *)ports;
2901 2902 sel->ips_icmp_type = *typecode++;
2902 2903 sel->ips_icmp_code = *typecode;
2903 2904 sel->ips_remote_port = sel->ips_local_port = 0;
2904 2905 } else {
2905 2906 sel->ips_local_port = *ports++;
2906 2907 sel->ips_remote_port = *ports;
2907 2908 }
2908 2909 ipsec_freemsg_chain(spare_mp); /* Always works, even if NULL */
2909 2910 return (B_TRUE);
2910 2911 }
2911 2912
2912 2913 /*
2913 2914 * Prepend an mblk with a ipsec_crypto_t to the message chain.
2914 2915 * Frees the argument and returns NULL should the allocation fail.
2915 2916 * Returns the pointer to the crypto data part.
2916 2917 */
2917 2918 mblk_t *
2918 2919 ipsec_add_crypto_data(mblk_t *data_mp, ipsec_crypto_t **icp)
2919 2920 {
2920 2921 mblk_t *mp;
2921 2922
2922 2923 mp = allocb(sizeof (ipsec_crypto_t), BPRI_MED);
2923 2924 if (mp == NULL) {
2924 2925 freemsg(data_mp);
2925 2926 return (NULL);
2926 2927 }
2927 2928 bzero(mp->b_rptr, sizeof (ipsec_crypto_t));
2928 2929 mp->b_wptr += sizeof (ipsec_crypto_t);
2929 2930 mp->b_cont = data_mp;
2930 2931 mp->b_datap->db_type = M_EVENT; /* For ASSERT */
2931 2932 *icp = (ipsec_crypto_t *)mp->b_rptr;
2932 2933 return (mp);
2933 2934 }
2934 2935
2935 2936 /*
2936 2937 * Remove what was prepended above. Return b_cont and a pointer to the
2937 2938 * crypto data.
2938 2939 * The caller must call ipsec_free_crypto_data for mblk once it is done
2939 2940 * with the crypto data.
2940 2941 */
2941 2942 mblk_t *
2942 2943 ipsec_remove_crypto_data(mblk_t *crypto_mp, ipsec_crypto_t **icp)
2943 2944 {
2944 2945 ASSERT(crypto_mp->b_datap->db_type == M_EVENT);
2945 2946 ASSERT(MBLKL(crypto_mp) == sizeof (ipsec_crypto_t));
2946 2947
2947 2948 *icp = (ipsec_crypto_t *)crypto_mp->b_rptr;
2948 2949 return (crypto_mp->b_cont);
2949 2950 }
2950 2951
2951 2952 /*
2952 2953 * Free what was prepended above. Return b_cont.
2953 2954 */
2954 2955 mblk_t *
2955 2956 ipsec_free_crypto_data(mblk_t *crypto_mp)
2956 2957 {
2957 2958 mblk_t *mp;
2958 2959
2959 2960 ASSERT(crypto_mp->b_datap->db_type == M_EVENT);
2960 2961 ASSERT(MBLKL(crypto_mp) == sizeof (ipsec_crypto_t));
2961 2962
2962 2963 mp = crypto_mp->b_cont;
2963 2964 freeb(crypto_mp);
2964 2965 return (mp);
2965 2966 }
2966 2967
2967 2968 /*
2968 2969 * Create an ipsec_action_t based on the way an inbound packet was protected.
2969 2970 * Used to reflect traffic back to a sender.
2970 2971 *
2971 2972 * We don't bother interning the action into the hash table.
2972 2973 */
2973 2974 ipsec_action_t *
2974 2975 ipsec_in_to_out_action(ip_recv_attr_t *ira)
2975 2976 {
2976 2977 ipsa_t *ah_assoc, *esp_assoc;
2977 2978 uint_t auth_alg = 0, encr_alg = 0, espa_alg = 0;
2978 2979 ipsec_action_t *ap;
2979 2980 boolean_t unique;
2980 2981
2981 2982 ap = kmem_cache_alloc(ipsec_action_cache, KM_NOSLEEP);
2982 2983
2983 2984 if (ap == NULL)
2984 2985 return (NULL);
2985 2986
2986 2987 bzero(ap, sizeof (*ap));
2987 2988 HASH_NULL(ap, ipa_hash);
2988 2989 ap->ipa_next = NULL;
2989 2990 ap->ipa_refs = 1;
2990 2991
2991 2992 /*
2992 2993 * Get the algorithms that were used for this packet.
2993 2994 */
2994 2995 ap->ipa_act.ipa_type = IPSEC_ACT_APPLY;
2995 2996 ap->ipa_act.ipa_log = 0;
2996 2997 ASSERT(ira->ira_flags & IRAF_IPSEC_SECURE);
2997 2998
2998 2999 ah_assoc = ira->ira_ipsec_ah_sa;
2999 3000 ap->ipa_act.ipa_apply.ipp_use_ah = (ah_assoc != NULL);
3000 3001
3001 3002 esp_assoc = ira->ira_ipsec_esp_sa;
3002 3003 ap->ipa_act.ipa_apply.ipp_use_esp = (esp_assoc != NULL);
3003 3004
3004 3005 if (esp_assoc != NULL) {
3005 3006 encr_alg = esp_assoc->ipsa_encr_alg;
3006 3007 espa_alg = esp_assoc->ipsa_auth_alg;
3007 3008 ap->ipa_act.ipa_apply.ipp_use_espa = (espa_alg != 0);
3008 3009 }
3009 3010 if (ah_assoc != NULL)
3010 3011 auth_alg = ah_assoc->ipsa_auth_alg;
3011 3012
3012 3013 ap->ipa_act.ipa_apply.ipp_encr_alg = (uint8_t)encr_alg;
3013 3014 ap->ipa_act.ipa_apply.ipp_auth_alg = (uint8_t)auth_alg;
3014 3015 ap->ipa_act.ipa_apply.ipp_esp_auth_alg = (uint8_t)espa_alg;
3015 3016 ap->ipa_act.ipa_apply.ipp_use_se =
3016 3017 !!(ira->ira_flags & IRAF_IPSEC_DECAPS);
3017 3018 unique = B_FALSE;
3018 3019
3019 3020 if (esp_assoc != NULL) {
3020 3021 ap->ipa_act.ipa_apply.ipp_espa_minbits =
3021 3022 esp_assoc->ipsa_authkeybits;
3022 3023 ap->ipa_act.ipa_apply.ipp_espa_maxbits =
3023 3024 esp_assoc->ipsa_authkeybits;
3024 3025 ap->ipa_act.ipa_apply.ipp_espe_minbits =
3025 3026 esp_assoc->ipsa_encrkeybits;
3026 3027 ap->ipa_act.ipa_apply.ipp_espe_maxbits =
3027 3028 esp_assoc->ipsa_encrkeybits;
3028 3029 ap->ipa_act.ipa_apply.ipp_km_proto = esp_assoc->ipsa_kmp;
3029 3030 ap->ipa_act.ipa_apply.ipp_km_cookie = esp_assoc->ipsa_kmc;
3030 3031 if (esp_assoc->ipsa_flags & IPSA_F_UNIQUE)
3031 3032 unique = B_TRUE;
3032 3033 }
3033 3034 if (ah_assoc != NULL) {
3034 3035 ap->ipa_act.ipa_apply.ipp_ah_minbits =
3035 3036 ah_assoc->ipsa_authkeybits;
3036 3037 ap->ipa_act.ipa_apply.ipp_ah_maxbits =
3037 3038 ah_assoc->ipsa_authkeybits;
3038 3039 ap->ipa_act.ipa_apply.ipp_km_proto = ah_assoc->ipsa_kmp;
3039 3040 ap->ipa_act.ipa_apply.ipp_km_cookie = ah_assoc->ipsa_kmc;
3040 3041 if (ah_assoc->ipsa_flags & IPSA_F_UNIQUE)
3041 3042 unique = B_TRUE;
3042 3043 }
3043 3044 ap->ipa_act.ipa_apply.ipp_use_unique = unique;
3044 3045 ap->ipa_want_unique = unique;
3045 3046 ap->ipa_allow_clear = B_FALSE;
3046 3047 ap->ipa_want_se = !!(ira->ira_flags & IRAF_IPSEC_DECAPS);
3047 3048 ap->ipa_want_ah = (ah_assoc != NULL);
3048 3049 ap->ipa_want_esp = (esp_assoc != NULL);
3049 3050
3050 3051 ap->ipa_ovhd = ipsec_act_ovhd(&ap->ipa_act);
3051 3052
3052 3053 ap->ipa_act.ipa_apply.ipp_replay_depth = 0; /* don't care */
3053 3054
3054 3055 return (ap);
3055 3056 }
3056 3057
3057 3058
3058 3059 /*
3059 3060 * Compute the worst-case amount of extra space required by an action.
3060 3061 * Note that, because of the ESP considerations listed below, this is
3061 3062 * actually not the same as the best-case reduction in the MTU; in the
3062 3063 * future, we should pass additional information to this function to
3063 3064 * allow the actual MTU impact to be computed.
3064 3065 *
3065 3066 * AH: Revisit this if we implement algorithms with
3066 3067 * a verifier size of more than 12 bytes.
3067 3068 *
3068 3069 * ESP: A more exact but more messy computation would take into
3069 3070 * account the interaction between the cipher block size and the
3070 3071 * effective MTU, yielding the inner payload size which reflects a
3071 3072 * packet with *minimum* ESP padding..
3072 3073 */
3073 3074 int32_t
3074 3075 ipsec_act_ovhd(const ipsec_act_t *act)
3075 3076 {
3076 3077 int32_t overhead = 0;
3077 3078
3078 3079 if (act->ipa_type == IPSEC_ACT_APPLY) {
3079 3080 const ipsec_prot_t *ipp = &act->ipa_apply;
3080 3081
3081 3082 if (ipp->ipp_use_ah)
3082 3083 overhead += IPSEC_MAX_AH_HDR_SIZE;
3083 3084 if (ipp->ipp_use_esp) {
3084 3085 overhead += IPSEC_MAX_ESP_HDR_SIZE;
3085 3086 overhead += sizeof (struct udphdr);
3086 3087 }
3087 3088 if (ipp->ipp_use_se)
3088 3089 overhead += IP_SIMPLE_HDR_LENGTH;
3089 3090 }
3090 3091 return (overhead);
3091 3092 }
3092 3093
3093 3094 /*
3094 3095 * This hash function is used only when creating policies and thus is not
3095 3096 * performance-critical for packet flows.
3096 3097 *
3097 3098 * Future work: canonicalize the structures hashed with this (i.e.,
3098 3099 * zeroize padding) so the hash works correctly.
3099 3100 */
3100 3101 /* ARGSUSED */
3101 3102 static uint32_t
3102 3103 policy_hash(int size, const void *start, const void *end)
3103 3104 {
3104 3105 return (0);
3105 3106 }
3106 3107
3107 3108
3108 3109 /*
3109 3110 * Hash function macros for each address type.
3110 3111 *
3111 3112 * The IPV6 hash function assumes that the low order 32-bits of the
3112 3113 * address (typically containing the low order 24 bits of the mac
3113 3114 * address) are reasonably well-distributed. Revisit this if we run
3114 3115 * into trouble from lots of collisions on ::1 addresses and the like
3115 3116 * (seems unlikely).
3116 3117 */
3117 3118 #define IPSEC_IPV4_HASH(a, n) ((a) % (n))
3118 3119 #define IPSEC_IPV6_HASH(a, n) (((a).s6_addr32[3]) % (n))
3119 3120
3120 3121 /*
3121 3122 * These two hash functions should produce coordinated values
3122 3123 * but have slightly different roles.
3123 3124 */
3124 3125 static uint32_t
3125 3126 selkey_hash(const ipsec_selkey_t *selkey, netstack_t *ns)
3126 3127 {
3127 3128 uint32_t valid = selkey->ipsl_valid;
3128 3129 ipsec_stack_t *ipss = ns->netstack_ipsec;
3129 3130
3130 3131 if (!(valid & IPSL_REMOTE_ADDR))
3131 3132 return (IPSEC_SEL_NOHASH);
3132 3133
3133 3134 if (valid & IPSL_IPV4) {
3134 3135 if (selkey->ipsl_remote_pfxlen == 32) {
3135 3136 return (IPSEC_IPV4_HASH(selkey->ipsl_remote.ipsad_v4,
3136 3137 ipss->ipsec_spd_hashsize));
3137 3138 }
3138 3139 }
3139 3140 if (valid & IPSL_IPV6) {
3140 3141 if (selkey->ipsl_remote_pfxlen == 128) {
3141 3142 return (IPSEC_IPV6_HASH(selkey->ipsl_remote.ipsad_v6,
3142 3143 ipss->ipsec_spd_hashsize));
3143 3144 }
3144 3145 }
3145 3146 return (IPSEC_SEL_NOHASH);
3146 3147 }
3147 3148
3148 3149 static uint32_t
3149 3150 selector_hash(ipsec_selector_t *sel, ipsec_policy_root_t *root)
3150 3151 {
3151 3152 if (sel->ips_isv4) {
3152 3153 return (IPSEC_IPV4_HASH(sel->ips_remote_addr_v4,
3153 3154 root->ipr_nchains));
3154 3155 }
3155 3156 return (IPSEC_IPV6_HASH(sel->ips_remote_addr_v6, root->ipr_nchains));
3156 3157 }
3157 3158
3158 3159 /*
3159 3160 * Intern actions into the action hash table.
3160 3161 */
3161 3162 ipsec_action_t *
3162 3163 ipsec_act_find(const ipsec_act_t *a, int n, netstack_t *ns)
3163 3164 {
3164 3165 int i;
3165 3166 uint32_t hval;
3166 3167 ipsec_action_t *ap;
3167 3168 ipsec_action_t *prev = NULL;
3168 3169 int32_t overhead, maxovhd = 0;
3169 3170 boolean_t allow_clear = B_FALSE;
3170 3171 boolean_t want_ah = B_FALSE;
3171 3172 boolean_t want_esp = B_FALSE;
3172 3173 boolean_t want_se = B_FALSE;
3173 3174 boolean_t want_unique = B_FALSE;
3174 3175 ipsec_stack_t *ipss = ns->netstack_ipsec;
3175 3176
3176 3177 /*
3177 3178 * TODO: should canonicalize a[] (i.e., zeroize any padding)
3178 3179 * so we can use a non-trivial policy_hash function.
3179 3180 */
3180 3181 for (i = n-1; i >= 0; i--) {
3181 3182 hval = policy_hash(IPSEC_ACTION_HASH_SIZE, &a[i], &a[n]);
3182 3183
3183 3184 HASH_LOCK(ipss->ipsec_action_hash, hval);
3184 3185
3185 3186 for (HASH_ITERATE(ap, ipa_hash,
3186 3187 ipss->ipsec_action_hash, hval)) {
3187 3188 if (bcmp(&ap->ipa_act, &a[i], sizeof (*a)) != 0)
3188 3189 continue;
3189 3190 if (ap->ipa_next != prev)
3190 3191 continue;
3191 3192 break;
3192 3193 }
3193 3194 if (ap != NULL) {
3194 3195 HASH_UNLOCK(ipss->ipsec_action_hash, hval);
3195 3196 prev = ap;
3196 3197 continue;
3197 3198 }
3198 3199 /*
3199 3200 * need to allocate a new one..
3200 3201 */
3201 3202 ap = kmem_cache_alloc(ipsec_action_cache, KM_NOSLEEP);
3202 3203 if (ap == NULL) {
3203 3204 HASH_UNLOCK(ipss->ipsec_action_hash, hval);
3204 3205 if (prev != NULL)
3205 3206 ipsec_action_free(prev);
3206 3207 return (NULL);
3207 3208 }
3208 3209 HASH_INSERT(ap, ipa_hash, ipss->ipsec_action_hash, hval);
3209 3210
3210 3211 ap->ipa_next = prev;
3211 3212 ap->ipa_act = a[i];
3212 3213
3213 3214 overhead = ipsec_act_ovhd(&a[i]);
3214 3215 if (maxovhd < overhead)
3215 3216 maxovhd = overhead;
3216 3217
3217 3218 if ((a[i].ipa_type == IPSEC_ACT_BYPASS) ||
3218 3219 (a[i].ipa_type == IPSEC_ACT_CLEAR))
3219 3220 allow_clear = B_TRUE;
3220 3221 if (a[i].ipa_type == IPSEC_ACT_APPLY) {
3221 3222 const ipsec_prot_t *ipp = &a[i].ipa_apply;
3222 3223
3223 3224 ASSERT(ipp->ipp_use_ah || ipp->ipp_use_esp);
3224 3225 want_ah |= ipp->ipp_use_ah;
3225 3226 want_esp |= ipp->ipp_use_esp;
3226 3227 want_se |= ipp->ipp_use_se;
3227 3228 want_unique |= ipp->ipp_use_unique;
3228 3229 }
3229 3230 ap->ipa_allow_clear = allow_clear;
3230 3231 ap->ipa_want_ah = want_ah;
3231 3232 ap->ipa_want_esp = want_esp;
3232 3233 ap->ipa_want_se = want_se;
3233 3234 ap->ipa_want_unique = want_unique;
3234 3235 ap->ipa_refs = 1; /* from the hash table */
3235 3236 ap->ipa_ovhd = maxovhd;
3236 3237 if (prev)
3237 3238 prev->ipa_refs++;
3238 3239 prev = ap;
3239 3240 HASH_UNLOCK(ipss->ipsec_action_hash, hval);
3240 3241 }
3241 3242
3242 3243 ap->ipa_refs++; /* caller's reference */
3243 3244
3244 3245 return (ap);
3245 3246 }
3246 3247
3247 3248 /*
3248 3249 * Called when refcount goes to 0, indicating that all references to this
3249 3250 * node are gone.
3250 3251 *
3251 3252 * This does not unchain the action from the hash table.
3252 3253 */
3253 3254 void
3254 3255 ipsec_action_free(ipsec_action_t *ap)
3255 3256 {
3256 3257 for (;;) {
3257 3258 ipsec_action_t *np = ap->ipa_next;
3258 3259 ASSERT(ap->ipa_refs == 0);
3259 3260 ASSERT(ap->ipa_hash.hash_pp == NULL);
3260 3261 kmem_cache_free(ipsec_action_cache, ap);
3261 3262 ap = np;
3262 3263 /* Inlined IPACT_REFRELE -- avoid recursion */
3263 3264 if (ap == NULL)
3264 3265 break;
3265 3266 membar_exit();
3266 3267 if (atomic_add_32_nv(&(ap)->ipa_refs, -1) != 0)
3267 3268 break;
3268 3269 /* End inlined IPACT_REFRELE */
3269 3270 }
3270 3271 }
3271 3272
3272 3273 /*
3273 3274 * Called when the action hash table goes away.
3274 3275 *
3275 3276 * The actions can be queued on an mblk with ipsec_in or
3276 3277 * ipsec_out, hence the actions might still be around.
3277 3278 * But we decrement ipa_refs here since we no longer have
3278 3279 * a reference to the action from the hash table.
3279 3280 */
3280 3281 static void
3281 3282 ipsec_action_free_table(ipsec_action_t *ap)
3282 3283 {
3283 3284 while (ap != NULL) {
3284 3285 ipsec_action_t *np = ap->ipa_next;
3285 3286
3286 3287 /* FIXME: remove? */
3287 3288 (void) printf("ipsec_action_free_table(%p) ref %d\n",
3288 3289 (void *)ap, ap->ipa_refs);
3289 3290 ASSERT(ap->ipa_refs > 0);
3290 3291 IPACT_REFRELE(ap);
3291 3292 ap = np;
3292 3293 }
3293 3294 }
3294 3295
3295 3296 /*
3296 3297 * Need to walk all stack instances since the reclaim function
3297 3298 * is global for all instances
3298 3299 */
3299 3300 /* ARGSUSED */
3300 3301 static void
3301 3302 ipsec_action_reclaim(void *arg)
3302 3303 {
3303 3304 netstack_handle_t nh;
3304 3305 netstack_t *ns;
3305 3306 ipsec_stack_t *ipss;
3306 3307
3307 3308 netstack_next_init(&nh);
3308 3309 while ((ns = netstack_next(&nh)) != NULL) {
3309 3310 /*
3310 3311 * netstack_next() can return a netstack_t with a NULL
3311 3312 * netstack_ipsec at boot time.
3312 3313 */
3313 3314 if ((ipss = ns->netstack_ipsec) == NULL) {
3314 3315 netstack_rele(ns);
3315 3316 continue;
3316 3317 }
3317 3318 ipsec_action_reclaim_stack(ipss);
3318 3319 netstack_rele(ns);
3319 3320 }
3320 3321 netstack_next_fini(&nh);
3321 3322 }
3322 3323
3323 3324 /*
3324 3325 * Periodically sweep action hash table for actions with refcount==1, and
3325 3326 * nuke them. We cannot do this "on demand" (i.e., from IPACT_REFRELE)
3326 3327 * because we can't close the race between another thread finding the action
3327 3328 * in the hash table without holding the bucket lock during IPACT_REFRELE.
3328 3329 * Instead, we run this function sporadically to clean up after ourselves;
3329 3330 * we also set it as the "reclaim" function for the action kmem_cache.
3330 3331 *
3331 3332 * Note that it may take several passes of ipsec_action_gc() to free all
3332 3333 * "stale" actions.
3333 3334 */
3334 3335 static void
3335 3336 ipsec_action_reclaim_stack(ipsec_stack_t *ipss)
3336 3337 {
3337 3338 int i;
3338 3339
3339 3340 for (i = 0; i < IPSEC_ACTION_HASH_SIZE; i++) {
3340 3341 ipsec_action_t *ap, *np;
3341 3342
3342 3343 /* skip the lock if nobody home */
3343 3344 if (ipss->ipsec_action_hash[i].hash_head == NULL)
3344 3345 continue;
3345 3346
3346 3347 HASH_LOCK(ipss->ipsec_action_hash, i);
3347 3348 for (ap = ipss->ipsec_action_hash[i].hash_head;
3348 3349 ap != NULL; ap = np) {
3349 3350 ASSERT(ap->ipa_refs > 0);
3350 3351 np = ap->ipa_hash.hash_next;
3351 3352 if (ap->ipa_refs > 1)
3352 3353 continue;
3353 3354 HASH_UNCHAIN(ap, ipa_hash,
3354 3355 ipss->ipsec_action_hash, i);
3355 3356 IPACT_REFRELE(ap);
3356 3357 }
3357 3358 HASH_UNLOCK(ipss->ipsec_action_hash, i);
3358 3359 }
3359 3360 }
3360 3361
3361 3362 /*
3362 3363 * Intern a selector set into the selector set hash table.
3363 3364 * This is simpler than the actions case..
3364 3365 */
3365 3366 static ipsec_sel_t *
3366 3367 ipsec_find_sel(ipsec_selkey_t *selkey, netstack_t *ns)
3367 3368 {
3368 3369 ipsec_sel_t *sp;
3369 3370 uint32_t hval, bucket;
3370 3371 ipsec_stack_t *ipss = ns->netstack_ipsec;
3371 3372
3372 3373 /*
3373 3374 * Exactly one AF bit should be set in selkey.
3374 3375 */
3375 3376 ASSERT(!(selkey->ipsl_valid & IPSL_IPV4) ^
3376 3377 !(selkey->ipsl_valid & IPSL_IPV6));
3377 3378
3378 3379 hval = selkey_hash(selkey, ns);
3379 3380 /* Set pol_hval to uninitialized until we put it in a polhead. */
3380 3381 selkey->ipsl_sel_hval = hval;
3381 3382
3382 3383 bucket = (hval == IPSEC_SEL_NOHASH) ? 0 : hval;
3383 3384
3384 3385 ASSERT(!HASH_LOCKED(ipss->ipsec_sel_hash, bucket));
3385 3386 HASH_LOCK(ipss->ipsec_sel_hash, bucket);
3386 3387
3387 3388 for (HASH_ITERATE(sp, ipsl_hash, ipss->ipsec_sel_hash, bucket)) {
3388 3389 if (bcmp(&sp->ipsl_key, selkey,
3389 3390 offsetof(ipsec_selkey_t, ipsl_pol_hval)) == 0)
3390 3391 break;
3391 3392 }
3392 3393 if (sp != NULL) {
3393 3394 sp->ipsl_refs++;
3394 3395
3395 3396 HASH_UNLOCK(ipss->ipsec_sel_hash, bucket);
3396 3397 return (sp);
3397 3398 }
3398 3399
3399 3400 sp = kmem_cache_alloc(ipsec_sel_cache, KM_NOSLEEP);
3400 3401 if (sp == NULL) {
3401 3402 HASH_UNLOCK(ipss->ipsec_sel_hash, bucket);
3402 3403 return (NULL);
3403 3404 }
3404 3405
3405 3406 HASH_INSERT(sp, ipsl_hash, ipss->ipsec_sel_hash, bucket);
3406 3407 sp->ipsl_refs = 2; /* one for hash table, one for caller */
3407 3408 sp->ipsl_key = *selkey;
3408 3409 /* Set to uninitalized and have insertion into polhead fix things. */
3409 3410 if (selkey->ipsl_sel_hval != IPSEC_SEL_NOHASH)
3410 3411 sp->ipsl_key.ipsl_pol_hval = 0;
3411 3412 else
3412 3413 sp->ipsl_key.ipsl_pol_hval = IPSEC_SEL_NOHASH;
3413 3414
3414 3415 HASH_UNLOCK(ipss->ipsec_sel_hash, bucket);
3415 3416
3416 3417 return (sp);
3417 3418 }
3418 3419
3419 3420 static void
3420 3421 ipsec_sel_rel(ipsec_sel_t **spp, netstack_t *ns)
3421 3422 {
3422 3423 ipsec_sel_t *sp = *spp;
3423 3424 int hval = sp->ipsl_key.ipsl_sel_hval;
3424 3425 ipsec_stack_t *ipss = ns->netstack_ipsec;
3425 3426
3426 3427 *spp = NULL;
3427 3428
3428 3429 if (hval == IPSEC_SEL_NOHASH)
3429 3430 hval = 0;
3430 3431
3431 3432 ASSERT(!HASH_LOCKED(ipss->ipsec_sel_hash, hval));
3432 3433 HASH_LOCK(ipss->ipsec_sel_hash, hval);
3433 3434 if (--sp->ipsl_refs == 1) {
3434 3435 HASH_UNCHAIN(sp, ipsl_hash, ipss->ipsec_sel_hash, hval);
3435 3436 sp->ipsl_refs--;
3436 3437 HASH_UNLOCK(ipss->ipsec_sel_hash, hval);
3437 3438 ASSERT(sp->ipsl_refs == 0);
3438 3439 kmem_cache_free(ipsec_sel_cache, sp);
3439 3440 /* Caller unlocks */
3440 3441 return;
3441 3442 }
3442 3443
3443 3444 HASH_UNLOCK(ipss->ipsec_sel_hash, hval);
3444 3445 }
3445 3446
3446 3447 /*
3447 3448 * Free a policy rule which we know is no longer being referenced.
