Print this page
8927 sadb_x_kmc_t's KM cookie should be 64-bits
Reviewed by: Jason King <jason.king@joyent.com>
Reviewed by: Robert Mustacchi <rm@joyent.com>
Reviewed by: Yuri Pankov <yuripv@gmx.com>
| Split |
Close |
| Expand all |
| Collapse all |
--- old/usr/src/uts/common/inet/ip/sadb.c
+++ new/usr/src/uts/common/inet/ip/sadb.c
1 1 /*
2 2 * CDDL HEADER START
3 3 *
4 4 * The contents of this file are subject to the terms of the
5 5 * Common Development and Distribution License (the "License").
6 6 * You may not use this file except in compliance with the License.
7 7 *
8 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 9 * or http://www.opensolaris.org/os/licensing.
10 10 * See the License for the specific language governing permissions
11 11 * and limitations under the License.
12 12 *
13 13 * When distributing Covered Code, include this CDDL HEADER in each
14 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 15 * If applicable, add the following below this CDDL HEADER, with the
16 16 * fields enclosed by brackets "[]" replaced with your own identifying
17 17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 18 *
19 19 * CDDL HEADER END
20 20 */
21 21 /*
22 22 * Copyright 2010 Sun Microsystems, Inc. All rights reserved.
23 23 * Use is subject to license terms.
24 24 * Copyright (c) 2012 Nexenta Systems, Inc. All rights reserved.
25 25 * Copyright (c) 2017 Joyent, Inc.
26 26 */
27 27
28 28 #include <sys/types.h>
29 29 #include <sys/stream.h>
30 30 #include <sys/stropts.h>
31 31 #include <sys/strsubr.h>
32 32 #include <sys/errno.h>
33 33 #include <sys/ddi.h>
34 34 #include <sys/debug.h>
35 35 #include <sys/cmn_err.h>
36 36 #include <sys/stream.h>
37 37 #include <sys/strlog.h>
38 38 #include <sys/kmem.h>
39 39 #include <sys/sunddi.h>
40 40 #include <sys/tihdr.h>
41 41 #include <sys/atomic.h>
42 42 #include <sys/socket.h>
43 43 #include <sys/sysmacros.h>
44 44 #include <sys/crypto/common.h>
45 45 #include <sys/crypto/api.h>
46 46 #include <sys/zone.h>
47 47 #include <netinet/in.h>
48 48 #include <net/if.h>
49 49 #include <net/pfkeyv2.h>
50 50 #include <net/pfpolicy.h>
51 51 #include <inet/common.h>
52 52 #include <netinet/ip6.h>
53 53 #include <inet/ip.h>
54 54 #include <inet/ip_ire.h>
55 55 #include <inet/ip6.h>
56 56 #include <inet/ipsec_info.h>
57 57 #include <inet/tcp.h>
58 58 #include <inet/sadb.h>
59 59 #include <inet/ipsec_impl.h>
60 60 #include <inet/ipsecah.h>
61 61 #include <inet/ipsecesp.h>
62 62 #include <sys/random.h>
63 63 #include <sys/dlpi.h>
64 64 #include <sys/strsun.h>
65 65 #include <sys/strsubr.h>
66 66 #include <inet/ip_if.h>
67 67 #include <inet/ipdrop.h>
68 68 #include <inet/ipclassifier.h>
69 69 #include <inet/sctp_ip.h>
70 70 #include <sys/tsol/tnet.h>
71 71
72 72 /*
73 73 * This source file contains Security Association Database (SADB) common
74 74 * routines. They are linked in with the AH module. Since AH has no chance
75 75 * of falling under export control, it was safe to link it in there.
76 76 */
77 77
78 78 static uint8_t *sadb_action_to_ecomb(uint8_t *, uint8_t *, ipsec_action_t *,
79 79 netstack_t *);
80 80 static ipsa_t *sadb_torch_assoc(isaf_t *, ipsa_t *);
81 81 static void sadb_destroy_acqlist(iacqf_t **, uint_t, boolean_t,
82 82 netstack_t *);
83 83 static void sadb_destroy(sadb_t *, netstack_t *);
84 84 static mblk_t *sadb_sa2msg(ipsa_t *, sadb_msg_t *);
85 85 static ts_label_t *sadb_label_from_sens(sadb_sens_t *, uint64_t *);
86 86
87 87 static time_t sadb_add_time(time_t, uint64_t);
88 88 static void lifetime_fuzz(ipsa_t *);
89 89 static void age_pair_peer_list(templist_t *, sadb_t *, boolean_t);
90 90 static int get_ipsa_pair(ipsa_query_t *, ipsap_t *, int *);
91 91 static void init_ipsa_pair(ipsap_t *);
92 92 static void destroy_ipsa_pair(ipsap_t *);
93 93 static int update_pairing(ipsap_t *, ipsa_query_t *, keysock_in_t *, int *);
94 94 static void ipsa_set_replay(ipsa_t *ipsa, uint32_t offset);
95 95
96 96 /*
97 97 * ipsacq_maxpackets is defined here to make it tunable
98 98 * from /etc/system.
99 99 */
100 100 extern uint64_t ipsacq_maxpackets;
101 101
102 102 #define SET_EXPIRE(sa, delta, exp) { \
103 103 if (((sa)->ipsa_ ## delta) != 0) { \
104 104 (sa)->ipsa_ ## exp = sadb_add_time((sa)->ipsa_addtime, \
105 105 (sa)->ipsa_ ## delta); \
106 106 } \
107 107 }
108 108
109 109 #define UPDATE_EXPIRE(sa, delta, exp) { \
110 110 if (((sa)->ipsa_ ## delta) != 0) { \
111 111 time_t tmp = sadb_add_time((sa)->ipsa_usetime, \
112 112 (sa)->ipsa_ ## delta); \
113 113 if (((sa)->ipsa_ ## exp) == 0) \
114 114 (sa)->ipsa_ ## exp = tmp; \
115 115 else \
116 116 (sa)->ipsa_ ## exp = \
117 117 MIN((sa)->ipsa_ ## exp, tmp); \
118 118 } \
119 119 }
120 120
121 121
122 122 /* wrap the macro so we can pass it as a function pointer */
123 123 void
124 124 sadb_sa_refrele(void *target)
125 125 {
126 126 IPSA_REFRELE(((ipsa_t *)target));
127 127 }
128 128
129 129 /*
130 130 * We presume that sizeof (long) == sizeof (time_t) and that time_t is
131 131 * a signed type.
132 132 */
133 133 #define TIME_MAX LONG_MAX
134 134
135 135 /*
136 136 * PF_KEY gives us lifetimes in uint64_t seconds. We presume that
137 137 * time_t is defined to be a signed type with the same range as
138 138 * "long". On ILP32 systems, we thus run the risk of wrapping around
139 139 * at end of time, as well as "overwrapping" the clock back around
140 140 * into a seemingly valid but incorrect future date earlier than the
141 141 * desired expiration.
142 142 *
143 143 * In order to avoid odd behavior (either negative lifetimes or loss
144 144 * of high order bits) when someone asks for bizarrely long SA
145 145 * lifetimes, we do a saturating add for expire times.
146 146 *
147 147 * We presume that ILP32 systems will be past end of support life when
148 148 * the 32-bit time_t overflows (a dangerous assumption, mind you..).
149 149 *
150 150 * On LP64, 2^64 seconds are about 5.8e11 years, at which point we
151 151 * will hopefully have figured out clever ways to avoid the use of
152 152 * fixed-sized integers in computation.
153 153 */
154 154 static time_t
155 155 sadb_add_time(time_t base, uint64_t delta)
156 156 {
157 157 time_t sum;
158 158
159 159 /*
160 160 * Clip delta to the maximum possible time_t value to
161 161 * prevent "overwrapping" back into a shorter-than-desired
162 162 * future time.
163 163 */
164 164 if (delta > TIME_MAX)
165 165 delta = TIME_MAX;
166 166 /*
167 167 * This sum may still overflow.
168 168 */
169 169 sum = base + delta;
170 170
171 171 /*
172 172 * .. so if the result is less than the base, we overflowed.
173 173 */
174 174 if (sum < base)
175 175 sum = TIME_MAX;
176 176
177 177 return (sum);
178 178 }
179 179
180 180 /*
181 181 * Callers of this function have already created a working security
182 182 * association, and have found the appropriate table & hash chain. All this
183 183 * function does is check duplicates, and insert the SA. The caller needs to
184 184 * hold the hash bucket lock and increment the refcnt before insertion.
185 185 *
186 186 * Return 0 if success, EEXIST if collision.
187 187 */
188 188 #define SA_UNIQUE_MATCH(sa1, sa2) \
189 189 (((sa1)->ipsa_unique_id & (sa1)->ipsa_unique_mask) == \
190 190 ((sa2)->ipsa_unique_id & (sa2)->ipsa_unique_mask))
191 191
192 192 int
193 193 sadb_insertassoc(ipsa_t *ipsa, isaf_t *bucket)
194 194 {
195 195 ipsa_t **ptpn = NULL;
196 196 ipsa_t *walker;
197 197 boolean_t unspecsrc;
198 198
199 199 ASSERT(MUTEX_HELD(&bucket->isaf_lock));
200 200
201 201 unspecsrc = IPSA_IS_ADDR_UNSPEC(ipsa->ipsa_srcaddr, ipsa->ipsa_addrfam);
202 202
203 203 walker = bucket->isaf_ipsa;
204 204 ASSERT(walker == NULL || ipsa->ipsa_addrfam == walker->ipsa_addrfam);
205 205
206 206 /*
207 207 * Find insertion point (pointed to with **ptpn). Insert at the head
208 208 * of the list unless there's an unspecified source address, then
209 209 * insert it after the last SA with a specified source address.
