Print this page
4851 IPsec should use NANOSEC & friends from time.h
| Split |
Close |
| Expand all |
| Collapse all |
--- old/usr/src/uts/common/inet/ip/spd.c
+++ new/usr/src/uts/common/inet/ip/spd.c
1 1 /*
2 2 * CDDL HEADER START
3 3 *
4 4 * The contents of this file are subject to the terms of the
5 5 * Common Development and Distribution License (the "License").
6 6 * You may not use this file except in compliance with the License.
7 7 *
8 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 9 * or http://www.opensolaris.org/os/licensing.
10 10 * See the License for the specific language governing permissions
11 11 * and limitations under the License.
12 12 *
13 13 * When distributing Covered Code, include this CDDL HEADER in each
14 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 15 * If applicable, add the following below this CDDL HEADER, with the
16 16 * fields enclosed by brackets "[]" replaced with your own identifying
17 17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 18 *
19 19 * CDDL HEADER END
20 20 */
21 21 /*
22 22 * Copyright 2010 Sun Microsystems, Inc. All rights reserved.
23 23 * Use is subject to license terms.
24 24 */
25 25
26 26 /*
27 27 * IPsec Security Policy Database.
28 28 *
29 29 * This module maintains the SPD and provides routines used by ip and ip6
30 30 * to apply IPsec policy to inbound and outbound datagrams.
31 31 */
32 32
33 33 #include <sys/types.h>
34 34 #include <sys/stream.h>
35 35 #include <sys/stropts.h>
36 36 #include <sys/sysmacros.h>
37 37 #include <sys/strsubr.h>
38 38 #include <sys/strsun.h>
39 39 #include <sys/strlog.h>
40 40 #include <sys/strsun.h>
41 41 #include <sys/cmn_err.h>
42 42 #include <sys/zone.h>
43 43
44 44 #include <sys/systm.h>
45 45 #include <sys/param.h>
46 46 #include <sys/kmem.h>
47 47 #include <sys/ddi.h>
48 48
49 49 #include <sys/crypto/api.h>
50 50
51 51 #include <inet/common.h>
52 52 #include <inet/mi.h>
53 53
54 54 #include <netinet/ip6.h>
55 55 #include <netinet/icmp6.h>
56 56 #include <netinet/udp.h>
57 57
58 58 #include <inet/ip.h>
59 59 #include <inet/ip6.h>
60 60
61 61 #include <net/pfkeyv2.h>
62 62 #include <net/pfpolicy.h>
63 63 #include <inet/sadb.h>
64 64 #include <inet/ipsec_impl.h>
65 65
66 66 #include <inet/ip_impl.h> /* For IP_MOD_ID */
67 67
68 68 #include <inet/ipsecah.h>
69 69 #include <inet/ipsecesp.h>
70 70 #include <inet/ipdrop.h>
71 71 #include <inet/ipclassifier.h>
72 72 #include <inet/iptun.h>
73 73 #include <inet/iptun/iptun_impl.h>
74 74
75 75 static void ipsec_update_present_flags(ipsec_stack_t *);
76 76 static ipsec_act_t *ipsec_act_wildcard_expand(ipsec_act_t *, uint_t *,
77 77 netstack_t *);
78 78 static mblk_t *ipsec_check_ipsecin_policy(mblk_t *, ipsec_policy_t *,
79 79 ipha_t *, ip6_t *, uint64_t, ip_recv_attr_t *, netstack_t *);
80 80 static void ipsec_action_free_table(ipsec_action_t *);
81 81 static void ipsec_action_reclaim(void *);
82 82 static void ipsec_action_reclaim_stack(ipsec_stack_t *);
83 83 static void ipsid_init(netstack_t *);
84 84 static void ipsid_fini(netstack_t *);
85 85
86 86 /* sel_flags values for ipsec_init_inbound_sel(). */
87 87 #define SEL_NONE 0x0000
88 88 #define SEL_PORT_POLICY 0x0001
89 89 #define SEL_IS_ICMP 0x0002
90 90 #define SEL_TUNNEL_MODE 0x0004
91 91 #define SEL_POST_FRAG 0x0008
92 92
93 93 /* Return values for ipsec_init_inbound_sel(). */
94 94 typedef enum { SELRET_NOMEM, SELRET_BADPKT, SELRET_SUCCESS, SELRET_TUNFRAG}
95 95 selret_t;
96 96
97 97 static selret_t ipsec_init_inbound_sel(ipsec_selector_t *, mblk_t *,
98 98 ipha_t *, ip6_t *, uint8_t);
99 99
100 100 static boolean_t ipsec_check_ipsecin_action(ip_recv_attr_t *, mblk_t *,
101 101 struct ipsec_action_s *, ipha_t *ipha, ip6_t *ip6h, const char **,
102 102 kstat_named_t **, netstack_t *);
103 103 static void ipsec_unregister_prov_update(void);
104 104 static void ipsec_prov_update_callback_stack(uint32_t, void *, netstack_t *);
105 105 static boolean_t ipsec_compare_action(ipsec_policy_t *, ipsec_policy_t *);
106 106 static uint32_t selector_hash(ipsec_selector_t *, ipsec_policy_root_t *);
107 107 static boolean_t ipsec_kstat_init(ipsec_stack_t *);
108 108 static void ipsec_kstat_destroy(ipsec_stack_t *);
109 109 static int ipsec_free_tables(ipsec_stack_t *);
110 110 static int tunnel_compare(const void *, const void *);
111 111 static void ipsec_freemsg_chain(mblk_t *);
112 112 static void ip_drop_packet_chain(mblk_t *, boolean_t, ill_t *,
113 113 struct kstat_named *, ipdropper_t *);
114 114 static boolean_t ipsec_kstat_init(ipsec_stack_t *);
115 115 static void ipsec_kstat_destroy(ipsec_stack_t *);
116 116 static int ipsec_free_tables(ipsec_stack_t *);
117 117 static int tunnel_compare(const void *, const void *);
118 118 static void ipsec_freemsg_chain(mblk_t *);
119 119
120 120 /*
121 121 * Selector hash table is statically sized at module load time.
122 122 * we default to 251 buckets, which is the largest prime number under 255
123 123 */
124 124
125 125 #define IPSEC_SPDHASH_DEFAULT 251
126 126
127 127 /* SPD hash-size tunable per tunnel. */
128 128 #define TUN_SPDHASH_DEFAULT 5
129 129
130 130 uint32_t ipsec_spd_hashsize;
131 131 uint32_t tun_spd_hashsize;
132 132
133 133 #define IPSEC_SEL_NOHASH ((uint32_t)(~0))
134 134
135 135 /*
136 136 * Handle global across all stack instances
137 137 */
138 138 static crypto_notify_handle_t prov_update_handle = NULL;
139 139
140 140 static kmem_cache_t *ipsec_action_cache;
141 141 static kmem_cache_t *ipsec_sel_cache;
142 142 static kmem_cache_t *ipsec_pol_cache;
143 143
144 144 /* Frag cache prototypes */
145 145 static void ipsec_fragcache_clean(ipsec_fragcache_t *, ipsec_stack_t *);
146 146 static ipsec_fragcache_entry_t *fragcache_delentry(int,
147 147 ipsec_fragcache_entry_t *, ipsec_fragcache_t *, ipsec_stack_t *);
148 148 boolean_t ipsec_fragcache_init(ipsec_fragcache_t *);
149 149 void ipsec_fragcache_uninit(ipsec_fragcache_t *, ipsec_stack_t *ipss);
150 150 mblk_t *ipsec_fragcache_add(ipsec_fragcache_t *, mblk_t *, mblk_t *,
151 151 int, ipsec_stack_t *);
152 152
153 153 int ipsec_hdr_pullup_needed = 0;
154 154 int ipsec_weird_null_inbound_policy = 0;
155 155
156 156 #define ALGBITS_ROUND_DOWN(x, align) (((x)/(align))*(align))
157 157 #define ALGBITS_ROUND_UP(x, align) ALGBITS_ROUND_DOWN((x)+(align)-1, align)
158 158
159 159 /*
160 160 * Inbound traffic should have matching identities for both SA's.
161 161 */
162 162
163 163 #define SA_IDS_MATCH(sa1, sa2) \
164 164 (((sa1) == NULL) || ((sa2) == NULL) || \
165 165 (((sa1)->ipsa_src_cid == (sa2)->ipsa_src_cid) && \
166 166 (((sa1)->ipsa_dst_cid == (sa2)->ipsa_dst_cid))))
167 167
168 168 /*
169 169 * IPv6 Fragments
170 170 */
171 171 #define IS_V6_FRAGMENT(ipp) (ipp.ipp_fields & IPPF_FRAGHDR)
172 172
173 173 /*
174 174 * Policy failure messages.
175 175 */
176 176 static char *ipsec_policy_failure_msgs[] = {
177 177
178 178 /* IPSEC_POLICY_NOT_NEEDED */
179 179 "%s: Dropping the datagram because the incoming packet "
180 180 "is %s, but the recipient expects clear; Source %s, "
181 181 "Destination %s.\n",
182 182
183 183 /* IPSEC_POLICY_MISMATCH */
184 184 "%s: Policy Failure for the incoming packet (%s); Source %s, "
185 185 "Destination %s.\n",
186 186
187 187 /* IPSEC_POLICY_AUTH_NOT_NEEDED */
188 188 "%s: Authentication present while not expected in the "
189 189 "incoming %s packet; Source %s, Destination %s.\n",
190 190
191 191 /* IPSEC_POLICY_ENCR_NOT_NEEDED */
192 192 "%s: Encryption present while not expected in the "
193 193 "incoming %s packet; Source %s, Destination %s.\n",
194 194
195 195 /* IPSEC_POLICY_SE_NOT_NEEDED */
196 196 "%s: Self-Encapsulation present while not expected in the "
197 197 "incoming %s packet; Source %s, Destination %s.\n",
198 198 };
199 199
200 200 /*
201 201 * General overviews:
202 202 *
203 203 * Locking:
204 204 *
205 205 * All of the system policy structures are protected by a single
206 206 * rwlock. These structures are threaded in a
207 207 * fairly complex fashion and are not expected to change on a
208 208 * regular basis, so this should not cause scaling/contention
209 209 * problems. As a result, policy checks should (hopefully) be MT-hot.
210 210 *
211 211 * Allocation policy:
212 212 *
213 213 * We use custom kmem cache types for the various
214 214 * bits & pieces of the policy data structures. All allocations
215 215 * use KM_NOSLEEP instead of KM_SLEEP for policy allocation. The
216 216 * policy table is of potentially unbounded size, so we don't
217 217 * want to provide a way to hog all system memory with policy
218 218 * entries..
219 219 */
220 220
221 221 /* Convenient functions for freeing or dropping a b_next linked mblk chain */
222 222
223 223 /* Free all messages in an mblk chain */
224 224 static void
225 225 ipsec_freemsg_chain(mblk_t *mp)
226 226 {
227 227 mblk_t *mpnext;
228 228 while (mp != NULL) {
229 229 ASSERT(mp->b_prev == NULL);
230 230 mpnext = mp->b_next;
231 231 mp->b_next = NULL;
232 232 freemsg(mp);
233 233 mp = mpnext;
234 234 }
235 235 }
236 236
237 237 /*
238 238 * ip_drop all messages in an mblk chain
239 239 * Can handle a b_next chain of ip_recv_attr_t mblks, or just a b_next chain
240 240 * of data.
241 241 */
242 242 static void
243 243 ip_drop_packet_chain(mblk_t *mp, boolean_t inbound, ill_t *ill,
244 244 struct kstat_named *counter, ipdropper_t *who_called)
245 245 {
246 246 mblk_t *mpnext;
247 247 while (mp != NULL) {
248 248 ASSERT(mp->b_prev == NULL);
249 249 mpnext = mp->b_next;
250 250 mp->b_next = NULL;
251 251 if (ip_recv_attr_is_mblk(mp))
252 252 mp = ip_recv_attr_free_mblk(mp);
253 253 ip_drop_packet(mp, inbound, ill, counter, who_called);
254 254 mp = mpnext;
255 255 }
256 256 }
257 257
258 258 /*
259 259 * AVL tree comparison function.
260 260 * the in-kernel avl assumes unique keys for all objects.
261 261 * Since sometimes policy will duplicate rules, we may insert
262 262 * multiple rules with the same rule id, so we need a tie-breaker.
263 263 */
264 264 static int
265 265 ipsec_policy_cmpbyid(const void *a, const void *b)
266 266 {
267 267 const ipsec_policy_t *ipa, *ipb;
268 268 uint64_t idxa, idxb;
269 269
270 270 ipa = (const ipsec_policy_t *)a;
271 271 ipb = (const ipsec_policy_t *)b;
272 272 idxa = ipa->ipsp_index;
273 273 idxb = ipb->ipsp_index;
274 274
275 275 if (idxa < idxb)
276 276 return (-1);
277 277 if (idxa > idxb)
278 278 return (1);
279 279 /*
280 280 * Tie-breaker #1: All installed policy rules have a non-NULL
281 281 * ipsl_sel (selector set), so an entry with a NULL ipsp_sel is not
282 282 * actually in-tree but rather a template node being used in
283 283 * an avl_find query; see ipsec_policy_delete(). This gives us
284 284 * a placeholder in the ordering just before the first entry with
285 285 * a key >= the one we're looking for, so we can walk forward from
286 286 * that point to get the remaining entries with the same id.
287 287 */
288 288 if ((ipa->ipsp_sel == NULL) && (ipb->ipsp_sel != NULL))
289 289 return (-1);
290 290 if ((ipb->ipsp_sel == NULL) && (ipa->ipsp_sel != NULL))
291 291 return (1);
292 292 /*
293 293 * At most one of the arguments to the comparison should have a
294 294 * NULL selector pointer; if not, the tree is broken.
295 295 */
296 296 ASSERT(ipa->ipsp_sel != NULL);
297 297 ASSERT(ipb->ipsp_sel != NULL);
298 298 /*
299 299 * Tie-breaker #2: use the virtual address of the policy node
300 300 * to arbitrarily break ties. Since we use the new tree node in
301 301 * the avl_find() in ipsec_insert_always, the new node will be
302 302 * inserted into the tree in the right place in the sequence.
303 303 */
304 304 if (ipa < ipb)
305 305 return (-1);
306 306 if (ipa > ipb)
307 307 return (1);
308 308 return (0);
309 309 }
310 310
311 311 /*
312 312 * Free what ipsec_alloc_table allocated.
313 313 */
314 314 void
315 315 ipsec_polhead_free_table(ipsec_policy_head_t *iph)
316 316 {
317 317 int dir;
318 318 int i;
319 319
320 320 for (dir = 0; dir < IPSEC_NTYPES; dir++) {
321 321 ipsec_policy_root_t *ipr = &iph->iph_root[dir];
322 322
323 323 if (ipr->ipr_hash == NULL)
324 324 continue;
325 325
326 326 for (i = 0; i < ipr->ipr_nchains; i++) {
327 327 ASSERT(ipr->ipr_hash[i].hash_head == NULL);
328 328 }
329 329 kmem_free(ipr->ipr_hash, ipr->ipr_nchains *
330 330 sizeof (ipsec_policy_hash_t));
331 331 ipr->ipr_hash = NULL;
332 332 }
333 333 }
334 334
335 335 void
336 336 ipsec_polhead_destroy(ipsec_policy_head_t *iph)
337 337 {
338 338 int dir;
339 339
340 340 avl_destroy(&iph->iph_rulebyid);
341 341 rw_destroy(&iph->iph_lock);
342 342
343 343 for (dir = 0; dir < IPSEC_NTYPES; dir++) {
344 344 ipsec_policy_root_t *ipr = &iph->iph_root[dir];
345 345 int chain;
346 346
347 347 for (chain = 0; chain < ipr->ipr_nchains; chain++)
348 348 mutex_destroy(&(ipr->ipr_hash[chain].hash_lock));
349 349
350 350 }
351 351 ipsec_polhead_free_table(iph);
352 352 }
353 353
354 354 /*
355 355 * Free the IPsec stack instance.
356 356 */
357 357 /* ARGSUSED */
358 358 static void
359 359 ipsec_stack_fini(netstackid_t stackid, void *arg)
360 360 {
361 361 ipsec_stack_t *ipss = (ipsec_stack_t *)arg;
362 362 void *cookie;
363 363 ipsec_tun_pol_t *node;
364 364 netstack_t *ns = ipss->ipsec_netstack;
365 365 int i;
366 366 ipsec_algtype_t algtype;
367 367
368 368 ipsec_loader_destroy(ipss);
369 369
370 370 rw_enter(&ipss->ipsec_tunnel_policy_lock, RW_WRITER);
371 371 /*
372 372 * It's possible we can just ASSERT() the tree is empty. After all,
373 373 * we aren't called until IP is ready to unload (and presumably all
374 374 * tunnels have been unplumbed). But we'll play it safe for now, the
375 375 * loop will just exit immediately if it's empty.
376 376 */
377 377 cookie = NULL;
378 378 while ((node = (ipsec_tun_pol_t *)
379 379 avl_destroy_nodes(&ipss->ipsec_tunnel_policies,
380 380 &cookie)) != NULL) {
381 381 ITP_REFRELE(node, ns);
382 382 }
383 383 avl_destroy(&ipss->ipsec_tunnel_policies);
384 384 rw_exit(&ipss->ipsec_tunnel_policy_lock);
385 385 rw_destroy(&ipss->ipsec_tunnel_policy_lock);
386 386
387 387 ipsec_config_flush(ns);
388 388
389 389 ipsec_kstat_destroy(ipss);
390 390
391 391 ip_drop_unregister(&ipss->ipsec_dropper);
392 392
393 393 ip_drop_unregister(&ipss->ipsec_spd_dropper);
394 394 ip_drop_destroy(ipss);
395 395 /*
396 396 * Globals start with ref == 1 to prevent IPPH_REFRELE() from
397 397 * attempting to free them, hence they should have 1 now.
398 398 */
399 399 ipsec_polhead_destroy(&ipss->ipsec_system_policy);
400 400 ASSERT(ipss->ipsec_system_policy.iph_refs == 1);
401 401 ipsec_polhead_destroy(&ipss->ipsec_inactive_policy);
402 402 ASSERT(ipss->ipsec_inactive_policy.iph_refs == 1);
403 403
404 404 for (i = 0; i < IPSEC_ACTION_HASH_SIZE; i++) {
405 405 ipsec_action_free_table(ipss->ipsec_action_hash[i].hash_head);
406 406 ipss->ipsec_action_hash[i].hash_head = NULL;
407 407 mutex_destroy(&(ipss->ipsec_action_hash[i].hash_lock));
408 408 }
409 409
410 410 for (i = 0; i < ipss->ipsec_spd_hashsize; i++) {
411 411 ASSERT(ipss->ipsec_sel_hash[i].hash_head == NULL);
412 412 mutex_destroy(&(ipss->ipsec_sel_hash[i].hash_lock));
413 413 }
414 414
415 415 mutex_enter(&ipss->ipsec_alg_lock);
416 416 for (algtype = 0; algtype < IPSEC_NALGTYPES; algtype ++) {
417 417 int nalgs = ipss->ipsec_nalgs[algtype];
418 418
419 419 for (i = 0; i < nalgs; i++) {
420 420 if (ipss->ipsec_alglists[algtype][i] != NULL)
421 421 ipsec_alg_unreg(algtype, i, ns);
422 422 }
423 423 }
424 424 mutex_exit(&ipss->ipsec_alg_lock);
425 425 mutex_destroy(&ipss->ipsec_alg_lock);
426 426
427 427 ipsid_gc(ns);
428 428 ipsid_fini(ns);
429 429
430 430 (void) ipsec_free_tables(ipss);
431 431 kmem_free(ipss, sizeof (*ipss));
432 432 }
433 433
434 434 void
435 435 ipsec_policy_g_destroy(void)
436 436 {
437 437 kmem_cache_destroy(ipsec_action_cache);
438 438 kmem_cache_destroy(ipsec_sel_cache);
439 439 kmem_cache_destroy(ipsec_pol_cache);
440 440
441 441 ipsec_unregister_prov_update();
442 442
443 443 netstack_unregister(NS_IPSEC);
444 444 }
445 445
446 446
447 447 /*
448 448 * Free what ipsec_alloc_tables allocated.
449 449 * Called when table allocation fails to free the table.
450 450 */
451 451 static int
452 452 ipsec_free_tables(ipsec_stack_t *ipss)
453 453 {
454 454 int i;
455 455
456 456 if (ipss->ipsec_sel_hash != NULL) {
457 457 for (i = 0; i < ipss->ipsec_spd_hashsize; i++) {
458 458 ASSERT(ipss->ipsec_sel_hash[i].hash_head == NULL);
459 459 }
460 460 kmem_free(ipss->ipsec_sel_hash, ipss->ipsec_spd_hashsize *
461 461 sizeof (*ipss->ipsec_sel_hash));
462 462 ipss->ipsec_sel_hash = NULL;
463 463 ipss->ipsec_spd_hashsize = 0;
464 464 }
465 465 ipsec_polhead_free_table(&ipss->ipsec_system_policy);
466 466 ipsec_polhead_free_table(&ipss->ipsec_inactive_policy);
467 467
468 468 return (ENOMEM);
469 469 }
470 470
471 471 /*
472 472 * Attempt to allocate the tables in a single policy head.
473 473 * Return nonzero on failure after cleaning up any work in progress.
474 474 */
475 475 int
476 476 ipsec_alloc_table(ipsec_policy_head_t *iph, int nchains, int kmflag,
477 477 boolean_t global_cleanup, netstack_t *ns)
478 478 {
479 479 int dir;
480 480
481 481 for (dir = 0; dir < IPSEC_NTYPES; dir++) {
482 482 ipsec_policy_root_t *ipr = &iph->iph_root[dir];
483 483
484 484 ipr->ipr_nchains = nchains;
485 485 ipr->ipr_hash = kmem_zalloc(nchains *
486 486 sizeof (ipsec_policy_hash_t), kmflag);
487 487 if (ipr->ipr_hash == NULL)
488 488 return (global_cleanup ?
489 489 ipsec_free_tables(ns->netstack_ipsec) :
490 490 ENOMEM);
491 491 }
492 492 return (0);
493 493 }
494 494
495 495 /*
496 496 * Attempt to allocate the various tables. Return nonzero on failure
497 497 * after cleaning up any work in progress.
498 498 */
499 499 static int
500 500 ipsec_alloc_tables(int kmflag, netstack_t *ns)
501 501 {
502 502 int error;
503 503 ipsec_stack_t *ipss = ns->netstack_ipsec;
504 504
505 505 error = ipsec_alloc_table(&ipss->ipsec_system_policy,
506 506 ipss->ipsec_spd_hashsize, kmflag, B_TRUE, ns);
507 507 if (error != 0)
508 508 return (error);
509 509
510 510 error = ipsec_alloc_table(&ipss->ipsec_inactive_policy,
511 511 ipss->ipsec_spd_hashsize, kmflag, B_TRUE, ns);
512 512 if (error != 0)
513 513 return (error);
514 514
515 515 ipss->ipsec_sel_hash = kmem_zalloc(ipss->ipsec_spd_hashsize *
516 516 sizeof (*ipss->ipsec_sel_hash), kmflag);
517 517
518 518 if (ipss->ipsec_sel_hash == NULL)
519 519 return (ipsec_free_tables(ipss));
520 520
521 521 return (0);
522 522 }
523 523
524 524 /*
525 525 * After table allocation, initialize a policy head.
526 526 */
527 527 void
528 528 ipsec_polhead_init(ipsec_policy_head_t *iph, int nchains)
529 529 {
530 530 int dir, chain;
531 531
532 532 rw_init(&iph->iph_lock, NULL, RW_DEFAULT, NULL);
533 533 avl_create(&iph->iph_rulebyid, ipsec_policy_cmpbyid,
534 534 sizeof (ipsec_policy_t), offsetof(ipsec_policy_t, ipsp_byid));
535 535
536 536 for (dir = 0; dir < IPSEC_NTYPES; dir++) {
537 537 ipsec_policy_root_t *ipr = &iph->iph_root[dir];
538 538 ipr->ipr_nchains = nchains;
539 539
540 540 for (chain = 0; chain < nchains; chain++) {
541 541 mutex_init(&(ipr->ipr_hash[chain].hash_lock),
542 542 NULL, MUTEX_DEFAULT, NULL);
543 543 }
544 544 }
545 545 }
546 546
547 547 static boolean_t
548 548 ipsec_kstat_init(ipsec_stack_t *ipss)
549 549 {
550 550 ipss->ipsec_ksp = kstat_create_netstack("ip", 0, "ipsec_stat", "net",
551 551 KSTAT_TYPE_NAMED, sizeof (ipsec_kstats_t) / sizeof (kstat_named_t),
552 552 KSTAT_FLAG_PERSISTENT, ipss->ipsec_netstack->netstack_stackid);
553 553
554 554 if (ipss->ipsec_ksp == NULL || ipss->ipsec_ksp->ks_data == NULL)
555 555 return (B_FALSE);
556 556
557 557 ipss->ipsec_kstats = ipss->ipsec_ksp->ks_data;
558 558
559 559 #define KI(x) kstat_named_init(&ipss->ipsec_kstats->x, #x, KSTAT_DATA_UINT64)
560 560 KI(esp_stat_in_requests);
561 561 KI(esp_stat_in_discards);
562 562 KI(esp_stat_lookup_failure);
563 563 KI(ah_stat_in_requests);
564 564 KI(ah_stat_in_discards);
565 565 KI(ah_stat_lookup_failure);
566 566 KI(sadb_acquire_maxpackets);
567 567 KI(sadb_acquire_qhiwater);
568 568 #undef KI
569 569
570 570 kstat_install(ipss->ipsec_ksp);
571 571 return (B_TRUE);
572 572 }
573 573
574 574 static void
575 575 ipsec_kstat_destroy(ipsec_stack_t *ipss)
576 576 {
577 577 kstat_delete_netstack(ipss->ipsec_ksp,
578 578 ipss->ipsec_netstack->netstack_stackid);
579 579 ipss->ipsec_kstats = NULL;
580 580
581 581 }
582 582
583 583 /*
584 584 * Initialize the IPsec stack instance.
585 585 */
586 586 /* ARGSUSED */
587 587 static void *
588 588 ipsec_stack_init(netstackid_t stackid, netstack_t *ns)
589 589 {
590 590 ipsec_stack_t *ipss;
591 591 int i;
592 592
593 593 ipss = (ipsec_stack_t *)kmem_zalloc(sizeof (*ipss), KM_SLEEP);
594 594 ipss->ipsec_netstack = ns;
595 595
596 596 /*
597 597 * FIXME: netstack_ipsec is used by some of the routines we call
598 598 * below, but it isn't set until this routine returns.
599 599 * Either we introduce optional xxx_stack_alloc() functions
600 600 * that will be called by the netstack framework before xxx_stack_init,
601 601 * or we switch spd.c and sadb.c to operate on ipsec_stack_t
602 602 * (latter has some include file order issues for sadb.h, but makes
603 603 * sense if we merge some of the ipsec related stack_t's together.
604 604 */
605 605 ns->netstack_ipsec = ipss;
606 606
607 607 /*
608 608 * Make two attempts to allocate policy hash tables; try it at
609 609 * the "preferred" size (may be set in /etc/system) first,
610 610 * then fall back to the default size.
611 611 */
612 612 ipss->ipsec_spd_hashsize = (ipsec_spd_hashsize == 0) ?
613 613 IPSEC_SPDHASH_DEFAULT : ipsec_spd_hashsize;
614 614
615 615 if (ipsec_alloc_tables(KM_NOSLEEP, ns) != 0) {
616 616 cmn_err(CE_WARN,
617 617 "Unable to allocate %d entry IPsec policy hash table",
618 618 ipss->ipsec_spd_hashsize);
619 619 ipss->ipsec_spd_hashsize = IPSEC_SPDHASH_DEFAULT;
620 620 cmn_err(CE_WARN, "Falling back to %d entries",
621 621 ipss->ipsec_spd_hashsize);
622 622 (void) ipsec_alloc_tables(KM_SLEEP, ns);
623 623 }
624 624
625 625 /* Just set a default for tunnels. */
626 626 ipss->ipsec_tun_spd_hashsize = (tun_spd_hashsize == 0) ?
627 627 TUN_SPDHASH_DEFAULT : tun_spd_hashsize;
628 628
629 629 ipsid_init(ns);
630 630 /*
631 631 * Globals need ref == 1 to prevent IPPH_REFRELE() from attempting
632 632 * to free them.
633 633 */
634 634 ipss->ipsec_system_policy.iph_refs = 1;
635 635 ipss->ipsec_inactive_policy.iph_refs = 1;
636 636 ipsec_polhead_init(&ipss->ipsec_system_policy,
637 637 ipss->ipsec_spd_hashsize);
638 638 ipsec_polhead_init(&ipss->ipsec_inactive_policy,
639 639 ipss->ipsec_spd_hashsize);
640 640 rw_init(&ipss->ipsec_tunnel_policy_lock, NULL, RW_DEFAULT, NULL);
641 641 avl_create(&ipss->ipsec_tunnel_policies, tunnel_compare,
642 642 sizeof (ipsec_tun_pol_t), 0);
643 643
644 644 ipss->ipsec_next_policy_index = 1;
645 645
646 646 rw_init(&ipss->ipsec_system_policy.iph_lock, NULL, RW_DEFAULT, NULL);
647 647 rw_init(&ipss->ipsec_inactive_policy.iph_lock, NULL, RW_DEFAULT, NULL);
648 648
649 649 for (i = 0; i < IPSEC_ACTION_HASH_SIZE; i++)
650 650 mutex_init(&(ipss->ipsec_action_hash[i].hash_lock),
651 651 NULL, MUTEX_DEFAULT, NULL);
652 652
653 653 for (i = 0; i < ipss->ipsec_spd_hashsize; i++)
654 654 mutex_init(&(ipss->ipsec_sel_hash[i].hash_lock),
655 655 NULL, MUTEX_DEFAULT, NULL);
656 656
657 657 mutex_init(&ipss->ipsec_alg_lock, NULL, MUTEX_DEFAULT, NULL);
658 658 for (i = 0; i < IPSEC_NALGTYPES; i++) {
659 659 ipss->ipsec_nalgs[i] = 0;
660 660 }
661 661
662 662 ip_drop_init(ipss);
663 663 ip_drop_register(&ipss->ipsec_spd_dropper, "IPsec SPD");
664 664
665 665 /* IP's IPsec code calls the packet dropper */
666 666 ip_drop_register(&ipss->ipsec_dropper, "IP IPsec processing");
667 667
668 668 (void) ipsec_kstat_init(ipss);
669 669
670 670 ipsec_loader_init(ipss);
671 671 ipsec_loader_start(ipss);
672 672
673 673 return (ipss);
674 674 }
675 675
676 676 /* Global across all stack instances */
677 677 void
678 678 ipsec_policy_g_init(void)
679 679 {
680 680 ipsec_action_cache = kmem_cache_create("ipsec_actions",
681 681 sizeof (ipsec_action_t), _POINTER_ALIGNMENT, NULL, NULL,
682 682 ipsec_action_reclaim, NULL, NULL, 0);
683 683 ipsec_sel_cache = kmem_cache_create("ipsec_selectors",
684 684 sizeof (ipsec_sel_t), _POINTER_ALIGNMENT, NULL, NULL,
685 685 NULL, NULL, NULL, 0);
686 686 ipsec_pol_cache = kmem_cache_create("ipsec_policy",
687 687 sizeof (ipsec_policy_t), _POINTER_ALIGNMENT, NULL, NULL,
688 688 NULL, NULL, NULL, 0);
689 689
690 690 /*
691 691 * We want to be informed each time a stack is created or
692 692 * destroyed in the kernel, so we can maintain the
693 693 * set of ipsec_stack_t's.
694 694 */
695 695 netstack_register(NS_IPSEC, ipsec_stack_init, NULL, ipsec_stack_fini);
696 696 }
697 697
698 698 /*
699 699 * Sort algorithm lists.
700 700 *
701 701 * I may need to split this based on
702 702 * authentication/encryption, and I may wish to have an administrator
703 703 * configure this list. Hold on to some NDD variables...
704 704 *
705 705 * XXX For now, sort on minimum key size (GAG!). While minimum key size is
706 706 * not the ideal metric, it's the only quantifiable measure available.
707 707 * We need a better metric for sorting algorithms by preference.
708 708 */
709 709 static void
710 710 alg_insert_sortlist(enum ipsec_algtype at, uint8_t algid, netstack_t *ns)
711 711 {
712 712 ipsec_stack_t *ipss = ns->netstack_ipsec;
713 713 ipsec_alginfo_t *ai = ipss->ipsec_alglists[at][algid];
714 714 uint8_t holder, swap;
715 715 uint_t i;
716 716 uint_t count = ipss->ipsec_nalgs[at];
717 717 ASSERT(ai != NULL);
718 718 ASSERT(algid == ai->alg_id);
719 719
720 720 ASSERT(MUTEX_HELD(&ipss->ipsec_alg_lock));
721 721
722 722 holder = algid;
723 723
724 724 for (i = 0; i < count - 1; i++) {
725 725 ipsec_alginfo_t *alt;
726 726
727 727 alt = ipss->ipsec_alglists[at][ipss->ipsec_sortlist[at][i]];
728 728 /*
729 729 * If you want to give precedence to newly added algs,
730 730 * add the = in the > comparison.
731 731 */
732 732 if ((holder != algid) || (ai->alg_minbits > alt->alg_minbits)) {
733 733 /* Swap sortlist[i] and holder. */
734 734 swap = ipss->ipsec_sortlist[at][i];
735 735 ipss->ipsec_sortlist[at][i] = holder;
736 736 holder = swap;
737 737 ai = alt;
738 738 } /* Else just continue. */
739 739 }
740 740
741 741 /* Store holder in last slot. */
742 742 ipss->ipsec_sortlist[at][i] = holder;
743 743 }
744 744
745 745 /*
746 746 * Remove an algorithm from a sorted algorithm list.
747 747 * This should be considerably easier, even with complex sorting.
748 748 */
749 749 static void
750 750 alg_remove_sortlist(enum ipsec_algtype at, uint8_t algid, netstack_t *ns)
751 751 {
752 752 boolean_t copyback = B_FALSE;
753 753 int i;
754 754 ipsec_stack_t *ipss = ns->netstack_ipsec;
755 755 int newcount = ipss->ipsec_nalgs[at];
756 756
757 757 ASSERT(MUTEX_HELD(&ipss->ipsec_alg_lock));
758 758
759 759 for (i = 0; i <= newcount; i++) {
760 760 if (copyback) {
761 761 ipss->ipsec_sortlist[at][i-1] =
762 762 ipss->ipsec_sortlist[at][i];
763 763 } else if (ipss->ipsec_sortlist[at][i] == algid) {
764 764 copyback = B_TRUE;
765 765 }
766 766 }
767 767 }
768 768
769 769 /*
770 770 * Add the specified algorithm to the algorithm tables.
771 771 * Must be called while holding the algorithm table writer lock.
772 772 */
773 773 void
774 774 ipsec_alg_reg(ipsec_algtype_t algtype, ipsec_alginfo_t *alg, netstack_t *ns)
775 775 {
776 776 ipsec_stack_t *ipss = ns->netstack_ipsec;
777 777
778 778 ASSERT(MUTEX_HELD(&ipss->ipsec_alg_lock));
779 779
780 780 ASSERT(ipss->ipsec_alglists[algtype][alg->alg_id] == NULL);
781 781 ipsec_alg_fix_min_max(alg, algtype, ns);
782 782 ipss->ipsec_alglists[algtype][alg->alg_id] = alg;
783 783
784 784 ipss->ipsec_nalgs[algtype]++;
785 785 alg_insert_sortlist(algtype, alg->alg_id, ns);
786 786 }
787 787
788 788 /*
789 789 * Remove the specified algorithm from the algorithm tables.
790 790 * Must be called while holding the algorithm table writer lock.
791 791 */
792 792 void
793 793 ipsec_alg_unreg(ipsec_algtype_t algtype, uint8_t algid, netstack_t *ns)
794 794 {
795 795 ipsec_stack_t *ipss = ns->netstack_ipsec;
796 796
797 797 ASSERT(MUTEX_HELD(&ipss->ipsec_alg_lock));
798 798
799 799 ASSERT(ipss->ipsec_alglists[algtype][algid] != NULL);
800 800 ipsec_alg_free(ipss->ipsec_alglists[algtype][algid]);
801 801 ipss->ipsec_alglists[algtype][algid] = NULL;
802 802
803 803 ipss->ipsec_nalgs[algtype]--;
804 804 alg_remove_sortlist(algtype, algid, ns);
805 805 }
806 806
807 807 /*
808 808 * Hooks for spdsock to get a grip on system policy.
809 809 */
810 810
811 811 ipsec_policy_head_t *
812 812 ipsec_system_policy(netstack_t *ns)
813 813 {
814 814 ipsec_stack_t *ipss = ns->netstack_ipsec;
815 815 ipsec_policy_head_t *h = &ipss->ipsec_system_policy;
816 816
817 817 IPPH_REFHOLD(h);
818 818 return (h);
819 819 }
820 820
821 821 ipsec_policy_head_t *
822 822 ipsec_inactive_policy(netstack_t *ns)
823 823 {
824 824 ipsec_stack_t *ipss = ns->netstack_ipsec;
825 825 ipsec_policy_head_t *h = &ipss->ipsec_inactive_policy;
826 826
827 827 IPPH_REFHOLD(h);
828 828 return (h);
829 829 }
830 830
831 831 /*
832 832 * Lock inactive policy, then active policy, then exchange policy root
833 833 * pointers.
834 834 */
835 835 void
836 836 ipsec_swap_policy(ipsec_policy_head_t *active, ipsec_policy_head_t *inactive,
837 837 netstack_t *ns)
838 838 {
839 839 int af, dir;
840 840 avl_tree_t r1, r2;
841 841
842 842 rw_enter(&inactive->iph_lock, RW_WRITER);
843 843 rw_enter(&active->iph_lock, RW_WRITER);
844 844
845 845 r1 = active->iph_rulebyid;
846 846 r2 = inactive->iph_rulebyid;
847 847 active->iph_rulebyid = r2;
848 848 inactive->iph_rulebyid = r1;
849 849
850 850 for (dir = 0; dir < IPSEC_NTYPES; dir++) {
851 851 ipsec_policy_hash_t *h1, *h2;
852 852
853 853 h1 = active->iph_root[dir].ipr_hash;
854 854 h2 = inactive->iph_root[dir].ipr_hash;
855 855 active->iph_root[dir].ipr_hash = h2;
856 856 inactive->iph_root[dir].ipr_hash = h1;
857 857
858 858 for (af = 0; af < IPSEC_NAF; af++) {
859 859 ipsec_policy_t *t1, *t2;
860 860
861 861 t1 = active->iph_root[dir].ipr_nonhash[af];
862 862 t2 = inactive->iph_root[dir].ipr_nonhash[af];
863 863 active->iph_root[dir].ipr_nonhash[af] = t2;
864 864 inactive->iph_root[dir].ipr_nonhash[af] = t1;
865 865 if (t1 != NULL) {
866 866 t1->ipsp_hash.hash_pp =
867 867 &(inactive->iph_root[dir].ipr_nonhash[af]);
868 868 }
869 869 if (t2 != NULL) {
870 870 t2->ipsp_hash.hash_pp =
871 871 &(active->iph_root[dir].ipr_nonhash[af]);
872 872 }
873 873
874 874 }
875 875 }
876 876 active->iph_gen++;
877 877 inactive->iph_gen++;
878 878 ipsec_update_present_flags(ns->netstack_ipsec);
879 879 rw_exit(&active->iph_lock);
880 880 rw_exit(&inactive->iph_lock);
881 881 }
882 882
883 883 /*
884 884 * Swap global policy primary/secondary.
885 885 */
886 886 void
887 887 ipsec_swap_global_policy(netstack_t *ns)
888 888 {
889 889 ipsec_stack_t *ipss = ns->netstack_ipsec;
890 890
891 891 ipsec_swap_policy(&ipss->ipsec_system_policy,
892 892 &ipss->ipsec_inactive_policy, ns);
893 893 }
894 894
895 895 /*
896 896 * Clone one policy rule..
897 897 */
898 898 static ipsec_policy_t *
899 899 ipsec_copy_policy(const ipsec_policy_t *src)
900 900 {
901 901 ipsec_policy_t *dst = kmem_cache_alloc(ipsec_pol_cache, KM_NOSLEEP);
902 902
903 903 if (dst == NULL)
904 904 return (NULL);
905 905
906 906 /*
907 907 * Adjust refcounts of cloned state.
908 908 */
909 909 IPACT_REFHOLD(src->ipsp_act);
910 910 src->ipsp_sel->ipsl_refs++;
911 911
912 912 HASH_NULL(dst, ipsp_hash);
913 913 dst->ipsp_netstack = src->ipsp_netstack;
914 914 dst->ipsp_refs = 1;
915 915 dst->ipsp_sel = src->ipsp_sel;
916 916 dst->ipsp_act = src->ipsp_act;
917 917 dst->ipsp_prio = src->ipsp_prio;
918 918 dst->ipsp_index = src->ipsp_index;
919 919
920 920 return (dst);
921 921 }
922 922
923 923 void
924 924 ipsec_insert_always(avl_tree_t *tree, void *new_node)
925 925 {
926 926 void *node;
927 927 avl_index_t where;
928 928
929 929 node = avl_find(tree, new_node, &where);
930 930 ASSERT(node == NULL);
931 931 avl_insert(tree, new_node, where);
932 932 }
933 933
934 934
935 935 static int
936 936 ipsec_copy_chain(ipsec_policy_head_t *dph, ipsec_policy_t *src,
937 937 ipsec_policy_t **dstp)
938 938 {
939 939 for (; src != NULL; src = src->ipsp_hash.hash_next) {
940 940 ipsec_policy_t *dst = ipsec_copy_policy(src);
941 941 if (dst == NULL)
942 942 return (ENOMEM);
943 943
944 944 HASHLIST_INSERT(dst, ipsp_hash, *dstp);
945 945 ipsec_insert_always(&dph->iph_rulebyid, dst);
946 946 }
947 947 return (0);
948 948 }
949 949
950 950
951 951
952 952 /*
953 953 * Make one policy head look exactly like another.
954 954 *
955 955 * As with ipsec_swap_policy, we lock the destination policy head first, then
956 956 * the source policy head. Note that we only need to read-lock the source
957 957 * policy head as we are not changing it.
958 958 */
959 959 int
960 960 ipsec_copy_polhead(ipsec_policy_head_t *sph, ipsec_policy_head_t *dph,
961 961 netstack_t *ns)
962 962 {
963 963 int af, dir, chain, nchains;
964 964
965 965 rw_enter(&dph->iph_lock, RW_WRITER);
966 966
967 967 ipsec_polhead_flush(dph, ns);
968 968
969 969 rw_enter(&sph->iph_lock, RW_READER);
970 970
971 971 for (dir = 0; dir < IPSEC_NTYPES; dir++) {
972 972 ipsec_policy_root_t *dpr = &dph->iph_root[dir];
973 973 ipsec_policy_root_t *spr = &sph->iph_root[dir];
974 974 nchains = dpr->ipr_nchains;
975 975
976 976 ASSERT(dpr->ipr_nchains == spr->ipr_nchains);
977 977
978 978 for (af = 0; af < IPSEC_NAF; af++) {
979 979 if (ipsec_copy_chain(dph, spr->ipr_nonhash[af],
980 980 &dpr->ipr_nonhash[af]))
981 981 goto abort_copy;
982 982 }
983 983
984 984 for (chain = 0; chain < nchains; chain++) {
985 985 if (ipsec_copy_chain(dph,
986 986 spr->ipr_hash[chain].hash_head,
987 987 &dpr->ipr_hash[chain].hash_head))
988 988 goto abort_copy;
989 989 }
990 990 }
991 991
992 992 dph->iph_gen++;
993 993
994 994 rw_exit(&sph->iph_lock);
995 995 rw_exit(&dph->iph_lock);
996 996 return (0);
997 997
998 998 abort_copy:
999 999 ipsec_polhead_flush(dph, ns);
1000 1000 rw_exit(&sph->iph_lock);
1001 1001 rw_exit(&dph->iph_lock);
1002 1002 return (ENOMEM);
1003 1003 }
1004 1004
1005 1005 /*
1006 1006 * Clone currently active policy to the inactive policy list.
1007 1007 */
1008 1008 int
1009 1009 ipsec_clone_system_policy(netstack_t *ns)
1010 1010 {
1011 1011 ipsec_stack_t *ipss = ns->netstack_ipsec;
1012 1012
1013 1013 return (ipsec_copy_polhead(&ipss->ipsec_system_policy,
1014 1014 &ipss->ipsec_inactive_policy, ns));
1015 1015 }
1016 1016
1017 1017 /*
1018 1018 * Extract the string from ipsec_policy_failure_msgs[type] and
1019 1019 * log it.
1020 1020 *
1021 1021 */
1022 1022 void
1023 1023 ipsec_log_policy_failure(int type, char *func_name, ipha_t *ipha, ip6_t *ip6h,
1024 1024 boolean_t secure, netstack_t *ns)
1025 1025 {
1026 1026 char sbuf[INET6_ADDRSTRLEN];
1027 1027 char dbuf[INET6_ADDRSTRLEN];
1028 1028 char *s;
1029 1029 char *d;
1030 1030 ipsec_stack_t *ipss = ns->netstack_ipsec;
1031 1031
1032 1032 ASSERT((ipha == NULL && ip6h != NULL) ||
1033 1033 (ip6h == NULL && ipha != NULL));
1034 1034
1035 1035 if (ipha != NULL) {
1036 1036 s = inet_ntop(AF_INET, &ipha->ipha_src, sbuf, sizeof (sbuf));
1037 1037 d = inet_ntop(AF_INET, &ipha->ipha_dst, dbuf, sizeof (dbuf));
1038 1038 } else {
1039 1039 s = inet_ntop(AF_INET6, &ip6h->ip6_src, sbuf, sizeof (sbuf));
1040 1040 d = inet_ntop(AF_INET6, &ip6h->ip6_dst, dbuf, sizeof (dbuf));
1041 1041
1042 1042 }
1043 1043
1044 1044 /* Always bump the policy failure counter. */
1045 1045 ipss->ipsec_policy_failure_count[type]++;
1046 1046
1047 1047 ipsec_rl_strlog(ns, IP_MOD_ID, 0, 0, SL_ERROR|SL_WARN|SL_CONSOLE,
1048 1048 ipsec_policy_failure_msgs[type], func_name,
1049 1049 (secure ? "secure" : "not secure"), s, d);
1050 1050 }
1051 1051
1052 1052 /*
1053 1053 * Rate-limiting front-end to strlog() for AH and ESP. Uses the ndd variables
1054 1054 * in /dev/ip and the same rate-limiting clock so that there's a single
1055 1055 * knob to turn to throttle the rate of messages.
1056 1056 */
1057 1057 void
1058 1058 ipsec_rl_strlog(netstack_t *ns, short mid, short sid, char level, ushort_t sl,
1059 1059 char *fmt, ...)
1060 1060 {
1061 1061 va_list adx;
1062 1062 hrtime_t current = gethrtime();
1063 1063 ip_stack_t *ipst = ns->netstack_ip;
1064 1064 ipsec_stack_t *ipss = ns->netstack_ipsec;
1065 1065
|
↓ open down ↓ |
1065 lines elided |
↑ open up ↑ |
1066 1066 sl |= SL_CONSOLE;
1067 1067 /*
1068 1068 * Throttle logging to stop syslog from being swamped. If variable
1069 1069 * 'ipsec_policy_log_interval' is zero, don't log any messages at
1070 1070 * all, otherwise log only one message every 'ipsec_policy_log_interval'
1071 1071 * msec. Convert interval (in msec) to hrtime (in nsec).
1072 1072 */
1073 1073
1074 1074 if (ipst->ips_ipsec_policy_log_interval) {
1075 1075 if (ipss->ipsec_policy_failure_last +
1076 - ((hrtime_t)ipst->ips_ipsec_policy_log_interval *
1077 - (hrtime_t)1000000) <= current) {
1076 + MSEC2NSEC(ipst->ips_ipsec_policy_log_interval) <= current) {
1078 1077 va_start(adx, fmt);
1079 1078 (void) vstrlog(mid, sid, level, sl, fmt, adx);
1080 1079 va_end(adx);
1081 1080 ipss->ipsec_policy_failure_last = current;
1082 1081 }
1083 1082 }
1084 1083 }
1085 1084
1086 1085 void
1087 1086 ipsec_config_flush(netstack_t *ns)
1088 1087 {
1089 1088 ipsec_stack_t *ipss = ns->netstack_ipsec;
1090 1089
1091 1090 rw_enter(&ipss->ipsec_system_policy.iph_lock, RW_WRITER);
1092 1091 ipsec_polhead_flush(&ipss->ipsec_system_policy, ns);
1093 1092 ipss->ipsec_next_policy_index = 1;
1094 1093 rw_exit(&ipss->ipsec_system_policy.iph_lock);
1095 1094 ipsec_action_reclaim_stack(ipss);
1096 1095 }
1097 1096
1098 1097 /*
1099 1098 * Clip a policy's min/max keybits vs. the capabilities of the
1100 1099 * algorithm.
1101 1100 */
1102 1101 static void
1103 1102 act_alg_adjust(uint_t algtype, uint_t algid,
1104 1103 uint16_t *minbits, uint16_t *maxbits, netstack_t *ns)
1105 1104 {
1106 1105 ipsec_stack_t *ipss = ns->netstack_ipsec;
1107 1106 ipsec_alginfo_t *algp = ipss->ipsec_alglists[algtype][algid];
1108 1107
1109 1108 if (algp != NULL) {
1110 1109 /*
1111 1110 * If passed-in minbits is zero, we assume the caller trusts
1112 1111 * us with setting the minimum key size. We pick the
1113 1112 * algorithms DEFAULT key size for the minimum in this case.
1114 1113 */
1115 1114 if (*minbits == 0) {
1116 1115 *minbits = algp->alg_default_bits;
1117 1116 ASSERT(*minbits >= algp->alg_minbits);
1118 1117 } else {
1119 1118 *minbits = MAX(MIN(*minbits, algp->alg_maxbits),
1120 1119 algp->alg_minbits);
1121 1120 }
1122 1121 if (*maxbits == 0)
1123 1122 *maxbits = algp->alg_maxbits;
1124 1123 else
1125 1124 *maxbits = MIN(MAX(*maxbits, algp->alg_minbits),
1126 1125 algp->alg_maxbits);
1127 1126 ASSERT(*minbits <= *maxbits);
1128 1127 } else {
1129 1128 *minbits = 0;
1130 1129 *maxbits = 0;
1131 1130 }
1132 1131 }
1133 1132
1134 1133 /*
1135 1134 * Check an action's requested algorithms against the algorithms currently
1136 1135 * loaded in the system.
1137 1136 */
1138 1137 boolean_t
1139 1138 ipsec_check_action(ipsec_act_t *act, int *diag, netstack_t *ns)
1140 1139 {
1141 1140 ipsec_prot_t *ipp;
1142 1141 ipsec_stack_t *ipss = ns->netstack_ipsec;
1143 1142
1144 1143 ipp = &act->ipa_apply;
1145 1144
1146 1145 if (ipp->ipp_use_ah &&
1147 1146 ipss->ipsec_alglists[IPSEC_ALG_AUTH][ipp->ipp_auth_alg] == NULL) {
1148 1147 *diag = SPD_DIAGNOSTIC_UNSUPP_AH_ALG;
1149 1148 return (B_FALSE);
1150 1149 }
1151 1150 if (ipp->ipp_use_espa &&
1152 1151 ipss->ipsec_alglists[IPSEC_ALG_AUTH][ipp->ipp_esp_auth_alg] ==
1153 1152 NULL) {
1154 1153 *diag = SPD_DIAGNOSTIC_UNSUPP_ESP_AUTH_ALG;
1155 1154 return (B_FALSE);
1156 1155 }
1157 1156 if (ipp->ipp_use_esp &&
1158 1157 ipss->ipsec_alglists[IPSEC_ALG_ENCR][ipp->ipp_encr_alg] == NULL) {
1159 1158 *diag = SPD_DIAGNOSTIC_UNSUPP_ESP_ENCR_ALG;
1160 1159 return (B_FALSE);
1161 1160 }
1162 1161
1163 1162 act_alg_adjust(IPSEC_ALG_AUTH, ipp->ipp_auth_alg,
1164 1163 &ipp->ipp_ah_minbits, &ipp->ipp_ah_maxbits, ns);
1165 1164 act_alg_adjust(IPSEC_ALG_AUTH, ipp->ipp_esp_auth_alg,
1166 1165 &ipp->ipp_espa_minbits, &ipp->ipp_espa_maxbits, ns);
1167 1166 act_alg_adjust(IPSEC_ALG_ENCR, ipp->ipp_encr_alg,
1168 1167 &ipp->ipp_espe_minbits, &ipp->ipp_espe_maxbits, ns);
1169 1168
1170 1169 if (ipp->ipp_ah_minbits > ipp->ipp_ah_maxbits) {
1171 1170 *diag = SPD_DIAGNOSTIC_UNSUPP_AH_KEYSIZE;
1172 1171 return (B_FALSE);
1173 1172 }
1174 1173 if (ipp->ipp_espa_minbits > ipp->ipp_espa_maxbits) {
1175 1174 *diag = SPD_DIAGNOSTIC_UNSUPP_ESP_AUTH_KEYSIZE;
1176 1175 return (B_FALSE);
1177 1176 }
1178 1177 if (ipp->ipp_espe_minbits > ipp->ipp_espe_maxbits) {
1179 1178 *diag = SPD_DIAGNOSTIC_UNSUPP_ESP_ENCR_KEYSIZE;
1180 1179 return (B_FALSE);
1181 1180 }
1182 1181 /* TODO: sanity check lifetimes */
1183 1182 return (B_TRUE);
1184 1183 }
1185 1184
1186 1185 /*
1187 1186 * Set up a single action during wildcard expansion..
1188 1187 */
1189 1188 static void
1190 1189 ipsec_setup_act(ipsec_act_t *outact, ipsec_act_t *act,
1191 1190 uint_t auth_alg, uint_t encr_alg, uint_t eauth_alg, netstack_t *ns)
1192 1191 {
1193 1192 ipsec_prot_t *ipp;
1194 1193
1195 1194 *outact = *act;
1196 1195 ipp = &outact->ipa_apply;
1197 1196 ipp->ipp_auth_alg = (uint8_t)auth_alg;
1198 1197 ipp->ipp_encr_alg = (uint8_t)encr_alg;
1199 1198 ipp->ipp_esp_auth_alg = (uint8_t)eauth_alg;
1200 1199
1201 1200 act_alg_adjust(IPSEC_ALG_AUTH, auth_alg,
1202 1201 &ipp->ipp_ah_minbits, &ipp->ipp_ah_maxbits, ns);
1203 1202 act_alg_adjust(IPSEC_ALG_AUTH, eauth_alg,
1204 1203 &ipp->ipp_espa_minbits, &ipp->ipp_espa_maxbits, ns);
1205 1204 act_alg_adjust(IPSEC_ALG_ENCR, encr_alg,
1206 1205 &ipp->ipp_espe_minbits, &ipp->ipp_espe_maxbits, ns);
1207 1206 }
1208 1207
1209 1208 /*
1210 1209 * combinatoric expansion time: expand a wildcarded action into an
1211 1210 * array of wildcarded actions; we return the exploded action list,
1212 1211 * and return a count in *nact (output only).
1213 1212 */
1214 1213 static ipsec_act_t *
1215 1214 ipsec_act_wildcard_expand(ipsec_act_t *act, uint_t *nact, netstack_t *ns)
1216 1215 {
1217 1216 boolean_t use_ah, use_esp, use_espa;
1218 1217 boolean_t wild_auth, wild_encr, wild_eauth;
1219 1218 uint_t auth_alg, auth_idx, auth_min, auth_max;
1220 1219 uint_t eauth_alg, eauth_idx, eauth_min, eauth_max;
1221 1220 uint_t encr_alg, encr_idx, encr_min, encr_max;
1222 1221 uint_t action_count, ai;
1223 1222 ipsec_act_t *outact;
1224 1223 ipsec_stack_t *ipss = ns->netstack_ipsec;
1225 1224
1226 1225 if (act->ipa_type != IPSEC_ACT_APPLY) {
1227 1226 outact = kmem_alloc(sizeof (*act), KM_NOSLEEP);
1228 1227 *nact = 1;
1229 1228 if (outact != NULL)
1230 1229 bcopy(act, outact, sizeof (*act));
1231 1230 return (outact);
1232 1231 }
1233 1232 /*
1234 1233 * compute the combinatoric explosion..
1235 1234 *
1236 1235 * we assume a request for encr if esp_req is PREF_REQUIRED
1237 1236 * we assume a request for ah auth if ah_req is PREF_REQUIRED.
1238 1237 * we assume a request for esp auth if !ah and esp_req is PREF_REQUIRED
1239 1238 */
1240 1239
1241 1240 use_ah = act->ipa_apply.ipp_use_ah;
1242 1241 use_esp = act->ipa_apply.ipp_use_esp;
1243 1242 use_espa = act->ipa_apply.ipp_use_espa;
1244 1243 auth_alg = act->ipa_apply.ipp_auth_alg;
1245 1244 eauth_alg = act->ipa_apply.ipp_esp_auth_alg;
1246 1245 encr_alg = act->ipa_apply.ipp_encr_alg;
1247 1246
1248 1247 wild_auth = use_ah && (auth_alg == 0);
1249 1248 wild_eauth = use_espa && (eauth_alg == 0);
1250 1249 wild_encr = use_esp && (encr_alg == 0);
1251 1250
1252 1251 action_count = 1;
1253 1252 auth_min = auth_max = auth_alg;
1254 1253 eauth_min = eauth_max = eauth_alg;
1255 1254 encr_min = encr_max = encr_alg;
1256 1255
1257 1256 /*
1258 1257 * set up for explosion.. for each dimension, expand output
1259 1258 * size by the explosion factor.
1260 1259 *
1261 1260 * Don't include the "any" algorithms, if defined, as no
1262 1261 * kernel policies should be set for these algorithms.
1263 1262 */
1264 1263
1265 1264 #define SET_EXP_MINMAX(type, wild, alg, min, max, ipss) \
1266 1265 if (wild) { \
1267 1266 int nalgs = ipss->ipsec_nalgs[type]; \
1268 1267 if (ipss->ipsec_alglists[type][alg] != NULL) \
1269 1268 nalgs--; \
1270 1269 action_count *= nalgs; \
1271 1270 min = 0; \
1272 1271 max = ipss->ipsec_nalgs[type] - 1; \
1273 1272 }
1274 1273
1275 1274 SET_EXP_MINMAX(IPSEC_ALG_AUTH, wild_auth, SADB_AALG_NONE,
1276 1275 auth_min, auth_max, ipss);
1277 1276 SET_EXP_MINMAX(IPSEC_ALG_AUTH, wild_eauth, SADB_AALG_NONE,
1278 1277 eauth_min, eauth_max, ipss);
1279 1278 SET_EXP_MINMAX(IPSEC_ALG_ENCR, wild_encr, SADB_EALG_NONE,
1280 1279 encr_min, encr_max, ipss);
1281 1280
1282 1281 #undef SET_EXP_MINMAX
1283 1282
1284 1283 /*
1285 1284 * ok, allocate the whole mess..
1286 1285 */
1287 1286
1288 1287 outact = kmem_alloc(sizeof (*outact) * action_count, KM_NOSLEEP);
1289 1288 if (outact == NULL)
1290 1289 return (NULL);
1291 1290
1292 1291 /*
1293 1292 * Now compute all combinations. Note that non-wildcarded
1294 1293 * dimensions just get a single value from auth_min, while
1295 1294 * wildcarded dimensions indirect through the sortlist.
1296 1295 *
1297 1296 * We do encryption outermost since, at this time, there's
1298 1297 * greater difference in security and performance between
1299 1298 * encryption algorithms vs. authentication algorithms.
1300 1299 */
1301 1300
1302 1301 ai = 0;
1303 1302
1304 1303 #define WHICH_ALG(type, wild, idx, ipss) \
1305 1304 ((wild)?(ipss->ipsec_sortlist[type][idx]):(idx))
1306 1305
1307 1306 for (encr_idx = encr_min; encr_idx <= encr_max; encr_idx++) {
1308 1307 encr_alg = WHICH_ALG(IPSEC_ALG_ENCR, wild_encr, encr_idx, ipss);
1309 1308 if (wild_encr && encr_alg == SADB_EALG_NONE)
1310 1309 continue;
1311 1310 for (auth_idx = auth_min; auth_idx <= auth_max; auth_idx++) {
1312 1311 auth_alg = WHICH_ALG(IPSEC_ALG_AUTH, wild_auth,
1313 1312 auth_idx, ipss);
1314 1313 if (wild_auth && auth_alg == SADB_AALG_NONE)
1315 1314 continue;
1316 1315 for (eauth_idx = eauth_min; eauth_idx <= eauth_max;
1317 1316 eauth_idx++) {
1318 1317 eauth_alg = WHICH_ALG(IPSEC_ALG_AUTH,
1319 1318 wild_eauth, eauth_idx, ipss);
1320 1319 if (wild_eauth && eauth_alg == SADB_AALG_NONE)
1321 1320 continue;
1322 1321
1323 1322 ipsec_setup_act(&outact[ai], act,
1324 1323 auth_alg, encr_alg, eauth_alg, ns);
1325 1324 ai++;
1326 1325 }
1327 1326 }
1328 1327 }
1329 1328
1330 1329 #undef WHICH_ALG
1331 1330
1332 1331 ASSERT(ai == action_count);
1333 1332 *nact = action_count;
1334 1333 return (outact);
1335 1334 }
1336 1335
1337 1336 /*
1338 1337 * Extract the parts of an ipsec_prot_t from an old-style ipsec_req_t.
1339 1338 */
1340 1339 static void
1341 1340 ipsec_prot_from_req(const ipsec_req_t *req, ipsec_prot_t *ipp)
1342 1341 {
1343 1342 bzero(ipp, sizeof (*ipp));
1344 1343 /*
1345 1344 * ipp_use_* are bitfields. Look at "!!" in the following as a
1346 1345 * "boolean canonicalization" operator.
1347 1346 */
1348 1347 ipp->ipp_use_ah = !!(req->ipsr_ah_req & IPSEC_PREF_REQUIRED);
1349 1348 ipp->ipp_use_esp = !!(req->ipsr_esp_req & IPSEC_PREF_REQUIRED);
1350 1349 ipp->ipp_use_espa = !!(req->ipsr_esp_auth_alg);
1351 1350 ipp->ipp_use_se = !!(req->ipsr_self_encap_req & IPSEC_PREF_REQUIRED);
1352 1351 ipp->ipp_use_unique = !!((req->ipsr_ah_req|req->ipsr_esp_req) &
1353 1352 IPSEC_PREF_UNIQUE);
1354 1353 ipp->ipp_encr_alg = req->ipsr_esp_alg;
1355 1354 /*
1356 1355 * SADB_AALG_ANY is a placeholder to distinguish "any" from
1357 1356 * "none" above. If auth is required, as determined above,
1358 1357 * SADB_AALG_ANY becomes 0, which is the representation
1359 1358 * of "any" and "none" in PF_KEY v2.
1360 1359 */
1361 1360 ipp->ipp_auth_alg = (req->ipsr_auth_alg != SADB_AALG_ANY) ?
1362 1361 req->ipsr_auth_alg : 0;
1363 1362 ipp->ipp_esp_auth_alg = (req->ipsr_esp_auth_alg != SADB_AALG_ANY) ?
1364 1363 req->ipsr_esp_auth_alg : 0;
1365 1364 }
1366 1365
1367 1366 /*
1368 1367 * Extract a new-style action from a request.
1369 1368 */
1370 1369 void
1371 1370 ipsec_actvec_from_req(const ipsec_req_t *req, ipsec_act_t **actp, uint_t *nactp,
1372 1371 netstack_t *ns)
1373 1372 {
1374 1373 struct ipsec_act act;
1375 1374
1376 1375 bzero(&act, sizeof (act));
1377 1376 if ((req->ipsr_ah_req & IPSEC_PREF_NEVER) &&
1378 1377 (req->ipsr_esp_req & IPSEC_PREF_NEVER)) {
1379 1378 act.ipa_type = IPSEC_ACT_BYPASS;
1380 1379 } else {
1381 1380 act.ipa_type = IPSEC_ACT_APPLY;
1382 1381 ipsec_prot_from_req(req, &act.ipa_apply);
1383 1382 }
1384 1383 *actp = ipsec_act_wildcard_expand(&act, nactp, ns);
1385 1384 }
1386 1385
1387 1386 /*
1388 1387 * Convert a new-style "prot" back to an ipsec_req_t (more backwards compat).
1389 1388 * We assume caller has already zero'ed *req for us.
1390 1389 */
1391 1390 static int
1392 1391 ipsec_req_from_prot(ipsec_prot_t *ipp, ipsec_req_t *req)
1393 1392 {
1394 1393 req->ipsr_esp_alg = ipp->ipp_encr_alg;
1395 1394 req->ipsr_auth_alg = ipp->ipp_auth_alg;
1396 1395 req->ipsr_esp_auth_alg = ipp->ipp_esp_auth_alg;
1397 1396
1398 1397 if (ipp->ipp_use_unique) {
1399 1398 req->ipsr_ah_req |= IPSEC_PREF_UNIQUE;
1400 1399 req->ipsr_esp_req |= IPSEC_PREF_UNIQUE;
1401 1400 }
1402 1401 if (ipp->ipp_use_se)
1403 1402 req->ipsr_self_encap_req |= IPSEC_PREF_REQUIRED;
1404 1403 if (ipp->ipp_use_ah)
1405 1404 req->ipsr_ah_req |= IPSEC_PREF_REQUIRED;
1406 1405 if (ipp->ipp_use_esp)
1407 1406 req->ipsr_esp_req |= IPSEC_PREF_REQUIRED;
1408 1407 return (sizeof (*req));
1409 1408 }
1410 1409
1411 1410 /*
1412 1411 * Convert a new-style action back to an ipsec_req_t (more backwards compat).
1413 1412 * We assume caller has already zero'ed *req for us.
1414 1413 */
1415 1414 static int
1416 1415 ipsec_req_from_act(ipsec_action_t *ap, ipsec_req_t *req)
1417 1416 {
1418 1417 switch (ap->ipa_act.ipa_type) {
1419 1418 case IPSEC_ACT_BYPASS:
1420 1419 req->ipsr_ah_req = IPSEC_PREF_NEVER;
1421 1420 req->ipsr_esp_req = IPSEC_PREF_NEVER;
1422 1421 return (sizeof (*req));
1423 1422 case IPSEC_ACT_APPLY:
1424 1423 return (ipsec_req_from_prot(&ap->ipa_act.ipa_apply, req));
1425 1424 }
1426 1425 return (sizeof (*req));
1427 1426 }
1428 1427
1429 1428 /*
1430 1429 * Convert a new-style action back to an ipsec_req_t (more backwards compat).
1431 1430 * We assume caller has already zero'ed *req for us.
1432 1431 */
1433 1432 int
1434 1433 ipsec_req_from_head(ipsec_policy_head_t *ph, ipsec_req_t *req, int af)
1435 1434 {
1436 1435 ipsec_policy_t *p;
1437 1436
1438 1437 /*
1439 1438 * FULL-PERSOCK: consult hash table, too?
1440 1439 */
1441 1440 for (p = ph->iph_root[IPSEC_INBOUND].ipr_nonhash[af];
1442 1441 p != NULL;
1443 1442 p = p->ipsp_hash.hash_next) {
1444 1443 if ((p->ipsp_sel->ipsl_key.ipsl_valid & IPSL_WILDCARD) == 0)
1445 1444 return (ipsec_req_from_act(p->ipsp_act, req));
1446 1445 }
1447 1446 return (sizeof (*req));
1448 1447 }
1449 1448
1450 1449 /*
1451 1450 * Based on per-socket or latched policy, convert to an appropriate
1452 1451 * IP_SEC_OPT ipsec_req_t for the socket option; return size so we can
1453 1452 * be tail-called from ip.
1454 1453 */
1455 1454 int
1456 1455 ipsec_req_from_conn(conn_t *connp, ipsec_req_t *req, int af)
1457 1456 {
1458 1457 ipsec_latch_t *ipl;
1459 1458 int rv = sizeof (ipsec_req_t);
1460 1459
1461 1460 bzero(req, sizeof (*req));
1462 1461
1463 1462 ASSERT(MUTEX_HELD(&connp->conn_lock));
1464 1463 ipl = connp->conn_latch;
1465 1464
1466 1465 /*
1467 1466 * Find appropriate policy. First choice is latched action;
1468 1467 * failing that, see latched policy; failing that,
1469 1468 * look at configured policy.
1470 1469 */
1471 1470 if (ipl != NULL) {
1472 1471 if (connp->conn_latch_in_action != NULL) {
1473 1472 rv = ipsec_req_from_act(connp->conn_latch_in_action,
1474 1473 req);
1475 1474 goto done;
1476 1475 }
1477 1476 if (connp->conn_latch_in_policy != NULL) {
1478 1477 rv = ipsec_req_from_act(
1479 1478 connp->conn_latch_in_policy->ipsp_act, req);
1480 1479 goto done;
1481 1480 }
1482 1481 }
1483 1482 if (connp->conn_policy != NULL)
1484 1483 rv = ipsec_req_from_head(connp->conn_policy, req, af);
1485 1484 done:
1486 1485 return (rv);
1487 1486 }
1488 1487
1489 1488 void
1490 1489 ipsec_actvec_free(ipsec_act_t *act, uint_t nact)
1491 1490 {
1492 1491 kmem_free(act, nact * sizeof (*act));
1493 1492 }
1494 1493
1495 1494 /*
1496 1495 * Consumes a reference to ipsp.
1497 1496 */
1498 1497 static mblk_t *
1499 1498 ipsec_check_loopback_policy(mblk_t *data_mp, ip_recv_attr_t *ira,
1500 1499 ipsec_policy_t *ipsp)
1501 1500 {
1502 1501 if (!(ira->ira_flags & IRAF_IPSEC_SECURE))
1503 1502 return (data_mp);
1504 1503
1505 1504 ASSERT(ira->ira_flags & IRAF_LOOPBACK);
1506 1505
1507 1506 IPPOL_REFRELE(ipsp);
1508 1507
1509 1508 /*
1510 1509 * We should do an actual policy check here. Revisit this
1511 1510 * when we revisit the IPsec API. (And pass a conn_t in when we
1512 1511 * get there.)
1513 1512 */
1514 1513
1515 1514 return (data_mp);
1516 1515 }
1517 1516
1518 1517 /*
1519 1518 * Check that packet's inbound ports & proto match the selectors
1520 1519 * expected by the SAs it traversed on the way in.
1521 1520 */
1522 1521 static boolean_t
1523 1522 ipsec_check_ipsecin_unique(ip_recv_attr_t *ira, const char **reason,
1524 1523 kstat_named_t **counter, uint64_t pkt_unique, netstack_t *ns)
1525 1524 {
1526 1525 uint64_t ah_mask, esp_mask;
1527 1526 ipsa_t *ah_assoc;
1528 1527 ipsa_t *esp_assoc;
1529 1528 ipsec_stack_t *ipss = ns->netstack_ipsec;
1530 1529
1531 1530 ASSERT(ira->ira_flags & IRAF_IPSEC_SECURE);
1532 1531 ASSERT(!(ira->ira_flags & IRAF_LOOPBACK));
1533 1532
1534 1533 ah_assoc = ira->ira_ipsec_ah_sa;
1535 1534 esp_assoc = ira->ira_ipsec_esp_sa;
1536 1535 ASSERT((ah_assoc != NULL) || (esp_assoc != NULL));
1537 1536
1538 1537 ah_mask = (ah_assoc != NULL) ? ah_assoc->ipsa_unique_mask : 0;
1539 1538 esp_mask = (esp_assoc != NULL) ? esp_assoc->ipsa_unique_mask : 0;
1540 1539
1541 1540 if ((ah_mask == 0) && (esp_mask == 0))
1542 1541 return (B_TRUE);
1543 1542
1544 1543 /*
1545 1544 * The pkt_unique check will also check for tunnel mode on the SA
1546 1545 * vs. the tunneled_packet boolean. "Be liberal in what you receive"
1547 1546 * should not apply in this case. ;)
1548 1547 */
1549 1548
1550 1549 if (ah_mask != 0 &&
1551 1550 ah_assoc->ipsa_unique_id != (pkt_unique & ah_mask)) {
1552 1551 *reason = "AH inner header mismatch";
1553 1552 *counter = DROPPER(ipss, ipds_spd_ah_innermismatch);
1554 1553 return (B_FALSE);
1555 1554 }
1556 1555 if (esp_mask != 0 &&
1557 1556 esp_assoc->ipsa_unique_id != (pkt_unique & esp_mask)) {
1558 1557 *reason = "ESP inner header mismatch";
1559 1558 *counter = DROPPER(ipss, ipds_spd_esp_innermismatch);
1560 1559 return (B_FALSE);
1561 1560 }
1562 1561 return (B_TRUE);
1563 1562 }
1564 1563
1565 1564 static boolean_t
1566 1565 ipsec_check_ipsecin_action(ip_recv_attr_t *ira, mblk_t *mp, ipsec_action_t *ap,
1567 1566 ipha_t *ipha, ip6_t *ip6h, const char **reason, kstat_named_t **counter,
1568 1567 netstack_t *ns)
1569 1568 {
1570 1569 boolean_t ret = B_TRUE;
1571 1570 ipsec_prot_t *ipp;
1572 1571 ipsa_t *ah_assoc;
1573 1572 ipsa_t *esp_assoc;
1574 1573 boolean_t decaps;
1575 1574 ipsec_stack_t *ipss = ns->netstack_ipsec;
1576 1575
1577 1576 ASSERT((ipha == NULL && ip6h != NULL) ||
1578 1577 (ip6h == NULL && ipha != NULL));
1579 1578
1580 1579 if (ira->ira_flags & IRAF_LOOPBACK) {
1581 1580 /*
1582 1581 * Besides accepting pointer-equivalent actions, we also
1583 1582 * accept any ICMP errors we generated for ourselves,
1584 1583 * regardless of policy. If we do not wish to make this
1585 1584 * assumption in the future, check here, and where
1586 1585 * IXAF_TRUSTED_ICMP is initialized in ip.c and ip6.c.
1587 1586 */
1588 1587 if (ap == ira->ira_ipsec_action ||
1589 1588 (ira->ira_flags & IRAF_TRUSTED_ICMP))
1590 1589 return (B_TRUE);
1591 1590
1592 1591 /* Deep compare necessary here?? */
1593 1592 *counter = DROPPER(ipss, ipds_spd_loopback_mismatch);
1594 1593 *reason = "loopback policy mismatch";
1595 1594 return (B_FALSE);
1596 1595 }
1597 1596 ASSERT(!(ira->ira_flags & IRAF_TRUSTED_ICMP));
1598 1597 ASSERT(ira->ira_flags & IRAF_IPSEC_SECURE);
1599 1598
1600 1599 ah_assoc = ira->ira_ipsec_ah_sa;
1601 1600 esp_assoc = ira->ira_ipsec_esp_sa;
1602 1601
1603 1602 decaps = (ira->ira_flags & IRAF_IPSEC_DECAPS);
1604 1603
1605 1604 switch (ap->ipa_act.ipa_type) {
1606 1605 case IPSEC_ACT_DISCARD:
1607 1606 case IPSEC_ACT_REJECT:
1608 1607 /* Should "fail hard" */
1609 1608 *counter = DROPPER(ipss, ipds_spd_explicit);
1610 1609 *reason = "blocked by policy";
1611 1610 return (B_FALSE);
1612 1611
1613 1612 case IPSEC_ACT_BYPASS:
1614 1613 case IPSEC_ACT_CLEAR:
1615 1614 *counter = DROPPER(ipss, ipds_spd_got_secure);
1616 1615 *reason = "expected clear, got protected";
1617 1616 return (B_FALSE);
1618 1617
1619 1618 case IPSEC_ACT_APPLY:
1620 1619 ipp = &ap->ipa_act.ipa_apply;
1621 1620 /*
1622 1621 * As of now we do the simple checks of whether
1623 1622 * the datagram has gone through the required IPSEC
1624 1623 * protocol constraints or not. We might have more
1625 1624 * in the future like sensitive levels, key bits, etc.
1626 1625 * If it fails the constraints, check whether we would
1627 1626 * have accepted this if it had come in clear.
1628 1627 */
1629 1628 if (ipp->ipp_use_ah) {
1630 1629 if (ah_assoc == NULL) {
1631 1630 ret = ipsec_inbound_accept_clear(mp, ipha,
1632 1631 ip6h);
1633 1632 *counter = DROPPER(ipss, ipds_spd_got_clear);
1634 1633 *reason = "unprotected not accepted";
1635 1634 break;
1636 1635 }
1637 1636 ASSERT(ah_assoc != NULL);
1638 1637 ASSERT(ipp->ipp_auth_alg != 0);
1639 1638
1640 1639 if (ah_assoc->ipsa_auth_alg !=
1641 1640 ipp->ipp_auth_alg) {
1642 1641 *counter = DROPPER(ipss, ipds_spd_bad_ahalg);
1643 1642 *reason = "unacceptable ah alg";
1644 1643 ret = B_FALSE;
1645 1644 break;
1646 1645 }
1647 1646 } else if (ah_assoc != NULL) {
1648 1647 /*
1649 1648 * Don't allow this. Check IPSEC NOTE above
1650 1649 * ip_fanout_proto().
1651 1650 */
1652 1651 *counter = DROPPER(ipss, ipds_spd_got_ah);
1653 1652 *reason = "unexpected AH";
1654 1653 ret = B_FALSE;
1655 1654 break;
1656 1655 }
1657 1656 if (ipp->ipp_use_esp) {
1658 1657 if (esp_assoc == NULL) {
1659 1658 ret = ipsec_inbound_accept_clear(mp, ipha,
1660 1659 ip6h);
1661 1660 *counter = DROPPER(ipss, ipds_spd_got_clear);
1662 1661 *reason = "unprotected not accepted";
1663 1662 break;
1664 1663 }
1665 1664 ASSERT(esp_assoc != NULL);
1666 1665 ASSERT(ipp->ipp_encr_alg != 0);
1667 1666
1668 1667 if (esp_assoc->ipsa_encr_alg !=
1669 1668 ipp->ipp_encr_alg) {
1670 1669 *counter = DROPPER(ipss, ipds_spd_bad_espealg);
1671 1670 *reason = "unacceptable esp alg";
1672 1671 ret = B_FALSE;
1673 1672 break;
1674 1673 }
1675 1674 /*
1676 1675 * If the client does not need authentication,
1677 1676 * we don't verify the alogrithm.
1678 1677 */
1679 1678 if (ipp->ipp_use_espa) {
1680 1679 if (esp_assoc->ipsa_auth_alg !=
1681 1680 ipp->ipp_esp_auth_alg) {
1682 1681 *counter = DROPPER(ipss,
1683 1682 ipds_spd_bad_espaalg);
1684 1683 *reason = "unacceptable esp auth alg";
1685 1684 ret = B_FALSE;
1686 1685 break;
1687 1686 }
1688 1687 }
1689 1688 } else if (esp_assoc != NULL) {
1690 1689 /*
1691 1690 * Don't allow this. Check IPSEC NOTE above
1692 1691 * ip_fanout_proto().
1693 1692 */
1694 1693 *counter = DROPPER(ipss, ipds_spd_got_esp);
1695 1694 *reason = "unexpected ESP";
1696 1695 ret = B_FALSE;
1697 1696 break;
1698 1697 }
1699 1698 if (ipp->ipp_use_se) {
1700 1699 if (!decaps) {
1701 1700 ret = ipsec_inbound_accept_clear(mp, ipha,
1702 1701 ip6h);
1703 1702 if (!ret) {
1704 1703 /* XXX mutant? */
1705 1704 *counter = DROPPER(ipss,
1706 1705 ipds_spd_bad_selfencap);
1707 1706 *reason = "self encap not found";
1708 1707 break;
1709 1708 }
1710 1709 }
1711 1710 } else if (decaps) {
1712 1711 /*
1713 1712 * XXX If the packet comes in tunneled and the
1714 1713 * recipient does not expect it to be tunneled, it
1715 1714 * is okay. But we drop to be consistent with the
1716 1715 * other cases.
1717 1716 */
1718 1717 *counter = DROPPER(ipss, ipds_spd_got_selfencap);
1719 1718 *reason = "unexpected self encap";
1720 1719 ret = B_FALSE;
1721 1720 break;
1722 1721 }
1723 1722 if (ira->ira_ipsec_action != NULL) {
1724 1723 /*
1725 1724 * This can happen if we do a double policy-check on
1726 1725 * a packet
1727 1726 * XXX XXX should fix this case!
1728 1727 */
1729 1728 IPACT_REFRELE(ira->ira_ipsec_action);
1730 1729 }
1731 1730 ASSERT(ira->ira_flags & IRAF_IPSEC_SECURE);
1732 1731 ASSERT(ira->ira_ipsec_action == NULL);
1733 1732 IPACT_REFHOLD(ap);
1734 1733 ira->ira_ipsec_action = ap;
1735 1734 break; /* from switch */
1736 1735 }
1737 1736 return (ret);
1738 1737 }
1739 1738
1740 1739 static boolean_t
1741 1740 spd_match_inbound_ids(ipsec_latch_t *ipl, ipsa_t *sa)
1742 1741 {
1743 1742 ASSERT(ipl->ipl_ids_latched == B_TRUE);
1744 1743 return ipsid_equal(ipl->ipl_remote_cid, sa->ipsa_src_cid) &&
1745 1744 ipsid_equal(ipl->ipl_local_cid, sa->ipsa_dst_cid);
1746 1745 }
1747 1746
1748 1747 /*
1749 1748 * Takes a latched conn and an inbound packet and returns a unique_id suitable
1750 1749 * for SA comparisons. Most of the time we will copy from the conn_t, but
1751 1750 * there are cases when the conn_t is latched but it has wildcard selectors,
1752 1751 * and then we need to fallback to scooping them out of the packet.
1753 1752 *
1754 1753 * Assume we'll never have 0 with a conn_t present, so use 0 as a failure. We
1755 1754 * can get away with this because we only have non-zero ports/proto for
1756 1755 * latched conn_ts.
1757 1756 *
1758 1757 * Ideal candidate for an "inline" keyword, as we're JUST convoluted enough
1759 1758 * to not be a nice macro.
1760 1759 */
1761 1760 static uint64_t
1762 1761 conn_to_unique(conn_t *connp, mblk_t *data_mp, ipha_t *ipha, ip6_t *ip6h)
1763 1762 {
1764 1763 ipsec_selector_t sel;
1765 1764 uint8_t ulp = connp->conn_proto;
1766 1765
1767 1766 ASSERT(connp->conn_latch_in_policy != NULL);
1768 1767
1769 1768 if ((ulp == IPPROTO_TCP || ulp == IPPROTO_UDP || ulp == IPPROTO_SCTP) &&
1770 1769 (connp->conn_fport == 0 || connp->conn_lport == 0)) {
1771 1770 /* Slow path - we gotta grab from the packet. */
1772 1771 if (ipsec_init_inbound_sel(&sel, data_mp, ipha, ip6h,
1773 1772 SEL_NONE) != SELRET_SUCCESS) {
1774 1773 /* Failure -> have caller free packet with ENOMEM. */
1775 1774 return (0);
1776 1775 }
1777 1776 return (SA_UNIQUE_ID(sel.ips_remote_port, sel.ips_local_port,
1778 1777 sel.ips_protocol, 0));
1779 1778 }
1780 1779
1781 1780 #ifdef DEBUG_NOT_UNTIL_6478464
1782 1781 if (ipsec_init_inbound_sel(&sel, data_mp, ipha, ip6h, SEL_NONE) ==
1783 1782 SELRET_SUCCESS) {
1784 1783 ASSERT(sel.ips_local_port == connp->conn_lport);
1785 1784 ASSERT(sel.ips_remote_port == connp->conn_fport);
1786 1785 ASSERT(sel.ips_protocol == connp->conn_proto);
1787 1786 }
1788 1787 ASSERT(connp->conn_proto != 0);
1789 1788 #endif
1790 1789
1791 1790 return (SA_UNIQUE_ID(connp->conn_fport, connp->conn_lport, ulp, 0));
1792 1791 }
1793 1792
1794 1793 /*
1795 1794 * Called to check policy on a latched connection.
1796 1795 * Note that we don't dereference conn_latch or conn_ihere since the conn might
1797 1796 * be closing. The caller passes a held ipsec_latch_t instead.
1798 1797 */
1799 1798 static boolean_t
1800 1799 ipsec_check_ipsecin_latch(ip_recv_attr_t *ira, mblk_t *mp, ipsec_latch_t *ipl,
1801 1800 ipsec_action_t *ap, ipha_t *ipha, ip6_t *ip6h, const char **reason,
1802 1801 kstat_named_t **counter, conn_t *connp, netstack_t *ns)
1803 1802 {
1804 1803 ipsec_stack_t *ipss = ns->netstack_ipsec;
1805 1804
1806 1805 ASSERT(ipl->ipl_ids_latched == B_TRUE);
1807 1806 ASSERT(ira->ira_flags & IRAF_IPSEC_SECURE);
1808 1807
1809 1808 if (!(ira->ira_flags & IRAF_LOOPBACK)) {
1810 1809 /*
1811 1810 * Over loopback, there aren't real security associations,
1812 1811 * so there are neither identities nor "unique" values
1813 1812 * for us to check the packet against.
1814 1813 */
1815 1814 if (ira->ira_ipsec_ah_sa != NULL) {
1816 1815 if (!spd_match_inbound_ids(ipl,
1817 1816 ira->ira_ipsec_ah_sa)) {
1818 1817 *counter = DROPPER(ipss, ipds_spd_ah_badid);
1819 1818 *reason = "AH identity mismatch";
1820 1819 return (B_FALSE);
1821 1820 }
1822 1821 }
1823 1822
1824 1823 if (ira->ira_ipsec_esp_sa != NULL) {
1825 1824 if (!spd_match_inbound_ids(ipl,
1826 1825 ira->ira_ipsec_esp_sa)) {
1827 1826 *counter = DROPPER(ipss, ipds_spd_esp_badid);
1828 1827 *reason = "ESP identity mismatch";
1829 1828 return (B_FALSE);
1830 1829 }
1831 1830 }
1832 1831
1833 1832 /*
1834 1833 * Can fudge pkt_unique from connp because we're latched.
1835 1834 * In DEBUG kernels (see conn_to_unique()'s implementation),
1836 1835 * verify this even if it REALLY slows things down.
1837 1836 */
1838 1837 if (!ipsec_check_ipsecin_unique(ira, reason, counter,
1839 1838 conn_to_unique(connp, mp, ipha, ip6h), ns)) {
1840 1839 return (B_FALSE);
1841 1840 }
1842 1841 }
1843 1842 return (ipsec_check_ipsecin_action(ira, mp, ap, ipha, ip6h, reason,
1844 1843 counter, ns));
1845 1844 }
1846 1845
1847 1846 /*
1848 1847 * Check to see whether this secured datagram meets the policy
1849 1848 * constraints specified in ipsp.
1850 1849 *
1851 1850 * Called from ipsec_check_global_policy, and ipsec_check_inbound_policy.
1852 1851 *
1853 1852 * Consumes a reference to ipsp.
1854 1853 * Returns the mblk if ok.
1855 1854 */
1856 1855 static mblk_t *
1857 1856 ipsec_check_ipsecin_policy(mblk_t *data_mp, ipsec_policy_t *ipsp,
1858 1857 ipha_t *ipha, ip6_t *ip6h, uint64_t pkt_unique, ip_recv_attr_t *ira,
1859 1858 netstack_t *ns)
1860 1859 {
1861 1860 ipsec_action_t *ap;
1862 1861 const char *reason = "no policy actions found";
1863 1862 ip_stack_t *ipst = ns->netstack_ip;
1864 1863 ipsec_stack_t *ipss = ns->netstack_ipsec;
1865 1864 kstat_named_t *counter;
1866 1865
1867 1866 counter = DROPPER(ipss, ipds_spd_got_secure);
1868 1867
1869 1868 ASSERT(ipsp != NULL);
1870 1869
1871 1870 ASSERT((ipha == NULL && ip6h != NULL) ||
1872 1871 (ip6h == NULL && ipha != NULL));
1873 1872
1874 1873 if (ira->ira_flags & IRAF_LOOPBACK)
1875 1874 return (ipsec_check_loopback_policy(data_mp, ira, ipsp));
1876 1875
1877 1876 ASSERT(ira->ira_flags & IRAF_IPSEC_SECURE);
1878 1877
1879 1878 if (ira->ira_ipsec_action != NULL) {
1880 1879 /*
1881 1880 * this can happen if we do a double policy-check on a packet
1882 1881 * Would be nice to be able to delete this test..
1883 1882 */
1884 1883 IPACT_REFRELE(ira->ira_ipsec_action);
1885 1884 }
1886 1885 ASSERT(ira->ira_ipsec_action == NULL);
1887 1886
1888 1887 if (!SA_IDS_MATCH(ira->ira_ipsec_ah_sa, ira->ira_ipsec_esp_sa)) {
1889 1888 reason = "inbound AH and ESP identities differ";
1890 1889 counter = DROPPER(ipss, ipds_spd_ahesp_diffid);
1891 1890 goto drop;
1892 1891 }
1893 1892
1894 1893 if (!ipsec_check_ipsecin_unique(ira, &reason, &counter, pkt_unique,
1895 1894 ns))
1896 1895 goto drop;
1897 1896
1898 1897 /*
1899 1898 * Ok, now loop through the possible actions and see if any
1900 1899 * of them work for us.
1901 1900 */
1902 1901
1903 1902 for (ap = ipsp->ipsp_act; ap != NULL; ap = ap->ipa_next) {
1904 1903 if (ipsec_check_ipsecin_action(ira, data_mp, ap,
1905 1904 ipha, ip6h, &reason, &counter, ns)) {
1906 1905 BUMP_MIB(&ipst->ips_ip_mib, ipsecInSucceeded);
1907 1906 IPPOL_REFRELE(ipsp);
1908 1907 return (data_mp);
1909 1908 }
1910 1909 }
1911 1910 drop:
1912 1911 ipsec_rl_strlog(ns, IP_MOD_ID, 0, 0, SL_ERROR|SL_WARN|SL_CONSOLE,
1913 1912 "ipsec inbound policy mismatch: %s, packet dropped\n",
1914 1913 reason);
1915 1914 IPPOL_REFRELE(ipsp);
1916 1915 ASSERT(ira->ira_ipsec_action == NULL);
1917 1916 BUMP_MIB(&ipst->ips_ip_mib, ipsecInFailed);
1918 1917 ip_drop_packet(data_mp, B_TRUE, NULL, counter,
1919 1918 &ipss->ipsec_spd_dropper);
1920 1919 return (NULL);
1921 1920 }
1922 1921
1923 1922 /*
1924 1923 * sleazy prefix-length-based compare.
1925 1924 * another inlining candidate..
1926 1925 */
1927 1926 boolean_t
1928 1927 ip_addr_match(uint8_t *addr1, int pfxlen, in6_addr_t *addr2p)
1929 1928 {
1930 1929 int offset = pfxlen>>3;
1931 1930 int bitsleft = pfxlen & 7;
1932 1931 uint8_t *addr2 = (uint8_t *)addr2p;
1933 1932
1934 1933 /*
1935 1934 * and there was much evil..
1936 1935 * XXX should inline-expand the bcmp here and do this 32 bits
1937 1936 * or 64 bits at a time..
1938 1937 */
1939 1938 return ((bcmp(addr1, addr2, offset) == 0) &&
1940 1939 ((bitsleft == 0) ||
1941 1940 (((addr1[offset] ^ addr2[offset]) & (0xff<<(8-bitsleft))) == 0)));
1942 1941 }
1943 1942
1944 1943 static ipsec_policy_t *
1945 1944 ipsec_find_policy_chain(ipsec_policy_t *best, ipsec_policy_t *chain,
1946 1945 ipsec_selector_t *sel, boolean_t is_icmp_inv_acq)
1947 1946 {
1948 1947 ipsec_selkey_t *isel;
1949 1948 ipsec_policy_t *p;
1950 1949 int bpri = best ? best->ipsp_prio : 0;
1951 1950
1952 1951 for (p = chain; p != NULL; p = p->ipsp_hash.hash_next) {
1953 1952 uint32_t valid;
1954 1953
1955 1954 if (p->ipsp_prio <= bpri)
1956 1955 continue;
1957 1956 isel = &p->ipsp_sel->ipsl_key;
1958 1957 valid = isel->ipsl_valid;
1959 1958
1960 1959 if ((valid & IPSL_PROTOCOL) &&
1961 1960 (isel->ipsl_proto != sel->ips_protocol))
1962 1961 continue;
1963 1962
1964 1963 if ((valid & IPSL_REMOTE_ADDR) &&
1965 1964 !ip_addr_match((uint8_t *)&isel->ipsl_remote,
1966 1965 isel->ipsl_remote_pfxlen, &sel->ips_remote_addr_v6))
1967 1966 continue;
1968 1967
1969 1968 if ((valid & IPSL_LOCAL_ADDR) &&
1970 1969 !ip_addr_match((uint8_t *)&isel->ipsl_local,
1971 1970 isel->ipsl_local_pfxlen, &sel->ips_local_addr_v6))
1972 1971 continue;
1973 1972
1974 1973 if ((valid & IPSL_REMOTE_PORT) &&
1975 1974 isel->ipsl_rport != sel->ips_remote_port)
1976 1975 continue;
1977 1976
1978 1977 if ((valid & IPSL_LOCAL_PORT) &&
1979 1978 isel->ipsl_lport != sel->ips_local_port)
1980 1979 continue;
1981 1980
1982 1981 if (!is_icmp_inv_acq) {
1983 1982 if ((valid & IPSL_ICMP_TYPE) &&
1984 1983 (isel->ipsl_icmp_type > sel->ips_icmp_type ||
1985 1984 isel->ipsl_icmp_type_end < sel->ips_icmp_type)) {
1986 1985 continue;
1987 1986 }
1988 1987
1989 1988 if ((valid & IPSL_ICMP_CODE) &&
1990 1989 (isel->ipsl_icmp_code > sel->ips_icmp_code ||
1991 1990 isel->ipsl_icmp_code_end <
1992 1991 sel->ips_icmp_code)) {
1993 1992 continue;
1994 1993 }
1995 1994 } else {
1996 1995 /*
1997 1996 * special case for icmp inverse acquire
1998 1997 * we only want policies that aren't drop/pass
1999 1998 */
2000 1999 if (p->ipsp_act->ipa_act.ipa_type != IPSEC_ACT_APPLY)
2001 2000 continue;
2002 2001 }
2003 2002
2004 2003 /* we matched all the packet-port-field selectors! */
2005 2004 best = p;
2006 2005 bpri = p->ipsp_prio;
2007 2006 }
2008 2007
2009 2008 return (best);
2010 2009 }
2011 2010
2012 2011 /*
2013 2012 * Try to find and return the best policy entry under a given policy
2014 2013 * root for a given set of selectors; the first parameter "best" is
2015 2014 * the current best policy so far. If "best" is non-null, we have a
2016 2015 * reference to it. We return a reference to a policy; if that policy
2017 2016 * is not the original "best", we need to release that reference
2018 2017 * before returning.
2019 2018 */
2020 2019 ipsec_policy_t *
2021 2020 ipsec_find_policy_head(ipsec_policy_t *best, ipsec_policy_head_t *head,
2022 2021 int direction, ipsec_selector_t *sel)
2023 2022 {
2024 2023 ipsec_policy_t *curbest;
2025 2024 ipsec_policy_root_t *root;
2026 2025 uint8_t is_icmp_inv_acq = sel->ips_is_icmp_inv_acq;
2027 2026 int af = sel->ips_isv4 ? IPSEC_AF_V4 : IPSEC_AF_V6;
2028 2027
2029 2028 curbest = best;
2030 2029 root = &head->iph_root[direction];
2031 2030
2032 2031 #ifdef DEBUG
2033 2032 if (is_icmp_inv_acq) {
2034 2033 if (sel->ips_isv4) {
2035 2034 if (sel->ips_protocol != IPPROTO_ICMP) {
2036 2035 cmn_err(CE_WARN, "ipsec_find_policy_head:"
2037 2036 " expecting icmp, got %d",
2038 2037 sel->ips_protocol);
2039 2038 }
2040 2039 } else {
2041 2040 if (sel->ips_protocol != IPPROTO_ICMPV6) {
2042 2041 cmn_err(CE_WARN, "ipsec_find_policy_head:"
2043 2042 " expecting icmpv6, got %d",
2044 2043 sel->ips_protocol);
2045 2044 }
2046 2045 }
2047 2046 }
2048 2047 #endif
2049 2048
2050 2049 rw_enter(&head->iph_lock, RW_READER);
2051 2050
2052 2051 if (root->ipr_nchains > 0) {
2053 2052 curbest = ipsec_find_policy_chain(curbest,
2054 2053 root->ipr_hash[selector_hash(sel, root)].hash_head, sel,
2055 2054 is_icmp_inv_acq);
2056 2055 }
2057 2056 curbest = ipsec_find_policy_chain(curbest, root->ipr_nonhash[af], sel,
2058 2057 is_icmp_inv_acq);
2059 2058
2060 2059 /*
2061 2060 * Adjust reference counts if we found anything new.
2062 2061 */
2063 2062 if (curbest != best) {
2064 2063 ASSERT(curbest != NULL);
2065 2064 IPPOL_REFHOLD(curbest);
2066 2065
2067 2066 if (best != NULL) {
2068 2067 IPPOL_REFRELE(best);
2069 2068 }
2070 2069 }
2071 2070
2072 2071 rw_exit(&head->iph_lock);
2073 2072
2074 2073 return (curbest);
2075 2074 }
2076 2075
2077 2076 /*
2078 2077 * Find the best system policy (either global or per-interface) which
2079 2078 * applies to the given selector; look in all the relevant policy roots
2080 2079 * to figure out which policy wins.
2081 2080 *
2082 2081 * Returns a reference to a policy; caller must release this
2083 2082 * reference when done.
2084 2083 */
2085 2084 ipsec_policy_t *
2086 2085 ipsec_find_policy(int direction, const conn_t *connp, ipsec_selector_t *sel,
2087 2086 netstack_t *ns)
2088 2087 {
2089 2088 ipsec_policy_t *p;
2090 2089 ipsec_stack_t *ipss = ns->netstack_ipsec;
2091 2090
2092 2091 p = ipsec_find_policy_head(NULL, &ipss->ipsec_system_policy,
2093 2092 direction, sel);
2094 2093 if ((connp != NULL) && (connp->conn_policy != NULL)) {
2095 2094 p = ipsec_find_policy_head(p, connp->conn_policy,
2096 2095 direction, sel);
2097 2096 }
2098 2097
2099 2098 return (p);
2100 2099 }
2101 2100
2102 2101 /*
2103 2102 * Check with global policy and see whether this inbound
2104 2103 * packet meets the policy constraints.
2105 2104 *
2106 2105 * Locate appropriate policy from global policy, supplemented by the
2107 2106 * conn's configured and/or cached policy if the conn is supplied.
2108 2107 *
2109 2108 * Dispatch to ipsec_check_ipsecin_policy if we have policy and an
2110 2109 * encrypted packet to see if they match.
2111 2110 *
2112 2111 * Otherwise, see if the policy allows cleartext; if not, drop it on the
2113 2112 * floor.
2114 2113 */
2115 2114 mblk_t *
2116 2115 ipsec_check_global_policy(mblk_t *data_mp, conn_t *connp,
2117 2116 ipha_t *ipha, ip6_t *ip6h, ip_recv_attr_t *ira, netstack_t *ns)
2118 2117 {
2119 2118 ipsec_policy_t *p;
2120 2119 ipsec_selector_t sel;
2121 2120 boolean_t policy_present;
2122 2121 kstat_named_t *counter;
2123 2122 uint64_t pkt_unique;
2124 2123 ip_stack_t *ipst = ns->netstack_ip;
2125 2124 ipsec_stack_t *ipss = ns->netstack_ipsec;
2126 2125
2127 2126 sel.ips_is_icmp_inv_acq = 0;
2128 2127
2129 2128 ASSERT((ipha == NULL && ip6h != NULL) ||
2130 2129 (ip6h == NULL && ipha != NULL));
2131 2130
2132 2131 if (ipha != NULL)
2133 2132 policy_present = ipss->ipsec_inbound_v4_policy_present;
2134 2133 else
2135 2134 policy_present = ipss->ipsec_inbound_v6_policy_present;
2136 2135
2137 2136 if (!policy_present && connp == NULL) {
2138 2137 /*
2139 2138 * No global policy and no per-socket policy;
2140 2139 * just pass it back (but we shouldn't get here in that case)
2141 2140 */
2142 2141 return (data_mp);
2143 2142 }
2144 2143
2145 2144 /*
2146 2145 * If we have cached policy, use it.
2147 2146 * Otherwise consult system policy.
2148 2147 */
2149 2148 if ((connp != NULL) && (connp->conn_latch != NULL)) {
2150 2149 p = connp->conn_latch_in_policy;
2151 2150 if (p != NULL) {
2152 2151 IPPOL_REFHOLD(p);
2153 2152 }
2154 2153 /*
2155 2154 * Fudge sel for UNIQUE_ID setting below.
2156 2155 */
2157 2156 pkt_unique = conn_to_unique(connp, data_mp, ipha, ip6h);
2158 2157 } else {
2159 2158 /* Initialize the ports in the selector */
2160 2159 if (ipsec_init_inbound_sel(&sel, data_mp, ipha, ip6h,
2161 2160 SEL_NONE) == SELRET_NOMEM) {
2162 2161 /*
2163 2162 * Technically not a policy mismatch, but it is
2164 2163 * an internal failure.
2165 2164 */
2166 2165 ipsec_log_policy_failure(IPSEC_POLICY_MISMATCH,
2167 2166 "ipsec_init_inbound_sel", ipha, ip6h, B_TRUE, ns);
2168 2167 counter = DROPPER(ipss, ipds_spd_nomem);
2169 2168 goto fail;
2170 2169 }
2171 2170
2172 2171 /*
2173 2172 * Find the policy which best applies.
2174 2173 *
2175 2174 * If we find global policy, we should look at both
2176 2175 * local policy and global policy and see which is
2177 2176 * stronger and match accordingly.
2178 2177 *
2179 2178 * If we don't find a global policy, check with
2180 2179 * local policy alone.
2181 2180 */
2182 2181
2183 2182 p = ipsec_find_policy(IPSEC_TYPE_INBOUND, connp, &sel, ns);
2184 2183 pkt_unique = SA_UNIQUE_ID(sel.ips_remote_port,
2185 2184 sel.ips_local_port, sel.ips_protocol, 0);
2186 2185 }
2187 2186
2188 2187 if (p == NULL) {
2189 2188 if (!(ira->ira_flags & IRAF_IPSEC_SECURE)) {
2190 2189 /*
2191 2190 * We have no policy; default to succeeding.
2192 2191 * XXX paranoid system design doesn't do this.
2193 2192 */
2194 2193 BUMP_MIB(&ipst->ips_ip_mib, ipsecInSucceeded);
2195 2194 return (data_mp);
2196 2195 } else {
2197 2196 counter = DROPPER(ipss, ipds_spd_got_secure);
2198 2197 ipsec_log_policy_failure(IPSEC_POLICY_NOT_NEEDED,
2199 2198 "ipsec_check_global_policy", ipha, ip6h, B_TRUE,
2200 2199 ns);
2201 2200 goto fail;
2202 2201 }
2203 2202 }
2204 2203 if (ira->ira_flags & IRAF_IPSEC_SECURE) {
2205 2204 return (ipsec_check_ipsecin_policy(data_mp, p, ipha, ip6h,
2206 2205 pkt_unique, ira, ns));
2207 2206 }
2208 2207 if (p->ipsp_act->ipa_allow_clear) {
2209 2208 BUMP_MIB(&ipst->ips_ip_mib, ipsecInSucceeded);
2210 2209 IPPOL_REFRELE(p);
2211 2210 return (data_mp);
2212 2211 }
2213 2212 IPPOL_REFRELE(p);
2214 2213 /*
2215 2214 * If we reach here, we will drop the packet because it failed the
2216 2215 * global policy check because the packet was cleartext, and it
2217 2216 * should not have been.
2218 2217 */
2219 2218 ipsec_log_policy_failure(IPSEC_POLICY_MISMATCH,
2220 2219 "ipsec_check_global_policy", ipha, ip6h, B_FALSE, ns);
2221 2220 counter = DROPPER(ipss, ipds_spd_got_clear);
2222 2221
2223 2222 fail:
2224 2223 ip_drop_packet(data_mp, B_TRUE, NULL, counter,
2225 2224 &ipss->ipsec_spd_dropper);
2226 2225 BUMP_MIB(&ipst->ips_ip_mib, ipsecInFailed);
2227 2226 return (NULL);
2228 2227 }
2229 2228
2230 2229 /*
2231 2230 * We check whether an inbound datagram is a valid one
2232 2231 * to accept in clear. If it is secure, it is the job
2233 2232 * of IPSEC to log information appropriately if it
2234 2233 * suspects that it may not be the real one.
2235 2234 *
2236 2235 * It is called only while fanning out to the ULP
2237 2236 * where ULP accepts only secure data and the incoming
2238 2237 * is clear. Usually we never accept clear datagrams in
2239 2238 * such cases. ICMP is the only exception.
2240 2239 *
2241 2240 * NOTE : We don't call this function if the client (ULP)
2242 2241 * is willing to accept things in clear.
2243 2242 */
2244 2243 boolean_t
2245 2244 ipsec_inbound_accept_clear(mblk_t *mp, ipha_t *ipha, ip6_t *ip6h)
2246 2245 {
2247 2246 ushort_t iph_hdr_length;
2248 2247 icmph_t *icmph;
2249 2248 icmp6_t *icmp6;
2250 2249 uint8_t *nexthdrp;
2251 2250
2252 2251 ASSERT((ipha != NULL && ip6h == NULL) ||
2253 2252 (ipha == NULL && ip6h != NULL));
2254 2253
2255 2254 if (ip6h != NULL) {
2256 2255 iph_hdr_length = ip_hdr_length_v6(mp, ip6h);
2257 2256 if (!ip_hdr_length_nexthdr_v6(mp, ip6h, &iph_hdr_length,
2258 2257 &nexthdrp)) {
2259 2258 return (B_FALSE);
2260 2259 }
2261 2260 if (*nexthdrp != IPPROTO_ICMPV6)
2262 2261 return (B_FALSE);
2263 2262 icmp6 = (icmp6_t *)(&mp->b_rptr[iph_hdr_length]);
2264 2263 /* Match IPv6 ICMP policy as closely as IPv4 as possible. */
2265 2264 switch (icmp6->icmp6_type) {
2266 2265 case ICMP6_PARAM_PROB:
2267 2266 /* Corresponds to port/proto unreach in IPv4. */
2268 2267 case ICMP6_ECHO_REQUEST:
2269 2268 /* Just like IPv4. */
2270 2269 return (B_FALSE);
2271 2270
2272 2271 case MLD_LISTENER_QUERY:
2273 2272 case MLD_LISTENER_REPORT:
2274 2273 case MLD_LISTENER_REDUCTION:
2275 2274 /*
2276 2275 * XXX Seperate NDD in IPv4 what about here?
2277 2276 * Plus, mcast is important to ND.
2278 2277 */
2279 2278 case ICMP6_DST_UNREACH:
2280 2279 /* Corresponds to HOST/NET unreachable in IPv4. */
2281 2280 case ICMP6_PACKET_TOO_BIG:
2282 2281 case ICMP6_ECHO_REPLY:
2283 2282 /* These are trusted in IPv4. */
2284 2283 case ND_ROUTER_SOLICIT:
2285 2284 case ND_ROUTER_ADVERT:
2286 2285 case ND_NEIGHBOR_SOLICIT:
2287 2286 case ND_NEIGHBOR_ADVERT:
2288 2287 case ND_REDIRECT:
2289 2288 /* Trust ND messages for now. */
2290 2289 case ICMP6_TIME_EXCEEDED:
2291 2290 default:
2292 2291 return (B_TRUE);
2293 2292 }
2294 2293 } else {
2295 2294 /*
2296 2295 * If it is not ICMP, fail this request.
2297 2296 */
2298 2297 if (ipha->ipha_protocol != IPPROTO_ICMP) {
2299 2298 #ifdef FRAGCACHE_DEBUG
2300 2299 cmn_err(CE_WARN, "Dropping - ipha_proto = %d\n",
2301 2300 ipha->ipha_protocol);
2302 2301 #endif
2303 2302 return (B_FALSE);
2304 2303 }
2305 2304 iph_hdr_length = IPH_HDR_LENGTH(ipha);
2306 2305 icmph = (icmph_t *)&mp->b_rptr[iph_hdr_length];
2307 2306 /*
2308 2307 * It is an insecure icmp message. Check to see whether we are
2309 2308 * willing to accept this one.
2310 2309 */
2311 2310
2312 2311 switch (icmph->icmph_type) {
2313 2312 case ICMP_ECHO_REPLY:
2314 2313 case ICMP_TIME_STAMP_REPLY:
2315 2314 case ICMP_INFO_REPLY:
2316 2315 case ICMP_ROUTER_ADVERTISEMENT:
2317 2316 /*
2318 2317 * We should not encourage clear replies if this
2319 2318 * client expects secure. If somebody is replying
2320 2319 * in clear some mailicious user watching both the
2321 2320 * request and reply, can do chosen-plain-text attacks.
2322 2321 * With global policy we might be just expecting secure
2323 2322 * but sending out clear. We don't know what the right
2324 2323 * thing is. We can't do much here as we can't control
2325 2324 * the sender here. Till we are sure of what to do,
2326 2325 * accept them.
2327 2326 */
2328 2327 return (B_TRUE);
2329 2328 case ICMP_ECHO_REQUEST:
2330 2329 case ICMP_TIME_STAMP_REQUEST:
2331 2330 case ICMP_INFO_REQUEST:
2332 2331 case ICMP_ADDRESS_MASK_REQUEST:
2333 2332 case ICMP_ROUTER_SOLICITATION:
2334 2333 case ICMP_ADDRESS_MASK_REPLY:
2335 2334 /*
2336 2335 * Don't accept this as somebody could be sending
2337 2336 * us plain text to get encrypted data. If we reply,
2338 2337 * it will lead to chosen plain text attack.
2339 2338 */
2340 2339 return (B_FALSE);
2341 2340 case ICMP_DEST_UNREACHABLE:
2342 2341 switch (icmph->icmph_code) {
2343 2342 case ICMP_FRAGMENTATION_NEEDED:
2344 2343 /*
2345 2344 * Be in sync with icmp_inbound, where we have
2346 2345 * already set dce_pmtu
2347 2346 */
2348 2347 #ifdef FRAGCACHE_DEBUG
2349 2348 cmn_err(CE_WARN, "ICMP frag needed\n");
2350 2349 #endif
2351 2350 return (B_TRUE);
2352 2351 case ICMP_HOST_UNREACHABLE:
2353 2352 case ICMP_NET_UNREACHABLE:
2354 2353 /*
2355 2354 * By accepting, we could reset a connection.
2356 2355 * How do we solve the problem of some
2357 2356 * intermediate router sending in-secure ICMP
2358 2357 * messages ?
2359 2358 */
2360 2359 return (B_TRUE);
2361 2360 case ICMP_PORT_UNREACHABLE:
2362 2361 case ICMP_PROTOCOL_UNREACHABLE:
2363 2362 default :
2364 2363 return (B_FALSE);
2365 2364 }
2366 2365 case ICMP_SOURCE_QUENCH:
2367 2366 /*
2368 2367 * If this is an attack, TCP will slow start
2369 2368 * because of this. Is it very harmful ?
2370 2369 */
2371 2370 return (B_TRUE);
2372 2371 case ICMP_PARAM_PROBLEM:
2373 2372 return (B_FALSE);
2374 2373 case ICMP_TIME_EXCEEDED:
2375 2374 return (B_TRUE);
2376 2375 case ICMP_REDIRECT:
2377 2376 return (B_FALSE);
2378 2377 default :
2379 2378 return (B_FALSE);
2380 2379 }
2381 2380 }
2382 2381 }
2383 2382
2384 2383 void
2385 2384 ipsec_latch_ids(ipsec_latch_t *ipl, ipsid_t *local, ipsid_t *remote)
2386 2385 {
2387 2386 mutex_enter(&ipl->ipl_lock);
2388 2387
2389 2388 if (ipl->ipl_ids_latched) {
2390 2389 /* I lost, someone else got here before me */
2391 2390 mutex_exit(&ipl->ipl_lock);
2392 2391 return;
2393 2392 }
2394 2393
2395 2394 if (local != NULL)
2396 2395 IPSID_REFHOLD(local);
2397 2396 if (remote != NULL)
2398 2397 IPSID_REFHOLD(remote);
2399 2398
2400 2399 ipl->ipl_local_cid = local;
2401 2400 ipl->ipl_remote_cid = remote;
2402 2401 ipl->ipl_ids_latched = B_TRUE;
2403 2402 mutex_exit(&ipl->ipl_lock);
2404 2403 }
2405 2404
2406 2405 void
2407 2406 ipsec_latch_inbound(conn_t *connp, ip_recv_attr_t *ira)
2408 2407 {
2409 2408 ipsa_t *sa;
2410 2409 ipsec_latch_t *ipl = connp->conn_latch;
2411 2410
2412 2411 if (!ipl->ipl_ids_latched) {
2413 2412 ipsid_t *local = NULL;
2414 2413 ipsid_t *remote = NULL;
2415 2414
2416 2415 if (!(ira->ira_flags & IRAF_LOOPBACK)) {
2417 2416 ASSERT(ira->ira_flags & IRAF_IPSEC_SECURE);
2418 2417 if (ira->ira_ipsec_esp_sa != NULL)
2419 2418 sa = ira->ira_ipsec_esp_sa;
2420 2419 else
2421 2420 sa = ira->ira_ipsec_ah_sa;
2422 2421 ASSERT(sa != NULL);
2423 2422 local = sa->ipsa_dst_cid;
2424 2423 remote = sa->ipsa_src_cid;
2425 2424 }
2426 2425 ipsec_latch_ids(ipl, local, remote);
2427 2426 }
2428 2427 if (ira->ira_flags & IRAF_IPSEC_SECURE) {
2429 2428 if (connp->conn_latch_in_action != NULL) {
2430 2429 /*
2431 2430 * Previously cached action. This is probably
2432 2431 * harmless, but in DEBUG kernels, check for
2433 2432 * action equality.
2434 2433 *
2435 2434 * Preserve the existing action to preserve latch
2436 2435 * invariance.
2437 2436 */
2438 2437 ASSERT(connp->conn_latch_in_action ==
2439 2438 ira->ira_ipsec_action);
2440 2439 return;
2441 2440 }
2442 2441 connp->conn_latch_in_action = ira->ira_ipsec_action;
2443 2442 IPACT_REFHOLD(connp->conn_latch_in_action);
2444 2443 }
2445 2444 }
2446 2445
2447 2446 /*
2448 2447 * Check whether the policy constraints are met either for an
2449 2448 * inbound datagram; called from IP in numerous places.
2450 2449 *
2451 2450 * Note that this is not a chokepoint for inbound policy checks;
2452 2451 * see also ipsec_check_ipsecin_latch() and ipsec_check_global_policy()
2453 2452 */
2454 2453 mblk_t *
2455 2454 ipsec_check_inbound_policy(mblk_t *mp, conn_t *connp,
2456 2455 ipha_t *ipha, ip6_t *ip6h, ip_recv_attr_t *ira)
2457 2456 {
2458 2457 boolean_t ret;
2459 2458 ipsec_latch_t *ipl;
2460 2459 ipsec_action_t *ap;
2461 2460 uint64_t unique_id;
2462 2461 ipsec_stack_t *ipss;
2463 2462 ip_stack_t *ipst;
2464 2463 netstack_t *ns;
2465 2464 ipsec_policy_head_t *policy_head;
2466 2465 ipsec_policy_t *p = NULL;
2467 2466
2468 2467 ASSERT(connp != NULL);
2469 2468 ns = connp->conn_netstack;
2470 2469 ipss = ns->netstack_ipsec;
2471 2470 ipst = ns->netstack_ip;
2472 2471
2473 2472 if (!(ira->ira_flags & IRAF_IPSEC_SECURE)) {
2474 2473 /*
2475 2474 * This is the case where the incoming datagram is
2476 2475 * cleartext and we need to see whether this client
2477 2476 * would like to receive such untrustworthy things from
2478 2477 * the wire.
2479 2478 */
2480 2479 ASSERT(mp != NULL);
2481 2480
2482 2481 mutex_enter(&connp->conn_lock);
2483 2482 if (connp->conn_state_flags & CONN_CONDEMNED) {
2484 2483 mutex_exit(&connp->conn_lock);
2485 2484 ip_drop_packet(mp, B_TRUE, NULL,
2486 2485 DROPPER(ipss, ipds_spd_got_clear),
2487 2486 &ipss->ipsec_spd_dropper);
2488 2487 BUMP_MIB(&ipst->ips_ip_mib, ipsecInFailed);
2489 2488 return (NULL);
2490 2489 }
2491 2490 if (connp->conn_latch != NULL) {
2492 2491 /* Hold a reference in case the conn is closing */
2493 2492 p = connp->conn_latch_in_policy;
2494 2493 if (p != NULL)
2495 2494 IPPOL_REFHOLD(p);
2496 2495 mutex_exit(&connp->conn_lock);
2497 2496 /*
2498 2497 * Policy is cached in the conn.
2499 2498 */
2500 2499 if (p != NULL && !p->ipsp_act->ipa_allow_clear) {
2501 2500 ret = ipsec_inbound_accept_clear(mp,
2502 2501 ipha, ip6h);
2503 2502 if (ret) {
2504 2503 BUMP_MIB(&ipst->ips_ip_mib,
2505 2504 ipsecInSucceeded);
2506 2505 IPPOL_REFRELE(p);
2507 2506 return (mp);
2508 2507 } else {
2509 2508 ipsec_log_policy_failure(
2510 2509 IPSEC_POLICY_MISMATCH,
2511 2510 "ipsec_check_inbound_policy", ipha,
2512 2511 ip6h, B_FALSE, ns);
2513 2512 ip_drop_packet(mp, B_TRUE, NULL,
2514 2513 DROPPER(ipss, ipds_spd_got_clear),
2515 2514 &ipss->ipsec_spd_dropper);
2516 2515 BUMP_MIB(&ipst->ips_ip_mib,
2517 2516 ipsecInFailed);
2518 2517 IPPOL_REFRELE(p);
2519 2518 return (NULL);
2520 2519 }
2521 2520 } else {
2522 2521 BUMP_MIB(&ipst->ips_ip_mib, ipsecInSucceeded);
2523 2522 if (p != NULL)
2524 2523 IPPOL_REFRELE(p);
2525 2524 return (mp);
2526 2525 }
2527 2526 } else {
2528 2527 policy_head = connp->conn_policy;
2529 2528
2530 2529 /* Hold a reference in case the conn is closing */
2531 2530 if (policy_head != NULL)
2532 2531 IPPH_REFHOLD(policy_head);
2533 2532 mutex_exit(&connp->conn_lock);
2534 2533 /*
2535 2534 * As this is a non-hardbound connection we need
2536 2535 * to look at both per-socket policy and global
2537 2536 * policy.
2538 2537 */
2539 2538 mp = ipsec_check_global_policy(mp, connp,
2540 2539 ipha, ip6h, ira, ns);
2541 2540 if (policy_head != NULL)
2542 2541 IPPH_REFRELE(policy_head, ns);
2543 2542 return (mp);
2544 2543 }
2545 2544 }
2546 2545
2547 2546 mutex_enter(&connp->conn_lock);
2548 2547 /* Connection is closing */
2549 2548 if (connp->conn_state_flags & CONN_CONDEMNED) {
2550 2549 mutex_exit(&connp->conn_lock);
2551 2550 ip_drop_packet(mp, B_TRUE, NULL,
2552 2551 DROPPER(ipss, ipds_spd_got_clear),
2553 2552 &ipss->ipsec_spd_dropper);
2554 2553 BUMP_MIB(&ipst->ips_ip_mib, ipsecInFailed);
2555 2554 return (NULL);
2556 2555 }
2557 2556
2558 2557 /*
2559 2558 * Once a connection is latched it remains so for life, the conn_latch
2560 2559 * pointer on the conn has not changed, simply initializing ipl here
2561 2560 * as the earlier initialization was done only in the cleartext case.
2562 2561 */
2563 2562 if ((ipl = connp->conn_latch) == NULL) {
2564 2563 mblk_t *retmp;
2565 2564 policy_head = connp->conn_policy;
2566 2565
2567 2566 /* Hold a reference in case the conn is closing */
2568 2567 if (policy_head != NULL)
2569 2568 IPPH_REFHOLD(policy_head);
2570 2569 mutex_exit(&connp->conn_lock);
2571 2570 /*
2572 2571 * We don't have policies cached in the conn
2573 2572 * for this stream. So, look at the global
2574 2573 * policy. It will check against conn or global
2575 2574 * depending on whichever is stronger.
2576 2575 */
2577 2576 retmp = ipsec_check_global_policy(mp, connp,
2578 2577 ipha, ip6h, ira, ns);
2579 2578 if (policy_head != NULL)
2580 2579 IPPH_REFRELE(policy_head, ns);
2581 2580 return (retmp);
2582 2581 }
2583 2582
2584 2583 IPLATCH_REFHOLD(ipl);
2585 2584 /* Hold reference on conn_latch_in_action in case conn is closing */
2586 2585 ap = connp->conn_latch_in_action;
2587 2586 if (ap != NULL)
2588 2587 IPACT_REFHOLD(ap);
2589 2588 mutex_exit(&connp->conn_lock);
2590 2589
2591 2590 if (ap != NULL) {
2592 2591 /* Policy is cached & latched; fast(er) path */
2593 2592 const char *reason;
2594 2593 kstat_named_t *counter;
2595 2594
2596 2595 if (ipsec_check_ipsecin_latch(ira, mp, ipl, ap,
2597 2596 ipha, ip6h, &reason, &counter, connp, ns)) {
2598 2597 BUMP_MIB(&ipst->ips_ip_mib, ipsecInSucceeded);
2599 2598 IPLATCH_REFRELE(ipl);
2600 2599 IPACT_REFRELE(ap);
2601 2600 return (mp);
2602 2601 }
2603 2602 ipsec_rl_strlog(ns, IP_MOD_ID, 0, 0,
2604 2603 SL_ERROR|SL_WARN|SL_CONSOLE,
2605 2604 "ipsec inbound policy mismatch: %s, packet dropped\n",
2606 2605 reason);
2607 2606 ip_drop_packet(mp, B_TRUE, NULL, counter,
2608 2607 &ipss->ipsec_spd_dropper);
2609 2608 BUMP_MIB(&ipst->ips_ip_mib, ipsecInFailed);
2610 2609 IPLATCH_REFRELE(ipl);
2611 2610 IPACT_REFRELE(ap);
2612 2611 return (NULL);
2613 2612 }
2614 2613 if ((p = connp->conn_latch_in_policy) == NULL) {
2615 2614 ipsec_weird_null_inbound_policy++;
2616 2615 IPLATCH_REFRELE(ipl);
2617 2616 return (mp);
2618 2617 }
2619 2618
2620 2619 unique_id = conn_to_unique(connp, mp, ipha, ip6h);
2621 2620 IPPOL_REFHOLD(p);
2622 2621 mp = ipsec_check_ipsecin_policy(mp, p, ipha, ip6h, unique_id, ira, ns);
2623 2622 /*
2624 2623 * NOTE: ipsecIn{Failed,Succeeeded} bumped by
2625 2624 * ipsec_check_ipsecin_policy().
2626 2625 */
2627 2626 if (mp != NULL)
2628 2627 ipsec_latch_inbound(connp, ira);
2629 2628 IPLATCH_REFRELE(ipl);
2630 2629 return (mp);
2631 2630 }
2632 2631
2633 2632 /*
2634 2633 * Handle all sorts of cases like tunnel-mode and ICMP.
2635 2634 */
2636 2635 static int
2637 2636 prepended_length(mblk_t *mp, uintptr_t hptr)
2638 2637 {
2639 2638 int rc = 0;
2640 2639
2641 2640 while (mp != NULL) {
2642 2641 if (hptr >= (uintptr_t)mp->b_rptr && hptr <
2643 2642 (uintptr_t)mp->b_wptr) {
2644 2643 rc += (int)(hptr - (uintptr_t)mp->b_rptr);
2645 2644 break; /* out of while loop */
2646 2645 }
2647 2646 rc += (int)MBLKL(mp);
2648 2647 mp = mp->b_cont;
2649 2648 }
2650 2649
2651 2650 if (mp == NULL) {
2652 2651 /*
2653 2652 * IF (big IF) we make it here by naturally exiting the loop,
2654 2653 * then ip6h isn't in the mblk chain "mp" at all.
2655 2654 *
2656 2655 * The only case where this happens is with a reversed IP
2657 2656 * header that gets passed up by inbound ICMP processing.
2658 2657 * This unfortunately triggers longstanding bug 6478464. For
2659 2658 * now, just pass up 0 for the answer.
2660 2659 */
2661 2660 #ifdef DEBUG_NOT_UNTIL_6478464
2662 2661 ASSERT(mp != NULL);
2663 2662 #endif
2664 2663 rc = 0;
2665 2664 }
2666 2665
2667 2666 return (rc);
2668 2667 }
2669 2668
2670 2669 /*
2671 2670 * Returns:
2672 2671 *
2673 2672 * SELRET_NOMEM --> msgpullup() needed to gather things failed.
2674 2673 * SELRET_BADPKT --> If we're being called after tunnel-mode fragment
2675 2674 * gathering, the initial fragment is too short for
2676 2675 * useful data. Only returned if SEL_TUNNEL_FIRSTFRAG is
2677 2676 * set.
2678 2677 * SELRET_SUCCESS --> "sel" now has initialized IPsec selector data.
2679 2678 * SELRET_TUNFRAG --> This is a fragment in a tunnel-mode packet. Caller
2680 2679 * should put this packet in a fragment-gathering queue.
2681 2680 * Only returned if SEL_TUNNEL_MODE and SEL_PORT_POLICY
2682 2681 * is set.
2683 2682 *
2684 2683 * Note that ipha/ip6h can be in a different mblk (mp->b_cont) in the case
2685 2684 * of tunneled packets.
2686 2685 * Also, mp->b_rptr can be an ICMP error where ipha/ip6h is the packet in
2687 2686 * error past the ICMP error.
2688 2687 */
2689 2688 static selret_t
2690 2689 ipsec_init_inbound_sel(ipsec_selector_t *sel, mblk_t *mp, ipha_t *ipha,
2691 2690 ip6_t *ip6h, uint8_t sel_flags)
2692 2691 {
2693 2692 uint16_t *ports;
2694 2693 int outer_hdr_len = 0; /* For ICMP or tunnel-mode cases... */
2695 2694 ushort_t hdr_len;
2696 2695 mblk_t *spare_mp = NULL;
2697 2696 uint8_t *nexthdrp, *transportp;
2698 2697 uint8_t nexthdr;
2699 2698 uint8_t icmp_proto;
2700 2699 ip_pkt_t ipp;
2701 2700 boolean_t port_policy_present = (sel_flags & SEL_PORT_POLICY);
2702 2701 boolean_t is_icmp = (sel_flags & SEL_IS_ICMP);
2703 2702 boolean_t tunnel_mode = (sel_flags & SEL_TUNNEL_MODE);
2704 2703 boolean_t post_frag = (sel_flags & SEL_POST_FRAG);
2705 2704
2706 2705 ASSERT((ipha == NULL && ip6h != NULL) ||
2707 2706 (ipha != NULL && ip6h == NULL));
2708 2707
2709 2708 if (ip6h != NULL) {
2710 2709 outer_hdr_len = prepended_length(mp, (uintptr_t)ip6h);
2711 2710 nexthdr = ip6h->ip6_nxt;
2712 2711 icmp_proto = IPPROTO_ICMPV6;
2713 2712 sel->ips_isv4 = B_FALSE;
2714 2713 sel->ips_local_addr_v6 = ip6h->ip6_dst;
2715 2714 sel->ips_remote_addr_v6 = ip6h->ip6_src;
2716 2715
2717 2716 bzero(&ipp, sizeof (ipp));
2718 2717
2719 2718 switch (nexthdr) {
2720 2719 case IPPROTO_HOPOPTS:
2721 2720 case IPPROTO_ROUTING:
2722 2721 case IPPROTO_DSTOPTS:
2723 2722 case IPPROTO_FRAGMENT:
2724 2723 /*
2725 2724 * Use ip_hdr_length_nexthdr_v6(). And have a spare
2726 2725 * mblk that's contiguous to feed it
2727 2726 */
2728 2727 if ((spare_mp = msgpullup(mp, -1)) == NULL)
2729 2728 return (SELRET_NOMEM);
2730 2729 if (!ip_hdr_length_nexthdr_v6(spare_mp,
2731 2730 (ip6_t *)(spare_mp->b_rptr + outer_hdr_len),
2732 2731 &hdr_len, &nexthdrp)) {
2733 2732 /* Malformed packet - caller frees. */
2734 2733 ipsec_freemsg_chain(spare_mp);
2735 2734 return (SELRET_BADPKT);
2736 2735 }
2737 2736 /* Repopulate now that we have the whole packet */
2738 2737 ip6h = (ip6_t *)(spare_mp->b_rptr + outer_hdr_len);
2739 2738 (void) ip_find_hdr_v6(spare_mp, ip6h, B_FALSE, &ipp,
2740 2739 NULL);
2741 2740 nexthdr = *nexthdrp;
2742 2741 /* We can just extract based on hdr_len now. */
2743 2742 break;
2744 2743 default:
2745 2744 (void) ip_find_hdr_v6(mp, ip6h, B_FALSE, &ipp, NULL);
2746 2745 hdr_len = IPV6_HDR_LEN;
2747 2746 break;
2748 2747 }
2749 2748 if (port_policy_present && IS_V6_FRAGMENT(ipp) && !is_icmp) {
2750 2749 /* IPv6 Fragment */
2751 2750 ipsec_freemsg_chain(spare_mp);
2752 2751 return (SELRET_TUNFRAG);
2753 2752 }
2754 2753 transportp = (uint8_t *)ip6h + hdr_len;
2755 2754 } else {
2756 2755 outer_hdr_len = prepended_length(mp, (uintptr_t)ipha);
2757 2756 icmp_proto = IPPROTO_ICMP;
2758 2757 sel->ips_isv4 = B_TRUE;
2759 2758 sel->ips_local_addr_v4 = ipha->ipha_dst;
2760 2759 sel->ips_remote_addr_v4 = ipha->ipha_src;
2761 2760 nexthdr = ipha->ipha_protocol;
2762 2761 hdr_len = IPH_HDR_LENGTH(ipha);
2763 2762
2764 2763 if (port_policy_present &&
2765 2764 IS_V4_FRAGMENT(ipha->ipha_fragment_offset_and_flags) &&
2766 2765 !is_icmp) {
2767 2766 /* IPv4 Fragment */
2768 2767 ipsec_freemsg_chain(spare_mp);
2769 2768 return (SELRET_TUNFRAG);
2770 2769 }
2771 2770 transportp = (uint8_t *)ipha + hdr_len;
2772 2771 }
2773 2772 sel->ips_protocol = nexthdr;
2774 2773
2775 2774 if ((nexthdr != IPPROTO_TCP && nexthdr != IPPROTO_UDP &&
2776 2775 nexthdr != IPPROTO_SCTP && nexthdr != icmp_proto) ||
2777 2776 (!port_policy_present && !post_frag && tunnel_mode)) {
2778 2777 sel->ips_remote_port = sel->ips_local_port = 0;
2779 2778 ipsec_freemsg_chain(spare_mp);
2780 2779 return (SELRET_SUCCESS);
2781 2780 }
2782 2781
2783 2782 if (transportp + 4 > mp->b_wptr) {
2784 2783 /* If we didn't pullup a copy already, do so now. */
2785 2784 /*
2786 2785 * XXX performance, will upper-layers frequently split TCP/UDP
2787 2786 * apart from IP or options? If so, perhaps we should revisit
2788 2787 * the spare_mp strategy.
2789 2788 */
2790 2789 ipsec_hdr_pullup_needed++;
2791 2790 if (spare_mp == NULL &&
2792 2791 (spare_mp = msgpullup(mp, -1)) == NULL) {
2793 2792 return (SELRET_NOMEM);
2794 2793 }
2795 2794 transportp = &spare_mp->b_rptr[hdr_len + outer_hdr_len];
2796 2795 }
2797 2796
2798 2797 if (nexthdr == icmp_proto) {
2799 2798 sel->ips_icmp_type = *transportp++;
2800 2799 sel->ips_icmp_code = *transportp;
2801 2800 sel->ips_remote_port = sel->ips_local_port = 0;
2802 2801 } else {
2803 2802 ports = (uint16_t *)transportp;
2804 2803 sel->ips_remote_port = *ports++;
2805 2804 sel->ips_local_port = *ports;
2806 2805 }
2807 2806 ipsec_freemsg_chain(spare_mp);
2808 2807 return (SELRET_SUCCESS);
2809 2808 }
2810 2809
2811 2810 /*
2812 2811 * This is called with a b_next chain of messages from the fragcache code,
2813 2812 * hence it needs to discard a chain on error.
2814 2813 */
2815 2814 static boolean_t
2816 2815 ipsec_init_outbound_ports(ipsec_selector_t *sel, mblk_t *mp, ipha_t *ipha,
2817 2816 ip6_t *ip6h, int outer_hdr_len, ipsec_stack_t *ipss)
2818 2817 {
2819 2818 /*
2820 2819 * XXX cut&paste shared with ipsec_init_inbound_sel
2821 2820 */
2822 2821 uint16_t *ports;
2823 2822 ushort_t hdr_len;
2824 2823 mblk_t *spare_mp = NULL;
2825 2824 uint8_t *nexthdrp;
2826 2825 uint8_t nexthdr;
2827 2826 uint8_t *typecode;
2828 2827 uint8_t check_proto;
2829 2828
2830 2829 ASSERT((ipha == NULL && ip6h != NULL) ||
2831 2830 (ipha != NULL && ip6h == NULL));
2832 2831
2833 2832 if (ip6h != NULL) {
2834 2833 check_proto = IPPROTO_ICMPV6;
2835 2834 nexthdr = ip6h->ip6_nxt;
2836 2835 switch (nexthdr) {
2837 2836 case IPPROTO_HOPOPTS:
2838 2837 case IPPROTO_ROUTING:
2839 2838 case IPPROTO_DSTOPTS:
2840 2839 case IPPROTO_FRAGMENT:
2841 2840 /*
2842 2841 * Use ip_hdr_length_nexthdr_v6(). And have a spare
2843 2842 * mblk that's contiguous to feed it
2844 2843 */
2845 2844 spare_mp = msgpullup(mp, -1);
2846 2845 if (spare_mp == NULL ||
2847 2846 !ip_hdr_length_nexthdr_v6(spare_mp,
2848 2847 (ip6_t *)(spare_mp->b_rptr + outer_hdr_len),
2849 2848 &hdr_len, &nexthdrp)) {
2850 2849 /* Always works, even if NULL. */
2851 2850 ipsec_freemsg_chain(spare_mp);
2852 2851 ip_drop_packet_chain(mp, B_FALSE, NULL,
2853 2852 DROPPER(ipss, ipds_spd_nomem),
2854 2853 &ipss->ipsec_spd_dropper);
2855 2854 return (B_FALSE);
2856 2855 } else {
2857 2856 nexthdr = *nexthdrp;
2858 2857 /* We can just extract based on hdr_len now. */
2859 2858 }
2860 2859 break;
2861 2860 default:
2862 2861 hdr_len = IPV6_HDR_LEN;
2863 2862 break;
2864 2863 }
2865 2864 } else {
2866 2865 check_proto = IPPROTO_ICMP;
2867 2866 hdr_len = IPH_HDR_LENGTH(ipha);
2868 2867 nexthdr = ipha->ipha_protocol;
2869 2868 }
2870 2869
2871 2870 sel->ips_protocol = nexthdr;
2872 2871 if (nexthdr != IPPROTO_TCP && nexthdr != IPPROTO_UDP &&
2873 2872 nexthdr != IPPROTO_SCTP && nexthdr != check_proto) {
2874 2873 sel->ips_local_port = sel->ips_remote_port = 0;
2875 2874 ipsec_freemsg_chain(spare_mp); /* Always works, even if NULL */
2876 2875 return (B_TRUE);
2877 2876 }
2878 2877
2879 2878 if (&mp->b_rptr[hdr_len] + 4 + outer_hdr_len > mp->b_wptr) {
2880 2879 /* If we didn't pullup a copy already, do so now. */
2881 2880 /*
2882 2881 * XXX performance, will upper-layers frequently split TCP/UDP
2883 2882 * apart from IP or options? If so, perhaps we should revisit
2884 2883 * the spare_mp strategy.
2885 2884 *
2886 2885 * XXX should this be msgpullup(mp, hdr_len+4) ???
2887 2886 */
2888 2887 if (spare_mp == NULL &&
2889 2888 (spare_mp = msgpullup(mp, -1)) == NULL) {
2890 2889 ip_drop_packet_chain(mp, B_FALSE, NULL,
2891 2890 DROPPER(ipss, ipds_spd_nomem),
2892 2891 &ipss->ipsec_spd_dropper);
2893 2892 return (B_FALSE);
2894 2893 }
2895 2894 ports = (uint16_t *)&spare_mp->b_rptr[hdr_len + outer_hdr_len];
2896 2895 } else {
2897 2896 ports = (uint16_t *)&mp->b_rptr[hdr_len + outer_hdr_len];
2898 2897 }
2899 2898
2900 2899 if (nexthdr == check_proto) {
2901 2900 typecode = (uint8_t *)ports;
2902 2901 sel->ips_icmp_type = *typecode++;
2903 2902 sel->ips_icmp_code = *typecode;
2904 2903 sel->ips_remote_port = sel->ips_local_port = 0;
2905 2904 } else {
2906 2905 sel->ips_local_port = *ports++;
2907 2906 sel->ips_remote_port = *ports;
2908 2907 }
2909 2908 ipsec_freemsg_chain(spare_mp); /* Always works, even if NULL */
2910 2909 return (B_TRUE);
2911 2910 }
2912 2911
2913 2912 /*
2914 2913 * Prepend an mblk with a ipsec_crypto_t to the message chain.
2915 2914 * Frees the argument and returns NULL should the allocation fail.
2916 2915 * Returns the pointer to the crypto data part.
2917 2916 */
2918 2917 mblk_t *
2919 2918 ipsec_add_crypto_data(mblk_t *data_mp, ipsec_crypto_t **icp)
2920 2919 {
2921 2920 mblk_t *mp;
2922 2921
2923 2922 mp = allocb(sizeof (ipsec_crypto_t), BPRI_MED);
2924 2923 if (mp == NULL) {
2925 2924 freemsg(data_mp);
2926 2925 return (NULL);
2927 2926 }
2928 2927 bzero(mp->b_rptr, sizeof (ipsec_crypto_t));
2929 2928 mp->b_wptr += sizeof (ipsec_crypto_t);
2930 2929 mp->b_cont = data_mp;
2931 2930 mp->b_datap->db_type = M_EVENT; /* For ASSERT */
2932 2931 *icp = (ipsec_crypto_t *)mp->b_rptr;
2933 2932 return (mp);
2934 2933 }
2935 2934
2936 2935 /*
2937 2936 * Remove what was prepended above. Return b_cont and a pointer to the
2938 2937 * crypto data.
2939 2938 * The caller must call ipsec_free_crypto_data for mblk once it is done
2940 2939 * with the crypto data.
2941 2940 */
2942 2941 mblk_t *
2943 2942 ipsec_remove_crypto_data(mblk_t *crypto_mp, ipsec_crypto_t **icp)
2944 2943 {
2945 2944 ASSERT(crypto_mp->b_datap->db_type == M_EVENT);
2946 2945 ASSERT(MBLKL(crypto_mp) == sizeof (ipsec_crypto_t));
2947 2946
2948 2947 *icp = (ipsec_crypto_t *)crypto_mp->b_rptr;
2949 2948 return (crypto_mp->b_cont);
2950 2949 }
2951 2950
2952 2951 /*
2953 2952 * Free what was prepended above. Return b_cont.
2954 2953 */
2955 2954 mblk_t *
2956 2955 ipsec_free_crypto_data(mblk_t *crypto_mp)
2957 2956 {
2958 2957 mblk_t *mp;
2959 2958
2960 2959 ASSERT(crypto_mp->b_datap->db_type == M_EVENT);
2961 2960 ASSERT(MBLKL(crypto_mp) == sizeof (ipsec_crypto_t));
2962 2961
2963 2962 mp = crypto_mp->b_cont;
2964 2963 freeb(crypto_mp);
2965 2964 return (mp);
2966 2965 }
2967 2966
2968 2967 /*
2969 2968 * Create an ipsec_action_t based on the way an inbound packet was protected.
2970 2969 * Used to reflect traffic back to a sender.
2971 2970 *
2972 2971 * We don't bother interning the action into the hash table.
2973 2972 */
2974 2973 ipsec_action_t *
2975 2974 ipsec_in_to_out_action(ip_recv_attr_t *ira)
2976 2975 {
2977 2976 ipsa_t *ah_assoc, *esp_assoc;
2978 2977 uint_t auth_alg = 0, encr_alg = 0, espa_alg = 0;
2979 2978 ipsec_action_t *ap;
2980 2979 boolean_t unique;
2981 2980
2982 2981 ap = kmem_cache_alloc(ipsec_action_cache, KM_NOSLEEP);
2983 2982
2984 2983 if (ap == NULL)
2985 2984 return (NULL);
2986 2985
2987 2986 bzero(ap, sizeof (*ap));
2988 2987 HASH_NULL(ap, ipa_hash);
2989 2988 ap->ipa_next = NULL;
2990 2989 ap->ipa_refs = 1;
2991 2990
2992 2991 /*
2993 2992 * Get the algorithms that were used for this packet.
2994 2993 */
2995 2994 ap->ipa_act.ipa_type = IPSEC_ACT_APPLY;
2996 2995 ap->ipa_act.ipa_log = 0;
2997 2996 ASSERT(ira->ira_flags & IRAF_IPSEC_SECURE);
2998 2997
2999 2998 ah_assoc = ira->ira_ipsec_ah_sa;
3000 2999 ap->ipa_act.ipa_apply.ipp_use_ah = (ah_assoc != NULL);
3001 3000
3002 3001 esp_assoc = ira->ira_ipsec_esp_sa;
3003 3002 ap->ipa_act.ipa_apply.ipp_use_esp = (esp_assoc != NULL);
3004 3003
3005 3004 if (esp_assoc != NULL) {
3006 3005 encr_alg = esp_assoc->ipsa_encr_alg;
3007 3006 espa_alg = esp_assoc->ipsa_auth_alg;
3008 3007 ap->ipa_act.ipa_apply.ipp_use_espa = (espa_alg != 0);
3009 3008 }
3010 3009 if (ah_assoc != NULL)
3011 3010 auth_alg = ah_assoc->ipsa_auth_alg;
3012 3011
3013 3012 ap->ipa_act.ipa_apply.ipp_encr_alg = (uint8_t)encr_alg;
3014 3013 ap->ipa_act.ipa_apply.ipp_auth_alg = (uint8_t)auth_alg;
3015 3014 ap->ipa_act.ipa_apply.ipp_esp_auth_alg = (uint8_t)espa_alg;
3016 3015 ap->ipa_act.ipa_apply.ipp_use_se =
3017 3016 !!(ira->ira_flags & IRAF_IPSEC_DECAPS);
3018 3017 unique = B_FALSE;
3019 3018
3020 3019 if (esp_assoc != NULL) {
3021 3020 ap->ipa_act.ipa_apply.ipp_espa_minbits =
3022 3021 esp_assoc->ipsa_authkeybits;
3023 3022 ap->ipa_act.ipa_apply.ipp_espa_maxbits =
3024 3023 esp_assoc->ipsa_authkeybits;
3025 3024 ap->ipa_act.ipa_apply.ipp_espe_minbits =
3026 3025 esp_assoc->ipsa_encrkeybits;
3027 3026 ap->ipa_act.ipa_apply.ipp_espe_maxbits =
3028 3027 esp_assoc->ipsa_encrkeybits;
3029 3028 ap->ipa_act.ipa_apply.ipp_km_proto = esp_assoc->ipsa_kmp;
3030 3029 ap->ipa_act.ipa_apply.ipp_km_cookie = esp_assoc->ipsa_kmc;
3031 3030 if (esp_assoc->ipsa_flags & IPSA_F_UNIQUE)
3032 3031 unique = B_TRUE;
3033 3032 }
3034 3033 if (ah_assoc != NULL) {
3035 3034 ap->ipa_act.ipa_apply.ipp_ah_minbits =
3036 3035 ah_assoc->ipsa_authkeybits;
3037 3036 ap->ipa_act.ipa_apply.ipp_ah_maxbits =
3038 3037 ah_assoc->ipsa_authkeybits;
3039 3038 ap->ipa_act.ipa_apply.ipp_km_proto = ah_assoc->ipsa_kmp;
3040 3039 ap->ipa_act.ipa_apply.ipp_km_cookie = ah_assoc->ipsa_kmc;
3041 3040 if (ah_assoc->ipsa_flags & IPSA_F_UNIQUE)
3042 3041 unique = B_TRUE;
3043 3042 }
3044 3043 ap->ipa_act.ipa_apply.ipp_use_unique = unique;
3045 3044 ap->ipa_want_unique = unique;
3046 3045 ap->ipa_allow_clear = B_FALSE;
3047 3046 ap->ipa_want_se = !!(ira->ira_flags & IRAF_IPSEC_DECAPS);
3048 3047 ap->ipa_want_ah = (ah_assoc != NULL);
3049 3048 ap->ipa_want_esp = (esp_assoc != NULL);
3050 3049
3051 3050 ap->ipa_ovhd = ipsec_act_ovhd(&ap->ipa_act);
3052 3051
3053 3052 ap->ipa_act.ipa_apply.ipp_replay_depth = 0; /* don't care */
3054 3053
3055 3054 return (ap);
3056 3055 }
3057 3056
3058 3057
3059 3058 /*
3060 3059 * Compute the worst-case amount of extra space required by an action.
3061 3060 * Note that, because of the ESP considerations listed below, this is
3062 3061 * actually not the same as the best-case reduction in the MTU; in the
3063 3062 * future, we should pass additional information to this function to
3064 3063 * allow the actual MTU impact to be computed.
3065 3064 *
3066 3065 * AH: Revisit this if we implement algorithms with
3067 3066 * a verifier size of more than 12 bytes.
3068 3067 *
3069 3068 * ESP: A more exact but more messy computation would take into
3070 3069 * account the interaction between the cipher block size and the
3071 3070 * effective MTU, yielding the inner payload size which reflects a
3072 3071 * packet with *minimum* ESP padding..
3073 3072 */
3074 3073 int32_t
3075 3074 ipsec_act_ovhd(const ipsec_act_t *act)
3076 3075 {
3077 3076 int32_t overhead = 0;
3078 3077
3079 3078 if (act->ipa_type == IPSEC_ACT_APPLY) {
3080 3079 const ipsec_prot_t *ipp = &act->ipa_apply;
3081 3080
3082 3081 if (ipp->ipp_use_ah)
3083 3082 overhead += IPSEC_MAX_AH_HDR_SIZE;
3084 3083 if (ipp->ipp_use_esp) {
3085 3084 overhead += IPSEC_MAX_ESP_HDR_SIZE;
3086 3085 overhead += sizeof (struct udphdr);
3087 3086 }
3088 3087 if (ipp->ipp_use_se)
3089 3088 overhead += IP_SIMPLE_HDR_LENGTH;
3090 3089 }
3091 3090 return (overhead);
3092 3091 }
3093 3092
3094 3093 /*
3095 3094 * This hash function is used only when creating policies and thus is not
3096 3095 * performance-critical for packet flows.
3097 3096 *
3098 3097 * Future work: canonicalize the structures hashed with this (i.e.,
3099 3098 * zeroize padding) so the hash works correctly.
3100 3099 */
3101 3100 /* ARGSUSED */
3102 3101 static uint32_t
3103 3102 policy_hash(int size, const void *start, const void *end)
3104 3103 {
3105 3104 return (0);
3106 3105 }
3107 3106
3108 3107
3109 3108 /*
3110 3109 * Hash function macros for each address type.
3111 3110 *
3112 3111 * The IPV6 hash function assumes that the low order 32-bits of the
3113 3112 * address (typically containing the low order 24 bits of the mac
3114 3113 * address) are reasonably well-distributed. Revisit this if we run
3115 3114 * into trouble from lots of collisions on ::1 addresses and the like
3116 3115 * (seems unlikely).
3117 3116 */
3118 3117 #define IPSEC_IPV4_HASH(a, n) ((a) % (n))
3119 3118 #define IPSEC_IPV6_HASH(a, n) (((a).s6_addr32[3]) % (n))
3120 3119
3121 3120 /*
3122 3121 * These two hash functions should produce coordinated values
3123 3122 * but have slightly different roles.
3124 3123 */
3125 3124 static uint32_t
3126 3125 selkey_hash(const ipsec_selkey_t *selkey, netstack_t *ns)
3127 3126 {
3128 3127 uint32_t valid = selkey->ipsl_valid;
3129 3128 ipsec_stack_t *ipss = ns->netstack_ipsec;
3130 3129
3131 3130 if (!(valid & IPSL_REMOTE_ADDR))
3132 3131 return (IPSEC_SEL_NOHASH);
3133 3132
3134 3133 if (valid & IPSL_IPV4) {
3135 3134 if (selkey->ipsl_remote_pfxlen == 32) {
3136 3135 return (IPSEC_IPV4_HASH(selkey->ipsl_remote.ipsad_v4,
3137 3136 ipss->ipsec_spd_hashsize));
3138 3137 }
3139 3138 }
3140 3139 if (valid & IPSL_IPV6) {
3141 3140 if (selkey->ipsl_remote_pfxlen == 128) {
3142 3141 return (IPSEC_IPV6_HASH(selkey->ipsl_remote.ipsad_v6,
3143 3142 ipss->ipsec_spd_hashsize));
3144 3143 }
3145 3144 }
3146 3145 return (IPSEC_SEL_NOHASH);
3147 3146 }
3148 3147
3149 3148 static uint32_t
3150 3149 selector_hash(ipsec_selector_t *sel, ipsec_policy_root_t *root)
3151 3150 {
3152 3151 if (sel->ips_isv4) {
3153 3152 return (IPSEC_IPV4_HASH(sel->ips_remote_addr_v4,
3154 3153 root->ipr_nchains));
3155 3154 }
3156 3155 return (IPSEC_IPV6_HASH(sel->ips_remote_addr_v6, root->ipr_nchains));
3157 3156 }
3158 3157
3159 3158 /*
3160 3159 * Intern actions into the action hash table.
3161 3160 */
3162 3161 ipsec_action_t *
3163 3162 ipsec_act_find(const ipsec_act_t *a, int n, netstack_t *ns)
3164 3163 {
3165 3164 int i;
3166 3165 uint32_t hval;
3167 3166 ipsec_action_t *ap;
3168 3167 ipsec_action_t *prev = NULL;
3169 3168 int32_t overhead, maxovhd = 0;
3170 3169 boolean_t allow_clear = B_FALSE;
3171 3170 boolean_t want_ah = B_FALSE;
3172 3171 boolean_t want_esp = B_FALSE;
3173 3172 boolean_t want_se = B_FALSE;
3174 3173 boolean_t want_unique = B_FALSE;
3175 3174 ipsec_stack_t *ipss = ns->netstack_ipsec;
3176 3175
3177 3176 /*
3178 3177 * TODO: should canonicalize a[] (i.e., zeroize any padding)
3179 3178 * so we can use a non-trivial policy_hash function.
3180 3179 */
3181 3180 for (i = n-1; i >= 0; i--) {
3182 3181 hval = policy_hash(IPSEC_ACTION_HASH_SIZE, &a[i], &a[n]);
3183 3182
3184 3183 HASH_LOCK(ipss->ipsec_action_hash, hval);
3185 3184
3186 3185 for (HASH_ITERATE(ap, ipa_hash,
3187 3186 ipss->ipsec_action_hash, hval)) {
3188 3187 if (bcmp(&ap->ipa_act, &a[i], sizeof (*a)) != 0)
3189 3188 continue;
3190 3189 if (ap->ipa_next != prev)
3191 3190 continue;
3192 3191 break;
3193 3192 }
3194 3193 if (ap != NULL) {
3195 3194 HASH_UNLOCK(ipss->ipsec_action_hash, hval);
3196 3195 prev = ap;
3197 3196 continue;
3198 3197 }
3199 3198 /*
3200 3199 * need to allocate a new one..
3201 3200 */
3202 3201 ap = kmem_cache_alloc(ipsec_action_cache, KM_NOSLEEP);
3203 3202 if (ap == NULL) {
3204 3203 HASH_UNLOCK(ipss->ipsec_action_hash, hval);
3205 3204 if (prev != NULL)
3206 3205 ipsec_action_free(prev);
3207 3206 return (NULL);
3208 3207 }
3209 3208 HASH_INSERT(ap, ipa_hash, ipss->ipsec_action_hash, hval);
3210 3209
3211 3210 ap->ipa_next = prev;
3212 3211 ap->ipa_act = a[i];
3213 3212
3214 3213 overhead = ipsec_act_ovhd(&a[i]);
3215 3214 if (maxovhd < overhead)
3216 3215 maxovhd = overhead;
3217 3216
3218 3217 if ((a[i].ipa_type == IPSEC_ACT_BYPASS) ||
3219 3218 (a[i].ipa_type == IPSEC_ACT_CLEAR))
3220 3219 allow_clear = B_TRUE;
3221 3220 if (a[i].ipa_type == IPSEC_ACT_APPLY) {
3222 3221 const ipsec_prot_t *ipp = &a[i].ipa_apply;
3223 3222
3224 3223 ASSERT(ipp->ipp_use_ah || ipp->ipp_use_esp);
3225 3224 want_ah |= ipp->ipp_use_ah;
3226 3225 want_esp |= ipp->ipp_use_esp;
3227 3226 want_se |= ipp->ipp_use_se;
3228 3227 want_unique |= ipp->ipp_use_unique;
3229 3228 }
3230 3229 ap->ipa_allow_clear = allow_clear;
3231 3230 ap->ipa_want_ah = want_ah;
3232 3231 ap->ipa_want_esp = want_esp;
3233 3232 ap->ipa_want_se = want_se;
3234 3233 ap->ipa_want_unique = want_unique;
3235 3234 ap->ipa_refs = 1; /* from the hash table */
3236 3235 ap->ipa_ovhd = maxovhd;
3237 3236 if (prev)
3238 3237 prev->ipa_refs++;
3239 3238 prev = ap;
3240 3239 HASH_UNLOCK(ipss->ipsec_action_hash, hval);
3241 3240 }
3242 3241
3243 3242 ap->ipa_refs++; /* caller's reference */
3244 3243
3245 3244 return (ap);
3246 3245 }
3247 3246
3248 3247 /*
3249 3248 * Called when refcount goes to 0, indicating that all references to this
3250 3249 * node are gone.
3251 3250 *
3252 3251 * This does not unchain the action from the hash table.
3253 3252 */
3254 3253 void
3255 3254 ipsec_action_free(ipsec_action_t *ap)
3256 3255 {
3257 3256 for (;;) {
3258 3257 ipsec_action_t *np = ap->ipa_next;
3259 3258 ASSERT(ap->ipa_refs == 0);
3260 3259 ASSERT(ap->ipa_hash.hash_pp == NULL);
3261 3260 kmem_cache_free(ipsec_action_cache, ap);
3262 3261 ap = np;
3263 3262 /* Inlined IPACT_REFRELE -- avoid recursion */
3264 3263 if (ap == NULL)
3265 3264 break;
3266 3265 membar_exit();
3267 3266 if (atomic_add_32_nv(&(ap)->ipa_refs, -1) != 0)
3268 3267 break;
3269 3268 /* End inlined IPACT_REFRELE */
3270 3269 }
3271 3270 }
3272 3271
3273 3272 /*
3274 3273 * Called when the action hash table goes away.
3275 3274 *
3276 3275 * The actions can be queued on an mblk with ipsec_in or
3277 3276 * ipsec_out, hence the actions might still be around.
3278 3277 * But we decrement ipa_refs here since we no longer have
3279 3278 * a reference to the action from the hash table.
3280 3279 */
3281 3280 static void
3282 3281 ipsec_action_free_table(ipsec_action_t *ap)
3283 3282 {
3284 3283 while (ap != NULL) {
3285 3284 ipsec_action_t *np = ap->ipa_next;
3286 3285
3287 3286 /* FIXME: remove? */
3288 3287 (void) printf("ipsec_action_free_table(%p) ref %d\n",
3289 3288 (void *)ap, ap->ipa_refs);
3290 3289 ASSERT(ap->ipa_refs > 0);
3291 3290 IPACT_REFRELE(ap);
3292 3291 ap = np;
3293 3292 }
3294 3293 }
3295 3294
3296 3295 /*
3297 3296 * Need to walk all stack instances since the reclaim function
3298 3297 * is global for all instances
3299 3298 */
3300 3299 /* ARGSUSED */
3301 3300 static void
3302 3301 ipsec_action_reclaim(void *arg)
3303 3302 {
3304 3303 netstack_handle_t nh;
3305 3304 netstack_t *ns;
3306 3305 ipsec_stack_t *ipss;
3307 3306
3308 3307 netstack_next_init(&nh);
3309 3308 while ((ns = netstack_next(&nh)) != NULL) {
3310 3309 /*
3311 3310 * netstack_next() can return a netstack_t with a NULL
3312 3311 * netstack_ipsec at boot time.
3313 3312 */
3314 3313 if ((ipss = ns->netstack_ipsec) == NULL) {
3315 3314 netstack_rele(ns);
3316 3315 continue;
3317 3316 }
3318 3317 ipsec_action_reclaim_stack(ipss);
3319 3318 netstack_rele(ns);
3320 3319 }
3321 3320 netstack_next_fini(&nh);
3322 3321 }
3323 3322
3324 3323 /*
3325 3324 * Periodically sweep action hash table for actions with refcount==1, and
3326 3325 * nuke them. We cannot do this "on demand" (i.e., from IPACT_REFRELE)
3327 3326 * because we can't close the race between another thread finding the action
3328 3327 * in the hash table without holding the bucket lock during IPACT_REFRELE.
3329 3328 * Instead, we run this function sporadically to clean up after ourselves;
3330 3329 * we also set it as the "reclaim" function for the action kmem_cache.
3331 3330 *
3332 3331 * Note that it may take several passes of ipsec_action_gc() to free all
3333 3332 * "stale" actions.
3334 3333 */
3335 3334 static void
3336 3335 ipsec_action_reclaim_stack(ipsec_stack_t *ipss)
3337 3336 {
3338 3337 int i;
3339 3338
3340 3339 for (i = 0; i < IPSEC_ACTION_HASH_SIZE; i++) {
3341 3340 ipsec_action_t *ap, *np;
3342 3341
3343 3342 /* skip the lock if nobody home */
3344 3343 if (ipss->ipsec_action_hash[i].hash_head == NULL)
3345 3344 continue;
3346 3345
3347 3346 HASH_LOCK(ipss->ipsec_action_hash, i);
3348 3347 for (ap = ipss->ipsec_action_hash[i].hash_head;
3349 3348 ap != NULL; ap = np) {
3350 3349 ASSERT(ap->ipa_refs > 0);
3351 3350 np = ap->ipa_hash.hash_next;
3352 3351 if (ap->ipa_refs > 1)
3353 3352 continue;
3354 3353 HASH_UNCHAIN(ap, ipa_hash,
3355 3354 ipss->ipsec_action_hash, i);
3356 3355 IPACT_REFRELE(ap);
3357 3356 }
3358 3357 HASH_UNLOCK(ipss->ipsec_action_hash, i);
3359 3358 }
3360 3359 }
3361 3360
3362 3361 /*
3363 3362 * Intern a selector set into the selector set hash table.
3364 3363 * This is simpler than the actions case..
3365 3364 */
3366 3365 static ipsec_sel_t *
3367 3366 ipsec_find_sel(ipsec_selkey_t *selkey, netstack_t *ns)
3368 3367 {
3369 3368 ipsec_sel_t *sp;
3370 3369 uint32_t hval, bucket;
3371 3370 ipsec_stack_t *ipss = ns->netstack_ipsec;
3372 3371
3373 3372 /*
3374 3373 * Exactly one AF bit should be set in selkey.
3375 3374 */
3376 3375 ASSERT(!(selkey->ipsl_valid & IPSL_IPV4) ^
3377 3376 !(selkey->ipsl_valid & IPSL_IPV6));
3378 3377
3379 3378 hval = selkey_hash(selkey, ns);
3380 3379 /* Set pol_hval to uninitialized until we put it in a polhead. */
3381 3380 selkey->ipsl_sel_hval = hval;
3382 3381
3383 3382 bucket = (hval == IPSEC_SEL_NOHASH) ? 0 : hval;
3384 3383
3385 3384 ASSERT(!HASH_LOCKED(ipss->ipsec_sel_hash, bucket));
3386 3385 HASH_LOCK(ipss->ipsec_sel_hash, bucket);
3387 3386
3388 3387 for (HASH_ITERATE(sp, ipsl_hash, ipss->ipsec_sel_hash, bucket)) {
3389 3388 if (bcmp(&sp->ipsl_key, selkey,
3390 3389 offsetof(ipsec_selkey_t, ipsl_pol_hval)) == 0)
3391 3390 break;
3392 3391 }
3393 3392 if (sp != NULL) {
3394 3393 sp->ipsl_refs++;
3395 3394
3396 3395 HASH_UNLOCK(ipss->ipsec_sel_hash, bucket);
3397 3396 return (sp);
3398 3397 }
3399 3398
3400 3399 sp = kmem_cache_alloc(ipsec_sel_cache, KM_NOSLEEP);
3401 3400 if (sp == NULL) {
3402 3401 HASH_UNLOCK(ipss->ipsec_sel_hash, bucket);
3403 3402 return (NULL);
3404 3403 }
3405 3404
3406 3405 HASH_INSERT(sp, ipsl_hash, ipss->ipsec_sel_hash, bucket);
3407 3406 sp->ipsl_refs = 2; /* one for hash table, one for caller */
3408 3407 sp->ipsl_key = *selkey;
3409 3408 /* Set to uninitalized and have insertion into polhead fix things. */
3410 3409 if (selkey->ipsl_sel_hval != IPSEC_SEL_NOHASH)
3411 3410 sp->ipsl_key.ipsl_pol_hval = 0;
3412 3411 else
3413 3412 sp->ipsl_key.ipsl_pol_hval = IPSEC_SEL_NOHASH;
3414 3413
3415 3414 HASH_UNLOCK(ipss->ipsec_sel_hash, bucket);
3416 3415
3417 3416 return (sp);
3418 3417 }
3419 3418
3420 3419 static void
3421 3420 ipsec_sel_rel(ipsec_sel_t **spp, netstack_t *ns)
3422 3421 {
3423 3422 ipsec_sel_t *sp = *spp;
3424 3423 int hval = sp->ipsl_key.ipsl_sel_hval;
3425 3424 ipsec_stack_t *ipss = ns->netstack_ipsec;
3426 3425
3427 3426 *spp = NULL;
3428 3427
3429 3428 if (hval == IPSEC_SEL_NOHASH)
3430 3429 hval = 0;
3431 3430
3432 3431 ASSERT(!HASH_LOCKED(ipss->ipsec_sel_hash, hval));
3433 3432 HASH_LOCK(ipss->ipsec_sel_hash, hval);
3434 3433 if (--sp->ipsl_refs == 1) {
3435 3434 HASH_UNCHAIN(sp, ipsl_hash, ipss->ipsec_sel_hash, hval);
3436 3435 sp->ipsl_refs--;
3437 3436 HASH_UNLOCK(ipss->ipsec_sel_hash, hval);
3438 3437 ASSERT(sp->ipsl_refs == 0);
3439 3438 kmem_cache_free(ipsec_sel_cache, sp);
3440 3439 /* Caller unlocks */
3441 3440 return;
3442 3441 }
3443 3442
3444 3443 HASH_UNLOCK(ipss->ipsec_sel_hash, hval);
3445 3444 }
3446 3445
3447 3446 /*
3448 3447 * Free a policy rule which we know is no longer being referenced.
3449 3448 */
3450 3449 void
3451 3450 ipsec_policy_free(ipsec_policy_t *ipp)
3452 3451 {
3453 3452 ASSERT(ipp->ipsp_refs == 0);
3454 3453 ASSERT(ipp->ipsp_sel != NULL);
3455 3454 ASSERT(ipp->ipsp_act != NULL);
3456 3455 ASSERT(ipp->ipsp_netstack != NULL);
3457 3456
3458 3457 ipsec_sel_rel(&ipp->ipsp_sel, ipp->ipsp_netstack);
3459 3458 IPACT_REFRELE(ipp->ipsp_act);
3460 3459 kmem_cache_free(ipsec_pol_cache, ipp);
3461 3460 }
3462 3461
3463 3462 /*
3464 3463 * Construction of new policy rules; construct a policy, and add it to
3465 3464 * the appropriate tables.
3466 3465 */
3467 3466 ipsec_policy_t *
3468 3467 ipsec_policy_create(ipsec_selkey_t *keys, const ipsec_act_t *a,
3469 3468 int nacts, int prio, uint64_t *index_ptr, netstack_t *ns)
3470 3469 {
3471 3470 ipsec_action_t *ap;
3472 3471 ipsec_sel_t *sp;
3473 3472 ipsec_policy_t *ipp;
3474 3473 ipsec_stack_t *ipss = ns->netstack_ipsec;
3475 3474
3476 3475 if (index_ptr == NULL)
3477 3476 index_ptr = &ipss->ipsec_next_policy_index;
3478 3477
3479 3478 ipp = kmem_cache_alloc(ipsec_pol_cache, KM_NOSLEEP);
3480 3479 ap = ipsec_act_find(a, nacts, ns);
3481 3480 sp = ipsec_find_sel(keys, ns);
3482 3481
3483 3482 if ((ap == NULL) || (sp == NULL) || (ipp == NULL)) {
3484 3483 if (ap != NULL) {
3485 3484 IPACT_REFRELE(ap);
3486 3485 }
3487 3486 if (sp != NULL)
3488 3487 ipsec_sel_rel(&sp, ns);
3489 3488 if (ipp != NULL)
3490 3489 kmem_cache_free(ipsec_pol_cache, ipp);
3491 3490 return (NULL);
3492 3491 }
3493 3492
3494 3493 HASH_NULL(ipp, ipsp_hash);
3495 3494
3496 3495 ipp->ipsp_netstack = ns; /* Needed for ipsec_policy_free */
3497 3496 ipp->ipsp_refs = 1; /* caller's reference */
3498 3497 ipp->ipsp_sel = sp;
3499 3498 ipp->ipsp_act = ap;
3500 3499 ipp->ipsp_prio = prio; /* rule priority */
3501 3500 ipp->ipsp_index = *index_ptr;
3502 3501 (*index_ptr)++;
3503 3502
3504 3503 return (ipp);
3505 3504 }
3506 3505
3507 3506 static void
3508 3507 ipsec_update_present_flags(ipsec_stack_t *ipss)
3509 3508 {
3510 3509 boolean_t hashpol;
3511 3510
3512 3511 hashpol = (avl_numnodes(&ipss->ipsec_system_policy.iph_rulebyid) > 0);
3513 3512
3514 3513 if (hashpol) {
3515 3514 ipss->ipsec_outbound_v4_policy_present = B_TRUE;
3516 3515 ipss->ipsec_outbound_v6_policy_present = B_TRUE;
3517 3516 ipss->ipsec_inbound_v4_policy_present = B_TRUE;
3518 3517 ipss->ipsec_inbound_v6_policy_present = B_TRUE;
3519 3518 return;
3520 3519 }
3521 3520
3522 3521 ipss->ipsec_outbound_v4_policy_present = (NULL !=
3523 3522 ipss->ipsec_system_policy.iph_root[IPSEC_TYPE_OUTBOUND].
3524 3523 ipr_nonhash[IPSEC_AF_V4]);
3525 3524 ipss->ipsec_outbound_v6_policy_present = (NULL !=
3526 3525 ipss->ipsec_system_policy.iph_root[IPSEC_TYPE_OUTBOUND].
3527 3526 ipr_nonhash[IPSEC_AF_V6]);
3528 3527 ipss->ipsec_inbound_v4_policy_present = (NULL !=
3529 3528 ipss->ipsec_system_policy.iph_root[IPSEC_TYPE_INBOUND].
3530 3529 ipr_nonhash[IPSEC_AF_V4]);
3531 3530 ipss->ipsec_inbound_v6_policy_present = (NULL !=
3532 3531 ipss->ipsec_system_policy.iph_root[IPSEC_TYPE_INBOUND].
3533 3532 ipr_nonhash[IPSEC_AF_V6]);
3534 3533 }
3535 3534
3536 3535 boolean_t
3537 3536 ipsec_policy_delete(ipsec_policy_head_t *php, ipsec_selkey_t *keys, int dir,
3538 3537 netstack_t *ns)
3539 3538 {
3540 3539 ipsec_sel_t *sp;
3541 3540 ipsec_policy_t *ip, *nip, *head;
3542 3541 int af;
3543 3542 ipsec_policy_root_t *pr = &php->iph_root[dir];
3544 3543
3545 3544 sp = ipsec_find_sel(keys, ns);
3546 3545
3547 3546 if (sp == NULL)
3548 3547 return (B_FALSE);
3549 3548
3550 3549 af = (sp->ipsl_key.ipsl_valid & IPSL_IPV4) ? IPSEC_AF_V4 : IPSEC_AF_V6;
3551 3550
3552 3551 rw_enter(&php->iph_lock, RW_WRITER);
3553 3552
3554 3553 if (sp->ipsl_key.ipsl_pol_hval == IPSEC_SEL_NOHASH) {
3555 3554 head = pr->ipr_nonhash[af];
3556 3555 } else {
3557 3556 head = pr->ipr_hash[sp->ipsl_key.ipsl_pol_hval].hash_head;
3558 3557 }
3559 3558
3560 3559 for (ip = head; ip != NULL; ip = nip) {
3561 3560 nip = ip->ipsp_hash.hash_next;
3562 3561 if (ip->ipsp_sel != sp) {
3563 3562 continue;
3564 3563 }
3565 3564
3566 3565 IPPOL_UNCHAIN(php, ip);
3567 3566
3568 3567 php->iph_gen++;
3569 3568 ipsec_update_present_flags(ns->netstack_ipsec);
3570 3569
3571 3570 rw_exit(&php->iph_lock);
3572 3571
3573 3572 ipsec_sel_rel(&sp, ns);
3574 3573
3575 3574 return (B_TRUE);
3576 3575 }
3577 3576
3578 3577 rw_exit(&php->iph_lock);
3579 3578 ipsec_sel_rel(&sp, ns);
3580 3579 return (B_FALSE);
3581 3580 }
3582 3581
3583 3582 int
3584 3583 ipsec_policy_delete_index(ipsec_policy_head_t *php, uint64_t policy_index,
3585 3584 netstack_t *ns)
3586 3585 {
3587 3586 boolean_t found = B_FALSE;
3588 3587 ipsec_policy_t ipkey;
3589 3588 ipsec_policy_t *ip;
3590 3589 avl_index_t where;
3591 3590
3592 3591 bzero(&ipkey, sizeof (ipkey));
3593 3592 ipkey.ipsp_index = policy_index;
3594 3593
3595 3594 rw_enter(&php->iph_lock, RW_WRITER);
3596 3595
3597 3596 /*
3598 3597 * We could be cleverer here about the walk.
3599 3598 * but well, (k+1)*log(N) will do for now (k==number of matches,
3600 3599 * N==number of table entries
3601 3600 */
3602 3601 for (;;) {
3603 3602 ip = (ipsec_policy_t *)avl_find(&php->iph_rulebyid,
3604 3603 (void *)&ipkey, &where);
3605 3604 ASSERT(ip == NULL);
3606 3605
3607 3606 ip = avl_nearest(&php->iph_rulebyid, where, AVL_AFTER);
3608 3607
3609 3608 if (ip == NULL)
3610 3609 break;
3611 3610
3612 3611 if (ip->ipsp_index != policy_index) {
3613 3612 ASSERT(ip->ipsp_index > policy_index);
3614 3613 break;
3615 3614 }
3616 3615
3617 3616 IPPOL_UNCHAIN(php, ip);
3618 3617 found = B_TRUE;
3619 3618 }
3620 3619
3621 3620 if (found) {
3622 3621 php->iph_gen++;
3623 3622 ipsec_update_present_flags(ns->netstack_ipsec);
3624 3623 }
3625 3624
3626 3625 rw_exit(&php->iph_lock);
3627 3626
3628 3627 return (found ? 0 : ENOENT);
3629 3628 }
3630 3629
3631 3630 /*
3632 3631 * Given a constructed ipsec_policy_t policy rule, see if it can be entered
3633 3632 * into the correct policy ruleset. As a side-effect, it sets the hash
3634 3633 * entries on "ipp"'s ipsp_pol_hval.
3635 3634 *
3636 3635 * Returns B_TRUE if it can be entered, B_FALSE if it can't be (because a
3637 3636 * duplicate policy exists with exactly the same selectors), or an icmp
3638 3637 * rule exists with a different encryption/authentication action.
3639 3638 */
3640 3639 boolean_t
3641 3640 ipsec_check_policy(ipsec_policy_head_t *php, ipsec_policy_t *ipp, int direction)
3642 3641 {
3643 3642 ipsec_policy_root_t *pr = &php->iph_root[direction];
3644 3643 int af = -1;
3645 3644 ipsec_policy_t *p2, *head;
3646 3645 uint8_t check_proto;
3647 3646 ipsec_selkey_t *selkey = &ipp->ipsp_sel->ipsl_key;
3648 3647 uint32_t valid = selkey->ipsl_valid;
3649 3648
3650 3649 if (valid & IPSL_IPV6) {
3651 3650 ASSERT(!(valid & IPSL_IPV4));
3652 3651 af = IPSEC_AF_V6;
3653 3652 check_proto = IPPROTO_ICMPV6;
3654 3653 } else {
3655 3654 ASSERT(valid & IPSL_IPV4);
3656 3655 af = IPSEC_AF_V4;
3657 3656 check_proto = IPPROTO_ICMP;
3658 3657 }
3659 3658
3660 3659 ASSERT(RW_WRITE_HELD(&php->iph_lock));
3661 3660
3662 3661 /*
3663 3662 * Double-check that we don't have any duplicate selectors here.
3664 3663 * Because selectors are interned below, we need only compare pointers
3665 3664 * for equality.
3666 3665 */
3667 3666 if (selkey->ipsl_sel_hval == IPSEC_SEL_NOHASH) {
3668 3667 head = pr->ipr_nonhash[af];
3669 3668 } else {
3670 3669 selkey->ipsl_pol_hval =
3671 3670 (selkey->ipsl_valid & IPSL_IPV4) ?
3672 3671 IPSEC_IPV4_HASH(selkey->ipsl_remote.ipsad_v4,
3673 3672 pr->ipr_nchains) :
3674 3673 IPSEC_IPV6_HASH(selkey->ipsl_remote.ipsad_v6,
3675 3674 pr->ipr_nchains);
3676 3675
3677 3676 head = pr->ipr_hash[selkey->ipsl_pol_hval].hash_head;
3678 3677 }
3679 3678
3680 3679 for (p2 = head; p2 != NULL; p2 = p2->ipsp_hash.hash_next) {
3681 3680 if (p2->ipsp_sel == ipp->ipsp_sel)
3682 3681 return (B_FALSE);
3683 3682 }
3684 3683
3685 3684 /*
3686 3685 * If it's ICMP and not a drop or pass rule, run through the ICMP
3687 3686 * rules and make sure the action is either new or the same as any
3688 3687 * other actions. We don't have to check the full chain because
3689 3688 * discard and bypass will override all other actions
3690 3689 */
3691 3690
3692 3691 if (valid & IPSL_PROTOCOL &&
3693 3692 selkey->ipsl_proto == check_proto &&
3694 3693 (ipp->ipsp_act->ipa_act.ipa_type == IPSEC_ACT_APPLY)) {
3695 3694
3696 3695 for (p2 = head; p2 != NULL; p2 = p2->ipsp_hash.hash_next) {
3697 3696
3698 3697 if (p2->ipsp_sel->ipsl_key.ipsl_valid & IPSL_PROTOCOL &&
3699 3698 p2->ipsp_sel->ipsl_key.ipsl_proto == check_proto &&
3700 3699 (p2->ipsp_act->ipa_act.ipa_type ==
3701 3700 IPSEC_ACT_APPLY)) {
3702 3701 return (ipsec_compare_action(p2, ipp));
3703 3702 }
3704 3703 }
3705 3704 }
3706 3705
3707 3706 return (B_TRUE);
3708 3707 }
3709 3708
3710 3709 /*
3711 3710 * compare the action chains of two policies for equality
3712 3711 * B_TRUE -> effective equality
3713 3712 */
3714 3713
3715 3714 static boolean_t
3716 3715 ipsec_compare_action(ipsec_policy_t *p1, ipsec_policy_t *p2)
3717 3716 {
3718 3717
3719 3718 ipsec_action_t *act1, *act2;
3720 3719
3721 3720 /* We have a valid rule. Let's compare the actions */
3722 3721 if (p1->ipsp_act == p2->ipsp_act) {
3723 3722 /* same action. We are good */
3724 3723 return (B_TRUE);
3725 3724 }
3726 3725
3727 3726 /* we have to walk the chain */
3728 3727
3729 3728 act1 = p1->ipsp_act;
3730 3729 act2 = p2->ipsp_act;
3731 3730
3732 3731 while (act1 != NULL && act2 != NULL) {
3733 3732
3734 3733 /* otherwise, Are we close enough? */
3735 3734 if (act1->ipa_allow_clear != act2->ipa_allow_clear ||
3736 3735 act1->ipa_want_ah != act2->ipa_want_ah ||
3737 3736 act1->ipa_want_esp != act2->ipa_want_esp ||
3738 3737 act1->ipa_want_se != act2->ipa_want_se) {
3739 3738 /* Nope, we aren't */
3740 3739 return (B_FALSE);
3741 3740 }
3742 3741
3743 3742 if (act1->ipa_want_ah) {
3744 3743 if (act1->ipa_act.ipa_apply.ipp_auth_alg !=
3745 3744 act2->ipa_act.ipa_apply.ipp_auth_alg) {
3746 3745 return (B_FALSE);
3747 3746 }
3748 3747
3749 3748 if (act1->ipa_act.ipa_apply.ipp_ah_minbits !=
3750 3749 act2->ipa_act.ipa_apply.ipp_ah_minbits ||
3751 3750 act1->ipa_act.ipa_apply.ipp_ah_maxbits !=
3752 3751 act2->ipa_act.ipa_apply.ipp_ah_maxbits) {
3753 3752 return (B_FALSE);
3754 3753 }
3755 3754 }
3756 3755
3757 3756 if (act1->ipa_want_esp) {
3758 3757 if (act1->ipa_act.ipa_apply.ipp_use_esp !=
3759 3758 act2->ipa_act.ipa_apply.ipp_use_esp ||
3760 3759 act1->ipa_act.ipa_apply.ipp_use_espa !=
3761 3760 act2->ipa_act.ipa_apply.ipp_use_espa) {
3762 3761 return (B_FALSE);
3763 3762 }
3764 3763
3765 3764 if (act1->ipa_act.ipa_apply.ipp_use_esp) {
3766 3765 if (act1->ipa_act.ipa_apply.ipp_encr_alg !=
3767 3766 act2->ipa_act.ipa_apply.ipp_encr_alg) {
3768 3767 return (B_FALSE);
3769 3768 }
3770 3769
3771 3770 if (act1->ipa_act.ipa_apply.ipp_espe_minbits !=
3772 3771 act2->ipa_act.ipa_apply.ipp_espe_minbits ||
3773 3772 act1->ipa_act.ipa_apply.ipp_espe_maxbits !=
3774 3773 act2->ipa_act.ipa_apply.ipp_espe_maxbits) {
3775 3774 return (B_FALSE);
3776 3775 }
3777 3776 }
3778 3777
3779 3778 if (act1->ipa_act.ipa_apply.ipp_use_espa) {
3780 3779 if (act1->ipa_act.ipa_apply.ipp_esp_auth_alg !=
3781 3780 act2->ipa_act.ipa_apply.ipp_esp_auth_alg) {
3782 3781 return (B_FALSE);
3783 3782 }
3784 3783
3785 3784 if (act1->ipa_act.ipa_apply.ipp_espa_minbits !=
3786 3785 act2->ipa_act.ipa_apply.ipp_espa_minbits ||
3787 3786 act1->ipa_act.ipa_apply.ipp_espa_maxbits !=
3788 3787 act2->ipa_act.ipa_apply.ipp_espa_maxbits) {
3789 3788 return (B_FALSE);
3790 3789 }
3791 3790 }
3792 3791
3793 3792 }
3794 3793
3795 3794 act1 = act1->ipa_next;
3796 3795 act2 = act2->ipa_next;
3797 3796 }
3798 3797
3799 3798 if (act1 != NULL || act2 != NULL) {
3800 3799 return (B_FALSE);
3801 3800 }
3802 3801
3803 3802 return (B_TRUE);
3804 3803 }
3805 3804
3806 3805
3807 3806 /*
3808 3807 * Given a constructed ipsec_policy_t policy rule, enter it into
3809 3808 * the correct policy ruleset.
3810 3809 *
3811 3810 * ipsec_check_policy() is assumed to have succeeded first (to check for
3812 3811 * duplicates).
3813 3812 */
3814 3813 void
3815 3814 ipsec_enter_policy(ipsec_policy_head_t *php, ipsec_policy_t *ipp, int direction,
3816 3815 netstack_t *ns)
3817 3816 {
3818 3817 ipsec_policy_root_t *pr = &php->iph_root[direction];
3819 3818 ipsec_selkey_t *selkey = &ipp->ipsp_sel->ipsl_key;
3820 3819 uint32_t valid = selkey->ipsl_valid;
3821 3820 uint32_t hval = selkey->ipsl_pol_hval;
3822 3821 int af = -1;
3823 3822
3824 3823 ASSERT(RW_WRITE_HELD(&php->iph_lock));
3825 3824
3826 3825 if (valid & IPSL_IPV6) {
3827 3826 ASSERT(!(valid & IPSL_IPV4));
3828 3827 af = IPSEC_AF_V6;
3829 3828 } else {
3830 3829 ASSERT(valid & IPSL_IPV4);
3831 3830 af = IPSEC_AF_V4;
3832 3831 }
3833 3832
3834 3833 php->iph_gen++;
3835 3834
3836 3835 if (hval == IPSEC_SEL_NOHASH) {
3837 3836 HASHLIST_INSERT(ipp, ipsp_hash, pr->ipr_nonhash[af]);
3838 3837 } else {
3839 3838 HASH_LOCK(pr->ipr_hash, hval);
3840 3839 HASH_INSERT(ipp, ipsp_hash, pr->ipr_hash, hval);
3841 3840 HASH_UNLOCK(pr->ipr_hash, hval);
3842 3841 }
3843 3842
3844 3843 ipsec_insert_always(&php->iph_rulebyid, ipp);
3845 3844
3846 3845 ipsec_update_present_flags(ns->netstack_ipsec);
3847 3846 }
3848 3847
3849 3848 static void
3850 3849 ipsec_ipr_flush(ipsec_policy_head_t *php, ipsec_policy_root_t *ipr)
3851 3850 {
3852 3851 ipsec_policy_t *ip, *nip;
3853 3852 int af, chain, nchain;
3854 3853
3855 3854 for (af = 0; af < IPSEC_NAF; af++) {
3856 3855 for (ip = ipr->ipr_nonhash[af]; ip != NULL; ip = nip) {
3857 3856 nip = ip->ipsp_hash.hash_next;
3858 3857 IPPOL_UNCHAIN(php, ip);
3859 3858 }
3860 3859 ipr->ipr_nonhash[af] = NULL;
3861 3860 }
3862 3861 nchain = ipr->ipr_nchains;
3863 3862
3864 3863 for (chain = 0; chain < nchain; chain++) {
3865 3864 for (ip = ipr->ipr_hash[chain].hash_head; ip != NULL;
3866 3865 ip = nip) {
3867 3866 nip = ip->ipsp_hash.hash_next;
3868 3867 IPPOL_UNCHAIN(php, ip);
3869 3868 }
3870 3869 ipr->ipr_hash[chain].hash_head = NULL;
3871 3870 }
3872 3871 }
3873 3872
3874 3873 /*
3875 3874 * Create and insert inbound or outbound policy associated with actp for the
3876 3875 * address family fam into the policy head ph. Returns B_TRUE if policy was
3877 3876 * inserted, and B_FALSE otherwise.
3878 3877 */
3879 3878 boolean_t
3880 3879 ipsec_polhead_insert(ipsec_policy_head_t *ph, ipsec_act_t *actp, uint_t nact,
3881 3880 int fam, int ptype, netstack_t *ns)
3882 3881 {
3883 3882 ipsec_selkey_t sel;
3884 3883 ipsec_policy_t *pol;
3885 3884 ipsec_policy_root_t *pr;
3886 3885
3887 3886 bzero(&sel, sizeof (sel));
3888 3887 sel.ipsl_valid = (fam == IPSEC_AF_V4 ? IPSL_IPV4 : IPSL_IPV6);
3889 3888 if ((pol = ipsec_policy_create(&sel, actp, nact, IPSEC_PRIO_SOCKET,
3890 3889 NULL, ns)) != NULL) {
3891 3890 pr = &ph->iph_root[ptype];
3892 3891 HASHLIST_INSERT(pol, ipsp_hash, pr->ipr_nonhash[fam]);
3893 3892 ipsec_insert_always(&ph->iph_rulebyid, pol);
3894 3893 }
3895 3894 return (pol != NULL);
3896 3895 }
3897 3896
3898 3897 void
3899 3898 ipsec_polhead_flush(ipsec_policy_head_t *php, netstack_t *ns)
3900 3899 {
3901 3900 int dir;
3902 3901
3903 3902 ASSERT(RW_WRITE_HELD(&php->iph_lock));
3904 3903
3905 3904 for (dir = 0; dir < IPSEC_NTYPES; dir++)
3906 3905 ipsec_ipr_flush(php, &php->iph_root[dir]);
3907 3906
3908 3907 php->iph_gen++;
3909 3908 ipsec_update_present_flags(ns->netstack_ipsec);
3910 3909 }
3911 3910
3912 3911 void
3913 3912 ipsec_polhead_free(ipsec_policy_head_t *php, netstack_t *ns)
3914 3913 {
3915 3914 int dir;
3916 3915
3917 3916 ASSERT(php->iph_refs == 0);
3918 3917
3919 3918 rw_enter(&php->iph_lock, RW_WRITER);
3920 3919 ipsec_polhead_flush(php, ns);
3921 3920 rw_exit(&php->iph_lock);
3922 3921 rw_destroy(&php->iph_lock);
3923 3922 for (dir = 0; dir < IPSEC_NTYPES; dir++) {
3924 3923 ipsec_policy_root_t *ipr = &php->iph_root[dir];
3925 3924 int chain;
3926 3925
3927 3926 for (chain = 0; chain < ipr->ipr_nchains; chain++)
3928 3927 mutex_destroy(&(ipr->ipr_hash[chain].hash_lock));
3929 3928
3930 3929 }
3931 3930 ipsec_polhead_free_table(php);
3932 3931 kmem_free(php, sizeof (*php));
3933 3932 }
3934 3933
3935 3934 static void
3936 3935 ipsec_ipr_init(ipsec_policy_root_t *ipr)
3937 3936 {
3938 3937 int af;
3939 3938
3940 3939 ipr->ipr_nchains = 0;
3941 3940 ipr->ipr_hash = NULL;
3942 3941
3943 3942 for (af = 0; af < IPSEC_NAF; af++) {
3944 3943 ipr->ipr_nonhash[af] = NULL;
3945 3944 }
3946 3945 }
3947 3946
3948 3947 ipsec_policy_head_t *
3949 3948 ipsec_polhead_create(void)
3950 3949 {
3951 3950 ipsec_policy_head_t *php;
3952 3951
3953 3952 php = kmem_alloc(sizeof (*php), KM_NOSLEEP);
3954 3953 if (php == NULL)
3955 3954 return (php);
3956 3955
3957 3956 rw_init(&php->iph_lock, NULL, RW_DEFAULT, NULL);
3958 3957 php->iph_refs = 1;
3959 3958 php->iph_gen = 0;
3960 3959
3961 3960 ipsec_ipr_init(&php->iph_root[IPSEC_TYPE_INBOUND]);
3962 3961 ipsec_ipr_init(&php->iph_root[IPSEC_TYPE_OUTBOUND]);
3963 3962
3964 3963 avl_create(&php->iph_rulebyid, ipsec_policy_cmpbyid,
3965 3964 sizeof (ipsec_policy_t), offsetof(ipsec_policy_t, ipsp_byid));
3966 3965
3967 3966 return (php);
3968 3967 }
3969 3968
3970 3969 /*
3971 3970 * Clone the policy head into a new polhead; release one reference to the
3972 3971 * old one and return the only reference to the new one.
3973 3972 * If the old one had a refcount of 1, just return it.
3974 3973 */
3975 3974 ipsec_policy_head_t *
3976 3975 ipsec_polhead_split(ipsec_policy_head_t *php, netstack_t *ns)
3977 3976 {
3978 3977 ipsec_policy_head_t *nphp;
3979 3978
3980 3979 if (php == NULL)
3981 3980 return (ipsec_polhead_create());
3982 3981 else if (php->iph_refs == 1)
3983 3982 return (php);
3984 3983
3985 3984 nphp = ipsec_polhead_create();
3986 3985 if (nphp == NULL)
3987 3986 return (NULL);
3988 3987
3989 3988 if (ipsec_copy_polhead(php, nphp, ns) != 0) {
3990 3989 ipsec_polhead_free(nphp, ns);
3991 3990 return (NULL);
3992 3991 }
3993 3992 IPPH_REFRELE(php, ns);
3994 3993 return (nphp);
3995 3994 }
3996 3995
3997 3996 /*
3998 3997 * When sending a response to a ICMP request or generating a RST
3999 3998 * in the TCP case, the outbound packets need to go at the same level
4000 3999 * of protection as the incoming ones i.e we associate our outbound
4001 4000 * policy with how the packet came in. We call this after we have
4002 4001 * accepted the incoming packet which may or may not have been in
4003 4002 * clear and hence we are sending the reply back with the policy
4004 4003 * matching the incoming datagram's policy.
4005 4004 *
4006 4005 * NOTE : This technology serves two purposes :
4007 4006 *
4008 4007 * 1) If we have multiple outbound policies, we send out a reply
4009 4008 * matching with how it came in rather than matching the outbound
4010 4009 * policy.
4011 4010 *
4012 4011 * 2) For assymetric policies, we want to make sure that incoming
4013 4012 * and outgoing has the same level of protection. Assymetric
4014 4013 * policies exist only with global policy where we may not have
4015 4014 * both outbound and inbound at the same time.
4016 4015 *
4017 4016 * NOTE2: This function is called by cleartext cases, so it needs to be
4018 4017 * in IP proper.
4019 4018 *
4020 4019 * Note: the caller has moved other parts of ira into ixa already.
4021 4020 */
4022 4021 boolean_t
4023 4022 ipsec_in_to_out(ip_recv_attr_t *ira, ip_xmit_attr_t *ixa, mblk_t *data_mp,
4024 4023 ipha_t *ipha, ip6_t *ip6h)
4025 4024 {
4026 4025 ipsec_selector_t sel;
4027 4026 ipsec_action_t *reflect_action = NULL;
4028 4027 netstack_t *ns = ixa->ixa_ipst->ips_netstack;
4029 4028
4030 4029 bzero((void*)&sel, sizeof (sel));
4031 4030
4032 4031 if (ira->ira_ipsec_action != NULL) {
4033 4032 /* transfer reference.. */
4034 4033 reflect_action = ira->ira_ipsec_action;
4035 4034 ira->ira_ipsec_action = NULL;
4036 4035 } else if (!(ira->ira_flags & IRAF_LOOPBACK))
4037 4036 reflect_action = ipsec_in_to_out_action(ira);
4038 4037
4039 4038 /*
4040 4039 * The caller is going to send the datagram out which might
4041 4040 * go on the wire or delivered locally through ire_send_local.
4042 4041 *
4043 4042 * 1) If it goes out on the wire, new associations will be
4044 4043 * obtained.
4045 4044 * 2) If it is delivered locally, ire_send_local will convert
4046 4045 * this ip_xmit_attr_t back to a ip_recv_attr_t looking at the
4047 4046 * requests.
4048 4047 */
4049 4048 ixa->ixa_ipsec_action = reflect_action;
4050 4049
4051 4050 if (!ipsec_init_outbound_ports(&sel, data_mp, ipha, ip6h, 0,
4052 4051 ns->netstack_ipsec)) {
4053 4052 /* Note: data_mp already consumed and ip_drop_packet done */
4054 4053 return (B_FALSE);
4055 4054 }
4056 4055 ixa->ixa_ipsec_src_port = sel.ips_local_port;
4057 4056 ixa->ixa_ipsec_dst_port = sel.ips_remote_port;
4058 4057 ixa->ixa_ipsec_proto = sel.ips_protocol;
4059 4058 ixa->ixa_ipsec_icmp_type = sel.ips_icmp_type;
4060 4059 ixa->ixa_ipsec_icmp_code = sel.ips_icmp_code;
4061 4060
4062 4061 /*
4063 4062 * Don't use global policy for this, as we want
4064 4063 * to use the same protection that was applied to the inbound packet.
4065 4064 * Thus we set IXAF_NO_IPSEC is it arrived in the clear to make
4066 4065 * it be sent in the clear.
4067 4066 */
4068 4067 if (ira->ira_flags & IRAF_IPSEC_SECURE)
4069 4068 ixa->ixa_flags |= IXAF_IPSEC_SECURE;
4070 4069 else
4071 4070 ixa->ixa_flags |= IXAF_NO_IPSEC;
4072 4071
4073 4072 return (B_TRUE);
4074 4073 }
4075 4074
4076 4075 void
4077 4076 ipsec_out_release_refs(ip_xmit_attr_t *ixa)
4078 4077 {
4079 4078 if (!(ixa->ixa_flags & IXAF_IPSEC_SECURE))
4080 4079 return;
4081 4080
4082 4081 if (ixa->ixa_ipsec_ah_sa != NULL) {
4083 4082 IPSA_REFRELE(ixa->ixa_ipsec_ah_sa);
4084 4083 ixa->ixa_ipsec_ah_sa = NULL;
4085 4084 }
4086 4085 if (ixa->ixa_ipsec_esp_sa != NULL) {
4087 4086 IPSA_REFRELE(ixa->ixa_ipsec_esp_sa);
4088 4087 ixa->ixa_ipsec_esp_sa = NULL;
4089 4088 }
4090 4089 if (ixa->ixa_ipsec_policy != NULL) {
4091 4090 IPPOL_REFRELE(ixa->ixa_ipsec_policy);
4092 4091 ixa->ixa_ipsec_policy = NULL;
4093 4092 }
4094 4093 if (ixa->ixa_ipsec_action != NULL) {
4095 4094 IPACT_REFRELE(ixa->ixa_ipsec_action);
4096 4095 ixa->ixa_ipsec_action = NULL;
4097 4096 }
4098 4097 if (ixa->ixa_ipsec_latch) {
4099 4098 IPLATCH_REFRELE(ixa->ixa_ipsec_latch);
4100 4099 ixa->ixa_ipsec_latch = NULL;
4101 4100 }
4102 4101 /* Clear the soft references to the SAs */
4103 4102 ixa->ixa_ipsec_ref[0].ipsr_sa = NULL;
4104 4103 ixa->ixa_ipsec_ref[0].ipsr_bucket = NULL;
4105 4104 ixa->ixa_ipsec_ref[0].ipsr_gen = 0;
4106 4105 ixa->ixa_ipsec_ref[1].ipsr_sa = NULL;
4107 4106 ixa->ixa_ipsec_ref[1].ipsr_bucket = NULL;
4108 4107 ixa->ixa_ipsec_ref[1].ipsr_gen = 0;
4109 4108 ixa->ixa_flags &= ~IXAF_IPSEC_SECURE;
4110 4109 }
4111 4110
4112 4111 void
4113 4112 ipsec_in_release_refs(ip_recv_attr_t *ira)
4114 4113 {
4115 4114 if (!(ira->ira_flags & IRAF_IPSEC_SECURE))
4116 4115 return;
4117 4116
4118 4117 if (ira->ira_ipsec_ah_sa != NULL) {
4119 4118 IPSA_REFRELE(ira->ira_ipsec_ah_sa);
4120 4119 ira->ira_ipsec_ah_sa = NULL;
4121 4120 }
4122 4121 if (ira->ira_ipsec_esp_sa != NULL) {
4123 4122 IPSA_REFRELE(ira->ira_ipsec_esp_sa);
4124 4123 ira->ira_ipsec_esp_sa = NULL;
4125 4124 }
4126 4125 ira->ira_flags &= ~IRAF_IPSEC_SECURE;
4127 4126 }
4128 4127
4129 4128 /*
4130 4129 * This is called from ire_send_local when a packet
4131 4130 * is looped back. We setup the ip_recv_attr_t "borrowing" the references
4132 4131 * held by the callers.
4133 4132 * Note that we don't do any IPsec but we carry the actions and IPSEC flags
4134 4133 * across so that the fanout policy checks see that IPsec was applied.
4135 4134 *
4136 4135 * The caller should do ipsec_in_release_refs() on the ira by calling
4137 4136 * ira_cleanup().
4138 4137 */
4139 4138 void
4140 4139 ipsec_out_to_in(ip_xmit_attr_t *ixa, ill_t *ill, ip_recv_attr_t *ira)
4141 4140 {
4142 4141 ipsec_policy_t *pol;
4143 4142 ipsec_action_t *act;
4144 4143
4145 4144 /* Non-IPsec operations */
4146 4145 ira->ira_free_flags = 0;
4147 4146 ira->ira_zoneid = ixa->ixa_zoneid;
4148 4147 ira->ira_cred = ixa->ixa_cred;
4149 4148 ira->ira_cpid = ixa->ixa_cpid;
4150 4149 ira->ira_tsl = ixa->ixa_tsl;
4151 4150 ira->ira_ill = ira->ira_rill = ill;
4152 4151 ira->ira_flags = ixa->ixa_flags & IAF_MASK;
4153 4152 ira->ira_no_loop_zoneid = ixa->ixa_no_loop_zoneid;
4154 4153 ira->ira_pktlen = ixa->ixa_pktlen;
4155 4154 ira->ira_ip_hdr_length = ixa->ixa_ip_hdr_length;
4156 4155 ira->ira_protocol = ixa->ixa_protocol;
4157 4156 ira->ira_mhip = NULL;
4158 4157
4159 4158 ira->ira_flags |= IRAF_LOOPBACK | IRAF_L2SRC_LOOPBACK;
4160 4159
4161 4160 ira->ira_sqp = ixa->ixa_sqp;
4162 4161 ira->ira_ring = NULL;
4163 4162
4164 4163 ira->ira_ruifindex = ill->ill_phyint->phyint_ifindex;
4165 4164 ira->ira_rifindex = ira->ira_ruifindex;
4166 4165
4167 4166 if (!(ixa->ixa_flags & IXAF_IPSEC_SECURE))
4168 4167 return;
4169 4168
4170 4169 ira->ira_flags |= IRAF_IPSEC_SECURE;
4171 4170
4172 4171 ira->ira_ipsec_ah_sa = NULL;
4173 4172 ira->ira_ipsec_esp_sa = NULL;
4174 4173
4175 4174 act = ixa->ixa_ipsec_action;
4176 4175 if (act == NULL) {
4177 4176 pol = ixa->ixa_ipsec_policy;
4178 4177 if (pol != NULL) {
4179 4178 act = pol->ipsp_act;
4180 4179 IPACT_REFHOLD(act);
4181 4180 }
4182 4181 }
4183 4182 ixa->ixa_ipsec_action = NULL;
4184 4183 ira->ira_ipsec_action = act;
4185 4184 }
4186 4185
4187 4186 /*
4188 4187 * Consults global policy and per-socket policy to see whether this datagram
4189 4188 * should go out secure. If so it updates the ip_xmit_attr_t
4190 4189 * Should not be used when connecting, since then we want to latch the policy.
4191 4190 *
4192 4191 * If connp is NULL we just look at the global policy.
4193 4192 *
4194 4193 * Returns NULL if the packet was dropped, in which case the MIB has
4195 4194 * been incremented and ip_drop_packet done.
4196 4195 */
4197 4196 mblk_t *
4198 4197 ip_output_attach_policy(mblk_t *mp, ipha_t *ipha, ip6_t *ip6h,
4199 4198 const conn_t *connp, ip_xmit_attr_t *ixa)
4200 4199 {
4201 4200 ipsec_selector_t sel;
4202 4201 boolean_t policy_present;
4203 4202 ip_stack_t *ipst = ixa->ixa_ipst;
4204 4203 netstack_t *ns = ipst->ips_netstack;
4205 4204 ipsec_stack_t *ipss = ns->netstack_ipsec;
4206 4205 ipsec_policy_t *p;
4207 4206
4208 4207 ixa->ixa_ipsec_policy_gen = ipss->ipsec_system_policy.iph_gen;
4209 4208 ASSERT((ipha != NULL && ip6h == NULL) ||
4210 4209 (ip6h != NULL && ipha == NULL));
4211 4210
4212 4211 if (ipha != NULL)
4213 4212 policy_present = ipss->ipsec_outbound_v4_policy_present;
4214 4213 else
4215 4214 policy_present = ipss->ipsec_outbound_v6_policy_present;
4216 4215
4217 4216 if (!policy_present && (connp == NULL || connp->conn_policy == NULL))
4218 4217 return (mp);
4219 4218
4220 4219 bzero((void*)&sel, sizeof (sel));
4221 4220
4222 4221 if (ipha != NULL) {
4223 4222 sel.ips_local_addr_v4 = ipha->ipha_src;
4224 4223 sel.ips_remote_addr_v4 = ip_get_dst(ipha);
4225 4224 sel.ips_isv4 = B_TRUE;
4226 4225 } else {
4227 4226 sel.ips_isv4 = B_FALSE;
4228 4227 sel.ips_local_addr_v6 = ip6h->ip6_src;
4229 4228 sel.ips_remote_addr_v6 = ip_get_dst_v6(ip6h, mp, NULL);
4230 4229 }
4231 4230 sel.ips_protocol = ixa->ixa_protocol;
4232 4231
4233 4232 if (!ipsec_init_outbound_ports(&sel, mp, ipha, ip6h, 0, ipss)) {
4234 4233 if (ipha != NULL) {
4235 4234 BUMP_MIB(&ipst->ips_ip_mib, ipIfStatsOutDiscards);
4236 4235 } else {
4237 4236 BUMP_MIB(&ipst->ips_ip6_mib, ipIfStatsOutDiscards);
4238 4237 }
4239 4238 /* Note: mp already consumed and ip_drop_packet done */
4240 4239 return (NULL);
4241 4240 }
4242 4241
4243 4242 ASSERT(ixa->ixa_ipsec_policy == NULL);
4244 4243 p = ipsec_find_policy(IPSEC_TYPE_OUTBOUND, connp, &sel, ns);
4245 4244 ixa->ixa_ipsec_policy = p;
4246 4245 if (p != NULL) {
4247 4246 ixa->ixa_flags |= IXAF_IPSEC_SECURE;
4248 4247 if (connp == NULL || connp->conn_policy == NULL)
4249 4248 ixa->ixa_flags |= IXAF_IPSEC_GLOBAL_POLICY;
4250 4249 } else {
4251 4250 ixa->ixa_flags &= ~IXAF_IPSEC_SECURE;
4252 4251 }
4253 4252
4254 4253 /*
4255 4254 * Copy the right port information.
4256 4255 */
4257 4256 ixa->ixa_ipsec_src_port = sel.ips_local_port;
4258 4257 ixa->ixa_ipsec_dst_port = sel.ips_remote_port;
4259 4258 ixa->ixa_ipsec_icmp_type = sel.ips_icmp_type;
4260 4259 ixa->ixa_ipsec_icmp_code = sel.ips_icmp_code;
4261 4260 ixa->ixa_ipsec_proto = sel.ips_protocol;
4262 4261 return (mp);
4263 4262 }
4264 4263
4265 4264 /*
4266 4265 * When appropriate, this function caches inbound and outbound policy
4267 4266 * for this connection. The outbound policy is stored in conn_ixa.
4268 4267 * Note that it can not be used for SCTP since conn_faddr isn't set for SCTP.
4269 4268 *
4270 4269 * XXX need to work out more details about per-interface policy and
4271 4270 * caching here!
4272 4271 *
4273 4272 * XXX may want to split inbound and outbound caching for ill..
4274 4273 */
4275 4274 int
4276 4275 ipsec_conn_cache_policy(conn_t *connp, boolean_t isv4)
4277 4276 {
4278 4277 boolean_t global_policy_present;
4279 4278 netstack_t *ns = connp->conn_netstack;
4280 4279 ipsec_stack_t *ipss = ns->netstack_ipsec;
4281 4280
4282 4281 connp->conn_ixa->ixa_ipsec_policy_gen =
4283 4282 ipss->ipsec_system_policy.iph_gen;
4284 4283 /*
4285 4284 * There is no policy latching for ICMP sockets because we can't
4286 4285 * decide on which policy to use until we see the packet and get
4287 4286 * type/code selectors.
4288 4287 */
4289 4288 if (connp->conn_proto == IPPROTO_ICMP ||
4290 4289 connp->conn_proto == IPPROTO_ICMPV6) {
4291 4290 connp->conn_in_enforce_policy =
4292 4291 connp->conn_out_enforce_policy = B_TRUE;
4293 4292 if (connp->conn_latch != NULL) {
4294 4293 IPLATCH_REFRELE(connp->conn_latch);
4295 4294 connp->conn_latch = NULL;
4296 4295 }
4297 4296 if (connp->conn_latch_in_policy != NULL) {
4298 4297 IPPOL_REFRELE(connp->conn_latch_in_policy);
4299 4298 connp->conn_latch_in_policy = NULL;
4300 4299 }
4301 4300 if (connp->conn_latch_in_action != NULL) {
4302 4301 IPACT_REFRELE(connp->conn_latch_in_action);
4303 4302 connp->conn_latch_in_action = NULL;
4304 4303 }
4305 4304 if (connp->conn_ixa->ixa_ipsec_policy != NULL) {
4306 4305 IPPOL_REFRELE(connp->conn_ixa->ixa_ipsec_policy);
4307 4306 connp->conn_ixa->ixa_ipsec_policy = NULL;
4308 4307 }
4309 4308 if (connp->conn_ixa->ixa_ipsec_action != NULL) {
4310 4309 IPACT_REFRELE(connp->conn_ixa->ixa_ipsec_action);
4311 4310 connp->conn_ixa->ixa_ipsec_action = NULL;
4312 4311 }
4313 4312 connp->conn_ixa->ixa_flags &= ~IXAF_IPSEC_SECURE;
4314 4313 return (0);
4315 4314 }
4316 4315
4317 4316 global_policy_present = isv4 ?
4318 4317 (ipss->ipsec_outbound_v4_policy_present ||
4319 4318 ipss->ipsec_inbound_v4_policy_present) :
4320 4319 (ipss->ipsec_outbound_v6_policy_present ||
4321 4320 ipss->ipsec_inbound_v6_policy_present);
4322 4321
4323 4322 if ((connp->conn_policy != NULL) || global_policy_present) {
4324 4323 ipsec_selector_t sel;
4325 4324 ipsec_policy_t *p;
4326 4325
4327 4326 if (connp->conn_latch == NULL &&
4328 4327 (connp->conn_latch = iplatch_create()) == NULL) {
4329 4328 return (ENOMEM);
4330 4329 }
4331 4330
4332 4331 bzero((void*)&sel, sizeof (sel));
4333 4332
4334 4333 sel.ips_protocol = connp->conn_proto;
4335 4334 sel.ips_local_port = connp->conn_lport;
4336 4335 sel.ips_remote_port = connp->conn_fport;
4337 4336 sel.ips_is_icmp_inv_acq = 0;
4338 4337 sel.ips_isv4 = isv4;
4339 4338 if (isv4) {
4340 4339 sel.ips_local_addr_v4 = connp->conn_laddr_v4;
4341 4340 sel.ips_remote_addr_v4 = connp->conn_faddr_v4;
4342 4341 } else {
4343 4342 sel.ips_local_addr_v6 = connp->conn_laddr_v6;
4344 4343 sel.ips_remote_addr_v6 = connp->conn_faddr_v6;
4345 4344 }
4346 4345
4347 4346 p = ipsec_find_policy(IPSEC_TYPE_INBOUND, connp, &sel, ns);
4348 4347 if (connp->conn_latch_in_policy != NULL)
4349 4348 IPPOL_REFRELE(connp->conn_latch_in_policy);
4350 4349 connp->conn_latch_in_policy = p;
4351 4350 connp->conn_in_enforce_policy = (p != NULL);
4352 4351
4353 4352 p = ipsec_find_policy(IPSEC_TYPE_OUTBOUND, connp, &sel, ns);
4354 4353 if (connp->conn_ixa->ixa_ipsec_policy != NULL)
4355 4354 IPPOL_REFRELE(connp->conn_ixa->ixa_ipsec_policy);
4356 4355 connp->conn_ixa->ixa_ipsec_policy = p;
4357 4356 connp->conn_out_enforce_policy = (p != NULL);
4358 4357 if (p != NULL) {
4359 4358 connp->conn_ixa->ixa_flags |= IXAF_IPSEC_SECURE;
4360 4359 if (connp->conn_policy == NULL) {
4361 4360 connp->conn_ixa->ixa_flags |=
4362 4361 IXAF_IPSEC_GLOBAL_POLICY;
4363 4362 }
4364 4363 } else {
4365 4364 connp->conn_ixa->ixa_flags &= ~IXAF_IPSEC_SECURE;
4366 4365 }
4367 4366 /* Clear the latched actions too, in case we're recaching. */
4368 4367 if (connp->conn_ixa->ixa_ipsec_action != NULL) {
4369 4368 IPACT_REFRELE(connp->conn_ixa->ixa_ipsec_action);
4370 4369 connp->conn_ixa->ixa_ipsec_action = NULL;
4371 4370 }
4372 4371 if (connp->conn_latch_in_action != NULL) {
4373 4372 IPACT_REFRELE(connp->conn_latch_in_action);
4374 4373 connp->conn_latch_in_action = NULL;
4375 4374 }
4376 4375 connp->conn_ixa->ixa_ipsec_src_port = sel.ips_local_port;
4377 4376 connp->conn_ixa->ixa_ipsec_dst_port = sel.ips_remote_port;
4378 4377 connp->conn_ixa->ixa_ipsec_icmp_type = sel.ips_icmp_type;
4379 4378 connp->conn_ixa->ixa_ipsec_icmp_code = sel.ips_icmp_code;
4380 4379 connp->conn_ixa->ixa_ipsec_proto = sel.ips_protocol;
4381 4380 } else {
4382 4381 connp->conn_ixa->ixa_flags &= ~IXAF_IPSEC_SECURE;
4383 4382 }
4384 4383
4385 4384 /*
4386 4385 * We may or may not have policy for this endpoint. We still set
4387 4386 * conn_policy_cached so that inbound datagrams don't have to look
4388 4387 * at global policy as policy is considered latched for these
4389 4388 * endpoints. We should not set conn_policy_cached until the conn
4390 4389 * reflects the actual policy. If we *set* this before inheriting
4391 4390 * the policy there is a window where the check
4392 4391 * CONN_INBOUND_POLICY_PRESENT, will neither check with the policy
4393 4392 * on the conn (because we have not yet copied the policy on to
4394 4393 * conn and hence not set conn_in_enforce_policy) nor with the
4395 4394 * global policy (because conn_policy_cached is already set).
4396 4395 */
4397 4396 connp->conn_policy_cached = B_TRUE;
4398 4397 return (0);
4399 4398 }
4400 4399
4401 4400 /*
4402 4401 * When appropriate, this function caches outbound policy for faddr/fport.
4403 4402 * It is used when we are not connected i.e., when we can not latch the
4404 4403 * policy.
4405 4404 */
4406 4405 void
4407 4406 ipsec_cache_outbound_policy(const conn_t *connp, const in6_addr_t *v6src,
4408 4407 const in6_addr_t *v6dst, in_port_t dstport, ip_xmit_attr_t *ixa)
4409 4408 {
4410 4409 boolean_t isv4 = (ixa->ixa_flags & IXAF_IS_IPV4) != 0;
4411 4410 boolean_t global_policy_present;
4412 4411 netstack_t *ns = connp->conn_netstack;
4413 4412 ipsec_stack_t *ipss = ns->netstack_ipsec;
4414 4413
4415 4414 ixa->ixa_ipsec_policy_gen = ipss->ipsec_system_policy.iph_gen;
4416 4415
4417 4416 /*
4418 4417 * There is no policy caching for ICMP sockets because we can't
4419 4418 * decide on which policy to use until we see the packet and get
4420 4419 * type/code selectors.
4421 4420 */
4422 4421 if (connp->conn_proto == IPPROTO_ICMP ||
4423 4422 connp->conn_proto == IPPROTO_ICMPV6) {
4424 4423 ixa->ixa_flags &= ~IXAF_IPSEC_SECURE;
4425 4424 if (ixa->ixa_ipsec_policy != NULL) {
4426 4425 IPPOL_REFRELE(ixa->ixa_ipsec_policy);
4427 4426 ixa->ixa_ipsec_policy = NULL;
4428 4427 }
4429 4428 if (ixa->ixa_ipsec_action != NULL) {
4430 4429 IPACT_REFRELE(ixa->ixa_ipsec_action);
4431 4430 ixa->ixa_ipsec_action = NULL;
4432 4431 }
4433 4432 return;
4434 4433 }
4435 4434
4436 4435 global_policy_present = isv4 ?
4437 4436 (ipss->ipsec_outbound_v4_policy_present ||
4438 4437 ipss->ipsec_inbound_v4_policy_present) :
4439 4438 (ipss->ipsec_outbound_v6_policy_present ||
4440 4439 ipss->ipsec_inbound_v6_policy_present);
4441 4440
4442 4441 if ((connp->conn_policy != NULL) || global_policy_present) {
4443 4442 ipsec_selector_t sel;
4444 4443 ipsec_policy_t *p;
4445 4444
4446 4445 bzero((void*)&sel, sizeof (sel));
4447 4446
4448 4447 sel.ips_protocol = connp->conn_proto;
4449 4448 sel.ips_local_port = connp->conn_lport;
4450 4449 sel.ips_remote_port = dstport;
4451 4450 sel.ips_is_icmp_inv_acq = 0;
4452 4451 sel.ips_isv4 = isv4;
4453 4452 if (isv4) {
4454 4453 IN6_V4MAPPED_TO_IPADDR(v6src, sel.ips_local_addr_v4);
4455 4454 IN6_V4MAPPED_TO_IPADDR(v6dst, sel.ips_remote_addr_v4);
4456 4455 } else {
4457 4456 sel.ips_local_addr_v6 = *v6src;
4458 4457 sel.ips_remote_addr_v6 = *v6dst;
4459 4458 }
4460 4459
4461 4460 p = ipsec_find_policy(IPSEC_TYPE_OUTBOUND, connp, &sel, ns);
4462 4461 if (ixa->ixa_ipsec_policy != NULL)
4463 4462 IPPOL_REFRELE(ixa->ixa_ipsec_policy);
4464 4463 ixa->ixa_ipsec_policy = p;
4465 4464 if (p != NULL) {
4466 4465 ixa->ixa_flags |= IXAF_IPSEC_SECURE;
4467 4466 if (connp->conn_policy == NULL)
4468 4467 ixa->ixa_flags |= IXAF_IPSEC_GLOBAL_POLICY;
4469 4468 } else {
4470 4469 ixa->ixa_flags &= ~IXAF_IPSEC_SECURE;
4471 4470 }
4472 4471 /* Clear the latched actions too, in case we're recaching. */
4473 4472 if (ixa->ixa_ipsec_action != NULL) {
4474 4473 IPACT_REFRELE(ixa->ixa_ipsec_action);
4475 4474 ixa->ixa_ipsec_action = NULL;
4476 4475 }
4477 4476
4478 4477 ixa->ixa_ipsec_src_port = sel.ips_local_port;
4479 4478 ixa->ixa_ipsec_dst_port = sel.ips_remote_port;
4480 4479 ixa->ixa_ipsec_icmp_type = sel.ips_icmp_type;
4481 4480 ixa->ixa_ipsec_icmp_code = sel.ips_icmp_code;
4482 4481 ixa->ixa_ipsec_proto = sel.ips_protocol;
4483 4482 } else {
4484 4483 ixa->ixa_flags &= ~IXAF_IPSEC_SECURE;
4485 4484 if (ixa->ixa_ipsec_policy != NULL) {
4486 4485 IPPOL_REFRELE(ixa->ixa_ipsec_policy);
4487 4486 ixa->ixa_ipsec_policy = NULL;
4488 4487 }
4489 4488 if (ixa->ixa_ipsec_action != NULL) {
4490 4489 IPACT_REFRELE(ixa->ixa_ipsec_action);
4491 4490 ixa->ixa_ipsec_action = NULL;
4492 4491 }
4493 4492 }
4494 4493 }
4495 4494
4496 4495 /*
4497 4496 * Returns B_FALSE if the policy has gone stale.
4498 4497 */
4499 4498 boolean_t
4500 4499 ipsec_outbound_policy_current(ip_xmit_attr_t *ixa)
4501 4500 {
4502 4501 ipsec_stack_t *ipss = ixa->ixa_ipst->ips_netstack->netstack_ipsec;
4503 4502
4504 4503 if (!(ixa->ixa_flags & IXAF_IPSEC_GLOBAL_POLICY))
4505 4504 return (B_TRUE);
4506 4505
4507 4506 return (ixa->ixa_ipsec_policy_gen == ipss->ipsec_system_policy.iph_gen);
4508 4507 }
4509 4508
4510 4509 void
4511 4510 iplatch_free(ipsec_latch_t *ipl)
4512 4511 {
4513 4512 if (ipl->ipl_local_cid != NULL)
4514 4513 IPSID_REFRELE(ipl->ipl_local_cid);
4515 4514 if (ipl->ipl_remote_cid != NULL)
4516 4515 IPSID_REFRELE(ipl->ipl_remote_cid);
4517 4516 mutex_destroy(&ipl->ipl_lock);
4518 4517 kmem_free(ipl, sizeof (*ipl));
4519 4518 }
4520 4519
4521 4520 ipsec_latch_t *
4522 4521 iplatch_create()
4523 4522 {
4524 4523 ipsec_latch_t *ipl = kmem_alloc(sizeof (*ipl), KM_NOSLEEP);
4525 4524 if (ipl == NULL)
4526 4525 return (ipl);
4527 4526 bzero(ipl, sizeof (*ipl));
4528 4527 mutex_init(&ipl->ipl_lock, NULL, MUTEX_DEFAULT, NULL);
4529 4528 ipl->ipl_refcnt = 1;
4530 4529 return (ipl);
4531 4530 }
4532 4531
4533 4532 /*
4534 4533 * Hash function for ID hash table.
4535 4534 */
4536 4535 static uint32_t
4537 4536 ipsid_hash(int idtype, char *idstring)
4538 4537 {
4539 4538 uint32_t hval = idtype;
4540 4539 unsigned char c;
4541 4540
4542 4541 while ((c = *idstring++) != 0) {
4543 4542 hval = (hval << 4) | (hval >> 28);
4544 4543 hval ^= c;
4545 4544 }
4546 4545 hval = hval ^ (hval >> 16);
4547 4546 return (hval & (IPSID_HASHSIZE-1));
4548 4547 }
4549 4548
4550 4549 /*
4551 4550 * Look up identity string in hash table. Return identity object
4552 4551 * corresponding to the name -- either preexisting, or newly allocated.
4553 4552 *
4554 4553 * Return NULL if we need to allocate a new one and can't get memory.
4555 4554 */
4556 4555 ipsid_t *
4557 4556 ipsid_lookup(int idtype, char *idstring, netstack_t *ns)
4558 4557 {
4559 4558 ipsid_t *retval;
4560 4559 char *nstr;
4561 4560 int idlen = strlen(idstring) + 1;
4562 4561 ipsec_stack_t *ipss = ns->netstack_ipsec;
4563 4562 ipsif_t *bucket;
4564 4563
4565 4564 bucket = &ipss->ipsec_ipsid_buckets[ipsid_hash(idtype, idstring)];
4566 4565
4567 4566 mutex_enter(&bucket->ipsif_lock);
4568 4567
4569 4568 for (retval = bucket->ipsif_head; retval != NULL;
4570 4569 retval = retval->ipsid_next) {
4571 4570 if (idtype != retval->ipsid_type)
4572 4571 continue;
4573 4572 if (bcmp(idstring, retval->ipsid_cid, idlen) != 0)
4574 4573 continue;
4575 4574
4576 4575 IPSID_REFHOLD(retval);
4577 4576 mutex_exit(&bucket->ipsif_lock);
4578 4577 return (retval);
4579 4578 }
4580 4579
4581 4580 retval = kmem_alloc(sizeof (*retval), KM_NOSLEEP);
4582 4581 if (!retval) {
4583 4582 mutex_exit(&bucket->ipsif_lock);
4584 4583 return (NULL);
4585 4584 }
4586 4585
4587 4586 nstr = kmem_alloc(idlen, KM_NOSLEEP);
4588 4587 if (!nstr) {
4589 4588 mutex_exit(&bucket->ipsif_lock);
4590 4589 kmem_free(retval, sizeof (*retval));
4591 4590 return (NULL);
4592 4591 }
4593 4592
4594 4593 retval->ipsid_refcnt = 1;
4595 4594 retval->ipsid_next = bucket->ipsif_head;
4596 4595 if (retval->ipsid_next != NULL)
4597 4596 retval->ipsid_next->ipsid_ptpn = &retval->ipsid_next;
4598 4597 retval->ipsid_ptpn = &bucket->ipsif_head;
4599 4598 retval->ipsid_type = idtype;
4600 4599 retval->ipsid_cid = nstr;
4601 4600 bucket->ipsif_head = retval;
4602 4601 bcopy(idstring, nstr, idlen);
4603 4602 mutex_exit(&bucket->ipsif_lock);
4604 4603
4605 4604 return (retval);
4606 4605 }
4607 4606
4608 4607 /*
4609 4608 * Garbage collect the identity hash table.
4610 4609 */
4611 4610 void
4612 4611 ipsid_gc(netstack_t *ns)
4613 4612 {
4614 4613 int i, len;
4615 4614 ipsid_t *id, *nid;
4616 4615 ipsif_t *bucket;
4617 4616 ipsec_stack_t *ipss = ns->netstack_ipsec;
4618 4617
4619 4618 for (i = 0; i < IPSID_HASHSIZE; i++) {
4620 4619 bucket = &ipss->ipsec_ipsid_buckets[i];
4621 4620 mutex_enter(&bucket->ipsif_lock);
4622 4621 for (id = bucket->ipsif_head; id != NULL; id = nid) {
4623 4622 nid = id->ipsid_next;
4624 4623 if (id->ipsid_refcnt == 0) {
4625 4624 *id->ipsid_ptpn = nid;
4626 4625 if (nid != NULL)
4627 4626 nid->ipsid_ptpn = id->ipsid_ptpn;
4628 4627 len = strlen(id->ipsid_cid) + 1;
4629 4628 kmem_free(id->ipsid_cid, len);
4630 4629 kmem_free(id, sizeof (*id));
4631 4630 }
4632 4631 }
4633 4632 mutex_exit(&bucket->ipsif_lock);
4634 4633 }
4635 4634 }
4636 4635
4637 4636 /*
4638 4637 * Return true if two identities are the same.
4639 4638 */
4640 4639 boolean_t
4641 4640 ipsid_equal(ipsid_t *id1, ipsid_t *id2)
4642 4641 {
4643 4642 if (id1 == id2)
4644 4643 return (B_TRUE);
4645 4644 #ifdef DEBUG
4646 4645 if ((id1 == NULL) || (id2 == NULL))
4647 4646 return (B_FALSE);
4648 4647 /*
4649 4648 * test that we're interning id's correctly..
4650 4649 */
4651 4650 ASSERT((strcmp(id1->ipsid_cid, id2->ipsid_cid) != 0) ||
4652 4651 (id1->ipsid_type != id2->ipsid_type));
4653 4652 #endif
4654 4653 return (B_FALSE);
4655 4654 }
4656 4655
4657 4656 /*
4658 4657 * Initialize identity table; called during module initialization.
4659 4658 */
4660 4659 static void
4661 4660 ipsid_init(netstack_t *ns)
4662 4661 {
4663 4662 ipsif_t *bucket;
4664 4663 int i;
4665 4664 ipsec_stack_t *ipss = ns->netstack_ipsec;
4666 4665
4667 4666 for (i = 0; i < IPSID_HASHSIZE; i++) {
4668 4667 bucket = &ipss->ipsec_ipsid_buckets[i];
4669 4668 mutex_init(&bucket->ipsif_lock, NULL, MUTEX_DEFAULT, NULL);
4670 4669 }
4671 4670 }
4672 4671
4673 4672 /*
4674 4673 * Free identity table (preparatory to module unload)
4675 4674 */
4676 4675 static void
4677 4676 ipsid_fini(netstack_t *ns)
4678 4677 {
4679 4678 ipsif_t *bucket;
4680 4679 int i;
4681 4680 ipsec_stack_t *ipss = ns->netstack_ipsec;
4682 4681
4683 4682 for (i = 0; i < IPSID_HASHSIZE; i++) {
4684 4683 bucket = &ipss->ipsec_ipsid_buckets[i];
4685 4684 ASSERT(bucket->ipsif_head == NULL);
4686 4685 mutex_destroy(&bucket->ipsif_lock);
4687 4686 }
4688 4687 }
4689 4688
4690 4689 /*
4691 4690 * Update the minimum and maximum supported key sizes for the
4692 4691 * specified algorithm. Must be called while holding the algorithms lock.
4693 4692 */
4694 4693 void
4695 4694 ipsec_alg_fix_min_max(ipsec_alginfo_t *alg, ipsec_algtype_t alg_type,
4696 4695 netstack_t *ns)
4697 4696 {
4698 4697 size_t crypto_min = (size_t)-1, crypto_max = 0;
4699 4698 size_t cur_crypto_min, cur_crypto_max;
4700 4699 boolean_t is_valid;
4701 4700 crypto_mechanism_info_t *mech_infos;
4702 4701 uint_t nmech_infos;
4703 4702 int crypto_rc, i;
4704 4703 crypto_mech_usage_t mask;
4705 4704 ipsec_stack_t *ipss = ns->netstack_ipsec;
4706 4705
4707 4706 ASSERT(MUTEX_HELD(&ipss->ipsec_alg_lock));
4708 4707
4709 4708 /*
4710 4709 * Compute the min, max, and default key sizes (in number of
4711 4710 * increments to the default key size in bits) as defined
4712 4711 * by the algorithm mappings. This range of key sizes is used
4713 4712 * for policy related operations. The effective key sizes
4714 4713 * supported by the framework could be more limited than
4715 4714 * those defined for an algorithm.
4716 4715 */
4717 4716 alg->alg_default_bits = alg->alg_key_sizes[0];
4718 4717 alg->alg_default = 0;
4719 4718 if (alg->alg_increment != 0) {
4720 4719 /* key sizes are defined by range & increment */
4721 4720 alg->alg_minbits = alg->alg_key_sizes[1];
4722 4721 alg->alg_maxbits = alg->alg_key_sizes[2];
4723 4722 } else if (alg->alg_nkey_sizes == 0) {
4724 4723 /* no specified key size for algorithm */
4725 4724 alg->alg_minbits = alg->alg_maxbits = 0;
4726 4725 } else {
4727 4726 /* key sizes are defined by enumeration */
4728 4727 alg->alg_minbits = (uint16_t)-1;
4729 4728 alg->alg_maxbits = 0;
4730 4729
4731 4730 for (i = 0; i < alg->alg_nkey_sizes; i++) {
4732 4731 if (alg->alg_key_sizes[i] < alg->alg_minbits)
4733 4732 alg->alg_minbits = alg->alg_key_sizes[i];
4734 4733 if (alg->alg_key_sizes[i] > alg->alg_maxbits)
4735 4734 alg->alg_maxbits = alg->alg_key_sizes[i];
4736 4735 }
4737 4736 }
4738 4737
4739 4738 if (!(alg->alg_flags & ALG_FLAG_VALID))
4740 4739 return;
4741 4740
4742 4741 /*
4743 4742 * Mechanisms do not apply to the NULL encryption
4744 4743 * algorithm, so simply return for this case.
4745 4744 */
4746 4745 if (alg->alg_id == SADB_EALG_NULL)
4747 4746 return;
4748 4747
4749 4748 /*
4750 4749 * Find the min and max key sizes supported by the cryptographic
4751 4750 * framework providers.
4752 4751 */
4753 4752
4754 4753 /* get the key sizes supported by the framework */
4755 4754 crypto_rc = crypto_get_all_mech_info(alg->alg_mech_type,
4756 4755 &mech_infos, &nmech_infos, KM_SLEEP);
4757 4756 if (crypto_rc != CRYPTO_SUCCESS || nmech_infos == 0) {
4758 4757 alg->alg_flags &= ~ALG_FLAG_VALID;
4759 4758 return;
4760 4759 }
4761 4760
4762 4761 /* min and max key sizes supported by framework */
4763 4762 for (i = 0, is_valid = B_FALSE; i < nmech_infos; i++) {
4764 4763 int unit_bits;
4765 4764
4766 4765 /*
4767 4766 * Ignore entries that do not support the operations
4768 4767 * needed for the algorithm type.
4769 4768 */
4770 4769 if (alg_type == IPSEC_ALG_AUTH) {
4771 4770 mask = CRYPTO_MECH_USAGE_MAC;
4772 4771 } else {
4773 4772 mask = CRYPTO_MECH_USAGE_ENCRYPT |
4774 4773 CRYPTO_MECH_USAGE_DECRYPT;
4775 4774 }
4776 4775 if ((mech_infos[i].mi_usage & mask) != mask)
4777 4776 continue;
4778 4777
4779 4778 unit_bits = (mech_infos[i].mi_keysize_unit ==
4780 4779 CRYPTO_KEYSIZE_UNIT_IN_BYTES) ? 8 : 1;
4781 4780 /* adjust min/max supported by framework */
4782 4781 cur_crypto_min = mech_infos[i].mi_min_key_size * unit_bits;
4783 4782 cur_crypto_max = mech_infos[i].mi_max_key_size * unit_bits;
4784 4783
4785 4784 if (cur_crypto_min < crypto_min)
4786 4785 crypto_min = cur_crypto_min;
4787 4786
4788 4787 /*
4789 4788 * CRYPTO_EFFECTIVELY_INFINITE is a special value of
4790 4789 * the crypto framework which means "no upper limit".
4791 4790 */
4792 4791 if (mech_infos[i].mi_max_key_size ==
4793 4792 CRYPTO_EFFECTIVELY_INFINITE) {
4794 4793 crypto_max = (size_t)-1;
4795 4794 } else if (cur_crypto_max > crypto_max) {
4796 4795 crypto_max = cur_crypto_max;
4797 4796 }
4798 4797
4799 4798 is_valid = B_TRUE;
4800 4799 }
4801 4800
4802 4801 kmem_free(mech_infos, sizeof (crypto_mechanism_info_t) *
4803 4802 nmech_infos);
4804 4803
4805 4804 if (!is_valid) {
4806 4805 /* no key sizes supported by framework */
4807 4806 alg->alg_flags &= ~ALG_FLAG_VALID;
4808 4807 return;
4809 4808 }
4810 4809
4811 4810 /*
4812 4811 * Determine min and max key sizes from alg_key_sizes[].
4813 4812 * defined for the algorithm entry. Adjust key sizes based on
4814 4813 * those supported by the framework.
4815 4814 */
4816 4815 alg->alg_ef_default_bits = alg->alg_key_sizes[0];
4817 4816
4818 4817 /*
4819 4818 * For backwards compatability, assume that the IV length
4820 4819 * is the same as the data length.
4821 4820 */
4822 4821 alg->alg_ivlen = alg->alg_datalen;
4823 4822
4824 4823 /*
4825 4824 * Copy any algorithm parameters (if provided) into dedicated
4826 4825 * elements in the ipsec_alginfo_t structure.
4827 4826 * There may be a better place to put this code.
4828 4827 */
4829 4828 for (i = 0; i < alg->alg_nparams; i++) {
4830 4829 switch (i) {
4831 4830 case 0:
4832 4831 /* Initialisation Vector length (bytes) */
4833 4832 alg->alg_ivlen = alg->alg_params[0];
4834 4833 break;
4835 4834 case 1:
4836 4835 /* Integrity Check Vector length (bytes) */
4837 4836 alg->alg_icvlen = alg->alg_params[1];
4838 4837 break;
4839 4838 case 2:
4840 4839 /* Salt length (bytes) */
4841 4840 alg->alg_saltlen = (uint8_t)alg->alg_params[2];
4842 4841 break;
4843 4842 default:
4844 4843 break;
4845 4844 }
4846 4845 }
4847 4846
4848 4847 /* Default if the IV length is not specified. */
4849 4848 if (alg_type == IPSEC_ALG_ENCR && alg->alg_ivlen == 0)
4850 4849 alg->alg_ivlen = alg->alg_datalen;
4851 4850
4852 4851 alg_flag_check(alg);
4853 4852
4854 4853 if (alg->alg_increment != 0) {
4855 4854 /* supported key sizes are defined by range & increment */
4856 4855 crypto_min = ALGBITS_ROUND_UP(crypto_min, alg->alg_increment);
4857 4856 crypto_max = ALGBITS_ROUND_DOWN(crypto_max, alg->alg_increment);
4858 4857
4859 4858 alg->alg_ef_minbits = MAX(alg->alg_minbits,
4860 4859 (uint16_t)crypto_min);
4861 4860 alg->alg_ef_maxbits = MIN(alg->alg_maxbits,
4862 4861 (uint16_t)crypto_max);
4863 4862
4864 4863 /*
4865 4864 * If the sizes supported by the framework are outside
4866 4865 * the range of sizes defined by the algorithm mappings,
4867 4866 * the algorithm cannot be used. Check for this
4868 4867 * condition here.
4869 4868 */
4870 4869 if (alg->alg_ef_minbits > alg->alg_ef_maxbits) {
4871 4870 alg->alg_flags &= ~ALG_FLAG_VALID;
4872 4871 return;
4873 4872 }
4874 4873 if (alg->alg_ef_default_bits < alg->alg_ef_minbits)
4875 4874 alg->alg_ef_default_bits = alg->alg_ef_minbits;
4876 4875 if (alg->alg_ef_default_bits > alg->alg_ef_maxbits)
4877 4876 alg->alg_ef_default_bits = alg->alg_ef_maxbits;
4878 4877 } else if (alg->alg_nkey_sizes == 0) {
4879 4878 /* no specified key size for algorithm */
4880 4879 alg->alg_ef_minbits = alg->alg_ef_maxbits = 0;
4881 4880 } else {
4882 4881 /* supported key sizes are defined by enumeration */
4883 4882 alg->alg_ef_minbits = (uint16_t)-1;
4884 4883 alg->alg_ef_maxbits = 0;
4885 4884
4886 4885 for (i = 0, is_valid = B_FALSE; i < alg->alg_nkey_sizes; i++) {
4887 4886 /*
4888 4887 * Ignore the current key size if it is not in the
4889 4888 * range of sizes supported by the framework.
4890 4889 */
4891 4890 if (alg->alg_key_sizes[i] < crypto_min ||
4892 4891 alg->alg_key_sizes[i] > crypto_max)
4893 4892 continue;
4894 4893 if (alg->alg_key_sizes[i] < alg->alg_ef_minbits)
4895 4894 alg->alg_ef_minbits = alg->alg_key_sizes[i];
4896 4895 if (alg->alg_key_sizes[i] > alg->alg_ef_maxbits)
4897 4896 alg->alg_ef_maxbits = alg->alg_key_sizes[i];
4898 4897 is_valid = B_TRUE;
4899 4898 }
4900 4899
4901 4900 if (!is_valid) {
4902 4901 alg->alg_flags &= ~ALG_FLAG_VALID;
4903 4902 return;
4904 4903 }
4905 4904 alg->alg_ef_default = 0;
4906 4905 }
4907 4906 }
4908 4907
4909 4908 /*
4910 4909 * Sanity check parameters provided by ipsecalgs(1m). Assume that
4911 4910 * the algoritm is marked as valid, there is a check at the top
4912 4911 * of this function. If any of the checks below fail, the algorithm
4913 4912 * entry is invalid.
4914 4913 */
4915 4914 void
4916 4915 alg_flag_check(ipsec_alginfo_t *alg)
4917 4916 {
4918 4917 alg->alg_flags &= ~ALG_FLAG_VALID;
4919 4918
4920 4919 /*
4921 4920 * Can't have the algorithm marked as CCM and GCM.
4922 4921 * Check the ALG_FLAG_COMBINED and ALG_FLAG_COUNTERMODE
4923 4922 * flags are set for CCM & GCM.
4924 4923 */
4925 4924 if ((alg->alg_flags & (ALG_FLAG_CCM|ALG_FLAG_GCM)) ==
4926 4925 (ALG_FLAG_CCM|ALG_FLAG_GCM))
4927 4926 return;
4928 4927 if (alg->alg_flags & (ALG_FLAG_CCM|ALG_FLAG_GCM)) {
4929 4928 if (!(alg->alg_flags & ALG_FLAG_COUNTERMODE))
4930 4929 return;
4931 4930 if (!(alg->alg_flags & ALG_FLAG_COMBINED))
4932 4931 return;
4933 4932 }
4934 4933
4935 4934 /*
4936 4935 * For ALG_FLAG_COUNTERMODE, check the parameters
4937 4936 * fit in the ipsec_nonce_t structure.
4938 4937 */
4939 4938 if (alg->alg_flags & ALG_FLAG_COUNTERMODE) {
4940 4939 if (alg->alg_ivlen != sizeof (((ipsec_nonce_t *)NULL)->iv))
4941 4940 return;
4942 4941 if (alg->alg_saltlen > sizeof (((ipsec_nonce_t *)NULL)->salt))
4943 4942 return;
4944 4943 }
4945 4944 if ((alg->alg_flags & ALG_FLAG_COMBINED) &&
4946 4945 (alg->alg_icvlen == 0))
4947 4946 return;
4948 4947
4949 4948 /* all is well. */
4950 4949 alg->alg_flags |= ALG_FLAG_VALID;
4951 4950 }
4952 4951
4953 4952 /*
4954 4953 * Free the memory used by the specified algorithm.
4955 4954 */
4956 4955 void
4957 4956 ipsec_alg_free(ipsec_alginfo_t *alg)
4958 4957 {
4959 4958 if (alg == NULL)
4960 4959 return;
4961 4960
4962 4961 if (alg->alg_key_sizes != NULL) {
4963 4962 kmem_free(alg->alg_key_sizes,
4964 4963 (alg->alg_nkey_sizes + 1) * sizeof (uint16_t));
4965 4964 alg->alg_key_sizes = NULL;
4966 4965 }
4967 4966 if (alg->alg_block_sizes != NULL) {
4968 4967 kmem_free(alg->alg_block_sizes,
4969 4968 (alg->alg_nblock_sizes + 1) * sizeof (uint16_t));
4970 4969 alg->alg_block_sizes = NULL;
4971 4970 }
4972 4971 if (alg->alg_params != NULL) {
4973 4972 kmem_free(alg->alg_params,
4974 4973 (alg->alg_nparams + 1) * sizeof (uint16_t));
4975 4974 alg->alg_params = NULL;
4976 4975 }
4977 4976 kmem_free(alg, sizeof (*alg));
4978 4977 }
4979 4978
4980 4979 /*
4981 4980 * Check the validity of the specified key size for an algorithm.
4982 4981 * Returns B_TRUE if key size is valid, B_FALSE otherwise.
4983 4982 */
4984 4983 boolean_t
4985 4984 ipsec_valid_key_size(uint16_t key_size, ipsec_alginfo_t *alg)
4986 4985 {
4987 4986 if (key_size < alg->alg_ef_minbits || key_size > alg->alg_ef_maxbits)
4988 4987 return (B_FALSE);
4989 4988
4990 4989 if (alg->alg_increment == 0 && alg->alg_nkey_sizes != 0) {
4991 4990 /*
4992 4991 * If the key sizes are defined by enumeration, the new
4993 4992 * key size must be equal to one of the supported values.
4994 4993 */
4995 4994 int i;
4996 4995
4997 4996 for (i = 0; i < alg->alg_nkey_sizes; i++)
4998 4997 if (key_size == alg->alg_key_sizes[i])
4999 4998 break;
5000 4999 if (i == alg->alg_nkey_sizes)
5001 5000 return (B_FALSE);
5002 5001 }
5003 5002
5004 5003 return (B_TRUE);
5005 5004 }
5006 5005
5007 5006 /*
5008 5007 * Callback function invoked by the crypto framework when a provider
5009 5008 * registers or unregisters. This callback updates the algorithms
5010 5009 * tables when a crypto algorithm is no longer available or becomes
5011 5010 * available, and triggers the freeing/creation of context templates
5012 5011 * associated with existing SAs, if needed.
5013 5012 *
5014 5013 * Need to walk all stack instances since the callback is global
5015 5014 * for all instances
5016 5015 */
5017 5016 void
5018 5017 ipsec_prov_update_callback(uint32_t event, void *event_arg)
5019 5018 {
5020 5019 netstack_handle_t nh;
5021 5020 netstack_t *ns;
5022 5021
5023 5022 netstack_next_init(&nh);
5024 5023 while ((ns = netstack_next(&nh)) != NULL) {
5025 5024 ipsec_prov_update_callback_stack(event, event_arg, ns);
5026 5025 netstack_rele(ns);
5027 5026 }
5028 5027 netstack_next_fini(&nh);
5029 5028 }
5030 5029
5031 5030 static void
5032 5031 ipsec_prov_update_callback_stack(uint32_t event, void *event_arg,
5033 5032 netstack_t *ns)
5034 5033 {
5035 5034 crypto_notify_event_change_t *prov_change =
5036 5035 (crypto_notify_event_change_t *)event_arg;
5037 5036 uint_t algidx, algid, algtype, mech_count, mech_idx;
5038 5037 ipsec_alginfo_t *alg;
5039 5038 ipsec_alginfo_t oalg;
5040 5039 crypto_mech_name_t *mechs;
5041 5040 boolean_t alg_changed = B_FALSE;
5042 5041 ipsec_stack_t *ipss = ns->netstack_ipsec;
5043 5042
5044 5043 /* ignore events for which we didn't register */
5045 5044 if (event != CRYPTO_EVENT_MECHS_CHANGED) {
5046 5045 ip1dbg(("ipsec_prov_update_callback: unexpected event 0x%x "
5047 5046 " received from crypto framework\n", event));
5048 5047 return;
5049 5048 }
5050 5049
5051 5050 mechs = crypto_get_mech_list(&mech_count, KM_SLEEP);
5052 5051 if (mechs == NULL)
5053 5052 return;
5054 5053
5055 5054 /*
5056 5055 * Walk the list of currently defined IPsec algorithm. Update
5057 5056 * the algorithm valid flag and trigger an update of the
5058 5057 * SAs that depend on that algorithm.
5059 5058 */
5060 5059 mutex_enter(&ipss->ipsec_alg_lock);
5061 5060 for (algtype = 0; algtype < IPSEC_NALGTYPES; algtype++) {
5062 5061 for (algidx = 0; algidx < ipss->ipsec_nalgs[algtype];
5063 5062 algidx++) {
5064 5063
5065 5064 algid = ipss->ipsec_sortlist[algtype][algidx];
5066 5065 alg = ipss->ipsec_alglists[algtype][algid];
5067 5066 ASSERT(alg != NULL);
5068 5067
5069 5068 /*
5070 5069 * Skip the algorithms which do not map to the
5071 5070 * crypto framework provider being added or removed.
5072 5071 */
5073 5072 if (strncmp(alg->alg_mech_name,
5074 5073 prov_change->ec_mech_name,
5075 5074 CRYPTO_MAX_MECH_NAME) != 0)
5076 5075 continue;
5077 5076
5078 5077 /*
5079 5078 * Determine if the mechanism is valid. If it
5080 5079 * is not, mark the algorithm as being invalid. If
5081 5080 * it is, mark the algorithm as being valid.
5082 5081 */
5083 5082 for (mech_idx = 0; mech_idx < mech_count; mech_idx++)
5084 5083 if (strncmp(alg->alg_mech_name,
5085 5084 mechs[mech_idx], CRYPTO_MAX_MECH_NAME) == 0)
5086 5085 break;
5087 5086 if (mech_idx == mech_count &&
5088 5087 alg->alg_flags & ALG_FLAG_VALID) {
5089 5088 alg->alg_flags &= ~ALG_FLAG_VALID;
5090 5089 alg_changed = B_TRUE;
5091 5090 } else if (mech_idx < mech_count &&
5092 5091 !(alg->alg_flags & ALG_FLAG_VALID)) {
5093 5092 alg->alg_flags |= ALG_FLAG_VALID;
5094 5093 alg_changed = B_TRUE;
5095 5094 }
5096 5095
5097 5096 /*
5098 5097 * Update the supported key sizes, regardless
5099 5098 * of whether a crypto provider was added or
5100 5099 * removed.
5101 5100 */
5102 5101 oalg = *alg;
5103 5102 ipsec_alg_fix_min_max(alg, algtype, ns);
5104 5103 if (!alg_changed &&
5105 5104 alg->alg_ef_minbits != oalg.alg_ef_minbits ||
5106 5105 alg->alg_ef_maxbits != oalg.alg_ef_maxbits ||
5107 5106 alg->alg_ef_default != oalg.alg_ef_default ||
5108 5107 alg->alg_ef_default_bits !=
5109 5108 oalg.alg_ef_default_bits)
5110 5109 alg_changed = B_TRUE;
5111 5110
5112 5111 /*
5113 5112 * Update the affected SAs if a software provider is
5114 5113 * being added or removed.
5115 5114 */
5116 5115 if (prov_change->ec_provider_type ==
5117 5116 CRYPTO_SW_PROVIDER)
5118 5117 sadb_alg_update(algtype, alg->alg_id,
5119 5118 prov_change->ec_change ==
5120 5119 CRYPTO_MECH_ADDED, ns);
5121 5120 }
5122 5121 }
5123 5122 mutex_exit(&ipss->ipsec_alg_lock);
5124 5123 crypto_free_mech_list(mechs, mech_count);
5125 5124
5126 5125 if (alg_changed) {
5127 5126 /*
5128 5127 * An algorithm has changed, i.e. it became valid or
5129 5128 * invalid, or its support key sizes have changed.
5130 5129 * Notify ipsecah and ipsecesp of this change so
5131 5130 * that they can send a SADB_REGISTER to their consumers.
5132 5131 */
5133 5132 ipsecah_algs_changed(ns);
5134 5133 ipsecesp_algs_changed(ns);
5135 5134 }
5136 5135 }
5137 5136
5138 5137 /*
5139 5138 * Registers with the crypto framework to be notified of crypto
5140 5139 * providers changes. Used to update the algorithm tables and
5141 5140 * to free or create context templates if needed. Invoked after IPsec
5142 5141 * is loaded successfully.
5143 5142 *
5144 5143 * This is called separately for each IP instance, so we ensure we only
5145 5144 * register once.
5146 5145 */
5147 5146 void
5148 5147 ipsec_register_prov_update(void)
5149 5148 {
5150 5149 if (prov_update_handle != NULL)
5151 5150 return;
5152 5151
5153 5152 prov_update_handle = crypto_notify_events(
5154 5153 ipsec_prov_update_callback, CRYPTO_EVENT_MECHS_CHANGED);
5155 5154 }
5156 5155
5157 5156 /*
5158 5157 * Unregisters from the framework to be notified of crypto providers
5159 5158 * changes. Called from ipsec_policy_g_destroy().
5160 5159 */
5161 5160 static void
5162 5161 ipsec_unregister_prov_update(void)
5163 5162 {
5164 5163 if (prov_update_handle != NULL)
5165 5164 crypto_unnotify_events(prov_update_handle);
5166 5165 }
5167 5166
5168 5167 /*
5169 5168 * Tunnel-mode support routines.
5170 5169 */
5171 5170
5172 5171 /*
5173 5172 * Returns an mblk chain suitable for putnext() if policies match and IPsec
5174 5173 * SAs are available. If there's no per-tunnel policy, or a match comes back
5175 5174 * with no match, then still return the packet and have global policy take
5176 5175 * a crack at it in IP.
5177 5176 * This updates the ip_xmit_attr with the IPsec policy.
5178 5177 *
5179 5178 * Remember -> we can be forwarding packets. Keep that in mind w.r.t.
5180 5179 * inner-packet contents.
5181 5180 */
5182 5181 mblk_t *
5183 5182 ipsec_tun_outbound(mblk_t *mp, iptun_t *iptun, ipha_t *inner_ipv4,
5184 5183 ip6_t *inner_ipv6, ipha_t *outer_ipv4, ip6_t *outer_ipv6, int outer_hdr_len,
5185 5184 ip_xmit_attr_t *ixa)
5186 5185 {
5187 5186 ipsec_policy_head_t *polhead;
5188 5187 ipsec_selector_t sel;
5189 5188 mblk_t *nmp;
5190 5189 boolean_t is_fragment;
5191 5190 ipsec_policy_t *pol;
5192 5191 ipsec_tun_pol_t *itp = iptun->iptun_itp;
5193 5192 netstack_t *ns = iptun->iptun_ns;
5194 5193 ipsec_stack_t *ipss = ns->netstack_ipsec;
5195 5194
5196 5195 ASSERT(outer_ipv6 != NULL && outer_ipv4 == NULL ||
5197 5196 outer_ipv4 != NULL && outer_ipv6 == NULL);
5198 5197 /* We take care of inners in a bit. */
5199 5198
5200 5199 /* Are the IPsec fields initialized at all? */
5201 5200 if (!(ixa->ixa_flags & IXAF_IPSEC_SECURE)) {
5202 5201 ASSERT(ixa->ixa_ipsec_policy == NULL);
5203 5202 ASSERT(ixa->ixa_ipsec_latch == NULL);
5204 5203 ASSERT(ixa->ixa_ipsec_action == NULL);
5205 5204 ASSERT(ixa->ixa_ipsec_ah_sa == NULL);
5206 5205 ASSERT(ixa->ixa_ipsec_esp_sa == NULL);
5207 5206 }
5208 5207
5209 5208 ASSERT(itp != NULL && (itp->itp_flags & ITPF_P_ACTIVE));
5210 5209 polhead = itp->itp_policy;
5211 5210
5212 5211 bzero(&sel, sizeof (sel));
5213 5212 if (inner_ipv4 != NULL) {
5214 5213 ASSERT(inner_ipv6 == NULL);
5215 5214 sel.ips_isv4 = B_TRUE;
5216 5215 sel.ips_local_addr_v4 = inner_ipv4->ipha_src;
5217 5216 sel.ips_remote_addr_v4 = inner_ipv4->ipha_dst;
5218 5217 sel.ips_protocol = (uint8_t)inner_ipv4->ipha_protocol;
5219 5218 } else {
5220 5219 ASSERT(inner_ipv6 != NULL);
5221 5220 sel.ips_isv4 = B_FALSE;
5222 5221 sel.ips_local_addr_v6 = inner_ipv6->ip6_src;
5223 5222 /*
5224 5223 * We don't care about routing-header dests in the
5225 5224 * forwarding/tunnel path, so just grab ip6_dst.
5226 5225 */
5227 5226 sel.ips_remote_addr_v6 = inner_ipv6->ip6_dst;
5228 5227 }
5229 5228
5230 5229 if (itp->itp_flags & ITPF_P_PER_PORT_SECURITY) {
5231 5230 /*
5232 5231 * Caller can prepend the outer header, which means
5233 5232 * inner_ipv[46] may be stuck in the middle. Pullup the whole
5234 5233 * mess now if need-be, for easier processing later. Don't
5235 5234 * forget to rewire the outer header too.
5236 5235 */
5237 5236 if (mp->b_cont != NULL) {
5238 5237 nmp = msgpullup(mp, -1);
5239 5238 if (nmp == NULL) {
5240 5239 ip_drop_packet(mp, B_FALSE, NULL,
5241 5240 DROPPER(ipss, ipds_spd_nomem),
5242 5241 &ipss->ipsec_spd_dropper);
5243 5242 return (NULL);
5244 5243 }
5245 5244 freemsg(mp);
5246 5245 mp = nmp;
5247 5246 if (outer_ipv4 != NULL)
5248 5247 outer_ipv4 = (ipha_t *)mp->b_rptr;
5249 5248 else
5250 5249 outer_ipv6 = (ip6_t *)mp->b_rptr;
5251 5250 if (inner_ipv4 != NULL) {
5252 5251 inner_ipv4 =
5253 5252 (ipha_t *)(mp->b_rptr + outer_hdr_len);
5254 5253 } else {
5255 5254 inner_ipv6 =
5256 5255 (ip6_t *)(mp->b_rptr + outer_hdr_len);
5257 5256 }
5258 5257 }
5259 5258 if (inner_ipv4 != NULL) {
5260 5259 is_fragment = IS_V4_FRAGMENT(
5261 5260 inner_ipv4->ipha_fragment_offset_and_flags);
5262 5261 } else {
5263 5262 sel.ips_remote_addr_v6 = ip_get_dst_v6(inner_ipv6, mp,
5264 5263 &is_fragment);
5265 5264 }
5266 5265
5267 5266 if (is_fragment) {
5268 5267 ipha_t *oiph;
5269 5268 ipha_t *iph = NULL;
5270 5269 ip6_t *ip6h = NULL;
5271 5270 int hdr_len;
5272 5271 uint16_t ip6_hdr_length;
5273 5272 uint8_t v6_proto;
5274 5273 uint8_t *v6_proto_p;
5275 5274
5276 5275 /*
5277 5276 * We have a fragment we need to track!
5278 5277 */
5279 5278 mp = ipsec_fragcache_add(&itp->itp_fragcache, NULL, mp,
5280 5279 outer_hdr_len, ipss);
5281 5280 if (mp == NULL)
5282 5281 return (NULL);
5283 5282 ASSERT(mp->b_cont == NULL);
5284 5283
5285 5284 /*
5286 5285 * If we get here, we have a full fragment chain
5287 5286 */
5288 5287
5289 5288 oiph = (ipha_t *)mp->b_rptr;
5290 5289 if (IPH_HDR_VERSION(oiph) == IPV4_VERSION) {
5291 5290 hdr_len = ((outer_hdr_len != 0) ?
5292 5291 IPH_HDR_LENGTH(oiph) : 0);
5293 5292 iph = (ipha_t *)(mp->b_rptr + hdr_len);
5294 5293 } else {
5295 5294 ASSERT(IPH_HDR_VERSION(oiph) == IPV6_VERSION);
5296 5295 ip6h = (ip6_t *)mp->b_rptr;
5297 5296 if (!ip_hdr_length_nexthdr_v6(mp, ip6h,
5298 5297 &ip6_hdr_length, &v6_proto_p)) {
5299 5298 ip_drop_packet_chain(mp, B_FALSE, NULL,
5300 5299 DROPPER(ipss,
5301 5300 ipds_spd_malformed_packet),
5302 5301 &ipss->ipsec_spd_dropper);
5303 5302 return (NULL);
5304 5303 }
5305 5304 hdr_len = ip6_hdr_length;
5306 5305 }
5307 5306 outer_hdr_len = hdr_len;
5308 5307
5309 5308 if (sel.ips_isv4) {
5310 5309 if (iph == NULL) {
5311 5310 /* Was v6 outer */
5312 5311 iph = (ipha_t *)(mp->b_rptr + hdr_len);
5313 5312 }
5314 5313 inner_ipv4 = iph;
5315 5314 sel.ips_local_addr_v4 = inner_ipv4->ipha_src;
5316 5315 sel.ips_remote_addr_v4 = inner_ipv4->ipha_dst;
5317 5316 sel.ips_protocol =
5318 5317 (uint8_t)inner_ipv4->ipha_protocol;
5319 5318 } else {
5320 5319 inner_ipv6 = (ip6_t *)(mp->b_rptr +
5321 5320 hdr_len);
5322 5321 sel.ips_local_addr_v6 = inner_ipv6->ip6_src;
5323 5322 sel.ips_remote_addr_v6 = inner_ipv6->ip6_dst;
5324 5323 if (!ip_hdr_length_nexthdr_v6(mp,
5325 5324 inner_ipv6, &ip6_hdr_length, &v6_proto_p)) {
5326 5325 ip_drop_packet_chain(mp, B_FALSE, NULL,
5327 5326 DROPPER(ipss,
5328 5327 ipds_spd_malformed_frag),
5329 5328 &ipss->ipsec_spd_dropper);
5330 5329 return (NULL);
5331 5330 }
5332 5331 v6_proto = *v6_proto_p;
5333 5332 sel.ips_protocol = v6_proto;
5334 5333 #ifdef FRAGCACHE_DEBUG
5335 5334 cmn_err(CE_WARN, "v6_sel.ips_protocol = %d\n",
5336 5335 sel.ips_protocol);
5337 5336 #endif
5338 5337 }
5339 5338 /* Ports are extracted below */
5340 5339 }
5341 5340
5342 5341 /* Get ports... */
5343 5342 if (!ipsec_init_outbound_ports(&sel, mp,
5344 5343 inner_ipv4, inner_ipv6, outer_hdr_len, ipss)) {
5345 5344 /* callee did ip_drop_packet_chain() on mp. */
5346 5345 return (NULL);
5347 5346 }
5348 5347 #ifdef FRAGCACHE_DEBUG
5349 5348 if (inner_ipv4 != NULL)
5350 5349 cmn_err(CE_WARN,
5351 5350 "(v4) sel.ips_protocol = %d, "
5352 5351 "sel.ips_local_port = %d, "
5353 5352 "sel.ips_remote_port = %d\n",
5354 5353 sel.ips_protocol, ntohs(sel.ips_local_port),
5355 5354 ntohs(sel.ips_remote_port));
5356 5355 if (inner_ipv6 != NULL)
5357 5356 cmn_err(CE_WARN,
5358 5357 "(v6) sel.ips_protocol = %d, "
5359 5358 "sel.ips_local_port = %d, "
5360 5359 "sel.ips_remote_port = %d\n",
5361 5360 sel.ips_protocol, ntohs(sel.ips_local_port),
5362 5361 ntohs(sel.ips_remote_port));
5363 5362 #endif
5364 5363 /* Success so far! */
5365 5364 }
5366 5365 rw_enter(&polhead->iph_lock, RW_READER);
5367 5366 pol = ipsec_find_policy_head(NULL, polhead, IPSEC_TYPE_OUTBOUND, &sel);
5368 5367 rw_exit(&polhead->iph_lock);
5369 5368 if (pol == NULL) {
5370 5369 /*
5371 5370 * No matching policy on this tunnel, drop the packet.
5372 5371 *
5373 5372 * NOTE: Tunnel-mode tunnels are different from the
5374 5373 * IP global transport mode policy head. For a tunnel-mode
5375 5374 * tunnel, we drop the packet in lieu of passing it
5376 5375 * along accepted the way a global-policy miss would.
5377 5376 *
5378 5377 * NOTE2: "negotiate transport" tunnels should match ALL
5379 5378 * inbound packets, but we do not uncomment the ASSERT()
5380 5379 * below because if/when we open PF_POLICY, a user can
5381 5380 * shoot him/her-self in the foot with a 0 priority.
5382 5381 */
5383 5382
5384 5383 /* ASSERT(itp->itp_flags & ITPF_P_TUNNEL); */
5385 5384 #ifdef FRAGCACHE_DEBUG
5386 5385 cmn_err(CE_WARN, "ipsec_tun_outbound(): No matching tunnel "
5387 5386 "per-port policy\n");
5388 5387 #endif
5389 5388 ip_drop_packet_chain(mp, B_FALSE, NULL,
5390 5389 DROPPER(ipss, ipds_spd_explicit),
5391 5390 &ipss->ipsec_spd_dropper);
5392 5391 return (NULL);
5393 5392 }
5394 5393
5395 5394 #ifdef FRAGCACHE_DEBUG
5396 5395 cmn_err(CE_WARN, "Having matching tunnel per-port policy\n");
5397 5396 #endif
5398 5397
5399 5398 /*
5400 5399 * NOTE: ixa_cleanup() function will release pol references.
5401 5400 */
5402 5401 ixa->ixa_ipsec_policy = pol;
5403 5402 /*
5404 5403 * NOTE: There is a subtle difference between iptun_zoneid and
5405 5404 * iptun_connp->conn_zoneid explained in iptun_conn_create(). When
5406 5405 * interacting with the ip module, we must use conn_zoneid.
5407 5406 */
5408 5407 ixa->ixa_zoneid = iptun->iptun_connp->conn_zoneid;
5409 5408
5410 5409 ASSERT((outer_ipv4 != NULL) ? (ixa->ixa_flags & IXAF_IS_IPV4) :
5411 5410 !(ixa->ixa_flags & IXAF_IS_IPV4));
5412 5411 ASSERT(ixa->ixa_ipsec_policy != NULL);
5413 5412 ixa->ixa_flags |= IXAF_IPSEC_SECURE;
5414 5413
5415 5414 if (!(itp->itp_flags & ITPF_P_TUNNEL)) {
5416 5415 /* Set up transport mode for tunnelled packets. */
5417 5416 ixa->ixa_ipsec_proto = (inner_ipv4 != NULL) ? IPPROTO_ENCAP :
5418 5417 IPPROTO_IPV6;
5419 5418 return (mp);
5420 5419 }
5421 5420
5422 5421 /* Fill in tunnel-mode goodies here. */
5423 5422 ixa->ixa_flags |= IXAF_IPSEC_TUNNEL;
5424 5423 /* XXX Do I need to fill in all of the goodies here? */
5425 5424 if (inner_ipv4) {
5426 5425 ixa->ixa_ipsec_inaf = AF_INET;
5427 5426 ixa->ixa_ipsec_insrc[0] =
5428 5427 pol->ipsp_sel->ipsl_key.ipsl_local.ipsad_v4;
5429 5428 ixa->ixa_ipsec_indst[0] =
5430 5429 pol->ipsp_sel->ipsl_key.ipsl_remote.ipsad_v4;
5431 5430 } else {
5432 5431 ixa->ixa_ipsec_inaf = AF_INET6;
5433 5432 ixa->ixa_ipsec_insrc[0] =
5434 5433 pol->ipsp_sel->ipsl_key.ipsl_local.ipsad_v6.s6_addr32[0];
5435 5434 ixa->ixa_ipsec_insrc[1] =
5436 5435 pol->ipsp_sel->ipsl_key.ipsl_local.ipsad_v6.s6_addr32[1];
5437 5436 ixa->ixa_ipsec_insrc[2] =
5438 5437 pol->ipsp_sel->ipsl_key.ipsl_local.ipsad_v6.s6_addr32[2];
5439 5438 ixa->ixa_ipsec_insrc[3] =
5440 5439 pol->ipsp_sel->ipsl_key.ipsl_local.ipsad_v6.s6_addr32[3];
5441 5440 ixa->ixa_ipsec_indst[0] =
5442 5441 pol->ipsp_sel->ipsl_key.ipsl_remote.ipsad_v6.s6_addr32[0];
5443 5442 ixa->ixa_ipsec_indst[1] =
5444 5443 pol->ipsp_sel->ipsl_key.ipsl_remote.ipsad_v6.s6_addr32[1];
5445 5444 ixa->ixa_ipsec_indst[2] =
5446 5445 pol->ipsp_sel->ipsl_key.ipsl_remote.ipsad_v6.s6_addr32[2];
5447 5446 ixa->ixa_ipsec_indst[3] =
5448 5447 pol->ipsp_sel->ipsl_key.ipsl_remote.ipsad_v6.s6_addr32[3];
5449 5448 }
5450 5449 ixa->ixa_ipsec_insrcpfx = pol->ipsp_sel->ipsl_key.ipsl_local_pfxlen;
5451 5450 ixa->ixa_ipsec_indstpfx = pol->ipsp_sel->ipsl_key.ipsl_remote_pfxlen;
5452 5451 /* NOTE: These are used for transport mode too. */
5453 5452 ixa->ixa_ipsec_src_port = pol->ipsp_sel->ipsl_key.ipsl_lport;
5454 5453 ixa->ixa_ipsec_dst_port = pol->ipsp_sel->ipsl_key.ipsl_rport;
5455 5454 ixa->ixa_ipsec_proto = pol->ipsp_sel->ipsl_key.ipsl_proto;
5456 5455
5457 5456 return (mp);
5458 5457 }
5459 5458
5460 5459 /*
5461 5460 * NOTE: The following releases pol's reference and
5462 5461 * calls ip_drop_packet() for me on NULL returns.
5463 5462 */
5464 5463 mblk_t *
5465 5464 ipsec_check_ipsecin_policy_reasm(mblk_t *attr_mp, ipsec_policy_t *pol,
5466 5465 ipha_t *inner_ipv4, ip6_t *inner_ipv6, uint64_t pkt_unique, netstack_t *ns)
5467 5466 {
5468 5467 /* Assume attr_mp is a chain of b_next-linked ip_recv_attr mblk. */
5469 5468 mblk_t *data_chain = NULL, *data_tail = NULL;
5470 5469 mblk_t *next;
5471 5470 mblk_t *data_mp;
5472 5471 ip_recv_attr_t iras;
5473 5472
5474 5473 while (attr_mp != NULL) {
5475 5474 ASSERT(ip_recv_attr_is_mblk(attr_mp));
5476 5475 next = attr_mp->b_next;
5477 5476 attr_mp->b_next = NULL; /* No tripping asserts. */
5478 5477
5479 5478 data_mp = attr_mp->b_cont;
5480 5479 attr_mp->b_cont = NULL;
5481 5480 if (!ip_recv_attr_from_mblk(attr_mp, &iras)) {
5482 5481 /* The ill or ip_stack_t disappeared on us */
5483 5482 freemsg(data_mp); /* ip_drop_packet?? */
5484 5483 ira_cleanup(&iras, B_TRUE);
5485 5484 goto fail;
5486 5485 }
5487 5486
5488 5487 /*
5489 5488 * Need IPPOL_REFHOLD(pol) for extras because
5490 5489 * ipsecin_policy does the refrele.
5491 5490 */
5492 5491 IPPOL_REFHOLD(pol);
5493 5492
5494 5493 data_mp = ipsec_check_ipsecin_policy(data_mp, pol, inner_ipv4,
5495 5494 inner_ipv6, pkt_unique, &iras, ns);
5496 5495 ira_cleanup(&iras, B_TRUE);
5497 5496
5498 5497 if (data_mp == NULL)
5499 5498 goto fail;
5500 5499
5501 5500 if (data_tail == NULL) {
5502 5501 /* First one */
5503 5502 data_chain = data_tail = data_mp;
5504 5503 } else {
5505 5504 data_tail->b_next = data_mp;
5506 5505 data_tail = data_mp;
5507 5506 }
5508 5507 attr_mp = next;
5509 5508 }
5510 5509 /*
5511 5510 * One last release because either the loop bumped it up, or we never
5512 5511 * called ipsec_check_ipsecin_policy().
5513 5512 */
5514 5513 IPPOL_REFRELE(pol);
5515 5514
5516 5515 /* data_chain is ready for return to tun module. */
5517 5516 return (data_chain);
5518 5517
5519 5518 fail:
5520 5519 /*
5521 5520 * Need to get rid of any extra pol
5522 5521 * references, and any remaining bits as well.
5523 5522 */
5524 5523 IPPOL_REFRELE(pol);
5525 5524 ipsec_freemsg_chain(data_chain);
5526 5525 ipsec_freemsg_chain(next); /* ipdrop stats? */
5527 5526 return (NULL);
5528 5527 }
5529 5528
5530 5529 /*
5531 5530 * Return a message if the inbound packet passed an IPsec policy check. Returns
5532 5531 * NULL if it failed or if it is a fragment needing its friends before a
5533 5532 * policy check can be performed.
5534 5533 *
5535 5534 * Expects a non-NULL data_mp, and a non-NULL polhead.
5536 5535 * The returned mblk may be a b_next chain of packets if fragments
5537 5536 * neeeded to be collected for a proper policy check.
5538 5537 *
5539 5538 * This function calls ip_drop_packet() on data_mp if need be.
5540 5539 *
5541 5540 * NOTE: outer_hdr_len is signed. If it's a negative value, the caller
5542 5541 * is inspecting an ICMP packet.
5543 5542 */
5544 5543 mblk_t *
5545 5544 ipsec_tun_inbound(ip_recv_attr_t *ira, mblk_t *data_mp, ipsec_tun_pol_t *itp,
5546 5545 ipha_t *inner_ipv4, ip6_t *inner_ipv6, ipha_t *outer_ipv4,
5547 5546 ip6_t *outer_ipv6, int outer_hdr_len, netstack_t *ns)
5548 5547 {
5549 5548 ipsec_policy_head_t *polhead;
5550 5549 ipsec_selector_t sel;
5551 5550 ipsec_policy_t *pol;
5552 5551 uint16_t tmpport;
5553 5552 selret_t rc;
5554 5553 boolean_t port_policy_present, is_icmp, global_present;
5555 5554 in6_addr_t tmpaddr;
5556 5555 ipaddr_t tmp4;
5557 5556 uint8_t flags, *inner_hdr;
5558 5557 ipsec_stack_t *ipss = ns->netstack_ipsec;
5559 5558
5560 5559 sel.ips_is_icmp_inv_acq = 0;
5561 5560
5562 5561 if (outer_ipv4 != NULL) {
5563 5562 ASSERT(outer_ipv6 == NULL);
5564 5563 global_present = ipss->ipsec_inbound_v4_policy_present;
5565 5564 } else {
5566 5565 ASSERT(outer_ipv6 != NULL);
5567 5566 global_present = ipss->ipsec_inbound_v6_policy_present;
5568 5567 }
5569 5568
5570 5569 ASSERT(inner_ipv4 != NULL && inner_ipv6 == NULL ||
5571 5570 inner_ipv4 == NULL && inner_ipv6 != NULL);
5572 5571
5573 5572 if (outer_hdr_len < 0) {
5574 5573 outer_hdr_len = (-outer_hdr_len);
5575 5574 is_icmp = B_TRUE;
5576 5575 } else {
5577 5576 is_icmp = B_FALSE;
5578 5577 }
5579 5578
5580 5579 if (itp != NULL && (itp->itp_flags & ITPF_P_ACTIVE)) {
5581 5580 mblk_t *mp = data_mp;
5582 5581
5583 5582 polhead = itp->itp_policy;
5584 5583 /*
5585 5584 * We need to perform full Tunnel-Mode enforcement,
5586 5585 * and we need to have inner-header data for such enforcement.
5587 5586 *
5588 5587 * See ipsec_init_inbound_sel() for the 0x80000000 on inbound
5589 5588 * and on return.
5590 5589 */
5591 5590
5592 5591 port_policy_present = ((itp->itp_flags &
5593 5592 ITPF_P_PER_PORT_SECURITY) ? B_TRUE : B_FALSE);
5594 5593 /*
5595 5594 * NOTE: Even if our policy is transport mode, set the
5596 5595 * SEL_TUNNEL_MODE flag so ipsec_init_inbound_sel() can
5597 5596 * do the right thing w.r.t. outer headers.
5598 5597 */
5599 5598 flags = ((port_policy_present ? SEL_PORT_POLICY : SEL_NONE) |
5600 5599 (is_icmp ? SEL_IS_ICMP : SEL_NONE) | SEL_TUNNEL_MODE);
5601 5600
5602 5601 rc = ipsec_init_inbound_sel(&sel, data_mp, inner_ipv4,
5603 5602 inner_ipv6, flags);
5604 5603
5605 5604 switch (rc) {
5606 5605 case SELRET_NOMEM:
5607 5606 ip_drop_packet(data_mp, B_TRUE, NULL,
5608 5607 DROPPER(ipss, ipds_spd_nomem),
5609 5608 &ipss->ipsec_spd_dropper);
5610 5609 return (NULL);
5611 5610 case SELRET_TUNFRAG:
5612 5611 /*
5613 5612 * At this point, if we're cleartext, we don't want
5614 5613 * to go there.
5615 5614 */
5616 5615 if (!(ira->ira_flags & IRAF_IPSEC_SECURE)) {
5617 5616 ip_drop_packet(data_mp, B_TRUE, NULL,
5618 5617 DROPPER(ipss, ipds_spd_got_clear),
5619 5618 &ipss->ipsec_spd_dropper);
5620 5619 return (NULL);
5621 5620 }
5622 5621
5623 5622 /*
5624 5623 * Inner and outer headers may not be contiguous.
5625 5624 * Pullup the data_mp now to satisfy assumptions of
5626 5625 * ipsec_fragcache_add()
5627 5626 */
5628 5627 if (data_mp->b_cont != NULL) {
5629 5628 mblk_t *nmp;
5630 5629
5631 5630 nmp = msgpullup(data_mp, -1);
5632 5631 if (nmp == NULL) {
5633 5632 ip_drop_packet(data_mp, B_TRUE, NULL,
5634 5633 DROPPER(ipss, ipds_spd_nomem),
5635 5634 &ipss->ipsec_spd_dropper);
5636 5635 return (NULL);
5637 5636 }
5638 5637 freemsg(data_mp);
5639 5638 data_mp = nmp;
5640 5639 if (outer_ipv4 != NULL)
5641 5640 outer_ipv4 =
5642 5641 (ipha_t *)data_mp->b_rptr;
5643 5642 else
5644 5643 outer_ipv6 =
5645 5644 (ip6_t *)data_mp->b_rptr;
5646 5645 if (inner_ipv4 != NULL) {
5647 5646 inner_ipv4 =
5648 5647 (ipha_t *)(data_mp->b_rptr +
5649 5648 outer_hdr_len);
5650 5649 } else {
5651 5650 inner_ipv6 =
5652 5651 (ip6_t *)(data_mp->b_rptr +
5653 5652 outer_hdr_len);
5654 5653 }
5655 5654 }
5656 5655
5657 5656 /*
5658 5657 * If we need to queue the packet. First we
5659 5658 * get an mblk with the attributes. ipsec_fragcache_add
5660 5659 * will prepend that to the queued data and return
5661 5660 * a list of b_next messages each of which starts with
5662 5661 * the attribute mblk.
5663 5662 */
5664 5663 mp = ip_recv_attr_to_mblk(ira);
5665 5664 if (mp == NULL) {
5666 5665 ip_drop_packet(data_mp, B_TRUE, NULL,
5667 5666 DROPPER(ipss, ipds_spd_nomem),
5668 5667 &ipss->ipsec_spd_dropper);
5669 5668 return (NULL);
5670 5669 }
5671 5670
5672 5671 mp = ipsec_fragcache_add(&itp->itp_fragcache,
5673 5672 mp, data_mp, outer_hdr_len, ipss);
5674 5673
5675 5674 if (mp == NULL) {
5676 5675 /*
5677 5676 * Data is cached, fragment chain is not
5678 5677 * complete.
5679 5678 */
5680 5679 return (NULL);
5681 5680 }
5682 5681
5683 5682 /*
5684 5683 * If we get here, we have a full fragment chain.
5685 5684 * Reacquire headers and selectors from first fragment.
5686 5685 */
5687 5686 ASSERT(ip_recv_attr_is_mblk(mp));
5688 5687 data_mp = mp->b_cont;
5689 5688 inner_hdr = data_mp->b_rptr;
5690 5689 if (outer_ipv4 != NULL) {
5691 5690 inner_hdr += IPH_HDR_LENGTH(
5692 5691 (ipha_t *)data_mp->b_rptr);
5693 5692 } else {
5694 5693 inner_hdr += ip_hdr_length_v6(data_mp,
5695 5694 (ip6_t *)data_mp->b_rptr);
5696 5695 }
5697 5696 ASSERT(inner_hdr <= data_mp->b_wptr);
5698 5697
5699 5698 if (inner_ipv4 != NULL) {
5700 5699 inner_ipv4 = (ipha_t *)inner_hdr;
5701 5700 inner_ipv6 = NULL;
5702 5701 } else {
5703 5702 inner_ipv6 = (ip6_t *)inner_hdr;
5704 5703 inner_ipv4 = NULL;
5705 5704 }
5706 5705
5707 5706 /*
5708 5707 * Use SEL_TUNNEL_MODE to take into account the outer
5709 5708 * header. Use SEL_POST_FRAG so we always get ports.
5710 5709 */
5711 5710 rc = ipsec_init_inbound_sel(&sel, data_mp,
5712 5711 inner_ipv4, inner_ipv6,
5713 5712 SEL_TUNNEL_MODE | SEL_POST_FRAG);
5714 5713 switch (rc) {
5715 5714 case SELRET_SUCCESS:
5716 5715 /*
5717 5716 * Get to same place as first caller's
5718 5717 * SELRET_SUCCESS case.
5719 5718 */
5720 5719 break;
5721 5720 case SELRET_NOMEM:
5722 5721 ip_drop_packet_chain(mp, B_TRUE, NULL,
5723 5722 DROPPER(ipss, ipds_spd_nomem),
5724 5723 &ipss->ipsec_spd_dropper);
5725 5724 return (NULL);
5726 5725 case SELRET_BADPKT:
5727 5726 ip_drop_packet_chain(mp, B_TRUE, NULL,
5728 5727 DROPPER(ipss, ipds_spd_malformed_frag),
5729 5728 &ipss->ipsec_spd_dropper);
5730 5729 return (NULL);
5731 5730 case SELRET_TUNFRAG:
5732 5731 cmn_err(CE_WARN, "(TUNFRAG on 2nd call...)");
5733 5732 /* FALLTHRU */
5734 5733 default:
5735 5734 cmn_err(CE_WARN, "ipsec_init_inbound_sel(mark2)"
5736 5735 " returns bizarro 0x%x", rc);
5737 5736 /* Guaranteed panic! */
5738 5737 ASSERT(rc == SELRET_NOMEM);
5739 5738 return (NULL);
5740 5739 }
5741 5740 /* FALLTHRU */
5742 5741 case SELRET_SUCCESS:
5743 5742 /*
5744 5743 * Common case:
5745 5744 * No per-port policy or a non-fragment. Keep going.
5746 5745 */
5747 5746 break;
5748 5747 case SELRET_BADPKT:
5749 5748 /*
5750 5749 * We may receive ICMP (with IPv6 inner) packets that
5751 5750 * trigger this return value. Send 'em in for
5752 5751 * enforcement checking.
5753 5752 */
5754 5753 cmn_err(CE_NOTE, "ipsec_tun_inbound(): "
5755 5754 "sending 'bad packet' in for enforcement");
5756 5755 break;
5757 5756 default:
5758 5757 cmn_err(CE_WARN,
5759 5758 "ipsec_init_inbound_sel() returns bizarro 0x%x",
5760 5759 rc);
5761 5760 ASSERT(rc == SELRET_NOMEM); /* Guaranteed panic! */
5762 5761 return (NULL);
5763 5762 }
5764 5763
5765 5764 if (is_icmp) {
5766 5765 /*
5767 5766 * Swap local/remote because this is an ICMP packet.
5768 5767 */
5769 5768 tmpaddr = sel.ips_local_addr_v6;
5770 5769 sel.ips_local_addr_v6 = sel.ips_remote_addr_v6;
5771 5770 sel.ips_remote_addr_v6 = tmpaddr;
5772 5771 tmpport = sel.ips_local_port;
5773 5772 sel.ips_local_port = sel.ips_remote_port;
5774 5773 sel.ips_remote_port = tmpport;
5775 5774 }
5776 5775
5777 5776 /* find_policy_head() */
5778 5777 rw_enter(&polhead->iph_lock, RW_READER);
5779 5778 pol = ipsec_find_policy_head(NULL, polhead, IPSEC_TYPE_INBOUND,
5780 5779 &sel);
5781 5780 rw_exit(&polhead->iph_lock);
5782 5781 if (pol != NULL) {
5783 5782 uint64_t pkt_unique;
5784 5783
5785 5784 if (!(ira->ira_flags & IRAF_IPSEC_SECURE)) {
5786 5785 if (!pol->ipsp_act->ipa_allow_clear) {
5787 5786 /*
5788 5787 * XXX should never get here with
5789 5788 * tunnel reassembled fragments?
5790 5789 */
5791 5790 ASSERT(mp == data_mp);
5792 5791 ip_drop_packet(data_mp, B_TRUE, NULL,
5793 5792 DROPPER(ipss, ipds_spd_got_clear),
5794 5793 &ipss->ipsec_spd_dropper);
5795 5794 IPPOL_REFRELE(pol);
5796 5795 return (NULL);
5797 5796 } else {
5798 5797 IPPOL_REFRELE(pol);
5799 5798 return (mp);
5800 5799 }
5801 5800 }
5802 5801 pkt_unique = SA_UNIQUE_ID(sel.ips_remote_port,
5803 5802 sel.ips_local_port,
5804 5803 (inner_ipv4 == NULL) ? IPPROTO_IPV6 :
5805 5804 IPPROTO_ENCAP, sel.ips_protocol);
5806 5805
5807 5806 /*
5808 5807 * NOTE: The following releases pol's reference and
5809 5808 * calls ip_drop_packet() for me on NULL returns.
5810 5809 *
5811 5810 * "sel" is still good here, so let's use it!
5812 5811 */
5813 5812 if (data_mp == mp) {
5814 5813 /* A single packet without attributes */
5815 5814 data_mp = ipsec_check_ipsecin_policy(data_mp,
5816 5815 pol, inner_ipv4, inner_ipv6, pkt_unique,
5817 5816 ira, ns);
5818 5817 } else {
5819 5818 /*
5820 5819 * We pass in the b_next chain of attr_mp's
5821 5820 * and get back a b_next chain of data_mp's.
5822 5821 */
5823 5822 data_mp = ipsec_check_ipsecin_policy_reasm(mp,
5824 5823 pol, inner_ipv4, inner_ipv6, pkt_unique,
5825 5824 ns);
5826 5825 }
5827 5826 return (data_mp);
5828 5827 }
5829 5828
5830 5829 /*
5831 5830 * Else fallthru and check the global policy on the outer
5832 5831 * header(s) if this tunnel is an old-style transport-mode
5833 5832 * one. Drop the packet explicitly (no policy entry) for
5834 5833 * a new-style tunnel-mode tunnel.
5835 5834 */
5836 5835 if ((itp->itp_flags & ITPF_P_TUNNEL) && !is_icmp) {
5837 5836 ip_drop_packet_chain(data_mp, B_TRUE, NULL,
5838 5837 DROPPER(ipss, ipds_spd_explicit),
5839 5838 &ipss->ipsec_spd_dropper);
5840 5839 return (NULL);
5841 5840 }
5842 5841 }
5843 5842
5844 5843 /*
5845 5844 * NOTE: If we reach here, we will not have packet chains from
5846 5845 * fragcache_add(), because the only way I get chains is on a
5847 5846 * tunnel-mode tunnel, which either returns with a pass, or gets
5848 5847 * hit by the ip_drop_packet_chain() call right above here.
5849 5848 */
5850 5849 ASSERT(data_mp->b_next == NULL);
5851 5850
5852 5851 /* If no per-tunnel security, check global policy now. */
5853 5852 if ((ira->ira_flags & IRAF_IPSEC_SECURE) && !global_present) {
5854 5853 if (ira->ira_flags & IRAF_TRUSTED_ICMP) {
5855 5854 /*
5856 5855 * This is an ICMP message that was geenrated locally.
5857 5856 * We should accept it.
5858 5857 */
5859 5858 return (data_mp);
5860 5859 }
5861 5860
5862 5861 ip_drop_packet(data_mp, B_TRUE, NULL,
5863 5862 DROPPER(ipss, ipds_spd_got_secure),
5864 5863 &ipss->ipsec_spd_dropper);
5865 5864 return (NULL);
5866 5865 }
5867 5866
5868 5867 if (is_icmp) {
5869 5868 /*
5870 5869 * For ICMP packets, "outer_ipvN" is set to the outer header
5871 5870 * that is *INSIDE* the ICMP payload. For global policy
5872 5871 * checking, we need to reverse src/dst on the payload in
5873 5872 * order to construct selectors appropriately. See "ripha"
5874 5873 * constructions in ip.c. To avoid a bug like 6478464 (see
5875 5874 * earlier in this file), we will actually exchange src/dst
5876 5875 * in the packet, and reverse if after the call to
5877 5876 * ipsec_check_global_policy().
5878 5877 */
5879 5878 if (outer_ipv4 != NULL) {
5880 5879 tmp4 = outer_ipv4->ipha_src;
5881 5880 outer_ipv4->ipha_src = outer_ipv4->ipha_dst;
5882 5881 outer_ipv4->ipha_dst = tmp4;
5883 5882 } else {
5884 5883 ASSERT(outer_ipv6 != NULL);
5885 5884 tmpaddr = outer_ipv6->ip6_src;
5886 5885 outer_ipv6->ip6_src = outer_ipv6->ip6_dst;
5887 5886 outer_ipv6->ip6_dst = tmpaddr;
5888 5887 }
5889 5888 }
5890 5889
5891 5890 data_mp = ipsec_check_global_policy(data_mp, NULL, outer_ipv4,
5892 5891 outer_ipv6, ira, ns);
5893 5892 if (data_mp == NULL)
5894 5893 return (NULL);
5895 5894
5896 5895 if (is_icmp) {
5897 5896 /* Set things back to normal. */
5898 5897 if (outer_ipv4 != NULL) {
5899 5898 tmp4 = outer_ipv4->ipha_src;
5900 5899 outer_ipv4->ipha_src = outer_ipv4->ipha_dst;
5901 5900 outer_ipv4->ipha_dst = tmp4;
5902 5901 } else {
5903 5902 /* No need for ASSERT()s now. */
5904 5903 tmpaddr = outer_ipv6->ip6_src;
5905 5904 outer_ipv6->ip6_src = outer_ipv6->ip6_dst;
5906 5905 outer_ipv6->ip6_dst = tmpaddr;
5907 5906 }
5908 5907 }
5909 5908
5910 5909 /*
5911 5910 * At this point, we pretend it's a cleartext accepted
5912 5911 * packet.
5913 5912 */
5914 5913 return (data_mp);
5915 5914 }
5916 5915
5917 5916 /*
5918 5917 * AVL comparison routine for our list of tunnel polheads.
5919 5918 */
5920 5919 static int
5921 5920 tunnel_compare(const void *arg1, const void *arg2)
5922 5921 {
5923 5922 ipsec_tun_pol_t *left, *right;
5924 5923 int rc;
5925 5924
5926 5925 left = (ipsec_tun_pol_t *)arg1;
5927 5926 right = (ipsec_tun_pol_t *)arg2;
5928 5927
5929 5928 rc = strncmp(left->itp_name, right->itp_name, LIFNAMSIZ);
5930 5929 return (rc == 0 ? rc : (rc > 0 ? 1 : -1));
5931 5930 }
5932 5931
5933 5932 /*
5934 5933 * Free a tunnel policy node.
5935 5934 */
5936 5935 void
5937 5936 itp_free(ipsec_tun_pol_t *node, netstack_t *ns)
5938 5937 {
5939 5938 if (node->itp_policy != NULL) {
5940 5939 IPPH_REFRELE(node->itp_policy, ns);
5941 5940 node->itp_policy = NULL;
5942 5941 }
5943 5942 if (node->itp_inactive != NULL) {
5944 5943 IPPH_REFRELE(node->itp_inactive, ns);
5945 5944 node->itp_inactive = NULL;
5946 5945 }
5947 5946 mutex_destroy(&node->itp_lock);
5948 5947 kmem_free(node, sizeof (*node));
5949 5948 }
5950 5949
5951 5950 void
5952 5951 itp_unlink(ipsec_tun_pol_t *node, netstack_t *ns)
5953 5952 {
5954 5953 ipsec_stack_t *ipss = ns->netstack_ipsec;
5955 5954
5956 5955 rw_enter(&ipss->ipsec_tunnel_policy_lock, RW_WRITER);
5957 5956 ipss->ipsec_tunnel_policy_gen++;
5958 5957 ipsec_fragcache_uninit(&node->itp_fragcache, ipss);
5959 5958 avl_remove(&ipss->ipsec_tunnel_policies, node);
5960 5959 rw_exit(&ipss->ipsec_tunnel_policy_lock);
5961 5960 ITP_REFRELE(node, ns);
5962 5961 }
5963 5962
5964 5963 /*
5965 5964 * Public interface to look up a tunnel security policy by name. Used by
5966 5965 * spdsock mostly. Returns "node" with a bumped refcnt.
5967 5966 */
5968 5967 ipsec_tun_pol_t *
5969 5968 get_tunnel_policy(char *name, netstack_t *ns)
5970 5969 {
5971 5970 ipsec_tun_pol_t *node, lookup;
5972 5971 ipsec_stack_t *ipss = ns->netstack_ipsec;
5973 5972
5974 5973 (void) strncpy(lookup.itp_name, name, LIFNAMSIZ);
5975 5974
5976 5975 rw_enter(&ipss->ipsec_tunnel_policy_lock, RW_READER);
5977 5976 node = (ipsec_tun_pol_t *)avl_find(&ipss->ipsec_tunnel_policies,
5978 5977 &lookup, NULL);
5979 5978 if (node != NULL) {
5980 5979 ITP_REFHOLD(node);
5981 5980 }
5982 5981 rw_exit(&ipss->ipsec_tunnel_policy_lock);
5983 5982
5984 5983 return (node);
5985 5984 }
5986 5985
5987 5986 /*
5988 5987 * Public interface to walk all tunnel security polcies. Useful for spdsock
5989 5988 * DUMP operations. iterator() will not consume a reference.
5990 5989 */
5991 5990 void
5992 5991 itp_walk(void (*iterator)(ipsec_tun_pol_t *, void *, netstack_t *),
5993 5992 void *arg, netstack_t *ns)
5994 5993 {
5995 5994 ipsec_tun_pol_t *node;
5996 5995 ipsec_stack_t *ipss = ns->netstack_ipsec;
5997 5996
5998 5997 rw_enter(&ipss->ipsec_tunnel_policy_lock, RW_READER);
5999 5998 for (node = avl_first(&ipss->ipsec_tunnel_policies); node != NULL;
6000 5999 node = AVL_NEXT(&ipss->ipsec_tunnel_policies, node)) {
6001 6000 iterator(node, arg, ns);
6002 6001 }
6003 6002 rw_exit(&ipss->ipsec_tunnel_policy_lock);
6004 6003 }
6005 6004
6006 6005 /*
6007 6006 * Initialize policy head. This can only fail if there's a memory problem.
6008 6007 */
6009 6008 static boolean_t
6010 6009 tunnel_polhead_init(ipsec_policy_head_t *iph, netstack_t *ns)
6011 6010 {
6012 6011 ipsec_stack_t *ipss = ns->netstack_ipsec;
6013 6012
6014 6013 rw_init(&iph->iph_lock, NULL, RW_DEFAULT, NULL);
6015 6014 iph->iph_refs = 1;
6016 6015 iph->iph_gen = 0;
6017 6016 if (ipsec_alloc_table(iph, ipss->ipsec_tun_spd_hashsize,
6018 6017 KM_SLEEP, B_FALSE, ns) != 0) {
6019 6018 ipsec_polhead_free_table(iph);
6020 6019 return (B_FALSE);
6021 6020 }
6022 6021 ipsec_polhead_init(iph, ipss->ipsec_tun_spd_hashsize);
6023 6022 return (B_TRUE);
6024 6023 }
6025 6024
6026 6025 /*
6027 6026 * Create a tunnel policy node with "name". Set errno with
6028 6027 * ENOMEM if there's a memory problem, and EEXIST if there's an existing
6029 6028 * node.
6030 6029 */
6031 6030 ipsec_tun_pol_t *
6032 6031 create_tunnel_policy(char *name, int *errno, uint64_t *gen, netstack_t *ns)
6033 6032 {
6034 6033 ipsec_tun_pol_t *newbie, *existing;
6035 6034 avl_index_t where;
6036 6035 ipsec_stack_t *ipss = ns->netstack_ipsec;
6037 6036
6038 6037 newbie = kmem_zalloc(sizeof (*newbie), KM_NOSLEEP);
6039 6038 if (newbie == NULL) {
6040 6039 *errno = ENOMEM;
6041 6040 return (NULL);
6042 6041 }
6043 6042 if (!ipsec_fragcache_init(&newbie->itp_fragcache)) {
6044 6043 kmem_free(newbie, sizeof (*newbie));
6045 6044 *errno = ENOMEM;
6046 6045 return (NULL);
6047 6046 }
6048 6047
6049 6048 (void) strncpy(newbie->itp_name, name, LIFNAMSIZ);
6050 6049
6051 6050 rw_enter(&ipss->ipsec_tunnel_policy_lock, RW_WRITER);
6052 6051 existing = (ipsec_tun_pol_t *)avl_find(&ipss->ipsec_tunnel_policies,
6053 6052 newbie, &where);
6054 6053 if (existing != NULL) {
6055 6054 itp_free(newbie, ns);
6056 6055 *errno = EEXIST;
6057 6056 rw_exit(&ipss->ipsec_tunnel_policy_lock);
6058 6057 return (NULL);
6059 6058 }
6060 6059 ipss->ipsec_tunnel_policy_gen++;
6061 6060 *gen = ipss->ipsec_tunnel_policy_gen;
6062 6061 newbie->itp_refcnt = 2; /* One for the caller, one for the tree. */
6063 6062 newbie->itp_next_policy_index = 1;
6064 6063 avl_insert(&ipss->ipsec_tunnel_policies, newbie, where);
6065 6064 mutex_init(&newbie->itp_lock, NULL, MUTEX_DEFAULT, NULL);
6066 6065 newbie->itp_policy = kmem_zalloc(sizeof (ipsec_policy_head_t),
6067 6066 KM_NOSLEEP);
6068 6067 if (newbie->itp_policy == NULL)
6069 6068 goto nomem;
6070 6069 newbie->itp_inactive = kmem_zalloc(sizeof (ipsec_policy_head_t),
6071 6070 KM_NOSLEEP);
6072 6071 if (newbie->itp_inactive == NULL) {
6073 6072 kmem_free(newbie->itp_policy, sizeof (ipsec_policy_head_t));
6074 6073 goto nomem;
6075 6074 }
6076 6075
6077 6076 if (!tunnel_polhead_init(newbie->itp_policy, ns)) {
6078 6077 kmem_free(newbie->itp_policy, sizeof (ipsec_policy_head_t));
6079 6078 kmem_free(newbie->itp_inactive, sizeof (ipsec_policy_head_t));
6080 6079 goto nomem;
6081 6080 } else if (!tunnel_polhead_init(newbie->itp_inactive, ns)) {
6082 6081 IPPH_REFRELE(newbie->itp_policy, ns);
6083 6082 kmem_free(newbie->itp_inactive, sizeof (ipsec_policy_head_t));
6084 6083 goto nomem;
6085 6084 }
6086 6085 rw_exit(&ipss->ipsec_tunnel_policy_lock);
6087 6086
6088 6087 return (newbie);
6089 6088 nomem:
6090 6089 *errno = ENOMEM;
6091 6090 kmem_free(newbie, sizeof (*newbie));
6092 6091 return (NULL);
6093 6092 }
6094 6093
6095 6094 /*
6096 6095 * Given two addresses, find a tunnel instance's IPsec policy heads.
6097 6096 * Returns NULL on failure.
6098 6097 */
6099 6098 ipsec_tun_pol_t *
6100 6099 itp_get_byaddr(uint32_t *laddr, uint32_t *faddr, int af, ip_stack_t *ipst)
6101 6100 {
6102 6101 conn_t *connp;
6103 6102 iptun_t *iptun;
6104 6103 ipsec_tun_pol_t *itp = NULL;
6105 6104
6106 6105 /* Classifiers are used to "src" being foreign. */
6107 6106 if (af == AF_INET) {
6108 6107 connp = ipcl_iptun_classify_v4((ipaddr_t *)faddr,
6109 6108 (ipaddr_t *)laddr, ipst);
6110 6109 } else {
6111 6110 ASSERT(af == AF_INET6);
6112 6111 ASSERT(!IN6_IS_ADDR_V4MAPPED((in6_addr_t *)laddr));
6113 6112 ASSERT(!IN6_IS_ADDR_V4MAPPED((in6_addr_t *)faddr));
6114 6113 connp = ipcl_iptun_classify_v6((in6_addr_t *)faddr,
6115 6114 (in6_addr_t *)laddr, ipst);
6116 6115 }
6117 6116
6118 6117 if (connp == NULL)
6119 6118 return (NULL);
6120 6119
6121 6120 if (IPCL_IS_IPTUN(connp)) {
6122 6121 iptun = connp->conn_iptun;
6123 6122 if (iptun != NULL) {
6124 6123 itp = iptun->iptun_itp;
6125 6124 if (itp != NULL) {
6126 6125 /* Braces due to the macro's nature... */
6127 6126 ITP_REFHOLD(itp);
6128 6127 }
6129 6128 } /* Else itp is already NULL. */
6130 6129 }
6131 6130
6132 6131 CONN_DEC_REF(connp);
6133 6132 return (itp);
6134 6133 }
6135 6134
6136 6135 /*
6137 6136 * Frag cache code, based on SunScreen 3.2 source
6138 6137 * screen/kernel/common/screen_fragcache.c
6139 6138 */
6140 6139
6141 6140 #define IPSEC_FRAG_TTL_MAX 5
6142 6141 /*
6143 6142 * Note that the following parameters create 256 hash buckets
6144 6143 * with 1024 free entries to be distributed. Things are cleaned
6145 6144 * periodically and are attempted to be cleaned when there is no
6146 6145 * free space, but this system errs on the side of dropping packets
6147 6146 * over creating memory exhaustion. We may decide to make hash
6148 6147 * factor a tunable if this proves to be a bad decision.
6149 6148 */
6150 6149 #define IPSEC_FRAG_HASH_SLOTS (1<<8)
6151 6150 #define IPSEC_FRAG_HASH_FACTOR 4
6152 6151 #define IPSEC_FRAG_HASH_SIZE (IPSEC_FRAG_HASH_SLOTS * IPSEC_FRAG_HASH_FACTOR)
6153 6152
6154 6153 #define IPSEC_FRAG_HASH_MASK (IPSEC_FRAG_HASH_SLOTS - 1)
6155 6154 #define IPSEC_FRAG_HASH_FUNC(id) (((id) & IPSEC_FRAG_HASH_MASK) ^ \
6156 6155 (((id) / \
6157 6156 (ushort_t)IPSEC_FRAG_HASH_SLOTS) & \
6158 6157 IPSEC_FRAG_HASH_MASK))
6159 6158
6160 6159 /* Maximum fragments per packet. 48 bytes payload x 1366 packets > 64KB */
6161 6160 #define IPSEC_MAX_FRAGS 1366
6162 6161
6163 6162 #define V4_FRAG_OFFSET(ipha) ((ntohs(ipha->ipha_fragment_offset_and_flags) & \
6164 6163 IPH_OFFSET) << 3)
6165 6164 #define V4_MORE_FRAGS(ipha) (ntohs(ipha->ipha_fragment_offset_and_flags) & \
6166 6165 IPH_MF)
6167 6166
6168 6167 /*
6169 6168 * Initialize an ipsec fragcache instance.
6170 6169 * Returns B_FALSE if memory allocation fails.
6171 6170 */
6172 6171 boolean_t
6173 6172 ipsec_fragcache_init(ipsec_fragcache_t *frag)
6174 6173 {
6175 6174 ipsec_fragcache_entry_t *ftemp;
6176 6175 int i;
6177 6176
6178 6177 mutex_init(&frag->itpf_lock, NULL, MUTEX_DEFAULT, NULL);
6179 6178 frag->itpf_ptr = (ipsec_fragcache_entry_t **)
6180 6179 kmem_zalloc(sizeof (ipsec_fragcache_entry_t *) *
6181 6180 IPSEC_FRAG_HASH_SLOTS, KM_NOSLEEP);
6182 6181 if (frag->itpf_ptr == NULL)
6183 6182 return (B_FALSE);
6184 6183
6185 6184 ftemp = (ipsec_fragcache_entry_t *)
6186 6185 kmem_zalloc(sizeof (ipsec_fragcache_entry_t) *
6187 6186 IPSEC_FRAG_HASH_SIZE, KM_NOSLEEP);
6188 6187 if (ftemp == NULL) {
6189 6188 kmem_free(frag->itpf_ptr, sizeof (ipsec_fragcache_entry_t *) *
6190 6189 IPSEC_FRAG_HASH_SLOTS);
6191 6190 return (B_FALSE);
6192 6191 }
6193 6192
6194 6193 frag->itpf_freelist = NULL;
6195 6194
6196 6195 for (i = 0; i < IPSEC_FRAG_HASH_SIZE; i++) {
6197 6196 ftemp->itpfe_next = frag->itpf_freelist;
6198 6197 frag->itpf_freelist = ftemp;
6199 6198 ftemp++;
6200 6199 }
6201 6200
6202 6201 frag->itpf_expire_hint = 0;
6203 6202
6204 6203 return (B_TRUE);
6205 6204 }
6206 6205
6207 6206 void
6208 6207 ipsec_fragcache_uninit(ipsec_fragcache_t *frag, ipsec_stack_t *ipss)
6209 6208 {
6210 6209 ipsec_fragcache_entry_t *fep;
6211 6210 int i;
6212 6211
6213 6212 mutex_enter(&frag->itpf_lock);
6214 6213 if (frag->itpf_ptr) {
6215 6214 /* Delete any existing fragcache entry chains */
6216 6215 for (i = 0; i < IPSEC_FRAG_HASH_SLOTS; i++) {
6217 6216 fep = (frag->itpf_ptr)[i];
6218 6217 while (fep != NULL) {
6219 6218 /* Returned fep is next in chain or NULL */
6220 6219 fep = fragcache_delentry(i, fep, frag, ipss);
6221 6220 }
6222 6221 }
6223 6222 /*
6224 6223 * Chase the pointers back to the beginning
6225 6224 * of the memory allocation and then
6226 6225 * get rid of the allocated freelist
6227 6226 */
6228 6227 while (frag->itpf_freelist->itpfe_next != NULL)
6229 6228 frag->itpf_freelist = frag->itpf_freelist->itpfe_next;
6230 6229 /*
6231 6230 * XXX - If we ever dynamically grow the freelist
6232 6231 * then we'll have to free entries individually
6233 6232 * or determine how many entries or chunks we have
6234 6233 * grown since the initial allocation.
6235 6234 */
6236 6235 kmem_free(frag->itpf_freelist,
6237 6236 sizeof (ipsec_fragcache_entry_t) *
6238 6237 IPSEC_FRAG_HASH_SIZE);
6239 6238 /* Free the fragcache structure */
6240 6239 kmem_free(frag->itpf_ptr,
6241 6240 sizeof (ipsec_fragcache_entry_t *) *
6242 6241 IPSEC_FRAG_HASH_SLOTS);
6243 6242 }
6244 6243 mutex_exit(&frag->itpf_lock);
6245 6244 mutex_destroy(&frag->itpf_lock);
6246 6245 }
6247 6246
6248 6247 /*
6249 6248 * Add a fragment to the fragment cache. Consumes mp if NULL is returned.
6250 6249 * Returns mp if a whole fragment has been assembled, NULL otherwise
6251 6250 * The returned mp could be a b_next chain of fragments.
6252 6251 *
6253 6252 * The iramp argument is set on inbound; NULL if outbound.
6254 6253 */
6255 6254 mblk_t *
6256 6255 ipsec_fragcache_add(ipsec_fragcache_t *frag, mblk_t *iramp, mblk_t *mp,
6257 6256 int outer_hdr_len, ipsec_stack_t *ipss)
6258 6257 {
6259 6258 boolean_t is_v4;
6260 6259 time_t itpf_time;
6261 6260 ipha_t *iph;
6262 6261 ipha_t *oiph;
6263 6262 ip6_t *ip6h = NULL;
6264 6263 uint8_t v6_proto;
6265 6264 uint8_t *v6_proto_p;
6266 6265 uint16_t ip6_hdr_length;
6267 6266 ip_pkt_t ipp;
6268 6267 ip6_frag_t *fraghdr;
6269 6268 ipsec_fragcache_entry_t *fep;
6270 6269 int i;
6271 6270 mblk_t *nmp, *prevmp;
6272 6271 int firstbyte, lastbyte;
6273 6272 int offset;
6274 6273 int last;
6275 6274 boolean_t inbound = (iramp != NULL);
6276 6275
6277 6276 #ifdef FRAGCACHE_DEBUG
6278 6277 cmn_err(CE_WARN, "Fragcache: %s\n", inbound ? "INBOUND" : "OUTBOUND");
6279 6278 #endif
6280 6279 /*
6281 6280 * You're on the slow path, so insure that every packet in the
6282 6281 * cache is a single-mblk one.
6283 6282 */
6284 6283 if (mp->b_cont != NULL) {
6285 6284 nmp = msgpullup(mp, -1);
6286 6285 if (nmp == NULL) {
6287 6286 ip_drop_packet(mp, inbound, NULL,
6288 6287 DROPPER(ipss, ipds_spd_nomem),
6289 6288 &ipss->ipsec_spd_dropper);
6290 6289 if (inbound)
6291 6290 (void) ip_recv_attr_free_mblk(iramp);
6292 6291 return (NULL);
6293 6292 }
6294 6293 freemsg(mp);
6295 6294 mp = nmp;
6296 6295 }
6297 6296
6298 6297 mutex_enter(&frag->itpf_lock);
6299 6298
6300 6299 oiph = (ipha_t *)mp->b_rptr;
6301 6300 iph = (ipha_t *)(mp->b_rptr + outer_hdr_len);
6302 6301
6303 6302 if (IPH_HDR_VERSION(iph) == IPV4_VERSION) {
6304 6303 is_v4 = B_TRUE;
6305 6304 } else {
6306 6305 ASSERT(IPH_HDR_VERSION(iph) == IPV6_VERSION);
6307 6306 ip6h = (ip6_t *)(mp->b_rptr + outer_hdr_len);
6308 6307
6309 6308 if (!ip_hdr_length_nexthdr_v6(mp, ip6h, &ip6_hdr_length,
6310 6309 &v6_proto_p)) {
6311 6310 /*
6312 6311 * Find upper layer protocol.
6313 6312 * If it fails we have a malformed packet
6314 6313 */
6315 6314 mutex_exit(&frag->itpf_lock);
6316 6315 ip_drop_packet(mp, inbound, NULL,
6317 6316 DROPPER(ipss, ipds_spd_malformed_packet),
6318 6317 &ipss->ipsec_spd_dropper);
6319 6318 if (inbound)
6320 6319 (void) ip_recv_attr_free_mblk(iramp);
6321 6320 return (NULL);
6322 6321 } else {
6323 6322 v6_proto = *v6_proto_p;
6324 6323 }
6325 6324
6326 6325
6327 6326 bzero(&ipp, sizeof (ipp));
6328 6327 (void) ip_find_hdr_v6(mp, ip6h, B_FALSE, &ipp, NULL);
6329 6328 if (!(ipp.ipp_fields & IPPF_FRAGHDR)) {
6330 6329 /*
6331 6330 * We think this is a fragment, but didn't find
6332 6331 * a fragment header. Something is wrong.
6333 6332 */
6334 6333 mutex_exit(&frag->itpf_lock);
6335 6334 ip_drop_packet(mp, inbound, NULL,
6336 6335 DROPPER(ipss, ipds_spd_malformed_frag),
6337 6336 &ipss->ipsec_spd_dropper);
6338 6337 if (inbound)
6339 6338 (void) ip_recv_attr_free_mblk(iramp);
6340 6339 return (NULL);
6341 6340 }
6342 6341 fraghdr = ipp.ipp_fraghdr;
6343 6342 is_v4 = B_FALSE;
6344 6343 }
6345 6344
6346 6345 /* Anything to cleanup? */
6347 6346
6348 6347 /*
6349 6348 * This cleanup call could be put in a timer loop
6350 6349 * but it may actually be just as reasonable a decision to
6351 6350 * leave it here. The disadvantage is this only gets called when
6352 6351 * frags are added. The advantage is that it is not
6353 6352 * susceptible to race conditions like a time-based cleanup
6354 6353 * may be.
6355 6354 */
6356 6355 itpf_time = gethrestime_sec();
6357 6356 if (itpf_time >= frag->itpf_expire_hint)
6358 6357 ipsec_fragcache_clean(frag, ipss);
6359 6358
6360 6359 /* Lookup to see if there is an existing entry */
6361 6360
6362 6361 if (is_v4)
6363 6362 i = IPSEC_FRAG_HASH_FUNC(iph->ipha_ident);
6364 6363 else
6365 6364 i = IPSEC_FRAG_HASH_FUNC(fraghdr->ip6f_ident);
6366 6365
6367 6366 for (fep = (frag->itpf_ptr)[i]; fep; fep = fep->itpfe_next) {
6368 6367 if (is_v4) {
6369 6368 ASSERT(iph != NULL);
6370 6369 if ((fep->itpfe_id == iph->ipha_ident) &&
6371 6370 (fep->itpfe_src == iph->ipha_src) &&
6372 6371 (fep->itpfe_dst == iph->ipha_dst) &&
6373 6372 (fep->itpfe_proto == iph->ipha_protocol))
6374 6373 break;
6375 6374 } else {
6376 6375 ASSERT(fraghdr != NULL);
6377 6376 ASSERT(fep != NULL);
6378 6377 if ((fep->itpfe_id == fraghdr->ip6f_ident) &&
6379 6378 IN6_ARE_ADDR_EQUAL(&fep->itpfe_src6,
6380 6379 &ip6h->ip6_src) &&
6381 6380 IN6_ARE_ADDR_EQUAL(&fep->itpfe_dst6,
6382 6381 &ip6h->ip6_dst) && (fep->itpfe_proto == v6_proto))
6383 6382 break;
6384 6383 }
6385 6384 }
6386 6385
6387 6386 if (is_v4) {
6388 6387 firstbyte = V4_FRAG_OFFSET(iph);
6389 6388 lastbyte = firstbyte + ntohs(iph->ipha_length) -
6390 6389 IPH_HDR_LENGTH(iph);
6391 6390 last = (V4_MORE_FRAGS(iph) == 0);
6392 6391 #ifdef FRAGCACHE_DEBUG
6393 6392 cmn_err(CE_WARN, "V4 fragcache: firstbyte = %d, lastbyte = %d, "
6394 6393 "is_last_frag = %d, id = %d, mp = %p\n", firstbyte,
6395 6394 lastbyte, last, iph->ipha_ident, mp);
6396 6395 #endif
6397 6396 } else {
6398 6397 firstbyte = ntohs(fraghdr->ip6f_offlg & IP6F_OFF_MASK);
6399 6398 lastbyte = firstbyte + ntohs(ip6h->ip6_plen) +
6400 6399 sizeof (ip6_t) - ip6_hdr_length;
6401 6400 last = (fraghdr->ip6f_offlg & IP6F_MORE_FRAG) == 0;
6402 6401 #ifdef FRAGCACHE_DEBUG
6403 6402 cmn_err(CE_WARN, "V6 fragcache: firstbyte = %d, lastbyte = %d, "
6404 6403 "is_last_frag = %d, id = %d, fraghdr = %p, mp = %p\n",
6405 6404 firstbyte, lastbyte, last, fraghdr->ip6f_ident, fraghdr,
6406 6405 mp);
6407 6406 #endif
6408 6407 }
6409 6408
6410 6409 /* check for bogus fragments and delete the entry */
6411 6410 if (firstbyte > 0 && firstbyte <= 8) {
6412 6411 if (fep != NULL)
6413 6412 (void) fragcache_delentry(i, fep, frag, ipss);
6414 6413 mutex_exit(&frag->itpf_lock);
6415 6414 ip_drop_packet(mp, inbound, NULL,
6416 6415 DROPPER(ipss, ipds_spd_malformed_frag),
6417 6416 &ipss->ipsec_spd_dropper);
6418 6417 if (inbound)
6419 6418 (void) ip_recv_attr_free_mblk(iramp);
6420 6419 return (NULL);
6421 6420 }
6422 6421
6423 6422 /* Not found, allocate a new entry */
6424 6423 if (fep == NULL) {
6425 6424 if (frag->itpf_freelist == NULL) {
6426 6425 /* see if there is some space */
6427 6426 ipsec_fragcache_clean(frag, ipss);
6428 6427 if (frag->itpf_freelist == NULL) {
6429 6428 mutex_exit(&frag->itpf_lock);
6430 6429 ip_drop_packet(mp, inbound, NULL,
6431 6430 DROPPER(ipss, ipds_spd_nomem),
6432 6431 &ipss->ipsec_spd_dropper);
6433 6432 if (inbound)
6434 6433 (void) ip_recv_attr_free_mblk(iramp);
6435 6434 return (NULL);
6436 6435 }
6437 6436 }
6438 6437
6439 6438 fep = frag->itpf_freelist;
6440 6439 frag->itpf_freelist = fep->itpfe_next;
6441 6440
6442 6441 if (is_v4) {
6443 6442 bcopy((caddr_t)&iph->ipha_src, (caddr_t)&fep->itpfe_src,
6444 6443 sizeof (struct in_addr));
6445 6444 bcopy((caddr_t)&iph->ipha_dst, (caddr_t)&fep->itpfe_dst,
6446 6445 sizeof (struct in_addr));
6447 6446 fep->itpfe_id = iph->ipha_ident;
6448 6447 fep->itpfe_proto = iph->ipha_protocol;
6449 6448 i = IPSEC_FRAG_HASH_FUNC(fep->itpfe_id);
6450 6449 } else {
6451 6450 bcopy((in6_addr_t *)&ip6h->ip6_src,
6452 6451 (in6_addr_t *)&fep->itpfe_src6,
6453 6452 sizeof (struct in6_addr));
6454 6453 bcopy((in6_addr_t *)&ip6h->ip6_dst,
6455 6454 (in6_addr_t *)&fep->itpfe_dst6,
6456 6455 sizeof (struct in6_addr));
6457 6456 fep->itpfe_id = fraghdr->ip6f_ident;
6458 6457 fep->itpfe_proto = v6_proto;
6459 6458 i = IPSEC_FRAG_HASH_FUNC(fep->itpfe_id);
6460 6459 }
6461 6460 itpf_time = gethrestime_sec();
6462 6461 fep->itpfe_exp = itpf_time + IPSEC_FRAG_TTL_MAX + 1;
6463 6462 fep->itpfe_last = 0;
6464 6463 fep->itpfe_fraglist = NULL;
6465 6464 fep->itpfe_depth = 0;
6466 6465 fep->itpfe_next = (frag->itpf_ptr)[i];
6467 6466 (frag->itpf_ptr)[i] = fep;
6468 6467
6469 6468 if (frag->itpf_expire_hint > fep->itpfe_exp)
6470 6469 frag->itpf_expire_hint = fep->itpfe_exp;
6471 6470
6472 6471 }
6473 6472
6474 6473 /* Insert it in the frag list */
6475 6474 /* List is in order by starting offset of fragments */
6476 6475
6477 6476 prevmp = NULL;
6478 6477 for (nmp = fep->itpfe_fraglist; nmp; nmp = nmp->b_next) {
6479 6478 ipha_t *niph;
6480 6479 ipha_t *oniph;
6481 6480 ip6_t *nip6h;
6482 6481 ip_pkt_t nipp;
6483 6482 ip6_frag_t *nfraghdr;
6484 6483 uint16_t nip6_hdr_length;
6485 6484 uint8_t *nv6_proto_p;
6486 6485 int nfirstbyte, nlastbyte;
6487 6486 char *data, *ndata;
6488 6487 mblk_t *ndata_mp = (inbound ? nmp->b_cont : nmp);
6489 6488 int hdr_len;
6490 6489
6491 6490 oniph = (ipha_t *)mp->b_rptr;
6492 6491 nip6h = NULL;
6493 6492 niph = NULL;
6494 6493
6495 6494 /*
6496 6495 * Determine outer header type and length and set
6497 6496 * pointers appropriately
6498 6497 */
6499 6498
6500 6499 if (IPH_HDR_VERSION(oniph) == IPV4_VERSION) {
6501 6500 hdr_len = ((outer_hdr_len != 0) ?
6502 6501 IPH_HDR_LENGTH(oiph) : 0);
6503 6502 niph = (ipha_t *)(ndata_mp->b_rptr + hdr_len);
6504 6503 } else {
6505 6504 ASSERT(IPH_HDR_VERSION(oniph) == IPV6_VERSION);
6506 6505 ASSERT(ndata_mp->b_cont == NULL);
6507 6506 nip6h = (ip6_t *)ndata_mp->b_rptr;
6508 6507 (void) ip_hdr_length_nexthdr_v6(ndata_mp, nip6h,
6509 6508 &nip6_hdr_length, &v6_proto_p);
6510 6509 hdr_len = ((outer_hdr_len != 0) ? nip6_hdr_length : 0);
6511 6510 }
6512 6511
6513 6512 /*
6514 6513 * Determine inner header type and length and set
6515 6514 * pointers appropriately
6516 6515 */
6517 6516
6518 6517 if (is_v4) {
6519 6518 if (niph == NULL) {
6520 6519 /* Was v6 outer */
6521 6520 niph = (ipha_t *)(ndata_mp->b_rptr + hdr_len);
6522 6521 }
6523 6522 nfirstbyte = V4_FRAG_OFFSET(niph);
6524 6523 nlastbyte = nfirstbyte + ntohs(niph->ipha_length) -
6525 6524 IPH_HDR_LENGTH(niph);
6526 6525 } else {
6527 6526 ASSERT(ndata_mp->b_cont == NULL);
6528 6527 nip6h = (ip6_t *)(ndata_mp->b_rptr + hdr_len);
6529 6528 if (!ip_hdr_length_nexthdr_v6(ndata_mp, nip6h,
6530 6529 &nip6_hdr_length, &nv6_proto_p)) {
6531 6530 mutex_exit(&frag->itpf_lock);
6532 6531 ip_drop_packet_chain(nmp, inbound, NULL,
6533 6532 DROPPER(ipss, ipds_spd_malformed_frag),
6534 6533 &ipss->ipsec_spd_dropper);
6535 6534 ipsec_freemsg_chain(ndata_mp);
6536 6535 if (inbound)
6537 6536 (void) ip_recv_attr_free_mblk(iramp);
6538 6537 return (NULL);
6539 6538 }
6540 6539 bzero(&nipp, sizeof (nipp));
6541 6540 (void) ip_find_hdr_v6(ndata_mp, nip6h, B_FALSE, &nipp,
6542 6541 NULL);
6543 6542 nfraghdr = nipp.ipp_fraghdr;
6544 6543 nfirstbyte = ntohs(nfraghdr->ip6f_offlg &
6545 6544 IP6F_OFF_MASK);
6546 6545 nlastbyte = nfirstbyte + ntohs(nip6h->ip6_plen) +
6547 6546 sizeof (ip6_t) - nip6_hdr_length;
6548 6547 }
6549 6548
6550 6549 /* Check for overlapping fragments */
6551 6550 if (firstbyte >= nfirstbyte && firstbyte < nlastbyte) {
6552 6551 /*
6553 6552 * Overlap Check:
6554 6553 * ~~~~--------- # Check if the newly
6555 6554 * ~ ndata_mp| # received fragment
6556 6555 * ~~~~--------- # overlaps with the
6557 6556 * ---------~~~~~~ # current fragment.
6558 6557 * | mp ~
6559 6558 * ---------~~~~~~
6560 6559 */
6561 6560 if (is_v4) {
6562 6561 data = (char *)iph + IPH_HDR_LENGTH(iph) +
6563 6562 firstbyte - nfirstbyte;
6564 6563 ndata = (char *)niph + IPH_HDR_LENGTH(niph);
6565 6564 } else {
6566 6565 data = (char *)ip6h +
6567 6566 nip6_hdr_length + firstbyte -
6568 6567 nfirstbyte;
6569 6568 ndata = (char *)nip6h + nip6_hdr_length;
6570 6569 }
6571 6570 if (bcmp(data, ndata, MIN(lastbyte, nlastbyte) -
6572 6571 firstbyte)) {
6573 6572 /* Overlapping data does not match */
6574 6573 (void) fragcache_delentry(i, fep, frag, ipss);
6575 6574 mutex_exit(&frag->itpf_lock);
6576 6575 ip_drop_packet(mp, inbound, NULL,
6577 6576 DROPPER(ipss, ipds_spd_overlap_frag),
6578 6577 &ipss->ipsec_spd_dropper);
6579 6578 if (inbound)
6580 6579 (void) ip_recv_attr_free_mblk(iramp);
6581 6580 return (NULL);
6582 6581 }
6583 6582 /* Part of defense for jolt2.c fragmentation attack */
6584 6583 if (firstbyte >= nfirstbyte && lastbyte <= nlastbyte) {
6585 6584 /*
6586 6585 * Check for identical or subset fragments:
6587 6586 * ---------- ~~~~--------~~~~~
6588 6587 * | nmp | or ~ nmp ~
6589 6588 * ---------- ~~~~--------~~~~~
6590 6589 * ---------- ------
6591 6590 * | mp | | mp |
6592 6591 * ---------- ------
6593 6592 */
6594 6593 mutex_exit(&frag->itpf_lock);
6595 6594 ip_drop_packet(mp, inbound, NULL,
6596 6595 DROPPER(ipss, ipds_spd_evil_frag),
6597 6596 &ipss->ipsec_spd_dropper);
6598 6597 if (inbound)
6599 6598 (void) ip_recv_attr_free_mblk(iramp);
6600 6599 return (NULL);
6601 6600 }
6602 6601
6603 6602 }
6604 6603
6605 6604 /* Correct location for this fragment? */
6606 6605 if (firstbyte <= nfirstbyte) {
6607 6606 /*
6608 6607 * Check if the tail end of the new fragment overlaps
6609 6608 * with the head of the current fragment.
6610 6609 * --------~~~~~~~
6611 6610 * | nmp ~
6612 6611 * --------~~~~~~~
6613 6612 * ~~~~~--------
6614 6613 * ~ mp |
6615 6614 * ~~~~~--------
6616 6615 */
6617 6616 if (lastbyte > nfirstbyte) {
6618 6617 /* Fragments overlap */
6619 6618 data = (char *)iph + IPH_HDR_LENGTH(iph) +
6620 6619 firstbyte - nfirstbyte;
6621 6620 ndata = (char *)niph + IPH_HDR_LENGTH(niph);
6622 6621 if (is_v4) {
6623 6622 data = (char *)iph +
6624 6623 IPH_HDR_LENGTH(iph) + firstbyte -
6625 6624 nfirstbyte;
6626 6625 ndata = (char *)niph +
6627 6626 IPH_HDR_LENGTH(niph);
6628 6627 } else {
6629 6628 data = (char *)ip6h +
6630 6629 nip6_hdr_length + firstbyte -
6631 6630 nfirstbyte;
6632 6631 ndata = (char *)nip6h + nip6_hdr_length;
6633 6632 }
6634 6633 if (bcmp(data, ndata, MIN(lastbyte, nlastbyte)
6635 6634 - nfirstbyte)) {
6636 6635 /* Overlap mismatch */
6637 6636 (void) fragcache_delentry(i, fep, frag,
6638 6637 ipss);
6639 6638 mutex_exit(&frag->itpf_lock);
6640 6639 ip_drop_packet(mp, inbound, NULL,
6641 6640 DROPPER(ipss,
6642 6641 ipds_spd_overlap_frag),
6643 6642 &ipss->ipsec_spd_dropper);
6644 6643 if (inbound) {
6645 6644 (void) ip_recv_attr_free_mblk(
6646 6645 iramp);
6647 6646 }
6648 6647 return (NULL);
6649 6648 }
6650 6649 }
6651 6650
6652 6651 /*
6653 6652 * Fragment does not illegally overlap and can now
6654 6653 * be inserted into the chain
6655 6654 */
6656 6655 break;
6657 6656 }
6658 6657
6659 6658 prevmp = nmp;
6660 6659 }
6661 6660 /* Prepend the attributes before we link it in */
6662 6661 if (iramp != NULL) {
6663 6662 ASSERT(iramp->b_cont == NULL);
6664 6663 iramp->b_cont = mp;
6665 6664 mp = iramp;
6666 6665 iramp = NULL;
6667 6666 }
6668 6667 mp->b_next = nmp;
6669 6668
6670 6669 if (prevmp == NULL) {
6671 6670 fep->itpfe_fraglist = mp;
6672 6671 } else {
6673 6672 prevmp->b_next = mp;
6674 6673 }
6675 6674 if (last)
6676 6675 fep->itpfe_last = 1;
6677 6676
6678 6677 /* Part of defense for jolt2.c fragmentation attack */
6679 6678 if (++(fep->itpfe_depth) > IPSEC_MAX_FRAGS) {
6680 6679 (void) fragcache_delentry(i, fep, frag, ipss);
6681 6680 mutex_exit(&frag->itpf_lock);
6682 6681 if (inbound)
6683 6682 mp = ip_recv_attr_free_mblk(mp);
6684 6683
6685 6684 ip_drop_packet(mp, inbound, NULL,
6686 6685 DROPPER(ipss, ipds_spd_max_frags),
6687 6686 &ipss->ipsec_spd_dropper);
6688 6687 return (NULL);
6689 6688 }
6690 6689
6691 6690 /* Check for complete packet */
6692 6691
6693 6692 if (!fep->itpfe_last) {
6694 6693 mutex_exit(&frag->itpf_lock);
6695 6694 #ifdef FRAGCACHE_DEBUG
6696 6695 cmn_err(CE_WARN, "Fragment cached, last not yet seen.\n");
6697 6696 #endif
6698 6697 return (NULL);
6699 6698 }
6700 6699
6701 6700 offset = 0;
6702 6701 for (mp = fep->itpfe_fraglist; mp; mp = mp->b_next) {
6703 6702 mblk_t *data_mp = (inbound ? mp->b_cont : mp);
6704 6703 int hdr_len;
6705 6704
6706 6705 oiph = (ipha_t *)data_mp->b_rptr;
6707 6706 ip6h = NULL;
6708 6707 iph = NULL;
6709 6708
6710 6709 if (IPH_HDR_VERSION(oiph) == IPV4_VERSION) {
6711 6710 hdr_len = ((outer_hdr_len != 0) ?
6712 6711 IPH_HDR_LENGTH(oiph) : 0);
6713 6712 iph = (ipha_t *)(data_mp->b_rptr + hdr_len);
6714 6713 } else {
6715 6714 ASSERT(IPH_HDR_VERSION(oiph) == IPV6_VERSION);
6716 6715 ASSERT(data_mp->b_cont == NULL);
6717 6716 ip6h = (ip6_t *)data_mp->b_rptr;
6718 6717 (void) ip_hdr_length_nexthdr_v6(data_mp, ip6h,
6719 6718 &ip6_hdr_length, &v6_proto_p);
6720 6719 hdr_len = ((outer_hdr_len != 0) ? ip6_hdr_length : 0);
6721 6720 }
6722 6721
6723 6722 /* Calculate current fragment start/end */
6724 6723 if (is_v4) {
6725 6724 if (iph == NULL) {
6726 6725 /* Was v6 outer */
6727 6726 iph = (ipha_t *)(data_mp->b_rptr + hdr_len);
6728 6727 }
6729 6728 firstbyte = V4_FRAG_OFFSET(iph);
6730 6729 lastbyte = firstbyte + ntohs(iph->ipha_length) -
6731 6730 IPH_HDR_LENGTH(iph);
6732 6731 } else {
6733 6732 ASSERT(data_mp->b_cont == NULL);
6734 6733 ip6h = (ip6_t *)(data_mp->b_rptr + hdr_len);
6735 6734 if (!ip_hdr_length_nexthdr_v6(data_mp, ip6h,
6736 6735 &ip6_hdr_length, &v6_proto_p)) {
6737 6736 mutex_exit(&frag->itpf_lock);
6738 6737 ip_drop_packet_chain(mp, inbound, NULL,
6739 6738 DROPPER(ipss, ipds_spd_malformed_frag),
6740 6739 &ipss->ipsec_spd_dropper);
6741 6740 return (NULL);
6742 6741 }
6743 6742 v6_proto = *v6_proto_p;
6744 6743 bzero(&ipp, sizeof (ipp));
6745 6744 (void) ip_find_hdr_v6(data_mp, ip6h, B_FALSE, &ipp,
6746 6745 NULL);
6747 6746 fraghdr = ipp.ipp_fraghdr;
6748 6747 firstbyte = ntohs(fraghdr->ip6f_offlg &
6749 6748 IP6F_OFF_MASK);
6750 6749 lastbyte = firstbyte + ntohs(ip6h->ip6_plen) +
6751 6750 sizeof (ip6_t) - ip6_hdr_length;
6752 6751 }
6753 6752
6754 6753 /*
6755 6754 * If this fragment is greater than current offset,
6756 6755 * we have a missing fragment so return NULL
6757 6756 */
6758 6757 if (firstbyte > offset) {
6759 6758 mutex_exit(&frag->itpf_lock);
6760 6759 #ifdef FRAGCACHE_DEBUG
6761 6760 /*
6762 6761 * Note, this can happen when the last frag
6763 6762 * gets sent through because it is smaller
6764 6763 * than the MTU. It is not necessarily an
6765 6764 * error condition.
6766 6765 */
6767 6766 cmn_err(CE_WARN, "Frag greater than offset! : "
6768 6767 "missing fragment: firstbyte = %d, offset = %d, "
6769 6768 "mp = %p\n", firstbyte, offset, mp);
6770 6769 #endif
6771 6770 return (NULL);
6772 6771 }
6773 6772 #ifdef FRAGCACHE_DEBUG
6774 6773 cmn_err(CE_WARN, "Frag offsets : "
6775 6774 "firstbyte = %d, offset = %d, mp = %p\n",
6776 6775 firstbyte, offset, mp);
6777 6776 #endif
6778 6777
6779 6778 /*
6780 6779 * If we are at the last fragment, we have the complete
6781 6780 * packet, so rechain things and return it to caller
6782 6781 * for processing
6783 6782 */
6784 6783
6785 6784 if ((is_v4 && !V4_MORE_FRAGS(iph)) ||
6786 6785 (!is_v4 && !(fraghdr->ip6f_offlg & IP6F_MORE_FRAG))) {
6787 6786 mp = fep->itpfe_fraglist;
6788 6787 fep->itpfe_fraglist = NULL;
6789 6788 (void) fragcache_delentry(i, fep, frag, ipss);
6790 6789 mutex_exit(&frag->itpf_lock);
6791 6790
6792 6791 if ((is_v4 && (firstbyte + ntohs(iph->ipha_length) >
6793 6792 65535)) || (!is_v4 && (firstbyte +
6794 6793 ntohs(ip6h->ip6_plen) > 65535))) {
6795 6794 /* It is an invalid "ping-o-death" packet */
6796 6795 /* Discard it */
6797 6796 ip_drop_packet_chain(mp, inbound, NULL,
6798 6797 DROPPER(ipss, ipds_spd_evil_frag),
6799 6798 &ipss->ipsec_spd_dropper);
6800 6799 return (NULL);
6801 6800 }
6802 6801 #ifdef FRAGCACHE_DEBUG
6803 6802 cmn_err(CE_WARN, "Fragcache returning mp = %p, "
6804 6803 "mp->b_next = %p", mp, mp->b_next);
6805 6804 #endif
6806 6805 /*
6807 6806 * For inbound case, mp has attrmp b_next'd chain
6808 6807 * For outbound case, it is just data mp chain
6809 6808 */
6810 6809 return (mp);
6811 6810 }
6812 6811
6813 6812 /*
6814 6813 * Update new ending offset if this
6815 6814 * fragment extends the packet
6816 6815 */
6817 6816 if (offset < lastbyte)
6818 6817 offset = lastbyte;
6819 6818 }
6820 6819
6821 6820 mutex_exit(&frag->itpf_lock);
6822 6821
6823 6822 /* Didn't find last fragment, so return NULL */
6824 6823 return (NULL);
6825 6824 }
6826 6825
6827 6826 static void
6828 6827 ipsec_fragcache_clean(ipsec_fragcache_t *frag, ipsec_stack_t *ipss)
6829 6828 {
6830 6829 ipsec_fragcache_entry_t *fep;
6831 6830 int i;
6832 6831 ipsec_fragcache_entry_t *earlyfep = NULL;
6833 6832 time_t itpf_time;
6834 6833 int earlyexp;
6835 6834 int earlyi = 0;
6836 6835
6837 6836 ASSERT(MUTEX_HELD(&frag->itpf_lock));
6838 6837
6839 6838 itpf_time = gethrestime_sec();
6840 6839 earlyexp = itpf_time + 10000;
6841 6840
6842 6841 for (i = 0; i < IPSEC_FRAG_HASH_SLOTS; i++) {
6843 6842 fep = (frag->itpf_ptr)[i];
6844 6843 while (fep) {
6845 6844 if (fep->itpfe_exp < itpf_time) {
6846 6845 /* found */
6847 6846 fep = fragcache_delentry(i, fep, frag, ipss);
6848 6847 } else {
6849 6848 if (fep->itpfe_exp < earlyexp) {
6850 6849 earlyfep = fep;
6851 6850 earlyexp = fep->itpfe_exp;
6852 6851 earlyi = i;
6853 6852 }
6854 6853 fep = fep->itpfe_next;
6855 6854 }
6856 6855 }
6857 6856 }
6858 6857
6859 6858 frag->itpf_expire_hint = earlyexp;
6860 6859
6861 6860 /* if (!found) */
6862 6861 if (frag->itpf_freelist == NULL)
6863 6862 (void) fragcache_delentry(earlyi, earlyfep, frag, ipss);
6864 6863 }
6865 6864
6866 6865 static ipsec_fragcache_entry_t *
6867 6866 fragcache_delentry(int slot, ipsec_fragcache_entry_t *fep,
6868 6867 ipsec_fragcache_t *frag, ipsec_stack_t *ipss)
6869 6868 {
6870 6869 ipsec_fragcache_entry_t *targp;
6871 6870 ipsec_fragcache_entry_t *nextp = fep->itpfe_next;
6872 6871
6873 6872 ASSERT(MUTEX_HELD(&frag->itpf_lock));
6874 6873
6875 6874 /* Free up any fragment list still in cache entry */
6876 6875 if (fep->itpfe_fraglist != NULL) {
6877 6876 ip_drop_packet_chain(fep->itpfe_fraglist,
6878 6877 ip_recv_attr_is_mblk(fep->itpfe_fraglist), NULL,
6879 6878 DROPPER(ipss, ipds_spd_expired_frags),
6880 6879 &ipss->ipsec_spd_dropper);
6881 6880 }
6882 6881 fep->itpfe_fraglist = NULL;
6883 6882
6884 6883 targp = (frag->itpf_ptr)[slot];
6885 6884 ASSERT(targp != 0);
6886 6885
6887 6886 if (targp == fep) {
6888 6887 /* unlink from head of hash chain */
6889 6888 (frag->itpf_ptr)[slot] = nextp;
6890 6889 /* link into free list */
6891 6890 fep->itpfe_next = frag->itpf_freelist;
6892 6891 frag->itpf_freelist = fep;
6893 6892 return (nextp);
6894 6893 }
6895 6894
6896 6895 /* maybe should use double linked list to make update faster */
6897 6896 /* must be past front of chain */
6898 6897 while (targp) {
6899 6898 if (targp->itpfe_next == fep) {
6900 6899 /* unlink from hash chain */
6901 6900 targp->itpfe_next = nextp;
6902 6901 /* link into free list */
6903 6902 fep->itpfe_next = frag->itpf_freelist;
6904 6903 frag->itpf_freelist = fep;
6905 6904 return (nextp);
6906 6905 }
6907 6906 targp = targp->itpfe_next;
6908 6907 ASSERT(targp != 0);
6909 6908 }
6910 6909 /* NOTREACHED */
6911 6910 return (NULL);
6912 6911 }
|
↓ open down ↓ |
5825 lines elided |
↑ open up ↑ |
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX