| blob | 02c109db3c77812f5b8c797b6d676c2cdc2d39f9 |
1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21 /*
22 * Copyright 2010 Sun Microsystems, Inc. All rights reserved.
23 * Use is subject to license terms.
24 * Copyright (c) 2012 Nexenta Systems, Inc. All rights reserved.
25 * Copyright (c) 2017 Joyent, Inc.
26 */
28 #include <sys/types.h>
29 #include <sys/stream.h>
30 #include <sys/stropts.h>
31 #include <sys/errno.h>
32 #include <sys/strlog.h>
33 #include <sys/tihdr.h>
34 #include <sys/socket.h>
35 #include <sys/ddi.h>
36 #include <sys/sunddi.h>
37 #include <sys/kmem.h>
38 #include <sys/zone.h>
39 #include <sys/sysmacros.h>
40 #include <sys/cmn_err.h>
41 #include <sys/vtrace.h>
42 #include <sys/debug.h>
43 #include <sys/atomic.h>
44 #include <sys/strsun.h>
45 #include <sys/random.h>
46 #include <netinet/in.h>
47 #include <net/if.h>
48 #include <netinet/ip6.h>
49 #include <net/pfkeyv2.h>
50 #include <net/pfpolicy.h>
52 #include <inet/common.h>
53 #include <inet/mi.h>
54 #include <inet/nd.h>
55 #include <inet/ip.h>
56 #include <inet/ip_impl.h>
57 #include <inet/ip6.h>
58 #include <inet/ip_if.h>
59 #include <inet/ip_ndp.h>
60 #include <inet/sadb.h>
61 #include <inet/ipsec_info.h>
62 #include <inet/ipsec_impl.h>
63 #include <inet/ipsecesp.h>
64 #include <inet/ipdrop.h>
65 #include <inet/tcp.h>
66 #include <sys/kstat.h>
67 #include <sys/policy.h>
68 #include <sys/strsun.h>
69 #include <sys/strsubr.h>
70 #include <inet/udp_impl.h>
71 #include <sys/taskq.h>
72 #include <sys/note.h>
74 /*
75 * Table of ND variables supported by ipsecesp. These are loaded into
76 * ipsecesp_g_nd in ipsecesp_init_nd.
77 * All of these are alterable, within the min/max values given, at run time.
78 */
80 /* min max value name */
87 /* Default lifetime values for ACQUIRE messages. */
97 };
98 /* For ipsecesp_nat_keepalive_interval, see ipsecesp.h. */
100 #define esp0dbg(a) printf a
101 /* NOTE: != 0 instead of > 0 so lint doesn't complain. */
102 #define esp1dbg(espstack, a) if (espstack->ipsecesp_debug != 0) printf a
103 #define esp2dbg(espstack, a) if (espstack->ipsecesp_debug > 1) printf a
104 #define esp3dbg(espstack, a) if (espstack->ipsecesp_debug > 2) printf a
125 /* Setable in /etc/system */
130 };
134 NULL
135 };
139 NULL
140 };
144 };
148 /*
149 * OTOH, this one is set at open/close, and I'm D_MTQPAIR for now.
150 *
151 * Question: Do I need this, given that all instance's esps->esps_wq point
152 * to IP?
153 *
154 * Answer: Yes, because I need to know which queue is BOUND to
155 * IPPROTO_ESP
156 */
160 static boolean_t
162 {
176 #define K64 KSTAT_DATA_UINT64
177 #define KI(x) kstat_named_init(&(espstack->esp_kstats->esp_stat_##x), #x, K64)
197 #undef KI
198 #undef K64
203 }
205 static int
207 {
226 }
238 }
240 #ifdef DEBUG
241 /*
242 * Debug routine, useful to see pre-encryption data.
243 */
246 {
261 uint_t diff;
268 }
269 }
274 ptr++;
275 }
280 }
283 }
288 {
291 }
294 /*
295 * Don't have to lock age_interval, as only one thread will access it at
296 * a time, because I control the one function that does with timeout().
297 */
298 static void
300 {
314 }
316 /*
317 * Get an ESP NDD parameter.
318 */
319 /* ARGSUSED */
320 static int
324 caddr_t cp,
326 {
328 uint_t value;
337 }
339 /*
340 * This routine sets an NDD variable in a ipsecespparam_t structure.
341 */
342 /* ARGSUSED */
343 static int
348 caddr_t cp,
350 {
351 ulong_t new_value;
355 /*
356 * Fail the request if the new value does not lie within the
357 * required bounds.
358 */
363 }
365 /* Set the new value */
370 }
372 /*
373 * Using lifetime NDD variables, fill in an extended combination's
374 * lifetime information.
375 */
376 void
378 {
391 }
393 /*
394 * Initialize things for ESP at module load time.
395 */
396 boolean_t
398 {
402 /*
403 * We want to be informed each time a stack is created or
404 * destroyed in the kernel, so we can maintain the
405 * set of ipsecesp_stack_t's.
406 */
408 ipsecesp_stack_fini);
411 }
413 /*
414 * Walk through the param array specified registering each element with the
415 * named dispatch handler.
416 */
417 static boolean_t
419 {
429 }
430 }
431 }
433 }
435 /*
436 * Initialize things for ESP for each stack instance
437 */
440 {
445 KM_SLEEP);
466 }
468 /*
469 * Destroy things for ESP at module unload time.
470 */
471 void
473 {
476 }
478 /*
479 * Destroy things for ESP for one stack instance
480 */
481 static void
483 {
488 }
501 }
503 /*
504 * ESP module open routine, which is here for keysock plumbing.
505 * Keysock is pushed over {AH,ESP} which is an artifact from the Bad Old
506 * Days of export control, and fears that ESP would not be allowed
507 * to be shipped at all by default. Eventually, keysock should
508 * either access AH and ESP via modstubs or krtld dependencies, or
509 * perhaps be folded in with AH and ESP into a single IPsec/netsec
510 * module ("netsec" if PF_KEY provides more than AH/ESP keying tables).
511 */
512 /* ARGSUSED */
513 static int
515 {
538 }
540 /*
541 * ESP module close routine.
542 */
543 static int
545 {
548 /*
549 * Clean up q_ptr, if needed.
550 */
553 /* Keysock queue check is safe, because of OCEXCL perimeter. */
559 /* Detach qtimeouts. */
561 }
565 }
567 /*
568 * Add a number of bytes to what the SA has protected so far. Return
569 * B_TRUE if the SA can still protect that many bytes.
570 *
571 * Caller must REFRELE the passed-in assoc. This function must REFRELE
572 * any obtained peer SA.
573 */
574 static boolean_t
576 {
585 /* No peer? No problem! */
588 B_TRUE));
589 }
591 /*
592 * Otherwise, we want to grab both the original assoc and its peer.
593 * There might be a race for this, but if it's a real race, two
594 * expire messages may occur. We limit this by only sending the
595 * expire message on one of the peers, we'll pick the inbound
596 * arbitrarily.
597 *
598 * If we need tight synchronization on the peer SA, then we need to
599 * reconsider.
600 */
602 /* Use address length to select IPv6/IPv4 */
614 }
622 /* Q: Do we wish to set haspeer == B_FALSE? */
627 }
637 /* Q: Do we wish to set haspeer == B_FALSE? */
642 }
643 }
648 /*
649 * REFRELE any peer SA.
650 *
651 * Because of the multi-line macro nature of IPSA_REFRELE, keep
652 * them in { }.
653 */
658 }
661 }
663 /*
664 * Do incoming NAT-T manipulations for packet.
665 * Returns NULL if the mblk chain is consumed.
666 */
669 {
673 /* Initialize to our inbound cksum adjustment... */
681 #define DOWN_SUM(x) (x) = ((x) & 0xFFFF) + ((x) >> 16)
691 /* Adujst if the inbound one was not zero. */
698 }
699 #undef DOWN_SUM
702 /*
703 * This case is only an issue for self-encapsulated
704 * packets. So for now, fall through.
705 */
707 }
709 }
712 /*
713 * Strip ESP header, check padding, and fix IP header.
714 * Returns B_TRUE on success, B_FALSE if an error occured.
715 */
716 static boolean_t
719 {
722 uint_t divpoint;
729 /*
730 * Strip ESP data and fix IP header.
731 *
732 * XXX In case the beginning of esp_inbound() changes to not do a
733 * pullup, this part of the code can remain unchanged.
734 */
745 }
753 /*
754 * "Next header" and padding length are the last two bytes in the
755 * ESP-protected datagram, thus the explicit - 1 and - 2.
756 * lastpad is the last byte of the padding, which can be used for
757 * a quick check to see if the padding is correct.
758 */
764 /* Fix part of the IP header. */
766 /*
767 * Reality check the padlen. The explicit - 2 is for the
768 * padding length and the next-header bytes.
769 */
778 padlen));
786 }
788 /*
789 * Fix the rest of the header. The explicit - 2 is for the
790 * padding length and the next-header bytes.
791 */
800 ip_pkt_t ipp;
811 /* Panic a DEBUG kernel. */
813 /* Otherwise, pretend it's IP + ESP. */
816 }
817 }
820 ivlen) {
827 padlen));
836 }
839 /*
840 * Fix the rest of the header. The explicit - 2 is for the
841 * padding length and the next-header bytes. IPv6 is nice,
842 * because there's no hdr checksum!
843 */
846 }
849 /*
850 * Weak padding check: compare last-byte to length, they
851 * should be equal.
852 */
865 }
867 /*
868 * Strong padding check: Check all pad bytes to see that
869 * they're ascending. Go backwards using a descending counter
870 * to verify. padlen == 1 is checked by previous block, so
871 * only bother if we've more than 1 byte of padding.
872 * Consequently, start the check one byte before the location
873 * of "lastpad".
874 */
876 /*
877 * This assert may have to become an if and a pullup
878 * if we start accepting multi-dblk mblks. For now,
879 * though, any packet here will have been pulled up in
880 * esp_inbound.
881 */
884 /*
885 * Use "--lastpad" because we already checked the very
886 * last pad byte previously.
887 */
900 ipds_esp_bad_padding);
902 }
903 lastbyte--;
904 }
905 }
906 }
908 /* Trim off the padding. */
912 /*
913 * Remove the ESP header.
914 *
915 * The above assertions about data_mp's size will make this work.
916 *
917 * XXX Question: If I send up and get back a contiguous mblk,
918 * would it be quicker to bcopy over, or keep doing the dupb stuff?
919 * I go with copying for now.
920 */
934 src--;
935 dst--;
948 src--;
949 dst--;
954 }
960 }
962 /*
963 * Updating use times can be tricky business if the ipsa_haspeer flag is
964 * set. This function is called once in an SA's lifetime.
965 *
966 * Caller has to REFRELE "assoc" which is passed in. This function has
967 * to REFRELE any peer SA that is obtained.
968 */
969 static void
971 {
976 boolean_t isv6;
980 /* No peer? No problem! */
984 }
986 /*
987 * Otherwise, we want to grab both the original assoc and its peer.
988 * There might be a race for this, but if it's a real race, the times
989 * will be out-of-synch by at most a second, and since our time
990 * granularity is a second, this won't be a problem.
991 *
992 * If we need tight synchronization on the peer SA, then we need to
993 * reconsider.
994 */
996 /* Use address length to select IPv6/IPv4 */
1008 }
1016 /* Q: Do we wish to set haspeer == B_FALSE? */
1021 }
1031 /* Q: Do we wish to set haspeer == B_FALSE? */
1036 }
1037 }
1039 /* Update usetime on both. */
1043 /*
1044 * REFRELE any peer SA.
1045 *
1046 * Because of the multi-line macro nature of IPSA_REFRELE, keep
1047 * them in { }.
1048 */
1053 }
1054 }
1056 /*
1057 * Handle ESP inbound data for IPv4 and IPv6.
1058 * On success returns B_TRUE, on failure returns B_FALSE and frees the
1059 * mblk chain data_mp.
1060 */
1061 mblk_t *
1063 {
1070 /*
1071 * We may wish to check replay in-range-only here as an optimization.
1072 * Include the reality check of ipsa->ipsa_replay >
1073 * ipsa->ipsa_replay_wsize for times when it's the first N packets,
1074 * where N == ipsa->ipsa_replay_wsize.
1075 *
1076 * Another check that may come here later is the "collision" check.
1077 * If legitimate packets flow quickly enough, this won't be a problem,
1078 * but collisions may cause authentication algorithm crunching to
1079 * take place when it doesn't need to.
1080 */
1089 }
1091 /*
1092 * Adjust the IP header's payload length to reflect the removal
1093 * of the ICV.
1094 */
1103 }
1105 /* submit the request to the crypto framework */
1108 }
1110 /* XXX refactor me */
1111 /*
1112 * Handle the SADB_GETSPI message. Create a larval SA.
1113 */
1114 static void
1116 {
1124 /*
1125 * Randomly generate a proposed SPI value
1126 */
1139 }
1141 /*
1142 * XXX - We may randomly collide. We really should recover from this.
1143 * Unfortunately, that could require spending way-too-much-time
1144 * in here. For now, let the user retry.
1145 */
1158 }
1163 /*
1164 * Check for collisions (i.e. did sadb_getspi() return with something
1165 * that already exists?).
1166 *
1167 * Try outbound first. Even though SADB_GETSPI is traditionally
1168 * for inbound SAs, you never know what a user might do.
1169 */
1176 }
1178 /*
1179 * I don't have collisions elsewhere!
1180 * (Nor will I because I'm still holding inbound/outbound locks.)
1181 */
1187 /*
1188 * sadb_insertassoc() also checks for collisions, so
1189 * if there's a colliding entry, rc will be set
1190 * to EEXIST.
1191 */
1196 }
1198 /*
1199 * Can exit outbound mutex. Hold inbound until we're done
1200 * with newbie.
1201 */
1210 }
1213 /* Can write here because I'm still holding the bucket lock. */
1216 /*
1217 * Construct successful return message. We have one thing going
1218 * for us in PF_KEY v2. That's the fact that
1219 * sizeof (sadb_spirange_t) == sizeof (sadb_sa_t)
1220 */
1227 /* Convert KEYSOCK_IN to KEYSOCK_OUT. */
1233 /*
1234 * Can safely putnext() to esp_pfkey_q, because this is a turnaround
1235 * from the esp_pfkey_q.
1236 */
1238 }
1240 /*
1241 * Insert the ESP header into a packet. Duplicate an mblk, and insert a newly
1242 * allocated mblk with the ESP header in between the two.
1243 */
1244 static boolean_t
1247 {
1255 }
1260 /* "scratch" is the 2nd half, split_mp is the first. */
1266 }
1267 /* NOTE: dupb() doesn't set b_cont appropriately. */
1272 }
1273 /*
1274 * At this point, split_mp is exactly "wheretodiv" bytes long, and
1275 * holds the end of the pre-ESP part of the datagram.
1276 */
1281 }
1283 /*
1284 * Section 7 of RFC 3947 says:
1285 *
1286 * 7. Recovering from the Expiring NAT Mappings
1287 *
1288 * There are cases where NAT box decides to remove mappings that are still
1289 * alive (for example, when the keepalive interval is too long, or when the
1290 * NAT box is rebooted). To recover from this, ends that are NOT behind
1291 * NAT SHOULD use the last valid UDP encapsulated IKE or IPsec packet from
1292 * the other end to determine which IP and port addresses should be used.
1293 * The host behind dynamic NAT MUST NOT do this, as otherwise it opens a
1294 * DoS attack possibility because the IP address or port of the other host
1295 * will not change (it is not behind NAT).
1296 *
1297 * Keepalives cannot be used for these purposes, as they are not
1298 * authenticated, but any IKE authenticated IKE packet or ESP packet can be
1299 * used to detect whether the IP address or the port has changed.
1300 *
1301 * The following function will check an SA and its explicitly-set pair to see
1302 * if the NAT-T remote port matches the received packet (which must have
1303 * passed ESP authentication, see esp_in_done() for the caller context). If
1304 * there is a mismatch, the SAs are updated. It is not important if we race
1305 * with a transmitting thread, as if there is a transmitting thread, it will
1306 * merely emit a packet that will most-likely be dropped.
1307 *
1308 * "ports" are ordered src,dst, and assoc is an inbound SA, where src should
1309 * match ipsa_remote_nat_port and dst should match ipsa_local_nat_port.
1310 */
1311 #ifdef _LITTLE_ENDIAN
1312 #define FIRST_16(x) ((x) & 0xFFFF)
1313 #define NEXT_16(x) (((x) >> 16) & 0xFFFF)
1314 #else
1315 #define FIRST_16(x) (((x) >> 16) & 0xFFFF)
1316 #define NEXT_16(x) ((x) & 0xFFFF)
1317 #endif
1318 static void
1320 {
1327 /* We found a conn_t, therefore local != 0. */
1329 /* Assume an IPv4 SA. */
1332 /*
1333 * On-the-wire rport == 0 means something's very wrong.
1334 * An unpaired SA is also useless to us.
1335 * If we are behind the NAT, don't bother.
1336 * A zero local NAT port defaults to 4500, so check that too.
1337 * And, of course, if the ports already match, we don't need to
1338 * bother.
1339 */
1347 /* Try and snag the peer. NOTE: Assume IPv4 for now. */
1355 /* We probably lost a race to a deleting or expiring thread. */
1359 /*
1360 * Hold the mutexes for both SAs so we don't race another inbound
1361 * thread. A lock-entry order shouldn't matter, since all other
1362 * per-ipsa locks are individually held-then-released.
1363 *
1364 * Luckily, this has nothing to do with the remote-NAT address,
1365 * so we don't have to re-scribble the cached-checksum differential.
1366 */
1370 remote;
1375 }
1376 /*
1377 * Finish processing of an inbound ESP packet after processing by the
1378 * crypto framework.
1379 * - Remove the ESP header.
1380 * - Send packet back to IP.
1381 * If authentication was performed on the packet, this function is called
1382 * only if the authentication succeeded.
1383 * On success returns B_TRUE, on failure returns B_FALSE and frees the
1384 * mblk chain data_mp.
1385 */
1388 {
1390 uint_t espstart;
1392 uint_t processed_len;
1395 boolean_t is_natt;
1405 /* get the pointer to the ESP header */
1407 /* authentication-only ESP */
1411 /* encryption present */
1414 /* encryption-only ESP */
1418 ivlen;
1420 /* encryption with authentication */
1423 ivlen;
1424 }
1425 }
1431 /*
1432 * Authentication passed if we reach this point.
1433 * Packets with authentication will have the ICV
1434 * after the crypto data. Adjust b_wptr before
1435 * making padlen checks.
1436 */
1440 /*
1441 * Check replay window here!
1442 * For right now, assume keysock will set the replay window
1443 * size to zero for SAs that have an unspecified sender.
1444 * This may change...
1445 */
1448 /*
1449 * Log the event. As of now we print out an event.
1450 * Do not print the replay failure number, or else
1451 * syslog cannot collate the error messages. Printing
1452 * the replay number that failed opens a denial-of-
1453 * service attack.
1454 */
1463 }
1469 }
1470 }
1475 /* The ipsa has hit hard expiration, LOG and AUDIT. */
1484 }
1486 /*
1487 * Remove ESP header and padding from packet. I hope the compiler
1488 * spews "branch, predict taken" code for this.
1489 */
1498 /*
1499 * Cluster buffering case. Tell caller that we're
1500 * handling the packet.
1501 */
1504 }
1507 }
1510 drop_and_bail:
1516 }
1518 /*
1519 * Called upon failing the inbound ICV check. The message passed as
1520 * argument is freed.
1521 */
1522 static void
1524 {
1530 /*
1531 * Log the event. Don't print to the console, block
1532 * potential denial-of-service attack.
1533 */
1545 }
1548 /*
1549 * Invoked for outbound packets after ESP processing. If the packet
1550 * also requires AH, performs the AH SA selection and AH processing.
1551 *
1552 * Returns data_mp (possibly with AH added) unless data_mp was consumed
1553 * due to an error, or queued due to async. crypto or an ACQUIRE trigger.
1554 */
1557 {
1564 }
1569 /*
1570 * Normally the AH SA would have already been put in place
1571 * but it could have been flushed so we need to look for it.
1572 */
1577 }
1578 }
1583 }
1586 /*
1587 * Kernel crypto framework callback invoked after completion of async
1588 * crypto requests for outbound packets.
1589 */
1590 static void
1592 {
1599 ip_xmit_attr_t ixas;
1603 /*
1604 * First remove the ipsec_crypto_t mblk
1605 * Note that we need to ipsec_free_crypto_data(mp) once done with ic.
1606 */
1610 /*
1611 * Extract the ip_xmit_attr_t from the first mblk.
1612 * Verifies that the netstack and ill is still around; could
1613 * have vanished while kEf was doing its work.
1614 * On succesful return we have a nce_t and the ill/ipst can't
1615 * disappear until we do the nce_refrele in ixa_cleanup.
1616 */
1620 /* Disappeared on us - no ill/ipst for MIB */
1621 /* We have nowhere to do stats since ixa_ipst could be NULL */
1626 }
1629 }
1636 /*
1637 * If a ICV was computed, it was stored by the
1638 * crypto framework at the end of the packet.
1639 */
1643 /* NAT-T packet. */
1648 /* do AH processing if needed */
1655 /* Outbound shouldn't see invalid MAC */
1660 status));
1667 }
1668 done:
1671 }
1673 /*
1674 * Kernel crypto framework callback invoked after completion of async
1675 * crypto requests for inbound packets.
1676 */
1677 static void
1679 {
1686 ip_recv_attr_t iras;
1689 /*
1690 * First remove the ipsec_crypto_t mblk
1691 * Note that we need to ipsec_free_crypto_data(mp) once done with ic.
1692 */
1696 /*
1697 * Extract the ip_recv_attr_t from the first mblk.
1698 * Verifies that the netstack and ill is still around; could
1699 * have vanished while kEf was doing its work.
1700 */
1704 /* The ill or ip_stack_t disappeared on us */
1708 }
1719 /* finish IPsec processing */
1726 status));
1733 }
1734 done:
1737 }
1739 /*
1740 * Invoked on crypto framework failure during inbound and outbound processing.
1741 */
1742 static void
1745 {
1756 else
1758 }
1760 /*
1761 * A statement-equivalent macro, _cr MUST point to a modifiable
1762 * crypto_call_req_t.
1763 */
1764 #define ESP_INIT_CALLREQ(_cr, _mp, _callback) \
1765 (_cr)->cr_flag = CRYPTO_SKIP_REQID|CRYPTO_ALWAYS_QUEUE; \
1766 (_cr)->cr_callback_arg = (_mp); \
1767 (_cr)->cr_callback_func = (_callback)
1769 #define ESP_INIT_CRYPTO_MAC(mac, icvlen, icvbuf) { \
1770 (mac)->cd_format = CRYPTO_DATA_RAW; \
1771 (mac)->cd_offset = 0; \
1772 (mac)->cd_length = icvlen; \
1773 (mac)->cd_raw.iov_base = (char *)icvbuf; \
1774 (mac)->cd_raw.iov_len = icvlen; \
1775 }
1777 #define ESP_INIT_CRYPTO_DATA(data, mp, off, len) { \
1778 if (MBLKL(mp) >= (len) + (off)) { \
1779 (data)->cd_format = CRYPTO_DATA_RAW; \
1780 (data)->cd_raw.iov_base = (char *)(mp)->b_rptr; \
1781 (data)->cd_raw.iov_len = MBLKL(mp); \
1782 (data)->cd_offset = off; \
1783 } else { \
1784 (data)->cd_format = CRYPTO_DATA_MBLK; \
1785 (data)->cd_mp = mp; \
1786 (data)->cd_offset = off; \
1787 } \
1788 (data)->cd_length = len; \
1789 }
1791 #define ESP_INIT_CRYPTO_DUAL_DATA(data, mp, off1, len1, off2, len2) { \
1792 (data)->dd_format = CRYPTO_DATA_MBLK; \
1793 (data)->dd_mp = mp; \
1794 (data)->dd_len1 = len1; \
1795 (data)->dd_offset1 = off1; \
1796 (data)->dd_len2 = len2; \
1797 (data)->dd_offset2 = off2; \
1798 }
1800 /*
1801 * Returns data_mp if successfully completed the request. Returns
1802 * NULL if it failed (and increments InDiscards) or if it is pending.
1803 */
1807 {
1814 crypto_ctx_template_t auth_ctx_tmpl;
1818 crypto_ctx_template_t encr_ctx_tmpl;
1829 #ifdef IPSEC_LATENCY_TEST
1831 #else
1833 #endif
1835 /*
1836 * An inbound packet is of the form:
1837 * [IP,options,ESP,IV,data,ICV,pad]
1838 */
1841 /* Packet length starting at IP header ending after ESP ICV. */
1847 /*
1848 * Counter mode algs need a nonce. This is setup in sadb_common_add().
1849 * If for some reason we are using a SA which does not have a nonce
1850 * then we must fail here.
1851 */
1857 }
1860 /* We are doing asynch; allocate mblks to hold state */
1867 }
1872 /*
1873 * If we know we are going to do sync then ipsec_crypto_t
1874 * should be on the stack.
1875 */
1879 }
1882 /* authentication context template */
1884 auth_ctx_tmpl);
1886 /* ICV to be verified */
1890 /* authentication starts at the ESP header */
1894 /* authentication only */
1895 /* initialize input data argument */
1899 /* call the crypto framework */
1904 }
1905 }
1908 /* encryption template */
1910 encr_ctx_tmpl);
1912 /* Call the nonce update function. Also passes in IV */
1917 /* decryption only */
1918 /* initialize input data argument */
1922 /* call the crypto framework */
1927 }
1928 }
1931 /* dual operation */
1932 /* initialize input data argument */
1937 /* specify IV */
1940 /* call the framework */
1946 }
1953 /* Free mp after we are done with ic */
1956 }
1959 /* esp_kcf_callback_inbound() will be invoked on completion */
1966 }
1970 /* esp_mp was passed to ip_drop_packet */
1972 }
1977 }
1980 /* esp_mp was passed to ip_drop_packet */
1982 }
1984 /*
1985 * Compute the IP and UDP checksums -- common code for both keepalives and
1986 * actual ESP-in-UDP packets. Be flexible with multiple mblks because ESP
1987 * uses mblk-insertion to insert the UDP header.
1988 * TODO - If there is an easy way to prep a packet for HW checksums, make
1989 * it happen here.
1990 * Note that this is used before both before calling ip_output_simple and
1991 * in the esp datapath. The former could use IXAF_SET_ULP_CKSUM but not the
1992 * latter.
1993 */
1994 static void
1996 {
2010 /* arr points to the IP header. */
2015 /* arr[6-9] are the IP addresses. */
2023 }
2024 /* arr points to the UDP header's checksum field. */
2027 }
2028 }
2030 /*
2031 * taskq handler so we can send the NAT-T keepalive on a separate thread.
2032 */
2033 static void
2035 {
2037 ip_xmit_attr_t ixas;
2039 netstackid_t stackid;
2045 /* Disappeared */
2049 }
2056 /* No ULP checksum; done by esp_prepare_udp */
2062 }
2064 /*
2065 * Send a one-byte UDP NAT-T keepalive.
2066 */
2067 void
2069 {
2084 /* Use the low-16 of the SPI so we have some clue where it came from. */
2104 /*
2105 * We're holding an isaf_t bucket lock, so pawn off the actual
2106 * packet transmission to another thread. Just in case syncq
2107 * processing causes a same-bucket packet to be processed.
2108 */
2113 /* Assume no memory if taskq_dispatch() fails. */
2118 }
2119 }
2121 /*
2122 * Returns mp if successfully completed the request. Returns
2123 * NULL if it failed (and increments InDiscards) or if it is pending.
2124 */
2128 {
2129 uint_t auth_len;
2136 crypto_ctx_template_t auth_ctx_tmpl;
2139 crypto_ctx_template_t encr_ctx_tmpl;
2157 #ifdef IPSEC_LATENCY_TEST
2159 #else
2161 #endif
2163 /*
2164 * Outbound IPsec packets are of the form:
2165 * [IP,options] -> [ESP,IV] -> [data] -> [pad,ICV]
2166 * unless it's NATT, then it's
2167 * [IP,options] -> [udp][ESP,IV] -> [data] -> [pad,ICV]
2168 * Get a pointer to the mblk containing the ESP header.
2169 */
2175 /*
2176 * Combined mode algs need a nonce. This is setup in sadb_common_add().
2177 * If for some reason we are using a SA which does not have a nonce
2178 * then we must fail here.
2179 */
2185 }
2188 /* We are doing asynch; allocate mblks to hold state */
2195 }
2201 /*
2202 * If we know we are going to do sync then ipsec_crypto_t
2203 * should be on the stack.
2204 */
2208 }
2212 /* authentication context template */
2214 auth_ctx_tmpl);
2216 /* where to store the computed mac */
2220 /* authentication starts at the ESP header */
2223 /* authentication only */
2224 /* initialize input data argument */
2228 /* call the crypto framework */
2233 }
2234 }
2237 /* encryption context template */
2239 encr_ctx_tmpl);
2240 /* Call the nonce update function. */
2245 /* encryption only, skip mblk that contains ESP hdr */
2246 /* initialize input data argument */
2250 /*
2251 * For combined mode ciphers, the ciphertext is the same
2252 * size as the clear text, the ICV should follow the
2253 * ciphertext. To convince the kcf to allow in-line
2254 * encryption, with an ICV, use ipsec_out_crypto_mac
2255 * to point to the same buffer as the data. The calling
2256 * function need to ensure the buffer is large enough to
2257 * include the ICV.
2258 *
2259 * The IV is already written to the packet buffer, the
2260 * nonce setup function copied it to the params struct
2261 * for the cipher to use.
2262 */
2270 }
2272 /* call the crypto framework */
2278 }
2279 }
2282 /*
2283 * Encryption and authentication:
2284 * Pass the pointer to the mblk chain starting at the ESP
2285 * header to the framework. Skip the ESP header mblk
2286 * for encryption, which is reflected by an encryption
2287 * offset equal to the length of that mblk. Start
2288 * the authentication at the ESP header, i.e. use an
2289 * authentication offset of zero.
2290 */
2294 /* specify IV */
2297 /* call the framework */
2304 }
2313 }
2318 /* esp_kcf_callback_outbound() will be invoked on completion */
2321 }
2326 }
2329 /* data_mp was passed to ip_drop_packet */
2331 }
2333 /*
2334 * Handle outbound IPsec processing for IPv4 and IPv6
2335 *
2336 * Returns data_mp if successfully completed the request. Returns
2337 * NULL if it failed (and increments InDiscards) or if it is pending.
2338 */
2341 {
2346 uint_t af;
2364 /*
2365 * <sigh> We have to copy the message here, because TCP (for example)
2366 * keeps a dupb() of the message lying around for retransmission.
2367 * Since ESP changes the whole of the datagram, we have to create our
2368 * own copy lest we clobber TCP's data. Since we have to copy anyway,
2369 * we might as well make use of msgpullup() and get the mblk into one
2370 * contiguous piece!
2371 */
2381 }
2388 /*
2389 * Reality check....
2390 */
2401 ip_pkt_t ipp;
2411 /*
2412 * Destination options are tricky. If we get in here,
2413 * then we have a terminal header following the
2414 * destination options. We need to adjust backwards
2415 * so we insert ESP BEFORE the destination options
2416 * bag. (So that the dstopts get encrypted!)
2417 *
2418 * Since this is for outbound packets only, we know
2419 * that non-terminal destination options only precede
2420 * routing headers.
2421 */
2423 }
2432 /* It's probably IP + ESP. */
2434 }
2435 }
2440 /* wedge in UDP header */
2443 }
2445 /*
2446 * Set up ESP header and encryption padding for ENCR PI request.
2447 */
2449 /* Determine the padding length. Pad to 4-bytes for no-encryption. */
2454 /*
2455 * Pad the data to the length of the cipher block size.
2456 * Include the two additional bytes (hence the - 2) for the
2457 * padding length and the next header. Take this into account
2458 * when calculating the actual length of the padding.
2459 */
2467 }
2469 /* Allocate ESP header and IV. */
2472 /*
2473 * Update association byte-count lifetimes. Don't forget to take
2474 * into account the padding length and next-header (hence the + 2).
2475 *
2476 * Use the amount of data fed into the "encryption algorithm". This
2477 * is the IV, the data length, the padding length, and the final two
2478 * bytes (padlen, and next-header).
2479 *
2480 */
2490 }
2503 }
2515 /*
2516 * Set the checksum to 0, so that the esp_prepare_udp() call
2517 * can do the right thing.
2518 */
2521 }
2527 /*
2528 * XXX We have replay counter wrapping.
2529 * We probably want to nuke this SA (and its peer).
2530 */
2546 }
2549 /*
2550 * iv_ptr points to the mblk which will contain the IV once we have
2551 * written it there. This mblk will be part of a mblk chain that
2552 * will make up the packet.
2553 *
2554 * For counter mode algorithms, the IV is a 64 bit quantity, it
2555 * must NEVER repeat in the lifetime of the SA, otherwise an
2556 * attacker who had recorded enough packets might be able to
2557 * determine some clear text.
2558 *
2559 * To ensure this does not happen, the IV is stored in the SA and
2560 * incremented for each packet, the IV is then copied into the
2561 * "packet" for transmission to the receiving system. The IV will
2562 * also be copied into the nonce, when the packet is encrypted.
2563 *
2564 * CBC mode algorithms use a random IV for each packet. We do not
2565 * require the highest quality random bits, but for best security
2566 * with CBC mode ciphers, the value must be unlikely to repeat and
2567 * must not be known in advance to an adversary capable of influencing
2568 * the clear text.
2569 */
2571 espstack)) {
2577 }
2579 /* Fix the IP header. */
2593 }
2599 }
2601 /* I've got the two ESP mblks, now insert them. */
2608 /* NOTE: esp_insert_esp() only fails if there's no memory. */
2617 }
2619 /* Append padding (and leave room for ICV). */
2621 ;
2634 }
2636 }
2638 /*
2639 * If there's padding, N bytes of padding must be of the form 0x1,
2640 * 0x2, 0x3... 0xN.
2641 */
2643 i++;
2645 }
2652 /*
2653 * Okay. I've set up the pre-encryption ESP. Let's do it!
2654 */
2662 }
2669 }
2671 /*
2672 * IP calls this to validate the ICMP errors that
2673 * we got from the network.
2674 */
2675 mblk_t *
2677 {
2682 /*
2683 * Unless we get an entire packet back, this function is useless.
2684 * Why?
2685 *
2686 * 1.) Partial packets are useless, because the "next header"
2687 * is at the end of the decrypted ESP packet. Without the
2688 * whole packet, this is useless.
2689 *
2690 * 2.) If we every use a stateful cipher, such as a stream or a
2691 * one-time pad, we can't do anything.
2692 *
2693 * Since the chances of us getting an entire packet back are very
2694 * very small, we discard here.
2695 */
2701 }
2703 /*
2704 * Construct an SADB_REGISTER message with the current algorithms.
2705 * This function gets called when 'ipsecalgs -s' is run or when
2706 * in.iked (or other KMD) starts.
2707 */
2708 static boolean_t
2711 {
2721 uint_t num_aalgs;
2724 uint_t num_ealgs;
2728 /* Allocate the KEYSOCK_OUT. */
2733 }
2735 /*
2736 * Allocate the PF_KEY message that follows KEYSOCK_OUT.
2737 */
2740 /*
2741 * Fill SADB_REGISTER message's algorithm descriptors. Hold
2742 * down the lock while filling it.
2743 *
2744 * Return only valid algorithms, so the number of algorithms
2745 * to send up may be less than the number of algorithm entries
2746 * in the table.
2747 */
2751 num_aalgs++;
2756 }
2760 num_ealgs++;
2765 }
2771 }
2786 i++) {
2798 numalgs_snap++;
2799 saalg++;
2800 }
2802 #ifdef DEBUG
2803 /*
2804 * Reality check to make sure I snagged all of the
2805 * algorithms.
2806 */
2811 }
2812 }
2815 }
2830 /*
2831 * We could advertise the ICV length, except there
2832 * is not a value in sadb_x_algb to do this.
2833 * saalg->sadb_alg_maclen = encralgs[i]->alg_maclen;
2834 */
2840 numalgs_snap++;
2841 saalg++;
2842 }
2844 #ifdef DEBUG
2845 /*
2846 * Reality check to make sure I snagged all of the
2847 * algorithms.
2848 */
2853 }
2854 }
2857 }
2864 /* Now fill the rest of the SADB_REGISTER message. */
2873 /*
2874 * Assume caller has sufficient sequence/pid number info. If it's one
2875 * from me over a new alg., I could give two hoots about sequence.
2876 */
2885 }
2891 SADB_EXT_SUPPORTED_ENCRYPT;
2893 }
2900 }
2903 }
2905 /*
2906 * Invoked when the algorithm table changes. Causes SADB_REGISTER
2907 * messages continaining the current list of algorithms to be
2908 * sent up to the ESP listeners.
2909 */
2910 void
2912 {
2915 /*
2916 * Time to send a PF_KEY SADB_REGISTER message to ESP listeners
2917 * everywhere. (The function itself checks for NULL esp_pfkey_q.)
2918 */
2920 }
2922 /*
2923 * Stub function that taskq_dispatch() invokes to take the mblk (in arg)
2924 * and send() it into ESP and IP again.
2925 */
2926 static void
2928 {
2931 ip_recv_attr_t iras;
2937 /* The ill or ip_stack_t disappeared on us */
2941 }
2944 done:
2946 }
2948 /*
2949 * Restart ESP after the SA has been added.
2950 */
2951 static void
2953 {
2971 /*
2972 * Either it failed or is pending. In the former case
2973 * ipIfStatsInDiscards was increased.
2974 */
2976 }
2979 }
2981 /*
2982 * Now that weak-key passed, actually ADD the security association, and
2983 * send back a reply ADD message.
2984 */
2985 static int
2988 {
2998 ipsa_query_t sq;
3001 /*
3002 * Locate the appropriate table(s).
3003 */
3011 /*
3012 * Use the direction flags provided by the KMD to determine
3013 * if the inbound or outbound table should be the primary
3014 * for this SA. If these flags were absent then make this
3015 * decision based on the addresses.
3016 */
3026 }
3029 /*
3030 * The KMD did not set a direction flag, determine which
3031 * table to insert the SA into based on addresses.
3032 */
3037 /* FALLTHRU */
3038 /*
3039 * If the source address is either one of mine, or unspecified
3040 * (which is best summed up by saying "not 'not mine'"),
3041 * then the association is potentially bi-directional,
3042 * in that it can be used for inbound traffic and outbound
3043 * traffic. The best example of such an SA is a multicast
3044 * SA (which allows me to receive the outbound traffic).
3045 */
3054 /*
3055 * If the source address literally not mine (either
3056 * unspecified or not mine), then this SA may have an
3057 * address that WILL be mine after some configuration.
3058 * We pay the price for this by making it a bi-directional
3059 * SA.
3060 */
3068 }
3073 }
3074 }
3076 /*
3077 * Find a ACQUIRE list entry if possible. If we've added an SA that
3078 * suits the needs of an ACQUIRE list entry, we can eliminate the
3079 * ACQUIRE list entry and transmit the enqueued packets. Use the
3080 * high-bit of the sequence number to queue it. Key off destination
3081 * addr, and change acqrec's state.
3082 */
3090 /*
3091 * Q: I only check sequence. Should I check dst?
3092 * A: Yes, check dest because those are the packets
3093 * that are queued up.
3094 */
3100 }
3102 /*
3103 * AHA! I found an ACQUIRE record for this SA.
3104 * Grab the msg list, and free the acquire record.
3105 * I already am holding the lock for this record,
3106 * so all I have to do is free it.
3107 */
3113 }
3115 }
3117 /*
3118 * Find PF_KEY message, and see if I'm an update. If so, find entry
3119 * in larval list (if there).
3120 */
3132 }
3136 }
3139 /*
3140 * Hold again, because sadb_common_add() consumes a reference,
3141 * and we don't want to clear_lpkt() without a reference.
3142 */
3144 }
3156 }
3157 }
3159 }
3161 /*
3162 * How much more stack will I create with all of these
3163 * esp_outbound() calls?
3164 */
3166 /* Handle the packets queued waiting for the SA */
3170 ip_xmit_attr_t ixas;
3177 /*
3178 * Extract the ip_xmit_attr_t from the first mblk.
3179 * Verifies that the netstack and ill is still around; could
3180 * have vanished while iked was doing its work.
3181 * On succesful return we have a nce_t and the ill/ipst can't
3182 * disappear until we do the nce_refrele in ixa_cleanup.
3183 */
3200 }
3202 }
3205 }
3207 /*
3208 * Process one of the queued messages (from ipsacq_mp) once the SA
3209 * has been added.
3210 */
3211 static void
3213 {
3226 }
3232 /* do AH processing if needed */
3238 }
3240 /*
3241 * Add new ESP security association. This may become a generic AH/ESP
3242 * routine eventually.
3243 */
3244 static int
3246 {
3276 /* I need certain extensions present for an ADD message. */
3280 }
3284 }
3288 }
3292 }
3296 }
3300 }
3309 /* Sundry ADD-specific reality checks. */
3310 /* XXX STATS : Logging/stats here? */
3316 }
3320 }
3322 #ifndef IPSEC_LATENCY_TEST
3327 }
3328 #endif
3333 }
3337 }
3344 }
3350 }
3351 }
3357 }
3362 }
3363 }
3366 /* Stuff I don't support, for now. XXX Diagnostic? */
3370 /*
3371 * XXX Policy : I'm not checking identities at this time,
3372 * but if I did, I'd do them here, before I sent
3373 * the weak key check up to the algorithm.
3374 */
3378 /*
3379 * First locate the authentication algorithm.
3380 */
3381 #ifdef IPSEC_LATENCY_TEST
3383 #else
3385 #endif
3396 }
3398 /*
3399 * Sanity check key sizes.
3400 * Note: It's not possible to use SADB_AALG_NONE because
3401 * this auth_alg is not defined with ALG_FLAG_VALID. If this
3402 * ever changes, the same check for SADB_AALG_NONE and
3403 * a auth_key != NULL should be made here ( see below).
3404 */
3409 }
3412 /* check key and fix parity if needed */
3417 }
3418 }
3420 /*
3421 * Then locate the encryption algorithm.
3422 */
3424 uint_t keybits;
3435 }
3437 /*
3438 * Sanity check key sizes. If the encryption algorithm is
3439 * SADB_EALG_NULL but the encryption key is NOT
3440 * NULL then complain.
3441 *
3442 * The keying material includes salt bits if required by
3443 * algorithm and optionally the Initial IV, check the
3444 * length of whats left.
3445 */
3454 }
3457 /* check key */
3462 }
3463 }
3468 }
3470 /*
3471 * Update a security association. Updates come in two varieties. The first
3472 * is an update of lifetimes on a non-larval SA. The second is an update of
3473 * a larval SA, which ends up looking a lot more like an add.
3474 */
3475 static int
3478 {
3489 }
3498 }
3504 }
3506 /* XXX refactor me */
3507 /*
3508 * Delete a security association. This is REALLY likely to be code common to
3509 * both AH and ESP. Find the association, then unlink it.
3510 */
3511 static int
3514 {
3530 }
3535 }
3539 }
3541 /* XXX refactor me */
3542 /*
3543 * Convert the entire contents of all of ESP's SA tables into PF_KEY SADB_DUMP
3544 * messages.
3545 */
3546 static void
3548 {
3552 /*
3553 * Dump each fanout, bailing if error is non-zero.
3554 */
3563 bail:
3569 }
3571 /*
3572 * First-cut reality check for an inbound PF_KEY message.
3573 */
3574 static boolean_t
3577 {
3583 }
3588 }
3591 badmsg:
3595 }
3597 /*
3598 * ESP parsing of PF_KEY messages. Keysock did most of the really silly
3599 * error cases. What I receive is a fully-formed, syntactically legal
3600 * PF_KEY message. I then need to check semantics...
3601 *
3602 * This code may become common to AH and ESP. Stay tuned.
3603 *
3604 * I also make the assumption that db_ref's are cool. If this assumption
3605 * is wrong, this means that someone other than keysock or me has been
3606 * mucking with PF_KEY messages.
3607 */
3608 static void
3610 {
3622 /*
3623 * If applicable, convert unspecified AF_INET6 to unspecified
3624 * AF_INET. And do other address reality checks.
3625 */
3630 }
3639 }
3640 /* else esp_add_sa() took care of things. */
3650 }
3651 /* Else esp_del_sa() took care of things. */
3659 }
3660 /* Else sadb_get_sa() took care of things. */
3667 /*
3668 * Hmmm, let's do it! Check for extensions (there should
3669 * be none), extract the fields, call esp_register_out(),
3670 * then either free or report an error.
3671 *
3672 * Keysock takes care of the PF_KEY bookkeeping for this.
3673 */
3678 /*
3679 * Only way this path hits is if there is a memory
3680 * failure. It will not return B_FALSE because of
3681 * lack of esp_pfkey_q if I am in wput().
3682 */
3685 }
3689 /*
3690 * Find a larval, if not there, find a full one and get
3691 * strict.
3692 */
3698 }
3699 /* else esp_update_sa() took care of things. */
3702 /*
3703 * Reserve a new larval entry.
3704 */
3708 /*
3709 * Find larval and/or ACQUIRE record and kill it (them), I'm
3710 * most likely an error. Inbound ACQUIRE messages should only
3711 * have the base header.
3712 */
3718 /*
3719 * Dump all entries.
3720 */
3722 /* esp_dump will take care of the return message, etc. */
3725 /* Should never reach me. */
3733 }
3734 }
3736 /*
3737 * Handle case where PF_KEY says it can't find a keysock for one of my
3738 * ACQUIRE messages.
3739 */
3740 static void
3742 {
3749 }
3752 /*
3753 * If keysock can't find any registered, delete the acquire record
3754 * immediately, and handle errors.
3755 */
3759 /*
3760 * Use the write-side of the esp_pfkey_q
3761 */
3764 }
3767 }
3769 /*
3770 * ESP module write put routine.
3771 */
3772 static void
3774 {
3781 /* NOTE: Each case must take care of freeing or passing mp. */
3785 /* Not big enough message. */
3788 }
3800 /* Parse the message. */
3806 SADB_SATYPE_ESP);
3813 }
3825 }
3826 /* FALLTHRU */
3828 /* We really don't support any other ioctls, do we? */
3830 /* Return EINVAL */
3837 }
3843 }
3844 }
3846 /*
3847 * Wrapper to allow IP to trigger an ESP association failure message
3848 * during inbound SA selection.
3849 */
3850 void
3853 {
3861 }
3866 }
3868 /*
3869 * Initialize the ESP input and output processing functions.
3870 */
3871 void
3873 {
3878 }