| blob | 756a6566970206745901705834e298fe183a6032 |
1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21 /*
22 * Copyright 2010 Sun Microsystems, Inc. All rights reserved.
23 * Use is subject to license terms.
24 * Copyright (c) 2012 Nexenta Systems, Inc. All rights reserved.
25 * Copyright 2017 Joyent, Inc.
26 */
28 #include <sys/types.h>
29 #include <sys/stream.h>
30 #include <sys/stropts.h>
31 #include <sys/errno.h>
32 #include <sys/strlog.h>
33 #include <sys/tihdr.h>
34 #include <sys/socket.h>
35 #include <sys/ddi.h>
36 #include <sys/sunddi.h>
37 #include <sys/mkdev.h>
38 #include <sys/kmem.h>
39 #include <sys/zone.h>
40 #include <sys/sysmacros.h>
41 #include <sys/cmn_err.h>
42 #include <sys/vtrace.h>
43 #include <sys/debug.h>
44 #include <sys/atomic.h>
45 #include <sys/strsun.h>
46 #include <sys/random.h>
47 #include <netinet/in.h>
48 #include <net/if.h>
49 #include <netinet/ip6.h>
50 #include <netinet/icmp6.h>
51 #include <net/pfkeyv2.h>
52 #include <net/pfpolicy.h>
54 #include <inet/common.h>
55 #include <inet/mi.h>
56 #include <inet/ip.h>
57 #include <inet/ip6.h>
58 #include <inet/nd.h>
59 #include <inet/ip_if.h>
60 #include <inet/ip_ndp.h>
61 #include <inet/ipsec_info.h>
62 #include <inet/ipsec_impl.h>
63 #include <inet/sadb.h>
64 #include <inet/ipsecah.h>
65 #include <inet/ipsec_impl.h>
66 #include <inet/ipdrop.h>
67 #include <sys/taskq.h>
68 #include <sys/policy.h>
69 #include <sys/strsun.h>
71 #include <sys/crypto/common.h>
72 #include <sys/crypto/api.h>
73 #include <sys/kstat.h>
74 #include <sys/strsubr.h>
76 /*
77 * Table of ND variables supported by ipsecah. These are loaded into
78 * ipsecah_g_nd in ipsecah_init_nd.
79 * All of these are alterable, within the min/max values given, at run time.
80 */
82 /* min max value name */
89 /* Default lifetime values for ACQUIRE messages. */
97 };
99 #define ah0dbg(a) printf a
100 /* NOTE: != 0 instead of > 0 so lint doesn't complain. */
101 #define ah1dbg(ahstack, a) if (ahstack->ipsecah_debug != 0) printf a
102 #define ah2dbg(ahstack, a) if (ahstack->ipsecah_debug > 1) printf a
103 #define ah3dbg(ahstack, a) if (ahstack->ipsecah_debug > 2) printf a
105 /*
106 * XXX This is broken. Padding should be determined dynamically
107 * depending on the ICV size and IP version number so that the
108 * total AH header size is a multiple of 32 bits or 64 bits
109 * for V4 and V6 respectively. For 96bit ICVs we have no problems.
110 * Anything different from that, we need to fix our code.
111 */
115 /*
116 * Helper macro. Avoids a call to msgdsize if there is only one
117 * mblk in the chain.
118 */
119 #define AH_MSGSIZE(mp) ((mp)->b_cont != NULL ? msgdsize(mp) : MBLKL(mp))
138 cred_t *);
142 /* Setable in /etc/system */
149 };
153 NULL
154 };
158 NULL
159 };
163 };
169 static boolean_t
171 {
176 stackid);
186 #define K64 KSTAT_DATA_UINT64
187 #define KI(x) kstat_named_init(&(ahstack->ah_kstats->ah_stat_##x), #x, K64)
203 #undef KI
204 #undef K64
209 }
211 static int
213 {
232 }
241 }
243 /*
244 * Don't have to lock ipsec_age_interval, as only one thread will access it at
245 * a time, because I control the one function that does a qtimeout() on
246 * ah_pfkey_q.
247 */
248 static void
250 {
264 }
266 /*
267 * Get an AH NDD parameter.
268 */
269 /* ARGSUSED */
270 static int
274 caddr_t cp,
276 {
278 uint_t value;
287 }
289 /*
290 * This routine sets an NDD variable in a ipsecahparam_t structure.
291 */
292 /* ARGSUSED */
293 static int
298 caddr_t cp,
300 {
301 ulong_t new_value;
305 /*
306 * Fail the request if the new value does not lie within the
307 * required bounds.
308 */
313 }
315 /* Set the new value */
320 }
322 /*
323 * Using lifetime NDD variables, fill in an extended combination's
324 * lifetime information.
325 */
326 void
328 {
341 }
343 /*
344 * Initialize things for AH at module load time.
345 */
346 boolean_t
348 {
352 /*
353 * We want to be informed each time a stack is created or
354 * destroyed in the kernel, so we can maintain the
355 * set of ipsecah_stack_t's.
356 */
358 ipsecah_stack_fini);
361 }
363 /*
364 * Walk through the param array specified registering each element with the
365 * named dispatch handler.
366 */
367 static boolean_t
369 {
379 }
380 }
381 }
383 }
385 /*
386 * Initialize things for AH for each stack instance
387 */
390 {
414 }
416 /*
417 * Destroy things for AH at module unload time.
418 */
419 void
421 {
424 }
426 /*
427 * Destroy things for AH for one stack... Never called?
428 */
429 static void
431 {
436 }
450 }
452 /*
453 * AH module open routine, which is here for keysock plumbing.
