inet/ip/ipsecesp.c

7c478bd9Sstevel@tonic-gate/*
7c478bd9Sstevel@tonic-gate * CDDL HEADER START
7c478bd9Sstevel@tonic-gate *
7c478bd9Sstevel@tonic-gate * The contents of this file are subject to the terms of the
7845d282Sdanmcd * Common Development and Distribution License (the "License").
7845d282Sdanmcd * You may not use this file except in compliance with the License.
7c478bd9Sstevel@tonic-gate *
7c478bd9Sstevel@tonic-gate * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
7c478bd9Sstevel@tonic-gate * or http://www.opensolaris.org/os/licensing.
7c478bd9Sstevel@tonic-gate * See the License for the specific language governing permissions
7c478bd9Sstevel@tonic-gate * and limitations under the License.
7c478bd9Sstevel@tonic-gate *
7c478bd9Sstevel@tonic-gate * When distributing Covered Code, include this CDDL HEADER in each
7c478bd9Sstevel@tonic-gate * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
7c478bd9Sstevel@tonic-gate * If applicable, add the following below this CDDL HEADER, with the
7c478bd9Sstevel@tonic-gate * fields enclosed by brackets "[]" replaced with your own identifying
7c478bd9Sstevel@tonic-gate * information: Portions Copyright [yyyy] [name of copyright owner]
7c478bd9Sstevel@tonic-gate *
7c478bd9Sstevel@tonic-gate * CDDL HEADER END
7c478bd9Sstevel@tonic-gate */
7c478bd9Sstevel@tonic-gate/*
930af642SDan McDonald * Copyright 2010 Sun Microsystems, Inc.  All rights reserved.
7c478bd9Sstevel@tonic-gate * Use is subject to license terms.
b7daf799SDan McDonald * Copyright (c) 2012 Nexenta Systems, Inc. All rights reserved.
b7daf799SDan McDonald * Copyright (c) 2017 Joyent, Inc.
7c478bd9Sstevel@tonic-gate */
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate#include <sys/types.h>
7c478bd9Sstevel@tonic-gate#include <sys/stream.h>
7c478bd9Sstevel@tonic-gate#include <sys/stropts.h>
7c478bd9Sstevel@tonic-gate#include <sys/errno.h>
7c478bd9Sstevel@tonic-gate#include <sys/strlog.h>
7c478bd9Sstevel@tonic-gate#include <sys/tihdr.h>
7c478bd9Sstevel@tonic-gate#include <sys/socket.h>
7c478bd9Sstevel@tonic-gate#include <sys/ddi.h>
7c478bd9Sstevel@tonic-gate#include <sys/sunddi.h>
7c478bd9Sstevel@tonic-gate#include <sys/kmem.h>
f4b3ec61Sdh155122#include <sys/zone.h>
7c478bd9Sstevel@tonic-gate#include <sys/sysmacros.h>
7c478bd9Sstevel@tonic-gate#include <sys/cmn_err.h>
7c478bd9Sstevel@tonic-gate#include <sys/vtrace.h>
7c478bd9Sstevel@tonic-gate#include <sys/debug.h>
7c478bd9Sstevel@tonic-gate#include <sys/atomic.h>
7c478bd9Sstevel@tonic-gate#include <sys/strsun.h>
7c478bd9Sstevel@tonic-gate#include <sys/random.h>
7c478bd9Sstevel@tonic-gate#include <netinet/in.h>
7c478bd9Sstevel@tonic-gate#include <net/if.h>
7c478bd9Sstevel@tonic-gate#include <netinet/ip6.h>
7c478bd9Sstevel@tonic-gate#include <net/pfkeyv2.h>
628b0c67SMark Fenwick#include <net/pfpolicy.h>
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate#include <inet/common.h>
7c478bd9Sstevel@tonic-gate#include <inet/mi.h>
7c478bd9Sstevel@tonic-gate#include <inet/nd.h>
7c478bd9Sstevel@tonic-gate#include <inet/ip.h>
437220cdSdanmcd#include <inet/ip_impl.h>
7c478bd9Sstevel@tonic-gate#include <inet/ip6.h>
bd670b35SErik Nordmark#include <inet/ip_if.h>
bd670b35SErik Nordmark#include <inet/ip_ndp.h>
7c478bd9Sstevel@tonic-gate#include <inet/sadb.h>
7c478bd9Sstevel@tonic-gate#include <inet/ipsec_info.h>
7c478bd9Sstevel@tonic-gate#include <inet/ipsec_impl.h>
7c478bd9Sstevel@tonic-gate#include <inet/ipsecesp.h>
7c478bd9Sstevel@tonic-gate#include <inet/ipdrop.h>
7c478bd9Sstevel@tonic-gate#include <inet/tcp.h>
7c478bd9Sstevel@tonic-gate#include <sys/kstat.h>
7c478bd9Sstevel@tonic-gate#include <sys/policy.h>
7c478bd9Sstevel@tonic-gate#include <sys/strsun.h>
5d3b8cb7SBill Sommerfeld#include <sys/strsubr.h>
7c478bd9Sstevel@tonic-gate#include <inet/udp_impl.h>
7c478bd9Sstevel@tonic-gate#include <sys/taskq.h>
f4b3ec61Sdh155122#include <sys/note.h>
7c478bd9Sstevel@tonic-gate
5d3b8cb7SBill Sommerfeld#include <sys/tsol/tnet.h>
5d3b8cb7SBill Sommerfeld
7c478bd9Sstevel@tonic-gate/*
7c478bd9Sstevel@tonic-gate * Table of ND variables supported by ipsecesp. These are loaded into
7c478bd9Sstevel@tonic-gate * ipsecesp_g_nd in ipsecesp_init_nd.
7c478bd9Sstevel@tonic-gate * All of these are alterable, within the min/max values given, at run time.
7c478bd9Sstevel@tonic-gate */
f4b3ec61Sdh155122static	ipsecespparam_t	lcl_param_arr[] = {
7c478bd9Sstevel@tonic-gate	/* min	max			value	name */
7c478bd9Sstevel@tonic-gate	{ 0,	3,			0,	"ipsecesp_debug"},
7c478bd9Sstevel@tonic-gate	{ 125,	32000, SADB_AGE_INTERVAL_DEFAULT, "ipsecesp_age_interval"},
7c478bd9Sstevel@tonic-gate	{ 1,	10,			1,	"ipsecesp_reap_delay"},
7c478bd9Sstevel@tonic-gate	{ 1,	SADB_MAX_REPLAY,	64,	"ipsecesp_replay_size"},
7c478bd9Sstevel@tonic-gate	{ 1,	300,			15,	"ipsecesp_acquire_timeout"},
7c478bd9Sstevel@tonic-gate	{ 1,	1800,			90,	"ipsecesp_larval_timeout"},
7c478bd9Sstevel@tonic-gate	/* Default lifetime values for ACQUIRE messages. */
7c478bd9Sstevel@tonic-gate	{ 0,	0xffffffffU,	0,	"ipsecesp_default_soft_bytes"},
7c478bd9Sstevel@tonic-gate	{ 0,	0xffffffffU,	0,	"ipsecesp_default_hard_bytes"},
7c478bd9Sstevel@tonic-gate	{ 0,	0xffffffffU,	24000,	"ipsecesp_default_soft_addtime"},
7c478bd9Sstevel@tonic-gate	{ 0,	0xffffffffU,	28800,	"ipsecesp_default_hard_addtime"},
7c478bd9Sstevel@tonic-gate	{ 0,	0xffffffffU,	0,	"ipsecesp_default_soft_usetime"},
7c478bd9Sstevel@tonic-gate	{ 0,	0xffffffffU,	0,	"ipsecesp_default_hard_usetime"},
7c478bd9Sstevel@tonic-gate	{ 0,	1,		0,	"ipsecesp_log_unknown_spi"},
7c478bd9Sstevel@tonic-gate	{ 0,	2,		1,	"ipsecesp_padding_check"},
437220cdSdanmcd	{ 0,	600,		20,	"ipsecesp_nat_keepalive_interval"},
7c478bd9Sstevel@tonic-gate};
437220cdSdanmcd/* For ipsecesp_nat_keepalive_interval, see ipsecesp.h. */
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate#define	esp0dbg(a)	printf a
7c478bd9Sstevel@tonic-gate/* NOTE:  != 0 instead of > 0 so lint doesn't complain. */
f4b3ec61Sdh155122#define	esp1dbg(espstack, a)	if (espstack->ipsecesp_debug != 0) printf a
f4b3ec61Sdh155122#define	esp2dbg(espstack, a)	if (espstack->ipsecesp_debug > 1) printf a
f4b3ec61Sdh155122#define	esp3dbg(espstack, a)	if (espstack->ipsecesp_debug > 2) printf a
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gatestatic int ipsecesp_open(queue_t *, dev_t *, int, int, cred_t *);
5e1743f0SToomas Soomestatic int ipsecesp_close(queue_t *, int, cred_t *);
9c451ec7SToomas Soomestatic int ipsecesp_rput(queue_t *, mblk_t *);
9c451ec7SToomas Soomestatic int ipsecesp_wput(queue_t *, mblk_t *);
f4b3ec61Sdh155122static void	*ipsecesp_stack_init(netstackid_t stackid, netstack_t *ns);
f4b3ec61Sdh155122static void	ipsecesp_stack_fini(netstackid_t stackid, void *arg);
7c478bd9Sstevel@tonic-gate
437220cdSdanmcdstatic void esp_prepare_udp(netstack_t *, mblk_t *, ipha_t *);
bd670b35SErik Nordmarkstatic void esp_outbound_finish(mblk_t *, ip_xmit_attr_t *);
bd670b35SErik Nordmarkstatic void esp_inbound_restart(mblk_t *, ip_recv_attr_t *);
7c478bd9Sstevel@tonic-gate
f4b3ec61Sdh155122static boolean_t esp_register_out(uint32_t, uint32_t, uint_t,
bd670b35SErik Nordmark    ipsecesp_stack_t *, cred_t *);
7c478bd9Sstevel@tonic-gatestatic boolean_t esp_strip_header(mblk_t *, boolean_t, uint32_t,
f4b3ec61Sdh155122    kstat_named_t **, ipsecesp_stack_t *);
bd670b35SErik Nordmarkstatic mblk_t *esp_submit_req_inbound(mblk_t *, ip_recv_attr_t *,
bd670b35SErik Nordmark    ipsa_t *, uint_t);
bd670b35SErik Nordmarkstatic mblk_t *esp_submit_req_outbound(mblk_t *, ip_xmit_attr_t *,
bd670b35SErik Nordmark    ipsa_t *, uchar_t *, uint_t);
9c2c14abSThejaswini Singarajipura
f4b3ec61Sdh155122/* Setable in /etc/system */
f4b3ec61Sdh155122uint32_t esp_hash_size = IPSEC_DEFAULT_HASH_SIZE;
f4b3ec61Sdh155122
7c478bd9Sstevel@tonic-gatestatic struct module_info info = {
7c478bd9Sstevel@tonic-gate	5137, "ipsecesp", 0, INFPSZ, 65536, 1024
7c478bd9Sstevel@tonic-gate};
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gatestatic struct qinit rinit = {
9c451ec7SToomas Soome	ipsecesp_rput, NULL, ipsecesp_open, ipsecesp_close, NULL, &info,
7c478bd9Sstevel@tonic-gate	NULL
7c478bd9Sstevel@tonic-gate};
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gatestatic struct qinit winit = {
9c451ec7SToomas Soome	ipsecesp_wput, NULL, ipsecesp_open, ipsecesp_close, NULL, &info,
7c478bd9Sstevel@tonic-gate	NULL
7c478bd9Sstevel@tonic-gate};
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gatestruct streamtab ipsecespinfo = {
7c478bd9Sstevel@tonic-gate	&rinit, &winit, NULL, NULL
7c478bd9Sstevel@tonic-gate};
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gatestatic taskq_t *esp_taskq;
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate/*
7c478bd9Sstevel@tonic-gate * OTOH, this one is set at open/close, and I'm D_MTQPAIR for now.
7c478bd9Sstevel@tonic-gate *
7c478bd9Sstevel@tonic-gate * Question:	Do I need this, given that all instance's esps->esps_wq point
7c478bd9Sstevel@tonic-gate *		to IP?
7c478bd9Sstevel@tonic-gate *
7c478bd9Sstevel@tonic-gate * Answer:	Yes, because I need to know which queue is BOUND to
7c478bd9Sstevel@tonic-gate *		IPPROTO_ESP
7c478bd9Sstevel@tonic-gate */
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gatestatic int	esp_kstat_update(kstat_t *, int);
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gatestatic boolean_t
f4b3ec61Sdh155122esp_kstat_init(ipsecesp_stack_t *espstack, netstackid_t stackid)
7c478bd9Sstevel@tonic-gate{
f4b3ec61Sdh155122	espstack->esp_ksp = kstat_create_netstack("ipsecesp", 0, "esp_stat",
f4b3ec61Sdh155122	    "net", KSTAT_TYPE_NAMED,
281819e5SDan McDonald	    sizeof (esp_kstats_t) / sizeof (kstat_named_t), 0, stackid);
7c478bd9Sstevel@tonic-gate
f4b3ec61Sdh155122	if (espstack->esp_ksp == NULL || espstack->esp_ksp->ks_data == NULL)
7c478bd9Sstevel@tonic-gate		return (B_FALSE);
7c478bd9Sstevel@tonic-gate
f4b3ec61Sdh155122	espstack->esp_kstats = espstack->esp_ksp->ks_data;
7c478bd9Sstevel@tonic-gate
f4b3ec61Sdh155122	espstack->esp_ksp->ks_update = esp_kstat_update;
f4b3ec61Sdh155122	espstack->esp_ksp->ks_private = (void *)(uintptr_t)stackid;
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate#define	K64 KSTAT_DATA_UINT64
f4b3ec61Sdh155122#define	KI(x) kstat_named_init(&(espstack->esp_kstats->esp_stat_##x), #x, K64)
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	KI(num_aalgs);
7c478bd9Sstevel@tonic-gate	KI(num_ealgs);
7c478bd9Sstevel@tonic-gate	KI(good_auth);
7c478bd9Sstevel@tonic-gate	KI(bad_auth);
7c478bd9Sstevel@tonic-gate	KI(bad_padding);
7c478bd9Sstevel@tonic-gate	KI(replay_failures);
7c478bd9Sstevel@tonic-gate	KI(replay_early_failures);
7c478bd9Sstevel@tonic-gate	KI(keysock_in);
7c478bd9Sstevel@tonic-gate	KI(out_requests);
7c478bd9Sstevel@tonic-gate	KI(acquire_requests);
7c478bd9Sstevel@tonic-gate	KI(bytes_expired);
7c478bd9Sstevel@tonic-gate	KI(out_discards);
7c478bd9Sstevel@tonic-gate	KI(crypto_sync);
7c478bd9Sstevel@tonic-gate	KI(crypto_async);
7c478bd9Sstevel@tonic-gate	KI(crypto_failures);
7c478bd9Sstevel@tonic-gate	KI(bad_decrypt);
4a179720Sdanmcd	KI(sa_port_renumbers);
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate#undef KI
7c478bd9Sstevel@tonic-gate#undef K64
7c478bd9Sstevel@tonic-gate
f4b3ec61Sdh155122	kstat_install(espstack->esp_ksp);
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	return (B_TRUE);
7c478bd9Sstevel@tonic-gate}
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gatestatic int
7c478bd9Sstevel@tonic-gateesp_kstat_update(kstat_t *kp, int rw)
7c478bd9Sstevel@tonic-gate{
7c478bd9Sstevel@tonic-gate	esp_kstats_t *ekp;
a23b3b1bSToomas Soome	netstackid_t	stackid;
f4b3ec61Sdh155122	netstack_t	*ns;
f4b3ec61Sdh155122	ipsec_stack_t	*ipss;
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	if ((kp == NULL) || (kp->ks_data == NULL))
7c478bd9Sstevel@tonic-gate		return (EIO);
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	if (rw == KSTAT_WRITE)
7c478bd9Sstevel@tonic-gate		return (EACCES);
7c478bd9Sstevel@tonic-gate
a23b3b1bSToomas Soome	stackid = (zoneid_t)(uintptr_t)kp->ks_private;
f4b3ec61Sdh155122	ns = netstack_find_by_stackid(stackid);
f4b3ec61Sdh155122	if (ns == NULL)
f4b3ec61Sdh155122		return (-1);
f4b3ec61Sdh155122	ipss = ns->netstack_ipsec;
f4b3ec61Sdh155122	if (ipss == NULL) {
f4b3ec61Sdh155122		netstack_rele(ns);
f4b3ec61Sdh155122		return (-1);
f4b3ec61Sdh155122	}
7c478bd9Sstevel@tonic-gate	ekp = (esp_kstats_t *)kp->ks_data;
7c478bd9Sstevel@tonic-gate
69e71331SBayard Bell	rw_enter(&ipss->ipsec_alg_lock, RW_READER);
f4b3ec61Sdh155122	ekp->esp_stat_num_aalgs.value.ui64 =
f4b3ec61Sdh155122	    ipss->ipsec_nalgs[IPSEC_ALG_AUTH];
f4b3ec61Sdh155122	ekp->esp_stat_num_ealgs.value.ui64 =
f4b3ec61Sdh155122	    ipss->ipsec_nalgs[IPSEC_ALG_ENCR];
69e71331SBayard Bell	rw_exit(&ipss->ipsec_alg_lock);
7c478bd9Sstevel@tonic-gate
f4b3ec61Sdh155122	netstack_rele(ns);
7c478bd9Sstevel@tonic-gate	return (0);
7c478bd9Sstevel@tonic-gate}
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate#ifdef DEBUG
7c478bd9Sstevel@tonic-gate/*
7c478bd9Sstevel@tonic-gate * Debug routine, useful to see pre-encryption data.
7c478bd9Sstevel@tonic-gate */
7c478bd9Sstevel@tonic-gatestatic char *
7c478bd9Sstevel@tonic-gatedump_msg(mblk_t *mp)
7c478bd9Sstevel@tonic-gate{
7c478bd9Sstevel@tonic-gate	char tmp_str[3], tmp_line[256];
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	while (mp != NULL) {
7c478bd9Sstevel@tonic-gate		unsigned char *ptr;
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate		printf("mblk address 0x%p, length %ld, db_ref %d "
7c478bd9Sstevel@tonic-gate		    "type %d, base 0x%p, lim 0x%p\n",
7c478bd9Sstevel@tonic-gate		    (void *) mp, (long)(mp->b_wptr - mp->b_rptr),
7c478bd9Sstevel@tonic-gate		    mp->b_datap->db_ref, mp->b_datap->db_type,
7c478bd9Sstevel@tonic-gate		    (void *)mp->b_datap->db_base, (void *)mp->b_datap->db_lim);
7c478bd9Sstevel@tonic-gate		ptr = mp->b_rptr;
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate		tmp_line[0] = '\0';
7c478bd9Sstevel@tonic-gate		while (ptr < mp->b_wptr) {
7c478bd9Sstevel@tonic-gate			uint_t diff;
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate			diff = (ptr - mp->b_rptr);
7c478bd9Sstevel@tonic-gate			if (!(diff & 0x1f)) {
7c478bd9Sstevel@tonic-gate				if (strlen(tmp_line) > 0) {
7c478bd9Sstevel@tonic-gate					printf("bytes: %s\n", tmp_line);
7c478bd9Sstevel@tonic-gate					tmp_line[0] = '\0';
7c478bd9Sstevel@tonic-gate				}
7c478bd9Sstevel@tonic-gate			}
7c478bd9Sstevel@tonic-gate			if (!(diff & 0x3))
7c478bd9Sstevel@tonic-gate				(void) strcat(tmp_line, " ");
7c478bd9Sstevel@tonic-gate			(void) sprintf(tmp_str, "%02x", *ptr);
7c478bd9Sstevel@tonic-gate			(void) strcat(tmp_line, tmp_str);
7c478bd9Sstevel@tonic-gate			ptr++;
7c478bd9Sstevel@tonic-gate		}
7c478bd9Sstevel@tonic-gate		if (strlen(tmp_line) > 0)
7c478bd9Sstevel@tonic-gate			printf("bytes: %s\n", tmp_line);
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate		mp = mp->b_cont;
7c478bd9Sstevel@tonic-gate	}
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	return ("\n");
7c478bd9Sstevel@tonic-gate}
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate#else /* DEBUG */
7c478bd9Sstevel@tonic-gatestatic char *
7c478bd9Sstevel@tonic-gatedump_msg(mblk_t *mp)
7c478bd9Sstevel@tonic-gate{
7c478bd9Sstevel@tonic-gate	printf("Find value of mp %p.\n", mp);
7c478bd9Sstevel@tonic-gate	return ("\n");
7c478bd9Sstevel@tonic-gate}
7c478bd9Sstevel@tonic-gate#endif /* DEBUG */
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate/*
7c478bd9Sstevel@tonic-gate * Don't have to lock age_interval, as only one thread will access it at
7c478bd9Sstevel@tonic-gate * a time, because I control the one function that does with timeout().
7c478bd9Sstevel@tonic-gate */
7c478bd9Sstevel@tonic-gatestatic void
f4b3ec61Sdh155122esp_ager(void *arg)
7c478bd9Sstevel@tonic-gate{
f4b3ec61Sdh155122	ipsecesp_stack_t *espstack = (ipsecesp_stack_t *)arg;
f4b3ec61Sdh155122	netstack_t	*ns = espstack->ipsecesp_netstack;
7c478bd9Sstevel@tonic-gate	hrtime_t begin = gethrtime();
7c478bd9Sstevel@tonic-gate
f4b3ec61Sdh155122	sadb_ager(&espstack->esp_sadb.s_v4, espstack->esp_pfkey_q,
bd670b35SErik Nordmark	    espstack->ipsecesp_reap_delay, ns);
f4b3ec61Sdh155122	sadb_ager(&espstack->esp_sadb.s_v6, espstack->esp_pfkey_q,
bd670b35SErik Nordmark	    espstack->ipsecesp_reap_delay, ns);
7c478bd9Sstevel@tonic-gate
f4b3ec61Sdh155122	espstack->esp_event = sadb_retimeout(begin, espstack->esp_pfkey_q,
f4b3ec61Sdh155122	    esp_ager, espstack,
f4b3ec61Sdh155122	    &espstack->ipsecesp_age_interval, espstack->ipsecesp_age_int_max,
f4b3ec61Sdh155122	    info.mi_idnum);
7c478bd9Sstevel@tonic-gate}
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate/*
7c478bd9Sstevel@tonic-gate * Get an ESP NDD parameter.
7c478bd9Sstevel@tonic-gate */
7c478bd9Sstevel@tonic-gate/* ARGSUSED */
7c478bd9Sstevel@tonic-gatestatic int
69e71331SBayard Bellipsecesp_param_get(
69e71331SBayard Bell    queue_t	*q,
69e71331SBayard Bell    mblk_t	*mp,
69e71331SBayard Bell    caddr_t	cp,
69e71331SBayard Bell    cred_t *cr)
7c478bd9Sstevel@tonic-gate{
7c478bd9Sstevel@tonic-gate	ipsecespparam_t	*ipsecesppa = (ipsecespparam_t *)cp;
7c478bd9Sstevel@tonic-gate	uint_t value;
f4b3ec61Sdh155122	ipsecesp_stack_t	*espstack = (ipsecesp_stack_t *)q->q_ptr;
7c478bd9Sstevel@tonic-gate
f4b3ec61Sdh155122	mutex_enter(&espstack->ipsecesp_param_lock);
7c478bd9Sstevel@tonic-gate	value = ipsecesppa->ipsecesp_param_value;
f4b3ec61Sdh155122	mutex_exit(&espstack->ipsecesp_param_lock);
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	(void) mi_mpprintf(mp, "%u", value);
7c478bd9Sstevel@tonic-gate	return (0);
7c478bd9Sstevel@tonic-gate}
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate/*
7c478bd9Sstevel@tonic-gate * This routine sets an NDD variable in a ipsecespparam_t structure.
7c478bd9Sstevel@tonic-gate */
7c478bd9Sstevel@tonic-gate/* ARGSUSED */
7c478bd9Sstevel@tonic-gatestatic int
69e71331SBayard Bellipsecesp_param_set(
69e71331SBayard Bell    queue_t	*q,
69e71331SBayard Bell    mblk_t	*mp,
69e71331SBayard Bell    char	*value,
69e71331SBayard Bell    caddr_t	cp,
69e71331SBayard Bell    cred_t *cr)
7c478bd9Sstevel@tonic-gate{
7c478bd9Sstevel@tonic-gate	ulong_t	new_value;
7c478bd9Sstevel@tonic-gate	ipsecespparam_t	*ipsecesppa = (ipsecespparam_t *)cp;
f4b3ec61Sdh155122	ipsecesp_stack_t	*espstack = (ipsecesp_stack_t *)q->q_ptr;
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	/*
7c478bd9Sstevel@tonic-gate	 * Fail the request if the new value does not lie within the
7c478bd9Sstevel@tonic-gate	 * required bounds.
7c478bd9Sstevel@tonic-gate	 */
7c478bd9Sstevel@tonic-gate	if (ddi_strtoul(value, NULL, 10, &new_value) != 0 ||
7c478bd9Sstevel@tonic-gate	    new_value < ipsecesppa->ipsecesp_param_min ||
7c478bd9Sstevel@tonic-gate	    new_value > ipsecesppa->ipsecesp_param_max) {
7c478bd9Sstevel@tonic-gate		return (EINVAL);
7c478bd9Sstevel@tonic-gate	}
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	/* Set the new value */
f4b3ec61Sdh155122	mutex_enter(&espstack->ipsecesp_param_lock);
7c478bd9Sstevel@tonic-gate	ipsecesppa->ipsecesp_param_value = new_value;
f4b3ec61Sdh155122	mutex_exit(&espstack->ipsecesp_param_lock);
7c478bd9Sstevel@tonic-gate	return (0);
7c478bd9Sstevel@tonic-gate}
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate/*
7c478bd9Sstevel@tonic-gate * Using lifetime NDD variables, fill in an extended combination's
7c478bd9Sstevel@tonic-gate * lifetime information.
7c478bd9Sstevel@tonic-gate */
7c478bd9Sstevel@tonic-gatevoid
f4b3ec61Sdh155122ipsecesp_fill_defs(sadb_x_ecomb_t *ecomb, netstack_t *ns)
7c478bd9Sstevel@tonic-gate{
f4b3ec61Sdh155122	ipsecesp_stack_t	*espstack = ns->netstack_ipsecesp;
f4b3ec61Sdh155122
f4b3ec61Sdh155122	ecomb->sadb_x_ecomb_soft_bytes = espstack->ipsecesp_default_soft_bytes;
f4b3ec61Sdh155122	ecomb->sadb_x_ecomb_hard_bytes = espstack->ipsecesp_default_hard_bytes;
f4b3ec61Sdh155122	ecomb->sadb_x_ecomb_soft_addtime =
f4b3ec61Sdh155122	    espstack->ipsecesp_default_soft_addtime;
f4b3ec61Sdh155122	ecomb->sadb_x_ecomb_hard_addtime =
f4b3ec61Sdh155122	    espstack->ipsecesp_default_hard_addtime;
f4b3ec61Sdh155122	ecomb->sadb_x_ecomb_soft_usetime =
f4b3ec61Sdh155122	    espstack->ipsecesp_default_soft_usetime;
f4b3ec61Sdh155122	ecomb->sadb_x_ecomb_hard_usetime =
f4b3ec61Sdh155122	    espstack->ipsecesp_default_hard_usetime;
7c478bd9Sstevel@tonic-gate}
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate/*
7c478bd9Sstevel@tonic-gate * Initialize things for ESP at module load time.
7c478bd9Sstevel@tonic-gate */
7c478bd9Sstevel@tonic-gateboolean_t
7c478bd9Sstevel@tonic-gateipsecesp_ddi_init(void)
7c478bd9Sstevel@tonic-gate{
7c478bd9Sstevel@tonic-gate	esp_taskq = taskq_create("esp_taskq", 1, minclsyspri,
7c478bd9Sstevel@tonic-gate	    IPSEC_TASKQ_MIN, IPSEC_TASKQ_MAX, 0);
7c478bd9Sstevel@tonic-gate
f4b3ec61Sdh155122	/*
f4b3ec61Sdh155122	 * We want to be informed each time a stack is created or
f4b3ec61Sdh155122	 * destroyed in the kernel, so we can maintain the
f4b3ec61Sdh155122	 * set of ipsecesp_stack_t's.
f4b3ec61Sdh155122	 */
f4b3ec61Sdh155122	netstack_register(NS_IPSECESP, ipsecesp_stack_init, NULL,
f4b3ec61Sdh155122	    ipsecesp_stack_fini);
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	return (B_TRUE);
7c478bd9Sstevel@tonic-gate}
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate/*
f4b3ec61Sdh155122 * Walk through the param array specified registering each element with the
f4b3ec61Sdh155122 * named dispatch handler.
f4b3ec61Sdh155122 */
f4b3ec61Sdh155122static boolean_t
f4b3ec61Sdh155122ipsecesp_param_register(IDP *ndp, ipsecespparam_t *espp, int cnt)
f4b3ec61Sdh155122{
f4b3ec61Sdh155122	for (; cnt-- > 0; espp++) {
f4b3ec61Sdh155122		if (espp->ipsecesp_param_name != NULL &&
f4b3ec61Sdh155122		    espp->ipsecesp_param_name[0]) {
f4b3ec61Sdh155122			if (!nd_load(ndp,
f4b3ec61Sdh155122			    espp->ipsecesp_param_name,
f4b3ec61Sdh155122			    ipsecesp_param_get, ipsecesp_param_set,
f4b3ec61Sdh155122			    (caddr_t)espp)) {
f4b3ec61Sdh155122				nd_free(ndp);
f4b3ec61Sdh155122				return (B_FALSE);
f4b3ec61Sdh155122			}
f4b3ec61Sdh155122		}
f4b3ec61Sdh155122	}
f4b3ec61Sdh155122	return (B_TRUE);
f4b3ec61Sdh155122}
b7daf799SDan McDonald
f4b3ec61Sdh155122/*
f4b3ec61Sdh155122 * Initialize things for ESP for each stack instance
f4b3ec61Sdh155122 */
f4b3ec61Sdh155122static void *
f4b3ec61Sdh155122ipsecesp_stack_init(netstackid_t stackid, netstack_t *ns)
f4b3ec61Sdh155122{
f4b3ec61Sdh155122	ipsecesp_stack_t	*espstack;
f4b3ec61Sdh155122	ipsecespparam_t		*espp;
f4b3ec61Sdh155122
f4b3ec61Sdh155122	espstack = (ipsecesp_stack_t *)kmem_zalloc(sizeof (*espstack),
f4b3ec61Sdh155122	    KM_SLEEP);
f4b3ec61Sdh155122	espstack->ipsecesp_netstack = ns;
f4b3ec61Sdh155122
f4b3ec61Sdh155122	espp = (ipsecespparam_t *)kmem_alloc(sizeof (lcl_param_arr), KM_SLEEP);
f4b3ec61Sdh155122	espstack->ipsecesp_params = espp;
f4b3ec61Sdh155122	bcopy(lcl_param_arr, espp, sizeof (lcl_param_arr));
f4b3ec61Sdh155122
f4b3ec61Sdh155122	(void) ipsecesp_param_register(&espstack->ipsecesp_g_nd, espp,
f4b3ec61Sdh155122	    A_CNT(lcl_param_arr));
f4b3ec61Sdh155122
f4b3ec61Sdh155122	(void) esp_kstat_init(espstack, stackid);
f4b3ec61Sdh155122
f4b3ec61Sdh155122	espstack->esp_sadb.s_acquire_timeout =
f4b3ec61Sdh155122	    &espstack->ipsecesp_acquire_timeout;
f4b3ec61Sdh155122	sadbp_init("ESP", &espstack->esp_sadb, SADB_SATYPE_ESP, esp_hash_size,
f4b3ec61Sdh155122	    espstack->ipsecesp_netstack);
f4b3ec61Sdh155122
f4b3ec61Sdh155122	mutex_init(&espstack->ipsecesp_param_lock, NULL, MUTEX_DEFAULT, 0);
f4b3ec61Sdh155122
f4b3ec61Sdh155122	ip_drop_register(&espstack->esp_dropper, "IPsec ESP");
f4b3ec61Sdh155122	return (espstack);
f4b3ec61Sdh155122}
f4b3ec61Sdh155122
f4b3ec61Sdh155122/*
7c478bd9Sstevel@tonic-gate * Destroy things for ESP at module unload time.
7c478bd9Sstevel@tonic-gate */
7c478bd9Sstevel@tonic-gatevoid
7c478bd9Sstevel@tonic-gateipsecesp_ddi_destroy(void)
7c478bd9Sstevel@tonic-gate{
f4b3ec61Sdh155122	netstack_unregister(NS_IPSECESP);
7c478bd9Sstevel@tonic-gate	taskq_destroy(esp_taskq);
f4b3ec61Sdh155122}
f4b3ec61Sdh155122
f4b3ec61Sdh155122/*
f4b3ec61Sdh155122 * Destroy things for ESP for one stack instance
f4b3ec61Sdh155122 */
f4b3ec61Sdh155122static void
f4b3ec61Sdh155122ipsecesp_stack_fini(netstackid_t stackid, void *arg)
f4b3ec61Sdh155122{
f4b3ec61Sdh155122	ipsecesp_stack_t *espstack = (ipsecesp_stack_t *)arg;
f4b3ec61Sdh155122
f4b3ec61Sdh155122	if (espstack->esp_pfkey_q != NULL) {
f4b3ec61Sdh155122		(void) quntimeout(espstack->esp_pfkey_q, espstack->esp_event);
f4b3ec61Sdh155122	}
f4b3ec61Sdh155122	espstack->esp_sadb.s_acquire_timeout = NULL;
f4b3ec61Sdh155122	sadbp_destroy(&espstack->esp_sadb, espstack->ipsecesp_netstack);
f4b3ec61Sdh155122	ip_drop_unregister(&espstack->esp_dropper);
f4b3ec61Sdh155122	mutex_destroy(&espstack->ipsecesp_param_lock);
f4b3ec61Sdh155122	nd_free(&espstack->ipsecesp_g_nd);
f4b3ec61Sdh155122
f4b3ec61Sdh155122	kmem_free(espstack->ipsecesp_params, sizeof (lcl_param_arr));
f4b3ec61Sdh155122	espstack->ipsecesp_params = NULL;
f4b3ec61Sdh155122	kstat_delete_netstack(espstack->esp_ksp, stackid);
f4b3ec61Sdh155122	espstack->esp_ksp = NULL;
f4b3ec61Sdh155122	espstack->esp_kstats = NULL;
f4b3ec61Sdh155122	kmem_free(espstack, sizeof (*espstack));
7c478bd9Sstevel@tonic-gate}
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate/*
bd670b35SErik Nordmark * ESP module open routine, which is here for keysock plumbing.
bd670b35SErik Nordmark * Keysock is pushed over {AH,ESP} which is an artifact from the Bad Old
bd670b35SErik Nordmark * Days of export control, and fears that ESP would not be allowed
bd670b35SErik Nordmark * to be shipped at all by default.  Eventually, keysock should
bd670b35SErik Nordmark * either access AH and ESP via modstubs or krtld dependencies, or
bd670b35SErik Nordmark * perhaps be folded in with AH and ESP into a single IPsec/netsec
bd670b35SErik Nordmark * module ("netsec" if PF_KEY provides more than AH/ESP keying tables).
7c478bd9Sstevel@tonic-gate */
7c478bd9Sstevel@tonic-gate/* ARGSUSED */
7c478bd9Sstevel@tonic-gatestatic int
7c478bd9Sstevel@tonic-gateipsecesp_open(queue_t *q, dev_t *devp, int flag, int sflag, cred_t *credp)
7c478bd9Sstevel@tonic-gate{
f4b3ec61Sdh155122	netstack_t		*ns;
f4b3ec61Sdh155122	ipsecesp_stack_t	*espstack;
f4b3ec61Sdh155122
d2370ffeSsommerfe	if (secpolicy_ip_config(credp, B_FALSE) != 0)
7c478bd9Sstevel@tonic-gate		return (EPERM);
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	if (q->q_ptr != NULL)
7c478bd9Sstevel@tonic-gate		return (0);  /* Re-open of an already open instance. */
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	if (sflag != MODOPEN)
7c478bd9Sstevel@tonic-gate		return (EINVAL);
7c478bd9Sstevel@tonic-gate
f4b3ec61Sdh155122	ns = netstack_find_by_cred(credp);
f4b3ec61Sdh155122	ASSERT(ns != NULL);
f4b3ec61Sdh155122	espstack = ns->netstack_ipsecesp;
f4b3ec61Sdh155122	ASSERT(espstack != NULL);
f4b3ec61Sdh155122
f4b3ec61Sdh155122	q->q_ptr = espstack;
f4b3ec61Sdh155122	WR(q)->q_ptr = q->q_ptr;
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	qprocson(q);
7c478bd9Sstevel@tonic-gate	return (0);
7c478bd9Sstevel@tonic-gate}
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate/*
7c478bd9Sstevel@tonic-gate * ESP module close routine.
7c478bd9Sstevel@tonic-gate */
5e1743f0SToomas Soome/* ARGSUSED */
7c478bd9Sstevel@tonic-gatestatic int
5e1743f0SToomas Soomeipsecesp_close(queue_t *q, int flags __unused, cred_t *credp __unused)
7c478bd9Sstevel@tonic-gate{
f4b3ec61Sdh155122	ipsecesp_stack_t	*espstack = (ipsecesp_stack_t *)q->q_ptr;
f4b3ec61Sdh155122
7c478bd9Sstevel@tonic-gate	/*
7c478bd9Sstevel@tonic-gate	 * Clean up q_ptr, if needed.
7c478bd9Sstevel@tonic-gate	 */
7c478bd9Sstevel@tonic-gate	qprocsoff(q);
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	/* Keysock queue check is safe, because of OCEXCL perimeter. */
7c478bd9Sstevel@tonic-gate
f4b3ec61Sdh155122	if (q == espstack->esp_pfkey_q) {
f4b3ec61Sdh155122		esp1dbg(espstack,
f4b3ec61Sdh155122		    ("ipsecesp_close:  Ummm... keysock is closing ESP.\n"));
f4b3ec61Sdh155122		espstack->esp_pfkey_q = NULL;
7c478bd9Sstevel@tonic-gate		/* Detach qtimeouts. */
f4b3ec61Sdh155122		(void) quntimeout(q, espstack->esp_event);
7c478bd9Sstevel@tonic-gate	}
7c478bd9Sstevel@tonic-gate
f4b3ec61Sdh155122	netstack_rele(espstack->ipsecesp_netstack);
7c478bd9Sstevel@tonic-gate	return (0);
7c478bd9Sstevel@tonic-gate}
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate/*
7c478bd9Sstevel@tonic-gate * Add a number of bytes to what the SA has protected so far.  Return
7c478bd9Sstevel@tonic-gate * B_TRUE if the SA can still protect that many bytes.
7c478bd9Sstevel@tonic-gate *
7c478bd9Sstevel@tonic-gate * Caller must REFRELE the passed-in assoc.  This function must REFRELE
7c478bd9Sstevel@tonic-gate * any obtained peer SA.
7c478bd9Sstevel@tonic-gate */
7c478bd9Sstevel@tonic-gatestatic boolean_t
7c478bd9Sstevel@tonic-gateesp_age_bytes(ipsa_t *assoc, uint64_t bytes, boolean_t inbound)
7c478bd9Sstevel@tonic-gate{
7c478bd9Sstevel@tonic-gate	ipsa_t *inassoc, *outassoc;
7c478bd9Sstevel@tonic-gate	isaf_t *bucket;
7c478bd9Sstevel@tonic-gate	boolean_t inrc, outrc, isv6;
7c478bd9Sstevel@tonic-gate	sadb_t *sp;
7c478bd9Sstevel@tonic-gate	int outhash;
f4b3ec61Sdh155122	netstack_t		*ns = assoc->ipsa_netstack;
f4b3ec61Sdh155122	ipsecesp_stack_t	*espstack = ns->netstack_ipsecesp;
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	/* No peer?  No problem! */
7c478bd9Sstevel@tonic-gate	if (!assoc->ipsa_haspeer) {
f4b3ec61Sdh155122		return (sadb_age_bytes(espstack->esp_pfkey_q, assoc, bytes,
7c478bd9Sstevel@tonic-gate		    B_TRUE));
7c478bd9Sstevel@tonic-gate	}
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	/*
7c478bd9Sstevel@tonic-gate	 * Otherwise, we want to grab both the original assoc and its peer.
7c478bd9Sstevel@tonic-gate	 * There might be a race for this, but if it's a real race, two
7c478bd9Sstevel@tonic-gate	 * expire messages may occur.  We limit this by only sending the
7c478bd9Sstevel@tonic-gate	 * expire message on one of the peers, we'll pick the inbound
7c478bd9Sstevel@tonic-gate	 * arbitrarily.
7c478bd9Sstevel@tonic-gate	 *
7c478bd9Sstevel@tonic-gate	 * If we need tight synchronization on the peer SA, then we need to
7c478bd9Sstevel@tonic-gate	 * reconsider.
7c478bd9Sstevel@tonic-gate	 */
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	/* Use address length to select IPv6/IPv4 */
7c478bd9Sstevel@tonic-gate	isv6 = (assoc->ipsa_addrfam == AF_INET6);
f4b3ec61Sdh155122	sp = isv6 ? &espstack->esp_sadb.s_v6 : &espstack->esp_sadb.s_v4;
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	if (inbound) {
7c478bd9Sstevel@tonic-gate		inassoc = assoc;
7c478bd9Sstevel@tonic-gate		if (isv6) {
fb87b5d2Ssommerfe			outhash = OUTBOUND_HASH_V6(sp, *((in6_addr_t *)
7c478bd9Sstevel@tonic-gate			    &inassoc->ipsa_dstaddr));
7c478bd9Sstevel@tonic-gate		} else {
fb87b5d2Ssommerfe			outhash = OUTBOUND_HASH_V4(sp, *((ipaddr_t *)
7c478bd9Sstevel@tonic-gate			    &inassoc->ipsa_dstaddr));
7c478bd9Sstevel@tonic-gate		}
7c478bd9Sstevel@tonic-gate		bucket = &sp->sdb_of[outhash];
7c478bd9Sstevel@tonic-gate		mutex_enter(&bucket->isaf_lock);
7c478bd9Sstevel@tonic-gate		outassoc = ipsec_getassocbyspi(bucket, inassoc->ipsa_spi,
7c478bd9Sstevel@tonic-gate		    inassoc->ipsa_srcaddr, inassoc->ipsa_dstaddr,
7c478bd9Sstevel@tonic-gate		    inassoc->ipsa_addrfam);
7c478bd9Sstevel@tonic-gate		mutex_exit(&bucket->isaf_lock);
7c478bd9Sstevel@tonic-gate		if (outassoc == NULL) {
7c478bd9Sstevel@tonic-gate			/* Q: Do we wish to set haspeer == B_FALSE? */
7c478bd9Sstevel@tonic-gate			esp0dbg(("esp_age_bytes: "
7c478bd9Sstevel@tonic-gate			    "can't find peer for inbound.\n"));
f4b3ec61Sdh155122			return (sadb_age_bytes(espstack->esp_pfkey_q, inassoc,
7c478bd9Sstevel@tonic-gate			    bytes, B_TRUE));
7c478bd9Sstevel@tonic-gate		}
7c478bd9Sstevel@tonic-gate	} else {
7c478bd9Sstevel@tonic-gate		outassoc = assoc;
fb87b5d2Ssommerfe		bucket = INBOUND_BUCKET(sp, outassoc->ipsa_spi);
7c478bd9Sstevel@tonic-gate		mutex_enter(&bucket->isaf_lock);
7c478bd9Sstevel@tonic-gate		inassoc = ipsec_getassocbyspi(bucket, outassoc->ipsa_spi,
7c478bd9Sstevel@tonic-gate		    outassoc->ipsa_srcaddr, outassoc->ipsa_dstaddr,
7c478bd9Sstevel@tonic-gate		    outassoc->ipsa_addrfam);
7c478bd9Sstevel@tonic-gate		mutex_exit(&bucket->isaf_lock);
7c478bd9Sstevel@tonic-gate		if (inassoc == NULL) {
7c478bd9Sstevel@tonic-gate			/* Q: Do we wish to set haspeer == B_FALSE? */
7c478bd9Sstevel@tonic-gate			esp0dbg(("esp_age_bytes: "
7c478bd9Sstevel@tonic-gate			    "can't find peer for outbound.\n"));
f4b3ec61Sdh155122			return (sadb_age_bytes(espstack->esp_pfkey_q, outassoc,
7c478bd9Sstevel@tonic-gate			    bytes, B_TRUE));
7c478bd9Sstevel@tonic-gate		}
7c478bd9Sstevel@tonic-gate	}
7c478bd9Sstevel@tonic-gate
f4b3ec61Sdh155122	inrc = sadb_age_bytes(espstack->esp_pfkey_q, inassoc, bytes, B_TRUE);
f4b3ec61Sdh155122	outrc = sadb_age_bytes(espstack->esp_pfkey_q, outassoc, bytes, B_FALSE);
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	/*
7c478bd9Sstevel@tonic-gate	 * REFRELE any peer SA.
7c478bd9Sstevel@tonic-gate	 *
7c478bd9Sstevel@tonic-gate	 * Because of the multi-line macro nature of IPSA_REFRELE, keep
7c478bd9Sstevel@tonic-gate	 * them in { }.
7c478bd9Sstevel@tonic-gate	 */
7c478bd9Sstevel@tonic-gate	if (inbound) {
7c478bd9Sstevel@tonic-gate		IPSA_REFRELE(outassoc);
7c478bd9Sstevel@tonic-gate	} else {
7c478bd9Sstevel@tonic-gate		IPSA_REFRELE(inassoc);
7c478bd9Sstevel@tonic-gate	}
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	return (inrc && outrc);
7c478bd9Sstevel@tonic-gate}
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate/*
7c478bd9Sstevel@tonic-gate * Do incoming NAT-T manipulations for packet.
bd670b35SErik Nordmark * Returns NULL if the mblk chain is consumed.
7c478bd9Sstevel@tonic-gate */
bd670b35SErik Nordmarkstatic mblk_t *
7c478bd9Sstevel@tonic-gateesp_fix_natt_checksums(mblk_t *data_mp, ipsa_t *assoc)
7c478bd9Sstevel@tonic-gate{
7c478bd9Sstevel@tonic-gate	ipha_t *ipha = (ipha_t *)data_mp->b_rptr;
bd670b35SErik Nordmark	tcpha_t *tcpha;
7c478bd9Sstevel@tonic-gate	udpha_t *udpha;
7c478bd9Sstevel@tonic-gate	/* Initialize to our inbound cksum adjustment... */
7c478bd9Sstevel@tonic-gate	uint32_t sum = assoc->ipsa_inbound_cksum;
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	switch (ipha->ipha_protocol) {
7c478bd9Sstevel@tonic-gate	case IPPROTO_TCP:
bd670b35SErik Nordmark		tcpha = (tcpha_t *)(data_mp->b_rptr +
7c478bd9Sstevel@tonic-gate		    IPH_HDR_LENGTH(ipha));
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate#define	DOWN_SUM(x) (x) = ((x) & 0xFFFF) +	 ((x) >> 16)
bd670b35SErik Nordmark		sum += ~ntohs(tcpha->tha_sum) & 0xFFFF;
7c478bd9Sstevel@tonic-gate		DOWN_SUM(sum);
7c478bd9Sstevel@tonic-gate		DOWN_SUM(sum);
bd670b35SErik Nordmark		tcpha->tha_sum = ~htons(sum);
7c478bd9Sstevel@tonic-gate		break;
7c478bd9Sstevel@tonic-gate	case IPPROTO_UDP:
7c478bd9Sstevel@tonic-gate		udpha = (udpha_t *)(data_mp->b_rptr + IPH_HDR_LENGTH(ipha));
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate		if (udpha->uha_checksum != 0) {
7c478bd9Sstevel@tonic-gate			/* Adujst if the inbound one was not zero. */
7c478bd9Sstevel@tonic-gate			sum += ~ntohs(udpha->uha_checksum) & 0xFFFF;
7c478bd9Sstevel@tonic-gate			DOWN_SUM(sum);
7c478bd9Sstevel@tonic-gate			DOWN_SUM(sum);
7c478bd9Sstevel@tonic-gate			udpha->uha_checksum = ~htons(sum);
7c478bd9Sstevel@tonic-gate			if (udpha->uha_checksum == 0)
7c478bd9Sstevel@tonic-gate				udpha->uha_checksum = 0xFFFF;
7c478bd9Sstevel@tonic-gate		}
7c478bd9Sstevel@tonic-gate#undef DOWN_SUM
7c478bd9Sstevel@tonic-gate		break;
7c478bd9Sstevel@tonic-gate	case IPPROTO_IP:
7c478bd9Sstevel@tonic-gate		/*
7c478bd9Sstevel@tonic-gate		 * This case is only an issue for self-encapsulated
7c478bd9Sstevel@tonic-gate		 * packets.  So for now, fall through.
7c478bd9Sstevel@tonic-gate		 */
7c478bd9Sstevel@tonic-gate		break;
7c478bd9Sstevel@tonic-gate	}
bd670b35SErik Nordmark	return (data_mp);
7c478bd9Sstevel@tonic-gate}
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate/*
32350c00Sdanmcd * Strip ESP header, check padding, and fix IP header.
7c478bd9Sstevel@tonic-gate * Returns B_TRUE on success, B_FALSE if an error occured.
7c478bd9Sstevel@tonic-gate */
7c478bd9Sstevel@tonic-gatestatic boolean_t
7c478bd9Sstevel@tonic-gateesp_strip_header(mblk_t *data_mp, boolean_t isv4, uint32_t ivlen,
f4b3ec61Sdh155122    kstat_named_t **counter, ipsecesp_stack_t *espstack)
7c478bd9Sstevel@tonic-gate{
7c478bd9Sstevel@tonic-gate	ipha_t *ipha;
7c478bd9Sstevel@tonic-gate	ip6_t *ip6h;
7c478bd9Sstevel@tonic-gate	uint_t divpoint;
7c478bd9Sstevel@tonic-gate	mblk_t *scratch;
7c478bd9Sstevel@tonic-gate	uint8_t nexthdr, padlen;
7c478bd9Sstevel@tonic-gate	uint8_t lastpad;
f4b3ec61Sdh155122	ipsec_stack_t	*ipss = espstack->ipsecesp_netstack->netstack_ipsec;
32350c00Sdanmcd	uint8_t *lastbyte;
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	/*
7c478bd9Sstevel@tonic-gate	 * Strip ESP data and fix IP header.
7c478bd9Sstevel@tonic-gate	 *
7c478bd9Sstevel@tonic-gate	 * XXX In case the beginning of esp_inbound() changes to not do a
7c478bd9Sstevel@tonic-gate	 * pullup, this part of the code can remain unchanged.
7c478bd9Sstevel@tonic-gate	 */
7c478bd9Sstevel@tonic-gate	if (isv4) {
7c478bd9Sstevel@tonic-gate		ASSERT((data_mp->b_wptr - data_mp->b_rptr) >= sizeof (ipha_t));
7c478bd9Sstevel@tonic-gate		ipha = (ipha_t *)data_mp->b_rptr;
7c478bd9Sstevel@tonic-gate		ASSERT((data_mp->b_wptr - data_mp->b_rptr) >= sizeof (esph_t) +
7c478bd9Sstevel@tonic-gate		    IPH_HDR_LENGTH(ipha));
7c478bd9Sstevel@tonic-gate		divpoint = IPH_HDR_LENGTH(ipha);
7c478bd9Sstevel@tonic-gate	} else {
7c478bd9Sstevel@tonic-gate		ASSERT((data_mp->b_wptr - data_mp->b_rptr) >= sizeof (ip6_t));
7c478bd9Sstevel@tonic-gate		ip6h = (ip6_t *)data_mp->b_rptr;
7c478bd9Sstevel@tonic-gate		divpoint = ip_hdr_length_v6(data_mp, ip6h);
7c478bd9Sstevel@tonic-gate	}
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	scratch = data_mp;
7c478bd9Sstevel@tonic-gate	while (scratch->b_cont != NULL)
7c478bd9Sstevel@tonic-gate		scratch = scratch->b_cont;
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	ASSERT((scratch->b_wptr - scratch->b_rptr) >= 3);
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	/*
7c478bd9Sstevel@tonic-gate	 * "Next header" and padding length are the last two bytes in the
7c478bd9Sstevel@tonic-gate	 * ESP-protected datagram, thus the explicit - 1 and - 2.
7c478bd9Sstevel@tonic-gate	 * lastpad is the last byte of the padding, which can be used for
7c478bd9Sstevel@tonic-gate	 * a quick check to see if the padding is correct.
7c478bd9Sstevel@tonic-gate	 */
32350c00Sdanmcd	lastbyte = scratch->b_wptr - 1;
32350c00Sdanmcd	nexthdr = *lastbyte--;
32350c00Sdanmcd	padlen = *lastbyte--;
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	if (isv4) {
7c478bd9Sstevel@tonic-gate		/* Fix part of the IP header. */
7c478bd9Sstevel@tonic-gate		ipha->ipha_protocol = nexthdr;
7c478bd9Sstevel@tonic-gate		/*
7c478bd9Sstevel@tonic-gate		 * Reality check the padlen.  The explicit - 2 is for the
7c478bd9Sstevel@tonic-gate		 * padding length and the next-header bytes.
7c478bd9Sstevel@tonic-gate		 */
7c478bd9Sstevel@tonic-gate		if (padlen >= ntohs(ipha->ipha_length) - sizeof (ipha_t) - 2 -
7c478bd9Sstevel@tonic-gate		    sizeof (esph_t) - ivlen) {
f4b3ec61Sdh155122			ESP_BUMP_STAT(espstack, bad_decrypt);
f4b3ec61Sdh155122			ipsec_rl_strlog(espstack->ipsecesp_netstack,
f4b3ec61Sdh155122			    info.mi_idnum, 0, 0,
f4b3ec61Sdh155122			    SL_ERROR | SL_WARN,
32350c00Sdanmcd			    "Corrupt ESP packet (padlen too big).\n");
f4b3ec61Sdh155122			esp1dbg(espstack, ("padlen (%d) is greater than:\n",
f4b3ec61Sdh155122			    padlen));
f4b3ec61Sdh155122			esp1dbg(espstack, ("pkt len(%d) - ip hdr - esp "
f4b3ec61Sdh155122			    "hdr - ivlen(%d) = %d.\n",
f4b3ec61Sdh155122			    ntohs(ipha->ipha_length), ivlen,
7c478bd9Sstevel@tonic-gate			    (int)(ntohs(ipha->ipha_length) - sizeof (ipha_t) -
7c478bd9Sstevel@tonic-gate			    2 - sizeof (esph_t) - ivlen)));
f4b3ec61Sdh155122			*counter = DROPPER(ipss, ipds_esp_bad_padlen);
7c478bd9Sstevel@tonic-gate			return (B_FALSE);
7c478bd9Sstevel@tonic-gate		}
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate		/*
7c478bd9Sstevel@tonic-gate		 * Fix the rest of the header.  The explicit - 2 is for the
7c478bd9Sstevel@tonic-gate		 * padding length and the next-header bytes.
7c478bd9Sstevel@tonic-gate		 */
7c478bd9Sstevel@tonic-gate		ipha->ipha_length = htons(ntohs(ipha->ipha_length) - padlen -
7c478bd9Sstevel@tonic-gate		    2 - sizeof (esph_t) - ivlen);
7c478bd9Sstevel@tonic-gate		ipha->ipha_hdr_checksum = 0;
7c478bd9Sstevel@tonic-gate		ipha->ipha_hdr_checksum = (uint16_t)ip_csum_hdr(ipha);
7c478bd9Sstevel@tonic-gate	} else {
7c478bd9Sstevel@tonic-gate		if (ip6h->ip6_nxt == IPPROTO_ESP) {
7c478bd9Sstevel@tonic-gate			ip6h->ip6_nxt = nexthdr;
7c478bd9Sstevel@tonic-gate		} else {
bd670b35SErik Nordmark			ip_pkt_t ipp;
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate			bzero(&ipp, sizeof (ipp));
bd670b35SErik Nordmark			(void) ip_find_hdr_v6(data_mp, ip6h, B_FALSE, &ipp,
bd670b35SErik Nordmark			    NULL);
7c478bd9Sstevel@tonic-gate			if (ipp.ipp_dstopts != NULL) {
7c478bd9Sstevel@tonic-gate				ipp.ipp_dstopts->ip6d_nxt = nexthdr;
7c478bd9Sstevel@tonic-gate			} else if (ipp.ipp_rthdr != NULL) {
7c478bd9Sstevel@tonic-gate				ipp.ipp_rthdr->ip6r_nxt = nexthdr;
7c478bd9Sstevel@tonic-gate			} else if (ipp.ipp_hopopts != NULL) {
7c478bd9Sstevel@tonic-gate				ipp.ipp_hopopts->ip6h_nxt = nexthdr;
7c478bd9Sstevel@tonic-gate			} else {
7c478bd9Sstevel@tonic-gate				/* Panic a DEBUG kernel. */
7c478bd9Sstevel@tonic-gate				ASSERT(ipp.ipp_hopopts != NULL);
7c478bd9Sstevel@tonic-gate				/* Otherwise, pretend it's IP + ESP. */
7c478bd9Sstevel@tonic-gate				cmn_err(CE_WARN, "ESP IPv6 headers wrong.\n");
7c478bd9Sstevel@tonic-gate				ip6h->ip6_nxt = nexthdr;
7c478bd9Sstevel@tonic-gate			}
7c478bd9Sstevel@tonic-gate		}
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate		if (padlen >= ntohs(ip6h->ip6_plen) - 2 - sizeof (esph_t) -
7c478bd9Sstevel@tonic-gate		    ivlen) {
f4b3ec61Sdh155122			ESP_BUMP_STAT(espstack, bad_decrypt);
f4b3ec61Sdh155122			ipsec_rl_strlog(espstack->ipsecesp_netstack,
f4b3ec61Sdh155122			    info.mi_idnum, 0, 0,
f4b3ec61Sdh155122			    SL_ERROR | SL_WARN,
32350c00Sdanmcd			    "Corrupt ESP packet (v6 padlen too big).\n");
f4b3ec61Sdh155122			esp1dbg(espstack, ("padlen (%d) is greater than:\n",
f4b3ec61Sdh155122			    padlen));
437220cdSdanmcd			esp1dbg(espstack,
437220cdSdanmcd			    ("pkt len(%u) - ip hdr - esp hdr - ivlen(%d) = "
437220cdSdanmcd			    "%u.\n", (unsigned)(ntohs(ip6h->ip6_plen)
7c478bd9Sstevel@tonic-gate			    + sizeof (ip6_t)), ivlen,
7c478bd9Sstevel@tonic-gate			    (unsigned)(ntohs(ip6h->ip6_plen) - 2 -
7c478bd9Sstevel@tonic-gate			    sizeof (esph_t) - ivlen)));
f4b3ec61Sdh155122			*counter = DROPPER(ipss, ipds_esp_bad_padlen);
7c478bd9Sstevel@tonic-gate			return (B_FALSE);
7c478bd9Sstevel@tonic-gate		}
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate		/*
7c478bd9Sstevel@tonic-gate		 * Fix the rest of the header.  The explicit - 2 is for the
7c478bd9Sstevel@tonic-gate		 * padding length and the next-header bytes.  IPv6 is nice,
7c478bd9Sstevel@tonic-gate		 * because there's no hdr checksum!
7c478bd9Sstevel@tonic-gate		 */
7c478bd9Sstevel@tonic-gate		ip6h->ip6_plen = htons(ntohs(ip6h->ip6_plen) - padlen -
7c478bd9Sstevel@tonic-gate		    2 - sizeof (esph_t) - ivlen);
7c478bd9Sstevel@tonic-gate	}
7c478bd9Sstevel@tonic-gate
f4b3ec61Sdh155122	if (espstack->ipsecesp_padding_check > 0 && padlen > 0) {
32350c00Sdanmcd		/*
32350c00Sdanmcd		 * Weak padding check: compare last-byte to length, they
32350c00Sdanmcd		 * should be equal.
32350c00Sdanmcd		 */
32350c00Sdanmcd		lastpad = *lastbyte--;
32350c00Sdanmcd
32350c00Sdanmcd		if (padlen != lastpad) {
f4b3ec61Sdh155122			ipsec_rl_strlog(espstack->ipsecesp_netstack,
f4b3ec61Sdh155122			    info.mi_idnum, 0, 0, SL_ERROR | SL_WARN,
32350c00Sdanmcd			    "Corrupt ESP packet (lastpad != padlen).\n");
f4b3ec61Sdh155122			esp1dbg(espstack,
f4b3ec61Sdh155122			    ("lastpad (%d) not equal to padlen (%d):\n",
7c478bd9Sstevel@tonic-gate			    lastpad, padlen));
f4b3ec61Sdh155122			ESP_BUMP_STAT(espstack, bad_padding);
f4b3ec61Sdh155122			*counter = DROPPER(ipss, ipds_esp_bad_padding);
7c478bd9Sstevel@tonic-gate			return (B_FALSE);
7c478bd9Sstevel@tonic-gate		}
7c478bd9Sstevel@tonic-gate
32350c00Sdanmcd		/*
32350c00Sdanmcd		 * Strong padding check: Check all pad bytes to see that
32350c00Sdanmcd		 * they're ascending.  Go backwards using a descending counter
32350c00Sdanmcd		 * to verify.  padlen == 1 is checked by previous block, so
32350c00Sdanmcd		 * only bother if we've more than 1 byte of padding.
32350c00Sdanmcd		 * Consequently, start the check one byte before the location
32350c00Sdanmcd		 * of "lastpad".
32350c00Sdanmcd		 */
f4b3ec61Sdh155122		if (espstack->ipsecesp_padding_check > 1) {
32350c00Sdanmcd			/*
32350c00Sdanmcd			 * This assert may have to become an if and a pullup
32350c00Sdanmcd			 * if we start accepting multi-dblk mblks. For now,
32350c00Sdanmcd			 * though, any packet here will have been pulled up in
32350c00Sdanmcd			 * esp_inbound.
32350c00Sdanmcd			 */
32350c00Sdanmcd			ASSERT(MBLKL(scratch) >= lastpad + 3);
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate			/*
32350c00Sdanmcd			 * Use "--lastpad" because we already checked the very
32350c00Sdanmcd			 * last pad byte previously.
7c478bd9Sstevel@tonic-gate			 */
32350c00Sdanmcd			while (--lastpad != 0) {
32350c00Sdanmcd				if (lastpad != *lastbyte) {
f4b3ec61Sdh155122					ipsec_rl_strlog(
f4b3ec61Sdh155122					    espstack->ipsecesp_netstack,
f4b3ec61Sdh155122					    info.mi_idnum, 0, 0,
32350c00Sdanmcd					    SL_ERROR | SL_WARN, "Corrupt ESP "
32350c00Sdanmcd					    "packet (bad padding).\n");
f4b3ec61Sdh155122					esp1dbg(espstack,
f4b3ec61Sdh155122					    ("padding not in correct"
7c478bd9Sstevel@tonic-gate					    " format:\n"));
f4b3ec61Sdh155122					ESP_BUMP_STAT(espstack, bad_padding);
f4b3ec61Sdh155122					*counter = DROPPER(ipss,
f4b3ec61Sdh155122					    ipds_esp_bad_padding);
7c478bd9Sstevel@tonic-gate					return (B_FALSE);
7c478bd9Sstevel@tonic-gate				}
32350c00Sdanmcd				lastbyte--;
32350c00Sdanmcd			}
7c478bd9Sstevel@tonic-gate		}
7c478bd9Sstevel@tonic-gate	}
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	/* Trim off the padding. */
7c478bd9Sstevel@tonic-gate	ASSERT(data_mp->b_cont == NULL);
7c478bd9Sstevel@tonic-gate	data_mp->b_wptr -= (padlen + 2);
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	/*
7c478bd9Sstevel@tonic-gate	 * Remove the ESP header.
7c478bd9Sstevel@tonic-gate	 *
7c478bd9Sstevel@tonic-gate	 * The above assertions about data_mp's size will make this work.
7c478bd9Sstevel@tonic-gate	 *
7c478bd9Sstevel@tonic-gate	 * XXX  Question:  If I send up and get back a contiguous mblk,
7c478bd9Sstevel@tonic-gate	 * would it be quicker to bcopy over, or keep doing the dupb stuff?
7c478bd9Sstevel@tonic-gate	 * I go with copying for now.
7c478bd9Sstevel@tonic-gate	 */
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	if (IS_P2ALIGNED(data_mp->b_rptr, sizeof (uint32_t)) &&
7c478bd9Sstevel@tonic-gate	    IS_P2ALIGNED(ivlen, sizeof (uint32_t))) {
7c478bd9Sstevel@tonic-gate		uint8_t *start = data_mp->b_rptr;
7c478bd9Sstevel@tonic-gate		uint32_t *src, *dst;
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate		src = (uint32_t *)(start + divpoint);
7c478bd9Sstevel@tonic-gate		dst = (uint32_t *)(start + divpoint + sizeof (esph_t) + ivlen);
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate		ASSERT(IS_P2ALIGNED(dst, sizeof (uint32_t)) &&
7c478bd9Sstevel@tonic-gate		    IS_P2ALIGNED(src, sizeof (uint32_t)));
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate		do {
7c478bd9Sstevel@tonic-gate			src--;
7c478bd9Sstevel@tonic-gate			dst--;
7c478bd9Sstevel@tonic-gate			*dst = *src;
7c478bd9Sstevel@tonic-gate		} while (src != (uint32_t *)start);
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate		data_mp->b_rptr = (uchar_t *)dst;
7c478bd9Sstevel@tonic-gate	} else {
7c478bd9Sstevel@tonic-gate		uint8_t *start = data_mp->b_rptr;
7c478bd9Sstevel@tonic-gate		uint8_t *src, *dst;
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate		src = start + divpoint;
7c478bd9Sstevel@tonic-gate		dst = src + sizeof (esph_t) + ivlen;
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate		do {
7c478bd9Sstevel@tonic-gate			src--;
7c478bd9Sstevel@tonic-gate			dst--;
7c478bd9Sstevel@tonic-gate			*dst = *src;
7c478bd9Sstevel@tonic-gate		} while (src != start);
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate		data_mp->b_rptr = dst;
7c478bd9Sstevel@tonic-gate	}
7c478bd9Sstevel@tonic-gate
f4b3ec61Sdh155122	esp2dbg(espstack, ("data_mp after inbound ESP adjustment:\n"));
f4b3ec61Sdh155122	esp2dbg(espstack, (dump_msg(data_mp)));
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	return (B_TRUE);
7c478bd9Sstevel@tonic-gate}
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate/*
7c478bd9Sstevel@tonic-gate * Updating use times can be tricky business if the ipsa_haspeer flag is
7c478bd9Sstevel@tonic-gate * set.  This function is called once in an SA's lifetime.
7c478bd9Sstevel@tonic-gate *
7c478bd9Sstevel@tonic-gate * Caller has to REFRELE "assoc" which is passed in.  This function has
7c478bd9Sstevel@tonic-gate * to REFRELE any peer SA that is obtained.
7c478bd9Sstevel@tonic-gate */
7c478bd9Sstevel@tonic-gatestatic void
7c478bd9Sstevel@tonic-gateesp_set_usetime(ipsa_t *assoc, boolean_t inbound)
7c478bd9Sstevel@tonic-gate{
7c478bd9Sstevel@tonic-gate	ipsa_t *inassoc, *outassoc;
7c478bd9Sstevel@tonic-gate	isaf_t *bucket;
7c478bd9Sstevel@tonic-gate	sadb_t *sp;
7c478bd9Sstevel@tonic-gate	int outhash;
7c478bd9Sstevel@tonic-gate	boolean_t isv6;
f4b3ec61Sdh155122	netstack_t		*ns = assoc->ipsa_netstack;
f4b3ec61Sdh155122	ipsecesp_stack_t	*espstack = ns->netstack_ipsecesp;
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	/* No peer?  No problem! */
7c478bd9Sstevel@tonic-gate	if (!assoc->ipsa_haspeer) {
7c478bd9Sstevel@tonic-gate		sadb_set_usetime(assoc);
7c478bd9Sstevel@tonic-gate		return;
7c478bd9Sstevel@tonic-gate	}
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	/*
7c478bd9Sstevel@tonic-gate	 * Otherwise, we want to grab both the original assoc and its peer.
7c478bd9Sstevel@tonic-gate	 * There might be a race for this, but if it's a real race, the times
7c478bd9Sstevel@tonic-gate	 * will be out-of-synch by at most a second, and since our time
7c478bd9Sstevel@tonic-gate	 * granularity is a second, this won't be a problem.
7c478bd9Sstevel@tonic-gate	 *
7c478bd9Sstevel@tonic-gate	 * If we need tight synchronization on the peer SA, then we need to
7c478bd9Sstevel@tonic-gate	 * reconsider.
7c478bd9Sstevel@tonic-gate	 */
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	/* Use address length to select IPv6/IPv4 */
7c478bd9Sstevel@tonic-gate	isv6 = (assoc->ipsa_addrfam == AF_INET6);
f4b3ec61Sdh155122	sp = isv6 ? &espstack->esp_sadb.s_v6 : &espstack->esp_sadb.s_v4;
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	if (inbound) {
7c478bd9Sstevel@tonic-gate		inassoc = assoc;
7c478bd9Sstevel@tonic-gate		if (isv6) {
fb87b5d2Ssommerfe			outhash = OUTBOUND_HASH_V6(sp, *((in6_addr_t *)
7c478bd9Sstevel@tonic-gate			    &inassoc->ipsa_dstaddr));
7c478bd9Sstevel@tonic-gate		} else {
fb87b5d2Ssommerfe			outhash = OUTBOUND_HASH_V4(sp, *((ipaddr_t *)
7c478bd9Sstevel@tonic-gate			    &inassoc->ipsa_dstaddr));
7c478bd9Sstevel@tonic-gate		}
7c478bd9Sstevel@tonic-gate		bucket = &sp->sdb_of[outhash];
7c478bd9Sstevel@tonic-gate		mutex_enter(&bucket->isaf_lock);
7c478bd9Sstevel@tonic-gate		outassoc = ipsec_getassocbyspi(bucket, inassoc->ipsa_spi,
7c478bd9Sstevel@tonic-gate		    inassoc->ipsa_srcaddr, inassoc->ipsa_dstaddr,
7c478bd9Sstevel@tonic-gate		    inassoc->ipsa_addrfam);
7c478bd9Sstevel@tonic-gate		mutex_exit(&bucket->isaf_lock);
7c478bd9Sstevel@tonic-gate		if (outassoc == NULL) {
7c478bd9Sstevel@tonic-gate			/* Q: Do we wish to set haspeer == B_FALSE? */
7c478bd9Sstevel@tonic-gate			esp0dbg(("esp_set_usetime: "
7c478bd9Sstevel@tonic-gate			    "can't find peer for inbound.\n"));
7c478bd9Sstevel@tonic-gate			sadb_set_usetime(inassoc);
7c478bd9Sstevel@tonic-gate			return;
7c478bd9Sstevel@tonic-gate		}
7c478bd9Sstevel@tonic-gate	} else {
7c478bd9Sstevel@tonic-gate		outassoc = assoc;
fb87b5d2Ssommerfe		bucket = INBOUND_BUCKET(sp, outassoc->ipsa_spi);
7c478bd9Sstevel@tonic-gate		mutex_enter(&bucket->isaf_lock);
7c478bd9Sstevel@tonic-gate		inassoc = ipsec_getassocbyspi(bucket, outassoc->ipsa_spi,
7c478bd9Sstevel@tonic-gate		    outassoc->ipsa_srcaddr, outassoc->ipsa_dstaddr,
7c478bd9Sstevel@tonic-gate		    outassoc->ipsa_addrfam);
7c478bd9Sstevel@tonic-gate		mutex_exit(&bucket->isaf_lock);
7c478bd9Sstevel@tonic-gate		if (inassoc == NULL) {
7c478bd9Sstevel@tonic-gate			/* Q: Do we wish to set haspeer == B_FALSE? */
7c478bd9Sstevel@tonic-gate			esp0dbg(("esp_set_usetime: "
7c478bd9Sstevel@tonic-gate			    "can't find peer for outbound.\n"));
7c478bd9Sstevel@tonic-gate			sadb_set_usetime(outassoc);
7c478bd9Sstevel@tonic-gate			return;
7c478bd9Sstevel@tonic-gate		}
7c478bd9Sstevel@tonic-gate	}
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	/* Update usetime on both. */
7c478bd9Sstevel@tonic-gate	sadb_set_usetime(inassoc);
7c478bd9Sstevel@tonic-gate	sadb_set_usetime(outassoc);
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	/*
7c478bd9Sstevel@tonic-gate	 * REFRELE any peer SA.
7c478bd9Sstevel@tonic-gate	 *
7c478bd9Sstevel@tonic-gate	 * Because of the multi-line macro nature of IPSA_REFRELE, keep
7c478bd9Sstevel@tonic-gate	 * them in { }.
7c478bd9Sstevel@tonic-gate	 */
7c478bd9Sstevel@tonic-gate	if (inbound) {
7c478bd9Sstevel@tonic-gate		IPSA_REFRELE(outassoc);
7c478bd9Sstevel@tonic-gate	} else {
7c478bd9Sstevel@tonic-gate		IPSA_REFRELE(inassoc);
7c478bd9Sstevel@tonic-gate	}
7c478bd9Sstevel@tonic-gate}
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate/*
7c478bd9Sstevel@tonic-gate * Handle ESP inbound data for IPv4 and IPv6.
7c478bd9Sstevel@tonic-gate * On success returns B_TRUE, on failure returns B_FALSE and frees the
bd670b35SErik Nordmark * mblk chain data_mp.
7c478bd9Sstevel@tonic-gate */
bd670b35SErik Nordmarkmblk_t *
bd670b35SErik Nordmarkesp_inbound(mblk_t *data_mp, void *arg, ip_recv_attr_t *ira)
7c478bd9Sstevel@tonic-gate{
7c478bd9Sstevel@tonic-gate	esph_t *esph = (esph_t *)arg;
bd670b35SErik Nordmark	ipsa_t *ipsa = ira->ira_ipsec_esp_sa;
bd670b35SErik Nordmark	netstack_t	*ns = ira->ira_ill->ill_ipst->ips_netstack;
f4b3ec61Sdh155122	ipsecesp_stack_t *espstack = ns->netstack_ipsecesp;
f4b3ec61Sdh155122	ipsec_stack_t	*ipss = ns->netstack_ipsec;
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	/*
7c478bd9Sstevel@tonic-gate	 * We may wish to check replay in-range-only here as an optimization.
7c478bd9Sstevel@tonic-gate	 * Include the reality check of ipsa->ipsa_replay >
7c478bd9Sstevel@tonic-gate	 * ipsa->ipsa_replay_wsize for times when it's the first N packets,
7c478bd9Sstevel@tonic-gate	 * where N == ipsa->ipsa_replay_wsize.
7c478bd9Sstevel@tonic-gate	 *
7c478bd9Sstevel@tonic-gate	 * Another check that may come here later is the "collision" check.
7c478bd9Sstevel@tonic-gate	 * If legitimate packets flow quickly enough, this won't be a problem,
7c478bd9Sstevel@tonic-gate	 * but collisions may cause authentication algorithm crunching to
7c478bd9Sstevel@tonic-gate	 * take place when it doesn't need to.
7c478bd9Sstevel@tonic-gate	 */
7c478bd9Sstevel@tonic-gate	if (!sadb_replay_peek(ipsa, esph->esph_replay)) {
f4b3ec61Sdh155122		ESP_BUMP_STAT(espstack, replay_early_failures);
f4b3ec61Sdh155122		IP_ESP_BUMP_STAT(ipss, in_discards);
bd670b35SErik Nordmark		ip_drop_packet(data_mp, B_TRUE, ira->ira_ill,
f4b3ec61Sdh155122		    DROPPER(ipss, ipds_esp_early_replay),
f4b3ec61Sdh155122		    &espstack->esp_dropper);
bd670b35SErik Nordmark		BUMP_MIB(ira->ira_ill->ill_ip_mib, ipIfStatsInDiscards);
bd670b35SErik Nordmark		return (NULL);
7c478bd9Sstevel@tonic-gate	}
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	/*
7c478bd9Sstevel@tonic-gate	 * Adjust the IP header's payload length to reflect the removal
7c478bd9Sstevel@tonic-gate	 * of the ICV.
7c478bd9Sstevel@tonic-gate	 */
bd670b35SErik Nordmark	if (!(ira->ira_flags & IRAF_IS_IPV4)) {
7c478bd9Sstevel@tonic-gate		ip6_t *ip6h = (ip6_t *)data_mp->b_rptr;
7c478bd9Sstevel@tonic-gate		ip6h->ip6_plen = htons(ntohs(ip6h->ip6_plen) -
7c478bd9Sstevel@tonic-gate		    ipsa->ipsa_mac_len);
7c478bd9Sstevel@tonic-gate	} else {
7c478bd9Sstevel@tonic-gate		ipha_t *ipha = (ipha_t *)data_mp->b_rptr;
7c478bd9Sstevel@tonic-gate		ipha->ipha_length = htons(ntohs(ipha->ipha_length) -
7c478bd9Sstevel@tonic-gate		    ipsa->ipsa_mac_len);
7c478bd9Sstevel@tonic-gate	}
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	/* submit the request to the crypto framework */
bd670b35SErik Nordmark	return (esp_submit_req_inbound(data_mp, ira, ipsa,
7c478bd9Sstevel@tonic-gate	    (uint8_t *)esph - data_mp->b_rptr));
7c478bd9Sstevel@tonic-gate}
7c478bd9Sstevel@tonic-gate
5d3b8cb7SBill Sommerfeld/* XXX refactor me */
7c478bd9Sstevel@tonic-gate/*
7c478bd9Sstevel@tonic-gate * Handle the SADB_GETSPI message.  Create a larval SA.
7c478bd9Sstevel@tonic-gate */
7c478bd9Sstevel@tonic-gatestatic void
f4b3ec61Sdh155122esp_getspi(mblk_t *mp, keysock_in_t *ksi, ipsecesp_stack_t *espstack)
7c478bd9Sstevel@tonic-gate{
7c478bd9Sstevel@tonic-gate	ipsa_t *newbie, *target;
7c478bd9Sstevel@tonic-gate	isaf_t *outbound, *inbound;
7c478bd9Sstevel@tonic-gate	int rc, diagnostic;
7c478bd9Sstevel@tonic-gate	sadb_sa_t *assoc;
7c478bd9Sstevel@tonic-gate	keysock_out_t *kso;
7c478bd9Sstevel@tonic-gate	uint32_t newspi;
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	/*
7c478bd9Sstevel@tonic-gate	 * Randomly generate a proposed SPI value
7c478bd9Sstevel@tonic-gate	 */
9c2c14abSThejaswini Singarajipura	if (cl_inet_getspi != NULL) {
8e4b770fSLu Huafeng		cl_inet_getspi(espstack->ipsecesp_netstack->netstack_stackid,
8e4b770fSLu Huafeng		    IPPROTO_ESP, (uint8_t *)&newspi, sizeof (uint32_t), NULL);
9c2c14abSThejaswini Singarajipura	} else {
9c2c14abSThejaswini Singarajipura		(void) random_get_pseudo_bytes((uint8_t *)&newspi,
9c2c14abSThejaswini Singarajipura		    sizeof (uint32_t));
9c2c14abSThejaswini Singarajipura	}
f4b3ec61Sdh155122	newbie = sadb_getspi(ksi, newspi, &diagnostic,
9c2c14abSThejaswini Singarajipura	    espstack->ipsecesp_netstack, IPPROTO_ESP);
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	if (newbie == NULL) {
f4b3ec61Sdh155122		sadb_pfkey_error(espstack->esp_pfkey_q, mp, ENOMEM, diagnostic,
7c478bd9Sstevel@tonic-gate		    ksi->ks_in_serial);
7c478bd9Sstevel@tonic-gate		return;
7c478bd9Sstevel@tonic-gate	} else if (newbie == (ipsa_t *)-1) {
f4b3ec61Sdh155122		sadb_pfkey_error(espstack->esp_pfkey_q, mp, EINVAL, diagnostic,
7c478bd9Sstevel@tonic-gate		    ksi->ks_in_serial);
7c478bd9Sstevel@tonic-gate		return;
7c478bd9Sstevel@tonic-gate	}
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	/*
7c478bd9Sstevel@tonic-gate	 * XXX - We may randomly collide.  We really should recover from this.
7c478bd9Sstevel@tonic-gate	 *	 Unfortunately, that could require spending way-too-much-time
7c478bd9Sstevel@tonic-gate	 *	 in here.  For now, let the user retry.
7c478bd9Sstevel@tonic-gate	 */
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	if (newbie->ipsa_addrfam == AF_INET6) {
f4b3ec61Sdh155122		outbound = OUTBOUND_BUCKET_V6(&espstack->esp_sadb.s_v6,
fb87b5d2Ssommerfe		    *(uint32_t *)(newbie->ipsa_dstaddr));
f4b3ec61Sdh155122		inbound = INBOUND_BUCKET(&espstack->esp_sadb.s_v6,
f4b3ec61Sdh155122		    newbie->ipsa_spi);
7c478bd9Sstevel@tonic-gate	} else {
7c478bd9Sstevel@tonic-gate		ASSERT(newbie->ipsa_addrfam == AF_INET);
f4b3ec61Sdh155122		outbound = OUTBOUND_BUCKET_V4(&espstack->esp_sadb.s_v4,
fb87b5d2Ssommerfe		    *(uint32_t *)(newbie->ipsa_dstaddr));
f4b3ec61Sdh155122		inbound = INBOUND_BUCKET(&espstack->esp_sadb.s_v4,
f4b3ec61Sdh155122		    newbie->ipsa_spi);
7c478bd9Sstevel@tonic-gate	}
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	mutex_enter(&outbound->isaf_lock);
7c478bd9Sstevel@tonic-gate	mutex_enter(&inbound->isaf_lock);
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	/*
7c478bd9Sstevel@tonic-gate	 * Check for collisions (i.e. did sadb_getspi() return with something
7c478bd9Sstevel@tonic-gate	 * that already exists?).
7c478bd9Sstevel@tonic-gate	 *
7c478bd9Sstevel@tonic-gate	 * Try outbound first.  Even though SADB_GETSPI is traditionally
7c478bd9Sstevel@tonic-gate	 * for inbound SAs, you never know what a user might do.
7c478bd9Sstevel@tonic-gate	 */
7c478bd9Sstevel@tonic-gate	target = ipsec_getassocbyspi(outbound, newbie->ipsa_spi,
7c478bd9Sstevel@tonic-gate	    newbie->ipsa_srcaddr, newbie->ipsa_dstaddr, newbie->ipsa_addrfam);
7c478bd9Sstevel@tonic-gate	if (target == NULL) {
7c478bd9Sstevel@tonic-gate		target = ipsec_getassocbyspi(inbound, newbie->ipsa_spi,
7c478bd9Sstevel@tonic-gate		    newbie->ipsa_srcaddr, newbie->ipsa_dstaddr,
7c478bd9Sstevel@tonic-gate		    newbie->ipsa_addrfam);
7c478bd9Sstevel@tonic-gate	}
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	/*
7c478bd9Sstevel@tonic-gate	 * I don't have collisions elsewhere!
7c478bd9Sstevel@tonic-gate	 * (Nor will I because I'm still holding inbound/outbound locks.)
7c478bd9Sstevel@tonic-gate	 */
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	if (target != NULL) {
7c478bd9Sstevel@tonic-gate		rc = EEXIST;
7c478bd9Sstevel@tonic-gate		IPSA_REFRELE(target);
7c478bd9Sstevel@tonic-gate	} else {
7c478bd9Sstevel@tonic-gate		/*
7c478bd9Sstevel@tonic-gate		 * sadb_insertassoc() also checks for collisions, so
7c478bd9Sstevel@tonic-gate		 * if there's a colliding entry, rc will be set
7c478bd9Sstevel@tonic-gate		 * to EEXIST.
7c478bd9Sstevel@tonic-gate		 */
7c478bd9Sstevel@tonic-gate		rc = sadb_insertassoc(newbie, inbound);
437220cdSdanmcd		newbie->ipsa_hardexpiretime = gethrestime_sec();
f4b3ec61Sdh155122		newbie->ipsa_hardexpiretime +=
f4b3ec61Sdh155122		    espstack->ipsecesp_larval_timeout;
7c478bd9Sstevel@tonic-gate	}
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	/*
7c478bd9Sstevel@tonic-gate	 * Can exit outbound mutex.  Hold inbound until we're done
7c478bd9Sstevel@tonic-gate	 * with newbie.
7c478bd9Sstevel@tonic-gate	 */
7c478bd9Sstevel@tonic-gate	mutex_exit(&outbound->isaf_lock);
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	if (rc != 0) {
7c478bd9Sstevel@tonic-gate		mutex_exit(&inbound->isaf_lock);
7c478bd9Sstevel@tonic-gate		IPSA_REFRELE(newbie);
f4b3ec61Sdh155122		sadb_pfkey_error(espstack->esp_pfkey_q, mp, rc,
f4b3ec61Sdh155122		    SADB_X_DIAGNOSTIC_NONE, ksi->ks_in_serial);
7c478bd9Sstevel@tonic-gate		return;
7c478bd9Sstevel@tonic-gate	}
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	/* Can write here because I'm still holding the bucket lock. */
7c478bd9Sstevel@tonic-gate	newbie->ipsa_type = SADB_SATYPE_ESP;
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	/*
7c478bd9Sstevel@tonic-gate	 * Construct successful return message. We have one thing going
7c478bd9Sstevel@tonic-gate	 * for us in PF_KEY v2.  That's the fact that
7c478bd9Sstevel@tonic-gate	 *	sizeof (sadb_spirange_t) == sizeof (sadb_sa_t)
7c478bd9Sstevel@tonic-gate	 */
7c478bd9Sstevel@tonic-gate	assoc = (sadb_sa_t *)ksi->ks_in_extv[SADB_EXT_SPIRANGE];
7c478bd9Sstevel@tonic-gate	assoc->sadb_sa_exttype = SADB_EXT_SA;
7c478bd9Sstevel@tonic-gate	assoc->sadb_sa_spi = newbie->ipsa_spi;
7c478bd9Sstevel@tonic-gate	*((uint64_t *)(&assoc->sadb_sa_replay)) = 0;
7c478bd9Sstevel@tonic-gate	mutex_exit(&inbound->isaf_lock);
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	/* Convert KEYSOCK_IN to KEYSOCK_OUT. */
7c478bd9Sstevel@tonic-gate	kso = (keysock_out_t *)ksi;
7c478bd9Sstevel@tonic-gate	kso->ks_out_len = sizeof (*kso);
7c478bd9Sstevel@tonic-gate	kso->ks_out_serial = ksi->ks_in_serial;
7c478bd9Sstevel@tonic-gate	kso->ks_out_type = KEYSOCK_OUT;
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	/*
7c478bd9Sstevel@tonic-gate	 * Can safely putnext() to esp_pfkey_q, because this is a turnaround
7c478bd9Sstevel@tonic-gate	 * from the esp_pfkey_q.
7c478bd9Sstevel@tonic-gate	 */
f4b3ec61Sdh155122	putnext(espstack->esp_pfkey_q, mp);
7c478bd9Sstevel@tonic-gate}
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate/*
7c478bd9Sstevel@tonic-gate * Insert the ESP header into a packet.  Duplicate an mblk, and insert a newly
7c478bd9Sstevel@tonic-gate * allocated mblk with the ESP header in between the two.
7c478bd9Sstevel@tonic-gate */
7c478bd9Sstevel@tonic-gatestatic boolean_t
f4b3ec61Sdh155122esp_insert_esp(mblk_t *mp, mblk_t *esp_mp, uint_t divpoint,
f4b3ec61Sdh155122    ipsecesp_stack_t *espstack)
7c478bd9Sstevel@tonic-gate{
7c478bd9Sstevel@tonic-gate	mblk_t *split_mp = mp;
7c478bd9Sstevel@tonic-gate	uint_t wheretodiv = divpoint;
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	while ((split_mp->b_wptr - split_mp->b_rptr) < wheretodiv) {
7c478bd9Sstevel@tonic-gate		wheretodiv -= (split_mp->b_wptr - split_mp->b_rptr);
7c478bd9Sstevel@tonic-gate		split_mp = split_mp->b_cont;
7c478bd9Sstevel@tonic-gate		ASSERT(split_mp != NULL);
7c478bd9Sstevel@tonic-gate	}
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	if (split_mp->b_wptr - split_mp->b_rptr != wheretodiv) {
7c478bd9Sstevel@tonic-gate		mblk_t *scratch;
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate		/* "scratch" is the 2nd half, split_mp is the first. */
7c478bd9Sstevel@tonic-gate		scratch = dupb(split_mp);
7c478bd9Sstevel@tonic-gate		if (scratch == NULL) {
f4b3ec61Sdh155122			esp1dbg(espstack,
f4b3ec61Sdh155122			    ("esp_insert_esp: can't allocate scratch.\n"));
7c478bd9Sstevel@tonic-gate			return (B_FALSE);
7c478bd9Sstevel@tonic-gate		}
7c478bd9Sstevel@tonic-gate		/* NOTE:  dupb() doesn't set b_cont appropriately. */
7c478bd9Sstevel@tonic-gate		scratch->b_cont = split_mp->b_cont;
7c478bd9Sstevel@tonic-gate		scratch->b_rptr += wheretodiv;
7c478bd9Sstevel@tonic-gate		split_mp->b_wptr = split_mp->b_rptr + wheretodiv;
7c478bd9Sstevel@tonic-gate		split_mp->b_cont = scratch;
7c478bd9Sstevel@tonic-gate	}
7c478bd9Sstevel@tonic-gate	/*
7c478bd9Sstevel@tonic-gate	 * At this point, split_mp is exactly "wheretodiv" bytes long, and
7c478bd9Sstevel@tonic-gate	 * holds the end of the pre-ESP part of the datagram.
7c478bd9Sstevel@tonic-gate	 */
7c478bd9Sstevel@tonic-gate	esp_mp->b_cont = split_mp->b_cont;
7c478bd9Sstevel@tonic-gate	split_mp->b_cont = esp_mp;
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	return (B_TRUE);
7c478bd9Sstevel@tonic-gate}
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate/*
4a179720Sdanmcd * Section 7 of RFC 3947 says:
4a179720Sdanmcd *
4a179720Sdanmcd * 7.  Recovering from the Expiring NAT Mappings
4a179720Sdanmcd *
4a179720Sdanmcd *    There are cases where NAT box decides to remove mappings that are still
4a179720Sdanmcd *    alive (for example, when the keepalive interval is too long, or when the
4a179720Sdanmcd *    NAT box is rebooted).  To recover from this, ends that are NOT behind
4a179720Sdanmcd *    NAT SHOULD use the last valid UDP encapsulated IKE or IPsec packet from
4a179720Sdanmcd *    the other end to determine which IP and port addresses should be used.
4a179720Sdanmcd *    The host behind dynamic NAT MUST NOT do this, as otherwise it opens a
4a179720Sdanmcd *    DoS attack possibility because the IP address or port of the other host
4a179720Sdanmcd *    will not change (it is not behind NAT).
4a179720Sdanmcd *
4a179720Sdanmcd *    Keepalives cannot be used for these purposes, as they are not
4a179720Sdanmcd *    authenticated, but any IKE authenticated IKE packet or ESP packet can be
4a179720Sdanmcd *    used to detect whether the IP address or the port has changed.
4a179720Sdanmcd *
4a179720Sdanmcd * The following function will check an SA and its explicitly-set pair to see
4a179720Sdanmcd * if the NAT-T remote port matches the received packet (which must have
4a179720Sdanmcd * passed ESP authentication, see esp_in_done() for the caller context).  If
4a179720Sdanmcd * there is a mismatch, the SAs are updated.  It is not important if we race
4a179720Sdanmcd * with a transmitting thread, as if there is a transmitting thread, it will
4a179720Sdanmcd * merely emit a packet that will most-likely be dropped.
4a179720Sdanmcd *
4a179720Sdanmcd * "ports" are ordered src,dst, and assoc is an inbound SA, where src should
4a179720Sdanmcd * match ipsa_remote_nat_port and dst should match ipsa_local_nat_port.
4a179720Sdanmcd */
4a179720Sdanmcd#ifdef _LITTLE_ENDIAN
4a179720Sdanmcd#define	FIRST_16(x) ((x) & 0xFFFF)
4a179720Sdanmcd#define	NEXT_16(x) (((x) >> 16) & 0xFFFF)
4a179720Sdanmcd#else
4a179720Sdanmcd#define	FIRST_16(x) (((x) >> 16) & 0xFFFF)
4a179720Sdanmcd#define	NEXT_16(x) ((x) & 0xFFFF)
4a179720Sdanmcd#endif
4a179720Sdanmcdstatic void
4a179720Sdanmcdesp_port_freshness(uint32_t ports, ipsa_t *assoc)
4a179720Sdanmcd{
4a179720Sdanmcd	uint16_t remote = FIRST_16(ports);
4a179720Sdanmcd	uint16_t local = NEXT_16(ports);
4a179720Sdanmcd	ipsa_t *outbound_peer;
4a179720Sdanmcd	isaf_t *bucket;
4a179720Sdanmcd	ipsecesp_stack_t *espstack = assoc->ipsa_netstack->netstack_ipsecesp;
4a179720Sdanmcd
4a179720Sdanmcd	/* We found a conn_t, therefore local != 0. */
4a179720Sdanmcd	ASSERT(local != 0);
4a179720Sdanmcd	/* Assume an IPv4 SA. */
4a179720Sdanmcd	ASSERT(assoc->ipsa_addrfam == AF_INET);
4a179720Sdanmcd
4a179720Sdanmcd	/*
4a179720Sdanmcd	 * On-the-wire rport == 0 means something's very wrong.
4a179720Sdanmcd	 * An unpaired SA is also useless to us.
4a179720Sdanmcd	 * If we are behind the NAT, don't bother.
4a179720Sdanmcd	 * A zero local NAT port defaults to 4500, so check that too.
4a179720Sdanmcd	 * And, of course, if the ports already match, we don't need to
4a179720Sdanmcd	 * bother.
4a179720Sdanmcd	 */
4a179720Sdanmcd	if (remote == 0 || assoc->ipsa_otherspi == 0 ||
4a179720Sdanmcd	    (assoc->ipsa_flags & IPSA_F_BEHIND_NAT) ||
4a179720Sdanmcd	    (assoc->ipsa_remote_nat_port == 0 &&
4a179720Sdanmcd	    remote == htons(IPPORT_IKE_NATT)) ||
4a179720Sdanmcd	    remote == assoc->ipsa_remote_nat_port)
4a179720Sdanmcd		return;
4a179720Sdanmcd
4a179720Sdanmcd	/* Try and snag the peer.   NOTE:  Assume IPv4 for now. */
4a179720Sdanmcd	bucket = OUTBOUND_BUCKET_V4(&(espstack->esp_sadb.s_v4),
4a179720Sdanmcd	    assoc->ipsa_srcaddr[0]);
4a179720Sdanmcd	mutex_enter(&bucket->isaf_lock);
4a179720Sdanmcd	outbound_peer = ipsec_getassocbyspi(bucket, assoc->ipsa_otherspi,
4a179720Sdanmcd	    assoc->ipsa_dstaddr, assoc->ipsa_srcaddr, AF_INET);
4a179720Sdanmcd	mutex_exit(&bucket->isaf_lock);
4a179720Sdanmcd
4a179720Sdanmcd	/* We probably lost a race to a deleting or expiring thread. */
4a179720Sdanmcd	if (outbound_peer == NULL)
4a179720Sdanmcd		return;
4a179720Sdanmcd
4a179720Sdanmcd	/*
4a179720Sdanmcd	 * Hold the mutexes for both SAs so we don't race another inbound
4a179720Sdanmcd	 * thread.  A lock-entry order shouldn't matter, since all other
4a179720Sdanmcd	 * per-ipsa locks are individually held-then-released.
4a179720Sdanmcd	 *
4a179720Sdanmcd	 * Luckily, this has nothing to do with the remote-NAT address,
4a179720Sdanmcd	 * so we don't have to re-scribble the cached-checksum differential.
4a179720Sdanmcd	 */
4a179720Sdanmcd	mutex_enter(&outbound_peer->ipsa_lock);
4a179720Sdanmcd	mutex_enter(&assoc->ipsa_lock);
4a179720Sdanmcd	outbound_peer->ipsa_remote_nat_port = assoc->ipsa_remote_nat_port =
4a179720Sdanmcd	    remote;
4a179720Sdanmcd	mutex_exit(&assoc->ipsa_lock);
4a179720Sdanmcd	mutex_exit(&outbound_peer->ipsa_lock);
4a179720Sdanmcd	IPSA_REFRELE(outbound_peer);
4a179720Sdanmcd	ESP_BUMP_STAT(espstack, sa_port_renumbers);
4a179720Sdanmcd}
4a179720Sdanmcd/*
7c478bd9Sstevel@tonic-gate * Finish processing of an inbound ESP packet after processing by the
7c478bd9Sstevel@tonic-gate * crypto framework.
7c478bd9Sstevel@tonic-gate * - Remove the ESP header.
7c478bd9Sstevel@tonic-gate * - Send packet back to IP.
7c478bd9Sstevel@tonic-gate * If authentication was performed on the packet, this function is called
7c478bd9Sstevel@tonic-gate * only if the authentication succeeded.
7c478bd9Sstevel@tonic-gate * On success returns B_TRUE, on failure returns B_FALSE and frees the
bd670b35SErik Nordmark * mblk chain data_mp.
7c478bd9Sstevel@tonic-gate */
bd670b35SErik Nordmarkstatic mblk_t *
bd670b35SErik Nordmarkesp_in_done(mblk_t *data_mp, ip_recv_attr_t *ira, ipsec_crypto_t *ic)
7c478bd9Sstevel@tonic-gate{
7c478bd9Sstevel@tonic-gate	ipsa_t *assoc;
7c478bd9Sstevel@tonic-gate	uint_t espstart;
7c478bd9Sstevel@tonic-gate	uint32_t ivlen = 0;
7c478bd9Sstevel@tonic-gate	uint_t processed_len;
7c478bd9Sstevel@tonic-gate	esph_t *esph;
7c478bd9Sstevel@tonic-gate	kstat_named_t *counter;
7c478bd9Sstevel@tonic-gate	boolean_t is_natt;
bd670b35SErik Nordmark	netstack_t	*ns = ira->ira_ill->ill_ipst->ips_netstack;
f4b3ec61Sdh155122	ipsecesp_stack_t *espstack = ns->netstack_ipsecesp;
f4b3ec61Sdh155122	ipsec_stack_t	*ipss = ns->netstack_ipsec;
7c478bd9Sstevel@tonic-gate
bd670b35SErik Nordmark	assoc = ira->ira_ipsec_esp_sa;
7c478bd9Sstevel@tonic-gate	ASSERT(assoc != NULL);
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	is_natt = ((assoc->ipsa_flags & IPSA_F_NATT) != 0);
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	/* get the pointer to the ESP header */
7c478bd9Sstevel@tonic-gate	if (assoc->ipsa_encr_alg == SADB_EALG_NULL) {
7c478bd9Sstevel@tonic-gate		/* authentication-only ESP */
bd670b35SErik Nordmark		espstart = ic->ic_crypto_data.cd_offset;
bd670b35SErik Nordmark		processed_len = ic->ic_crypto_data.cd_length;
7c478bd9Sstevel@tonic-gate	} else {
7c478bd9Sstevel@tonic-gate		/* encryption present */
7c478bd9Sstevel@tonic-gate		ivlen = assoc->ipsa_iv_len;
7c478bd9Sstevel@tonic-gate		if (assoc->ipsa_auth_alg == SADB_AALG_NONE) {
7c478bd9Sstevel@tonic-gate			/* encryption-only ESP */
bd670b35SErik Nordmark			espstart = ic->ic_crypto_data.cd_offset -
7c478bd9Sstevel@tonic-gate			    sizeof (esph_t) - assoc->ipsa_iv_len;
bd670b35SErik Nordmark			processed_len = ic->ic_crypto_data.cd_length +
7c478bd9Sstevel@tonic-gate			    ivlen;
7c478bd9Sstevel@tonic-gate		} else {
7c478bd9Sstevel@tonic-gate			/* encryption with authentication */
bd670b35SErik Nordmark			espstart = ic->ic_crypto_dual_data.dd_offset1;
bd670b35SErik Nordmark			processed_len = ic->ic_crypto_dual_data.dd_len2 +
7c478bd9Sstevel@tonic-gate			    ivlen;
7c478bd9Sstevel@tonic-gate		}
7c478bd9Sstevel@tonic-gate	}
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	esph = (esph_t *)(data_mp->b_rptr + espstart);
7c478bd9Sstevel@tonic-gate
628b0c67SMark Fenwick	if (assoc->ipsa_auth_alg != IPSA_AALG_NONE ||
628b0c67SMark Fenwick	    (assoc->ipsa_flags & IPSA_F_COMBINED)) {
628b0c67SMark Fenwick		/*
628b0c67SMark Fenwick		 * Authentication passed if we reach this point.
628b0c67SMark Fenwick		 * Packets with authentication will have the ICV
628b0c67SMark Fenwick		 * after the crypto data. Adjust b_wptr before
628b0c67SMark Fenwick		 * making padlen checks.
628b0c67SMark Fenwick		 */
f4b3ec61Sdh155122		ESP_BUMP_STAT(espstack, good_auth);
7c478bd9Sstevel@tonic-gate		data_mp->b_wptr -= assoc->ipsa_mac_len;
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate		/*
7c478bd9Sstevel@tonic-gate		 * Check replay window here!
7c478bd9Sstevel@tonic-gate		 * For right now, assume keysock will set the replay window
7c478bd9Sstevel@tonic-gate		 * size to zero for SAs that have an unspecified sender.
7c478bd9Sstevel@tonic-gate		 * This may change...
7c478bd9Sstevel@tonic-gate		 */
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate		if (!sadb_replay_check(assoc, esph->esph_replay)) {
7c478bd9Sstevel@tonic-gate			/*
7c478bd9Sstevel@tonic-gate			 * Log the event. As of now we print out an event.
7c478bd9Sstevel@tonic-gate			 * Do not print the replay failure number, or else
7c478bd9Sstevel@tonic-gate			 * syslog cannot collate the error messages.  Printing
7c478bd9Sstevel@tonic-gate			 * the replay number that failed opens a denial-of-
7c478bd9Sstevel@tonic-gate			 * service attack.
7c478bd9Sstevel@tonic-gate			 */
7c478bd9Sstevel@tonic-gate			ipsec_assocfailure(info.mi_idnum, 0, 0,
7c478bd9Sstevel@tonic-gate			    SL_ERROR | SL_WARN,
7c478bd9Sstevel@tonic-gate			    "Replay failed for ESP spi 0x%x, dst %s.\n",
7c478bd9Sstevel@tonic-gate			    assoc->ipsa_spi, assoc->ipsa_dstaddr,
f4b3ec61Sdh155122			    assoc->ipsa_addrfam, espstack->ipsecesp_netstack);
f4b3ec61Sdh155122			ESP_BUMP_STAT(espstack, replay_failures);
f4b3ec61Sdh155122			counter = DROPPER(ipss, ipds_esp_replay);
7c478bd9Sstevel@tonic-gate			goto drop_and_bail;
7c478bd9Sstevel@tonic-gate		}
4a179720Sdanmcd
bd670b35SErik Nordmark		if (is_natt) {
bd670b35SErik Nordmark			ASSERT(ira->ira_flags & IRAF_ESP_UDP_PORTS);
bd670b35SErik Nordmark			ASSERT(ira->ira_esp_udp_ports != 0);
bd670b35SErik Nordmark			esp_port_freshness(ira->ira_esp_udp_ports, assoc);
bd670b35SErik Nordmark		}
7c478bd9Sstevel@tonic-gate	}
7c478bd9Sstevel@tonic-gate
437220cdSdanmcd	esp_set_usetime(assoc, B_TRUE);
437220cdSdanmcd
7c478bd9Sstevel@tonic-gate	if (!esp_age_bytes(assoc, processed_len, B_TRUE)) {
7c478bd9Sstevel@tonic-gate		/* The ipsa has hit hard expiration, LOG and AUDIT. */
7c478bd9Sstevel@tonic-gate		ipsec_assocfailure(info.mi_idnum, 0, 0,
7c478bd9Sstevel@tonic-gate		    SL_ERROR | SL_WARN,
7c478bd9Sstevel@tonic-gate		    "ESP association 0x%x, dst %s had bytes expire.\n",
f4b3ec61Sdh155122		    assoc->ipsa_spi, assoc->ipsa_dstaddr, assoc->ipsa_addrfam,
f4b3ec61Sdh155122		    espstack->ipsecesp_netstack);
f4b3ec61Sdh155122		ESP_BUMP_STAT(espstack, bytes_expired);
f4b3ec61Sdh155122		counter = DROPPER(ipss, ipds_esp_bytes_expire);
7c478bd9Sstevel@tonic-gate		goto drop_and_bail;
7c478bd9Sstevel@tonic-gate	}
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	/*
7c478bd9Sstevel@tonic-gate	 * Remove ESP header and padding from packet.  I hope the compiler
7c478bd9Sstevel@tonic-gate	 * spews "branch, predict taken" code for this.
7c478bd9Sstevel@tonic-gate	 */
7c478bd9Sstevel@tonic-gate
bd670b35SErik Nordmark	if (esp_strip_header(data_mp, (ira->ira_flags & IRAF_IS_IPV4),
bd670b35SErik Nordmark	    ivlen, &counter, espstack)) {
5d3b8cb7SBill Sommerfeld
bd670b35SErik Nordmark		if (is_system_labeled() && assoc->ipsa_tsl != NULL) {
bd670b35SErik Nordmark			if (!ip_recv_attr_replace_label(ira, assoc->ipsa_tsl)) {
bd670b35SErik Nordmark				ip_drop_packet(data_mp, B_TRUE, ira->ira_ill,
bd670b35SErik Nordmark				    DROPPER(ipss, ipds_ah_nomem),
bd670b35SErik Nordmark				    &espstack->esp_dropper);
bd670b35SErik Nordmark				BUMP_MIB(ira->ira_ill->ill_ip_mib,
bd670b35SErik Nordmark				    ipIfStatsInDiscards);
bd670b35SErik Nordmark				return (NULL);
5d3b8cb7SBill Sommerfeld			}
5d3b8cb7SBill Sommerfeld		}
7c478bd9Sstevel@tonic-gate		if (is_natt)
7c478bd9Sstevel@tonic-gate			return (esp_fix_natt_checksums(data_mp, assoc));
d74f5ecaSDan McDonald
d74f5ecaSDan McDonald		if (assoc->ipsa_state == IPSA_STATE_IDLE) {
d74f5ecaSDan McDonald			/*
d74f5ecaSDan McDonald			 * Cluster buffering case.  Tell caller that we're
d74f5ecaSDan McDonald			 * handling the packet.
d74f5ecaSDan McDonald			 */
bd670b35SErik Nordmark			sadb_buf_pkt(assoc, data_mp, ira);
bd670b35SErik Nordmark			return (NULL);
d74f5ecaSDan McDonald		}
d74f5ecaSDan McDonald
bd670b35SErik Nordmark		return (data_mp);
7c478bd9Sstevel@tonic-gate	}
7c478bd9Sstevel@tonic-gate
f4b3ec61Sdh155122	esp1dbg(espstack, ("esp_in_done: esp_strip_header() failed\n"));
7c478bd9Sstevel@tonic-gatedrop_and_bail:
f4b3ec61Sdh155122	IP_ESP_BUMP_STAT(ipss, in_discards);
bd670b35SErik Nordmark	ip_drop_packet(data_mp, B_TRUE, ira->ira_ill, counter,
f4b3ec61Sdh155122	    &espstack->esp_dropper);
bd670b35SErik Nordmark	BUMP_MIB(ira->ira_ill->ill_ip_mib, ipIfStatsInDiscards);
bd670b35SErik Nordmark	return (NULL);
7c478bd9Sstevel@tonic-gate}
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate/*
7c478bd9Sstevel@tonic-gate * Called upon failing the inbound ICV check. The message passed as
7c478bd9Sstevel@tonic-gate * argument is freed.
7c478bd9Sstevel@tonic-gate */
7c478bd9Sstevel@tonic-gatestatic void
bd670b35SErik Nordmarkesp_log_bad_auth(mblk_t *mp, ip_recv_attr_t *ira)
7c478bd9Sstevel@tonic-gate{
bd670b35SErik Nordmark	ipsa_t		*assoc = ira->ira_ipsec_esp_sa;
bd670b35SErik Nordmark	netstack_t	*ns = ira->ira_ill->ill_ipst->ips_netstack;
f4b3ec61Sdh155122	ipsecesp_stack_t *espstack = ns->netstack_ipsecesp;
f4b3ec61Sdh155122	ipsec_stack_t	*ipss = ns->netstack_ipsec;
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	/*
7c478bd9Sstevel@tonic-gate	 * Log the event. Don't print to the console, block
7c478bd9Sstevel@tonic-gate	 * potential denial-of-service attack.
7c478bd9Sstevel@tonic-gate	 */
f4b3ec61Sdh155122	ESP_BUMP_STAT(espstack, bad_auth);
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	ipsec_assocfailure(info.mi_idnum, 0, 0, SL_ERROR | SL_WARN,
7c478bd9Sstevel@tonic-gate	    "ESP Authentication failed for spi 0x%x, dst %s.\n",
f4b3ec61Sdh155122	    assoc->ipsa_spi, assoc->ipsa_dstaddr, assoc->ipsa_addrfam,
f4b3ec61Sdh155122	    espstack->ipsecesp_netstack);
7c478bd9Sstevel@tonic-gate
f4b3ec61Sdh155122	IP_ESP_BUMP_STAT(ipss, in_discards);
bd670b35SErik Nordmark	ip_drop_packet(mp, B_TRUE, ira->ira_ill,
f4b3ec61Sdh155122	    DROPPER(ipss, ipds_esp_bad_auth),
f4b3ec61Sdh155122	    &espstack->esp_dropper);
7c478bd9Sstevel@tonic-gate}
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate/*
7c478bd9Sstevel@tonic-gate * Invoked for outbound packets after ESP processing. If the packet
7c478bd9Sstevel@tonic-gate * also requires AH, performs the AH SA selection and AH processing.
bd670b35SErik Nordmark *
b7daf799SDan McDonald * Returns data_mp (possibly with AH added) unless data_mp was consumed
b7daf799SDan McDonald * due to an error, or queued due to async. crypto or an ACQUIRE trigger.
7c478bd9Sstevel@tonic-gate */
bd670b35SErik Nordmarkstatic mblk_t *
bd670b35SErik Nordmarkesp_do_outbound_ah(mblk_t *data_mp, ip_xmit_attr_t *ixa)
7c478bd9Sstevel@tonic-gate{
7c478bd9Sstevel@tonic-gate	ipsec_action_t *ap;
7c478bd9Sstevel@tonic-gate
bd670b35SErik Nordmark	ap = ixa->ixa_ipsec_action;
7c478bd9Sstevel@tonic-gate	if (ap == NULL) {
bd670b35SErik Nordmark		ipsec_policy_t *pp = ixa->ixa_ipsec_policy;
7c478bd9Sstevel@tonic-gate		ap = pp->ipsp_act;
7c478bd9Sstevel@tonic-gate	}
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	if (!ap->ipa_want_ah)
bd670b35SErik Nordmark		return (data_mp);
7c478bd9Sstevel@tonic-gate
bd670b35SErik Nordmark	/*
bd670b35SErik Nordmark	 * Normally the AH SA would have already been put in place
bd670b35SErik Nordmark	 * but it could have been flushed so we need to look for it.
bd670b35SErik Nordmark	 */
bd670b35SErik Nordmark	if (ixa->ixa_ipsec_ah_sa == NULL) {
bd670b35SErik Nordmark		if (!ipsec_outbound_sa(data_mp, ixa, IPPROTO_AH)) {
bd670b35SErik Nordmark			sadb_acquire(data_mp, ixa, B_TRUE, B_FALSE);
bd670b35SErik Nordmark			return (NULL);
7c478bd9Sstevel@tonic-gate		}
7c478bd9Sstevel@tonic-gate	}
bd670b35SErik Nordmark	ASSERT(ixa->ixa_ipsec_ah_sa != NULL);
7c478bd9Sstevel@tonic-gate
bd670b35SErik Nordmark	data_mp = ixa->ixa_ipsec_ah_sa->ipsa_output_func(data_mp, ixa);
bd670b35SErik Nordmark	return (data_mp);
7c478bd9Sstevel@tonic-gate}
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate/*
7c478bd9Sstevel@tonic-gate * Kernel crypto framework callback invoked after completion of async
bd670b35SErik Nordmark * crypto requests for outbound packets.
7c478bd9Sstevel@tonic-gate */
7c478bd9Sstevel@tonic-gatestatic void
bd670b35SErik Nordmarkesp_kcf_callback_outbound(void *arg, int status)
7c478bd9Sstevel@tonic-gate{
bd670b35SErik Nordmark	mblk_t		*mp = (mblk_t *)arg;
bd670b35SErik Nordmark	mblk_t		*async_mp;
bd670b35SErik Nordmark	netstack_t	*ns;
f4b3ec61Sdh155122	ipsec_stack_t	*ipss;
bd670b35SErik Nordmark	ipsecesp_stack_t *espstack;
bd670b35SErik Nordmark	mblk_t		*data_mp;
bd670b35SErik Nordmark	ip_xmit_attr_t	ixas;
bd670b35SErik Nordmark	ipsec_crypto_t	*ic;
bd670b35SErik Nordmark	ill_t		*ill;
f4b3ec61Sdh155122
f4b3ec61Sdh155122	/*
bd670b35SErik Nordmark	 * First remove the ipsec_crypto_t mblk
bd670b35SErik Nordmark	 * Note that we need to ipsec_free_crypto_data(mp) once done with ic.
f4b3ec61Sdh155122	 */
bd670b35SErik Nordmark	async_mp = ipsec_remove_crypto_data(mp, &ic);
bd670b35SErik Nordmark	ASSERT(async_mp != NULL);
f4b3ec61Sdh155122
bd670b35SErik Nordmark	/*
bd670b35SErik Nordmark	 * Extract the ip_xmit_attr_t from the first mblk.
bd670b35SErik Nordmark	 * Verifies that the netstack and ill is still around; could
bd670b35SErik Nordmark	 * have vanished while kEf was doing its work.
bd670b35SErik Nordmark	 * On succesful return we have a nce_t and the ill/ipst can't
bd670b35SErik Nordmark	 * disappear until we do the nce_refrele in ixa_cleanup.
bd670b35SErik Nordmark	 */
bd670b35SErik Nordmark	data_mp = async_mp->b_cont;
bd670b35SErik Nordmark	async_mp->b_cont = NULL;
bd670b35SErik Nordmark	if (!ip_xmit_attr_from_mblk(async_mp, &ixas)) {
bd670b35SErik Nordmark		/* Disappeared on us - no ill/ipst for MIB */
bd670b35SErik Nordmark		/* We have nowhere to do stats since ixa_ipst could be NULL */
bd670b35SErik Nordmark		if (ixas.ixa_nce != NULL) {
bd670b35SErik Nordmark			ill = ixas.ixa_nce->nce_ill;
bd670b35SErik Nordmark			BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutDiscards);
bd670b35SErik Nordmark			ip_drop_output("ipIfStatsOutDiscards", data_mp, ill);
bd670b35SErik Nordmark		}
bd670b35SErik Nordmark		freemsg(data_mp);
bd670b35SErik Nordmark		goto done;
bd670b35SErik Nordmark	}
bd670b35SErik Nordmark	ns = ixas.ixa_ipst->ips_netstack;
f4b3ec61Sdh155122	espstack = ns->netstack_ipsecesp;
f4b3ec61Sdh155122	ipss = ns->netstack_ipsec;
bd670b35SErik Nordmark	ill = ixas.ixa_nce->nce_ill;
f4b3ec61Sdh155122
7c478bd9Sstevel@tonic-gate	if (status == CRYPTO_SUCCESS) {
7c478bd9Sstevel@tonic-gate		/*
7c478bd9Sstevel@tonic-gate		 * If a ICV was computed, it was stored by the
7c478bd9Sstevel@tonic-gate		 * crypto framework at the end of the packet.
7c478bd9Sstevel@tonic-gate		 */
bd670b35SErik Nordmark		ipha_t *ipha = (ipha_t *)data_mp->b_rptr;
7c478bd9Sstevel@tonic-gate
bd670b35SErik Nordmark		esp_set_usetime(ixas.ixa_ipsec_esp_sa, B_FALSE);
437220cdSdanmcd		/* NAT-T packet. */
bd670b35SErik Nordmark		if (IPH_HDR_VERSION(ipha) == IP_VERSION &&
bd670b35SErik Nordmark		    ipha->ipha_protocol == IPPROTO_UDP)
bd670b35SErik Nordmark			esp_prepare_udp(ns, data_mp, ipha);
437220cdSdanmcd
7c478bd9Sstevel@tonic-gate		/* do AH processing if needed */
bd670b35SErik Nordmark		data_mp = esp_do_outbound_ah(data_mp, &ixas);
bd670b35SErik Nordmark		if (data_mp == NULL)
bd670b35SErik Nordmark			goto done;
bd670b35SErik Nordmark
bd670b35SErik Nordmark		(void) ip_output_post_ipsec(data_mp, &ixas);
7c478bd9Sstevel@tonic-gate	} else {
bd670b35SErik Nordmark		/* Outbound shouldn't see invalid MAC */
bd670b35SErik Nordmark		ASSERT(status != CRYPTO_INVALID_MAC);
bd670b35SErik Nordmark
bd670b35SErik Nordmark		esp1dbg(espstack,
bd670b35SErik Nordmark		    ("esp_kcf_callback_outbound: crypto failed with 0x%x\n",
bd670b35SErik Nordmark		    status));
bd670b35SErik Nordmark		ESP_BUMP_STAT(espstack, crypto_failures);
bd670b35SErik Nordmark		ESP_BUMP_STAT(espstack, out_discards);
bd670b35SErik Nordmark		ip_drop_packet(data_mp, B_FALSE, ill,
bd670b35SErik Nordmark		    DROPPER(ipss, ipds_esp_crypto_failed),
bd670b35SErik Nordmark		    &espstack->esp_dropper);
bd670b35SErik Nordmark		BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutDiscards);
7c478bd9Sstevel@tonic-gate	}
bd670b35SErik Nordmarkdone:
bd670b35SErik Nordmark	ixa_cleanup(&ixas);
bd670b35SErik Nordmark	(void) ipsec_free_crypto_data(mp);
7c478bd9Sstevel@tonic-gate}
7c478bd9Sstevel@tonic-gate
bd670b35SErik Nordmark/*
bd670b35SErik Nordmark * Kernel crypto framework callback invoked after completion of async
bd670b35SErik Nordmark * crypto requests for inbound packets.
bd670b35SErik Nordmark */
bd670b35SErik Nordmarkstatic void
bd670b35SErik Nordmarkesp_kcf_callback_inbound(void *arg, int status)
bd670b35SErik Nordmark{
bd670b35SErik Nordmark	mblk_t		*mp = (mblk_t *)arg;
bd670b35SErik Nordmark	mblk_t		*async_mp;
bd670b35SErik Nordmark	netstack_t	*ns;
bd670b35SErik Nordmark	ipsecesp_stack_t *espstack;
bd670b35SErik Nordmark	ipsec_stack_t	*ipss;
bd670b35SErik Nordmark	mblk_t		*data_mp;
bd670b35SErik Nordmark	ip_recv_attr_t	iras;
bd670b35SErik Nordmark	ipsec_crypto_t	*ic;
bd670b35SErik Nordmark
bd670b35SErik Nordmark	/*
bd670b35SErik Nordmark	 * First remove the ipsec_crypto_t mblk
bd670b35SErik Nordmark	 * Note that we need to ipsec_free_crypto_data(mp) once done with ic.
bd670b35SErik Nordmark	 */
bd670b35SErik Nordmark	async_mp = ipsec_remove_crypto_data(mp, &ic);
bd670b35SErik Nordmark	ASSERT(async_mp != NULL);
bd670b35SErik Nordmark
bd670b35SErik Nordmark	/*
bd670b35SErik Nordmark	 * Extract the ip_recv_attr_t from the first mblk.
bd670b35SErik Nordmark	 * Verifies that the netstack and ill is still around; could
bd670b35SErik Nordmark	 * have vanished while kEf was doing its work.
bd670b35SErik Nordmark	 */
bd670b35SErik Nordmark	data_mp = async_mp->b_cont;
bd670b35SErik Nordmark	async_mp->b_cont = NULL;
bd670b35SErik Nordmark	if (!ip_recv_attr_from_mblk(async_mp, &iras)) {
bd670b35SErik Nordmark		/* The ill or ip_stack_t disappeared on us */
bd670b35SErik Nordmark		ip_drop_input("ip_recv_attr_from_mblk", data_mp, NULL);
bd670b35SErik Nordmark		freemsg(data_mp);
bd670b35SErik Nordmark		goto done;
bd670b35SErik Nordmark	}
bd670b35SErik Nordmark
bd670b35SErik Nordmark	ns = iras.ira_ill->ill_ipst->ips_netstack;
bd670b35SErik Nordmark	espstack = ns->netstack_ipsecesp;
bd670b35SErik Nordmark	ipss = ns->netstack_ipsec;
bd670b35SErik Nordmark
bd670b35SErik Nordmark	if (status == CRYPTO_SUCCESS) {
bd670b35SErik Nordmark		data_mp = esp_in_done(data_mp, &iras, ic);
bd670b35SErik Nordmark		if (data_mp == NULL)
bd670b35SErik Nordmark			goto done;
bd670b35SErik Nordmark
bd670b35SErik Nordmark		/* finish IPsec processing */
bd670b35SErik Nordmark		ip_input_post_ipsec(data_mp, &iras);
7c478bd9Sstevel@tonic-gate	} else if (status == CRYPTO_INVALID_MAC) {
bd670b35SErik Nordmark		esp_log_bad_auth(data_mp, &iras);
7c478bd9Sstevel@tonic-gate	} else {
f4b3ec61Sdh155122		esp1dbg(espstack,
f4b3ec61Sdh155122		    ("esp_kcf_callback: crypto failed with 0x%x\n",
7c478bd9Sstevel@tonic-gate		    status));
f4b3ec61Sdh155122		ESP_BUMP_STAT(espstack, crypto_failures);
f4b3ec61Sdh155122		IP_ESP_BUMP_STAT(ipss, in_discards);
bd670b35SErik Nordmark		ip_drop_packet(data_mp, B_TRUE, iras.ira_ill,
f4b3ec61Sdh155122		    DROPPER(ipss, ipds_esp_crypto_failed),
f4b3ec61Sdh155122		    &espstack->esp_dropper);
bd670b35SErik Nordmark		BUMP_MIB(iras.ira_ill->ill_ip_mib, ipIfStatsInDiscards);
7c478bd9Sstevel@tonic-gate	}
bd670b35SErik Nordmarkdone:
bd670b35SErik Nordmark	ira_cleanup(&iras, B_TRUE);
bd670b35SErik Nordmark	(void) ipsec_free_crypto_data(mp);
7c478bd9Sstevel@tonic-gate}
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate/*
7c478bd9Sstevel@tonic-gate * Invoked on crypto framework failure during inbound and outbound processing.
7c478bd9Sstevel@tonic-gate */
7c478bd9Sstevel@tonic-gatestatic void
bd670b35SErik Nordmarkesp_crypto_failed(mblk_t *data_mp, boolean_t is_inbound, int kef_rc,
bd670b35SErik Nordmark    ill_t *ill, ipsecesp_stack_t *espstack)
7c478bd9Sstevel@tonic-gate{
f4b3ec61Sdh155122	ipsec_stack_t	*ipss = espstack->ipsecesp_netstack->netstack_ipsec;
f4b3ec61Sdh155122
f4b3ec61Sdh155122	esp1dbg(espstack, ("crypto failed for %s ESP with 0x%x\n",
7c478bd9Sstevel@tonic-gate	    is_inbound ? "inbound" : "outbound", kef_rc));
bd670b35SErik Nordmark	ip_drop_packet(data_mp, is_inbound, ill,
f4b3ec61Sdh155122	    DROPPER(ipss, ipds_esp_crypto_failed),
f4b3ec61Sdh155122	    &espstack->esp_dropper);
f4b3ec61Sdh155122	ESP_BUMP_STAT(espstack, crypto_failures);
7c478bd9Sstevel@tonic-gate	if (is_inbound)
f4b3ec61Sdh155122		IP_ESP_BUMP_STAT(ipss, in_discards);
7c478bd9Sstevel@tonic-gate	else
f4b3ec61Sdh155122		ESP_BUMP_STAT(espstack, out_discards);
7c478bd9Sstevel@tonic-gate}
7c478bd9Sstevel@tonic-gate
bd670b35SErik Nordmark/*
bd670b35SErik Nordmark * A statement-equivalent macro, _cr MUST point to a modifiable
bd670b35SErik Nordmark * crypto_call_req_t.
bd670b35SErik Nordmark */
bd670b35SErik Nordmark#define	ESP_INIT_CALLREQ(_cr, _mp, _callback)				\
bd670b35SErik Nordmark	(_cr)->cr_flag = CRYPTO_SKIP_REQID|CRYPTO_ALWAYS_QUEUE;	\
bd670b35SErik Nordmark	(_cr)->cr_callback_arg = (_mp);				\
bd670b35SErik Nordmark	(_cr)->cr_callback_func = (_callback)
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate#define	ESP_INIT_CRYPTO_MAC(mac, icvlen, icvbuf) {			\
7c478bd9Sstevel@tonic-gate	(mac)->cd_format = CRYPTO_DATA_RAW;				\
7c478bd9Sstevel@tonic-gate	(mac)->cd_offset = 0;						\
7c478bd9Sstevel@tonic-gate	(mac)->cd_length = icvlen;					\
7c478bd9Sstevel@tonic-gate	(mac)->cd_raw.iov_base = (char *)icvbuf;			\
7c478bd9Sstevel@tonic-gate	(mac)->cd_raw.iov_len = icvlen;					\
7c478bd9Sstevel@tonic-gate}
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate#define	ESP_INIT_CRYPTO_DATA(data, mp, off, len) {			\
7c478bd9Sstevel@tonic-gate	if (MBLKL(mp) >= (len) + (off)) {				\
7c478bd9Sstevel@tonic-gate		(data)->cd_format = CRYPTO_DATA_RAW;			\
7c478bd9Sstevel@tonic-gate		(data)->cd_raw.iov_base = (char *)(mp)->b_rptr;		\
7c478bd9Sstevel@tonic-gate		(data)->cd_raw.iov_len = MBLKL(mp);			\
7c478bd9Sstevel@tonic-gate		(data)->cd_offset = off;				\
7c478bd9Sstevel@tonic-gate	} else {							\
7c478bd9Sstevel@tonic-gate		(data)->cd_format = CRYPTO_DATA_MBLK;			\
7c478bd9Sstevel@tonic-gate		(data)->cd_mp = mp;					\
7c478bd9Sstevel@tonic-gate		(data)->cd_offset = off;				\
7c478bd9Sstevel@tonic-gate	}								\
7c478bd9Sstevel@tonic-gate	(data)->cd_length = len;					\
7c478bd9Sstevel@tonic-gate}
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate#define	ESP_INIT_CRYPTO_DUAL_DATA(data, mp, off1, len1, off2, len2) {	\
7c478bd9Sstevel@tonic-gate	(data)->dd_format = CRYPTO_DATA_MBLK;				\
7c478bd9Sstevel@tonic-gate	(data)->dd_mp = mp;						\
7c478bd9Sstevel@tonic-gate	(data)->dd_len1 = len1;						\
7c478bd9Sstevel@tonic-gate	(data)->dd_offset1 = off1;					\
7c478bd9Sstevel@tonic-gate	(data)->dd_len2 = len2;						\
7c478bd9Sstevel@tonic-gate	(data)->dd_offset2 = off2;					\
7c478bd9Sstevel@tonic-gate}
7c478bd9Sstevel@tonic-gate
bd670b35SErik Nordmark/*
bd670b35SErik Nordmark * Returns data_mp if successfully completed the request. Returns
bd670b35SErik Nordmark * NULL if it failed (and increments InDiscards) or if it is pending.
bd670b35SErik Nordmark */
bd670b35SErik Nordmarkstatic mblk_t *
bd670b35SErik Nordmarkesp_submit_req_inbound(mblk_t *esp_mp, ip_recv_attr_t *ira,
bd670b35SErik Nordmark    ipsa_t *assoc, uint_t esph_offset)
7c478bd9Sstevel@tonic-gate{
7c478bd9Sstevel@tonic-gate	uint_t auth_offset, msg_len, auth_len;
bd670b35SErik Nordmark	crypto_call_req_t call_req, *callrp;
bd670b35SErik Nordmark	mblk_t *mp;
628b0c67SMark Fenwick	esph_t *esph_ptr;
bd670b35SErik Nordmark	int kef_rc;
7c478bd9Sstevel@tonic-gate	uint_t icv_len = assoc->ipsa_mac_len;
7c478bd9Sstevel@tonic-gate	crypto_ctx_template_t auth_ctx_tmpl;
bd670b35SErik Nordmark	boolean_t do_auth, do_encr, force;
7c478bd9Sstevel@tonic-gate	uint_t encr_offset, encr_len;
7c478bd9Sstevel@tonic-gate	uint_t iv_len = assoc->ipsa_iv_len;
7c478bd9Sstevel@tonic-gate	crypto_ctx_template_t encr_ctx_tmpl;
bd670b35SErik Nordmark	ipsec_crypto_t	*ic, icstack;
628b0c67SMark Fenwick	uchar_t *iv_ptr;
bd670b35SErik Nordmark	netstack_t *ns = ira->ira_ill->ill_ipst->ips_netstack;
bd670b35SErik Nordmark	ipsec_stack_t *ipss = ns->netstack_ipsec;
bd670b35SErik Nordmark	ipsecesp_stack_t *espstack = ns->netstack_ipsecesp;
f4b3ec61Sdh155122
*4132743aSToomas Soome	mp = NULL;
7c478bd9Sstevel@tonic-gate	do_auth = assoc->ipsa_auth_alg != SADB_AALG_NONE;
7c478bd9Sstevel@tonic-gate	do_encr = assoc->ipsa_encr_alg != SADB_EALG_NULL;
bd670b35SErik Nordmark	force = (assoc->ipsa_flags & IPSA_F_ASYNC);
bd670b35SErik Nordmark
bd670b35SErik Nordmark#ifdef IPSEC_LATENCY_TEST
bd670b35SErik Nordmark	kef_rc = CRYPTO_SUCCESS;
bd670b35SErik Nordmark#else
bd670b35SErik Nordmark	kef_rc = CRYPTO_FAILED;
bd670b35SErik Nordmark#endif
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	/*
7c478bd9Sstevel@tonic-gate	 * An inbound packet is of the form:
bd670b35SErik Nordmark	 * [IP,options,ESP,IV,data,ICV,pad]
7c478bd9Sstevel@tonic-gate	 */
628b0c67SMark Fenwick	esph_ptr = (esph_t *)(esp_mp->b_rptr + esph_offset);
628b0c67SMark Fenwick	iv_ptr = (uchar_t *)(esph_ptr + 1);
628b0c67SMark Fenwick	/* Packet length starting at IP header ending after ESP ICV. */
7c478bd9Sstevel@tonic-gate	msg_len = MBLKL(esp_mp);
7c478bd9Sstevel@tonic-gate
628b0c67SMark Fenwick	encr_offset = esph_offset + sizeof (esph_t) + iv_len;
628b0c67SMark Fenwick	encr_len = msg_len - encr_offset;
628b0c67SMark Fenwick
628b0c67SMark Fenwick	/*
628b0c67SMark Fenwick	 * Counter mode algs need a nonce. This is setup in sadb_common_add().
628b0c67SMark Fenwick	 * If for some reason we are using a SA which does not have a nonce
628b0c67SMark Fenwick	 * then we must fail here.
628b0c67SMark Fenwick	 */
628b0c67SMark Fenwick	if ((assoc->ipsa_flags & IPSA_F_COUNTERMODE) &&
628b0c67SMark Fenwick	    (assoc->ipsa_nonce == NULL)) {
bd670b35SErik Nordmark		ip_drop_packet(esp_mp, B_TRUE, ira->ira_ill,
628b0c67SMark Fenwick		    DROPPER(ipss, ipds_esp_nomem), &espstack->esp_dropper);
bd670b35SErik Nordmark		return (NULL);
bd670b35SErik Nordmark	}
bd670b35SErik Nordmark
bd670b35SErik Nordmark	if (force) {
bd670b35SErik Nordmark		/* We are doing asynch; allocate mblks to hold state */
bd670b35SErik Nordmark		if ((mp = ip_recv_attr_to_mblk(ira)) == NULL ||
bd670b35SErik Nordmark		    (mp = ipsec_add_crypto_data(mp, &ic)) == NULL) {
bd670b35SErik Nordmark			BUMP_MIB(ira->ira_ill->ill_ip_mib, ipIfStatsInDiscards);
bd670b35SErik Nordmark			ip_drop_input("ipIfStatsInDiscards", esp_mp,
bd670b35SErik Nordmark			    ira->ira_ill);
bd670b35SErik Nordmark			return (NULL);
bd670b35SErik Nordmark		}
bd670b35SErik Nordmark		linkb(mp, esp_mp);
bd670b35SErik Nordmark		callrp = &call_req;
bd670b35SErik Nordmark		ESP_INIT_CALLREQ(callrp, mp, esp_kcf_callback_inbound);
bd670b35SErik Nordmark	} else {
bd670b35SErik Nordmark		/*
bd670b35SErik Nordmark		 * If we know we are going to do sync then ipsec_crypto_t
bd670b35SErik Nordmark		 * should be on the stack.
bd670b35SErik Nordmark		 */
bd670b35SErik Nordmark		ic = &icstack;
bd670b35SErik Nordmark		bzero(ic, sizeof (*ic));
bd670b35SErik Nordmark		callrp = NULL;
628b0c67SMark Fenwick	}
628b0c67SMark Fenwick
7c478bd9Sstevel@tonic-gate	if (do_auth) {
7c478bd9Sstevel@tonic-gate		/* authentication context template */
7c478bd9Sstevel@tonic-gate		IPSEC_CTX_TMPL(assoc, ipsa_authtmpl, IPSEC_ALG_AUTH,
7c478bd9Sstevel@tonic-gate		    auth_ctx_tmpl);
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate		/* ICV to be verified */
bd670b35SErik Nordmark		ESP_INIT_CRYPTO_MAC(&ic->ic_crypto_mac,
7c478bd9Sstevel@tonic-gate		    icv_len, esp_mp->b_wptr - icv_len);
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate		/* authentication starts at the ESP header */
7c478bd9Sstevel@tonic-gate		auth_offset = esph_offset;
7c478bd9Sstevel@tonic-gate		auth_len = msg_len - auth_offset - icv_len;
7c478bd9Sstevel@tonic-gate		if (!do_encr) {
7c478bd9Sstevel@tonic-gate			/* authentication only */
7c478bd9Sstevel@tonic-gate			/* initialize input data argument */
bd670b35SErik Nordmark			ESP_INIT_CRYPTO_DATA(&ic->ic_crypto_data,
7c478bd9Sstevel@tonic-gate			    esp_mp, auth_offset, auth_len);
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate			/* call the crypto framework */
7c478bd9Sstevel@tonic-gate			kef_rc = crypto_mac_verify(&assoc->ipsa_amech,
bd670b35SErik Nordmark			    &ic->ic_crypto_data,
7c478bd9Sstevel@tonic-gate			    &assoc->ipsa_kcfauthkey, auth_ctx_tmpl,
bd670b35SErik Nordmark			    &ic->ic_crypto_mac, callrp);
7c478bd9Sstevel@tonic-gate		}
7c478bd9Sstevel@tonic-gate	}
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	if (do_encr) {
7c478bd9Sstevel@tonic-gate		/* encryption template */
7c478bd9Sstevel@tonic-gate		IPSEC_CTX_TMPL(assoc, ipsa_encrtmpl, IPSEC_ALG_ENCR,
7c478bd9Sstevel@tonic-gate		    encr_ctx_tmpl);
7c478bd9Sstevel@tonic-gate
628b0c67SMark Fenwick		/* Call the nonce update function. Also passes in IV */
628b0c67SMark Fenwick		(assoc->ipsa_noncefunc)(assoc, (uchar_t *)esph_ptr, encr_len,
bd670b35SErik Nordmark		    iv_ptr, &ic->ic_cmm, &ic->ic_crypto_data);
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate		if (!do_auth) {
7c478bd9Sstevel@tonic-gate			/* decryption only */
7c478bd9Sstevel@tonic-gate			/* initialize input data argument */
bd670b35SErik Nordmark			ESP_INIT_CRYPTO_DATA(&ic->ic_crypto_data,
7c478bd9Sstevel@tonic-gate			    esp_mp, encr_offset, encr_len);
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate			/* call the crypto framework */
628b0c67SMark Fenwick			kef_rc = crypto_decrypt((crypto_mechanism_t *)
bd670b35SErik Nordmark			    &ic->ic_cmm, &ic->ic_crypto_data,
7c478bd9Sstevel@tonic-gate			    &assoc->ipsa_kcfencrkey, encr_ctx_tmpl,
bd670b35SErik Nordmark			    NULL, callrp);
7c478bd9Sstevel@tonic-gate		}
7c478bd9Sstevel@tonic-gate	}
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	if (do_auth && do_encr) {
7c478bd9Sstevel@tonic-gate		/* dual operation */
7c478bd9Sstevel@tonic-gate		/* initialize input data argument */
bd670b35SErik Nordmark		ESP_INIT_CRYPTO_DUAL_DATA(&ic->ic_crypto_dual_data,
7c478bd9Sstevel@tonic-gate		    esp_mp, auth_offset, auth_len,
7c478bd9Sstevel@tonic-gate		    encr_offset, encr_len - icv_len);
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate		/* specify IV */
bd670b35SErik Nordmark		ic->ic_crypto_dual_data.dd_miscdata = (char *)iv_ptr;
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate		/* call the framework */
7c478bd9Sstevel@tonic-gate		kef_rc = crypto_mac_verify_decrypt(&assoc->ipsa_amech,
bd670b35SErik Nordmark		    &assoc->ipsa_emech, &ic->ic_crypto_dual_data,
7c478bd9Sstevel@tonic-gate		    &assoc->ipsa_kcfauthkey, &assoc->ipsa_kcfencrkey,
bd670b35SErik Nordmark		    auth_ctx_tmpl, encr_ctx_tmpl, &ic->ic_crypto_mac,
bd670b35SErik Nordmark		    NULL, callrp);
7c478bd9Sstevel@tonic-gate	}
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	switch (kef_rc) {
7c478bd9Sstevel@tonic-gate	case CRYPTO_SUCCESS:
f4b3ec61Sdh155122		ESP_BUMP_STAT(espstack, crypto_sync);
bd670b35SErik Nordmark		esp_mp = esp_in_done(esp_mp, ira, ic);
bd670b35SErik Nordmark		if (force) {
bd670b35SErik Nordmark			/* Free mp after we are done with ic */
bd670b35SErik Nordmark			mp = ipsec_free_crypto_data(mp);
bd670b35SErik Nordmark			(void) ip_recv_attr_free_mblk(mp);
bd670b35SErik Nordmark		}
bd670b35SErik Nordmark		return (esp_mp);
7c478bd9Sstevel@tonic-gate	case CRYPTO_QUEUED:
bd670b35SErik Nordmark		/* esp_kcf_callback_inbound() will be invoked on completion */
f4b3ec61Sdh155122		ESP_BUMP_STAT(espstack, crypto_async);
bd670b35SErik Nordmark		return (NULL);
7c478bd9Sstevel@tonic-gate	case CRYPTO_INVALID_MAC:
bd670b35SErik Nordmark		if (force) {
bd670b35SErik Nordmark			mp = ipsec_free_crypto_data(mp);
bd670b35SErik Nordmark			esp_mp = ip_recv_attr_free_mblk(mp);
bd670b35SErik Nordmark		}
f4b3ec61Sdh155122		ESP_BUMP_STAT(espstack, crypto_sync);
bd670b35SErik Nordmark		BUMP_MIB(ira->ira_ill->ill_ip_mib, ipIfStatsInDiscards);
bd670b35SErik Nordmark		esp_log_bad_auth(esp_mp, ira);
bd670b35SErik Nordmark		/* esp_mp was passed to ip_drop_packet */
bd670b35SErik Nordmark		return (NULL);
7c478bd9Sstevel@tonic-gate	}
7c478bd9Sstevel@tonic-gate
bd984e57SDan McDonald	if (force) {
bd670b35SErik Nordmark		mp = ipsec_free_crypto_data(mp);
bd670b35SErik Nordmark		esp_mp = ip_recv_attr_free_mblk(mp);
bd984e57SDan McDonald	}
bd670b35SErik Nordmark	BUMP_MIB(ira->ira_ill->ill_ip_mib, ipIfStatsInDiscards);
bd670b35SErik Nordmark	esp_crypto_failed(esp_mp, B_TRUE, kef_rc, ira->ira_ill, espstack);
bd670b35SErik Nordmark	/* esp_mp was passed to ip_drop_packet */
bd670b35SErik Nordmark	return (NULL);
7c478bd9Sstevel@tonic-gate}
7c478bd9Sstevel@tonic-gate
437220cdSdanmcd/*
437220cdSdanmcd * Compute the IP and UDP checksums -- common code for both keepalives and
437220cdSdanmcd * actual ESP-in-UDP packets.  Be flexible with multiple mblks because ESP
437220cdSdanmcd * uses mblk-insertion to insert the UDP header.
437220cdSdanmcd * TODO - If there is an easy way to prep a packet for HW checksums, make
437220cdSdanmcd * it happen here.
bd670b35SErik Nordmark * Note that this is used before both before calling ip_output_simple and
bd670b35SErik Nordmark * in the esp datapath. The former could use IXAF_SET_ULP_CKSUM but not the
bd670b35SErik Nordmark * latter.
437220cdSdanmcd */
437220cdSdanmcdstatic void
437220cdSdanmcdesp_prepare_udp(netstack_t *ns, mblk_t *mp, ipha_t *ipha)
437220cdSdanmcd{
437220cdSdanmcd	int offset;
437220cdSdanmcd	uint32_t cksum;
437220cdSdanmcd	uint16_t *arr;
437220cdSdanmcd	mblk_t *udpmp = mp;
87e10ffaSwy83408	uint_t hlen = IPH_HDR_LENGTH(ipha);
437220cdSdanmcd
437220cdSdanmcd	ASSERT(MBLKL(mp) >= sizeof (ipha_t));
437220cdSdanmcd
437220cdSdanmcd	ipha->ipha_hdr_checksum = 0;
437220cdSdanmcd	ipha->ipha_hdr_checksum = ip_csum_hdr(ipha);
437220cdSdanmcd
437220cdSdanmcd	if (ns->netstack_udp->us_do_checksum) {
437220cdSdanmcd		ASSERT(MBLKL(udpmp) >= sizeof (udpha_t));
437220cdSdanmcd		/* arr points to the IP header. */
437220cdSdanmcd		arr = (uint16_t *)ipha;
437220cdSdanmcd		IP_STAT(ns->netstack_ip, ip_out_sw_cksum);
bd670b35SErik Nordmark		IP_STAT_UPDATE(ns->netstack_ip, ip_out_sw_cksum_bytes,
87e10ffaSwy83408		    ntohs(htons(ipha->ipha_length) - hlen));
437220cdSdanmcd		/* arr[6-9] are the IP addresses. */
437220cdSdanmcd		cksum = IP_UDP_CSUM_COMP + arr[6] + arr[7] + arr[8] + arr[9] +
87e10ffaSwy83408		    ntohs(htons(ipha->ipha_length) - hlen);
87e10ffaSwy83408		cksum = IP_CSUM(mp, hlen, cksum);
87e10ffaSwy83408		offset = hlen + UDP_CHECKSUM_OFFSET;
437220cdSdanmcd		while (offset >= MBLKL(udpmp)) {
437220cdSdanmcd			offset -= MBLKL(udpmp);
437220cdSdanmcd			udpmp = udpmp->b_cont;
437220cdSdanmcd		}
437220cdSdanmcd		/* arr points to the UDP header's checksum field. */
437220cdSdanmcd		arr = (uint16_t *)(udpmp->b_rptr + offset);
437220cdSdanmcd		*arr = cksum;
437220cdSdanmcd	}
437220cdSdanmcd}
437220cdSdanmcd
437220cdSdanmcd/*
73184bc7SDan McDonald * taskq handler so we can send the NAT-T keepalive on a separate thread.
73184bc7SDan McDonald */
73184bc7SDan McDonaldstatic void
73184bc7SDan McDonaldactually_send_keepalive(void *arg)
73184bc7SDan McDonald{
bd670b35SErik Nordmark	mblk_t *mp = (mblk_t *)arg;
bd670b35SErik Nordmark	ip_xmit_attr_t ixas;
73184bc7SDan McDonald	netstack_t	*ns;
bd670b35SErik Nordmark	netstackid_t	stackid;
73184bc7SDan McDonald
bd670b35SErik Nordmark	stackid = (netstackid_t)(uintptr_t)mp->b_prev;
bd670b35SErik Nordmark	mp->b_prev = NULL;
bd670b35SErik Nordmark	ns = netstack_find_by_stackid(stackid);
bd670b35SErik Nordmark	if (ns == NULL) {
bd670b35SErik Nordmark		/* Disappeared */
bd670b35SErik Nordmark		ip_drop_output("ipIfStatsOutDiscards", mp, NULL);
bd670b35SErik Nordmark		freemsg(mp);
73184bc7SDan McDonald		return;
73184bc7SDan McDonald	}
73184bc7SDan McDonald
bd670b35SErik Nordmark	bzero(&ixas, sizeof (ixas));
bd670b35SErik Nordmark	ixas.ixa_zoneid = ALL_ZONES;
bd670b35SErik Nordmark	ixas.ixa_cred = kcred;
bd670b35SErik Nordmark	ixas.ixa_cpid = NOPID;
bd670b35SErik Nordmark	ixas.ixa_tsl = NULL;
bd670b35SErik Nordmark	ixas.ixa_ipst = ns->netstack_ip;
bd670b35SErik Nordmark	/* No ULP checksum; done by esp_prepare_udp */
44b099c4SSowmini Varadhan	ixas.ixa_flags = (IXAF_IS_IPV4 | IXAF_NO_IPSEC | IXAF_VERIFY_SOURCE);
bd670b35SErik Nordmark
bd670b35SErik Nordmark	(void) ip_output_simple(mp, &ixas);
bd670b35SErik Nordmark	ixa_cleanup(&ixas);
73184bc7SDan McDonald	netstack_rele(ns);
73184bc7SDan McDonald}
73184bc7SDan McDonald
73184bc7SDan McDonald/*
bd670b35SErik Nordmark * Send a one-byte UDP NAT-T keepalive.
437220cdSdanmcd */
437220cdSdanmcdvoid
437220cdSdanmcdipsecesp_send_keepalive(ipsa_t *assoc)
437220cdSdanmcd{
bd670b35SErik Nordmark	mblk_t		*mp;
437220cdSdanmcd	ipha_t		*ipha;
437220cdSdanmcd	udpha_t		*udpha;
bd670b35SErik Nordmark	netstack_t	*ns = assoc->ipsa_netstack;
437220cdSdanmcd
0c0328cdSBill Sommerfeld	ASSERT(MUTEX_NOT_HELD(&assoc->ipsa_lock));
437220cdSdanmcd
437220cdSdanmcd	mp = allocb(sizeof (ipha_t) + sizeof (udpha_t) + 1, BPRI_HI);
437220cdSdanmcd	if (mp == NULL)
437220cdSdanmcd		return;
437220cdSdanmcd	ipha = (ipha_t *)mp->b_rptr;
437220cdSdanmcd	ipha->ipha_version_and_hdr_length = IP_SIMPLE_HDR_VERSION;
437220cdSdanmcd	ipha->ipha_type_of_service = 0;
437220cdSdanmcd	ipha->ipha_length = htons(sizeof (ipha_t) + sizeof (udpha_t) + 1);
437220cdSdanmcd	/* Use the low-16 of the SPI so we have some clue where it came from. */
437220cdSdanmcd	ipha->ipha_ident = *(((uint16_t *)(&assoc->ipsa_spi)) + 1);
437220cdSdanmcd	ipha->ipha_fragment_offset_and_flags = 0;  /* Too small to fragment! */
437220cdSdanmcd	ipha->ipha_ttl = 0xFF;
437220cdSdanmcd	ipha->ipha_protocol = IPPROTO_UDP;
437220cdSdanmcd	ipha->ipha_hdr_checksum = 0;
437220cdSdanmcd	ipha->ipha_src = assoc->ipsa_srcaddr[0];
437220cdSdanmcd	ipha->ipha_dst = assoc->ipsa_dstaddr[0];
437220cdSdanmcd	udpha = (udpha_t *)(ipha + 1);
437220cdSdanmcd	udpha->uha_src_port = (assoc->ipsa_local_nat_port != 0) ?
437220cdSdanmcd	    assoc->ipsa_local_nat_port : htons(IPPORT_IKE_NATT);
437220cdSdanmcd	udpha->uha_dst_port = (assoc->ipsa_remote_nat_port != 0) ?
437220cdSdanmcd	    assoc->ipsa_remote_nat_port : htons(IPPORT_IKE_NATT);
437220cdSdanmcd	udpha->uha_length = htons(sizeof (udpha_t) + 1);
437220cdSdanmcd	udpha->uha_checksum = 0;
437220cdSdanmcd	mp->b_wptr = (uint8_t *)(udpha + 1);
437220cdSdanmcd	*(mp->b_wptr++) = 0xFF;
437220cdSdanmcd
bd670b35SErik Nordmark	esp_prepare_udp(ns, mp, ipha);
437220cdSdanmcd
73184bc7SDan McDonald	/*
73184bc7SDan McDonald	 * We're holding an isaf_t bucket lock, so pawn off the actual
73184bc7SDan McDonald	 * packet transmission to another thread.  Just in case syncq
73184bc7SDan McDonald	 * processing causes a same-bucket packet to be processed.
73184bc7SDan McDonald	 */
bd670b35SErik Nordmark	mp->b_prev = (mblk_t *)(uintptr_t)ns->netstack_stackid;
bd670b35SErik Nordmark
bd670b35SErik Nordmark	if (taskq_dispatch(esp_taskq, actually_send_keepalive, mp,
fc8ae2ecSToomas Soome	    TQ_NOSLEEP) == TASKQID_INVALID) {
73184bc7SDan McDonald		/* Assume no memory if taskq_dispatch() fails. */
bd670b35SErik Nordmark		mp->b_prev = NULL;
bd670b35SErik Nordmark		ip_drop_packet(mp, B_FALSE, NULL,
bd670b35SErik Nordmark		    DROPPER(ns->netstack_ipsec, ipds_esp_nomem),
bd670b35SErik Nordmark		    &ns->netstack_ipsecesp->esp_dropper);
73184bc7SDan McDonald	}
437220cdSdanmcd}
437220cdSdanmcd
bd670b35SErik Nordmark/*
bd670b35SErik Nordmark * Returns mp if successfully completed the request. Returns
bd670b35SErik Nordmark * NULL if it failed (and increments InDiscards) or if it is pending.
bd670b35SErik Nordmark */
bd670b35SErik Nordmarkstatic mblk_t *
bd670b35SErik Nordmarkesp_submit_req_outbound(mblk_t *data_mp, ip_xmit_attr_t *ixa, ipsa_t *assoc,
bd670b35SErik Nordmark    uchar_t *icv_buf, uint_t payload_len)
7c478bd9Sstevel@tonic-gate{
7c478bd9Sstevel@tonic-gate	uint_t auth_len;
bd670b35SErik Nordmark	crypto_call_req_t call_req, *callrp;
bd670b35SErik Nordmark	mblk_t *esp_mp;
628b0c67SMark Fenwick	esph_t *esph_ptr;
bd670b35SErik Nordmark	mblk_t *mp;
7c478bd9Sstevel@tonic-gate	int kef_rc = CRYPTO_FAILED;
7c478bd9Sstevel@tonic-gate	uint_t icv_len = assoc->ipsa_mac_len;
7c478bd9Sstevel@tonic-gate	crypto_ctx_template_t auth_ctx_tmpl;
bd670b35SErik Nordmark	boolean_t do_auth, do_encr, force;
7c478bd9Sstevel@tonic-gate	uint_t iv_len = assoc->ipsa_iv_len;
7c478bd9Sstevel@tonic-gate	crypto_ctx_template_t encr_ctx_tmpl;
7c478bd9Sstevel@tonic-gate	boolean_t is_natt = ((assoc->ipsa_flags & IPSA_F_NATT) != 0);
7c478bd9Sstevel@tonic-gate	size_t esph_offset = (is_natt ? UDPH_SIZE : 0);
bd670b35SErik Nordmark	netstack_t	*ns = ixa->ixa_ipst->ips_netstack;
f4b3ec61Sdh155122	ipsecesp_stack_t *espstack = ns->netstack_ipsecesp;
bd670b35SErik Nordmark	ipsec_crypto_t	*ic, icstack;
628b0c67SMark Fenwick	uchar_t		*iv_ptr;
628b0c67SMark Fenwick	crypto_data_t	*cd_ptr = NULL;
bd670b35SErik Nordmark	ill_t		*ill = ixa->ixa_nce->nce_ill;
bd670b35SErik Nordmark	ipsec_stack_t	*ipss = ns->netstack_ipsec;
7c478bd9Sstevel@tonic-gate
f4b3ec61Sdh155122	esp3dbg(espstack, ("esp_submit_req_outbound:%s",
f4b3ec61Sdh155122	    is_natt ? "natt" : "not natt"));
7c478bd9Sstevel@tonic-gate
*4132743aSToomas Soome	mp = NULL;
7c478bd9Sstevel@tonic-gate	do_encr = assoc->ipsa_encr_alg != SADB_EALG_NULL;
7c478bd9Sstevel@tonic-gate	do_auth = assoc->ipsa_auth_alg != SADB_AALG_NONE;
bd670b35SErik Nordmark	force = (assoc->ipsa_flags & IPSA_F_ASYNC);
bd670b35SErik Nordmark
bd670b35SErik Nordmark#ifdef IPSEC_LATENCY_TEST
bd670b35SErik Nordmark	kef_rc = CRYPTO_SUCCESS;
bd670b35SErik Nordmark#else
bd670b35SErik Nordmark	kef_rc = CRYPTO_FAILED;
bd670b35SErik Nordmark#endif
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	/*
7c478bd9Sstevel@tonic-gate	 * Outbound IPsec packets are of the form:
bd670b35SErik Nordmark	 * [IP,options] -> [ESP,IV] -> [data] -> [pad,ICV]
7c478bd9Sstevel@tonic-gate	 * unless it's NATT, then it's
bd670b35SErik Nordmark	 * [IP,options] -> [udp][ESP,IV] -> [data] -> [pad,ICV]
7c478bd9Sstevel@tonic-gate	 * Get a pointer to the mblk containing the ESP header.
7c478bd9Sstevel@tonic-gate	 */
bd670b35SErik Nordmark	ASSERT(data_mp->b_cont != NULL);
bd670b35SErik Nordmark	esp_mp = data_mp->b_cont;
628b0c67SMark Fenwick	esph_ptr = (esph_t *)(esp_mp->b_rptr + esph_offset);
628b0c67SMark Fenwick	iv_ptr = (uchar_t *)(esph_ptr + 1);
628b0c67SMark Fenwick
628b0c67SMark Fenwick	/*
628b0c67SMark Fenwick	 * Combined mode algs need a nonce. This is setup in sadb_common_add().
628b0c67SMark Fenwick	 * If for some reason we are using a SA which does not have a nonce
628b0c67SMark Fenwick	 * then we must fail here.
628b0c67SMark Fenwick	 */
628b0c67SMark Fenwick	if ((assoc->ipsa_flags & IPSA_F_COUNTERMODE) &&
628b0c67SMark Fenwick	    (assoc->ipsa_nonce == NULL)) {
bd670b35SErik Nordmark		ip_drop_packet(data_mp, B_FALSE, NULL,
628b0c67SMark Fenwick		    DROPPER(ipss, ipds_esp_nomem), &espstack->esp_dropper);
bd670b35SErik Nordmark		return (NULL);
628b0c67SMark Fenwick	}
7c478bd9Sstevel@tonic-gate
bd670b35SErik Nordmark	if (force) {
bd670b35SErik Nordmark		/* We are doing asynch; allocate mblks to hold state */
bd670b35SErik Nordmark		if ((mp = ip_xmit_attr_to_mblk(ixa)) == NULL ||
bd670b35SErik Nordmark		    (mp = ipsec_add_crypto_data(mp, &ic)) == NULL) {
bd670b35SErik Nordmark			BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutDiscards);
bd670b35SErik Nordmark			ip_drop_output("ipIfStatsOutDiscards", data_mp, ill);
bd670b35SErik Nordmark			freemsg(data_mp);
bd670b35SErik Nordmark			return (NULL);
bd670b35SErik Nordmark		}
bd670b35SErik Nordmark
bd670b35SErik Nordmark		linkb(mp, data_mp);
bd670b35SErik Nordmark		callrp = &call_req;
bd670b35SErik Nordmark		ESP_INIT_CALLREQ(callrp, mp, esp_kcf_callback_outbound);
bd670b35SErik Nordmark	} else {
bd670b35SErik Nordmark		/*
bd670b35SErik Nordmark		 * If we know we are going to do sync then ipsec_crypto_t
bd670b35SErik Nordmark		 * should be on the stack.
bd670b35SErik Nordmark		 */
bd670b35SErik Nordmark		ic = &icstack;
bd670b35SErik Nordmark		bzero(ic, sizeof (*ic));
bd670b35SErik Nordmark		callrp = NULL;
bd670b35SErik Nordmark	}
bd670b35SErik Nordmark
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	if (do_auth) {
7c478bd9Sstevel@tonic-gate		/* authentication context template */
7c478bd9Sstevel@tonic-gate		IPSEC_CTX_TMPL(assoc, ipsa_authtmpl, IPSEC_ALG_AUTH,
7c478bd9Sstevel@tonic-gate		    auth_ctx_tmpl);
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate		/* where to store the computed mac */
bd670b35SErik Nordmark		ESP_INIT_CRYPTO_MAC(&ic->ic_crypto_mac,
7c478bd9Sstevel@tonic-gate		    icv_len, icv_buf);
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate		/* authentication starts at the ESP header */
a86080f9Sdanmcd		auth_len = payload_len + iv_len + sizeof (esph_t);
7c478bd9Sstevel@tonic-gate		if (!do_encr) {
7c478bd9Sstevel@tonic-gate			/* authentication only */
7c478bd9Sstevel@tonic-gate			/* initialize input data argument */
bd670b35SErik Nordmark			ESP_INIT_CRYPTO_DATA(&ic->ic_crypto_data,
7c478bd9Sstevel@tonic-gate			    esp_mp, esph_offset, auth_len);
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate			/* call the crypto framework */
7c478bd9Sstevel@tonic-gate			kef_rc = crypto_mac(&assoc->ipsa_amech,
bd670b35SErik Nordmark			    &ic->ic_crypto_data,
7c478bd9Sstevel@tonic-gate			    &assoc->ipsa_kcfauthkey, auth_ctx_tmpl,
bd670b35SErik Nordmark			    &ic->ic_crypto_mac, callrp);
7c478bd9Sstevel@tonic-gate		}
7c478bd9Sstevel@tonic-gate	}
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	if (do_encr) {
7c478bd9Sstevel@tonic-gate		/* encryption context template */
7c478bd9Sstevel@tonic-gate		IPSEC_CTX_TMPL(assoc, ipsa_encrtmpl, IPSEC_ALG_ENCR,
7c478bd9Sstevel@tonic-gate		    encr_ctx_tmpl);
628b0c67SMark Fenwick		/* Call the nonce update function. */
628b0c67SMark Fenwick		(assoc->ipsa_noncefunc)(assoc, (uchar_t *)esph_ptr, payload_len,
bd670b35SErik Nordmark		    iv_ptr, &ic->ic_cmm, &ic->ic_crypto_data);
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate		if (!do_auth) {
7c478bd9Sstevel@tonic-gate			/* encryption only, skip mblk that contains ESP hdr */
7c478bd9Sstevel@tonic-gate			/* initialize input data argument */
bd670b35SErik Nordmark			ESP_INIT_CRYPTO_DATA(&ic->ic_crypto_data,
bd670b35SErik Nordmark			    esp_mp->b_cont, 0, payload_len);
7c478bd9Sstevel@tonic-gate
628b0c67SMark Fenwick			/*
628b0c67SMark Fenwick			 * For combined mode ciphers, the ciphertext is the same
628b0c67SMark Fenwick			 * size as the clear text, the ICV should follow the
628b0c67SMark Fenwick			 * ciphertext. To convince the kcf to allow in-line
628b0c67SMark Fenwick			 * encryption, with an ICV, use ipsec_out_crypto_mac
628b0c67SMark Fenwick			 * to point to the same buffer as the data. The calling
628b0c67SMark Fenwick			 * function need to ensure the buffer is large enough to
628b0c67SMark Fenwick			 * include the ICV.
628b0c67SMark Fenwick			 *
628b0c67SMark Fenwick			 * The IV is already written to the packet buffer, the
628b0c67SMark Fenwick			 * nonce setup function copied it to the params struct
628b0c67SMark Fenwick			 * for the cipher to use.
628b0c67SMark Fenwick			 */
628b0c67SMark Fenwick			if (assoc->ipsa_flags & IPSA_F_COMBINED) {
bd670b35SErik Nordmark				bcopy(&ic->ic_crypto_data,
bd670b35SErik Nordmark				    &ic->ic_crypto_mac,
628b0c67SMark Fenwick				    sizeof (crypto_data_t));
bd670b35SErik Nordmark				ic->ic_crypto_mac.cd_length =
628b0c67SMark Fenwick				    payload_len + icv_len;
bd670b35SErik Nordmark				cd_ptr = &ic->ic_crypto_mac;
628b0c67SMark Fenwick			}
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate			/* call the crypto framework */
628b0c67SMark Fenwick			kef_rc = crypto_encrypt((crypto_mechanism_t *)
bd670b35SErik Nordmark			    &ic->ic_cmm, &ic->ic_crypto_data,
7c478bd9Sstevel@tonic-gate			    &assoc->ipsa_kcfencrkey, encr_ctx_tmpl,
bd670b35SErik Nordmark			    cd_ptr, callrp);
628b0c67SMark Fenwick
7c478bd9Sstevel@tonic-gate		}
7c478bd9Sstevel@tonic-gate	}
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	if (do_auth && do_encr) {
7c478bd9Sstevel@tonic-gate		/*
7c478bd9Sstevel@tonic-gate		 * Encryption and authentication:
7c478bd9Sstevel@tonic-gate		 * Pass the pointer to the mblk chain starting at the ESP
7c478bd9Sstevel@tonic-gate		 * header to the framework. Skip the ESP header mblk
7c478bd9Sstevel@tonic-gate		 * for encryption, which is reflected by an encryption
7c478bd9Sstevel@tonic-gate		 * offset equal to the length of that mblk. Start
7c478bd9Sstevel@tonic-gate		 * the authentication at the ESP header, i.e. use an
7c478bd9Sstevel@tonic-gate		 * authentication offset of zero.
7c478bd9Sstevel@tonic-gate		 */
bd670b35SErik Nordmark		ESP_INIT_CRYPTO_DUAL_DATA(&ic->ic_crypto_dual_data,
7c478bd9Sstevel@tonic-gate		    esp_mp, MBLKL(esp_mp), payload_len, esph_offset, auth_len);
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate		/* specify IV */
bd670b35SErik Nordmark		ic->ic_crypto_dual_data.dd_miscdata = (char *)iv_ptr;
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate		/* call the framework */
7c478bd9Sstevel@tonic-gate		kef_rc = crypto_encrypt_mac(&assoc->ipsa_emech,
7c478bd9Sstevel@tonic-gate		    &assoc->ipsa_amech, NULL,
7c478bd9Sstevel@tonic-gate		    &assoc->ipsa_kcfencrkey, &assoc->ipsa_kcfauthkey,
7c478bd9Sstevel@tonic-gate		    encr_ctx_tmpl, auth_ctx_tmpl,
bd670b35SErik Nordmark		    &ic->ic_crypto_dual_data,
bd670b35SErik Nordmark		    &ic->ic_crypto_mac, callrp);
7c478bd9Sstevel@tonic-gate	}
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	switch (kef_rc) {
7c478bd9Sstevel@tonic-gate	case CRYPTO_SUCCESS:
f4b3ec61Sdh155122		ESP_BUMP_STAT(espstack, crypto_sync);
437220cdSdanmcd		esp_set_usetime(assoc, B_FALSE);
bd670b35SErik Nordmark		if (force) {
bd670b35SErik Nordmark			mp = ipsec_free_crypto_data(mp);
bd670b35SErik Nordmark			data_mp = ip_xmit_attr_free_mblk(mp);
bd670b35SErik Nordmark		}
437220cdSdanmcd		if (is_natt)
bd670b35SErik Nordmark			esp_prepare_udp(ns, data_mp, (ipha_t *)data_mp->b_rptr);
bd670b35SErik Nordmark		return (data_mp);
7c478bd9Sstevel@tonic-gate	case CRYPTO_QUEUED:
bd670b35SErik Nordmark		/* esp_kcf_callback_outbound() will be invoked on completion */
f4b3ec61Sdh155122		ESP_BUMP_STAT(espstack, crypto_async);
bd670b35SErik Nordmark		return (NULL);
7c478bd9Sstevel@tonic-gate	}
7c478bd9Sstevel@tonic-gate
bd670b35SErik Nordmark	if (force) {
bd670b35SErik Nordmark		mp = ipsec_free_crypto_data(mp);
bd670b35SErik Nordmark		data_mp = ip_xmit_attr_free_mblk(mp);
bd670b35SErik Nordmark	}
bd670b35SErik Nordmark	BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutDiscards);
bd670b35SErik Nordmark	esp_crypto_failed(data_mp, B_FALSE, kef_rc, NULL, espstack);
bd670b35SErik Nordmark	/* data_mp was passed to ip_drop_packet */
bd670b35SErik Nordmark	return (NULL);
7c478bd9Sstevel@tonic-gate}
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate/*
7c478bd9Sstevel@tonic-gate * Handle outbound IPsec processing for IPv4 and IPv6
bd670b35SErik Nordmark *
bd670b35SErik Nordmark * Returns data_mp if successfully completed the request. Returns
bd670b35SErik Nordmark * NULL if it failed (and increments InDiscards) or if it is pending.
7c478bd9Sstevel@tonic-gate */
bd670b35SErik Nordmarkstatic mblk_t *
bd670b35SErik Nordmarkesp_outbound(mblk_t *data_mp, ip_xmit_attr_t *ixa)
7c478bd9Sstevel@tonic-gate{
bd670b35SErik Nordmark	mblk_t *espmp, *tailmp;
7c478bd9Sstevel@tonic-gate	ipha_t *ipha;
7c478bd9Sstevel@tonic-gate	ip6_t *ip6h;
628b0c67SMark Fenwick	esph_t *esph_ptr, *iv_ptr;
7c478bd9Sstevel@tonic-gate	uint_t af;
7c478bd9Sstevel@tonic-gate	uint8_t *nhp;
7c478bd9Sstevel@tonic-gate	uintptr_t divpoint, datalen, adj, padlen, i, alloclen;
7c478bd9Sstevel@tonic-gate	uintptr_t esplen = sizeof (esph_t);
7c478bd9Sstevel@tonic-gate	uint8_t protocol;
7c478bd9Sstevel@tonic-gate	ipsa_t *assoc;
628b0c67SMark Fenwick	uint_t iv_len, block_size, mac_len = 0;
7c478bd9Sstevel@tonic-gate	uchar_t *icv_buf;
7c478bd9Sstevel@tonic-gate	udpha_t *udpha;
7c478bd9Sstevel@tonic-gate	boolean_t is_natt = B_FALSE;
bd670b35SErik Nordmark	netstack_t	*ns = ixa->ixa_ipst->ips_netstack;
bd670b35SErik Nordmark	ipsecesp_stack_t *espstack = ns->netstack_ipsecesp;
bd670b35SErik Nordmark	ipsec_stack_t	*ipss = ns->netstack_ipsec;
bd670b35SErik Nordmark	ill_t		*ill = ixa->ixa_nce->nce_ill;
bd670b35SErik Nordmark	boolean_t	need_refrele = B_FALSE;
f4b3ec61Sdh155122
f4b3ec61Sdh155122	ESP_BUMP_STAT(espstack, out_requests);
f4b3ec61Sdh155122
7c478bd9Sstevel@tonic-gate	/*
7c478bd9Sstevel@tonic-gate	 * <sigh> We have to copy the message here, because TCP (for example)
7c478bd9Sstevel@tonic-gate	 * keeps a dupb() of the message lying around for retransmission.
7c478bd9Sstevel@tonic-gate	 * Since ESP changes the whole of the datagram, we have to create our
7c478bd9Sstevel@tonic-gate	 * own copy lest we clobber TCP's data.  Since we have to copy anyway,
7c478bd9Sstevel@tonic-gate	 * we might as well make use of msgpullup() and get the mblk into one
7c478bd9Sstevel@tonic-gate	 * contiguous piece!
7c478bd9Sstevel@tonic-gate	 */
bd670b35SErik Nordmark	tailmp = msgpullup(data_mp, -1);
bd670b35SErik Nordmark	if (tailmp == NULL) {
7c478bd9Sstevel@tonic-gate		esp0dbg(("esp_outbound: msgpullup() failed, "
7c478bd9Sstevel@tonic-gate		    "dropping packet.\n"));
bd670b35SErik Nordmark		ip_drop_packet(data_mp, B_FALSE, ill,
f4b3ec61Sdh155122		    DROPPER(ipss, ipds_esp_nomem),
f4b3ec61Sdh155122		    &espstack->esp_dropper);
bd670b35SErik Nordmark		BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutDiscards);
bd670b35SErik Nordmark		return (NULL);
7c478bd9Sstevel@tonic-gate	}
bd670b35SErik Nordmark	freemsg(data_mp);
bd670b35SErik Nordmark	data_mp = tailmp;
7c478bd9Sstevel@tonic-gate
bd670b35SErik Nordmark	assoc = ixa->ixa_ipsec_esp_sa;
5d3b8cb7SBill Sommerfeld	ASSERT(assoc != NULL);
5d3b8cb7SBill Sommerfeld
5d3b8cb7SBill Sommerfeld	/*
5d3b8cb7SBill Sommerfeld	 * Get the outer IP header in shape to escape this system..
5d3b8cb7SBill Sommerfeld	 */
bd670b35SErik Nordmark	if (is_system_labeled() && (assoc->ipsa_otsl != NULL)) {
bd670b35SErik Nordmark		/*
bd670b35SErik Nordmark		 * Need to update packet with any CIPSO option and update
bd670b35SErik Nordmark		 * ixa_tsl to capture the new label.
bd670b35SErik Nordmark		 * We allocate a separate ixa for that purpose.
bd670b35SErik Nordmark		 */
bd670b35SErik Nordmark		ixa = ip_xmit_attr_duplicate(ixa);
bd670b35SErik Nordmark		if (ixa == NULL) {
bd670b35SErik Nordmark			ip_drop_packet(data_mp, B_FALSE, ill,
bd670b35SErik Nordmark			    DROPPER(ipss, ipds_esp_nomem),
5d3b8cb7SBill Sommerfeld			    &espstack->esp_dropper);
bd670b35SErik Nordmark			return (NULL);
5d3b8cb7SBill Sommerfeld		}
bd670b35SErik Nordmark		need_refrele = B_TRUE;
5d3b8cb7SBill Sommerfeld
bd670b35SErik Nordmark		label_hold(assoc->ipsa_otsl);
bd670b35SErik Nordmark		ip_xmit_attr_replace_tsl(ixa, assoc->ipsa_otsl);
bd670b35SErik Nordmark
bd670b35SErik Nordmark		data_mp = sadb_whack_label(data_mp, assoc, ixa,
bd670b35SErik Nordmark		    DROPPER(ipss, ipds_esp_nomem), &espstack->esp_dropper);
bd670b35SErik Nordmark		if (data_mp == NULL) {
bd670b35SErik Nordmark			/* Packet dropped by sadb_whack_label */
bd670b35SErik Nordmark			ixa_refrele(ixa);
bd670b35SErik Nordmark			return (NULL);
bd670b35SErik Nordmark		}
bd670b35SErik Nordmark	}
5d3b8cb7SBill Sommerfeld
7c478bd9Sstevel@tonic-gate	/*
7c478bd9Sstevel@tonic-gate	 * Reality check....
7c478bd9Sstevel@tonic-gate	 */
7c478bd9Sstevel@tonic-gate	ipha = (ipha_t *)data_mp->b_rptr;  /* So we can call esp_acquire(). */
*4132743aSToomas Soome	ip6h = (ip6_t *)ipha;
7c478bd9Sstevel@tonic-gate
bd670b35SErik Nordmark	if (ixa->ixa_flags & IXAF_IS_IPV4) {
bd670b35SErik Nordmark		ASSERT(IPH_HDR_VERSION(ipha) == IPV4_VERSION);
bd670b35SErik Nordmark
7c478bd9Sstevel@tonic-gate		af = AF_INET;
7c478bd9Sstevel@tonic-gate		divpoint = IPH_HDR_LENGTH(ipha);
7c478bd9Sstevel@tonic-gate		datalen = ntohs(ipha->ipha_length) - divpoint;
7c478bd9Sstevel@tonic-gate		nhp = (uint8_t *)&ipha->ipha_protocol;
7c478bd9Sstevel@tonic-gate	} else {
bd670b35SErik Nordmark		ip_pkt_t ipp;
bd670b35SErik Nordmark
bd670b35SErik Nordmark		ASSERT(IPH_HDR_VERSION(ipha) == IPV6_VERSION);
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate		af = AF_INET6;
7c478bd9Sstevel@tonic-gate		bzero(&ipp, sizeof (ipp));
bd670b35SErik Nordmark		divpoint = ip_find_hdr_v6(data_mp, ip6h, B_FALSE, &ipp, NULL);
7c478bd9Sstevel@tonic-gate		if (ipp.ipp_dstopts != NULL &&
7c478bd9Sstevel@tonic-gate		    ipp.ipp_dstopts->ip6d_nxt != IPPROTO_ROUTING) {
7c478bd9Sstevel@tonic-gate			/*
7c478bd9Sstevel@tonic-gate			 * Destination options are tricky.  If we get in here,
7c478bd9Sstevel@tonic-gate			 * then we have a terminal header following the
7c478bd9Sstevel@tonic-gate			 * destination options.  We need to adjust backwards
7c478bd9Sstevel@tonic-gate			 * so we insert ESP BEFORE the destination options
7c478bd9Sstevel@tonic-gate			 * bag.  (So that the dstopts get encrypted!)
7c478bd9Sstevel@tonic-gate			 *
7c478bd9Sstevel@tonic-gate			 * Since this is for outbound packets only, we know
7c478bd9Sstevel@tonic-gate			 * that non-terminal destination options only precede
7c478bd9Sstevel@tonic-gate			 * routing headers.
7c478bd9Sstevel@tonic-gate			 */
7c478bd9Sstevel@tonic-gate			divpoint -= ipp.ipp_dstoptslen;
7c478bd9Sstevel@tonic-gate		}
7c478bd9Sstevel@tonic-gate		datalen = ntohs(ip6h->ip6_plen) + sizeof (ip6_t) - divpoint;
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate		if (ipp.ipp_rthdr != NULL) {
7c478bd9Sstevel@tonic-gate			nhp = &ipp.ipp_rthdr->ip6r_nxt;
7c478bd9Sstevel@tonic-gate		} else if (ipp.ipp_hopopts != NULL) {
7c478bd9Sstevel@tonic-gate			nhp = &ipp.ipp_hopopts->ip6h_nxt;
7c478bd9Sstevel@tonic-gate		} else {
7c478bd9Sstevel@tonic-gate			ASSERT(divpoint == sizeof (ip6_t));
7c478bd9Sstevel@tonic-gate			/* It's probably IP + ESP. */
7c478bd9Sstevel@tonic-gate			nhp = &ip6h->ip6_nxt;
7c478bd9Sstevel@tonic-gate		}
7c478bd9Sstevel@tonic-gate	}
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	mac_len = assoc->ipsa_mac_len;
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	if (assoc->ipsa_flags & IPSA_F_NATT) {
5d3b8cb7SBill Sommerfeld		/* wedge in UDP header */
7c478bd9Sstevel@tonic-gate		is_natt = B_TRUE;
7c478bd9Sstevel@tonic-gate		esplen += UDPH_SIZE;
7c478bd9Sstevel@tonic-gate	}
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	/*
7c478bd9Sstevel@tonic-gate	 * Set up ESP header and encryption padding for ENCR PI request.
7c478bd9Sstevel@tonic-gate	 */
7c478bd9Sstevel@tonic-gate
32350c00Sdanmcd	/* Determine the padding length.  Pad to 4-bytes for no-encryption. */
7c478bd9Sstevel@tonic-gate	if (assoc->ipsa_encr_alg != SADB_EALG_NULL) {
32350c00Sdanmcd		iv_len = assoc->ipsa_iv_len;
628b0c67SMark Fenwick		block_size = assoc->ipsa_datalen;
32350c00Sdanmcd
32350c00Sdanmcd		/*
628b0c67SMark Fenwick		 * Pad the data to the length of the cipher block size.
32350c00Sdanmcd		 * Include the two additional bytes (hence the - 2) for the
32350c00Sdanmcd		 * padding length and the next header.  Take this into account
32350c00Sdanmcd		 * when calculating the actual length of the padding.
32350c00Sdanmcd		 */
32350c00Sdanmcd		ASSERT(ISP2(iv_len));
628b0c67SMark Fenwick		padlen = ((unsigned)(block_size - datalen - 2)) &
628b0c67SMark Fenwick		    (block_size - 1);
7c478bd9Sstevel@tonic-gate	} else {
32350c00Sdanmcd		iv_len = 0;
32350c00Sdanmcd		padlen = ((unsigned)(sizeof (uint32_t) - datalen - 2)) &
32350c00Sdanmcd		    (sizeof (uint32_t) - 1);
7c478bd9Sstevel@tonic-gate	}
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	/* Allocate ESP header and IV. */
7c478bd9Sstevel@tonic-gate	esplen += iv_len;
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	/*
7c478bd9Sstevel@tonic-gate	 * Update association byte-count lifetimes.  Don't forget to take
7c478bd9Sstevel@tonic-gate	 * into account the padding length and next-header (hence the + 2).
a86080f9Sdanmcd	 *
7c478bd9Sstevel@tonic-gate	 * Use the amount of data fed into the "encryption algorithm".  This
7c478bd9Sstevel@tonic-gate	 * is the IV, the data length, the padding length, and the final two
7c478bd9Sstevel@tonic-gate	 * bytes (padlen, and next-header).
7c478bd9Sstevel@tonic-gate	 *
7c478bd9Sstevel@tonic-gate	 */
7c478bd9Sstevel@tonic-gate
a86080f9Sdanmcd	if (!esp_age_bytes(assoc, datalen + padlen + iv_len + 2, B_FALSE)) {
bd670b35SErik Nordmark		ip_drop_packet(data_mp, B_FALSE, ill,
f4b3ec61Sdh155122		    DROPPER(ipss, ipds_esp_bytes_expire),
f4b3ec61Sdh155122		    &espstack->esp_dropper);
bd670b35SErik Nordmark		BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutDiscards);
bd670b35SErik Nordmark		if (need_refrele)
bd670b35SErik Nordmark			ixa_refrele(ixa);
bd670b35SErik Nordmark		return (NULL);
7c478bd9Sstevel@tonic-gate	}
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	espmp = allocb(esplen, BPRI_HI);
7c478bd9Sstevel@tonic-gate	if (espmp == NULL) {
f4b3ec61Sdh155122		ESP_BUMP_STAT(espstack, out_discards);
f4b3ec61Sdh155122		esp1dbg(espstack, ("esp_outbound: can't allocate espmp.\n"));
bd670b35SErik Nordmark		ip_drop_packet(data_mp, B_FALSE, ill,
f4b3ec61Sdh155122		    DROPPER(ipss, ipds_esp_nomem),
f4b3ec61Sdh155122		    &espstack->esp_dropper);
bd670b35SErik Nordmark		BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutDiscards);
bd670b35SErik Nordmark		if (need_refrele)
bd670b35SErik Nordmark			ixa_refrele(ixa);
bd670b35SErik Nordmark		return (NULL);
7c478bd9Sstevel@tonic-gate	}
7c478bd9Sstevel@tonic-gate	espmp->b_wptr += esplen;
628b0c67SMark Fenwick	esph_ptr = (esph_t *)espmp->b_rptr;
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	if (is_natt) {
f4b3ec61Sdh155122		esp3dbg(espstack, ("esp_outbound: NATT"));
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate		udpha = (udpha_t *)espmp->b_rptr;
437220cdSdanmcd		udpha->uha_src_port = (assoc->ipsa_local_nat_port != 0) ?
437220cdSdanmcd		    assoc->ipsa_local_nat_port : htons(IPPORT_IKE_NATT);
437220cdSdanmcd		udpha->uha_dst_port = (assoc->ipsa_remote_nat_port != 0) ?
437220cdSdanmcd		    assoc->ipsa_remote_nat_port : htons(IPPORT_IKE_NATT);
7c478bd9Sstevel@tonic-gate		/*
437220cdSdanmcd		 * Set the checksum to 0, so that the esp_prepare_udp() call
7c478bd9Sstevel@tonic-gate		 * can do the right thing.
7c478bd9Sstevel@tonic-gate		 */
7c478bd9Sstevel@tonic-gate		udpha->uha_checksum = 0;
628b0c67SMark Fenwick		esph_ptr = (esph_t *)(udpha + 1);
7c478bd9Sstevel@tonic-gate	}
7c478bd9Sstevel@tonic-gate
628b0c67SMark Fenwick	esph_ptr->esph_spi = assoc->ipsa_spi;
7c478bd9Sstevel@tonic-gate
1a5e258fSJosef 'Jeff' Sipek	esph_ptr->esph_replay = htonl(atomic_inc_32_nv(&assoc->ipsa_replay));
628b0c67SMark Fenwick	if (esph_ptr->esph_replay == 0 && assoc->ipsa_replay_wsize != 0) {
7c478bd9Sstevel@tonic-gate		/*
7c478bd9Sstevel@tonic-gate		 * XXX We have replay counter wrapping.
7c478bd9Sstevel@tonic-gate		 * We probably want to nuke this SA (and its peer).
7c478bd9Sstevel@tonic-gate		 */
7c478bd9Sstevel@tonic-gate		ipsec_assocfailure(info.mi_idnum, 0, 0,
7c478bd9Sstevel@tonic-gate		    SL_ERROR | SL_CONSOLE | SL_WARN,
7c478bd9Sstevel@tonic-gate		    "Outbound ESP SA (0x%x, %s) has wrapped sequence.\n",
628b0c67SMark Fenwick		    esph_ptr->esph_spi, assoc->ipsa_dstaddr, af,
f4b3ec61Sdh155122		    espstack->ipsecesp_netstack);
7c478bd9Sstevel@tonic-gate
f4b3ec61Sdh155122		ESP_BUMP_STAT(espstack, out_discards);
7c478bd9Sstevel@tonic-gate		sadb_replay_delete(assoc);
bd670b35SErik Nordmark		ip_drop_packet(data_mp, B_FALSE, ill,
f4b3ec61Sdh155122		    DROPPER(ipss, ipds_esp_replay),
f4b3ec61Sdh155122		    &espstack->esp_dropper);
bd670b35SErik Nordmark		BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutDiscards);
bd670b35SErik Nordmark		if (need_refrele)
bd670b35SErik Nordmark			ixa_refrele(ixa);
bd670b35SErik Nordmark		return (NULL);
7c478bd9Sstevel@tonic-gate	}
7c478bd9Sstevel@tonic-gate
628b0c67SMark Fenwick	iv_ptr = (esph_ptr + 1);
7c478bd9Sstevel@tonic-gate	/*
628b0c67SMark Fenwick	 * iv_ptr points to the mblk which will contain the IV once we have
628b0c67SMark Fenwick	 * written it there. This mblk will be part of a mblk chain that
628b0c67SMark Fenwick	 * will make up the packet.
628b0c67SMark Fenwick	 *
628b0c67SMark Fenwick	 * For counter mode algorithms, the IV is a 64 bit quantity, it
628b0c67SMark Fenwick	 * must NEVER repeat in the lifetime of the SA, otherwise an
628b0c67SMark Fenwick	 * attacker who had recorded enough packets might be able to
628b0c67SMark Fenwick	 * determine some clear text.
628b0c67SMark Fenwick	 *
628b0c67SMark Fenwick	 * To ensure this does not happen, the IV is stored in the SA and
628b0c67SMark Fenwick	 * incremented for each packet, the IV is then copied into the
628b0c67SMark Fenwick	 * "packet" for transmission to the receiving system. The IV will
628b0c67SMark Fenwick	 * also be copied into the nonce, when the packet is encrypted.
628b0c67SMark Fenwick	 *
628b0c67SMark Fenwick	 * CBC mode algorithms use a random IV for each packet. We do not
628b0c67SMark Fenwick	 * require the highest quality random bits, but for best security
628b0c67SMark Fenwick	 * with CBC mode ciphers, the value must be unlikely to repeat and
628b0c67SMark Fenwick	 * must not be known in advance to an adversary capable of influencing
628b0c67SMark Fenwick	 * the clear text.
7c478bd9Sstevel@tonic-gate	 */
628b0c67SMark Fenwick	if (!update_iv((uint8_t *)iv_ptr, espstack->esp_pfkey_q, assoc,
628b0c67SMark Fenwick	    espstack)) {
bd670b35SErik Nordmark		ip_drop_packet(data_mp, B_FALSE, ill,
628b0c67SMark Fenwick		    DROPPER(ipss, ipds_esp_iv_wrap), &espstack->esp_dropper);
bd670b35SErik Nordmark		if (need_refrele)
bd670b35SErik Nordmark			ixa_refrele(ixa);
bd670b35SErik Nordmark		return (NULL);
628b0c67SMark Fenwick	}
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	/* Fix the IP header. */
7c478bd9Sstevel@tonic-gate	alloclen = padlen + 2 + mac_len;
7c478bd9Sstevel@tonic-gate	adj = alloclen + (espmp->b_wptr - espmp->b_rptr);
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	protocol = *nhp;
7c478bd9Sstevel@tonic-gate
bd670b35SErik Nordmark	if (ixa->ixa_flags & IXAF_IS_IPV4) {
7c478bd9Sstevel@tonic-gate		ipha->ipha_length = htons(ntohs(ipha->ipha_length) + adj);
7c478bd9Sstevel@tonic-gate		if (is_natt) {
7c478bd9Sstevel@tonic-gate			*nhp = IPPROTO_UDP;
7c478bd9Sstevel@tonic-gate			udpha->uha_length = htons(ntohs(ipha->ipha_length) -
7c478bd9Sstevel@tonic-gate			    IPH_HDR_LENGTH(ipha));
7c478bd9Sstevel@tonic-gate		} else {
7c478bd9Sstevel@tonic-gate			*nhp = IPPROTO_ESP;
7c478bd9Sstevel@tonic-gate		}
7c478bd9Sstevel@tonic-gate		ipha->ipha_hdr_checksum = 0;
7c478bd9Sstevel@tonic-gate		ipha->ipha_hdr_checksum = (uint16_t)ip_csum_hdr(ipha);
7c478bd9Sstevel@tonic-gate	} else {
7c478bd9Sstevel@tonic-gate		ip6h->ip6_plen = htons(ntohs(ip6h->ip6_plen) + adj);
7c478bd9Sstevel@tonic-gate		*nhp = IPPROTO_ESP;
7c478bd9Sstevel@tonic-gate	}
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	/* I've got the two ESP mblks, now insert them. */
7c478bd9Sstevel@tonic-gate
f4b3ec61Sdh155122	esp2dbg(espstack, ("data_mp before outbound ESP adjustment:\n"));
f4b3ec61Sdh155122	esp2dbg(espstack, (dump_msg(data_mp)));
7c478bd9Sstevel@tonic-gate
f4b3ec61Sdh155122	if (!esp_insert_esp(data_mp, espmp, divpoint, espstack)) {
f4b3ec61Sdh155122		ESP_BUMP_STAT(espstack, out_discards);
7c478bd9Sstevel@tonic-gate		/* NOTE:  esp_insert_esp() only fails if there's no memory. */
bd670b35SErik Nordmark		ip_drop_packet(data_mp, B_FALSE, ill,
f4b3ec61Sdh155122		    DROPPER(ipss, ipds_esp_nomem),
f4b3ec61Sdh155122		    &espstack->esp_dropper);
7c478bd9Sstevel@tonic-gate		freeb(espmp);
bd670b35SErik Nordmark		BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutDiscards);
bd670b35SErik Nordmark		if (need_refrele)
bd670b35SErik Nordmark			ixa_refrele(ixa);
bd670b35SErik Nordmark		return (NULL);
7c478bd9Sstevel@tonic-gate	}
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	/* Append padding (and leave room for ICV). */
7c478bd9Sstevel@tonic-gate	for (tailmp = data_mp; tailmp->b_cont != NULL; tailmp = tailmp->b_cont)
7c478bd9Sstevel@tonic-gate		;
7c478bd9Sstevel@tonic-gate	if (tailmp->b_wptr + alloclen > tailmp->b_datap->db_lim) {
7c478bd9Sstevel@tonic-gate		tailmp->b_cont = allocb(alloclen, BPRI_HI);
7c478bd9Sstevel@tonic-gate		if (tailmp->b_cont == NULL) {
f4b3ec61Sdh155122			ESP_BUMP_STAT(espstack, out_discards);
7c478bd9Sstevel@tonic-gate			esp0dbg(("esp_outbound:  Can't allocate tailmp.\n"));
bd670b35SErik Nordmark			ip_drop_packet(data_mp, B_FALSE, ill,
f4b3ec61Sdh155122			    DROPPER(ipss, ipds_esp_nomem),
f4b3ec61Sdh155122			    &espstack->esp_dropper);
bd670b35SErik Nordmark			BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutDiscards);
bd670b35SErik Nordmark			if (need_refrele)
bd670b35SErik Nordmark				ixa_refrele(ixa);
bd670b35SErik Nordmark			return (NULL);
7c478bd9Sstevel@tonic-gate		}
7c478bd9Sstevel@tonic-gate		tailmp = tailmp->b_cont;
7c478bd9Sstevel@tonic-gate	}
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	/*
7c478bd9Sstevel@tonic-gate	 * If there's padding, N bytes of padding must be of the form 0x1,
7c478bd9Sstevel@tonic-gate	 * 0x2, 0x3... 0xN.
7c478bd9Sstevel@tonic-gate	 */
7c478bd9Sstevel@tonic-gate	for (i = 0; i < padlen; ) {
7c478bd9Sstevel@tonic-gate		i++;
7c478bd9Sstevel@tonic-gate		*tailmp->b_wptr++ = i;
7c478bd9Sstevel@tonic-gate	}
7c478bd9Sstevel@tonic-gate	*tailmp->b_wptr++ = i;
7c478bd9Sstevel@tonic-gate	*tailmp->b_wptr++ = protocol;
7c478bd9Sstevel@tonic-gate
f4b3ec61Sdh155122	esp2dbg(espstack, ("data_Mp before encryption:\n"));
f4b3ec61Sdh155122	esp2dbg(espstack, (dump_msg(data_mp)));
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	/*
7c478bd9Sstevel@tonic-gate	 * Okay.  I've set up the pre-encryption ESP.  Let's do it!
7c478bd9Sstevel@tonic-gate	 */
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	if (mac_len > 0) {
7c478bd9Sstevel@tonic-gate		ASSERT(tailmp->b_wptr + mac_len <= tailmp->b_datap->db_lim);
7c478bd9Sstevel@tonic-gate		icv_buf = tailmp->b_wptr;
7c478bd9Sstevel@tonic-gate		tailmp->b_wptr += mac_len;
7c478bd9Sstevel@tonic-gate	} else {
7c478bd9Sstevel@tonic-gate		icv_buf = NULL;
7c478bd9Sstevel@tonic-gate	}
7c478bd9Sstevel@tonic-gate
bd670b35SErik Nordmark	data_mp = esp_submit_req_outbound(data_mp, ixa, assoc, icv_buf,
bd670b35SErik Nordmark	    datalen + padlen + 2);
bd670b35SErik Nordmark	if (need_refrele)
bd670b35SErik Nordmark		ixa_refrele(ixa);
bd670b35SErik Nordmark	return (data_mp);
7c478bd9Sstevel@tonic-gate}
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate/*
7c478bd9Sstevel@tonic-gate * IP calls this to validate the ICMP errors that
7c478bd9Sstevel@tonic-gate * we got from the network.
7c478bd9Sstevel@tonic-gate */
bd670b35SErik Nordmarkmblk_t *
bd670b35SErik Nordmarkipsecesp_icmp_error(mblk_t *data_mp, ip_recv_attr_t *ira)
7c478bd9Sstevel@tonic-gate{
bd670b35SErik Nordmark	netstack_t	*ns = ira->ira_ill->ill_ipst->ips_netstack;
bd670b35SErik Nordmark	ipsecesp_stack_t *espstack = ns->netstack_ipsecesp;
bd670b35SErik Nordmark	ipsec_stack_t	*ipss = ns->netstack_ipsec;
f4b3ec61Sdh155122
7c478bd9Sstevel@tonic-gate	/*
7c478bd9Sstevel@tonic-gate	 * Unless we get an entire packet back, this function is useless.
7c478bd9Sstevel@tonic-gate	 * Why?
7c478bd9Sstevel@tonic-gate	 *
7c478bd9Sstevel@tonic-gate	 * 1.)	Partial packets are useless, because the "next header"
7c478bd9Sstevel@tonic-gate	 *	is at the end of the decrypted ESP packet.  Without the
7c478bd9Sstevel@tonic-gate	 *	whole packet, this is useless.
7c478bd9Sstevel@tonic-gate	 *
7c478bd9Sstevel@tonic-gate	 * 2.)	If we every use a stateful cipher, such as a stream or a
7c478bd9Sstevel@tonic-gate	 *	one-time pad, we can't do anything.
7c478bd9Sstevel@tonic-gate	 *
7c478bd9Sstevel@tonic-gate	 * Since the chances of us getting an entire packet back are very
7c478bd9Sstevel@tonic-gate	 * very small, we discard here.
7c478bd9Sstevel@tonic-gate	 */
f4b3ec61Sdh155122	IP_ESP_BUMP_STAT(ipss, in_discards);
bd670b35SErik Nordmark	ip_drop_packet(data_mp, B_TRUE, ira->ira_ill,
f4b3ec61Sdh155122	    DROPPER(ipss, ipds_esp_icmp),
f4b3ec61Sdh155122	    &espstack->esp_dropper);
bd670b35SErik Nordmark	return (NULL);
7c478bd9Sstevel@tonic-gate}
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate/*
7c478bd9Sstevel@tonic-gate * Construct an SADB_REGISTER message with the current algorithms.
628b0c67SMark Fenwick * This function gets called when 'ipsecalgs -s' is run or when
628b0c67SMark Fenwick * in.iked (or other KMD) starts.
7c478bd9Sstevel@tonic-gate */
7c478bd9Sstevel@tonic-gatestatic boolean_t
f4b3ec61Sdh155122esp_register_out(uint32_t sequence, uint32_t pid, uint_t serial,
bd670b35SErik Nordmark    ipsecesp_stack_t *espstack, cred_t *cr)
7c478bd9Sstevel@tonic-gate{
7c478bd9Sstevel@tonic-gate	mblk_t *pfkey_msg_mp, *keysock_out_mp;
7c478bd9Sstevel@tonic-gate	sadb_msg_t *samsg;
7c478bd9Sstevel@tonic-gate	sadb_supported_t *sasupp_auth = NULL;
7c478bd9Sstevel@tonic-gate	sadb_supported_t *sasupp_encr = NULL;
7c478bd9Sstevel@tonic-gate	sadb_alg_t *saalg;
7c478bd9Sstevel@tonic-gate	uint_t allocsize = sizeof (*samsg);
7c478bd9Sstevel@tonic-gate	uint_t i, numalgs_snap;
7c478bd9Sstevel@tonic-gate	int current_aalgs;
7c478bd9Sstevel@tonic-gate	ipsec_alginfo_t **authalgs;
7c478bd9Sstevel@tonic-gate	uint_t num_aalgs;
7c478bd9Sstevel@tonic-gate	int current_ealgs;
7c478bd9Sstevel@tonic-gate	ipsec_alginfo_t **encralgs;
7c478bd9Sstevel@tonic-gate	uint_t num_ealgs;
f4b3ec61Sdh155122	ipsec_stack_t	*ipss = espstack->ipsecesp_netstack->netstack_ipsec;
5d3b8cb7SBill Sommerfeld	sadb_sens_t *sens;
5d3b8cb7SBill Sommerfeld	size_t sens_len = 0;
5d3b8cb7SBill Sommerfeld	sadb_ext_t *nextext;
bd670b35SErik Nordmark	ts_label_t *sens_tsl = NULL;
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	/* Allocate the KEYSOCK_OUT. */
7c478bd9Sstevel@tonic-gate	keysock_out_mp = sadb_keysock_out(serial);
7c478bd9Sstevel@tonic-gate	if (keysock_out_mp == NULL) {
7c478bd9Sstevel@tonic-gate		esp0dbg(("esp_register_out: couldn't allocate mblk.\n"));
7c478bd9Sstevel@tonic-gate		return (B_FALSE);
7c478bd9Sstevel@tonic-gate	}
7c478bd9Sstevel@tonic-gate
bd670b35SErik Nordmark	if (is_system_labeled() && (cr != NULL)) {
bd670b35SErik Nordmark		sens_tsl = crgetlabel(cr);
bd670b35SErik Nordmark		if (sens_tsl != NULL) {
bd670b35SErik Nordmark			sens_len = sadb_sens_len_from_label(sens_tsl);
5d3b8cb7SBill Sommerfeld			allocsize += sens_len;
5d3b8cb7SBill Sommerfeld		}
5d3b8cb7SBill Sommerfeld	}
5d3b8cb7SBill Sommerfeld
7c478bd9Sstevel@tonic-gate	/*
7c478bd9Sstevel@tonic-gate	 * Allocate the PF_KEY message that follows KEYSOCK_OUT.
7c478bd9Sstevel@tonic-gate	 */
7c478bd9Sstevel@tonic-gate
69e71331SBayard Bell	rw_enter(&ipss->ipsec_alg_lock, RW_READER);
7c478bd9Sstevel@tonic-gate	/*
7c478bd9Sstevel@tonic-gate	 * Fill SADB_REGISTER message's algorithm descriptors.  Hold
7c478bd9Sstevel@tonic-gate	 * down the lock while filling it.
7c478bd9Sstevel@tonic-gate	 *
7c478bd9Sstevel@tonic-gate	 * Return only valid algorithms, so the number of algorithms
7c478bd9Sstevel@tonic-gate	 * to send up may be less than the number of algorithm entries
7c478bd9Sstevel@tonic-gate	 * in the table.
7c478bd9Sstevel@tonic-gate	 */
f4b3ec61Sdh155122	authalgs = ipss->ipsec_alglists[IPSEC_ALG_AUTH];
7c478bd9Sstevel@tonic-gate	for (num_aalgs = 0, i = 0; i < IPSEC_MAX_ALGS; i++)
7c478bd9Sstevel@tonic-gate		if (authalgs[i] != NULL && ALG_VALID(authalgs[i]))
7c478bd9Sstevel@tonic-gate			num_aalgs++;
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	if (num_aalgs != 0) {
7c478bd9Sstevel@tonic-gate		allocsize += (num_aalgs * sizeof (*saalg));
7c478bd9Sstevel@tonic-gate		allocsize += sizeof (*sasupp_auth);
7c478bd9Sstevel@tonic-gate	}
f4b3ec61Sdh155122	encralgs = ipss->ipsec_alglists[IPSEC_ALG_ENCR];
7c478bd9Sstevel@tonic-gate	for (num_ealgs = 0, i = 0; i < IPSEC_MAX_ALGS; i++)
7c478bd9Sstevel@tonic-gate		if (encralgs[i] != NULL && ALG_VALID(encralgs[i]))
7c478bd9Sstevel@tonic-gate			num_ealgs++;
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	if (num_ealgs != 0) {
7c478bd9Sstevel@tonic-gate		allocsize += (num_ealgs * sizeof (*saalg));
7c478bd9Sstevel@tonic-gate		allocsize += sizeof (*sasupp_encr);
7c478bd9Sstevel@tonic-gate	}
7c478bd9Sstevel@tonic-gate	keysock_out_mp->b_cont = allocb(allocsize, BPRI_HI);
7c478bd9Sstevel@tonic-gate	if (keysock_out_mp->b_cont == NULL) {
69e71331SBayard Bell		rw_exit(&ipss->ipsec_alg_lock);
7c478bd9Sstevel@tonic-gate		freemsg(keysock_out_mp);
7c478bd9Sstevel@tonic-gate		return (B_FALSE);
7c478bd9Sstevel@tonic-gate	}
7c478bd9Sstevel@tonic-gate	pfkey_msg_mp = keysock_out_mp->b_cont;
7c478bd9Sstevel@tonic-gate	pfkey_msg_mp->b_wptr += allocsize;
5d3b8cb7SBill Sommerfeld
5d3b8cb7SBill Sommerfeld	nextext = (sadb_ext_t *)(pfkey_msg_mp->b_rptr + sizeof (*samsg));
5d3b8cb7SBill Sommerfeld
7c478bd9Sstevel@tonic-gate	if (num_aalgs != 0) {
5d3b8cb7SBill Sommerfeld		sasupp_auth = (sadb_supported_t *)nextext;
7c478bd9Sstevel@tonic-gate		saalg = (sadb_alg_t *)(sasupp_auth + 1);
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate		ASSERT(((ulong_t)saalg & 0x7) == 0);
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate		numalgs_snap = 0;
7c478bd9Sstevel@tonic-gate		for (i = 0;
f4b3ec61Sdh155122		    ((i < IPSEC_MAX_ALGS) && (numalgs_snap < num_aalgs));
f4b3ec61Sdh155122		    i++) {
7c478bd9Sstevel@tonic-gate			if (authalgs[i] == NULL || !ALG_VALID(authalgs[i]))
7c478bd9Sstevel@tonic-gate				continue;
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate			saalg->sadb_alg_id = authalgs[i]->alg_id;
7c478bd9Sstevel@tonic-gate			saalg->sadb_alg_ivlen = 0;
7c478bd9Sstevel@tonic-gate			saalg->sadb_alg_minbits	= authalgs[i]->alg_ef_minbits;
7c478bd9Sstevel@tonic-gate			saalg->sadb_alg_maxbits	= authalgs[i]->alg_ef_maxbits;
7c478bd9Sstevel@tonic-gate			saalg->sadb_x_alg_increment =
7c478bd9Sstevel@tonic-gate			    authalgs[i]->alg_increment;
628b0c67SMark Fenwick			saalg->sadb_x_alg_saltbits = SADB_8TO1(
628b0c67SMark Fenwick			    authalgs[i]->alg_saltlen);
7c478bd9Sstevel@tonic-gate			numalgs_snap++;
7c478bd9Sstevel@tonic-gate			saalg++;
7c478bd9Sstevel@tonic-gate		}
7c478bd9Sstevel@tonic-gate		ASSERT(numalgs_snap == num_aalgs);
7c478bd9Sstevel@tonic-gate#ifdef DEBUG
7c478bd9Sstevel@tonic-gate		/*
7c478bd9Sstevel@tonic-gate		 * Reality check to make sure I snagged all of the
7c478bd9Sstevel@tonic-gate		 * algorithms.
7c478bd9Sstevel@tonic-gate		 */
7c478bd9Sstevel@tonic-gate		for (; i < IPSEC_MAX_ALGS; i++) {
7c478bd9Sstevel@tonic-gate			if (authalgs[i] != NULL && ALG_VALID(authalgs[i])) {
7c478bd9Sstevel@tonic-gate				cmn_err(CE_PANIC, "esp_register_out()! "
7c478bd9Sstevel@tonic-gate				    "Missed aalg #%d.\n", i);
7c478bd9Sstevel@tonic-gate			}
7c478bd9Sstevel@tonic-gate		}
7c478bd9Sstevel@tonic-gate#endif /* DEBUG */
5d3b8cb7SBill Sommerfeld		nextext = (sadb_ext_t *)saalg;
7c478bd9Sstevel@tonic-gate	}
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	if (num_ealgs != 0) {
5d3b8cb7SBill Sommerfeld		sasupp_encr = (sadb_supported_t *)nextext;
7c478bd9Sstevel@tonic-gate		saalg = (sadb_alg_t *)(sasupp_encr + 1);
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate		numalgs_snap = 0;
7c478bd9Sstevel@tonic-gate		for (i = 0;
7c478bd9Sstevel@tonic-gate		    ((i < IPSEC_MAX_ALGS) && (numalgs_snap < num_ealgs)); i++) {
7c478bd9Sstevel@tonic-gate			if (encralgs[i] == NULL || !ALG_VALID(encralgs[i]))
7c478bd9Sstevel@tonic-gate				continue;
7c478bd9Sstevel@tonic-gate			saalg->sadb_alg_id = encralgs[i]->alg_id;
628b0c67SMark Fenwick			saalg->sadb_alg_ivlen = encralgs[i]->alg_ivlen;
7c478bd9Sstevel@tonic-gate			saalg->sadb_alg_minbits	= encralgs[i]->alg_ef_minbits;
7c478bd9Sstevel@tonic-gate			saalg->sadb_alg_maxbits	= encralgs[i]->alg_ef_maxbits;
628b0c67SMark Fenwick			/*
628b0c67SMark Fenwick			 * We could advertise the ICV length, except there
628b0c67SMark Fenwick			 * is not a value in sadb_x_algb to do this.
628b0c67SMark Fenwick			 * saalg->sadb_alg_maclen = encralgs[i]->alg_maclen;
628b0c67SMark Fenwick			 */
7c478bd9Sstevel@tonic-gate			saalg->sadb_x_alg_increment =
7c478bd9Sstevel@tonic-gate			    encralgs[i]->alg_increment;
628b0c67SMark Fenwick			saalg->sadb_x_alg_saltbits =
628b0c67SMark Fenwick			    SADB_8TO1(encralgs[i]->alg_saltlen);
628b0c67SMark Fenwick
7c478bd9Sstevel@tonic-gate			numalgs_snap++;
7c478bd9Sstevel@tonic-gate			saalg++;
7c478bd9Sstevel@tonic-gate		}
7c478bd9Sstevel@tonic-gate		ASSERT(numalgs_snap == num_ealgs);
7c478bd9Sstevel@tonic-gate#ifdef DEBUG
7c478bd9Sstevel@tonic-gate		/*
7c478bd9Sstevel@tonic-gate		 * Reality check to make sure I snagged all of the
7c478bd9Sstevel@tonic-gate		 * algorithms.
7c478bd9Sstevel@tonic-gate		 */
7c478bd9Sstevel@tonic-gate		for (; i < IPSEC_MAX_ALGS; i++) {
7c478bd9Sstevel@tonic-gate			if (encralgs[i] != NULL && ALG_VALID(encralgs[i])) {
7c478bd9Sstevel@tonic-gate				cmn_err(CE_PANIC, "esp_register_out()! "
7c478bd9Sstevel@tonic-gate				    "Missed ealg #%d.\n", i);
7c478bd9Sstevel@tonic-gate			}
7c478bd9Sstevel@tonic-gate		}
7c478bd9Sstevel@tonic-gate#endif /* DEBUG */
5d3b8cb7SBill Sommerfeld		nextext = (sadb_ext_t *)saalg;
7c478bd9Sstevel@tonic-gate	}
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	current_aalgs = num_aalgs;
7c478bd9Sstevel@tonic-gate	current_ealgs = num_ealgs;
7c478bd9Sstevel@tonic-gate
69e71331SBayard Bell	rw_exit(&ipss->ipsec_alg_lock);
7c478bd9Sstevel@tonic-gate
bd670b35SErik Nordmark	if (sens_tsl != NULL) {
5d3b8cb7SBill Sommerfeld		sens = (sadb_sens_t *)nextext;
bd670b35SErik Nordmark		sadb_sens_from_label(sens, SADB_EXT_SENSITIVITY,
bd670b35SErik Nordmark		    sens_tsl, sens_len);
5d3b8cb7SBill Sommerfeld
5d3b8cb7SBill Sommerfeld		nextext = (sadb_ext_t *)(((uint8_t *)sens) + sens_len);
5d3b8cb7SBill Sommerfeld	}
5d3b8cb7SBill Sommerfeld
7c478bd9Sstevel@tonic-gate	/* Now fill the rest of the SADB_REGISTER message. */
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	samsg = (sadb_msg_t *)pfkey_msg_mp->b_rptr;
7c478bd9Sstevel@tonic-gate	samsg->sadb_msg_version = PF_KEY_V2;
7c478bd9Sstevel@tonic-gate	samsg->sadb_msg_type = SADB_REGISTER;
7c478bd9Sstevel@tonic-gate	samsg->sadb_msg_errno = 0;
7c478bd9Sstevel@tonic-gate	samsg->sadb_msg_satype = SADB_SATYPE_ESP;
7c478bd9Sstevel@tonic-gate	samsg->sadb_msg_len = SADB_8TO64(allocsize);
7c478bd9Sstevel@tonic-gate	samsg->sadb_msg_reserved = 0;
7c478bd9Sstevel@tonic-gate	/*
7c478bd9Sstevel@tonic-gate	 * Assume caller has sufficient sequence/pid number info.  If it's one
7c478bd9Sstevel@tonic-gate	 * from me over a new alg., I could give two hoots about sequence.
7c478bd9Sstevel@tonic-gate	 */
7c478bd9Sstevel@tonic-gate	samsg->sadb_msg_seq = sequence;
7c478bd9Sstevel@tonic-gate	samsg->sadb_msg_pid = pid;
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	if (sasupp_auth != NULL) {
437220cdSdanmcd		sasupp_auth->sadb_supported_len = SADB_8TO64(
437220cdSdanmcd		    sizeof (*sasupp_auth) + sizeof (*saalg) * current_aalgs);
7c478bd9Sstevel@tonic-gate		sasupp_auth->sadb_supported_exttype = SADB_EXT_SUPPORTED_AUTH;
7c478bd9Sstevel@tonic-gate		sasupp_auth->sadb_supported_reserved = 0;
7c478bd9Sstevel@tonic-gate	}
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	if (sasupp_encr != NULL) {
437220cdSdanmcd		sasupp_encr->sadb_supported_len = SADB_8TO64(
437220cdSdanmcd		    sizeof (*sasupp_encr) + sizeof (*saalg) * current_ealgs);
7c478bd9Sstevel@tonic-gate		sasupp_encr->sadb_supported_exttype =
7c478bd9Sstevel@tonic-gate		    SADB_EXT_SUPPORTED_ENCRYPT;
7c478bd9Sstevel@tonic-gate		sasupp_encr->sadb_supported_reserved = 0;
7c478bd9Sstevel@tonic-gate	}
7c478bd9Sstevel@tonic-gate
f4b3ec61Sdh155122	if (espstack->esp_pfkey_q != NULL)
f4b3ec61Sdh155122		putnext(espstack->esp_pfkey_q, keysock_out_mp);
7c478bd9Sstevel@tonic-gate	else {
7c478bd9Sstevel@tonic-gate		freemsg(keysock_out_mp);
7c478bd9Sstevel@tonic-gate		return (B_FALSE);
7c478bd9Sstevel@tonic-gate	}
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	return (B_TRUE);
7c478bd9Sstevel@tonic-gate}
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate/*
7c478bd9Sstevel@tonic-gate * Invoked when the algorithm table changes. Causes SADB_REGISTER
7c478bd9Sstevel@tonic-gate * messages continaining the current list of algorithms to be
7c478bd9Sstevel@tonic-gate * sent up to the ESP listeners.
7c478bd9Sstevel@tonic-gate */
7c478bd9Sstevel@tonic-gatevoid
f4b3ec61Sdh155122ipsecesp_algs_changed(netstack_t *ns)
7c478bd9Sstevel@tonic-gate{
f4b3ec61Sdh155122	ipsecesp_stack_t	*espstack = ns->netstack_ipsecesp;
f4b3ec61Sdh155122
7c478bd9Sstevel@tonic-gate	/*
7c478bd9Sstevel@tonic-gate	 * Time to send a PF_KEY SADB_REGISTER message to ESP listeners
7c478bd9Sstevel@tonic-gate	 * everywhere.  (The function itself checks for NULL esp_pfkey_q.)
7c478bd9Sstevel@tonic-gate	 */
5d3b8cb7SBill Sommerfeld	(void) esp_register_out(0, 0, 0, espstack, NULL);
7c478bd9Sstevel@tonic-gate}
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate/*
73184bc7SDan McDonald * Stub function that taskq_dispatch() invokes to take the mblk (in arg)
bd670b35SErik Nordmark * and send() it into ESP and IP again.
7c478bd9Sstevel@tonic-gate */
7c478bd9Sstevel@tonic-gatestatic void
7c478bd9Sstevel@tonic-gateinbound_task(void *arg)
7c478bd9Sstevel@tonic-gate{
7c478bd9Sstevel@tonic-gate	mblk_t		*mp = (mblk_t *)arg;
bd670b35SErik Nordmark	mblk_t		*async_mp;
bd670b35SErik Nordmark	ip_recv_attr_t	iras;
7c478bd9Sstevel@tonic-gate
bd670b35SErik Nordmark	async_mp = mp;
bd670b35SErik Nordmark	mp = async_mp->b_cont;
bd670b35SErik Nordmark	async_mp->b_cont = NULL;
bd670b35SErik Nordmark	if (!ip_recv_attr_from_mblk(async_mp, &iras)) {
bd670b35SErik Nordmark		/* The ill or ip_stack_t disappeared on us */
bd670b35SErik Nordmark		ip_drop_input("ip_recv_attr_from_mblk", mp, NULL);
73184bc7SDan McDonald		freemsg(mp);
bd670b35SErik Nordmark		goto done;
73184bc7SDan McDonald	}
73184bc7SDan McDonald
bd670b35SErik Nordmark	esp_inbound_restart(mp, &iras);
bd670b35SErik Nordmarkdone:
bd670b35SErik Nordmark	ira_cleanup(&iras, B_TRUE);
bd670b35SErik Nordmark}
bd670b35SErik Nordmark
bd670b35SErik Nordmark/*
bd670b35SErik Nordmark * Restart ESP after the SA has been added.
bd670b35SErik Nordmark */
bd670b35SErik Nordmarkstatic void
bd670b35SErik Nordmarkesp_inbound_restart(mblk_t *mp, ip_recv_attr_t *ira)
bd670b35SErik Nordmark{
bd670b35SErik Nordmark	esph_t		*esph;
bd670b35SErik Nordmark	netstack_t	*ns = ira->ira_ill->ill_ipst->ips_netstack;
bd670b35SErik Nordmark	ipsecesp_stack_t *espstack = ns->netstack_ipsecesp;
73184bc7SDan McDonald
f4b3ec61Sdh155122	esp2dbg(espstack, ("in ESP inbound_task"));
f4b3ec61Sdh155122	ASSERT(espstack != NULL);
7c478bd9Sstevel@tonic-gate
bd670b35SErik Nordmark	mp = ipsec_inbound_esp_sa(mp, ira, &esph);
bd670b35SErik Nordmark	if (mp == NULL)
bd670b35SErik Nordmark		return;
bd670b35SErik Nordmark
bd670b35SErik Nordmark	ASSERT(esph != NULL);
bd670b35SErik Nordmark	ASSERT(ira->ira_flags & IRAF_IPSEC_SECURE);
bd670b35SErik Nordmark	ASSERT(ira->ira_ipsec_esp_sa != NULL);
bd670b35SErik Nordmark
bd670b35SErik Nordmark	mp = ira->ira_ipsec_esp_sa->ipsa_input_func(mp, esph, ira);
bd670b35SErik Nordmark	if (mp == NULL) {
bd670b35SErik Nordmark		/*
bd670b35SErik Nordmark		 * Either it failed or is pending. In the former case
bd670b35SErik Nordmark		 * ipIfStatsInDiscards was increased.
bd670b35SErik Nordmark		 */
bd670b35SErik Nordmark		return;
7c478bd9Sstevel@tonic-gate	}
bd670b35SErik Nordmark
bd670b35SErik Nordmark	ip_input_post_ipsec(mp, ira);
73184bc7SDan McDonald}
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate/*
7c478bd9Sstevel@tonic-gate * Now that weak-key passed, actually ADD the security association, and
7c478bd9Sstevel@tonic-gate * send back a reply ADD message.
7c478bd9Sstevel@tonic-gate */
7c478bd9Sstevel@tonic-gatestatic int
8810c16bSdanmcdesp_add_sa_finish(mblk_t *mp, sadb_msg_t *samsg, keysock_in_t *ksi,
f4b3ec61Sdh155122    int *diagnostic, ipsecesp_stack_t *espstack)
7c478bd9Sstevel@tonic-gate{
5d3b8cb7SBill Sommerfeld	isaf_t *primary = NULL, *secondary;
5d3b8cb7SBill Sommerfeld	boolean_t clone = B_FALSE, is_inbound = B_FALSE;
7c478bd9Sstevel@tonic-gate	ipsa_t *larval = NULL;
7c478bd9Sstevel@tonic-gate	ipsacq_t *acqrec;
7c478bd9Sstevel@tonic-gate	iacqf_t *acq_bucket;
7c478bd9Sstevel@tonic-gate	mblk_t *acq_msgs = NULL;
7c478bd9Sstevel@tonic-gate	int rc;
7c478bd9Sstevel@tonic-gate	mblk_t *lpkt;
5d3b8cb7SBill Sommerfeld	int error;
5d3b8cb7SBill Sommerfeld	ipsa_query_t sq;
f4b3ec61Sdh155122	ipsec_stack_t	*ipss = espstack->ipsecesp_netstack->netstack_ipsec;
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	/*
7c478bd9Sstevel@tonic-gate	 * Locate the appropriate table(s).
7c478bd9Sstevel@tonic-gate	 */
5d3b8cb7SBill Sommerfeld	sq.spp = &espstack->esp_sadb;	/* XXX */
5d3b8cb7SBill Sommerfeld	error = sadb_form_query(ksi, IPSA_Q_SA|IPSA_Q_DST,
5d3b8cb7SBill Sommerfeld	    IPSA_Q_SA|IPSA_Q_DST|IPSA_Q_INBOUND|IPSA_Q_OUTBOUND,
5d3b8cb7SBill Sommerfeld	    &sq, diagnostic);
5d3b8cb7SBill Sommerfeld	if (error)
5d3b8cb7SBill Sommerfeld		return (error);
07b56925Ssommerfe
38d95a78Smarkfen	/*
38d95a78Smarkfen	 * Use the direction flags provided by the KMD to determine
38d95a78Smarkfen	 * if the inbound or outbound table should be the primary
38d95a78Smarkfen	 * for this SA. If these flags were absent then make this
38d95a78Smarkfen	 * decision based on the addresses.
38d95a78Smarkfen	 */
5d3b8cb7SBill Sommerfeld	if (sq.assoc->sadb_sa_flags & IPSA_F_INBOUND) {
5d3b8cb7SBill Sommerfeld		primary = sq.inbound;
5d3b8cb7SBill Sommerfeld		secondary = sq.outbound;
38d95a78Smarkfen		is_inbound = B_TRUE;
5d3b8cb7SBill Sommerfeld		if (sq.assoc->sadb_sa_flags & IPSA_F_OUTBOUND)
38d95a78Smarkfen			clone = B_TRUE;
5d3b8cb7SBill Sommerfeld	} else if (sq.assoc->sadb_sa_flags & IPSA_F_OUTBOUND) {
5d3b8cb7SBill Sommerfeld		primary = sq.outbound;
5d3b8cb7SBill Sommerfeld		secondary = sq.inbound;
38d95a78Smarkfen	}
38d95a78Smarkfen
38d95a78Smarkfen	if (primary == NULL) {
38d95a78Smarkfen		/*
38d95a78Smarkfen		 * The KMD did not set a direction flag, determine which
38d95a78Smarkfen		 * table to insert the SA into based on addresses.
38d95a78Smarkfen		 */
7c478bd9Sstevel@tonic-gate		switch (ksi->ks_in_dsttype) {
7c478bd9Sstevel@tonic-gate		case KS_IN_ADDR_MBCAST:
7c478bd9Sstevel@tonic-gate			clone = B_TRUE;	/* All mcast SAs can be bidirectional */
5d3b8cb7SBill Sommerfeld			sq.assoc->sadb_sa_flags |= IPSA_F_OUTBOUND;
7c478bd9Sstevel@tonic-gate			/* FALLTHRU */
7c478bd9Sstevel@tonic-gate		/*
7c478bd9Sstevel@tonic-gate		 * If the source address is either one of mine, or unspecified
7c478bd9Sstevel@tonic-gate		 * (which is best summed up by saying "not 'not mine'"),
7c478bd9Sstevel@tonic-gate		 * then the association is potentially bi-directional,
7c478bd9Sstevel@tonic-gate		 * in that it can be used for inbound traffic and outbound
7c478bd9Sstevel@tonic-gate		 * traffic.  The best example of such an SA is a multicast
7c478bd9Sstevel@tonic-gate		 * SA (which allows me to receive the outbound traffic).
7c478bd9Sstevel@tonic-gate		 */
38d95a78Smarkfen		case KS_IN_ADDR_ME:
5d3b8cb7SBill Sommerfeld			sq.assoc->sadb_sa_flags |= IPSA_F_INBOUND;
5d3b8cb7SBill Sommerfeld			primary = sq.inbound;
5d3b8cb7SBill Sommerfeld			secondary = sq.outbound;
7c478bd9Sstevel@tonic-gate			if (ksi->ks_in_srctype != KS_IN_ADDR_NOTME)
7c478bd9Sstevel@tonic-gate				clone = B_TRUE;
7c478bd9Sstevel@tonic-gate			is_inbound = B_TRUE;
7c478bd9Sstevel@tonic-gate			break;
7c478bd9Sstevel@tonic-gate		/*
7c478bd9Sstevel@tonic-gate		 * If the source address literally not mine (either
7c478bd9Sstevel@tonic-gate		 * unspecified or not mine), then this SA may have an
7c478bd9Sstevel@tonic-gate		 * address that WILL be mine after some configuration.
7c478bd9Sstevel@tonic-gate		 * We pay the price for this by making it a bi-directional
7c478bd9Sstevel@tonic-gate		 * SA.
7c478bd9Sstevel@tonic-gate		 */
38d95a78Smarkfen		case KS_IN_ADDR_NOTME:
5d3b8cb7SBill Sommerfeld			sq.assoc->sadb_sa_flags |= IPSA_F_OUTBOUND;
5d3b8cb7SBill Sommerfeld			primary = sq.outbound;
5d3b8cb7SBill Sommerfeld			secondary = sq.inbound;
38d95a78Smarkfen			if (ksi->ks_in_srctype != KS_IN_ADDR_ME) {
5d3b8cb7SBill Sommerfeld				sq.assoc->sadb_sa_flags |= IPSA_F_INBOUND;
7c478bd9Sstevel@tonic-gate				clone = B_TRUE;
38d95a78Smarkfen			}
7c478bd9Sstevel@tonic-gate			break;
7c478bd9Sstevel@tonic-gate		default:
8810c16bSdanmcd			*diagnostic = SADB_X_DIAGNOSTIC_BAD_DST;
7c478bd9Sstevel@tonic-gate			return (EINVAL);
7c478bd9Sstevel@tonic-gate		}
38d95a78Smarkfen	}
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	/*
7c478bd9Sstevel@tonic-gate	 * Find a ACQUIRE list entry if possible.  If we've added an SA that
7c478bd9Sstevel@tonic-gate	 * suits the needs of an ACQUIRE list entry, we can eliminate the
7c478bd9Sstevel@tonic-gate	 * ACQUIRE list entry and transmit the enqueued packets.  Use the
7c478bd9Sstevel@tonic-gate	 * high-bit of the sequence number to queue it.  Key off destination
7c478bd9Sstevel@tonic-gate	 * addr, and change acqrec's state.
7c478bd9Sstevel@tonic-gate	 */
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	if (samsg->sadb_msg_seq & IACQF_LOWEST_SEQ) {
5d3b8cb7SBill Sommerfeld		acq_bucket = &(sq.sp->sdb_acq[sq.outhash]);
7c478bd9Sstevel@tonic-gate		mutex_enter(&acq_bucket->iacqf_lock);
7c478bd9Sstevel@tonic-gate		for (acqrec = acq_bucket->iacqf_ipsacq; acqrec != NULL;
7c478bd9Sstevel@tonic-gate		    acqrec = acqrec->ipsacq_next) {
7c478bd9Sstevel@tonic-gate			mutex_enter(&acqrec->ipsacq_lock);
7c478bd9Sstevel@tonic-gate			/*
7c478bd9Sstevel@tonic-gate			 * Q:  I only check sequence.  Should I check dst?
7c478bd9Sstevel@tonic-gate			 * A: Yes, check dest because those are the packets
7c478bd9Sstevel@tonic-gate			 *    that are queued up.
7c478bd9Sstevel@tonic-gate			 */
7c478bd9Sstevel@tonic-gate			if (acqrec->ipsacq_seq == samsg->sadb_msg_seq &&
5d3b8cb7SBill Sommerfeld			    IPSA_ARE_ADDR_EQUAL(sq.dstaddr,
7c478bd9Sstevel@tonic-gate			    acqrec->ipsacq_dstaddr, acqrec->ipsacq_addrfam))
7c478bd9Sstevel@tonic-gate				break;
7c478bd9Sstevel@tonic-gate			mutex_exit(&acqrec->ipsacq_lock);
7c478bd9Sstevel@tonic-gate		}
7c478bd9Sstevel@tonic-gate		if (acqrec != NULL) {
7c478bd9Sstevel@tonic-gate			/*
7c478bd9Sstevel@tonic-gate			 * AHA!  I found an ACQUIRE record for this SA.
7c478bd9Sstevel@tonic-gate			 * Grab the msg list, and free the acquire record.
7c478bd9Sstevel@tonic-gate			 * I already am holding the lock for this record,
7c478bd9Sstevel@tonic-gate			 * so all I have to do is free it.
7c478bd9Sstevel@tonic-gate			 */
7c478bd9Sstevel@tonic-gate			acq_msgs = acqrec->ipsacq_mp;
7c478bd9Sstevel@tonic-gate			acqrec->ipsacq_mp = NULL;
7c478bd9Sstevel@tonic-gate			mutex_exit(&acqrec->ipsacq_lock);
f4b3ec61Sdh155122			sadb_destroy_acquire(acqrec,
f4b3ec61Sdh155122			    espstack->ipsecesp_netstack);
7c478bd9Sstevel@tonic-gate		}
7c478bd9Sstevel@tonic-gate		mutex_exit(&acq_bucket->iacqf_lock);
7c478bd9Sstevel@tonic-gate	}
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	/*
7c478bd9Sstevel@tonic-gate	 * Find PF_KEY message, and see if I'm an update.  If so, find entry
7c478bd9Sstevel@tonic-gate	 * in larval list (if there).
7c478bd9Sstevel@tonic-gate	 */
7c478bd9Sstevel@tonic-gate	if (samsg->sadb_msg_type == SADB_UPDATE) {
5d3b8cb7SBill Sommerfeld		mutex_enter(&sq.inbound->isaf_lock);
5d3b8cb7SBill Sommerfeld		larval = ipsec_getassocbyspi(sq.inbound, sq.assoc->sadb_sa_spi,
5d3b8cb7SBill Sommerfeld		    ALL_ZEROES_PTR, sq.dstaddr, sq.dst->sin_family);
5d3b8cb7SBill Sommerfeld		mutex_exit(&sq.inbound->isaf_lock);
7c478bd9Sstevel@tonic-gate
72bd9b6bSdanmcd		if ((larval == NULL) ||
72bd9b6bSdanmcd		    (larval->ipsa_state != IPSA_STATE_LARVAL)) {
38d95a78Smarkfen			*diagnostic = SADB_X_DIAGNOSTIC_SA_NOTFOUND;
72bd9b6bSdanmcd			if (larval != NULL) {
72bd9b6bSdanmcd				IPSA_REFRELE(larval);
72bd9b6bSdanmcd			}
7c478bd9Sstevel@tonic-gate			esp0dbg(("Larval update, but larval disappeared.\n"));
7c478bd9Sstevel@tonic-gate			return (ESRCH);
7c478bd9Sstevel@tonic-gate		} /* Else sadb_common_add unlinks it for me! */
7c478bd9Sstevel@tonic-gate	}
7c478bd9Sstevel@tonic-gate
930af642SDan McDonald	if (larval != NULL) {
930af642SDan McDonald		/*
930af642SDan McDonald		 * Hold again, because sadb_common_add() consumes a reference,
930af642SDan McDonald		 * and we don't want to clear_lpkt() without a reference.
930af642SDan McDonald		 */
930af642SDan McDonald		IPSA_REFHOLD(larval);
930af642SDan McDonald	}
7c478bd9Sstevel@tonic-gate
bd670b35SErik Nordmark	rc = sadb_common_add(espstack->esp_pfkey_q,
f4b3ec61Sdh155122	    mp, samsg, ksi, primary, secondary, larval, clone, is_inbound,
38d95a78Smarkfen	    diagnostic, espstack->ipsecesp_netstack, &espstack->esp_sadb);
7c478bd9Sstevel@tonic-gate
930af642SDan McDonald	if (larval != NULL) {
bd670b35SErik Nordmark		if (rc == 0) {
930af642SDan McDonald			lpkt = sadb_clear_lpkt(larval);
930af642SDan McDonald			if (lpkt != NULL) {
fc8ae2ecSToomas Soome				rc = taskq_dispatch(esp_taskq, inbound_task,
fc8ae2ecSToomas Soome				    lpkt, TQ_NOSLEEP) == TASKQID_INVALID;
bd670b35SErik Nordmark			}
7c478bd9Sstevel@tonic-gate		}
930af642SDan McDonald		IPSA_REFRELE(larval);
bd670b35SErik Nordmark	}
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	/*
7c478bd9Sstevel@tonic-gate	 * How much more stack will I create with all of these
7c478bd9Sstevel@tonic-gate	 * esp_outbound() calls?
7c478bd9Sstevel@tonic-gate	 */
7c478bd9Sstevel@tonic-gate
bd670b35SErik Nordmark	/* Handle the packets queued waiting for the SA */
7c478bd9Sstevel@tonic-gate	while (acq_msgs != NULL) {
bd670b35SErik Nordmark		mblk_t		*asyncmp;
bd670b35SErik Nordmark		mblk_t		*data_mp;
bd670b35SErik Nordmark		ip_xmit_attr_t	ixas;
bd670b35SErik Nordmark		ill_t		*ill;
7c478bd9Sstevel@tonic-gate
bd670b35SErik Nordmark		asyncmp = acq_msgs;
7c478bd9Sstevel@tonic-gate		acq_msgs = acq_msgs->b_next;
bd670b35SErik Nordmark		asyncmp->b_next = NULL;
7c478bd9Sstevel@tonic-gate
bd670b35SErik Nordmark		/*
bd670b35SErik Nordmark		 * Extract the ip_xmit_attr_t from the first mblk.
bd670b35SErik Nordmark		 * Verifies that the netstack and ill is still around; could
bd670b35SErik Nordmark		 * have vanished while iked was doing its work.
bd670b35SErik Nordmark		 * On succesful return we have a nce_t and the ill/ipst can't
bd670b35SErik Nordmark		 * disappear until we do the nce_refrele in ixa_cleanup.
bd670b35SErik Nordmark		 */
bd670b35SErik Nordmark		data_mp = asyncmp->b_cont;
bd670b35SErik Nordmark		asyncmp->b_cont = NULL;
bd670b35SErik Nordmark		if (!ip_xmit_attr_from_mblk(asyncmp, &ixas)) {
f4b3ec61Sdh155122			ESP_BUMP_STAT(espstack, out_discards);
bd670b35SErik Nordmark			ip_drop_packet(data_mp, B_FALSE, NULL,
f4b3ec61Sdh155122			    DROPPER(ipss, ipds_sadb_acquire_timeout),
f4b3ec61Sdh155122			    &espstack->esp_dropper);
bd670b35SErik Nordmark		} else if (rc != 0) {
bd670b35SErik Nordmark			ill = ixas.ixa_nce->nce_ill;
bd670b35SErik Nordmark			ESP_BUMP_STAT(espstack, out_discards);
bd670b35SErik Nordmark			ip_drop_packet(data_mp, B_FALSE, ill,
bd670b35SErik Nordmark			    DROPPER(ipss, ipds_sadb_acquire_timeout),
bd670b35SErik Nordmark			    &espstack->esp_dropper);
bd670b35SErik Nordmark			BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutDiscards);
bd670b35SErik Nordmark		} else {
bd670b35SErik Nordmark			esp_outbound_finish(data_mp, &ixas);
bd670b35SErik Nordmark		}
bd670b35SErik Nordmark		ixa_cleanup(&ixas);
7c478bd9Sstevel@tonic-gate	}
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	return (rc);
7c478bd9Sstevel@tonic-gate}
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate/*
bd670b35SErik Nordmark * Process one of the queued messages (from ipsacq_mp) once the SA
bd670b35SErik Nordmark * has been added.
bd670b35SErik Nordmark */
bd670b35SErik Nordmarkstatic void
bd670b35SErik Nordmarkesp_outbound_finish(mblk_t *data_mp, ip_xmit_attr_t *ixa)
bd670b35SErik Nordmark{
bd670b35SErik Nordmark	netstack_t	*ns = ixa->ixa_ipst->ips_netstack;
bd670b35SErik Nordmark	ipsecesp_stack_t *espstack = ns->netstack_ipsecesp;
bd670b35SErik Nordmark	ipsec_stack_t	*ipss = ns->netstack_ipsec;
bd670b35SErik Nordmark	ill_t		*ill = ixa->ixa_nce->nce_ill;
bd670b35SErik Nordmark
bd670b35SErik Nordmark	if (!ipsec_outbound_sa(data_mp, ixa, IPPROTO_ESP)) {
bd670b35SErik Nordmark		ESP_BUMP_STAT(espstack, out_discards);
bd670b35SErik Nordmark		ip_drop_packet(data_mp, B_FALSE, ill,
bd670b35SErik Nordmark		    DROPPER(ipss, ipds_sadb_acquire_timeout),
bd670b35SErik Nordmark		    &espstack->esp_dropper);
bd670b35SErik Nordmark		BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutDiscards);
bd670b35SErik Nordmark		return;
bd670b35SErik Nordmark	}
bd670b35SErik Nordmark
bd670b35SErik Nordmark	data_mp = esp_outbound(data_mp, ixa);
bd670b35SErik Nordmark	if (data_mp == NULL)
bd670b35SErik Nordmark		return;
bd670b35SErik Nordmark
bd670b35SErik Nordmark	/* do AH processing if needed */
bd670b35SErik Nordmark	data_mp = esp_do_outbound_ah(data_mp, ixa);
bd670b35SErik Nordmark	if (data_mp == NULL)
bd670b35SErik Nordmark		return;
bd670b35SErik Nordmark
bd670b35SErik Nordmark	(void) ip_output_post_ipsec(data_mp, ixa);
bd670b35SErik Nordmark}
bd670b35SErik Nordmark
bd670b35SErik Nordmark/*
7c478bd9Sstevel@tonic-gate * Add new ESP security association.  This may become a generic AH/ESP
7c478bd9Sstevel@tonic-gate * routine eventually.
7c478bd9Sstevel@tonic-gate */
7c478bd9Sstevel@tonic-gatestatic int
f4b3ec61Sdh155122esp_add_sa(mblk_t *mp, keysock_in_t *ksi, int *diagnostic, netstack_t *ns)
7c478bd9Sstevel@tonic-gate{
7c478bd9Sstevel@tonic-gate	sadb_sa_t *assoc = (sadb_sa_t *)ksi->ks_in_extv[SADB_EXT_SA];
7c478bd9Sstevel@tonic-gate	sadb_address_t *srcext =
7c478bd9Sstevel@tonic-gate	    (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_SRC];
7c478bd9Sstevel@tonic-gate	sadb_address_t *dstext =
7c478bd9Sstevel@tonic-gate	    (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_DST];
8810c16bSdanmcd	sadb_address_t *isrcext =
8810c16bSdanmcd	    (sadb_address_t *)ksi->ks_in_extv[SADB_X_EXT_ADDRESS_INNER_SRC];
8810c16bSdanmcd	sadb_address_t *idstext =
8810c16bSdanmcd	    (sadb_address_t *)ksi->ks_in_extv[SADB_X_EXT_ADDRESS_INNER_DST];
7c478bd9Sstevel@tonic-gate	sadb_address_t *nttext_loc =
7c478bd9Sstevel@tonic-gate	    (sadb_address_t *)ksi->ks_in_extv[SADB_X_EXT_ADDRESS_NATT_LOC];
7c478bd9Sstevel@tonic-gate	sadb_address_t *nttext_rem =
7c478bd9Sstevel@tonic-gate	    (sadb_address_t *)ksi->ks_in_extv[SADB_X_EXT_ADDRESS_NATT_REM];
7c478bd9Sstevel@tonic-gate	sadb_key_t *akey = (sadb_key_t *)ksi->ks_in_extv[SADB_EXT_KEY_AUTH];
7c478bd9Sstevel@tonic-gate	sadb_key_t *ekey = (sadb_key_t *)ksi->ks_in_extv[SADB_EXT_KEY_ENCRYPT];
7c478bd9Sstevel@tonic-gate	struct sockaddr_in *src, *dst;
7c478bd9Sstevel@tonic-gate	struct sockaddr_in *natt_loc, *natt_rem;
7c478bd9Sstevel@tonic-gate	struct sockaddr_in6 *natt_loc6, *natt_rem6;
7c478bd9Sstevel@tonic-gate	sadb_lifetime_t *soft =
7c478bd9Sstevel@tonic-gate	    (sadb_lifetime_t *)ksi->ks_in_extv[SADB_EXT_LIFETIME_SOFT];
7c478bd9Sstevel@tonic-gate	sadb_lifetime_t *hard =
7c478bd9Sstevel@tonic-gate	    (sadb_lifetime_t *)ksi->ks_in_extv[SADB_EXT_LIFETIME_HARD];
9c2c14abSThejaswini Singarajipura	sadb_lifetime_t *idle =
9c2c14abSThejaswini Singarajipura	    (sadb_lifetime_t *)ksi->ks_in_extv[SADB_X_EXT_LIFETIME_IDLE];
f4b3ec61Sdh155122	ipsecesp_stack_t *espstack = ns->netstack_ipsecesp;
f4b3ec61Sdh155122	ipsec_stack_t	*ipss = ns->netstack_ipsec;
7c478bd9Sstevel@tonic-gate
5d3b8cb7SBill Sommerfeld
5d3b8cb7SBill Sommerfeld
7c478bd9Sstevel@tonic-gate	/* I need certain extensions present for an ADD message. */
7c478bd9Sstevel@tonic-gate	if (srcext == NULL) {
7c478bd9Sstevel@tonic-gate		*diagnostic = SADB_X_DIAGNOSTIC_MISSING_SRC;
7c478bd9Sstevel@tonic-gate		return (EINVAL);
7c478bd9Sstevel@tonic-gate	}
7c478bd9Sstevel@tonic-gate	if (dstext == NULL) {
7c478bd9Sstevel@tonic-gate		*diagnostic = SADB_X_DIAGNOSTIC_MISSING_DST;
7c478bd9Sstevel@tonic-gate		return (EINVAL);
7c478bd9Sstevel@tonic-gate	}
8810c16bSdanmcd	if (isrcext == NULL && idstext != NULL) {
8810c16bSdanmcd		*diagnostic = SADB_X_DIAGNOSTIC_MISSING_INNER_SRC;
8810c16bSdanmcd		return (EINVAL);
8810c16bSdanmcd	}
8810c16bSdanmcd	if (isrcext != NULL && idstext == NULL) {
8810c16bSdanmcd		*diagnostic = SADB_X_DIAGNOSTIC_MISSING_INNER_DST;
8810c16bSdanmcd		return (EINVAL);
8810c16bSdanmcd	}
7c478bd9Sstevel@tonic-gate	if (assoc == NULL) {
7c478bd9Sstevel@tonic-gate		*diagnostic = SADB_X_DIAGNOSTIC_MISSING_SA;
7c478bd9Sstevel@tonic-gate		return (EINVAL);
7c478bd9Sstevel@tonic-gate	}
7c478bd9Sstevel@tonic-gate	if (ekey == NULL && assoc->sadb_sa_encrypt != SADB_EALG_NULL) {
7c478bd9Sstevel@tonic-gate		*diagnostic = SADB_X_DIAGNOSTIC_MISSING_EKEY;
7c478bd9Sstevel@tonic-gate		return (EINVAL);
7c478bd9Sstevel@tonic-gate	}
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	src = (struct sockaddr_in *)(srcext + 1);
7c478bd9Sstevel@tonic-gate	dst = (struct sockaddr_in *)(dstext + 1);
7c478bd9Sstevel@tonic-gate	natt_loc = (struct sockaddr_in *)(nttext_loc + 1);
7c478bd9Sstevel@tonic-gate	natt_loc6 = (struct sockaddr_in6 *)(nttext_loc + 1);
7c478bd9Sstevel@tonic-gate	natt_rem = (struct sockaddr_in *)(nttext_rem + 1);
7c478bd9Sstevel@tonic-gate	natt_rem6 = (struct sockaddr_in6 *)(nttext_rem + 1);
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	/* Sundry ADD-specific reality checks. */
7c478bd9Sstevel@tonic-gate	/* XXX STATS :  Logging/stats here? */
9c2c14abSThejaswini Singarajipura
9c2c14abSThejaswini Singarajipura	if ((assoc->sadb_sa_state != SADB_SASTATE_MATURE) &&
9c2c14abSThejaswini Singarajipura	    (assoc->sadb_sa_state != SADB_X_SASTATE_ACTIVE_ELSEWHERE)) {
7c478bd9Sstevel@tonic-gate		*diagnostic = SADB_X_DIAGNOSTIC_BAD_SASTATE;
7c478bd9Sstevel@tonic-gate		return (EINVAL);
7c478bd9Sstevel@tonic-gate	}
7c478bd9Sstevel@tonic-gate	if (assoc->sadb_sa_encrypt == SADB_EALG_NONE) {
7c478bd9Sstevel@tonic-gate		*diagnostic = SADB_X_DIAGNOSTIC_BAD_EALG;
7c478bd9Sstevel@tonic-gate		return (EINVAL);
7c478bd9Sstevel@tonic-gate	}
7c478bd9Sstevel@tonic-gate
bd670b35SErik Nordmark#ifndef IPSEC_LATENCY_TEST
7c478bd9Sstevel@tonic-gate	if (assoc->sadb_sa_encrypt == SADB_EALG_NULL &&
7c478bd9Sstevel@tonic-gate	    assoc->sadb_sa_auth == SADB_AALG_NONE) {
7c478bd9Sstevel@tonic-gate		*diagnostic = SADB_X_DIAGNOSTIC_BAD_AALG;
7c478bd9Sstevel@tonic-gate		return (EINVAL);
7c478bd9Sstevel@tonic-gate	}
bd670b35SErik Nordmark#endif
7c478bd9Sstevel@tonic-gate
72bd9b6bSdanmcd	if (assoc->sadb_sa_flags & ~espstack->esp_sadb.s_addflags) {
7c478bd9Sstevel@tonic-gate		*diagnostic = SADB_X_DIAGNOSTIC_BAD_SAFLAGS;
7c478bd9Sstevel@tonic-gate		return (EINVAL);
7c478bd9Sstevel@tonic-gate	}
7c478bd9Sstevel@tonic-gate
9c2c14abSThejaswini Singarajipura	if ((*diagnostic = sadb_hardsoftchk(hard, soft, idle)) != 0) {
7c478bd9Sstevel@tonic-gate		return (EINVAL);
7c478bd9Sstevel@tonic-gate	}
8810c16bSdanmcd	ASSERT(src->sin_family == dst->sin_family);
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	if (assoc->sadb_sa_flags & SADB_X_SAFLAGS_NATT_LOC) {
7c478bd9Sstevel@tonic-gate		if (nttext_loc == NULL) {
7c478bd9Sstevel@tonic-gate			*diagnostic = SADB_X_DIAGNOSTIC_MISSING_NATT_LOC;
7c478bd9Sstevel@tonic-gate			return (EINVAL);
7c478bd9Sstevel@tonic-gate		}
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate		if (natt_loc->sin_family == AF_INET6 &&
7c478bd9Sstevel@tonic-gate		    !IN6_IS_ADDR_V4MAPPED(&natt_loc6->sin6_addr)) {
7c478bd9Sstevel@tonic-gate			*diagnostic = SADB_X_DIAGNOSTIC_MALFORMED_NATT_LOC;
7c478bd9Sstevel@tonic-gate			return (EINVAL);
7c478bd9Sstevel@tonic-gate		}
7c478bd9Sstevel@tonic-gate	}
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	if (assoc->sadb_sa_flags & SADB_X_SAFLAGS_NATT_REM) {
7c478bd9Sstevel@tonic-gate		if (nttext_rem == NULL) {
7c478bd9Sstevel@tonic-gate			*diagnostic = SADB_X_DIAGNOSTIC_MISSING_NATT_REM;
7c478bd9Sstevel@tonic-gate			return (EINVAL);
7c478bd9Sstevel@tonic-gate		}
7c478bd9Sstevel@tonic-gate		if (natt_rem->sin_family == AF_INET6 &&
7c478bd9Sstevel@tonic-gate		    !IN6_IS_ADDR_V4MAPPED(&natt_rem6->sin6_addr)) {
7c478bd9Sstevel@tonic-gate			*diagnostic = SADB_X_DIAGNOSTIC_MALFORMED_NATT_REM;
7c478bd9Sstevel@tonic-gate			return (EINVAL);
7c478bd9Sstevel@tonic-gate		}
7c478bd9Sstevel@tonic-gate	}
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	/* Stuff I don't support, for now.  XXX Diagnostic? */
5d3b8cb7SBill Sommerfeld	if (ksi->ks_in_extv[SADB_EXT_LIFETIME_CURRENT] != NULL)
7c478bd9Sstevel@tonic-gate		return (EOPNOTSUPP);
7c478bd9Sstevel@tonic-gate
5d3b8cb7SBill Sommerfeld	if ((*diagnostic = sadb_labelchk(ksi)) != 0)
5d3b8cb7SBill Sommerfeld		return (EINVAL);
5d3b8cb7SBill Sommerfeld
7c478bd9Sstevel@tonic-gate	/*
5d3b8cb7SBill Sommerfeld	 * XXX Policy :  I'm not checking identities at this time,
5d3b8cb7SBill Sommerfeld	 * but if I did, I'd do them here, before I sent
7c478bd9Sstevel@tonic-gate	 * the weak key check up to the algorithm.
7c478bd9Sstevel@tonic-gate	 */
7c478bd9Sstevel@tonic-gate
69e71331SBayard Bell	rw_enter(&ipss->ipsec_alg_lock, RW_READER);
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	/*
7c478bd9Sstevel@tonic-gate	 * First locate the authentication algorithm.
7c478bd9Sstevel@tonic-gate	 */
bd670b35SErik Nordmark#ifdef IPSEC_LATENCY_TEST
bd670b35SErik Nordmark	if (akey != NULL && assoc->sadb_sa_auth != SADB_AALG_NONE) {
bd670b35SErik Nordmark#else
7c478bd9Sstevel@tonic-gate	if (akey != NULL) {
bd670b35SErik Nordmark#endif
7c478bd9Sstevel@tonic-gate		ipsec_alginfo_t *aalg;
7c478bd9Sstevel@tonic-gate
f4b3ec61Sdh155122		aalg = ipss->ipsec_alglists[IPSEC_ALG_AUTH]
f4b3ec61Sdh155122		    [assoc->sadb_sa_auth];
7c478bd9Sstevel@tonic-gate		if (aalg == NULL || !ALG_VALID(aalg)) {
69e71331SBayard Bell			rw_exit(&ipss->ipsec_alg_lock);
f4b3ec61Sdh155122			esp1dbg(espstack, ("Couldn't find auth alg #%d.\n",
7c478bd9Sstevel@tonic-gate			    assoc->sadb_sa_auth));
7c478bd9Sstevel@tonic-gate			*diagnostic = SADB_X_DIAGNOSTIC_BAD_AALG;
7c478bd9Sstevel@tonic-gate			return (EINVAL);
7c478bd9Sstevel@tonic-gate		}
7c478bd9Sstevel@tonic-gate
46c444baSmarkfen		/*
46c444baSmarkfen		 * Sanity check key sizes.
46c444baSmarkfen		 * Note: It's not possible to use SADB_AALG_NONE because
46c444baSmarkfen		 * this auth_alg is not defined with ALG_FLAG_VALID. If this
46c444baSmarkfen		 * ever changes, the same check for SADB_AALG_NONE and
46c444baSmarkfen		 * a auth_key != NULL should be made here ( see below).
46c444baSmarkfen		 */
7c478bd9Sstevel@tonic-gate		if (!ipsec_valid_key_size(akey->sadb_key_bits, aalg)) {
69e71331SBayard Bell			rw_exit(&ipss->ipsec_alg_lock);
7c478bd9Sstevel@tonic-gate			*diagnostic = SADB_X_DIAGNOSTIC_BAD_AKEYBITS;
7c478bd9Sstevel@tonic-gate			return (EINVAL);
7c478bd9Sstevel@tonic-gate		}
46c444baSmarkfen		ASSERT(aalg->alg_mech_type != CRYPTO_MECHANISM_INVALID);
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate		/* check key and fix parity if needed */
7c478bd9Sstevel@tonic-gate		if (ipsec_check_key(aalg->alg_mech_type, akey, B_TRUE,
7c478bd9Sstevel@tonic-gate		    diagnostic) != 0) {
69e71331SBayard Bell			rw_exit(&ipss->ipsec_alg_lock);
7c478bd9Sstevel@tonic-gate			return (EINVAL);
7c478bd9Sstevel@tonic-gate		}
7c478bd9Sstevel@tonic-gate	}
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	/*
7c478bd9Sstevel@tonic-gate	 * Then locate the encryption algorithm.
7c478bd9Sstevel@tonic-gate	 */
7c478bd9Sstevel@tonic-gate	if (ekey != NULL) {
628b0c67SMark Fenwick		uint_t keybits;
7c478bd9Sstevel@tonic-gate		ipsec_alginfo_t *ealg;
7c478bd9Sstevel@tonic-gate
f4b3ec61Sdh155122		ealg = ipss->ipsec_alglists[IPSEC_ALG_ENCR]
f4b3ec61Sdh155122		    [assoc->sadb_sa_encrypt];
7c478bd9Sstevel@tonic-gate		if (ealg == NULL || !ALG_VALID(ealg)) {
69e71331SBayard Bell			rw_exit(&ipss->ipsec_alg_lock);
f4b3ec61Sdh155122			esp1dbg(espstack, ("Couldn't find encr alg #%d.\n",
7c478bd9Sstevel@tonic-gate			    assoc->sadb_sa_encrypt));
7c478bd9Sstevel@tonic-gate			*diagnostic = SADB_X_DIAGNOSTIC_BAD_EALG;
7c478bd9Sstevel@tonic-gate			return (EINVAL);
7c478bd9Sstevel@tonic-gate		}
7c478bd9Sstevel@tonic-gate
46c444baSmarkfen		/*
46c444baSmarkfen		 * Sanity check key sizes. If the encryption algorithm is
46c444baSmarkfen		 * SADB_EALG_NULL but the encryption key is NOT
46c444baSmarkfen		 * NULL then complain.
628b0c67SMark Fenwick		 *
628b0c67SMark Fenwick		 * The keying material includes salt bits if required by
628b0c67SMark Fenwick		 * algorithm and optionally the Initial IV, check the
628b0c67SMark Fenwick		 * length of whats left.
46c444baSmarkfen		 */
628b0c67SMark Fenwick		keybits = ekey->sadb_key_bits;
628b0c67SMark Fenwick		keybits -= ekey->sadb_key_reserved;
628b0c67SMark Fenwick		keybits -= SADB_8TO1(ealg->alg_saltlen);
46c444baSmarkfen		if ((assoc->sadb_sa_encrypt == SADB_EALG_NULL) ||
628b0c67SMark Fenwick		    (!ipsec_valid_key_size(keybits, ealg))) {
69e71331SBayard Bell			rw_exit(&ipss->ipsec_alg_lock);
7c478bd9Sstevel@tonic-gate			*diagnostic = SADB_X_DIAGNOSTIC_BAD_EKEYBITS;
7c478bd9Sstevel@tonic-gate			return (EINVAL);
7c478bd9Sstevel@tonic-gate		}
46c444baSmarkfen		ASSERT(ealg->alg_mech_type != CRYPTO_MECHANISM_INVALID);
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate		/* check key */
7c478bd9Sstevel@tonic-gate		if (ipsec_check_key(ealg->alg_mech_type, ekey, B_FALSE,
7c478bd9Sstevel@tonic-gate		    diagnostic) != 0) {
69e71331SBayard Bell			rw_exit(&ipss->ipsec_alg_lock);
7c478bd9Sstevel@tonic-gate			return (EINVAL);
7c478bd9Sstevel@tonic-gate		}
7c478bd9Sstevel@tonic-gate	}
69e71331SBayard Bell	rw_exit(&ipss->ipsec_alg_lock);
7c478bd9Sstevel@tonic-gate
8810c16bSdanmcd	return (esp_add_sa_finish(mp, (sadb_msg_t *)mp->b_cont->b_rptr, ksi,
f4b3ec61Sdh155122	    diagnostic, espstack));
7c478bd9Sstevel@tonic-gate}
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate/*
7c478bd9Sstevel@tonic-gate * Update a security association.  Updates come in two varieties.  The first
7c478bd9Sstevel@tonic-gate * is an update of lifetimes on a non-larval SA.  The second is an update of
7c478bd9Sstevel@tonic-gate * a larval SA, which ends up looking a lot more like an add.
7c478bd9Sstevel@tonic-gate */
7c478bd9Sstevel@tonic-gatestatic int
f4b3ec61Sdh155122esp_update_sa(mblk_t *mp, keysock_in_t *ksi, int *diagnostic,
38d95a78Smarkfen    ipsecesp_stack_t *espstack, uint8_t sadb_msg_type)
7c478bd9Sstevel@tonic-gate{
9c2c14abSThejaswini Singarajipura	sadb_sa_t *assoc = (sadb_sa_t *)ksi->ks_in_extv[SADB_EXT_SA];
9c2c14abSThejaswini Singarajipura	mblk_t    *buf_pkt;
9c2c14abSThejaswini Singarajipura	int rcode;
9c2c14abSThejaswini Singarajipura
7c478bd9Sstevel@tonic-gate	sadb_address_t *dstext =
7c478bd9Sstevel@tonic-gate	    (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_DST];
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	if (dstext == NULL) {
7c478bd9Sstevel@tonic-gate		*diagnostic = SADB_X_DIAGNOSTIC_MISSING_DST;
7c478bd9Sstevel@tonic-gate		return (EINVAL);
7c478bd9Sstevel@tonic-gate	}
7c478bd9Sstevel@tonic-gate
9c2c14abSThejaswini Singarajipura	rcode = sadb_update_sa(mp, ksi, &buf_pkt, &espstack->esp_sadb,
9c2c14abSThejaswini Singarajipura	    diagnostic, espstack->esp_pfkey_q, esp_add_sa,
9c2c14abSThejaswini Singarajipura	    espstack->ipsecesp_netstack, sadb_msg_type);
9c2c14abSThejaswini Singarajipura
9c2c14abSThejaswini Singarajipura	if ((assoc->sadb_sa_state != SADB_X_SASTATE_ACTIVE) ||
9c2c14abSThejaswini Singarajipura	    (rcode != 0)) {
9c2c14abSThejaswini Singarajipura		return (rcode);
9c2c14abSThejaswini Singarajipura	}
9c2c14abSThejaswini Singarajipura
73184bc7SDan McDonald	HANDLE_BUF_PKT(esp_taskq, espstack->ipsecesp_netstack->netstack_ipsec,
9c2c14abSThejaswini Singarajipura	    espstack->esp_dropper, buf_pkt);
9c2c14abSThejaswini Singarajipura
9c2c14abSThejaswini Singarajipura	return (rcode);
7c478bd9Sstevel@tonic-gate}
7c478bd9Sstevel@tonic-gate
5d3b8cb7SBill Sommerfeld/* XXX refactor me */
7c478bd9Sstevel@tonic-gate/*
7c478bd9Sstevel@tonic-gate * Delete a security association.  This is REALLY likely to be code common to
7c478bd9Sstevel@tonic-gate * both AH and ESP.  Find the association, then unlink it.
7c478bd9Sstevel@tonic-gate */
7c478bd9Sstevel@tonic-gatestatic int
f4b3ec61Sdh155122esp_del_sa(mblk_t *mp, keysock_in_t *ksi, int *diagnostic,
38d95a78Smarkfen    ipsecesp_stack_t *espstack, uint8_t sadb_msg_type)
7c478bd9Sstevel@tonic-gate{
7c478bd9Sstevel@tonic-gate	sadb_sa_t *assoc = (sadb_sa_t *)ksi->ks_in_extv[SADB_EXT_SA];
7c478bd9Sstevel@tonic-gate	sadb_address_t *dstext =
7c478bd9Sstevel@tonic-gate	    (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_DST];
7c478bd9Sstevel@tonic-gate	sadb_address_t *srcext =
7c478bd9Sstevel@tonic-gate	    (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_SRC];
7c478bd9Sstevel@tonic-gate	struct sockaddr_in *sin;
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	if (assoc == NULL) {
7c478bd9Sstevel@tonic-gate		if (dstext != NULL) {
7c478bd9Sstevel@tonic-gate			sin = (struct sockaddr_in *)(dstext + 1);
7c478bd9Sstevel@tonic-gate		} else if (srcext != NULL) {
7c478bd9Sstevel@tonic-gate			sin = (struct sockaddr_in *)(srcext + 1);
7c478bd9Sstevel@tonic-gate		} else {
7c478bd9Sstevel@tonic-gate			*diagnostic = SADB_X_DIAGNOSTIC_MISSING_SA;
7c478bd9Sstevel@tonic-gate			return (EINVAL);
7c478bd9Sstevel@tonic-gate		}
8810c16bSdanmcd		return (sadb_purge_sa(mp, ksi,
f4b3ec61Sdh155122		    (sin->sin_family == AF_INET6) ? &espstack->esp_sadb.s_v6 :
5d3b8cb7SBill Sommerfeld		    &espstack->esp_sadb.s_v4, diagnostic,
bd670b35SErik Nordmark		    espstack->esp_pfkey_q));
7c478bd9Sstevel@tonic-gate	}
7c478bd9Sstevel@tonic-gate
38d95a78Smarkfen	return (sadb_delget_sa(mp, ksi, &espstack->esp_sadb, diagnostic,
38d95a78Smarkfen	    espstack->esp_pfkey_q, sadb_msg_type));
7c478bd9Sstevel@tonic-gate}
7c478bd9Sstevel@tonic-gate
5d3b8cb7SBill Sommerfeld/* XXX refactor me */
7c478bd9Sstevel@tonic-gate/*
7c478bd9Sstevel@tonic-gate * Convert the entire contents of all of ESP's SA tables into PF_KEY SADB_DUMP
7c478bd9Sstevel@tonic-gate * messages.
7c478bd9Sstevel@tonic-gate */
7c478bd9Sstevel@tonic-gatestatic void
f4b3ec61Sdh155122esp_dump(mblk_t *mp, keysock_in_t *ksi, ipsecesp_stack_t *espstack)
7c478bd9Sstevel@tonic-gate{
7c478bd9Sstevel@tonic-gate	int error;
7c478bd9Sstevel@tonic-gate	sadb_msg_t *samsg;
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	/*
7c478bd9Sstevel@tonic-gate	 * Dump each fanout, bailing if error is non-zero.
7c478bd9Sstevel@tonic-gate	 */
7c478bd9Sstevel@tonic-gate
9c2c14abSThejaswini Singarajipura	error = sadb_dump(espstack->esp_pfkey_q, mp, ksi,
f4b3ec61Sdh155122	    &espstack->esp_sadb.s_v4);
7c478bd9Sstevel@tonic-gate	if (error != 0)
7c478bd9Sstevel@tonic-gate		goto bail;
7c478bd9Sstevel@tonic-gate
9c2c14abSThejaswini Singarajipura	error = sadb_dump(espstack->esp_pfkey_q, mp, ksi,
f4b3ec61Sdh155122	    &espstack->esp_sadb.s_v6);
7c478bd9Sstevel@tonic-gatebail:
7c478bd9Sstevel@tonic-gate	ASSERT(mp->b_cont != NULL);
7c478bd9Sstevel@tonic-gate	samsg = (sadb_msg_t *)mp->b_cont->b_rptr;
7c478bd9Sstevel@tonic-gate	samsg->sadb_msg_errno = (uint8_t)error;
f4b3ec61Sdh155122	sadb_pfkey_echo(espstack->esp_pfkey_q, mp,
f4b3ec61Sdh155122	    (sadb_msg_t *)mp->b_cont->b_rptr, ksi, NULL);
7c478bd9Sstevel@tonic-gate}
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate/*
8810c16bSdanmcd * First-cut reality check for an inbound PF_KEY message.
8810c16bSdanmcd */
8810c16bSdanmcdstatic boolean_t
f4b3ec61Sdh155122esp_pfkey_reality_failures(mblk_t *mp, keysock_in_t *ksi,
f4b3ec61Sdh155122    ipsecesp_stack_t *espstack)
8810c16bSdanmcd{
8810c16bSdanmcd	int diagnostic;
8810c16bSdanmcd
8810c16bSdanmcd	if (ksi->ks_in_extv[SADB_EXT_PROPOSAL] != NULL) {
8810c16bSdanmcd		diagnostic = SADB_X_DIAGNOSTIC_PROP_PRESENT;
8810c16bSdanmcd		goto badmsg;
8810c16bSdanmcd	}
8810c16bSdanmcd	if (ksi->ks_in_extv[SADB_EXT_SUPPORTED_AUTH] != NULL ||
8810c16bSdanmcd	    ksi->ks_in_extv[SADB_EXT_SUPPORTED_ENCRYPT] != NULL) {
8810c16bSdanmcd		diagnostic = SADB_X_DIAGNOSTIC_SUPP_PRESENT;
8810c16bSdanmcd		goto badmsg;
8810c16bSdanmcd	}
8810c16bSdanmcd	return (B_FALSE);	/* False ==> no failures */
8810c16bSdanmcd
8810c16bSdanmcdbadmsg:
f4b3ec61Sdh155122	sadb_pfkey_error(espstack->esp_pfkey_q, mp, EINVAL, diagnostic,
8810c16bSdanmcd	    ksi->ks_in_serial);
8810c16bSdanmcd	return (B_TRUE);	/* True ==> failures */
8810c16bSdanmcd}
8810c16bSdanmcd
8810c16bSdanmcd/*
7c478bd9Sstevel@tonic-gate * ESP parsing of PF_KEY messages.  Keysock did most of the really silly
7c478bd9Sstevel@tonic-gate * error cases.  What I receive is a fully-formed, syntactically legal
7c478bd9Sstevel@tonic-gate * PF_KEY message.  I then need to check semantics...
7c478bd9Sstevel@tonic-gate *
7c478bd9Sstevel@tonic-gate * This code may become common to AH and ESP.  Stay tuned.
7c478bd9Sstevel@tonic-gate *
7c478bd9Sstevel@tonic-gate * I also make the assumption that db_ref's are cool.  If this assumption
7c478bd9Sstevel@tonic-gate * is wrong, this means that someone other than keysock or me has been
7c478bd9Sstevel@tonic-gate * mucking with PF_KEY messages.
7c478bd9Sstevel@tonic-gate */
7c478bd9Sstevel@tonic-gatestatic void
f4b3ec61Sdh155122esp_parse_pfkey(mblk_t *mp, ipsecesp_stack_t *espstack)
7c478bd9Sstevel@tonic-gate{
7c478bd9Sstevel@tonic-gate	mblk_t *msg = mp->b_cont;
7c478bd9Sstevel@tonic-gate	sadb_msg_t *samsg;
7c478bd9Sstevel@tonic-gate	keysock_in_t *ksi;
7c478bd9Sstevel@tonic-gate	int error;
7c478bd9Sstevel@tonic-gate	int diagnostic = SADB_X_DIAGNOSTIC_NONE;
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	ASSERT(msg != NULL);
f4b3ec61Sdh155122
7c478bd9Sstevel@tonic-gate	samsg = (sadb_msg_t *)msg->b_rptr;
7c478bd9Sstevel@tonic-gate	ksi = (keysock_in_t *)mp->b_rptr;
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	/*
7c478bd9Sstevel@tonic-gate	 * If applicable, convert unspecified AF_INET6 to unspecified
8810c16bSdanmcd	 * AF_INET.  And do other address reality checks.
7c478bd9Sstevel@tonic-gate	 */
f4b3ec61Sdh155122	if (!sadb_addrfix(ksi, espstack->esp_pfkey_q, mp,
f4b3ec61Sdh155122	    espstack->ipsecesp_netstack) ||
f4b3ec61Sdh155122	    esp_pfkey_reality_failures(mp, ksi, espstack)) {
8810c16bSdanmcd		return;
8810c16bSdanmcd	}
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	switch (samsg->sadb_msg_type) {
7c478bd9Sstevel@tonic-gate	case SADB_ADD:
f4b3ec61Sdh155122		error = esp_add_sa(mp, ksi, &diagnostic,
f4b3ec61Sdh155122		    espstack->ipsecesp_netstack);
7c478bd9Sstevel@tonic-gate		if (error != 0) {
f4b3ec61Sdh155122			sadb_pfkey_error(espstack->esp_pfkey_q, mp, error,
f4b3ec61Sdh155122			    diagnostic, ksi->ks_in_serial);
7c478bd9Sstevel@tonic-gate		}
7c478bd9Sstevel@tonic-gate		/* else esp_add_sa() took care of things. */
7c478bd9Sstevel@tonic-gate		break;
7c478bd9Sstevel@tonic-gate	case SADB_DELETE:
38d95a78Smarkfen	case SADB_X_DELPAIR:
9c2c14abSThejaswini Singarajipura	case SADB_X_DELPAIR_STATE:
38d95a78Smarkfen		error = esp_del_sa(mp, ksi, &diagnostic, espstack,
38d95a78Smarkfen		    samsg->sadb_msg_type);
7c478bd9Sstevel@tonic-gate		if (error != 0) {
f4b3ec61Sdh155122			sadb_pfkey_error(espstack->esp_pfkey_q, mp, error,
f4b3ec61Sdh155122			    diagnostic, ksi->ks_in_serial);
7c478bd9Sstevel@tonic-gate		}
7c478bd9Sstevel@tonic-gate		/* Else esp_del_sa() took care of things. */
7c478bd9Sstevel@tonic-gate		break;
7c478bd9Sstevel@tonic-gate	case SADB_GET:
38d95a78Smarkfen		error = sadb_delget_sa(mp, ksi, &espstack->esp_sadb,
38d95a78Smarkfen		    &diagnostic, espstack->esp_pfkey_q, samsg->sadb_msg_type);
7c478bd9Sstevel@tonic-gate		if (error != 0) {
f4b3ec61Sdh155122			sadb_pfkey_error(espstack->esp_pfkey_q, mp, error,
f4b3ec61Sdh155122			    diagnostic, ksi->ks_in_serial);
7c478bd9Sstevel@tonic-gate		}
7c478bd9Sstevel@tonic-gate		/* Else sadb_get_sa() took care of things. */
7c478bd9Sstevel@tonic-gate		break;
7c478bd9Sstevel@tonic-gate	case SADB_FLUSH:
f4b3ec61Sdh155122		sadbp_flush(&espstack->esp_sadb, espstack->ipsecesp_netstack);
f4b3ec61Sdh155122		sadb_pfkey_echo(espstack->esp_pfkey_q, mp, samsg, ksi, NULL);
7c478bd9Sstevel@tonic-gate		break;
7c478bd9Sstevel@tonic-gate	case SADB_REGISTER:
7c478bd9Sstevel@tonic-gate		/*
7c478bd9Sstevel@tonic-gate		 * Hmmm, let's do it!  Check for extensions (there should
7c478bd9Sstevel@tonic-gate		 * be none), extract the fields, call esp_register_out(),
7c478bd9Sstevel@tonic-gate		 * then either free or report an error.
7c478bd9Sstevel@tonic-gate		 *
7c478bd9Sstevel@tonic-gate		 * Keysock takes care of the PF_KEY bookkeeping for this.
7c478bd9Sstevel@tonic-gate		 */
7c478bd9Sstevel@tonic-gate		if (esp_register_out(samsg->sadb_msg_seq, samsg->sadb_msg_pid,
bd670b35SErik Nordmark		    ksi->ks_in_serial, espstack, msg_getcred(mp, NULL))) {
7c478bd9Sstevel@tonic-gate			freemsg(mp);
7c478bd9Sstevel@tonic-gate		} else {
7c478bd9Sstevel@tonic-gate			/*
7c478bd9Sstevel@tonic-gate			 * Only way this path hits is if there is a memory
7c478bd9Sstevel@tonic-gate			 * failure.  It will not return B_FALSE because of
7c478bd9Sstevel@tonic-gate			 * lack of esp_pfkey_q if I am in wput().
7c478bd9Sstevel@tonic-gate			 */
f4b3ec61Sdh155122			sadb_pfkey_error(espstack->esp_pfkey_q, mp, ENOMEM,
f4b3ec61Sdh155122			    diagnostic, ksi->ks_in_serial);
7c478bd9Sstevel@tonic-gate		}
7c478bd9Sstevel@tonic-gate		break;
7c478bd9Sstevel@tonic-gate	case SADB_UPDATE:
38d95a78Smarkfen	case SADB_X_UPDATEPAIR:
7c478bd9Sstevel@tonic-gate		/*
7c478bd9Sstevel@tonic-gate		 * Find a larval, if not there, find a full one and get
7c478bd9Sstevel@tonic-gate		 * strict.
7c478bd9Sstevel@tonic-gate		 */
38d95a78Smarkfen		error = esp_update_sa(mp, ksi, &diagnostic, espstack,
38d95a78Smarkfen		    samsg->sadb_msg_type);
7c478bd9Sstevel@tonic-gate		if (error != 0) {
f4b3ec61Sdh155122			sadb_pfkey_error(espstack->esp_pfkey_q, mp, error,
f4b3ec61Sdh155122			    diagnostic, ksi->ks_in_serial);
7c478bd9Sstevel@tonic-gate		}
7c478bd9Sstevel@tonic-gate		/* else esp_update_sa() took care of things. */
7c478bd9Sstevel@tonic-gate		break;
7c478bd9Sstevel@tonic-gate	case SADB_GETSPI:
7c478bd9Sstevel@tonic-gate		/*
7c478bd9Sstevel@tonic-gate		 * Reserve a new larval entry.
7c478bd9Sstevel@tonic-gate		 */
f4b3ec61Sdh155122		esp_getspi(mp, ksi, espstack);
7c478bd9Sstevel@tonic-gate		break;
7c478bd9Sstevel@tonic-gate	case SADB_ACQUIRE:
7c478bd9Sstevel@tonic-gate		/*
7c478bd9Sstevel@tonic-gate		 * Find larval and/or ACQUIRE record and kill it (them), I'm
7c478bd9Sstevel@tonic-gate		 * most likely an error.  Inbound ACQUIRE messages should only
7c478bd9Sstevel@tonic-gate		 * have the base header.
7c478bd9Sstevel@tonic-gate		 */
f4b3ec61Sdh155122		sadb_in_acquire(samsg, &espstack->esp_sadb,
f4b3ec61Sdh155122		    espstack->esp_pfkey_q, espstack->ipsecesp_netstack);
7c478bd9Sstevel@tonic-gate		freemsg(mp);
7c478bd9Sstevel@tonic-gate		break;
7c478bd9Sstevel@tonic-gate	case SADB_DUMP:
7c478bd9Sstevel@tonic-gate		/*
7c478bd9Sstevel@tonic-gate		 * Dump all entries.
7c478bd9Sstevel@tonic-gate		 */
f4b3ec61Sdh155122		esp_dump(mp, ksi, espstack);
7c478bd9Sstevel@tonic-gate		/* esp_dump will take care of the return message, etc. */
7c478bd9Sstevel@tonic-gate		break;
7c478bd9Sstevel@tonic-gate	case SADB_EXPIRE:
7c478bd9Sstevel@tonic-gate		/* Should never reach me. */
f4b3ec61Sdh155122		sadb_pfkey_error(espstack->esp_pfkey_q, mp, EOPNOTSUPP,
f4b3ec61Sdh155122		    diagnostic, ksi->ks_in_serial);
7c478bd9Sstevel@tonic-gate		break;
7c478bd9Sstevel@tonic-gate	default:
f4b3ec61Sdh155122		sadb_pfkey_error(espstack->esp_pfkey_q, mp, EINVAL,
7c478bd9Sstevel@tonic-gate		    SADB_X_DIAGNOSTIC_UNKNOWN_MSG, ksi->ks_in_serial);
7c478bd9Sstevel@tonic-gate		break;
7c478bd9Sstevel@tonic-gate	}
7c478bd9Sstevel@tonic-gate}
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate/*
7c478bd9Sstevel@tonic-gate * Handle case where PF_KEY says it can't find a keysock for one of my
7c478bd9Sstevel@tonic-gate * ACQUIRE messages.
7c478bd9Sstevel@tonic-gate */
7c478bd9Sstevel@tonic-gatestatic void
f4b3ec61Sdh155122esp_keysock_no_socket(mblk_t *mp, ipsecesp_stack_t *espstack)
7c478bd9Sstevel@tonic-gate{
7c478bd9Sstevel@tonic-gate	sadb_msg_t *samsg;
7c478bd9Sstevel@tonic-gate	keysock_out_err_t *kse = (keysock_out_err_t *)mp->b_rptr;
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	if (mp->b_cont == NULL) {
7c478bd9Sstevel@tonic-gate		freemsg(mp);
7c478bd9Sstevel@tonic-gate		return;
7c478bd9Sstevel@tonic-gate	}
7c478bd9Sstevel@tonic-gate	samsg = (sadb_msg_t *)mp->b_cont->b_rptr;
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	/*
7c478bd9Sstevel@tonic-gate	 * If keysock can't find any registered, delete the acquire record
7c478bd9Sstevel@tonic-gate	 * immediately, and handle errors.
7c478bd9Sstevel@tonic-gate	 */
7c478bd9Sstevel@tonic-gate	if (samsg->sadb_msg_type == SADB_ACQUIRE) {
7c478bd9Sstevel@tonic-gate		samsg->sadb_msg_errno = kse->ks_err_errno;
7c478bd9Sstevel@tonic-gate		samsg->sadb_msg_len = SADB_8TO64(sizeof (*samsg));
7c478bd9Sstevel@tonic-gate		/*
bd670b35SErik Nordmark		 * Use the write-side of the esp_pfkey_q
7c478bd9Sstevel@tonic-gate		 */
f4b3ec61Sdh155122		sadb_in_acquire(samsg, &espstack->esp_sadb,
f4b3ec61Sdh155122		    WR(espstack->esp_pfkey_q), espstack->ipsecesp_netstack);
7c478bd9Sstevel@tonic-gate	}
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	freemsg(mp);
7c478bd9Sstevel@tonic-gate}
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate/*
9c451ec7SToomas Soome * ESP module read put routine.
9c451ec7SToomas Soome */
9c451ec7SToomas Soomestatic int
9c451ec7SToomas Soomeipsecesp_rput(queue_t *q, mblk_t *mp)
9c451ec7SToomas Soome{
9c451ec7SToomas Soome	putnext(q, mp);
9c451ec7SToomas Soome	return (0);
9c451ec7SToomas Soome}
9c451ec7SToomas Soome
9c451ec7SToomas Soome/*
7c478bd9Sstevel@tonic-gate * ESP module write put routine.
7c478bd9Sstevel@tonic-gate */
9c451ec7SToomas Soomestatic int
7c478bd9Sstevel@tonic-gateipsecesp_wput(queue_t *q, mblk_t *mp)
7c478bd9Sstevel@tonic-gate{
7c478bd9Sstevel@tonic-gate	ipsec_info_t *ii;
7c478bd9Sstevel@tonic-gate	struct iocblk *iocp;
f4b3ec61Sdh155122	ipsecesp_stack_t	*espstack = (ipsecesp_stack_t *)q->q_ptr;
7c478bd9Sstevel@tonic-gate
f4b3ec61Sdh155122	esp3dbg(espstack, ("In esp_wput().\n"));
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	/* NOTE: Each case must take care of freeing or passing mp. */
7c478bd9Sstevel@tonic-gate	switch (mp->b_datap->db_type) {
7c478bd9Sstevel@tonic-gate	case M_CTL:
7c478bd9Sstevel@tonic-gate		if ((mp->b_wptr - mp->b_rptr) < sizeof (ipsec_info_t)) {
7c478bd9Sstevel@tonic-gate			/* Not big enough message. */
7c478bd9Sstevel@tonic-gate			freemsg(mp);
7c478bd9Sstevel@tonic-gate			break;
7c478bd9Sstevel@tonic-gate		}
7c478bd9Sstevel@tonic-gate		ii = (ipsec_info_t *)mp->b_rptr;
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate		switch (ii->ipsec_info_type) {
7c478bd9Sstevel@tonic-gate		case KEYSOCK_OUT_ERR:
f4b3ec61Sdh155122			esp1dbg(espstack, ("Got KEYSOCK_OUT_ERR message.\n"));
f4b3ec61Sdh155122			esp_keysock_no_socket(mp, espstack);
7c478bd9Sstevel@tonic-gate			break;
7c478bd9Sstevel@tonic-gate		case KEYSOCK_IN:
f4b3ec61Sdh155122			ESP_BUMP_STAT(espstack, keysock_in);
f4b3ec61Sdh155122			esp3dbg(espstack, ("Got KEYSOCK_IN message.\n"));
7c478bd9Sstevel@tonic-gate
8810c16bSdanmcd			/* Parse the message. */
f4b3ec61Sdh155122			esp_parse_pfkey(mp, espstack);
7c478bd9Sstevel@tonic-gate			break;
7c478bd9Sstevel@tonic-gate		case KEYSOCK_HELLO:
f4b3ec61Sdh155122			sadb_keysock_hello(&espstack->esp_pfkey_q, q, mp,
f4b3ec61Sdh155122			    esp_ager, (void *)espstack, &espstack->esp_event,
f4b3ec61Sdh155122			    SADB_SATYPE_ESP);
7c478bd9Sstevel@tonic-gate			break;
7c478bd9Sstevel@tonic-gate		default:
f4b3ec61Sdh155122			esp2dbg(espstack, ("Got M_CTL from above of 0x%x.\n",
7c478bd9Sstevel@tonic-gate			    ii->ipsec_info_type));
7c478bd9Sstevel@tonic-gate			freemsg(mp);
7c478bd9Sstevel@tonic-gate			break;
7c478bd9Sstevel@tonic-gate		}
7c478bd9Sstevel@tonic-gate		break;
7c478bd9Sstevel@tonic-gate	case M_IOCTL:
7c478bd9Sstevel@tonic-gate		iocp = (struct iocblk *)mp->b_rptr;
7c478bd9Sstevel@tonic-gate		switch (iocp->ioc_cmd) {
7c478bd9Sstevel@tonic-gate		case ND_SET:
7c478bd9Sstevel@tonic-gate		case ND_GET:
f4b3ec61Sdh155122			if (nd_getset(q, espstack->ipsecesp_g_nd, mp)) {
7c478bd9Sstevel@tonic-gate				qreply(q, mp);
9c451ec7SToomas Soome				return (0);
7c478bd9Sstevel@tonic-gate			} else {
7c478bd9Sstevel@tonic-gate				iocp->ioc_error = ENOENT;
7c478bd9Sstevel@tonic-gate			}
7c478bd9Sstevel@tonic-gate			/* FALLTHRU */
7c478bd9Sstevel@tonic-gate		default:
7c478bd9Sstevel@tonic-gate			/* We really don't support any other ioctls, do we? */
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate			/* Return EINVAL */
7c478bd9Sstevel@tonic-gate			if (iocp->ioc_error != ENOENT)
7c478bd9Sstevel@tonic-gate				iocp->ioc_error = EINVAL;
7c478bd9Sstevel@tonic-gate			iocp->ioc_count = 0;
7c478bd9Sstevel@tonic-gate			mp->b_datap->db_type = M_IOCACK;
7c478bd9Sstevel@tonic-gate			qreply(q, mp);
9c451ec7SToomas Soome			return (0);
7c478bd9Sstevel@tonic-gate		}
7c478bd9Sstevel@tonic-gate	default:
f4b3ec61Sdh155122		esp3dbg(espstack,
f4b3ec61Sdh155122		    ("Got default message, type %d, passing to IP.\n",
7c478bd9Sstevel@tonic-gate		    mp->b_datap->db_type));
7c478bd9Sstevel@tonic-gate		putnext(q, mp);
7c478bd9Sstevel@tonic-gate	}
9c451ec7SToomas Soome	return (0);
7c478bd9Sstevel@tonic-gate}
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate/*
7c478bd9Sstevel@tonic-gate * Wrapper to allow IP to trigger an ESP association failure message
7c478bd9Sstevel@tonic-gate * during inbound SA selection.
7c478bd9Sstevel@tonic-gate */
7c478bd9Sstevel@tonic-gatevoid
7c478bd9Sstevel@tonic-gateipsecesp_in_assocfailure(mblk_t *mp, char level, ushort_t sl, char *fmt,
bd670b35SErik Nordmark    uint32_t spi, void *addr, int af, ip_recv_attr_t *ira)
7c478bd9Sstevel@tonic-gate{
bd670b35SErik Nordmark	netstack_t	*ns = ira->ira_ill->ill_ipst->ips_netstack;
bd670b35SErik Nordmark	ipsecesp_stack_t *espstack = ns->netstack_ipsecesp;
bd670b35SErik Nordmark	ipsec_stack_t	*ipss = ns->netstack_ipsec;
f4b3ec61Sdh155122
f4b3ec61Sdh155122	if (espstack->ipsecesp_log_unknown_spi) {
7c478bd9Sstevel@tonic-gate		ipsec_assocfailure(info.mi_idnum, 0, level, sl, fmt, spi,
f4b3ec61Sdh155122		    addr, af, espstack->ipsecesp_netstack);
7c478bd9Sstevel@tonic-gate	}
7c478bd9Sstevel@tonic-gate
bd670b35SErik Nordmark	ip_drop_packet(mp, B_TRUE, ira->ira_ill,
f4b3ec61Sdh155122	    DROPPER(ipss, ipds_esp_no_sa),
f4b3ec61Sdh155122	    &espstack->esp_dropper);
7c478bd9Sstevel@tonic-gate}
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate/*
7c478bd9Sstevel@tonic-gate * Initialize the ESP input and output processing functions.
7c478bd9Sstevel@tonic-gate */
7c478bd9Sstevel@tonic-gatevoid
7c478bd9Sstevel@tonic-gateipsecesp_init_funcs(ipsa_t *sa)
7c478bd9Sstevel@tonic-gate{
7c478bd9Sstevel@tonic-gate	if (sa->ipsa_output_func == NULL)
7c478bd9Sstevel@tonic-gate		sa->ipsa_output_func = esp_outbound;
7c478bd9Sstevel@tonic-gate	if (sa->ipsa_input_func == NULL)
7c478bd9Sstevel@tonic-gate		sa->ipsa_input_func = esp_inbound;
7c478bd9Sstevel@tonic-gate}