210 210 *
211 211 * BTW, you'll have to walk the whole chain, matching on {DST, SPI}
212 212 * checking for collisions.
213 213 */
214 214
215 215 while (walker != NULL) {
216 216 if (IPSA_ARE_ADDR_EQUAL(walker->ipsa_dstaddr,
217 217 ipsa->ipsa_dstaddr, ipsa->ipsa_addrfam)) {
218 218 if (walker->ipsa_spi == ipsa->ipsa_spi)
219 219 return (EEXIST);
220 220
221 221 mutex_enter(&walker->ipsa_lock);
222 222 if (ipsa->ipsa_state == IPSA_STATE_MATURE &&
223 223 (walker->ipsa_flags & IPSA_F_USED) &&
224 224 SA_UNIQUE_MATCH(walker, ipsa)) {
225 225 walker->ipsa_flags |= IPSA_F_CINVALID;
226 226 }
227 227 mutex_exit(&walker->ipsa_lock);
228 228 }
229 229
230 230 if (ptpn == NULL && unspecsrc) {
231 231 if (IPSA_IS_ADDR_UNSPEC(walker->ipsa_srcaddr,
232 232 walker->ipsa_addrfam))
233 233 ptpn = walker->ipsa_ptpn;
234 234 else if (walker->ipsa_next == NULL)
235 235 ptpn = &walker->ipsa_next;
236 236 }
237 237
238 238 walker = walker->ipsa_next;
239 239 }
240 240
241 241 if (ptpn == NULL)
242 242 ptpn = &bucket->isaf_ipsa;
243 243 ipsa->ipsa_next = *ptpn;
244 244 ipsa->ipsa_ptpn = ptpn;
245 245 if (ipsa->ipsa_next != NULL)
246 246 ipsa->ipsa_next->ipsa_ptpn = &ipsa->ipsa_next;
247 247 *ptpn = ipsa;
248 248 ipsa->ipsa_linklock = &bucket->isaf_lock;
249 249
250 250 return (0);
251 251 }
252 252 #undef SA_UNIQUE_MATCH
253 253
254 254 /*
255 255 * Free a security association. Its reference count is 0, which means
256 256 * I must free it. The SA must be unlocked and must not be linked into
257 257 * any fanout list.
258 258 */
259 259 static void
260 260 sadb_freeassoc(ipsa_t *ipsa)
261 261 {
262 262 ipsec_stack_t *ipss = ipsa->ipsa_netstack->netstack_ipsec;
263 263 mblk_t *asyncmp, *mp;
264 264
265 265 ASSERT(ipss != NULL);
266 266 ASSERT(MUTEX_NOT_HELD(&ipsa->ipsa_lock));
267 267 ASSERT(ipsa->ipsa_refcnt == 0);
268 268 ASSERT(ipsa->ipsa_next == NULL);
269 269 ASSERT(ipsa->ipsa_ptpn == NULL);
270 270
271 271
272 272 asyncmp = sadb_clear_lpkt(ipsa);
273 273 if (asyncmp != NULL) {
274 274 mp = ip_recv_attr_free_mblk(asyncmp);
275 275 ip_drop_packet(mp, B_TRUE, NULL,
276 276 DROPPER(ipss, ipds_sadb_inlarval_timeout),
277 277 &ipss->ipsec_sadb_dropper);
278 278 }
279 279 mutex_enter(&ipsa->ipsa_lock);
280 280
281 281 if (ipsa->ipsa_tsl != NULL) {
282 282 label_rele(ipsa->ipsa_tsl);
283 283 ipsa->ipsa_tsl = NULL;
284 284 }
285 285
286 286 if (ipsa->ipsa_otsl != NULL) {
287 287 label_rele(ipsa->ipsa_otsl);
288 288 ipsa->ipsa_otsl = NULL;
289 289 }
290 290
291 291 ipsec_destroy_ctx_tmpl(ipsa, IPSEC_ALG_AUTH);
292 292 ipsec_destroy_ctx_tmpl(ipsa, IPSEC_ALG_ENCR);
293 293 mutex_exit(&ipsa->ipsa_lock);
294 294
295 295 /* bzero() these fields for paranoia's sake. */
296 296 if (ipsa->ipsa_authkey != NULL) {
297 297 bzero(ipsa->ipsa_authkey, ipsa->ipsa_authkeylen);
298 298 kmem_free(ipsa->ipsa_authkey, ipsa->ipsa_authkeylen);
299 299 }
300 300 if (ipsa->ipsa_encrkey != NULL) {
301 301 bzero(ipsa->ipsa_encrkey, ipsa->ipsa_encrkeylen);
302 302 kmem_free(ipsa->ipsa_encrkey, ipsa->ipsa_encrkeylen);
303 303 }
304 304 if (ipsa->ipsa_nonce_buf != NULL) {
305 305 bzero(ipsa->ipsa_nonce_buf, sizeof (ipsec_nonce_t));
306 306 kmem_free(ipsa->ipsa_nonce_buf, sizeof (ipsec_nonce_t));
307 307 }
308 308 if (ipsa->ipsa_src_cid != NULL) {
309 309 IPSID_REFRELE(ipsa->ipsa_src_cid);
310 310 }
311 311 if (ipsa->ipsa_dst_cid != NULL) {
312 312 IPSID_REFRELE(ipsa->ipsa_dst_cid);
313 313 }
314 314 if (ipsa->ipsa_emech.cm_param != NULL)
315 315 kmem_free(ipsa->ipsa_emech.cm_param,
316 316 ipsa->ipsa_emech.cm_param_len);
317 317
318 318 mutex_destroy(&ipsa->ipsa_lock);
319 319 kmem_free(ipsa, sizeof (*ipsa));
320 320 }
321 321
322 322 /*
323 323 * Unlink a security association from a hash bucket. Assume the hash bucket
324 324 * lock is held, but the association's lock is not.
325 325 *
326 326 * Note that we do not bump the bucket's generation number here because
327 327 * we might not be making a visible change to the set of visible SA's.
328 328 * All callers MUST bump the bucket's generation number before they unlock
329 329 * the bucket if they use sadb_unlinkassoc to permanetly remove an SA which
330 330 * was present in the bucket at the time it was locked.
331 331 */
332 332 void
333 333 sadb_unlinkassoc(ipsa_t *ipsa)
334 334 {
335 335 ASSERT(ipsa->ipsa_linklock != NULL);
336 336 ASSERT(MUTEX_HELD(ipsa->ipsa_linklock));
337 337
338 338 /* These fields are protected by the link lock. */
339 339 *(ipsa->ipsa_ptpn) = ipsa->ipsa_next;
340 340 if (ipsa->ipsa_next != NULL) {
341 341 ipsa->ipsa_next->ipsa_ptpn = ipsa->ipsa_ptpn;
342 342 ipsa->ipsa_next = NULL;
343 343 }
344 344
345 345 ipsa->ipsa_ptpn = NULL;
346 346
347 347 /* This may destroy the SA. */
348 348 IPSA_REFRELE(ipsa);
349 349 }
350 350
351 351 void
352 352 sadb_delete_cluster(ipsa_t *assoc)
353 353 {
354 354 uint8_t protocol;
355 355
356 356 if (cl_inet_deletespi &&
357 357 ((assoc->ipsa_state == IPSA_STATE_LARVAL) ||
358 358 (assoc->ipsa_state == IPSA_STATE_MATURE))) {
359 359 protocol = (assoc->ipsa_type == SADB_SATYPE_AH) ?
360 360 IPPROTO_AH : IPPROTO_ESP;
361 361 cl_inet_deletespi(assoc->ipsa_netstack->netstack_stackid,
362 362 protocol, assoc->ipsa_spi, NULL);
363 363 }
364 364 }
365 365
366 366 /*
367 367 * Create a larval security association with the specified SPI. All other
368 368 * fields are zeroed.
369 369 */
370 370 static ipsa_t *
371 371 sadb_makelarvalassoc(uint32_t spi, uint32_t *src, uint32_t *dst, int addrfam,
372 372 netstack_t *ns)
373 373 {
374 374 ipsa_t *newbie;
375 375
376 376 /*
377 377 * Allocate...
378 378 */
379 379
380 380 newbie = (ipsa_t *)kmem_zalloc(sizeof (ipsa_t), KM_NOSLEEP);
381 381 if (newbie == NULL) {
382 382 /* Can't make new larval SA. */
383 383 return (NULL);
384 384 }
385 385
386 386 /* Assigned requested SPI, assume caller does SPI allocation magic. */
387 387 newbie->ipsa_spi = spi;
388 388 newbie->ipsa_netstack = ns; /* No netstack_hold */
389 389
390 390 /*
391 391 * Copy addresses...
392 392 */
393 393
394 394 IPSA_COPY_ADDR(newbie->ipsa_srcaddr, src, addrfam);
395 395 IPSA_COPY_ADDR(newbie->ipsa_dstaddr, dst, addrfam);
396 396
397 397 newbie->ipsa_addrfam = addrfam;
398 398
399 399 /*
400 400 * Set common initialization values, including refcnt.
401 401 */
402 402 mutex_init(&newbie->ipsa_lock, NULL, MUTEX_DEFAULT, NULL);
403 403 newbie->ipsa_state = IPSA_STATE_LARVAL;
404 404 newbie->ipsa_refcnt = 1;
405 405 newbie->ipsa_freefunc = sadb_freeassoc;
406 406
407 407 /*
408 408 * There aren't a lot of other common initialization values, as
409 409 * they are copied in from the PF_KEY message.
410 410 */
411 411
412 412 return (newbie);
413 413 }
414 414
415 415 /*
416 416 * Call me to initialize a security association fanout.
417 417 */
418 418 static int
419 419 sadb_init_fanout(isaf_t **tablep, uint_t size, int kmflag)
420 420 {
421 421 isaf_t *table;
422 422 int i;
423 423
424 424 table = (isaf_t *)kmem_alloc(size * sizeof (*table), kmflag);
425 425 *tablep = table;
426 426
427 427 if (table == NULL)
428 428 return (ENOMEM);
429 429
430 430 for (i = 0; i < size; i++) {
431 431 mutex_init(&(table[i].isaf_lock), NULL, MUTEX_DEFAULT, NULL);
432 432 table[i].isaf_ipsa = NULL;
433 433 table[i].isaf_gen = 0;
434 434 }
435 435
436 436 return (0);
437 437 }
438 438
439 439 /*
440 440 * Call me to initialize an acquire fanout
441 441 */
442 442 static int
443 443 sadb_init_acfanout(iacqf_t **tablep, uint_t size, int kmflag)
444 444 {
445 445 iacqf_t *table;
446 446 int i;
447 447
448 448 table = (iacqf_t *)kmem_alloc(size * sizeof (*table), kmflag);
449 449 *tablep = table;
450 450
451 451 if (table == NULL)
452 452 return (ENOMEM);
453 453
454 454 for (i = 0; i < size; i++) {
455 455 mutex_init(&(table[i].iacqf_lock), NULL, MUTEX_DEFAULT, NULL);
456 456 table[i].iacqf_ipsacq = NULL;
457 457 }
458 458
459 459 return (0);
460 460 }
461 461
462 462 /*
463 463 * Attempt to initialize an SADB instance. On failure, return ENOMEM;
464 464 * caller must clean up partial allocations.
465 465 */
466 466 static int
467 467 sadb_init_trial(sadb_t *sp, uint_t size, int kmflag)
468 468 {
469 469 ASSERT(sp->sdb_of == NULL);
470 470 ASSERT(sp->sdb_if == NULL);
471 471 ASSERT(sp->sdb_acq == NULL);
472 472
473 473 sp->sdb_hashsize = size;
474 474 if (sadb_init_fanout(&sp->sdb_of, size, kmflag) != 0)
475 475 return (ENOMEM);
476 476 if (sadb_init_fanout(&sp->sdb_if, size, kmflag) != 0)
477 477 return (ENOMEM);
478 478 if (sadb_init_acfanout(&sp->sdb_acq, size, kmflag) != 0)
479 479 return (ENOMEM);
480 480
481 481 return (0);
482 482 }
483 483
484 484 /*
485 485 * Call me to initialize an SADB instance; fall back to default size on failure.
486 486 */
487 487 static void
488 488 sadb_init(const char *name, sadb_t *sp, uint_t size, uint_t ver,
489 489 netstack_t *ns)
490 490 {
491 491 ASSERT(sp->sdb_of == NULL);
492 492 ASSERT(sp->sdb_if == NULL);
493 493 ASSERT(sp->sdb_acq == NULL);
494 494
495 495 if (size < IPSEC_DEFAULT_HASH_SIZE)
496 496 size = IPSEC_DEFAULT_HASH_SIZE;
497 497
498 498 if (sadb_init_trial(sp, size, KM_NOSLEEP) != 0) {
499 499
500 500 cmn_err(CE_WARN,
501 501 "Unable to allocate %u entry IPv%u %s SADB hash table",
502 502 size, ver, name);
503 503
504 504 sadb_destroy(sp, ns);
505 505 size = IPSEC_DEFAULT_HASH_SIZE;
506 506 cmn_err(CE_WARN, "Falling back to %d entries", size);
507 507 (void) sadb_init_trial(sp, size, KM_SLEEP);
508 508 }
509 509 }
510 510
511 511
512 512 /*
513 513 * Initialize an SADB-pair.
514 514 */
515 515 void
516 516 sadbp_init(const char *name, sadbp_t *sp, int type, int size, netstack_t *ns)
517 517 {
518 518 sadb_init(name, &sp->s_v4, size, 4, ns);
519 519 sadb_init(name, &sp->s_v6, size, 6, ns);
520 520
521 521 sp->s_satype = type;
522 522
523 523 ASSERT((type == SADB_SATYPE_AH) || (type == SADB_SATYPE_ESP));
524 524 if (type == SADB_SATYPE_AH) {
525 525 ipsec_stack_t *ipss = ns->netstack_ipsec;
526 526
527 527 ip_drop_register(&ipss->ipsec_sadb_dropper, "IPsec SADB");
528 528 sp->s_addflags = AH_ADD_SETTABLE_FLAGS;
529 529 sp->s_updateflags = AH_UPDATE_SETTABLE_FLAGS;
530 530 } else {
531 531 sp->s_addflags = ESP_ADD_SETTABLE_FLAGS;
532 532 sp->s_updateflags = ESP_UPDATE_SETTABLE_FLAGS;
533 533 }
534 534 }
535 535
536 536 /*
537 537 * Deliver a single SADB_DUMP message representing a single SA. This is
538 538 * called many times by sadb_dump().
539 539 *
540 540 * If the return value of this is ENOBUFS (not the same as ENOMEM), then
541 541 * the caller should take that as a hint that dupb() on the "original answer"
542 542 * failed, and that perhaps the caller should try again with a copyb()ed
543 543 * "original answer".
544 544 */
545 545 static int
546 546 sadb_dump_deliver(queue_t *pfkey_q, mblk_t *original_answer, ipsa_t *ipsa,
547 547 sadb_msg_t *samsg)
548 548 {
549 549 mblk_t *answer;
550 550
551 551 answer = dupb(original_answer);
552 552 if (answer == NULL)
553 553 return (ENOBUFS);
554 554 answer->b_cont = sadb_sa2msg(ipsa, samsg);
555 555 if (answer->b_cont == NULL) {
556 556 freeb(answer);
557 557 return (ENOMEM);
558 558 }
559 559
560 560 /* Just do a putnext, and let keysock deal with flow control. */
561 561 putnext(pfkey_q, answer);
562 562 return (0);
563 563 }
564 564
565 565 /*
566 566 * Common function to allocate and prepare a keysock_out_t M_CTL message.
567 567 */
568 568 mblk_t *
569 569 sadb_keysock_out(minor_t serial)
570 570 {
571 571 mblk_t *mp;
572 572 keysock_out_t *kso;
573 573
574 574 mp = allocb(sizeof (ipsec_info_t), BPRI_HI);
575 575 if (mp != NULL) {
576 576 mp->b_datap->db_type = M_CTL;
577 577 mp->b_wptr += sizeof (ipsec_info_t);
578 578 kso = (keysock_out_t *)mp->b_rptr;
579 579 kso->ks_out_type = KEYSOCK_OUT;
580 580 kso->ks_out_len = sizeof (*kso);
581 581 kso->ks_out_serial = serial;
582 582 }
583 583
584 584 return (mp);
585 585 }
586 586
587 587 /*
588 588 * Perform an SADB_DUMP, spewing out every SA in an array of SA fanouts
589 589 * to keysock.
590 590 */
591 591 static int
592 592 sadb_dump_fanout(queue_t *pfkey_q, mblk_t *mp, minor_t serial, isaf_t *fanout,
593 593 int num_entries, boolean_t do_peers, time_t active_time)
594 594 {
595 595 int i, error = 0;
596 596 mblk_t *original_answer;
597 597 ipsa_t *walker;
598 598 sadb_msg_t *samsg;
599 599 time_t current;
600 600
601 601 /*
602 602 * For each IPSA hash bucket do:
603 603 * - Hold the mutex
604 604 * - Walk each entry, doing an sadb_dump_deliver() on it.
605 605 */
606 606 ASSERT(mp->b_cont != NULL);
607 607 samsg = (sadb_msg_t *)mp->b_cont->b_rptr;
608 608
609 609 original_answer = sadb_keysock_out(serial);
610 610 if (original_answer == NULL)
611 611 return (ENOMEM);
612 612
613 613 current = gethrestime_sec();
614 614 for (i = 0; i < num_entries; i++) {
615 615 mutex_enter(&fanout[i].isaf_lock);
616 616 for (walker = fanout[i].isaf_ipsa; walker != NULL;
617 617 walker = walker->ipsa_next) {
618 618 if (!do_peers && walker->ipsa_haspeer)
619 619 continue;
620 620 if ((active_time != 0) &&
621 621 ((current - walker->ipsa_lastuse) > active_time))
622 622 continue;
623 623 error = sadb_dump_deliver(pfkey_q, original_answer,
624 624 walker, samsg);
625 625 if (error == ENOBUFS) {
626 626 mblk_t *new_original_answer;
627 627
628 628 /* Ran out of dupb's. Try a copyb. */
629 629 new_original_answer = copyb(original_answer);
630 630 if (new_original_answer == NULL) {
631 631 error = ENOMEM;
632 632 } else {
633 633 freeb(original_answer);
634 634 original_answer = new_original_answer;
635 635 error = sadb_dump_deliver(pfkey_q,
636 636 original_answer, walker, samsg);
637 637 }
638 638 }
639 639 if (error != 0)
640 640 break; /* out of for loop. */
641 641 }
642 642 mutex_exit(&fanout[i].isaf_lock);
643 643 if (error != 0)
644 644 break; /* out of for loop. */
645 645 }
646 646
647 647 freeb(original_answer);
648 648 return (error);
649 649 }
650 650
651 651 /*
652 652 * Dump an entire SADB; outbound first, then inbound.
653 653 */
654 654
655 655 int
656 656 sadb_dump(queue_t *pfkey_q, mblk_t *mp, keysock_in_t *ksi, sadb_t *sp)
657 657 {
658 658 int error;
659 659 time_t active_time = 0;
660 660 sadb_x_edump_t *edump =
661 661 (sadb_x_edump_t *)ksi->ks_in_extv[SADB_X_EXT_EDUMP];
662 662
663 663 if (edump != NULL) {
664 664 active_time = edump->sadb_x_edump_timeout;
665 665 }
666 666
667 667 /* Dump outbound */
668 668 error = sadb_dump_fanout(pfkey_q, mp, ksi->ks_in_serial, sp->sdb_of,
669 669 sp->sdb_hashsize, B_TRUE, active_time);
670 670 if (error)
671 671 return (error);
672 672
673 673 /* Dump inbound */
674 674 return sadb_dump_fanout(pfkey_q, mp, ksi->ks_in_serial, sp->sdb_if,
675 675 sp->sdb_hashsize, B_FALSE, active_time);
676 676 }
677 677
678 678 /*
679 679 * Generic sadb table walker.
680 680 *
681 681 * Call "walkfn" for each SA in each bucket in "table"; pass the
682 682 * bucket, the entry and "cookie" to the callback function.
683 683 * Take care to ensure that walkfn can delete the SA without screwing
684 684 * up our traverse.
685 685 *
686 686 * The bucket is locked for the duration of the callback, both so that the
687 687 * callback can just call sadb_unlinkassoc() when it wants to delete something,
688 688 * and so that no new entries are added while we're walking the list.
689 689 */
690 690 static void
691 691 sadb_walker(isaf_t *table, uint_t numentries,
692 692 void (*walkfn)(isaf_t *head, ipsa_t *entry, void *cookie),
693 693 void *cookie)
694 694 {
695 695 int i;
696 696 for (i = 0; i < numentries; i++) {
697 697 ipsa_t *entry, *next;
698 698
699 699 mutex_enter(&table[i].isaf_lock);
700 700
701 701 for (entry = table[i].isaf_ipsa; entry != NULL;
702 702 entry = next) {
703 703 next = entry->ipsa_next;
704 704 (*walkfn)(&table[i], entry, cookie);
705 705 }
706 706 mutex_exit(&table[i].isaf_lock);
707 707 }
708 708 }
709 709
710 710 /*
711 711 * Call me to free up a security association fanout. Use the forever
712 712 * variable to indicate freeing up the SAs (forever == B_FALSE, e.g.
713 713 * an SADB_FLUSH message), or destroying everything (forever == B_TRUE,
714 714 * when a module is unloaded).
715 715 */
716 716 static void
717 717 sadb_destroyer(isaf_t **tablep, uint_t numentries, boolean_t forever,
718 718 boolean_t inbound)
719 719 {
720 720 int i;
721 721 isaf_t *table = *tablep;
722 722 uint8_t protocol;
723 723 ipsa_t *sa;
724 724 netstackid_t sid;
725 725
726 726 if (table == NULL)
727 727 return;
728 728
729 729 for (i = 0; i < numentries; i++) {
730 730 mutex_enter(&table[i].isaf_lock);
731 731 while ((sa = table[i].isaf_ipsa) != NULL) {
732 732 if (inbound && cl_inet_deletespi &&
733 733 (sa->ipsa_state != IPSA_STATE_ACTIVE_ELSEWHERE) &&
734 734 (sa->ipsa_state != IPSA_STATE_IDLE)) {
735 735 protocol = (sa->ipsa_type == SADB_SATYPE_AH) ?
736 736 IPPROTO_AH : IPPROTO_ESP;
737 737 sid = sa->ipsa_netstack->netstack_stackid;
738 738 cl_inet_deletespi(sid, protocol, sa->ipsa_spi,
739 739 NULL);
740 740 }
741 741 sadb_unlinkassoc(sa);
742 742 }
743 743 table[i].isaf_gen++;
744 744 mutex_exit(&table[i].isaf_lock);
745 745 if (forever)
746 746 mutex_destroy(&(table[i].isaf_lock));
747 747 }
748 748
749 749 if (forever) {
750 750 *tablep = NULL;
751 751 kmem_free(table, numentries * sizeof (*table));
752 752 }
753 753 }
754 754
755 755 /*
756 756 * Entry points to sadb_destroyer().
757 757 */
758 758 static void
759 759 sadb_flush(sadb_t *sp, netstack_t *ns)
760 760 {
761 761 /*
762 762 * Flush out each bucket, one at a time. Were it not for keysock's
763 763 * enforcement, there would be a subtlety where I could add on the
764 764 * heels of a flush. With keysock's enforcement, however, this
765 765 * makes ESP's job easy.
766 766 */
767 767 sadb_destroyer(&sp->sdb_of, sp->sdb_hashsize, B_FALSE, B_FALSE);
768 768 sadb_destroyer(&sp->sdb_if, sp->sdb_hashsize, B_FALSE, B_TRUE);
769 769
770 770 /* For each acquire, destroy it; leave the bucket mutex alone. */
771 771 sadb_destroy_acqlist(&sp->sdb_acq, sp->sdb_hashsize, B_FALSE, ns);
772 772 }
773 773
774 774 static void
775 775 sadb_destroy(sadb_t *sp, netstack_t *ns)
776 776 {
777 777 sadb_destroyer(&sp->sdb_of, sp->sdb_hashsize, B_TRUE, B_FALSE);
778 778 sadb_destroyer(&sp->sdb_if, sp->sdb_hashsize, B_TRUE, B_TRUE);
779 779
780 780 /* For each acquire, destroy it, including the bucket mutex. */
781 781 sadb_destroy_acqlist(&sp->sdb_acq, sp->sdb_hashsize, B_TRUE, ns);
782 782
783 783 ASSERT(sp->sdb_of == NULL);
784 784 ASSERT(sp->sdb_if == NULL);
785 785 ASSERT(sp->sdb_acq == NULL);
786 786 }
787 787
788 788 void
789 789 sadbp_flush(sadbp_t *spp, netstack_t *ns)
790 790 {
791 791 sadb_flush(&spp->s_v4, ns);
792 792 sadb_flush(&spp->s_v6, ns);
793 793 }
794 794
795 795 void
796 796 sadbp_destroy(sadbp_t *spp, netstack_t *ns)
797 797 {
798 798 sadb_destroy(&spp->s_v4, ns);
799 799 sadb_destroy(&spp->s_v6, ns);
800 800
801 801 if (spp->s_satype == SADB_SATYPE_AH) {
802 802 ipsec_stack_t *ipss = ns->netstack_ipsec;
803 803
804 804 ip_drop_unregister(&ipss->ipsec_sadb_dropper);
805 805 }
806 806 }
807 807
808 808
809 809 /*
810 810 * Check hard vs. soft lifetimes. If there's a reality mismatch (e.g.
811 811 * soft lifetimes > hard lifetimes) return an appropriate diagnostic for
812 812 * EINVAL.
813 813 */
814 814 int
815 815 sadb_hardsoftchk(sadb_lifetime_t *hard, sadb_lifetime_t *soft,
816 816 sadb_lifetime_t *idle)
817 817 {
818 818 if (hard == NULL || soft == NULL)
819 819 return (0);
820 820
821 821 if (hard->sadb_lifetime_allocations != 0 &&
822 822 soft->sadb_lifetime_allocations != 0 &&
823 823 hard->sadb_lifetime_allocations < soft->sadb_lifetime_allocations)
824 824 return (SADB_X_DIAGNOSTIC_ALLOC_HSERR);
825 825
826 826 if (hard->sadb_lifetime_bytes != 0 &&
827 827 soft->sadb_lifetime_bytes != 0 &&
828 828 hard->sadb_lifetime_bytes < soft->sadb_lifetime_bytes)
829 829 return (SADB_X_DIAGNOSTIC_BYTES_HSERR);
830 830
831 831 if (hard->sadb_lifetime_addtime != 0 &&
832 832 soft->sadb_lifetime_addtime != 0 &&
833 833 hard->sadb_lifetime_addtime < soft->sadb_lifetime_addtime)
834 834 return (SADB_X_DIAGNOSTIC_ADDTIME_HSERR);
835 835
836 836 if (hard->sadb_lifetime_usetime != 0 &&
837 837 soft->sadb_lifetime_usetime != 0 &&
838 838 hard->sadb_lifetime_usetime < soft->sadb_lifetime_usetime)
839 839 return (SADB_X_DIAGNOSTIC_USETIME_HSERR);
840 840
841 841 if (idle != NULL) {
842 842 if (hard->sadb_lifetime_addtime != 0 &&
843 843 idle->sadb_lifetime_addtime != 0 &&
844 844 hard->sadb_lifetime_addtime < idle->sadb_lifetime_addtime)
845 845 return (SADB_X_DIAGNOSTIC_ADDTIME_HSERR);
846 846
847 847 if (soft->sadb_lifetime_addtime != 0 &&
848 848 idle->sadb_lifetime_addtime != 0 &&
849 849 soft->sadb_lifetime_addtime < idle->sadb_lifetime_addtime)
850 850 return (SADB_X_DIAGNOSTIC_ADDTIME_HSERR);
851 851
852 852 if (hard->sadb_lifetime_usetime != 0 &&
853 853 idle->sadb_lifetime_usetime != 0 &&
854 854 hard->sadb_lifetime_usetime < idle->sadb_lifetime_usetime)
855 855 return (SADB_X_DIAGNOSTIC_USETIME_HSERR);
856 856
857 857 if (soft->sadb_lifetime_usetime != 0 &&
858 858 idle->sadb_lifetime_usetime != 0 &&
859 859 soft->sadb_lifetime_usetime < idle->sadb_lifetime_usetime)
860 860 return (SADB_X_DIAGNOSTIC_USETIME_HSERR);
861 861 }
862 862
863 863 return (0);
864 864 }
865 865
866 866 /*
867 867 * Sanity check sensitivity labels.
868 868 *
869 869 * For now, just reject labels on unlabeled systems.
870 870 */
871 871 int
872 872 sadb_labelchk(keysock_in_t *ksi)
873 873 {
874 874 if (!is_system_labeled()) {
875 875 if (ksi->ks_in_extv[SADB_EXT_SENSITIVITY] != NULL)
876 876 return (SADB_X_DIAGNOSTIC_BAD_LABEL);
877 877
878 878 if (ksi->ks_in_extv[SADB_X_EXT_OUTER_SENS] != NULL)
879 879 return (SADB_X_DIAGNOSTIC_BAD_LABEL);
880 880 }
881 881
882 882 return (0);
883 883 }
884 884
885 885 /*
886 886 * Clone a security association for the purposes of inserting a single SA
887 887 * into inbound and outbound tables respectively. This function should only
888 888 * be called from sadb_common_add().
889 889 */
890 890 static ipsa_t *
891 891 sadb_cloneassoc(ipsa_t *ipsa)
892 892 {
893 893 ipsa_t *newbie;
894 894 boolean_t error = B_FALSE;
895 895
896 896 ASSERT(MUTEX_NOT_HELD(&(ipsa->ipsa_lock)));
897 897
898 898 newbie = kmem_alloc(sizeof (ipsa_t), KM_NOSLEEP);
899 899 if (newbie == NULL)
900 900 return (NULL);
901 901
902 902 /* Copy over what we can. */
903 903 *newbie = *ipsa;
904 904
905 905 /* bzero and initialize locks, in case *_init() allocates... */
906 906 mutex_init(&newbie->ipsa_lock, NULL, MUTEX_DEFAULT, NULL);
907 907
908 908 if (newbie->ipsa_tsl != NULL)
909 909 label_hold(newbie->ipsa_tsl);
910 910
911 911 if (newbie->ipsa_otsl != NULL)
912 912 label_hold(newbie->ipsa_otsl);
913 913
914 914 /*
915 915 * While somewhat dain-bramaged, the most graceful way to
916 916 * recover from errors is to keep plowing through the
917 917 * allocations, and getting what I can. It's easier to call
918 918 * sadb_freeassoc() on the stillborn clone when all the
919 919 * pointers aren't pointing to the parent's data.
920 920 */
921 921
922 922 if (ipsa->ipsa_authkey != NULL) {
923 923 newbie->ipsa_authkey = kmem_alloc(newbie->ipsa_authkeylen,
924 924 KM_NOSLEEP);
925 925 if (newbie->ipsa_authkey == NULL) {
926 926 error = B_TRUE;
927 927 } else {
928 928 bcopy(ipsa->ipsa_authkey, newbie->ipsa_authkey,
929 929 newbie->ipsa_authkeylen);
930 930
931 931 newbie->ipsa_kcfauthkey.ck_data =
932 932 newbie->ipsa_authkey;
933 933 }
934 934
935 935 if (newbie->ipsa_amech.cm_param != NULL) {
936 936 newbie->ipsa_amech.cm_param =
937 937 (char *)&newbie->ipsa_mac_len;
938 938 }
939 939 }
940 940
941 941 if (ipsa->ipsa_encrkey != NULL) {
942 942 newbie->ipsa_encrkey = kmem_alloc(newbie->ipsa_encrkeylen,
943 943 KM_NOSLEEP);
944 944 if (newbie->ipsa_encrkey == NULL) {
945 945 error = B_TRUE;
946 946 } else {
947 947 bcopy(ipsa->ipsa_encrkey, newbie->ipsa_encrkey,
948 948 newbie->ipsa_encrkeylen);
949 949
950 950 newbie->ipsa_kcfencrkey.ck_data =
951 951 newbie->ipsa_encrkey;
952 952 }
953 953 }
954 954
955 955 newbie->ipsa_authtmpl = NULL;
956 956 newbie->ipsa_encrtmpl = NULL;
957 957 newbie->ipsa_haspeer = B_TRUE;
958 958
959 959 if (ipsa->ipsa_src_cid != NULL) {
960 960 newbie->ipsa_src_cid = ipsa->ipsa_src_cid;
961 961 IPSID_REFHOLD(ipsa->ipsa_src_cid);
962 962 }
963 963
964 964 if (ipsa->ipsa_dst_cid != NULL) {
965 965 newbie->ipsa_dst_cid = ipsa->ipsa_dst_cid;
966 966 IPSID_REFHOLD(ipsa->ipsa_dst_cid);
967 967 }
968 968
969 969 if (error) {
970 970 sadb_freeassoc(newbie);
971 971 return (NULL);
972 972 }
973 973
974 974 return (newbie);
975 975 }
976 976
977 977 /*
978 978 * Initialize a SADB address extension at the address specified by addrext.
979 979 * Return a pointer to the end of the new address extension.
980 980 */
981 981 static uint8_t *
982 982 sadb_make_addr_ext(uint8_t *start, uint8_t *end, uint16_t exttype,
983 983 sa_family_t af, uint32_t *addr, uint16_t port, uint8_t proto, int prefix)
984 984 {
985 985 struct sockaddr_in *sin;
986 986 struct sockaddr_in6 *sin6;
987 987 uint8_t *cur = start;
988 988 int addrext_len;
989 989 int sin_len;
990 990 sadb_address_t *addrext = (sadb_address_t *)cur;
991 991
992 992 if (cur == NULL)
993 993 return (NULL);
994 994
995 995 cur += sizeof (*addrext);
996 996 if (cur > end)
997 997 return (NULL);
998 998
999 999 addrext->sadb_address_proto = proto;
1000 1000 addrext->sadb_address_prefixlen = prefix;
1001 1001 addrext->sadb_address_reserved = 0;
1002 1002 addrext->sadb_address_exttype = exttype;
1003 1003
1004 1004 switch (af) {
1005 1005 case AF_INET:
1006 1006 sin = (struct sockaddr_in *)cur;
1007 1007 sin_len = sizeof (*sin);
1008 1008 cur += sin_len;
1009 1009 if (cur > end)
1010 1010 return (NULL);
1011 1011
1012 1012 sin->sin_family = af;
1013 1013 bzero(sin->sin_zero, sizeof (sin->sin_zero));
1014 1014 sin->sin_port = port;
1015 1015 IPSA_COPY_ADDR(&sin->sin_addr, addr, af);
1016 1016 break;
1017 1017 case AF_INET6:
1018 1018 sin6 = (struct sockaddr_in6 *)cur;
1019 1019 sin_len = sizeof (*sin6);
1020 1020 cur += sin_len;
1021 1021 if (cur > end)
1022 1022 return (NULL);
1023 1023
1024 1024 bzero(sin6, sizeof (*sin6));
1025 1025 sin6->sin6_family = af;
1026 1026 sin6->sin6_port = port;
1027 1027 IPSA_COPY_ADDR(&sin6->sin6_addr, addr, af);
1028 1028 break;
1029 1029 }
1030 1030
1031 1031 addrext_len = roundup(cur - start, sizeof (uint64_t));
1032 1032 addrext->sadb_address_len = SADB_8TO64(addrext_len);
1033 1033
1034 1034 cur = start + addrext_len;
1035 1035 if (cur > end)
|
↓ open down ↓ |
1035 lines elided |
↑ open up ↑ |
1036 1036 cur = NULL;
1037 1037
1038 1038 return (cur);
1039 1039 }
1040 1040
1041 1041 /*
1042 1042 * Construct a key management cookie extension.
1043 1043 */
1044 1044
1045 1045 static uint8_t *
1046 -sadb_make_kmc_ext(uint8_t *cur, uint8_t *end, uint32_t kmp, uint32_t kmc)
1046 +sadb_make_kmc_ext(uint8_t *cur, uint8_t *end, uint32_t kmp, uint64_t kmc)
1047 1047 {
1048 1048 sadb_x_kmc_t *kmcext = (sadb_x_kmc_t *)cur;
1049 1049
1050 1050 if (cur == NULL)
1051 1051 return (NULL);
1052 1052
1053 1053 cur += sizeof (*kmcext);
1054 1054
1055 1055 if (cur > end)
1056 1056 return (NULL);
1057 1057
1058 1058 kmcext->sadb_x_kmc_len = SADB_8TO64(sizeof (*kmcext));
1059 1059 kmcext->sadb_x_kmc_exttype = SADB_X_EXT_KM_COOKIE;
1060 1060 kmcext->sadb_x_kmc_proto = kmp;
1061 - kmcext->sadb_x_kmc_cookie = kmc;
1062 - kmcext->sadb_x_kmc_reserved = 0;
1061 + kmcext->sadb_x_kmc_cookie64 = kmc;
1063 1062
1064 1063 return (cur);
1065 1064 }
1066 1065
1067 1066 /*
1068 1067 * Given an original message header with sufficient space following it, and an
1069 1068 * SA, construct a full PF_KEY message with all of the relevant extensions.
1070 1069 * This is mostly used for SADB_GET, and SADB_DUMP.
1071 1070 */
1072 1071 static mblk_t *
1073 1072 sadb_sa2msg(ipsa_t *ipsa, sadb_msg_t *samsg)
1074 1073 {
1075 1074 int alloclen, addrsize, paddrsize, authsize, encrsize;
1076 1075 int srcidsize, dstidsize, senslen, osenslen;
1077 1076 sa_family_t fam, pfam; /* Address family for SADB_EXT_ADDRESS */
1078 1077 /* src/dst and proxy sockaddrs. */
1079 1078 /*
1080 1079 * The following are pointers into the PF_KEY message this PF_KEY
1081 1080 * message creates.
1082 1081 */
1083 1082 sadb_msg_t *newsamsg;
1084 1083 sadb_sa_t *assoc;
1085 1084 sadb_lifetime_t *lt;
1086 1085 sadb_key_t *key;
1087 1086 sadb_ident_t *ident;
1088 1087 sadb_sens_t *sens;
1089 1088 sadb_ext_t *walker; /* For when we need a generic ext. pointer. */
1090 1089 sadb_x_replay_ctr_t *repl_ctr;
1091 1090 sadb_x_pair_t *pair_ext;
1092 1091
1093 1092 mblk_t *mp;
1094 1093 uint8_t *cur, *end;
1095 1094 /* These indicate the presence of the above extension fields. */
1096 1095 boolean_t soft = B_FALSE, hard = B_FALSE;
1097 1096 boolean_t isrc = B_FALSE, idst = B_FALSE;
1098 1097 boolean_t auth = B_FALSE, encr = B_FALSE;
1099 1098 boolean_t sensinteg = B_FALSE, osensinteg = B_FALSE;
1100 1099 boolean_t srcid = B_FALSE, dstid = B_FALSE;
1101 1100 boolean_t idle;
1102 1101 boolean_t paired;
1103 1102 uint32_t otherspi;
1104 1103
1105 1104 /* First off, figure out the allocation length for this message. */
1106 1105 /*
1107 1106 * Constant stuff. This includes base, SA, address (src, dst),
1108 1107 * and lifetime (current).
1109 1108 */
1110 1109 alloclen = sizeof (sadb_msg_t) + sizeof (sadb_sa_t) +
1111 1110 sizeof (sadb_lifetime_t);
1112 1111
1113 1112 fam = ipsa->ipsa_addrfam;
1114 1113 switch (fam) {
1115 1114 case AF_INET:
1116 1115 addrsize = roundup(sizeof (struct sockaddr_in) +
1117 1116 sizeof (sadb_address_t), sizeof (uint64_t));
1118 1117 break;
1119 1118 case AF_INET6:
1120 1119 addrsize = roundup(sizeof (struct sockaddr_in6) +
1121 1120 sizeof (sadb_address_t), sizeof (uint64_t));
1122 1121 break;
1123 1122 default:
1124 1123 return (NULL);
1125 1124 }
1126 1125 /*
1127 1126 * Allocate TWO address extensions, for source and destination.
1128 1127 * (Thus, the * 2.)
1129 1128 */
1130 1129 alloclen += addrsize * 2;
1131 1130 if (ipsa->ipsa_flags & IPSA_F_NATT_REM)
1132 1131 alloclen += addrsize;
1133 1132 if (ipsa->ipsa_flags & IPSA_F_NATT_LOC)
1134 1133 alloclen += addrsize;
1135 1134
1136 1135 if (ipsa->ipsa_flags & IPSA_F_PAIRED) {
1137 1136 paired = B_TRUE;
1138 1137 alloclen += sizeof (sadb_x_pair_t);
1139 1138 otherspi = ipsa->ipsa_otherspi;
1140 1139 } else {
1141 1140 paired = B_FALSE;
1142 1141 }
1143 1142
1144 1143 /* How 'bout other lifetimes? */
1145 1144 if (ipsa->ipsa_softaddlt != 0 || ipsa->ipsa_softuselt != 0 ||
1146 1145 ipsa->ipsa_softbyteslt != 0 || ipsa->ipsa_softalloc != 0) {
1147 1146 alloclen += sizeof (sadb_lifetime_t);
1148 1147 soft = B_TRUE;
1149 1148 }
1150 1149
1151 1150 if (ipsa->ipsa_hardaddlt != 0 || ipsa->ipsa_harduselt != 0 ||
1152 1151 ipsa->ipsa_hardbyteslt != 0 || ipsa->ipsa_hardalloc != 0) {
1153 1152 alloclen += sizeof (sadb_lifetime_t);
1154 1153 hard = B_TRUE;
1155 1154 }
1156 1155
1157 1156 if (ipsa->ipsa_idleaddlt != 0 || ipsa->ipsa_idleuselt != 0) {
1158 1157 alloclen += sizeof (sadb_lifetime_t);
1159 1158 idle = B_TRUE;
1160 1159 } else {
1161 1160 idle = B_FALSE;
1162 1161 }
1163 1162
1164 1163 /* Inner addresses. */
1165 1164 if (ipsa->ipsa_innerfam != 0) {
1166 1165 pfam = ipsa->ipsa_innerfam;
1167 1166 switch (pfam) {
1168 1167 case AF_INET6:
1169 1168 paddrsize = roundup(sizeof (struct sockaddr_in6) +
1170 1169 sizeof (sadb_address_t), sizeof (uint64_t));
1171 1170 break;
1172 1171 case AF_INET:
1173 1172 paddrsize = roundup(sizeof (struct sockaddr_in) +
1174 1173 sizeof (sadb_address_t), sizeof (uint64_t));
1175 1174 break;
1176 1175 default:
1177 1176 cmn_err(CE_PANIC,
1178 1177 "IPsec SADB: Proxy length failure.\n");
1179 1178 break;
1180 1179 }
1181 1180 isrc = B_TRUE;
1182 1181 idst = B_TRUE;
1183 1182 alloclen += 2 * paddrsize;
1184 1183 }
1185 1184
1186 1185 /* For the following fields, assume that length != 0 ==> stuff */
1187 1186 if (ipsa->ipsa_authkeylen != 0) {
1188 1187 authsize = roundup(sizeof (sadb_key_t) + ipsa->ipsa_authkeylen,
1189 1188 sizeof (uint64_t));
1190 1189 alloclen += authsize;
1191 1190 auth = B_TRUE;
1192 1191 }
1193 1192
1194 1193 if (ipsa->ipsa_encrkeylen != 0) {
1195 1194 encrsize = roundup(sizeof (sadb_key_t) + ipsa->ipsa_encrkeylen +
1196 1195 ipsa->ipsa_nonce_len, sizeof (uint64_t));
1197 1196 alloclen += encrsize;
1198 1197 encr = B_TRUE;
1199 1198 } else {
1200 1199 encr = B_FALSE;
1201 1200 }
1202 1201
1203 1202 if (ipsa->ipsa_tsl != NULL) {
1204 1203 senslen = sadb_sens_len_from_label(ipsa->ipsa_tsl);
1205 1204 alloclen += senslen;
1206 1205 sensinteg = B_TRUE;
1207 1206 }
1208 1207
1209 1208 if (ipsa->ipsa_otsl != NULL) {
1210 1209 osenslen = sadb_sens_len_from_label(ipsa->ipsa_otsl);
1211 1210 alloclen += osenslen;
1212 1211 osensinteg = B_TRUE;
1213 1212 }
1214 1213
1215 1214 /*
1216 1215 * Must use strlen() here for lengths. Identities use NULL
1217 1216 * pointers to indicate their nonexistence.
1218 1217 */
1219 1218 if (ipsa->ipsa_src_cid != NULL) {
1220 1219 srcidsize = roundup(sizeof (sadb_ident_t) +
1221 1220 strlen(ipsa->ipsa_src_cid->ipsid_cid) + 1,
1222 1221 sizeof (uint64_t));
1223 1222 alloclen += srcidsize;
1224 1223 srcid = B_TRUE;
1225 1224 }
1226 1225
1227 1226 if (ipsa->ipsa_dst_cid != NULL) {
1228 1227 dstidsize = roundup(sizeof (sadb_ident_t) +
1229 1228 strlen(ipsa->ipsa_dst_cid->ipsid_cid) + 1,
1230 1229 sizeof (uint64_t));
1231 1230 alloclen += dstidsize;
1232 1231 dstid = B_TRUE;
1233 1232 }
1234 1233
1235 1234 if ((ipsa->ipsa_kmp != 0) || (ipsa->ipsa_kmc != 0))
1236 1235 alloclen += sizeof (sadb_x_kmc_t);
1237 1236
1238 1237 if (ipsa->ipsa_replay != 0) {
1239 1238 alloclen += sizeof (sadb_x_replay_ctr_t);
1240 1239 }
1241 1240
1242 1241 /* Make sure the allocation length is a multiple of 8 bytes. */
1243 1242 ASSERT((alloclen & 0x7) == 0);
1244 1243
1245 1244 /* XXX Possibly make it esballoc, with a bzero-ing free_ftn. */
1246 1245 mp = allocb(alloclen, BPRI_HI);
1247 1246 if (mp == NULL)
1248 1247 return (NULL);
1249 1248 bzero(mp->b_rptr, alloclen);
1250 1249
1251 1250 mp->b_wptr += alloclen;
1252 1251 end = mp->b_wptr;
1253 1252 newsamsg = (sadb_msg_t *)mp->b_rptr;
1254 1253 *newsamsg = *samsg;
1255 1254 newsamsg->sadb_msg_len = (uint16_t)SADB_8TO64(alloclen);
1256 1255
1257 1256 mutex_enter(&ipsa->ipsa_lock); /* Since I'm grabbing SA fields... */
1258 1257
1259 1258 newsamsg->sadb_msg_satype = ipsa->ipsa_type;
1260 1259
1261 1260 assoc = (sadb_sa_t *)(newsamsg + 1);
1262 1261 assoc->sadb_sa_len = SADB_8TO64(sizeof (*assoc));
1263 1262 assoc->sadb_sa_exttype = SADB_EXT_SA;
1264 1263 assoc->sadb_sa_spi = ipsa->ipsa_spi;
1265 1264 assoc->sadb_sa_replay = ipsa->ipsa_replay_wsize;
1266 1265 assoc->sadb_sa_state = ipsa->ipsa_state;
1267 1266 assoc->sadb_sa_auth = ipsa->ipsa_auth_alg;
1268 1267 assoc->sadb_sa_encrypt = ipsa->ipsa_encr_alg;
1269 1268 assoc->sadb_sa_flags = ipsa->ipsa_flags;
1270 1269
1271 1270 lt = (sadb_lifetime_t *)(assoc + 1);
1272 1271 lt->sadb_lifetime_len = SADB_8TO64(sizeof (*lt));
1273 1272 lt->sadb_lifetime_exttype = SADB_EXT_LIFETIME_CURRENT;
1274 1273 /* We do not support the concept. */
1275 1274 lt->sadb_lifetime_allocations = 0;
1276 1275 lt->sadb_lifetime_bytes = ipsa->ipsa_bytes;
1277 1276 lt->sadb_lifetime_addtime = ipsa->ipsa_addtime;
1278 1277 lt->sadb_lifetime_usetime = ipsa->ipsa_usetime;
1279 1278
1280 1279 if (hard) {
1281 1280 lt++;
1282 1281 lt->sadb_lifetime_len = SADB_8TO64(sizeof (*lt));
1283 1282 lt->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD;
1284 1283 lt->sadb_lifetime_allocations = ipsa->ipsa_hardalloc;
1285 1284 lt->sadb_lifetime_bytes = ipsa->ipsa_hardbyteslt;
1286 1285 lt->sadb_lifetime_addtime = ipsa->ipsa_hardaddlt;
1287 1286 lt->sadb_lifetime_usetime = ipsa->ipsa_harduselt;
1288 1287 }
1289 1288
1290 1289 if (soft) {
1291 1290 lt++;
1292 1291 lt->sadb_lifetime_len = SADB_8TO64(sizeof (*lt));
1293 1292 lt->sadb_lifetime_exttype = SADB_EXT_LIFETIME_SOFT;
1294 1293 lt->sadb_lifetime_allocations = ipsa->ipsa_softalloc;
1295 1294 lt->sadb_lifetime_bytes = ipsa->ipsa_softbyteslt;
1296 1295 lt->sadb_lifetime_addtime = ipsa->ipsa_softaddlt;
1297 1296 lt->sadb_lifetime_usetime = ipsa->ipsa_softuselt;
1298 1297 }
1299 1298
1300 1299 if (idle) {
1301 1300 lt++;
1302 1301 lt->sadb_lifetime_len = SADB_8TO64(sizeof (*lt));
1303 1302 lt->sadb_lifetime_exttype = SADB_X_EXT_LIFETIME_IDLE;
1304 1303 lt->sadb_lifetime_addtime = ipsa->ipsa_idleaddlt;
1305 1304 lt->sadb_lifetime_usetime = ipsa->ipsa_idleuselt;
1306 1305 }
1307 1306
1308 1307 cur = (uint8_t *)(lt + 1);
1309 1308
1310 1309 /* NOTE: Don't fill in ports here if we are a tunnel-mode SA. */
1311 1310 cur = sadb_make_addr_ext(cur, end, SADB_EXT_ADDRESS_SRC, fam,
1312 1311 ipsa->ipsa_srcaddr, (!isrc && !idst) ? SA_SRCPORT(ipsa) : 0,
1313 1312 SA_PROTO(ipsa), 0);
1314 1313 if (cur == NULL) {
1315 1314 freemsg(mp);
1316 1315 mp = NULL;
1317 1316 goto bail;
1318 1317 }
1319 1318
1320 1319 cur = sadb_make_addr_ext(cur, end, SADB_EXT_ADDRESS_DST, fam,
1321 1320 ipsa->ipsa_dstaddr, (!isrc && !idst) ? SA_DSTPORT(ipsa) : 0,
1322 1321 SA_PROTO(ipsa), 0);
1323 1322 if (cur == NULL) {
1324 1323 freemsg(mp);
1325 1324 mp = NULL;
1326 1325 goto bail;
1327 1326 }
1328 1327
1329 1328 if (ipsa->ipsa_flags & IPSA_F_NATT_LOC) {
1330 1329 cur = sadb_make_addr_ext(cur, end, SADB_X_EXT_ADDRESS_NATT_LOC,
1331 1330 fam, &ipsa->ipsa_natt_addr_loc, ipsa->ipsa_local_nat_port,
1332 1331 IPPROTO_UDP, 0);
1333 1332 if (cur == NULL) {
1334 1333 freemsg(mp);
1335 1334 mp = NULL;
1336 1335 goto bail;
1337 1336 }
1338 1337 }
1339 1338
1340 1339 if (ipsa->ipsa_flags & IPSA_F_NATT_REM) {
1341 1340 cur = sadb_make_addr_ext(cur, end, SADB_X_EXT_ADDRESS_NATT_REM,
1342 1341 fam, &ipsa->ipsa_natt_addr_rem, ipsa->ipsa_remote_nat_port,
1343 1342 IPPROTO_UDP, 0);
1344 1343 if (cur == NULL) {
1345 1344 freemsg(mp);
1346 1345 mp = NULL;
1347 1346 goto bail;
1348 1347 }
1349 1348 }
1350 1349
1351 1350 /* If we are a tunnel-mode SA, fill in the inner-selectors. */
1352 1351 if (isrc) {
1353 1352 cur = sadb_make_addr_ext(cur, end, SADB_X_EXT_ADDRESS_INNER_SRC,
1354 1353 pfam, ipsa->ipsa_innersrc, SA_SRCPORT(ipsa),
1355 1354 SA_IPROTO(ipsa), ipsa->ipsa_innersrcpfx);
1356 1355 if (cur == NULL) {
1357 1356 freemsg(mp);
1358 1357 mp = NULL;
1359 1358 goto bail;
1360 1359 }
1361 1360 }
1362 1361
1363 1362 if (idst) {
1364 1363 cur = sadb_make_addr_ext(cur, end, SADB_X_EXT_ADDRESS_INNER_DST,
1365 1364 pfam, ipsa->ipsa_innerdst, SA_DSTPORT(ipsa),
1366 1365 SA_IPROTO(ipsa), ipsa->ipsa_innerdstpfx);
1367 1366 if (cur == NULL) {
1368 1367 freemsg(mp);
1369 1368 mp = NULL;
1370 1369 goto bail;
1371 1370 }
1372 1371 }
1373 1372
1374 1373 if ((ipsa->ipsa_kmp != 0) || (ipsa->ipsa_kmc != 0)) {
1375 1374 cur = sadb_make_kmc_ext(cur, end,
1376 1375 ipsa->ipsa_kmp, ipsa->ipsa_kmc);
1377 1376 if (cur == NULL) {
1378 1377 freemsg(mp);
1379 1378 mp = NULL;
1380 1379 goto bail;
1381 1380 }
1382 1381 }
1383 1382
1384 1383 walker = (sadb_ext_t *)cur;
1385 1384 if (auth) {
1386 1385 key = (sadb_key_t *)walker;
1387 1386 key->sadb_key_len = SADB_8TO64(authsize);
1388 1387 key->sadb_key_exttype = SADB_EXT_KEY_AUTH;