3448 3449 */
3449 3450 void
3450 3451 ipsec_policy_free(ipsec_policy_t *ipp)
3451 3452 {
3452 3453 ASSERT(ipp->ipsp_refs == 0);
3453 3454 ASSERT(ipp->ipsp_sel != NULL);
3454 3455 ASSERT(ipp->ipsp_act != NULL);
3455 3456 ASSERT(ipp->ipsp_netstack != NULL);
3456 3457
3457 3458 ipsec_sel_rel(&ipp->ipsp_sel, ipp->ipsp_netstack);
3458 3459 IPACT_REFRELE(ipp->ipsp_act);
3459 3460 kmem_cache_free(ipsec_pol_cache, ipp);
3460 3461 }
3461 3462
3462 3463 /*
3463 3464 * Construction of new policy rules; construct a policy, and add it to
3464 3465 * the appropriate tables.
3465 3466 */
3466 3467 ipsec_policy_t *
3467 3468 ipsec_policy_create(ipsec_selkey_t *keys, const ipsec_act_t *a,
3468 3469 int nacts, int prio, uint64_t *index_ptr, netstack_t *ns)
3469 3470 {
3470 3471 ipsec_action_t *ap;
3471 3472 ipsec_sel_t *sp;
3472 3473 ipsec_policy_t *ipp;
3473 3474 ipsec_stack_t *ipss = ns->netstack_ipsec;
3474 3475
3475 3476 if (index_ptr == NULL)
3476 3477 index_ptr = &ipss->ipsec_next_policy_index;
3477 3478
3478 3479 ipp = kmem_cache_alloc(ipsec_pol_cache, KM_NOSLEEP);
3479 3480 ap = ipsec_act_find(a, nacts, ns);
3480 3481 sp = ipsec_find_sel(keys, ns);
3481 3482
3482 3483 if ((ap == NULL) || (sp == NULL) || (ipp == NULL)) {
3483 3484 if (ap != NULL) {
3484 3485 IPACT_REFRELE(ap);
3485 3486 }
3486 3487 if (sp != NULL)
3487 3488 ipsec_sel_rel(&sp, ns);
3488 3489 if (ipp != NULL)
3489 3490 kmem_cache_free(ipsec_pol_cache, ipp);
3490 3491 return (NULL);
3491 3492 }
3492 3493
3493 3494 HASH_NULL(ipp, ipsp_hash);
3494 3495
3495 3496 ipp->ipsp_netstack = ns; /* Needed for ipsec_policy_free */
3496 3497 ipp->ipsp_refs = 1; /* caller's reference */
3497 3498 ipp->ipsp_sel = sp;
3498 3499 ipp->ipsp_act = ap;
3499 3500 ipp->ipsp_prio = prio; /* rule priority */
3500 3501 ipp->ipsp_index = *index_ptr;
3501 3502 (*index_ptr)++;
3502 3503
3503 3504 return (ipp);
3504 3505 }
3505 3506
3506 3507 static void
3507 3508 ipsec_update_present_flags(ipsec_stack_t *ipss)
3508 3509 {
3509 3510 boolean_t hashpol;
3510 3511
3511 3512 hashpol = (avl_numnodes(&ipss->ipsec_system_policy.iph_rulebyid) > 0);
3512 3513
3513 3514 if (hashpol) {
3514 3515 ipss->ipsec_outbound_v4_policy_present = B_TRUE;
3515 3516 ipss->ipsec_outbound_v6_policy_present = B_TRUE;
3516 3517 ipss->ipsec_inbound_v4_policy_present = B_TRUE;
3517 3518 ipss->ipsec_inbound_v6_policy_present = B_TRUE;
3518 3519 return;
3519 3520 }
3520 3521
3521 3522 ipss->ipsec_outbound_v4_policy_present = (NULL !=
3522 3523 ipss->ipsec_system_policy.iph_root[IPSEC_TYPE_OUTBOUND].
3523 3524 ipr_nonhash[IPSEC_AF_V4]);
3524 3525 ipss->ipsec_outbound_v6_policy_present = (NULL !=
3525 3526 ipss->ipsec_system_policy.iph_root[IPSEC_TYPE_OUTBOUND].
3526 3527 ipr_nonhash[IPSEC_AF_V6]);
3527 3528 ipss->ipsec_inbound_v4_policy_present = (NULL !=
3528 3529 ipss->ipsec_system_policy.iph_root[IPSEC_TYPE_INBOUND].
3529 3530 ipr_nonhash[IPSEC_AF_V4]);
3530 3531 ipss->ipsec_inbound_v6_policy_present = (NULL !=
3531 3532 ipss->ipsec_system_policy.iph_root[IPSEC_TYPE_INBOUND].
3532 3533 ipr_nonhash[IPSEC_AF_V6]);
3533 3534 }
3534 3535
3535 3536 boolean_t
3536 3537 ipsec_policy_delete(ipsec_policy_head_t *php, ipsec_selkey_t *keys, int dir,
3537 3538 netstack_t *ns)
3538 3539 {
3539 3540 ipsec_sel_t *sp;
3540 3541 ipsec_policy_t *ip, *nip, *head;
3541 3542 int af;
3542 3543 ipsec_policy_root_t *pr = &php->iph_root[dir];
3543 3544
3544 3545 sp = ipsec_find_sel(keys, ns);
3545 3546
3546 3547 if (sp == NULL)
3547 3548 return (B_FALSE);
3548 3549
3549 3550 af = (sp->ipsl_key.ipsl_valid & IPSL_IPV4) ? IPSEC_AF_V4 : IPSEC_AF_V6;
3550 3551
3551 3552 rw_enter(&php->iph_lock, RW_WRITER);
3552 3553
3553 3554 if (sp->ipsl_key.ipsl_pol_hval == IPSEC_SEL_NOHASH) {
3554 3555 head = pr->ipr_nonhash[af];
3555 3556 } else {
3556 3557 head = pr->ipr_hash[sp->ipsl_key.ipsl_pol_hval].hash_head;
3557 3558 }
3558 3559
3559 3560 for (ip = head; ip != NULL; ip = nip) {
3560 3561 nip = ip->ipsp_hash.hash_next;
3561 3562 if (ip->ipsp_sel != sp) {
3562 3563 continue;
3563 3564 }
3564 3565
3565 3566 IPPOL_UNCHAIN(php, ip);
3566 3567
3567 3568 php->iph_gen++;
3568 3569 ipsec_update_present_flags(ns->netstack_ipsec);
3569 3570
3570 3571 rw_exit(&php->iph_lock);
3571 3572
3572 3573 ipsec_sel_rel(&sp, ns);
3573 3574
3574 3575 return (B_TRUE);
3575 3576 }
3576 3577
3577 3578 rw_exit(&php->iph_lock);
3578 3579 ipsec_sel_rel(&sp, ns);
3579 3580 return (B_FALSE);
3580 3581 }
3581 3582
3582 3583 int
3583 3584 ipsec_policy_delete_index(ipsec_policy_head_t *php, uint64_t policy_index,
3584 3585 netstack_t *ns)
3585 3586 {
3586 3587 boolean_t found = B_FALSE;
3587 3588 ipsec_policy_t ipkey;
3588 3589 ipsec_policy_t *ip;
3589 3590 avl_index_t where;
3590 3591
3591 3592 bzero(&ipkey, sizeof (ipkey));
3592 3593 ipkey.ipsp_index = policy_index;
3593 3594
3594 3595 rw_enter(&php->iph_lock, RW_WRITER);
3595 3596
3596 3597 /*
3597 3598 * We could be cleverer here about the walk.
3598 3599 * but well, (k+1)*log(N) will do for now (k==number of matches,
3599 3600 * N==number of table entries
3600 3601 */
3601 3602 for (;;) {
3602 3603 ip = (ipsec_policy_t *)avl_find(&php->iph_rulebyid,
3603 3604 (void *)&ipkey, &where);
3604 3605 ASSERT(ip == NULL);
3605 3606
3606 3607 ip = avl_nearest(&php->iph_rulebyid, where, AVL_AFTER);
3607 3608
3608 3609 if (ip == NULL)
3609 3610 break;
3610 3611
3611 3612 if (ip->ipsp_index != policy_index) {
3612 3613 ASSERT(ip->ipsp_index > policy_index);
3613 3614 break;
3614 3615 }
3615 3616
3616 3617 IPPOL_UNCHAIN(php, ip);
3617 3618 found = B_TRUE;
3618 3619 }
3619 3620
3620 3621 if (found) {
3621 3622 php->iph_gen++;
3622 3623 ipsec_update_present_flags(ns->netstack_ipsec);
3623 3624 }
3624 3625
3625 3626 rw_exit(&php->iph_lock);
3626 3627
3627 3628 return (found ? 0 : ENOENT);
3628 3629 }
3629 3630
3630 3631 /*
3631 3632 * Given a constructed ipsec_policy_t policy rule, see if it can be entered
3632 3633 * into the correct policy ruleset. As a side-effect, it sets the hash
3633 3634 * entries on "ipp"'s ipsp_pol_hval.
3634 3635 *
3635 3636 * Returns B_TRUE if it can be entered, B_FALSE if it can't be (because a
3636 3637 * duplicate policy exists with exactly the same selectors), or an icmp
3637 3638 * rule exists with a different encryption/authentication action.
3638 3639 */
3639 3640 boolean_t
3640 3641 ipsec_check_policy(ipsec_policy_head_t *php, ipsec_policy_t *ipp, int direction)
3641 3642 {
3642 3643 ipsec_policy_root_t *pr = &php->iph_root[direction];
3643 3644 int af = -1;
3644 3645 ipsec_policy_t *p2, *head;
3645 3646 uint8_t check_proto;
3646 3647 ipsec_selkey_t *selkey = &ipp->ipsp_sel->ipsl_key;
3647 3648 uint32_t valid = selkey->ipsl_valid;
3648 3649
3649 3650 if (valid & IPSL_IPV6) {
3650 3651 ASSERT(!(valid & IPSL_IPV4));
3651 3652 af = IPSEC_AF_V6;
3652 3653 check_proto = IPPROTO_ICMPV6;
3653 3654 } else {
3654 3655 ASSERT(valid & IPSL_IPV4);
3655 3656 af = IPSEC_AF_V4;
3656 3657 check_proto = IPPROTO_ICMP;
3657 3658 }
3658 3659
3659 3660 ASSERT(RW_WRITE_HELD(&php->iph_lock));
3660 3661
3661 3662 /*
3662 3663 * Double-check that we don't have any duplicate selectors here.
3663 3664 * Because selectors are interned below, we need only compare pointers
3664 3665 * for equality.
3665 3666 */
3666 3667 if (selkey->ipsl_sel_hval == IPSEC_SEL_NOHASH) {
3667 3668 head = pr->ipr_nonhash[af];
3668 3669 } else {
3669 3670 selkey->ipsl_pol_hval =
3670 3671 (selkey->ipsl_valid & IPSL_IPV4) ?
3671 3672 IPSEC_IPV4_HASH(selkey->ipsl_remote.ipsad_v4,
3672 3673 pr->ipr_nchains) :
3673 3674 IPSEC_IPV6_HASH(selkey->ipsl_remote.ipsad_v6,
3674 3675 pr->ipr_nchains);
3675 3676
3676 3677 head = pr->ipr_hash[selkey->ipsl_pol_hval].hash_head;
3677 3678 }
3678 3679
3679 3680 for (p2 = head; p2 != NULL; p2 = p2->ipsp_hash.hash_next) {
3680 3681 if (p2->ipsp_sel == ipp->ipsp_sel)
3681 3682 return (B_FALSE);
3682 3683 }
3683 3684
3684 3685 /*
3685 3686 * If it's ICMP and not a drop or pass rule, run through the ICMP
3686 3687 * rules and make sure the action is either new or the same as any
3687 3688 * other actions. We don't have to check the full chain because
3688 3689 * discard and bypass will override all other actions
3689 3690 */
3690 3691
3691 3692 if (valid & IPSL_PROTOCOL &&
3692 3693 selkey->ipsl_proto == check_proto &&
3693 3694 (ipp->ipsp_act->ipa_act.ipa_type == IPSEC_ACT_APPLY)) {
3694 3695
3695 3696 for (p2 = head; p2 != NULL; p2 = p2->ipsp_hash.hash_next) {
3696 3697
3697 3698 if (p2->ipsp_sel->ipsl_key.ipsl_valid & IPSL_PROTOCOL &&
3698 3699 p2->ipsp_sel->ipsl_key.ipsl_proto == check_proto &&
3699 3700 (p2->ipsp_act->ipa_act.ipa_type ==
3700 3701 IPSEC_ACT_APPLY)) {
3701 3702 return (ipsec_compare_action(p2, ipp));
3702 3703 }
3703 3704 }
3704 3705 }
3705 3706
3706 3707 return (B_TRUE);
3707 3708 }
3708 3709
3709 3710 /*
3710 3711 * compare the action chains of two policies for equality
3711 3712 * B_TRUE -> effective equality
3712 3713 */
3713 3714
3714 3715 static boolean_t
3715 3716 ipsec_compare_action(ipsec_policy_t *p1, ipsec_policy_t *p2)
3716 3717 {
3717 3718
3718 3719 ipsec_action_t *act1, *act2;
3719 3720
3720 3721 /* We have a valid rule. Let's compare the actions */
3721 3722 if (p1->ipsp_act == p2->ipsp_act) {
3722 3723 /* same action. We are good */
3723 3724 return (B_TRUE);
3724 3725 }
3725 3726
3726 3727 /* we have to walk the chain */
3727 3728
3728 3729 act1 = p1->ipsp_act;
3729 3730 act2 = p2->ipsp_act;
3730 3731
3731 3732 while (act1 != NULL && act2 != NULL) {
3732 3733
3733 3734 /* otherwise, Are we close enough? */
3734 3735 if (act1->ipa_allow_clear != act2->ipa_allow_clear ||
3735 3736 act1->ipa_want_ah != act2->ipa_want_ah ||
3736 3737 act1->ipa_want_esp != act2->ipa_want_esp ||
3737 3738 act1->ipa_want_se != act2->ipa_want_se) {
3738 3739 /* Nope, we aren't */
3739 3740 return (B_FALSE);
3740 3741 }
3741 3742
3742 3743 if (act1->ipa_want_ah) {
3743 3744 if (act1->ipa_act.ipa_apply.ipp_auth_alg !=
3744 3745 act2->ipa_act.ipa_apply.ipp_auth_alg) {
3745 3746 return (B_FALSE);
3746 3747 }
3747 3748
3748 3749 if (act1->ipa_act.ipa_apply.ipp_ah_minbits !=
3749 3750 act2->ipa_act.ipa_apply.ipp_ah_minbits ||
3750 3751 act1->ipa_act.ipa_apply.ipp_ah_maxbits !=
3751 3752 act2->ipa_act.ipa_apply.ipp_ah_maxbits) {
3752 3753 return (B_FALSE);
3753 3754 }
3754 3755 }
3755 3756
3756 3757 if (act1->ipa_want_esp) {
3757 3758 if (act1->ipa_act.ipa_apply.ipp_use_esp !=
3758 3759 act2->ipa_act.ipa_apply.ipp_use_esp ||
3759 3760 act1->ipa_act.ipa_apply.ipp_use_espa !=
3760 3761 act2->ipa_act.ipa_apply.ipp_use_espa) {
3761 3762 return (B_FALSE);
3762 3763 }
3763 3764
3764 3765 if (act1->ipa_act.ipa_apply.ipp_use_esp) {
3765 3766 if (act1->ipa_act.ipa_apply.ipp_encr_alg !=
3766 3767 act2->ipa_act.ipa_apply.ipp_encr_alg) {
3767 3768 return (B_FALSE);
3768 3769 }
3769 3770
3770 3771 if (act1->ipa_act.ipa_apply.ipp_espe_minbits !=
3771 3772 act2->ipa_act.ipa_apply.ipp_espe_minbits ||
3772 3773 act1->ipa_act.ipa_apply.ipp_espe_maxbits !=
3773 3774 act2->ipa_act.ipa_apply.ipp_espe_maxbits) {
3774 3775 return (B_FALSE);
3775 3776 }
3776 3777 }
3777 3778
3778 3779 if (act1->ipa_act.ipa_apply.ipp_use_espa) {
3779 3780 if (act1->ipa_act.ipa_apply.ipp_esp_auth_alg !=
3780 3781 act2->ipa_act.ipa_apply.ipp_esp_auth_alg) {
3781 3782 return (B_FALSE);
3782 3783 }
3783 3784
3784 3785 if (act1->ipa_act.ipa_apply.ipp_espa_minbits !=
3785 3786 act2->ipa_act.ipa_apply.ipp_espa_minbits ||
3786 3787 act1->ipa_act.ipa_apply.ipp_espa_maxbits !=
3787 3788 act2->ipa_act.ipa_apply.ipp_espa_maxbits) {
3788 3789 return (B_FALSE);
3789 3790 }
3790 3791 }
3791 3792
3792 3793 }
3793 3794
3794 3795 act1 = act1->ipa_next;
3795 3796 act2 = act2->ipa_next;
3796 3797 }
3797 3798
3798 3799 if (act1 != NULL || act2 != NULL) {
3799 3800 return (B_FALSE);
3800 3801 }
3801 3802
3802 3803 return (B_TRUE);
3803 3804 }
3804 3805
3805 3806
3806 3807 /*
3807 3808 * Given a constructed ipsec_policy_t policy rule, enter it into
3808 3809 * the correct policy ruleset.
3809 3810 *
3810 3811 * ipsec_check_policy() is assumed to have succeeded first (to check for
3811 3812 * duplicates).
3812 3813 */
3813 3814 void
3814 3815 ipsec_enter_policy(ipsec_policy_head_t *php, ipsec_policy_t *ipp, int direction,
3815 3816 netstack_t *ns)
3816 3817 {
3817 3818 ipsec_policy_root_t *pr = &php->iph_root[direction];
3818 3819 ipsec_selkey_t *selkey = &ipp->ipsp_sel->ipsl_key;
3819 3820 uint32_t valid = selkey->ipsl_valid;
3820 3821 uint32_t hval = selkey->ipsl_pol_hval;
3821 3822 int af = -1;
3822 3823
3823 3824 ASSERT(RW_WRITE_HELD(&php->iph_lock));
3824 3825
3825 3826 if (valid & IPSL_IPV6) {
3826 3827 ASSERT(!(valid & IPSL_IPV4));
3827 3828 af = IPSEC_AF_V6;
3828 3829 } else {
3829 3830 ASSERT(valid & IPSL_IPV4);
3830 3831 af = IPSEC_AF_V4;
3831 3832 }
3832 3833
3833 3834 php->iph_gen++;
3834 3835
3835 3836 if (hval == IPSEC_SEL_NOHASH) {
3836 3837 HASHLIST_INSERT(ipp, ipsp_hash, pr->ipr_nonhash[af]);
3837 3838 } else {
3838 3839 HASH_LOCK(pr->ipr_hash, hval);
3839 3840 HASH_INSERT(ipp, ipsp_hash, pr->ipr_hash, hval);
3840 3841 HASH_UNLOCK(pr->ipr_hash, hval);
3841 3842 }
3842 3843
3843 3844 ipsec_insert_always(&php->iph_rulebyid, ipp);
3844 3845
3845 3846 ipsec_update_present_flags(ns->netstack_ipsec);
3846 3847 }
3847 3848
3848 3849 static void
3849 3850 ipsec_ipr_flush(ipsec_policy_head_t *php, ipsec_policy_root_t *ipr)
3850 3851 {
3851 3852 ipsec_policy_t *ip, *nip;
3852 3853 int af, chain, nchain;
3853 3854
3854 3855 for (af = 0; af < IPSEC_NAF; af++) {
3855 3856 for (ip = ipr->ipr_nonhash[af]; ip != NULL; ip = nip) {
3856 3857 nip = ip->ipsp_hash.hash_next;
3857 3858 IPPOL_UNCHAIN(php, ip);
3858 3859 }
3859 3860 ipr->ipr_nonhash[af] = NULL;
3860 3861 }
3861 3862 nchain = ipr->ipr_nchains;
3862 3863
3863 3864 for (chain = 0; chain < nchain; chain++) {
3864 3865 for (ip = ipr->ipr_hash[chain].hash_head; ip != NULL;
3865 3866 ip = nip) {
3866 3867 nip = ip->ipsp_hash.hash_next;
3867 3868 IPPOL_UNCHAIN(php, ip);
3868 3869 }
3869 3870 ipr->ipr_hash[chain].hash_head = NULL;
3870 3871 }
3871 3872 }
3872 3873
3873 3874 /*
3874 3875 * Create and insert inbound or outbound policy associated with actp for the
3875 3876 * address family fam into the policy head ph. Returns B_TRUE if policy was
3876 3877 * inserted, and B_FALSE otherwise.
3877 3878 */
3878 3879 boolean_t
3879 3880 ipsec_polhead_insert(ipsec_policy_head_t *ph, ipsec_act_t *actp, uint_t nact,
3880 3881 int fam, int ptype, netstack_t *ns)
3881 3882 {
3882 3883 ipsec_selkey_t sel;
3883 3884 ipsec_policy_t *pol;
3884 3885 ipsec_policy_root_t *pr;
3885 3886
3886 3887 bzero(&sel, sizeof (sel));
3887 3888 sel.ipsl_valid = (fam == IPSEC_AF_V4 ? IPSL_IPV4 : IPSL_IPV6);
3888 3889 if ((pol = ipsec_policy_create(&sel, actp, nact, IPSEC_PRIO_SOCKET,
3889 3890 NULL, ns)) != NULL) {
3890 3891 pr = &ph->iph_root[ptype];
3891 3892 HASHLIST_INSERT(pol, ipsp_hash, pr->ipr_nonhash[fam]);
3892 3893 ipsec_insert_always(&ph->iph_rulebyid, pol);
3893 3894 }
3894 3895 return (pol != NULL);
3895 3896 }
3896 3897
3897 3898 void
3898 3899 ipsec_polhead_flush(ipsec_policy_head_t *php, netstack_t *ns)
3899 3900 {
3900 3901 int dir;
3901 3902
3902 3903 ASSERT(RW_WRITE_HELD(&php->iph_lock));
3903 3904
3904 3905 for (dir = 0; dir < IPSEC_NTYPES; dir++)
3905 3906 ipsec_ipr_flush(php, &php->iph_root[dir]);
3906 3907
3907 3908 php->iph_gen++;
3908 3909 ipsec_update_present_flags(ns->netstack_ipsec);
3909 3910 }
3910 3911
3911 3912 void
3912 3913 ipsec_polhead_free(ipsec_policy_head_t *php, netstack_t *ns)
3913 3914 {
3914 3915 int dir;
3915 3916
3916 3917 ASSERT(php->iph_refs == 0);
3917 3918
3918 3919 rw_enter(&php->iph_lock, RW_WRITER);
3919 3920 ipsec_polhead_flush(php, ns);
3920 3921 rw_exit(&php->iph_lock);
3921 3922 rw_destroy(&php->iph_lock);
3922 3923 for (dir = 0; dir < IPSEC_NTYPES; dir++) {
3923 3924 ipsec_policy_root_t *ipr = &php->iph_root[dir];
3924 3925 int chain;
3925 3926
3926 3927 for (chain = 0; chain < ipr->ipr_nchains; chain++)
3927 3928 mutex_destroy(&(ipr->ipr_hash[chain].hash_lock));
3928 3929
3929 3930 }
3930 3931 ipsec_polhead_free_table(php);
3931 3932 kmem_free(php, sizeof (*php));
3932 3933 }
3933 3934
3934 3935 static void
3935 3936 ipsec_ipr_init(ipsec_policy_root_t *ipr)
3936 3937 {
3937 3938 int af;
3938 3939
3939 3940 ipr->ipr_nchains = 0;
3940 3941 ipr->ipr_hash = NULL;
3941 3942
3942 3943 for (af = 0; af < IPSEC_NAF; af++) {
3943 3944 ipr->ipr_nonhash[af] = NULL;
3944 3945 }
3945 3946 }
3946 3947
3947 3948 ipsec_policy_head_t *
3948 3949 ipsec_polhead_create(void)
3949 3950 {
3950 3951 ipsec_policy_head_t *php;
3951 3952
3952 3953 php = kmem_alloc(sizeof (*php), KM_NOSLEEP);
3953 3954 if (php == NULL)
3954 3955 return (php);
3955 3956
3956 3957 rw_init(&php->iph_lock, NULL, RW_DEFAULT, NULL);
3957 3958 php->iph_refs = 1;
3958 3959 php->iph_gen = 0;
3959 3960
3960 3961 ipsec_ipr_init(&php->iph_root[IPSEC_TYPE_INBOUND]);
3961 3962 ipsec_ipr_init(&php->iph_root[IPSEC_TYPE_OUTBOUND]);
3962 3963
3963 3964 avl_create(&php->iph_rulebyid, ipsec_policy_cmpbyid,
3964 3965 sizeof (ipsec_policy_t), offsetof(ipsec_policy_t, ipsp_byid));
3965 3966
3966 3967 return (php);
3967 3968 }
3968 3969
3969 3970 /*
3970 3971 * Clone the policy head into a new polhead; release one reference to the
3971 3972 * old one and return the only reference to the new one.
