8381 Convert ipsec_alg_lock from mutex to rwlock
--- old/usr/src/uts/common/inet/ip/sadb.c
+++ new/usr/src/uts/common/inet/ip/sadb.c
1 1 /*
2 2 * CDDL HEADER START
3 3 *
4 4 * The contents of this file are subject to the terms of the
5 5 * Common Development and Distribution License (the "License").
6 6 * You may not use this file except in compliance with the License.
7 7 *
8 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 9 * or http://www.opensolaris.org/os/licensing.
10 10 * See the License for the specific language governing permissions
11 11 * and limitations under the License.
12 12 *
13 13 * When distributing Covered Code, include this CDDL HEADER in each
14 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 15 * If applicable, add the following below this CDDL HEADER, with the
16 16 * fields enclosed by brackets "[]" replaced with your own identifying
17 17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 18 *
19 19 * CDDL HEADER END
20 20 */
21 21 /*
22 22 * Copyright 2010 Sun Microsystems, Inc. All rights reserved.
23 23 * Use is subject to license terms.
24 + * Copyright (c) 2012 Nexenta Systems, Inc. All rights reserved.
24 25 */
25 26
26 27 #include <sys/types.h>
27 28 #include <sys/stream.h>
28 29 #include <sys/stropts.h>
29 30 #include <sys/strsubr.h>
30 31 #include <sys/errno.h>
31 32 #include <sys/ddi.h>
32 33 #include <sys/debug.h>
33 34 #include <sys/cmn_err.h>
34 35 #include <sys/stream.h>
35 36 #include <sys/strlog.h>
36 37 #include <sys/kmem.h>
37 38 #include <sys/sunddi.h>
38 39 #include <sys/tihdr.h>
39 40 #include <sys/atomic.h>
40 41 #include <sys/socket.h>
41 42 #include <sys/sysmacros.h>
42 43 #include <sys/crypto/common.h>
43 44 #include <sys/crypto/api.h>
44 45 #include <sys/zone.h>
45 46 #include <netinet/in.h>
46 47 #include <net/if.h>
47 48 #include <net/pfkeyv2.h>
48 49 #include <net/pfpolicy.h>
49 50 #include <inet/common.h>
50 51 #include <netinet/ip6.h>
51 52 #include <inet/ip.h>
52 53 #include <inet/ip_ire.h>
53 54 #include <inet/ip6.h>
54 55 #include <inet/ipsec_info.h>
55 56 #include <inet/tcp.h>
56 57 #include <inet/sadb.h>
57 58 #include <inet/ipsec_impl.h>
58 59 #include <inet/ipsecah.h>
59 60 #include <inet/ipsecesp.h>
60 61 #include <sys/random.h>
61 62 #include <sys/dlpi.h>
62 63 #include <sys/strsun.h>
63 64 #include <sys/strsubr.h>
64 65 #include <inet/ip_if.h>
65 66 #include <inet/ipdrop.h>
66 67 #include <inet/ipclassifier.h>
67 68 #include <inet/sctp_ip.h>
68 69 #include <sys/tsol/tnet.h>
69 70
70 71 /*
71 72 * This source file contains Security Association Database (SADB) common
72 73 * routines. They are linked in with the AH module. Since AH has no chance
73 74 * of falling under export control, it was safe to link it in there.
74 75 */
75 76
76 77 static mblk_t *sadb_extended_acquire(ipsec_selector_t *, ipsec_policy_t *,
77 78 ipsec_action_t *, boolean_t, uint32_t, uint32_t, sadb_sens_t *,
78 79 netstack_t *);
79 80 static ipsa_t *sadb_torch_assoc(isaf_t *, ipsa_t *);
80 81 static void sadb_destroy_acqlist(iacqf_t **, uint_t, boolean_t,
81 82 netstack_t *);
82 83 static void sadb_destroy(sadb_t *, netstack_t *);
83 84 static mblk_t *sadb_sa2msg(ipsa_t *, sadb_msg_t *);
84 85 static ts_label_t *sadb_label_from_sens(sadb_sens_t *, uint64_t *);
85 86 static sadb_sens_t *sadb_make_sens_ext(ts_label_t *tsl, int *len);
86 87
87 88 static time_t sadb_add_time(time_t, uint64_t);
88 89 static void lifetime_fuzz(ipsa_t *);
89 90 static void age_pair_peer_list(templist_t *, sadb_t *, boolean_t);
90 91 static int get_ipsa_pair(ipsa_query_t *, ipsap_t *, int *);
91 92 static void init_ipsa_pair(ipsap_t *);
92 93 static void destroy_ipsa_pair(ipsap_t *);
93 94 static int update_pairing(ipsap_t *, ipsa_query_t *, keysock_in_t *, int *);
94 95 static void ipsa_set_replay(ipsa_t *ipsa, uint32_t offset);
95 96
96 97 /*
97 98 * ipsacq_maxpackets is defined here to make it tunable
98 99 * from /etc/system.
99 100 */
100 101 extern uint64_t ipsacq_maxpackets;
101 102
102 103 #define SET_EXPIRE(sa, delta, exp) { \
103 104 if (((sa)->ipsa_ ## delta) != 0) { \
104 105 (sa)->ipsa_ ## exp = sadb_add_time((sa)->ipsa_addtime, \
105 106 (sa)->ipsa_ ## delta); \
106 107 } \
107 108 }
108 109
109 110 #define UPDATE_EXPIRE(sa, delta, exp) { \
110 111 if (((sa)->ipsa_ ## delta) != 0) { \
111 112 time_t tmp = sadb_add_time((sa)->ipsa_usetime, \
112 113 (sa)->ipsa_ ## delta); \
113 114 if (((sa)->ipsa_ ## exp) == 0) \
114 115 (sa)->ipsa_ ## exp = tmp; \
115 116 else \
116 117 (sa)->ipsa_ ## exp = \
117 118 MIN((sa)->ipsa_ ## exp, tmp); \
118 119 } \
119 120 }
120 121
121 122
122 123 /* wrap the macro so we can pass it as a function pointer */
123 124 void
124 125 sadb_sa_refrele(void *target)
125 126 {
126 127 IPSA_REFRELE(((ipsa_t *)target));
127 128 }
128 129
129 130 /*
130 131 * We presume that sizeof (long) == sizeof (time_t) and that time_t is
131 132 * a signed type.
132 133 */
133 134 #define TIME_MAX LONG_MAX
134 135
135 136 /*
136 137 * PF_KEY gives us lifetimes in uint64_t seconds. We presume that
137 138 * time_t is defined to be a signed type with the same range as
138 139 * "long". On ILP32 systems, we thus run the risk of wrapping around
139 140 * at end of time, as well as "overwrapping" the clock back around
140 141 * into a seemingly valid but incorrect future date earlier than the
141 142 * desired expiration.
142 143 *
143 144 * In order to avoid odd behavior (either negative lifetimes or loss
144 145 * of high order bits) when someone asks for bizarrely long SA
145 146 * lifetimes, we do a saturating add for expire times.
146 147 *
147 148 * We presume that ILP32 systems will be past end of support life when
148 149 * the 32-bit time_t overflows (a dangerous assumption, mind you..).
149 150 *
150 151 * On LP64, 2^64 seconds are about 5.8e11 years, at which point we
151 152 * will hopefully have figured out clever ways to avoid the use of
152 153 * fixed-sized integers in computation.
153 154 */
154 155 static time_t
155 156 sadb_add_time(time_t base, uint64_t delta)
156 157 {
157 158 time_t sum;
158 159
159 160 /*
160 161 * Clip delta to the maximum possible time_t value to
161 162 * prevent "overwrapping" back into a shorter-than-desired
162 163 * future time.
163 164 */
164 165 if (delta > TIME_MAX)
165 166 delta = TIME_MAX;
166 167 /*
167 168 * This sum may still overflow.
168 169 */
169 170 sum = base + delta;
170 171
171 172 /*
172 173 * .. so if the result is less than the base, we overflowed.
173 174 */
174 175 if (sum < base)
175 176 sum = TIME_MAX;
176 177
177 178 return (sum);
178 179 }
179 180
180 181 /*
181 182 * Callers of this function have already created a working security
182 183 * association, and have found the appropriate table & hash chain. All this
183 184 * function does is check duplicates, and insert the SA. The caller needs to
184 185 * hold the hash bucket lock and increment the refcnt before insertion.
185 186 *
186 187 * Return 0 if success, EEXIST if collision.
187 188 */
188 189 #define SA_UNIQUE_MATCH(sa1, sa2) \
189 190 (((sa1)->ipsa_unique_id & (sa1)->ipsa_unique_mask) == \
190 191 ((sa2)->ipsa_unique_id & (sa2)->ipsa_unique_mask))
191 192
192 193 int
193 194 sadb_insertassoc(ipsa_t *ipsa, isaf_t *bucket)
194 195 {
195 196 ipsa_t **ptpn = NULL;
196 197 ipsa_t *walker;
197 198 boolean_t unspecsrc;
198 199
199 200 ASSERT(MUTEX_HELD(&bucket->isaf_lock));
200 201
201 202 unspecsrc = IPSA_IS_ADDR_UNSPEC(ipsa->ipsa_srcaddr, ipsa->ipsa_addrfam);
202 203
203 204 walker = bucket->isaf_ipsa;
204 205 ASSERT(walker == NULL || ipsa->ipsa_addrfam == walker->ipsa_addrfam);
205 206
206 207 /*
207 208 * Find insertion point (pointed to with **ptpn). Insert at the head
208 209 * of the list unless there's an unspecified source address, then
209 210 * insert it after the last SA with a specified source address.
210 211 *
211 212 * BTW, you'll have to walk the whole chain, matching on {DST, SPI}
212 213 * checking for collisions.
213 214 */
214 215
215 216 while (walker != NULL) {
216 217 if (IPSA_ARE_ADDR_EQUAL(walker->ipsa_dstaddr,
217 218 ipsa->ipsa_dstaddr, ipsa->ipsa_addrfam)) {
218 219 if (walker->ipsa_spi == ipsa->ipsa_spi)
219 220 return (EEXIST);
220 221
221 222 mutex_enter(&walker->ipsa_lock);
222 223 if (ipsa->ipsa_state == IPSA_STATE_MATURE &&
223 224 (walker->ipsa_flags & IPSA_F_USED) &&
224 225 SA_UNIQUE_MATCH(walker, ipsa)) {
225 226 walker->ipsa_flags |= IPSA_F_CINVALID;
226 227 }
227 228 mutex_exit(&walker->ipsa_lock);
228 229 }
229 230
230 231 if (ptpn == NULL && unspecsrc) {
231 232 if (IPSA_IS_ADDR_UNSPEC(walker->ipsa_srcaddr,
232 233 walker->ipsa_addrfam))
233 234 ptpn = walker->ipsa_ptpn;
234 235 else if (walker->ipsa_next == NULL)
235 236 ptpn = &walker->ipsa_next;
236 237 }
237 238
238 239 walker = walker->ipsa_next;
239 240 }
240 241
241 242 if (ptpn == NULL)
242 243 ptpn = &bucket->isaf_ipsa;
243 244 ipsa->ipsa_next = *ptpn;
244 245 ipsa->ipsa_ptpn = ptpn;
245 246 if (ipsa->ipsa_next != NULL)
246 247 ipsa->ipsa_next->ipsa_ptpn = &ipsa->ipsa_next;
247 248 *ptpn = ipsa;
248 249 ipsa->ipsa_linklock = &bucket->isaf_lock;
249 250
250 251 return (0);
251 252 }
252 253 #undef SA_UNIQUE_MATCH
253 254
254 255 /*
255 256 * Free a security association. Its reference count is 0, which means
256 257 * I must free it. The SA must be unlocked and must not be linked into
257 258 * any fanout list.
258 259 */
259 260 static void
260 261 sadb_freeassoc(ipsa_t *ipsa)
261 262 {
262 263 ipsec_stack_t *ipss = ipsa->ipsa_netstack->netstack_ipsec;
263 264 mblk_t *asyncmp, *mp;
264 265
265 266 ASSERT(ipss != NULL);
266 267 ASSERT(MUTEX_NOT_HELD(&ipsa->ipsa_lock));
267 268 ASSERT(ipsa->ipsa_refcnt == 0);
268 269 ASSERT(ipsa->ipsa_next == NULL);
269 270 ASSERT(ipsa->ipsa_ptpn == NULL);
270 271
271 272
272 273 asyncmp = sadb_clear_lpkt(ipsa);
273 274 if (asyncmp != NULL) {
274 275 mp = ip_recv_attr_free_mblk(asyncmp);
275 276 ip_drop_packet(mp, B_TRUE, NULL,
276 277 DROPPER(ipss, ipds_sadb_inlarval_timeout),
277 278 &ipss->ipsec_sadb_dropper);
278 279 }
279 280 mutex_enter(&ipsa->ipsa_lock);
280 281
281 282 if (ipsa->ipsa_tsl != NULL) {
282 283 label_rele(ipsa->ipsa_tsl);
283 284 ipsa->ipsa_tsl = NULL;
284 285 }
285 286
286 287 if (ipsa->ipsa_otsl != NULL) {
287 288 label_rele(ipsa->ipsa_otsl);
288 289 ipsa->ipsa_otsl = NULL;
289 290 }
290 291
291 292 ipsec_destroy_ctx_tmpl(ipsa, IPSEC_ALG_AUTH);
292 293 ipsec_destroy_ctx_tmpl(ipsa, IPSEC_ALG_ENCR);
293 294 mutex_exit(&ipsa->ipsa_lock);
294 295
295 296 /* bzero() these fields for paranoia's sake. */
296 297 if (ipsa->ipsa_authkey != NULL) {
297 298 bzero(ipsa->ipsa_authkey, ipsa->ipsa_authkeylen);
298 299 kmem_free(ipsa->ipsa_authkey, ipsa->ipsa_authkeylen);
299 300 }
300 301 if (ipsa->ipsa_encrkey != NULL) {
301 302 bzero(ipsa->ipsa_encrkey, ipsa->ipsa_encrkeylen);
302 303 kmem_free(ipsa->ipsa_encrkey, ipsa->ipsa_encrkeylen);
303 304 }
304 305 if (ipsa->ipsa_nonce_buf != NULL) {
305 306 bzero(ipsa->ipsa_nonce_buf, sizeof (ipsec_nonce_t));
306 307 kmem_free(ipsa->ipsa_nonce_buf, sizeof (ipsec_nonce_t));
307 308 }
308 309 if (ipsa->ipsa_src_cid != NULL) {
309 310 IPSID_REFRELE(ipsa->ipsa_src_cid);
310 311 }
311 312 if (ipsa->ipsa_dst_cid != NULL) {
312 313 IPSID_REFRELE(ipsa->ipsa_dst_cid);
313 314 }
314 315 if (ipsa->ipsa_emech.cm_param != NULL)
315 316 kmem_free(ipsa->ipsa_emech.cm_param,
316 317 ipsa->ipsa_emech.cm_param_len);
317 318
318 319 mutex_destroy(&ipsa->ipsa_lock);
319 320 kmem_free(ipsa, sizeof (*ipsa));
320 321 }
321 322
322 323 /*
323 324 * Unlink a security association from a hash bucket. Assume the hash bucket
324 325 * lock is held, but the association's lock is not.
325 326 *
326 327 * Note that we do not bump the bucket's generation number here because
327 328 * we might not be making a visible change to the set of visible SA's.
328 329 * All callers MUST bump the bucket's generation number before they unlock
329 330 * the bucket if they use sadb_unlinkassoc to permanetly remove an SA which
330 331 * was present in the bucket at the time it was locked.
331 332 */
332 333 void
333 334 sadb_unlinkassoc(ipsa_t *ipsa)
334 335 {
335 336 ASSERT(ipsa->ipsa_linklock != NULL);
336 337 ASSERT(MUTEX_HELD(ipsa->ipsa_linklock));
337 338
338 339 /* These fields are protected by the link lock. */
339 340 *(ipsa->ipsa_ptpn) = ipsa->ipsa_next;
340 341 if (ipsa->ipsa_next != NULL) {
341 342 ipsa->ipsa_next->ipsa_ptpn = ipsa->ipsa_ptpn;
342 343 ipsa->ipsa_next = NULL;
343 344 }
344 345
345 346 ipsa->ipsa_ptpn = NULL;
346 347
347 348 /* This may destroy the SA. */
348 349 IPSA_REFRELE(ipsa);
349 350 }
350 351
351 352 void
352 353 sadb_delete_cluster(ipsa_t *assoc)
353 354 {
354 355 uint8_t protocol;
355 356
356 357 if (cl_inet_deletespi &&
357 358 ((assoc->ipsa_state == IPSA_STATE_LARVAL) ||
358 359 (assoc->ipsa_state == IPSA_STATE_MATURE))) {
359 360 protocol = (assoc->ipsa_type == SADB_SATYPE_AH) ?
360 361 IPPROTO_AH : IPPROTO_ESP;
361 362 cl_inet_deletespi(assoc->ipsa_netstack->netstack_stackid,
362 363 protocol, assoc->ipsa_spi, NULL);
363 364 }
364 365 }
365 366
366 367 /*
367 368 * Create a larval security association with the specified SPI. All other
368 369 * fields are zeroed.
369 370 */
370 371 static ipsa_t *
371 372 sadb_makelarvalassoc(uint32_t spi, uint32_t *src, uint32_t *dst, int addrfam,
372 373 netstack_t *ns)
373 374 {
374 375 ipsa_t *newbie;
375 376
376 377 /*
377 378 * Allocate...
378 379 */
379 380
380 381 newbie = (ipsa_t *)kmem_zalloc(sizeof (ipsa_t), KM_NOSLEEP);
381 382 if (newbie == NULL) {
382 383 /* Can't make new larval SA. */
383 384 return (NULL);
384 385 }
385 386
386 387 /* Assigned requested SPI, assume caller does SPI allocation magic. */
387 388 newbie->ipsa_spi = spi;
388 389 newbie->ipsa_netstack = ns; /* No netstack_hold */
389 390
390 391 /*
391 392 * Copy addresses...
392 393 */
393 394
394 395 IPSA_COPY_ADDR(newbie->ipsa_srcaddr, src, addrfam);
395 396 IPSA_COPY_ADDR(newbie->ipsa_dstaddr, dst, addrfam);
396 397
397 398 newbie->ipsa_addrfam = addrfam;
398 399
399 400 /*
400 401 * Set common initialization values, including refcnt.
401 402 */
402 403 mutex_init(&newbie->ipsa_lock, NULL, MUTEX_DEFAULT, NULL);
403 404 newbie->ipsa_state = IPSA_STATE_LARVAL;
404 405 newbie->ipsa_refcnt = 1;
405 406 newbie->ipsa_freefunc = sadb_freeassoc;
406 407
407 408 /*
408 409 * There aren't a lot of other common initialization values, as
409 410 * they are copied in from the PF_KEY message.
410 411 */
411 412
412 413 return (newbie);
413 414 }
414 415
415 416 /*
416 417 * Call me to initialize a security association fanout.
417 418 */
418 419 static int
419 420 sadb_init_fanout(isaf_t **tablep, uint_t size, int kmflag)
420 421 {
421 422 isaf_t *table;
422 423 int i;
423 424
424 425 table = (isaf_t *)kmem_alloc(size * sizeof (*table), kmflag);
425 426 *tablep = table;
426 427
427 428 if (table == NULL)
428 429 return (ENOMEM);
429 430
430 431 for (i = 0; i < size; i++) {
431 432 mutex_init(&(table[i].isaf_lock), NULL, MUTEX_DEFAULT, NULL);
432 433 table[i].isaf_ipsa = NULL;
433 434 table[i].isaf_gen = 0;
434 435 }
435 436
436 437 return (0);
437 438 }
438 439
439 440 /*
440 441 * Call me to initialize an acquire fanout
441 442 */
442 443 static int
443 444 sadb_init_acfanout(iacqf_t **tablep, uint_t size, int kmflag)
444 445 {
445 446 iacqf_t *table;
446 447 int i;
447 448
448 449 table = (iacqf_t *)kmem_alloc(size * sizeof (*table), kmflag);
449 450 *tablep = table;
450 451
451 452 if (table == NULL)
452 453 return (ENOMEM);
453 454
454 455 for (i = 0; i < size; i++) {
455 456 mutex_init(&(table[i].iacqf_lock), NULL, MUTEX_DEFAULT, NULL);
456 457 table[i].iacqf_ipsacq = NULL;
457 458 }
458 459
459 460 return (0);
460 461 }
461 462
462 463 /*
463 464 * Attempt to initialize an SADB instance. On failure, return ENOMEM;
464 465 * caller must clean up partial allocations.
465 466 */
466 467 static int
467 468 sadb_init_trial(sadb_t *sp, uint_t size, int kmflag)
468 469 {
469 470 ASSERT(sp->sdb_of == NULL);
470 471 ASSERT(sp->sdb_if == NULL);
471 472 ASSERT(sp->sdb_acq == NULL);
472 473
473 474 sp->sdb_hashsize = size;
474 475 if (sadb_init_fanout(&sp->sdb_of, size, kmflag) != 0)
475 476 return (ENOMEM);
476 477 if (sadb_init_fanout(&sp->sdb_if, size, kmflag) != 0)
477 478 return (ENOMEM);
478 479 if (sadb_init_acfanout(&sp->sdb_acq, size, kmflag) != 0)
479 480 return (ENOMEM);
480 481
481 482 return (0);
482 483 }
483 484
484 485 /*
485 486 * Call me to initialize an SADB instance; fall back to default size on failure.
486 487 */
487 488 static void
488 489 sadb_init(const char *name, sadb_t *sp, uint_t size, uint_t ver,
489 490 netstack_t *ns)
490 491 {
491 492 ASSERT(sp->sdb_of == NULL);
492 493 ASSERT(sp->sdb_if == NULL);
493 494 ASSERT(sp->sdb_acq == NULL);
494 495
495 496 if (size < IPSEC_DEFAULT_HASH_SIZE)
496 497 size = IPSEC_DEFAULT_HASH_SIZE;
497 498
498 499 if (sadb_init_trial(sp, size, KM_NOSLEEP) != 0) {
499 500
500 501 cmn_err(CE_WARN,
501 502 "Unable to allocate %u entry IPv%u %s SADB hash table",
502 503 size, ver, name);
503 504
504 505 sadb_destroy(sp, ns);
505 506 size = IPSEC_DEFAULT_HASH_SIZE;
506 507 cmn_err(CE_WARN, "Falling back to %d entries", size);
507 508 (void) sadb_init_trial(sp, size, KM_SLEEP);
508 509 }
509 510 }
510 511
511 512
512 513 /*
513 514 * Initialize an SADB-pair.
514 515 */
515 516 void
516 517 sadbp_init(const char *name, sadbp_t *sp, int type, int size, netstack_t *ns)
517 518 {
518 519 sadb_init(name, &sp->s_v4, size, 4, ns);
519 520 sadb_init(name, &sp->s_v6, size, 6, ns);
520 521
521 522 sp->s_satype = type;
522 523
523 524 ASSERT((type == SADB_SATYPE_AH) || (type == SADB_SATYPE_ESP));
524 525 if (type == SADB_SATYPE_AH) {
525 526 ipsec_stack_t *ipss = ns->netstack_ipsec;
526 527
527 528 ip_drop_register(&ipss->ipsec_sadb_dropper, "IPsec SADB");
528 529 sp->s_addflags = AH_ADD_SETTABLE_FLAGS;
529 530 sp->s_updateflags = AH_UPDATE_SETTABLE_FLAGS;
530 531 } else {
531 532 sp->s_addflags = ESP_ADD_SETTABLE_FLAGS;
532 533 sp->s_updateflags = ESP_UPDATE_SETTABLE_FLAGS;
533 534 }
534 535 }
535 536
536 537 /*
537 538 * Deliver a single SADB_DUMP message representing a single SA. This is
538 539 * called many times by sadb_dump().
539 540 *
540 541 * If the return value of this is ENOBUFS (not the same as ENOMEM), then
541 542 * the caller should take that as a hint that dupb() on the "original answer"
542 543 * failed, and that perhaps the caller should try again with a copyb()ed
543 544 * "original answer".
544 545 */
545 546 static int
546 547 sadb_dump_deliver(queue_t *pfkey_q, mblk_t *original_answer, ipsa_t *ipsa,
547 548 sadb_msg_t *samsg)
548 549 {
549 550 mblk_t *answer;
550 551
551 552 answer = dupb(original_answer);
552 553 if (answer == NULL)
553 554 return (ENOBUFS);
554 555 answer->b_cont = sadb_sa2msg(ipsa, samsg);
555 556 if (answer->b_cont == NULL) {
556 557 freeb(answer);
557 558 return (ENOMEM);
558 559 }
559 560
560 561 /* Just do a putnext, and let keysock deal with flow control. */
561 562 putnext(pfkey_q, answer);
562 563 return (0);
563 564 }
564 565
565 566 /*
566 567 * Common function to allocate and prepare a keysock_out_t M_CTL message.
567 568 */
568 569 mblk_t *
569 570 sadb_keysock_out(minor_t serial)
570 571 {
571 572 mblk_t *mp;
572 573 keysock_out_t *kso;
573 574
574 575 mp = allocb(sizeof (ipsec_info_t), BPRI_HI);
575 576 if (mp != NULL) {
576 577 mp->b_datap->db_type = M_CTL;
577 578 mp->b_wptr += sizeof (ipsec_info_t);
578 579 kso = (keysock_out_t *)mp->b_rptr;
579 580 kso->ks_out_type = KEYSOCK_OUT;
580 581 kso->ks_out_len = sizeof (*kso);
581 582 kso->ks_out_serial = serial;
582 583 }
583 584
584 585 return (mp);
585 586 }
586 587
587 588 /*
588 589 * Perform an SADB_DUMP, spewing out every SA in an array of SA fanouts
589 590 * to keysock.
590 591 */
591 592 static int
592 593 sadb_dump_fanout(queue_t *pfkey_q, mblk_t *mp, minor_t serial, isaf_t *fanout,
593 594 int num_entries, boolean_t do_peers, time_t active_time)
594 595 {
595 596 int i, error = 0;
596 597 mblk_t *original_answer;
597 598 ipsa_t *walker;
598 599 sadb_msg_t *samsg;
599 600 time_t current;
600 601
601 602 /*
602 603 * For each IPSA hash bucket do:
603 604 * - Hold the mutex
604 605 * - Walk each entry, doing an sadb_dump_deliver() on it.
605 606 */
606 607 ASSERT(mp->b_cont != NULL);
607 608 samsg = (sadb_msg_t *)mp->b_cont->b_rptr;
608 609
609 610 original_answer = sadb_keysock_out(serial);
610 611 if (original_answer == NULL)
611 612 return (ENOMEM);
612 613
613 614 current = gethrestime_sec();
614 615 for (i = 0; i < num_entries; i++) {
615 616 mutex_enter(&fanout[i].isaf_lock);
616 617 for (walker = fanout[i].isaf_ipsa; walker != NULL;
617 618 walker = walker->ipsa_next) {
618 619 if (!do_peers && walker->ipsa_haspeer)
619 620 continue;
620 621 if ((active_time != 0) &&
621 622 ((current - walker->ipsa_lastuse) > active_time))
622 623 continue;
623 624 error = sadb_dump_deliver(pfkey_q, original_answer,
624 625 walker, samsg);
625 626 if (error == ENOBUFS) {
626 627 mblk_t *new_original_answer;
627 628
628 629 /* Ran out of dupb's. Try a copyb. */
629 630 new_original_answer = copyb(original_answer);
630 631 if (new_original_answer == NULL) {
631 632 error = ENOMEM;
632 633 } else {
633 634 freeb(original_answer);
634 635 original_answer = new_original_answer;
635 636 error = sadb_dump_deliver(pfkey_q,
636 637 original_answer, walker, samsg);
637 638 }
638 639 }
639 640 if (error != 0)
640 641 break; /* out of for loop. */
641 642 }
642 643 mutex_exit(&fanout[i].isaf_lock);
643 644 if (error != 0)
644 645 break; /* out of for loop. */
645 646 }
646 647
647 648 freeb(original_answer);
648 649 return (error);
649 650 }
650 651
651 652 /*
652 653 * Dump an entire SADB; outbound first, then inbound.
653 654 */
654 655
655 656 int
656 657 sadb_dump(queue_t *pfkey_q, mblk_t *mp, keysock_in_t *ksi, sadb_t *sp)
657 658 {
658 659 int error;
659 660 time_t active_time = 0;
660 661 sadb_x_edump_t *edump =
661 662 (sadb_x_edump_t *)ksi->ks_in_extv[SADB_X_EXT_EDUMP];
662 663
663 664 if (edump != NULL) {
664 665 active_time = edump->sadb_x_edump_timeout;
665 666 }
666 667
667 668 /* Dump outbound */
668 669 error = sadb_dump_fanout(pfkey_q, mp, ksi->ks_in_serial, sp->sdb_of,
669 670 sp->sdb_hashsize, B_TRUE, active_time);
670 671 if (error)
671 672 return (error);
672 673
673 674 /* Dump inbound */
674 675 return sadb_dump_fanout(pfkey_q, mp, ksi->ks_in_serial, sp->sdb_if,
675 676 sp->sdb_hashsize, B_FALSE, active_time);
676 677 }
677 678
678 679 /*
679 680 * Generic sadb table walker.
680 681 *
681 682 * Call "walkfn" for each SA in each bucket in "table"; pass the
682 683 * bucket, the entry and "cookie" to the callback function.
683 684 * Take care to ensure that walkfn can delete the SA without screwing
684 685 * up our traverse.
685 686 *
686 687 * The bucket is locked for the duration of the callback, both so that the
687 688 * callback can just call sadb_unlinkassoc() when it wants to delete something,
688 689 * and so that no new entries are added while we're walking the list.
689 690 */
690 691 static void
691 692 sadb_walker(isaf_t *table, uint_t numentries,
692 693 void (*walkfn)(isaf_t *head, ipsa_t *entry, void *cookie),
693 694 void *cookie)
694 695 {
695 696 int i;
696 697 for (i = 0; i < numentries; i++) {
697 698 ipsa_t *entry, *next;
698 699
699 700 mutex_enter(&table[i].isaf_lock);
700 701
701 702 for (entry = table[i].isaf_ipsa; entry != NULL;
702 703 entry = next) {
703 704 next = entry->ipsa_next;
704 705 (*walkfn)(&table[i], entry, cookie);
705 706 }
706 707 mutex_exit(&table[i].isaf_lock);
707 708 }
708 709 }
709 710
710 711 /*
711 712 * Call me to free up a security association fanout. Use the forever
712 713 * variable to indicate freeing up the SAs (forever == B_FALSE, e.g.
713 714 * an SADB_FLUSH message), or destroying everything (forever == B_TRUE,
714 715 * when a module is unloaded).
715 716 */
716 717 static void
717 718 sadb_destroyer(isaf_t **tablep, uint_t numentries, boolean_t forever,
718 719 boolean_t inbound)
719 720 {
720 721 int i;
721 722 isaf_t *table = *tablep;
722 723 uint8_t protocol;
723 724 ipsa_t *sa;
724 725 netstackid_t sid;
725 726
726 727 if (table == NULL)
727 728 return;
728 729
729 730 for (i = 0; i < numentries; i++) {
730 731 mutex_enter(&table[i].isaf_lock);
731 732 while ((sa = table[i].isaf_ipsa) != NULL) {
732 733 if (inbound && cl_inet_deletespi &&
733 734 (sa->ipsa_state != IPSA_STATE_ACTIVE_ELSEWHERE) &&
734 735 (sa->ipsa_state != IPSA_STATE_IDLE)) {
735 736 protocol = (sa->ipsa_type == SADB_SATYPE_AH) ?
736 737 IPPROTO_AH : IPPROTO_ESP;
737 738 sid = sa->ipsa_netstack->netstack_stackid;
738 739 cl_inet_deletespi(sid, protocol, sa->ipsa_spi,
739 740 NULL);
740 741 }
741 742 sadb_unlinkassoc(sa);
742 743 }
743 744 table[i].isaf_gen++;
744 745 mutex_exit(&table[i].isaf_lock);
745 746 if (forever)
746 747 mutex_destroy(&(table[i].isaf_lock));
747 748 }
748 749
749 750 if (forever) {
750 751 *tablep = NULL;
751 752 kmem_free(table, numentries * sizeof (*table));
752 753 }
753 754 }
754 755
755 756 /*
756 757 * Entry points to sadb_destroyer().
757 758 */
758 759 static void
759 760 sadb_flush(sadb_t *sp, netstack_t *ns)
760 761 {
761 762 /*
762 763 * Flush out each bucket, one at a time. Were it not for keysock's
763 764 * enforcement, there would be a subtlety where I could add on the
764 765 * heels of a flush. With keysock's enforcement, however, this
765 766 * makes ESP's job easy.
766 767 */
767 768 sadb_destroyer(&sp->sdb_of, sp->sdb_hashsize, B_FALSE, B_FALSE);
768 769 sadb_destroyer(&sp->sdb_if, sp->sdb_hashsize, B_FALSE, B_TRUE);
769 770
770 771 /* For each acquire, destroy it; leave the bucket mutex alone. */
771 772 sadb_destroy_acqlist(&sp->sdb_acq, sp->sdb_hashsize, B_FALSE, ns);
772 773 }
773 774
774 775 static void
775 776 sadb_destroy(sadb_t *sp, netstack_t *ns)
776 777 {
777 778 sadb_destroyer(&sp->sdb_of, sp->sdb_hashsize, B_TRUE, B_FALSE);
778 779 sadb_destroyer(&sp->sdb_if, sp->sdb_hashsize, B_TRUE, B_TRUE);
779 780
780 781 /* For each acquire, destroy it, including the bucket mutex. */
781 782 sadb_destroy_acqlist(&sp->sdb_acq, sp->sdb_hashsize, B_TRUE, ns);
782 783
783 784 ASSERT(sp->sdb_of == NULL);
784 785 ASSERT(sp->sdb_if == NULL);
785 786 ASSERT(sp->sdb_acq == NULL);
786 787 }
787 788
788 789 void
789 790 sadbp_flush(sadbp_t *spp, netstack_t *ns)
790 791 {
791 792 sadb_flush(&spp->s_v4, ns);
792 793 sadb_flush(&spp->s_v6, ns);
793 794 }
794 795
795 796 void
796 797 sadbp_destroy(sadbp_t *spp, netstack_t *ns)
797 798 {
798 799 sadb_destroy(&spp->s_v4, ns);
799 800 sadb_destroy(&spp->s_v6, ns);
800 801
801 802 if (spp->s_satype == SADB_SATYPE_AH) {
802 803 ipsec_stack_t *ipss = ns->netstack_ipsec;
803 804
804 805 ip_drop_unregister(&ipss->ipsec_sadb_dropper);
805 806 }
806 807 }
807 808
808 809
809 810 /*
810 811 * Check hard vs. soft lifetimes. If there's a reality mismatch (e.g.
811 812 * soft lifetimes > hard lifetimes) return an appropriate diagnostic for
812 813 * EINVAL.
813 814 */
814 815 int
815 816 sadb_hardsoftchk(sadb_lifetime_t *hard, sadb_lifetime_t *soft,
816 817 sadb_lifetime_t *idle)
817 818 {
818 819 if (hard == NULL || soft == NULL)
819 820 return (0);
820 821
821 822 if (hard->sadb_lifetime_allocations != 0 &&
822 823 soft->sadb_lifetime_allocations != 0 &&
823 824 hard->sadb_lifetime_allocations < soft->sadb_lifetime_allocations)
824 825 return (SADB_X_DIAGNOSTIC_ALLOC_HSERR);
825 826
826 827 if (hard->sadb_lifetime_bytes != 0 &&
827 828 soft->sadb_lifetime_bytes != 0 &&
828 829 hard->sadb_lifetime_bytes < soft->sadb_lifetime_bytes)
829 830 return (SADB_X_DIAGNOSTIC_BYTES_HSERR);
830 831
831 832 if (hard->sadb_lifetime_addtime != 0 &&
832 833 soft->sadb_lifetime_addtime != 0 &&
833 834 hard->sadb_lifetime_addtime < soft->sadb_lifetime_addtime)
834 835 return (SADB_X_DIAGNOSTIC_ADDTIME_HSERR);
835 836
836 837 if (hard->sadb_lifetime_usetime != 0 &&
837 838 soft->sadb_lifetime_usetime != 0 &&
838 839 hard->sadb_lifetime_usetime < soft->sadb_lifetime_usetime)
839 840 return (SADB_X_DIAGNOSTIC_USETIME_HSERR);
840 841
841 842 if (idle != NULL) {
842 843 if (hard->sadb_lifetime_addtime != 0 &&
843 844 idle->sadb_lifetime_addtime != 0 &&
844 845 hard->sadb_lifetime_addtime < idle->sadb_lifetime_addtime)
845 846 return (SADB_X_DIAGNOSTIC_ADDTIME_HSERR);
846 847
847 848 if (soft->sadb_lifetime_addtime != 0 &&
848 849 idle->sadb_lifetime_addtime != 0 &&
849 850 soft->sadb_lifetime_addtime < idle->sadb_lifetime_addtime)
850 851 return (SADB_X_DIAGNOSTIC_ADDTIME_HSERR);
851 852
852 853 if (hard->sadb_lifetime_usetime != 0 &&
853 854 idle->sadb_lifetime_usetime != 0 &&
854 855 hard->sadb_lifetime_usetime < idle->sadb_lifetime_usetime)
855 856 return (SADB_X_DIAGNOSTIC_USETIME_HSERR);
856 857
857 858 if (soft->sadb_lifetime_usetime != 0 &&
858 859 idle->sadb_lifetime_usetime != 0 &&
859 860 soft->sadb_lifetime_usetime < idle->sadb_lifetime_usetime)
860 861 return (SADB_X_DIAGNOSTIC_USETIME_HSERR);
861 862 }
862 863
863 864 return (0);
864 865 }
865 866
866 867 /*
867 868 * Sanity check sensitivity labels.
868 869 *
869 870 * For now, just reject labels on unlabeled systems.
870 871 */
871 872 int
872 873 sadb_labelchk(keysock_in_t *ksi)
873 874 {
874 875 if (!is_system_labeled()) {
875 876 if (ksi->ks_in_extv[SADB_EXT_SENSITIVITY] != NULL)
876 877 return (SADB_X_DIAGNOSTIC_BAD_LABEL);
877 878
878 879 if (ksi->ks_in_extv[SADB_X_EXT_OUTER_SENS] != NULL)
879 880 return (SADB_X_DIAGNOSTIC_BAD_LABEL);
880 881 }
881 882
882 883 return (0);
883 884 }
884 885
885 886 /*
886 887 * Clone a security association for the purposes of inserting a single SA
887 888 * into inbound and outbound tables respectively. This function should only
888 889 * be called from sadb_common_add().
889 890 */
890 891 static ipsa_t *
891 892 sadb_cloneassoc(ipsa_t *ipsa)
892 893 {
893 894 ipsa_t *newbie;
894 895 boolean_t error = B_FALSE;
895 896
896 897 ASSERT(MUTEX_NOT_HELD(&(ipsa->ipsa_lock)));
897 898
898 899 newbie = kmem_alloc(sizeof (ipsa_t), KM_NOSLEEP);
899 900 if (newbie == NULL)
900 901 return (NULL);
901 902
902 903 /* Copy over what we can. */
903 904 *newbie = *ipsa;
904 905
905 906 /* bzero and initialize locks, in case *_init() allocates... */
906 907 mutex_init(&newbie->ipsa_lock, NULL, MUTEX_DEFAULT, NULL);
907 908
908 909 if (newbie->ipsa_tsl != NULL)
909 910 label_hold(newbie->ipsa_tsl);
910 911
911 912 if (newbie->ipsa_otsl != NULL)
912 913 label_hold(newbie->ipsa_otsl);
913 914
914 915 /*
915 916 * While somewhat dain-bramaged, the most graceful way to
916 917 * recover from errors is to keep plowing through the
917 918 * allocations, and getting what I can. It's easier to call
918 919 * sadb_freeassoc() on the stillborn clone when all the
919 920 * pointers aren't pointing to the parent's data.
920 921 */
921 922
922 923 if (ipsa->ipsa_authkey != NULL) {
923 924 newbie->ipsa_authkey = kmem_alloc(newbie->ipsa_authkeylen,
924 925 KM_NOSLEEP);
925 926 if (newbie->ipsa_authkey == NULL) {
926 927 error = B_TRUE;
927 928 } else {
928 929 bcopy(ipsa->ipsa_authkey, newbie->ipsa_authkey,
929 930 newbie->ipsa_authkeylen);
930 931
931 932 newbie->ipsa_kcfauthkey.ck_data =
932 933 newbie->ipsa_authkey;
933 934 }
934 935
935 936 if (newbie->ipsa_amech.cm_param != NULL) {
936 937 newbie->ipsa_amech.cm_param =
937 938 (char *)&newbie->ipsa_mac_len;
938 939 }
939 940 }
940 941
941 942 if (ipsa->ipsa_encrkey != NULL) {
942 943 newbie->ipsa_encrkey = kmem_alloc(newbie->ipsa_encrkeylen,
943 944 KM_NOSLEEP);
944 945 if (newbie->ipsa_encrkey == NULL) {
945 946 error = B_TRUE;
946 947 } else {
947 948 bcopy(ipsa->ipsa_encrkey, newbie->ipsa_encrkey,
948 949 newbie->ipsa_encrkeylen);
949 950
950 951 newbie->ipsa_kcfencrkey.ck_data =
951 952 newbie->ipsa_encrkey;
952 953 }
953 954 }
954 955
955 956 newbie->ipsa_authtmpl = NULL;
956 957 newbie->ipsa_encrtmpl = NULL;
957 958 newbie->ipsa_haspeer = B_TRUE;
958 959
959 960 if (ipsa->ipsa_src_cid != NULL) {
960 961 newbie->ipsa_src_cid = ipsa->ipsa_src_cid;
961 962 IPSID_REFHOLD(ipsa->ipsa_src_cid);
962 963 }
963 964
964 965 if (ipsa->ipsa_dst_cid != NULL) {
965 966 newbie->ipsa_dst_cid = ipsa->ipsa_dst_cid;
966 967 IPSID_REFHOLD(ipsa->ipsa_dst_cid);
967 968 }
968 969
969 970 if (error) {
970 971 sadb_freeassoc(newbie);
971 972 return (NULL);
972 973 }
973 974
974 975 return (newbie);
975 976 }
976 977
977 978 /*
978 979 * Initialize a SADB address extension at the address specified by addrext.
979 980 * Return a pointer to the end of the new address extension.
980 981 */
981 982 static uint8_t *
982 983 sadb_make_addr_ext(uint8_t *start, uint8_t *end, uint16_t exttype,
983 984 sa_family_t af, uint32_t *addr, uint16_t port, uint8_t proto, int prefix)
984 985 {
985 986 struct sockaddr_in *sin;
986 987 struct sockaddr_in6 *sin6;
987 988 uint8_t *cur = start;
988 989 int addrext_len;
989 990 int sin_len;
990 991 sadb_address_t *addrext = (sadb_address_t *)cur;
991 992
992 993 if (cur == NULL)
993 994 return (NULL);
994 995
995 996 cur += sizeof (*addrext);
996 997 if (cur > end)
997 998 return (NULL);
998 999
999 1000 addrext->sadb_address_proto = proto;
1000 1001 addrext->sadb_address_prefixlen = prefix;
1001 1002 addrext->sadb_address_reserved = 0;
1002 1003 addrext->sadb_address_exttype = exttype;
1003 1004
1004 1005 switch (af) {
1005 1006 case AF_INET:
1006 1007 sin = (struct sockaddr_in *)cur;
1007 1008 sin_len = sizeof (*sin);
1008 1009 cur += sin_len;
1009 1010 if (cur > end)
1010 1011 return (NULL);
1011 1012
1012 1013 sin->sin_family = af;
1013 1014 bzero(sin->sin_zero, sizeof (sin->sin_zero));
1014 1015 sin->sin_port = port;
1015 1016 IPSA_COPY_ADDR(&sin->sin_addr, addr, af);
1016 1017 break;
1017 1018 case AF_INET6:
1018 1019 sin6 = (struct sockaddr_in6 *)cur;
1019 1020 sin_len = sizeof (*sin6);
1020 1021 cur += sin_len;
1021 1022 if (cur > end)
1022 1023 return (NULL);
1023 1024
1024 1025 bzero(sin6, sizeof (*sin6));
1025 1026 sin6->sin6_family = af;
1026 1027 sin6->sin6_port = port;
1027 1028 IPSA_COPY_ADDR(&sin6->sin6_addr, addr, af);
1028 1029 break;
1029 1030 }
1030 1031
1031 1032 addrext_len = roundup(cur - start, sizeof (uint64_t));
1032 1033 addrext->sadb_address_len = SADB_8TO64(addrext_len);
1033 1034
1034 1035 cur = start + addrext_len;
1035 1036 if (cur > end)
1036 1037 cur = NULL;
1037 1038
1038 1039 return (cur);
1039 1040 }
1040 1041
1041 1042 /*
1042 1043 * Construct a key management cookie extension.
1043 1044 */
1044 1045
1045 1046 static uint8_t *
1046 1047 sadb_make_kmc_ext(uint8_t *cur, uint8_t *end, uint32_t kmp, uint32_t kmc)
1047 1048 {
1048 1049 sadb_x_kmc_t *kmcext = (sadb_x_kmc_t *)cur;
1049 1050
1050 1051 if (cur == NULL)
1051 1052 return (NULL);
1052 1053
1053 1054 cur += sizeof (*kmcext);
1054 1055
1055 1056 if (cur > end)
1056 1057 return (NULL);
1057 1058
1058 1059 kmcext->sadb_x_kmc_len = SADB_8TO64(sizeof (*kmcext));
1059 1060 kmcext->sadb_x_kmc_exttype = SADB_X_EXT_KM_COOKIE;
1060 1061 kmcext->sadb_x_kmc_proto = kmp;
1061 1062 kmcext->sadb_x_kmc_cookie = kmc;
1062 1063 kmcext->sadb_x_kmc_reserved = 0;
1063 1064
1064 1065 return (cur);
1065 1066 }
1066 1067
1067 1068 /*
1068 1069 * Given an original message header with sufficient space following it, and an
1069 1070 * SA, construct a full PF_KEY message with all of the relevant extensions.
1070 1071 * This is mostly used for SADB_GET, and SADB_DUMP.
1071 1072 */
1072 1073 static mblk_t *
1073 1074 sadb_sa2msg(ipsa_t *ipsa, sadb_msg_t *samsg)
1074 1075 {
1075 1076 int alloclen, addrsize, paddrsize, authsize, encrsize;
1076 1077 int srcidsize, dstidsize, senslen, osenslen;
1077 1078 sa_family_t fam, pfam; /* Address family for SADB_EXT_ADDRESS */
1078 1079 /* src/dst and proxy sockaddrs. */
1079 1080 /*
1080 1081 * The following are pointers into the PF_KEY message this PF_KEY
1081 1082 * message creates.
1082 1083 */
1083 1084 sadb_msg_t *newsamsg;
1084 1085 sadb_sa_t *assoc;
1085 1086 sadb_lifetime_t *lt;
1086 1087 sadb_key_t *key;
1087 1088 sadb_ident_t *ident;
1088 1089 sadb_sens_t *sens;
1089 1090 sadb_ext_t *walker; /* For when we need a generic ext. pointer. */
1090 1091 sadb_x_replay_ctr_t *repl_ctr;
1091 1092 sadb_x_pair_t *pair_ext;
1092 1093
1093 1094 mblk_t *mp;
1094 1095 uint8_t *cur, *end;
1095 1096 /* These indicate the presence of the above extension fields. */
1096 1097 boolean_t soft = B_FALSE, hard = B_FALSE;
1097 1098 boolean_t isrc = B_FALSE, idst = B_FALSE;
1098 1099 boolean_t auth = B_FALSE, encr = B_FALSE;
1099 1100 boolean_t sensinteg = B_FALSE, osensinteg = B_FALSE;
1100 1101 boolean_t srcid = B_FALSE, dstid = B_FALSE;
1101 1102 boolean_t idle;
1102 1103 boolean_t paired;
1103 1104 uint32_t otherspi;
1104 1105
1105 1106 /* First off, figure out the allocation length for this message. */
1106 1107 /*
1107 1108 * Constant stuff. This includes base, SA, address (src, dst),
1108 1109 * and lifetime (current).
1109 1110 */
1110 1111 alloclen = sizeof (sadb_msg_t) + sizeof (sadb_sa_t) +
1111 1112 sizeof (sadb_lifetime_t);
1112 1113
1113 1114 fam = ipsa->ipsa_addrfam;
1114 1115 switch (fam) {
1115 1116 case AF_INET:
1116 1117 addrsize = roundup(sizeof (struct sockaddr_in) +
1117 1118 sizeof (sadb_address_t), sizeof (uint64_t));
1118 1119 break;
1119 1120 case AF_INET6:
1120 1121 addrsize = roundup(sizeof (struct sockaddr_in6) +
1121 1122 sizeof (sadb_address_t), sizeof (uint64_t));
1122 1123 break;
1123 1124 default:
1124 1125 return (NULL);
1125 1126 }
1126 1127 /*
1127 1128 * Allocate TWO address extensions, for source and destination.
1128 1129 * (Thus, the * 2.)