454 * Keysock is pushed over {AH,ESP} which is an artifact from the Bad Old
455 * Days of export control, and fears that ESP would not be allowed
456 * to be shipped at all by default. Eventually, keysock should
457 * either access AH and ESP via modstubs or krtld dependencies, or
458 * perhaps be folded in with AH and ESP into a single IPsec/netsec
459 * module ("netsec" if PF_KEY provides more than AH/ESP keying tables).
460 */
461 /* ARGSUSED */
462 static int
464 {
487 }
489 /*
490 * AH module close routine.
491 */
492 static int
494 {
497 /*
498 * Clean up q_ptr, if needed.
499 */
502 /* Keysock queue check is safe, because of OCEXCL perimeter. */
508 /* Detach qtimeouts. */
510 }
514 }
516 /*
517 * Construct an SADB_REGISTER message with the current algorithms.
518 */
519 static boolean_t
522 {
531 uint_t num_aalgs;
535 /* Allocate the KEYSOCK_OUT. */
540 }
542 /*
543 * Allocate the PF_KEY message that follows KEYSOCK_OUT.
544 * The alg reader lock needs to be held while allocating
545 * the variable part (i.e. the algorithms) of the message.
546 */
550 /*
551 * Return only valid algorithms, so the number of algorithms
552 * to send up may be less than the number of algorithm entries
553 * in the table.
554 */
558 num_aalgs++;
560 /*
561 * Fill SADB_REGISTER message's algorithm descriptors. Hold
562 * down the lock while filling it.
563 */
567 }
573 }
586 i++) {
596 /* For now, salt is meaningless in AH. */
600 numalgs_snap++;
601 saalg++;
602 }
604 #ifdef DEBUG
605 /*
606 * Reality check to make sure I snagged all of the
607 * algorithms.
608 */
615 }
619 /* Now fill the restof the SADB_REGISTER message. */
628 /*
629 * Assume caller has sufficient sequence/pid number info. If it's one
630 * from me over a new alg., I could give two hoots about sequence.
631 */
641 }
648 }
651 }
653 /*
654 * Invoked when the algorithm table changes. Causes SADB_REGISTER
655 * messages continaining the current list of algorithms to be
656 * sent up to the AH listeners.
657 */
658 void
660 {
663 /*
664 * Time to send a PF_KEY SADB_REGISTER message to AH listeners
665 * everywhere. (The function itself checks for NULL ah_pfkey_q.)
666 */
668 }
670 /*
671 * Stub function that taskq_dispatch() invokes to take the mblk (in arg)
672 * and send it into AH and IP again.
673 */
674 static void
676 {
679 ip_recv_attr_t iras;
685 /* The ill or ip_stack_t disappeared on us */
689 }
692 done:
694 }
696 /*
697 * Restart ESP after the SA has been added.
698 */
699 static void
701 {
720 /*
721 * Either it failed or is pending. In the former case
722 * ipIfStatsInDiscards was increased.
723 */
725 }
727 }
729 /*
730 * Now that weak-key passed, actually ADD the security association, and
731 * send back a reply ADD message.
732 */
733 static int
736 {
746 ipsa_query_t sq;
751 /*
752 * Locate the appropriate table(s).
753 */
762 /*
763 * Use the direction flags provided by the KMD to determine
764 * if the inbound or outbound table should be the primary
765 * for this SA. If these flags were absent then make this
766 * decision based on the addresses.
767 */
778 }
779 }
781 /*
782 * The KMD did not set a direction flag, determine which
783 * table to insert the SA into based on addresses.
784 */
789 /* FALLTHRU */
790 /*
791 * If the source address is either one of mine, or unspecified
792 * (which is best summed up by saying "not 'not mine'"),
793 * then the association is potentially bi-directional,
794 * in that it can be used for inbound traffic and outbound
795 * traffic. The best example of such and SA is a multicast
796 * SA (which allows me to receive the outbound traffic).
797 */
807 /*
808 * If the source address literally not mine (either
809 * unspecified or not mine), then this SA may have an
810 * address that WILL be mine after some configuration.
811 * We pay the price for this by making it a bi-directional
812 * SA.
813 */
821 }
826 }
827 }
829 /*
830 * Find a ACQUIRE list entry if possible. If we've added an SA that
831 * suits the needs of an ACQUIRE list entry, we can eliminate the
832 * ACQUIRE list entry and transmit the enqueued packets. Use the
833 * high-bit of the sequence number to queue it. Key off destination
834 * addr, and change acqrec's state.
835 */
843 /*
844 * Q: I only check sequence. Should I check dst?
845 * A: Yes, check dest because those are the packets
846 * that are queued up.
847 */
853 }
855 /*
856 * AHA! I found an ACQUIRE record for this SA.
857 * Grab the msg list, and free the acquire record.
858 * I already am holding the lock for this record,
859 * so all I have to do is free it.
860 */
865 }
867 }
869 /*
870 * Find PF_KEY message, and see if I'm an update. If so, find entry
871 * in larval list (if there).
872 */
887 }
891 }
894 /*
895 * Hold again, because sadb_common_add() consumes a reference,
896 * and we don't want to clear_lpkt() without a reference.
897 */
899 }
911 }
912 }
914 }
916 /*
917 * How much more stack will I create with all of these
918 * ah_outbound_*() calls?
919 */
921 /* Handle the packets queued waiting for the SA */
925 ip_xmit_attr_t ixas;
932 /*
933 * Extract the ip_xmit_attr_t from the first mblk.
934 * Verifies that the netstack and ill is still around; could
935 * have vanished while iked was doing its work.
936 * On succesful return we have a nce_t and the ill/ipst can't
937 * disappear until we do the nce_refrele in ixa_cleanup.
938 */
955 }
957 }
960 }
963 /*
964 * Process one of the queued messages (from ipsacq_mp) once the SA
965 * has been added.
966 */
967 static void
969 {
982 }
989 }
991 /*
992 * Add new AH security association. This may become a generic AH/ESP
993 * routine eventually.
994 */
995 static int
997 {
1009 /* We don't need sockaddr_in6 for now. */
1020 /* I need certain extensions present for an ADD message. */
1024 }
1028 }
1032 }
1036 }
1040 }
1044 }
1049 /* Sundry ADD-specific reality checks. */
1050 /* XXX STATS : Logging/stats here? */
1056 }
1060 }
1064 }
1070 /* Stuff I don't support, for now. XXX Diagnostic? */
1076 }
1080 }
1081 /*
1082 * XXX Policy : I'm not checking identities at this time, but
1083 * if I did, I'd do them here, before I sent the weak key
1084 * check up to the algorithm.
1085 */
1087 /* verify that there is a mapping for the specified algorithm */
1096 }
1099 /* sanity check key sizes */
1104 }
1106 /* check key and fix parity if needed */
1111 }
1117 }
1119 /* Refactor me */
1120 /*
1121 * Update a security association. Updates come in two varieties. The first
1122 * is an update of lifetimes on a non-larval SA. The second is an update of
1123 * a larval SA, which ends up looking a lot more like an add.
1124 */
1125 static int
1128 {
1138 }
1147 }
1153 }
1155 /* Refactor me */
1156 /*
1157 * Delete a security association. This is REALLY likely to be code common to
1158 * both AH and ESP. Find the association, then unlink it.
1159 */
1160 static int
1163 {
1179 }
1183 }
1187 }
1189 /* Refactor me */
1190 /*
1191 * Convert the entire contents of all of AH's SA tables into PF_KEY SADB_DUMP
1192 * messages.
1193 */
1194 static void
1196 {
1200 /*
1201 * Dump each fanout, bailing if error is non-zero.
1202 */
1209 bail:
1215 }
1217 /*
1218 * First-cut reality check for an inbound PF_KEY message.
1219 */
1220 static boolean_t
1223 {
1229 }
1234 }
1238 }
1243 }
1246 badmsg:
1250 }
1252 /*
1253 * AH parsing of PF_KEY messages. Keysock did most of the really silly
1254 * error cases. What I receive is a fully-formed, syntactically legal
1255 * PF_KEY message. I then need to check semantics...
1256 *
1257 * This code may become common to AH and ESP. Stay tuned.
1258 *
1259 * I also make the assumption that db_ref's are cool. If this assumption
1260 * is wrong, this means that someone other than keysock or me has been
1261 * mucking with PF_KEY messages.
1262 */
1263 static void
1265 {
1277 /*
1278 * If applicable, convert unspecified AF_INET6 to unspecified
1279 * AF_INET.
1280 */
1285 }
1294 }
1295 /* else ah_add_sa() took care of things. */
1305 }
1306 /* Else ah_del_sa() took care of things. */
1314 }
1315 /* Else sadb_get_sa() took care of things. */
1322 /*
1323 * Hmmm, let's do it! Check for extensions (there should
1324 * be none), extract the fields, call ah_register_out(),
1325 * then either free or report an error.
1326 *
1327 * Keysock takes care of the PF_KEY bookkeeping for this.
1328 */
1333 /*
1334 * Only way this path hits is if there is a memory
1335 * failure. It will not return B_FALSE because of
1336 * lack of ah_pfkey_q if I am in wput().
1337 */
1340 }
1344 /*
1345 * Find a larval, if not there, find a full one and get
1346 * strict.
1347 */
1353 }
1354 /* else ah_update_sa() took care of things. */
1357 /*
1358 * Reserve a new larval entry.
1359 */
1363 /*
1364 * Find larval and/or ACQUIRE record and kill it (them), I'm
1365 * most likely an error. Inbound ACQUIRE messages should only
1366 * have the base header.
1367 */
1373 /*
1374 * Dump all entries.
1375 */
1377 /* ah_dump will take care of the return message, etc. */
1380 /* Should never reach me. */
1388 }
1389 }
1391 /*
1392 * Handle case where PF_KEY says it can't find a keysock for one of my
1393 * ACQUIRE messages.
1394 */
1395 static void
1397 {
1404 }
1407 /*
1408 * If keysock can't find any registered, delete the acquire record
1409 * immediately, and handle errors.
1410 */
1414 /*
1415 * Use the write-side of the ah_pfkey_q
1416 */
1419 }
1422 }
1424 /*
1425 * AH module write put routine.
1426 */
1427 static void
1429 {
1436 /* NOTE: Each case must take care of freeing or passing mp. */
1440 /* Not big enough message. */
1443 }
1455 /* Parse the message. */
1461 SADB_SATYPE_AH);
1468 }
1480 }
1481 /* FALLTHRU */
1483 /* We really don't support any other ioctls, do we? */
1485 /* Return EINVAL */
1492 }
1498 }
1499 }
1501 /* Refactor me */
1502 /*
1503 * Updating use times can be tricky business if the ipsa_haspeer flag is
1504 * set. This function is called once in an SA's lifetime.
1505 *
1506 * Caller has to REFRELE "assoc" which is passed in. This function has
1507 * to REFRELE any peer SA that is obtained.
1508 */
1509 static void
1511 {
1516 boolean_t isv6;
1520 /* No peer? No problem! */
1524 }
1526 /*
1527 * Otherwise, we want to grab both the original assoc and its peer.
1528 * There might be a race for this, but if it's a real race, the times
1529 * will be out-of-synch by at most a second, and since our time
1530 * granularity is a second, this won't be a problem.
1531 *
1532 * If we need tight synchronization on the peer SA, then we need to
1533 * reconsider.
1534 */
1536 /* Use address family to select IPv6/IPv4 */
1543 }
1549 else
1560 /* Q: Do we wish to set haspeer == B_FALSE? */
1565 }
1575 /* Q: Do we wish to set haspeer == B_FALSE? */
1580 }
1581 }
1583 /* Update usetime on both. */
1587 /*
1588 * REFRELE any peer SA.
1589 *
1590 * Because of the multi-line macro nature of IPSA_REFRELE, keep
1591 * them in { }.
1592 */
1597 }
1598 }
1600 /* Refactor me */
1601 /*
1602 * Add a number of bytes to what the SA has protected so far. Return
1603 * B_TRUE if the SA can still protect that many bytes.
1604 *
1605 * Caller must REFRELE the passed-in assoc. This function must REFRELE
1606 * any obtained peer SA.
1607 */
1608 static boolean_t
1610 {
1619 /* No peer? No problem! */
1622 B_TRUE));
1623 }
1625 /*
1626 * Otherwise, we want to grab both the original assoc and its peer.
1627 * There might be a race for this, but if it's a real race, two
1628 * expire messages may occur. We limit this by only sending the
1629 * expire message on one of the peers, we'll pick the inbound
1630 * arbitrarily.
1631 *
1632 * If we need tight synchronization on the peer SA, then we need to
1633 * reconsider.
1634 */
1636 /* Pick v4/v6 bucket based on addrfam. */
1643 }
1649 else
1659 /* Q: Do we wish to set haspeer == B_FALSE? */
1664 }
1674 /* Q: Do we wish to set haspeer == B_FALSE? */
1679 }
1680 }
1685 /*
1686 * REFRELE any peer SA.
1687 *
1688 * Because of the multi-line macro nature of IPSA_REFRELE, keep
1689 * them in { }.
1690 */
1695 }
1698 }
1700 /* Refactor me */
1701 /*
1702 * Handle the SADB_GETSPI message. Create a larval SA.
1703 */
1704 static void
1706 {
1714 /*
1715 * Randomly generate a proposed SPI value.
1716 */
1729 }
1731 /*
1732 * XXX - We may randomly collide. We really should recover from this.
1733 * Unfortunately, that could require spending way-too-much-time
1734 * in here. For now, let the user retry.
1735 */
1747 }
1752 /*
1753 * Check for collisions (i.e. did sadb_getspi() return with something
1754 * that already exists?).
1755 *
1756 * Try outbound first. Even though SADB_GETSPI is traditionally
1757 * for inbound SAs, you never know what a user might do.
1758 */
1765 }
1767 /*
1768 * I don't have collisions elsewhere!
1769 * (Nor will I because I'm still holding inbound/outbound locks.)
1770 */
1776 /*
1777 * sadb_insertassoc() also checks for collisions, so
1778 * if there's a colliding larval entry, rc will be set
1779 * to EEXIST.
1780 */
1784 }
1786 /*
1787 * Can exit outbound mutex. Hold inbound until we're done with
1788 * newbie.
1789 */
1798 }
1800 /* Can write here because I'm still holding the bucket lock. */
1803 /*
1804 * Construct successful return message. We have one thing going
1805 * for us in PF_KEY v2. That's the fact that
1806 * sizeof (sadb_spirange_t) == sizeof (sadb_sa_t)
1807 */
1814 /* Convert KEYSOCK_IN to KEYSOCK_OUT. */
1820 /*
1821 * Can safely putnext() to ah_pfkey_q, because this is a turnaround
1822 * from the ah_pfkey_q.
1823 */
1825 }
1827 /*
1828 * IPv6 sends up the ICMP errors for validation and the removal of the AH
1829 * header.
1830 * If succesful, the mp has been modified to not include the AH header so
1831 * that the caller can fanout to the ULP's icmp error handler.
1832 */
1835 {
1846 /*
1847 * Eat the cost of a pullupmsg() for now. It makes the rest of this
1848 * code far less convoluted.
1849 */
1860 }
1871 }
1886 "Bad ICMP message - No association for the "
1887 "attached AH header whose spi is 0x%x, "
1891 }
1896 }
1900 /*
1901 * There seems to be a valid association. If there is enough of AH
1902 * header remove it, otherwise bail. One could check whether it has
1903 * complete AH header plus 8 bytes but it does not make sense if an
1904 * icmp error is returned for ICMP messages e.g ICMP time exceeded,
1905 * that are being sent up. Let the caller figure out.
1906 *
1907 * NOTE: ah_length is the number of 32 bit words minus 2.
1908 */
1918 }
1927 }
1929 /*
1930 * IP sends up the ICMP errors for validation and the removal of
1931 * the AH header.
1932 * If succesful, the mp has been modified to not include the AH header so
1933 * that the caller can fanout to the ULP's icmp error handler.
1934 */
1937 {
1960 /*
1961 * See if we have enough to locate the SPI
1962 */
1975 }
1978 }
1995 "Bad ICMP message - No association for the "
1996 "attached AH header whose spi is 0x%x, "
2000 }
2005 }
2008 /*
2009 * There seems to be a valid association. If there
2010 * is enough of AH header remove it, otherwise remove
2011 * as much as possible and send it back. One could check
2012 * whether it has complete AH header plus 8 bytes but it
2013 * does not make sense if an icmp error is returned for
2014 * ICMP messages e.g ICMP time exceeded, that are being
2015 * sent up. Let the caller figure out.
2016 *
2017 * NOTE: ah_length is the number of 32 bit words minus 2.
2018 */
2023 /*
2024 * There is nothing to pullup. Just remove as
2025 * much as possible. This is a common case for
2026 * IPV4.
2027 */
2029 hdr_length));
2031 }
2032 /* Pullup the full ah header */
2034 /*
2035 * pullupmsg could have failed if there was not
2036 * enough to pullup or memory allocation failed.
2037 * We tried hard, give up now.
2038 */
2044 }
2047 }
2048 done:
2049 /*
2050 * Remove the AH header and change the protocol.
2051 * Don't update the spi fields in the ip_recv_attr_t
2052 * as we are called just to validate the
2053 * message attached to the ICMP message.
2054 *
2055 * If we never pulled up since all of the message
2056 * is in one single mblk, we can't remove the AH header
2057 * by just setting the b_wptr to the beginning of the
2058 * AH header. We need to allocate a mblk that can hold
2059 * up until the inner IP header and copy them.
2060 */
2069 }
2073 /*
2074 * Skip whatever we have copied and as much of AH header
2075 * possible. If we still have something left in the original
2076 * message, tag on.
2077 */
2086 }
2097 }
2099 /*
2100 * IP calls this to validate the ICMP errors that
2101 * we got from the network.
2102 */
2103 mblk_t *
2105 {
2111 else
2113 }
2115 static int
2118 {
2120 uint_t optlen;
2124 /*
2125 * Copy the next header and hdr ext. len of the HOP-by-HOP
2126 * and Destination option.
2127 */
2132 /*
2133 * Now handle all the TLV encoded options.
2134 */
2146 }
2153 /*
2154 * Copy the type and data length fields.
2155 * Zero the option data by skipping
2156 * option type and option data len
2157 * fields.
2158 */
2162 }
2163 }
2167 }
2169 bad_opt:
2171 }
2173 /*
2174 * Construct a pseudo header for AH, processing all the options.
2175 *
2176 * oip6h is the IPv6 header of the incoming or outgoing packet.
2177 * ip6h is the pointer to the pseudo headers IPV6 header. All
2178 * the space needed for the options have been allocated including
2179 * the AH header.
2180 *
2181 * If copy_always is set, all the options that appear before AH are copied
2182 * blindly without checking for IP6OPT_MUTABLE. This is used by
2183 * ah_auth_out_done(). Please refer to that function for details.
2184 *
2185 * NOTE :
2186 *
2187 * * AH header is never copied in this function even if copy_always
2188 * is set. It just returns the ah_offset - offset of the AH header
2189 * and the caller needs to do the copying. This is done so that we
2190 * don't have pass extra arguments e.g. SA etc. and also,
2191 * it is not needed when ah_auth_out_done is calling this function.
2192 */
2193 static uint_t
2195 boolean_t copy_always)
2196 {
2208 /*
2209 * In the outbound case for source route, ULP has already moved
2210 * the first hop, which is now in ip6_dst. We need to re-arrange
2211 * the header to make it look like how it would appear in the
2212 * receiver i.e
2213 *
2214 * Because of ip_massage_options_v6 the header looks like
2215 * this :
2216 *
2217 * ip6_src = S, ip6_dst = I1. followed by I2,I3,D.
2218 *
2219 * When it reaches the receiver, it would look like
2220 *
2221 * ip6_src = S, ip6_dst = D. followed by I1,I2,I3.
2222 *
2223 * NOTE : We assume that there are no problems with the options
2224 * as IP should have already checked this.
2225 */
2230 /*
2231 * We set the prev_nexthdr properly in the pseudo header.
2232 * After we finish authentication and come back from the
2233 * algorithm module, pseudo header will become the real
2234 * IP header.
2235 */
2238 /* Assume IP has already stripped it */
2250 /*
2251 * Return a zero offset indicating error if there
2252 * was error.
2253 */
2272 /*
2273 * First eight bytes except seg_left
2274 * does not change en route.
2275 */
2278 /*
2279 * First address has been moved to
2280 * the destination address of the
2281 * ip header by ip_massage_options_v6.
2282 * And the real destination address is
2283 * in the last address part of the
2284 * option.
2285 */
2292 }
2297 /*
2298 * Destination options are tricky. If there is
2299 * a terminal (e.g. non-IPv6-extension) header
2300 * following the destination options, don't
2301 * reset prev_nexthdr or advance the AH insertion
2302 * point and just treat this as a terminal header.
2303 *
2304 * If this is an inbound packet, just deal with
2305 * it as is.
2306 */
2308 /*
2309 * XXX I hope common-subexpression elimination
2310 * saves us the double-evaluate.
2311 */
2319 /*
2320 * Return a zero offset indicating error if there
2321 * was error.
2322 */
2327 /*
2328 * Be conservative in what you send. We shouldn't
2329 * see two same-scoped AH's in one packet.
2330 * (Inner-IP-scoped AH will be hit by terminal
2331 * header of IP or IPv6.)
2332 */
2337 terminal_hdr:
2342 }
2345 }
2346 /* NOTREACHED */
2347 }
2349 static boolean_t
2352 {
2355 /*
2356 * Padding :
2357 *
2358 * 1) Authentication data may have to be padded
2359 * before ICV calculation if ICV is not a multiple
2360 * of 64 bits. This padding is arbitrary and transmitted
2361 * with the packet at the end of the authentication data.
2362 * Payload length should include the padding bytes.
2363 *
2364 * 2) Explicit padding of the whole datagram may be
2365 * required by the algorithm which need not be
2366 * transmitted. It is assumed that this will be taken
2367 * care by the algorithm module.
2368 */
2372 /* Outbound AH datagram. */
2381 /*
2382 * XXX We have replay counter wrapping. We probably
2383 * want to nuke this SA (and its peer).
2384 */
2387 "Outbound AH SA (0x%x), dst %s has wrapped "
2393 /* Caller will free phdr_mp and return NULL. */
2395 }
2399 ah_data_sz);
2403 }
2404 }
2406 /* Inbound AH datagram. */
2418 ah_data_sz);
2422 }
2423 }
2424 }
2427 }
2429 /*
2430 * Called upon failing the inbound ICV check. The message passed as
2431 * argument is freed.
2432 */
2433 static void
2435 {
2456 }
2458 /*
2459 * Log the event. Don't print to the console, block
2460 * potential denial-of-service attack.
2461 */
2472 }
2474 /*
2475 * Kernel crypto framework callback invoked after completion of async
2476 * crypto requests for outbound packets.
2477 */
2478 static void
2480 {
2487 ip_xmit_attr_t ixas;
2491 /*
2492 * First remove the ipsec_crypto_t mblk
2493 * Note that we need to ipsec_free_crypto_data(mp) once done with ic.
2494 */
2498 /*
2499 * Extract the ip_xmit_attr_t from the first mblk.
2500 * Verifies that the netstack and ill is still around; could
2501 * have vanished while kEf was doing its work.
2502 * On succesful return we have a nce_t and the ill/ipst can't
2503 * disappear until we do the nce_refrele in ixa_cleanup.
2504 */
2508 /* Disappeared on us - no ill/ipst for MIB */
2513 }
2516 }
2529 /* Outbound shouldn't see invalid MAC */
2534 status));
2542 }
2543 done:
2546 }
2548 /*
2549 * Kernel crypto framework callback invoked after completion of async
2550 * crypto requests for inbound packets.
2551 */
2552 static void
2554 {
2561 ip_recv_attr_t iras;
2564 /*
2565 * First remove the ipsec_crypto_t mblk
2566 * Note that we need to ipsec_free_crypto_data(mp) once done with ic.
2567 */
2571 /*
2572 * Extract the ip_xmit_attr_t from the first mblk.
2573 * Verifies that the netstack and ill is still around; could
2574 * have vanished while kEf was doing its work.
2575 */
2579 /* The ill or ip_stack_t disappeared on us */
2583 }
2593 /* finish IPsec processing */
2601 status));
2608 }
2609 done:
2612 }
2614 /*
2615 * Invoked on kernel crypto failure during inbound and outbound processing.
2616 */
2617 static void
2620 {
2631 else
2633 }
2635 /*
2636 * Helper macros for the ah_submit_req_{inbound,outbound}() functions.
2637 */
2639 /*
2640 * A statement-equivalent macro, _cr MUST point to a modifiable
2641 * crypto_call_req_t.
2642 */
2643 #define AH_INIT_CALLREQ(_cr, _mp, _callback) \
2644 (_cr)->cr_flag = CRYPTO_SKIP_REQID|CRYPTO_ALWAYS_QUEUE; \
2645 (_cr)->cr_callback_arg = (_mp); \
2646 (_cr)->cr_callback_func = (_callback)
2648 #define AH_INIT_CRYPTO_DATA(data, msglen, mblk) { \
2649 (data)->cd_format = CRYPTO_DATA_MBLK; \
2650 (data)->cd_mp = mblk; \
2651 (data)->cd_offset = 0; \
2652 (data)->cd_length = msglen; \
2653 }
2655 #define AH_INIT_CRYPTO_MAC(mac, icvlen, icvbuf) { \
2656 (mac)->cd_format = CRYPTO_DATA_RAW; \
2657 (mac)->cd_offset = 0; \
2658 (mac)->cd_length = icvlen; \
2659 (mac)->cd_raw.iov_base = icvbuf; \
2660 (mac)->cd_raw.iov_len = icvlen; \
2661 }
2663 /*
2664 * Submit an inbound packet for processing by the crypto framework.
2665 */
2669 {
2674 crypto_ctx_template_t ctx_tmpl;
2685 /* We are doing asynch; allocate mblks to hold state */
2693 }
2699 /*
2700 * If we know we are going to do sync then ipsec_crypto_t
2701 * should be on the stack.
2702 */
2706 }
2708 /* init arguments for the crypto framework */
2710 phdr_mp);
2720 /* call KEF to do the MAC operation */
2730 /* Free mp after we are done with ic */
2733 }
2736 /* ah_kcf_callback_inbound() will be invoked on completion */
2740 /* Free mp after we are done with ic */
2744 /* phdr_mp was passed to ip_drop_packet */
2748 }
2750 }
2755 }
2758 /* phdr_mp was passed to ip_drop_packet */
2760 }
2762 /*
2763 * Submit an outbound packet for processing by the crypto framework.
2764 */
2768 {
2784 /* We are doing asynch; allocate mblks to hold state */
2791 }
2796 /*
2797 * If we know we are going to do sync then ipsec_crypto_t
2798 * should be on the stack.
2799 */
2803 }
2805 /* init arguments for the crypto framework */
2807 phdr_mp);
2816 /* call KEF to do the MAC operation */
2826 /* Free mp after we are done with ic */
2829 }
2832 /* ah_kcf_callback_outbound() will be invoked on completion */
2835 }
2840 }
2843 /* phdr_mp was passed to ip_drop_packet */
2845 }
2847 /*
2848 * This function constructs a pseudo header by looking at the IP header
2849 * and options if any. This is called for both outbound and inbound,
2850 * before computing the ICV.
2851 */
2855 {
2860 uint_t ah_align_sz;
2861 uint_t ah_offset;
2864 /*
2865 * Allocate space for the authentication data also. It is
2866 * useful both during the ICV calculation where we need to
2867 * feed in zeroes and while sending the datagram back to IP
2868 * where we will be using the same space.
2869 *
2870 * We need to allocate space for padding bytes if it is not
2871 * a multiple of IPV6_PADDING_ALIGN.
2872 *
2873 * In addition, we allocate space for the ICV computed by
2874 * the kernel crypto framework, saving us a separate kmem
2875 * allocation down the road.
2876 */
2879 IPV6_PADDING_ALIGN);
2886 /* This was not included in ipsec_ah_get_hdr_size_v6() */
2890 /*
2891 * We have post-AH header options in a separate mblk,
2892 * a pullup is required.
2893 */
2896 }
2900 }
2904 /*
2905 * Form the basic IP header first. Zero out the header
2906 * so that the mutable fields are zeroed out.
2907 */
2913 /*
2914 * Include the size of AH and authentication data.
2915 * This is how our recipient would compute the
2916 * authentication data. Look at what we do in the
2917 * inbound case below.
2918 */
2923 }
2930 /* Form the AH header */
2936 /* option_length does not include the AH header's size */
2942 }
2943 }
2949 /*
2950 * Returning NULL will tell the caller to
2951 * IPSA_REFELE(), free the memory, etc.
2952 */
2954 }
2957 ah_align_sz);
2961 }
2963 /*
2964 * This function constructs a pseudo header by looking at the IP header
2965 * and options if any. This is called for both outbound and inbound,
2966 * before computing the ICV.
2967 */
2971 {
2972 ipoptp_t opts;
2981 ipaddr_t dst;
2984 uint_t ah_align_sz;
2987 #ifdef _BIG_ENDIAN
2988 #define V_HLEN (v_hlen_tos_len >> 24)
2989 #else
2990 #define V_HLEN (v_hlen_tos_len & 0xFF)
2991 #endif
2996 /*
2997 * Allocate space for the authentication data also. It is
2998 * useful both during the ICV calculation where we need to
2999 * feed in zeroes and while sending the datagram back to IP
3000 * where we will be using the same space.
3001 *
3002 * We need to allocate space for padding bytes if it is not
3003 * a multiple of IPV4_PADDING_ALIGN.
3004 *
3005 * In addition, we allocate space for the ICV computed by
3006 * the kernel crypto framework, saving us a separate kmem
3007 * allocation down the road.
3008 */
3011 IPV4_PADDING_ALIGN);
3016 ah_data_sz;
3021 IP_SIMPLE_HDR_LENGTH_IN_WORDS);
3024 }
3028 }
3030 /*
3031 * Form the basic IP header first.
3032 */
3038 /*
3039 * Include the size of AH and authentication data.
3040 * This is how our recipient would compute the
3041 * authentication data. Look at what we do in the
3042 * inbound case below.
3043 */
3048 }
3058 /*
3059 * If there is no option to process return now.
3060 */
3064 /* Form the AH header */
3066 }
3070 /*
3071 * We have options. In the outbound case for source route,
3072 * ULP has already moved the first hop, which is now in
3073 * ipha_dst. We need the final destination for the calculation
3074 * of authentication data. And also make sure that mutable
3075 * and experimental fields are zeroed out in the IP options.
3076 */
3089 /*
3090 * These options are Immutable, leave them as-is.
3091 * Note that IPOPT_NOP is also Immutable, but it
3092 * was skipped by ipoptp_next() and thus remains
3093 * intact in the header.
3094 */
3100 /*
3101 * These two are mutable and will be zeroed, but
3102 * first get the final destination.
3103 */
3105 /*
3106 * If one of the conditions is true, it means
3107 * end of options and dst already has the right
3108 * value. So, just fall through.
3109 */
3113 }
3114 /* FALLTHRU */
3119 /*
3120 * optlen should include from the beginning of an
3121 * option.
3122 * NOTE : Stream Identifier Option (SID): RFC 791
3123 * shows the bit pattern of optlen as 2 and documents
3124 * the length as 4. We assume it to be 2 here.
3125 */
3128 }
3129 }
3132 bad_ipv4opt:
3136 }
3138 /*
3139 * Don't change ipha_dst for an inbound datagram as it points
3140 * to the right value. Only for the outbound with LSRR/SSRR,
3141 * because of ip_massage_options called by the ULP, ipha_dst
3142 * points to the first hop and we need to use the final
3143 * destination for computing the ICV.
3144 */
3148 ah_hdr:
3155 /*
3156 * Returning NULL will tell the caller to IPSA_REFELE(), free
3157 * the memory, etc.
3158 */
3160 }
3168 else
3171 }
3173 /*
3174 * Authenticate an outbound datagram. This function is called
3175 * whenever IP sends an outbound datagram that needs authentication.
3176 * Returns a modified packet if done. Returns NULL if error or queued.
3177 * If error return then ipIfStatsOutDiscards has been increased.
3178 */
3181 {
3185 uint_t ah_align_sz;
3186 uint_t age_bytes;
3193 /*
3194 * Construct the chain of mblks
3195 *
3196 * PSEUDO_HDR->DATA
3197 *
3198 * one by one.
3199 */
3208 /*
3209 * Age SA according to number of bytes that will be sent after
3210 * adding the AH header, ICV, and padding to the packet.
3211 */
3218 ah_align_sz;
3225 }
3228 /* rig things as if ipsec_getassocbyconn() failed */
3239 }
3241 /*
3242 * Insert pseudo header:
3243 * [IP, ULP] => [IP, AH, ICV] -> ULP
3244 */
3252 }
3263 }
3269 /*
3270 * At this point data_mp points to
3271 * an mblk containing the pseudo header (IP header,
3272 * AH header, and ICV with mutable fields zero'ed out).
3273 * mp points to the mblk containing the ULP data. The original
3274 * IP header is kept before the ULP data in data_mp.
3275 */
3277 /* submit MAC request to KCF */
3282 }
3286 {
3299 /*
3300 * We may wish to check replay in-range-only here as an optimization.
3301 * Include the reality check of ipsa->ipsa_replay >
3302 * ipsa->ipsa_replay_wsize for times when it's the first N packets,
3303 * where N == ipsa->ipsa_replay_wsize.
3304 *
3305 * Another check that may come here later is the "collision" check.
3306 * If legitimate packets flow quickly enough, this won't be a problem,
3307 * but collisions may cause authentication algorithm crunching to
3308 * take place when it doesn't need to.
3309 */
3318 }
3320 /*
3321 * The offset of the AH header can be computed from its pointer
3322 * within the data mblk, which was pulled up until the AH header
3323 * by ipsec_inbound_ah_sa() during SA selection.
3324 */
3327 /*
3328 * We need to pullup until the ICV before we call
3329 * ah_process_ip_options_v6.
3330 */
3333 /*
3334 * NOTE : If we want to use any field of IP/AH header, you need
3335 * to re-assign following the pullup.
3336 */
3349 }
3350 }
3352 /*
3353 * Insert pseudo header:
3354 * [IP, ULP] => [IP, AH, ICV] -> ULP
3355 */
3362 }
3373 }
3379 /* submit request to KCF */
3381 assoc));
3382 }
3384 /*
3385 * Invoked after processing of an inbound packet by the
3386 * kernel crypto framework. Called by ah_submit_req() for a sync request,
3387 * or by the kcf callback for an async request.
3388 * Returns NULL if the mblk chain is consumed.
3389 */
3392 {
3401 boolean_t isv4;
3403 uint_t icv_len;
3420 }
3429 }
3440 IPV4_PADDING_ALIGN);
3446 IPV6_PADDING_ALIGN);
3447 }
3452 /*
3453 * We get here only when authentication passed.
3454 */
3469 }
3471 /*
3472 * Log the event. As of now we print out an event.
3473 * Do not print the replay failure number, or else
3474 * syslog cannot collate the error messages. Printing
3475 * the replay number that failed (or printing to the
3476 * console) opens a denial-of-service attack.
3477 */
3485 }
3487 /*
3488 * We need to remove the AH header from the original
3489 * datagram. Best way to do this is to move the pre-AH headers
3490 * forward in the (relatively simple) IPv4 case. In IPv6, it's
3491 * a bit more complicated because of IPv6's next-header chaining,
3492 * but it's doable.
3493 */
3495 /*
3496 * Assign the right protocol, adjust the length as we
3497 * are removing the AH header and adjust the checksum to
3498 * account for the protocol and length.
3499 */
3502 /* The ipsa has hit hard expiration, LOG and AUDIT. */
3511 }
3526 /*
3527 * Make phdr_mp hold until the AH header and make
3528 * mp hold everything past AH header.
3529 */
3532 /* The ipsa has hit hard expiration, LOG and AUDIT. */
3535 "AH Association 0x%x, dst %s had bytes "
3541 }
3543 /*
3544 * Update the next header field of the header preceding
3545 * AH with the next header field of AH. Start with the
3546 * IPv6 header and proceed with the extension headers
3547 * until we find what we're looking for.
3548 */
3555 /* Assume IP has already stripped it */
3573 }
3574 }
3578 }
3580 /* Now that we've fixed the IP header, move it forward. */
3590 }
3594 /*
3595 * Cluster buffering case. Tell caller that we're
3596 * handling the packet.
3597 */
3600 }
3604 ah_in_discard:
3610 }
3612 /*
3613 * Invoked after processing of an outbound packet by the
3614 * kernel crypto framework, either by ah_submit_req() for a request
3615 * executed syncrhonously, or by the KEF callback for a request
3616 * executed asynchronously.
3617 */
3620 {
3626 boolean_t isv4;
3643 }
3659 IPV4_PADDING_ALIGN);
3660 /*
3661 * phdr_mp must have the right amount of space for the
3662 * combined IP and AH header. Copy the IP header and
3663 * the ack_data onto AH. Note that the AH header was
3664 * already formed before the ICV calculation and hence
3665 * you don't have to copy it here.
3666 */
3672 /*
3673 * Compute the new header checksum as we are assigning
3674 * IPPROTO_AH and adjusting the length here.
3675 */
3687 uint_t ah_offset;
3692 IPV6_PADDING_ALIGN);
3693 /*
3694 * phdr_mp must have the right amount of space for the
3695 * combined IP and AH header. Copy the IP header with
3696 * options into the pseudo header. When we constructed
3697 * a pseudo header, we did not copy some of the mutable
3698 * fields. We do it now by calling ah_fix_phdr_v6()
3699 * with the last argument B_TRUE. It returns the
3700 * ah_offset into the pseudo header.
3701 */
3706 /*
3707 * phdr_mp can hold exactly the whole IP header with options
3708 * plus the AH header also. Thus subtracting the AH header's
3709 * size should give exactly how much of the original header
3710 * should be skipped.
3711 */
3719 }
3721 /* Skip the original IP header */
3726 }
3729 }
3731 /* Refactor me */
3732 /*
3733 * Wrapper to allow IP to trigger an AH association failure message
3734 * during SA inbound selection.
3735 */
3736 void
3739 {
3747 }
3752 }
3754 /*
3755 * Initialize the AH input and output processing functions.
3756 */
3757 void
3759 {
3764 }