3972 3973 * If the old one had a refcount of 1, just return it.
3973 3974 */
3974 3975 ipsec_policy_head_t *
3975 3976 ipsec_polhead_split(ipsec_policy_head_t *php, netstack_t *ns)
3976 3977 {
3977 3978 ipsec_policy_head_t *nphp;
3978 3979
3979 3980 if (php == NULL)
3980 3981 return (ipsec_polhead_create());
3981 3982 else if (php->iph_refs == 1)
3982 3983 return (php);
3983 3984
3984 3985 nphp = ipsec_polhead_create();
3985 3986 if (nphp == NULL)
3986 3987 return (NULL);
3987 3988
3988 3989 if (ipsec_copy_polhead(php, nphp, ns) != 0) {
3989 3990 ipsec_polhead_free(nphp, ns);
3990 3991 return (NULL);
3991 3992 }
3992 3993 IPPH_REFRELE(php, ns);
3993 3994 return (nphp);
3994 3995 }
3995 3996
3996 3997 /*
3997 3998 * When sending a response to a ICMP request or generating a RST
3998 3999 * in the TCP case, the outbound packets need to go at the same level
3999 4000 * of protection as the incoming ones i.e we associate our outbound
4000 4001 * policy with how the packet came in. We call this after we have
4001 4002 * accepted the incoming packet which may or may not have been in
4002 4003 * clear and hence we are sending the reply back with the policy
4003 4004 * matching the incoming datagram's policy.
4004 4005 *
4005 4006 * NOTE : This technology serves two purposes :
4006 4007 *
4007 4008 * 1) If we have multiple outbound policies, we send out a reply
4008 4009 * matching with how it came in rather than matching the outbound
4009 4010 * policy.
4010 4011 *
4011 4012 * 2) For assymetric policies, we want to make sure that incoming
4012 4013 * and outgoing has the same level of protection. Assymetric
4013 4014 * policies exist only with global policy where we may not have
4014 4015 * both outbound and inbound at the same time.
4015 4016 *
4016 4017 * NOTE2: This function is called by cleartext cases, so it needs to be
4017 4018 * in IP proper.
4018 4019 *
4019 4020 * Note: the caller has moved other parts of ira into ixa already.
4020 4021 */
4021 4022 boolean_t
4022 4023 ipsec_in_to_out(ip_recv_attr_t *ira, ip_xmit_attr_t *ixa, mblk_t *data_mp,
4023 4024 ipha_t *ipha, ip6_t *ip6h)
4024 4025 {
4025 4026 ipsec_selector_t sel;
4026 4027 ipsec_action_t *reflect_action = NULL;
4027 4028 netstack_t *ns = ixa->ixa_ipst->ips_netstack;
4028 4029
4029 4030 bzero((void*)&sel, sizeof (sel));
4030 4031
4031 4032 if (ira->ira_ipsec_action != NULL) {
4032 4033 /* transfer reference.. */
4033 4034 reflect_action = ira->ira_ipsec_action;
4034 4035 ira->ira_ipsec_action = NULL;
4035 4036 } else if (!(ira->ira_flags & IRAF_LOOPBACK))
4036 4037 reflect_action = ipsec_in_to_out_action(ira);
4037 4038
4038 4039 /*
4039 4040 * The caller is going to send the datagram out which might
4040 4041 * go on the wire or delivered locally through ire_send_local.
4041 4042 *
4042 4043 * 1) If it goes out on the wire, new associations will be
4043 4044 * obtained.
4044 4045 * 2) If it is delivered locally, ire_send_local will convert
4045 4046 * this ip_xmit_attr_t back to a ip_recv_attr_t looking at the
4046 4047 * requests.
4047 4048 */
4048 4049 ixa->ixa_ipsec_action = reflect_action;
4049 4050
4050 4051 if (!ipsec_init_outbound_ports(&sel, data_mp, ipha, ip6h, 0,
4051 4052 ns->netstack_ipsec)) {
4052 4053 /* Note: data_mp already consumed and ip_drop_packet done */
4053 4054 return (B_FALSE);
4054 4055 }
4055 4056 ixa->ixa_ipsec_src_port = sel.ips_local_port;
4056 4057 ixa->ixa_ipsec_dst_port = sel.ips_remote_port;
4057 4058 ixa->ixa_ipsec_proto = sel.ips_protocol;
4058 4059 ixa->ixa_ipsec_icmp_type = sel.ips_icmp_type;
4059 4060 ixa->ixa_ipsec_icmp_code = sel.ips_icmp_code;
4060 4061
4061 4062 /*
4062 4063 * Don't use global policy for this, as we want
4063 4064 * to use the same protection that was applied to the inbound packet.
4064 4065 * Thus we set IXAF_NO_IPSEC is it arrived in the clear to make
4065 4066 * it be sent in the clear.
4066 4067 */
4067 4068 if (ira->ira_flags & IRAF_IPSEC_SECURE)
4068 4069 ixa->ixa_flags |= IXAF_IPSEC_SECURE;
4069 4070 else
4070 4071 ixa->ixa_flags |= IXAF_NO_IPSEC;
4071 4072
4072 4073 return (B_TRUE);
4073 4074 }
4074 4075
4075 4076 void
4076 4077 ipsec_out_release_refs(ip_xmit_attr_t *ixa)
4077 4078 {
4078 4079 if (!(ixa->ixa_flags & IXAF_IPSEC_SECURE))
4079 4080 return;
4080 4081
4081 4082 if (ixa->ixa_ipsec_ah_sa != NULL) {
4082 4083 IPSA_REFRELE(ixa->ixa_ipsec_ah_sa);
4083 4084 ixa->ixa_ipsec_ah_sa = NULL;
4084 4085 }
4085 4086 if (ixa->ixa_ipsec_esp_sa != NULL) {
4086 4087 IPSA_REFRELE(ixa->ixa_ipsec_esp_sa);
4087 4088 ixa->ixa_ipsec_esp_sa = NULL;
4088 4089 }
4089 4090 if (ixa->ixa_ipsec_policy != NULL) {
4090 4091 IPPOL_REFRELE(ixa->ixa_ipsec_policy);
4091 4092 ixa->ixa_ipsec_policy = NULL;
4092 4093 }
4093 4094 if (ixa->ixa_ipsec_action != NULL) {
4094 4095 IPACT_REFRELE(ixa->ixa_ipsec_action);
4095 4096 ixa->ixa_ipsec_action = NULL;
4096 4097 }
4097 4098 if (ixa->ixa_ipsec_latch) {
4098 4099 IPLATCH_REFRELE(ixa->ixa_ipsec_latch);
4099 4100 ixa->ixa_ipsec_latch = NULL;
4100 4101 }
4101 4102 /* Clear the soft references to the SAs */
4102 4103 ixa->ixa_ipsec_ref[0].ipsr_sa = NULL;
4103 4104 ixa->ixa_ipsec_ref[0].ipsr_bucket = NULL;
4104 4105 ixa->ixa_ipsec_ref[0].ipsr_gen = 0;
4105 4106 ixa->ixa_ipsec_ref[1].ipsr_sa = NULL;
4106 4107 ixa->ixa_ipsec_ref[1].ipsr_bucket = NULL;
4107 4108 ixa->ixa_ipsec_ref[1].ipsr_gen = 0;
4108 4109 ixa->ixa_flags &= ~IXAF_IPSEC_SECURE;
4109 4110 }
4110 4111
4111 4112 void
4112 4113 ipsec_in_release_refs(ip_recv_attr_t *ira)
4113 4114 {
4114 4115 if (!(ira->ira_flags & IRAF_IPSEC_SECURE))
4115 4116 return;
4116 4117
4117 4118 if (ira->ira_ipsec_ah_sa != NULL) {
4118 4119 IPSA_REFRELE(ira->ira_ipsec_ah_sa);
4119 4120 ira->ira_ipsec_ah_sa = NULL;
4120 4121 }
4121 4122 if (ira->ira_ipsec_esp_sa != NULL) {
4122 4123 IPSA_REFRELE(ira->ira_ipsec_esp_sa);
4123 4124 ira->ira_ipsec_esp_sa = NULL;
4124 4125 }
4125 4126 ira->ira_flags &= ~IRAF_IPSEC_SECURE;
4126 4127 }
4127 4128
4128 4129 /*
4129 4130 * This is called from ire_send_local when a packet
4130 4131 * is looped back. We setup the ip_recv_attr_t "borrowing" the references
4131 4132 * held by the callers.
4132 4133 * Note that we don't do any IPsec but we carry the actions and IPSEC flags
4133 4134 * across so that the fanout policy checks see that IPsec was applied.
4134 4135 *
4135 4136 * The caller should do ipsec_in_release_refs() on the ira by calling
4136 4137 * ira_cleanup().
4137 4138 */
4138 4139 void
4139 4140 ipsec_out_to_in(ip_xmit_attr_t *ixa, ill_t *ill, ip_recv_attr_t *ira)
4140 4141 {
4141 4142 ipsec_policy_t *pol;
4142 4143 ipsec_action_t *act;
4143 4144
4144 4145 /* Non-IPsec operations */
4145 4146 ira->ira_free_flags = 0;
4146 4147 ira->ira_zoneid = ixa->ixa_zoneid;
4147 4148 ira->ira_cred = ixa->ixa_cred;
4148 4149 ira->ira_cpid = ixa->ixa_cpid;
4149 4150 ira->ira_tsl = ixa->ixa_tsl;
4150 4151 ira->ira_ill = ira->ira_rill = ill;
4151 4152 ira->ira_flags = ixa->ixa_flags & IAF_MASK;
4152 4153 ira->ira_no_loop_zoneid = ixa->ixa_no_loop_zoneid;
4153 4154 ira->ira_pktlen = ixa->ixa_pktlen;
4154 4155 ira->ira_ip_hdr_length = ixa->ixa_ip_hdr_length;
4155 4156 ira->ira_protocol = ixa->ixa_protocol;
4156 4157 ira->ira_mhip = NULL;
4157 4158
4158 4159 ira->ira_flags |= IRAF_LOOPBACK | IRAF_L2SRC_LOOPBACK;
4159 4160
4160 4161 ira->ira_sqp = ixa->ixa_sqp;
4161 4162 ira->ira_ring = NULL;
4162 4163
4163 4164 ira->ira_ruifindex = ill->ill_phyint->phyint_ifindex;
4164 4165 ira->ira_rifindex = ira->ira_ruifindex;
4165 4166
4166 4167 if (!(ixa->ixa_flags & IXAF_IPSEC_SECURE))
4167 4168 return;
4168 4169
4169 4170 ira->ira_flags |= IRAF_IPSEC_SECURE;
4170 4171
4171 4172 ira->ira_ipsec_ah_sa = NULL;
4172 4173 ira->ira_ipsec_esp_sa = NULL;
4173 4174
4174 4175 act = ixa->ixa_ipsec_action;
4175 4176 if (act == NULL) {
4176 4177 pol = ixa->ixa_ipsec_policy;
4177 4178 if (pol != NULL) {
4178 4179 act = pol->ipsp_act;
4179 4180 IPACT_REFHOLD(act);
4180 4181 }
4181 4182 }
4182 4183 ixa->ixa_ipsec_action = NULL;
4183 4184 ira->ira_ipsec_action = act;
4184 4185 }
4185 4186
4186 4187 /*
4187 4188 * Consults global policy and per-socket policy to see whether this datagram
4188 4189 * should go out secure. If so it updates the ip_xmit_attr_t
4189 4190 * Should not be used when connecting, since then we want to latch the policy.
4190 4191 *
4191 4192 * If connp is NULL we just look at the global policy.
4192 4193 *
4193 4194 * Returns NULL if the packet was dropped, in which case the MIB has
4194 4195 * been incremented and ip_drop_packet done.
4195 4196 */
4196 4197 mblk_t *
4197 4198 ip_output_attach_policy(mblk_t *mp, ipha_t *ipha, ip6_t *ip6h,
4198 4199 const conn_t *connp, ip_xmit_attr_t *ixa)
4199 4200 {
4200 4201 ipsec_selector_t sel;
4201 4202 boolean_t policy_present;
4202 4203 ip_stack_t *ipst = ixa->ixa_ipst;
4203 4204 netstack_t *ns = ipst->ips_netstack;
4204 4205 ipsec_stack_t *ipss = ns->netstack_ipsec;
4205 4206 ipsec_policy_t *p;
4206 4207
4207 4208 ixa->ixa_ipsec_policy_gen = ipss->ipsec_system_policy.iph_gen;
4208 4209 ASSERT((ipha != NULL && ip6h == NULL) ||
4209 4210 (ip6h != NULL && ipha == NULL));
4210 4211
4211 4212 if (ipha != NULL)
4212 4213 policy_present = ipss->ipsec_outbound_v4_policy_present;
4213 4214 else
4214 4215 policy_present = ipss->ipsec_outbound_v6_policy_present;
4215 4216
4216 4217 if (!policy_present && (connp == NULL || connp->conn_policy == NULL))
4217 4218 return (mp);
4218 4219
4219 4220 bzero((void*)&sel, sizeof (sel));
4220 4221
4221 4222 if (ipha != NULL) {
4222 4223 sel.ips_local_addr_v4 = ipha->ipha_src;
4223 4224 sel.ips_remote_addr_v4 = ip_get_dst(ipha);
4224 4225 sel.ips_isv4 = B_TRUE;
4225 4226 } else {
4226 4227 sel.ips_isv4 = B_FALSE;
4227 4228 sel.ips_local_addr_v6 = ip6h->ip6_src;
4228 4229 sel.ips_remote_addr_v6 = ip_get_dst_v6(ip6h, mp, NULL);
4229 4230 }
4230 4231 sel.ips_protocol = ixa->ixa_protocol;
4231 4232
4232 4233 if (!ipsec_init_outbound_ports(&sel, mp, ipha, ip6h, 0, ipss)) {
4233 4234 if (ipha != NULL) {
4234 4235 BUMP_MIB(&ipst->ips_ip_mib, ipIfStatsOutDiscards);
4235 4236 } else {
4236 4237 BUMP_MIB(&ipst->ips_ip6_mib, ipIfStatsOutDiscards);
4237 4238 }
4238 4239 /* Note: mp already consumed and ip_drop_packet done */
4239 4240 return (NULL);
4240 4241 }
4241 4242
4242 4243 ASSERT(ixa->ixa_ipsec_policy == NULL);
4243 4244 p = ipsec_find_policy(IPSEC_TYPE_OUTBOUND, connp, &sel, ns);
4244 4245 ixa->ixa_ipsec_policy = p;
4245 4246 if (p != NULL) {
4246 4247 ixa->ixa_flags |= IXAF_IPSEC_SECURE;
4247 4248 if (connp == NULL || connp->conn_policy == NULL)
4248 4249 ixa->ixa_flags |= IXAF_IPSEC_GLOBAL_POLICY;
4249 4250 } else {
4250 4251 ixa->ixa_flags &= ~IXAF_IPSEC_SECURE;
4251 4252 }
4252 4253
4253 4254 /*
4254 4255 * Copy the right port information.
4255 4256 */
4256 4257 ixa->ixa_ipsec_src_port = sel.ips_local_port;
4257 4258 ixa->ixa_ipsec_dst_port = sel.ips_remote_port;
4258 4259 ixa->ixa_ipsec_icmp_type = sel.ips_icmp_type;
4259 4260 ixa->ixa_ipsec_icmp_code = sel.ips_icmp_code;
4260 4261 ixa->ixa_ipsec_proto = sel.ips_protocol;
4261 4262 return (mp);
4262 4263 }
4263 4264
4264 4265 /*
4265 4266 * When appropriate, this function caches inbound and outbound policy
4266 4267 * for this connection. The outbound policy is stored in conn_ixa.
4267 4268 * Note that it can not be used for SCTP since conn_faddr isn't set for SCTP.
4268 4269 *
4269 4270 * XXX need to work out more details about per-interface policy and
4270 4271 * caching here!
4271 4272 *
4272 4273 * XXX may want to split inbound and outbound caching for ill..
4273 4274 */
4274 4275 int
4275 4276 ipsec_conn_cache_policy(conn_t *connp, boolean_t isv4)
4276 4277 {
4277 4278 boolean_t global_policy_present;
4278 4279 netstack_t *ns = connp->conn_netstack;
4279 4280 ipsec_stack_t *ipss = ns->netstack_ipsec;
4280 4281
4281 4282 connp->conn_ixa->ixa_ipsec_policy_gen =
4282 4283 ipss->ipsec_system_policy.iph_gen;
4283 4284 /*
4284 4285 * There is no policy latching for ICMP sockets because we can't
4285 4286 * decide on which policy to use until we see the packet and get
4286 4287 * type/code selectors.
4287 4288 */
4288 4289 if (connp->conn_proto == IPPROTO_ICMP ||
4289 4290 connp->conn_proto == IPPROTO_ICMPV6) {
4290 4291 connp->conn_in_enforce_policy =
4291 4292 connp->conn_out_enforce_policy = B_TRUE;
4292 4293 if (connp->conn_latch != NULL) {
4293 4294 IPLATCH_REFRELE(connp->conn_latch);
4294 4295 connp->conn_latch = NULL;
4295 4296 }
4296 4297 if (connp->conn_latch_in_policy != NULL) {
4297 4298 IPPOL_REFRELE(connp->conn_latch_in_policy);
4298 4299 connp->conn_latch_in_policy = NULL;
4299 4300 }
4300 4301 if (connp->conn_latch_in_action != NULL) {
4301 4302 IPACT_REFRELE(connp->conn_latch_in_action);
4302 4303 connp->conn_latch_in_action = NULL;
4303 4304 }
4304 4305 if (connp->conn_ixa->ixa_ipsec_policy != NULL) {
4305 4306 IPPOL_REFRELE(connp->conn_ixa->ixa_ipsec_policy);
4306 4307 connp->conn_ixa->ixa_ipsec_policy = NULL;
4307 4308 }
4308 4309 if (connp->conn_ixa->ixa_ipsec_action != NULL) {
4309 4310 IPACT_REFRELE(connp->conn_ixa->ixa_ipsec_action);
4310 4311 connp->conn_ixa->ixa_ipsec_action = NULL;
4311 4312 }
4312 4313 connp->conn_ixa->ixa_flags &= ~IXAF_IPSEC_SECURE;
4313 4314 return (0);
4314 4315 }
4315 4316
4316 4317 global_policy_present = isv4 ?
4317 4318 (ipss->ipsec_outbound_v4_policy_present ||
4318 4319 ipss->ipsec_inbound_v4_policy_present) :
4319 4320 (ipss->ipsec_outbound_v6_policy_present ||
4320 4321 ipss->ipsec_inbound_v6_policy_present);
4321 4322
4322 4323 if ((connp->conn_policy != NULL) || global_policy_present) {
4323 4324 ipsec_selector_t sel;
4324 4325 ipsec_policy_t *p;
4325 4326
4326 4327 if (connp->conn_latch == NULL &&
4327 4328 (connp->conn_latch = iplatch_create()) == NULL) {
4328 4329 return (ENOMEM);
4329 4330 }
4330 4331
4331 4332 bzero((void*)&sel, sizeof (sel));
4332 4333
4333 4334 sel.ips_protocol = connp->conn_proto;
4334 4335 sel.ips_local_port = connp->conn_lport;
4335 4336 sel.ips_remote_port = connp->conn_fport;
4336 4337 sel.ips_is_icmp_inv_acq = 0;
4337 4338 sel.ips_isv4 = isv4;
4338 4339 if (isv4) {
4339 4340 sel.ips_local_addr_v4 = connp->conn_laddr_v4;
4340 4341 sel.ips_remote_addr_v4 = connp->conn_faddr_v4;
4341 4342 } else {
4342 4343 sel.ips_local_addr_v6 = connp->conn_laddr_v6;
4343 4344 sel.ips_remote_addr_v6 = connp->conn_faddr_v6;
4344 4345 }
4345 4346
4346 4347 p = ipsec_find_policy(IPSEC_TYPE_INBOUND, connp, &sel, ns);
4347 4348 if (connp->conn_latch_in_policy != NULL)
4348 4349 IPPOL_REFRELE(connp->conn_latch_in_policy);
4349 4350 connp->conn_latch_in_policy = p;
4350 4351 connp->conn_in_enforce_policy = (p != NULL);
4351 4352
4352 4353 p = ipsec_find_policy(IPSEC_TYPE_OUTBOUND, connp, &sel, ns);
4353 4354 if (connp->conn_ixa->ixa_ipsec_policy != NULL)
4354 4355 IPPOL_REFRELE(connp->conn_ixa->ixa_ipsec_policy);
4355 4356 connp->conn_ixa->ixa_ipsec_policy = p;
4356 4357 connp->conn_out_enforce_policy = (p != NULL);
4357 4358 if (p != NULL) {
4358 4359 connp->conn_ixa->ixa_flags |= IXAF_IPSEC_SECURE;
4359 4360 if (connp->conn_policy == NULL) {
4360 4361 connp->conn_ixa->ixa_flags |=
4361 4362 IXAF_IPSEC_GLOBAL_POLICY;
4362 4363 }
4363 4364 } else {
4364 4365 connp->conn_ixa->ixa_flags &= ~IXAF_IPSEC_SECURE;
4365 4366 }
4366 4367 /* Clear the latched actions too, in case we're recaching. */
4367 4368 if (connp->conn_ixa->ixa_ipsec_action != NULL) {
4368 4369 IPACT_REFRELE(connp->conn_ixa->ixa_ipsec_action);
4369 4370 connp->conn_ixa->ixa_ipsec_action = NULL;
4370 4371 }
4371 4372 if (connp->conn_latch_in_action != NULL) {
4372 4373 IPACT_REFRELE(connp->conn_latch_in_action);
4373 4374 connp->conn_latch_in_action = NULL;
4374 4375 }
4375 4376 connp->conn_ixa->ixa_ipsec_src_port = sel.ips_local_port;
4376 4377 connp->conn_ixa->ixa_ipsec_dst_port = sel.ips_remote_port;
4377 4378 connp->conn_ixa->ixa_ipsec_icmp_type = sel.ips_icmp_type;
4378 4379 connp->conn_ixa->ixa_ipsec_icmp_code = sel.ips_icmp_code;
4379 4380 connp->conn_ixa->ixa_ipsec_proto = sel.ips_protocol;
4380 4381 } else {
4381 4382 connp->conn_ixa->ixa_flags &= ~IXAF_IPSEC_SECURE;
4382 4383 }
4383 4384
4384 4385 /*
4385 4386 * We may or may not have policy for this endpoint. We still set
4386 4387 * conn_policy_cached so that inbound datagrams don't have to look
4387 4388 * at global policy as policy is considered latched for these
4388 4389 * endpoints. We should not set conn_policy_cached until the conn
4389 4390 * reflects the actual policy. If we *set* this before inheriting
4390 4391 * the policy there is a window where the check
4391 4392 * CONN_INBOUND_POLICY_PRESENT, will neither check with the policy
4392 4393 * on the conn (because we have not yet copied the policy on to
4393 4394 * conn and hence not set conn_in_enforce_policy) nor with the
4394 4395 * global policy (because conn_policy_cached is already set).
4395 4396 */
4396 4397 connp->conn_policy_cached = B_TRUE;
4397 4398 return (0);
4398 4399 }
4399 4400
4400 4401 /*
4401 4402 * When appropriate, this function caches outbound policy for faddr/fport.
4402 4403 * It is used when we are not connected i.e., when we can not latch the
4403 4404 * policy.
4404 4405 */
4405 4406 void
4406 4407 ipsec_cache_outbound_policy(const conn_t *connp, const in6_addr_t *v6src,
4407 4408 const in6_addr_t *v6dst, in_port_t dstport, ip_xmit_attr_t *ixa)
4408 4409 {
4409 4410 boolean_t isv4 = (ixa->ixa_flags & IXAF_IS_IPV4) != 0;
4410 4411 boolean_t global_policy_present;
4411 4412 netstack_t *ns = connp->conn_netstack;
4412 4413 ipsec_stack_t *ipss = ns->netstack_ipsec;
4413 4414
4414 4415 ixa->ixa_ipsec_policy_gen = ipss->ipsec_system_policy.iph_gen;
4415 4416
4416 4417 /*
4417 4418 * There is no policy caching for ICMP sockets because we can't
4418 4419 * decide on which policy to use until we see the packet and get
4419 4420 * type/code selectors.
4420 4421 */
4421 4422 if (connp->conn_proto == IPPROTO_ICMP ||
4422 4423 connp->conn_proto == IPPROTO_ICMPV6) {
4423 4424 ixa->ixa_flags &= ~IXAF_IPSEC_SECURE;
4424 4425 if (ixa->ixa_ipsec_policy != NULL) {
4425 4426 IPPOL_REFRELE(ixa->ixa_ipsec_policy);
4426 4427 ixa->ixa_ipsec_policy = NULL;
4427 4428 }
4428 4429 if (ixa->ixa_ipsec_action != NULL) {
4429 4430 IPACT_REFRELE(ixa->ixa_ipsec_action);
4430 4431 ixa->ixa_ipsec_action = NULL;
4431 4432 }
4432 4433 return;
4433 4434 }
4434 4435
4435 4436 global_policy_present = isv4 ?
4436 4437 (ipss->ipsec_outbound_v4_policy_present ||
4437 4438 ipss->ipsec_inbound_v4_policy_present) :
4438 4439 (ipss->ipsec_outbound_v6_policy_present ||
4439 4440 ipss->ipsec_inbound_v6_policy_present);
4440 4441
4441 4442 if ((connp->conn_policy != NULL) || global_policy_present) {
4442 4443 ipsec_selector_t sel;
4443 4444 ipsec_policy_t *p;
4444 4445
4445 4446 bzero((void*)&sel, sizeof (sel));
4446 4447
4447 4448 sel.ips_protocol = connp->conn_proto;
4448 4449 sel.ips_local_port = connp->conn_lport;
4449 4450 sel.ips_remote_port = dstport;
4450 4451 sel.ips_is_icmp_inv_acq = 0;
4451 4452 sel.ips_isv4 = isv4;
4452 4453 if (isv4) {
4453 4454 IN6_V4MAPPED_TO_IPADDR(v6src, sel.ips_local_addr_v4);
4454 4455 IN6_V4MAPPED_TO_IPADDR(v6dst, sel.ips_remote_addr_v4);
4455 4456 } else {
4456 4457 sel.ips_local_addr_v6 = *v6src;
4457 4458 sel.ips_remote_addr_v6 = *v6dst;
4458 4459 }
4459 4460
4460 4461 p = ipsec_find_policy(IPSEC_TYPE_OUTBOUND, connp, &sel, ns);
4461 4462 if (ixa->ixa_ipsec_policy != NULL)
4462 4463 IPPOL_REFRELE(ixa->ixa_ipsec_policy);
4463 4464 ixa->ixa_ipsec_policy = p;
4464 4465 if (p != NULL) {
4465 4466 ixa->ixa_flags |= IXAF_IPSEC_SECURE;
4466 4467 if (connp->conn_policy == NULL)
4467 4468 ixa->ixa_flags |= IXAF_IPSEC_GLOBAL_POLICY;
4468 4469 } else {
4469 4470 ixa->ixa_flags &= ~IXAF_IPSEC_SECURE;
4470 4471 }
4471 4472 /* Clear the latched actions too, in case we're recaching. */
4472 4473 if (ixa->ixa_ipsec_action != NULL) {
4473 4474 IPACT_REFRELE(ixa->ixa_ipsec_action);
4474 4475 ixa->ixa_ipsec_action = NULL;
4475 4476 }
4476 4477
4477 4478 ixa->ixa_ipsec_src_port = sel.ips_local_port;
4478 4479 ixa->ixa_ipsec_dst_port = sel.ips_remote_port;
4479 4480 ixa->ixa_ipsec_icmp_type = sel.ips_icmp_type;
4480 4481 ixa->ixa_ipsec_icmp_code = sel.ips_icmp_code;
4481 4482 ixa->ixa_ipsec_proto = sel.ips_protocol;
4482 4483 } else {
4483 4484 ixa->ixa_flags &= ~IXAF_IPSEC_SECURE;
4484 4485 if (ixa->ixa_ipsec_policy != NULL) {
4485 4486 IPPOL_REFRELE(ixa->ixa_ipsec_policy);
4486 4487 ixa->ixa_ipsec_policy = NULL;
4487 4488 }
4488 4489 if (ixa->ixa_ipsec_action != NULL) {
4489 4490 IPACT_REFRELE(ixa->ixa_ipsec_action);
4490 4491 ixa->ixa_ipsec_action = NULL;
4491 4492 }
4492 4493 }
4493 4494 }
4494 4495
4495 4496 /*
4496 4497 * Returns B_FALSE if the policy has gone stale.
4497 4498 */
4498 4499 boolean_t
4499 4500 ipsec_outbound_policy_current(ip_xmit_attr_t *ixa)
4500 4501 {
4501 4502 ipsec_stack_t *ipss = ixa->ixa_ipst->ips_netstack->netstack_ipsec;
4502 4503
4503 4504 if (!(ixa->ixa_flags & IXAF_IPSEC_GLOBAL_POLICY))
4504 4505 return (B_TRUE);
4505 4506
4506 4507 return (ixa->ixa_ipsec_policy_gen == ipss->ipsec_system_policy.iph_gen);
4507 4508 }
4508 4509
4509 4510 void
4510 4511 iplatch_free(ipsec_latch_t *ipl)
4511 4512 {
4512 4513 if (ipl->ipl_local_cid != NULL)
4513 4514 IPSID_REFRELE(ipl->ipl_local_cid);
4514 4515 if (ipl->ipl_remote_cid != NULL)
4515 4516 IPSID_REFRELE(ipl->ipl_remote_cid);
4516 4517 mutex_destroy(&ipl->ipl_lock);
4517 4518 kmem_free(ipl, sizeof (*ipl));
4518 4519 }
4519 4520
4520 4521 ipsec_latch_t *
4521 4522 iplatch_create()
4522 4523 {
4523 4524 ipsec_latch_t *ipl = kmem_alloc(sizeof (*ipl), KM_NOSLEEP);
4524 4525 if (ipl == NULL)
4525 4526 return (ipl);
4526 4527 bzero(ipl, sizeof (*ipl));
4527 4528 mutex_init(&ipl->ipl_lock, NULL, MUTEX_DEFAULT, NULL);
4528 4529 ipl->ipl_refcnt = 1;
4529 4530 return (ipl);
4530 4531 }
4531 4532
4532 4533 /*
4533 4534 * Hash function for ID hash table.
4534 4535 */
4535 4536 static uint32_t
4536 4537 ipsid_hash(int idtype, char *idstring)
4537 4538 {
4538 4539 uint32_t hval = idtype;
4539 4540 unsigned char c;
4540 4541
4541 4542 while ((c = *idstring++) != 0) {
4542 4543 hval = (hval << 4) | (hval >> 28);
4543 4544 hval ^= c;
4544 4545 }
4545 4546 hval = hval ^ (hval >> 16);
4546 4547 return (hval & (IPSID_HASHSIZE-1));
4547 4548 }
4548 4549
4549 4550 /*
4550 4551 * Look up identity string in hash table. Return identity object
4551 4552 * corresponding to the name -- either preexisting, or newly allocated.
4552 4553 *
4553 4554 * Return NULL if we need to allocate a new one and can't get memory.
4554 4555 */
4555 4556 ipsid_t *
4556 4557 ipsid_lookup(int idtype, char *idstring, netstack_t *ns)
4557 4558 {
4558 4559 ipsid_t *retval;
4559 4560 char *nstr;
4560 4561 int idlen = strlen(idstring) + 1;
4561 4562 ipsec_stack_t *ipss = ns->netstack_ipsec;
4562 4563 ipsif_t *bucket;
4563 4564
4564 4565 bucket = &ipss->ipsec_ipsid_buckets[ipsid_hash(idtype, idstring)];
4565 4566
4566 4567 mutex_enter(&bucket->ipsif_lock);
4567 4568
4568 4569 for (retval = bucket->ipsif_head; retval != NULL;
4569 4570 retval = retval->ipsid_next) {
4570 4571 if (idtype != retval->ipsid_type)
4571 4572 continue;
4572 4573 if (bcmp(idstring, retval->ipsid_cid, idlen) != 0)
4573 4574 continue;
4574 4575
4575 4576 IPSID_REFHOLD(retval);
4576 4577 mutex_exit(&bucket->ipsif_lock);
4577 4578 return (retval);
4578 4579 }
4579 4580
4580 4581 retval = kmem_alloc(sizeof (*retval), KM_NOSLEEP);
4581 4582 if (!retval) {
4582 4583 mutex_exit(&bucket->ipsif_lock);
4583 4584 return (NULL);
4584 4585 }
4585 4586
4586 4587 nstr = kmem_alloc(idlen, KM_NOSLEEP);
4587 4588 if (!nstr) {
4588 4589 mutex_exit(&bucket->ipsif_lock);
4589 4590 kmem_free(retval, sizeof (*retval));
4590 4591 return (NULL);
4591 4592 }
4592 4593
4593 4594 retval->ipsid_refcnt = 1;
4594 4595 retval->ipsid_next = bucket->ipsif_head;
4595 4596 if (retval->ipsid_next != NULL)
4596 4597 retval->ipsid_next->ipsid_ptpn = &retval->ipsid_next;
4597 4598 retval->ipsid_ptpn = &bucket->ipsif_head;
4598 4599 retval->ipsid_type = idtype;
4599 4600 retval->ipsid_cid = nstr;
4600 4601 bucket->ipsif_head = retval;
4601 4602 bcopy(idstring, nstr, idlen);
4602 4603 mutex_exit(&bucket->ipsif_lock);
4603 4604
4604 4605 return (retval);
4605 4606 }
4606 4607
4607 4608 /*
4608 4609 * Garbage collect the identity hash table.
4609 4610 */
4610 4611 void
4611 4612 ipsid_gc(netstack_t *ns)
4612 4613 {
4613 4614 int i, len;
4614 4615 ipsid_t *id, *nid;
4615 4616 ipsif_t *bucket;
4616 4617 ipsec_stack_t *ipss = ns->netstack_ipsec;
4617 4618
4618 4619 for (i = 0; i < IPSID_HASHSIZE; i++) {
4619 4620 bucket = &ipss->ipsec_ipsid_buckets[i];
4620 4621 mutex_enter(&bucket->ipsif_lock);
4621 4622 for (id = bucket->ipsif_head; id != NULL; id = nid) {
4622 4623 nid = id->ipsid_next;
4623 4624 if (id->ipsid_refcnt == 0) {
4624 4625 *id->ipsid_ptpn = nid;
4625 4626 if (nid != NULL)
4626 4627 nid->ipsid_ptpn = id->ipsid_ptpn;
4627 4628 len = strlen(id->ipsid_cid) + 1;
4628 4629 kmem_free(id->ipsid_cid, len);
4629 4630 kmem_free(id, sizeof (*id));
4630 4631 }
4631 4632 }
4632 4633 mutex_exit(&bucket->ipsif_lock);
4633 4634 }
4634 4635 }
4635 4636
4636 4637 /*
4637 4638 * Return true if two identities are the same.
4638 4639 */
4639 4640 boolean_t
4640 4641 ipsid_equal(ipsid_t *id1, ipsid_t *id2)
4641 4642 {
4642 4643 if (id1 == id2)
4643 4644 return (B_TRUE);
4644 4645 #ifdef DEBUG
4645 4646 if ((id1 == NULL) || (id2 == NULL))
4646 4647 return (B_FALSE);
4647 4648 /*
4648 4649 * test that we're interning id's correctly..
4649 4650 */
4650 4651 ASSERT((strcmp(id1->ipsid_cid, id2->ipsid_cid) != 0) ||
4651 4652 (id1->ipsid_type != id2->ipsid_type));
4652 4653 #endif
4653 4654 return (B_FALSE);
4654 4655 }
4655 4656
4656 4657 /*
4657 4658 * Initialize identity table; called during module initialization.
4658 4659 */
4659 4660 static void
4660 4661 ipsid_init(netstack_t *ns)
4661 4662 {
4662 4663 ipsif_t *bucket;
4663 4664 int i;
4664 4665 ipsec_stack_t *ipss = ns->netstack_ipsec;
4665 4666
4666 4667 for (i = 0; i < IPSID_HASHSIZE; i++) {
4667 4668 bucket = &ipss->ipsec_ipsid_buckets[i];
4668 4669 mutex_init(&bucket->ipsif_lock, NULL, MUTEX_DEFAULT, NULL);
4669 4670 }
4670 4671 }
4671 4672
4672 4673 /*
4673 4674 * Free identity table (preparatory to module unload)
4674 4675 */
4675 4676 static void
4676 4677 ipsid_fini(netstack_t *ns)
4677 4678 {
4678 4679 ipsif_t *bucket;
4679 4680 int i;
|
↓ open down ↓ |
3872 lines elided |
↑ open up ↑ |
4680 4681 ipsec_stack_t *ipss = ns->netstack_ipsec;
4681 4682
4682 4683 for (i = 0; i < IPSID_HASHSIZE; i++) {
4683 4684 bucket = &ipss->ipsec_ipsid_buckets[i];
4684 4685 ASSERT(bucket->ipsif_head == NULL);
4685 4686 mutex_destroy(&bucket->ipsif_lock);
4686 4687 }
4687 4688 }
4688 4689
4689 4690 /*
4690 - * Update the minimum and maximum supported key sizes for the
4691 - * specified algorithm. Must be called while holding the algorithms lock.
4691 + * Update the minimum and maximum supported key sizes for the specified
4692 + * algorithm, which is either a member of a netstack alg array or about to be,
4693 + * and therefore must be called holding ipsec_alg_lock for write.
4692 4694 */
4693 4695 void
4694 4696 ipsec_alg_fix_min_max(ipsec_alginfo_t *alg, ipsec_algtype_t alg_type,
4695 4697 netstack_t *ns)
4696 4698 {
4697 4699 size_t crypto_min = (size_t)-1, crypto_max = 0;
4698 4700 size_t cur_crypto_min, cur_crypto_max;
4699 4701 boolean_t is_valid;
4700 4702 crypto_mechanism_info_t *mech_infos;
4701 4703 uint_t nmech_infos;
4702 4704 int crypto_rc, i;
4703 4705 crypto_mech_usage_t mask;
4704 4706 ipsec_stack_t *ipss = ns->netstack_ipsec;
4705 4707
4706 - ASSERT(MUTEX_HELD(&ipss->ipsec_alg_lock));
4708 + ASSERT(RW_WRITE_HELD(&ipss->ipsec_alg_lock));
4707 4709
4708 4710 /*
4709 4711 * Compute the min, max, and default key sizes (in number of
4710 4712 * increments to the default key size in bits) as defined
4711 4713 * by the algorithm mappings. This range of key sizes is used
4712 4714 * for policy related operations. The effective key sizes
4713 4715 * supported by the framework could be more limited than
4714 4716 * those defined for an algorithm.
4715 4717 */
4716 4718 alg->alg_default_bits = alg->alg_key_sizes[0];
4717 4719 alg->alg_default = 0;
4718 4720 if (alg->alg_increment != 0) {
4719 4721 /* key sizes are defined by range & increment */
4720 4722 alg->alg_minbits = alg->alg_key_sizes[1];
4721 4723 alg->alg_maxbits = alg->alg_key_sizes[2];
4722 4724 } else if (alg->alg_nkey_sizes == 0) {
4723 4725 /* no specified key size for algorithm */
4724 4726 alg->alg_minbits = alg->alg_maxbits = 0;
4725 4727 } else {
4726 4728 /* key sizes are defined by enumeration */
4727 4729 alg->alg_minbits = (uint16_t)-1;
4728 4730 alg->alg_maxbits = 0;
4729 4731
4730 4732 for (i = 0; i < alg->alg_nkey_sizes; i++) {
4731 4733 if (alg->alg_key_sizes[i] < alg->alg_minbits)
4732 4734 alg->alg_minbits = alg->alg_key_sizes[i];
4733 4735 if (alg->alg_key_sizes[i] > alg->alg_maxbits)
4734 4736 alg->alg_maxbits = alg->alg_key_sizes[i];
4735 4737 }
4736 4738 }
4737 4739
4738 4740 if (!(alg->alg_flags & ALG_FLAG_VALID))
4739 4741 return;
4740 4742
4741 4743 /*
4742 4744 * Mechanisms do not apply to the NULL encryption
4743 4745 * algorithm, so simply return for this case.
4744 4746 */
4745 4747 if (alg->alg_id == SADB_EALG_NULL)
4746 4748 return;
4747 4749
4748 4750 /*
4749 4751 * Find the min and max key sizes supported by the cryptographic
4750 4752 * framework providers.
4751 4753 */
4752 4754
4753 4755 /* get the key sizes supported by the framework */
4754 4756 crypto_rc = crypto_get_all_mech_info(alg->alg_mech_type,
4755 4757 &mech_infos, &nmech_infos, KM_SLEEP);
4756 4758 if (crypto_rc != CRYPTO_SUCCESS || nmech_infos == 0) {
4757 4759 alg->alg_flags &= ~ALG_FLAG_VALID;
4758 4760 return;
4759 4761 }
4760 4762
4761 4763 /* min and max key sizes supported by framework */
4762 4764 for (i = 0, is_valid = B_FALSE; i < nmech_infos; i++) {
4763 4765 int unit_bits;
4764 4766
4765 4767 /*
4766 4768 * Ignore entries that do not support the operations
4767 4769 * needed for the algorithm type.
4768 4770 */
4769 4771 if (alg_type == IPSEC_ALG_AUTH) {
4770 4772 mask = CRYPTO_MECH_USAGE_MAC;
4771 4773 } else {
4772 4774 mask = CRYPTO_MECH_USAGE_ENCRYPT |
4773 4775 CRYPTO_MECH_USAGE_DECRYPT;
4774 4776 }
4775 4777 if ((mech_infos[i].mi_usage & mask) != mask)
4776 4778 continue;
4777 4779
4778 4780 unit_bits = (mech_infos[i].mi_keysize_unit ==
4779 4781 CRYPTO_KEYSIZE_UNIT_IN_BYTES) ? 8 : 1;
4780 4782 /* adjust min/max supported by framework */
4781 4783 cur_crypto_min = mech_infos[i].mi_min_key_size * unit_bits;
4782 4784 cur_crypto_max = mech_infos[i].mi_max_key_size * unit_bits;
4783 4785
4784 4786 if (cur_crypto_min < crypto_min)
4785 4787 crypto_min = cur_crypto_min;
4786 4788
4787 4789 /*
4788 4790 * CRYPTO_EFFECTIVELY_INFINITE is a special value of
4789 4791 * the crypto framework which means "no upper limit".
4790 4792 */
4791 4793 if (mech_infos[i].mi_max_key_size ==
4792 4794 CRYPTO_EFFECTIVELY_INFINITE) {
4793 4795 crypto_max = (size_t)-1;
4794 4796 } else if (cur_crypto_max > crypto_max) {
4795 4797 crypto_max = cur_crypto_max;
4796 4798 }
4797 4799
4798 4800 is_valid = B_TRUE;
4799 4801 }
4800 4802
4801 4803 kmem_free(mech_infos, sizeof (crypto_mechanism_info_t) *
4802 4804 nmech_infos);
4803 4805
4804 4806 if (!is_valid) {
4805 4807 /* no key sizes supported by framework */
4806 4808 alg->alg_flags &= ~ALG_FLAG_VALID;
4807 4809 return;
4808 4810 }
4809 4811
4810 4812 /*
4811 4813 * Determine min and max key sizes from alg_key_sizes[].
4812 4814 * defined for the algorithm entry. Adjust key sizes based on
4813 4815 * those supported by the framework.
4814 4816 */
4815 4817 alg->alg_ef_default_bits = alg->alg_key_sizes[0];
4816 4818
4817 4819 /*
4818 4820 * For backwards compatability, assume that the IV length
4819 4821 * is the same as the data length.
4820 4822 */
4821 4823 alg->alg_ivlen = alg->alg_datalen;
4822 4824
4823 4825 /*
4824 4826 * Copy any algorithm parameters (if provided) into dedicated
4825 4827 * elements in the ipsec_alginfo_t structure.
4826 4828 * There may be a better place to put this code.
4827 4829 */
4828 4830 for (i = 0; i < alg->alg_nparams; i++) {
4829 4831 switch (i) {
4830 4832 case 0:
4831 4833 /* Initialisation Vector length (bytes) */
4832 4834 alg->alg_ivlen = alg->alg_params[0];
4833 4835 break;
4834 4836 case 1:
4835 4837 /* Integrity Check Vector length (bytes) */
4836 4838 alg->alg_icvlen = alg->alg_params[1];
4837 4839 break;
4838 4840 case 2:
4839 4841 /* Salt length (bytes) */
4840 4842 alg->alg_saltlen = (uint8_t)alg->alg_params[2];
4841 4843 break;
4842 4844 default:
4843 4845 break;
4844 4846 }
4845 4847 }
4846 4848
4847 4849 /* Default if the IV length is not specified. */
4848 4850 if (alg_type == IPSEC_ALG_ENCR && alg->alg_ivlen == 0)
4849 4851 alg->alg_ivlen = alg->alg_datalen;
4850 4852
4851 4853 alg_flag_check(alg);
4852 4854
4853 4855 if (alg->alg_increment != 0) {
4854 4856 /* supported key sizes are defined by range & increment */
4855 4857 crypto_min = ALGBITS_ROUND_UP(crypto_min, alg->alg_increment);
4856 4858 crypto_max = ALGBITS_ROUND_DOWN(crypto_max, alg->alg_increment);
4857 4859
4858 4860 alg->alg_ef_minbits = MAX(alg->alg_minbits,
4859 4861 (uint16_t)crypto_min);
4860 4862 alg->alg_ef_maxbits = MIN(alg->alg_maxbits,
4861 4863 (uint16_t)crypto_max);
4862 4864
4863 4865 /*
4864 4866 * If the sizes supported by the framework are outside
4865 4867 * the range of sizes defined by the algorithm mappings,
4866 4868 * the algorithm cannot be used. Check for this
4867 4869 * condition here.
4868 4870 */
4869 4871 if (alg->alg_ef_minbits > alg->alg_ef_maxbits) {
4870 4872 alg->alg_flags &= ~ALG_FLAG_VALID;
4871 4873 return;
4872 4874 }
4873 4875 if (alg->alg_ef_default_bits < alg->alg_ef_minbits)
4874 4876 alg->alg_ef_default_bits = alg->alg_ef_minbits;
4875 4877 if (alg->alg_ef_default_bits > alg->alg_ef_maxbits)
4876 4878 alg->alg_ef_default_bits = alg->alg_ef_maxbits;
4877 4879 } else if (alg->alg_nkey_sizes == 0) {
4878 4880 /* no specified key size for algorithm */
4879 4881 alg->alg_ef_minbits = alg->alg_ef_maxbits = 0;
4880 4882 } else {
4881 4883 /* supported key sizes are defined by enumeration */
4882 4884 alg->alg_ef_minbits = (uint16_t)-1;
4883 4885 alg->alg_ef_maxbits = 0;
4884 4886
4885 4887 for (i = 0, is_valid = B_FALSE; i < alg->alg_nkey_sizes; i++) {
4886 4888 /*
4887 4889 * Ignore the current key size if it is not in the
4888 4890 * range of sizes supported by the framework.
4889 4891 */
4890 4892 if (alg->alg_key_sizes[i] < crypto_min ||
4891 4893 alg->alg_key_sizes[i] > crypto_max)
4892 4894 continue;
4893 4895 if (alg->alg_key_sizes[i] < alg->alg_ef_minbits)
4894 4896 alg->alg_ef_minbits = alg->alg_key_sizes[i];
4895 4897 if (alg->alg_key_sizes[i] > alg->alg_ef_maxbits)
4896 4898 alg->alg_ef_maxbits = alg->alg_key_sizes[i];
4897 4899 is_valid = B_TRUE;
4898 4900 }
4899 4901
4900 4902 if (!is_valid) {
4901 4903 alg->alg_flags &= ~ALG_FLAG_VALID;
4902 4904 return;
4903 4905 }
4904 4906 alg->alg_ef_default = 0;
4905 4907 }
4906 4908 }
4907 4909
4908 4910 /*
4909 4911 * Sanity check parameters provided by ipsecalgs(1m). Assume that
4910 4912 * the algoritm is marked as valid, there is a check at the top
4911 4913 * of this function. If any of the checks below fail, the algorithm
4912 4914 * entry is invalid.