1129 1130 */
1130 1131 alloclen += addrsize * 2;
1131 1132 if (ipsa->ipsa_flags & IPSA_F_NATT_REM)
1132 1133 alloclen += addrsize;
1133 1134 if (ipsa->ipsa_flags & IPSA_F_NATT_LOC)
1134 1135 alloclen += addrsize;
1135 1136
1136 1137 if (ipsa->ipsa_flags & IPSA_F_PAIRED) {
1137 1138 paired = B_TRUE;
1138 1139 alloclen += sizeof (sadb_x_pair_t);
1139 1140 otherspi = ipsa->ipsa_otherspi;
1140 1141 } else {
1141 1142 paired = B_FALSE;
1142 1143 }
1143 1144
1144 1145 /* How 'bout other lifetimes? */
1145 1146 if (ipsa->ipsa_softaddlt != 0 || ipsa->ipsa_softuselt != 0 ||
1146 1147 ipsa->ipsa_softbyteslt != 0 || ipsa->ipsa_softalloc != 0) {
1147 1148 alloclen += sizeof (sadb_lifetime_t);
1148 1149 soft = B_TRUE;
1149 1150 }
1150 1151
1151 1152 if (ipsa->ipsa_hardaddlt != 0 || ipsa->ipsa_harduselt != 0 ||
1152 1153 ipsa->ipsa_hardbyteslt != 0 || ipsa->ipsa_hardalloc != 0) {
1153 1154 alloclen += sizeof (sadb_lifetime_t);
1154 1155 hard = B_TRUE;
1155 1156 }
1156 1157
1157 1158 if (ipsa->ipsa_idleaddlt != 0 || ipsa->ipsa_idleuselt != 0) {
1158 1159 alloclen += sizeof (sadb_lifetime_t);
1159 1160 idle = B_TRUE;
1160 1161 } else {
1161 1162 idle = B_FALSE;
1162 1163 }
1163 1164
1164 1165 /* Inner addresses. */
1165 1166 if (ipsa->ipsa_innerfam != 0) {
1166 1167 pfam = ipsa->ipsa_innerfam;
1167 1168 switch (pfam) {
1168 1169 case AF_INET6:
1169 1170 paddrsize = roundup(sizeof (struct sockaddr_in6) +
1170 1171 sizeof (sadb_address_t), sizeof (uint64_t));
1171 1172 break;
1172 1173 case AF_INET:
1173 1174 paddrsize = roundup(sizeof (struct sockaddr_in) +
1174 1175 sizeof (sadb_address_t), sizeof (uint64_t));
1175 1176 break;
1176 1177 default:
1177 1178 cmn_err(CE_PANIC,
1178 1179 "IPsec SADB: Proxy length failure.\n");
1179 1180 break;
1180 1181 }
1181 1182 isrc = B_TRUE;
1182 1183 idst = B_TRUE;
1183 1184 alloclen += 2 * paddrsize;
1184 1185 }
1185 1186
1186 1187 /* For the following fields, assume that length != 0 ==> stuff */
1187 1188 if (ipsa->ipsa_authkeylen != 0) {
1188 1189 authsize = roundup(sizeof (sadb_key_t) + ipsa->ipsa_authkeylen,
1189 1190 sizeof (uint64_t));
1190 1191 alloclen += authsize;
1191 1192 auth = B_TRUE;
1192 1193 }
1193 1194
1194 1195 if (ipsa->ipsa_encrkeylen != 0) {
1195 1196 encrsize = roundup(sizeof (sadb_key_t) + ipsa->ipsa_encrkeylen +
1196 1197 ipsa->ipsa_nonce_len, sizeof (uint64_t));
1197 1198 alloclen += encrsize;
1198 1199 encr = B_TRUE;
1199 1200 } else {
1200 1201 encr = B_FALSE;
1201 1202 }
1202 1203
1203 1204 if (ipsa->ipsa_tsl != NULL) {
1204 1205 senslen = sadb_sens_len_from_label(ipsa->ipsa_tsl);
1205 1206 alloclen += senslen;
1206 1207 sensinteg = B_TRUE;
1207 1208 }
1208 1209
1209 1210 if (ipsa->ipsa_otsl != NULL) {
1210 1211 osenslen = sadb_sens_len_from_label(ipsa->ipsa_otsl);
1211 1212 alloclen += osenslen;
1212 1213 osensinteg = B_TRUE;
1213 1214 }
1214 1215
1215 1216 /*
1216 1217 * Must use strlen() here for lengths. Identities use NULL
1217 1218 * pointers to indicate their nonexistence.
1218 1219 */
1219 1220 if (ipsa->ipsa_src_cid != NULL) {
1220 1221 srcidsize = roundup(sizeof (sadb_ident_t) +
1221 1222 strlen(ipsa->ipsa_src_cid->ipsid_cid) + 1,
1222 1223 sizeof (uint64_t));
1223 1224 alloclen += srcidsize;
1224 1225 srcid = B_TRUE;
1225 1226 }
1226 1227
1227 1228 if (ipsa->ipsa_dst_cid != NULL) {
1228 1229 dstidsize = roundup(sizeof (sadb_ident_t) +
1229 1230 strlen(ipsa->ipsa_dst_cid->ipsid_cid) + 1,
1230 1231 sizeof (uint64_t));
1231 1232 alloclen += dstidsize;
1232 1233 dstid = B_TRUE;
1233 1234 }
1234 1235
1235 1236 if ((ipsa->ipsa_kmp != 0) || (ipsa->ipsa_kmc != 0))
1236 1237 alloclen += sizeof (sadb_x_kmc_t);
1237 1238
1238 1239 if (ipsa->ipsa_replay != 0) {
1239 1240 alloclen += sizeof (sadb_x_replay_ctr_t);
1240 1241 }
1241 1242
1242 1243 /* Make sure the allocation length is a multiple of 8 bytes. */
1243 1244 ASSERT((alloclen & 0x7) == 0);
1244 1245
1245 1246 /* XXX Possibly make it esballoc, with a bzero-ing free_ftn. */
1246 1247 mp = allocb(alloclen, BPRI_HI);
1247 1248 if (mp == NULL)
1248 1249 return (NULL);
1249 1250 bzero(mp->b_rptr, alloclen);
1250 1251
1251 1252 mp->b_wptr += alloclen;
1252 1253 end = mp->b_wptr;
1253 1254 newsamsg = (sadb_msg_t *)mp->b_rptr;
1254 1255 *newsamsg = *samsg;
1255 1256 newsamsg->sadb_msg_len = (uint16_t)SADB_8TO64(alloclen);
1256 1257
1257 1258 mutex_enter(&ipsa->ipsa_lock); /* Since I'm grabbing SA fields... */
1258 1259
1259 1260 newsamsg->sadb_msg_satype = ipsa->ipsa_type;
1260 1261
1261 1262 assoc = (sadb_sa_t *)(newsamsg + 1);
1262 1263 assoc->sadb_sa_len = SADB_8TO64(sizeof (*assoc));
1263 1264 assoc->sadb_sa_exttype = SADB_EXT_SA;
1264 1265 assoc->sadb_sa_spi = ipsa->ipsa_spi;
1265 1266 assoc->sadb_sa_replay = ipsa->ipsa_replay_wsize;
1266 1267 assoc->sadb_sa_state = ipsa->ipsa_state;
1267 1268 assoc->sadb_sa_auth = ipsa->ipsa_auth_alg;
1268 1269 assoc->sadb_sa_encrypt = ipsa->ipsa_encr_alg;
1269 1270 assoc->sadb_sa_flags = ipsa->ipsa_flags;
1270 1271
1271 1272 lt = (sadb_lifetime_t *)(assoc + 1);
1272 1273 lt->sadb_lifetime_len = SADB_8TO64(sizeof (*lt));
1273 1274 lt->sadb_lifetime_exttype = SADB_EXT_LIFETIME_CURRENT;
1274 1275 /* We do not support the concept. */
1275 1276 lt->sadb_lifetime_allocations = 0;
1276 1277 lt->sadb_lifetime_bytes = ipsa->ipsa_bytes;
1277 1278 lt->sadb_lifetime_addtime = ipsa->ipsa_addtime;
1278 1279 lt->sadb_lifetime_usetime = ipsa->ipsa_usetime;
1279 1280
1280 1281 if (hard) {
1281 1282 lt++;
1282 1283 lt->sadb_lifetime_len = SADB_8TO64(sizeof (*lt));
1283 1284 lt->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD;
1284 1285 lt->sadb_lifetime_allocations = ipsa->ipsa_hardalloc;
1285 1286 lt->sadb_lifetime_bytes = ipsa->ipsa_hardbyteslt;
1286 1287 lt->sadb_lifetime_addtime = ipsa->ipsa_hardaddlt;
1287 1288 lt->sadb_lifetime_usetime = ipsa->ipsa_harduselt;
1288 1289 }
1289 1290
1290 1291 if (soft) {
1291 1292 lt++;
1292 1293 lt->sadb_lifetime_len = SADB_8TO64(sizeof (*lt));
1293 1294 lt->sadb_lifetime_exttype = SADB_EXT_LIFETIME_SOFT;
1294 1295 lt->sadb_lifetime_allocations = ipsa->ipsa_softalloc;
1295 1296 lt->sadb_lifetime_bytes = ipsa->ipsa_softbyteslt;
1296 1297 lt->sadb_lifetime_addtime = ipsa->ipsa_softaddlt;
1297 1298 lt->sadb_lifetime_usetime = ipsa->ipsa_softuselt;
1298 1299 }
1299 1300
1300 1301 if (idle) {
1301 1302 lt++;
1302 1303 lt->sadb_lifetime_len = SADB_8TO64(sizeof (*lt));
1303 1304 lt->sadb_lifetime_exttype = SADB_X_EXT_LIFETIME_IDLE;
1304 1305 lt->sadb_lifetime_addtime = ipsa->ipsa_idleaddlt;
1305 1306 lt->sadb_lifetime_usetime = ipsa->ipsa_idleuselt;
1306 1307 }
1307 1308
1308 1309 cur = (uint8_t *)(lt + 1);
1309 1310
1310 1311 /* NOTE: Don't fill in ports here if we are a tunnel-mode SA. */
1311 1312 cur = sadb_make_addr_ext(cur, end, SADB_EXT_ADDRESS_SRC, fam,
1312 1313 ipsa->ipsa_srcaddr, (!isrc && !idst) ? SA_SRCPORT(ipsa) : 0,
1313 1314 SA_PROTO(ipsa), 0);
1314 1315 if (cur == NULL) {
1315 1316 freemsg(mp);
1316 1317 mp = NULL;
1317 1318 goto bail;
1318 1319 }
1319 1320
1320 1321 cur = sadb_make_addr_ext(cur, end, SADB_EXT_ADDRESS_DST, fam,
1321 1322 ipsa->ipsa_dstaddr, (!isrc && !idst) ? SA_DSTPORT(ipsa) : 0,
1322 1323 SA_PROTO(ipsa), 0);
1323 1324 if (cur == NULL) {
1324 1325 freemsg(mp);
1325 1326 mp = NULL;
1326 1327 goto bail;
1327 1328 }
1328 1329
1329 1330 if (ipsa->ipsa_flags & IPSA_F_NATT_LOC) {
1330 1331 cur = sadb_make_addr_ext(cur, end, SADB_X_EXT_ADDRESS_NATT_LOC,
1331 1332 fam, &ipsa->ipsa_natt_addr_loc, ipsa->ipsa_local_nat_port,
1332 1333 IPPROTO_UDP, 0);
1333 1334 if (cur == NULL) {
1334 1335 freemsg(mp);
1335 1336 mp = NULL;
1336 1337 goto bail;
1337 1338 }
1338 1339 }
1339 1340
1340 1341 if (ipsa->ipsa_flags & IPSA_F_NATT_REM) {
1341 1342 cur = sadb_make_addr_ext(cur, end, SADB_X_EXT_ADDRESS_NATT_REM,
1342 1343 fam, &ipsa->ipsa_natt_addr_rem, ipsa->ipsa_remote_nat_port,
1343 1344 IPPROTO_UDP, 0);
1344 1345 if (cur == NULL) {
1345 1346 freemsg(mp);
1346 1347 mp = NULL;
1347 1348 goto bail;
1348 1349 }
1349 1350 }
1350 1351
1351 1352 /* If we are a tunnel-mode SA, fill in the inner-selectors. */
1352 1353 if (isrc) {
1353 1354 cur = sadb_make_addr_ext(cur, end, SADB_X_EXT_ADDRESS_INNER_SRC,
1354 1355 pfam, ipsa->ipsa_innersrc, SA_SRCPORT(ipsa),
1355 1356 SA_IPROTO(ipsa), ipsa->ipsa_innersrcpfx);
1356 1357 if (cur == NULL) {
1357 1358 freemsg(mp);
1358 1359 mp = NULL;
1359 1360 goto bail;
1360 1361 }
1361 1362 }
1362 1363
1363 1364 if (idst) {
1364 1365 cur = sadb_make_addr_ext(cur, end, SADB_X_EXT_ADDRESS_INNER_DST,
1365 1366 pfam, ipsa->ipsa_innerdst, SA_DSTPORT(ipsa),
1366 1367 SA_IPROTO(ipsa), ipsa->ipsa_innerdstpfx);
1367 1368 if (cur == NULL) {
1368 1369 freemsg(mp);
1369 1370 mp = NULL;
1370 1371 goto bail;
1371 1372 }
1372 1373 }
1373 1374
1374 1375 if ((ipsa->ipsa_kmp != 0) || (ipsa->ipsa_kmc != 0)) {
1375 1376 cur = sadb_make_kmc_ext(cur, end,
1376 1377 ipsa->ipsa_kmp, ipsa->ipsa_kmc);
1377 1378 if (cur == NULL) {
1378 1379 freemsg(mp);
1379 1380 mp = NULL;
1380 1381 goto bail;
1381 1382 }
1382 1383 }
1383 1384
1384 1385 walker = (sadb_ext_t *)cur;
1385 1386 if (auth) {
1386 1387 key = (sadb_key_t *)walker;
1387 1388 key->sadb_key_len = SADB_8TO64(authsize);
1388 1389 key->sadb_key_exttype = SADB_EXT_KEY_AUTH;
1389 1390 key->sadb_key_bits = ipsa->ipsa_authkeybits;
1390 1391 key->sadb_key_reserved = 0;
1391 1392 bcopy(ipsa->ipsa_authkey, key + 1, ipsa->ipsa_authkeylen);
1392 1393 walker = (sadb_ext_t *)((uint64_t *)walker +
1393 1394 walker->sadb_ext_len);
1394 1395 }
1395 1396
1396 1397 if (encr) {
1397 1398 uint8_t *buf_ptr;
1398 1399 key = (sadb_key_t *)walker;
1399 1400 key->sadb_key_len = SADB_8TO64(encrsize);
1400 1401 key->sadb_key_exttype = SADB_EXT_KEY_ENCRYPT;
1401 1402 key->sadb_key_bits = ipsa->ipsa_encrkeybits;
1402 1403 key->sadb_key_reserved = ipsa->ipsa_saltbits;
1403 1404 buf_ptr = (uint8_t *)(key + 1);
1404 1405 bcopy(ipsa->ipsa_encrkey, buf_ptr, ipsa->ipsa_encrkeylen);
1405 1406 if (ipsa->ipsa_salt != NULL) {
1406 1407 buf_ptr += ipsa->ipsa_encrkeylen;
1407 1408 bcopy(ipsa->ipsa_salt, buf_ptr, ipsa->ipsa_saltlen);
1408 1409 }
1409 1410 walker = (sadb_ext_t *)((uint64_t *)walker +
1410 1411 walker->sadb_ext_len);
1411 1412 }
1412 1413
1413 1414 if (srcid) {
1414 1415 ident = (sadb_ident_t *)walker;
1415 1416 ident->sadb_ident_len = SADB_8TO64(srcidsize);
1416 1417 ident->sadb_ident_exttype = SADB_EXT_IDENTITY_SRC;
1417 1418 ident->sadb_ident_type = ipsa->ipsa_src_cid->ipsid_type;
1418 1419 ident->sadb_ident_id = 0;
1419 1420 ident->sadb_ident_reserved = 0;
1420 1421 (void) strcpy((char *)(ident + 1),
1421 1422 ipsa->ipsa_src_cid->ipsid_cid);
1422 1423 walker = (sadb_ext_t *)((uint64_t *)walker +
1423 1424 walker->sadb_ext_len);
1424 1425 }
1425 1426
1426 1427 if (dstid) {
1427 1428 ident = (sadb_ident_t *)walker;
1428 1429 ident->sadb_ident_len = SADB_8TO64(dstidsize);
1429 1430 ident->sadb_ident_exttype = SADB_EXT_IDENTITY_DST;
1430 1431 ident->sadb_ident_type = ipsa->ipsa_dst_cid->ipsid_type;
1431 1432 ident->sadb_ident_id = 0;
1432 1433 ident->sadb_ident_reserved = 0;
1433 1434 (void) strcpy((char *)(ident + 1),
1434 1435 ipsa->ipsa_dst_cid->ipsid_cid);
1435 1436 walker = (sadb_ext_t *)((uint64_t *)walker +
1436 1437 walker->sadb_ext_len);
1437 1438 }
1438 1439
1439 1440 if (sensinteg) {
1440 1441 sens = (sadb_sens_t *)walker;
1441 1442 sadb_sens_from_label(sens, SADB_EXT_SENSITIVITY,
1442 1443 ipsa->ipsa_tsl, senslen);
1443 1444
1444 1445 walker = (sadb_ext_t *)((uint64_t *)walker +
1445 1446 walker->sadb_ext_len);
1446 1447 }
1447 1448
1448 1449 if (osensinteg) {
1449 1450 sens = (sadb_sens_t *)walker;
1450 1451
1451 1452 sadb_sens_from_label(sens, SADB_X_EXT_OUTER_SENS,
1452 1453 ipsa->ipsa_otsl, osenslen);
1453 1454 if (ipsa->ipsa_mac_exempt)
1454 1455 sens->sadb_x_sens_flags = SADB_X_SENS_IMPLICIT;
1455 1456
1456 1457 walker = (sadb_ext_t *)((uint64_t *)walker +
1457 1458 walker->sadb_ext_len);
1458 1459 }
1459 1460
1460 1461 if (paired) {
1461 1462 pair_ext = (sadb_x_pair_t *)walker;
1462 1463
1463 1464 pair_ext->sadb_x_pair_len = SADB_8TO64(sizeof (sadb_x_pair_t));
1464 1465 pair_ext->sadb_x_pair_exttype = SADB_X_EXT_PAIR;
1465 1466 pair_ext->sadb_x_pair_spi = otherspi;
1466 1467
1467 1468 walker = (sadb_ext_t *)((uint64_t *)walker +
1468 1469 walker->sadb_ext_len);
1469 1470 }
1470 1471
1471 1472 if (ipsa->ipsa_replay != 0) {
1472 1473 repl_ctr = (sadb_x_replay_ctr_t *)walker;
1473 1474 repl_ctr->sadb_x_rc_len = SADB_8TO64(sizeof (*repl_ctr));
1474 1475 repl_ctr->sadb_x_rc_exttype = SADB_X_EXT_REPLAY_VALUE;
1475 1476 repl_ctr->sadb_x_rc_replay32 = ipsa->ipsa_replay;
1476 1477 repl_ctr->sadb_x_rc_replay64 = 0;
1477 1478 walker = (sadb_ext_t *)(repl_ctr + 1);
1478 1479 }
1479 1480
1480 1481 bail:
1481 1482 /* Pardon any delays... */
1482 1483 mutex_exit(&ipsa->ipsa_lock);
1483 1484
1484 1485 return (mp);
1485 1486 }
1486 1487
1487 1488 /*
1488 1489 * Strip out key headers or unmarked headers (SADB_EXT_KEY_*, SADB_EXT_UNKNOWN)
1489 1490 * and adjust base message accordingly.
1490 1491 *
1491 1492 * Assume message is pulled up in one piece of contiguous memory.
1492 1493 *
1493 1494 * Say if we start off with:
1494 1495 *
1495 1496 * +------+----+-------------+-----------+---------------+---------------+
1496 1497 * | base | SA | source addr | dest addr | rsrvd. or key | soft lifetime |
1497 1498 * +------+----+-------------+-----------+---------------+---------------+
1498 1499 *
1499 1500 * we will end up with
1500 1501 *
1501 1502 * +------+----+-------------+-----------+---------------+
1502 1503 * | base | SA | source addr | dest addr | soft lifetime |
1503 1504 * +------+----+-------------+-----------+---------------+
1504 1505 */
1505 1506 static void
1506 1507 sadb_strip(sadb_msg_t *samsg)
1507 1508 {
1508 1509 sadb_ext_t *ext;
1509 1510 uint8_t *target = NULL;
1510 1511 uint8_t *msgend;
1511 1512 int sofar = SADB_8TO64(sizeof (*samsg));
1512 1513 int copylen;
1513 1514
1514 1515 ext = (sadb_ext_t *)(samsg + 1);
1515 1516 msgend = (uint8_t *)samsg;
1516 1517 msgend += SADB_64TO8(samsg->sadb_msg_len);
1517 1518 while ((uint8_t *)ext < msgend) {
1518 1519 if (ext->sadb_ext_type == SADB_EXT_RESERVED ||
1519 1520 ext->sadb_ext_type == SADB_EXT_KEY_AUTH ||
1520 1521 ext->sadb_ext_type == SADB_X_EXT_EDUMP ||
1521 1522 ext->sadb_ext_type == SADB_EXT_KEY_ENCRYPT) {
1522 1523 /*
1523 1524 * Aha! I found a header to be erased.
1524 1525 */
1525 1526
1526 1527 if (target != NULL) {
1527 1528 /*
1528 1529 * If I had a previous header to be erased,
1529 1530 * copy over it. I can get away with just
1530 1531 * copying backwards because the target will
1531 1532 * always be 8 bytes behind the source.
1532 1533 */
1533 1534 copylen = ((uint8_t *)ext) - (target +
1534 1535 SADB_64TO8(
1535 1536 ((sadb_ext_t *)target)->sadb_ext_len));
1536 1537 ovbcopy(((uint8_t *)ext - copylen), target,
1537 1538 copylen);
1538 1539 target += copylen;
1539 1540 ((sadb_ext_t *)target)->sadb_ext_len =
1540 1541 SADB_8TO64(((uint8_t *)ext) - target +
1541 1542 SADB_64TO8(ext->sadb_ext_len));
1542 1543 } else {
1543 1544 target = (uint8_t *)ext;
1544 1545 }
1545 1546 } else {
1546 1547 sofar += ext->sadb_ext_len;
1547 1548 }
1548 1549
1549 1550 ext = (sadb_ext_t *)(((uint64_t *)ext) + ext->sadb_ext_len);
1550 1551 }
1551 1552
1552 1553 ASSERT((uint8_t *)ext == msgend);
1553 1554
1554 1555 if (target != NULL) {
1555 1556 copylen = ((uint8_t *)ext) - (target +
1556 1557 SADB_64TO8(((sadb_ext_t *)target)->sadb_ext_len));
1557 1558 if (copylen != 0)
1558 1559 ovbcopy(((uint8_t *)ext - copylen), target, copylen);
1559 1560 }
1560 1561
1561 1562 /* Adjust samsg. */
1562 1563 samsg->sadb_msg_len = (uint16_t)sofar;
1563 1564
1564 1565 /* Assume all of the rest is cleared by caller in sadb_pfkey_echo(). */
1565 1566 }
1566 1567
1567 1568 /*
1568 1569 * AH needs to send an error to PF_KEY. Assume mp points to an M_CTL
1569 1570 * followed by an M_DATA with a PF_KEY message in it. The serial of
1570 1571 * the sending keysock instance is included.
1571 1572 */
1572 1573 void
1573 1574 sadb_pfkey_error(queue_t *pfkey_q, mblk_t *mp, int error, int diagnostic,
1574 1575 uint_t serial)
1575 1576 {
1576 1577 mblk_t *msg = mp->b_cont;
1577 1578 sadb_msg_t *samsg;
1578 1579 keysock_out_t *kso;
1579 1580
1580 1581 /*
1581 1582 * Enough functions call this to merit a NULL queue check.
1582 1583 */
1583 1584 if (pfkey_q == NULL) {
1584 1585 freemsg(mp);
1585 1586 return;
1586 1587 }
1587 1588
1588 1589 ASSERT(msg != NULL);
1589 1590 ASSERT((mp->b_wptr - mp->b_rptr) == sizeof (ipsec_info_t));
1590 1591 ASSERT((msg->b_wptr - msg->b_rptr) >= sizeof (sadb_msg_t));
1591 1592 samsg = (sadb_msg_t *)msg->b_rptr;
1592 1593 kso = (keysock_out_t *)mp->b_rptr;
1593 1594
1594 1595 kso->ks_out_type = KEYSOCK_OUT;
1595 1596 kso->ks_out_len = sizeof (*kso);
1596 1597 kso->ks_out_serial = serial;
1597 1598
1598 1599 /*
1599 1600 * Only send the base message up in the event of an error.
1600 1601 * Don't worry about bzero()-ing, because it was probably bogus
1601 1602 * anyway.
1602 1603 */
1603 1604 msg->b_wptr = msg->b_rptr + sizeof (*samsg);
1604 1605 samsg = (sadb_msg_t *)msg->b_rptr;
1605 1606 samsg->sadb_msg_len = SADB_8TO64(sizeof (*samsg));
1606 1607 samsg->sadb_msg_errno = (uint8_t)error;
1607 1608 if (diagnostic != SADB_X_DIAGNOSTIC_PRESET)
1608 1609 samsg->sadb_x_msg_diagnostic = (uint16_t)diagnostic;
1609 1610
1610 1611 putnext(pfkey_q, mp);
1611 1612 }
1612 1613
1613 1614 /*
1614 1615 * Send a successful return packet back to keysock via the queue in pfkey_q.
1615 1616 *
1616 1617 * Often, an SA is associated with the reply message, it's passed in if needed,
1617 1618 * and NULL if not. BTW, that ipsa will have its refcnt appropriately held,
1618 1619 * and the caller will release said refcnt.
1619 1620 */
1620 1621 void
1621 1622 sadb_pfkey_echo(queue_t *pfkey_q, mblk_t *mp, sadb_msg_t *samsg,
1622 1623 keysock_in_t *ksi, ipsa_t *ipsa)
1623 1624 {
1624 1625 keysock_out_t *kso;
1625 1626 mblk_t *mp1;
1626 1627 sadb_msg_t *newsamsg;
1627 1628 uint8_t *oldend;
1628 1629
1629 1630 ASSERT((mp->b_cont != NULL) &&
1630 1631 ((void *)samsg == (void *)mp->b_cont->b_rptr) &&
1631 1632 ((void *)mp->b_rptr == (void *)ksi));
1632 1633
1633 1634 switch (samsg->sadb_msg_type) {
1634 1635 case SADB_ADD:
1635 1636 case SADB_UPDATE:
1636 1637 case SADB_X_UPDATEPAIR:
1637 1638 case SADB_X_DELPAIR_STATE:
1638 1639 case SADB_FLUSH:
1639 1640 case SADB_DUMP:
1640 1641 /*
1641 1642 * I have all of the message already. I just need to strip
1642 1643 * out the keying material and echo the message back.
1643 1644 *
1644 1645 * NOTE: for SADB_DUMP, the function sadb_dump() did the
1645 1646 * work. When DUMP reaches here, it should only be a base
1646 1647 * message.
1647 1648 */
1648 1649 justecho:
1649 1650 if (ksi->ks_in_extv[SADB_EXT_KEY_AUTH] != NULL ||
1650 1651 ksi->ks_in_extv[SADB_EXT_KEY_ENCRYPT] != NULL ||
1651 1652 ksi->ks_in_extv[SADB_X_EXT_EDUMP] != NULL) {
1652 1653 sadb_strip(samsg);
1653 1654 /* Assume PF_KEY message is contiguous. */
1654 1655 ASSERT(mp->b_cont->b_cont == NULL);
1655 1656 oldend = mp->b_cont->b_wptr;
1656 1657 mp->b_cont->b_wptr = mp->b_cont->b_rptr +
1657 1658 SADB_64TO8(samsg->sadb_msg_len);
1658 1659 bzero(mp->b_cont->b_wptr, oldend - mp->b_cont->b_wptr);
1659 1660 }
1660 1661 break;
1661 1662 case SADB_GET:
1662 1663 /*
1663 1664 * Do a lot of work here, because of the ipsa I just found.
1664 1665 * First construct the new PF_KEY message, then abandon
1665 1666 * the old one.
1666 1667 */
1667 1668 mp1 = sadb_sa2msg(ipsa, samsg);
1668 1669 if (mp1 == NULL) {
1669 1670 sadb_pfkey_error(pfkey_q, mp, ENOMEM,
1670 1671 SADB_X_DIAGNOSTIC_NONE, ksi->ks_in_serial);
1671 1672 return;
1672 1673 }
1673 1674 freemsg(mp->b_cont);
1674 1675 mp->b_cont = mp1;
1675 1676 break;
1676 1677 case SADB_DELETE:
1677 1678 case SADB_X_DELPAIR:
1678 1679 if (ipsa == NULL)
1679 1680 goto justecho;
1680 1681 /*
1681 1682 * Because listening KMds may require more info, treat
1682 1683 * DELETE like a special case of GET.
1683 1684 */
1684 1685 mp1 = sadb_sa2msg(ipsa, samsg);
1685 1686 if (mp1 == NULL) {
1686 1687 sadb_pfkey_error(pfkey_q, mp, ENOMEM,
1687 1688 SADB_X_DIAGNOSTIC_NONE, ksi->ks_in_serial);
1688 1689 return;
1689 1690 }
1690 1691 newsamsg = (sadb_msg_t *)mp1->b_rptr;
1691 1692 sadb_strip(newsamsg);
1692 1693 oldend = mp1->b_wptr;
1693 1694 mp1->b_wptr = mp1->b_rptr + SADB_64TO8(newsamsg->sadb_msg_len);
1694 1695 bzero(mp1->b_wptr, oldend - mp1->b_wptr);
1695 1696 freemsg(mp->b_cont);
1696 1697 mp->b_cont = mp1;
1697 1698 break;
1698 1699 default:
1699 1700 if (mp != NULL)
1700 1701 freemsg(mp);
1701 1702 return;
1702 1703 }
1703 1704
1704 1705 /* ksi is now null and void. */
1705 1706 kso = (keysock_out_t *)ksi;
1706 1707 kso->ks_out_type = KEYSOCK_OUT;
1707 1708 kso->ks_out_len = sizeof (*kso);
1708 1709 kso->ks_out_serial = ksi->ks_in_serial;
1709 1710 /* We're ready to send... */
1710 1711 putnext(pfkey_q, mp);
1711 1712 }
1712 1713
1713 1714 /*
1714 1715 * Set up a global pfkey_q instance for AH, ESP, or some other consumer.
1715 1716 */
1716 1717 void
1717 1718 sadb_keysock_hello(queue_t **pfkey_qp, queue_t *q, mblk_t *mp,
1718 1719 void (*ager)(void *), void *agerarg, timeout_id_t *top, int satype)
1719 1720 {
1720 1721 keysock_hello_ack_t *kha;
1721 1722 queue_t *oldq;
1722 1723
1723 1724 ASSERT(OTHERQ(q) != NULL);
1724 1725
1725 1726 /*
1726 1727 * First, check atomically that I'm the first and only keysock
1727 1728 * instance.
1728 1729 *
1729 1730 * Use OTHERQ(q), because qreply(q, mp) == putnext(OTHERQ(q), mp),
1730 1731 * and I want this module to say putnext(*_pfkey_q, mp) for PF_KEY
1731 1732 * messages.
1732 1733 */
1733 1734
1734 1735 oldq = atomic_cas_ptr((void **)pfkey_qp, NULL, OTHERQ(q));
1735 1736 if (oldq != NULL) {
1736 1737 ASSERT(oldq != q);
1737 1738 cmn_err(CE_WARN, "Danger! Multiple keysocks on top of %s.\n",
1738 1739 (satype == SADB_SATYPE_ESP)? "ESP" : "AH or other");
1739 1740 freemsg(mp);
1740 1741 return;
1741 1742 }
1742 1743
1743 1744 kha = (keysock_hello_ack_t *)mp->b_rptr;
1744 1745 kha->ks_hello_len = sizeof (keysock_hello_ack_t);
1745 1746 kha->ks_hello_type = KEYSOCK_HELLO_ACK;
1746 1747 kha->ks_hello_satype = (uint8_t)satype;
1747 1748
1748 1749 /*
1749 1750 * If we made it past the atomic_cas_ptr, then we have "exclusive"
1750 1751 * access to the timeout handle. Fire it off after the default ager
1751 1752 * interval.
1752 1753 */
1753 1754 *top = qtimeout(*pfkey_qp, ager, agerarg,
1754 1755 drv_usectohz(SADB_AGE_INTERVAL_DEFAULT * 1000));
1755 1756
1756 1757 putnext(*pfkey_qp, mp);
1757 1758 }
1758 1759
1759 1760 /*
1760 1761 * Normalize IPv4-mapped IPv6 addresses (and prefixes) as appropriate.
1761 1762 *
1762 1763 * Check addresses themselves for wildcard or multicast.
1763 1764 * Check ire table for local/non-local/broadcast.
1764 1765 */
1765 1766 int
1766 1767 sadb_addrcheck(queue_t *pfkey_q, mblk_t *mp, sadb_ext_t *ext, uint_t serial,
1767 1768 netstack_t *ns)
1768 1769 {
1769 1770 sadb_address_t *addr = (sadb_address_t *)ext;
1770 1771 struct sockaddr_in *sin;
1771 1772 struct sockaddr_in6 *sin6;
1772 1773 int diagnostic, type;
1773 1774 boolean_t normalized = B_FALSE;
1774 1775
1775 1776 ASSERT(ext != NULL);
1776 1777 ASSERT((ext->sadb_ext_type == SADB_EXT_ADDRESS_SRC) ||
1777 1778 (ext->sadb_ext_type == SADB_EXT_ADDRESS_DST) ||
1778 1779 (ext->sadb_ext_type == SADB_X_EXT_ADDRESS_INNER_SRC) ||
1779 1780 (ext->sadb_ext_type == SADB_X_EXT_ADDRESS_INNER_DST) ||
1780 1781 (ext->sadb_ext_type == SADB_X_EXT_ADDRESS_NATT_LOC) ||
1781 1782 (ext->sadb_ext_type == SADB_X_EXT_ADDRESS_NATT_REM));
1782 1783
1783 1784 /* Assign both sockaddrs, the compiler will do the right thing. */
1784 1785 sin = (struct sockaddr_in *)(addr + 1);
1785 1786 sin6 = (struct sockaddr_in6 *)(addr + 1);
1786 1787
1787 1788 if (sin6->sin6_family == AF_INET6) {
1788 1789 if (IN6_IS_ADDR_V4MAPPED(&sin6->sin6_addr)) {
1789 1790 /*
1790 1791 * Convert to an AF_INET sockaddr. This means the
1791 1792 * return messages will have the extra space, but have
1792 1793 * AF_INET sockaddrs instead of AF_INET6.
1793 1794 *
1794 1795 * Yes, RFC 2367 isn't clear on what to do here w.r.t.
1795 1796 * mapped addresses, but since AF_INET6 ::ffff:<v4> is
1796 1797 * equal to AF_INET <v4>, it shouldnt be a huge
1797 1798 * problem.
1798 1799 */
1799 1800 sin->sin_family = AF_INET;
1800 1801 IN6_V4MAPPED_TO_INADDR(&sin6->sin6_addr,
1801 1802 &sin->sin_addr);
1802 1803 bzero(&sin->sin_zero, sizeof (sin->sin_zero));
1803 1804 normalized = B_TRUE;
1804 1805 }
1805 1806 } else if (sin->sin_family != AF_INET) {
1806 1807 switch (ext->sadb_ext_type) {
1807 1808 case SADB_EXT_ADDRESS_SRC:
1808 1809 diagnostic = SADB_X_DIAGNOSTIC_BAD_SRC_AF;
1809 1810 break;
1810 1811 case SADB_EXT_ADDRESS_DST:
1811 1812 diagnostic = SADB_X_DIAGNOSTIC_BAD_DST_AF;
1812 1813 break;
1813 1814 case SADB_X_EXT_ADDRESS_INNER_SRC:
1814 1815 diagnostic = SADB_X_DIAGNOSTIC_BAD_PROXY_AF;
1815 1816 break;
1816 1817 case SADB_X_EXT_ADDRESS_INNER_DST:
1817 1818 diagnostic = SADB_X_DIAGNOSTIC_BAD_INNER_DST_AF;
1818 1819 break;
1819 1820 case SADB_X_EXT_ADDRESS_NATT_LOC:
1820 1821 diagnostic = SADB_X_DIAGNOSTIC_BAD_NATT_LOC_AF;
1821 1822 break;
1822 1823 case SADB_X_EXT_ADDRESS_NATT_REM:
1823 1824 diagnostic = SADB_X_DIAGNOSTIC_BAD_NATT_REM_AF;
1824 1825 break;
1825 1826 /* There is no default, see above ASSERT. */
1826 1827 }
1827 1828 bail:
1828 1829 if (pfkey_q != NULL) {
1829 1830 sadb_pfkey_error(pfkey_q, mp, EINVAL, diagnostic,
1830 1831 serial);
1831 1832 } else {
1832 1833 /*
1833 1834 * Scribble in sadb_msg that we got passed in.
1834 1835 * Overload "mp" to be an sadb_msg pointer.
1835 1836 */
1836 1837 sadb_msg_t *samsg = (sadb_msg_t *)mp;
1837 1838
1838 1839 samsg->sadb_msg_errno = EINVAL;
1839 1840 samsg->sadb_x_msg_diagnostic = diagnostic;
1840 1841 }
1841 1842 return (KS_IN_ADDR_UNKNOWN);
1842 1843 }
1843 1844
1844 1845 if (ext->sadb_ext_type == SADB_X_EXT_ADDRESS_INNER_SRC ||
1845 1846 ext->sadb_ext_type == SADB_X_EXT_ADDRESS_INNER_DST) {
1846 1847 /*
1847 1848 * We need only check for prefix issues.
1848 1849 */
1849 1850
1850 1851 /* Set diagnostic now, in case we need it later. */
1851 1852 diagnostic =
1852 1853 (ext->sadb_ext_type == SADB_X_EXT_ADDRESS_INNER_SRC) ?
1853 1854 SADB_X_DIAGNOSTIC_PREFIX_INNER_SRC :
1854 1855 SADB_X_DIAGNOSTIC_PREFIX_INNER_DST;
1855 1856
1856 1857 if (normalized)
1857 1858 addr->sadb_address_prefixlen -= 96;
1858 1859
1859 1860 /*
1860 1861 * Verify and mask out inner-addresses based on prefix length.
1861 1862 */
1862 1863 if (sin->sin_family == AF_INET) {
1863 1864 if (addr->sadb_address_prefixlen > 32)
1864 1865 goto bail;
1865 1866 sin->sin_addr.s_addr &=
1866 1867 ip_plen_to_mask(addr->sadb_address_prefixlen);
1867 1868 } else {
1868 1869 in6_addr_t mask;
1869 1870
1870 1871 ASSERT(sin->sin_family == AF_INET6);
1871 1872 /*
1872 1873 * ip_plen_to_mask_v6() returns NULL if the value in
1873 1874 * question is out of range.
1874 1875 */
1875 1876 if (ip_plen_to_mask_v6(addr->sadb_address_prefixlen,
1876 1877 &mask) == NULL)
1877 1878 goto bail;
1878 1879 sin6->sin6_addr.s6_addr32[0] &= mask.s6_addr32[0];
1879 1880 sin6->sin6_addr.s6_addr32[1] &= mask.s6_addr32[1];
1880 1881 sin6->sin6_addr.s6_addr32[2] &= mask.s6_addr32[2];
1881 1882 sin6->sin6_addr.s6_addr32[3] &= mask.s6_addr32[3];
1882 1883 }
1883 1884
1884 1885 /* We don't care in these cases. */
1885 1886 return (KS_IN_ADDR_DONTCARE);
1886 1887 }
1887 1888
1888 1889 if (sin->sin_family == AF_INET6) {
1889 1890 /* Check the easy ones now. */
1890 1891 if (IN6_IS_ADDR_MULTICAST(&sin6->sin6_addr))
1891 1892 return (KS_IN_ADDR_MBCAST);
1892 1893 if (IN6_IS_ADDR_UNSPECIFIED(&sin6->sin6_addr))
1893 1894 return (KS_IN_ADDR_UNSPEC);
1894 1895 /*
1895 1896 * At this point, we're a unicast IPv6 address.
1896 1897 *
1897 1898 * XXX Zones alert -> me/notme decision needs to be tempered
1898 1899 * by what zone we're in when we go to zone-aware IPsec.
1899 1900 */
1900 1901 if (ip_type_v6(&sin6->sin6_addr, ns->netstack_ip) ==
1901 1902 IRE_LOCAL) {
1902 1903 /* Hey hey, it's local. */
1903 1904 return (KS_IN_ADDR_ME);
1904 1905 }
1905 1906 } else {
1906 1907 ASSERT(sin->sin_family == AF_INET);
1907 1908 if (sin->sin_addr.s_addr == INADDR_ANY)
1908 1909 return (KS_IN_ADDR_UNSPEC);
1909 1910 if (CLASSD(sin->sin_addr.s_addr))
1910 1911 return (KS_IN_ADDR_MBCAST);
1911 1912 /*
1912 1913 * At this point we're a unicast or broadcast IPv4 address.
1913 1914 *
1914 1915 * Check if the address is IRE_BROADCAST or IRE_LOCAL.
1915 1916 *
1916 1917 * XXX Zones alert -> me/notme decision needs to be tempered
1917 1918 * by what zone we're in when we go to zone-aware IPsec.
1918 1919 */
1919 1920 type = ip_type_v4(sin->sin_addr.s_addr, ns->netstack_ip);
1920 1921 switch (type) {
1921 1922 case IRE_LOCAL:
1922 1923 return (KS_IN_ADDR_ME);
1923 1924 case IRE_BROADCAST:
1924 1925 return (KS_IN_ADDR_MBCAST);
1925 1926 }
1926 1927 }
1927 1928
1928 1929 return (KS_IN_ADDR_NOTME);
1929 1930 }
1930 1931
1931 1932 /*
1932 1933 * Address normalizations and reality checks for inbound PF_KEY messages.
1933 1934 *
1934 1935 * For the case of src == unspecified AF_INET6, and dst == AF_INET, convert
1935 1936 * the source to AF_INET. Do the same for the inner sources.
1936 1937 */
1937 1938 boolean_t
1938 1939 sadb_addrfix(keysock_in_t *ksi, queue_t *pfkey_q, mblk_t *mp, netstack_t *ns)
1939 1940 {
1940 1941 struct sockaddr_in *src, *isrc;
1941 1942 struct sockaddr_in6 *dst, *idst;
1942 1943 sadb_address_t *srcext, *dstext;
1943 1944 uint16_t sport;
1944 1945 sadb_ext_t **extv = ksi->ks_in_extv;
1945 1946 int rc;
1946 1947
1947 1948 if (extv[SADB_EXT_ADDRESS_SRC] != NULL) {
1948 1949 rc = sadb_addrcheck(pfkey_q, mp, extv[SADB_EXT_ADDRESS_SRC],
1949 1950 ksi->ks_in_serial, ns);
1950 1951 if (rc == KS_IN_ADDR_UNKNOWN)
1951 1952 return (B_FALSE);
1952 1953 if (rc == KS_IN_ADDR_MBCAST) {
1953 1954 sadb_pfkey_error(pfkey_q, mp, EINVAL,
1954 1955 SADB_X_DIAGNOSTIC_BAD_SRC, ksi->ks_in_serial);
1955 1956 return (B_FALSE);
1956 1957 }
1957 1958 ksi->ks_in_srctype = rc;
1958 1959 }
1959 1960
1960 1961 if (extv[SADB_EXT_ADDRESS_DST] != NULL) {
1961 1962 rc = sadb_addrcheck(pfkey_q, mp, extv[SADB_EXT_ADDRESS_DST],
1962 1963 ksi->ks_in_serial, ns);
1963 1964 if (rc == KS_IN_ADDR_UNKNOWN)
1964 1965 return (B_FALSE);
1965 1966 if (rc == KS_IN_ADDR_UNSPEC) {
1966 1967 sadb_pfkey_error(pfkey_q, mp, EINVAL,
1967 1968 SADB_X_DIAGNOSTIC_BAD_DST, ksi->ks_in_serial);
1968 1969 return (B_FALSE);
1969 1970 }
1970 1971 ksi->ks_in_dsttype = rc;
1971 1972 }
1972 1973
1973 1974 /*
1974 1975 * NAT-Traversal addrs are simple enough to not require all of
1975 1976 * the checks in sadb_addrcheck(). Just normalize or reject if not
1976 1977 * AF_INET.
1977 1978 */
1978 1979 if (extv[SADB_X_EXT_ADDRESS_NATT_LOC] != NULL) {
1979 1980 rc = sadb_addrcheck(pfkey_q, mp,
1980 1981 extv[SADB_X_EXT_ADDRESS_NATT_LOC], ksi->ks_in_serial, ns);
1981 1982
1982 1983 /*
1983 1984 * Local NAT-T addresses never use an IRE_LOCAL, so it should
1984 1985 * always be NOTME, or UNSPEC (to handle both tunnel mode
1985 1986 * AND local-port flexibility).
1986 1987 */
1987 1988 if (rc != KS_IN_ADDR_NOTME && rc != KS_IN_ADDR_UNSPEC) {
1988 1989 sadb_pfkey_error(pfkey_q, mp, EINVAL,
1989 1990 SADB_X_DIAGNOSTIC_MALFORMED_NATT_LOC,
1990 1991 ksi->ks_in_serial);
1991 1992 return (B_FALSE);
1992 1993 }
1993 1994 src = (struct sockaddr_in *)
1994 1995 (((sadb_address_t *)extv[SADB_X_EXT_ADDRESS_NATT_LOC]) + 1);
1995 1996 if (src->sin_family != AF_INET) {
1996 1997 sadb_pfkey_error(pfkey_q, mp, EINVAL,
1997 1998 SADB_X_DIAGNOSTIC_BAD_NATT_LOC_AF,
1998 1999 ksi->ks_in_serial);
1999 2000 return (B_FALSE);
2000 2001 }
2001 2002 }
2002 2003
2003 2004 if (extv[SADB_X_EXT_ADDRESS_NATT_REM] != NULL) {
2004 2005 rc = sadb_addrcheck(pfkey_q, mp,
2005 2006 extv[SADB_X_EXT_ADDRESS_NATT_REM], ksi->ks_in_serial, ns);
2006 2007
2007 2008 /*
2008 2009 * Remote NAT-T addresses never use an IRE_LOCAL, so it should
2009 2010 * always be NOTME, or UNSPEC if it's a tunnel-mode SA.
