1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2010 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 * Copyright (c) 2012 Nexenta Systems, Inc. All rights reserved. 25 * Copyright (c) 2017 Joyent, Inc. 26 */ 27 28 #include <sys/types.h> 29 #include <sys/stream.h> 30 #include <sys/stropts.h> 31 #include <sys/errno.h> 32 #include <sys/strlog.h> 33 #include <sys/tihdr.h> 34 #include <sys/socket.h> 35 #include <sys/ddi.h> 36 #include <sys/sunddi.h> 37 #include <sys/kmem.h> 38 #include <sys/zone.h> 39 #include <sys/sysmacros.h> 40 #include <sys/cmn_err.h> 41 #include <sys/vtrace.h> 42 #include <sys/debug.h> 43 #include <sys/atomic.h> 44 #include <sys/strsun.h> 45 #include <sys/random.h> 46 #include <netinet/in.h> 47 #include <net/if.h> 48 #include <netinet/ip6.h> 49 #include <net/pfkeyv2.h> 50 #include <net/pfpolicy.h> 51 52 #include <inet/common.h> 53 #include <inet/mi.h> 54 #include <inet/nd.h> 55 #include <inet/ip.h> 56 #include <inet/ip_impl.h> 57 #include <inet/ip6.h> 58 #include <inet/ip_if.h> 59 #include <inet/ip_ndp.h> 60 #include <inet/sadb.h> 61 #include <inet/ipsec_info.h> 62 #include <inet/ipsec_impl.h> 63 #include <inet/ipsecesp.h> 64 #include <inet/ipdrop.h> 65 #include <inet/tcp.h> 66 #include <sys/kstat.h> 67 #include <sys/policy.h> 68 #include <sys/strsun.h> 69 #include <sys/strsubr.h> 70 #include <inet/udp_impl.h> 71 #include <sys/taskq.h> 72 #include <sys/note.h> 73 74 #include <sys/tsol/tnet.h> 75 76 /* 77 * Table of ND variables supported by ipsecesp. These are loaded into 78 * ipsecesp_g_nd in ipsecesp_init_nd. 79 * All of these are alterable, within the min/max values given, at run time. 80 */ 81 static ipsecespparam_t lcl_param_arr[] = { 82 /* min max value name */ 83 { 0, 3, 0, "ipsecesp_debug"}, 84 { 125, 32000, SADB_AGE_INTERVAL_DEFAULT, "ipsecesp_age_interval"}, 85 { 1, 10, 1, "ipsecesp_reap_delay"}, 86 { 1, SADB_MAX_REPLAY, 64, "ipsecesp_replay_size"}, 87 { 1, 300, 15, "ipsecesp_acquire_timeout"}, 88 { 1, 1800, 90, "ipsecesp_larval_timeout"}, 89 /* Default lifetime values for ACQUIRE messages. */ 90 { 0, 0xffffffffU, 0, "ipsecesp_default_soft_bytes"}, 91 { 0, 0xffffffffU, 0, "ipsecesp_default_hard_bytes"}, 92 { 0, 0xffffffffU, 24000, "ipsecesp_default_soft_addtime"}, 93 { 0, 0xffffffffU, 28800, "ipsecesp_default_hard_addtime"}, 94 { 0, 0xffffffffU, 0, "ipsecesp_default_soft_usetime"}, 95 { 0, 0xffffffffU, 0, "ipsecesp_default_hard_usetime"}, 96 { 0, 1, 0, "ipsecesp_log_unknown_spi"}, 97 { 0, 2, 1, "ipsecesp_padding_check"}, 98 { 0, 600, 20, "ipsecesp_nat_keepalive_interval"}, 99 }; 100 /* For ipsecesp_nat_keepalive_interval, see ipsecesp.h. */ 101 102 #define esp0dbg(a) printf a 103 /* NOTE: != 0 instead of > 0 so lint doesn't complain. */ 104 #define esp1dbg(espstack, a) if (espstack->ipsecesp_debug != 0) printf a 105 #define esp2dbg(espstack, a) if (espstack->ipsecesp_debug > 1) printf a 106 #define esp3dbg(espstack, a) if (espstack->ipsecesp_debug > 2) printf a 107 108 static int ipsecesp_open(queue_t *, dev_t *, int, int, cred_t *); 109 static int ipsecesp_close(queue_t *); 110 static void ipsecesp_wput(queue_t *, mblk_t *); 111 static void *ipsecesp_stack_init(netstackid_t stackid, netstack_t *ns); 112 static void ipsecesp_stack_fini(netstackid_t stackid, void *arg); 113 114 static void esp_prepare_udp(netstack_t *, mblk_t *, ipha_t *); 115 static void esp_outbound_finish(mblk_t *, ip_xmit_attr_t *); 116 static void esp_inbound_restart(mblk_t *, ip_recv_attr_t *); 117 118 static boolean_t esp_register_out(uint32_t, uint32_t, uint_t, 119 ipsecesp_stack_t *, cred_t *); 120 static boolean_t esp_strip_header(mblk_t *, boolean_t, uint32_t, 121 kstat_named_t **, ipsecesp_stack_t *); 122 static mblk_t *esp_submit_req_inbound(mblk_t *, ip_recv_attr_t *, 123 ipsa_t *, uint_t); 124 static mblk_t *esp_submit_req_outbound(mblk_t *, ip_xmit_attr_t *, 125 ipsa_t *, uchar_t *, uint_t); 126 127 /* Setable in /etc/system */ 128 uint32_t esp_hash_size = IPSEC_DEFAULT_HASH_SIZE; 129 130 static struct module_info info = { 131 5137, "ipsecesp", 0, INFPSZ, 65536, 1024 132 }; 133 134 static struct qinit rinit = { 135 (pfi_t)putnext, NULL, ipsecesp_open, ipsecesp_close, NULL, &info, 136 NULL 137 }; 138 139 static struct qinit winit = { 140 (pfi_t)ipsecesp_wput, NULL, ipsecesp_open, ipsecesp_close, NULL, &info, 141 NULL 142 }; 143 144 struct streamtab ipsecespinfo = { 145 &rinit, &winit, NULL, NULL 146 }; 147 148 static taskq_t *esp_taskq; 149 150 /* 151 * OTOH, this one is set at open/close, and I'm D_MTQPAIR for now. 152 * 153 * Question: Do I need this, given that all instance's esps->esps_wq point 154 * to IP? 155 * 156 * Answer: Yes, because I need to know which queue is BOUND to 157 * IPPROTO_ESP 158 */ 159 160 static int esp_kstat_update(kstat_t *, int); 161 162 static boolean_t 163 esp_kstat_init(ipsecesp_stack_t *espstack, netstackid_t stackid) 164 { 165 espstack->esp_ksp = kstat_create_netstack("ipsecesp", 0, "esp_stat", 166 "net", KSTAT_TYPE_NAMED, 167 sizeof (esp_kstats_t) / sizeof (kstat_named_t), 0, stackid); 168 169 if (espstack->esp_ksp == NULL || espstack->esp_ksp->ks_data == NULL) 170 return (B_FALSE); 171 172 espstack->esp_kstats = espstack->esp_ksp->ks_data; 173 174 espstack->esp_ksp->ks_update = esp_kstat_update; 175 espstack->esp_ksp->ks_private = (void *)(uintptr_t)stackid; 176 177 #define K64 KSTAT_DATA_UINT64 178 #define KI(x) kstat_named_init(&(espstack->esp_kstats->esp_stat_##x), #x, K64) 179 180 KI(num_aalgs); 181 KI(num_ealgs); 182 KI(good_auth); 183 KI(bad_auth); 184 KI(bad_padding); 185 KI(replay_failures); 186 KI(replay_early_failures); 187 KI(keysock_in); 188 KI(out_requests); 189 KI(acquire_requests); 190 KI(bytes_expired); 191 KI(out_discards); 192 KI(crypto_sync); 193 KI(crypto_async); 194 KI(crypto_failures); 195 KI(bad_decrypt); 196 KI(sa_port_renumbers); 197 198 #undef KI 199 #undef K64 200 201 kstat_install(espstack->esp_ksp); 202 203 return (B_TRUE); 204 } 205 206 static int 207 esp_kstat_update(kstat_t *kp, int rw) 208 { 209 esp_kstats_t *ekp; 210 netstackid_t stackid = (zoneid_t)(uintptr_t)kp->ks_private; 211 netstack_t *ns; 212 ipsec_stack_t *ipss; 213 214 if ((kp == NULL) || (kp->ks_data == NULL)) 215 return (EIO); 216 217 if (rw == KSTAT_WRITE) 218 return (EACCES); 219 220 ns = netstack_find_by_stackid(stackid); 221 if (ns == NULL) 222 return (-1); 223 ipss = ns->netstack_ipsec; 224 if (ipss == NULL) { 225 netstack_rele(ns); 226 return (-1); 227 } 228 ekp = (esp_kstats_t *)kp->ks_data; 229 230 rw_enter(&ipss->ipsec_alg_lock, RW_READER); 231 ekp->esp_stat_num_aalgs.value.ui64 = 232 ipss->ipsec_nalgs[IPSEC_ALG_AUTH]; 233 ekp->esp_stat_num_ealgs.value.ui64 = 234 ipss->ipsec_nalgs[IPSEC_ALG_ENCR]; 235 rw_exit(&ipss->ipsec_alg_lock); 236 237 netstack_rele(ns); 238 return (0); 239 } 240 241 #ifdef DEBUG 242 /* 243 * Debug routine, useful to see pre-encryption data. 244 */ 245 static char * 246 dump_msg(mblk_t *mp) 247 { 248 char tmp_str[3], tmp_line[256]; 249 250 while (mp != NULL) { 251 unsigned char *ptr; 252 253 printf("mblk address 0x%p, length %ld, db_ref %d " 254 "type %d, base 0x%p, lim 0x%p\n", 255 (void *) mp, (long)(mp->b_wptr - mp->b_rptr), 256 mp->b_datap->db_ref, mp->b_datap->db_type, 257 (void *)mp->b_datap->db_base, (void *)mp->b_datap->db_lim); 258 ptr = mp->b_rptr; 259 260 tmp_line[0] = '\0'; 261 while (ptr < mp->b_wptr) { 262 uint_t diff; 263 264 diff = (ptr - mp->b_rptr); 265 if (!(diff & 0x1f)) { 266 if (strlen(tmp_line) > 0) { 267 printf("bytes: %s\n", tmp_line); 268 tmp_line[0] = '\0'; 269 } 270 } 271 if (!(diff & 0x3)) 272 (void) strcat(tmp_line, " "); 273 (void) sprintf(tmp_str, "%02x", *ptr); 274 (void) strcat(tmp_line, tmp_str); 275 ptr++; 276 } 277 if (strlen(tmp_line) > 0) 278 printf("bytes: %s\n", tmp_line); 279 280 mp = mp->b_cont; 281 } 282 283 return ("\n"); 284 } 285 286 #else /* DEBUG */ 287 static char * 288 dump_msg(mblk_t *mp) 289 { 290 printf("Find value of mp %p.\n", mp); 291 return ("\n"); 292 } 293 #endif /* DEBUG */ 294 295 /* 296 * Don't have to lock age_interval, as only one thread will access it at 297 * a time, because I control the one function that does with timeout(). 298 */ 299 static void 300 esp_ager(void *arg) 301 { 302 ipsecesp_stack_t *espstack = (ipsecesp_stack_t *)arg; 303 netstack_t *ns = espstack->ipsecesp_netstack; 304 hrtime_t begin = gethrtime(); 305 306 sadb_ager(&espstack->esp_sadb.s_v4, espstack->esp_pfkey_q, 307 espstack->ipsecesp_reap_delay, ns); 308 sadb_ager(&espstack->esp_sadb.s_v6, espstack->esp_pfkey_q, 309 espstack->ipsecesp_reap_delay, ns); 310 311 espstack->esp_event = sadb_retimeout(begin, espstack->esp_pfkey_q, 312 esp_ager, espstack, 313 &espstack->ipsecesp_age_interval, espstack->ipsecesp_age_int_max, 314 info.mi_idnum); 315 } 316 317 /* 318 * Get an ESP NDD parameter. 319 */ 320 /* ARGSUSED */ 321 static int 322 ipsecesp_param_get( 323 queue_t *q, 324 mblk_t *mp, 325 caddr_t cp, 326 cred_t *cr) 327 { 328 ipsecespparam_t *ipsecesppa = (ipsecespparam_t *)cp; 329 uint_t value; 330 ipsecesp_stack_t *espstack = (ipsecesp_stack_t *)q->q_ptr; 331 332 mutex_enter(&espstack->ipsecesp_param_lock); 333 value = ipsecesppa->ipsecesp_param_value; 334 mutex_exit(&espstack->ipsecesp_param_lock); 335 336 (void) mi_mpprintf(mp, "%u", value); 337 return (0); 338 } 339 340 /* 341 * This routine sets an NDD variable in a ipsecespparam_t structure. 342 */ 343 /* ARGSUSED */ 344 static int 345 ipsecesp_param_set( 346 queue_t *q, 347 mblk_t *mp, 348 char *value, 349 caddr_t cp, 350 cred_t *cr) 351 { 352 ulong_t new_value; 353 ipsecespparam_t *ipsecesppa = (ipsecespparam_t *)cp; 354 ipsecesp_stack_t *espstack = (ipsecesp_stack_t *)q->q_ptr; 355 356 /* 357 * Fail the request if the new value does not lie within the 358 * required bounds. 359 */ 360 if (ddi_strtoul(value, NULL, 10, &new_value) != 0 || 361 new_value < ipsecesppa->ipsecesp_param_min || 362 new_value > ipsecesppa->ipsecesp_param_max) { 363 return (EINVAL); 364 } 365 366 /* Set the new value */ 367 mutex_enter(&espstack->ipsecesp_param_lock); 368 ipsecesppa->ipsecesp_param_value = new_value; 369 mutex_exit(&espstack->ipsecesp_param_lock); 370 return (0); 371 } 372 373 /* 374 * Using lifetime NDD variables, fill in an extended combination's 375 * lifetime information. 376 */ 377 void 378 ipsecesp_fill_defs(sadb_x_ecomb_t *ecomb, netstack_t *ns) 379 { 380 ipsecesp_stack_t *espstack = ns->netstack_ipsecesp; 381 382 ecomb->sadb_x_ecomb_soft_bytes = espstack->ipsecesp_default_soft_bytes; 383 ecomb->sadb_x_ecomb_hard_bytes = espstack->ipsecesp_default_hard_bytes; 384 ecomb->sadb_x_ecomb_soft_addtime = 385 espstack->ipsecesp_default_soft_addtime; 386 ecomb->sadb_x_ecomb_hard_addtime = 387 espstack->ipsecesp_default_hard_addtime; 388 ecomb->sadb_x_ecomb_soft_usetime = 389 espstack->ipsecesp_default_soft_usetime; 390 ecomb->sadb_x_ecomb_hard_usetime = 391 espstack->ipsecesp_default_hard_usetime; 392 } 393 394 /* 395 * Initialize things for ESP at module load time. 396 */ 397 boolean_t 398 ipsecesp_ddi_init(void) 399 { 400 esp_taskq = taskq_create("esp_taskq", 1, minclsyspri, 401 IPSEC_TASKQ_MIN, IPSEC_TASKQ_MAX, 0); 402 403 /* 404 * We want to be informed each time a stack is created or 405 * destroyed in the kernel, so we can maintain the 406 * set of ipsecesp_stack_t's. 407 */ 408 netstack_register(NS_IPSECESP, ipsecesp_stack_init, NULL, 409 ipsecesp_stack_fini); 410 411 return (B_TRUE); 412 } 413 414 /* 415 * Walk through the param array specified registering each element with the 416 * named dispatch handler. 417 */ 418 static boolean_t 419 ipsecesp_param_register(IDP *ndp, ipsecespparam_t *espp, int cnt) 420 { 421 for (; cnt-- > 0; espp++) { 422 if (espp->ipsecesp_param_name != NULL && 423 espp->ipsecesp_param_name[0]) { 424 if (!nd_load(ndp, 425 espp->ipsecesp_param_name, 426 ipsecesp_param_get, ipsecesp_param_set, 427 (caddr_t)espp)) { 428 nd_free(ndp); 429 return (B_FALSE); 430 } 431 } 432 } 433 return (B_TRUE); 434 } 435 436 /* 437 * Initialize things for ESP for each stack instance 438 */ 439 static void * 440 ipsecesp_stack_init(netstackid_t stackid, netstack_t *ns) 441 { 442 ipsecesp_stack_t *espstack; 443 ipsecespparam_t *espp; 444 445 espstack = (ipsecesp_stack_t *)kmem_zalloc(sizeof (*espstack), 446 KM_SLEEP); 447 espstack->ipsecesp_netstack = ns; 448 449 espp = (ipsecespparam_t *)kmem_alloc(sizeof (lcl_param_arr), KM_SLEEP); 450 espstack->ipsecesp_params = espp; 451 bcopy(lcl_param_arr, espp, sizeof (lcl_param_arr)); 452 453 (void) ipsecesp_param_register(&espstack->ipsecesp_g_nd, espp, 454 A_CNT(lcl_param_arr)); 455 456 (void) esp_kstat_init(espstack, stackid); 457 458 espstack->esp_sadb.s_acquire_timeout = 459 &espstack->ipsecesp_acquire_timeout; 460 sadbp_init("ESP", &espstack->esp_sadb, SADB_SATYPE_ESP, esp_hash_size, 461 espstack->ipsecesp_netstack); 462 463 mutex_init(&espstack->ipsecesp_param_lock, NULL, MUTEX_DEFAULT, 0); 464 465 ip_drop_register(&espstack->esp_dropper, "IPsec ESP"); 466 return (espstack); 467 } 468 469 /* 470 * Destroy things for ESP at module unload time. 471 */ 472 void 473 ipsecesp_ddi_destroy(void) 474 { 475 netstack_unregister(NS_IPSECESP); 476 taskq_destroy(esp_taskq); 477 } 478 479 /* 480 * Destroy things for ESP for one stack instance 481 */ 482 static void 483 ipsecesp_stack_fini(netstackid_t stackid, void *arg) 484 { 485 ipsecesp_stack_t *espstack = (ipsecesp_stack_t *)arg; 486 487 if (espstack->esp_pfkey_q != NULL) { 488 (void) quntimeout(espstack->esp_pfkey_q, espstack->esp_event); 489 } 490 espstack->esp_sadb.s_acquire_timeout = NULL; 491 sadbp_destroy(&espstack->esp_sadb, espstack->ipsecesp_netstack); 492 ip_drop_unregister(&espstack->esp_dropper); 493 mutex_destroy(&espstack->ipsecesp_param_lock); 494 nd_free(&espstack->ipsecesp_g_nd); 495 496 kmem_free(espstack->ipsecesp_params, sizeof (lcl_param_arr)); 497 espstack->ipsecesp_params = NULL; 498 kstat_delete_netstack(espstack->esp_ksp, stackid); 499 espstack->esp_ksp = NULL; 500 espstack->esp_kstats = NULL; 501 kmem_free(espstack, sizeof (*espstack)); 502 } 503 504 /* 505 * ESP module open routine, which is here for keysock plumbing. 506 * Keysock is pushed over {AH,ESP} which is an artifact from the Bad Old 507 * Days of export control, and fears that ESP would not be allowed 508 * to be shipped at all by default. Eventually, keysock should 509 * either access AH and ESP via modstubs or krtld dependencies, or 510 * perhaps be folded in with AH and ESP into a single IPsec/netsec 511 * module ("netsec" if PF_KEY provides more than AH/ESP keying tables). 512 */ 513 /* ARGSUSED */ 514 static int 515 ipsecesp_open(queue_t *q, dev_t *devp, int flag, int sflag, cred_t *credp) 516 { 517 netstack_t *ns; 518 ipsecesp_stack_t *espstack; 519 520 if (secpolicy_ip_config(credp, B_FALSE) != 0) 521 return (EPERM); 522 523 if (q->q_ptr != NULL) 524 return (0); /* Re-open of an already open instance. */ 525 526 if (sflag != MODOPEN) 527 return (EINVAL); 528 529 ns = netstack_find_by_cred(credp); 530 ASSERT(ns != NULL); 531 espstack = ns->netstack_ipsecesp; 532 ASSERT(espstack != NULL); 533 534 q->q_ptr = espstack; 535 WR(q)->q_ptr = q->q_ptr; 536 537 qprocson(q); 538 return (0); 539 } 540 541 /* 542 * ESP module close routine. 543 */ 544 static int 545 ipsecesp_close(queue_t *q) 546 { 547 ipsecesp_stack_t *espstack = (ipsecesp_stack_t *)q->q_ptr; 548 549 /* 550 * Clean up q_ptr, if needed. 551 */ 552 qprocsoff(q); 553 554 /* Keysock queue check is safe, because of OCEXCL perimeter. */ 555 556 if (q == espstack->esp_pfkey_q) { 557 esp1dbg(espstack, 558 ("ipsecesp_close: Ummm... keysock is closing ESP.\n")); 559 espstack->esp_pfkey_q = NULL; 560 /* Detach qtimeouts. */ 561 (void) quntimeout(q, espstack->esp_event); 562 } 563 564 netstack_rele(espstack->ipsecesp_netstack); 565 return (0); 566 } 567 568 /* 569 * Add a number of bytes to what the SA has protected so far. Return 570 * B_TRUE if the SA can still protect that many bytes. 571 * 572 * Caller must REFRELE the passed-in assoc. This function must REFRELE 573 * any obtained peer SA. 574 */ 575 static boolean_t 576 esp_age_bytes(ipsa_t *assoc, uint64_t bytes, boolean_t inbound) 577 { 578 ipsa_t *inassoc, *outassoc; 579 isaf_t *bucket; 580 boolean_t inrc, outrc, isv6; 581 sadb_t *sp; 582 int outhash; 583 netstack_t *ns = assoc->ipsa_netstack; 584 ipsecesp_stack_t *espstack = ns->netstack_ipsecesp; 585 586 /* No peer? No problem! */ 587 if (!assoc->ipsa_haspeer) { 588 return (sadb_age_bytes(espstack->esp_pfkey_q, assoc, bytes, 589 B_TRUE)); 590 } 591 592 /* 593 * Otherwise, we want to grab both the original assoc and its peer. 594 * There might be a race for this, but if it's a real race, two 595 * expire messages may occur. We limit this by only sending the 596 * expire message on one of the peers, we'll pick the inbound 597 * arbitrarily. 598 * 599 * If we need tight synchronization on the peer SA, then we need to 600 * reconsider. 601 */ 602 603 /* Use address length to select IPv6/IPv4 */ 604 isv6 = (assoc->ipsa_addrfam == AF_INET6); 605 sp = isv6 ? &espstack->esp_sadb.s_v6 : &espstack->esp_sadb.s_v4; 606 607 if (inbound) { 608 inassoc = assoc; 609 if (isv6) { 610 outhash = OUTBOUND_HASH_V6(sp, *((in6_addr_t *) 611 &inassoc->ipsa_dstaddr)); 612 } else { 613 outhash = OUTBOUND_HASH_V4(sp, *((ipaddr_t *) 614 &inassoc->ipsa_dstaddr)); 615 } 616 bucket = &sp->sdb_of[outhash]; 617 mutex_enter(&bucket->isaf_lock); 618 outassoc = ipsec_getassocbyspi(bucket, inassoc->ipsa_spi, 619 inassoc->ipsa_srcaddr, inassoc->ipsa_dstaddr, 620 inassoc->ipsa_addrfam); 621 mutex_exit(&bucket->isaf_lock); 622 if (outassoc == NULL) { 623 /* Q: Do we wish to set haspeer == B_FALSE? */ 624 esp0dbg(("esp_age_bytes: " 625 "can't find peer for inbound.\n")); 626 return (sadb_age_bytes(espstack->esp_pfkey_q, inassoc, 627 bytes, B_TRUE)); 628 } 629 } else { 630 outassoc = assoc; 631 bucket = INBOUND_BUCKET(sp, outassoc->ipsa_spi); 632 mutex_enter(&bucket->isaf_lock); 633 inassoc = ipsec_getassocbyspi(bucket, outassoc->ipsa_spi, 634 outassoc->ipsa_srcaddr, outassoc->ipsa_dstaddr, 635 outassoc->ipsa_addrfam); 636 mutex_exit(&bucket->isaf_lock); 637 if (inassoc == NULL) { 638 /* Q: Do we wish to set haspeer == B_FALSE? */ 639 esp0dbg(("esp_age_bytes: " 640 "can't find peer for outbound.\n")); 641 return (sadb_age_bytes(espstack->esp_pfkey_q, outassoc, 642 bytes, B_TRUE)); 643 } 644 } 645 646 inrc = sadb_age_bytes(espstack->esp_pfkey_q, inassoc, bytes, B_TRUE); 647 outrc = sadb_age_bytes(espstack->esp_pfkey_q, outassoc, bytes, B_FALSE); 648 649 /* 650 * REFRELE any peer SA. 651 * 652 * Because of the multi-line macro nature of IPSA_REFRELE, keep 653 * them in { }. 654 */ 655 if (inbound) { 656 IPSA_REFRELE(outassoc); 657 } else { 658 IPSA_REFRELE(inassoc); 659 } 660 661 return (inrc && outrc); 662 } 663 664 /* 665 * Do incoming NAT-T manipulations for packet. 666 * Returns NULL if the mblk chain is consumed. 667 */ 668 static mblk_t * 669 esp_fix_natt_checksums(mblk_t *data_mp, ipsa_t *assoc) 670 { 671 ipha_t *ipha = (ipha_t *)data_mp->b_rptr; 672 tcpha_t *tcpha; 673 udpha_t *udpha; 674 /* Initialize to our inbound cksum adjustment... */ 675 uint32_t sum = assoc->ipsa_inbound_cksum; 676 677 switch (ipha->ipha_protocol) { 678 case IPPROTO_TCP: 679 tcpha = (tcpha_t *)(data_mp->b_rptr + 680 IPH_HDR_LENGTH(ipha)); 681 682 #define DOWN_SUM(x) (x) = ((x) & 0xFFFF) + ((x) >> 16) 683 sum += ~ntohs(tcpha->tha_sum) & 0xFFFF; 684 DOWN_SUM(sum); 685 DOWN_SUM(sum); 686 tcpha->tha_sum = ~htons(sum); 687 break; 688 case IPPROTO_UDP: 689 udpha = (udpha_t *)(data_mp->b_rptr + IPH_HDR_LENGTH(ipha)); 690 691 if (udpha->uha_checksum != 0) { 692 /* Adujst if the inbound one was not zero. */ 693 sum += ~ntohs(udpha->uha_checksum) & 0xFFFF; 694 DOWN_SUM(sum); 695 DOWN_SUM(sum); 696 udpha->uha_checksum = ~htons(sum); 697 if (udpha->uha_checksum == 0) 698 udpha->uha_checksum = 0xFFFF; 699 } 700 #undef DOWN_SUM 701 break; 702 case IPPROTO_IP: 703 /* 704 * This case is only an issue for self-encapsulated 705 * packets. So for now, fall through. 706 */ 707 break; 708 } 709 return (data_mp); 710 } 711 712 713 /* 714 * Strip ESP header, check padding, and fix IP header. 715 * Returns B_TRUE on success, B_FALSE if an error occured. 716 */ 717 static boolean_t 718 esp_strip_header(mblk_t *data_mp, boolean_t isv4, uint32_t ivlen, 719 kstat_named_t **counter, ipsecesp_stack_t *espstack) 720 { 721 ipha_t *ipha; 722 ip6_t *ip6h; 723 uint_t divpoint; 724 mblk_t *scratch; 725 uint8_t nexthdr, padlen; 726 uint8_t lastpad; 727 ipsec_stack_t *ipss = espstack->ipsecesp_netstack->netstack_ipsec; 728 uint8_t *lastbyte; 729 730 /* 731 * Strip ESP data and fix IP header. 732 * 733 * XXX In case the beginning of esp_inbound() changes to not do a 734 * pullup, this part of the code can remain unchanged. 735 */ 736 if (isv4) { 737 ASSERT((data_mp->b_wptr - data_mp->b_rptr) >= sizeof (ipha_t)); 738 ipha = (ipha_t *)data_mp->b_rptr; 739 ASSERT((data_mp->b_wptr - data_mp->b_rptr) >= sizeof (esph_t) + 740 IPH_HDR_LENGTH(ipha)); 741 divpoint = IPH_HDR_LENGTH(ipha); 742 } else { 743 ASSERT((data_mp->b_wptr - data_mp->b_rptr) >= sizeof (ip6_t)); 744 ip6h = (ip6_t *)data_mp->b_rptr; 745 divpoint = ip_hdr_length_v6(data_mp, ip6h); 746 } 747 748 scratch = data_mp; 749 while (scratch->b_cont != NULL) 750 scratch = scratch->b_cont; 751 752 ASSERT((scratch->b_wptr - scratch->b_rptr) >= 3); 753 754 /* 755 * "Next header" and padding length are the last two bytes in the 756 * ESP-protected datagram, thus the explicit - 1 and - 2. 757 * lastpad is the last byte of the padding, which can be used for 758 * a quick check to see if the padding is correct. 759 */ 760 lastbyte = scratch->b_wptr - 1; 761 nexthdr = *lastbyte--; 762 padlen = *lastbyte--; 763 764 if (isv4) { 765 /* Fix part of the IP header. */ 766 ipha->ipha_protocol = nexthdr; 767 /* 768 * Reality check the padlen. The explicit - 2 is for the 769 * padding length and the next-header bytes. 770 */ 771 if (padlen >= ntohs(ipha->ipha_length) - sizeof (ipha_t) - 2 - 772 sizeof (esph_t) - ivlen) { 773 ESP_BUMP_STAT(espstack, bad_decrypt); 774 ipsec_rl_strlog(espstack->ipsecesp_netstack, 775 info.mi_idnum, 0, 0, 776 SL_ERROR | SL_WARN, 777 "Corrupt ESP packet (padlen too big).\n"); 778 esp1dbg(espstack, ("padlen (%d) is greater than:\n", 779 padlen)); 780 esp1dbg(espstack, ("pkt len(%d) - ip hdr - esp " 781 "hdr - ivlen(%d) = %d.\n", 782 ntohs(ipha->ipha_length), ivlen, 783 (int)(ntohs(ipha->ipha_length) - sizeof (ipha_t) - 784 2 - sizeof (esph_t) - ivlen))); 785 *counter = DROPPER(ipss, ipds_esp_bad_padlen); 786 return (B_FALSE); 787 } 788 789 /* 790 * Fix the rest of the header. The explicit - 2 is for the 791 * padding length and the next-header bytes. 792 */ 793 ipha->ipha_length = htons(ntohs(ipha->ipha_length) - padlen - 794 2 - sizeof (esph_t) - ivlen); 795 ipha->ipha_hdr_checksum = 0; 796 ipha->ipha_hdr_checksum = (uint16_t)ip_csum_hdr(ipha); 797 } else { 798 if (ip6h->ip6_nxt == IPPROTO_ESP) { 799 ip6h->ip6_nxt = nexthdr; 800 } else { 801 ip_pkt_t ipp; 802 803 bzero(&ipp, sizeof (ipp)); 804 (void) ip_find_hdr_v6(data_mp, ip6h, B_FALSE, &ipp, 805 NULL); 806 if (ipp.ipp_dstopts != NULL) { 807 ipp.ipp_dstopts->ip6d_nxt = nexthdr; 808 } else if (ipp.ipp_rthdr != NULL) { 809 ipp.ipp_rthdr->ip6r_nxt = nexthdr; 810 } else if (ipp.ipp_hopopts != NULL) { 811 ipp.ipp_hopopts->ip6h_nxt = nexthdr; 812 } else { 813 /* Panic a DEBUG kernel. */ 814 ASSERT(ipp.ipp_hopopts != NULL); 815 /* Otherwise, pretend it's IP + ESP. */ 816 cmn_err(CE_WARN, "ESP IPv6 headers wrong.\n"); 817 ip6h->ip6_nxt = nexthdr; 818 } 819 } 820 821 if (padlen >= ntohs(ip6h->ip6_plen) - 2 - sizeof (esph_t) - 822 ivlen) { 823 ESP_BUMP_STAT(espstack, bad_decrypt); 824 ipsec_rl_strlog(espstack->ipsecesp_netstack, 825 info.mi_idnum, 0, 0, 826 SL_ERROR | SL_WARN, 827 "Corrupt ESP packet (v6 padlen too big).\n"); 828 esp1dbg(espstack, ("padlen (%d) is greater than:\n", 829 padlen)); 830 esp1dbg(espstack, 831 ("pkt len(%u) - ip hdr - esp hdr - ivlen(%d) = " 832 "%u.\n", (unsigned)(ntohs(ip6h->ip6_plen) 833 + sizeof (ip6_t)), ivlen, 834 (unsigned)(ntohs(ip6h->ip6_plen) - 2 - 835 sizeof (esph_t) - ivlen))); 836 *counter = DROPPER(ipss, ipds_esp_bad_padlen); 837 return (B_FALSE); 838 } 839 840 841 /* 842 * Fix the rest of the header. The explicit - 2 is for the 843 * padding length and the next-header bytes. IPv6 is nice, 844 * because there's no hdr checksum! 845 */ 846 ip6h->ip6_plen = htons(ntohs(ip6h->ip6_plen) - padlen - 847 2 - sizeof (esph_t) - ivlen); 848 } 849 850 if (espstack->ipsecesp_padding_check > 0 && padlen > 0) { 851 /* 852 * Weak padding check: compare last-byte to length, they 853 * should be equal. 854 */ 855 lastpad = *lastbyte--; 856 857 if (padlen != lastpad) { 858 ipsec_rl_strlog(espstack->ipsecesp_netstack, 859 info.mi_idnum, 0, 0, SL_ERROR | SL_WARN, 860 "Corrupt ESP packet (lastpad != padlen).\n"); 861 esp1dbg(espstack, 862 ("lastpad (%d) not equal to padlen (%d):\n", 863 lastpad, padlen)); 864 ESP_BUMP_STAT(espstack, bad_padding); 865 *counter = DROPPER(ipss, ipds_esp_bad_padding); 866 return (B_FALSE); 867 } 868 869 /* 870 * Strong padding check: Check all pad bytes to see that 871 * they're ascending. Go backwards using a descending counter 872 * to verify. padlen == 1 is checked by previous block, so 873 * only bother if we've more than 1 byte of padding. 874 * Consequently, start the check one byte before the location 875 * of "lastpad". 876 */ 877 if (espstack->ipsecesp_padding_check > 1) { 878 /* 879 * This assert may have to become an if and a pullup 880 * if we start accepting multi-dblk mblks. For now, 881 * though, any packet here will have been pulled up in 882 * esp_inbound. 883 */ 884 ASSERT(MBLKL(scratch) >= lastpad + 3); 885 886 /* 887 * Use "--lastpad" because we already checked the very 888 * last pad byte previously. 889 */ 890 while (--lastpad != 0) { 891 if (lastpad != *lastbyte) { 892 ipsec_rl_strlog( 893 espstack->ipsecesp_netstack, 894 info.mi_idnum, 0, 0, 895 SL_ERROR | SL_WARN, "Corrupt ESP " 896 "packet (bad padding).\n"); 897 esp1dbg(espstack, 898 ("padding not in correct" 899 " format:\n")); 900 ESP_BUMP_STAT(espstack, bad_padding); 901 *counter = DROPPER(ipss, 902 ipds_esp_bad_padding); 903 return (B_FALSE); 904 } 905 lastbyte--; 906 } 907 } 908 } 909 910 /* Trim off the padding. */ 911 ASSERT(data_mp->b_cont == NULL); 912 data_mp->b_wptr -= (padlen + 2); 913 914 /* 915 * Remove the ESP header. 916 * 917 * The above assertions about data_mp's size will make this work. 918 * 919 * XXX Question: If I send up and get back a contiguous mblk, 920 * would it be quicker to bcopy over, or keep doing the dupb stuff? 921 * I go with copying for now. 922 */ 923 924 if (IS_P2ALIGNED(data_mp->b_rptr, sizeof (uint32_t)) && 925 IS_P2ALIGNED(ivlen, sizeof (uint32_t))) { 926 uint8_t *start = data_mp->b_rptr; 927 uint32_t *src, *dst; 928 929 src = (uint32_t *)(start + divpoint); 930 dst = (uint32_t *)(start + divpoint + sizeof (esph_t) + ivlen); 931 932 ASSERT(IS_P2ALIGNED(dst, sizeof (uint32_t)) && 933 IS_P2ALIGNED(src, sizeof (uint32_t))); 934 935 do { 936 src--; 937 dst--; 938 *dst = *src; 939 } while (src != (uint32_t *)start); 940 941 data_mp->b_rptr = (uchar_t *)dst; 942 } else { 943 uint8_t *start = data_mp->b_rptr; 944 uint8_t *src, *dst; 945 946 src = start + divpoint; 947 dst = src + sizeof (esph_t) + ivlen; 948 949 do { 950 src--; 951 dst--; 952 *dst = *src; 953 } while (src != start); 954 955 data_mp->b_rptr = dst; 956 } 957 958 esp2dbg(espstack, ("data_mp after inbound ESP adjustment:\n")); 959 esp2dbg(espstack, (dump_msg(data_mp))); 960 961 return (B_TRUE); 962 } 963 964 /* 965 * Updating use times can be tricky business if the ipsa_haspeer flag is 966 * set. This function is called once in an SA's lifetime. 967 * 968 * Caller has to REFRELE "assoc" which is passed in. This function has 969 * to REFRELE any peer SA that is obtained. 970 */ 971 static void 972 esp_set_usetime(ipsa_t *assoc, boolean_t inbound) 973 { 974 ipsa_t *inassoc, *outassoc; 975 isaf_t *bucket; 976 sadb_t *sp; 977 int outhash; 978 boolean_t isv6; 979 netstack_t *ns = assoc->ipsa_netstack; 980 ipsecesp_stack_t *espstack = ns->netstack_ipsecesp; 981 982 /* No peer? No problem! */ 983 if (!assoc->ipsa_haspeer) { 984 sadb_set_usetime(assoc); 985 return; 986 } 987 988 /* 989 * Otherwise, we want to grab both the original assoc and its peer. 990 * There might be a race for this, but if it's a real race, the times 991 * will be out-of-synch by at most a second, and since our time 992 * granularity is a second, this won't be a problem. 993 * 994 * If we need tight synchronization on the peer SA, then we need to 995 * reconsider. 996 */ 997 998 /* Use address length to select IPv6/IPv4 */ 999 isv6 = (assoc->ipsa_addrfam == AF_INET6); 1000 sp = isv6 ? &espstack->esp_sadb.s_v6 : &espstack->esp_sadb.s_v4; 1001 1002 if (inbound) { 1003 inassoc = assoc; 1004 if (isv6) { 1005 outhash = OUTBOUND_HASH_V6(sp, *((in6_addr_t *) 1006 &inassoc->ipsa_dstaddr)); 1007 } else { 1008 outhash = OUTBOUND_HASH_V4(sp, *((ipaddr_t *) 1009 &inassoc->ipsa_dstaddr)); 1010 } 1011 bucket = &sp->sdb_of[outhash]; 1012 mutex_enter(&bucket->isaf_lock); 1013 outassoc = ipsec_getassocbyspi(bucket, inassoc->ipsa_spi, 1014 inassoc->ipsa_srcaddr, inassoc->ipsa_dstaddr, 1015 inassoc->ipsa_addrfam); 1016 mutex_exit(&bucket->isaf_lock); 1017 if (outassoc == NULL) { 1018 /* Q: Do we wish to set haspeer == B_FALSE? */ 1019 esp0dbg(("esp_set_usetime: " 1020 "can't find peer for inbound.\n")); 1021 sadb_set_usetime(inassoc); 1022 return; 1023 } 1024 } else { 1025 outassoc = assoc; 1026 bucket = INBOUND_BUCKET(sp, outassoc->ipsa_spi); 1027 mutex_enter(&bucket->isaf_lock); 1028 inassoc = ipsec_getassocbyspi(bucket, outassoc->ipsa_spi, 1029 outassoc->ipsa_srcaddr, outassoc->ipsa_dstaddr, 1030 outassoc->ipsa_addrfam); 1031 mutex_exit(&bucket->isaf_lock); 1032 if (inassoc == NULL) { 1033 /* Q: Do we wish to set haspeer == B_FALSE? */ 1034 esp0dbg(("esp_set_usetime: " 1035 "can't find peer for outbound.\n")); 1036 sadb_set_usetime(outassoc); 1037 return; 1038 } 1039 } 1040 1041 /* Update usetime on both. */ 1042 sadb_set_usetime(inassoc); 1043 sadb_set_usetime(outassoc); 1044 1045 /* 1046 * REFRELE any peer SA. 1047 * 1048 * Because of the multi-line macro nature of IPSA_REFRELE, keep 1049 * them in { }. 1050 */ 1051 if (inbound) { 1052 IPSA_REFRELE(outassoc); 1053 } else { 1054 IPSA_REFRELE(inassoc); 1055 } 1056 } 1057 1058 /* 1059 * Handle ESP inbound data for IPv4 and IPv6. 1060 * On success returns B_TRUE, on failure returns B_FALSE and frees the 1061 * mblk chain data_mp. 1062 */ 1063 mblk_t * 1064 esp_inbound(mblk_t *data_mp, void *arg, ip_recv_attr_t *ira) 1065 { 1066 esph_t *esph = (esph_t *)arg; 1067 ipsa_t *ipsa = ira->ira_ipsec_esp_sa; 1068 netstack_t *ns = ira->ira_ill->ill_ipst->ips_netstack; 1069 ipsecesp_stack_t *espstack = ns->netstack_ipsecesp; 1070 ipsec_stack_t *ipss = ns->netstack_ipsec; 1071 1072 /* 1073 * We may wish to check replay in-range-only here as an optimization. 1074 * Include the reality check of ipsa->ipsa_replay > 1075 * ipsa->ipsa_replay_wsize for times when it's the first N packets, 1076 * where N == ipsa->ipsa_replay_wsize. 1077 * 1078 * Another check that may come here later is the "collision" check. 1079 * If legitimate packets flow quickly enough, this won't be a problem, 1080 * but collisions may cause authentication algorithm crunching to 1081 * take place when it doesn't need to. 1082 */ 1083 if (!sadb_replay_peek(ipsa, esph->esph_replay)) { 1084 ESP_BUMP_STAT(espstack, replay_early_failures); 1085 IP_ESP_BUMP_STAT(ipss, in_discards); 1086 ip_drop_packet(data_mp, B_TRUE, ira->ira_ill, 1087 DROPPER(ipss, ipds_esp_early_replay), 1088 &espstack->esp_dropper); 1089 BUMP_MIB(ira->ira_ill->ill_ip_mib, ipIfStatsInDiscards); 1090 return (NULL); 1091 } 1092 1093 /* 1094 * Adjust the IP header's payload length to reflect the removal 1095 * of the ICV. 1096 */ 1097 if (!(ira->ira_flags & IRAF_IS_IPV4)) { 1098 ip6_t *ip6h = (ip6_t *)data_mp->b_rptr; 1099 ip6h->ip6_plen = htons(ntohs(ip6h->ip6_plen) - 1100 ipsa->ipsa_mac_len); 1101 } else { 1102 ipha_t *ipha = (ipha_t *)data_mp->b_rptr; 1103 ipha->ipha_length = htons(ntohs(ipha->ipha_length) - 1104 ipsa->ipsa_mac_len); 1105 } 1106 1107 /* submit the request to the crypto framework */ 1108 return (esp_submit_req_inbound(data_mp, ira, ipsa, 1109 (uint8_t *)esph - data_mp->b_rptr)); 1110 } 1111 1112 /* XXX refactor me */ 1113 /* 1114 * Handle the SADB_GETSPI message. Create a larval SA. 1115 */ 1116 static void 1117 esp_getspi(mblk_t *mp, keysock_in_t *ksi, ipsecesp_stack_t *espstack) 1118 { 1119 ipsa_t *newbie, *target; 1120 isaf_t *outbound, *inbound; 1121 int rc, diagnostic; 1122 sadb_sa_t *assoc; 1123 keysock_out_t *kso; 1124 uint32_t newspi; 1125 1126 /* 1127 * Randomly generate a proposed SPI value 1128 */ 1129 if (cl_inet_getspi != NULL) { 1130 cl_inet_getspi(espstack->ipsecesp_netstack->netstack_stackid, 1131 IPPROTO_ESP, (uint8_t *)&newspi, sizeof (uint32_t), NULL); 1132 } else { 1133 (void) random_get_pseudo_bytes((uint8_t *)&newspi, 1134 sizeof (uint32_t)); 1135 } 1136 newbie = sadb_getspi(ksi, newspi, &diagnostic, 1137 espstack->ipsecesp_netstack, IPPROTO_ESP); 1138 1139 if (newbie == NULL) { 1140 sadb_pfkey_error(espstack->esp_pfkey_q, mp, ENOMEM, diagnostic, 1141 ksi->ks_in_serial); 1142 return; 1143 } else if (newbie == (ipsa_t *)-1) { 1144 sadb_pfkey_error(espstack->esp_pfkey_q, mp, EINVAL, diagnostic, 1145 ksi->ks_in_serial); 1146 return; 1147 } 1148 1149 /* 1150 * XXX - We may randomly collide. We really should recover from this. 1151 * Unfortunately, that could require spending way-too-much-time 1152 * in here. For now, let the user retry. 1153 */ 1154 1155 if (newbie->ipsa_addrfam == AF_INET6) { 1156 outbound = OUTBOUND_BUCKET_V6(&espstack->esp_sadb.s_v6, 1157 *(uint32_t *)(newbie->ipsa_dstaddr)); 1158 inbound = INBOUND_BUCKET(&espstack->esp_sadb.s_v6, 1159 newbie->ipsa_spi); 1160 } else { 1161 ASSERT(newbie->ipsa_addrfam == AF_INET); 1162 outbound = OUTBOUND_BUCKET_V4(&espstack->esp_sadb.s_v4, 1163 *(uint32_t *)(newbie->ipsa_dstaddr)); 1164 inbound = INBOUND_BUCKET(&espstack->esp_sadb.s_v4, 1165 newbie->ipsa_spi); 1166 } 1167 1168 mutex_enter(&outbound->isaf_lock); 1169 mutex_enter(&inbound->isaf_lock); 1170 1171 /* 1172 * Check for collisions (i.e. did sadb_getspi() return with something 1173 * that already exists?). 1174 * 1175 * Try outbound first. Even though SADB_GETSPI is traditionally 1176 * for inbound SAs, you never know what a user might do. 1177 */ 1178 target = ipsec_getassocbyspi(outbound, newbie->ipsa_spi, 1179 newbie->ipsa_srcaddr, newbie->ipsa_dstaddr, newbie->ipsa_addrfam); 1180 if (target == NULL) { 1181 target = ipsec_getassocbyspi(inbound, newbie->ipsa_spi, 1182 newbie->ipsa_srcaddr, newbie->ipsa_dstaddr, 1183 newbie->ipsa_addrfam); 1184 } 1185 1186 /* 1187 * I don't have collisions elsewhere! 1188 * (Nor will I because I'm still holding inbound/outbound locks.) 1189 */ 1190 1191 if (target != NULL) { 1192 rc = EEXIST; 1193 IPSA_REFRELE(target); 1194 } else { 1195 /* 1196 * sadb_insertassoc() also checks for collisions, so 1197 * if there's a colliding entry, rc will be set 1198 * to EEXIST. 1199 */ 1200 rc = sadb_insertassoc(newbie, inbound); 1201 newbie->ipsa_hardexpiretime = gethrestime_sec(); 1202 newbie->ipsa_hardexpiretime += 1203 espstack->ipsecesp_larval_timeout; 1204 } 1205 1206 /* 1207 * Can exit outbound mutex. Hold inbound until we're done 1208 * with newbie. 1209 */ 1210 mutex_exit(&outbound->isaf_lock); 1211 1212 if (rc != 0) { 1213 mutex_exit(&inbound->isaf_lock); 1214 IPSA_REFRELE(newbie); 1215 sadb_pfkey_error(espstack->esp_pfkey_q, mp, rc, 1216 SADB_X_DIAGNOSTIC_NONE, ksi->ks_in_serial); 1217 return; 1218 } 1219 1220 1221 /* Can write here because I'm still holding the bucket lock. */ 1222 newbie->ipsa_type = SADB_SATYPE_ESP; 1223 1224 /* 1225 * Construct successful return message. We have one thing going 1226 * for us in PF_KEY v2. That's the fact that 1227 * sizeof (sadb_spirange_t) == sizeof (sadb_sa_t) 1228 */ 1229 assoc = (sadb_sa_t *)ksi->ks_in_extv[SADB_EXT_SPIRANGE]; 1230 assoc->sadb_sa_exttype = SADB_EXT_SA; 1231 assoc->sadb_sa_spi = newbie->ipsa_spi; 1232 *((uint64_t *)(&assoc->sadb_sa_replay)) = 0; 1233 mutex_exit(&inbound->isaf_lock); 1234 1235 /* Convert KEYSOCK_IN to KEYSOCK_OUT. */ 1236 kso = (keysock_out_t *)ksi; 1237 kso->ks_out_len = sizeof (*kso); 1238 kso->ks_out_serial = ksi->ks_in_serial; 1239 kso->ks_out_type = KEYSOCK_OUT; 1240 1241 /* 1242 * Can safely putnext() to esp_pfkey_q, because this is a turnaround 1243 * from the esp_pfkey_q. 1244 */ 1245 putnext(espstack->esp_pfkey_q, mp); 1246 } 1247 1248 /* 1249 * Insert the ESP header into a packet. Duplicate an mblk, and insert a newly 1250 * allocated mblk with the ESP header in between the two. 1251 */ 1252 static boolean_t 1253 esp_insert_esp(mblk_t *mp, mblk_t *esp_mp, uint_t divpoint, 1254 ipsecesp_stack_t *espstack) 1255 { 1256 mblk_t *split_mp = mp; 1257 uint_t wheretodiv = divpoint; 1258 1259 while ((split_mp->b_wptr - split_mp->b_rptr) < wheretodiv) { 1260 wheretodiv -= (split_mp->b_wptr - split_mp->b_rptr); 1261 split_mp = split_mp->b_cont; 1262 ASSERT(split_mp != NULL); 1263 } 1264 1265 if (split_mp->b_wptr - split_mp->b_rptr != wheretodiv) { 1266 mblk_t *scratch; 1267 1268 /* "scratch" is the 2nd half, split_mp is the first. */ 1269 scratch = dupb(split_mp); 1270 if (scratch == NULL) { 1271 esp1dbg(espstack, 1272 ("esp_insert_esp: can't allocate scratch.\n")); 1273 return (B_FALSE); 1274 } 1275 /* NOTE: dupb() doesn't set b_cont appropriately. */ 1276 scratch->b_cont = split_mp->b_cont; 1277 scratch->b_rptr += wheretodiv; 1278 split_mp->b_wptr = split_mp->b_rptr + wheretodiv; 1279 split_mp->b_cont = scratch; 1280 } 1281 /* 1282 * At this point, split_mp is exactly "wheretodiv" bytes long, and 1283 * holds the end of the pre-ESP part of the datagram. 1284 */ 1285 esp_mp->b_cont = split_mp->b_cont; 1286 split_mp->b_cont = esp_mp; 1287 1288 return (B_TRUE); 1289 } 1290 1291 /* 1292 * Section 7 of RFC 3947 says: 1293 * 1294 * 7. Recovering from the Expiring NAT Mappings 1295 * 1296 * There are cases where NAT box decides to remove mappings that are still 1297 * alive (for example, when the keepalive interval is too long, or when the 1298 * NAT box is rebooted). To recover from this, ends that are NOT behind 1299 * NAT SHOULD use the last valid UDP encapsulated IKE or IPsec packet from 1300 * the other end to determine which IP and port addresses should be used. 1301 * The host behind dynamic NAT MUST NOT do this, as otherwise it opens a 1302 * DoS attack possibility because the IP address or port of the other host 1303 * will not change (it is not behind NAT). 1304 * 1305 * Keepalives cannot be used for these purposes, as they are not 1306 * authenticated, but any IKE authenticated IKE packet or ESP packet can be 1307 * used to detect whether the IP address or the port has changed. 1308 * 1309 * The following function will check an SA and its explicitly-set pair to see 1310 * if the NAT-T remote port matches the received packet (which must have 1311 * passed ESP authentication, see esp_in_done() for the caller context). If 1312 * there is a mismatch, the SAs are updated. It is not important if we race 1313 * with a transmitting thread, as if there is a transmitting thread, it will 1314 * merely emit a packet that will most-likely be dropped. 1315 * 1316 * "ports" are ordered src,dst, and assoc is an inbound SA, where src should 1317 * match ipsa_remote_nat_port and dst should match ipsa_local_nat_port. 1318 */ 1319 #ifdef _LITTLE_ENDIAN 1320 #define FIRST_16(x) ((x) & 0xFFFF) 1321 #define NEXT_16(x) (((x) >> 16) & 0xFFFF) 1322 #else 1323 #define FIRST_16(x) (((x) >> 16) & 0xFFFF) 1324 #define NEXT_16(x) ((x) & 0xFFFF) 1325 #endif 1326 static void 1327 esp_port_freshness(uint32_t ports, ipsa_t *assoc) 1328 { 1329 uint16_t remote = FIRST_16(ports); 1330 uint16_t local = NEXT_16(ports); 1331 ipsa_t *outbound_peer; 1332 isaf_t *bucket; 1333 ipsecesp_stack_t *espstack = assoc->ipsa_netstack->netstack_ipsecesp; 1334 1335 /* We found a conn_t, therefore local != 0. */ 1336 ASSERT(local != 0); 1337 /* Assume an IPv4 SA. */ 1338 ASSERT(assoc->ipsa_addrfam == AF_INET); 1339 1340 /* 1341 * On-the-wire rport == 0 means something's very wrong. 1342 * An unpaired SA is also useless to us. 1343 * If we are behind the NAT, don't bother. 1344 * A zero local NAT port defaults to 4500, so check that too. 1345 * And, of course, if the ports already match, we don't need to 1346 * bother. 1347 */ 1348 if (remote == 0 || assoc->ipsa_otherspi == 0 || 1349 (assoc->ipsa_flags & IPSA_F_BEHIND_NAT) || 1350 (assoc->ipsa_remote_nat_port == 0 && 1351 remote == htons(IPPORT_IKE_NATT)) || 1352 remote == assoc->ipsa_remote_nat_port) 1353 return; 1354 1355 /* Try and snag the peer. NOTE: Assume IPv4 for now. */ 1356 bucket = OUTBOUND_BUCKET_V4(&(espstack->esp_sadb.s_v4), 1357 assoc->ipsa_srcaddr[0]); 1358 mutex_enter(&bucket->isaf_lock); 1359 outbound_peer = ipsec_getassocbyspi(bucket, assoc->ipsa_otherspi, 1360 assoc->ipsa_dstaddr, assoc->ipsa_srcaddr, AF_INET); 1361 mutex_exit(&bucket->isaf_lock); 1362 1363 /* We probably lost a race to a deleting or expiring thread. */ 1364 if (outbound_peer == NULL) 1365 return; 1366 1367 /* 1368 * Hold the mutexes for both SAs so we don't race another inbound 1369 * thread. A lock-entry order shouldn't matter, since all other 1370 * per-ipsa locks are individually held-then-released. 1371 * 1372 * Luckily, this has nothing to do with the remote-NAT address, 1373 * so we don't have to re-scribble the cached-checksum differential. 1374 */ 1375 mutex_enter(&outbound_peer->ipsa_lock); 1376 mutex_enter(&assoc->ipsa_lock); 1377 outbound_peer->ipsa_remote_nat_port = assoc->ipsa_remote_nat_port = 1378 remote; 1379 mutex_exit(&assoc->ipsa_lock); 1380 mutex_exit(&outbound_peer->ipsa_lock); 1381 IPSA_REFRELE(outbound_peer); 1382 ESP_BUMP_STAT(espstack, sa_port_renumbers); 1383 } 1384 /* 1385 * Finish processing of an inbound ESP packet after processing by the 1386 * crypto framework. 1387 * - Remove the ESP header. 1388 * - Send packet back to IP. 1389 * If authentication was performed on the packet, this function is called 1390 * only if the authentication succeeded. 1391 * On success returns B_TRUE, on failure returns B_FALSE and frees the 1392 * mblk chain data_mp. 1393 */ 1394 static mblk_t * 1395 esp_in_done(mblk_t *data_mp, ip_recv_attr_t *ira, ipsec_crypto_t *ic) 1396 { 1397 ipsa_t *assoc; 1398 uint_t espstart; 1399 uint32_t ivlen = 0; 1400 uint_t processed_len; 1401 esph_t *esph; 1402 kstat_named_t *counter; 1403 boolean_t is_natt; 1404 netstack_t *ns = ira->ira_ill->ill_ipst->ips_netstack; 1405 ipsecesp_stack_t *espstack = ns->netstack_ipsecesp; 1406 ipsec_stack_t *ipss = ns->netstack_ipsec; 1407 1408 assoc = ira->ira_ipsec_esp_sa; 1409 ASSERT(assoc != NULL); 1410 1411 is_natt = ((assoc->ipsa_flags & IPSA_F_NATT) != 0); 1412 1413 /* get the pointer to the ESP header */ 1414 if (assoc->ipsa_encr_alg == SADB_EALG_NULL) { 1415 /* authentication-only ESP */ 1416 espstart = ic->ic_crypto_data.cd_offset; 1417 processed_len = ic->ic_crypto_data.cd_length; 1418 } else { 1419 /* encryption present */ 1420 ivlen = assoc->ipsa_iv_len; 1421 if (assoc->ipsa_auth_alg == SADB_AALG_NONE) { 1422 /* encryption-only ESP */ 1423 espstart = ic->ic_crypto_data.cd_offset - 1424 sizeof (esph_t) - assoc->ipsa_iv_len; 1425 processed_len = ic->ic_crypto_data.cd_length + 1426 ivlen; 1427 } else { 1428 /* encryption with authentication */ 1429 espstart = ic->ic_crypto_dual_data.dd_offset1; 1430 processed_len = ic->ic_crypto_dual_data.dd_len2 + 1431 ivlen; 1432 } 1433 } 1434 1435 esph = (esph_t *)(data_mp->b_rptr + espstart); 1436 1437 if (assoc->ipsa_auth_alg != IPSA_AALG_NONE || 1438 (assoc->ipsa_flags & IPSA_F_COMBINED)) { 1439 /* 1440 * Authentication passed if we reach this point. 1441 * Packets with authentication will have the ICV 1442 * after the crypto data. Adjust b_wptr before 1443 * making padlen checks. 1444 */ 1445 ESP_BUMP_STAT(espstack, good_auth); 1446 data_mp->b_wptr -= assoc->ipsa_mac_len; 1447 1448 /* 1449 * Check replay window here! 1450 * For right now, assume keysock will set the replay window 1451 * size to zero for SAs that have an unspecified sender. 1452 * This may change... 1453 */ 1454 1455 if (!sadb_replay_check(assoc, esph->esph_replay)) { 1456 /* 1457 * Log the event. As of now we print out an event. 1458 * Do not print the replay failure number, or else 1459 * syslog cannot collate the error messages. Printing 1460 * the replay number that failed opens a denial-of- 1461 * service attack. 1462 */ 1463 ipsec_assocfailure(info.mi_idnum, 0, 0, 1464 SL_ERROR | SL_WARN, 1465 "Replay failed for ESP spi 0x%x, dst %s.\n", 1466 assoc->ipsa_spi, assoc->ipsa_dstaddr, 1467 assoc->ipsa_addrfam, espstack->ipsecesp_netstack); 1468 ESP_BUMP_STAT(espstack, replay_failures); 1469 counter = DROPPER(ipss, ipds_esp_replay); 1470 goto drop_and_bail; 1471 } 1472 1473 if (is_natt) { 1474 ASSERT(ira->ira_flags & IRAF_ESP_UDP_PORTS); 1475 ASSERT(ira->ira_esp_udp_ports != 0); 1476 esp_port_freshness(ira->ira_esp_udp_ports, assoc); 1477 } 1478 } 1479 1480 esp_set_usetime(assoc, B_TRUE); 1481 1482 if (!esp_age_bytes(assoc, processed_len, B_TRUE)) { 1483 /* The ipsa has hit hard expiration, LOG and AUDIT. */ 1484 ipsec_assocfailure(info.mi_idnum, 0, 0, 1485 SL_ERROR | SL_WARN, 1486 "ESP association 0x%x, dst %s had bytes expire.\n", 1487 assoc->ipsa_spi, assoc->ipsa_dstaddr, assoc->ipsa_addrfam, 1488 espstack->ipsecesp_netstack); 1489 ESP_BUMP_STAT(espstack, bytes_expired); 1490 counter = DROPPER(ipss, ipds_esp_bytes_expire); 1491 goto drop_and_bail; 1492 } 1493 1494 /* 1495 * Remove ESP header and padding from packet. I hope the compiler 1496 * spews "branch, predict taken" code for this. 1497 */ 1498 1499 if (esp_strip_header(data_mp, (ira->ira_flags & IRAF_IS_IPV4), 1500 ivlen, &counter, espstack)) { 1501 1502 if (is_system_labeled() && assoc->ipsa_tsl != NULL) { 1503 if (!ip_recv_attr_replace_label(ira, assoc->ipsa_tsl)) { 1504 ip_drop_packet(data_mp, B_TRUE, ira->ira_ill, 1505 DROPPER(ipss, ipds_ah_nomem), 1506 &espstack->esp_dropper); 1507 BUMP_MIB(ira->ira_ill->ill_ip_mib, 1508 ipIfStatsInDiscards); 1509 return (NULL); 1510 } 1511 } 1512 if (is_natt) 1513 return (esp_fix_natt_checksums(data_mp, assoc)); 1514 1515 if (assoc->ipsa_state == IPSA_STATE_IDLE) { 1516 /* 1517 * Cluster buffering case. Tell caller that we're 1518 * handling the packet. 1519 */ 1520 sadb_buf_pkt(assoc, data_mp, ira); 1521 return (NULL); 1522 } 1523 1524 return (data_mp); 1525 } 1526 1527 esp1dbg(espstack, ("esp_in_done: esp_strip_header() failed\n")); 1528 drop_and_bail: 1529 IP_ESP_BUMP_STAT(ipss, in_discards); 1530 ip_drop_packet(data_mp, B_TRUE, ira->ira_ill, counter, 1531 &espstack->esp_dropper); 1532 BUMP_MIB(ira->ira_ill->ill_ip_mib, ipIfStatsInDiscards); 1533 return (NULL); 1534 } 1535 1536 /* 1537 * Called upon failing the inbound ICV check. The message passed as 1538 * argument is freed. 1539 */ 1540 static void 1541 esp_log_bad_auth(mblk_t *mp, ip_recv_attr_t *ira) 1542 { 1543 ipsa_t *assoc = ira->ira_ipsec_esp_sa; 1544 netstack_t *ns = ira->ira_ill->ill_ipst->ips_netstack; 1545 ipsecesp_stack_t *espstack = ns->netstack_ipsecesp; 1546 ipsec_stack_t *ipss = ns->netstack_ipsec; 1547 1548 /* 1549 * Log the event. Don't print to the console, block 1550 * potential denial-of-service attack. 1551 */ 1552 ESP_BUMP_STAT(espstack, bad_auth); 1553 1554 ipsec_assocfailure(info.mi_idnum, 0, 0, SL_ERROR | SL_WARN, 1555 "ESP Authentication failed for spi 0x%x, dst %s.\n", 1556 assoc->ipsa_spi, assoc->ipsa_dstaddr, assoc->ipsa_addrfam, 1557 espstack->ipsecesp_netstack); 1558 1559 IP_ESP_BUMP_STAT(ipss, in_discards); 1560 ip_drop_packet(mp, B_TRUE, ira->ira_ill, 1561 DROPPER(ipss, ipds_esp_bad_auth), 1562 &espstack->esp_dropper); 1563 } 1564 1565 1566 /* 1567 * Invoked for outbound packets after ESP processing. If the packet 1568 * also requires AH, performs the AH SA selection and AH processing. 1569 * 1570 * Returns data_mp (possibly with AH added) unless data_mp was consumed 1571 * due to an error, or queued due to async. crypto or an ACQUIRE trigger. 1572 */ 1573 static mblk_t * 1574 esp_do_outbound_ah(mblk_t *data_mp, ip_xmit_attr_t *ixa) 1575 { 1576 ipsec_action_t *ap; 1577 1578 ap = ixa->ixa_ipsec_action; 1579 if (ap == NULL) { 1580 ipsec_policy_t *pp = ixa->ixa_ipsec_policy; 1581 ap = pp->ipsp_act; 1582 } 1583 1584 if (!ap->ipa_want_ah) 1585 return (data_mp); 1586 1587 /* 1588 * Normally the AH SA would have already been put in place 1589 * but it could have been flushed so we need to look for it. 1590 */ 1591 if (ixa->ixa_ipsec_ah_sa == NULL) { 1592 if (!ipsec_outbound_sa(data_mp, ixa, IPPROTO_AH)) { 1593 sadb_acquire(data_mp, ixa, B_TRUE, B_FALSE); 1594 return (NULL); 1595 } 1596 } 1597 ASSERT(ixa->ixa_ipsec_ah_sa != NULL); 1598 1599 data_mp = ixa->ixa_ipsec_ah_sa->ipsa_output_func(data_mp, ixa); 1600 return (data_mp); 1601 } 1602 1603 1604 /* 1605 * Kernel crypto framework callback invoked after completion of async 1606 * crypto requests for outbound packets. 1607 */ 1608 static void 1609 esp_kcf_callback_outbound(void *arg, int status) 1610 { 1611 mblk_t *mp = (mblk_t *)arg; 1612 mblk_t *async_mp; 1613 netstack_t *ns; 1614 ipsec_stack_t *ipss; 1615 ipsecesp_stack_t *espstack; 1616 mblk_t *data_mp; 1617 ip_xmit_attr_t ixas; 1618 ipsec_crypto_t *ic; 1619 ill_t *ill; 1620 1621 /* 1622 * First remove the ipsec_crypto_t mblk 1623 * Note that we need to ipsec_free_crypto_data(mp) once done with ic. 1624 */ 1625 async_mp = ipsec_remove_crypto_data(mp, &ic); 1626 ASSERT(async_mp != NULL); 1627 1628 /* 1629 * Extract the ip_xmit_attr_t from the first mblk. 1630 * Verifies that the netstack and ill is still around; could 1631 * have vanished while kEf was doing its work. 1632 * On succesful return we have a nce_t and the ill/ipst can't 1633 * disappear until we do the nce_refrele in ixa_cleanup. 1634 */ 1635 data_mp = async_mp->b_cont; 1636 async_mp->b_cont = NULL; 1637 if (!ip_xmit_attr_from_mblk(async_mp, &ixas)) { 1638 /* Disappeared on us - no ill/ipst for MIB */ 1639 /* We have nowhere to do stats since ixa_ipst could be NULL */ 1640 if (ixas.ixa_nce != NULL) { 1641 ill = ixas.ixa_nce->nce_ill; 1642 BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutDiscards); 1643 ip_drop_output("ipIfStatsOutDiscards", data_mp, ill); 1644 } 1645 freemsg(data_mp); 1646 goto done; 1647 } 1648 ns = ixas.ixa_ipst->ips_netstack; 1649 espstack = ns->netstack_ipsecesp; 1650 ipss = ns->netstack_ipsec; 1651 ill = ixas.ixa_nce->nce_ill; 1652 1653 if (status == CRYPTO_SUCCESS) { 1654 /* 1655 * If a ICV was computed, it was stored by the 1656 * crypto framework at the end of the packet. 1657 */ 1658 ipha_t *ipha = (ipha_t *)data_mp->b_rptr; 1659 1660 esp_set_usetime(ixas.ixa_ipsec_esp_sa, B_FALSE); 1661 /* NAT-T packet. */ 1662 if (IPH_HDR_VERSION(ipha) == IP_VERSION && 1663 ipha->ipha_protocol == IPPROTO_UDP) 1664 esp_prepare_udp(ns, data_mp, ipha); 1665 1666 /* do AH processing if needed */ 1667 data_mp = esp_do_outbound_ah(data_mp, &ixas); 1668 if (data_mp == NULL) 1669 goto done; 1670 1671 (void) ip_output_post_ipsec(data_mp, &ixas); 1672 } else { 1673 /* Outbound shouldn't see invalid MAC */ 1674 ASSERT(status != CRYPTO_INVALID_MAC); 1675 1676 esp1dbg(espstack, 1677 ("esp_kcf_callback_outbound: crypto failed with 0x%x\n", 1678 status)); 1679 ESP_BUMP_STAT(espstack, crypto_failures); 1680 ESP_BUMP_STAT(espstack, out_discards); 1681 ip_drop_packet(data_mp, B_FALSE, ill, 1682 DROPPER(ipss, ipds_esp_crypto_failed), 1683 &espstack->esp_dropper); 1684 BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutDiscards); 1685 } 1686 done: 1687 ixa_cleanup(&ixas); 1688 (void) ipsec_free_crypto_data(mp); 1689 } 1690 1691 /* 1692 * Kernel crypto framework callback invoked after completion of async 1693 * crypto requests for inbound packets. 1694 */ 1695 static void 1696 esp_kcf_callback_inbound(void *arg, int status) 1697 { 1698 mblk_t *mp = (mblk_t *)arg; 1699 mblk_t *async_mp; 1700 netstack_t *ns; 1701 ipsecesp_stack_t *espstack; 1702 ipsec_stack_t *ipss; 1703 mblk_t *data_mp; 1704 ip_recv_attr_t iras; 1705 ipsec_crypto_t *ic; 1706 1707 /* 1708 * First remove the ipsec_crypto_t mblk 1709 * Note that we need to ipsec_free_crypto_data(mp) once done with ic. 1710 */ 1711 async_mp = ipsec_remove_crypto_data(mp, &ic); 1712 ASSERT(async_mp != NULL); 1713 1714 /* 1715 * Extract the ip_recv_attr_t from the first mblk. 1716 * Verifies that the netstack and ill is still around; could 1717 * have vanished while kEf was doing its work. 1718 */ 1719 data_mp = async_mp->b_cont; 1720 async_mp->b_cont = NULL; 1721 if (!ip_recv_attr_from_mblk(async_mp, &iras)) { 1722 /* The ill or ip_stack_t disappeared on us */ 1723 ip_drop_input("ip_recv_attr_from_mblk", data_mp, NULL); 1724 freemsg(data_mp); 1725 goto done; 1726 } 1727 1728 ns = iras.ira_ill->ill_ipst->ips_netstack; 1729 espstack = ns->netstack_ipsecesp; 1730 ipss = ns->netstack_ipsec; 1731 1732 if (status == CRYPTO_SUCCESS) { 1733 data_mp = esp_in_done(data_mp, &iras, ic); 1734 if (data_mp == NULL) 1735 goto done; 1736 1737 /* finish IPsec processing */ 1738 ip_input_post_ipsec(data_mp, &iras); 1739 } else if (status == CRYPTO_INVALID_MAC) { 1740 esp_log_bad_auth(data_mp, &iras); 1741 } else { 1742 esp1dbg(espstack, 1743 ("esp_kcf_callback: crypto failed with 0x%x\n", 1744 status)); 1745 ESP_BUMP_STAT(espstack, crypto_failures); 1746 IP_ESP_BUMP_STAT(ipss, in_discards); 1747 ip_drop_packet(data_mp, B_TRUE, iras.ira_ill, 1748 DROPPER(ipss, ipds_esp_crypto_failed), 1749 &espstack->esp_dropper); 1750 BUMP_MIB(iras.ira_ill->ill_ip_mib, ipIfStatsInDiscards); 1751 } 1752 done: 1753 ira_cleanup(&iras, B_TRUE); 1754 (void) ipsec_free_crypto_data(mp); 1755 } 1756 1757 /* 1758 * Invoked on crypto framework failure during inbound and outbound processing. 1759 */ 1760 static void 1761 esp_crypto_failed(mblk_t *data_mp, boolean_t is_inbound, int kef_rc, 1762 ill_t *ill, ipsecesp_stack_t *espstack) 1763 { 1764 ipsec_stack_t *ipss = espstack->ipsecesp_netstack->netstack_ipsec; 1765 1766 esp1dbg(espstack, ("crypto failed for %s ESP with 0x%x\n", 1767 is_inbound ? "inbound" : "outbound", kef_rc)); 1768 ip_drop_packet(data_mp, is_inbound, ill, 1769 DROPPER(ipss, ipds_esp_crypto_failed), 1770 &espstack->esp_dropper); 1771 ESP_BUMP_STAT(espstack, crypto_failures); 1772 if (is_inbound) 1773 IP_ESP_BUMP_STAT(ipss, in_discards); 1774 else 1775 ESP_BUMP_STAT(espstack, out_discards); 1776 } 1777 1778 /* 1779 * A statement-equivalent macro, _cr MUST point to a modifiable 1780 * crypto_call_req_t. 1781 */ 1782 #define ESP_INIT_CALLREQ(_cr, _mp, _callback) \ 1783 (_cr)->cr_flag = CRYPTO_SKIP_REQID|CRYPTO_ALWAYS_QUEUE; \ 1784 (_cr)->cr_callback_arg = (_mp); \ 1785 (_cr)->cr_callback_func = (_callback) 1786 1787 #define ESP_INIT_CRYPTO_MAC(mac, icvlen, icvbuf) { \ 1788 (mac)->cd_format = CRYPTO_DATA_RAW; \ 1789 (mac)->cd_offset = 0; \ 1790 (mac)->cd_length = icvlen; \ 1791 (mac)->cd_raw.iov_base = (char *)icvbuf; \ 1792 (mac)->cd_raw.iov_len = icvlen; \ 1793 } 1794 1795 #define ESP_INIT_CRYPTO_DATA(data, mp, off, len) { \ 1796 if (MBLKL(mp) >= (len) + (off)) { \ 1797 (data)->cd_format = CRYPTO_DATA_RAW; \ 1798 (data)->cd_raw.iov_base = (char *)(mp)->b_rptr; \ 1799 (data)->cd_raw.iov_len = MBLKL(mp); \ 1800 (data)->cd_offset = off; \ 1801 } else { \ 1802 (data)->cd_format = CRYPTO_DATA_MBLK; \ 1803 (data)->cd_mp = mp; \ 1804 (data)->cd_offset = off; \ 1805 } \ 1806 (data)->cd_length = len; \ 1807 } 1808 1809 #define ESP_INIT_CRYPTO_DUAL_DATA(data, mp, off1, len1, off2, len2) { \ 1810 (data)->dd_format = CRYPTO_DATA_MBLK; \ 1811 (data)->dd_mp = mp; \ 1812 (data)->dd_len1 = len1; \ 1813 (data)->dd_offset1 = off1; \ 1814 (data)->dd_len2 = len2; \ 1815 (data)->dd_offset2 = off2; \ 1816 } 1817 1818 /* 1819 * Returns data_mp if successfully completed the request. Returns 1820 * NULL if it failed (and increments InDiscards) or if it is pending. 1821 */ 1822 static mblk_t * 1823 esp_submit_req_inbound(mblk_t *esp_mp, ip_recv_attr_t *ira, 1824 ipsa_t *assoc, uint_t esph_offset) 1825 { 1826 uint_t auth_offset, msg_len, auth_len; 1827 crypto_call_req_t call_req, *callrp; 1828 mblk_t *mp; 1829 esph_t *esph_ptr; 1830 int kef_rc; 1831 uint_t icv_len = assoc->ipsa_mac_len; 1832 crypto_ctx_template_t auth_ctx_tmpl; 1833 boolean_t do_auth, do_encr, force; 1834 uint_t encr_offset, encr_len; 1835 uint_t iv_len = assoc->ipsa_iv_len; 1836 crypto_ctx_template_t encr_ctx_tmpl; 1837 ipsec_crypto_t *ic, icstack; 1838 uchar_t *iv_ptr; 1839 netstack_t *ns = ira->ira_ill->ill_ipst->ips_netstack; 1840 ipsec_stack_t *ipss = ns->netstack_ipsec; 1841 ipsecesp_stack_t *espstack = ns->netstack_ipsecesp; 1842 1843 do_auth = assoc->ipsa_auth_alg != SADB_AALG_NONE; 1844 do_encr = assoc->ipsa_encr_alg != SADB_EALG_NULL; 1845 force = (assoc->ipsa_flags & IPSA_F_ASYNC); 1846 1847 #ifdef IPSEC_LATENCY_TEST 1848 kef_rc = CRYPTO_SUCCESS; 1849 #else 1850 kef_rc = CRYPTO_FAILED; 1851 #endif 1852 1853 /* 1854 * An inbound packet is of the form: 1855 * [IP,options,ESP,IV,data,ICV,pad] 1856 */ 1857 esph_ptr = (esph_t *)(esp_mp->b_rptr + esph_offset); 1858 iv_ptr = (uchar_t *)(esph_ptr + 1); 1859 /* Packet length starting at IP header ending after ESP ICV. */ 1860 msg_len = MBLKL(esp_mp); 1861 1862 encr_offset = esph_offset + sizeof (esph_t) + iv_len; 1863 encr_len = msg_len - encr_offset; 1864 1865 /* 1866 * Counter mode algs need a nonce. This is setup in sadb_common_add(). 1867 * If for some reason we are using a SA which does not have a nonce 1868 * then we must fail here. 1869 */ 1870 if ((assoc->ipsa_flags & IPSA_F_COUNTERMODE) && 1871 (assoc->ipsa_nonce == NULL)) { 1872 ip_drop_packet(esp_mp, B_TRUE, ira->ira_ill, 1873 DROPPER(ipss, ipds_esp_nomem), &espstack->esp_dropper); 1874 return (NULL); 1875 } 1876 1877 if (force) { 1878 /* We are doing asynch; allocate mblks to hold state */ 1879 if ((mp = ip_recv_attr_to_mblk(ira)) == NULL || 1880 (mp = ipsec_add_crypto_data(mp, &ic)) == NULL) { 1881 BUMP_MIB(ira->ira_ill->ill_ip_mib, ipIfStatsInDiscards); 1882 ip_drop_input("ipIfStatsInDiscards", esp_mp, 1883 ira->ira_ill); 1884 return (NULL); 1885 } 1886 linkb(mp, esp_mp); 1887 callrp = &call_req; 1888 ESP_INIT_CALLREQ(callrp, mp, esp_kcf_callback_inbound); 1889 } else { 1890 /* 1891 * If we know we are going to do sync then ipsec_crypto_t 1892 * should be on the stack. 1893 */ 1894 ic = &icstack; 1895 bzero(ic, sizeof (*ic)); 1896 callrp = NULL; 1897 } 1898 1899 if (do_auth) { 1900 /* authentication context template */ 1901 IPSEC_CTX_TMPL(assoc, ipsa_authtmpl, IPSEC_ALG_AUTH, 1902 auth_ctx_tmpl); 1903 1904 /* ICV to be verified */ 1905 ESP_INIT_CRYPTO_MAC(&ic->ic_crypto_mac, 1906 icv_len, esp_mp->b_wptr - icv_len); 1907 1908 /* authentication starts at the ESP header */ 1909 auth_offset = esph_offset; 1910 auth_len = msg_len - auth_offset - icv_len; 1911 if (!do_encr) { 1912 /* authentication only */ 1913 /* initialize input data argument */ 1914 ESP_INIT_CRYPTO_DATA(&ic->ic_crypto_data, 1915 esp_mp, auth_offset, auth_len); 1916 1917 /* call the crypto framework */ 1918 kef_rc = crypto_mac_verify(&assoc->ipsa_amech, 1919 &ic->ic_crypto_data, 1920 &assoc->ipsa_kcfauthkey, auth_ctx_tmpl, 1921 &ic->ic_crypto_mac, callrp); 1922 } 1923 } 1924 1925 if (do_encr) { 1926 /* encryption template */ 1927 IPSEC_CTX_TMPL(assoc, ipsa_encrtmpl, IPSEC_ALG_ENCR, 1928 encr_ctx_tmpl); 1929 1930 /* Call the nonce update function. Also passes in IV */ 1931 (assoc->ipsa_noncefunc)(assoc, (uchar_t *)esph_ptr, encr_len, 1932 iv_ptr, &ic->ic_cmm, &ic->ic_crypto_data); 1933 1934 if (!do_auth) { 1935 /* decryption only */ 1936 /* initialize input data argument */ 1937 ESP_INIT_CRYPTO_DATA(&ic->ic_crypto_data, 1938 esp_mp, encr_offset, encr_len); 1939 1940 /* call the crypto framework */ 1941 kef_rc = crypto_decrypt((crypto_mechanism_t *) 1942 &ic->ic_cmm, &ic->ic_crypto_data, 1943 &assoc->ipsa_kcfencrkey, encr_ctx_tmpl, 1944 NULL, callrp); 1945 } 1946 } 1947 1948 if (do_auth && do_encr) { 1949 /* dual operation */ 1950 /* initialize input data argument */ 1951 ESP_INIT_CRYPTO_DUAL_DATA(&ic->ic_crypto_dual_data, 1952 esp_mp, auth_offset, auth_len, 1953 encr_offset, encr_len - icv_len); 1954 1955 /* specify IV */ 1956 ic->ic_crypto_dual_data.dd_miscdata = (char *)iv_ptr; 1957 1958 /* call the framework */ 1959 kef_rc = crypto_mac_verify_decrypt(&assoc->ipsa_amech, 1960 &assoc->ipsa_emech, &ic->ic_crypto_dual_data, 1961 &assoc->ipsa_kcfauthkey, &assoc->ipsa_kcfencrkey, 1962 auth_ctx_tmpl, encr_ctx_tmpl, &ic->ic_crypto_mac, 1963 NULL, callrp); 1964 } 1965 1966 switch (kef_rc) { 1967 case CRYPTO_SUCCESS: 1968 ESP_BUMP_STAT(espstack, crypto_sync); 1969 esp_mp = esp_in_done(esp_mp, ira, ic); 1970 if (force) { 1971 /* Free mp after we are done with ic */ 1972 mp = ipsec_free_crypto_data(mp); 1973 (void) ip_recv_attr_free_mblk(mp); 1974 } 1975 return (esp_mp); 1976 case CRYPTO_QUEUED: 1977 /* esp_kcf_callback_inbound() will be invoked on completion */ 1978 ESP_BUMP_STAT(espstack, crypto_async); 1979 return (NULL); 1980 case CRYPTO_INVALID_MAC: 1981 if (force) { 1982 mp = ipsec_free_crypto_data(mp); 1983 esp_mp = ip_recv_attr_free_mblk(mp); 1984 } 1985 ESP_BUMP_STAT(espstack, crypto_sync); 1986 BUMP_MIB(ira->ira_ill->ill_ip_mib, ipIfStatsInDiscards); 1987 esp_log_bad_auth(esp_mp, ira); 1988 /* esp_mp was passed to ip_drop_packet */ 1989 return (NULL); 1990 } 1991 1992 if (force) { 1993 mp = ipsec_free_crypto_data(mp); 1994 esp_mp = ip_recv_attr_free_mblk(mp); 1995 } 1996 BUMP_MIB(ira->ira_ill->ill_ip_mib, ipIfStatsInDiscards); 1997 esp_crypto_failed(esp_mp, B_TRUE, kef_rc, ira->ira_ill, espstack); 1998 /* esp_mp was passed to ip_drop_packet */ 1999 return (NULL); 2000 } 2001 2002 /* 2003 * Compute the IP and UDP checksums -- common code for both keepalives and 2004 * actual ESP-in-UDP packets. Be flexible with multiple mblks because ESP 2005 * uses mblk-insertion to insert the UDP header. 2006 * TODO - If there is an easy way to prep a packet for HW checksums, make 2007 * it happen here. 2008 * Note that this is used before both before calling ip_output_simple and 2009 * in the esp datapath. The former could use IXAF_SET_ULP_CKSUM but not the 2010 * latter. 2011 */ 2012 static void 2013 esp_prepare_udp(netstack_t *ns, mblk_t *mp, ipha_t *ipha) 2014 { 2015 int offset; 2016 uint32_t cksum; 2017 uint16_t *arr; 2018 mblk_t *udpmp = mp; 2019 uint_t hlen = IPH_HDR_LENGTH(ipha); 2020 2021 ASSERT(MBLKL(mp) >= sizeof (ipha_t)); 2022 2023 ipha->ipha_hdr_checksum = 0; 2024 ipha->ipha_hdr_checksum = ip_csum_hdr(ipha); 2025 2026 if (ns->netstack_udp->us_do_checksum) { 2027 ASSERT(MBLKL(udpmp) >= sizeof (udpha_t)); 2028 /* arr points to the IP header. */ 2029 arr = (uint16_t *)ipha; 2030 IP_STAT(ns->netstack_ip, ip_out_sw_cksum); 2031 IP_STAT_UPDATE(ns->netstack_ip, ip_out_sw_cksum_bytes, 2032 ntohs(htons(ipha->ipha_length) - hlen)); 2033 /* arr[6-9] are the IP addresses. */ 2034 cksum = IP_UDP_CSUM_COMP + arr[6] + arr[7] + arr[8] + arr[9] + 2035 ntohs(htons(ipha->ipha_length) - hlen); 2036 cksum = IP_CSUM(mp, hlen, cksum); 2037 offset = hlen + UDP_CHECKSUM_OFFSET; 2038 while (offset >= MBLKL(udpmp)) { 2039 offset -= MBLKL(udpmp); 2040 udpmp = udpmp->b_cont; 2041 } 2042 /* arr points to the UDP header's checksum field. */ 2043 arr = (uint16_t *)(udpmp->b_rptr + offset); 2044 *arr = cksum; 2045 } 2046 } 2047 2048 /* 2049 * taskq handler so we can send the NAT-T keepalive on a separate thread. 2050 */ 2051 static void 2052 actually_send_keepalive(void *arg) 2053 { 2054 mblk_t *mp = (mblk_t *)arg; 2055 ip_xmit_attr_t ixas; 2056 netstack_t *ns; 2057 netstackid_t stackid; 2058 2059 stackid = (netstackid_t)(uintptr_t)mp->b_prev; 2060 mp->b_prev = NULL; 2061 ns = netstack_find_by_stackid(stackid); 2062 if (ns == NULL) { 2063 /* Disappeared */ 2064 ip_drop_output("ipIfStatsOutDiscards", mp, NULL); 2065 freemsg(mp); 2066 return; 2067 } 2068 2069 bzero(&ixas, sizeof (ixas)); 2070 ixas.ixa_zoneid = ALL_ZONES; 2071 ixas.ixa_cred = kcred; 2072 ixas.ixa_cpid = NOPID; 2073 ixas.ixa_tsl = NULL; 2074 ixas.ixa_ipst = ns->netstack_ip; 2075 /* No ULP checksum; done by esp_prepare_udp */ 2076 ixas.ixa_flags = (IXAF_IS_IPV4 | IXAF_NO_IPSEC | IXAF_VERIFY_SOURCE); 2077 2078 (void) ip_output_simple(mp, &ixas); 2079 ixa_cleanup(&ixas); 2080 netstack_rele(ns); 2081 } 2082 2083 /* 2084 * Send a one-byte UDP NAT-T keepalive. 2085 */ 2086 void 2087 ipsecesp_send_keepalive(ipsa_t *assoc) 2088 { 2089 mblk_t *mp; 2090 ipha_t *ipha; 2091 udpha_t *udpha; 2092 netstack_t *ns = assoc->ipsa_netstack; 2093 2094 ASSERT(MUTEX_NOT_HELD(&assoc->ipsa_lock)); 2095 2096 mp = allocb(sizeof (ipha_t) + sizeof (udpha_t) + 1, BPRI_HI); 2097 if (mp == NULL) 2098 return; 2099 ipha = (ipha_t *)mp->b_rptr; 2100 ipha->ipha_version_and_hdr_length = IP_SIMPLE_HDR_VERSION; 2101 ipha->ipha_type_of_service = 0; 2102 ipha->ipha_length = htons(sizeof (ipha_t) + sizeof (udpha_t) + 1); 2103 /* Use the low-16 of the SPI so we have some clue where it came from. */ 2104 ipha->ipha_ident = *(((uint16_t *)(&assoc->ipsa_spi)) + 1); 2105 ipha->ipha_fragment_offset_and_flags = 0; /* Too small to fragment! */ 2106 ipha->ipha_ttl = 0xFF; 2107 ipha->ipha_protocol = IPPROTO_UDP; 2108 ipha->ipha_hdr_checksum = 0; 2109 ipha->ipha_src = assoc->ipsa_srcaddr[0]; 2110 ipha->ipha_dst = assoc->ipsa_dstaddr[0]; 2111 udpha = (udpha_t *)(ipha + 1); 2112 udpha->uha_src_port = (assoc->ipsa_local_nat_port != 0) ? 2113 assoc->ipsa_local_nat_port : htons(IPPORT_IKE_NATT); 2114 udpha->uha_dst_port = (assoc->ipsa_remote_nat_port != 0) ? 2115 assoc->ipsa_remote_nat_port : htons(IPPORT_IKE_NATT); 2116 udpha->uha_length = htons(sizeof (udpha_t) + 1); 2117 udpha->uha_checksum = 0; 2118 mp->b_wptr = (uint8_t *)(udpha + 1); 2119 *(mp->b_wptr++) = 0xFF; 2120 2121 esp_prepare_udp(ns, mp, ipha); 2122 2123 /* 2124 * We're holding an isaf_t bucket lock, so pawn off the actual 2125 * packet transmission to another thread. Just in case syncq 2126 * processing causes a same-bucket packet to be processed. 2127 */ 2128 mp->b_prev = (mblk_t *)(uintptr_t)ns->netstack_stackid; 2129 2130 if (taskq_dispatch(esp_taskq, actually_send_keepalive, mp, 2131 TQ_NOSLEEP) == 0) { 2132 /* Assume no memory if taskq_dispatch() fails. */ 2133 mp->b_prev = NULL; 2134 ip_drop_packet(mp, B_FALSE, NULL, 2135 DROPPER(ns->netstack_ipsec, ipds_esp_nomem), 2136 &ns->netstack_ipsecesp->esp_dropper); 2137 } 2138 } 2139 2140 /* 2141 * Returns mp if successfully completed the request. Returns 2142 * NULL if it failed (and increments InDiscards) or if it is pending. 2143 */ 2144 static mblk_t * 2145 esp_submit_req_outbound(mblk_t *data_mp, ip_xmit_attr_t *ixa, ipsa_t *assoc, 2146 uchar_t *icv_buf, uint_t payload_len) 2147 { 2148 uint_t auth_len; 2149 crypto_call_req_t call_req, *callrp; 2150 mblk_t *esp_mp; 2151 esph_t *esph_ptr; 2152 mblk_t *mp; 2153 int kef_rc = CRYPTO_FAILED; 2154 uint_t icv_len = assoc->ipsa_mac_len; 2155 crypto_ctx_template_t auth_ctx_tmpl; 2156 boolean_t do_auth, do_encr, force; 2157 uint_t iv_len = assoc->ipsa_iv_len; 2158 crypto_ctx_template_t encr_ctx_tmpl; 2159 boolean_t is_natt = ((assoc->ipsa_flags & IPSA_F_NATT) != 0); 2160 size_t esph_offset = (is_natt ? UDPH_SIZE : 0); 2161 netstack_t *ns = ixa->ixa_ipst->ips_netstack; 2162 ipsecesp_stack_t *espstack = ns->netstack_ipsecesp; 2163 ipsec_crypto_t *ic, icstack; 2164 uchar_t *iv_ptr; 2165 crypto_data_t *cd_ptr = NULL; 2166 ill_t *ill = ixa->ixa_nce->nce_ill; 2167 ipsec_stack_t *ipss = ns->netstack_ipsec; 2168 2169 esp3dbg(espstack, ("esp_submit_req_outbound:%s", 2170 is_natt ? "natt" : "not natt")); 2171 2172 do_encr = assoc->ipsa_encr_alg != SADB_EALG_NULL; 2173 do_auth = assoc->ipsa_auth_alg != SADB_AALG_NONE; 2174 force = (assoc->ipsa_flags & IPSA_F_ASYNC); 2175 2176 #ifdef IPSEC_LATENCY_TEST 2177 kef_rc = CRYPTO_SUCCESS; 2178 #else 2179 kef_rc = CRYPTO_FAILED; 2180 #endif 2181 2182 /* 2183 * Outbound IPsec packets are of the form: 2184 * [IP,options] -> [ESP,IV] -> [data] -> [pad,ICV] 2185 * unless it's NATT, then it's 2186 * [IP,options] -> [udp][ESP,IV] -> [data] -> [pad,ICV] 2187 * Get a pointer to the mblk containing the ESP header. 2188 */ 2189 ASSERT(data_mp->b_cont != NULL); 2190 esp_mp = data_mp->b_cont; 2191 esph_ptr = (esph_t *)(esp_mp->b_rptr + esph_offset); 2192 iv_ptr = (uchar_t *)(esph_ptr + 1); 2193 2194 /* 2195 * Combined mode algs need a nonce. This is setup in sadb_common_add(). 2196 * If for some reason we are using a SA which does not have a nonce 2197 * then we must fail here. 2198 */ 2199 if ((assoc->ipsa_flags & IPSA_F_COUNTERMODE) && 2200 (assoc->ipsa_nonce == NULL)) { 2201 ip_drop_packet(data_mp, B_FALSE, NULL, 2202 DROPPER(ipss, ipds_esp_nomem), &espstack->esp_dropper); 2203 return (NULL); 2204 } 2205 2206 if (force) { 2207 /* We are doing asynch; allocate mblks to hold state */ 2208 if ((mp = ip_xmit_attr_to_mblk(ixa)) == NULL || 2209 (mp = ipsec_add_crypto_data(mp, &ic)) == NULL) { 2210 BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutDiscards); 2211 ip_drop_output("ipIfStatsOutDiscards", data_mp, ill); 2212 freemsg(data_mp); 2213 return (NULL); 2214 } 2215 2216 linkb(mp, data_mp); 2217 callrp = &call_req; 2218 ESP_INIT_CALLREQ(callrp, mp, esp_kcf_callback_outbound); 2219 } else { 2220 /* 2221 * If we know we are going to do sync then ipsec_crypto_t 2222 * should be on the stack. 2223 */ 2224 ic = &icstack; 2225 bzero(ic, sizeof (*ic)); 2226 callrp = NULL; 2227 } 2228 2229 2230 if (do_auth) { 2231 /* authentication context template */ 2232 IPSEC_CTX_TMPL(assoc, ipsa_authtmpl, IPSEC_ALG_AUTH, 2233 auth_ctx_tmpl); 2234 2235 /* where to store the computed mac */ 2236 ESP_INIT_CRYPTO_MAC(&ic->ic_crypto_mac, 2237 icv_len, icv_buf); 2238 2239 /* authentication starts at the ESP header */ 2240 auth_len = payload_len + iv_len + sizeof (esph_t); 2241 if (!do_encr) { 2242 /* authentication only */ 2243 /* initialize input data argument */ 2244 ESP_INIT_CRYPTO_DATA(&ic->ic_crypto_data, 2245 esp_mp, esph_offset, auth_len); 2246 2247 /* call the crypto framework */ 2248 kef_rc = crypto_mac(&assoc->ipsa_amech, 2249 &ic->ic_crypto_data, 2250 &assoc->ipsa_kcfauthkey, auth_ctx_tmpl, 2251 &ic->ic_crypto_mac, callrp); 2252 } 2253 } 2254 2255 if (do_encr) { 2256 /* encryption context template */ 2257 IPSEC_CTX_TMPL(assoc, ipsa_encrtmpl, IPSEC_ALG_ENCR, 2258 encr_ctx_tmpl); 2259 /* Call the nonce update function. */ 2260 (assoc->ipsa_noncefunc)(assoc, (uchar_t *)esph_ptr, payload_len, 2261 iv_ptr, &ic->ic_cmm, &ic->ic_crypto_data); 2262 2263 if (!do_auth) { 2264 /* encryption only, skip mblk that contains ESP hdr */ 2265 /* initialize input data argument */ 2266 ESP_INIT_CRYPTO_DATA(&ic->ic_crypto_data, 2267 esp_mp->b_cont, 0, payload_len); 2268 2269 /* 2270 * For combined mode ciphers, the ciphertext is the same 2271 * size as the clear text, the ICV should follow the 2272 * ciphertext. To convince the kcf to allow in-line 2273 * encryption, with an ICV, use ipsec_out_crypto_mac 2274 * to point to the same buffer as the data. The calling 2275 * function need to ensure the buffer is large enough to 2276 * include the ICV. 2277 * 2278 * The IV is already written to the packet buffer, the 2279 * nonce setup function copied it to the params struct 2280 * for the cipher to use. 2281 */ 2282 if (assoc->ipsa_flags & IPSA_F_COMBINED) { 2283 bcopy(&ic->ic_crypto_data, 2284 &ic->ic_crypto_mac, 2285 sizeof (crypto_data_t)); 2286 ic->ic_crypto_mac.cd_length = 2287 payload_len + icv_len; 2288 cd_ptr = &ic->ic_crypto_mac; 2289 } 2290 2291 /* call the crypto framework */ 2292 kef_rc = crypto_encrypt((crypto_mechanism_t *) 2293 &ic->ic_cmm, &ic->ic_crypto_data, 2294 &assoc->ipsa_kcfencrkey, encr_ctx_tmpl, 2295 cd_ptr, callrp); 2296 2297 } 2298 } 2299 2300 if (do_auth && do_encr) { 2301 /* 2302 * Encryption and authentication: 2303 * Pass the pointer to the mblk chain starting at the ESP 2304 * header to the framework. Skip the ESP header mblk 2305 * for encryption, which is reflected by an encryption 2306 * offset equal to the length of that mblk. Start 2307 * the authentication at the ESP header, i.e. use an 2308 * authentication offset of zero. 2309 */ 2310 ESP_INIT_CRYPTO_DUAL_DATA(&ic->ic_crypto_dual_data, 2311 esp_mp, MBLKL(esp_mp), payload_len, esph_offset, auth_len); 2312 2313 /* specify IV */ 2314 ic->ic_crypto_dual_data.dd_miscdata = (char *)iv_ptr; 2315 2316 /* call the framework */ 2317 kef_rc = crypto_encrypt_mac(&assoc->ipsa_emech, 2318 &assoc->ipsa_amech, NULL, 2319 &assoc->ipsa_kcfencrkey, &assoc->ipsa_kcfauthkey, 2320 encr_ctx_tmpl, auth_ctx_tmpl, 2321 &ic->ic_crypto_dual_data, 2322 &ic->ic_crypto_mac, callrp); 2323 } 2324 2325 switch (kef_rc) { 2326 case CRYPTO_SUCCESS: 2327 ESP_BUMP_STAT(espstack, crypto_sync); 2328 esp_set_usetime(assoc, B_FALSE); 2329 if (force) { 2330 mp = ipsec_free_crypto_data(mp); 2331 data_mp = ip_xmit_attr_free_mblk(mp); 2332 } 2333 if (is_natt) 2334 esp_prepare_udp(ns, data_mp, (ipha_t *)data_mp->b_rptr); 2335 return (data_mp); 2336 case CRYPTO_QUEUED: 2337 /* esp_kcf_callback_outbound() will be invoked on completion */ 2338 ESP_BUMP_STAT(espstack, crypto_async); 2339 return (NULL); 2340 } 2341 2342 if (force) { 2343 mp = ipsec_free_crypto_data(mp); 2344 data_mp = ip_xmit_attr_free_mblk(mp); 2345 } 2346 BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutDiscards); 2347 esp_crypto_failed(data_mp, B_FALSE, kef_rc, NULL, espstack); 2348 /* data_mp was passed to ip_drop_packet */ 2349 return (NULL); 2350 } 2351 2352 /* 2353 * Handle outbound IPsec processing for IPv4 and IPv6 2354 * 2355 * Returns data_mp if successfully completed the request. Returns 2356 * NULL if it failed (and increments InDiscards) or if it is pending. 2357 */ 2358 static mblk_t * 2359 esp_outbound(mblk_t *data_mp, ip_xmit_attr_t *ixa) 2360 { 2361 mblk_t *espmp, *tailmp; 2362 ipha_t *ipha; 2363 ip6_t *ip6h; 2364 esph_t *esph_ptr, *iv_ptr; 2365 uint_t af; 2366 uint8_t *nhp; 2367 uintptr_t divpoint, datalen, adj, padlen, i, alloclen; 2368 uintptr_t esplen = sizeof (esph_t); 2369 uint8_t protocol; 2370 ipsa_t *assoc; 2371 uint_t iv_len, block_size, mac_len = 0; 2372 uchar_t *icv_buf; 2373 udpha_t *udpha; 2374 boolean_t is_natt = B_FALSE; 2375 netstack_t *ns = ixa->ixa_ipst->ips_netstack; 2376 ipsecesp_stack_t *espstack = ns->netstack_ipsecesp; 2377 ipsec_stack_t *ipss = ns->netstack_ipsec; 2378 ill_t *ill = ixa->ixa_nce->nce_ill; 2379 boolean_t need_refrele = B_FALSE; 2380 2381 ESP_BUMP_STAT(espstack, out_requests); 2382 2383 /* 2384 * <sigh> We have to copy the message here, because TCP (for example) 2385 * keeps a dupb() of the message lying around for retransmission. 2386 * Since ESP changes the whole of the datagram, we have to create our 2387 * own copy lest we clobber TCP's data. Since we have to copy anyway, 2388 * we might as well make use of msgpullup() and get the mblk into one 2389 * contiguous piece! 2390 */ 2391 tailmp = msgpullup(data_mp, -1); 2392 if (tailmp == NULL) { 2393 esp0dbg(("esp_outbound: msgpullup() failed, " 2394 "dropping packet.\n")); 2395 ip_drop_packet(data_mp, B_FALSE, ill, 2396 DROPPER(ipss, ipds_esp_nomem), 2397 &espstack->esp_dropper); 2398 BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutDiscards); 2399 return (NULL); 2400 } 2401 freemsg(data_mp); 2402 data_mp = tailmp; 2403 2404 assoc = ixa->ixa_ipsec_esp_sa; 2405 ASSERT(assoc != NULL); 2406 2407 /* 2408 * Get the outer IP header in shape to escape this system.. 2409 */ 2410 if (is_system_labeled() && (assoc->ipsa_otsl != NULL)) { 2411 /* 2412 * Need to update packet with any CIPSO option and update 2413 * ixa_tsl to capture the new label. 2414 * We allocate a separate ixa for that purpose. 2415 */ 2416 ixa = ip_xmit_attr_duplicate(ixa); 2417 if (ixa == NULL) { 2418 ip_drop_packet(data_mp, B_FALSE, ill, 2419 DROPPER(ipss, ipds_esp_nomem), 2420 &espstack->esp_dropper); 2421 return (NULL); 2422 } 2423 need_refrele = B_TRUE; 2424 2425 label_hold(assoc->ipsa_otsl); 2426 ip_xmit_attr_replace_tsl(ixa, assoc->ipsa_otsl); 2427 2428 data_mp = sadb_whack_label(data_mp, assoc, ixa, 2429 DROPPER(ipss, ipds_esp_nomem), &espstack->esp_dropper); 2430 if (data_mp == NULL) { 2431 /* Packet dropped by sadb_whack_label */ 2432 ixa_refrele(ixa); 2433 return (NULL); 2434 } 2435 } 2436 2437 /* 2438 * Reality check.... 2439 */ 2440 ipha = (ipha_t *)data_mp->b_rptr; /* So we can call esp_acquire(). */ 2441 2442 if (ixa->ixa_flags & IXAF_IS_IPV4) { 2443 ASSERT(IPH_HDR_VERSION(ipha) == IPV4_VERSION); 2444 2445 af = AF_INET; 2446 divpoint = IPH_HDR_LENGTH(ipha); 2447 datalen = ntohs(ipha->ipha_length) - divpoint; 2448 nhp = (uint8_t *)&ipha->ipha_protocol; 2449 } else { 2450 ip_pkt_t ipp; 2451 2452 ASSERT(IPH_HDR_VERSION(ipha) == IPV6_VERSION); 2453 2454 af = AF_INET6; 2455 ip6h = (ip6_t *)ipha; 2456 bzero(&ipp, sizeof (ipp)); 2457 divpoint = ip_find_hdr_v6(data_mp, ip6h, B_FALSE, &ipp, NULL); 2458 if (ipp.ipp_dstopts != NULL && 2459 ipp.ipp_dstopts->ip6d_nxt != IPPROTO_ROUTING) { 2460 /* 2461 * Destination options are tricky. If we get in here, 2462 * then we have a terminal header following the 2463 * destination options. We need to adjust backwards 2464 * so we insert ESP BEFORE the destination options 2465 * bag. (So that the dstopts get encrypted!) 2466 * 2467 * Since this is for outbound packets only, we know 2468 * that non-terminal destination options only precede 2469 * routing headers. 2470 */ 2471 divpoint -= ipp.ipp_dstoptslen; 2472 } 2473 datalen = ntohs(ip6h->ip6_plen) + sizeof (ip6_t) - divpoint; 2474 2475 if (ipp.ipp_rthdr != NULL) { 2476 nhp = &ipp.ipp_rthdr->ip6r_nxt; 2477 } else if (ipp.ipp_hopopts != NULL) { 2478 nhp = &ipp.ipp_hopopts->ip6h_nxt; 2479 } else { 2480 ASSERT(divpoint == sizeof (ip6_t)); 2481 /* It's probably IP + ESP. */ 2482 nhp = &ip6h->ip6_nxt; 2483 } 2484 } 2485 2486 mac_len = assoc->ipsa_mac_len; 2487 2488 if (assoc->ipsa_flags & IPSA_F_NATT) { 2489 /* wedge in UDP header */ 2490 is_natt = B_TRUE; 2491 esplen += UDPH_SIZE; 2492 } 2493 2494 /* 2495 * Set up ESP header and encryption padding for ENCR PI request. 2496 */ 2497 2498 /* Determine the padding length. Pad to 4-bytes for no-encryption. */ 2499 if (assoc->ipsa_encr_alg != SADB_EALG_NULL) { 2500 iv_len = assoc->ipsa_iv_len; 2501 block_size = assoc->ipsa_datalen; 2502 2503 /* 2504 * Pad the data to the length of the cipher block size. 2505 * Include the two additional bytes (hence the - 2) for the 2506 * padding length and the next header. Take this into account 2507 * when calculating the actual length of the padding. 2508 */ 2509 ASSERT(ISP2(iv_len)); 2510 padlen = ((unsigned)(block_size - datalen - 2)) & 2511 (block_size - 1); 2512 } else { 2513 iv_len = 0; 2514 padlen = ((unsigned)(sizeof (uint32_t) - datalen - 2)) & 2515 (sizeof (uint32_t) - 1); 2516 } 2517 2518 /* Allocate ESP header and IV. */ 2519 esplen += iv_len; 2520 2521 /* 2522 * Update association byte-count lifetimes. Don't forget to take 2523 * into account the padding length and next-header (hence the + 2). 2524 * 2525 * Use the amount of data fed into the "encryption algorithm". This 2526 * is the IV, the data length, the padding length, and the final two 2527 * bytes (padlen, and next-header). 2528 * 2529 */ 2530 2531 if (!esp_age_bytes(assoc, datalen + padlen + iv_len + 2, B_FALSE)) { 2532 ip_drop_packet(data_mp, B_FALSE, ill, 2533 DROPPER(ipss, ipds_esp_bytes_expire), 2534 &espstack->esp_dropper); 2535 BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutDiscards); 2536 if (need_refrele) 2537 ixa_refrele(ixa); 2538 return (NULL); 2539 } 2540 2541 espmp = allocb(esplen, BPRI_HI); 2542 if (espmp == NULL) { 2543 ESP_BUMP_STAT(espstack, out_discards); 2544 esp1dbg(espstack, ("esp_outbound: can't allocate espmp.\n")); 2545 ip_drop_packet(data_mp, B_FALSE, ill, 2546 DROPPER(ipss, ipds_esp_nomem), 2547 &espstack->esp_dropper); 2548 BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutDiscards); 2549 if (need_refrele) 2550 ixa_refrele(ixa); 2551 return (NULL); 2552 } 2553 espmp->b_wptr += esplen; 2554 esph_ptr = (esph_t *)espmp->b_rptr; 2555 2556 if (is_natt) { 2557 esp3dbg(espstack, ("esp_outbound: NATT")); 2558 2559 udpha = (udpha_t *)espmp->b_rptr; 2560 udpha->uha_src_port = (assoc->ipsa_local_nat_port != 0) ? 2561 assoc->ipsa_local_nat_port : htons(IPPORT_IKE_NATT); 2562 udpha->uha_dst_port = (assoc->ipsa_remote_nat_port != 0) ? 2563 assoc->ipsa_remote_nat_port : htons(IPPORT_IKE_NATT); 2564 /* 2565 * Set the checksum to 0, so that the esp_prepare_udp() call 2566 * can do the right thing. 2567 */ 2568 udpha->uha_checksum = 0; 2569 esph_ptr = (esph_t *)(udpha + 1); 2570 } 2571 2572 esph_ptr->esph_spi = assoc->ipsa_spi; 2573 2574 esph_ptr->esph_replay = htonl(atomic_inc_32_nv(&assoc->ipsa_replay)); 2575 if (esph_ptr->esph_replay == 0 && assoc->ipsa_replay_wsize != 0) { 2576 /* 2577 * XXX We have replay counter wrapping. 2578 * We probably want to nuke this SA (and its peer). 2579 */ 2580 ipsec_assocfailure(info.mi_idnum, 0, 0, 2581 SL_ERROR | SL_CONSOLE | SL_WARN, 2582 "Outbound ESP SA (0x%x, %s) has wrapped sequence.\n", 2583 esph_ptr->esph_spi, assoc->ipsa_dstaddr, af, 2584 espstack->ipsecesp_netstack); 2585 2586 ESP_BUMP_STAT(espstack, out_discards); 2587 sadb_replay_delete(assoc); 2588 ip_drop_packet(data_mp, B_FALSE, ill, 2589 DROPPER(ipss, ipds_esp_replay), 2590 &espstack->esp_dropper); 2591 BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutDiscards); 2592 if (need_refrele) 2593 ixa_refrele(ixa); 2594 return (NULL); 2595 } 2596 2597 iv_ptr = (esph_ptr + 1); 2598 /* 2599 * iv_ptr points to the mblk which will contain the IV once we have 2600 * written it there. This mblk will be part of a mblk chain that 2601 * will make up the packet. 2602 * 2603 * For counter mode algorithms, the IV is a 64 bit quantity, it 2604 * must NEVER repeat in the lifetime of the SA, otherwise an 2605 * attacker who had recorded enough packets might be able to 2606 * determine some clear text. 2607 * 2608 * To ensure this does not happen, the IV is stored in the SA and 2609 * incremented for each packet, the IV is then copied into the 2610 * "packet" for transmission to the receiving system. The IV will 2611 * also be copied into the nonce, when the packet is encrypted. 2612 * 2613 * CBC mode algorithms use a random IV for each packet. We do not 2614 * require the highest quality random bits, but for best security 2615 * with CBC mode ciphers, the value must be unlikely to repeat and 2616 * must not be known in advance to an adversary capable of influencing 2617 * the clear text. 2618 */ 2619 if (!update_iv((uint8_t *)iv_ptr, espstack->esp_pfkey_q, assoc, 2620 espstack)) { 2621 ip_drop_packet(data_mp, B_FALSE, ill, 2622 DROPPER(ipss, ipds_esp_iv_wrap), &espstack->esp_dropper); 2623 if (need_refrele) 2624 ixa_refrele(ixa); 2625 return (NULL); 2626 } 2627 2628 /* Fix the IP header. */ 2629 alloclen = padlen + 2 + mac_len; 2630 adj = alloclen + (espmp->b_wptr - espmp->b_rptr); 2631 2632 protocol = *nhp; 2633 2634 if (ixa->ixa_flags & IXAF_IS_IPV4) { 2635 ipha->ipha_length = htons(ntohs(ipha->ipha_length) + adj); 2636 if (is_natt) { 2637 *nhp = IPPROTO_UDP; 2638 udpha->uha_length = htons(ntohs(ipha->ipha_length) - 2639 IPH_HDR_LENGTH(ipha)); 2640 } else { 2641 *nhp = IPPROTO_ESP; 2642 } 2643 ipha->ipha_hdr_checksum = 0; 2644 ipha->ipha_hdr_checksum = (uint16_t)ip_csum_hdr(ipha); 2645 } else { 2646 ip6h->ip6_plen = htons(ntohs(ip6h->ip6_plen) + adj); 2647 *nhp = IPPROTO_ESP; 2648 } 2649 2650 /* I've got the two ESP mblks, now insert them. */ 2651 2652 esp2dbg(espstack, ("data_mp before outbound ESP adjustment:\n")); 2653 esp2dbg(espstack, (dump_msg(data_mp))); 2654 2655 if (!esp_insert_esp(data_mp, espmp, divpoint, espstack)) { 2656 ESP_BUMP_STAT(espstack, out_discards); 2657 /* NOTE: esp_insert_esp() only fails if there's no memory. */ 2658 ip_drop_packet(data_mp, B_FALSE, ill, 2659 DROPPER(ipss, ipds_esp_nomem), 2660 &espstack->esp_dropper); 2661 freeb(espmp); 2662 BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutDiscards); 2663 if (need_refrele) 2664 ixa_refrele(ixa); 2665 return (NULL); 2666 } 2667 2668 /* Append padding (and leave room for ICV). */ 2669 for (tailmp = data_mp; tailmp->b_cont != NULL; tailmp = tailmp->b_cont) 2670 ; 2671 if (tailmp->b_wptr + alloclen > tailmp->b_datap->db_lim) { 2672 tailmp->b_cont = allocb(alloclen, BPRI_HI); 2673 if (tailmp->b_cont == NULL) { 2674 ESP_BUMP_STAT(espstack, out_discards); 2675 esp0dbg(("esp_outbound: Can't allocate tailmp.\n")); 2676 ip_drop_packet(data_mp, B_FALSE, ill, 2677 DROPPER(ipss, ipds_esp_nomem), 2678 &espstack->esp_dropper); 2679 BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutDiscards); 2680 if (need_refrele) 2681 ixa_refrele(ixa); 2682 return (NULL); 2683 } 2684 tailmp = tailmp->b_cont; 2685 } 2686 2687 /* 2688 * If there's padding, N bytes of padding must be of the form 0x1, 2689 * 0x2, 0x3... 0xN. 2690 */ 2691 for (i = 0; i < padlen; ) { 2692 i++; 2693 *tailmp->b_wptr++ = i; 2694 } 2695 *tailmp->b_wptr++ = i; 2696 *tailmp->b_wptr++ = protocol; 2697 2698 esp2dbg(espstack, ("data_Mp before encryption:\n")); 2699 esp2dbg(espstack, (dump_msg(data_mp))); 2700 2701 /* 2702 * Okay. I've set up the pre-encryption ESP. Let's do it! 2703 */ 2704 2705 if (mac_len > 0) { 2706 ASSERT(tailmp->b_wptr + mac_len <= tailmp->b_datap->db_lim); 2707 icv_buf = tailmp->b_wptr; 2708 tailmp->b_wptr += mac_len; 2709 } else { 2710 icv_buf = NULL; 2711 } 2712 2713 data_mp = esp_submit_req_outbound(data_mp, ixa, assoc, icv_buf, 2714 datalen + padlen + 2); 2715 if (need_refrele) 2716 ixa_refrele(ixa); 2717 return (data_mp); 2718 } 2719 2720 /* 2721 * IP calls this to validate the ICMP errors that 2722 * we got from the network. 2723 */ 2724 mblk_t * 2725 ipsecesp_icmp_error(mblk_t *data_mp, ip_recv_attr_t *ira) 2726 { 2727 netstack_t *ns = ira->ira_ill->ill_ipst->ips_netstack; 2728 ipsecesp_stack_t *espstack = ns->netstack_ipsecesp; 2729 ipsec_stack_t *ipss = ns->netstack_ipsec; 2730 2731 /* 2732 * Unless we get an entire packet back, this function is useless. 2733 * Why? 2734 * 2735 * 1.) Partial packets are useless, because the "next header" 2736 * is at the end of the decrypted ESP packet. Without the 2737 * whole packet, this is useless. 2738 * 2739 * 2.) If we every use a stateful cipher, such as a stream or a 2740 * one-time pad, we can't do anything. 2741 * 2742 * Since the chances of us getting an entire packet back are very 2743 * very small, we discard here. 2744 */ 2745 IP_ESP_BUMP_STAT(ipss, in_discards); 2746 ip_drop_packet(data_mp, B_TRUE, ira->ira_ill, 2747 DROPPER(ipss, ipds_esp_icmp), 2748 &espstack->esp_dropper); 2749 return (NULL); 2750 } 2751 2752 /* 2753 * Construct an SADB_REGISTER message with the current algorithms. 2754 * This function gets called when 'ipsecalgs -s' is run or when 2755 * in.iked (or other KMD) starts. 2756 */ 2757 static boolean_t 2758 esp_register_out(uint32_t sequence, uint32_t pid, uint_t serial, 2759 ipsecesp_stack_t *espstack, cred_t *cr) 2760 { 2761 mblk_t *pfkey_msg_mp, *keysock_out_mp; 2762 sadb_msg_t *samsg; 2763 sadb_supported_t *sasupp_auth = NULL; 2764 sadb_supported_t *sasupp_encr = NULL; 2765 sadb_alg_t *saalg; 2766 uint_t allocsize = sizeof (*samsg); 2767 uint_t i, numalgs_snap; 2768 int current_aalgs; 2769 ipsec_alginfo_t **authalgs; 2770 uint_t num_aalgs; 2771 int current_ealgs; 2772 ipsec_alginfo_t **encralgs; 2773 uint_t num_ealgs; 2774 ipsec_stack_t *ipss = espstack->ipsecesp_netstack->netstack_ipsec; 2775 sadb_sens_t *sens; 2776 size_t sens_len = 0; 2777 sadb_ext_t *nextext; 2778 ts_label_t *sens_tsl = NULL; 2779 2780 /* Allocate the KEYSOCK_OUT. */ 2781 keysock_out_mp = sadb_keysock_out(serial); 2782 if (keysock_out_mp == NULL) { 2783 esp0dbg(("esp_register_out: couldn't allocate mblk.\n")); 2784 return (B_FALSE); 2785 } 2786 2787 if (is_system_labeled() && (cr != NULL)) { 2788 sens_tsl = crgetlabel(cr); 2789 if (sens_tsl != NULL) { 2790 sens_len = sadb_sens_len_from_label(sens_tsl); 2791 allocsize += sens_len; 2792 } 2793 } 2794 2795 /* 2796 * Allocate the PF_KEY message that follows KEYSOCK_OUT. 2797 */ 2798 2799 rw_enter(&ipss->ipsec_alg_lock, RW_READER); 2800 /* 2801 * Fill SADB_REGISTER message's algorithm descriptors. Hold 2802 * down the lock while filling it. 2803 * 2804 * Return only valid algorithms, so the number of algorithms 2805 * to send up may be less than the number of algorithm entries 2806 * in the table. 2807 */ 2808 authalgs = ipss->ipsec_alglists[IPSEC_ALG_AUTH]; 2809 for (num_aalgs = 0, i = 0; i < IPSEC_MAX_ALGS; i++) 2810 if (authalgs[i] != NULL && ALG_VALID(authalgs[i])) 2811 num_aalgs++; 2812 2813 if (num_aalgs != 0) { 2814 allocsize += (num_aalgs * sizeof (*saalg)); 2815 allocsize += sizeof (*sasupp_auth); 2816 } 2817 encralgs = ipss->ipsec_alglists[IPSEC_ALG_ENCR]; 2818 for (num_ealgs = 0, i = 0; i < IPSEC_MAX_ALGS; i++) 2819 if (encralgs[i] != NULL && ALG_VALID(encralgs[i])) 2820 num_ealgs++; 2821 2822 if (num_ealgs != 0) { 2823 allocsize += (num_ealgs * sizeof (*saalg)); 2824 allocsize += sizeof (*sasupp_encr); 2825 } 2826 keysock_out_mp->b_cont = allocb(allocsize, BPRI_HI); 2827 if (keysock_out_mp->b_cont == NULL) { 2828 rw_exit(&ipss->ipsec_alg_lock); 2829 freemsg(keysock_out_mp); 2830 return (B_FALSE); 2831 } 2832 pfkey_msg_mp = keysock_out_mp->b_cont; 2833 pfkey_msg_mp->b_wptr += allocsize; 2834 2835 nextext = (sadb_ext_t *)(pfkey_msg_mp->b_rptr + sizeof (*samsg)); 2836 2837 if (num_aalgs != 0) { 2838 sasupp_auth = (sadb_supported_t *)nextext; 2839 saalg = (sadb_alg_t *)(sasupp_auth + 1); 2840 2841 ASSERT(((ulong_t)saalg & 0x7) == 0); 2842 2843 numalgs_snap = 0; 2844 for (i = 0; 2845 ((i < IPSEC_MAX_ALGS) && (numalgs_snap < num_aalgs)); 2846 i++) { 2847 if (authalgs[i] == NULL || !ALG_VALID(authalgs[i])) 2848 continue; 2849 2850 saalg->sadb_alg_id = authalgs[i]->alg_id; 2851 saalg->sadb_alg_ivlen = 0; 2852 saalg->sadb_alg_minbits = authalgs[i]->alg_ef_minbits; 2853 saalg->sadb_alg_maxbits = authalgs[i]->alg_ef_maxbits; 2854 saalg->sadb_x_alg_increment = 2855 authalgs[i]->alg_increment; 2856 saalg->sadb_x_alg_saltbits = SADB_8TO1( 2857 authalgs[i]->alg_saltlen); 2858 numalgs_snap++; 2859 saalg++; 2860 } 2861 ASSERT(numalgs_snap == num_aalgs); 2862 #ifdef DEBUG 2863 /* 2864 * Reality check to make sure I snagged all of the 2865 * algorithms. 2866 */ 2867 for (; i < IPSEC_MAX_ALGS; i++) { 2868 if (authalgs[i] != NULL && ALG_VALID(authalgs[i])) { 2869 cmn_err(CE_PANIC, "esp_register_out()! " 2870 "Missed aalg #%d.\n", i); 2871 } 2872 } 2873 #endif /* DEBUG */ 2874 nextext = (sadb_ext_t *)saalg; 2875 } 2876 2877 if (num_ealgs != 0) { 2878 sasupp_encr = (sadb_supported_t *)nextext; 2879 saalg = (sadb_alg_t *)(sasupp_encr + 1); 2880 2881 numalgs_snap = 0; 2882 for (i = 0; 2883 ((i < IPSEC_MAX_ALGS) && (numalgs_snap < num_ealgs)); i++) { 2884 if (encralgs[i] == NULL || !ALG_VALID(encralgs[i])) 2885 continue; 2886 saalg->sadb_alg_id = encralgs[i]->alg_id; 2887 saalg->sadb_alg_ivlen = encralgs[i]->alg_ivlen; 2888 saalg->sadb_alg_minbits = encralgs[i]->alg_ef_minbits; 2889 saalg->sadb_alg_maxbits = encralgs[i]->alg_ef_maxbits; 2890 /* 2891 * We could advertise the ICV length, except there 2892 * is not a value in sadb_x_algb to do this. 2893 * saalg->sadb_alg_maclen = encralgs[i]->alg_maclen; 2894 */ 2895 saalg->sadb_x_alg_increment = 2896 encralgs[i]->alg_increment; 2897 saalg->sadb_x_alg_saltbits = 2898 SADB_8TO1(encralgs[i]->alg_saltlen); 2899 2900 numalgs_snap++; 2901 saalg++; 2902 } 2903 ASSERT(numalgs_snap == num_ealgs); 2904 #ifdef DEBUG 2905 /* 2906 * Reality check to make sure I snagged all of the 2907 * algorithms. 2908 */ 2909 for (; i < IPSEC_MAX_ALGS; i++) { 2910 if (encralgs[i] != NULL && ALG_VALID(encralgs[i])) { 2911 cmn_err(CE_PANIC, "esp_register_out()! " 2912 "Missed ealg #%d.\n", i); 2913 } 2914 } 2915 #endif /* DEBUG */ 2916 nextext = (sadb_ext_t *)saalg; 2917 } 2918 2919 current_aalgs = num_aalgs; 2920 current_ealgs = num_ealgs; 2921 2922 rw_exit(&ipss->ipsec_alg_lock); 2923 2924 if (sens_tsl != NULL) { 2925 sens = (sadb_sens_t *)nextext; 2926 sadb_sens_from_label(sens, SADB_EXT_SENSITIVITY, 2927 sens_tsl, sens_len); 2928 2929 nextext = (sadb_ext_t *)(((uint8_t *)sens) + sens_len); 2930 } 2931 2932 /* Now fill the rest of the SADB_REGISTER message. */ 2933 2934 samsg = (sadb_msg_t *)pfkey_msg_mp->b_rptr; 2935 samsg->sadb_msg_version = PF_KEY_V2; 2936 samsg->sadb_msg_type = SADB_REGISTER; 2937 samsg->sadb_msg_errno = 0; 2938 samsg->sadb_msg_satype = SADB_SATYPE_ESP; 2939 samsg->sadb_msg_len = SADB_8TO64(allocsize); 2940 samsg->sadb_msg_reserved = 0; 2941 /* 2942 * Assume caller has sufficient sequence/pid number info. If it's one 2943 * from me over a new alg., I could give two hoots about sequence. 2944 */ 2945 samsg->sadb_msg_seq = sequence; 2946 samsg->sadb_msg_pid = pid; 2947 2948 if (sasupp_auth != NULL) { 2949 sasupp_auth->sadb_supported_len = SADB_8TO64( 2950 sizeof (*sasupp_auth) + sizeof (*saalg) * current_aalgs); 2951 sasupp_auth->sadb_supported_exttype = SADB_EXT_SUPPORTED_AUTH; 2952 sasupp_auth->sadb_supported_reserved = 0; 2953 } 2954 2955 if (sasupp_encr != NULL) { 2956 sasupp_encr->sadb_supported_len = SADB_8TO64( 2957 sizeof (*sasupp_encr) + sizeof (*saalg) * current_ealgs); 2958 sasupp_encr->sadb_supported_exttype = 2959 SADB_EXT_SUPPORTED_ENCRYPT; 2960 sasupp_encr->sadb_supported_reserved = 0; 2961 } 2962 2963 if (espstack->esp_pfkey_q != NULL) 2964 putnext(espstack->esp_pfkey_q, keysock_out_mp); 2965 else { 2966 freemsg(keysock_out_mp); 2967 return (B_FALSE); 2968 } 2969 2970 return (B_TRUE); 2971 } 2972 2973 /* 2974 * Invoked when the algorithm table changes. Causes SADB_REGISTER 2975 * messages continaining the current list of algorithms to be 2976 * sent up to the ESP listeners. 2977 */ 2978 void 2979 ipsecesp_algs_changed(netstack_t *ns) 2980 { 2981 ipsecesp_stack_t *espstack = ns->netstack_ipsecesp; 2982 2983 /* 2984 * Time to send a PF_KEY SADB_REGISTER message to ESP listeners 2985 * everywhere. (The function itself checks for NULL esp_pfkey_q.) 2986 */ 2987 (void) esp_register_out(0, 0, 0, espstack, NULL); 2988 } 2989 2990 /* 2991 * Stub function that taskq_dispatch() invokes to take the mblk (in arg) 2992 * and send() it into ESP and IP again. 2993 */ 2994 static void 2995 inbound_task(void *arg) 2996 { 2997 mblk_t *mp = (mblk_t *)arg; 2998 mblk_t *async_mp; 2999 ip_recv_attr_t iras; 3000 3001 async_mp = mp; 3002 mp = async_mp->b_cont; 3003 async_mp->b_cont = NULL; 3004 if (!ip_recv_attr_from_mblk(async_mp, &iras)) { 3005 /* The ill or ip_stack_t disappeared on us */ 3006 ip_drop_input("ip_recv_attr_from_mblk", mp, NULL); 3007 freemsg(mp); 3008 goto done; 3009 } 3010 3011 esp_inbound_restart(mp, &iras); 3012 done: 3013 ira_cleanup(&iras, B_TRUE); 3014 } 3015 3016 /* 3017 * Restart ESP after the SA has been added. 3018 */ 3019 static void 3020 esp_inbound_restart(mblk_t *mp, ip_recv_attr_t *ira) 3021 { 3022 esph_t *esph; 3023 netstack_t *ns = ira->ira_ill->ill_ipst->ips_netstack; 3024 ipsecesp_stack_t *espstack = ns->netstack_ipsecesp; 3025 3026 esp2dbg(espstack, ("in ESP inbound_task")); 3027 ASSERT(espstack != NULL); 3028 3029 mp = ipsec_inbound_esp_sa(mp, ira, &esph); 3030 if (mp == NULL) 3031 return; 3032 3033 ASSERT(esph != NULL); 3034 ASSERT(ira->ira_flags & IRAF_IPSEC_SECURE); 3035 ASSERT(ira->ira_ipsec_esp_sa != NULL); 3036 3037 mp = ira->ira_ipsec_esp_sa->ipsa_input_func(mp, esph, ira); 3038 if (mp == NULL) { 3039 /* 3040 * Either it failed or is pending. In the former case 3041 * ipIfStatsInDiscards was increased. 3042 */ 3043 return; 3044 } 3045 3046 ip_input_post_ipsec(mp, ira); 3047 } 3048 3049 /* 3050 * Now that weak-key passed, actually ADD the security association, and 3051 * send back a reply ADD message. 3052 */ 3053 static int 3054 esp_add_sa_finish(mblk_t *mp, sadb_msg_t *samsg, keysock_in_t *ksi, 3055 int *diagnostic, ipsecesp_stack_t *espstack) 3056 { 3057 isaf_t *primary = NULL, *secondary; 3058 boolean_t clone = B_FALSE, is_inbound = B_FALSE; 3059 ipsa_t *larval = NULL; 3060 ipsacq_t *acqrec; 3061 iacqf_t *acq_bucket; 3062 mblk_t *acq_msgs = NULL; 3063 int rc; 3064 mblk_t *lpkt; 3065 int error; 3066 ipsa_query_t sq; 3067 ipsec_stack_t *ipss = espstack->ipsecesp_netstack->netstack_ipsec; 3068 3069 /* 3070 * Locate the appropriate table(s). 3071 */ 3072 sq.spp = &espstack->esp_sadb; /* XXX */ 3073 error = sadb_form_query(ksi, IPSA_Q_SA|IPSA_Q_DST, 3074 IPSA_Q_SA|IPSA_Q_DST|IPSA_Q_INBOUND|IPSA_Q_OUTBOUND, 3075 &sq, diagnostic); 3076 if (error) 3077 return (error); 3078 3079 /* 3080 * Use the direction flags provided by the KMD to determine 3081 * if the inbound or outbound table should be the primary 3082 * for this SA. If these flags were absent then make this 3083 * decision based on the addresses. 3084 */ 3085 if (sq.assoc->sadb_sa_flags & IPSA_F_INBOUND) { 3086 primary = sq.inbound; 3087 secondary = sq.outbound; 3088 is_inbound = B_TRUE; 3089 if (sq.assoc->sadb_sa_flags & IPSA_F_OUTBOUND) 3090 clone = B_TRUE; 3091 } else if (sq.assoc->sadb_sa_flags & IPSA_F_OUTBOUND) { 3092 primary = sq.outbound; 3093 secondary = sq.inbound; 3094 } 3095 3096 if (primary == NULL) { 3097 /* 3098 * The KMD did not set a direction flag, determine which 3099 * table to insert the SA into based on addresses. 3100 */ 3101 switch (ksi->ks_in_dsttype) { 3102 case KS_IN_ADDR_MBCAST: 3103 clone = B_TRUE; /* All mcast SAs can be bidirectional */ 3104 sq.assoc->sadb_sa_flags |= IPSA_F_OUTBOUND; 3105 /* FALLTHRU */ 3106 /* 3107 * If the source address is either one of mine, or unspecified 3108 * (which is best summed up by saying "not 'not mine'"), 3109 * then the association is potentially bi-directional, 3110 * in that it can be used for inbound traffic and outbound 3111 * traffic. The best example of such an SA is a multicast 3112 * SA (which allows me to receive the outbound traffic). 3113 */ 3114 case KS_IN_ADDR_ME: 3115 sq.assoc->sadb_sa_flags |= IPSA_F_INBOUND; 3116 primary = sq.inbound; 3117 secondary = sq.outbound; 3118 if (ksi->ks_in_srctype != KS_IN_ADDR_NOTME) 3119 clone = B_TRUE; 3120 is_inbound = B_TRUE; 3121 break; 3122 /* 3123 * If the source address literally not mine (either 3124 * unspecified or not mine), then this SA may have an 3125 * address that WILL be mine after some configuration. 3126 * We pay the price for this by making it a bi-directional 3127 * SA. 3128 */ 3129 case KS_IN_ADDR_NOTME: 3130 sq.assoc->sadb_sa_flags |= IPSA_F_OUTBOUND; 3131 primary = sq.outbound; 3132 secondary = sq.inbound; 3133 if (ksi->ks_in_srctype != KS_IN_ADDR_ME) { 3134 sq.assoc->sadb_sa_flags |= IPSA_F_INBOUND; 3135 clone = B_TRUE; 3136 } 3137 break; 3138 default: 3139 *diagnostic = SADB_X_DIAGNOSTIC_BAD_DST; 3140 return (EINVAL); 3141 } 3142 } 3143 3144 /* 3145 * Find a ACQUIRE list entry if possible. If we've added an SA that 3146 * suits the needs of an ACQUIRE list entry, we can eliminate the 3147 * ACQUIRE list entry and transmit the enqueued packets. Use the 3148 * high-bit of the sequence number to queue it. Key off destination 3149 * addr, and change acqrec's state. 3150 */ 3151 3152 if (samsg->sadb_msg_seq & IACQF_LOWEST_SEQ) { 3153 acq_bucket = &(sq.sp->sdb_acq[sq.outhash]); 3154 mutex_enter(&acq_bucket->iacqf_lock); 3155 for (acqrec = acq_bucket->iacqf_ipsacq; acqrec != NULL; 3156 acqrec = acqrec->ipsacq_next) { 3157 mutex_enter(&acqrec->ipsacq_lock); 3158 /* 3159 * Q: I only check sequence. Should I check dst? 3160 * A: Yes, check dest because those are the packets 3161 * that are queued up. 3162 */ 3163 if (acqrec->ipsacq_seq == samsg->sadb_msg_seq && 3164 IPSA_ARE_ADDR_EQUAL(sq.dstaddr, 3165 acqrec->ipsacq_dstaddr, acqrec->ipsacq_addrfam)) 3166 break; 3167 mutex_exit(&acqrec->ipsacq_lock); 3168 } 3169 if (acqrec != NULL) { 3170 /* 3171 * AHA! I found an ACQUIRE record for this SA. 3172 * Grab the msg list, and free the acquire record. 3173 * I already am holding the lock for this record, 3174 * so all I have to do is free it. 3175 */ 3176 acq_msgs = acqrec->ipsacq_mp; 3177 acqrec->ipsacq_mp = NULL; 3178 mutex_exit(&acqrec->ipsacq_lock); 3179 sadb_destroy_acquire(acqrec, 3180 espstack->ipsecesp_netstack); 3181 } 3182 mutex_exit(&acq_bucket->iacqf_lock); 3183 } 3184 3185 /* 3186 * Find PF_KEY message, and see if I'm an update. If so, find entry 3187 * in larval list (if there). 3188 */ 3189 if (samsg->sadb_msg_type == SADB_UPDATE) { 3190 mutex_enter(&sq.inbound->isaf_lock); 3191 larval = ipsec_getassocbyspi(sq.inbound, sq.assoc->sadb_sa_spi, 3192 ALL_ZEROES_PTR, sq.dstaddr, sq.dst->sin_family); 3193 mutex_exit(&sq.inbound->isaf_lock); 3194 3195 if ((larval == NULL) || 3196 (larval->ipsa_state != IPSA_STATE_LARVAL)) { 3197 *diagnostic = SADB_X_DIAGNOSTIC_SA_NOTFOUND; 3198 if (larval != NULL) { 3199 IPSA_REFRELE(larval); 3200 } 3201 esp0dbg(("Larval update, but larval disappeared.\n")); 3202 return (ESRCH); 3203 } /* Else sadb_common_add unlinks it for me! */ 3204 } 3205 3206 if (larval != NULL) { 3207 /* 3208 * Hold again, because sadb_common_add() consumes a reference, 3209 * and we don't want to clear_lpkt() without a reference. 3210 */ 3211 IPSA_REFHOLD(larval); 3212 } 3213 3214 rc = sadb_common_add(espstack->esp_pfkey_q, 3215 mp, samsg, ksi, primary, secondary, larval, clone, is_inbound, 3216 diagnostic, espstack->ipsecesp_netstack, &espstack->esp_sadb); 3217 3218 if (larval != NULL) { 3219 if (rc == 0) { 3220 lpkt = sadb_clear_lpkt(larval); 3221 if (lpkt != NULL) { 3222 rc = !taskq_dispatch(esp_taskq, inbound_task, 3223 lpkt, TQ_NOSLEEP); 3224 } 3225 } 3226 IPSA_REFRELE(larval); 3227 } 3228 3229 /* 3230 * How much more stack will I create with all of these 3231 * esp_outbound() calls? 3232 */ 3233 3234 /* Handle the packets queued waiting for the SA */ 3235 while (acq_msgs != NULL) { 3236 mblk_t *asyncmp; 3237 mblk_t *data_mp; 3238 ip_xmit_attr_t ixas; 3239 ill_t *ill; 3240 3241 asyncmp = acq_msgs; 3242 acq_msgs = acq_msgs->b_next; 3243 asyncmp->b_next = NULL; 3244 3245 /* 3246 * Extract the ip_xmit_attr_t from the first mblk. 3247 * Verifies that the netstack and ill is still around; could 3248 * have vanished while iked was doing its work. 3249 * On succesful return we have a nce_t and the ill/ipst can't 3250 * disappear until we do the nce_refrele in ixa_cleanup. 3251 */ 3252 data_mp = asyncmp->b_cont; 3253 asyncmp->b_cont = NULL; 3254 if (!ip_xmit_attr_from_mblk(asyncmp, &ixas)) { 3255 ESP_BUMP_STAT(espstack, out_discards); 3256 ip_drop_packet(data_mp, B_FALSE, NULL, 3257 DROPPER(ipss, ipds_sadb_acquire_timeout), 3258 &espstack->esp_dropper); 3259 } else if (rc != 0) { 3260 ill = ixas.ixa_nce->nce_ill; 3261 ESP_BUMP_STAT(espstack, out_discards); 3262 ip_drop_packet(data_mp, B_FALSE, ill, 3263 DROPPER(ipss, ipds_sadb_acquire_timeout), 3264 &espstack->esp_dropper); 3265 BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutDiscards); 3266 } else { 3267 esp_outbound_finish(data_mp, &ixas); 3268 } 3269 ixa_cleanup(&ixas); 3270 } 3271 3272 return (rc); 3273 } 3274 3275 /* 3276 * Process one of the queued messages (from ipsacq_mp) once the SA 3277 * has been added. 3278 */ 3279 static void 3280 esp_outbound_finish(mblk_t *data_mp, ip_xmit_attr_t *ixa) 3281 { 3282 netstack_t *ns = ixa->ixa_ipst->ips_netstack; 3283 ipsecesp_stack_t *espstack = ns->netstack_ipsecesp; 3284 ipsec_stack_t *ipss = ns->netstack_ipsec; 3285 ill_t *ill = ixa->ixa_nce->nce_ill; 3286 3287 if (!ipsec_outbound_sa(data_mp, ixa, IPPROTO_ESP)) { 3288 ESP_BUMP_STAT(espstack, out_discards); 3289 ip_drop_packet(data_mp, B_FALSE, ill, 3290 DROPPER(ipss, ipds_sadb_acquire_timeout), 3291 &espstack->esp_dropper); 3292 BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutDiscards); 3293 return; 3294 } 3295 3296 data_mp = esp_outbound(data_mp, ixa); 3297 if (data_mp == NULL) 3298 return; 3299 3300 /* do AH processing if needed */ 3301 data_mp = esp_do_outbound_ah(data_mp, ixa); 3302 if (data_mp == NULL) 3303 return; 3304 3305 (void) ip_output_post_ipsec(data_mp, ixa); 3306 } 3307 3308 /* 3309 * Add new ESP security association. This may become a generic AH/ESP 3310 * routine eventually. 3311 */ 3312 static int 3313 esp_add_sa(mblk_t *mp, keysock_in_t *ksi, int *diagnostic, netstack_t *ns) 3314 { 3315 sadb_sa_t *assoc = (sadb_sa_t *)ksi->ks_in_extv[SADB_EXT_SA]; 3316 sadb_address_t *srcext = 3317 (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_SRC]; 3318 sadb_address_t *dstext = 3319 (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_DST]; 3320 sadb_address_t *isrcext = 3321 (sadb_address_t *)ksi->ks_in_extv[SADB_X_EXT_ADDRESS_INNER_SRC]; 3322 sadb_address_t *idstext = 3323 (sadb_address_t *)ksi->ks_in_extv[SADB_X_EXT_ADDRESS_INNER_DST]; 3324 sadb_address_t *nttext_loc = 3325 (sadb_address_t *)ksi->ks_in_extv[SADB_X_EXT_ADDRESS_NATT_LOC]; 3326 sadb_address_t *nttext_rem = 3327 (sadb_address_t *)ksi->ks_in_extv[SADB_X_EXT_ADDRESS_NATT_REM]; 3328 sadb_key_t *akey = (sadb_key_t *)ksi->ks_in_extv[SADB_EXT_KEY_AUTH]; 3329 sadb_key_t *ekey = (sadb_key_t *)ksi->ks_in_extv[SADB_EXT_KEY_ENCRYPT]; 3330 struct sockaddr_in *src, *dst; 3331 struct sockaddr_in *natt_loc, *natt_rem; 3332 struct sockaddr_in6 *natt_loc6, *natt_rem6; 3333 sadb_lifetime_t *soft = 3334 (sadb_lifetime_t *)ksi->ks_in_extv[SADB_EXT_LIFETIME_SOFT]; 3335 sadb_lifetime_t *hard = 3336 (sadb_lifetime_t *)ksi->ks_in_extv[SADB_EXT_LIFETIME_HARD]; 3337 sadb_lifetime_t *idle = 3338 (sadb_lifetime_t *)ksi->ks_in_extv[SADB_X_EXT_LIFETIME_IDLE]; 3339 ipsecesp_stack_t *espstack = ns->netstack_ipsecesp; 3340 ipsec_stack_t *ipss = ns->netstack_ipsec; 3341 3342 3343 3344 /* I need certain extensions present for an ADD message. */ 3345 if (srcext == NULL) { 3346 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_SRC; 3347 return (EINVAL); 3348 } 3349 if (dstext == NULL) { 3350 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_DST; 3351 return (EINVAL); 3352 } 3353 if (isrcext == NULL && idstext != NULL) { 3354 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_INNER_SRC; 3355 return (EINVAL); 3356 } 3357 if (isrcext != NULL && idstext == NULL) { 3358 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_INNER_DST; 3359 return (EINVAL); 3360 } 3361 if (assoc == NULL) { 3362 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_SA; 3363 return (EINVAL); 3364 } 3365 if (ekey == NULL && assoc->sadb_sa_encrypt != SADB_EALG_NULL) { 3366 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_EKEY; 3367 return (EINVAL); 3368 } 3369 3370 src = (struct sockaddr_in *)(srcext + 1); 3371 dst = (struct sockaddr_in *)(dstext + 1); 3372 natt_loc = (struct sockaddr_in *)(nttext_loc + 1); 3373 natt_loc6 = (struct sockaddr_in6 *)(nttext_loc + 1); 3374 natt_rem = (struct sockaddr_in *)(nttext_rem + 1); 3375 natt_rem6 = (struct sockaddr_in6 *)(nttext_rem + 1); 3376 3377 /* Sundry ADD-specific reality checks. */ 3378 /* XXX STATS : Logging/stats here? */ 3379 3380 if ((assoc->sadb_sa_state != SADB_SASTATE_MATURE) && 3381 (assoc->sadb_sa_state != SADB_X_SASTATE_ACTIVE_ELSEWHERE)) { 3382 *diagnostic = SADB_X_DIAGNOSTIC_BAD_SASTATE; 3383 return (EINVAL); 3384 } 3385 if (assoc->sadb_sa_encrypt == SADB_EALG_NONE) { 3386 *diagnostic = SADB_X_DIAGNOSTIC_BAD_EALG; 3387 return (EINVAL); 3388 } 3389 3390 #ifndef IPSEC_LATENCY_TEST 3391 if (assoc->sadb_sa_encrypt == SADB_EALG_NULL && 3392 assoc->sadb_sa_auth == SADB_AALG_NONE) { 3393 *diagnostic = SADB_X_DIAGNOSTIC_BAD_AALG; 3394 return (EINVAL); 3395 } 3396 #endif 3397 3398 if (assoc->sadb_sa_flags & ~espstack->esp_sadb.s_addflags) { 3399 *diagnostic = SADB_X_DIAGNOSTIC_BAD_SAFLAGS; 3400 return (EINVAL); 3401 } 3402 3403 if ((*diagnostic = sadb_hardsoftchk(hard, soft, idle)) != 0) { 3404 return (EINVAL); 3405 } 3406 ASSERT(src->sin_family == dst->sin_family); 3407 3408 if (assoc->sadb_sa_flags & SADB_X_SAFLAGS_NATT_LOC) { 3409 if (nttext_loc == NULL) { 3410 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_NATT_LOC; 3411 return (EINVAL); 3412 } 3413 3414 if (natt_loc->sin_family == AF_INET6 && 3415 !IN6_IS_ADDR_V4MAPPED(&natt_loc6->sin6_addr)) { 3416 *diagnostic = SADB_X_DIAGNOSTIC_MALFORMED_NATT_LOC; 3417 return (EINVAL); 3418 } 3419 } 3420 3421 if (assoc->sadb_sa_flags & SADB_X_SAFLAGS_NATT_REM) { 3422 if (nttext_rem == NULL) { 3423 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_NATT_REM; 3424 return (EINVAL); 3425 } 3426 if (natt_rem->sin_family == AF_INET6 && 3427 !IN6_IS_ADDR_V4MAPPED(&natt_rem6->sin6_addr)) { 3428 *diagnostic = SADB_X_DIAGNOSTIC_MALFORMED_NATT_REM; 3429 return (EINVAL); 3430 } 3431 } 3432 3433 3434 /* Stuff I don't support, for now. XXX Diagnostic? */ 3435 if (ksi->ks_in_extv[SADB_EXT_LIFETIME_CURRENT] != NULL) 3436 return (EOPNOTSUPP); 3437 3438 if ((*diagnostic = sadb_labelchk(ksi)) != 0) 3439 return (EINVAL); 3440 3441 /* 3442 * XXX Policy : I'm not checking identities at this time, 3443 * but if I did, I'd do them here, before I sent 3444 * the weak key check up to the algorithm. 3445 */ 3446 3447 rw_enter(&ipss->ipsec_alg_lock, RW_READER); 3448 3449 /* 3450 * First locate the authentication algorithm. 3451 */ 3452 #ifdef IPSEC_LATENCY_TEST 3453 if (akey != NULL && assoc->sadb_sa_auth != SADB_AALG_NONE) { 3454 #else 3455 if (akey != NULL) { 3456 #endif 3457 ipsec_alginfo_t *aalg; 3458 3459 aalg = ipss->ipsec_alglists[IPSEC_ALG_AUTH] 3460 [assoc->sadb_sa_auth]; 3461 if (aalg == NULL || !ALG_VALID(aalg)) { 3462 rw_exit(&ipss->ipsec_alg_lock); 3463 esp1dbg(espstack, ("Couldn't find auth alg #%d.\n", 3464 assoc->sadb_sa_auth)); 3465 *diagnostic = SADB_X_DIAGNOSTIC_BAD_AALG; 3466 return (EINVAL); 3467 } 3468 3469 /* 3470 * Sanity check key sizes. 3471 * Note: It's not possible to use SADB_AALG_NONE because 3472 * this auth_alg is not defined with ALG_FLAG_VALID. If this 3473 * ever changes, the same check for SADB_AALG_NONE and 3474 * a auth_key != NULL should be made here ( see below). 3475 */ 3476 if (!ipsec_valid_key_size(akey->sadb_key_bits, aalg)) { 3477 rw_exit(&ipss->ipsec_alg_lock); 3478 *diagnostic = SADB_X_DIAGNOSTIC_BAD_AKEYBITS; 3479 return (EINVAL); 3480 } 3481 ASSERT(aalg->alg_mech_type != CRYPTO_MECHANISM_INVALID); 3482 3483 /* check key and fix parity if needed */ 3484 if (ipsec_check_key(aalg->alg_mech_type, akey, B_TRUE, 3485 diagnostic) != 0) { 3486 rw_exit(&ipss->ipsec_alg_lock); 3487 return (EINVAL); 3488 } 3489 } 3490 3491 /* 3492 * Then locate the encryption algorithm. 3493 */ 3494 if (ekey != NULL) { 3495 uint_t keybits; 3496 ipsec_alginfo_t *ealg; 3497 3498 ealg = ipss->ipsec_alglists[IPSEC_ALG_ENCR] 3499 [assoc->sadb_sa_encrypt]; 3500 if (ealg == NULL || !ALG_VALID(ealg)) { 3501 rw_exit(&ipss->ipsec_alg_lock); 3502 esp1dbg(espstack, ("Couldn't find encr alg #%d.\n", 3503 assoc->sadb_sa_encrypt)); 3504 *diagnostic = SADB_X_DIAGNOSTIC_BAD_EALG; 3505 return (EINVAL); 3506 } 3507 3508 /* 3509 * Sanity check key sizes. If the encryption algorithm is 3510 * SADB_EALG_NULL but the encryption key is NOT 3511 * NULL then complain. 3512 * 3513 * The keying material includes salt bits if required by 3514 * algorithm and optionally the Initial IV, check the 3515 * length of whats left. 3516 */ 3517 keybits = ekey->sadb_key_bits; 3518 keybits -= ekey->sadb_key_reserved; 3519 keybits -= SADB_8TO1(ealg->alg_saltlen); 3520 if ((assoc->sadb_sa_encrypt == SADB_EALG_NULL) || 3521 (!ipsec_valid_key_size(keybits, ealg))) { 3522 rw_exit(&ipss->ipsec_alg_lock); 3523 *diagnostic = SADB_X_DIAGNOSTIC_BAD_EKEYBITS; 3524 return (EINVAL); 3525 } 3526 ASSERT(ealg->alg_mech_type != CRYPTO_MECHANISM_INVALID); 3527 3528 /* check key */ 3529 if (ipsec_check_key(ealg->alg_mech_type, ekey, B_FALSE, 3530 diagnostic) != 0) { 3531 rw_exit(&ipss->ipsec_alg_lock); 3532 return (EINVAL); 3533 } 3534 } 3535 rw_exit(&ipss->ipsec_alg_lock); 3536 3537 return (esp_add_sa_finish(mp, (sadb_msg_t *)mp->b_cont->b_rptr, ksi, 3538 diagnostic, espstack)); 3539 } 3540 3541 /* 3542 * Update a security association. Updates come in two varieties. The first 3543 * is an update of lifetimes on a non-larval SA. The second is an update of 3544 * a larval SA, which ends up looking a lot more like an add. 3545 */ 3546 static int 3547 esp_update_sa(mblk_t *mp, keysock_in_t *ksi, int *diagnostic, 3548 ipsecesp_stack_t *espstack, uint8_t sadb_msg_type) 3549 { 3550 sadb_sa_t *assoc = (sadb_sa_t *)ksi->ks_in_extv[SADB_EXT_SA]; 3551 mblk_t *buf_pkt; 3552 int rcode; 3553 3554 sadb_address_t *dstext = 3555 (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_DST]; 3556 3557 if (dstext == NULL) { 3558 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_DST; 3559 return (EINVAL); 3560 } 3561 3562 rcode = sadb_update_sa(mp, ksi, &buf_pkt, &espstack->esp_sadb, 3563 diagnostic, espstack->esp_pfkey_q, esp_add_sa, 3564 espstack->ipsecesp_netstack, sadb_msg_type); 3565 3566 if ((assoc->sadb_sa_state != SADB_X_SASTATE_ACTIVE) || 3567 (rcode != 0)) { 3568 return (rcode); 3569 } 3570 3571 HANDLE_BUF_PKT(esp_taskq, espstack->ipsecesp_netstack->netstack_ipsec, 3572 espstack->esp_dropper, buf_pkt); 3573 3574 return (rcode); 3575 } 3576 3577 /* XXX refactor me */ 3578 /* 3579 * Delete a security association. This is REALLY likely to be code common to 3580 * both AH and ESP. Find the association, then unlink it. 3581 */ 3582 static int 3583 esp_del_sa(mblk_t *mp, keysock_in_t *ksi, int *diagnostic, 3584 ipsecesp_stack_t *espstack, uint8_t sadb_msg_type) 3585 { 3586 sadb_sa_t *assoc = (sadb_sa_t *)ksi->ks_in_extv[SADB_EXT_SA]; 3587 sadb_address_t *dstext = 3588 (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_DST]; 3589 sadb_address_t *srcext = 3590 (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_SRC]; 3591 struct sockaddr_in *sin; 3592 3593 if (assoc == NULL) { 3594 if (dstext != NULL) { 3595 sin = (struct sockaddr_in *)(dstext + 1); 3596 } else if (srcext != NULL) { 3597 sin = (struct sockaddr_in *)(srcext + 1); 3598 } else { 3599 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_SA; 3600 return (EINVAL); 3601 } 3602 return (sadb_purge_sa(mp, ksi, 3603 (sin->sin_family == AF_INET6) ? &espstack->esp_sadb.s_v6 : 3604 &espstack->esp_sadb.s_v4, diagnostic, 3605 espstack->esp_pfkey_q)); 3606 } 3607 3608 return (sadb_delget_sa(mp, ksi, &espstack->esp_sadb, diagnostic, 3609 espstack->esp_pfkey_q, sadb_msg_type)); 3610 } 3611 3612 /* XXX refactor me */ 3613 /* 3614 * Convert the entire contents of all of ESP's SA tables into PF_KEY SADB_DUMP 3615 * messages. 3616 */ 3617 static void 3618 esp_dump(mblk_t *mp, keysock_in_t *ksi, ipsecesp_stack_t *espstack) 3619 { 3620 int error; 3621 sadb_msg_t *samsg; 3622 3623 /* 3624 * Dump each fanout, bailing if error is non-zero. 3625 */ 3626 3627 error = sadb_dump(espstack->esp_pfkey_q, mp, ksi, 3628 &espstack->esp_sadb.s_v4); 3629 if (error != 0) 3630 goto bail; 3631 3632 error = sadb_dump(espstack->esp_pfkey_q, mp, ksi, 3633 &espstack->esp_sadb.s_v6); 3634 bail: 3635 ASSERT(mp->b_cont != NULL); 3636 samsg = (sadb_msg_t *)mp->b_cont->b_rptr; 3637 samsg->sadb_msg_errno = (uint8_t)error; 3638 sadb_pfkey_echo(espstack->esp_pfkey_q, mp, 3639 (sadb_msg_t *)mp->b_cont->b_rptr, ksi, NULL); 3640 } 3641 3642 /* 3643 * First-cut reality check for an inbound PF_KEY message. 3644 */ 3645 static boolean_t 3646 esp_pfkey_reality_failures(mblk_t *mp, keysock_in_t *ksi, 3647 ipsecesp_stack_t *espstack) 3648 { 3649 int diagnostic; 3650 3651 if (ksi->ks_in_extv[SADB_EXT_PROPOSAL] != NULL) { 3652 diagnostic = SADB_X_DIAGNOSTIC_PROP_PRESENT; 3653 goto badmsg; 3654 } 3655 if (ksi->ks_in_extv[SADB_EXT_SUPPORTED_AUTH] != NULL || 3656 ksi->ks_in_extv[SADB_EXT_SUPPORTED_ENCRYPT] != NULL) { 3657 diagnostic = SADB_X_DIAGNOSTIC_SUPP_PRESENT; 3658 goto badmsg; 3659 } 3660 return (B_FALSE); /* False ==> no failures */ 3661 3662 badmsg: 3663 sadb_pfkey_error(espstack->esp_pfkey_q, mp, EINVAL, diagnostic, 3664 ksi->ks_in_serial); 3665 return (B_TRUE); /* True ==> failures */ 3666 } 3667 3668 /* 3669 * ESP parsing of PF_KEY messages. Keysock did most of the really silly 3670 * error cases. What I receive is a fully-formed, syntactically legal 3671 * PF_KEY message. I then need to check semantics... 3672 * 3673 * This code may become common to AH and ESP. Stay tuned. 3674 * 3675 * I also make the assumption that db_ref's are cool. If this assumption 3676 * is wrong, this means that someone other than keysock or me has been 3677 * mucking with PF_KEY messages. 3678 */ 3679 static void 3680 esp_parse_pfkey(mblk_t *mp, ipsecesp_stack_t *espstack) 3681 { 3682 mblk_t *msg = mp->b_cont; 3683 sadb_msg_t *samsg; 3684 keysock_in_t *ksi; 3685 int error; 3686 int diagnostic = SADB_X_DIAGNOSTIC_NONE; 3687 3688 ASSERT(msg != NULL); 3689 3690 samsg = (sadb_msg_t *)msg->b_rptr; 3691 ksi = (keysock_in_t *)mp->b_rptr; 3692 3693 /* 3694 * If applicable, convert unspecified AF_INET6 to unspecified 3695 * AF_INET. And do other address reality checks. 3696 */ 3697 if (!sadb_addrfix(ksi, espstack->esp_pfkey_q, mp, 3698 espstack->ipsecesp_netstack) || 3699 esp_pfkey_reality_failures(mp, ksi, espstack)) { 3700 return; 3701 } 3702 3703 switch (samsg->sadb_msg_type) { 3704 case SADB_ADD: 3705 error = esp_add_sa(mp, ksi, &diagnostic, 3706 espstack->ipsecesp_netstack); 3707 if (error != 0) { 3708 sadb_pfkey_error(espstack->esp_pfkey_q, mp, error, 3709 diagnostic, ksi->ks_in_serial); 3710 } 3711 /* else esp_add_sa() took care of things. */ 3712 break; 3713 case SADB_DELETE: 3714 case SADB_X_DELPAIR: 3715 case SADB_X_DELPAIR_STATE: 3716 error = esp_del_sa(mp, ksi, &diagnostic, espstack, 3717 samsg->sadb_msg_type); 3718 if (error != 0) { 3719 sadb_pfkey_error(espstack->esp_pfkey_q, mp, error, 3720 diagnostic, ksi->ks_in_serial); 3721 } 3722 /* Else esp_del_sa() took care of things. */ 3723 break; 3724 case SADB_GET: 3725 error = sadb_delget_sa(mp, ksi, &espstack->esp_sadb, 3726 &diagnostic, espstack->esp_pfkey_q, samsg->sadb_msg_type); 3727 if (error != 0) { 3728 sadb_pfkey_error(espstack->esp_pfkey_q, mp, error, 3729 diagnostic, ksi->ks_in_serial); 3730 } 3731 /* Else sadb_get_sa() took care of things. */ 3732 break; 3733 case SADB_FLUSH: 3734 sadbp_flush(&espstack->esp_sadb, espstack->ipsecesp_netstack); 3735 sadb_pfkey_echo(espstack->esp_pfkey_q, mp, samsg, ksi, NULL); 3736 break; 3737 case SADB_REGISTER: 3738 /* 3739 * Hmmm, let's do it! Check for extensions (there should 3740 * be none), extract the fields, call esp_register_out(), 3741 * then either free or report an error. 3742 * 3743 * Keysock takes care of the PF_KEY bookkeeping for this. 3744 */ 3745 if (esp_register_out(samsg->sadb_msg_seq, samsg->sadb_msg_pid, 3746 ksi->ks_in_serial, espstack, msg_getcred(mp, NULL))) { 3747 freemsg(mp); 3748 } else { 3749 /* 3750 * Only way this path hits is if there is a memory 3751 * failure. It will not return B_FALSE because of 3752 * lack of esp_pfkey_q if I am in wput(). 3753 */ 3754 sadb_pfkey_error(espstack->esp_pfkey_q, mp, ENOMEM, 3755 diagnostic, ksi->ks_in_serial); 3756 } 3757 break; 3758 case SADB_UPDATE: 3759 case SADB_X_UPDATEPAIR: 3760 /* 3761 * Find a larval, if not there, find a full one and get 3762 * strict. 3763 */ 3764 error = esp_update_sa(mp, ksi, &diagnostic, espstack, 3765 samsg->sadb_msg_type); 3766 if (error != 0) { 3767 sadb_pfkey_error(espstack->esp_pfkey_q, mp, error, 3768 diagnostic, ksi->ks_in_serial); 3769 } 3770 /* else esp_update_sa() took care of things. */ 3771 break; 3772 case SADB_GETSPI: 3773 /* 3774 * Reserve a new larval entry. 3775 */ 3776 esp_getspi(mp, ksi, espstack); 3777 break; 3778 case SADB_ACQUIRE: 3779 /* 3780 * Find larval and/or ACQUIRE record and kill it (them), I'm 3781 * most likely an error. Inbound ACQUIRE messages should only 3782 * have the base header. 3783 */ 3784 sadb_in_acquire(samsg, &espstack->esp_sadb, 3785 espstack->esp_pfkey_q, espstack->ipsecesp_netstack); 3786 freemsg(mp); 3787 break; 3788 case SADB_DUMP: 3789 /* 3790 * Dump all entries. 3791 */ 3792 esp_dump(mp, ksi, espstack); 3793 /* esp_dump will take care of the return message, etc. */ 3794 break; 3795 case SADB_EXPIRE: 3796 /* Should never reach me. */ 3797 sadb_pfkey_error(espstack->esp_pfkey_q, mp, EOPNOTSUPP, 3798 diagnostic, ksi->ks_in_serial); 3799 break; 3800 default: 3801 sadb_pfkey_error(espstack->esp_pfkey_q, mp, EINVAL, 3802 SADB_X_DIAGNOSTIC_UNKNOWN_MSG, ksi->ks_in_serial); 3803 break; 3804 } 3805 } 3806 3807 /* 3808 * Handle case where PF_KEY says it can't find a keysock for one of my 3809 * ACQUIRE messages. 3810 */ 3811 static void 3812 esp_keysock_no_socket(mblk_t *mp, ipsecesp_stack_t *espstack) 3813 { 3814 sadb_msg_t *samsg; 3815 keysock_out_err_t *kse = (keysock_out_err_t *)mp->b_rptr; 3816 3817 if (mp->b_cont == NULL) { 3818 freemsg(mp); 3819 return; 3820 } 3821 samsg = (sadb_msg_t *)mp->b_cont->b_rptr; 3822 3823 /* 3824 * If keysock can't find any registered, delete the acquire record 3825 * immediately, and handle errors. 3826 */ 3827 if (samsg->sadb_msg_type == SADB_ACQUIRE) { 3828 samsg->sadb_msg_errno = kse->ks_err_errno; 3829 samsg->sadb_msg_len = SADB_8TO64(sizeof (*samsg)); 3830 /* 3831 * Use the write-side of the esp_pfkey_q 3832 */ 3833 sadb_in_acquire(samsg, &espstack->esp_sadb, 3834 WR(espstack->esp_pfkey_q), espstack->ipsecesp_netstack); 3835 } 3836 3837 freemsg(mp); 3838 } 3839 3840 /* 3841 * ESP module write put routine. 3842 */ 3843 static void 3844 ipsecesp_wput(queue_t *q, mblk_t *mp) 3845 { 3846 ipsec_info_t *ii; 3847 struct iocblk *iocp; 3848 ipsecesp_stack_t *espstack = (ipsecesp_stack_t *)q->q_ptr; 3849 3850 esp3dbg(espstack, ("In esp_wput().\n")); 3851 3852 /* NOTE: Each case must take care of freeing or passing mp. */ 3853 switch (mp->b_datap->db_type) { 3854 case M_CTL: 3855 if ((mp->b_wptr - mp->b_rptr) < sizeof (ipsec_info_t)) { 3856 /* Not big enough message. */ 3857 freemsg(mp); 3858 break; 3859 } 3860 ii = (ipsec_info_t *)mp->b_rptr; 3861 3862 switch (ii->ipsec_info_type) { 3863 case KEYSOCK_OUT_ERR: 3864 esp1dbg(espstack, ("Got KEYSOCK_OUT_ERR message.\n")); 3865 esp_keysock_no_socket(mp, espstack); 3866 break; 3867 case KEYSOCK_IN: 3868 ESP_BUMP_STAT(espstack, keysock_in); 3869 esp3dbg(espstack, ("Got KEYSOCK_IN message.\n")); 3870 3871 /* Parse the message. */ 3872 esp_parse_pfkey(mp, espstack); 3873 break; 3874 case KEYSOCK_HELLO: 3875 sadb_keysock_hello(&espstack->esp_pfkey_q, q, mp, 3876 esp_ager, (void *)espstack, &espstack->esp_event, 3877 SADB_SATYPE_ESP); 3878 break; 3879 default: 3880 esp2dbg(espstack, ("Got M_CTL from above of 0x%x.\n", 3881 ii->ipsec_info_type)); 3882 freemsg(mp); 3883 break; 3884 } 3885 break; 3886 case M_IOCTL: 3887 iocp = (struct iocblk *)mp->b_rptr; 3888 switch (iocp->ioc_cmd) { 3889 case ND_SET: 3890 case ND_GET: 3891 if (nd_getset(q, espstack->ipsecesp_g_nd, mp)) { 3892 qreply(q, mp); 3893 return; 3894 } else { 3895 iocp->ioc_error = ENOENT; 3896 } 3897 /* FALLTHRU */ 3898 default: 3899 /* We really don't support any other ioctls, do we? */ 3900 3901 /* Return EINVAL */ 3902 if (iocp->ioc_error != ENOENT) 3903 iocp->ioc_error = EINVAL; 3904 iocp->ioc_count = 0; 3905 mp->b_datap->db_type = M_IOCACK; 3906 qreply(q, mp); 3907 return; 3908 } 3909 default: 3910 esp3dbg(espstack, 3911 ("Got default message, type %d, passing to IP.\n", 3912 mp->b_datap->db_type)); 3913 putnext(q, mp); 3914 } 3915 } 3916 3917 /* 3918 * Wrapper to allow IP to trigger an ESP association failure message 3919 * during inbound SA selection. 3920 */ 3921 void 3922 ipsecesp_in_assocfailure(mblk_t *mp, char level, ushort_t sl, char *fmt, 3923 uint32_t spi, void *addr, int af, ip_recv_attr_t *ira) 3924 { 3925 netstack_t *ns = ira->ira_ill->ill_ipst->ips_netstack; 3926 ipsecesp_stack_t *espstack = ns->netstack_ipsecesp; 3927 ipsec_stack_t *ipss = ns->netstack_ipsec; 3928 3929 if (espstack->ipsecesp_log_unknown_spi) { 3930 ipsec_assocfailure(info.mi_idnum, 0, level, sl, fmt, spi, 3931 addr, af, espstack->ipsecesp_netstack); 3932 } 3933 3934 ip_drop_packet(mp, B_TRUE, ira->ira_ill, 3935 DROPPER(ipss, ipds_esp_no_sa), 3936 &espstack->esp_dropper); 3937 } 3938 3939 /* 3940 * Initialize the ESP input and output processing functions. 3941 */ 3942 void 3943 ipsecesp_init_funcs(ipsa_t *sa) 3944 { 3945 if (sa->ipsa_output_func == NULL) 3946 sa->ipsa_output_func = esp_outbound; 3947 if (sa->ipsa_input_func == NULL) 3948 sa->ipsa_input_func = esp_inbound; 3949 } 3950