1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2006 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 #pragma ident "%Z%%M% %I% %E% SMI" 27 28 /* 29 * IPsec Security Policy Database. 30 * 31 * This module maintains the SPD and provides routines used by ip and ip6 32 * to apply IPsec policy to inbound and outbound datagrams. 33 */ 34 35 #include <sys/types.h> 36 #include <sys/stream.h> 37 #include <sys/stropts.h> 38 #include <sys/sysmacros.h> 39 #include <sys/strsubr.h> 40 #include <sys/strlog.h> 41 #include <sys/cmn_err.h> 42 #include <sys/zone.h> 43 44 #include <sys/systm.h> 45 #include <sys/param.h> 46 #include <sys/kmem.h> 47 48 #include <sys/crypto/api.h> 49 50 #include <inet/common.h> 51 #include <inet/mi.h> 52 53 #include <netinet/ip6.h> 54 #include <netinet/icmp6.h> 55 #include <netinet/udp.h> 56 57 #include <inet/ip.h> 58 #include <inet/ip6.h> 59 60 #include <net/pfkeyv2.h> 61 #include <net/pfpolicy.h> 62 #include <inet/ipsec_info.h> 63 #include <inet/sadb.h> 64 #include <inet/ipsec_impl.h> 65 #include <inet/ipsecah.h> 66 #include <inet/ipsecesp.h> 67 #include <inet/ipdrop.h> 68 #include <inet/ipclassifier.h> 69 70 static void ipsec_update_present_flags(); 71 static ipsec_act_t *ipsec_act_wildcard_expand(ipsec_act_t *, uint_t *); 72 static void ipsec_out_free(void *); 73 static void ipsec_in_free(void *); 74 static boolean_t ipsec_init_inbound_sel(ipsec_selector_t *, mblk_t *, 75 ipha_t *, ip6_t *); 76 static mblk_t *ipsec_attach_global_policy(mblk_t *, conn_t *, 77 ipsec_selector_t *); 78 static mblk_t *ipsec_apply_global_policy(mblk_t *, conn_t *, 79 ipsec_selector_t *); 80 static mblk_t *ipsec_check_ipsecin_policy(queue_t *, mblk_t *, 81 ipsec_policy_t *, ipha_t *, ip6_t *); 82 static void ipsec_in_release_refs(ipsec_in_t *); 83 static void ipsec_out_release_refs(ipsec_out_t *); 84 static void ipsec_action_reclaim(void *); 85 static void ipsid_init(void); 86 static void ipsid_fini(void); 87 static boolean_t ipsec_check_ipsecin_action(struct ipsec_in_s *, mblk_t *, 88 struct ipsec_action_s *, ipha_t *ipha, ip6_t *ip6h, const char **, 89 kstat_named_t **); 90 static int32_t ipsec_act_ovhd(const ipsec_act_t *act); 91 static void ipsec_unregister_prov_update(void); 92 static boolean_t ipsec_compare_action(ipsec_policy_t *, ipsec_policy_t *); 93 static uint32_t selector_hash(ipsec_selector_t *); 94 95 /* 96 * Policy rule index generator. We assume this won't wrap in the 97 * lifetime of a system. If we make 2^20 policy changes per second, 98 * this will last 2^44 seconds, or roughly 500,000 years, so we don't 99 * have to worry about reusing policy index values. 100 * 101 * Protected by ipsec_conf_lock. 102 */ 103 uint64_t ipsec_next_policy_index = 1; 104 105 /* 106 * Active & Inactive system policy roots 107 */ 108 static ipsec_policy_head_t system_policy; 109 static ipsec_policy_head_t inactive_policy; 110 111 /* Packet dropper for generic SPD drops. */ 112 static ipdropper_t spd_dropper; 113 114 /* 115 * For now, use a trivially sized hash table for actions. 116 * In the future we can add the structure canonicalization necessary 117 * to get the hash function to behave correctly.. 118 */ 119 #define IPSEC_ACTION_HASH_SIZE 1 120 121 /* 122 * Selector hash table is statically sized at module load time. 123 * we default to 251 buckets, which is the largest prime number under 255 124 */ 125 126 #define IPSEC_SPDHASH_DEFAULT 251 127 uint32_t ipsec_spd_hashsize = 0; 128 129 #define IPSEC_SEL_NOHASH ((uint32_t)(~0)) 130 131 static HASH_HEAD(ipsec_action_s) ipsec_action_hash[IPSEC_ACTION_HASH_SIZE]; 132 static HASH_HEAD(ipsec_sel) *ipsec_sel_hash; 133 134 static kmem_cache_t *ipsec_action_cache; 135 static kmem_cache_t *ipsec_sel_cache; 136 static kmem_cache_t *ipsec_pol_cache; 137 static kmem_cache_t *ipsec_info_cache; 138 139 boolean_t ipsec_inbound_v4_policy_present = B_FALSE; 140 boolean_t ipsec_outbound_v4_policy_present = B_FALSE; 141 boolean_t ipsec_inbound_v6_policy_present = B_FALSE; 142 boolean_t ipsec_outbound_v6_policy_present = B_FALSE; 143 144 /* 145 * Because policy needs to know what algorithms are supported, keep the 146 * lists of algorithms here. 147 */ 148 149 kmutex_t alg_lock; 150 uint8_t ipsec_nalgs[IPSEC_NALGTYPES]; 151 ipsec_alginfo_t *ipsec_alglists[IPSEC_NALGTYPES][IPSEC_MAX_ALGS]; 152 uint8_t ipsec_sortlist[IPSEC_NALGTYPES][IPSEC_MAX_ALGS]; 153 ipsec_algs_exec_mode_t ipsec_algs_exec_mode[IPSEC_NALGTYPES]; 154 static crypto_notify_handle_t prov_update_handle = NULL; 155 156 int ipsec_hdr_pullup_needed = 0; 157 int ipsec_weird_null_inbound_policy = 0; 158 159 #define ALGBITS_ROUND_DOWN(x, align) (((x)/(align))*(align)) 160 #define ALGBITS_ROUND_UP(x, align) ALGBITS_ROUND_DOWN((x)+(align)-1, align) 161 162 /* 163 * Inbound traffic should have matching identities for both SA's. 164 */ 165 166 #define SA_IDS_MATCH(sa1, sa2) \ 167 (((sa1) == NULL) || ((sa2) == NULL) || \ 168 (((sa1)->ipsa_src_cid == (sa2)->ipsa_src_cid) && \ 169 (((sa1)->ipsa_dst_cid == (sa2)->ipsa_dst_cid)))) 170 171 #define IPPOL_UNCHAIN(php, ip) \ 172 HASHLIST_UNCHAIN((ip), ipsp_hash); \ 173 avl_remove(&(php)->iph_rulebyid, (ip)); \ 174 IPPOL_REFRELE(ip); 175 176 /* 177 * Policy failure messages. 178 */ 179 static char *ipsec_policy_failure_msgs[] = { 180 181 /* IPSEC_POLICY_NOT_NEEDED */ 182 "%s: Dropping the datagram because the incoming packet " 183 "is %s, but the recipient expects clear; Source %s, " 184 "Destination %s.\n", 185 186 /* IPSEC_POLICY_MISMATCH */ 187 "%s: Policy Failure for the incoming packet (%s); Source %s, " 188 "Destination %s.\n", 189 190 /* IPSEC_POLICY_AUTH_NOT_NEEDED */ 191 "%s: Authentication present while not expected in the " 192 "incoming %s packet; Source %s, Destination %s.\n", 193 194 /* IPSEC_POLICY_ENCR_NOT_NEEDED */ 195 "%s: Encryption present while not expected in the " 196 "incoming %s packet; Source %s, Destination %s.\n", 197 198 /* IPSEC_POLICY_SE_NOT_NEEDED */ 199 "%s: Self-Encapsulation present while not expected in the " 200 "incoming %s packet; Source %s, Destination %s.\n", 201 }; 202 /* 203 * Have a counter for every possible policy message in the previous array. 204 */ 205 static uint32_t ipsec_policy_failure_count[IPSEC_POLICY_MAX]; 206 /* Time since last ipsec policy failure that printed a message. */ 207 hrtime_t ipsec_policy_failure_last = 0; 208 209 /* 210 * General overviews: 211 * 212 * Locking: 213 * 214 * All of the system policy structures are protected by a single 215 * rwlock, ipsec_conf_lock. These structures are threaded in a 216 * fairly complex fashion and are not expected to change on a 217 * regular basis, so this should not cause scaling/contention 218 * problems. As a result, policy checks should (hopefully) be MT-hot. 219 * 220 * Allocation policy: 221 * 222 * We use custom kmem cache types for the various 223 * bits & pieces of the policy data structures. All allocations 224 * use KM_NOSLEEP instead of KM_SLEEP for policy allocation. The 225 * policy table is of potentially unbounded size, so we don't 226 * want to provide a way to hog all system memory with policy 227 * entries.. 228 */ 229 230 231 /* 232 * AVL tree comparison function. 233 * the in-kernel avl assumes unique keys for all objects. 234 * Since sometimes policy will duplicate rules, we may insert 235 * multiple rules with the same rule id, so we need a tie-breaker. 236 */ 237 static int 238 ipsec_policy_cmpbyid(const void *a, const void *b) 239 { 240 const ipsec_policy_t *ipa, *ipb; 241 uint64_t idxa, idxb; 242 243 ipa = (const ipsec_policy_t *)a; 244 ipb = (const ipsec_policy_t *)b; 245 idxa = ipa->ipsp_index; 246 idxb = ipb->ipsp_index; 247 248 if (idxa < idxb) 249 return (-1); 250 if (idxa > idxb) 251 return (1); 252 /* 253 * Tie-breaker #1: All installed policy rules have a non-NULL 254 * ipsl_sel (selector set), so an entry with a NULL ipsp_sel is not 255 * actually in-tree but rather a template node being used in 256 * an avl_find query; see ipsec_policy_delete(). This gives us 257 * a placeholder in the ordering just before the the first entry with 258 * a key >= the one we're looking for, so we can walk forward from 259 * that point to get the remaining entries with the same id. 260 */ 261 if ((ipa->ipsp_sel == NULL) && (ipb->ipsp_sel != NULL)) 262 return (-1); 263 if ((ipb->ipsp_sel == NULL) && (ipa->ipsp_sel != NULL)) 264 return (1); 265 /* 266 * At most one of the arguments to the comparison should have a 267 * NULL selector pointer; if not, the tree is broken. 268 */ 269 ASSERT(ipa->ipsp_sel != NULL); 270 ASSERT(ipb->ipsp_sel != NULL); 271 /* 272 * Tie-breaker #2: use the virtual address of the policy node 273 * to arbitrarily break ties. Since we use the new tree node in 274 * the avl_find() in ipsec_insert_always, the new node will be 275 * inserted into the tree in the right place in the sequence. 276 */ 277 if (ipa < ipb) 278 return (-1); 279 if (ipa > ipb) 280 return (1); 281 return (0); 282 } 283 284 static void 285 ipsec_polhead_free_table(ipsec_policy_head_t *iph) 286 { 287 int dir, nchains; 288 289 nchains = ipsec_spd_hashsize; 290 291 for (dir = 0; dir < IPSEC_NTYPES; dir++) { 292 ipsec_policy_root_t *ipr = &iph->iph_root[dir]; 293 294 if (ipr->ipr_hash == NULL) 295 continue; 296 297 kmem_free(ipr->ipr_hash, nchains * 298 sizeof (ipsec_policy_hash_t)); 299 } 300 } 301 302 static void 303 ipsec_polhead_destroy(ipsec_policy_head_t *iph) 304 { 305 int dir; 306 307 avl_destroy(&iph->iph_rulebyid); 308 rw_destroy(&iph->iph_lock); 309 310 for (dir = 0; dir < IPSEC_NTYPES; dir++) { 311 ipsec_policy_root_t *ipr = &iph->iph_root[dir]; 312 int nchains = ipr->ipr_nchains; 313 int chain; 314 315 for (chain = 0; chain < nchains; chain++) 316 mutex_destroy(&(ipr->ipr_hash[chain].hash_lock)); 317 318 } 319 ipsec_polhead_free_table(iph); 320 } 321 322 /* 323 * Module unload hook. 324 */ 325 void 326 ipsec_policy_destroy(void) 327 { 328 int i; 329 330 ip_drop_unregister(&spd_dropper); 331 ip_drop_destroy(); 332 333 ipsec_polhead_destroy(&system_policy); 334 ipsec_polhead_destroy(&inactive_policy); 335 336 for (i = 0; i < IPSEC_ACTION_HASH_SIZE; i++) 337 mutex_destroy(&(ipsec_action_hash[i].hash_lock)); 338 339 for (i = 0; i < ipsec_spd_hashsize; i++) 340 mutex_destroy(&(ipsec_sel_hash[i].hash_lock)); 341 342 ipsec_unregister_prov_update(); 343 344 mutex_destroy(&alg_lock); 345 346 kmem_cache_destroy(ipsec_action_cache); 347 kmem_cache_destroy(ipsec_sel_cache); 348 kmem_cache_destroy(ipsec_pol_cache); 349 kmem_cache_destroy(ipsec_info_cache); 350 ipsid_gc(); 351 ipsid_fini(); 352 } 353 354 355 /* 356 * Called when table allocation fails to free the table. 357 */ 358 static int 359 ipsec_alloc_tables_failed() 360 { 361 if (ipsec_sel_hash != NULL) { 362 kmem_free(ipsec_sel_hash, ipsec_spd_hashsize * 363 sizeof (*ipsec_sel_hash)); 364 ipsec_sel_hash = NULL; 365 } 366 ipsec_polhead_free_table(&system_policy); 367 ipsec_polhead_free_table(&inactive_policy); 368 369 return (ENOMEM); 370 } 371 372 /* 373 * Attempt to allocate the tables in a single policy head. 374 * Return nonzero on failure after cleaning up any work in progress. 375 */ 376 static int 377 ipsec_alloc_table(ipsec_policy_head_t *iph, int kmflag) 378 { 379 int dir, nchains; 380 381 nchains = ipsec_spd_hashsize; 382 383 for (dir = 0; dir < IPSEC_NTYPES; dir++) { 384 ipsec_policy_root_t *ipr = &iph->iph_root[dir]; 385 386 ipr->ipr_hash = kmem_zalloc(nchains * 387 sizeof (ipsec_policy_hash_t), kmflag); 388 if (ipr->ipr_hash == NULL) 389 return (ipsec_alloc_tables_failed()); 390 } 391 return (0); 392 } 393 394 /* 395 * Attempt to allocate the various tables. Return nonzero on failure 396 * after cleaning up any work in progress. 397 */ 398 static int 399 ipsec_alloc_tables(int kmflag) 400 { 401 int error; 402 403 error = ipsec_alloc_table(&system_policy, kmflag); 404 if (error != 0) 405 return (error); 406 407 error = ipsec_alloc_table(&inactive_policy, kmflag); 408 if (error != 0) 409 return (error); 410 411 ipsec_sel_hash = kmem_zalloc(ipsec_spd_hashsize * 412 sizeof (*ipsec_sel_hash), kmflag); 413 414 if (ipsec_sel_hash == NULL) 415 return (ipsec_alloc_tables_failed()); 416 417 return (0); 418 } 419 420 /* 421 * After table allocation, initialize a policy head. 422 */ 423 static void 424 ipsec_polhead_init(ipsec_policy_head_t *iph) 425 { 426 int dir, chain, nchains; 427 428 nchains = ipsec_spd_hashsize; 429 430 rw_init(&iph->iph_lock, NULL, RW_DEFAULT, NULL); 431 avl_create(&iph->iph_rulebyid, ipsec_policy_cmpbyid, 432 sizeof (ipsec_policy_t), offsetof(ipsec_policy_t, ipsp_byid)); 433 434 for (dir = 0; dir < IPSEC_NTYPES; dir++) { 435 ipsec_policy_root_t *ipr = &iph->iph_root[dir]; 436 ipr->ipr_nchains = nchains; 437 438 for (chain = 0; chain < nchains; chain++) { 439 mutex_init(&(ipr->ipr_hash[chain].hash_lock), 440 NULL, MUTEX_DEFAULT, NULL); 441 } 442 } 443 } 444 445 /* 446 * Module load hook. 447 */ 448 void 449 ipsec_policy_init() 450 { 451 int i; 452 453 /* 454 * Make two attempts to allocate policy hash tables; try it at 455 * the "preferred" size (may be set in /etc/system) first, 456 * then fall back to the default size. 457 */ 458 if (ipsec_spd_hashsize == 0) 459 ipsec_spd_hashsize = IPSEC_SPDHASH_DEFAULT; 460 461 if (ipsec_alloc_tables(KM_NOSLEEP) != 0) { 462 cmn_err(CE_WARN, 463 "Unable to allocate %d entry IPsec policy hash table", 464 ipsec_spd_hashsize); 465 ipsec_spd_hashsize = IPSEC_SPDHASH_DEFAULT; 466 cmn_err(CE_WARN, "Falling back to %d entries", 467 ipsec_spd_hashsize); 468 (void) ipsec_alloc_tables(KM_SLEEP); 469 } 470 471 ipsid_init(); 472 ipsec_polhead_init(&system_policy); 473 ipsec_polhead_init(&inactive_policy); 474 475 for (i = 0; i < IPSEC_ACTION_HASH_SIZE; i++) 476 mutex_init(&(ipsec_action_hash[i].hash_lock), 477 NULL, MUTEX_DEFAULT, NULL); 478 479 for (i = 0; i < ipsec_spd_hashsize; i++) 480 mutex_init(&(ipsec_sel_hash[i].hash_lock), 481 NULL, MUTEX_DEFAULT, NULL); 482 483 mutex_init(&alg_lock, NULL, MUTEX_DEFAULT, NULL); 484 485 for (i = 0; i < IPSEC_NALGTYPES; i++) 486 ipsec_nalgs[i] = 0; 487 488 ipsec_action_cache = kmem_cache_create("ipsec_actions", 489 sizeof (ipsec_action_t), _POINTER_ALIGNMENT, NULL, NULL, 490 ipsec_action_reclaim, NULL, NULL, 0); 491 ipsec_sel_cache = kmem_cache_create("ipsec_selectors", 492 sizeof (ipsec_sel_t), _POINTER_ALIGNMENT, NULL, NULL, 493 NULL, NULL, NULL, 0); 494 ipsec_pol_cache = kmem_cache_create("ipsec_policy", 495 sizeof (ipsec_policy_t), _POINTER_ALIGNMENT, NULL, NULL, 496 NULL, NULL, NULL, 0); 497 ipsec_info_cache = kmem_cache_create("ipsec_info", 498 sizeof (ipsec_info_t), _POINTER_ALIGNMENT, NULL, NULL, 499 NULL, NULL, NULL, 0); 500 501 ip_drop_init(); 502 ip_drop_register(&spd_dropper, "IPsec SPD"); 503 } 504 505 /* 506 * Sort algorithm lists. 507 * 508 * I may need to split this based on 509 * authentication/encryption, and I may wish to have an administrator 510 * configure this list. Hold on to some NDD variables... 511 * 512 * XXX For now, sort on minimum key size (GAG!). While minimum key size is 513 * not the ideal metric, it's the only quantifiable measure available. 514 * We need a better metric for sorting algorithms by preference. 515 */ 516 static void 517 alg_insert_sortlist(enum ipsec_algtype at, uint8_t algid) 518 { 519 ipsec_alginfo_t *ai = ipsec_alglists[at][algid]; 520 uint8_t holder, swap; 521 uint_t i; 522 uint_t count = ipsec_nalgs[at]; 523 ASSERT(ai != NULL); 524 ASSERT(algid == ai->alg_id); 525 526 ASSERT(MUTEX_HELD(&alg_lock)); 527 528 holder = algid; 529 530 for (i = 0; i < count - 1; i++) { 531 ipsec_alginfo_t *alt; 532 533 alt = ipsec_alglists[at][ipsec_sortlist[at][i]]; 534 /* 535 * If you want to give precedence to newly added algs, 536 * add the = in the > comparison. 537 */ 538 if ((holder != algid) || (ai->alg_minbits > alt->alg_minbits)) { 539 /* Swap sortlist[i] and holder. */ 540 swap = ipsec_sortlist[at][i]; 541 ipsec_sortlist[at][i] = holder; 542 holder = swap; 543 ai = alt; 544 } /* Else just continue. */ 545 } 546 547 /* Store holder in last slot. */ 548 ipsec_sortlist[at][i] = holder; 549 } 550 551 /* 552 * Remove an algorithm from a sorted algorithm list. 553 * This should be considerably easier, even with complex sorting. 554 */ 555 static void 556 alg_remove_sortlist(enum ipsec_algtype at, uint8_t algid) 557 { 558 boolean_t copyback = B_FALSE; 559 int i; 560 int newcount = ipsec_nalgs[at]; 561 562 ASSERT(MUTEX_HELD(&alg_lock)); 563 564 for (i = 0; i <= newcount; i++) { 565 if (copyback) 566 ipsec_sortlist[at][i-1] = ipsec_sortlist[at][i]; 567 else if (ipsec_sortlist[at][i] == algid) 568 copyback = B_TRUE; 569 } 570 } 571 572 /* 573 * Add the specified algorithm to the algorithm tables. 574 * Must be called while holding the algorithm table writer lock. 575 */ 576 void 577 ipsec_alg_reg(ipsec_algtype_t algtype, ipsec_alginfo_t *alg) 578 { 579 ASSERT(MUTEX_HELD(&alg_lock)); 580 581 ASSERT(ipsec_alglists[algtype][alg->alg_id] == NULL); 582 ipsec_alg_fix_min_max(alg, algtype); 583 ipsec_alglists[algtype][alg->alg_id] = alg; 584 585 ipsec_nalgs[algtype]++; 586 alg_insert_sortlist(algtype, alg->alg_id); 587 } 588 589 /* 590 * Remove the specified algorithm from the algorithm tables. 591 * Must be called while holding the algorithm table writer lock. 592 */ 593 void 594 ipsec_alg_unreg(ipsec_algtype_t algtype, uint8_t algid) 595 { 596 ASSERT(MUTEX_HELD(&alg_lock)); 597 598 ASSERT(ipsec_alglists[algtype][algid] != NULL); 599 ipsec_alg_free(ipsec_alglists[algtype][algid]); 600 ipsec_alglists[algtype][algid] = NULL; 601 602 ipsec_nalgs[algtype]--; 603 alg_remove_sortlist(algtype, algid); 604 } 605 606 /* 607 * Hooks for spdsock to get a grip on system policy. 608 */ 609 610 ipsec_policy_head_t * 611 ipsec_system_policy(void) 612 { 613 ipsec_policy_head_t *h = &system_policy; 614 IPPH_REFHOLD(h); 615 return (h); 616 } 617 618 ipsec_policy_head_t * 619 ipsec_inactive_policy(void) 620 { 621 ipsec_policy_head_t *h = &inactive_policy; 622 IPPH_REFHOLD(h); 623 return (h); 624 } 625 626 /* 627 * Lock inactive policy, then active policy, then exchange policy root 628 * pointers. 629 */ 630 void 631 ipsec_swap_policy(void) 632 { 633 int af, dir; 634 avl_tree_t r1, r2; 635 636 rw_enter(&inactive_policy.iph_lock, RW_WRITER); 637 rw_enter(&system_policy.iph_lock, RW_WRITER); 638 639 r1 = system_policy.iph_rulebyid; 640 r2 = inactive_policy.iph_rulebyid; 641 system_policy.iph_rulebyid = r2; 642 inactive_policy.iph_rulebyid = r1; 643 644 for (dir = 0; dir < IPSEC_NTYPES; dir++) { 645 ipsec_policy_hash_t *h1, *h2; 646 647 h1 = system_policy.iph_root[dir].ipr_hash; 648 h2 = inactive_policy.iph_root[dir].ipr_hash; 649 system_policy.iph_root[dir].ipr_hash = h2; 650 inactive_policy.iph_root[dir].ipr_hash = h1; 651 652 for (af = 0; af < IPSEC_NAF; af++) { 653 ipsec_policy_t *t1, *t2; 654 655 t1 = system_policy.iph_root[dir].ipr_nonhash[af]; 656 t2 = inactive_policy.iph_root[dir].ipr_nonhash[af]; 657 system_policy.iph_root[dir].ipr_nonhash[af] = t2; 658 inactive_policy.iph_root[dir].ipr_nonhash[af] = t1; 659 if (t1 != NULL) { 660 t1->ipsp_hash.hash_pp = 661 &(inactive_policy.iph_root[dir]. 662 ipr_nonhash[af]); 663 } 664 if (t2 != NULL) { 665 t2->ipsp_hash.hash_pp = 666 &(system_policy.iph_root[dir]. 667 ipr_nonhash[af]); 668 } 669 670 } 671 } 672 system_policy.iph_gen++; 673 inactive_policy.iph_gen++; 674 ipsec_update_present_flags(); 675 rw_exit(&system_policy.iph_lock); 676 rw_exit(&inactive_policy.iph_lock); 677 } 678 679 /* 680 * Clone one policy rule.. 681 */ 682 static ipsec_policy_t * 683 ipsec_copy_policy(const ipsec_policy_t *src) 684 { 685 ipsec_policy_t *dst = kmem_cache_alloc(ipsec_pol_cache, KM_NOSLEEP); 686 687 if (dst == NULL) 688 return (NULL); 689 690 /* 691 * Adjust refcounts of cloned state. 692 */ 693 IPACT_REFHOLD(src->ipsp_act); 694 src->ipsp_sel->ipsl_refs++; 695 696 HASH_NULL(dst, ipsp_hash); 697 dst->ipsp_refs = 1; 698 dst->ipsp_sel = src->ipsp_sel; 699 dst->ipsp_act = src->ipsp_act; 700 dst->ipsp_prio = src->ipsp_prio; 701 dst->ipsp_index = src->ipsp_index; 702 703 return (dst); 704 } 705 706 void 707 ipsec_insert_always(avl_tree_t *tree, void *new_node) 708 { 709 void *node; 710 avl_index_t where; 711 712 node = avl_find(tree, new_node, &where); 713 ASSERT(node == NULL); 714 avl_insert(tree, new_node, where); 715 } 716 717 718 static int 719 ipsec_copy_chain(ipsec_policy_head_t *dph, ipsec_policy_t *src, 720 ipsec_policy_t **dstp) 721 { 722 for (; src != NULL; src = src->ipsp_hash.hash_next) { 723 ipsec_policy_t *dst = ipsec_copy_policy(src); 724 if (dst == NULL) 725 return (ENOMEM); 726 727 HASHLIST_INSERT(dst, ipsp_hash, *dstp); 728 ipsec_insert_always(&dph->iph_rulebyid, dst); 729 } 730 return (0); 731 } 732 733 734 735 /* 736 * Make one policy head look exactly like another. 737 * 738 * As with ipsec_swap_policy, we lock the destination policy head first, then 739 * the source policy head. Note that we only need to read-lock the source 740 * policy head as we are not changing it. 741 */ 742 static int 743 ipsec_copy_polhead(ipsec_policy_head_t *sph, ipsec_policy_head_t *dph) 744 { 745 int af, dir, chain, nchains; 746 747 rw_enter(&dph->iph_lock, RW_WRITER); 748 749 ipsec_polhead_flush(dph); 750 751 rw_enter(&sph->iph_lock, RW_READER); 752 753 for (dir = 0; dir < IPSEC_NTYPES; dir++) { 754 ipsec_policy_root_t *dpr = &dph->iph_root[dir]; 755 ipsec_policy_root_t *spr = &sph->iph_root[dir]; 756 nchains = dpr->ipr_nchains; 757 758 ASSERT(dpr->ipr_nchains == spr->ipr_nchains); 759 760 for (af = 0; af < IPSEC_NAF; af++) { 761 if (ipsec_copy_chain(dph, spr->ipr_nonhash[af], 762 &dpr->ipr_nonhash[af])) 763 goto abort_copy; 764 } 765 766 for (chain = 0; chain < nchains; chain++) { 767 if (ipsec_copy_chain(dph, 768 spr->ipr_hash[chain].hash_head, 769 &dpr->ipr_hash[chain].hash_head)) 770 goto abort_copy; 771 } 772 } 773 774 dph->iph_gen++; 775 776 rw_exit(&sph->iph_lock); 777 rw_exit(&dph->iph_lock); 778 return (0); 779 780 abort_copy: 781 ipsec_polhead_flush(dph); 782 rw_exit(&sph->iph_lock); 783 rw_exit(&dph->iph_lock); 784 return (ENOMEM); 785 } 786 787 /* 788 * Clone currently active policy to the inactive policy list. 789 */ 790 int 791 ipsec_clone_system_policy(void) 792 { 793 return (ipsec_copy_polhead(&system_policy, &inactive_policy)); 794 } 795 796 797 /* 798 * Extract the string from ipsec_policy_failure_msgs[type] and 799 * log it. 800 * 801 */ 802 void 803 ipsec_log_policy_failure(queue_t *q, int type, char *func_name, ipha_t *ipha, 804 ip6_t *ip6h, boolean_t secure) 805 { 806 char sbuf[INET6_ADDRSTRLEN]; 807 char dbuf[INET6_ADDRSTRLEN]; 808 char *s; 809 char *d; 810 short mid = 0; 811 812 ASSERT((ipha == NULL && ip6h != NULL) || 813 (ip6h == NULL && ipha != NULL)); 814 815 if (ipha != NULL) { 816 s = inet_ntop(AF_INET, &ipha->ipha_src, sbuf, sizeof (sbuf)); 817 d = inet_ntop(AF_INET, &ipha->ipha_dst, dbuf, sizeof (dbuf)); 818 } else { 819 s = inet_ntop(AF_INET6, &ip6h->ip6_src, sbuf, sizeof (sbuf)); 820 d = inet_ntop(AF_INET6, &ip6h->ip6_dst, dbuf, sizeof (dbuf)); 821 822 } 823 824 /* Always bump the policy failure counter. */ 825 ipsec_policy_failure_count[type]++; 826 827 if (q != NULL) { 828 mid = q->q_qinfo->qi_minfo->mi_idnum; 829 } 830 ipsec_rl_strlog(mid, 0, 0, SL_ERROR|SL_WARN|SL_CONSOLE, 831 ipsec_policy_failure_msgs[type], 832 func_name, 833 (secure ? "secure" : "not secure"), s, d); 834 } 835 836 /* 837 * Rate-limiting front-end to strlog() for AH and ESP. Uses the ndd variables 838 * in /dev/ip and the same rate-limiting clock so that there's a single 839 * knob to turn to throttle the rate of messages. 840 */ 841 void 842 ipsec_rl_strlog(short mid, short sid, char level, ushort_t sl, char *fmt, ...) 843 { 844 va_list adx; 845 hrtime_t current = gethrtime(); 846 847 sl |= SL_CONSOLE; 848 /* 849 * Throttle logging to stop syslog from being swamped. If variable 850 * 'ipsec_policy_log_interval' is zero, don't log any messages at 851 * all, otherwise log only one message every 'ipsec_policy_log_interval' 852 * msec. Convert interval (in msec) to hrtime (in nsec). 853 */ 854 855 if (ipsec_policy_log_interval) { 856 if (ipsec_policy_failure_last + 857 ((hrtime_t)ipsec_policy_log_interval * (hrtime_t)1000000) <= 858 current) { 859 va_start(adx, fmt); 860 (void) vstrlog(mid, sid, level, sl, fmt, adx); 861 va_end(adx); 862 ipsec_policy_failure_last = current; 863 } 864 } 865 } 866 867 void 868 ipsec_config_flush() 869 { 870 rw_enter(&system_policy.iph_lock, RW_WRITER); 871 ipsec_polhead_flush(&system_policy); 872 ipsec_next_policy_index = 1; 873 rw_exit(&system_policy.iph_lock); 874 ipsec_action_reclaim(0); 875 } 876 877 /* 878 * Clip a policy's min/max keybits vs. the capabilities of the 879 * algorithm. 880 */ 881 static void 882 act_alg_adjust(uint_t algtype, uint_t algid, 883 uint16_t *minbits, uint16_t *maxbits) 884 { 885 ipsec_alginfo_t *algp = ipsec_alglists[algtype][algid]; 886 if (algp != NULL) { 887 /* 888 * If passed-in minbits is zero, we assume the caller trusts 889 * us with setting the minimum key size. We pick the 890 * algorithms DEFAULT key size for the minimum in this case. 891 */ 892 if (*minbits == 0) { 893 *minbits = algp->alg_default_bits; 894 ASSERT(*minbits >= algp->alg_minbits); 895 } else { 896 *minbits = MAX(*minbits, algp->alg_minbits); 897 } 898 if (*maxbits == 0) 899 *maxbits = algp->alg_maxbits; 900 else 901 *maxbits = MIN(*maxbits, algp->alg_maxbits); 902 ASSERT(*minbits <= *maxbits); 903 } else { 904 *minbits = 0; 905 *maxbits = 0; 906 } 907 } 908 909 /* 910 * Check an action's requested algorithms against the algorithms currently 911 * loaded in the system. 912 */ 913 boolean_t 914 ipsec_check_action(ipsec_act_t *act, int *diag) 915 { 916 ipsec_prot_t *ipp; 917 918 ipp = &act->ipa_apply; 919 920 if (ipp->ipp_use_ah && 921 ipsec_alglists[IPSEC_ALG_AUTH][ipp->ipp_auth_alg] == NULL) { 922 *diag = SPD_DIAGNOSTIC_UNSUPP_AH_ALG; 923 return (B_FALSE); 924 } 925 if (ipp->ipp_use_espa && 926 ipsec_alglists[IPSEC_ALG_AUTH][ipp->ipp_esp_auth_alg] == NULL) { 927 *diag = SPD_DIAGNOSTIC_UNSUPP_ESP_AUTH_ALG; 928 return (B_FALSE); 929 } 930 if (ipp->ipp_use_esp && 931 ipsec_alglists[IPSEC_ALG_ENCR][ipp->ipp_encr_alg] == NULL) { 932 *diag = SPD_DIAGNOSTIC_UNSUPP_ESP_ENCR_ALG; 933 return (B_FALSE); 934 } 935 936 act_alg_adjust(IPSEC_ALG_AUTH, ipp->ipp_auth_alg, 937 &ipp->ipp_ah_minbits, &ipp->ipp_ah_maxbits); 938 act_alg_adjust(IPSEC_ALG_AUTH, ipp->ipp_esp_auth_alg, 939 &ipp->ipp_espa_minbits, &ipp->ipp_espa_maxbits); 940 act_alg_adjust(IPSEC_ALG_ENCR, ipp->ipp_encr_alg, 941 &ipp->ipp_espe_minbits, &ipp->ipp_espe_maxbits); 942 943 if (ipp->ipp_ah_minbits > ipp->ipp_ah_maxbits) { 944 *diag = SPD_DIAGNOSTIC_UNSUPP_AH_KEYSIZE; 945 return (B_FALSE); 946 } 947 if (ipp->ipp_espa_minbits > ipp->ipp_espa_maxbits) { 948 *diag = SPD_DIAGNOSTIC_UNSUPP_ESP_AUTH_KEYSIZE; 949 return (B_FALSE); 950 } 951 if (ipp->ipp_espe_minbits > ipp->ipp_espe_maxbits) { 952 *diag = SPD_DIAGNOSTIC_UNSUPP_ESP_ENCR_KEYSIZE; 953 return (B_FALSE); 954 } 955 /* TODO: sanity check lifetimes */ 956 return (B_TRUE); 957 } 958 959 /* 960 * Set up a single action during wildcard expansion.. 961 */ 962 static void 963 ipsec_setup_act(ipsec_act_t *outact, ipsec_act_t *act, 964 uint_t auth_alg, uint_t encr_alg, uint_t eauth_alg) 965 { 966 ipsec_prot_t *ipp; 967 968 *outact = *act; 969 ipp = &outact->ipa_apply; 970 ipp->ipp_auth_alg = (uint8_t)auth_alg; 971 ipp->ipp_encr_alg = (uint8_t)encr_alg; 972 ipp->ipp_esp_auth_alg = (uint8_t)eauth_alg; 973 974 act_alg_adjust(IPSEC_ALG_AUTH, auth_alg, 975 &ipp->ipp_ah_minbits, &ipp->ipp_ah_maxbits); 976 act_alg_adjust(IPSEC_ALG_AUTH, eauth_alg, 977 &ipp->ipp_espa_minbits, &ipp->ipp_espa_maxbits); 978 act_alg_adjust(IPSEC_ALG_ENCR, encr_alg, 979 &ipp->ipp_espe_minbits, &ipp->ipp_espe_maxbits); 980 } 981 982 /* 983 * combinatoric expansion time: expand a wildcarded action into an 984 * array of wildcarded actions; we return the exploded action list, 985 * and return a count in *nact (output only). 986 */ 987 static ipsec_act_t * 988 ipsec_act_wildcard_expand(ipsec_act_t *act, uint_t *nact) 989 { 990 boolean_t use_ah, use_esp, use_espa; 991 boolean_t wild_auth, wild_encr, wild_eauth; 992 uint_t auth_alg, auth_idx, auth_min, auth_max; 993 uint_t eauth_alg, eauth_idx, eauth_min, eauth_max; 994 uint_t encr_alg, encr_idx, encr_min, encr_max; 995 uint_t action_count, ai; 996 ipsec_act_t *outact; 997 998 if (act->ipa_type != IPSEC_ACT_APPLY) { 999 outact = kmem_alloc(sizeof (*act), KM_NOSLEEP); 1000 *nact = 1; 1001 if (outact != NULL) 1002 bcopy(act, outact, sizeof (*act)); 1003 return (outact); 1004 } 1005 /* 1006 * compute the combinatoric explosion.. 1007 * 1008 * we assume a request for encr if esp_req is PREF_REQUIRED 1009 * we assume a request for ah auth if ah_req is PREF_REQUIRED. 1010 * we assume a request for esp auth if !ah and esp_req is PREF_REQUIRED 1011 */ 1012 1013 use_ah = act->ipa_apply.ipp_use_ah; 1014 use_esp = act->ipa_apply.ipp_use_esp; 1015 use_espa = act->ipa_apply.ipp_use_espa; 1016 auth_alg = act->ipa_apply.ipp_auth_alg; 1017 eauth_alg = act->ipa_apply.ipp_esp_auth_alg; 1018 encr_alg = act->ipa_apply.ipp_encr_alg; 1019 1020 wild_auth = use_ah && (auth_alg == 0); 1021 wild_eauth = use_espa && (eauth_alg == 0); 1022 wild_encr = use_esp && (encr_alg == 0); 1023 1024 action_count = 1; 1025 auth_min = auth_max = auth_alg; 1026 eauth_min = eauth_max = eauth_alg; 1027 encr_min = encr_max = encr_alg; 1028 1029 /* 1030 * set up for explosion.. for each dimension, expand output 1031 * size by the explosion factor. 1032 * 1033 * Don't include the "any" algorithms, if defined, as no 1034 * kernel policies should be set for these algorithms. 1035 */ 1036 1037 #define SET_EXP_MINMAX(type, wild, alg, min, max) if (wild) { \ 1038 int nalgs = ipsec_nalgs[type]; \ 1039 if (ipsec_alglists[type][alg] != NULL) \ 1040 nalgs--; \ 1041 action_count *= nalgs; \ 1042 min = 0; \ 1043 max = ipsec_nalgs[type] - 1; \ 1044 } 1045 1046 SET_EXP_MINMAX(IPSEC_ALG_AUTH, wild_auth, SADB_AALG_NONE, 1047 auth_min, auth_max); 1048 SET_EXP_MINMAX(IPSEC_ALG_AUTH, wild_eauth, SADB_AALG_NONE, 1049 eauth_min, eauth_max); 1050 SET_EXP_MINMAX(IPSEC_ALG_ENCR, wild_encr, SADB_EALG_NONE, 1051 encr_min, encr_max); 1052 1053 #undef SET_EXP_MINMAX 1054 1055 /* 1056 * ok, allocate the whole mess.. 1057 */ 1058 1059 outact = kmem_alloc(sizeof (*outact) * action_count, KM_NOSLEEP); 1060 if (outact == NULL) 1061 return (NULL); 1062 1063 /* 1064 * Now compute all combinations. Note that non-wildcarded 1065 * dimensions just get a single value from auth_min, while 1066 * wildcarded dimensions indirect through the sortlist. 1067 * 1068 * We do encryption outermost since, at this time, there's 1069 * greater difference in security and performance between 1070 * encryption algorithms vs. authentication algorithms. 1071 */ 1072 1073 ai = 0; 1074 1075 #define WHICH_ALG(type, wild, idx) ((wild)?(ipsec_sortlist[type][idx]):(idx)) 1076 1077 for (encr_idx = encr_min; encr_idx <= encr_max; encr_idx++) { 1078 encr_alg = WHICH_ALG(IPSEC_ALG_ENCR, wild_encr, encr_idx); 1079 if (wild_encr && encr_alg == SADB_EALG_NONE) 1080 continue; 1081 for (auth_idx = auth_min; auth_idx <= auth_max; auth_idx++) { 1082 auth_alg = WHICH_ALG(IPSEC_ALG_AUTH, wild_auth, 1083 auth_idx); 1084 if (wild_auth && auth_alg == SADB_AALG_NONE) 1085 continue; 1086 for (eauth_idx = eauth_min; eauth_idx <= eauth_max; 1087 eauth_idx++) { 1088 eauth_alg = WHICH_ALG(IPSEC_ALG_AUTH, 1089 wild_eauth, eauth_idx); 1090 if (wild_eauth && eauth_alg == SADB_AALG_NONE) 1091 continue; 1092 1093 ipsec_setup_act(&outact[ai], act, 1094 auth_alg, encr_alg, eauth_alg); 1095 ai++; 1096 } 1097 } 1098 } 1099 1100 #undef WHICH_ALG 1101 1102 ASSERT(ai == action_count); 1103 *nact = action_count; 1104 return (outact); 1105 } 1106 1107 /* 1108 * Extract the parts of an ipsec_prot_t from an old-style ipsec_req_t. 1109 */ 1110 static void 1111 ipsec_prot_from_req(ipsec_req_t *req, ipsec_prot_t *ipp) 1112 { 1113 bzero(ipp, sizeof (*ipp)); 1114 /* 1115 * ipp_use_* are bitfields. Look at "!!" in the following as a 1116 * "boolean canonicalization" operator. 1117 */ 1118 ipp->ipp_use_ah = !!(req->ipsr_ah_req & IPSEC_PREF_REQUIRED); 1119 ipp->ipp_use_esp = !!(req->ipsr_esp_req & IPSEC_PREF_REQUIRED); 1120 ipp->ipp_use_espa = !!(req->ipsr_esp_auth_alg) || !ipp->ipp_use_ah; 1121 ipp->ipp_use_se = !!(req->ipsr_self_encap_req & IPSEC_PREF_REQUIRED); 1122 ipp->ipp_use_unique = !!((req->ipsr_ah_req|req->ipsr_esp_req) & 1123 IPSEC_PREF_UNIQUE); 1124 ipp->ipp_encr_alg = req->ipsr_esp_alg; 1125 ipp->ipp_auth_alg = req->ipsr_auth_alg; 1126 ipp->ipp_esp_auth_alg = req->ipsr_esp_auth_alg; 1127 } 1128 1129 /* 1130 * Extract a new-style action from a request. 1131 */ 1132 void 1133 ipsec_actvec_from_req(ipsec_req_t *req, ipsec_act_t **actp, uint_t *nactp) 1134 { 1135 struct ipsec_act act; 1136 bzero(&act, sizeof (act)); 1137 if ((req->ipsr_ah_req & IPSEC_PREF_NEVER) && 1138 (req->ipsr_esp_req & IPSEC_PREF_NEVER)) { 1139 act.ipa_type = IPSEC_ACT_BYPASS; 1140 } else { 1141 act.ipa_type = IPSEC_ACT_APPLY; 1142 ipsec_prot_from_req(req, &act.ipa_apply); 1143 } 1144 *actp = ipsec_act_wildcard_expand(&act, nactp); 1145 } 1146 1147 /* 1148 * Convert a new-style "prot" back to an ipsec_req_t (more backwards compat). 1149 * We assume caller has already zero'ed *req for us. 1150 */ 1151 static int 1152 ipsec_req_from_prot(ipsec_prot_t *ipp, ipsec_req_t *req) 1153 { 1154 req->ipsr_esp_alg = ipp->ipp_encr_alg; 1155 req->ipsr_auth_alg = ipp->ipp_auth_alg; 1156 req->ipsr_esp_auth_alg = ipp->ipp_esp_auth_alg; 1157 1158 if (ipp->ipp_use_unique) { 1159 req->ipsr_ah_req |= IPSEC_PREF_UNIQUE; 1160 req->ipsr_esp_req |= IPSEC_PREF_UNIQUE; 1161 } 1162 if (ipp->ipp_use_se) 1163 req->ipsr_self_encap_req |= IPSEC_PREF_REQUIRED; 1164 if (ipp->ipp_use_ah) 1165 req->ipsr_ah_req |= IPSEC_PREF_REQUIRED; 1166 if (ipp->ipp_use_esp) 1167 req->ipsr_esp_req |= IPSEC_PREF_REQUIRED; 1168 return (sizeof (*req)); 1169 } 1170 1171 /* 1172 * Convert a new-style action back to an ipsec_req_t (more backwards compat). 1173 * We assume caller has already zero'ed *req for us. 1174 */ 1175 static int 1176 ipsec_req_from_act(ipsec_action_t *ap, ipsec_req_t *req) 1177 { 1178 switch (ap->ipa_act.ipa_type) { 1179 case IPSEC_ACT_BYPASS: 1180 req->ipsr_ah_req = IPSEC_PREF_NEVER; 1181 req->ipsr_esp_req = IPSEC_PREF_NEVER; 1182 return (sizeof (*req)); 1183 case IPSEC_ACT_APPLY: 1184 return (ipsec_req_from_prot(&ap->ipa_act.ipa_apply, req)); 1185 } 1186 return (sizeof (*req)); 1187 } 1188 1189 /* 1190 * Convert a new-style action back to an ipsec_req_t (more backwards compat). 1191 * We assume caller has already zero'ed *req for us. 1192 */ 1193 static int 1194 ipsec_req_from_head(ipsec_policy_head_t *ph, ipsec_req_t *req, int af) 1195 { 1196 ipsec_policy_t *p; 1197 1198 /* 1199 * FULL-PERSOCK: consult hash table, too? 1200 */ 1201 for (p = ph->iph_root[IPSEC_INBOUND].ipr_nonhash[af]; 1202 p != NULL; 1203 p = p->ipsp_hash.hash_next) { 1204 if ((p->ipsp_sel->ipsl_key.ipsl_valid&IPSL_WILDCARD) == 0) 1205 return (ipsec_req_from_act(p->ipsp_act, req)); 1206 } 1207 return (sizeof (*req)); 1208 } 1209 1210 /* 1211 * Based on per-socket or latched policy, convert to an appropriate 1212 * IP_SEC_OPT ipsec_req_t for the socket option; return size so we can 1213 * be tail-called from ip. 1214 */ 1215 int 1216 ipsec_req_from_conn(conn_t *connp, ipsec_req_t *req, int af) 1217 { 1218 ipsec_latch_t *ipl; 1219 int rv = sizeof (ipsec_req_t); 1220 1221 bzero(req, sizeof (*req)); 1222 1223 mutex_enter(&connp->conn_lock); 1224 ipl = connp->conn_latch; 1225 1226 /* 1227 * Find appropriate policy. First choice is latched action; 1228 * failing that, see latched policy; failing that, 1229 * look at configured policy. 1230 */ 1231 if (ipl != NULL) { 1232 if (ipl->ipl_in_action != NULL) { 1233 rv = ipsec_req_from_act(ipl->ipl_in_action, req); 1234 goto done; 1235 } 1236 if (ipl->ipl_in_policy != NULL) { 1237 rv = ipsec_req_from_act(ipl->ipl_in_policy->ipsp_act, 1238 req); 1239 goto done; 1240 } 1241 } 1242 if (connp->conn_policy != NULL) 1243 rv = ipsec_req_from_head(connp->conn_policy, req, af); 1244 done: 1245 mutex_exit(&connp->conn_lock); 1246 return (rv); 1247 } 1248 1249 void 1250 ipsec_actvec_free(ipsec_act_t *act, uint_t nact) 1251 { 1252 kmem_free(act, nact * sizeof (*act)); 1253 } 1254 1255 /* 1256 * When outbound policy is not cached, look it up the hard way and attach 1257 * an ipsec_out_t to the packet.. 1258 */ 1259 static mblk_t * 1260 ipsec_attach_global_policy(mblk_t *mp, conn_t *connp, ipsec_selector_t *sel) 1261 { 1262 ipsec_policy_t *p; 1263 1264 p = ipsec_find_policy(IPSEC_TYPE_OUTBOUND, connp, NULL, sel); 1265 1266 if (p == NULL) 1267 return (NULL); 1268 return (ipsec_attach_ipsec_out(mp, connp, p, sel->ips_protocol)); 1269 } 1270 1271 /* 1272 * We have an ipsec_out already, but don't have cached policy; fill it in 1273 * with the right actions. 1274 */ 1275 static mblk_t * 1276 ipsec_apply_global_policy(mblk_t *ipsec_mp, conn_t *connp, 1277 ipsec_selector_t *sel) 1278 { 1279 ipsec_out_t *io; 1280 ipsec_policy_t *p; 1281 1282 ASSERT(ipsec_mp->b_datap->db_type == M_CTL); 1283 ASSERT(ipsec_mp->b_cont->b_datap->db_type == M_DATA); 1284 1285 io = (ipsec_out_t *)ipsec_mp->b_rptr; 1286 1287 if (io->ipsec_out_policy == NULL) { 1288 p = ipsec_find_policy(IPSEC_TYPE_OUTBOUND, connp, io, sel); 1289 io->ipsec_out_policy = p; 1290 } 1291 return (ipsec_mp); 1292 } 1293 1294 1295 /* ARGSUSED */ 1296 /* 1297 * Consumes a reference to ipsp. 1298 */ 1299 static mblk_t * 1300 ipsec_check_loopback_policy(queue_t *q, mblk_t *first_mp, 1301 boolean_t mctl_present, ipsec_policy_t *ipsp) 1302 { 1303 mblk_t *ipsec_mp; 1304 ipsec_in_t *ii; 1305 1306 if (!mctl_present) 1307 return (first_mp); 1308 1309 ipsec_mp = first_mp; 1310 1311 ii = (ipsec_in_t *)ipsec_mp->b_rptr; 1312 ASSERT(ii->ipsec_in_loopback); 1313 IPPOL_REFRELE(ipsp); 1314 1315 /* 1316 * We should do an actual policy check here. Revisit this 1317 * when we revisit the IPsec API. 1318 */ 1319 1320 return (first_mp); 1321 } 1322 1323 /* 1324 * Check that packet's inbound ports & proto match the selectors 1325 * expected by the SAs it traversed on the way in. 1326 */ 1327 static boolean_t 1328 ipsec_check_ipsecin_unique(ipsec_in_t *ii, mblk_t *mp, 1329 ipha_t *ipha, ip6_t *ip6h, 1330 const char **reason, kstat_named_t **counter) 1331 { 1332 uint64_t pkt_unique, ah_mask, esp_mask; 1333 ipsa_t *ah_assoc; 1334 ipsa_t *esp_assoc; 1335 ipsec_selector_t sel; 1336 1337 ASSERT(ii->ipsec_in_secure); 1338 ASSERT(!ii->ipsec_in_loopback); 1339 1340 ah_assoc = ii->ipsec_in_ah_sa; 1341 esp_assoc = ii->ipsec_in_esp_sa; 1342 ASSERT((ah_assoc != NULL) || (esp_assoc != NULL)); 1343 1344 ah_mask = (ah_assoc != NULL) ? ah_assoc->ipsa_unique_mask : 0; 1345 esp_mask = (esp_assoc != NULL) ? esp_assoc->ipsa_unique_mask : 0; 1346 1347 if ((ah_mask == 0) && (esp_mask == 0)) 1348 return (B_TRUE); 1349 1350 if (!ipsec_init_inbound_sel(&sel, mp, ipha, ip6h)) { 1351 /* 1352 * Technically not a policy mismatch, but it is 1353 * an internal failure. 1354 */ 1355 *reason = "ipsec_init_inbound_sel"; 1356 *counter = &ipdrops_spd_nomem; 1357 return (B_FALSE); 1358 } 1359 1360 pkt_unique = SA_UNIQUE_ID(sel.ips_remote_port, sel.ips_local_port, 1361 sel.ips_protocol); 1362 1363 if (ah_mask != 0) { 1364 if (ah_assoc->ipsa_unique_id != (pkt_unique & ah_mask)) { 1365 *reason = "AH inner header mismatch"; 1366 *counter = &ipdrops_spd_ah_innermismatch; 1367 return (B_FALSE); 1368 } 1369 } 1370 if (esp_mask != 0) { 1371 if (esp_assoc->ipsa_unique_id != (pkt_unique & esp_mask)) { 1372 *reason = "ESP inner header mismatch"; 1373 *counter = &ipdrops_spd_esp_innermismatch; 1374 return (B_FALSE); 1375 } 1376 } 1377 return (B_TRUE); 1378 } 1379 1380 static boolean_t 1381 ipsec_check_ipsecin_action(ipsec_in_t *ii, mblk_t *mp, ipsec_action_t *ap, 1382 ipha_t *ipha, ip6_t *ip6h, const char **reason, kstat_named_t **counter) 1383 { 1384 boolean_t ret = B_TRUE; 1385 ipsec_prot_t *ipp; 1386 ipsa_t *ah_assoc; 1387 ipsa_t *esp_assoc; 1388 boolean_t decaps; 1389 1390 ASSERT((ipha == NULL && ip6h != NULL) || 1391 (ip6h == NULL && ipha != NULL)); 1392 1393 if (ii->ipsec_in_loopback) { 1394 /* 1395 * Besides accepting pointer-equivalent actions, we also 1396 * accept any ICMP errors we generated for ourselves, 1397 * regardless of policy. If we do not wish to make this 1398 * assumption in the future, check here, and where 1399 * icmp_loopback is initialized in ip.c and ip6.c. (Look for 1400 * ipsec_out_icmp_loopback.) 1401 */ 1402 if (ap == ii->ipsec_in_action || ii->ipsec_in_icmp_loopback) 1403 return (B_TRUE); 1404 1405 /* Deep compare necessary here?? */ 1406 *counter = &ipdrops_spd_loopback_mismatch; 1407 *reason = "loopback policy mismatch"; 1408 return (B_FALSE); 1409 } 1410 ASSERT(!ii->ipsec_in_icmp_loopback); 1411 1412 ah_assoc = ii->ipsec_in_ah_sa; 1413 esp_assoc = ii->ipsec_in_esp_sa; 1414 1415 decaps = ii->ipsec_in_decaps; 1416 1417 switch (ap->ipa_act.ipa_type) { 1418 case IPSEC_ACT_DISCARD: 1419 case IPSEC_ACT_REJECT: 1420 /* Should "fail hard" */ 1421 *counter = &ipdrops_spd_explicit; 1422 *reason = "blocked by policy"; 1423 return (B_FALSE); 1424 1425 case IPSEC_ACT_BYPASS: 1426 case IPSEC_ACT_CLEAR: 1427 *counter = &ipdrops_spd_got_secure; 1428 *reason = "expected clear, got protected"; 1429 return (B_FALSE); 1430 1431 case IPSEC_ACT_APPLY: 1432 ipp = &ap->ipa_act.ipa_apply; 1433 /* 1434 * As of now we do the simple checks of whether 1435 * the datagram has gone through the required IPSEC 1436 * protocol constraints or not. We might have more 1437 * in the future like sensitive levels, key bits, etc. 1438 * If it fails the constraints, check whether we would 1439 * have accepted this if it had come in clear. 1440 */ 1441 if (ipp->ipp_use_ah) { 1442 if (ah_assoc == NULL) { 1443 ret = ipsec_inbound_accept_clear(mp, ipha, 1444 ip6h); 1445 *counter = &ipdrops_spd_got_clear; 1446 *reason = "unprotected not accepted"; 1447 break; 1448 } 1449 ASSERT(ah_assoc != NULL); 1450 ASSERT(ipp->ipp_auth_alg != 0); 1451 1452 if (ah_assoc->ipsa_auth_alg != 1453 ipp->ipp_auth_alg) { 1454 *counter = &ipdrops_spd_bad_ahalg; 1455 *reason = "unacceptable ah alg"; 1456 ret = B_FALSE; 1457 break; 1458 } 1459 } else if (ah_assoc != NULL) { 1460 /* 1461 * Don't allow this. Check IPSEC NOTE above 1462 * ip_fanout_proto(). 1463 */ 1464 *counter = &ipdrops_spd_got_ah; 1465 *reason = "unexpected AH"; 1466 ret = B_FALSE; 1467 break; 1468 } 1469 if (ipp->ipp_use_esp) { 1470 if (esp_assoc == NULL) { 1471 ret = ipsec_inbound_accept_clear(mp, ipha, 1472 ip6h); 1473 *counter = &ipdrops_spd_got_clear; 1474 *reason = "unprotected not accepted"; 1475 break; 1476 } 1477 ASSERT(esp_assoc != NULL); 1478 ASSERT(ipp->ipp_encr_alg != 0); 1479 1480 if (esp_assoc->ipsa_encr_alg != 1481 ipp->ipp_encr_alg) { 1482 *counter = &ipdrops_spd_bad_espealg; 1483 *reason = "unacceptable esp alg"; 1484 ret = B_FALSE; 1485 break; 1486 } 1487 /* 1488 * If the client does not need authentication, 1489 * we don't verify the alogrithm. 1490 */ 1491 if (ipp->ipp_use_espa) { 1492 if (esp_assoc->ipsa_auth_alg != 1493 ipp->ipp_esp_auth_alg) { 1494 *counter = &ipdrops_spd_bad_espaalg; 1495 *reason = "unacceptable esp auth alg"; 1496 ret = B_FALSE; 1497 break; 1498 } 1499 } 1500 } else if (esp_assoc != NULL) { 1501 /* 1502 * Don't allow this. Check IPSEC NOTE above 1503 * ip_fanout_proto(). 1504 */ 1505 *counter = &ipdrops_spd_got_esp; 1506 *reason = "unexpected ESP"; 1507 ret = B_FALSE; 1508 break; 1509 } 1510 if (ipp->ipp_use_se) { 1511 if (!decaps) { 1512 ret = ipsec_inbound_accept_clear(mp, ipha, 1513 ip6h); 1514 if (!ret) { 1515 /* XXX mutant? */ 1516 *counter = &ipdrops_spd_bad_selfencap; 1517 *reason = "self encap not found"; 1518 break; 1519 } 1520 } 1521 } else if (decaps) { 1522 /* 1523 * XXX If the packet comes in tunneled and the 1524 * recipient does not expect it to be tunneled, it 1525 * is okay. But we drop to be consistent with the 1526 * other cases. 1527 */ 1528 *counter = &ipdrops_spd_got_selfencap; 1529 *reason = "unexpected self encap"; 1530 ret = B_FALSE; 1531 break; 1532 } 1533 if (ii->ipsec_in_action != NULL) { 1534 /* 1535 * This can happen if we do a double policy-check on 1536 * a packet 1537 * XXX XXX should fix this case! 1538 */ 1539 IPACT_REFRELE(ii->ipsec_in_action); 1540 } 1541 ASSERT(ii->ipsec_in_action == NULL); 1542 IPACT_REFHOLD(ap); 1543 ii->ipsec_in_action = ap; 1544 break; /* from switch */ 1545 } 1546 return (ret); 1547 } 1548 1549 static boolean_t 1550 spd_match_inbound_ids(ipsec_latch_t *ipl, ipsa_t *sa) 1551 { 1552 ASSERT(ipl->ipl_ids_latched == B_TRUE); 1553 return ipsid_equal(ipl->ipl_remote_cid, sa->ipsa_src_cid) && 1554 ipsid_equal(ipl->ipl_local_cid, sa->ipsa_dst_cid); 1555 } 1556 1557 /* 1558 * Called to check policy on a latched connection, both from this file 1559 * and from tcp.c 1560 */ 1561 boolean_t 1562 ipsec_check_ipsecin_latch(ipsec_in_t *ii, mblk_t *mp, ipsec_latch_t *ipl, 1563 ipha_t *ipha, ip6_t *ip6h, const char **reason, kstat_named_t **counter) 1564 { 1565 ASSERT(ipl->ipl_ids_latched == B_TRUE); 1566 1567 if (!ii->ipsec_in_loopback) { 1568 /* 1569 * Over loopback, there aren't real security associations, 1570 * so there are neither identities nor "unique" values 1571 * for us to check the packet against. 1572 */ 1573 if ((ii->ipsec_in_ah_sa != NULL) && 1574 (!spd_match_inbound_ids(ipl, ii->ipsec_in_ah_sa))) { 1575 *counter = &ipdrops_spd_ah_badid; 1576 *reason = "AH identity mismatch"; 1577 return (B_FALSE); 1578 } 1579 1580 if ((ii->ipsec_in_esp_sa != NULL) && 1581 (!spd_match_inbound_ids(ipl, ii->ipsec_in_esp_sa))) { 1582 *counter = &ipdrops_spd_esp_badid; 1583 *reason = "ESP identity mismatch"; 1584 return (B_FALSE); 1585 } 1586 1587 if (!ipsec_check_ipsecin_unique(ii, mp, ipha, ip6h, reason, 1588 counter)) { 1589 return (B_FALSE); 1590 } 1591 } 1592 1593 return (ipsec_check_ipsecin_action(ii, mp, ipl->ipl_in_action, 1594 ipha, ip6h, reason, counter)); 1595 } 1596 1597 /* 1598 * Check to see whether this secured datagram meets the policy 1599 * constraints specified in ipsp. 1600 * 1601 * Called from ipsec_check_global_policy, and ipsec_check_inbound_policy. 1602 * 1603 * Consumes a reference to ipsp. 1604 */ 1605 static mblk_t * 1606 ipsec_check_ipsecin_policy(queue_t *q, mblk_t *first_mp, ipsec_policy_t *ipsp, 1607 ipha_t *ipha, ip6_t *ip6h) 1608 { 1609 ipsec_in_t *ii; 1610 ipsec_action_t *ap; 1611 const char *reason = "no policy actions found"; 1612 mblk_t *data_mp, *ipsec_mp; 1613 short mid = 0; 1614 kstat_named_t *counter = &ipdrops_spd_got_secure; 1615 1616 data_mp = first_mp->b_cont; 1617 ipsec_mp = first_mp; 1618 1619 ASSERT(ipsp != NULL); 1620 1621 ASSERT((ipha == NULL && ip6h != NULL) || 1622 (ip6h == NULL && ipha != NULL)); 1623 1624 ii = (ipsec_in_t *)ipsec_mp->b_rptr; 1625 1626 if (ii->ipsec_in_loopback) 1627 return (ipsec_check_loopback_policy(q, first_mp, B_TRUE, ipsp)); 1628 ASSERT(ii->ipsec_in_type == IPSEC_IN); 1629 ASSERT(ii->ipsec_in_secure); 1630 1631 if (ii->ipsec_in_action != NULL) { 1632 /* 1633 * this can happen if we do a double policy-check on a packet 1634 * Would be nice to be able to delete this test.. 1635 */ 1636 IPACT_REFRELE(ii->ipsec_in_action); 1637 } 1638 ASSERT(ii->ipsec_in_action == NULL); 1639 1640 if (!SA_IDS_MATCH(ii->ipsec_in_ah_sa, ii->ipsec_in_esp_sa)) { 1641 reason = "inbound AH and ESP identities differ"; 1642 counter = &ipdrops_spd_ahesp_diffid; 1643 goto drop; 1644 } 1645 1646 if (!ipsec_check_ipsecin_unique(ii, data_mp, ipha, ip6h, 1647 &reason, &counter)) 1648 goto drop; 1649 1650 /* 1651 * Ok, now loop through the possible actions and see if any 1652 * of them work for us. 1653 */ 1654 1655 for (ap = ipsp->ipsp_act; ap != NULL; ap = ap->ipa_next) { 1656 if (ipsec_check_ipsecin_action(ii, data_mp, ap, 1657 ipha, ip6h, &reason, &counter)) { 1658 BUMP_MIB(&ip_mib, ipsecInSucceeded); 1659 IPPOL_REFRELE(ipsp); 1660 return (first_mp); 1661 } 1662 } 1663 drop: 1664 if (q != NULL) { 1665 mid = q->q_qinfo->qi_minfo->mi_idnum; 1666 } 1667 ipsec_rl_strlog(mid, 0, 0, SL_ERROR|SL_WARN|SL_CONSOLE, 1668 "ipsec inbound policy mismatch: %s, packet dropped\n", 1669 reason); 1670 IPPOL_REFRELE(ipsp); 1671 ASSERT(ii->ipsec_in_action == NULL); 1672 BUMP_MIB(&ip_mib, ipsecInFailed); 1673 ip_drop_packet(first_mp, B_TRUE, NULL, NULL, counter, &spd_dropper); 1674 return (NULL); 1675 } 1676 1677 /* 1678 * sleazy prefix-length-based compare. 1679 * another inlining candidate.. 1680 */ 1681 static boolean_t 1682 ip_addr_match(uint8_t *addr1, int pfxlen, in6_addr_t *addr2p) 1683 { 1684 int offset = pfxlen>>3; 1685 int bitsleft = pfxlen & 7; 1686 uint8_t *addr2 = (uint8_t *)addr2p; 1687 1688 /* 1689 * and there was much evil.. 1690 * XXX should inline-expand the bcmp here and do this 32 bits 1691 * or 64 bits at a time.. 1692 */ 1693 return ((bcmp(addr1, addr2, offset) == 0) && 1694 ((bitsleft == 0) || 1695 (((addr1[offset] ^ addr2[offset]) & 1696 (0xff<<(8-bitsleft))) == 0))); 1697 } 1698 1699 static ipsec_policy_t * 1700 ipsec_find_policy_chain(ipsec_policy_t *best, ipsec_policy_t *chain, 1701 ipsec_selector_t *sel, boolean_t is_icmp_inv_acq) 1702 { 1703 ipsec_selkey_t *isel; 1704 ipsec_policy_t *p; 1705 int bpri = best ? best->ipsp_prio : 0; 1706 1707 for (p = chain; p != NULL; p = p->ipsp_hash.hash_next) { 1708 uint32_t valid; 1709 1710 if (p->ipsp_prio <= bpri) 1711 continue; 1712 isel = &p->ipsp_sel->ipsl_key; 1713 valid = isel->ipsl_valid; 1714 1715 if ((valid & IPSL_PROTOCOL) && 1716 (isel->ipsl_proto != sel->ips_protocol)) 1717 continue; 1718 1719 if ((valid & IPSL_REMOTE_ADDR) && 1720 !ip_addr_match((uint8_t *)&isel->ipsl_remote, 1721 isel->ipsl_remote_pfxlen, 1722 &sel->ips_remote_addr_v6)) 1723 continue; 1724 1725 if ((valid & IPSL_LOCAL_ADDR) && 1726 !ip_addr_match((uint8_t *)&isel->ipsl_local, 1727 isel->ipsl_local_pfxlen, 1728 &sel->ips_local_addr_v6)) 1729 continue; 1730 1731 if ((valid & IPSL_REMOTE_PORT) && 1732 isel->ipsl_rport != sel->ips_remote_port) 1733 continue; 1734 1735 if ((valid & IPSL_LOCAL_PORT) && 1736 isel->ipsl_lport != sel->ips_local_port) 1737 continue; 1738 1739 if (!is_icmp_inv_acq) { 1740 if ((valid & IPSL_ICMP_TYPE) && 1741 (isel->ipsl_icmp_type > sel->ips_icmp_type || 1742 isel->ipsl_icmp_type_end < sel->ips_icmp_type)) { 1743 continue; 1744 } 1745 1746 if ((valid & IPSL_ICMP_CODE) && 1747 (isel->ipsl_icmp_code > sel->ips_icmp_code || 1748 isel->ipsl_icmp_code_end < 1749 sel->ips_icmp_code)) { 1750 continue; 1751 } 1752 } else { 1753 /* 1754 * special case for icmp inverse acquire 1755 * we only want policies that aren't drop/pass 1756 */ 1757 if (p->ipsp_act->ipa_act.ipa_type != IPSEC_ACT_APPLY) 1758 continue; 1759 } 1760 1761 /* we matched all the packet-port-field selectors! */ 1762 best = p; 1763 bpri = p->ipsp_prio; 1764 } 1765 1766 return (best); 1767 } 1768 1769 /* 1770 * Try to find and return the best policy entry under a given policy 1771 * root for a given set of selectors; the first parameter "best" is 1772 * the current best policy so far. If "best" is non-null, we have a 1773 * reference to it. We return a reference to a policy; if that policy 1774 * is not the original "best", we need to release that reference 1775 * before returning. 1776 */ 1777 static ipsec_policy_t * 1778 ipsec_find_policy_head(ipsec_policy_t *best, 1779 ipsec_policy_head_t *head, int direction, ipsec_selector_t *sel, 1780 int selhash) 1781 { 1782 ipsec_policy_t *curbest; 1783 ipsec_policy_root_t *root; 1784 uint8_t is_icmp_inv_acq = sel->ips_is_icmp_inv_acq; 1785 int af = sel->ips_isv4 ? IPSEC_AF_V4 : IPSEC_AF_V6; 1786 1787 curbest = best; 1788 root = &head->iph_root[direction]; 1789 1790 #ifdef DEBUG 1791 if (is_icmp_inv_acq) { 1792 if (sel->ips_isv4) { 1793 if (sel->ips_protocol != IPPROTO_ICMP) { 1794 cmn_err(CE_WARN, "ipsec_find_policy_head:" 1795 " expecting icmp, got %d", sel->ips_protocol); 1796 } 1797 } else { 1798 if (sel->ips_protocol != IPPROTO_ICMPV6) { 1799 cmn_err(CE_WARN, "ipsec_find_policy_head:" 1800 " expecting icmpv6, got %d", sel->ips_protocol); 1801 } 1802 } 1803 } 1804 #endif 1805 1806 rw_enter(&head->iph_lock, RW_READER); 1807 1808 if (root->ipr_nchains > 0) { 1809 curbest = ipsec_find_policy_chain(curbest, 1810 root->ipr_hash[selhash].hash_head, sel, is_icmp_inv_acq); 1811 } 1812 curbest = ipsec_find_policy_chain(curbest, root->ipr_nonhash[af], sel, 1813 is_icmp_inv_acq); 1814 1815 /* 1816 * Adjust reference counts if we found anything new. 1817 */ 1818 if (curbest != best) { 1819 ASSERT(curbest != NULL); 1820 IPPOL_REFHOLD(curbest); 1821 1822 if (best != NULL) { 1823 IPPOL_REFRELE(best); 1824 } 1825 } 1826 1827 rw_exit(&head->iph_lock); 1828 1829 return (curbest); 1830 } 1831 1832 /* 1833 * Find the best system policy (either global or per-interface) which 1834 * applies to the given selector; look in all the relevant policy roots 1835 * to figure out which policy wins. 1836 * 1837 * Returns a reference to a policy; caller must release this 1838 * reference when done. 1839 */ 1840 ipsec_policy_t * 1841 ipsec_find_policy(int direction, conn_t *connp, ipsec_out_t *io, 1842 ipsec_selector_t *sel) 1843 { 1844 ipsec_policy_t *p; 1845 int selhash = selector_hash(sel); 1846 1847 p = ipsec_find_policy_head(NULL, &system_policy, direction, sel, 1848 selhash); 1849 if ((connp != NULL) && (connp->conn_policy != NULL)) { 1850 p = ipsec_find_policy_head(p, connp->conn_policy, 1851 direction, sel, selhash); 1852 } else if ((io != NULL) && (io->ipsec_out_polhead != NULL)) { 1853 p = ipsec_find_policy_head(p, io->ipsec_out_polhead, 1854 direction, sel, selhash); 1855 } 1856 1857 return (p); 1858 } 1859 1860 /* 1861 * Check with global policy and see whether this inbound 1862 * packet meets the policy constraints. 1863 * 1864 * Locate appropriate policy from global policy, supplemented by the 1865 * conn's configured and/or cached policy if the conn is supplied. 1866 * 1867 * Dispatch to ipsec_check_ipsecin_policy if we have policy and an 1868 * encrypted packet to see if they match. 1869 * 1870 * Otherwise, see if the policy allows cleartext; if not, drop it on the 1871 * floor. 1872 */ 1873 mblk_t * 1874 ipsec_check_global_policy(mblk_t *first_mp, conn_t *connp, 1875 ipha_t *ipha, ip6_t *ip6h, boolean_t mctl_present) 1876 { 1877 ipsec_policy_t *p; 1878 ipsec_selector_t sel; 1879 queue_t *q = NULL; 1880 mblk_t *data_mp, *ipsec_mp; 1881 boolean_t policy_present; 1882 kstat_named_t *counter; 1883 ipsec_in_t *ii = NULL; 1884 1885 data_mp = mctl_present ? first_mp->b_cont : first_mp; 1886 ipsec_mp = mctl_present ? first_mp : NULL; 1887 1888 sel.ips_is_icmp_inv_acq = 0; 1889 1890 ASSERT((ipha == NULL && ip6h != NULL) || 1891 (ip6h == NULL && ipha != NULL)); 1892 1893 if (ipha != NULL) 1894 policy_present = ipsec_inbound_v4_policy_present; 1895 else 1896 policy_present = ipsec_inbound_v6_policy_present; 1897 1898 if (!policy_present && connp == NULL) { 1899 /* 1900 * No global policy and no per-socket policy; 1901 * just pass it back (but we shouldn't get here in that case) 1902 */ 1903 return (first_mp); 1904 } 1905 1906 if (connp != NULL) 1907 q = CONNP_TO_WQ(connp); 1908 1909 if (ipsec_mp != NULL) { 1910 ASSERT(ipsec_mp->b_datap->db_type == M_CTL); 1911 ii = (ipsec_in_t *)(ipsec_mp->b_rptr); 1912 ASSERT(ii->ipsec_in_type == IPSEC_IN); 1913 } 1914 1915 /* 1916 * If we have cached policy, use it. 1917 * Otherwise consult system policy. 1918 */ 1919 if ((connp != NULL) && (connp->conn_latch != NULL)) { 1920 p = connp->conn_latch->ipl_in_policy; 1921 if (p != NULL) { 1922 IPPOL_REFHOLD(p); 1923 } 1924 } else { 1925 /* Initialize the ports in the selector */ 1926 if (!ipsec_init_inbound_sel(&sel, data_mp, ipha, ip6h)) { 1927 /* 1928 * Technically not a policy mismatch, but it is 1929 * an internal failure. 1930 */ 1931 ipsec_log_policy_failure(q, IPSEC_POLICY_MISMATCH, 1932 "ipsec_init_inbound_sel", ipha, ip6h, B_FALSE); 1933 counter = &ipdrops_spd_nomem; 1934 goto fail; 1935 } 1936 1937 /* 1938 * Find the policy which best applies. 1939 * 1940 * If we find global policy, we should look at both 1941 * local policy and global policy and see which is 1942 * stronger and match accordingly. 1943 * 1944 * If we don't find a global policy, check with 1945 * local policy alone. 1946 */ 1947 1948 p = ipsec_find_policy(IPSEC_TYPE_INBOUND, connp, NULL, &sel); 1949 } 1950 1951 if (p == NULL) { 1952 if (ipsec_mp == NULL) { 1953 /* 1954 * We have no policy; default to succeeding. 1955 * XXX paranoid system design doesn't do this. 1956 */ 1957 BUMP_MIB(&ip_mib, ipsecInSucceeded); 1958 return (first_mp); 1959 } else { 1960 counter = &ipdrops_spd_got_secure; 1961 ipsec_log_policy_failure(q, IPSEC_POLICY_NOT_NEEDED, 1962 "ipsec_check_global_policy", ipha, ip6h, B_TRUE); 1963 goto fail; 1964 } 1965 } 1966 if ((ii != NULL) && (ii->ipsec_in_secure)) 1967 return (ipsec_check_ipsecin_policy(q, ipsec_mp, p, ipha, ip6h)); 1968 if (p->ipsp_act->ipa_allow_clear) { 1969 BUMP_MIB(&ip_mib, ipsecInSucceeded); 1970 IPPOL_REFRELE(p); 1971 return (first_mp); 1972 } 1973 IPPOL_REFRELE(p); 1974 /* 1975 * If we reach here, we will drop the packet because it failed the 1976 * global policy check because the packet was cleartext, and it 1977 * should not have been. 1978 */ 1979 ipsec_log_policy_failure(q, IPSEC_POLICY_MISMATCH, 1980 "ipsec_check_global_policy", ipha, ip6h, B_FALSE); 1981 counter = &ipdrops_spd_got_clear; 1982 1983 fail: 1984 ip_drop_packet(first_mp, B_TRUE, NULL, NULL, counter, &spd_dropper); 1985 BUMP_MIB(&ip_mib, ipsecInFailed); 1986 return (NULL); 1987 } 1988 1989 /* 1990 * We check whether an inbound datagram is a valid one 1991 * to accept in clear. If it is secure, it is the job 1992 * of IPSEC to log information appropriately if it 1993 * suspects that it may not be the real one. 1994 * 1995 * It is called only while fanning out to the ULP 1996 * where ULP accepts only secure data and the incoming 1997 * is clear. Usually we never accept clear datagrams in 1998 * such cases. ICMP is the only exception. 1999 * 2000 * NOTE : We don't call this function if the client (ULP) 2001 * is willing to accept things in clear. 2002 */ 2003 boolean_t 2004 ipsec_inbound_accept_clear(mblk_t *mp, ipha_t *ipha, ip6_t *ip6h) 2005 { 2006 ushort_t iph_hdr_length; 2007 icmph_t *icmph; 2008 icmp6_t *icmp6; 2009 uint8_t *nexthdrp; 2010 2011 ASSERT((ipha != NULL && ip6h == NULL) || 2012 (ipha == NULL && ip6h != NULL)); 2013 2014 if (ip6h != NULL) { 2015 iph_hdr_length = ip_hdr_length_v6(mp, ip6h); 2016 if (!ip_hdr_length_nexthdr_v6(mp, ip6h, &iph_hdr_length, 2017 &nexthdrp)) { 2018 return (B_FALSE); 2019 } 2020 if (*nexthdrp != IPPROTO_ICMPV6) 2021 return (B_FALSE); 2022 icmp6 = (icmp6_t *)(&mp->b_rptr[iph_hdr_length]); 2023 /* Match IPv6 ICMP policy as closely as IPv4 as possible. */ 2024 switch (icmp6->icmp6_type) { 2025 case ICMP6_PARAM_PROB: 2026 /* Corresponds to port/proto unreach in IPv4. */ 2027 case ICMP6_ECHO_REQUEST: 2028 /* Just like IPv4. */ 2029 return (B_FALSE); 2030 2031 case MLD_LISTENER_QUERY: 2032 case MLD_LISTENER_REPORT: 2033 case MLD_LISTENER_REDUCTION: 2034 /* 2035 * XXX Seperate NDD in IPv4 what about here? 2036 * Plus, mcast is important to ND. 2037 */ 2038 case ICMP6_DST_UNREACH: 2039 /* Corresponds to HOST/NET unreachable in IPv4. */ 2040 case ICMP6_PACKET_TOO_BIG: 2041 case ICMP6_ECHO_REPLY: 2042 /* These are trusted in IPv4. */ 2043 case ND_ROUTER_SOLICIT: 2044 case ND_ROUTER_ADVERT: 2045 case ND_NEIGHBOR_SOLICIT: 2046 case ND_NEIGHBOR_ADVERT: 2047 case ND_REDIRECT: 2048 /* Trust ND messages for now. */ 2049 case ICMP6_TIME_EXCEEDED: 2050 default: 2051 return (B_TRUE); 2052 } 2053 } else { 2054 /* 2055 * If it is not ICMP, fail this request. 2056 */ 2057 if (ipha->ipha_protocol != IPPROTO_ICMP) 2058 return (B_FALSE); 2059 iph_hdr_length = IPH_HDR_LENGTH(ipha); 2060 icmph = (icmph_t *)&mp->b_rptr[iph_hdr_length]; 2061 /* 2062 * It is an insecure icmp message. Check to see whether we are 2063 * willing to accept this one. 2064 */ 2065 2066 switch (icmph->icmph_type) { 2067 case ICMP_ECHO_REPLY: 2068 case ICMP_TIME_STAMP_REPLY: 2069 case ICMP_INFO_REPLY: 2070 case ICMP_ROUTER_ADVERTISEMENT: 2071 /* 2072 * We should not encourage clear replies if this 2073 * client expects secure. If somebody is replying 2074 * in clear some mailicious user watching both the 2075 * request and reply, can do chosen-plain-text attacks. 2076 * With global policy we might be just expecting secure 2077 * but sending out clear. We don't know what the right 2078 * thing is. We can't do much here as we can't control 2079 * the sender here. Till we are sure of what to do, 2080 * accept them. 2081 */ 2082 return (B_TRUE); 2083 case ICMP_ECHO_REQUEST: 2084 case ICMP_TIME_STAMP_REQUEST: 2085 case ICMP_INFO_REQUEST: 2086 case ICMP_ADDRESS_MASK_REQUEST: 2087 case ICMP_ROUTER_SOLICITATION: 2088 case ICMP_ADDRESS_MASK_REPLY: 2089 /* 2090 * Don't accept this as somebody could be sending 2091 * us plain text to get encrypted data. If we reply, 2092 * it will lead to chosen plain text attack. 2093 */ 2094 return (B_FALSE); 2095 case ICMP_DEST_UNREACHABLE: 2096 switch (icmph->icmph_code) { 2097 case ICMP_FRAGMENTATION_NEEDED: 2098 /* 2099 * Be in sync with icmp_inbound, where we have 2100 * already set ire_max_frag. 2101 */ 2102 return (B_TRUE); 2103 case ICMP_HOST_UNREACHABLE: 2104 case ICMP_NET_UNREACHABLE: 2105 /* 2106 * By accepting, we could reset a connection. 2107 * How do we solve the problem of some 2108 * intermediate router sending in-secure ICMP 2109 * messages ? 2110 */ 2111 return (B_TRUE); 2112 case ICMP_PORT_UNREACHABLE: 2113 case ICMP_PROTOCOL_UNREACHABLE: 2114 default : 2115 return (B_FALSE); 2116 } 2117 case ICMP_SOURCE_QUENCH: 2118 /* 2119 * If this is an attack, TCP will slow start 2120 * because of this. Is it very harmful ? 2121 */ 2122 return (B_TRUE); 2123 case ICMP_PARAM_PROBLEM: 2124 return (B_FALSE); 2125 case ICMP_TIME_EXCEEDED: 2126 return (B_TRUE); 2127 case ICMP_REDIRECT: 2128 return (B_FALSE); 2129 default : 2130 return (B_FALSE); 2131 } 2132 } 2133 } 2134 2135 void 2136 ipsec_latch_ids(ipsec_latch_t *ipl, ipsid_t *local, ipsid_t *remote) 2137 { 2138 mutex_enter(&ipl->ipl_lock); 2139 2140 if (ipl->ipl_ids_latched) { 2141 /* I lost, someone else got here before me */ 2142 mutex_exit(&ipl->ipl_lock); 2143 return; 2144 } 2145 2146 if (local != NULL) 2147 IPSID_REFHOLD(local); 2148 if (remote != NULL) 2149 IPSID_REFHOLD(remote); 2150 2151 ipl->ipl_local_cid = local; 2152 ipl->ipl_remote_cid = remote; 2153 ipl->ipl_ids_latched = B_TRUE; 2154 mutex_exit(&ipl->ipl_lock); 2155 } 2156 2157 void 2158 ipsec_latch_inbound(ipsec_latch_t *ipl, ipsec_in_t *ii) 2159 { 2160 ipsa_t *sa; 2161 2162 if (!ipl->ipl_ids_latched) { 2163 ipsid_t *local = NULL; 2164 ipsid_t *remote = NULL; 2165 2166 if (!ii->ipsec_in_loopback) { 2167 if (ii->ipsec_in_esp_sa != NULL) 2168 sa = ii->ipsec_in_esp_sa; 2169 else 2170 sa = ii->ipsec_in_ah_sa; 2171 ASSERT(sa != NULL); 2172 local = sa->ipsa_dst_cid; 2173 remote = sa->ipsa_src_cid; 2174 } 2175 ipsec_latch_ids(ipl, local, remote); 2176 } 2177 ipl->ipl_in_action = ii->ipsec_in_action; 2178 IPACT_REFHOLD(ipl->ipl_in_action); 2179 } 2180 2181 /* 2182 * Check whether the policy constraints are met either for an 2183 * inbound datagram; called from IP in numerous places. 2184 * 2185 * Note that this is not a chokepoint for inbound policy checks; 2186 * see also ipsec_check_ipsecin_latch() and ipsec_check_global_policy() 2187 */ 2188 mblk_t * 2189 ipsec_check_inbound_policy(mblk_t *first_mp, conn_t *connp, 2190 ipha_t *ipha, ip6_t *ip6h, boolean_t mctl_present) 2191 { 2192 ipsec_in_t *ii; 2193 boolean_t ret; 2194 queue_t *q; 2195 short mid = 0; 2196 mblk_t *mp = mctl_present ? first_mp->b_cont : first_mp; 2197 mblk_t *ipsec_mp = mctl_present ? first_mp : NULL; 2198 ipsec_latch_t *ipl; 2199 2200 ASSERT(connp != NULL); 2201 ipl = connp->conn_latch; 2202 2203 if (ipsec_mp == NULL) { 2204 clear: 2205 /* 2206 * This is the case where the incoming datagram is 2207 * cleartext and we need to see whether this client 2208 * would like to receive such untrustworthy things from 2209 * the wire. 2210 */ 2211 ASSERT(mp != NULL); 2212 2213 if (ipl != NULL) { 2214 /* 2215 * Policy is cached in the conn. 2216 */ 2217 if ((ipl->ipl_in_policy != NULL) && 2218 (!ipl->ipl_in_policy->ipsp_act->ipa_allow_clear)) { 2219 ret = ipsec_inbound_accept_clear(mp, 2220 ipha, ip6h); 2221 if (ret) { 2222 BUMP_MIB(&ip_mib, ipsecInSucceeded); 2223 return (first_mp); 2224 } else { 2225 ipsec_log_policy_failure( 2226 CONNP_TO_WQ(connp), 2227 IPSEC_POLICY_MISMATCH, 2228 "ipsec_check_inbound_policy", ipha, 2229 ip6h, B_FALSE); 2230 ip_drop_packet(first_mp, B_TRUE, NULL, 2231 NULL, &ipdrops_spd_got_clear, 2232 &spd_dropper); 2233 BUMP_MIB(&ip_mib, ipsecInFailed); 2234 return (NULL); 2235 } 2236 } else { 2237 BUMP_MIB(&ip_mib, ipsecInSucceeded); 2238 return (first_mp); 2239 } 2240 } else { 2241 /* 2242 * As this is a non-hardbound connection we need 2243 * to look at both per-socket policy and global 2244 * policy. As this is cleartext, mark the mp as 2245 * M_DATA in case if it is an ICMP error being 2246 * reported before calling ipsec_check_global_policy 2247 * so that it does not mistake it for IPSEC_IN. 2248 */ 2249 uchar_t db_type = mp->b_datap->db_type; 2250 mp->b_datap->db_type = M_DATA; 2251 first_mp = ipsec_check_global_policy(first_mp, connp, 2252 ipha, ip6h, mctl_present); 2253 if (first_mp != NULL) 2254 mp->b_datap->db_type = db_type; 2255 return (first_mp); 2256 } 2257 } 2258 /* 2259 * If it is inbound check whether the attached message 2260 * is secure or not. We have a special case for ICMP, 2261 * where we have a IPSEC_IN message and the attached 2262 * message is not secure. See icmp_inbound_error_fanout 2263 * for details. 2264 */ 2265 ASSERT(ipsec_mp != NULL); 2266 ASSERT(ipsec_mp->b_datap->db_type == M_CTL); 2267 ii = (ipsec_in_t *)ipsec_mp->b_rptr; 2268 2269 if (!ii->ipsec_in_secure) 2270 goto clear; 2271 2272 /* 2273 * mp->b_cont could be either a M_CTL message 2274 * for icmp errors being sent up or a M_DATA message. 2275 */ 2276 ASSERT(mp->b_datap->db_type == M_CTL || 2277 mp->b_datap->db_type == M_DATA); 2278 2279 ASSERT(ii->ipsec_in_type == IPSEC_IN); 2280 2281 if (ipl == NULL) { 2282 /* 2283 * We don't have policies cached in the conn 2284 * for this stream. So, look at the global 2285 * policy. It will check against conn or global 2286 * depending on whichever is stronger. 2287 */ 2288 return (ipsec_check_global_policy(first_mp, connp, 2289 ipha, ip6h, mctl_present)); 2290 } 2291 2292 if (ipl->ipl_in_action != NULL) { 2293 /* Policy is cached & latched; fast(er) path */ 2294 const char *reason; 2295 kstat_named_t *counter; 2296 if (ipsec_check_ipsecin_latch(ii, mp, ipl, 2297 ipha, ip6h, &reason, &counter)) { 2298 BUMP_MIB(&ip_mib, ipsecInSucceeded); 2299 return (first_mp); 2300 } 2301 q = CONNP_TO_WQ(connp); 2302 if (q != NULL) { 2303 mid = q->q_qinfo->qi_minfo->mi_idnum; 2304 } 2305 ipsec_rl_strlog(mid, 0, 0, SL_ERROR|SL_WARN|SL_CONSOLE, 2306 "ipsec inbound policy mismatch: %s, packet dropped\n", 2307 reason); 2308 ip_drop_packet(first_mp, B_TRUE, NULL, NULL, counter, 2309 &spd_dropper); 2310 BUMP_MIB(&ip_mib, ipsecInFailed); 2311 return (NULL); 2312 } else if (ipl->ipl_in_policy == NULL) { 2313 ipsec_weird_null_inbound_policy++; 2314 return (first_mp); 2315 } 2316 2317 IPPOL_REFHOLD(ipl->ipl_in_policy); 2318 first_mp = ipsec_check_ipsecin_policy(CONNP_TO_WQ(connp), first_mp, 2319 ipl->ipl_in_policy, ipha, ip6h); 2320 /* 2321 * NOTE: ipsecIn{Failed,Succeeeded} bumped by 2322 * ipsec_check_ipsecin_policy(). 2323 */ 2324 if (first_mp != NULL) 2325 ipsec_latch_inbound(ipl, ii); 2326 return (first_mp); 2327 } 2328 2329 boolean_t 2330 ipsec_init_inbound_sel(ipsec_selector_t *sel, mblk_t *mp, 2331 ipha_t *ipha, ip6_t *ip6h) 2332 { 2333 uint16_t *ports; 2334 ushort_t hdr_len; 2335 mblk_t *spare_mp = NULL; 2336 uint8_t *nexthdrp; 2337 uint8_t nexthdr; 2338 uint8_t *typecode; 2339 uint8_t check_proto; 2340 2341 ASSERT((ipha == NULL && ip6h != NULL) || 2342 (ipha != NULL && ip6h == NULL)); 2343 2344 if (ip6h != NULL) { 2345 check_proto = IPPROTO_ICMPV6; 2346 sel->ips_isv4 = B_FALSE; 2347 sel->ips_local_addr_v6 = ip6h->ip6_dst; 2348 sel->ips_remote_addr_v6 = ip6h->ip6_src; 2349 2350 nexthdr = ip6h->ip6_nxt; 2351 switch (nexthdr) { 2352 case IPPROTO_HOPOPTS: 2353 case IPPROTO_ROUTING: 2354 case IPPROTO_DSTOPTS: 2355 /* 2356 * Use ip_hdr_length_nexthdr_v6(). And have a spare 2357 * mblk that's contiguous to feed it 2358 */ 2359 if ((spare_mp = msgpullup(mp, -1)) == NULL) 2360 return (B_FALSE); 2361 if (!ip_hdr_length_nexthdr_v6(spare_mp, 2362 (ip6_t *)spare_mp->b_rptr, &hdr_len, &nexthdrp)) { 2363 /* Malformed packet - XXX ip_drop_packet()? */ 2364 freemsg(spare_mp); 2365 return (B_FALSE); 2366 } 2367 nexthdr = *nexthdrp; 2368 /* We can just extract based on hdr_len now. */ 2369 break; 2370 default: 2371 hdr_len = IPV6_HDR_LEN; 2372 break; 2373 } 2374 } else { 2375 check_proto = IPPROTO_ICMP; 2376 sel->ips_isv4 = B_TRUE; 2377 sel->ips_local_addr_v4 = ipha->ipha_dst; 2378 sel->ips_remote_addr_v4 = ipha->ipha_src; 2379 nexthdr = ipha->ipha_protocol; 2380 hdr_len = IPH_HDR_LENGTH(ipha); 2381 } 2382 sel->ips_protocol = nexthdr; 2383 2384 if (nexthdr != IPPROTO_TCP && nexthdr != IPPROTO_UDP && 2385 nexthdr != IPPROTO_SCTP && nexthdr != check_proto) { 2386 sel->ips_remote_port = sel->ips_local_port = 0; 2387 freemsg(spare_mp); /* Always works, even if NULL. */ 2388 return (B_TRUE); 2389 } 2390 2391 if (&mp->b_rptr[hdr_len] + 4 > mp->b_wptr) { 2392 /* If we didn't pullup a copy already, do so now. */ 2393 /* 2394 * XXX performance, will upper-layers frequently split TCP/UDP 2395 * apart from IP or options? If so, perhaps we should revisit 2396 * the spare_mp strategy. 2397 */ 2398 ipsec_hdr_pullup_needed++; 2399 if (spare_mp == NULL && 2400 (spare_mp = msgpullup(mp, -1)) == NULL) { 2401 return (B_FALSE); 2402 } 2403 ports = (uint16_t *)&spare_mp->b_rptr[hdr_len]; 2404 } else { 2405 ports = (uint16_t *)&mp->b_rptr[hdr_len]; 2406 } 2407 2408 if (nexthdr == check_proto) { 2409 typecode = (uint8_t *)ports; 2410 sel->ips_icmp_type = *typecode++; 2411 sel->ips_icmp_code = *typecode; 2412 sel->ips_remote_port = sel->ips_local_port = 0; 2413 freemsg(spare_mp); /* Always works, even if NULL */ 2414 return (B_TRUE); 2415 } 2416 2417 sel->ips_remote_port = *ports++; 2418 sel->ips_local_port = *ports; 2419 freemsg(spare_mp); /* Always works, even if NULL */ 2420 return (B_TRUE); 2421 } 2422 2423 static boolean_t 2424 ipsec_init_outbound_ports(ipsec_selector_t *sel, mblk_t *mp, ipha_t *ipha, 2425 ip6_t *ip6h) 2426 { 2427 /* 2428 * XXX cut&paste shared with ipsec_init_inbound_sel 2429 */ 2430 uint16_t *ports; 2431 ushort_t hdr_len; 2432 mblk_t *spare_mp = NULL; 2433 uint8_t *nexthdrp; 2434 uint8_t nexthdr; 2435 uint8_t *typecode; 2436 uint8_t check_proto; 2437 2438 ASSERT((ipha == NULL && ip6h != NULL) || 2439 (ipha != NULL && ip6h == NULL)); 2440 2441 if (ip6h != NULL) { 2442 check_proto = IPPROTO_ICMPV6; 2443 nexthdr = ip6h->ip6_nxt; 2444 switch (nexthdr) { 2445 case IPPROTO_HOPOPTS: 2446 case IPPROTO_ROUTING: 2447 case IPPROTO_DSTOPTS: 2448 /* 2449 * Use ip_hdr_length_nexthdr_v6(). And have a spare 2450 * mblk that's contiguous to feed it 2451 */ 2452 spare_mp = msgpullup(mp, -1); 2453 if (spare_mp == NULL || 2454 !ip_hdr_length_nexthdr_v6(spare_mp, 2455 (ip6_t *)spare_mp->b_rptr, &hdr_len, 2456 &nexthdrp)) { 2457 /* Always works, even if NULL. */ 2458 freemsg(spare_mp); 2459 freemsg(mp); 2460 return (B_FALSE); 2461 } else { 2462 nexthdr = *nexthdrp; 2463 /* We can just extract based on hdr_len now. */ 2464 } 2465 break; 2466 default: 2467 hdr_len = IPV6_HDR_LEN; 2468 break; 2469 } 2470 } else { 2471 check_proto = IPPROTO_ICMP; 2472 hdr_len = IPH_HDR_LENGTH(ipha); 2473 nexthdr = ipha->ipha_protocol; 2474 } 2475 2476 sel->ips_protocol = nexthdr; 2477 if (nexthdr != IPPROTO_TCP && nexthdr != IPPROTO_UDP && 2478 nexthdr != IPPROTO_SCTP && nexthdr != check_proto) { 2479 sel->ips_local_port = sel->ips_remote_port = 0; 2480 freemsg(spare_mp); /* Always works, even if NULL. */ 2481 return (B_TRUE); 2482 } 2483 2484 if (&mp->b_rptr[hdr_len] + 4 > mp->b_wptr) { 2485 /* If we didn't pullup a copy already, do so now. */ 2486 /* 2487 * XXX performance, will upper-layers frequently split TCP/UDP 2488 * apart from IP or options? If so, perhaps we should revisit 2489 * the spare_mp strategy. 2490 * 2491 * XXX should this be msgpullup(mp, hdr_len+4) ??? 2492 */ 2493 if (spare_mp == NULL && 2494 (spare_mp = msgpullup(mp, -1)) == NULL) { 2495 freemsg(mp); 2496 return (B_FALSE); 2497 } 2498 ports = (uint16_t *)&spare_mp->b_rptr[hdr_len]; 2499 } else { 2500 ports = (uint16_t *)&mp->b_rptr[hdr_len]; 2501 } 2502 2503 if (nexthdr == check_proto) { 2504 typecode = (uint8_t *)ports; 2505 sel->ips_icmp_type = *typecode++; 2506 sel->ips_icmp_code = *typecode; 2507 sel->ips_remote_port = sel->ips_local_port = 0; 2508 freemsg(spare_mp); /* Always works, even if NULL */ 2509 return (B_TRUE); 2510 } 2511 2512 sel->ips_local_port = *ports++; 2513 sel->ips_remote_port = *ports; 2514 freemsg(spare_mp); /* Always works, even if NULL */ 2515 return (B_TRUE); 2516 } 2517 2518 /* 2519 * Create an ipsec_action_t based on the way an inbound packet was protected. 2520 * Used to reflect traffic back to a sender. 2521 * 2522 * We don't bother interning the action into the hash table. 2523 */ 2524 ipsec_action_t * 2525 ipsec_in_to_out_action(ipsec_in_t *ii) 2526 { 2527 ipsa_t *ah_assoc, *esp_assoc; 2528 uint_t auth_alg = 0, encr_alg = 0, espa_alg = 0; 2529 ipsec_action_t *ap; 2530 boolean_t unique; 2531 2532 ap = kmem_cache_alloc(ipsec_action_cache, KM_NOSLEEP); 2533 2534 if (ap == NULL) 2535 return (NULL); 2536 2537 bzero(ap, sizeof (*ap)); 2538 HASH_NULL(ap, ipa_hash); 2539 ap->ipa_next = NULL; 2540 ap->ipa_refs = 1; 2541 2542 /* 2543 * Get the algorithms that were used for this packet. 2544 */ 2545 ap->ipa_act.ipa_type = IPSEC_ACT_APPLY; 2546 ap->ipa_act.ipa_log = 0; 2547 ah_assoc = ii->ipsec_in_ah_sa; 2548 ap->ipa_act.ipa_apply.ipp_use_ah = (ah_assoc != NULL); 2549 2550 esp_assoc = ii->ipsec_in_esp_sa; 2551 ap->ipa_act.ipa_apply.ipp_use_esp = (esp_assoc != NULL); 2552 2553 if (esp_assoc != NULL) { 2554 encr_alg = esp_assoc->ipsa_encr_alg; 2555 espa_alg = esp_assoc->ipsa_auth_alg; 2556 ap->ipa_act.ipa_apply.ipp_use_espa = (espa_alg != 0); 2557 } 2558 if (ah_assoc != NULL) 2559 auth_alg = ah_assoc->ipsa_auth_alg; 2560 2561 ap->ipa_act.ipa_apply.ipp_encr_alg = (uint8_t)encr_alg; 2562 ap->ipa_act.ipa_apply.ipp_auth_alg = (uint8_t)auth_alg; 2563 ap->ipa_act.ipa_apply.ipp_esp_auth_alg = (uint8_t)espa_alg; 2564 ap->ipa_act.ipa_apply.ipp_use_se = ii->ipsec_in_decaps; 2565 unique = B_FALSE; 2566 2567 if (esp_assoc != NULL) { 2568 ap->ipa_act.ipa_apply.ipp_espa_minbits = 2569 esp_assoc->ipsa_authkeybits; 2570 ap->ipa_act.ipa_apply.ipp_espa_maxbits = 2571 esp_assoc->ipsa_authkeybits; 2572 ap->ipa_act.ipa_apply.ipp_espe_minbits = 2573 esp_assoc->ipsa_encrkeybits; 2574 ap->ipa_act.ipa_apply.ipp_espe_maxbits = 2575 esp_assoc->ipsa_encrkeybits; 2576 ap->ipa_act.ipa_apply.ipp_km_proto = esp_assoc->ipsa_kmp; 2577 ap->ipa_act.ipa_apply.ipp_km_cookie = esp_assoc->ipsa_kmc; 2578 if (esp_assoc->ipsa_flags & IPSA_F_UNIQUE) 2579 unique = B_TRUE; 2580 } 2581 if (ah_assoc != NULL) { 2582 ap->ipa_act.ipa_apply.ipp_ah_minbits = 2583 ah_assoc->ipsa_authkeybits; 2584 ap->ipa_act.ipa_apply.ipp_ah_maxbits = 2585 ah_assoc->ipsa_authkeybits; 2586 ap->ipa_act.ipa_apply.ipp_km_proto = ah_assoc->ipsa_kmp; 2587 ap->ipa_act.ipa_apply.ipp_km_cookie = ah_assoc->ipsa_kmc; 2588 if (ah_assoc->ipsa_flags & IPSA_F_UNIQUE) 2589 unique = B_TRUE; 2590 } 2591 ap->ipa_act.ipa_apply.ipp_use_unique = unique; 2592 ap->ipa_want_unique = unique; 2593 ap->ipa_allow_clear = B_FALSE; 2594 ap->ipa_want_se = ii->ipsec_in_decaps; 2595 ap->ipa_want_ah = (ah_assoc != NULL); 2596 ap->ipa_want_esp = (esp_assoc != NULL); 2597 2598 ap->ipa_ovhd = ipsec_act_ovhd(&ap->ipa_act); 2599 2600 ap->ipa_act.ipa_apply.ipp_replay_depth = 0; /* don't care */ 2601 2602 return (ap); 2603 } 2604 2605 2606 /* 2607 * Compute the worst-case amount of extra space required by an action. 2608 * Note that, because of the ESP considerations listed below, this is 2609 * actually not the same as the best-case reduction in the MTU; in the 2610 * future, we should pass additional information to this function to 2611 * allow the actual MTU impact to be computed. 2612 * 2613 * AH: Revisit this if we implement algorithms with 2614 * a verifier size of more than 12 bytes. 2615 * 2616 * ESP: A more exact but more messy computation would take into 2617 * account the interaction between the cipher block size and the 2618 * effective MTU, yielding the inner payload size which reflects a 2619 * packet with *minimum* ESP padding.. 2620 */ 2621 static int32_t 2622 ipsec_act_ovhd(const ipsec_act_t *act) 2623 { 2624 int32_t overhead = 0; 2625 2626 if (act->ipa_type == IPSEC_ACT_APPLY) { 2627 const ipsec_prot_t *ipp = &act->ipa_apply; 2628 2629 if (ipp->ipp_use_ah) 2630 overhead += IPSEC_MAX_AH_HDR_SIZE; 2631 if (ipp->ipp_use_esp) { 2632 overhead += IPSEC_MAX_ESP_HDR_SIZE; 2633 overhead += sizeof (struct udphdr); 2634 } 2635 if (ipp->ipp_use_se) 2636 overhead += IP_SIMPLE_HDR_LENGTH; 2637 } 2638 return (overhead); 2639 } 2640 2641 /* 2642 * This hash function is used only when creating policies and thus is not 2643 * performance-critical for packet flows. 2644 * 2645 * Future work: canonicalize the structures hashed with this (i.e., 2646 * zeroize padding) so the hash works correctly. 2647 */ 2648 /* ARGSUSED */ 2649 static uint32_t 2650 policy_hash(int size, const void *start, const void *end) 2651 { 2652 return (0); 2653 } 2654 2655 2656 /* 2657 * Hash function macros for each address type. 2658 * 2659 * The IPV6 hash function assumes that the low order 32-bits of the 2660 * address (typically containing the low order 24 bits of the mac 2661 * address) are reasonably well-distributed. Revisit this if we run 2662 * into trouble from lots of collisions on ::1 addresses and the like 2663 * (seems unlikely). 2664 */ 2665 #define IPSEC_IPV4_HASH(a) ((a) % ipsec_spd_hashsize) 2666 #define IPSEC_IPV6_HASH(a) ((a.s6_addr32[3]) % ipsec_spd_hashsize) 2667 2668 /* 2669 * These two hash functions should produce coordinated values 2670 * but have slightly different roles. 2671 */ 2672 static uint32_t 2673 selkey_hash(const ipsec_selkey_t *selkey) 2674 { 2675 uint32_t valid = selkey->ipsl_valid; 2676 2677 if (!(valid & IPSL_REMOTE_ADDR)) 2678 return (IPSEC_SEL_NOHASH); 2679 2680 if (valid & IPSL_IPV4) { 2681 if (selkey->ipsl_remote_pfxlen == 32) 2682 return (IPSEC_IPV4_HASH(selkey->ipsl_remote.ipsad_v4)); 2683 } 2684 if (valid & IPSL_IPV6) { 2685 if (selkey->ipsl_remote_pfxlen == 128) 2686 return (IPSEC_IPV6_HASH(selkey->ipsl_remote.ipsad_v6)); 2687 } 2688 return (IPSEC_SEL_NOHASH); 2689 } 2690 2691 static uint32_t 2692 selector_hash(ipsec_selector_t *sel) 2693 { 2694 if (sel->ips_isv4) { 2695 return (IPSEC_IPV4_HASH(sel->ips_remote_addr_v4)); 2696 } 2697 return (IPSEC_IPV6_HASH(sel->ips_remote_addr_v6)); 2698 } 2699 2700 /* 2701 * Intern actions into the action hash table. 2702 */ 2703 ipsec_action_t * 2704 ipsec_act_find(const ipsec_act_t *a, int n) 2705 { 2706 int i; 2707 uint32_t hval; 2708 ipsec_action_t *ap; 2709 ipsec_action_t *prev = NULL; 2710 int32_t overhead, maxovhd = 0; 2711 boolean_t allow_clear = B_FALSE; 2712 boolean_t want_ah = B_FALSE; 2713 boolean_t want_esp = B_FALSE; 2714 boolean_t want_se = B_FALSE; 2715 boolean_t want_unique = B_FALSE; 2716 2717 /* 2718 * TODO: should canonicalize a[] (i.e., zeroize any padding) 2719 * so we can use a non-trivial policy_hash function. 2720 */ 2721 for (i = n-1; i >= 0; i--) { 2722 hval = policy_hash(IPSEC_ACTION_HASH_SIZE, &a[i], &a[n]); 2723 2724 HASH_LOCK(ipsec_action_hash, hval); 2725 2726 for (HASH_ITERATE(ap, ipa_hash, ipsec_action_hash, hval)) { 2727 if (bcmp(&ap->ipa_act, &a[i], sizeof (*a)) != 0) 2728 continue; 2729 if (ap->ipa_next != prev) 2730 continue; 2731 break; 2732 } 2733 if (ap != NULL) { 2734 HASH_UNLOCK(ipsec_action_hash, hval); 2735 prev = ap; 2736 continue; 2737 } 2738 /* 2739 * need to allocate a new one.. 2740 */ 2741 ap = kmem_cache_alloc(ipsec_action_cache, KM_NOSLEEP); 2742 if (ap == NULL) { 2743 HASH_UNLOCK(ipsec_action_hash, hval); 2744 if (prev != NULL) 2745 ipsec_action_free(prev); 2746 return (NULL); 2747 } 2748 HASH_INSERT(ap, ipa_hash, ipsec_action_hash, hval); 2749 2750 ap->ipa_next = prev; 2751 ap->ipa_act = a[i]; 2752 2753 overhead = ipsec_act_ovhd(&a[i]); 2754 if (maxovhd < overhead) 2755 maxovhd = overhead; 2756 2757 if ((a[i].ipa_type == IPSEC_ACT_BYPASS) || 2758 (a[i].ipa_type == IPSEC_ACT_CLEAR)) 2759 allow_clear = B_TRUE; 2760 if (a[i].ipa_type == IPSEC_ACT_APPLY) { 2761 const ipsec_prot_t *ipp = &a[i].ipa_apply; 2762 2763 ASSERT(ipp->ipp_use_ah || ipp->ipp_use_esp); 2764 want_ah |= ipp->ipp_use_ah; 2765 want_esp |= ipp->ipp_use_esp; 2766 want_se |= ipp->ipp_use_se; 2767 want_unique |= ipp->ipp_use_unique; 2768 } 2769 ap->ipa_allow_clear = allow_clear; 2770 ap->ipa_want_ah = want_ah; 2771 ap->ipa_want_esp = want_esp; 2772 ap->ipa_want_se = want_se; 2773 ap->ipa_want_unique = want_unique; 2774 ap->ipa_refs = 1; /* from the hash table */ 2775 ap->ipa_ovhd = maxovhd; 2776 if (prev) 2777 prev->ipa_refs++; 2778 prev = ap; 2779 HASH_UNLOCK(ipsec_action_hash, hval); 2780 } 2781 2782 ap->ipa_refs++; /* caller's reference */ 2783 2784 return (ap); 2785 } 2786 2787 /* 2788 * Called when refcount goes to 0, indicating that all references to this 2789 * node are gone. 2790 * 2791 * This does not unchain the action from the hash table. 2792 */ 2793 void 2794 ipsec_action_free(ipsec_action_t *ap) 2795 { 2796 for (;;) { 2797 ipsec_action_t *np = ap->ipa_next; 2798 ASSERT(ap->ipa_refs == 0); 2799 ASSERT(ap->ipa_hash.hash_pp == NULL); 2800 kmem_cache_free(ipsec_action_cache, ap); 2801 ap = np; 2802 /* Inlined IPACT_REFRELE -- avoid recursion */ 2803 if (ap == NULL) 2804 break; 2805 membar_exit(); 2806 if (atomic_add_32_nv(&(ap)->ipa_refs, -1) != 0) 2807 break; 2808 /* End inlined IPACT_REFRELE */ 2809 } 2810 } 2811 2812 /* 2813 * Periodically sweep action hash table for actions with refcount==1, and 2814 * nuke them. We cannot do this "on demand" (i.e., from IPACT_REFRELE) 2815 * because we can't close the race between another thread finding the action 2816 * in the hash table without holding the bucket lock during IPACT_REFRELE. 2817 * Instead, we run this function sporadically to clean up after ourselves; 2818 * we also set it as the "reclaim" function for the action kmem_cache. 2819 * 2820 * Note that it may take several passes of ipsec_action_gc() to free all 2821 * "stale" actions. 2822 */ 2823 /* ARGSUSED */ 2824 static void 2825 ipsec_action_reclaim(void *dummy) 2826 { 2827 int i; 2828 2829 for (i = 0; i < IPSEC_ACTION_HASH_SIZE; i++) { 2830 ipsec_action_t *ap, *np; 2831 2832 /* skip the lock if nobody home */ 2833 if (ipsec_action_hash[i].hash_head == NULL) 2834 continue; 2835 2836 HASH_LOCK(ipsec_action_hash, i); 2837 for (ap = ipsec_action_hash[i].hash_head; 2838 ap != NULL; ap = np) { 2839 ASSERT(ap->ipa_refs > 0); 2840 np = ap->ipa_hash.hash_next; 2841 if (ap->ipa_refs > 1) 2842 continue; 2843 HASH_UNCHAIN(ap, ipa_hash, ipsec_action_hash, i); 2844 IPACT_REFRELE(ap); 2845 } 2846 HASH_UNLOCK(ipsec_action_hash, i); 2847 } 2848 } 2849 2850 /* 2851 * Intern a selector set into the selector set hash table. 2852 * This is simpler than the actions case.. 2853 */ 2854 static ipsec_sel_t * 2855 ipsec_find_sel(ipsec_selkey_t *selkey) 2856 { 2857 ipsec_sel_t *sp; 2858 uint32_t hval, bucket; 2859 2860 /* 2861 * Exactly one AF bit should be set in selkey. 2862 */ 2863 ASSERT(!(selkey->ipsl_valid & IPSL_IPV4) ^ 2864 !(selkey->ipsl_valid & IPSL_IPV6)); 2865 2866 hval = selkey_hash(selkey); 2867 selkey->ipsl_hval = hval; 2868 2869 bucket = (hval == IPSEC_SEL_NOHASH) ? 0 : hval; 2870 2871 ASSERT(!HASH_LOCKED(ipsec_sel_hash, bucket)); 2872 HASH_LOCK(ipsec_sel_hash, bucket); 2873 2874 for (HASH_ITERATE(sp, ipsl_hash, ipsec_sel_hash, bucket)) { 2875 if (bcmp(&sp->ipsl_key, selkey, sizeof (*selkey)) == 0) 2876 break; 2877 } 2878 if (sp != NULL) { 2879 sp->ipsl_refs++; 2880 2881 HASH_UNLOCK(ipsec_sel_hash, bucket); 2882 return (sp); 2883 } 2884 2885 sp = kmem_cache_alloc(ipsec_sel_cache, KM_NOSLEEP); 2886 if (sp == NULL) { 2887 HASH_UNLOCK(ipsec_sel_hash, bucket); 2888 return (NULL); 2889 } 2890 2891 HASH_INSERT(sp, ipsl_hash, ipsec_sel_hash, bucket); 2892 sp->ipsl_refs = 2; /* one for hash table, one for caller */ 2893 sp->ipsl_key = *selkey; 2894 2895 HASH_UNLOCK(ipsec_sel_hash, bucket); 2896 2897 return (sp); 2898 } 2899 2900 static void 2901 ipsec_sel_rel(ipsec_sel_t **spp) 2902 { 2903 ipsec_sel_t *sp = *spp; 2904 int hval = sp->ipsl_key.ipsl_hval; 2905 *spp = NULL; 2906 2907 if (hval == IPSEC_SEL_NOHASH) 2908 hval = 0; 2909 2910 ASSERT(!HASH_LOCKED(ipsec_sel_hash, hval)); 2911 HASH_LOCK(ipsec_sel_hash, hval); 2912 if (--sp->ipsl_refs == 1) { 2913 HASH_UNCHAIN(sp, ipsl_hash, ipsec_sel_hash, hval); 2914 sp->ipsl_refs--; 2915 HASH_UNLOCK(ipsec_sel_hash, hval); 2916 ASSERT(sp->ipsl_refs == 0); 2917 kmem_cache_free(ipsec_sel_cache, sp); 2918 /* Caller unlocks */ 2919 return; 2920 } 2921 2922 HASH_UNLOCK(ipsec_sel_hash, hval); 2923 } 2924 2925 /* 2926 * Free a policy rule which we know is no longer being referenced. 2927 */ 2928 void 2929 ipsec_policy_free(ipsec_policy_t *ipp) 2930 { 2931 ASSERT(ipp->ipsp_refs == 0); 2932 ASSERT(ipp->ipsp_sel != NULL); 2933 ASSERT(ipp->ipsp_act != NULL); 2934 ipsec_sel_rel(&ipp->ipsp_sel); 2935 IPACT_REFRELE(ipp->ipsp_act); 2936 kmem_cache_free(ipsec_pol_cache, ipp); 2937 } 2938 2939 /* 2940 * Construction of new policy rules; construct a policy, and add it to 2941 * the appropriate tables. 2942 */ 2943 ipsec_policy_t * 2944 ipsec_policy_create(ipsec_selkey_t *keys, const ipsec_act_t *a, 2945 int nacts, int prio) 2946 { 2947 ipsec_action_t *ap; 2948 ipsec_sel_t *sp; 2949 ipsec_policy_t *ipp; 2950 2951 ipp = kmem_cache_alloc(ipsec_pol_cache, KM_NOSLEEP); 2952 ap = ipsec_act_find(a, nacts); 2953 sp = ipsec_find_sel(keys); 2954 2955 if ((ap == NULL) || (sp == NULL) || (ipp == NULL)) { 2956 if (ap != NULL) { 2957 IPACT_REFRELE(ap); 2958 } 2959 if (sp != NULL) 2960 ipsec_sel_rel(&sp); 2961 if (ipp != NULL) 2962 kmem_cache_free(ipsec_pol_cache, ipp); 2963 return (NULL); 2964 } 2965 2966 HASH_NULL(ipp, ipsp_hash); 2967 2968 ipp->ipsp_refs = 1; /* caller's reference */ 2969 ipp->ipsp_sel = sp; 2970 ipp->ipsp_act = ap; 2971 ipp->ipsp_prio = prio; /* rule priority */ 2972 ipp->ipsp_index = ipsec_next_policy_index++; 2973 2974 return (ipp); 2975 } 2976 2977 static void 2978 ipsec_update_present_flags() 2979 { 2980 boolean_t hashpol = (avl_numnodes(&system_policy.iph_rulebyid) > 0); 2981 2982 if (hashpol) { 2983 ipsec_outbound_v4_policy_present = B_TRUE; 2984 ipsec_outbound_v6_policy_present = B_TRUE; 2985 ipsec_inbound_v4_policy_present = B_TRUE; 2986 ipsec_inbound_v6_policy_present = B_TRUE; 2987 return; 2988 } 2989 2990 ipsec_outbound_v4_policy_present = (NULL != 2991 system_policy.iph_root[IPSEC_TYPE_OUTBOUND]. 2992 ipr_nonhash[IPSEC_AF_V4]); 2993 ipsec_outbound_v6_policy_present = (NULL != 2994 system_policy.iph_root[IPSEC_TYPE_OUTBOUND]. 2995 ipr_nonhash[IPSEC_AF_V6]); 2996 ipsec_inbound_v4_policy_present = (NULL != 2997 system_policy.iph_root[IPSEC_TYPE_INBOUND]. 2998 ipr_nonhash[IPSEC_AF_V4]); 2999 ipsec_inbound_v6_policy_present = (NULL != 3000 system_policy.iph_root[IPSEC_TYPE_INBOUND]. 3001 ipr_nonhash[IPSEC_AF_V6]); 3002 } 3003 3004 boolean_t 3005 ipsec_policy_delete(ipsec_policy_head_t *php, ipsec_selkey_t *keys, int dir) 3006 { 3007 ipsec_sel_t *sp; 3008 ipsec_policy_t *ip, *nip, *head; 3009 int af; 3010 ipsec_policy_root_t *pr = &php->iph_root[dir]; 3011 3012 sp = ipsec_find_sel(keys); 3013 3014 if (sp == NULL) 3015 return (B_FALSE); 3016 3017 af = (sp->ipsl_key.ipsl_valid & IPSL_IPV4) ? IPSEC_AF_V4 : IPSEC_AF_V6; 3018 3019 rw_enter(&php->iph_lock, RW_WRITER); 3020 3021 if (keys->ipsl_hval == IPSEC_SEL_NOHASH) { 3022 head = pr->ipr_nonhash[af]; 3023 } else { 3024 head = pr->ipr_hash[keys->ipsl_hval].hash_head; 3025 } 3026 3027 for (ip = head; ip != NULL; ip = nip) { 3028 nip = ip->ipsp_hash.hash_next; 3029 if (ip->ipsp_sel != sp) { 3030 continue; 3031 } 3032 3033 IPPOL_UNCHAIN(php, ip); 3034 3035 php->iph_gen++; 3036 ipsec_update_present_flags(); 3037 3038 rw_exit(&php->iph_lock); 3039 3040 ipsec_sel_rel(&sp); 3041 3042 return (B_TRUE); 3043 } 3044 3045 rw_exit(&php->iph_lock); 3046 ipsec_sel_rel(&sp); 3047 return (B_FALSE); 3048 } 3049 3050 int 3051 ipsec_policy_delete_index(ipsec_policy_head_t *php, uint64_t policy_index) 3052 { 3053 boolean_t found = B_FALSE; 3054 ipsec_policy_t ipkey; 3055 ipsec_policy_t *ip; 3056 avl_index_t where; 3057 3058 (void) memset(&ipkey, 0, sizeof (ipkey)); 3059 ipkey.ipsp_index = policy_index; 3060 3061 rw_enter(&php->iph_lock, RW_WRITER); 3062 3063 /* 3064 * We could be cleverer here about the walk. 3065 * but well, (k+1)*log(N) will do for now (k==number of matches, 3066 * N==number of table entries 3067 */ 3068 for (;;) { 3069 ip = (ipsec_policy_t *)avl_find(&php->iph_rulebyid, 3070 (void *)&ipkey, &where); 3071 ASSERT(ip == NULL); 3072 3073 ip = avl_nearest(&php->iph_rulebyid, where, AVL_AFTER); 3074 3075 if (ip == NULL) 3076 break; 3077 3078 if (ip->ipsp_index != policy_index) { 3079 ASSERT(ip->ipsp_index > policy_index); 3080 break; 3081 } 3082 3083 IPPOL_UNCHAIN(php, ip); 3084 found = B_TRUE; 3085 } 3086 3087 if (found) { 3088 php->iph_gen++; 3089 ipsec_update_present_flags(); 3090 } 3091 3092 rw_exit(&php->iph_lock); 3093 3094 return (found ? 0 : ENOENT); 3095 } 3096 3097 /* 3098 * Given a constructed ipsec_policy_t policy rule, see if it can be entered 3099 * into the correct policy ruleset. 3100 * 3101 * Returns B_TRUE if it can be entered, B_FALSE if it can't be (because a 3102 * duplicate policy exists with exactly the same selectors), or an icmp 3103 * rule exists with a different encryption/authentication action. 3104 */ 3105 boolean_t 3106 ipsec_check_policy(ipsec_policy_head_t *php, ipsec_policy_t *ipp, int direction) 3107 { 3108 ipsec_policy_root_t *pr = &php->iph_root[direction]; 3109 int af = -1; 3110 ipsec_policy_t *p2, *head; 3111 uint8_t check_proto; 3112 ipsec_selkey_t *selkey = &ipp->ipsp_sel->ipsl_key; 3113 uint32_t valid = selkey->ipsl_valid; 3114 3115 if (valid & IPSL_IPV6) { 3116 ASSERT(!(valid & IPSL_IPV4)); 3117 af = IPSEC_AF_V6; 3118 check_proto = IPPROTO_ICMPV6; 3119 } else { 3120 ASSERT(valid & IPSL_IPV4); 3121 af = IPSEC_AF_V4; 3122 check_proto = IPPROTO_ICMP; 3123 } 3124 3125 ASSERT(RW_WRITE_HELD(&php->iph_lock)); 3126 3127 /* 3128 * Double-check that we don't have any duplicate selectors here. 3129 * Because selectors are interned below, we need only compare pointers 3130 * for equality. 3131 */ 3132 if (selkey->ipsl_hval == IPSEC_SEL_NOHASH) { 3133 head = pr->ipr_nonhash[af]; 3134 } else { 3135 head = pr->ipr_hash[selkey->ipsl_hval].hash_head; 3136 } 3137 3138 for (p2 = head; p2 != NULL; p2 = p2->ipsp_hash.hash_next) { 3139 if (p2->ipsp_sel == ipp->ipsp_sel) 3140 return (B_FALSE); 3141 } 3142 3143 /* 3144 * If it's ICMP and not a drop or pass rule, run through the ICMP 3145 * rules and make sure the action is either new or the same as any 3146 * other actions. We don't have to check the full chain because 3147 * discard and bypass will override all other actions 3148 */ 3149 3150 if (valid & IPSL_PROTOCOL && 3151 selkey->ipsl_proto == check_proto && 3152 (ipp->ipsp_act->ipa_act.ipa_type == IPSEC_ACT_APPLY)) { 3153 3154 for (p2 = head; p2 != NULL; p2 = p2->ipsp_hash.hash_next) { 3155 3156 if (p2->ipsp_sel->ipsl_key.ipsl_valid & IPSL_PROTOCOL && 3157 p2->ipsp_sel->ipsl_key.ipsl_proto == check_proto && 3158 (p2->ipsp_act->ipa_act.ipa_type == 3159 IPSEC_ACT_APPLY)) { 3160 return (ipsec_compare_action(p2, ipp)); 3161 } 3162 } 3163 } 3164 3165 return (B_TRUE); 3166 } 3167 3168 /* 3169 * compare the action chains of two policies for equality 3170 * B_TRUE -> effective equality 3171 */ 3172 3173 static boolean_t 3174 ipsec_compare_action(ipsec_policy_t *p1, ipsec_policy_t *p2) 3175 { 3176 3177 ipsec_action_t *act1, *act2; 3178 3179 /* We have a valid rule. Let's compare the actions */ 3180 if (p1->ipsp_act == p2->ipsp_act) { 3181 /* same action. We are good */ 3182 return (B_TRUE); 3183 } 3184 3185 /* we have to walk the chain */ 3186 3187 act1 = p1->ipsp_act; 3188 act2 = p2->ipsp_act; 3189 3190 while (act1 != NULL && act2 != NULL) { 3191 3192 /* otherwise, Are we close enough? */ 3193 if (act1->ipa_allow_clear != act2->ipa_allow_clear || 3194 act1->ipa_want_ah != act2->ipa_want_ah || 3195 act1->ipa_want_esp != act2->ipa_want_esp || 3196 act1->ipa_want_se != act2->ipa_want_se) { 3197 /* Nope, we aren't */ 3198 return (B_FALSE); 3199 } 3200 3201 if (act1->ipa_want_ah) { 3202 if (act1->ipa_act.ipa_apply.ipp_auth_alg != 3203 act2->ipa_act.ipa_apply.ipp_auth_alg) { 3204 return (B_FALSE); 3205 } 3206 3207 if (act1->ipa_act.ipa_apply.ipp_ah_minbits != 3208 act2->ipa_act.ipa_apply.ipp_ah_minbits || 3209 act1->ipa_act.ipa_apply.ipp_ah_maxbits != 3210 act2->ipa_act.ipa_apply.ipp_ah_maxbits) { 3211 return (B_FALSE); 3212 } 3213 } 3214 3215 if (act1->ipa_want_esp) { 3216 if (act1->ipa_act.ipa_apply.ipp_use_esp != 3217 act2->ipa_act.ipa_apply.ipp_use_esp || 3218 act1->ipa_act.ipa_apply.ipp_use_espa != 3219 act2->ipa_act.ipa_apply.ipp_use_espa) { 3220 return (B_FALSE); 3221 } 3222 3223 if (act1->ipa_act.ipa_apply.ipp_use_esp) { 3224 if (act1->ipa_act.ipa_apply.ipp_encr_alg != 3225 act2->ipa_act.ipa_apply.ipp_encr_alg) { 3226 return (B_FALSE); 3227 } 3228 3229 if (act1->ipa_act.ipa_apply.ipp_espe_minbits != 3230 act2->ipa_act.ipa_apply.ipp_espe_minbits || 3231 act1->ipa_act.ipa_apply.ipp_espe_maxbits != 3232 act2->ipa_act.ipa_apply.ipp_espe_maxbits) { 3233 return (B_FALSE); 3234 } 3235 } 3236 3237 if (act1->ipa_act.ipa_apply.ipp_use_espa) { 3238 if (act1->ipa_act.ipa_apply.ipp_esp_auth_alg != 3239 act2->ipa_act.ipa_apply.ipp_esp_auth_alg) { 3240 return (B_FALSE); 3241 } 3242 3243 if (act1->ipa_act.ipa_apply.ipp_espa_minbits != 3244 act2->ipa_act.ipa_apply.ipp_espa_minbits || 3245 act1->ipa_act.ipa_apply.ipp_espa_maxbits != 3246 act2->ipa_act.ipa_apply.ipp_espa_maxbits) { 3247 return (B_FALSE); 3248 } 3249 } 3250 3251 } 3252 3253 act1 = act1->ipa_next; 3254 act2 = act2->ipa_next; 3255 } 3256 3257 if (act1 != NULL || act2 != NULL) { 3258 return (B_FALSE); 3259 } 3260 3261 return (B_TRUE); 3262 } 3263 3264 3265 /* 3266 * Given a constructed ipsec_policy_t policy rule, enter it into 3267 * the correct policy ruleset. 3268 * 3269 * ipsec_check_policy() is assumed to have succeeded first (to check for 3270 * duplicates). 3271 */ 3272 void 3273 ipsec_enter_policy(ipsec_policy_head_t *php, ipsec_policy_t *ipp, int direction) 3274 { 3275 ipsec_policy_root_t *pr = &php->iph_root[direction]; 3276 ipsec_selkey_t *selkey = &ipp->ipsp_sel->ipsl_key; 3277 uint32_t valid = selkey->ipsl_valid; 3278 uint32_t hval = selkey->ipsl_hval; 3279 int af = -1; 3280 3281 ASSERT(RW_WRITE_HELD(&php->iph_lock)); 3282 3283 if (valid & IPSL_IPV6) { 3284 ASSERT(!(valid & IPSL_IPV4)); 3285 af = IPSEC_AF_V6; 3286 } else { 3287 ASSERT(valid & IPSL_IPV4); 3288 af = IPSEC_AF_V4; 3289 } 3290 3291 php->iph_gen++; 3292 3293 if (hval == IPSEC_SEL_NOHASH) { 3294 HASHLIST_INSERT(ipp, ipsp_hash, pr->ipr_nonhash[af]); 3295 } else { 3296 HASH_LOCK(pr->ipr_hash, hval); 3297 HASH_INSERT(ipp, ipsp_hash, pr->ipr_hash, hval); 3298 HASH_UNLOCK(pr->ipr_hash, hval); 3299 } 3300 3301 ipsec_insert_always(&php->iph_rulebyid, ipp); 3302 3303 ipsec_update_present_flags(); 3304 } 3305 3306 static void 3307 ipsec_ipr_flush(ipsec_policy_head_t *php, ipsec_policy_root_t *ipr) 3308 { 3309 ipsec_policy_t *ip, *nip; 3310 3311 int af, chain, nchain; 3312 3313 for (af = 0; af < IPSEC_NAF; af++) { 3314 for (ip = ipr->ipr_nonhash[af]; ip != NULL; ip = nip) { 3315 nip = ip->ipsp_hash.hash_next; 3316 IPPOL_UNCHAIN(php, ip); 3317 } 3318 ipr->ipr_nonhash[af] = NULL; 3319 } 3320 nchain = ipr->ipr_nchains; 3321 3322 for (chain = 0; chain < nchain; chain++) { 3323 for (ip = ipr->ipr_hash[chain].hash_head; ip != NULL; 3324 ip = nip) { 3325 nip = ip->ipsp_hash.hash_next; 3326 IPPOL_UNCHAIN(php, ip); 3327 } 3328 ipr->ipr_hash[chain].hash_head = NULL; 3329 } 3330 } 3331 3332 3333 void 3334 ipsec_polhead_flush(ipsec_policy_head_t *php) 3335 { 3336 int dir; 3337 3338 ASSERT(RW_WRITE_HELD(&php->iph_lock)); 3339 3340 for (dir = 0; dir < IPSEC_NTYPES; dir++) 3341 ipsec_ipr_flush(php, &php->iph_root[dir]); 3342 3343 ipsec_update_present_flags(); 3344 } 3345 3346 void 3347 ipsec_polhead_free(ipsec_policy_head_t *php) 3348 { 3349 ASSERT(php->iph_refs == 0); 3350 rw_enter(&php->iph_lock, RW_WRITER); 3351 ipsec_polhead_flush(php); 3352 rw_exit(&php->iph_lock); 3353 rw_destroy(&php->iph_lock); 3354 kmem_free(php, sizeof (*php)); 3355 } 3356 3357 static void 3358 ipsec_ipr_init(ipsec_policy_root_t *ipr) 3359 { 3360 int af; 3361 3362 ipr->ipr_nchains = 0; 3363 ipr->ipr_hash = NULL; 3364 3365 for (af = 0; af < IPSEC_NAF; af++) { 3366 ipr->ipr_nonhash[af] = NULL; 3367 } 3368 } 3369 3370 extern ipsec_policy_head_t * 3371 ipsec_polhead_create(void) 3372 { 3373 ipsec_policy_head_t *php; 3374 3375 php = kmem_alloc(sizeof (*php), KM_NOSLEEP); 3376 if (php == NULL) 3377 return (php); 3378 3379 rw_init(&php->iph_lock, NULL, RW_DEFAULT, NULL); 3380 php->iph_refs = 1; 3381 php->iph_gen = 0; 3382 3383 ipsec_ipr_init(&php->iph_root[IPSEC_TYPE_INBOUND]); 3384 ipsec_ipr_init(&php->iph_root[IPSEC_TYPE_OUTBOUND]); 3385 3386 avl_create(&php->iph_rulebyid, ipsec_policy_cmpbyid, 3387 sizeof (ipsec_policy_t), offsetof(ipsec_policy_t, ipsp_byid)); 3388 3389 return (php); 3390 } 3391 3392 /* 3393 * Clone the policy head into a new polhead; release one reference to the 3394 * old one and return the only reference to the new one. 3395 * If the old one had a refcount of 1, just return it. 3396 */ 3397 extern ipsec_policy_head_t * 3398 ipsec_polhead_split(ipsec_policy_head_t *php) 3399 { 3400 ipsec_policy_head_t *nphp; 3401 3402 if (php == NULL) 3403 return (ipsec_polhead_create()); 3404 else if (php->iph_refs == 1) 3405 return (php); 3406 3407 nphp = ipsec_polhead_create(); 3408 if (nphp == NULL) 3409 return (NULL); 3410 3411 if (ipsec_copy_polhead(php, nphp) != 0) { 3412 ipsec_polhead_free(nphp); 3413 return (NULL); 3414 } 3415 IPPH_REFRELE(php); 3416 return (nphp); 3417 } 3418 3419 /* 3420 * When sending a response to a ICMP request or generating a RST 3421 * in the TCP case, the outbound packets need to go at the same level 3422 * of protection as the incoming ones i.e we associate our outbound 3423 * policy with how the packet came in. We call this after we have 3424 * accepted the incoming packet which may or may not have been in 3425 * clear and hence we are sending the reply back with the policy 3426 * matching the incoming datagram's policy. 3427 * 3428 * NOTE : This technology serves two purposes : 3429 * 3430 * 1) If we have multiple outbound policies, we send out a reply 3431 * matching with how it came in rather than matching the outbound 3432 * policy. 3433 * 3434 * 2) For assymetric policies, we want to make sure that incoming 3435 * and outgoing has the same level of protection. Assymetric 3436 * policies exist only with global policy where we may not have 3437 * both outbound and inbound at the same time. 3438 * 3439 * NOTE2: This function is called by cleartext cases, so it needs to be 3440 * in IP proper. 3441 */ 3442 boolean_t 3443 ipsec_in_to_out(mblk_t *ipsec_mp, ipha_t *ipha, ip6_t *ip6h) 3444 { 3445 ipsec_in_t *ii; 3446 ipsec_out_t *io; 3447 boolean_t v4; 3448 mblk_t *mp; 3449 boolean_t secure, attach_if; 3450 uint_t ifindex; 3451 ipsec_selector_t sel; 3452 ipsec_action_t *reflect_action = NULL; 3453 zoneid_t zoneid; 3454 3455 ASSERT(ipsec_mp->b_datap->db_type == M_CTL); 3456 3457 bzero((void*)&sel, sizeof (sel)); 3458 3459 ii = (ipsec_in_t *)ipsec_mp->b_rptr; 3460 3461 mp = ipsec_mp->b_cont; 3462 ASSERT(mp != NULL); 3463 3464 if (ii->ipsec_in_action != NULL) { 3465 /* transfer reference.. */ 3466 reflect_action = ii->ipsec_in_action; 3467 ii->ipsec_in_action = NULL; 3468 } else if (!ii->ipsec_in_loopback) 3469 reflect_action = ipsec_in_to_out_action(ii); 3470 secure = ii->ipsec_in_secure; 3471 attach_if = ii->ipsec_in_attach_if; 3472 ifindex = ii->ipsec_in_ill_index; 3473 zoneid = ii->ipsec_in_zoneid; 3474 ASSERT(zoneid != ALL_ZONES); 3475 v4 = ii->ipsec_in_v4; 3476 3477 ipsec_in_release_refs(ii); 3478 3479 /* 3480 * The caller is going to send the datagram out which might 3481 * go on the wire or delivered locally through ip_wput_local. 3482 * 3483 * 1) If it goes out on the wire, new associations will be 3484 * obtained. 3485 * 2) If it is delivered locally, ip_wput_local will convert 3486 * this IPSEC_OUT to a IPSEC_IN looking at the requests. 3487 */ 3488 3489 io = (ipsec_out_t *)ipsec_mp->b_rptr; 3490 bzero(io, sizeof (ipsec_out_t)); 3491 io->ipsec_out_type = IPSEC_OUT; 3492 io->ipsec_out_len = sizeof (ipsec_out_t); 3493 io->ipsec_out_frtn.free_func = ipsec_out_free; 3494 io->ipsec_out_frtn.free_arg = (char *)io; 3495 io->ipsec_out_act = reflect_action; 3496 3497 if (!ipsec_init_outbound_ports(&sel, mp, ipha, ip6h)) 3498 return (B_FALSE); 3499 3500 io->ipsec_out_src_port = sel.ips_local_port; 3501 io->ipsec_out_dst_port = sel.ips_remote_port; 3502 io->ipsec_out_proto = sel.ips_protocol; 3503 io->ipsec_out_icmp_type = sel.ips_icmp_type; 3504 io->ipsec_out_icmp_code = sel.ips_icmp_code; 3505 3506 /* 3507 * Don't use global policy for this, as we want 3508 * to use the same protection that was applied to the inbound packet. 3509 */ 3510 io->ipsec_out_use_global_policy = B_FALSE; 3511 io->ipsec_out_proc_begin = B_FALSE; 3512 io->ipsec_out_secure = secure; 3513 io->ipsec_out_v4 = v4; 3514 io->ipsec_out_attach_if = attach_if; 3515 io->ipsec_out_ill_index = ifindex; 3516 io->ipsec_out_zoneid = zoneid; 3517 return (B_TRUE); 3518 } 3519 3520 mblk_t * 3521 ipsec_in_tag(mblk_t *mp, mblk_t *cont) 3522 { 3523 ipsec_in_t *ii = (ipsec_in_t *)mp->b_rptr; 3524 ipsec_in_t *nii; 3525 mblk_t *nmp; 3526 frtn_t nfrtn; 3527 3528 ASSERT(ii->ipsec_in_type == IPSEC_IN); 3529 ASSERT(ii->ipsec_in_len == sizeof (ipsec_in_t)); 3530 3531 nmp = ipsec_in_alloc(ii->ipsec_in_v4); 3532 3533 ASSERT(nmp->b_datap->db_type == M_CTL); 3534 ASSERT(nmp->b_wptr == (nmp->b_rptr + sizeof (ipsec_info_t))); 3535 3536 /* 3537 * Bump refcounts. 3538 */ 3539 if (ii->ipsec_in_ah_sa != NULL) 3540 IPSA_REFHOLD(ii->ipsec_in_ah_sa); 3541 if (ii->ipsec_in_esp_sa != NULL) 3542 IPSA_REFHOLD(ii->ipsec_in_esp_sa); 3543 if (ii->ipsec_in_policy != NULL) 3544 IPPH_REFHOLD(ii->ipsec_in_policy); 3545 3546 /* 3547 * Copy everything, but preserve the free routine provided by 3548 * ipsec_in_alloc(). 3549 */ 3550 nii = (ipsec_in_t *)nmp->b_rptr; 3551 nfrtn = nii->ipsec_in_frtn; 3552 bcopy(ii, nii, sizeof (*ii)); 3553 nii->ipsec_in_frtn = nfrtn; 3554 3555 nmp->b_cont = cont; 3556 3557 return (nmp); 3558 } 3559 3560 mblk_t * 3561 ipsec_out_tag(mblk_t *mp, mblk_t *cont) 3562 { 3563 ipsec_out_t *io = (ipsec_out_t *)mp->b_rptr; 3564 ipsec_out_t *nio; 3565 mblk_t *nmp; 3566 frtn_t nfrtn; 3567 3568 ASSERT(io->ipsec_out_type == IPSEC_OUT); 3569 ASSERT(io->ipsec_out_len == sizeof (ipsec_out_t)); 3570 3571 nmp = ipsec_alloc_ipsec_out(); 3572 if (nmp == NULL) { 3573 freemsg(cont); /* XXX ip_drop_packet() ? */ 3574 return (NULL); 3575 } 3576 ASSERT(nmp->b_datap->db_type == M_CTL); 3577 ASSERT(nmp->b_wptr == (nmp->b_rptr + sizeof (ipsec_info_t))); 3578 3579 /* 3580 * Bump refcounts. 3581 */ 3582 if (io->ipsec_out_ah_sa != NULL) 3583 IPSA_REFHOLD(io->ipsec_out_ah_sa); 3584 if (io->ipsec_out_esp_sa != NULL) 3585 IPSA_REFHOLD(io->ipsec_out_esp_sa); 3586 if (io->ipsec_out_polhead != NULL) 3587 IPPH_REFHOLD(io->ipsec_out_polhead); 3588 if (io->ipsec_out_policy != NULL) 3589 IPPOL_REFHOLD(io->ipsec_out_policy); 3590 if (io->ipsec_out_act != NULL) 3591 IPACT_REFHOLD(io->ipsec_out_act); 3592 if (io->ipsec_out_latch != NULL) 3593 IPLATCH_REFHOLD(io->ipsec_out_latch); 3594 if (io->ipsec_out_cred != NULL) 3595 crhold(io->ipsec_out_cred); 3596 3597 /* 3598 * Copy everything, but preserve the free routine provided by 3599 * ipsec_alloc_ipsec_out(). 3600 */ 3601 nio = (ipsec_out_t *)nmp->b_rptr; 3602 nfrtn = nio->ipsec_out_frtn; 3603 bcopy(io, nio, sizeof (*io)); 3604 nio->ipsec_out_frtn = nfrtn; 3605 3606 nmp->b_cont = cont; 3607 3608 return (nmp); 3609 } 3610 3611 static void 3612 ipsec_out_release_refs(ipsec_out_t *io) 3613 { 3614 ASSERT(io->ipsec_out_type == IPSEC_OUT); 3615 ASSERT(io->ipsec_out_len == sizeof (ipsec_out_t)); 3616 3617 /* Note: IPSA_REFRELE is multi-line macro */ 3618 if (io->ipsec_out_ah_sa != NULL) 3619 IPSA_REFRELE(io->ipsec_out_ah_sa); 3620 if (io->ipsec_out_esp_sa != NULL) 3621 IPSA_REFRELE(io->ipsec_out_esp_sa); 3622 if (io->ipsec_out_polhead != NULL) 3623 IPPH_REFRELE(io->ipsec_out_polhead); 3624 if (io->ipsec_out_policy != NULL) 3625 IPPOL_REFRELE(io->ipsec_out_policy); 3626 if (io->ipsec_out_act != NULL) 3627 IPACT_REFRELE(io->ipsec_out_act); 3628 if (io->ipsec_out_cred != NULL) { 3629 crfree(io->ipsec_out_cred); 3630 io->ipsec_out_cred = NULL; 3631 } 3632 if (io->ipsec_out_latch) { 3633 IPLATCH_REFRELE(io->ipsec_out_latch); 3634 io->ipsec_out_latch = NULL; 3635 } 3636 } 3637 3638 static void 3639 ipsec_out_free(void *arg) 3640 { 3641 ipsec_out_t *io = (ipsec_out_t *)arg; 3642 ipsec_out_release_refs(io); 3643 kmem_cache_free(ipsec_info_cache, arg); 3644 } 3645 3646 static void 3647 ipsec_in_release_refs(ipsec_in_t *ii) 3648 { 3649 /* Note: IPSA_REFRELE is multi-line macro */ 3650 if (ii->ipsec_in_ah_sa != NULL) 3651 IPSA_REFRELE(ii->ipsec_in_ah_sa); 3652 if (ii->ipsec_in_esp_sa != NULL) 3653 IPSA_REFRELE(ii->ipsec_in_esp_sa); 3654 if (ii->ipsec_in_policy != NULL) 3655 IPPH_REFRELE(ii->ipsec_in_policy); 3656 if (ii->ipsec_in_da != NULL) { 3657 freeb(ii->ipsec_in_da); 3658 ii->ipsec_in_da = NULL; 3659 } 3660 } 3661 3662 static void 3663 ipsec_in_free(void *arg) 3664 { 3665 ipsec_in_t *ii = (ipsec_in_t *)arg; 3666 ipsec_in_release_refs(ii); 3667 kmem_cache_free(ipsec_info_cache, arg); 3668 } 3669 3670 /* 3671 * This is called only for outbound datagrams if the datagram needs to 3672 * go out secure. A NULL mp can be passed to get an ipsec_out. This 3673 * facility is used by ip_unbind. 3674 * 3675 * NOTE : o As the data part could be modified by ipsec_out_process etc. 3676 * we can't make it fast by calling a dup. 3677 */ 3678 mblk_t * 3679 ipsec_alloc_ipsec_out() 3680 { 3681 mblk_t *ipsec_mp; 3682 3683 ipsec_out_t *io = kmem_cache_alloc(ipsec_info_cache, KM_NOSLEEP); 3684 3685 if (io == NULL) 3686 return (NULL); 3687 3688 bzero(io, sizeof (ipsec_out_t)); 3689 3690 io->ipsec_out_type = IPSEC_OUT; 3691 io->ipsec_out_len = sizeof (ipsec_out_t); 3692 io->ipsec_out_frtn.free_func = ipsec_out_free; 3693 io->ipsec_out_frtn.free_arg = (char *)io; 3694 3695 /* 3696 * Set the zoneid to ALL_ZONES which is used as an invalid value. Code 3697 * using ipsec_out_zoneid should assert that the zoneid has been set to 3698 * a sane value. 3699 */ 3700 io->ipsec_out_zoneid = ALL_ZONES; 3701 3702 ipsec_mp = desballoc((uint8_t *)io, sizeof (ipsec_info_t), BPRI_HI, 3703 &io->ipsec_out_frtn); 3704 if (ipsec_mp == NULL) { 3705 ipsec_out_free(io); 3706 3707 return (NULL); 3708 } 3709 ipsec_mp->b_datap->db_type = M_CTL; 3710 ipsec_mp->b_wptr = ipsec_mp->b_rptr + sizeof (ipsec_info_t); 3711 3712 return (ipsec_mp); 3713 } 3714 3715 /* 3716 * Attach an IPSEC_OUT; use pol for policy if it is non-null. 3717 * Otherwise initialize using conn. 3718 * 3719 * If pol is non-null, we consume a reference to it. 3720 */ 3721 mblk_t * 3722 ipsec_attach_ipsec_out(mblk_t *mp, conn_t *connp, ipsec_policy_t *pol, 3723 uint8_t proto) 3724 { 3725 mblk_t *ipsec_mp; 3726 queue_t *q; 3727 short mid = 0; 3728 3729 ASSERT((pol != NULL) || (connp != NULL)); 3730 3731 ipsec_mp = ipsec_alloc_ipsec_out(); 3732 if (ipsec_mp == NULL) { 3733 q = CONNP_TO_WQ(connp); 3734 if (q != NULL) { 3735 mid = q->q_qinfo->qi_minfo->mi_idnum; 3736 } 3737 ipsec_rl_strlog(mid, 0, 0, SL_ERROR|SL_NOTE, 3738 "ipsec_attach_ipsec_out: Allocation failure\n"); 3739 BUMP_MIB(&ip_mib, ipOutDiscards); 3740 ip_drop_packet(mp, B_FALSE, NULL, NULL, &ipdrops_spd_nomem, 3741 &spd_dropper); 3742 return (NULL); 3743 } 3744 ipsec_mp->b_cont = mp; 3745 return (ipsec_init_ipsec_out(ipsec_mp, connp, pol, proto)); 3746 } 3747 3748 /* 3749 * Initialize the IPSEC_OUT (ipsec_mp) using pol if it is non-null. 3750 * Otherwise initialize using conn. 3751 * 3752 * If pol is non-null, we consume a reference to it. 3753 */ 3754 mblk_t * 3755 ipsec_init_ipsec_out(mblk_t *ipsec_mp, conn_t *connp, ipsec_policy_t *pol, 3756 uint8_t proto) 3757 { 3758 mblk_t *mp; 3759 ipsec_out_t *io; 3760 ipsec_policy_t *p; 3761 ipha_t *ipha; 3762 ip6_t *ip6h; 3763 3764 ASSERT((pol != NULL) || (connp != NULL)); 3765 3766 /* 3767 * If mp is NULL, we won't/should not be using it. 3768 */ 3769 mp = ipsec_mp->b_cont; 3770 3771 ASSERT(ipsec_mp->b_datap->db_type == M_CTL); 3772 ASSERT(ipsec_mp->b_wptr == (ipsec_mp->b_rptr + sizeof (ipsec_info_t))); 3773 io = (ipsec_out_t *)ipsec_mp->b_rptr; 3774 ASSERT(io->ipsec_out_type == IPSEC_OUT); 3775 ASSERT(io->ipsec_out_len == sizeof (ipsec_out_t)); 3776 io->ipsec_out_latch = NULL; 3777 /* 3778 * Set the zoneid when we have the connp. 3779 * Otherwise, we're called from ip_wput_attach_policy() who will take 3780 * care of setting the zoneid. 3781 */ 3782 if (connp != NULL) 3783 io->ipsec_out_zoneid = connp->conn_zoneid; 3784 3785 if (mp != NULL) { 3786 ipha = (ipha_t *)mp->b_rptr; 3787 if (IPH_HDR_VERSION(ipha) == IP_VERSION) { 3788 io->ipsec_out_v4 = B_TRUE; 3789 ip6h = NULL; 3790 } else { 3791 io->ipsec_out_v4 = B_FALSE; 3792 ip6h = (ip6_t *)ipha; 3793 ipha = NULL; 3794 } 3795 } else { 3796 ASSERT(connp != NULL && connp->conn_policy_cached); 3797 ip6h = NULL; 3798 ipha = NULL; 3799 io->ipsec_out_v4 = !connp->conn_pkt_isv6; 3800 } 3801 3802 p = NULL; 3803 3804 /* 3805 * Take latched policies over global policy. Check here again for 3806 * this, in case we had conn_latch set while the packet was flying 3807 * around in IP. 3808 */ 3809 if (connp != NULL && connp->conn_latch != NULL) { 3810 p = connp->conn_latch->ipl_out_policy; 3811 io->ipsec_out_latch = connp->conn_latch; 3812 IPLATCH_REFHOLD(connp->conn_latch); 3813 if (p != NULL) { 3814 IPPOL_REFHOLD(p); 3815 } 3816 io->ipsec_out_src_port = connp->conn_lport; 3817 io->ipsec_out_dst_port = connp->conn_fport; 3818 io->ipsec_out_icmp_type = io->ipsec_out_icmp_code = 0; 3819 if (pol != NULL) 3820 IPPOL_REFRELE(pol); 3821 } else if (pol != NULL) { 3822 ipsec_selector_t sel; 3823 3824 bzero((void*)&sel, sizeof (sel)); 3825 3826 p = pol; 3827 /* 3828 * conn does not have the port information. Get 3829 * it from the packet. 3830 */ 3831 3832 if (!ipsec_init_outbound_ports(&sel, mp, ipha, ip6h)) { 3833 /* XXX any cleanup required here?? */ 3834 return (NULL); 3835 } 3836 io->ipsec_out_src_port = sel.ips_local_port; 3837 io->ipsec_out_dst_port = sel.ips_remote_port; 3838 io->ipsec_out_icmp_type = sel.ips_icmp_type; 3839 io->ipsec_out_icmp_code = sel.ips_icmp_code; 3840 } 3841 3842 io->ipsec_out_proto = proto; 3843 io->ipsec_out_use_global_policy = B_TRUE; 3844 io->ipsec_out_secure = (p != NULL); 3845 io->ipsec_out_policy = p; 3846 3847 if (p == NULL) { 3848 if (connp->conn_policy != NULL) { 3849 io->ipsec_out_secure = B_TRUE; 3850 ASSERT(io->ipsec_out_latch == NULL); 3851 ASSERT(io->ipsec_out_use_global_policy == B_TRUE); 3852 io->ipsec_out_need_policy = B_TRUE; 3853 ASSERT(io->ipsec_out_polhead == NULL); 3854 IPPH_REFHOLD(connp->conn_policy); 3855 io->ipsec_out_polhead = connp->conn_policy; 3856 } 3857 } 3858 return (ipsec_mp); 3859 } 3860 3861 /* 3862 * Allocate an IPSEC_IN mblk. This will be prepended to an inbound datagram 3863 * and keep track of what-if-any IPsec processing will be applied to the 3864 * datagram. 3865 */ 3866 mblk_t * 3867 ipsec_in_alloc(boolean_t isv4) 3868 { 3869 mblk_t *ipsec_in; 3870 ipsec_in_t *ii = kmem_cache_alloc(ipsec_info_cache, KM_NOSLEEP); 3871 3872 if (ii == NULL) 3873 return (NULL); 3874 3875 bzero(ii, sizeof (ipsec_info_t)); 3876 ii->ipsec_in_type = IPSEC_IN; 3877 ii->ipsec_in_len = sizeof (ipsec_in_t); 3878 3879 ii->ipsec_in_v4 = isv4; 3880 ii->ipsec_in_secure = B_TRUE; 3881 3882 ii->ipsec_in_frtn.free_func = ipsec_in_free; 3883 ii->ipsec_in_frtn.free_arg = (char *)ii; 3884 3885 ipsec_in = desballoc((uint8_t *)ii, sizeof (ipsec_info_t), BPRI_HI, 3886 &ii->ipsec_in_frtn); 3887 if (ipsec_in == NULL) { 3888 ip1dbg(("ipsec_in_alloc: IPSEC_IN allocation failure.\n")); 3889 ipsec_in_free(ii); 3890 return (NULL); 3891 } 3892 3893 ipsec_in->b_datap->db_type = M_CTL; 3894 ipsec_in->b_wptr += sizeof (ipsec_info_t); 3895 3896 return (ipsec_in); 3897 } 3898 3899 /* 3900 * This is called from ip_wput_local when a packet which needs 3901 * security is looped back, to convert the IPSEC_OUT to a IPSEC_IN 3902 * before fanout, where the policy check happens. In most of the 3903 * cases, IPSEC processing has *never* been done. There is one case 3904 * (ip_wput_ire_fragmentit -> ip_wput_frag -> icmp_frag_needed) where 3905 * the packet is destined for localhost, IPSEC processing has already 3906 * been done. 3907 * 3908 * Future: This could happen after SA selection has occurred for 3909 * outbound.. which will tell us who the src and dst identities are.. 3910 * Then it's just a matter of splicing the ah/esp SA pointers from the 3911 * ipsec_out_t to the ipsec_in_t. 3912 */ 3913 void 3914 ipsec_out_to_in(mblk_t *ipsec_mp) 3915 { 3916 ipsec_in_t *ii; 3917 ipsec_out_t *io; 3918 ipsec_policy_t *pol; 3919 ipsec_action_t *act; 3920 boolean_t v4, icmp_loopback; 3921 3922 ASSERT(ipsec_mp->b_datap->db_type == M_CTL); 3923 3924 io = (ipsec_out_t *)ipsec_mp->b_rptr; 3925 3926 v4 = io->ipsec_out_v4; 3927 icmp_loopback = io->ipsec_out_icmp_loopback; 3928 3929 act = io->ipsec_out_act; 3930 if (act == NULL) { 3931 pol = io->ipsec_out_policy; 3932 if (pol != NULL) { 3933 act = pol->ipsp_act; 3934 IPACT_REFHOLD(act); 3935 } 3936 } 3937 io->ipsec_out_act = NULL; 3938 3939 ipsec_out_release_refs(io); 3940 3941 ii = (ipsec_in_t *)ipsec_mp->b_rptr; 3942 bzero(ii, sizeof (ipsec_in_t)); 3943 ii->ipsec_in_type = IPSEC_IN; 3944 ii->ipsec_in_len = sizeof (ipsec_in_t); 3945 ii->ipsec_in_loopback = B_TRUE; 3946 ii->ipsec_in_frtn.free_func = ipsec_in_free; 3947 ii->ipsec_in_frtn.free_arg = (char *)ii; 3948 ii->ipsec_in_action = act; 3949 3950 /* 3951 * In most of the cases, we can't look at the ipsec_out_XXX_sa 3952 * because this never went through IPSEC processing. So, look at 3953 * the requests and infer whether it would have gone through 3954 * IPSEC processing or not. Initialize the "done" fields with 3955 * the requests. The possible values for "done" fields are : 3956 * 3957 * 1) zero, indicates that a particular preference was never 3958 * requested. 3959 * 2) non-zero, indicates that it could be IPSEC_PREF_REQUIRED/ 3960 * IPSEC_PREF_NEVER. If IPSEC_REQ_DONE is set, it means that 3961 * IPSEC processing has been completed. 3962 */ 3963 ii->ipsec_in_secure = B_TRUE; 3964 ii->ipsec_in_v4 = v4; 3965 ii->ipsec_in_icmp_loopback = icmp_loopback; 3966 ii->ipsec_in_attach_if = B_FALSE; 3967 } 3968 3969 /* 3970 * Consults global policy to see whether this datagram should 3971 * go out secure. If so it attaches a ipsec_mp in front and 3972 * returns. 3973 */ 3974 mblk_t * 3975 ip_wput_attach_policy(mblk_t *ipsec_mp, ipha_t *ipha, ip6_t *ip6h, ire_t *ire, 3976 conn_t *connp, boolean_t unspec_src) 3977 { 3978 mblk_t *mp; 3979 ipsec_out_t *io = NULL; 3980 ipsec_selector_t sel; 3981 uint_t ill_index; 3982 boolean_t conn_dontroutex; 3983 boolean_t conn_multicast_loopx; 3984 boolean_t policy_present; 3985 3986 ASSERT((ipha != NULL && ip6h == NULL) || 3987 (ip6h != NULL && ipha == NULL)); 3988 3989 bzero((void*)&sel, sizeof (sel)); 3990 3991 if (ipha != NULL) 3992 policy_present = ipsec_outbound_v4_policy_present; 3993 else 3994 policy_present = ipsec_outbound_v6_policy_present; 3995 /* 3996 * Fast Path to see if there is any policy. 3997 */ 3998 if (!policy_present) { 3999 if (ipsec_mp->b_datap->db_type == M_CTL) { 4000 io = (ipsec_out_t *)ipsec_mp->b_rptr; 4001 if (!io->ipsec_out_secure) { 4002 /* 4003 * If there is no global policy and ip_wput 4004 * or ip_wput_multicast has attached this mp 4005 * for multicast case, free the ipsec_mp and 4006 * return the original mp. 4007 */ 4008 mp = ipsec_mp->b_cont; 4009 freeb(ipsec_mp); 4010 ipsec_mp = mp; 4011 io = NULL; 4012 } 4013 } 4014 if (((io == NULL) || (io->ipsec_out_polhead == NULL)) && 4015 ((connp == NULL) || (connp->conn_policy == NULL))) 4016 return (ipsec_mp); 4017 } 4018 4019 ill_index = 0; 4020 conn_multicast_loopx = conn_dontroutex = B_FALSE; 4021 mp = ipsec_mp; 4022 if (ipsec_mp->b_datap->db_type == M_CTL) { 4023 mp = ipsec_mp->b_cont; 4024 /* 4025 * This is a connection where we have some per-socket 4026 * policy or ip_wput has attached an ipsec_mp for 4027 * the multicast datagram. 4028 */ 4029 io = (ipsec_out_t *)ipsec_mp->b_rptr; 4030 if (!io->ipsec_out_secure) { 4031 /* 4032 * This ipsec_mp was allocated in ip_wput or 4033 * ip_wput_multicast so that we will know the 4034 * value of ill_index, conn_dontroute, 4035 * conn_multicast_loop in the multicast case if 4036 * we inherit global policy here. 4037 */ 4038 ill_index = io->ipsec_out_ill_index; 4039 conn_dontroutex = io->ipsec_out_dontroute; 4040 conn_multicast_loopx = io->ipsec_out_multicast_loop; 4041 freeb(ipsec_mp); 4042 ipsec_mp = mp; 4043 io = NULL; 4044 } 4045 } 4046 4047 if (ipha != NULL) { 4048 sel.ips_local_addr_v4 = (ipha->ipha_src != 0 ? 4049 ipha->ipha_src : ire->ire_src_addr); 4050 sel.ips_remote_addr_v4 = ip_get_dst(ipha); 4051 sel.ips_protocol = (uint8_t)ipha->ipha_protocol; 4052 sel.ips_isv4 = B_TRUE; 4053 } else { 4054 ushort_t hdr_len; 4055 uint8_t *nexthdrp; 4056 boolean_t is_fragment; 4057 4058 sel.ips_isv4 = B_FALSE; 4059 if (IN6_IS_ADDR_UNSPECIFIED(&ip6h->ip6_src)) { 4060 if (!unspec_src) 4061 sel.ips_local_addr_v6 = ire->ire_src_addr_v6; 4062 } else { 4063 sel.ips_local_addr_v6 = ip6h->ip6_src; 4064 } 4065 4066 sel.ips_remote_addr_v6 = ip_get_dst_v6(ip6h, &is_fragment); 4067 if (is_fragment) { 4068 /* 4069 * It's a packet fragment for a packet that 4070 * we have already processed (since IPsec processing 4071 * is done before fragmentation), so we don't 4072 * have to do policy checks again. Fragments can 4073 * come back to us for processing if they have 4074 * been queued up due to flow control. 4075 */ 4076 if (ipsec_mp->b_datap->db_type == M_CTL) { 4077 mp = ipsec_mp->b_cont; 4078 freeb(ipsec_mp); 4079 ipsec_mp = mp; 4080 } 4081 return (ipsec_mp); 4082 } 4083 4084 /* IPv6 common-case. */ 4085 sel.ips_protocol = ip6h->ip6_nxt; 4086 switch (ip6h->ip6_nxt) { 4087 case IPPROTO_TCP: 4088 case IPPROTO_UDP: 4089 case IPPROTO_SCTP: 4090 case IPPROTO_ICMPV6: 4091 break; 4092 default: 4093 if (!ip_hdr_length_nexthdr_v6(mp, ip6h, 4094 &hdr_len, &nexthdrp)) { 4095 BUMP_MIB(&ip6_mib, ipv6OutDiscards); 4096 freemsg(ipsec_mp); /* Not IPsec-related drop. */ 4097 return (NULL); 4098 } 4099 sel.ips_protocol = *nexthdrp; 4100 break; 4101 } 4102 } 4103 4104 if (!ipsec_init_outbound_ports(&sel, mp, ipha, ip6h)) { 4105 if (ipha != NULL) { 4106 BUMP_MIB(&ip_mib, ipOutDiscards); 4107 } else { 4108 BUMP_MIB(&ip6_mib, ipv6OutDiscards); 4109 } 4110 4111 ip_drop_packet(ipsec_mp, B_FALSE, NULL, NULL, 4112 &ipdrops_spd_nomem, &spd_dropper); 4113 return (NULL); 4114 } 4115 4116 if (io != NULL) { 4117 /* 4118 * We seem to have some local policy (we already have 4119 * an ipsec_out). Look at global policy and see 4120 * whether we have to inherit or not. 4121 */ 4122 io->ipsec_out_need_policy = B_FALSE; 4123 ipsec_mp = ipsec_apply_global_policy(ipsec_mp, connp, &sel); 4124 ASSERT((io->ipsec_out_policy != NULL) || 4125 (io->ipsec_out_act != NULL)); 4126 ASSERT(io->ipsec_out_need_policy == B_FALSE); 4127 return (ipsec_mp); 4128 } 4129 ipsec_mp = ipsec_attach_global_policy(mp, connp, &sel); 4130 if (ipsec_mp == NULL) 4131 return (mp); 4132 4133 /* 4134 * Copy the right port information. 4135 */ 4136 ASSERT(ipsec_mp->b_datap->db_type == M_CTL); 4137 io = (ipsec_out_t *)ipsec_mp->b_rptr; 4138 4139 ASSERT(io->ipsec_out_need_policy == B_FALSE); 4140 ASSERT((io->ipsec_out_policy != NULL) || 4141 (io->ipsec_out_act != NULL)); 4142 io->ipsec_out_src_port = sel.ips_local_port; 4143 io->ipsec_out_dst_port = sel.ips_remote_port; 4144 io->ipsec_out_icmp_type = sel.ips_icmp_type; 4145 io->ipsec_out_icmp_code = sel.ips_icmp_code; 4146 /* 4147 * Set ill_index, conn_dontroute and conn_multicast_loop 4148 * for multicast datagrams. 4149 */ 4150 io->ipsec_out_ill_index = ill_index; 4151 io->ipsec_out_dontroute = conn_dontroutex; 4152 io->ipsec_out_multicast_loop = conn_multicast_loopx; 4153 /* 4154 * When conn is non-NULL, the zoneid is set by ipsec_init_ipsec_out(). 4155 * Otherwise set the zoneid based on the ire. 4156 */ 4157 if (connp == NULL) { 4158 zoneid_t zoneid = ire->ire_zoneid; 4159 4160 if (zoneid == ALL_ZONES) 4161 zoneid = GLOBAL_ZONEID; 4162 io->ipsec_out_zoneid = zoneid; 4163 } 4164 return (ipsec_mp); 4165 } 4166 4167 /* 4168 * When appropriate, this function caches inbound and outbound policy 4169 * for this connection. 4170 * 4171 * XXX need to work out more details about per-interface policy and 4172 * caching here! 4173 * 4174 * XXX may want to split inbound and outbound caching for ill.. 4175 */ 4176 int 4177 ipsec_conn_cache_policy(conn_t *connp, boolean_t isv4) 4178 { 4179 boolean_t global_policy_present; 4180 4181 /* 4182 * There is no policy latching for ICMP sockets because we can't 4183 * decide on which policy to use until we see the packet and get 4184 * type/code selectors. 4185 */ 4186 if (connp->conn_ulp == IPPROTO_ICMP || 4187 connp->conn_ulp == IPPROTO_ICMPV6) { 4188 connp->conn_in_enforce_policy = 4189 connp->conn_out_enforce_policy = B_TRUE; 4190 if (connp->conn_latch != NULL) { 4191 IPLATCH_REFRELE(connp->conn_latch); 4192 connp->conn_latch = NULL; 4193 } 4194 connp->conn_flags |= IPCL_CHECK_POLICY; 4195 return (0); 4196 } 4197 4198 global_policy_present = isv4 ? 4199 (ipsec_outbound_v4_policy_present || 4200 ipsec_inbound_v4_policy_present) : 4201 (ipsec_outbound_v6_policy_present || 4202 ipsec_inbound_v6_policy_present); 4203 4204 if ((connp->conn_policy != NULL) || global_policy_present) { 4205 ipsec_selector_t sel; 4206 ipsec_policy_t *p; 4207 4208 if (connp->conn_latch == NULL && 4209 (connp->conn_latch = iplatch_create()) == NULL) { 4210 return (ENOMEM); 4211 } 4212 4213 sel.ips_protocol = connp->conn_ulp; 4214 sel.ips_local_port = connp->conn_lport; 4215 sel.ips_remote_port = connp->conn_fport; 4216 sel.ips_is_icmp_inv_acq = 0; 4217 sel.ips_isv4 = isv4; 4218 if (isv4) { 4219 sel.ips_local_addr_v4 = connp->conn_src; 4220 sel.ips_remote_addr_v4 = connp->conn_rem; 4221 } else { 4222 sel.ips_local_addr_v6 = connp->conn_srcv6; 4223 sel.ips_remote_addr_v6 = connp->conn_remv6; 4224 } 4225 4226 p = ipsec_find_policy(IPSEC_TYPE_INBOUND, connp, NULL, &sel); 4227 if (connp->conn_latch->ipl_in_policy != NULL) 4228 IPPOL_REFRELE(connp->conn_latch->ipl_in_policy); 4229 connp->conn_latch->ipl_in_policy = p; 4230 connp->conn_in_enforce_policy = (p != NULL); 4231 4232 p = ipsec_find_policy(IPSEC_TYPE_OUTBOUND, connp, NULL, &sel); 4233 if (connp->conn_latch->ipl_out_policy != NULL) 4234 IPPOL_REFRELE(connp->conn_latch->ipl_out_policy); 4235 connp->conn_latch->ipl_out_policy = p; 4236 connp->conn_out_enforce_policy = (p != NULL); 4237 4238 /* Clear the latched actions too, in case we're recaching. */ 4239 if (connp->conn_latch->ipl_out_action != NULL) 4240 IPACT_REFRELE(connp->conn_latch->ipl_out_action); 4241 if (connp->conn_latch->ipl_in_action != NULL) 4242 IPACT_REFRELE(connp->conn_latch->ipl_in_action); 4243 } 4244 4245 /* 4246 * We may or may not have policy for this endpoint. We still set 4247 * conn_policy_cached so that inbound datagrams don't have to look 4248 * at global policy as policy is considered latched for these 4249 * endpoints. We should not set conn_policy_cached until the conn 4250 * reflects the actual policy. If we *set* this before inheriting 4251 * the policy there is a window where the check 4252 * CONN_INBOUND_POLICY_PRESENT, will neither check with the policy 4253 * on the conn (because we have not yet copied the policy on to 4254 * conn and hence not set conn_in_enforce_policy) nor with the 4255 * global policy (because conn_policy_cached is already set). 4256 */ 4257 connp->conn_policy_cached = B_TRUE; 4258 if (connp->conn_in_enforce_policy) 4259 connp->conn_flags |= IPCL_CHECK_POLICY; 4260 return (0); 4261 } 4262 4263 void 4264 iplatch_free(ipsec_latch_t *ipl) 4265 { 4266 if (ipl->ipl_out_policy != NULL) 4267 IPPOL_REFRELE(ipl->ipl_out_policy); 4268 if (ipl->ipl_in_policy != NULL) 4269 IPPOL_REFRELE(ipl->ipl_in_policy); 4270 if (ipl->ipl_in_action != NULL) 4271 IPACT_REFRELE(ipl->ipl_in_action); 4272 if (ipl->ipl_out_action != NULL) 4273 IPACT_REFRELE(ipl->ipl_out_action); 4274 if (ipl->ipl_local_cid != NULL) 4275 IPSID_REFRELE(ipl->ipl_local_cid); 4276 if (ipl->ipl_remote_cid != NULL) 4277 IPSID_REFRELE(ipl->ipl_remote_cid); 4278 if (ipl->ipl_local_id != NULL) 4279 crfree(ipl->ipl_local_id); 4280 mutex_destroy(&ipl->ipl_lock); 4281 kmem_free(ipl, sizeof (*ipl)); 4282 } 4283 4284 ipsec_latch_t * 4285 iplatch_create() 4286 { 4287 ipsec_latch_t *ipl = kmem_alloc(sizeof (*ipl), KM_NOSLEEP); 4288 if (ipl == NULL) 4289 return (ipl); 4290 bzero(ipl, sizeof (*ipl)); 4291 mutex_init(&ipl->ipl_lock, NULL, MUTEX_DEFAULT, NULL); 4292 ipl->ipl_refcnt = 1; 4293 return (ipl); 4294 } 4295 4296 /* 4297 * Identity hash table. 4298 * 4299 * Identities are refcounted and "interned" into the hash table. 4300 * Only references coming from other objects (SA's, latching state) 4301 * are counted in ipsid_refcnt. 4302 * 4303 * Locking: IPSID_REFHOLD is safe only when (a) the object's hash bucket 4304 * is locked, (b) we know that the refcount must be > 0. 4305 * 4306 * The ipsid_next and ipsid_ptpn fields are only to be referenced or 4307 * modified when the bucket lock is held; in particular, we only 4308 * delete objects while holding the bucket lock, and we only increase 4309 * the refcount from 0 to 1 while the bucket lock is held. 4310 */ 4311 4312 #define IPSID_HASHSIZE 64 4313 4314 typedef struct ipsif_s 4315 { 4316 ipsid_t *ipsif_head; 4317 kmutex_t ipsif_lock; 4318 } ipsif_t; 4319 4320 ipsif_t ipsid_buckets[IPSID_HASHSIZE]; 4321 4322 /* 4323 * Hash function for ID hash table. 4324 */ 4325 static uint32_t 4326 ipsid_hash(int idtype, char *idstring) 4327 { 4328 uint32_t hval = idtype; 4329 unsigned char c; 4330 4331 while ((c = *idstring++) != 0) { 4332 hval = (hval << 4) | (hval >> 28); 4333 hval ^= c; 4334 } 4335 hval = hval ^ (hval >> 16); 4336 return (hval & (IPSID_HASHSIZE-1)); 4337 } 4338 4339 /* 4340 * Look up identity string in hash table. Return identity object 4341 * corresponding to the name -- either preexisting, or newly allocated. 4342 * 4343 * Return NULL if we need to allocate a new one and can't get memory. 4344 */ 4345 ipsid_t * 4346 ipsid_lookup(int idtype, char *idstring) 4347 { 4348 ipsid_t *retval; 4349 char *nstr; 4350 int idlen = strlen(idstring) + 1; 4351 4352 ipsif_t *bucket = &ipsid_buckets[ipsid_hash(idtype, idstring)]; 4353 4354 mutex_enter(&bucket->ipsif_lock); 4355 4356 for (retval = bucket->ipsif_head; retval != NULL; 4357 retval = retval->ipsid_next) { 4358 if (idtype != retval->ipsid_type) 4359 continue; 4360 if (bcmp(idstring, retval->ipsid_cid, idlen) != 0) 4361 continue; 4362 4363 IPSID_REFHOLD(retval); 4364 mutex_exit(&bucket->ipsif_lock); 4365 return (retval); 4366 } 4367 4368 retval = kmem_alloc(sizeof (*retval), KM_NOSLEEP); 4369 if (!retval) { 4370 mutex_exit(&bucket->ipsif_lock); 4371 return (NULL); 4372 } 4373 4374 nstr = kmem_alloc(idlen, KM_NOSLEEP); 4375 if (!nstr) { 4376 mutex_exit(&bucket->ipsif_lock); 4377 kmem_free(retval, sizeof (*retval)); 4378 return (NULL); 4379 } 4380 4381 retval->ipsid_refcnt = 1; 4382 retval->ipsid_next = bucket->ipsif_head; 4383 if (retval->ipsid_next != NULL) 4384 retval->ipsid_next->ipsid_ptpn = &retval->ipsid_next; 4385 retval->ipsid_ptpn = &bucket->ipsif_head; 4386 retval->ipsid_type = idtype; 4387 retval->ipsid_cid = nstr; 4388 bucket->ipsif_head = retval; 4389 bcopy(idstring, nstr, idlen); 4390 mutex_exit(&bucket->ipsif_lock); 4391 4392 return (retval); 4393 } 4394 4395 /* 4396 * Garbage collect the identity hash table. 4397 */ 4398 void 4399 ipsid_gc() 4400 { 4401 int i, len; 4402 ipsid_t *id, *nid; 4403 ipsif_t *bucket; 4404 4405 for (i = 0; i < IPSID_HASHSIZE; i++) { 4406 bucket = &ipsid_buckets[i]; 4407 mutex_enter(&bucket->ipsif_lock); 4408 for (id = bucket->ipsif_head; id != NULL; id = nid) { 4409 nid = id->ipsid_next; 4410 if (id->ipsid_refcnt == 0) { 4411 *id->ipsid_ptpn = nid; 4412 if (nid != NULL) 4413 nid->ipsid_ptpn = id->ipsid_ptpn; 4414 len = strlen(id->ipsid_cid) + 1; 4415 kmem_free(id->ipsid_cid, len); 4416 kmem_free(id, sizeof (*id)); 4417 } 4418 } 4419 mutex_exit(&bucket->ipsif_lock); 4420 } 4421 } 4422 4423 /* 4424 * Return true if two identities are the same. 4425 */ 4426 boolean_t 4427 ipsid_equal(ipsid_t *id1, ipsid_t *id2) 4428 { 4429 if (id1 == id2) 4430 return (B_TRUE); 4431 #ifdef DEBUG 4432 if ((id1 == NULL) || (id2 == NULL)) 4433 return (B_FALSE); 4434 /* 4435 * test that we're interning id's correctly.. 4436 */ 4437 ASSERT((strcmp(id1->ipsid_cid, id2->ipsid_cid) != 0) || 4438 (id1->ipsid_type != id2->ipsid_type)); 4439 #endif 4440 return (B_FALSE); 4441 } 4442 4443 /* 4444 * Initialize identity table; called during module initialization. 4445 */ 4446 static void 4447 ipsid_init() 4448 { 4449 ipsif_t *bucket; 4450 int i; 4451 4452 for (i = 0; i < IPSID_HASHSIZE; i++) { 4453 bucket = &ipsid_buckets[i]; 4454 mutex_init(&bucket->ipsif_lock, NULL, MUTEX_DEFAULT, NULL); 4455 } 4456 } 4457 4458 /* 4459 * Free identity table (preparatory to module unload) 4460 */ 4461 static void 4462 ipsid_fini() 4463 { 4464 ipsif_t *bucket; 4465 int i; 4466 4467 for (i = 0; i < IPSID_HASHSIZE; i++) { 4468 bucket = &ipsid_buckets[i]; 4469 mutex_destroy(&bucket->ipsif_lock); 4470 } 4471 } 4472 4473 /* 4474 * Update the minimum and maximum supported key sizes for the 4475 * specified algorithm. Must be called while holding the algorithms lock. 4476 */ 4477 void 4478 ipsec_alg_fix_min_max(ipsec_alginfo_t *alg, ipsec_algtype_t alg_type) 4479 { 4480 size_t crypto_min = (size_t)-1, crypto_max = 0; 4481 size_t cur_crypto_min, cur_crypto_max; 4482 boolean_t is_valid; 4483 crypto_mechanism_info_t *mech_infos; 4484 uint_t nmech_infos; 4485 int crypto_rc, i; 4486 crypto_mech_usage_t mask; 4487 4488 ASSERT(MUTEX_HELD(&alg_lock)); 4489 4490 /* 4491 * Compute the min, max, and default key sizes (in number of 4492 * increments to the default key size in bits) as defined 4493 * by the algorithm mappings. This range of key sizes is used 4494 * for policy related operations. The effective key sizes 4495 * supported by the framework could be more limited than 4496 * those defined for an algorithm. 4497 */ 4498 alg->alg_default_bits = alg->alg_key_sizes[0]; 4499 if (alg->alg_increment != 0) { 4500 /* key sizes are defined by range & increment */ 4501 alg->alg_minbits = alg->alg_key_sizes[1]; 4502 alg->alg_maxbits = alg->alg_key_sizes[2]; 4503 4504 alg->alg_default = SADB_ALG_DEFAULT_INCR(alg->alg_minbits, 4505 alg->alg_increment, alg->alg_default_bits); 4506 } else if (alg->alg_nkey_sizes == 0) { 4507 /* no specified key size for algorithm */ 4508 alg->alg_minbits = alg->alg_maxbits = 0; 4509 } else { 4510 /* key sizes are defined by enumeration */ 4511 alg->alg_minbits = (uint16_t)-1; 4512 alg->alg_maxbits = 0; 4513 4514 for (i = 0; i < alg->alg_nkey_sizes; i++) { 4515 if (alg->alg_key_sizes[i] < alg->alg_minbits) 4516 alg->alg_minbits = alg->alg_key_sizes[i]; 4517 if (alg->alg_key_sizes[i] > alg->alg_maxbits) 4518 alg->alg_maxbits = alg->alg_key_sizes[i]; 4519 } 4520 alg->alg_default = 0; 4521 } 4522 4523 if (!(alg->alg_flags & ALG_FLAG_VALID)) 4524 return; 4525 4526 /* 4527 * Mechanisms do not apply to the NULL encryption 4528 * algorithm, so simply return for this case. 4529 */ 4530 if (alg->alg_id == SADB_EALG_NULL) 4531 return; 4532 4533 /* 4534 * Find the min and max key sizes supported by the cryptographic 4535 * framework providers. 4536 */ 4537 4538 /* get the key sizes supported by the framework */ 4539 crypto_rc = crypto_get_all_mech_info(alg->alg_mech_type, 4540 &mech_infos, &nmech_infos, KM_SLEEP); 4541 if (crypto_rc != CRYPTO_SUCCESS || nmech_infos == 0) { 4542 alg->alg_flags &= ~ALG_FLAG_VALID; 4543 return; 4544 } 4545 4546 /* min and max key sizes supported by framework */ 4547 for (i = 0, is_valid = B_FALSE; i < nmech_infos; i++) { 4548 int unit_bits; 4549 4550 /* 4551 * Ignore entries that do not support the operations 4552 * needed for the algorithm type. 4553 */ 4554 if (alg_type == IPSEC_ALG_AUTH) 4555 mask = CRYPTO_MECH_USAGE_MAC; 4556 else 4557 mask = CRYPTO_MECH_USAGE_ENCRYPT | 4558 CRYPTO_MECH_USAGE_DECRYPT; 4559 if ((mech_infos[i].mi_usage & mask) != mask) 4560 continue; 4561 4562 unit_bits = (mech_infos[i].mi_keysize_unit == 4563 CRYPTO_KEYSIZE_UNIT_IN_BYTES) ? 8 : 1; 4564 /* adjust min/max supported by framework */ 4565 cur_crypto_min = mech_infos[i].mi_min_key_size * unit_bits; 4566 cur_crypto_max = mech_infos[i].mi_max_key_size * unit_bits; 4567 4568 if (cur_crypto_min < crypto_min) 4569 crypto_min = cur_crypto_min; 4570 4571 /* 4572 * CRYPTO_EFFECTIVELY_INFINITE is a special value of 4573 * the crypto framework which means "no upper limit". 4574 */ 4575 if (mech_infos[i].mi_max_key_size == 4576 CRYPTO_EFFECTIVELY_INFINITE) 4577 crypto_max = (size_t)-1; 4578 else if (cur_crypto_max > crypto_max) 4579 crypto_max = cur_crypto_max; 4580 4581 is_valid = B_TRUE; 4582 } 4583 4584 kmem_free(mech_infos, sizeof (crypto_mechanism_info_t) * 4585 nmech_infos); 4586 4587 if (!is_valid) { 4588 /* no key sizes supported by framework */ 4589 alg->alg_flags &= ~ALG_FLAG_VALID; 4590 return; 4591 } 4592 4593 /* 4594 * Determine min and max key sizes from alg_key_sizes[]. 4595 * defined for the algorithm entry. Adjust key sizes based on 4596 * those supported by the framework. 4597 */ 4598 alg->alg_ef_default_bits = alg->alg_key_sizes[0]; 4599 if (alg->alg_increment != 0) { 4600 /* supported key sizes are defined by range & increment */ 4601 crypto_min = ALGBITS_ROUND_UP(crypto_min, alg->alg_increment); 4602 crypto_max = ALGBITS_ROUND_DOWN(crypto_max, alg->alg_increment); 4603 4604 alg->alg_ef_minbits = MAX(alg->alg_minbits, 4605 (uint16_t)crypto_min); 4606 alg->alg_ef_maxbits = MIN(alg->alg_maxbits, 4607 (uint16_t)crypto_max); 4608 4609 /* 4610 * If the sizes supported by the framework are outside 4611 * the range of sizes defined by the algorithm mappings, 4612 * the algorithm cannot be used. Check for this 4613 * condition here. 4614 */ 4615 if (alg->alg_ef_minbits > alg->alg_ef_maxbits) { 4616 alg->alg_flags &= ~ALG_FLAG_VALID; 4617 return; 4618 } 4619 4620 if (alg->alg_ef_default_bits < alg->alg_ef_minbits) 4621 alg->alg_ef_default_bits = alg->alg_ef_minbits; 4622 if (alg->alg_ef_default_bits > alg->alg_ef_maxbits) 4623 alg->alg_ef_default_bits = alg->alg_ef_maxbits; 4624 4625 alg->alg_ef_default = SADB_ALG_DEFAULT_INCR(alg->alg_ef_minbits, 4626 alg->alg_increment, alg->alg_ef_default_bits); 4627 } else if (alg->alg_nkey_sizes == 0) { 4628 /* no specified key size for algorithm */ 4629 alg->alg_ef_minbits = alg->alg_ef_maxbits = 0; 4630 } else { 4631 /* supported key sizes are defined by enumeration */ 4632 alg->alg_ef_minbits = (uint16_t)-1; 4633 alg->alg_ef_maxbits = 0; 4634 4635 for (i = 0, is_valid = B_FALSE; i < alg->alg_nkey_sizes; i++) { 4636 /* 4637 * Ignore the current key size if it is not in the 4638 * range of sizes supported by the framework. 4639 */ 4640 if (alg->alg_key_sizes[i] < crypto_min || 4641 alg->alg_key_sizes[i] > crypto_max) 4642 continue; 4643 if (alg->alg_key_sizes[i] < alg->alg_ef_minbits) 4644 alg->alg_ef_minbits = alg->alg_key_sizes[i]; 4645 if (alg->alg_key_sizes[i] > alg->alg_ef_maxbits) 4646 alg->alg_ef_maxbits = alg->alg_key_sizes[i]; 4647 is_valid = B_TRUE; 4648 } 4649 4650 if (!is_valid) { 4651 alg->alg_flags &= ~ALG_FLAG_VALID; 4652 return; 4653 } 4654 alg->alg_ef_default = 0; 4655 } 4656 } 4657 4658 /* 4659 * Free the memory used by the specified algorithm. 4660 */ 4661 void 4662 ipsec_alg_free(ipsec_alginfo_t *alg) 4663 { 4664 if (alg == NULL) 4665 return; 4666 4667 if (alg->alg_key_sizes != NULL) 4668 kmem_free(alg->alg_key_sizes, 4669 (alg->alg_nkey_sizes + 1) * sizeof (uint16_t)); 4670 4671 if (alg->alg_block_sizes != NULL) 4672 kmem_free(alg->alg_block_sizes, 4673 (alg->alg_nblock_sizes + 1) * sizeof (uint16_t)); 4674 4675 kmem_free(alg, sizeof (*alg)); 4676 } 4677 4678 /* 4679 * Check the validity of the specified key size for an algorithm. 4680 * Returns B_TRUE if key size is valid, B_FALSE otherwise. 4681 */ 4682 boolean_t 4683 ipsec_valid_key_size(uint16_t key_size, ipsec_alginfo_t *alg) 4684 { 4685 if (key_size < alg->alg_ef_minbits || key_size > alg->alg_ef_maxbits) 4686 return (B_FALSE); 4687 4688 if (alg->alg_increment == 0 && alg->alg_nkey_sizes != 0) { 4689 /* 4690 * If the key sizes are defined by enumeration, the new 4691 * key size must be equal to one of the supported values. 4692 */ 4693 int i; 4694 4695 for (i = 0; i < alg->alg_nkey_sizes; i++) 4696 if (key_size == alg->alg_key_sizes[i]) 4697 break; 4698 if (i == alg->alg_nkey_sizes) 4699 return (B_FALSE); 4700 } 4701 4702 return (B_TRUE); 4703 } 4704 4705 /* 4706 * Callback function invoked by the crypto framework when a provider 4707 * registers or unregisters. This callback updates the algorithms 4708 * tables when a crypto algorithm is no longer available or becomes 4709 * available, and triggers the freeing/creation of context templates 4710 * associated with existing SAs, if needed. 4711 */ 4712 void 4713 ipsec_prov_update_callback(uint32_t event, void *event_arg) 4714 { 4715 crypto_notify_event_change_t *prov_change = 4716 (crypto_notify_event_change_t *)event_arg; 4717 uint_t algidx, algid, algtype, mech_count, mech_idx; 4718 ipsec_alginfo_t *alg; 4719 ipsec_alginfo_t oalg; 4720 crypto_mech_name_t *mechs; 4721 boolean_t alg_changed = B_FALSE; 4722 4723 /* ignore events for which we didn't register */ 4724 if (event != CRYPTO_EVENT_PROVIDERS_CHANGE) { 4725 ip1dbg(("ipsec_prov_update_callback: unexpected event 0x%x " 4726 " received from crypto framework\n", event)); 4727 return; 4728 } 4729 4730 mechs = crypto_get_mech_list(&mech_count, KM_SLEEP); 4731 if (mechs == NULL) 4732 return; 4733 4734 /* 4735 * Walk the list of currently defined IPsec algorithm. Update 4736 * the algorithm valid flag and trigger an update of the 4737 * SAs that depend on that algorithm. 4738 */ 4739 mutex_enter(&alg_lock); 4740 for (algtype = 0; algtype < IPSEC_NALGTYPES; algtype++) { 4741 for (algidx = 0; algidx < ipsec_nalgs[algtype]; algidx++) { 4742 4743 algid = ipsec_sortlist[algtype][algidx]; 4744 alg = ipsec_alglists[algtype][algid]; 4745 ASSERT(alg != NULL); 4746 4747 /* 4748 * Skip the algorithms which do not map to the 4749 * crypto framework provider being added or removed. 4750 */ 4751 if (strncmp(alg->alg_mech_name, 4752 prov_change->ec_mech_name, 4753 CRYPTO_MAX_MECH_NAME) != 0) 4754 continue; 4755 4756 /* 4757 * Determine if the mechanism is valid. If it 4758 * is not, mark the algorithm as being invalid. If 4759 * it is, mark the algorithm as being valid. 4760 */ 4761 for (mech_idx = 0; mech_idx < mech_count; mech_idx++) 4762 if (strncmp(alg->alg_mech_name, 4763 mechs[mech_idx], CRYPTO_MAX_MECH_NAME) == 0) 4764 break; 4765 if (mech_idx == mech_count && 4766 alg->alg_flags & ALG_FLAG_VALID) { 4767 alg->alg_flags &= ~ALG_FLAG_VALID; 4768 alg_changed = B_TRUE; 4769 } else if (mech_idx < mech_count && 4770 !(alg->alg_flags & ALG_FLAG_VALID)) { 4771 alg->alg_flags |= ALG_FLAG_VALID; 4772 alg_changed = B_TRUE; 4773 } 4774 4775 /* 4776 * Update the supported key sizes, regardless 4777 * of whether a crypto provider was added or 4778 * removed. 4779 */ 4780 oalg = *alg; 4781 ipsec_alg_fix_min_max(alg, algtype); 4782 if (!alg_changed && 4783 alg->alg_ef_minbits != oalg.alg_ef_minbits || 4784 alg->alg_ef_maxbits != oalg.alg_ef_maxbits || 4785 alg->alg_ef_default != oalg.alg_ef_default || 4786 alg->alg_ef_default_bits != 4787 oalg.alg_ef_default_bits) 4788 alg_changed = B_TRUE; 4789 4790 /* 4791 * Update the affected SAs if a software provider is 4792 * being added or removed. 4793 */ 4794 if (prov_change->ec_provider_type == 4795 CRYPTO_SW_PROVIDER) 4796 sadb_alg_update(algtype, alg->alg_id, 4797 prov_change->ec_change == 4798 CRYPTO_EVENT_CHANGE_ADDED); 4799 } 4800 } 4801 mutex_exit(&alg_lock); 4802 crypto_free_mech_list(mechs, mech_count); 4803 4804 if (alg_changed) { 4805 /* 4806 * An algorithm has changed, i.e. it became valid or 4807 * invalid, or its support key sizes have changed. 4808 * Notify ipsecah and ipsecesp of this change so 4809 * that they can send a SADB_REGISTER to their consumers. 4810 */ 4811 ipsecah_algs_changed(); 4812 ipsecesp_algs_changed(); 4813 } 4814 } 4815 4816 /* 4817 * Registers with the crypto framework to be notified of crypto 4818 * providers changes. Used to update the algorithm tables and 4819 * to free or create context templates if needed. Invoked after IPsec 4820 * is loaded successfully. 4821 */ 4822 void 4823 ipsec_register_prov_update(void) 4824 { 4825 prov_update_handle = crypto_notify_events( 4826 ipsec_prov_update_callback, CRYPTO_EVENT_PROVIDERS_CHANGE); 4827 } 4828 4829 /* 4830 * Unregisters from the framework to be notified of crypto providers 4831 * changes. Called from ipsec_policy_destroy(). 4832 */ 4833 static void 4834 ipsec_unregister_prov_update(void) 4835 { 4836 if (prov_update_handle != NULL) 4837 crypto_unnotify_events(prov_update_handle); 4838 } 4839