Print this page
8541 pfiles does not properly identify PF_KEY or PF_POLICY
Reviewed by: Mike Zeller <mike.zeller@joyent.com>
Reviewed by: Patrick Mooney <patrick.mooney@joyent.com>
| Split |
Close |
| Expand all |
| Collapse all |
--- old/usr/src/uts/common/inet/ip/spdsock.c
+++ new/usr/src/uts/common/inet/ip/spdsock.c
1 1 /*
2 2 * CDDL HEADER START
3 3 *
4 4 * The contents of this file are subject to the terms of the
5 5 * Common Development and Distribution License (the "License").
6 6 * You may not use this file except in compliance with the License.
7 7 *
8 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 9 * or http://www.opensolaris.org/os/licensing.
10 10 * See the License for the specific language governing permissions
11 11 * and limitations under the License.
12 12 *
13 13 * When distributing Covered Code, include this CDDL HEADER in each
|
↓ open down ↓ |
13 lines elided |
↑ open up ↑ |
14 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 15 * If applicable, add the following below this CDDL HEADER, with the
16 16 * fields enclosed by brackets "[]" replaced with your own identifying
17 17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 18 *
19 19 * CDDL HEADER END
20 20 */
21 21 /*
22 22 * Copyright (c) 2001, 2010, Oracle and/or its affiliates. All rights reserved.
23 23 * Copyright (c) 2012 Nexenta Systems, Inc. All rights reserved.
24 + * Copyright 2017 Joyent, Inc.
24 25 */
25 26
26 27 #include <sys/param.h>
27 28 #include <sys/types.h>
28 29 #include <sys/stream.h>
29 30 #include <sys/strsubr.h>
30 31 #include <sys/strsun.h>
31 32 #include <sys/stropts.h>
32 33 #include <sys/zone.h>
33 34 #include <sys/vnode.h>
34 35 #include <sys/sysmacros.h>
35 36 #define _SUN_TPI_VERSION 2
36 37 #include <sys/tihdr.h>
38 +#include <sys/timod.h>
37 39 #include <sys/ddi.h>
38 40 #include <sys/sunddi.h>
39 41 #include <sys/mkdev.h>
40 42 #include <sys/debug.h>
41 43 #include <sys/kmem.h>
42 44 #include <sys/cmn_err.h>
43 45 #include <sys/suntpi.h>
44 46 #include <sys/policy.h>
45 47 #include <sys/dls.h>
46 48
47 49 #include <sys/socket.h>
48 50 #include <netinet/in.h>
49 51 #include <net/pfkeyv2.h>
50 52 #include <net/pfpolicy.h>
51 53
52 54 #include <inet/common.h>
53 55 #include <netinet/ip6.h>
54 56 #include <inet/ip.h>
55 57 #include <inet/ip6.h>
56 58 #include <inet/mi.h>
57 59 #include <inet/proto_set.h>
58 60 #include <inet/nd.h>
59 61 #include <inet/ip_if.h>
60 62 #include <inet/optcom.h>
61 63 #include <inet/ipsec_impl.h>
62 64 #include <inet/spdsock.h>
63 65 #include <inet/sadb.h>
64 66 #include <inet/iptun.h>
65 67 #include <inet/iptun/iptun_impl.h>
66 68
67 69 #include <sys/isa_defs.h>
68 70
69 71 #include <c2/audit.h>
70 72
71 73 /*
72 74 * This is a transport provider for the PF_POLICY IPsec policy
73 75 * management socket, which provides a management interface into the
74 76 * SPD, allowing policy rules to be added, deleted, and queried.
75 77 *
76 78 * This effectively replaces the old private SIOC*IPSECONFIG ioctls
77 79 * with an extensible interface which will hopefully be public some
78 80 * day.
79 81 *
80 82 * See <net/pfpolicy.h> for more details on the protocol.
81 83 *
82 84 * We link against drv/ip and call directly into it to manipulate the
83 85 * SPD; see ipsec_impl.h for the policy data structures and spd.c for
84 86 * the code which maintains them.
85 87 *
86 88 * The MT model of this is QPAIR with the addition of some explicit
87 89 * locking to protect system-wide policy data structures.
88 90 */
89 91
90 92 static vmem_t *spdsock_vmem; /* for minor numbers. */
91 93
92 94 #define ALIGNED64(x) IS_P2ALIGNED((x), sizeof (uint64_t))
93 95
94 96 /* Default structure copied into T_INFO_ACK messages (from rts.c...) */
95 97 static struct T_info_ack spdsock_g_t_info_ack = {
96 98 T_INFO_ACK,
97 99 T_INFINITE, /* TSDU_size. Maximum size messages. */
98 100 T_INVALID, /* ETSDU_size. No expedited data. */
99 101 T_INVALID, /* CDATA_size. No connect data. */
100 102 T_INVALID, /* DDATA_size. No disconnect data. */
101 103 0, /* ADDR_size. */
102 104 0, /* OPT_size. No user-settable options */
103 105 64 * 1024, /* TIDU_size. spdsock allows maximum size messages. */
104 106 T_COTS, /* SERV_type. spdsock supports connection oriented. */
105 107 TS_UNBND, /* CURRENT_state. This is set from spdsock_state. */
106 108 (XPG4_1) /* Provider flags */
107 109 };
108 110
109 111 /* Named Dispatch Parameter Management Structure */
110 112 typedef struct spdsockparam_s {
111 113 uint_t spdsock_param_min;
112 114 uint_t spdsock_param_max;
113 115 uint_t spdsock_param_value;
114 116 char *spdsock_param_name;
115 117 } spdsockparam_t;
116 118
117 119 /*
118 120 * Table of NDD variables supported by spdsock. These are loaded into
119 121 * spdsock_g_nd in spdsock_init_nd.
120 122 * All of these are alterable, within the min/max values given, at run time.
121 123 */
122 124 static spdsockparam_t lcl_param_arr[] = {
123 125 /* min max value name */
124 126 { 4096, 65536, 8192, "spdsock_xmit_hiwat"},
125 127 { 0, 65536, 1024, "spdsock_xmit_lowat"},
126 128 { 4096, 65536, 8192, "spdsock_recv_hiwat"},
127 129 { 65536, 1024*1024*1024, 256*1024, "spdsock_max_buf"},
128 130 { 0, 3, 0, "spdsock_debug"},
129 131 };
130 132 #define spds_xmit_hiwat spds_params[0].spdsock_param_value
131 133 #define spds_xmit_lowat spds_params[1].spdsock_param_value
132 134 #define spds_recv_hiwat spds_params[2].spdsock_param_value
133 135 #define spds_max_buf spds_params[3].spdsock_param_value
134 136 #define spds_debug spds_params[4].spdsock_param_value
135 137
136 138 #define ss0dbg(a) printf a
137 139 /* NOTE: != 0 instead of > 0 so lint doesn't complain. */
138 140 #define ss1dbg(spds, a) if (spds->spds_debug != 0) printf a
139 141 #define ss2dbg(spds, a) if (spds->spds_debug > 1) printf a
140 142 #define ss3dbg(spds, a) if (spds->spds_debug > 2) printf a
141 143
142 144 #define RESET_SPDSOCK_DUMP_POLHEAD(ss, iph) { \
143 145 ASSERT(RW_READ_HELD(&(iph)->iph_lock)); \
144 146 (ss)->spdsock_dump_head = (iph); \
145 147 (ss)->spdsock_dump_gen = (iph)->iph_gen; \
146 148 (ss)->spdsock_dump_cur_type = 0; \
147 149 (ss)->spdsock_dump_cur_af = IPSEC_AF_V4; \
148 150 (ss)->spdsock_dump_cur_rule = NULL; \
149 151 (ss)->spdsock_dump_count = 0; \
150 152 (ss)->spdsock_dump_cur_chain = 0; \
151 153 }
152 154
153 155 static int spdsock_close(queue_t *);
154 156 static int spdsock_open(queue_t *, dev_t *, int, int, cred_t *);
155 157 static void spdsock_wput(queue_t *, mblk_t *);
156 158 static void spdsock_wsrv(queue_t *);
157 159 static void spdsock_rsrv(queue_t *);
158 160 static void *spdsock_stack_init(netstackid_t stackid, netstack_t *ns);
159 161 static void spdsock_stack_shutdown(netstackid_t stackid, void *arg);
160 162 static void spdsock_stack_fini(netstackid_t stackid, void *arg);
161 163 static void spdsock_loadcheck(void *);
162 164 static void spdsock_merge_algs(spd_stack_t *);
163 165 static void spdsock_flush_one(ipsec_policy_head_t *, netstack_t *);
164 166 static mblk_t *spdsock_dump_next_record(spdsock_t *);
165 167 static void update_iptun_policy(ipsec_tun_pol_t *);
166 168
167 169 static struct module_info info = {
168 170 5138, "spdsock", 1, INFPSZ, 512, 128
169 171 };
170 172
171 173 static struct qinit rinit = {
172 174 NULL, (pfi_t)spdsock_rsrv, spdsock_open, spdsock_close,
173 175 NULL, &info
174 176 };
175 177
176 178 static struct qinit winit = {
177 179 (pfi_t)spdsock_wput, (pfi_t)spdsock_wsrv, NULL, NULL, NULL, &info
178 180 };
179 181
180 182 struct streamtab spdsockinfo = {
181 183 &rinit, &winit
182 184 };
183 185
184 186 /* mapping from alg type to protocol number, as per RFC 2407 */
185 187 static const uint_t algproto[] = {
186 188 PROTO_IPSEC_AH,
187 189 PROTO_IPSEC_ESP,
188 190 };
189 191
190 192 #define NALGPROTOS (sizeof (algproto) / sizeof (algproto[0]))
191 193
192 194 /* mapping from kernel exec mode to spdsock exec mode */
193 195 static const uint_t execmodes[] = {
194 196 SPD_ALG_EXEC_MODE_SYNC,
195 197 SPD_ALG_EXEC_MODE_ASYNC
196 198 };
197 199
198 200 #define NEXECMODES (sizeof (execmodes) / sizeof (execmodes[0]))
199 201
200 202 #define ALL_ACTIVE_POLHEADS ((ipsec_policy_head_t *)-1)
201 203 #define ALL_INACTIVE_POLHEADS ((ipsec_policy_head_t *)-2)
202 204
203 205 #define ITP_NAME(itp) (itp != NULL ? itp->itp_name : NULL)
204 206
205 207 /* ARGSUSED */
206 208 static int
207 209 spdsock_param_get(
208 210 queue_t *q,
209 211 mblk_t *mp,
210 212 caddr_t cp,
211 213 cred_t *cr)
212 214 {
213 215 spdsockparam_t *spdsockpa = (spdsockparam_t *)cp;
214 216 uint_t value;
215 217 spdsock_t *ss = (spdsock_t *)q->q_ptr;
216 218 spd_stack_t *spds = ss->spdsock_spds;
217 219
218 220 mutex_enter(&spds->spds_param_lock);
219 221 value = spdsockpa->spdsock_param_value;
220 222 mutex_exit(&spds->spds_param_lock);
221 223
222 224 (void) mi_mpprintf(mp, "%u", value);
223 225 return (0);
224 226 }
225 227
226 228 /* This routine sets an NDD variable in a spdsockparam_t structure. */
227 229 /* ARGSUSED */
228 230 static int
229 231 spdsock_param_set(
230 232 queue_t *q,
231 233 mblk_t *mp,
232 234 char *value,
233 235 caddr_t cp,
234 236 cred_t *cr)
235 237 {
236 238 ulong_t new_value;
237 239 spdsockparam_t *spdsockpa = (spdsockparam_t *)cp;
238 240 spdsock_t *ss = (spdsock_t *)q->q_ptr;
239 241 spd_stack_t *spds = ss->spdsock_spds;
240 242
241 243 /* Convert the value from a string into a long integer. */
242 244 if (ddi_strtoul(value, NULL, 10, &new_value) != 0)
243 245 return (EINVAL);
244 246
245 247 mutex_enter(&spds->spds_param_lock);
246 248 /*
247 249 * Fail the request if the new value does not lie within the
248 250 * required bounds.
249 251 */
250 252 if (new_value < spdsockpa->spdsock_param_min ||
251 253 new_value > spdsockpa->spdsock_param_max) {
252 254 mutex_exit(&spds->spds_param_lock);
253 255 return (EINVAL);
254 256 }
255 257
256 258 /* Set the new value */
257 259 spdsockpa->spdsock_param_value = new_value;
258 260 mutex_exit(&spds->spds_param_lock);
259 261
260 262 return (0);
261 263 }
262 264
263 265 /*
264 266 * Initialize at module load time
265 267 */
266 268 boolean_t
267 269 spdsock_ddi_init(void)
268 270 {
269 271 spdsock_max_optsize = optcom_max_optsize(
270 272 spdsock_opt_obj.odb_opt_des_arr, spdsock_opt_obj.odb_opt_arr_cnt);
271 273
272 274 spdsock_vmem = vmem_create("spdsock", (void *)1, MAXMIN, 1,
273 275 NULL, NULL, NULL, 1, VM_SLEEP | VMC_IDENTIFIER);
274 276
275 277 /*
276 278 * We want to be informed each time a stack is created or
277 279 * destroyed in the kernel, so we can maintain the
278 280 * set of spd_stack_t's.
279 281 */
280 282 netstack_register(NS_SPDSOCK, spdsock_stack_init,
281 283 spdsock_stack_shutdown, spdsock_stack_fini);
282 284
283 285 return (B_TRUE);
284 286 }
285 287
286 288 /*
287 289 * Walk through the param array specified registering each element with the
288 290 * named dispatch handler.
289 291 */
290 292 static boolean_t
291 293 spdsock_param_register(IDP *ndp, spdsockparam_t *ssp, int cnt)
292 294 {
293 295 for (; cnt-- > 0; ssp++) {
294 296 if (ssp->spdsock_param_name != NULL &&
295 297 ssp->spdsock_param_name[0]) {
296 298 if (!nd_load(ndp,
297 299 ssp->spdsock_param_name,
298 300 spdsock_param_get, spdsock_param_set,
299 301 (caddr_t)ssp)) {
300 302 nd_free(ndp);
301 303 return (B_FALSE);
302 304 }
303 305 }
304 306 }
305 307 return (B_TRUE);
306 308 }
307 309
308 310 /*
309 311 * Initialize for each stack instance
310 312 */
311 313 /* ARGSUSED */
312 314 static void *
313 315 spdsock_stack_init(netstackid_t stackid, netstack_t *ns)
314 316 {
315 317 spd_stack_t *spds;
316 318 spdsockparam_t *ssp;
317 319
318 320 spds = (spd_stack_t *)kmem_zalloc(sizeof (*spds), KM_SLEEP);
319 321 spds->spds_netstack = ns;
320 322
321 323 ASSERT(spds->spds_g_nd == NULL);
322 324
323 325 ssp = (spdsockparam_t *)kmem_alloc(sizeof (lcl_param_arr), KM_SLEEP);
324 326 spds->spds_params = ssp;
325 327 bcopy(lcl_param_arr, ssp, sizeof (lcl_param_arr));
326 328
327 329 (void) spdsock_param_register(&spds->spds_g_nd, ssp,
328 330 A_CNT(lcl_param_arr));
329 331
330 332 mutex_init(&spds->spds_param_lock, NULL, MUTEX_DEFAULT, NULL);
331 333 mutex_init(&spds->spds_alg_lock, NULL, MUTEX_DEFAULT, NULL);
332 334
333 335 return (spds);
334 336 }
335 337
336 338 void
337 339 spdsock_ddi_destroy(void)
338 340 {
339 341 vmem_destroy(spdsock_vmem);
340 342
341 343 netstack_unregister(NS_SPDSOCK);
342 344 }
343 345
344 346 /*
345 347 * Do pre-removal cleanup.
346 348 */
347 349 /* ARGSUSED */
348 350 static void
349 351 spdsock_stack_shutdown(netstackid_t stackid, void *arg)
350 352 {
351 353 spd_stack_t *spds = (spd_stack_t *)arg;
352 354
353 355 if (spds->spds_mp_algs != NULL) {
354 356 freemsg(spds->spds_mp_algs);
355 357 spds->spds_mp_algs = NULL;
356 358 }
357 359 }
358 360
359 361 /* ARGSUSED */
360 362 static void
361 363 spdsock_stack_fini(netstackid_t stackid, void *arg)
362 364 {
363 365 spd_stack_t *spds = (spd_stack_t *)arg;
364 366
365 367 ASSERT(spds->spds_mp_algs == NULL);
366 368 mutex_destroy(&spds->spds_param_lock);
367 369 mutex_destroy(&spds->spds_alg_lock);
368 370 nd_free(&spds->spds_g_nd);
369 371 kmem_free(spds->spds_params, sizeof (lcl_param_arr));
370 372 spds->spds_params = NULL;
371 373
372 374 kmem_free(spds, sizeof (*spds));
373 375 }
374 376
375 377 /*
376 378 * NOTE: large quantities of this should be shared with keysock.
377 379 * Would be nice to combine some of this into a common module, but
378 380 * not possible given time pressures.
379 381 */
380 382
381 383 /*
382 384 * High-level reality checking of extensions.
383 385 */
384 386 /* ARGSUSED */ /* XXX */
385 387 static boolean_t
386 388 ext_check(spd_ext_t *ext)
387 389 {
388 390 spd_if_t *tunname = (spd_if_t *)ext;
389 391 int i;
390 392 char *idstr;
391 393
392 394 if (ext->spd_ext_type == SPD_EXT_TUN_NAME) {
393 395 /* (NOTE: Modified from SADB_EXT_IDENTITY..) */
394 396
395 397 /*
396 398 * Make sure the strings in these identities are
397 399 * null-terminated. Let's "proactively" null-terminate the
398 400 * string at the last byte if it's not terminated sooner.
399 401 */
400 402 i = SPD_64TO8(tunname->spd_if_len) - sizeof (spd_if_t);
401 403 idstr = (char *)(tunname + 1);
402 404 while (*idstr != '\0' && i > 0) {
403 405 i--;
404 406 idstr++;
405 407 }
406 408 if (i == 0) {
407 409 /*
408 410 * I.e., if the bozo user didn't NULL-terminate the
409 411 * string...
410 412 */
411 413 idstr--;
412 414 *idstr = '\0';
413 415 }
414 416 }
415 417 return (B_TRUE); /* For now... */
416 418 }
417 419
418 420
419 421
420 422 /* Return values for spdsock_get_ext(). */
421 423 #define KGE_OK 0
422 424 #define KGE_DUP 1
423 425 #define KGE_UNK 2
424 426 #define KGE_LEN 3
425 427 #define KGE_CHK 4
426 428
427 429 /*
428 430 * Parse basic extension headers and return in the passed-in pointer vector.
429 431 * Return values include:
430 432 *
431 433 * KGE_OK Everything's nice and parsed out.
432 434 * If there are no extensions, place NULL in extv[0].
433 435 * KGE_DUP There is a duplicate extension.
434 436 * First instance in appropriate bin. First duplicate in
435 437 * extv[0].
436 438 * KGE_UNK Unknown extension type encountered. extv[0] contains
437 439 * unknown header.
438 440 * KGE_LEN Extension length error.
439 441 * KGE_CHK High-level reality check failed on specific extension.
440 442 *
441 443 * My apologies for some of the pointer arithmetic in here. I'm thinking
442 444 * like an assembly programmer, yet trying to make the compiler happy.
443 445 */
444 446 static int
445 447 spdsock_get_ext(spd_ext_t *extv[], spd_msg_t *basehdr, uint_t msgsize)
446 448 {
447 449 bzero(extv, sizeof (spd_ext_t *) * (SPD_EXT_MAX + 1));
448 450
449 451 /* Use extv[0] as the "current working pointer". */
450 452
451 453 extv[0] = (spd_ext_t *)(basehdr + 1);
452 454
453 455 while (extv[0] < (spd_ext_t *)(((uint8_t *)basehdr) + msgsize)) {
454 456 /* Check for unknown headers. */
455 457 if (extv[0]->spd_ext_type == 0 ||
456 458 extv[0]->spd_ext_type > SPD_EXT_MAX)
457 459 return (KGE_UNK);
458 460
459 461 /*
460 462 * Check length. Use uint64_t because extlen is in units
461 463 * of 64-bit words. If length goes beyond the msgsize,
462 464 * return an error. (Zero length also qualifies here.)
463 465 */
464 466 if (extv[0]->spd_ext_len == 0 ||
465 467 (void *)((uint64_t *)extv[0] + extv[0]->spd_ext_len) >
466 468 (void *)((uint8_t *)basehdr + msgsize))
467 469 return (KGE_LEN);
468 470
469 471 /* Check for redundant headers. */
470 472 if (extv[extv[0]->spd_ext_type] != NULL)
471 473 return (KGE_DUP);
472 474
473 475 /*
474 476 * Reality check the extension if possible at the spdsock
475 477 * level.
476 478 */
477 479 if (!ext_check(extv[0]))
478 480 return (KGE_CHK);
479 481
480 482 /* If I make it here, assign the appropriate bin. */
481 483 extv[extv[0]->spd_ext_type] = extv[0];
482 484
483 485 /* Advance pointer (See above for uint64_t ptr reasoning.) */
484 486 extv[0] = (spd_ext_t *)
485 487 ((uint64_t *)extv[0] + extv[0]->spd_ext_len);
486 488 }
487 489
488 490 /* Everything's cool. */
489 491
490 492 /*
491 493 * If extv[0] == NULL, then there are no extension headers in this
492 494 * message. Ensure that this is the case.