4913 4915 */
4914 4916 void
4915 4917 alg_flag_check(ipsec_alginfo_t *alg)
4916 4918 {
4917 4919 alg->alg_flags &= ~ALG_FLAG_VALID;
4918 4920
4919 4921 /*
4920 4922 * Can't have the algorithm marked as CCM and GCM.
4921 4923 * Check the ALG_FLAG_COMBINED and ALG_FLAG_COUNTERMODE
4922 4924 * flags are set for CCM & GCM.
4923 4925 */
4924 4926 if ((alg->alg_flags & (ALG_FLAG_CCM|ALG_FLAG_GCM)) ==
4925 4927 (ALG_FLAG_CCM|ALG_FLAG_GCM))
4926 4928 return;
4927 4929 if (alg->alg_flags & (ALG_FLAG_CCM|ALG_FLAG_GCM)) {
4928 4930 if (!(alg->alg_flags & ALG_FLAG_COUNTERMODE))
4929 4931 return;
4930 4932 if (!(alg->alg_flags & ALG_FLAG_COMBINED))
4931 4933 return;
4932 4934 }
4933 4935
4934 4936 /*
4935 4937 * For ALG_FLAG_COUNTERMODE, check the parameters
4936 4938 * fit in the ipsec_nonce_t structure.
4937 4939 */
4938 4940 if (alg->alg_flags & ALG_FLAG_COUNTERMODE) {
4939 4941 if (alg->alg_ivlen != sizeof (((ipsec_nonce_t *)NULL)->iv))
4940 4942 return;
4941 4943 if (alg->alg_saltlen > sizeof (((ipsec_nonce_t *)NULL)->salt))
4942 4944 return;
4943 4945 }
4944 4946 if ((alg->alg_flags & ALG_FLAG_COMBINED) &&
4945 4947 (alg->alg_icvlen == 0))
4946 4948 return;
4947 4949
4948 4950 /* all is well. */
4949 4951 alg->alg_flags |= ALG_FLAG_VALID;
4950 4952 }
4951 4953
4952 4954 /*
4953 4955 * Free the memory used by the specified algorithm.
4954 4956 */
4955 4957 void
4956 4958 ipsec_alg_free(ipsec_alginfo_t *alg)
4957 4959 {
4958 4960 if (alg == NULL)
4959 4961 return;
4960 4962
4961 4963 if (alg->alg_key_sizes != NULL) {
4962 4964 kmem_free(alg->alg_key_sizes,
4963 4965 (alg->alg_nkey_sizes + 1) * sizeof (uint16_t));
4964 4966 alg->alg_key_sizes = NULL;
4965 4967 }
4966 4968 if (alg->alg_block_sizes != NULL) {
4967 4969 kmem_free(alg->alg_block_sizes,
4968 4970 (alg->alg_nblock_sizes + 1) * sizeof (uint16_t));
4969 4971 alg->alg_block_sizes = NULL;
4970 4972 }
4971 4973 if (alg->alg_params != NULL) {
4972 4974 kmem_free(alg->alg_params,
4973 4975 (alg->alg_nparams + 1) * sizeof (uint16_t));
4974 4976 alg->alg_params = NULL;
4975 4977 }
4976 4978 kmem_free(alg, sizeof (*alg));
4977 4979 }
4978 4980
4979 4981 /*
4980 4982 * Check the validity of the specified key size for an algorithm.
4981 4983 * Returns B_TRUE if key size is valid, B_FALSE otherwise.
4982 4984 */
4983 4985 boolean_t
4984 4986 ipsec_valid_key_size(uint16_t key_size, ipsec_alginfo_t *alg)
4985 4987 {
4986 4988 if (key_size < alg->alg_ef_minbits || key_size > alg->alg_ef_maxbits)
4987 4989 return (B_FALSE);
4988 4990
4989 4991 if (alg->alg_increment == 0 && alg->alg_nkey_sizes != 0) {
4990 4992 /*
4991 4993 * If the key sizes are defined by enumeration, the new
4992 4994 * key size must be equal to one of the supported values.
4993 4995 */
4994 4996 int i;
4995 4997
4996 4998 for (i = 0; i < alg->alg_nkey_sizes; i++)
4997 4999 if (key_size == alg->alg_key_sizes[i])
4998 5000 break;
4999 5001 if (i == alg->alg_nkey_sizes)
5000 5002 return (B_FALSE);
5001 5003 }
5002 5004
5003 5005 return (B_TRUE);
5004 5006 }
5005 5007
5006 5008 /*
5007 5009 * Callback function invoked by the crypto framework when a provider
5008 5010 * registers or unregisters. This callback updates the algorithms
5009 5011 * tables when a crypto algorithm is no longer available or becomes
5010 5012 * available, and triggers the freeing/creation of context templates
5011 5013 * associated with existing SAs, if needed.
5012 5014 *
5013 5015 * Need to walk all stack instances since the callback is global
5014 5016 * for all instances
5015 5017 */
5016 5018 void
5017 5019 ipsec_prov_update_callback(uint32_t event, void *event_arg)
5018 5020 {
5019 5021 netstack_handle_t nh;
5020 5022 netstack_t *ns;
5021 5023
5022 5024 netstack_next_init(&nh);
5023 5025 while ((ns = netstack_next(&nh)) != NULL) {
5024 5026 ipsec_prov_update_callback_stack(event, event_arg, ns);
5025 5027 netstack_rele(ns);
5026 5028 }
5027 5029 netstack_next_fini(&nh);
5028 5030 }
5029 5031
5030 5032 static void
5031 5033 ipsec_prov_update_callback_stack(uint32_t event, void *event_arg,
5032 5034 netstack_t *ns)
5033 5035 {
5034 5036 crypto_notify_event_change_t *prov_change =
5035 5037 (crypto_notify_event_change_t *)event_arg;
5036 5038 uint_t algidx, algid, algtype, mech_count, mech_idx;
5037 5039 ipsec_alginfo_t *alg;
5038 5040 ipsec_alginfo_t oalg;
5039 5041 crypto_mech_name_t *mechs;
5040 5042 boolean_t alg_changed = B_FALSE;
5041 5043 ipsec_stack_t *ipss = ns->netstack_ipsec;
5042 5044
5043 5045 /* ignore events for which we didn't register */
5044 5046 if (event != CRYPTO_EVENT_MECHS_CHANGED) {
5045 5047 ip1dbg(("ipsec_prov_update_callback: unexpected event 0x%x "
5046 5048 " received from crypto framework\n", event));
5047 5049 return;
5048 5050 }
|
↓ open down ↓ |
332 lines elided |
↑ open up ↑ |
5049 5051
5050 5052 mechs = crypto_get_mech_list(&mech_count, KM_SLEEP);
5051 5053 if (mechs == NULL)
5052 5054 return;
5053 5055
5054 5056 /*
5055 5057 * Walk the list of currently defined IPsec algorithm. Update
5056 5058 * the algorithm valid flag and trigger an update of the
5057 5059 * SAs that depend on that algorithm.
5058 5060 */
5059 - mutex_enter(&ipss->ipsec_alg_lock);
5061 + rw_enter(&ipss->ipsec_alg_lock, RW_WRITER);
5060 5062 for (algtype = 0; algtype < IPSEC_NALGTYPES; algtype++) {
5061 5063 for (algidx = 0; algidx < ipss->ipsec_nalgs[algtype];
5062 5064 algidx++) {
5063 5065
5064 5066 algid = ipss->ipsec_sortlist[algtype][algidx];
5065 5067 alg = ipss->ipsec_alglists[algtype][algid];
5066 5068 ASSERT(alg != NULL);
5067 5069
5068 5070 /*
5069 5071 * Skip the algorithms which do not map to the
5070 5072 * crypto framework provider being added or removed.
5071 5073 */
5072 5074 if (strncmp(alg->alg_mech_name,
5073 5075 prov_change->ec_mech_name,
5074 5076 CRYPTO_MAX_MECH_NAME) != 0)
5075 5077 continue;
5076 5078
5077 5079 /*
5078 5080 * Determine if the mechanism is valid. If it
5079 5081 * is not, mark the algorithm as being invalid. If
5080 5082 * it is, mark the algorithm as being valid.
5081 5083 */
5082 5084 for (mech_idx = 0; mech_idx < mech_count; mech_idx++)
5083 5085 if (strncmp(alg->alg_mech_name,
5084 5086 mechs[mech_idx], CRYPTO_MAX_MECH_NAME) == 0)
5085 5087 break;
5086 5088 if (mech_idx == mech_count &&
5087 5089 alg->alg_flags & ALG_FLAG_VALID) {
5088 5090 alg->alg_flags &= ~ALG_FLAG_VALID;
5089 5091 alg_changed = B_TRUE;
5090 5092 } else if (mech_idx < mech_count &&
5091 5093 !(alg->alg_flags & ALG_FLAG_VALID)) {
5092 5094 alg->alg_flags |= ALG_FLAG_VALID;
5093 5095 alg_changed = B_TRUE;
5094 5096 }
5095 5097
5096 5098 /*
5097 5099 * Update the supported key sizes, regardless
5098 5100 * of whether a crypto provider was added or
5099 5101 * removed.
5100 5102 */
5101 5103 oalg = *alg;
5102 5104 ipsec_alg_fix_min_max(alg, algtype, ns);
5103 5105 if (!alg_changed &&
5104 5106 alg->alg_ef_minbits != oalg.alg_ef_minbits ||
5105 5107 alg->alg_ef_maxbits != oalg.alg_ef_maxbits ||
5106 5108 alg->alg_ef_default != oalg.alg_ef_default ||
5107 5109 alg->alg_ef_default_bits !=
5108 5110 oalg.alg_ef_default_bits)
5109 5111 alg_changed = B_TRUE;
5110 5112
5111 5113 /*
|
↓ open down ↓ |
42 lines elided |
↑ open up ↑ |
5112 5114 * Update the affected SAs if a software provider is
5113 5115 * being added or removed.
5114 5116 */
5115 5117 if (prov_change->ec_provider_type ==
5116 5118 CRYPTO_SW_PROVIDER)
5117 5119 sadb_alg_update(algtype, alg->alg_id,
5118 5120 prov_change->ec_change ==
5119 5121 CRYPTO_MECH_ADDED, ns);
5120 5122 }
5121 5123 }
5122 - mutex_exit(&ipss->ipsec_alg_lock);
5124 + rw_exit(&ipss->ipsec_alg_lock);
5123 5125 crypto_free_mech_list(mechs, mech_count);
5124 5126
5125 5127 if (alg_changed) {
5126 5128 /*
5127 5129 * An algorithm has changed, i.e. it became valid or
5128 5130 * invalid, or its support key sizes have changed.
5129 5131 * Notify ipsecah and ipsecesp of this change so
5130 5132 * that they can send a SADB_REGISTER to their consumers.
5131 5133 */
5132 5134 ipsecah_algs_changed(ns);
5133 5135 ipsecesp_algs_changed(ns);
5134 5136 }
5135 5137 }
5136 5138
5137 5139 /*
5138 5140 * Registers with the crypto framework to be notified of crypto
5139 5141 * providers changes. Used to update the algorithm tables and
5140 5142 * to free or create context templates if needed. Invoked after IPsec
5141 5143 * is loaded successfully.
5142 5144 *
5143 5145 * This is called separately for each IP instance, so we ensure we only
5144 5146 * register once.
5145 5147 */
5146 5148 void
5147 5149 ipsec_register_prov_update(void)
5148 5150 {
5149 5151 if (prov_update_handle != NULL)
5150 5152 return;
5151 5153
5152 5154 prov_update_handle = crypto_notify_events(
5153 5155 ipsec_prov_update_callback, CRYPTO_EVENT_MECHS_CHANGED);
5154 5156 }
5155 5157
5156 5158 /*
5157 5159 * Unregisters from the framework to be notified of crypto providers
5158 5160 * changes. Called from ipsec_policy_g_destroy().
5159 5161 */
5160 5162 static void
5161 5163 ipsec_unregister_prov_update(void)
5162 5164 {
5163 5165 if (prov_update_handle != NULL)
5164 5166 crypto_unnotify_events(prov_update_handle);
5165 5167 }
5166 5168
5167 5169 /*
5168 5170 * Tunnel-mode support routines.
5169 5171 */
5170 5172
5171 5173 /*
5172 5174 * Returns an mblk chain suitable for putnext() if policies match and IPsec
5173 5175 * SAs are available. If there's no per-tunnel policy, or a match comes back
5174 5176 * with no match, then still return the packet and have global policy take
5175 5177 * a crack at it in IP.
5176 5178 * This updates the ip_xmit_attr with the IPsec policy.
5177 5179 *
5178 5180 * Remember -> we can be forwarding packets. Keep that in mind w.r.t.
5179 5181 * inner-packet contents.
5180 5182 */
5181 5183 mblk_t *
5182 5184 ipsec_tun_outbound(mblk_t *mp, iptun_t *iptun, ipha_t *inner_ipv4,
5183 5185 ip6_t *inner_ipv6, ipha_t *outer_ipv4, ip6_t *outer_ipv6, int outer_hdr_len,
5184 5186 ip_xmit_attr_t *ixa)
5185 5187 {
5186 5188 ipsec_policy_head_t *polhead;
5187 5189 ipsec_selector_t sel;
5188 5190 mblk_t *nmp;
5189 5191 boolean_t is_fragment;
5190 5192 ipsec_policy_t *pol;
5191 5193 ipsec_tun_pol_t *itp = iptun->iptun_itp;
5192 5194 netstack_t *ns = iptun->iptun_ns;
5193 5195 ipsec_stack_t *ipss = ns->netstack_ipsec;
5194 5196
5195 5197 ASSERT(outer_ipv6 != NULL && outer_ipv4 == NULL ||
5196 5198 outer_ipv4 != NULL && outer_ipv6 == NULL);
5197 5199 /* We take care of inners in a bit. */
5198 5200
5199 5201 /* Are the IPsec fields initialized at all? */
5200 5202 if (!(ixa->ixa_flags & IXAF_IPSEC_SECURE)) {
5201 5203 ASSERT(ixa->ixa_ipsec_policy == NULL);
5202 5204 ASSERT(ixa->ixa_ipsec_latch == NULL);
5203 5205 ASSERT(ixa->ixa_ipsec_action == NULL);
5204 5206 ASSERT(ixa->ixa_ipsec_ah_sa == NULL);
5205 5207 ASSERT(ixa->ixa_ipsec_esp_sa == NULL);
5206 5208 }
5207 5209
5208 5210 ASSERT(itp != NULL && (itp->itp_flags & ITPF_P_ACTIVE));
5209 5211 polhead = itp->itp_policy;
5210 5212
5211 5213 bzero(&sel, sizeof (sel));
5212 5214 if (inner_ipv4 != NULL) {
5213 5215 ASSERT(inner_ipv6 == NULL);
5214 5216 sel.ips_isv4 = B_TRUE;
5215 5217 sel.ips_local_addr_v4 = inner_ipv4->ipha_src;
5216 5218 sel.ips_remote_addr_v4 = inner_ipv4->ipha_dst;
5217 5219 sel.ips_protocol = (uint8_t)inner_ipv4->ipha_protocol;
5218 5220 } else {
5219 5221 ASSERT(inner_ipv6 != NULL);
5220 5222 sel.ips_isv4 = B_FALSE;
5221 5223 sel.ips_local_addr_v6 = inner_ipv6->ip6_src;
5222 5224 /*
5223 5225 * We don't care about routing-header dests in the
5224 5226 * forwarding/tunnel path, so just grab ip6_dst.
5225 5227 */
5226 5228 sel.ips_remote_addr_v6 = inner_ipv6->ip6_dst;
5227 5229 }
5228 5230
5229 5231 if (itp->itp_flags & ITPF_P_PER_PORT_SECURITY) {
5230 5232 /*
5231 5233 * Caller can prepend the outer header, which means
5232 5234 * inner_ipv[46] may be stuck in the middle. Pullup the whole
5233 5235 * mess now if need-be, for easier processing later. Don't
5234 5236 * forget to rewire the outer header too.
5235 5237 */
5236 5238 if (mp->b_cont != NULL) {
5237 5239 nmp = msgpullup(mp, -1);
5238 5240 if (nmp == NULL) {
5239 5241 ip_drop_packet(mp, B_FALSE, NULL,
5240 5242 DROPPER(ipss, ipds_spd_nomem),
5241 5243 &ipss->ipsec_spd_dropper);
5242 5244 return (NULL);
5243 5245 }
5244 5246 freemsg(mp);
5245 5247 mp = nmp;
5246 5248 if (outer_ipv4 != NULL)
5247 5249 outer_ipv4 = (ipha_t *)mp->b_rptr;
5248 5250 else
5249 5251 outer_ipv6 = (ip6_t *)mp->b_rptr;
5250 5252 if (inner_ipv4 != NULL) {
5251 5253 inner_ipv4 =
5252 5254 (ipha_t *)(mp->b_rptr + outer_hdr_len);
5253 5255 } else {
5254 5256 inner_ipv6 =
5255 5257 (ip6_t *)(mp->b_rptr + outer_hdr_len);
5256 5258 }
5257 5259 }
5258 5260 if (inner_ipv4 != NULL) {
5259 5261 is_fragment = IS_V4_FRAGMENT(
5260 5262 inner_ipv4->ipha_fragment_offset_and_flags);
5261 5263 } else {
5262 5264 sel.ips_remote_addr_v6 = ip_get_dst_v6(inner_ipv6, mp,
5263 5265 &is_fragment);
5264 5266 }
5265 5267
5266 5268 if (is_fragment) {
5267 5269 ipha_t *oiph;
5268 5270 ipha_t *iph = NULL;
5269 5271 ip6_t *ip6h = NULL;
5270 5272 int hdr_len;
5271 5273 uint16_t ip6_hdr_length;
5272 5274 uint8_t v6_proto;
5273 5275 uint8_t *v6_proto_p;
5274 5276
5275 5277 /*
5276 5278 * We have a fragment we need to track!
5277 5279 */
5278 5280 mp = ipsec_fragcache_add(&itp->itp_fragcache, NULL, mp,
5279 5281 outer_hdr_len, ipss);
5280 5282 if (mp == NULL)
5281 5283 return (NULL);
5282 5284 ASSERT(mp->b_cont == NULL);
5283 5285
5284 5286 /*
5285 5287 * If we get here, we have a full fragment chain
5286 5288 */
5287 5289
5288 5290 oiph = (ipha_t *)mp->b_rptr;
5289 5291 if (IPH_HDR_VERSION(oiph) == IPV4_VERSION) {
5290 5292 hdr_len = ((outer_hdr_len != 0) ?
5291 5293 IPH_HDR_LENGTH(oiph) : 0);
5292 5294 iph = (ipha_t *)(mp->b_rptr + hdr_len);
5293 5295 } else {
5294 5296 ASSERT(IPH_HDR_VERSION(oiph) == IPV6_VERSION);
5295 5297 ip6h = (ip6_t *)mp->b_rptr;
5296 5298 if (!ip_hdr_length_nexthdr_v6(mp, ip6h,
5297 5299 &ip6_hdr_length, &v6_proto_p)) {
5298 5300 ip_drop_packet_chain(mp, B_FALSE, NULL,
5299 5301 DROPPER(ipss,
5300 5302 ipds_spd_malformed_packet),
5301 5303 &ipss->ipsec_spd_dropper);
5302 5304 return (NULL);
5303 5305 }
5304 5306 hdr_len = ip6_hdr_length;
5305 5307 }
5306 5308 outer_hdr_len = hdr_len;
5307 5309
5308 5310 if (sel.ips_isv4) {
5309 5311 if (iph == NULL) {
5310 5312 /* Was v6 outer */
5311 5313 iph = (ipha_t *)(mp->b_rptr + hdr_len);
5312 5314 }
5313 5315 inner_ipv4 = iph;
5314 5316 sel.ips_local_addr_v4 = inner_ipv4->ipha_src;
5315 5317 sel.ips_remote_addr_v4 = inner_ipv4->ipha_dst;
5316 5318 sel.ips_protocol =
5317 5319 (uint8_t)inner_ipv4->ipha_protocol;
5318 5320 } else {
5319 5321 inner_ipv6 = (ip6_t *)(mp->b_rptr +
5320 5322 hdr_len);
5321 5323 sel.ips_local_addr_v6 = inner_ipv6->ip6_src;
5322 5324 sel.ips_remote_addr_v6 = inner_ipv6->ip6_dst;
5323 5325 if (!ip_hdr_length_nexthdr_v6(mp,
5324 5326 inner_ipv6, &ip6_hdr_length, &v6_proto_p)) {
5325 5327 ip_drop_packet_chain(mp, B_FALSE, NULL,
5326 5328 DROPPER(ipss,
5327 5329 ipds_spd_malformed_frag),
5328 5330 &ipss->ipsec_spd_dropper);
5329 5331 return (NULL);
5330 5332 }
5331 5333 v6_proto = *v6_proto_p;
5332 5334 sel.ips_protocol = v6_proto;
5333 5335 #ifdef FRAGCACHE_DEBUG
5334 5336 cmn_err(CE_WARN, "v6_sel.ips_protocol = %d\n",
5335 5337 sel.ips_protocol);
5336 5338 #endif
5337 5339 }
5338 5340 /* Ports are extracted below */
5339 5341 }
5340 5342
5341 5343 /* Get ports... */
5342 5344 if (!ipsec_init_outbound_ports(&sel, mp,
5343 5345 inner_ipv4, inner_ipv6, outer_hdr_len, ipss)) {
5344 5346 /* callee did ip_drop_packet_chain() on mp. */
5345 5347 return (NULL);
5346 5348 }
5347 5349 #ifdef FRAGCACHE_DEBUG
5348 5350 if (inner_ipv4 != NULL)
5349 5351 cmn_err(CE_WARN,
5350 5352 "(v4) sel.ips_protocol = %d, "
5351 5353 "sel.ips_local_port = %d, "
5352 5354 "sel.ips_remote_port = %d\n",
5353 5355 sel.ips_protocol, ntohs(sel.ips_local_port),
5354 5356 ntohs(sel.ips_remote_port));
5355 5357 if (inner_ipv6 != NULL)
5356 5358 cmn_err(CE_WARN,
5357 5359 "(v6) sel.ips_protocol = %d, "
5358 5360 "sel.ips_local_port = %d, "
5359 5361 "sel.ips_remote_port = %d\n",
5360 5362 sel.ips_protocol, ntohs(sel.ips_local_port),
5361 5363 ntohs(sel.ips_remote_port));
5362 5364 #endif
5363 5365 /* Success so far! */
5364 5366 }
5365 5367 rw_enter(&polhead->iph_lock, RW_READER);
5366 5368 pol = ipsec_find_policy_head(NULL, polhead, IPSEC_TYPE_OUTBOUND, &sel);
5367 5369 rw_exit(&polhead->iph_lock);
5368 5370 if (pol == NULL) {
5369 5371 /*
5370 5372 * No matching policy on this tunnel, drop the packet.
5371 5373 *
5372 5374 * NOTE: Tunnel-mode tunnels are different from the
5373 5375 * IP global transport mode policy head. For a tunnel-mode
5374 5376 * tunnel, we drop the packet in lieu of passing it
5375 5377 * along accepted the way a global-policy miss would.
5376 5378 *
5377 5379 * NOTE2: "negotiate transport" tunnels should match ALL
5378 5380 * inbound packets, but we do not uncomment the ASSERT()
5379 5381 * below because if/when we open PF_POLICY, a user can
5380 5382 * shoot him/her-self in the foot with a 0 priority.
5381 5383 */
5382 5384
5383 5385 /* ASSERT(itp->itp_flags & ITPF_P_TUNNEL); */
5384 5386 #ifdef FRAGCACHE_DEBUG
5385 5387 cmn_err(CE_WARN, "ipsec_tun_outbound(): No matching tunnel "
5386 5388 "per-port policy\n");
5387 5389 #endif
5388 5390 ip_drop_packet_chain(mp, B_FALSE, NULL,
5389 5391 DROPPER(ipss, ipds_spd_explicit),
5390 5392 &ipss->ipsec_spd_dropper);
5391 5393 return (NULL);
5392 5394 }
5393 5395
5394 5396 #ifdef FRAGCACHE_DEBUG
5395 5397 cmn_err(CE_WARN, "Having matching tunnel per-port policy\n");
5396 5398 #endif
5397 5399
5398 5400 /*
5399 5401 * NOTE: ixa_cleanup() function will release pol references.
5400 5402 */
5401 5403 ixa->ixa_ipsec_policy = pol;
5402 5404 /*
5403 5405 * NOTE: There is a subtle difference between iptun_zoneid and
5404 5406 * iptun_connp->conn_zoneid explained in iptun_conn_create(). When
5405 5407 * interacting with the ip module, we must use conn_zoneid.
5406 5408 */
5407 5409 ixa->ixa_zoneid = iptun->iptun_connp->conn_zoneid;
5408 5410
5409 5411 ASSERT((outer_ipv4 != NULL) ? (ixa->ixa_flags & IXAF_IS_IPV4) :
5410 5412 !(ixa->ixa_flags & IXAF_IS_IPV4));
5411 5413 ASSERT(ixa->ixa_ipsec_policy != NULL);
5412 5414 ixa->ixa_flags |= IXAF_IPSEC_SECURE;
5413 5415
5414 5416 if (!(itp->itp_flags & ITPF_P_TUNNEL)) {
5415 5417 /* Set up transport mode for tunnelled packets. */
5416 5418 ixa->ixa_ipsec_proto = (inner_ipv4 != NULL) ? IPPROTO_ENCAP :
5417 5419 IPPROTO_IPV6;
5418 5420 return (mp);
5419 5421 }
5420 5422
5421 5423 /* Fill in tunnel-mode goodies here. */
5422 5424 ixa->ixa_flags |= IXAF_IPSEC_TUNNEL;
5423 5425 /* XXX Do I need to fill in all of the goodies here? */
5424 5426 if (inner_ipv4) {
5425 5427 ixa->ixa_ipsec_inaf = AF_INET;
5426 5428 ixa->ixa_ipsec_insrc[0] =
5427 5429 pol->ipsp_sel->ipsl_key.ipsl_local.ipsad_v4;
5428 5430 ixa->ixa_ipsec_indst[0] =
5429 5431 pol->ipsp_sel->ipsl_key.ipsl_remote.ipsad_v4;
5430 5432 } else {
5431 5433 ixa->ixa_ipsec_inaf = AF_INET6;
5432 5434 ixa->ixa_ipsec_insrc[0] =
5433 5435 pol->ipsp_sel->ipsl_key.ipsl_local.ipsad_v6.s6_addr32[0];
5434 5436 ixa->ixa_ipsec_insrc[1] =
5435 5437 pol->ipsp_sel->ipsl_key.ipsl_local.ipsad_v6.s6_addr32[1];
5436 5438 ixa->ixa_ipsec_insrc[2] =
5437 5439 pol->ipsp_sel->ipsl_key.ipsl_local.ipsad_v6.s6_addr32[2];
5438 5440 ixa->ixa_ipsec_insrc[3] =
5439 5441 pol->ipsp_sel->ipsl_key.ipsl_local.ipsad_v6.s6_addr32[3];
5440 5442 ixa->ixa_ipsec_indst[0] =
5441 5443 pol->ipsp_sel->ipsl_key.ipsl_remote.ipsad_v6.s6_addr32[0];
5442 5444 ixa->ixa_ipsec_indst[1] =
5443 5445 pol->ipsp_sel->ipsl_key.ipsl_remote.ipsad_v6.s6_addr32[1];
5444 5446 ixa->ixa_ipsec_indst[2] =
5445 5447 pol->ipsp_sel->ipsl_key.ipsl_remote.ipsad_v6.s6_addr32[2];
5446 5448 ixa->ixa_ipsec_indst[3] =
5447 5449 pol->ipsp_sel->ipsl_key.ipsl_remote.ipsad_v6.s6_addr32[3];
5448 5450 }
5449 5451 ixa->ixa_ipsec_insrcpfx = pol->ipsp_sel->ipsl_key.ipsl_local_pfxlen;
5450 5452 ixa->ixa_ipsec_indstpfx = pol->ipsp_sel->ipsl_key.ipsl_remote_pfxlen;
5451 5453 /* NOTE: These are used for transport mode too. */
5452 5454 ixa->ixa_ipsec_src_port = pol->ipsp_sel->ipsl_key.ipsl_lport;
5453 5455 ixa->ixa_ipsec_dst_port = pol->ipsp_sel->ipsl_key.ipsl_rport;
5454 5456 ixa->ixa_ipsec_proto = pol->ipsp_sel->ipsl_key.ipsl_proto;
5455 5457
5456 5458 return (mp);
5457 5459 }
5458 5460
5459 5461 /*
5460 5462 * NOTE: The following releases pol's reference and
5461 5463 * calls ip_drop_packet() for me on NULL returns.
5462 5464 */
5463 5465 mblk_t *
5464 5466 ipsec_check_ipsecin_policy_reasm(mblk_t *attr_mp, ipsec_policy_t *pol,
5465 5467 ipha_t *inner_ipv4, ip6_t *inner_ipv6, uint64_t pkt_unique, netstack_t *ns)
5466 5468 {
5467 5469 /* Assume attr_mp is a chain of b_next-linked ip_recv_attr mblk. */
5468 5470 mblk_t *data_chain = NULL, *data_tail = NULL;
5469 5471 mblk_t *next;
5470 5472 mblk_t *data_mp;
5471 5473 ip_recv_attr_t iras;
5472 5474
5473 5475 while (attr_mp != NULL) {
5474 5476 ASSERT(ip_recv_attr_is_mblk(attr_mp));
5475 5477 next = attr_mp->b_next;
5476 5478 attr_mp->b_next = NULL; /* No tripping asserts. */
5477 5479
5478 5480 data_mp = attr_mp->b_cont;
5479 5481 attr_mp->b_cont = NULL;
5480 5482 if (!ip_recv_attr_from_mblk(attr_mp, &iras)) {
5481 5483 /* The ill or ip_stack_t disappeared on us */
5482 5484 freemsg(data_mp); /* ip_drop_packet?? */
5483 5485 ira_cleanup(&iras, B_TRUE);
5484 5486 goto fail;
5485 5487 }
5486 5488
5487 5489 /*
5488 5490 * Need IPPOL_REFHOLD(pol) for extras because
5489 5491 * ipsecin_policy does the refrele.
5490 5492 */
5491 5493 IPPOL_REFHOLD(pol);
5492 5494
5493 5495 data_mp = ipsec_check_ipsecin_policy(data_mp, pol, inner_ipv4,
5494 5496 inner_ipv6, pkt_unique, &iras, ns);
5495 5497 ira_cleanup(&iras, B_TRUE);
5496 5498
5497 5499 if (data_mp == NULL)
5498 5500 goto fail;
5499 5501
5500 5502 if (data_tail == NULL) {
5501 5503 /* First one */
5502 5504 data_chain = data_tail = data_mp;
5503 5505 } else {
5504 5506 data_tail->b_next = data_mp;
5505 5507 data_tail = data_mp;
5506 5508 }
5507 5509 attr_mp = next;
5508 5510 }
5509 5511 /*
5510 5512 * One last release because either the loop bumped it up, or we never
5511 5513 * called ipsec_check_ipsecin_policy().
5512 5514 */
5513 5515 IPPOL_REFRELE(pol);
5514 5516
5515 5517 /* data_chain is ready for return to tun module. */
5516 5518 return (data_chain);
5517 5519
5518 5520 fail:
5519 5521 /*
5520 5522 * Need to get rid of any extra pol
5521 5523 * references, and any remaining bits as well.
5522 5524 */
5523 5525 IPPOL_REFRELE(pol);
5524 5526 ipsec_freemsg_chain(data_chain);
5525 5527 ipsec_freemsg_chain(next); /* ipdrop stats? */
5526 5528 return (NULL);
5527 5529 }
5528 5530
5529 5531 /*
5530 5532 * Return a message if the inbound packet passed an IPsec policy check. Returns
5531 5533 * NULL if it failed or if it is a fragment needing its friends before a
5532 5534 * policy check can be performed.
5533 5535 *
5534 5536 * Expects a non-NULL data_mp, and a non-NULL polhead.
5535 5537 * The returned mblk may be a b_next chain of packets if fragments
5536 5538 * neeeded to be collected for a proper policy check.
5537 5539 *
5538 5540 * This function calls ip_drop_packet() on data_mp if need be.
5539 5541 *
5540 5542 * NOTE: outer_hdr_len is signed. If it's a negative value, the caller
5541 5543 * is inspecting an ICMP packet.
5542 5544 */
5543 5545 mblk_t *
5544 5546 ipsec_tun_inbound(ip_recv_attr_t *ira, mblk_t *data_mp, ipsec_tun_pol_t *itp,
5545 5547 ipha_t *inner_ipv4, ip6_t *inner_ipv6, ipha_t *outer_ipv4,
5546 5548 ip6_t *outer_ipv6, int outer_hdr_len, netstack_t *ns)
5547 5549 {
5548 5550 ipsec_policy_head_t *polhead;
5549 5551 ipsec_selector_t sel;
5550 5552 ipsec_policy_t *pol;
5551 5553 uint16_t tmpport;
5552 5554 selret_t rc;
5553 5555 boolean_t port_policy_present, is_icmp, global_present;
5554 5556 in6_addr_t tmpaddr;
5555 5557 ipaddr_t tmp4;
5556 5558 uint8_t flags, *inner_hdr;
5557 5559 ipsec_stack_t *ipss = ns->netstack_ipsec;
5558 5560
5559 5561 sel.ips_is_icmp_inv_acq = 0;
5560 5562
5561 5563 if (outer_ipv4 != NULL) {
5562 5564 ASSERT(outer_ipv6 == NULL);
5563 5565 global_present = ipss->ipsec_inbound_v4_policy_present;
5564 5566 } else {
5565 5567 ASSERT(outer_ipv6 != NULL);
5566 5568 global_present = ipss->ipsec_inbound_v6_policy_present;
5567 5569 }
5568 5570
5569 5571 ASSERT(inner_ipv4 != NULL && inner_ipv6 == NULL ||
5570 5572 inner_ipv4 == NULL && inner_ipv6 != NULL);
5571 5573
5572 5574 if (outer_hdr_len < 0) {
5573 5575 outer_hdr_len = (-outer_hdr_len);
5574 5576 is_icmp = B_TRUE;
5575 5577 } else {
5576 5578 is_icmp = B_FALSE;
5577 5579 }
5578 5580
5579 5581 if (itp != NULL && (itp->itp_flags & ITPF_P_ACTIVE)) {
5580 5582 mblk_t *mp = data_mp;
5581 5583
5582 5584 polhead = itp->itp_policy;
5583 5585 /*
5584 5586 * We need to perform full Tunnel-Mode enforcement,
5585 5587 * and we need to have inner-header data for such enforcement.
5586 5588 *
5587 5589 * See ipsec_init_inbound_sel() for the 0x80000000 on inbound
5588 5590 * and on return.
5589 5591 */
5590 5592
5591 5593 port_policy_present = ((itp->itp_flags &
5592 5594 ITPF_P_PER_PORT_SECURITY) ? B_TRUE : B_FALSE);
5593 5595 /*
5594 5596 * NOTE: Even if our policy is transport mode, set the
5595 5597 * SEL_TUNNEL_MODE flag so ipsec_init_inbound_sel() can
5596 5598 * do the right thing w.r.t. outer headers.
5597 5599 */
5598 5600 flags = ((port_policy_present ? SEL_PORT_POLICY : SEL_NONE) |
5599 5601 (is_icmp ? SEL_IS_ICMP : SEL_NONE) | SEL_TUNNEL_MODE);
5600 5602
5601 5603 rc = ipsec_init_inbound_sel(&sel, data_mp, inner_ipv4,
5602 5604 inner_ipv6, flags);
5603 5605
5604 5606 switch (rc) {
5605 5607 case SELRET_NOMEM:
5606 5608 ip_drop_packet(data_mp, B_TRUE, NULL,
5607 5609 DROPPER(ipss, ipds_spd_nomem),
5608 5610 &ipss->ipsec_spd_dropper);
5609 5611 return (NULL);
5610 5612 case SELRET_TUNFRAG:
5611 5613 /*
5612 5614 * At this point, if we're cleartext, we don't want
5613 5615 * to go there.
5614 5616 */
5615 5617 if (!(ira->ira_flags & IRAF_IPSEC_SECURE)) {
5616 5618 ip_drop_packet(data_mp, B_TRUE, NULL,
5617 5619 DROPPER(ipss, ipds_spd_got_clear),
5618 5620 &ipss->ipsec_spd_dropper);
5619 5621 return (NULL);
5620 5622 }
5621 5623
5622 5624 /*
5623 5625 * Inner and outer headers may not be contiguous.
5624 5626 * Pullup the data_mp now to satisfy assumptions of
5625 5627 * ipsec_fragcache_add()
5626 5628 */
5627 5629 if (data_mp->b_cont != NULL) {
5628 5630 mblk_t *nmp;
5629 5631
5630 5632 nmp = msgpullup(data_mp, -1);
5631 5633 if (nmp == NULL) {
5632 5634 ip_drop_packet(data_mp, B_TRUE, NULL,
5633 5635 DROPPER(ipss, ipds_spd_nomem),
5634 5636 &ipss->ipsec_spd_dropper);
5635 5637 return (NULL);
5636 5638 }
5637 5639 freemsg(data_mp);
5638 5640 data_mp = nmp;
5639 5641 if (outer_ipv4 != NULL)
5640 5642 outer_ipv4 =
5641 5643 (ipha_t *)data_mp->b_rptr;
5642 5644 else
5643 5645 outer_ipv6 =
5644 5646 (ip6_t *)data_mp->b_rptr;
5645 5647 if (inner_ipv4 != NULL) {
5646 5648 inner_ipv4 =
5647 5649 (ipha_t *)(data_mp->b_rptr +
5648 5650 outer_hdr_len);
5649 5651 } else {
5650 5652 inner_ipv6 =
5651 5653 (ip6_t *)(data_mp->b_rptr +
5652 5654 outer_hdr_len);
5653 5655 }
5654 5656 }
5655 5657
5656 5658 /*
5657 5659 * If we need to queue the packet. First we
5658 5660 * get an mblk with the attributes. ipsec_fragcache_add
5659 5661 * will prepend that to the queued data and return
5660 5662 * a list of b_next messages each of which starts with
5661 5663 * the attribute mblk.
5662 5664 */
5663 5665 mp = ip_recv_attr_to_mblk(ira);
5664 5666 if (mp == NULL) {
5665 5667 ip_drop_packet(data_mp, B_TRUE, NULL,
5666 5668 DROPPER(ipss, ipds_spd_nomem),
5667 5669 &ipss->ipsec_spd_dropper);
5668 5670 return (NULL);
5669 5671 }
5670 5672
5671 5673 mp = ipsec_fragcache_add(&itp->itp_fragcache,
5672 5674 mp, data_mp, outer_hdr_len, ipss);
5673 5675
5674 5676 if (mp == NULL) {
5675 5677 /*
5676 5678 * Data is cached, fragment chain is not
5677 5679 * complete.
5678 5680 */
5679 5681 return (NULL);
5680 5682 }
5681 5683
5682 5684 /*
5683 5685 * If we get here, we have a full fragment chain.
5684 5686 * Reacquire headers and selectors from first fragment.
5685 5687 */
5686 5688 ASSERT(ip_recv_attr_is_mblk(mp));
5687 5689 data_mp = mp->b_cont;
5688 5690 inner_hdr = data_mp->b_rptr;
5689 5691 if (outer_ipv4 != NULL) {
5690 5692 inner_hdr += IPH_HDR_LENGTH(
5691 5693 (ipha_t *)data_mp->b_rptr);
5692 5694 } else {
5693 5695 inner_hdr += ip_hdr_length_v6(data_mp,
5694 5696 (ip6_t *)data_mp->b_rptr);
5695 5697 }
5696 5698 ASSERT(inner_hdr <= data_mp->b_wptr);
5697 5699
5698 5700 if (inner_ipv4 != NULL) {
5699 5701 inner_ipv4 = (ipha_t *)inner_hdr;
5700 5702 inner_ipv6 = NULL;
5701 5703 } else {
5702 5704 inner_ipv6 = (ip6_t *)inner_hdr;
5703 5705 inner_ipv4 = NULL;
5704 5706 }
5705 5707
5706 5708 /*
5707 5709 * Use SEL_TUNNEL_MODE to take into account the outer
5708 5710 * header. Use SEL_POST_FRAG so we always get ports.
5709 5711 */
5710 5712 rc = ipsec_init_inbound_sel(&sel, data_mp,
5711 5713 inner_ipv4, inner_ipv6,
5712 5714 SEL_TUNNEL_MODE | SEL_POST_FRAG);
5713 5715 switch (rc) {
5714 5716 case SELRET_SUCCESS:
5715 5717 /*
5716 5718 * Get to same place as first caller's
5717 5719 * SELRET_SUCCESS case.
5718 5720 */
5719 5721 break;
5720 5722 case SELRET_NOMEM:
5721 5723 ip_drop_packet_chain(mp, B_TRUE, NULL,
5722 5724 DROPPER(ipss, ipds_spd_nomem),
5723 5725 &ipss->ipsec_spd_dropper);
5724 5726 return (NULL);
5725 5727 case SELRET_BADPKT:
5726 5728 ip_drop_packet_chain(mp, B_TRUE, NULL,
5727 5729 DROPPER(ipss, ipds_spd_malformed_frag),
5728 5730 &ipss->ipsec_spd_dropper);
5729 5731 return (NULL);
5730 5732 case SELRET_TUNFRAG:
5731 5733 cmn_err(CE_WARN, "(TUNFRAG on 2nd call...)");
5732 5734 /* FALLTHRU */
5733 5735 default:
5734 5736 cmn_err(CE_WARN, "ipsec_init_inbound_sel(mark2)"
5735 5737 " returns bizarro 0x%x", rc);
5736 5738 /* Guaranteed panic! */
5737 5739 ASSERT(rc == SELRET_NOMEM);
5738 5740 return (NULL);
5739 5741 }
5740 5742 /* FALLTHRU */
5741 5743 case SELRET_SUCCESS:
5742 5744 /*
5743 5745 * Common case:
5744 5746 * No per-port policy or a non-fragment. Keep going.
5745 5747 */
5746 5748 break;
5747 5749 case SELRET_BADPKT:
5748 5750 /*
5749 5751 * We may receive ICMP (with IPv6 inner) packets that
5750 5752 * trigger this return value. Send 'em in for
5751 5753 * enforcement checking.
5752 5754 */
5753 5755 cmn_err(CE_NOTE, "ipsec_tun_inbound(): "
5754 5756 "sending 'bad packet' in for enforcement");
5755 5757 break;
5756 5758 default:
5757 5759 cmn_err(CE_WARN,
5758 5760 "ipsec_init_inbound_sel() returns bizarro 0x%x",
5759 5761 rc);
5760 5762 ASSERT(rc == SELRET_NOMEM); /* Guaranteed panic! */
5761 5763 return (NULL);
5762 5764 }
5763 5765
5764 5766 if (is_icmp) {
5765 5767 /*
5766 5768 * Swap local/remote because this is an ICMP packet.
5767 5769 */
5768 5770 tmpaddr = sel.ips_local_addr_v6;
5769 5771 sel.ips_local_addr_v6 = sel.ips_remote_addr_v6;
5770 5772 sel.ips_remote_addr_v6 = tmpaddr;
5771 5773 tmpport = sel.ips_local_port;
5772 5774 sel.ips_local_port = sel.ips_remote_port;
5773 5775 sel.ips_remote_port = tmpport;
5774 5776 }
5775 5777
5776 5778 /* find_policy_head() */
5777 5779 rw_enter(&polhead->iph_lock, RW_READER);
5778 5780 pol = ipsec_find_policy_head(NULL, polhead, IPSEC_TYPE_INBOUND,
5779 5781 &sel);
5780 5782 rw_exit(&polhead->iph_lock);
5781 5783 if (pol != NULL) {
5782 5784 uint64_t pkt_unique;
5783 5785
5784 5786 if (!(ira->ira_flags & IRAF_IPSEC_SECURE)) {
5785 5787 if (!pol->ipsp_act->ipa_allow_clear) {
5786 5788 /*
5787 5789 * XXX should never get here with
5788 5790 * tunnel reassembled fragments?
5789 5791 */
5790 5792 ASSERT(mp == data_mp);
5791 5793 ip_drop_packet(data_mp, B_TRUE, NULL,
5792 5794 DROPPER(ipss, ipds_spd_got_clear),
5793 5795 &ipss->ipsec_spd_dropper);
5794 5796 IPPOL_REFRELE(pol);
5795 5797 return (NULL);
5796 5798 } else {
5797 5799 IPPOL_REFRELE(pol);
5798 5800 return (mp);
5799 5801 }
5800 5802 }
5801 5803 pkt_unique = SA_UNIQUE_ID(sel.ips_remote_port,
5802 5804 sel.ips_local_port,
5803 5805 (inner_ipv4 == NULL) ? IPPROTO_IPV6 :
5804 5806 IPPROTO_ENCAP, sel.ips_protocol);
5805 5807
5806 5808 /*
5807 5809 * NOTE: The following releases pol's reference and
5808 5810 * calls ip_drop_packet() for me on NULL returns.
5809 5811 *
5810 5812 * "sel" is still good here, so let's use it!
5811 5813 */
5812 5814 if (data_mp == mp) {
5813 5815 /* A single packet without attributes */
5814 5816 data_mp = ipsec_check_ipsecin_policy(data_mp,
5815 5817 pol, inner_ipv4, inner_ipv6, pkt_unique,
5816 5818 ira, ns);
5817 5819 } else {
5818 5820 /*
5819 5821 * We pass in the b_next chain of attr_mp's
5820 5822 * and get back a b_next chain of data_mp's.
5821 5823 */
5822 5824 data_mp = ipsec_check_ipsecin_policy_reasm(mp,
5823 5825 pol, inner_ipv4, inner_ipv6, pkt_unique,
5824 5826 ns);
5825 5827 }
5826 5828 return (data_mp);
5827 5829 }
5828 5830
5829 5831 /*
5830 5832 * Else fallthru and check the global policy on the outer
5831 5833 * header(s) if this tunnel is an old-style transport-mode
5832 5834 * one. Drop the packet explicitly (no policy entry) for
5833 5835 * a new-style tunnel-mode tunnel.
5834 5836 */
5835 5837 if ((itp->itp_flags & ITPF_P_TUNNEL) && !is_icmp) {
5836 5838 ip_drop_packet_chain(data_mp, B_TRUE, NULL,
5837 5839 DROPPER(ipss, ipds_spd_explicit),
5838 5840 &ipss->ipsec_spd_dropper);
5839 5841 return (NULL);
5840 5842 }
5841 5843 }
5842 5844
5843 5845 /*
5844 5846 * NOTE: If we reach here, we will not have packet chains from
5845 5847 * fragcache_add(), because the only way I get chains is on a
5846 5848 * tunnel-mode tunnel, which either returns with a pass, or gets
5847 5849 * hit by the ip_drop_packet_chain() call right above here.
5848 5850 */
5849 5851 ASSERT(data_mp->b_next == NULL);
5850 5852
5851 5853 /* If no per-tunnel security, check global policy now. */
5852 5854 if ((ira->ira_flags & IRAF_IPSEC_SECURE) && !global_present) {
5853 5855 if (ira->ira_flags & IRAF_TRUSTED_ICMP) {
5854 5856 /*
5855 5857 * This is an ICMP message that was geenrated locally.
5856 5858 * We should accept it.
5857 5859 */
5858 5860 return (data_mp);
5859 5861 }
5860 5862
5861 5863 ip_drop_packet(data_mp, B_TRUE, NULL,
5862 5864 DROPPER(ipss, ipds_spd_got_secure),
5863 5865 &ipss->ipsec_spd_dropper);
5864 5866 return (NULL);
5865 5867 }
5866 5868
5867 5869 if (is_icmp) {
5868 5870 /*
5869 5871 * For ICMP packets, "outer_ipvN" is set to the outer header
5870 5872 * that is *INSIDE* the ICMP payload. For global policy
5871 5873 * checking, we need to reverse src/dst on the payload in
5872 5874 * order to construct selectors appropriately. See "ripha"
5873 5875 * constructions in ip.c. To avoid a bug like 6478464 (see
5874 5876 * earlier in this file), we will actually exchange src/dst
5875 5877 * in the packet, and reverse if after the call to
5876 5878 * ipsec_check_global_policy().
5877 5879 */
5878 5880 if (outer_ipv4 != NULL) {
5879 5881 tmp4 = outer_ipv4->ipha_src;
5880 5882 outer_ipv4->ipha_src = outer_ipv4->ipha_dst;
5881 5883 outer_ipv4->ipha_dst = tmp4;
5882 5884 } else {
5883 5885 ASSERT(outer_ipv6 != NULL);
5884 5886 tmpaddr = outer_ipv6->ip6_src;
5885 5887 outer_ipv6->ip6_src = outer_ipv6->ip6_dst;
5886 5888 outer_ipv6->ip6_dst = tmpaddr;
5887 5889 }
5888 5890 }
5889 5891
5890 5892 data_mp = ipsec_check_global_policy(data_mp, NULL, outer_ipv4,
5891 5893 outer_ipv6, ira, ns);
5892 5894 if (data_mp == NULL)
5893 5895 return (NULL);
5894 5896
5895 5897 if (is_icmp) {
5896 5898 /* Set things back to normal. */
5897 5899 if (outer_ipv4 != NULL) {
5898 5900 tmp4 = outer_ipv4->ipha_src;
5899 5901 outer_ipv4->ipha_src = outer_ipv4->ipha_dst;
5900 5902 outer_ipv4->ipha_dst = tmp4;
5901 5903 } else {
5902 5904 /* No need for ASSERT()s now. */
5903 5905 tmpaddr = outer_ipv6->ip6_src;
5904 5906 outer_ipv6->ip6_src = outer_ipv6->ip6_dst;
5905 5907 outer_ipv6->ip6_dst = tmpaddr;
5906 5908 }
5907 5909 }
5908 5910
5909 5911 /*
5910 5912 * At this point, we pretend it's a cleartext accepted
5911 5913 * packet.
5912 5914 */
5913 5915 return (data_mp);
5914 5916 }
5915 5917
5916 5918 /*
5917 5919 * AVL comparison routine for our list of tunnel polheads.
5918 5920 */
5919 5921 static int
5920 5922 tunnel_compare(const void *arg1, const void *arg2)
5921 5923 {
5922 5924 ipsec_tun_pol_t *left, *right;
5923 5925 int rc;
5924 5926
5925 5927 left = (ipsec_tun_pol_t *)arg1;
5926 5928 right = (ipsec_tun_pol_t *)arg2;
5927 5929
5928 5930 rc = strncmp(left->itp_name, right->itp_name, LIFNAMSIZ);
5929 5931 return (rc == 0 ? rc : (rc > 0 ? 1 : -1));
5930 5932 }
5931 5933
5932 5934 /*
5933 5935 * Free a tunnel policy node.
5934 5936 */
5935 5937 void
5936 5938 itp_free(ipsec_tun_pol_t *node, netstack_t *ns)
5937 5939 {
5938 5940 if (node->itp_policy != NULL) {
5939 5941 IPPH_REFRELE(node->itp_policy, ns);
5940 5942 node->itp_policy = NULL;
5941 5943 }
5942 5944 if (node->itp_inactive != NULL) {
5943 5945 IPPH_REFRELE(node->itp_inactive, ns);
5944 5946 node->itp_inactive = NULL;
5945 5947 }
5946 5948 mutex_destroy(&node->itp_lock);
5947 5949 kmem_free(node, sizeof (*node));
5948 5950 }
5949 5951
5950 5952 void
5951 5953 itp_unlink(ipsec_tun_pol_t *node, netstack_t *ns)
5952 5954 {
5953 5955 ipsec_stack_t *ipss = ns->netstack_ipsec;
5954 5956
5955 5957 rw_enter(&ipss->ipsec_tunnel_policy_lock, RW_WRITER);
5956 5958 ipss->ipsec_tunnel_policy_gen++;
5957 5959 ipsec_fragcache_uninit(&node->itp_fragcache, ipss);
5958 5960 avl_remove(&ipss->ipsec_tunnel_policies, node);
5959 5961 rw_exit(&ipss->ipsec_tunnel_policy_lock);
5960 5962 ITP_REFRELE(node, ns);
5961 5963 }
5962 5964
5963 5965 /*
5964 5966 * Public interface to look up a tunnel security policy by name. Used by
5965 5967 * spdsock mostly. Returns "node" with a bumped refcnt.
5966 5968 */
5967 5969 ipsec_tun_pol_t *
5968 5970 get_tunnel_policy(char *name, netstack_t *ns)
5969 5971 {
5970 5972 ipsec_tun_pol_t *node, lookup;
5971 5973 ipsec_stack_t *ipss = ns->netstack_ipsec;
5972 5974
5973 5975 (void) strncpy(lookup.itp_name, name, LIFNAMSIZ);
5974 5976
5975 5977 rw_enter(&ipss->ipsec_tunnel_policy_lock, RW_READER);
5976 5978 node = (ipsec_tun_pol_t *)avl_find(&ipss->ipsec_tunnel_policies,
5977 5979 &lookup, NULL);
5978 5980 if (node != NULL) {
5979 5981 ITP_REFHOLD(node);
5980 5982 }
5981 5983 rw_exit(&ipss->ipsec_tunnel_policy_lock);
5982 5984
5983 5985 return (node);
5984 5986 }
5985 5987
5986 5988 /*
5987 5989 * Public interface to walk all tunnel security polcies. Useful for spdsock
5988 5990 * DUMP operations. iterator() will not consume a reference.
5989 5991 */
5990 5992 void
5991 5993 itp_walk(void (*iterator)(ipsec_tun_pol_t *, void *, netstack_t *),
5992 5994 void *arg, netstack_t *ns)
5993 5995 {
5994 5996 ipsec_tun_pol_t *node;
5995 5997 ipsec_stack_t *ipss = ns->netstack_ipsec;
5996 5998
5997 5999 rw_enter(&ipss->ipsec_tunnel_policy_lock, RW_READER);
5998 6000 for (node = avl_first(&ipss->ipsec_tunnel_policies); node != NULL;
5999 6001 node = AVL_NEXT(&ipss->ipsec_tunnel_policies, node)) {
6000 6002 iterator(node, arg, ns);
6001 6003 }
6002 6004 rw_exit(&ipss->ipsec_tunnel_policy_lock);
6003 6005 }
6004 6006
6005 6007 /*
6006 6008 * Initialize policy head. This can only fail if there's a memory problem.
6007 6009 */
6008 6010 static boolean_t
6009 6011 tunnel_polhead_init(ipsec_policy_head_t *iph, netstack_t *ns)
6010 6012 {
6011 6013 ipsec_stack_t *ipss = ns->netstack_ipsec;
6012 6014
6013 6015 rw_init(&iph->iph_lock, NULL, RW_DEFAULT, NULL);
6014 6016 iph->iph_refs = 1;
6015 6017 iph->iph_gen = 0;
6016 6018 if (ipsec_alloc_table(iph, ipss->ipsec_tun_spd_hashsize,
6017 6019 KM_SLEEP, B_FALSE, ns) != 0) {
6018 6020 ipsec_polhead_free_table(iph);
6019 6021 return (B_FALSE);
6020 6022 }
6021 6023 ipsec_polhead_init(iph, ipss->ipsec_tun_spd_hashsize);
6022 6024 return (B_TRUE);
6023 6025 }
6024 6026
6025 6027 /*
6026 6028 * Create a tunnel policy node with "name". Set errno with
6027 6029 * ENOMEM if there's a memory problem, and EEXIST if there's an existing
6028 6030 * node.
6029 6031 */
6030 6032 ipsec_tun_pol_t *
6031 6033 create_tunnel_policy(char *name, int *errno, uint64_t *gen, netstack_t *ns)
6032 6034 {
6033 6035 ipsec_tun_pol_t *newbie, *existing;
6034 6036 avl_index_t where;
6035 6037 ipsec_stack_t *ipss = ns->netstack_ipsec;
6036 6038
6037 6039 newbie = kmem_zalloc(sizeof (*newbie), KM_NOSLEEP);
6038 6040 if (newbie == NULL) {
6039 6041 *errno = ENOMEM;
6040 6042 return (NULL);
6041 6043 }
6042 6044 if (!ipsec_fragcache_init(&newbie->itp_fragcache)) {
6043 6045 kmem_free(newbie, sizeof (*newbie));
6044 6046 *errno = ENOMEM;
6045 6047 return (NULL);
6046 6048 }
6047 6049
6048 6050 (void) strncpy(newbie->itp_name, name, LIFNAMSIZ);
6049 6051
6050 6052 rw_enter(&ipss->ipsec_tunnel_policy_lock, RW_WRITER);
6051 6053 existing = (ipsec_tun_pol_t *)avl_find(&ipss->ipsec_tunnel_policies,
6052 6054 newbie, &where);
6053 6055 if (existing != NULL) {
6054 6056 itp_free(newbie, ns);
6055 6057 *errno = EEXIST;
6056 6058 rw_exit(&ipss->ipsec_tunnel_policy_lock);
6057 6059 return (NULL);
6058 6060 }
6059 6061 ipss->ipsec_tunnel_policy_gen++;
6060 6062 *gen = ipss->ipsec_tunnel_policy_gen;
6061 6063 newbie->itp_refcnt = 2; /* One for the caller, one for the tree. */
6062 6064 newbie->itp_next_policy_index = 1;
6063 6065 avl_insert(&ipss->ipsec_tunnel_policies, newbie, where);
6064 6066 mutex_init(&newbie->itp_lock, NULL, MUTEX_DEFAULT, NULL);
6065 6067 newbie->itp_policy = kmem_zalloc(sizeof (ipsec_policy_head_t),
6066 6068 KM_NOSLEEP);
6067 6069 if (newbie->itp_policy == NULL)
6068 6070 goto nomem;
6069 6071 newbie->itp_inactive = kmem_zalloc(sizeof (ipsec_policy_head_t),
6070 6072 KM_NOSLEEP);
6071 6073 if (newbie->itp_inactive == NULL) {
6072 6074 kmem_free(newbie->itp_policy, sizeof (ipsec_policy_head_t));
6073 6075 goto nomem;
6074 6076 }
6075 6077
6076 6078 if (!tunnel_polhead_init(newbie->itp_policy, ns)) {
6077 6079 kmem_free(newbie->itp_policy, sizeof (ipsec_policy_head_t));
6078 6080 kmem_free(newbie->itp_inactive, sizeof (ipsec_policy_head_t));
6079 6081 goto nomem;
6080 6082 } else if (!tunnel_polhead_init(newbie->itp_inactive, ns)) {
6081 6083 IPPH_REFRELE(newbie->itp_policy, ns);
6082 6084 kmem_free(newbie->itp_inactive, sizeof (ipsec_policy_head_t));
6083 6085 goto nomem;
6084 6086 }
6085 6087 rw_exit(&ipss->ipsec_tunnel_policy_lock);
6086 6088
6087 6089 return (newbie);
6088 6090 nomem:
6089 6091 *errno = ENOMEM;
6090 6092 kmem_free(newbie, sizeof (*newbie));
6091 6093 return (NULL);
6092 6094 }
6093 6095
6094 6096 /*
6095 6097 * Given two addresses, find a tunnel instance's IPsec policy heads.
6096 6098 * Returns NULL on failure.
6097 6099 */
6098 6100 ipsec_tun_pol_t *
6099 6101 itp_get_byaddr(uint32_t *laddr, uint32_t *faddr, int af, ip_stack_t *ipst)
6100 6102 {
6101 6103 conn_t *connp;
6102 6104 iptun_t *iptun;
6103 6105 ipsec_tun_pol_t *itp = NULL;
6104 6106
6105 6107 /* Classifiers are used to "src" being foreign. */
6106 6108 if (af == AF_INET) {
6107 6109 connp = ipcl_iptun_classify_v4((ipaddr_t *)faddr,
6108 6110 (ipaddr_t *)laddr, ipst);
6109 6111 } else {
6110 6112 ASSERT(af == AF_INET6);
6111 6113 ASSERT(!IN6_IS_ADDR_V4MAPPED((in6_addr_t *)laddr));
6112 6114 ASSERT(!IN6_IS_ADDR_V4MAPPED((in6_addr_t *)faddr));
6113 6115 connp = ipcl_iptun_classify_v6((in6_addr_t *)faddr,
6114 6116 (in6_addr_t *)laddr, ipst);
6115 6117 }
6116 6118
6117 6119 if (connp == NULL)
6118 6120 return (NULL);
6119 6121
6120 6122 if (IPCL_IS_IPTUN(connp)) {
6121 6123 iptun = connp->conn_iptun;
6122 6124 if (iptun != NULL) {
6123 6125 itp = iptun->iptun_itp;
6124 6126 if (itp != NULL) {
6125 6127 /* Braces due to the macro's nature... */
6126 6128 ITP_REFHOLD(itp);
6127 6129 }
6128 6130 } /* Else itp is already NULL. */
6129 6131 }
6130 6132
6131 6133 CONN_DEC_REF(connp);
6132 6134 return (itp);
6133 6135 }
6134 6136
6135 6137 /*
6136 6138 * Frag cache code, based on SunScreen 3.2 source
6137 6139 * screen/kernel/common/screen_fragcache.c
6138 6140 */
6139 6141
6140 6142 #define IPSEC_FRAG_TTL_MAX 5
6141 6143 /*
6142 6144 * Note that the following parameters create 256 hash buckets
6143 6145 * with 1024 free entries to be distributed. Things are cleaned
6144 6146 * periodically and are attempted to be cleaned when there is no
6145 6147 * free space, but this system errs on the side of dropping packets
6146 6148 * over creating memory exhaustion. We may decide to make hash
6147 6149 * factor a tunable if this proves to be a bad decision.
6148 6150 */
6149 6151 #define IPSEC_FRAG_HASH_SLOTS (1<<8)
6150 6152 #define IPSEC_FRAG_HASH_FACTOR 4
6151 6153 #define IPSEC_FRAG_HASH_SIZE (IPSEC_FRAG_HASH_SLOTS * IPSEC_FRAG_HASH_FACTOR)
6152 6154
6153 6155 #define IPSEC_FRAG_HASH_MASK (IPSEC_FRAG_HASH_SLOTS - 1)
6154 6156 #define IPSEC_FRAG_HASH_FUNC(id) (((id) & IPSEC_FRAG_HASH_MASK) ^ \
6155 6157 (((id) / \
6156 6158 (ushort_t)IPSEC_FRAG_HASH_SLOTS) & \
6157 6159 IPSEC_FRAG_HASH_MASK))
6158 6160
6159 6161 /* Maximum fragments per packet. 48 bytes payload x 1366 packets > 64KB */
6160 6162 #define IPSEC_MAX_FRAGS 1366
6161 6163
6162 6164 #define V4_FRAG_OFFSET(ipha) ((ntohs(ipha->ipha_fragment_offset_and_flags) & \
6163 6165 IPH_OFFSET) << 3)
6164 6166 #define V4_MORE_FRAGS(ipha) (ntohs(ipha->ipha_fragment_offset_and_flags) & \
6165 6167 IPH_MF)
6166 6168
6167 6169 /*
6168 6170 * Initialize an ipsec fragcache instance.
6169 6171 * Returns B_FALSE if memory allocation fails.
6170 6172 */
6171 6173 boolean_t
6172 6174 ipsec_fragcache_init(ipsec_fragcache_t *frag)
6173 6175 {
6174 6176 ipsec_fragcache_entry_t *ftemp;
6175 6177 int i;
6176 6178
6177 6179 mutex_init(&frag->itpf_lock, NULL, MUTEX_DEFAULT, NULL);
6178 6180 frag->itpf_ptr = (ipsec_fragcache_entry_t **)
6179 6181 kmem_zalloc(sizeof (ipsec_fragcache_entry_t *) *
6180 6182 IPSEC_FRAG_HASH_SLOTS, KM_NOSLEEP);
6181 6183 if (frag->itpf_ptr == NULL)
6182 6184 return (B_FALSE);
6183 6185
6184 6186 ftemp = (ipsec_fragcache_entry_t *)
6185 6187 kmem_zalloc(sizeof (ipsec_fragcache_entry_t) *
6186 6188 IPSEC_FRAG_HASH_SIZE, KM_NOSLEEP);
6187 6189 if (ftemp == NULL) {
6188 6190 kmem_free(frag->itpf_ptr, sizeof (ipsec_fragcache_entry_t *) *
6189 6191 IPSEC_FRAG_HASH_SLOTS);
6190 6192 return (B_FALSE);
6191 6193 }
6192 6194
6193 6195 frag->itpf_freelist = NULL;
6194 6196
6195 6197 for (i = 0; i < IPSEC_FRAG_HASH_SIZE; i++) {
6196 6198 ftemp->itpfe_next = frag->itpf_freelist;
6197 6199 frag->itpf_freelist = ftemp;
6198 6200 ftemp++;
6199 6201 }
6200 6202
6201 6203 frag->itpf_expire_hint = 0;
6202 6204
6203 6205 return (B_TRUE);
6204 6206 }
6205 6207
6206 6208 void
6207 6209 ipsec_fragcache_uninit(ipsec_fragcache_t *frag, ipsec_stack_t *ipss)
6208 6210 {
6209 6211 ipsec_fragcache_entry_t *fep;
6210 6212 int i;
6211 6213
6212 6214 mutex_enter(&frag->itpf_lock);
6213 6215 if (frag->itpf_ptr) {
6214 6216 /* Delete any existing fragcache entry chains */
6215 6217 for (i = 0; i < IPSEC_FRAG_HASH_SLOTS; i++) {
6216 6218 fep = (frag->itpf_ptr)[i];
6217 6219 while (fep != NULL) {
6218 6220 /* Returned fep is next in chain or NULL */
6219 6221 fep = fragcache_delentry(i, fep, frag, ipss);
6220 6222 }
6221 6223 }
6222 6224 /*
6223 6225 * Chase the pointers back to the beginning
6224 6226 * of the memory allocation and then
6225 6227 * get rid of the allocated freelist
6226 6228 */
6227 6229 while (frag->itpf_freelist->itpfe_next != NULL)
6228 6230 frag->itpf_freelist = frag->itpf_freelist->itpfe_next;
6229 6231 /*
6230 6232 * XXX - If we ever dynamically grow the freelist
6231 6233 * then we'll have to free entries individually
6232 6234 * or determine how many entries or chunks we have
6233 6235 * grown since the initial allocation.
6234 6236 */
6235 6237 kmem_free(frag->itpf_freelist,
6236 6238 sizeof (ipsec_fragcache_entry_t) *
6237 6239 IPSEC_FRAG_HASH_SIZE);
6238 6240 /* Free the fragcache structure */
6239 6241 kmem_free(frag->itpf_ptr,
6240 6242 sizeof (ipsec_fragcache_entry_t *) *
6241 6243 IPSEC_FRAG_HASH_SLOTS);
6242 6244 }
6243 6245 mutex_exit(&frag->itpf_lock);
6244 6246 mutex_destroy(&frag->itpf_lock);
6245 6247 }
6246 6248
6247 6249 /*
6248 6250 * Add a fragment to the fragment cache. Consumes mp if NULL is returned.
6249 6251 * Returns mp if a whole fragment has been assembled, NULL otherwise
6250 6252 * The returned mp could be a b_next chain of fragments.
6251 6253 *
6252 6254 * The iramp argument is set on inbound; NULL if outbound.
6253 6255 */
6254 6256 mblk_t *
6255 6257 ipsec_fragcache_add(ipsec_fragcache_t *frag, mblk_t *iramp, mblk_t *mp,
6256 6258 int outer_hdr_len, ipsec_stack_t *ipss)
6257 6259 {
6258 6260 boolean_t is_v4;
6259 6261 time_t itpf_time;
6260 6262 ipha_t *iph;
6261 6263 ipha_t *oiph;
6262 6264 ip6_t *ip6h = NULL;
6263 6265 uint8_t v6_proto;
6264 6266 uint8_t *v6_proto_p;
6265 6267 uint16_t ip6_hdr_length;
6266 6268 ip_pkt_t ipp;
6267 6269 ip6_frag_t *fraghdr;
6268 6270 ipsec_fragcache_entry_t *fep;
6269 6271 int i;
6270 6272 mblk_t *nmp, *prevmp;
6271 6273 int firstbyte, lastbyte;
6272 6274 int offset;
6273 6275 int last;
6274 6276 boolean_t inbound = (iramp != NULL);
6275 6277
6276 6278 #ifdef FRAGCACHE_DEBUG
6277 6279 cmn_err(CE_WARN, "Fragcache: %s\n", inbound ? "INBOUND" : "OUTBOUND");
6278 6280 #endif
6279 6281 /*
6280 6282 * You're on the slow path, so insure that every packet in the
6281 6283 * cache is a single-mblk one.
6282 6284 */
6283 6285 if (mp->b_cont != NULL) {
6284 6286 nmp = msgpullup(mp, -1);
6285 6287 if (nmp == NULL) {
6286 6288 ip_drop_packet(mp, inbound, NULL,
6287 6289 DROPPER(ipss, ipds_spd_nomem),
6288 6290 &ipss->ipsec_spd_dropper);
6289 6291 if (inbound)
6290 6292 (void) ip_recv_attr_free_mblk(iramp);
6291 6293 return (NULL);
6292 6294 }
6293 6295 freemsg(mp);
6294 6296 mp = nmp;
6295 6297 }
6296 6298
6297 6299 mutex_enter(&frag->itpf_lock);
6298 6300
6299 6301 oiph = (ipha_t *)mp->b_rptr;
6300 6302 iph = (ipha_t *)(mp->b_rptr + outer_hdr_len);
6301 6303
6302 6304 if (IPH_HDR_VERSION(iph) == IPV4_VERSION) {
6303 6305 is_v4 = B_TRUE;
6304 6306 } else {
6305 6307 ASSERT(IPH_HDR_VERSION(iph) == IPV6_VERSION);
6306 6308 ip6h = (ip6_t *)(mp->b_rptr + outer_hdr_len);
6307 6309
6308 6310 if (!ip_hdr_length_nexthdr_v6(mp, ip6h, &ip6_hdr_length,
6309 6311 &v6_proto_p)) {
6310 6312 /*
6311 6313 * Find upper layer protocol.
6312 6314 * If it fails we have a malformed packet
6313 6315 */
6314 6316 mutex_exit(&frag->itpf_lock);
6315 6317 ip_drop_packet(mp, inbound, NULL,
6316 6318 DROPPER(ipss, ipds_spd_malformed_packet),
6317 6319 &ipss->ipsec_spd_dropper);
6318 6320 if (inbound)
6319 6321 (void) ip_recv_attr_free_mblk(iramp);
6320 6322 return (NULL);
6321 6323 } else {
6322 6324 v6_proto = *v6_proto_p;
6323 6325 }
6324 6326
6325 6327
6326 6328 bzero(&ipp, sizeof (ipp));
6327 6329 (void) ip_find_hdr_v6(mp, ip6h, B_FALSE, &ipp, NULL);
6328 6330 if (!(ipp.ipp_fields & IPPF_FRAGHDR)) {
6329 6331 /*
6330 6332 * We think this is a fragment, but didn't find
6331 6333 * a fragment header. Something is wrong.
6332 6334 */
6333 6335 mutex_exit(&frag->itpf_lock);
6334 6336 ip_drop_packet(mp, inbound, NULL,
6335 6337 DROPPER(ipss, ipds_spd_malformed_frag),
6336 6338 &ipss->ipsec_spd_dropper);
6337 6339 if (inbound)
6338 6340 (void) ip_recv_attr_free_mblk(iramp);
6339 6341 return (NULL);
6340 6342 }
6341 6343 fraghdr = ipp.ipp_fraghdr;
6342 6344 is_v4 = B_FALSE;
6343 6345 }
6344 6346
6345 6347 /* Anything to cleanup? */
6346 6348
6347 6349 /*
6348 6350 * This cleanup call could be put in a timer loop
6349 6351 * but it may actually be just as reasonable a decision to
6350 6352 * leave it here. The disadvantage is this only gets called when
6351 6353 * frags are added. The advantage is that it is not
6352 6354 * susceptible to race conditions like a time-based cleanup
6353 6355 * may be.
6354 6356 */
6355 6357 itpf_time = gethrestime_sec();
6356 6358 if (itpf_time >= frag->itpf_expire_hint)
6357 6359 ipsec_fragcache_clean(frag, ipss);
6358 6360
6359 6361 /* Lookup to see if there is an existing entry */
6360 6362
6361 6363 if (is_v4)
6362 6364 i = IPSEC_FRAG_HASH_FUNC(iph->ipha_ident);
6363 6365 else
6364 6366 i = IPSEC_FRAG_HASH_FUNC(fraghdr->ip6f_ident);
6365 6367
6366 6368 for (fep = (frag->itpf_ptr)[i]; fep; fep = fep->itpfe_next) {
6367 6369 if (is_v4) {
6368 6370 ASSERT(iph != NULL);
6369 6371 if ((fep->itpfe_id == iph->ipha_ident) &&
6370 6372 (fep->itpfe_src == iph->ipha_src) &&
6371 6373 (fep->itpfe_dst == iph->ipha_dst) &&
6372 6374 (fep->itpfe_proto == iph->ipha_protocol))
6373 6375 break;
6374 6376 } else {
6375 6377 ASSERT(fraghdr != NULL);
6376 6378 ASSERT(fep != NULL);
6377 6379 if ((fep->itpfe_id == fraghdr->ip6f_ident) &&
6378 6380 IN6_ARE_ADDR_EQUAL(&fep->itpfe_src6,
6379 6381 &ip6h->ip6_src) &&
6380 6382 IN6_ARE_ADDR_EQUAL(&fep->itpfe_dst6,
6381 6383 &ip6h->ip6_dst) && (fep->itpfe_proto == v6_proto))
6382 6384 break;
6383 6385 }
6384 6386 }
6385 6387
6386 6388 if (is_v4) {
6387 6389 firstbyte = V4_FRAG_OFFSET(iph);
6388 6390 lastbyte = firstbyte + ntohs(iph->ipha_length) -
6389 6391 IPH_HDR_LENGTH(iph);
6390 6392 last = (V4_MORE_FRAGS(iph) == 0);
6391 6393 #ifdef FRAGCACHE_DEBUG
6392 6394 cmn_err(CE_WARN, "V4 fragcache: firstbyte = %d, lastbyte = %d, "
6393 6395 "is_last_frag = %d, id = %d, mp = %p\n", firstbyte,
6394 6396 lastbyte, last, iph->ipha_ident, mp);
6395 6397 #endif
6396 6398 } else {
6397 6399 firstbyte = ntohs(fraghdr->ip6f_offlg & IP6F_OFF_MASK);
6398 6400 lastbyte = firstbyte + ntohs(ip6h->ip6_plen) +
6399 6401 sizeof (ip6_t) - ip6_hdr_length;
6400 6402 last = (fraghdr->ip6f_offlg & IP6F_MORE_FRAG) == 0;
6401 6403 #ifdef FRAGCACHE_DEBUG
6402 6404 cmn_err(CE_WARN, "V6 fragcache: firstbyte = %d, lastbyte = %d, "
6403 6405 "is_last_frag = %d, id = %d, fraghdr = %p, mp = %p\n",
6404 6406 firstbyte, lastbyte, last, fraghdr->ip6f_ident, fraghdr,
6405 6407 mp);
6406 6408 #endif
6407 6409 }
6408 6410
6409 6411 /* check for bogus fragments and delete the entry */
6410 6412 if (firstbyte > 0 && firstbyte <= 8) {
6411 6413 if (fep != NULL)
6412 6414 (void) fragcache_delentry(i, fep, frag, ipss);
6413 6415 mutex_exit(&frag->itpf_lock);
6414 6416 ip_drop_packet(mp, inbound, NULL,
6415 6417 DROPPER(ipss, ipds_spd_malformed_frag),
6416 6418 &ipss->ipsec_spd_dropper);
6417 6419 if (inbound)
6418 6420 (void) ip_recv_attr_free_mblk(iramp);
6419 6421 return (NULL);
6420 6422 }
6421 6423
6422 6424 /* Not found, allocate a new entry */
6423 6425 if (fep == NULL) {
6424 6426 if (frag->itpf_freelist == NULL) {
6425 6427 /* see if there is some space */
6426 6428 ipsec_fragcache_clean(frag, ipss);
6427 6429 if (frag->itpf_freelist == NULL) {
6428 6430 mutex_exit(&frag->itpf_lock);
6429 6431 ip_drop_packet(mp, inbound, NULL,
6430 6432 DROPPER(ipss, ipds_spd_nomem),
6431 6433 &ipss->ipsec_spd_dropper);
6432 6434 if (inbound)
6433 6435 (void) ip_recv_attr_free_mblk(iramp);
6434 6436 return (NULL);
6435 6437 }
6436 6438 }
6437 6439
6438 6440 fep = frag->itpf_freelist;
6439 6441 frag->itpf_freelist = fep->itpfe_next;
6440 6442
6441 6443 if (is_v4) {
6442 6444 bcopy((caddr_t)&iph->ipha_src, (caddr_t)&fep->itpfe_src,
6443 6445 sizeof (struct in_addr));
6444 6446 bcopy((caddr_t)&iph->ipha_dst, (caddr_t)&fep->itpfe_dst,
6445 6447 sizeof (struct in_addr));
6446 6448 fep->itpfe_id = iph->ipha_ident;
6447 6449 fep->itpfe_proto = iph->ipha_protocol;
6448 6450 i = IPSEC_FRAG_HASH_FUNC(fep->itpfe_id);
6449 6451 } else {
6450 6452 bcopy((in6_addr_t *)&ip6h->ip6_src,
6451 6453 (in6_addr_t *)&fep->itpfe_src6,
6452 6454 sizeof (struct in6_addr));
6453 6455 bcopy((in6_addr_t *)&ip6h->ip6_dst,
6454 6456 (in6_addr_t *)&fep->itpfe_dst6,
6455 6457 sizeof (struct in6_addr));
6456 6458 fep->itpfe_id = fraghdr->ip6f_ident;
6457 6459 fep->itpfe_proto = v6_proto;
6458 6460 i = IPSEC_FRAG_HASH_FUNC(fep->itpfe_id);
6459 6461 }
6460 6462 itpf_time = gethrestime_sec();
6461 6463 fep->itpfe_exp = itpf_time + IPSEC_FRAG_TTL_MAX + 1;
6462 6464 fep->itpfe_last = 0;
6463 6465 fep->itpfe_fraglist = NULL;
6464 6466 fep->itpfe_depth = 0;
6465 6467 fep->itpfe_next = (frag->itpf_ptr)[i];
6466 6468 (frag->itpf_ptr)[i] = fep;
6467 6469
6468 6470 if (frag->itpf_expire_hint > fep->itpfe_exp)
6469 6471 frag->itpf_expire_hint = fep->itpfe_exp;
6470 6472
6471 6473 }
6472 6474
6473 6475 /* Insert it in the frag list */
6474 6476 /* List is in order by starting offset of fragments */
6475 6477
6476 6478 prevmp = NULL;
6477 6479 for (nmp = fep->itpfe_fraglist; nmp; nmp = nmp->b_next) {
6478 6480 ipha_t *niph;
6479 6481 ipha_t *oniph;
6480 6482 ip6_t *nip6h;
6481 6483 ip_pkt_t nipp;
6482 6484 ip6_frag_t *nfraghdr;
6483 6485 uint16_t nip6_hdr_length;
6484 6486 uint8_t *nv6_proto_p;
6485 6487 int nfirstbyte, nlastbyte;
6486 6488 char *data, *ndata;
6487 6489 mblk_t *ndata_mp = (inbound ? nmp->b_cont : nmp);
6488 6490 int hdr_len;
6489 6491
6490 6492 oniph = (ipha_t *)mp->b_rptr;
6491 6493 nip6h = NULL;
6492 6494 niph = NULL;
6493 6495
6494 6496 /*
6495 6497 * Determine outer header type and length and set
6496 6498 * pointers appropriately
6497 6499 */
6498 6500
6499 6501 if (IPH_HDR_VERSION(oniph) == IPV4_VERSION) {
6500 6502 hdr_len = ((outer_hdr_len != 0) ?
6501 6503 IPH_HDR_LENGTH(oiph) : 0);
6502 6504 niph = (ipha_t *)(ndata_mp->b_rptr + hdr_len);
6503 6505 } else {
6504 6506 ASSERT(IPH_HDR_VERSION(oniph) == IPV6_VERSION);
6505 6507 ASSERT(ndata_mp->b_cont == NULL);
6506 6508 nip6h = (ip6_t *)ndata_mp->b_rptr;
6507 6509 (void) ip_hdr_length_nexthdr_v6(ndata_mp, nip6h,
6508 6510 &nip6_hdr_length, &v6_proto_p);
6509 6511 hdr_len = ((outer_hdr_len != 0) ? nip6_hdr_length : 0);
6510 6512 }
6511 6513
6512 6514 /*
6513 6515 * Determine inner header type and length and set
6514 6516 * pointers appropriately
6515 6517 */
6516 6518
6517 6519 if (is_v4) {
6518 6520 if (niph == NULL) {
6519 6521 /* Was v6 outer */
6520 6522 niph = (ipha_t *)(ndata_mp->b_rptr + hdr_len);
6521 6523 }
6522 6524 nfirstbyte = V4_FRAG_OFFSET(niph);
6523 6525 nlastbyte = nfirstbyte + ntohs(niph->ipha_length) -
6524 6526 IPH_HDR_LENGTH(niph);
6525 6527 } else {
6526 6528 ASSERT(ndata_mp->b_cont == NULL);
6527 6529 nip6h = (ip6_t *)(ndata_mp->b_rptr + hdr_len);
6528 6530 if (!ip_hdr_length_nexthdr_v6(ndata_mp, nip6h,
6529 6531 &nip6_hdr_length, &nv6_proto_p)) {
6530 6532 mutex_exit(&frag->itpf_lock);
6531 6533 ip_drop_packet_chain(nmp, inbound, NULL,
6532 6534 DROPPER(ipss, ipds_spd_malformed_frag),
6533 6535 &ipss->ipsec_spd_dropper);
6534 6536 ipsec_freemsg_chain(ndata_mp);
6535 6537 if (inbound)
6536 6538 (void) ip_recv_attr_free_mblk(iramp);
6537 6539 return (NULL);
6538 6540 }
6539 6541 bzero(&nipp, sizeof (nipp));
6540 6542 (void) ip_find_hdr_v6(ndata_mp, nip6h, B_FALSE, &nipp,
6541 6543 NULL);
6542 6544 nfraghdr = nipp.ipp_fraghdr;
6543 6545 nfirstbyte = ntohs(nfraghdr->ip6f_offlg &
6544 6546 IP6F_OFF_MASK);
6545 6547 nlastbyte = nfirstbyte + ntohs(nip6h->ip6_plen) +
6546 6548 sizeof (ip6_t) - nip6_hdr_length;
6547 6549 }
6548 6550
6549 6551 /* Check for overlapping fragments */
6550 6552 if (firstbyte >= nfirstbyte && firstbyte < nlastbyte) {
6551 6553 /*
6552 6554 * Overlap Check:
6553 6555 * ~~~~--------- # Check if the newly
6554 6556 * ~ ndata_mp| # received fragment
6555 6557 * ~~~~--------- # overlaps with the
6556 6558 * ---------~~~~~~ # current fragment.
6557 6559 * | mp ~
6558 6560 * ---------~~~~~~
6559 6561 */
6560 6562 if (is_v4) {
6561 6563 data = (char *)iph + IPH_HDR_LENGTH(iph) +
6562 6564 firstbyte - nfirstbyte;
6563 6565 ndata = (char *)niph + IPH_HDR_LENGTH(niph);
6564 6566 } else {
6565 6567 data = (char *)ip6h +
6566 6568 nip6_hdr_length + firstbyte -
6567 6569 nfirstbyte;
6568 6570 ndata = (char *)nip6h + nip6_hdr_length;
6569 6571 }
6570 6572 if (bcmp(data, ndata, MIN(lastbyte, nlastbyte) -
6571 6573 firstbyte)) {
6572 6574 /* Overlapping data does not match */
6573 6575 (void) fragcache_delentry(i, fep, frag, ipss);
6574 6576 mutex_exit(&frag->itpf_lock);
6575 6577 ip_drop_packet(mp, inbound, NULL,
6576 6578 DROPPER(ipss, ipds_spd_overlap_frag),
6577 6579 &ipss->ipsec_spd_dropper);
6578 6580 if (inbound)
6579 6581 (void) ip_recv_attr_free_mblk(iramp);
6580 6582 return (NULL);
6581 6583 }
6582 6584 /* Part of defense for jolt2.c fragmentation attack */
6583 6585 if (firstbyte >= nfirstbyte && lastbyte <= nlastbyte) {
6584 6586 /*
6585 6587 * Check for identical or subset fragments:
6586 6588 * ---------- ~~~~--------~~~~~
6587 6589 * | nmp | or ~ nmp ~
6588 6590 * ---------- ~~~~--------~~~~~
6589 6591 * ---------- ------
6590 6592 * | mp | | mp |
6591 6593 * ---------- ------
6592 6594 */
6593 6595 mutex_exit(&frag->itpf_lock);
6594 6596 ip_drop_packet(mp, inbound, NULL,
6595 6597 DROPPER(ipss, ipds_spd_evil_frag),
6596 6598 &ipss->ipsec_spd_dropper);
6597 6599 if (inbound)
6598 6600 (void) ip_recv_attr_free_mblk(iramp);
6599 6601 return (NULL);
6600 6602 }
6601 6603
6602 6604 }
6603 6605
6604 6606 /* Correct location for this fragment? */
6605 6607 if (firstbyte <= nfirstbyte) {
6606 6608 /*
6607 6609 * Check if the tail end of the new fragment overlaps
6608 6610 * with the head of the current fragment.
6609 6611 * --------~~~~~~~
6610 6612 * | nmp ~
6611 6613 * --------~~~~~~~
6612 6614 * ~~~~~--------
6613 6615 * ~ mp |
6614 6616 * ~~~~~--------
6615 6617 */
6616 6618 if (lastbyte > nfirstbyte) {
6617 6619 /* Fragments overlap */
6618 6620 data = (char *)iph + IPH_HDR_LENGTH(iph) +
6619 6621 firstbyte - nfirstbyte;
6620 6622 ndata = (char *)niph + IPH_HDR_LENGTH(niph);
6621 6623 if (is_v4) {
6622 6624 data = (char *)iph +
6623 6625 IPH_HDR_LENGTH(iph) + firstbyte -
6624 6626 nfirstbyte;
6625 6627 ndata = (char *)niph +
6626 6628 IPH_HDR_LENGTH(niph);
6627 6629 } else {
6628 6630 data = (char *)ip6h +
6629 6631 nip6_hdr_length + firstbyte -
6630 6632 nfirstbyte;
6631 6633 ndata = (char *)nip6h + nip6_hdr_length;
6632 6634 }
6633 6635 if (bcmp(data, ndata, MIN(lastbyte, nlastbyte)
6634 6636 - nfirstbyte)) {
6635 6637 /* Overlap mismatch */
6636 6638 (void) fragcache_delentry(i, fep, frag,
6637 6639 ipss);
6638 6640 mutex_exit(&frag->itpf_lock);
6639 6641 ip_drop_packet(mp, inbound, NULL,
6640 6642 DROPPER(ipss,
6641 6643 ipds_spd_overlap_frag),
6642 6644 &ipss->ipsec_spd_dropper);
6643 6645 if (inbound) {
6644 6646 (void) ip_recv_attr_free_mblk(
6645 6647 iramp);
6646 6648 }
6647 6649 return (NULL);
6648 6650 }
6649 6651 }
6650 6652
6651 6653 /*
6652 6654 * Fragment does not illegally overlap and can now
6653 6655 * be inserted into the chain
6654 6656 */
6655 6657 break;
6656 6658 }
6657 6659
6658 6660 prevmp = nmp;
6659 6661 }
6660 6662 /* Prepend the attributes before we link it in */
6661 6663 if (iramp != NULL) {
6662 6664 ASSERT(iramp->b_cont == NULL);
6663 6665 iramp->b_cont = mp;
6664 6666 mp = iramp;
6665 6667 iramp = NULL;
6666 6668 }
6667 6669 mp->b_next = nmp;
6668 6670
6669 6671 if (prevmp == NULL) {
6670 6672 fep->itpfe_fraglist = mp;
6671 6673 } else {
6672 6674 prevmp->b_next = mp;
6673 6675 }
6674 6676 if (last)
6675 6677 fep->itpfe_last = 1;
6676 6678
6677 6679 /* Part of defense for jolt2.c fragmentation attack */
6678 6680 if (++(fep->itpfe_depth) > IPSEC_MAX_FRAGS) {
6679 6681 (void) fragcache_delentry(i, fep, frag, ipss);
6680 6682 mutex_exit(&frag->itpf_lock);
6681 6683 if (inbound)
6682 6684 mp = ip_recv_attr_free_mblk(mp);
6683 6685
6684 6686 ip_drop_packet(mp, inbound, NULL,
6685 6687 DROPPER(ipss, ipds_spd_max_frags),
6686 6688 &ipss->ipsec_spd_dropper);
6687 6689 return (NULL);
6688 6690 }
6689 6691
6690 6692 /* Check for complete packet */
6691 6693
6692 6694 if (!fep->itpfe_last) {
6693 6695 mutex_exit(&frag->itpf_lock);
6694 6696 #ifdef FRAGCACHE_DEBUG
6695 6697 cmn_err(CE_WARN, "Fragment cached, last not yet seen.\n");
6696 6698 #endif
6697 6699 return (NULL);
6698 6700 }
6699 6701
6700 6702 offset = 0;
6701 6703 for (mp = fep->itpfe_fraglist; mp; mp = mp->b_next) {
6702 6704 mblk_t *data_mp = (inbound ? mp->b_cont : mp);
6703 6705 int hdr_len;
6704 6706
6705 6707 oiph = (ipha_t *)data_mp->b_rptr;
6706 6708 ip6h = NULL;
6707 6709 iph = NULL;
6708 6710
6709 6711 if (IPH_HDR_VERSION(oiph) == IPV4_VERSION) {
6710 6712 hdr_len = ((outer_hdr_len != 0) ?
6711 6713 IPH_HDR_LENGTH(oiph) : 0);
6712 6714 iph = (ipha_t *)(data_mp->b_rptr + hdr_len);
6713 6715 } else {
6714 6716 ASSERT(IPH_HDR_VERSION(oiph) == IPV6_VERSION);
6715 6717 ASSERT(data_mp->b_cont == NULL);
6716 6718 ip6h = (ip6_t *)data_mp->b_rptr;
6717 6719 (void) ip_hdr_length_nexthdr_v6(data_mp, ip6h,
6718 6720 &ip6_hdr_length, &v6_proto_p);
6719 6721 hdr_len = ((outer_hdr_len != 0) ? ip6_hdr_length : 0);
6720 6722 }
6721 6723
6722 6724 /* Calculate current fragment start/end */
6723 6725 if (is_v4) {
6724 6726 if (iph == NULL) {
6725 6727 /* Was v6 outer */
6726 6728 iph = (ipha_t *)(data_mp->b_rptr + hdr_len);
6727 6729 }
6728 6730 firstbyte = V4_FRAG_OFFSET(iph);
6729 6731 lastbyte = firstbyte + ntohs(iph->ipha_length) -
6730 6732 IPH_HDR_LENGTH(iph);
6731 6733 } else {
6732 6734 ASSERT(data_mp->b_cont == NULL);
6733 6735 ip6h = (ip6_t *)(data_mp->b_rptr + hdr_len);
6734 6736 if (!ip_hdr_length_nexthdr_v6(data_mp, ip6h,
6735 6737 &ip6_hdr_length, &v6_proto_p)) {
6736 6738 mutex_exit(&frag->itpf_lock);
6737 6739 ip_drop_packet_chain(mp, inbound, NULL,
6738 6740 DROPPER(ipss, ipds_spd_malformed_frag),
6739 6741 &ipss->ipsec_spd_dropper);
6740 6742 return (NULL);
6741 6743 }
6742 6744 v6_proto = *v6_proto_p;
6743 6745 bzero(&ipp, sizeof (ipp));
6744 6746 (void) ip_find_hdr_v6(data_mp, ip6h, B_FALSE, &ipp,
6745 6747 NULL);
6746 6748 fraghdr = ipp.ipp_fraghdr;
6747 6749 firstbyte = ntohs(fraghdr->ip6f_offlg &
6748 6750 IP6F_OFF_MASK);
6749 6751 lastbyte = firstbyte + ntohs(ip6h->ip6_plen) +
6750 6752 sizeof (ip6_t) - ip6_hdr_length;
6751 6753 }
6752 6754
6753 6755 /*
6754 6756 * If this fragment is greater than current offset,
6755 6757 * we have a missing fragment so return NULL
6756 6758 */
6757 6759 if (firstbyte > offset) {
6758 6760 mutex_exit(&frag->itpf_lock);
6759 6761 #ifdef FRAGCACHE_DEBUG
6760 6762 /*
6761 6763 * Note, this can happen when the last frag
6762 6764 * gets sent through because it is smaller
6763 6765 * than the MTU. It is not necessarily an
6764 6766 * error condition.
6765 6767 */
6766 6768 cmn_err(CE_WARN, "Frag greater than offset! : "
6767 6769 "missing fragment: firstbyte = %d, offset = %d, "
6768 6770 "mp = %p\n", firstbyte, offset, mp);
6769 6771 #endif
6770 6772 return (NULL);
6771 6773 }
6772 6774 #ifdef FRAGCACHE_DEBUG
6773 6775 cmn_err(CE_WARN, "Frag offsets : "
6774 6776 "firstbyte = %d, offset = %d, mp = %p\n",
6775 6777 firstbyte, offset, mp);
6776 6778 #endif
6777 6779
6778 6780 /*
6779 6781 * If we are at the last fragment, we have the complete
6780 6782 * packet, so rechain things and return it to caller
6781 6783 * for processing
6782 6784 */
6783 6785
6784 6786 if ((is_v4 && !V4_MORE_FRAGS(iph)) ||
6785 6787 (!is_v4 && !(fraghdr->ip6f_offlg & IP6F_MORE_FRAG))) {
6786 6788 mp = fep->itpfe_fraglist;
6787 6789 fep->itpfe_fraglist = NULL;
6788 6790 (void) fragcache_delentry(i, fep, frag, ipss);
6789 6791 mutex_exit(&frag->itpf_lock);
6790 6792
6791 6793 if ((is_v4 && (firstbyte + ntohs(iph->ipha_length) >
6792 6794 65535)) || (!is_v4 && (firstbyte +
6793 6795 ntohs(ip6h->ip6_plen) > 65535))) {
6794 6796 /* It is an invalid "ping-o-death" packet */
6795 6797 /* Discard it */
6796 6798 ip_drop_packet_chain(mp, inbound, NULL,
6797 6799 DROPPER(ipss, ipds_spd_evil_frag),
6798 6800 &ipss->ipsec_spd_dropper);
6799 6801 return (NULL);
6800 6802 }
6801 6803 #ifdef FRAGCACHE_DEBUG
6802 6804 cmn_err(CE_WARN, "Fragcache returning mp = %p, "
6803 6805 "mp->b_next = %p", mp, mp->b_next);
6804 6806 #endif
6805 6807 /*
6806 6808 * For inbound case, mp has attrmp b_next'd chain
6807 6809 * For outbound case, it is just data mp chain
6808 6810 */
6809 6811 return (mp);
6810 6812 }
6811 6813
6812 6814 /*
6813 6815 * Update new ending offset if this
6814 6816 * fragment extends the packet
6815 6817 */
6816 6818 if (offset < lastbyte)
6817 6819 offset = lastbyte;
6818 6820 }
6819 6821
6820 6822 mutex_exit(&frag->itpf_lock);
6821 6823
6822 6824 /* Didn't find last fragment, so return NULL */
6823 6825 return (NULL);
6824 6826 }
6825 6827
6826 6828 static void
6827 6829 ipsec_fragcache_clean(ipsec_fragcache_t *frag, ipsec_stack_t *ipss)
6828 6830 {
6829 6831 ipsec_fragcache_entry_t *fep;
6830 6832 int i;
6831 6833 ipsec_fragcache_entry_t *earlyfep = NULL;
6832 6834 time_t itpf_time;
6833 6835 int earlyexp;
6834 6836 int earlyi = 0;
6835 6837
6836 6838 ASSERT(MUTEX_HELD(&frag->itpf_lock));
6837 6839
6838 6840 itpf_time = gethrestime_sec();
6839 6841 earlyexp = itpf_time + 10000;
6840 6842
6841 6843 for (i = 0; i < IPSEC_FRAG_HASH_SLOTS; i++) {
6842 6844 fep = (frag->itpf_ptr)[i];
6843 6845 while (fep) {
6844 6846 if (fep->itpfe_exp < itpf_time) {
6845 6847 /* found */
6846 6848 fep = fragcache_delentry(i, fep, frag, ipss);
6847 6849 } else {
6848 6850 if (fep->itpfe_exp < earlyexp) {
6849 6851 earlyfep = fep;
6850 6852 earlyexp = fep->itpfe_exp;
6851 6853 earlyi = i;
6852 6854 }
6853 6855 fep = fep->itpfe_next;
6854 6856 }
6855 6857 }
6856 6858 }
6857 6859
6858 6860 frag->itpf_expire_hint = earlyexp;
6859 6861
6860 6862 /* if (!found) */
6861 6863 if (frag->itpf_freelist == NULL)
6862 6864 (void) fragcache_delentry(earlyi, earlyfep, frag, ipss);
6863 6865 }
6864 6866
6865 6867 static ipsec_fragcache_entry_t *
6866 6868 fragcache_delentry(int slot, ipsec_fragcache_entry_t *fep,
6867 6869 ipsec_fragcache_t *frag, ipsec_stack_t *ipss)
6868 6870 {
6869 6871 ipsec_fragcache_entry_t *targp;
6870 6872 ipsec_fragcache_entry_t *nextp = fep->itpfe_next;
6871 6873
6872 6874 ASSERT(MUTEX_HELD(&frag->itpf_lock));
6873 6875
6874 6876 /* Free up any fragment list still in cache entry */
6875 6877 if (fep->itpfe_fraglist != NULL) {
6876 6878 ip_drop_packet_chain(fep->itpfe_fraglist,
6877 6879 ip_recv_attr_is_mblk(fep->itpfe_fraglist), NULL,
6878 6880 DROPPER(ipss, ipds_spd_expired_frags),
6879 6881 &ipss->ipsec_spd_dropper);
6880 6882 }
6881 6883 fep->itpfe_fraglist = NULL;
6882 6884
6883 6885 targp = (frag->itpf_ptr)[slot];
6884 6886 ASSERT(targp != 0);
6885 6887
6886 6888 if (targp == fep) {
6887 6889 /* unlink from head of hash chain */
6888 6890 (frag->itpf_ptr)[slot] = nextp;
6889 6891 /* link into free list */
6890 6892 fep->itpfe_next = frag->itpf_freelist;
6891 6893 frag->itpf_freelist = fep;
6892 6894 return (nextp);
6893 6895 }
6894 6896
6895 6897 /* maybe should use double linked list to make update faster */
6896 6898 /* must be past front of chain */
6897 6899 while (targp) {
6898 6900 if (targp->itpfe_next == fep) {
6899 6901 /* unlink from hash chain */
6900 6902 targp->itpfe_next = nextp;
6901 6903 /* link into free list */
6902 6904 fep->itpfe_next = frag->itpf_freelist;
6903 6905 frag->itpf_freelist = fep;
6904 6906 return (nextp);
6905 6907 }
6906 6908 targp = targp->itpfe_next;
6907 6909 ASSERT(targp != 0);
6908 6910 }
6909 6911 /* NOTREACHED */
6910 6912 return (NULL);
6911 6913 }
|
↓ open down ↓ |
1779 lines elided |
↑ open up ↑ |
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX