1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21 /*
22 * Copyright (c) 2001, 2010, Oracle and/or its affiliates. All rights reserved.
23 * Copyright (c) 2012 Nexenta Systems, Inc. All rights reserved.
24 */
25
26 #include <sys/param.h>
27 #include <sys/types.h>
28 #include <sys/stream.h>
29 #include <sys/strsubr.h>
30 #include <sys/strsun.h>
31 #include <sys/stropts.h>
32 #include <sys/zone.h>
33 #include <sys/vnode.h>
34 #include <sys/sysmacros.h>
35 #define _SUN_TPI_VERSION 2
36 #include <sys/tihdr.h>
37 #include <sys/ddi.h>
38 #include <sys/sunddi.h>
39 #include <sys/mkdev.h>
40 #include <sys/debug.h>
41 #include <sys/kmem.h>
42 #include <sys/cmn_err.h>
43 #include <sys/suntpi.h>
44 #include <sys/policy.h>
45 #include <sys/dls.h>
46
47 #include <sys/socket.h>
48 #include <netinet/in.h>
49 #include <net/pfkeyv2.h>
50 #include <net/pfpolicy.h>
51
52 #include <inet/common.h>
53 #include <netinet/ip6.h>
54 #include <inet/ip.h>
55 #include <inet/ip6.h>
56 #include <inet/mi.h>
57 #include <inet/proto_set.h>
58 #include <inet/nd.h>
59 #include <inet/ip_if.h>
60 #include <inet/optcom.h>
61 #include <inet/ipsec_impl.h>
62 #include <inet/spdsock.h>
63 #include <inet/sadb.h>
64 #include <inet/iptun.h>
65 #include <inet/iptun/iptun_impl.h>
66
67 #include <sys/isa_defs.h>
68
69 #include <c2/audit.h>
70
71 /*
72 * This is a transport provider for the PF_POLICY IPsec policy
73 * management socket, which provides a management interface into the
74 * SPD, allowing policy rules to be added, deleted, and queried.
75 *
76 * This effectively replaces the old private SIOC*IPSECONFIG ioctls
77 * with an extensible interface which will hopefully be public some
78 * day.
79 *
80 * See <net/pfpolicy.h> for more details on the protocol.
81 *
82 * We link against drv/ip and call directly into it to manipulate the
83 * SPD; see ipsec_impl.h for the policy data structures and spd.c for
84 * the code which maintains them.
85 *
86 * The MT model of this is QPAIR with the addition of some explicit
87 * locking to protect system-wide policy data structures.
88 */
89
90 static vmem_t *spdsock_vmem; /* for minor numbers. */
91
92 #define ALIGNED64(x) IS_P2ALIGNED((x), sizeof (uint64_t))
93
94 /* Default structure copied into T_INFO_ACK messages (from rts.c...) */
95 static struct T_info_ack spdsock_g_t_info_ack = {
96 T_INFO_ACK,
97 T_INFINITE, /* TSDU_size. Maximum size messages. */
98 T_INVALID, /* ETSDU_size. No expedited data. */
99 T_INVALID, /* CDATA_size. No connect data. */
100 T_INVALID, /* DDATA_size. No disconnect data. */
101 0, /* ADDR_size. */
102 0, /* OPT_size. No user-settable options */
103 64 * 1024, /* TIDU_size. spdsock allows maximum size messages. */
104 T_COTS, /* SERV_type. spdsock supports connection oriented. */
105 TS_UNBND, /* CURRENT_state. This is set from spdsock_state. */
106 (XPG4_1) /* Provider flags */
107 };
108
109 /* Named Dispatch Parameter Management Structure */
110 typedef struct spdsockparam_s {
111 uint_t spdsock_param_min;
112 uint_t spdsock_param_max;
113 uint_t spdsock_param_value;
114 char *spdsock_param_name;
115 } spdsockparam_t;
116
117 /*
118 * Table of NDD variables supported by spdsock. These are loaded into
119 * spdsock_g_nd in spdsock_init_nd.
120 * All of these are alterable, within the min/max values given, at run time.
121 */
122 static spdsockparam_t lcl_param_arr[] = {
123 /* min max value name */
124 { 4096, 65536, 8192, "spdsock_xmit_hiwat"},
125 { 0, 65536, 1024, "spdsock_xmit_lowat"},
126 { 4096, 65536, 8192, "spdsock_recv_hiwat"},
127 { 65536, 1024*1024*1024, 256*1024, "spdsock_max_buf"},
128 { 0, 3, 0, "spdsock_debug"},
129 };
130 #define spds_xmit_hiwat spds_params[0].spdsock_param_value
131 #define spds_xmit_lowat spds_params[1].spdsock_param_value
132 #define spds_recv_hiwat spds_params[2].spdsock_param_value
133 #define spds_max_buf spds_params[3].spdsock_param_value
134 #define spds_debug spds_params[4].spdsock_param_value
135
136 #define ss0dbg(a) printf a
137 /* NOTE: != 0 instead of > 0 so lint doesn't complain. */
138 #define ss1dbg(spds, a) if (spds->spds_debug != 0) printf a
139 #define ss2dbg(spds, a) if (spds->spds_debug > 1) printf a
140 #define ss3dbg(spds, a) if (spds->spds_debug > 2) printf a
141
142 #define RESET_SPDSOCK_DUMP_POLHEAD(ss, iph) { \
143 ASSERT(RW_READ_HELD(&(iph)->iph_lock)); \
144 (ss)->spdsock_dump_head = (iph); \
145 (ss)->spdsock_dump_gen = (iph)->iph_gen; \
146 (ss)->spdsock_dump_cur_type = 0; \
147 (ss)->spdsock_dump_cur_af = IPSEC_AF_V4; \
148 (ss)->spdsock_dump_cur_rule = NULL; \
149 (ss)->spdsock_dump_count = 0; \
150 (ss)->spdsock_dump_cur_chain = 0; \
151 }
152
153 static int spdsock_close(queue_t *);
154 static int spdsock_open(queue_t *, dev_t *, int, int, cred_t *);
155 static void spdsock_wput(queue_t *, mblk_t *);
156 static void spdsock_wsrv(queue_t *);
157 static void spdsock_rsrv(queue_t *);
158 static void *spdsock_stack_init(netstackid_t stackid, netstack_t *ns);
159 static void spdsock_stack_shutdown(netstackid_t stackid, void *arg);
160 static void spdsock_stack_fini(netstackid_t stackid, void *arg);
161 static void spdsock_loadcheck(void *);
162 static void spdsock_merge_algs(spd_stack_t *);
163 static void spdsock_flush_one(ipsec_policy_head_t *, netstack_t *);
164 static mblk_t *spdsock_dump_next_record(spdsock_t *);
165 static void update_iptun_policy(ipsec_tun_pol_t *);
166
167 static struct module_info info = {
168 5138, "spdsock", 1, INFPSZ, 512, 128
169 };
170
171 static struct qinit rinit = {
172 NULL, (pfi_t)spdsock_rsrv, spdsock_open, spdsock_close,
173 NULL, &info
174 };
175
176 static struct qinit winit = {
177 (pfi_t)spdsock_wput, (pfi_t)spdsock_wsrv, NULL, NULL, NULL, &info
178 };
179
180 struct streamtab spdsockinfo = {
181 &rinit, &winit
182 };
183
184 /* mapping from alg type to protocol number, as per RFC 2407 */
185 static const uint_t algproto[] = {
186 PROTO_IPSEC_AH,
187 PROTO_IPSEC_ESP,
188 };
189
190 #define NALGPROTOS (sizeof (algproto) / sizeof (algproto[0]))
191
192 /* mapping from kernel exec mode to spdsock exec mode */
193 static const uint_t execmodes[] = {
194 SPD_ALG_EXEC_MODE_SYNC,
195 SPD_ALG_EXEC_MODE_ASYNC
196 };
197
198 #define NEXECMODES (sizeof (execmodes) / sizeof (execmodes[0]))
199
200 #define ALL_ACTIVE_POLHEADS ((ipsec_policy_head_t *)-1)
201 #define ALL_INACTIVE_POLHEADS ((ipsec_policy_head_t *)-2)
202
203 #define ITP_NAME(itp) (itp != NULL ? itp->itp_name : NULL)
204
205 /* ARGSUSED */
206 static int
207 spdsock_param_get(
208 queue_t *q,
209 mblk_t *mp,
210 caddr_t cp,
211 cred_t *cr)
212 {
213 spdsockparam_t *spdsockpa = (spdsockparam_t *)cp;
214 uint_t value;
215 spdsock_t *ss = (spdsock_t *)q->q_ptr;
216 spd_stack_t *spds = ss->spdsock_spds;
217
218 mutex_enter(&spds->spds_param_lock);
219 value = spdsockpa->spdsock_param_value;
220 mutex_exit(&spds->spds_param_lock);
221
222 (void) mi_mpprintf(mp, "%u", value);
223 return (0);
224 }
225
226 /* This routine sets an NDD variable in a spdsockparam_t structure. */
227 /* ARGSUSED */
228 static int
229 spdsock_param_set(
230 queue_t *q,
231 mblk_t *mp,
232 char *value,
233 caddr_t cp,
234 cred_t *cr)
235 {
236 ulong_t new_value;
237 spdsockparam_t *spdsockpa = (spdsockparam_t *)cp;
238 spdsock_t *ss = (spdsock_t *)q->q_ptr;
239 spd_stack_t *spds = ss->spdsock_spds;
240
241 /* Convert the value from a string into a long integer. */
242 if (ddi_strtoul(value, NULL, 10, &new_value) != 0)
243 return (EINVAL);
244
245 mutex_enter(&spds->spds_param_lock);
246 /*
247 * Fail the request if the new value does not lie within the
248 * required bounds.
249 */
250 if (new_value < spdsockpa->spdsock_param_min ||
251 new_value > spdsockpa->spdsock_param_max) {
252 mutex_exit(&spds->spds_param_lock);
253 return (EINVAL);
254 }
255
256 /* Set the new value */
257 spdsockpa->spdsock_param_value = new_value;
258 mutex_exit(&spds->spds_param_lock);
259
260 return (0);
261 }
262
263 /*
264 * Initialize at module load time
265 */
266 boolean_t
267 spdsock_ddi_init(void)
268 {
269 spdsock_max_optsize = optcom_max_optsize(
270 spdsock_opt_obj.odb_opt_des_arr, spdsock_opt_obj.odb_opt_arr_cnt);
271
272 spdsock_vmem = vmem_create("spdsock", (void *)1, MAXMIN, 1,
273 NULL, NULL, NULL, 1, VM_SLEEP | VMC_IDENTIFIER);
274
275 /*
276 * We want to be informed each time a stack is created or
277 * destroyed in the kernel, so we can maintain the
278 * set of spd_stack_t's.
279 */
280 netstack_register(NS_SPDSOCK, spdsock_stack_init,
281 spdsock_stack_shutdown, spdsock_stack_fini);
282
283 return (B_TRUE);
284 }
285
286 /*
287 * Walk through the param array specified registering each element with the
288 * named dispatch handler.
289 */
290 static boolean_t
291 spdsock_param_register(IDP *ndp, spdsockparam_t *ssp, int cnt)
292 {
293 for (; cnt-- > 0; ssp++) {
294 if (ssp->spdsock_param_name != NULL &&
295 ssp->spdsock_param_name[0]) {
296 if (!nd_load(ndp,
297 ssp->spdsock_param_name,
298 spdsock_param_get, spdsock_param_set,
299 (caddr_t)ssp)) {
300 nd_free(ndp);
301 return (B_FALSE);
302 }
303 }
304 }
305 return (B_TRUE);
306 }
307
308 /*
309 * Initialize for each stack instance
310 */
311 /* ARGSUSED */
312 static void *
313 spdsock_stack_init(netstackid_t stackid, netstack_t *ns)
314 {
315 spd_stack_t *spds;
316 spdsockparam_t *ssp;
317
318 spds = (spd_stack_t *)kmem_zalloc(sizeof (*spds), KM_SLEEP);
319 spds->spds_netstack = ns;
320
321 ASSERT(spds->spds_g_nd == NULL);
322
323 ssp = (spdsockparam_t *)kmem_alloc(sizeof (lcl_param_arr), KM_SLEEP);
324 spds->spds_params = ssp;
325 bcopy(lcl_param_arr, ssp, sizeof (lcl_param_arr));
326
327 (void) spdsock_param_register(&spds->spds_g_nd, ssp,
328 A_CNT(lcl_param_arr));
329
330 mutex_init(&spds->spds_param_lock, NULL, MUTEX_DEFAULT, NULL);
331 mutex_init(&spds->spds_alg_lock, NULL, MUTEX_DEFAULT, NULL);
332
333 return (spds);
334 }
335
336 void
337 spdsock_ddi_destroy(void)
338 {
339 vmem_destroy(spdsock_vmem);
340
341 netstack_unregister(NS_SPDSOCK);
342 }
343
344 /*
345 * Do pre-removal cleanup.
346 */
347 /* ARGSUSED */
348 static void
349 spdsock_stack_shutdown(netstackid_t stackid, void *arg)
350 {
351 spd_stack_t *spds = (spd_stack_t *)arg;
352
353 if (spds->spds_mp_algs != NULL) {
354 freemsg(spds->spds_mp_algs);
355 spds->spds_mp_algs = NULL;
356 }
357 }
358
359 /* ARGSUSED */
360 static void
361 spdsock_stack_fini(netstackid_t stackid, void *arg)
362 {
363 spd_stack_t *spds = (spd_stack_t *)arg;
364
365 ASSERT(spds->spds_mp_algs == NULL);
366 mutex_destroy(&spds->spds_param_lock);
367 mutex_destroy(&spds->spds_alg_lock);
368 nd_free(&spds->spds_g_nd);
369 kmem_free(spds->spds_params, sizeof (lcl_param_arr));
370 spds->spds_params = NULL;
371
372 kmem_free(spds, sizeof (*spds));
373 }
374
375 /*
376 * NOTE: large quantities of this should be shared with keysock.
377 * Would be nice to combine some of this into a common module, but
378 * not possible given time pressures.
379 */
380
381 /*
382 * High-level reality checking of extensions.
383 */
384 /* ARGSUSED */ /* XXX */
385 static boolean_t
386 ext_check(spd_ext_t *ext)
387 {
388 spd_if_t *tunname = (spd_if_t *)ext;
389 int i;
390 char *idstr;
391
392 if (ext->spd_ext_type == SPD_EXT_TUN_NAME) {
393 /* (NOTE: Modified from SADB_EXT_IDENTITY..) */
394
395 /*
396 * Make sure the strings in these identities are
397 * null-terminated. Let's "proactively" null-terminate the
398 * string at the last byte if it's not terminated sooner.
399 */
400 i = SPD_64TO8(tunname->spd_if_len) - sizeof (spd_if_t);
401 idstr = (char *)(tunname + 1);
402 while (*idstr != '\0' && i > 0) {
403 i--;
404 idstr++;
405 }
406 if (i == 0) {
407 /*
408 * I.e., if the bozo user didn't NULL-terminate the
409 * string...
410 */
411 idstr--;
412 *idstr = '\0';
413 }
414 }
415 return (B_TRUE); /* For now... */
416 }
417
418
419
420 /* Return values for spdsock_get_ext(). */
421 #define KGE_OK 0
422 #define KGE_DUP 1
423 #define KGE_UNK 2
424 #define KGE_LEN 3
425 #define KGE_CHK 4
426
427 /*
428 * Parse basic extension headers and return in the passed-in pointer vector.
429 * Return values include:
430 *
431 * KGE_OK Everything's nice and parsed out.
432 * If there are no extensions, place NULL in extv[0].
433 * KGE_DUP There is a duplicate extension.
434 * First instance in appropriate bin. First duplicate in
435 * extv[0].
436 * KGE_UNK Unknown extension type encountered. extv[0] contains
437 * unknown header.
438 * KGE_LEN Extension length error.
439 * KGE_CHK High-level reality check failed on specific extension.
440 *
441 * My apologies for some of the pointer arithmetic in here. I'm thinking
442 * like an assembly programmer, yet trying to make the compiler happy.
443 */
444 static int
445 spdsock_get_ext(spd_ext_t *extv[], spd_msg_t *basehdr, uint_t msgsize)
446 {
447 bzero(extv, sizeof (spd_ext_t *) * (SPD_EXT_MAX + 1));
448
449 /* Use extv[0] as the "current working pointer". */
450
451 extv[0] = (spd_ext_t *)(basehdr + 1);
452
453 while (extv[0] < (spd_ext_t *)(((uint8_t *)basehdr) + msgsize)) {
454 /* Check for unknown headers. */
455 if (extv[0]->spd_ext_type == 0 ||
456 extv[0]->spd_ext_type > SPD_EXT_MAX)
457 return (KGE_UNK);
458
459 /*
460 * Check length. Use uint64_t because extlen is in units
461 * of 64-bit words. If length goes beyond the msgsize,
462 * return an error. (Zero length also qualifies here.)
463 */
464 if (extv[0]->spd_ext_len == 0 ||
465 (void *)((uint64_t *)extv[0] + extv[0]->spd_ext_len) >
466 (void *)((uint8_t *)basehdr + msgsize))
467 return (KGE_LEN);
468
469 /* Check for redundant headers. */
470 if (extv[extv[0]->spd_ext_type] != NULL)
471 return (KGE_DUP);
472
473 /*
474 * Reality check the extension if possible at the spdsock
475 * level.
476 */
477 if (!ext_check(extv[0]))
478 return (KGE_CHK);
479
480 /* If I make it here, assign the appropriate bin. */
481 extv[extv[0]->spd_ext_type] = extv[0];
482
483 /* Advance pointer (See above for uint64_t ptr reasoning.) */
484 extv[0] = (spd_ext_t *)
485 ((uint64_t *)extv[0] + extv[0]->spd_ext_len);
486 }
487
488 /* Everything's cool. */
489
490 /*
491 * If extv[0] == NULL, then there are no extension headers in this
492 * message. Ensure that this is the case.
493 */
494 if (extv[0] == (spd_ext_t *)(basehdr + 1))
495 extv[0] = NULL;
496
497 return (KGE_OK);
498 }
499
500 static const int bad_ext_diag[] = {
501 SPD_DIAGNOSTIC_MALFORMED_LCLPORT,
502 SPD_DIAGNOSTIC_MALFORMED_REMPORT,
503 SPD_DIAGNOSTIC_MALFORMED_PROTO,
504 SPD_DIAGNOSTIC_MALFORMED_LCLADDR,
505 SPD_DIAGNOSTIC_MALFORMED_REMADDR,
506 SPD_DIAGNOSTIC_MALFORMED_ACTION,
507 SPD_DIAGNOSTIC_MALFORMED_RULE,
508 SPD_DIAGNOSTIC_MALFORMED_RULESET,
509 SPD_DIAGNOSTIC_MALFORMED_ICMP_TYPECODE
510 };
511
512 static const int dup_ext_diag[] = {
513 SPD_DIAGNOSTIC_DUPLICATE_LCLPORT,
514 SPD_DIAGNOSTIC_DUPLICATE_REMPORT,
515 SPD_DIAGNOSTIC_DUPLICATE_PROTO,
516 SPD_DIAGNOSTIC_DUPLICATE_LCLADDR,
517 SPD_DIAGNOSTIC_DUPLICATE_REMADDR,
518 SPD_DIAGNOSTIC_DUPLICATE_ACTION,
519 SPD_DIAGNOSTIC_DUPLICATE_RULE,
520 SPD_DIAGNOSTIC_DUPLICATE_RULESET,
521 SPD_DIAGNOSTIC_DUPLICATE_ICMP_TYPECODE
522 };
523
524 /*
525 * Transmit a PF_POLICY error message to the instance either pointed to
526 * by ks, the instance with serial number serial, or more, depending.
527 *
528 * The faulty message (or a reasonable facsimile thereof) is in mp.
529 * This function will free mp or recycle it for delivery, thereby causing
530 * the stream head to free it.
531 */
532 static void
533 spdsock_error(queue_t *q, mblk_t *mp, int error, int diagnostic)
534 {
535 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr;
536
537 ASSERT(mp->b_datap->db_type == M_DATA);
538
539 if (spmsg->spd_msg_type < SPD_MIN ||
540 spmsg->spd_msg_type > SPD_MAX)
541 spmsg->spd_msg_type = SPD_RESERVED;
542
543 /*
544 * Strip out extension headers.
545 */
546 ASSERT(mp->b_rptr + sizeof (*spmsg) <= mp->b_datap->db_lim);
547 mp->b_wptr = mp->b_rptr + sizeof (*spmsg);
548 spmsg->spd_msg_len = SPD_8TO64(sizeof (spd_msg_t));
549 spmsg->spd_msg_errno = (uint8_t)error;
550 spmsg->spd_msg_diagnostic = (uint16_t)diagnostic;
551
552 qreply(q, mp);
553 }
554
555 static void
556 spdsock_diag(queue_t *q, mblk_t *mp, int diagnostic)
557 {
558 spdsock_error(q, mp, EINVAL, diagnostic);
559 }
560
561 static void
562 spd_echo(queue_t *q, mblk_t *mp)
563 {
564 qreply(q, mp);
565 }
566
567 /*
568 * Do NOT consume a reference to itp.
569 */
570 /*ARGSUSED*/
571 static void
572 spdsock_flush_node(ipsec_tun_pol_t *itp, void *cookie, netstack_t *ns)
573 {
574 boolean_t active = (boolean_t)cookie;
575 ipsec_policy_head_t *iph;
576
577 iph = active ? itp->itp_policy : itp->itp_inactive;
578 IPPH_REFHOLD(iph);
579 mutex_enter(&itp->itp_lock);
580 spdsock_flush_one(iph, ns); /* Releases iph refhold. */
581 if (active)
582 itp->itp_flags &= ~ITPF_PFLAGS;
583 else
584 itp->itp_flags &= ~ITPF_IFLAGS;
585 mutex_exit(&itp->itp_lock);
586 /* SPD_FLUSH is worth a tunnel MTU check. */
587 update_iptun_policy(itp);
588 }
589
590 /*
591 * Clear out one polhead.
592 */
593 static void
594 spdsock_flush_one(ipsec_policy_head_t *iph, netstack_t *ns)
595 {
596 rw_enter(&iph->iph_lock, RW_WRITER);
597 ipsec_polhead_flush(iph, ns);
598 rw_exit(&iph->iph_lock);
599 IPPH_REFRELE(iph, ns);
600 }
601
602 static void
603 spdsock_flush(queue_t *q, ipsec_policy_head_t *iph, ipsec_tun_pol_t *itp,
604 mblk_t *mp)
605 {
606 boolean_t active;
607 spdsock_t *ss = (spdsock_t *)q->q_ptr;
608 netstack_t *ns = ss->spdsock_spds->spds_netstack;
609 uint32_t auditing = AU_AUDITING();
610
611 if (iph != ALL_ACTIVE_POLHEADS && iph != ALL_INACTIVE_POLHEADS) {
612 spdsock_flush_one(iph, ns);
613 if (auditing) {
614 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr;
615 cred_t *cr;
616 pid_t cpid;
617
618 cr = msg_getcred(mp, &cpid);
619 active = (spmsg->spd_msg_spdid == SPD_ACTIVE);
620 audit_pf_policy(SPD_FLUSH, cr, ns,
621 ITP_NAME(itp), active, 0, cpid);
622 }
623 } else {
624 active = (iph == ALL_ACTIVE_POLHEADS);
625
626 /* First flush the global policy. */
627 spdsock_flush_one(active ? ipsec_system_policy(ns) :
628 ipsec_inactive_policy(ns), ns);
629 if (auditing) {
630 cred_t *cr;
631 pid_t cpid;
632
633 cr = msg_getcred(mp, &cpid);
634 audit_pf_policy(SPD_FLUSH, cr, ns, NULL,
635 active, 0, cpid);
636 }
637 /* Then flush every tunnel's appropriate one. */
638 itp_walk(spdsock_flush_node, (void *)active, ns);
639 if (auditing) {
640 cred_t *cr;
641 pid_t cpid;
642
643 cr = msg_getcred(mp, &cpid);
644 audit_pf_policy(SPD_FLUSH, cr, ns,
645 "all tunnels", active, 0, cpid);
646 }
647 }
648
649 spd_echo(q, mp);
650 }
651
652 static boolean_t
653 spdsock_ext_to_sel(spd_ext_t **extv, ipsec_selkey_t *sel, int *diag)
654 {
655 bzero(sel, sizeof (*sel));
656
657 if (extv[SPD_EXT_PROTO] != NULL) {
658 struct spd_proto *pr =
659 (struct spd_proto *)extv[SPD_EXT_PROTO];
660 sel->ipsl_proto = pr->spd_proto_number;
661 sel->ipsl_valid |= IPSL_PROTOCOL;
662 }
663 if (extv[SPD_EXT_LCLPORT] != NULL) {
664 struct spd_portrange *pr =
665 (struct spd_portrange *)extv[SPD_EXT_LCLPORT];
666 sel->ipsl_lport = pr->spd_ports_minport;
667 sel->ipsl_valid |= IPSL_LOCAL_PORT;
668 }
669 if (extv[SPD_EXT_REMPORT] != NULL) {
670 struct spd_portrange *pr =
671 (struct spd_portrange *)extv[SPD_EXT_REMPORT];
672 sel->ipsl_rport = pr->spd_ports_minport;
673 sel->ipsl_valid |= IPSL_REMOTE_PORT;
674 }
675
676 if (extv[SPD_EXT_ICMP_TYPECODE] != NULL) {
677 struct spd_typecode *tc=
678 (struct spd_typecode *)extv[SPD_EXT_ICMP_TYPECODE];
679
680 sel->ipsl_valid |= IPSL_ICMP_TYPE;
681 sel->ipsl_icmp_type = tc->spd_typecode_type;
682 if (tc->spd_typecode_type_end < tc->spd_typecode_type)
683 sel->ipsl_icmp_type_end = tc->spd_typecode_type;
684 else
685 sel->ipsl_icmp_type_end = tc->spd_typecode_type_end;
686
687 if (tc->spd_typecode_code != 255) {
688 sel->ipsl_valid |= IPSL_ICMP_CODE;
689 sel->ipsl_icmp_code = tc->spd_typecode_code;
690 if (tc->spd_typecode_code_end < tc->spd_typecode_code)
691 sel->ipsl_icmp_code_end = tc->spd_typecode_code;
692 else
693 sel->ipsl_icmp_code_end =
694 tc->spd_typecode_code_end;
695 }
696 }
697 #define ADDR2SEL(sel, extv, field, pfield, extn, bit) \
698 if ((extv)[(extn)] != NULL) { \
699 uint_t addrlen; \
700 struct spd_address *ap = \
701 (struct spd_address *)((extv)[(extn)]); \
702 addrlen = (ap->spd_address_af == AF_INET6) ? \
703 IPV6_ADDR_LEN : IP_ADDR_LEN; \
704 if (SPD_64TO8(ap->spd_address_len) < \
705 (addrlen + sizeof (*ap))) { \
706 *diag = SPD_DIAGNOSTIC_BAD_ADDR_LEN; \
707 return (B_FALSE); \
708 } \
709 bcopy((ap+1), &((sel)->field), addrlen); \
710 (sel)->pfield = ap->spd_address_prefixlen; \
711 (sel)->ipsl_valid |= (bit); \
712 (sel)->ipsl_valid |= (ap->spd_address_af == AF_INET6) ? \
713 IPSL_IPV6 : IPSL_IPV4; \
714 }
715
716 ADDR2SEL(sel, extv, ipsl_local, ipsl_local_pfxlen,
717 SPD_EXT_LCLADDR, IPSL_LOCAL_ADDR);
718 ADDR2SEL(sel, extv, ipsl_remote, ipsl_remote_pfxlen,
719 SPD_EXT_REMADDR, IPSL_REMOTE_ADDR);
720
721 if ((sel->ipsl_valid & (IPSL_IPV6|IPSL_IPV4)) ==
722 (IPSL_IPV6|IPSL_IPV4)) {
723 *diag = SPD_DIAGNOSTIC_MIXED_AF;
724 return (B_FALSE);
725 }
726
727 #undef ADDR2SEL
728
729 return (B_TRUE);
730 }
731
732 static boolean_t
733 spd_convert_type(uint32_t type, ipsec_act_t *act)
734 {
735 switch (type) {
736 case SPD_ACTTYPE_DROP:
737 act->ipa_type = IPSEC_ACT_DISCARD;
738 return (B_TRUE);
739
740 case SPD_ACTTYPE_PASS:
741 act->ipa_type = IPSEC_ACT_CLEAR;
742 return (B_TRUE);
743
744 case SPD_ACTTYPE_IPSEC:
745 act->ipa_type = IPSEC_ACT_APPLY;
746 return (B_TRUE);
747 }
748 return (B_FALSE);
749 }
750
751 static boolean_t
752 spd_convert_flags(uint32_t flags, ipsec_act_t *act)
753 {
754 /*
755 * Note use of !! for boolean canonicalization.
756 */
757 act->ipa_apply.ipp_use_ah = !!(flags & SPD_APPLY_AH);
758 act->ipa_apply.ipp_use_esp = !!(flags & SPD_APPLY_ESP);
759 act->ipa_apply.ipp_use_espa = !!(flags & SPD_APPLY_ESPA);
760 act->ipa_apply.ipp_use_se = !!(flags & SPD_APPLY_SE);
761 act->ipa_apply.ipp_use_unique = !!(flags & SPD_APPLY_UNIQUE);
762 return (B_TRUE);
763 }
764
765 static void
766 spdsock_reset_act(ipsec_act_t *act)
767 {
768 bzero(act, sizeof (*act));
769 act->ipa_apply.ipp_espe_maxbits = IPSEC_MAX_KEYBITS;
770 act->ipa_apply.ipp_espa_maxbits = IPSEC_MAX_KEYBITS;
771 act->ipa_apply.ipp_ah_maxbits = IPSEC_MAX_KEYBITS;
772 }
773
774 /*
775 * Sanity check action against reality, and shrink-wrap key sizes..
776 */
777 static boolean_t
778 spdsock_check_action(ipsec_act_t *act, boolean_t tunnel_polhead, int *diag,
779 spd_stack_t *spds)
780 {
781 if (tunnel_polhead && act->ipa_apply.ipp_use_unique) {
782 *diag = SPD_DIAGNOSTIC_ADD_INCON_FLAGS;
783 return (B_FALSE);
784 }
785 if ((act->ipa_type != IPSEC_ACT_APPLY) &&
786 (act->ipa_apply.ipp_use_ah ||
787 act->ipa_apply.ipp_use_esp ||
788 act->ipa_apply.ipp_use_espa ||
789 act->ipa_apply.ipp_use_se ||
790 act->ipa_apply.ipp_use_unique)) {
791 *diag = SPD_DIAGNOSTIC_ADD_INCON_FLAGS;
792 return (B_FALSE);
793 }
794 if ((act->ipa_type == IPSEC_ACT_APPLY) &&
795 !act->ipa_apply.ipp_use_ah &&
796 !act->ipa_apply.ipp_use_esp) {
797 *diag = SPD_DIAGNOSTIC_ADD_INCON_FLAGS;
798 return (B_FALSE);
799 }
800 return (ipsec_check_action(act, diag, spds->spds_netstack));
801 }
802
803 /*
804 * We may be short a few error checks here..
805 */
806 static boolean_t
807 spdsock_ext_to_actvec(spd_ext_t **extv, ipsec_act_t **actpp, uint_t *nactp,
808 int *diag, spd_stack_t *spds)
809 {
810 struct spd_ext_actions *sactp =
811 (struct spd_ext_actions *)extv[SPD_EXT_ACTION];
812 ipsec_act_t act, *actp, *endactp;
813 struct spd_attribute *attrp, *endattrp;
814 uint64_t *endp;
815 int nact;
816 boolean_t tunnel_polhead;
817
818 tunnel_polhead = (extv[SPD_EXT_TUN_NAME] != NULL &&
819 (((struct spd_rule *)extv[SPD_EXT_RULE])->spd_rule_flags &
820 SPD_RULE_FLAG_TUNNEL));
821
822 *actpp = NULL;
823 *nactp = 0;
824
825 if (sactp == NULL) {
826 *diag = SPD_DIAGNOSTIC_NO_ACTION_EXT;
827 return (B_FALSE);
828 }
829
830 /*
831 * Parse the "action" extension and convert into an action chain.
832 */
833
834 nact = sactp->spd_actions_count;
835
836 endp = (uint64_t *)sactp;
837 endp += sactp->spd_actions_len;
838 endattrp = (struct spd_attribute *)endp;
839
840 actp = kmem_alloc(sizeof (*actp) * nact, KM_NOSLEEP);
841 if (actp == NULL) {
842 *diag = SPD_DIAGNOSTIC_ADD_NO_MEM;
843 return (B_FALSE);
844 }
845 *actpp = actp;
846 *nactp = nact;
847 endactp = actp + nact;
848
849 spdsock_reset_act(&act);
850 attrp = (struct spd_attribute *)(&sactp[1]);
851
852 for (; attrp < endattrp; attrp++) {
853 switch (attrp->spd_attr_tag) {
854 case SPD_ATTR_NOP:
855 break;
856
857 case SPD_ATTR_EMPTY:
858 spdsock_reset_act(&act);
859 break;
860
861 case SPD_ATTR_END:
862 attrp = endattrp;
863 /* FALLTHRU */
864 case SPD_ATTR_NEXT:
865 if (actp >= endactp) {
866 *diag = SPD_DIAGNOSTIC_ADD_WRONG_ACT_COUNT;
867 goto fail;
868 }
869 if (!spdsock_check_action(&act, tunnel_polhead,
870 diag, spds))
871 goto fail;
872 *actp++ = act;
873 spdsock_reset_act(&act);
874 break;
875
876 case SPD_ATTR_TYPE:
877 if (!spd_convert_type(attrp->spd_attr_value, &act)) {
878 *diag = SPD_DIAGNOSTIC_ADD_BAD_TYPE;
879 goto fail;
880 }
881 break;
882
883 case SPD_ATTR_FLAGS:
884 if (!tunnel_polhead && extv[SPD_EXT_TUN_NAME] != NULL) {
885 /*
886 * Set "sa unique" for transport-mode
887 * tunnels whether we want to or not.
888 */
889 attrp->spd_attr_value |= SPD_APPLY_UNIQUE;
890 }
891 if (!spd_convert_flags(attrp->spd_attr_value, &act)) {
892 *diag = SPD_DIAGNOSTIC_ADD_BAD_FLAGS;
893 goto fail;
894 }
895 break;
896
897 case SPD_ATTR_AH_AUTH:
898 if (attrp->spd_attr_value == 0) {
899 *diag = SPD_DIAGNOSTIC_UNSUPP_AH_ALG;
900 goto fail;
901 }
902 act.ipa_apply.ipp_auth_alg = attrp->spd_attr_value;
903 break;
904
905 case SPD_ATTR_ESP_ENCR:
906 if (attrp->spd_attr_value == 0) {
907 *diag = SPD_DIAGNOSTIC_UNSUPP_ESP_ENCR_ALG;
908 goto fail;
909 }
910 act.ipa_apply.ipp_encr_alg = attrp->spd_attr_value;
911 break;
912
913 case SPD_ATTR_ESP_AUTH:
914 if (attrp->spd_attr_value == 0) {
915 *diag = SPD_DIAGNOSTIC_UNSUPP_ESP_AUTH_ALG;
916 goto fail;
917 }
918 act.ipa_apply.ipp_esp_auth_alg = attrp->spd_attr_value;
919 break;
920
921 case SPD_ATTR_ENCR_MINBITS:
922 act.ipa_apply.ipp_espe_minbits = attrp->spd_attr_value;
923 break;
924
925 case SPD_ATTR_ENCR_MAXBITS:
926 act.ipa_apply.ipp_espe_maxbits = attrp->spd_attr_value;
927 break;
928
929 case SPD_ATTR_AH_MINBITS:
930 act.ipa_apply.ipp_ah_minbits = attrp->spd_attr_value;
931 break;
932
933 case SPD_ATTR_AH_MAXBITS:
934 act.ipa_apply.ipp_ah_maxbits = attrp->spd_attr_value;
935 break;
936
937 case SPD_ATTR_ESPA_MINBITS:
938 act.ipa_apply.ipp_espa_minbits = attrp->spd_attr_value;
939 break;
940
941 case SPD_ATTR_ESPA_MAXBITS:
942 act.ipa_apply.ipp_espa_maxbits = attrp->spd_attr_value;
943 break;
944
945 case SPD_ATTR_LIFE_SOFT_TIME:
946 case SPD_ATTR_LIFE_HARD_TIME:
947 case SPD_ATTR_LIFE_SOFT_BYTES:
948 case SPD_ATTR_LIFE_HARD_BYTES:
949 break;
950
951 case SPD_ATTR_KM_PROTO:
952 act.ipa_apply.ipp_km_proto = attrp->spd_attr_value;
953 break;
954
955 case SPD_ATTR_KM_COOKIE:
956 act.ipa_apply.ipp_km_cookie = attrp->spd_attr_value;
957 break;
958
959 case SPD_ATTR_REPLAY_DEPTH:
960 act.ipa_apply.ipp_replay_depth = attrp->spd_attr_value;
961 break;
962 }
963 }
964 if (actp != endactp) {
965 *diag = SPD_DIAGNOSTIC_ADD_WRONG_ACT_COUNT;
966 goto fail;
967 }
968
969 return (B_TRUE);
970 fail:
971 ipsec_actvec_free(*actpp, nact);
972 *actpp = NULL;
973 return (B_FALSE);
974 }
975
976 typedef struct
977 {
978 ipsec_policy_t *pol;
979 int dir;
980 } tmprule_t;
981
982 static int
983 mkrule(ipsec_policy_head_t *iph, struct spd_rule *rule,
984 ipsec_selkey_t *sel, ipsec_act_t *actp, int nact, uint_t dir, uint_t af,
985 tmprule_t **rp, uint64_t *index, spd_stack_t *spds)
986 {
987 ipsec_policy_t *pol;
988
989 sel->ipsl_valid &= ~(IPSL_IPV6|IPSL_IPV4);
990 sel->ipsl_valid |= af;
991
992 pol = ipsec_policy_create(sel, actp, nact, rule->spd_rule_priority,
993 index, spds->spds_netstack);
994 if (pol == NULL)
995 return (ENOMEM);
996
997 (*rp)->pol = pol;
998 (*rp)->dir = dir;
999 (*rp)++;
1000
1001 if (!ipsec_check_policy(iph, pol, dir))
1002 return (EEXIST);
1003
1004 rule->spd_rule_index = pol->ipsp_index;
1005 return (0);
1006 }
1007
1008 static int
1009 mkrulepair(ipsec_policy_head_t *iph, struct spd_rule *rule,
1010 ipsec_selkey_t *sel, ipsec_act_t *actp, int nact, uint_t dir, uint_t afs,
1011 tmprule_t **rp, uint64_t *index, spd_stack_t *spds)
1012 {
1013 int error;
1014
1015 if (afs & IPSL_IPV4) {
1016 error = mkrule(iph, rule, sel, actp, nact, dir, IPSL_IPV4, rp,
1017 index, spds);
1018 if (error != 0)
1019 return (error);
1020 }
1021 if (afs & IPSL_IPV6) {
1022 error = mkrule(iph, rule, sel, actp, nact, dir, IPSL_IPV6, rp,
1023 index, spds);
1024 if (error != 0)
1025 return (error);
1026 }
1027 return (0);
1028 }
1029
1030
1031 static void
1032 spdsock_addrule(queue_t *q, ipsec_policy_head_t *iph, mblk_t *mp,
1033 spd_ext_t **extv, ipsec_tun_pol_t *itp)
1034 {
1035 ipsec_selkey_t sel;
1036 ipsec_act_t *actp;
1037 uint_t nact;
1038 int diag = 0, error, afs;
1039 struct spd_rule *rule = (struct spd_rule *)extv[SPD_EXT_RULE];
1040 tmprule_t rules[4], *rulep = &rules[0];
1041 boolean_t tunnel_mode, empty_itp, active;
1042 uint64_t *index = (itp == NULL) ? NULL : &itp->itp_next_policy_index;
1043 spdsock_t *ss = (spdsock_t *)q->q_ptr;
1044 spd_stack_t *spds = ss->spdsock_spds;
1045 uint32_t auditing = AU_AUDITING();
1046
1047 if (rule == NULL) {
1048 spdsock_diag(q, mp, SPD_DIAGNOSTIC_NO_RULE_EXT);
1049 if (auditing) {
1050 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr;
1051 cred_t *cr;
1052 pid_t cpid;
1053
1054 cr = msg_getcred(mp, &cpid);
1055 active = (spmsg->spd_msg_spdid == SPD_ACTIVE);
1056 audit_pf_policy(SPD_ADDRULE, cr,
1057 spds->spds_netstack, ITP_NAME(itp), active,
1058 SPD_DIAGNOSTIC_NO_RULE_EXT, cpid);
1059 }
1060 return;
1061 }
1062
1063 tunnel_mode = (rule->spd_rule_flags & SPD_RULE_FLAG_TUNNEL);
1064
1065 if (itp != NULL) {
1066 mutex_enter(&itp->itp_lock);
1067 ASSERT(itp->itp_policy == iph || itp->itp_inactive == iph);
1068 active = (itp->itp_policy == iph);
1069 if (ITP_P_ISACTIVE(itp, iph)) {
1070 /* Check for mix-and-match of tunnel/transport. */
1071 if ((tunnel_mode && !ITP_P_ISTUNNEL(itp, iph)) ||
1072 (!tunnel_mode && ITP_P_ISTUNNEL(itp, iph))) {
1073 mutex_exit(&itp->itp_lock);
1074 spdsock_error(q, mp, EBUSY, 0);
1075 return;
1076 }
1077 empty_itp = B_FALSE;
1078 } else {
1079 empty_itp = B_TRUE;
1080 itp->itp_flags = active ? ITPF_P_ACTIVE : ITPF_I_ACTIVE;
1081 if (tunnel_mode)
1082 itp->itp_flags |= active ? ITPF_P_TUNNEL :
1083 ITPF_I_TUNNEL;
1084 }
1085 } else {
1086 empty_itp = B_FALSE;
1087 }
1088
1089 if (rule->spd_rule_index != 0) {
1090 diag = SPD_DIAGNOSTIC_INVALID_RULE_INDEX;
1091 error = EINVAL;
1092 goto fail2;
1093 }
1094
1095 if (!spdsock_ext_to_sel(extv, &sel, &diag)) {
1096 error = EINVAL;
1097 goto fail2;
1098 }
1099
1100 if (itp != NULL) {
1101 if (tunnel_mode) {
1102 if (sel.ipsl_valid &
1103 (IPSL_REMOTE_PORT | IPSL_LOCAL_PORT)) {
1104 itp->itp_flags |= active ?
1105 ITPF_P_PER_PORT_SECURITY :
1106 ITPF_I_PER_PORT_SECURITY;
1107 }
1108 } else {
1109 /*
1110 * For now, we don't allow transport-mode on a tunnel
1111 * with ANY specific selectors. Bail if we have such
1112 * a request.
1113 */
1114 if (sel.ipsl_valid & IPSL_WILDCARD) {
1115 diag = SPD_DIAGNOSTIC_NO_TUNNEL_SELECTORS;
1116 error = EINVAL;
1117 goto fail2;
1118 }
1119 }
1120 }
1121
1122 if (!spdsock_ext_to_actvec(extv, &actp, &nact, &diag, spds)) {
1123 error = EINVAL;
1124 goto fail2;
1125 }
1126 /*
1127 * If no addresses were specified, add both.
1128 */
1129 afs = sel.ipsl_valid & (IPSL_IPV6|IPSL_IPV4);
1130 if (afs == 0)
1131 afs = (IPSL_IPV6|IPSL_IPV4);
1132
1133 rw_enter(&iph->iph_lock, RW_WRITER);
1134
1135 if (rule->spd_rule_flags & SPD_RULE_FLAG_OUTBOUND) {
1136 error = mkrulepair(iph, rule, &sel, actp, nact,
1137 IPSEC_TYPE_OUTBOUND, afs, &rulep, index, spds);
1138 if (error != 0)
1139 goto fail;
1140 }
1141
1142 if (rule->spd_rule_flags & SPD_RULE_FLAG_INBOUND) {
1143 error = mkrulepair(iph, rule, &sel, actp, nact,
1144 IPSEC_TYPE_INBOUND, afs, &rulep, index, spds);
1145 if (error != 0)
1146 goto fail;
1147 }
1148
1149 while ((--rulep) >= &rules[0]) {
1150 ipsec_enter_policy(iph, rulep->pol, rulep->dir,
1151 spds->spds_netstack);
1152 }
1153 rw_exit(&iph->iph_lock);
1154 if (itp != NULL)
1155 mutex_exit(&itp->itp_lock);
1156
1157 ipsec_actvec_free(actp, nact);
1158 spd_echo(q, mp);
1159 if (auditing) {
1160 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr;
1161 cred_t *cr;
1162 pid_t cpid;
1163
1164 cr = msg_getcred(mp, &cpid);
1165 active = (spmsg->spd_msg_spdid == SPD_ACTIVE);
1166 audit_pf_policy(SPD_ADDRULE, cr, spds->spds_netstack,
1167 ITP_NAME(itp), active, 0, cpid);
1168 }
1169 return;
1170
1171 fail:
1172 rw_exit(&iph->iph_lock);
1173 while ((--rulep) >= &rules[0])
1174 IPPOL_REFRELE(rulep->pol);
1175 ipsec_actvec_free(actp, nact);
1176 fail2:
1177 if (itp != NULL) {
1178 if (empty_itp)
1179 itp->itp_flags = 0;
1180 mutex_exit(&itp->itp_lock);
1181 }
1182 spdsock_error(q, mp, error, diag);
1183 if (auditing) {
1184 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr;
1185 cred_t *cr;
1186 pid_t cpid;
1187
1188 cr = msg_getcred(mp, &cpid);
1189 active = (spmsg->spd_msg_spdid == SPD_ACTIVE);
1190 audit_pf_policy(SPD_ADDRULE, cr, spds->spds_netstack,
1191 ITP_NAME(itp), active, error, cpid);
1192 }
1193 }
1194
1195 void
1196 spdsock_deleterule(queue_t *q, ipsec_policy_head_t *iph, mblk_t *mp,
1197 spd_ext_t **extv, ipsec_tun_pol_t *itp)
1198 {
1199 ipsec_selkey_t sel;
1200 struct spd_rule *rule = (struct spd_rule *)extv[SPD_EXT_RULE];
1201 int err, diag = 0;
1202 spdsock_t *ss = (spdsock_t *)q->q_ptr;
1203 netstack_t *ns = ss->spdsock_spds->spds_netstack;
1204 uint32_t auditing = AU_AUDITING();
1205
1206 if (rule == NULL) {
1207 spdsock_diag(q, mp, SPD_DIAGNOSTIC_NO_RULE_EXT);
1208 if (auditing) {
1209 boolean_t active;
1210 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr;
1211 cred_t *cr;
1212 pid_t cpid;
1213
1214 cr = msg_getcred(mp, &cpid);
1215 active = (spmsg->spd_msg_spdid == SPD_ACTIVE);
1216 audit_pf_policy(SPD_DELETERULE, cr, ns,
1217 ITP_NAME(itp), active, SPD_DIAGNOSTIC_NO_RULE_EXT,
1218 cpid);
1219 }
1220 return;
1221 }
1222
1223 /*
1224 * Must enter itp_lock first to avoid deadlock. See tun.c's
1225 * set_sec_simple() for the other case of itp_lock and iph_lock.
1226 */
1227 if (itp != NULL)
1228 mutex_enter(&itp->itp_lock);
1229
1230 if (rule->spd_rule_index != 0) {
1231 if (ipsec_policy_delete_index(iph, rule->spd_rule_index, ns) !=
1232 0) {
1233 err = ESRCH;
1234 goto fail;
1235 }
1236 } else {
1237 if (!spdsock_ext_to_sel(extv, &sel, &diag)) {
1238 err = EINVAL; /* diag already set... */
1239 goto fail;
1240 }
1241
1242 if ((rule->spd_rule_flags & SPD_RULE_FLAG_INBOUND) &&
1243 !ipsec_policy_delete(iph, &sel, IPSEC_TYPE_INBOUND, ns)) {
1244 err = ESRCH;
1245 goto fail;
1246 }
1247
1248 if ((rule->spd_rule_flags & SPD_RULE_FLAG_OUTBOUND) &&
1249 !ipsec_policy_delete(iph, &sel, IPSEC_TYPE_OUTBOUND, ns)) {
1250 err = ESRCH;
1251 goto fail;
1252 }
1253 }
1254
1255 if (itp != NULL) {
1256 ASSERT(iph == itp->itp_policy || iph == itp->itp_inactive);
1257 rw_enter(&iph->iph_lock, RW_READER);
1258 if (avl_numnodes(&iph->iph_rulebyid) == 0) {
1259 if (iph == itp->itp_policy)
1260 itp->itp_flags &= ~ITPF_PFLAGS;
1261 else
1262 itp->itp_flags &= ~ITPF_IFLAGS;
1263 }
1264 /* Can exit locks in any order. */
1265 rw_exit(&iph->iph_lock);
1266 mutex_exit(&itp->itp_lock);
1267 }
1268 spd_echo(q, mp);
1269 if (auditing) {
1270 boolean_t active;
1271 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr;
1272 cred_t *cr;
1273 pid_t cpid;
1274
1275 cr = msg_getcred(mp, &cpid);
1276 active = (spmsg->spd_msg_spdid == SPD_ACTIVE);
1277 audit_pf_policy(SPD_DELETERULE, cr, ns, ITP_NAME(itp),
1278 active, 0, cpid);
1279 }
1280 return;
1281 fail:
1282 if (itp != NULL)
1283 mutex_exit(&itp->itp_lock);
1284 spdsock_error(q, mp, err, diag);
1285 if (auditing) {
1286 boolean_t active;
1287 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr;
1288 cred_t *cr;
1289 pid_t cpid;
1290
1291 cr = msg_getcred(mp, &cpid);
1292 active = (spmsg->spd_msg_spdid == SPD_ACTIVE);
1293 audit_pf_policy(SPD_DELETERULE, cr, ns, ITP_NAME(itp),
1294 active, err, cpid);
1295 }
1296 }
1297
1298 /* Do NOT consume a reference to itp. */
1299 /* ARGSUSED */
1300 static void
1301 spdsock_flip_node(ipsec_tun_pol_t *itp, void *ignoreme, netstack_t *ns)
1302 {
1303 mutex_enter(&itp->itp_lock);
1304 ITPF_SWAP(itp->itp_flags);
1305 ipsec_swap_policy(itp->itp_policy, itp->itp_inactive, ns);
1306 mutex_exit(&itp->itp_lock);
1307 /* SPD_FLIP is worth a tunnel MTU check. */
1308 update_iptun_policy(itp);
1309 }
1310
1311 void
1312 spdsock_flip(queue_t *q, mblk_t *mp, spd_if_t *tunname)
1313 {
1314 char *tname;
1315 ipsec_tun_pol_t *itp;
1316 spdsock_t *ss = (spdsock_t *)q->q_ptr;
1317 netstack_t *ns = ss->spdsock_spds->spds_netstack;
1318 uint32_t auditing = AU_AUDITING();
1319
1320 if (tunname != NULL) {
1321 tname = (char *)tunname->spd_if_name;
1322 if (*tname == '\0') {
1323 /* can't fail */
1324 ipsec_swap_global_policy(ns);
1325 if (auditing) {
1326 boolean_t active;
1327 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr;
1328 cred_t *cr;
1329 pid_t cpid;
1330
1331 cr = msg_getcred(mp, &cpid);
1332 active = (spmsg->spd_msg_spdid == SPD_ACTIVE);
1333 audit_pf_policy(SPD_FLIP, cr, ns,
1334 NULL, active, 0, cpid);
1335 }
1336 itp_walk(spdsock_flip_node, NULL, ns);
1337 if (auditing) {
1338 boolean_t active;
1339 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr;
1340 cred_t *cr;
1341 pid_t cpid;
1342
1343 cr = msg_getcred(mp, &cpid);
1344 active = (spmsg->spd_msg_spdid == SPD_ACTIVE);
1345 audit_pf_policy(SPD_FLIP, cr, ns,
1346 "all tunnels", active, 0, cpid);
1347 }
1348 } else {
1349 itp = get_tunnel_policy(tname, ns);
1350 if (itp == NULL) {
1351 /* Better idea for "tunnel not found"? */
1352 spdsock_error(q, mp, ESRCH, 0);
1353 if (auditing) {
1354 boolean_t active;
1355 spd_msg_t *spmsg =
1356 (spd_msg_t *)mp->b_rptr;
1357 cred_t *cr;
1358 pid_t cpid;
1359
1360 cr = msg_getcred(mp, &cpid);
1361 active = (spmsg->spd_msg_spdid ==
1362 SPD_ACTIVE);
1363 audit_pf_policy(SPD_FLIP, cr, ns,
1364 ITP_NAME(itp), active,
1365 ESRCH, cpid);
1366 }
1367 return;
1368 }
1369 spdsock_flip_node(itp, NULL, ns);
1370 if (auditing) {
1371 boolean_t active;
1372 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr;
1373 cred_t *cr;
1374 pid_t cpid;
1375
1376 cr = msg_getcred(mp, &cpid);
1377 active = (spmsg->spd_msg_spdid == SPD_ACTIVE);
1378 audit_pf_policy(SPD_FLIP, cr, ns,
1379 ITP_NAME(itp), active, 0, cpid);
1380 }
1381 ITP_REFRELE(itp, ns);
1382 }
1383 } else {
1384 ipsec_swap_global_policy(ns); /* can't fail */
1385 if (auditing) {
1386 boolean_t active;
1387 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr;
1388 cred_t *cr;
1389 pid_t cpid;
1390
1391 cr = msg_getcred(mp, &cpid);
1392 active = (spmsg->spd_msg_spdid == SPD_ACTIVE);
1393 audit_pf_policy(SPD_FLIP, cr,
1394 ns, NULL, active, 0, cpid);
1395 }
1396 }
1397 spd_echo(q, mp);
1398 }
1399
1400 /*
1401 * Unimplemented feature
1402 */
1403 /* ARGSUSED */
1404 static void
1405 spdsock_lookup(queue_t *q, ipsec_policy_head_t *iph, mblk_t *mp,
1406 spd_ext_t **extv, ipsec_tun_pol_t *itp)
1407 {
1408 spdsock_error(q, mp, EINVAL, 0);
1409 }
1410
1411
1412 static mblk_t *
1413 spdsock_dump_ruleset(mblk_t *req, ipsec_policy_head_t *iph,
1414 uint32_t count, uint16_t error)
1415 {
1416 size_t len = sizeof (spd_ruleset_ext_t) + sizeof (spd_msg_t);
1417 spd_msg_t *msg;
1418 spd_ruleset_ext_t *ruleset;
1419 mblk_t *m = allocb(len, BPRI_HI);
1420
1421 ASSERT(RW_READ_HELD(&iph->iph_lock));
1422
1423 if (m == NULL) {
1424 return (NULL);
1425 }
1426 msg = (spd_msg_t *)m->b_rptr;
1427 ruleset = (spd_ruleset_ext_t *)(&msg[1]);
1428
1429 m->b_wptr = (uint8_t *)&ruleset[1];
1430
1431 *msg = *(spd_msg_t *)(req->b_rptr);
1432 msg->spd_msg_len = SPD_8TO64(len);
1433 msg->spd_msg_errno = error;
1434
1435 ruleset->spd_ruleset_len = SPD_8TO64(sizeof (*ruleset));
1436 ruleset->spd_ruleset_type = SPD_EXT_RULESET;
1437 ruleset->spd_ruleset_count = count;
1438 ruleset->spd_ruleset_version = iph->iph_gen;
1439 return (m);
1440 }
1441
1442 static mblk_t *
1443 spdsock_dump_finish(spdsock_t *ss, int error)
1444 {
1445 mblk_t *m;
1446 ipsec_policy_head_t *iph = ss->spdsock_dump_head;
1447 mblk_t *req = ss->spdsock_dump_req;
1448 netstack_t *ns = ss->spdsock_spds->spds_netstack;
1449
1450 rw_enter(&iph->iph_lock, RW_READER);
1451 m = spdsock_dump_ruleset(req, iph, ss->spdsock_dump_count, error);
1452 rw_exit(&iph->iph_lock);
1453 IPPH_REFRELE(iph, ns);
1454 if (ss->spdsock_itp != NULL) {
1455 ITP_REFRELE(ss->spdsock_itp, ns);
1456 ss->spdsock_itp = NULL;
1457 }
1458 ss->spdsock_dump_req = NULL;
1459 freemsg(req);
1460
1461 return (m);
1462 }
1463
1464 /*
1465 * Rule encoding functions.
1466 * We do a two-pass encode.
1467 * If base != NULL, fill in encoded rule part starting at base+offset.
1468 * Always return "offset" plus length of to-be-encoded data.
1469 */
1470 static uint_t
1471 spdsock_encode_typecode(uint8_t *base, uint_t offset, uint8_t type,
1472 uint8_t type_end, uint8_t code, uint8_t code_end)
1473 {
1474 struct spd_typecode *tcp;
1475
1476 ASSERT(ALIGNED64(offset));
1477
1478 if (base != NULL) {
1479 tcp = (struct spd_typecode *)(base + offset);
1480 tcp->spd_typecode_len = SPD_8TO64(sizeof (*tcp));
1481 tcp->spd_typecode_exttype = SPD_EXT_ICMP_TYPECODE;
1482 tcp->spd_typecode_code = code;
1483 tcp->spd_typecode_type = type;
1484 tcp->spd_typecode_type_end = type_end;
1485 tcp->spd_typecode_code_end = code_end;
1486 }
1487 offset += sizeof (*tcp);
1488
1489 ASSERT(ALIGNED64(offset));
1490
1491 return (offset);
1492 }
1493
1494 static uint_t
1495 spdsock_encode_proto(uint8_t *base, uint_t offset, uint8_t proto)
1496 {
1497 struct spd_proto *spp;
1498
1499 ASSERT(ALIGNED64(offset));
1500
1501 if (base != NULL) {
1502 spp = (struct spd_proto *)(base + offset);
1503 spp->spd_proto_len = SPD_8TO64(sizeof (*spp));
1504 spp->spd_proto_exttype = SPD_EXT_PROTO;
1505 spp->spd_proto_number = proto;
1506 spp->spd_proto_reserved1 = 0;
1507 spp->spd_proto_reserved2 = 0;
1508 }
1509 offset += sizeof (*spp);
1510
1511 ASSERT(ALIGNED64(offset));
1512
1513 return (offset);
1514 }
1515
1516 static uint_t
1517 spdsock_encode_port(uint8_t *base, uint_t offset, uint16_t ext, uint16_t port)
1518 {
1519 struct spd_portrange *spp;
1520
1521 ASSERT(ALIGNED64(offset));
1522
1523 if (base != NULL) {
1524 spp = (struct spd_portrange *)(base + offset);
1525 spp->spd_ports_len = SPD_8TO64(sizeof (*spp));
1526 spp->spd_ports_exttype = ext;
1527 spp->spd_ports_minport = port;
1528 spp->spd_ports_maxport = port;
1529 }
1530 offset += sizeof (*spp);
1531
1532 ASSERT(ALIGNED64(offset));
1533
1534 return (offset);
1535 }
1536
1537 static uint_t
1538 spdsock_encode_addr(uint8_t *base, uint_t offset, uint16_t ext,
1539 const ipsec_selkey_t *sel, const ipsec_addr_t *addr, uint_t pfxlen)
1540 {
1541 struct spd_address *sae;
1542 ipsec_addr_t *spdaddr;
1543 uint_t start = offset;
1544 uint_t addrlen;
1545 uint_t af;
1546
1547 if (sel->ipsl_valid & IPSL_IPV4) {
1548 af = AF_INET;
1549 addrlen = IP_ADDR_LEN;
1550 } else {
1551 af = AF_INET6;
1552 addrlen = IPV6_ADDR_LEN;
1553 }
1554
1555 ASSERT(ALIGNED64(offset));
1556
1557 if (base != NULL) {
1558 sae = (struct spd_address *)(base + offset);
1559 sae->spd_address_exttype = ext;
1560 sae->spd_address_af = af;
1561 sae->spd_address_prefixlen = pfxlen;
1562 sae->spd_address_reserved2 = 0;
1563
1564 spdaddr = (ipsec_addr_t *)(&sae[1]);
1565 bcopy(addr, spdaddr, addrlen);
1566 }
1567 offset += sizeof (*sae);
1568 addrlen = roundup(addrlen, sizeof (uint64_t));
1569 offset += addrlen;
1570
1571 ASSERT(ALIGNED64(offset));
1572
1573 if (base != NULL)
1574 sae->spd_address_len = SPD_8TO64(offset - start);
1575 return (offset);
1576 }
1577
1578 static uint_t
1579 spdsock_encode_sel(uint8_t *base, uint_t offset, const ipsec_sel_t *sel)
1580 {
1581 const ipsec_selkey_t *selkey = &sel->ipsl_key;
1582
1583 if (selkey->ipsl_valid & IPSL_PROTOCOL)
1584 offset = spdsock_encode_proto(base, offset, selkey->ipsl_proto);
1585 if (selkey->ipsl_valid & IPSL_LOCAL_PORT)
1586 offset = spdsock_encode_port(base, offset, SPD_EXT_LCLPORT,
1587 selkey->ipsl_lport);
1588 if (selkey->ipsl_valid & IPSL_REMOTE_PORT)
1589 offset = spdsock_encode_port(base, offset, SPD_EXT_REMPORT,
1590 selkey->ipsl_rport);
1591 if (selkey->ipsl_valid & IPSL_REMOTE_ADDR)
1592 offset = spdsock_encode_addr(base, offset, SPD_EXT_REMADDR,
1593 selkey, &selkey->ipsl_remote, selkey->ipsl_remote_pfxlen);
1594 if (selkey->ipsl_valid & IPSL_LOCAL_ADDR)
1595 offset = spdsock_encode_addr(base, offset, SPD_EXT_LCLADDR,
1596 selkey, &selkey->ipsl_local, selkey->ipsl_local_pfxlen);
1597 if (selkey->ipsl_valid & IPSL_ICMP_TYPE) {
1598 offset = spdsock_encode_typecode(base, offset,
1599 selkey->ipsl_icmp_type, selkey->ipsl_icmp_type_end,
1600 (selkey->ipsl_valid & IPSL_ICMP_CODE) ?
1601 selkey->ipsl_icmp_code : 255,
1602 (selkey->ipsl_valid & IPSL_ICMP_CODE) ?
1603 selkey->ipsl_icmp_code_end : 255);
1604 }
1605 return (offset);
1606 }
1607
1608 static uint_t
1609 spdsock_encode_actattr(uint8_t *base, uint_t offset, uint32_t tag,
1610 uint32_t value)
1611 {
1612 struct spd_attribute *attr;
1613
1614 ASSERT(ALIGNED64(offset));
1615
1616 if (base != NULL) {
1617 attr = (struct spd_attribute *)(base + offset);
1618 attr->spd_attr_tag = tag;
1619 attr->spd_attr_value = value;
1620 }
1621 offset += sizeof (struct spd_attribute);
1622
1623 ASSERT(ALIGNED64(offset));
1624
1625 return (offset);
1626 }
1627
1628
1629 #define EMIT(t, v) offset = spdsock_encode_actattr(base, offset, (t), (v))
1630
1631 static uint_t
1632 spdsock_encode_action(uint8_t *base, uint_t offset, const ipsec_action_t *ap)
1633 {
1634 const struct ipsec_act *act = &(ap->ipa_act);
1635 uint_t flags;
1636
1637 EMIT(SPD_ATTR_EMPTY, 0);
1638 switch (act->ipa_type) {
1639 case IPSEC_ACT_DISCARD:
1640 case IPSEC_ACT_REJECT:
1641 EMIT(SPD_ATTR_TYPE, SPD_ACTTYPE_DROP);
1642 break;
1643 case IPSEC_ACT_BYPASS:
1644 case IPSEC_ACT_CLEAR:
1645 EMIT(SPD_ATTR_TYPE, SPD_ACTTYPE_PASS);
1646 break;
1647
1648 case IPSEC_ACT_APPLY:
1649 EMIT(SPD_ATTR_TYPE, SPD_ACTTYPE_IPSEC);
1650 flags = 0;
1651 if (act->ipa_apply.ipp_use_ah)
1652 flags |= SPD_APPLY_AH;
1653 if (act->ipa_apply.ipp_use_esp)
1654 flags |= SPD_APPLY_ESP;
1655 if (act->ipa_apply.ipp_use_espa)
1656 flags |= SPD_APPLY_ESPA;
1657 if (act->ipa_apply.ipp_use_se)
1658 flags |= SPD_APPLY_SE;
1659 if (act->ipa_apply.ipp_use_unique)
1660 flags |= SPD_APPLY_UNIQUE;
1661 EMIT(SPD_ATTR_FLAGS, flags);
1662 if (flags & SPD_APPLY_AH) {
1663 EMIT(SPD_ATTR_AH_AUTH, act->ipa_apply.ipp_auth_alg);
1664 EMIT(SPD_ATTR_AH_MINBITS,
1665 act->ipa_apply.ipp_ah_minbits);
1666 EMIT(SPD_ATTR_AH_MAXBITS,
1667 act->ipa_apply.ipp_ah_maxbits);
1668 }
1669 if (flags & SPD_APPLY_ESP) {
1670 EMIT(SPD_ATTR_ESP_ENCR, act->ipa_apply.ipp_encr_alg);
1671 EMIT(SPD_ATTR_ENCR_MINBITS,
1672 act->ipa_apply.ipp_espe_minbits);
1673 EMIT(SPD_ATTR_ENCR_MAXBITS,
1674 act->ipa_apply.ipp_espe_maxbits);
1675 if (flags & SPD_APPLY_ESPA) {
1676 EMIT(SPD_ATTR_ESP_AUTH,
1677 act->ipa_apply.ipp_esp_auth_alg);
1678 EMIT(SPD_ATTR_ESPA_MINBITS,
1679 act->ipa_apply.ipp_espa_minbits);
1680 EMIT(SPD_ATTR_ESPA_MAXBITS,
1681 act->ipa_apply.ipp_espa_maxbits);
1682 }
1683 }
1684 if (act->ipa_apply.ipp_km_proto != 0)
1685 EMIT(SPD_ATTR_KM_PROTO, act->ipa_apply.ipp_km_proto);
1686 if (act->ipa_apply.ipp_km_cookie != 0)
1687 EMIT(SPD_ATTR_KM_PROTO, act->ipa_apply.ipp_km_cookie);
1688 if (act->ipa_apply.ipp_replay_depth != 0)
1689 EMIT(SPD_ATTR_REPLAY_DEPTH,
1690 act->ipa_apply.ipp_replay_depth);
1691 /* Add more here */
1692 break;
1693 }
1694
1695 return (offset);
1696 }
1697
1698 static uint_t
1699 spdsock_encode_action_list(uint8_t *base, uint_t offset,
1700 const ipsec_action_t *ap)
1701 {
1702 struct spd_ext_actions *act;
1703 uint_t nact = 0;
1704 uint_t start = offset;
1705
1706 ASSERT(ALIGNED64(offset));
1707
1708 if (base != NULL) {
1709 act = (struct spd_ext_actions *)(base + offset);
1710 act->spd_actions_len = 0;
1711 act->spd_actions_exttype = SPD_EXT_ACTION;
1712 act->spd_actions_count = 0;
1713 act->spd_actions_reserved = 0;
1714 }
1715
1716 offset += sizeof (*act);
1717
1718 ASSERT(ALIGNED64(offset));
1719
1720 while (ap != NULL) {
1721 offset = spdsock_encode_action(base, offset, ap);
1722 ap = ap->ipa_next;
1723 nact++;
1724 if (ap != NULL) {
1725 EMIT(SPD_ATTR_NEXT, 0);
1726 }
1727 }
1728 EMIT(SPD_ATTR_END, 0);
1729
1730 ASSERT(ALIGNED64(offset));
1731
1732 if (base != NULL) {
1733 act->spd_actions_count = nact;
1734 act->spd_actions_len = SPD_8TO64(offset - start);
1735 }
1736
1737 return (offset);
1738 }
1739
1740 #undef EMIT
1741
1742 /* ARGSUSED */
1743 static uint_t
1744 spdsock_rule_flags(uint_t dir, uint_t af)
1745 {
1746 uint_t flags = 0;
1747
1748 if (dir == IPSEC_TYPE_INBOUND)
1749 flags |= SPD_RULE_FLAG_INBOUND;
1750 if (dir == IPSEC_TYPE_OUTBOUND)
1751 flags |= SPD_RULE_FLAG_OUTBOUND;
1752
1753 return (flags);
1754 }
1755
1756
1757 static uint_t
1758 spdsock_encode_rule_head(uint8_t *base, uint_t offset, spd_msg_t *req,
1759 const ipsec_policy_t *rule, uint_t dir, uint_t af, char *name,
1760 boolean_t tunnel)
1761 {
1762 struct spd_msg *spmsg;
1763 struct spd_rule *spr;
1764 spd_if_t *sid;
1765
1766 uint_t start = offset;
1767
1768 ASSERT(ALIGNED64(offset));
1769
1770 if (base != NULL) {
1771 spmsg = (struct spd_msg *)(base + offset);
1772 bzero(spmsg, sizeof (*spmsg));
1773 spmsg->spd_msg_version = PF_POLICY_V1;
1774 spmsg->spd_msg_type = SPD_DUMP;
1775 spmsg->spd_msg_seq = req->spd_msg_seq;
1776 spmsg->spd_msg_pid = req->spd_msg_pid;
1777 }
1778 offset += sizeof (struct spd_msg);
1779
1780 ASSERT(ALIGNED64(offset));
1781
1782 if (base != NULL) {
1783 spr = (struct spd_rule *)(base + offset);
1784 spr->spd_rule_type = SPD_EXT_RULE;
1785 spr->spd_rule_priority = rule->ipsp_prio;
1786 spr->spd_rule_flags = spdsock_rule_flags(dir, af);
1787 if (tunnel)
1788 spr->spd_rule_flags |= SPD_RULE_FLAG_TUNNEL;
1789 spr->spd_rule_unused = 0;
1790 spr->spd_rule_len = SPD_8TO64(sizeof (*spr));
1791 spr->spd_rule_index = rule->ipsp_index;
1792 }
1793 offset += sizeof (struct spd_rule);
1794
1795 /*
1796 * If we have an interface name (i.e. if this policy head came from
1797 * a tunnel), add the SPD_EXT_TUN_NAME extension.
1798 */
1799 if (name != NULL) {
1800
1801 ASSERT(ALIGNED64(offset));
1802
1803 if (base != NULL) {
1804 sid = (spd_if_t *)(base + offset);
1805 sid->spd_if_exttype = SPD_EXT_TUN_NAME;
1806 sid->spd_if_len = SPD_8TO64(sizeof (spd_if_t) +
1807 roundup((strlen(name) - 4), 8));
1808 (void) strlcpy((char *)sid->spd_if_name, name,
1809 LIFNAMSIZ);
1810 }
1811
1812 offset += sizeof (spd_if_t) + roundup((strlen(name) - 4), 8);
1813 }
1814
1815 offset = spdsock_encode_sel(base, offset, rule->ipsp_sel);
1816 offset = spdsock_encode_action_list(base, offset, rule->ipsp_act);
1817
1818 ASSERT(ALIGNED64(offset));
1819
1820 if (base != NULL) {
1821 spmsg->spd_msg_len = SPD_8TO64(offset - start);
1822 }
1823 return (offset);
1824 }
1825
1826 /* ARGSUSED */
1827 static mblk_t *
1828 spdsock_encode_rule(mblk_t *req, const ipsec_policy_t *rule,
1829 uint_t dir, uint_t af, char *name, boolean_t tunnel)
1830 {
1831 mblk_t *m;
1832 uint_t len;
1833 spd_msg_t *mreq = (spd_msg_t *)req->b_rptr;
1834
1835 /*
1836 * Figure out how much space we'll need.
1837 */
1838 len = spdsock_encode_rule_head(NULL, 0, mreq, rule, dir, af, name,
1839 tunnel);
1840
1841 /*
1842 * Allocate mblk.
1843 */
1844 m = allocb(len, BPRI_HI);
1845 if (m == NULL)
1846 return (NULL);
1847
1848 /*
1849 * Fill it in..
1850 */
1851 m->b_wptr = m->b_rptr + len;
1852 bzero(m->b_rptr, len);
1853 (void) spdsock_encode_rule_head(m->b_rptr, 0, mreq, rule, dir, af,
1854 name, tunnel);
1855 return (m);
1856 }
1857
1858 static ipsec_policy_t *
1859 spdsock_dump_next_in_chain(spdsock_t *ss, ipsec_policy_head_t *iph,
1860 ipsec_policy_t *cur)
1861 {
1862 ASSERT(RW_READ_HELD(&iph->iph_lock));
1863
1864 ss->spdsock_dump_count++;
1865 ss->spdsock_dump_cur_rule = cur->ipsp_hash.hash_next;
1866 return (cur);
1867 }
1868
1869 static ipsec_policy_t *
1870 spdsock_dump_next_rule(spdsock_t *ss, ipsec_policy_head_t *iph)
1871 {
1872 ipsec_policy_t *cur;
1873 ipsec_policy_root_t *ipr;
1874 int chain, nchains, type, af;
1875
1876 ASSERT(RW_READ_HELD(&iph->iph_lock));
1877
1878 cur = ss->spdsock_dump_cur_rule;
1879
1880 if (cur != NULL)
1881 return (spdsock_dump_next_in_chain(ss, iph, cur));
1882
1883 type = ss->spdsock_dump_cur_type;
1884
1885 next:
1886 chain = ss->spdsock_dump_cur_chain;
1887 ipr = &iph->iph_root[type];
1888 nchains = ipr->ipr_nchains;
1889
1890 while (chain < nchains) {
1891 cur = ipr->ipr_hash[chain].hash_head;
1892 chain++;
1893 if (cur != NULL) {
1894 ss->spdsock_dump_cur_chain = chain;
1895 return (spdsock_dump_next_in_chain(ss, iph, cur));
1896 }
1897 }
1898 ss->spdsock_dump_cur_chain = nchains;
1899
1900 af = ss->spdsock_dump_cur_af;
1901 while (af < IPSEC_NAF) {
1902 cur = ipr->ipr_nonhash[af];
1903 af++;
1904 if (cur != NULL) {
1905 ss->spdsock_dump_cur_af = af;
1906 return (spdsock_dump_next_in_chain(ss, iph, cur));
1907 }
1908 }
1909
1910 type++;
1911 if (type >= IPSEC_NTYPES)
1912 return (NULL);
1913
1914 ss->spdsock_dump_cur_chain = 0;
1915 ss->spdsock_dump_cur_type = type;
1916 ss->spdsock_dump_cur_af = IPSEC_AF_V4;
1917 goto next;
1918
1919 }
1920
1921 /*
1922 * If we're done with one policy head, but have more to go, we iterate through
1923 * another IPsec tunnel policy head (itp). Return NULL if it is an error
1924 * worthy of returning EAGAIN via PF_POLICY.
1925 */
1926 static ipsec_tun_pol_t *
1927 spdsock_dump_iterate_next_tunnel(spdsock_t *ss, ipsec_stack_t *ipss)
1928 {
1929 ipsec_tun_pol_t *itp;
1930
1931 ASSERT(RW_READ_HELD(&ipss->ipsec_tunnel_policy_lock));
1932 if (ipss->ipsec_tunnel_policy_gen > ss->spdsock_dump_tun_gen) {
1933 /* Oops, state of the tunnel polheads changed. */
1934 itp = NULL;
1935 } else if (ss->spdsock_itp == NULL) {
1936 /* Just finished global, find first node. */
1937 itp = avl_first(&ipss->ipsec_tunnel_policies);
1938 } else {
1939 /* We just finished current polhead, find the next one. */
1940 itp = AVL_NEXT(&ipss->ipsec_tunnel_policies, ss->spdsock_itp);
1941 }
1942 if (itp != NULL) {
1943 ITP_REFHOLD(itp);
1944 }
1945 if (ss->spdsock_itp != NULL) {
1946 ITP_REFRELE(ss->spdsock_itp, ipss->ipsec_netstack);
1947 }
1948 ss->spdsock_itp = itp;
1949 return (itp);
1950 }
1951
1952 static mblk_t *
1953 spdsock_dump_next_record(spdsock_t *ss)
1954 {
1955 ipsec_policy_head_t *iph;
1956 ipsec_policy_t *rule;
1957 mblk_t *m;
1958 ipsec_tun_pol_t *itp;
1959 netstack_t *ns = ss->spdsock_spds->spds_netstack;
1960 ipsec_stack_t *ipss = ns->netstack_ipsec;
1961
1962 iph = ss->spdsock_dump_head;
1963
1964 ASSERT(iph != NULL);
1965
1966 rw_enter(&iph->iph_lock, RW_READER);
1967
1968 if (iph->iph_gen != ss->spdsock_dump_gen) {
1969 rw_exit(&iph->iph_lock);
1970 return (spdsock_dump_finish(ss, EAGAIN));
1971 }
1972
1973 while ((rule = spdsock_dump_next_rule(ss, iph)) == NULL) {
1974 rw_exit(&iph->iph_lock);
1975 if (--(ss->spdsock_dump_remaining_polheads) == 0)
1976 return (spdsock_dump_finish(ss, 0));
1977
1978
1979 /*
1980 * If we reach here, we have more policy heads (tunnel
1981 * entries) to dump. Let's reset to a new policy head
1982 * and get some more rules.
1983 *
1984 * An empty policy head will have spdsock_dump_next_rule()
1985 * return NULL, and we loop (while dropping the number of
1986 * remaining polheads). If we loop to 0, we finish. We
1987 * keep looping until we hit 0 or until we have a rule to
1988 * encode.
1989 *
1990 * NOTE: No need for ITP_REF*() macros here as we're only
1991 * going after and refholding the policy head itself.
1992 */
1993 rw_enter(&ipss->ipsec_tunnel_policy_lock, RW_READER);
1994 itp = spdsock_dump_iterate_next_tunnel(ss, ipss);
1995 if (itp == NULL) {
1996 rw_exit(&ipss->ipsec_tunnel_policy_lock);
1997 return (spdsock_dump_finish(ss, EAGAIN));
1998 }
1999
2000 /* Reset other spdsock_dump thingies. */
2001 IPPH_REFRELE(ss->spdsock_dump_head, ns);
2002 if (ss->spdsock_dump_active) {
2003 ss->spdsock_dump_tunnel =
2004 itp->itp_flags & ITPF_P_TUNNEL;
2005 iph = itp->itp_policy;
2006 } else {
2007 ss->spdsock_dump_tunnel =
2008 itp->itp_flags & ITPF_I_TUNNEL;
2009 iph = itp->itp_inactive;
2010 }
2011 IPPH_REFHOLD(iph);
2012 rw_exit(&ipss->ipsec_tunnel_policy_lock);
2013
2014 rw_enter(&iph->iph_lock, RW_READER);
2015 RESET_SPDSOCK_DUMP_POLHEAD(ss, iph);
2016 }
2017
2018 m = spdsock_encode_rule(ss->spdsock_dump_req, rule,
2019 ss->spdsock_dump_cur_type, ss->spdsock_dump_cur_af,
2020 (ss->spdsock_itp == NULL) ? NULL : ss->spdsock_itp->itp_name,
2021 ss->spdsock_dump_tunnel);
2022 rw_exit(&iph->iph_lock);
2023
2024 if (m == NULL)
2025 return (spdsock_dump_finish(ss, ENOMEM));
2026 return (m);
2027 }
2028
2029 /*
2030 * Dump records until we run into flow-control back-pressure.
2031 */
2032 static void
2033 spdsock_dump_some(queue_t *q, spdsock_t *ss)
2034 {
2035 mblk_t *m, *dataind;
2036
2037 while ((ss->spdsock_dump_req != NULL) && canputnext(q)) {
2038 m = spdsock_dump_next_record(ss);
2039 if (m == NULL)
2040 return;
2041 dataind = allocb(sizeof (struct T_data_req), BPRI_HI);
2042 if (dataind == NULL) {
2043 freemsg(m);
2044 return;
2045 }
2046 dataind->b_cont = m;
2047 dataind->b_wptr += sizeof (struct T_data_req);
2048 ((struct T_data_ind *)dataind->b_rptr)->PRIM_type = T_DATA_IND;
2049 ((struct T_data_ind *)dataind->b_rptr)->MORE_flag = 0;
2050 dataind->b_datap->db_type = M_PROTO;
2051 putnext(q, dataind);
2052 }
2053 }
2054
2055 /*
2056 * Start dumping.
2057 * Format a start-of-dump record, and set up the stream and kick the rsrv
2058 * procedure to continue the job..
2059 */
2060 /* ARGSUSED */
2061 static void
2062 spdsock_dump(queue_t *q, ipsec_policy_head_t *iph, mblk_t *mp)
2063 {
2064 spdsock_t *ss = (spdsock_t *)q->q_ptr;
2065 netstack_t *ns = ss->spdsock_spds->spds_netstack;
2066 ipsec_stack_t *ipss = ns->netstack_ipsec;
2067 mblk_t *mr;
2068
2069 /* spdsock_open() already set spdsock_itp to NULL. */
2070 if (iph == ALL_ACTIVE_POLHEADS || iph == ALL_INACTIVE_POLHEADS) {
2071 rw_enter(&ipss->ipsec_tunnel_policy_lock, RW_READER);
2072 ss->spdsock_dump_remaining_polheads = 1 +
2073 avl_numnodes(&ipss->ipsec_tunnel_policies);
2074 ss->spdsock_dump_tun_gen = ipss->ipsec_tunnel_policy_gen;
2075 rw_exit(&ipss->ipsec_tunnel_policy_lock);
2076 if (iph == ALL_ACTIVE_POLHEADS) {
2077 iph = ipsec_system_policy(ns);
2078 ss->spdsock_dump_active = B_TRUE;
2079 } else {
2080 iph = ipsec_inactive_policy(ns);
2081 ss->spdsock_dump_active = B_FALSE;
2082 }
2083 ASSERT(ss->spdsock_itp == NULL);
2084 } else {
2085 ss->spdsock_dump_remaining_polheads = 1;
2086 }
2087
2088 rw_enter(&iph->iph_lock, RW_READER);
2089
2090 mr = spdsock_dump_ruleset(mp, iph, 0, 0);
2091
2092 if (!mr) {
2093 rw_exit(&iph->iph_lock);
2094 spdsock_error(q, mp, ENOMEM, 0);
2095 return;
2096 }
2097
2098 ss->spdsock_dump_req = mp;
2099 RESET_SPDSOCK_DUMP_POLHEAD(ss, iph);
2100
2101 rw_exit(&iph->iph_lock);
2102
2103 qreply(q, mr);
2104 qenable(OTHERQ(q));
2105 }
2106
2107 /* Do NOT consume a reference to ITP. */
2108 void
2109 spdsock_clone_node(ipsec_tun_pol_t *itp, void *ep, netstack_t *ns)
2110 {
2111 int *errptr = (int *)ep;
2112
2113 if (*errptr != 0)
2114 return; /* We've failed already for some reason. */
2115 mutex_enter(&itp->itp_lock);
2116 ITPF_CLONE(itp->itp_flags);
2117 *errptr = ipsec_copy_polhead(itp->itp_policy, itp->itp_inactive, ns);
2118 mutex_exit(&itp->itp_lock);
2119 }
2120
2121 void
2122 spdsock_clone(queue_t *q, mblk_t *mp, spd_if_t *tunname)
2123 {
2124 int error;
2125 char *tname;
2126 ipsec_tun_pol_t *itp;
2127 spdsock_t *ss = (spdsock_t *)q->q_ptr;
2128 netstack_t *ns = ss->spdsock_spds->spds_netstack;
2129 uint32_t auditing = AU_AUDITING();
2130
2131 if (tunname != NULL) {
2132 tname = (char *)tunname->spd_if_name;
2133 if (*tname == '\0') {
2134 error = ipsec_clone_system_policy(ns);
2135 if (auditing) {
2136 boolean_t active;
2137 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr;
2138 cred_t *cr;
2139 pid_t cpid;
2140
2141 cr = msg_getcred(mp, &cpid);
2142 active = (spmsg->spd_msg_spdid == SPD_ACTIVE);
2143 audit_pf_policy(SPD_CLONE, cr, ns,
2144 NULL, active, error, cpid);
2145 }
2146 if (error == 0) {
2147 itp_walk(spdsock_clone_node, &error, ns);
2148 if (auditing) {
2149 boolean_t active;
2150 spd_msg_t *spmsg =
2151 (spd_msg_t *)mp->b_rptr;
2152 cred_t *cr;
2153 pid_t cpid;
2154
2155 cr = msg_getcred(mp, &cpid);
2156 active = (spmsg->spd_msg_spdid ==
2157 SPD_ACTIVE);
2158 audit_pf_policy(SPD_CLONE, cr,
2159 ns, "all tunnels", active, 0,
2160 cpid);
2161 }
2162 }
2163 } else {
2164 itp = get_tunnel_policy(tname, ns);
2165 if (itp == NULL) {
2166 spdsock_error(q, mp, ENOENT, 0);
2167 if (auditing) {
2168 boolean_t active;
2169 spd_msg_t *spmsg =
2170 (spd_msg_t *)mp->b_rptr;
2171 cred_t *cr;
2172 pid_t cpid;
2173
2174 cr = msg_getcred(mp, &cpid);
2175 active = (spmsg->spd_msg_spdid ==
2176 SPD_ACTIVE);
2177 audit_pf_policy(SPD_CLONE, cr,
2178 ns, NULL, active, ENOENT, cpid);
2179 }
2180 return;
2181 }
2182 spdsock_clone_node(itp, &error, NULL);
2183 if (auditing) {
2184 boolean_t active;
2185 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr;
2186 cred_t *cr;
2187 pid_t cpid;
2188
2189 cr = msg_getcred(mp, &cpid);
2190 active = (spmsg->spd_msg_spdid == SPD_ACTIVE);
2191 audit_pf_policy(SPD_CLONE, cr, ns,
2192 ITP_NAME(itp), active, error, cpid);
2193 }
2194 ITP_REFRELE(itp, ns);
2195 }
2196 } else {
2197 error = ipsec_clone_system_policy(ns);
2198 if (auditing) {
2199 boolean_t active;
2200 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr;
2201 cred_t *cr;
2202 pid_t cpid;
2203
2204 cr = msg_getcred(mp, &cpid);
2205 active = (spmsg->spd_msg_spdid == SPD_ACTIVE);
2206 audit_pf_policy(SPD_CLONE, cr, ns, NULL,
2207 active, error, cpid);
2208 }
2209 }
2210
2211 if (error != 0)
2212 spdsock_error(q, mp, error, 0);
2213 else
2214 spd_echo(q, mp);
2215 }
2216
2217 /*
2218 * Process a SPD_ALGLIST request. The caller expects separate alg entries
2219 * for AH authentication, ESP authentication, and ESP encryption.
2220 * The same distinction is then used when setting the min and max key
2221 * sizes when defining policies.
2222 */
2223
2224 #define SPDSOCK_AH_AUTH 0
2225 #define SPDSOCK_ESP_AUTH 1
2226 #define SPDSOCK_ESP_ENCR 2
2227 #define SPDSOCK_NTYPES 3
2228
2229 static const uint_t algattr[SPDSOCK_NTYPES] = {
2230 SPD_ATTR_AH_AUTH,
2231 SPD_ATTR_ESP_AUTH,
2232 SPD_ATTR_ESP_ENCR
2233 };
2234 static const uint_t minbitsattr[SPDSOCK_NTYPES] = {
2235 SPD_ATTR_AH_MINBITS,
2236 SPD_ATTR_ESPA_MINBITS,
2237 SPD_ATTR_ENCR_MINBITS
2238 };
2239 static const uint_t maxbitsattr[SPDSOCK_NTYPES] = {
2240 SPD_ATTR_AH_MAXBITS,
2241 SPD_ATTR_ESPA_MAXBITS,
2242 SPD_ATTR_ENCR_MAXBITS
2243 };
2244 static const uint_t defbitsattr[SPDSOCK_NTYPES] = {
2245 SPD_ATTR_AH_DEFBITS,
2246 SPD_ATTR_ESPA_DEFBITS,
2247 SPD_ATTR_ENCR_DEFBITS
2248 };
2249 static const uint_t incrbitsattr[SPDSOCK_NTYPES] = {
2250 SPD_ATTR_AH_INCRBITS,
2251 SPD_ATTR_ESPA_INCRBITS,
2252 SPD_ATTR_ENCR_INCRBITS
2253 };
2254
2255 #define ATTRPERALG 6 /* fixed attributes per algs */
2256
2257 void
2258 spdsock_alglist(queue_t *q, mblk_t *mp)
2259 {
2260 uint_t algtype;
2261 uint_t algidx;
2262 uint_t algcount;
2263 uint_t size;
2264 mblk_t *m;
2265 uint8_t *cur;
2266 spd_msg_t *msg;
2267 struct spd_ext_actions *act;
2268 struct spd_attribute *attr;
2269 spdsock_t *ss = (spdsock_t *)q->q_ptr;
2270 ipsec_stack_t *ipss = ss->spdsock_spds->spds_netstack->netstack_ipsec;
2271
2272 rw_enter(&ipss->ipsec_alg_lock, RW_READER);
2273 /*
2274 * The SPD client expects to receive separate entries for
2275 * AH authentication and ESP authentication supported algorithms.
2276 *
2277 * Don't return the "any" algorithms, if defined, as no
2278 * kernel policies can be set for these algorithms.
2279 */
2280 algcount = 2 * ipss->ipsec_nalgs[IPSEC_ALG_AUTH] +
2281 ipss->ipsec_nalgs[IPSEC_ALG_ENCR];
2282
2283 if (ipss->ipsec_alglists[IPSEC_ALG_AUTH][SADB_AALG_NONE] != NULL)
2284 algcount--;
2285 if (ipss->ipsec_alglists[IPSEC_ALG_ENCR][SADB_EALG_NONE] != NULL)
2286 algcount--;
2287
2288 /*
2289 * For each algorithm, we encode:
2290 * ALG / MINBITS / MAXBITS / DEFBITS / INCRBITS / {END, NEXT}
2291 */
2292
2293 size = sizeof (spd_msg_t) + sizeof (struct spd_ext_actions) +
2294 ATTRPERALG * sizeof (struct spd_attribute) * algcount;
2295
2296 ASSERT(ALIGNED64(size));
2297
2298 m = allocb(size, BPRI_HI);
2299 if (m == NULL) {
2300 rw_exit(&ipss->ipsec_alg_lock);
2301 spdsock_error(q, mp, ENOMEM, 0);
2302 return;
2303 }
2304
2305 m->b_wptr = m->b_rptr + size;
2306 cur = m->b_rptr;
2307
2308 msg = (spd_msg_t *)cur;
2309 bcopy(mp->b_rptr, cur, sizeof (*msg));
2310
2311 msg->spd_msg_len = SPD_8TO64(size);
2312 msg->spd_msg_errno = 0;
2313 msg->spd_msg_diagnostic = 0;
2314
2315 cur += sizeof (*msg);
2316
2317 act = (struct spd_ext_actions *)cur;
2318 cur += sizeof (*act);
2319
2320 act->spd_actions_len = SPD_8TO64(size - sizeof (spd_msg_t));
2321 act->spd_actions_exttype = SPD_EXT_ACTION;
2322 act->spd_actions_count = algcount;
2323 act->spd_actions_reserved = 0;
2324
2325 attr = (struct spd_attribute *)cur;
2326
2327 #define EMIT(tag, value) { \
2328 attr->spd_attr_tag = (tag); \
2329 attr->spd_attr_value = (value); \
2330 attr++; \
2331 }
2332
2333 /*
2334 * If you change the number of EMIT's here, change
2335 * ATTRPERALG above to match
2336 */
2337 #define EMITALGATTRS(_type) { \
2338 EMIT(algattr[_type], algid); /* 1 */ \
2339 EMIT(minbitsattr[_type], minbits); /* 2 */ \
2340 EMIT(maxbitsattr[_type], maxbits); /* 3 */ \
2341 EMIT(defbitsattr[_type], defbits); /* 4 */ \
2342 EMIT(incrbitsattr[_type], incr); /* 5 */ \
2343 EMIT(SPD_ATTR_NEXT, 0); /* 6 */ \
2344 }
2345
2346 for (algtype = 0; algtype < IPSEC_NALGTYPES; algtype++) {
2347 for (algidx = 0; algidx < ipss->ipsec_nalgs[algtype];
2348 algidx++) {
2349 int algid = ipss->ipsec_sortlist[algtype][algidx];
2350 ipsec_alginfo_t *alg =
2351 ipss->ipsec_alglists[algtype][algid];
2352 uint_t minbits = alg->alg_minbits;
2353 uint_t maxbits = alg->alg_maxbits;
2354 uint_t defbits = alg->alg_default_bits;
2355 uint_t incr = alg->alg_increment;
2356
2357 if (algtype == IPSEC_ALG_AUTH) {
2358 if (algid == SADB_AALG_NONE)
2359 continue;
2360 EMITALGATTRS(SPDSOCK_AH_AUTH);
2361 EMITALGATTRS(SPDSOCK_ESP_AUTH);
2362 } else {
2363 if (algid == SADB_EALG_NONE)
2364 continue;
2365 ASSERT(algtype == IPSEC_ALG_ENCR);
2366 EMITALGATTRS(SPDSOCK_ESP_ENCR);
2367 }
2368 }
2369 }
2370
2371 rw_exit(&ipss->ipsec_alg_lock);
2372
2373 #undef EMITALGATTRS
2374 #undef EMIT
2375 #undef ATTRPERALG
2376
2377 attr--;
2378 attr->spd_attr_tag = SPD_ATTR_END;
2379
2380 freemsg(mp);
2381 qreply(q, m);
2382 }
2383
2384 /*
2385 * Process a SPD_DUMPALGS request.
2386 */
2387
2388 #define ATTRPERALG 9 /* fixed attributes per algs */
2389
2390 void
2391 spdsock_dumpalgs(queue_t *q, mblk_t *mp)
2392 {
2393 uint_t algtype;
2394 uint_t algidx;
2395 uint_t size;
2396 mblk_t *m;
2397 uint8_t *cur;
2398 spd_msg_t *msg;
2399 struct spd_ext_actions *act;
2400 struct spd_attribute *attr;
2401 ipsec_alginfo_t *alg;
2402 uint_t algid;
2403 uint_t i;
2404 uint_t alg_size;
2405 spdsock_t *ss = (spdsock_t *)q->q_ptr;
2406 ipsec_stack_t *ipss = ss->spdsock_spds->spds_netstack->netstack_ipsec;
2407
2408 rw_enter(&ipss->ipsec_alg_lock, RW_READER);
2409
2410 /*
2411 * For each algorithm, we encode:
2412 * ALG / MINBITS / MAXBITS / DEFBITS / INCRBITS / {END, NEXT}
2413 *
2414 * ALG_ID / ALG_PROTO / ALG_INCRBITS / ALG_NKEYSIZES / ALG_KEYSIZE*
2415 * ALG_NBLOCKSIZES / ALG_BLOCKSIZE* / ALG_NPARAMS / ALG_PARAMS* /
2416 * ALG_MECHNAME / ALG_FLAGS / {END, NEXT}
2417 */
2418
2419 /*
2420 * Compute the size of the SPD message.
2421 */
2422 size = sizeof (spd_msg_t) + sizeof (struct spd_ext_actions);
2423
2424 for (algtype = 0; algtype < IPSEC_NALGTYPES; algtype++) {
2425 for (algidx = 0; algidx < ipss->ipsec_nalgs[algtype];
2426 algidx++) {
2427 algid = ipss->ipsec_sortlist[algtype][algidx];
2428 alg = ipss->ipsec_alglists[algtype][algid];
2429 alg_size = sizeof (struct spd_attribute) *
2430 (ATTRPERALG + alg->alg_nkey_sizes +
2431 alg->alg_nblock_sizes + alg->alg_nparams) +
2432 CRYPTO_MAX_MECH_NAME;
2433 size += alg_size;
2434 }
2435 }
2436
2437 ASSERT(ALIGNED64(size));
2438
2439 m = allocb(size, BPRI_HI);
2440 if (m == NULL) {
2441 rw_exit(&ipss->ipsec_alg_lock);
2442 spdsock_error(q, mp, ENOMEM, 0);
2443 return;
2444 }
2445
2446 m->b_wptr = m->b_rptr + size;
2447 cur = m->b_rptr;
2448
2449 msg = (spd_msg_t *)cur;
2450 bcopy(mp->b_rptr, cur, sizeof (*msg));
2451
2452 msg->spd_msg_len = SPD_8TO64(size);
2453 msg->spd_msg_errno = 0;
2454 msg->spd_msg_type = SPD_ALGLIST;
2455
2456 msg->spd_msg_diagnostic = 0;
2457
2458 cur += sizeof (*msg);
2459
2460 act = (struct spd_ext_actions *)cur;
2461 cur += sizeof (*act);
2462
2463 act->spd_actions_len = SPD_8TO64(size - sizeof (spd_msg_t));
2464 act->spd_actions_exttype = SPD_EXT_ACTION;
2465 act->spd_actions_count = ipss->ipsec_nalgs[IPSEC_ALG_AUTH] +
2466 ipss->ipsec_nalgs[IPSEC_ALG_ENCR];
2467 act->spd_actions_reserved = 0;
2468
2469 /*
2470 * If there aren't any algorithms registered, return an empty message.
2471 * spdsock_get_ext() knows how to deal with this.
2472 */
2473 if (act->spd_actions_count == 0) {
2474 act->spd_actions_len = 0;
2475 rw_exit(&ipss->ipsec_alg_lock);
2476 goto error;
2477 }
2478
2479 attr = (struct spd_attribute *)cur;
2480
2481 #define EMIT(tag, value) { \
2482 attr->spd_attr_tag = (tag); \
2483 attr->spd_attr_value = (value); \
2484 attr++; \
2485 }
2486
2487 for (algtype = 0; algtype < IPSEC_NALGTYPES; algtype++) {
2488 for (algidx = 0; algidx < ipss->ipsec_nalgs[algtype];
2489 algidx++) {
2490
2491 algid = ipss->ipsec_sortlist[algtype][algidx];
2492 alg = ipss->ipsec_alglists[algtype][algid];
2493
2494 /*
2495 * If you change the number of EMIT's here, change
2496 * ATTRPERALG above to match
2497 */
2498 EMIT(SPD_ATTR_ALG_ID, algid);
2499 EMIT(SPD_ATTR_ALG_PROTO, algproto[algtype]);
2500 EMIT(SPD_ATTR_ALG_INCRBITS, alg->alg_increment);
2501 EMIT(SPD_ATTR_ALG_NKEYSIZES, alg->alg_nkey_sizes);
2502 for (i = 0; i < alg->alg_nkey_sizes; i++)
2503 EMIT(SPD_ATTR_ALG_KEYSIZE,
2504 alg->alg_key_sizes[i]);
2505
2506 EMIT(SPD_ATTR_ALG_NBLOCKSIZES, alg->alg_nblock_sizes);
2507 for (i = 0; i < alg->alg_nblock_sizes; i++)
2508 EMIT(SPD_ATTR_ALG_BLOCKSIZE,
2509 alg->alg_block_sizes[i]);
2510
2511 EMIT(SPD_ATTR_ALG_NPARAMS, alg->alg_nparams);
2512 for (i = 0; i < alg->alg_nparams; i++)
2513 EMIT(SPD_ATTR_ALG_PARAMS,
2514 alg->alg_params[i]);
2515
2516 EMIT(SPD_ATTR_ALG_FLAGS, alg->alg_flags);
2517
2518 EMIT(SPD_ATTR_ALG_MECHNAME, CRYPTO_MAX_MECH_NAME);
2519 bcopy(alg->alg_mech_name, attr, CRYPTO_MAX_MECH_NAME);
2520 attr = (struct spd_attribute *)((char *)attr +
2521 CRYPTO_MAX_MECH_NAME);
2522
2523 EMIT(SPD_ATTR_NEXT, 0);
2524 }
2525 }
2526
2527 rw_exit(&ipss->ipsec_alg_lock);
2528
2529 #undef EMITALGATTRS
2530 #undef EMIT
2531 #undef ATTRPERALG
2532
2533 attr--;
2534 attr->spd_attr_tag = SPD_ATTR_END;
2535
2536 error:
2537 freemsg(mp);
2538 qreply(q, m);
2539 }
2540
2541 /*
2542 * Do the actual work of processing an SPD_UPDATEALGS request. Can
2543 * be invoked either once IPsec is loaded on a cached request, or
2544 * when a request is received while IPsec is loaded.
2545 */
2546 static int
2547 spdsock_do_updatealg(spd_ext_t *extv[], spd_stack_t *spds)
2548 {
2549 struct spd_ext_actions *actp;
2550 struct spd_attribute *attr, *endattr;
2551 uint64_t *start, *end;
2552 ipsec_alginfo_t *alg = NULL;
2553 ipsec_algtype_t alg_type = 0;
2554 boolean_t skip_alg = B_TRUE, doing_proto = B_FALSE;
2555 uint_t i, cur_key, cur_block, algid;
2556 int diag = -1;
2557
2558 ASSERT(MUTEX_HELD(&spds->spds_alg_lock));
2559
2560 /* parse the message, building the list of algorithms */
2561
2562 actp = (struct spd_ext_actions *)extv[SPD_EXT_ACTION];
2563 if (actp == NULL)
2564 return (SPD_DIAGNOSTIC_NO_ACTION_EXT);
2565
2566 start = (uint64_t *)actp;
2567 end = (start + actp->spd_actions_len);
2568 endattr = (struct spd_attribute *)end;
2569 attr = (struct spd_attribute *)&actp[1];
2570
2571 bzero(spds->spds_algs, IPSEC_NALGTYPES * IPSEC_MAX_ALGS *
2572 sizeof (ipsec_alginfo_t *));
2573
2574 alg = kmem_zalloc(sizeof (*alg), KM_SLEEP);
2575
2576 #define ALG_KEY_SIZES(a) (((a)->alg_nkey_sizes + 1) * sizeof (uint16_t))
2577 #define ALG_BLOCK_SIZES(a) (((a)->alg_nblock_sizes + 1) * sizeof (uint16_t))
2578 #define ALG_PARAM_SIZES(a) (((a)->alg_nparams + 1) * sizeof (uint16_t))
2579
2580 while (attr < endattr) {
2581 switch (attr->spd_attr_tag) {
2582 case SPD_ATTR_NOP:
2583 case SPD_ATTR_EMPTY:
2584 break;
2585 case SPD_ATTR_END:
2586 attr = endattr;
2587 /* FALLTHRU */
2588 case SPD_ATTR_NEXT:
2589 if (doing_proto) {
2590 doing_proto = B_FALSE;
2591 break;
2592 }
2593 if (skip_alg) {
2594 ipsec_alg_free(alg);
2595 } else {
2596 ipsec_alg_free(
2597 spds->spds_algs[alg_type][alg->alg_id]);
2598 spds->spds_algs[alg_type][alg->alg_id] =
2599 alg;
2600 }
2601 alg = kmem_zalloc(sizeof (*alg), KM_SLEEP);
2602 break;
2603
2604 case SPD_ATTR_ALG_ID:
2605 if (attr->spd_attr_value >= IPSEC_MAX_ALGS) {
2606 ss1dbg(spds, ("spdsock_do_updatealg: "
2607 "invalid alg id %d\n",
2608 attr->spd_attr_value));
2609 diag = SPD_DIAGNOSTIC_ALG_ID_RANGE;
2610 goto bail;
2611 }
2612 alg->alg_id = attr->spd_attr_value;
2613 break;
2614
2615 case SPD_ATTR_ALG_PROTO:
2616 /* find the alg type */
2617 for (i = 0; i < NALGPROTOS; i++)
2618 if (algproto[i] == attr->spd_attr_value)
2619 break;
2620 skip_alg = (i == NALGPROTOS);
2621 if (!skip_alg)
2622 alg_type = i;
2623 break;
2624
2625 case SPD_ATTR_ALG_INCRBITS:
2626 alg->alg_increment = attr->spd_attr_value;
2627 break;
2628
2629 case SPD_ATTR_ALG_NKEYSIZES:
2630 if (alg->alg_key_sizes != NULL) {
2631 kmem_free(alg->alg_key_sizes,
2632 ALG_KEY_SIZES(alg));
2633 }
2634 alg->alg_nkey_sizes = attr->spd_attr_value;
2635 /*
2636 * Allocate room for the trailing zero key size
2637 * value as well.
2638 */
2639 alg->alg_key_sizes = kmem_zalloc(ALG_KEY_SIZES(alg),
2640 KM_SLEEP);
2641 cur_key = 0;
2642 break;
2643
2644 case SPD_ATTR_ALG_KEYSIZE:
2645 if (alg->alg_key_sizes == NULL ||
2646 cur_key >= alg->alg_nkey_sizes) {
2647 ss1dbg(spds, ("spdsock_do_updatealg: "
2648 "too many key sizes\n"));
2649 diag = SPD_DIAGNOSTIC_ALG_NUM_KEY_SIZES;
2650 goto bail;
2651 }
2652 alg->alg_key_sizes[cur_key++] = attr->spd_attr_value;
2653 break;
2654
2655 case SPD_ATTR_ALG_FLAGS:
2656 /*
2657 * Flags (bit mask). The alg_flags element of
2658 * ipsecalg_flags_t is only 8 bits wide. The
2659 * user can set the VALID bit, but we will ignore it
2660 * and make the decision is the algorithm is valid.
2661 */
2662 alg->alg_flags |= (uint8_t)attr->spd_attr_value;
2663 break;
2664
2665 case SPD_ATTR_ALG_NBLOCKSIZES:
2666 if (alg->alg_block_sizes != NULL) {
2667 kmem_free(alg->alg_block_sizes,
2668 ALG_BLOCK_SIZES(alg));
2669 }
2670 alg->alg_nblock_sizes = attr->spd_attr_value;
2671 /*
2672 * Allocate room for the trailing zero block size
2673 * value as well.
2674 */
2675 alg->alg_block_sizes = kmem_zalloc(ALG_BLOCK_SIZES(alg),
2676 KM_SLEEP);
2677 cur_block = 0;
2678 break;
2679
2680 case SPD_ATTR_ALG_BLOCKSIZE:
2681 if (alg->alg_block_sizes == NULL ||
2682 cur_block >= alg->alg_nblock_sizes) {
2683 ss1dbg(spds, ("spdsock_do_updatealg: "
2684 "too many block sizes\n"));
2685 diag = SPD_DIAGNOSTIC_ALG_NUM_BLOCK_SIZES;
2686 goto bail;
2687 }
2688 alg->alg_block_sizes[cur_block++] =
2689 attr->spd_attr_value;
2690 break;
2691
2692 case SPD_ATTR_ALG_NPARAMS:
2693 if (alg->alg_params != NULL) {
2694 kmem_free(alg->alg_params,
2695 ALG_PARAM_SIZES(alg));
2696 }
2697 alg->alg_nparams = attr->spd_attr_value;
2698 /*
2699 * Allocate room for the trailing zero block size
2700 * value as well.
2701 */
2702 alg->alg_params = kmem_zalloc(ALG_PARAM_SIZES(alg),
2703 KM_SLEEP);
2704 cur_block = 0;
2705 break;
2706
2707 case SPD_ATTR_ALG_PARAMS:
2708 if (alg->alg_params == NULL ||
2709 cur_block >= alg->alg_nparams) {
2710 ss1dbg(spds, ("spdsock_do_updatealg: "
2711 "too many params\n"));
2712 diag = SPD_DIAGNOSTIC_ALG_NUM_BLOCK_SIZES;
2713 goto bail;
2714 }
2715 /*
2716 * Array contains: iv_len, icv_len, salt_len
2717 * Any additional parameters are currently ignored.
2718 */
2719 alg->alg_params[cur_block++] =
2720 attr->spd_attr_value;
2721 break;
2722
2723 case SPD_ATTR_ALG_MECHNAME: {
2724 char *mech_name;
2725
2726 if (attr->spd_attr_value > CRYPTO_MAX_MECH_NAME) {
2727 ss1dbg(spds, ("spdsock_do_updatealg: "
2728 "mech name too long\n"));
2729 diag = SPD_DIAGNOSTIC_ALG_MECH_NAME_LEN;
2730 goto bail;
2731 }
2732 mech_name = (char *)(attr + 1);
2733 bcopy(mech_name, alg->alg_mech_name,
2734 attr->spd_attr_value);
2735 alg->alg_mech_name[CRYPTO_MAX_MECH_NAME-1] = '\0';
2736 attr = (struct spd_attribute *)((char *)attr +
2737 attr->spd_attr_value);
2738 break;
2739 }
2740
2741 case SPD_ATTR_PROTO_ID:
2742 doing_proto = B_TRUE;
2743 for (i = 0; i < NALGPROTOS; i++) {
2744 if (algproto[i] == attr->spd_attr_value) {
2745 alg_type = i;
2746 break;
2747 }
2748 }
2749 break;
2750
2751 case SPD_ATTR_PROTO_EXEC_MODE:
2752 if (!doing_proto)
2753 break;
2754 for (i = 0; i < NEXECMODES; i++) {
2755 if (execmodes[i] == attr->spd_attr_value) {
2756 spds->spds_algs_exec_mode[alg_type] = i;
2757 break;
2758 }
2759 }
2760 break;
2761 }
2762 attr++;
2763 }
2764
2765 #undef ALG_KEY_SIZES
2766 #undef ALG_BLOCK_SIZES
2767 #undef ALG_PARAM_SIZES
2768
2769 /* update the algorithm tables */
2770 spdsock_merge_algs(spds);
2771 bail:
2772 /* cleanup */
2773 ipsec_alg_free(alg);
2774 for (alg_type = 0; alg_type < IPSEC_NALGTYPES; alg_type++)
2775 for (algid = 0; algid < IPSEC_MAX_ALGS; algid++)
2776 if (spds->spds_algs[alg_type][algid] != NULL)
2777 ipsec_alg_free(spds->spds_algs[alg_type][algid]);
2778 return (diag);
2779 }
2780
2781 /*
2782 * Process an SPD_UPDATEALGS request. If IPsec is not loaded, queue
2783 * the request until IPsec loads. If IPsec is loaded, act on it
2784 * immediately.
2785 */
2786
2787 static void
2788 spdsock_updatealg(queue_t *q, mblk_t *mp, spd_ext_t *extv[])
2789 {
2790 spdsock_t *ss = (spdsock_t *)q->q_ptr;
2791 spd_stack_t *spds = ss->spdsock_spds;
2792 ipsec_stack_t *ipss = spds->spds_netstack->netstack_ipsec;
2793 uint32_t auditing = AU_AUDITING();
2794
2795 if (!ipsec_loaded(ipss)) {
2796 /*
2797 * IPsec is not loaded, save request and return nicely,
2798 * the message will be processed once IPsec loads.
2799 */
2800 mblk_t *new_mp;
2801
2802 /* last update message wins */
2803 if ((new_mp = copymsg(mp)) == NULL) {
2804 spdsock_error(q, mp, ENOMEM, 0);
2805 return;
2806 }
2807 mutex_enter(&spds->spds_alg_lock);
2808 bcopy(extv, spds->spds_extv_algs,
2809 sizeof (spd_ext_t *) * (SPD_EXT_MAX + 1));
2810 if (spds->spds_mp_algs != NULL)
2811 freemsg(spds->spds_mp_algs);
2812 spds->spds_mp_algs = mp;
2813 mutex_exit(&spds->spds_alg_lock);
2814 if (auditing) {
2815 cred_t *cr;
2816 pid_t cpid;
2817
2818 cr = msg_getcred(mp, &cpid);
2819 audit_pf_policy(SPD_UPDATEALGS, cr,
2820 spds->spds_netstack, NULL, B_TRUE, EAGAIN,
2821 cpid);
2822 }
2823 spd_echo(q, new_mp);
2824 } else {
2825 /*
2826 * IPsec is loaded, act on the message immediately.
2827 */
2828 int diag;
2829
2830 mutex_enter(&spds->spds_alg_lock);
2831 diag = spdsock_do_updatealg(extv, spds);
2832 if (diag == -1) {
2833 /* Keep the lock held while we walk the SA tables. */
2834 sadb_alg_update(IPSEC_ALG_ALL, 0, 0,
2835 spds->spds_netstack);
2836 mutex_exit(&spds->spds_alg_lock);
2837 spd_echo(q, mp);
2838 if (auditing) {
2839 cred_t *cr;
2840 pid_t cpid;
2841
2842 cr = msg_getcred(mp, &cpid);
2843 audit_pf_policy(SPD_UPDATEALGS, cr,
2844 spds->spds_netstack, NULL, B_TRUE, 0,
2845 cpid);
2846 }
2847 } else {
2848 mutex_exit(&spds->spds_alg_lock);
2849 spdsock_diag(q, mp, diag);
2850 if (auditing) {
2851 cred_t *cr;
2852 pid_t cpid;
2853
2854 cr = msg_getcred(mp, &cpid);
2855 audit_pf_policy(SPD_UPDATEALGS, cr,
2856 spds->spds_netstack, NULL, B_TRUE, diag,
2857 cpid);
2858 }
2859 }
2860 }
2861 }
2862
2863 /*
2864 * Find a tunnel instance (using the name to link ID mapping), and
2865 * update it after an IPsec change. We need to do this always in case
2866 * we add policy AFTER plumbing a tunnel. We also need to do this
2867 * because, as a side-effect, the tunnel's MTU is updated to reflect
2868 * any IPsec overhead in the itp's policy.
2869 */
2870 static void
2871 update_iptun_policy(ipsec_tun_pol_t *itp)
2872 {
2873 datalink_id_t linkid;
2874
2875 if (dls_mgmt_get_linkid(itp->itp_name, &linkid) == 0)
2876 iptun_set_policy(linkid, itp);
2877 }
2878
2879 /*
2880 * Sort through the mess of polhead options to retrieve an appropriate one.
2881 * Returns NULL if we send an spdsock error. Returns a valid pointer if we
2882 * found a valid polhead. Returns ALL_ACTIVE_POLHEADS (aka. -1) or
2883 * ALL_INACTIVE_POLHEADS (aka. -2) if the operation calls for the operation to
2884 * act on ALL policy heads.
2885 */
2886 static ipsec_policy_head_t *
2887 get_appropriate_polhead(queue_t *q, mblk_t *mp, spd_if_t *tunname, int spdid,
2888 int msgtype, ipsec_tun_pol_t **itpp)
2889 {
2890 ipsec_tun_pol_t *itp;
2891 ipsec_policy_head_t *iph;
2892 int errno;
2893 char *tname;
2894 boolean_t active;
2895 spdsock_t *ss = (spdsock_t *)q->q_ptr;
2896 netstack_t *ns = ss->spdsock_spds->spds_netstack;
2897 uint64_t gen; /* Placeholder */
2898
2899 active = (spdid == SPD_ACTIVE);
2900 *itpp = NULL;
2901 if (!active && spdid != SPD_STANDBY) {
2902 spdsock_diag(q, mp, SPD_DIAGNOSTIC_BAD_SPDID);
2903 return (NULL);
2904 }
2905
2906 if (tunname != NULL) {
2907 /* Acting on a tunnel's SPD. */
2908 tname = (char *)tunname->spd_if_name;
2909 if (*tname == '\0') {
2910 /* Handle all-polhead cases here. */
2911 if (msgtype != SPD_FLUSH && msgtype != SPD_DUMP) {
2912 spdsock_diag(q, mp,
2913 SPD_DIAGNOSTIC_NOT_GLOBAL_OP);
2914 return (NULL);
2915 }
2916 return (active ? ALL_ACTIVE_POLHEADS :
2917 ALL_INACTIVE_POLHEADS);
2918 }
2919
2920 itp = get_tunnel_policy(tname, ns);
2921 if (itp == NULL) {
2922 if (msgtype != SPD_ADDRULE) {
2923 /* "Tunnel not found" */
2924 spdsock_error(q, mp, ENOENT, 0);
2925 return (NULL);
2926 }
2927
2928 errno = 0;
2929 itp = create_tunnel_policy(tname, &errno, &gen, ns);
2930 if (itp == NULL) {
2931 /*
2932 * Something very bad happened, most likely
2933 * ENOMEM. Return an indicator.
2934 */
2935 spdsock_error(q, mp, errno, 0);
2936 return (NULL);
2937 }
2938 }
2939
2940 /* Match up the itp to an iptun instance. */
2941 update_iptun_policy(itp);
2942
2943 *itpp = itp;
2944 /* For spdsock dump state, set the polhead's name. */
2945 if (msgtype == SPD_DUMP) {
2946 ITP_REFHOLD(itp);
2947 ss->spdsock_itp = itp;
2948 ss->spdsock_dump_tunnel = itp->itp_flags &
2949 (active ? ITPF_P_TUNNEL : ITPF_I_TUNNEL);
2950 }
2951 } else {
2952 itp = NULL;
2953 /* For spdsock dump state, indicate it's global policy. */
2954 if (msgtype == SPD_DUMP)
2955 ss->spdsock_itp = NULL;
2956 }
2957
2958 if (active)
2959 iph = (itp == NULL) ? ipsec_system_policy(ns) : itp->itp_policy;
2960 else
2961 iph = (itp == NULL) ? ipsec_inactive_policy(ns) :
2962 itp->itp_inactive;
2963
2964 ASSERT(iph != NULL);
2965 if (itp != NULL) {
2966 IPPH_REFHOLD(iph);
2967 }
2968
2969 return (iph);
2970 }
2971
2972 static void
2973 spdsock_parse(queue_t *q, mblk_t *mp)
2974 {
2975 spd_msg_t *spmsg;
2976 spd_ext_t *extv[SPD_EXT_MAX + 1];
2977 uint_t msgsize;
2978 ipsec_policy_head_t *iph;
2979 ipsec_tun_pol_t *itp;
2980 spd_if_t *tunname;
2981 spdsock_t *ss = (spdsock_t *)q->q_ptr;
2982 spd_stack_t *spds = ss->spdsock_spds;
2983 netstack_t *ns = spds->spds_netstack;
2984 ipsec_stack_t *ipss = ns->netstack_ipsec;
2985
2986 /* Make sure nothing's below me. */
2987 ASSERT(WR(q)->q_next == NULL);
2988
2989 spmsg = (spd_msg_t *)mp->b_rptr;
2990
2991 msgsize = SPD_64TO8(spmsg->spd_msg_len);
2992
2993 if (msgdsize(mp) != msgsize) {
2994 /*
2995 * Message len incorrect w.r.t. actual size. Send an error
2996 * (EMSGSIZE). It may be necessary to massage things a
2997 * bit. For example, if the spd_msg_type is hosed,
2998 * I need to set it to SPD_RESERVED to get delivery to
2999 * do the right thing. Then again, maybe just letting
3000 * the error delivery do the right thing.
3001 */
3002 ss2dbg(spds,
3003 ("mblk (%lu) and base (%d) message sizes don't jibe.\n",
3004 msgdsize(mp), msgsize));
3005 spdsock_error(q, mp, EMSGSIZE, SPD_DIAGNOSTIC_NONE);
3006 return;
3007 }
3008
3009 if (msgsize > (uint_t)(mp->b_wptr - mp->b_rptr)) {
3010 /* Get all message into one mblk. */
3011 if (pullupmsg(mp, -1) == 0) {
3012 /*
3013 * Something screwy happened.
3014 */
3015 ss3dbg(spds, ("spdsock_parse: pullupmsg() failed.\n"));
3016 return;
3017 } else {
3018 spmsg = (spd_msg_t *)mp->b_rptr;
3019 }
3020 }
3021
3022 switch (spdsock_get_ext(extv, spmsg, msgsize)) {
3023 case KGE_DUP:
3024 /* Handle duplicate extension. */
3025 ss1dbg(spds, ("Got duplicate extension of type %d.\n",
3026 extv[0]->spd_ext_type));
3027 spdsock_diag(q, mp, dup_ext_diag[extv[0]->spd_ext_type]);
3028 return;
3029 case KGE_UNK:
3030 /* Handle unknown extension. */
3031 ss1dbg(spds, ("Got unknown extension of type %d.\n",
3032 extv[0]->spd_ext_type));
3033 spdsock_diag(q, mp, SPD_DIAGNOSTIC_UNKNOWN_EXT);
3034 return;
3035 case KGE_LEN:
3036 /* Length error. */
3037 ss1dbg(spds, ("Length %d on extension type %d overrun or 0.\n",
3038 extv[0]->spd_ext_len, extv[0]->spd_ext_type));
3039 spdsock_diag(q, mp, SPD_DIAGNOSTIC_BAD_EXTLEN);
3040 return;
3041 case KGE_CHK:
3042 /* Reality check failed. */
3043 ss1dbg(spds, ("Reality check failed on extension type %d.\n",
3044 extv[0]->spd_ext_type));
3045 spdsock_diag(q, mp, bad_ext_diag[extv[0]->spd_ext_type]);
3046 return;
3047 default:
3048 /* Default case is no errors. */
3049 break;
3050 }
3051
3052 /*
3053 * Special-case SPD_UPDATEALGS so as not to load IPsec.
3054 */
3055 if (!ipsec_loaded(ipss) && spmsg->spd_msg_type != SPD_UPDATEALGS) {
3056 spdsock_t *ss = (spdsock_t *)q->q_ptr;
3057
3058 ASSERT(ss != NULL);
3059 ipsec_loader_loadnow(ipss);
3060 ss->spdsock_timeout_arg = mp;
3061 ss->spdsock_timeout = qtimeout(q, spdsock_loadcheck,
3062 q, LOADCHECK_INTERVAL);
3063 return;
3064 }
3065
3066 /* First check for messages that need no polheads at all. */
3067 switch (spmsg->spd_msg_type) {
3068 case SPD_UPDATEALGS:
3069 spdsock_updatealg(q, mp, extv);
3070 return;
3071 case SPD_ALGLIST:
3072 spdsock_alglist(q, mp);
3073 return;
3074 case SPD_DUMPALGS:
3075 spdsock_dumpalgs(q, mp);
3076 return;
3077 }
3078
3079 /*
3080 * Then check for ones that need both primary/secondary polheads,
3081 * finding the appropriate tunnel policy if need be.
3082 */
3083 tunname = (spd_if_t *)extv[SPD_EXT_TUN_NAME];
3084 switch (spmsg->spd_msg_type) {
3085 case SPD_FLIP:
3086 spdsock_flip(q, mp, tunname);
3087 return;
3088 case SPD_CLONE:
3089 spdsock_clone(q, mp, tunname);
3090 return;
3091 }
3092
3093 /*
3094 * Finally, find ones that operate on exactly one polhead, or
3095 * "all polheads" of a given type (active/inactive).
3096 */
3097 iph = get_appropriate_polhead(q, mp, tunname, spmsg->spd_msg_spdid,
3098 spmsg->spd_msg_type, &itp);
3099 if (iph == NULL)
3100 return;
3101
3102 /* All-polheads-ready operations. */
3103 switch (spmsg->spd_msg_type) {
3104 case SPD_FLUSH:
3105 if (itp != NULL) {
3106 mutex_enter(&itp->itp_lock);
3107 if (spmsg->spd_msg_spdid == SPD_ACTIVE)
3108 itp->itp_flags &= ~ITPF_PFLAGS;
3109 else
3110 itp->itp_flags &= ~ITPF_IFLAGS;
3111 mutex_exit(&itp->itp_lock);
3112 }
3113
3114 spdsock_flush(q, iph, itp, mp);
3115
3116 if (itp != NULL) {
3117 /* SPD_FLUSH is worth a tunnel MTU check. */
3118 update_iptun_policy(itp);
3119 ITP_REFRELE(itp, ns);
3120 }
3121 return;
3122 case SPD_DUMP:
3123 if (itp != NULL)
3124 ITP_REFRELE(itp, ns);
3125 spdsock_dump(q, iph, mp);
3126 return;
3127 }
3128
3129 if (iph == ALL_ACTIVE_POLHEADS || iph == ALL_INACTIVE_POLHEADS) {
3130 spdsock_diag(q, mp, SPD_DIAGNOSTIC_NOT_GLOBAL_OP);
3131 return;
3132 }
3133
3134 /* Single-polhead-only operations. */
3135 switch (spmsg->spd_msg_type) {
3136 case SPD_ADDRULE:
3137 spdsock_addrule(q, iph, mp, extv, itp);
3138 break;
3139 case SPD_DELETERULE:
3140 spdsock_deleterule(q, iph, mp, extv, itp);
3141 break;
3142 case SPD_LOOKUP:
3143 spdsock_lookup(q, iph, mp, extv, itp);
3144 break;
3145 default:
3146 spdsock_diag(q, mp, SPD_DIAGNOSTIC_BAD_MSG_TYPE);
3147 break;
3148 }
3149
3150 IPPH_REFRELE(iph, ns);
3151 if (itp != NULL) {
3152 /* SPD_{ADD,DELETE}RULE are worth a tunnel MTU check. */
3153 if (spmsg->spd_msg_type == SPD_ADDRULE ||
3154 spmsg->spd_msg_type == SPD_DELETERULE)
3155 update_iptun_policy(itp);
3156 ITP_REFRELE(itp, ns);
3157 }
3158 }
3159
3160 /*
3161 * If an algorithm mapping was received before IPsec was loaded, process it.
3162 * Called from the IPsec loader.
3163 */
3164 void
3165 spdsock_update_pending_algs(netstack_t *ns)
3166 {
3167 spd_stack_t *spds = ns->netstack_spdsock;
3168
3169 mutex_enter(&spds->spds_alg_lock);
3170 if (spds->spds_mp_algs != NULL) {
3171 (void) spdsock_do_updatealg(spds->spds_extv_algs, spds);
3172 freemsg(spds->spds_mp_algs);
3173 spds->spds_mp_algs = NULL;
3174 }
3175 mutex_exit(&spds->spds_alg_lock);
3176 }
3177
3178 static void
3179 spdsock_loadcheck(void *arg)
3180 {
3181 queue_t *q = (queue_t *)arg;
3182 spdsock_t *ss = (spdsock_t *)q->q_ptr;
3183 mblk_t *mp;
3184 ipsec_stack_t *ipss = ss->spdsock_spds->spds_netstack->netstack_ipsec;
3185
3186 ASSERT(ss != NULL);
3187
3188 ss->spdsock_timeout = 0;
3189 mp = ss->spdsock_timeout_arg;
3190 ASSERT(mp != NULL);
3191 ss->spdsock_timeout_arg = NULL;
3192 if (ipsec_failed(ipss))
3193 spdsock_error(q, mp, EPROTONOSUPPORT, 0);
3194 else
3195 spdsock_parse(q, mp);
3196 }
3197
3198 /*
3199 * Copy relevant state bits.
3200 */
3201 static void
3202 spdsock_copy_info(struct T_info_ack *tap, spdsock_t *ss)
3203 {
3204 *tap = spdsock_g_t_info_ack;
3205 tap->CURRENT_state = ss->spdsock_state;
3206 tap->OPT_size = spdsock_max_optsize;
3207 }
3208
3209 /*
3210 * This routine responds to T_CAPABILITY_REQ messages. It is called by
3211 * spdsock_wput. Much of the T_CAPABILITY_ACK information is copied from
3212 * spdsock_g_t_info_ack. The current state of the stream is copied from
3213 * spdsock_state.
3214 */
3215 static void
3216 spdsock_capability_req(queue_t *q, mblk_t *mp)
3217 {
3218 spdsock_t *ss = (spdsock_t *)q->q_ptr;
3219 t_uscalar_t cap_bits1;
3220 struct T_capability_ack *tcap;
3221
3222 cap_bits1 = ((struct T_capability_req *)mp->b_rptr)->CAP_bits1;
3223
3224 mp = tpi_ack_alloc(mp, sizeof (struct T_capability_ack),
3225 mp->b_datap->db_type, T_CAPABILITY_ACK);
3226 if (mp == NULL)
3227 return;
3228
3229 tcap = (struct T_capability_ack *)mp->b_rptr;
3230 tcap->CAP_bits1 = 0;
3231
3232 if (cap_bits1 & TC1_INFO) {
3233 spdsock_copy_info(&tcap->INFO_ack, ss);
3234 tcap->CAP_bits1 |= TC1_INFO;
3235 }
3236
3237 qreply(q, mp);
3238 }
3239
3240 /*
3241 * This routine responds to T_INFO_REQ messages. It is called by
3242 * spdsock_wput_other.
3243 * Most of the T_INFO_ACK information is copied from spdsock_g_t_info_ack.
3244 * The current state of the stream is copied from spdsock_state.
3245 */
3246 static void
3247 spdsock_info_req(
3248 queue_t *q,
3249 mblk_t *mp)
3250 {
3251 mp = tpi_ack_alloc(mp, sizeof (struct T_info_ack), M_PCPROTO,
3252 T_INFO_ACK);
3253 if (mp == NULL)
3254 return;
3255 spdsock_copy_info((struct T_info_ack *)mp->b_rptr,
3256 (spdsock_t *)q->q_ptr);
3257 qreply(q, mp);
3258 }
3259
3260 /*
3261 * spdsock_err_ack. This routine creates a
3262 * T_ERROR_ACK message and passes it
3263 * upstream.
3264 */
3265 static void
3266 spdsock_err_ack(
3267 queue_t *q,
3268 mblk_t *mp,
3269 int t_error,
3270 int sys_error)
3271 {
3272 if ((mp = mi_tpi_err_ack_alloc(mp, t_error, sys_error)) != NULL)
3273 qreply(q, mp);
3274 }
3275
3276 /*
3277 * This routine retrieves the current status of socket options.
3278 * It returns the size of the option retrieved.
3279 */
3280 /* ARGSUSED */
3281 int
3282 spdsock_opt_get(queue_t *q, int level, int name, uchar_t *ptr)
3283 {
3284 int *i1 = (int *)ptr;
3285
3286 switch (level) {
3287 case SOL_SOCKET:
3288 switch (name) {
3289 case SO_TYPE:
3290 *i1 = SOCK_RAW;
3291 break;
3292 /*
3293 * The following two items can be manipulated,
3294 * but changing them should do nothing.
3295 */
3296 case SO_SNDBUF:
3297 *i1 = (int)q->q_hiwat;
3298 break;
3299 case SO_RCVBUF:
3300 *i1 = (int)(RD(q)->q_hiwat);
3301 break;
3302 }
3303 break;
3304 default:
3305 return (0);
3306 }
3307 return (sizeof (int));
3308 }
3309
3310 /*
3311 * This routine sets socket options.
3312 */
3313 /* ARGSUSED */
3314 int
3315 spdsock_opt_set(queue_t *q, uint_t mgmt_flags, int level, int name,
3316 uint_t inlen, uchar_t *invalp, uint_t *outlenp, uchar_t *outvalp,
3317 void *thisdg_attrs, cred_t *cr)
3318 {
3319 int *i1 = (int *)invalp;
3320 spdsock_t *ss = (spdsock_t *)q->q_ptr;
3321 spd_stack_t *spds = ss->spdsock_spds;
3322
3323 switch (level) {
3324 case SOL_SOCKET:
3325 switch (name) {
3326 case SO_SNDBUF:
3327 if (*i1 > spds->spds_max_buf)
3328 return (ENOBUFS);
3329 q->q_hiwat = *i1;
3330 break;
3331 case SO_RCVBUF:
3332 if (*i1 > spds->spds_max_buf)
3333 return (ENOBUFS);
3334 RD(q)->q_hiwat = *i1;
3335 (void) proto_set_rx_hiwat(RD(q), NULL, *i1);
3336 break;
3337 }
3338 break;
3339 }
3340 return (0);
3341 }
3342
3343
3344 /*
3345 * Handle STREAMS messages.
3346 */
3347 static void
3348 spdsock_wput_other(queue_t *q, mblk_t *mp)
3349 {
3350 struct iocblk *iocp;
3351 int error;
3352 spdsock_t *ss = (spdsock_t *)q->q_ptr;
3353 spd_stack_t *spds = ss->spdsock_spds;
3354 cred_t *cr;
3355
3356 switch (mp->b_datap->db_type) {
3357 case M_PROTO:
3358 case M_PCPROTO:
3359 if ((mp->b_wptr - mp->b_rptr) < sizeof (long)) {
3360 ss3dbg(spds, (
3361 "spdsock_wput_other: Not big enough M_PROTO\n"));
3362 freemsg(mp);
3363 return;
3364 }
3365 switch (((union T_primitives *)mp->b_rptr)->type) {
3366 case T_CAPABILITY_REQ:
3367 spdsock_capability_req(q, mp);
3368 break;
3369 case T_INFO_REQ:
3370 spdsock_info_req(q, mp);
3371 break;
3372 case T_SVR4_OPTMGMT_REQ:
3373 case T_OPTMGMT_REQ:
3374 /*
3375 * All Solaris components should pass a db_credp
3376 * for this TPI message, hence we ASSERT.
3377 * But in case there is some other M_PROTO that looks
3378 * like a TPI message sent by some other kernel
3379 * component, we check and return an error.
3380 */
3381 cr = msg_getcred(mp, NULL);
3382 ASSERT(cr != NULL);
3383 if (cr == NULL) {
3384 spdsock_err_ack(q, mp, TSYSERR, EINVAL);
3385 return;
3386 }
3387 if (((union T_primitives *)mp->b_rptr)->type ==
3388 T_SVR4_OPTMGMT_REQ) {
3389 svr4_optcom_req(q, mp, cr, &spdsock_opt_obj);
3390 } else {
3391 tpi_optcom_req(q, mp, cr, &spdsock_opt_obj);
3392 }
3393 break;
3394 case T_DATA_REQ:
3395 case T_EXDATA_REQ:
3396 case T_ORDREL_REQ:
3397 /* Illegal for spdsock. */
3398 freemsg(mp);
3399 (void) putnextctl1(RD(q), M_ERROR, EPROTO);
3400 break;
3401 default:
3402 /* Not supported by spdsock. */
3403 spdsock_err_ack(q, mp, TNOTSUPPORT, 0);
3404 break;
3405 }
3406 return;
3407 case M_IOCTL:
3408 iocp = (struct iocblk *)mp->b_rptr;
3409 error = EINVAL;
3410
3411 switch (iocp->ioc_cmd) {
3412 case ND_SET:
3413 case ND_GET:
3414 if (nd_getset(q, spds->spds_g_nd, mp)) {
3415 qreply(q, mp);
3416 return;
3417 } else
3418 error = ENOENT;
3419 /* FALLTHRU */
3420 default:
3421 miocnak(q, mp, 0, error);
3422 return;
3423 }
3424 case M_FLUSH:
3425 if (*mp->b_rptr & FLUSHW) {
3426 flushq(q, FLUSHALL);
3427 *mp->b_rptr &= ~FLUSHW;
3428 }
3429 if (*mp->b_rptr & FLUSHR) {
3430 qreply(q, mp);
3431 return;
3432 }
3433 /* Else FALLTHRU */
3434 }
3435
3436 /* If fell through, just black-hole the message. */
3437 freemsg(mp);
3438 }
3439
3440 static void
3441 spdsock_wput(queue_t *q, mblk_t *mp)
3442 {
3443 uint8_t *rptr = mp->b_rptr;
3444 mblk_t *mp1;
3445 spdsock_t *ss = (spdsock_t *)q->q_ptr;
3446 spd_stack_t *spds = ss->spdsock_spds;
3447
3448 /*
3449 * If we're dumping, defer processing other messages until the
3450 * dump completes.
3451 */
3452 if (ss->spdsock_dump_req != NULL) {
3453 if (!putq(q, mp))
3454 freemsg(mp);
3455 return;
3456 }
3457
3458 switch (mp->b_datap->db_type) {
3459 case M_DATA:
3460 /*
3461 * Silently discard.
3462 */
3463 ss2dbg(spds, ("raw M_DATA in spdsock.\n"));
3464 freemsg(mp);
3465 return;
3466 case M_PROTO:
3467 case M_PCPROTO:
3468 if ((mp->b_wptr - rptr) >= sizeof (struct T_data_req)) {
3469 if (((union T_primitives *)rptr)->type == T_DATA_REQ) {
3470 if ((mp1 = mp->b_cont) == NULL) {
3471 /* No data after T_DATA_REQ. */
3472 ss2dbg(spds,
3473 ("No data after DATA_REQ.\n"));
3474 freemsg(mp);
3475 return;
3476 }
3477 freeb(mp);
3478 mp = mp1;
3479 ss2dbg(spds, ("T_DATA_REQ\n"));
3480 break; /* Out of switch. */
3481 }
3482 }
3483 /* FALLTHRU */
3484 default:
3485 ss3dbg(spds, ("In default wput case (%d %d).\n",
3486 mp->b_datap->db_type, ((union T_primitives *)rptr)->type));
3487 spdsock_wput_other(q, mp);
3488 return;
3489 }
3490
3491 /* I now have a PF_POLICY message in an M_DATA block. */
3492 spdsock_parse(q, mp);
3493 }
3494
3495 /*
3496 * Device open procedure, called when new queue pair created.
3497 * We are passed the read-side queue.
3498 */
3499 /* ARGSUSED */
3500 static int
3501 spdsock_open(queue_t *q, dev_t *devp, int flag, int sflag, cred_t *credp)
3502 {
3503 spdsock_t *ss;
3504 queue_t *oq = OTHERQ(q);
3505 minor_t ssminor;
3506 netstack_t *ns;
3507 spd_stack_t *spds;
3508
3509 if (secpolicy_ip_config(credp, B_FALSE) != 0)
3510 return (EPERM);
3511
3512 if (q->q_ptr != NULL)
3513 return (0); /* Re-open of an already open instance. */
3514
3515 if (sflag & MODOPEN)
3516 return (EINVAL);
3517
3518 ns = netstack_find_by_cred(credp);
3519 ASSERT(ns != NULL);
3520 spds = ns->netstack_spdsock;
3521 ASSERT(spds != NULL);
3522
3523 ss2dbg(spds, ("Made it into PF_POLICY socket open.\n"));
3524
3525 ssminor = (minor_t)(uintptr_t)vmem_alloc(spdsock_vmem, 1, VM_NOSLEEP);
3526 if (ssminor == 0) {
3527 netstack_rele(spds->spds_netstack);
3528 return (ENOMEM);
3529 }
3530 ss = kmem_zalloc(sizeof (spdsock_t), KM_NOSLEEP);
3531 if (ss == NULL) {
3532 vmem_free(spdsock_vmem, (void *)(uintptr_t)ssminor, 1);
3533 netstack_rele(spds->spds_netstack);
3534 return (ENOMEM);
3535 }
3536
3537 ss->spdsock_minor = ssminor;
3538 ss->spdsock_state = TS_UNBND;
3539 ss->spdsock_dump_req = NULL;
3540
3541 ss->spdsock_spds = spds;
3542
3543 q->q_ptr = ss;
3544 oq->q_ptr = ss;
3545
3546 q->q_hiwat = spds->spds_recv_hiwat;
3547
3548 oq->q_hiwat = spds->spds_xmit_hiwat;
3549 oq->q_lowat = spds->spds_xmit_lowat;
3550
3551 qprocson(q);
3552 (void) proto_set_rx_hiwat(q, NULL, spds->spds_recv_hiwat);
3553
3554 *devp = makedevice(getmajor(*devp), ss->spdsock_minor);
3555 return (0);
3556 }
3557
3558 /*
3559 * Read-side service procedure, invoked when we get back-enabled
3560 * when buffer space becomes available.
3561 *
3562 * Dump another chunk if we were dumping before; when we finish, kick
3563 * the write-side queue in case it's waiting for read queue space.
3564 */
3565 void
3566 spdsock_rsrv(queue_t *q)
3567 {
3568 spdsock_t *ss = q->q_ptr;
3569
3570 if (ss->spdsock_dump_req != NULL)
3571 spdsock_dump_some(q, ss);
3572
3573 if (ss->spdsock_dump_req == NULL)
3574 qenable(OTHERQ(q));
3575 }
3576
3577 /*
3578 * Write-side service procedure, invoked when we defer processing
3579 * if another message is received while a dump is in progress.
3580 */
3581 void
3582 spdsock_wsrv(queue_t *q)
3583 {
3584 spdsock_t *ss = q->q_ptr;
3585 mblk_t *mp;
3586 ipsec_stack_t *ipss = ss->spdsock_spds->spds_netstack->netstack_ipsec;
3587
3588 if (ss->spdsock_dump_req != NULL) {
3589 qenable(OTHERQ(q));
3590 return;
3591 }
3592
3593 while ((mp = getq(q)) != NULL) {
3594 if (ipsec_loaded(ipss)) {
3595 spdsock_wput(q, mp);
3596 if (ss->spdsock_dump_req != NULL)
3597 return;
3598 } else if (!ipsec_failed(ipss)) {
3599 (void) putq(q, mp);
3600 } else {
3601 spdsock_error(q, mp, EPFNOSUPPORT, 0);
3602 }
3603 }
3604 }
3605
3606 static int
3607 spdsock_close(queue_t *q)
3608 {
3609 spdsock_t *ss = q->q_ptr;
3610 spd_stack_t *spds = ss->spdsock_spds;
3611
3612 qprocsoff(q);
3613
3614 /* Safe assumption. */
3615 ASSERT(ss != NULL);
3616
3617 if (ss->spdsock_timeout != 0)
3618 (void) quntimeout(q, ss->spdsock_timeout);
3619
3620 ss3dbg(spds, ("Driver close, PF_POLICY socket is going away.\n"));
3621
3622 vmem_free(spdsock_vmem, (void *)(uintptr_t)ss->spdsock_minor, 1);
3623 netstack_rele(ss->spdsock_spds->spds_netstack);
3624
3625 kmem_free(ss, sizeof (spdsock_t));
3626 return (0);
3627 }
3628
3629 /*
3630 * Merge the IPsec algorithms tables with the received algorithm information.
3631 */
3632 void
3633 spdsock_merge_algs(spd_stack_t *spds)
3634 {
3635 ipsec_alginfo_t *alg, *oalg;
3636 ipsec_algtype_t algtype;
3637 uint_t algidx, algid, nalgs;
3638 crypto_mech_name_t *mechs;
3639 uint_t mech_count, mech_idx;
3640 netstack_t *ns = spds->spds_netstack;
3641 ipsec_stack_t *ipss = ns->netstack_ipsec;
3642
3643 ASSERT(MUTEX_HELD(&spds->spds_alg_lock));
3644
3645 /*
3646 * Get the list of supported mechanisms from the crypto framework.
3647 * If a mechanism is supported by KCF, resolve its mechanism
3648 * id and mark it as being valid. This operation must be done
3649 * without holding alg_lock, since it can cause a provider
3650 * module to be loaded and the provider notification callback to
3651 * be invoked.
3652 */
3653 mechs = crypto_get_mech_list(&mech_count, KM_SLEEP);
3654 for (algtype = 0; algtype < IPSEC_NALGTYPES; algtype++) {
3655 for (algid = 0; algid < IPSEC_MAX_ALGS; algid++) {
3656 int algflags = 0;
3657 crypto_mech_type_t mt = CRYPTO_MECHANISM_INVALID;
3658
3659 alg = spds->spds_algs[algtype][algid];
3660 if (alg == NULL)
3661 continue;
3662
3663 /*
3664 * The NULL encryption algorithm is a special
3665 * case because there are no mechanisms, yet
3666 * the algorithm is still valid.
3667 */
3668 if (alg->alg_id == SADB_EALG_NULL) {
3669 alg->alg_mech_type = CRYPTO_MECHANISM_INVALID;
3670 alg->alg_flags |= ALG_FLAG_VALID;
3671 continue;
3672 }
3673
3674 for (mech_idx = 0; mech_idx < mech_count; mech_idx++) {
3675 if (strncmp(alg->alg_mech_name, mechs[mech_idx],
3676 CRYPTO_MAX_MECH_NAME) == 0) {
3677 mt = crypto_mech2id(alg->alg_mech_name);
3678 ASSERT(mt != CRYPTO_MECHANISM_INVALID);
3679 algflags = ALG_FLAG_VALID;
3680 break;
3681 }
3682 }
3683 alg->alg_mech_type = mt;
3684 alg->alg_flags |= algflags;
3685 }
3686 }
3687
3688 rw_enter(&ipss->ipsec_alg_lock, RW_WRITER);
3689
3690 /*
3691 * For each algorithm currently defined, check if it is
3692 * present in the new tables created from the SPD_UPDATEALGS
3693 * message received from user-space.
3694 * Delete the algorithm entries that are currently defined
3695 * but not part of the new tables.
3696 */
3697 for (algtype = 0; algtype < IPSEC_NALGTYPES; algtype++) {
3698 nalgs = ipss->ipsec_nalgs[algtype];
3699 for (algidx = 0; algidx < nalgs; algidx++) {
3700 algid = ipss->ipsec_sortlist[algtype][algidx];
3701 if (spds->spds_algs[algtype][algid] == NULL)
3702 ipsec_alg_unreg(algtype, algid, ns);
3703 }
3704 }
3705
3706 /*
3707 * For each algorithm we just received, check if it is
3708 * present in the currently defined tables. If it is, swap
3709 * the entry with the one we just allocated.
3710 * If the new algorithm is not in the current tables,
3711 * add it.
3712 */
3713 for (algtype = 0; algtype < IPSEC_NALGTYPES; algtype++) {
3714 for (algid = 0; algid < IPSEC_MAX_ALGS; algid++) {
3715 alg = spds->spds_algs[algtype][algid];
3716 if (alg == NULL)
3717 continue;
3718
3719 if ((oalg = ipss->ipsec_alglists[algtype][algid]) ==
3720 NULL) {
3721 /*
3722 * New algorithm, add it to the algorithm
3723 * table.
3724 */
3725 ipsec_alg_reg(algtype, alg, ns);
3726 } else {
3727 /*
3728 * Algorithm is already in the table. Swap
3729 * the existing entry with the new one.
3730 */
3731 ipsec_alg_fix_min_max(alg, algtype, ns);
3732 ipss->ipsec_alglists[algtype][algid] = alg;
3733 ipsec_alg_free(oalg);
3734 }
3735 spds->spds_algs[algtype][algid] = NULL;
3736 }
3737 }
3738
3739 for (algtype = 0; algtype < IPSEC_NALGTYPES; algtype++) {
3740 ipss->ipsec_algs_exec_mode[algtype] =
3741 spds->spds_algs_exec_mode[algtype];
3742 }
3743
3744 rw_exit(&ipss->ipsec_alg_lock);
3745
3746 crypto_free_mech_list(mechs, mech_count);
3747
3748 ipsecah_algs_changed(ns);
3749 ipsecesp_algs_changed(ns);
3750 }