4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21 /*
22 * Copyright 2010 Sun Microsystems, Inc. All rights reserved.
23 * Use is subject to license terms.
24 */
25
26 #include <sys/types.h>
27 #include <sys/stream.h>
28 #include <sys/stropts.h>
29 #include <sys/errno.h>
30 #include <sys/strlog.h>
31 #include <sys/tihdr.h>
32 #include <sys/socket.h>
33 #include <sys/ddi.h>
34 #include <sys/sunddi.h>
35 #include <sys/kmem.h>
36 #include <sys/zone.h>
37 #include <sys/sysmacros.h>
38 #include <sys/cmn_err.h>
39 #include <sys/vtrace.h>
40 #include <sys/debug.h>
41 #include <sys/atomic.h>
42 #include <sys/strsun.h>
43 #include <sys/random.h>
78 */
79 static ipsecespparam_t lcl_param_arr[] = {
80 /* min max value name */
81 { 0, 3, 0, "ipsecesp_debug"},
82 { 125, 32000, SADB_AGE_INTERVAL_DEFAULT, "ipsecesp_age_interval"},
83 { 1, 10, 1, "ipsecesp_reap_delay"},
84 { 1, SADB_MAX_REPLAY, 64, "ipsecesp_replay_size"},
85 { 1, 300, 15, "ipsecesp_acquire_timeout"},
86 { 1, 1800, 90, "ipsecesp_larval_timeout"},
87 /* Default lifetime values for ACQUIRE messages. */
88 { 0, 0xffffffffU, 0, "ipsecesp_default_soft_bytes"},
89 { 0, 0xffffffffU, 0, "ipsecesp_default_hard_bytes"},
90 { 0, 0xffffffffU, 24000, "ipsecesp_default_soft_addtime"},
91 { 0, 0xffffffffU, 28800, "ipsecesp_default_hard_addtime"},
92 { 0, 0xffffffffU, 0, "ipsecesp_default_soft_usetime"},
93 { 0, 0xffffffffU, 0, "ipsecesp_default_hard_usetime"},
94 { 0, 1, 0, "ipsecesp_log_unknown_spi"},
95 { 0, 2, 1, "ipsecesp_padding_check"},
96 { 0, 600, 20, "ipsecesp_nat_keepalive_interval"},
97 };
98 #define ipsecesp_debug ipsecesp_params[0].ipsecesp_param_value
99 #define ipsecesp_age_interval ipsecesp_params[1].ipsecesp_param_value
100 #define ipsecesp_age_int_max ipsecesp_params[1].ipsecesp_param_max
101 #define ipsecesp_reap_delay ipsecesp_params[2].ipsecesp_param_value
102 #define ipsecesp_replay_size ipsecesp_params[3].ipsecesp_param_value
103 #define ipsecesp_acquire_timeout \
104 ipsecesp_params[4].ipsecesp_param_value
105 #define ipsecesp_larval_timeout \
106 ipsecesp_params[5].ipsecesp_param_value
107 #define ipsecesp_default_soft_bytes \
108 ipsecesp_params[6].ipsecesp_param_value
109 #define ipsecesp_default_hard_bytes \
110 ipsecesp_params[7].ipsecesp_param_value
111 #define ipsecesp_default_soft_addtime \
112 ipsecesp_params[8].ipsecesp_param_value
113 #define ipsecesp_default_hard_addtime \
114 ipsecesp_params[9].ipsecesp_param_value
115 #define ipsecesp_default_soft_usetime \
116 ipsecesp_params[10].ipsecesp_param_value
117 #define ipsecesp_default_hard_usetime \
118 ipsecesp_params[11].ipsecesp_param_value
119 #define ipsecesp_log_unknown_spi \
120 ipsecesp_params[12].ipsecesp_param_value
121 #define ipsecesp_padding_check \
122 ipsecesp_params[13].ipsecesp_param_value
123 /* For ipsecesp_nat_keepalive_interval, see ipsecesp.h. */
124
125 #define esp0dbg(a) printf a
126 /* NOTE: != 0 instead of > 0 so lint doesn't complain. */
127 #define esp1dbg(espstack, a) if (espstack->ipsecesp_debug != 0) printf a
128 #define esp2dbg(espstack, a) if (espstack->ipsecesp_debug > 1) printf a
129 #define esp3dbg(espstack, a) if (espstack->ipsecesp_debug > 2) printf a
130
131 static int ipsecesp_open(queue_t *, dev_t *, int, int, cred_t *);
132 static int ipsecesp_close(queue_t *);
133 static void ipsecesp_wput(queue_t *, mblk_t *);
134 static void *ipsecesp_stack_init(netstackid_t stackid, netstack_t *ns);
135 static void ipsecesp_stack_fini(netstackid_t stackid, void *arg);
136 static void esp_send_acquire(ipsacq_t *, mblk_t *, netstack_t *);
137
138 static void esp_prepare_udp(netstack_t *, mblk_t *, ipha_t *);
139 static void esp_outbound_finish(mblk_t *, ip_xmit_attr_t *);
140 static void esp_inbound_restart(mblk_t *, ip_recv_attr_t *);
141
142 static boolean_t esp_register_out(uint32_t, uint32_t, uint_t,
143 ipsecesp_stack_t *, cred_t *);
144 static boolean_t esp_strip_header(mblk_t *, boolean_t, uint32_t,
145 kstat_named_t **, ipsecesp_stack_t *);
146 static mblk_t *esp_submit_req_inbound(mblk_t *, ip_recv_attr_t *,
147 ipsa_t *, uint_t);
148 static mblk_t *esp_submit_req_outbound(mblk_t *, ip_xmit_attr_t *,
149 ipsa_t *, uchar_t *, uint_t);
150
151 /* Setable in /etc/system */
152 uint32_t esp_hash_size = IPSEC_DEFAULT_HASH_SIZE;
153
154 static struct module_info info = {
155 5137, "ipsecesp", 0, INFPSZ, 65536, 1024
156 };
164 (pfi_t)ipsecesp_wput, NULL, ipsecesp_open, ipsecesp_close, NULL, &info,
165 NULL
166 };
167
168 struct streamtab ipsecespinfo = {
169 &rinit, &winit, NULL, NULL
170 };
171
172 static taskq_t *esp_taskq;
173
174 /*
175 * OTOH, this one is set at open/close, and I'm D_MTQPAIR for now.
176 *
177 * Question: Do I need this, given that all instance's esps->esps_wq point
178 * to IP?
179 *
180 * Answer: Yes, because I need to know which queue is BOUND to
181 * IPPROTO_ESP
182 */
183
184 /*
185 * Stats. This may eventually become a full-blown SNMP MIB once that spec
186 * stabilizes.
187 */
188
189 typedef struct esp_kstats_s {
190 kstat_named_t esp_stat_num_aalgs;
191 kstat_named_t esp_stat_good_auth;
192 kstat_named_t esp_stat_bad_auth;
193 kstat_named_t esp_stat_bad_padding;
194 kstat_named_t esp_stat_replay_failures;
195 kstat_named_t esp_stat_replay_early_failures;
196 kstat_named_t esp_stat_keysock_in;
197 kstat_named_t esp_stat_out_requests;
198 kstat_named_t esp_stat_acquire_requests;
199 kstat_named_t esp_stat_bytes_expired;
200 kstat_named_t esp_stat_out_discards;
201 kstat_named_t esp_stat_crypto_sync;
202 kstat_named_t esp_stat_crypto_async;
203 kstat_named_t esp_stat_crypto_failures;
204 kstat_named_t esp_stat_num_ealgs;
205 kstat_named_t esp_stat_bad_decrypt;
206 kstat_named_t esp_stat_sa_port_renumbers;
207 } esp_kstats_t;
208
209 /*
210 * espstack->esp_kstats is equal to espstack->esp_ksp->ks_data if
211 * kstat_create_netstack for espstack->esp_ksp succeeds, but when it
212 * fails, it will be NULL. Note this is done for all stack instances,
213 * so it *could* fail. hence a non-NULL checking is done for
214 * ESP_BUMP_STAT and ESP_DEBUMP_STAT
215 */
216 #define ESP_BUMP_STAT(espstack, x) \
217 do { \
218 if (espstack->esp_kstats != NULL) \
219 (espstack->esp_kstats->esp_stat_ ## x).value.ui64++; \
220 _NOTE(CONSTCOND) \
221 } while (0)
222
223 #define ESP_DEBUMP_STAT(espstack, x) \
224 do { \
225 if (espstack->esp_kstats != NULL) \
226 (espstack->esp_kstats->esp_stat_ ## x).value.ui64--; \
227 _NOTE(CONSTCOND) \
228 } while (0)
229
230 static int esp_kstat_update(kstat_t *, int);
231
232 static boolean_t
233 esp_kstat_init(ipsecesp_stack_t *espstack, netstackid_t stackid)
234 {
235 espstack->esp_ksp = kstat_create_netstack("ipsecesp", 0, "esp_stat",
236 "net", KSTAT_TYPE_NAMED,
237 sizeof (esp_kstats_t) / sizeof (kstat_named_t),
238 KSTAT_FLAG_PERSISTENT, stackid);
239
240 if (espstack->esp_ksp == NULL || espstack->esp_ksp->ks_data == NULL)
241 return (B_FALSE);
242
243 espstack->esp_kstats = espstack->esp_ksp->ks_data;
244
245 espstack->esp_ksp->ks_update = esp_kstat_update;
246 espstack->esp_ksp->ks_private = (void *)(uintptr_t)stackid;
247
248 #define K64 KSTAT_DATA_UINT64
249 #define KI(x) kstat_named_init(&(espstack->esp_kstats->esp_stat_##x), #x, K64)
486 * Walk through the param array specified registering each element with the
487 * named dispatch handler.
488 */
489 static boolean_t
490 ipsecesp_param_register(IDP *ndp, ipsecespparam_t *espp, int cnt)
491 {
492 for (; cnt-- > 0; espp++) {
493 if (espp->ipsecesp_param_name != NULL &&
494 espp->ipsecesp_param_name[0]) {
495 if (!nd_load(ndp,
496 espp->ipsecesp_param_name,
497 ipsecesp_param_get, ipsecesp_param_set,
498 (caddr_t)espp)) {
499 nd_free(ndp);
500 return (B_FALSE);
501 }
502 }
503 }
504 return (B_TRUE);
505 }
506 /*
507 * Initialize things for ESP for each stack instance
508 */
509 static void *
510 ipsecesp_stack_init(netstackid_t stackid, netstack_t *ns)
511 {
512 ipsecesp_stack_t *espstack;
513 ipsecespparam_t *espp;
514
515 espstack = (ipsecesp_stack_t *)kmem_zalloc(sizeof (*espstack),
516 KM_SLEEP);
517 espstack->ipsecesp_netstack = ns;
518
519 espp = (ipsecespparam_t *)kmem_alloc(sizeof (lcl_param_arr), KM_SLEEP);
520 espstack->ipsecesp_params = espp;
521 bcopy(lcl_param_arr, espp, sizeof (lcl_param_arr));
522
523 (void) ipsecesp_param_register(&espstack->ipsecesp_g_nd, espp,
524 A_CNT(lcl_param_arr));
525
526 (void) esp_kstat_init(espstack, stackid);
527
528 espstack->esp_sadb.s_acquire_timeout =
529 &espstack->ipsecesp_acquire_timeout;
530 espstack->esp_sadb.s_acqfn = esp_send_acquire;
531 sadbp_init("ESP", &espstack->esp_sadb, SADB_SATYPE_ESP, esp_hash_size,
532 espstack->ipsecesp_netstack);
533
534 mutex_init(&espstack->ipsecesp_param_lock, NULL, MUTEX_DEFAULT, 0);
535
536 ip_drop_register(&espstack->esp_dropper, "IPsec ESP");
537 return (espstack);
538 }
539
540 /*
541 * Destroy things for ESP at module unload time.
542 */
543 void
544 ipsecesp_ddi_destroy(void)
545 {
546 netstack_unregister(NS_IPSECESP);
547 taskq_destroy(esp_taskq);
548 }
549
550 /*
551 * Destroy things for ESP for one stack instance
552 */
553 static void
554 ipsecesp_stack_fini(netstackid_t stackid, void *arg)
555 {
556 ipsecesp_stack_t *espstack = (ipsecesp_stack_t *)arg;
557
558 if (espstack->esp_pfkey_q != NULL) {
559 (void) quntimeout(espstack->esp_pfkey_q, espstack->esp_event);
560 }
561 espstack->esp_sadb.s_acqfn = NULL;
562 espstack->esp_sadb.s_acquire_timeout = NULL;
563 sadbp_destroy(&espstack->esp_sadb, espstack->ipsecesp_netstack);
564 ip_drop_unregister(&espstack->esp_dropper);
565 mutex_destroy(&espstack->ipsecesp_param_lock);
566 nd_free(&espstack->ipsecesp_g_nd);
567
568 kmem_free(espstack->ipsecesp_params, sizeof (lcl_param_arr));
569 espstack->ipsecesp_params = NULL;
570 kstat_delete_netstack(espstack->esp_ksp, stackid);
571 espstack->esp_ksp = NULL;
572 espstack->esp_kstats = NULL;
573 kmem_free(espstack, sizeof (*espstack));
574 }
575
576 /*
577 * ESP module open routine, which is here for keysock plumbing.
578 * Keysock is pushed over {AH,ESP} which is an artifact from the Bad Old
579 * Days of export control, and fears that ESP would not be allowed
580 * to be shipped at all by default. Eventually, keysock should
581 * either access AH and ESP via modstubs or krtld dependencies, or
1164
1165 /*
1166 * Adjust the IP header's payload length to reflect the removal
1167 * of the ICV.
1168 */
1169 if (!(ira->ira_flags & IRAF_IS_IPV4)) {
1170 ip6_t *ip6h = (ip6_t *)data_mp->b_rptr;
1171 ip6h->ip6_plen = htons(ntohs(ip6h->ip6_plen) -
1172 ipsa->ipsa_mac_len);
1173 } else {
1174 ipha_t *ipha = (ipha_t *)data_mp->b_rptr;
1175 ipha->ipha_length = htons(ntohs(ipha->ipha_length) -
1176 ipsa->ipsa_mac_len);
1177 }
1178
1179 /* submit the request to the crypto framework */
1180 return (esp_submit_req_inbound(data_mp, ira, ipsa,
1181 (uint8_t *)esph - data_mp->b_rptr));
1182 }
1183
1184 /*
1185 * Perform the really difficult work of inserting the proposed situation.
1186 * Called while holding the algorithm lock.
1187 */
1188 static void
1189 esp_insert_prop(sadb_prop_t *prop, ipsacq_t *acqrec, uint_t combs,
1190 netstack_t *ns)
1191 {
1192 sadb_comb_t *comb = (sadb_comb_t *)(prop + 1);
1193 ipsec_action_t *ap;
1194 ipsec_prot_t *prot;
1195 ipsecesp_stack_t *espstack = ns->netstack_ipsecesp;
1196 ipsec_stack_t *ipss = ns->netstack_ipsec;
1197
1198 ASSERT(RW_READ_HELD(&ipss->ipsec_alg_lock));
1199
1200 prop->sadb_prop_exttype = SADB_EXT_PROPOSAL;
1201 prop->sadb_prop_len = SADB_8TO64(sizeof (sadb_prop_t));
1202 *(uint32_t *)(&prop->sadb_prop_replay) = 0; /* Quick zero-out! */
1203
1204 prop->sadb_prop_replay = espstack->ipsecesp_replay_size;
1205
1206 /*
1207 * Based upon algorithm properties, and what-not, prioritize a
1208 * proposal, based on the ordering of the ESP algorithms in the
1209 * alternatives in the policy rule or socket that was placed
1210 * in the acquire record.
1211 *
1212 * For each action in policy list
1213 * Add combination. If I've hit limit, return.
1214 */
1215
1216 for (ap = acqrec->ipsacq_act; ap != NULL;
1217 ap = ap->ipa_next) {
1218 ipsec_alginfo_t *ealg = NULL;
1219 ipsec_alginfo_t *aalg = NULL;
1220
1221 if (ap->ipa_act.ipa_type != IPSEC_POLICY_APPLY)
1222 continue;
1223
1224 prot = &ap->ipa_act.ipa_apply;
1225
1226 if (!(prot->ipp_use_esp))
1227 continue;
1228
1229 if (prot->ipp_esp_auth_alg != 0) {
1230 aalg = ipss->ipsec_alglists[IPSEC_ALG_AUTH]
1231 [prot->ipp_esp_auth_alg];
1232 if (aalg == NULL || !ALG_VALID(aalg))
1233 continue;
1234 }
1235
1236 ASSERT(prot->ipp_encr_alg > 0);
1237 ealg = ipss->ipsec_alglists[IPSEC_ALG_ENCR]
1238 [prot->ipp_encr_alg];
1239 if (ealg == NULL || !ALG_VALID(ealg))
1240 continue;
1241
1242 comb->sadb_comb_flags = 0;
1243 comb->sadb_comb_reserved = 0;
1244 comb->sadb_comb_encrypt = ealg->alg_id;
1245 comb->sadb_comb_encrypt_minbits =
1246 MAX(prot->ipp_espe_minbits, ealg->alg_ef_minbits);
1247 comb->sadb_comb_encrypt_maxbits =
1248 MIN(prot->ipp_espe_maxbits, ealg->alg_ef_maxbits);
1249
1250 if (aalg == NULL) {
1251 comb->sadb_comb_auth = 0;
1252 comb->sadb_comb_auth_minbits = 0;
1253 comb->sadb_comb_auth_maxbits = 0;
1254 } else {
1255 comb->sadb_comb_auth = aalg->alg_id;
1256 comb->sadb_comb_auth_minbits =
1257 MAX(prot->ipp_espa_minbits, aalg->alg_ef_minbits);
1258 comb->sadb_comb_auth_maxbits =
1259 MIN(prot->ipp_espa_maxbits, aalg->alg_ef_maxbits);
1260 }
1261
1262 /*
1263 * The following may be based on algorithm
1264 * properties, but in the meantime, we just pick
1265 * some good, sensible numbers. Key mgmt. can
1266 * (and perhaps should) be the place to finalize
1267 * such decisions.
1268 */
1269
1270 /*
1271 * No limits on allocations, since we really don't
1272 * support that concept currently.
1273 */
1274 comb->sadb_comb_soft_allocations = 0;
1275 comb->sadb_comb_hard_allocations = 0;
1276
1277 /*
1278 * These may want to come from policy rule..
1279 */
1280 comb->sadb_comb_soft_bytes =
1281 espstack->ipsecesp_default_soft_bytes;
1282 comb->sadb_comb_hard_bytes =
1283 espstack->ipsecesp_default_hard_bytes;
1284 comb->sadb_comb_soft_addtime =
1285 espstack->ipsecesp_default_soft_addtime;
1286 comb->sadb_comb_hard_addtime =
1287 espstack->ipsecesp_default_hard_addtime;
1288 comb->sadb_comb_soft_usetime =
1289 espstack->ipsecesp_default_soft_usetime;
1290 comb->sadb_comb_hard_usetime =
1291 espstack->ipsecesp_default_hard_usetime;
1292
1293 prop->sadb_prop_len += SADB_8TO64(sizeof (*comb));
1294 if (--combs == 0)
1295 break; /* out of space.. */
1296 comb++;
1297 }
1298 }
1299
1300 /*
1301 * Prepare and actually send the SADB_ACQUIRE message to PF_KEY.
1302 */
1303 static void
1304 esp_send_acquire(ipsacq_t *acqrec, mblk_t *extended, netstack_t *ns)
1305 {
1306 uint_t combs;
1307 sadb_msg_t *samsg;
1308 sadb_prop_t *prop;
1309 mblk_t *pfkeymp, *msgmp;
1310 ipsecesp_stack_t *espstack = ns->netstack_ipsecesp;
1311 ipsec_stack_t *ipss = ns->netstack_ipsec;
1312
1313 ESP_BUMP_STAT(espstack, acquire_requests);
1314
1315 if (espstack->esp_pfkey_q == NULL) {
1316 mutex_exit(&acqrec->ipsacq_lock);
1317 return;
1318 }
1319
1320 /* Set up ACQUIRE. */
1321 pfkeymp = sadb_setup_acquire(acqrec, SADB_SATYPE_ESP,
1322 ns->netstack_ipsec);
1323 if (pfkeymp == NULL) {
1324 esp0dbg(("sadb_setup_acquire failed.\n"));
1325 mutex_exit(&acqrec->ipsacq_lock);
1326 return;
1327 }
1328 ASSERT(RW_READ_HELD(&ipss->ipsec_alg_lock));
1329 combs = ipss->ipsec_nalgs[IPSEC_ALG_AUTH] *
1330 ipss->ipsec_nalgs[IPSEC_ALG_ENCR];
1331 msgmp = pfkeymp->b_cont;
1332 samsg = (sadb_msg_t *)(msgmp->b_rptr);
1333
1334 /* Insert proposal here. */
1335
1336 prop = (sadb_prop_t *)(((uint64_t *)samsg) + samsg->sadb_msg_len);
1337 esp_insert_prop(prop, acqrec, combs, ns);
1338 samsg->sadb_msg_len += prop->sadb_prop_len;
1339 msgmp->b_wptr += SADB_64TO8(samsg->sadb_msg_len);
1340
1341 rw_exit(&ipss->ipsec_alg_lock);
1342
1343 /*
1344 * Must mutex_exit() before sending PF_KEY message up, in
1345 * order to avoid recursive mutex_enter() if there are no registered
1346 * listeners.
1347 *
1348 * Once I've sent the message, I'm cool anyway.
1349 */
1350 mutex_exit(&acqrec->ipsacq_lock);
1351 if (extended != NULL) {
1352 putnext(espstack->esp_pfkey_q, extended);
1353 }
1354 putnext(espstack->esp_pfkey_q, pfkeymp);
1355 }
1356
1357 /* XXX refactor me */
1358 /*
1359 * Handle the SADB_GETSPI message. Create a larval SA.
1360 */
1361 static void
1362 esp_getspi(mblk_t *mp, keysock_in_t *ksi, ipsecesp_stack_t *espstack)
1363 {
1364 ipsa_t *newbie, *target;
1365 isaf_t *outbound, *inbound;
1366 int rc, diagnostic;
1367 sadb_sa_t *assoc;
1368 keysock_out_t *kso;
1369 uint32_t newspi;
1370
1371 /*
1372 * Randomly generate a proposed SPI value
1373 */
1374 if (cl_inet_getspi != NULL) {
1375 cl_inet_getspi(espstack->ipsecesp_netstack->netstack_stackid,
1376 IPPROTO_ESP, (uint8_t *)&newspi, sizeof (uint32_t), NULL);
1794 * Log the event. Don't print to the console, block
1795 * potential denial-of-service attack.
1796 */
1797 ESP_BUMP_STAT(espstack, bad_auth);
1798
1799 ipsec_assocfailure(info.mi_idnum, 0, 0, SL_ERROR | SL_WARN,
1800 "ESP Authentication failed for spi 0x%x, dst %s.\n",
1801 assoc->ipsa_spi, assoc->ipsa_dstaddr, assoc->ipsa_addrfam,
1802 espstack->ipsecesp_netstack);
1803
1804 IP_ESP_BUMP_STAT(ipss, in_discards);
1805 ip_drop_packet(mp, B_TRUE, ira->ira_ill,
1806 DROPPER(ipss, ipds_esp_bad_auth),
1807 &espstack->esp_dropper);
1808 }
1809
1810
1811 /*
1812 * Invoked for outbound packets after ESP processing. If the packet
1813 * also requires AH, performs the AH SA selection and AH processing.
1814 * Returns B_TRUE if the AH processing was not needed or if it was
1815 * performed successfully. Returns B_FALSE and consumes the passed mblk
1816 * if AH processing was required but could not be performed.
1817 *
1818 * Returns data_mp unless data_mp was consumed/queued.
1819 */
1820 static mblk_t *
1821 esp_do_outbound_ah(mblk_t *data_mp, ip_xmit_attr_t *ixa)
1822 {
1823 ipsec_action_t *ap;
1824
1825 ap = ixa->ixa_ipsec_action;
1826 if (ap == NULL) {
1827 ipsec_policy_t *pp = ixa->ixa_ipsec_policy;
1828 ap = pp->ipsp_act;
1829 }
1830
1831 if (!ap->ipa_want_ah)
1832 return (data_mp);
1833
1834 /*
1835 * Normally the AH SA would have already been put in place
1836 * but it could have been flushed so we need to look for it.
1837 */
1838 if (ixa->ixa_ipsec_ah_sa == NULL) {
|
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21 /*
22 * Copyright 2010 Sun Microsystems, Inc. All rights reserved.
23 * Use is subject to license terms.
24 * Copyright (c) 2012 Nexenta Systems, Inc. All rights reserved.
25 * Copyright (c) 2017 Joyent, Inc.
26 */
27
28 #include <sys/types.h>
29 #include <sys/stream.h>
30 #include <sys/stropts.h>
31 #include <sys/errno.h>
32 #include <sys/strlog.h>
33 #include <sys/tihdr.h>
34 #include <sys/socket.h>
35 #include <sys/ddi.h>
36 #include <sys/sunddi.h>
37 #include <sys/kmem.h>
38 #include <sys/zone.h>
39 #include <sys/sysmacros.h>
40 #include <sys/cmn_err.h>
41 #include <sys/vtrace.h>
42 #include <sys/debug.h>
43 #include <sys/atomic.h>
44 #include <sys/strsun.h>
45 #include <sys/random.h>
80 */
81 static ipsecespparam_t lcl_param_arr[] = {
82 /* min max value name */
83 { 0, 3, 0, "ipsecesp_debug"},
84 { 125, 32000, SADB_AGE_INTERVAL_DEFAULT, "ipsecesp_age_interval"},
85 { 1, 10, 1, "ipsecesp_reap_delay"},
86 { 1, SADB_MAX_REPLAY, 64, "ipsecesp_replay_size"},
87 { 1, 300, 15, "ipsecesp_acquire_timeout"},
88 { 1, 1800, 90, "ipsecesp_larval_timeout"},
89 /* Default lifetime values for ACQUIRE messages. */
90 { 0, 0xffffffffU, 0, "ipsecesp_default_soft_bytes"},
91 { 0, 0xffffffffU, 0, "ipsecesp_default_hard_bytes"},
92 { 0, 0xffffffffU, 24000, "ipsecesp_default_soft_addtime"},
93 { 0, 0xffffffffU, 28800, "ipsecesp_default_hard_addtime"},
94 { 0, 0xffffffffU, 0, "ipsecesp_default_soft_usetime"},
95 { 0, 0xffffffffU, 0, "ipsecesp_default_hard_usetime"},
96 { 0, 1, 0, "ipsecesp_log_unknown_spi"},
97 { 0, 2, 1, "ipsecesp_padding_check"},
98 { 0, 600, 20, "ipsecesp_nat_keepalive_interval"},
99 };
100 /* For ipsecesp_nat_keepalive_interval, see ipsecesp.h. */
101
102 #define esp0dbg(a) printf a
103 /* NOTE: != 0 instead of > 0 so lint doesn't complain. */
104 #define esp1dbg(espstack, a) if (espstack->ipsecesp_debug != 0) printf a
105 #define esp2dbg(espstack, a) if (espstack->ipsecesp_debug > 1) printf a
106 #define esp3dbg(espstack, a) if (espstack->ipsecesp_debug > 2) printf a
107
108 static int ipsecesp_open(queue_t *, dev_t *, int, int, cred_t *);
109 static int ipsecesp_close(queue_t *);
110 static void ipsecesp_wput(queue_t *, mblk_t *);
111 static void *ipsecesp_stack_init(netstackid_t stackid, netstack_t *ns);
112 static void ipsecesp_stack_fini(netstackid_t stackid, void *arg);
113
114 static void esp_prepare_udp(netstack_t *, mblk_t *, ipha_t *);
115 static void esp_outbound_finish(mblk_t *, ip_xmit_attr_t *);
116 static void esp_inbound_restart(mblk_t *, ip_recv_attr_t *);
117
118 static boolean_t esp_register_out(uint32_t, uint32_t, uint_t,
119 ipsecesp_stack_t *, cred_t *);
120 static boolean_t esp_strip_header(mblk_t *, boolean_t, uint32_t,
121 kstat_named_t **, ipsecesp_stack_t *);
122 static mblk_t *esp_submit_req_inbound(mblk_t *, ip_recv_attr_t *,
123 ipsa_t *, uint_t);
124 static mblk_t *esp_submit_req_outbound(mblk_t *, ip_xmit_attr_t *,
125 ipsa_t *, uchar_t *, uint_t);
126
127 /* Setable in /etc/system */
128 uint32_t esp_hash_size = IPSEC_DEFAULT_HASH_SIZE;
129
130 static struct module_info info = {
131 5137, "ipsecesp", 0, INFPSZ, 65536, 1024
132 };
140 (pfi_t)ipsecesp_wput, NULL, ipsecesp_open, ipsecesp_close, NULL, &info,
141 NULL
142 };
143
144 struct streamtab ipsecespinfo = {
145 &rinit, &winit, NULL, NULL
146 };
147
148 static taskq_t *esp_taskq;
149
150 /*
151 * OTOH, this one is set at open/close, and I'm D_MTQPAIR for now.
152 *
153 * Question: Do I need this, given that all instance's esps->esps_wq point
154 * to IP?
155 *
156 * Answer: Yes, because I need to know which queue is BOUND to
157 * IPPROTO_ESP
158 */
159
160 static int esp_kstat_update(kstat_t *, int);
161
162 static boolean_t
163 esp_kstat_init(ipsecesp_stack_t *espstack, netstackid_t stackid)
164 {
165 espstack->esp_ksp = kstat_create_netstack("ipsecesp", 0, "esp_stat",
166 "net", KSTAT_TYPE_NAMED,
167 sizeof (esp_kstats_t) / sizeof (kstat_named_t),
168 KSTAT_FLAG_PERSISTENT, stackid);
169
170 if (espstack->esp_ksp == NULL || espstack->esp_ksp->ks_data == NULL)
171 return (B_FALSE);
172
173 espstack->esp_kstats = espstack->esp_ksp->ks_data;
174
175 espstack->esp_ksp->ks_update = esp_kstat_update;
176 espstack->esp_ksp->ks_private = (void *)(uintptr_t)stackid;
177
178 #define K64 KSTAT_DATA_UINT64
179 #define KI(x) kstat_named_init(&(espstack->esp_kstats->esp_stat_##x), #x, K64)
416 * Walk through the param array specified registering each element with the
417 * named dispatch handler.
418 */
419 static boolean_t
420 ipsecesp_param_register(IDP *ndp, ipsecespparam_t *espp, int cnt)
421 {
422 for (; cnt-- > 0; espp++) {
423 if (espp->ipsecesp_param_name != NULL &&
424 espp->ipsecesp_param_name[0]) {
425 if (!nd_load(ndp,
426 espp->ipsecesp_param_name,
427 ipsecesp_param_get, ipsecesp_param_set,
428 (caddr_t)espp)) {
429 nd_free(ndp);
430 return (B_FALSE);
431 }
432 }
433 }
434 return (B_TRUE);
435 }
436
437 /*
438 * Initialize things for ESP for each stack instance
439 */
440 static void *
441 ipsecesp_stack_init(netstackid_t stackid, netstack_t *ns)
442 {
443 ipsecesp_stack_t *espstack;
444 ipsecespparam_t *espp;
445
446 espstack = (ipsecesp_stack_t *)kmem_zalloc(sizeof (*espstack),
447 KM_SLEEP);
448 espstack->ipsecesp_netstack = ns;
449
450 espp = (ipsecespparam_t *)kmem_alloc(sizeof (lcl_param_arr), KM_SLEEP);
451 espstack->ipsecesp_params = espp;
452 bcopy(lcl_param_arr, espp, sizeof (lcl_param_arr));
453
454 (void) ipsecesp_param_register(&espstack->ipsecesp_g_nd, espp,
455 A_CNT(lcl_param_arr));
456
457 (void) esp_kstat_init(espstack, stackid);
458
459 espstack->esp_sadb.s_acquire_timeout =
460 &espstack->ipsecesp_acquire_timeout;
461 sadbp_init("ESP", &espstack->esp_sadb, SADB_SATYPE_ESP, esp_hash_size,
462 espstack->ipsecesp_netstack);
463
464 mutex_init(&espstack->ipsecesp_param_lock, NULL, MUTEX_DEFAULT, 0);
465
466 ip_drop_register(&espstack->esp_dropper, "IPsec ESP");
467 return (espstack);
468 }
469
470 /*
471 * Destroy things for ESP at module unload time.
472 */
473 void
474 ipsecesp_ddi_destroy(void)
475 {
476 netstack_unregister(NS_IPSECESP);
477 taskq_destroy(esp_taskq);
478 }
479
480 /*
481 * Destroy things for ESP for one stack instance
482 */
483 static void
484 ipsecesp_stack_fini(netstackid_t stackid, void *arg)
485 {
486 ipsecesp_stack_t *espstack = (ipsecesp_stack_t *)arg;
487
488 if (espstack->esp_pfkey_q != NULL) {
489 (void) quntimeout(espstack->esp_pfkey_q, espstack->esp_event);
490 }
491 espstack->esp_sadb.s_acquire_timeout = NULL;
492 sadbp_destroy(&espstack->esp_sadb, espstack->ipsecesp_netstack);
493 ip_drop_unregister(&espstack->esp_dropper);
494 mutex_destroy(&espstack->ipsecesp_param_lock);
495 nd_free(&espstack->ipsecesp_g_nd);
496
497 kmem_free(espstack->ipsecesp_params, sizeof (lcl_param_arr));
498 espstack->ipsecesp_params = NULL;
499 kstat_delete_netstack(espstack->esp_ksp, stackid);
500 espstack->esp_ksp = NULL;
501 espstack->esp_kstats = NULL;
502 kmem_free(espstack, sizeof (*espstack));
503 }
504
505 /*
506 * ESP module open routine, which is here for keysock plumbing.
507 * Keysock is pushed over {AH,ESP} which is an artifact from the Bad Old
508 * Days of export control, and fears that ESP would not be allowed
509 * to be shipped at all by default. Eventually, keysock should
510 * either access AH and ESP via modstubs or krtld dependencies, or
1093
1094 /*
1095 * Adjust the IP header's payload length to reflect the removal
1096 * of the ICV.
1097 */
1098 if (!(ira->ira_flags & IRAF_IS_IPV4)) {
1099 ip6_t *ip6h = (ip6_t *)data_mp->b_rptr;
1100 ip6h->ip6_plen = htons(ntohs(ip6h->ip6_plen) -
1101 ipsa->ipsa_mac_len);
1102 } else {
1103 ipha_t *ipha = (ipha_t *)data_mp->b_rptr;
1104 ipha->ipha_length = htons(ntohs(ipha->ipha_length) -
1105 ipsa->ipsa_mac_len);
1106 }
1107
1108 /* submit the request to the crypto framework */
1109 return (esp_submit_req_inbound(data_mp, ira, ipsa,
1110 (uint8_t *)esph - data_mp->b_rptr));
1111 }
1112
1113 /* XXX refactor me */
1114 /*
1115 * Handle the SADB_GETSPI message. Create a larval SA.
1116 */
1117 static void
1118 esp_getspi(mblk_t *mp, keysock_in_t *ksi, ipsecesp_stack_t *espstack)
1119 {
1120 ipsa_t *newbie, *target;
1121 isaf_t *outbound, *inbound;
1122 int rc, diagnostic;
1123 sadb_sa_t *assoc;
1124 keysock_out_t *kso;
1125 uint32_t newspi;
1126
1127 /*
1128 * Randomly generate a proposed SPI value
1129 */
1130 if (cl_inet_getspi != NULL) {
1131 cl_inet_getspi(espstack->ipsecesp_netstack->netstack_stackid,
1132 IPPROTO_ESP, (uint8_t *)&newspi, sizeof (uint32_t), NULL);
1550 * Log the event. Don't print to the console, block
1551 * potential denial-of-service attack.
1552 */
1553 ESP_BUMP_STAT(espstack, bad_auth);
1554
1555 ipsec_assocfailure(info.mi_idnum, 0, 0, SL_ERROR | SL_WARN,
1556 "ESP Authentication failed for spi 0x%x, dst %s.\n",
1557 assoc->ipsa_spi, assoc->ipsa_dstaddr, assoc->ipsa_addrfam,
1558 espstack->ipsecesp_netstack);
1559
1560 IP_ESP_BUMP_STAT(ipss, in_discards);
1561 ip_drop_packet(mp, B_TRUE, ira->ira_ill,
1562 DROPPER(ipss, ipds_esp_bad_auth),
1563 &espstack->esp_dropper);
1564 }
1565
1566
1567 /*
1568 * Invoked for outbound packets after ESP processing. If the packet
1569 * also requires AH, performs the AH SA selection and AH processing.
1570 *
1571 * Returns data_mp (possibly with AH added) unless data_mp was consumed
1572 * due to an error, or queued due to async. crypto or an ACQUIRE trigger.
1573 */
1574 static mblk_t *
1575 esp_do_outbound_ah(mblk_t *data_mp, ip_xmit_attr_t *ixa)
1576 {
1577 ipsec_action_t *ap;
1578
1579 ap = ixa->ixa_ipsec_action;
1580 if (ap == NULL) {
1581 ipsec_policy_t *pp = ixa->ixa_ipsec_policy;
1582 ap = pp->ipsp_act;
1583 }
1584
1585 if (!ap->ipa_want_ah)
1586 return (data_mp);
1587
1588 /*
1589 * Normally the AH SA would have already been put in place
1590 * but it could have been flushed so we need to look for it.
1591 */
1592 if (ixa->ixa_ipsec_ah_sa == NULL) {
|