493 495 */
494 496 if (extv[0] == (spd_ext_t *)(basehdr + 1))
495 497 extv[0] = NULL;
496 498
497 499 return (KGE_OK);
498 500 }
499 501
500 502 static const int bad_ext_diag[] = {
501 503 SPD_DIAGNOSTIC_MALFORMED_LCLPORT,
502 504 SPD_DIAGNOSTIC_MALFORMED_REMPORT,
503 505 SPD_DIAGNOSTIC_MALFORMED_PROTO,
504 506 SPD_DIAGNOSTIC_MALFORMED_LCLADDR,
505 507 SPD_DIAGNOSTIC_MALFORMED_REMADDR,
506 508 SPD_DIAGNOSTIC_MALFORMED_ACTION,
507 509 SPD_DIAGNOSTIC_MALFORMED_RULE,
508 510 SPD_DIAGNOSTIC_MALFORMED_RULESET,
509 511 SPD_DIAGNOSTIC_MALFORMED_ICMP_TYPECODE
510 512 };
511 513
512 514 static const int dup_ext_diag[] = {
513 515 SPD_DIAGNOSTIC_DUPLICATE_LCLPORT,
514 516 SPD_DIAGNOSTIC_DUPLICATE_REMPORT,
515 517 SPD_DIAGNOSTIC_DUPLICATE_PROTO,
516 518 SPD_DIAGNOSTIC_DUPLICATE_LCLADDR,
517 519 SPD_DIAGNOSTIC_DUPLICATE_REMADDR,
518 520 SPD_DIAGNOSTIC_DUPLICATE_ACTION,
519 521 SPD_DIAGNOSTIC_DUPLICATE_RULE,
520 522 SPD_DIAGNOSTIC_DUPLICATE_RULESET,
521 523 SPD_DIAGNOSTIC_DUPLICATE_ICMP_TYPECODE
522 524 };
523 525
524 526 /*
525 527 * Transmit a PF_POLICY error message to the instance either pointed to
526 528 * by ks, the instance with serial number serial, or more, depending.
527 529 *
528 530 * The faulty message (or a reasonable facsimile thereof) is in mp.
529 531 * This function will free mp or recycle it for delivery, thereby causing
530 532 * the stream head to free it.
531 533 */
532 534 static void
533 535 spdsock_error(queue_t *q, mblk_t *mp, int error, int diagnostic)
534 536 {
535 537 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr;
536 538
537 539 ASSERT(mp->b_datap->db_type == M_DATA);
538 540
539 541 if (spmsg->spd_msg_type < SPD_MIN ||
540 542 spmsg->spd_msg_type > SPD_MAX)
541 543 spmsg->spd_msg_type = SPD_RESERVED;
542 544
543 545 /*
544 546 * Strip out extension headers.
545 547 */
546 548 ASSERT(mp->b_rptr + sizeof (*spmsg) <= mp->b_datap->db_lim);
547 549 mp->b_wptr = mp->b_rptr + sizeof (*spmsg);
548 550 spmsg->spd_msg_len = SPD_8TO64(sizeof (spd_msg_t));
549 551 spmsg->spd_msg_errno = (uint8_t)error;
550 552 spmsg->spd_msg_diagnostic = (uint16_t)diagnostic;
551 553
552 554 qreply(q, mp);
553 555 }
554 556
555 557 static void
556 558 spdsock_diag(queue_t *q, mblk_t *mp, int diagnostic)
557 559 {
558 560 spdsock_error(q, mp, EINVAL, diagnostic);
559 561 }
560 562
561 563 static void
562 564 spd_echo(queue_t *q, mblk_t *mp)
563 565 {
564 566 qreply(q, mp);
565 567 }
566 568
567 569 /*
568 570 * Do NOT consume a reference to itp.
569 571 */
570 572 /*ARGSUSED*/
571 573 static void
572 574 spdsock_flush_node(ipsec_tun_pol_t *itp, void *cookie, netstack_t *ns)
573 575 {
574 576 boolean_t active = (boolean_t)cookie;
575 577 ipsec_policy_head_t *iph;
576 578
577 579 iph = active ? itp->itp_policy : itp->itp_inactive;
578 580 IPPH_REFHOLD(iph);
579 581 mutex_enter(&itp->itp_lock);
580 582 spdsock_flush_one(iph, ns); /* Releases iph refhold. */
581 583 if (active)
582 584 itp->itp_flags &= ~ITPF_PFLAGS;
583 585 else
584 586 itp->itp_flags &= ~ITPF_IFLAGS;
585 587 mutex_exit(&itp->itp_lock);
586 588 /* SPD_FLUSH is worth a tunnel MTU check. */
587 589 update_iptun_policy(itp);
588 590 }
589 591
590 592 /*
591 593 * Clear out one polhead.
592 594 */
593 595 static void
594 596 spdsock_flush_one(ipsec_policy_head_t *iph, netstack_t *ns)
595 597 {
596 598 rw_enter(&iph->iph_lock, RW_WRITER);
597 599 ipsec_polhead_flush(iph, ns);
598 600 rw_exit(&iph->iph_lock);
599 601 IPPH_REFRELE(iph, ns);
600 602 }
601 603
602 604 static void
603 605 spdsock_flush(queue_t *q, ipsec_policy_head_t *iph, ipsec_tun_pol_t *itp,
604 606 mblk_t *mp)
605 607 {
606 608 boolean_t active;
607 609 spdsock_t *ss = (spdsock_t *)q->q_ptr;
608 610 netstack_t *ns = ss->spdsock_spds->spds_netstack;
609 611 uint32_t auditing = AU_AUDITING();
610 612
611 613 if (iph != ALL_ACTIVE_POLHEADS && iph != ALL_INACTIVE_POLHEADS) {
612 614 spdsock_flush_one(iph, ns);
613 615 if (auditing) {
614 616 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr;
615 617 cred_t *cr;
616 618 pid_t cpid;
617 619
618 620 cr = msg_getcred(mp, &cpid);
619 621 active = (spmsg->spd_msg_spdid == SPD_ACTIVE);
620 622 audit_pf_policy(SPD_FLUSH, cr, ns,
621 623 ITP_NAME(itp), active, 0, cpid);
622 624 }
623 625 } else {
624 626 active = (iph == ALL_ACTIVE_POLHEADS);
625 627
626 628 /* First flush the global policy. */
627 629 spdsock_flush_one(active ? ipsec_system_policy(ns) :
628 630 ipsec_inactive_policy(ns), ns);
629 631 if (auditing) {
630 632 cred_t *cr;
631 633 pid_t cpid;
632 634
633 635 cr = msg_getcred(mp, &cpid);
634 636 audit_pf_policy(SPD_FLUSH, cr, ns, NULL,
635 637 active, 0, cpid);
636 638 }
637 639 /* Then flush every tunnel's appropriate one. */
638 640 itp_walk(spdsock_flush_node, (void *)active, ns);
639 641 if (auditing) {
640 642 cred_t *cr;
641 643 pid_t cpid;
642 644
643 645 cr = msg_getcred(mp, &cpid);
644 646 audit_pf_policy(SPD_FLUSH, cr, ns,
645 647 "all tunnels", active, 0, cpid);
646 648 }
647 649 }
648 650
649 651 spd_echo(q, mp);
650 652 }
651 653
652 654 static boolean_t
653 655 spdsock_ext_to_sel(spd_ext_t **extv, ipsec_selkey_t *sel, int *diag)
654 656 {
655 657 bzero(sel, sizeof (*sel));
656 658
657 659 if (extv[SPD_EXT_PROTO] != NULL) {
658 660 struct spd_proto *pr =
659 661 (struct spd_proto *)extv[SPD_EXT_PROTO];
660 662 sel->ipsl_proto = pr->spd_proto_number;
661 663 sel->ipsl_valid |= IPSL_PROTOCOL;
662 664 }
663 665 if (extv[SPD_EXT_LCLPORT] != NULL) {
664 666 struct spd_portrange *pr =
665 667 (struct spd_portrange *)extv[SPD_EXT_LCLPORT];
666 668 sel->ipsl_lport = pr->spd_ports_minport;
667 669 sel->ipsl_valid |= IPSL_LOCAL_PORT;
668 670 }
669 671 if (extv[SPD_EXT_REMPORT] != NULL) {
670 672 struct spd_portrange *pr =
671 673 (struct spd_portrange *)extv[SPD_EXT_REMPORT];
672 674 sel->ipsl_rport = pr->spd_ports_minport;
673 675 sel->ipsl_valid |= IPSL_REMOTE_PORT;
674 676 }
675 677
676 678 if (extv[SPD_EXT_ICMP_TYPECODE] != NULL) {
677 679 struct spd_typecode *tc=
678 680 (struct spd_typecode *)extv[SPD_EXT_ICMP_TYPECODE];
679 681
680 682 sel->ipsl_valid |= IPSL_ICMP_TYPE;
681 683 sel->ipsl_icmp_type = tc->spd_typecode_type;
682 684 if (tc->spd_typecode_type_end < tc->spd_typecode_type)
683 685 sel->ipsl_icmp_type_end = tc->spd_typecode_type;
684 686 else
685 687 sel->ipsl_icmp_type_end = tc->spd_typecode_type_end;
686 688
687 689 if (tc->spd_typecode_code != 255) {
688 690 sel->ipsl_valid |= IPSL_ICMP_CODE;
689 691 sel->ipsl_icmp_code = tc->spd_typecode_code;
690 692 if (tc->spd_typecode_code_end < tc->spd_typecode_code)
691 693 sel->ipsl_icmp_code_end = tc->spd_typecode_code;
692 694 else
693 695 sel->ipsl_icmp_code_end =
694 696 tc->spd_typecode_code_end;
695 697 }
696 698 }
697 699 #define ADDR2SEL(sel, extv, field, pfield, extn, bit) \
698 700 if ((extv)[(extn)] != NULL) { \
699 701 uint_t addrlen; \
700 702 struct spd_address *ap = \
701 703 (struct spd_address *)((extv)[(extn)]); \
702 704 addrlen = (ap->spd_address_af == AF_INET6) ? \
703 705 IPV6_ADDR_LEN : IP_ADDR_LEN; \
704 706 if (SPD_64TO8(ap->spd_address_len) < \
705 707 (addrlen + sizeof (*ap))) { \
706 708 *diag = SPD_DIAGNOSTIC_BAD_ADDR_LEN; \
707 709 return (B_FALSE); \
708 710 } \
709 711 bcopy((ap+1), &((sel)->field), addrlen); \
710 712 (sel)->pfield = ap->spd_address_prefixlen; \
711 713 (sel)->ipsl_valid |= (bit); \
712 714 (sel)->ipsl_valid |= (ap->spd_address_af == AF_INET6) ? \
713 715 IPSL_IPV6 : IPSL_IPV4; \
714 716 }
715 717
716 718 ADDR2SEL(sel, extv, ipsl_local, ipsl_local_pfxlen,
717 719 SPD_EXT_LCLADDR, IPSL_LOCAL_ADDR);
718 720 ADDR2SEL(sel, extv, ipsl_remote, ipsl_remote_pfxlen,
719 721 SPD_EXT_REMADDR, IPSL_REMOTE_ADDR);
720 722
721 723 if ((sel->ipsl_valid & (IPSL_IPV6|IPSL_IPV4)) ==
722 724 (IPSL_IPV6|IPSL_IPV4)) {
723 725 *diag = SPD_DIAGNOSTIC_MIXED_AF;
724 726 return (B_FALSE);
725 727 }
726 728
727 729 #undef ADDR2SEL
728 730
729 731 return (B_TRUE);
730 732 }
731 733
732 734 static boolean_t
733 735 spd_convert_type(uint32_t type, ipsec_act_t *act)
734 736 {
735 737 switch (type) {
736 738 case SPD_ACTTYPE_DROP:
737 739 act->ipa_type = IPSEC_ACT_DISCARD;
738 740 return (B_TRUE);
739 741
740 742 case SPD_ACTTYPE_PASS:
741 743 act->ipa_type = IPSEC_ACT_CLEAR;
742 744 return (B_TRUE);
743 745
744 746 case SPD_ACTTYPE_IPSEC:
745 747 act->ipa_type = IPSEC_ACT_APPLY;
746 748 return (B_TRUE);
747 749 }
748 750 return (B_FALSE);
749 751 }
750 752
751 753 static boolean_t
752 754 spd_convert_flags(uint32_t flags, ipsec_act_t *act)
753 755 {
754 756 /*
755 757 * Note use of !! for boolean canonicalization.
756 758 */
757 759 act->ipa_apply.ipp_use_ah = !!(flags & SPD_APPLY_AH);
758 760 act->ipa_apply.ipp_use_esp = !!(flags & SPD_APPLY_ESP);
759 761 act->ipa_apply.ipp_use_espa = !!(flags & SPD_APPLY_ESPA);
760 762 act->ipa_apply.ipp_use_se = !!(flags & SPD_APPLY_SE);
761 763 act->ipa_apply.ipp_use_unique = !!(flags & SPD_APPLY_UNIQUE);
762 764 return (B_TRUE);
763 765 }
764 766
765 767 static void
766 768 spdsock_reset_act(ipsec_act_t *act)
767 769 {
768 770 bzero(act, sizeof (*act));
769 771 act->ipa_apply.ipp_espe_maxbits = IPSEC_MAX_KEYBITS;
770 772 act->ipa_apply.ipp_espa_maxbits = IPSEC_MAX_KEYBITS;
771 773 act->ipa_apply.ipp_ah_maxbits = IPSEC_MAX_KEYBITS;
772 774 }
773 775
774 776 /*
775 777 * Sanity check action against reality, and shrink-wrap key sizes..
776 778 */
777 779 static boolean_t
778 780 spdsock_check_action(ipsec_act_t *act, boolean_t tunnel_polhead, int *diag,
779 781 spd_stack_t *spds)
780 782 {
781 783 if (tunnel_polhead && act->ipa_apply.ipp_use_unique) {
782 784 *diag = SPD_DIAGNOSTIC_ADD_INCON_FLAGS;
783 785 return (B_FALSE);
784 786 }
785 787 if ((act->ipa_type != IPSEC_ACT_APPLY) &&
786 788 (act->ipa_apply.ipp_use_ah ||
787 789 act->ipa_apply.ipp_use_esp ||
788 790 act->ipa_apply.ipp_use_espa ||
789 791 act->ipa_apply.ipp_use_se ||
790 792 act->ipa_apply.ipp_use_unique)) {
791 793 *diag = SPD_DIAGNOSTIC_ADD_INCON_FLAGS;
792 794 return (B_FALSE);
793 795 }
794 796 if ((act->ipa_type == IPSEC_ACT_APPLY) &&
795 797 !act->ipa_apply.ipp_use_ah &&
796 798 !act->ipa_apply.ipp_use_esp) {
797 799 *diag = SPD_DIAGNOSTIC_ADD_INCON_FLAGS;
798 800 return (B_FALSE);
799 801 }
800 802 return (ipsec_check_action(act, diag, spds->spds_netstack));
801 803 }
802 804
803 805 /*
804 806 * We may be short a few error checks here..
805 807 */
806 808 static boolean_t
807 809 spdsock_ext_to_actvec(spd_ext_t **extv, ipsec_act_t **actpp, uint_t *nactp,
808 810 int *diag, spd_stack_t *spds)
809 811 {
810 812 struct spd_ext_actions *sactp =
811 813 (struct spd_ext_actions *)extv[SPD_EXT_ACTION];
812 814 ipsec_act_t act, *actp, *endactp;
813 815 struct spd_attribute *attrp, *endattrp;
814 816 uint64_t *endp;
815 817 int nact;
816 818 boolean_t tunnel_polhead;
817 819
818 820 tunnel_polhead = (extv[SPD_EXT_TUN_NAME] != NULL &&
819 821 (((struct spd_rule *)extv[SPD_EXT_RULE])->spd_rule_flags &
820 822 SPD_RULE_FLAG_TUNNEL));
821 823
822 824 *actpp = NULL;
823 825 *nactp = 0;
824 826
825 827 if (sactp == NULL) {
826 828 *diag = SPD_DIAGNOSTIC_NO_ACTION_EXT;
827 829 return (B_FALSE);
828 830 }
829 831
830 832 /*
831 833 * Parse the "action" extension and convert into an action chain.
832 834 */
833 835
834 836 nact = sactp->spd_actions_count;
835 837
836 838 endp = (uint64_t *)sactp;
837 839 endp += sactp->spd_actions_len;
838 840 endattrp = (struct spd_attribute *)endp;
839 841
840 842 actp = kmem_alloc(sizeof (*actp) * nact, KM_NOSLEEP);
841 843 if (actp == NULL) {
842 844 *diag = SPD_DIAGNOSTIC_ADD_NO_MEM;
843 845 return (B_FALSE);
844 846 }
845 847 *actpp = actp;
846 848 *nactp = nact;
847 849 endactp = actp + nact;
848 850
849 851 spdsock_reset_act(&act);
850 852 attrp = (struct spd_attribute *)(&sactp[1]);
851 853
852 854 for (; attrp < endattrp; attrp++) {
853 855 switch (attrp->spd_attr_tag) {
854 856 case SPD_ATTR_NOP:
855 857 break;
856 858
857 859 case SPD_ATTR_EMPTY:
858 860 spdsock_reset_act(&act);
859 861 break;
860 862
861 863 case SPD_ATTR_END:
862 864 attrp = endattrp;
863 865 /* FALLTHRU */
864 866 case SPD_ATTR_NEXT:
865 867 if (actp >= endactp) {
866 868 *diag = SPD_DIAGNOSTIC_ADD_WRONG_ACT_COUNT;
867 869 goto fail;
868 870 }
869 871 if (!spdsock_check_action(&act, tunnel_polhead,
870 872 diag, spds))
871 873 goto fail;
872 874 *actp++ = act;
873 875 spdsock_reset_act(&act);
874 876 break;
875 877
876 878 case SPD_ATTR_TYPE:
877 879 if (!spd_convert_type(attrp->spd_attr_value, &act)) {
878 880 *diag = SPD_DIAGNOSTIC_ADD_BAD_TYPE;
879 881 goto fail;
880 882 }
881 883 break;
882 884
883 885 case SPD_ATTR_FLAGS:
884 886 if (!tunnel_polhead && extv[SPD_EXT_TUN_NAME] != NULL) {
885 887 /*
886 888 * Set "sa unique" for transport-mode
887 889 * tunnels whether we want to or not.
888 890 */
889 891 attrp->spd_attr_value |= SPD_APPLY_UNIQUE;
890 892 }
891 893 if (!spd_convert_flags(attrp->spd_attr_value, &act)) {
892 894 *diag = SPD_DIAGNOSTIC_ADD_BAD_FLAGS;
893 895 goto fail;
894 896 }
895 897 break;
896 898
897 899 case SPD_ATTR_AH_AUTH:
898 900 if (attrp->spd_attr_value == 0) {
899 901 *diag = SPD_DIAGNOSTIC_UNSUPP_AH_ALG;
900 902 goto fail;
901 903 }
902 904 act.ipa_apply.ipp_auth_alg = attrp->spd_attr_value;
903 905 break;
904 906
905 907 case SPD_ATTR_ESP_ENCR:
906 908 if (attrp->spd_attr_value == 0) {
907 909 *diag = SPD_DIAGNOSTIC_UNSUPP_ESP_ENCR_ALG;
908 910 goto fail;
909 911 }
910 912 act.ipa_apply.ipp_encr_alg = attrp->spd_attr_value;
911 913 break;
912 914
913 915 case SPD_ATTR_ESP_AUTH:
914 916 if (attrp->spd_attr_value == 0) {
915 917 *diag = SPD_DIAGNOSTIC_UNSUPP_ESP_AUTH_ALG;
916 918 goto fail;
917 919 }
918 920 act.ipa_apply.ipp_esp_auth_alg = attrp->spd_attr_value;
919 921 break;
920 922
921 923 case SPD_ATTR_ENCR_MINBITS:
922 924 act.ipa_apply.ipp_espe_minbits = attrp->spd_attr_value;
923 925 break;
924 926
925 927 case SPD_ATTR_ENCR_MAXBITS:
926 928 act.ipa_apply.ipp_espe_maxbits = attrp->spd_attr_value;
927 929 break;
928 930
929 931 case SPD_ATTR_AH_MINBITS:
930 932 act.ipa_apply.ipp_ah_minbits = attrp->spd_attr_value;
931 933 break;
932 934
933 935 case SPD_ATTR_AH_MAXBITS:
934 936 act.ipa_apply.ipp_ah_maxbits = attrp->spd_attr_value;
935 937 break;
936 938
937 939 case SPD_ATTR_ESPA_MINBITS:
938 940 act.ipa_apply.ipp_espa_minbits = attrp->spd_attr_value;
939 941 break;
940 942
941 943 case SPD_ATTR_ESPA_MAXBITS:
942 944 act.ipa_apply.ipp_espa_maxbits = attrp->spd_attr_value;
943 945 break;
944 946
945 947 case SPD_ATTR_LIFE_SOFT_TIME:
946 948 case SPD_ATTR_LIFE_HARD_TIME:
947 949 case SPD_ATTR_LIFE_SOFT_BYTES:
948 950 case SPD_ATTR_LIFE_HARD_BYTES:
949 951 break;
950 952
951 953 case SPD_ATTR_KM_PROTO:
952 954 act.ipa_apply.ipp_km_proto = attrp->spd_attr_value;
953 955 break;
954 956
955 957 case SPD_ATTR_KM_COOKIE:
956 958 act.ipa_apply.ipp_km_cookie = attrp->spd_attr_value;
957 959 break;
958 960
959 961 case SPD_ATTR_REPLAY_DEPTH:
960 962 act.ipa_apply.ipp_replay_depth = attrp->spd_attr_value;
961 963 break;
962 964 }
963 965 }
964 966 if (actp != endactp) {
965 967 *diag = SPD_DIAGNOSTIC_ADD_WRONG_ACT_COUNT;
966 968 goto fail;
967 969 }
968 970
969 971 return (B_TRUE);
970 972 fail:
971 973 ipsec_actvec_free(*actpp, nact);
972 974 *actpp = NULL;
973 975 return (B_FALSE);
974 976 }
975 977
976 978 typedef struct
977 979 {
978 980 ipsec_policy_t *pol;
979 981 int dir;
980 982 } tmprule_t;
981 983
982 984 static int
983 985 mkrule(ipsec_policy_head_t *iph, struct spd_rule *rule,
984 986 ipsec_selkey_t *sel, ipsec_act_t *actp, int nact, uint_t dir, uint_t af,
985 987 tmprule_t **rp, uint64_t *index, spd_stack_t *spds)
986 988 {
987 989 ipsec_policy_t *pol;
988 990
989 991 sel->ipsl_valid &= ~(IPSL_IPV6|IPSL_IPV4);
990 992 sel->ipsl_valid |= af;
991 993
992 994 pol = ipsec_policy_create(sel, actp, nact, rule->spd_rule_priority,
993 995 index, spds->spds_netstack);
994 996 if (pol == NULL)
995 997 return (ENOMEM);
996 998
997 999 (*rp)->pol = pol;
998 1000 (*rp)->dir = dir;
999 1001 (*rp)++;
1000 1002
1001 1003 if (!ipsec_check_policy(iph, pol, dir))
1002 1004 return (EEXIST);
1003 1005
1004 1006 rule->spd_rule_index = pol->ipsp_index;
1005 1007 return (0);
1006 1008 }
1007 1009
1008 1010 static int
1009 1011 mkrulepair(ipsec_policy_head_t *iph, struct spd_rule *rule,
1010 1012 ipsec_selkey_t *sel, ipsec_act_t *actp, int nact, uint_t dir, uint_t afs,
1011 1013 tmprule_t **rp, uint64_t *index, spd_stack_t *spds)
1012 1014 {
1013 1015 int error;
1014 1016
1015 1017 if (afs & IPSL_IPV4) {
1016 1018 error = mkrule(iph, rule, sel, actp, nact, dir, IPSL_IPV4, rp,
1017 1019 index, spds);
1018 1020 if (error != 0)
1019 1021 return (error);
1020 1022 }
1021 1023 if (afs & IPSL_IPV6) {
1022 1024 error = mkrule(iph, rule, sel, actp, nact, dir, IPSL_IPV6, rp,
1023 1025 index, spds);
1024 1026 if (error != 0)
1025 1027 return (error);
1026 1028 }
1027 1029 return (0);
1028 1030 }
1029 1031
1030 1032
1031 1033 static void
1032 1034 spdsock_addrule(queue_t *q, ipsec_policy_head_t *iph, mblk_t *mp,
1033 1035 spd_ext_t **extv, ipsec_tun_pol_t *itp)
1034 1036 {
1035 1037 ipsec_selkey_t sel;
1036 1038 ipsec_act_t *actp;
1037 1039 uint_t nact;
1038 1040 int diag = 0, error, afs;
1039 1041 struct spd_rule *rule = (struct spd_rule *)extv[SPD_EXT_RULE];
1040 1042 tmprule_t rules[4], *rulep = &rules[0];
1041 1043 boolean_t tunnel_mode, empty_itp, active;
1042 1044 uint64_t *index = (itp == NULL) ? NULL : &itp->itp_next_policy_index;
1043 1045 spdsock_t *ss = (spdsock_t *)q->q_ptr;
1044 1046 spd_stack_t *spds = ss->spdsock_spds;
1045 1047 uint32_t auditing = AU_AUDITING();
1046 1048
1047 1049 if (rule == NULL) {
1048 1050 spdsock_diag(q, mp, SPD_DIAGNOSTIC_NO_RULE_EXT);
1049 1051 if (auditing) {
1050 1052 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr;
1051 1053 cred_t *cr;
1052 1054 pid_t cpid;
1053 1055
1054 1056 cr = msg_getcred(mp, &cpid);
1055 1057 active = (spmsg->spd_msg_spdid == SPD_ACTIVE);
1056 1058 audit_pf_policy(SPD_ADDRULE, cr,
1057 1059 spds->spds_netstack, ITP_NAME(itp), active,
1058 1060 SPD_DIAGNOSTIC_NO_RULE_EXT, cpid);
1059 1061 }
1060 1062 return;
1061 1063 }
1062 1064
1063 1065 tunnel_mode = (rule->spd_rule_flags & SPD_RULE_FLAG_TUNNEL);
1064 1066
1065 1067 if (itp != NULL) {
1066 1068 mutex_enter(&itp->itp_lock);
1067 1069 ASSERT(itp->itp_policy == iph || itp->itp_inactive == iph);
1068 1070 active = (itp->itp_policy == iph);
1069 1071 if (ITP_P_ISACTIVE(itp, iph)) {
1070 1072 /* Check for mix-and-match of tunnel/transport. */
1071 1073 if ((tunnel_mode && !ITP_P_ISTUNNEL(itp, iph)) ||
1072 1074 (!tunnel_mode && ITP_P_ISTUNNEL(itp, iph))) {
1073 1075 mutex_exit(&itp->itp_lock);
1074 1076 spdsock_error(q, mp, EBUSY, 0);
1075 1077 return;
1076 1078 }
1077 1079 empty_itp = B_FALSE;
1078 1080 } else {
1079 1081 empty_itp = B_TRUE;
1080 1082 itp->itp_flags = active ? ITPF_P_ACTIVE : ITPF_I_ACTIVE;
1081 1083 if (tunnel_mode)
1082 1084 itp->itp_flags |= active ? ITPF_P_TUNNEL :
1083 1085 ITPF_I_TUNNEL;
1084 1086 }
1085 1087 } else {
1086 1088 empty_itp = B_FALSE;
1087 1089 }
1088 1090
1089 1091 if (rule->spd_rule_index != 0) {
1090 1092 diag = SPD_DIAGNOSTIC_INVALID_RULE_INDEX;
1091 1093 error = EINVAL;
1092 1094 goto fail2;
1093 1095 }
1094 1096
1095 1097 if (!spdsock_ext_to_sel(extv, &sel, &diag)) {
1096 1098 error = EINVAL;
1097 1099 goto fail2;
1098 1100 }
1099 1101
1100 1102 if (itp != NULL) {
1101 1103 if (tunnel_mode) {
1102 1104 if (sel.ipsl_valid &
1103 1105 (IPSL_REMOTE_PORT | IPSL_LOCAL_PORT)) {
1104 1106 itp->itp_flags |= active ?
1105 1107 ITPF_P_PER_PORT_SECURITY :
1106 1108 ITPF_I_PER_PORT_SECURITY;
1107 1109 }
1108 1110 } else {
1109 1111 /*
1110 1112 * For now, we don't allow transport-mode on a tunnel
1111 1113 * with ANY specific selectors. Bail if we have such
1112 1114 * a request.
1113 1115 */
1114 1116 if (sel.ipsl_valid & IPSL_WILDCARD) {
1115 1117 diag = SPD_DIAGNOSTIC_NO_TUNNEL_SELECTORS;
1116 1118 error = EINVAL;
1117 1119 goto fail2;
1118 1120 }
1119 1121 }
1120 1122 }
1121 1123
1122 1124 if (!spdsock_ext_to_actvec(extv, &actp, &nact, &diag, spds)) {
1123 1125 error = EINVAL;
1124 1126 goto fail2;
1125 1127 }
1126 1128 /*
1127 1129 * If no addresses were specified, add both.
1128 1130 */
1129 1131 afs = sel.ipsl_valid & (IPSL_IPV6|IPSL_IPV4);
1130 1132 if (afs == 0)
1131 1133 afs = (IPSL_IPV6|IPSL_IPV4);
1132 1134
1133 1135 rw_enter(&iph->iph_lock, RW_WRITER);
1134 1136
1135 1137 if (rule->spd_rule_flags & SPD_RULE_FLAG_OUTBOUND) {
1136 1138 error = mkrulepair(iph, rule, &sel, actp, nact,
1137 1139 IPSEC_TYPE_OUTBOUND, afs, &rulep, index, spds);
1138 1140 if (error != 0)
1139 1141 goto fail;
1140 1142 }
1141 1143
1142 1144 if (rule->spd_rule_flags & SPD_RULE_FLAG_INBOUND) {
1143 1145 error = mkrulepair(iph, rule, &sel, actp, nact,
1144 1146 IPSEC_TYPE_INBOUND, afs, &rulep, index, spds);
1145 1147 if (error != 0)
1146 1148 goto fail;
1147 1149 }
1148 1150
1149 1151 while ((--rulep) >= &rules[0]) {
1150 1152 ipsec_enter_policy(iph, rulep->pol, rulep->dir,
1151 1153 spds->spds_netstack);
1152 1154 }
1153 1155 rw_exit(&iph->iph_lock);
1154 1156 if (itp != NULL)
1155 1157 mutex_exit(&itp->itp_lock);
1156 1158
1157 1159 ipsec_actvec_free(actp, nact);
1158 1160 spd_echo(q, mp);
1159 1161 if (auditing) {
1160 1162 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr;
1161 1163 cred_t *cr;
1162 1164 pid_t cpid;
1163 1165
1164 1166 cr = msg_getcred(mp, &cpid);
1165 1167 active = (spmsg->spd_msg_spdid == SPD_ACTIVE);
1166 1168 audit_pf_policy(SPD_ADDRULE, cr, spds->spds_netstack,
1167 1169 ITP_NAME(itp), active, 0, cpid);
1168 1170 }
1169 1171 return;
1170 1172
1171 1173 fail:
1172 1174 rw_exit(&iph->iph_lock);
1173 1175 while ((--rulep) >= &rules[0])
1174 1176 IPPOL_REFRELE(rulep->pol);
1175 1177 ipsec_actvec_free(actp, nact);
1176 1178 fail2:
1177 1179 if (itp != NULL) {
1178 1180 if (empty_itp)
1179 1181 itp->itp_flags = 0;
1180 1182 mutex_exit(&itp->itp_lock);
1181 1183 }
1182 1184 spdsock_error(q, mp, error, diag);
1183 1185 if (auditing) {
1184 1186 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr;
1185 1187 cred_t *cr;
1186 1188 pid_t cpid;
1187 1189
1188 1190 cr = msg_getcred(mp, &cpid);
1189 1191 active = (spmsg->spd_msg_spdid == SPD_ACTIVE);
1190 1192 audit_pf_policy(SPD_ADDRULE, cr, spds->spds_netstack,
1191 1193 ITP_NAME(itp), active, error, cpid);
1192 1194 }
1193 1195 }
1194 1196
1195 1197 void
1196 1198 spdsock_deleterule(queue_t *q, ipsec_policy_head_t *iph, mblk_t *mp,
1197 1199 spd_ext_t **extv, ipsec_tun_pol_t *itp)
1198 1200 {
1199 1201 ipsec_selkey_t sel;
1200 1202 struct spd_rule *rule = (struct spd_rule *)extv[SPD_EXT_RULE];
1201 1203 int err, diag = 0;
1202 1204 spdsock_t *ss = (spdsock_t *)q->q_ptr;
1203 1205 netstack_t *ns = ss->spdsock_spds->spds_netstack;
1204 1206 uint32_t auditing = AU_AUDITING();
1205 1207
1206 1208 if (rule == NULL) {
1207 1209 spdsock_diag(q, mp, SPD_DIAGNOSTIC_NO_RULE_EXT);
1208 1210 if (auditing) {
1209 1211 boolean_t active;
1210 1212 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr;
1211 1213 cred_t *cr;
1212 1214 pid_t cpid;
1213 1215
1214 1216 cr = msg_getcred(mp, &cpid);
1215 1217 active = (spmsg->spd_msg_spdid == SPD_ACTIVE);
1216 1218 audit_pf_policy(SPD_DELETERULE, cr, ns,
1217 1219 ITP_NAME(itp), active, SPD_DIAGNOSTIC_NO_RULE_EXT,
1218 1220 cpid);
1219 1221 }
1220 1222 return;
1221 1223 }
1222 1224
1223 1225 /*
1224 1226 * Must enter itp_lock first to avoid deadlock. See tun.c's
1225 1227 * set_sec_simple() for the other case of itp_lock and iph_lock.
1226 1228 */
1227 1229 if (itp != NULL)
1228 1230 mutex_enter(&itp->itp_lock);
1229 1231
1230 1232 if (rule->spd_rule_index != 0) {
1231 1233 if (ipsec_policy_delete_index(iph, rule->spd_rule_index, ns) !=
1232 1234 0) {
1233 1235 err = ESRCH;
1234 1236 goto fail;
1235 1237 }
1236 1238 } else {
1237 1239 if (!spdsock_ext_to_sel(extv, &sel, &diag)) {
1238 1240 err = EINVAL; /* diag already set... */
1239 1241 goto fail;
1240 1242 }
1241 1243
1242 1244 if ((rule->spd_rule_flags & SPD_RULE_FLAG_INBOUND) &&
1243 1245 !ipsec_policy_delete(iph, &sel, IPSEC_TYPE_INBOUND, ns)) {
1244 1246 err = ESRCH;
1245 1247 goto fail;
1246 1248 }
1247 1249
1248 1250 if ((rule->spd_rule_flags & SPD_RULE_FLAG_OUTBOUND) &&
1249 1251 !ipsec_policy_delete(iph, &sel, IPSEC_TYPE_OUTBOUND, ns)) {
1250 1252 err = ESRCH;
1251 1253 goto fail;
1252 1254 }
1253 1255 }
1254 1256
1255 1257 if (itp != NULL) {
1256 1258 ASSERT(iph == itp->itp_policy || iph == itp->itp_inactive);
1257 1259 rw_enter(&iph->iph_lock, RW_READER);
1258 1260 if (avl_numnodes(&iph->iph_rulebyid) == 0) {
1259 1261 if (iph == itp->itp_policy)
1260 1262 itp->itp_flags &= ~ITPF_PFLAGS;
1261 1263 else
1262 1264 itp->itp_flags &= ~ITPF_IFLAGS;
1263 1265 }
1264 1266 /* Can exit locks in any order. */
1265 1267 rw_exit(&iph->iph_lock);
1266 1268 mutex_exit(&itp->itp_lock);
1267 1269 }
1268 1270 spd_echo(q, mp);
1269 1271 if (auditing) {
1270 1272 boolean_t active;
1271 1273 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr;
1272 1274 cred_t *cr;
1273 1275 pid_t cpid;
1274 1276
1275 1277 cr = msg_getcred(mp, &cpid);
1276 1278 active = (spmsg->spd_msg_spdid == SPD_ACTIVE);
1277 1279 audit_pf_policy(SPD_DELETERULE, cr, ns, ITP_NAME(itp),
1278 1280 active, 0, cpid);
1279 1281 }
1280 1282 return;
1281 1283 fail:
1282 1284 if (itp != NULL)
1283 1285 mutex_exit(&itp->itp_lock);
1284 1286 spdsock_error(q, mp, err, diag);
1285 1287 if (auditing) {
1286 1288 boolean_t active;
1287 1289 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr;
1288 1290 cred_t *cr;
1289 1291 pid_t cpid;
1290 1292
1291 1293 cr = msg_getcred(mp, &cpid);
1292 1294 active = (spmsg->spd_msg_spdid == SPD_ACTIVE);
1293 1295 audit_pf_policy(SPD_DELETERULE, cr, ns, ITP_NAME(itp),
1294 1296 active, err, cpid);
1295 1297 }
1296 1298 }
1297 1299
1298 1300 /* Do NOT consume a reference to itp. */
1299 1301 /* ARGSUSED */
1300 1302 static void
1301 1303 spdsock_flip_node(ipsec_tun_pol_t *itp, void *ignoreme, netstack_t *ns)
1302 1304 {
1303 1305 mutex_enter(&itp->itp_lock);
1304 1306 ITPF_SWAP(itp->itp_flags);
1305 1307 ipsec_swap_policy(itp->itp_policy, itp->itp_inactive, ns);
1306 1308 mutex_exit(&itp->itp_lock);
1307 1309 /* SPD_FLIP is worth a tunnel MTU check. */
1308 1310 update_iptun_policy(itp);
1309 1311 }
1310 1312
1311 1313 void
1312 1314 spdsock_flip(queue_t *q, mblk_t *mp, spd_if_t *tunname)
1313 1315 {
1314 1316 char *tname;
1315 1317 ipsec_tun_pol_t *itp;
1316 1318 spdsock_t *ss = (spdsock_t *)q->q_ptr;
1317 1319 netstack_t *ns = ss->spdsock_spds->spds_netstack;
1318 1320 uint32_t auditing = AU_AUDITING();
1319 1321
1320 1322 if (tunname != NULL) {
1321 1323 tname = (char *)tunname->spd_if_name;
1322 1324 if (*tname == '\0') {
1323 1325 /* can't fail */
1324 1326 ipsec_swap_global_policy(ns);
1325 1327 if (auditing) {
1326 1328 boolean_t active;
1327 1329 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr;
1328 1330 cred_t *cr;
1329 1331 pid_t cpid;
1330 1332
1331 1333 cr = msg_getcred(mp, &cpid);
1332 1334 active = (spmsg->spd_msg_spdid == SPD_ACTIVE);
1333 1335 audit_pf_policy(SPD_FLIP, cr, ns,
1334 1336 NULL, active, 0, cpid);
1335 1337 }
1336 1338 itp_walk(spdsock_flip_node, NULL, ns);
1337 1339 if (auditing) {
1338 1340 boolean_t active;
1339 1341 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr;
1340 1342 cred_t *cr;
1341 1343 pid_t cpid;
1342 1344
1343 1345 cr = msg_getcred(mp, &cpid);
1344 1346 active = (spmsg->spd_msg_spdid == SPD_ACTIVE);
1345 1347 audit_pf_policy(SPD_FLIP, cr, ns,
1346 1348 "all tunnels", active, 0, cpid);
1347 1349 }
1348 1350 } else {
1349 1351 itp = get_tunnel_policy(tname, ns);
1350 1352 if (itp == NULL) {
1351 1353 /* Better idea for "tunnel not found"? */
1352 1354 spdsock_error(q, mp, ESRCH, 0);
1353 1355 if (auditing) {
1354 1356 boolean_t active;
1355 1357 spd_msg_t *spmsg =
1356 1358 (spd_msg_t *)mp->b_rptr;
1357 1359 cred_t *cr;
1358 1360 pid_t cpid;
1359 1361
1360 1362 cr = msg_getcred(mp, &cpid);
1361 1363 active = (spmsg->spd_msg_spdid ==
1362 1364 SPD_ACTIVE);
1363 1365 audit_pf_policy(SPD_FLIP, cr, ns,
1364 1366 ITP_NAME(itp), active,
1365 1367 ESRCH, cpid);
1366 1368 }
1367 1369 return;
1368 1370 }
1369 1371 spdsock_flip_node(itp, NULL, ns);
1370 1372 if (auditing) {
1371 1373 boolean_t active;
1372 1374 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr;
1373 1375 cred_t *cr;
1374 1376 pid_t cpid;
1375 1377
1376 1378 cr = msg_getcred(mp, &cpid);
1377 1379 active = (spmsg->spd_msg_spdid == SPD_ACTIVE);
1378 1380 audit_pf_policy(SPD_FLIP, cr, ns,
1379 1381 ITP_NAME(itp), active, 0, cpid);
1380 1382 }
1381 1383 ITP_REFRELE(itp, ns);
1382 1384 }
1383 1385 } else {
1384 1386 ipsec_swap_global_policy(ns); /* can't fail */
1385 1387 if (auditing) {
1386 1388 boolean_t active;
1387 1389 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr;
1388 1390 cred_t *cr;
1389 1391 pid_t cpid;
1390 1392
1391 1393 cr = msg_getcred(mp, &cpid);
1392 1394 active = (spmsg->spd_msg_spdid == SPD_ACTIVE);
1393 1395 audit_pf_policy(SPD_FLIP, cr,
1394 1396 ns, NULL, active, 0, cpid);
1395 1397 }
1396 1398 }
1397 1399 spd_echo(q, mp);
1398 1400 }
1399 1401
1400 1402 /*
1401 1403 * Unimplemented feature
1402 1404 */
1403 1405 /* ARGSUSED */
1404 1406 static void
1405 1407 spdsock_lookup(queue_t *q, ipsec_policy_head_t *iph, mblk_t *mp,
1406 1408 spd_ext_t **extv, ipsec_tun_pol_t *itp)
1407 1409 {
1408 1410 spdsock_error(q, mp, EINVAL, 0);
1409 1411 }
1410 1412
1411 1413
1412 1414 static mblk_t *
1413 1415 spdsock_dump_ruleset(mblk_t *req, ipsec_policy_head_t *iph,
1414 1416 uint32_t count, uint16_t error)
1415 1417 {
1416 1418 size_t len = sizeof (spd_ruleset_ext_t) + sizeof (spd_msg_t);
1417 1419 spd_msg_t *msg;
1418 1420 spd_ruleset_ext_t *ruleset;
1419 1421 mblk_t *m = allocb(len, BPRI_HI);
1420 1422
1421 1423 ASSERT(RW_READ_HELD(&iph->iph_lock));
1422 1424
1423 1425 if (m == NULL) {
1424 1426 return (NULL);
1425 1427 }
1426 1428 msg = (spd_msg_t *)m->b_rptr;
1427 1429 ruleset = (spd_ruleset_ext_t *)(&msg[1]);
1428 1430
1429 1431 m->b_wptr = (uint8_t *)&ruleset[1];
1430 1432
1431 1433 *msg = *(spd_msg_t *)(req->b_rptr);
1432 1434 msg->spd_msg_len = SPD_8TO64(len);
1433 1435 msg->spd_msg_errno = error;
1434 1436
1435 1437 ruleset->spd_ruleset_len = SPD_8TO64(sizeof (*ruleset));
1436 1438 ruleset->spd_ruleset_type = SPD_EXT_RULESET;
1437 1439 ruleset->spd_ruleset_count = count;
1438 1440 ruleset->spd_ruleset_version = iph->iph_gen;
1439 1441 return (m);
1440 1442 }
1441 1443
1442 1444 static mblk_t *
1443 1445 spdsock_dump_finish(spdsock_t *ss, int error)
1444 1446 {
1445 1447 mblk_t *m;
1446 1448 ipsec_policy_head_t *iph = ss->spdsock_dump_head;
1447 1449 mblk_t *req = ss->spdsock_dump_req;
1448 1450 netstack_t *ns = ss->spdsock_spds->spds_netstack;
1449 1451
1450 1452 rw_enter(&iph->iph_lock, RW_READER);
1451 1453 m = spdsock_dump_ruleset(req, iph, ss->spdsock_dump_count, error);
1452 1454 rw_exit(&iph->iph_lock);
1453 1455 IPPH_REFRELE(iph, ns);
1454 1456 if (ss->spdsock_itp != NULL) {
1455 1457 ITP_REFRELE(ss->spdsock_itp, ns);
1456 1458 ss->spdsock_itp = NULL;
1457 1459 }
1458 1460 ss->spdsock_dump_req = NULL;
1459 1461 freemsg(req);
1460 1462
1461 1463 return (m);
1462 1464 }
1463 1465
1464 1466 /*
1465 1467 * Rule encoding functions.
1466 1468 * We do a two-pass encode.
1467 1469 * If base != NULL, fill in encoded rule part starting at base+offset.
1468 1470 * Always return "offset" plus length of to-be-encoded data.
1469 1471 */
1470 1472 static uint_t
1471 1473 spdsock_encode_typecode(uint8_t *base, uint_t offset, uint8_t type,
1472 1474 uint8_t type_end, uint8_t code, uint8_t code_end)
1473 1475 {
1474 1476 struct spd_typecode *tcp;
1475 1477
1476 1478 ASSERT(ALIGNED64(offset));
1477 1479
1478 1480 if (base != NULL) {
1479 1481 tcp = (struct spd_typecode *)(base + offset);
1480 1482 tcp->spd_typecode_len = SPD_8TO64(sizeof (*tcp));
1481 1483 tcp->spd_typecode_exttype = SPD_EXT_ICMP_TYPECODE;
1482 1484 tcp->spd_typecode_code = code;
1483 1485 tcp->spd_typecode_type = type;
1484 1486 tcp->spd_typecode_type_end = type_end;
1485 1487 tcp->spd_typecode_code_end = code_end;
1486 1488 }
1487 1489 offset += sizeof (*tcp);
1488 1490
1489 1491 ASSERT(ALIGNED64(offset));
1490 1492
1491 1493 return (offset);
1492 1494 }
1493 1495
1494 1496 static uint_t
1495 1497 spdsock_encode_proto(uint8_t *base, uint_t offset, uint8_t proto)
1496 1498 {
1497 1499 struct spd_proto *spp;
1498 1500
1499 1501 ASSERT(ALIGNED64(offset));
1500 1502
1501 1503 if (base != NULL) {
1502 1504 spp = (struct spd_proto *)(base + offset);
1503 1505 spp->spd_proto_len = SPD_8TO64(sizeof (*spp));
1504 1506 spp->spd_proto_exttype = SPD_EXT_PROTO;
1505 1507 spp->spd_proto_number = proto;
1506 1508 spp->spd_proto_reserved1 = 0;
1507 1509 spp->spd_proto_reserved2 = 0;
1508 1510 }
1509 1511 offset += sizeof (*spp);
1510 1512
1511 1513 ASSERT(ALIGNED64(offset));
1512 1514
1513 1515 return (offset);
1514 1516 }
1515 1517
1516 1518 static uint_t
1517 1519 spdsock_encode_port(uint8_t *base, uint_t offset, uint16_t ext, uint16_t port)
1518 1520 {
1519 1521 struct spd_portrange *spp;
1520 1522
1521 1523 ASSERT(ALIGNED64(offset));
1522 1524
1523 1525 if (base != NULL) {
1524 1526 spp = (struct spd_portrange *)(base + offset);
1525 1527 spp->spd_ports_len = SPD_8TO64(sizeof (*spp));
1526 1528 spp->spd_ports_exttype = ext;
1527 1529 spp->spd_ports_minport = port;
1528 1530 spp->spd_ports_maxport = port;
1529 1531 }
1530 1532 offset += sizeof (*spp);
1531 1533
1532 1534 ASSERT(ALIGNED64(offset));
1533 1535
1534 1536 return (offset);
1535 1537 }
1536 1538
1537 1539 static uint_t
1538 1540 spdsock_encode_addr(uint8_t *base, uint_t offset, uint16_t ext,
1539 1541 const ipsec_selkey_t *sel, const ipsec_addr_t *addr, uint_t pfxlen)
1540 1542 {
1541 1543 struct spd_address *sae;
1542 1544 ipsec_addr_t *spdaddr;
1543 1545 uint_t start = offset;
1544 1546 uint_t addrlen;
1545 1547 uint_t af;
1546 1548
1547 1549 if (sel->ipsl_valid & IPSL_IPV4) {
1548 1550 af = AF_INET;
1549 1551 addrlen = IP_ADDR_LEN;
1550 1552 } else {
1551 1553 af = AF_INET6;
1552 1554 addrlen = IPV6_ADDR_LEN;
1553 1555 }
1554 1556
1555 1557 ASSERT(ALIGNED64(offset));
1556 1558
1557 1559 if (base != NULL) {
1558 1560 sae = (struct spd_address *)(base + offset);
1559 1561 sae->spd_address_exttype = ext;
1560 1562 sae->spd_address_af = af;
1561 1563 sae->spd_address_prefixlen = pfxlen;
1562 1564 sae->spd_address_reserved2 = 0;
1563 1565
1564 1566 spdaddr = (ipsec_addr_t *)(&sae[1]);
1565 1567 bcopy(addr, spdaddr, addrlen);
1566 1568 }
1567 1569 offset += sizeof (*sae);
1568 1570 addrlen = roundup(addrlen, sizeof (uint64_t));
1569 1571 offset += addrlen;
1570 1572
1571 1573 ASSERT(ALIGNED64(offset));
1572 1574
1573 1575 if (base != NULL)
1574 1576 sae->spd_address_len = SPD_8TO64(offset - start);
1575 1577 return (offset);
1576 1578 }
1577 1579
1578 1580 static uint_t
1579 1581 spdsock_encode_sel(uint8_t *base, uint_t offset, const ipsec_sel_t *sel)
1580 1582 {
1581 1583 const ipsec_selkey_t *selkey = &sel->ipsl_key;
1582 1584
1583 1585 if (selkey->ipsl_valid & IPSL_PROTOCOL)
1584 1586 offset = spdsock_encode_proto(base, offset, selkey->ipsl_proto);
1585 1587 if (selkey->ipsl_valid & IPSL_LOCAL_PORT)
1586 1588 offset = spdsock_encode_port(base, offset, SPD_EXT_LCLPORT,
1587 1589 selkey->ipsl_lport);
1588 1590 if (selkey->ipsl_valid & IPSL_REMOTE_PORT)
1589 1591 offset = spdsock_encode_port(base, offset, SPD_EXT_REMPORT,
1590 1592 selkey->ipsl_rport);
1591 1593 if (selkey->ipsl_valid & IPSL_REMOTE_ADDR)
1592 1594 offset = spdsock_encode_addr(base, offset, SPD_EXT_REMADDR,
1593 1595 selkey, &selkey->ipsl_remote, selkey->ipsl_remote_pfxlen);
1594 1596 if (selkey->ipsl_valid & IPSL_LOCAL_ADDR)
1595 1597 offset = spdsock_encode_addr(base, offset, SPD_EXT_LCLADDR,
1596 1598 selkey, &selkey->ipsl_local, selkey->ipsl_local_pfxlen);
1597 1599 if (selkey->ipsl_valid & IPSL_ICMP_TYPE) {
1598 1600 offset = spdsock_encode_typecode(base, offset,
1599 1601 selkey->ipsl_icmp_type, selkey->ipsl_icmp_type_end,
1600 1602 (selkey->ipsl_valid & IPSL_ICMP_CODE) ?
1601 1603 selkey->ipsl_icmp_code : 255,
1602 1604 (selkey->ipsl_valid & IPSL_ICMP_CODE) ?
1603 1605 selkey->ipsl_icmp_code_end : 255);
1604 1606 }
1605 1607 return (offset);
1606 1608 }
1607 1609
1608 1610 static uint_t
1609 1611 spdsock_encode_actattr(uint8_t *base, uint_t offset, uint32_t tag,
1610 1612 uint32_t value)
1611 1613 {
1612 1614 struct spd_attribute *attr;
1613 1615
1614 1616 ASSERT(ALIGNED64(offset));
1615 1617
1616 1618 if (base != NULL) {
1617 1619 attr = (struct spd_attribute *)(base + offset);
1618 1620 attr->spd_attr_tag = tag;
1619 1621 attr->spd_attr_value = value;
1620 1622 }
1621 1623 offset += sizeof (struct spd_attribute);
1622 1624
1623 1625 ASSERT(ALIGNED64(offset));
1624 1626
1625 1627 return (offset);
1626 1628 }
1627 1629
1628 1630
1629 1631 #define EMIT(t, v) offset = spdsock_encode_actattr(base, offset, (t), (v))
1630 1632
1631 1633 static uint_t
1632 1634 spdsock_encode_action(uint8_t *base, uint_t offset, const ipsec_action_t *ap)
1633 1635 {
1634 1636 const struct ipsec_act *act = &(ap->ipa_act);
1635 1637 uint_t flags;
1636 1638
1637 1639 EMIT(SPD_ATTR_EMPTY, 0);
1638 1640 switch (act->ipa_type) {
1639 1641 case IPSEC_ACT_DISCARD:
1640 1642 case IPSEC_ACT_REJECT:
1641 1643 EMIT(SPD_ATTR_TYPE, SPD_ACTTYPE_DROP);
1642 1644 break;
1643 1645 case IPSEC_ACT_BYPASS:
1644 1646 case IPSEC_ACT_CLEAR:
1645 1647 EMIT(SPD_ATTR_TYPE, SPD_ACTTYPE_PASS);
1646 1648 break;
1647 1649
1648 1650 case IPSEC_ACT_APPLY:
1649 1651 EMIT(SPD_ATTR_TYPE, SPD_ACTTYPE_IPSEC);
1650 1652 flags = 0;
1651 1653 if (act->ipa_apply.ipp_use_ah)
1652 1654 flags |= SPD_APPLY_AH;
1653 1655 if (act->ipa_apply.ipp_use_esp)
1654 1656 flags |= SPD_APPLY_ESP;
1655 1657 if (act->ipa_apply.ipp_use_espa)
1656 1658 flags |= SPD_APPLY_ESPA;
1657 1659 if (act->ipa_apply.ipp_use_se)
1658 1660 flags |= SPD_APPLY_SE;
1659 1661 if (act->ipa_apply.ipp_use_unique)
1660 1662 flags |= SPD_APPLY_UNIQUE;
1661 1663 EMIT(SPD_ATTR_FLAGS, flags);
1662 1664 if (flags & SPD_APPLY_AH) {
1663 1665 EMIT(SPD_ATTR_AH_AUTH, act->ipa_apply.ipp_auth_alg);
1664 1666 EMIT(SPD_ATTR_AH_MINBITS,
1665 1667 act->ipa_apply.ipp_ah_minbits);
1666 1668 EMIT(SPD_ATTR_AH_MAXBITS,
1667 1669 act->ipa_apply.ipp_ah_maxbits);
1668 1670 }
1669 1671 if (flags & SPD_APPLY_ESP) {
1670 1672 EMIT(SPD_ATTR_ESP_ENCR, act->ipa_apply.ipp_encr_alg);
1671 1673 EMIT(SPD_ATTR_ENCR_MINBITS,
1672 1674 act->ipa_apply.ipp_espe_minbits);
1673 1675 EMIT(SPD_ATTR_ENCR_MAXBITS,
1674 1676 act->ipa_apply.ipp_espe_maxbits);
1675 1677 if (flags & SPD_APPLY_ESPA) {
1676 1678 EMIT(SPD_ATTR_ESP_AUTH,
1677 1679 act->ipa_apply.ipp_esp_auth_alg);
1678 1680 EMIT(SPD_ATTR_ESPA_MINBITS,
1679 1681 act->ipa_apply.ipp_espa_minbits);
1680 1682 EMIT(SPD_ATTR_ESPA_MAXBITS,
1681 1683 act->ipa_apply.ipp_espa_maxbits);
1682 1684 }
1683 1685 }
1684 1686 if (act->ipa_apply.ipp_km_proto != 0)
1685 1687 EMIT(SPD_ATTR_KM_PROTO, act->ipa_apply.ipp_km_proto);
1686 1688 if (act->ipa_apply.ipp_km_cookie != 0)
1687 1689 EMIT(SPD_ATTR_KM_PROTO, act->ipa_apply.ipp_km_cookie);
1688 1690 if (act->ipa_apply.ipp_replay_depth != 0)
1689 1691 EMIT(SPD_ATTR_REPLAY_DEPTH,
1690 1692 act->ipa_apply.ipp_replay_depth);
1691 1693 /* Add more here */
1692 1694 break;
1693 1695 }
1694 1696
1695 1697 return (offset);
1696 1698 }
1697 1699
1698 1700 static uint_t
1699 1701 spdsock_encode_action_list(uint8_t *base, uint_t offset,
1700 1702 const ipsec_action_t *ap)
1701 1703 {
1702 1704 struct spd_ext_actions *act;
1703 1705 uint_t nact = 0;
1704 1706 uint_t start = offset;
1705 1707
1706 1708 ASSERT(ALIGNED64(offset));
1707 1709
1708 1710 if (base != NULL) {
1709 1711 act = (struct spd_ext_actions *)(base + offset);
1710 1712 act->spd_actions_len = 0;
1711 1713 act->spd_actions_exttype = SPD_EXT_ACTION;
1712 1714 act->spd_actions_count = 0;
1713 1715 act->spd_actions_reserved = 0;
1714 1716 }
1715 1717
1716 1718 offset += sizeof (*act);
1717 1719
1718 1720 ASSERT(ALIGNED64(offset));
1719 1721
1720 1722 while (ap != NULL) {
1721 1723 offset = spdsock_encode_action(base, offset, ap);
1722 1724 ap = ap->ipa_next;
1723 1725 nact++;
1724 1726 if (ap != NULL) {
1725 1727 EMIT(SPD_ATTR_NEXT, 0);
1726 1728 }
1727 1729 }
1728 1730 EMIT(SPD_ATTR_END, 0);
1729 1731
1730 1732 ASSERT(ALIGNED64(offset));
1731 1733
1732 1734 if (base != NULL) {
1733 1735 act->spd_actions_count = nact;
1734 1736 act->spd_actions_len = SPD_8TO64(offset - start);
1735 1737 }
1736 1738
1737 1739 return (offset);
1738 1740 }
1739 1741
1740 1742 #undef EMIT
1741 1743
1742 1744 /* ARGSUSED */
1743 1745 static uint_t
1744 1746 spdsock_rule_flags(uint_t dir, uint_t af)
1745 1747 {
1746 1748 uint_t flags = 0;
1747 1749
1748 1750 if (dir == IPSEC_TYPE_INBOUND)
1749 1751 flags |= SPD_RULE_FLAG_INBOUND;
1750 1752 if (dir == IPSEC_TYPE_OUTBOUND)
1751 1753 flags |= SPD_RULE_FLAG_OUTBOUND;
1752 1754
1753 1755 return (flags);
1754 1756 }
1755 1757
1756 1758
1757 1759 static uint_t
1758 1760 spdsock_encode_rule_head(uint8_t *base, uint_t offset, spd_msg_t *req,
1759 1761 const ipsec_policy_t *rule, uint_t dir, uint_t af, char *name,
1760 1762 boolean_t tunnel)
1761 1763 {
1762 1764 struct spd_msg *spmsg;
1763 1765 struct spd_rule *spr;
1764 1766 spd_if_t *sid;
1765 1767
1766 1768 uint_t start = offset;
1767 1769
1768 1770 ASSERT(ALIGNED64(offset));
1769 1771
1770 1772 if (base != NULL) {
1771 1773 spmsg = (struct spd_msg *)(base + offset);
1772 1774 bzero(spmsg, sizeof (*spmsg));
1773 1775 spmsg->spd_msg_version = PF_POLICY_V1;
1774 1776 spmsg->spd_msg_type = SPD_DUMP;
1775 1777 spmsg->spd_msg_seq = req->spd_msg_seq;
1776 1778 spmsg->spd_msg_pid = req->spd_msg_pid;
1777 1779 }
1778 1780 offset += sizeof (struct spd_msg);
1779 1781
1780 1782 ASSERT(ALIGNED64(offset));
1781 1783
1782 1784 if (base != NULL) {
1783 1785 spr = (struct spd_rule *)(base + offset);
1784 1786 spr->spd_rule_type = SPD_EXT_RULE;
1785 1787 spr->spd_rule_priority = rule->ipsp_prio;
1786 1788 spr->spd_rule_flags = spdsock_rule_flags(dir, af);
1787 1789 if (tunnel)
1788 1790 spr->spd_rule_flags |= SPD_RULE_FLAG_TUNNEL;
1789 1791 spr->spd_rule_unused = 0;
1790 1792 spr->spd_rule_len = SPD_8TO64(sizeof (*spr));
1791 1793 spr->spd_rule_index = rule->ipsp_index;
1792 1794 }
1793 1795 offset += sizeof (struct spd_rule);
1794 1796
1795 1797 /*
1796 1798 * If we have an interface name (i.e. if this policy head came from
1797 1799 * a tunnel), add the SPD_EXT_TUN_NAME extension.
1798 1800 */
1799 1801 if (name != NULL) {
1800 1802
1801 1803 ASSERT(ALIGNED64(offset));
1802 1804
1803 1805 if (base != NULL) {
1804 1806 sid = (spd_if_t *)(base + offset);
1805 1807 sid->spd_if_exttype = SPD_EXT_TUN_NAME;
1806 1808 sid->spd_if_len = SPD_8TO64(sizeof (spd_if_t) +
1807 1809 roundup((strlen(name) - 4), 8));
1808 1810 (void) strlcpy((char *)sid->spd_if_name, name,
1809 1811 LIFNAMSIZ);
1810 1812 }
1811 1813
1812 1814 offset += sizeof (spd_if_t) + roundup((strlen(name) - 4), 8);
1813 1815 }
1814 1816
1815 1817 offset = spdsock_encode_sel(base, offset, rule->ipsp_sel);
1816 1818 offset = spdsock_encode_action_list(base, offset, rule->ipsp_act);
1817 1819
1818 1820 ASSERT(ALIGNED64(offset));
1819 1821
1820 1822 if (base != NULL) {
1821 1823 spmsg->spd_msg_len = SPD_8TO64(offset - start);
1822 1824 }
1823 1825 return (offset);
1824 1826 }
1825 1827
1826 1828 /* ARGSUSED */
1827 1829 static mblk_t *
1828 1830 spdsock_encode_rule(mblk_t *req, const ipsec_policy_t *rule,
1829 1831 uint_t dir, uint_t af, char *name, boolean_t tunnel)
1830 1832 {
1831 1833 mblk_t *m;
1832 1834 uint_t len;
1833 1835 spd_msg_t *mreq = (spd_msg_t *)req->b_rptr;
1834 1836
1835 1837 /*
1836 1838 * Figure out how much space we'll need.
1837 1839 */
1838 1840 len = spdsock_encode_rule_head(NULL, 0, mreq, rule, dir, af, name,
1839 1841 tunnel);
1840 1842
1841 1843 /*
1842 1844 * Allocate mblk.
1843 1845 */
1844 1846 m = allocb(len, BPRI_HI);
1845 1847 if (m == NULL)
1846 1848 return (NULL);
1847 1849
1848 1850 /*
1849 1851 * Fill it in..
1850 1852 */
1851 1853 m->b_wptr = m->b_rptr + len;
1852 1854 bzero(m->b_rptr, len);
1853 1855 (void) spdsock_encode_rule_head(m->b_rptr, 0, mreq, rule, dir, af,
1854 1856 name, tunnel);
1855 1857 return (m);
1856 1858 }
1857 1859
1858 1860 static ipsec_policy_t *
1859 1861 spdsock_dump_next_in_chain(spdsock_t *ss, ipsec_policy_head_t *iph,
1860 1862 ipsec_policy_t *cur)
1861 1863 {
1862 1864 ASSERT(RW_READ_HELD(&iph->iph_lock));
1863 1865
1864 1866 ss->spdsock_dump_count++;
1865 1867 ss->spdsock_dump_cur_rule = cur->ipsp_hash.hash_next;
1866 1868 return (cur);
1867 1869 }
1868 1870
1869 1871 static ipsec_policy_t *
1870 1872 spdsock_dump_next_rule(spdsock_t *ss, ipsec_policy_head_t *iph)
1871 1873 {
1872 1874 ipsec_policy_t *cur;
1873 1875 ipsec_policy_root_t *ipr;
1874 1876 int chain, nchains, type, af;
1875 1877
1876 1878 ASSERT(RW_READ_HELD(&iph->iph_lock));
1877 1879
1878 1880 cur = ss->spdsock_dump_cur_rule;
1879 1881
1880 1882 if (cur != NULL)
1881 1883 return (spdsock_dump_next_in_chain(ss, iph, cur));
1882 1884
1883 1885 type = ss->spdsock_dump_cur_type;
1884 1886
1885 1887 next:
1886 1888 chain = ss->spdsock_dump_cur_chain;
1887 1889 ipr = &iph->iph_root[type];
1888 1890 nchains = ipr->ipr_nchains;
1889 1891
1890 1892 while (chain < nchains) {
1891 1893 cur = ipr->ipr_hash[chain].hash_head;
1892 1894 chain++;
1893 1895 if (cur != NULL) {
1894 1896 ss->spdsock_dump_cur_chain = chain;
1895 1897 return (spdsock_dump_next_in_chain(ss, iph, cur));
1896 1898 }
1897 1899 }
1898 1900 ss->spdsock_dump_cur_chain = nchains;
1899 1901
1900 1902 af = ss->spdsock_dump_cur_af;
1901 1903 while (af < IPSEC_NAF) {
1902 1904 cur = ipr->ipr_nonhash[af];
1903 1905 af++;
1904 1906 if (cur != NULL) {
1905 1907 ss->spdsock_dump_cur_af = af;
1906 1908 return (spdsock_dump_next_in_chain(ss, iph, cur));
1907 1909 }
1908 1910 }
1909 1911
1910 1912 type++;
1911 1913 if (type >= IPSEC_NTYPES)
1912 1914 return (NULL);
1913 1915
1914 1916 ss->spdsock_dump_cur_chain = 0;
1915 1917 ss->spdsock_dump_cur_type = type;
1916 1918 ss->spdsock_dump_cur_af = IPSEC_AF_V4;
1917 1919 goto next;
1918 1920
1919 1921 }
1920 1922
1921 1923 /*
1922 1924 * If we're done with one policy head, but have more to go, we iterate through
1923 1925 * another IPsec tunnel policy head (itp). Return NULL if it is an error
1924 1926 * worthy of returning EAGAIN via PF_POLICY.
1925 1927 */
1926 1928 static ipsec_tun_pol_t *
1927 1929 spdsock_dump_iterate_next_tunnel(spdsock_t *ss, ipsec_stack_t *ipss)
1928 1930 {
1929 1931 ipsec_tun_pol_t *itp;
1930 1932
1931 1933 ASSERT(RW_READ_HELD(&ipss->ipsec_tunnel_policy_lock));
1932 1934 if (ipss->ipsec_tunnel_policy_gen > ss->spdsock_dump_tun_gen) {
1933 1935 /* Oops, state of the tunnel polheads changed. */
1934 1936 itp = NULL;
1935 1937 } else if (ss->spdsock_itp == NULL) {
1936 1938 /* Just finished global, find first node. */
1937 1939 itp = avl_first(&ipss->ipsec_tunnel_policies);
1938 1940 } else {
1939 1941 /* We just finished current polhead, find the next one. */
1940 1942 itp = AVL_NEXT(&ipss->ipsec_tunnel_policies, ss->spdsock_itp);
1941 1943 }
1942 1944 if (itp != NULL) {
1943 1945 ITP_REFHOLD(itp);
1944 1946 }
1945 1947 if (ss->spdsock_itp != NULL) {
1946 1948 ITP_REFRELE(ss->spdsock_itp, ipss->ipsec_netstack);
1947 1949 }
1948 1950 ss->spdsock_itp = itp;
1949 1951 return (itp);
1950 1952 }
1951 1953
1952 1954 static mblk_t *
1953 1955 spdsock_dump_next_record(spdsock_t *ss)
1954 1956 {
1955 1957 ipsec_policy_head_t *iph;
1956 1958 ipsec_policy_t *rule;
1957 1959 mblk_t *m;
1958 1960 ipsec_tun_pol_t *itp;
1959 1961 netstack_t *ns = ss->spdsock_spds->spds_netstack;
1960 1962 ipsec_stack_t *ipss = ns->netstack_ipsec;
1961 1963
1962 1964 iph = ss->spdsock_dump_head;
1963 1965
1964 1966 ASSERT(iph != NULL);
1965 1967
1966 1968 rw_enter(&iph->iph_lock, RW_READER);
1967 1969
1968 1970 if (iph->iph_gen != ss->spdsock_dump_gen) {
1969 1971 rw_exit(&iph->iph_lock);
1970 1972 return (spdsock_dump_finish(ss, EAGAIN));
1971 1973 }
1972 1974
1973 1975 while ((rule = spdsock_dump_next_rule(ss, iph)) == NULL) {
1974 1976 rw_exit(&iph->iph_lock);
1975 1977 if (--(ss->spdsock_dump_remaining_polheads) == 0)
1976 1978 return (spdsock_dump_finish(ss, 0));
1977 1979
1978 1980
1979 1981 /*
1980 1982 * If we reach here, we have more policy heads (tunnel
1981 1983 * entries) to dump. Let's reset to a new policy head
1982 1984 * and get some more rules.
1983 1985 *
1984 1986 * An empty policy head will have spdsock_dump_next_rule()
1985 1987 * return NULL, and we loop (while dropping the number of
1986 1988 * remaining polheads). If we loop to 0, we finish. We
1987 1989 * keep looping until we hit 0 or until we have a rule to
1988 1990 * encode.
1989 1991 *
1990 1992 * NOTE: No need for ITP_REF*() macros here as we're only
1991 1993 * going after and refholding the policy head itself.
1992 1994 */
1993 1995 rw_enter(&ipss->ipsec_tunnel_policy_lock, RW_READER);
1994 1996 itp = spdsock_dump_iterate_next_tunnel(ss, ipss);
1995 1997 if (itp == NULL) {
1996 1998 rw_exit(&ipss->ipsec_tunnel_policy_lock);
1997 1999 return (spdsock_dump_finish(ss, EAGAIN));
1998 2000 }
1999 2001
2000 2002 /* Reset other spdsock_dump thingies. */
2001 2003 IPPH_REFRELE(ss->spdsock_dump_head, ns);
2002 2004 if (ss->spdsock_dump_active) {
2003 2005 ss->spdsock_dump_tunnel =
2004 2006 itp->itp_flags & ITPF_P_TUNNEL;
2005 2007 iph = itp->itp_policy;
2006 2008 } else {
2007 2009 ss->spdsock_dump_tunnel =
2008 2010 itp->itp_flags & ITPF_I_TUNNEL;
2009 2011 iph = itp->itp_inactive;
2010 2012 }
2011 2013 IPPH_REFHOLD(iph);
2012 2014 rw_exit(&ipss->ipsec_tunnel_policy_lock);
2013 2015
2014 2016 rw_enter(&iph->iph_lock, RW_READER);
2015 2017 RESET_SPDSOCK_DUMP_POLHEAD(ss, iph);
2016 2018 }
2017 2019
2018 2020 m = spdsock_encode_rule(ss->spdsock_dump_req, rule,
2019 2021 ss->spdsock_dump_cur_type, ss->spdsock_dump_cur_af,
2020 2022 (ss->spdsock_itp == NULL) ? NULL : ss->spdsock_itp->itp_name,
2021 2023 ss->spdsock_dump_tunnel);
2022 2024 rw_exit(&iph->iph_lock);
2023 2025
2024 2026 if (m == NULL)
2025 2027 return (spdsock_dump_finish(ss, ENOMEM));
2026 2028 return (m);
2027 2029 }
2028 2030
2029 2031 /*
2030 2032 * Dump records until we run into flow-control back-pressure.
2031 2033 */
2032 2034 static void
2033 2035 spdsock_dump_some(queue_t *q, spdsock_t *ss)
2034 2036 {
2035 2037 mblk_t *m, *dataind;
2036 2038
2037 2039 while ((ss->spdsock_dump_req != NULL) && canputnext(q)) {
2038 2040 m = spdsock_dump_next_record(ss);
2039 2041 if (m == NULL)
2040 2042 return;
2041 2043 dataind = allocb(sizeof (struct T_data_req), BPRI_HI);
2042 2044 if (dataind == NULL) {
2043 2045 freemsg(m);
2044 2046 return;
2045 2047 }
2046 2048 dataind->b_cont = m;
2047 2049 dataind->b_wptr += sizeof (struct T_data_req);
2048 2050 ((struct T_data_ind *)dataind->b_rptr)->PRIM_type = T_DATA_IND;
2049 2051 ((struct T_data_ind *)dataind->b_rptr)->MORE_flag = 0;
2050 2052 dataind->b_datap->db_type = M_PROTO;
2051 2053 putnext(q, dataind);
2052 2054 }
2053 2055 }
2054 2056
2055 2057 /*
2056 2058 * Start dumping.
2057 2059 * Format a start-of-dump record, and set up the stream and kick the rsrv
2058 2060 * procedure to continue the job..
2059 2061 */
2060 2062 /* ARGSUSED */
2061 2063 static void
2062 2064 spdsock_dump(queue_t *q, ipsec_policy_head_t *iph, mblk_t *mp)
2063 2065 {
2064 2066 spdsock_t *ss = (spdsock_t *)q->q_ptr;
2065 2067 netstack_t *ns = ss->spdsock_spds->spds_netstack;
2066 2068 ipsec_stack_t *ipss = ns->netstack_ipsec;
2067 2069 mblk_t *mr;
2068 2070
2069 2071 /* spdsock_open() already set spdsock_itp to NULL. */
2070 2072 if (iph == ALL_ACTIVE_POLHEADS || iph == ALL_INACTIVE_POLHEADS) {
2071 2073 rw_enter(&ipss->ipsec_tunnel_policy_lock, RW_READER);
2072 2074 ss->spdsock_dump_remaining_polheads = 1 +
2073 2075 avl_numnodes(&ipss->ipsec_tunnel_policies);
2074 2076 ss->spdsock_dump_tun_gen = ipss->ipsec_tunnel_policy_gen;
2075 2077 rw_exit(&ipss->ipsec_tunnel_policy_lock);
2076 2078 if (iph == ALL_ACTIVE_POLHEADS) {
2077 2079 iph = ipsec_system_policy(ns);
2078 2080 ss->spdsock_dump_active = B_TRUE;
2079 2081 } else {
2080 2082 iph = ipsec_inactive_policy(ns);
2081 2083 ss->spdsock_dump_active = B_FALSE;
2082 2084 }
2083 2085 ASSERT(ss->spdsock_itp == NULL);
2084 2086 } else {
2085 2087 ss->spdsock_dump_remaining_polheads = 1;
2086 2088 }
2087 2089
2088 2090 rw_enter(&iph->iph_lock, RW_READER);
2089 2091
2090 2092 mr = spdsock_dump_ruleset(mp, iph, 0, 0);
2091 2093
2092 2094 if (!mr) {
2093 2095 rw_exit(&iph->iph_lock);
2094 2096 spdsock_error(q, mp, ENOMEM, 0);
2095 2097 return;
2096 2098 }
2097 2099
2098 2100 ss->spdsock_dump_req = mp;
2099 2101 RESET_SPDSOCK_DUMP_POLHEAD(ss, iph);
2100 2102
2101 2103 rw_exit(&iph->iph_lock);
2102 2104
2103 2105 qreply(q, mr);
2104 2106 qenable(OTHERQ(q));
2105 2107 }
2106 2108
2107 2109 /* Do NOT consume a reference to ITP. */
2108 2110 void
2109 2111 spdsock_clone_node(ipsec_tun_pol_t *itp, void *ep, netstack_t *ns)
2110 2112 {
2111 2113 int *errptr = (int *)ep;
2112 2114
2113 2115 if (*errptr != 0)
2114 2116 return; /* We've failed already for some reason. */
2115 2117 mutex_enter(&itp->itp_lock);
2116 2118 ITPF_CLONE(itp->itp_flags);
2117 2119 *errptr = ipsec_copy_polhead(itp->itp_policy, itp->itp_inactive, ns);
2118 2120 mutex_exit(&itp->itp_lock);
2119 2121 }
2120 2122
2121 2123 void
2122 2124 spdsock_clone(queue_t *q, mblk_t *mp, spd_if_t *tunname)
2123 2125 {
2124 2126 int error;
2125 2127 char *tname;
2126 2128 ipsec_tun_pol_t *itp;
2127 2129 spdsock_t *ss = (spdsock_t *)q->q_ptr;
2128 2130 netstack_t *ns = ss->spdsock_spds->spds_netstack;
2129 2131 uint32_t auditing = AU_AUDITING();
2130 2132
2131 2133 if (tunname != NULL) {
2132 2134 tname = (char *)tunname->spd_if_name;
2133 2135 if (*tname == '\0') {
2134 2136 error = ipsec_clone_system_policy(ns);
2135 2137 if (auditing) {
2136 2138 boolean_t active;
2137 2139 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr;
2138 2140 cred_t *cr;
2139 2141 pid_t cpid;
2140 2142
2141 2143 cr = msg_getcred(mp, &cpid);
2142 2144 active = (spmsg->spd_msg_spdid == SPD_ACTIVE);
2143 2145 audit_pf_policy(SPD_CLONE, cr, ns,
2144 2146 NULL, active, error, cpid);
2145 2147 }
2146 2148 if (error == 0) {
2147 2149 itp_walk(spdsock_clone_node, &error, ns);
2148 2150 if (auditing) {
2149 2151 boolean_t active;
2150 2152 spd_msg_t *spmsg =
2151 2153 (spd_msg_t *)mp->b_rptr;
2152 2154 cred_t *cr;
2153 2155 pid_t cpid;
2154 2156
2155 2157 cr = msg_getcred(mp, &cpid);
2156 2158 active = (spmsg->spd_msg_spdid ==
2157 2159 SPD_ACTIVE);
2158 2160 audit_pf_policy(SPD_CLONE, cr,
2159 2161 ns, "all tunnels", active, 0,
2160 2162 cpid);
2161 2163 }
2162 2164 }
2163 2165 } else {
2164 2166 itp = get_tunnel_policy(tname, ns);
2165 2167 if (itp == NULL) {
2166 2168 spdsock_error(q, mp, ENOENT, 0);
2167 2169 if (auditing) {
2168 2170 boolean_t active;
2169 2171 spd_msg_t *spmsg =
2170 2172 (spd_msg_t *)mp->b_rptr;
2171 2173 cred_t *cr;
2172 2174 pid_t cpid;
2173 2175
2174 2176 cr = msg_getcred(mp, &cpid);
2175 2177 active = (spmsg->spd_msg_spdid ==
2176 2178 SPD_ACTIVE);
2177 2179 audit_pf_policy(SPD_CLONE, cr,
2178 2180 ns, NULL, active, ENOENT, cpid);
2179 2181 }
2180 2182 return;
2181 2183 }
2182 2184 spdsock_clone_node(itp, &error, NULL);
2183 2185 if (auditing) {
2184 2186 boolean_t active;
2185 2187 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr;
2186 2188 cred_t *cr;
2187 2189 pid_t cpid;
2188 2190
2189 2191 cr = msg_getcred(mp, &cpid);
2190 2192 active = (spmsg->spd_msg_spdid == SPD_ACTIVE);
2191 2193 audit_pf_policy(SPD_CLONE, cr, ns,
2192 2194 ITP_NAME(itp), active, error, cpid);
2193 2195 }
2194 2196 ITP_REFRELE(itp, ns);
2195 2197 }
2196 2198 } else {
2197 2199 error = ipsec_clone_system_policy(ns);
2198 2200 if (auditing) {
2199 2201 boolean_t active;
2200 2202 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr;
2201 2203 cred_t *cr;
2202 2204 pid_t cpid;
2203 2205
2204 2206 cr = msg_getcred(mp, &cpid);
2205 2207 active = (spmsg->spd_msg_spdid == SPD_ACTIVE);
2206 2208 audit_pf_policy(SPD_CLONE, cr, ns, NULL,
2207 2209 active, error, cpid);
2208 2210 }
2209 2211 }
2210 2212
2211 2213 if (error != 0)
2212 2214 spdsock_error(q, mp, error, 0);
2213 2215 else
2214 2216 spd_echo(q, mp);
2215 2217 }
2216 2218
2217 2219 /*
2218 2220 * Process a SPD_ALGLIST request. The caller expects separate alg entries
2219 2221 * for AH authentication, ESP authentication, and ESP encryption.
2220 2222 * The same distinction is then used when setting the min and max key
2221 2223 * sizes when defining policies.
2222 2224 */
2223 2225
2224 2226 #define SPDSOCK_AH_AUTH 0
2225 2227 #define SPDSOCK_ESP_AUTH 1
2226 2228 #define SPDSOCK_ESP_ENCR 2
2227 2229 #define SPDSOCK_NTYPES 3
2228 2230
2229 2231 static const uint_t algattr[SPDSOCK_NTYPES] = {
2230 2232 SPD_ATTR_AH_AUTH,
2231 2233 SPD_ATTR_ESP_AUTH,
2232 2234 SPD_ATTR_ESP_ENCR
2233 2235 };
2234 2236 static const uint_t minbitsattr[SPDSOCK_NTYPES] = {
2235 2237 SPD_ATTR_AH_MINBITS,
2236 2238 SPD_ATTR_ESPA_MINBITS,
2237 2239 SPD_ATTR_ENCR_MINBITS
2238 2240 };
2239 2241 static const uint_t maxbitsattr[SPDSOCK_NTYPES] = {
2240 2242 SPD_ATTR_AH_MAXBITS,
2241 2243 SPD_ATTR_ESPA_MAXBITS,
2242 2244 SPD_ATTR_ENCR_MAXBITS
2243 2245 };
2244 2246 static const uint_t defbitsattr[SPDSOCK_NTYPES] = {
2245 2247 SPD_ATTR_AH_DEFBITS,
2246 2248 SPD_ATTR_ESPA_DEFBITS,
2247 2249 SPD_ATTR_ENCR_DEFBITS
2248 2250 };
2249 2251 static const uint_t incrbitsattr[SPDSOCK_NTYPES] = {
2250 2252 SPD_ATTR_AH_INCRBITS,
2251 2253 SPD_ATTR_ESPA_INCRBITS,
2252 2254 SPD_ATTR_ENCR_INCRBITS
2253 2255 };
2254 2256
2255 2257 #define ATTRPERALG 6 /* fixed attributes per algs */
2256 2258
2257 2259 void
2258 2260 spdsock_alglist(queue_t *q, mblk_t *mp)
2259 2261 {
2260 2262 uint_t algtype;
2261 2263 uint_t algidx;
2262 2264 uint_t algcount;
2263 2265 uint_t size;
2264 2266 mblk_t *m;
2265 2267 uint8_t *cur;
2266 2268 spd_msg_t *msg;
2267 2269 struct spd_ext_actions *act;
2268 2270 struct spd_attribute *attr;
2269 2271 spdsock_t *ss = (spdsock_t *)q->q_ptr;
2270 2272 ipsec_stack_t *ipss = ss->spdsock_spds->spds_netstack->netstack_ipsec;
2271 2273
2272 2274 rw_enter(&ipss->ipsec_alg_lock, RW_READER);
2273 2275 /*
2274 2276 * The SPD client expects to receive separate entries for
2275 2277 * AH authentication and ESP authentication supported algorithms.
2276 2278 *
2277 2279 * Don't return the "any" algorithms, if defined, as no
2278 2280 * kernel policies can be set for these algorithms.
2279 2281 */
2280 2282 algcount = 2 * ipss->ipsec_nalgs[IPSEC_ALG_AUTH] +
2281 2283 ipss->ipsec_nalgs[IPSEC_ALG_ENCR];
2282 2284
2283 2285 if (ipss->ipsec_alglists[IPSEC_ALG_AUTH][SADB_AALG_NONE] != NULL)
2284 2286 algcount--;
2285 2287 if (ipss->ipsec_alglists[IPSEC_ALG_ENCR][SADB_EALG_NONE] != NULL)
2286 2288 algcount--;
2287 2289
2288 2290 /*
2289 2291 * For each algorithm, we encode:
2290 2292 * ALG / MINBITS / MAXBITS / DEFBITS / INCRBITS / {END, NEXT}
2291 2293 */
2292 2294
2293 2295 size = sizeof (spd_msg_t) + sizeof (struct spd_ext_actions) +
2294 2296 ATTRPERALG * sizeof (struct spd_attribute) * algcount;
2295 2297
2296 2298 ASSERT(ALIGNED64(size));
2297 2299
2298 2300 m = allocb(size, BPRI_HI);
2299 2301 if (m == NULL) {
2300 2302 rw_exit(&ipss->ipsec_alg_lock);
2301 2303 spdsock_error(q, mp, ENOMEM, 0);
2302 2304 return;
2303 2305 }
2304 2306
2305 2307 m->b_wptr = m->b_rptr + size;
2306 2308 cur = m->b_rptr;
2307 2309
2308 2310 msg = (spd_msg_t *)cur;
2309 2311 bcopy(mp->b_rptr, cur, sizeof (*msg));
2310 2312
2311 2313 msg->spd_msg_len = SPD_8TO64(size);
2312 2314 msg->spd_msg_errno = 0;
2313 2315 msg->spd_msg_diagnostic = 0;
2314 2316
2315 2317 cur += sizeof (*msg);
2316 2318
2317 2319 act = (struct spd_ext_actions *)cur;
2318 2320 cur += sizeof (*act);
2319 2321
2320 2322 act->spd_actions_len = SPD_8TO64(size - sizeof (spd_msg_t));
2321 2323 act->spd_actions_exttype = SPD_EXT_ACTION;
2322 2324 act->spd_actions_count = algcount;
2323 2325 act->spd_actions_reserved = 0;
2324 2326
2325 2327 attr = (struct spd_attribute *)cur;
2326 2328
2327 2329 #define EMIT(tag, value) { \
2328 2330 attr->spd_attr_tag = (tag); \
2329 2331 attr->spd_attr_value = (value); \
2330 2332 attr++; \
2331 2333 }
2332 2334
2333 2335 /*
2334 2336 * If you change the number of EMIT's here, change
2335 2337 * ATTRPERALG above to match
2336 2338 */
2337 2339 #define EMITALGATTRS(_type) { \
2338 2340 EMIT(algattr[_type], algid); /* 1 */ \
2339 2341 EMIT(minbitsattr[_type], minbits); /* 2 */ \
2340 2342 EMIT(maxbitsattr[_type], maxbits); /* 3 */ \
2341 2343 EMIT(defbitsattr[_type], defbits); /* 4 */ \
2342 2344 EMIT(incrbitsattr[_type], incr); /* 5 */ \
2343 2345 EMIT(SPD_ATTR_NEXT, 0); /* 6 */ \
2344 2346 }
2345 2347
2346 2348 for (algtype = 0; algtype < IPSEC_NALGTYPES; algtype++) {
2347 2349 for (algidx = 0; algidx < ipss->ipsec_nalgs[algtype];
2348 2350 algidx++) {
2349 2351 int algid = ipss->ipsec_sortlist[algtype][algidx];
2350 2352 ipsec_alginfo_t *alg =
2351 2353 ipss->ipsec_alglists[algtype][algid];
2352 2354 uint_t minbits = alg->alg_minbits;
2353 2355 uint_t maxbits = alg->alg_maxbits;
2354 2356 uint_t defbits = alg->alg_default_bits;
2355 2357 uint_t incr = alg->alg_increment;
2356 2358
2357 2359 if (algtype == IPSEC_ALG_AUTH) {
2358 2360 if (algid == SADB_AALG_NONE)
2359 2361 continue;
2360 2362 EMITALGATTRS(SPDSOCK_AH_AUTH);
2361 2363 EMITALGATTRS(SPDSOCK_ESP_AUTH);
2362 2364 } else {
2363 2365 if (algid == SADB_EALG_NONE)
2364 2366 continue;
2365 2367 ASSERT(algtype == IPSEC_ALG_ENCR);
2366 2368 EMITALGATTRS(SPDSOCK_ESP_ENCR);
2367 2369 }
2368 2370 }
2369 2371 }
2370 2372
2371 2373 rw_exit(&ipss->ipsec_alg_lock);
2372 2374
2373 2375 #undef EMITALGATTRS
2374 2376 #undef EMIT
2375 2377 #undef ATTRPERALG
2376 2378
2377 2379 attr--;
2378 2380 attr->spd_attr_tag = SPD_ATTR_END;
2379 2381
2380 2382 freemsg(mp);
2381 2383 qreply(q, m);
2382 2384 }
2383 2385
2384 2386 /*
2385 2387 * Process a SPD_DUMPALGS request.
2386 2388 */
2387 2389
2388 2390 #define ATTRPERALG 9 /* fixed attributes per algs */
2389 2391
2390 2392 void
2391 2393 spdsock_dumpalgs(queue_t *q, mblk_t *mp)
2392 2394 {
2393 2395 uint_t algtype;
2394 2396 uint_t algidx;
2395 2397 uint_t size;
2396 2398 mblk_t *m;
2397 2399 uint8_t *cur;
2398 2400 spd_msg_t *msg;
2399 2401 struct spd_ext_actions *act;
2400 2402 struct spd_attribute *attr;
2401 2403 ipsec_alginfo_t *alg;
2402 2404 uint_t algid;
2403 2405 uint_t i;
2404 2406 uint_t alg_size;
2405 2407 spdsock_t *ss = (spdsock_t *)q->q_ptr;
2406 2408 ipsec_stack_t *ipss = ss->spdsock_spds->spds_netstack->netstack_ipsec;
2407 2409
2408 2410 rw_enter(&ipss->ipsec_alg_lock, RW_READER);
2409 2411
2410 2412 /*
2411 2413 * For each algorithm, we encode:
2412 2414 * ALG / MINBITS / MAXBITS / DEFBITS / INCRBITS / {END, NEXT}
2413 2415 *
2414 2416 * ALG_ID / ALG_PROTO / ALG_INCRBITS / ALG_NKEYSIZES / ALG_KEYSIZE*
2415 2417 * ALG_NBLOCKSIZES / ALG_BLOCKSIZE* / ALG_NPARAMS / ALG_PARAMS* /
2416 2418 * ALG_MECHNAME / ALG_FLAGS / {END, NEXT}
2417 2419 */
2418 2420
2419 2421 /*
2420 2422 * Compute the size of the SPD message.
2421 2423 */
2422 2424 size = sizeof (spd_msg_t) + sizeof (struct spd_ext_actions);
2423 2425
2424 2426 for (algtype = 0; algtype < IPSEC_NALGTYPES; algtype++) {
2425 2427 for (algidx = 0; algidx < ipss->ipsec_nalgs[algtype];
2426 2428 algidx++) {
2427 2429 algid = ipss->ipsec_sortlist[algtype][algidx];
2428 2430 alg = ipss->ipsec_alglists[algtype][algid];
2429 2431 alg_size = sizeof (struct spd_attribute) *
2430 2432 (ATTRPERALG + alg->alg_nkey_sizes +
2431 2433 alg->alg_nblock_sizes + alg->alg_nparams) +
2432 2434 CRYPTO_MAX_MECH_NAME;
2433 2435 size += alg_size;
2434 2436 }
2435 2437 }
2436 2438
2437 2439 ASSERT(ALIGNED64(size));
2438 2440
2439 2441 m = allocb(size, BPRI_HI);
2440 2442 if (m == NULL) {
2441 2443 rw_exit(&ipss->ipsec_alg_lock);
2442 2444 spdsock_error(q, mp, ENOMEM, 0);
2443 2445 return;
2444 2446 }
2445 2447
2446 2448 m->b_wptr = m->b_rptr + size;
2447 2449 cur = m->b_rptr;
2448 2450
2449 2451 msg = (spd_msg_t *)cur;
2450 2452 bcopy(mp->b_rptr, cur, sizeof (*msg));
2451 2453
2452 2454 msg->spd_msg_len = SPD_8TO64(size);
2453 2455 msg->spd_msg_errno = 0;
2454 2456 msg->spd_msg_type = SPD_ALGLIST;
2455 2457
2456 2458 msg->spd_msg_diagnostic = 0;
2457 2459
2458 2460 cur += sizeof (*msg);
2459 2461
2460 2462 act = (struct spd_ext_actions *)cur;
2461 2463 cur += sizeof (*act);
2462 2464
2463 2465 act->spd_actions_len = SPD_8TO64(size - sizeof (spd_msg_t));
2464 2466 act->spd_actions_exttype = SPD_EXT_ACTION;
2465 2467 act->spd_actions_count = ipss->ipsec_nalgs[IPSEC_ALG_AUTH] +
2466 2468 ipss->ipsec_nalgs[IPSEC_ALG_ENCR];
2467 2469 act->spd_actions_reserved = 0;
2468 2470
2469 2471 /*
2470 2472 * If there aren't any algorithms registered, return an empty message.
2471 2473 * spdsock_get_ext() knows how to deal with this.
2472 2474 */
2473 2475 if (act->spd_actions_count == 0) {
2474 2476 act->spd_actions_len = 0;
2475 2477 rw_exit(&ipss->ipsec_alg_lock);
2476 2478 goto error;
2477 2479 }
2478 2480
2479 2481 attr = (struct spd_attribute *)cur;
2480 2482
2481 2483 #define EMIT(tag, value) { \
2482 2484 attr->spd_attr_tag = (tag); \
2483 2485 attr->spd_attr_value = (value); \
2484 2486 attr++; \
2485 2487 }
2486 2488
2487 2489 for (algtype = 0; algtype < IPSEC_NALGTYPES; algtype++) {
2488 2490 for (algidx = 0; algidx < ipss->ipsec_nalgs[algtype];
2489 2491 algidx++) {
2490 2492
2491 2493 algid = ipss->ipsec_sortlist[algtype][algidx];
2492 2494 alg = ipss->ipsec_alglists[algtype][algid];
2493 2495
2494 2496 /*
2495 2497 * If you change the number of EMIT's here, change
2496 2498 * ATTRPERALG above to match
2497 2499 */
2498 2500 EMIT(SPD_ATTR_ALG_ID, algid);
2499 2501 EMIT(SPD_ATTR_ALG_PROTO, algproto[algtype]);
2500 2502 EMIT(SPD_ATTR_ALG_INCRBITS, alg->alg_increment);
2501 2503 EMIT(SPD_ATTR_ALG_NKEYSIZES, alg->alg_nkey_sizes);
2502 2504 for (i = 0; i < alg->alg_nkey_sizes; i++)
2503 2505 EMIT(SPD_ATTR_ALG_KEYSIZE,
2504 2506 alg->alg_key_sizes[i]);
2505 2507
2506 2508 EMIT(SPD_ATTR_ALG_NBLOCKSIZES, alg->alg_nblock_sizes);
2507 2509 for (i = 0; i < alg->alg_nblock_sizes; i++)
2508 2510 EMIT(SPD_ATTR_ALG_BLOCKSIZE,
2509 2511 alg->alg_block_sizes[i]);
2510 2512
2511 2513 EMIT(SPD_ATTR_ALG_NPARAMS, alg->alg_nparams);
2512 2514 for (i = 0; i < alg->alg_nparams; i++)
2513 2515 EMIT(SPD_ATTR_ALG_PARAMS,
2514 2516 alg->alg_params[i]);
2515 2517
2516 2518 EMIT(SPD_ATTR_ALG_FLAGS, alg->alg_flags);
2517 2519
2518 2520 EMIT(SPD_ATTR_ALG_MECHNAME, CRYPTO_MAX_MECH_NAME);
2519 2521 bcopy(alg->alg_mech_name, attr, CRYPTO_MAX_MECH_NAME);
2520 2522 attr = (struct spd_attribute *)((char *)attr +
2521 2523 CRYPTO_MAX_MECH_NAME);
2522 2524
2523 2525 EMIT(SPD_ATTR_NEXT, 0);
2524 2526 }
2525 2527 }
2526 2528
2527 2529 rw_exit(&ipss->ipsec_alg_lock);
2528 2530
2529 2531 #undef EMITALGATTRS
2530 2532 #undef EMIT
2531 2533 #undef ATTRPERALG
2532 2534
2533 2535 attr--;
2534 2536 attr->spd_attr_tag = SPD_ATTR_END;
2535 2537
2536 2538 error:
2537 2539 freemsg(mp);
2538 2540 qreply(q, m);
2539 2541 }
2540 2542
2541 2543 /*
2542 2544 * Do the actual work of processing an SPD_UPDATEALGS request. Can
2543 2545 * be invoked either once IPsec is loaded on a cached request, or
2544 2546 * when a request is received while IPsec is loaded.
2545 2547 */
2546 2548 static int
2547 2549 spdsock_do_updatealg(spd_ext_t *extv[], spd_stack_t *spds)
2548 2550 {
2549 2551 struct spd_ext_actions *actp;
2550 2552 struct spd_attribute *attr, *endattr;
2551 2553 uint64_t *start, *end;
2552 2554 ipsec_alginfo_t *alg = NULL;
2553 2555 ipsec_algtype_t alg_type = 0;
2554 2556 boolean_t skip_alg = B_TRUE, doing_proto = B_FALSE;
2555 2557 uint_t i, cur_key, cur_block, algid;
2556 2558 int diag = -1;
2557 2559
2558 2560 ASSERT(MUTEX_HELD(&spds->spds_alg_lock));
2559 2561
2560 2562 /* parse the message, building the list of algorithms */
2561 2563
2562 2564 actp = (struct spd_ext_actions *)extv[SPD_EXT_ACTION];
2563 2565 if (actp == NULL)
2564 2566 return (SPD_DIAGNOSTIC_NO_ACTION_EXT);
2565 2567
2566 2568 start = (uint64_t *)actp;
2567 2569 end = (start + actp->spd_actions_len);
2568 2570 endattr = (struct spd_attribute *)end;
2569 2571 attr = (struct spd_attribute *)&actp[1];
2570 2572
2571 2573 bzero(spds->spds_algs, IPSEC_NALGTYPES * IPSEC_MAX_ALGS *
2572 2574 sizeof (ipsec_alginfo_t *));
2573 2575
2574 2576 alg = kmem_zalloc(sizeof (*alg), KM_SLEEP);
2575 2577
2576 2578 #define ALG_KEY_SIZES(a) (((a)->alg_nkey_sizes + 1) * sizeof (uint16_t))
2577 2579 #define ALG_BLOCK_SIZES(a) (((a)->alg_nblock_sizes + 1) * sizeof (uint16_t))
2578 2580 #define ALG_PARAM_SIZES(a) (((a)->alg_nparams + 1) * sizeof (uint16_t))
2579 2581
2580 2582 while (attr < endattr) {
2581 2583 switch (attr->spd_attr_tag) {
2582 2584 case SPD_ATTR_NOP:
2583 2585 case SPD_ATTR_EMPTY:
2584 2586 break;
2585 2587 case SPD_ATTR_END:
2586 2588 attr = endattr;
2587 2589 /* FALLTHRU */
2588 2590 case SPD_ATTR_NEXT:
2589 2591 if (doing_proto) {
2590 2592 doing_proto = B_FALSE;
2591 2593 break;
2592 2594 }
2593 2595 if (skip_alg) {
2594 2596 ipsec_alg_free(alg);
2595 2597 } else {
2596 2598 ipsec_alg_free(
2597 2599 spds->spds_algs[alg_type][alg->alg_id]);
2598 2600 spds->spds_algs[alg_type][alg->alg_id] =
2599 2601 alg;
2600 2602 }
2601 2603 alg = kmem_zalloc(sizeof (*alg), KM_SLEEP);
2602 2604 break;
2603 2605
2604 2606 case SPD_ATTR_ALG_ID:
2605 2607 if (attr->spd_attr_value >= IPSEC_MAX_ALGS) {
2606 2608 ss1dbg(spds, ("spdsock_do_updatealg: "
2607 2609 "invalid alg id %d\n",
2608 2610 attr->spd_attr_value));
2609 2611 diag = SPD_DIAGNOSTIC_ALG_ID_RANGE;
2610 2612 goto bail;
2611 2613 }
2612 2614 alg->alg_id = attr->spd_attr_value;
2613 2615 break;
2614 2616
2615 2617 case SPD_ATTR_ALG_PROTO:
2616 2618 /* find the alg type */
2617 2619 for (i = 0; i < NALGPROTOS; i++)
2618 2620 if (algproto[i] == attr->spd_attr_value)
2619 2621 break;
2620 2622 skip_alg = (i == NALGPROTOS);
2621 2623 if (!skip_alg)
2622 2624 alg_type = i;
2623 2625 break;
2624 2626
2625 2627 case SPD_ATTR_ALG_INCRBITS:
2626 2628 alg->alg_increment = attr->spd_attr_value;
2627 2629 break;
2628 2630
2629 2631 case SPD_ATTR_ALG_NKEYSIZES:
2630 2632 if (alg->alg_key_sizes != NULL) {
2631 2633 kmem_free(alg->alg_key_sizes,
2632 2634 ALG_KEY_SIZES(alg));
2633 2635 }
2634 2636 alg->alg_nkey_sizes = attr->spd_attr_value;
2635 2637 /*
2636 2638 * Allocate room for the trailing zero key size
2637 2639 * value as well.
2638 2640 */
2639 2641 alg->alg_key_sizes = kmem_zalloc(ALG_KEY_SIZES(alg),
2640 2642 KM_SLEEP);
2641 2643 cur_key = 0;
2642 2644 break;
2643 2645
2644 2646 case SPD_ATTR_ALG_KEYSIZE:
2645 2647 if (alg->alg_key_sizes == NULL ||
2646 2648 cur_key >= alg->alg_nkey_sizes) {
2647 2649 ss1dbg(spds, ("spdsock_do_updatealg: "
2648 2650 "too many key sizes\n"));
2649 2651 diag = SPD_DIAGNOSTIC_ALG_NUM_KEY_SIZES;
2650 2652 goto bail;
2651 2653 }
2652 2654 alg->alg_key_sizes[cur_key++] = attr->spd_attr_value;
2653 2655 break;
2654 2656
2655 2657 case SPD_ATTR_ALG_FLAGS:
2656 2658 /*
2657 2659 * Flags (bit mask). The alg_flags element of
2658 2660 * ipsecalg_flags_t is only 8 bits wide. The
2659 2661 * user can set the VALID bit, but we will ignore it
2660 2662 * and make the decision is the algorithm is valid.
2661 2663 */
2662 2664 alg->alg_flags |= (uint8_t)attr->spd_attr_value;
2663 2665 break;
2664 2666
2665 2667 case SPD_ATTR_ALG_NBLOCKSIZES:
2666 2668 if (alg->alg_block_sizes != NULL) {
2667 2669 kmem_free(alg->alg_block_sizes,
2668 2670 ALG_BLOCK_SIZES(alg));
2669 2671 }
2670 2672 alg->alg_nblock_sizes = attr->spd_attr_value;
2671 2673 /*
2672 2674 * Allocate room for the trailing zero block size
2673 2675 * value as well.
2674 2676 */
2675 2677 alg->alg_block_sizes = kmem_zalloc(ALG_BLOCK_SIZES(alg),
2676 2678 KM_SLEEP);
2677 2679 cur_block = 0;
2678 2680 break;
2679 2681
2680 2682 case SPD_ATTR_ALG_BLOCKSIZE:
2681 2683 if (alg->alg_block_sizes == NULL ||
2682 2684 cur_block >= alg->alg_nblock_sizes) {
2683 2685 ss1dbg(spds, ("spdsock_do_updatealg: "
2684 2686 "too many block sizes\n"));
2685 2687 diag = SPD_DIAGNOSTIC_ALG_NUM_BLOCK_SIZES;
2686 2688 goto bail;
2687 2689 }
2688 2690 alg->alg_block_sizes[cur_block++] =
2689 2691 attr->spd_attr_value;
2690 2692 break;
2691 2693
2692 2694 case SPD_ATTR_ALG_NPARAMS:
2693 2695 if (alg->alg_params != NULL) {
2694 2696 kmem_free(alg->alg_params,
2695 2697 ALG_PARAM_SIZES(alg));
2696 2698 }
2697 2699 alg->alg_nparams = attr->spd_attr_value;
2698 2700 /*
2699 2701 * Allocate room for the trailing zero block size
2700 2702 * value as well.
2701 2703 */
2702 2704 alg->alg_params = kmem_zalloc(ALG_PARAM_SIZES(alg),
2703 2705 KM_SLEEP);
2704 2706 cur_block = 0;
2705 2707 break;
2706 2708
2707 2709 case SPD_ATTR_ALG_PARAMS:
2708 2710 if (alg->alg_params == NULL ||
2709 2711 cur_block >= alg->alg_nparams) {
2710 2712 ss1dbg(spds, ("spdsock_do_updatealg: "
2711 2713 "too many params\n"));
2712 2714 diag = SPD_DIAGNOSTIC_ALG_NUM_BLOCK_SIZES;
2713 2715 goto bail;
2714 2716 }
2715 2717 /*
2716 2718 * Array contains: iv_len, icv_len, salt_len
2717 2719 * Any additional parameters are currently ignored.
2718 2720 */
2719 2721 alg->alg_params[cur_block++] =
2720 2722 attr->spd_attr_value;
2721 2723 break;
2722 2724
2723 2725 case SPD_ATTR_ALG_MECHNAME: {
2724 2726 char *mech_name;
2725 2727
2726 2728 if (attr->spd_attr_value > CRYPTO_MAX_MECH_NAME) {
2727 2729 ss1dbg(spds, ("spdsock_do_updatealg: "
2728 2730 "mech name too long\n"));
2729 2731 diag = SPD_DIAGNOSTIC_ALG_MECH_NAME_LEN;
2730 2732 goto bail;
2731 2733 }
2732 2734 mech_name = (char *)(attr + 1);
2733 2735 bcopy(mech_name, alg->alg_mech_name,
2734 2736 attr->spd_attr_value);
2735 2737 alg->alg_mech_name[CRYPTO_MAX_MECH_NAME-1] = '\0';
2736 2738 attr = (struct spd_attribute *)((char *)attr +
2737 2739 attr->spd_attr_value);
2738 2740 break;
2739 2741 }
2740 2742
2741 2743 case SPD_ATTR_PROTO_ID:
2742 2744 doing_proto = B_TRUE;
2743 2745 for (i = 0; i < NALGPROTOS; i++) {
2744 2746 if (algproto[i] == attr->spd_attr_value) {
2745 2747 alg_type = i;
2746 2748 break;
2747 2749 }
2748 2750 }
2749 2751 break;
2750 2752
2751 2753 case SPD_ATTR_PROTO_EXEC_MODE:
2752 2754 if (!doing_proto)
2753 2755 break;
2754 2756 for (i = 0; i < NEXECMODES; i++) {
2755 2757 if (execmodes[i] == attr->spd_attr_value) {
2756 2758 spds->spds_algs_exec_mode[alg_type] = i;
2757 2759 break;
2758 2760 }
2759 2761 }
2760 2762 break;
2761 2763 }
2762 2764 attr++;
2763 2765 }
2764 2766
2765 2767 #undef ALG_KEY_SIZES
2766 2768 #undef ALG_BLOCK_SIZES
2767 2769 #undef ALG_PARAM_SIZES
2768 2770
2769 2771 /* update the algorithm tables */
2770 2772 spdsock_merge_algs(spds);
2771 2773 bail:
2772 2774 /* cleanup */
2773 2775 ipsec_alg_free(alg);
2774 2776 for (alg_type = 0; alg_type < IPSEC_NALGTYPES; alg_type++)
2775 2777 for (algid = 0; algid < IPSEC_MAX_ALGS; algid++)
2776 2778 if (spds->spds_algs[alg_type][algid] != NULL)
2777 2779 ipsec_alg_free(spds->spds_algs[alg_type][algid]);
2778 2780 return (diag);
2779 2781 }
2780 2782
2781 2783 /*
2782 2784 * Process an SPD_UPDATEALGS request. If IPsec is not loaded, queue
2783 2785 * the request until IPsec loads. If IPsec is loaded, act on it
2784 2786 * immediately.
2785 2787 */
2786 2788
2787 2789 static void
2788 2790 spdsock_updatealg(queue_t *q, mblk_t *mp, spd_ext_t *extv[])
2789 2791 {
2790 2792 spdsock_t *ss = (spdsock_t *)q->q_ptr;
2791 2793 spd_stack_t *spds = ss->spdsock_spds;
2792 2794 ipsec_stack_t *ipss = spds->spds_netstack->netstack_ipsec;
2793 2795 uint32_t auditing = AU_AUDITING();
2794 2796
2795 2797 if (!ipsec_loaded(ipss)) {
2796 2798 /*
2797 2799 * IPsec is not loaded, save request and return nicely,
2798 2800 * the message will be processed once IPsec loads.
2799 2801 */
2800 2802 mblk_t *new_mp;
2801 2803
2802 2804 /* last update message wins */
2803 2805 if ((new_mp = copymsg(mp)) == NULL) {
2804 2806 spdsock_error(q, mp, ENOMEM, 0);
2805 2807 return;
2806 2808 }
2807 2809 mutex_enter(&spds->spds_alg_lock);
2808 2810 bcopy(extv, spds->spds_extv_algs,
2809 2811 sizeof (spd_ext_t *) * (SPD_EXT_MAX + 1));
2810 2812 if (spds->spds_mp_algs != NULL)
2811 2813 freemsg(spds->spds_mp_algs);
2812 2814 spds->spds_mp_algs = mp;
2813 2815 mutex_exit(&spds->spds_alg_lock);
2814 2816 if (auditing) {
2815 2817 cred_t *cr;
2816 2818 pid_t cpid;
2817 2819
2818 2820 cr = msg_getcred(mp, &cpid);
2819 2821 audit_pf_policy(SPD_UPDATEALGS, cr,
2820 2822 spds->spds_netstack, NULL, B_TRUE, EAGAIN,
2821 2823 cpid);
2822 2824 }
2823 2825 spd_echo(q, new_mp);
2824 2826 } else {
2825 2827 /*
2826 2828 * IPsec is loaded, act on the message immediately.
2827 2829 */
2828 2830 int diag;
2829 2831
2830 2832 mutex_enter(&spds->spds_alg_lock);
2831 2833 diag = spdsock_do_updatealg(extv, spds);
2832 2834 if (diag == -1) {
2833 2835 /* Keep the lock held while we walk the SA tables. */
2834 2836 sadb_alg_update(IPSEC_ALG_ALL, 0, 0,
2835 2837 spds->spds_netstack);
2836 2838 mutex_exit(&spds->spds_alg_lock);
2837 2839 spd_echo(q, mp);
2838 2840 if (auditing) {
2839 2841 cred_t *cr;
2840 2842 pid_t cpid;
2841 2843
2842 2844 cr = msg_getcred(mp, &cpid);
2843 2845 audit_pf_policy(SPD_UPDATEALGS, cr,
2844 2846 spds->spds_netstack, NULL, B_TRUE, 0,
2845 2847 cpid);
2846 2848 }
2847 2849 } else {
2848 2850 mutex_exit(&spds->spds_alg_lock);
2849 2851 spdsock_diag(q, mp, diag);
2850 2852 if (auditing) {
2851 2853 cred_t *cr;
2852 2854 pid_t cpid;
2853 2855
2854 2856 cr = msg_getcred(mp, &cpid);
2855 2857 audit_pf_policy(SPD_UPDATEALGS, cr,
2856 2858 spds->spds_netstack, NULL, B_TRUE, diag,
2857 2859 cpid);
2858 2860 }
2859 2861 }
2860 2862 }
2861 2863 }
2862 2864
2863 2865 /*
2864 2866 * Find a tunnel instance (using the name to link ID mapping), and
2865 2867 * update it after an IPsec change. We need to do this always in case
2866 2868 * we add policy AFTER plumbing a tunnel. We also need to do this
2867 2869 * because, as a side-effect, the tunnel's MTU is updated to reflect
2868 2870 * any IPsec overhead in the itp's policy.
2869 2871 */
2870 2872 static void
2871 2873 update_iptun_policy(ipsec_tun_pol_t *itp)
2872 2874 {
2873 2875 datalink_id_t linkid;
2874 2876
2875 2877 if (dls_mgmt_get_linkid(itp->itp_name, &linkid) == 0)
2876 2878 iptun_set_policy(linkid, itp);
2877 2879 }
2878 2880
2879 2881 /*
2880 2882 * Sort through the mess of polhead options to retrieve an appropriate one.
2881 2883 * Returns NULL if we send an spdsock error. Returns a valid pointer if we
2882 2884 * found a valid polhead. Returns ALL_ACTIVE_POLHEADS (aka. -1) or
2883 2885 * ALL_INACTIVE_POLHEADS (aka. -2) if the operation calls for the operation to
2884 2886 * act on ALL policy heads.
2885 2887 */
2886 2888 static ipsec_policy_head_t *
2887 2889 get_appropriate_polhead(queue_t *q, mblk_t *mp, spd_if_t *tunname, int spdid,
2888 2890 int msgtype, ipsec_tun_pol_t **itpp)
2889 2891 {
2890 2892 ipsec_tun_pol_t *itp;
2891 2893 ipsec_policy_head_t *iph;
2892 2894 int errno;
2893 2895 char *tname;
2894 2896 boolean_t active;
2895 2897 spdsock_t *ss = (spdsock_t *)q->q_ptr;
2896 2898 netstack_t *ns = ss->spdsock_spds->spds_netstack;
2897 2899 uint64_t gen; /* Placeholder */
2898 2900
2899 2901 active = (spdid == SPD_ACTIVE);
2900 2902 *itpp = NULL;
2901 2903 if (!active && spdid != SPD_STANDBY) {
2902 2904 spdsock_diag(q, mp, SPD_DIAGNOSTIC_BAD_SPDID);
2903 2905 return (NULL);
2904 2906 }
2905 2907
2906 2908 if (tunname != NULL) {
2907 2909 /* Acting on a tunnel's SPD. */
2908 2910 tname = (char *)tunname->spd_if_name;
2909 2911 if (*tname == '\0') {
2910 2912 /* Handle all-polhead cases here. */
2911 2913 if (msgtype != SPD_FLUSH && msgtype != SPD_DUMP) {
2912 2914 spdsock_diag(q, mp,
2913 2915 SPD_DIAGNOSTIC_NOT_GLOBAL_OP);
2914 2916 return (NULL);
2915 2917 }
2916 2918 return (active ? ALL_ACTIVE_POLHEADS :
2917 2919 ALL_INACTIVE_POLHEADS);
2918 2920 }
2919 2921
2920 2922 itp = get_tunnel_policy(tname, ns);
2921 2923 if (itp == NULL) {
2922 2924 if (msgtype != SPD_ADDRULE) {
2923 2925 /* "Tunnel not found" */
2924 2926 spdsock_error(q, mp, ENOENT, 0);
2925 2927 return (NULL);
2926 2928 }
2927 2929
2928 2930 errno = 0;
2929 2931 itp = create_tunnel_policy(tname, &errno, &gen, ns);
2930 2932 if (itp == NULL) {
2931 2933 /*
2932 2934 * Something very bad happened, most likely
2933 2935 * ENOMEM. Return an indicator.
2934 2936 */
2935 2937 spdsock_error(q, mp, errno, 0);
2936 2938 return (NULL);
2937 2939 }
2938 2940 }
2939 2941
2940 2942 /* Match up the itp to an iptun instance. */
2941 2943 update_iptun_policy(itp);
2942 2944
2943 2945 *itpp = itp;
2944 2946 /* For spdsock dump state, set the polhead's name. */
2945 2947 if (msgtype == SPD_DUMP) {
2946 2948 ITP_REFHOLD(itp);
2947 2949 ss->spdsock_itp = itp;
2948 2950 ss->spdsock_dump_tunnel = itp->itp_flags &
2949 2951 (active ? ITPF_P_TUNNEL : ITPF_I_TUNNEL);
2950 2952 }
2951 2953 } else {
2952 2954 itp = NULL;
2953 2955 /* For spdsock dump state, indicate it's global policy. */
2954 2956 if (msgtype == SPD_DUMP)
2955 2957 ss->spdsock_itp = NULL;
2956 2958 }
2957 2959
2958 2960 if (active)
2959 2961 iph = (itp == NULL) ? ipsec_system_policy(ns) : itp->itp_policy;
2960 2962 else
2961 2963 iph = (itp == NULL) ? ipsec_inactive_policy(ns) :
2962 2964 itp->itp_inactive;
2963 2965
2964 2966 ASSERT(iph != NULL);
2965 2967 if (itp != NULL) {
2966 2968 IPPH_REFHOLD(iph);
2967 2969 }
2968 2970
2969 2971 return (iph);
2970 2972 }
2971 2973
2972 2974 static void
2973 2975 spdsock_parse(queue_t *q, mblk_t *mp)
2974 2976 {
2975 2977 spd_msg_t *spmsg;
2976 2978 spd_ext_t *extv[SPD_EXT_MAX + 1];
2977 2979 uint_t msgsize;
2978 2980 ipsec_policy_head_t *iph;
2979 2981 ipsec_tun_pol_t *itp;
2980 2982 spd_if_t *tunname;
2981 2983 spdsock_t *ss = (spdsock_t *)q->q_ptr;
2982 2984 spd_stack_t *spds = ss->spdsock_spds;
2983 2985 netstack_t *ns = spds->spds_netstack;
2984 2986 ipsec_stack_t *ipss = ns->netstack_ipsec;
2985 2987
2986 2988 /* Make sure nothing's below me. */
2987 2989 ASSERT(WR(q)->q_next == NULL);
2988 2990
2989 2991 spmsg = (spd_msg_t *)mp->b_rptr;
2990 2992
2991 2993 msgsize = SPD_64TO8(spmsg->spd_msg_len);
2992 2994
2993 2995 if (msgdsize(mp) != msgsize) {
2994 2996 /*
2995 2997 * Message len incorrect w.r.t. actual size. Send an error
2996 2998 * (EMSGSIZE). It may be necessary to massage things a
2997 2999 * bit. For example, if the spd_msg_type is hosed,
2998 3000 * I need to set it to SPD_RESERVED to get delivery to
2999 3001 * do the right thing. Then again, maybe just letting
3000 3002 * the error delivery do the right thing.
3001 3003 */
3002 3004 ss2dbg(spds,
3003 3005 ("mblk (%lu) and base (%d) message sizes don't jibe.\n",
3004 3006 msgdsize(mp), msgsize));
3005 3007 spdsock_error(q, mp, EMSGSIZE, SPD_DIAGNOSTIC_NONE);
3006 3008 return;
3007 3009 }
3008 3010
3009 3011 if (msgsize > (uint_t)(mp->b_wptr - mp->b_rptr)) {
3010 3012 /* Get all message into one mblk. */
3011 3013 if (pullupmsg(mp, -1) == 0) {
3012 3014 /*
3013 3015 * Something screwy happened.
3014 3016 */
3015 3017 ss3dbg(spds, ("spdsock_parse: pullupmsg() failed.\n"));
3016 3018 return;
3017 3019 } else {
3018 3020 spmsg = (spd_msg_t *)mp->b_rptr;
3019 3021 }
3020 3022 }
3021 3023
3022 3024 switch (spdsock_get_ext(extv, spmsg, msgsize)) {
3023 3025 case KGE_DUP:
3024 3026 /* Handle duplicate extension. */
3025 3027 ss1dbg(spds, ("Got duplicate extension of type %d.\n",
3026 3028 extv[0]->spd_ext_type));
3027 3029 spdsock_diag(q, mp, dup_ext_diag[extv[0]->spd_ext_type]);
3028 3030 return;
3029 3031 case KGE_UNK:
3030 3032 /* Handle unknown extension. */
3031 3033 ss1dbg(spds, ("Got unknown extension of type %d.\n",
3032 3034 extv[0]->spd_ext_type));
3033 3035 spdsock_diag(q, mp, SPD_DIAGNOSTIC_UNKNOWN_EXT);
3034 3036 return;
3035 3037 case KGE_LEN:
3036 3038 /* Length error. */
3037 3039 ss1dbg(spds, ("Length %d on extension type %d overrun or 0.\n",
3038 3040 extv[0]->spd_ext_len, extv[0]->spd_ext_type));
3039 3041 spdsock_diag(q, mp, SPD_DIAGNOSTIC_BAD_EXTLEN);
3040 3042 return;
3041 3043 case KGE_CHK:
3042 3044 /* Reality check failed. */
3043 3045 ss1dbg(spds, ("Reality check failed on extension type %d.\n",
3044 3046 extv[0]->spd_ext_type));
3045 3047 spdsock_diag(q, mp, bad_ext_diag[extv[0]->spd_ext_type]);
3046 3048 return;
3047 3049 default:
3048 3050 /* Default case is no errors. */
3049 3051 break;
3050 3052 }
3051 3053
3052 3054 /*
3053 3055 * Special-case SPD_UPDATEALGS so as not to load IPsec.
3054 3056 */
3055 3057 if (!ipsec_loaded(ipss) && spmsg->spd_msg_type != SPD_UPDATEALGS) {
3056 3058 spdsock_t *ss = (spdsock_t *)q->q_ptr;
3057 3059
3058 3060 ASSERT(ss != NULL);
3059 3061 ipsec_loader_loadnow(ipss);
3060 3062 ss->spdsock_timeout_arg = mp;
3061 3063 ss->spdsock_timeout = qtimeout(q, spdsock_loadcheck,
3062 3064 q, LOADCHECK_INTERVAL);
3063 3065 return;
3064 3066 }
3065 3067
3066 3068 /* First check for messages that need no polheads at all. */
3067 3069 switch (spmsg->spd_msg_type) {
3068 3070 case SPD_UPDATEALGS:
3069 3071 spdsock_updatealg(q, mp, extv);
3070 3072 return;
3071 3073 case SPD_ALGLIST:
3072 3074 spdsock_alglist(q, mp);
3073 3075 return;
3074 3076 case SPD_DUMPALGS:
3075 3077 spdsock_dumpalgs(q, mp);
3076 3078 return;
3077 3079 }
3078 3080
3079 3081 /*
3080 3082 * Then check for ones that need both primary/secondary polheads,
3081 3083 * finding the appropriate tunnel policy if need be.
3082 3084 */
3083 3085 tunname = (spd_if_t *)extv[SPD_EXT_TUN_NAME];
3084 3086 switch (spmsg->spd_msg_type) {
3085 3087 case SPD_FLIP:
3086 3088 spdsock_flip(q, mp, tunname);
3087 3089 return;
3088 3090 case SPD_CLONE:
3089 3091 spdsock_clone(q, mp, tunname);
3090 3092 return;
3091 3093 }
3092 3094
3093 3095 /*
3094 3096 * Finally, find ones that operate on exactly one polhead, or
3095 3097 * "all polheads" of a given type (active/inactive).
3096 3098 */
3097 3099 iph = get_appropriate_polhead(q, mp, tunname, spmsg->spd_msg_spdid,
3098 3100 spmsg->spd_msg_type, &itp);
3099 3101 if (iph == NULL)
3100 3102 return;
3101 3103
3102 3104 /* All-polheads-ready operations. */
3103 3105 switch (spmsg->spd_msg_type) {
3104 3106 case SPD_FLUSH:
3105 3107 if (itp != NULL) {
3106 3108 mutex_enter(&itp->itp_lock);
3107 3109 if (spmsg->spd_msg_spdid == SPD_ACTIVE)
3108 3110 itp->itp_flags &= ~ITPF_PFLAGS;
3109 3111 else
3110 3112 itp->itp_flags &= ~ITPF_IFLAGS;
3111 3113 mutex_exit(&itp->itp_lock);
3112 3114 }
3113 3115
3114 3116 spdsock_flush(q, iph, itp, mp);
3115 3117
3116 3118 if (itp != NULL) {
3117 3119 /* SPD_FLUSH is worth a tunnel MTU check. */
3118 3120 update_iptun_policy(itp);
3119 3121 ITP_REFRELE(itp, ns);
3120 3122 }
3121 3123 return;
3122 3124 case SPD_DUMP:
3123 3125 if (itp != NULL)
3124 3126 ITP_REFRELE(itp, ns);
3125 3127 spdsock_dump(q, iph, mp);
3126 3128 return;
3127 3129 }
3128 3130
3129 3131 if (iph == ALL_ACTIVE_POLHEADS || iph == ALL_INACTIVE_POLHEADS) {
3130 3132 spdsock_diag(q, mp, SPD_DIAGNOSTIC_NOT_GLOBAL_OP);
3131 3133 return;
3132 3134 }
3133 3135
3134 3136 /* Single-polhead-only operations. */
3135 3137 switch (spmsg->spd_msg_type) {
3136 3138 case SPD_ADDRULE:
3137 3139 spdsock_addrule(q, iph, mp, extv, itp);
3138 3140 break;
3139 3141 case SPD_DELETERULE:
3140 3142 spdsock_deleterule(q, iph, mp, extv, itp);
3141 3143 break;
3142 3144 case SPD_LOOKUP:
3143 3145 spdsock_lookup(q, iph, mp, extv, itp);
3144 3146 break;
3145 3147 default:
3146 3148 spdsock_diag(q, mp, SPD_DIAGNOSTIC_BAD_MSG_TYPE);
3147 3149 break;
3148 3150 }
3149 3151
3150 3152 IPPH_REFRELE(iph, ns);
3151 3153 if (itp != NULL) {
3152 3154 /* SPD_{ADD,DELETE}RULE are worth a tunnel MTU check. */
3153 3155 if (spmsg->spd_msg_type == SPD_ADDRULE ||
3154 3156 spmsg->spd_msg_type == SPD_DELETERULE)
3155 3157 update_iptun_policy(itp);
3156 3158 ITP_REFRELE(itp, ns);
3157 3159 }
3158 3160 }
3159 3161
3160 3162 /*
3161 3163 * If an algorithm mapping was received before IPsec was loaded, process it.
3162 3164 * Called from the IPsec loader.
3163 3165 */
3164 3166 void
3165 3167 spdsock_update_pending_algs(netstack_t *ns)
3166 3168 {
3167 3169 spd_stack_t *spds = ns->netstack_spdsock;
3168 3170
3169 3171 mutex_enter(&spds->spds_alg_lock);
3170 3172 if (spds->spds_mp_algs != NULL) {
3171 3173 (void) spdsock_do_updatealg(spds->spds_extv_algs, spds);
3172 3174 freemsg(spds->spds_mp_algs);
3173 3175 spds->spds_mp_algs = NULL;
3174 3176 }
3175 3177 mutex_exit(&spds->spds_alg_lock);
3176 3178 }
3177 3179
3178 3180 static void
3179 3181 spdsock_loadcheck(void *arg)
3180 3182 {
3181 3183 queue_t *q = (queue_t *)arg;
3182 3184 spdsock_t *ss = (spdsock_t *)q->q_ptr;
3183 3185 mblk_t *mp;
3184 3186 ipsec_stack_t *ipss = ss->spdsock_spds->spds_netstack->netstack_ipsec;
3185 3187
3186 3188 ASSERT(ss != NULL);
3187 3189
3188 3190 ss->spdsock_timeout = 0;
3189 3191 mp = ss->spdsock_timeout_arg;
3190 3192 ASSERT(mp != NULL);
3191 3193 ss->spdsock_timeout_arg = NULL;
3192 3194 if (ipsec_failed(ipss))
3193 3195 spdsock_error(q, mp, EPROTONOSUPPORT, 0);
3194 3196 else
3195 3197 spdsock_parse(q, mp);
3196 3198 }
3197 3199
3198 3200 /*
3199 3201 * Copy relevant state bits.
3200 3202 */
3201 3203 static void
3202 3204 spdsock_copy_info(struct T_info_ack *tap, spdsock_t *ss)
3203 3205 {
3204 3206 *tap = spdsock_g_t_info_ack;
3205 3207 tap->CURRENT_state = ss->spdsock_state;
3206 3208 tap->OPT_size = spdsock_max_optsize;
3207 3209 }
3208 3210
3209 3211 /*
3210 3212 * This routine responds to T_CAPABILITY_REQ messages. It is called by
3211 3213 * spdsock_wput. Much of the T_CAPABILITY_ACK information is copied from
3212 3214 * spdsock_g_t_info_ack. The current state of the stream is copied from
3213 3215 * spdsock_state.
3214 3216 */
3215 3217 static void
3216 3218 spdsock_capability_req(queue_t *q, mblk_t *mp)
3217 3219 {
3218 3220 spdsock_t *ss = (spdsock_t *)q->q_ptr;
3219 3221 t_uscalar_t cap_bits1;
3220 3222 struct T_capability_ack *tcap;
3221 3223
3222 3224 cap_bits1 = ((struct T_capability_req *)mp->b_rptr)->CAP_bits1;
3223 3225
3224 3226 mp = tpi_ack_alloc(mp, sizeof (struct T_capability_ack),
3225 3227 mp->b_datap->db_type, T_CAPABILITY_ACK);
3226 3228 if (mp == NULL)
3227 3229 return;
3228 3230
3229 3231 tcap = (struct T_capability_ack *)mp->b_rptr;
3230 3232 tcap->CAP_bits1 = 0;
3231 3233
3232 3234 if (cap_bits1 & TC1_INFO) {
3233 3235 spdsock_copy_info(&tcap->INFO_ack, ss);
3234 3236 tcap->CAP_bits1 |= TC1_INFO;
3235 3237 }
3236 3238
3237 3239 qreply(q, mp);
3238 3240 }
3239 3241
3240 3242 /*
3241 3243 * This routine responds to T_INFO_REQ messages. It is called by
3242 3244 * spdsock_wput_other.
3243 3245 * Most of the T_INFO_ACK information is copied from spdsock_g_t_info_ack.
3244 3246 * The current state of the stream is copied from spdsock_state.
3245 3247 */
3246 3248 static void
3247 3249 spdsock_info_req(
3248 3250 queue_t *q,
3249 3251 mblk_t *mp)
3250 3252 {
3251 3253 mp = tpi_ack_alloc(mp, sizeof (struct T_info_ack), M_PCPROTO,
3252 3254 T_INFO_ACK);
3253 3255 if (mp == NULL)
3254 3256 return;
3255 3257 spdsock_copy_info((struct T_info_ack *)mp->b_rptr,
3256 3258 (spdsock_t *)q->q_ptr);
3257 3259 qreply(q, mp);
3258 3260 }
3259 3261
3260 3262 /*
3261 3263 * spdsock_err_ack. This routine creates a
3262 3264 * T_ERROR_ACK message and passes it
3263 3265 * upstream.
3264 3266 */
3265 3267 static void
3266 3268 spdsock_err_ack(
3267 3269 queue_t *q,
3268 3270 mblk_t *mp,
3269 3271 int t_error,
3270 3272 int sys_error)
3271 3273 {
3272 3274 if ((mp = mi_tpi_err_ack_alloc(mp, t_error, sys_error)) != NULL)
3273 3275 qreply(q, mp);
3274 3276 }
3275 3277
3276 3278 /*
3277 3279 * This routine retrieves the current status of socket options.
3278 3280 * It returns the size of the option retrieved.
3279 3281 */
3280 3282 /* ARGSUSED */
3281 3283 int
3282 3284 spdsock_opt_get(queue_t *q, int level, int name, uchar_t *ptr)
3283 3285 {
3284 3286 int *i1 = (int *)ptr;
3285 3287
3286 3288 switch (level) {
3287 3289 case SOL_SOCKET:
3288 3290 switch (name) {
3289 3291 case SO_TYPE:
3290 3292 *i1 = SOCK_RAW;
3291 3293 break;
3292 3294 /*
3293 3295 * The following two items can be manipulated,
3294 3296 * but changing them should do nothing.
3295 3297 */
3296 3298 case SO_SNDBUF:
3297 3299 *i1 = (int)q->q_hiwat;
3298 3300 break;
3299 3301 case SO_RCVBUF:
3300 3302 *i1 = (int)(RD(q)->q_hiwat);
3301 3303 break;
3302 3304 }
3303 3305 break;
3304 3306 default:
3305 3307 return (0);
3306 3308 }
3307 3309 return (sizeof (int));
3308 3310 }
3309 3311
3310 3312 /*
3311 3313 * This routine sets socket options.
3312 3314 */
3313 3315 /* ARGSUSED */
3314 3316 int
3315 3317 spdsock_opt_set(queue_t *q, uint_t mgmt_flags, int level, int name,
3316 3318 uint_t inlen, uchar_t *invalp, uint_t *outlenp, uchar_t *outvalp,
3317 3319 void *thisdg_attrs, cred_t *cr)
3318 3320 {
3319 3321 int *i1 = (int *)invalp;
3320 3322 spdsock_t *ss = (spdsock_t *)q->q_ptr;
3321 3323 spd_stack_t *spds = ss->spdsock_spds;
3322 3324
3323 3325 switch (level) {
3324 3326 case SOL_SOCKET:
3325 3327 switch (name) {
3326 3328 case SO_SNDBUF:
3327 3329 if (*i1 > spds->spds_max_buf)
3328 3330 return (ENOBUFS);
3329 3331 q->q_hiwat = *i1;
3330 3332 break;
3331 3333 case SO_RCVBUF:
3332 3334 if (*i1 > spds->spds_max_buf)
3333 3335 return (ENOBUFS);
3334 3336 RD(q)->q_hiwat = *i1;
3335 3337 (void) proto_set_rx_hiwat(RD(q), NULL, *i1);
3336 3338 break;
3337 3339 }
3338 3340 break;
3339 3341 }
3340 3342 return (0);
3341 3343 }
3342 3344
3343 3345
3344 3346 /*
3345 3347 * Handle STREAMS messages.
3346 3348 */
3347 3349 static void
3348 3350 spdsock_wput_other(queue_t *q, mblk_t *mp)
3349 3351 {
3350 3352 struct iocblk *iocp;
3351 3353 int error;
3352 3354 spdsock_t *ss = (spdsock_t *)q->q_ptr;
3353 3355 spd_stack_t *spds = ss->spdsock_spds;
3354 3356 cred_t *cr;
3355 3357
3356 3358 switch (mp->b_datap->db_type) {
3357 3359 case M_PROTO:
3358 3360 case M_PCPROTO:
3359 3361 if ((mp->b_wptr - mp->b_rptr) < sizeof (long)) {
3360 3362 ss3dbg(spds, (
3361 3363 "spdsock_wput_other: Not big enough M_PROTO\n"));
3362 3364 freemsg(mp);
3363 3365 return;
3364 3366 }
3365 3367 switch (((union T_primitives *)mp->b_rptr)->type) {
3366 3368 case T_CAPABILITY_REQ:
3367 3369 spdsock_capability_req(q, mp);
3368 3370 break;
3369 3371 case T_INFO_REQ:
3370 3372 spdsock_info_req(q, mp);
3371 3373 break;
3372 3374 case T_SVR4_OPTMGMT_REQ:
3373 3375 case T_OPTMGMT_REQ:
3374 3376 /*
3375 3377 * All Solaris components should pass a db_credp
3376 3378 * for this TPI message, hence we ASSERT.
3377 3379 * But in case there is some other M_PROTO that looks
3378 3380 * like a TPI message sent by some other kernel
3379 3381 * component, we check and return an error.
3380 3382 */
3381 3383 cr = msg_getcred(mp, NULL);
3382 3384 ASSERT(cr != NULL);
3383 3385 if (cr == NULL) {
3384 3386 spdsock_err_ack(q, mp, TSYSERR, EINVAL);
3385 3387 return;
3386 3388 }
3387 3389 if (((union T_primitives *)mp->b_rptr)->type ==
3388 3390 T_SVR4_OPTMGMT_REQ) {
3389 3391 svr4_optcom_req(q, mp, cr, &spdsock_opt_obj);
3390 3392 } else {
3391 3393 tpi_optcom_req(q, mp, cr, &spdsock_opt_obj);
3392 3394 }
3393 3395 break;
3394 3396 case T_DATA_REQ:
3395 3397 case T_EXDATA_REQ:
3396 3398 case T_ORDREL_REQ:
|
↓ open down ↓ |
3350 lines elided |
↑ open up ↑ |
3397 3399 /* Illegal for spdsock. */
3398 3400 freemsg(mp);
3399 3401 (void) putnextctl1(RD(q), M_ERROR, EPROTO);
3400 3402 break;
3401 3403 default:
3402 3404 /* Not supported by spdsock. */
3403 3405 spdsock_err_ack(q, mp, TNOTSUPPORT, 0);
3404 3406 break;
3405 3407 }
3406 3408 return;
3409 + case M_IOCDATA:
3410 + keysock_spdsock_wput_iocdata(q, mp, PF_POLICY);
3411 + return;
3407 3412 case M_IOCTL:
3408 3413 iocp = (struct iocblk *)mp->b_rptr;
3409 3414 error = EINVAL;
3410 3415
3411 3416 switch (iocp->ioc_cmd) {
3417 + case TI_GETMYNAME:
3418 + case TI_GETPEERNAME:
3419 + /*
3420 + * For pfiles(1) observability with getsockname().
3421 + * See keysock_spdsock_wput_iocdata() for the rest of
3422 + * this.
3423 + */
3424 + mi_copyin(q, mp, NULL,
3425 + SIZEOF_STRUCT(strbuf, iocp->ioc_flag));
3426 + return;
3412 3427 case ND_SET:
3413 3428 case ND_GET:
3414 3429 if (nd_getset(q, spds->spds_g_nd, mp)) {
3415 3430 qreply(q, mp);
3416 3431 return;
3417 3432 } else
3418 3433 error = ENOENT;
3419 3434 /* FALLTHRU */
3420 3435 default:
3421 3436 miocnak(q, mp, 0, error);
3422 3437 return;
3423 3438 }
3424 3439 case M_FLUSH:
3425 3440 if (*mp->b_rptr & FLUSHW) {
3426 3441 flushq(q, FLUSHALL);
3427 3442 *mp->b_rptr &= ~FLUSHW;
3428 3443 }
3429 3444 if (*mp->b_rptr & FLUSHR) {
3430 3445 qreply(q, mp);
3431 3446 return;
3432 3447 }
3433 3448 /* Else FALLTHRU */
3434 3449 }
3435 3450
3436 3451 /* If fell through, just black-hole the message. */
3437 3452 freemsg(mp);
3438 3453 }
3439 3454
3440 3455 static void
3441 3456 spdsock_wput(queue_t *q, mblk_t *mp)
3442 3457 {
3443 3458 uint8_t *rptr = mp->b_rptr;
3444 3459 mblk_t *mp1;
3445 3460 spdsock_t *ss = (spdsock_t *)q->q_ptr;
3446 3461 spd_stack_t *spds = ss->spdsock_spds;
3447 3462
3448 3463 /*
3449 3464 * If we're dumping, defer processing other messages until the
3450 3465 * dump completes.
3451 3466 */
3452 3467 if (ss->spdsock_dump_req != NULL) {
3453 3468 if (!putq(q, mp))
3454 3469 freemsg(mp);
3455 3470 return;
3456 3471 }
3457 3472
3458 3473 switch (mp->b_datap->db_type) {
3459 3474 case M_DATA:
3460 3475 /*
3461 3476 * Silently discard.
3462 3477 */
3463 3478 ss2dbg(spds, ("raw M_DATA in spdsock.\n"));
3464 3479 freemsg(mp);
3465 3480 return;
3466 3481 case M_PROTO:
3467 3482 case M_PCPROTO:
3468 3483 if ((mp->b_wptr - rptr) >= sizeof (struct T_data_req)) {
3469 3484 if (((union T_primitives *)rptr)->type == T_DATA_REQ) {
3470 3485 if ((mp1 = mp->b_cont) == NULL) {
3471 3486 /* No data after T_DATA_REQ. */
3472 3487 ss2dbg(spds,
3473 3488 ("No data after DATA_REQ.\n"));
3474 3489 freemsg(mp);
3475 3490 return;
3476 3491 }
3477 3492 freeb(mp);
3478 3493 mp = mp1;
3479 3494 ss2dbg(spds, ("T_DATA_REQ\n"));
3480 3495 break; /* Out of switch. */
3481 3496 }
3482 3497 }
3483 3498 /* FALLTHRU */
3484 3499 default:
3485 3500 ss3dbg(spds, ("In default wput case (%d %d).\n",
3486 3501 mp->b_datap->db_type, ((union T_primitives *)rptr)->type));
3487 3502 spdsock_wput_other(q, mp);
3488 3503 return;
3489 3504 }
3490 3505
3491 3506 /* I now have a PF_POLICY message in an M_DATA block. */
3492 3507 spdsock_parse(q, mp);
3493 3508 }
3494 3509
3495 3510 /*
3496 3511 * Device open procedure, called when new queue pair created.
3497 3512 * We are passed the read-side queue.
3498 3513 */
3499 3514 /* ARGSUSED */
3500 3515 static int
3501 3516 spdsock_open(queue_t *q, dev_t *devp, int flag, int sflag, cred_t *credp)
3502 3517 {
3503 3518 spdsock_t *ss;
3504 3519 queue_t *oq = OTHERQ(q);
3505 3520 minor_t ssminor;
3506 3521 netstack_t *ns;
3507 3522 spd_stack_t *spds;
3508 3523
3509 3524 if (secpolicy_ip_config(credp, B_FALSE) != 0)
3510 3525 return (EPERM);
3511 3526
3512 3527 if (q->q_ptr != NULL)
3513 3528 return (0); /* Re-open of an already open instance. */
3514 3529
3515 3530 if (sflag & MODOPEN)
3516 3531 return (EINVAL);
3517 3532
3518 3533 ns = netstack_find_by_cred(credp);
3519 3534 ASSERT(ns != NULL);
3520 3535 spds = ns->netstack_spdsock;
3521 3536 ASSERT(spds != NULL);
3522 3537
3523 3538 ss2dbg(spds, ("Made it into PF_POLICY socket open.\n"));
3524 3539
3525 3540 ssminor = (minor_t)(uintptr_t)vmem_alloc(spdsock_vmem, 1, VM_NOSLEEP);
3526 3541 if (ssminor == 0) {
3527 3542 netstack_rele(spds->spds_netstack);
3528 3543 return (ENOMEM);
3529 3544 }
3530 3545 ss = kmem_zalloc(sizeof (spdsock_t), KM_NOSLEEP);
3531 3546 if (ss == NULL) {
3532 3547 vmem_free(spdsock_vmem, (void *)(uintptr_t)ssminor, 1);
3533 3548 netstack_rele(spds->spds_netstack);
3534 3549 return (ENOMEM);
3535 3550 }
3536 3551
3537 3552 ss->spdsock_minor = ssminor;
3538 3553 ss->spdsock_state = TS_UNBND;
3539 3554 ss->spdsock_dump_req = NULL;
3540 3555
3541 3556 ss->spdsock_spds = spds;
3542 3557
3543 3558 q->q_ptr = ss;
3544 3559 oq->q_ptr = ss;
3545 3560
3546 3561 q->q_hiwat = spds->spds_recv_hiwat;
3547 3562
3548 3563 oq->q_hiwat = spds->spds_xmit_hiwat;
3549 3564 oq->q_lowat = spds->spds_xmit_lowat;
3550 3565
3551 3566 qprocson(q);
3552 3567 (void) proto_set_rx_hiwat(q, NULL, spds->spds_recv_hiwat);
3553 3568
3554 3569 *devp = makedevice(getmajor(*devp), ss->spdsock_minor);
3555 3570 return (0);
3556 3571 }
3557 3572
3558 3573 /*
3559 3574 * Read-side service procedure, invoked when we get back-enabled
3560 3575 * when buffer space becomes available.
3561 3576 *
3562 3577 * Dump another chunk if we were dumping before; when we finish, kick
3563 3578 * the write-side queue in case it's waiting for read queue space.
3564 3579 */
3565 3580 void
3566 3581 spdsock_rsrv(queue_t *q)
3567 3582 {
3568 3583 spdsock_t *ss = q->q_ptr;
3569 3584
3570 3585 if (ss->spdsock_dump_req != NULL)
3571 3586 spdsock_dump_some(q, ss);
3572 3587
3573 3588 if (ss->spdsock_dump_req == NULL)
3574 3589 qenable(OTHERQ(q));
3575 3590 }
3576 3591
3577 3592 /*
3578 3593 * Write-side service procedure, invoked when we defer processing
3579 3594 * if another message is received while a dump is in progress.
3580 3595 */
3581 3596 void
3582 3597 spdsock_wsrv(queue_t *q)
3583 3598 {
3584 3599 spdsock_t *ss = q->q_ptr;
3585 3600 mblk_t *mp;
3586 3601 ipsec_stack_t *ipss = ss->spdsock_spds->spds_netstack->netstack_ipsec;
3587 3602
3588 3603 if (ss->spdsock_dump_req != NULL) {
3589 3604 qenable(OTHERQ(q));
3590 3605 return;
3591 3606 }
3592 3607
3593 3608 while ((mp = getq(q)) != NULL) {
3594 3609 if (ipsec_loaded(ipss)) {
3595 3610 spdsock_wput(q, mp);
3596 3611 if (ss->spdsock_dump_req != NULL)
3597 3612 return;
3598 3613 } else if (!ipsec_failed(ipss)) {
3599 3614 (void) putq(q, mp);
3600 3615 } else {
3601 3616 spdsock_error(q, mp, EPFNOSUPPORT, 0);
3602 3617 }
3603 3618 }
3604 3619 }
3605 3620
3606 3621 static int
3607 3622 spdsock_close(queue_t *q)
3608 3623 {
3609 3624 spdsock_t *ss = q->q_ptr;
3610 3625 spd_stack_t *spds = ss->spdsock_spds;
3611 3626
3612 3627 qprocsoff(q);
3613 3628
3614 3629 /* Safe assumption. */
3615 3630 ASSERT(ss != NULL);
3616 3631
3617 3632 if (ss->spdsock_timeout != 0)
3618 3633 (void) quntimeout(q, ss->spdsock_timeout);
3619 3634
3620 3635 ss3dbg(spds, ("Driver close, PF_POLICY socket is going away.\n"));
3621 3636
3622 3637 vmem_free(spdsock_vmem, (void *)(uintptr_t)ss->spdsock_minor, 1);
3623 3638 netstack_rele(ss->spdsock_spds->spds_netstack);
3624 3639
3625 3640 kmem_free(ss, sizeof (spdsock_t));
3626 3641 return (0);
3627 3642 }
3628 3643
3629 3644 /*
3630 3645 * Merge the IPsec algorithms tables with the received algorithm information.
3631 3646 */
3632 3647 void
3633 3648 spdsock_merge_algs(spd_stack_t *spds)
3634 3649 {
3635 3650 ipsec_alginfo_t *alg, *oalg;
3636 3651 ipsec_algtype_t algtype;
3637 3652 uint_t algidx, algid, nalgs;
3638 3653 crypto_mech_name_t *mechs;
3639 3654 uint_t mech_count, mech_idx;
3640 3655 netstack_t *ns = spds->spds_netstack;
3641 3656 ipsec_stack_t *ipss = ns->netstack_ipsec;
3642 3657
3643 3658 ASSERT(MUTEX_HELD(&spds->spds_alg_lock));
3644 3659
3645 3660 /*
3646 3661 * Get the list of supported mechanisms from the crypto framework.
3647 3662 * If a mechanism is supported by KCF, resolve its mechanism
3648 3663 * id and mark it as being valid. This operation must be done
3649 3664 * without holding alg_lock, since it can cause a provider
3650 3665 * module to be loaded and the provider notification callback to
3651 3666 * be invoked.
3652 3667 */
3653 3668 mechs = crypto_get_mech_list(&mech_count, KM_SLEEP);
3654 3669 for (algtype = 0; algtype < IPSEC_NALGTYPES; algtype++) {
3655 3670 for (algid = 0; algid < IPSEC_MAX_ALGS; algid++) {
3656 3671 int algflags = 0;
3657 3672 crypto_mech_type_t mt = CRYPTO_MECHANISM_INVALID;
3658 3673
3659 3674 alg = spds->spds_algs[algtype][algid];
3660 3675 if (alg == NULL)
3661 3676 continue;
3662 3677
3663 3678 /*
3664 3679 * The NULL encryption algorithm is a special
3665 3680 * case because there are no mechanisms, yet
3666 3681 * the algorithm is still valid.
3667 3682 */
3668 3683 if (alg->alg_id == SADB_EALG_NULL) {
3669 3684 alg->alg_mech_type = CRYPTO_MECHANISM_INVALID;
3670 3685 alg->alg_flags |= ALG_FLAG_VALID;
3671 3686 continue;
3672 3687 }
3673 3688
3674 3689 for (mech_idx = 0; mech_idx < mech_count; mech_idx++) {
3675 3690 if (strncmp(alg->alg_mech_name, mechs[mech_idx],
3676 3691 CRYPTO_MAX_MECH_NAME) == 0) {
3677 3692 mt = crypto_mech2id(alg->alg_mech_name);
3678 3693 ASSERT(mt != CRYPTO_MECHANISM_INVALID);
3679 3694 algflags = ALG_FLAG_VALID;
3680 3695 break;
3681 3696 }
3682 3697 }
3683 3698 alg->alg_mech_type = mt;
3684 3699 alg->alg_flags |= algflags;
3685 3700 }
3686 3701 }
3687 3702
3688 3703 rw_enter(&ipss->ipsec_alg_lock, RW_WRITER);
3689 3704
3690 3705 /*
3691 3706 * For each algorithm currently defined, check if it is
3692 3707 * present in the new tables created from the SPD_UPDATEALGS
3693 3708 * message received from user-space.
3694 3709 * Delete the algorithm entries that are currently defined
3695 3710 * but not part of the new tables.
3696 3711 */
3697 3712 for (algtype = 0; algtype < IPSEC_NALGTYPES; algtype++) {
3698 3713 nalgs = ipss->ipsec_nalgs[algtype];
3699 3714 for (algidx = 0; algidx < nalgs; algidx++) {
3700 3715 algid = ipss->ipsec_sortlist[algtype][algidx];
3701 3716 if (spds->spds_algs[algtype][algid] == NULL)
3702 3717 ipsec_alg_unreg(algtype, algid, ns);
3703 3718 }
3704 3719 }
3705 3720
3706 3721 /*
3707 3722 * For each algorithm we just received, check if it is
3708 3723 * present in the currently defined tables. If it is, swap
3709 3724 * the entry with the one we just allocated.
3710 3725 * If the new algorithm is not in the current tables,
3711 3726 * add it.
3712 3727 */
3713 3728 for (algtype = 0; algtype < IPSEC_NALGTYPES; algtype++) {
3714 3729 for (algid = 0; algid < IPSEC_MAX_ALGS; algid++) {
3715 3730 alg = spds->spds_algs[algtype][algid];
3716 3731 if (alg == NULL)
3717 3732 continue;
3718 3733
3719 3734 if ((oalg = ipss->ipsec_alglists[algtype][algid]) ==
3720 3735 NULL) {
3721 3736 /*
3722 3737 * New algorithm, add it to the algorithm
3723 3738 * table.
3724 3739 */
3725 3740 ipsec_alg_reg(algtype, alg, ns);
3726 3741 } else {
3727 3742 /*
3728 3743 * Algorithm is already in the table. Swap
3729 3744 * the existing entry with the new one.
3730 3745 */
3731 3746 ipsec_alg_fix_min_max(alg, algtype, ns);
3732 3747 ipss->ipsec_alglists[algtype][algid] = alg;
3733 3748 ipsec_alg_free(oalg);
3734 3749 }
3735 3750 spds->spds_algs[algtype][algid] = NULL;
3736 3751 }
3737 3752 }
3738 3753
3739 3754 for (algtype = 0; algtype < IPSEC_NALGTYPES; algtype++) {
3740 3755 ipss->ipsec_algs_exec_mode[algtype] =
3741 3756 spds->spds_algs_exec_mode[algtype];
3742 3757 }
3743 3758
3744 3759 rw_exit(&ipss->ipsec_alg_lock);
3745 3760
3746 3761 crypto_free_mech_list(mechs, mech_count);
3747 3762
3748 3763 ipsecah_algs_changed(ns);
3749 3764 ipsecesp_algs_changed(ns);
3750 3765 }
|
↓ open down ↓ |
329 lines elided |
↑ open up ↑ |
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX