4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
22 * Copyright 2010 Sun Microsystems, Inc. All rights reserved.
23 * Use is subject to license terms.
24 * Copyright (c) 2012 Nexenta Systems, Inc. All rights reserved.
25 * Copyright (c) 2016 by Delphix. All rights reserved.
26 * Copyright (c) 2018, Joyent, Inc.
30 * IPsec Security Policy Database.
32 * This module maintains the SPD and provides routines used by ip and ip6
33 * to apply IPsec policy to inbound and outbound datagrams.
36 #include <sys/types.h>
37 #include <sys/stream.h>
38 #include <sys/stropts.h>
39 #include <sys/sysmacros.h>
40 #include <sys/strsubr.h>
41 #include <sys/strsun.h>
42 #include <sys/strlog.h>
43 #include <sys/strsun.h>
44 #include <sys/cmn_err.h>
47 #include <sys/systm.h>
48 #include <sys/param.h>
52 #include <sys/crypto/api.h>
54 #include <inet/common.h>
57 #include <netinet/ip6.h>
58 #include <netinet/icmp6.h>
59 #include <netinet/udp.h>
64 #include <net/pfkeyv2.h>
65 #include <net/pfpolicy.h>
66 #include <inet/sadb.h>
67 #include <inet/ipsec_impl.h>
69 #include <inet/ip_impl.h> /* For IP_MOD_ID */
71 #include <inet/ipsecah.h>
72 #include <inet/ipsecesp.h>
73 #include <inet/ipdrop.h>
74 #include <inet/ipclassifier.h>
75 #include <inet/iptun.h>
76 #include <inet/iptun/iptun_impl.h>
78 static void ipsec_update_present_flags(ipsec_stack_t
*);
79 static ipsec_act_t
*ipsec_act_wildcard_expand(ipsec_act_t
*, uint_t
*,
81 static mblk_t
*ipsec_check_ipsecin_policy(mblk_t
*, ipsec_policy_t
*,
82 ipha_t
*, ip6_t
*, uint64_t, ip_recv_attr_t
*, netstack_t
*);
83 static void ipsec_action_free_table(ipsec_action_t
*);
84 static void ipsec_action_reclaim(void *);
85 static void ipsec_action_reclaim_stack(ipsec_stack_t
*);
86 static void ipsid_init(netstack_t
*);
87 static void ipsid_fini(netstack_t
*);
89 /* sel_flags values for ipsec_init_inbound_sel(). */
90 #define SEL_NONE 0x0000
91 #define SEL_PORT_POLICY 0x0001
92 #define SEL_IS_ICMP 0x0002
93 #define SEL_TUNNEL_MODE 0x0004
94 #define SEL_POST_FRAG 0x0008
96 /* Return values for ipsec_init_inbound_sel(). */
97 typedef enum { SELRET_NOMEM
, SELRET_BADPKT
, SELRET_SUCCESS
, SELRET_TUNFRAG
}
100 static selret_t
ipsec_init_inbound_sel(ipsec_selector_t
*, mblk_t
*,
101 ipha_t
*, ip6_t
*, uint8_t);
103 static boolean_t
ipsec_check_ipsecin_action(ip_recv_attr_t
*, mblk_t
*,
104 struct ipsec_action_s
*, ipha_t
*ipha
, ip6_t
*ip6h
, const char **,
105 kstat_named_t
**, netstack_t
*);
106 static void ipsec_unregister_prov_update(void);
107 static void ipsec_prov_update_callback_stack(uint32_t, void *, netstack_t
*);
108 static boolean_t
ipsec_compare_action(ipsec_policy_t
*, ipsec_policy_t
*);
109 static uint32_t selector_hash(ipsec_selector_t
*, ipsec_policy_root_t
*);
110 static boolean_t
ipsec_kstat_init(ipsec_stack_t
*);
111 static void ipsec_kstat_destroy(ipsec_stack_t
*);
112 static int ipsec_free_tables(ipsec_stack_t
*);
113 static int tunnel_compare(const void *, const void *);
114 static void ipsec_freemsg_chain(mblk_t
*);
115 static void ip_drop_packet_chain(mblk_t
*, boolean_t
, ill_t
*,
116 struct kstat_named
*, ipdropper_t
*);
117 static boolean_t
ipsec_kstat_init(ipsec_stack_t
*);
118 static void ipsec_kstat_destroy(ipsec_stack_t
*);
119 static int ipsec_free_tables(ipsec_stack_t
*);
120 static int tunnel_compare(const void *, const void *);
121 static void ipsec_freemsg_chain(mblk_t
*);
124 * Selector hash table is statically sized at module load time.
125 * we default to 251 buckets, which is the largest prime number under 255
128 #define IPSEC_SPDHASH_DEFAULT 251
130 /* SPD hash-size tunable per tunnel. */
131 #define TUN_SPDHASH_DEFAULT 5
133 uint32_t ipsec_spd_hashsize
;
134 uint32_t tun_spd_hashsize
;
136 #define IPSEC_SEL_NOHASH ((uint32_t)(~0))
139 * Handle global across all stack instances
141 static crypto_notify_handle_t prov_update_handle
= NULL
;
143 static kmem_cache_t
*ipsec_action_cache
;
144 static kmem_cache_t
*ipsec_sel_cache
;
145 static kmem_cache_t
*ipsec_pol_cache
;
147 /* Frag cache prototypes */
148 static void ipsec_fragcache_clean(ipsec_fragcache_t
*, ipsec_stack_t
*);
149 static ipsec_fragcache_entry_t
*fragcache_delentry(int,
150 ipsec_fragcache_entry_t
*, ipsec_fragcache_t
*, ipsec_stack_t
*);
151 boolean_t
ipsec_fragcache_init(ipsec_fragcache_t
*);
152 void ipsec_fragcache_uninit(ipsec_fragcache_t
*, ipsec_stack_t
*ipss
);
153 mblk_t
*ipsec_fragcache_add(ipsec_fragcache_t
*, mblk_t
*, mblk_t
*,
154 int, ipsec_stack_t
*);
156 int ipsec_hdr_pullup_needed
= 0;
157 int ipsec_weird_null_inbound_policy
= 0;
159 #define ALGBITS_ROUND_DOWN(x, align) (((x)/(align))*(align))
160 #define ALGBITS_ROUND_UP(x, align) ALGBITS_ROUND_DOWN((x)+(align)-1, align)
163 * Inbound traffic should have matching identities for both SA's.
166 #define SA_IDS_MATCH(sa1, sa2) \
167 (((sa1) == NULL) || ((sa2) == NULL) || \
168 (((sa1)->ipsa_src_cid == (sa2)->ipsa_src_cid) && \
169 (((sa1)->ipsa_dst_cid == (sa2)->ipsa_dst_cid))))
174 #define IS_V6_FRAGMENT(ipp) (ipp.ipp_fields & IPPF_FRAGHDR)
177 * Policy failure messages.
179 static char *ipsec_policy_failure_msgs
[] = {
181 /* IPSEC_POLICY_NOT_NEEDED */
182 "%s: Dropping the datagram because the incoming packet "
183 "is %s, but the recipient expects clear; Source %s, "
186 /* IPSEC_POLICY_MISMATCH */
187 "%s: Policy Failure for the incoming packet (%s); Source %s, "
190 /* IPSEC_POLICY_AUTH_NOT_NEEDED */
191 "%s: Authentication present while not expected in the "
192 "incoming %s packet; Source %s, Destination %s.\n",
194 /* IPSEC_POLICY_ENCR_NOT_NEEDED */
195 "%s: Encryption present while not expected in the "
196 "incoming %s packet; Source %s, Destination %s.\n",
198 /* IPSEC_POLICY_SE_NOT_NEEDED */
199 "%s: Self-Encapsulation present while not expected in the "
200 "incoming %s packet; Source %s, Destination %s.\n",
208 * All of the system policy structures are protected by a single
209 * rwlock. These structures are threaded in a
210 * fairly complex fashion and are not expected to change on a
211 * regular basis, so this should not cause scaling/contention
212 * problems. As a result, policy checks should (hopefully) be MT-hot.
216 * We use custom kmem cache types for the various
217 * bits & pieces of the policy data structures. All allocations
218 * use KM_NOSLEEP instead of KM_SLEEP for policy allocation. The
219 * policy table is of potentially unbounded size, so we don't
220 * want to provide a way to hog all system memory with policy
224 /* Convenient functions for freeing or dropping a b_next linked mblk chain */
226 /* Free all messages in an mblk chain */
228 ipsec_freemsg_chain(mblk_t
*mp
)
232 ASSERT(mp
->b_prev
== NULL
);
241 * ip_drop all messages in an mblk chain
242 * Can handle a b_next chain of ip_recv_attr_t mblks, or just a b_next chain
246 ip_drop_packet_chain(mblk_t
*mp
, boolean_t inbound
, ill_t
*ill
,
247 struct kstat_named
*counter
, ipdropper_t
*who_called
)
251 ASSERT(mp
->b_prev
== NULL
);
254 if (ip_recv_attr_is_mblk(mp
))
255 mp
= ip_recv_attr_free_mblk(mp
);
256 ip_drop_packet(mp
, inbound
, ill
, counter
, who_called
);
262 * AVL tree comparison function.
263 * the in-kernel avl assumes unique keys for all objects.
264 * Since sometimes policy will duplicate rules, we may insert
265 * multiple rules with the same rule id, so we need a tie-breaker.
268 ipsec_policy_cmpbyid(const void *a
, const void *b
)
270 const ipsec_policy_t
*ipa
, *ipb
;
273 ipa
= (const ipsec_policy_t
*)a
;
274 ipb
= (const ipsec_policy_t
*)b
;
275 idxa
= ipa
->ipsp_index
;
276 idxb
= ipb
->ipsp_index
;
283 * Tie-breaker #1: All installed policy rules have a non-NULL
284 * ipsl_sel (selector set), so an entry with a NULL ipsp_sel is not
285 * actually in-tree but rather a template node being used in
286 * an avl_find query; see ipsec_policy_delete(). This gives us
287 * a placeholder in the ordering just before the first entry with
288 * a key >= the one we're looking for, so we can walk forward from
289 * that point to get the remaining entries with the same id.
291 if ((ipa
->ipsp_sel
== NULL
) && (ipb
->ipsp_sel
!= NULL
))
293 if ((ipb
->ipsp_sel
== NULL
) && (ipa
->ipsp_sel
!= NULL
))
296 * At most one of the arguments to the comparison should have a
297 * NULL selector pointer; if not, the tree is broken.
299 ASSERT(ipa
->ipsp_sel
!= NULL
);
300 ASSERT(ipb
->ipsp_sel
!= NULL
);
302 * Tie-breaker #2: use the virtual address of the policy node
303 * to arbitrarily break ties. Since we use the new tree node in
304 * the avl_find() in ipsec_insert_always, the new node will be
305 * inserted into the tree in the right place in the sequence.
315 * Free what ipsec_alloc_table allocated.
318 ipsec_polhead_free_table(ipsec_policy_head_t
*iph
)
323 for (dir
= 0; dir
< IPSEC_NTYPES
; dir
++) {
324 ipsec_policy_root_t
*ipr
= &iph
->iph_root
[dir
];
326 if (ipr
->ipr_hash
== NULL
)
329 for (i
= 0; i
< ipr
->ipr_nchains
; i
++) {
330 ASSERT(ipr
->ipr_hash
[i
].hash_head
== NULL
);
332 kmem_free(ipr
->ipr_hash
, ipr
->ipr_nchains
*
333 sizeof (ipsec_policy_hash_t
));
334 ipr
->ipr_hash
= NULL
;
339 ipsec_polhead_destroy(ipsec_policy_head_t
*iph
)
343 avl_destroy(&iph
->iph_rulebyid
);
344 rw_destroy(&iph
->iph_lock
);
346 for (dir
= 0; dir
< IPSEC_NTYPES
; dir
++) {
347 ipsec_policy_root_t
*ipr
= &iph
->iph_root
[dir
];
350 for (chain
= 0; chain
< ipr
->ipr_nchains
; chain
++)
351 mutex_destroy(&(ipr
->ipr_hash
[chain
].hash_lock
));
354 ipsec_polhead_free_table(iph
);
358 * Free the IPsec stack instance.
362 ipsec_stack_fini(netstackid_t stackid
, void *arg
)
364 ipsec_stack_t
*ipss
= (ipsec_stack_t
*)arg
;
366 ipsec_tun_pol_t
*node
;
367 netstack_t
*ns
= ipss
->ipsec_netstack
;
369 ipsec_algtype_t algtype
;
371 ipsec_loader_destroy(ipss
);
373 rw_enter(&ipss
->ipsec_tunnel_policy_lock
, RW_WRITER
);
375 * It's possible we can just ASSERT() the tree is empty. After all,
376 * we aren't called until IP is ready to unload (and presumably all
377 * tunnels have been unplumbed). But we'll play it safe for now, the
378 * loop will just exit immediately if it's empty.
381 while ((node
= (ipsec_tun_pol_t
*)
382 avl_destroy_nodes(&ipss
->ipsec_tunnel_policies
,
384 ITP_REFRELE(node
, ns
);
386 avl_destroy(&ipss
->ipsec_tunnel_policies
);
387 rw_exit(&ipss
->ipsec_tunnel_policy_lock
);
388 rw_destroy(&ipss
->ipsec_tunnel_policy_lock
);
390 ipsec_config_flush(ns
);
392 ipsec_kstat_destroy(ipss
);
394 ip_drop_unregister(&ipss
->ipsec_dropper
);
396 ip_drop_unregister(&ipss
->ipsec_spd_dropper
);
397 ip_drop_destroy(ipss
);
399 * Globals start with ref == 1 to prevent IPPH_REFRELE() from
400 * attempting to free them, hence they should have 1 now.
402 ipsec_polhead_destroy(&ipss
->ipsec_system_policy
);
403 ASSERT(ipss
->ipsec_system_policy
.iph_refs
== 1);
404 ipsec_polhead_destroy(&ipss
->ipsec_inactive_policy
);
405 ASSERT(ipss
->ipsec_inactive_policy
.iph_refs
== 1);
407 for (i
= 0; i
< IPSEC_ACTION_HASH_SIZE
; i
++) {
408 ipsec_action_free_table(ipss
->ipsec_action_hash
[i
].hash_head
);
409 ipss
->ipsec_action_hash
[i
].hash_head
= NULL
;
410 mutex_destroy(&(ipss
->ipsec_action_hash
[i
].hash_lock
));
413 for (i
= 0; i
< ipss
->ipsec_spd_hashsize
; i
++) {
414 ASSERT(ipss
->ipsec_sel_hash
[i
].hash_head
== NULL
);
415 mutex_destroy(&(ipss
->ipsec_sel_hash
[i
].hash_lock
));
418 rw_enter(&ipss
->ipsec_alg_lock
, RW_WRITER
);
419 for (algtype
= 0; algtype
< IPSEC_NALGTYPES
; algtype
++) {
420 for (i
= 0; i
< IPSEC_MAX_ALGS
; i
++) {
421 if (ipss
->ipsec_alglists
[algtype
][i
] != NULL
)
422 ipsec_alg_unreg(algtype
, i
, ns
);
425 rw_exit(&ipss
->ipsec_alg_lock
);
426 rw_destroy(&ipss
->ipsec_alg_lock
);
431 (void) ipsec_free_tables(ipss
);
432 kmem_free(ipss
, sizeof (*ipss
));
436 ipsec_policy_g_destroy(void)
438 kmem_cache_destroy(ipsec_action_cache
);
439 kmem_cache_destroy(ipsec_sel_cache
);
440 kmem_cache_destroy(ipsec_pol_cache
);
442 ipsec_unregister_prov_update();
444 netstack_unregister(NS_IPSEC
);
449 * Free what ipsec_alloc_tables allocated.
450 * Called when table allocation fails to free the table.
453 ipsec_free_tables(ipsec_stack_t
*ipss
)
457 if (ipss
->ipsec_sel_hash
!= NULL
) {
458 for (i
= 0; i
< ipss
->ipsec_spd_hashsize
; i
++) {
459 ASSERT(ipss
->ipsec_sel_hash
[i
].hash_head
== NULL
);
461 kmem_free(ipss
->ipsec_sel_hash
, ipss
->ipsec_spd_hashsize
*
462 sizeof (*ipss
->ipsec_sel_hash
));
463 ipss
->ipsec_sel_hash
= NULL
;
464 ipss
->ipsec_spd_hashsize
= 0;
466 ipsec_polhead_free_table(&ipss
->ipsec_system_policy
);
467 ipsec_polhead_free_table(&ipss
->ipsec_inactive_policy
);
473 * Attempt to allocate the tables in a single policy head.
474 * Return nonzero on failure after cleaning up any work in progress.
477 ipsec_alloc_table(ipsec_policy_head_t
*iph
, int nchains
, int kmflag
,
478 boolean_t global_cleanup
, netstack_t
*ns
)
482 for (dir
= 0; dir
< IPSEC_NTYPES
; dir
++) {
483 ipsec_policy_root_t
*ipr
= &iph
->iph_root
[dir
];
485 ipr
->ipr_nchains
= nchains
;
486 ipr
->ipr_hash
= kmem_zalloc(nchains
*
487 sizeof (ipsec_policy_hash_t
), kmflag
);
488 if (ipr
->ipr_hash
== NULL
)
489 return (global_cleanup
?
490 ipsec_free_tables(ns
->netstack_ipsec
) :
497 * Attempt to allocate the various tables. Return nonzero on failure
498 * after cleaning up any work in progress.
501 ipsec_alloc_tables(int kmflag
, netstack_t
*ns
)
504 ipsec_stack_t
*ipss
= ns
->netstack_ipsec
;
506 error
= ipsec_alloc_table(&ipss
->ipsec_system_policy
,
507 ipss
->ipsec_spd_hashsize
, kmflag
, B_TRUE
, ns
);
511 error
= ipsec_alloc_table(&ipss
->ipsec_inactive_policy
,
512 ipss
->ipsec_spd_hashsize
, kmflag
, B_TRUE
, ns
);
516 ipss
->ipsec_sel_hash
= kmem_zalloc(ipss
->ipsec_spd_hashsize
*
517 sizeof (*ipss
->ipsec_sel_hash
), kmflag
);
519 if (ipss
->ipsec_sel_hash
== NULL
)
520 return (ipsec_free_tables(ipss
));
526 * After table allocation, initialize a policy head.
529 ipsec_polhead_init(ipsec_policy_head_t
*iph
, int nchains
)
533 rw_init(&iph
->iph_lock
, NULL
, RW_DEFAULT
, NULL
);
534 avl_create(&iph
->iph_rulebyid
, ipsec_policy_cmpbyid
,
535 sizeof (ipsec_policy_t
), offsetof(ipsec_policy_t
, ipsp_byid
));
537 for (dir
= 0; dir
< IPSEC_NTYPES
; dir
++) {
538 ipsec_policy_root_t
*ipr
= &iph
->iph_root
[dir
];
539 ipr
->ipr_nchains
= nchains
;
541 for (chain
= 0; chain
< nchains
; chain
++) {
542 mutex_init(&(ipr
->ipr_hash
[chain
].hash_lock
),
543 NULL
, MUTEX_DEFAULT
, NULL
);
549 ipsec_kstat_init(ipsec_stack_t
*ipss
)
551 ipss
->ipsec_ksp
= kstat_create_netstack("ip", 0, "ipsec_stat", "net",
552 KSTAT_TYPE_NAMED
, sizeof (ipsec_kstats_t
) / sizeof (kstat_named_t
),
553 KSTAT_FLAG_PERSISTENT
, ipss
->ipsec_netstack
->netstack_stackid
);
555 if (ipss
->ipsec_ksp
== NULL
|| ipss
->ipsec_ksp
->ks_data
== NULL
)
558 ipss
->ipsec_kstats
= ipss
->ipsec_ksp
->ks_data
;
560 #define KI(x) kstat_named_init(&ipss->ipsec_kstats->x, #x, KSTAT_DATA_UINT64)
561 KI(esp_stat_in_requests
);
562 KI(esp_stat_in_discards
);
563 KI(esp_stat_lookup_failure
);
564 KI(ah_stat_in_requests
);
565 KI(ah_stat_in_discards
);
566 KI(ah_stat_lookup_failure
);
567 KI(sadb_acquire_maxpackets
);
568 KI(sadb_acquire_qhiwater
);
571 kstat_install(ipss
->ipsec_ksp
);
576 ipsec_kstat_destroy(ipsec_stack_t
*ipss
)
578 kstat_delete_netstack(ipss
->ipsec_ksp
,
579 ipss
->ipsec_netstack
->netstack_stackid
);
580 ipss
->ipsec_kstats
= NULL
;
585 * Initialize the IPsec stack instance.
589 ipsec_stack_init(netstackid_t stackid
, netstack_t
*ns
)
594 ipss
= (ipsec_stack_t
*)kmem_zalloc(sizeof (*ipss
), KM_SLEEP
);
595 ipss
->ipsec_netstack
= ns
;
598 * FIXME: netstack_ipsec is used by some of the routines we call
599 * below, but it isn't set until this routine returns.
600 * Either we introduce optional xxx_stack_alloc() functions
601 * that will be called by the netstack framework before xxx_stack_init,
602 * or we switch spd.c and sadb.c to operate on ipsec_stack_t
603 * (latter has some include file order issues for sadb.h, but makes
604 * sense if we merge some of the ipsec related stack_t's together.
606 ns
->netstack_ipsec
= ipss
;
609 * Make two attempts to allocate policy hash tables; try it at
610 * the "preferred" size (may be set in /etc/system) first,
611 * then fall back to the default size.
613 ipss
->ipsec_spd_hashsize
= (ipsec_spd_hashsize
== 0) ?
614 IPSEC_SPDHASH_DEFAULT
: ipsec_spd_hashsize
;
616 if (ipsec_alloc_tables(KM_NOSLEEP
, ns
) != 0) {
618 "Unable to allocate %d entry IPsec policy hash table",
619 ipss
->ipsec_spd_hashsize
);
620 ipss
->ipsec_spd_hashsize
= IPSEC_SPDHASH_DEFAULT
;
621 cmn_err(CE_WARN
, "Falling back to %d entries",
622 ipss
->ipsec_spd_hashsize
);
623 (void) ipsec_alloc_tables(KM_SLEEP
, ns
);
626 /* Just set a default for tunnels. */
627 ipss
->ipsec_tun_spd_hashsize
= (tun_spd_hashsize
== 0) ?
628 TUN_SPDHASH_DEFAULT
: tun_spd_hashsize
;
632 * Globals need ref == 1 to prevent IPPH_REFRELE() from attempting
635 ipss
->ipsec_system_policy
.iph_refs
= 1;
636 ipss
->ipsec_inactive_policy
.iph_refs
= 1;
637 ipsec_polhead_init(&ipss
->ipsec_system_policy
,
638 ipss
->ipsec_spd_hashsize
);
639 ipsec_polhead_init(&ipss
->ipsec_inactive_policy
,
640 ipss
->ipsec_spd_hashsize
);
641 rw_init(&ipss
->ipsec_tunnel_policy_lock
, NULL
, RW_DEFAULT
, NULL
);
642 avl_create(&ipss
->ipsec_tunnel_policies
, tunnel_compare
,
643 sizeof (ipsec_tun_pol_t
), 0);
645 ipss
->ipsec_next_policy_index
= 1;
647 rw_init(&ipss
->ipsec_system_policy
.iph_lock
, NULL
, RW_DEFAULT
, NULL
);
648 rw_init(&ipss
->ipsec_inactive_policy
.iph_lock
, NULL
, RW_DEFAULT
, NULL
);
650 for (i
= 0; i
< IPSEC_ACTION_HASH_SIZE
; i
++)
651 mutex_init(&(ipss
->ipsec_action_hash
[i
].hash_lock
),
652 NULL
, MUTEX_DEFAULT
, NULL
);
654 for (i
= 0; i
< ipss
->ipsec_spd_hashsize
; i
++)
655 mutex_init(&(ipss
->ipsec_sel_hash
[i
].hash_lock
),
656 NULL
, MUTEX_DEFAULT
, NULL
);
658 rw_init(&ipss
->ipsec_alg_lock
, NULL
, RW_DEFAULT
, NULL
);
659 for (i
= 0; i
< IPSEC_NALGTYPES
; i
++) {
660 ipss
->ipsec_nalgs
[i
] = 0;
664 ip_drop_register(&ipss
->ipsec_spd_dropper
, "IPsec SPD");
666 /* IP's IPsec code calls the packet dropper */
667 ip_drop_register(&ipss
->ipsec_dropper
, "IP IPsec processing");
669 (void) ipsec_kstat_init(ipss
);
671 ipsec_loader_init(ipss
);
672 ipsec_loader_start(ipss
);
677 /* Global across all stack instances */
679 ipsec_policy_g_init(void)
681 ipsec_action_cache
= kmem_cache_create("ipsec_actions",
682 sizeof (ipsec_action_t
), _POINTER_ALIGNMENT
, NULL
, NULL
,
683 ipsec_action_reclaim
, NULL
, NULL
, 0);
684 ipsec_sel_cache
= kmem_cache_create("ipsec_selectors",
685 sizeof (ipsec_sel_t
), _POINTER_ALIGNMENT
, NULL
, NULL
,
686 NULL
, NULL
, NULL
, 0);
687 ipsec_pol_cache
= kmem_cache_create("ipsec_policy",
688 sizeof (ipsec_policy_t
), _POINTER_ALIGNMENT
, NULL
, NULL
,
689 NULL
, NULL
, NULL
, 0);
692 * We want to be informed each time a stack is created or
693 * destroyed in the kernel, so we can maintain the
694 * set of ipsec_stack_t's.
696 netstack_register(NS_IPSEC
, ipsec_stack_init
, NULL
, ipsec_stack_fini
);
700 * Sort algorithm lists.
702 * I may need to split this based on
703 * authentication/encryption, and I may wish to have an administrator
704 * configure this list. Hold on to some NDD variables...
706 * XXX For now, sort on minimum key size (GAG!). While minimum key size is
707 * not the ideal metric, it's the only quantifiable measure available.
708 * We need a better metric for sorting algorithms by preference.
711 alg_insert_sortlist(enum ipsec_algtype at
, uint8_t algid
, netstack_t
*ns
)
713 ipsec_stack_t
*ipss
= ns
->netstack_ipsec
;
714 ipsec_alginfo_t
*ai
= ipss
->ipsec_alglists
[at
][algid
];
715 uint8_t holder
, swap
;
717 uint_t count
= ipss
->ipsec_nalgs
[at
];
719 ASSERT(algid
== ai
->alg_id
);
721 ASSERT(RW_WRITE_HELD(&ipss
->ipsec_alg_lock
));
725 for (i
= 0; i
< count
- 1; i
++) {
726 ipsec_alginfo_t
*alt
;
728 alt
= ipss
->ipsec_alglists
[at
][ipss
->ipsec_sortlist
[at
][i
]];
730 * If you want to give precedence to newly added algs,
731 * add the = in the > comparison.
733 if ((holder
!= algid
) || (ai
->alg_minbits
> alt
->alg_minbits
)) {
734 /* Swap sortlist[i] and holder. */
735 swap
= ipss
->ipsec_sortlist
[at
][i
];
736 ipss
->ipsec_sortlist
[at
][i
] = holder
;
739 } /* Else just continue. */
742 /* Store holder in last slot. */
743 ipss
->ipsec_sortlist
[at
][i
] = holder
;
747 * Remove an algorithm from a sorted algorithm list.
748 * This should be considerably easier, even with complex sorting.
751 alg_remove_sortlist(enum ipsec_algtype at
, uint8_t algid
, netstack_t
*ns
)
753 boolean_t copyback
= B_FALSE
;
755 ipsec_stack_t
*ipss
= ns
->netstack_ipsec
;
756 int newcount
= ipss
->ipsec_nalgs
[at
];
758 ASSERT(RW_WRITE_HELD(&ipss
->ipsec_alg_lock
));
760 for (i
= 0; i
<= newcount
; i
++) {
762 ipss
->ipsec_sortlist
[at
][i
-1] =
763 ipss
->ipsec_sortlist
[at
][i
];
764 } else if (ipss
->ipsec_sortlist
[at
][i
] == algid
) {
771 * Add the specified algorithm to the algorithm tables.
772 * Must be called while holding the algorithm table writer lock.
775 ipsec_alg_reg(ipsec_algtype_t algtype
, ipsec_alginfo_t
*alg
, netstack_t
*ns
)
777 ipsec_stack_t
*ipss
= ns
->netstack_ipsec
;
779 ASSERT(RW_WRITE_HELD(&ipss
->ipsec_alg_lock
));
781 ASSERT(ipss
->ipsec_alglists
[algtype
][alg
->alg_id
] == NULL
);
782 ipsec_alg_fix_min_max(alg
, algtype
, ns
);
783 ipss
->ipsec_alglists
[algtype
][alg
->alg_id
] = alg
;
785 ipss
->ipsec_nalgs
[algtype
]++;
786 alg_insert_sortlist(algtype
, alg
->alg_id
, ns
);
790 * Remove the specified algorithm from the algorithm tables.
791 * Must be called while holding the algorithm table writer lock.
794 ipsec_alg_unreg(ipsec_algtype_t algtype
, uint8_t algid
, netstack_t
*ns
)
796 ipsec_stack_t
*ipss
= ns
->netstack_ipsec
;
798 ASSERT(RW_WRITE_HELD(&ipss
->ipsec_alg_lock
));
800 ASSERT(ipss
->ipsec_alglists
[algtype
][algid
] != NULL
);
801 ipsec_alg_free(ipss
->ipsec_alglists
[algtype
][algid
]);
802 ipss
->ipsec_alglists
[algtype
][algid
] = NULL
;
804 ipss
->ipsec_nalgs
[algtype
]--;
805 alg_remove_sortlist(algtype
, algid
, ns
);
809 * Hooks for spdsock to get a grip on system policy.
812 ipsec_policy_head_t
*
813 ipsec_system_policy(netstack_t
*ns
)
815 ipsec_stack_t
*ipss
= ns
->netstack_ipsec
;
816 ipsec_policy_head_t
*h
= &ipss
->ipsec_system_policy
;
822 ipsec_policy_head_t
*
823 ipsec_inactive_policy(netstack_t
*ns
)
825 ipsec_stack_t
*ipss
= ns
->netstack_ipsec
;
826 ipsec_policy_head_t
*h
= &ipss
->ipsec_inactive_policy
;
833 * Lock inactive policy, then active policy, then exchange policy root
837 ipsec_swap_policy(ipsec_policy_head_t
*active
, ipsec_policy_head_t
*inactive
,
843 rw_enter(&inactive
->iph_lock
, RW_WRITER
);
844 rw_enter(&active
->iph_lock
, RW_WRITER
);
846 r1
= active
->iph_rulebyid
;
847 r2
= inactive
->iph_rulebyid
;
848 active
->iph_rulebyid
= r2
;
849 inactive
->iph_rulebyid
= r1
;
851 for (dir
= 0; dir
< IPSEC_NTYPES
; dir
++) {
852 ipsec_policy_hash_t
*h1
, *h2
;
854 h1
= active
->iph_root
[dir
].ipr_hash
;
855 h2
= inactive
->iph_root
[dir
].ipr_hash
;
856 active
->iph_root
[dir
].ipr_hash
= h2
;
857 inactive
->iph_root
[dir
].ipr_hash
= h1
;
859 for (af
= 0; af
< IPSEC_NAF
; af
++) {
860 ipsec_policy_t
*t1
, *t2
;
862 t1
= active
->iph_root
[dir
].ipr_nonhash
[af
];
863 t2
= inactive
->iph_root
[dir
].ipr_nonhash
[af
];
864 active
->iph_root
[dir
].ipr_nonhash
[af
] = t2
;
865 inactive
->iph_root
[dir
].ipr_nonhash
[af
] = t1
;
867 t1
->ipsp_hash
.hash_pp
=
868 &(inactive
->iph_root
[dir
].ipr_nonhash
[af
]);
871 t2
->ipsp_hash
.hash_pp
=
872 &(active
->iph_root
[dir
].ipr_nonhash
[af
]);
879 ipsec_update_present_flags(ns
->netstack_ipsec
);
880 rw_exit(&active
->iph_lock
);
881 rw_exit(&inactive
->iph_lock
);
885 * Swap global policy primary/secondary.
888 ipsec_swap_global_policy(netstack_t
*ns
)
890 ipsec_stack_t
*ipss
= ns
->netstack_ipsec
;
892 ipsec_swap_policy(&ipss
->ipsec_system_policy
,
893 &ipss
->ipsec_inactive_policy
, ns
);
897 * Clone one policy rule..
899 static ipsec_policy_t
*
900 ipsec_copy_policy(const ipsec_policy_t
*src
)
902 ipsec_policy_t
*dst
= kmem_cache_alloc(ipsec_pol_cache
, KM_NOSLEEP
);
908 * Adjust refcounts of cloned state.
910 IPACT_REFHOLD(src
->ipsp_act
);
911 src
->ipsp_sel
->ipsl_refs
++;
913 HASH_NULL(dst
, ipsp_hash
);
914 dst
->ipsp_netstack
= src
->ipsp_netstack
;
916 dst
->ipsp_sel
= src
->ipsp_sel
;
917 dst
->ipsp_act
= src
->ipsp_act
;
918 dst
->ipsp_prio
= src
->ipsp_prio
;
919 dst
->ipsp_index
= src
->ipsp_index
;
925 ipsec_insert_always(avl_tree_t
*tree
, void *new_node
)
930 node
= avl_find(tree
, new_node
, &where
);
931 ASSERT(node
== NULL
);
932 avl_insert(tree
, new_node
, where
);
937 ipsec_copy_chain(ipsec_policy_head_t
*dph
, ipsec_policy_t
*src
,
938 ipsec_policy_t
**dstp
)
940 for (; src
!= NULL
; src
= src
->ipsp_hash
.hash_next
) {
941 ipsec_policy_t
*dst
= ipsec_copy_policy(src
);
945 HASHLIST_INSERT(dst
, ipsp_hash
, *dstp
);
946 ipsec_insert_always(&dph
->iph_rulebyid
, dst
);
954 * Make one policy head look exactly like another.
956 * As with ipsec_swap_policy, we lock the destination policy head first, then
957 * the source policy head. Note that we only need to read-lock the source
958 * policy head as we are not changing it.
961 ipsec_copy_polhead(ipsec_policy_head_t
*sph
, ipsec_policy_head_t
*dph
,
964 int af
, dir
, chain
, nchains
;
966 rw_enter(&dph
->iph_lock
, RW_WRITER
);
968 ipsec_polhead_flush(dph
, ns
);
970 rw_enter(&sph
->iph_lock
, RW_READER
);
972 for (dir
= 0; dir
< IPSEC_NTYPES
; dir
++) {
973 ipsec_policy_root_t
*dpr
= &dph
->iph_root
[dir
];
974 ipsec_policy_root_t
*spr
= &sph
->iph_root
[dir
];
975 nchains
= dpr
->ipr_nchains
;
977 ASSERT(dpr
->ipr_nchains
== spr
->ipr_nchains
);
979 for (af
= 0; af
< IPSEC_NAF
; af
++) {
980 if (ipsec_copy_chain(dph
, spr
->ipr_nonhash
[af
],
981 &dpr
->ipr_nonhash
[af
]))
985 for (chain
= 0; chain
< nchains
; chain
++) {
986 if (ipsec_copy_chain(dph
,
987 spr
->ipr_hash
[chain
].hash_head
,
988 &dpr
->ipr_hash
[chain
].hash_head
))
995 rw_exit(&sph
->iph_lock
);
996 rw_exit(&dph
->iph_lock
);
1000 ipsec_polhead_flush(dph
, ns
);
1001 rw_exit(&sph
->iph_lock
);
1002 rw_exit(&dph
->iph_lock
);
1007 * Clone currently active policy to the inactive policy list.
1010 ipsec_clone_system_policy(netstack_t
*ns
)
1012 ipsec_stack_t
*ipss
= ns
->netstack_ipsec
;
1014 return (ipsec_copy_polhead(&ipss
->ipsec_system_policy
,
1015 &ipss
->ipsec_inactive_policy
, ns
));
1019 * Extract the string from ipsec_policy_failure_msgs[type] and
1024 ipsec_log_policy_failure(int type
, char *func_name
, ipha_t
*ipha
, ip6_t
*ip6h
,
1025 boolean_t secure
, netstack_t
*ns
)
1027 char sbuf
[INET6_ADDRSTRLEN
];
1028 char dbuf
[INET6_ADDRSTRLEN
];
1031 ipsec_stack_t
*ipss
= ns
->netstack_ipsec
;
1033 ASSERT((ipha
== NULL
&& ip6h
!= NULL
) ||
1034 (ip6h
== NULL
&& ipha
!= NULL
));
1037 s
= inet_ntop(AF_INET
, &ipha
->ipha_src
, sbuf
, sizeof (sbuf
));
1038 d
= inet_ntop(AF_INET
, &ipha
->ipha_dst
, dbuf
, sizeof (dbuf
));
1040 s
= inet_ntop(AF_INET6
, &ip6h
->ip6_src
, sbuf
, sizeof (sbuf
));
1041 d
= inet_ntop(AF_INET6
, &ip6h
->ip6_dst
, dbuf
, sizeof (dbuf
));
1045 /* Always bump the policy failure counter. */
1046 ipss
->ipsec_policy_failure_count
[type
]++;
1048 ipsec_rl_strlog(ns
, IP_MOD_ID
, 0, 0, SL_ERROR
|SL_WARN
|SL_CONSOLE
,
1049 ipsec_policy_failure_msgs
[type
], func_name
,
1050 (secure
? "secure" : "not secure"), s
, d
);
1054 * Rate-limiting front-end to strlog() for AH and ESP. Uses the ndd variables
1055 * in /dev/ip and the same rate-limiting clock so that there's a single
1056 * knob to turn to throttle the rate of messages.
1059 ipsec_rl_strlog(netstack_t
*ns
, short mid
, short sid
, char level
, ushort_t sl
,
1063 hrtime_t current
= gethrtime();
1064 ip_stack_t
*ipst
= ns
->netstack_ip
;
1065 ipsec_stack_t
*ipss
= ns
->netstack_ipsec
;
1069 * Throttle logging to stop syslog from being swamped. If variable
1070 * 'ipsec_policy_log_interval' is zero, don't log any messages at
1071 * all, otherwise log only one message every 'ipsec_policy_log_interval'
1072 * msec. Convert interval (in msec) to hrtime (in nsec).
1075 if (ipst
->ips_ipsec_policy_log_interval
) {
1076 if (ipss
->ipsec_policy_failure_last
+
1077 MSEC2NSEC(ipst
->ips_ipsec_policy_log_interval
) <= current
) {
1079 (void) vstrlog(mid
, sid
, level
, sl
, fmt
, adx
);
1081 ipss
->ipsec_policy_failure_last
= current
;
1087 ipsec_config_flush(netstack_t
*ns
)
1089 ipsec_stack_t
*ipss
= ns
->netstack_ipsec
;
1091 rw_enter(&ipss
->ipsec_system_policy
.iph_lock
, RW_WRITER
);
1092 ipsec_polhead_flush(&ipss
->ipsec_system_policy
, ns
);
1093 ipss
->ipsec_next_policy_index
= 1;
1094 rw_exit(&ipss
->ipsec_system_policy
.iph_lock
);
1095 ipsec_action_reclaim_stack(ipss
);
1099 * Clip a policy's min/max keybits vs. the capabilities of the
1103 act_alg_adjust(uint_t algtype
, uint_t algid
,
1104 uint16_t *minbits
, uint16_t *maxbits
, netstack_t
*ns
)
1106 ipsec_stack_t
*ipss
= ns
->netstack_ipsec
;
1107 ipsec_alginfo_t
*algp
= ipss
->ipsec_alglists
[algtype
][algid
];
1111 * If passed-in minbits is zero, we assume the caller trusts
1112 * us with setting the minimum key size. We pick the
1113 * algorithms DEFAULT key size for the minimum in this case.
1115 if (*minbits
== 0) {
1116 *minbits
= algp
->alg_default_bits
;
1117 ASSERT(*minbits
>= algp
->alg_minbits
);
1119 *minbits
= MAX(MIN(*minbits
, algp
->alg_maxbits
),
1123 *maxbits
= algp
->alg_maxbits
;
1125 *maxbits
= MIN(MAX(*maxbits
, algp
->alg_minbits
),
1127 ASSERT(*minbits
<= *maxbits
);
1135 * Check an action's requested algorithms against the algorithms currently
1136 * loaded in the system.
1139 ipsec_check_action(ipsec_act_t
*act
, int *diag
, netstack_t
*ns
)
1142 ipsec_stack_t
*ipss
= ns
->netstack_ipsec
;
1144 ipp
= &act
->ipa_apply
;
1146 if (ipp
->ipp_use_ah
&&
1147 ipss
->ipsec_alglists
[IPSEC_ALG_AUTH
][ipp
->ipp_auth_alg
] == NULL
) {
1148 *diag
= SPD_DIAGNOSTIC_UNSUPP_AH_ALG
;
1151 if (ipp
->ipp_use_espa
&&
1152 ipss
->ipsec_alglists
[IPSEC_ALG_AUTH
][ipp
->ipp_esp_auth_alg
] ==
1154 *diag
= SPD_DIAGNOSTIC_UNSUPP_ESP_AUTH_ALG
;
1157 if (ipp
->ipp_use_esp
&&
1158 ipss
->ipsec_alglists
[IPSEC_ALG_ENCR
][ipp
->ipp_encr_alg
] == NULL
) {
1159 *diag
= SPD_DIAGNOSTIC_UNSUPP_ESP_ENCR_ALG
;
1163 act_alg_adjust(IPSEC_ALG_AUTH
, ipp
->ipp_auth_alg
,
1164 &ipp
->ipp_ah_minbits
, &ipp
->ipp_ah_maxbits
, ns
);
1165 act_alg_adjust(IPSEC_ALG_AUTH
, ipp
->ipp_esp_auth_alg
,
1166 &ipp
->ipp_espa_minbits
, &ipp
->ipp_espa_maxbits
, ns
);
1167 act_alg_adjust(IPSEC_ALG_ENCR
, ipp
->ipp_encr_alg
,
1168 &ipp
->ipp_espe_minbits
, &ipp
->ipp_espe_maxbits
, ns
);
1170 if (ipp
->ipp_ah_minbits
> ipp
->ipp_ah_maxbits
) {
1171 *diag
= SPD_DIAGNOSTIC_UNSUPP_AH_KEYSIZE
;
1174 if (ipp
->ipp_espa_minbits
> ipp
->ipp_espa_maxbits
) {
1175 *diag
= SPD_DIAGNOSTIC_UNSUPP_ESP_AUTH_KEYSIZE
;
1178 if (ipp
->ipp_espe_minbits
> ipp
->ipp_espe_maxbits
) {
1179 *diag
= SPD_DIAGNOSTIC_UNSUPP_ESP_ENCR_KEYSIZE
;
1182 /* TODO: sanity check lifetimes */
1187 * Set up a single action during wildcard expansion..
1190 ipsec_setup_act(ipsec_act_t
*outact
, ipsec_act_t
*act
,
1191 uint_t auth_alg
, uint_t encr_alg
, uint_t eauth_alg
, netstack_t
*ns
)
1196 ipp
= &outact
->ipa_apply
;
1197 ipp
->ipp_auth_alg
= (uint8_t)auth_alg
;
1198 ipp
->ipp_encr_alg
= (uint8_t)encr_alg
;
1199 ipp
->ipp_esp_auth_alg
= (uint8_t)eauth_alg
;
1201 act_alg_adjust(IPSEC_ALG_AUTH
, auth_alg
,
1202 &ipp
->ipp_ah_minbits
, &ipp
->ipp_ah_maxbits
, ns
);
1203 act_alg_adjust(IPSEC_ALG_AUTH
, eauth_alg
,
1204 &ipp
->ipp_espa_minbits
, &ipp
->ipp_espa_maxbits
, ns
);
1205 act_alg_adjust(IPSEC_ALG_ENCR
, encr_alg
,
1206 &ipp
->ipp_espe_minbits
, &ipp
->ipp_espe_maxbits
, ns
);
1210 * combinatoric expansion time: expand a wildcarded action into an
1211 * array of wildcarded actions; we return the exploded action list,
1212 * and return a count in *nact (output only).
1214 static ipsec_act_t
*
1215 ipsec_act_wildcard_expand(ipsec_act_t
*act
, uint_t
*nact
, netstack_t
*ns
)
1217 boolean_t use_ah
, use_esp
, use_espa
;
1218 boolean_t wild_auth
, wild_encr
, wild_eauth
;
1219 uint_t auth_alg
, auth_idx
, auth_min
, auth_max
;
1220 uint_t eauth_alg
, eauth_idx
, eauth_min
, eauth_max
;
1221 uint_t encr_alg
, encr_idx
, encr_min
, encr_max
;
1222 uint_t action_count
, ai
;
1223 ipsec_act_t
*outact
;
1224 ipsec_stack_t
*ipss
= ns
->netstack_ipsec
;
1226 if (act
->ipa_type
!= IPSEC_ACT_APPLY
) {
1227 outact
= kmem_alloc(sizeof (*act
), KM_NOSLEEP
);
1230 bcopy(act
, outact
, sizeof (*act
));
1234 * compute the combinatoric explosion..
1236 * we assume a request for encr if esp_req is PREF_REQUIRED
1237 * we assume a request for ah auth if ah_req is PREF_REQUIRED.
1238 * we assume a request for esp auth if !ah and esp_req is PREF_REQUIRED
1241 use_ah
= act
->ipa_apply
.ipp_use_ah
;
1242 use_esp
= act
->ipa_apply
.ipp_use_esp
;
1243 use_espa
= act
->ipa_apply
.ipp_use_espa
;
1244 auth_alg
= act
->ipa_apply
.ipp_auth_alg
;
1245 eauth_alg
= act
->ipa_apply
.ipp_esp_auth_alg
;
1246 encr_alg
= act
->ipa_apply
.ipp_encr_alg
;
1248 wild_auth
= use_ah
&& (auth_alg
== 0);
1249 wild_eauth
= use_espa
&& (eauth_alg
== 0);
1250 wild_encr
= use_esp
&& (encr_alg
== 0);
1253 auth_min
= auth_max
= auth_alg
;
1254 eauth_min
= eauth_max
= eauth_alg
;
1255 encr_min
= encr_max
= encr_alg
;
1258 * set up for explosion.. for each dimension, expand output
1259 * size by the explosion factor.
1261 * Don't include the "any" algorithms, if defined, as no
1262 * kernel policies should be set for these algorithms.
1265 #define SET_EXP_MINMAX(type, wild, alg, min, max, ipss) \
1267 int nalgs = ipss->ipsec_nalgs[type]; \
1268 if (ipss->ipsec_alglists[type][alg] != NULL) \
1270 action_count *= nalgs; \
1272 max = ipss->ipsec_nalgs[type] - 1; \
1275 SET_EXP_MINMAX(IPSEC_ALG_AUTH
, wild_auth
, SADB_AALG_NONE
,
1276 auth_min
, auth_max
, ipss
);
1277 SET_EXP_MINMAX(IPSEC_ALG_AUTH
, wild_eauth
, SADB_AALG_NONE
,
1278 eauth_min
, eauth_max
, ipss
);
1279 SET_EXP_MINMAX(IPSEC_ALG_ENCR
, wild_encr
, SADB_EALG_NONE
,
1280 encr_min
, encr_max
, ipss
);
1282 #undef SET_EXP_MINMAX
1285 * ok, allocate the whole mess..
1288 outact
= kmem_alloc(sizeof (*outact
) * action_count
, KM_NOSLEEP
);
1293 * Now compute all combinations. Note that non-wildcarded
1294 * dimensions just get a single value from auth_min, while
1295 * wildcarded dimensions indirect through the sortlist.
1297 * We do encryption outermost since, at this time, there's
1298 * greater difference in security and performance between
1299 * encryption algorithms vs. authentication algorithms.
1304 #define WHICH_ALG(type, wild, idx, ipss) \
1305 ((wild)?(ipss->ipsec_sortlist[type][idx]):(idx))
1307 for (encr_idx
= encr_min
; encr_idx
<= encr_max
; encr_idx
++) {
1308 encr_alg
= WHICH_ALG(IPSEC_ALG_ENCR
, wild_encr
, encr_idx
, ipss
);
1309 if (wild_encr
&& encr_alg
== SADB_EALG_NONE
)
1311 for (auth_idx
= auth_min
; auth_idx
<= auth_max
; auth_idx
++) {
1312 auth_alg
= WHICH_ALG(IPSEC_ALG_AUTH
, wild_auth
,
1314 if (wild_auth
&& auth_alg
== SADB_AALG_NONE
)
1316 for (eauth_idx
= eauth_min
; eauth_idx
<= eauth_max
;
1318 eauth_alg
= WHICH_ALG(IPSEC_ALG_AUTH
,
1319 wild_eauth
, eauth_idx
, ipss
);
1320 if (wild_eauth
&& eauth_alg
== SADB_AALG_NONE
)
1323 ipsec_setup_act(&outact
[ai
], act
,
1324 auth_alg
, encr_alg
, eauth_alg
, ns
);
1332 ASSERT(ai
== action_count
);
1333 *nact
= action_count
;
1338 * Extract the parts of an ipsec_prot_t from an old-style ipsec_req_t.
1341 ipsec_prot_from_req(const ipsec_req_t
*req
, ipsec_prot_t
*ipp
)
1343 bzero(ipp
, sizeof (*ipp
));
1345 * ipp_use_* are bitfields. Look at "!!" in the following as a
1346 * "boolean canonicalization" operator.
1348 ipp
->ipp_use_ah
= !!(req
->ipsr_ah_req
& IPSEC_PREF_REQUIRED
);
1349 ipp
->ipp_use_esp
= !!(req
->ipsr_esp_req
& IPSEC_PREF_REQUIRED
);
1350 ipp
->ipp_use_espa
= !!(req
->ipsr_esp_auth_alg
);
1351 ipp
->ipp_use_se
= !!(req
->ipsr_self_encap_req
& IPSEC_PREF_REQUIRED
);
1352 ipp
->ipp_use_unique
= !!((req
->ipsr_ah_req
|req
->ipsr_esp_req
) &
1354 ipp
->ipp_encr_alg
= req
->ipsr_esp_alg
;
1356 * SADB_AALG_ANY is a placeholder to distinguish "any" from
1357 * "none" above. If auth is required, as determined above,
1358 * SADB_AALG_ANY becomes 0, which is the representation
1359 * of "any" and "none" in PF_KEY v2.
1361 ipp
->ipp_auth_alg
= (req
->ipsr_auth_alg
!= SADB_AALG_ANY
) ?
1362 req
->ipsr_auth_alg
: 0;
1363 ipp
->ipp_esp_auth_alg
= (req
->ipsr_esp_auth_alg
!= SADB_AALG_ANY
) ?
1364 req
->ipsr_esp_auth_alg
: 0;
1368 * Extract a new-style action from a request.
1371 ipsec_actvec_from_req(const ipsec_req_t
*req
, ipsec_act_t
**actp
, uint_t
*nactp
,
1374 struct ipsec_act act
;
1376 bzero(&act
, sizeof (act
));
1377 if ((req
->ipsr_ah_req
& IPSEC_PREF_NEVER
) &&
1378 (req
->ipsr_esp_req
& IPSEC_PREF_NEVER
)) {
1379 act
.ipa_type
= IPSEC_ACT_BYPASS
;
1381 act
.ipa_type
= IPSEC_ACT_APPLY
;
1382 ipsec_prot_from_req(req
, &act
.ipa_apply
);
1384 *actp
= ipsec_act_wildcard_expand(&act
, nactp
, ns
);
1388 * Convert a new-style "prot" back to an ipsec_req_t (more backwards compat).
1389 * We assume caller has already zero'ed *req for us.
1392 ipsec_req_from_prot(ipsec_prot_t
*ipp
, ipsec_req_t
*req
)
1394 req
->ipsr_esp_alg
= ipp
->ipp_encr_alg
;
1395 req
->ipsr_auth_alg
= ipp
->ipp_auth_alg
;
1396 req
->ipsr_esp_auth_alg
= ipp
->ipp_esp_auth_alg
;
1398 if (ipp
->ipp_use_unique
) {
1399 req
->ipsr_ah_req
|= IPSEC_PREF_UNIQUE
;
1400 req
->ipsr_esp_req
|= IPSEC_PREF_UNIQUE
;
1402 if (ipp
->ipp_use_se
)
1403 req
->ipsr_self_encap_req
|= IPSEC_PREF_REQUIRED
;
1404 if (ipp
->ipp_use_ah
)
1405 req
->ipsr_ah_req
|= IPSEC_PREF_REQUIRED
;
1406 if (ipp
->ipp_use_esp
)
1407 req
->ipsr_esp_req
|= IPSEC_PREF_REQUIRED
;
1408 return (sizeof (*req
));
1412 * Convert a new-style action back to an ipsec_req_t (more backwards compat).
1413 * We assume caller has already zero'ed *req for us.
1416 ipsec_req_from_act(ipsec_action_t
*ap
, ipsec_req_t
*req
)
1418 switch (ap
->ipa_act
.ipa_type
) {
1419 case IPSEC_ACT_BYPASS
:
1420 req
->ipsr_ah_req
= IPSEC_PREF_NEVER
;
1421 req
->ipsr_esp_req
= IPSEC_PREF_NEVER
;
1422 return (sizeof (*req
));
1423 case IPSEC_ACT_APPLY
:
1424 return (ipsec_req_from_prot(&ap
->ipa_act
.ipa_apply
, req
));
1426 return (sizeof (*req
));
1430 * Convert a new-style action back to an ipsec_req_t (more backwards compat).
1431 * We assume caller has already zero'ed *req for us.
1434 ipsec_req_from_head(ipsec_policy_head_t
*ph
, ipsec_req_t
*req
, int af
)
1439 * FULL-PERSOCK: consult hash table, too?
1441 for (p
= ph
->iph_root
[IPSEC_INBOUND
].ipr_nonhash
[af
];
1443 p
= p
->ipsp_hash
.hash_next
) {
1444 if ((p
->ipsp_sel
->ipsl_key
.ipsl_valid
& IPSL_WILDCARD
) == 0)
1445 return (ipsec_req_from_act(p
->ipsp_act
, req
));
1447 return (sizeof (*req
));
1451 * Based on per-socket or latched policy, convert to an appropriate
1452 * IP_SEC_OPT ipsec_req_t for the socket option; return size so we can
1453 * be tail-called from ip.
1456 ipsec_req_from_conn(conn_t
*connp
, ipsec_req_t
*req
, int af
)
1459 int rv
= sizeof (ipsec_req_t
);
1461 bzero(req
, sizeof (*req
));
1463 ASSERT(MUTEX_HELD(&connp
->conn_lock
));
1464 ipl
= connp
->conn_latch
;
1467 * Find appropriate policy. First choice is latched action;
1468 * failing that, see latched policy; failing that,
1469 * look at configured policy.
1472 if (connp
->conn_latch_in_action
!= NULL
) {
1473 rv
= ipsec_req_from_act(connp
->conn_latch_in_action
,
1477 if (connp
->conn_latch_in_policy
!= NULL
) {
1478 rv
= ipsec_req_from_act(
1479 connp
->conn_latch_in_policy
->ipsp_act
, req
);
1483 if (connp
->conn_policy
!= NULL
)
1484 rv
= ipsec_req_from_head(connp
->conn_policy
, req
, af
);
1490 ipsec_actvec_free(ipsec_act_t
*act
, uint_t nact
)
1492 kmem_free(act
, nact
* sizeof (*act
));
1496 * Consumes a reference to ipsp.
1499 ipsec_check_loopback_policy(mblk_t
*data_mp
, ip_recv_attr_t
*ira
,
1500 ipsec_policy_t
*ipsp
)
1502 if (!(ira
->ira_flags
& IRAF_IPSEC_SECURE
))
1505 ASSERT(ira
->ira_flags
& IRAF_LOOPBACK
);
1507 IPPOL_REFRELE(ipsp
);
1510 * We should do an actual policy check here. Revisit this
1511 * when we revisit the IPsec API. (And pass a conn_t in when we
1519 * Check that packet's inbound ports & proto match the selectors
1520 * expected by the SAs it traversed on the way in.
1523 ipsec_check_ipsecin_unique(ip_recv_attr_t
*ira
, const char **reason
,
1524 kstat_named_t
**counter
, uint64_t pkt_unique
, netstack_t
*ns
)
1526 uint64_t ah_mask
, esp_mask
;
1529 ipsec_stack_t
*ipss
= ns
->netstack_ipsec
;
1531 ASSERT(ira
->ira_flags
& IRAF_IPSEC_SECURE
);
1532 ASSERT(!(ira
->ira_flags
& IRAF_LOOPBACK
));
1534 ah_assoc
= ira
->ira_ipsec_ah_sa
;
1535 esp_assoc
= ira
->ira_ipsec_esp_sa
;
1536 ASSERT((ah_assoc
!= NULL
) || (esp_assoc
!= NULL
));
1538 ah_mask
= (ah_assoc
!= NULL
) ? ah_assoc
->ipsa_unique_mask
: 0;
1539 esp_mask
= (esp_assoc
!= NULL
) ? esp_assoc
->ipsa_unique_mask
: 0;
1541 if ((ah_mask
== 0) && (esp_mask
== 0))
1545 * The pkt_unique check will also check for tunnel mode on the SA
1546 * vs. the tunneled_packet boolean. "Be liberal in what you receive"
1547 * should not apply in this case. ;)
1551 ah_assoc
->ipsa_unique_id
!= (pkt_unique
& ah_mask
)) {
1552 *reason
= "AH inner header mismatch";
1553 *counter
= DROPPER(ipss
, ipds_spd_ah_innermismatch
);
1556 if (esp_mask
!= 0 &&
1557 esp_assoc
->ipsa_unique_id
!= (pkt_unique
& esp_mask
)) {
1558 *reason
= "ESP inner header mismatch";
1559 *counter
= DROPPER(ipss
, ipds_spd_esp_innermismatch
);
1566 ipsec_check_ipsecin_action(ip_recv_attr_t
*ira
, mblk_t
*mp
, ipsec_action_t
*ap
,
1567 ipha_t
*ipha
, ip6_t
*ip6h
, const char **reason
, kstat_named_t
**counter
,
1570 boolean_t ret
= B_TRUE
;
1575 ipsec_stack_t
*ipss
= ns
->netstack_ipsec
;
1577 ASSERT((ipha
== NULL
&& ip6h
!= NULL
) ||
1578 (ip6h
== NULL
&& ipha
!= NULL
));
1580 if (ira
->ira_flags
& IRAF_LOOPBACK
) {
1582 * Besides accepting pointer-equivalent actions, we also
1583 * accept any ICMP errors we generated for ourselves,
1584 * regardless of policy. If we do not wish to make this
1585 * assumption in the future, check here, and where
1586 * IXAF_TRUSTED_ICMP is initialized in ip.c and ip6.c.
1588 if (ap
== ira
->ira_ipsec_action
||
1589 (ira
->ira_flags
& IRAF_TRUSTED_ICMP
))
1592 /* Deep compare necessary here?? */
1593 *counter
= DROPPER(ipss
, ipds_spd_loopback_mismatch
);
1594 *reason
= "loopback policy mismatch";
1597 ASSERT(!(ira
->ira_flags
& IRAF_TRUSTED_ICMP
));
1598 ASSERT(ira
->ira_flags
& IRAF_IPSEC_SECURE
);
1600 ah_assoc
= ira
->ira_ipsec_ah_sa
;
1601 esp_assoc
= ira
->ira_ipsec_esp_sa
;
1603 decaps
= (ira
->ira_flags
& IRAF_IPSEC_DECAPS
);
1605 switch (ap
->ipa_act
.ipa_type
) {
1606 case IPSEC_ACT_DISCARD
:
1607 case IPSEC_ACT_REJECT
:
1608 /* Should "fail hard" */
1609 *counter
= DROPPER(ipss
, ipds_spd_explicit
);
1610 *reason
= "blocked by policy";
1613 case IPSEC_ACT_BYPASS
:
1614 case IPSEC_ACT_CLEAR
:
1615 *counter
= DROPPER(ipss
, ipds_spd_got_secure
);
1616 *reason
= "expected clear, got protected";
1619 case IPSEC_ACT_APPLY
:
1620 ipp
= &ap
->ipa_act
.ipa_apply
;
1622 * As of now we do the simple checks of whether
1623 * the datagram has gone through the required IPSEC
1624 * protocol constraints or not. We might have more
1625 * in the future like sensitive levels, key bits, etc.
1626 * If it fails the constraints, check whether we would
1627 * have accepted this if it had come in clear.
1629 if (ipp
->ipp_use_ah
) {
1630 if (ah_assoc
== NULL
) {
1631 ret
= ipsec_inbound_accept_clear(mp
, ipha
,
1633 *counter
= DROPPER(ipss
, ipds_spd_got_clear
);
1634 *reason
= "unprotected not accepted";
1637 ASSERT(ah_assoc
!= NULL
);
1638 ASSERT(ipp
->ipp_auth_alg
!= 0);
1640 if (ah_assoc
->ipsa_auth_alg
!=
1641 ipp
->ipp_auth_alg
) {
1642 *counter
= DROPPER(ipss
, ipds_spd_bad_ahalg
);
1643 *reason
= "unacceptable ah alg";
1647 } else if (ah_assoc
!= NULL
) {
1649 * Don't allow this. Check IPSEC NOTE above
1650 * ip_fanout_proto().
1652 *counter
= DROPPER(ipss
, ipds_spd_got_ah
);
1653 *reason
= "unexpected AH";
1657 if (ipp
->ipp_use_esp
) {
1658 if (esp_assoc
== NULL
) {
1659 ret
= ipsec_inbound_accept_clear(mp
, ipha
,
1661 *counter
= DROPPER(ipss
, ipds_spd_got_clear
);
1662 *reason
= "unprotected not accepted";
1665 ASSERT(esp_assoc
!= NULL
);
1666 ASSERT(ipp
->ipp_encr_alg
!= 0);
1668 if (esp_assoc
->ipsa_encr_alg
!=
1669 ipp
->ipp_encr_alg
) {
1670 *counter
= DROPPER(ipss
, ipds_spd_bad_espealg
);
1671 *reason
= "unacceptable esp alg";
1676 * If the client does not need authentication,
1677 * we don't verify the alogrithm.
1679 if (ipp
->ipp_use_espa
) {
1680 if (esp_assoc
->ipsa_auth_alg
!=
1681 ipp
->ipp_esp_auth_alg
) {
1682 *counter
= DROPPER(ipss
,
1683 ipds_spd_bad_espaalg
);
1684 *reason
= "unacceptable esp auth alg";
1689 } else if (esp_assoc
!= NULL
) {
1691 * Don't allow this. Check IPSEC NOTE above
1692 * ip_fanout_proto().
1694 *counter
= DROPPER(ipss
, ipds_spd_got_esp
);
1695 *reason
= "unexpected ESP";
1699 if (ipp
->ipp_use_se
) {
1701 ret
= ipsec_inbound_accept_clear(mp
, ipha
,
1705 *counter
= DROPPER(ipss
,
1706 ipds_spd_bad_selfencap
);
1707 *reason
= "self encap not found";
1711 } else if (decaps
) {
1713 * XXX If the packet comes in tunneled and the
1714 * recipient does not expect it to be tunneled, it
1715 * is okay. But we drop to be consistent with the
1718 *counter
= DROPPER(ipss
, ipds_spd_got_selfencap
);
1719 *reason
= "unexpected self encap";
1723 if (ira
->ira_ipsec_action
!= NULL
) {
1725 * This can happen if we do a double policy-check on
1727 * XXX XXX should fix this case!
1729 IPACT_REFRELE(ira
->ira_ipsec_action
);
1731 ASSERT(ira
->ira_flags
& IRAF_IPSEC_SECURE
);
1732 ASSERT(ira
->ira_ipsec_action
== NULL
);
1734 ira
->ira_ipsec_action
= ap
;
1735 break; /* from switch */
1741 spd_match_inbound_ids(ipsec_latch_t
*ipl
, ipsa_t
*sa
)
1743 ASSERT(ipl
->ipl_ids_latched
== B_TRUE
);
1744 return ipsid_equal(ipl
->ipl_remote_cid
, sa
->ipsa_src_cid
) &&
1745 ipsid_equal(ipl
->ipl_local_cid
, sa
->ipsa_dst_cid
);
1749 * Takes a latched conn and an inbound packet and returns a unique_id suitable
1750 * for SA comparisons. Most of the time we will copy from the conn_t, but
1751 * there are cases when the conn_t is latched but it has wildcard selectors,
1752 * and then we need to fallback to scooping them out of the packet.
1754 * Assume we'll never have 0 with a conn_t present, so use 0 as a failure. We
1755 * can get away with this because we only have non-zero ports/proto for
1758 * Ideal candidate for an "inline" keyword, as we're JUST convoluted enough
1759 * to not be a nice macro.
1762 conn_to_unique(conn_t
*connp
, mblk_t
*data_mp
, ipha_t
*ipha
, ip6_t
*ip6h
)
1764 ipsec_selector_t sel
;
1765 uint8_t ulp
= connp
->conn_proto
;
1767 ASSERT(connp
->conn_latch_in_policy
!= NULL
);
1769 if ((ulp
== IPPROTO_TCP
|| ulp
== IPPROTO_UDP
|| ulp
== IPPROTO_SCTP
) &&
1770 (connp
->conn_fport
== 0 || connp
->conn_lport
== 0)) {
1771 /* Slow path - we gotta grab from the packet. */
1772 if (ipsec_init_inbound_sel(&sel
, data_mp
, ipha
, ip6h
,
1773 SEL_NONE
) != SELRET_SUCCESS
) {
1774 /* Failure -> have caller free packet with ENOMEM. */
1777 return (SA_UNIQUE_ID(sel
.ips_remote_port
, sel
.ips_local_port
,
1778 sel
.ips_protocol
, 0));
1781 #ifdef DEBUG_NOT_UNTIL_6478464
1782 if (ipsec_init_inbound_sel(&sel
, data_mp
, ipha
, ip6h
, SEL_NONE
) ==
1784 ASSERT(sel
.ips_local_port
== connp
->conn_lport
);
1785 ASSERT(sel
.ips_remote_port
== connp
->conn_fport
);
1786 ASSERT(sel
.ips_protocol
== connp
->conn_proto
);
1788 ASSERT(connp
->conn_proto
!= 0);
1791 return (SA_UNIQUE_ID(connp
->conn_fport
, connp
->conn_lport
, ulp
, 0));
1795 * Called to check policy on a latched connection.
1796 * Note that we don't dereference conn_latch or conn_ihere since the conn might
1797 * be closing. The caller passes a held ipsec_latch_t instead.
1800 ipsec_check_ipsecin_latch(ip_recv_attr_t
*ira
, mblk_t
*mp
, ipsec_latch_t
*ipl
,
1801 ipsec_action_t
*ap
, ipha_t
*ipha
, ip6_t
*ip6h
, const char **reason
,
1802 kstat_named_t
**counter
, conn_t
*connp
, netstack_t
*ns
)
1804 ipsec_stack_t
*ipss
= ns
->netstack_ipsec
;
1806 ASSERT(ipl
->ipl_ids_latched
== B_TRUE
);
1807 ASSERT(ira
->ira_flags
& IRAF_IPSEC_SECURE
);
1809 if (!(ira
->ira_flags
& IRAF_LOOPBACK
)) {
1811 * Over loopback, there aren't real security associations,
1812 * so there are neither identities nor "unique" values
1813 * for us to check the packet against.
1815 if (ira
->ira_ipsec_ah_sa
!= NULL
) {
1816 if (!spd_match_inbound_ids(ipl
,
1817 ira
->ira_ipsec_ah_sa
)) {
1818 *counter
= DROPPER(ipss
, ipds_spd_ah_badid
);
1819 *reason
= "AH identity mismatch";
1824 if (ira
->ira_ipsec_esp_sa
!= NULL
) {
1825 if (!spd_match_inbound_ids(ipl
,
1826 ira
->ira_ipsec_esp_sa
)) {
1827 *counter
= DROPPER(ipss
, ipds_spd_esp_badid
);
1828 *reason
= "ESP identity mismatch";
1834 * Can fudge pkt_unique from connp because we're latched.
1835 * In DEBUG kernels (see conn_to_unique()'s implementation),
1836 * verify this even if it REALLY slows things down.
1838 if (!ipsec_check_ipsecin_unique(ira
, reason
, counter
,
1839 conn_to_unique(connp
, mp
, ipha
, ip6h
), ns
)) {
1843 return (ipsec_check_ipsecin_action(ira
, mp
, ap
, ipha
, ip6h
, reason
,
1848 * Check to see whether this secured datagram meets the policy
1849 * constraints specified in ipsp.
1851 * Called from ipsec_check_global_policy, and ipsec_check_inbound_policy.
1853 * Consumes a reference to ipsp.
1854 * Returns the mblk if ok.
1857 ipsec_check_ipsecin_policy(mblk_t
*data_mp
, ipsec_policy_t
*ipsp
,
1858 ipha_t
*ipha
, ip6_t
*ip6h
, uint64_t pkt_unique
, ip_recv_attr_t
*ira
,
1862 const char *reason
= "no policy actions found";
1863 ip_stack_t
*ipst
= ns
->netstack_ip
;
1864 ipsec_stack_t
*ipss
= ns
->netstack_ipsec
;
1865 kstat_named_t
*counter
;
1867 counter
= DROPPER(ipss
, ipds_spd_got_secure
);
1869 ASSERT(ipsp
!= NULL
);
1871 ASSERT((ipha
== NULL
&& ip6h
!= NULL
) ||
1872 (ip6h
== NULL
&& ipha
!= NULL
));
1874 if (ira
->ira_flags
& IRAF_LOOPBACK
)
1875 return (ipsec_check_loopback_policy(data_mp
, ira
, ipsp
));
1877 ASSERT(ira
->ira_flags
& IRAF_IPSEC_SECURE
);
1879 if (ira
->ira_ipsec_action
!= NULL
) {
1881 * this can happen if we do a double policy-check on a packet
1882 * Would be nice to be able to delete this test..
1884 IPACT_REFRELE(ira
->ira_ipsec_action
);
1886 ASSERT(ira
->ira_ipsec_action
== NULL
);
1888 if (!SA_IDS_MATCH(ira
->ira_ipsec_ah_sa
, ira
->ira_ipsec_esp_sa
)) {
1889 reason
= "inbound AH and ESP identities differ";
1890 counter
= DROPPER(ipss
, ipds_spd_ahesp_diffid
);
1894 if (!ipsec_check_ipsecin_unique(ira
, &reason
, &counter
, pkt_unique
,
1899 * Ok, now loop through the possible actions and see if any
1900 * of them work for us.
1903 for (ap
= ipsp
->ipsp_act
; ap
!= NULL
; ap
= ap
->ipa_next
) {
1904 if (ipsec_check_ipsecin_action(ira
, data_mp
, ap
,
1905 ipha
, ip6h
, &reason
, &counter
, ns
)) {
1906 BUMP_MIB(&ipst
->ips_ip_mib
, ipsecInSucceeded
);
1907 IPPOL_REFRELE(ipsp
);
1912 ipsec_rl_strlog(ns
, IP_MOD_ID
, 0, 0, SL_ERROR
|SL_WARN
|SL_CONSOLE
,
1913 "ipsec inbound policy mismatch: %s, packet dropped\n",
1915 IPPOL_REFRELE(ipsp
);
1916 ASSERT(ira
->ira_ipsec_action
== NULL
);
1917 BUMP_MIB(&ipst
->ips_ip_mib
, ipsecInFailed
);
1918 ip_drop_packet(data_mp
, B_TRUE
, NULL
, counter
,
1919 &ipss
->ipsec_spd_dropper
);
1924 * sleazy prefix-length-based compare.
1925 * another inlining candidate..
1928 ip_addr_match(uint8_t *addr1
, int pfxlen
, in6_addr_t
*addr2p
)
1930 int offset
= pfxlen
>>3;
1931 int bitsleft
= pfxlen
& 7;
1932 uint8_t *addr2
= (uint8_t *)addr2p
;
1935 * and there was much evil..
1936 * XXX should inline-expand the bcmp here and do this 32 bits
1937 * or 64 bits at a time..
1939 return ((bcmp(addr1
, addr2
, offset
) == 0) &&
1941 (((addr1
[offset
] ^ addr2
[offset
]) & (0xff<<(8-bitsleft
))) == 0)));
1944 static ipsec_policy_t
*
1945 ipsec_find_policy_chain(ipsec_policy_t
*best
, ipsec_policy_t
*chain
,
1946 ipsec_selector_t
*sel
, boolean_t is_icmp_inv_acq
)
1948 ipsec_selkey_t
*isel
;
1950 int bpri
= best
? best
->ipsp_prio
: 0;
1952 for (p
= chain
; p
!= NULL
; p
= p
->ipsp_hash
.hash_next
) {
1955 if (p
->ipsp_prio
<= bpri
)
1957 isel
= &p
->ipsp_sel
->ipsl_key
;
1958 valid
= isel
->ipsl_valid
;
1960 if ((valid
& IPSL_PROTOCOL
) &&
1961 (isel
->ipsl_proto
!= sel
->ips_protocol
))
1964 if ((valid
& IPSL_REMOTE_ADDR
) &&
1965 !ip_addr_match((uint8_t *)&isel
->ipsl_remote
,
1966 isel
->ipsl_remote_pfxlen
, &sel
->ips_remote_addr_v6
))
1969 if ((valid
& IPSL_LOCAL_ADDR
) &&
1970 !ip_addr_match((uint8_t *)&isel
->ipsl_local
,
1971 isel
->ipsl_local_pfxlen
, &sel
->ips_local_addr_v6
))
1974 if ((valid
& IPSL_REMOTE_PORT
) &&
1975 isel
->ipsl_rport
!= sel
->ips_remote_port
)
1978 if ((valid
& IPSL_LOCAL_PORT
) &&
1979 isel
->ipsl_lport
!= sel
->ips_local_port
)
1982 if (!is_icmp_inv_acq
) {
1983 if ((valid
& IPSL_ICMP_TYPE
) &&
1984 (isel
->ipsl_icmp_type
> sel
->ips_icmp_type
||
1985 isel
->ipsl_icmp_type_end
< sel
->ips_icmp_type
)) {
1989 if ((valid
& IPSL_ICMP_CODE
) &&
1990 (isel
->ipsl_icmp_code
> sel
->ips_icmp_code
||
1991 isel
->ipsl_icmp_code_end
<
1992 sel
->ips_icmp_code
)) {
1997 * special case for icmp inverse acquire
1998 * we only want policies that aren't drop/pass
2000 if (p
->ipsp_act
->ipa_act
.ipa_type
!= IPSEC_ACT_APPLY
)
2004 /* we matched all the packet-port-field selectors! */
2006 bpri
= p
->ipsp_prio
;
2013 * Try to find and return the best policy entry under a given policy
2014 * root for a given set of selectors; the first parameter "best" is
2015 * the current best policy so far. If "best" is non-null, we have a
2016 * reference to it. We return a reference to a policy; if that policy
2017 * is not the original "best", we need to release that reference
2021 ipsec_find_policy_head(ipsec_policy_t
*best
, ipsec_policy_head_t
*head
,
2022 int direction
, ipsec_selector_t
*sel
)
2024 ipsec_policy_t
*curbest
;
2025 ipsec_policy_root_t
*root
;
2026 uint8_t is_icmp_inv_acq
= sel
->ips_is_icmp_inv_acq
;
2027 int af
= sel
->ips_isv4
? IPSEC_AF_V4
: IPSEC_AF_V6
;
2030 root
= &head
->iph_root
[direction
];
2033 if (is_icmp_inv_acq
) {
2034 if (sel
->ips_isv4
) {
2035 if (sel
->ips_protocol
!= IPPROTO_ICMP
) {
2036 cmn_err(CE_WARN
, "ipsec_find_policy_head:"
2037 " expecting icmp, got %d",
2041 if (sel
->ips_protocol
!= IPPROTO_ICMPV6
) {
2042 cmn_err(CE_WARN
, "ipsec_find_policy_head:"
2043 " expecting icmpv6, got %d",
2050 rw_enter(&head
->iph_lock
, RW_READER
);
2052 if (root
->ipr_nchains
> 0) {
2053 curbest
= ipsec_find_policy_chain(curbest
,
2054 root
->ipr_hash
[selector_hash(sel
, root
)].hash_head
, sel
,
2057 curbest
= ipsec_find_policy_chain(curbest
, root
->ipr_nonhash
[af
], sel
,
2061 * Adjust reference counts if we found anything new.
2063 if (curbest
!= best
) {
2064 ASSERT(curbest
!= NULL
);
2065 IPPOL_REFHOLD(curbest
);
2068 IPPOL_REFRELE(best
);
2072 rw_exit(&head
->iph_lock
);
2078 * Find the best system policy (either global or per-interface) which
2079 * applies to the given selector; look in all the relevant policy roots
2080 * to figure out which policy wins.
2082 * Returns a reference to a policy; caller must release this
2083 * reference when done.
2086 ipsec_find_policy(int direction
, const conn_t
*connp
, ipsec_selector_t
*sel
,
2090 ipsec_stack_t
*ipss
= ns
->netstack_ipsec
;
2092 p
= ipsec_find_policy_head(NULL
, &ipss
->ipsec_system_policy
,
2094 if ((connp
!= NULL
) && (connp
->conn_policy
!= NULL
)) {
2095 p
= ipsec_find_policy_head(p
, connp
->conn_policy
,
2103 * Check with global policy and see whether this inbound
2104 * packet meets the policy constraints.
2106 * Locate appropriate policy from global policy, supplemented by the
2107 * conn's configured and/or cached policy if the conn is supplied.
2109 * Dispatch to ipsec_check_ipsecin_policy if we have policy and an
2110 * encrypted packet to see if they match.
2112 * Otherwise, see if the policy allows cleartext; if not, drop it on the
2116 ipsec_check_global_policy(mblk_t
*data_mp
, conn_t
*connp
,
2117 ipha_t
*ipha
, ip6_t
*ip6h
, ip_recv_attr_t
*ira
, netstack_t
*ns
)
2120 ipsec_selector_t sel
;
2121 boolean_t policy_present
;
2122 kstat_named_t
*counter
;
2123 uint64_t pkt_unique
;
2124 ip_stack_t
*ipst
= ns
->netstack_ip
;
2125 ipsec_stack_t
*ipss
= ns
->netstack_ipsec
;
2127 sel
.ips_is_icmp_inv_acq
= 0;
2129 ASSERT((ipha
== NULL
&& ip6h
!= NULL
) ||
2130 (ip6h
== NULL
&& ipha
!= NULL
));
2133 policy_present
= ipss
->ipsec_inbound_v4_policy_present
;
2135 policy_present
= ipss
->ipsec_inbound_v6_policy_present
;
2137 if (!policy_present
&& connp
== NULL
) {
2139 * No global policy and no per-socket policy;
2140 * just pass it back (but we shouldn't get here in that case)
2146 * If we have cached policy, use it.
2147 * Otherwise consult system policy.
2149 if ((connp
!= NULL
) && (connp
->conn_latch
!= NULL
)) {
2150 p
= connp
->conn_latch_in_policy
;
2155 * Fudge sel for UNIQUE_ID setting below.
2157 pkt_unique
= conn_to_unique(connp
, data_mp
, ipha
, ip6h
);
2159 /* Initialize the ports in the selector */
2160 if (ipsec_init_inbound_sel(&sel
, data_mp
, ipha
, ip6h
,
2161 SEL_NONE
) == SELRET_NOMEM
) {
2163 * Technically not a policy mismatch, but it is
2164 * an internal failure.
2166 ipsec_log_policy_failure(IPSEC_POLICY_MISMATCH
,
2167 "ipsec_init_inbound_sel", ipha
, ip6h
, B_TRUE
, ns
);
2168 counter
= DROPPER(ipss
, ipds_spd_nomem
);
2173 * Find the policy which best applies.
2175 * If we find global policy, we should look at both
2176 * local policy and global policy and see which is
2177 * stronger and match accordingly.
2179 * If we don't find a global policy, check with
2180 * local policy alone.
2183 p
= ipsec_find_policy(IPSEC_TYPE_INBOUND
, connp
, &sel
, ns
);
2184 pkt_unique
= SA_UNIQUE_ID(sel
.ips_remote_port
,
2185 sel
.ips_local_port
, sel
.ips_protocol
, 0);
2189 if (!(ira
->ira_flags
& IRAF_IPSEC_SECURE
)) {
2191 * We have no policy; default to succeeding.
2192 * XXX paranoid system design doesn't do this.
2194 BUMP_MIB(&ipst
->ips_ip_mib
, ipsecInSucceeded
);
2197 counter
= DROPPER(ipss
, ipds_spd_got_secure
);
2198 ipsec_log_policy_failure(IPSEC_POLICY_NOT_NEEDED
,
2199 "ipsec_check_global_policy", ipha
, ip6h
, B_TRUE
,
2204 if (ira
->ira_flags
& IRAF_IPSEC_SECURE
) {
2205 return (ipsec_check_ipsecin_policy(data_mp
, p
, ipha
, ip6h
,
2206 pkt_unique
, ira
, ns
));
2208 if (p
->ipsp_act
->ipa_allow_clear
) {
2209 BUMP_MIB(&ipst
->ips_ip_mib
, ipsecInSucceeded
);
2215 * If we reach here, we will drop the packet because it failed the
2216 * global policy check because the packet was cleartext, and it
2217 * should not have been.
2219 ipsec_log_policy_failure(IPSEC_POLICY_MISMATCH
,
2220 "ipsec_check_global_policy", ipha
, ip6h
, B_FALSE
, ns
);
2221 counter
= DROPPER(ipss
, ipds_spd_got_clear
);
2224 ip_drop_packet(data_mp
, B_TRUE
, NULL
, counter
,
2225 &ipss
->ipsec_spd_dropper
);
2226 BUMP_MIB(&ipst
->ips_ip_mib
, ipsecInFailed
);
2231 * We check whether an inbound datagram is a valid one
2232 * to accept in clear. If it is secure, it is the job
2233 * of IPSEC to log information appropriately if it
2234 * suspects that it may not be the real one.
2236 * It is called only while fanning out to the ULP
2237 * where ULP accepts only secure data and the incoming
2238 * is clear. Usually we never accept clear datagrams in
2239 * such cases. ICMP is the only exception.
2241 * NOTE : We don't call this function if the client (ULP)
2242 * is willing to accept things in clear.
2245 ipsec_inbound_accept_clear(mblk_t
*mp
, ipha_t
*ipha
, ip6_t
*ip6h
)
2247 ushort_t iph_hdr_length
;
2252 ASSERT((ipha
!= NULL
&& ip6h
== NULL
) ||
2253 (ipha
== NULL
&& ip6h
!= NULL
));
2256 iph_hdr_length
= ip_hdr_length_v6(mp
, ip6h
);
2257 if (!ip_hdr_length_nexthdr_v6(mp
, ip6h
, &iph_hdr_length
,
2261 if (*nexthdrp
!= IPPROTO_ICMPV6
)
2263 icmp6
= (icmp6_t
*)(&mp
->b_rptr
[iph_hdr_length
]);
2264 /* Match IPv6 ICMP policy as closely as IPv4 as possible. */
2265 switch (icmp6
->icmp6_type
) {
2266 case ICMP6_PARAM_PROB
:
2267 /* Corresponds to port/proto unreach in IPv4. */
2268 case ICMP6_ECHO_REQUEST
:
2269 /* Just like IPv4. */
2272 case MLD_LISTENER_QUERY
:
2273 case MLD_LISTENER_REPORT
:
2274 case MLD_LISTENER_REDUCTION
:
2276 * XXX Seperate NDD in IPv4 what about here?
2277 * Plus, mcast is important to ND.
2279 case ICMP6_DST_UNREACH
:
2280 /* Corresponds to HOST/NET unreachable in IPv4. */
2281 case ICMP6_PACKET_TOO_BIG
:
2282 case ICMP6_ECHO_REPLY
:
2283 /* These are trusted in IPv4. */
2284 case ND_ROUTER_SOLICIT
:
2285 case ND_ROUTER_ADVERT
:
2286 case ND_NEIGHBOR_SOLICIT
:
2287 case ND_NEIGHBOR_ADVERT
:
2289 /* Trust ND messages for now. */
2290 case ICMP6_TIME_EXCEEDED
:
2296 * If it is not ICMP, fail this request.
2298 if (ipha
->ipha_protocol
!= IPPROTO_ICMP
) {
2299 #ifdef FRAGCACHE_DEBUG
2300 cmn_err(CE_WARN
, "Dropping - ipha_proto = %d\n",
2301 ipha
->ipha_protocol
);
2305 iph_hdr_length
= IPH_HDR_LENGTH(ipha
);
2306 icmph
= (icmph_t
*)&mp
->b_rptr
[iph_hdr_length
];
2308 * It is an insecure icmp message. Check to see whether we are
2309 * willing to accept this one.
2312 switch (icmph
->icmph_type
) {
2313 case ICMP_ECHO_REPLY
:
2314 case ICMP_TIME_STAMP_REPLY
:
2315 case ICMP_INFO_REPLY
:
2316 case ICMP_ROUTER_ADVERTISEMENT
:
2318 * We should not encourage clear replies if this
2319 * client expects secure. If somebody is replying
2320 * in clear some mailicious user watching both the
2321 * request and reply, can do chosen-plain-text attacks.
2322 * With global policy we might be just expecting secure
2323 * but sending out clear. We don't know what the right
2324 * thing is. We can't do much here as we can't control
2325 * the sender here. Till we are sure of what to do,
2329 case ICMP_ECHO_REQUEST
:
2330 case ICMP_TIME_STAMP_REQUEST
:
2331 case ICMP_INFO_REQUEST
:
2332 case ICMP_ADDRESS_MASK_REQUEST
:
2333 case ICMP_ROUTER_SOLICITATION
:
2334 case ICMP_ADDRESS_MASK_REPLY
:
2336 * Don't accept this as somebody could be sending
2337 * us plain text to get encrypted data. If we reply,
2338 * it will lead to chosen plain text attack.
2341 case ICMP_DEST_UNREACHABLE
:
2342 switch (icmph
->icmph_code
) {
2343 case ICMP_FRAGMENTATION_NEEDED
:
2345 * Be in sync with icmp_inbound, where we have
2346 * already set dce_pmtu
2348 #ifdef FRAGCACHE_DEBUG
2349 cmn_err(CE_WARN
, "ICMP frag needed\n");
2352 case ICMP_HOST_UNREACHABLE
:
2353 case ICMP_NET_UNREACHABLE
:
2355 * By accepting, we could reset a connection.
2356 * How do we solve the problem of some
2357 * intermediate router sending in-secure ICMP
2361 case ICMP_PORT_UNREACHABLE
:
2362 case ICMP_PROTOCOL_UNREACHABLE
:
2366 case ICMP_SOURCE_QUENCH
:
2368 * If this is an attack, TCP will slow start
2369 * because of this. Is it very harmful ?
2372 case ICMP_PARAM_PROBLEM
:
2374 case ICMP_TIME_EXCEEDED
:
2385 ipsec_latch_ids(ipsec_latch_t
*ipl
, ipsid_t
*local
, ipsid_t
*remote
)
2387 mutex_enter(&ipl
->ipl_lock
);
2389 if (ipl
->ipl_ids_latched
) {
2390 /* I lost, someone else got here before me */
2391 mutex_exit(&ipl
->ipl_lock
);
2396 IPSID_REFHOLD(local
);
2398 IPSID_REFHOLD(remote
);
2400 ipl
->ipl_local_cid
= local
;
2401 ipl
->ipl_remote_cid
= remote
;
2402 ipl
->ipl_ids_latched
= B_TRUE
;
2403 mutex_exit(&ipl
->ipl_lock
);
2407 ipsec_latch_inbound(conn_t
*connp
, ip_recv_attr_t
*ira
)
2410 ipsec_latch_t
*ipl
= connp
->conn_latch
;
2412 if (!ipl
->ipl_ids_latched
) {
2413 ipsid_t
*local
= NULL
;
2414 ipsid_t
*remote
= NULL
;
2416 if (!(ira
->ira_flags
& IRAF_LOOPBACK
)) {
2417 ASSERT(ira
->ira_flags
& IRAF_IPSEC_SECURE
);
2418 if (ira
->ira_ipsec_esp_sa
!= NULL
)
2419 sa
= ira
->ira_ipsec_esp_sa
;
2421 sa
= ira
->ira_ipsec_ah_sa
;
2423 local
= sa
->ipsa_dst_cid
;
2424 remote
= sa
->ipsa_src_cid
;
2426 ipsec_latch_ids(ipl
, local
, remote
);
2428 if (ira
->ira_flags
& IRAF_IPSEC_SECURE
) {
2429 if (connp
->conn_latch_in_action
!= NULL
) {
2431 * Previously cached action. This is probably
2432 * harmless, but in DEBUG kernels, check for
2435 * Preserve the existing action to preserve latch
2438 ASSERT(connp
->conn_latch_in_action
==
2439 ira
->ira_ipsec_action
);
2442 connp
->conn_latch_in_action
= ira
->ira_ipsec_action
;
2443 IPACT_REFHOLD(connp
->conn_latch_in_action
);
2448 * Check whether the policy constraints are met either for an
2449 * inbound datagram; called from IP in numerous places.
2451 * Note that this is not a chokepoint for inbound policy checks;
2452 * see also ipsec_check_ipsecin_latch() and ipsec_check_global_policy()
2455 ipsec_check_inbound_policy(mblk_t
*mp
, conn_t
*connp
,
2456 ipha_t
*ipha
, ip6_t
*ip6h
, ip_recv_attr_t
*ira
)
2462 ipsec_stack_t
*ipss
;
2465 ipsec_policy_head_t
*policy_head
;
2466 ipsec_policy_t
*p
= NULL
;
2468 ASSERT(connp
!= NULL
);
2469 ns
= connp
->conn_netstack
;
2470 ipss
= ns
->netstack_ipsec
;
2471 ipst
= ns
->netstack_ip
;
2473 if (!(ira
->ira_flags
& IRAF_IPSEC_SECURE
)) {
2475 * This is the case where the incoming datagram is
2476 * cleartext and we need to see whether this client
2477 * would like to receive such untrustworthy things from
2482 mutex_enter(&connp
->conn_lock
);
2483 if (connp
->conn_state_flags
& CONN_CONDEMNED
) {
2484 mutex_exit(&connp
->conn_lock
);
2485 ip_drop_packet(mp
, B_TRUE
, NULL
,
2486 DROPPER(ipss
, ipds_spd_got_clear
),
2487 &ipss
->ipsec_spd_dropper
);
2488 BUMP_MIB(&ipst
->ips_ip_mib
, ipsecInFailed
);
2491 if (connp
->conn_latch
!= NULL
) {
2492 /* Hold a reference in case the conn is closing */
2493 p
= connp
->conn_latch_in_policy
;
2496 mutex_exit(&connp
->conn_lock
);
2498 * Policy is cached in the conn.
2500 if (p
!= NULL
&& !p
->ipsp_act
->ipa_allow_clear
) {
2501 ret
= ipsec_inbound_accept_clear(mp
,
2504 BUMP_MIB(&ipst
->ips_ip_mib
,
2509 ipsec_log_policy_failure(
2510 IPSEC_POLICY_MISMATCH
,
2511 "ipsec_check_inbound_policy", ipha
,
2513 ip_drop_packet(mp
, B_TRUE
, NULL
,
2514 DROPPER(ipss
, ipds_spd_got_clear
),
2515 &ipss
->ipsec_spd_dropper
);
2516 BUMP_MIB(&ipst
->ips_ip_mib
,
2522 BUMP_MIB(&ipst
->ips_ip_mib
, ipsecInSucceeded
);
2528 policy_head
= connp
->conn_policy
;
2530 /* Hold a reference in case the conn is closing */
2531 if (policy_head
!= NULL
)
2532 IPPH_REFHOLD(policy_head
);
2533 mutex_exit(&connp
->conn_lock
);
2535 * As this is a non-hardbound connection we need
2536 * to look at both per-socket policy and global
2539 mp
= ipsec_check_global_policy(mp
, connp
,
2540 ipha
, ip6h
, ira
, ns
);
2541 if (policy_head
!= NULL
)
2542 IPPH_REFRELE(policy_head
, ns
);
2547 mutex_enter(&connp
->conn_lock
);
2548 /* Connection is closing */
2549 if (connp
->conn_state_flags
& CONN_CONDEMNED
) {
2550 mutex_exit(&connp
->conn_lock
);
2551 ip_drop_packet(mp
, B_TRUE
, NULL
,
2552 DROPPER(ipss
, ipds_spd_got_clear
),
2553 &ipss
->ipsec_spd_dropper
);
2554 BUMP_MIB(&ipst
->ips_ip_mib
, ipsecInFailed
);
2559 * Once a connection is latched it remains so for life, the conn_latch
2560 * pointer on the conn has not changed, simply initializing ipl here
2561 * as the earlier initialization was done only in the cleartext case.
2563 if ((ipl
= connp
->conn_latch
) == NULL
) {
2565 policy_head
= connp
->conn_policy
;
2567 /* Hold a reference in case the conn is closing */
2568 if (policy_head
!= NULL
)
2569 IPPH_REFHOLD(policy_head
);
2570 mutex_exit(&connp
->conn_lock
);
2572 * We don't have policies cached in the conn
2573 * for this stream. So, look at the global
2574 * policy. It will check against conn or global
2575 * depending on whichever is stronger.
2577 retmp
= ipsec_check_global_policy(mp
, connp
,
2578 ipha
, ip6h
, ira
, ns
);
2579 if (policy_head
!= NULL
)
2580 IPPH_REFRELE(policy_head
, ns
);
2584 IPLATCH_REFHOLD(ipl
);
2585 /* Hold reference on conn_latch_in_action in case conn is closing */
2586 ap
= connp
->conn_latch_in_action
;
2589 mutex_exit(&connp
->conn_lock
);
2592 /* Policy is cached & latched; fast(er) path */
2594 kstat_named_t
*counter
;
2596 if (ipsec_check_ipsecin_latch(ira
, mp
, ipl
, ap
,
2597 ipha
, ip6h
, &reason
, &counter
, connp
, ns
)) {
2598 BUMP_MIB(&ipst
->ips_ip_mib
, ipsecInSucceeded
);
2599 IPLATCH_REFRELE(ipl
);
2603 ipsec_rl_strlog(ns
, IP_MOD_ID
, 0, 0,
2604 SL_ERROR
|SL_WARN
|SL_CONSOLE
,
2605 "ipsec inbound policy mismatch: %s, packet dropped\n",
2607 ip_drop_packet(mp
, B_TRUE
, NULL
, counter
,
2608 &ipss
->ipsec_spd_dropper
);
2609 BUMP_MIB(&ipst
->ips_ip_mib
, ipsecInFailed
);
2610 IPLATCH_REFRELE(ipl
);
2614 if ((p
= connp
->conn_latch_in_policy
) == NULL
) {
2615 ipsec_weird_null_inbound_policy
++;
2616 IPLATCH_REFRELE(ipl
);
2620 unique_id
= conn_to_unique(connp
, mp
, ipha
, ip6h
);
2622 mp
= ipsec_check_ipsecin_policy(mp
, p
, ipha
, ip6h
, unique_id
, ira
, ns
);
2624 * NOTE: ipsecIn{Failed,Succeeeded} bumped by
2625 * ipsec_check_ipsecin_policy().
2628 ipsec_latch_inbound(connp
, ira
);
2629 IPLATCH_REFRELE(ipl
);
2634 * Handle all sorts of cases like tunnel-mode and ICMP.
2637 prepended_length(mblk_t
*mp
, uintptr_t hptr
)
2641 while (mp
!= NULL
) {
2642 if (hptr
>= (uintptr_t)mp
->b_rptr
&& hptr
<
2643 (uintptr_t)mp
->b_wptr
) {
2644 rc
+= (int)(hptr
- (uintptr_t)mp
->b_rptr
);
2645 break; /* out of while loop */
2647 rc
+= (int)MBLKL(mp
);
2653 * IF (big IF) we make it here by naturally exiting the loop,
2654 * then ip6h isn't in the mblk chain "mp" at all.
2656 * The only case where this happens is with a reversed IP
2657 * header that gets passed up by inbound ICMP processing.
2658 * This unfortunately triggers longstanding bug 6478464. For
2659 * now, just pass up 0 for the answer.
2661 #ifdef DEBUG_NOT_UNTIL_6478464
2673 * SELRET_NOMEM --> msgpullup() needed to gather things failed.
2674 * SELRET_BADPKT --> If we're being called after tunnel-mode fragment
2675 * gathering, the initial fragment is too short for
2676 * useful data. Only returned if SEL_TUNNEL_FIRSTFRAG is
2678 * SELRET_SUCCESS --> "sel" now has initialized IPsec selector data.
2679 * SELRET_TUNFRAG --> This is a fragment in a tunnel-mode packet. Caller
2680 * should put this packet in a fragment-gathering queue.
2681 * Only returned if SEL_TUNNEL_MODE and SEL_PORT_POLICY
2684 * Note that ipha/ip6h can be in a different mblk (mp->b_cont) in the case
2685 * of tunneled packets.
2686 * Also, mp->b_rptr can be an ICMP error where ipha/ip6h is the packet in
2687 * error past the ICMP error.
2690 ipsec_init_inbound_sel(ipsec_selector_t
*sel
, mblk_t
*mp
, ipha_t
*ipha
,
2691 ip6_t
*ip6h
, uint8_t sel_flags
)
2694 int outer_hdr_len
= 0; /* For ICMP or tunnel-mode cases... */
2696 mblk_t
*spare_mp
= NULL
;
2697 uint8_t *nexthdrp
, *transportp
;
2701 boolean_t port_policy_present
= (sel_flags
& SEL_PORT_POLICY
);
2702 boolean_t is_icmp
= (sel_flags
& SEL_IS_ICMP
);
2703 boolean_t tunnel_mode
= (sel_flags
& SEL_TUNNEL_MODE
);
2704 boolean_t post_frag
= (sel_flags
& SEL_POST_FRAG
);
2706 ASSERT((ipha
== NULL
&& ip6h
!= NULL
) ||
2707 (ipha
!= NULL
&& ip6h
== NULL
));
2710 outer_hdr_len
= prepended_length(mp
, (uintptr_t)ip6h
);
2711 nexthdr
= ip6h
->ip6_nxt
;
2712 icmp_proto
= IPPROTO_ICMPV6
;
2713 sel
->ips_isv4
= B_FALSE
;
2714 sel
->ips_local_addr_v6
= ip6h
->ip6_dst
;
2715 sel
->ips_remote_addr_v6
= ip6h
->ip6_src
;
2717 bzero(&ipp
, sizeof (ipp
));
2720 case IPPROTO_HOPOPTS
:
2721 case IPPROTO_ROUTING
:
2722 case IPPROTO_DSTOPTS
:
2723 case IPPROTO_FRAGMENT
:
2725 * Use ip_hdr_length_nexthdr_v6(). And have a spare
2726 * mblk that's contiguous to feed it
2728 if ((spare_mp
= msgpullup(mp
, -1)) == NULL
)
2729 return (SELRET_NOMEM
);
2730 if (!ip_hdr_length_nexthdr_v6(spare_mp
,
2731 (ip6_t
*)(spare_mp
->b_rptr
+ outer_hdr_len
),
2732 &hdr_len
, &nexthdrp
)) {
2733 /* Malformed packet - caller frees. */
2734 ipsec_freemsg_chain(spare_mp
);
2735 return (SELRET_BADPKT
);
2737 /* Repopulate now that we have the whole packet */
2738 ip6h
= (ip6_t
*)(spare_mp
->b_rptr
+ outer_hdr_len
);
2739 (void) ip_find_hdr_v6(spare_mp
, ip6h
, B_FALSE
, &ipp
,
2741 nexthdr
= *nexthdrp
;
2742 /* We can just extract based on hdr_len now. */
2745 (void) ip_find_hdr_v6(mp
, ip6h
, B_FALSE
, &ipp
, NULL
);
2746 hdr_len
= IPV6_HDR_LEN
;
2749 if (port_policy_present
&& IS_V6_FRAGMENT(ipp
) && !is_icmp
) {
2751 ipsec_freemsg_chain(spare_mp
);
2752 return (SELRET_TUNFRAG
);
2754 transportp
= (uint8_t *)ip6h
+ hdr_len
;
2756 outer_hdr_len
= prepended_length(mp
, (uintptr_t)ipha
);
2757 icmp_proto
= IPPROTO_ICMP
;
2758 sel
->ips_isv4
= B_TRUE
;
2759 sel
->ips_local_addr_v4
= ipha
->ipha_dst
;
2760 sel
->ips_remote_addr_v4
= ipha
->ipha_src
;
2761 nexthdr
= ipha
->ipha_protocol
;
2762 hdr_len
= IPH_HDR_LENGTH(ipha
);
2764 if (port_policy_present
&&
2765 IS_V4_FRAGMENT(ipha
->ipha_fragment_offset_and_flags
) &&
2768 ipsec_freemsg_chain(spare_mp
);
2769 return (SELRET_TUNFRAG
);
2771 transportp
= (uint8_t *)ipha
+ hdr_len
;
2773 sel
->ips_protocol
= nexthdr
;
2775 if ((nexthdr
!= IPPROTO_TCP
&& nexthdr
!= IPPROTO_UDP
&&
2776 nexthdr
!= IPPROTO_SCTP
&& nexthdr
!= icmp_proto
) ||
2777 (!port_policy_present
&& !post_frag
&& tunnel_mode
)) {
2778 sel
->ips_remote_port
= sel
->ips_local_port
= 0;
2779 ipsec_freemsg_chain(spare_mp
);
2780 return (SELRET_SUCCESS
);
2783 if (transportp
+ 4 > mp
->b_wptr
) {
2784 /* If we didn't pullup a copy already, do so now. */
2786 * XXX performance, will upper-layers frequently split TCP/UDP
2787 * apart from IP or options? If so, perhaps we should revisit
2788 * the spare_mp strategy.
2790 ipsec_hdr_pullup_needed
++;
2791 if (spare_mp
== NULL
&&
2792 (spare_mp
= msgpullup(mp
, -1)) == NULL
) {
2793 return (SELRET_NOMEM
);
2795 transportp
= &spare_mp
->b_rptr
[hdr_len
+ outer_hdr_len
];
2798 if (nexthdr
== icmp_proto
) {
2799 sel
->ips_icmp_type
= *transportp
++;
2800 sel
->ips_icmp_code
= *transportp
;
2801 sel
->ips_remote_port
= sel
->ips_local_port
= 0;
2803 ports
= (uint16_t *)transportp
;
2804 sel
->ips_remote_port
= *ports
++;
2805 sel
->ips_local_port
= *ports
;
2807 ipsec_freemsg_chain(spare_mp
);
2808 return (SELRET_SUCCESS
);
2812 * This is called with a b_next chain of messages from the fragcache code,
2813 * hence it needs to discard a chain on error.
2816 ipsec_init_outbound_ports(ipsec_selector_t
*sel
, mblk_t
*mp
, ipha_t
*ipha
,
2817 ip6_t
*ip6h
, int outer_hdr_len
, ipsec_stack_t
*ipss
)
2820 * XXX cut&paste shared with ipsec_init_inbound_sel
2824 mblk_t
*spare_mp
= NULL
;
2828 uint8_t check_proto
;
2830 ASSERT((ipha
== NULL
&& ip6h
!= NULL
) ||
2831 (ipha
!= NULL
&& ip6h
== NULL
));
2834 check_proto
= IPPROTO_ICMPV6
;
2835 nexthdr
= ip6h
->ip6_nxt
;
2837 case IPPROTO_HOPOPTS
:
2838 case IPPROTO_ROUTING
:
2839 case IPPROTO_DSTOPTS
:
2840 case IPPROTO_FRAGMENT
:
2842 * Use ip_hdr_length_nexthdr_v6(). And have a spare
2843 * mblk that's contiguous to feed it
2845 spare_mp
= msgpullup(mp
, -1);
2846 if (spare_mp
== NULL
||
2847 !ip_hdr_length_nexthdr_v6(spare_mp
,
2848 (ip6_t
*)(spare_mp
->b_rptr
+ outer_hdr_len
),
2849 &hdr_len
, &nexthdrp
)) {
2850 /* Always works, even if NULL. */
2851 ipsec_freemsg_chain(spare_mp
);
2852 ip_drop_packet_chain(mp
, B_FALSE
, NULL
,
2853 DROPPER(ipss
, ipds_spd_nomem
),
2854 &ipss
->ipsec_spd_dropper
);
2857 nexthdr
= *nexthdrp
;
2858 /* We can just extract based on hdr_len now. */
2862 hdr_len
= IPV6_HDR_LEN
;
2866 check_proto
= IPPROTO_ICMP
;
2867 hdr_len
= IPH_HDR_LENGTH(ipha
);
2868 nexthdr
= ipha
->ipha_protocol
;
2871 sel
->ips_protocol
= nexthdr
;
2872 if (nexthdr
!= IPPROTO_TCP
&& nexthdr
!= IPPROTO_UDP
&&
2873 nexthdr
!= IPPROTO_SCTP
&& nexthdr
!= check_proto
) {
2874 sel
->ips_local_port
= sel
->ips_remote_port
= 0;
2875 ipsec_freemsg_chain(spare_mp
); /* Always works, even if NULL */
2879 if (&mp
->b_rptr
[hdr_len
] + 4 + outer_hdr_len
> mp
->b_wptr
) {
2880 /* If we didn't pullup a copy already, do so now. */
2882 * XXX performance, will upper-layers frequently split TCP/UDP
2883 * apart from IP or options? If so, perhaps we should revisit
2884 * the spare_mp strategy.
2886 * XXX should this be msgpullup(mp, hdr_len+4) ???
2888 if (spare_mp
== NULL
&&
2889 (spare_mp
= msgpullup(mp
, -1)) == NULL
) {
2890 ip_drop_packet_chain(mp
, B_FALSE
, NULL
,
2891 DROPPER(ipss
, ipds_spd_nomem
),
2892 &ipss
->ipsec_spd_dropper
);
2895 ports
= (uint16_t *)&spare_mp
->b_rptr
[hdr_len
+ outer_hdr_len
];
2897 ports
= (uint16_t *)&mp
->b_rptr
[hdr_len
+ outer_hdr_len
];
2900 if (nexthdr
== check_proto
) {
2901 typecode
= (uint8_t *)ports
;
2902 sel
->ips_icmp_type
= *typecode
++;
2903 sel
->ips_icmp_code
= *typecode
;
2904 sel
->ips_remote_port
= sel
->ips_local_port
= 0;
2906 sel
->ips_local_port
= *ports
++;
2907 sel
->ips_remote_port
= *ports
;
2909 ipsec_freemsg_chain(spare_mp
); /* Always works, even if NULL */
2914 * Prepend an mblk with a ipsec_crypto_t to the message chain.
2915 * Frees the argument and returns NULL should the allocation fail.
2916 * Returns the pointer to the crypto data part.
2919 ipsec_add_crypto_data(mblk_t
*data_mp
, ipsec_crypto_t
**icp
)
2923 mp
= allocb(sizeof (ipsec_crypto_t
), BPRI_MED
);
2928 bzero(mp
->b_rptr
, sizeof (ipsec_crypto_t
));
2929 mp
->b_wptr
+= sizeof (ipsec_crypto_t
);
2930 mp
->b_cont
= data_mp
;
2931 mp
->b_datap
->db_type
= M_EVENT
; /* For ASSERT */
2932 *icp
= (ipsec_crypto_t
*)mp
->b_rptr
;
2937 * Remove what was prepended above. Return b_cont and a pointer to the
2939 * The caller must call ipsec_free_crypto_data for mblk once it is done
2940 * with the crypto data.
2943 ipsec_remove_crypto_data(mblk_t
*crypto_mp
, ipsec_crypto_t
**icp
)
2945 ASSERT(crypto_mp
->b_datap
->db_type
== M_EVENT
);
2946 ASSERT(MBLKL(crypto_mp
) == sizeof (ipsec_crypto_t
));
2948 *icp
= (ipsec_crypto_t
*)crypto_mp
->b_rptr
;
2949 return (crypto_mp
->b_cont
);
2953 * Free what was prepended above. Return b_cont.
2956 ipsec_free_crypto_data(mblk_t
*crypto_mp
)
2960 ASSERT(crypto_mp
->b_datap
->db_type
== M_EVENT
);
2961 ASSERT(MBLKL(crypto_mp
) == sizeof (ipsec_crypto_t
));
2963 mp
= crypto_mp
->b_cont
;
2969 * Create an ipsec_action_t based on the way an inbound packet was protected.
2970 * Used to reflect traffic back to a sender.
2972 * We don't bother interning the action into the hash table.
2975 ipsec_in_to_out_action(ip_recv_attr_t
*ira
)
2977 ipsa_t
*ah_assoc
, *esp_assoc
;
2978 uint_t auth_alg
= 0, encr_alg
= 0, espa_alg
= 0;
2982 ap
= kmem_cache_alloc(ipsec_action_cache
, KM_NOSLEEP
);
2987 bzero(ap
, sizeof (*ap
));
2988 HASH_NULL(ap
, ipa_hash
);
2989 ap
->ipa_next
= NULL
;
2993 * Get the algorithms that were used for this packet.
2995 ap
->ipa_act
.ipa_type
= IPSEC_ACT_APPLY
;
2996 ap
->ipa_act
.ipa_log
= 0;
2997 ASSERT(ira
->ira_flags
& IRAF_IPSEC_SECURE
);
2999 ah_assoc
= ira
->ira_ipsec_ah_sa
;
3000 ap
->ipa_act
.ipa_apply
.ipp_use_ah
= (ah_assoc
!= NULL
);
3002 esp_assoc
= ira
->ira_ipsec_esp_sa
;
3003 ap
->ipa_act
.ipa_apply
.ipp_use_esp
= (esp_assoc
!= NULL
);
3005 if (esp_assoc
!= NULL
) {
3006 encr_alg
= esp_assoc
->ipsa_encr_alg
;
3007 espa_alg
= esp_assoc
->ipsa_auth_alg
;
3008 ap
->ipa_act
.ipa_apply
.ipp_use_espa
= (espa_alg
!= 0);
3010 if (ah_assoc
!= NULL
)
3011 auth_alg
= ah_assoc
->ipsa_auth_alg
;
3013 ap
->ipa_act
.ipa_apply
.ipp_encr_alg
= (uint8_t)encr_alg
;
3014 ap
->ipa_act
.ipa_apply
.ipp_auth_alg
= (uint8_t)auth_alg
;
3015 ap
->ipa_act
.ipa_apply
.ipp_esp_auth_alg
= (uint8_t)espa_alg
;
3016 ap
->ipa_act
.ipa_apply
.ipp_use_se
=
3017 !!(ira
->ira_flags
& IRAF_IPSEC_DECAPS
);
3020 if (esp_assoc
!= NULL
) {
3021 ap
->ipa_act
.ipa_apply
.ipp_espa_minbits
=
3022 esp_assoc
->ipsa_authkeybits
;
3023 ap
->ipa_act
.ipa_apply
.ipp_espa_maxbits
=
3024 esp_assoc
->ipsa_authkeybits
;
3025 ap
->ipa_act
.ipa_apply
.ipp_espe_minbits
=
3026 esp_assoc
->ipsa_encrkeybits
;
3027 ap
->ipa_act
.ipa_apply
.ipp_espe_maxbits
=
3028 esp_assoc
->ipsa_encrkeybits
;
3029 ap
->ipa_act
.ipa_apply
.ipp_km_proto
= esp_assoc
->ipsa_kmp
;
3030 ap
->ipa_act
.ipa_apply
.ipp_km_cookie
= esp_assoc
->ipsa_kmc
;
3031 if (esp_assoc
->ipsa_flags
& IPSA_F_UNIQUE
)
3034 if (ah_assoc
!= NULL
) {
3035 ap
->ipa_act
.ipa_apply
.ipp_ah_minbits
=
3036 ah_assoc
->ipsa_authkeybits
;
3037 ap
->ipa_act
.ipa_apply
.ipp_ah_maxbits
=
3038 ah_assoc
->ipsa_authkeybits
;
3039 ap
->ipa_act
.ipa_apply
.ipp_km_proto
= ah_assoc
->ipsa_kmp
;
3040 ap
->ipa_act
.ipa_apply
.ipp_km_cookie
= ah_assoc
->ipsa_kmc
;
3041 if (ah_assoc
->ipsa_flags
& IPSA_F_UNIQUE
)
3044 ap
->ipa_act
.ipa_apply
.ipp_use_unique
= unique
;
3045 ap
->ipa_want_unique
= unique
;
3046 ap
->ipa_allow_clear
= B_FALSE
;
3047 ap
->ipa_want_se
= !!(ira
->ira_flags
& IRAF_IPSEC_DECAPS
);
3048 ap
->ipa_want_ah
= (ah_assoc
!= NULL
);
3049 ap
->ipa_want_esp
= (esp_assoc
!= NULL
);
3051 ap
->ipa_ovhd
= ipsec_act_ovhd(&ap
->ipa_act
);
3053 ap
->ipa_act
.ipa_apply
.ipp_replay_depth
= 0; /* don't care */
3060 * Compute the worst-case amount of extra space required by an action.
3061 * Note that, because of the ESP considerations listed below, this is
3062 * actually not the same as the best-case reduction in the MTU; in the
3063 * future, we should pass additional information to this function to
3064 * allow the actual MTU impact to be computed.
3066 * AH: Revisit this if we implement algorithms with
3067 * a verifier size of more than 12 bytes.
3069 * ESP: A more exact but more messy computation would take into
3070 * account the interaction between the cipher block size and the
3071 * effective MTU, yielding the inner payload size which reflects a
3072 * packet with *minimum* ESP padding..
3075 ipsec_act_ovhd(const ipsec_act_t
*act
)
3077 int32_t overhead
= 0;
3079 if (act
->ipa_type
== IPSEC_ACT_APPLY
) {
3080 const ipsec_prot_t
*ipp
= &act
->ipa_apply
;
3082 if (ipp
->ipp_use_ah
)
3083 overhead
+= IPSEC_MAX_AH_HDR_SIZE
;
3084 if (ipp
->ipp_use_esp
) {
3085 overhead
+= IPSEC_MAX_ESP_HDR_SIZE
;
3086 overhead
+= sizeof (struct udphdr
);
3088 if (ipp
->ipp_use_se
)
3089 overhead
+= IP_SIMPLE_HDR_LENGTH
;
3095 * This hash function is used only when creating policies and thus is not
3096 * performance-critical for packet flows.
3098 * Future work: canonicalize the structures hashed with this (i.e.,
3099 * zeroize padding) so the hash works correctly.
3103 policy_hash(int size
, const void *start
, const void *end
)
3110 * Hash function macros for each address type.
3112 * The IPV6 hash function assumes that the low order 32-bits of the
3113 * address (typically containing the low order 24 bits of the mac
3114 * address) are reasonably well-distributed. Revisit this if we run
3115 * into trouble from lots of collisions on ::1 addresses and the like
3118 #define IPSEC_IPV4_HASH(a, n) ((a) % (n))
3119 #define IPSEC_IPV6_HASH(a, n) (((a).s6_addr32[3]) % (n))
3122 * These two hash functions should produce coordinated values
3123 * but have slightly different roles.
3126 selkey_hash(const ipsec_selkey_t
*selkey
, netstack_t
*ns
)
3128 uint32_t valid
= selkey
->ipsl_valid
;
3129 ipsec_stack_t
*ipss
= ns
->netstack_ipsec
;
3131 if (!(valid
& IPSL_REMOTE_ADDR
))
3132 return (IPSEC_SEL_NOHASH
);
3134 if (valid
& IPSL_IPV4
) {
3135 if (selkey
->ipsl_remote_pfxlen
== 32) {
3136 return (IPSEC_IPV4_HASH(selkey
->ipsl_remote
.ipsad_v4
,
3137 ipss
->ipsec_spd_hashsize
));
3140 if (valid
& IPSL_IPV6
) {
3141 if (selkey
->ipsl_remote_pfxlen
== 128) {
3142 return (IPSEC_IPV6_HASH(selkey
->ipsl_remote
.ipsad_v6
,
3143 ipss
->ipsec_spd_hashsize
));
3146 return (IPSEC_SEL_NOHASH
);
3150 selector_hash(ipsec_selector_t
*sel
, ipsec_policy_root_t
*root
)
3152 if (sel
->ips_isv4
) {
3153 return (IPSEC_IPV4_HASH(sel
->ips_remote_addr_v4
,
3154 root
->ipr_nchains
));
3156 return (IPSEC_IPV6_HASH(sel
->ips_remote_addr_v6
, root
->ipr_nchains
));
3160 * Intern actions into the action hash table.
3163 ipsec_act_find(const ipsec_act_t
*a
, int n
, netstack_t
*ns
)
3168 ipsec_action_t
*prev
= NULL
;
3169 int32_t overhead
, maxovhd
= 0;
3170 boolean_t allow_clear
= B_FALSE
;
3171 boolean_t want_ah
= B_FALSE
;
3172 boolean_t want_esp
= B_FALSE
;
3173 boolean_t want_se
= B_FALSE
;
3174 boolean_t want_unique
= B_FALSE
;
3175 ipsec_stack_t
*ipss
= ns
->netstack_ipsec
;
3178 * TODO: should canonicalize a[] (i.e., zeroize any padding)
3179 * so we can use a non-trivial policy_hash function.
3181 for (i
= n
-1; i
>= 0; i
--) {
3182 hval
= policy_hash(IPSEC_ACTION_HASH_SIZE
, &a
[i
], &a
[n
]);
3184 HASH_LOCK(ipss
->ipsec_action_hash
, hval
);
3186 for (HASH_ITERATE(ap
, ipa_hash
,
3187 ipss
->ipsec_action_hash
, hval
)) {
3188 if (bcmp(&ap
->ipa_act
, &a
[i
], sizeof (*a
)) != 0)
3190 if (ap
->ipa_next
!= prev
)
3195 HASH_UNLOCK(ipss
->ipsec_action_hash
, hval
);
3200 * need to allocate a new one..
3202 ap
= kmem_cache_alloc(ipsec_action_cache
, KM_NOSLEEP
);
3204 HASH_UNLOCK(ipss
->ipsec_action_hash
, hval
);
3206 ipsec_action_free(prev
);
3209 HASH_INSERT(ap
, ipa_hash
, ipss
->ipsec_action_hash
, hval
);
3211 ap
->ipa_next
= prev
;
3214 overhead
= ipsec_act_ovhd(&a
[i
]);
3215 if (maxovhd
< overhead
)
3218 if ((a
[i
].ipa_type
== IPSEC_ACT_BYPASS
) ||
3219 (a
[i
].ipa_type
== IPSEC_ACT_CLEAR
))
3220 allow_clear
= B_TRUE
;
3221 if (a
[i
].ipa_type
== IPSEC_ACT_APPLY
) {
3222 const ipsec_prot_t
*ipp
= &a
[i
].ipa_apply
;
3224 ASSERT(ipp
->ipp_use_ah
|| ipp
->ipp_use_esp
);
3225 want_ah
|= ipp
->ipp_use_ah
;
3226 want_esp
|= ipp
->ipp_use_esp
;
3227 want_se
|= ipp
->ipp_use_se
;
3228 want_unique
|= ipp
->ipp_use_unique
;
3230 ap
->ipa_allow_clear
= allow_clear
;
3231 ap
->ipa_want_ah
= want_ah
;
3232 ap
->ipa_want_esp
= want_esp
;
3233 ap
->ipa_want_se
= want_se
;
3234 ap
->ipa_want_unique
= want_unique
;
3235 ap
->ipa_refs
= 1; /* from the hash table */
3236 ap
->ipa_ovhd
= maxovhd
;
3240 HASH_UNLOCK(ipss
->ipsec_action_hash
, hval
);
3243 ap
->ipa_refs
++; /* caller's reference */
3249 * Called when refcount goes to 0, indicating that all references to this
3252 * This does not unchain the action from the hash table.
3255 ipsec_action_free(ipsec_action_t
*ap
)
3258 ipsec_action_t
*np
= ap
->ipa_next
;
3259 ASSERT(ap
->ipa_refs
== 0);
3260 ASSERT(ap
->ipa_hash
.hash_pp
== NULL
);
3261 kmem_cache_free(ipsec_action_cache
, ap
);
3263 /* Inlined IPACT_REFRELE -- avoid recursion */
3267 if (atomic_dec_32_nv(&(ap
)->ipa_refs
) != 0)
3269 /* End inlined IPACT_REFRELE */
3274 * Called when the action hash table goes away.
3276 * The actions can be queued on an mblk with ipsec_in or
3277 * ipsec_out, hence the actions might still be around.
3278 * But we decrement ipa_refs here since we no longer have
3279 * a reference to the action from the hash table.
3282 ipsec_action_free_table(ipsec_action_t
*ap
)
3284 while (ap
!= NULL
) {
3285 ipsec_action_t
*np
= ap
->ipa_next
;
3287 /* FIXME: remove? */
3288 (void) printf("ipsec_action_free_table(%p) ref %d\n",
3289 (void *)ap
, ap
->ipa_refs
);
3290 ASSERT(ap
->ipa_refs
> 0);
3297 * Need to walk all stack instances since the reclaim function
3298 * is global for all instances
3302 ipsec_action_reclaim(void *arg
)
3304 netstack_handle_t nh
;
3306 ipsec_stack_t
*ipss
;
3308 netstack_next_init(&nh
);
3309 while ((ns
= netstack_next(&nh
)) != NULL
) {
3311 * netstack_next() can return a netstack_t with a NULL
3312 * netstack_ipsec at boot time.
3314 if ((ipss
= ns
->netstack_ipsec
) == NULL
) {
3318 ipsec_action_reclaim_stack(ipss
);
3321 netstack_next_fini(&nh
);
3325 * Periodically sweep action hash table for actions with refcount==1, and
3326 * nuke them. We cannot do this "on demand" (i.e., from IPACT_REFRELE)
3327 * because we can't close the race between another thread finding the action
3328 * in the hash table without holding the bucket lock during IPACT_REFRELE.
3329 * Instead, we run this function sporadically to clean up after ourselves;
3330 * we also set it as the "reclaim" function for the action kmem_cache.
3332 * Note that it may take several passes of ipsec_action_gc() to free all
3336 ipsec_action_reclaim_stack(ipsec_stack_t
*ipss
)
3340 for (i
= 0; i
< IPSEC_ACTION_HASH_SIZE
; i
++) {
3341 ipsec_action_t
*ap
, *np
;
3343 /* skip the lock if nobody home */
3344 if (ipss
->ipsec_action_hash
[i
].hash_head
== NULL
)
3347 HASH_LOCK(ipss
->ipsec_action_hash
, i
);
3348 for (ap
= ipss
->ipsec_action_hash
[i
].hash_head
;
3349 ap
!= NULL
; ap
= np
) {
3350 ASSERT(ap
->ipa_refs
> 0);
3351 np
= ap
->ipa_hash
.hash_next
;
3352 if (ap
->ipa_refs
> 1)
3354 HASH_UNCHAIN(ap
, ipa_hash
,
3355 ipss
->ipsec_action_hash
, i
);
3358 HASH_UNLOCK(ipss
->ipsec_action_hash
, i
);
3363 * Intern a selector set into the selector set hash table.
3364 * This is simpler than the actions case..
3366 static ipsec_sel_t
*
3367 ipsec_find_sel(ipsec_selkey_t
*selkey
, netstack_t
*ns
)
3370 uint32_t hval
, bucket
;
3371 ipsec_stack_t
*ipss
= ns
->netstack_ipsec
;
3374 * Exactly one AF bit should be set in selkey.
3376 ASSERT(!(selkey
->ipsl_valid
& IPSL_IPV4
) ^
3377 !(selkey
->ipsl_valid
& IPSL_IPV6
));
3379 hval
= selkey_hash(selkey
, ns
);
3380 /* Set pol_hval to uninitialized until we put it in a polhead. */
3381 selkey
->ipsl_sel_hval
= hval
;
3383 bucket
= (hval
== IPSEC_SEL_NOHASH
) ? 0 : hval
;
3385 ASSERT(!HASH_LOCKED(ipss
->ipsec_sel_hash
, bucket
));
3386 HASH_LOCK(ipss
->ipsec_sel_hash
, bucket
);
3388 for (HASH_ITERATE(sp
, ipsl_hash
, ipss
->ipsec_sel_hash
, bucket
)) {
3389 if (bcmp(&sp
->ipsl_key
, selkey
,
3390 offsetof(ipsec_selkey_t
, ipsl_pol_hval
)) == 0)
3396 HASH_UNLOCK(ipss
->ipsec_sel_hash
, bucket
);
3400 sp
= kmem_cache_alloc(ipsec_sel_cache
, KM_NOSLEEP
);
3402 HASH_UNLOCK(ipss
->ipsec_sel_hash
, bucket
);
3406 HASH_INSERT(sp
, ipsl_hash
, ipss
->ipsec_sel_hash
, bucket
);
3407 sp
->ipsl_refs
= 2; /* one for hash table, one for caller */
3408 sp
->ipsl_key
= *selkey
;
3409 /* Set to uninitalized and have insertion into polhead fix things. */
3410 if (selkey
->ipsl_sel_hval
!= IPSEC_SEL_NOHASH
)
3411 sp
->ipsl_key
.ipsl_pol_hval
= 0;
3413 sp
->ipsl_key
.ipsl_pol_hval
= IPSEC_SEL_NOHASH
;
3415 HASH_UNLOCK(ipss
->ipsec_sel_hash
, bucket
);
3421 ipsec_sel_rel(ipsec_sel_t
**spp
, netstack_t
*ns
)
3423 ipsec_sel_t
*sp
= *spp
;
3424 int hval
= sp
->ipsl_key
.ipsl_sel_hval
;
3425 ipsec_stack_t
*ipss
= ns
->netstack_ipsec
;
3429 if (hval
== IPSEC_SEL_NOHASH
)
3432 ASSERT(!HASH_LOCKED(ipss
->ipsec_sel_hash
, hval
));
3433 HASH_LOCK(ipss
->ipsec_sel_hash
, hval
);
3434 if (--sp
->ipsl_refs
== 1) {
3435 HASH_UNCHAIN(sp
, ipsl_hash
, ipss
->ipsec_sel_hash
, hval
);
3437 HASH_UNLOCK(ipss
->ipsec_sel_hash
, hval
);
3438 ASSERT(sp
->ipsl_refs
== 0);
3439 kmem_cache_free(ipsec_sel_cache
, sp
);
3440 /* Caller unlocks */
3444 HASH_UNLOCK(ipss
->ipsec_sel_hash
, hval
);
3448 * Free a policy rule which we know is no longer being referenced.
3451 ipsec_policy_free(ipsec_policy_t
*ipp
)
3453 ASSERT(ipp
->ipsp_refs
== 0);
3454 ASSERT(ipp
->ipsp_sel
!= NULL
);
3455 ASSERT(ipp
->ipsp_act
!= NULL
);
3456 ASSERT(ipp
->ipsp_netstack
!= NULL
);
3458 ipsec_sel_rel(&ipp
->ipsp_sel
, ipp
->ipsp_netstack
);
3459 IPACT_REFRELE(ipp
->ipsp_act
);
3460 kmem_cache_free(ipsec_pol_cache
, ipp
);
3464 * Construction of new policy rules; construct a policy, and add it to
3465 * the appropriate tables.
3468 ipsec_policy_create(ipsec_selkey_t
*keys
, const ipsec_act_t
*a
,
3469 int nacts
, int prio
, uint64_t *index_ptr
, netstack_t
*ns
)
3473 ipsec_policy_t
*ipp
;
3474 ipsec_stack_t
*ipss
= ns
->netstack_ipsec
;
3476 if (index_ptr
== NULL
)
3477 index_ptr
= &ipss
->ipsec_next_policy_index
;
3479 ipp
= kmem_cache_alloc(ipsec_pol_cache
, KM_NOSLEEP
);
3480 ap
= ipsec_act_find(a
, nacts
, ns
);
3481 sp
= ipsec_find_sel(keys
, ns
);
3483 if ((ap
== NULL
) || (sp
== NULL
) || (ipp
== NULL
)) {
3488 ipsec_sel_rel(&sp
, ns
);
3490 kmem_cache_free(ipsec_pol_cache
, ipp
);
3494 HASH_NULL(ipp
, ipsp_hash
);
3496 ipp
->ipsp_netstack
= ns
; /* Needed for ipsec_policy_free */
3497 ipp
->ipsp_refs
= 1; /* caller's reference */
3500 ipp
->ipsp_prio
= prio
; /* rule priority */
3501 ipp
->ipsp_index
= *index_ptr
;
3508 ipsec_update_present_flags(ipsec_stack_t
*ipss
)
3512 hashpol
= (avl_numnodes(&ipss
->ipsec_system_policy
.iph_rulebyid
) > 0);
3515 ipss
->ipsec_outbound_v4_policy_present
= B_TRUE
;
3516 ipss
->ipsec_outbound_v6_policy_present
= B_TRUE
;
3517 ipss
->ipsec_inbound_v4_policy_present
= B_TRUE
;
3518 ipss
->ipsec_inbound_v6_policy_present
= B_TRUE
;
3522 ipss
->ipsec_outbound_v4_policy_present
= (NULL
!=
3523 ipss
->ipsec_system_policy
.iph_root
[IPSEC_TYPE_OUTBOUND
].
3524 ipr_nonhash
[IPSEC_AF_V4
]);
3525 ipss
->ipsec_outbound_v6_policy_present
= (NULL
!=
3526 ipss
->ipsec_system_policy
.iph_root
[IPSEC_TYPE_OUTBOUND
].
3527 ipr_nonhash
[IPSEC_AF_V6
]);
3528 ipss
->ipsec_inbound_v4_policy_present
= (NULL
!=
3529 ipss
->ipsec_system_policy
.iph_root
[IPSEC_TYPE_INBOUND
].
3530 ipr_nonhash
[IPSEC_AF_V4
]);
3531 ipss
->ipsec_inbound_v6_policy_present
= (NULL
!=
3532 ipss
->ipsec_system_policy
.iph_root
[IPSEC_TYPE_INBOUND
].
3533 ipr_nonhash
[IPSEC_AF_V6
]);
3537 ipsec_policy_delete(ipsec_policy_head_t
*php
, ipsec_selkey_t
*keys
, int dir
,
3541 ipsec_policy_t
*ip
, *nip
, *head
;
3543 ipsec_policy_root_t
*pr
= &php
->iph_root
[dir
];
3545 sp
= ipsec_find_sel(keys
, ns
);
3550 af
= (sp
->ipsl_key
.ipsl_valid
& IPSL_IPV4
) ? IPSEC_AF_V4
: IPSEC_AF_V6
;
3552 rw_enter(&php
->iph_lock
, RW_WRITER
);
3554 if (sp
->ipsl_key
.ipsl_pol_hval
== IPSEC_SEL_NOHASH
) {
3555 head
= pr
->ipr_nonhash
[af
];
3557 head
= pr
->ipr_hash
[sp
->ipsl_key
.ipsl_pol_hval
].hash_head
;
3560 for (ip
= head
; ip
!= NULL
; ip
= nip
) {
3561 nip
= ip
->ipsp_hash
.hash_next
;
3562 if (ip
->ipsp_sel
!= sp
) {
3566 IPPOL_UNCHAIN(php
, ip
);
3569 ipsec_update_present_flags(ns
->netstack_ipsec
);
3571 rw_exit(&php
->iph_lock
);
3573 ipsec_sel_rel(&sp
, ns
);
3578 rw_exit(&php
->iph_lock
);
3579 ipsec_sel_rel(&sp
, ns
);
3584 ipsec_policy_delete_index(ipsec_policy_head_t
*php
, uint64_t policy_index
,
3587 boolean_t found
= B_FALSE
;
3588 ipsec_policy_t ipkey
;
3592 bzero(&ipkey
, sizeof (ipkey
));
3593 ipkey
.ipsp_index
= policy_index
;
3595 rw_enter(&php
->iph_lock
, RW_WRITER
);
3598 * We could be cleverer here about the walk.
3599 * but well, (k+1)*log(N) will do for now (k==number of matches,
3600 * N==number of table entries
3603 ip
= (ipsec_policy_t
*)avl_find(&php
->iph_rulebyid
,
3604 (void *)&ipkey
, &where
);
3607 ip
= avl_nearest(&php
->iph_rulebyid
, where
, AVL_AFTER
);
3612 if (ip
->ipsp_index
!= policy_index
) {
3613 ASSERT(ip
->ipsp_index
> policy_index
);
3617 IPPOL_UNCHAIN(php
, ip
);
3623 ipsec_update_present_flags(ns
->netstack_ipsec
);
3626 rw_exit(&php
->iph_lock
);
3628 return (found
? 0 : ENOENT
);
3632 * Given a constructed ipsec_policy_t policy rule, see if it can be entered
3633 * into the correct policy ruleset. As a side-effect, it sets the hash
3634 * entries on "ipp"'s ipsp_pol_hval.
3636 * Returns B_TRUE if it can be entered, B_FALSE if it can't be (because a
3637 * duplicate policy exists with exactly the same selectors), or an icmp
3638 * rule exists with a different encryption/authentication action.
3641 ipsec_check_policy(ipsec_policy_head_t
*php
, ipsec_policy_t
*ipp
, int direction
)
3643 ipsec_policy_root_t
*pr
= &php
->iph_root
[direction
];
3645 ipsec_policy_t
*p2
, *head
;
3646 uint8_t check_proto
;
3647 ipsec_selkey_t
*selkey
= &ipp
->ipsp_sel
->ipsl_key
;
3648 uint32_t valid
= selkey
->ipsl_valid
;
3650 if (valid
& IPSL_IPV6
) {
3651 ASSERT(!(valid
& IPSL_IPV4
));
3653 check_proto
= IPPROTO_ICMPV6
;
3655 ASSERT(valid
& IPSL_IPV4
);
3657 check_proto
= IPPROTO_ICMP
;
3660 ASSERT(RW_WRITE_HELD(&php
->iph_lock
));
3663 * Double-check that we don't have any duplicate selectors here.
3664 * Because selectors are interned below, we need only compare pointers
3667 if (selkey
->ipsl_sel_hval
== IPSEC_SEL_NOHASH
) {
3668 head
= pr
->ipr_nonhash
[af
];
3670 selkey
->ipsl_pol_hval
=
3671 (selkey
->ipsl_valid
& IPSL_IPV4
) ?
3672 IPSEC_IPV4_HASH(selkey
->ipsl_remote
.ipsad_v4
,
3674 IPSEC_IPV6_HASH(selkey
->ipsl_remote
.ipsad_v6
,
3677 head
= pr
->ipr_hash
[selkey
->ipsl_pol_hval
].hash_head
;
3680 for (p2
= head
; p2
!= NULL
; p2
= p2
->ipsp_hash
.hash_next
) {
3681 if (p2
->ipsp_sel
== ipp
->ipsp_sel
)
3686 * If it's ICMP and not a drop or pass rule, run through the ICMP
3687 * rules and make sure the action is either new or the same as any
3688 * other actions. We don't have to check the full chain because
3689 * discard and bypass will override all other actions
3692 if (valid
& IPSL_PROTOCOL
&&
3693 selkey
->ipsl_proto
== check_proto
&&
3694 (ipp
->ipsp_act
->ipa_act
.ipa_type
== IPSEC_ACT_APPLY
)) {
3696 for (p2
= head
; p2
!= NULL
; p2
= p2
->ipsp_hash
.hash_next
) {
3698 if (p2
->ipsp_sel
->ipsl_key
.ipsl_valid
& IPSL_PROTOCOL
&&
3699 p2
->ipsp_sel
->ipsl_key
.ipsl_proto
== check_proto
&&
3700 (p2
->ipsp_act
->ipa_act
.ipa_type
==
3702 return (ipsec_compare_action(p2
, ipp
));
3711 * compare the action chains of two policies for equality
3712 * B_TRUE -> effective equality
3716 ipsec_compare_action(ipsec_policy_t
*p1
, ipsec_policy_t
*p2
)
3719 ipsec_action_t
*act1
, *act2
;
3721 /* We have a valid rule. Let's compare the actions */
3722 if (p1
->ipsp_act
== p2
->ipsp_act
) {
3723 /* same action. We are good */
3727 /* we have to walk the chain */
3729 act1
= p1
->ipsp_act
;
3730 act2
= p2
->ipsp_act
;
3732 while (act1
!= NULL
&& act2
!= NULL
) {
3734 /* otherwise, Are we close enough? */
3735 if (act1
->ipa_allow_clear
!= act2
->ipa_allow_clear
||
3736 act1
->ipa_want_ah
!= act2
->ipa_want_ah
||
3737 act1
->ipa_want_esp
!= act2
->ipa_want_esp
||
3738 act1
->ipa_want_se
!= act2
->ipa_want_se
) {
3739 /* Nope, we aren't */
3743 if (act1
->ipa_want_ah
) {
3744 if (act1
->ipa_act
.ipa_apply
.ipp_auth_alg
!=
3745 act2
->ipa_act
.ipa_apply
.ipp_auth_alg
) {
3749 if (act1
->ipa_act
.ipa_apply
.ipp_ah_minbits
!=
3750 act2
->ipa_act
.ipa_apply
.ipp_ah_minbits
||
3751 act1
->ipa_act
.ipa_apply
.ipp_ah_maxbits
!=
3752 act2
->ipa_act
.ipa_apply
.ipp_ah_maxbits
) {
3757 if (act1
->ipa_want_esp
) {
3758 if (act1
->ipa_act
.ipa_apply
.ipp_use_esp
!=
3759 act2
->ipa_act
.ipa_apply
.ipp_use_esp
||
3760 act1
->ipa_act
.ipa_apply
.ipp_use_espa
!=
3761 act2
->ipa_act
.ipa_apply
.ipp_use_espa
) {
3765 if (act1
->ipa_act
.ipa_apply
.ipp_use_esp
) {
3766 if (act1
->ipa_act
.ipa_apply
.ipp_encr_alg
!=
3767 act2
->ipa_act
.ipa_apply
.ipp_encr_alg
) {
3771 if (act1
->ipa_act
.ipa_apply
.ipp_espe_minbits
!=
3772 act2
->ipa_act
.ipa_apply
.ipp_espe_minbits
||
3773 act1
->ipa_act
.ipa_apply
.ipp_espe_maxbits
!=
3774 act2
->ipa_act
.ipa_apply
.ipp_espe_maxbits
) {
3779 if (act1
->ipa_act
.ipa_apply
.ipp_use_espa
) {
3780 if (act1
->ipa_act
.ipa_apply
.ipp_esp_auth_alg
!=
3781 act2
->ipa_act
.ipa_apply
.ipp_esp_auth_alg
) {
3785 if (act1
->ipa_act
.ipa_apply
.ipp_espa_minbits
!=
3786 act2
->ipa_act
.ipa_apply
.ipp_espa_minbits
||
3787 act1
->ipa_act
.ipa_apply
.ipp_espa_maxbits
!=
3788 act2
->ipa_act
.ipa_apply
.ipp_espa_maxbits
) {
3795 act1
= act1
->ipa_next
;
3796 act2
= act2
->ipa_next
;
3799 if (act1
!= NULL
|| act2
!= NULL
) {
3808 * Given a constructed ipsec_policy_t policy rule, enter it into
3809 * the correct policy ruleset.
3811 * ipsec_check_policy() is assumed to have succeeded first (to check for
3815 ipsec_enter_policy(ipsec_policy_head_t
*php
, ipsec_policy_t
*ipp
, int direction
,
3818 ipsec_policy_root_t
*pr
= &php
->iph_root
[direction
];
3819 ipsec_selkey_t
*selkey
= &ipp
->ipsp_sel
->ipsl_key
;
3820 uint32_t valid
= selkey
->ipsl_valid
;
3821 uint32_t hval
= selkey
->ipsl_pol_hval
;
3824 ASSERT(RW_WRITE_HELD(&php
->iph_lock
));
3826 if (valid
& IPSL_IPV6
) {
3827 ASSERT(!(valid
& IPSL_IPV4
));
3830 ASSERT(valid
& IPSL_IPV4
);
3836 if (hval
== IPSEC_SEL_NOHASH
) {
3837 HASHLIST_INSERT(ipp
, ipsp_hash
, pr
->ipr_nonhash
[af
]);
3839 HASH_LOCK(pr
->ipr_hash
, hval
);
3840 HASH_INSERT(ipp
, ipsp_hash
, pr
->ipr_hash
, hval
);
3841 HASH_UNLOCK(pr
->ipr_hash
, hval
);
3844 ipsec_insert_always(&php
->iph_rulebyid
, ipp
);
3846 ipsec_update_present_flags(ns
->netstack_ipsec
);
3850 ipsec_ipr_flush(ipsec_policy_head_t
*php
, ipsec_policy_root_t
*ipr
)
3852 ipsec_policy_t
*ip
, *nip
;
3853 int af
, chain
, nchain
;
3855 for (af
= 0; af
< IPSEC_NAF
; af
++) {
3856 for (ip
= ipr
->ipr_nonhash
[af
]; ip
!= NULL
; ip
= nip
) {
3857 nip
= ip
->ipsp_hash
.hash_next
;
3858 IPPOL_UNCHAIN(php
, ip
);
3860 ipr
->ipr_nonhash
[af
] = NULL
;
3862 nchain
= ipr
->ipr_nchains
;
3864 for (chain
= 0; chain
< nchain
; chain
++) {
3865 for (ip
= ipr
->ipr_hash
[chain
].hash_head
; ip
!= NULL
;
3867 nip
= ip
->ipsp_hash
.hash_next
;
3868 IPPOL_UNCHAIN(php
, ip
);
3870 ipr
->ipr_hash
[chain
].hash_head
= NULL
;
3875 * Create and insert inbound or outbound policy associated with actp for the
3876 * address family fam into the policy head ph. Returns B_TRUE if policy was
3877 * inserted, and B_FALSE otherwise.
3880 ipsec_polhead_insert(ipsec_policy_head_t
*ph
, ipsec_act_t
*actp
, uint_t nact
,
3881 int fam
, int ptype
, netstack_t
*ns
)
3884 ipsec_policy_t
*pol
;
3885 ipsec_policy_root_t
*pr
;
3887 bzero(&sel
, sizeof (sel
));
3888 sel
.ipsl_valid
= (fam
== IPSEC_AF_V4
? IPSL_IPV4
: IPSL_IPV6
);
3889 if ((pol
= ipsec_policy_create(&sel
, actp
, nact
, IPSEC_PRIO_SOCKET
,
3890 NULL
, ns
)) != NULL
) {
3891 pr
= &ph
->iph_root
[ptype
];
3892 HASHLIST_INSERT(pol
, ipsp_hash
, pr
->ipr_nonhash
[fam
]);
3893 ipsec_insert_always(&ph
->iph_rulebyid
, pol
);
3895 return (pol
!= NULL
);
3899 ipsec_polhead_flush(ipsec_policy_head_t
*php
, netstack_t
*ns
)
3903 ASSERT(RW_WRITE_HELD(&php
->iph_lock
));
3905 for (dir
= 0; dir
< IPSEC_NTYPES
; dir
++)
3906 ipsec_ipr_flush(php
, &php
->iph_root
[dir
]);
3909 ipsec_update_present_flags(ns
->netstack_ipsec
);
3913 ipsec_polhead_free(ipsec_policy_head_t
*php
, netstack_t
*ns
)
3917 ASSERT(php
->iph_refs
== 0);
3919 rw_enter(&php
->iph_lock
, RW_WRITER
);
3920 ipsec_polhead_flush(php
, ns
);
3921 rw_exit(&php
->iph_lock
);
3922 rw_destroy(&php
->iph_lock
);
3923 for (dir
= 0; dir
< IPSEC_NTYPES
; dir
++) {
3924 ipsec_policy_root_t
*ipr
= &php
->iph_root
[dir
];
3927 for (chain
= 0; chain
< ipr
->ipr_nchains
; chain
++)
3928 mutex_destroy(&(ipr
->ipr_hash
[chain
].hash_lock
));
3931 ipsec_polhead_free_table(php
);
3932 kmem_free(php
, sizeof (*php
));
3936 ipsec_ipr_init(ipsec_policy_root_t
*ipr
)
3940 ipr
->ipr_nchains
= 0;
3941 ipr
->ipr_hash
= NULL
;
3943 for (af
= 0; af
< IPSEC_NAF
; af
++) {
3944 ipr
->ipr_nonhash
[af
] = NULL
;
3948 ipsec_policy_head_t
*
3949 ipsec_polhead_create(void)
3951 ipsec_policy_head_t
*php
;
3953 php
= kmem_alloc(sizeof (*php
), KM_NOSLEEP
);
3957 rw_init(&php
->iph_lock
, NULL
, RW_DEFAULT
, NULL
);
3961 ipsec_ipr_init(&php
->iph_root
[IPSEC_TYPE_INBOUND
]);
3962 ipsec_ipr_init(&php
->iph_root
[IPSEC_TYPE_OUTBOUND
]);
3964 avl_create(&php
->iph_rulebyid
, ipsec_policy_cmpbyid
,
3965 sizeof (ipsec_policy_t
), offsetof(ipsec_policy_t
, ipsp_byid
));
3971 * Clone the policy head into a new polhead; release one reference to the
3972 * old one and return the only reference to the new one.
3973 * If the old one had a refcount of 1, just return it.
3975 ipsec_policy_head_t
*
3976 ipsec_polhead_split(ipsec_policy_head_t
*php
, netstack_t
*ns
)
3978 ipsec_policy_head_t
*nphp
;
3981 return (ipsec_polhead_create());
3982 else if (php
->iph_refs
== 1)
3985 nphp
= ipsec_polhead_create();
3989 if (ipsec_copy_polhead(php
, nphp
, ns
) != 0) {
3990 ipsec_polhead_free(nphp
, ns
);
3993 IPPH_REFRELE(php
, ns
);
3998 * When sending a response to a ICMP request or generating a RST
3999 * in the TCP case, the outbound packets need to go at the same level
4000 * of protection as the incoming ones i.e we associate our outbound
4001 * policy with how the packet came in. We call this after we have
4002 * accepted the incoming packet which may or may not have been in
4003 * clear and hence we are sending the reply back with the policy
4004 * matching the incoming datagram's policy.
4006 * NOTE : This technology serves two purposes :
4008 * 1) If we have multiple outbound policies, we send out a reply
4009 * matching with how it came in rather than matching the outbound
4012 * 2) For assymetric policies, we want to make sure that incoming
4013 * and outgoing has the same level of protection. Assymetric
4014 * policies exist only with global policy where we may not have
4015 * both outbound and inbound at the same time.
4017 * NOTE2: This function is called by cleartext cases, so it needs to be
4020 * Note: the caller has moved other parts of ira into ixa already.
4023 ipsec_in_to_out(ip_recv_attr_t
*ira
, ip_xmit_attr_t
*ixa
, mblk_t
*data_mp
,
4024 ipha_t
*ipha
, ip6_t
*ip6h
)
4026 ipsec_selector_t sel
;
4027 ipsec_action_t
*reflect_action
= NULL
;
4028 netstack_t
*ns
= ixa
->ixa_ipst
->ips_netstack
;
4030 bzero((void*)&sel
, sizeof (sel
));
4032 if (ira
->ira_ipsec_action
!= NULL
) {
4033 /* transfer reference.. */
4034 reflect_action
= ira
->ira_ipsec_action
;
4035 ira
->ira_ipsec_action
= NULL
;
4036 } else if (!(ira
->ira_flags
& IRAF_LOOPBACK
))
4037 reflect_action
= ipsec_in_to_out_action(ira
);
4040 * The caller is going to send the datagram out which might
4041 * go on the wire or delivered locally through ire_send_local.
4043 * 1) If it goes out on the wire, new associations will be
4045 * 2) If it is delivered locally, ire_send_local will convert
4046 * this ip_xmit_attr_t back to a ip_recv_attr_t looking at the
4049 ixa
->ixa_ipsec_action
= reflect_action
;
4051 if (!ipsec_init_outbound_ports(&sel
, data_mp
, ipha
, ip6h
, 0,
4052 ns
->netstack_ipsec
)) {
4053 /* Note: data_mp already consumed and ip_drop_packet done */
4056 ixa
->ixa_ipsec_src_port
= sel
.ips_local_port
;
4057 ixa
->ixa_ipsec_dst_port
= sel
.ips_remote_port
;
4058 ixa
->ixa_ipsec_proto
= sel
.ips_protocol
;
4059 ixa
->ixa_ipsec_icmp_type
= sel
.ips_icmp_type
;
4060 ixa
->ixa_ipsec_icmp_code
= sel
.ips_icmp_code
;
4063 * Don't use global policy for this, as we want
4064 * to use the same protection that was applied to the inbound packet.
4065 * Thus we set IXAF_NO_IPSEC is it arrived in the clear to make
4066 * it be sent in the clear.
4068 if (ira
->ira_flags
& IRAF_IPSEC_SECURE
)
4069 ixa
->ixa_flags
|= IXAF_IPSEC_SECURE
;
4071 ixa
->ixa_flags
|= IXAF_NO_IPSEC
;
4077 ipsec_out_release_refs(ip_xmit_attr_t
*ixa
)
4079 if (!(ixa
->ixa_flags
& IXAF_IPSEC_SECURE
))
4082 if (ixa
->ixa_ipsec_ah_sa
!= NULL
) {
4083 IPSA_REFRELE(ixa
->ixa_ipsec_ah_sa
);
4084 ixa
->ixa_ipsec_ah_sa
= NULL
;
4086 if (ixa
->ixa_ipsec_esp_sa
!= NULL
) {
4087 IPSA_REFRELE(ixa
->ixa_ipsec_esp_sa
);
4088 ixa
->ixa_ipsec_esp_sa
= NULL
;
4090 if (ixa
->ixa_ipsec_policy
!= NULL
) {
4091 IPPOL_REFRELE(ixa
->ixa_ipsec_policy
);
4092 ixa
->ixa_ipsec_policy
= NULL
;
4094 if (ixa
->ixa_ipsec_action
!= NULL
) {
4095 IPACT_REFRELE(ixa
->ixa_ipsec_action
);
4096 ixa
->ixa_ipsec_action
= NULL
;
4098 if (ixa
->ixa_ipsec_latch
) {
4099 IPLATCH_REFRELE(ixa
->ixa_ipsec_latch
);
4100 ixa
->ixa_ipsec_latch
= NULL
;
4102 /* Clear the soft references to the SAs */
4103 ixa
->ixa_ipsec_ref
[0].ipsr_sa
= NULL
;
4104 ixa
->ixa_ipsec_ref
[0].ipsr_bucket
= NULL
;
4105 ixa
->ixa_ipsec_ref
[0].ipsr_gen
= 0;
4106 ixa
->ixa_ipsec_ref
[1].ipsr_sa
= NULL
;
4107 ixa
->ixa_ipsec_ref
[1].ipsr_bucket
= NULL
;
4108 ixa
->ixa_ipsec_ref
[1].ipsr_gen
= 0;
4109 ixa
->ixa_flags
&= ~IXAF_IPSEC_SECURE
;
4113 ipsec_in_release_refs(ip_recv_attr_t
*ira
)
4115 if (!(ira
->ira_flags
& IRAF_IPSEC_SECURE
))
4118 if (ira
->ira_ipsec_ah_sa
!= NULL
) {
4119 IPSA_REFRELE(ira
->ira_ipsec_ah_sa
);
4120 ira
->ira_ipsec_ah_sa
= NULL
;
4122 if (ira
->ira_ipsec_esp_sa
!= NULL
) {
4123 IPSA_REFRELE(ira
->ira_ipsec_esp_sa
);
4124 ira
->ira_ipsec_esp_sa
= NULL
;
4126 if (ira
->ira_ipsec_action
!= NULL
) {
4127 IPACT_REFRELE(ira
->ira_ipsec_action
);
4128 ira
->ira_ipsec_action
= NULL
;
4131 ira
->ira_flags
&= ~IRAF_IPSEC_SECURE
;
4135 * This is called from ire_send_local when a packet
4136 * is looped back. We setup the ip_recv_attr_t "borrowing" the references
4137 * held by the callers.
4138 * Note that we don't do any IPsec but we carry the actions and IPSEC flags
4139 * across so that the fanout policy checks see that IPsec was applied.
4141 * The caller should do ipsec_in_release_refs() on the ira by calling
4145 ipsec_out_to_in(ip_xmit_attr_t
*ixa
, ill_t
*ill
, ip_recv_attr_t
*ira
)
4147 ipsec_policy_t
*pol
;
4148 ipsec_action_t
*act
;
4150 /* Non-IPsec operations */
4151 ira
->ira_free_flags
= 0;
4152 ira
->ira_zoneid
= ixa
->ixa_zoneid
;
4153 ira
->ira_cred
= ixa
->ixa_cred
;
4154 ira
->ira_cpid
= ixa
->ixa_cpid
;
4155 ira
->ira_tsl
= ixa
->ixa_tsl
;
4156 ira
->ira_ill
= ira
->ira_rill
= ill
;
4157 ira
->ira_flags
= ixa
->ixa_flags
& IAF_MASK
;
4158 ira
->ira_no_loop_zoneid
= ixa
->ixa_no_loop_zoneid
;
4159 ira
->ira_pktlen
= ixa
->ixa_pktlen
;
4160 ira
->ira_ip_hdr_length
= ixa
->ixa_ip_hdr_length
;
4161 ira
->ira_protocol
= ixa
->ixa_protocol
;
4162 ira
->ira_mhip
= NULL
;
4164 ira
->ira_flags
|= IRAF_LOOPBACK
| IRAF_L2SRC_LOOPBACK
;
4166 ira
->ira_sqp
= ixa
->ixa_sqp
;
4167 ira
->ira_ring
= NULL
;
4169 ira
->ira_ruifindex
= ill
->ill_phyint
->phyint_ifindex
;
4170 ira
->ira_rifindex
= ira
->ira_ruifindex
;
4172 if (!(ixa
->ixa_flags
& IXAF_IPSEC_SECURE
))
4175 ira
->ira_flags
|= IRAF_IPSEC_SECURE
;
4177 ira
->ira_ipsec_ah_sa
= NULL
;
4178 ira
->ira_ipsec_esp_sa
= NULL
;
4180 act
= ixa
->ixa_ipsec_action
;
4182 pol
= ixa
->ixa_ipsec_policy
;
4184 act
= pol
->ipsp_act
;
4188 ixa
->ixa_ipsec_action
= NULL
;
4189 ira
->ira_ipsec_action
= act
;
4193 * Consults global policy and per-socket policy to see whether this datagram
4194 * should go out secure. If so it updates the ip_xmit_attr_t
4195 * Should not be used when connecting, since then we want to latch the policy.
4197 * If connp is NULL we just look at the global policy.
4199 * Returns NULL if the packet was dropped, in which case the MIB has
4200 * been incremented and ip_drop_packet done.
4203 ip_output_attach_policy(mblk_t
*mp
, ipha_t
*ipha
, ip6_t
*ip6h
,
4204 const conn_t
*connp
, ip_xmit_attr_t
*ixa
)
4206 ipsec_selector_t sel
;
4207 boolean_t policy_present
;
4208 ip_stack_t
*ipst
= ixa
->ixa_ipst
;
4209 netstack_t
*ns
= ipst
->ips_netstack
;
4210 ipsec_stack_t
*ipss
= ns
->netstack_ipsec
;
4213 ixa
->ixa_ipsec_policy_gen
= ipss
->ipsec_system_policy
.iph_gen
;
4214 ASSERT((ipha
!= NULL
&& ip6h
== NULL
) ||
4215 (ip6h
!= NULL
&& ipha
== NULL
));
4218 policy_present
= ipss
->ipsec_outbound_v4_policy_present
;
4220 policy_present
= ipss
->ipsec_outbound_v6_policy_present
;
4222 if (!policy_present
&& (connp
== NULL
|| connp
->conn_policy
== NULL
))
4225 bzero((void*)&sel
, sizeof (sel
));
4228 sel
.ips_local_addr_v4
= ipha
->ipha_src
;
4229 sel
.ips_remote_addr_v4
= ip_get_dst(ipha
);
4230 sel
.ips_isv4
= B_TRUE
;
4232 sel
.ips_isv4
= B_FALSE
;
4233 sel
.ips_local_addr_v6
= ip6h
->ip6_src
;
4234 sel
.ips_remote_addr_v6
= ip_get_dst_v6(ip6h
, mp
, NULL
);
4236 sel
.ips_protocol
= ixa
->ixa_protocol
;
4238 if (!ipsec_init_outbound_ports(&sel
, mp
, ipha
, ip6h
, 0, ipss
)) {
4240 BUMP_MIB(&ipst
->ips_ip_mib
, ipIfStatsOutDiscards
);
4242 BUMP_MIB(&ipst
->ips_ip6_mib
, ipIfStatsOutDiscards
);
4244 /* Note: mp already consumed and ip_drop_packet done */
4248 ASSERT(ixa
->ixa_ipsec_policy
== NULL
);
4249 p
= ipsec_find_policy(IPSEC_TYPE_OUTBOUND
, connp
, &sel
, ns
);
4250 ixa
->ixa_ipsec_policy
= p
;
4252 ixa
->ixa_flags
|= IXAF_IPSEC_SECURE
;
4253 if (connp
== NULL
|| connp
->conn_policy
== NULL
)
4254 ixa
->ixa_flags
|= IXAF_IPSEC_GLOBAL_POLICY
;
4256 ixa
->ixa_flags
&= ~IXAF_IPSEC_SECURE
;
4260 * Copy the right port information.
4262 ixa
->ixa_ipsec_src_port
= sel
.ips_local_port
;
4263 ixa
->ixa_ipsec_dst_port
= sel
.ips_remote_port
;
4264 ixa
->ixa_ipsec_icmp_type
= sel
.ips_icmp_type
;
4265 ixa
->ixa_ipsec_icmp_code
= sel
.ips_icmp_code
;
4266 ixa
->ixa_ipsec_proto
= sel
.ips_protocol
;
4271 * When appropriate, this function caches inbound and outbound policy
4272 * for this connection. The outbound policy is stored in conn_ixa.
4273 * Note that it can not be used for SCTP since conn_faddr isn't set for SCTP.
4275 * XXX need to work out more details about per-interface policy and
4278 * XXX may want to split inbound and outbound caching for ill..
4281 ipsec_conn_cache_policy(conn_t
*connp
, boolean_t isv4
)
4283 boolean_t global_policy_present
;
4284 netstack_t
*ns
= connp
->conn_netstack
;
4285 ipsec_stack_t
*ipss
= ns
->netstack_ipsec
;
4287 connp
->conn_ixa
->ixa_ipsec_policy_gen
=
4288 ipss
->ipsec_system_policy
.iph_gen
;
4290 * There is no policy latching for ICMP sockets because we can't
4291 * decide on which policy to use until we see the packet and get
4292 * type/code selectors.
4294 if (connp
->conn_proto
== IPPROTO_ICMP
||
4295 connp
->conn_proto
== IPPROTO_ICMPV6
) {
4296 connp
->conn_in_enforce_policy
=
4297 connp
->conn_out_enforce_policy
= B_TRUE
;
4298 if (connp
->conn_latch
!= NULL
) {
4299 IPLATCH_REFRELE(connp
->conn_latch
);
4300 connp
->conn_latch
= NULL
;
4302 if (connp
->conn_latch_in_policy
!= NULL
) {
4303 IPPOL_REFRELE(connp
->conn_latch_in_policy
);
4304 connp
->conn_latch_in_policy
= NULL
;
4306 if (connp
->conn_latch_in_action
!= NULL
) {
4307 IPACT_REFRELE(connp
->conn_latch_in_action
);
4308 connp
->conn_latch_in_action
= NULL
;
4310 if (connp
->conn_ixa
->ixa_ipsec_policy
!= NULL
) {
4311 IPPOL_REFRELE(connp
->conn_ixa
->ixa_ipsec_policy
);
4312 connp
->conn_ixa
->ixa_ipsec_policy
= NULL
;
4314 if (connp
->conn_ixa
->ixa_ipsec_action
!= NULL
) {
4315 IPACT_REFRELE(connp
->conn_ixa
->ixa_ipsec_action
);
4316 connp
->conn_ixa
->ixa_ipsec_action
= NULL
;
4318 connp
->conn_ixa
->ixa_flags
&= ~IXAF_IPSEC_SECURE
;
4322 global_policy_present
= isv4
?
4323 (ipss
->ipsec_outbound_v4_policy_present
||
4324 ipss
->ipsec_inbound_v4_policy_present
) :
4325 (ipss
->ipsec_outbound_v6_policy_present
||
4326 ipss
->ipsec_inbound_v6_policy_present
);
4328 if ((connp
->conn_policy
!= NULL
) || global_policy_present
) {
4329 ipsec_selector_t sel
;
4332 if (connp
->conn_latch
== NULL
&&
4333 (connp
->conn_latch
= iplatch_create()) == NULL
) {
4337 bzero((void*)&sel
, sizeof (sel
));
4339 sel
.ips_protocol
= connp
->conn_proto
;
4340 sel
.ips_local_port
= connp
->conn_lport
;
4341 sel
.ips_remote_port
= connp
->conn_fport
;
4342 sel
.ips_is_icmp_inv_acq
= 0;
4343 sel
.ips_isv4
= isv4
;
4345 sel
.ips_local_addr_v4
= connp
->conn_laddr_v4
;
4346 sel
.ips_remote_addr_v4
= connp
->conn_faddr_v4
;
4348 sel
.ips_local_addr_v6
= connp
->conn_laddr_v6
;
4349 sel
.ips_remote_addr_v6
= connp
->conn_faddr_v6
;
4352 p
= ipsec_find_policy(IPSEC_TYPE_INBOUND
, connp
, &sel
, ns
);
4353 if (connp
->conn_latch_in_policy
!= NULL
)
4354 IPPOL_REFRELE(connp
->conn_latch_in_policy
);
4355 connp
->conn_latch_in_policy
= p
;
4356 connp
->conn_in_enforce_policy
= (p
!= NULL
);
4358 p
= ipsec_find_policy(IPSEC_TYPE_OUTBOUND
, connp
, &sel
, ns
);
4359 if (connp
->conn_ixa
->ixa_ipsec_policy
!= NULL
)
4360 IPPOL_REFRELE(connp
->conn_ixa
->ixa_ipsec_policy
);
4361 connp
->conn_ixa
->ixa_ipsec_policy
= p
;
4362 connp
->conn_out_enforce_policy
= (p
!= NULL
);
4364 connp
->conn_ixa
->ixa_flags
|= IXAF_IPSEC_SECURE
;
4365 if (connp
->conn_policy
== NULL
) {
4366 connp
->conn_ixa
->ixa_flags
|=
4367 IXAF_IPSEC_GLOBAL_POLICY
;
4370 connp
->conn_ixa
->ixa_flags
&= ~IXAF_IPSEC_SECURE
;
4372 /* Clear the latched actions too, in case we're recaching. */
4373 if (connp
->conn_ixa
->ixa_ipsec_action
!= NULL
) {
4374 IPACT_REFRELE(connp
->conn_ixa
->ixa_ipsec_action
);
4375 connp
->conn_ixa
->ixa_ipsec_action
= NULL
;
4377 if (connp
->conn_latch_in_action
!= NULL
) {
4378 IPACT_REFRELE(connp
->conn_latch_in_action
);
4379 connp
->conn_latch_in_action
= NULL
;
4381 connp
->conn_ixa
->ixa_ipsec_src_port
= sel
.ips_local_port
;
4382 connp
->conn_ixa
->ixa_ipsec_dst_port
= sel
.ips_remote_port
;
4383 connp
->conn_ixa
->ixa_ipsec_icmp_type
= sel
.ips_icmp_type
;
4384 connp
->conn_ixa
->ixa_ipsec_icmp_code
= sel
.ips_icmp_code
;
4385 connp
->conn_ixa
->ixa_ipsec_proto
= sel
.ips_protocol
;
4387 connp
->conn_ixa
->ixa_flags
&= ~IXAF_IPSEC_SECURE
;
4391 * We may or may not have policy for this endpoint. We still set
4392 * conn_policy_cached so that inbound datagrams don't have to look
4393 * at global policy as policy is considered latched for these
4394 * endpoints. We should not set conn_policy_cached until the conn
4395 * reflects the actual policy. If we *set* this before inheriting
4396 * the policy there is a window where the check
4397 * CONN_INBOUND_POLICY_PRESENT, will neither check with the policy
4398 * on the conn (because we have not yet copied the policy on to
4399 * conn and hence not set conn_in_enforce_policy) nor with the
4400 * global policy (because conn_policy_cached is already set).
4402 connp
->conn_policy_cached
= B_TRUE
;
4407 * When appropriate, this function caches outbound policy for faddr/fport.
4408 * It is used when we are not connected i.e., when we can not latch the
4412 ipsec_cache_outbound_policy(const conn_t
*connp
, const in6_addr_t
*v6src
,
4413 const in6_addr_t
*v6dst
, in_port_t dstport
, ip_xmit_attr_t
*ixa
)
4415 boolean_t isv4
= (ixa
->ixa_flags
& IXAF_IS_IPV4
) != 0;
4416 boolean_t global_policy_present
;
4417 netstack_t
*ns
= connp
->conn_netstack
;
4418 ipsec_stack_t
*ipss
= ns
->netstack_ipsec
;
4420 ixa
->ixa_ipsec_policy_gen
= ipss
->ipsec_system_policy
.iph_gen
;
4423 * There is no policy caching for ICMP sockets because we can't
4424 * decide on which policy to use until we see the packet and get
4425 * type/code selectors.
4427 if (connp
->conn_proto
== IPPROTO_ICMP
||
4428 connp
->conn_proto
== IPPROTO_ICMPV6
) {
4429 ixa
->ixa_flags
&= ~IXAF_IPSEC_SECURE
;
4430 if (ixa
->ixa_ipsec_policy
!= NULL
) {
4431 IPPOL_REFRELE(ixa
->ixa_ipsec_policy
);
4432 ixa
->ixa_ipsec_policy
= NULL
;
4434 if (ixa
->ixa_ipsec_action
!= NULL
) {
4435 IPACT_REFRELE(ixa
->ixa_ipsec_action
);
4436 ixa
->ixa_ipsec_action
= NULL
;
4441 global_policy_present
= isv4
?
4442 (ipss
->ipsec_outbound_v4_policy_present
||
4443 ipss
->ipsec_inbound_v4_policy_present
) :
4444 (ipss
->ipsec_outbound_v6_policy_present
||
4445 ipss
->ipsec_inbound_v6_policy_present
);
4447 if ((connp
->conn_policy
!= NULL
) || global_policy_present
) {
4448 ipsec_selector_t sel
;
4451 bzero((void*)&sel
, sizeof (sel
));
4453 sel
.ips_protocol
= connp
->conn_proto
;
4454 sel
.ips_local_port
= connp
->conn_lport
;
4455 sel
.ips_remote_port
= dstport
;
4456 sel
.ips_is_icmp_inv_acq
= 0;
4457 sel
.ips_isv4
= isv4
;
4459 IN6_V4MAPPED_TO_IPADDR(v6src
, sel
.ips_local_addr_v4
);
4460 IN6_V4MAPPED_TO_IPADDR(v6dst
, sel
.ips_remote_addr_v4
);
4462 sel
.ips_local_addr_v6
= *v6src
;
4463 sel
.ips_remote_addr_v6
= *v6dst
;
4466 p
= ipsec_find_policy(IPSEC_TYPE_OUTBOUND
, connp
, &sel
, ns
);
4467 if (ixa
->ixa_ipsec_policy
!= NULL
)
4468 IPPOL_REFRELE(ixa
->ixa_ipsec_policy
);
4469 ixa
->ixa_ipsec_policy
= p
;
4471 ixa
->ixa_flags
|= IXAF_IPSEC_SECURE
;
4472 if (connp
->conn_policy
== NULL
)
4473 ixa
->ixa_flags
|= IXAF_IPSEC_GLOBAL_POLICY
;
4475 ixa
->ixa_flags
&= ~IXAF_IPSEC_SECURE
;
4477 /* Clear the latched actions too, in case we're recaching. */
4478 if (ixa
->ixa_ipsec_action
!= NULL
) {
4479 IPACT_REFRELE(ixa
->ixa_ipsec_action
);
4480 ixa
->ixa_ipsec_action
= NULL
;
4483 ixa
->ixa_ipsec_src_port
= sel
.ips_local_port
;
4484 ixa
->ixa_ipsec_dst_port
= sel
.ips_remote_port
;
4485 ixa
->ixa_ipsec_icmp_type
= sel
.ips_icmp_type
;
4486 ixa
->ixa_ipsec_icmp_code
= sel
.ips_icmp_code
;
4487 ixa
->ixa_ipsec_proto
= sel
.ips_protocol
;
4489 ixa
->ixa_flags
&= ~IXAF_IPSEC_SECURE
;
4490 if (ixa
->ixa_ipsec_policy
!= NULL
) {
4491 IPPOL_REFRELE(ixa
->ixa_ipsec_policy
);
4492 ixa
->ixa_ipsec_policy
= NULL
;
4494 if (ixa
->ixa_ipsec_action
!= NULL
) {
4495 IPACT_REFRELE(ixa
->ixa_ipsec_action
);
4496 ixa
->ixa_ipsec_action
= NULL
;
4502 * Returns B_FALSE if the policy has gone stale.
4505 ipsec_outbound_policy_current(ip_xmit_attr_t
*ixa
)
4507 ipsec_stack_t
*ipss
= ixa
->ixa_ipst
->ips_netstack
->netstack_ipsec
;
4509 if (!(ixa
->ixa_flags
& IXAF_IPSEC_GLOBAL_POLICY
))
4512 return (ixa
->ixa_ipsec_policy_gen
== ipss
->ipsec_system_policy
.iph_gen
);
4516 iplatch_free(ipsec_latch_t
*ipl
)
4518 if (ipl
->ipl_local_cid
!= NULL
)
4519 IPSID_REFRELE(ipl
->ipl_local_cid
);
4520 if (ipl
->ipl_remote_cid
!= NULL
)
4521 IPSID_REFRELE(ipl
->ipl_remote_cid
);
4522 mutex_destroy(&ipl
->ipl_lock
);
4523 kmem_free(ipl
, sizeof (*ipl
));
4529 ipsec_latch_t
*ipl
= kmem_zalloc(sizeof (*ipl
), KM_NOSLEEP
);
4532 mutex_init(&ipl
->ipl_lock
, NULL
, MUTEX_DEFAULT
, NULL
);
4533 ipl
->ipl_refcnt
= 1;
4538 * Hash function for ID hash table.
4541 ipsid_hash(int idtype
, char *idstring
)
4543 uint32_t hval
= idtype
;
4546 while ((c
= *idstring
++) != 0) {
4547 hval
= (hval
<< 4) | (hval
>> 28);
4550 hval
= hval
^ (hval
>> 16);
4551 return (hval
& (IPSID_HASHSIZE
-1));
4555 * Look up identity string in hash table. Return identity object
4556 * corresponding to the name -- either preexisting, or newly allocated.
4558 * Return NULL if we need to allocate a new one and can't get memory.
4561 ipsid_lookup(int idtype
, char *idstring
, netstack_t
*ns
)
4565 int idlen
= strlen(idstring
) + 1;
4566 ipsec_stack_t
*ipss
= ns
->netstack_ipsec
;
4569 bucket
= &ipss
->ipsec_ipsid_buckets
[ipsid_hash(idtype
, idstring
)];
4571 mutex_enter(&bucket
->ipsif_lock
);
4573 for (retval
= bucket
->ipsif_head
; retval
!= NULL
;
4574 retval
= retval
->ipsid_next
) {
4575 if (idtype
!= retval
->ipsid_type
)
4577 if (bcmp(idstring
, retval
->ipsid_cid
, idlen
) != 0)
4580 IPSID_REFHOLD(retval
);
4581 mutex_exit(&bucket
->ipsif_lock
);
4585 retval
= kmem_alloc(sizeof (*retval
), KM_NOSLEEP
);
4587 mutex_exit(&bucket
->ipsif_lock
);
4591 nstr
= kmem_alloc(idlen
, KM_NOSLEEP
);
4593 mutex_exit(&bucket
->ipsif_lock
);
4594 kmem_free(retval
, sizeof (*retval
));
4598 retval
->ipsid_refcnt
= 1;
4599 retval
->ipsid_next
= bucket
->ipsif_head
;
4600 if (retval
->ipsid_next
!= NULL
)
4601 retval
->ipsid_next
->ipsid_ptpn
= &retval
->ipsid_next
;
4602 retval
->ipsid_ptpn
= &bucket
->ipsif_head
;
4603 retval
->ipsid_type
= idtype
;
4604 retval
->ipsid_cid
= nstr
;
4605 bucket
->ipsif_head
= retval
;
4606 bcopy(idstring
, nstr
, idlen
);
4607 mutex_exit(&bucket
->ipsif_lock
);
4613 * Garbage collect the identity hash table.
4616 ipsid_gc(netstack_t
*ns
)
4621 ipsec_stack_t
*ipss
= ns
->netstack_ipsec
;
4623 for (i
= 0; i
< IPSID_HASHSIZE
; i
++) {
4624 bucket
= &ipss
->ipsec_ipsid_buckets
[i
];
4625 mutex_enter(&bucket
->ipsif_lock
);
4626 for (id
= bucket
->ipsif_head
; id
!= NULL
; id
= nid
) {
4627 nid
= id
->ipsid_next
;
4628 if (id
->ipsid_refcnt
== 0) {
4629 *id
->ipsid_ptpn
= nid
;
4631 nid
->ipsid_ptpn
= id
->ipsid_ptpn
;
4632 len
= strlen(id
->ipsid_cid
) + 1;
4633 kmem_free(id
->ipsid_cid
, len
);
4634 kmem_free(id
, sizeof (*id
));
4637 mutex_exit(&bucket
->ipsif_lock
);
4642 * Return true if two identities are the same.
4645 ipsid_equal(ipsid_t
*id1
, ipsid_t
*id2
)
4650 if ((id1
== NULL
) || (id2
== NULL
))
4653 * test that we're interning id's correctly..
4655 ASSERT((strcmp(id1
->ipsid_cid
, id2
->ipsid_cid
) != 0) ||
4656 (id1
->ipsid_type
!= id2
->ipsid_type
));
4662 * Initialize identity table; called during module initialization.
4665 ipsid_init(netstack_t
*ns
)
4669 ipsec_stack_t
*ipss
= ns
->netstack_ipsec
;
4671 for (i
= 0; i
< IPSID_HASHSIZE
; i
++) {
4672 bucket
= &ipss
->ipsec_ipsid_buckets
[i
];
4673 mutex_init(&bucket
->ipsif_lock
, NULL
, MUTEX_DEFAULT
, NULL
);
4678 * Free identity table (preparatory to module unload)
4681 ipsid_fini(netstack_t
*ns
)
4685 ipsec_stack_t
*ipss
= ns
->netstack_ipsec
;
4687 for (i
= 0; i
< IPSID_HASHSIZE
; i
++) {
4688 bucket
= &ipss
->ipsec_ipsid_buckets
[i
];
4689 ASSERT(bucket
->ipsif_head
== NULL
);
4690 mutex_destroy(&bucket
->ipsif_lock
);
4695 * Update the minimum and maximum supported key sizes for the specified
4696 * algorithm, which is either a member of a netstack alg array or about to be,
4697 * and therefore must be called holding ipsec_alg_lock for write.
4700 ipsec_alg_fix_min_max(ipsec_alginfo_t
*alg
, ipsec_algtype_t alg_type
,
4703 size_t crypto_min
= (size_t)-1, crypto_max
= 0;
4704 size_t cur_crypto_min
, cur_crypto_max
;
4706 crypto_mechanism_info_t
*mech_infos
;
4709 crypto_mech_usage_t mask
;
4710 ipsec_stack_t
*ipss
= ns
->netstack_ipsec
;
4712 ASSERT(RW_WRITE_HELD(&ipss
->ipsec_alg_lock
));
4715 * Compute the min, max, and default key sizes (in number of
4716 * increments to the default key size in bits) as defined
4717 * by the algorithm mappings. This range of key sizes is used
4718 * for policy related operations. The effective key sizes
4719 * supported by the framework could be more limited than
4720 * those defined for an algorithm.
4722 alg
->alg_default_bits
= alg
->alg_key_sizes
[0];
4723 alg
->alg_default
= 0;
4724 if (alg
->alg_increment
!= 0) {
4725 /* key sizes are defined by range & increment */
4726 alg
->alg_minbits
= alg
->alg_key_sizes
[1];
4727 alg
->alg_maxbits
= alg
->alg_key_sizes
[2];
4728 } else if (alg
->alg_nkey_sizes
== 0) {
4729 /* no specified key size for algorithm */
4730 alg
->alg_minbits
= alg
->alg_maxbits
= 0;
4732 /* key sizes are defined by enumeration */
4733 alg
->alg_minbits
= (uint16_t)-1;
4734 alg
->alg_maxbits
= 0;
4736 for (i
= 0; i
< alg
->alg_nkey_sizes
; i
++) {
4737 if (alg
->alg_key_sizes
[i
] < alg
->alg_minbits
)
4738 alg
->alg_minbits
= alg
->alg_key_sizes
[i
];
4739 if (alg
->alg_key_sizes
[i
] > alg
->alg_maxbits
)
4740 alg
->alg_maxbits
= alg
->alg_key_sizes
[i
];
4744 if (!(alg
->alg_flags
& ALG_FLAG_VALID
))
4748 * Mechanisms do not apply to the NULL encryption
4749 * algorithm, so simply return for this case.
4751 if (alg
->alg_id
== SADB_EALG_NULL
)
4755 * Find the min and max key sizes supported by the cryptographic
4756 * framework providers.
4759 /* get the key sizes supported by the framework */
4760 crypto_rc
= crypto_get_all_mech_info(alg
->alg_mech_type
,
4761 &mech_infos
, &nmech_infos
, KM_SLEEP
);
4762 if (crypto_rc
!= CRYPTO_SUCCESS
|| nmech_infos
== 0) {
4763 alg
->alg_flags
&= ~ALG_FLAG_VALID
;
4767 /* min and max key sizes supported by framework */
4768 for (i
= 0, is_valid
= B_FALSE
; i
< nmech_infos
; i
++) {
4772 * Ignore entries that do not support the operations
4773 * needed for the algorithm type.
4775 if (alg_type
== IPSEC_ALG_AUTH
) {
4776 mask
= CRYPTO_MECH_USAGE_MAC
;
4778 mask
= CRYPTO_MECH_USAGE_ENCRYPT
|
4779 CRYPTO_MECH_USAGE_DECRYPT
;
4781 if ((mech_infos
[i
].mi_usage
& mask
) != mask
)
4784 unit_bits
= (mech_infos
[i
].mi_keysize_unit
==
4785 CRYPTO_KEYSIZE_UNIT_IN_BYTES
) ? 8 : 1;
4786 /* adjust min/max supported by framework */
4787 cur_crypto_min
= mech_infos
[i
].mi_min_key_size
* unit_bits
;
4788 cur_crypto_max
= mech_infos
[i
].mi_max_key_size
* unit_bits
;
4790 if (cur_crypto_min
< crypto_min
)
4791 crypto_min
= cur_crypto_min
;
4794 * CRYPTO_EFFECTIVELY_INFINITE is a special value of
4795 * the crypto framework which means "no upper limit".
4797 if (mech_infos
[i
].mi_max_key_size
==
4798 CRYPTO_EFFECTIVELY_INFINITE
) {
4799 crypto_max
= (size_t)-1;
4800 } else if (cur_crypto_max
> crypto_max
) {
4801 crypto_max
= cur_crypto_max
;
4807 kmem_free(mech_infos
, sizeof (crypto_mechanism_info_t
) *
4811 /* no key sizes supported by framework */
4812 alg
->alg_flags
&= ~ALG_FLAG_VALID
;
4817 * Determine min and max key sizes from alg_key_sizes[].
4818 * defined for the algorithm entry. Adjust key sizes based on
4819 * those supported by the framework.
4821 alg
->alg_ef_default_bits
= alg
->alg_key_sizes
[0];
4824 * For backwards compatability, assume that the IV length
4825 * is the same as the data length.
4827 alg
->alg_ivlen
= alg
->alg_datalen
;
4830 * Copy any algorithm parameters (if provided) into dedicated
4831 * elements in the ipsec_alginfo_t structure.
4832 * There may be a better place to put this code.
4834 for (i
= 0; i
< alg
->alg_nparams
; i
++) {
4837 /* Initialisation Vector length (bytes) */
4838 alg
->alg_ivlen
= alg
->alg_params
[0];
4841 /* Integrity Check Vector length (bytes) */
4842 alg
->alg_icvlen
= alg
->alg_params
[1];
4845 /* Salt length (bytes) */
4846 alg
->alg_saltlen
= (uint8_t)alg
->alg_params
[2];
4853 /* Default if the IV length is not specified. */
4854 if (alg_type
== IPSEC_ALG_ENCR
&& alg
->alg_ivlen
== 0)
4855 alg
->alg_ivlen
= alg
->alg_datalen
;
4857 alg_flag_check(alg
);
4859 if (alg
->alg_increment
!= 0) {
4860 /* supported key sizes are defined by range & increment */
4861 crypto_min
= ALGBITS_ROUND_UP(crypto_min
, alg
->alg_increment
);
4862 crypto_max
= ALGBITS_ROUND_DOWN(crypto_max
, alg
->alg_increment
);
4864 alg
->alg_ef_minbits
= MAX(alg
->alg_minbits
,
4865 (uint16_t)crypto_min
);
4866 alg
->alg_ef_maxbits
= MIN(alg
->alg_maxbits
,
4867 (uint16_t)crypto_max
);
4870 * If the sizes supported by the framework are outside
4871 * the range of sizes defined by the algorithm mappings,
4872 * the algorithm cannot be used. Check for this
4875 if (alg
->alg_ef_minbits
> alg
->alg_ef_maxbits
) {
4876 alg
->alg_flags
&= ~ALG_FLAG_VALID
;
4879 if (alg
->alg_ef_default_bits
< alg
->alg_ef_minbits
)
4880 alg
->alg_ef_default_bits
= alg
->alg_ef_minbits
;
4881 if (alg
->alg_ef_default_bits
> alg
->alg_ef_maxbits
)
4882 alg
->alg_ef_default_bits
= alg
->alg_ef_maxbits
;
4883 } else if (alg
->alg_nkey_sizes
== 0) {
4884 /* no specified key size for algorithm */
4885 alg
->alg_ef_minbits
= alg
->alg_ef_maxbits
= 0;
4887 /* supported key sizes are defined by enumeration */
4888 alg
->alg_ef_minbits
= (uint16_t)-1;
4889 alg
->alg_ef_maxbits
= 0;
4891 for (i
= 0, is_valid
= B_FALSE
; i
< alg
->alg_nkey_sizes
; i
++) {
4893 * Ignore the current key size if it is not in the
4894 * range of sizes supported by the framework.
4896 if (alg
->alg_key_sizes
[i
] < crypto_min
||
4897 alg
->alg_key_sizes
[i
] > crypto_max
)
4899 if (alg
->alg_key_sizes
[i
] < alg
->alg_ef_minbits
)
4900 alg
->alg_ef_minbits
= alg
->alg_key_sizes
[i
];
4901 if (alg
->alg_key_sizes
[i
] > alg
->alg_ef_maxbits
)
4902 alg
->alg_ef_maxbits
= alg
->alg_key_sizes
[i
];
4907 alg
->alg_flags
&= ~ALG_FLAG_VALID
;
4910 alg
->alg_ef_default
= 0;
4915 * Sanity check parameters provided by ipsecalgs(1m). Assume that
4916 * the algoritm is marked as valid, there is a check at the top
4917 * of this function. If any of the checks below fail, the algorithm
4921 alg_flag_check(ipsec_alginfo_t
*alg
)
4923 alg
->alg_flags
&= ~ALG_FLAG_VALID
;
4926 * Can't have the algorithm marked as CCM and GCM.
4927 * Check the ALG_FLAG_COMBINED and ALG_FLAG_COUNTERMODE
4928 * flags are set for CCM & GCM.
4930 if ((alg
->alg_flags
& (ALG_FLAG_CCM
|ALG_FLAG_GCM
)) ==
4931 (ALG_FLAG_CCM
|ALG_FLAG_GCM
))
4933 if (alg
->alg_flags
& (ALG_FLAG_CCM
|ALG_FLAG_GCM
)) {
4934 if (!(alg
->alg_flags
& ALG_FLAG_COUNTERMODE
))
4936 if (!(alg
->alg_flags
& ALG_FLAG_COMBINED
))
4941 * For ALG_FLAG_COUNTERMODE, check the parameters
4942 * fit in the ipsec_nonce_t structure.
4944 if (alg
->alg_flags
& ALG_FLAG_COUNTERMODE
) {
4945 if (alg
->alg_ivlen
!= sizeof (((ipsec_nonce_t
*)NULL
)->iv
))
4947 if (alg
->alg_saltlen
> sizeof (((ipsec_nonce_t
*)NULL
)->salt
))
4950 if ((alg
->alg_flags
& ALG_FLAG_COMBINED
) &&
4951 (alg
->alg_icvlen
== 0))
4955 alg
->alg_flags
|= ALG_FLAG_VALID
;
4959 * Free the memory used by the specified algorithm.
4962 ipsec_alg_free(ipsec_alginfo_t
*alg
)
4967 if (alg
->alg_key_sizes
!= NULL
) {
4968 kmem_free(alg
->alg_key_sizes
,
4969 (alg
->alg_nkey_sizes
+ 1) * sizeof (uint16_t));
4970 alg
->alg_key_sizes
= NULL
;
4972 if (alg
->alg_block_sizes
!= NULL
) {
4973 kmem_free(alg
->alg_block_sizes
,
4974 (alg
->alg_nblock_sizes
+ 1) * sizeof (uint16_t));
4975 alg
->alg_block_sizes
= NULL
;
4977 if (alg
->alg_params
!= NULL
) {
4978 kmem_free(alg
->alg_params
,
4979 (alg
->alg_nparams
+ 1) * sizeof (uint16_t));
4980 alg
->alg_params
= NULL
;
4982 kmem_free(alg
, sizeof (*alg
));
4986 * Check the validity of the specified key size for an algorithm.
4987 * Returns B_TRUE if key size is valid, B_FALSE otherwise.
4990 ipsec_valid_key_size(uint16_t key_size
, ipsec_alginfo_t
*alg
)
4992 if (key_size
< alg
->alg_ef_minbits
|| key_size
> alg
->alg_ef_maxbits
)
4995 if (alg
->alg_increment
== 0 && alg
->alg_nkey_sizes
!= 0) {
4997 * If the key sizes are defined by enumeration, the new
4998 * key size must be equal to one of the supported values.
5002 for (i
= 0; i
< alg
->alg_nkey_sizes
; i
++)
5003 if (key_size
== alg
->alg_key_sizes
[i
])
5005 if (i
== alg
->alg_nkey_sizes
)
5013 * Callback function invoked by the crypto framework when a provider
5014 * registers or unregisters. This callback updates the algorithms
5015 * tables when a crypto algorithm is no longer available or becomes
5016 * available, and triggers the freeing/creation of context templates
5017 * associated with existing SAs, if needed.
5019 * Need to walk all stack instances since the callback is global
5023 ipsec_prov_update_callback(uint32_t event
, void *event_arg
)
5025 netstack_handle_t nh
;
5028 netstack_next_init(&nh
);
5029 while ((ns
= netstack_next(&nh
)) != NULL
) {
5030 ipsec_prov_update_callback_stack(event
, event_arg
, ns
);
5033 netstack_next_fini(&nh
);
5037 ipsec_prov_update_callback_stack(uint32_t event
, void *event_arg
,
5040 crypto_notify_event_change_t
*prov_change
=
5041 (crypto_notify_event_change_t
*)event_arg
;
5042 uint_t algidx
, algid
, algtype
, mech_count
, mech_idx
;
5043 ipsec_alginfo_t
*alg
;
5044 ipsec_alginfo_t oalg
;
5045 crypto_mech_name_t
*mechs
;
5046 boolean_t alg_changed
= B_FALSE
;
5047 ipsec_stack_t
*ipss
= ns
->netstack_ipsec
;
5049 /* ignore events for which we didn't register */
5050 if (event
!= CRYPTO_EVENT_MECHS_CHANGED
) {
5051 ip1dbg(("ipsec_prov_update_callback: unexpected event 0x%x "
5052 " received from crypto framework\n", event
));
5056 mechs
= crypto_get_mech_list(&mech_count
, KM_SLEEP
);
5061 * Walk the list of currently defined IPsec algorithm. Update
5062 * the algorithm valid flag and trigger an update of the
5063 * SAs that depend on that algorithm.
5065 rw_enter(&ipss
->ipsec_alg_lock
, RW_WRITER
);
5066 for (algtype
= 0; algtype
< IPSEC_NALGTYPES
; algtype
++) {
5067 for (algidx
= 0; algidx
< ipss
->ipsec_nalgs
[algtype
];
5070 algid
= ipss
->ipsec_sortlist
[algtype
][algidx
];
5071 alg
= ipss
->ipsec_alglists
[algtype
][algid
];
5072 ASSERT(alg
!= NULL
);
5075 * Skip the algorithms which do not map to the
5076 * crypto framework provider being added or removed.
5078 if (strncmp(alg
->alg_mech_name
,
5079 prov_change
->ec_mech_name
,
5080 CRYPTO_MAX_MECH_NAME
) != 0)
5084 * Determine if the mechanism is valid. If it
5085 * is not, mark the algorithm as being invalid. If
5086 * it is, mark the algorithm as being valid.
5088 for (mech_idx
= 0; mech_idx
< mech_count
; mech_idx
++)
5089 if (strncmp(alg
->alg_mech_name
,
5090 mechs
[mech_idx
], CRYPTO_MAX_MECH_NAME
) == 0)
5092 if (mech_idx
== mech_count
&&
5093 alg
->alg_flags
& ALG_FLAG_VALID
) {
5094 alg
->alg_flags
&= ~ALG_FLAG_VALID
;
5095 alg_changed
= B_TRUE
;
5096 } else if (mech_idx
< mech_count
&&
5097 !(alg
->alg_flags
& ALG_FLAG_VALID
)) {
5098 alg
->alg_flags
|= ALG_FLAG_VALID
;
5099 alg_changed
= B_TRUE
;
5103 * Update the supported key sizes, regardless
5104 * of whether a crypto provider was added or
5108 ipsec_alg_fix_min_max(alg
, algtype
, ns
);
5110 alg
->alg_ef_minbits
!= oalg
.alg_ef_minbits
||
5111 alg
->alg_ef_maxbits
!= oalg
.alg_ef_maxbits
||
5112 alg
->alg_ef_default
!= oalg
.alg_ef_default
||
5113 alg
->alg_ef_default_bits
!=
5114 oalg
.alg_ef_default_bits
)
5115 alg_changed
= B_TRUE
;
5118 * Update the affected SAs if a software provider is
5119 * being added or removed.
5121 if (prov_change
->ec_provider_type
==
5123 sadb_alg_update(algtype
, alg
->alg_id
,
5124 prov_change
->ec_change
==
5125 CRYPTO_MECH_ADDED
, ns
);
5128 rw_exit(&ipss
->ipsec_alg_lock
);
5129 crypto_free_mech_list(mechs
, mech_count
);
5133 * An algorithm has changed, i.e. it became valid or
5134 * invalid, or its support key sizes have changed.
5135 * Notify ipsecah and ipsecesp of this change so
5136 * that they can send a SADB_REGISTER to their consumers.
5138 ipsecah_algs_changed(ns
);
5139 ipsecesp_algs_changed(ns
);
5144 * Registers with the crypto framework to be notified of crypto
5145 * providers changes. Used to update the algorithm tables and
5146 * to free or create context templates if needed. Invoked after IPsec
5147 * is loaded successfully.
5149 * This is called separately for each IP instance, so we ensure we only
5153 ipsec_register_prov_update(void)
5155 if (prov_update_handle
!= NULL
)
5158 prov_update_handle
= crypto_notify_events(
5159 ipsec_prov_update_callback
, CRYPTO_EVENT_MECHS_CHANGED
);
5163 * Unregisters from the framework to be notified of crypto providers
5164 * changes. Called from ipsec_policy_g_destroy().
5167 ipsec_unregister_prov_update(void)
5169 if (prov_update_handle
!= NULL
)
5170 crypto_unnotify_events(prov_update_handle
);
5174 * Tunnel-mode support routines.
5178 * Returns an mblk chain suitable for putnext() if policies match and IPsec
5179 * SAs are available. If there's no per-tunnel policy, or a match comes back
5180 * with no match, then still return the packet and have global policy take
5181 * a crack at it in IP.
5182 * This updates the ip_xmit_attr with the IPsec policy.
5184 * Remember -> we can be forwarding packets. Keep that in mind w.r.t.
5185 * inner-packet contents.
5188 ipsec_tun_outbound(mblk_t
*mp
, iptun_t
*iptun
, ipha_t
*inner_ipv4
,
5189 ip6_t
*inner_ipv6
, ipha_t
*outer_ipv4
, ip6_t
*outer_ipv6
, int outer_hdr_len
,
5190 ip_xmit_attr_t
*ixa
)
5192 ipsec_policy_head_t
*polhead
;
5193 ipsec_selector_t sel
;
5195 boolean_t is_fragment
;
5196 ipsec_policy_t
*pol
;
5197 ipsec_tun_pol_t
*itp
= iptun
->iptun_itp
;
5198 netstack_t
*ns
= iptun
->iptun_ns
;
5199 ipsec_stack_t
*ipss
= ns
->netstack_ipsec
;
5201 ASSERT(outer_ipv6
!= NULL
&& outer_ipv4
== NULL
||
5202 outer_ipv4
!= NULL
&& outer_ipv6
== NULL
);
5203 /* We take care of inners in a bit. */
5205 /* Are the IPsec fields initialized at all? */
5206 if (!(ixa
->ixa_flags
& IXAF_IPSEC_SECURE
)) {
5207 ASSERT(ixa
->ixa_ipsec_policy
== NULL
);
5208 ASSERT(ixa
->ixa_ipsec_latch
== NULL
);
5209 ASSERT(ixa
->ixa_ipsec_action
== NULL
);
5210 ASSERT(ixa
->ixa_ipsec_ah_sa
== NULL
);
5211 ASSERT(ixa
->ixa_ipsec_esp_sa
== NULL
);
5214 ASSERT(itp
!= NULL
&& (itp
->itp_flags
& ITPF_P_ACTIVE
));
5215 polhead
= itp
->itp_policy
;
5217 bzero(&sel
, sizeof (sel
));
5218 if (inner_ipv4
!= NULL
) {
5219 ASSERT(inner_ipv6
== NULL
);
5220 sel
.ips_isv4
= B_TRUE
;
5221 sel
.ips_local_addr_v4
= inner_ipv4
->ipha_src
;
5222 sel
.ips_remote_addr_v4
= inner_ipv4
->ipha_dst
;
5223 sel
.ips_protocol
= (uint8_t)inner_ipv4
->ipha_protocol
;
5225 ASSERT(inner_ipv6
!= NULL
);
5226 sel
.ips_isv4
= B_FALSE
;
5227 sel
.ips_local_addr_v6
= inner_ipv6
->ip6_src
;
5229 * We don't care about routing-header dests in the
5230 * forwarding/tunnel path, so just grab ip6_dst.
5232 sel
.ips_remote_addr_v6
= inner_ipv6
->ip6_dst
;
5235 if (itp
->itp_flags
& ITPF_P_PER_PORT_SECURITY
) {
5237 * Caller can prepend the outer header, which means
5238 * inner_ipv[46] may be stuck in the middle. Pullup the whole
5239 * mess now if need-be, for easier processing later. Don't
5240 * forget to rewire the outer header too.
5242 if (mp
->b_cont
!= NULL
) {
5243 nmp
= msgpullup(mp
, -1);
5245 ip_drop_packet(mp
, B_FALSE
, NULL
,
5246 DROPPER(ipss
, ipds_spd_nomem
),
5247 &ipss
->ipsec_spd_dropper
);
5252 if (outer_ipv4
!= NULL
)
5253 outer_ipv4
= (ipha_t
*)mp
->b_rptr
;
5255 outer_ipv6
= (ip6_t
*)mp
->b_rptr
;
5256 if (inner_ipv4
!= NULL
) {
5258 (ipha_t
*)(mp
->b_rptr
+ outer_hdr_len
);
5261 (ip6_t
*)(mp
->b_rptr
+ outer_hdr_len
);
5264 if (inner_ipv4
!= NULL
) {
5265 is_fragment
= IS_V4_FRAGMENT(
5266 inner_ipv4
->ipha_fragment_offset_and_flags
);
5268 sel
.ips_remote_addr_v6
= ip_get_dst_v6(inner_ipv6
, mp
,
5277 uint16_t ip6_hdr_length
;
5279 uint8_t *v6_proto_p
;
5282 * We have a fragment we need to track!
5284 mp
= ipsec_fragcache_add(&itp
->itp_fragcache
, NULL
, mp
,
5285 outer_hdr_len
, ipss
);
5288 ASSERT(mp
->b_cont
== NULL
);
5291 * If we get here, we have a full fragment chain
5294 oiph
= (ipha_t
*)mp
->b_rptr
;
5295 if (IPH_HDR_VERSION(oiph
) == IPV4_VERSION
) {
5296 hdr_len
= ((outer_hdr_len
!= 0) ?
5297 IPH_HDR_LENGTH(oiph
) : 0);
5298 iph
= (ipha_t
*)(mp
->b_rptr
+ hdr_len
);
5300 ASSERT(IPH_HDR_VERSION(oiph
) == IPV6_VERSION
);
5301 ip6h
= (ip6_t
*)mp
->b_rptr
;
5302 if (!ip_hdr_length_nexthdr_v6(mp
, ip6h
,
5303 &ip6_hdr_length
, &v6_proto_p
)) {
5304 ip_drop_packet_chain(mp
, B_FALSE
, NULL
,
5306 ipds_spd_malformed_packet
),
5307 &ipss
->ipsec_spd_dropper
);
5310 hdr_len
= ip6_hdr_length
;
5312 outer_hdr_len
= hdr_len
;
5317 iph
= (ipha_t
*)(mp
->b_rptr
+ hdr_len
);
5320 sel
.ips_local_addr_v4
= inner_ipv4
->ipha_src
;
5321 sel
.ips_remote_addr_v4
= inner_ipv4
->ipha_dst
;
5323 (uint8_t)inner_ipv4
->ipha_protocol
;
5325 inner_ipv6
= (ip6_t
*)(mp
->b_rptr
+
5327 sel
.ips_local_addr_v6
= inner_ipv6
->ip6_src
;
5328 sel
.ips_remote_addr_v6
= inner_ipv6
->ip6_dst
;
5329 if (!ip_hdr_length_nexthdr_v6(mp
,
5330 inner_ipv6
, &ip6_hdr_length
, &v6_proto_p
)) {
5331 ip_drop_packet_chain(mp
, B_FALSE
, NULL
,
5333 ipds_spd_malformed_frag
),
5334 &ipss
->ipsec_spd_dropper
);
5337 v6_proto
= *v6_proto_p
;
5338 sel
.ips_protocol
= v6_proto
;
5339 #ifdef FRAGCACHE_DEBUG
5340 cmn_err(CE_WARN
, "v6_sel.ips_protocol = %d\n",
5344 /* Ports are extracted below */
5348 if (!ipsec_init_outbound_ports(&sel
, mp
,
5349 inner_ipv4
, inner_ipv6
, outer_hdr_len
, ipss
)) {
5350 /* callee did ip_drop_packet_chain() on mp. */
5353 #ifdef FRAGCACHE_DEBUG
5354 if (inner_ipv4
!= NULL
)
5356 "(v4) sel.ips_protocol = %d, "
5357 "sel.ips_local_port = %d, "
5358 "sel.ips_remote_port = %d\n",
5359 sel
.ips_protocol
, ntohs(sel
.ips_local_port
),
5360 ntohs(sel
.ips_remote_port
));
5361 if (inner_ipv6
!= NULL
)
5363 "(v6) sel.ips_protocol = %d, "
5364 "sel.ips_local_port = %d, "
5365 "sel.ips_remote_port = %d\n",
5366 sel
.ips_protocol
, ntohs(sel
.ips_local_port
),
5367 ntohs(sel
.ips_remote_port
));
5369 /* Success so far! */
5371 rw_enter(&polhead
->iph_lock
, RW_READER
);
5372 pol
= ipsec_find_policy_head(NULL
, polhead
, IPSEC_TYPE_OUTBOUND
, &sel
);
5373 rw_exit(&polhead
->iph_lock
);
5376 * No matching policy on this tunnel, drop the packet.
5378 * NOTE: Tunnel-mode tunnels are different from the
5379 * IP global transport mode policy head. For a tunnel-mode
5380 * tunnel, we drop the packet in lieu of passing it
5381 * along accepted the way a global-policy miss would.
5383 * NOTE2: "negotiate transport" tunnels should match ALL
5384 * inbound packets, but we do not uncomment the ASSERT()
5385 * below because if/when we open PF_POLICY, a user can
5386 * shoot themself in the foot with a 0 priority.
5389 /* ASSERT(itp->itp_flags & ITPF_P_TUNNEL); */
5390 #ifdef FRAGCACHE_DEBUG
5391 cmn_err(CE_WARN
, "ipsec_tun_outbound(): No matching tunnel "
5392 "per-port policy\n");
5394 ip_drop_packet_chain(mp
, B_FALSE
, NULL
,
5395 DROPPER(ipss
, ipds_spd_explicit
),
5396 &ipss
->ipsec_spd_dropper
);
5400 #ifdef FRAGCACHE_DEBUG
5401 cmn_err(CE_WARN
, "Having matching tunnel per-port policy\n");
5405 * NOTE: ixa_cleanup() function will release pol references.
5407 ixa
->ixa_ipsec_policy
= pol
;
5409 * NOTE: There is a subtle difference between iptun_zoneid and
5410 * iptun_connp->conn_zoneid explained in iptun_conn_create(). When
5411 * interacting with the ip module, we must use conn_zoneid.
5413 ixa
->ixa_zoneid
= iptun
->iptun_connp
->conn_zoneid
;
5415 ASSERT((outer_ipv4
!= NULL
) ? (ixa
->ixa_flags
& IXAF_IS_IPV4
) :
5416 !(ixa
->ixa_flags
& IXAF_IS_IPV4
));
5417 ASSERT(ixa
->ixa_ipsec_policy
!= NULL
);
5418 ixa
->ixa_flags
|= IXAF_IPSEC_SECURE
;
5420 if (!(itp
->itp_flags
& ITPF_P_TUNNEL
)) {
5421 /* Set up transport mode for tunnelled packets. */
5422 ixa
->ixa_ipsec_proto
= (inner_ipv4
!= NULL
) ? IPPROTO_ENCAP
:
5427 /* Fill in tunnel-mode goodies here. */
5428 ixa
->ixa_flags
|= IXAF_IPSEC_TUNNEL
;
5429 /* XXX Do I need to fill in all of the goodies here? */
5431 ixa
->ixa_ipsec_inaf
= AF_INET
;
5432 ixa
->ixa_ipsec_insrc
[0] =
5433 pol
->ipsp_sel
->ipsl_key
.ipsl_local
.ipsad_v4
;
5434 ixa
->ixa_ipsec_indst
[0] =
5435 pol
->ipsp_sel
->ipsl_key
.ipsl_remote
.ipsad_v4
;
5437 ixa
->ixa_ipsec_inaf
= AF_INET6
;
5438 ixa
->ixa_ipsec_insrc
[0] =
5439 pol
->ipsp_sel
->ipsl_key
.ipsl_local
.ipsad_v6
.s6_addr32
[0];
5440 ixa
->ixa_ipsec_insrc
[1] =
5441 pol
->ipsp_sel
->ipsl_key
.ipsl_local
.ipsad_v6
.s6_addr32
[1];
5442 ixa
->ixa_ipsec_insrc
[2] =
5443 pol
->ipsp_sel
->ipsl_key
.ipsl_local
.ipsad_v6
.s6_addr32
[2];
5444 ixa
->ixa_ipsec_insrc
[3] =
5445 pol
->ipsp_sel
->ipsl_key
.ipsl_local
.ipsad_v6
.s6_addr32
[3];
5446 ixa
->ixa_ipsec_indst
[0] =
5447 pol
->ipsp_sel
->ipsl_key
.ipsl_remote
.ipsad_v6
.s6_addr32
[0];
5448 ixa
->ixa_ipsec_indst
[1] =
5449 pol
->ipsp_sel
->ipsl_key
.ipsl_remote
.ipsad_v6
.s6_addr32
[1];
5450 ixa
->ixa_ipsec_indst
[2] =
5451 pol
->ipsp_sel
->ipsl_key
.ipsl_remote
.ipsad_v6
.s6_addr32
[2];
5452 ixa
->ixa_ipsec_indst
[3] =
5453 pol
->ipsp_sel
->ipsl_key
.ipsl_remote
.ipsad_v6
.s6_addr32
[3];
5455 ixa
->ixa_ipsec_insrcpfx
= pol
->ipsp_sel
->ipsl_key
.ipsl_local_pfxlen
;
5456 ixa
->ixa_ipsec_indstpfx
= pol
->ipsp_sel
->ipsl_key
.ipsl_remote_pfxlen
;
5457 /* NOTE: These are used for transport mode too. */
5458 ixa
->ixa_ipsec_src_port
= pol
->ipsp_sel
->ipsl_key
.ipsl_lport
;
5459 ixa
->ixa_ipsec_dst_port
= pol
->ipsp_sel
->ipsl_key
.ipsl_rport
;
5460 ixa
->ixa_ipsec_proto
= pol
->ipsp_sel
->ipsl_key
.ipsl_proto
;
5466 * NOTE: The following releases pol's reference and
5467 * calls ip_drop_packet() for me on NULL returns.
5470 ipsec_check_ipsecin_policy_reasm(mblk_t
*attr_mp
, ipsec_policy_t
*pol
,
5471 ipha_t
*inner_ipv4
, ip6_t
*inner_ipv6
, uint64_t pkt_unique
, netstack_t
*ns
)
5473 /* Assume attr_mp is a chain of b_next-linked ip_recv_attr mblk. */
5474 mblk_t
*data_chain
= NULL
, *data_tail
= NULL
;
5477 ip_recv_attr_t iras
;
5479 while (attr_mp
!= NULL
) {
5480 ASSERT(ip_recv_attr_is_mblk(attr_mp
));
5481 next
= attr_mp
->b_next
;
5482 attr_mp
->b_next
= NULL
; /* No tripping asserts. */
5484 data_mp
= attr_mp
->b_cont
;
5485 attr_mp
->b_cont
= NULL
;
5486 if (!ip_recv_attr_from_mblk(attr_mp
, &iras
)) {
5487 /* The ill or ip_stack_t disappeared on us */
5488 freemsg(data_mp
); /* ip_drop_packet?? */
5489 ira_cleanup(&iras
, B_TRUE
);
5494 * Need IPPOL_REFHOLD(pol) for extras because
5495 * ipsecin_policy does the refrele.
5499 data_mp
= ipsec_check_ipsecin_policy(data_mp
, pol
, inner_ipv4
,
5500 inner_ipv6
, pkt_unique
, &iras
, ns
);
5501 ira_cleanup(&iras
, B_TRUE
);
5503 if (data_mp
== NULL
)
5506 if (data_tail
== NULL
) {
5508 data_chain
= data_tail
= data_mp
;
5510 data_tail
->b_next
= data_mp
;
5511 data_tail
= data_mp
;
5516 * One last release because either the loop bumped it up, or we never
5517 * called ipsec_check_ipsecin_policy().
5521 /* data_chain is ready for return to tun module. */
5522 return (data_chain
);
5526 * Need to get rid of any extra pol
5527 * references, and any remaining bits as well.
5530 ipsec_freemsg_chain(data_chain
);
5531 ipsec_freemsg_chain(next
); /* ipdrop stats? */
5536 * Return a message if the inbound packet passed an IPsec policy check. Returns
5537 * NULL if it failed or if it is a fragment needing its friends before a
5538 * policy check can be performed.
5540 * Expects a non-NULL data_mp, and a non-NULL polhead.
5541 * The returned mblk may be a b_next chain of packets if fragments
5542 * neeeded to be collected for a proper policy check.
5544 * This function calls ip_drop_packet() on data_mp if need be.
5546 * NOTE: outer_hdr_len is signed. If it's a negative value, the caller
5547 * is inspecting an ICMP packet.
5550 ipsec_tun_inbound(ip_recv_attr_t
*ira
, mblk_t
*data_mp
, ipsec_tun_pol_t
*itp
,
5551 ipha_t
*inner_ipv4
, ip6_t
*inner_ipv6
, ipha_t
*outer_ipv4
,
5552 ip6_t
*outer_ipv6
, int outer_hdr_len
, netstack_t
*ns
)
5554 ipsec_policy_head_t
*polhead
;
5555 ipsec_selector_t sel
;
5556 ipsec_policy_t
*pol
;
5559 boolean_t port_policy_present
, is_icmp
, global_present
;
5562 uint8_t flags
, *inner_hdr
;
5563 ipsec_stack_t
*ipss
= ns
->netstack_ipsec
;
5565 sel
.ips_is_icmp_inv_acq
= 0;
5567 if (outer_ipv4
!= NULL
) {
5568 ASSERT(outer_ipv6
== NULL
);
5569 global_present
= ipss
->ipsec_inbound_v4_policy_present
;
5571 ASSERT(outer_ipv6
!= NULL
);
5572 global_present
= ipss
->ipsec_inbound_v6_policy_present
;
5575 ASSERT(inner_ipv4
!= NULL
&& inner_ipv6
== NULL
||
5576 inner_ipv4
== NULL
&& inner_ipv6
!= NULL
);
5578 if (outer_hdr_len
< 0) {
5579 outer_hdr_len
= (-outer_hdr_len
);
5585 if (itp
!= NULL
&& (itp
->itp_flags
& ITPF_P_ACTIVE
)) {
5586 mblk_t
*mp
= data_mp
;
5588 polhead
= itp
->itp_policy
;
5590 * We need to perform full Tunnel-Mode enforcement,
5591 * and we need to have inner-header data for such enforcement.
5593 * See ipsec_init_inbound_sel() for the 0x80000000 on inbound
5597 port_policy_present
= ((itp
->itp_flags
&
5598 ITPF_P_PER_PORT_SECURITY
) ? B_TRUE
: B_FALSE
);
5600 * NOTE: Even if our policy is transport mode, set the
5601 * SEL_TUNNEL_MODE flag so ipsec_init_inbound_sel() can
5602 * do the right thing w.r.t. outer headers.
5604 flags
= ((port_policy_present
? SEL_PORT_POLICY
: SEL_NONE
) |
5605 (is_icmp
? SEL_IS_ICMP
: SEL_NONE
) | SEL_TUNNEL_MODE
);
5607 rc
= ipsec_init_inbound_sel(&sel
, data_mp
, inner_ipv4
,
5612 ip_drop_packet(data_mp
, B_TRUE
, NULL
,
5613 DROPPER(ipss
, ipds_spd_nomem
),
5614 &ipss
->ipsec_spd_dropper
);
5616 case SELRET_TUNFRAG
:
5618 * At this point, if we're cleartext, we don't want
5621 if (!(ira
->ira_flags
& IRAF_IPSEC_SECURE
)) {
5622 ip_drop_packet(data_mp
, B_TRUE
, NULL
,
5623 DROPPER(ipss
, ipds_spd_got_clear
),
5624 &ipss
->ipsec_spd_dropper
);
5629 * Inner and outer headers may not be contiguous.
5630 * Pullup the data_mp now to satisfy assumptions of
5631 * ipsec_fragcache_add()
5633 if (data_mp
->b_cont
!= NULL
) {
5636 nmp
= msgpullup(data_mp
, -1);
5638 ip_drop_packet(data_mp
, B_TRUE
, NULL
,
5639 DROPPER(ipss
, ipds_spd_nomem
),
5640 &ipss
->ipsec_spd_dropper
);
5645 if (outer_ipv4
!= NULL
)
5647 (ipha_t
*)data_mp
->b_rptr
;
5650 (ip6_t
*)data_mp
->b_rptr
;
5651 if (inner_ipv4
!= NULL
) {
5653 (ipha_t
*)(data_mp
->b_rptr
+
5657 (ip6_t
*)(data_mp
->b_rptr
+
5663 * If we need to queue the packet. First we
5664 * get an mblk with the attributes. ipsec_fragcache_add
5665 * will prepend that to the queued data and return
5666 * a list of b_next messages each of which starts with
5667 * the attribute mblk.
5669 mp
= ip_recv_attr_to_mblk(ira
);
5671 ip_drop_packet(data_mp
, B_TRUE
, NULL
,
5672 DROPPER(ipss
, ipds_spd_nomem
),
5673 &ipss
->ipsec_spd_dropper
);
5677 mp
= ipsec_fragcache_add(&itp
->itp_fragcache
,
5678 mp
, data_mp
, outer_hdr_len
, ipss
);
5682 * Data is cached, fragment chain is not
5689 * If we get here, we have a full fragment chain.
5690 * Reacquire headers and selectors from first fragment.
5692 ASSERT(ip_recv_attr_is_mblk(mp
));
5693 data_mp
= mp
->b_cont
;
5694 inner_hdr
= data_mp
->b_rptr
;
5695 if (outer_ipv4
!= NULL
) {
5696 inner_hdr
+= IPH_HDR_LENGTH(
5697 (ipha_t
*)data_mp
->b_rptr
);
5699 inner_hdr
+= ip_hdr_length_v6(data_mp
,
5700 (ip6_t
*)data_mp
->b_rptr
);
5702 ASSERT(inner_hdr
<= data_mp
->b_wptr
);
5704 if (inner_ipv4
!= NULL
) {
5705 inner_ipv4
= (ipha_t
*)inner_hdr
;
5708 inner_ipv6
= (ip6_t
*)inner_hdr
;
5713 * Use SEL_TUNNEL_MODE to take into account the outer
5714 * header. Use SEL_POST_FRAG so we always get ports.
5716 rc
= ipsec_init_inbound_sel(&sel
, data_mp
,
5717 inner_ipv4
, inner_ipv6
,
5718 SEL_TUNNEL_MODE
| SEL_POST_FRAG
);
5720 case SELRET_SUCCESS
:
5722 * Get to same place as first caller's
5723 * SELRET_SUCCESS case.
5727 ip_drop_packet_chain(mp
, B_TRUE
, NULL
,
5728 DROPPER(ipss
, ipds_spd_nomem
),
5729 &ipss
->ipsec_spd_dropper
);
5732 ip_drop_packet_chain(mp
, B_TRUE
, NULL
,
5733 DROPPER(ipss
, ipds_spd_malformed_frag
),
5734 &ipss
->ipsec_spd_dropper
);
5736 case SELRET_TUNFRAG
:
5737 cmn_err(CE_WARN
, "(TUNFRAG on 2nd call...)");
5740 cmn_err(CE_WARN
, "ipsec_init_inbound_sel(mark2)"
5741 " returns bizarro 0x%x", rc
);
5742 /* Guaranteed panic! */
5743 ASSERT(rc
== SELRET_NOMEM
);
5747 case SELRET_SUCCESS
:
5750 * No per-port policy or a non-fragment. Keep going.
5755 * We may receive ICMP (with IPv6 inner) packets that
5756 * trigger this return value. Send 'em in for
5757 * enforcement checking.
5759 cmn_err(CE_NOTE
, "ipsec_tun_inbound(): "
5760 "sending 'bad packet' in for enforcement");
5764 "ipsec_init_inbound_sel() returns bizarro 0x%x",
5766 ASSERT(rc
== SELRET_NOMEM
); /* Guaranteed panic! */
5772 * Swap local/remote because this is an ICMP packet.
5774 tmpaddr
= sel
.ips_local_addr_v6
;
5775 sel
.ips_local_addr_v6
= sel
.ips_remote_addr_v6
;
5776 sel
.ips_remote_addr_v6
= tmpaddr
;
5777 tmpport
= sel
.ips_local_port
;
5778 sel
.ips_local_port
= sel
.ips_remote_port
;
5779 sel
.ips_remote_port
= tmpport
;
5782 /* find_policy_head() */
5783 rw_enter(&polhead
->iph_lock
, RW_READER
);
5784 pol
= ipsec_find_policy_head(NULL
, polhead
, IPSEC_TYPE_INBOUND
,
5786 rw_exit(&polhead
->iph_lock
);
5788 uint64_t pkt_unique
;
5790 if (!(ira
->ira_flags
& IRAF_IPSEC_SECURE
)) {
5791 if (!pol
->ipsp_act
->ipa_allow_clear
) {
5793 * XXX should never get here with
5794 * tunnel reassembled fragments?
5796 ASSERT(mp
== data_mp
);
5797 ip_drop_packet(data_mp
, B_TRUE
, NULL
,
5798 DROPPER(ipss
, ipds_spd_got_clear
),
5799 &ipss
->ipsec_spd_dropper
);
5807 pkt_unique
= SA_UNIQUE_ID(sel
.ips_remote_port
,
5809 (inner_ipv4
== NULL
) ? IPPROTO_IPV6
:
5810 IPPROTO_ENCAP
, sel
.ips_protocol
);
5813 * NOTE: The following releases pol's reference and
5814 * calls ip_drop_packet() for me on NULL returns.
5816 * "sel" is still good here, so let's use it!
5818 if (data_mp
== mp
) {
5819 /* A single packet without attributes */
5820 data_mp
= ipsec_check_ipsecin_policy(data_mp
,
5821 pol
, inner_ipv4
, inner_ipv6
, pkt_unique
,
5825 * We pass in the b_next chain of attr_mp's
5826 * and get back a b_next chain of data_mp's.
5828 data_mp
= ipsec_check_ipsecin_policy_reasm(mp
,
5829 pol
, inner_ipv4
, inner_ipv6
, pkt_unique
,
5836 * Else fallthru and check the global policy on the outer
5837 * header(s) if this tunnel is an old-style transport-mode
5838 * one. Drop the packet explicitly (no policy entry) for
5839 * a new-style tunnel-mode tunnel.
5841 if ((itp
->itp_flags
& ITPF_P_TUNNEL
) && !is_icmp
) {
5842 ip_drop_packet_chain(data_mp
, B_TRUE
, NULL
,
5843 DROPPER(ipss
, ipds_spd_explicit
),
5844 &ipss
->ipsec_spd_dropper
);
5850 * NOTE: If we reach here, we will not have packet chains from
5851 * fragcache_add(), because the only way I get chains is on a
5852 * tunnel-mode tunnel, which either returns with a pass, or gets
5853 * hit by the ip_drop_packet_chain() call right above here.
5855 ASSERT(data_mp
->b_next
== NULL
);
5857 /* If no per-tunnel security, check global policy now. */
5858 if ((ira
->ira_flags
& IRAF_IPSEC_SECURE
) && !global_present
) {
5859 if (ira
->ira_flags
& IRAF_TRUSTED_ICMP
) {
5861 * This is an ICMP message that was geenrated locally.
5862 * We should accept it.
5867 ip_drop_packet(data_mp
, B_TRUE
, NULL
,
5868 DROPPER(ipss
, ipds_spd_got_secure
),
5869 &ipss
->ipsec_spd_dropper
);
5875 * For ICMP packets, "outer_ipvN" is set to the outer header
5876 * that is *INSIDE* the ICMP payload. For global policy
5877 * checking, we need to reverse src/dst on the payload in
5878 * order to construct selectors appropriately. See "ripha"
5879 * constructions in ip.c. To avoid a bug like 6478464 (see
5880 * earlier in this file), we will actually exchange src/dst
5881 * in the packet, and reverse if after the call to
5882 * ipsec_check_global_policy().
5884 if (outer_ipv4
!= NULL
) {
5885 tmp4
= outer_ipv4
->ipha_src
;
5886 outer_ipv4
->ipha_src
= outer_ipv4
->ipha_dst
;
5887 outer_ipv4
->ipha_dst
= tmp4
;
5889 ASSERT(outer_ipv6
!= NULL
);
5890 tmpaddr
= outer_ipv6
->ip6_src
;
5891 outer_ipv6
->ip6_src
= outer_ipv6
->ip6_dst
;
5892 outer_ipv6
->ip6_dst
= tmpaddr
;
5896 data_mp
= ipsec_check_global_policy(data_mp
, NULL
, outer_ipv4
,
5897 outer_ipv6
, ira
, ns
);
5898 if (data_mp
== NULL
)
5902 /* Set things back to normal. */
5903 if (outer_ipv4
!= NULL
) {
5904 tmp4
= outer_ipv4
->ipha_src
;
5905 outer_ipv4
->ipha_src
= outer_ipv4
->ipha_dst
;
5906 outer_ipv4
->ipha_dst
= tmp4
;
5908 /* No need for ASSERT()s now. */
5909 tmpaddr
= outer_ipv6
->ip6_src
;
5910 outer_ipv6
->ip6_src
= outer_ipv6
->ip6_dst
;
5911 outer_ipv6
->ip6_dst
= tmpaddr
;
5916 * At this point, we pretend it's a cleartext accepted
5923 * AVL comparison routine for our list of tunnel polheads.
5926 tunnel_compare(const void *arg1
, const void *arg2
)
5928 ipsec_tun_pol_t
*left
, *right
;
5931 left
= (ipsec_tun_pol_t
*)arg1
;
5932 right
= (ipsec_tun_pol_t
*)arg2
;
5934 rc
= strncmp(left
->itp_name
, right
->itp_name
, LIFNAMSIZ
);
5935 return (rc
== 0 ? rc
: (rc
> 0 ? 1 : -1));
5939 * Free a tunnel policy node.
5942 itp_free(ipsec_tun_pol_t
*node
, netstack_t
*ns
)
5944 if (node
->itp_policy
!= NULL
) {
5945 IPPH_REFRELE(node
->itp_policy
, ns
);
5946 node
->itp_policy
= NULL
;
5948 if (node
->itp_inactive
!= NULL
) {
5949 IPPH_REFRELE(node
->itp_inactive
, ns
);
5950 node
->itp_inactive
= NULL
;
5952 mutex_destroy(&node
->itp_lock
);
5953 kmem_free(node
, sizeof (*node
));
5957 itp_unlink(ipsec_tun_pol_t
*node
, netstack_t
*ns
)
5959 ipsec_stack_t
*ipss
= ns
->netstack_ipsec
;
5961 rw_enter(&ipss
->ipsec_tunnel_policy_lock
, RW_WRITER
);
5962 ipss
->ipsec_tunnel_policy_gen
++;
5963 ipsec_fragcache_uninit(&node
->itp_fragcache
, ipss
);
5964 avl_remove(&ipss
->ipsec_tunnel_policies
, node
);
5965 rw_exit(&ipss
->ipsec_tunnel_policy_lock
);
5966 ITP_REFRELE(node
, ns
);
5970 * Public interface to look up a tunnel security policy by name. Used by
5971 * spdsock mostly. Returns "node" with a bumped refcnt.
5974 get_tunnel_policy(char *name
, netstack_t
*ns
)
5976 ipsec_tun_pol_t
*node
, lookup
;
5977 ipsec_stack_t
*ipss
= ns
->netstack_ipsec
;
5979 (void) strncpy(lookup
.itp_name
, name
, LIFNAMSIZ
);
5981 rw_enter(&ipss
->ipsec_tunnel_policy_lock
, RW_READER
);
5982 node
= (ipsec_tun_pol_t
*)avl_find(&ipss
->ipsec_tunnel_policies
,
5987 rw_exit(&ipss
->ipsec_tunnel_policy_lock
);
5993 * Public interface to walk all tunnel security polcies. Useful for spdsock
5994 * DUMP operations. iterator() will not consume a reference.
5997 itp_walk(void (*iterator
)(ipsec_tun_pol_t
*, void *, netstack_t
*),
5998 void *arg
, netstack_t
*ns
)
6000 ipsec_tun_pol_t
*node
;
6001 ipsec_stack_t
*ipss
= ns
->netstack_ipsec
;
6003 rw_enter(&ipss
->ipsec_tunnel_policy_lock
, RW_READER
);
6004 for (node
= avl_first(&ipss
->ipsec_tunnel_policies
); node
!= NULL
;
6005 node
= AVL_NEXT(&ipss
->ipsec_tunnel_policies
, node
)) {
6006 iterator(node
, arg
, ns
);
6008 rw_exit(&ipss
->ipsec_tunnel_policy_lock
);
6012 * Initialize policy head. This can only fail if there's a memory problem.
6015 tunnel_polhead_init(ipsec_policy_head_t
*iph
, netstack_t
*ns
)
6017 ipsec_stack_t
*ipss
= ns
->netstack_ipsec
;
6019 rw_init(&iph
->iph_lock
, NULL
, RW_DEFAULT
, NULL
);
6022 if (ipsec_alloc_table(iph
, ipss
->ipsec_tun_spd_hashsize
,
6023 KM_SLEEP
, B_FALSE
, ns
) != 0) {
6024 ipsec_polhead_free_table(iph
);
6027 ipsec_polhead_init(iph
, ipss
->ipsec_tun_spd_hashsize
);
6032 * Create a tunnel policy node with "name". Set errno with
6033 * ENOMEM if there's a memory problem, and EEXIST if there's an existing
6037 create_tunnel_policy(char *name
, int *errno
, uint64_t *gen
, netstack_t
*ns
)
6039 ipsec_tun_pol_t
*newbie
, *existing
;
6041 ipsec_stack_t
*ipss
= ns
->netstack_ipsec
;
6043 newbie
= kmem_zalloc(sizeof (*newbie
), KM_NOSLEEP
);
6044 if (newbie
== NULL
) {
6048 if (!ipsec_fragcache_init(&newbie
->itp_fragcache
)) {
6049 kmem_free(newbie
, sizeof (*newbie
));
6054 (void) strncpy(newbie
->itp_name
, name
, LIFNAMSIZ
);
6056 rw_enter(&ipss
->ipsec_tunnel_policy_lock
, RW_WRITER
);
6057 existing
= (ipsec_tun_pol_t
*)avl_find(&ipss
->ipsec_tunnel_policies
,
6059 if (existing
!= NULL
) {
6060 itp_free(newbie
, ns
);
6062 rw_exit(&ipss
->ipsec_tunnel_policy_lock
);
6065 ipss
->ipsec_tunnel_policy_gen
++;
6066 *gen
= ipss
->ipsec_tunnel_policy_gen
;
6067 newbie
->itp_refcnt
= 2; /* One for the caller, one for the tree. */
6068 newbie
->itp_next_policy_index
= 1;
6069 avl_insert(&ipss
->ipsec_tunnel_policies
, newbie
, where
);
6070 mutex_init(&newbie
->itp_lock
, NULL
, MUTEX_DEFAULT
, NULL
);
6071 newbie
->itp_policy
= kmem_zalloc(sizeof (ipsec_policy_head_t
),
6073 if (newbie
->itp_policy
== NULL
)
6075 newbie
->itp_inactive
= kmem_zalloc(sizeof (ipsec_policy_head_t
),
6077 if (newbie
->itp_inactive
== NULL
) {
6078 kmem_free(newbie
->itp_policy
, sizeof (ipsec_policy_head_t
));
6082 if (!tunnel_polhead_init(newbie
->itp_policy
, ns
)) {
6083 kmem_free(newbie
->itp_policy
, sizeof (ipsec_policy_head_t
));
6084 kmem_free(newbie
->itp_inactive
, sizeof (ipsec_policy_head_t
));
6086 } else if (!tunnel_polhead_init(newbie
->itp_inactive
, ns
)) {
6087 IPPH_REFRELE(newbie
->itp_policy
, ns
);
6088 kmem_free(newbie
->itp_inactive
, sizeof (ipsec_policy_head_t
));
6091 rw_exit(&ipss
->ipsec_tunnel_policy_lock
);
6096 kmem_free(newbie
, sizeof (*newbie
));
6101 * Given two addresses, find a tunnel instance's IPsec policy heads.
6102 * Returns NULL on failure.
6105 itp_get_byaddr(uint32_t *laddr
, uint32_t *faddr
, int af
, ip_stack_t
*ipst
)
6109 ipsec_tun_pol_t
*itp
= NULL
;
6111 /* Classifiers are used to "src" being foreign. */
6112 if (af
== AF_INET
) {
6113 connp
= ipcl_iptun_classify_v4((ipaddr_t
*)faddr
,
6114 (ipaddr_t
*)laddr
, ipst
);
6116 ASSERT(af
== AF_INET6
);
6117 ASSERT(!IN6_IS_ADDR_V4MAPPED((in6_addr_t
*)laddr
));
6118 ASSERT(!IN6_IS_ADDR_V4MAPPED((in6_addr_t
*)faddr
));
6119 connp
= ipcl_iptun_classify_v6((in6_addr_t
*)faddr
,
6120 (in6_addr_t
*)laddr
, ipst
);
6126 if (IPCL_IS_IPTUN(connp
)) {
6127 iptun
= connp
->conn_iptun
;
6128 if (iptun
!= NULL
) {
6129 itp
= iptun
->iptun_itp
;
6131 /* Braces due to the macro's nature... */
6134 } /* Else itp is already NULL. */
6137 CONN_DEC_REF(connp
);
6142 * Frag cache code, based on SunScreen 3.2 source
6143 * screen/kernel/common/screen_fragcache.c
6146 #define IPSEC_FRAG_TTL_MAX 5
6148 * Note that the following parameters create 256 hash buckets
6149 * with 1024 free entries to be distributed. Things are cleaned
6150 * periodically and are attempted to be cleaned when there is no
6151 * free space, but this system errs on the side of dropping packets
6152 * over creating memory exhaustion. We may decide to make hash
6153 * factor a tunable if this proves to be a bad decision.
6155 #define IPSEC_FRAG_HASH_SLOTS (1<<8)
6156 #define IPSEC_FRAG_HASH_FACTOR 4
6157 #define IPSEC_FRAG_HASH_SIZE (IPSEC_FRAG_HASH_SLOTS * IPSEC_FRAG_HASH_FACTOR)
6159 #define IPSEC_FRAG_HASH_MASK (IPSEC_FRAG_HASH_SLOTS - 1)
6160 #define IPSEC_FRAG_HASH_FUNC(id) (((id) & IPSEC_FRAG_HASH_MASK) ^ \
6162 (ushort_t)IPSEC_FRAG_HASH_SLOTS) & \
6163 IPSEC_FRAG_HASH_MASK))
6165 /* Maximum fragments per packet. 48 bytes payload x 1366 packets > 64KB */
6166 #define IPSEC_MAX_FRAGS 1366
6168 #define V4_FRAG_OFFSET(ipha) ((ntohs(ipha->ipha_fragment_offset_and_flags) & \
6170 #define V4_MORE_FRAGS(ipha) (ntohs(ipha->ipha_fragment_offset_and_flags) & \
6174 * Initialize an ipsec fragcache instance.
6175 * Returns B_FALSE if memory allocation fails.
6178 ipsec_fragcache_init(ipsec_fragcache_t
*frag
)
6180 ipsec_fragcache_entry_t
*ftemp
;
6183 mutex_init(&frag
->itpf_lock
, NULL
, MUTEX_DEFAULT
, NULL
);
6184 frag
->itpf_ptr
= (ipsec_fragcache_entry_t
**)
6185 kmem_zalloc(sizeof (ipsec_fragcache_entry_t
*) *
6186 IPSEC_FRAG_HASH_SLOTS
, KM_NOSLEEP
);
6187 if (frag
->itpf_ptr
== NULL
)
6190 ftemp
= (ipsec_fragcache_entry_t
*)
6191 kmem_zalloc(sizeof (ipsec_fragcache_entry_t
) *
6192 IPSEC_FRAG_HASH_SIZE
, KM_NOSLEEP
);
6193 if (ftemp
== NULL
) {
6194 kmem_free(frag
->itpf_ptr
, sizeof (ipsec_fragcache_entry_t
*) *
6195 IPSEC_FRAG_HASH_SLOTS
);
6199 frag
->itpf_freelist
= NULL
;
6201 for (i
= 0; i
< IPSEC_FRAG_HASH_SIZE
; i
++) {
6202 ftemp
->itpfe_next
= frag
->itpf_freelist
;
6203 frag
->itpf_freelist
= ftemp
;
6207 frag
->itpf_expire_hint
= 0;
6213 ipsec_fragcache_uninit(ipsec_fragcache_t
*frag
, ipsec_stack_t
*ipss
)
6215 ipsec_fragcache_entry_t
*fep
;
6218 mutex_enter(&frag
->itpf_lock
);
6219 if (frag
->itpf_ptr
) {
6220 /* Delete any existing fragcache entry chains */
6221 for (i
= 0; i
< IPSEC_FRAG_HASH_SLOTS
; i
++) {
6222 fep
= (frag
->itpf_ptr
)[i
];
6223 while (fep
!= NULL
) {
6224 /* Returned fep is next in chain or NULL */
6225 fep
= fragcache_delentry(i
, fep
, frag
, ipss
);
6229 * Chase the pointers back to the beginning
6230 * of the memory allocation and then
6231 * get rid of the allocated freelist
6233 while (frag
->itpf_freelist
->itpfe_next
!= NULL
)
6234 frag
->itpf_freelist
= frag
->itpf_freelist
->itpfe_next
;
6236 * XXX - If we ever dynamically grow the freelist
6237 * then we'll have to free entries individually
6238 * or determine how many entries or chunks we have
6239 * grown since the initial allocation.
6241 kmem_free(frag
->itpf_freelist
,
6242 sizeof (ipsec_fragcache_entry_t
) *
6243 IPSEC_FRAG_HASH_SIZE
);
6244 /* Free the fragcache structure */
6245 kmem_free(frag
->itpf_ptr
,
6246 sizeof (ipsec_fragcache_entry_t
*) *
6247 IPSEC_FRAG_HASH_SLOTS
);
6249 mutex_exit(&frag
->itpf_lock
);
6250 mutex_destroy(&frag
->itpf_lock
);
6254 * Add a fragment to the fragment cache. Consumes mp if NULL is returned.
6255 * Returns mp if a whole fragment has been assembled, NULL otherwise
6256 * The returned mp could be a b_next chain of fragments.
6258 * The iramp argument is set on inbound; NULL if outbound.
6261 ipsec_fragcache_add(ipsec_fragcache_t
*frag
, mblk_t
*iramp
, mblk_t
*mp
,
6262 int outer_hdr_len
, ipsec_stack_t
*ipss
)
6270 uint8_t *v6_proto_p
;
6271 uint16_t ip6_hdr_length
;
6273 ip6_frag_t
*fraghdr
;
6274 ipsec_fragcache_entry_t
*fep
;
6276 mblk_t
*nmp
, *prevmp
;
6277 int firstbyte
, lastbyte
;
6280 boolean_t inbound
= (iramp
!= NULL
);
6282 #ifdef FRAGCACHE_DEBUG
6283 cmn_err(CE_WARN
, "Fragcache: %s\n", inbound
? "INBOUND" : "OUTBOUND");
6286 * You're on the slow path, so insure that every packet in the
6287 * cache is a single-mblk one.
6289 if (mp
->b_cont
!= NULL
) {
6290 nmp
= msgpullup(mp
, -1);
6292 ip_drop_packet(mp
, inbound
, NULL
,
6293 DROPPER(ipss
, ipds_spd_nomem
),
6294 &ipss
->ipsec_spd_dropper
);
6296 (void) ip_recv_attr_free_mblk(iramp
);
6303 mutex_enter(&frag
->itpf_lock
);
6305 oiph
= (ipha_t
*)mp
->b_rptr
;
6306 iph
= (ipha_t
*)(mp
->b_rptr
+ outer_hdr_len
);
6308 if (IPH_HDR_VERSION(iph
) == IPV4_VERSION
) {
6311 ASSERT(IPH_HDR_VERSION(iph
) == IPV6_VERSION
);
6312 ip6h
= (ip6_t
*)(mp
->b_rptr
+ outer_hdr_len
);
6314 if (!ip_hdr_length_nexthdr_v6(mp
, ip6h
, &ip6_hdr_length
,
6317 * Find upper layer protocol.
6318 * If it fails we have a malformed packet
6320 mutex_exit(&frag
->itpf_lock
);
6321 ip_drop_packet(mp
, inbound
, NULL
,
6322 DROPPER(ipss
, ipds_spd_malformed_packet
),
6323 &ipss
->ipsec_spd_dropper
);
6325 (void) ip_recv_attr_free_mblk(iramp
);
6328 v6_proto
= *v6_proto_p
;
6332 bzero(&ipp
, sizeof (ipp
));
6333 (void) ip_find_hdr_v6(mp
, ip6h
, B_FALSE
, &ipp
, NULL
);
6334 if (!(ipp
.ipp_fields
& IPPF_FRAGHDR
)) {
6336 * We think this is a fragment, but didn't find
6337 * a fragment header. Something is wrong.
6339 mutex_exit(&frag
->itpf_lock
);
6340 ip_drop_packet(mp
, inbound
, NULL
,
6341 DROPPER(ipss
, ipds_spd_malformed_frag
),
6342 &ipss
->ipsec_spd_dropper
);
6344 (void) ip_recv_attr_free_mblk(iramp
);
6347 fraghdr
= ipp
.ipp_fraghdr
;
6351 /* Anything to cleanup? */
6354 * This cleanup call could be put in a timer loop
6355 * but it may actually be just as reasonable a decision to
6356 * leave it here. The disadvantage is this only gets called when
6357 * frags are added. The advantage is that it is not
6358 * susceptible to race conditions like a time-based cleanup
6361 itpf_time
= gethrestime_sec();
6362 if (itpf_time
>= frag
->itpf_expire_hint
)
6363 ipsec_fragcache_clean(frag
, ipss
);
6365 /* Lookup to see if there is an existing entry */
6368 i
= IPSEC_FRAG_HASH_FUNC(iph
->ipha_ident
);
6370 i
= IPSEC_FRAG_HASH_FUNC(fraghdr
->ip6f_ident
);
6372 for (fep
= (frag
->itpf_ptr
)[i
]; fep
; fep
= fep
->itpfe_next
) {
6374 ASSERT(iph
!= NULL
);
6375 if ((fep
->itpfe_id
== iph
->ipha_ident
) &&
6376 (fep
->itpfe_src
== iph
->ipha_src
) &&
6377 (fep
->itpfe_dst
== iph
->ipha_dst
) &&
6378 (fep
->itpfe_proto
== iph
->ipha_protocol
))
6381 ASSERT(fraghdr
!= NULL
);
6382 ASSERT(fep
!= NULL
);
6383 if ((fep
->itpfe_id
== fraghdr
->ip6f_ident
) &&
6384 IN6_ARE_ADDR_EQUAL(&fep
->itpfe_src6
,
6386 IN6_ARE_ADDR_EQUAL(&fep
->itpfe_dst6
,
6387 &ip6h
->ip6_dst
) && (fep
->itpfe_proto
== v6_proto
))
6393 firstbyte
= V4_FRAG_OFFSET(iph
);
6394 lastbyte
= firstbyte
+ ntohs(iph
->ipha_length
) -
6395 IPH_HDR_LENGTH(iph
);
6396 last
= (V4_MORE_FRAGS(iph
) == 0);
6397 #ifdef FRAGCACHE_DEBUG
6398 cmn_err(CE_WARN
, "V4 fragcache: firstbyte = %d, lastbyte = %d, "
6399 "is_last_frag = %d, id = %d, mp = %p\n", firstbyte
,
6400 lastbyte
, last
, iph
->ipha_ident
, mp
);
6403 firstbyte
= ntohs(fraghdr
->ip6f_offlg
& IP6F_OFF_MASK
);
6404 lastbyte
= firstbyte
+ ntohs(ip6h
->ip6_plen
) +
6405 sizeof (ip6_t
) - ip6_hdr_length
;
6406 last
= (fraghdr
->ip6f_offlg
& IP6F_MORE_FRAG
) == 0;
6407 #ifdef FRAGCACHE_DEBUG
6408 cmn_err(CE_WARN
, "V6 fragcache: firstbyte = %d, lastbyte = %d, "
6409 "is_last_frag = %d, id = %d, fraghdr = %p, mp = %p\n",
6410 firstbyte
, lastbyte
, last
, fraghdr
->ip6f_ident
, fraghdr
,
6415 /* check for bogus fragments and delete the entry */
6416 if (firstbyte
> 0 && firstbyte
<= 8) {
6418 (void) fragcache_delentry(i
, fep
, frag
, ipss
);
6419 mutex_exit(&frag
->itpf_lock
);
6420 ip_drop_packet(mp
, inbound
, NULL
,
6421 DROPPER(ipss
, ipds_spd_malformed_frag
),
6422 &ipss
->ipsec_spd_dropper
);
6424 (void) ip_recv_attr_free_mblk(iramp
);
6428 /* Not found, allocate a new entry */
6430 if (frag
->itpf_freelist
== NULL
) {
6431 /* see if there is some space */
6432 ipsec_fragcache_clean(frag
, ipss
);
6433 if (frag
->itpf_freelist
== NULL
) {
6434 mutex_exit(&frag
->itpf_lock
);
6435 ip_drop_packet(mp
, inbound
, NULL
,
6436 DROPPER(ipss
, ipds_spd_nomem
),
6437 &ipss
->ipsec_spd_dropper
);
6439 (void) ip_recv_attr_free_mblk(iramp
);
6444 fep
= frag
->itpf_freelist
;
6445 frag
->itpf_freelist
= fep
->itpfe_next
;
6448 bcopy((caddr_t
)&iph
->ipha_src
, (caddr_t
)&fep
->itpfe_src
,
6449 sizeof (struct in_addr
));
6450 bcopy((caddr_t
)&iph
->ipha_dst
, (caddr_t
)&fep
->itpfe_dst
,
6451 sizeof (struct in_addr
));
6452 fep
->itpfe_id
= iph
->ipha_ident
;
6453 fep
->itpfe_proto
= iph
->ipha_protocol
;
6454 i
= IPSEC_FRAG_HASH_FUNC(fep
->itpfe_id
);
6456 bcopy((in6_addr_t
*)&ip6h
->ip6_src
,
6457 (in6_addr_t
*)&fep
->itpfe_src6
,
6458 sizeof (struct in6_addr
));
6459 bcopy((in6_addr_t
*)&ip6h
->ip6_dst
,
6460 (in6_addr_t
*)&fep
->itpfe_dst6
,
6461 sizeof (struct in6_addr
));
6462 fep
->itpfe_id
= fraghdr
->ip6f_ident
;
6463 fep
->itpfe_proto
= v6_proto
;
6464 i
= IPSEC_FRAG_HASH_FUNC(fep
->itpfe_id
);
6466 itpf_time
= gethrestime_sec();
6467 fep
->itpfe_exp
= itpf_time
+ IPSEC_FRAG_TTL_MAX
+ 1;
6468 fep
->itpfe_last
= 0;
6469 fep
->itpfe_fraglist
= NULL
;
6470 fep
->itpfe_depth
= 0;
6471 fep
->itpfe_next
= (frag
->itpf_ptr
)[i
];
6472 (frag
->itpf_ptr
)[i
] = fep
;
6474 if (frag
->itpf_expire_hint
> fep
->itpfe_exp
)
6475 frag
->itpf_expire_hint
= fep
->itpfe_exp
;
6479 /* Insert it in the frag list */
6480 /* List is in order by starting offset of fragments */
6483 for (nmp
= fep
->itpfe_fraglist
; nmp
; nmp
= nmp
->b_next
) {
6488 ip6_frag_t
*nfraghdr
;
6489 uint16_t nip6_hdr_length
;
6490 uint8_t *nv6_proto_p
;
6491 int nfirstbyte
, nlastbyte
;
6493 mblk_t
*ndata_mp
= (inbound
? nmp
->b_cont
: nmp
);
6496 oniph
= (ipha_t
*)mp
->b_rptr
;
6501 * Determine outer header type and length and set
6502 * pointers appropriately
6505 if (IPH_HDR_VERSION(oniph
) == IPV4_VERSION
) {
6506 hdr_len
= ((outer_hdr_len
!= 0) ?
6507 IPH_HDR_LENGTH(oiph
) : 0);
6508 niph
= (ipha_t
*)(ndata_mp
->b_rptr
+ hdr_len
);
6510 ASSERT(IPH_HDR_VERSION(oniph
) == IPV6_VERSION
);
6511 ASSERT(ndata_mp
->b_cont
== NULL
);
6512 nip6h
= (ip6_t
*)ndata_mp
->b_rptr
;
6513 (void) ip_hdr_length_nexthdr_v6(ndata_mp
, nip6h
,
6514 &nip6_hdr_length
, &v6_proto_p
);
6515 hdr_len
= ((outer_hdr_len
!= 0) ? nip6_hdr_length
: 0);
6519 * Determine inner header type and length and set
6520 * pointers appropriately
6526 niph
= (ipha_t
*)(ndata_mp
->b_rptr
+ hdr_len
);
6528 nfirstbyte
= V4_FRAG_OFFSET(niph
);
6529 nlastbyte
= nfirstbyte
+ ntohs(niph
->ipha_length
) -
6530 IPH_HDR_LENGTH(niph
);
6532 ASSERT(ndata_mp
->b_cont
== NULL
);
6533 nip6h
= (ip6_t
*)(ndata_mp
->b_rptr
+ hdr_len
);
6534 if (!ip_hdr_length_nexthdr_v6(ndata_mp
, nip6h
,
6535 &nip6_hdr_length
, &nv6_proto_p
)) {
6536 mutex_exit(&frag
->itpf_lock
);
6537 ip_drop_packet_chain(nmp
, inbound
, NULL
,
6538 DROPPER(ipss
, ipds_spd_malformed_frag
),
6539 &ipss
->ipsec_spd_dropper
);
6540 ipsec_freemsg_chain(ndata_mp
);
6542 (void) ip_recv_attr_free_mblk(iramp
);
6545 bzero(&nipp
, sizeof (nipp
));
6546 (void) ip_find_hdr_v6(ndata_mp
, nip6h
, B_FALSE
, &nipp
,
6548 nfraghdr
= nipp
.ipp_fraghdr
;
6549 nfirstbyte
= ntohs(nfraghdr
->ip6f_offlg
&
6551 nlastbyte
= nfirstbyte
+ ntohs(nip6h
->ip6_plen
) +
6552 sizeof (ip6_t
) - nip6_hdr_length
;
6555 /* Check for overlapping fragments */
6556 if (firstbyte
>= nfirstbyte
&& firstbyte
< nlastbyte
) {
6559 * ~~~~--------- # Check if the newly
6560 * ~ ndata_mp| # received fragment
6561 * ~~~~--------- # overlaps with the
6562 * ---------~~~~~~ # current fragment.
6567 data
= (char *)iph
+ IPH_HDR_LENGTH(iph
) +
6568 firstbyte
- nfirstbyte
;
6569 ndata
= (char *)niph
+ IPH_HDR_LENGTH(niph
);
6571 data
= (char *)ip6h
+
6572 nip6_hdr_length
+ firstbyte
-
6574 ndata
= (char *)nip6h
+ nip6_hdr_length
;
6576 if (bcmp(data
, ndata
, MIN(lastbyte
, nlastbyte
) -
6578 /* Overlapping data does not match */
6579 (void) fragcache_delentry(i
, fep
, frag
, ipss
);
6580 mutex_exit(&frag
->itpf_lock
);
6581 ip_drop_packet(mp
, inbound
, NULL
,
6582 DROPPER(ipss
, ipds_spd_overlap_frag
),
6583 &ipss
->ipsec_spd_dropper
);
6585 (void) ip_recv_attr_free_mblk(iramp
);
6588 /* Part of defense for jolt2.c fragmentation attack */
6589 if (firstbyte
>= nfirstbyte
&& lastbyte
<= nlastbyte
) {
6591 * Check for identical or subset fragments:
6592 * ---------- ~~~~--------~~~~~
6593 * | nmp | or ~ nmp ~
6594 * ---------- ~~~~--------~~~~~
6599 mutex_exit(&frag
->itpf_lock
);
6600 ip_drop_packet(mp
, inbound
, NULL
,
6601 DROPPER(ipss
, ipds_spd_evil_frag
),
6602 &ipss
->ipsec_spd_dropper
);
6604 (void) ip_recv_attr_free_mblk(iramp
);
6610 /* Correct location for this fragment? */
6611 if (firstbyte
<= nfirstbyte
) {
6613 * Check if the tail end of the new fragment overlaps
6614 * with the head of the current fragment.
6622 if (lastbyte
> nfirstbyte
) {
6623 /* Fragments overlap */
6624 data
= (char *)iph
+ IPH_HDR_LENGTH(iph
) +
6625 firstbyte
- nfirstbyte
;
6626 ndata
= (char *)niph
+ IPH_HDR_LENGTH(niph
);
6628 data
= (char *)iph
+
6629 IPH_HDR_LENGTH(iph
) + firstbyte
-
6631 ndata
= (char *)niph
+
6632 IPH_HDR_LENGTH(niph
);
6634 data
= (char *)ip6h
+
6635 nip6_hdr_length
+ firstbyte
-
6637 ndata
= (char *)nip6h
+ nip6_hdr_length
;
6639 if (bcmp(data
, ndata
, MIN(lastbyte
, nlastbyte
)
6641 /* Overlap mismatch */
6642 (void) fragcache_delentry(i
, fep
, frag
,
6644 mutex_exit(&frag
->itpf_lock
);
6645 ip_drop_packet(mp
, inbound
, NULL
,
6647 ipds_spd_overlap_frag
),
6648 &ipss
->ipsec_spd_dropper
);
6650 (void) ip_recv_attr_free_mblk(
6658 * Fragment does not illegally overlap and can now
6659 * be inserted into the chain
6666 /* Prepend the attributes before we link it in */
6667 if (iramp
!= NULL
) {
6668 ASSERT(iramp
->b_cont
== NULL
);
6675 if (prevmp
== NULL
) {
6676 fep
->itpfe_fraglist
= mp
;
6678 prevmp
->b_next
= mp
;
6681 fep
->itpfe_last
= 1;
6683 /* Part of defense for jolt2.c fragmentation attack */
6684 if (++(fep
->itpfe_depth
) > IPSEC_MAX_FRAGS
) {
6685 (void) fragcache_delentry(i
, fep
, frag
, ipss
);
6686 mutex_exit(&frag
->itpf_lock
);
6688 mp
= ip_recv_attr_free_mblk(mp
);
6690 ip_drop_packet(mp
, inbound
, NULL
,
6691 DROPPER(ipss
, ipds_spd_max_frags
),
6692 &ipss
->ipsec_spd_dropper
);
6696 /* Check for complete packet */
6698 if (!fep
->itpfe_last
) {
6699 mutex_exit(&frag
->itpf_lock
);
6700 #ifdef FRAGCACHE_DEBUG
6701 cmn_err(CE_WARN
, "Fragment cached, last not yet seen.\n");
6707 for (mp
= fep
->itpfe_fraglist
; mp
; mp
= mp
->b_next
) {
6708 mblk_t
*data_mp
= (inbound
? mp
->b_cont
: mp
);
6711 oiph
= (ipha_t
*)data_mp
->b_rptr
;
6715 if (IPH_HDR_VERSION(oiph
) == IPV4_VERSION
) {
6716 hdr_len
= ((outer_hdr_len
!= 0) ?
6717 IPH_HDR_LENGTH(oiph
) : 0);
6718 iph
= (ipha_t
*)(data_mp
->b_rptr
+ hdr_len
);
6720 ASSERT(IPH_HDR_VERSION(oiph
) == IPV6_VERSION
);
6721 ASSERT(data_mp
->b_cont
== NULL
);
6722 ip6h
= (ip6_t
*)data_mp
->b_rptr
;
6723 (void) ip_hdr_length_nexthdr_v6(data_mp
, ip6h
,
6724 &ip6_hdr_length
, &v6_proto_p
);
6725 hdr_len
= ((outer_hdr_len
!= 0) ? ip6_hdr_length
: 0);
6728 /* Calculate current fragment start/end */
6732 iph
= (ipha_t
*)(data_mp
->b_rptr
+ hdr_len
);
6734 firstbyte
= V4_FRAG_OFFSET(iph
);
6735 lastbyte
= firstbyte
+ ntohs(iph
->ipha_length
) -
6736 IPH_HDR_LENGTH(iph
);
6738 ASSERT(data_mp
->b_cont
== NULL
);
6739 ip6h
= (ip6_t
*)(data_mp
->b_rptr
+ hdr_len
);
6740 if (!ip_hdr_length_nexthdr_v6(data_mp
, ip6h
,
6741 &ip6_hdr_length
, &v6_proto_p
)) {
6742 mutex_exit(&frag
->itpf_lock
);
6743 ip_drop_packet_chain(mp
, inbound
, NULL
,
6744 DROPPER(ipss
, ipds_spd_malformed_frag
),
6745 &ipss
->ipsec_spd_dropper
);
6748 v6_proto
= *v6_proto_p
;
6749 bzero(&ipp
, sizeof (ipp
));
6750 (void) ip_find_hdr_v6(data_mp
, ip6h
, B_FALSE
, &ipp
,
6752 fraghdr
= ipp
.ipp_fraghdr
;
6753 firstbyte
= ntohs(fraghdr
->ip6f_offlg
&
6755 lastbyte
= firstbyte
+ ntohs(ip6h
->ip6_plen
) +
6756 sizeof (ip6_t
) - ip6_hdr_length
;
6760 * If this fragment is greater than current offset,
6761 * we have a missing fragment so return NULL
6763 if (firstbyte
> offset
) {
6764 mutex_exit(&frag
->itpf_lock
);
6765 #ifdef FRAGCACHE_DEBUG
6767 * Note, this can happen when the last frag
6768 * gets sent through because it is smaller
6769 * than the MTU. It is not necessarily an
6772 cmn_err(CE_WARN
, "Frag greater than offset! : "
6773 "missing fragment: firstbyte = %d, offset = %d, "
6774 "mp = %p\n", firstbyte
, offset
, mp
);
6778 #ifdef FRAGCACHE_DEBUG
6779 cmn_err(CE_WARN
, "Frag offsets : "
6780 "firstbyte = %d, offset = %d, mp = %p\n",
6781 firstbyte
, offset
, mp
);
6785 * If we are at the last fragment, we have the complete
6786 * packet, so rechain things and return it to caller
6790 if ((is_v4
&& !V4_MORE_FRAGS(iph
)) ||
6791 (!is_v4
&& !(fraghdr
->ip6f_offlg
& IP6F_MORE_FRAG
))) {
6792 mp
= fep
->itpfe_fraglist
;
6793 fep
->itpfe_fraglist
= NULL
;
6794 (void) fragcache_delentry(i
, fep
, frag
, ipss
);
6795 mutex_exit(&frag
->itpf_lock
);
6797 if ((is_v4
&& (firstbyte
+ ntohs(iph
->ipha_length
) >
6798 65535)) || (!is_v4
&& (firstbyte
+
6799 ntohs(ip6h
->ip6_plen
) > 65535))) {
6800 /* It is an invalid "ping-o-death" packet */
6802 ip_drop_packet_chain(mp
, inbound
, NULL
,
6803 DROPPER(ipss
, ipds_spd_evil_frag
),
6804 &ipss
->ipsec_spd_dropper
);
6807 #ifdef FRAGCACHE_DEBUG
6808 cmn_err(CE_WARN
, "Fragcache returning mp = %p, "
6809 "mp->b_next = %p", mp
, mp
->b_next
);
6812 * For inbound case, mp has attrmp b_next'd chain
6813 * For outbound case, it is just data mp chain
6819 * Update new ending offset if this
6820 * fragment extends the packet
6822 if (offset
< lastbyte
)
6826 mutex_exit(&frag
->itpf_lock
);
6828 /* Didn't find last fragment, so return NULL */
6833 ipsec_fragcache_clean(ipsec_fragcache_t
*frag
, ipsec_stack_t
*ipss
)
6835 ipsec_fragcache_entry_t
*fep
;
6837 ipsec_fragcache_entry_t
*earlyfep
= NULL
;
6842 ASSERT(MUTEX_HELD(&frag
->itpf_lock
));
6844 itpf_time
= gethrestime_sec();
6845 earlyexp
= itpf_time
+ 10000;
6847 for (i
= 0; i
< IPSEC_FRAG_HASH_SLOTS
; i
++) {
6848 fep
= (frag
->itpf_ptr
)[i
];
6850 if (fep
->itpfe_exp
< itpf_time
) {
6852 fep
= fragcache_delentry(i
, fep
, frag
, ipss
);
6854 if (fep
->itpfe_exp
< earlyexp
) {
6856 earlyexp
= fep
->itpfe_exp
;
6859 fep
= fep
->itpfe_next
;
6864 frag
->itpf_expire_hint
= earlyexp
;
6867 if (frag
->itpf_freelist
== NULL
)
6868 (void) fragcache_delentry(earlyi
, earlyfep
, frag
, ipss
);
6871 static ipsec_fragcache_entry_t
*
6872 fragcache_delentry(int slot
, ipsec_fragcache_entry_t
*fep
,
6873 ipsec_fragcache_t
*frag
, ipsec_stack_t
*ipss
)
6875 ipsec_fragcache_entry_t
*targp
;
6876 ipsec_fragcache_entry_t
*nextp
= fep
->itpfe_next
;
6878 ASSERT(MUTEX_HELD(&frag
->itpf_lock
));
6880 /* Free up any fragment list still in cache entry */
6881 if (fep
->itpfe_fraglist
!= NULL
) {
6882 ip_drop_packet_chain(fep
->itpfe_fraglist
,
6883 ip_recv_attr_is_mblk(fep
->itpfe_fraglist
), NULL
,
6884 DROPPER(ipss
, ipds_spd_expired_frags
),
6885 &ipss
->ipsec_spd_dropper
);
6887 fep
->itpfe_fraglist
= NULL
;
6889 targp
= (frag
->itpf_ptr
)[slot
];
6893 /* unlink from head of hash chain */
6894 (frag
->itpf_ptr
)[slot
] = nextp
;
6895 /* link into free list */
6896 fep
->itpfe_next
= frag
->itpf_freelist
;
6897 frag
->itpf_freelist
= fep
;
6901 /* maybe should use double linked list to make update faster */
6902 /* must be past front of chain */
6904 if (targp
->itpfe_next
== fep
) {
6905 /* unlink from hash chain */
6906 targp
->itpfe_next
= nextp
;
6907 /* link into free list */
6908 fep
->itpfe_next
= frag
->itpf_freelist
;
6909 frag
->itpf_freelist
= fep
;
6912 targp
= targp
->itpfe_next
;