2010 2011 */
2011 2012 if (rc != KS_IN_ADDR_NOTME &&
2012 2013 !(extv[SADB_X_EXT_ADDRESS_INNER_SRC] != NULL &&
2013 2014 rc == KS_IN_ADDR_UNSPEC)) {
2014 2015 sadb_pfkey_error(pfkey_q, mp, EINVAL,
2015 2016 SADB_X_DIAGNOSTIC_MALFORMED_NATT_REM,
2016 2017 ksi->ks_in_serial);
2017 2018 return (B_FALSE);
2018 2019 }
2019 2020 src = (struct sockaddr_in *)
2020 2021 (((sadb_address_t *)extv[SADB_X_EXT_ADDRESS_NATT_REM]) + 1);
2021 2022 if (src->sin_family != AF_INET) {
2022 2023 sadb_pfkey_error(pfkey_q, mp, EINVAL,
2023 2024 SADB_X_DIAGNOSTIC_BAD_NATT_REM_AF,
2024 2025 ksi->ks_in_serial);
2025 2026 return (B_FALSE);
2026 2027 }
2027 2028 }
2028 2029
2029 2030 if (extv[SADB_X_EXT_ADDRESS_INNER_SRC] != NULL) {
2030 2031 if (extv[SADB_X_EXT_ADDRESS_INNER_DST] == NULL) {
2031 2032 sadb_pfkey_error(pfkey_q, mp, EINVAL,
2032 2033 SADB_X_DIAGNOSTIC_MISSING_INNER_DST,
2033 2034 ksi->ks_in_serial);
2034 2035 return (B_FALSE);
2035 2036 }
2036 2037
2037 2038 if (sadb_addrcheck(pfkey_q, mp,
2038 2039 extv[SADB_X_EXT_ADDRESS_INNER_DST], ksi->ks_in_serial, ns)
2039 2040 == KS_IN_ADDR_UNKNOWN ||
2040 2041 sadb_addrcheck(pfkey_q, mp,
2041 2042 extv[SADB_X_EXT_ADDRESS_INNER_SRC], ksi->ks_in_serial, ns)
2042 2043 == KS_IN_ADDR_UNKNOWN)
2043 2044 return (B_FALSE);
2044 2045
2045 2046 isrc = (struct sockaddr_in *)
2046 2047 (((sadb_address_t *)extv[SADB_X_EXT_ADDRESS_INNER_SRC]) +
2047 2048 1);
2048 2049 idst = (struct sockaddr_in6 *)
2049 2050 (((sadb_address_t *)extv[SADB_X_EXT_ADDRESS_INNER_DST]) +
2050 2051 1);
2051 2052 if (isrc->sin_family != idst->sin6_family) {
2052 2053 sadb_pfkey_error(pfkey_q, mp, EINVAL,
2053 2054 SADB_X_DIAGNOSTIC_INNER_AF_MISMATCH,
2054 2055 ksi->ks_in_serial);
2055 2056 return (B_FALSE);
2056 2057 }
2057 2058 } else if (extv[SADB_X_EXT_ADDRESS_INNER_DST] != NULL) {
2058 2059 sadb_pfkey_error(pfkey_q, mp, EINVAL,
2059 2060 SADB_X_DIAGNOSTIC_MISSING_INNER_SRC,
2060 2061 ksi->ks_in_serial);
2061 2062 return (B_FALSE);
2062 2063 } else {
2063 2064 isrc = NULL; /* For inner/outer port check below. */
2064 2065 }
2065 2066
2066 2067 dstext = (sadb_address_t *)extv[SADB_EXT_ADDRESS_DST];
2067 2068 srcext = (sadb_address_t *)extv[SADB_EXT_ADDRESS_SRC];
2068 2069
2069 2070 if (dstext == NULL || srcext == NULL)
2070 2071 return (B_TRUE);
2071 2072
2072 2073 dst = (struct sockaddr_in6 *)(dstext + 1);
2073 2074 src = (struct sockaddr_in *)(srcext + 1);
2074 2075
2075 2076 if (isrc != NULL &&
2076 2077 (isrc->sin_port != 0 || idst->sin6_port != 0) &&
2077 2078 (src->sin_port != 0 || dst->sin6_port != 0)) {
2078 2079 /* Can't set inner and outer ports in one SA. */
2079 2080 sadb_pfkey_error(pfkey_q, mp, EINVAL,
2080 2081 SADB_X_DIAGNOSTIC_DUAL_PORT_SETS,
2081 2082 ksi->ks_in_serial);
2082 2083 return (B_FALSE);
2083 2084 }
2084 2085
2085 2086 if (dst->sin6_family == src->sin_family)
2086 2087 return (B_TRUE);
2087 2088
2088 2089 if (srcext->sadb_address_proto != dstext->sadb_address_proto) {
2089 2090 if (srcext->sadb_address_proto == 0) {
2090 2091 srcext->sadb_address_proto = dstext->sadb_address_proto;
2091 2092 } else if (dstext->sadb_address_proto == 0) {
2092 2093 dstext->sadb_address_proto = srcext->sadb_address_proto;
2093 2094 } else {
2094 2095 /* Inequal protocols, neither were 0. Report error. */
2095 2096 sadb_pfkey_error(pfkey_q, mp, EINVAL,
2096 2097 SADB_X_DIAGNOSTIC_PROTO_MISMATCH,
2097 2098 ksi->ks_in_serial);
2098 2099 return (B_FALSE);
2099 2100 }
2100 2101 }
2101 2102
2102 2103 /*
2103 2104 * With the exception of an unspec IPv6 source and an IPv4
2104 2105 * destination, address families MUST me matched.
2105 2106 */
2106 2107 if (src->sin_family == AF_INET ||
2107 2108 ksi->ks_in_srctype != KS_IN_ADDR_UNSPEC) {
2108 2109 sadb_pfkey_error(pfkey_q, mp, EINVAL,
2109 2110 SADB_X_DIAGNOSTIC_AF_MISMATCH, ksi->ks_in_serial);
2110 2111 return (B_FALSE);
2111 2112 }
2112 2113
2113 2114 /*
2114 2115 * Convert "src" to AF_INET INADDR_ANY. We rely on sin_port being
2115 2116 * in the same place for sockaddr_in and sockaddr_in6.
2116 2117 */
2117 2118 sport = src->sin_port;
2118 2119 bzero(src, sizeof (*src));
2119 2120 src->sin_family = AF_INET;
2120 2121 src->sin_port = sport;
2121 2122
2122 2123 return (B_TRUE);
2123 2124 }
2124 2125
2125 2126 /*
2126 2127 * Set the results in "addrtype", given an IRE as requested by
2127 2128 * sadb_addrcheck().
2128 2129 */
2129 2130 int
2130 2131 sadb_addrset(ire_t *ire)
2131 2132 {
2132 2133 if ((ire->ire_type & IRE_BROADCAST) ||
2133 2134 (ire->ire_ipversion == IPV4_VERSION && CLASSD(ire->ire_addr)) ||
2134 2135 (ire->ire_ipversion == IPV6_VERSION &&
2135 2136 IN6_IS_ADDR_MULTICAST(&(ire->ire_addr_v6))))
2136 2137 return (KS_IN_ADDR_MBCAST);
2137 2138 if (ire->ire_type & (IRE_LOCAL | IRE_LOOPBACK))
2138 2139 return (KS_IN_ADDR_ME);
2139 2140 return (KS_IN_ADDR_NOTME);
2140 2141 }
2141 2142
2142 2143 /*
2143 2144 * Match primitives..
2144 2145 * !!! TODO: short term: inner selectors
2145 2146 * ipv6 scope id (ifindex)
2146 2147 * longer term: zone id. sensitivity label. uid.
2147 2148 */
2148 2149 boolean_t
2149 2150 sadb_match_spi(ipsa_query_t *sq, ipsa_t *sa)
2150 2151 {
2151 2152 return (sq->spi == sa->ipsa_spi);
2152 2153 }
2153 2154
2154 2155 boolean_t
2155 2156 sadb_match_dst_v6(ipsa_query_t *sq, ipsa_t *sa)
2156 2157 {
2157 2158 return (IPSA_ARE_ADDR_EQUAL(sa->ipsa_dstaddr, sq->dstaddr, AF_INET6));
2158 2159 }
2159 2160
2160 2161 boolean_t
2161 2162 sadb_match_src_v6(ipsa_query_t *sq, ipsa_t *sa)
2162 2163 {
2163 2164 return (IPSA_ARE_ADDR_EQUAL(sa->ipsa_srcaddr, sq->srcaddr, AF_INET6));
2164 2165 }
2165 2166
2166 2167 boolean_t
2167 2168 sadb_match_dst_v4(ipsa_query_t *sq, ipsa_t *sa)
2168 2169 {
2169 2170 return (sq->dstaddr[0] == sa->ipsa_dstaddr[0]);
2170 2171 }
2171 2172
2172 2173 boolean_t
2173 2174 sadb_match_src_v4(ipsa_query_t *sq, ipsa_t *sa)
2174 2175 {
2175 2176 return (sq->srcaddr[0] == sa->ipsa_srcaddr[0]);
2176 2177 }
2177 2178
2178 2179 boolean_t
2179 2180 sadb_match_dstid(ipsa_query_t *sq, ipsa_t *sa)
2180 2181 {
2181 2182 return ((sa->ipsa_dst_cid != NULL) &&
2182 2183 (sq->didtype == sa->ipsa_dst_cid->ipsid_type) &&
2183 2184 (strcmp(sq->didstr, sa->ipsa_dst_cid->ipsid_cid) == 0));
2184 2185
2185 2186 }
2186 2187 boolean_t
2187 2188 sadb_match_srcid(ipsa_query_t *sq, ipsa_t *sa)
2188 2189 {
2189 2190 return ((sa->ipsa_src_cid != NULL) &&
2190 2191 (sq->sidtype == sa->ipsa_src_cid->ipsid_type) &&
2191 2192 (strcmp(sq->sidstr, sa->ipsa_src_cid->ipsid_cid) == 0));
2192 2193 }
2193 2194
2194 2195 boolean_t
2195 2196 sadb_match_kmc(ipsa_query_t *sq, ipsa_t *sa)
2196 2197 {
2197 2198 #define M(a, b) (((a) == 0) || ((b) == 0) || ((a) == (b)))
2198 2199
2199 2200 return (M(sq->kmc, sa->ipsa_kmc) && M(sq->kmp, sa->ipsa_kmp));
2200 2201
2201 2202 #undef M
2202 2203 }
2203 2204
2204 2205 /*
2205 2206 * Common function which extracts several PF_KEY extensions for ease of
2206 2207 * SADB matching.
2207 2208 *
2208 2209 * XXX TODO: weed out ipsa_query_t fields not used during matching
2209 2210 * or afterwards?
2210 2211 */
2211 2212 int
2212 2213 sadb_form_query(keysock_in_t *ksi, uint32_t req, uint32_t match,
2213 2214 ipsa_query_t *sq, int *diagnostic)
2214 2215 {
2215 2216 int i;
2216 2217 ipsa_match_fn_t *mfpp = &(sq->matchers[0]);
2217 2218
2218 2219 for (i = 0; i < IPSA_NMATCH; i++)
2219 2220 sq->matchers[i] = NULL;
2220 2221
2221 2222 ASSERT((req & ~match) == 0);
2222 2223
2223 2224 sq->req = req;
2224 2225 sq->dstext = (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_DST];
2225 2226 sq->srcext = (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_SRC];
2226 2227 sq->assoc = (sadb_sa_t *)ksi->ks_in_extv[SADB_EXT_SA];
2227 2228
2228 2229 if ((req & IPSA_Q_DST) && (sq->dstext == NULL)) {
2229 2230 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_DST;
2230 2231 return (EINVAL);
2231 2232 }
2232 2233 if ((req & IPSA_Q_SRC) && (sq->srcext == NULL)) {
2233 2234 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_SRC;
2234 2235 return (EINVAL);
2235 2236 }
2236 2237 if ((req & IPSA_Q_SA) && (sq->assoc == NULL)) {
2237 2238 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_SA;
2238 2239 return (EINVAL);
2239 2240 }
2240 2241
2241 2242 if (match & IPSA_Q_SA) {
2242 2243 *mfpp++ = sadb_match_spi;
2243 2244 sq->spi = sq->assoc->sadb_sa_spi;
2244 2245 }
2245 2246
2246 2247 if (sq->dstext != NULL)
2247 2248 sq->dst = (struct sockaddr_in *)(sq->dstext + 1);
2248 2249 else {
2249 2250 sq->dst = NULL;
2250 2251 sq->dst6 = NULL;
2251 2252 sq->dstaddr = NULL;
2252 2253 }
2253 2254
2254 2255 if (sq->srcext != NULL)
2255 2256 sq->src = (struct sockaddr_in *)(sq->srcext + 1);
2256 2257 else {
2257 2258 sq->src = NULL;
2258 2259 sq->src6 = NULL;
2259 2260 sq->srcaddr = NULL;
2260 2261 }
2261 2262
2262 2263 if (sq->dst != NULL)
2263 2264 sq->af = sq->dst->sin_family;
2264 2265 else if (sq->src != NULL)
2265 2266 sq->af = sq->src->sin_family;
2266 2267 else
2267 2268 sq->af = AF_INET;
2268 2269
2269 2270 if (sq->af == AF_INET6) {
2270 2271 if ((match & IPSA_Q_DST) && (sq->dstext != NULL)) {
2271 2272 *mfpp++ = sadb_match_dst_v6;
2272 2273 sq->dst6 = (struct sockaddr_in6 *)sq->dst;
2273 2274 sq->dstaddr = (uint32_t *)&(sq->dst6->sin6_addr);
2274 2275 } else {
2275 2276 match &= ~IPSA_Q_DST;
2276 2277 sq->dstaddr = ALL_ZEROES_PTR;
2277 2278 }
2278 2279
2279 2280 if ((match & IPSA_Q_SRC) && (sq->srcext != NULL)) {
2280 2281 sq->src6 = (struct sockaddr_in6 *)(sq->srcext + 1);
2281 2282 sq->srcaddr = (uint32_t *)&sq->src6->sin6_addr;
2282 2283 if (sq->src6->sin6_family != AF_INET6) {
2283 2284 *diagnostic = SADB_X_DIAGNOSTIC_AF_MISMATCH;
2284 2285 return (EINVAL);
2285 2286 }
2286 2287 *mfpp++ = sadb_match_src_v6;
2287 2288 } else {
2288 2289 match &= ~IPSA_Q_SRC;
2289 2290 sq->srcaddr = ALL_ZEROES_PTR;
2290 2291 }
2291 2292 } else {
2292 2293 sq->src6 = sq->dst6 = NULL;
2293 2294 if ((match & IPSA_Q_DST) && (sq->dstext != NULL)) {
2294 2295 *mfpp++ = sadb_match_dst_v4;
2295 2296 sq->dstaddr = (uint32_t *)&sq->dst->sin_addr;
2296 2297 } else {
2297 2298 match &= ~IPSA_Q_DST;
2298 2299 sq->dstaddr = ALL_ZEROES_PTR;
2299 2300 }
2300 2301 if ((match & IPSA_Q_SRC) && (sq->srcext != NULL)) {
2301 2302 sq->srcaddr = (uint32_t *)&sq->src->sin_addr;
2302 2303 if (sq->src->sin_family != AF_INET) {
2303 2304 *diagnostic = SADB_X_DIAGNOSTIC_AF_MISMATCH;
2304 2305 return (EINVAL);
2305 2306 }
2306 2307 *mfpp++ = sadb_match_src_v4;
2307 2308 } else {
2308 2309 match &= ~IPSA_Q_SRC;
2309 2310 sq->srcaddr = ALL_ZEROES_PTR;
2310 2311 }
2311 2312 }
2312 2313
2313 2314 sq->dstid = (sadb_ident_t *)ksi->ks_in_extv[SADB_EXT_IDENTITY_DST];
2314 2315 if ((match & IPSA_Q_DSTID) && (sq->dstid != NULL)) {
2315 2316 sq->didstr = (char *)(sq->dstid + 1);
2316 2317 sq->didtype = sq->dstid->sadb_ident_type;
2317 2318 *mfpp++ = sadb_match_dstid;
2318 2319 }
2319 2320
2320 2321 sq->srcid = (sadb_ident_t *)ksi->ks_in_extv[SADB_EXT_IDENTITY_SRC];
2321 2322
2322 2323 if ((match & IPSA_Q_SRCID) && (sq->srcid != NULL)) {
2323 2324 sq->sidstr = (char *)(sq->srcid + 1);
2324 2325 sq->sidtype = sq->srcid->sadb_ident_type;
2325 2326 *mfpp++ = sadb_match_srcid;
2326 2327 }
2327 2328
2328 2329 sq->kmcext = (sadb_x_kmc_t *)ksi->ks_in_extv[SADB_X_EXT_KM_COOKIE];
2329 2330 sq->kmc = 0;
2330 2331 sq->kmp = 0;
2331 2332
2332 2333 if ((match & IPSA_Q_KMC) && (sq->kmcext)) {
2333 2334 sq->kmc = sq->kmcext->sadb_x_kmc_cookie;
2334 2335 sq->kmp = sq->kmcext->sadb_x_kmc_proto;
2335 2336 *mfpp++ = sadb_match_kmc;
2336 2337 }
2337 2338
2338 2339 if (match & (IPSA_Q_INBOUND|IPSA_Q_OUTBOUND)) {
2339 2340 if (sq->af == AF_INET6)
2340 2341 sq->sp = &sq->spp->s_v6;
2341 2342 else
2342 2343 sq->sp = &sq->spp->s_v4;
2343 2344 } else {
2344 2345 sq->sp = NULL;
2345 2346 }
2346 2347
2347 2348 if (match & IPSA_Q_INBOUND) {
2348 2349 sq->inhash = INBOUND_HASH(sq->sp, sq->assoc->sadb_sa_spi);
2349 2350 sq->inbound = &sq->sp->sdb_if[sq->inhash];
2350 2351 } else {
2351 2352 sq->inhash = 0;
2352 2353 sq->inbound = NULL;
2353 2354 }
2354 2355
2355 2356 if (match & IPSA_Q_OUTBOUND) {
2356 2357 if (sq->af == AF_INET6) {
2357 2358 sq->outhash = OUTBOUND_HASH_V6(sq->sp, *(sq->dstaddr));
2358 2359 } else {
2359 2360 sq->outhash = OUTBOUND_HASH_V4(sq->sp, *(sq->dstaddr));
2360 2361 }
2361 2362 sq->outbound = &sq->sp->sdb_of[sq->outhash];
2362 2363 } else {
2363 2364 sq->outhash = 0;
2364 2365 sq->outbound = NULL;
2365 2366 }
2366 2367 sq->match = match;
2367 2368 return (0);
2368 2369 }
2369 2370
2370 2371 /*
2371 2372 * Match an initialized query structure with a security association;
2372 2373 * return B_TRUE on a match, B_FALSE on a miss.
2373 2374 * Applies match functions set up by sadb_form_query() until one returns false.
2374 2375 */
2375 2376 boolean_t
2376 2377 sadb_match_query(ipsa_query_t *sq, ipsa_t *sa)
2377 2378 {
2378 2379 ipsa_match_fn_t *mfpp = &(sq->matchers[0]);
2379 2380 ipsa_match_fn_t mfp;
2380 2381
2381 2382 for (mfp = *mfpp++; mfp != NULL; mfp = *mfpp++) {
2382 2383 if (!mfp(sq, sa))
2383 2384 return (B_FALSE);
2384 2385 }
2385 2386 return (B_TRUE);
2386 2387 }
2387 2388
2388 2389 /*
2389 2390 * Walker callback function to delete sa's based on src/dst address.
2390 2391 * Assumes that we're called with *head locked, no other locks held;
2391 2392 * Conveniently, and not coincidentally, this is both what sadb_walker
2392 2393 * gives us and also what sadb_unlinkassoc expects.
2393 2394 */
2394 2395 struct sadb_purge_state
2395 2396 {
2396 2397 ipsa_query_t sq;
2397 2398 boolean_t inbnd;
2398 2399 uint8_t sadb_sa_state;
2399 2400 };
2400 2401
2401 2402 static void
2402 2403 sadb_purge_cb(isaf_t *head, ipsa_t *entry, void *cookie)
2403 2404 {
2404 2405 struct sadb_purge_state *ps = (struct sadb_purge_state *)cookie;
2405 2406
2406 2407 ASSERT(MUTEX_HELD(&head->isaf_lock));
2407 2408
2408 2409 mutex_enter(&entry->ipsa_lock);
2409 2410
2410 2411 if (entry->ipsa_state == IPSA_STATE_LARVAL ||
2411 2412 !sadb_match_query(&ps->sq, entry)) {
2412 2413 mutex_exit(&entry->ipsa_lock);
2413 2414 return;
2414 2415 }
2415 2416
2416 2417 if (ps->inbnd) {
2417 2418 sadb_delete_cluster(entry);
2418 2419 }
2419 2420 entry->ipsa_state = IPSA_STATE_DEAD;
2420 2421 (void) sadb_torch_assoc(head, entry);
2421 2422 }
2422 2423
2423 2424 /*
2424 2425 * Common code to purge an SA with a matching src or dst address.
2425 2426 * Don't kill larval SA's in such a purge.
2426 2427 */
2427 2428 int
2428 2429 sadb_purge_sa(mblk_t *mp, keysock_in_t *ksi, sadb_t *sp,
2429 2430 int *diagnostic, queue_t *pfkey_q)
2430 2431 {
2431 2432 struct sadb_purge_state ps;
2432 2433 int error = sadb_form_query(ksi, 0,
2433 2434 IPSA_Q_SRC|IPSA_Q_DST|IPSA_Q_SRCID|IPSA_Q_DSTID|IPSA_Q_KMC,
2434 2435 &ps.sq, diagnostic);
2435 2436
2436 2437 if (error != 0)
2437 2438 return (error);
2438 2439
2439 2440 /*
2440 2441 * This is simple, crude, and effective.
2441 2442 * Unimplemented optimizations (TBD):
2442 2443 * - we can limit how many places we search based on where we
2443 2444 * think the SA is filed.
2444 2445 * - if we get a dst address, we can hash based on dst addr to find
2445 2446 * the correct bucket in the outbound table.
2446 2447 */
2447 2448 ps.inbnd = B_TRUE;
2448 2449 sadb_walker(sp->sdb_if, sp->sdb_hashsize, sadb_purge_cb, &ps);
2449 2450 ps.inbnd = B_FALSE;
2450 2451 sadb_walker(sp->sdb_of, sp->sdb_hashsize, sadb_purge_cb, &ps);
2451 2452
2452 2453 ASSERT(mp->b_cont != NULL);
2453 2454 sadb_pfkey_echo(pfkey_q, mp, (sadb_msg_t *)mp->b_cont->b_rptr, ksi,
2454 2455 NULL);
2455 2456 return (0);
2456 2457 }
2457 2458
2458 2459 static void
2459 2460 sadb_delpair_state_one(isaf_t *head, ipsa_t *entry, void *cookie)
2460 2461 {
2461 2462 struct sadb_purge_state *ps = (struct sadb_purge_state *)cookie;
2462 2463 isaf_t *inbound_bucket;
2463 2464 ipsa_t *peer_assoc;
2464 2465 ipsa_query_t *sq = &ps->sq;
2465 2466
2466 2467 ASSERT(MUTEX_HELD(&head->isaf_lock));
2467 2468
2468 2469 mutex_enter(&entry->ipsa_lock);
2469 2470
2470 2471 if ((entry->ipsa_state != ps->sadb_sa_state) ||
2471 2472 ((sq->srcaddr != NULL) &&
2472 2473 !IPSA_ARE_ADDR_EQUAL(entry->ipsa_srcaddr, sq->srcaddr, sq->af))) {
2473 2474 mutex_exit(&entry->ipsa_lock);
2474 2475 return;
2475 2476 }
2476 2477
2477 2478 /*
2478 2479 * The isaf_t *, which is passed in , is always an outbound bucket,
2479 2480 * and we are preserving the outbound-then-inbound hash-bucket lock
2480 2481 * ordering. The sadb_walker() which triggers this function is called
2481 2482 * only on the outbound fanout, and the corresponding inbound bucket
2482 2483 * lock is safe to acquire here.
2483 2484 */
2484 2485
2485 2486 if (entry->ipsa_haspeer) {
2486 2487 inbound_bucket = INBOUND_BUCKET(sq->sp, entry->ipsa_spi);
2487 2488 mutex_enter(&inbound_bucket->isaf_lock);
2488 2489 peer_assoc = ipsec_getassocbyspi(inbound_bucket,
2489 2490 entry->ipsa_spi, entry->ipsa_srcaddr,
2490 2491 entry->ipsa_dstaddr, entry->ipsa_addrfam);
2491 2492 } else {
2492 2493 inbound_bucket = INBOUND_BUCKET(sq->sp, entry->ipsa_otherspi);
2493 2494 mutex_enter(&inbound_bucket->isaf_lock);
2494 2495 peer_assoc = ipsec_getassocbyspi(inbound_bucket,
2495 2496 entry->ipsa_otherspi, entry->ipsa_dstaddr,
2496 2497 entry->ipsa_srcaddr, entry->ipsa_addrfam);
2497 2498 }
2498 2499
2499 2500 entry->ipsa_state = IPSA_STATE_DEAD;
2500 2501 (void) sadb_torch_assoc(head, entry);
2501 2502 if (peer_assoc != NULL) {
2502 2503 mutex_enter(&peer_assoc->ipsa_lock);
2503 2504 peer_assoc->ipsa_state = IPSA_STATE_DEAD;
2504 2505 (void) sadb_torch_assoc(inbound_bucket, peer_assoc);
2505 2506 }
2506 2507 mutex_exit(&inbound_bucket->isaf_lock);
2507 2508 }
2508 2509
2509 2510 static int
2510 2511 sadb_delpair_state(mblk_t *mp, keysock_in_t *ksi, sadbp_t *spp,
2511 2512 int *diagnostic, queue_t *pfkey_q)
2512 2513 {
2513 2514 sadb_sa_t *assoc = (sadb_sa_t *)ksi->ks_in_extv[SADB_EXT_SA];
2514 2515 struct sadb_purge_state ps;
2515 2516 int error;
2516 2517
2517 2518 ps.sq.spp = spp; /* XXX param */
2518 2519
2519 2520 error = sadb_form_query(ksi, IPSA_Q_DST|IPSA_Q_SRC,
2520 2521 IPSA_Q_SRC|IPSA_Q_DST|IPSA_Q_SRCID|IPSA_Q_DSTID|IPSA_Q_KMC,
2521 2522 &ps.sq, diagnostic);
2522 2523 if (error != 0)
2523 2524 return (error);
2524 2525
2525 2526 ps.inbnd = B_FALSE;
2526 2527 ps.sadb_sa_state = assoc->sadb_sa_state;
2527 2528 sadb_walker(ps.sq.sp->sdb_of, ps.sq.sp->sdb_hashsize,
2528 2529 sadb_delpair_state_one, &ps);
2529 2530
2530 2531 ASSERT(mp->b_cont != NULL);
2531 2532 sadb_pfkey_echo(pfkey_q, mp, (sadb_msg_t *)mp->b_cont->b_rptr,
2532 2533 ksi, NULL);
2533 2534 return (0);
2534 2535 }
2535 2536
2536 2537 /*
2537 2538 * Common code to delete/get an SA.
2538 2539 */
2539 2540 int
2540 2541 sadb_delget_sa(mblk_t *mp, keysock_in_t *ksi, sadbp_t *spp,
2541 2542 int *diagnostic, queue_t *pfkey_q, uint8_t sadb_msg_type)
2542 2543 {
2543 2544 ipsa_query_t sq;
2544 2545 ipsa_t *echo_target = NULL;
2545 2546 ipsap_t ipsapp;
2546 2547 uint_t error = 0;
2547 2548
2548 2549 if (sadb_msg_type == SADB_X_DELPAIR_STATE)
2549 2550 return (sadb_delpair_state(mp, ksi, spp, diagnostic, pfkey_q));
2550 2551
2551 2552 sq.spp = spp; /* XXX param */
2552 2553 error = sadb_form_query(ksi, IPSA_Q_DST|IPSA_Q_SA,
2553 2554 IPSA_Q_SRC|IPSA_Q_DST|IPSA_Q_SA|IPSA_Q_INBOUND|IPSA_Q_OUTBOUND,
2554 2555 &sq, diagnostic);
2555 2556 if (error != 0)
2556 2557 return (error);
2557 2558
2558 2559 error = get_ipsa_pair(&sq, &ipsapp, diagnostic);
2559 2560 if (error != 0) {
2560 2561 return (error);
2561 2562 }
2562 2563
2563 2564 echo_target = ipsapp.ipsap_sa_ptr;
2564 2565 if (echo_target == NULL)
2565 2566 echo_target = ipsapp.ipsap_psa_ptr;
2566 2567
2567 2568 if (sadb_msg_type == SADB_DELETE || sadb_msg_type == SADB_X_DELPAIR) {
2568 2569 /*
2569 2570 * Bucket locks will be required if SA is actually unlinked.
2570 2571 * get_ipsa_pair() returns valid hash bucket pointers even
2571 2572 * if it can't find a pair SA pointer. To prevent a potential
2572 2573 * deadlock, always lock the outbound bucket before the inbound.
2573 2574 */
2574 2575 if (ipsapp.in_inbound_table) {
2575 2576 mutex_enter(&ipsapp.ipsap_pbucket->isaf_lock);
2576 2577 mutex_enter(&ipsapp.ipsap_bucket->isaf_lock);
2577 2578 } else {
2578 2579 mutex_enter(&ipsapp.ipsap_bucket->isaf_lock);
2579 2580 mutex_enter(&ipsapp.ipsap_pbucket->isaf_lock);
2580 2581 }
2581 2582
2582 2583 if (ipsapp.ipsap_sa_ptr != NULL) {
2583 2584 mutex_enter(&ipsapp.ipsap_sa_ptr->ipsa_lock);
2584 2585 if (ipsapp.ipsap_sa_ptr->ipsa_flags & IPSA_F_INBOUND) {
2585 2586 sadb_delete_cluster(ipsapp.ipsap_sa_ptr);
2586 2587 }
2587 2588 ipsapp.ipsap_sa_ptr->ipsa_state = IPSA_STATE_DEAD;
2588 2589 (void) sadb_torch_assoc(ipsapp.ipsap_bucket,
2589 2590 ipsapp.ipsap_sa_ptr);
2590 2591 /*
2591 2592 * sadb_torch_assoc() releases the ipsa_lock
2592 2593 * and calls sadb_unlinkassoc() which does a
2593 2594 * IPSA_REFRELE.
2594 2595 */
2595 2596 }
2596 2597 if (ipsapp.ipsap_psa_ptr != NULL) {
2597 2598 mutex_enter(&ipsapp.ipsap_psa_ptr->ipsa_lock);
2598 2599 if (sadb_msg_type == SADB_X_DELPAIR ||
2599 2600 ipsapp.ipsap_psa_ptr->ipsa_haspeer) {
2600 2601 if (ipsapp.ipsap_psa_ptr->ipsa_flags &
2601 2602 IPSA_F_INBOUND) {
2602 2603 sadb_delete_cluster
2603 2604 (ipsapp.ipsap_psa_ptr);
2604 2605 }
2605 2606 ipsapp.ipsap_psa_ptr->ipsa_state =
2606 2607 IPSA_STATE_DEAD;
2607 2608 (void) sadb_torch_assoc(ipsapp.ipsap_pbucket,
2608 2609 ipsapp.ipsap_psa_ptr);
2609 2610 } else {
2610 2611 /*
2611 2612 * Only half of the "pair" has been deleted.
2612 2613 * Update the remaining SA and remove references
2613 2614 * to its pair SA, which is now gone.
2614 2615 */
2615 2616 ipsapp.ipsap_psa_ptr->ipsa_otherspi = 0;
2616 2617 ipsapp.ipsap_psa_ptr->ipsa_flags &=
2617 2618 ~IPSA_F_PAIRED;
2618 2619 mutex_exit(&ipsapp.ipsap_psa_ptr->ipsa_lock);
2619 2620 }
2620 2621 } else if (sadb_msg_type == SADB_X_DELPAIR) {
2621 2622 *diagnostic = SADB_X_DIAGNOSTIC_PAIR_SA_NOTFOUND;
2622 2623 error = ESRCH;
2623 2624 }
2624 2625 mutex_exit(&ipsapp.ipsap_bucket->isaf_lock);
2625 2626 mutex_exit(&ipsapp.ipsap_pbucket->isaf_lock);
2626 2627 }
2627 2628
2628 2629 ASSERT(mp->b_cont != NULL);
2629 2630
2630 2631 if (error == 0)
2631 2632 sadb_pfkey_echo(pfkey_q, mp, (sadb_msg_t *)
2632 2633 mp->b_cont->b_rptr, ksi, echo_target);
2633 2634
2634 2635 destroy_ipsa_pair(&ipsapp);
2635 2636
2636 2637 return (error);
2637 2638 }
2638 2639
2639 2640 /*
2640 2641 * This function takes a sadb_sa_t and finds the ipsa_t structure
2641 2642 * and the isaf_t (hash bucket) that its stored under. If the security
2642 2643 * association has a peer, the ipsa_t structure and bucket for that security
2643 2644 * association are also searched for. The "pair" of ipsa_t's and isaf_t's
2644 2645 * are returned as a ipsap_t.
2645 2646 *
2646 2647 * The hash buckets are returned for convenience, if the calling function
2647 2648 * needs to use the hash bucket locks, say to remove the SA's, it should
2648 2649 * take care to observe the convention of locking outbound bucket then
2649 2650 * inbound bucket. The flag in_inbound_table provides direction.
2650 2651 *
2651 2652 * Note that a "pair" is defined as one (but not both) of the following:
2652 2653 *
2653 2654 * A security association which has a soft reference to another security
2654 2655 * association via its SPI.
2655 2656 *
2656 2657 * A security association that is not obviously "inbound" or "outbound" so
2657 2658 * it appears in both hash tables, the "peer" being the same security
2658 2659 * association in the other hash table.
2659 2660 *
2660 2661 * This function will return NULL if the ipsa_t can't be found in the
2661 2662 * inbound or outbound hash tables (not found). If only one ipsa_t is
2662 2663 * found, the pair ipsa_t will be NULL. Both isaf_t values are valid
2663 2664 * provided at least one ipsa_t is found.
2664 2665 */
2665 2666 static int
2666 2667 get_ipsa_pair(ipsa_query_t *sq, ipsap_t *ipsapp, int *diagnostic)
2667 2668 {
2668 2669 uint32_t pair_srcaddr[IPSA_MAX_ADDRLEN];
2669 2670 uint32_t pair_dstaddr[IPSA_MAX_ADDRLEN];
2670 2671 uint32_t pair_spi;
2671 2672
2672 2673 init_ipsa_pair(ipsapp);
2673 2674
2674 2675 ipsapp->in_inbound_table = B_FALSE;
2675 2676
2676 2677 /* Lock down both buckets. */
2677 2678 mutex_enter(&sq->outbound->isaf_lock);
2678 2679 mutex_enter(&sq->inbound->isaf_lock);
2679 2680
2680 2681 if (sq->assoc->sadb_sa_flags & IPSA_F_INBOUND) {
2681 2682 ipsapp->ipsap_sa_ptr = ipsec_getassocbyspi(sq->inbound,
2682 2683 sq->assoc->sadb_sa_spi, sq->srcaddr, sq->dstaddr, sq->af);
2683 2684 if (ipsapp->ipsap_sa_ptr != NULL) {
2684 2685 ipsapp->ipsap_bucket = sq->inbound;
2685 2686 ipsapp->ipsap_pbucket = sq->outbound;
2686 2687 ipsapp->in_inbound_table = B_TRUE;
2687 2688 } else {
2688 2689 ipsapp->ipsap_sa_ptr = ipsec_getassocbyspi(sq->outbound,
2689 2690 sq->assoc->sadb_sa_spi, sq->srcaddr, sq->dstaddr,
2690 2691 sq->af);
2691 2692 ipsapp->ipsap_bucket = sq->outbound;
2692 2693 ipsapp->ipsap_pbucket = sq->inbound;
2693 2694 }
2694 2695 } else {
2695 2696 /* IPSA_F_OUTBOUND is set *or* no directions flags set. */
2696 2697 ipsapp->ipsap_sa_ptr =
2697 2698 ipsec_getassocbyspi(sq->outbound,
2698 2699 sq->assoc->sadb_sa_spi, sq->srcaddr, sq->dstaddr, sq->af);
2699 2700 if (ipsapp->ipsap_sa_ptr != NULL) {
2700 2701 ipsapp->ipsap_bucket = sq->outbound;
2701 2702 ipsapp->ipsap_pbucket = sq->inbound;
2702 2703 } else {
2703 2704 ipsapp->ipsap_sa_ptr = ipsec_getassocbyspi(sq->inbound,
2704 2705 sq->assoc->sadb_sa_spi, sq->srcaddr, sq->dstaddr,
2705 2706 sq->af);
2706 2707 ipsapp->ipsap_bucket = sq->inbound;
2707 2708 ipsapp->ipsap_pbucket = sq->outbound;
2708 2709 if (ipsapp->ipsap_sa_ptr != NULL)
2709 2710 ipsapp->in_inbound_table = B_TRUE;
2710 2711 }
2711 2712 }
2712 2713
2713 2714 if (ipsapp->ipsap_sa_ptr == NULL) {
2714 2715 mutex_exit(&sq->outbound->isaf_lock);
2715 2716 mutex_exit(&sq->inbound->isaf_lock);
2716 2717 *diagnostic = SADB_X_DIAGNOSTIC_SA_NOTFOUND;
2717 2718 return (ESRCH);
2718 2719 }
2719 2720
2720 2721 if ((ipsapp->ipsap_sa_ptr->ipsa_state == IPSA_STATE_LARVAL) &&
2721 2722 ipsapp->in_inbound_table) {
2722 2723 mutex_exit(&sq->outbound->isaf_lock);
2723 2724 mutex_exit(&sq->inbound->isaf_lock);
2724 2725 return (0);
2725 2726 }
2726 2727
2727 2728 mutex_enter(&ipsapp->ipsap_sa_ptr->ipsa_lock);
2728 2729 if (ipsapp->ipsap_sa_ptr->ipsa_haspeer) {
2729 2730 /*
2730 2731 * haspeer implies no sa_pairing, look for same spi
2731 2732 * in other hashtable.
2732 2733 */
2733 2734 ipsapp->ipsap_psa_ptr =
2734 2735 ipsec_getassocbyspi(ipsapp->ipsap_pbucket,
2735 2736 sq->assoc->sadb_sa_spi, sq->srcaddr, sq->dstaddr, sq->af);
2736 2737 mutex_exit(&ipsapp->ipsap_sa_ptr->ipsa_lock);
2737 2738 mutex_exit(&sq->outbound->isaf_lock);
2738 2739 mutex_exit(&sq->inbound->isaf_lock);
2739 2740 return (0);
2740 2741 }
2741 2742 pair_spi = ipsapp->ipsap_sa_ptr->ipsa_otherspi;
2742 2743 IPSA_COPY_ADDR(&pair_srcaddr,
2743 2744 ipsapp->ipsap_sa_ptr->ipsa_srcaddr, sq->af);
2744 2745 IPSA_COPY_ADDR(&pair_dstaddr,
2745 2746 ipsapp->ipsap_sa_ptr->ipsa_dstaddr, sq->af);
2746 2747 mutex_exit(&ipsapp->ipsap_sa_ptr->ipsa_lock);
2747 2748 mutex_exit(&sq->inbound->isaf_lock);
2748 2749 mutex_exit(&sq->outbound->isaf_lock);
2749 2750
2750 2751 if (pair_spi == 0) {
2751 2752 ASSERT(ipsapp->ipsap_bucket != NULL);
2752 2753 ASSERT(ipsapp->ipsap_pbucket != NULL);
2753 2754 return (0);
2754 2755 }
2755 2756
2756 2757 /* found sa in outbound sadb, peer should be inbound */
2757 2758
2758 2759 if (ipsapp->in_inbound_table) {
2759 2760 /* Found SA in inbound table, pair will be in outbound. */
2760 2761 if (sq->af == AF_INET6) {
2761 2762 ipsapp->ipsap_pbucket = OUTBOUND_BUCKET_V6(sq->sp,
2762 2763 *(uint32_t *)pair_srcaddr);
2763 2764 } else {
2764 2765 ipsapp->ipsap_pbucket = OUTBOUND_BUCKET_V4(sq->sp,
2765 2766 *(uint32_t *)pair_srcaddr);
2766 2767 }
2767 2768 } else {
2768 2769 ipsapp->ipsap_pbucket = INBOUND_BUCKET(sq->sp, pair_spi);
2769 2770 }
2770 2771 mutex_enter(&ipsapp->ipsap_pbucket->isaf_lock);
2771 2772 ipsapp->ipsap_psa_ptr = ipsec_getassocbyspi(ipsapp->ipsap_pbucket,
2772 2773 pair_spi, pair_dstaddr, pair_srcaddr, sq->af);
2773 2774 mutex_exit(&ipsapp->ipsap_pbucket->isaf_lock);
2774 2775 ASSERT(ipsapp->ipsap_bucket != NULL);
2775 2776 ASSERT(ipsapp->ipsap_pbucket != NULL);
2776 2777 return (0);
2777 2778 }
2778 2779
2779 2780 /*
2780 2781 * Perform NAT-traversal cached checksum offset calculations here.
2781 2782 */
2782 2783 static void
2783 2784 sadb_nat_calculations(ipsa_t *newbie, sadb_address_t *natt_loc_ext,
2784 2785 sadb_address_t *natt_rem_ext, uint32_t *src_addr_ptr,
2785 2786 uint32_t *dst_addr_ptr)
2786 2787 {
2787 2788 struct sockaddr_in *natt_loc, *natt_rem;
2788 2789 uint32_t *natt_loc_ptr = NULL, *natt_rem_ptr = NULL;
2789 2790 uint32_t running_sum = 0;
2790 2791
2791 2792 #define DOWN_SUM(x) (x) = ((x) & 0xFFFF) + ((x) >> 16)
2792 2793
2793 2794 if (natt_rem_ext != NULL) {
2794 2795 uint32_t l_src;
2795 2796 uint32_t l_rem;
2796 2797
2797 2798 natt_rem = (struct sockaddr_in *)(natt_rem_ext + 1);
2798 2799
2799 2800 /* Ensured by sadb_addrfix(). */
2800 2801 ASSERT(natt_rem->sin_family == AF_INET);
2801 2802
2802 2803 natt_rem_ptr = (uint32_t *)(&natt_rem->sin_addr);
2803 2804 newbie->ipsa_remote_nat_port = natt_rem->sin_port;
2804 2805 l_src = *src_addr_ptr;
2805 2806 l_rem = *natt_rem_ptr;
2806 2807
2807 2808 /* Instead of IPSA_COPY_ADDR(), just copy first 32 bits. */
2808 2809 newbie->ipsa_natt_addr_rem = *natt_rem_ptr;
2809 2810
2810 2811 l_src = ntohl(l_src);
2811 2812 DOWN_SUM(l_src);
2812 2813 DOWN_SUM(l_src);
2813 2814 l_rem = ntohl(l_rem);
2814 2815 DOWN_SUM(l_rem);
2815 2816 DOWN_SUM(l_rem);
2816 2817
2817 2818 /*
2818 2819 * We're 1's complement for checksums, so check for wraparound
2819 2820 * here.
2820 2821 */
2821 2822 if (l_rem > l_src)
2822 2823 l_src--;
2823 2824
2824 2825 running_sum += l_src - l_rem;
2825 2826
2826 2827 DOWN_SUM(running_sum);
2827 2828 DOWN_SUM(running_sum);
2828 2829 }
2829 2830
2830 2831 if (natt_loc_ext != NULL) {
2831 2832 natt_loc = (struct sockaddr_in *)(natt_loc_ext + 1);
2832 2833
2833 2834 /* Ensured by sadb_addrfix(). */
2834 2835 ASSERT(natt_loc->sin_family == AF_INET);
2835 2836
2836 2837 natt_loc_ptr = (uint32_t *)(&natt_loc->sin_addr);
2837 2838 newbie->ipsa_local_nat_port = natt_loc->sin_port;
2838 2839
2839 2840 /* Instead of IPSA_COPY_ADDR(), just copy first 32 bits. */
2840 2841 newbie->ipsa_natt_addr_loc = *natt_loc_ptr;
2841 2842
2842 2843 /*
2843 2844 * NAT-T port agility means we may have natt_loc_ext, but
2844 2845 * only for a local-port change.
2845 2846 */
2846 2847 if (natt_loc->sin_addr.s_addr != INADDR_ANY) {
2847 2848 uint32_t l_dst = ntohl(*dst_addr_ptr);
2848 2849 uint32_t l_loc = ntohl(*natt_loc_ptr);
2849 2850
2850 2851 DOWN_SUM(l_loc);
2851 2852 DOWN_SUM(l_loc);
2852 2853 DOWN_SUM(l_dst);
2853 2854 DOWN_SUM(l_dst);
2854 2855
2855 2856 /*
2856 2857 * We're 1's complement for checksums, so check for
2857 2858 * wraparound here.
2858 2859 */
2859 2860 if (l_loc > l_dst)
2860 2861 l_dst--;
2861 2862
2862 2863 running_sum += l_dst - l_loc;
2863 2864 DOWN_SUM(running_sum);
2864 2865 DOWN_SUM(running_sum);
2865 2866 }
2866 2867 }
2867 2868
2868 2869 newbie->ipsa_inbound_cksum = running_sum;
2869 2870 #undef DOWN_SUM
2870 2871 }
2871 2872
2872 2873 /*
2873 2874 * This function is called from consumers that need to insert a fully-grown
2874 2875 * security association into its tables. This function takes into account that
2875 2876 * SAs can be "inbound", "outbound", or "both". The "primary" and "secondary"
2876 2877 * hash bucket parameters are set in order of what the SA will be most of the
2877 2878 * time. (For example, an SA with an unspecified source, and a multicast
2878 2879 * destination will primarily be an outbound SA. OTOH, if that destination
2879 2880 * is unicast for this node, then the SA will primarily be inbound.)
2880 2881 *
2881 2882 * It takes a lot of parameters because even if clone is B_FALSE, this needs
2882 2883 * to check both buckets for purposes of collision.
2883 2884 *
2884 2885 * Return 0 upon success. Return various errnos (ENOMEM, EEXIST) for
2885 2886 * various error conditions. We may need to set samsg->sadb_x_msg_diagnostic
2886 2887 * with additional diagnostic information because there is at least one EINVAL
2887 2888 * case here.
2888 2889 */
2889 2890 int
2890 2891 sadb_common_add(queue_t *pfkey_q, mblk_t *mp, sadb_msg_t *samsg,
2891 2892 keysock_in_t *ksi, isaf_t *primary, isaf_t *secondary,
2892 2893 ipsa_t *newbie, boolean_t clone, boolean_t is_inbound, int *diagnostic,
2893 2894 netstack_t *ns, sadbp_t *spp)
2894 2895 {
2895 2896 ipsa_t *newbie_clone = NULL, *scratch;
2896 2897 ipsap_t ipsapp;
2897 2898 sadb_sa_t *assoc = (sadb_sa_t *)ksi->ks_in_extv[SADB_EXT_SA];
2898 2899 sadb_address_t *srcext =
2899 2900 (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_SRC];
2900 2901 sadb_address_t *dstext =
2901 2902 (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_DST];
2902 2903 sadb_address_t *isrcext =
2903 2904 (sadb_address_t *)ksi->ks_in_extv[SADB_X_EXT_ADDRESS_INNER_SRC];
2904 2905 sadb_address_t *idstext =
2905 2906 (sadb_address_t *)ksi->ks_in_extv[SADB_X_EXT_ADDRESS_INNER_DST];
2906 2907 sadb_x_kmc_t *kmcext =
2907 2908 (sadb_x_kmc_t *)ksi->ks_in_extv[SADB_X_EXT_KM_COOKIE];
2908 2909 sadb_key_t *akey = (sadb_key_t *)ksi->ks_in_extv[SADB_EXT_KEY_AUTH];
2909 2910 sadb_key_t *ekey = (sadb_key_t *)ksi->ks_in_extv[SADB_EXT_KEY_ENCRYPT];
2910 2911 sadb_sens_t *sens =
2911 2912 (sadb_sens_t *)ksi->ks_in_extv[SADB_EXT_SENSITIVITY];
2912 2913 sadb_sens_t *osens =
2913 2914 (sadb_sens_t *)ksi->ks_in_extv[SADB_X_EXT_OUTER_SENS];
2914 2915 sadb_x_pair_t *pair_ext =
2915 2916 (sadb_x_pair_t *)ksi->ks_in_extv[SADB_X_EXT_PAIR];
2916 2917 sadb_x_replay_ctr_t *replayext =
2917 2918 (sadb_x_replay_ctr_t *)ksi->ks_in_extv[SADB_X_EXT_REPLAY_VALUE];
2918 2919 uint8_t protocol =
2919 2920 (samsg->sadb_msg_satype == SADB_SATYPE_AH) ? IPPROTO_AH:IPPROTO_ESP;
2920 2921 int salt_offset;
2921 2922 uint8_t *buf_ptr;
2922 2923 struct sockaddr_in *src, *dst, *isrc, *idst;
2923 2924 struct sockaddr_in6 *src6, *dst6, *isrc6, *idst6;
2924 2925 sadb_lifetime_t *soft =
2925 2926 (sadb_lifetime_t *)ksi->ks_in_extv[SADB_EXT_LIFETIME_SOFT];
2926 2927 sadb_lifetime_t *hard =
2927 2928 (sadb_lifetime_t *)ksi->ks_in_extv[SADB_EXT_LIFETIME_HARD];
2928 2929 sadb_lifetime_t *idle =
2929 2930 (sadb_lifetime_t *)ksi->ks_in_extv[SADB_X_EXT_LIFETIME_IDLE];
2930 2931 sa_family_t af;
2931 2932 int error = 0;
2932 2933 boolean_t isupdate = (newbie != NULL);
2933 2934 uint32_t *src_addr_ptr, *dst_addr_ptr, *isrc_addr_ptr, *idst_addr_ptr;
2934 2935 ipsec_stack_t *ipss = ns->netstack_ipsec;
2935 2936 ip_stack_t *ipst = ns->netstack_ip;
2936 2937 ipsec_alginfo_t *alg;
2937 2938 int rcode;
2938 2939 boolean_t async = B_FALSE;
2939 2940
2940 2941 init_ipsa_pair(&ipsapp);
2941 2942
2942 2943 if (srcext == NULL) {
2943 2944 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_SRC;
2944 2945 return (EINVAL);
2945 2946 }
2946 2947 if (dstext == NULL) {
2947 2948 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_DST;
2948 2949 return (EINVAL);
2949 2950 }
2950 2951 if (assoc == NULL) {
2951 2952 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_SA;
2952 2953 return (EINVAL);
2953 2954 }
2954 2955
2955 2956 src = (struct sockaddr_in *)(srcext + 1);
2956 2957 src6 = (struct sockaddr_in6 *)(srcext + 1);
2957 2958 dst = (struct sockaddr_in *)(dstext + 1);
2958 2959 dst6 = (struct sockaddr_in6 *)(dstext + 1);
2959 2960 if (isrcext != NULL) {
2960 2961 isrc = (struct sockaddr_in *)(isrcext + 1);
2961 2962 isrc6 = (struct sockaddr_in6 *)(isrcext + 1);
2962 2963 ASSERT(idstext != NULL);
2963 2964 idst = (struct sockaddr_in *)(idstext + 1);
2964 2965 idst6 = (struct sockaddr_in6 *)(idstext + 1);
2965 2966 } else {
2966 2967 isrc = NULL;
2967 2968 isrc6 = NULL;
2968 2969 }
2969 2970
2970 2971 af = src->sin_family;
2971 2972
2972 2973 if (af == AF_INET) {
2973 2974 src_addr_ptr = (uint32_t *)&src->sin_addr;
2974 2975 dst_addr_ptr = (uint32_t *)&dst->sin_addr;
2975 2976 } else {
2976 2977 ASSERT(af == AF_INET6);
2977 2978 src_addr_ptr = (uint32_t *)&src6->sin6_addr;
2978 2979 dst_addr_ptr = (uint32_t *)&dst6->sin6_addr;
2979 2980 }
2980 2981
2981 2982 if (!isupdate && (clone == B_TRUE || is_inbound == B_TRUE) &&
2982 2983 cl_inet_checkspi &&
2983 2984 (assoc->sadb_sa_state != SADB_X_SASTATE_ACTIVE_ELSEWHERE)) {
2984 2985 rcode = cl_inet_checkspi(ns->netstack_stackid, protocol,
2985 2986 assoc->sadb_sa_spi, NULL);
2986 2987 if (rcode == -1) {
2987 2988 return (EEXIST);
2988 2989 }
2989 2990 }
2990 2991
2991 2992 /*
2992 2993 * Check to see if the new SA will be cloned AND paired. The
2993 2994 * reason a SA will be cloned is the source or destination addresses
2994 2995 * are not specific enough to determine if the SA goes in the outbound
2995 2996 * or the inbound hash table, so its cloned and put in both. If
2996 2997 * the SA is paired, it's soft linked to another SA for the other
2997 2998 * direction. Keeping track and looking up SA's that are direction
2998 2999 * unspecific and linked is too hard.
2999 3000 */
3000 3001 if (clone && (pair_ext != NULL)) {
3001 3002 *diagnostic = SADB_X_DIAGNOSTIC_PAIR_INAPPROPRIATE;
3002 3003 return (EINVAL);
3003 3004 }
3004 3005
3005 3006 if (!isupdate) {
3006 3007 newbie = sadb_makelarvalassoc(assoc->sadb_sa_spi,
3007 3008 src_addr_ptr, dst_addr_ptr, af, ns);
3008 3009 if (newbie == NULL)
3009 3010 return (ENOMEM);
3010 3011 }
3011 3012
3012 3013 mutex_enter(&newbie->ipsa_lock);
3013 3014
3014 3015 if (isrc != NULL) {
3015 3016 if (isrc->sin_family == AF_INET) {
3016 3017 if (srcext->sadb_address_proto != IPPROTO_ENCAP) {
3017 3018 if (srcext->sadb_address_proto != 0) {
3018 3019 /*
3019 3020 * Mismatched outer-packet protocol
3020 3021 * and inner-packet address family.
3021 3022 */
3022 3023 mutex_exit(&newbie->ipsa_lock);
3023 3024 error = EPROTOTYPE;
3024 3025 *diagnostic =
3025 3026 SADB_X_DIAGNOSTIC_INNER_AF_MISMATCH;
3026 3027 goto error;
3027 3028 } else {
3028 3029 /* Fill in with explicit protocol. */
3029 3030 srcext->sadb_address_proto =
3030 3031 IPPROTO_ENCAP;
3031 3032 dstext->sadb_address_proto =
3032 3033 IPPROTO_ENCAP;
3033 3034 }
3034 3035 }
3035 3036 isrc_addr_ptr = (uint32_t *)&isrc->sin_addr;
3036 3037 idst_addr_ptr = (uint32_t *)&idst->sin_addr;
3037 3038 } else {
3038 3039 ASSERT(isrc->sin_family == AF_INET6);
3039 3040 if (srcext->sadb_address_proto != IPPROTO_IPV6) {
3040 3041 if (srcext->sadb_address_proto != 0) {
3041 3042 /*
3042 3043 * Mismatched outer-packet protocol
3043 3044 * and inner-packet address family.
3044 3045 */
3045 3046 mutex_exit(&newbie->ipsa_lock);
3046 3047 error = EPROTOTYPE;
3047 3048 *diagnostic =
3048 3049 SADB_X_DIAGNOSTIC_INNER_AF_MISMATCH;
3049 3050 goto error;
3050 3051 } else {
3051 3052 /* Fill in with explicit protocol. */
3052 3053 srcext->sadb_address_proto =
3053 3054 IPPROTO_IPV6;
3054 3055 dstext->sadb_address_proto =
3055 3056 IPPROTO_IPV6;
3056 3057 }
3057 3058 }
3058 3059 isrc_addr_ptr = (uint32_t *)&isrc6->sin6_addr;
3059 3060 idst_addr_ptr = (uint32_t *)&idst6->sin6_addr;
3060 3061 }
3061 3062 newbie->ipsa_innerfam = isrc->sin_family;
3062 3063
3063 3064 IPSA_COPY_ADDR(newbie->ipsa_innersrc, isrc_addr_ptr,
3064 3065 newbie->ipsa_innerfam);
3065 3066 IPSA_COPY_ADDR(newbie->ipsa_innerdst, idst_addr_ptr,
3066 3067 newbie->ipsa_innerfam);
3067 3068 newbie->ipsa_innersrcpfx = isrcext->sadb_address_prefixlen;
3068 3069 newbie->ipsa_innerdstpfx = idstext->sadb_address_prefixlen;
3069 3070
3070 3071 /* Unique value uses inner-ports for Tunnel Mode... */
3071 3072 newbie->ipsa_unique_id = SA_UNIQUE_ID(isrc->sin_port,
3072 3073 idst->sin_port, dstext->sadb_address_proto,
3073 3074 idstext->sadb_address_proto);
3074 3075 newbie->ipsa_unique_mask = SA_UNIQUE_MASK(isrc->sin_port,
3075 3076 idst->sin_port, dstext->sadb_address_proto,
3076 3077 idstext->sadb_address_proto);
3077 3078 } else {
3078 3079 /* ... and outer-ports for Transport Mode. */
3079 3080 newbie->ipsa_unique_id = SA_UNIQUE_ID(src->sin_port,
3080 3081 dst->sin_port, dstext->sadb_address_proto, 0);
3081 3082 newbie->ipsa_unique_mask = SA_UNIQUE_MASK(src->sin_port,
3082 3083 dst->sin_port, dstext->sadb_address_proto, 0);
3083 3084 }
3084 3085 if (newbie->ipsa_unique_mask != (uint64_t)0)
3085 3086 newbie->ipsa_flags |= IPSA_F_UNIQUE;
3086 3087
3087 3088 sadb_nat_calculations(newbie,
3088 3089 (sadb_address_t *)ksi->ks_in_extv[SADB_X_EXT_ADDRESS_NATT_LOC],
3089 3090 (sadb_address_t *)ksi->ks_in_extv[SADB_X_EXT_ADDRESS_NATT_REM],
3090 3091 src_addr_ptr, dst_addr_ptr);
3091 3092
3092 3093 newbie->ipsa_type = samsg->sadb_msg_satype;
3093 3094
3094 3095 ASSERT((assoc->sadb_sa_state == SADB_SASTATE_MATURE) ||
3095 3096 (assoc->sadb_sa_state == SADB_X_SASTATE_ACTIVE_ELSEWHERE));
3096 3097 newbie->ipsa_auth_alg = assoc->sadb_sa_auth;
3097 3098 newbie->ipsa_encr_alg = assoc->sadb_sa_encrypt;
3098 3099
3099 3100 newbie->ipsa_flags |= assoc->sadb_sa_flags;
3100 3101 if (newbie->ipsa_flags & SADB_X_SAFLAGS_NATT_LOC &&
3101 3102 ksi->ks_in_extv[SADB_X_EXT_ADDRESS_NATT_LOC] == NULL) {
3102 3103 mutex_exit(&newbie->ipsa_lock);
3103 3104 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_NATT_LOC;
3104 3105 error = EINVAL;
3105 3106 goto error;
3106 3107 }
3107 3108 if (newbie->ipsa_flags & SADB_X_SAFLAGS_NATT_REM &&
3108 3109 ksi->ks_in_extv[SADB_X_EXT_ADDRESS_NATT_REM] == NULL) {
3109 3110 mutex_exit(&newbie->ipsa_lock);
3110 3111 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_NATT_REM;
3111 3112 error = EINVAL;
3112 3113 goto error;
3113 3114 }
3114 3115 if (newbie->ipsa_flags & SADB_X_SAFLAGS_TUNNEL &&
3115 3116 ksi->ks_in_extv[SADB_X_EXT_ADDRESS_INNER_SRC] == NULL) {
3116 3117 mutex_exit(&newbie->ipsa_lock);
3117 3118 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_INNER_SRC;
3118 3119 error = EINVAL;
3119 3120 goto error;
3120 3121 }
3121 3122 /*
3122 3123 * If unspecified source address, force replay_wsize to 0.
3123 3124 * This is because an SA that has multiple sources of secure
3124 3125 * traffic cannot enforce a replay counter w/o synchronizing the
3125 3126 * senders.
3126 3127 */
3127 3128 if (ksi->ks_in_srctype != KS_IN_ADDR_UNSPEC)
3128 3129 newbie->ipsa_replay_wsize = assoc->sadb_sa_replay;
3129 3130 else
3130 3131 newbie->ipsa_replay_wsize = 0;
3131 3132
3132 3133 newbie->ipsa_addtime = gethrestime_sec();
3133 3134
3134 3135 if (kmcext != NULL) {
3135 3136 newbie->ipsa_kmp = kmcext->sadb_x_kmc_proto;
3136 3137 newbie->ipsa_kmc = kmcext->sadb_x_kmc_cookie;
3137 3138 }
3138 3139
3139 3140 /*
3140 3141 * XXX CURRENT lifetime checks MAY BE needed for an UPDATE.
3141 3142 * The spec says that one can update current lifetimes, but
3142 3143 * that seems impractical, especially in the larval-to-mature
3143 3144 * update that this function performs.
3144 3145 */
3145 3146 if (soft != NULL) {
3146 3147 newbie->ipsa_softaddlt = soft->sadb_lifetime_addtime;
3147 3148 newbie->ipsa_softuselt = soft->sadb_lifetime_usetime;
3148 3149 newbie->ipsa_softbyteslt = soft->sadb_lifetime_bytes;
3149 3150 newbie->ipsa_softalloc = soft->sadb_lifetime_allocations;
3150 3151 SET_EXPIRE(newbie, softaddlt, softexpiretime);
3151 3152 }
3152 3153 if (hard != NULL) {
3153 3154 newbie->ipsa_hardaddlt = hard->sadb_lifetime_addtime;
3154 3155 newbie->ipsa_harduselt = hard->sadb_lifetime_usetime;
3155 3156 newbie->ipsa_hardbyteslt = hard->sadb_lifetime_bytes;
3156 3157 newbie->ipsa_hardalloc = hard->sadb_lifetime_allocations;
3157 3158 SET_EXPIRE(newbie, hardaddlt, hardexpiretime);
3158 3159 }
3159 3160 if (idle != NULL) {
3160 3161 newbie->ipsa_idleaddlt = idle->sadb_lifetime_addtime;
3161 3162 newbie->ipsa_idleuselt = idle->sadb_lifetime_usetime;
3162 3163 newbie->ipsa_idleexpiretime = newbie->ipsa_addtime +
3163 3164 newbie->ipsa_idleaddlt;
3164 3165 newbie->ipsa_idletime = newbie->ipsa_idleaddlt;
3165 3166 }
3166 3167
3167 3168 newbie->ipsa_authtmpl = NULL;
3168 3169 newbie->ipsa_encrtmpl = NULL;
3169 3170
3170 3171 #ifdef IPSEC_LATENCY_TEST
3171 3172 if (akey != NULL && newbie->ipsa_auth_alg != SADB_AALG_NONE) {
3172 3173 #else
3173 3174 if (akey != NULL) {
3174 3175 #endif
3175 3176 async = (ipss->ipsec_algs_exec_mode[IPSEC_ALG_AUTH] ==
3176 3177 IPSEC_ALGS_EXEC_ASYNC);
3177 3178
3178 3179 newbie->ipsa_authkeybits = akey->sadb_key_bits;
3179 3180 newbie->ipsa_authkeylen = SADB_1TO8(akey->sadb_key_bits);
3180 3181 /* In case we have to round up to the next byte... */
3181 3182 if ((akey->sadb_key_bits & 0x7) != 0)
3182 3183 newbie->ipsa_authkeylen++;
3183 3184 newbie->ipsa_authkey = kmem_alloc(newbie->ipsa_authkeylen,
3184 3185 KM_NOSLEEP);
3185 3186 if (newbie->ipsa_authkey == NULL) {
3186 3187 error = ENOMEM;
3187 3188 mutex_exit(&newbie->ipsa_lock);
3188 3189 goto error;
3189 3190 }
3190 3191 bcopy(akey + 1, newbie->ipsa_authkey, newbie->ipsa_authkeylen);
3191 3192 bzero(akey + 1, newbie->ipsa_authkeylen);
3192 3193
3193 3194 /*
3194 3195 * Pre-initialize the kernel crypto framework key
3195 3196 * structure.
3196 3197 */
3197 3198 newbie->ipsa_kcfauthkey.ck_format = CRYPTO_KEY_RAW;
3198 3199 newbie->ipsa_kcfauthkey.ck_length = newbie->ipsa_authkeybits;
3199 3200 newbie->ipsa_kcfauthkey.ck_data = newbie->ipsa_authkey;
3200 3201
3201 - mutex_enter(&ipss->ipsec_alg_lock);
3202 + rw_enter(&ipss->ipsec_alg_lock, RW_READER);
3202 3203 alg = ipss->ipsec_alglists[IPSEC_ALG_AUTH]
3203 3204 [newbie->ipsa_auth_alg];
3204 3205 if (alg != NULL && ALG_VALID(alg)) {
3205 3206 newbie->ipsa_amech.cm_type = alg->alg_mech_type;
3206 3207 newbie->ipsa_amech.cm_param =
3207 3208 (char *)&newbie->ipsa_mac_len;
3208 3209 newbie->ipsa_amech.cm_param_len = sizeof (size_t);
3209 3210 newbie->ipsa_mac_len = (size_t)alg->alg_datalen;
3210 3211 } else {
3211 3212 newbie->ipsa_amech.cm_type = CRYPTO_MECHANISM_INVALID;
3212 3213 }
3213 3214 error = ipsec_create_ctx_tmpl(newbie, IPSEC_ALG_AUTH);
3214 - mutex_exit(&ipss->ipsec_alg_lock);
3215 + rw_exit(&ipss->ipsec_alg_lock);
3215 3216 if (error != 0) {
3216 3217 mutex_exit(&newbie->ipsa_lock);
3217 3218 /*
3218 3219 * An error here indicates that alg is the wrong type
3219 3220 * (IE: not authentication) or its not in the alg tables
3220 3221 * created by ipsecalgs(1m), or Kcf does not like the
3221 3222 * parameters passed in with this algorithm, which is
3222 3223 * probably a coding error!
3223 3224 */
3224 3225 *diagnostic = SADB_X_DIAGNOSTIC_BAD_CTX;
3225 3226
3226 3227 goto error;
3227 3228 }
3228 3229 }
3229 3230
3230 3231 if (ekey != NULL) {
3231 - mutex_enter(&ipss->ipsec_alg_lock);
3232 + rw_enter(&ipss->ipsec_alg_lock, RW_READER);
3232 3233 async = async || (ipss->ipsec_algs_exec_mode[IPSEC_ALG_ENCR] ==
3233 3234 IPSEC_ALGS_EXEC_ASYNC);
3234 3235 alg = ipss->ipsec_alglists[IPSEC_ALG_ENCR]
3235 3236 [newbie->ipsa_encr_alg];
3236 3237
3237 3238 if (alg != NULL && ALG_VALID(alg)) {
3238 3239 newbie->ipsa_emech.cm_type = alg->alg_mech_type;
3239 3240 newbie->ipsa_datalen = alg->alg_datalen;
3240 3241 if (alg->alg_flags & ALG_FLAG_COUNTERMODE)
3241 3242 newbie->ipsa_flags |= IPSA_F_COUNTERMODE;
3242 3243
3243 3244 if (alg->alg_flags & ALG_FLAG_COMBINED) {
3244 3245 newbie->ipsa_flags |= IPSA_F_COMBINED;
3245 3246 newbie->ipsa_mac_len = alg->alg_icvlen;
3246 3247 }
3247 3248
3248 3249 if (alg->alg_flags & ALG_FLAG_CCM)
3249 3250 newbie->ipsa_noncefunc = ccm_params_init;
3250 3251 else if (alg->alg_flags & ALG_FLAG_GCM)
3251 3252 newbie->ipsa_noncefunc = gcm_params_init;
3252 3253 else newbie->ipsa_noncefunc = cbc_params_init;
3253 3254
3254 3255 newbie->ipsa_saltlen = alg->alg_saltlen;
3255 3256 newbie->ipsa_saltbits = SADB_8TO1(newbie->ipsa_saltlen);
3256 3257 newbie->ipsa_iv_len = alg->alg_ivlen;
3257 3258 newbie->ipsa_nonce_len = newbie->ipsa_saltlen +
3258 3259 newbie->ipsa_iv_len;
3259 3260 newbie->ipsa_emech.cm_param = NULL;
3260 3261 newbie->ipsa_emech.cm_param_len = 0;
3261 3262 } else {
3262 3263 newbie->ipsa_emech.cm_type = CRYPTO_MECHANISM_INVALID;
3263 3264 }
3264 - mutex_exit(&ipss->ipsec_alg_lock);
3265 + rw_exit(&ipss->ipsec_alg_lock);
3265 3266
3266 3267 /*
3267 3268 * The byte stream following the sadb_key_t is made up of:
3268 3269 * key bytes, [salt bytes], [IV initial value]
3269 3270 * All of these have variable length. The IV is typically
3270 3271 * randomly generated by this function and not passed in.
3271 3272 * By supporting the injection of a known IV, the whole
3272 3273 * IPsec subsystem and the underlying crypto subsystem
3273 3274 * can be tested with known test vectors.
3274 3275 *
3275 3276 * The keying material has been checked by ext_check()
3276 3277 * and ipsec_valid_key_size(), after removing salt/IV
3277 3278 * bits, whats left is the encryption key. If this is too
3278 3279 * short, ipsec_create_ctx_tmpl() will fail and the SA
3279 3280 * won't get created.
3280 3281 *
3281 3282 * set ipsa_encrkeylen to length of key only.
3282 3283 */
3283 3284 newbie->ipsa_encrkeybits = ekey->sadb_key_bits;
3284 3285 newbie->ipsa_encrkeybits -= ekey->sadb_key_reserved;
3285 3286 newbie->ipsa_encrkeybits -= newbie->ipsa_saltbits;
3286 3287 newbie->ipsa_encrkeylen = SADB_1TO8(newbie->ipsa_encrkeybits);
3287 3288
3288 3289 /* In case we have to round up to the next byte... */
3289 3290 if ((ekey->sadb_key_bits & 0x7) != 0)
3290 3291 newbie->ipsa_encrkeylen++;
3291 3292
3292 3293 newbie->ipsa_encrkey = kmem_alloc(newbie->ipsa_encrkeylen,
3293 3294 KM_NOSLEEP);
3294 3295 if (newbie->ipsa_encrkey == NULL) {
3295 3296 error = ENOMEM;
3296 3297 mutex_exit(&newbie->ipsa_lock);
3297 3298 goto error;
3298 3299 }
3299 3300
3300 3301 buf_ptr = (uint8_t *)(ekey + 1);
3301 3302 bcopy(buf_ptr, newbie->ipsa_encrkey, newbie->ipsa_encrkeylen);
3302 3303
3303 3304 if (newbie->ipsa_flags & IPSA_F_COMBINED) {
3304 3305 /*
3305 3306 * Combined mode algs need a nonce. Copy the salt and
3306 3307 * IV into a buffer. The ipsa_nonce is a pointer into
3307 3308 * this buffer, some bytes at the start of the buffer
3308 3309 * may be unused, depends on the salt length. The IV
3309 3310 * is 64 bit aligned so it can be incremented as a
3310 3311 * uint64_t. Zero out key in samsg_t before freeing.
3311 3312 */
3312 3313
3313 3314 newbie->ipsa_nonce_buf = kmem_alloc(
3314 3315 sizeof (ipsec_nonce_t), KM_NOSLEEP);
3315 3316 if (newbie->ipsa_nonce_buf == NULL) {
3316 3317 error = ENOMEM;
3317 3318 mutex_exit(&newbie->ipsa_lock);
3318 3319 goto error;
3319 3320 }
3320 3321 /*
3321 3322 * Initialize nonce and salt pointers to point
3322 3323 * to the nonce buffer. This is just in case we get
3323 3324 * bad data, the pointers will be valid, the data
3324 3325 * won't be.
3325 3326 *
3326 3327 * See sadb.h for layout of nonce.
3327 3328 */
3328 3329 newbie->ipsa_iv = &newbie->ipsa_nonce_buf->iv;
3329 3330 newbie->ipsa_salt = (uint8_t *)newbie->ipsa_nonce_buf;
3330 3331 newbie->ipsa_nonce = newbie->ipsa_salt;
3331 3332 if (newbie->ipsa_saltlen != 0) {
3332 3333 salt_offset = MAXSALTSIZE -
3333 3334 newbie->ipsa_saltlen;
3334 3335 newbie->ipsa_salt = (uint8_t *)
3335 3336 &newbie->ipsa_nonce_buf->salt[salt_offset];
3336 3337 newbie->ipsa_nonce = newbie->ipsa_salt;
3337 3338 buf_ptr += newbie->ipsa_encrkeylen;
3338 3339 bcopy(buf_ptr, newbie->ipsa_salt,
3339 3340 newbie->ipsa_saltlen);
3340 3341 }
3341 3342 /*
3342 3343 * The IV for CCM/GCM mode increments, it should not
3343 3344 * repeat. Get a random value for the IV, make a
3344 3345 * copy, the SA will expire when/if the IV ever
3345 3346 * wraps back to the initial value. If an Initial IV
3346 3347 * is passed in via PF_KEY, save this in the SA.
3347 3348 * Initialising IV for inbound is pointless as its
3348 3349 * taken from the inbound packet.
3349 3350 */
3350 3351 if (!is_inbound) {
3351 3352 if (ekey->sadb_key_reserved != 0) {
3352 3353 buf_ptr += newbie->ipsa_saltlen;
3353 3354 bcopy(buf_ptr, (uint8_t *)newbie->
3354 3355 ipsa_iv, SADB_1TO8(ekey->
3355 3356 sadb_key_reserved));
3356 3357 } else {
3357 3358 (void) random_get_pseudo_bytes(
3358 3359 (uint8_t *)newbie->ipsa_iv,
3359 3360 newbie->ipsa_iv_len);
3360 3361 }
3361 3362 newbie->ipsa_iv_softexpire =
3362 3363 (*newbie->ipsa_iv) << 9;
3363 3364 newbie->ipsa_iv_hardexpire = *newbie->ipsa_iv;
3364 3365 }
3365 3366 }
3366 3367 bzero((ekey + 1), SADB_1TO8(ekey->sadb_key_bits));
3367 3368
3368 3369 /*
3369 3370 * Pre-initialize the kernel crypto framework key
3370 3371 * structure.
3371 3372 */
3372 3373 newbie->ipsa_kcfencrkey.ck_format = CRYPTO_KEY_RAW;
3373 3374 newbie->ipsa_kcfencrkey.ck_length = newbie->ipsa_encrkeybits;
3374 3375 newbie->ipsa_kcfencrkey.ck_data = newbie->ipsa_encrkey;
3375 3376
3376 - mutex_enter(&ipss->ipsec_alg_lock);
3377 + rw_enter(&ipss->ipsec_alg_lock, RW_READER);
3377 3378 error = ipsec_create_ctx_tmpl(newbie, IPSEC_ALG_ENCR);
3378 - mutex_exit(&ipss->ipsec_alg_lock);
3379 + rw_exit(&ipss->ipsec_alg_lock);
3379 3380 if (error != 0) {
3380 3381 mutex_exit(&newbie->ipsa_lock);
3381 3382 /* See above for error explanation. */
3382 3383 *diagnostic = SADB_X_DIAGNOSTIC_BAD_CTX;
3383 3384 goto error;
3384 3385 }
3385 3386 }
3386 3387
3387 3388 if (async)
3388 3389 newbie->ipsa_flags |= IPSA_F_ASYNC;
3389 3390
3390 3391 /*
3391 3392 * Ptrs to processing functions.
3392 3393 */
3393 3394 if (newbie->ipsa_type == SADB_SATYPE_ESP)
3394 3395 ipsecesp_init_funcs(newbie);
3395 3396 else
3396 3397 ipsecah_init_funcs(newbie);
3397 3398 ASSERT(newbie->ipsa_output_func != NULL &&
3398 3399 newbie->ipsa_input_func != NULL);
3399 3400
3400 3401 /*
3401 3402 * Certificate ID stuff.
3402 3403 */
3403 3404 if (ksi->ks_in_extv[SADB_EXT_IDENTITY_SRC] != NULL) {
3404 3405 sadb_ident_t *id =
3405 3406 (sadb_ident_t *)ksi->ks_in_extv[SADB_EXT_IDENTITY_SRC];
3406 3407
3407 3408 /*
3408 3409 * Can assume strlen() will return okay because ext_check() in
3409 3410 * keysock.c prepares the string for us.
3410 3411 */
3411 3412 newbie->ipsa_src_cid = ipsid_lookup(id->sadb_ident_type,
3412 3413 (char *)(id+1), ns);
3413 3414 if (newbie->ipsa_src_cid == NULL) {
3414 3415 error = ENOMEM;
3415 3416 mutex_exit(&newbie->ipsa_lock);
3416 3417 goto error;
3417 3418 }
3418 3419 }
3419 3420
3420 3421 if (ksi->ks_in_extv[SADB_EXT_IDENTITY_DST] != NULL) {
3421 3422 sadb_ident_t *id =
3422 3423 (sadb_ident_t *)ksi->ks_in_extv[SADB_EXT_IDENTITY_DST];
3423 3424
3424 3425 /*
3425 3426 * Can assume strlen() will return okay because ext_check() in
3426 3427 * keysock.c prepares the string for us.
3427 3428 */
3428 3429 newbie->ipsa_dst_cid = ipsid_lookup(id->sadb_ident_type,
3429 3430 (char *)(id+1), ns);
3430 3431 if (newbie->ipsa_dst_cid == NULL) {
3431 3432 error = ENOMEM;
3432 3433 mutex_exit(&newbie->ipsa_lock);
3433 3434 goto error;
3434 3435 }
3435 3436 }
3436 3437
3437 3438 /*
3438 3439 * sensitivity label handling code:
3439 3440 * Convert sens + bitmap into cred_t, and associate it
3440 3441 * with the new SA.
3441 3442 */
3442 3443 if (sens != NULL) {
3443 3444 uint64_t *bitmap = (uint64_t *)(sens + 1);
3444 3445
3445 3446 newbie->ipsa_tsl = sadb_label_from_sens(sens, bitmap);
3446 3447 }
3447 3448
3448 3449 /*
3449 3450 * Likewise for outer sensitivity.
3450 3451 */
3451 3452 if (osens != NULL) {
3452 3453 uint64_t *bitmap = (uint64_t *)(osens + 1);
3453 3454 ts_label_t *tsl, *effective_tsl;
3454 3455 uint32_t *peer_addr_ptr;
3455 3456 zoneid_t zoneid = GLOBAL_ZONEID;
3456 3457 zone_t *zone;
3457 3458
3458 3459 peer_addr_ptr = is_inbound ? src_addr_ptr : dst_addr_ptr;
3459 3460
3460 3461 tsl = sadb_label_from_sens(osens, bitmap);
3461 3462 newbie->ipsa_mac_exempt = CONN_MAC_DEFAULT;
3462 3463
3463 3464 if (osens->sadb_x_sens_flags & SADB_X_SENS_IMPLICIT) {
3464 3465 newbie->ipsa_mac_exempt = CONN_MAC_IMPLICIT;
3465 3466 }
3466 3467
3467 3468 error = tsol_check_dest(tsl, peer_addr_ptr,
3468 3469 (af == AF_INET6)?IPV6_VERSION:IPV4_VERSION,
3469 3470 newbie->ipsa_mac_exempt, B_TRUE, &effective_tsl);
3470 3471 if (error != 0) {
3471 3472 label_rele(tsl);
3472 3473 mutex_exit(&newbie->ipsa_lock);
3473 3474 goto error;
3474 3475 }
3475 3476
3476 3477 if (effective_tsl != NULL) {
3477 3478 label_rele(tsl);
3478 3479 tsl = effective_tsl;
3479 3480 }
3480 3481
3481 3482 newbie->ipsa_otsl = tsl;
3482 3483
3483 3484 zone = zone_find_by_label(tsl);
3484 3485 if (zone != NULL) {
3485 3486 zoneid = zone->zone_id;
3486 3487 zone_rele(zone);
3487 3488 }
3488 3489 /*
3489 3490 * For exclusive stacks we set the zoneid to zero to operate
3490 3491 * as if in the global zone for tsol_compute_label_v4/v6
3491 3492 */
3492 3493 if (ipst->ips_netstack->netstack_stackid != GLOBAL_NETSTACKID)
3493 3494 zoneid = GLOBAL_ZONEID;
3494 3495
3495 3496 if (af == AF_INET6) {
3496 3497 error = tsol_compute_label_v6(tsl, zoneid,
3497 3498 (in6_addr_t *)peer_addr_ptr,
3498 3499 newbie->ipsa_opt_storage, ipst);
3499 3500 } else {
3500 3501 error = tsol_compute_label_v4(tsl, zoneid,
3501 3502 *peer_addr_ptr, newbie->ipsa_opt_storage, ipst);
3502 3503 }
3503 3504 if (error != 0) {
3504 3505 mutex_exit(&newbie->ipsa_lock);
3505 3506 goto error;
3506 3507 }
3507 3508 }
3508 3509
3509 3510
3510 3511 if (replayext != NULL) {
3511 3512 if ((replayext->sadb_x_rc_replay32 == 0) &&
3512 3513 (replayext->sadb_x_rc_replay64 != 0)) {
3513 3514 error = EOPNOTSUPP;
3514 3515 *diagnostic = SADB_X_DIAGNOSTIC_INVALID_REPLAY;
3515 3516 mutex_exit(&newbie->ipsa_lock);
3516 3517 goto error;
3517 3518 }
3518 3519 newbie->ipsa_replay = replayext->sadb_x_rc_replay32;
3519 3520 }
3520 3521
3521 3522 /* now that the SA has been updated, set its new state */
3522 3523 newbie->ipsa_state = assoc->sadb_sa_state;
3523 3524
3524 3525 if (clone) {
3525 3526 newbie->ipsa_haspeer = B_TRUE;
3526 3527 } else {
3527 3528 if (!is_inbound) {
3528 3529 lifetime_fuzz(newbie);
3529 3530 }
3530 3531 }
3531 3532 /*
3532 3533 * The less locks I hold when doing an insertion and possible cloning,
3533 3534 * the better!
3534 3535 */
3535 3536 mutex_exit(&newbie->ipsa_lock);
3536 3537
3537 3538 if (clone) {
3538 3539 newbie_clone = sadb_cloneassoc(newbie);
3539 3540
3540 3541 if (newbie_clone == NULL) {
3541 3542 error = ENOMEM;
3542 3543 goto error;
3543 3544 }
3544 3545 }
3545 3546
3546 3547 /*
3547 3548 * Enter the bucket locks. The order of entry is outbound,
3548 3549 * inbound. We map "primary" and "secondary" into outbound and inbound
3549 3550 * based on the destination address type. If the destination address
3550 3551 * type is for a node that isn't mine (or potentially mine), the
3551 3552 * "primary" bucket is the outbound one.
3552 3553 */
3553 3554 if (!is_inbound) {
3554 3555 /* primary == outbound */
3555 3556 mutex_enter(&primary->isaf_lock);
3556 3557 mutex_enter(&secondary->isaf_lock);
3557 3558 } else {
3558 3559 /* primary == inbound */
3559 3560 mutex_enter(&secondary->isaf_lock);
3560 3561 mutex_enter(&primary->isaf_lock);
3561 3562 }
3562 3563
3563 3564 /*
3564 3565 * sadb_insertassoc() doesn't increment the reference
3565 3566 * count. We therefore have to increment the
3566 3567 * reference count one more time to reflect the
3567 3568 * pointers of the table that reference this SA.
3568 3569 */
3569 3570 IPSA_REFHOLD(newbie);
3570 3571
3571 3572 if (isupdate) {
3572 3573 /*
3573 3574 * Unlink from larval holding cell in the "inbound" fanout.
3574 3575 */
3575 3576 ASSERT(newbie->ipsa_linklock == &primary->isaf_lock ||
3576 3577 newbie->ipsa_linklock == &secondary->isaf_lock);
3577 3578 sadb_unlinkassoc(newbie);
3578 3579 }
3579 3580
3580 3581 mutex_enter(&newbie->ipsa_lock);
3581 3582 error = sadb_insertassoc(newbie, primary);
3582 3583 mutex_exit(&newbie->ipsa_lock);
3583 3584
3584 3585 if (error != 0) {
3585 3586 /*
3586 3587 * Since sadb_insertassoc() failed, we must decrement the
3587 3588 * refcount again so the cleanup code will actually free
3588 3589 * the offending SA.
3589 3590 */
3590 3591 IPSA_REFRELE(newbie);
3591 3592 goto error_unlock;
3592 3593 }
3593 3594
3594 3595 if (newbie_clone != NULL) {
3595 3596 mutex_enter(&newbie_clone->ipsa_lock);
3596 3597 error = sadb_insertassoc(newbie_clone, secondary);
3597 3598 mutex_exit(&newbie_clone->ipsa_lock);
3598 3599 if (error != 0) {
3599 3600 /* Collision in secondary table. */
3600 3601 sadb_unlinkassoc(newbie); /* This does REFRELE. */
3601 3602 goto error_unlock;
3602 3603 }
3603 3604 IPSA_REFHOLD(newbie_clone);
3604 3605 } else {
3605 3606 ASSERT(primary != secondary);
3606 3607 scratch = ipsec_getassocbyspi(secondary, newbie->ipsa_spi,
3607 3608 ALL_ZEROES_PTR, newbie->ipsa_dstaddr, af);
3608 3609 if (scratch != NULL) {
3609 3610 /* Collision in secondary table. */
3610 3611 sadb_unlinkassoc(newbie); /* This does REFRELE. */
3611 3612 /* Set the error, since ipsec_getassocbyspi() can't. */
3612 3613 error = EEXIST;
3613 3614 goto error_unlock;
3614 3615 }
3615 3616 }
3616 3617
3617 3618 /* OKAY! So let's do some reality check assertions. */
3618 3619
3619 3620 ASSERT(MUTEX_NOT_HELD(&newbie->ipsa_lock));
3620 3621 ASSERT(newbie_clone == NULL ||
3621 3622 (MUTEX_NOT_HELD(&newbie_clone->ipsa_lock)));
3622 3623
3623 3624 error_unlock:
3624 3625
3625 3626 /*
3626 3627 * We can exit the locks in any order. Only entrance needs to
3627 3628 * follow any protocol.
3628 3629 */
3629 3630 mutex_exit(&secondary->isaf_lock);
3630 3631 mutex_exit(&primary->isaf_lock);
3631 3632
3632 3633 if (pair_ext != NULL && error == 0) {
3633 3634 /* update pair_spi if it exists. */
3634 3635 ipsa_query_t sq;
3635 3636
3636 3637 sq.spp = spp; /* XXX param */
3637 3638 error = sadb_form_query(ksi, IPSA_Q_DST, IPSA_Q_SRC|IPSA_Q_DST|
3638 3639 IPSA_Q_SA|IPSA_Q_INBOUND|IPSA_Q_OUTBOUND, &sq, diagnostic);
3639 3640 if (error)
3640 3641 return (error);
3641 3642
3642 3643 error = get_ipsa_pair(&sq, &ipsapp, diagnostic);
3643 3644
3644 3645 if (error != 0)
3645 3646 goto error;
3646 3647
3647 3648 if (ipsapp.ipsap_psa_ptr != NULL) {
3648 3649 *diagnostic = SADB_X_DIAGNOSTIC_PAIR_ALREADY;
3649 3650 error = EINVAL;
3650 3651 } else {
3651 3652 /* update_pairing() sets diagnostic */
3652 3653 error = update_pairing(&ipsapp, &sq, ksi, diagnostic);
3653 3654 }
3654 3655 }
3655 3656 /* Common error point for this routine. */
3656 3657 error:
3657 3658 if (newbie != NULL) {
3658 3659 if (error != 0) {
3659 3660 /* This SA is broken, let the reaper clean up. */
3660 3661 mutex_enter(&newbie->ipsa_lock);
3661 3662 newbie->ipsa_state = IPSA_STATE_DEAD;
3662 3663 newbie->ipsa_hardexpiretime = 1;
3663 3664 mutex_exit(&newbie->ipsa_lock);
3664 3665 }
3665 3666 IPSA_REFRELE(newbie);
3666 3667 }
3667 3668 if (newbie_clone != NULL) {
3668 3669 IPSA_REFRELE(newbie_clone);
3669 3670 }
3670 3671
3671 3672 if (error == 0) {
3672 3673 /*
3673 3674 * Construct favorable PF_KEY return message and send to
3674 3675 * keysock. Update the flags in the original keysock message
3675 3676 * to reflect the actual flags in the new SA.
3676 3677 * (Q: Do I need to pass "newbie"? If I do,
3677 3678 * make sure to REFHOLD, call, then REFRELE.)
3678 3679 */
3679 3680 assoc->sadb_sa_flags = newbie->ipsa_flags;
3680 3681 sadb_pfkey_echo(pfkey_q, mp, samsg, ksi, NULL);
3681 3682 }
3682 3683
3683 3684 destroy_ipsa_pair(&ipsapp);
3684 3685 return (error);
3685 3686 }
3686 3687
3687 3688 /*
3688 3689 * Set the time of first use for a security association. Update any
3689 3690 * expiration times as a result.
3690 3691 */
3691 3692 void
3692 3693 sadb_set_usetime(ipsa_t *assoc)
3693 3694 {
3694 3695 time_t snapshot = gethrestime_sec();
3695 3696
3696 3697 mutex_enter(&assoc->ipsa_lock);
3697 3698 assoc->ipsa_lastuse = snapshot;
3698 3699 assoc->ipsa_idleexpiretime = snapshot + assoc->ipsa_idletime;
3699 3700
3700 3701 /*
3701 3702 * Caller does check usetime before calling me usually, and
3702 3703 * double-checking is better than a mutex_enter/exit hit.
3703 3704 */
3704 3705 if (assoc->ipsa_usetime == 0) {
3705 3706 /*
3706 3707 * This is redundant for outbound SA's, as
3707 3708 * ipsec_getassocbyconn() sets the IPSA_F_USED flag already.
3708 3709 * Inbound SAs, however, have no such protection.
3709 3710 */
3710 3711 assoc->ipsa_flags |= IPSA_F_USED;
3711 3712 assoc->ipsa_usetime = snapshot;
3712 3713
3713 3714 /*
3714 3715 * After setting the use time, see if we have a use lifetime
3715 3716 * that would cause the actual SA expiration time to shorten.
3716 3717 */
3717 3718 UPDATE_EXPIRE(assoc, softuselt, softexpiretime);
3718 3719 UPDATE_EXPIRE(assoc, harduselt, hardexpiretime);
3719 3720 }
3720 3721 mutex_exit(&assoc->ipsa_lock);
3721 3722 }
3722 3723
3723 3724 /*
3724 3725 * Send up a PF_KEY expire message for this association.
3725 3726 */
3726 3727 static void
3727 3728 sadb_expire_assoc(queue_t *pfkey_q, ipsa_t *assoc)
3728 3729 {
3729 3730 mblk_t *mp, *mp1;
3730 3731 int alloclen, af;
3731 3732 sadb_msg_t *samsg;
3732 3733 sadb_lifetime_t *current, *expire;
3733 3734 sadb_sa_t *saext;
3734 3735 uint8_t *end;
3735 3736 boolean_t tunnel_mode;
3736 3737
3737 3738 ASSERT(MUTEX_HELD(&assoc->ipsa_lock));
3738 3739
3739 3740 /* Don't bother sending if there's no queue. */
3740 3741 if (pfkey_q == NULL)
3741 3742 return;
3742 3743
3743 3744 mp = sadb_keysock_out(0);
3744 3745 if (mp == NULL) {
3745 3746 /* cmn_err(CE_WARN, */
3746 3747 /* "sadb_expire_assoc: Can't allocate KEYSOCK_OUT.\n"); */
3747 3748 return;
3748 3749 }
3749 3750
3750 3751 alloclen = sizeof (*samsg) + sizeof (*current) + sizeof (*expire) +
3751 3752 2 * sizeof (sadb_address_t) + sizeof (*saext);
3752 3753
3753 3754 af = assoc->ipsa_addrfam;
3754 3755 switch (af) {
3755 3756 case AF_INET:
3756 3757 alloclen += 2 * sizeof (struct sockaddr_in);
3757 3758 break;
3758 3759 case AF_INET6:
3759 3760 alloclen += 2 * sizeof (struct sockaddr_in6);
3760 3761 break;
3761 3762 default:
3762 3763 /* Won't happen unless there's a kernel bug. */
3763 3764 freeb(mp);
3764 3765 cmn_err(CE_WARN,
3765 3766 "sadb_expire_assoc: Unknown address length.\n");
3766 3767 return;
3767 3768 }
3768 3769
3769 3770 tunnel_mode = (assoc->ipsa_flags & IPSA_F_TUNNEL);
3770 3771 if (tunnel_mode) {
3771 3772 alloclen += 2 * sizeof (sadb_address_t);
3772 3773 switch (assoc->ipsa_innerfam) {
3773 3774 case AF_INET:
3774 3775 alloclen += 2 * sizeof (struct sockaddr_in);
3775 3776 break;
3776 3777 case AF_INET6:
3777 3778 alloclen += 2 * sizeof (struct sockaddr_in6);
3778 3779 break;
3779 3780 default:
3780 3781 /* Won't happen unless there's a kernel bug. */
3781 3782 freeb(mp);
3782 3783 cmn_err(CE_WARN, "sadb_expire_assoc: "
3783 3784 "Unknown inner address length.\n");
3784 3785 return;
3785 3786 }
3786 3787 }
3787 3788
3788 3789 mp->b_cont = allocb(alloclen, BPRI_HI);
3789 3790 if (mp->b_cont == NULL) {
3790 3791 freeb(mp);
3791 3792 /* cmn_err(CE_WARN, */
3792 3793 /* "sadb_expire_assoc: Can't allocate message.\n"); */
3793 3794 return;
3794 3795 }
3795 3796
3796 3797 mp1 = mp;
3797 3798 mp = mp->b_cont;
3798 3799 end = mp->b_wptr + alloclen;
3799 3800
3800 3801 samsg = (sadb_msg_t *)mp->b_wptr;
3801 3802 mp->b_wptr += sizeof (*samsg);
3802 3803 samsg->sadb_msg_version = PF_KEY_V2;
3803 3804 samsg->sadb_msg_type = SADB_EXPIRE;
3804 3805 samsg->sadb_msg_errno = 0;
3805 3806 samsg->sadb_msg_satype = assoc->ipsa_type;
3806 3807 samsg->sadb_msg_len = SADB_8TO64(alloclen);
3807 3808 samsg->sadb_msg_reserved = 0;
3808 3809 samsg->sadb_msg_seq = 0;
3809 3810 samsg->sadb_msg_pid = 0;
3810 3811
3811 3812 saext = (sadb_sa_t *)mp->b_wptr;
3812 3813 mp->b_wptr += sizeof (*saext);
3813 3814 saext->sadb_sa_len = SADB_8TO64(sizeof (*saext));
3814 3815 saext->sadb_sa_exttype = SADB_EXT_SA;
3815 3816 saext->sadb_sa_spi = assoc->ipsa_spi;
3816 3817 saext->sadb_sa_replay = assoc->ipsa_replay_wsize;
3817 3818 saext->sadb_sa_state = assoc->ipsa_state;
3818 3819 saext->sadb_sa_auth = assoc->ipsa_auth_alg;
3819 3820 saext->sadb_sa_encrypt = assoc->ipsa_encr_alg;
3820 3821 saext->sadb_sa_flags = assoc->ipsa_flags;
3821 3822
3822 3823 current = (sadb_lifetime_t *)mp->b_wptr;
3823 3824 mp->b_wptr += sizeof (sadb_lifetime_t);
3824 3825 current->sadb_lifetime_len = SADB_8TO64(sizeof (*current));
3825 3826 current->sadb_lifetime_exttype = SADB_EXT_LIFETIME_CURRENT;
3826 3827 /* We do not support the concept. */
3827 3828 current->sadb_lifetime_allocations = 0;
3828 3829 current->sadb_lifetime_bytes = assoc->ipsa_bytes;
3829 3830 current->sadb_lifetime_addtime = assoc->ipsa_addtime;
3830 3831 current->sadb_lifetime_usetime = assoc->ipsa_usetime;
3831 3832
3832 3833 expire = (sadb_lifetime_t *)mp->b_wptr;
3833 3834 mp->b_wptr += sizeof (*expire);
3834 3835 expire->sadb_lifetime_len = SADB_8TO64(sizeof (*expire));
3835 3836
3836 3837 if (assoc->ipsa_state == IPSA_STATE_DEAD) {
3837 3838 expire->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD;
3838 3839 expire->sadb_lifetime_allocations = assoc->ipsa_hardalloc;
3839 3840 expire->sadb_lifetime_bytes = assoc->ipsa_hardbyteslt;
3840 3841 expire->sadb_lifetime_addtime = assoc->ipsa_hardaddlt;
3841 3842 expire->sadb_lifetime_usetime = assoc->ipsa_harduselt;
3842 3843 } else if (assoc->ipsa_state == IPSA_STATE_DYING) {
3843 3844 expire->sadb_lifetime_exttype = SADB_EXT_LIFETIME_SOFT;
3844 3845 expire->sadb_lifetime_allocations = assoc->ipsa_softalloc;
3845 3846 expire->sadb_lifetime_bytes = assoc->ipsa_softbyteslt;
3846 3847 expire->sadb_lifetime_addtime = assoc->ipsa_softaddlt;
3847 3848 expire->sadb_lifetime_usetime = assoc->ipsa_softuselt;
3848 3849 } else {
3849 3850 ASSERT(assoc->ipsa_state == IPSA_STATE_MATURE);
3850 3851 expire->sadb_lifetime_exttype = SADB_X_EXT_LIFETIME_IDLE;
3851 3852 expire->sadb_lifetime_allocations = 0;
3852 3853 expire->sadb_lifetime_bytes = 0;
3853 3854 expire->sadb_lifetime_addtime = assoc->ipsa_idleaddlt;
3854 3855 expire->sadb_lifetime_usetime = assoc->ipsa_idleuselt;
3855 3856 }
3856 3857
3857 3858 mp->b_wptr = sadb_make_addr_ext(mp->b_wptr, end, SADB_EXT_ADDRESS_SRC,
3858 3859 af, assoc->ipsa_srcaddr, tunnel_mode ? 0 : SA_SRCPORT(assoc),
3859 3860 SA_PROTO(assoc), 0);
3860 3861 ASSERT(mp->b_wptr != NULL);
3861 3862
3862 3863 mp->b_wptr = sadb_make_addr_ext(mp->b_wptr, end, SADB_EXT_ADDRESS_DST,
3863 3864 af, assoc->ipsa_dstaddr, tunnel_mode ? 0 : SA_DSTPORT(assoc),
3864 3865 SA_PROTO(assoc), 0);
3865 3866 ASSERT(mp->b_wptr != NULL);
3866 3867
3867 3868 if (tunnel_mode) {
3868 3869 mp->b_wptr = sadb_make_addr_ext(mp->b_wptr, end,
3869 3870 SADB_X_EXT_ADDRESS_INNER_SRC, assoc->ipsa_innerfam,
3870 3871 assoc->ipsa_innersrc, SA_SRCPORT(assoc), SA_IPROTO(assoc),
3871 3872 assoc->ipsa_innersrcpfx);
3872 3873 ASSERT(mp->b_wptr != NULL);
3873 3874 mp->b_wptr = sadb_make_addr_ext(mp->b_wptr, end,
3874 3875 SADB_X_EXT_ADDRESS_INNER_DST, assoc->ipsa_innerfam,
3875 3876 assoc->ipsa_innerdst, SA_DSTPORT(assoc), SA_IPROTO(assoc),
3876 3877 assoc->ipsa_innerdstpfx);
3877 3878 ASSERT(mp->b_wptr != NULL);
3878 3879 }
3879 3880
3880 3881 /* Can just putnext, we're ready to go! */
3881 3882 putnext(pfkey_q, mp1);
3882 3883 }
3883 3884
3884 3885 /*
3885 3886 * "Age" the SA with the number of bytes that was used to protect traffic.
3886 3887 * Send an SADB_EXPIRE message if appropriate. Return B_TRUE if there was
3887 3888 * enough "charge" left in the SA to protect the data. Return B_FALSE
3888 3889 * otherwise. (If B_FALSE is returned, the association either was, or became
3889 3890 * DEAD.)
3890 3891 */
3891 3892 boolean_t
3892 3893 sadb_age_bytes(queue_t *pfkey_q, ipsa_t *assoc, uint64_t bytes,
3893 3894 boolean_t sendmsg)
3894 3895 {
3895 3896 boolean_t rc = B_TRUE;
3896 3897 uint64_t newtotal;
3897 3898
3898 3899 mutex_enter(&assoc->ipsa_lock);
3899 3900 newtotal = assoc->ipsa_bytes + bytes;
3900 3901 if (assoc->ipsa_hardbyteslt != 0 &&
3901 3902 newtotal >= assoc->ipsa_hardbyteslt) {
3902 3903 if (assoc->ipsa_state != IPSA_STATE_DEAD) {
3903 3904 sadb_delete_cluster(assoc);
3904 3905 /*
3905 3906 * Send EXPIRE message to PF_KEY. May wish to pawn
3906 3907 * this off on another non-interrupt thread. Also
3907 3908 * unlink this SA immediately.
3908 3909 */
3909 3910 assoc->ipsa_state = IPSA_STATE_DEAD;
3910 3911 if (sendmsg)
3911 3912 sadb_expire_assoc(pfkey_q, assoc);
3912 3913 /*
3913 3914 * Set non-zero expiration time so sadb_age_assoc()
3914 3915 * will work when reaping.
3915 3916 */
3916 3917 assoc->ipsa_hardexpiretime = (time_t)1;
3917 3918 } /* Else someone beat me to it! */
3918 3919 rc = B_FALSE;
3919 3920 } else if (assoc->ipsa_softbyteslt != 0 &&
3920 3921 (newtotal >= assoc->ipsa_softbyteslt)) {
3921 3922 if (assoc->ipsa_state < IPSA_STATE_DYING) {
3922 3923 /*
3923 3924 * Send EXPIRE message to PF_KEY. May wish to pawn
3924 3925 * this off on another non-interrupt thread.
3925 3926 */
3926 3927 assoc->ipsa_state = IPSA_STATE_DYING;
3927 3928 assoc->ipsa_bytes = newtotal;
3928 3929 if (sendmsg)
3929 3930 sadb_expire_assoc(pfkey_q, assoc);
3930 3931 } /* Else someone beat me to it! */
3931 3932 }
3932 3933 if (rc == B_TRUE)
3933 3934 assoc->ipsa_bytes = newtotal;
3934 3935 mutex_exit(&assoc->ipsa_lock);
3935 3936 return (rc);
3936 3937 }
3937 3938
3938 3939 /*
3939 3940 * "Torch" an individual SA. Returns NULL, so it can be tail-called from
3940 3941 * sadb_age_assoc().
3941 3942 */
3942 3943 static ipsa_t *
3943 3944 sadb_torch_assoc(isaf_t *head, ipsa_t *sa)
3944 3945 {
3945 3946 ASSERT(MUTEX_HELD(&head->isaf_lock));
3946 3947 ASSERT(MUTEX_HELD(&sa->ipsa_lock));
3947 3948 ASSERT(sa->ipsa_state == IPSA_STATE_DEAD);
3948 3949
3949 3950 /*
3950 3951 * Force cached SAs to be revalidated..
3951 3952 */
3952 3953 head->isaf_gen++;
3953 3954
3954 3955 mutex_exit(&sa->ipsa_lock);
3955 3956 sadb_unlinkassoc(sa);
3956 3957
3957 3958 return (NULL);
3958 3959 }
3959 3960
3960 3961 /*
3961 3962 * Do various SA-is-idle activities depending on delta (the number of idle
3962 3963 * seconds on the SA) and/or other properties of the SA.
3963 3964 *
3964 3965 * Return B_TRUE if I've sent a packet, because I have to drop the
3965 3966 * association's mutex before sending a packet out the wire.
3966 3967 */
3967 3968 /* ARGSUSED */
3968 3969 static boolean_t
3969 3970 sadb_idle_activities(ipsa_t *assoc, time_t delta, boolean_t inbound)
3970 3971 {
3971 3972 ipsecesp_stack_t *espstack = assoc->ipsa_netstack->netstack_ipsecesp;
3972 3973 int nat_t_interval = espstack->ipsecesp_nat_keepalive_interval;
3973 3974
3974 3975 ASSERT(MUTEX_HELD(&assoc->ipsa_lock));
3975 3976
3976 3977 if (!inbound && (assoc->ipsa_flags & IPSA_F_NATT_LOC) &&
3977 3978 delta >= nat_t_interval &&
3978 3979 gethrestime_sec() - assoc->ipsa_last_nat_t_ka >= nat_t_interval) {
3979 3980 ASSERT(assoc->ipsa_type == SADB_SATYPE_ESP);
3980 3981 assoc->ipsa_last_nat_t_ka = gethrestime_sec();
3981 3982 mutex_exit(&assoc->ipsa_lock);
3982 3983 ipsecesp_send_keepalive(assoc);
3983 3984 return (B_TRUE);
3984 3985 }
3985 3986 return (B_FALSE);
3986 3987 }
3987 3988
3988 3989 /*
3989 3990 * Return "assoc" if haspeer is true and I send an expire. This allows
3990 3991 * the consumers' aging functions to tidy up an expired SA's peer.
3991 3992 */
3992 3993 static ipsa_t *
3993 3994 sadb_age_assoc(isaf_t *head, queue_t *pfkey_q, ipsa_t *assoc,
3994 3995 time_t current, int reap_delay, boolean_t inbound)
3995 3996 {
3996 3997 ipsa_t *retval = NULL;
3997 3998 boolean_t dropped_mutex = B_FALSE;
3998 3999
3999 4000 ASSERT(MUTEX_HELD(&head->isaf_lock));
4000 4001
4001 4002 mutex_enter(&assoc->ipsa_lock);
4002 4003
4003 4004 if (((assoc->ipsa_state == IPSA_STATE_LARVAL) ||
4004 4005 ((assoc->ipsa_state == IPSA_STATE_IDLE) ||
4005 4006 (assoc->ipsa_state == IPSA_STATE_ACTIVE_ELSEWHERE) &&
4006 4007 (assoc->ipsa_hardexpiretime != 0))) &&
4007 4008 (assoc->ipsa_hardexpiretime <= current)) {
4008 4009 assoc->ipsa_state = IPSA_STATE_DEAD;
4009 4010 return (sadb_torch_assoc(head, assoc));
4010 4011 }
4011 4012
4012 4013 /*
4013 4014 * Check lifetimes. Fortunately, SA setup is done
4014 4015 * such that there are only two times to look at,
4015 4016 * softexpiretime, and hardexpiretime.
4016 4017 *
4017 4018 * Check hard first.
4018 4019 */
4019 4020
4020 4021 if (assoc->ipsa_hardexpiretime != 0 &&
4021 4022 assoc->ipsa_hardexpiretime <= current) {
4022 4023 if (assoc->ipsa_state == IPSA_STATE_DEAD)
4023 4024 return (sadb_torch_assoc(head, assoc));
4024 4025
4025 4026 if (inbound) {
4026 4027 sadb_delete_cluster(assoc);
4027 4028 }
4028 4029
4029 4030 /*
4030 4031 * Send SADB_EXPIRE with hard lifetime, delay for unlinking.
4031 4032 */
4032 4033 assoc->ipsa_state = IPSA_STATE_DEAD;
4033 4034 if (assoc->ipsa_haspeer || assoc->ipsa_otherspi != 0) {
4034 4035 /*
4035 4036 * If the SA is paired or peered with another, put
4036 4037 * a copy on a list which can be processed later, the
4037 4038 * pair/peer SA needs to be updated so the both die
4038 4039 * at the same time.
4039 4040 *
4040 4041 * If I return assoc, I have to bump up its reference
4041 4042 * count to keep with the ipsa_t reference count
4042 4043 * semantics.
4043 4044 */
4044 4045 IPSA_REFHOLD(assoc);
4045 4046 retval = assoc;
4046 4047 }
4047 4048 sadb_expire_assoc(pfkey_q, assoc);
4048 4049 assoc->ipsa_hardexpiretime = current + reap_delay;
4049 4050 } else if (assoc->ipsa_softexpiretime != 0 &&
4050 4051 assoc->ipsa_softexpiretime <= current &&
4051 4052 assoc->ipsa_state < IPSA_STATE_DYING) {
4052 4053 /*
4053 4054 * Send EXPIRE message to PF_KEY. May wish to pawn
4054 4055 * this off on another non-interrupt thread.
4055 4056 */
4056 4057 assoc->ipsa_state = IPSA_STATE_DYING;
4057 4058 if (assoc->ipsa_haspeer) {
4058 4059 /*
4059 4060 * If the SA has a peer, update the peer's state
4060 4061 * on SOFT_EXPIRE, this is mostly to prevent two
4061 4062 * expire messages from effectively the same SA.
4062 4063 *
4063 4064 * Don't care about paired SA's, then can (and should)
4064 4065 * be able to soft expire at different times.
4065 4066 *
4066 4067 * If I return assoc, I have to bump up its
4067 4068 * reference count to keep with the ipsa_t reference
4068 4069 * count semantics.
4069 4070 */
4070 4071 IPSA_REFHOLD(assoc);
4071 4072 retval = assoc;
4072 4073 }
4073 4074 sadb_expire_assoc(pfkey_q, assoc);
4074 4075 } else if (assoc->ipsa_idletime != 0 &&
4075 4076 assoc->ipsa_idleexpiretime <= current) {
4076 4077 if (assoc->ipsa_state == IPSA_STATE_ACTIVE_ELSEWHERE) {
4077 4078 assoc->ipsa_state = IPSA_STATE_IDLE;
4078 4079 }
4079 4080
4080 4081 /*
4081 4082 * Need to handle Mature case
4082 4083 */
4083 4084 if (assoc->ipsa_state == IPSA_STATE_MATURE) {
4084 4085 sadb_expire_assoc(pfkey_q, assoc);
4085 4086 }
4086 4087 } else {
4087 4088 /* Check idle time activities. */
4088 4089 dropped_mutex = sadb_idle_activities(assoc,
4089 4090 current - assoc->ipsa_lastuse, inbound);
4090 4091 }
4091 4092
4092 4093 if (!dropped_mutex)
4093 4094 mutex_exit(&assoc->ipsa_lock);
4094 4095 return (retval);
4095 4096 }
4096 4097
4097 4098 /*
4098 4099 * Called by a consumer protocol to do ther dirty work of reaping dead
4099 4100 * Security Associations.
4100 4101 *
4101 4102 * NOTE: sadb_age_assoc() marks expired SA's as DEAD but only removed
4102 4103 * SA's that are already marked DEAD, so expired SA's are only reaped
4103 4104 * the second time sadb_ager() runs.
4104 4105 */
4105 4106 void
4106 4107 sadb_ager(sadb_t *sp, queue_t *pfkey_q, int reap_delay, netstack_t *ns)
4107 4108 {
4108 4109 int i;
4109 4110 isaf_t *bucket;
4110 4111 ipsa_t *assoc, *spare;
4111 4112 iacqf_t *acqlist;
4112 4113 ipsacq_t *acqrec, *spareacq;
4113 4114 templist_t *haspeerlist, *newbie;
4114 4115 /* Snapshot current time now. */
4115 4116 time_t current = gethrestime_sec();
4116 4117 haspeerlist = NULL;
4117 4118
4118 4119 /*
4119 4120 * Do my dirty work. This includes aging real entries, aging
4120 4121 * larvals, and aging outstanding ACQUIREs.
4121 4122 *
4122 4123 * I hope I don't tie up resources for too long.
4123 4124 */
4124 4125
4125 4126 /* Age acquires. */
4126 4127
4127 4128 for (i = 0; i < sp->sdb_hashsize; i++) {
4128 4129 acqlist = &sp->sdb_acq[i];
4129 4130 mutex_enter(&acqlist->iacqf_lock);
4130 4131 for (acqrec = acqlist->iacqf_ipsacq; acqrec != NULL;
4131 4132 acqrec = spareacq) {
4132 4133 spareacq = acqrec->ipsacq_next;
4133 4134 if (current > acqrec->ipsacq_expire)
4134 4135 sadb_destroy_acquire(acqrec, ns);
4135 4136 }
4136 4137 mutex_exit(&acqlist->iacqf_lock);
4137 4138 }
4138 4139
4139 4140 /* Age inbound associations. */
4140 4141 for (i = 0; i < sp->sdb_hashsize; i++) {
4141 4142 bucket = &(sp->sdb_if[i]);
4142 4143 mutex_enter(&bucket->isaf_lock);
4143 4144 for (assoc = bucket->isaf_ipsa; assoc != NULL;
4144 4145 assoc = spare) {
4145 4146 spare = assoc->ipsa_next;
4146 4147 if (sadb_age_assoc(bucket, pfkey_q, assoc, current,
4147 4148 reap_delay, B_TRUE) != NULL) {
4148 4149 /*
4149 4150 * Put SA's which have a peer or SA's which
4150 4151 * are paired on a list for processing after
4151 4152 * all the hash tables have been walked.
4152 4153 *
4153 4154 * sadb_age_assoc() increments the refcnt,
4154 4155 * effectively doing an IPSA_REFHOLD().
4155 4156 */
4156 4157 newbie = kmem_alloc(sizeof (*newbie),
4157 4158 KM_NOSLEEP);
4158 4159 if (newbie == NULL) {
4159 4160 /*
4160 4161 * Don't forget to REFRELE().
4161 4162 */
4162 4163 IPSA_REFRELE(assoc);
4163 4164 continue; /* for loop... */
4164 4165 }
4165 4166 newbie->next = haspeerlist;
4166 4167 newbie->ipsa = assoc;
4167 4168 haspeerlist = newbie;
4168 4169 }
4169 4170 }
4170 4171 mutex_exit(&bucket->isaf_lock);
4171 4172 }
4172 4173
4173 4174 age_pair_peer_list(haspeerlist, sp, B_FALSE);
4174 4175 haspeerlist = NULL;
4175 4176
4176 4177 /* Age outbound associations. */
4177 4178 for (i = 0; i < sp->sdb_hashsize; i++) {
4178 4179 bucket = &(sp->sdb_of[i]);
4179 4180 mutex_enter(&bucket->isaf_lock);
4180 4181 for (assoc = bucket->isaf_ipsa; assoc != NULL;
4181 4182 assoc = spare) {
4182 4183 spare = assoc->ipsa_next;
4183 4184 if (sadb_age_assoc(bucket, pfkey_q, assoc, current,
4184 4185 reap_delay, B_FALSE) != NULL) {
4185 4186 /*
4186 4187 * sadb_age_assoc() increments the refcnt,
4187 4188 * effectively doing an IPSA_REFHOLD().
4188 4189 */
4189 4190 newbie = kmem_alloc(sizeof (*newbie),
4190 4191 KM_NOSLEEP);
4191 4192 if (newbie == NULL) {
4192 4193 /*
4193 4194 * Don't forget to REFRELE().
4194 4195 */
4195 4196 IPSA_REFRELE(assoc);
4196 4197 continue; /* for loop... */
4197 4198 }
4198 4199 newbie->next = haspeerlist;
4199 4200 newbie->ipsa = assoc;
4200 4201 haspeerlist = newbie;
4201 4202 }
4202 4203 }
4203 4204 mutex_exit(&bucket->isaf_lock);
4204 4205 }
4205 4206
4206 4207 age_pair_peer_list(haspeerlist, sp, B_TRUE);
4207 4208
4208 4209 /*
4209 4210 * Run a GC pass to clean out dead identities.
4210 4211 */
4211 4212 ipsid_gc(ns);
4212 4213 }
4213 4214
4214 4215 /*
4215 4216 * Figure out when to reschedule the ager.
4216 4217 */
4217 4218 timeout_id_t
4218 4219 sadb_retimeout(hrtime_t begin, queue_t *pfkey_q, void (*ager)(void *),
4219 4220 void *agerarg, uint_t *intp, uint_t intmax, short mid)
4220 4221 {
4221 4222 hrtime_t end = gethrtime();
4222 4223 uint_t interval = *intp; /* "interval" is in ms. */
4223 4224
4224 4225 /*
4225 4226 * See how long this took. If it took too long, increase the
4226 4227 * aging interval.
4227 4228 */
4228 4229 if ((end - begin) > MSEC2NSEC(interval)) {
4229 4230 if (interval >= intmax) {
4230 4231 /* XXX Rate limit this? Or recommend flush? */
4231 4232 (void) strlog(mid, 0, 0, SL_ERROR | SL_WARN,
4232 4233 "Too many SA's to age out in %d msec.\n",
4233 4234 intmax);
4234 4235 } else {
4235 4236 /* Double by shifting by one bit. */
4236 4237 interval <<= 1;
4237 4238 interval = min(interval, intmax);
4238 4239 }
4239 4240 } else if ((end - begin) <= (MSEC2NSEC(interval) / 2) &&
4240 4241 interval > SADB_AGE_INTERVAL_DEFAULT) {
4241 4242 /*
4242 4243 * If I took less than half of the interval, then I should
4243 4244 * ratchet the interval back down. Never automatically
4244 4245 * shift below the default aging interval.
4245 4246 *
4246 4247 * NOTE:This even overrides manual setting of the age
4247 4248 * interval using NDD to lower the setting past the
4248 4249 * default. In other words, if you set the interval
4249 4250 * lower than the default, and your SADB gets too big,
4250 4251 * the interval will only self-lower back to the default.
4251 4252 */
4252 4253 /* Halve by shifting one bit. */
4253 4254 interval >>= 1;
4254 4255 interval = max(interval, SADB_AGE_INTERVAL_DEFAULT);
4255 4256 }
4256 4257 *intp = interval;
4257 4258 return (qtimeout(pfkey_q, ager, agerarg,
4258 4259 drv_usectohz(interval * (MICROSEC / MILLISEC))));
4259 4260 }
4260 4261
4261 4262
4262 4263 /*
4263 4264 * Update the lifetime values of an SA. This is the path an SADB_UPDATE
4264 4265 * message takes when updating a MATURE or DYING SA.
4265 4266 */
4266 4267 static void
4267 4268 sadb_update_lifetimes(ipsa_t *assoc, sadb_lifetime_t *hard,
4268 4269 sadb_lifetime_t *soft, sadb_lifetime_t *idle, boolean_t outbound)
4269 4270 {
4270 4271 mutex_enter(&assoc->ipsa_lock);
4271 4272
4272 4273 /*
4273 4274 * XXX RFC 2367 mentions how an SADB_EXT_LIFETIME_CURRENT can be
4274 4275 * passed in during an update message. We currently don't handle
4275 4276 * these.
4276 4277 */
4277 4278
4278 4279 if (hard != NULL) {
4279 4280 if (hard->sadb_lifetime_bytes != 0)
4280 4281 assoc->ipsa_hardbyteslt = hard->sadb_lifetime_bytes;
4281 4282 if (hard->sadb_lifetime_usetime != 0)
4282 4283 assoc->ipsa_harduselt = hard->sadb_lifetime_usetime;
4283 4284 if (hard->sadb_lifetime_addtime != 0)
4284 4285 assoc->ipsa_hardaddlt = hard->sadb_lifetime_addtime;
4285 4286 if (assoc->ipsa_hardaddlt != 0) {
4286 4287 assoc->ipsa_hardexpiretime =
4287 4288 assoc->ipsa_addtime + assoc->ipsa_hardaddlt;
4288 4289 }
4289 4290 if (assoc->ipsa_harduselt != 0 &&
4290 4291 assoc->ipsa_flags & IPSA_F_USED) {
4291 4292 UPDATE_EXPIRE(assoc, harduselt, hardexpiretime);
4292 4293 }
4293 4294 if (hard->sadb_lifetime_allocations != 0)
4294 4295 assoc->ipsa_hardalloc = hard->sadb_lifetime_allocations;
4295 4296 }
4296 4297
4297 4298 if (soft != NULL) {
4298 4299 if (soft->sadb_lifetime_bytes != 0) {
4299 4300 if (soft->sadb_lifetime_bytes >
4300 4301 assoc->ipsa_hardbyteslt) {
4301 4302 assoc->ipsa_softbyteslt =
4302 4303 assoc->ipsa_hardbyteslt;
4303 4304 } else {
4304 4305 assoc->ipsa_softbyteslt =
4305 4306 soft->sadb_lifetime_bytes;
4306 4307 }
4307 4308 }
4308 4309 if (soft->sadb_lifetime_usetime != 0) {
4309 4310 if (soft->sadb_lifetime_usetime >
4310 4311 assoc->ipsa_harduselt) {
4311 4312 assoc->ipsa_softuselt =
4312 4313 assoc->ipsa_harduselt;
4313 4314 } else {
4314 4315 assoc->ipsa_softuselt =
4315 4316 soft->sadb_lifetime_usetime;
4316 4317 }
4317 4318 }
4318 4319 if (soft->sadb_lifetime_addtime != 0) {
4319 4320 if (soft->sadb_lifetime_addtime >
4320 4321 assoc->ipsa_hardexpiretime) {
4321 4322 assoc->ipsa_softexpiretime =
4322 4323 assoc->ipsa_hardexpiretime;
4323 4324 } else {
4324 4325 assoc->ipsa_softaddlt =
4325 4326 soft->sadb_lifetime_addtime;
4326 4327 }
4327 4328 }
4328 4329 if (assoc->ipsa_softaddlt != 0) {
4329 4330 assoc->ipsa_softexpiretime =
4330 4331 assoc->ipsa_addtime + assoc->ipsa_softaddlt;
4331 4332 }
4332 4333 if (assoc->ipsa_softuselt != 0 &&
4333 4334 assoc->ipsa_flags & IPSA_F_USED) {
4334 4335 UPDATE_EXPIRE(assoc, softuselt, softexpiretime);
4335 4336 }
4336 4337 if (outbound && assoc->ipsa_softexpiretime != 0) {
4337 4338 if (assoc->ipsa_state == IPSA_STATE_MATURE)
4338 4339 lifetime_fuzz(assoc);
4339 4340 }
4340 4341
4341 4342 if (soft->sadb_lifetime_allocations != 0)
4342 4343 assoc->ipsa_softalloc = soft->sadb_lifetime_allocations;
4343 4344 }
4344 4345
4345 4346 if (idle != NULL) {
4346 4347 time_t current = gethrestime_sec();
4347 4348 if ((assoc->ipsa_idleexpiretime <= current) &&
4348 4349 (assoc->ipsa_idleaddlt == idle->sadb_lifetime_addtime)) {
4349 4350 assoc->ipsa_idleexpiretime =
4350 4351 current + assoc->ipsa_idleaddlt;
4351 4352 }
4352 4353 if (idle->sadb_lifetime_addtime != 0)
4353 4354 assoc->ipsa_idleaddlt = idle->sadb_lifetime_addtime;
4354 4355 if (idle->sadb_lifetime_usetime != 0)
4355 4356 assoc->ipsa_idleuselt = idle->sadb_lifetime_usetime;
4356 4357 if (assoc->ipsa_idleaddlt != 0) {
4357 4358 assoc->ipsa_idleexpiretime =
4358 4359 current + idle->sadb_lifetime_addtime;
4359 4360 assoc->ipsa_idletime = idle->sadb_lifetime_addtime;
4360 4361 }
4361 4362 if (assoc->ipsa_idleuselt != 0) {
4362 4363 if (assoc->ipsa_idletime != 0) {
4363 4364 assoc->ipsa_idletime = min(assoc->ipsa_idletime,
4364 4365 assoc->ipsa_idleuselt);
4365 4366 assoc->ipsa_idleexpiretime =
4366 4367 current + assoc->ipsa_idletime;
4367 4368 } else {
4368 4369 assoc->ipsa_idleexpiretime =
4369 4370 current + assoc->ipsa_idleuselt;
4370 4371 assoc->ipsa_idletime = assoc->ipsa_idleuselt;
4371 4372 }
4372 4373 }
4373 4374 }
4374 4375 mutex_exit(&assoc->ipsa_lock);
4375 4376 }
4376 4377
4377 4378 static int
4378 4379 sadb_update_state(ipsa_t *assoc, uint_t new_state, mblk_t **ipkt_lst)
4379 4380 {
4380 4381 int rcode = 0;
4381 4382 time_t current = gethrestime_sec();
4382 4383
4383 4384 mutex_enter(&assoc->ipsa_lock);
4384 4385
4385 4386 switch (new_state) {
4386 4387 case SADB_X_SASTATE_ACTIVE_ELSEWHERE:
4387 4388 if (assoc->ipsa_state == SADB_X_SASTATE_IDLE) {
4388 4389 assoc->ipsa_state = IPSA_STATE_ACTIVE_ELSEWHERE;
4389 4390 assoc->ipsa_idleexpiretime =
4390 4391 current + assoc->ipsa_idletime;
4391 4392 }
4392 4393 break;
4393 4394 case SADB_X_SASTATE_IDLE:
4394 4395 if (assoc->ipsa_state == SADB_X_SASTATE_ACTIVE_ELSEWHERE) {
4395 4396 assoc->ipsa_state = IPSA_STATE_IDLE;
4396 4397 assoc->ipsa_idleexpiretime =
4397 4398 current + assoc->ipsa_idletime;
4398 4399 } else {
4399 4400 rcode = EINVAL;
4400 4401 }
4401 4402 break;
4402 4403
4403 4404 case SADB_X_SASTATE_ACTIVE:
4404 4405 if (assoc->ipsa_state != SADB_X_SASTATE_IDLE) {
4405 4406 rcode = EINVAL;
4406 4407 break;
4407 4408 }
4408 4409 assoc->ipsa_state = IPSA_STATE_MATURE;
4409 4410 assoc->ipsa_idleexpiretime = current + assoc->ipsa_idletime;
4410 4411
4411 4412 if (ipkt_lst == NULL) {
4412 4413 break;
4413 4414 }
4414 4415
4415 4416 if (assoc->ipsa_bpkt_head != NULL) {
4416 4417 *ipkt_lst = assoc->ipsa_bpkt_head;
4417 4418 assoc->ipsa_bpkt_head = assoc->ipsa_bpkt_tail = NULL;
4418 4419 assoc->ipsa_mblkcnt = 0;
4419 4420 } else {
4420 4421 *ipkt_lst = NULL;
4421 4422 }
4422 4423 break;
4423 4424 default:
4424 4425 rcode = EINVAL;
4425 4426 break;
4426 4427 }
4427 4428
4428 4429 mutex_exit(&assoc->ipsa_lock);
4429 4430 return (rcode);
4430 4431 }
4431 4432
4432 4433 /*
4433 4434 * Check a proposed KMC update for sanity.
4434 4435 */
4435 4436 static int
4436 4437 sadb_check_kmc(ipsa_query_t *sq, ipsa_t *sa, int *diagnostic)
4437 4438 {
4438 4439 uint32_t kmp = sq->kmp;
4439 4440 uint32_t kmc = sq->kmc;
4440 4441
4441 4442 if (sa == NULL)
4442 4443 return (0);
4443 4444
4444 4445 if (sa->ipsa_state == IPSA_STATE_DEAD)
4445 4446 return (ESRCH); /* DEAD == Not there, in this case. */
4446 4447
4447 4448 if ((kmp != 0) && ((sa->ipsa_kmp != 0) || (sa->ipsa_kmp != kmp))) {
4448 4449 *diagnostic = SADB_X_DIAGNOSTIC_DUPLICATE_KMP;
4449 4450 return (EINVAL);
4450 4451 }
4451 4452
4452 4453 if ((kmc != 0) && ((sa->ipsa_kmc != 0) || (sa->ipsa_kmc != kmc))) {
4453 4454 *diagnostic = SADB_X_DIAGNOSTIC_DUPLICATE_KMC;
4454 4455 return (EINVAL);
4455 4456 }
4456 4457
4457 4458 return (0);
4458 4459 }
4459 4460
4460 4461 /*
4461 4462 * Actually update the KMC info.
4462 4463 */
4463 4464 static void
4464 4465 sadb_update_kmc(ipsa_query_t *sq, ipsa_t *sa)
4465 4466 {
4466 4467 uint32_t kmp = sq->kmp;
4467 4468 uint32_t kmc = sq->kmc;
4468 4469
4469 4470 if (kmp != 0)
4470 4471 sa->ipsa_kmp = kmp;
4471 4472 if (kmc != 0)
4472 4473 sa->ipsa_kmc = kmc;
4473 4474 }
4474 4475
4475 4476 /*
4476 4477 * Common code to update an SA.
4477 4478 */
4478 4479
4479 4480 int
4480 4481 sadb_update_sa(mblk_t *mp, keysock_in_t *ksi, mblk_t **ipkt_lst,
4481 4482 sadbp_t *spp, int *diagnostic, queue_t *pfkey_q,
4482 4483 int (*add_sa_func)(mblk_t *, keysock_in_t *, int *, netstack_t *),
4483 4484 netstack_t *ns, uint8_t sadb_msg_type)
4484 4485 {
4485 4486 sadb_key_t *akey = (sadb_key_t *)ksi->ks_in_extv[SADB_EXT_KEY_AUTH];
4486 4487 sadb_key_t *ekey = (sadb_key_t *)ksi->ks_in_extv[SADB_EXT_KEY_ENCRYPT];
4487 4488 sadb_x_replay_ctr_t *replext =
4488 4489 (sadb_x_replay_ctr_t *)ksi->ks_in_extv[SADB_X_EXT_REPLAY_VALUE];
4489 4490 sadb_lifetime_t *soft =
4490 4491 (sadb_lifetime_t *)ksi->ks_in_extv[SADB_EXT_LIFETIME_SOFT];
4491 4492 sadb_lifetime_t *hard =
4492 4493 (sadb_lifetime_t *)ksi->ks_in_extv[SADB_EXT_LIFETIME_HARD];
4493 4494 sadb_lifetime_t *idle =
4494 4495 (sadb_lifetime_t *)ksi->ks_in_extv[SADB_X_EXT_LIFETIME_IDLE];
4495 4496 sadb_x_pair_t *pair_ext =
4496 4497 (sadb_x_pair_t *)ksi->ks_in_extv[SADB_X_EXT_PAIR];
4497 4498 ipsa_t *echo_target = NULL;
4498 4499 ipsap_t ipsapp;
4499 4500 ipsa_query_t sq;
4500 4501 time_t current = gethrestime_sec();
4501 4502
4502 4503 sq.spp = spp; /* XXX param */
4503 4504 int error = sadb_form_query(ksi, IPSA_Q_SRC|IPSA_Q_DST|IPSA_Q_SA,
4504 4505 IPSA_Q_SRC|IPSA_Q_DST|IPSA_Q_SA|IPSA_Q_INBOUND|IPSA_Q_OUTBOUND,
4505 4506 &sq, diagnostic);
4506 4507
4507 4508 if (error != 0)
4508 4509 return (error);
4509 4510
4510 4511 error = get_ipsa_pair(&sq, &ipsapp, diagnostic);
4511 4512 if (error != 0)
4512 4513 return (error);
4513 4514
4514 4515 if (ipsapp.ipsap_psa_ptr == NULL && ipsapp.ipsap_sa_ptr != NULL) {
4515 4516 if (ipsapp.ipsap_sa_ptr->ipsa_state == IPSA_STATE_LARVAL) {
4516 4517 /*
4517 4518 * REFRELE the target and let the add_sa_func()
4518 4519 * deal with updating a larval SA.
4519 4520 */
4520 4521 destroy_ipsa_pair(&ipsapp);
4521 4522 return (add_sa_func(mp, ksi, diagnostic, ns));
4522 4523 }
4523 4524 }
4524 4525
4525 4526 /*
4526 4527 * At this point we have an UPDATE to a MATURE SA. There should
4527 4528 * not be any keying material present.
4528 4529 */
4529 4530 if (akey != NULL) {
4530 4531 *diagnostic = SADB_X_DIAGNOSTIC_AKEY_PRESENT;
4531 4532 error = EINVAL;
4532 4533 goto bail;
4533 4534 }
4534 4535 if (ekey != NULL) {
4535 4536 *diagnostic = SADB_X_DIAGNOSTIC_EKEY_PRESENT;
4536 4537 error = EINVAL;
4537 4538 goto bail;
4538 4539 }
4539 4540
4540 4541 if (sq.assoc->sadb_sa_state == SADB_X_SASTATE_ACTIVE_ELSEWHERE) {
4541 4542 if (ipsapp.ipsap_sa_ptr != NULL &&
4542 4543 ipsapp.ipsap_sa_ptr->ipsa_state == IPSA_STATE_IDLE) {
4543 4544 if ((error = sadb_update_state(ipsapp.ipsap_sa_ptr,
4544 4545 sq.assoc->sadb_sa_state, NULL)) != 0) {
4545 4546 *diagnostic = SADB_X_DIAGNOSTIC_BAD_SASTATE;
4546 4547 goto bail;
4547 4548 }
4548 4549 }
4549 4550 if (ipsapp.ipsap_psa_ptr != NULL &&
4550 4551 ipsapp.ipsap_psa_ptr->ipsa_state == IPSA_STATE_IDLE) {
4551 4552 if ((error = sadb_update_state(ipsapp.ipsap_psa_ptr,
4552 4553 sq.assoc->sadb_sa_state, NULL)) != 0) {
4553 4554 *diagnostic = SADB_X_DIAGNOSTIC_BAD_SASTATE;
4554 4555 goto bail;
4555 4556 }
4556 4557 }
4557 4558 }
4558 4559 if (sq.assoc->sadb_sa_state == SADB_X_SASTATE_ACTIVE) {
4559 4560 if (ipsapp.ipsap_sa_ptr != NULL) {
4560 4561 error = sadb_update_state(ipsapp.ipsap_sa_ptr,
4561 4562 sq.assoc->sadb_sa_state,
4562 4563 (ipsapp.ipsap_sa_ptr->ipsa_flags &
4563 4564 IPSA_F_INBOUND) ? ipkt_lst : NULL);
4564 4565 if (error) {
4565 4566 *diagnostic = SADB_X_DIAGNOSTIC_BAD_SASTATE;
4566 4567 goto bail;
4567 4568 }
4568 4569 }
4569 4570 if (ipsapp.ipsap_psa_ptr != NULL) {
4570 4571 error = sadb_update_state(ipsapp.ipsap_psa_ptr,
4571 4572 sq.assoc->sadb_sa_state,
4572 4573 (ipsapp.ipsap_psa_ptr->ipsa_flags &
4573 4574 IPSA_F_INBOUND) ? ipkt_lst : NULL);
4574 4575 if (error) {
4575 4576 *diagnostic = SADB_X_DIAGNOSTIC_BAD_SASTATE;
4576 4577 goto bail;
4577 4578 }
4578 4579 }
4579 4580 sadb_pfkey_echo(pfkey_q, mp, (sadb_msg_t *)mp->b_cont->b_rptr,
4580 4581 ksi, echo_target);
4581 4582 goto bail;
4582 4583 }
4583 4584
4584 4585 /*
4585 4586 * Reality checks for updates of active associations.
4586 4587 * Sundry first-pass UPDATE-specific reality checks.
4587 4588 * Have to do the checks here, because it's after the add_sa code.
4588 4589 * XXX STATS : logging/stats here?
4589 4590 */
4590 4591
4591 4592 if (!((sq.assoc->sadb_sa_state == SADB_SASTATE_MATURE) ||
4592 4593 (sq.assoc->sadb_sa_state == SADB_X_SASTATE_ACTIVE_ELSEWHERE))) {
4593 4594 *diagnostic = SADB_X_DIAGNOSTIC_BAD_SASTATE;
4594 4595 error = EINVAL;
4595 4596 goto bail;
4596 4597 }
4597 4598 if (sq.assoc->sadb_sa_flags & ~spp->s_updateflags) {
4598 4599 *diagnostic = SADB_X_DIAGNOSTIC_BAD_SAFLAGS;
4599 4600 error = EINVAL;
4600 4601 goto bail;
4601 4602 }
4602 4603 if (ksi->ks_in_extv[SADB_EXT_LIFETIME_CURRENT] != NULL) {
4603 4604 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_LIFETIME;
4604 4605 error = EOPNOTSUPP;
4605 4606 goto bail;
4606 4607 }
4607 4608
4608 4609 if ((*diagnostic = sadb_hardsoftchk(hard, soft, idle)) != 0) {
4609 4610 error = EINVAL;
4610 4611 goto bail;
4611 4612 }
4612 4613
4613 4614 if ((*diagnostic = sadb_labelchk(ksi)) != 0)
4614 4615 return (EINVAL);
4615 4616
4616 4617 error = sadb_check_kmc(&sq, ipsapp.ipsap_sa_ptr, diagnostic);
4617 4618 if (error != 0)
4618 4619 goto bail;
4619 4620
4620 4621 error = sadb_check_kmc(&sq, ipsapp.ipsap_psa_ptr, diagnostic);
4621 4622 if (error != 0)
4622 4623 goto bail;
4623 4624
4624 4625
4625 4626 if (ipsapp.ipsap_sa_ptr != NULL) {
4626 4627 /*
4627 4628 * Do not allow replay value change for MATURE or LARVAL SA.
4628 4629 */
4629 4630
4630 4631 if ((replext != NULL) &&
4631 4632 ((ipsapp.ipsap_sa_ptr->ipsa_state == IPSA_STATE_LARVAL) ||
4632 4633 (ipsapp.ipsap_sa_ptr->ipsa_state == IPSA_STATE_MATURE))) {
4633 4634 *diagnostic = SADB_X_DIAGNOSTIC_BAD_SASTATE;
4634 4635 error = EINVAL;
4635 4636 goto bail;
4636 4637 }
4637 4638 }
4638 4639
4639 4640
4640 4641 if (ipsapp.ipsap_sa_ptr != NULL) {
4641 4642 sadb_update_lifetimes(ipsapp.ipsap_sa_ptr, hard, soft,
4642 4643 idle, B_TRUE);
4643 4644 sadb_update_kmc(&sq, ipsapp.ipsap_sa_ptr);
4644 4645 if ((replext != NULL) &&
4645 4646 (ipsapp.ipsap_sa_ptr->ipsa_replay_wsize != 0)) {
4646 4647 /*
4647 4648 * If an inbound SA, update the replay counter
4648 4649 * and check off all the other sequence number
4649 4650 */
4650 4651 if (ksi->ks_in_dsttype == KS_IN_ADDR_ME) {
4651 4652 if (!sadb_replay_check(ipsapp.ipsap_sa_ptr,
4652 4653 replext->sadb_x_rc_replay32)) {
4653 4654 *diagnostic =
4654 4655 SADB_X_DIAGNOSTIC_INVALID_REPLAY;
4655 4656 error = EINVAL;
4656 4657 goto bail;
4657 4658 }
4658 4659 mutex_enter(&ipsapp.ipsap_sa_ptr->ipsa_lock);
4659 4660 ipsapp.ipsap_sa_ptr->ipsa_idleexpiretime =
4660 4661 current +
4661 4662 ipsapp.ipsap_sa_ptr->ipsa_idletime;
4662 4663 mutex_exit(&ipsapp.ipsap_sa_ptr->ipsa_lock);
4663 4664 } else {
4664 4665 mutex_enter(&ipsapp.ipsap_sa_ptr->ipsa_lock);
4665 4666 ipsapp.ipsap_sa_ptr->ipsa_replay =
4666 4667 replext->sadb_x_rc_replay32;
4667 4668 ipsapp.ipsap_sa_ptr->ipsa_idleexpiretime =
4668 4669 current +
4669 4670 ipsapp.ipsap_sa_ptr->ipsa_idletime;
4670 4671 mutex_exit(&ipsapp.ipsap_sa_ptr->ipsa_lock);
4671 4672 }
4672 4673 }
4673 4674 }
4674 4675
4675 4676 if (sadb_msg_type == SADB_X_UPDATEPAIR) {
4676 4677 if (ipsapp.ipsap_psa_ptr != NULL) {
4677 4678 sadb_update_lifetimes(ipsapp.ipsap_psa_ptr, hard, soft,
4678 4679 idle, B_FALSE);
4679 4680 sadb_update_kmc(&sq, ipsapp.ipsap_psa_ptr);
4680 4681 } else {
4681 4682 *diagnostic = SADB_X_DIAGNOSTIC_PAIR_SA_NOTFOUND;
4682 4683 error = ESRCH;
4683 4684 goto bail;
4684 4685 }
4685 4686 }
4686 4687
4687 4688 if (pair_ext != NULL)
4688 4689 error = update_pairing(&ipsapp, &sq, ksi, diagnostic);
4689 4690
4690 4691 if (error == 0)
4691 4692 sadb_pfkey_echo(pfkey_q, mp, (sadb_msg_t *)mp->b_cont->b_rptr,
4692 4693 ksi, echo_target);
4693 4694 bail:
4694 4695
4695 4696 destroy_ipsa_pair(&ipsapp);
4696 4697
4697 4698 return (error);
4698 4699 }
4699 4700
4700 4701
4701 4702 static int
4702 4703 update_pairing(ipsap_t *ipsapp, ipsa_query_t *sq, keysock_in_t *ksi,
4703 4704 int *diagnostic)
4704 4705 {
4705 4706 sadb_sa_t *assoc = (sadb_sa_t *)ksi->ks_in_extv[SADB_EXT_SA];
4706 4707 sadb_x_pair_t *pair_ext =
4707 4708 (sadb_x_pair_t *)ksi->ks_in_extv[SADB_X_EXT_PAIR];
4708 4709 int error = 0;
4709 4710 ipsap_t oipsapp;
4710 4711 boolean_t undo_pair = B_FALSE;
4711 4712 uint32_t ipsa_flags;
4712 4713
4713 4714 if (pair_ext->sadb_x_pair_spi == 0 || pair_ext->sadb_x_pair_spi ==
4714 4715 assoc->sadb_sa_spi) {
4715 4716 *diagnostic = SADB_X_DIAGNOSTIC_PAIR_INAPPROPRIATE;
4716 4717 return (EINVAL);
4717 4718 }
4718 4719
4719 4720 /*
4720 4721 * Assume for now that the spi value provided in the SADB_UPDATE
4721 4722 * message was valid, update the SA with its pair spi value.
4722 4723 * If the spi turns out to be bogus or the SA no longer exists
4723 4724 * then this will be detected when the reverse update is made
4724 4725 * below.
4725 4726 */
4726 4727 mutex_enter(&ipsapp->ipsap_sa_ptr->ipsa_lock);
4727 4728 ipsapp->ipsap_sa_ptr->ipsa_flags |= IPSA_F_PAIRED;
4728 4729 ipsapp->ipsap_sa_ptr->ipsa_otherspi = pair_ext->sadb_x_pair_spi;
4729 4730 mutex_exit(&ipsapp->ipsap_sa_ptr->ipsa_lock);
4730 4731
4731 4732 /*
4732 4733 * After updating the ipsa_otherspi element of the SA, get_ipsa_pair()
4733 4734 * should now return pointers to the SA *AND* its pair, if this is not
4734 4735 * the case, the "otherspi" either did not exist or was deleted. Also
4735 4736 * check that "otherspi" is not already paired. If everything looks
4736 4737 * good, complete the update. IPSA_REFRELE the first pair_pointer
4737 4738 * after this update to ensure its not deleted until we are done.
4738 4739 */
4739 4740 error = get_ipsa_pair(sq, &oipsapp, diagnostic);
4740 4741 if (error != 0) {
4741 4742 /*
4742 4743 * This should never happen, calling function still has
4743 4744 * IPSA_REFHELD on the SA we just updated.
4744 4745 */
4745 4746 return (error); /* XXX EINVAL instead of ESRCH? */
4746 4747 }
4747 4748
4748 4749 if (oipsapp.ipsap_psa_ptr == NULL) {
4749 4750 *diagnostic = SADB_X_DIAGNOSTIC_PAIR_INAPPROPRIATE;
4750 4751 error = EINVAL;
4751 4752 undo_pair = B_TRUE;
4752 4753 } else {
4753 4754 ipsa_flags = oipsapp.ipsap_psa_ptr->ipsa_flags;
4754 4755 if ((oipsapp.ipsap_psa_ptr->ipsa_state == IPSA_STATE_DEAD) ||
4755 4756 (oipsapp.ipsap_psa_ptr->ipsa_state == IPSA_STATE_DYING)) {
4756 4757 /* Its dead Jim! */
4757 4758 *diagnostic = SADB_X_DIAGNOSTIC_PAIR_INAPPROPRIATE;
4758 4759 undo_pair = B_TRUE;
4759 4760 } else if ((ipsa_flags & (IPSA_F_OUTBOUND | IPSA_F_INBOUND)) ==
4760 4761 (IPSA_F_OUTBOUND | IPSA_F_INBOUND)) {
4761 4762 /* This SA is in both hashtables. */
4762 4763 *diagnostic = SADB_X_DIAGNOSTIC_PAIR_INAPPROPRIATE;
4763 4764 undo_pair = B_TRUE;
4764 4765 } else if (ipsa_flags & IPSA_F_PAIRED) {
4765 4766 /* This SA is already paired with another. */
4766 4767 *diagnostic = SADB_X_DIAGNOSTIC_PAIR_ALREADY;
4767 4768 undo_pair = B_TRUE;
4768 4769 }
4769 4770 }
4770 4771
4771 4772 if (undo_pair) {
4772 4773 /* The pair SA does not exist. */
4773 4774 mutex_enter(&ipsapp->ipsap_sa_ptr->ipsa_lock);
4774 4775 ipsapp->ipsap_sa_ptr->ipsa_flags &= ~IPSA_F_PAIRED;
4775 4776 ipsapp->ipsap_sa_ptr->ipsa_otherspi = 0;
4776 4777 mutex_exit(&ipsapp->ipsap_sa_ptr->ipsa_lock);
4777 4778 } else {
4778 4779 mutex_enter(&oipsapp.ipsap_psa_ptr->ipsa_lock);
4779 4780 oipsapp.ipsap_psa_ptr->ipsa_otherspi = assoc->sadb_sa_spi;
4780 4781 oipsapp.ipsap_psa_ptr->ipsa_flags |= IPSA_F_PAIRED;
4781 4782 mutex_exit(&oipsapp.ipsap_psa_ptr->ipsa_lock);
4782 4783 }
4783 4784
4784 4785 destroy_ipsa_pair(&oipsapp);
4785 4786 return (error);
4786 4787 }
4787 4788
4788 4789 /*
4789 4790 * The following functions deal with ACQUIRE LISTS. An ACQUIRE list is
4790 4791 * a list of outstanding SADB_ACQUIRE messages. If ipsec_getassocbyconn() fails
4791 4792 * for an outbound datagram, that datagram is queued up on an ACQUIRE record,
4792 4793 * and an SADB_ACQUIRE message is sent up. Presumably, a user-space key
4793 4794 * management daemon will process the ACQUIRE, use a SADB_GETSPI to reserve
4794 4795 * an SPI value and a larval SA, then SADB_UPDATE the larval SA, and ADD the
4795 4796 * other direction's SA.
4796 4797 */
4797 4798
4798 4799 /*
4799 4800 * Check the ACQUIRE lists. If there's an existing ACQUIRE record,
4800 4801 * grab it, lock it, and return it. Otherwise return NULL.
4801 4802 *
4802 4803 * XXX MLS number of arguments getting unwieldy here
4803 4804 */
4804 4805 static ipsacq_t *
4805 4806 sadb_checkacquire(iacqf_t *bucket, ipsec_action_t *ap, ipsec_policy_t *pp,
4806 4807 uint32_t *src, uint32_t *dst, uint32_t *isrc, uint32_t *idst,
4807 4808 uint64_t unique_id, ts_label_t *tsl)
4808 4809 {
4809 4810 ipsacq_t *walker;
4810 4811 sa_family_t fam;
4811 4812 uint32_t blank_address[4] = {0, 0, 0, 0};
4812 4813
4813 4814 if (isrc == NULL) {
4814 4815 ASSERT(idst == NULL);
4815 4816 isrc = idst = blank_address;
4816 4817 }
4817 4818
4818 4819 /*
4819 4820 * Scan list for duplicates. Check for UNIQUE, src/dest, policy.
4820 4821 *
4821 4822 * XXX May need search for duplicates based on other things too!
4822 4823 */
4823 4824 for (walker = bucket->iacqf_ipsacq; walker != NULL;
4824 4825 walker = walker->ipsacq_next) {
4825 4826 mutex_enter(&walker->ipsacq_lock);
4826 4827 fam = walker->ipsacq_addrfam;
4827 4828 if (IPSA_ARE_ADDR_EQUAL(dst, walker->ipsacq_dstaddr, fam) &&
4828 4829 IPSA_ARE_ADDR_EQUAL(src, walker->ipsacq_srcaddr, fam) &&
4829 4830 ip_addr_match((uint8_t *)isrc, walker->ipsacq_innersrcpfx,
4830 4831 (in6_addr_t *)walker->ipsacq_innersrc) &&
4831 4832 ip_addr_match((uint8_t *)idst, walker->ipsacq_innerdstpfx,
4832 4833 (in6_addr_t *)walker->ipsacq_innerdst) &&
4833 4834 (ap == walker->ipsacq_act) &&
4834 4835 (pp == walker->ipsacq_policy) &&
4835 4836 /* XXX do deep compares of ap/pp? */
4836 4837 (unique_id == walker->ipsacq_unique_id) &&
4837 4838 (ipsec_label_match(tsl, walker->ipsacq_tsl)))
4838 4839 break; /* everything matched */
4839 4840 mutex_exit(&walker->ipsacq_lock);
4840 4841 }
4841 4842
4842 4843 return (walker);
4843 4844 }
4844 4845
4845 4846 /*
4846 4847 * For this mblk, insert a new acquire record. Assume bucket contains addrs
4847 4848 * of all of the same length. Give up (and drop) if memory
4848 4849 * cannot be allocated for a new one; otherwise, invoke callback to
4849 4850 * send the acquire up..
4850 4851 *
4851 4852 * In cases where we need both AH and ESP, add the SA to the ESP ACQUIRE
4852 4853 * list. The ah_add_sa_finish() routines can look at the packet's attached
4853 4854 * attributes and handle this case specially.
4854 4855 */
4855 4856 void
4856 4857 sadb_acquire(mblk_t *datamp, ip_xmit_attr_t *ixa, boolean_t need_ah,
4857 4858 boolean_t need_esp)
4858 4859 {
4859 4860 mblk_t *asyncmp;
4860 4861 sadbp_t *spp;
4861 4862 sadb_t *sp;
4862 4863 ipsacq_t *newbie;
4863 4864 iacqf_t *bucket;
4864 4865 mblk_t *extended;
4865 4866 ipha_t *ipha = (ipha_t *)datamp->b_rptr;
4866 4867 ip6_t *ip6h = (ip6_t *)datamp->b_rptr;
4867 4868 uint32_t *src, *dst, *isrc, *idst;
4868 4869 ipsec_policy_t *pp = ixa->ixa_ipsec_policy;
4869 4870 ipsec_action_t *ap = ixa->ixa_ipsec_action;
4870 4871 sa_family_t af;
4871 4872 int hashoffset;
4872 4873 uint32_t seq;
4873 4874 uint64_t unique_id = 0;
4874 4875 ipsec_selector_t sel;
4875 4876 boolean_t tunnel_mode = (ixa->ixa_flags & IXAF_IPSEC_TUNNEL) != 0;
4876 4877 ts_label_t *tsl = NULL;
4877 4878 netstack_t *ns = ixa->ixa_ipst->ips_netstack;
4878 4879 ipsec_stack_t *ipss = ns->netstack_ipsec;
4879 4880 sadb_sens_t *sens = NULL;
4880 4881 int sens_len;
4881 4882
4882 4883 ASSERT((pp != NULL) || (ap != NULL));
4883 4884
4884 4885 ASSERT(need_ah != NULL || need_esp != NULL);
4885 4886
4886 4887 /* Assign sadb pointers */
4887 4888 if (need_esp) { /* ESP for AH+ESP */
4888 4889 ipsecesp_stack_t *espstack = ns->netstack_ipsecesp;
4889 4890
4890 4891 spp = &espstack->esp_sadb;
4891 4892 } else {
4892 4893 ipsecah_stack_t *ahstack = ns->netstack_ipsecah;
4893 4894
4894 4895 spp = &ahstack->ah_sadb;
4895 4896 }
4896 4897 sp = (ixa->ixa_flags & IXAF_IS_IPV4) ? &spp->s_v4 : &spp->s_v6;
4897 4898
4898 4899 if (is_system_labeled())
4899 4900 tsl = ixa->ixa_tsl;
4900 4901
4901 4902 if (ap == NULL)
4902 4903 ap = pp->ipsp_act;
4903 4904
4904 4905 ASSERT(ap != NULL);
4905 4906
4906 4907 if (ap->ipa_act.ipa_apply.ipp_use_unique || tunnel_mode)
4907 4908 unique_id = SA_FORM_UNIQUE_ID(ixa);
4908 4909
4909 4910 /*
4910 4911 * Set up an ACQUIRE record.
4911 4912 *
4912 4913 * Immediately, make sure the ACQUIRE sequence number doesn't slip
4913 4914 * below the lowest point allowed in the kernel. (In other words,
4914 4915 * make sure the high bit on the sequence number is set.)
4915 4916 */
4916 4917
4917 4918 seq = keysock_next_seq(ns) | IACQF_LOWEST_SEQ;
4918 4919
4919 4920 if (IPH_HDR_VERSION(ipha) == IP_VERSION) {
4920 4921 src = (uint32_t *)&ipha->ipha_src;
4921 4922 dst = (uint32_t *)&ipha->ipha_dst;
4922 4923 af = AF_INET;
4923 4924 hashoffset = OUTBOUND_HASH_V4(sp, ipha->ipha_dst);
4924 4925 ASSERT(ixa->ixa_flags & IXAF_IS_IPV4);
4925 4926 } else {
4926 4927 ASSERT(IPH_HDR_VERSION(ipha) == IPV6_VERSION);
4927 4928 src = (uint32_t *)&ip6h->ip6_src;
4928 4929 dst = (uint32_t *)&ip6h->ip6_dst;
4929 4930 af = AF_INET6;
4930 4931 hashoffset = OUTBOUND_HASH_V6(sp, ip6h->ip6_dst);
4931 4932 ASSERT(!(ixa->ixa_flags & IXAF_IS_IPV4));
4932 4933 }
4933 4934
4934 4935 if (tunnel_mode) {
4935 4936 if (pp == NULL) {
4936 4937 /*
4937 4938 * Tunnel mode with no policy pointer means this is a
4938 4939 * reflected ICMP (like a ECHO REQUEST) that came in
4939 4940 * with self-encapsulated protection. Until we better
4940 4941 * support this, drop the packet.
4941 4942 */
4942 4943 ip_drop_packet(datamp, B_FALSE, NULL,
4943 4944 DROPPER(ipss, ipds_spd_got_selfencap),
4944 4945 &ipss->ipsec_spd_dropper);
4945 4946 return;
4946 4947 }
4947 4948 /* Snag inner addresses. */
4948 4949 isrc = ixa->ixa_ipsec_insrc;
4949 4950 idst = ixa->ixa_ipsec_indst;
4950 4951 } else {
4951 4952 isrc = idst = NULL;
4952 4953 }
4953 4954
4954 4955 /*
4955 4956 * Check buckets to see if there is an existing entry. If so,
4956 4957 * grab it. sadb_checkacquire locks newbie if found.
4957 4958 */
4958 4959 bucket = &(sp->sdb_acq[hashoffset]);
4959 4960 mutex_enter(&bucket->iacqf_lock);
4960 4961 newbie = sadb_checkacquire(bucket, ap, pp, src, dst, isrc, idst,
4961 4962 unique_id, tsl);
4962 4963
4963 4964 if (newbie == NULL) {
4964 4965 /*
4965 4966 * Otherwise, allocate a new one.
4966 4967 */
4967 4968 newbie = kmem_zalloc(sizeof (*newbie), KM_NOSLEEP);
4968 4969 if (newbie == NULL) {
4969 4970 mutex_exit(&bucket->iacqf_lock);
4970 4971 ip_drop_packet(datamp, B_FALSE, NULL,
4971 4972 DROPPER(ipss, ipds_sadb_acquire_nomem),
4972 4973 &ipss->ipsec_sadb_dropper);
4973 4974 return;
4974 4975 }
4975 4976 newbie->ipsacq_policy = pp;
4976 4977 if (pp != NULL) {
4977 4978 IPPOL_REFHOLD(pp);
4978 4979 }
4979 4980 IPACT_REFHOLD(ap);
4980 4981 newbie->ipsacq_act = ap;
4981 4982 newbie->ipsacq_linklock = &bucket->iacqf_lock;
4982 4983 newbie->ipsacq_next = bucket->iacqf_ipsacq;
4983 4984 newbie->ipsacq_ptpn = &bucket->iacqf_ipsacq;
4984 4985 if (newbie->ipsacq_next != NULL)
4985 4986 newbie->ipsacq_next->ipsacq_ptpn = &newbie->ipsacq_next;
4986 4987
4987 4988 bucket->iacqf_ipsacq = newbie;
4988 4989 mutex_init(&newbie->ipsacq_lock, NULL, MUTEX_DEFAULT, NULL);
4989 4990 mutex_enter(&newbie->ipsacq_lock);
4990 4991 }
4991 4992
4992 4993 /*
4993 4994 * XXX MLS does it actually help us to drop the bucket lock here?
4994 4995 * we have inserted a half-built, locked acquire record into the
4995 4996 * bucket. any competing thread will now be able to lock the bucket
4996 4997 * to scan it, but will immediately pile up on the new acquire
4997 4998 * record's lock; I don't think we gain anything here other than to
4998 4999 * disperse blame for lock contention.
4999 5000 *
5000 5001 * we might be able to dispense with acquire record locks entirely..
5001 5002 * just use the bucket locks..
5002 5003 */
5003 5004
5004 5005 mutex_exit(&bucket->iacqf_lock);
5005 5006
5006 5007 /*
5007 5008 * This assert looks silly for now, but we may need to enter newbie's
5008 5009 * mutex during a search.
5009 5010 */
5010 5011 ASSERT(MUTEX_HELD(&newbie->ipsacq_lock));
5011 5012
5012 5013 /*
5013 5014 * Make the ip_xmit_attr_t into something we can queue.
5014 5015 * If no memory it frees datamp.
5015 5016 */
5016 5017 asyncmp = ip_xmit_attr_to_mblk(ixa);
5017 5018 if (asyncmp != NULL)
5018 5019 linkb(asyncmp, datamp);
5019 5020
5020 5021 /* Queue up packet. Use b_next. */
5021 5022
5022 5023 if (asyncmp == NULL) {
5023 5024 /* Statistics for allocation failure */
5024 5025 if (ixa->ixa_flags & IXAF_IS_IPV4) {
5025 5026 BUMP_MIB(&ixa->ixa_ipst->ips_ip_mib,
5026 5027 ipIfStatsOutDiscards);
5027 5028 } else {
5028 5029 BUMP_MIB(&ixa->ixa_ipst->ips_ip6_mib,
5029 5030 ipIfStatsOutDiscards);
5030 5031 }
5031 5032 ip_drop_output("No memory for asyncmp", datamp, NULL);
5032 5033 freemsg(datamp);
5033 5034 } else if (newbie->ipsacq_numpackets == 0) {
5034 5035 /* First one. */
5035 5036 newbie->ipsacq_mp = asyncmp;
5036 5037 newbie->ipsacq_numpackets = 1;
5037 5038 newbie->ipsacq_expire = gethrestime_sec();
5038 5039 /*
5039 5040 * Extended ACQUIRE with both AH+ESP will use ESP's timeout
5040 5041 * value.
5041 5042 */
5042 5043 newbie->ipsacq_expire += *spp->s_acquire_timeout;
5043 5044 newbie->ipsacq_seq = seq;
5044 5045 newbie->ipsacq_addrfam = af;
5045 5046
5046 5047 newbie->ipsacq_srcport = ixa->ixa_ipsec_src_port;
5047 5048 newbie->ipsacq_dstport = ixa->ixa_ipsec_dst_port;
5048 5049 newbie->ipsacq_icmp_type = ixa->ixa_ipsec_icmp_type;
5049 5050 newbie->ipsacq_icmp_code = ixa->ixa_ipsec_icmp_code;
5050 5051 if (tunnel_mode) {
5051 5052 newbie->ipsacq_inneraddrfam = ixa->ixa_ipsec_inaf;
5052 5053 newbie->ipsacq_proto = ixa->ixa_ipsec_inaf == AF_INET6 ?
5053 5054 IPPROTO_IPV6 : IPPROTO_ENCAP;
5054 5055 newbie->ipsacq_innersrcpfx = ixa->ixa_ipsec_insrcpfx;
5055 5056 newbie->ipsacq_innerdstpfx = ixa->ixa_ipsec_indstpfx;
5056 5057 IPSA_COPY_ADDR(newbie->ipsacq_innersrc,
5057 5058 ixa->ixa_ipsec_insrc, ixa->ixa_ipsec_inaf);
5058 5059 IPSA_COPY_ADDR(newbie->ipsacq_innerdst,
5059 5060 ixa->ixa_ipsec_indst, ixa->ixa_ipsec_inaf);
5060 5061 } else {
5061 5062 newbie->ipsacq_proto = ixa->ixa_ipsec_proto;
5062 5063 }
5063 5064 newbie->ipsacq_unique_id = unique_id;
5064 5065
5065 5066 if (ixa->ixa_tsl != NULL) {
5066 5067 label_hold(ixa->ixa_tsl);
5067 5068 newbie->ipsacq_tsl = ixa->ixa_tsl;
5068 5069 }
5069 5070 } else {
5070 5071 /* Scan to the end of the list & insert. */
5071 5072 mblk_t *lastone = newbie->ipsacq_mp;
5072 5073
5073 5074 while (lastone->b_next != NULL)
5074 5075 lastone = lastone->b_next;
5075 5076 lastone->b_next = asyncmp;
5076 5077 if (newbie->ipsacq_numpackets++ == ipsacq_maxpackets) {
5077 5078 newbie->ipsacq_numpackets = ipsacq_maxpackets;
5078 5079 lastone = newbie->ipsacq_mp;
5079 5080 newbie->ipsacq_mp = lastone->b_next;
5080 5081 lastone->b_next = NULL;
5081 5082
5082 5083 /* Freeing the async message */
5083 5084 lastone = ip_xmit_attr_free_mblk(lastone);
5084 5085 ip_drop_packet(lastone, B_FALSE, NULL,
5085 5086 DROPPER(ipss, ipds_sadb_acquire_toofull),
5086 5087 &ipss->ipsec_sadb_dropper);
5087 5088 } else {
5088 5089 IP_ACQUIRE_STAT(ipss, qhiwater,
5089 5090 newbie->ipsacq_numpackets);
5090 5091 }
5091 5092 }
5092 5093
5093 5094 /*
5094 5095 * Reset addresses. Set them to the most recently added mblk chain,
5095 5096 * so that the address pointers in the acquire record will point
5096 5097 * at an mblk still attached to the acquire list.
5097 5098 */
5098 5099
5099 5100 newbie->ipsacq_srcaddr = src;
5100 5101 newbie->ipsacq_dstaddr = dst;
5101 5102
5102 5103 /*
5103 5104 * If the acquire record has more than one queued packet, we've
5104 5105 * already sent an ACQUIRE, and don't need to repeat ourself.
5105 5106 */
5106 5107 if (newbie->ipsacq_seq != seq || newbie->ipsacq_numpackets > 1) {
5107 5108 /* I have an acquire outstanding already! */
5108 5109 mutex_exit(&newbie->ipsacq_lock);
5109 5110 return;
5110 5111 }
5111 5112
5112 5113 if (!keysock_extended_reg(ns))
5113 5114 goto punt_extended;
5114 5115 /*
5115 5116 * Construct an extended ACQUIRE. There are logging
5116 5117 * opportunities here in failure cases.
5117 5118 */
5118 5119 bzero(&sel, sizeof (sel));
5119 5120 sel.ips_isv4 = (ixa->ixa_flags & IXAF_IS_IPV4) != 0;
5120 5121 if (tunnel_mode) {
5121 5122 sel.ips_protocol = (ixa->ixa_ipsec_inaf == AF_INET) ?
5122 5123 IPPROTO_ENCAP : IPPROTO_IPV6;
5123 5124 } else {
5124 5125 sel.ips_protocol = ixa->ixa_ipsec_proto;
5125 5126 sel.ips_local_port = ixa->ixa_ipsec_src_port;
5126 5127 sel.ips_remote_port = ixa->ixa_ipsec_dst_port;
5127 5128 }
5128 5129 sel.ips_icmp_type = ixa->ixa_ipsec_icmp_type;
5129 5130 sel.ips_icmp_code = ixa->ixa_ipsec_icmp_code;
5130 5131 sel.ips_is_icmp_inv_acq = 0;
5131 5132 if (af == AF_INET) {
5132 5133 sel.ips_local_addr_v4 = ipha->ipha_src;
5133 5134 sel.ips_remote_addr_v4 = ipha->ipha_dst;
5134 5135 } else {
5135 5136 sel.ips_local_addr_v6 = ip6h->ip6_src;
5136 5137 sel.ips_remote_addr_v6 = ip6h->ip6_dst;
5137 5138 }
5138 5139
5139 5140 extended = sadb_keysock_out(0);
5140 5141 if (extended == NULL)
5141 5142 goto punt_extended;
5142 5143
5143 5144 if (ixa->ixa_tsl != NULL) {
5144 5145 /*
5145 5146 * XXX MLS correct condition here?
5146 5147 * XXX MLS other credential attributes in acquire?
5147 5148 * XXX malloc failure? don't fall back to original?
5148 5149 */
5149 5150 sens = sadb_make_sens_ext(ixa->ixa_tsl, &sens_len);
5150 5151
5151 5152 if (sens == NULL) {
5152 5153 freeb(extended);
5153 5154 goto punt_extended;
5154 5155 }
5155 5156 }
5156 5157
5157 5158 extended->b_cont = sadb_extended_acquire(&sel, pp, ap, tunnel_mode,
5158 5159 seq, 0, sens, ns);
5159 5160
5160 5161 if (sens != NULL)
5161 5162 kmem_free(sens, sens_len);
5162 5163
5163 5164 if (extended->b_cont == NULL) {
5164 5165 freeb(extended);
5165 5166 goto punt_extended;
5166 5167 }
5167 5168
5168 5169 /*
5169 5170 * Send an ACQUIRE message (and possible an extended ACQUIRE) based on
5170 5171 * this new record. The send-acquire callback assumes that acqrec is
5171 5172 * already locked.
5172 5173 */
5173 5174 (*spp->s_acqfn)(newbie, extended, ns);
5174 5175 return;
5175 5176
5176 5177 punt_extended:
5177 5178 (*spp->s_acqfn)(newbie, NULL, ns);
5178 5179 }
5179 5180
5180 5181 /*
5181 5182 * Unlink and free an acquire record.
5182 5183 */
5183 5184 void
5184 5185 sadb_destroy_acquire(ipsacq_t *acqrec, netstack_t *ns)
5185 5186 {
5186 5187 mblk_t *mp;
5187 5188 ipsec_stack_t *ipss = ns->netstack_ipsec;
5188 5189
5189 5190 ASSERT(MUTEX_HELD(acqrec->ipsacq_linklock));
5190 5191
5191 5192 if (acqrec->ipsacq_policy != NULL) {
5192 5193 IPPOL_REFRELE(acqrec->ipsacq_policy);
5193 5194 }
5194 5195 if (acqrec->ipsacq_act != NULL) {
5195 5196 IPACT_REFRELE(acqrec->ipsacq_act);
5196 5197 }
5197 5198
5198 5199 /* Unlink */
5199 5200 *(acqrec->ipsacq_ptpn) = acqrec->ipsacq_next;
5200 5201 if (acqrec->ipsacq_next != NULL)
5201 5202 acqrec->ipsacq_next->ipsacq_ptpn = acqrec->ipsacq_ptpn;
5202 5203
5203 5204 if (acqrec->ipsacq_tsl != NULL) {
5204 5205 label_rele(acqrec->ipsacq_tsl);
5205 5206 acqrec->ipsacq_tsl = NULL;
5206 5207 }
5207 5208
5208 5209 /*
5209 5210 * Free hanging mp's.
5210 5211 *
5211 5212 * XXX Instead of freemsg(), perhaps use IPSEC_REQ_FAILED.
5212 5213 */
5213 5214
5214 5215 mutex_enter(&acqrec->ipsacq_lock);
5215 5216 while (acqrec->ipsacq_mp != NULL) {
5216 5217 mp = acqrec->ipsacq_mp;
5217 5218 acqrec->ipsacq_mp = mp->b_next;
5218 5219 mp->b_next = NULL;
5219 5220 /* Freeing the async message */
5220 5221 mp = ip_xmit_attr_free_mblk(mp);
5221 5222 ip_drop_packet(mp, B_FALSE, NULL,
5222 5223 DROPPER(ipss, ipds_sadb_acquire_timeout),
5223 5224 &ipss->ipsec_sadb_dropper);
5224 5225 }
5225 5226 mutex_exit(&acqrec->ipsacq_lock);
5226 5227
5227 5228 /* Free */
5228 5229 mutex_destroy(&acqrec->ipsacq_lock);
5229 5230 kmem_free(acqrec, sizeof (*acqrec));
5230 5231 }
5231 5232
5232 5233 /*
5233 5234 * Destroy an acquire list fanout.
5234 5235 */
5235 5236 static void
5236 5237 sadb_destroy_acqlist(iacqf_t **listp, uint_t numentries, boolean_t forever,
5237 5238 netstack_t *ns)
5238 5239 {
5239 5240 int i;
5240 5241 iacqf_t *list = *listp;
5241 5242
5242 5243 if (list == NULL)
5243 5244 return;
5244 5245
5245 5246 for (i = 0; i < numentries; i++) {
5246 5247 mutex_enter(&(list[i].iacqf_lock));
5247 5248 while (list[i].iacqf_ipsacq != NULL)
5248 5249 sadb_destroy_acquire(list[i].iacqf_ipsacq, ns);
5249 5250 mutex_exit(&(list[i].iacqf_lock));
5250 5251 if (forever)
5251 5252 mutex_destroy(&(list[i].iacqf_lock));
5252 5253 }
5253 5254
5254 5255 if (forever) {
5255 5256 *listp = NULL;
5256 5257 kmem_free(list, numentries * sizeof (*list));
5257 5258 }
5258 5259 }
5259 5260
5260 5261 /*
5261 5262 * Create an algorithm descriptor for an extended ACQUIRE. Filter crypto
5262 5263 * framework's view of reality vs. IPsec's. EF's wins, BTW.
5263 5264 */
5264 5265 static uint8_t *
5265 5266 sadb_new_algdesc(uint8_t *start, uint8_t *limit,
5266 5267 sadb_x_ecomb_t *ecomb, uint8_t satype, uint8_t algtype,
5267 5268 uint8_t alg, uint16_t minbits, uint16_t maxbits, ipsec_stack_t *ipss)
5268 5269 {
5269 5270 uint8_t *cur = start;
5270 5271 ipsec_alginfo_t *algp;
5271 5272 sadb_x_algdesc_t *algdesc = (sadb_x_algdesc_t *)cur;
5272 5273
5273 5274 cur += sizeof (*algdesc);
5274 5275 if (cur >= limit)
5275 5276 return (NULL);
5276 5277
5277 5278 ecomb->sadb_x_ecomb_numalgs++;
5278 5279
5279 5280 /*
5280 5281 * Normalize vs. crypto framework's limits. This way, you can specify
5281 5282 * a stronger policy, and when the framework loads a stronger version,
5282 5283 * you can just keep plowing w/o rewhacking your SPD.
5283 5284 */
5284 - mutex_enter(&ipss->ipsec_alg_lock);
5285 + rw_enter(&ipss->ipsec_alg_lock, RW_READER);
5285 5286 algp = ipss->ipsec_alglists[(algtype == SADB_X_ALGTYPE_AUTH) ?
5286 5287 IPSEC_ALG_AUTH : IPSEC_ALG_ENCR][alg];
5287 5288 if (algp == NULL) {
5288 - mutex_exit(&ipss->ipsec_alg_lock);
5289 + rw_exit(&ipss->ipsec_alg_lock);
5289 5290 return (NULL); /* Algorithm doesn't exist. Fail gracefully. */
5290 5291 }
5291 5292 if (minbits < algp->alg_ef_minbits)
5292 5293 minbits = algp->alg_ef_minbits;
5293 5294 if (maxbits > algp->alg_ef_maxbits)
5294 5295 maxbits = algp->alg_ef_maxbits;
5295 - mutex_exit(&ipss->ipsec_alg_lock);
5296 + rw_exit(&ipss->ipsec_alg_lock);
5296 5297
5297 5298 algdesc->sadb_x_algdesc_reserved = SADB_8TO1(algp->alg_saltlen);
5298 5299 algdesc->sadb_x_algdesc_satype = satype;
5299 5300 algdesc->sadb_x_algdesc_algtype = algtype;
5300 5301 algdesc->sadb_x_algdesc_alg = alg;
5301 5302 algdesc->sadb_x_algdesc_minbits = minbits;
5302 5303 algdesc->sadb_x_algdesc_maxbits = maxbits;
5303 5304
5304 5305 return (cur);
5305 5306 }
5306 5307
5307 5308 /*
5308 5309 * Convert the given ipsec_action_t into an ecomb starting at *ecomb
5309 5310 * which must fit before *limit
5310 5311 *
5311 5312 * return NULL if we ran out of room or a pointer to the end of the ecomb.
5312 5313 */
5313 5314 static uint8_t *
5314 5315 sadb_action_to_ecomb(uint8_t *start, uint8_t *limit, ipsec_action_t *act,
5315 5316 netstack_t *ns)
5316 5317 {
5317 5318 uint8_t *cur = start;
5318 5319 sadb_x_ecomb_t *ecomb = (sadb_x_ecomb_t *)cur;
5319 5320 ipsec_prot_t *ipp;
5320 5321 ipsec_stack_t *ipss = ns->netstack_ipsec;
5321 5322
5322 5323 cur += sizeof (*ecomb);
5323 5324 if (cur >= limit)
5324 5325 return (NULL);
5325 5326
5326 5327 ASSERT(act->ipa_act.ipa_type == IPSEC_ACT_APPLY);
5327 5328
5328 5329 ipp = &act->ipa_act.ipa_apply;
5329 5330
5330 5331 ecomb->sadb_x_ecomb_numalgs = 0;
5331 5332 ecomb->sadb_x_ecomb_reserved = 0;
5332 5333 ecomb->sadb_x_ecomb_reserved2 = 0;
5333 5334 /*
5334 5335 * No limits on allocations, since we really don't support that
5335 5336 * concept currently.
5336 5337 */
5337 5338 ecomb->sadb_x_ecomb_soft_allocations = 0;
5338 5339 ecomb->sadb_x_ecomb_hard_allocations = 0;
5339 5340
5340 5341 /*
5341 5342 * XXX TBD: Policy or global parameters will eventually be
5342 5343 * able to fill in some of these.
5343 5344 */
5344 5345 ecomb->sadb_x_ecomb_flags = 0;
5345 5346 ecomb->sadb_x_ecomb_soft_bytes = 0;
5346 5347 ecomb->sadb_x_ecomb_hard_bytes = 0;
5347 5348 ecomb->sadb_x_ecomb_soft_addtime = 0;
5348 5349 ecomb->sadb_x_ecomb_hard_addtime = 0;
5349 5350 ecomb->sadb_x_ecomb_soft_usetime = 0;
5350 5351 ecomb->sadb_x_ecomb_hard_usetime = 0;
5351 5352
5352 5353 if (ipp->ipp_use_ah) {
5353 5354 cur = sadb_new_algdesc(cur, limit, ecomb,
5354 5355 SADB_SATYPE_AH, SADB_X_ALGTYPE_AUTH, ipp->ipp_auth_alg,
5355 5356 ipp->ipp_ah_minbits, ipp->ipp_ah_maxbits, ipss);
5356 5357 if (cur == NULL)
5357 5358 return (NULL);
5358 5359 ipsecah_fill_defs(ecomb, ns);
5359 5360 }
5360 5361
5361 5362 if (ipp->ipp_use_esp) {
5362 5363 if (ipp->ipp_use_espa) {
5363 5364 cur = sadb_new_algdesc(cur, limit, ecomb,
5364 5365 SADB_SATYPE_ESP, SADB_X_ALGTYPE_AUTH,
5365 5366 ipp->ipp_esp_auth_alg,
5366 5367 ipp->ipp_espa_minbits,
5367 5368 ipp->ipp_espa_maxbits, ipss);
5368 5369 if (cur == NULL)
5369 5370 return (NULL);
5370 5371 }
5371 5372
5372 5373 cur = sadb_new_algdesc(cur, limit, ecomb,
5373 5374 SADB_SATYPE_ESP, SADB_X_ALGTYPE_CRYPT,
5374 5375 ipp->ipp_encr_alg,
5375 5376 ipp->ipp_espe_minbits,
5376 5377 ipp->ipp_espe_maxbits, ipss);
5377 5378 if (cur == NULL)
5378 5379 return (NULL);
5379 5380 /* Fill in lifetimes if and only if AH didn't already... */
5380 5381 if (!ipp->ipp_use_ah)
5381 5382 ipsecesp_fill_defs(ecomb, ns);
5382 5383 }
5383 5384
5384 5385 return (cur);
5385 5386 }
5386 5387
5387 5388 #include <sys/tsol/label_macro.h> /* XXX should not need this */
5388 5389
5389 5390 /*
5390 5391 * From a cred_t, construct a sensitivity label extension
5391 5392 *
5392 5393 * We send up a fixed-size sensitivity label bitmap, and are perhaps
5393 5394 * overly chummy with the underlying data structures here.
5394 5395 */
5395 5396
5396 5397 /* ARGSUSED */
5397 5398 int
5398 5399 sadb_sens_len_from_label(ts_label_t *tsl)
5399 5400 {
5400 5401 int baselen = sizeof (sadb_sens_t) + _C_LEN * 4;
5401 5402 return (roundup(baselen, sizeof (uint64_t)));
5402 5403 }
5403 5404
5404 5405 void
5405 5406 sadb_sens_from_label(sadb_sens_t *sens, int exttype, ts_label_t *tsl,
5406 5407 int senslen)
5407 5408 {
5408 5409 uint8_t *bitmap;
5409 5410 bslabel_t *sl;
5410 5411
5411 5412 /* LINTED */
5412 5413 ASSERT((_C_LEN & 1) == 0);
5413 5414 ASSERT((senslen & 7) == 0);
5414 5415
5415 5416 sl = label2bslabel(tsl);
5416 5417
5417 5418 sens->sadb_sens_exttype = exttype;
5418 5419 sens->sadb_sens_len = SADB_8TO64(senslen);
5419 5420
5420 5421 sens->sadb_sens_dpd = tsl->tsl_doi;
5421 5422 sens->sadb_sens_sens_level = LCLASS(sl);
5422 5423 sens->sadb_sens_integ_level = 0; /* TBD */
5423 5424 sens->sadb_sens_sens_len = _C_LEN >> 1;
5424 5425 sens->sadb_sens_integ_len = 0; /* TBD */
5425 5426 sens->sadb_x_sens_flags = 0;
5426 5427
5427 5428 bitmap = (uint8_t *)(sens + 1);
5428 5429 bcopy(&(((_bslabel_impl_t *)sl)->compartments), bitmap, _C_LEN * 4);
5429 5430 }
5430 5431
5431 5432 static sadb_sens_t *
5432 5433 sadb_make_sens_ext(ts_label_t *tsl, int *len)
5433 5434 {
5434 5435 /* XXX allocation failure? */
5435 5436 int sens_len = sadb_sens_len_from_label(tsl);
5436 5437
5437 5438 sadb_sens_t *sens = kmem_alloc(sens_len, KM_SLEEP);
5438 5439
5439 5440 sadb_sens_from_label(sens, SADB_EXT_SENSITIVITY, tsl, sens_len);
5440 5441
5441 5442 *len = sens_len;
5442 5443
5443 5444 return (sens);
5444 5445 }
5445 5446
5446 5447 /*
5447 5448 * Okay, how do we report errors/invalid labels from this?
5448 5449 * With a special designated "not a label" cred_t ?
5449 5450 */
5450 5451 /* ARGSUSED */
5451 5452 ts_label_t *
5452 5453 sadb_label_from_sens(sadb_sens_t *sens, uint64_t *bitmap)
5453 5454 {
5454 5455 int bitmap_len = SADB_64TO8(sens->sadb_sens_sens_len);
5455 5456 bslabel_t sl;
5456 5457 ts_label_t *tsl;
5457 5458
5458 5459 if (sens->sadb_sens_integ_level != 0)
5459 5460 return (NULL);
5460 5461 if (sens->sadb_sens_integ_len != 0)
5461 5462 return (NULL);
5462 5463 if (bitmap_len > _C_LEN * 4)
5463 5464 return (NULL);
5464 5465
5465 5466 bsllow(&sl);
5466 5467 LCLASS_SET((_bslabel_impl_t *)&sl, sens->sadb_sens_sens_level);
5467 5468 bcopy(bitmap, &((_bslabel_impl_t *)&sl)->compartments,
5468 5469 bitmap_len);
5469 5470
5470 5471 tsl = labelalloc(&sl, sens->sadb_sens_dpd, KM_NOSLEEP);
5471 5472 if (tsl == NULL)
5472 5473 return (NULL);
5473 5474
5474 5475 if (sens->sadb_x_sens_flags & SADB_X_SENS_UNLABELED)
5475 5476 tsl->tsl_flags |= TSLF_UNLABELED;
5476 5477 return (tsl);
5477 5478 }
5478 5479
5479 5480 /* End XXX label-library-leakage */
5480 5481
5481 5482 /*
5482 5483 * Construct an extended ACQUIRE message based on a selector and the resulting
5483 5484 * IPsec action.
5484 5485 *
5485 5486 * NOTE: This is used by both inverse ACQUIRE and actual ACQUIRE
5486 5487 * generation. As a consequence, expect this function to evolve
5487 5488 * rapidly.
5488 5489 */
5489 5490 static mblk_t *
5490 5491 sadb_extended_acquire(ipsec_selector_t *sel, ipsec_policy_t *pol,
5491 5492 ipsec_action_t *act, boolean_t tunnel_mode, uint32_t seq, uint32_t pid,
5492 5493 sadb_sens_t *sens, netstack_t *ns)
5493 5494 {
5494 5495 mblk_t *mp;
5495 5496 sadb_msg_t *samsg;
5496 5497 uint8_t *start, *cur, *end;
5497 5498 uint32_t *saddrptr, *daddrptr;
5498 5499 sa_family_t af;
5499 5500 sadb_prop_t *eprop;
5500 5501 ipsec_action_t *ap, *an;
5501 5502 ipsec_selkey_t *ipsl;
5502 5503 uint8_t proto, pfxlen;
5503 5504 uint16_t lport, rport;
5504 5505 uint32_t kmp, kmc;
5505 5506
5506 5507 /*
5507 5508 * Find the action we want sooner rather than later..
5508 5509 */
5509 5510 an = NULL;
5510 5511 if (pol == NULL) {
5511 5512 ap = act;
5512 5513 } else {
5513 5514 ap = pol->ipsp_act;
5514 5515
5515 5516 if (ap != NULL)
5516 5517 an = ap->ipa_next;
5517 5518 }
5518 5519
5519 5520 /*
5520 5521 * Just take a swag for the allocation for now. We can always
5521 5522 * alter it later.
5522 5523 */
5523 5524 #define SADB_EXTENDED_ACQUIRE_SIZE 4096
5524 5525 mp = allocb(SADB_EXTENDED_ACQUIRE_SIZE, BPRI_HI);
5525 5526 if (mp == NULL)
5526 5527 return (NULL);
5527 5528
5528 5529 start = mp->b_rptr;
5529 5530 end = start + SADB_EXTENDED_ACQUIRE_SIZE;
5530 5531
5531 5532 cur = start;
5532 5533
5533 5534 samsg = (sadb_msg_t *)cur;
5534 5535 cur += sizeof (*samsg);
5535 5536
5536 5537 samsg->sadb_msg_version = PF_KEY_V2;
5537 5538 samsg->sadb_msg_type = SADB_ACQUIRE;
5538 5539 samsg->sadb_msg_errno = 0;
5539 5540 samsg->sadb_msg_reserved = 0;
5540 5541 samsg->sadb_msg_satype = 0;
5541 5542 samsg->sadb_msg_seq = seq;
5542 5543 samsg->sadb_msg_pid = pid;
5543 5544
5544 5545 if (tunnel_mode) {
5545 5546 /*
5546 5547 * Form inner address extensions based NOT on the inner
5547 5548 * selectors (i.e. the packet data), but on the policy's
5548 5549 * selector key (i.e. the policy's selector information).
5549 5550 *
5550 5551 * NOTE: The position of IPv4 and IPv6 addresses is the
5551 5552 * same in ipsec_selkey_t (unless the compiler does very
5552 5553 * strange things with unions, consult your local C language
5553 5554 * lawyer for details).
5554 5555 */
5555 5556 ASSERT(pol != NULL);
5556 5557
5557 5558 ipsl = &(pol->ipsp_sel->ipsl_key);
5558 5559 if (ipsl->ipsl_valid & IPSL_IPV4) {
5559 5560 af = AF_INET;
5560 5561 ASSERT(sel->ips_protocol == IPPROTO_ENCAP);
5561 5562 ASSERT(!(ipsl->ipsl_valid & IPSL_IPV6));
5562 5563 } else {
5563 5564 af = AF_INET6;
5564 5565 ASSERT(sel->ips_protocol == IPPROTO_IPV6);
5565 5566 ASSERT(ipsl->ipsl_valid & IPSL_IPV6);
5566 5567 }
5567 5568
5568 5569 if (ipsl->ipsl_valid & IPSL_LOCAL_ADDR) {
5569 5570 saddrptr = (uint32_t *)(&ipsl->ipsl_local);
5570 5571 pfxlen = ipsl->ipsl_local_pfxlen;
5571 5572 } else {
5572 5573 saddrptr = (uint32_t *)(&ipv6_all_zeros);
5573 5574 pfxlen = 0;
5574 5575 }
5575 5576 /* XXX What about ICMP type/code? */
5576 5577 lport = (ipsl->ipsl_valid & IPSL_LOCAL_PORT) ?
5577 5578 ipsl->ipsl_lport : 0;
5578 5579 proto = (ipsl->ipsl_valid & IPSL_PROTOCOL) ?
5579 5580 ipsl->ipsl_proto : 0;
5580 5581
5581 5582 cur = sadb_make_addr_ext(cur, end, SADB_X_EXT_ADDRESS_INNER_SRC,
5582 5583 af, saddrptr, lport, proto, pfxlen);
5583 5584 if (cur == NULL) {
5584 5585 freeb(mp);
5585 5586 return (NULL);
5586 5587 }
5587 5588
5588 5589 if (ipsl->ipsl_valid & IPSL_REMOTE_ADDR) {
5589 5590 daddrptr = (uint32_t *)(&ipsl->ipsl_remote);
5590 5591 pfxlen = ipsl->ipsl_remote_pfxlen;
5591 5592 } else {
5592 5593 daddrptr = (uint32_t *)(&ipv6_all_zeros);
5593 5594 pfxlen = 0;
5594 5595 }
5595 5596 /* XXX What about ICMP type/code? */
5596 5597 rport = (ipsl->ipsl_valid & IPSL_REMOTE_PORT) ?
5597 5598 ipsl->ipsl_rport : 0;
5598 5599
5599 5600 cur = sadb_make_addr_ext(cur, end, SADB_X_EXT_ADDRESS_INNER_DST,
5600 5601 af, daddrptr, rport, proto, pfxlen);
5601 5602 if (cur == NULL) {
5602 5603 freeb(mp);
5603 5604 return (NULL);
5604 5605 }
5605 5606 /*
5606 5607 * TODO - if we go to 3408's dream of transport mode IP-in-IP
5607 5608 * _with_ inner-packet address selectors, we'll need to further
5608 5609 * distinguish tunnel mode here. For now, having inner
5609 5610 * addresses and/or ports is sufficient.
5610 5611 *
5611 5612 * Meanwhile, whack proto/ports to reflect IP-in-IP for the
5612 5613 * outer addresses.
5613 5614 */
5614 5615 proto = sel->ips_protocol; /* Either _ENCAP or _IPV6 */
5615 5616 lport = rport = 0;
5616 5617 } else if ((ap != NULL) && (!ap->ipa_want_unique)) {
5617 5618 proto = 0;
5618 5619 lport = 0;
5619 5620 rport = 0;
5620 5621 if (pol != NULL) {
5621 5622 ipsl = &(pol->ipsp_sel->ipsl_key);
5622 5623 if (ipsl->ipsl_valid & IPSL_PROTOCOL)
5623 5624 proto = ipsl->ipsl_proto;
5624 5625 if (ipsl->ipsl_valid & IPSL_REMOTE_PORT)
5625 5626 rport = ipsl->ipsl_rport;
5626 5627 if (ipsl->ipsl_valid & IPSL_LOCAL_PORT)
5627 5628 lport = ipsl->ipsl_lport;
5628 5629 }
5629 5630 } else {
5630 5631 proto = sel->ips_protocol;
5631 5632 lport = sel->ips_local_port;
5632 5633 rport = sel->ips_remote_port;
5633 5634 }
5634 5635
5635 5636 af = sel->ips_isv4 ? AF_INET : AF_INET6;
5636 5637
5637 5638 /*
5638 5639 * NOTE: The position of IPv4 and IPv6 addresses is the same in
5639 5640 * ipsec_selector_t.
5640 5641 */
5641 5642 cur = sadb_make_addr_ext(cur, end, SADB_EXT_ADDRESS_SRC, af,
5642 5643 (uint32_t *)(&sel->ips_local_addr_v6), lport, proto, 0);
5643 5644
5644 5645 if (cur == NULL) {
5645 5646 freeb(mp);
5646 5647 return (NULL);
5647 5648 }
5648 5649
5649 5650 cur = sadb_make_addr_ext(cur, end, SADB_EXT_ADDRESS_DST, af,
5650 5651 (uint32_t *)(&sel->ips_remote_addr_v6), rport, proto, 0);
5651 5652
5652 5653 if (cur == NULL) {
5653 5654 freeb(mp);
5654 5655 return (NULL);
5655 5656 }
5656 5657
5657 5658 if (sens != NULL) {
5658 5659 uint8_t *sensext = cur;
5659 5660 int senslen = SADB_64TO8(sens->sadb_sens_len);
5660 5661
5661 5662 cur += senslen;
5662 5663 if (cur > end) {
5663 5664 freeb(mp);
5664 5665 return (NULL);
5665 5666 }
5666 5667 bcopy(sens, sensext, senslen);
5667 5668 }
5668 5669
5669 5670 /*
5670 5671 * This section will change a lot as policy evolves.
5671 5672 * For now, it'll be relatively simple.
5672 5673 */
5673 5674 eprop = (sadb_prop_t *)cur;
5674 5675 cur += sizeof (*eprop);
5675 5676 if (cur > end) {
5676 5677 /* no space left */
5677 5678 freeb(mp);
5678 5679 return (NULL);
5679 5680 }
5680 5681
5681 5682 eprop->sadb_prop_exttype = SADB_X_EXT_EPROP;
5682 5683 eprop->sadb_x_prop_ereserved = 0;
5683 5684 eprop->sadb_x_prop_numecombs = 0;
5684 5685 eprop->sadb_prop_replay = 32; /* default */
5685 5686
5686 5687 kmc = kmp = 0;
5687 5688
5688 5689 for (; ap != NULL; ap = an) {
5689 5690 an = (pol != NULL) ? ap->ipa_next : NULL;
5690 5691
5691 5692 /*
5692 5693 * Skip non-IPsec policies
5693 5694 */
5694 5695 if (ap->ipa_act.ipa_type != IPSEC_ACT_APPLY)
5695 5696 continue;
5696 5697
5697 5698 if (ap->ipa_act.ipa_apply.ipp_km_proto)
5698 5699 kmp = ap->ipa_act.ipa_apply.ipp_km_proto;
5699 5700 if (ap->ipa_act.ipa_apply.ipp_km_cookie)
5700 5701 kmc = ap->ipa_act.ipa_apply.ipp_km_cookie;
5701 5702 if (ap->ipa_act.ipa_apply.ipp_replay_depth) {
5702 5703 eprop->sadb_prop_replay =
5703 5704 ap->ipa_act.ipa_apply.ipp_replay_depth;
5704 5705 }
5705 5706
5706 5707 cur = sadb_action_to_ecomb(cur, end, ap, ns);
5707 5708 if (cur == NULL) { /* no space */
5708 5709 freeb(mp);
5709 5710 return (NULL);
5710 5711 }
5711 5712 eprop->sadb_x_prop_numecombs++;
5712 5713 }
5713 5714
5714 5715 if (eprop->sadb_x_prop_numecombs == 0) {
5715 5716 /*
5716 5717 * This will happen if we fail to find a policy
5717 5718 * allowing for IPsec processing.
5718 5719 * Construct an error message.
5719 5720 */
5720 5721 samsg->sadb_msg_len = SADB_8TO64(sizeof (*samsg));
5721 5722 samsg->sadb_msg_errno = ENOENT;
5722 5723 samsg->sadb_x_msg_diagnostic = 0;
5723 5724 return (mp);
5724 5725 }
5725 5726
5726 5727 if ((kmp != 0) || (kmc != 0)) {
5727 5728 cur = sadb_make_kmc_ext(cur, end, kmp, kmc);
5728 5729 if (cur == NULL) {
5729 5730 freeb(mp);
5730 5731 return (NULL);
5731 5732 }
5732 5733 }
5733 5734
5734 5735 eprop->sadb_prop_len = SADB_8TO64(cur - (uint8_t *)eprop);
5735 5736 samsg->sadb_msg_len = SADB_8TO64(cur - start);
5736 5737 mp->b_wptr = cur;
5737 5738
5738 5739 return (mp);
5739 5740 }
5740 5741
5741 5742 /*
5742 5743 * Generic setup of an RFC 2367 ACQUIRE message. Caller sets satype.
5743 5744 *
5744 5745 * NOTE: This function acquires alg_lock as a side-effect if-and-only-if we
5745 5746 * succeed (i.e. return non-NULL). Caller MUST release it. This is to
5746 5747 * maximize code consolidation while preventing algorithm changes from messing
5747 5748 * with the callers finishing touches on the ACQUIRE itself.
5748 5749 */
5749 5750 mblk_t *
5750 5751 sadb_setup_acquire(ipsacq_t *acqrec, uint8_t satype, ipsec_stack_t *ipss)
5751 5752 {
5752 5753 uint_t allocsize;
5753 5754 mblk_t *pfkeymp, *msgmp;
5754 5755 sa_family_t af;
5755 5756 uint8_t *cur, *end;
5756 5757 sadb_msg_t *samsg;
5757 5758 uint16_t sport_typecode;
5758 5759 uint16_t dport_typecode;
5759 5760 uint8_t check_proto;
5760 5761 boolean_t tunnel_mode = (acqrec->ipsacq_inneraddrfam != 0);
5761 5762
5762 5763 ASSERT(MUTEX_HELD(&acqrec->ipsacq_lock));
5763 5764
5764 5765 pfkeymp = sadb_keysock_out(0);
5765 5766 if (pfkeymp == NULL)
5766 5767 return (NULL);
5767 5768
5768 5769 /*
5769 5770 * First, allocate a basic ACQUIRE message
5770 5771 */
5771 5772 allocsize = sizeof (sadb_msg_t) + sizeof (sadb_address_t) +
5772 5773 sizeof (sadb_address_t) + sizeof (sadb_prop_t);
5773 5774
5774 5775 /* Make sure there's enough to cover both AF_INET and AF_INET6. */
5775 5776 allocsize += 2 * sizeof (struct sockaddr_in6);
5776 5777
5777 - mutex_enter(&ipss->ipsec_alg_lock);
5778 + rw_enter(&ipss->ipsec_alg_lock, RW_READER);
5778 5779 /* NOTE: The lock is now held through to this function's return. */
5779 5780 allocsize += ipss->ipsec_nalgs[IPSEC_ALG_AUTH] *
5780 5781 ipss->ipsec_nalgs[IPSEC_ALG_ENCR] * sizeof (sadb_comb_t);
5781 5782
5782 5783 if (tunnel_mode) {
5783 5784 /* Tunnel mode! */
5784 5785 allocsize += 2 * sizeof (sadb_address_t);
5785 5786 /* Enough to cover both AF_INET and AF_INET6. */
5786 5787 allocsize += 2 * sizeof (struct sockaddr_in6);
5787 5788 }
5788 5789
5789 5790 msgmp = allocb(allocsize, BPRI_HI);
5790 5791 if (msgmp == NULL) {
5791 5792 freeb(pfkeymp);
5792 - mutex_exit(&ipss->ipsec_alg_lock);
5793 + rw_exit(&ipss->ipsec_alg_lock);
5793 5794 return (NULL);
5794 5795 }
5795 5796
5796 5797 pfkeymp->b_cont = msgmp;
5797 5798 cur = msgmp->b_rptr;
5798 5799 end = cur + allocsize;
5799 5800 samsg = (sadb_msg_t *)cur;
5800 5801 cur += sizeof (sadb_msg_t);
5801 5802
5802 5803 af = acqrec->ipsacq_addrfam;
5803 5804 switch (af) {
5804 5805 case AF_INET:
5805 5806 check_proto = IPPROTO_ICMP;
5806 5807 break;
5807 5808 case AF_INET6:
5808 5809 check_proto = IPPROTO_ICMPV6;
5809 5810 break;
5810 5811 default:
5811 5812 /* This should never happen unless we have kernel bugs. */
5812 5813 cmn_err(CE_WARN,
5813 5814 "sadb_setup_acquire: corrupt ACQUIRE record.\n");
5814 5815 ASSERT(0);
5815 - mutex_exit(&ipss->ipsec_alg_lock);
5816 + rw_exit(&ipss->ipsec_alg_lock);
5816 5817 return (NULL);
5817 5818 }
5818 5819
5819 5820 samsg->sadb_msg_version = PF_KEY_V2;
5820 5821 samsg->sadb_msg_type = SADB_ACQUIRE;
5821 5822 samsg->sadb_msg_satype = satype;
5822 5823 samsg->sadb_msg_errno = 0;
5823 5824 samsg->sadb_msg_pid = 0;
5824 5825 samsg->sadb_msg_reserved = 0;
5825 5826 samsg->sadb_msg_seq = acqrec->ipsacq_seq;
5826 5827
5827 5828 ASSERT(MUTEX_HELD(&acqrec->ipsacq_lock));
5828 5829
5829 5830 if ((acqrec->ipsacq_proto == check_proto) || tunnel_mode) {
5830 5831 sport_typecode = dport_typecode = 0;
5831 5832 } else {
5832 5833 sport_typecode = acqrec->ipsacq_srcport;
5833 5834 dport_typecode = acqrec->ipsacq_dstport;
5834 5835 }
5835 5836
5836 5837 cur = sadb_make_addr_ext(cur, end, SADB_EXT_ADDRESS_SRC, af,
5837 5838 acqrec->ipsacq_srcaddr, sport_typecode, acqrec->ipsacq_proto, 0);
5838 5839
5839 5840 cur = sadb_make_addr_ext(cur, end, SADB_EXT_ADDRESS_DST, af,
5840 5841 acqrec->ipsacq_dstaddr, dport_typecode, acqrec->ipsacq_proto, 0);
5841 5842
5842 5843 if (tunnel_mode) {
5843 5844 sport_typecode = acqrec->ipsacq_srcport;
5844 5845 dport_typecode = acqrec->ipsacq_dstport;
5845 5846 cur = sadb_make_addr_ext(cur, end, SADB_X_EXT_ADDRESS_INNER_SRC,
5846 5847 acqrec->ipsacq_inneraddrfam, acqrec->ipsacq_innersrc,
5847 5848 sport_typecode, acqrec->ipsacq_inner_proto,
5848 5849 acqrec->ipsacq_innersrcpfx);
5849 5850 cur = sadb_make_addr_ext(cur, end, SADB_X_EXT_ADDRESS_INNER_DST,
5850 5851 acqrec->ipsacq_inneraddrfam, acqrec->ipsacq_innerdst,
5851 5852 dport_typecode, acqrec->ipsacq_inner_proto,
5852 5853 acqrec->ipsacq_innerdstpfx);
5853 5854 }
5854 5855
5855 5856 /* XXX Insert identity information here. */
5856 5857
5857 5858 /* XXXMLS Insert sensitivity information here. */
5858 5859
5859 5860 if (cur != NULL)
5860 5861 samsg->sadb_msg_len = SADB_8TO64(cur - msgmp->b_rptr);
5861 5862 else
5862 - mutex_exit(&ipss->ipsec_alg_lock);
5863 + rw_exit(&ipss->ipsec_alg_lock);
5863 5864
5864 5865 return (pfkeymp);
5865 5866 }
5866 5867
5867 5868 /*
5868 5869 * Given an SADB_GETSPI message, find an appropriately ranged SA and
5869 5870 * allocate an SA. If there are message improprieties, return (ipsa_t *)-1.
5870 5871 * If there was a memory allocation error, return NULL. (Assume NULL !=
5871 5872 * (ipsa_t *)-1).
5872 5873 *
5873 5874 * master_spi is passed in host order.
5874 5875 */
5875 5876 ipsa_t *
5876 5877 sadb_getspi(keysock_in_t *ksi, uint32_t master_spi, int *diagnostic,
5877 5878 netstack_t *ns, uint_t sa_type)
5878 5879 {
5879 5880 sadb_address_t *src =
5880 5881 (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_SRC],
5881 5882 *dst = (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_DST];
5882 5883 sadb_spirange_t *range =
5883 5884 (sadb_spirange_t *)ksi->ks_in_extv[SADB_EXT_SPIRANGE];
5884 5885 struct sockaddr_in *ssa, *dsa;
5885 5886 struct sockaddr_in6 *ssa6, *dsa6;
5886 5887 uint32_t *srcaddr, *dstaddr;
5887 5888 sa_family_t af;
5888 5889 uint32_t add, min, max;
5889 5890 uint8_t protocol =
5890 5891 (sa_type == SADB_SATYPE_AH) ? IPPROTO_AH : IPPROTO_ESP;
5891 5892
5892 5893 if (src == NULL) {
5893 5894 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_SRC;
5894 5895 return ((ipsa_t *)-1);
5895 5896 }
5896 5897 if (dst == NULL) {
5897 5898 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_DST;
5898 5899 return ((ipsa_t *)-1);
5899 5900 }
5900 5901 if (range == NULL) {
5901 5902 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_RANGE;
5902 5903 return ((ipsa_t *)-1);
5903 5904 }
5904 5905
5905 5906 min = ntohl(range->sadb_spirange_min);
5906 5907 max = ntohl(range->sadb_spirange_max);
5907 5908 dsa = (struct sockaddr_in *)(dst + 1);
5908 5909 dsa6 = (struct sockaddr_in6 *)dsa;
5909 5910
5910 5911 ssa = (struct sockaddr_in *)(src + 1);
5911 5912 ssa6 = (struct sockaddr_in6 *)ssa;
5912 5913 ASSERT(dsa->sin_family == ssa->sin_family);
5913 5914
5914 5915 srcaddr = ALL_ZEROES_PTR;
5915 5916 af = dsa->sin_family;
5916 5917 switch (af) {
5917 5918 case AF_INET:
5918 5919 if (src != NULL)
5919 5920 srcaddr = (uint32_t *)(&ssa->sin_addr);
5920 5921 dstaddr = (uint32_t *)(&dsa->sin_addr);
5921 5922 break;
5922 5923 case AF_INET6:
5923 5924 if (src != NULL)
5924 5925 srcaddr = (uint32_t *)(&ssa6->sin6_addr);
5925 5926 dstaddr = (uint32_t *)(&dsa6->sin6_addr);
5926 5927 break;
5927 5928 default:
5928 5929 *diagnostic = SADB_X_DIAGNOSTIC_BAD_DST_AF;
5929 5930 return ((ipsa_t *)-1);
5930 5931 }
5931 5932
5932 5933 if (master_spi < min || master_spi > max) {
5933 5934 /* Return a random value in the range. */
5934 5935 if (cl_inet_getspi) {
5935 5936 cl_inet_getspi(ns->netstack_stackid, protocol,
5936 5937 (uint8_t *)&add, sizeof (add), NULL);
5937 5938 } else {
5938 5939 (void) random_get_pseudo_bytes((uint8_t *)&add,
5939 5940 sizeof (add));
5940 5941 }
5941 5942 master_spi = min + (add % (max - min + 1));
5942 5943 }
5943 5944
5944 5945 /*
5945 5946 * Since master_spi is passed in host order, we need to htonl() it
5946 5947 * for the purposes of creating a new SA.
5947 5948 */
5948 5949 return (sadb_makelarvalassoc(htonl(master_spi), srcaddr, dstaddr, af,
5949 5950 ns));
5950 5951 }
5951 5952
5952 5953 /*
5953 5954 *
5954 5955 * Locate an ACQUIRE and nuke it. If I have an samsg that's larger than the
5955 5956 * base header, just ignore it. Otherwise, lock down the whole ACQUIRE list
5956 5957 * and scan for the sequence number in question. I may wish to accept an
5957 5958 * address pair with it, for easier searching.
5958 5959 *
5959 5960 * Caller frees the message, so we don't have to here.
5960 5961 *
5961 5962 * NOTE: The pfkey_q parameter may be used in the future for ACQUIRE
5962 5963 * failures.
5963 5964 */
5964 5965 /* ARGSUSED */
5965 5966 void
5966 5967 sadb_in_acquire(sadb_msg_t *samsg, sadbp_t *sp, queue_t *pfkey_q,
5967 5968 netstack_t *ns)
5968 5969 {
5969 5970 int i;
5970 5971 ipsacq_t *acqrec;
5971 5972 iacqf_t *bucket;
5972 5973
5973 5974 /*
5974 5975 * I only accept the base header for this!
5975 5976 * Though to be honest, requiring the dst address would help
5976 5977 * immensely.
5977 5978 *
5978 5979 * XXX There are already cases where I can get the dst address.
5979 5980 */
5980 5981 if (samsg->sadb_msg_len > SADB_8TO64(sizeof (*samsg)))
5981 5982 return;
5982 5983
5983 5984 /*
5984 5985 * Using the samsg->sadb_msg_seq, find the ACQUIRE record, delete it,
5985 5986 * (and in the future send a message to IP with the appropriate error
5986 5987 * number).
5987 5988 *
5988 5989 * Q: Do I want to reject if pid != 0?
5989 5990 */
5990 5991
5991 5992 for (i = 0; i < sp->s_v4.sdb_hashsize; i++) {
5992 5993 bucket = &sp->s_v4.sdb_acq[i];
5993 5994 mutex_enter(&bucket->iacqf_lock);
5994 5995 for (acqrec = bucket->iacqf_ipsacq; acqrec != NULL;
5995 5996 acqrec = acqrec->ipsacq_next) {
5996 5997 if (samsg->sadb_msg_seq == acqrec->ipsacq_seq)
5997 5998 break; /* for acqrec... loop. */
5998 5999 }
5999 6000 if (acqrec != NULL)
6000 6001 break; /* for i = 0... loop. */
6001 6002
6002 6003 mutex_exit(&bucket->iacqf_lock);
6003 6004 }
6004 6005
6005 6006 if (acqrec == NULL) {
6006 6007 for (i = 0; i < sp->s_v6.sdb_hashsize; i++) {
6007 6008 bucket = &sp->s_v6.sdb_acq[i];
6008 6009 mutex_enter(&bucket->iacqf_lock);
6009 6010 for (acqrec = bucket->iacqf_ipsacq; acqrec != NULL;
6010 6011 acqrec = acqrec->ipsacq_next) {
6011 6012 if (samsg->sadb_msg_seq == acqrec->ipsacq_seq)
6012 6013 break; /* for acqrec... loop. */
6013 6014 }
6014 6015 if (acqrec != NULL)
6015 6016 break; /* for i = 0... loop. */
6016 6017
6017 6018 mutex_exit(&bucket->iacqf_lock);
6018 6019 }
6019 6020 }
6020 6021
6021 6022
6022 6023 if (acqrec == NULL)
6023 6024 return;
6024 6025
6025 6026 /*
6026 6027 * What do I do with the errno and IP? I may need mp's services a
6027 6028 * little more. See sadb_destroy_acquire() for future directions
6028 6029 * beyond free the mblk chain on the acquire record.
6029 6030 */
6030 6031
6031 6032 ASSERT(&bucket->iacqf_lock == acqrec->ipsacq_linklock);
6032 6033 sadb_destroy_acquire(acqrec, ns);
6033 6034 /* Have to exit mutex here, because of breaking out of for loop. */
6034 6035 mutex_exit(&bucket->iacqf_lock);
6035 6036 }
6036 6037
6037 6038 /*
6038 6039 * The following functions work with the replay windows of an SA. They assume
6039 6040 * the ipsa->ipsa_replay_arr is an array of uint64_t, and that the bit vector
6040 6041 * represents the highest sequence number packet received, and back
6041 6042 * (ipsa->ipsa_replay_wsize) packets.
6042 6043 */
6043 6044
6044 6045 /*
6045 6046 * Is the replay bit set?
6046 6047 */
6047 6048 static boolean_t
6048 6049 ipsa_is_replay_set(ipsa_t *ipsa, uint32_t offset)
6049 6050 {
6050 6051 uint64_t bit = (uint64_t)1 << (uint64_t)(offset & 63);
6051 6052
6052 6053 return ((bit & ipsa->ipsa_replay_arr[offset >> 6]) ? B_TRUE : B_FALSE);
6053 6054 }
6054 6055
6055 6056 /*
6056 6057 * Shift the bits of the replay window over.
6057 6058 */
6058 6059 static void
6059 6060 ipsa_shift_replay(ipsa_t *ipsa, uint32_t shift)
6060 6061 {
6061 6062 int i;
6062 6063 int jump = ((shift - 1) >> 6) + 1;
6063 6064
6064 6065 if (shift == 0)
6065 6066 return;
6066 6067
6067 6068 for (i = (ipsa->ipsa_replay_wsize - 1) >> 6; i >= 0; i--) {
6068 6069 if (i + jump <= (ipsa->ipsa_replay_wsize - 1) >> 6) {
6069 6070 ipsa->ipsa_replay_arr[i + jump] |=
6070 6071 ipsa->ipsa_replay_arr[i] >> (64 - (shift & 63));
6071 6072 }
6072 6073 ipsa->ipsa_replay_arr[i] <<= shift;
6073 6074 }
6074 6075 }
6075 6076
6076 6077 /*
6077 6078 * Set a bit in the bit vector.
6078 6079 */
6079 6080 static void
6080 6081 ipsa_set_replay(ipsa_t *ipsa, uint32_t offset)
6081 6082 {
6082 6083 uint64_t bit = (uint64_t)1 << (uint64_t)(offset & 63);
6083 6084
6084 6085 ipsa->ipsa_replay_arr[offset >> 6] |= bit;
6085 6086 }
6086 6087
6087 6088 #define SADB_MAX_REPLAY_VALUE 0xffffffff
6088 6089
6089 6090 /*
6090 6091 * Assume caller has NOT done ntohl() already on seq. Check to see
6091 6092 * if replay sequence number "seq" has been seen already.
6092 6093 */
6093 6094 boolean_t
6094 6095 sadb_replay_check(ipsa_t *ipsa, uint32_t seq)
6095 6096 {
6096 6097 boolean_t rc;
6097 6098 uint32_t diff;
6098 6099
6099 6100 if (ipsa->ipsa_replay_wsize == 0)
6100 6101 return (B_TRUE);
6101 6102
6102 6103 /*
6103 6104 * NOTE: I've already checked for 0 on the wire in sadb_replay_peek().
6104 6105 */
6105 6106
6106 6107 /* Convert sequence number into host order before holding the mutex. */
6107 6108 seq = ntohl(seq);
6108 6109
6109 6110 mutex_enter(&ipsa->ipsa_lock);
6110 6111
6111 6112 /* Initialize inbound SA's ipsa_replay field to last one received. */
6112 6113 if (ipsa->ipsa_replay == 0)
6113 6114 ipsa->ipsa_replay = 1;
6114 6115
6115 6116 if (seq > ipsa->ipsa_replay) {
6116 6117 /*
6117 6118 * I have received a new "highest value received". Shift
6118 6119 * the replay window over.
6119 6120 */
6120 6121 diff = seq - ipsa->ipsa_replay;
6121 6122 if (diff < ipsa->ipsa_replay_wsize) {
6122 6123 /* In replay window, shift bits over. */
6123 6124 ipsa_shift_replay(ipsa, diff);
6124 6125 } else {
6125 6126 /* WAY FAR AHEAD, clear bits and start again. */
6126 6127 bzero(ipsa->ipsa_replay_arr,
6127 6128 sizeof (ipsa->ipsa_replay_arr));
6128 6129 }
6129 6130 ipsa_set_replay(ipsa, 0);
6130 6131 ipsa->ipsa_replay = seq;
6131 6132 rc = B_TRUE;
6132 6133 goto done;
6133 6134 }
6134 6135 diff = ipsa->ipsa_replay - seq;
6135 6136 if (diff >= ipsa->ipsa_replay_wsize || ipsa_is_replay_set(ipsa, diff)) {
6136 6137 rc = B_FALSE;
6137 6138 goto done;
6138 6139 }
6139 6140 /* Set this packet as seen. */
6140 6141 ipsa_set_replay(ipsa, diff);
6141 6142
6142 6143 rc = B_TRUE;
6143 6144 done:
6144 6145 mutex_exit(&ipsa->ipsa_lock);
6145 6146 return (rc);
6146 6147 }
6147 6148
6148 6149 /*
6149 6150 * "Peek" and see if we should even bother going through the effort of
6150 6151 * running an authentication check on the sequence number passed in.
6151 6152 * this takes into account packets that are below the replay window,
6152 6153 * and collisions with already replayed packets. Return B_TRUE if it
6153 6154 * is okay to proceed, B_FALSE if this packet should be dropped immediately.
6154 6155 * Assume same byte-ordering as sadb_replay_check.
6155 6156 */
6156 6157 boolean_t
6157 6158 sadb_replay_peek(ipsa_t *ipsa, uint32_t seq)
6158 6159 {
6159 6160 boolean_t rc = B_FALSE;
6160 6161 uint32_t diff;
6161 6162
6162 6163 if (ipsa->ipsa_replay_wsize == 0)
6163 6164 return (B_TRUE);
6164 6165
6165 6166 /*
6166 6167 * 0 is 0, regardless of byte order... :)
6167 6168 *
6168 6169 * If I get 0 on the wire (and there is a replay window) then the
6169 6170 * sender most likely wrapped. This ipsa may need to be marked or
6170 6171 * something.
6171 6172 */
6172 6173 if (seq == 0)
6173 6174 return (B_FALSE);
6174 6175
6175 6176 seq = ntohl(seq);
6176 6177 mutex_enter(&ipsa->ipsa_lock);
6177 6178 if (seq < ipsa->ipsa_replay - ipsa->ipsa_replay_wsize &&
6178 6179 ipsa->ipsa_replay >= ipsa->ipsa_replay_wsize)
6179 6180 goto done;
6180 6181
6181 6182 /*
6182 6183 * If I've hit 0xffffffff, then quite honestly, I don't need to
6183 6184 * bother with formalities. I'm not accepting any more packets
6184 6185 * on this SA.
6185 6186 */
6186 6187 if (ipsa->ipsa_replay == SADB_MAX_REPLAY_VALUE) {
6187 6188 /*
6188 6189 * Since we're already holding the lock, update the
6189 6190 * expire time ala. sadb_replay_delete() and return.
6190 6191 */
6191 6192 ipsa->ipsa_hardexpiretime = (time_t)1;
6192 6193 goto done;
6193 6194 }
6194 6195
6195 6196 if (seq <= ipsa->ipsa_replay) {
6196 6197 /*
6197 6198 * This seq is in the replay window. I'm not below it,
6198 6199 * because I already checked for that above!
6199 6200 */
6200 6201 diff = ipsa->ipsa_replay - seq;
6201 6202 if (ipsa_is_replay_set(ipsa, diff))
6202 6203 goto done;
6203 6204 }
6204 6205 /* Else return B_TRUE, I'm going to advance the window. */
6205 6206
6206 6207 rc = B_TRUE;
6207 6208 done:
6208 6209 mutex_exit(&ipsa->ipsa_lock);
6209 6210 return (rc);
6210 6211 }
6211 6212
6212 6213 /*
6213 6214 * Delete a single SA.
6214 6215 *
6215 6216 * For now, use the quick-and-dirty trick of making the association's
6216 6217 * hard-expire lifetime (time_t)1, ensuring deletion by the *_ager().
6217 6218 */
6218 6219 void
6219 6220 sadb_replay_delete(ipsa_t *assoc)
6220 6221 {
6221 6222 mutex_enter(&assoc->ipsa_lock);
6222 6223 assoc->ipsa_hardexpiretime = (time_t)1;
6223 6224 mutex_exit(&assoc->ipsa_lock);
6224 6225 }
6225 6226
6226 6227 /*
6227 6228 * Special front-end to ipsec_rl_strlog() dealing with SA failure.
6228 6229 * this is designed to take only a format string with "* %x * %s *", so
6229 6230 * that "spi" is printed first, then "addr" is converted using inet_pton().
6230 6231 *
6231 6232 * This is abstracted out to save the stack space for only when inet_pton()
6232 6233 * is called. Make sure "spi" is in network order; it usually is when this
6233 6234 * would get called.
6234 6235 */
6235 6236 void
6236 6237 ipsec_assocfailure(short mid, short sid, char level, ushort_t sl, char *fmt,
6237 6238 uint32_t spi, void *addr, int af, netstack_t *ns)
6238 6239 {
6239 6240 char buf[INET6_ADDRSTRLEN];
6240 6241
6241 6242 ASSERT(af == AF_INET6 || af == AF_INET);
6242 6243
6243 6244 ipsec_rl_strlog(ns, mid, sid, level, sl, fmt, ntohl(spi),
6244 6245 inet_ntop(af, addr, buf, sizeof (buf)));
6245 6246 }
6246 6247
6247 6248 /*
6248 6249 * Fills in a reference to the policy, if any, from the conn, in *ppp
6249 6250 */
6250 6251 static void
6251 6252 ipsec_conn_pol(ipsec_selector_t *sel, conn_t *connp, ipsec_policy_t **ppp)
6252 6253 {
6253 6254 ipsec_policy_t *pp;
6254 6255 ipsec_latch_t *ipl = connp->conn_latch;
6255 6256
6256 6257 if ((ipl != NULL) && (connp->conn_ixa->ixa_ipsec_policy != NULL)) {
6257 6258 pp = connp->conn_ixa->ixa_ipsec_policy;
6258 6259 IPPOL_REFHOLD(pp);
6259 6260 } else {
6260 6261 pp = ipsec_find_policy(IPSEC_TYPE_OUTBOUND, connp, sel,
6261 6262 connp->conn_netstack);
6262 6263 }
6263 6264 *ppp = pp;
6264 6265 }
6265 6266
6266 6267 /*
6267 6268 * The following functions scan through active conn_t structures
6268 6269 * and return a reference to the best-matching policy it can find.
6269 6270 * Caller must release the reference.
6270 6271 */
6271 6272 static void
6272 6273 ipsec_udp_pol(ipsec_selector_t *sel, ipsec_policy_t **ppp, ip_stack_t *ipst)
6273 6274 {
6274 6275 connf_t *connfp;
6275 6276 conn_t *connp = NULL;
6276 6277 ipsec_selector_t portonly;
6277 6278
6278 6279 bzero((void *)&portonly, sizeof (portonly));
6279 6280
6280 6281 if (sel->ips_local_port == 0)
6281 6282 return;
6282 6283
6283 6284 connfp = &ipst->ips_ipcl_udp_fanout[IPCL_UDP_HASH(sel->ips_local_port,
6284 6285 ipst)];
6285 6286 mutex_enter(&connfp->connf_lock);
6286 6287
6287 6288 if (sel->ips_isv4) {
6288 6289 connp = connfp->connf_head;
6289 6290 while (connp != NULL) {
6290 6291 if (IPCL_UDP_MATCH(connp, sel->ips_local_port,
6291 6292 sel->ips_local_addr_v4, sel->ips_remote_port,
6292 6293 sel->ips_remote_addr_v4))
6293 6294 break;
6294 6295 connp = connp->conn_next;
6295 6296 }
6296 6297
6297 6298 if (connp == NULL) {
6298 6299 /* Try port-only match in IPv6. */
6299 6300 portonly.ips_local_port = sel->ips_local_port;
6300 6301 sel = &portonly;
6301 6302 }
6302 6303 }
6303 6304
6304 6305 if (connp == NULL) {
6305 6306 connp = connfp->connf_head;
6306 6307 while (connp != NULL) {
6307 6308 if (IPCL_UDP_MATCH_V6(connp, sel->ips_local_port,
6308 6309 sel->ips_local_addr_v6, sel->ips_remote_port,
6309 6310 sel->ips_remote_addr_v6))
6310 6311 break;
6311 6312 connp = connp->conn_next;
6312 6313 }
6313 6314
6314 6315 if (connp == NULL) {
6315 6316 mutex_exit(&connfp->connf_lock);
6316 6317 return;
6317 6318 }
6318 6319 }
6319 6320
6320 6321 CONN_INC_REF(connp);
6321 6322 mutex_exit(&connfp->connf_lock);
6322 6323
6323 6324 ipsec_conn_pol(sel, connp, ppp);
6324 6325 CONN_DEC_REF(connp);
6325 6326 }
6326 6327
6327 6328 static conn_t *
6328 6329 ipsec_find_listen_conn(uint16_t *pptr, ipsec_selector_t *sel, ip_stack_t *ipst)
6329 6330 {
6330 6331 connf_t *connfp;
6331 6332 conn_t *connp = NULL;
6332 6333 const in6_addr_t *v6addrmatch = &sel->ips_local_addr_v6;
6333 6334
6334 6335 if (sel->ips_local_port == 0)
6335 6336 return (NULL);
6336 6337
6337 6338 connfp = &ipst->ips_ipcl_bind_fanout[
6338 6339 IPCL_BIND_HASH(sel->ips_local_port, ipst)];
6339 6340 mutex_enter(&connfp->connf_lock);
6340 6341
6341 6342 if (sel->ips_isv4) {
6342 6343 connp = connfp->connf_head;
6343 6344 while (connp != NULL) {
6344 6345 if (IPCL_BIND_MATCH(connp, IPPROTO_TCP,
6345 6346 sel->ips_local_addr_v4, pptr[1]))
6346 6347 break;
6347 6348 connp = connp->conn_next;
6348 6349 }
6349 6350
6350 6351 if (connp == NULL) {
6351 6352 /* Match to all-zeroes. */
6352 6353 v6addrmatch = &ipv6_all_zeros;
6353 6354 }
6354 6355 }
6355 6356
6356 6357 if (connp == NULL) {
6357 6358 connp = connfp->connf_head;
6358 6359 while (connp != NULL) {
6359 6360 if (IPCL_BIND_MATCH_V6(connp, IPPROTO_TCP,
6360 6361 *v6addrmatch, pptr[1]))
6361 6362 break;
6362 6363 connp = connp->conn_next;
6363 6364 }
6364 6365
6365 6366 if (connp == NULL) {
6366 6367 mutex_exit(&connfp->connf_lock);
6367 6368 return (NULL);
6368 6369 }
6369 6370 }
6370 6371
6371 6372 CONN_INC_REF(connp);
6372 6373 mutex_exit(&connfp->connf_lock);
6373 6374 return (connp);
6374 6375 }
6375 6376
6376 6377 static void
6377 6378 ipsec_tcp_pol(ipsec_selector_t *sel, ipsec_policy_t **ppp, ip_stack_t *ipst)
6378 6379 {
6379 6380 connf_t *connfp;
6380 6381 conn_t *connp;
6381 6382 uint32_t ports;
6382 6383 uint16_t *pptr = (uint16_t *)&ports;
6383 6384
6384 6385 /*
6385 6386 * Find TCP state in the following order:
6386 6387 * 1.) Connected conns.
6387 6388 * 2.) Listeners.
6388 6389 *
6389 6390 * Even though #2 will be the common case for inbound traffic, only
6390 6391 * following this order insures correctness.
6391 6392 */
6392 6393
6393 6394 if (sel->ips_local_port == 0)
6394 6395 return;
6395 6396
6396 6397 /*
6397 6398 * 0 should be fport, 1 should be lport. SRC is the local one here.
6398 6399 * See ipsec_construct_inverse_acquire() for details.
6399 6400 */
6400 6401 pptr[0] = sel->ips_remote_port;
6401 6402 pptr[1] = sel->ips_local_port;
6402 6403
6403 6404 connfp = &ipst->ips_ipcl_conn_fanout[
6404 6405 IPCL_CONN_HASH(sel->ips_remote_addr_v4, ports, ipst)];
6405 6406 mutex_enter(&connfp->connf_lock);
6406 6407 connp = connfp->connf_head;
6407 6408
6408 6409 if (sel->ips_isv4) {
6409 6410 while (connp != NULL) {
6410 6411 if (IPCL_CONN_MATCH(connp, IPPROTO_TCP,
6411 6412 sel->ips_remote_addr_v4, sel->ips_local_addr_v4,
6412 6413 ports))
6413 6414 break;
6414 6415 connp = connp->conn_next;
6415 6416 }
6416 6417 } else {
6417 6418 while (connp != NULL) {
6418 6419 if (IPCL_CONN_MATCH_V6(connp, IPPROTO_TCP,
6419 6420 sel->ips_remote_addr_v6, sel->ips_local_addr_v6,
6420 6421 ports))
6421 6422 break;
6422 6423 connp = connp->conn_next;
6423 6424 }
6424 6425 }
6425 6426
6426 6427 if (connp != NULL) {
6427 6428 CONN_INC_REF(connp);
6428 6429 mutex_exit(&connfp->connf_lock);
6429 6430 } else {
6430 6431 mutex_exit(&connfp->connf_lock);
6431 6432
6432 6433 /* Try the listen hash. */
6433 6434 if ((connp = ipsec_find_listen_conn(pptr, sel, ipst)) == NULL)
6434 6435 return;
6435 6436 }
6436 6437
6437 6438 ipsec_conn_pol(sel, connp, ppp);
6438 6439 CONN_DEC_REF(connp);
6439 6440 }
6440 6441
6441 6442 static void
6442 6443 ipsec_sctp_pol(ipsec_selector_t *sel, ipsec_policy_t **ppp,
6443 6444 ip_stack_t *ipst)
6444 6445 {
6445 6446 conn_t *connp;
6446 6447 uint32_t ports;
6447 6448 uint16_t *pptr = (uint16_t *)&ports;
6448 6449
6449 6450 /*
6450 6451 * Find SCP state in the following order:
6451 6452 * 1.) Connected conns.
6452 6453 * 2.) Listeners.
6453 6454 *
6454 6455 * Even though #2 will be the common case for inbound traffic, only
6455 6456 * following this order insures correctness.
6456 6457 */
6457 6458
6458 6459 if (sel->ips_local_port == 0)
6459 6460 return;
6460 6461
6461 6462 /*
6462 6463 * 0 should be fport, 1 should be lport. SRC is the local one here.
6463 6464 * See ipsec_construct_inverse_acquire() for details.
6464 6465 */
6465 6466 pptr[0] = sel->ips_remote_port;
6466 6467 pptr[1] = sel->ips_local_port;
6467 6468
6468 6469 /*
6469 6470 * For labeled systems, there's no need to check the
6470 6471 * label here. It's known to be good as we checked
6471 6472 * before allowing the connection to become bound.
6472 6473 */
6473 6474 if (sel->ips_isv4) {
6474 6475 in6_addr_t src, dst;
6475 6476
6476 6477 IN6_IPADDR_TO_V4MAPPED(sel->ips_remote_addr_v4, &dst);
6477 6478 IN6_IPADDR_TO_V4MAPPED(sel->ips_local_addr_v4, &src);
6478 6479 connp = sctp_find_conn(&dst, &src, ports, ALL_ZONES,
6479 6480 0, ipst->ips_netstack->netstack_sctp);
6480 6481 } else {
6481 6482 connp = sctp_find_conn(&sel->ips_remote_addr_v6,
6482 6483 &sel->ips_local_addr_v6, ports, ALL_ZONES,
6483 6484 0, ipst->ips_netstack->netstack_sctp);
6484 6485 }
6485 6486 if (connp == NULL)
6486 6487 return;
6487 6488 ipsec_conn_pol(sel, connp, ppp);
6488 6489 CONN_DEC_REF(connp);
6489 6490 }
6490 6491
6491 6492 /*
6492 6493 * Fill in a query for the SPD (in "sel") using two PF_KEY address extensions.
6493 6494 * Returns 0 or errno, and always sets *diagnostic to something appropriate
6494 6495 * to PF_KEY.
6495 6496 *
6496 6497 * NOTE: For right now, this function (and ipsec_selector_t for that matter),
6497 6498 * ignore prefix lengths in the address extension. Since we match on first-
6498 6499 * entered policies, this shouldn't matter. Also, since we normalize prefix-
6499 6500 * set addresses to mask out the lower bits, we should get a suitable search
6500 6501 * key for the SPD anyway. This is the function to change if the assumption
6501 6502 * about suitable search keys is wrong.
6502 6503 */
6503 6504 static int
6504 6505 ipsec_get_inverse_acquire_sel(ipsec_selector_t *sel, sadb_address_t *srcext,
6505 6506 sadb_address_t *dstext, int *diagnostic)
6506 6507 {
6507 6508 struct sockaddr_in *src, *dst;
6508 6509 struct sockaddr_in6 *src6, *dst6;
6509 6510
6510 6511 *diagnostic = 0;
6511 6512
6512 6513 bzero(sel, sizeof (*sel));
6513 6514 sel->ips_protocol = srcext->sadb_address_proto;
6514 6515 dst = (struct sockaddr_in *)(dstext + 1);
6515 6516 if (dst->sin_family == AF_INET6) {
6516 6517 dst6 = (struct sockaddr_in6 *)dst;
6517 6518 src6 = (struct sockaddr_in6 *)(srcext + 1);
6518 6519 if (src6->sin6_family != AF_INET6) {
6519 6520 *diagnostic = SADB_X_DIAGNOSTIC_AF_MISMATCH;
6520 6521 return (EINVAL);
6521 6522 }
6522 6523 sel->ips_remote_addr_v6 = dst6->sin6_addr;
6523 6524 sel->ips_local_addr_v6 = src6->sin6_addr;
6524 6525 if (sel->ips_protocol == IPPROTO_ICMPV6) {
6525 6526 sel->ips_is_icmp_inv_acq = 1;
6526 6527 } else {
6527 6528 sel->ips_remote_port = dst6->sin6_port;
6528 6529 sel->ips_local_port = src6->sin6_port;
6529 6530 }
6530 6531 sel->ips_isv4 = B_FALSE;
6531 6532 } else {
6532 6533 src = (struct sockaddr_in *)(srcext + 1);
6533 6534 if (src->sin_family != AF_INET) {
6534 6535 *diagnostic = SADB_X_DIAGNOSTIC_AF_MISMATCH;
6535 6536 return (EINVAL);
6536 6537 }
6537 6538 sel->ips_remote_addr_v4 = dst->sin_addr.s_addr;
6538 6539 sel->ips_local_addr_v4 = src->sin_addr.s_addr;
6539 6540 if (sel->ips_protocol == IPPROTO_ICMP) {
6540 6541 sel->ips_is_icmp_inv_acq = 1;
6541 6542 } else {
6542 6543 sel->ips_remote_port = dst->sin_port;
6543 6544 sel->ips_local_port = src->sin_port;
6544 6545 }
6545 6546 sel->ips_isv4 = B_TRUE;
6546 6547 }
6547 6548 return (0);
6548 6549 }
6549 6550
6550 6551 /*
6551 6552 * We have encapsulation.
6552 6553 * - Lookup tun_t by address and look for an associated
6553 6554 * tunnel policy
6554 6555 * - If there are inner selectors
6555 6556 * - check ITPF_P_TUNNEL and ITPF_P_ACTIVE
6556 6557 * - Look up tunnel policy based on selectors
6557 6558 * - Else
6558 6559 * - Sanity check the negotation
6559 6560 * - If appropriate, fall through to global policy
6560 6561 */
6561 6562 static int
6562 6563 ipsec_tun_pol(ipsec_selector_t *sel, ipsec_policy_t **ppp,
6563 6564 sadb_address_t *innsrcext, sadb_address_t *inndstext, ipsec_tun_pol_t *itp,
6564 6565 int *diagnostic)
6565 6566 {
6566 6567 int err;
6567 6568 ipsec_policy_head_t *polhead;
6568 6569
6569 6570 *diagnostic = 0;
6570 6571
6571 6572 /* Check for inner selectors and act appropriately */
6572 6573
6573 6574 if (innsrcext != NULL) {
6574 6575 /* Inner selectors present */
6575 6576 ASSERT(inndstext != NULL);
6576 6577 if ((itp == NULL) ||
6577 6578 (itp->itp_flags & (ITPF_P_ACTIVE | ITPF_P_TUNNEL)) !=
6578 6579 (ITPF_P_ACTIVE | ITPF_P_TUNNEL)) {
6579 6580 /*
6580 6581 * If inner packet selectors, we must have negotiate
6581 6582 * tunnel and active policy. If the tunnel has
6582 6583 * transport-mode policy set on it, or has no policy,
6583 6584 * fail.
6584 6585 */
6585 6586 return (ENOENT);
6586 6587 } else {
6587 6588 /*
6588 6589 * Reset "sel" to indicate inner selectors. Pass
6589 6590 * inner PF_KEY address extensions for this to happen.
6590 6591 */
6591 6592 if ((err = ipsec_get_inverse_acquire_sel(sel,
6592 6593 innsrcext, inndstext, diagnostic)) != 0)
6593 6594 return (err);
6594 6595 /*
6595 6596 * Now look for a tunnel policy based on those inner
6596 6597 * selectors. (Common code is below.)
6597 6598 */
6598 6599 }
6599 6600 } else {
6600 6601 /* No inner selectors present */
6601 6602 if ((itp == NULL) || !(itp->itp_flags & ITPF_P_ACTIVE)) {
6602 6603 /*
6603 6604 * Transport mode negotiation with no tunnel policy
6604 6605 * configured - return to indicate a global policy
6605 6606 * check is needed.
6606 6607 */
6607 6608 return (0);
6608 6609 } else if (itp->itp_flags & ITPF_P_TUNNEL) {
6609 6610 /* Tunnel mode set with no inner selectors. */
6610 6611 return (ENOENT);
6611 6612 }
6612 6613 /*
6613 6614 * Else, this is a tunnel policy configured with ifconfig(1m)
6614 6615 * or "negotiate transport" with ipsecconf(1m). We have an
6615 6616 * itp with policy set based on any match, so don't bother
6616 6617 * changing fields in "sel".
6617 6618 */
6618 6619 }
6619 6620
6620 6621 ASSERT(itp != NULL);
6621 6622 polhead = itp->itp_policy;
6622 6623 ASSERT(polhead != NULL);
6623 6624 rw_enter(&polhead->iph_lock, RW_READER);
6624 6625 *ppp = ipsec_find_policy_head(NULL, polhead, IPSEC_TYPE_INBOUND, sel);
6625 6626 rw_exit(&polhead->iph_lock);
6626 6627
6627 6628 /*
6628 6629 * Don't default to global if we didn't find a matching policy entry.
6629 6630 * Instead, send ENOENT, just like if we hit a transport-mode tunnel.
6630 6631 */
6631 6632 if (*ppp == NULL)
6632 6633 return (ENOENT);
6633 6634
6634 6635 return (0);
6635 6636 }
6636 6637
6637 6638 /*
6638 6639 * For sctp conn_faddr is the primary address, hence this is of limited
6639 6640 * use for sctp.
6640 6641 */
6641 6642 static void
6642 6643 ipsec_oth_pol(ipsec_selector_t *sel, ipsec_policy_t **ppp,
6643 6644 ip_stack_t *ipst)
6644 6645 {
6645 6646 boolean_t isv4 = sel->ips_isv4;
6646 6647 connf_t *connfp;
6647 6648 conn_t *connp;
6648 6649
6649 6650 if (isv4) {
6650 6651 connfp = &ipst->ips_ipcl_proto_fanout_v4[sel->ips_protocol];
6651 6652 } else {
6652 6653 connfp = &ipst->ips_ipcl_proto_fanout_v6[sel->ips_protocol];
6653 6654 }
6654 6655
6655 6656 mutex_enter(&connfp->connf_lock);
6656 6657 for (connp = connfp->connf_head; connp != NULL;
6657 6658 connp = connp->conn_next) {
6658 6659 if (isv4) {
6659 6660 if ((connp->conn_laddr_v4 == INADDR_ANY ||
6660 6661 connp->conn_laddr_v4 == sel->ips_local_addr_v4) &&
6661 6662 (connp->conn_faddr_v4 == INADDR_ANY ||
6662 6663 connp->conn_faddr_v4 == sel->ips_remote_addr_v4))
6663 6664 break;
6664 6665 } else {
6665 6666 if ((IN6_IS_ADDR_UNSPECIFIED(&connp->conn_laddr_v6) ||
6666 6667 IN6_ARE_ADDR_EQUAL(&connp->conn_laddr_v6,
6667 6668 &sel->ips_local_addr_v6)) &&
6668 6669 (IN6_IS_ADDR_UNSPECIFIED(&connp->conn_faddr_v6) ||
6669 6670 IN6_ARE_ADDR_EQUAL(&connp->conn_faddr_v6,
6670 6671 &sel->ips_remote_addr_v6)))
6671 6672 break;
6672 6673 }
6673 6674 }
6674 6675 if (connp == NULL) {
6675 6676 mutex_exit(&connfp->connf_lock);
6676 6677 return;
6677 6678 }
6678 6679
6679 6680 CONN_INC_REF(connp);
6680 6681 mutex_exit(&connfp->connf_lock);
6681 6682
6682 6683 ipsec_conn_pol(sel, connp, ppp);
6683 6684 CONN_DEC_REF(connp);
6684 6685 }
6685 6686
6686 6687 /*
6687 6688 * Construct an inverse ACQUIRE reply based on:
6688 6689 *
6689 6690 * 1.) Current global policy.
6690 6691 * 2.) An conn_t match depending on what all was passed in the extv[].
6691 6692 * 3.) A tunnel's policy head.
6692 6693 * ...
6693 6694 * N.) Other stuff TBD (e.g. identities)
6694 6695 *
6695 6696 * If there is an error, set sadb_msg_errno and sadb_x_msg_diagnostic
6696 6697 * in this function so the caller can extract them where appropriately.
6697 6698 *
6698 6699 * The SRC address is the local one - just like an outbound ACQUIRE message.
6699 6700 *
6700 6701 * XXX MLS: key management supplies a label which we just reflect back up
6701 6702 * again. clearly we need to involve the label in the rest of the checks.
6702 6703 */
6703 6704 mblk_t *
6704 6705 ipsec_construct_inverse_acquire(sadb_msg_t *samsg, sadb_ext_t *extv[],
6705 6706 netstack_t *ns)
6706 6707 {
6707 6708 int err;
6708 6709 int diagnostic;
6709 6710 sadb_address_t *srcext = (sadb_address_t *)extv[SADB_EXT_ADDRESS_SRC],
6710 6711 *dstext = (sadb_address_t *)extv[SADB_EXT_ADDRESS_DST],
6711 6712 *innsrcext = (sadb_address_t *)extv[SADB_X_EXT_ADDRESS_INNER_SRC],
6712 6713 *inndstext = (sadb_address_t *)extv[SADB_X_EXT_ADDRESS_INNER_DST];
6713 6714 sadb_sens_t *sens = (sadb_sens_t *)extv[SADB_EXT_SENSITIVITY];
6714 6715 struct sockaddr_in6 *src, *dst;
6715 6716 struct sockaddr_in6 *isrc, *idst;
6716 6717 ipsec_tun_pol_t *itp = NULL;
6717 6718 ipsec_policy_t *pp = NULL;
6718 6719 ipsec_selector_t sel, isel;
6719 6720 mblk_t *retmp = NULL;
6720 6721 ip_stack_t *ipst = ns->netstack_ip;
6721 6722
6722 6723
6723 6724 /* Normalize addresses */
6724 6725 if (sadb_addrcheck(NULL, (mblk_t *)samsg, (sadb_ext_t *)srcext, 0, ns)
6725 6726 == KS_IN_ADDR_UNKNOWN) {
6726 6727 err = EINVAL;
6727 6728 diagnostic = SADB_X_DIAGNOSTIC_BAD_SRC;
6728 6729 goto bail;
6729 6730 }
6730 6731 src = (struct sockaddr_in6 *)(srcext + 1);
6731 6732 if (sadb_addrcheck(NULL, (mblk_t *)samsg, (sadb_ext_t *)dstext, 0, ns)
6732 6733 == KS_IN_ADDR_UNKNOWN) {
6733 6734 err = EINVAL;
6734 6735 diagnostic = SADB_X_DIAGNOSTIC_BAD_DST;
6735 6736 goto bail;
6736 6737 }
6737 6738 dst = (struct sockaddr_in6 *)(dstext + 1);
6738 6739 if (src->sin6_family != dst->sin6_family) {
6739 6740 err = EINVAL;
6740 6741 diagnostic = SADB_X_DIAGNOSTIC_AF_MISMATCH;
6741 6742 goto bail;
6742 6743 }
6743 6744
6744 6745 /* Check for tunnel mode and act appropriately */
6745 6746 if (innsrcext != NULL) {
6746 6747 if (inndstext == NULL) {
6747 6748 err = EINVAL;
6748 6749 diagnostic = SADB_X_DIAGNOSTIC_MISSING_INNER_DST;
6749 6750 goto bail;
6750 6751 }
6751 6752 if (sadb_addrcheck(NULL, (mblk_t *)samsg,
6752 6753 (sadb_ext_t *)innsrcext, 0, ns) == KS_IN_ADDR_UNKNOWN) {
6753 6754 err = EINVAL;
6754 6755 diagnostic = SADB_X_DIAGNOSTIC_MALFORMED_INNER_SRC;
6755 6756 goto bail;
6756 6757 }
6757 6758 isrc = (struct sockaddr_in6 *)(innsrcext + 1);
6758 6759 if (sadb_addrcheck(NULL, (mblk_t *)samsg,
6759 6760 (sadb_ext_t *)inndstext, 0, ns) == KS_IN_ADDR_UNKNOWN) {
6760 6761 err = EINVAL;
6761 6762 diagnostic = SADB_X_DIAGNOSTIC_MALFORMED_INNER_DST;
6762 6763 goto bail;
6763 6764 }
6764 6765 idst = (struct sockaddr_in6 *)(inndstext + 1);
6765 6766 if (isrc->sin6_family != idst->sin6_family) {
6766 6767 err = EINVAL;
6767 6768 diagnostic = SADB_X_DIAGNOSTIC_INNER_AF_MISMATCH;
6768 6769 goto bail;
6769 6770 }
6770 6771 if (isrc->sin6_family != AF_INET &&
6771 6772 isrc->sin6_family != AF_INET6) {
6772 6773 err = EINVAL;
6773 6774 diagnostic = SADB_X_DIAGNOSTIC_BAD_INNER_SRC_AF;
6774 6775 goto bail;
6775 6776 }
6776 6777 } else if (inndstext != NULL) {
6777 6778 err = EINVAL;
6778 6779 diagnostic = SADB_X_DIAGNOSTIC_MISSING_INNER_SRC;
6779 6780 goto bail;
6780 6781 }
6781 6782
6782 6783 /* Get selectors first, based on outer addresses */
6783 6784 err = ipsec_get_inverse_acquire_sel(&sel, srcext, dstext, &diagnostic);
6784 6785 if (err != 0)
6785 6786 goto bail;
6786 6787
6787 6788 /* Check for tunnel mode mismatches. */
6788 6789 if (innsrcext != NULL &&
6789 6790 ((isrc->sin6_family == AF_INET &&
6790 6791 sel.ips_protocol != IPPROTO_ENCAP && sel.ips_protocol != 0) ||
6791 6792 (isrc->sin6_family == AF_INET6 &&
6792 6793 sel.ips_protocol != IPPROTO_IPV6 && sel.ips_protocol != 0))) {
6793 6794 err = EPROTOTYPE;
6794 6795 goto bail;
6795 6796 }
6796 6797
6797 6798 /*
6798 6799 * Okay, we have the addresses and other selector information.
6799 6800 * Let's first find a conn...
6800 6801 */
6801 6802 pp = NULL;
6802 6803 switch (sel.ips_protocol) {
6803 6804 case IPPROTO_TCP:
6804 6805 ipsec_tcp_pol(&sel, &pp, ipst);
6805 6806 break;
6806 6807 case IPPROTO_UDP:
6807 6808 ipsec_udp_pol(&sel, &pp, ipst);
6808 6809 break;
6809 6810 case IPPROTO_SCTP:
6810 6811 ipsec_sctp_pol(&sel, &pp, ipst);
6811 6812 break;
6812 6813 case IPPROTO_ENCAP:
6813 6814 case IPPROTO_IPV6:
6814 6815 /*
6815 6816 * Assume sel.ips_remote_addr_* has the right address at
6816 6817 * that exact position.
6817 6818 */
6818 6819 itp = itp_get_byaddr((uint32_t *)(&sel.ips_local_addr_v6),
6819 6820 (uint32_t *)(&sel.ips_remote_addr_v6), src->sin6_family,
6820 6821 ipst);
6821 6822
6822 6823 if (innsrcext == NULL) {
6823 6824 /*
6824 6825 * Transport-mode tunnel, make sure we fake out isel
6825 6826 * to contain something based on the outer protocol.
6826 6827 */
6827 6828 bzero(&isel, sizeof (isel));
6828 6829 isel.ips_isv4 = (sel.ips_protocol == IPPROTO_ENCAP);
6829 6830 } /* Else isel is initialized by ipsec_tun_pol(). */
6830 6831 err = ipsec_tun_pol(&isel, &pp, innsrcext, inndstext, itp,
6831 6832 &diagnostic);
6832 6833 /*
6833 6834 * NOTE: isel isn't used for now, but in RFC 430x IPsec, it
6834 6835 * may be.
6835 6836 */
6836 6837 if (err != 0)
6837 6838 goto bail;
6838 6839 break;
6839 6840 default:
6840 6841 ipsec_oth_pol(&sel, &pp, ipst);
6841 6842 break;
6842 6843 }
6843 6844
6844 6845 /*
6845 6846 * If we didn't find a matching conn_t or other policy head, take a
6846 6847 * look in the global policy.
6847 6848 */
6848 6849 if (pp == NULL) {
6849 6850 pp = ipsec_find_policy(IPSEC_TYPE_OUTBOUND, NULL, &sel, ns);
6850 6851 if (pp == NULL) {
6851 6852 /* There's no global policy. */
6852 6853 err = ENOENT;
6853 6854 diagnostic = 0;
6854 6855 goto bail;
6855 6856 }
6856 6857 }
6857 6858
6858 6859 /*
6859 6860 * Now that we have a policy entry/widget, construct an ACQUIRE
6860 6861 * message based on that, fix fields where appropriate,
6861 6862 * and return the message.
6862 6863 */
6863 6864 retmp = sadb_extended_acquire(&sel, pp, NULL,
6864 6865 (itp != NULL && (itp->itp_flags & ITPF_P_TUNNEL)),
6865 6866 samsg->sadb_msg_seq, samsg->sadb_msg_pid, sens, ns);
6866 6867 if (pp != NULL) {
6867 6868 IPPOL_REFRELE(pp);
6868 6869 }
6869 6870 ASSERT(err == 0 && diagnostic == 0);
6870 6871 if (retmp == NULL)
6871 6872 err = ENOMEM;
6872 6873 bail:
6873 6874 if (itp != NULL) {
6874 6875 ITP_REFRELE(itp, ns);
6875 6876 }
6876 6877 samsg->sadb_msg_errno = (uint8_t)err;
6877 6878 samsg->sadb_x_msg_diagnostic = (uint16_t)diagnostic;
6878 6879 return (retmp);
6879 6880 }
6880 6881
6881 6882 /*
6882 6883 * ipsa_lpkt is a one-element queue, only manipulated by the next two
6883 6884 * functions. They have to hold the ipsa_lock because of potential races
6884 6885 * between key management using SADB_UPDATE, and inbound packets that may
6885 6886 * queue up on the larval SA (hence the 'l' in "lpkt").
6886 6887 */
6887 6888
6888 6889 /*
6889 6890 * sadb_set_lpkt:
6890 6891 *
6891 6892 * Returns the passed-in packet if the SA is no longer larval.
6892 6893 *
6893 6894 * Returns NULL if the SA is larval, and needs to be swapped into the SA for
6894 6895 * processing after an SADB_UPDATE.
6895 6896 */
6896 6897 mblk_t *
6897 6898 sadb_set_lpkt(ipsa_t *ipsa, mblk_t *npkt, ip_recv_attr_t *ira)
6898 6899 {
6899 6900 mblk_t *opkt;
6900 6901
6901 6902 mutex_enter(&ipsa->ipsa_lock);
6902 6903 opkt = ipsa->ipsa_lpkt;
6903 6904 if (ipsa->ipsa_state == IPSA_STATE_LARVAL) {
6904 6905 /*
6905 6906 * Consume npkt and place it in the LARVAL SA's inbound
6906 6907 * packet slot.
6907 6908 */
6908 6909 mblk_t *attrmp;
6909 6910
6910 6911 attrmp = ip_recv_attr_to_mblk(ira);
6911 6912 if (attrmp == NULL) {
6912 6913 ill_t *ill = ira->ira_ill;
6913 6914
6914 6915 BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
6915 6916 ip_drop_input("ipIfStatsInDiscards", npkt, ill);
6916 6917 freemsg(npkt);
6917 6918 opkt = NULL;
6918 6919 } else {
6919 6920 ASSERT(attrmp->b_cont == NULL);
6920 6921 attrmp->b_cont = npkt;
6921 6922 ipsa->ipsa_lpkt = attrmp;
6922 6923 }
6923 6924 npkt = NULL;
6924 6925 } else {
6925 6926 /*
6926 6927 * If not larval, we lost the race. NOTE: ipsa_lpkt may still
6927 6928 * have been non-NULL in the non-larval case, because of
6928 6929 * inbound packets arriving prior to sadb_common_add()
6929 6930 * transferring the SA completely out of larval state, but
6930 6931 * after lpkt was grabbed by the AH/ESP-specific add routines.
6931 6932 * We should clear the old ipsa_lpkt in this case to make sure
6932 6933 * that it doesn't linger on the now-MATURE IPsec SA, or get
6933 6934 * picked up as an out-of-order packet.
6934 6935 */
6935 6936 ipsa->ipsa_lpkt = NULL;
6936 6937 }
6937 6938 mutex_exit(&ipsa->ipsa_lock);
6938 6939
6939 6940 if (opkt != NULL) {
6940 6941 ipsec_stack_t *ipss;
6941 6942
6942 6943 ipss = ira->ira_ill->ill_ipst->ips_netstack->netstack_ipsec;
6943 6944 opkt = ip_recv_attr_free_mblk(opkt);
6944 6945 ip_drop_packet(opkt, B_TRUE, ira->ira_ill,
6945 6946 DROPPER(ipss, ipds_sadb_inlarval_replace),
6946 6947 &ipss->ipsec_sadb_dropper);
6947 6948 }
6948 6949 return (npkt);
6949 6950 }
6950 6951
6951 6952 /*
6952 6953 * sadb_clear_lpkt: Atomically clear ipsa->ipsa_lpkt and return the
6953 6954 * previous value.
6954 6955 */
6955 6956 mblk_t *
6956 6957 sadb_clear_lpkt(ipsa_t *ipsa)
6957 6958 {
6958 6959 mblk_t *opkt;
6959 6960
6960 6961 mutex_enter(&ipsa->ipsa_lock);
6961 6962 opkt = ipsa->ipsa_lpkt;
6962 6963 ipsa->ipsa_lpkt = NULL;
6963 6964 mutex_exit(&ipsa->ipsa_lock);
6964 6965 return (opkt);
6965 6966 }
6966 6967
6967 6968 /*
6968 6969 * Buffer a packet that's in IDLE state as set by Solaris Clustering.
6969 6970 */
6970 6971 void
6971 6972 sadb_buf_pkt(ipsa_t *ipsa, mblk_t *bpkt, ip_recv_attr_t *ira)
6972 6973 {
6973 6974 netstack_t *ns = ira->ira_ill->ill_ipst->ips_netstack;
6974 6975 ipsec_stack_t *ipss = ns->netstack_ipsec;
6975 6976 in6_addr_t *srcaddr = (in6_addr_t *)(&ipsa->ipsa_srcaddr);
6976 6977 in6_addr_t *dstaddr = (in6_addr_t *)(&ipsa->ipsa_dstaddr);
6977 6978 mblk_t *mp;
6978 6979
6979 6980 ASSERT(ipsa->ipsa_state == IPSA_STATE_IDLE);
6980 6981
6981 6982 if (cl_inet_idlesa == NULL) {
6982 6983 ip_drop_packet(bpkt, B_TRUE, ira->ira_ill,
6983 6984 DROPPER(ipss, ipds_sadb_inidle_overflow),
6984 6985 &ipss->ipsec_sadb_dropper);
6985 6986 return;
6986 6987 }
6987 6988
6988 6989 cl_inet_idlesa(ns->netstack_stackid,
6989 6990 (ipsa->ipsa_type == SADB_SATYPE_AH) ? IPPROTO_AH : IPPROTO_ESP,
6990 6991 ipsa->ipsa_spi, ipsa->ipsa_addrfam, *srcaddr, *dstaddr, NULL);
6991 6992
6992 6993 mp = ip_recv_attr_to_mblk(ira);
6993 6994 if (mp == NULL) {
6994 6995 ip_drop_packet(bpkt, B_TRUE, ira->ira_ill,
6995 6996 DROPPER(ipss, ipds_sadb_inidle_overflow),
6996 6997 &ipss->ipsec_sadb_dropper);
6997 6998 return;
6998 6999 }
6999 7000 linkb(mp, bpkt);
7000 7001
7001 7002 mutex_enter(&ipsa->ipsa_lock);
7002 7003 ipsa->ipsa_mblkcnt++;
7003 7004 if (ipsa->ipsa_bpkt_head == NULL) {
7004 7005 ipsa->ipsa_bpkt_head = ipsa->ipsa_bpkt_tail = bpkt;
7005 7006 } else {
7006 7007 ipsa->ipsa_bpkt_tail->b_next = bpkt;
7007 7008 ipsa->ipsa_bpkt_tail = bpkt;
7008 7009 if (ipsa->ipsa_mblkcnt > SADB_MAX_IDLEPKTS) {
7009 7010 mblk_t *tmp;
7010 7011
7011 7012 tmp = ipsa->ipsa_bpkt_head;
7012 7013 ipsa->ipsa_bpkt_head = ipsa->ipsa_bpkt_head->b_next;
7013 7014 tmp = ip_recv_attr_free_mblk(tmp);
7014 7015 ip_drop_packet(tmp, B_TRUE, NULL,
7015 7016 DROPPER(ipss, ipds_sadb_inidle_overflow),
7016 7017 &ipss->ipsec_sadb_dropper);
7017 7018 ipsa->ipsa_mblkcnt --;
7018 7019 }
7019 7020 }
7020 7021 mutex_exit(&ipsa->ipsa_lock);
7021 7022 }
7022 7023
7023 7024 /*
7024 7025 * Stub function that taskq_dispatch() invokes to take the mblk (in arg)
7025 7026 * and put into STREAMS again.
7026 7027 */
7027 7028 void
7028 7029 sadb_clear_buf_pkt(void *ipkt)
7029 7030 {
7030 7031 mblk_t *tmp, *buf_pkt;
7031 7032 ip_recv_attr_t iras;
7032 7033
7033 7034 buf_pkt = (mblk_t *)ipkt;
7034 7035
7035 7036 while (buf_pkt != NULL) {
7036 7037 mblk_t *data_mp;
7037 7038
7038 7039 tmp = buf_pkt->b_next;
7039 7040 buf_pkt->b_next = NULL;
7040 7041
7041 7042 data_mp = buf_pkt->b_cont;
7042 7043 buf_pkt->b_cont = NULL;
7043 7044 if (!ip_recv_attr_from_mblk(buf_pkt, &iras)) {
7044 7045 /* The ill or ip_stack_t disappeared on us. */
7045 7046 ip_drop_input("ip_recv_attr_from_mblk", data_mp, NULL);
7046 7047 freemsg(data_mp);
7047 7048 } else {
7048 7049 ip_input_post_ipsec(data_mp, &iras);
7049 7050 }
7050 7051 ira_cleanup(&iras, B_TRUE);
7051 7052 buf_pkt = tmp;
7052 7053 }
7053 7054 }
7054 7055 /*
7055 7056 * Walker callback used by sadb_alg_update() to free/create crypto
7056 7057 * context template when a crypto software provider is removed or
7057 7058 * added.
7058 7059 */
7059 7060
7060 7061 struct sadb_update_alg_state {
7061 7062 ipsec_algtype_t alg_type;
7062 7063 uint8_t alg_id;
7063 7064 boolean_t is_added;
7064 7065 boolean_t async_auth;
7065 7066 boolean_t async_encr;
7066 7067 };
7067 7068
7068 7069 static void
7069 7070 sadb_alg_update_cb(isaf_t *head, ipsa_t *entry, void *cookie)
7070 7071 {
7071 7072 struct sadb_update_alg_state *update_state =
7072 7073 (struct sadb_update_alg_state *)cookie;
7073 7074 crypto_ctx_template_t *ctx_tmpl = NULL;
7074 7075
7075 7076 ASSERT(MUTEX_HELD(&head->isaf_lock));
7076 7077
7077 7078 if (entry->ipsa_state == IPSA_STATE_LARVAL)
7078 7079 return;
7079 7080
7080 7081 mutex_enter(&entry->ipsa_lock);
7081 7082
7082 7083 if ((entry->ipsa_encr_alg != SADB_EALG_NONE && entry->ipsa_encr_alg !=
7083 7084 SADB_EALG_NULL && update_state->async_encr) ||
7084 7085 (entry->ipsa_auth_alg != SADB_AALG_NONE &&
7085 7086 update_state->async_auth)) {
7086 7087 entry->ipsa_flags |= IPSA_F_ASYNC;
7087 7088 } else {
7088 7089 entry->ipsa_flags &= ~IPSA_F_ASYNC;
7089 7090 }
7090 7091
7091 7092 switch (update_state->alg_type) {
7092 7093 case IPSEC_ALG_AUTH:
7093 7094 if (entry->ipsa_auth_alg == update_state->alg_id)
7094 7095 ctx_tmpl = &entry->ipsa_authtmpl;
7095 7096 break;
7096 7097 case IPSEC_ALG_ENCR:
7097 7098 if (entry->ipsa_encr_alg == update_state->alg_id)
7098 7099 ctx_tmpl = &entry->ipsa_encrtmpl;
7099 7100 break;
7100 7101 default:
7101 7102 ctx_tmpl = NULL;
7102 7103 }
7103 7104
7104 7105 if (ctx_tmpl == NULL) {
7105 7106 mutex_exit(&entry->ipsa_lock);
7106 7107 return;
7107 7108 }
7108 7109
7109 7110 /*
7110 7111 * The context template of the SA may be affected by the change
7111 7112 * of crypto provider.
7112 7113 */
7113 7114 if (update_state->is_added) {
7114 7115 /* create the context template if not already done */
7115 7116 if (*ctx_tmpl == NULL) {
7116 7117 (void) ipsec_create_ctx_tmpl(entry,
7117 7118 update_state->alg_type);
7118 7119 }
7119 7120 } else {
7120 7121 /*
7121 7122 * The crypto provider was removed. If the context template
7122 7123 * exists but it is no longer valid, free it.
7123 7124 */
7124 7125 if (*ctx_tmpl != NULL)
7125 7126 ipsec_destroy_ctx_tmpl(entry, update_state->alg_type);
7126 7127 }
7127 7128
7128 7129 mutex_exit(&entry->ipsa_lock);
7129 7130 }
7130 7131
7131 7132 /*
7132 7133 * Invoked by IP when an software crypto provider has been updated, or if
7133 7134 * the crypto synchrony changes. The type and id of the corresponding
7134 7135 * algorithm is passed as argument. The type is set to ALL in the case of
7135 7136 * a synchrony change.
7136 7137 *
7137 7138 * is_added is B_TRUE if the provider was added, B_FALSE if it was
7138 7139 * removed. The function updates the SADB and free/creates the
7139 7140 * context templates associated with SAs if needed.
7140 7141 */
7141 7142
7142 7143 #define SADB_ALG_UPDATE_WALK(sadb, table) \
7143 7144 sadb_walker((sadb).table, (sadb).sdb_hashsize, sadb_alg_update_cb, \
7144 7145 &update_state)
7145 7146
7146 7147 void
7147 7148 sadb_alg_update(ipsec_algtype_t alg_type, uint8_t alg_id, boolean_t is_added,
7148 7149 netstack_t *ns)
7149 7150 {
7150 7151 struct sadb_update_alg_state update_state;
7151 7152 ipsecah_stack_t *ahstack = ns->netstack_ipsecah;
7152 7153 ipsecesp_stack_t *espstack = ns->netstack_ipsecesp;
7153 7154 ipsec_stack_t *ipss = ns->netstack_ipsec;
7154 7155
7155 7156 update_state.alg_type = alg_type;
7156 7157 update_state.alg_id = alg_id;
7157 7158 update_state.is_added = is_added;
7158 7159 update_state.async_auth = ipss->ipsec_algs_exec_mode[IPSEC_ALG_AUTH] ==
7159 7160 IPSEC_ALGS_EXEC_ASYNC;
7160 7161 update_state.async_encr = ipss->ipsec_algs_exec_mode[IPSEC_ALG_ENCR] ==
7161 7162 IPSEC_ALGS_EXEC_ASYNC;
7162 7163
7163 7164 if (alg_type == IPSEC_ALG_AUTH || alg_type == IPSEC_ALG_ALL) {
7164 7165 /* walk the AH tables only for auth. algorithm changes */
7165 7166 SADB_ALG_UPDATE_WALK(ahstack->ah_sadb.s_v4, sdb_of);
7166 7167 SADB_ALG_UPDATE_WALK(ahstack->ah_sadb.s_v4, sdb_if);
7167 7168 SADB_ALG_UPDATE_WALK(ahstack->ah_sadb.s_v6, sdb_of);
7168 7169 SADB_ALG_UPDATE_WALK(ahstack->ah_sadb.s_v6, sdb_if);
7169 7170 }
7170 7171
7171 7172 /* walk the ESP tables */
7172 7173 SADB_ALG_UPDATE_WALK(espstack->esp_sadb.s_v4, sdb_of);
7173 7174 SADB_ALG_UPDATE_WALK(espstack->esp_sadb.s_v4, sdb_if);
7174 7175 SADB_ALG_UPDATE_WALK(espstack->esp_sadb.s_v6, sdb_of);
7175 7176 SADB_ALG_UPDATE_WALK(espstack->esp_sadb.s_v6, sdb_if);
7176 7177 }
7177 7178
7178 7179 /*
7179 7180 * Creates a context template for the specified SA. This function
7180 7181 * is called when an SA is created and when a context template needs
7181 7182 * to be created due to a change of software provider.
7182 7183 */
7183 7184 int
7184 7185 ipsec_create_ctx_tmpl(ipsa_t *sa, ipsec_algtype_t alg_type)
7185 7186 {
7186 7187 ipsec_alginfo_t *alg;
7187 7188 crypto_mechanism_t mech;
7188 7189 crypto_key_t *key;
7189 7190 crypto_ctx_template_t *sa_tmpl;
7190 7191 int rv;
7191 7192 ipsec_stack_t *ipss = sa->ipsa_netstack->netstack_ipsec;
7192 7193
7193 - ASSERT(MUTEX_HELD(&ipss->ipsec_alg_lock));
7194 + ASSERT(RW_READ_HELD(&ipss->ipsec_alg_lock));
7194 7195 ASSERT(MUTEX_HELD(&sa->ipsa_lock));
7195 7196
7196 7197 /* get pointers to the algorithm info, context template, and key */
7197 7198 switch (alg_type) {
7198 7199 case IPSEC_ALG_AUTH:
7199 7200 key = &sa->ipsa_kcfauthkey;
7200 7201 sa_tmpl = &sa->ipsa_authtmpl;
7201 7202 alg = ipss->ipsec_alglists[alg_type][sa->ipsa_auth_alg];
7202 7203 break;
7203 7204 case IPSEC_ALG_ENCR:
7204 7205 key = &sa->ipsa_kcfencrkey;
7205 7206 sa_tmpl = &sa->ipsa_encrtmpl;
7206 7207 alg = ipss->ipsec_alglists[alg_type][sa->ipsa_encr_alg];
7207 7208 break;
7208 7209 default:
7209 7210 alg = NULL;
7210 7211 }
7211 7212
7212 7213 if (alg == NULL || !ALG_VALID(alg))
7213 7214 return (EINVAL);
7214 7215
7215 7216 /* initialize the mech info structure for the framework */
7216 7217 ASSERT(alg->alg_mech_type != CRYPTO_MECHANISM_INVALID);
7217 7218 mech.cm_type = alg->alg_mech_type;
7218 7219 mech.cm_param = NULL;
7219 7220 mech.cm_param_len = 0;
7220 7221
7221 7222 /* create a new context template */
7222 7223 rv = crypto_create_ctx_template(&mech, key, sa_tmpl, KM_NOSLEEP);
7223 7224
7224 7225 /*
7225 7226 * CRYPTO_MECH_NOT_SUPPORTED can be returned if only hardware
7226 7227 * providers are available for that mechanism. In that case
7227 7228 * we don't fail, and will generate the context template from
7228 7229 * the framework callback when a software provider for that
7229 7230 * mechanism registers.
7230 7231 *
7231 7232 * The context template is assigned the special value
7232 7233 * IPSEC_CTX_TMPL_ALLOC if the allocation failed due to a
7233 7234 * lack of memory. No attempt will be made to use
7234 7235 * the context template if it is set to this value.
7235 7236 */
7236 7237 if (rv == CRYPTO_HOST_MEMORY) {
7237 7238 *sa_tmpl = IPSEC_CTX_TMPL_ALLOC;
7238 7239 } else if (rv != CRYPTO_SUCCESS) {
7239 7240 *sa_tmpl = NULL;
7240 7241 if (rv != CRYPTO_MECH_NOT_SUPPORTED)
7241 7242 return (EINVAL);
7242 7243 }
7243 7244
7244 7245 return (0);
7245 7246 }
7246 7247
7247 7248 /*
7248 7249 * Destroy the context template of the specified algorithm type
7249 7250 * of the specified SA. Must be called while holding the SA lock.
7250 7251 */
7251 7252 void
7252 7253 ipsec_destroy_ctx_tmpl(ipsa_t *sa, ipsec_algtype_t alg_type)
7253 7254 {
7254 7255 ASSERT(MUTEX_HELD(&sa->ipsa_lock));
7255 7256
7256 7257 if (alg_type == IPSEC_ALG_AUTH) {
7257 7258 if (sa->ipsa_authtmpl == IPSEC_CTX_TMPL_ALLOC)
7258 7259 sa->ipsa_authtmpl = NULL;
7259 7260 else if (sa->ipsa_authtmpl != NULL) {
7260 7261 crypto_destroy_ctx_template(sa->ipsa_authtmpl);
7261 7262 sa->ipsa_authtmpl = NULL;
7262 7263 }
7263 7264 } else {
7264 7265 ASSERT(alg_type == IPSEC_ALG_ENCR);
7265 7266 if (sa->ipsa_encrtmpl == IPSEC_CTX_TMPL_ALLOC)
7266 7267 sa->ipsa_encrtmpl = NULL;
7267 7268 else if (sa->ipsa_encrtmpl != NULL) {
7268 7269 crypto_destroy_ctx_template(sa->ipsa_encrtmpl);
7269 7270 sa->ipsa_encrtmpl = NULL;
7270 7271 }
7271 7272 }
7272 7273 }
7273 7274
7274 7275 /*
7275 7276 * Use the kernel crypto framework to check the validity of a key received
7276 7277 * via keysock. Returns 0 if the key is OK, -1 otherwise.
7277 7278 */
7278 7279 int
7279 7280 ipsec_check_key(crypto_mech_type_t mech_type, sadb_key_t *sadb_key,
7280 7281 boolean_t is_auth, int *diag)
7281 7282 {
7282 7283 crypto_mechanism_t mech;
7283 7284 crypto_key_t crypto_key;
7284 7285 int crypto_rc;
7285 7286
7286 7287 mech.cm_type = mech_type;
7287 7288 mech.cm_param = NULL;
7288 7289 mech.cm_param_len = 0;
7289 7290
7290 7291 crypto_key.ck_format = CRYPTO_KEY_RAW;
7291 7292 crypto_key.ck_data = sadb_key + 1;
7292 7293 crypto_key.ck_length = sadb_key->sadb_key_bits;
7293 7294
7294 7295 crypto_rc = crypto_key_check(&mech, &crypto_key);
7295 7296
7296 7297 switch (crypto_rc) {
7297 7298 case CRYPTO_SUCCESS:
7298 7299 return (0);
7299 7300 case CRYPTO_MECHANISM_INVALID:
7300 7301 case CRYPTO_MECH_NOT_SUPPORTED:
7301 7302 *diag = is_auth ? SADB_X_DIAGNOSTIC_BAD_AALG :
7302 7303 SADB_X_DIAGNOSTIC_BAD_EALG;
7303 7304 break;
7304 7305 case CRYPTO_KEY_SIZE_RANGE:
7305 7306 *diag = is_auth ? SADB_X_DIAGNOSTIC_BAD_AKEYBITS :
7306 7307 SADB_X_DIAGNOSTIC_BAD_EKEYBITS;
7307 7308 break;
7308 7309 case CRYPTO_WEAK_KEY:
7309 7310 *diag = is_auth ? SADB_X_DIAGNOSTIC_WEAK_AKEY :
7310 7311 SADB_X_DIAGNOSTIC_WEAK_EKEY;
7311 7312 break;
7312 7313 }
7313 7314
7314 7315 return (-1);
7315 7316 }
7316 7317
7317 7318 /*
7318 7319 * Whack options in the outer IP header when ipsec changes the outer label
7319 7320 *
7320 7321 * This is inelegant and really could use refactoring.
7321 7322 */
7322 7323 mblk_t *
7323 7324 sadb_whack_label_v4(mblk_t *mp, ipsa_t *assoc, kstat_named_t *counter,
7324 7325 ipdropper_t *dropper)
7325 7326 {
7326 7327 int delta;
7327 7328 int plen;
7328 7329 dblk_t *db;
7329 7330 int hlen;
7330 7331 uint8_t *opt_storage = assoc->ipsa_opt_storage;
7331 7332 ipha_t *ipha = (ipha_t *)mp->b_rptr;
7332 7333
7333 7334 plen = ntohs(ipha->ipha_length);
7334 7335
7335 7336 delta = tsol_remove_secopt(ipha, MBLKL(mp));
7336 7337 mp->b_wptr += delta;
7337 7338 plen += delta;
7338 7339
7339 7340 /* XXX XXX code copied from tsol_check_label */
7340 7341
7341 7342 /* Make sure we have room for the worst-case addition */
7342 7343 hlen = IPH_HDR_LENGTH(ipha) + opt_storage[IPOPT_OLEN];
7343 7344 hlen = (hlen + 3) & ~3;
7344 7345 if (hlen > IP_MAX_HDR_LENGTH)
7345 7346 hlen = IP_MAX_HDR_LENGTH;
7346 7347 hlen -= IPH_HDR_LENGTH(ipha);
7347 7348
7348 7349 db = mp->b_datap;
7349 7350 if ((db->db_ref != 1) || (mp->b_wptr + hlen > db->db_lim)) {
7350 7351 int copylen;
7351 7352 mblk_t *new_mp;
7352 7353
7353 7354 /* allocate enough to be meaningful, but not *too* much */
7354 7355 copylen = MBLKL(mp);
7355 7356 if (copylen > 256)
7356 7357 copylen = 256;
7357 7358 new_mp = allocb_tmpl(hlen + copylen +
7358 7359 (mp->b_rptr - mp->b_datap->db_base), mp);
7359 7360
7360 7361 if (new_mp == NULL) {
7361 7362 ip_drop_packet(mp, B_FALSE, NULL, counter, dropper);
7362 7363 return (NULL);
7363 7364 }
7364 7365
7365 7366 /* keep the bias */
7366 7367 new_mp->b_rptr += mp->b_rptr - mp->b_datap->db_base;
7367 7368 new_mp->b_wptr = new_mp->b_rptr + copylen;
7368 7369 bcopy(mp->b_rptr, new_mp->b_rptr, copylen);
7369 7370 new_mp->b_cont = mp;
7370 7371 if ((mp->b_rptr += copylen) >= mp->b_wptr) {
7371 7372 new_mp->b_cont = mp->b_cont;
7372 7373 freeb(mp);
7373 7374 }
7374 7375 mp = new_mp;
7375 7376 ipha = (ipha_t *)mp->b_rptr;
7376 7377 }
7377 7378
7378 7379 delta = tsol_prepend_option(assoc->ipsa_opt_storage, ipha, MBLKL(mp));
7379 7380
7380 7381 ASSERT(delta != -1);
7381 7382
7382 7383 plen += delta;
7383 7384 mp->b_wptr += delta;
7384 7385
7385 7386 /*
7386 7387 * Paranoia
7387 7388 */
7388 7389 db = mp->b_datap;
7389 7390
7390 7391 ASSERT3P(mp->b_wptr, <=, db->db_lim);
7391 7392 ASSERT3P(mp->b_rptr, <=, db->db_lim);
7392 7393
7393 7394 ASSERT3P(mp->b_wptr, >=, db->db_base);
7394 7395 ASSERT3P(mp->b_rptr, >=, db->db_base);
7395 7396 /* End paranoia */
7396 7397
7397 7398 ipha->ipha_length = htons(plen);
7398 7399
7399 7400 return (mp);
7400 7401 }
7401 7402
7402 7403 mblk_t *
7403 7404 sadb_whack_label_v6(mblk_t *mp, ipsa_t *assoc, kstat_named_t *counter,
7404 7405 ipdropper_t *dropper)
7405 7406 {
7406 7407 int delta;
7407 7408 int plen;
7408 7409 dblk_t *db;
7409 7410 int hlen;
7410 7411 uint8_t *opt_storage = assoc->ipsa_opt_storage;
7411 7412 uint_t sec_opt_len; /* label option length not including type, len */
7412 7413 ip6_t *ip6h = (ip6_t *)mp->b_rptr;
7413 7414
7414 7415 plen = ntohs(ip6h->ip6_plen);
7415 7416
7416 7417 delta = tsol_remove_secopt_v6(ip6h, MBLKL(mp));
7417 7418 mp->b_wptr += delta;
7418 7419 plen += delta;
7419 7420
7420 7421 /* XXX XXX code copied from tsol_check_label_v6 */
7421 7422 /*
7422 7423 * Make sure we have room for the worst-case addition. Add 2 bytes for
7423 7424 * the hop-by-hop ext header's next header and length fields. Add
7424 7425 * another 2 bytes for the label option type, len and then round
7425 7426 * up to the next 8-byte multiple.
7426 7427 */
7427 7428 sec_opt_len = opt_storage[1];
7428 7429
7429 7430 db = mp->b_datap;
7430 7431 hlen = (4 + sec_opt_len + 7) & ~7;
7431 7432
7432 7433 if ((db->db_ref != 1) || (mp->b_wptr + hlen > db->db_lim)) {
7433 7434 int copylen;
7434 7435 mblk_t *new_mp;
7435 7436 uint16_t hdr_len;
7436 7437
7437 7438 hdr_len = ip_hdr_length_v6(mp, ip6h);
7438 7439 /*
7439 7440 * Allocate enough to be meaningful, but not *too* much.
7440 7441 * Also all the IPv6 extension headers must be in the same mblk
7441 7442 */
7442 7443 copylen = MBLKL(mp);
7443 7444 if (copylen > 256)
7444 7445 copylen = 256;
7445 7446 if (copylen < hdr_len)
7446 7447 copylen = hdr_len;
7447 7448 new_mp = allocb_tmpl(hlen + copylen +
7448 7449 (mp->b_rptr - mp->b_datap->db_base), mp);
7449 7450 if (new_mp == NULL) {
7450 7451 ip_drop_packet(mp, B_FALSE, NULL, counter, dropper);
7451 7452 return (NULL);
7452 7453 }
7453 7454
7454 7455 /* keep the bias */
7455 7456 new_mp->b_rptr += mp->b_rptr - mp->b_datap->db_base;
7456 7457 new_mp->b_wptr = new_mp->b_rptr + copylen;
7457 7458 bcopy(mp->b_rptr, new_mp->b_rptr, copylen);
7458 7459 new_mp->b_cont = mp;
7459 7460 if ((mp->b_rptr += copylen) >= mp->b_wptr) {
7460 7461 new_mp->b_cont = mp->b_cont;
7461 7462 freeb(mp);
7462 7463 }
7463 7464 mp = new_mp;
7464 7465 ip6h = (ip6_t *)mp->b_rptr;
7465 7466 }
7466 7467
7467 7468 delta = tsol_prepend_option_v6(assoc->ipsa_opt_storage,
7468 7469 ip6h, MBLKL(mp));
7469 7470
7470 7471 ASSERT(delta != -1);
7471 7472
7472 7473 plen += delta;
7473 7474 mp->b_wptr += delta;
7474 7475
7475 7476 /*
7476 7477 * Paranoia
7477 7478 */
7478 7479 db = mp->b_datap;
7479 7480
7480 7481 ASSERT3P(mp->b_wptr, <=, db->db_lim);
7481 7482 ASSERT3P(mp->b_rptr, <=, db->db_lim);
7482 7483
7483 7484 ASSERT3P(mp->b_wptr, >=, db->db_base);
7484 7485 ASSERT3P(mp->b_rptr, >=, db->db_base);
7485 7486 /* End paranoia */
7486 7487
7487 7488 ip6h->ip6_plen = htons(plen);
7488 7489
7489 7490 return (mp);
7490 7491 }
7491 7492
7492 7493 /* Whack the labels and update ip_xmit_attr_t as needed */
7493 7494 mblk_t *
7494 7495 sadb_whack_label(mblk_t *mp, ipsa_t *assoc, ip_xmit_attr_t *ixa,
7495 7496 kstat_named_t *counter, ipdropper_t *dropper)
7496 7497 {
7497 7498 int adjust;
7498 7499 int iplen;
7499 7500
7500 7501 if (ixa->ixa_flags & IXAF_IS_IPV4) {
7501 7502 ipha_t *ipha = (ipha_t *)mp->b_rptr;
7502 7503
7503 7504 ASSERT(IPH_HDR_VERSION(ipha) == IPV4_VERSION);
7504 7505 iplen = ntohs(ipha->ipha_length);
7505 7506 mp = sadb_whack_label_v4(mp, assoc, counter, dropper);
7506 7507 if (mp == NULL)
7507 7508 return (NULL);
7508 7509
7509 7510 ipha = (ipha_t *)mp->b_rptr;
7510 7511 ASSERT(IPH_HDR_VERSION(ipha) == IPV4_VERSION);
7511 7512 adjust = (int)ntohs(ipha->ipha_length) - iplen;
7512 7513 } else {
7513 7514 ip6_t *ip6h = (ip6_t *)mp->b_rptr;
7514 7515
7515 7516 ASSERT(IPH_HDR_VERSION(ip6h) == IPV6_VERSION);
7516 7517 iplen = ntohs(ip6h->ip6_plen);
7517 7518 mp = sadb_whack_label_v6(mp, assoc, counter, dropper);
7518 7519 if (mp == NULL)
7519 7520 return (NULL);
7520 7521
7521 7522 ip6h = (ip6_t *)mp->b_rptr;
7522 7523 ASSERT(IPH_HDR_VERSION(ip6h) == IPV6_VERSION);
7523 7524 adjust = (int)ntohs(ip6h->ip6_plen) - iplen;
7524 7525 }
7525 7526 ixa->ixa_pktlen += adjust;
7526 7527 ixa->ixa_ip_hdr_length += adjust;
7527 7528 return (mp);
7528 7529 }
7529 7530
7530 7531 /*
7531 7532 * If this is an outgoing SA then add some fuzz to the
7532 7533 * SOFT EXPIRE time. The reason for this is to stop
7533 7534 * peers trying to renegotiate SOFT expiring SA's at
7534 7535 * the same time. The amount of fuzz needs to be at
7535 7536 * least 8 seconds which is the typical interval
7536 7537 * sadb_ager(), although this is only a guide as it
7537 7538 * selftunes.
7538 7539 */
7539 7540 static void
7540 7541 lifetime_fuzz(ipsa_t *assoc)
7541 7542 {
7542 7543 uint8_t rnd;
7543 7544
7544 7545 if (assoc->ipsa_softaddlt == 0)
7545 7546 return;
7546 7547
7547 7548 (void) random_get_pseudo_bytes(&rnd, sizeof (rnd));
7548 7549 rnd = (rnd & 0xF) + 8;
7549 7550 assoc->ipsa_softexpiretime -= rnd;
7550 7551 assoc->ipsa_softaddlt -= rnd;
7551 7552 }
7552 7553
7553 7554 static void
7554 7555 destroy_ipsa_pair(ipsap_t *ipsapp)
7555 7556 {
7556 7557 /*
7557 7558 * Because of the multi-line macro nature of IPSA_REFRELE, keep
7558 7559 * them in { }.
7559 7560 */
7560 7561 if (ipsapp->ipsap_sa_ptr != NULL) {
7561 7562 IPSA_REFRELE(ipsapp->ipsap_sa_ptr);
7562 7563 }
7563 7564 if (ipsapp->ipsap_psa_ptr != NULL) {
7564 7565 IPSA_REFRELE(ipsapp->ipsap_psa_ptr);
7565 7566 }
7566 7567 init_ipsa_pair(ipsapp);
7567 7568 }
7568 7569
7569 7570 static void
7570 7571 init_ipsa_pair(ipsap_t *ipsapp)
7571 7572 {
7572 7573 ipsapp->ipsap_bucket = NULL;
7573 7574 ipsapp->ipsap_sa_ptr = NULL;
7574 7575 ipsapp->ipsap_pbucket = NULL;
7575 7576 ipsapp->ipsap_psa_ptr = NULL;
7576 7577 }
7577 7578
7578 7579 /*
7579 7580 * The sadb_ager() function walks through the hash tables of SA's and ages
7580 7581 * them, if the SA expires as a result, its marked as DEAD and will be reaped
7581 7582 * the next time sadb_ager() runs. SA's which are paired or have a peer (same
7582 7583 * SA appears in both the inbound and outbound tables because its not possible
7583 7584 * to determine its direction) are placed on a list when they expire. This is
7584 7585 * to ensure that pair/peer SA's are reaped at the same time, even if they
7585 7586 * expire at different times.
7586 7587 *
7587 7588 * This function is called twice by sadb_ager(), one after processing the
7588 7589 * inbound table, then again after processing the outbound table.
7589 7590 */
7590 7591 void
7591 7592 age_pair_peer_list(templist_t *haspeerlist, sadb_t *sp, boolean_t outbound)
7592 7593 {
7593 7594 templist_t *listptr;
7594 7595 int outhash;
7595 7596 isaf_t *bucket;
7596 7597 boolean_t haspeer;
7597 7598 ipsa_t *peer_assoc, *dying;
7598 7599 /*
7599 7600 * Haspeer cases will contain both IPv4 and IPv6. This code
7600 7601 * is address independent.
7601 7602 */
7602 7603 while (haspeerlist != NULL) {
7603 7604 /* "dying" contains the SA that has a peer. */
7604 7605 dying = haspeerlist->ipsa;
7605 7606 haspeer = (dying->ipsa_haspeer);
7606 7607 listptr = haspeerlist;
7607 7608 haspeerlist = listptr->next;
7608 7609 kmem_free(listptr, sizeof (*listptr));
7609 7610 /*
7610 7611 * Pick peer bucket based on addrfam.
7611 7612 */
7612 7613 if (outbound) {
7613 7614 if (haspeer)
7614 7615 bucket = INBOUND_BUCKET(sp, dying->ipsa_spi);
7615 7616 else
7616 7617 bucket = INBOUND_BUCKET(sp,
7617 7618 dying->ipsa_otherspi);
7618 7619 } else { /* inbound */
7619 7620 if (haspeer) {
7620 7621 if (dying->ipsa_addrfam == AF_INET6) {
7621 7622 outhash = OUTBOUND_HASH_V6(sp,
7622 7623 *((in6_addr_t *)&dying->
7623 7624 ipsa_dstaddr));
7624 7625 } else {
7625 7626 outhash = OUTBOUND_HASH_V4(sp,
7626 7627 *((ipaddr_t *)&dying->
7627 7628 ipsa_dstaddr));
7628 7629 }
7629 7630 } else if (dying->ipsa_addrfam == AF_INET6) {
7630 7631 outhash = OUTBOUND_HASH_V6(sp,
7631 7632 *((in6_addr_t *)&dying->
7632 7633 ipsa_srcaddr));
7633 7634 } else {
7634 7635 outhash = OUTBOUND_HASH_V4(sp,
7635 7636 *((ipaddr_t *)&dying->
7636 7637 ipsa_srcaddr));
7637 7638 }
7638 7639 bucket = &(sp->sdb_of[outhash]);
7639 7640 }
7640 7641
7641 7642 mutex_enter(&bucket->isaf_lock);
7642 7643 /*
7643 7644 * "haspeer" SA's have the same src/dst address ordering,
7644 7645 * "paired" SA's have the src/dst addresses reversed.
7645 7646 */
7646 7647 if (haspeer) {
7647 7648 peer_assoc = ipsec_getassocbyspi(bucket,
7648 7649 dying->ipsa_spi, dying->ipsa_srcaddr,
7649 7650 dying->ipsa_dstaddr, dying->ipsa_addrfam);
7650 7651 } else {
7651 7652 peer_assoc = ipsec_getassocbyspi(bucket,
7652 7653 dying->ipsa_otherspi, dying->ipsa_dstaddr,
7653 7654 dying->ipsa_srcaddr, dying->ipsa_addrfam);
7654 7655 }
7655 7656
7656 7657 mutex_exit(&bucket->isaf_lock);
7657 7658 if (peer_assoc != NULL) {
7658 7659 mutex_enter(&peer_assoc->ipsa_lock);
7659 7660 mutex_enter(&dying->ipsa_lock);
7660 7661 if (!haspeer) {
7661 7662 /*
7662 7663 * Only SA's which have a "peer" or are
7663 7664 * "paired" end up on this list, so this
7664 7665 * must be a "paired" SA, update the flags
7665 7666 * to break the pair.
7666 7667 */
7667 7668 peer_assoc->ipsa_otherspi = 0;
7668 7669 peer_assoc->ipsa_flags &= ~IPSA_F_PAIRED;
7669 7670 dying->ipsa_otherspi = 0;
7670 7671 dying->ipsa_flags &= ~IPSA_F_PAIRED;
7671 7672 }
7672 7673 if (haspeer || outbound) {
7673 7674 /*
7674 7675 * Update the state of the "inbound" SA when
7675 7676 * the "outbound" SA has expired. Don't update
7676 7677 * the "outbound" SA when the "inbound" SA
7677 7678 * SA expires because setting the hard_addtime
7678 7679 * below will cause this to happen.
7679 7680 */
7680 7681 peer_assoc->ipsa_state = dying->ipsa_state;
7681 7682 }
7682 7683 if (dying->ipsa_state == IPSA_STATE_DEAD)
7683 7684 peer_assoc->ipsa_hardexpiretime = 1;
7684 7685
7685 7686 mutex_exit(&dying->ipsa_lock);
7686 7687 mutex_exit(&peer_assoc->ipsa_lock);
7687 7688 IPSA_REFRELE(peer_assoc);
7688 7689 }
7689 7690 IPSA_REFRELE(dying);
7690 7691 }
7691 7692 }
7692 7693
7693 7694 /*
7694 7695 * Ensure that the IV used for CCM mode never repeats. The IV should
7695 7696 * only be updated by this function. Also check to see if the IV
7696 7697 * is about to wrap and generate a SOFT Expire. This function is only
7697 7698 * called for outgoing packets, the IV for incomming packets is taken
7698 7699 * from the wire. If the outgoing SA needs to be expired, update
7699 7700 * the matching incomming SA.
7700 7701 */
7701 7702 boolean_t
7702 7703 update_iv(uint8_t *iv_ptr, queue_t *pfkey_q, ipsa_t *assoc,
7703 7704 ipsecesp_stack_t *espstack)
7704 7705 {
7705 7706 boolean_t rc = B_TRUE;
7706 7707 isaf_t *inbound_bucket;
7707 7708 sadb_t *sp;
7708 7709 ipsa_t *pair_sa = NULL;
7709 7710 int sa_new_state = 0;
7710 7711
7711 7712 /* For non counter modes, the IV is random data. */
7712 7713 if (!(assoc->ipsa_flags & IPSA_F_COUNTERMODE)) {
7713 7714 (void) random_get_pseudo_bytes(iv_ptr, assoc->ipsa_iv_len);
7714 7715 return (rc);
7715 7716 }
7716 7717
7717 7718 mutex_enter(&assoc->ipsa_lock);
7718 7719
7719 7720 (*assoc->ipsa_iv)++;
7720 7721
7721 7722 if (*assoc->ipsa_iv == assoc->ipsa_iv_hardexpire) {
7722 7723 sa_new_state = IPSA_STATE_DEAD;
7723 7724 rc = B_FALSE;
7724 7725 } else if (*assoc->ipsa_iv == assoc->ipsa_iv_softexpire) {
7725 7726 if (assoc->ipsa_state != IPSA_STATE_DYING) {
7726 7727 /*
7727 7728 * This SA may have already been expired when its
7728 7729 * PAIR_SA expired.
7729 7730 */
7730 7731 sa_new_state = IPSA_STATE_DYING;
7731 7732 }
7732 7733 }
7733 7734 if (sa_new_state) {
7734 7735 /*
7735 7736 * If there is a state change, we need to update this SA
7736 7737 * and its "pair", we can find the bucket for the "pair" SA
7737 7738 * while holding the ipsa_t mutex, but we won't actually
7738 7739 * update anything untill the ipsa_t mutex has been released
7739 7740 * for _this_ SA.
7740 7741 */
7741 7742 assoc->ipsa_state = sa_new_state;
7742 7743 if (assoc->ipsa_addrfam == AF_INET6) {
7743 7744 sp = &espstack->esp_sadb.s_v6;
7744 7745 } else {
7745 7746 sp = &espstack->esp_sadb.s_v4;
7746 7747 }
7747 7748 inbound_bucket = INBOUND_BUCKET(sp, assoc->ipsa_otherspi);
7748 7749 sadb_expire_assoc(pfkey_q, assoc);
7749 7750 }
7750 7751 if (rc == B_TRUE)
7751 7752 bcopy(assoc->ipsa_iv, iv_ptr, assoc->ipsa_iv_len);
7752 7753
7753 7754 mutex_exit(&assoc->ipsa_lock);
7754 7755
7755 7756 if (sa_new_state) {
7756 7757 /* Find the inbound SA, need to lock hash bucket. */
7757 7758 mutex_enter(&inbound_bucket->isaf_lock);
7758 7759 pair_sa = ipsec_getassocbyspi(inbound_bucket,
7759 7760 assoc->ipsa_otherspi, assoc->ipsa_dstaddr,
7760 7761 assoc->ipsa_srcaddr, assoc->ipsa_addrfam);
7761 7762 mutex_exit(&inbound_bucket->isaf_lock);
7762 7763 if (pair_sa != NULL) {
7763 7764 mutex_enter(&pair_sa->ipsa_lock);
7764 7765 pair_sa->ipsa_state = sa_new_state;
7765 7766 mutex_exit(&pair_sa->ipsa_lock);
7766 7767 IPSA_REFRELE(pair_sa);
7767 7768 }
7768 7769 }
7769 7770
7770 7771 return (rc);
7771 7772 }
7772 7773
7773 7774 void
7774 7775 ccm_params_init(ipsa_t *assoc, uchar_t *esph, uint_t data_len, uchar_t *iv_ptr,
7775 7776 ipsa_cm_mech_t *cm_mech, crypto_data_t *crypto_data)
7776 7777 {
7777 7778 uchar_t *nonce;
7778 7779 crypto_mechanism_t *combined_mech;
7779 7780 CK_AES_CCM_PARAMS *params;
7780 7781
7781 7782 combined_mech = (crypto_mechanism_t *)cm_mech;
7782 7783 params = (CK_AES_CCM_PARAMS *)(combined_mech + 1);
7783 7784 nonce = (uchar_t *)(params + 1);
7784 7785 params->ulMACSize = assoc->ipsa_mac_len;
7785 7786 params->ulNonceSize = assoc->ipsa_nonce_len;
7786 7787 params->ulAuthDataSize = sizeof (esph_t);
7787 7788 params->ulDataSize = data_len;
7788 7789 params->nonce = nonce;
7789 7790 params->authData = esph;
7790 7791
7791 7792 cm_mech->combined_mech.cm_type = assoc->ipsa_emech.cm_type;
7792 7793 cm_mech->combined_mech.cm_param_len = sizeof (CK_AES_CCM_PARAMS);
7793 7794 cm_mech->combined_mech.cm_param = (caddr_t)params;
7794 7795 /* See gcm_params_init() for comments. */
7795 7796 bcopy(assoc->ipsa_nonce, nonce, assoc->ipsa_saltlen);
7796 7797 nonce += assoc->ipsa_saltlen;
7797 7798 bcopy(iv_ptr, nonce, assoc->ipsa_iv_len);
7798 7799 crypto_data->cd_miscdata = NULL;
7799 7800 }
7800 7801
7801 7802 /* ARGSUSED */
7802 7803 void
7803 7804 cbc_params_init(ipsa_t *assoc, uchar_t *esph, uint_t data_len, uchar_t *iv_ptr,
7804 7805 ipsa_cm_mech_t *cm_mech, crypto_data_t *crypto_data)
7805 7806 {
7806 7807 cm_mech->combined_mech.cm_type = assoc->ipsa_emech.cm_type;
7807 7808 cm_mech->combined_mech.cm_param_len = 0;
7808 7809 cm_mech->combined_mech.cm_param = NULL;
7809 7810 crypto_data->cd_miscdata = (char *)iv_ptr;
7810 7811 }
7811 7812
7812 7813 /* ARGSUSED */
7813 7814 void
7814 7815 gcm_params_init(ipsa_t *assoc, uchar_t *esph, uint_t data_len, uchar_t *iv_ptr,
7815 7816 ipsa_cm_mech_t *cm_mech, crypto_data_t *crypto_data)
7816 7817 {
7817 7818 uchar_t *nonce;
7818 7819 crypto_mechanism_t *combined_mech;
7819 7820 CK_AES_GCM_PARAMS *params;
7820 7821
7821 7822 combined_mech = (crypto_mechanism_t *)cm_mech;
7822 7823 params = (CK_AES_GCM_PARAMS *)(combined_mech + 1);
7823 7824 nonce = (uchar_t *)(params + 1);
7824 7825
7825 7826 params->pIv = nonce;
7826 7827 params->ulIvLen = assoc->ipsa_nonce_len;
7827 7828 params->ulIvBits = SADB_8TO1(assoc->ipsa_nonce_len);
7828 7829 params->pAAD = esph;
7829 7830 params->ulAADLen = sizeof (esph_t);
7830 7831 params->ulTagBits = SADB_8TO1(assoc->ipsa_mac_len);
7831 7832
7832 7833 cm_mech->combined_mech.cm_type = assoc->ipsa_emech.cm_type;
7833 7834 cm_mech->combined_mech.cm_param_len = sizeof (CK_AES_GCM_PARAMS);
7834 7835 cm_mech->combined_mech.cm_param = (caddr_t)params;
7835 7836 /*
7836 7837 * Create the nonce, which is made up of the salt and the IV.
7837 7838 * Copy the salt from the SA and the IV from the packet.
7838 7839 * For inbound packets we copy the IV from the packet because it
7839 7840 * was set by the sending system, for outbound packets we copy the IV
7840 7841 * from the packet because the IV in the SA may be changed by another
7841 7842 * thread, the IV in the packet was created while holding a mutex.
7842 7843 */
7843 7844 bcopy(assoc->ipsa_nonce, nonce, assoc->ipsa_saltlen);
7844 7845 nonce += assoc->ipsa_saltlen;
7845 7846 bcopy(iv_ptr, nonce, assoc->ipsa_iv_len);
7846 7847 crypto_data->cd_miscdata = NULL;
7847 7848 }
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX