1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License, Version 1.0 only 6 * (the "License"). You may not use this file except in compliance 7 * with the License. 8 * 9 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 10 * or http://www.opensolaris.org/os/licensing. 11 * See the License for the specific language governing permissions 12 * and limitations under the License. 13 * 14 * When distributing Covered Code, include this CDDL HEADER in each 15 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 16 * If applicable, add the following below this CDDL HEADER, with the 17 * fields enclosed by brackets "[]" replaced with your own identifying 18 * information: Portions Copyright [yyyy] [name of copyright owner] 19 * 20 * CDDL HEADER END 21 */ 22 /* 23 * Copyright 2005 Sun Microsystems, Inc. All rights reserved. 24 * Use is subject to license terms. 25 */ 26 27 #pragma ident "%Z%%M% %I% %E% SMI" 28 29 /* 30 * IPsec Security Policy Database. 31 * 32 * This module maintains the SPD and provides routines used by ip and ip6 33 * to apply IPsec policy to inbound and outbound datagrams. 34 */ 35 36 #include <sys/types.h> 37 #include <sys/stream.h> 38 #include <sys/stropts.h> 39 #include <sys/sysmacros.h> 40 #include <sys/strsubr.h> 41 #include <sys/strlog.h> 42 #include <sys/cmn_err.h> 43 #include <sys/zone.h> 44 45 #include <sys/systm.h> 46 #include <sys/param.h> 47 #include <sys/kmem.h> 48 49 #include <sys/crypto/api.h> 50 51 #include <inet/common.h> 52 #include <inet/mi.h> 53 54 #include <netinet/ip6.h> 55 #include <netinet/icmp6.h> 56 #include <netinet/udp.h> 57 58 #include <inet/ip.h> 59 #include <inet/ip6.h> 60 61 #include <net/pfkeyv2.h> 62 #include <net/pfpolicy.h> 63 #include <inet/ipsec_info.h> 64 #include <inet/sadb.h> 65 #include <inet/ipsec_impl.h> 66 #include <inet/ipsecah.h> 67 #include <inet/ipsecesp.h> 68 #include <inet/ipdrop.h> 69 #include <inet/ipclassifier.h> 70 71 static void ipsec_update_present_flags(); 72 static ipsec_act_t *ipsec_act_wildcard_expand(ipsec_act_t *, uint_t *); 73 static void ipsec_out_free(void *); 74 static void ipsec_in_free(void *); 75 static boolean_t ipsec_init_inbound_sel(ipsec_selector_t *, mblk_t *, 76 ipha_t *, ip6_t *); 77 static mblk_t *ipsec_attach_global_policy(mblk_t *, conn_t *, 78 ipsec_selector_t *); 79 static mblk_t *ipsec_apply_global_policy(mblk_t *, conn_t *, 80 ipsec_selector_t *); 81 static mblk_t *ipsec_check_ipsecin_policy(queue_t *, mblk_t *, 82 ipsec_policy_t *, ipha_t *, ip6_t *); 83 static void ipsec_in_release_refs(ipsec_in_t *); 84 static void ipsec_out_release_refs(ipsec_out_t *); 85 static void ipsec_action_reclaim(void *); 86 static void ipsid_init(void); 87 static void ipsid_fini(void); 88 static boolean_t ipsec_check_ipsecin_action(struct ipsec_in_s *, mblk_t *, 89 struct ipsec_action_s *, ipha_t *ipha, ip6_t *ip6h, const char **, 90 kstat_named_t **); 91 static int32_t ipsec_act_ovhd(const ipsec_act_t *act); 92 static void ipsec_unregister_prov_update(void); 93 static boolean_t ipsec_compare_action(ipsec_policy_t *, ipsec_policy_t *); 94 static uint32_t selector_hash(ipsec_selector_t *); 95 96 /* 97 * Policy rule index generator. We assume this won't wrap in the 98 * lifetime of a system. If we make 2^20 policy changes per second, 99 * this will last 2^44 seconds, or roughly 500,000 years, so we don't 100 * have to worry about reusing policy index values. 101 * 102 * Protected by ipsec_conf_lock. 103 */ 104 uint64_t ipsec_next_policy_index = 1; 105 106 /* 107 * Active & Inactive system policy roots 108 */ 109 static ipsec_policy_head_t system_policy; 110 static ipsec_policy_head_t inactive_policy; 111 112 /* Packet dropper for generic SPD drops. */ 113 static ipdropper_t spd_dropper; 114 115 /* 116 * For now, use a trivially sized hash table for actions. 117 * In the future we can add the structure canonicalization necessary 118 * to get the hash function to behave correctly.. 119 */ 120 #define IPSEC_ACTION_HASH_SIZE 1 121 122 /* 123 * Selector hash table is statically sized at module load time. 124 * we default to 251 buckets, which is the largest prime number under 255 125 */ 126 127 #define IPSEC_SPDHASH_DEFAULT 251 128 uint32_t ipsec_spd_hashsize = 0; 129 130 #define IPSEC_SEL_NOHASH ((uint32_t)(~0)) 131 132 static HASH_HEAD(ipsec_action_s) ipsec_action_hash[IPSEC_ACTION_HASH_SIZE]; 133 static HASH_HEAD(ipsec_sel) *ipsec_sel_hash; 134 135 static kmem_cache_t *ipsec_action_cache; 136 static kmem_cache_t *ipsec_sel_cache; 137 static kmem_cache_t *ipsec_pol_cache; 138 static kmem_cache_t *ipsec_info_cache; 139 140 boolean_t ipsec_inbound_v4_policy_present = B_FALSE; 141 boolean_t ipsec_outbound_v4_policy_present = B_FALSE; 142 boolean_t ipsec_inbound_v6_policy_present = B_FALSE; 143 boolean_t ipsec_outbound_v6_policy_present = B_FALSE; 144 145 /* 146 * Because policy needs to know what algorithms are supported, keep the 147 * lists of algorithms here. 148 */ 149 150 kmutex_t alg_lock; 151 uint8_t ipsec_nalgs[IPSEC_NALGTYPES]; 152 ipsec_alginfo_t *ipsec_alglists[IPSEC_NALGTYPES][IPSEC_MAX_ALGS]; 153 uint8_t ipsec_sortlist[IPSEC_NALGTYPES][IPSEC_MAX_ALGS]; 154 ipsec_algs_exec_mode_t ipsec_algs_exec_mode[IPSEC_NALGTYPES]; 155 static crypto_notify_handle_t prov_update_handle = NULL; 156 157 int ipsec_hdr_pullup_needed = 0; 158 int ipsec_weird_null_inbound_policy = 0; 159 160 #define ALGBITS_ROUND_DOWN(x, align) (((x)/(align))*(align)) 161 #define ALGBITS_ROUND_UP(x, align) ALGBITS_ROUND_DOWN((x)+(align)-1, align) 162 163 /* 164 * Inbound traffic should have matching identities for both SA's. 165 */ 166 167 #define SA_IDS_MATCH(sa1, sa2) \ 168 (((sa1) == NULL) || ((sa2) == NULL) || \ 169 (((sa1)->ipsa_src_cid == (sa2)->ipsa_src_cid) && \ 170 (((sa1)->ipsa_dst_cid == (sa2)->ipsa_dst_cid)))) 171 172 #define IPPOL_UNCHAIN(php, ip) \ 173 HASHLIST_UNCHAIN((ip), ipsp_hash); \ 174 avl_remove(&(php)->iph_rulebyid, (ip)); \ 175 IPPOL_REFRELE(ip); 176 177 /* 178 * Policy failure messages. 179 */ 180 static char *ipsec_policy_failure_msgs[] = { 181 182 /* IPSEC_POLICY_NOT_NEEDED */ 183 "%s: Dropping the datagram because the incoming packet " 184 "is %s, but the recipient expects clear; Source %s, " 185 "Destination %s.\n", 186 187 /* IPSEC_POLICY_MISMATCH */ 188 "%s: Policy Failure for the incoming packet (%s); Source %s, " 189 "Destination %s.\n", 190 191 /* IPSEC_POLICY_AUTH_NOT_NEEDED */ 192 "%s: Authentication present while not expected in the " 193 "incoming %s packet; Source %s, Destination %s.\n", 194 195 /* IPSEC_POLICY_ENCR_NOT_NEEDED */ 196 "%s: Encryption present while not expected in the " 197 "incoming %s packet; Source %s, Destination %s.\n", 198 199 /* IPSEC_POLICY_SE_NOT_NEEDED */ 200 "%s: Self-Encapsulation present while not expected in the " 201 "incoming %s packet; Source %s, Destination %s.\n", 202 }; 203 /* 204 * Have a counter for every possible policy message in the previous array. 205 */ 206 static uint32_t ipsec_policy_failure_count[IPSEC_POLICY_MAX]; 207 /* Time since last ipsec policy failure that printed a message. */ 208 hrtime_t ipsec_policy_failure_last = 0; 209 210 /* 211 * General overviews: 212 * 213 * Locking: 214 * 215 * All of the system policy structures are protected by a single 216 * rwlock, ipsec_conf_lock. These structures are threaded in a 217 * fairly complex fashion and are not expected to change on a 218 * regular basis, so this should not cause scaling/contention 219 * problems. As a result, policy checks should (hopefully) be MT-hot. 220 * 221 * Allocation policy: 222 * 223 * We use custom kmem cache types for the various 224 * bits & pieces of the policy data structures. All allocations 225 * use KM_NOSLEEP instead of KM_SLEEP for policy allocation. The 226 * policy table is of potentially unbounded size, so we don't 227 * want to provide a way to hog all system memory with policy 228 * entries.. 229 */ 230 231 232 /* 233 * AVL tree comparison function. 234 * the in-kernel avl assumes unique keys for all objects. 235 * Since sometimes policy will duplicate rules, we may insert 236 * multiple rules with the same rule id, so we need a tie-breaker. 237 */ 238 static int 239 ipsec_policy_cmpbyid(const void *a, const void *b) 240 { 241 const ipsec_policy_t *ipa, *ipb; 242 uint64_t idxa, idxb; 243 244 ipa = (const ipsec_policy_t *)a; 245 ipb = (const ipsec_policy_t *)b; 246 idxa = ipa->ipsp_index; 247 idxb = ipb->ipsp_index; 248 249 if (idxa < idxb) 250 return (-1); 251 if (idxa > idxb) 252 return (1); 253 /* 254 * Tie-breaker #1: All installed policy rules have a non-NULL 255 * ipsl_sel (selector set), so an entry with a NULL ipsp_sel is not 256 * actually in-tree but rather a template node being used in 257 * an avl_find query; see ipsec_policy_delete(). This gives us 258 * a placeholder in the ordering just before the the first entry with 259 * a key >= the one we're looking for, so we can walk forward from 260 * that point to get the remaining entries with the same id. 261 */ 262 if ((ipa->ipsp_sel == NULL) && (ipb->ipsp_sel != NULL)) 263 return (-1); 264 if ((ipb->ipsp_sel == NULL) && (ipa->ipsp_sel != NULL)) 265 return (1); 266 /* 267 * At most one of the arguments to the comparison should have a 268 * NULL selector pointer; if not, the tree is broken. 269 */ 270 ASSERT(ipa->ipsp_sel != NULL); 271 ASSERT(ipb->ipsp_sel != NULL); 272 /* 273 * Tie-breaker #2: use the virtual address of the policy node 274 * to arbitrarily break ties. Since we use the new tree node in 275 * the avl_find() in ipsec_insert_always, the new node will be 276 * inserted into the tree in the right place in the sequence. 277 */ 278 if (ipa < ipb) 279 return (-1); 280 if (ipa > ipb) 281 return (1); 282 return (0); 283 } 284 285 static void 286 ipsec_polhead_free_table(ipsec_policy_head_t *iph) 287 { 288 int dir, nchains; 289 290 nchains = ipsec_spd_hashsize; 291 292 for (dir = 0; dir < IPSEC_NTYPES; dir++) { 293 ipsec_policy_root_t *ipr = &iph->iph_root[dir]; 294 295 if (ipr->ipr_hash == NULL) 296 continue; 297 298 kmem_free(ipr->ipr_hash, nchains * 299 sizeof (ipsec_policy_hash_t)); 300 } 301 } 302 303 static void 304 ipsec_polhead_destroy(ipsec_policy_head_t *iph) 305 { 306 int dir; 307 308 avl_destroy(&iph->iph_rulebyid); 309 rw_destroy(&iph->iph_lock); 310 311 for (dir = 0; dir < IPSEC_NTYPES; dir++) { 312 ipsec_policy_root_t *ipr = &iph->iph_root[dir]; 313 int nchains = ipr->ipr_nchains; 314 int chain; 315 316 for (chain = 0; chain < nchains; chain++) 317 mutex_destroy(&(ipr->ipr_hash[chain].hash_lock)); 318 319 } 320 ipsec_polhead_free_table(iph); 321 } 322 323 /* 324 * Module unload hook. 325 */ 326 void 327 ipsec_policy_destroy(void) 328 { 329 int i; 330 331 ip_drop_unregister(&spd_dropper); 332 ip_drop_destroy(); 333 334 ipsec_polhead_destroy(&system_policy); 335 ipsec_polhead_destroy(&inactive_policy); 336 337 for (i = 0; i < IPSEC_ACTION_HASH_SIZE; i++) 338 mutex_destroy(&(ipsec_action_hash[i].hash_lock)); 339 340 for (i = 0; i < ipsec_spd_hashsize; i++) 341 mutex_destroy(&(ipsec_sel_hash[i].hash_lock)); 342 343 ipsec_unregister_prov_update(); 344 345 mutex_destroy(&alg_lock); 346 347 kmem_cache_destroy(ipsec_action_cache); 348 kmem_cache_destroy(ipsec_sel_cache); 349 kmem_cache_destroy(ipsec_pol_cache); 350 kmem_cache_destroy(ipsec_info_cache); 351 ipsid_gc(); 352 ipsid_fini(); 353 } 354 355 356 /* 357 * Called when table allocation fails to free the table. 358 */ 359 static int 360 ipsec_alloc_tables_failed() 361 { 362 if (ipsec_sel_hash != NULL) { 363 kmem_free(ipsec_sel_hash, ipsec_spd_hashsize * 364 sizeof (*ipsec_sel_hash)); 365 ipsec_sel_hash = NULL; 366 } 367 ipsec_polhead_free_table(&system_policy); 368 ipsec_polhead_free_table(&inactive_policy); 369 370 return (ENOMEM); 371 } 372 373 /* 374 * Attempt to allocate the tables in a single policy head. 375 * Return nonzero on failure after cleaning up any work in progress. 376 */ 377 static int 378 ipsec_alloc_table(ipsec_policy_head_t *iph, int kmflag) 379 { 380 int dir, nchains; 381 382 nchains = ipsec_spd_hashsize; 383 384 for (dir = 0; dir < IPSEC_NTYPES; dir++) { 385 ipsec_policy_root_t *ipr = &iph->iph_root[dir]; 386 387 ipr->ipr_hash = kmem_zalloc(nchains * 388 sizeof (ipsec_policy_hash_t), kmflag); 389 if (ipr->ipr_hash == NULL) 390 return (ipsec_alloc_tables_failed()); 391 } 392 return (0); 393 } 394 395 /* 396 * Attempt to allocate the various tables. Return nonzero on failure 397 * after cleaning up any work in progress. 398 */ 399 static int 400 ipsec_alloc_tables(int kmflag) 401 { 402 int error; 403 404 error = ipsec_alloc_table(&system_policy, kmflag); 405 if (error != 0) 406 return (error); 407 408 error = ipsec_alloc_table(&inactive_policy, kmflag); 409 if (error != 0) 410 return (error); 411 412 ipsec_sel_hash = kmem_zalloc(ipsec_spd_hashsize * 413 sizeof (*ipsec_sel_hash), kmflag); 414 415 if (ipsec_sel_hash == NULL) 416 return (ipsec_alloc_tables_failed()); 417 418 return (0); 419 } 420 421 /* 422 * After table allocation, initialize a policy head. 423 */ 424 static void 425 ipsec_polhead_init(ipsec_policy_head_t *iph) 426 { 427 int dir, chain, nchains; 428 429 nchains = ipsec_spd_hashsize; 430 431 rw_init(&iph->iph_lock, NULL, RW_DEFAULT, NULL); 432 avl_create(&iph->iph_rulebyid, ipsec_policy_cmpbyid, 433 sizeof (ipsec_policy_t), offsetof(ipsec_policy_t, ipsp_byid)); 434 435 for (dir = 0; dir < IPSEC_NTYPES; dir++) { 436 ipsec_policy_root_t *ipr = &iph->iph_root[dir]; 437 ipr->ipr_nchains = nchains; 438 439 for (chain = 0; chain < nchains; chain++) { 440 mutex_init(&(ipr->ipr_hash[chain].hash_lock), 441 NULL, MUTEX_DEFAULT, NULL); 442 } 443 } 444 } 445 446 /* 447 * Module load hook. 448 */ 449 void 450 ipsec_policy_init() 451 { 452 int i; 453 454 /* 455 * Make two attempts to allocate policy hash tables; try it at 456 * the "preferred" size (may be set in /etc/system) first, 457 * then fall back to the default size. 458 */ 459 if (ipsec_spd_hashsize == 0) 460 ipsec_spd_hashsize = IPSEC_SPDHASH_DEFAULT; 461 462 if (ipsec_alloc_tables(KM_NOSLEEP) != 0) { 463 cmn_err(CE_WARN, 464 "Unable to allocate %d entry IPsec policy hash table", 465 ipsec_spd_hashsize); 466 ipsec_spd_hashsize = IPSEC_SPDHASH_DEFAULT; 467 cmn_err(CE_WARN, "Falling back to %d entries", 468 ipsec_spd_hashsize); 469 (void) ipsec_alloc_tables(KM_SLEEP); 470 } 471 472 ipsid_init(); 473 ipsec_polhead_init(&system_policy); 474 ipsec_polhead_init(&inactive_policy); 475 476 for (i = 0; i < IPSEC_ACTION_HASH_SIZE; i++) 477 mutex_init(&(ipsec_action_hash[i].hash_lock), 478 NULL, MUTEX_DEFAULT, NULL); 479 480 for (i = 0; i < ipsec_spd_hashsize; i++) 481 mutex_init(&(ipsec_sel_hash[i].hash_lock), 482 NULL, MUTEX_DEFAULT, NULL); 483 484 mutex_init(&alg_lock, NULL, MUTEX_DEFAULT, NULL); 485 486 for (i = 0; i < IPSEC_NALGTYPES; i++) 487 ipsec_nalgs[i] = 0; 488 489 ipsec_action_cache = kmem_cache_create("ipsec_actions", 490 sizeof (ipsec_action_t), _POINTER_ALIGNMENT, NULL, NULL, 491 ipsec_action_reclaim, NULL, NULL, 0); 492 ipsec_sel_cache = kmem_cache_create("ipsec_selectors", 493 sizeof (ipsec_sel_t), _POINTER_ALIGNMENT, NULL, NULL, 494 NULL, NULL, NULL, 0); 495 ipsec_pol_cache = kmem_cache_create("ipsec_policy", 496 sizeof (ipsec_policy_t), _POINTER_ALIGNMENT, NULL, NULL, 497 NULL, NULL, NULL, 0); 498 ipsec_info_cache = kmem_cache_create("ipsec_info", 499 sizeof (ipsec_info_t), _POINTER_ALIGNMENT, NULL, NULL, 500 NULL, NULL, NULL, 0); 501 502 ip_drop_init(); 503 ip_drop_register(&spd_dropper, "IPsec SPD"); 504 } 505 506 /* 507 * Sort algorithm lists. 508 * 509 * I may need to split this based on 510 * authentication/encryption, and I may wish to have an administrator 511 * configure this list. Hold on to some NDD variables... 512 * 513 * XXX For now, sort on minimum key size (GAG!). While minimum key size is 514 * not the ideal metric, it's the only quantifiable measure available. 515 * We need a better metric for sorting algorithms by preference. 516 */ 517 static void 518 alg_insert_sortlist(enum ipsec_algtype at, uint8_t algid) 519 { 520 ipsec_alginfo_t *ai = ipsec_alglists[at][algid]; 521 uint8_t holder, swap; 522 uint_t i; 523 uint_t count = ipsec_nalgs[at]; 524 ASSERT(ai != NULL); 525 ASSERT(algid == ai->alg_id); 526 527 ASSERT(MUTEX_HELD(&alg_lock)); 528 529 holder = algid; 530 531 for (i = 0; i < count - 1; i++) { 532 ipsec_alginfo_t *alt; 533 534 alt = ipsec_alglists[at][ipsec_sortlist[at][i]]; 535 /* 536 * If you want to give precedence to newly added algs, 537 * add the = in the > comparison. 538 */ 539 if ((holder != algid) || (ai->alg_minbits > alt->alg_minbits)) { 540 /* Swap sortlist[i] and holder. */ 541 swap = ipsec_sortlist[at][i]; 542 ipsec_sortlist[at][i] = holder; 543 holder = swap; 544 ai = alt; 545 } /* Else just continue. */ 546 } 547 548 /* Store holder in last slot. */ 549 ipsec_sortlist[at][i] = holder; 550 } 551 552 /* 553 * Remove an algorithm from a sorted algorithm list. 554 * This should be considerably easier, even with complex sorting. 555 */ 556 static void 557 alg_remove_sortlist(enum ipsec_algtype at, uint8_t algid) 558 { 559 boolean_t copyback = B_FALSE; 560 int i; 561 int newcount = ipsec_nalgs[at]; 562 563 ASSERT(MUTEX_HELD(&alg_lock)); 564 565 for (i = 0; i <= newcount; i++) { 566 if (copyback) 567 ipsec_sortlist[at][i-1] = ipsec_sortlist[at][i]; 568 else if (ipsec_sortlist[at][i] == algid) 569 copyback = B_TRUE; 570 } 571 } 572 573 /* 574 * Add the specified algorithm to the algorithm tables. 575 * Must be called while holding the algorithm table writer lock. 576 */ 577 void 578 ipsec_alg_reg(ipsec_algtype_t algtype, ipsec_alginfo_t *alg) 579 { 580 ASSERT(MUTEX_HELD(&alg_lock)); 581 582 ASSERT(ipsec_alglists[algtype][alg->alg_id] == NULL); 583 ipsec_alg_fix_min_max(alg, algtype); 584 ipsec_alglists[algtype][alg->alg_id] = alg; 585 586 ipsec_nalgs[algtype]++; 587 alg_insert_sortlist(algtype, alg->alg_id); 588 } 589 590 /* 591 * Remove the specified algorithm from the algorithm tables. 592 * Must be called while holding the algorithm table writer lock. 593 */ 594 void 595 ipsec_alg_unreg(ipsec_algtype_t algtype, uint8_t algid) 596 { 597 ASSERT(MUTEX_HELD(&alg_lock)); 598 599 ASSERT(ipsec_alglists[algtype][algid] != NULL); 600 ipsec_alg_free(ipsec_alglists[algtype][algid]); 601 ipsec_alglists[algtype][algid] = NULL; 602 603 ipsec_nalgs[algtype]--; 604 alg_remove_sortlist(algtype, algid); 605 } 606 607 /* 608 * Hooks for spdsock to get a grip on system policy. 609 */ 610 611 ipsec_policy_head_t * 612 ipsec_system_policy(void) 613 { 614 ipsec_policy_head_t *h = &system_policy; 615 IPPH_REFHOLD(h); 616 return (h); 617 } 618 619 ipsec_policy_head_t * 620 ipsec_inactive_policy(void) 621 { 622 ipsec_policy_head_t *h = &inactive_policy; 623 IPPH_REFHOLD(h); 624 return (h); 625 } 626 627 /* 628 * Lock inactive policy, then active policy, then exchange policy root 629 * pointers. 630 */ 631 void 632 ipsec_swap_policy(void) 633 { 634 int af, dir; 635 avl_tree_t r1, r2; 636 637 rw_enter(&inactive_policy.iph_lock, RW_WRITER); 638 rw_enter(&system_policy.iph_lock, RW_WRITER); 639 640 r1 = system_policy.iph_rulebyid; 641 r2 = inactive_policy.iph_rulebyid; 642 system_policy.iph_rulebyid = r2; 643 inactive_policy.iph_rulebyid = r1; 644 645 for (dir = 0; dir < IPSEC_NTYPES; dir++) { 646 ipsec_policy_hash_t *h1, *h2; 647 648 h1 = system_policy.iph_root[dir].ipr_hash; 649 h2 = inactive_policy.iph_root[dir].ipr_hash; 650 system_policy.iph_root[dir].ipr_hash = h2; 651 inactive_policy.iph_root[dir].ipr_hash = h1; 652 653 for (af = 0; af < IPSEC_NAF; af++) { 654 ipsec_policy_t *t1, *t2; 655 656 t1 = system_policy.iph_root[dir].ipr_nonhash[af]; 657 t2 = inactive_policy.iph_root[dir].ipr_nonhash[af]; 658 system_policy.iph_root[dir].ipr_nonhash[af] = t2; 659 inactive_policy.iph_root[dir].ipr_nonhash[af] = t1; 660 if (t1 != NULL) { 661 t1->ipsp_hash.hash_pp = 662 &(inactive_policy.iph_root[dir]. 663 ipr_nonhash[af]); 664 } 665 if (t2 != NULL) { 666 t2->ipsp_hash.hash_pp = 667 &(system_policy.iph_root[dir]. 668 ipr_nonhash[af]); 669 } 670 671 } 672 } 673 system_policy.iph_gen++; 674 inactive_policy.iph_gen++; 675 ipsec_update_present_flags(); 676 rw_exit(&system_policy.iph_lock); 677 rw_exit(&inactive_policy.iph_lock); 678 } 679 680 /* 681 * Clone one policy rule.. 682 */ 683 static ipsec_policy_t * 684 ipsec_copy_policy(const ipsec_policy_t *src) 685 { 686 ipsec_policy_t *dst = kmem_cache_alloc(ipsec_pol_cache, KM_NOSLEEP); 687 688 if (dst == NULL) 689 return (NULL); 690 691 /* 692 * Adjust refcounts of cloned state. 693 */ 694 IPACT_REFHOLD(src->ipsp_act); 695 src->ipsp_sel->ipsl_refs++; 696 697 HASH_NULL(dst, ipsp_hash); 698 dst->ipsp_refs = 1; 699 dst->ipsp_sel = src->ipsp_sel; 700 dst->ipsp_act = src->ipsp_act; 701 dst->ipsp_prio = src->ipsp_prio; 702 dst->ipsp_index = src->ipsp_index; 703 704 return (dst); 705 } 706 707 void 708 ipsec_insert_always(avl_tree_t *tree, void *new_node) 709 { 710 void *node; 711 avl_index_t where; 712 713 node = avl_find(tree, new_node, &where); 714 ASSERT(node == NULL); 715 avl_insert(tree, new_node, where); 716 } 717 718 719 static int 720 ipsec_copy_chain(ipsec_policy_head_t *dph, ipsec_policy_t *src, 721 ipsec_policy_t **dstp) 722 { 723 for (; src != NULL; src = src->ipsp_hash.hash_next) { 724 ipsec_policy_t *dst = ipsec_copy_policy(src); 725 if (dst == NULL) 726 return (ENOMEM); 727 728 HASHLIST_INSERT(dst, ipsp_hash, *dstp); 729 ipsec_insert_always(&dph->iph_rulebyid, dst); 730 } 731 return (0); 732 } 733 734 735 736 /* 737 * Make one policy head look exactly like another. 738 * 739 * As with ipsec_swap_policy, we lock the destination policy head first, then 740 * the source policy head. Note that we only need to read-lock the source 741 * policy head as we are not changing it. 742 */ 743 static int 744 ipsec_copy_polhead(ipsec_policy_head_t *sph, ipsec_policy_head_t *dph) 745 { 746 int af, dir, chain, nchains; 747 748 rw_enter(&dph->iph_lock, RW_WRITER); 749 750 ipsec_polhead_flush(dph); 751 752 rw_enter(&sph->iph_lock, RW_READER); 753 754 for (dir = 0; dir < IPSEC_NTYPES; dir++) { 755 ipsec_policy_root_t *dpr = &dph->iph_root[dir]; 756 ipsec_policy_root_t *spr = &sph->iph_root[dir]; 757 nchains = dpr->ipr_nchains; 758 759 ASSERT(dpr->ipr_nchains == spr->ipr_nchains); 760 761 for (af = 0; af < IPSEC_NAF; af++) { 762 if (ipsec_copy_chain(dph, spr->ipr_nonhash[af], 763 &dpr->ipr_nonhash[af])) 764 goto abort_copy; 765 } 766 767 for (chain = 0; chain < nchains; chain++) { 768 if (ipsec_copy_chain(dph, 769 spr->ipr_hash[chain].hash_head, 770 &dpr->ipr_hash[chain].hash_head)) 771 goto abort_copy; 772 } 773 } 774 775 dph->iph_gen++; 776 777 rw_exit(&sph->iph_lock); 778 rw_exit(&dph->iph_lock); 779 return (0); 780 781 abort_copy: 782 ipsec_polhead_flush(dph); 783 rw_exit(&sph->iph_lock); 784 rw_exit(&dph->iph_lock); 785 return (ENOMEM); 786 } 787 788 /* 789 * Clone currently active policy to the inactive policy list. 790 */ 791 int 792 ipsec_clone_system_policy(void) 793 { 794 return (ipsec_copy_polhead(&system_policy, &inactive_policy)); 795 } 796 797 798 /* 799 * Extract the string from ipsec_policy_failure_msgs[type] and 800 * log it. 801 * 802 * This function needs to be kept in synch with ipsec_rl_strlog() in 803 * sadb.c. 804 * XXX this function should be combined with the ipsec_rl_strlog() function. 805 */ 806 void 807 ipsec_log_policy_failure(queue_t *q, int type, char *func_name, ipha_t *ipha, 808 ip6_t *ip6h, boolean_t secure) 809 { 810 char sbuf[INET6_ADDRSTRLEN]; 811 char dbuf[INET6_ADDRSTRLEN]; 812 char *s; 813 char *d; 814 hrtime_t current = gethrtime(); 815 816 ASSERT((ipha == NULL && ip6h != NULL) || 817 (ip6h == NULL && ipha != NULL)); 818 819 if (ipha != NULL) { 820 s = inet_ntop(AF_INET, &ipha->ipha_src, sbuf, sizeof (sbuf)); 821 d = inet_ntop(AF_INET, &ipha->ipha_dst, dbuf, sizeof (dbuf)); 822 } else { 823 s = inet_ntop(AF_INET6, &ip6h->ip6_src, sbuf, sizeof (sbuf)); 824 d = inet_ntop(AF_INET6, &ip6h->ip6_dst, dbuf, sizeof (dbuf)); 825 826 } 827 828 /* Always bump the policy failure counter. */ 829 ipsec_policy_failure_count[type]++; 830 831 /* Convert interval (in msec) to hrtime (in nsec), which means * 10^6 */ 832 if (ipsec_policy_failure_last + 833 ((hrtime_t)ipsec_policy_log_interval * (hrtime_t)1000000) <= 834 current) { 835 /* 836 * Throttle the logging such that I only log one message 837 * every 'ipsec_policy_log_interval' amount of time. 838 */ 839 (void) mi_strlog(q, 0, SL_ERROR|SL_WARN|SL_CONSOLE, 840 ipsec_policy_failure_msgs[type], 841 func_name, 842 (secure ? "secure" : "not secure"), s, d); 843 ipsec_policy_failure_last = current; 844 } 845 } 846 847 void 848 ipsec_config_flush() 849 { 850 rw_enter(&system_policy.iph_lock, RW_WRITER); 851 ipsec_polhead_flush(&system_policy); 852 ipsec_next_policy_index = 1; 853 rw_exit(&system_policy.iph_lock); 854 ipsec_action_reclaim(0); 855 } 856 857 /* 858 * Clip a policy's min/max keybits vs. the capabilities of the 859 * algorithm. 860 */ 861 static void 862 act_alg_adjust(uint_t algtype, uint_t algid, 863 uint16_t *minbits, uint16_t *maxbits) 864 { 865 ipsec_alginfo_t *algp = ipsec_alglists[algtype][algid]; 866 if (algp != NULL) { 867 /* 868 * If passed-in minbits is zero, we assume the caller trusts 869 * us with setting the minimum key size. We pick the 870 * algorithms DEFAULT key size for the minimum in this case. 871 */ 872 if (*minbits == 0) { 873 *minbits = algp->alg_default_bits; 874 ASSERT(*minbits >= algp->alg_minbits); 875 } else { 876 *minbits = MAX(*minbits, algp->alg_minbits); 877 } 878 if (*maxbits == 0) 879 *maxbits = algp->alg_maxbits; 880 else 881 *maxbits = MIN(*maxbits, algp->alg_maxbits); 882 ASSERT(*minbits <= *maxbits); 883 } else { 884 *minbits = 0; 885 *maxbits = 0; 886 } 887 } 888 889 /* 890 * Check an action's requested algorithms against the algorithms currently 891 * loaded in the system. 892 */ 893 boolean_t 894 ipsec_check_action(ipsec_act_t *act, int *diag) 895 { 896 ipsec_prot_t *ipp; 897 898 ipp = &act->ipa_apply; 899 900 if (ipp->ipp_use_ah && 901 ipsec_alglists[IPSEC_ALG_AUTH][ipp->ipp_auth_alg] == NULL) { 902 *diag = SPD_DIAGNOSTIC_UNSUPP_AH_ALG; 903 return (B_FALSE); 904 } 905 if (ipp->ipp_use_espa && 906 ipsec_alglists[IPSEC_ALG_AUTH][ipp->ipp_esp_auth_alg] == NULL) { 907 *diag = SPD_DIAGNOSTIC_UNSUPP_ESP_AUTH_ALG; 908 return (B_FALSE); 909 } 910 if (ipp->ipp_use_esp && 911 ipsec_alglists[IPSEC_ALG_ENCR][ipp->ipp_encr_alg] == NULL) { 912 *diag = SPD_DIAGNOSTIC_UNSUPP_ESP_ENCR_ALG; 913 return (B_FALSE); 914 } 915 916 act_alg_adjust(IPSEC_ALG_AUTH, ipp->ipp_auth_alg, 917 &ipp->ipp_ah_minbits, &ipp->ipp_ah_maxbits); 918 act_alg_adjust(IPSEC_ALG_AUTH, ipp->ipp_esp_auth_alg, 919 &ipp->ipp_espa_minbits, &ipp->ipp_espa_maxbits); 920 act_alg_adjust(IPSEC_ALG_ENCR, ipp->ipp_encr_alg, 921 &ipp->ipp_espe_minbits, &ipp->ipp_espe_maxbits); 922 923 if (ipp->ipp_ah_minbits > ipp->ipp_ah_maxbits) { 924 *diag = SPD_DIAGNOSTIC_UNSUPP_AH_KEYSIZE; 925 return (B_FALSE); 926 } 927 if (ipp->ipp_espa_minbits > ipp->ipp_espa_maxbits) { 928 *diag = SPD_DIAGNOSTIC_UNSUPP_ESP_AUTH_KEYSIZE; 929 return (B_FALSE); 930 } 931 if (ipp->ipp_espe_minbits > ipp->ipp_espe_maxbits) { 932 *diag = SPD_DIAGNOSTIC_UNSUPP_ESP_ENCR_KEYSIZE; 933 return (B_FALSE); 934 } 935 /* TODO: sanity check lifetimes */ 936 return (B_TRUE); 937 } 938 939 /* 940 * Set up a single action during wildcard expansion.. 941 */ 942 static void 943 ipsec_setup_act(ipsec_act_t *outact, ipsec_act_t *act, 944 uint_t auth_alg, uint_t encr_alg, uint_t eauth_alg) 945 { 946 ipsec_prot_t *ipp; 947 948 *outact = *act; 949 ipp = &outact->ipa_apply; 950 ipp->ipp_auth_alg = (uint8_t)auth_alg; 951 ipp->ipp_encr_alg = (uint8_t)encr_alg; 952 ipp->ipp_esp_auth_alg = (uint8_t)eauth_alg; 953 954 act_alg_adjust(IPSEC_ALG_AUTH, auth_alg, 955 &ipp->ipp_ah_minbits, &ipp->ipp_ah_maxbits); 956 act_alg_adjust(IPSEC_ALG_AUTH, eauth_alg, 957 &ipp->ipp_espa_minbits, &ipp->ipp_espa_maxbits); 958 act_alg_adjust(IPSEC_ALG_ENCR, encr_alg, 959 &ipp->ipp_espe_minbits, &ipp->ipp_espe_maxbits); 960 } 961 962 /* 963 * combinatoric expansion time: expand a wildcarded action into an 964 * array of wildcarded actions; we return the exploded action list, 965 * and return a count in *nact (output only). 966 */ 967 static ipsec_act_t * 968 ipsec_act_wildcard_expand(ipsec_act_t *act, uint_t *nact) 969 { 970 boolean_t use_ah, use_esp, use_espa; 971 boolean_t wild_auth, wild_encr, wild_eauth; 972 uint_t auth_alg, auth_idx, auth_min, auth_max; 973 uint_t eauth_alg, eauth_idx, eauth_min, eauth_max; 974 uint_t encr_alg, encr_idx, encr_min, encr_max; 975 uint_t action_count, ai; 976 ipsec_act_t *outact; 977 978 if (act->ipa_type != IPSEC_ACT_APPLY) { 979 outact = kmem_alloc(sizeof (*act), KM_NOSLEEP); 980 *nact = 1; 981 if (outact != NULL) 982 bcopy(act, outact, sizeof (*act)); 983 return (outact); 984 } 985 /* 986 * compute the combinatoric explosion.. 987 * 988 * we assume a request for encr if esp_req is PREF_REQUIRED 989 * we assume a request for ah auth if ah_req is PREF_REQUIRED. 990 * we assume a request for esp auth if !ah and esp_req is PREF_REQUIRED 991 */ 992 993 use_ah = act->ipa_apply.ipp_use_ah; 994 use_esp = act->ipa_apply.ipp_use_esp; 995 use_espa = act->ipa_apply.ipp_use_espa; 996 auth_alg = act->ipa_apply.ipp_auth_alg; 997 eauth_alg = act->ipa_apply.ipp_esp_auth_alg; 998 encr_alg = act->ipa_apply.ipp_encr_alg; 999 1000 wild_auth = use_ah && (auth_alg == 0); 1001 wild_eauth = use_espa && (eauth_alg == 0); 1002 wild_encr = use_esp && (encr_alg == 0); 1003 1004 action_count = 1; 1005 auth_min = auth_max = auth_alg; 1006 eauth_min = eauth_max = eauth_alg; 1007 encr_min = encr_max = encr_alg; 1008 1009 /* 1010 * set up for explosion.. for each dimension, expand output 1011 * size by the explosion factor. 1012 * 1013 * Don't include the "any" algorithms, if defined, as no 1014 * kernel policies should be set for these algorithms. 1015 */ 1016 1017 #define SET_EXP_MINMAX(type, wild, alg, min, max) if (wild) { \ 1018 int nalgs = ipsec_nalgs[type]; \ 1019 if (ipsec_alglists[type][alg] != NULL) \ 1020 nalgs--; \ 1021 action_count *= nalgs; \ 1022 min = 0; \ 1023 max = ipsec_nalgs[type] - 1; \ 1024 } 1025 1026 SET_EXP_MINMAX(IPSEC_ALG_AUTH, wild_auth, SADB_AALG_NONE, 1027 auth_min, auth_max); 1028 SET_EXP_MINMAX(IPSEC_ALG_AUTH, wild_eauth, SADB_AALG_NONE, 1029 eauth_min, eauth_max); 1030 SET_EXP_MINMAX(IPSEC_ALG_ENCR, wild_encr, SADB_EALG_NONE, 1031 encr_min, encr_max); 1032 1033 #undef SET_EXP_MINMAX 1034 1035 /* 1036 * ok, allocate the whole mess.. 1037 */ 1038 1039 outact = kmem_alloc(sizeof (*outact) * action_count, KM_NOSLEEP); 1040 if (outact == NULL) 1041 return (NULL); 1042 1043 /* 1044 * Now compute all combinations. Note that non-wildcarded 1045 * dimensions just get a single value from auth_min, while 1046 * wildcarded dimensions indirect through the sortlist. 1047 * 1048 * We do encryption outermost since, at this time, there's 1049 * greater difference in security and performance between 1050 * encryption algorithms vs. authentication algorithms. 1051 */ 1052 1053 ai = 0; 1054 1055 #define WHICH_ALG(type, wild, idx) ((wild)?(ipsec_sortlist[type][idx]):(idx)) 1056 1057 for (encr_idx = encr_min; encr_idx <= encr_max; encr_idx++) { 1058 encr_alg = WHICH_ALG(IPSEC_ALG_ENCR, wild_encr, encr_idx); 1059 if (wild_encr && encr_alg == SADB_EALG_NONE) 1060 continue; 1061 for (auth_idx = auth_min; auth_idx <= auth_max; auth_idx++) { 1062 auth_alg = WHICH_ALG(IPSEC_ALG_AUTH, wild_auth, 1063 auth_idx); 1064 if (wild_auth && auth_alg == SADB_AALG_NONE) 1065 continue; 1066 for (eauth_idx = eauth_min; eauth_idx <= eauth_max; 1067 eauth_idx++) { 1068 eauth_alg = WHICH_ALG(IPSEC_ALG_AUTH, 1069 wild_eauth, eauth_idx); 1070 if (wild_eauth && eauth_alg == SADB_AALG_NONE) 1071 continue; 1072 1073 ipsec_setup_act(&outact[ai], act, 1074 auth_alg, encr_alg, eauth_alg); 1075 ai++; 1076 } 1077 } 1078 } 1079 1080 #undef WHICH_ALG 1081 1082 ASSERT(ai == action_count); 1083 *nact = action_count; 1084 return (outact); 1085 } 1086 1087 /* 1088 * Extract the parts of an ipsec_prot_t from an old-style ipsec_req_t. 1089 */ 1090 static void 1091 ipsec_prot_from_req(ipsec_req_t *req, ipsec_prot_t *ipp) 1092 { 1093 bzero(ipp, sizeof (*ipp)); 1094 /* 1095 * ipp_use_* are bitfields. Look at "!!" in the following as a 1096 * "boolean canonicalization" operator. 1097 */ 1098 ipp->ipp_use_ah = !!(req->ipsr_ah_req & IPSEC_PREF_REQUIRED); 1099 ipp->ipp_use_esp = !!(req->ipsr_esp_req & IPSEC_PREF_REQUIRED); 1100 ipp->ipp_use_espa = !!(req->ipsr_esp_auth_alg) || !ipp->ipp_use_ah; 1101 ipp->ipp_use_se = !!(req->ipsr_self_encap_req & IPSEC_PREF_REQUIRED); 1102 ipp->ipp_use_unique = !!((req->ipsr_ah_req|req->ipsr_esp_req) & 1103 IPSEC_PREF_UNIQUE); 1104 ipp->ipp_encr_alg = req->ipsr_esp_alg; 1105 ipp->ipp_auth_alg = req->ipsr_auth_alg; 1106 ipp->ipp_esp_auth_alg = req->ipsr_esp_auth_alg; 1107 } 1108 1109 /* 1110 * Extract a new-style action from a request. 1111 */ 1112 void 1113 ipsec_actvec_from_req(ipsec_req_t *req, ipsec_act_t **actp, uint_t *nactp) 1114 { 1115 struct ipsec_act act; 1116 bzero(&act, sizeof (act)); 1117 if ((req->ipsr_ah_req & IPSEC_PREF_NEVER) && 1118 (req->ipsr_esp_req & IPSEC_PREF_NEVER)) { 1119 act.ipa_type = IPSEC_ACT_BYPASS; 1120 } else { 1121 act.ipa_type = IPSEC_ACT_APPLY; 1122 ipsec_prot_from_req(req, &act.ipa_apply); 1123 } 1124 *actp = ipsec_act_wildcard_expand(&act, nactp); 1125 } 1126 1127 /* 1128 * Convert a new-style "prot" back to an ipsec_req_t (more backwards compat). 1129 * We assume caller has already zero'ed *req for us. 1130 */ 1131 static int 1132 ipsec_req_from_prot(ipsec_prot_t *ipp, ipsec_req_t *req) 1133 { 1134 req->ipsr_esp_alg = ipp->ipp_encr_alg; 1135 req->ipsr_auth_alg = ipp->ipp_auth_alg; 1136 req->ipsr_esp_auth_alg = ipp->ipp_esp_auth_alg; 1137 1138 if (ipp->ipp_use_unique) { 1139 req->ipsr_ah_req |= IPSEC_PREF_UNIQUE; 1140 req->ipsr_esp_req |= IPSEC_PREF_UNIQUE; 1141 } 1142 if (ipp->ipp_use_se) 1143 req->ipsr_self_encap_req |= IPSEC_PREF_REQUIRED; 1144 if (ipp->ipp_use_ah) 1145 req->ipsr_ah_req |= IPSEC_PREF_REQUIRED; 1146 if (ipp->ipp_use_esp) 1147 req->ipsr_esp_req |= IPSEC_PREF_REQUIRED; 1148 return (sizeof (*req)); 1149 } 1150 1151 /* 1152 * Convert a new-style action back to an ipsec_req_t (more backwards compat). 1153 * We assume caller has already zero'ed *req for us. 1154 */ 1155 static int 1156 ipsec_req_from_act(ipsec_action_t *ap, ipsec_req_t *req) 1157 { 1158 switch (ap->ipa_act.ipa_type) { 1159 case IPSEC_ACT_BYPASS: 1160 req->ipsr_ah_req = IPSEC_PREF_NEVER; 1161 req->ipsr_esp_req = IPSEC_PREF_NEVER; 1162 return (sizeof (*req)); 1163 case IPSEC_ACT_APPLY: 1164 return (ipsec_req_from_prot(&ap->ipa_act.ipa_apply, req)); 1165 } 1166 return (sizeof (*req)); 1167 } 1168 1169 /* 1170 * Convert a new-style action back to an ipsec_req_t (more backwards compat). 1171 * We assume caller has already zero'ed *req for us. 1172 */ 1173 static int 1174 ipsec_req_from_head(ipsec_policy_head_t *ph, ipsec_req_t *req, int af) 1175 { 1176 ipsec_policy_t *p; 1177 1178 /* 1179 * FULL-PERSOCK: consult hash table, too? 1180 */ 1181 for (p = ph->iph_root[IPSEC_INBOUND].ipr_nonhash[af]; 1182 p != NULL; 1183 p = p->ipsp_hash.hash_next) { 1184 if ((p->ipsp_sel->ipsl_key.ipsl_valid&IPSL_WILDCARD) == 0) 1185 return (ipsec_req_from_act(p->ipsp_act, req)); 1186 } 1187 return (sizeof (*req)); 1188 } 1189 1190 /* 1191 * Based on per-socket or latched policy, convert to an appropriate 1192 * IP_SEC_OPT ipsec_req_t for the socket option; return size so we can 1193 * be tail-called from ip. 1194 */ 1195 int 1196 ipsec_req_from_conn(conn_t *connp, ipsec_req_t *req, int af) 1197 { 1198 ipsec_latch_t *ipl; 1199 int rv = sizeof (ipsec_req_t); 1200 1201 bzero(req, sizeof (*req)); 1202 1203 mutex_enter(&connp->conn_lock); 1204 ipl = connp->conn_latch; 1205 1206 /* 1207 * Find appropriate policy. First choice is latched action; 1208 * failing that, see latched policy; failing that, 1209 * look at configured policy. 1210 */ 1211 if (ipl != NULL) { 1212 if (ipl->ipl_in_action != NULL) { 1213 rv = ipsec_req_from_act(ipl->ipl_in_action, req); 1214 goto done; 1215 } 1216 if (ipl->ipl_in_policy != NULL) { 1217 rv = ipsec_req_from_act(ipl->ipl_in_policy->ipsp_act, 1218 req); 1219 goto done; 1220 } 1221 } 1222 if (connp->conn_policy != NULL) 1223 rv = ipsec_req_from_head(connp->conn_policy, req, af); 1224 done: 1225 mutex_exit(&connp->conn_lock); 1226 return (rv); 1227 } 1228 1229 void 1230 ipsec_actvec_free(ipsec_act_t *act, uint_t nact) 1231 { 1232 kmem_free(act, nact * sizeof (*act)); 1233 } 1234 1235 /* 1236 * When outbound policy is not cached, look it up the hard way and attach 1237 * an ipsec_out_t to the packet.. 1238 */ 1239 static mblk_t * 1240 ipsec_attach_global_policy(mblk_t *mp, conn_t *connp, ipsec_selector_t *sel) 1241 { 1242 ipsec_policy_t *p; 1243 1244 p = ipsec_find_policy(IPSEC_TYPE_OUTBOUND, connp, NULL, sel); 1245 1246 if (p == NULL) 1247 return (NULL); 1248 return (ipsec_attach_ipsec_out(mp, connp, p, sel->ips_protocol)); 1249 } 1250 1251 /* 1252 * We have an ipsec_out already, but don't have cached policy; fill it in 1253 * with the right actions. 1254 */ 1255 static mblk_t * 1256 ipsec_apply_global_policy(mblk_t *ipsec_mp, conn_t *connp, 1257 ipsec_selector_t *sel) 1258 { 1259 ipsec_out_t *io; 1260 ipsec_policy_t *p; 1261 1262 ASSERT(ipsec_mp->b_datap->db_type == M_CTL); 1263 ASSERT(ipsec_mp->b_cont->b_datap->db_type == M_DATA); 1264 1265 io = (ipsec_out_t *)ipsec_mp->b_rptr; 1266 1267 if (io->ipsec_out_policy == NULL) { 1268 p = ipsec_find_policy(IPSEC_TYPE_OUTBOUND, connp, io, sel); 1269 io->ipsec_out_policy = p; 1270 } 1271 return (ipsec_mp); 1272 } 1273 1274 1275 /* ARGSUSED */ 1276 /* 1277 * Consumes a reference to ipsp. 1278 */ 1279 static mblk_t * 1280 ipsec_check_loopback_policy(queue_t *q, mblk_t *first_mp, 1281 boolean_t mctl_present, ipsec_policy_t *ipsp) 1282 { 1283 mblk_t *ipsec_mp; 1284 ipsec_in_t *ii; 1285 1286 if (!mctl_present) 1287 return (first_mp); 1288 1289 ipsec_mp = first_mp; 1290 1291 ii = (ipsec_in_t *)ipsec_mp->b_rptr; 1292 ASSERT(ii->ipsec_in_loopback); 1293 IPPOL_REFRELE(ipsp); 1294 1295 /* 1296 * We should do an actual policy check here. Revisit this 1297 * when we revisit the IPsec API. 1298 */ 1299 1300 return (first_mp); 1301 } 1302 1303 /* 1304 * Check that packet's inbound ports & proto match the selectors 1305 * expected by the SAs it traversed on the way in. 1306 */ 1307 static boolean_t 1308 ipsec_check_ipsecin_unique(ipsec_in_t *ii, mblk_t *mp, 1309 ipha_t *ipha, ip6_t *ip6h, 1310 const char **reason, kstat_named_t **counter) 1311 { 1312 uint64_t pkt_unique, ah_mask, esp_mask; 1313 ipsa_t *ah_assoc; 1314 ipsa_t *esp_assoc; 1315 ipsec_selector_t sel; 1316 1317 ASSERT(ii->ipsec_in_secure); 1318 ASSERT(!ii->ipsec_in_loopback); 1319 1320 ah_assoc = ii->ipsec_in_ah_sa; 1321 esp_assoc = ii->ipsec_in_esp_sa; 1322 ASSERT((ah_assoc != NULL) || (esp_assoc != NULL)); 1323 1324 ah_mask = (ah_assoc != NULL) ? ah_assoc->ipsa_unique_mask : 0; 1325 esp_mask = (esp_assoc != NULL) ? esp_assoc->ipsa_unique_mask : 0; 1326 1327 if ((ah_mask == 0) && (esp_mask == 0)) 1328 return (B_TRUE); 1329 1330 if (!ipsec_init_inbound_sel(&sel, mp, ipha, ip6h)) { 1331 /* 1332 * Technically not a policy mismatch, but it is 1333 * an internal failure. 1334 */ 1335 *reason = "ipsec_init_inbound_sel"; 1336 *counter = &ipdrops_spd_nomem; 1337 return (B_FALSE); 1338 } 1339 1340 pkt_unique = SA_UNIQUE_ID(sel.ips_remote_port, sel.ips_local_port, 1341 sel.ips_protocol); 1342 1343 if (ah_mask != 0) { 1344 if (ah_assoc->ipsa_unique_id != (pkt_unique & ah_mask)) { 1345 *reason = "AH inner header mismatch"; 1346 *counter = &ipdrops_spd_ah_innermismatch; 1347 return (B_FALSE); 1348 } 1349 } 1350 if (esp_mask != 0) { 1351 if (esp_assoc->ipsa_unique_id != (pkt_unique & esp_mask)) { 1352 *reason = "ESP inner header mismatch"; 1353 *counter = &ipdrops_spd_esp_innermismatch; 1354 return (B_FALSE); 1355 } 1356 } 1357 return (B_TRUE); 1358 } 1359 1360 static boolean_t 1361 ipsec_check_ipsecin_action(ipsec_in_t *ii, mblk_t *mp, ipsec_action_t *ap, 1362 ipha_t *ipha, ip6_t *ip6h, const char **reason, kstat_named_t **counter) 1363 { 1364 boolean_t ret = B_TRUE; 1365 ipsec_prot_t *ipp; 1366 ipsa_t *ah_assoc; 1367 ipsa_t *esp_assoc; 1368 boolean_t decaps; 1369 1370 ASSERT((ipha == NULL && ip6h != NULL) || 1371 (ip6h == NULL && ipha != NULL)); 1372 1373 if (ii->ipsec_in_loopback) { 1374 /* 1375 * Besides accepting pointer-equivalent actions, we also 1376 * accept any ICMP errors we generated for ourselves, 1377 * regardless of policy. If we do not wish to make this 1378 * assumption in the future, check here, and where 1379 * icmp_loopback is initialized in ip.c and ip6.c. (Look for 1380 * ipsec_out_icmp_loopback.) 1381 */ 1382 if (ap == ii->ipsec_in_action || ii->ipsec_in_icmp_loopback) 1383 return (B_TRUE); 1384 1385 /* Deep compare necessary here?? */ 1386 *counter = &ipdrops_spd_loopback_mismatch; 1387 *reason = "loopback policy mismatch"; 1388 return (B_FALSE); 1389 } 1390 ASSERT(!ii->ipsec_in_icmp_loopback); 1391 1392 ah_assoc = ii->ipsec_in_ah_sa; 1393 esp_assoc = ii->ipsec_in_esp_sa; 1394 1395 decaps = ii->ipsec_in_decaps; 1396 1397 switch (ap->ipa_act.ipa_type) { 1398 case IPSEC_ACT_DISCARD: 1399 case IPSEC_ACT_REJECT: 1400 /* Should "fail hard" */ 1401 *counter = &ipdrops_spd_explicit; 1402 *reason = "blocked by policy"; 1403 return (B_FALSE); 1404 1405 case IPSEC_ACT_BYPASS: 1406 case IPSEC_ACT_CLEAR: 1407 *counter = &ipdrops_spd_got_secure; 1408 *reason = "expected clear, got protected"; 1409 return (B_FALSE); 1410 1411 case IPSEC_ACT_APPLY: 1412 ipp = &ap->ipa_act.ipa_apply; 1413 /* 1414 * As of now we do the simple checks of whether 1415 * the datagram has gone through the required IPSEC 1416 * protocol constraints or not. We might have more 1417 * in the future like sensitive levels, key bits, etc. 1418 * If it fails the constraints, check whether we would 1419 * have accepted this if it had come in clear. 1420 */ 1421 if (ipp->ipp_use_ah) { 1422 if (ah_assoc == NULL) { 1423 ret = ipsec_inbound_accept_clear(mp, ipha, 1424 ip6h); 1425 *counter = &ipdrops_spd_got_clear; 1426 *reason = "unprotected not accepted"; 1427 break; 1428 } 1429 ASSERT(ah_assoc != NULL); 1430 ASSERT(ipp->ipp_auth_alg != 0); 1431 1432 if (ah_assoc->ipsa_auth_alg != 1433 ipp->ipp_auth_alg) { 1434 *counter = &ipdrops_spd_bad_ahalg; 1435 *reason = "unacceptable ah alg"; 1436 ret = B_FALSE; 1437 break; 1438 } 1439 } else if (ah_assoc != NULL) { 1440 /* 1441 * Don't allow this. Check IPSEC NOTE above 1442 * ip_fanout_proto(). 1443 */ 1444 *counter = &ipdrops_spd_got_ah; 1445 *reason = "unexpected AH"; 1446 ret = B_FALSE; 1447 break; 1448 } 1449 if (ipp->ipp_use_esp) { 1450 if (esp_assoc == NULL) { 1451 ret = ipsec_inbound_accept_clear(mp, ipha, 1452 ip6h); 1453 *counter = &ipdrops_spd_got_clear; 1454 *reason = "unprotected not accepted"; 1455 break; 1456 } 1457 ASSERT(esp_assoc != NULL); 1458 ASSERT(ipp->ipp_encr_alg != 0); 1459 1460 if (esp_assoc->ipsa_encr_alg != 1461 ipp->ipp_encr_alg) { 1462 *counter = &ipdrops_spd_bad_espealg; 1463 *reason = "unacceptable esp alg"; 1464 ret = B_FALSE; 1465 break; 1466 } 1467 /* 1468 * If the client does not need authentication, 1469 * we don't verify the alogrithm. 1470 */ 1471 if (ipp->ipp_use_espa) { 1472 if (esp_assoc->ipsa_auth_alg != 1473 ipp->ipp_esp_auth_alg) { 1474 *counter = &ipdrops_spd_bad_espaalg; 1475 *reason = "unacceptable esp auth alg"; 1476 ret = B_FALSE; 1477 break; 1478 } 1479 } 1480 } else if (esp_assoc != NULL) { 1481 /* 1482 * Don't allow this. Check IPSEC NOTE above 1483 * ip_fanout_proto(). 1484 */ 1485 *counter = &ipdrops_spd_got_esp; 1486 *reason = "unexpected ESP"; 1487 ret = B_FALSE; 1488 break; 1489 } 1490 if (ipp->ipp_use_se) { 1491 if (!decaps) { 1492 ret = ipsec_inbound_accept_clear(mp, ipha, 1493 ip6h); 1494 if (!ret) { 1495 /* XXX mutant? */ 1496 *counter = &ipdrops_spd_bad_selfencap; 1497 *reason = "self encap not found"; 1498 break; 1499 } 1500 } 1501 } else if (decaps) { 1502 /* 1503 * XXX If the packet comes in tunneled and the 1504 * recipient does not expect it to be tunneled, it 1505 * is okay. But we drop to be consistent with the 1506 * other cases. 1507 */ 1508 *counter = &ipdrops_spd_got_selfencap; 1509 *reason = "unexpected self encap"; 1510 ret = B_FALSE; 1511 break; 1512 } 1513 if (ii->ipsec_in_action != NULL) { 1514 /* 1515 * This can happen if we do a double policy-check on 1516 * a packet 1517 * XXX XXX should fix this case! 1518 */ 1519 IPACT_REFRELE(ii->ipsec_in_action); 1520 } 1521 ASSERT(ii->ipsec_in_action == NULL); 1522 IPACT_REFHOLD(ap); 1523 ii->ipsec_in_action = ap; 1524 break; /* from switch */ 1525 } 1526 return (ret); 1527 } 1528 1529 static boolean_t 1530 spd_match_inbound_ids(ipsec_latch_t *ipl, ipsa_t *sa) 1531 { 1532 ASSERT(ipl->ipl_ids_latched == B_TRUE); 1533 return ipsid_equal(ipl->ipl_remote_cid, sa->ipsa_src_cid) && 1534 ipsid_equal(ipl->ipl_local_cid, sa->ipsa_dst_cid); 1535 } 1536 1537 /* 1538 * Called to check policy on a latched connection, both from this file 1539 * and from tcp.c 1540 */ 1541 boolean_t 1542 ipsec_check_ipsecin_latch(ipsec_in_t *ii, mblk_t *mp, ipsec_latch_t *ipl, 1543 ipha_t *ipha, ip6_t *ip6h, const char **reason, kstat_named_t **counter) 1544 { 1545 ASSERT(ipl->ipl_ids_latched == B_TRUE); 1546 1547 if (!ii->ipsec_in_loopback) { 1548 /* 1549 * Over loopback, there aren't real security associations, 1550 * so there are neither identities nor "unique" values 1551 * for us to check the packet against. 1552 */ 1553 if ((ii->ipsec_in_ah_sa != NULL) && 1554 (!spd_match_inbound_ids(ipl, ii->ipsec_in_ah_sa))) { 1555 *counter = &ipdrops_spd_ah_badid; 1556 *reason = "AH identity mismatch"; 1557 return (B_FALSE); 1558 } 1559 1560 if ((ii->ipsec_in_esp_sa != NULL) && 1561 (!spd_match_inbound_ids(ipl, ii->ipsec_in_esp_sa))) { 1562 *counter = &ipdrops_spd_esp_badid; 1563 *reason = "ESP identity mismatch"; 1564 return (B_FALSE); 1565 } 1566 1567 if (!ipsec_check_ipsecin_unique(ii, mp, ipha, ip6h, reason, 1568 counter)) { 1569 return (B_FALSE); 1570 } 1571 } 1572 1573 return (ipsec_check_ipsecin_action(ii, mp, ipl->ipl_in_action, 1574 ipha, ip6h, reason, counter)); 1575 } 1576 1577 /* 1578 * Check to see whether this secured datagram meets the policy 1579 * constraints specified in ipsp. 1580 * 1581 * Called from ipsec_check_global_policy, and ipsec_check_inbound_policy. 1582 * 1583 * Consumes a reference to ipsp. 1584 */ 1585 static mblk_t * 1586 ipsec_check_ipsecin_policy(queue_t *q, mblk_t *first_mp, ipsec_policy_t *ipsp, 1587 ipha_t *ipha, ip6_t *ip6h) 1588 { 1589 ipsec_in_t *ii; 1590 ipsec_action_t *ap; 1591 const char *reason = "no policy actions found"; 1592 mblk_t *data_mp, *ipsec_mp; 1593 kstat_named_t *counter = &ipdrops_spd_got_secure; 1594 1595 data_mp = first_mp->b_cont; 1596 ipsec_mp = first_mp; 1597 1598 ASSERT(ipsp != NULL); 1599 1600 ASSERT((ipha == NULL && ip6h != NULL) || 1601 (ip6h == NULL && ipha != NULL)); 1602 1603 ii = (ipsec_in_t *)ipsec_mp->b_rptr; 1604 1605 if (ii->ipsec_in_loopback) 1606 return (ipsec_check_loopback_policy(q, first_mp, B_TRUE, ipsp)); 1607 ASSERT(ii->ipsec_in_type == IPSEC_IN); 1608 ASSERT(ii->ipsec_in_secure); 1609 1610 if (ii->ipsec_in_action != NULL) { 1611 /* 1612 * this can happen if we do a double policy-check on a packet 1613 * Would be nice to be able to delete this test.. 1614 */ 1615 IPACT_REFRELE(ii->ipsec_in_action); 1616 } 1617 ASSERT(ii->ipsec_in_action == NULL); 1618 1619 if (!SA_IDS_MATCH(ii->ipsec_in_ah_sa, ii->ipsec_in_esp_sa)) { 1620 reason = "inbound AH and ESP identities differ"; 1621 counter = &ipdrops_spd_ahesp_diffid; 1622 goto drop; 1623 } 1624 1625 if (!ipsec_check_ipsecin_unique(ii, data_mp, ipha, ip6h, 1626 &reason, &counter)) 1627 goto drop; 1628 1629 /* 1630 * Ok, now loop through the possible actions and see if any 1631 * of them work for us. 1632 */ 1633 1634 for (ap = ipsp->ipsp_act; ap != NULL; ap = ap->ipa_next) { 1635 if (ipsec_check_ipsecin_action(ii, data_mp, ap, 1636 ipha, ip6h, &reason, &counter)) { 1637 BUMP_MIB(&ip_mib, ipsecInSucceeded); 1638 IPPOL_REFRELE(ipsp); 1639 return (first_mp); 1640 } 1641 } 1642 drop: 1643 (void) mi_strlog(q, 0, SL_ERROR|SL_WARN|SL_CONSOLE, 1644 "ipsec inbound policy mismatch: %s, packet dropped\n", 1645 reason); 1646 IPPOL_REFRELE(ipsp); 1647 ASSERT(ii->ipsec_in_action == NULL); 1648 BUMP_MIB(&ip_mib, ipsecInFailed); 1649 ip_drop_packet(first_mp, B_TRUE, NULL, NULL, counter, &spd_dropper); 1650 return (NULL); 1651 } 1652 1653 /* 1654 * sleazy prefix-length-based compare. 1655 * another inlining candidate.. 1656 */ 1657 static boolean_t 1658 ip_addr_match(uint8_t *addr1, int pfxlen, in6_addr_t *addr2p) 1659 { 1660 int offset = pfxlen>>3; 1661 int bitsleft = pfxlen & 7; 1662 uint8_t *addr2 = (uint8_t *)addr2p; 1663 1664 /* 1665 * and there was much evil.. 1666 * XXX should inline-expand the bcmp here and do this 32 bits 1667 * or 64 bits at a time.. 1668 */ 1669 return ((bcmp(addr1, addr2, offset) == 0) && 1670 ((bitsleft == 0) || 1671 (((addr1[offset] ^ addr2[offset]) & 1672 (0xff<<(8-bitsleft))) == 0))); 1673 } 1674 1675 static ipsec_policy_t * 1676 ipsec_find_policy_chain(ipsec_policy_t *best, ipsec_policy_t *chain, 1677 ipsec_selector_t *sel, boolean_t is_icmp_inv_acq) 1678 { 1679 ipsec_selkey_t *isel; 1680 ipsec_policy_t *p; 1681 int bpri = best ? best->ipsp_prio : 0; 1682 1683 for (p = chain; p != NULL; p = p->ipsp_hash.hash_next) { 1684 uint32_t valid; 1685 1686 if (p->ipsp_prio <= bpri) 1687 continue; 1688 isel = &p->ipsp_sel->ipsl_key; 1689 valid = isel->ipsl_valid; 1690 1691 if ((valid & IPSL_PROTOCOL) && 1692 (isel->ipsl_proto != sel->ips_protocol)) 1693 continue; 1694 1695 if ((valid & IPSL_REMOTE_ADDR) && 1696 !ip_addr_match((uint8_t *)&isel->ipsl_remote, 1697 isel->ipsl_remote_pfxlen, 1698 &sel->ips_remote_addr_v6)) 1699 continue; 1700 1701 if ((valid & IPSL_LOCAL_ADDR) && 1702 !ip_addr_match((uint8_t *)&isel->ipsl_local, 1703 isel->ipsl_local_pfxlen, 1704 &sel->ips_local_addr_v6)) 1705 continue; 1706 1707 if ((valid & IPSL_REMOTE_PORT) && 1708 isel->ipsl_rport != sel->ips_remote_port) 1709 continue; 1710 1711 if ((valid & IPSL_LOCAL_PORT) && 1712 isel->ipsl_lport != sel->ips_local_port) 1713 continue; 1714 1715 if (!is_icmp_inv_acq) { 1716 if ((valid & IPSL_ICMP_TYPE) && 1717 (isel->ipsl_icmp_type > sel->ips_icmp_type || 1718 isel->ipsl_icmp_type_end < sel->ips_icmp_type)) { 1719 continue; 1720 } 1721 1722 if ((valid & IPSL_ICMP_CODE) && 1723 (isel->ipsl_icmp_code > sel->ips_icmp_code || 1724 isel->ipsl_icmp_code_end < 1725 sel->ips_icmp_code)) { 1726 continue; 1727 } 1728 } else { 1729 /* 1730 * special case for icmp inverse acquire 1731 * we only want policies that aren't drop/pass 1732 */ 1733 if (p->ipsp_act->ipa_act.ipa_type != IPSEC_ACT_APPLY) 1734 continue; 1735 } 1736 1737 /* we matched all the packet-port-field selectors! */ 1738 best = p; 1739 bpri = p->ipsp_prio; 1740 } 1741 1742 return (best); 1743 } 1744 1745 /* 1746 * Try to find and return the best policy entry under a given policy 1747 * root for a given set of selectors; the first parameter "best" is 1748 * the current best policy so far. If "best" is non-null, we have a 1749 * reference to it. We return a reference to a policy; if that policy 1750 * is not the original "best", we need to release that reference 1751 * before returning. 1752 */ 1753 static ipsec_policy_t * 1754 ipsec_find_policy_head(ipsec_policy_t *best, 1755 ipsec_policy_head_t *head, int direction, ipsec_selector_t *sel, 1756 int selhash) 1757 { 1758 ipsec_policy_t *curbest; 1759 ipsec_policy_root_t *root; 1760 uint8_t is_icmp_inv_acq = sel->ips_is_icmp_inv_acq; 1761 int af = sel->ips_isv4 ? IPSEC_AF_V4 : IPSEC_AF_V6; 1762 1763 curbest = best; 1764 root = &head->iph_root[direction]; 1765 1766 #ifdef DEBUG 1767 if (is_icmp_inv_acq) { 1768 if (sel->ips_isv4) { 1769 if (sel->ips_protocol != IPPROTO_ICMP) { 1770 cmn_err(CE_WARN, "ipsec_find_policy_head:" 1771 " expecting icmp, got %d", sel->ips_protocol); 1772 } 1773 } else { 1774 if (sel->ips_protocol != IPPROTO_ICMPV6) { 1775 cmn_err(CE_WARN, "ipsec_find_policy_head:" 1776 " expecting icmpv6, got %d", sel->ips_protocol); 1777 } 1778 } 1779 } 1780 #endif 1781 1782 rw_enter(&head->iph_lock, RW_READER); 1783 1784 if (root->ipr_nchains > 0) { 1785 curbest = ipsec_find_policy_chain(curbest, 1786 root->ipr_hash[selhash].hash_head, sel, is_icmp_inv_acq); 1787 } 1788 curbest = ipsec_find_policy_chain(curbest, root->ipr_nonhash[af], sel, 1789 is_icmp_inv_acq); 1790 1791 /* 1792 * Adjust reference counts if we found anything new. 1793 */ 1794 if (curbest != best) { 1795 ASSERT(curbest != NULL); 1796 IPPOL_REFHOLD(curbest); 1797 1798 if (best != NULL) { 1799 IPPOL_REFRELE(best); 1800 } 1801 } 1802 1803 rw_exit(&head->iph_lock); 1804 1805 return (curbest); 1806 } 1807 1808 /* 1809 * Find the best system policy (either global or per-interface) which 1810 * applies to the given selector; look in all the relevant policy roots 1811 * to figure out which policy wins. 1812 * 1813 * Returns a reference to a policy; caller must release this 1814 * reference when done. 1815 */ 1816 ipsec_policy_t * 1817 ipsec_find_policy(int direction, conn_t *connp, ipsec_out_t *io, 1818 ipsec_selector_t *sel) 1819 { 1820 ipsec_policy_t *p; 1821 int selhash = selector_hash(sel); 1822 1823 p = ipsec_find_policy_head(NULL, &system_policy, direction, sel, 1824 selhash); 1825 if ((connp != NULL) && (connp->conn_policy != NULL)) { 1826 p = ipsec_find_policy_head(p, connp->conn_policy, 1827 direction, sel, selhash); 1828 } else if ((io != NULL) && (io->ipsec_out_polhead != NULL)) { 1829 p = ipsec_find_policy_head(p, io->ipsec_out_polhead, 1830 direction, sel, selhash); 1831 } 1832 1833 return (p); 1834 } 1835 1836 /* 1837 * Check with global policy and see whether this inbound 1838 * packet meets the policy constraints. 1839 * 1840 * Locate appropriate policy from global policy, supplemented by the 1841 * conn's configured and/or cached policy if the conn is supplied. 1842 * 1843 * Dispatch to ipsec_check_ipsecin_policy if we have policy and an 1844 * encrypted packet to see if they match. 1845 * 1846 * Otherwise, see if the policy allows cleartext; if not, drop it on the 1847 * floor. 1848 */ 1849 mblk_t * 1850 ipsec_check_global_policy(mblk_t *first_mp, conn_t *connp, 1851 ipha_t *ipha, ip6_t *ip6h, boolean_t mctl_present) 1852 { 1853 ipsec_policy_t *p; 1854 ipsec_selector_t sel; 1855 queue_t *q = NULL; 1856 mblk_t *data_mp, *ipsec_mp; 1857 boolean_t policy_present; 1858 kstat_named_t *counter; 1859 ipsec_in_t *ii = NULL; 1860 1861 data_mp = mctl_present ? first_mp->b_cont : first_mp; 1862 ipsec_mp = mctl_present ? first_mp : NULL; 1863 1864 sel.ips_is_icmp_inv_acq = 0; 1865 1866 ASSERT((ipha == NULL && ip6h != NULL) || 1867 (ip6h == NULL && ipha != NULL)); 1868 1869 if (ipha != NULL) 1870 policy_present = ipsec_inbound_v4_policy_present; 1871 else 1872 policy_present = ipsec_inbound_v6_policy_present; 1873 1874 if (!policy_present && connp == NULL) { 1875 /* 1876 * No global policy and no per-socket policy; 1877 * just pass it back (but we shouldn't get here in that case) 1878 */ 1879 return (first_mp); 1880 } 1881 1882 if (connp != NULL) 1883 q = CONNP_TO_WQ(connp); 1884 1885 if (ipsec_mp != NULL) { 1886 ASSERT(ipsec_mp->b_datap->db_type == M_CTL); 1887 ii = (ipsec_in_t *)(ipsec_mp->b_rptr); 1888 ASSERT(ii->ipsec_in_type == IPSEC_IN); 1889 } 1890 1891 /* 1892 * If we have cached policy, use it. 1893 * Otherwise consult system policy. 1894 */ 1895 if ((connp != NULL) && (connp->conn_latch != NULL)) { 1896 p = connp->conn_latch->ipl_in_policy; 1897 if (p != NULL) { 1898 IPPOL_REFHOLD(p); 1899 } 1900 } else { 1901 /* Initialize the ports in the selector */ 1902 if (!ipsec_init_inbound_sel(&sel, data_mp, ipha, ip6h)) { 1903 /* 1904 * Technically not a policy mismatch, but it is 1905 * an internal failure. 1906 */ 1907 ipsec_log_policy_failure(q, IPSEC_POLICY_MISMATCH, 1908 "ipsec_init_inbound_sel", ipha, ip6h, B_FALSE); 1909 counter = &ipdrops_spd_nomem; 1910 goto fail; 1911 } 1912 1913 /* 1914 * Find the policy which best applies. 1915 * 1916 * If we find global policy, we should look at both 1917 * local policy and global policy and see which is 1918 * stronger and match accordingly. 1919 * 1920 * If we don't find a global policy, check with 1921 * local policy alone. 1922 */ 1923 1924 p = ipsec_find_policy(IPSEC_TYPE_INBOUND, connp, NULL, &sel); 1925 } 1926 1927 if (p == NULL) { 1928 if (ipsec_mp == NULL) { 1929 /* 1930 * We have no policy; default to succeeding. 1931 * XXX paranoid system design doesn't do this. 1932 */ 1933 BUMP_MIB(&ip_mib, ipsecInSucceeded); 1934 return (first_mp); 1935 } else { 1936 counter = &ipdrops_spd_got_secure; 1937 ipsec_log_policy_failure(q, IPSEC_POLICY_NOT_NEEDED, 1938 "ipsec_check_global_policy", ipha, ip6h, B_TRUE); 1939 goto fail; 1940 } 1941 } 1942 if ((ii != NULL) && (ii->ipsec_in_secure)) 1943 return (ipsec_check_ipsecin_policy(q, ipsec_mp, p, ipha, ip6h)); 1944 if (p->ipsp_act->ipa_allow_clear) { 1945 BUMP_MIB(&ip_mib, ipsecInSucceeded); 1946 IPPOL_REFRELE(p); 1947 return (first_mp); 1948 } 1949 IPPOL_REFRELE(p); 1950 /* 1951 * If we reach here, we will drop the packet because it failed the 1952 * global policy check because the packet was cleartext, and it 1953 * should not have been. 1954 */ 1955 ipsec_log_policy_failure(q, IPSEC_POLICY_MISMATCH, 1956 "ipsec_check_global_policy", ipha, ip6h, B_FALSE); 1957 counter = &ipdrops_spd_got_clear; 1958 1959 fail: 1960 ip_drop_packet(first_mp, B_TRUE, NULL, NULL, counter, &spd_dropper); 1961 BUMP_MIB(&ip_mib, ipsecInFailed); 1962 return (NULL); 1963 } 1964 1965 /* 1966 * We check whether an inbound datagram is a valid one 1967 * to accept in clear. If it is secure, it is the job 1968 * of IPSEC to log information appropriately if it 1969 * suspects that it may not be the real one. 1970 * 1971 * It is called only while fanning out to the ULP 1972 * where ULP accepts only secure data and the incoming 1973 * is clear. Usually we never accept clear datagrams in 1974 * such cases. ICMP is the only exception. 1975 * 1976 * NOTE : We don't call this function if the client (ULP) 1977 * is willing to accept things in clear. 1978 */ 1979 boolean_t 1980 ipsec_inbound_accept_clear(mblk_t *mp, ipha_t *ipha, ip6_t *ip6h) 1981 { 1982 ushort_t iph_hdr_length; 1983 icmph_t *icmph; 1984 icmp6_t *icmp6; 1985 uint8_t *nexthdrp; 1986 1987 ASSERT((ipha != NULL && ip6h == NULL) || 1988 (ipha == NULL && ip6h != NULL)); 1989 1990 if (ip6h != NULL) { 1991 iph_hdr_length = ip_hdr_length_v6(mp, ip6h); 1992 if (!ip_hdr_length_nexthdr_v6(mp, ip6h, &iph_hdr_length, 1993 &nexthdrp)) { 1994 return (B_FALSE); 1995 } 1996 if (*nexthdrp != IPPROTO_ICMPV6) 1997 return (B_FALSE); 1998 icmp6 = (icmp6_t *)(&mp->b_rptr[iph_hdr_length]); 1999 /* Match IPv6 ICMP policy as closely as IPv4 as possible. */ 2000 switch (icmp6->icmp6_type) { 2001 case ICMP6_PARAM_PROB: 2002 /* Corresponds to port/proto unreach in IPv4. */ 2003 case ICMP6_ECHO_REQUEST: 2004 /* Just like IPv4. */ 2005 return (B_FALSE); 2006 2007 case MLD_LISTENER_QUERY: 2008 case MLD_LISTENER_REPORT: 2009 case MLD_LISTENER_REDUCTION: 2010 /* 2011 * XXX Seperate NDD in IPv4 what about here? 2012 * Plus, mcast is important to ND. 2013 */ 2014 case ICMP6_DST_UNREACH: 2015 /* Corresponds to HOST/NET unreachable in IPv4. */ 2016 case ICMP6_PACKET_TOO_BIG: 2017 case ICMP6_ECHO_REPLY: 2018 /* These are trusted in IPv4. */ 2019 case ND_ROUTER_SOLICIT: 2020 case ND_ROUTER_ADVERT: 2021 case ND_NEIGHBOR_SOLICIT: 2022 case ND_NEIGHBOR_ADVERT: 2023 case ND_REDIRECT: 2024 /* Trust ND messages for now. */ 2025 case ICMP6_TIME_EXCEEDED: 2026 default: 2027 return (B_TRUE); 2028 } 2029 } else { 2030 /* 2031 * If it is not ICMP, fail this request. 2032 */ 2033 if (ipha->ipha_protocol != IPPROTO_ICMP) 2034 return (B_FALSE); 2035 iph_hdr_length = IPH_HDR_LENGTH(ipha); 2036 icmph = (icmph_t *)&mp->b_rptr[iph_hdr_length]; 2037 /* 2038 * It is an insecure icmp message. Check to see whether we are 2039 * willing to accept this one. 2040 */ 2041 2042 switch (icmph->icmph_type) { 2043 case ICMP_ECHO_REPLY: 2044 case ICMP_TIME_STAMP_REPLY: 2045 case ICMP_INFO_REPLY: 2046 case ICMP_ROUTER_ADVERTISEMENT: 2047 /* 2048 * We should not encourage clear replies if this 2049 * client expects secure. If somebody is replying 2050 * in clear some mailicious user watching both the 2051 * request and reply, can do chosen-plain-text attacks. 2052 * With global policy we might be just expecting secure 2053 * but sending out clear. We don't know what the right 2054 * thing is. We can't do much here as we can't control 2055 * the sender here. Till we are sure of what to do, 2056 * accept them. 2057 */ 2058 return (B_TRUE); 2059 case ICMP_ECHO_REQUEST: 2060 case ICMP_TIME_STAMP_REQUEST: 2061 case ICMP_INFO_REQUEST: 2062 case ICMP_ADDRESS_MASK_REQUEST: 2063 case ICMP_ROUTER_SOLICITATION: 2064 case ICMP_ADDRESS_MASK_REPLY: 2065 /* 2066 * Don't accept this as somebody could be sending 2067 * us plain text to get encrypted data. If we reply, 2068 * it will lead to chosen plain text attack. 2069 */ 2070 return (B_FALSE); 2071 case ICMP_DEST_UNREACHABLE: 2072 switch (icmph->icmph_code) { 2073 case ICMP_FRAGMENTATION_NEEDED: 2074 /* 2075 * Be in sync with icmp_inbound, where we have 2076 * already set ire_max_frag. 2077 */ 2078 return (B_TRUE); 2079 case ICMP_HOST_UNREACHABLE: 2080 case ICMP_NET_UNREACHABLE: 2081 /* 2082 * By accepting, we could reset a connection. 2083 * How do we solve the problem of some 2084 * intermediate router sending in-secure ICMP 2085 * messages ? 2086 */ 2087 return (B_TRUE); 2088 case ICMP_PORT_UNREACHABLE: 2089 case ICMP_PROTOCOL_UNREACHABLE: 2090 default : 2091 return (B_FALSE); 2092 } 2093 case ICMP_SOURCE_QUENCH: 2094 /* 2095 * If this is an attack, TCP will slow start 2096 * because of this. Is it very harmful ? 2097 */ 2098 return (B_TRUE); 2099 case ICMP_PARAM_PROBLEM: 2100 return (B_FALSE); 2101 case ICMP_TIME_EXCEEDED: 2102 return (B_TRUE); 2103 case ICMP_REDIRECT: 2104 return (B_FALSE); 2105 default : 2106 return (B_FALSE); 2107 } 2108 } 2109 } 2110 2111 void 2112 ipsec_latch_ids(ipsec_latch_t *ipl, ipsid_t *local, ipsid_t *remote) 2113 { 2114 mutex_enter(&ipl->ipl_lock); 2115 2116 if (ipl->ipl_ids_latched) { 2117 /* I lost, someone else got here before me */ 2118 mutex_exit(&ipl->ipl_lock); 2119 return; 2120 } 2121 2122 if (local != NULL) 2123 IPSID_REFHOLD(local); 2124 if (remote != NULL) 2125 IPSID_REFHOLD(remote); 2126 2127 ipl->ipl_local_cid = local; 2128 ipl->ipl_remote_cid = remote; 2129 ipl->ipl_ids_latched = B_TRUE; 2130 mutex_exit(&ipl->ipl_lock); 2131 } 2132 2133 void 2134 ipsec_latch_inbound(ipsec_latch_t *ipl, ipsec_in_t *ii) 2135 { 2136 ipsa_t *sa; 2137 2138 if (!ipl->ipl_ids_latched) { 2139 ipsid_t *local = NULL; 2140 ipsid_t *remote = NULL; 2141 2142 if (!ii->ipsec_in_loopback) { 2143 if (ii->ipsec_in_esp_sa != NULL) 2144 sa = ii->ipsec_in_esp_sa; 2145 else 2146 sa = ii->ipsec_in_ah_sa; 2147 ASSERT(sa != NULL); 2148 local = sa->ipsa_dst_cid; 2149 remote = sa->ipsa_src_cid; 2150 } 2151 ipsec_latch_ids(ipl, local, remote); 2152 } 2153 ipl->ipl_in_action = ii->ipsec_in_action; 2154 IPACT_REFHOLD(ipl->ipl_in_action); 2155 } 2156 2157 /* 2158 * Check whether the policy constraints are met either for an 2159 * inbound datagram; called from IP in numerous places. 2160 * 2161 * Note that this is not a chokepoint for inbound policy checks; 2162 * see also ipsec_check_ipsecin_latch() and ipsec_check_global_policy() 2163 */ 2164 mblk_t * 2165 ipsec_check_inbound_policy(mblk_t *first_mp, conn_t *connp, 2166 ipha_t *ipha, ip6_t *ip6h, boolean_t mctl_present) 2167 { 2168 ipsec_in_t *ii; 2169 boolean_t ret; 2170 mblk_t *mp = mctl_present ? first_mp->b_cont : first_mp; 2171 mblk_t *ipsec_mp = mctl_present ? first_mp : NULL; 2172 ipsec_latch_t *ipl; 2173 2174 ASSERT(connp != NULL); 2175 ipl = connp->conn_latch; 2176 2177 if (ipsec_mp == NULL) { 2178 clear: 2179 /* 2180 * This is the case where the incoming datagram is 2181 * cleartext and we need to see whether this client 2182 * would like to receive such untrustworthy things from 2183 * the wire. 2184 */ 2185 ASSERT(mp != NULL); 2186 2187 if (ipl != NULL) { 2188 /* 2189 * Policy is cached in the conn. 2190 */ 2191 if ((ipl->ipl_in_policy != NULL) && 2192 (!ipl->ipl_in_policy->ipsp_act->ipa_allow_clear)) { 2193 ret = ipsec_inbound_accept_clear(mp, 2194 ipha, ip6h); 2195 if (ret) { 2196 BUMP_MIB(&ip_mib, ipsecInSucceeded); 2197 return (first_mp); 2198 } else { 2199 ip_drop_packet(first_mp, B_TRUE, NULL, 2200 NULL, &ipdrops_spd_got_clear, 2201 &spd_dropper); 2202 ipsec_log_policy_failure( 2203 CONNP_TO_WQ(connp), 2204 IPSEC_POLICY_MISMATCH, 2205 "ipsec_check_inbound_policy", ipha, 2206 ip6h, B_FALSE); 2207 BUMP_MIB(&ip_mib, ipsecInFailed); 2208 return (NULL); 2209 } 2210 } else { 2211 BUMP_MIB(&ip_mib, ipsecInSucceeded); 2212 return (first_mp); 2213 } 2214 } else { 2215 /* 2216 * As this is a non-hardbound connection we need 2217 * to look at both per-socket policy and global 2218 * policy. As this is cleartext, mark the mp as 2219 * M_DATA in case if it is an ICMP error being 2220 * reported before calling ipsec_check_global_policy 2221 * so that it does not mistake it for IPSEC_IN. 2222 */ 2223 uchar_t db_type = mp->b_datap->db_type; 2224 mp->b_datap->db_type = M_DATA; 2225 first_mp = ipsec_check_global_policy(first_mp, connp, 2226 ipha, ip6h, mctl_present); 2227 if (first_mp != NULL) 2228 mp->b_datap->db_type = db_type; 2229 return (first_mp); 2230 } 2231 } 2232 /* 2233 * If it is inbound check whether the attached message 2234 * is secure or not. We have a special case for ICMP, 2235 * where we have a IPSEC_IN message and the attached 2236 * message is not secure. See icmp_inbound_error_fanout 2237 * for details. 2238 */ 2239 ASSERT(ipsec_mp != NULL); 2240 ASSERT(ipsec_mp->b_datap->db_type == M_CTL); 2241 ii = (ipsec_in_t *)ipsec_mp->b_rptr; 2242 2243 if (!ii->ipsec_in_secure) 2244 goto clear; 2245 2246 /* 2247 * mp->b_cont could be either a M_CTL message 2248 * for icmp errors being sent up or a M_DATA message. 2249 */ 2250 ASSERT(mp->b_datap->db_type == M_CTL || 2251 mp->b_datap->db_type == M_DATA); 2252 2253 ASSERT(ii->ipsec_in_type == IPSEC_IN); 2254 2255 if (ipl == NULL) { 2256 /* 2257 * We don't have policies cached in the conn 2258 * for this stream. So, look at the global 2259 * policy. It will check against conn or global 2260 * depending on whichever is stronger. 2261 */ 2262 return (ipsec_check_global_policy(first_mp, connp, 2263 ipha, ip6h, mctl_present)); 2264 } 2265 2266 if (ipl->ipl_in_action != NULL) { 2267 /* Policy is cached & latched; fast(er) path */ 2268 const char *reason; 2269 kstat_named_t *counter; 2270 if (ipsec_check_ipsecin_latch(ii, mp, ipl, 2271 ipha, ip6h, &reason, &counter)) { 2272 BUMP_MIB(&ip_mib, ipsecInSucceeded); 2273 return (first_mp); 2274 } 2275 (void) mi_strlog(CONNP_TO_WQ(connp), 0, 2276 SL_ERROR|SL_WARN|SL_CONSOLE, 2277 "ipsec inbound policy mismatch: %s, packet dropped\n", 2278 reason); 2279 ip_drop_packet(first_mp, B_TRUE, NULL, NULL, counter, 2280 &spd_dropper); 2281 BUMP_MIB(&ip_mib, ipsecInFailed); 2282 return (NULL); 2283 } else if (ipl->ipl_in_policy == NULL) { 2284 ipsec_weird_null_inbound_policy++; 2285 return (first_mp); 2286 } 2287 2288 IPPOL_REFHOLD(ipl->ipl_in_policy); 2289 first_mp = ipsec_check_ipsecin_policy(CONNP_TO_WQ(connp), first_mp, 2290 ipl->ipl_in_policy, ipha, ip6h); 2291 /* 2292 * NOTE: ipsecIn{Failed,Succeeeded} bumped by 2293 * ipsec_check_ipsecin_policy(). 2294 */ 2295 if (first_mp != NULL) 2296 ipsec_latch_inbound(ipl, ii); 2297 return (first_mp); 2298 } 2299 2300 boolean_t 2301 ipsec_init_inbound_sel(ipsec_selector_t *sel, mblk_t *mp, 2302 ipha_t *ipha, ip6_t *ip6h) 2303 { 2304 uint16_t *ports; 2305 ushort_t hdr_len; 2306 mblk_t *spare_mp = NULL; 2307 uint8_t *nexthdrp; 2308 uint8_t nexthdr; 2309 uint8_t *typecode; 2310 uint8_t check_proto; 2311 2312 ASSERT((ipha == NULL && ip6h != NULL) || 2313 (ipha != NULL && ip6h == NULL)); 2314 2315 if (ip6h != NULL) { 2316 check_proto = IPPROTO_ICMPV6; 2317 sel->ips_isv4 = B_FALSE; 2318 sel->ips_local_addr_v6 = ip6h->ip6_dst; 2319 sel->ips_remote_addr_v6 = ip6h->ip6_src; 2320 2321 nexthdr = ip6h->ip6_nxt; 2322 switch (nexthdr) { 2323 case IPPROTO_HOPOPTS: 2324 case IPPROTO_ROUTING: 2325 case IPPROTO_DSTOPTS: 2326 /* 2327 * Use ip_hdr_length_nexthdr_v6(). And have a spare 2328 * mblk that's contiguous to feed it 2329 */ 2330 if ((spare_mp = msgpullup(mp, -1)) == NULL) 2331 return (B_FALSE); 2332 if (!ip_hdr_length_nexthdr_v6(spare_mp, 2333 (ip6_t *)spare_mp->b_rptr, &hdr_len, &nexthdrp)) { 2334 /* Malformed packet - XXX ip_drop_packet()? */ 2335 freemsg(spare_mp); 2336 return (B_FALSE); 2337 } 2338 nexthdr = *nexthdrp; 2339 /* We can just extract based on hdr_len now. */ 2340 break; 2341 default: 2342 hdr_len = IPV6_HDR_LEN; 2343 break; 2344 } 2345 } else { 2346 check_proto = IPPROTO_ICMP; 2347 sel->ips_isv4 = B_TRUE; 2348 sel->ips_local_addr_v4 = ipha->ipha_dst; 2349 sel->ips_remote_addr_v4 = ipha->ipha_src; 2350 nexthdr = ipha->ipha_protocol; 2351 hdr_len = IPH_HDR_LENGTH(ipha); 2352 } 2353 sel->ips_protocol = nexthdr; 2354 2355 if (nexthdr != IPPROTO_TCP && nexthdr != IPPROTO_UDP && 2356 nexthdr != IPPROTO_SCTP && nexthdr != check_proto) { 2357 sel->ips_remote_port = sel->ips_local_port = 0; 2358 freemsg(spare_mp); /* Always works, even if NULL. */ 2359 return (B_TRUE); 2360 } 2361 2362 if (&mp->b_rptr[hdr_len] + 4 > mp->b_wptr) { 2363 /* If we didn't pullup a copy already, do so now. */ 2364 /* 2365 * XXX performance, will upper-layers frequently split TCP/UDP 2366 * apart from IP or options? If so, perhaps we should revisit 2367 * the spare_mp strategy. 2368 */ 2369 ipsec_hdr_pullup_needed++; 2370 if (spare_mp == NULL && 2371 (spare_mp = msgpullup(mp, -1)) == NULL) { 2372 return (B_FALSE); 2373 } 2374 ports = (uint16_t *)&spare_mp->b_rptr[hdr_len]; 2375 } else { 2376 ports = (uint16_t *)&mp->b_rptr[hdr_len]; 2377 } 2378 2379 if (nexthdr == check_proto) { 2380 typecode = (uint8_t *)ports; 2381 sel->ips_icmp_type = *typecode++; 2382 sel->ips_icmp_code = *typecode; 2383 sel->ips_remote_port = sel->ips_local_port = 0; 2384 freemsg(spare_mp); /* Always works, even if NULL */ 2385 return (B_TRUE); 2386 } 2387 2388 sel->ips_remote_port = *ports++; 2389 sel->ips_local_port = *ports; 2390 freemsg(spare_mp); /* Always works, even if NULL */ 2391 return (B_TRUE); 2392 } 2393 2394 static boolean_t 2395 ipsec_init_outbound_ports(ipsec_selector_t *sel, mblk_t *mp, ipha_t *ipha, 2396 ip6_t *ip6h) 2397 { 2398 /* 2399 * XXX cut&paste shared with ipsec_init_inbound_sel 2400 */ 2401 uint16_t *ports; 2402 ushort_t hdr_len; 2403 mblk_t *spare_mp = NULL; 2404 uint8_t *nexthdrp; 2405 uint8_t nexthdr; 2406 uint8_t *typecode; 2407 uint8_t check_proto; 2408 2409 ASSERT((ipha == NULL && ip6h != NULL) || 2410 (ipha != NULL && ip6h == NULL)); 2411 2412 if (ip6h != NULL) { 2413 check_proto = IPPROTO_ICMPV6; 2414 nexthdr = ip6h->ip6_nxt; 2415 switch (nexthdr) { 2416 case IPPROTO_HOPOPTS: 2417 case IPPROTO_ROUTING: 2418 case IPPROTO_DSTOPTS: 2419 /* 2420 * Use ip_hdr_length_nexthdr_v6(). And have a spare 2421 * mblk that's contiguous to feed it 2422 */ 2423 spare_mp = msgpullup(mp, -1); 2424 if (spare_mp == NULL || 2425 !ip_hdr_length_nexthdr_v6(spare_mp, 2426 (ip6_t *)spare_mp->b_rptr, &hdr_len, 2427 &nexthdrp)) { 2428 /* Always works, even if NULL. */ 2429 freemsg(spare_mp); 2430 freemsg(mp); 2431 return (B_FALSE); 2432 } else { 2433 nexthdr = *nexthdrp; 2434 /* We can just extract based on hdr_len now. */ 2435 } 2436 break; 2437 default: 2438 hdr_len = IPV6_HDR_LEN; 2439 break; 2440 } 2441 } else { 2442 check_proto = IPPROTO_ICMP; 2443 hdr_len = IPH_HDR_LENGTH(ipha); 2444 nexthdr = ipha->ipha_protocol; 2445 } 2446 2447 sel->ips_protocol = nexthdr; 2448 if (nexthdr != IPPROTO_TCP && nexthdr != IPPROTO_UDP && 2449 nexthdr != IPPROTO_SCTP && nexthdr != check_proto) { 2450 sel->ips_local_port = sel->ips_remote_port = 0; 2451 freemsg(spare_mp); /* Always works, even if NULL. */ 2452 return (B_TRUE); 2453 } 2454 2455 if (&mp->b_rptr[hdr_len] + 4 > mp->b_wptr) { 2456 /* If we didn't pullup a copy already, do so now. */ 2457 /* 2458 * XXX performance, will upper-layers frequently split TCP/UDP 2459 * apart from IP or options? If so, perhaps we should revisit 2460 * the spare_mp strategy. 2461 * 2462 * XXX should this be msgpullup(mp, hdr_len+4) ??? 2463 */ 2464 if (spare_mp == NULL && 2465 (spare_mp = msgpullup(mp, -1)) == NULL) { 2466 freemsg(mp); 2467 return (B_FALSE); 2468 } 2469 ports = (uint16_t *)&spare_mp->b_rptr[hdr_len]; 2470 } else { 2471 ports = (uint16_t *)&mp->b_rptr[hdr_len]; 2472 } 2473 2474 if (nexthdr == check_proto) { 2475 typecode = (uint8_t *)ports; 2476 sel->ips_icmp_type = *typecode++; 2477 sel->ips_icmp_code = *typecode; 2478 sel->ips_remote_port = sel->ips_local_port = 0; 2479 freemsg(spare_mp); /* Always works, even if NULL */ 2480 return (B_TRUE); 2481 } 2482 2483 sel->ips_local_port = *ports++; 2484 sel->ips_remote_port = *ports; 2485 freemsg(spare_mp); /* Always works, even if NULL */ 2486 return (B_TRUE); 2487 } 2488 2489 /* 2490 * Create an ipsec_action_t based on the way an inbound packet was protected. 2491 * Used to reflect traffic back to a sender. 2492 * 2493 * We don't bother interning the action into the hash table. 2494 */ 2495 ipsec_action_t * 2496 ipsec_in_to_out_action(ipsec_in_t *ii) 2497 { 2498 ipsa_t *ah_assoc, *esp_assoc; 2499 uint_t auth_alg = 0, encr_alg = 0, espa_alg = 0; 2500 ipsec_action_t *ap; 2501 boolean_t unique; 2502 2503 ap = kmem_cache_alloc(ipsec_action_cache, KM_NOSLEEP); 2504 2505 if (ap == NULL) 2506 return (NULL); 2507 2508 bzero(ap, sizeof (*ap)); 2509 HASH_NULL(ap, ipa_hash); 2510 ap->ipa_next = NULL; 2511 ap->ipa_refs = 1; 2512 2513 /* 2514 * Get the algorithms that were used for this packet. 2515 */ 2516 ap->ipa_act.ipa_type = IPSEC_ACT_APPLY; 2517 ap->ipa_act.ipa_log = 0; 2518 ah_assoc = ii->ipsec_in_ah_sa; 2519 ap->ipa_act.ipa_apply.ipp_use_ah = (ah_assoc != NULL); 2520 2521 esp_assoc = ii->ipsec_in_esp_sa; 2522 ap->ipa_act.ipa_apply.ipp_use_esp = (esp_assoc != NULL); 2523 2524 if (esp_assoc != NULL) { 2525 encr_alg = esp_assoc->ipsa_encr_alg; 2526 espa_alg = esp_assoc->ipsa_auth_alg; 2527 ap->ipa_act.ipa_apply.ipp_use_espa = (espa_alg != 0); 2528 } 2529 if (ah_assoc != NULL) 2530 auth_alg = ah_assoc->ipsa_auth_alg; 2531 2532 ap->ipa_act.ipa_apply.ipp_encr_alg = (uint8_t)encr_alg; 2533 ap->ipa_act.ipa_apply.ipp_auth_alg = (uint8_t)auth_alg; 2534 ap->ipa_act.ipa_apply.ipp_esp_auth_alg = (uint8_t)espa_alg; 2535 ap->ipa_act.ipa_apply.ipp_use_se = ii->ipsec_in_decaps; 2536 unique = B_FALSE; 2537 2538 if (esp_assoc != NULL) { 2539 ap->ipa_act.ipa_apply.ipp_espa_minbits = 2540 esp_assoc->ipsa_authkeybits; 2541 ap->ipa_act.ipa_apply.ipp_espa_maxbits = 2542 esp_assoc->ipsa_authkeybits; 2543 ap->ipa_act.ipa_apply.ipp_espe_minbits = 2544 esp_assoc->ipsa_encrkeybits; 2545 ap->ipa_act.ipa_apply.ipp_espe_maxbits = 2546 esp_assoc->ipsa_encrkeybits; 2547 ap->ipa_act.ipa_apply.ipp_km_proto = esp_assoc->ipsa_kmp; 2548 ap->ipa_act.ipa_apply.ipp_km_cookie = esp_assoc->ipsa_kmc; 2549 if (esp_assoc->ipsa_flags & IPSA_F_UNIQUE) 2550 unique = B_TRUE; 2551 } 2552 if (ah_assoc != NULL) { 2553 ap->ipa_act.ipa_apply.ipp_ah_minbits = 2554 ah_assoc->ipsa_authkeybits; 2555 ap->ipa_act.ipa_apply.ipp_ah_maxbits = 2556 ah_assoc->ipsa_authkeybits; 2557 ap->ipa_act.ipa_apply.ipp_km_proto = ah_assoc->ipsa_kmp; 2558 ap->ipa_act.ipa_apply.ipp_km_cookie = ah_assoc->ipsa_kmc; 2559 if (ah_assoc->ipsa_flags & IPSA_F_UNIQUE) 2560 unique = B_TRUE; 2561 } 2562 ap->ipa_act.ipa_apply.ipp_use_unique = unique; 2563 ap->ipa_want_unique = unique; 2564 ap->ipa_allow_clear = B_FALSE; 2565 ap->ipa_want_se = ii->ipsec_in_decaps; 2566 ap->ipa_want_ah = (ah_assoc != NULL); 2567 ap->ipa_want_esp = (esp_assoc != NULL); 2568 2569 ap->ipa_ovhd = ipsec_act_ovhd(&ap->ipa_act); 2570 2571 ap->ipa_act.ipa_apply.ipp_replay_depth = 0; /* don't care */ 2572 2573 return (ap); 2574 } 2575 2576 2577 /* 2578 * Compute the worst-case amount of extra space required by an action. 2579 * Note that, because of the ESP considerations listed below, this is 2580 * actually not the same as the best-case reduction in the MTU; in the 2581 * future, we should pass additional information to this function to 2582 * allow the actual MTU impact to be computed. 2583 * 2584 * AH: Revisit this if we implement algorithms with 2585 * a verifier size of more than 12 bytes. 2586 * 2587 * ESP: A more exact but more messy computation would take into 2588 * account the interaction between the cipher block size and the 2589 * effective MTU, yielding the inner payload size which reflects a 2590 * packet with *minimum* ESP padding.. 2591 */ 2592 static int32_t 2593 ipsec_act_ovhd(const ipsec_act_t *act) 2594 { 2595 int32_t overhead = 0; 2596 2597 if (act->ipa_type == IPSEC_ACT_APPLY) { 2598 const ipsec_prot_t *ipp = &act->ipa_apply; 2599 2600 if (ipp->ipp_use_ah) 2601 overhead += IPSEC_MAX_AH_HDR_SIZE; 2602 if (ipp->ipp_use_esp) { 2603 overhead += IPSEC_MAX_ESP_HDR_SIZE; 2604 overhead += sizeof (struct udphdr); 2605 } 2606 if (ipp->ipp_use_se) 2607 overhead += IP_SIMPLE_HDR_LENGTH; 2608 } 2609 return (overhead); 2610 } 2611 2612 /* 2613 * This hash function is used only when creating policies and thus is not 2614 * performance-critical for packet flows. 2615 * 2616 * Future work: canonicalize the structures hashed with this (i.e., 2617 * zeroize padding) so the hash works correctly. 2618 */ 2619 /* ARGSUSED */ 2620 static uint32_t 2621 policy_hash(int size, const void *start, const void *end) 2622 { 2623 return (0); 2624 } 2625 2626 2627 /* 2628 * Hash function macros for each address type. 2629 * 2630 * The IPV6 hash function assumes that the low order 32-bits of the 2631 * address (typically containing the low order 24 bits of the mac 2632 * address) are reasonably well-distributed. Revisit this if we run 2633 * into trouble from lots of collisions on ::1 addresses and the like 2634 * (seems unlikely). 2635 */ 2636 #define IPSEC_IPV4_HASH(a) ((a) % ipsec_spd_hashsize) 2637 #define IPSEC_IPV6_HASH(a) ((a.s6_addr32[3]) % ipsec_spd_hashsize) 2638 2639 /* 2640 * These two hash functions should produce coordinated values 2641 * but have slightly different roles. 2642 */ 2643 static uint32_t 2644 selkey_hash(const ipsec_selkey_t *selkey) 2645 { 2646 uint32_t valid = selkey->ipsl_valid; 2647 2648 if (!(valid & IPSL_REMOTE_ADDR)) 2649 return (IPSEC_SEL_NOHASH); 2650 2651 if (valid & IPSL_IPV4) { 2652 if (selkey->ipsl_remote_pfxlen == 32) 2653 return (IPSEC_IPV4_HASH(selkey->ipsl_remote.ipsad_v4)); 2654 } 2655 if (valid & IPSL_IPV6) { 2656 if (selkey->ipsl_remote_pfxlen == 128) 2657 return (IPSEC_IPV6_HASH(selkey->ipsl_remote.ipsad_v6)); 2658 } 2659 return (IPSEC_SEL_NOHASH); 2660 } 2661 2662 static uint32_t 2663 selector_hash(ipsec_selector_t *sel) 2664 { 2665 if (sel->ips_isv4) { 2666 return (IPSEC_IPV4_HASH(sel->ips_remote_addr_v4)); 2667 } 2668 return (IPSEC_IPV6_HASH(sel->ips_remote_addr_v6)); 2669 } 2670 2671 /* 2672 * Intern actions into the action hash table. 2673 */ 2674 ipsec_action_t * 2675 ipsec_act_find(const ipsec_act_t *a, int n) 2676 { 2677 int i; 2678 uint32_t hval; 2679 ipsec_action_t *ap; 2680 ipsec_action_t *prev = NULL; 2681 int32_t overhead, maxovhd = 0; 2682 boolean_t allow_clear = B_FALSE; 2683 boolean_t want_ah = B_FALSE; 2684 boolean_t want_esp = B_FALSE; 2685 boolean_t want_se = B_FALSE; 2686 boolean_t want_unique = B_FALSE; 2687 2688 /* 2689 * TODO: should canonicalize a[] (i.e., zeroize any padding) 2690 * so we can use a non-trivial policy_hash function. 2691 */ 2692 for (i = n-1; i >= 0; i--) { 2693 hval = policy_hash(IPSEC_ACTION_HASH_SIZE, &a[i], &a[n]); 2694 2695 HASH_LOCK(ipsec_action_hash, hval); 2696 2697 for (HASH_ITERATE(ap, ipa_hash, ipsec_action_hash, hval)) { 2698 if (bcmp(&ap->ipa_act, &a[i], sizeof (*a)) != 0) 2699 continue; 2700 if (ap->ipa_next != prev) 2701 continue; 2702 break; 2703 } 2704 if (ap != NULL) { 2705 HASH_UNLOCK(ipsec_action_hash, hval); 2706 prev = ap; 2707 continue; 2708 } 2709 /* 2710 * need to allocate a new one.. 2711 */ 2712 ap = kmem_cache_alloc(ipsec_action_cache, KM_NOSLEEP); 2713 if (ap == NULL) { 2714 HASH_UNLOCK(ipsec_action_hash, hval); 2715 if (prev != NULL) 2716 ipsec_action_free(prev); 2717 return (NULL); 2718 } 2719 HASH_INSERT(ap, ipa_hash, ipsec_action_hash, hval); 2720 2721 ap->ipa_next = prev; 2722 ap->ipa_act = a[i]; 2723 2724 overhead = ipsec_act_ovhd(&a[i]); 2725 if (maxovhd < overhead) 2726 maxovhd = overhead; 2727 2728 if ((a[i].ipa_type == IPSEC_ACT_BYPASS) || 2729 (a[i].ipa_type == IPSEC_ACT_CLEAR)) 2730 allow_clear = B_TRUE; 2731 if (a[i].ipa_type == IPSEC_ACT_APPLY) { 2732 const ipsec_prot_t *ipp = &a[i].ipa_apply; 2733 2734 ASSERT(ipp->ipp_use_ah || ipp->ipp_use_esp); 2735 want_ah |= ipp->ipp_use_ah; 2736 want_esp |= ipp->ipp_use_esp; 2737 want_se |= ipp->ipp_use_se; 2738 want_unique |= ipp->ipp_use_unique; 2739 } 2740 ap->ipa_allow_clear = allow_clear; 2741 ap->ipa_want_ah = want_ah; 2742 ap->ipa_want_esp = want_esp; 2743 ap->ipa_want_se = want_se; 2744 ap->ipa_want_unique = want_unique; 2745 ap->ipa_refs = 1; /* from the hash table */ 2746 ap->ipa_ovhd = maxovhd; 2747 if (prev) 2748 prev->ipa_refs++; 2749 prev = ap; 2750 HASH_UNLOCK(ipsec_action_hash, hval); 2751 } 2752 2753 ap->ipa_refs++; /* caller's reference */ 2754 2755 return (ap); 2756 } 2757 2758 /* 2759 * Called when refcount goes to 0, indicating that all references to this 2760 * node are gone. 2761 * 2762 * This does not unchain the action from the hash table. 2763 */ 2764 void 2765 ipsec_action_free(ipsec_action_t *ap) 2766 { 2767 for (;;) { 2768 ipsec_action_t *np = ap->ipa_next; 2769 ASSERT(ap->ipa_refs == 0); 2770 ASSERT(ap->ipa_hash.hash_pp == NULL); 2771 kmem_cache_free(ipsec_action_cache, ap); 2772 ap = np; 2773 /* Inlined IPACT_REFRELE -- avoid recursion */ 2774 if (ap == NULL) 2775 break; 2776 membar_exit(); 2777 if (atomic_add_32_nv(&(ap)->ipa_refs, -1) != 0) 2778 break; 2779 /* End inlined IPACT_REFRELE */ 2780 } 2781 } 2782 2783 /* 2784 * Periodically sweep action hash table for actions with refcount==1, and 2785 * nuke them. We cannot do this "on demand" (i.e., from IPACT_REFRELE) 2786 * because we can't close the race between another thread finding the action 2787 * in the hash table without holding the bucket lock during IPACT_REFRELE. 2788 * Instead, we run this function sporadically to clean up after ourselves; 2789 * we also set it as the "reclaim" function for the action kmem_cache. 2790 * 2791 * Note that it may take several passes of ipsec_action_gc() to free all 2792 * "stale" actions. 2793 */ 2794 /* ARGSUSED */ 2795 static void 2796 ipsec_action_reclaim(void *dummy) 2797 { 2798 int i; 2799 2800 for (i = 0; i < IPSEC_ACTION_HASH_SIZE; i++) { 2801 ipsec_action_t *ap, *np; 2802 2803 /* skip the lock if nobody home */ 2804 if (ipsec_action_hash[i].hash_head == NULL) 2805 continue; 2806 2807 HASH_LOCK(ipsec_action_hash, i); 2808 for (ap = ipsec_action_hash[i].hash_head; 2809 ap != NULL; ap = np) { 2810 ASSERT(ap->ipa_refs > 0); 2811 np = ap->ipa_hash.hash_next; 2812 if (ap->ipa_refs > 1) 2813 continue; 2814 HASH_UNCHAIN(ap, ipa_hash, ipsec_action_hash, i); 2815 IPACT_REFRELE(ap); 2816 } 2817 HASH_UNLOCK(ipsec_action_hash, i); 2818 } 2819 } 2820 2821 /* 2822 * Intern a selector set into the selector set hash table. 2823 * This is simpler than the actions case.. 2824 */ 2825 static ipsec_sel_t * 2826 ipsec_find_sel(ipsec_selkey_t *selkey) 2827 { 2828 ipsec_sel_t *sp; 2829 uint32_t hval, bucket; 2830 2831 /* 2832 * Exactly one AF bit should be set in selkey. 2833 */ 2834 ASSERT(!(selkey->ipsl_valid & IPSL_IPV4) ^ 2835 !(selkey->ipsl_valid & IPSL_IPV6)); 2836 2837 hval = selkey_hash(selkey); 2838 selkey->ipsl_hval = hval; 2839 2840 bucket = (hval == IPSEC_SEL_NOHASH) ? 0 : hval; 2841 2842 ASSERT(!HASH_LOCKED(ipsec_sel_hash, bucket)); 2843 HASH_LOCK(ipsec_sel_hash, bucket); 2844 2845 for (HASH_ITERATE(sp, ipsl_hash, ipsec_sel_hash, bucket)) { 2846 if (bcmp(&sp->ipsl_key, selkey, sizeof (*selkey)) == 0) 2847 break; 2848 } 2849 if (sp != NULL) { 2850 sp->ipsl_refs++; 2851 2852 HASH_UNLOCK(ipsec_sel_hash, bucket); 2853 return (sp); 2854 } 2855 2856 sp = kmem_cache_alloc(ipsec_sel_cache, KM_NOSLEEP); 2857 if (sp == NULL) { 2858 HASH_UNLOCK(ipsec_sel_hash, bucket); 2859 return (NULL); 2860 } 2861 2862 HASH_INSERT(sp, ipsl_hash, ipsec_sel_hash, bucket); 2863 sp->ipsl_refs = 2; /* one for hash table, one for caller */ 2864 sp->ipsl_key = *selkey; 2865 2866 HASH_UNLOCK(ipsec_sel_hash, bucket); 2867 2868 return (sp); 2869 } 2870 2871 static void 2872 ipsec_sel_rel(ipsec_sel_t **spp) 2873 { 2874 ipsec_sel_t *sp = *spp; 2875 int hval = sp->ipsl_key.ipsl_hval; 2876 *spp = NULL; 2877 2878 if (hval == IPSEC_SEL_NOHASH) 2879 hval = 0; 2880 2881 ASSERT(!HASH_LOCKED(ipsec_sel_hash, hval)); 2882 HASH_LOCK(ipsec_sel_hash, hval); 2883 if (--sp->ipsl_refs == 1) { 2884 HASH_UNCHAIN(sp, ipsl_hash, ipsec_sel_hash, hval); 2885 sp->ipsl_refs--; 2886 HASH_UNLOCK(ipsec_sel_hash, hval); 2887 ASSERT(sp->ipsl_refs == 0); 2888 kmem_cache_free(ipsec_sel_cache, sp); 2889 /* Caller unlocks */ 2890 return; 2891 } 2892 2893 HASH_UNLOCK(ipsec_sel_hash, hval); 2894 } 2895 2896 /* 2897 * Free a policy rule which we know is no longer being referenced. 2898 */ 2899 void 2900 ipsec_policy_free(ipsec_policy_t *ipp) 2901 { 2902 ASSERT(ipp->ipsp_refs == 0); 2903 ASSERT(ipp->ipsp_sel != NULL); 2904 ASSERT(ipp->ipsp_act != NULL); 2905 ipsec_sel_rel(&ipp->ipsp_sel); 2906 IPACT_REFRELE(ipp->ipsp_act); 2907 kmem_cache_free(ipsec_pol_cache, ipp); 2908 } 2909 2910 /* 2911 * Construction of new policy rules; construct a policy, and add it to 2912 * the appropriate tables. 2913 */ 2914 ipsec_policy_t * 2915 ipsec_policy_create(ipsec_selkey_t *keys, const ipsec_act_t *a, 2916 int nacts, int prio) 2917 { 2918 ipsec_action_t *ap; 2919 ipsec_sel_t *sp; 2920 ipsec_policy_t *ipp; 2921 2922 ipp = kmem_cache_alloc(ipsec_pol_cache, KM_NOSLEEP); 2923 ap = ipsec_act_find(a, nacts); 2924 sp = ipsec_find_sel(keys); 2925 2926 if ((ap == NULL) || (sp == NULL) || (ipp == NULL)) { 2927 if (ap != NULL) { 2928 IPACT_REFRELE(ap); 2929 } 2930 if (sp != NULL) 2931 ipsec_sel_rel(&sp); 2932 if (ipp != NULL) 2933 kmem_cache_free(ipsec_pol_cache, ipp); 2934 return (NULL); 2935 } 2936 2937 HASH_NULL(ipp, ipsp_hash); 2938 2939 ipp->ipsp_refs = 1; /* caller's reference */ 2940 ipp->ipsp_sel = sp; 2941 ipp->ipsp_act = ap; 2942 ipp->ipsp_prio = prio; /* rule priority */ 2943 ipp->ipsp_index = ipsec_next_policy_index++; 2944 2945 return (ipp); 2946 } 2947 2948 static void 2949 ipsec_update_present_flags() 2950 { 2951 boolean_t hashpol = (avl_numnodes(&system_policy.iph_rulebyid) > 0); 2952 2953 if (hashpol) { 2954 ipsec_outbound_v4_policy_present = B_TRUE; 2955 ipsec_outbound_v6_policy_present = B_TRUE; 2956 ipsec_inbound_v4_policy_present = B_TRUE; 2957 ipsec_inbound_v6_policy_present = B_TRUE; 2958 return; 2959 } 2960 2961 ipsec_outbound_v4_policy_present = (NULL != 2962 system_policy.iph_root[IPSEC_TYPE_OUTBOUND]. 2963 ipr_nonhash[IPSEC_AF_V4]); 2964 ipsec_outbound_v6_policy_present = (NULL != 2965 system_policy.iph_root[IPSEC_TYPE_OUTBOUND]. 2966 ipr_nonhash[IPSEC_AF_V6]); 2967 ipsec_inbound_v4_policy_present = (NULL != 2968 system_policy.iph_root[IPSEC_TYPE_INBOUND]. 2969 ipr_nonhash[IPSEC_AF_V4]); 2970 ipsec_inbound_v6_policy_present = (NULL != 2971 system_policy.iph_root[IPSEC_TYPE_INBOUND]. 2972 ipr_nonhash[IPSEC_AF_V6]); 2973 } 2974 2975 boolean_t 2976 ipsec_policy_delete(ipsec_policy_head_t *php, ipsec_selkey_t *keys, int dir) 2977 { 2978 ipsec_sel_t *sp; 2979 ipsec_policy_t *ip, *nip, *head; 2980 int af; 2981 ipsec_policy_root_t *pr = &php->iph_root[dir]; 2982 2983 sp = ipsec_find_sel(keys); 2984 2985 if (sp == NULL) 2986 return (B_FALSE); 2987 2988 af = (sp->ipsl_key.ipsl_valid & IPSL_IPV4) ? IPSEC_AF_V4 : IPSEC_AF_V6; 2989 2990 rw_enter(&php->iph_lock, RW_WRITER); 2991 2992 if (keys->ipsl_hval == IPSEC_SEL_NOHASH) { 2993 head = pr->ipr_nonhash[af]; 2994 } else { 2995 head = pr->ipr_hash[keys->ipsl_hval].hash_head; 2996 } 2997 2998 for (ip = head; ip != NULL; ip = nip) { 2999 nip = ip->ipsp_hash.hash_next; 3000 if (ip->ipsp_sel != sp) { 3001 continue; 3002 } 3003 3004 IPPOL_UNCHAIN(php, ip); 3005 3006 php->iph_gen++; 3007 ipsec_update_present_flags(); 3008 3009 rw_exit(&php->iph_lock); 3010 3011 ipsec_sel_rel(&sp); 3012 3013 return (B_TRUE); 3014 } 3015 3016 rw_exit(&php->iph_lock); 3017 ipsec_sel_rel(&sp); 3018 return (B_FALSE); 3019 } 3020 3021 int 3022 ipsec_policy_delete_index(ipsec_policy_head_t *php, uint64_t policy_index) 3023 { 3024 boolean_t found = B_FALSE; 3025 ipsec_policy_t ipkey; 3026 ipsec_policy_t *ip; 3027 avl_index_t where; 3028 3029 (void) memset(&ipkey, 0, sizeof (ipkey)); 3030 ipkey.ipsp_index = policy_index; 3031 3032 rw_enter(&php->iph_lock, RW_WRITER); 3033 3034 /* 3035 * We could be cleverer here about the walk. 3036 * but well, (k+1)*log(N) will do for now (k==number of matches, 3037 * N==number of table entries 3038 */ 3039 for (;;) { 3040 ip = (ipsec_policy_t *)avl_find(&php->iph_rulebyid, 3041 (void *)&ipkey, &where); 3042 ASSERT(ip == NULL); 3043 3044 ip = avl_nearest(&php->iph_rulebyid, where, AVL_AFTER); 3045 3046 if (ip == NULL) 3047 break; 3048 3049 if (ip->ipsp_index != policy_index) { 3050 ASSERT(ip->ipsp_index > policy_index); 3051 break; 3052 } 3053 3054 IPPOL_UNCHAIN(php, ip); 3055 found = B_TRUE; 3056 } 3057 3058 if (found) { 3059 php->iph_gen++; 3060 ipsec_update_present_flags(); 3061 } 3062 3063 rw_exit(&php->iph_lock); 3064 3065 return (found ? 0 : ENOENT); 3066 } 3067 3068 /* 3069 * Given a constructed ipsec_policy_t policy rule, see if it can be entered 3070 * into the correct policy ruleset. 3071 * 3072 * Returns B_TRUE if it can be entered, B_FALSE if it can't be (because a 3073 * duplicate policy exists with exactly the same selectors), or an icmp 3074 * rule exists with a different encryption/authentication action. 3075 */ 3076 boolean_t 3077 ipsec_check_policy(ipsec_policy_head_t *php, ipsec_policy_t *ipp, int direction) 3078 { 3079 ipsec_policy_root_t *pr = &php->iph_root[direction]; 3080 int af = -1; 3081 ipsec_policy_t *p2, *head; 3082 uint8_t check_proto; 3083 ipsec_selkey_t *selkey = &ipp->ipsp_sel->ipsl_key; 3084 uint32_t valid = selkey->ipsl_valid; 3085 3086 if (valid & IPSL_IPV6) { 3087 ASSERT(!(valid & IPSL_IPV4)); 3088 af = IPSEC_AF_V6; 3089 check_proto = IPPROTO_ICMPV6; 3090 } else { 3091 ASSERT(valid & IPSL_IPV4); 3092 af = IPSEC_AF_V4; 3093 check_proto = IPPROTO_ICMP; 3094 } 3095 3096 ASSERT(RW_WRITE_HELD(&php->iph_lock)); 3097 3098 /* 3099 * Double-check that we don't have any duplicate selectors here. 3100 * Because selectors are interned below, we need only compare pointers 3101 * for equality. 3102 */ 3103 if (selkey->ipsl_hval == IPSEC_SEL_NOHASH) { 3104 head = pr->ipr_nonhash[af]; 3105 } else { 3106 head = pr->ipr_hash[selkey->ipsl_hval].hash_head; 3107 } 3108 3109 for (p2 = head; p2 != NULL; p2 = p2->ipsp_hash.hash_next) { 3110 if (p2->ipsp_sel == ipp->ipsp_sel) 3111 return (B_FALSE); 3112 } 3113 3114 /* 3115 * If it's ICMP and not a drop or pass rule, run through the ICMP 3116 * rules and make sure the action is either new or the same as any 3117 * other actions. We don't have to check the full chain because 3118 * discard and bypass will override all other actions 3119 */ 3120 3121 if (valid & IPSL_PROTOCOL && 3122 selkey->ipsl_proto == check_proto && 3123 (ipp->ipsp_act->ipa_act.ipa_type == IPSEC_ACT_APPLY)) { 3124 3125 for (p2 = head; p2 != NULL; p2 = p2->ipsp_hash.hash_next) { 3126 3127 if (p2->ipsp_sel->ipsl_key.ipsl_valid & IPSL_PROTOCOL && 3128 p2->ipsp_sel->ipsl_key.ipsl_proto == check_proto && 3129 (p2->ipsp_act->ipa_act.ipa_type == 3130 IPSEC_ACT_APPLY)) { 3131 return (ipsec_compare_action(p2, ipp)); 3132 } 3133 } 3134 } 3135 3136 return (B_TRUE); 3137 } 3138 3139 /* 3140 * compare the action chains of two policies for equality 3141 * B_TRUE -> effective equality 3142 */ 3143 3144 static boolean_t 3145 ipsec_compare_action(ipsec_policy_t *p1, ipsec_policy_t *p2) 3146 { 3147 3148 ipsec_action_t *act1, *act2; 3149 3150 /* We have a valid rule. Let's compare the actions */ 3151 if (p1->ipsp_act == p2->ipsp_act) { 3152 /* same action. We are good */ 3153 return (B_TRUE); 3154 } 3155 3156 /* we have to walk the chain */ 3157 3158 act1 = p1->ipsp_act; 3159 act2 = p2->ipsp_act; 3160 3161 while (act1 != NULL && act2 != NULL) { 3162 3163 /* otherwise, Are we close enough? */ 3164 if (act1->ipa_allow_clear != act2->ipa_allow_clear || 3165 act1->ipa_want_ah != act2->ipa_want_ah || 3166 act1->ipa_want_esp != act2->ipa_want_esp || 3167 act1->ipa_want_se != act2->ipa_want_se) { 3168 /* Nope, we aren't */ 3169 return (B_FALSE); 3170 } 3171 3172 if (act1->ipa_want_ah) { 3173 if (act1->ipa_act.ipa_apply.ipp_auth_alg != 3174 act2->ipa_act.ipa_apply.ipp_auth_alg) { 3175 return (B_FALSE); 3176 } 3177 3178 if (act1->ipa_act.ipa_apply.ipp_ah_minbits != 3179 act2->ipa_act.ipa_apply.ipp_ah_minbits || 3180 act1->ipa_act.ipa_apply.ipp_ah_maxbits != 3181 act2->ipa_act.ipa_apply.ipp_ah_maxbits) { 3182 return (B_FALSE); 3183 } 3184 } 3185 3186 if (act1->ipa_want_esp) { 3187 if (act1->ipa_act.ipa_apply.ipp_use_esp != 3188 act2->ipa_act.ipa_apply.ipp_use_esp || 3189 act1->ipa_act.ipa_apply.ipp_use_espa != 3190 act2->ipa_act.ipa_apply.ipp_use_espa) { 3191 return (B_FALSE); 3192 } 3193 3194 if (act1->ipa_act.ipa_apply.ipp_use_esp) { 3195 if (act1->ipa_act.ipa_apply.ipp_encr_alg != 3196 act2->ipa_act.ipa_apply.ipp_encr_alg) { 3197 return (B_FALSE); 3198 } 3199 3200 if (act1->ipa_act.ipa_apply.ipp_espe_minbits != 3201 act2->ipa_act.ipa_apply.ipp_espe_minbits || 3202 act1->ipa_act.ipa_apply.ipp_espe_maxbits != 3203 act2->ipa_act.ipa_apply.ipp_espe_maxbits) { 3204 return (B_FALSE); 3205 } 3206 } 3207 3208 if (act1->ipa_act.ipa_apply.ipp_use_espa) { 3209 if (act1->ipa_act.ipa_apply.ipp_esp_auth_alg != 3210 act2->ipa_act.ipa_apply.ipp_esp_auth_alg) { 3211 return (B_FALSE); 3212 } 3213 3214 if (act1->ipa_act.ipa_apply.ipp_espa_minbits != 3215 act2->ipa_act.ipa_apply.ipp_espa_minbits || 3216 act1->ipa_act.ipa_apply.ipp_espa_maxbits != 3217 act2->ipa_act.ipa_apply.ipp_espa_maxbits) { 3218 return (B_FALSE); 3219 } 3220 } 3221 3222 } 3223 3224 act1 = act1->ipa_next; 3225 act2 = act2->ipa_next; 3226 } 3227 3228 if (act1 != NULL || act2 != NULL) { 3229 return (B_FALSE); 3230 } 3231 3232 return (B_TRUE); 3233 } 3234 3235 3236 /* 3237 * Given a constructed ipsec_policy_t policy rule, enter it into 3238 * the correct policy ruleset. 3239 * 3240 * ipsec_check_policy() is assumed to have succeeded first (to check for 3241 * duplicates). 3242 */ 3243 void 3244 ipsec_enter_policy(ipsec_policy_head_t *php, ipsec_policy_t *ipp, int direction) 3245 { 3246 ipsec_policy_root_t *pr = &php->iph_root[direction]; 3247 ipsec_selkey_t *selkey = &ipp->ipsp_sel->ipsl_key; 3248 uint32_t valid = selkey->ipsl_valid; 3249 uint32_t hval = selkey->ipsl_hval; 3250 int af = -1; 3251 3252 ASSERT(RW_WRITE_HELD(&php->iph_lock)); 3253 3254 if (valid & IPSL_IPV6) { 3255 ASSERT(!(valid & IPSL_IPV4)); 3256 af = IPSEC_AF_V6; 3257 } else { 3258 ASSERT(valid & IPSL_IPV4); 3259 af = IPSEC_AF_V4; 3260 } 3261 3262 php->iph_gen++; 3263 3264 if (hval == IPSEC_SEL_NOHASH) { 3265 HASHLIST_INSERT(ipp, ipsp_hash, pr->ipr_nonhash[af]); 3266 } else { 3267 HASH_LOCK(pr->ipr_hash, hval); 3268 HASH_INSERT(ipp, ipsp_hash, pr->ipr_hash, hval); 3269 HASH_UNLOCK(pr->ipr_hash, hval); 3270 } 3271 3272 ipsec_insert_always(&php->iph_rulebyid, ipp); 3273 3274 ipsec_update_present_flags(); 3275 } 3276 3277 static void 3278 ipsec_ipr_flush(ipsec_policy_head_t *php, ipsec_policy_root_t *ipr) 3279 { 3280 ipsec_policy_t *ip, *nip; 3281 3282 int af, chain, nchain; 3283 3284 for (af = 0; af < IPSEC_NAF; af++) { 3285 for (ip = ipr->ipr_nonhash[af]; ip != NULL; ip = nip) { 3286 nip = ip->ipsp_hash.hash_next; 3287 IPPOL_UNCHAIN(php, ip); 3288 } 3289 ipr->ipr_nonhash[af] = NULL; 3290 } 3291 nchain = ipr->ipr_nchains; 3292 3293 for (chain = 0; chain < nchain; chain++) { 3294 for (ip = ipr->ipr_hash[chain].hash_head; ip != NULL; 3295 ip = nip) { 3296 nip = ip->ipsp_hash.hash_next; 3297 IPPOL_UNCHAIN(php, ip); 3298 } 3299 ipr->ipr_hash[chain].hash_head = NULL; 3300 } 3301 } 3302 3303 3304 void 3305 ipsec_polhead_flush(ipsec_policy_head_t *php) 3306 { 3307 int dir; 3308 3309 ASSERT(RW_WRITE_HELD(&php->iph_lock)); 3310 3311 for (dir = 0; dir < IPSEC_NTYPES; dir++) 3312 ipsec_ipr_flush(php, &php->iph_root[dir]); 3313 3314 ipsec_update_present_flags(); 3315 } 3316 3317 void 3318 ipsec_polhead_free(ipsec_policy_head_t *php) 3319 { 3320 ASSERT(php->iph_refs == 0); 3321 rw_enter(&php->iph_lock, RW_WRITER); 3322 ipsec_polhead_flush(php); 3323 rw_exit(&php->iph_lock); 3324 rw_destroy(&php->iph_lock); 3325 kmem_free(php, sizeof (*php)); 3326 } 3327 3328 static void 3329 ipsec_ipr_init(ipsec_policy_root_t *ipr) 3330 { 3331 int af; 3332 3333 ipr->ipr_nchains = 0; 3334 ipr->ipr_hash = NULL; 3335 3336 for (af = 0; af < IPSEC_NAF; af++) { 3337 ipr->ipr_nonhash[af] = NULL; 3338 } 3339 } 3340 3341 extern ipsec_policy_head_t * 3342 ipsec_polhead_create(void) 3343 { 3344 ipsec_policy_head_t *php; 3345 3346 php = kmem_alloc(sizeof (*php), KM_NOSLEEP); 3347 if (php == NULL) 3348 return (php); 3349 3350 rw_init(&php->iph_lock, NULL, RW_DEFAULT, NULL); 3351 php->iph_refs = 1; 3352 php->iph_gen = 0; 3353 3354 ipsec_ipr_init(&php->iph_root[IPSEC_TYPE_INBOUND]); 3355 ipsec_ipr_init(&php->iph_root[IPSEC_TYPE_OUTBOUND]); 3356 3357 avl_create(&php->iph_rulebyid, ipsec_policy_cmpbyid, 3358 sizeof (ipsec_policy_t), offsetof(ipsec_policy_t, ipsp_byid)); 3359 3360 return (php); 3361 } 3362 3363 /* 3364 * Clone the policy head into a new polhead; release one reference to the 3365 * old one and return the only reference to the new one. 3366 * If the old one had a refcount of 1, just return it. 3367 */ 3368 extern ipsec_policy_head_t * 3369 ipsec_polhead_split(ipsec_policy_head_t *php) 3370 { 3371 ipsec_policy_head_t *nphp; 3372 3373 if (php == NULL) 3374 return (ipsec_polhead_create()); 3375 else if (php->iph_refs == 1) 3376 return (php); 3377 3378 nphp = ipsec_polhead_create(); 3379 if (nphp == NULL) 3380 return (NULL); 3381 3382 if (ipsec_copy_polhead(php, nphp) != 0) { 3383 ipsec_polhead_free(nphp); 3384 return (NULL); 3385 } 3386 IPPH_REFRELE(php); 3387 return (nphp); 3388 } 3389 3390 /* 3391 * When sending a response to a ICMP request or generating a RST 3392 * in the TCP case, the outbound packets need to go at the same level 3393 * of protection as the incoming ones i.e we associate our outbound 3394 * policy with how the packet came in. We call this after we have 3395 * accepted the incoming packet which may or may not have been in 3396 * clear and hence we are sending the reply back with the policy 3397 * matching the incoming datagram's policy. 3398 * 3399 * NOTE : This technology serves two purposes : 3400 * 3401 * 1) If we have multiple outbound policies, we send out a reply 3402 * matching with how it came in rather than matching the outbound 3403 * policy. 3404 * 3405 * 2) For assymetric policies, we want to make sure that incoming 3406 * and outgoing has the same level of protection. Assymetric 3407 * policies exist only with global policy where we may not have 3408 * both outbound and inbound at the same time. 3409 * 3410 * NOTE2: This function is called by cleartext cases, so it needs to be 3411 * in IP proper. 3412 */ 3413 boolean_t 3414 ipsec_in_to_out(mblk_t *ipsec_mp, ipha_t *ipha, ip6_t *ip6h) 3415 { 3416 ipsec_in_t *ii; 3417 ipsec_out_t *io; 3418 boolean_t v4; 3419 mblk_t *mp; 3420 boolean_t secure, attach_if; 3421 uint_t ifindex; 3422 ipsec_selector_t sel; 3423 ipsec_action_t *reflect_action = NULL; 3424 zoneid_t zoneid; 3425 3426 ASSERT(ipsec_mp->b_datap->db_type == M_CTL); 3427 3428 bzero((void*)&sel, sizeof (sel)); 3429 3430 ii = (ipsec_in_t *)ipsec_mp->b_rptr; 3431 3432 mp = ipsec_mp->b_cont; 3433 ASSERT(mp != NULL); 3434 3435 if (ii->ipsec_in_action != NULL) { 3436 /* transfer reference.. */ 3437 reflect_action = ii->ipsec_in_action; 3438 ii->ipsec_in_action = NULL; 3439 } else if (!ii->ipsec_in_loopback) 3440 reflect_action = ipsec_in_to_out_action(ii); 3441 secure = ii->ipsec_in_secure; 3442 attach_if = ii->ipsec_in_attach_if; 3443 ifindex = ii->ipsec_in_ill_index; 3444 zoneid = ii->ipsec_in_zoneid; 3445 v4 = ii->ipsec_in_v4; 3446 3447 ipsec_in_release_refs(ii); 3448 3449 /* 3450 * The caller is going to send the datagram out which might 3451 * go on the wire or delivered locally through ip_wput_local. 3452 * 3453 * 1) If it goes out on the wire, new associations will be 3454 * obtained. 3455 * 2) If it is delivered locally, ip_wput_local will convert 3456 * this IPSEC_OUT to a IPSEC_IN looking at the requests. 3457 */ 3458 3459 io = (ipsec_out_t *)ipsec_mp->b_rptr; 3460 bzero(io, sizeof (ipsec_out_t)); 3461 io->ipsec_out_type = IPSEC_OUT; 3462 io->ipsec_out_len = sizeof (ipsec_out_t); 3463 io->ipsec_out_frtn.free_func = ipsec_out_free; 3464 io->ipsec_out_frtn.free_arg = (char *)io; 3465 io->ipsec_out_act = reflect_action; 3466 3467 if (!ipsec_init_outbound_ports(&sel, mp, ipha, ip6h)) 3468 return (B_FALSE); 3469 3470 io->ipsec_out_src_port = sel.ips_local_port; 3471 io->ipsec_out_dst_port = sel.ips_remote_port; 3472 io->ipsec_out_proto = sel.ips_protocol; 3473 io->ipsec_out_icmp_type = sel.ips_icmp_type; 3474 io->ipsec_out_icmp_code = sel.ips_icmp_code; 3475 3476 /* 3477 * Don't use global policy for this, as we want 3478 * to use the same protection that was applied to the inbound packet. 3479 */ 3480 io->ipsec_out_use_global_policy = B_FALSE; 3481 io->ipsec_out_proc_begin = B_FALSE; 3482 io->ipsec_out_secure = secure; 3483 io->ipsec_out_v4 = v4; 3484 io->ipsec_out_attach_if = attach_if; 3485 io->ipsec_out_ill_index = ifindex; 3486 io->ipsec_out_zoneid = zoneid; 3487 return (B_TRUE); 3488 } 3489 3490 mblk_t * 3491 ipsec_in_tag(mblk_t *mp, mblk_t *cont) 3492 { 3493 ipsec_in_t *ii = (ipsec_in_t *)mp->b_rptr; 3494 ipsec_in_t *nii; 3495 mblk_t *nmp; 3496 frtn_t nfrtn; 3497 3498 ASSERT(ii->ipsec_in_type == IPSEC_IN); 3499 ASSERT(ii->ipsec_in_len == sizeof (ipsec_in_t)); 3500 3501 nmp = ipsec_in_alloc(ii->ipsec_in_v4); 3502 3503 ASSERT(nmp->b_datap->db_type == M_CTL); 3504 ASSERT(nmp->b_wptr == (nmp->b_rptr + sizeof (ipsec_info_t))); 3505 3506 /* 3507 * Bump refcounts. 3508 */ 3509 if (ii->ipsec_in_ah_sa != NULL) 3510 IPSA_REFHOLD(ii->ipsec_in_ah_sa); 3511 if (ii->ipsec_in_esp_sa != NULL) 3512 IPSA_REFHOLD(ii->ipsec_in_esp_sa); 3513 if (ii->ipsec_in_policy != NULL) 3514 IPPH_REFHOLD(ii->ipsec_in_policy); 3515 3516 /* 3517 * Copy everything, but preserve the free routine provided by 3518 * ipsec_in_alloc(). 3519 */ 3520 nii = (ipsec_in_t *)nmp->b_rptr; 3521 nfrtn = nii->ipsec_in_frtn; 3522 bcopy(ii, nii, sizeof (*ii)); 3523 nii->ipsec_in_frtn = nfrtn; 3524 3525 nmp->b_cont = cont; 3526 3527 return (nmp); 3528 } 3529 3530 mblk_t * 3531 ipsec_out_tag(mblk_t *mp, mblk_t *cont) 3532 { 3533 ipsec_out_t *io = (ipsec_out_t *)mp->b_rptr; 3534 ipsec_out_t *nio; 3535 mblk_t *nmp; 3536 frtn_t nfrtn; 3537 3538 ASSERT(io->ipsec_out_type == IPSEC_OUT); 3539 ASSERT(io->ipsec_out_len == sizeof (ipsec_out_t)); 3540 3541 nmp = ipsec_alloc_ipsec_out(); 3542 if (nmp == NULL) { 3543 freemsg(cont); /* XXX ip_drop_packet() ? */ 3544 return (NULL); 3545 } 3546 ASSERT(nmp->b_datap->db_type == M_CTL); 3547 ASSERT(nmp->b_wptr == (nmp->b_rptr + sizeof (ipsec_info_t))); 3548 3549 /* 3550 * Bump refcounts. 3551 */ 3552 if (io->ipsec_out_ah_sa != NULL) 3553 IPSA_REFHOLD(io->ipsec_out_ah_sa); 3554 if (io->ipsec_out_esp_sa != NULL) 3555 IPSA_REFHOLD(io->ipsec_out_esp_sa); 3556 if (io->ipsec_out_polhead != NULL) 3557 IPPH_REFHOLD(io->ipsec_out_polhead); 3558 if (io->ipsec_out_policy != NULL) 3559 IPPOL_REFHOLD(io->ipsec_out_policy); 3560 if (io->ipsec_out_act != NULL) 3561 IPACT_REFHOLD(io->ipsec_out_act); 3562 if (io->ipsec_out_latch != NULL) 3563 IPLATCH_REFHOLD(io->ipsec_out_latch); 3564 if (io->ipsec_out_cred != NULL) 3565 crhold(io->ipsec_out_cred); 3566 3567 /* 3568 * Copy everything, but preserve the free routine provided by 3569 * ipsec_alloc_ipsec_out(). 3570 */ 3571 nio = (ipsec_out_t *)nmp->b_rptr; 3572 nfrtn = nio->ipsec_out_frtn; 3573 bcopy(io, nio, sizeof (*io)); 3574 nio->ipsec_out_frtn = nfrtn; 3575 3576 nmp->b_cont = cont; 3577 3578 return (nmp); 3579 } 3580 3581 static void 3582 ipsec_out_release_refs(ipsec_out_t *io) 3583 { 3584 ASSERT(io->ipsec_out_type == IPSEC_OUT); 3585 ASSERT(io->ipsec_out_len == sizeof (ipsec_out_t)); 3586 3587 /* Note: IPSA_REFRELE is multi-line macro */ 3588 if (io->ipsec_out_ah_sa != NULL) 3589 IPSA_REFRELE(io->ipsec_out_ah_sa); 3590 if (io->ipsec_out_esp_sa != NULL) 3591 IPSA_REFRELE(io->ipsec_out_esp_sa); 3592 if (io->ipsec_out_polhead != NULL) 3593 IPPH_REFRELE(io->ipsec_out_polhead); 3594 if (io->ipsec_out_policy != NULL) 3595 IPPOL_REFRELE(io->ipsec_out_policy); 3596 if (io->ipsec_out_act != NULL) 3597 IPACT_REFRELE(io->ipsec_out_act); 3598 if (io->ipsec_out_cred != NULL) { 3599 crfree(io->ipsec_out_cred); 3600 io->ipsec_out_cred = NULL; 3601 } 3602 if (io->ipsec_out_latch) { 3603 IPLATCH_REFRELE(io->ipsec_out_latch); 3604 io->ipsec_out_latch = NULL; 3605 } 3606 } 3607 3608 static void 3609 ipsec_out_free(void *arg) 3610 { 3611 ipsec_out_t *io = (ipsec_out_t *)arg; 3612 ipsec_out_release_refs(io); 3613 kmem_cache_free(ipsec_info_cache, arg); 3614 } 3615 3616 static void 3617 ipsec_in_release_refs(ipsec_in_t *ii) 3618 { 3619 /* Note: IPSA_REFRELE is multi-line macro */ 3620 if (ii->ipsec_in_ah_sa != NULL) 3621 IPSA_REFRELE(ii->ipsec_in_ah_sa); 3622 if (ii->ipsec_in_esp_sa != NULL) 3623 IPSA_REFRELE(ii->ipsec_in_esp_sa); 3624 if (ii->ipsec_in_policy != NULL) 3625 IPPH_REFRELE(ii->ipsec_in_policy); 3626 if (ii->ipsec_in_da != NULL) { 3627 freeb(ii->ipsec_in_da); 3628 ii->ipsec_in_da = NULL; 3629 } 3630 } 3631 3632 static void 3633 ipsec_in_free(void *arg) 3634 { 3635 ipsec_in_t *ii = (ipsec_in_t *)arg; 3636 ipsec_in_release_refs(ii); 3637 kmem_cache_free(ipsec_info_cache, arg); 3638 } 3639 3640 /* 3641 * This is called only for outbound datagrams if the datagram needs to 3642 * go out secure. A NULL mp can be passed to get an ipsec_out. This 3643 * facility is used by ip_unbind. 3644 * 3645 * NOTE : o As the data part could be modified by ipsec_out_process etc. 3646 * we can't make it fast by calling a dup. 3647 */ 3648 mblk_t * 3649 ipsec_alloc_ipsec_out() 3650 { 3651 mblk_t *ipsec_mp; 3652 3653 ipsec_out_t *io = kmem_cache_alloc(ipsec_info_cache, KM_NOSLEEP); 3654 3655 if (io == NULL) 3656 return (NULL); 3657 3658 bzero(io, sizeof (ipsec_out_t)); 3659 3660 io->ipsec_out_type = IPSEC_OUT; 3661 io->ipsec_out_len = sizeof (ipsec_out_t); 3662 io->ipsec_out_frtn.free_func = ipsec_out_free; 3663 io->ipsec_out_frtn.free_arg = (char *)io; 3664 3665 /* 3666 * Set the zoneid to ALL_ZONES which is used as an invalid value. Code 3667 * using ipsec_out_zoneid should assert that the zoneid has been set to 3668 * a sane value. 3669 */ 3670 io->ipsec_out_zoneid = ALL_ZONES; 3671 3672 ipsec_mp = desballoc((uint8_t *)io, sizeof (ipsec_info_t), BPRI_HI, 3673 &io->ipsec_out_frtn); 3674 if (ipsec_mp == NULL) { 3675 ipsec_out_free(io); 3676 3677 return (NULL); 3678 } 3679 ipsec_mp->b_datap->db_type = M_CTL; 3680 ipsec_mp->b_wptr = ipsec_mp->b_rptr + sizeof (ipsec_info_t); 3681 3682 return (ipsec_mp); 3683 } 3684 3685 /* 3686 * Attach an IPSEC_OUT; use pol for policy if it is non-null. 3687 * Otherwise initialize using conn. 3688 * 3689 * If pol is non-null, we consume a reference to it. 3690 */ 3691 mblk_t * 3692 ipsec_attach_ipsec_out(mblk_t *mp, conn_t *connp, ipsec_policy_t *pol, 3693 uint8_t proto) 3694 { 3695 mblk_t *ipsec_mp; 3696 3697 ASSERT((pol != NULL) || (connp != NULL)); 3698 3699 ipsec_mp = ipsec_alloc_ipsec_out(); 3700 if (ipsec_mp == NULL) { 3701 (void) mi_strlog(CONNP_TO_WQ(connp), 0, SL_ERROR|SL_NOTE, 3702 "ipsec_attach_ipsec_out: Allocation failure\n"); 3703 BUMP_MIB(&ip_mib, ipOutDiscards); 3704 ip_drop_packet(mp, B_FALSE, NULL, NULL, &ipdrops_spd_nomem, 3705 &spd_dropper); 3706 return (NULL); 3707 } 3708 ipsec_mp->b_cont = mp; 3709 return (ipsec_init_ipsec_out(ipsec_mp, connp, pol, proto)); 3710 } 3711 3712 /* 3713 * Initialize the IPSEC_OUT (ipsec_mp) using pol if it is non-null. 3714 * Otherwise initialize using conn. 3715 * 3716 * If pol is non-null, we consume a reference to it. 3717 */ 3718 mblk_t * 3719 ipsec_init_ipsec_out(mblk_t *ipsec_mp, conn_t *connp, ipsec_policy_t *pol, 3720 uint8_t proto) 3721 { 3722 mblk_t *mp; 3723 ipsec_out_t *io; 3724 ipsec_policy_t *p; 3725 ipha_t *ipha; 3726 ip6_t *ip6h; 3727 3728 ASSERT((pol != NULL) || (connp != NULL)); 3729 3730 /* 3731 * If mp is NULL, we won't/should not be using it. 3732 */ 3733 mp = ipsec_mp->b_cont; 3734 3735 ASSERT(ipsec_mp->b_datap->db_type == M_CTL); 3736 ASSERT(ipsec_mp->b_wptr == (ipsec_mp->b_rptr + sizeof (ipsec_info_t))); 3737 io = (ipsec_out_t *)ipsec_mp->b_rptr; 3738 ASSERT(io->ipsec_out_type == IPSEC_OUT); 3739 ASSERT(io->ipsec_out_len == sizeof (ipsec_out_t)); 3740 io->ipsec_out_latch = NULL; 3741 /* 3742 * Set the zoneid when we have the connp. 3743 * Otherwise, we're called from ip_wput_attach_policy() who will take 3744 * care of setting the zoneid. 3745 */ 3746 if (connp != NULL) 3747 io->ipsec_out_zoneid = connp->conn_zoneid; 3748 3749 if (mp != NULL) { 3750 ipha = (ipha_t *)mp->b_rptr; 3751 if (IPH_HDR_VERSION(ipha) == IP_VERSION) { 3752 io->ipsec_out_v4 = B_TRUE; 3753 ip6h = NULL; 3754 } else { 3755 io->ipsec_out_v4 = B_FALSE; 3756 ip6h = (ip6_t *)ipha; 3757 ipha = NULL; 3758 } 3759 } else { 3760 ASSERT(connp != NULL && connp->conn_policy_cached); 3761 ip6h = NULL; 3762 ipha = NULL; 3763 io->ipsec_out_v4 = !connp->conn_pkt_isv6; 3764 } 3765 3766 p = NULL; 3767 3768 /* 3769 * Take latched policies over global policy. Check here again for 3770 * this, in case we had conn_latch set while the packet was flying 3771 * around in IP. 3772 */ 3773 if (connp != NULL && connp->conn_latch != NULL) { 3774 p = connp->conn_latch->ipl_out_policy; 3775 io->ipsec_out_latch = connp->conn_latch; 3776 IPLATCH_REFHOLD(connp->conn_latch); 3777 if (p != NULL) { 3778 IPPOL_REFHOLD(p); 3779 } 3780 io->ipsec_out_src_port = connp->conn_lport; 3781 io->ipsec_out_dst_port = connp->conn_fport; 3782 io->ipsec_out_icmp_type = io->ipsec_out_icmp_code = 0; 3783 if (pol != NULL) 3784 IPPOL_REFRELE(pol); 3785 } else if (pol != NULL) { 3786 ipsec_selector_t sel; 3787 3788 bzero((void*)&sel, sizeof (sel)); 3789 3790 p = pol; 3791 /* 3792 * conn does not have the port information. Get 3793 * it from the packet. 3794 */ 3795 3796 if (!ipsec_init_outbound_ports(&sel, mp, ipha, ip6h)) { 3797 /* XXX any cleanup required here?? */ 3798 return (NULL); 3799 } 3800 io->ipsec_out_src_port = sel.ips_local_port; 3801 io->ipsec_out_dst_port = sel.ips_remote_port; 3802 io->ipsec_out_icmp_type = sel.ips_icmp_type; 3803 io->ipsec_out_icmp_code = sel.ips_icmp_code; 3804 } 3805 3806 io->ipsec_out_proto = proto; 3807 io->ipsec_out_use_global_policy = B_TRUE; 3808 io->ipsec_out_secure = (p != NULL); 3809 io->ipsec_out_policy = p; 3810 3811 if (p == NULL) { 3812 if (connp->conn_policy != NULL) { 3813 io->ipsec_out_secure = B_TRUE; 3814 ASSERT(io->ipsec_out_latch == NULL); 3815 ASSERT(io->ipsec_out_use_global_policy == B_TRUE); 3816 io->ipsec_out_need_policy = B_TRUE; 3817 ASSERT(io->ipsec_out_polhead == NULL); 3818 IPPH_REFHOLD(connp->conn_policy); 3819 io->ipsec_out_polhead = connp->conn_policy; 3820 } 3821 } 3822 return (ipsec_mp); 3823 } 3824 3825 /* 3826 * Allocate an IPSEC_IN mblk. This will be prepended to an inbound datagram 3827 * and keep track of what-if-any IPsec processing will be applied to the 3828 * datagram. 3829 */ 3830 mblk_t * 3831 ipsec_in_alloc(boolean_t isv4) 3832 { 3833 mblk_t *ipsec_in; 3834 ipsec_in_t *ii = kmem_cache_alloc(ipsec_info_cache, KM_NOSLEEP); 3835 3836 if (ii == NULL) 3837 return (NULL); 3838 3839 bzero(ii, sizeof (ipsec_info_t)); 3840 ii->ipsec_in_type = IPSEC_IN; 3841 ii->ipsec_in_len = sizeof (ipsec_in_t); 3842 3843 ii->ipsec_in_v4 = isv4; 3844 ii->ipsec_in_secure = B_TRUE; 3845 3846 ii->ipsec_in_frtn.free_func = ipsec_in_free; 3847 ii->ipsec_in_frtn.free_arg = (char *)ii; 3848 3849 ipsec_in = desballoc((uint8_t *)ii, sizeof (ipsec_info_t), BPRI_HI, 3850 &ii->ipsec_in_frtn); 3851 if (ipsec_in == NULL) { 3852 ip1dbg(("ipsec_in_alloc: IPSEC_IN allocation failure.\n")); 3853 ipsec_in_free(ii); 3854 return (NULL); 3855 } 3856 3857 ipsec_in->b_datap->db_type = M_CTL; 3858 ipsec_in->b_wptr += sizeof (ipsec_info_t); 3859 3860 return (ipsec_in); 3861 } 3862 3863 /* 3864 * This is called from ip_wput_local when a packet which needs 3865 * security is looped back, to convert the IPSEC_OUT to a IPSEC_IN 3866 * before fanout, where the policy check happens. In most of the 3867 * cases, IPSEC processing has *never* been done. There is one case 3868 * (ip_wput_ire_fragmentit -> ip_wput_frag -> icmp_frag_needed) where 3869 * the packet is destined for localhost, IPSEC processing has already 3870 * been done. 3871 * 3872 * Future: This could happen after SA selection has occurred for 3873 * outbound.. which will tell us who the src and dst identities are.. 3874 * Then it's just a matter of splicing the ah/esp SA pointers from the 3875 * ipsec_out_t to the ipsec_in_t. 3876 */ 3877 void 3878 ipsec_out_to_in(mblk_t *ipsec_mp) 3879 { 3880 ipsec_in_t *ii; 3881 ipsec_out_t *io; 3882 ipsec_policy_t *pol; 3883 ipsec_action_t *act; 3884 boolean_t v4, icmp_loopback; 3885 3886 ASSERT(ipsec_mp->b_datap->db_type == M_CTL); 3887 3888 io = (ipsec_out_t *)ipsec_mp->b_rptr; 3889 3890 v4 = io->ipsec_out_v4; 3891 icmp_loopback = io->ipsec_out_icmp_loopback; 3892 3893 act = io->ipsec_out_act; 3894 if (act == NULL) { 3895 pol = io->ipsec_out_policy; 3896 if (pol != NULL) { 3897 act = pol->ipsp_act; 3898 IPACT_REFHOLD(act); 3899 } 3900 } 3901 io->ipsec_out_act = NULL; 3902 3903 ipsec_out_release_refs(io); 3904 3905 ii = (ipsec_in_t *)ipsec_mp->b_rptr; 3906 bzero(ii, sizeof (ipsec_in_t)); 3907 ii->ipsec_in_type = IPSEC_IN; 3908 ii->ipsec_in_len = sizeof (ipsec_in_t); 3909 ii->ipsec_in_loopback = B_TRUE; 3910 ii->ipsec_in_frtn.free_func = ipsec_in_free; 3911 ii->ipsec_in_frtn.free_arg = (char *)ii; 3912 ii->ipsec_in_action = act; 3913 3914 /* 3915 * In most of the cases, we can't look at the ipsec_out_XXX_sa 3916 * because this never went through IPSEC processing. So, look at 3917 * the requests and infer whether it would have gone through 3918 * IPSEC processing or not. Initialize the "done" fields with 3919 * the requests. The possible values for "done" fields are : 3920 * 3921 * 1) zero, indicates that a particular preference was never 3922 * requested. 3923 * 2) non-zero, indicates that it could be IPSEC_PREF_REQUIRED/ 3924 * IPSEC_PREF_NEVER. If IPSEC_REQ_DONE is set, it means that 3925 * IPSEC processing has been completed. 3926 */ 3927 ii->ipsec_in_secure = B_TRUE; 3928 ii->ipsec_in_v4 = v4; 3929 ii->ipsec_in_icmp_loopback = icmp_loopback; 3930 ii->ipsec_in_attach_if = B_FALSE; 3931 } 3932 3933 /* 3934 * Consults global policy to see whether this datagram should 3935 * go out secure. If so it attaches a ipsec_mp in front and 3936 * returns. 3937 */ 3938 mblk_t * 3939 ip_wput_attach_policy(mblk_t *ipsec_mp, ipha_t *ipha, ip6_t *ip6h, ire_t *ire, 3940 conn_t *connp, boolean_t unspec_src) 3941 { 3942 mblk_t *mp; 3943 ipsec_out_t *io = NULL; 3944 ipsec_selector_t sel; 3945 uint_t ill_index; 3946 boolean_t conn_dontroutex; 3947 boolean_t conn_multicast_loopx; 3948 boolean_t policy_present; 3949 3950 ASSERT((ipha != NULL && ip6h == NULL) || 3951 (ip6h != NULL && ipha == NULL)); 3952 3953 bzero((void*)&sel, sizeof (sel)); 3954 3955 if (ipha != NULL) 3956 policy_present = ipsec_outbound_v4_policy_present; 3957 else 3958 policy_present = ipsec_outbound_v6_policy_present; 3959 /* 3960 * Fast Path to see if there is any policy. 3961 */ 3962 if (!policy_present) { 3963 if (ipsec_mp->b_datap->db_type == M_CTL) { 3964 io = (ipsec_out_t *)ipsec_mp->b_rptr; 3965 if (!io->ipsec_out_secure) { 3966 /* 3967 * If there is no global policy and ip_wput 3968 * or ip_wput_multicast has attached this mp 3969 * for multicast case, free the ipsec_mp and 3970 * return the original mp. 3971 */ 3972 mp = ipsec_mp->b_cont; 3973 freeb(ipsec_mp); 3974 ipsec_mp = mp; 3975 io = NULL; 3976 } 3977 } 3978 if (((io == NULL) || (io->ipsec_out_polhead == NULL)) && 3979 ((connp == NULL) || (connp->conn_policy == NULL))) 3980 return (ipsec_mp); 3981 } 3982 3983 ill_index = 0; 3984 conn_multicast_loopx = conn_dontroutex = B_FALSE; 3985 mp = ipsec_mp; 3986 if (ipsec_mp->b_datap->db_type == M_CTL) { 3987 mp = ipsec_mp->b_cont; 3988 /* 3989 * This is a connection where we have some per-socket 3990 * policy or ip_wput has attached an ipsec_mp for 3991 * the multicast datagram. 3992 */ 3993 io = (ipsec_out_t *)ipsec_mp->b_rptr; 3994 if (!io->ipsec_out_secure) { 3995 /* 3996 * This ipsec_mp was allocated in ip_wput or 3997 * ip_wput_multicast so that we will know the 3998 * value of ill_index, conn_dontroute, 3999 * conn_multicast_loop in the multicast case if 4000 * we inherit global policy here. 4001 */ 4002 ill_index = io->ipsec_out_ill_index; 4003 conn_dontroutex = io->ipsec_out_dontroute; 4004 conn_multicast_loopx = io->ipsec_out_multicast_loop; 4005 freeb(ipsec_mp); 4006 ipsec_mp = mp; 4007 io = NULL; 4008 } 4009 } 4010 4011 if (ipha != NULL) { 4012 sel.ips_local_addr_v4 = (ipha->ipha_src != 0 ? 4013 ipha->ipha_src : ire->ire_src_addr); 4014 sel.ips_remote_addr_v4 = ip_get_dst(ipha); 4015 sel.ips_protocol = (uint8_t)ipha->ipha_protocol; 4016 sel.ips_isv4 = B_TRUE; 4017 } else { 4018 ushort_t hdr_len; 4019 uint8_t *nexthdrp; 4020 boolean_t is_fragment; 4021 4022 sel.ips_isv4 = B_FALSE; 4023 if (IN6_IS_ADDR_UNSPECIFIED(&ip6h->ip6_src)) { 4024 if (!unspec_src) 4025 sel.ips_local_addr_v6 = ire->ire_src_addr_v6; 4026 } else { 4027 sel.ips_local_addr_v6 = ip6h->ip6_src; 4028 } 4029 4030 sel.ips_remote_addr_v6 = ip_get_dst_v6(ip6h, &is_fragment); 4031 if (is_fragment) { 4032 /* 4033 * It's a packet fragment for a packet that 4034 * we have already processed (since IPsec processing 4035 * is done before fragmentation), so we don't 4036 * have to do policy checks again. Fragments can 4037 * come back to us for processing if they have 4038 * been queued up due to flow control. 4039 */ 4040 if (ipsec_mp->b_datap->db_type == M_CTL) { 4041 mp = ipsec_mp->b_cont; 4042 freeb(ipsec_mp); 4043 ipsec_mp = mp; 4044 } 4045 return (ipsec_mp); 4046 } 4047 4048 /* IPv6 common-case. */ 4049 sel.ips_protocol = ip6h->ip6_nxt; 4050 switch (ip6h->ip6_nxt) { 4051 case IPPROTO_TCP: 4052 case IPPROTO_UDP: 4053 case IPPROTO_SCTP: 4054 case IPPROTO_ICMPV6: 4055 break; 4056 default: 4057 if (!ip_hdr_length_nexthdr_v6(mp, ip6h, 4058 &hdr_len, &nexthdrp)) { 4059 BUMP_MIB(&ip6_mib, ipv6OutDiscards); 4060 freemsg(ipsec_mp); /* Not IPsec-related drop. */ 4061 return (NULL); 4062 } 4063 sel.ips_protocol = *nexthdrp; 4064 break; 4065 } 4066 } 4067 4068 if (!ipsec_init_outbound_ports(&sel, mp, ipha, ip6h)) { 4069 if (ipha != NULL) { 4070 BUMP_MIB(&ip_mib, ipOutDiscards); 4071 } else { 4072 BUMP_MIB(&ip6_mib, ipv6OutDiscards); 4073 } 4074 4075 ip_drop_packet(ipsec_mp, B_FALSE, NULL, NULL, 4076 &ipdrops_spd_nomem, &spd_dropper); 4077 return (NULL); 4078 } 4079 4080 if (io != NULL) { 4081 /* 4082 * We seem to have some local policy (we already have 4083 * an ipsec_out). Look at global policy and see 4084 * whether we have to inherit or not. 4085 */ 4086 io->ipsec_out_need_policy = B_FALSE; 4087 ipsec_mp = ipsec_apply_global_policy(ipsec_mp, connp, &sel); 4088 ASSERT((io->ipsec_out_policy != NULL) || 4089 (io->ipsec_out_act != NULL)); 4090 ASSERT(io->ipsec_out_need_policy == B_FALSE); 4091 return (ipsec_mp); 4092 } 4093 ipsec_mp = ipsec_attach_global_policy(mp, connp, &sel); 4094 if (ipsec_mp == NULL) 4095 return (mp); 4096 4097 /* 4098 * Copy the right port information. 4099 */ 4100 ASSERT(ipsec_mp->b_datap->db_type == M_CTL); 4101 io = (ipsec_out_t *)ipsec_mp->b_rptr; 4102 4103 ASSERT(io->ipsec_out_need_policy == B_FALSE); 4104 ASSERT((io->ipsec_out_policy != NULL) || 4105 (io->ipsec_out_act != NULL)); 4106 io->ipsec_out_src_port = sel.ips_local_port; 4107 io->ipsec_out_dst_port = sel.ips_remote_port; 4108 io->ipsec_out_icmp_type = sel.ips_icmp_type; 4109 io->ipsec_out_icmp_code = sel.ips_icmp_code; 4110 /* 4111 * Set ill_index, conn_dontroute and conn_multicast_loop 4112 * for multicast datagrams. 4113 */ 4114 io->ipsec_out_ill_index = ill_index; 4115 io->ipsec_out_dontroute = conn_dontroutex; 4116 io->ipsec_out_multicast_loop = conn_multicast_loopx; 4117 /* 4118 * When conn is non-NULL, the zoneid is set by ipsec_init_ipsec_out(). 4119 * Otherwise set the zoneid based on the ire. 4120 */ 4121 if (connp == NULL) 4122 io->ipsec_out_zoneid = ire->ire_zoneid; 4123 return (ipsec_mp); 4124 } 4125 4126 /* 4127 * When appropriate, this function caches inbound and outbound policy 4128 * for this connection. 4129 * 4130 * XXX need to work out more details about per-interface policy and 4131 * caching here! 4132 * 4133 * XXX may want to split inbound and outbound caching for ill.. 4134 */ 4135 int 4136 ipsec_conn_cache_policy(conn_t *connp, boolean_t isv4) 4137 { 4138 boolean_t global_policy_present; 4139 4140 /* 4141 * There is no policy latching for ICMP sockets because we can't 4142 * decide on which policy to use until we see the packet and get 4143 * type/code selectors. 4144 */ 4145 if (connp->conn_ulp == IPPROTO_ICMP || 4146 connp->conn_ulp == IPPROTO_ICMPV6) { 4147 connp->conn_in_enforce_policy = 4148 connp->conn_out_enforce_policy = B_TRUE; 4149 if (connp->conn_latch != NULL) { 4150 IPLATCH_REFRELE(connp->conn_latch); 4151 connp->conn_latch = NULL; 4152 } 4153 connp->conn_flags |= IPCL_CHECK_POLICY; 4154 return (0); 4155 } 4156 4157 global_policy_present = isv4 ? 4158 (ipsec_outbound_v4_policy_present || 4159 ipsec_inbound_v4_policy_present) : 4160 (ipsec_outbound_v6_policy_present || 4161 ipsec_inbound_v6_policy_present); 4162 4163 if ((connp->conn_policy != NULL) || global_policy_present) { 4164 ipsec_selector_t sel; 4165 ipsec_policy_t *p; 4166 4167 if (connp->conn_latch == NULL && 4168 (connp->conn_latch = iplatch_create()) == NULL) { 4169 return (ENOMEM); 4170 } 4171 4172 sel.ips_protocol = connp->conn_ulp; 4173 sel.ips_local_port = connp->conn_lport; 4174 sel.ips_remote_port = connp->conn_fport; 4175 sel.ips_is_icmp_inv_acq = 0; 4176 sel.ips_isv4 = isv4; 4177 if (isv4) { 4178 sel.ips_local_addr_v4 = connp->conn_src; 4179 sel.ips_remote_addr_v4 = connp->conn_rem; 4180 } else { 4181 sel.ips_local_addr_v6 = connp->conn_srcv6; 4182 sel.ips_remote_addr_v6 = connp->conn_remv6; 4183 } 4184 4185 p = ipsec_find_policy(IPSEC_TYPE_INBOUND, connp, NULL, &sel); 4186 if (connp->conn_latch->ipl_in_policy != NULL) 4187 IPPOL_REFRELE(connp->conn_latch->ipl_in_policy); 4188 connp->conn_latch->ipl_in_policy = p; 4189 connp->conn_in_enforce_policy = (p != NULL); 4190 4191 p = ipsec_find_policy(IPSEC_TYPE_OUTBOUND, connp, NULL, &sel); 4192 if (connp->conn_latch->ipl_out_policy != NULL) 4193 IPPOL_REFRELE(connp->conn_latch->ipl_out_policy); 4194 connp->conn_latch->ipl_out_policy = p; 4195 connp->conn_out_enforce_policy = (p != NULL); 4196 4197 /* Clear the latched actions too, in case we're recaching. */ 4198 if (connp->conn_latch->ipl_out_action != NULL) 4199 IPACT_REFRELE(connp->conn_latch->ipl_out_action); 4200 if (connp->conn_latch->ipl_in_action != NULL) 4201 IPACT_REFRELE(connp->conn_latch->ipl_in_action); 4202 } 4203 4204 /* 4205 * We may or may not have policy for this endpoint. We still set 4206 * conn_policy_cached so that inbound datagrams don't have to look 4207 * at global policy as policy is considered latched for these 4208 * endpoints. We should not set conn_policy_cached until the conn 4209 * reflects the actual policy. If we *set* this before inheriting 4210 * the policy there is a window where the check 4211 * CONN_INBOUND_POLICY_PRESENT, will neither check with the policy 4212 * on the conn (because we have not yet copied the policy on to 4213 * conn and hence not set conn_in_enforce_policy) nor with the 4214 * global policy (because conn_policy_cached is already set). 4215 */ 4216 connp->conn_policy_cached = B_TRUE; 4217 if (connp->conn_in_enforce_policy) 4218 connp->conn_flags |= IPCL_CHECK_POLICY; 4219 return (0); 4220 } 4221 4222 void 4223 iplatch_free(ipsec_latch_t *ipl) 4224 { 4225 if (ipl->ipl_out_policy != NULL) 4226 IPPOL_REFRELE(ipl->ipl_out_policy); 4227 if (ipl->ipl_in_policy != NULL) 4228 IPPOL_REFRELE(ipl->ipl_in_policy); 4229 if (ipl->ipl_in_action != NULL) 4230 IPACT_REFRELE(ipl->ipl_in_action); 4231 if (ipl->ipl_out_action != NULL) 4232 IPACT_REFRELE(ipl->ipl_out_action); 4233 if (ipl->ipl_local_cid != NULL) 4234 IPSID_REFRELE(ipl->ipl_local_cid); 4235 if (ipl->ipl_remote_cid != NULL) 4236 IPSID_REFRELE(ipl->ipl_remote_cid); 4237 if (ipl->ipl_local_id != NULL) 4238 crfree(ipl->ipl_local_id); 4239 mutex_destroy(&ipl->ipl_lock); 4240 kmem_free(ipl, sizeof (*ipl)); 4241 } 4242 4243 ipsec_latch_t * 4244 iplatch_create() 4245 { 4246 ipsec_latch_t *ipl = kmem_alloc(sizeof (*ipl), KM_NOSLEEP); 4247 if (ipl == NULL) 4248 return (ipl); 4249 bzero(ipl, sizeof (*ipl)); 4250 mutex_init(&ipl->ipl_lock, NULL, MUTEX_DEFAULT, NULL); 4251 ipl->ipl_refcnt = 1; 4252 return (ipl); 4253 } 4254 4255 /* 4256 * Identity hash table. 4257 * 4258 * Identities are refcounted and "interned" into the hash table. 4259 * Only references coming from other objects (SA's, latching state) 4260 * are counted in ipsid_refcnt. 4261 * 4262 * Locking: IPSID_REFHOLD is safe only when (a) the object's hash bucket 4263 * is locked, (b) we know that the refcount must be > 0. 4264 * 4265 * The ipsid_next and ipsid_ptpn fields are only to be referenced or 4266 * modified when the bucket lock is held; in particular, we only 4267 * delete objects while holding the bucket lock, and we only increase 4268 * the refcount from 0 to 1 while the bucket lock is held. 4269 */ 4270 4271 #define IPSID_HASHSIZE 64 4272 4273 typedef struct ipsif_s 4274 { 4275 ipsid_t *ipsif_head; 4276 kmutex_t ipsif_lock; 4277 } ipsif_t; 4278 4279 ipsif_t ipsid_buckets[IPSID_HASHSIZE]; 4280 4281 /* 4282 * Hash function for ID hash table. 4283 */ 4284 static uint32_t 4285 ipsid_hash(int idtype, char *idstring) 4286 { 4287 uint32_t hval = idtype; 4288 unsigned char c; 4289 4290 while ((c = *idstring++) != 0) { 4291 hval = (hval << 4) | (hval >> 28); 4292 hval ^= c; 4293 } 4294 hval = hval ^ (hval >> 16); 4295 return (hval & (IPSID_HASHSIZE-1)); 4296 } 4297 4298 /* 4299 * Look up identity string in hash table. Return identity object 4300 * corresponding to the name -- either preexisting, or newly allocated. 4301 * 4302 * Return NULL if we need to allocate a new one and can't get memory. 4303 */ 4304 ipsid_t * 4305 ipsid_lookup(int idtype, char *idstring) 4306 { 4307 ipsid_t *retval; 4308 char *nstr; 4309 int idlen = strlen(idstring) + 1; 4310 4311 ipsif_t *bucket = &ipsid_buckets[ipsid_hash(idtype, idstring)]; 4312 4313 mutex_enter(&bucket->ipsif_lock); 4314 4315 for (retval = bucket->ipsif_head; retval != NULL; 4316 retval = retval->ipsid_next) { 4317 if (idtype != retval->ipsid_type) 4318 continue; 4319 if (bcmp(idstring, retval->ipsid_cid, idlen) != 0) 4320 continue; 4321 4322 IPSID_REFHOLD(retval); 4323 mutex_exit(&bucket->ipsif_lock); 4324 return (retval); 4325 } 4326 4327 retval = kmem_alloc(sizeof (*retval), KM_NOSLEEP); 4328 if (!retval) { 4329 mutex_exit(&bucket->ipsif_lock); 4330 return (NULL); 4331 } 4332 4333 nstr = kmem_alloc(idlen, KM_NOSLEEP); 4334 if (!nstr) { 4335 mutex_exit(&bucket->ipsif_lock); 4336 kmem_free(retval, sizeof (*retval)); 4337 return (NULL); 4338 } 4339 4340 retval->ipsid_refcnt = 1; 4341 retval->ipsid_next = bucket->ipsif_head; 4342 if (retval->ipsid_next != NULL) 4343 retval->ipsid_next->ipsid_ptpn = &retval->ipsid_next; 4344 retval->ipsid_ptpn = &bucket->ipsif_head; 4345 retval->ipsid_type = idtype; 4346 retval->ipsid_cid = nstr; 4347 bucket->ipsif_head = retval; 4348 bcopy(idstring, nstr, idlen); 4349 mutex_exit(&bucket->ipsif_lock); 4350 4351 return (retval); 4352 } 4353 4354 /* 4355 * Garbage collect the identity hash table. 4356 */ 4357 void 4358 ipsid_gc() 4359 { 4360 int i, len; 4361 ipsid_t *id, *nid; 4362 ipsif_t *bucket; 4363 4364 for (i = 0; i < IPSID_HASHSIZE; i++) { 4365 bucket = &ipsid_buckets[i]; 4366 mutex_enter(&bucket->ipsif_lock); 4367 for (id = bucket->ipsif_head; id != NULL; id = nid) { 4368 nid = id->ipsid_next; 4369 if (id->ipsid_refcnt == 0) { 4370 *id->ipsid_ptpn = nid; 4371 if (nid != NULL) 4372 nid->ipsid_ptpn = id->ipsid_ptpn; 4373 len = strlen(id->ipsid_cid) + 1; 4374 kmem_free(id->ipsid_cid, len); 4375 kmem_free(id, sizeof (*id)); 4376 } 4377 } 4378 mutex_exit(&bucket->ipsif_lock); 4379 } 4380 } 4381 4382 /* 4383 * Return true if two identities are the same. 4384 */ 4385 boolean_t 4386 ipsid_equal(ipsid_t *id1, ipsid_t *id2) 4387 { 4388 if (id1 == id2) 4389 return (B_TRUE); 4390 #ifdef DEBUG 4391 if ((id1 == NULL) || (id2 == NULL)) 4392 return (B_FALSE); 4393 /* 4394 * test that we're interning id's correctly.. 4395 */ 4396 ASSERT((strcmp(id1->ipsid_cid, id2->ipsid_cid) != 0) || 4397 (id1->ipsid_type != id2->ipsid_type)); 4398 #endif 4399 return (B_FALSE); 4400 } 4401 4402 /* 4403 * Initialize identity table; called during module initialization. 4404 */ 4405 static void 4406 ipsid_init() 4407 { 4408 ipsif_t *bucket; 4409 int i; 4410 4411 for (i = 0; i < IPSID_HASHSIZE; i++) { 4412 bucket = &ipsid_buckets[i]; 4413 mutex_init(&bucket->ipsif_lock, NULL, MUTEX_DEFAULT, NULL); 4414 } 4415 } 4416 4417 /* 4418 * Free identity table (preparatory to module unload) 4419 */ 4420 static void 4421 ipsid_fini() 4422 { 4423 ipsif_t *bucket; 4424 int i; 4425 4426 for (i = 0; i < IPSID_HASHSIZE; i++) { 4427 bucket = &ipsid_buckets[i]; 4428 mutex_destroy(&bucket->ipsif_lock); 4429 } 4430 } 4431 4432 /* 4433 * Update the minimum and maximum supported key sizes for the 4434 * specified algorithm. Must be called while holding the algorithms lock. 4435 */ 4436 void 4437 ipsec_alg_fix_min_max(ipsec_alginfo_t *alg, ipsec_algtype_t alg_type) 4438 { 4439 size_t crypto_min = (size_t)-1, crypto_max = 0; 4440 size_t cur_crypto_min, cur_crypto_max; 4441 boolean_t is_valid; 4442 crypto_mechanism_info_t *mech_infos; 4443 uint_t nmech_infos; 4444 int crypto_rc, i; 4445 crypto_mech_usage_t mask; 4446 4447 ASSERT(MUTEX_HELD(&alg_lock)); 4448 4449 /* 4450 * Compute the min, max, and default key sizes (in number of 4451 * increments to the default key size in bits) as defined 4452 * by the algorithm mappings. This range of key sizes is used 4453 * for policy related operations. The effective key sizes 4454 * supported by the framework could be more limited than 4455 * those defined for an algorithm. 4456 */ 4457 alg->alg_default_bits = alg->alg_key_sizes[0]; 4458 if (alg->alg_increment != 0) { 4459 /* key sizes are defined by range & increment */ 4460 alg->alg_minbits = alg->alg_key_sizes[1]; 4461 alg->alg_maxbits = alg->alg_key_sizes[2]; 4462 4463 alg->alg_default = SADB_ALG_DEFAULT_INCR(alg->alg_minbits, 4464 alg->alg_increment, alg->alg_default_bits); 4465 } else if (alg->alg_nkey_sizes == 0) { 4466 /* no specified key size for algorithm */ 4467 alg->alg_minbits = alg->alg_maxbits = 0; 4468 } else { 4469 /* key sizes are defined by enumeration */ 4470 alg->alg_minbits = (uint16_t)-1; 4471 alg->alg_maxbits = 0; 4472 4473 for (i = 0; i < alg->alg_nkey_sizes; i++) { 4474 if (alg->alg_key_sizes[i] < alg->alg_minbits) 4475 alg->alg_minbits = alg->alg_key_sizes[i]; 4476 if (alg->alg_key_sizes[i] > alg->alg_maxbits) 4477 alg->alg_maxbits = alg->alg_key_sizes[i]; 4478 } 4479 alg->alg_default = 0; 4480 } 4481 4482 if (!(alg->alg_flags & ALG_FLAG_VALID)) 4483 return; 4484 4485 /* 4486 * Mechanisms do not apply to the NULL encryption 4487 * algorithm, so simply return for this case. 4488 */ 4489 if (alg->alg_id == SADB_EALG_NULL) 4490 return; 4491 4492 /* 4493 * Find the min and max key sizes supported by the cryptographic 4494 * framework providers. 4495 */ 4496 4497 /* get the key sizes supported by the framework */ 4498 crypto_rc = crypto_get_all_mech_info(alg->alg_mech_type, 4499 &mech_infos, &nmech_infos, KM_SLEEP); 4500 if (crypto_rc != CRYPTO_SUCCESS || nmech_infos == 0) { 4501 alg->alg_flags &= ~ALG_FLAG_VALID; 4502 return; 4503 } 4504 4505 /* min and max key sizes supported by framework */ 4506 for (i = 0, is_valid = B_FALSE; i < nmech_infos; i++) { 4507 int unit_bits; 4508 4509 /* 4510 * Ignore entries that do not support the operations 4511 * needed for the algorithm type. 4512 */ 4513 if (alg_type == IPSEC_ALG_AUTH) 4514 mask = CRYPTO_MECH_USAGE_MAC; 4515 else 4516 mask = CRYPTO_MECH_USAGE_ENCRYPT | 4517 CRYPTO_MECH_USAGE_DECRYPT; 4518 if ((mech_infos[i].mi_usage & mask) != mask) 4519 continue; 4520 4521 unit_bits = (mech_infos[i].mi_keysize_unit == 4522 CRYPTO_KEYSIZE_UNIT_IN_BYTES) ? 8 : 1; 4523 /* adjust min/max supported by framework */ 4524 cur_crypto_min = mech_infos[i].mi_min_key_size * unit_bits; 4525 cur_crypto_max = mech_infos[i].mi_max_key_size * unit_bits; 4526 4527 if (cur_crypto_min < crypto_min) 4528 crypto_min = cur_crypto_min; 4529 4530 /* 4531 * CRYPTO_EFFECTIVELY_INFINITE is a special value of 4532 * the crypto framework which means "no upper limit". 4533 */ 4534 if (mech_infos[i].mi_max_key_size == 4535 CRYPTO_EFFECTIVELY_INFINITE) 4536 crypto_max = (size_t)-1; 4537 else if (cur_crypto_max > crypto_max) 4538 crypto_max = cur_crypto_max; 4539 4540 is_valid = B_TRUE; 4541 } 4542 4543 kmem_free(mech_infos, sizeof (crypto_mechanism_info_t) * 4544 nmech_infos); 4545 4546 if (!is_valid) { 4547 /* no key sizes supported by framework */ 4548 alg->alg_flags &= ~ALG_FLAG_VALID; 4549 return; 4550 } 4551 4552 /* 4553 * Determine min and max key sizes from alg_key_sizes[]. 4554 * defined for the algorithm entry. Adjust key sizes based on 4555 * those supported by the framework. 4556 */ 4557 alg->alg_ef_default_bits = alg->alg_key_sizes[0]; 4558 if (alg->alg_increment != 0) { 4559 /* supported key sizes are defined by range & increment */ 4560 crypto_min = ALGBITS_ROUND_UP(crypto_min, alg->alg_increment); 4561 crypto_max = ALGBITS_ROUND_DOWN(crypto_max, alg->alg_increment); 4562 4563 alg->alg_ef_minbits = MAX(alg->alg_minbits, 4564 (uint16_t)crypto_min); 4565 alg->alg_ef_maxbits = MIN(alg->alg_maxbits, 4566 (uint16_t)crypto_max); 4567 4568 /* 4569 * If the sizes supported by the framework are outside 4570 * the range of sizes defined by the algorithm mappings, 4571 * the algorithm cannot be used. Check for this 4572 * condition here. 4573 */ 4574 if (alg->alg_ef_minbits > alg->alg_ef_maxbits) { 4575 alg->alg_flags &= ~ALG_FLAG_VALID; 4576 return; 4577 } 4578 4579 if (alg->alg_ef_default_bits < alg->alg_ef_minbits) 4580 alg->alg_ef_default_bits = alg->alg_ef_minbits; 4581 if (alg->alg_ef_default_bits > alg->alg_ef_maxbits) 4582 alg->alg_ef_default_bits = alg->alg_ef_maxbits; 4583 4584 alg->alg_ef_default = SADB_ALG_DEFAULT_INCR(alg->alg_ef_minbits, 4585 alg->alg_increment, alg->alg_ef_default_bits); 4586 } else if (alg->alg_nkey_sizes == 0) { 4587 /* no specified key size for algorithm */ 4588 alg->alg_ef_minbits = alg->alg_ef_maxbits = 0; 4589 } else { 4590 /* supported key sizes are defined by enumeration */ 4591 alg->alg_ef_minbits = (uint16_t)-1; 4592 alg->alg_ef_maxbits = 0; 4593 4594 for (i = 0, is_valid = B_FALSE; i < alg->alg_nkey_sizes; i++) { 4595 /* 4596 * Ignore the current key size if it is not in the 4597 * range of sizes supported by the framework. 4598 */ 4599 if (alg->alg_key_sizes[i] < crypto_min || 4600 alg->alg_key_sizes[i] > crypto_max) 4601 continue; 4602 if (alg->alg_key_sizes[i] < alg->alg_ef_minbits) 4603 alg->alg_ef_minbits = alg->alg_key_sizes[i]; 4604 if (alg->alg_key_sizes[i] > alg->alg_ef_maxbits) 4605 alg->alg_ef_maxbits = alg->alg_key_sizes[i]; 4606 is_valid = B_TRUE; 4607 } 4608 4609 if (!is_valid) { 4610 alg->alg_flags &= ~ALG_FLAG_VALID; 4611 return; 4612 } 4613 alg->alg_ef_default = 0; 4614 } 4615 } 4616 4617 /* 4618 * Free the memory used by the specified algorithm. 4619 */ 4620 void 4621 ipsec_alg_free(ipsec_alginfo_t *alg) 4622 { 4623 if (alg == NULL) 4624 return; 4625 4626 if (alg->alg_key_sizes != NULL) 4627 kmem_free(alg->alg_key_sizes, 4628 (alg->alg_nkey_sizes + 1) * sizeof (uint16_t)); 4629 4630 if (alg->alg_block_sizes != NULL) 4631 kmem_free(alg->alg_block_sizes, 4632 (alg->alg_nblock_sizes + 1) * sizeof (uint16_t)); 4633 4634 kmem_free(alg, sizeof (*alg)); 4635 } 4636 4637 /* 4638 * Check the validity of the specified key size for an algorithm. 4639 * Returns B_TRUE if key size is valid, B_FALSE otherwise. 4640 */ 4641 boolean_t 4642 ipsec_valid_key_size(uint16_t key_size, ipsec_alginfo_t *alg) 4643 { 4644 if (key_size < alg->alg_ef_minbits || key_size > alg->alg_ef_maxbits) 4645 return (B_FALSE); 4646 4647 if (alg->alg_increment == 0 && alg->alg_nkey_sizes != 0) { 4648 /* 4649 * If the key sizes are defined by enumeration, the new 4650 * key size must be equal to one of the supported values. 4651 */ 4652 int i; 4653 4654 for (i = 0; i < alg->alg_nkey_sizes; i++) 4655 if (key_size == alg->alg_key_sizes[i]) 4656 break; 4657 if (i == alg->alg_nkey_sizes) 4658 return (B_FALSE); 4659 } 4660 4661 return (B_TRUE); 4662 } 4663 4664 /* 4665 * Callback function invoked by the crypto framework when a provider 4666 * registers or unregisters. This callback updates the algorithms 4667 * tables when a crypto algorithm is no longer available or becomes 4668 * available, and triggers the freeing/creation of context templates 4669 * associated with existing SAs, if needed. 4670 */ 4671 void 4672 ipsec_prov_update_callback(uint32_t event, void *event_arg) 4673 { 4674 crypto_notify_event_change_t *prov_change = 4675 (crypto_notify_event_change_t *)event_arg; 4676 uint_t algidx, algid, algtype, mech_count, mech_idx; 4677 ipsec_alginfo_t *alg; 4678 ipsec_alginfo_t oalg; 4679 crypto_mech_name_t *mechs; 4680 boolean_t alg_changed = B_FALSE; 4681 4682 /* ignore events for which we didn't register */ 4683 if (event != CRYPTO_EVENT_PROVIDERS_CHANGE) { 4684 ip1dbg(("ipsec_prov_update_callback: unexpected event 0x%x " 4685 " received from crypto framework\n", event)); 4686 return; 4687 } 4688 4689 mechs = crypto_get_mech_list(&mech_count, KM_SLEEP); 4690 if (mechs == NULL) 4691 return; 4692 4693 /* 4694 * Walk the list of currently defined IPsec algorithm. Update 4695 * the algorithm valid flag and trigger an update of the 4696 * SAs that depend on that algorithm. 4697 */ 4698 mutex_enter(&alg_lock); 4699 for (algtype = 0; algtype < IPSEC_NALGTYPES; algtype++) { 4700 for (algidx = 0; algidx < ipsec_nalgs[algtype]; algidx++) { 4701 4702 algid = ipsec_sortlist[algtype][algidx]; 4703 alg = ipsec_alglists[algtype][algid]; 4704 ASSERT(alg != NULL); 4705 4706 /* 4707 * Skip the algorithms which do not map to the 4708 * crypto framework provider being added or removed. 4709 */ 4710 if (strncmp(alg->alg_mech_name, 4711 prov_change->ec_mech_name, 4712 CRYPTO_MAX_MECH_NAME) != 0) 4713 continue; 4714 4715 /* 4716 * Determine if the mechanism is valid. If it 4717 * is not, mark the algorithm as being invalid. If 4718 * it is, mark the algorithm as being valid. 4719 */ 4720 for (mech_idx = 0; mech_idx < mech_count; mech_idx++) 4721 if (strncmp(alg->alg_mech_name, 4722 mechs[mech_idx], CRYPTO_MAX_MECH_NAME) == 0) 4723 break; 4724 if (mech_idx == mech_count && 4725 alg->alg_flags & ALG_FLAG_VALID) { 4726 alg->alg_flags &= ~ALG_FLAG_VALID; 4727 alg_changed = B_TRUE; 4728 } else if (mech_idx < mech_count && 4729 !(alg->alg_flags & ALG_FLAG_VALID)) { 4730 alg->alg_flags |= ALG_FLAG_VALID; 4731 alg_changed = B_TRUE; 4732 } 4733 4734 /* 4735 * Update the supported key sizes, regardless 4736 * of whether a crypto provider was added or 4737 * removed. 4738 */ 4739 oalg = *alg; 4740 ipsec_alg_fix_min_max(alg, algtype); 4741 if (!alg_changed && 4742 alg->alg_ef_minbits != oalg.alg_ef_minbits || 4743 alg->alg_ef_maxbits != oalg.alg_ef_maxbits || 4744 alg->alg_ef_default != oalg.alg_ef_default || 4745 alg->alg_ef_default_bits != 4746 oalg.alg_ef_default_bits) 4747 alg_changed = B_TRUE; 4748 4749 /* 4750 * Update the affected SAs if a software provider is 4751 * being added or removed. 4752 */ 4753 if (prov_change->ec_provider_type == 4754 CRYPTO_SW_PROVIDER) 4755 sadb_alg_update(algtype, alg->alg_id, 4756 prov_change->ec_change == 4757 CRYPTO_EVENT_CHANGE_ADDED); 4758 } 4759 } 4760 mutex_exit(&alg_lock); 4761 crypto_free_mech_list(mechs, mech_count); 4762 4763 if (alg_changed) { 4764 /* 4765 * An algorithm has changed, i.e. it became valid or 4766 * invalid, or its support key sizes have changed. 4767 * Notify ipsecah and ipsecesp of this change so 4768 * that they can send a SADB_REGISTER to their consumers. 4769 */ 4770 ipsecah_algs_changed(); 4771 ipsecesp_algs_changed(); 4772 } 4773 } 4774 4775 /* 4776 * Registers with the crypto framework to be notified of crypto 4777 * providers changes. Used to update the algorithm tables and 4778 * to free or create context templates if needed. Invoked after IPsec 4779 * is loaded successfully. 4780 */ 4781 void 4782 ipsec_register_prov_update(void) 4783 { 4784 prov_update_handle = crypto_notify_events( 4785 ipsec_prov_update_callback, CRYPTO_EVENT_PROVIDERS_CHANGE); 4786 } 4787 4788 /* 4789 * Unregisters from the framework to be notified of crypto providers 4790 * changes. Called from ipsec_policy_destroy(). 4791 */ 4792 static void 4793 ipsec_unregister_prov_update(void) 4794 { 4795 if (prov_update_handle != NULL) 4796 crypto_unnotify_events(prov_update_handle); 4797 } 4798