644  * Caller must REFRELE the passed-in assoc.  This function must REFRELE
648 esp_age_bytes(ipsa_t *assoc, uint64_t bytes, boolean_t inbound)
655 	netstack_t		*ns = assoc->ipsa_netstack;
659 	if (!assoc->ipsa_haspeer) {
660 		return (sadb_age_bytes(espstack->esp_pfkey_q, assoc, bytes,
665 	 * Otherwise, we want to grab both the original assoc and its peer.
676 	isv6 = (assoc->ipsa_addrfam == AF_INET6);
680 		inassoc = assoc;
702 		outassoc = assoc;
741 esp_fix_natt_checksums(mblk_t *data_mp, ipsa_t *assoc)
747 	uint32_t sum = assoc->ipsa_inbound_cksum;
1040  * Caller has to REFRELE "assoc" which is passed in.  This function has
1044 esp_set_usetime(ipsa_t *assoc, boolean_t inbound)
1051 	netstack_t		*ns = assoc->ipsa_netstack;
1055 	if (!assoc->ipsa_haspeer) {
1056 		sadb_set_usetime(assoc);
1061 	 * Otherwise, we want to grab both the original assoc and its peer.
1071 	isv6 = (assoc->ipsa_addrfam == AF_INET6);
1075 		inassoc = assoc;
1097 		outassoc = assoc;
1367 	sadb_sa_t *assoc;
1474 	assoc = (sadb_sa_t *)ksi->ks_in_extv[SADB_EXT_SPIRANGE];
1475 	assoc->sadb_sa_exttype = SADB_EXT_SA;
1476 	assoc->sadb_sa_spi = newbie->ipsa_spi;
1477 	*((uint64_t *)(&assoc->sadb_sa_replay)) = 0;
1561  * "ports" are ordered src,dst, and assoc is an inbound SA, where src should
1572 esp_port_freshness(uint32_t ports, ipsa_t *assoc)
1578 	ipsecesp_stack_t *espstack = assoc->ipsa_netstack->netstack_ipsecesp;
1583 	ASSERT(assoc->ipsa_addrfam == AF_INET);
1593 	if (remote == 0 || assoc->ipsa_otherspi == 0 ||
1594 	    (assoc->ipsa_flags & IPSA_F_BEHIND_NAT) ||
1595 	    (assoc->ipsa_remote_nat_port == 0 &&
1597 	    remote == assoc->ipsa_remote_nat_port)
1602 	    assoc->ipsa_srcaddr[0]);
1604 	outbound_peer = ipsec_getassocbyspi(bucket, assoc->ipsa_otherspi,
1605 	    assoc->ipsa_dstaddr, assoc->ipsa_srcaddr, AF_INET);
1621 	mutex_enter(&assoc->ipsa_lock);
1622 	outbound_peer->ipsa_remote_nat_port = assoc->ipsa_remote_nat_port =
1624 	mutex_exit(&assoc->ipsa_lock);
1642 	ipsa_t *assoc;
1653 	assoc = ira->ira_ipsec_esp_sa;
1654 	ASSERT(assoc != NULL);
1656 	is_natt = ((assoc->ipsa_flags & IPSA_F_NATT) != 0);
1659 	if (assoc->ipsa_encr_alg == SADB_EALG_NULL) {
1665 		ivlen = assoc->ipsa_iv_len;
1666 		if (assoc->ipsa_auth_alg == SADB_AALG_NONE) {
1669 			    sizeof (esph_t) - assoc->ipsa_iv_len;
1682 	if (assoc->ipsa_auth_alg != IPSA_AALG_NONE ||
1683 	    (assoc->ipsa_flags & IPSA_F_COMBINED)) {
1691 		data_mp->b_wptr -= assoc->ipsa_mac_len;
1700 		if (!sadb_replay_check(assoc, esph->esph_replay)) {
1711 			    assoc->ipsa_spi, assoc->ipsa_dstaddr,
1712 			    assoc->ipsa_addrfam, espstack->ipsecesp_netstack);
1721 			esp_port_freshness(ira->ira_esp_udp_ports, assoc);
1725 	esp_set_usetime(assoc, B_TRUE);
1727 	if (!esp_age_bytes(assoc, processed_len, B_TRUE)) {
1732 		    assoc->ipsa_spi, assoc->ipsa_dstaddr, assoc->ipsa_addrfam,
1747 		if (is_system_labeled() && assoc->ipsa_tsl != NULL) {
1748 			if (!ip_recv_attr_replace_label(ira, assoc->ipsa_tsl)) {
1758 			return (esp_fix_natt_checksums(data_mp, assoc));
1760 		if (assoc->ipsa_state == IPSA_STATE_IDLE) {
1765 			sadb_buf_pkt(assoc, data_mp, ira);
1788 	ipsa_t		*assoc = ira->ira_ipsec_esp_sa;
1801 	    assoc->ipsa_spi, assoc->ipsa_dstaddr, assoc->ipsa_addrfam,
2071     ipsa_t *assoc, uint_t esph_offset)
2078 	uint_t icv_len = assoc->ipsa_mac_len;
2082 	uint_t iv_len = assoc->ipsa_iv_len;
2090 	do_auth = assoc->ipsa_auth_alg != SADB_AALG_NONE;
2091 	do_encr = assoc->ipsa_encr_alg != SADB_EALG_NULL;
2092 	force = (assoc->ipsa_flags & IPSA_F_ASYNC);
2117 	if ((assoc->ipsa_flags & IPSA_F_COUNTERMODE) &&
2118 	    (assoc->ipsa_nonce == NULL)) {
2148 		IPSEC_CTX_TMPL(assoc, ipsa_authtmpl, IPSEC_ALG_AUTH,
2165 			kef_rc = crypto_mac_verify(&assoc->ipsa_amech,
2167 			    &assoc->ipsa_kcfauthkey, auth_ctx_tmpl,
2174 		IPSEC_CTX_TMPL(assoc, ipsa_encrtmpl, IPSEC_ALG_ENCR,
2178 		(assoc->ipsa_noncefunc)(assoc, (uchar_t *)esph_ptr, encr_len,
2190 			    &assoc->ipsa_kcfencrkey, encr_ctx_tmpl,
2206 		kef_rc = crypto_mac_verify_decrypt(&assoc->ipsa_amech,
2207 		    &assoc->ipsa_emech, &ic->ic_crypto_dual_data,
2208 		    &assoc->ipsa_kcfauthkey, &assoc->ipsa_kcfencrkey,
2334 ipsecesp_send_keepalive(ipsa_t *assoc)
2339 	netstack_t	*ns = assoc->ipsa_netstack;
2341 	ASSERT(MUTEX_NOT_HELD(&assoc->ipsa_lock));
2351 	ipha->ipha_ident = *(((uint16_t *)(&assoc->ipsa_spi)) + 1);
2356 	ipha->ipha_src = assoc->ipsa_srcaddr[0];
2357 	ipha->ipha_dst = assoc->ipsa_dstaddr[0];
2359 	udpha->uha_src_port = (assoc->ipsa_local_nat_port != 0) ?
2360 	    assoc->ipsa_local_nat_port : htons(IPPORT_IKE_NATT);
2361 	udpha->uha_dst_port = (assoc->ipsa_remote_nat_port != 0) ?
2362 	    assoc->ipsa_remote_nat_port : htons(IPPORT_IKE_NATT);
2392 esp_submit_req_outbound(mblk_t *data_mp, ip_xmit_attr_t *ixa, ipsa_t *assoc,
2401 	uint_t icv_len = assoc->ipsa_mac_len;
2404 	uint_t iv_len = assoc->ipsa_iv_len;
2406 	boolean_t is_natt = ((assoc->ipsa_flags & IPSA_F_NATT) != 0);
2419 	do_encr = assoc->ipsa_encr_alg != SADB_EALG_NULL;
2420 	do_auth = assoc->ipsa_auth_alg != SADB_AALG_NONE;
2421 	force = (assoc->ipsa_flags & IPSA_F_ASYNC);
2446 	if ((assoc->ipsa_flags & IPSA_F_COUNTERMODE) &&
2447 	    (assoc->ipsa_nonce == NULL)) {
2479 		IPSEC_CTX_TMPL(assoc, ipsa_authtmpl, IPSEC_ALG_AUTH,
2495 			kef_rc = crypto_mac(&assoc->ipsa_amech,
2497 			    &assoc->ipsa_kcfauthkey, auth_ctx_tmpl,
2504 		IPSEC_CTX_TMPL(assoc, ipsa_encrtmpl, IPSEC_ALG_ENCR,
2507 		(assoc->ipsa_noncefunc)(assoc, (uchar_t *)esph_ptr, payload_len,
2529 			if (assoc->ipsa_flags & IPSA_F_COMBINED) {
2541 			    &assoc->ipsa_kcfencrkey, encr_ctx_tmpl,
2564 		kef_rc = crypto_encrypt_mac(&assoc->ipsa_emech,
2565 		    &assoc->ipsa_amech, NULL,
2566 		    &assoc->ipsa_kcfencrkey, &assoc->ipsa_kcfauthkey,
2575 		esp_set_usetime(assoc, B_FALSE);
2617 	ipsa_t *assoc;
2651 	assoc = ixa->ixa_ipsec_esp_sa;
2652 	ASSERT(assoc != NULL);
2657 	if (is_system_labeled() && (assoc->ipsa_otsl != NULL)) {
2672 		label_hold(assoc->ipsa_otsl);
2673 		ip_xmit_attr_replace_tsl(ixa, assoc->ipsa_otsl);
2675 		data_mp = sadb_whack_label(data_mp, assoc, ixa,
2733 	mac_len = assoc->ipsa_mac_len;
2735 	if (assoc->ipsa_flags & IPSA_F_NATT) {
2746 	if (assoc->ipsa_encr_alg != SADB_EALG_NULL) {
2747 		iv_len = assoc->ipsa_iv_len;
2748 		block_size = assoc->ipsa_datalen;
2778 	if (!esp_age_bytes(assoc, datalen + padlen + iv_len + 2, B_FALSE)) {
2807 		udpha->uha_src_port = (assoc->ipsa_local_nat_port != 0) ?
2808 		    assoc->ipsa_local_nat_port : htons(IPPORT_IKE_NATT);
2809 		udpha->uha_dst_port = (assoc->ipsa_remote_nat_port != 0) ?
2810 		    assoc->ipsa_remote_nat_port : htons(IPPORT_IKE_NATT);
2819 	esph_ptr->esph_spi = assoc->ipsa_spi;
2821 	esph_ptr->esph_replay = htonl(atomic_inc_32_nv(&assoc->ipsa_replay));
2822 	if (esph_ptr->esph_replay == 0 && assoc->ipsa_replay_wsize != 0) {
2830 		    esph_ptr->esph_spi, assoc->ipsa_dstaddr, af,
2834 		sadb_replay_delete(assoc);
2866 	if (!update_iv((uint8_t *)iv_ptr, espstack->esp_pfkey_q, assoc,
2960 	data_mp = esp_submit_req_outbound(data_mp, ixa, assoc, icv_buf,
3332 	if (sq.assoc->sadb_sa_flags & IPSA_F_INBOUND) {
3336 		if (sq.assoc->sadb_sa_flags & IPSA_F_OUTBOUND)
3338 	} else if (sq.assoc->sadb_sa_flags & IPSA_F_OUTBOUND) {
3351 			sq.assoc->sadb_sa_flags |= IPSA_F_OUTBOUND;
3362 			sq.assoc->sadb_sa_flags |= IPSA_F_INBOUND;
3377 			sq.assoc->sadb_sa_flags |= IPSA_F_OUTBOUND;
3381 				sq.assoc->sadb_sa_flags |= IPSA_F_INBOUND;
3438 		larval = ipsec_getassocbyspi(sq.inbound, sq.assoc->sadb_sa_spi,
3562 	sadb_sa_t *assoc = (sadb_sa_t *)ksi->ks_in_extv[SADB_EXT_SA];
3608 	if (assoc == NULL) {
3612 	if (ekey == NULL && assoc->sadb_sa_encrypt != SADB_EALG_NULL) {
3627 	if ((assoc->sadb_sa_state != SADB_SASTATE_MATURE) &&
3628 	    (assoc->sadb_sa_state != SADB_X_SASTATE_ACTIVE_ELSEWHERE)) {
3632 	if (assoc->sadb_sa_encrypt == SADB_EALG_NONE) {
3638 	if (assoc->sadb_sa_encrypt == SADB_EALG_NULL &&
3639 	    assoc->sadb_sa_auth == SADB_AALG_NONE) {
3645 	if (assoc->sadb_sa_flags & ~espstack->esp_sadb.s_addflags) {
3655 	if (assoc->sadb_sa_flags & SADB_X_SAFLAGS_NATT_LOC) {
3668 	if (assoc->sadb_sa_flags & SADB_X_SAFLAGS_NATT_REM) {
3700 	if (akey != NULL && assoc->sadb_sa_auth != SADB_AALG_NONE) {
3707 		    [assoc->sadb_sa_auth];
3711 			    assoc->sadb_sa_auth));
3746 		    [assoc->sadb_sa_encrypt];
3750 			    assoc->sadb_sa_encrypt));
3767 		if ((assoc->sadb_sa_encrypt == SADB_EALG_NULL) ||
3797 	sadb_sa_t *assoc = (sadb_sa_t *)ksi->ks_in_extv[SADB_EXT_SA];
3813 	if ((assoc->sadb_sa_state != SADB_X_SASTATE_ACTIVE) ||
3833 	sadb_sa_t *assoc = (sadb_sa_t *)ksi->ks_in_extv[SADB_EXT_SA];
3840 	if (assoc == NULL) {

Indexes created Tue Jul 24 14:28:13 CEST 2018