| blob | b0a3e2b0632d375cbc7d78b04d0214629bf344f5 |
1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21 /*
22 * Copyright 2010 Sun Microsystems, Inc. All rights reserved.
23 * Use is subject to license terms.
24 * Copyright (c) 2012 Nexenta Systems, Inc. All rights reserved.
25 * Copyright (c) 2017 Joyent, Inc.
26 */
28 #include <sys/types.h>
29 #include <sys/stream.h>
30 #include <sys/stropts.h>
31 #include <sys/errno.h>
32 #include <sys/strlog.h>
33 #include <sys/tihdr.h>
34 #include <sys/socket.h>
35 #include <sys/ddi.h>
36 #include <sys/sunddi.h>
37 #include <sys/kmem.h>
38 #include <sys/zone.h>
39 #include <sys/sysmacros.h>
40 #include <sys/cmn_err.h>
41 #include <sys/vtrace.h>
42 #include <sys/debug.h>
43 #include <sys/atomic.h>
44 #include <sys/strsun.h>
45 #include <sys/random.h>
46 #include <netinet/in.h>
47 #include <net/if.h>
48 #include <netinet/ip6.h>
49 #include <net/pfkeyv2.h>
50 #include <net/pfpolicy.h>
52 #include <inet/common.h>
53 #include <inet/mi.h>
54 #include <inet/nd.h>
55 #include <inet/ip.h>
56 #include <inet/ip_impl.h>
57 #include <inet/ip6.h>
58 #include <inet/ip_if.h>
59 #include <inet/ip_ndp.h>
60 #include <inet/sadb.h>
61 #include <inet/ipsec_info.h>
62 #include <inet/ipsec_impl.h>
63 #include <inet/ipsecesp.h>
64 #include <inet/ipdrop.h>
65 #include <inet/tcp.h>
66 #include <sys/kstat.h>
67 #include <sys/policy.h>
68 #include <sys/strsun.h>
69 #include <sys/strsubr.h>
70 #include <inet/udp_impl.h>
71 #include <sys/taskq.h>
72 #include <sys/note.h>
74 /*
75 * Table of ND variables supported by ipsecesp. These are loaded into
76 * ipsecesp_g_nd in ipsecesp_init_nd.
77 * All of these are alterable, within the min/max values given, at run time.
78 */
80 /* min max value name */
87 /* Default lifetime values for ACQUIRE messages. */
97 };
98 /* For ipsecesp_nat_keepalive_interval, see ipsecesp.h. */
100 #define esp0dbg(a) printf a
101 /* NOTE: != 0 instead of > 0 so lint doesn't complain. */
102 #define esp1dbg(espstack, a) if (espstack->ipsecesp_debug != 0) printf a
103 #define esp2dbg(espstack, a) if (espstack->ipsecesp_debug > 1) printf a
104 #define esp3dbg(espstack, a) if (espstack->ipsecesp_debug > 2) printf a
125 /* Setable in /etc/system */
130 };
134 NULL
135 };
139 NULL
140 };
144 };
148 /*
149 * OTOH, this one is set at open/close, and I'm D_MTQPAIR for now.
150 *
151 * Question: Do I need this, given that all instance's esps->esps_wq point
152 * to IP?
153 *
154 * Answer: Yes, because I need to know which queue is BOUND to
155 * IPPROTO_ESP
156 */
160 static boolean_t
162 {
175 #define K64 KSTAT_DATA_UINT64
176 #define KI(x) kstat_named_init(&(espstack->esp_kstats->esp_stat_##x), #x, K64)
196 #undef KI
197 #undef K64
202 }
204 static int
206 {
225 }
237 }
239 #ifdef DEBUG
240 /*
241 * Debug routine, useful to see pre-encryption data.
242 */
245 {
260 uint_t diff;
267 }
268 }
273 ptr++;
274 }
279 }
282 }
287 {
290 }
293 /*
294 * Don't have to lock age_interval, as only one thread will access it at
295 * a time, because I control the one function that does with timeout().
296 */
297 static void
299 {
313 }
315 /*
316 * Get an ESP NDD parameter.
317 */
318 /* ARGSUSED */
319 static int
323 caddr_t cp,
325 {
327 uint_t value;
336 }
338 /*
339 * This routine sets an NDD variable in a ipsecespparam_t structure.
340 */
341 /* ARGSUSED */
342 static int
347 caddr_t cp,
349 {
350 ulong_t new_value;
354 /*
355 * Fail the request if the new value does not lie within the
356 * required bounds.
357 */
362 }
364 /* Set the new value */
369 }
371 /*
372 * Using lifetime NDD variables, fill in an extended combination's
373 * lifetime information.
374 */
375 void
377 {
390 }
392 /*
393 * Initialize things for ESP at module load time.
394 */
395 boolean_t
397 {
401 /*
402 * We want to be informed each time a stack is created or
403 * destroyed in the kernel, so we can maintain the
404 * set of ipsecesp_stack_t's.
405 */
407 ipsecesp_stack_fini);
410 }
412 /*
413 * Walk through the param array specified registering each element with the
414 * named dispatch handler.
415 */
416 static boolean_t
418 {
428 }
429 }
430 }
432 }
434 /*
435 * Initialize things for ESP for each stack instance
436 */
439 {
444 KM_SLEEP);
465 }
467 /*
468 * Destroy things for ESP at module unload time.
469 */
470 void
472 {
475 }
477 /*
478 * Destroy things for ESP for one stack instance
479 */
480 static void
482 {
487 }
500 }
502 /*
503 * ESP module open routine, which is here for keysock plumbing.
504 * Keysock is pushed over {AH,ESP} which is an artifact from the Bad Old
505 * Days of export control, and fears that ESP would not be allowed
506 * to be shipped at all by default. Eventually, keysock should
507 * either access AH and ESP via modstubs or krtld dependencies, or
508 * perhaps be folded in with AH and ESP into a single IPsec/netsec
509 * module ("netsec" if PF_KEY provides more than AH/ESP keying tables).
510 */
511 /* ARGSUSED */
512 static int
514 {
537 }
539 /*
540 * ESP module close routine.
541 */
542 static int
544 {
547 /*
548 * Clean up q_ptr, if needed.
549 */
552 /* Keysock queue check is safe, because of OCEXCL perimeter. */
558 /* Detach qtimeouts. */
560 }
564 }
566 /*
567 * Add a number of bytes to what the SA has protected so far. Return
568 * B_TRUE if the SA can still protect that many bytes.
569 *
570 * Caller must REFRELE the passed-in assoc. This function must REFRELE
571 * any obtained peer SA.
572 */
573 static boolean_t
575 {
584 /* No peer? No problem! */
587 B_TRUE));
588 }
590 /*
591 * Otherwise, we want to grab both the original assoc and its peer.
592 * There might be a race for this, but if it's a real race, two
593 * expire messages may occur. We limit this by only sending the
594 * expire message on one of the peers, we'll pick the inbound
595 * arbitrarily.
596 *
597 * If we need tight synchronization on the peer SA, then we need to
598 * reconsider.
599 */
601 /* Use address length to select IPv6/IPv4 */
613 }
621 /* Q: Do we wish to set haspeer == B_FALSE? */
626 }
636 /* Q: Do we wish to set haspeer == B_FALSE? */
641 }
642 }
647 /*
648 * REFRELE any peer SA.
649 *
650 * Because of the multi-line macro nature of IPSA_REFRELE, keep
651 * them in { }.
652 */
657 }
660 }
662 /*
663 * Do incoming NAT-T manipulations for packet.
664 * Returns NULL if the mblk chain is consumed.
665 */
668 {
672 /* Initialize to our inbound cksum adjustment... */
680 #define DOWN_SUM(x) (x) = ((x) & 0xFFFF) + ((x) >> 16)
690 /* Adujst if the inbound one was not zero. */
697 }
698 #undef DOWN_SUM
701 /*
702 * This case is only an issue for self-encapsulated
703 * packets. So for now, fall through.
704 */
706 }
708 }
711 /*
712 * Strip ESP header, check padding, and fix IP header.
713 * Returns B_TRUE on success, B_FALSE if an error occured.
714 */
715 static boolean_t
718 {
721 uint_t divpoint;
728 /*
729 * Strip ESP data and fix IP header.
730 *
731 * XXX In case the beginning of esp_inbound() changes to not do a
732 * pullup, this part of the code can remain unchanged.
733 */
744 }
752 /*
753 * "Next header" and padding length are the last two bytes in the
754 * ESP-protected datagram, thus the explicit - 1 and - 2.
755 * lastpad is the last byte of the padding, which can be used for
756 * a quick check to see if the padding is correct.
757 */
763 /* Fix part of the IP header. */
765 /*
766 * Reality check the padlen. The explicit - 2 is for the
767 * padding length and the next-header bytes.
768 */
777 padlen));
785 }
787 /*
788 * Fix the rest of the header. The explicit - 2 is for the
789 * padding length and the next-header bytes.
790 */
799 ip_pkt_t ipp;
810 /* Panic a DEBUG kernel. */
812 /* Otherwise, pretend it's IP + ESP. */
815 }
816 }
819 ivlen) {
826 padlen));
835 }
838 /*
839 * Fix the rest of the header. The explicit - 2 is for the
840 * padding length and the next-header bytes. IPv6 is nice,
841 * because there's no hdr checksum!
842 */
845 }
848 /*
849 * Weak padding check: compare last-byte to length, they
850 * should be equal.
851 */
864 }
866 /*
867 * Strong padding check: Check all pad bytes to see that
868 * they're ascending. Go backwards using a descending counter
869 * to verify. padlen == 1 is checked by previous block, so
870 * only bother if we've more than 1 byte of padding.
871 * Consequently, start the check one byte before the location
872 * of "lastpad".
873 */
875 /*
876 * This assert may have to become an if and a pullup
877 * if we start accepting multi-dblk mblks. For now,
878 * though, any packet here will have been pulled up in
879 * esp_inbound.
880 */
883 /*
884 * Use "--lastpad" because we already checked the very
885 * last pad byte previously.
886 */
899 ipds_esp_bad_padding);
901 }
902 lastbyte--;
903 }
904 }
905 }
907 /* Trim off the padding. */
911 /*
912 * Remove the ESP header.
913 *
914 * The above assertions about data_mp's size will make this work.
915 *
916 * XXX Question: If I send up and get back a contiguous mblk,
917 * would it be quicker to bcopy over, or keep doing the dupb stuff?
918 * I go with copying for now.
919 */
933 src--;
934 dst--;
947 src--;
948 dst--;
953 }
959 }
961 /*
962 * Updating use times can be tricky business if the ipsa_haspeer flag is
963 * set. This function is called once in an SA's lifetime.
964 *
965 * Caller has to REFRELE "assoc" which is passed in. This function has
966 * to REFRELE any peer SA that is obtained.
967 */
968 static void
970 {
975 boolean_t isv6;
979 /* No peer? No problem! */
983 }
985 /*
986 * Otherwise, we want to grab both the original assoc and its peer.
987 * There might be a race for this, but if it's a real race, the times
988 * will be out-of-synch by at most a second, and since our time
989 * granularity is a second, this won't be a problem.
990 *
991 * If we need tight synchronization on the peer SA, then we need to
992 * reconsider.
993 */
995 /* Use address length to select IPv6/IPv4 */
1007 }
1015 /* Q: Do we wish to set haspeer == B_FALSE? */
1020 }
1030 /* Q: Do we wish to set haspeer == B_FALSE? */
1035 }
1036 }
1038 /* Update usetime on both. */
1042 /*
1043 * REFRELE any peer SA.
1044 *
1045 * Because of the multi-line macro nature of IPSA_REFRELE, keep
1046 * them in { }.
1047 */
1052 }
1053 }
1055 /*
1056 * Handle ESP inbound data for IPv4 and IPv6.
1057 * On success returns B_TRUE, on failure returns B_FALSE and frees the
1058 * mblk chain data_mp.
1059 */
1060 mblk_t *
1062 {
1069 /*
1070 * We may wish to check replay in-range-only here as an optimization.
1071 * Include the reality check of ipsa->ipsa_replay >
1072 * ipsa->ipsa_replay_wsize for times when it's the first N packets,
1073 * where N == ipsa->ipsa_replay_wsize.
1074 *
1075 * Another check that may come here later is the "collision" check.
1076 * If legitimate packets flow quickly enough, this won't be a problem,
1077 * but collisions may cause authentication algorithm crunching to
1078 * take place when it doesn't need to.
1079 */
1088 }
1090 /*
1091 * Adjust the IP header's payload length to reflect the removal
1092 * of the ICV.
1093 */
1102 }
1104 /* submit the request to the crypto framework */
1107 }
1109 /* XXX refactor me */
1110 /*
1111 * Handle the SADB_GETSPI message. Create a larval SA.
1112 */
1113 static void
1115 {
1123 /*
1124 * Randomly generate a proposed SPI value
1125 */
1138 }
1140 /*
1141 * XXX - We may randomly collide. We really should recover from this.
1142 * Unfortunately, that could require spending way-too-much-time
1143 * in here. For now, let the user retry.
1144 */
1157 }
1162 /*
1163 * Check for collisions (i.e. did sadb_getspi() return with something
1164 * that already exists?).
1165 *
1166 * Try outbound first. Even though SADB_GETSPI is traditionally
1167 * for inbound SAs, you never know what a user might do.
1168 */
1175 }
1177 /*
1178 * I don't have collisions elsewhere!
1179 * (Nor will I because I'm still holding inbound/outbound locks.)
1180 */
1186 /*
1187 * sadb_insertassoc() also checks for collisions, so
1188 * if there's a colliding entry, rc will be set
1189 * to EEXIST.
1190 */
1195 }
1197 /*
1198 * Can exit outbound mutex. Hold inbound until we're done
1199 * with newbie.
1200 */
1209 }
1212 /* Can write here because I'm still holding the bucket lock. */
1215 /*
1216 * Construct successful return message. We have one thing going
1217 * for us in PF_KEY v2. That's the fact that
1218 * sizeof (sadb_spirange_t) == sizeof (sadb_sa_t)
1219 */
1226 /* Convert KEYSOCK_IN to KEYSOCK_OUT. */
1232 /*
1233 * Can safely putnext() to esp_pfkey_q, because this is a turnaround
1234 * from the esp_pfkey_q.
1235 */
1237 }
1239 /*
1240 * Insert the ESP header into a packet. Duplicate an mblk, and insert a newly
1241 * allocated mblk with the ESP header in between the two.
1242 */
1243 static boolean_t
1246 {
1254 }
1259 /* "scratch" is the 2nd half, split_mp is the first. */
1265 }
1266 /* NOTE: dupb() doesn't set b_cont appropriately. */
1271 }
1272 /*
1273 * At this point, split_mp is exactly "wheretodiv" bytes long, and
1274 * holds the end of the pre-ESP part of the datagram.
1275 */
1280 }
1282 /*
1283 * Section 7 of RFC 3947 says:
1284 *
1285 * 7. Recovering from the Expiring NAT Mappings
1286 *
1287 * There are cases where NAT box decides to remove mappings that are still
1288 * alive (for example, when the keepalive interval is too long, or when the
1289 * NAT box is rebooted). To recover from this, ends that are NOT behind
1290 * NAT SHOULD use the last valid UDP encapsulated IKE or IPsec packet from
1291 * the other end to determine which IP and port addresses should be used.
1292 * The host behind dynamic NAT MUST NOT do this, as otherwise it opens a
1293 * DoS attack possibility because the IP address or port of the other host
1294 * will not change (it is not behind NAT).
1295 *
1296 * Keepalives cannot be used for these purposes, as they are not
1297 * authenticated, but any IKE authenticated IKE packet or ESP packet can be
1298 * used to detect whether the IP address or the port has changed.
1299 *
1300 * The following function will check an SA and its explicitly-set pair to see
1301 * if the NAT-T remote port matches the received packet (which must have
1302 * passed ESP authentication, see esp_in_done() for the caller context). If
1303 * there is a mismatch, the SAs are updated. It is not important if we race
1304 * with a transmitting thread, as if there is a transmitting thread, it will
1305 * merely emit a packet that will most-likely be dropped.
1306 *
1307 * "ports" are ordered src,dst, and assoc is an inbound SA, where src should
1308 * match ipsa_remote_nat_port and dst should match ipsa_local_nat_port.
1309 */
1310 #ifdef _LITTLE_ENDIAN
1311 #define FIRST_16(x) ((x) & 0xFFFF)
1312 #define NEXT_16(x) (((x) >> 16) & 0xFFFF)
1313 #else
1314 #define FIRST_16(x) (((x) >> 16) & 0xFFFF)
1315 #define NEXT_16(x) ((x) & 0xFFFF)
1316 #endif
1317 static void
1319 {
1326 /* We found a conn_t, therefore local != 0. */
1328 /* Assume an IPv4 SA. */
1331 /*
1332 * On-the-wire rport == 0 means something's very wrong.
1333 * An unpaired SA is also useless to us.
1334 * If we are behind the NAT, don't bother.
1335 * A zero local NAT port defaults to 4500, so check that too.
1336 * And, of course, if the ports already match, we don't need to
1337 * bother.
1338 */
1346 /* Try and snag the peer. NOTE: Assume IPv4 for now. */
1354 /* We probably lost a race to a deleting or expiring thread. */
1358 /*
1359 * Hold the mutexes for both SAs so we don't race another inbound
1360 * thread. A lock-entry order shouldn't matter, since all other
1361 * per-ipsa locks are individually held-then-released.
1362 *
1363 * Luckily, this has nothing to do with the remote-NAT address,
1364 * so we don't have to re-scribble the cached-checksum differential.
1365 */
1369 remote;
1374 }
1375 /*
1376 * Finish processing of an inbound ESP packet after processing by the
1377 * crypto framework.
1378 * - Remove the ESP header.
1379 * - Send packet back to IP.
1380 * If authentication was performed on the packet, this function is called
1381 * only if the authentication succeeded.
1382 * On success returns B_TRUE, on failure returns B_FALSE and frees the
1383 * mblk chain data_mp.
1384 */
1387 {
1389 uint_t espstart;
1391 uint_t processed_len;
1394 boolean_t is_natt;
1404 /* get the pointer to the ESP header */
1406 /* authentication-only ESP */
1410 /* encryption present */
1413 /* encryption-only ESP */
1417 ivlen;
1419 /* encryption with authentication */
1422 ivlen;
1423 }
1424 }
1430 /*
1431 * Authentication passed if we reach this point.
1432 * Packets with authentication will have the ICV
1433 * after the crypto data. Adjust b_wptr before
1434 * making padlen checks.
1435 */
1439 /*
1440 * Check replay window here!
1441 * For right now, assume keysock will set the replay window
1442 * size to zero for SAs that have an unspecified sender.
1443 * This may change...
1444 */
1447 /*
1448 * Log the event. As of now we print out an event.
1449 * Do not print the replay failure number, or else
1450 * syslog cannot collate the error messages. Printing
1451 * the replay number that failed opens a denial-of-
1452 * service attack.
1453 */
1462 }
1468 }
1469 }
1474 /* The ipsa has hit hard expiration, LOG and AUDIT. */
1483 }
1485 /*
1486 * Remove ESP header and padding from packet. I hope the compiler
1487 * spews "branch, predict taken" code for this.
1488 */
1497 /*
1498 * Cluster buffering case. Tell caller that we're
1499 * handling the packet.
1500 */
1503 }
1506 }
1509 drop_and_bail:
1515 }
1517 /*
1518 * Called upon failing the inbound ICV check. The message passed as
1519 * argument is freed.
1520 */
1521 static void
1523 {
1529 /*
1530 * Log the event. Don't print to the console, block
1531 * potential denial-of-service attack.
1532 */
1544 }
1547 /*
1548 * Invoked for outbound packets after ESP processing. If the packet
1549 * also requires AH, performs the AH SA selection and AH processing.
1550 *
1551 * Returns data_mp (possibly with AH added) unless data_mp was consumed
1552 * due to an error, or queued due to async. crypto or an ACQUIRE trigger.
1553 */
1556 {
1563 }
1568 /*
1569 * Normally the AH SA would have already been put in place
1570 * but it could have been flushed so we need to look for it.
1571 */
1576 }
1577 }
1582 }
1585 /*
1586 * Kernel crypto framework callback invoked after completion of async
1587 * crypto requests for outbound packets.
1588 */
1589 static void
1591 {
1598 ip_xmit_attr_t ixas;
1602 /*
1603 * First remove the ipsec_crypto_t mblk
1604 * Note that we need to ipsec_free_crypto_data(mp) once done with ic.
1605 */
1609 /*
1610 * Extract the ip_xmit_attr_t from the first mblk.
1611 * Verifies that the netstack and ill is still around; could
1612 * have vanished while kEf was doing its work.
1613 * On succesful return we have a nce_t and the ill/ipst can't
1614 * disappear until we do the nce_refrele in ixa_cleanup.
1615 */
1619 /* Disappeared on us - no ill/ipst for MIB */
1620 /* We have nowhere to do stats since ixa_ipst could be NULL */
1625 }
1628 }
1635 /*
1636 * If a ICV was computed, it was stored by the
1637 * crypto framework at the end of the packet.
1638 */
1642 /* NAT-T packet. */
1647 /* do AH processing if needed */
1654 /* Outbound shouldn't see invalid MAC */
1659 status));
1666 }
1667 done:
1670 }
1672 /*
1673 * Kernel crypto framework callback invoked after completion of async
1674 * crypto requests for inbound packets.
1675 */
1676 static void
1678 {
1685 ip_recv_attr_t iras;
1688 /*
1689 * First remove the ipsec_crypto_t mblk
1690 * Note that we need to ipsec_free_crypto_data(mp) once done with ic.
1691 */
1695 /*
1696 * Extract the ip_recv_attr_t from the first mblk.
1697 * Verifies that the netstack and ill is still around; could
1698 * have vanished while kEf was doing its work.
1699 */
1703 /* The ill or ip_stack_t disappeared on us */
1707 }
1718 /* finish IPsec processing */
1725 status));
1732 }
1733 done:
1736 }
1738 /*
1739 * Invoked on crypto framework failure during inbound and outbound processing.
1740 */
1741 static void
1744 {
1755 else
1757 }
1759 /*
1760 * A statement-equivalent macro, _cr MUST point to a modifiable
1761 * crypto_call_req_t.
1762 */
1763 #define ESP_INIT_CALLREQ(_cr, _mp, _callback) \
1764 (_cr)->cr_flag = CRYPTO_SKIP_REQID|CRYPTO_ALWAYS_QUEUE; \
1765 (_cr)->cr_callback_arg = (_mp); \
1766 (_cr)->cr_callback_func = (_callback)
1768 #define ESP_INIT_CRYPTO_MAC(mac, icvlen, icvbuf) { \
1769 (mac)->cd_format = CRYPTO_DATA_RAW; \
1770 (mac)->cd_offset = 0; \
1771 (mac)->cd_length = icvlen; \
1772 (mac)->cd_raw.iov_base = (char *)icvbuf; \
1773 (mac)->cd_raw.iov_len = icvlen; \
1774 }
1776 #define ESP_INIT_CRYPTO_DATA(data, mp, off, len) { \
1777 if (MBLKL(mp) >= (len) + (off)) { \
1778 (data)->cd_format = CRYPTO_DATA_RAW; \
1779 (data)->cd_raw.iov_base = (char *)(mp)->b_rptr; \
1780 (data)->cd_raw.iov_len = MBLKL(mp); \
1781 (data)->cd_offset = off; \
1782 } else { \
1783 (data)->cd_format = CRYPTO_DATA_MBLK; \
1784 (data)->cd_mp = mp; \
1785 (data)->cd_offset = off; \
1786 } \
1787 (data)->cd_length = len; \
1788 }
1790 #define ESP_INIT_CRYPTO_DUAL_DATA(data, mp, off1, len1, off2, len2) { \
1791 (data)->dd_format = CRYPTO_DATA_MBLK; \
1792 (data)->dd_mp = mp; \
1793 (data)->dd_len1 = len1; \
1794 (data)->dd_offset1 = off1; \
1795 (data)->dd_len2 = len2; \
1796 (data)->dd_offset2 = off2; \
1797 }
1799 /*
1800 * Returns data_mp if successfully completed the request. Returns
1801 * NULL if it failed (and increments InDiscards) or if it is pending.
1802 */
1806 {
1813 crypto_ctx_template_t auth_ctx_tmpl;
1817 crypto_ctx_template_t encr_ctx_tmpl;
1828 #ifdef IPSEC_LATENCY_TEST
1830 #else
1832 #endif
1834 /*
1835 * An inbound packet is of the form:
1836 * [IP,options,ESP,IV,data,ICV,pad]
1837 */
1840 /* Packet length starting at IP header ending after ESP ICV. */
1846 /*
1847 * Counter mode algs need a nonce. This is setup in sadb_common_add().
1848 * If for some reason we are using a SA which does not have a nonce
1849 * then we must fail here.
1850 */
1856 }
1859 /* We are doing asynch; allocate mblks to hold state */
1866 }
1871 /*
1872 * If we know we are going to do sync then ipsec_crypto_t
1873 * should be on the stack.
1874 */
1878 }
1881 /* authentication context template */
1883 auth_ctx_tmpl);
1885 /* ICV to be verified */
1889 /* authentication starts at the ESP header */
1893 /* authentication only */
1894 /* initialize input data argument */
1898 /* call the crypto framework */
1903 }
1904 }
1907 /* encryption template */
1909 encr_ctx_tmpl);
1911 /* Call the nonce update function. Also passes in IV */
1916 /* decryption only */
1917 /* initialize input data argument */
1921 /* call the crypto framework */
1926 }
1927 }
1930 /* dual operation */
1931 /* initialize input data argument */
1936 /* specify IV */
1939 /* call the framework */
1945 }
1952 /* Free mp after we are done with ic */
1955 }
1958 /* esp_kcf_callback_inbound() will be invoked on completion */
1965 }
1969 /* esp_mp was passed to ip_drop_packet */
1971 }
1976 }
1979 /* esp_mp was passed to ip_drop_packet */
1981 }
1983 /*
1984 * Compute the IP and UDP checksums -- common code for both keepalives and
1985 * actual ESP-in-UDP packets. Be flexible with multiple mblks because ESP
1986 * uses mblk-insertion to insert the UDP header.
1987 * TODO - If there is an easy way to prep a packet for HW checksums, make
1988 * it happen here.
1989 * Note that this is used before both before calling ip_output_simple and
1990 * in the esp datapath. The former could use IXAF_SET_ULP_CKSUM but not the
1991 * latter.
1992 */
1993 static void
1995 {
2009 /* arr points to the IP header. */
2014 /* arr[6-9] are the IP addresses. */
2022 }
2023 /* arr points to the UDP header's checksum field. */
2026 }
2027 }
2029 /*
2030 * taskq handler so we can send the NAT-T keepalive on a separate thread.
2031 */
2032 static void
2034 {
2036 ip_xmit_attr_t ixas;
2038 netstackid_t stackid;
2044 /* Disappeared */
2048 }
2055 /* No ULP checksum; done by esp_prepare_udp */
2061 }
2063 /*
2064 * Send a one-byte UDP NAT-T keepalive.
2065 */
2066 void
2068 {
2083 /* Use the low-16 of the SPI so we have some clue where it came from. */
2103 /*
2104 * We're holding an isaf_t bucket lock, so pawn off the actual
2105 * packet transmission to another thread. Just in case syncq
2106 * processing causes a same-bucket packet to be processed.
2107 */
2112 /* Assume no memory if taskq_dispatch() fails. */
2117 }
2118 }
2120 /*
2121 * Returns mp if successfully completed the request. Returns
2122 * NULL if it failed (and increments InDiscards) or if it is pending.
2123 */
2127 {
2128 uint_t auth_len;
2135 crypto_ctx_template_t auth_ctx_tmpl;
2138 crypto_ctx_template_t encr_ctx_tmpl;
2156 #ifdef IPSEC_LATENCY_TEST
2158 #else
2160 #endif
2162 /*
2163 * Outbound IPsec packets are of the form:
2164 * [IP,options] -> [ESP,IV] -> [data] -> [pad,ICV]
2165 * unless it's NATT, then it's
2166 * [IP,options] -> [udp][ESP,IV] -> [data] -> [pad,ICV]
2167 * Get a pointer to the mblk containing the ESP header.
2168 */
2174 /*
2175 * Combined mode algs need a nonce. This is setup in sadb_common_add().
2176 * If for some reason we are using a SA which does not have a nonce
2177 * then we must fail here.
2178 */
2184 }
2187 /* We are doing asynch; allocate mblks to hold state */
2194 }
2200 /*
2201 * If we know we are going to do sync then ipsec_crypto_t
2202 * should be on the stack.
2203 */
2207 }
2211 /* authentication context template */
2213 auth_ctx_tmpl);
2215 /* where to store the computed mac */
2219 /* authentication starts at the ESP header */
2222 /* authentication only */
2223 /* initialize input data argument */
2227 /* call the crypto framework */
2232 }
2233 }
2236 /* encryption context template */
2238 encr_ctx_tmpl);
2239 /* Call the nonce update function. */
2244 /* encryption only, skip mblk that contains ESP hdr */
2245 /* initialize input data argument */
2249 /*
2250 * For combined mode ciphers, the ciphertext is the same
2251 * size as the clear text, the ICV should follow the
2252 * ciphertext. To convince the kcf to allow in-line
2253 * encryption, with an ICV, use ipsec_out_crypto_mac
2254 * to point to the same buffer as the data. The calling
2255 * function need to ensure the buffer is large enough to
2256 * include the ICV.
2257 *
2258 * The IV is already written to the packet buffer, the
2259 * nonce setup function copied it to the params struct
2260 * for the cipher to use.
2261 */
2269 }
2271 /* call the crypto framework */
2277 }
2278 }
2281 /*
2282 * Encryption and authentication:
2283 * Pass the pointer to the mblk chain starting at the ESP
2284 * header to the framework. Skip the ESP header mblk
2285 * for encryption, which is reflected by an encryption
2286 * offset equal to the length of that mblk. Start
2287 * the authentication at the ESP header, i.e. use an
2288 * authentication offset of zero.
2289 */
2293 /* specify IV */
2296 /* call the framework */
2303 }
2312 }
2317 /* esp_kcf_callback_outbound() will be invoked on completion */
2320 }
2325 }
2328 /* data_mp was passed to ip_drop_packet */
2330 }
2332 /*
2333 * Handle outbound IPsec processing for IPv4 and IPv6
2334 *
2335 * Returns data_mp if successfully completed the request. Returns
2336 * NULL if it failed (and increments InDiscards) or if it is pending.
2337 */
2340 {
2345 uint_t af;
2363 /*
2364 * <sigh> We have to copy the message here, because TCP (for example)
2365 * keeps a dupb() of the message lying around for retransmission.
2366 * Since ESP changes the whole of the datagram, we have to create our
2367 * own copy lest we clobber TCP's data. Since we have to copy anyway,
2368 * we might as well make use of msgpullup() and get the mblk into one
2369 * contiguous piece!
2370 */
2380 }
2387 /*
2388 * Reality check....
2389 */
2400 ip_pkt_t ipp;
2410 /*
2411 * Destination options are tricky. If we get in here,
2412 * then we have a terminal header following the
2413 * destination options. We need to adjust backwards
2414 * so we insert ESP BEFORE the destination options
2415 * bag. (So that the dstopts get encrypted!)
2416 *
2417 * Since this is for outbound packets only, we know
2418 * that non-terminal destination options only precede
2419 * routing headers.
2420 */
2422 }
2431 /* It's probably IP + ESP. */
2433 }
2434 }
2439 /* wedge in UDP header */
2442 }
2444 /*
2445 * Set up ESP header and encryption padding for ENCR PI request.
2446 */
2448 /* Determine the padding length. Pad to 4-bytes for no-encryption. */
2453 /*
2454 * Pad the data to the length of the cipher block size.
2455 * Include the two additional bytes (hence the - 2) for the
2456 * padding length and the next header. Take this into account
2457 * when calculating the actual length of the padding.
2458 */
2466 }
2468 /* Allocate ESP header and IV. */
2471 /*
2472 * Update association byte-count lifetimes. Don't forget to take
2473 * into account the padding length and next-header (hence the + 2).
2474 *
2475 * Use the amount of data fed into the "encryption algorithm". This
2476 * is the IV, the data length, the padding length, and the final two
2477 * bytes (padlen, and next-header).
2478 *
2479 */
2489 }
2502 }
2514 /*
2515 * Set the checksum to 0, so that the esp_prepare_udp() call
2516 * can do the right thing.
2517 */
2520 }
2526 /*
2527 * XXX We have replay counter wrapping.
2528 * We probably want to nuke this SA (and its peer).
2529 */
2545 }
2548 /*
2549 * iv_ptr points to the mblk which will contain the IV once we have
2550 * written it there. This mblk will be part of a mblk chain that
2551 * will make up the packet.
2552 *
2553 * For counter mode algorithms, the IV is a 64 bit quantity, it
2554 * must NEVER repeat in the lifetime of the SA, otherwise an
2555 * attacker who had recorded enough packets might be able to
2556 * determine some clear text.
2557 *
2558 * To ensure this does not happen, the IV is stored in the SA and
2559 * incremented for each packet, the IV is then copied into the
2560 * "packet" for transmission to the receiving system. The IV will
2561 * also be copied into the nonce, when the packet is encrypted.
2562 *
2563 * CBC mode algorithms use a random IV for each packet. We do not
2564 * require the highest quality random bits, but for best security
2565 * with CBC mode ciphers, the value must be unlikely to repeat and
2566 * must not be known in advance to an adversary capable of influencing
2567 * the clear text.
2568 */
2570 espstack)) {
2576 }
2578 /* Fix the IP header. */
2592 }
2598 }
2600 /* I've got the two ESP mblks, now insert them. */
2607 /* NOTE: esp_insert_esp() only fails if there's no memory. */
2616 }
2618 /* Append padding (and leave room for ICV). */
2620 ;
2633 }
2635 }
2637 /*
2638 * If there's padding, N bytes of padding must be of the form 0x1,
2639 * 0x2, 0x3... 0xN.
2640 */
2642 i++;
2644 }
2651 /*
2652 * Okay. I've set up the pre-encryption ESP. Let's do it!
2653 */
2661 }
2668 }
2670 /*
2671 * IP calls this to validate the ICMP errors that
2672 * we got from the network.
2673 */
2674 mblk_t *
2676 {
2681 /*
2682 * Unless we get an entire packet back, this function is useless.
2683 * Why?
2684 *
2685 * 1.) Partial packets are useless, because the "next header"
2686 * is at the end of the decrypted ESP packet. Without the
2687 * whole packet, this is useless.
2688 *
2689 * 2.) If we every use a stateful cipher, such as a stream or a
2690 * one-time pad, we can't do anything.
2691 *
2692 * Since the chances of us getting an entire packet back are very
2693 * very small, we discard here.
2694 */
2700 }
2702 /*
2703 * Construct an SADB_REGISTER message with the current algorithms.
2704 * This function gets called when 'ipsecalgs -s' is run or when
2705 * in.iked (or other KMD) starts.
2706 */
2707 static boolean_t
2710 {
2720 uint_t num_aalgs;
2723 uint_t num_ealgs;
2727 /* Allocate the KEYSOCK_OUT. */
2732 }
2734 /*
2735 * Allocate the PF_KEY message that follows KEYSOCK_OUT.
2736 */
2739 /*
2740 * Fill SADB_REGISTER message's algorithm descriptors. Hold
2741 * down the lock while filling it.
2742 *
2743 * Return only valid algorithms, so the number of algorithms
2744 * to send up may be less than the number of algorithm entries
2745 * in the table.
2746 */
2750 num_aalgs++;
2755 }
2759 num_ealgs++;
2764 }
2770 }
2785 i++) {
2797 numalgs_snap++;
2798 saalg++;
2799 }
2801 #ifdef DEBUG
2802 /*
2803 * Reality check to make sure I snagged all of the
2804 * algorithms.
2805 */
2810 }
2811 }
2814 }
2829 /*
2830 * We could advertise the ICV length, except there
2831 * is not a value in sadb_x_algb to do this.
2832 * saalg->sadb_alg_maclen = encralgs[i]->alg_maclen;
2833 */
2839 numalgs_snap++;
2840 saalg++;
2841 }
2843 #ifdef DEBUG
2844 /*
2845 * Reality check to make sure I snagged all of the
2846 * algorithms.
2847 */
2852 }
2853 }
2856 }
2863 /* Now fill the rest of the SADB_REGISTER message. */
2872 /*
2873 * Assume caller has sufficient sequence/pid number info. If it's one
2874 * from me over a new alg., I could give two hoots about sequence.
2875 */
2884 }
2890 SADB_EXT_SUPPORTED_ENCRYPT;
2892 }
2899 }
2902 }
2904 /*
2905 * Invoked when the algorithm table changes. Causes SADB_REGISTER
2906 * messages continaining the current list of algorithms to be
2907 * sent up to the ESP listeners.
2908 */
2909 void
2911 {
2914 /*
2915 * Time to send a PF_KEY SADB_REGISTER message to ESP listeners
2916 * everywhere. (The function itself checks for NULL esp_pfkey_q.)
2917 */
2919 }
2921 /*
2922 * Stub function that taskq_dispatch() invokes to take the mblk (in arg)
2923 * and send() it into ESP and IP again.
2924 */
2925 static void
2927 {
2930 ip_recv_attr_t iras;
2936 /* The ill or ip_stack_t disappeared on us */
2940 }
2943 done:
2945 }
2947 /*
2948 * Restart ESP after the SA has been added.
2949 */
2950 static void
2952 {
2970 /*
2971 * Either it failed or is pending. In the former case
2972 * ipIfStatsInDiscards was increased.
2973 */
2975 }
2978 }
2980 /*
2981 * Now that weak-key passed, actually ADD the security association, and
2982 * send back a reply ADD message.
2983 */
2984 static int
2987 {
2997 ipsa_query_t sq;
3000 /*
3001 * Locate the appropriate table(s).
3002 */
3010 /*
3011 * Use the direction flags provided by the KMD to determine
3012 * if the inbound or outbound table should be the primary
3013 * for this SA. If these flags were absent then make this
3014 * decision based on the addresses.
3015 */
3025 }
3028 /*
3029 * The KMD did not set a direction flag, determine which
3030 * table to insert the SA into based on addresses.
3031 */
3036 /* FALLTHRU */
3037 /*
3038 * If the source address is either one of mine, or unspecified
3039 * (which is best summed up by saying "not 'not mine'"),
3040 * then the association is potentially bi-directional,
3041 * in that it can be used for inbound traffic and outbound
3042 * traffic. The best example of such an SA is a multicast
3043 * SA (which allows me to receive the outbound traffic).
3044 */
3053 /*
3054 * If the source address literally not mine (either
3055 * unspecified or not mine), then this SA may have an
3056 * address that WILL be mine after some configuration.
3057 * We pay the price for this by making it a bi-directional
3058 * SA.
3059 */
3067 }
3072 }
3073 }
3075 /*
3076 * Find a ACQUIRE list entry if possible. If we've added an SA that
3077 * suits the needs of an ACQUIRE list entry, we can eliminate the
3078 * ACQUIRE list entry and transmit the enqueued packets. Use the
3079 * high-bit of the sequence number to queue it. Key off destination
3080 * addr, and change acqrec's state.
3081 */
3089 /*
3090 * Q: I only check sequence. Should I check dst?
3091 * A: Yes, check dest because those are the packets
3092 * that are queued up.
3093 */
3099 }
3101 /*
3102 * AHA! I found an ACQUIRE record for this SA.
3103 * Grab the msg list, and free the acquire record.
3104 * I already am holding the lock for this record,
3105 * so all I have to do is free it.
3106 */
3112 }
3114 }
3116 /*
3117 * Find PF_KEY message, and see if I'm an update. If so, find entry
3118 * in larval list (if there).
3119 */
3131 }
3135 }
3138 /*
3139 * Hold again, because sadb_common_add() consumes a reference,
3140 * and we don't want to clear_lpkt() without a reference.
3141 */
3143 }
3155 }
3156 }
3158 }
3160 /*
3161 * How much more stack will I create with all of these
3162 * esp_outbound() calls?
3163 */
3165 /* Handle the packets queued waiting for the SA */
3169 ip_xmit_attr_t ixas;
3176 /*
3177 * Extract the ip_xmit_attr_t from the first mblk.
3178 * Verifies that the netstack and ill is still around; could
3179 * have vanished while iked was doing its work.
3180 * On succesful return we have a nce_t and the ill/ipst can't
3181 * disappear until we do the nce_refrele in ixa_cleanup.
3182 */
3199 }
3201 }
3204 }
3206 /*
3207 * Process one of the queued messages (from ipsacq_mp) once the SA
3208 * has been added.
3209 */
3210 static void
3212 {
3225 }
3231 /* do AH processing if needed */
3237 }
3239 /*
3240 * Add new ESP security association. This may become a generic AH/ESP
3241 * routine eventually.
3242 */
3243 static int
3245 {
3275 /* I need certain extensions present for an ADD message. */
3279 }
3283 }
3287 }
3291 }
3295 }
3299 }
3308 /* Sundry ADD-specific reality checks. */
3309 /* XXX STATS : Logging/stats here? */
3315 }
3319 }
3321 #ifndef IPSEC_LATENCY_TEST
3326 }
3327 #endif
3332 }
3336 }
3343 }
3349 }
3350 }
3356 }
3361 }
3362 }
3365 /* Stuff I don't support, for now. XXX Diagnostic? */
3369 /*
3370 * XXX Policy : I'm not checking identities at this time,
3371 * but if I did, I'd do them here, before I sent
3372 * the weak key check up to the algorithm.
3373 */
3377 /*
3378 * First locate the authentication algorithm.
3379 */
3380 #ifdef IPSEC_LATENCY_TEST
3382 #else
3384 #endif
3395 }
3397 /*
3398 * Sanity check key sizes.
3399 * Note: It's not possible to use SADB_AALG_NONE because
3400 * this auth_alg is not defined with ALG_FLAG_VALID. If this
3401 * ever changes, the same check for SADB_AALG_NONE and
3402 * a auth_key != NULL should be made here ( see below).
3403 */
3408 }
3411 /* check key and fix parity if needed */
3416 }
3417 }
3419 /*
3420 * Then locate the encryption algorithm.
3421 */
3423 uint_t keybits;
3434 }
3436 /*
3437 * Sanity check key sizes. If the encryption algorithm is
3438 * SADB_EALG_NULL but the encryption key is NOT
3439 * NULL then complain.
3440 *
3441 * The keying material includes salt bits if required by
3442 * algorithm and optionally the Initial IV, check the
3443 * length of whats left.
3444 */
3453 }
3456 /* check key */
3461 }
3462 }
3467 }
3469 /*
3470 * Update a security association. Updates come in two varieties. The first
3471 * is an update of lifetimes on a non-larval SA. The second is an update of
3472 * a larval SA, which ends up looking a lot more like an add.
3473 */
3474 static int
3477 {
3488 }
3497 }
3503 }
3505 /* XXX refactor me */
3506 /*
3507 * Delete a security association. This is REALLY likely to be code common to
3508 * both AH and ESP. Find the association, then unlink it.
3509 */
3510 static int
3513 {
3529 }
3534 }
3538 }
3540 /* XXX refactor me */
3541 /*
3542 * Convert the entire contents of all of ESP's SA tables into PF_KEY SADB_DUMP
3543 * messages.
3544 */
3545 static void
3547 {
3551 /*
3552 * Dump each fanout, bailing if error is non-zero.
3553 */
3562 bail:
3568 }
3570 /*
3571 * First-cut reality check for an inbound PF_KEY message.
3572 */
3573 static boolean_t
3576 {
3582 }
3587 }
3590 badmsg:
3594 }
3596 /*
3597 * ESP parsing of PF_KEY messages. Keysock did most of the really silly
3598 * error cases. What I receive is a fully-formed, syntactically legal
3599 * PF_KEY message. I then need to check semantics...
3600 *
3601 * This code may become common to AH and ESP. Stay tuned.
3602 *
3603 * I also make the assumption that db_ref's are cool. If this assumption
3604 * is wrong, this means that someone other than keysock or me has been
3605 * mucking with PF_KEY messages.
3606 */
3607 static void
3609 {
3621 /*
3622 * If applicable, convert unspecified AF_INET6 to unspecified
3623 * AF_INET. And do other address reality checks.
3624 */
3629 }
3638 }
3639 /* else esp_add_sa() took care of things. */
3649 }
3650 /* Else esp_del_sa() took care of things. */
3658 }
3659 /* Else sadb_get_sa() took care of things. */
3666 /*
3667 * Hmmm, let's do it! Check for extensions (there should
3668 * be none), extract the fields, call esp_register_out(),
3669 * then either free or report an error.
3670 *
3671 * Keysock takes care of the PF_KEY bookkeeping for this.
3672 */
3677 /*
3678 * Only way this path hits is if there is a memory
3679 * failure. It will not return B_FALSE because of
3680 * lack of esp_pfkey_q if I am in wput().
3681 */
3684 }
3688 /*
3689 * Find a larval, if not there, find a full one and get
3690 * strict.
3691 */
3697 }
3698 /* else esp_update_sa() took care of things. */
3701 /*
3702 * Reserve a new larval entry.
3703 */
3707 /*
3708 * Find larval and/or ACQUIRE record and kill it (them), I'm
3709 * most likely an error. Inbound ACQUIRE messages should only
3710 * have the base header.
3711 */
3717 /*
3718 * Dump all entries.
3719 */
3721 /* esp_dump will take care of the return message, etc. */
3724 /* Should never reach me. */
3732 }
3733 }
3735 /*
3736 * Handle case where PF_KEY says it can't find a keysock for one of my
3737 * ACQUIRE messages.
3738 */
3739 static void
3741 {
3748 }
3751 /*
3752 * If keysock can't find any registered, delete the acquire record
3753 * immediately, and handle errors.
3754 */
3758 /*
3759 * Use the write-side of the esp_pfkey_q
3760 */
3763 }
3766 }
3768 /*
3769 * ESP module write put routine.
3770 */
3771 static void
3773 {
3780 /* NOTE: Each case must take care of freeing or passing mp. */
3784 /* Not big enough message. */
3787 }
3799 /* Parse the message. */
3805 SADB_SATYPE_ESP);
3812 }
3824 }
3825 /* FALLTHRU */
3827 /* We really don't support any other ioctls, do we? */
3829 /* Return EINVAL */
3836 }
3842 }
3843 }
3845 /*
3846 * Wrapper to allow IP to trigger an ESP association failure message
3847 * during inbound SA selection.
3848 */
3849 void
3852 {
3860 }
3865 }
3867 /*
3868 * Initialize the ESP input and output processing functions.
3869 */
3870 void
3872 {
3877 }