1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License, Version 1.0 only 6 * (the "License"). You may not use this file except in compliance 7 * with the License. 8 * 9 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 10 * or http://www.opensolaris.org/os/licensing. 11 * See the License for the specific language governing permissions 12 * and limitations under the License. 13 * 14 * When distributing Covered Code, include this CDDL HEADER in each 15 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 16 * If applicable, add the following below this CDDL HEADER, with the 17 * fields enclosed by brackets "[]" replaced with your own identifying 18 * information: Portions Copyright [yyyy] [name of copyright owner] 19 * 20 * CDDL HEADER END 21 */ 22 /* 23 * Copyright 2005 Sun Microsystems, Inc. All rights reserved. 24 * Use is subject to license terms. 25 */ 26 27 #pragma ident "%Z%%M% %I% %E% SMI" 28 29 /* 30 * IPsec Security Policy Database. 31 * 32 * This module maintains the SPD and provides routines used by ip and ip6 33 * to apply IPsec policy to inbound and outbound datagrams. 
34 * 35 * XXX TODO LIST 36 * Inbound policy: 37 * Put policy failure logging back in here (as policy action flag bit) 38 */ 39 40 #include <sys/types.h> 41 #include <sys/stream.h> 42 #include <sys/stropts.h> 43 #include <sys/sysmacros.h> 44 #include <sys/strsubr.h> 45 #include <sys/strlog.h> 46 #include <sys/cmn_err.h> 47 #include <sys/zone.h> 48 49 #include <sys/systm.h> 50 #include <sys/param.h> 51 #include <sys/kmem.h> 52 53 #include <sys/crypto/api.h> 54 55 #include <inet/common.h> 56 #include <inet/mi.h> 57 58 #include <netinet/ip6.h> 59 #include <netinet/icmp6.h> 60 #include <netinet/udp.h> 61 62 #include <inet/ip.h> 63 #include <inet/ip6.h> 64 65 #include <net/pfkeyv2.h> 66 #include <net/pfpolicy.h> 67 #include <inet/ipsec_info.h> 68 #include <inet/sadb.h> 69 #include <inet/ipsec_impl.h> 70 #include <inet/ipsecah.h> 71 #include <inet/ipsecesp.h> 72 #include <inet/ipdrop.h> 73 #include <inet/ipclassifier.h> 74 75 static void ipsec_update_present_flags(); 76 static ipsec_act_t *ipsec_act_wildcard_expand(ipsec_act_t *, uint_t *); 77 static void ipsec_out_free(void *); 78 static void ipsec_in_free(void *); 79 static boolean_t ipsec_init_inbound_sel(ipsec_selector_t *, mblk_t *, 80 ipha_t *, ip6_t *); 81 static mblk_t *ipsec_attach_global_policy(mblk_t *, conn_t *, 82 ipsec_selector_t *); 83 static mblk_t *ipsec_apply_global_policy(mblk_t *, conn_t *, 84 ipsec_selector_t *); 85 static mblk_t *ipsec_check_ipsecin_policy(queue_t *, mblk_t *, 86 ipsec_policy_t *, ipha_t *, ip6_t *); 87 static void ipsec_in_release_refs(ipsec_in_t *); 88 static void ipsec_out_release_refs(ipsec_out_t *); 89 static void ipsec_action_reclaim(void *); 90 static void ipsid_init(void); 91 static void ipsid_fini(void); 92 static boolean_t ipsec_check_ipsecin_action(struct ipsec_in_s *, mblk_t *, 93 struct ipsec_action_s *, ipha_t *ipha, ip6_t *ip6h, const char **, 94 kstat_named_t **); 95 static int32_t ipsec_act_ovhd(const ipsec_act_t *act); 96 static void 
ipsec_unregister_prov_update(void); 97 static boolean_t ipsec_compare_action(ipsec_policy_t *, ipsec_policy_t *); 98 static uint32_t selector_hash(ipsec_selector_t *); 99 100 /* 101 * Policy rule index generator. We assume this won't wrap in the 102 * lifetime of a system. If we make 2^20 policy changes per second, 103 * this will last 2^44 seconds, or roughly 500,000 years, so we don't 104 * have to worry about reusing policy index values. 105 * 106 * Protected by ipsec_conf_lock. 107 */ 108 uint64_t ipsec_next_policy_index = 1; 109 110 /* 111 * Active & Inactive system policy roots 112 */ 113 static ipsec_policy_head_t system_policy; 114 static ipsec_policy_head_t inactive_policy; 115 116 /* Packet dropper for generic SPD drops. */ 117 static ipdropper_t spd_dropper; 118 119 /* 120 * For now, use a trivially sized hash table for actions. 121 * In the future we can add the structure canonicalization necessary 122 * to get the hash function to behave correctly.. 123 */ 124 #define IPSEC_ACTION_HASH_SIZE 1 125 126 /* 127 * Selector hash table is statically sized at module load time. 128 * we default to 251 buckets, which is the largest prime number under 255 129 */ 130 131 #define IPSEC_SPDHASH_DEFAULT 251 132 uint32_t ipsec_spd_hashsize = 0; 133 134 #define IPSEC_SEL_NOHASH ((uint32_t)(~0)) 135 136 static HASH_HEAD(ipsec_action_s) ipsec_action_hash[IPSEC_ACTION_HASH_SIZE]; 137 static HASH_HEAD(ipsec_sel) *ipsec_sel_hash; 138 139 static kmem_cache_t *ipsec_action_cache; 140 static kmem_cache_t *ipsec_sel_cache; 141 static kmem_cache_t *ipsec_pol_cache; 142 static kmem_cache_t *ipsec_info_cache; 143 144 boolean_t ipsec_inbound_v4_policy_present = B_FALSE; 145 boolean_t ipsec_outbound_v4_policy_present = B_FALSE; 146 boolean_t ipsec_inbound_v6_policy_present = B_FALSE; 147 boolean_t ipsec_outbound_v6_policy_present = B_FALSE; 148 149 /* 150 * Because policy needs to know what algorithms are supported, keep the 151 * lists of algorithms here. 
152 */ 153 154 kmutex_t alg_lock; 155 uint8_t ipsec_nalgs[IPSEC_NALGTYPES]; 156 ipsec_alginfo_t *ipsec_alglists[IPSEC_NALGTYPES][IPSEC_MAX_ALGS]; 157 uint8_t ipsec_sortlist[IPSEC_NALGTYPES][IPSEC_MAX_ALGS]; 158 ipsec_algs_exec_mode_t ipsec_algs_exec_mode[IPSEC_NALGTYPES]; 159 static crypto_notify_handle_t prov_update_handle = NULL; 160 161 #define ALGBITS_ROUND_DOWN(x, align) (((x)/(align))*(align)) 162 #define ALGBITS_ROUND_UP(x, align) ALGBITS_ROUND_DOWN((x)+(align)-1, align) 163 164 /* 165 * Inbound traffic should have matching identities for both SA's. 166 */ 167 168 #define SA_IDS_MATCH(sa1, sa2) \ 169 (((sa1) == NULL) || ((sa2) == NULL) || \ 170 (((sa1)->ipsa_src_cid == (sa2)->ipsa_src_cid) && \ 171 (((sa1)->ipsa_dst_cid == (sa2)->ipsa_dst_cid)))) 172 173 #define IPPOL_UNCHAIN(php, ip) \ 174 HASHLIST_UNCHAIN((ip), ipsp_hash); \ 175 avl_remove(&(php)->iph_rulebyid, (ip)); \ 176 IPPOL_REFRELE(ip); 177 178 /* 179 * Policy failure messages. 180 */ 181 static char *ipsec_policy_failure_msgs[] = { 182 183 /* IPSEC_POLICY_NOT_NEEDED */ 184 "%s: Dropping the datagram because the incoming packet " 185 "is %s, but the recipient expects clear; Source %s, " 186 "Destination %s.\n", 187 188 /* IPSEC_POLICY_MISMATCH */ 189 "%s: Policy Failure for the incoming packet (%s); Source %s, " 190 "Destination %s.\n", 191 192 /* IPSEC_POLICY_AUTH_NOT_NEEDED */ 193 "%s: Authentication present while not expected in the " 194 "incoming %s packet; Source %s, Destination %s.\n", 195 196 /* IPSEC_POLICY_ENCR_NOT_NEEDED */ 197 "%s: Encryption present while not expected in the " 198 "incoming %s packet; Source %s, Destination %s.\n", 199 200 /* IPSEC_POLICY_SE_NOT_NEEDED */ 201 "%s: Self-Encapsulation present while not expected in the " 202 "incoming %s packet; Source %s, Destination %s.\n", 203 }; 204 /* 205 * Have a counter for every possible policy message in the previous array. 
 */
static uint32_t ipsec_policy_failure_count[IPSEC_POLICY_MAX];

/* Time since last ipsec policy failure that printed a message. */
hrtime_t ipsec_policy_failure_last = 0;

/*
 * General overviews:
 *
 * Locking:
 *
 *	All of the system policy structures are protected by a single
 *	rwlock, ipsec_conf_lock.  These structures are threaded in a
 *	fairly complex fashion and are not expected to change on a
 *	regular basis, so this should not cause scaling/contention
 *	problems.  As a result, policy checks should (hopefully) be MT-hot.
 *
 * Allocation policy:
 *
 *	We use custom kmem cache types for the various
 *	bits & pieces of the policy data structures.  All allocations
 *	use KM_NOSLEEP instead of KM_SLEEP for policy allocation.  The
 *	policy table is of potentially unbounded size, so we don't
 *	want to provide a way to hog all system memory with policy
 *	entries..
 */

/*
 * AVL tree comparison function.
 * the in-kernel avl assumes unique keys for all objects.
 * Since sometimes policy will duplicate rules, we may insert
 * multiple rules with the same rule id, so we need a tie-breaker.
 *
 * Returns -1/0/1 per the avl_create() comparator contract.
 */
static int
ipsec_policy_cmpbyid(const void *a, const void *b)
{
	const ipsec_policy_t *ipa, *ipb;
	uint64_t idxa, idxb;

	ipa = (const ipsec_policy_t *)a;
	ipb = (const ipsec_policy_t *)b;
	idxa = ipa->ipsp_index;
	idxb = ipb->ipsp_index;

	/* Primary key: the (usually unique) rule index. */
	if (idxa < idxb)
		return (-1);
	if (idxa > idxb)
		return (1);

	/*
	 * Tie-breaker #1: All installed policy rules have a non-NULL
	 * ipsl_sel (selector set), so an entry with a NULL ipsp_sel is not
	 * actually in-tree but rather a template node being used in
	 * an avl_find query; see ipsec_policy_delete().  This gives us
	 * a placeholder in the ordering just before the first entry with
	 * a key >= the one we're looking for, so we can walk forward from
	 * that point to get the remaining entries with the same id.
	 */
	if ((ipa->ipsp_sel == NULL) && (ipb->ipsp_sel != NULL))
		return (-1);
	if ((ipb->ipsp_sel == NULL) && (ipa->ipsp_sel != NULL))
		return (1);

	/*
	 * At most one of the arguments to the comparison should have a
	 * NULL selector pointer; if not, the tree is broken.
	 */
	ASSERT(ipa->ipsp_sel != NULL);
	ASSERT(ipb->ipsp_sel != NULL);

	/*
	 * Tie-breaker #2: use the virtual address of the policy node
	 * to arbitrarily break ties.  Since we use the new tree node in
	 * the avl_find() in ipsec_insert_always, the new node will be
	 * inserted into the tree in the right place in the sequence.
	 */
	if (ipa < ipb)
		return (-1);
	if (ipa > ipb)
		return (1);
	return (0);
}

/*
 * Free the per-direction hash chain tables of a policy head.  Called
 * both at teardown and on partial-allocation failure, so it tolerates
 * roots that were never allocated (ipr_hash == NULL).
 */
static void
ipsec_polhead_free_table(ipsec_policy_head_t *iph)
{
	int dir, nchains;

	/* All tables are sized by the global bucket count. */
	nchains = ipsec_spd_hashsize;

	for (dir = 0; dir < IPSEC_NTYPES; dir++) {
		ipsec_policy_root_t *ipr = &iph->iph_root[dir];

		if (ipr->ipr_hash == NULL)
			continue;

		kmem_free(ipr->ipr_hash, nchains *
		    sizeof (ipsec_policy_hash_t));
	}
}

/*
 * Tear down a policy head: destroy the by-id AVL tree and head rwlock,
 * then each chain's mutex, and finally free the chain tables.
 */
static void
ipsec_polhead_destroy(ipsec_policy_head_t *iph)
{
	int dir;

	avl_destroy(&iph->iph_rulebyid);
	rw_destroy(&iph->iph_lock);

	for (dir = 0; dir < IPSEC_NTYPES; dir++) {
		ipsec_policy_root_t *ipr = &iph->iph_root[dir];
		int nchains = ipr->ipr_nchains;
		int chain;

		for (chain = 0; chain < nchains; chain++)
			mutex_destroy(&(ipr->ipr_hash[chain].hash_lock));

	}
	ipsec_polhead_free_table(iph);
}

/*
 * Module unload hook.
326 */ 327 void 328 ipsec_policy_destroy(void) 329 { 330 int i; 331 332 ip_drop_unregister(&spd_dropper); 333 ip_drop_destroy(); 334 335 ipsec_polhead_destroy(&system_policy); 336 ipsec_polhead_destroy(&inactive_policy); 337 338 for (i = 0; i < IPSEC_ACTION_HASH_SIZE; i++) 339 mutex_destroy(&(ipsec_action_hash[i].hash_lock)); 340 341 for (i = 0; i < ipsec_spd_hashsize; i++) 342 mutex_destroy(&(ipsec_sel_hash[i].hash_lock)); 343 344 ipsec_unregister_prov_update(); 345 346 mutex_destroy(&alg_lock); 347 348 kmem_cache_destroy(ipsec_action_cache); 349 kmem_cache_destroy(ipsec_sel_cache); 350 kmem_cache_destroy(ipsec_pol_cache); 351 kmem_cache_destroy(ipsec_info_cache); 352 ipsid_gc(); 353 ipsid_fini(); 354 } 355 356 357 /* 358 * Called when table allocation fails to free the table. 359 */ 360 static int 361 ipsec_alloc_tables_failed() 362 { 363 if (ipsec_sel_hash != NULL) { 364 kmem_free(ipsec_sel_hash, ipsec_spd_hashsize * 365 sizeof (*ipsec_sel_hash)); 366 ipsec_sel_hash = NULL; 367 } 368 ipsec_polhead_free_table(&system_policy); 369 ipsec_polhead_free_table(&inactive_policy); 370 371 return (ENOMEM); 372 } 373 374 /* 375 * Attempt to allocate the tables in a single policy head. 376 * Return nonzero on failure after cleaning up any work in progress. 377 */ 378 static int 379 ipsec_alloc_table(ipsec_policy_head_t *iph, int kmflag) 380 { 381 int dir, nchains; 382 383 nchains = ipsec_spd_hashsize; 384 385 for (dir = 0; dir < IPSEC_NTYPES; dir++) { 386 ipsec_policy_root_t *ipr = &iph->iph_root[dir]; 387 388 ipr->ipr_hash = kmem_zalloc(nchains * 389 sizeof (ipsec_policy_hash_t), kmflag); 390 if (ipr->ipr_hash == NULL) 391 return (ipsec_alloc_tables_failed()); 392 } 393 return (0); 394 } 395 396 /* 397 * Attempt to allocate the various tables. Return nonzero on failure 398 * after cleaning up any work in progress. 
399 */ 400 static int 401 ipsec_alloc_tables(int kmflag) 402 { 403 int error; 404 405 error = ipsec_alloc_table(&system_policy, kmflag); 406 if (error != 0) 407 return (error); 408 409 error = ipsec_alloc_table(&inactive_policy, kmflag); 410 if (error != 0) 411 return (error); 412 413 ipsec_sel_hash = kmem_zalloc(ipsec_spd_hashsize * 414 sizeof (*ipsec_sel_hash), kmflag); 415 416 if (ipsec_sel_hash == NULL) 417 return (ipsec_alloc_tables_failed()); 418 419 return (0); 420 } 421 422 /* 423 * After table allocation, initialize a policy head. 424 */ 425 static void 426 ipsec_polhead_init(ipsec_policy_head_t *iph) 427 { 428 int dir, chain, nchains; 429 430 nchains = ipsec_spd_hashsize; 431 432 rw_init(&iph->iph_lock, NULL, RW_DEFAULT, NULL); 433 avl_create(&iph->iph_rulebyid, ipsec_policy_cmpbyid, 434 sizeof (ipsec_policy_t), offsetof(ipsec_policy_t, ipsp_byid)); 435 436 for (dir = 0; dir < IPSEC_NTYPES; dir++) { 437 ipsec_policy_root_t *ipr = &iph->iph_root[dir]; 438 ipr->ipr_nchains = nchains; 439 440 for (chain = 0; chain < nchains; chain++) { 441 mutex_init(&(ipr->ipr_hash[chain].hash_lock), 442 NULL, MUTEX_DEFAULT, NULL); 443 } 444 } 445 } 446 447 /* 448 * Module load hook. 449 */ 450 void 451 ipsec_policy_init() 452 { 453 int i; 454 455 /* 456 * Make two attempts to allocate policy hash tables; try it at 457 * the "preferred" size (may be set in /etc/system) first, 458 * then fall back to the default size. 
459 */ 460 if (ipsec_spd_hashsize == 0) 461 ipsec_spd_hashsize = IPSEC_SPDHASH_DEFAULT; 462 463 if (ipsec_alloc_tables(KM_NOSLEEP) != 0) { 464 cmn_err(CE_WARN, 465 "Unable to allocate %d entry IPsec policy hash table", 466 ipsec_spd_hashsize); 467 ipsec_spd_hashsize = IPSEC_SPDHASH_DEFAULT; 468 cmn_err(CE_WARN, "Falling back to %d entries", 469 ipsec_spd_hashsize); 470 (void) ipsec_alloc_tables(KM_SLEEP); 471 } 472 473 ipsid_init(); 474 ipsec_polhead_init(&system_policy); 475 ipsec_polhead_init(&inactive_policy); 476 477 for (i = 0; i < IPSEC_ACTION_HASH_SIZE; i++) 478 mutex_init(&(ipsec_action_hash[i].hash_lock), 479 NULL, MUTEX_DEFAULT, NULL); 480 481 for (i = 0; i < ipsec_spd_hashsize; i++) 482 mutex_init(&(ipsec_sel_hash[i].hash_lock), 483 NULL, MUTEX_DEFAULT, NULL); 484 485 mutex_init(&alg_lock, NULL, MUTEX_DEFAULT, NULL); 486 487 for (i = 0; i < IPSEC_NALGTYPES; i++) 488 ipsec_nalgs[i] = 0; 489 490 ipsec_action_cache = kmem_cache_create("ipsec_actions", 491 sizeof (ipsec_action_t), _POINTER_ALIGNMENT, NULL, NULL, 492 ipsec_action_reclaim, NULL, NULL, 0); 493 ipsec_sel_cache = kmem_cache_create("ipsec_selectors", 494 sizeof (ipsec_sel_t), _POINTER_ALIGNMENT, NULL, NULL, 495 NULL, NULL, NULL, 0); 496 ipsec_pol_cache = kmem_cache_create("ipsec_policy", 497 sizeof (ipsec_policy_t), _POINTER_ALIGNMENT, NULL, NULL, 498 NULL, NULL, NULL, 0); 499 ipsec_info_cache = kmem_cache_create("ipsec_info", 500 sizeof (ipsec_info_t), _POINTER_ALIGNMENT, NULL, NULL, 501 NULL, NULL, NULL, 0); 502 503 ip_drop_init(); 504 ip_drop_register(&spd_dropper, "IPsec SPD"); 505 } 506 507 /* 508 * Sort algorithm lists. 509 * EXPORT DELETE START 510 * I may need to split this based on 511 * authentication/encryption, and I may wish to have an administrator 512 * configure this list. Hold on to some NDD variables... 513 * EXPORT DELETE END 514 * 515 * XXX For now, sort on minimum key size (GAG!). 
 * While minimum key size is not the ideal metric, it's the only
 * quantifiable measure available in the AUTH/ENCR PI.  We need a better
 * metric for sorting algorithms by preference.
 */
static void
alg_insert_sortlist(enum ipsec_algtype at, uint8_t algid)
{
	ipsec_alginfo_t *ai = ipsec_alglists[at][algid];
	uint8_t holder, swap;
	uint_t i;
	uint_t count = ipsec_nalgs[at];
	ASSERT(ai != NULL);
	ASSERT(algid == ai->alg_id);

	ASSERT(MUTEX_HELD(&alg_lock));

	/*
	 * Insertion sort: carry the new algid ("holder") down the sorted
	 * list; once it displaces an entry, that entry becomes the holder
	 * and ripples the remaining entries one slot down.
	 */
	holder = algid;

	for (i = 0; i < count - 1; i++) {
		ipsec_alginfo_t *alt;

		alt = ipsec_alglists[at][ipsec_sortlist[at][i]];
		/*
		 * If you want to give precedence to newly added algs,
		 * add the = in the > comparison.
		 */
		if ((holder != algid) || (ai->alg_minbits > alt->alg_minbits)) {
			/* Swap sortlist[i] and holder. */
			swap = ipsec_sortlist[at][i];
			ipsec_sortlist[at][i] = holder;
			holder = swap;
			ai = alt;
		} /* Else just continue. */
	}

	/* Store holder in last slot. */
	ipsec_sortlist[at][i] = holder;
}

/*
 * Remove an algorithm from a sorted algorithm list.
 * This should be considerably easier, even with complex sorting.
 *
 * NOTE: the caller (ipsec_alg_unreg) has already decremented
 * ipsec_nalgs[at], so the loop bound of <= newcount covers every entry
 * of the pre-removal list.  Once the target algid is found, each later
 * entry is copied back one slot.
 */
static void
alg_remove_sortlist(enum ipsec_algtype at, uint8_t algid)
{
	boolean_t copyback = B_FALSE;
	int i;
	int newcount = ipsec_nalgs[at];

	ASSERT(MUTEX_HELD(&alg_lock));

	for (i = 0; i <= newcount; i++) {
		if (copyback)
			ipsec_sortlist[at][i-1] = ipsec_sortlist[at][i];
		else if (ipsec_sortlist[at][i] == algid)
			copyback = B_TRUE;
	}
}

/*
 * Add the specified algorithm to the algorithm tables.
 * Must be called while holding the algorithm table writer lock.
 */
void
ipsec_alg_reg(ipsec_algtype_t algtype, ipsec_alginfo_t *alg)
{
	ASSERT(MUTEX_HELD(&alg_lock));

	ASSERT(ipsec_alglists[algtype][alg->alg_id] == NULL);
	ipsec_alg_fix_min_max(alg, algtype);
	ipsec_alglists[algtype][alg->alg_id] = alg;

	ipsec_nalgs[algtype]++;
	alg_insert_sortlist(algtype, alg->alg_id);
}

/*
 * Remove the specified algorithm from the algorithm tables.
 * Must be called while holding the algorithm table writer lock.
 */
void
ipsec_alg_unreg(ipsec_algtype_t algtype, uint8_t algid)
{
	ASSERT(MUTEX_HELD(&alg_lock));

	ASSERT(ipsec_alglists[algtype][algid] != NULL);
	ipsec_alg_free(ipsec_alglists[algtype][algid]);
	ipsec_alglists[algtype][algid] = NULL;

	/* Decrement first: alg_remove_sortlist relies on the new count. */
	ipsec_nalgs[algtype]--;
	alg_remove_sortlist(algtype, algid);
}

/*
 * Hooks for spdsock to get a grip on system policy.
 * Both return the head with a reference held; callers must release it.
 */

ipsec_policy_head_t *
ipsec_system_policy(void)
{
	ipsec_policy_head_t *h = &system_policy;
	IPPH_REFHOLD(h);
	return (h);
}

ipsec_policy_head_t *
ipsec_inactive_policy(void)
{
	ipsec_policy_head_t *h = &inactive_policy;
	IPPH_REFHOLD(h);
	return (h);
}

/*
 * Lock inactive policy, then active policy, then exchange policy root
 * pointers.
 */
void
ipsec_swap_policy(void)
{
	int af, dir;
	avl_tree_t r1, r2;

	/* Lock order: inactive before active (matches ipsec_copy_polhead). */
	rw_enter(&inactive_policy.iph_lock, RW_WRITER);
	rw_enter(&system_policy.iph_lock, RW_WRITER);

	/* Swap the by-id AVL trees wholesale (struct copy). */
	r1 = system_policy.iph_rulebyid;
	r2 = inactive_policy.iph_rulebyid;
	system_policy.iph_rulebyid = r2;
	inactive_policy.iph_rulebyid = r1;

	for (dir = 0; dir < IPSEC_NTYPES; dir++) {
		ipsec_policy_hash_t *h1, *h2;

		/* Swap the hashed-rule chain tables for this direction. */
		h1 = system_policy.iph_root[dir].ipr_hash;
		h2 = inactive_policy.iph_root[dir].ipr_hash;
		system_policy.iph_root[dir].ipr_hash = h2;
		inactive_policy.iph_root[dir].ipr_hash = h1;

		for (af = 0; af < IPSEC_NAF; af++) {
			ipsec_policy_t *t1, *t2;

			/* Swap the non-hashable (wildcard) rule chains. */
			t1 = system_policy.iph_root[dir].ipr_nonhash[af];
			t2 = inactive_policy.iph_root[dir].ipr_nonhash[af];
			system_policy.iph_root[dir].ipr_nonhash[af] = t2;
			inactive_policy.iph_root[dir].ipr_nonhash[af] = t1;
			/*
			 * Fix each chain head's back-pointer to point at
			 * its new owner's slot.
			 */
			if (t1 != NULL) {
				t1->ipsp_hash.hash_pp =
				    &(inactive_policy.iph_root[dir].
				    ipr_nonhash[af]);
			}
			if (t2 != NULL) {
				t2->ipsp_hash.hash_pp =
				    &(system_policy.iph_root[dir].
				    ipr_nonhash[af]);
			}

		}
	}
	/* Bump generations so cached lookups notice the change. */
	system_policy.iph_gen++;
	inactive_policy.iph_gen++;
	ipsec_update_present_flags();
	rw_exit(&system_policy.iph_lock);
	rw_exit(&inactive_policy.iph_lock);
}

/*
 * Clone one policy rule..
 *
 * The clone shares the selector and action of the source (with
 * references taken) rather than deep-copying them.  Returns NULL on
 * allocation failure (KM_NOSLEEP by design; see allocation policy above).
 */
static ipsec_policy_t *
ipsec_copy_policy(const ipsec_policy_t *src)
{
	ipsec_policy_t *dst = kmem_cache_alloc(ipsec_pol_cache, KM_NOSLEEP);

	if (dst == NULL)
		return (NULL);

	/*
	 * Adjust refcounts of cloned state.
	 */
	IPACT_REFHOLD(src->ipsp_act);
	src->ipsp_sel->ipsl_refs++;

	HASH_NULL(dst, ipsp_hash);
	dst->ipsp_refs = 1;
	dst->ipsp_sel = src->ipsp_sel;
	dst->ipsp_act = src->ipsp_act;
	dst->ipsp_prio = src->ipsp_prio;
	dst->ipsp_index = src->ipsp_index;

	return (dst);
}

/*
 * Insert a node into an AVL tree, asserting that no equal node is
 * already present.  Relies on ipsec_policy_cmpbyid's address
 * tie-breaker to make the new node unique.
 */
void
ipsec_insert_always(avl_tree_t *tree, void *new_node)
{
	void *node;
	avl_index_t where;

	node = avl_find(tree, new_node, &where);
	ASSERT(node == NULL);
	avl_insert(tree, new_node, where);
}


/*
 * Clone an entire chain of rules into *dstp, also registering each
 * clone in the destination head's by-id tree.  Returns ENOMEM on
 * allocation failure (caller is responsible for flushing dph).
 */
static int
ipsec_copy_chain(ipsec_policy_head_t *dph, ipsec_policy_t *src,
    ipsec_policy_t **dstp)
{
	for (; src != NULL; src = src->ipsp_hash.hash_next) {
		ipsec_policy_t *dst = ipsec_copy_policy(src);
		if (dst == NULL)
			return (ENOMEM);

		HASHLIST_INSERT(dst, ipsp_hash, *dstp);
		ipsec_insert_always(&dph->iph_rulebyid, dst);
	}
	return (0);
}



/*
 * Make one policy head look exactly like another.
 *
 * As with ipsec_swap_policy, we lock the destination policy head first, then
 * the source policy head.  Note that we only need to read-lock the source
 * policy head as we are not changing it.
 */
static int
ipsec_copy_polhead(ipsec_policy_head_t *sph, ipsec_policy_head_t *dph)
{
	int af, dir, chain, nchains;

	rw_enter(&dph->iph_lock, RW_WRITER);

	/* Start from a clean destination. */
	ipsec_polhead_flush(dph);

	rw_enter(&sph->iph_lock, RW_READER);

	for (dir = 0; dir < IPSEC_NTYPES; dir++) {
		ipsec_policy_root_t *dpr = &dph->iph_root[dir];
		ipsec_policy_root_t *spr = &sph->iph_root[dir];
		nchains = dpr->ipr_nchains;

		ASSERT(dpr->ipr_nchains == spr->ipr_nchains);

		for (af = 0; af < IPSEC_NAF; af++) {
			if (ipsec_copy_chain(dph, spr->ipr_nonhash[af],
			    &dpr->ipr_nonhash[af]))
				goto abort_copy;
		}

		for (chain = 0; chain < nchains; chain++) {
			if (ipsec_copy_chain(dph,
			    spr->ipr_hash[chain].hash_head,
			    &dpr->ipr_hash[chain].hash_head))
				goto abort_copy;
		}
	}

	dph->iph_gen++;

	rw_exit(&sph->iph_lock);
	rw_exit(&dph->iph_lock);
	return (0);

abort_copy:
	/* Undo the partial copy before dropping locks. */
	ipsec_polhead_flush(dph);
	rw_exit(&sph->iph_lock);
	rw_exit(&dph->iph_lock);
	return (ENOMEM);
}

/*
 * Clone currently active policy to the inactive policy list.
 */
int
ipsec_clone_system_policy(void)
{
	return (ipsec_copy_polhead(&system_policy, &inactive_policy));
}


/*
 * Extract the string from ipsec_policy_failure_msgs[type] and
 * log it.
 *
 * This function needs to be kept in synch with ipsec_rl_strlog() in
 * sadb.c.
 * XXX this function should be combined with the ipsec_rl_strlog() function.
807 */ 808 void 809 ipsec_log_policy_failure(queue_t *q, int type, char *func_name, ipha_t *ipha, 810 ip6_t *ip6h, boolean_t secure) 811 { 812 char sbuf[INET6_ADDRSTRLEN]; 813 char dbuf[INET6_ADDRSTRLEN]; 814 char *s; 815 char *d; 816 hrtime_t current = gethrtime(); 817 818 ASSERT((ipha == NULL && ip6h != NULL) || 819 (ip6h == NULL && ipha != NULL)); 820 821 if (ipha != NULL) { 822 s = inet_ntop(AF_INET, &ipha->ipha_src, sbuf, sizeof (sbuf)); 823 d = inet_ntop(AF_INET, &ipha->ipha_dst, dbuf, sizeof (dbuf)); 824 } else { 825 s = inet_ntop(AF_INET6, &ip6h->ip6_src, sbuf, sizeof (sbuf)); 826 d = inet_ntop(AF_INET6, &ip6h->ip6_dst, dbuf, sizeof (dbuf)); 827 828 } 829 830 /* Always bump the policy failure counter. */ 831 ipsec_policy_failure_count[type]++; 832 833 /* Convert interval (in msec) to hrtime (in nsec), which means * 10^6 */ 834 if (ipsec_policy_failure_last + 835 ((hrtime_t)ipsec_policy_log_interval * (hrtime_t)1000000) <= 836 current) { 837 /* 838 * Throttle the logging such that I only log one message 839 * every 'ipsec_policy_log_interval' amount of time. 840 */ 841 (void) mi_strlog(q, 0, SL_ERROR|SL_WARN|SL_CONSOLE, 842 ipsec_policy_failure_msgs[type], 843 func_name, 844 (secure ? "secure" : "not secure"), s, d); 845 ipsec_policy_failure_last = current; 846 } 847 } 848 849 void 850 ipsec_config_flush() 851 { 852 rw_enter(&system_policy.iph_lock, RW_WRITER); 853 ipsec_polhead_flush(&system_policy); 854 ipsec_next_policy_index = 1; 855 rw_exit(&system_policy.iph_lock); 856 ipsec_action_reclaim(0); 857 } 858 859 /* 860 * Clip a policy's min/max keybits vs. the capabilities of the 861 * algorithm. 862 */ 863 static void 864 act_alg_adjust(uint_t algtype, uint_t algid, 865 uint16_t *minbits, uint16_t *maxbits) 866 { 867 ipsec_alginfo_t *algp = ipsec_alglists[algtype][algid]; 868 if (algp != NULL) { 869 /* 870 * If passed-in minbits is zero, we assume the caller trusts 871 * us with setting the minimum key size. 
We pick the 872 * algorithms DEFAULT key size for the minimum in this case. 873 */ 874 if (*minbits == 0) { 875 *minbits = algp->alg_default_bits; 876 ASSERT(*minbits >= algp->alg_minbits); 877 } else { 878 *minbits = MAX(*minbits, algp->alg_minbits); 879 } 880 if (*maxbits == 0) 881 *maxbits = algp->alg_maxbits; 882 else 883 *maxbits = MIN(*maxbits, algp->alg_maxbits); 884 ASSERT(*minbits <= *maxbits); 885 } else { 886 *minbits = 0; 887 *maxbits = 0; 888 } 889 } 890 891 /* 892 * Check an action's requested algorithms against the algorithms currently 893 * loaded in the system. 894 */ 895 boolean_t 896 ipsec_check_action(ipsec_act_t *act, int *diag) 897 { 898 ipsec_prot_t *ipp; 899 900 ipp = &act->ipa_apply; 901 902 if (ipp->ipp_use_ah && 903 ipsec_alglists[IPSEC_ALG_AUTH][ipp->ipp_auth_alg] == NULL) { 904 *diag = SPD_DIAGNOSTIC_UNSUPP_AH_ALG; 905 return (B_FALSE); 906 } 907 if (ipp->ipp_use_espa && 908 ipsec_alglists[IPSEC_ALG_AUTH][ipp->ipp_esp_auth_alg] == NULL) { 909 *diag = SPD_DIAGNOSTIC_UNSUPP_ESP_AUTH_ALG; 910 return (B_FALSE); 911 } 912 if (ipp->ipp_use_esp && 913 ipsec_alglists[IPSEC_ALG_ENCR][ipp->ipp_encr_alg] == NULL) { 914 *diag = SPD_DIAGNOSTIC_UNSUPP_ESP_ENCR_ALG; 915 return (B_FALSE); 916 } 917 918 act_alg_adjust(IPSEC_ALG_AUTH, ipp->ipp_auth_alg, 919 &ipp->ipp_ah_minbits, &ipp->ipp_ah_maxbits); 920 act_alg_adjust(IPSEC_ALG_AUTH, ipp->ipp_esp_auth_alg, 921 &ipp->ipp_espa_minbits, &ipp->ipp_espa_maxbits); 922 act_alg_adjust(IPSEC_ALG_ENCR, ipp->ipp_encr_alg, 923 &ipp->ipp_espe_minbits, &ipp->ipp_espe_maxbits); 924 925 if (ipp->ipp_ah_minbits > ipp->ipp_ah_maxbits) { 926 *diag = SPD_DIAGNOSTIC_UNSUPP_AH_KEYSIZE; 927 return (B_FALSE); 928 } 929 if (ipp->ipp_espa_minbits > ipp->ipp_espa_maxbits) { 930 *diag = SPD_DIAGNOSTIC_UNSUPP_ESP_AUTH_KEYSIZE; 931 return (B_FALSE); 932 } 933 if (ipp->ipp_espe_minbits > ipp->ipp_espe_maxbits) { 934 *diag = SPD_DIAGNOSTIC_UNSUPP_ESP_ENCR_KEYSIZE; 935 return (B_FALSE); 936 } 937 /* TODO: sanity check lifetimes */ 938 
return (B_TRUE); 939 } 940 941 /* 942 * Set up a single action during wildcard expansion.. 943 */ 944 static void 945 ipsec_setup_act(ipsec_act_t *outact, ipsec_act_t *act, 946 uint_t auth_alg, uint_t encr_alg, uint_t eauth_alg) 947 { 948 ipsec_prot_t *ipp; 949 950 *outact = *act; 951 ipp = &outact->ipa_apply; 952 ipp->ipp_auth_alg = (uint8_t)auth_alg; 953 ipp->ipp_encr_alg = (uint8_t)encr_alg; 954 ipp->ipp_esp_auth_alg = (uint8_t)eauth_alg; 955 956 act_alg_adjust(IPSEC_ALG_AUTH, auth_alg, 957 &ipp->ipp_ah_minbits, &ipp->ipp_ah_maxbits); 958 act_alg_adjust(IPSEC_ALG_AUTH, eauth_alg, 959 &ipp->ipp_espa_minbits, &ipp->ipp_espa_maxbits); 960 act_alg_adjust(IPSEC_ALG_ENCR, encr_alg, 961 &ipp->ipp_espe_minbits, &ipp->ipp_espe_maxbits); 962 } 963 964 /* 965 * combinatoric expansion time: expand a wildcarded action into an 966 * array of wildcarded actions; we return the exploded action list, 967 * and return a count in *nact (output only). 968 */ 969 static ipsec_act_t * 970 ipsec_act_wildcard_expand(ipsec_act_t *act, uint_t *nact) 971 { 972 boolean_t use_ah, use_esp, use_espa; 973 boolean_t wild_auth, wild_encr, wild_eauth; 974 uint_t auth_alg, auth_idx, auth_min, auth_max; 975 uint_t eauth_alg, eauth_idx, eauth_min, eauth_max; 976 uint_t encr_alg, encr_idx, encr_min, encr_max; 977 uint_t action_count, ai; 978 ipsec_act_t *outact; 979 980 if (act->ipa_type != IPSEC_ACT_APPLY) { 981 outact = kmem_alloc(sizeof (*act), KM_NOSLEEP); 982 *nact = 1; 983 if (outact != NULL) 984 bcopy(act, outact, sizeof (*act)); 985 return (outact); 986 } 987 /* 988 * compute the combinatoric explosion.. 989 * 990 * we assume a request for encr if esp_req is PREF_REQUIRED 991 * we assume a request for ah auth if ah_req is PREF_REQUIRED. 
992 * we assume a request for esp auth if !ah and esp_req is PREF_REQUIRED 993 */ 994 995 use_ah = act->ipa_apply.ipp_use_ah; 996 use_esp = act->ipa_apply.ipp_use_esp; 997 use_espa = act->ipa_apply.ipp_use_espa; 998 auth_alg = act->ipa_apply.ipp_auth_alg; 999 eauth_alg = act->ipa_apply.ipp_esp_auth_alg; 1000 encr_alg = act->ipa_apply.ipp_encr_alg; 1001 1002 wild_auth = use_ah && (auth_alg == 0); 1003 wild_eauth = use_espa && (eauth_alg == 0); 1004 wild_encr = use_esp && (encr_alg == 0); 1005 1006 action_count = 1; 1007 auth_min = auth_max = auth_alg; 1008 eauth_min = eauth_max = eauth_alg; 1009 encr_min = encr_max = encr_alg; 1010 1011 /* 1012 * set up for explosion.. for each dimension, expand output 1013 * size by the explosion factor. 1014 * 1015 * Don't include the "any" algorithms, if defined, as no 1016 * kernel policies should be set for these algorithms. 1017 */ 1018 1019 #define SET_EXP_MINMAX(type, wild, alg, min, max) if (wild) { \ 1020 int nalgs = ipsec_nalgs[type]; \ 1021 if (ipsec_alglists[type][alg] != NULL) \ 1022 nalgs--; \ 1023 action_count *= nalgs; \ 1024 min = 0; \ 1025 max = ipsec_nalgs[type] - 1; \ 1026 } 1027 1028 SET_EXP_MINMAX(IPSEC_ALG_AUTH, wild_auth, SADB_AALG_NONE, 1029 auth_min, auth_max); 1030 SET_EXP_MINMAX(IPSEC_ALG_AUTH, wild_eauth, SADB_AALG_NONE, 1031 eauth_min, eauth_max); 1032 SET_EXP_MINMAX(IPSEC_ALG_ENCR, wild_encr, SADB_EALG_NONE, 1033 encr_min, encr_max); 1034 1035 #undef SET_EXP_MINMAX 1036 1037 /* 1038 * ok, allocate the whole mess.. 1039 */ 1040 1041 outact = kmem_alloc(sizeof (*outact) * action_count, KM_NOSLEEP); 1042 if (outact == NULL) 1043 return (NULL); 1044 1045 /* 1046 * Now compute all combinations. Note that non-wildcarded 1047 * dimensions just get a single value from auth_min, while 1048 * wildcarded dimensions indirect through the sortlist. 1049 * 1050 * We do encryption outermost since, at this time, there's 1051 * greater difference in security and performance between 1052 * encryption algorithms vs. 
authentication algorithms. 1053 */ 1054 1055 ai = 0; 1056 1057 #define WHICH_ALG(type, wild, idx) ((wild)?(ipsec_sortlist[type][idx]):(idx)) 1058 1059 for (encr_idx = encr_min; encr_idx <= encr_max; encr_idx++) { 1060 encr_alg = WHICH_ALG(IPSEC_ALG_ENCR, wild_encr, encr_idx); 1061 if (wild_encr && encr_alg == SADB_EALG_NONE) 1062 continue; 1063 for (auth_idx = auth_min; auth_idx <= auth_max; auth_idx++) { 1064 auth_alg = WHICH_ALG(IPSEC_ALG_AUTH, wild_auth, 1065 auth_idx); 1066 if (wild_auth && auth_alg == SADB_AALG_NONE) 1067 continue; 1068 for (eauth_idx = eauth_min; eauth_idx <= eauth_max; 1069 eauth_idx++) { 1070 eauth_alg = WHICH_ALG(IPSEC_ALG_AUTH, 1071 wild_eauth, eauth_idx); 1072 if (wild_eauth && eauth_alg == SADB_AALG_NONE) 1073 continue; 1074 1075 ipsec_setup_act(&outact[ai], act, 1076 auth_alg, encr_alg, eauth_alg); 1077 ai++; 1078 } 1079 } 1080 } 1081 1082 #undef WHICH_ALG 1083 1084 ASSERT(ai == action_count); 1085 *nact = action_count; 1086 return (outact); 1087 } 1088 1089 /* 1090 * Extract the parts of an ipsec_prot_t from an old-style ipsec_req_t. 1091 */ 1092 static void 1093 ipsec_prot_from_req(ipsec_req_t *req, ipsec_prot_t *ipp) 1094 { 1095 bzero(ipp, sizeof (*ipp)); 1096 /* 1097 * ipp_use_* are bitfields. Look at "!!" in the following as a 1098 * "boolean canonicalization" operator. 1099 */ 1100 ipp->ipp_use_ah = !!(req->ipsr_ah_req & IPSEC_PREF_REQUIRED); 1101 ipp->ipp_use_esp = !!(req->ipsr_esp_req & IPSEC_PREF_REQUIRED); 1102 ipp->ipp_use_espa = !!(req->ipsr_esp_auth_alg) || !ipp->ipp_use_ah; 1103 ipp->ipp_use_se = !!(req->ipsr_self_encap_req & IPSEC_PREF_REQUIRED); 1104 ipp->ipp_use_unique = !!((req->ipsr_ah_req|req->ipsr_esp_req) & 1105 IPSEC_PREF_UNIQUE); 1106 ipp->ipp_encr_alg = req->ipsr_esp_alg; 1107 ipp->ipp_auth_alg = req->ipsr_auth_alg; 1108 ipp->ipp_esp_auth_alg = req->ipsr_esp_auth_alg; 1109 } 1110 1111 /* 1112 * Extract a new-style action from a request. 
 */
void
ipsec_actvec_from_req(ipsec_req_t *req, ipsec_act_t **actp, uint_t *nactp)
{
	struct ipsec_act act;

	bzero(&act, sizeof (act));
	/* Both AH and ESP marked NEVER means "bypass IPsec entirely". */
	if ((req->ipsr_ah_req & IPSEC_PREF_NEVER) &&
	    (req->ipsr_esp_req & IPSEC_PREF_NEVER)) {
		act.ipa_type = IPSEC_ACT_BYPASS;
	} else {
		act.ipa_type = IPSEC_ACT_APPLY;
		ipsec_prot_from_req(req, &act.ipa_apply);
	}
	/* Expand zero ("any") algorithms into one action per algorithm. */
	*actp = ipsec_act_wildcard_expand(&act, nactp);
}

/*
 * Convert a new-style "prot" back to an ipsec_req_t (more backwards compat).
 * We assume caller has already zero'ed *req for us.
 */
static int
ipsec_req_from_prot(ipsec_prot_t *ipp, ipsec_req_t *req)
{
	req->ipsr_esp_alg = ipp->ipp_encr_alg;
	req->ipsr_auth_alg = ipp->ipp_auth_alg;
	req->ipsr_esp_auth_alg = ipp->ipp_esp_auth_alg;

	if (ipp->ipp_use_unique) {
		req->ipsr_ah_req |= IPSEC_PREF_UNIQUE;
		req->ipsr_esp_req |= IPSEC_PREF_UNIQUE;
	}
	if (ipp->ipp_use_se)
		req->ipsr_self_encap_req |= IPSEC_PREF_REQUIRED;
	if (ipp->ipp_use_ah)
		req->ipsr_ah_req |= IPSEC_PREF_REQUIRED;
	if (ipp->ipp_use_esp)
		req->ipsr_esp_req |= IPSEC_PREF_REQUIRED;
	return (sizeof (*req));
}

/*
 * Convert a new-style action back to an ipsec_req_t (more backwards compat).
 * We assume caller has already zero'ed *req for us.
 */
static int
ipsec_req_from_act(ipsec_action_t *ap, ipsec_req_t *req)
{
	switch (ap->ipa_act.ipa_type) {
	case IPSEC_ACT_BYPASS:
		req->ipsr_ah_req = IPSEC_PREF_NEVER;
		req->ipsr_esp_req = IPSEC_PREF_NEVER;
		return (sizeof (*req));
	case IPSEC_ACT_APPLY:
		return (ipsec_req_from_prot(&ap->ipa_act.ipa_apply, req));
	}
	/* Other action types have no ipsec_req_t encoding; leave *req zeroed. */
	return (sizeof (*req));
}

/*
 * Convert the first non-wildcard inbound policy of a policy head back to
 * an ipsec_req_t (more backwards compat).  We assume caller has already
 * zero'ed *req for us.
 */
static int
ipsec_req_from_head(ipsec_policy_head_t *ph, ipsec_req_t *req, int af)
{
	ipsec_policy_t *p;

	/*
	 * FULL-PERSOCK: consult hash table, too?
	 */
	for (p = ph->iph_root[IPSEC_INBOUND].ipr_nonhash[af];
	    p != NULL;
	    p = p->ipsp_hash.hash_next) {
		if ((p->ipsp_sel->ipsl_key.ipsl_valid&IPSL_WILDCARD) == 0)
			return (ipsec_req_from_act(p->ipsp_act, req));
	}
	return (sizeof (*req));
}

/*
 * Based on per-socket or latched policy, convert to an appropriate
 * IP_SEC_OPT ipsec_req_t for the socket option; return size so we can
 * be tail-called from ip.
 */
int
ipsec_req_from_conn(conn_t *connp, ipsec_req_t *req, int af)
{
	ipsec_latch_t *ipl;
	int rv = sizeof (ipsec_req_t);

	bzero(req, sizeof (*req));

	/* conn_lock protects conn_latch and conn_policy. */
	mutex_enter(&connp->conn_lock);
	ipl = connp->conn_latch;

	/*
	 * Find appropriate policy.  First choice is latched action;
	 * failing that, see latched policy; failing that,
	 * look at configured policy.
	 */
	if (ipl != NULL) {
		if (ipl->ipl_in_action != NULL) {
			rv = ipsec_req_from_act(ipl->ipl_in_action, req);
			goto done;
		}
		if (ipl->ipl_in_policy != NULL) {
			rv = ipsec_req_from_act(ipl->ipl_in_policy->ipsp_act,
			    req);
			goto done;
		}
	}
	if (connp->conn_policy != NULL)
		rv = ipsec_req_from_head(connp->conn_policy, req, af);
done:
	mutex_exit(&connp->conn_lock);
	return (rv);
}

/*
 * Free an action vector allocated by ipsec_act_wildcard_expand().
 */
void
ipsec_actvec_free(ipsec_act_t *act, uint_t nact)
{
	kmem_free(act, nact * sizeof (*act));
}

/*
 * When outbound policy is not cached, look it up the hard way and attach
 * an ipsec_out_t to the packet..
 */
static mblk_t *
ipsec_attach_global_policy(mblk_t *mp, conn_t *connp, ipsec_selector_t *sel)
{
	ipsec_policy_t *p;

	p = ipsec_find_policy(IPSEC_TYPE_OUTBOUND, connp, NULL, sel);

	if (p == NULL)
		return (NULL);
	/*
	 * NOTE(review): ipsec_find_policy() returned a held reference to p;
	 * presumably ipsec_attach_ipsec_out() takes ownership of it —
	 * confirm in that function.
	 */
	return (ipsec_attach_ipsec_out(mp, connp, p, sel->ips_protocol));
}

/*
 * We have an ipsec_out already, but don't have cached policy; fill it in
 * with the right actions.
 */
static mblk_t *
ipsec_apply_global_policy(mblk_t *ipsec_mp, conn_t *connp,
    ipsec_selector_t *sel)
{
	ipsec_out_t *io;
	ipsec_policy_t *p;

	/* Expect M_CTL (ipsec_out) followed by the M_DATA payload. */
	ASSERT(ipsec_mp->b_datap->db_type == M_CTL);
	ASSERT(ipsec_mp->b_cont->b_datap->db_type == M_DATA);

	io = (ipsec_out_t *)ipsec_mp->b_rptr;

	if (io->ipsec_out_policy == NULL) {
		p = ipsec_find_policy(IPSEC_TYPE_OUTBOUND, connp, io, sel);
		io->ipsec_out_policy = p;
	}
	return (ipsec_mp);
}


/* ARGSUSED */
/*
 * Consumes a reference to ipsp.
 */
static mblk_t *
ipsec_check_loopback_policy(queue_t *q, mblk_t *first_mp,
    boolean_t mctl_present, ipsec_policy_t *ipsp)
{
	mblk_t *ipsec_mp;
	ipsec_in_t *ii;

	if (!mctl_present)
		return (first_mp);

	ipsec_mp = first_mp;

	ii = (ipsec_in_t *)ipsec_mp->b_rptr;
	ASSERT(ii->ipsec_in_loopback);
	IPPOL_REFRELE(ipsp);

	/*
	 * We should do an actual policy check here.  Revisit this
	 * when we revisit the IPsec API.
	 */

	return (first_mp);
}

/*
 * Check whether a secured inbound datagram satisfies a single policy
 * action.  On failure, *reason and *counter are set for the caller's
 * logging and drop accounting.  On success for an APPLY action, the
 * action is latched into ii->ipsec_in_action (with a reference held).
 */
static boolean_t
ipsec_check_ipsecin_action(ipsec_in_t *ii, mblk_t *mp, ipsec_action_t *ap,
    ipha_t *ipha, ip6_t *ip6h, const char **reason, kstat_named_t **counter)
{
	boolean_t ret = B_TRUE;
	ipsec_prot_t *ipp;
	ipsa_t *ah_assoc;
	ipsa_t *esp_assoc;
	boolean_t decaps;

	/* Exactly one of ipha/ip6h must be supplied. */
	ASSERT((ipha == NULL && ip6h != NULL) ||
	    (ip6h == NULL && ipha != NULL));

	if (ii->ipsec_in_loopback) {
		/*
		 * Besides accepting pointer-equivalent actions, we also
		 * accept any ICMP errors we generated for ourselves,
		 * regardless of policy.  If we do not wish to make this
		 * assumption in the future, check here, and where
		 * icmp_loopback is initialized in ip.c and ip6.c.  (Look for
		 * ipsec_out_icmp_loopback.)
		 */
		if (ap == ii->ipsec_in_action || ii->ipsec_in_icmp_loopback)
			return (B_TRUE);

		/* Deep compare necessary here?? */
		*counter = &ipdrops_spd_loopback_mismatch;
		*reason = "loopback policy mismatch";
		return (B_FALSE);
	}
	ASSERT(!ii->ipsec_in_icmp_loopback);

	ah_assoc = ii->ipsec_in_ah_sa;
	esp_assoc = ii->ipsec_in_esp_sa;

	decaps = ii->ipsec_in_decaps;

	switch (ap->ipa_act.ipa_type) {
	case IPSEC_ACT_DISCARD:
	case IPSEC_ACT_REJECT:
		/* Should "fail hard" */
		*counter = &ipdrops_spd_explicit;
		*reason = "blocked by policy";
		return (B_FALSE);

	case IPSEC_ACT_BYPASS:
	case IPSEC_ACT_CLEAR:
		/* Policy wanted cleartext but the packet arrived protected. */
		*counter = &ipdrops_spd_got_secure;
		*reason = "expected clear, got protected";
		return (B_FALSE);

	case IPSEC_ACT_APPLY:
		ipp = &ap->ipa_act.ipa_apply;
		/*
		 * As of now we do the simple checks of whether
		 * the datagram has gone through the required IPSEC
		 * protocol constraints or not.  We might have more
		 * in the future like sensitive levels, key bits, etc.
		 * If it fails the constraints, check whether we would
		 * have accepted this if it had come in clear.
		 */
		if (ipp->ipp_use_ah) {
			if (ah_assoc == NULL) {
				/*
				 * *reason/*counter only matter to the
				 * caller when ret ends up B_FALSE;
				 * accept-clear decides that.
				 */
				ret = ipsec_inbound_accept_clear(mp, ipha,
				    ip6h);
				*counter = &ipdrops_spd_got_clear;
				*reason = "unprotected not accepted";
				break;
			}
			ASSERT(ah_assoc != NULL);
			ASSERT(ipp->ipp_auth_alg != 0);

			if (ah_assoc->ipsa_auth_alg !=
			    ipp->ipp_auth_alg) {
				*counter = &ipdrops_spd_bad_ahalg;
				*reason = "unacceptable ah alg";
				ret = B_FALSE;
				break;
			}
		} else if (ah_assoc != NULL) {
			/*
			 * Don't allow this.  Check IPSEC NOTE above
			 * ip_fanout_proto().
			 */
			*counter = &ipdrops_spd_got_ah;
			*reason = "unexpected AH";
			ret = B_FALSE;
			break;
		}
		if (ipp->ipp_use_esp) {
			if (esp_assoc == NULL) {
				ret = ipsec_inbound_accept_clear(mp, ipha,
				    ip6h);
				*counter = &ipdrops_spd_got_clear;
				*reason = "unprotected not accepted";
				break;
			}
			ASSERT(esp_assoc != NULL);
			ASSERT(ipp->ipp_encr_alg != 0);

			if (esp_assoc->ipsa_encr_alg !=
			    ipp->ipp_encr_alg) {
				*counter = &ipdrops_spd_bad_espealg;
				*reason = "unacceptable esp alg";
				ret = B_FALSE;
				break;
			}
			/*
			 * If the client does not need authentication,
			 * we don't verify the algorithm.
			 */
			if (ipp->ipp_use_espa) {
				if (esp_assoc->ipsa_auth_alg !=
				    ipp->ipp_esp_auth_alg) {
					*counter = &ipdrops_spd_bad_espaalg;
					*reason = "unacceptable esp auth alg";
					ret = B_FALSE;
					break;
				}
			}
		} else if (esp_assoc != NULL) {
			/*
			 * Don't allow this.  Check IPSEC NOTE above
			 * ip_fanout_proto().
			 */
			*counter = &ipdrops_spd_got_esp;
			*reason = "unexpected ESP";
			ret = B_FALSE;
			break;
		}
		if (ipp->ipp_use_se) {
			if (!decaps) {
				ret = ipsec_inbound_accept_clear(mp, ipha,
				    ip6h);
				if (!ret) {
					/* XXX mutant? */
					*counter = &ipdrops_spd_bad_selfencap;
					*reason = "self encap not found";
					break;
				}
			}
		} else if (decaps) {
			/*
			 * XXX If the packet comes in tunneled and the
			 * recipient does not expect it to be tunneled, it
			 * is okay. But we drop to be consistent with the
			 * other cases.
			 */
			*counter = &ipdrops_spd_got_selfencap;
			*reason = "unexpected self encap";
			ret = B_FALSE;
			break;
		}
		if (ii->ipsec_in_action != NULL) {
			/*
			 * This can happen if we do a double policy-check on
			 * a packet
			 * XXX XXX should fix this case!
			 */
			IPACT_REFRELE(ii->ipsec_in_action);
		}
		ASSERT(ii->ipsec_in_action == NULL);
		/* Latch the satisfied action onto the ipsec_in. */
		IPACT_REFHOLD(ap);
		ii->ipsec_in_action = ap;
		break;	/* from switch */
	}
	return (ret);
}

/*
 * Does the inbound SA's identity pair match the identities latched on
 * this connection?  (remote == SA source, local == SA destination.)
 */
static boolean_t
spd_match_inbound_ids(ipsec_latch_t *ipl, ipsa_t *sa)
{
	ASSERT(ipl->ipl_ids_latched == B_TRUE);
	return ipsid_equal(ipl->ipl_remote_cid, sa->ipsa_src_cid) &&
	    ipsid_equal(ipl->ipl_local_cid, sa->ipsa_dst_cid);
}

/*
 * Called to check policy on a latched connection, both from this file
 * and from tcp.c
 */
boolean_t
ipsec_check_ipsecin_latch(ipsec_in_t *ii, mblk_t *mp, ipsec_latch_t *ipl,
    ipha_t *ipha, ip6_t *ip6h, const char **reason, kstat_named_t **counter)
{
	ASSERT(ipl->ipl_ids_latched == B_TRUE);

	if ((ii->ipsec_in_ah_sa != NULL) &&
	    (!spd_match_inbound_ids(ipl, ii->ipsec_in_ah_sa))) {
		*counter = &ipdrops_spd_ah_badid;
		*reason = "AH identity mismatch";
		return (B_FALSE);
	}

	if ((ii->ipsec_in_esp_sa != NULL) &&
	    (!spd_match_inbound_ids(ipl,
	    ii->ipsec_in_esp_sa))) {
		*counter = &ipdrops_spd_esp_badid;
		*reason = "ESP identity mismatch";
		return (B_FALSE);
	}

	return (ipsec_check_ipsecin_action(ii, mp, ipl->ipl_in_action,
	    ipha, ip6h, reason, counter));
}

/*
 * Check to see whether this secured datagram meets the policy
 * constraints specified in ipsp.
 *
 * Called from ipsec_check_global_policy, and ipsec_check_inbound_policy.
 *
 * Consumes a reference to ipsp.
 */
static mblk_t *
ipsec_check_ipsecin_policy(queue_t *q, mblk_t *first_mp, ipsec_policy_t *ipsp,
    ipha_t *ipha, ip6_t *ip6h)
{
	ipsec_in_t *ii;
	ipsec_action_t *ap;
	const char *reason = "no policy actions found";
	mblk_t *data_mp, *ipsec_mp;
	kstat_named_t *counter = &ipdrops_spd_got_secure;

	data_mp = first_mp->b_cont;
	ipsec_mp = first_mp;

	ASSERT(ipsp != NULL);

	/* Exactly one of ipha/ip6h must be supplied. */
	ASSERT((ipha == NULL && ip6h != NULL) ||
	    (ip6h == NULL && ipha != NULL));

	ii = (ipsec_in_t *)ipsec_mp->b_rptr;

	/* Loopback traffic takes the (currently trivial) loopback path. */
	if (ii->ipsec_in_loopback)
		return (ipsec_check_loopback_policy(q, first_mp, B_TRUE, ipsp));

	ASSERT(ii->ipsec_in_type == IPSEC_IN);
	if (ii->ipsec_in_action != NULL) {
		/*
		 * this can happen if we do a double policy-check on a packet
		 * Would be nice to be able to delete this test..
		 */
		IPACT_REFRELE(ii->ipsec_in_action);
	}
	ASSERT(ii->ipsec_in_action == NULL);

	if (!SA_IDS_MATCH(ii->ipsec_in_ah_sa, ii->ipsec_in_esp_sa)) {
		reason = "inbound AH and ESP identities differ";
		counter = &ipdrops_spd_ahesp_diffid;
		goto drop;
	}

	/*
	 * Ok, now loop through the possible actions and see if any
	 * of them work for us.
	 */

	for (ap = ipsp->ipsp_act; ap != NULL; ap = ap->ipa_next) {
		if (ipsec_check_ipsecin_action(ii, data_mp, ap,
		    ipha, ip6h, &reason, &counter)) {
			BUMP_MIB(&ip_mib, ipsecInSucceeded);
			IPPOL_REFRELE(ipsp);
			return (first_mp);
		}
	}
drop:
	(void) mi_strlog(q, 0, SL_ERROR|SL_WARN|SL_CONSOLE,
	    "ipsec inbound policy mismatch: %s, packet dropped\n",
	    reason);
	IPPOL_REFRELE(ipsp);
	ASSERT(ii->ipsec_in_action == NULL);
	BUMP_MIB(&ip_mib, ipsecInFailed);
	ip_drop_packet(first_mp, B_TRUE, NULL, NULL, counter, &spd_dropper);
	return (NULL);
}

/*
 * sleazy prefix-length-based compare.
 * another inlining candidate..
 */
static boolean_t
ip_addr_match(uint8_t *addr1, int pfxlen, in6_addr_t *addr2p)
{
	int offset = pfxlen>>3;		/* whole bytes covered by prefix */
	int bitsleft = pfxlen & 7;	/* remaining bits in the last byte */
	uint8_t *addr2 = (uint8_t *)addr2p;

	/*
	 * and there was much evil..
	 * XXX should inline-expand the bcmp here and do this 32 bits
	 * or 64 bits at a time..
	 */
	return ((bcmp(addr1, addr2, offset) == 0) &&
	    ((bitsleft == 0) ||
	    (((addr1[offset] ^ addr2[offset]) &
	    (0xff<<(8-bitsleft))) == 0)));
}

/*
 * Walk one policy chain and return the highest-priority entry whose
 * selector matches *sel and which beats the incoming "best" (no
 * reference counting happens at this level; see ipsec_find_policy_head).
 */
static ipsec_policy_t *
ipsec_find_policy_chain(ipsec_policy_t *best, ipsec_policy_t *chain,
    ipsec_selector_t *sel, boolean_t is_icmp_inv_acq)
{
	ipsec_selkey_t *isel;
	ipsec_policy_t *p;
	int bpri = best ?
	    best->ipsp_prio : 0;

	for (p = chain; p != NULL; p = p->ipsp_hash.hash_next) {
		uint32_t valid;

		/* A priority at or below the current best can never win. */
		if (p->ipsp_prio <= bpri)
			continue;
		isel = &p->ipsp_sel->ipsl_key;
		valid = isel->ipsl_valid;

		if ((valid & IPSL_PROTOCOL) &&
		    (isel->ipsl_proto != sel->ips_protocol))
			continue;

		if ((valid & IPSL_REMOTE_ADDR) &&
		    !ip_addr_match((uint8_t *)&isel->ipsl_remote,
		    isel->ipsl_remote_pfxlen,
		    &sel->ips_remote_addr_v6))
			continue;

		if ((valid & IPSL_LOCAL_ADDR) &&
		    !ip_addr_match((uint8_t *)&isel->ipsl_local,
		    isel->ipsl_local_pfxlen,
		    &sel->ips_local_addr_v6))
			continue;

		if ((valid & IPSL_REMOTE_PORT) &&
		    isel->ipsl_rport != sel->ips_remote_port)
			continue;

		if ((valid & IPSL_LOCAL_PORT) &&
		    isel->ipsl_lport != sel->ips_local_port)
			continue;

		if (!is_icmp_inv_acq) {
			/* ICMP type/code selectors are inclusive ranges. */
			if ((valid & IPSL_ICMP_TYPE) &&
			    (isel->ipsl_icmp_type > sel->ips_icmp_type ||
			    isel->ipsl_icmp_type_end < sel->ips_icmp_type)) {
				continue;
			}

			if ((valid & IPSL_ICMP_CODE) &&
			    (isel->ipsl_icmp_code > sel->ips_icmp_code ||
			    isel->ipsl_icmp_code_end <
			    sel->ips_icmp_code)) {
				continue;
			}
		} else {
			/*
			 * special case for icmp inverse acquire
			 * we only want policies that aren't drop/pass
			 */
			if (p->ipsp_act->ipa_act.ipa_type != IPSEC_ACT_APPLY)
				continue;
		}

		/* we matched all the packet-port-field selectors! */
		best = p;
		bpri = p->ipsp_prio;
	}

	return (best);
}

/*
 * Try to find and return the best policy entry under a given policy
 * root for a given set of selectors; the first parameter "best" is
 * the current best policy so far.  If "best" is non-null, we have a
 * reference to it.  We return a reference to a policy; if that policy
 * is not the original "best", we need to release that reference
 * before returning.
 */
static ipsec_policy_t *
ipsec_find_policy_head(ipsec_policy_t *best,
    ipsec_policy_head_t *head, int direction, ipsec_selector_t *sel,
    int selhash)
{
	ipsec_policy_t *curbest;
	ipsec_policy_root_t *root;
	uint8_t is_icmp_inv_acq = sel->ips_is_icmp_inv_acq;
	int af = sel->ips_isv4 ? IPSEC_AF_V4 : IPSEC_AF_V6;

	curbest = best;
	root = &head->iph_root[direction];

#ifdef DEBUG
	/* Sanity: inverse-acquire selectors must describe ICMP/ICMPv6. */
	if (is_icmp_inv_acq) {
		if (sel->ips_isv4) {
			if (sel->ips_protocol != IPPROTO_ICMP) {
				cmn_err(CE_WARN, "ipsec_find_policy_head:"
				    " expecting icmp, got %d", sel->ips_protocol);
			}
		} else {
			if (sel->ips_protocol != IPPROTO_ICMPV6) {
				cmn_err(CE_WARN, "ipsec_find_policy_head:"
				    " expecting icmpv6, got %d", sel->ips_protocol);
			}
		}
	}
#endif

	rw_enter(&head->iph_lock, RW_READER);

	/* Check the hashed chain (if any) and then the non-hashed chain. */
	if (root->ipr_nchains > 0) {
		curbest = ipsec_find_policy_chain(curbest,
		    root->ipr_hash[selhash].hash_head, sel, is_icmp_inv_acq);
	}
	curbest = ipsec_find_policy_chain(curbest, root->ipr_nonhash[af], sel,
	    is_icmp_inv_acq);

	/*
	 * Adjust reference counts if we found anything new.
	 */
	if (curbest != best) {
		ASSERT(curbest != NULL);
		IPPOL_REFHOLD(curbest);

		if (best != NULL) {
			IPPOL_REFRELE(best);
		}
	}

	rw_exit(&head->iph_lock);

	return (curbest);
}

/*
 * Find the best system policy (either global or per-interface) which
 * applies to the given selector; look in all the relevant policy roots
 * to figure out which policy wins.
 *
 * Returns a reference to a policy; caller must release this
 * reference when done.
 */
ipsec_policy_t *
ipsec_find_policy(int direction, conn_t *connp, ipsec_out_t *io,
    ipsec_selector_t *sel)
{
	ipsec_policy_t *p;
	int selhash = selector_hash(sel);

	/* Start with system-wide policy, then let conn/io policy trump it. */
	p = ipsec_find_policy_head(NULL, &system_policy, direction, sel,
	    selhash);
	if ((connp != NULL) && (connp->conn_policy != NULL)) {
		p = ipsec_find_policy_head(p, connp->conn_policy,
		    direction, sel, selhash);
	} else if ((io != NULL) && (io->ipsec_out_polhead != NULL)) {
		p = ipsec_find_policy_head(p, io->ipsec_out_polhead,
		    direction, sel, selhash);
	}

	return (p);
}

/*
 * Check with global policy and see whether this inbound
 * packet meets the policy constraints.
 *
 * Locate appropriate policy from global policy, supplemented by the
 * conn's configured and/or cached policy if the conn is supplied.
 *
 * Dispatch to ipsec_check_ipsecin_policy if we have policy and an
 * encrypted packet to see if they match.
 *
 * Otherwise, see if the policy allows cleartext; if not, drop it on the
 * floor.
 */
mblk_t *
ipsec_check_global_policy(mblk_t *first_mp, conn_t *connp,
    ipha_t *ipha, ip6_t *ip6h, boolean_t mctl_present)
{
	ipsec_policy_t *p;
	ipsec_selector_t sel;
	queue_t *q = NULL;
	mblk_t *data_mp, *ipsec_mp;
	boolean_t policy_present;
	kstat_named_t *counter;

	/* With an M_CTL present, first_mp is ipsec_in and b_cont the data. */
	data_mp = mctl_present ? first_mp->b_cont : first_mp;
	ipsec_mp = mctl_present ? first_mp : NULL;

	sel.ips_is_icmp_inv_acq = 0;

	ASSERT((ipha == NULL && ip6h != NULL) ||
	    (ip6h == NULL && ipha != NULL));

	if (ipha != NULL)
		policy_present = ipsec_inbound_v4_policy_present;
	else
		policy_present = ipsec_inbound_v6_policy_present;

	if (!policy_present && connp == NULL) {
		/*
		 * No global policy and no per-socket policy;
		 * just pass it back (but we shouldn't get here in that case)
		 */
		return (first_mp);
	}

	if (connp != NULL)
		q = CONNP_TO_WQ(connp);

	if (ipsec_mp != NULL) {
		ASSERT(ipsec_mp->b_datap->db_type == M_CTL);
		ASSERT(((ipsec_in_t *)ipsec_mp->b_rptr)->ipsec_in_type ==
		    IPSEC_IN);
	}

	/*
	 * If we have cached policy, use it.
	 * Otherwise consult system policy.
	 */
	if ((connp != NULL) && (connp->conn_latch != NULL)) {
		p = connp->conn_latch->ipl_in_policy;
		if (p != NULL) {
			IPPOL_REFHOLD(p);
		}
	} else {
		/* Initialize the ports in the selector */
		if (!ipsec_init_inbound_sel(&sel, data_mp, ipha, ip6h)) {
			/*
			 * Technically not a policy mismatch, but it is
			 * an internal failure.
			 */
			ipsec_log_policy_failure(q, IPSEC_POLICY_MISMATCH,
			    "ipsec_init_inbound_sel", ipha, ip6h, B_FALSE);
			counter = &ipdrops_spd_nomem;
			goto fail;
		}

		/*
		 * Find the policy which best applies.
		 *
		 * If we find global policy, we should look at both
		 * local policy and global policy and see which is
		 * stronger and match accordingly.
		 *
		 * If we don't find a global policy, check with
		 * local policy alone.
		 */

		p = ipsec_find_policy(IPSEC_TYPE_INBOUND, connp, NULL, &sel);
	}

	if (p == NULL) {
		if (ipsec_mp == NULL) {
			/*
			 * We have no policy; default to succeeding.
			 * XXX paranoid system design doesn't do this.
			 */
			BUMP_MIB(&ip_mib, ipsecInSucceeded);
			return (first_mp);
		} else {
			counter = &ipdrops_spd_got_secure;
			ipsec_log_policy_failure(q, IPSEC_POLICY_NOT_NEEDED,
			    "ipsec_check_global_policy", ipha, ip6h, B_TRUE);
			goto fail;
		}
	}
	/* Secure packet with policy present: do the full inbound check. */
	if (ipsec_mp != NULL)
		return (ipsec_check_ipsecin_policy(q, ipsec_mp, p, ipha, ip6h));
	if (p->ipsp_act->ipa_allow_clear) {
		BUMP_MIB(&ip_mib, ipsecInSucceeded);
		IPPOL_REFRELE(p);
		return (first_mp);
	}
	IPPOL_REFRELE(p);
	/*
	 * If we reach here, we will drop the packet because it failed the
	 * global policy check because the packet was cleartext, and it
	 * should not have been.
	 */
	ipsec_log_policy_failure(q, IPSEC_POLICY_MISMATCH,
	    "ipsec_check_global_policy", ipha, ip6h, B_FALSE);
	counter = &ipdrops_spd_got_clear;

fail:
	ip_drop_packet(first_mp, B_TRUE, NULL, NULL, counter, &spd_dropper);
	BUMP_MIB(&ip_mib, ipsecInFailed);
	return (NULL);
}

/*
 * We check whether an inbound datagram is a valid one
 * to accept in clear.  If it is secure, it is the job
 * of IPSEC to log information appropriately if it
 * suspects that it may not be the real one.
 *
 * It is called only while fanning out to the ULP
 * where ULP accepts only secure data and the incoming
 * is clear.  Usually we never accept clear datagrams in
 * such cases.  ICMP is the only exception.
 *
 * NOTE : We don't call this function if the client (ULP)
 * is willing to accept things in clear.
 */
boolean_t
ipsec_inbound_accept_clear(mblk_t *mp, ipha_t *ipha, ip6_t *ip6h)
{
	ushort_t iph_hdr_length;
	icmph_t *icmph;
	icmp6_t *icmp6;
	uint8_t *nexthdrp;

	/* Exactly one of ipha/ip6h must be supplied. */
	ASSERT((ipha != NULL && ip6h == NULL) ||
	    (ipha == NULL && ip6h != NULL));

	if (ip6h != NULL) {
		iph_hdr_length = ip_hdr_length_v6(mp, ip6h);
		if (!ip_hdr_length_nexthdr_v6(mp, ip6h, &iph_hdr_length,
		    &nexthdrp)) {
			return (B_FALSE);
		}
		/* Only cleartext ICMPv6 can possibly be accepted. */
		if (*nexthdrp != IPPROTO_ICMPV6)
			return (B_FALSE);
		icmp6 = (icmp6_t *)(&mp->b_rptr[iph_hdr_length]);
		/* Match IPv6 ICMP policy as closely as IPv4 as possible. */
		switch (icmp6->icmp6_type) {
		case ICMP6_PARAM_PROB:
			/* Corresponds to port/proto unreach in IPv4. */
		case ICMP6_ECHO_REQUEST:
			/* Just like IPv4. */
			return (B_FALSE);

		case MLD_LISTENER_QUERY:
		case MLD_LISTENER_REPORT:
		case MLD_LISTENER_REDUCTION:
			/*
			 * XXX Separate NDD in IPv4 what about here?
			 * Plus, mcast is important to ND.
			 */
		case ICMP6_DST_UNREACH:
			/* Corresponds to HOST/NET unreachable in IPv4. */
		case ICMP6_PACKET_TOO_BIG:
		case ICMP6_ECHO_REPLY:
			/* These are trusted in IPv4. */
		case ND_ROUTER_SOLICIT:
		case ND_ROUTER_ADVERT:
		case ND_NEIGHBOR_SOLICIT:
		case ND_NEIGHBOR_ADVERT:
		case ND_REDIRECT:
			/* Trust ND messages for now. */
		case ICMP6_TIME_EXCEEDED:
		default:
			return (B_TRUE);
		}
	} else {
		/*
		 * If it is not ICMP, fail this request.
		 */
		if (ipha->ipha_protocol != IPPROTO_ICMP)
			return (B_FALSE);
		iph_hdr_length = IPH_HDR_LENGTH(ipha);
		icmph = (icmph_t *)&mp->b_rptr[iph_hdr_length];
		/*
		 * It is an insecure icmp message.  Check to see whether we are
		 * willing to accept this one.
		 */

		switch (icmph->icmph_type) {
		case ICMP_ECHO_REPLY:
		case ICMP_TIME_STAMP_REPLY:
		case ICMP_INFO_REPLY:
		case ICMP_ROUTER_ADVERTISEMENT:
			/*
			 * We should not encourage clear replies if this
			 * client expects secure.  If somebody is replying
			 * in clear some malicious user watching both the
			 * request and reply, can do chosen-plain-text attacks.
			 * With global policy we might be just expecting secure
			 * but sending out clear.  We don't know what the right
			 * thing is.  We can't do much here as we can't control
			 * the sender here.  Till we are sure of what to do,
			 * accept them.
			 */
			return (B_TRUE);
		case ICMP_ECHO_REQUEST:
		case ICMP_TIME_STAMP_REQUEST:
		case ICMP_INFO_REQUEST:
		case ICMP_ADDRESS_MASK_REQUEST:
		case ICMP_ROUTER_SOLICITATION:
		case ICMP_ADDRESS_MASK_REPLY:
			/*
			 * Don't accept this as somebody could be sending
			 * us plain text to get encrypted data.  If we reply,
			 * it will lead to chosen plain text attack.
			 */
			return (B_FALSE);
		case ICMP_DEST_UNREACHABLE:
			switch (icmph->icmph_code) {
			case ICMP_FRAGMENTATION_NEEDED:
				/*
				 * Be in sync with icmp_inbound, where we have
				 * already set ire_max_frag.
				 */
				return (B_TRUE);
			case ICMP_HOST_UNREACHABLE:
			case ICMP_NET_UNREACHABLE:
				/*
				 * By accepting, we could reset a connection.
				 * How do we solve the problem of some
				 * intermediate router sending in-secure ICMP
				 * messages ?
				 */
				return (B_TRUE);
			case ICMP_PORT_UNREACHABLE:
			case ICMP_PROTOCOL_UNREACHABLE:
			default :
				return (B_FALSE);
			}
		case ICMP_SOURCE_QUENCH:
			/*
			 * If this is an attack, TCP will slow start
			 * because of this.  Is it very harmful ?
			 */
			return (B_TRUE);
		case ICMP_PARAM_PROBLEM:
			return (B_FALSE);
		case ICMP_TIME_EXCEEDED:
			return (B_TRUE);
		case ICMP_REDIRECT:
			return (B_FALSE);
		default :
			return (B_FALSE);
		}
	}
}

/*
 * Latch the local/remote certificate identities on this latch object;
 * the first caller wins (ipl_lock arbitrates the race).
 */
void
ipsec_latch_ids(ipsec_latch_t *ipl, ipsid_t *local, ipsid_t *remote)
{
	mutex_enter(&ipl->ipl_lock);

	if (ipl->ipl_ids_latched) {
		/* I lost, someone else got here before me */
		mutex_exit(&ipl->ipl_lock);
		return;
	}

	if (local != NULL)
		IPSID_REFHOLD(local);
	if (remote != NULL)
		IPSID_REFHOLD(remote);

	ipl->ipl_local_cid = local;
	ipl->ipl_remote_cid = remote;
	ipl->ipl_ids_latched = B_TRUE;
	mutex_exit(&ipl->ipl_lock);
}

/*
 * Latch the identities carried by the packet's SAs (and the action that
 * passed the policy check) onto the connection's latch state.
 */
void
ipsec_latch_inbound(ipsec_latch_t *ipl, ipsec_in_t *ii)
{
	ipsa_t *sa;

	if (!ipl->ipl_ids_latched) {
		ipsid_t *local = NULL;
		ipsid_t *remote = NULL;

		if (!ii->ipsec_in_loopback) {
			/* Prefer the ESP SA's identities; fall back to AH. */
			if (ii->ipsec_in_esp_sa != NULL)
				sa = ii->ipsec_in_esp_sa;
			else
				sa = ii->ipsec_in_ah_sa;
			ASSERT(sa != NULL);
			local = sa->ipsa_dst_cid;
			remote = sa->ipsa_src_cid;
		}
		ipsec_latch_ids(ipl, local, remote);
	}
	ipl->ipl_in_action = ii->ipsec_in_action;
	IPACT_REFHOLD(ipl->ipl_in_action);
}

/*
 * Check whether the policy constraints are met either for an
 * inbound datagram; called from IP in numerous places.
 *
 * Note that this is not a chokepoint for inbound policy checks;
 * see also ipsec_check_ipsecin_latch()
 */
mblk_t *
ipsec_check_inbound_policy(mblk_t *first_mp, conn_t *connp,
    ipha_t *ipha, ip6_t *ip6h, boolean_t mctl_present)
{
	ipsec_in_t *ii;
	boolean_t ret;
	mblk_t *mp = mctl_present ? first_mp->b_cont : first_mp;
	mblk_t *ipsec_mp = mctl_present ?
first_mp : NULL; 2099 ipsec_latch_t *ipl; 2100 2101 ASSERT(connp != NULL); 2102 ipl = connp->conn_latch; 2103 2104 if (ipsec_mp == NULL) { 2105 /* 2106 * This is the case where the incoming datagram is 2107 * cleartext and we need to see whether this client 2108 * would like to receive such untrustworthy things from 2109 * the wire. 2110 */ 2111 ASSERT(mp != NULL); 2112 2113 if (ipl != NULL) { 2114 /* 2115 * Policy is cached in the conn. 2116 */ 2117 if ((ipl->ipl_in_policy != NULL) && 2118 (!ipl->ipl_in_policy->ipsp_act->ipa_allow_clear)) { 2119 ret = ipsec_inbound_accept_clear(mp, 2120 ipha, ip6h); 2121 if (ret) { 2122 BUMP_MIB(&ip_mib, ipsecInSucceeded); 2123 return (first_mp); 2124 } else { 2125 ip_drop_packet(first_mp, B_TRUE, NULL, 2126 NULL, &ipdrops_spd_got_clear, 2127 &spd_dropper); 2128 ipsec_log_policy_failure( 2129 CONNP_TO_WQ(connp), 2130 IPSEC_POLICY_MISMATCH, 2131 "ipsec_check_inbound_policy", ipha, 2132 ip6h, B_FALSE); 2133 BUMP_MIB(&ip_mib, ipsecInFailed); 2134 return (NULL); 2135 } 2136 } else { 2137 BUMP_MIB(&ip_mib, ipsecInSucceeded); 2138 return (first_mp); 2139 } 2140 } else { 2141 /* 2142 * As this is a non-hardbound connection we need 2143 * to look at both per-socket policy and global 2144 * policy. As this is cleartext, mark the mp as 2145 * M_DATA in case if it is an ICMP error being 2146 * reported before calling ipsec_check_global_policy 2147 * so that it does not mistake it for IPSEC_IN. 2148 */ 2149 uchar_t db_type = mp->b_datap->db_type; 2150 mp->b_datap->db_type = M_DATA; 2151 first_mp = ipsec_check_global_policy(first_mp, connp, 2152 ipha, ip6h, mctl_present); 2153 if (first_mp != NULL) 2154 mp->b_datap->db_type = db_type; 2155 return (first_mp); 2156 } 2157 } 2158 /* 2159 * If it is inbound check whether the attached message 2160 * is secure or not. We have a special case for ICMP, 2161 * where we have a IPSEC_IN message and the attached 2162 * message is not secure. See icmp_inbound_error_fanout 2163 * for details. 
2164 */ 2165 ASSERT(ipsec_mp != NULL); 2166 ASSERT(ipsec_mp->b_datap->db_type == M_CTL); 2167 ii = (ipsec_in_t *)ipsec_mp->b_rptr; 2168 2169 /* 2170 * mp->b_cont could be either a M_CTL message 2171 * for icmp errors being sent up or a M_DATA message. 2172 */ 2173 ASSERT(mp->b_datap->db_type == M_CTL || 2174 mp->b_datap->db_type == M_DATA); 2175 2176 ASSERT(ii->ipsec_in_type == IPSEC_IN); 2177 2178 if (ipl == NULL) { 2179 /* 2180 * We don't have policies cached in the conn's 2181 * for this stream. So, look at the global 2182 * policy. It will check against conn or global 2183 * depending on whichever is stronger. 2184 */ 2185 return (ipsec_check_global_policy(first_mp, connp, 2186 ipha, ip6h, mctl_present)); 2187 } else if (ipl->ipl_in_action != NULL) { 2188 /* Policy is cached & latched; fast(er) path */ 2189 const char *reason; 2190 kstat_named_t *counter; 2191 if (ipsec_check_ipsecin_latch(ii, mp, ipl, 2192 ipha, ip6h, &reason, &counter)) { 2193 BUMP_MIB(&ip_mib, ipsecInSucceeded); 2194 return (first_mp); 2195 } 2196 (void) mi_strlog(CONNP_TO_WQ(connp), 0, 2197 SL_ERROR|SL_WARN|SL_CONSOLE, 2198 "ipsec inbound policy mismatch: %s, packet dropped\n", 2199 reason); 2200 ip_drop_packet(first_mp, B_TRUE, NULL, NULL, counter, 2201 &spd_dropper); 2202 BUMP_MIB(&ip_mib, ipsecInFailed); 2203 return (NULL); 2204 } else if (ipl->ipl_in_policy == NULL) 2205 return (first_mp); 2206 2207 IPPOL_REFHOLD(ipl->ipl_in_policy); 2208 first_mp = ipsec_check_ipsecin_policy(CONNP_TO_WQ(connp), first_mp, 2209 ipl->ipl_in_policy, ipha, ip6h); 2210 /* 2211 * NOTE: ipsecIn{Failed,Succeeeded} bumped by 2212 * ipsec_check_ipsecin_policy(). 
 */
	if (first_mp != NULL)
		ipsec_latch_inbound(ipl, ii);
	return (first_mp);
}

/*
 * Initialize an inbound packet selector from the packet's headers:
 * addresses, ULP protocol, and either ports (TCP/UDP/SCTP) or ICMP
 * type/code.  Exactly one of ipha/ip6h is non-NULL and selects the
 * address family.
 *
 * Returns B_FALSE on allocation failure or a malformed v6 extension
 * header chain; note that (unlike ipsec_init_outbound_ports below)
 * mp is NOT freed on failure -- the caller keeps ownership.
 */
boolean_t
ipsec_init_inbound_sel(ipsec_selector_t *sel, mblk_t *mp,
    ipha_t *ipha, ip6_t *ip6h)
{
	uint16_t *ports;
	ushort_t hdr_len;
	mblk_t *spare_mp = NULL;	/* pulled-up contiguous copy, if needed */
	uint8_t *nexthdrp;
	uint8_t nexthdr;
	uint8_t *typecode;
	uint8_t check_proto;		/* ICMP or ICMPv6, per family */

	ASSERT((ipha == NULL && ip6h != NULL) ||
	    (ipha != NULL && ip6h == NULL));

	if (ip6h != NULL) {
		check_proto = IPPROTO_ICMPV6;
		sel->ips_isv4 = B_FALSE;
		sel->ips_local_addr_v6 = ip6h->ip6_dst;
		sel->ips_remote_addr_v6 = ip6h->ip6_src;

		nexthdr = ip6h->ip6_nxt;
		switch (nexthdr) {
		case IPPROTO_HOPOPTS:
		case IPPROTO_ROUTING:
		case IPPROTO_DSTOPTS:
			/*
			 * Use ip_hdr_length_nexthdr_v6(). And have a spare
			 * mblk that's contiguous to feed it
			 */
			if ((spare_mp = msgpullup(mp, -1)) == NULL)
				return (B_FALSE);
			if (!ip_hdr_length_nexthdr_v6(spare_mp,
			    (ip6_t *)spare_mp->b_rptr, &hdr_len, &nexthdrp)) {
				/* Malformed packet - XXX ip_drop_packet()? */
				freemsg(spare_mp);
				return (B_FALSE);
			}
			nexthdr = *nexthdrp;
			/* We can just extract based on hdr_len now. */
			break;
		default:
			hdr_len = IPV6_HDR_LEN;
			break;
		}
	} else {
		check_proto = IPPROTO_ICMP;
		sel->ips_isv4 = B_TRUE;
		sel->ips_local_addr_v4 = ipha->ipha_dst;
		sel->ips_remote_addr_v4 = ipha->ipha_src;
		nexthdr = ipha->ipha_protocol;
		hdr_len = IPH_HDR_LENGTH(ipha);
	}
	sel->ips_protocol = nexthdr;

	/* Only TCP/UDP/SCTP/ICMP carry port or type/code selectors. */
	if (nexthdr != IPPROTO_TCP && nexthdr != IPPROTO_UDP &&
	    nexthdr != IPPROTO_SCTP && nexthdr != check_proto) {
		sel->ips_remote_port = sel->ips_local_port = 0;
		freemsg(spare_mp); /* Always works, even if NULL. */
		return (B_TRUE);
	}

	if (&mp->b_rptr[hdr_len] + 4 > mp->b_wptr) {
		/* If we didn't pullup a copy already, do so now. */
		/*
		 * XXX performance, will upper-layers frequently split TCP/UDP
		 * apart from IP or options? If so, perhaps we should revisit
		 * the spare_mp strategy.
		 */
		if (spare_mp == NULL &&
		    (spare_mp = msgpullup(mp, -1)) == NULL) {
			return (B_FALSE);
		}
		ports = (uint16_t *)&spare_mp->b_rptr[hdr_len];
	} else {
		ports = (uint16_t *)&mp->b_rptr[hdr_len];
	}

	if (nexthdr == check_proto) {
		/* ICMP/ICMPv6: first two bytes past the IP header. */
		typecode = (uint8_t *)ports;
		sel->ips_icmp_type = *typecode++;
		sel->ips_icmp_code = *typecode;
		sel->ips_remote_port = sel->ips_local_port = 0;
		freemsg(spare_mp); /* Always works, even if NULL */
		return (B_TRUE);
	}

	/* Inbound: the packet's source port is the remote port. */
	sel->ips_remote_port = *ports++;
	sel->ips_local_port = *ports;
	freemsg(spare_mp); /* Always works, even if NULL */
	return (B_TRUE);
}

/*
 * Fill in the port / ICMP type-code part of a selector for an OUTBOUND
 * packet.  Address fields are not touched here.  Unlike the inbound
 * variant above, this routine CONSUMES mp on failure (frees it and
 * returns B_FALSE).
 */
static boolean_t
ipsec_init_outbound_ports(ipsec_selector_t *sel, mblk_t *mp, ipha_t *ipha,
    ip6_t *ip6h)
{
	/*
	 * XXX cut&paste shared with ipsec_init_inbound_sel
	 */
	uint16_t *ports;
	ushort_t hdr_len;
	mblk_t *spare_mp = NULL;
	uint8_t *nexthdrp;
	uint8_t nexthdr;
	uint8_t *typecode;
	uint8_t check_proto;

	ASSERT((ipha == NULL && ip6h != NULL) ||
	    (ipha != NULL && ip6h == NULL));

	if (ip6h != NULL) {
		check_proto = IPPROTO_ICMPV6;
		nexthdr = ip6h->ip6_nxt;
		switch (nexthdr) {
		case IPPROTO_HOPOPTS:
		case IPPROTO_ROUTING:
		case IPPROTO_DSTOPTS:
			/*
			 * Use ip_hdr_length_nexthdr_v6(). And have a spare
			 * mblk that's contiguous to feed it
			 */
			spare_mp = msgpullup(mp, -1);
			if (spare_mp == NULL ||
			    !ip_hdr_length_nexthdr_v6(spare_mp,
			    (ip6_t *)spare_mp->b_rptr, &hdr_len,
			    &nexthdrp)) {
				/* Always works, even if NULL. */
				freemsg(spare_mp);
				freemsg(mp);
				return (B_FALSE);
			} else {
				nexthdr = *nexthdrp;
				/* We can just extract based on hdr_len now. */
			}
			break;
		default:
			hdr_len = IPV6_HDR_LEN;
			break;
		}
	} else {
		check_proto = IPPROTO_ICMP;
		hdr_len = IPH_HDR_LENGTH(ipha);
		nexthdr = ipha->ipha_protocol;
	}

	sel->ips_protocol = nexthdr;
	if (nexthdr != IPPROTO_TCP && nexthdr != IPPROTO_UDP &&
	    nexthdr != IPPROTO_SCTP && nexthdr != check_proto) {
		sel->ips_local_port = sel->ips_remote_port = 0;
		freemsg(spare_mp); /* Always works, even if NULL. */
		return (B_TRUE);
	}

	if (&mp->b_rptr[hdr_len] + 4 > mp->b_wptr) {
		/* If we didn't pullup a copy already, do so now. */
		/*
		 * XXX performance, will upper-layers frequently split TCP/UDP
		 * apart from IP or options? If so, perhaps we should revisit
		 * the spare_mp strategy.
		 *
		 * XXX should this be msgpullup(mp, hdr_len+4) ???
		 */
		if (spare_mp == NULL &&
		    (spare_mp = msgpullup(mp, -1)) == NULL) {
			freemsg(mp);
			return (B_FALSE);
		}
		ports = (uint16_t *)&spare_mp->b_rptr[hdr_len];
	} else {
		ports = (uint16_t *)&mp->b_rptr[hdr_len];
	}

	if (nexthdr == check_proto) {
		typecode = (uint8_t *)ports;
		sel->ips_icmp_type = *typecode++;
		sel->ips_icmp_code = *typecode;
		sel->ips_remote_port = sel->ips_local_port = 0;
		freemsg(spare_mp); /* Always works, even if NULL */
		return (B_TRUE);
	}

	/* Outbound: the packet's source port is the local port. */
	sel->ips_local_port = *ports++;
	sel->ips_remote_port = *ports;
	freemsg(spare_mp); /* Always works, even if NULL */
	return (B_TRUE);
}

/*
 * Create an ipsec_action_t based on the way an inbound packet was protected.
 * Used to reflect traffic back to a sender.
 *
 * We don't bother interning the action into the hash table.
 */
ipsec_action_t *
ipsec_in_to_out_action(ipsec_in_t *ii)
{
	ipsa_t *ah_assoc, *esp_assoc;
	uint_t auth_alg = 0, encr_alg = 0, espa_alg = 0;
	ipsec_action_t *ap;
	boolean_t unique;

	ap = kmem_cache_alloc(ipsec_action_cache, KM_NOSLEEP);

	if (ap == NULL)
		return (NULL);

	bzero(ap, sizeof (*ap));
	HASH_NULL(ap, ipa_hash);
	ap->ipa_next = NULL;
	/* Single reference, handed to the caller (not interned). */
	ap->ipa_refs = 1;

	/*
	 * Get the algorithms that were used for this packet.
	 */
	ap->ipa_act.ipa_type = IPSEC_ACT_APPLY;
	ap->ipa_act.ipa_log = 0;
	ah_assoc = ii->ipsec_in_ah_sa;
	ap->ipa_act.ipa_apply.ipp_use_ah = (ah_assoc != NULL);

	esp_assoc = ii->ipsec_in_esp_sa;
	ap->ipa_act.ipa_apply.ipp_use_esp = (esp_assoc != NULL);

	if (esp_assoc != NULL) {
		encr_alg = esp_assoc->ipsa_encr_alg;
		espa_alg = esp_assoc->ipsa_auth_alg;
		ap->ipa_act.ipa_apply.ipp_use_espa = (espa_alg != 0);
	}
	if (ah_assoc != NULL)
		auth_alg = ah_assoc->ipsa_auth_alg;

	ap->ipa_act.ipa_apply.ipp_encr_alg = (uint8_t)encr_alg;
	ap->ipa_act.ipa_apply.ipp_auth_alg = (uint8_t)auth_alg;
	ap->ipa_act.ipa_apply.ipp_esp_auth_alg = (uint8_t)espa_alg;
	/* Self-encapsulation mirrors whether the inbound was decapsulated. */
	ap->ipa_act.ipa_apply.ipp_use_se = ii->ipsec_in_decaps;
	unique = B_FALSE;

	if (esp_assoc != NULL) {
		/*
		 * Pin min == max to the key sizes of the SA actually used,
		 * so the reflected traffic is protected exactly as strongly
		 * as the inbound packet was.
		 */
		ap->ipa_act.ipa_apply.ipp_espa_minbits =
		    esp_assoc->ipsa_authkeybits;
		ap->ipa_act.ipa_apply.ipp_espa_maxbits =
		    esp_assoc->ipsa_authkeybits;
		ap->ipa_act.ipa_apply.ipp_espe_minbits =
		    esp_assoc->ipsa_encrkeybits;
		ap->ipa_act.ipa_apply.ipp_espe_maxbits =
		    esp_assoc->ipsa_encrkeybits;
		ap->ipa_act.ipa_apply.ipp_km_proto = esp_assoc->ipsa_kmp;
		ap->ipa_act.ipa_apply.ipp_km_cookie = esp_assoc->ipsa_kmc;
		if (esp_assoc->ipsa_flags & IPSA_F_UNIQUE)
			unique = B_TRUE;
	}
	if (ah_assoc != NULL) {
		ap->ipa_act.ipa_apply.ipp_ah_minbits =
		    ah_assoc->ipsa_authkeybits;
		ap->ipa_act.ipa_apply.ipp_ah_maxbits =
		    ah_assoc->ipsa_authkeybits;
		/*
		 * NOTE(review): if both AH and ESP SAs are present, the
		 * AH key-management settings overwrite the ESP ones set
		 * above -- confirm this precedence is intended.
		 */
		ap->ipa_act.ipa_apply.ipp_km_proto = ah_assoc->ipsa_kmp;
		ap->ipa_act.ipa_apply.ipp_km_cookie = ah_assoc->ipsa_kmc;
		if (ah_assoc->ipsa_flags & IPSA_F_UNIQUE)
			unique = B_TRUE;
	}
	ap->ipa_act.ipa_apply.ipp_use_unique = unique;
	ap->ipa_want_unique = unique;
	ap->ipa_allow_clear = B_FALSE;
	ap->ipa_want_se = ii->ipsec_in_decaps;
	ap->ipa_want_ah = (ah_assoc != NULL);
	ap->ipa_want_esp = (esp_assoc != NULL);

	ap->ipa_ovhd = ipsec_act_ovhd(&ap->ipa_act);

	ap->ipa_act.ipa_apply.ipp_replay_depth = 0;	/* don't care */

	return (ap);
}


/*
 * Compute the worst-case amount of extra space required by an action.
 * Note that, because of the ESP considerations listed below, this is
 * actually not the same as the best-case reduction in the MTU; in the
 * future, we should pass additional information to this function to
 * allow the actual MTU impact to be computed.
 *
 * AH: Revisit this if we implement algorithms with
 * a verifier size of more than 12 bytes.
 *
 * ESP: A more exact but more messy computation would take into
 * account the interaction between the cipher block size and the
 * effective MTU, yielding the inner payload size which reflects a
 * packet with *minimum* ESP padding..
2509 */ 2510 static int32_t 2511 ipsec_act_ovhd(const ipsec_act_t *act) 2512 { 2513 int32_t overhead = 0; 2514 2515 if (act->ipa_type == IPSEC_ACT_APPLY) { 2516 const ipsec_prot_t *ipp = &act->ipa_apply; 2517 2518 if (ipp->ipp_use_ah) 2519 overhead += IPSEC_MAX_AH_HDR_SIZE; 2520 if (ipp->ipp_use_esp) { 2521 overhead += IPSEC_MAX_ESP_HDR_SIZE; 2522 overhead += sizeof (struct udphdr); 2523 } 2524 if (ipp->ipp_use_se) 2525 overhead += IP_SIMPLE_HDR_LENGTH; 2526 } 2527 return (overhead); 2528 } 2529 2530 /* 2531 * This hash function is used only when creating policies and thus is not 2532 * performance-critical for packet flows. 2533 * 2534 * Future work: canonicalize the structures hashed with this (i.e., 2535 * zeroize padding) so the hash works correctly. 2536 */ 2537 /* ARGSUSED */ 2538 static uint32_t 2539 policy_hash(int size, const void *start, const void *end) 2540 { 2541 return (0); 2542 } 2543 2544 2545 /* 2546 * Hash function macros for each address type. 2547 * 2548 * The IPV6 hash function assumes that the low order 32-bits of the 2549 * address (typically containing the low order 24 bits of the mac 2550 * address) are reasonably well-distributed. Revisit this if we run 2551 * into trouble from lots of collisions on ::1 addresses and the like 2552 * (seems unlikely). 2553 */ 2554 #define IPSEC_IPV4_HASH(a) ((a) % ipsec_spd_hashsize) 2555 #define IPSEC_IPV6_HASH(a) ((a.s6_addr32[3]) % ipsec_spd_hashsize) 2556 2557 /* 2558 * These two hash functions should produce coordinated values 2559 * but have slightly different roles. 
 */
/*
 * Hash a selector key for the SPD bucket tables.  Only exact-match
 * (full prefix length) remote addresses hash; anything else returns
 * IPSEC_SEL_NOHASH and lives on the unhashed chain.
 */
static uint32_t
selkey_hash(const ipsec_selkey_t *selkey)
{
	uint32_t valid = selkey->ipsl_valid;

	if (!(valid & IPSL_REMOTE_ADDR))
		return (IPSEC_SEL_NOHASH);

	if (valid & IPSL_IPV4) {
		if (selkey->ipsl_remote_pfxlen == 32)
			return (IPSEC_IPV4_HASH(selkey->ipsl_remote.ipsad_v4));
	}
	if (valid & IPSL_IPV6) {
		if (selkey->ipsl_remote_pfxlen == 128)
			return (IPSEC_IPV6_HASH(selkey->ipsl_remote.ipsad_v6));
	}
	return (IPSEC_SEL_NOHASH);
}

/*
 * Hash a packet selector (always has a concrete remote address) into
 * the same bucket space as selkey_hash() so lookups line up.
 */
static uint32_t
selector_hash(ipsec_selector_t *sel)
{
	if (sel->ips_isv4) {
		return (IPSEC_IPV4_HASH(sel->ips_remote_addr_v4));
	}
	return (IPSEC_IPV6_HASH(sel->ips_remote_addr_v6));
}

/*
 * Intern actions into the action hash table.
 *
 * Builds (or finds) the chain for the action array a[0..n-1], working
 * backwards so each element can link to its already-interned successor.
 * Returns the head of the chain with a reference held for the caller,
 * or NULL on allocation failure.
 */
ipsec_action_t *
ipsec_act_find(const ipsec_act_t *a, int n)
{
	int i;
	uint32_t hval;
	ipsec_action_t *ap;
	ipsec_action_t *prev = NULL;
	int32_t overhead, maxovhd = 0;
	boolean_t allow_clear = B_FALSE;
	boolean_t want_ah = B_FALSE;
	boolean_t want_esp = B_FALSE;
	boolean_t want_se = B_FALSE;
	boolean_t want_unique = B_FALSE;

	/*
	 * TODO: should canonicalize a[] (i.e., zeroize any padding)
	 * so we can use a non-trivial policy_hash function.
	 */
	for (i = n-1; i >= 0; i--) {
		/* policy_hash() is currently trivial (always bucket 0). */
		hval = policy_hash(IPSEC_ACTION_HASH_SIZE, &a[i], &a[n]);

		HASH_LOCK(ipsec_action_hash, hval);

		/*
		 * Match requires both an identical action body (bcmp --
		 * hence the canonicalization TODO above) and the same
		 * successor in the chain being built.
		 */
		for (HASH_ITERATE(ap, ipa_hash, ipsec_action_hash, hval)) {
			if (bcmp(&ap->ipa_act, &a[i], sizeof (*a)) != 0)
				continue;
			if (ap->ipa_next != prev)
				continue;
			break;
		}
		if (ap != NULL) {
			/* Reuse the interned node as-is. */
			HASH_UNLOCK(ipsec_action_hash, hval);
			prev = ap;
			continue;
		}
		/*
		 * need to allocate a new one..
		 */
		ap = kmem_cache_alloc(ipsec_action_cache, KM_NOSLEEP);
		if (ap == NULL) {
			HASH_UNLOCK(ipsec_action_hash, hval);
			/*
			 * NOTE(review): prev may still hold hash-table
			 * references here; confirm ipsec_action_free() on
			 * a chain with nonzero refs is safe in this path.
			 */
			if (prev != NULL)
				ipsec_action_free(prev);
			return (NULL);
		}
		HASH_INSERT(ap, ipa_hash, ipsec_action_hash, hval);

		ap->ipa_next = prev;
		ap->ipa_act = a[i];

		overhead = ipsec_act_ovhd(&a[i]);
		if (maxovhd < overhead)
			maxovhd = overhead;

		/* Accumulate summary flags over the alternatives seen so far. */
		if ((a[i].ipa_type == IPSEC_ACT_BYPASS) ||
		    (a[i].ipa_type == IPSEC_ACT_CLEAR))
			allow_clear = B_TRUE;
		if (a[i].ipa_type == IPSEC_ACT_APPLY) {
			const ipsec_prot_t *ipp = &a[i].ipa_apply;

			ASSERT(ipp->ipp_use_ah || ipp->ipp_use_esp);
			want_ah |= ipp->ipp_use_ah;
			want_esp |= ipp->ipp_use_esp;
			want_se |= ipp->ipp_use_se;
			want_unique |= ipp->ipp_use_unique;
		}
		ap->ipa_allow_clear = allow_clear;
		ap->ipa_want_ah = want_ah;
		ap->ipa_want_esp = want_esp;
		ap->ipa_want_se = want_se;
		ap->ipa_want_unique = want_unique;
		ap->ipa_refs = 1; /* from the hash table */
		ap->ipa_ovhd = maxovhd;
		if (prev)
			prev->ipa_refs++;	/* new node points at prev */
		prev = ap;
		HASH_UNLOCK(ipsec_action_hash, hval);
	}

	ap->ipa_refs++; /* caller's reference */

	return (ap);
}

/*
 * Called when refcount goes to 0, indicating that all references to this
 * node are gone.
 *
 * This does not unchain the action from the hash table.
 */
void
ipsec_action_free(ipsec_action_t *ap)
{
	/*
	 * Walk the chain iteratively, releasing one node at a time and
	 * dropping our reference on its successor; stop as soon as a
	 * successor is still referenced by someone else.
	 */
	for (;;) {
		ipsec_action_t *np = ap->ipa_next;
		ASSERT(ap->ipa_refs == 0);
		ASSERT(ap->ipa_hash.hash_pp == NULL);
		kmem_cache_free(ipsec_action_cache, ap);
		ap = np;
		/* Inlined IPACT_REFRELE -- avoid recursion */
		if (ap == NULL)
			break;
		membar_exit();
		if (atomic_add_32_nv(&(ap)->ipa_refs, -1) != 0)
			break;
		/* End inlined IPACT_REFRELE */
	}
}

/*
 * Periodically sweep action hash table for actions with refcount==1, and
 * nuke them.  We cannot do this "on demand" (i.e., from IPACT_REFRELE)
 * because we can't close the race between another thread finding the action
 * in the hash table without holding the bucket lock during IPACT_REFRELE.
 * Instead, we run this function sporadically to clean up after ourselves;
 * we also set it as the "reclaim" function for the action kmem_cache.
 *
 * Note that it may take several passes of ipsec_action_gc() to free all
 * "stale" actions.
 */
/* ARGSUSED */
static void
ipsec_action_reclaim(void *dummy)
{
	int i;

	for (i = 0; i < IPSEC_ACTION_HASH_SIZE; i++) {
		ipsec_action_t *ap, *np;

		/* skip the lock if nobody home */
		if (ipsec_action_hash[i].hash_head == NULL)
			continue;

		HASH_LOCK(ipsec_action_hash, i);
		for (ap = ipsec_action_hash[i].hash_head;
		    ap != NULL; ap = np) {
			ASSERT(ap->ipa_refs > 0);
			/* Save the successor before we possibly free ap. */
			np = ap->ipa_hash.hash_next;
			/* refs > 1 means someone besides the table holds it. */
			if (ap->ipa_refs > 1)
				continue;
			HASH_UNCHAIN(ap, ipa_hash, ipsec_action_hash, i);
			IPACT_REFRELE(ap);
		}
		HASH_UNLOCK(ipsec_action_hash, i);
	}
}

/*
 * Intern a selector set into the selector set hash table.
 * This is simpler than the actions case..
 */
/*
 * Find (or create) the interned selector node for selkey.  Returns the
 * node with a reference held for the caller, or NULL if a new node was
 * needed and allocation failed.  Side effect: stores the computed hash
 * in selkey->ipsl_hval.
 */
static ipsec_sel_t *
ipsec_find_sel(ipsec_selkey_t *selkey)
{
	ipsec_sel_t *sp;
	uint32_t hval, bucket;

	/*
	 * Exactly one AF bit should be set in selkey.
	 */
	ASSERT(!(selkey->ipsl_valid & IPSL_IPV4) ^
	    !(selkey->ipsl_valid & IPSL_IPV6));

	hval = selkey_hash(selkey);
	selkey->ipsl_hval = hval;

	/* Unhashable selectors all share bucket 0. */
	bucket = (hval == IPSEC_SEL_NOHASH) ? 0 : hval;

	ASSERT(!HASH_LOCKED(ipsec_sel_hash, bucket));
	HASH_LOCK(ipsec_sel_hash, bucket);

	/* bcmp works because ipsl_hval was just stored in selkey too. */
	for (HASH_ITERATE(sp, ipsl_hash, ipsec_sel_hash, bucket)) {
		if (bcmp(&sp->ipsl_key, selkey, sizeof (*selkey)) == 0)
			break;
	}
	if (sp != NULL) {
		sp->ipsl_refs++;

		HASH_UNLOCK(ipsec_sel_hash, bucket);
		return (sp);
	}

	sp = kmem_cache_alloc(ipsec_sel_cache, KM_NOSLEEP);
	if (sp == NULL) {
		HASH_UNLOCK(ipsec_sel_hash, bucket);
		return (NULL);
	}

	HASH_INSERT(sp, ipsl_hash, ipsec_sel_hash, bucket);
	sp->ipsl_refs = 2;	/* one for hash table, one for caller */
	sp->ipsl_key = *selkey;

	HASH_UNLOCK(ipsec_sel_hash, bucket);

	return (sp);
}

/*
 * Release one reference on *spp and NULL the caller's pointer.  When
 * only the hash table's own reference would remain, unchain and free
 * the node as well.
 */
static void
ipsec_sel_rel(ipsec_sel_t **spp)
{
	ipsec_sel_t *sp = *spp;
	int hval = sp->ipsl_key.ipsl_hval;
	*spp = NULL;

	if (hval == IPSEC_SEL_NOHASH)
		hval = 0;

	ASSERT(!HASH_LOCKED(ipsec_sel_hash, hval));
	HASH_LOCK(ipsec_sel_hash, hval);
	/* refs == 1 after our release means only the table holds it. */
	if (--sp->ipsl_refs == 1) {
		HASH_UNCHAIN(sp, ipsl_hash, ipsec_sel_hash, hval);
		sp->ipsl_refs--;
		HASH_UNLOCK(ipsec_sel_hash, hval);
		ASSERT(sp->ipsl_refs == 0);
		kmem_cache_free(ipsec_sel_cache, sp);
		/* Caller unlocks */
		return;
	}

	HASH_UNLOCK(ipsec_sel_hash, hval);
}

/*
 * Free a policy rule which we know is no longer being referenced.
 */
void
ipsec_policy_free(ipsec_policy_t *ipp)
{
	ASSERT(ipp->ipsp_refs == 0);
	ASSERT(ipp->ipsp_sel != NULL);
	ASSERT(ipp->ipsp_act != NULL);
	ipsec_sel_rel(&ipp->ipsp_sel);
	IPACT_REFRELE(ipp->ipsp_act);
	kmem_cache_free(ipsec_pol_cache, ipp);
}

/*
 * Construction of new policy rules; construct a policy, and add it to
 * the appropriate tables.
 */
ipsec_policy_t *
ipsec_policy_create(ipsec_selkey_t *keys, const ipsec_act_t *a,
    int nacts, int prio)
{
	ipsec_action_t *ap;
	ipsec_sel_t *sp;
	ipsec_policy_t *ipp;

	/* Acquire all three pieces before checking any, to simplify unwind. */
	ipp = kmem_cache_alloc(ipsec_pol_cache, KM_NOSLEEP);
	ap = ipsec_act_find(a, nacts);
	sp = ipsec_find_sel(keys);

	if ((ap == NULL) || (sp == NULL) || (ipp == NULL)) {
		if (ap != NULL) {
			IPACT_REFRELE(ap);
		}
		if (sp != NULL)
			ipsec_sel_rel(&sp);
		if (ipp != NULL)
			kmem_cache_free(ipsec_pol_cache, ipp);
		return (NULL);
	}

	HASH_NULL(ipp, ipsp_hash);

	ipp->ipsp_refs = 1;	/* caller's reference */
	ipp->ipsp_sel = sp;
	ipp->ipsp_act = ap;
	ipp->ipsp_prio = prio;	/* rule priority */
	ipp->ipsp_index = ipsec_next_policy_index++;

	return (ipp);
}

/*
 * Recompute the global "policy present" shortcut flags that the fast
 * path checks before doing full SPD lookups.  Any hashed rule forces
 * all four flags on (conservative).
 */
static void
ipsec_update_present_flags()
{
	boolean_t hashpol = (avl_numnodes(&system_policy.iph_rulebyid) > 0);

	if (hashpol) {
		ipsec_outbound_v4_policy_present = B_TRUE;
		ipsec_outbound_v6_policy_present = B_TRUE;
		ipsec_inbound_v4_policy_present = B_TRUE;
		ipsec_inbound_v6_policy_present = B_TRUE;
		return;
	}

	ipsec_outbound_v4_policy_present = (NULL !=
	    system_policy.iph_root[IPSEC_TYPE_OUTBOUND].
	    ipr_nonhash[IPSEC_AF_V4]);
	ipsec_outbound_v6_policy_present = (NULL !=
	    system_policy.iph_root[IPSEC_TYPE_OUTBOUND].
	    ipr_nonhash[IPSEC_AF_V6]);
	ipsec_inbound_v4_policy_present = (NULL !=
	    system_policy.iph_root[IPSEC_TYPE_INBOUND].
	    ipr_nonhash[IPSEC_AF_V4]);
	ipsec_inbound_v6_policy_present = (NULL !=
	    system_policy.iph_root[IPSEC_TYPE_INBOUND].
	    ipr_nonhash[IPSEC_AF_V6]);
}

/*
 * Delete the first rule in php's dir-direction ruleset whose interned
 * selector matches keys.  Returns B_TRUE if a rule was removed.
 */
boolean_t
ipsec_policy_delete(ipsec_policy_head_t *php, ipsec_selkey_t *keys, int dir)
{
	ipsec_sel_t *sp;
	ipsec_policy_t *ip, *nip, *head;
	int af;
	ipsec_policy_root_t *pr = &php->iph_root[dir];

	/* Intern the key so rule matching is pointer comparison. */
	sp = ipsec_find_sel(keys);

	if (sp == NULL)
		return (B_FALSE);

	af = (sp->ipsl_key.ipsl_valid & IPSL_IPV4) ? IPSEC_AF_V4 : IPSEC_AF_V6;

	rw_enter(&php->iph_lock, RW_WRITER);

	/* ipsl_hval was filled in by ipsec_find_sel() above. */
	if (keys->ipsl_hval == IPSEC_SEL_NOHASH) {
		head = pr->ipr_nonhash[af];
	} else {
		head = pr->ipr_hash[keys->ipsl_hval].hash_head;
	}

	for (ip = head; ip != NULL; ip = nip) {
		nip = ip->ipsp_hash.hash_next;
		if (ip->ipsp_sel != sp) {
			continue;
		}

		IPPOL_UNCHAIN(php, ip);

		php->iph_gen++;
		ipsec_update_present_flags();

		rw_exit(&php->iph_lock);

		/* Drop the lookup reference taken by ipsec_find_sel(). */
		ipsec_sel_rel(&sp);

		return (B_TRUE);
	}

	rw_exit(&php->iph_lock);
	ipsec_sel_rel(&sp);
	return (B_FALSE);
}

/*
 * Delete every rule in php with the given policy index.  Returns 0 on
 * success, ENOENT if no rule carried that index.
 */
int
ipsec_policy_delete_index(ipsec_policy_head_t *php, uint64_t policy_index)
{
	boolean_t found = B_FALSE;
	ipsec_policy_t ipkey;
	ipsec_policy_t *ip;
	avl_index_t where;

	(void) memset(&ipkey, 0, sizeof (ipkey));
	ipkey.ipsp_index = policy_index;

	rw_enter(&php->iph_lock, RW_WRITER);

	/*
	 * We could be cleverer here about the walk.
	 * but well, (k+1)*log(N) will do for now (k==number of matches,
	 * N==number of table entries
	 */
	for (;;) {
		/*
		 * The zeroed key can never be an exact AVL match; we only
		 * want the insertion point so we can step to the first
		 * real entry at or after policy_index.
		 */
		ip = (ipsec_policy_t *)avl_find(&php->iph_rulebyid,
		    (void *)&ipkey, &where);
		ASSERT(ip == NULL);

		ip = avl_nearest(&php->iph_rulebyid, where, AVL_AFTER);

		if (ip == NULL)
			break;

		if (ip->ipsp_index != policy_index) {
			ASSERT(ip->ipsp_index > policy_index);
			break;
		}

		IPPOL_UNCHAIN(php, ip);
		found = B_TRUE;
	}

	if (found) {
		php->iph_gen++;
		ipsec_update_present_flags();
	}

	rw_exit(&php->iph_lock);

	return (found ? 0 : ENOENT);
}

/*
 * Given a constructed ipsec_policy_t policy rule, see if it can be entered
 * into the correct policy ruleset.
 *
 * Returns B_TRUE if it can be entered, B_FALSE if it can't be (because a
 * duplicate policy exists with exactly the same selectors), or an icmp
 * rule exists with a different encryption/authentication action.
 */
boolean_t
ipsec_check_policy(ipsec_policy_head_t *php, ipsec_policy_t *ipp, int direction)
{
	ipsec_policy_root_t *pr = &php->iph_root[direction];
	int af = -1;
	ipsec_policy_t *p2, *head;
	uint8_t check_proto;
	ipsec_selkey_t *selkey = &ipp->ipsp_sel->ipsl_key;
	uint32_t valid = selkey->ipsl_valid;

	if (valid & IPSL_IPV6) {
		ASSERT(!(valid & IPSL_IPV4));
		af = IPSEC_AF_V6;
		check_proto = IPPROTO_ICMPV6;
	} else {
		ASSERT(valid & IPSL_IPV4);
		af = IPSEC_AF_V4;
		check_proto = IPPROTO_ICMP;
	}

	ASSERT(RW_WRITE_HELD(&php->iph_lock));

	/*
	 * Double-check that we don't have any duplicate selectors here.
	 * Because selectors are interned below, we need only compare pointers
	 * for equality.
	 */
	if (selkey->ipsl_hval == IPSEC_SEL_NOHASH) {
		head = pr->ipr_nonhash[af];
	} else {
		head = pr->ipr_hash[selkey->ipsl_hval].hash_head;
	}

	for (p2 = head; p2 != NULL; p2 = p2->ipsp_hash.hash_next) {
		if (p2->ipsp_sel == ipp->ipsp_sel)
			return (B_FALSE);
	}

	/*
	 * If it's ICMP and not a drop or pass rule, run through the ICMP
	 * rules and make sure the action is either new or the same as any
	 * other actions.  We don't have to check the full chain because
	 * discard and bypass will override all other actions
	 */

	if (valid & IPSL_PROTOCOL &&
	    selkey->ipsl_proto == check_proto &&
	    (ipp->ipsp_act->ipa_act.ipa_type == IPSEC_ACT_APPLY)) {

		for (p2 = head; p2 != NULL; p2 = p2->ipsp_hash.hash_next) {

			if (p2->ipsp_sel->ipsl_key.ipsl_valid & IPSL_PROTOCOL &&
			    p2->ipsp_sel->ipsl_key.ipsl_proto == check_proto &&
			    (p2->ipsp_act->ipa_act.ipa_type ==
			    IPSEC_ACT_APPLY)) {
				/* First APPLY icmp rule found decides it. */
				return (ipsec_compare_action(p2, ipp));
			}
		}
	}

	return (B_TRUE);
}

/*
 * compare the action chains of two policies for equality
 * B_TRUE -> effective equality
 */

static boolean_t
ipsec_compare_action(ipsec_policy_t *p1, ipsec_policy_t *p2)
{

	ipsec_action_t *act1, *act2;

	/* We have a valid rule. Let's compare the actions */
	if (p1->ipsp_act == p2->ipsp_act) {
		/* same action. We are good */
		return (B_TRUE);
	}

	/* we have to walk the chain */

	act1 = p1->ipsp_act;
	act2 = p2->ipsp_act;

	while (act1 != NULL && act2 != NULL) {

		/* otherwise, Are we close enough? */
		if (act1->ipa_allow_clear != act2->ipa_allow_clear ||
		    act1->ipa_want_ah != act2->ipa_want_ah ||
		    act1->ipa_want_esp != act2->ipa_want_esp ||
		    act1->ipa_want_se != act2->ipa_want_se) {
			/* Nope, we aren't */
			return (B_FALSE);
		}

		if (act1->ipa_want_ah) {
			if (act1->ipa_act.ipa_apply.ipp_auth_alg !=
			    act2->ipa_act.ipa_apply.ipp_auth_alg) {
				return (B_FALSE);
			}

			if (act1->ipa_act.ipa_apply.ipp_ah_minbits !=
			    act2->ipa_act.ipa_apply.ipp_ah_minbits ||
			    act1->ipa_act.ipa_apply.ipp_ah_maxbits !=
			    act2->ipa_act.ipa_apply.ipp_ah_maxbits) {
				return (B_FALSE);
			}
		}

		if (act1->ipa_want_esp) {
			if (act1->ipa_act.ipa_apply.ipp_use_esp !=
			    act2->ipa_act.ipa_apply.ipp_use_esp ||
			    act1->ipa_act.ipa_apply.ipp_use_espa !=
			    act2->ipa_act.ipa_apply.ipp_use_espa) {
				return (B_FALSE);
			}

			if (act1->ipa_act.ipa_apply.ipp_use_esp) {
				if (act1->ipa_act.ipa_apply.ipp_encr_alg !=
				    act2->ipa_act.ipa_apply.ipp_encr_alg) {
					return (B_FALSE);
				}

				if (act1->ipa_act.ipa_apply.ipp_espe_minbits !=
				    act2->ipa_act.ipa_apply.ipp_espe_minbits ||
				    act1->ipa_act.ipa_apply.ipp_espe_maxbits !=
				    act2->ipa_act.ipa_apply.ipp_espe_maxbits) {
					return (B_FALSE);
				}
			}

			if (act1->ipa_act.ipa_apply.ipp_use_espa) {
				if (act1->ipa_act.ipa_apply.ipp_esp_auth_alg !=
				    act2->ipa_act.ipa_apply.ipp_esp_auth_alg) {
					return (B_FALSE);
				}

				if (act1->ipa_act.ipa_apply.ipp_espa_minbits !=
				    act2->ipa_act.ipa_apply.ipp_espa_minbits ||
				    act1->ipa_act.ipa_apply.ipp_espa_maxbits !=
				    act2->ipa_act.ipa_apply.ipp_espa_maxbits) {
					return (B_FALSE);
				}
			}

		}

		act1 = act1->ipa_next;
		act2 = act2->ipa_next;
	}

	/* Chains of unequal length are unequal. */
	if (act1 != NULL || act2 != NULL) {
		return (B_FALSE);
	}

	return (B_TRUE);
}


/*
 * Given a constructed ipsec_policy_t
policy rule, enter it into
 * the correct policy ruleset.
 *
 * ipsec_check_policy() is assumed to have succeeded first (to check for
 * duplicates).
 */
void
ipsec_enter_policy(ipsec_policy_head_t *php, ipsec_policy_t *ipp, int direction)
{
	ipsec_policy_root_t *pr = &php->iph_root[direction];
	ipsec_selkey_t *selkey = &ipp->ipsp_sel->ipsl_key;
	uint32_t valid = selkey->ipsl_valid;
	uint32_t hval = selkey->ipsl_hval;
	int af = -1;

	ASSERT(RW_WRITE_HELD(&php->iph_lock));

	if (valid & IPSL_IPV6) {
		ASSERT(!(valid & IPSL_IPV4));
		af = IPSEC_AF_V6;
	} else {
		ASSERT(valid & IPSL_IPV4);
		af = IPSEC_AF_V4;
	}

	/* Invalidate cached lookups against this head. */
	php->iph_gen++;

	if (hval == IPSEC_SEL_NOHASH) {
		HASHLIST_INSERT(ipp, ipsp_hash, pr->ipr_nonhash[af]);
	} else {
		HASH_LOCK(pr->ipr_hash, hval);
		HASH_INSERT(ipp, ipsp_hash, pr->ipr_hash, hval);
		HASH_UNLOCK(pr->ipr_hash, hval);
	}

	/* Also index the rule by its unique id for delete-by-index. */
	ipsec_insert_always(&php->iph_rulebyid, ipp);

	ipsec_update_present_flags();
}

/*
 * Unchain every rule (both the unhashed chains and all hash buckets)
 * from one direction's policy root.
 */
static void
ipsec_ipr_flush(ipsec_policy_head_t *php, ipsec_policy_root_t *ipr)
{
	ipsec_policy_t *ip, *nip;

	int af, chain, nchain;

	for (af = 0; af < IPSEC_NAF; af++) {
		for (ip = ipr->ipr_nonhash[af]; ip != NULL; ip = nip) {
			nip = ip->ipsp_hash.hash_next;
			IPPOL_UNCHAIN(php, ip);
		}
		ipr->ipr_nonhash[af] = NULL;
	}
	nchain = ipr->ipr_nchains;

	for (chain = 0; chain < nchain; chain++) {
		for (ip = ipr->ipr_hash[chain].hash_head; ip != NULL;
		    ip = nip) {
			nip = ip->ipsp_hash.hash_next;
			IPPOL_UNCHAIN(php, ip);
		}
		ipr->ipr_hash[chain].hash_head = NULL;
	}
}


/*
 * Flush all rules (both directions) from a policy head.  Caller must
 * hold the head's lock as writer.
 */
void
ipsec_polhead_flush(ipsec_policy_head_t *php)
{
	int dir;

	ASSERT(RW_WRITE_HELD(&php->iph_lock));

	for (dir = 0; dir < IPSEC_NTYPES; dir++)
		ipsec_ipr_flush(php, &php->iph_root[dir]);

	ipsec_update_present_flags();
}

/*
 * Destroy a policy head whose last reference is gone: flush its rules,
 * tear down the lock, and free the structure.
 */
void
ipsec_polhead_free(ipsec_policy_head_t *php)
{
	ASSERT(php->iph_refs == 0);
	rw_enter(&php->iph_lock, RW_WRITER);
	ipsec_polhead_flush(php);
	rw_exit(&php->iph_lock);
	rw_destroy(&php->iph_lock);
	kmem_free(php, sizeof (*php));
}

/*
 * Initialize one direction's policy root to the empty state.
 */
static void
ipsec_ipr_init(ipsec_policy_root_t *ipr)
{
	int af;

	ipr->ipr_nchains = 0;
	ipr->ipr_hash = NULL;

	for (af = 0; af < IPSEC_NAF; af++) {
		ipr->ipr_nonhash[af] = NULL;
	}
}

/*
 * Allocate and initialize an empty policy head with one reference for
 * the caller.  Returns NULL on allocation failure (KM_NOSLEEP).
 */
extern ipsec_policy_head_t *
ipsec_polhead_create(void)
{
	ipsec_policy_head_t *php;

	php = kmem_alloc(sizeof (*php), KM_NOSLEEP);
	if (php == NULL)
		return (php);

	rw_init(&php->iph_lock, NULL, RW_DEFAULT, NULL);
	php->iph_refs = 1;
	php->iph_gen = 0;

	ipsec_ipr_init(&php->iph_root[IPSEC_TYPE_INBOUND]);
	ipsec_ipr_init(&php->iph_root[IPSEC_TYPE_OUTBOUND]);

	avl_create(&php->iph_rulebyid, ipsec_policy_cmpbyid,
	    sizeof (ipsec_policy_t), offsetof(ipsec_policy_t, ipsp_byid));

	return (php);
}

/*
 * Clone the policy head into a new polhead; release one reference to the
 * old one and return the only reference to the new one.
 * If the old one had a refcount of 1, just return it.
3285 */ 3286 extern ipsec_policy_head_t * 3287 ipsec_polhead_split(ipsec_policy_head_t *php) 3288 { 3289 ipsec_policy_head_t *nphp; 3290 3291 if (php == NULL) 3292 return (ipsec_polhead_create()); 3293 else if (php->iph_refs == 1) 3294 return (php); 3295 3296 nphp = ipsec_polhead_create(); 3297 if (nphp == NULL) 3298 return (NULL); 3299 3300 if (ipsec_copy_polhead(php, nphp) != 0) { 3301 ipsec_polhead_free(nphp); 3302 return (NULL); 3303 } 3304 IPPH_REFRELE(php); 3305 return (nphp); 3306 } 3307 3308 /* 3309 * When sending a response to a ICMP request or generating a RST 3310 * in the TCP case, the outbound packets need to go at the same level 3311 * of protection as the incoming ones i.e we associate our outbound 3312 * policy with how the packet came in. We call this after we have 3313 * accepted the incoming packet which may or may not have been in 3314 * clear and hence we are sending the reply back with the policy 3315 * matching the incoming datagram's policy. 3316 * 3317 * NOTE : This technology serves two purposes : 3318 * 3319 * 1) If we have multiple outbound policies, we send out a reply 3320 * matching with how it came in rather than matching the outbound 3321 * policy. 3322 * 3323 * 2) For assymetric policies, we want to make sure that incoming 3324 * and outgoing has the same level of protection. Assymetric 3325 * policies exist only with global policy where we may not have 3326 * both outbound and inbound at the same time. 3327 * 3328 * NOTE2: This function is called by cleartext cases, so it needs to be 3329 * in IP proper. 
3330 */ 3331 boolean_t 3332 ipsec_in_to_out(mblk_t *ipsec_mp, ipha_t *ipha, ip6_t *ip6h) 3333 { 3334 ipsec_in_t *ii; 3335 ipsec_out_t *io; 3336 boolean_t v4; 3337 mblk_t *mp; 3338 boolean_t secure, attach_if; 3339 uint_t ifindex; 3340 ipsec_selector_t sel; 3341 ipsec_action_t *reflect_action = NULL; 3342 zoneid_t zoneid; 3343 3344 ASSERT(ipsec_mp->b_datap->db_type == M_CTL); 3345 3346 bzero((void*)&sel, sizeof (sel)); 3347 3348 ii = (ipsec_in_t *)ipsec_mp->b_rptr; 3349 3350 mp = ipsec_mp->b_cont; 3351 ASSERT(mp != NULL); 3352 3353 if (ii->ipsec_in_action != NULL) { 3354 /* transfer reference.. */ 3355 reflect_action = ii->ipsec_in_action; 3356 ii->ipsec_in_action = NULL; 3357 } else if (!ii->ipsec_in_loopback) 3358 reflect_action = ipsec_in_to_out_action(ii); 3359 secure = ii->ipsec_in_secure; 3360 attach_if = ii->ipsec_in_attach_if; 3361 ifindex = ii->ipsec_in_ill_index; 3362 zoneid = ii->ipsec_in_zoneid; 3363 v4 = ii->ipsec_in_v4; 3364 3365 ipsec_in_release_refs(ii); 3366 3367 /* 3368 * The caller is going to send the datagram out which might 3369 * go on the wire or delivered locally through ip_wput_local. 3370 * 3371 * 1) If it goes out on the wire, new associations will be 3372 * obtained. 3373 * 2) If it is delivered locally, ip_wput_local will convert 3374 * this IPSEC_OUT to a IPSEC_IN looking at the requests. 
3375 */ 3376 3377 io = (ipsec_out_t *)ipsec_mp->b_rptr; 3378 bzero(io, sizeof (ipsec_out_t)); 3379 io->ipsec_out_type = IPSEC_OUT; 3380 io->ipsec_out_len = sizeof (ipsec_out_t); 3381 io->ipsec_out_frtn.free_func = ipsec_out_free; 3382 io->ipsec_out_frtn.free_arg = (char *)io; 3383 io->ipsec_out_act = reflect_action; 3384 3385 if (!ipsec_init_outbound_ports(&sel, mp, ipha, ip6h)) 3386 return (B_FALSE); 3387 3388 io->ipsec_out_src_port = sel.ips_local_port; 3389 io->ipsec_out_dst_port = sel.ips_remote_port; 3390 io->ipsec_out_proto = sel.ips_protocol; 3391 io->ipsec_out_icmp_type = sel.ips_icmp_type; 3392 io->ipsec_out_icmp_code = sel.ips_icmp_code; 3393 3394 /* 3395 * Don't use global policy for this, as we want 3396 * to use the same protection that was applied to the inbound packet. 3397 */ 3398 io->ipsec_out_use_global_policy = B_FALSE; 3399 io->ipsec_out_proc_begin = B_FALSE; 3400 io->ipsec_out_secure = secure; 3401 io->ipsec_out_v4 = v4; 3402 io->ipsec_out_attach_if = attach_if; 3403 io->ipsec_out_ill_index = ifindex; 3404 io->ipsec_out_zoneid = zoneid; 3405 return (B_TRUE); 3406 } 3407 3408 mblk_t * 3409 ipsec_in_tag(mblk_t *mp, mblk_t *cont) 3410 { 3411 ipsec_in_t *ii = (ipsec_in_t *)mp->b_rptr; 3412 ipsec_in_t *nii; 3413 mblk_t *nmp; 3414 frtn_t nfrtn; 3415 3416 ASSERT(ii->ipsec_in_type == IPSEC_IN); 3417 ASSERT(ii->ipsec_in_len == sizeof (ipsec_in_t)); 3418 3419 nmp = ipsec_in_alloc(ii->ipsec_in_v4); 3420 3421 ASSERT(nmp->b_datap->db_type == M_CTL); 3422 ASSERT(nmp->b_wptr == (nmp->b_rptr + sizeof (ipsec_info_t))); 3423 3424 /* 3425 * Bump refcounts. 3426 */ 3427 if (ii->ipsec_in_ah_sa != NULL) 3428 IPSA_REFHOLD(ii->ipsec_in_ah_sa); 3429 if (ii->ipsec_in_esp_sa != NULL) 3430 IPSA_REFHOLD(ii->ipsec_in_esp_sa); 3431 if (ii->ipsec_in_policy != NULL) 3432 IPPH_REFHOLD(ii->ipsec_in_policy); 3433 3434 /* 3435 * Copy everything, but preserve the free routine provided by 3436 * ipsec_in_alloc(). 
3437 */ 3438 nii = (ipsec_in_t *)nmp->b_rptr; 3439 nfrtn = nii->ipsec_in_frtn; 3440 bcopy(ii, nii, sizeof (*ii)); 3441 nii->ipsec_in_frtn = nfrtn; 3442 3443 nmp->b_cont = cont; 3444 3445 return (nmp); 3446 } 3447 3448 mblk_t * 3449 ipsec_out_tag(mblk_t *mp, mblk_t *cont) 3450 { 3451 ipsec_out_t *io = (ipsec_out_t *)mp->b_rptr; 3452 ipsec_out_t *nio; 3453 mblk_t *nmp; 3454 frtn_t nfrtn; 3455 3456 ASSERT(io->ipsec_out_type == IPSEC_OUT); 3457 ASSERT(io->ipsec_out_len == sizeof (ipsec_out_t)); 3458 3459 nmp = ipsec_alloc_ipsec_out(); 3460 if (nmp == NULL) { 3461 freemsg(cont); /* XXX ip_drop_packet() ? */ 3462 return (NULL); 3463 } 3464 ASSERT(nmp->b_datap->db_type == M_CTL); 3465 ASSERT(nmp->b_wptr == (nmp->b_rptr + sizeof (ipsec_info_t))); 3466 3467 /* 3468 * Bump refcounts. 3469 */ 3470 if (io->ipsec_out_ah_sa != NULL) 3471 IPSA_REFHOLD(io->ipsec_out_ah_sa); 3472 if (io->ipsec_out_esp_sa != NULL) 3473 IPSA_REFHOLD(io->ipsec_out_esp_sa); 3474 if (io->ipsec_out_polhead != NULL) 3475 IPPH_REFHOLD(io->ipsec_out_polhead); 3476 if (io->ipsec_out_policy != NULL) 3477 IPPOL_REFHOLD(io->ipsec_out_policy); 3478 if (io->ipsec_out_act != NULL) 3479 IPACT_REFHOLD(io->ipsec_out_act); 3480 if (io->ipsec_out_latch != NULL) 3481 IPLATCH_REFHOLD(io->ipsec_out_latch); 3482 if (io->ipsec_out_cred != NULL) 3483 crhold(io->ipsec_out_cred); 3484 3485 /* 3486 * Copy everything, but preserve the free routine provided by 3487 * ipsec_alloc_ipsec_out(). 
3488 */ 3489 nio = (ipsec_out_t *)nmp->b_rptr; 3490 nfrtn = nio->ipsec_out_frtn; 3491 bcopy(io, nio, sizeof (*io)); 3492 nio->ipsec_out_frtn = nfrtn; 3493 3494 nmp->b_cont = cont; 3495 3496 return (nmp); 3497 } 3498 3499 static void 3500 ipsec_out_release_refs(ipsec_out_t *io) 3501 { 3502 ASSERT(io->ipsec_out_type == IPSEC_OUT); 3503 ASSERT(io->ipsec_out_len == sizeof (ipsec_out_t)); 3504 3505 /* Note: IPSA_REFRELE is multi-line macro */ 3506 if (io->ipsec_out_ah_sa != NULL) 3507 IPSA_REFRELE(io->ipsec_out_ah_sa); 3508 if (io->ipsec_out_esp_sa != NULL) 3509 IPSA_REFRELE(io->ipsec_out_esp_sa); 3510 if (io->ipsec_out_polhead != NULL) 3511 IPPH_REFRELE(io->ipsec_out_polhead); 3512 if (io->ipsec_out_policy != NULL) 3513 IPPOL_REFRELE(io->ipsec_out_policy); 3514 if (io->ipsec_out_act != NULL) 3515 IPACT_REFRELE(io->ipsec_out_act); 3516 if (io->ipsec_out_cred != NULL) { 3517 crfree(io->ipsec_out_cred); 3518 io->ipsec_out_cred = NULL; 3519 } 3520 if (io->ipsec_out_latch) { 3521 IPLATCH_REFRELE(io->ipsec_out_latch); 3522 io->ipsec_out_latch = NULL; 3523 } 3524 } 3525 3526 static void 3527 ipsec_out_free(void *arg) 3528 { 3529 ipsec_out_t *io = (ipsec_out_t *)arg; 3530 ipsec_out_release_refs(io); 3531 kmem_cache_free(ipsec_info_cache, arg); 3532 } 3533 3534 static void 3535 ipsec_in_release_refs(ipsec_in_t *ii) 3536 { 3537 /* Note: IPSA_REFRELE is multi-line macro */ 3538 if (ii->ipsec_in_ah_sa != NULL) 3539 IPSA_REFRELE(ii->ipsec_in_ah_sa); 3540 if (ii->ipsec_in_esp_sa != NULL) 3541 IPSA_REFRELE(ii->ipsec_in_esp_sa); 3542 if (ii->ipsec_in_policy != NULL) 3543 IPPH_REFRELE(ii->ipsec_in_policy); 3544 if (ii->ipsec_in_da != NULL) { 3545 freeb(ii->ipsec_in_da); 3546 ii->ipsec_in_da = NULL; 3547 } 3548 } 3549 3550 static void 3551 ipsec_in_free(void *arg) 3552 { 3553 ipsec_in_t *ii = (ipsec_in_t *)arg; 3554 ipsec_in_release_refs(ii); 3555 kmem_cache_free(ipsec_info_cache, arg); 3556 } 3557 3558 /* 3559 * This is called only for outbound datagrams if the datagram needs to 3560 * 
 * go out secure. A NULL mp can be passed to get an ipsec_out. This
 * facility is used by ip_unbind.
 *
 * NOTE : o As the data part could be modified by ipsec_out_process etc.
 *	we can't make it fast by calling a dup.
 */
mblk_t *
ipsec_alloc_ipsec_out()
{
	mblk_t *ipsec_mp;

	/* KM_NOSLEEP: callers must cope with a NULL return. */
	ipsec_out_t *io = kmem_cache_alloc(ipsec_info_cache, KM_NOSLEEP);

	if (io == NULL)
		return (NULL);

	bzero(io, sizeof (ipsec_out_t));

	io->ipsec_out_type = IPSEC_OUT;
	io->ipsec_out_len = sizeof (ipsec_out_t);
	io->ipsec_out_frtn.free_func = ipsec_out_free;
	io->ipsec_out_frtn.free_arg = (char *)io;

	/*
	 * Set the zoneid to ALL_ZONES which is used as an invalid value. Code
	 * using ipsec_out_zoneid should assert that the zoneid has been set to
	 * a sane value.
	 */
	io->ipsec_out_zoneid = ALL_ZONES;

	/* Wrap the info block in an M_CTL mblk that frees via io's frtn. */
	ipsec_mp = desballoc((uint8_t *)io, sizeof (ipsec_info_t), BPRI_HI,
	    &io->ipsec_out_frtn);
	if (ipsec_mp == NULL) {
		ipsec_out_free(io);

		return (NULL);
	}
	ipsec_mp->b_datap->db_type = M_CTL;
	ipsec_mp->b_wptr = ipsec_mp->b_rptr + sizeof (ipsec_info_t);

	return (ipsec_mp);
}

/*
 * Attach an IPSEC_OUT; use pol for policy if it is non-null.
 * Otherwise initialize using conn.
 *
 * If pol is non-null, we consume a reference to it.
 */
mblk_t *
ipsec_attach_ipsec_out(mblk_t *mp, conn_t *connp, ipsec_policy_t *pol,
    uint8_t proto)
{
	mblk_t *ipsec_mp;

	ASSERT((pol != NULL) || (connp != NULL));

	ipsec_mp = ipsec_alloc_ipsec_out();
	if (ipsec_mp == NULL) {
		/*
		 * NOTE(review): the ASSERT above permits connp == NULL when
		 * pol != NULL, in which case CONNP_TO_WQ(connp) here looks
		 * like a NULL dereference -- confirm against callers.
		 */
		(void) mi_strlog(CONNP_TO_WQ(connp), 0, SL_ERROR|SL_NOTE,
		    "ipsec_attach_ipsec_out: Allocation failure\n");
		BUMP_MIB(&ip_mib, ipOutDiscards);
		ip_drop_packet(mp, B_FALSE, NULL, NULL, &ipdrops_spd_nomem,
		    &spd_dropper);
		return (NULL);
	}
	ipsec_mp->b_cont = mp;
	return (ipsec_init_ipsec_out(ipsec_mp, connp, pol, proto));
}

/*
 * Initialize the IPSEC_OUT (ipsec_mp) using pol if it is non-null.
 * Otherwise initialize using conn.
 *
 * If pol is non-null, we consume a reference to it.
 */
mblk_t *
ipsec_init_ipsec_out(mblk_t *ipsec_mp, conn_t *connp, ipsec_policy_t *pol,
    uint8_t proto)
{
	mblk_t *mp;
	ipsec_out_t *io;
	ipsec_policy_t *p;
	ipha_t *ipha;
	ip6_t *ip6h;

	ASSERT((pol != NULL) || (connp != NULL));

	/*
	 * If mp is NULL, we won't/should not be using it.
	 */
	mp = ipsec_mp->b_cont;

	ASSERT(ipsec_mp->b_datap->db_type == M_CTL);
	ASSERT(ipsec_mp->b_wptr == (ipsec_mp->b_rptr + sizeof (ipsec_info_t)));
	io = (ipsec_out_t *)ipsec_mp->b_rptr;
	ASSERT(io->ipsec_out_type == IPSEC_OUT);
	ASSERT(io->ipsec_out_len == sizeof (ipsec_out_t));
	io->ipsec_out_latch = NULL;
	/*
	 * Set the zoneid when we have the connp.
	 * Otherwise, we're called from ip_wput_attach_policy() who will take
	 * care of setting the zoneid.
	 */
	if (connp != NULL)
		io->ipsec_out_zoneid = connp->conn_zoneid;

	/* Work out the IP version from the packet, or from the conn. */
	if (mp != NULL) {
		ipha = (ipha_t *)mp->b_rptr;
		if (IPH_HDR_VERSION(ipha) == IP_VERSION) {
			io->ipsec_out_v4 = B_TRUE;
			ip6h = NULL;
		} else {
			io->ipsec_out_v4 = B_FALSE;
			ip6h = (ip6_t *)ipha;
			ipha = NULL;
		}
	} else {
		ASSERT(connp != NULL && connp->conn_policy_cached);
		ip6h = NULL;
		ipha = NULL;
		io->ipsec_out_v4 = !connp->conn_pkt_isv6;
	}

	p = NULL;

	/*
	 * Take latched policies over global policy. Check here again for
	 * this, in case we had conn_latch set while the packet was flying
	 * around in IP.
	 */
	if (connp != NULL && connp->conn_latch != NULL) {
		p = connp->conn_latch->ipl_out_policy;
		io->ipsec_out_latch = connp->conn_latch;
		IPLATCH_REFHOLD(connp->conn_latch);
		if (p != NULL) {
			IPPOL_REFHOLD(p);
		}
		io->ipsec_out_src_port = connp->conn_lport;
		io->ipsec_out_dst_port = connp->conn_fport;
		io->ipsec_out_icmp_type = io->ipsec_out_icmp_code = 0;
		/* Latched policy wins; drop the reference we were given. */
		if (pol != NULL)
			IPPOL_REFRELE(pol);
	} else if (pol != NULL) {
		ipsec_selector_t sel;

		bzero((void*)&sel, sizeof (sel));

		p = pol;
		/*
		 * conn does not have the port information. Get
		 * it from the packet.
		 */

		if (!ipsec_init_outbound_ports(&sel, mp, ipha, ip6h)) {
			/*
			 * XXX any cleanup required here??
			 * NOTE(review): ipsec_mp and the held latch/policy
			 * references appear to be leaked on this path --
			 * verify against callers.
			 */
			return (NULL);
		}
		io->ipsec_out_src_port = sel.ips_local_port;
		io->ipsec_out_dst_port = sel.ips_remote_port;
		io->ipsec_out_icmp_type = sel.ips_icmp_type;
		io->ipsec_out_icmp_code = sel.ips_icmp_code;
	}

	io->ipsec_out_proto = proto;
	io->ipsec_out_use_global_policy = B_TRUE;
	io->ipsec_out_secure = (p != NULL);
	io->ipsec_out_policy = p;

	/*
	 * No latched or explicit policy: if the conn has per-socket policy,
	 * mark the datagram as needing a policy lookup later.
	 */
	if (p == NULL) {
		if (connp->conn_policy != NULL) {
			io->ipsec_out_secure = B_TRUE;
			ASSERT(io->ipsec_out_latch == NULL);
			ASSERT(io->ipsec_out_use_global_policy == B_TRUE);
			io->ipsec_out_need_policy = B_TRUE;
			ASSERT(io->ipsec_out_polhead == NULL);
			IPPH_REFHOLD(connp->conn_policy);
			io->ipsec_out_polhead = connp->conn_policy;
		}
	}
	return (ipsec_mp);
}

/*
 * Allocate an IPSEC_IN mblk. This will be prepended to an inbound datagram
 * and keep track of what-if-any IPsec processing will be applied to the
 * datagram.
 */
mblk_t *
ipsec_in_alloc(boolean_t isv4)
{
	mblk_t *ipsec_in;
	/* KM_NOSLEEP: callers must cope with a NULL return. */
	ipsec_in_t *ii = kmem_cache_alloc(ipsec_info_cache, KM_NOSLEEP);

	if (ii == NULL)
		return (NULL);

	bzero(ii, sizeof (ipsec_info_t));
	ii->ipsec_in_type = IPSEC_IN;
	ii->ipsec_in_len = sizeof (ipsec_in_t);

	ii->ipsec_in_v4 = isv4;
	ii->ipsec_in_secure = B_TRUE;

	ii->ipsec_in_frtn.free_func = ipsec_in_free;
	ii->ipsec_in_frtn.free_arg = (char *)ii;

	/* Wrap the info block in an M_CTL mblk that frees via ii's frtn. */
	ipsec_in = desballoc((uint8_t *)ii, sizeof (ipsec_info_t), BPRI_HI,
	    &ii->ipsec_in_frtn);
	if (ipsec_in == NULL) {
		ip1dbg(("ipsec_in_alloc: IPSEC_IN allocation failure.\n"));
		ipsec_in_free(ii);
		return (NULL);
	}

	ipsec_in->b_datap->db_type = M_CTL;
	ipsec_in->b_wptr += sizeof (ipsec_info_t);

	return (ipsec_in);
}

/*
 * This is called from ip_wput_local when a packet which needs
 * security is looped back, to
 * convert the IPSEC_OUT to a IPSEC_IN
 * before fanout, where the policy check happens. In most of the
 * cases, IPSEC processing has *never* been done. There is one case
 * (ip_wput_ire_fragmentit -> ip_wput_frag -> icmp_frag_needed) where
 * the packet is destined for localhost, IPSEC processing has already
 * been done.
 *
 * Future: This could happen after SA selection has occurred for
 * outbound.. which will tell us who the src and dst identities are..
 * Then it's just a matter of splicing the ah/esp SA pointers from the
 * ipsec_out_t to the ipsec_in_t.
 */
void
ipsec_out_to_in(mblk_t *ipsec_mp)
{
	ipsec_in_t *ii;
	ipsec_out_t *io;
	ipsec_policy_t *pol;
	ipsec_action_t *act;
	boolean_t v4, icmp_loopback;

	ASSERT(ipsec_mp->b_datap->db_type == M_CTL);

	io = (ipsec_out_t *)ipsec_mp->b_rptr;

	v4 = io->ipsec_out_v4;
	icmp_loopback = io->ipsec_out_icmp_loopback;

	/*
	 * Carry the action across: take the explicit outbound action, or
	 * fall back to the action of the attached policy.
	 */
	act = io->ipsec_out_act;
	if (act == NULL) {
		pol = io->ipsec_out_policy;
		if (pol != NULL) {
			act = pol->ipsp_act;
			IPACT_REFHOLD(act);
		}
	}
	/* Clear before release so ipsec_out_release_refs won't drop it. */
	io->ipsec_out_act = NULL;

	ipsec_out_release_refs(io);

	/* Rebuild the same info mblk in place as an IPSEC_IN. */
	ii = (ipsec_in_t *)ipsec_mp->b_rptr;
	bzero(ii, sizeof (ipsec_in_t));
	ii->ipsec_in_type = IPSEC_IN;
	ii->ipsec_in_len = sizeof (ipsec_in_t);
	ii->ipsec_in_loopback = B_TRUE;
	ii->ipsec_in_frtn.free_func = ipsec_in_free;
	ii->ipsec_in_frtn.free_arg = (char *)ii;
	ii->ipsec_in_action = act;

	/*
	 * In most of the cases, we can't look at the ipsec_out_XXX_sa
	 * because this never went through IPSEC processing. So, look at
	 * the requests and infer whether it would have gone through
	 * IPSEC processing or not. Initialize the "done" fields with
	 * the requests. The possible values for "done" fields are :
	 *
	 * 1) zero, indicates that a particular preference was never
	 *    requested.
	 * 2) non-zero, indicates that it could be IPSEC_PREF_REQUIRED/
	 *    IPSEC_PREF_NEVER. If IPSEC_REQ_DONE is set, it means that
	 *    IPSEC processing has been completed.
	 */
	ii->ipsec_in_secure = B_TRUE;
	ii->ipsec_in_v4 = v4;
	ii->ipsec_in_icmp_loopback = icmp_loopback;
	ii->ipsec_in_attach_if = B_FALSE;
}

/*
 * Consults global policy to see whether this datagram should
 * go out secure. If so it attaches a ipsec_mp in front and
 * returns.
 */
mblk_t *
ip_wput_attach_policy(mblk_t *ipsec_mp, ipha_t *ipha, ip6_t *ip6h, ire_t *ire,
    conn_t *connp, boolean_t unspec_src)
{
	mblk_t *mp;
	ipsec_out_t *io = NULL;
	ipsec_selector_t sel;
	uint_t ill_index;
	boolean_t conn_dontroutex;
	boolean_t conn_multicast_loopx;
	boolean_t policy_present;

	/* Exactly one of ipha/ip6h identifies the packet. */
	ASSERT((ipha != NULL && ip6h == NULL) ||
	    (ip6h != NULL && ipha == NULL));

	bzero((void*)&sel, sizeof (sel));

	if (ipha != NULL)
		policy_present = ipsec_outbound_v4_policy_present;
	else
		policy_present = ipsec_outbound_v6_policy_present;
	/*
	 * Fast Path to see if there is any policy.
	 */
	if (!policy_present) {
		if (ipsec_mp->b_datap->db_type == M_CTL) {
			io = (ipsec_out_t *)ipsec_mp->b_rptr;
			if (!io->ipsec_out_secure) {
				/*
				 * If there is no global policy and ip_wput
				 * or ip_wput_multicast has attached this mp
				 * for multicast case, free the ipsec_mp and
				 * return the original mp.
				 */
				mp = ipsec_mp->b_cont;
				freeb(ipsec_mp);
				ipsec_mp = mp;
				io = NULL;
			}
		}
		if (((io == NULL) || (io->ipsec_out_polhead == NULL)) &&
		    ((connp == NULL) || (connp->conn_policy == NULL)))
			return (ipsec_mp);
	}

	ill_index = 0;
	conn_multicast_loopx = conn_dontroutex = B_FALSE;
	mp = ipsec_mp;
	if (ipsec_mp->b_datap->db_type == M_CTL) {
		mp = ipsec_mp->b_cont;
		/*
		 * This is a connection where we have some per-socket
		 * policy or ip_wput has attached an ipsec_mp for
		 * the multicast datagram.
		 */
		io = (ipsec_out_t *)ipsec_mp->b_rptr;
		if (!io->ipsec_out_secure) {
			/*
			 * This ipsec_mp was allocated in ip_wput or
			 * ip_wput_multicast so that we will know the
			 * value of ill_index, conn_dontroute,
			 * conn_multicast_loop in the multicast case if
			 * we inherit global policy here.
			 */
			ill_index = io->ipsec_out_ill_index;
			conn_dontroutex = io->ipsec_out_dontroute;
			conn_multicast_loopx = io->ipsec_out_multicast_loop;
			freeb(ipsec_mp);
			ipsec_mp = mp;
			io = NULL;
		}
	}

	/* Fill in the selector from the packet headers. */
	if (ipha != NULL) {
		sel.ips_local_addr_v4 = (ipha->ipha_src != 0 ?
		    ipha->ipha_src : ire->ire_src_addr);
		sel.ips_remote_addr_v4 = ip_get_dst(ipha);
		sel.ips_protocol = (uint8_t)ipha->ipha_protocol;
		sel.ips_isv4 = B_TRUE;
	} else {
		ushort_t hdr_len;
		uint8_t	*nexthdrp;
		boolean_t is_fragment;

		sel.ips_isv4 = B_FALSE;
		if (IN6_IS_ADDR_UNSPECIFIED(&ip6h->ip6_src)) {
			if (!unspec_src)
				sel.ips_local_addr_v6 = ire->ire_src_addr_v6;
		} else {
			sel.ips_local_addr_v6 = ip6h->ip6_src;
		}

		sel.ips_remote_addr_v6 = ip_get_dst_v6(ip6h, &is_fragment);
		if (is_fragment) {
			/*
			 * It's a packet fragment for a packet that
			 * we have already processed (since IPsec processing
			 * is done before fragmentation), so we don't
			 * have to do policy checks again. Fragments can
			 * come back to us for processing if they have
			 * been queued up due to flow control.
			 */
			if (ipsec_mp->b_datap->db_type == M_CTL) {
				mp = ipsec_mp->b_cont;
				freeb(ipsec_mp);
				ipsec_mp = mp;
			}
			return (ipsec_mp);
		}

		/* IPv6 common-case. */
		sel.ips_protocol = ip6h->ip6_nxt;
		switch (ip6h->ip6_nxt) {
		case IPPROTO_TCP:
		case IPPROTO_UDP:
		case IPPROTO_SCTP:
		case IPPROTO_ICMPV6:
			break;
		default:
			/* Walk the extension headers to the real ULP. */
			if (!ip_hdr_length_nexthdr_v6(mp, ip6h,
			    &hdr_len, &nexthdrp)) {
				BUMP_MIB(&ip6_mib, ipv6OutDiscards);
				freemsg(ipsec_mp); /* Not IPsec-related drop. */
				return (NULL);
			}
			sel.ips_protocol = *nexthdrp;
			break;
		}
	}

	if (!ipsec_init_outbound_ports(&sel, mp, ipha, ip6h)) {
		if (ipha != NULL) {
			BUMP_MIB(&ip_mib, ipOutDiscards);
		} else {
			BUMP_MIB(&ip6_mib, ipv6OutDiscards);
		}

		ip_drop_packet(ipsec_mp, B_FALSE, NULL, NULL,
		    &ipdrops_spd_nomem, &spd_dropper);
		return (NULL);
	}

	if (io != NULL) {
		/*
		 * We seem to have some local policy (we already have
		 * an ipsec_out). Look at global policy and see
		 * whether we have to inherit or not.
		 */
		io->ipsec_out_need_policy = B_FALSE;
		ipsec_mp = ipsec_apply_global_policy(ipsec_mp, connp, &sel);
		ASSERT((io->ipsec_out_policy != NULL) ||
		    (io->ipsec_out_act != NULL));
		ASSERT(io->ipsec_out_need_policy == B_FALSE);
		return (ipsec_mp);
	}
	/* No local policy: consult global policy from scratch. */
	ipsec_mp = ipsec_attach_global_policy(mp, connp, &sel);
	if (ipsec_mp == NULL)
		return (mp);

	/*
	 * Copy the right port information.
	 */
	ASSERT(ipsec_mp->b_datap->db_type == M_CTL);
	io = (ipsec_out_t *)ipsec_mp->b_rptr;

	ASSERT(io->ipsec_out_need_policy == B_FALSE);
	ASSERT((io->ipsec_out_policy != NULL) ||
	    (io->ipsec_out_act != NULL));
	io->ipsec_out_src_port = sel.ips_local_port;
	io->ipsec_out_dst_port = sel.ips_remote_port;
	io->ipsec_out_icmp_type = sel.ips_icmp_type;
	io->ipsec_out_icmp_code = sel.ips_icmp_code;
	/*
	 * Set ill_index, conn_dontroute and conn_multicast_loop
	 * for multicast datagrams.
	 */
	io->ipsec_out_ill_index = ill_index;
	io->ipsec_out_dontroute = conn_dontroutex;
	io->ipsec_out_multicast_loop = conn_multicast_loopx;
	/*
	 * When conn is non-NULL, the zoneid is set by ipsec_init_ipsec_out().
	 * Otherwise set the zoneid based on the ire.
	 */
	if (connp == NULL)
		io->ipsec_out_zoneid = ire->ire_zoneid;
	return (ipsec_mp);
}

/*
 * When appropriate, this function caches inbound and outbound policy
 * for this connection.
 *
 * XXX need to work out more details about per-interface policy and
 * caching here!
 *
 * XXX may want to split inbound and outbound caching for ill..
 */
int
ipsec_conn_cache_policy(conn_t *connp, boolean_t isv4)
{
	boolean_t global_policy_present;

	/*
	 * There is no policy latching for ICMP sockets because we can't
	 * decide on which policy to use until we see the packet and get
	 * type/code selectors.
	 */
	if (connp->conn_ulp == IPPROTO_ICMP ||
	    connp->conn_ulp == IPPROTO_ICMPV6) {
		connp->conn_in_enforce_policy =
		    connp->conn_out_enforce_policy = B_TRUE;
		if (connp->conn_latch != NULL) {
			IPLATCH_REFRELE(connp->conn_latch);
			connp->conn_latch = NULL;
		}
		connp->conn_flags |= IPCL_CHECK_POLICY;
		return (0);
	}

	global_policy_present = isv4 ?
	    (ipsec_outbound_v4_policy_present ||
	    ipsec_inbound_v4_policy_present) :
	    (ipsec_outbound_v6_policy_present ||
	    ipsec_inbound_v6_policy_present);

	if ((connp->conn_policy != NULL) || global_policy_present) {
		ipsec_selector_t sel;
		ipsec_policy_t	*p;

		if (connp->conn_latch == NULL &&
		    (connp->conn_latch = iplatch_create()) == NULL) {
			return (ENOMEM);
		}

		/* Build the selector from the conn's addresses and ports. */
		sel.ips_protocol = connp->conn_ulp;
		sel.ips_local_port = connp->conn_lport;
		sel.ips_remote_port = connp->conn_fport;
		sel.ips_is_icmp_inv_acq = 0;
		sel.ips_isv4 = isv4;
		if (isv4) {
			sel.ips_local_addr_v4 = connp->conn_src;
			sel.ips_remote_addr_v4 = connp->conn_rem;
		} else {
			sel.ips_local_addr_v6 = connp->conn_srcv6;
			sel.ips_remote_addr_v6 = connp->conn_remv6;
		}

		/* Latch inbound policy (replacing any prior latching). */
		p = ipsec_find_policy(IPSEC_TYPE_INBOUND, connp, NULL, &sel);
		if (connp->conn_latch->ipl_in_policy != NULL)
			IPPOL_REFRELE(connp->conn_latch->ipl_in_policy);
		connp->conn_latch->ipl_in_policy = p;
		connp->conn_in_enforce_policy = (p != NULL);

		/* Latch outbound policy likewise. */
		p = ipsec_find_policy(IPSEC_TYPE_OUTBOUND, connp, NULL, &sel);
		if (connp->conn_latch->ipl_out_policy != NULL)
			IPPOL_REFRELE(connp->conn_latch->ipl_out_policy);
		connp->conn_latch->ipl_out_policy = p;
		connp->conn_out_enforce_policy = (p != NULL);

		/* Clear the latched actions too, in case we're recaching. */
		if (connp->conn_latch->ipl_out_action != NULL)
			IPACT_REFRELE(connp->conn_latch->ipl_out_action);
		if (connp->conn_latch->ipl_in_action != NULL)
			IPACT_REFRELE(connp->conn_latch->ipl_in_action);
	}

	/*
	 * We may or may not have policy for this endpoint. We still set
	 * conn_policy_cached so that inbound datagrams don't have to look
	 * at global policy as policy is considered latched for these
	 * endpoints. We should not set conn_policy_cached until the conn
	 * reflects the actual policy. If we *set* this before inheriting
	 * the policy there is a window where the check
	 * CONN_INBOUND_POLICY_PRESENT, will neither check with the policy
	 * on the conn (because we have not yet copied the policy on to
	 * conn and hence not set conn_in_enforce_policy) nor with the
	 * global policy (because conn_policy_cached is already set).
	 */
	connp->conn_policy_cached = B_TRUE;
	if (connp->conn_in_enforce_policy)
		connp->conn_flags |= IPCL_CHECK_POLICY;
	return (0);
}

/*
 * Release every reference held by a latch (policies, actions, identity
 * cids, cred) and free it.  Called when the latch refcount drops to 0.
 */
void
iplatch_free(ipsec_latch_t *ipl)
{
	if (ipl->ipl_out_policy != NULL)
		IPPOL_REFRELE(ipl->ipl_out_policy);
	if (ipl->ipl_in_policy != NULL)
		IPPOL_REFRELE(ipl->ipl_in_policy);
	if (ipl->ipl_in_action != NULL)
		IPACT_REFRELE(ipl->ipl_in_action);
	if (ipl->ipl_out_action != NULL)
		IPACT_REFRELE(ipl->ipl_out_action);
	if (ipl->ipl_local_cid != NULL)
		IPSID_REFRELE(ipl->ipl_local_cid);
	if (ipl->ipl_remote_cid != NULL)
		IPSID_REFRELE(ipl->ipl_remote_cid);
	if (ipl->ipl_local_id != NULL)
		crfree(ipl->ipl_local_id);
	mutex_destroy(&ipl->ipl_lock);
	kmem_free(ipl, sizeof (*ipl));
}

/*
 * Allocate and initialize a latch with a single reference.
 * Returns NULL on allocation failure (KM_NOSLEEP).
 */
ipsec_latch_t *
iplatch_create()
{
	ipsec_latch_t *ipl = kmem_alloc(sizeof (*ipl), KM_NOSLEEP);
	if (ipl == NULL)
		return (ipl);
	bzero(ipl, sizeof (*ipl));
	mutex_init(&ipl->ipl_lock, NULL, MUTEX_DEFAULT, NULL);
	ipl->ipl_refcnt = 1;
	return (ipl);
}

/*
 * Identity hash table.
 *
 * Identities are refcounted and "interned" into the hash table.
 * Only references coming from other objects (SA's, latching state)
 * are counted in ipsid_refcnt.
 *
 * Locking: IPSID_REFHOLD is safe only when (a) the object's hash bucket
 * is locked, (b) we know that the refcount must be > 0.
 *
 * The ipsid_next and ipsid_ptpn fields are only to be referenced or
 * modified when the bucket lock is held; in particular, we only
 * delete objects while holding the bucket lock, and we only increase
 * the refcount from 0 to 1 while the bucket lock is held.
 */

#define	IPSID_HASHSIZE 64

/* One hash bucket: chain head plus the lock protecting the chain. */
typedef struct ipsif_s
{
	ipsid_t *ipsif_head;
	kmutex_t ipsif_lock;
} ipsif_t;

ipsif_t ipsid_buckets[IPSID_HASHSIZE];

/*
 * Hash function for ID hash table.
 * Rotate-and-xor over the identity string, seeded with the id type,
 * folded down to a bucket index in [0, IPSID_HASHSIZE).
 */
static uint32_t
ipsid_hash(int idtype, char *idstring)
{
	uint32_t hval = idtype;
	unsigned char c;

	while ((c = *idstring++) != 0) {
		hval = (hval << 4) | (hval >> 28);	/* rotate left 4 */
		hval ^= c;
	}
	hval = hval ^ (hval >> 16);
	return (hval & (IPSID_HASHSIZE-1));
}

/*
 * Look up identity string in hash table. Return identity object
 * corresponding to the name -- either preexisting, or newly allocated.
 * The returned object carries a reference (pre-existing hit) or starts
 * with refcnt 1 (freshly interned).
 *
 * Return NULL if we need to allocate a new one and can't get memory.
 */
ipsid_t *
ipsid_lookup(int idtype, char *idstring)
{
	ipsid_t *retval;
	char *nstr;
	int idlen = strlen(idstring) + 1;	/* include the NUL */

	ipsif_t *bucket = &ipsid_buckets[ipsid_hash(idtype, idstring)];

	mutex_enter(&bucket->ipsif_lock);

	/* Fast path: the identity is already interned. */
	for (retval = bucket->ipsif_head; retval != NULL;
	    retval = retval->ipsid_next) {
		if (idtype != retval->ipsid_type)
			continue;
		if (bcmp(idstring, retval->ipsid_cid, idlen) != 0)
			continue;

		IPSID_REFHOLD(retval);
		mutex_exit(&bucket->ipsif_lock);
		return (retval);
	}

	/* Miss: intern a new identity (KM_NOSLEEP, may fail). */
	retval = kmem_alloc(sizeof (*retval), KM_NOSLEEP);
	if (!retval) {
		mutex_exit(&bucket->ipsif_lock);
		return (NULL);
	}

	nstr = kmem_alloc(idlen, KM_NOSLEEP);
	if (!nstr) {
		mutex_exit(&bucket->ipsif_lock);
		kmem_free(retval, sizeof (*retval));
		return (NULL);
	}

	/* Link at the head of the bucket chain (doubly linked via ptpn). */
	retval->ipsid_refcnt = 1;
	retval->ipsid_next = bucket->ipsif_head;
	if (retval->ipsid_next != NULL)
		retval->ipsid_next->ipsid_ptpn = &retval->ipsid_next;
	retval->ipsid_ptpn = &bucket->ipsif_head;
	retval->ipsid_type = idtype;
	retval->ipsid_cid = nstr;
	bucket->ipsif_head = retval;
	bcopy(idstring, nstr, idlen);
	mutex_exit(&bucket->ipsif_lock);

	return (retval);
}

/*
 * Garbage collect the identity hash table.
 */
void
ipsid_gc()
{
	int i, len;
	ipsid_t *id, *nid;
	ipsif_t *bucket;

	/* Sweep every bucket, unlinking and freeing unreferenced entries. */
	for (i = 0; i < IPSID_HASHSIZE; i++) {
		bucket = &ipsid_buckets[i];
		mutex_enter(&bucket->ipsif_lock);
		for (id = bucket->ipsif_head; id != NULL; id = nid) {
			nid = id->ipsid_next;
			if (id->ipsid_refcnt == 0) {
				*id->ipsid_ptpn = nid;
				if (nid != NULL)
					nid->ipsid_ptpn = id->ipsid_ptpn;
				len = strlen(id->ipsid_cid) + 1;
				kmem_free(id->ipsid_cid, len);
				kmem_free(id, sizeof (*id));
			}
		}
		mutex_exit(&bucket->ipsif_lock);
	}
}

/*
 * Return true if two identities are the same.
 * Because identities are interned, pointer equality suffices; the DEBUG
 * block asserts that no two distinct objects carry the same type/string.
 */
boolean_t
ipsid_equal(ipsid_t *id1, ipsid_t *id2)
{
	if (id1 == id2)
		return (B_TRUE);
#ifdef DEBUG
	if ((id1 == NULL) || (id2 == NULL))
		return (B_FALSE);
	/*
	 * test that we're interning id's correctly..
	 */
	ASSERT((strcmp(id1->ipsid_cid, id2->ipsid_cid) != 0) ||
	    (id1->ipsid_type != id2->ipsid_type));
#endif
	return (B_FALSE);
}

/*
 * Initialize identity table; called during module initialization.
 */
static void
ipsid_init()
{
	ipsif_t *bucket;
	int i;

	for (i = 0; i < IPSID_HASHSIZE; i++) {
		bucket = &ipsid_buckets[i];
		mutex_init(&bucket->ipsif_lock, NULL, MUTEX_DEFAULT, NULL);
	}
}

/*
 * Free identity table (preparatory to module unload)
 */
static void
ipsid_fini()
{
	ipsif_t *bucket;
	int i;

	for (i = 0; i < IPSID_HASHSIZE; i++) {
		bucket = &ipsid_buckets[i];
		mutex_destroy(&bucket->ipsif_lock);
	}
}

/*
 * Update the minimum and maximum supported key sizes for the
 * specified algorithm. Must be called while holding the algorithms lock.
 */
void
ipsec_alg_fix_min_max(ipsec_alginfo_t *alg, ipsec_algtype_t alg_type)
{
	size_t crypto_min = (size_t)-1, crypto_max = 0;
	size_t cur_crypto_min, cur_crypto_max;
	boolean_t is_valid;
	crypto_mechanism_info_t *mech_infos;
	uint_t nmech_infos;
	int crypto_rc, i;
	crypto_mech_usage_t mask;

	ASSERT(MUTEX_HELD(&alg_lock));

	/*
	 * Compute the min, max, and default key sizes (in number of
	 * increments to the default key size in bits) as defined
	 * by the algorithm mappings. This range of key sizes is used
	 * for policy related operations. The effective key sizes
	 * supported by the framework could be more limited than
	 * those defined for an algorithm.
	 */
	alg->alg_default_bits = alg->alg_key_sizes[0];
	if (alg->alg_increment != 0) {
		/* key sizes are defined by range & increment */
		alg->alg_minbits = alg->alg_key_sizes[1];
		alg->alg_maxbits = alg->alg_key_sizes[2];

		alg->alg_default = SADB_ALG_DEFAULT_INCR(alg->alg_minbits,
		    alg->alg_increment, alg->alg_default_bits);
	} else if (alg->alg_nkey_sizes == 0) {
		/* no specified key size for algorithm */
		alg->alg_minbits = alg->alg_maxbits = 0;
	} else {
		/* key sizes are defined by enumeration */
		alg->alg_minbits = (uint16_t)-1;
		alg->alg_maxbits = 0;

		for (i = 0; i < alg->alg_nkey_sizes; i++) {
			if (alg->alg_key_sizes[i] < alg->alg_minbits)
				alg->alg_minbits = alg->alg_key_sizes[i];
			if (alg->alg_key_sizes[i] > alg->alg_maxbits)
				alg->alg_maxbits = alg->alg_key_sizes[i];
		}
		alg->alg_default = 0;
	}

	if (!(alg->alg_flags & ALG_FLAG_VALID))
		return;

	/*
	 * Mechanisms do not apply to the NULL encryption
	 * algorithm, so simply return for this case.
	 */
	if (alg->alg_id == SADB_EALG_NULL)
		return;

	/*
	 * Find the min and max key sizes supported by the cryptographic
	 * framework providers.
	 */

	/* get the key sizes supported by the framework */
	crypto_rc = crypto_get_all_mech_info(alg->alg_mech_type,
	    &mech_infos, &nmech_infos, KM_SLEEP);
	if (crypto_rc != CRYPTO_SUCCESS || nmech_infos == 0) {
		alg->alg_flags &= ~ALG_FLAG_VALID;
		return;
	}

	/* min and max key sizes supported by framework */
	for (i = 0, is_valid = B_FALSE; i < nmech_infos; i++) {
		int unit_bits;

		/*
		 * Ignore entries that do not support the operations
		 * needed for the algorithm type.
		 */
		if (alg_type == IPSEC_ALG_AUTH)
			mask = CRYPTO_MECH_USAGE_MAC;
		else
			mask = CRYPTO_MECH_USAGE_ENCRYPT |
			    CRYPTO_MECH_USAGE_DECRYPT;
		if ((mech_infos[i].mi_usage & mask) != mask)
			continue;

		/* normalize framework key sizes to bits */
		unit_bits = (mech_infos[i].mi_keysize_unit ==
		    CRYPTO_KEYSIZE_UNIT_IN_BYTES) ? 8 : 1;
		/* adjust min/max supported by framework */
		cur_crypto_min = mech_infos[i].mi_min_key_size * unit_bits;
		cur_crypto_max = mech_infos[i].mi_max_key_size * unit_bits;

		if (cur_crypto_min < crypto_min)
			crypto_min = cur_crypto_min;

		/*
		 * CRYPTO_EFFECTIVELY_INFINITE is a special value of
		 * the crypto framework which means "no upper limit".
		 */
		if (mech_infos[i].mi_max_key_size ==
		    CRYPTO_EFFECTIVELY_INFINITE)
			crypto_max = (size_t)-1;
		else if (cur_crypto_max > crypto_max)
			crypto_max = cur_crypto_max;

		is_valid = B_TRUE;
	}

	kmem_free(mech_infos, sizeof (crypto_mechanism_info_t) *
	    nmech_infos);

	if (!is_valid) {
		/* no key sizes supported by framework */
		alg->alg_flags &= ~ALG_FLAG_VALID;
		return;
	}

	/*
	 * Determine min and max key sizes from alg_key_sizes[].
	 * defined for the algorithm entry. Adjust key sizes based on
	 * those supported by the framework.
	 */
	alg->alg_ef_default_bits = alg->alg_key_sizes[0];
	if (alg->alg_increment != 0) {
		/* supported key sizes are defined by range & increment */
		crypto_min = ALGBITS_ROUND_UP(crypto_min, alg->alg_increment);
		crypto_max = ALGBITS_ROUND_DOWN(crypto_max, alg->alg_increment);

		alg->alg_ef_minbits = MAX(alg->alg_minbits,
		    (uint16_t)crypto_min);
		alg->alg_ef_maxbits = MIN(alg->alg_maxbits,
		    (uint16_t)crypto_max);

		/*
		 * If the sizes supported by the framework are outside
		 * the range of sizes defined by the algorithm mappings,
		 * the algorithm cannot be used. Check for this
		 * condition here.
		 */
		if (alg->alg_ef_minbits > alg->alg_ef_maxbits) {
			alg->alg_flags &= ~ALG_FLAG_VALID;
			return;
		}

		/* clamp the default into the effective range */
		if (alg->alg_ef_default_bits < alg->alg_ef_minbits)
			alg->alg_ef_default_bits = alg->alg_ef_minbits;
		if (alg->alg_ef_default_bits > alg->alg_ef_maxbits)
			alg->alg_ef_default_bits = alg->alg_ef_maxbits;

		alg->alg_ef_default = SADB_ALG_DEFAULT_INCR(alg->alg_ef_minbits,
		    alg->alg_increment, alg->alg_ef_default_bits);
	} else if (alg->alg_nkey_sizes == 0) {
		/* no specified key size for algorithm */
		alg->alg_ef_minbits = alg->alg_ef_maxbits = 0;
	} else {
		/* supported key sizes are defined by enumeration */
		alg->alg_ef_minbits = (uint16_t)-1;
		alg->alg_ef_maxbits = 0;

		for (i = 0, is_valid = B_FALSE; i < alg->alg_nkey_sizes; i++) {
			/*
			 * Ignore the current key size if it is not in the
			 * range of sizes supported by the framework.
			 */
			if (alg->alg_key_sizes[i] < crypto_min ||
			    alg->alg_key_sizes[i] > crypto_max)
				continue;
			if (alg->alg_key_sizes[i] < alg->alg_ef_minbits)
				alg->alg_ef_minbits = alg->alg_key_sizes[i];
			if (alg->alg_key_sizes[i] > alg->alg_ef_maxbits)
				alg->alg_ef_maxbits = alg->alg_key_sizes[i];
			is_valid = B_TRUE;
		}

		if (!is_valid) {
			alg->alg_flags &= ~ALG_FLAG_VALID;
			return;
		}
		alg->alg_ef_default = 0;
	}
}

/*
 * Free the memory used by the specified algorithm.
 */
void
ipsec_alg_free(ipsec_alginfo_t *alg)
{
	if (alg == NULL)
		return;

	if (alg->alg_key_sizes != NULL)
		kmem_free(alg->alg_key_sizes,
		    (alg->alg_nkey_sizes + 1) * sizeof (uint16_t));

	if (alg->alg_block_sizes != NULL)
		kmem_free(alg->alg_block_sizes,
		    (alg->alg_nblock_sizes + 1) * sizeof (uint16_t));

	kmem_free(alg, sizeof (*alg));
}

/*
 * Check the validity of the specified key size for an algorithm.
 * Returns B_TRUE if key size is valid, B_FALSE otherwise.
 */
boolean_t
ipsec_valid_key_size(uint16_t key_size, ipsec_alginfo_t *alg)
{
	if (key_size < alg->alg_ef_minbits || key_size > alg->alg_ef_maxbits)
		return (B_FALSE);

	if (alg->alg_increment == 0 && alg->alg_nkey_sizes != 0) {
		/*
		 * If the key sizes are defined by enumeration, the new
		 * key size must be equal to one of the supported values.
		 */
		int i;

		for (i = 0; i < alg->alg_nkey_sizes; i++)
			if (key_size == alg->alg_key_sizes[i])
				break;
		if (i == alg->alg_nkey_sizes)
			return (B_FALSE);
	}

	return (B_TRUE);
}

/*
 * Callback function invoked by the crypto framework when a provider
 * registers or unregisters.
This callback updates the algorithms 4585 * tables when a crypto algorithm is no longer available or becomes 4586 * available, and triggers the freeing/creation of context templates 4587 * associated with existing SAs, if needed. 4588 */ 4589 void 4590 ipsec_prov_update_callback(uint32_t event, void *event_arg) 4591 { 4592 crypto_notify_event_change_t *prov_change = 4593 (crypto_notify_event_change_t *)event_arg; 4594 uint_t algidx, algid, algtype, mech_count, mech_idx; 4595 ipsec_alginfo_t *alg; 4596 ipsec_alginfo_t oalg; 4597 crypto_mech_name_t *mechs; 4598 boolean_t alg_changed = B_FALSE; 4599 4600 /* ignore events for which we didn't register */ 4601 if (event != CRYPTO_EVENT_PROVIDERS_CHANGE) { 4602 ip1dbg(("ipsec_prov_update_callback: unexpected event 0x%x " 4603 " received from crypto framework\n", event)); 4604 return; 4605 } 4606 4607 mechs = crypto_get_mech_list(&mech_count, KM_SLEEP); 4608 if (mechs == NULL) 4609 return; 4610 4611 /* 4612 * Walk the list of currently defined IPsec algorithm. Update 4613 * the algorithm valid flag and trigger an update of the 4614 * SAs that depend on that algorithm. 4615 */ 4616 mutex_enter(&alg_lock); 4617 for (algtype = 0; algtype < IPSEC_NALGTYPES; algtype++) { 4618 for (algidx = 0; algidx < ipsec_nalgs[algtype]; algidx++) { 4619 4620 algid = ipsec_sortlist[algtype][algidx]; 4621 alg = ipsec_alglists[algtype][algid]; 4622 ASSERT(alg != NULL); 4623 4624 /* 4625 * Skip the algorithms which do not map to the 4626 * crypto framework provider being added or removed. 4627 */ 4628 if (strncmp(alg->alg_mech_name, 4629 prov_change->ec_mech_name, 4630 CRYPTO_MAX_MECH_NAME) != 0) 4631 continue; 4632 4633 /* 4634 * Determine if the mechanism is valid. If it 4635 * is not, mark the algorithm as being invalid. If 4636 * it is, mark the algorithm as being valid. 
4637 */ 4638 for (mech_idx = 0; mech_idx < mech_count; mech_idx++) 4639 if (strncmp(alg->alg_mech_name, 4640 mechs[mech_idx], CRYPTO_MAX_MECH_NAME) == 0) 4641 break; 4642 if (mech_idx == mech_count && 4643 alg->alg_flags & ALG_FLAG_VALID) { 4644 alg->alg_flags &= ~ALG_FLAG_VALID; 4645 alg_changed = B_TRUE; 4646 } else if (mech_idx < mech_count && 4647 !(alg->alg_flags & ALG_FLAG_VALID)) { 4648 alg->alg_flags |= ALG_FLAG_VALID; 4649 alg_changed = B_TRUE; 4650 } 4651 4652 /* 4653 * Update the supported key sizes, regardless 4654 * of whether a crypto provider was added or 4655 * removed. 4656 */ 4657 oalg = *alg; 4658 ipsec_alg_fix_min_max(alg, algtype); 4659 if (!alg_changed && 4660 alg->alg_ef_minbits != oalg.alg_ef_minbits || 4661 alg->alg_ef_maxbits != oalg.alg_ef_maxbits || 4662 alg->alg_ef_default != oalg.alg_ef_default || 4663 alg->alg_ef_default_bits != 4664 oalg.alg_ef_default_bits) 4665 alg_changed = B_TRUE; 4666 4667 /* 4668 * Update the affected SAs if a software provider is 4669 * being added or removed. 4670 */ 4671 if (prov_change->ec_provider_type == 4672 CRYPTO_SW_PROVIDER) 4673 sadb_alg_update(algtype, alg->alg_id, 4674 prov_change->ec_change == 4675 CRYPTO_EVENT_CHANGE_ADDED); 4676 } 4677 } 4678 mutex_exit(&alg_lock); 4679 crypto_free_mech_list(mechs, mech_count); 4680 4681 if (alg_changed) { 4682 /* 4683 * An algorithm has changed, i.e. it became valid or 4684 * invalid, or its support key sizes have changed. 4685 * Notify ipsecah and ipsecesp of this change so 4686 * that they can send a SADB_REGISTER to their consumers. 4687 */ 4688 ipsecah_algs_changed(); 4689 ipsecesp_algs_changed(); 4690 } 4691 } 4692 4693 /* 4694 * Registers with the crypto framework to be notified of crypto 4695 * providers changes. Used to update the algorithm tables and 4696 * to free or create context templates if needed. Invoked after IPsec 4697 * is loaded successfully. 
4698 */ 4699 void 4700 ipsec_register_prov_update(void) 4701 { 4702 prov_update_handle = crypto_notify_events( 4703 ipsec_prov_update_callback, CRYPTO_EVENT_PROVIDERS_CHANGE); 4704 } 4705 4706 /* 4707 * Unregisters from the framework to be notified of crypto providers 4708 * changes. Called from ipsec_policy_destroy(). 4709 */ 4710 static void 4711 ipsec_unregister_prov_update(void) 4712 { 4713 if (prov_update_handle != NULL) 4714 crypto_unnotify_events(prov_update_handle); 4715 } 4716