1389 1388 key->sadb_key_bits = ipsa->ipsa_authkeybits;
1390 1389 key->sadb_key_reserved = 0;
1391 1390 bcopy(ipsa->ipsa_authkey, key + 1, ipsa->ipsa_authkeylen);
1392 1391 walker = (sadb_ext_t *)((uint64_t *)walker +
1393 1392 walker->sadb_ext_len);
1394 1393 }
1395 1394
1396 1395 if (encr) {
1397 1396 uint8_t *buf_ptr;
1398 1397 key = (sadb_key_t *)walker;
1399 1398 key->sadb_key_len = SADB_8TO64(encrsize);
1400 1399 key->sadb_key_exttype = SADB_EXT_KEY_ENCRYPT;
1401 1400 key->sadb_key_bits = ipsa->ipsa_encrkeybits;
1402 1401 key->sadb_key_reserved = ipsa->ipsa_saltbits;
1403 1402 buf_ptr = (uint8_t *)(key + 1);
1404 1403 bcopy(ipsa->ipsa_encrkey, buf_ptr, ipsa->ipsa_encrkeylen);
1405 1404 if (ipsa->ipsa_salt != NULL) {
1406 1405 buf_ptr += ipsa->ipsa_encrkeylen;
1407 1406 bcopy(ipsa->ipsa_salt, buf_ptr, ipsa->ipsa_saltlen);
1408 1407 }
1409 1408 walker = (sadb_ext_t *)((uint64_t *)walker +
1410 1409 walker->sadb_ext_len);
1411 1410 }
1412 1411
1413 1412 if (srcid) {
1414 1413 ident = (sadb_ident_t *)walker;
1415 1414 ident->sadb_ident_len = SADB_8TO64(srcidsize);
1416 1415 ident->sadb_ident_exttype = SADB_EXT_IDENTITY_SRC;
1417 1416 ident->sadb_ident_type = ipsa->ipsa_src_cid->ipsid_type;
1418 1417 ident->sadb_ident_id = 0;
1419 1418 ident->sadb_ident_reserved = 0;
1420 1419 (void) strcpy((char *)(ident + 1),
1421 1420 ipsa->ipsa_src_cid->ipsid_cid);
1422 1421 walker = (sadb_ext_t *)((uint64_t *)walker +
1423 1422 walker->sadb_ext_len);
1424 1423 }
1425 1424
1426 1425 if (dstid) {
1427 1426 ident = (sadb_ident_t *)walker;
1428 1427 ident->sadb_ident_len = SADB_8TO64(dstidsize);
1429 1428 ident->sadb_ident_exttype = SADB_EXT_IDENTITY_DST;
1430 1429 ident->sadb_ident_type = ipsa->ipsa_dst_cid->ipsid_type;
1431 1430 ident->sadb_ident_id = 0;
1432 1431 ident->sadb_ident_reserved = 0;
1433 1432 (void) strcpy((char *)(ident + 1),
1434 1433 ipsa->ipsa_dst_cid->ipsid_cid);
1435 1434 walker = (sadb_ext_t *)((uint64_t *)walker +
1436 1435 walker->sadb_ext_len);
1437 1436 }
1438 1437
1439 1438 if (sensinteg) {
1440 1439 sens = (sadb_sens_t *)walker;
1441 1440 sadb_sens_from_label(sens, SADB_EXT_SENSITIVITY,
1442 1441 ipsa->ipsa_tsl, senslen);
1443 1442
1444 1443 walker = (sadb_ext_t *)((uint64_t *)walker +
1445 1444 walker->sadb_ext_len);
1446 1445 }
1447 1446
1448 1447 if (osensinteg) {
1449 1448 sens = (sadb_sens_t *)walker;
1450 1449
1451 1450 sadb_sens_from_label(sens, SADB_X_EXT_OUTER_SENS,
1452 1451 ipsa->ipsa_otsl, osenslen);
1453 1452 if (ipsa->ipsa_mac_exempt)
1454 1453 sens->sadb_x_sens_flags = SADB_X_SENS_IMPLICIT;
1455 1454
1456 1455 walker = (sadb_ext_t *)((uint64_t *)walker +
1457 1456 walker->sadb_ext_len);
1458 1457 }
1459 1458
1460 1459 if (paired) {
1461 1460 pair_ext = (sadb_x_pair_t *)walker;
1462 1461
1463 1462 pair_ext->sadb_x_pair_len = SADB_8TO64(sizeof (sadb_x_pair_t));
1464 1463 pair_ext->sadb_x_pair_exttype = SADB_X_EXT_PAIR;
1465 1464 pair_ext->sadb_x_pair_spi = otherspi;
1466 1465
1467 1466 walker = (sadb_ext_t *)((uint64_t *)walker +
1468 1467 walker->sadb_ext_len);
1469 1468 }
1470 1469
1471 1470 if (ipsa->ipsa_replay != 0) {
1472 1471 repl_ctr = (sadb_x_replay_ctr_t *)walker;
1473 1472 repl_ctr->sadb_x_rc_len = SADB_8TO64(sizeof (*repl_ctr));
1474 1473 repl_ctr->sadb_x_rc_exttype = SADB_X_EXT_REPLAY_VALUE;
1475 1474 repl_ctr->sadb_x_rc_replay32 = ipsa->ipsa_replay;
1476 1475 repl_ctr->sadb_x_rc_replay64 = 0;
1477 1476 walker = (sadb_ext_t *)(repl_ctr + 1);
1478 1477 }
1479 1478
1480 1479 bail:
1481 1480 /* Pardon any delays... */
1482 1481 mutex_exit(&ipsa->ipsa_lock);
1483 1482
1484 1483 return (mp);
1485 1484 }
1486 1485
1487 1486 /*
1488 1487 * Strip out key headers or unmarked headers (SADB_EXT_KEY_*, SADB_EXT_UNKNOWN)
1489 1488 * and adjust base message accordingly.
1490 1489 *
1491 1490 * Assume message is pulled up in one piece of contiguous memory.
1492 1491 *
1493 1492 * Say if we start off with:
1494 1493 *
1495 1494 * +------+----+-------------+-----------+---------------+---------------+
1496 1495 * | base | SA | source addr | dest addr | rsrvd. or key | soft lifetime |
1497 1496 * +------+----+-------------+-----------+---------------+---------------+
1498 1497 *
1499 1498 * we will end up with
1500 1499 *
1501 1500 * +------+----+-------------+-----------+---------------+
1502 1501 * | base | SA | source addr | dest addr | soft lifetime |
1503 1502 * +------+----+-------------+-----------+---------------+
1504 1503 */
1505 1504 static void
1506 1505 sadb_strip(sadb_msg_t *samsg)
1507 1506 {
1508 1507 sadb_ext_t *ext;
1509 1508 uint8_t *target = NULL;
1510 1509 uint8_t *msgend;
1511 1510 int sofar = SADB_8TO64(sizeof (*samsg));
1512 1511 int copylen;
1513 1512
1514 1513 ext = (sadb_ext_t *)(samsg + 1);
1515 1514 msgend = (uint8_t *)samsg;
1516 1515 msgend += SADB_64TO8(samsg->sadb_msg_len);
1517 1516 while ((uint8_t *)ext < msgend) {
1518 1517 if (ext->sadb_ext_type == SADB_EXT_RESERVED ||
1519 1518 ext->sadb_ext_type == SADB_EXT_KEY_AUTH ||
1520 1519 ext->sadb_ext_type == SADB_X_EXT_EDUMP ||
1521 1520 ext->sadb_ext_type == SADB_EXT_KEY_ENCRYPT) {
1522 1521 /*
1523 1522 * Aha! I found a header to be erased.
1524 1523 */
1525 1524
1526 1525 if (target != NULL) {
1527 1526 /*
1528 1527 * If I had a previous header to be erased,
1529 1528 * copy over it. I can get away with just
1530 1529 * copying backwards because the target will
1531 1530 * always be 8 bytes behind the source.
1532 1531 */
1533 1532 copylen = ((uint8_t *)ext) - (target +
1534 1533 SADB_64TO8(
1535 1534 ((sadb_ext_t *)target)->sadb_ext_len));
1536 1535 ovbcopy(((uint8_t *)ext - copylen), target,
1537 1536 copylen);
1538 1537 target += copylen;
1539 1538 ((sadb_ext_t *)target)->sadb_ext_len =
1540 1539 SADB_8TO64(((uint8_t *)ext) - target +
1541 1540 SADB_64TO8(ext->sadb_ext_len));
1542 1541 } else {
1543 1542 target = (uint8_t *)ext;
1544 1543 }
1545 1544 } else {
1546 1545 sofar += ext->sadb_ext_len;
1547 1546 }
1548 1547
1549 1548 ext = (sadb_ext_t *)(((uint64_t *)ext) + ext->sadb_ext_len);
1550 1549 }
1551 1550
1552 1551 ASSERT((uint8_t *)ext == msgend);
1553 1552
1554 1553 if (target != NULL) {
1555 1554 copylen = ((uint8_t *)ext) - (target +
1556 1555 SADB_64TO8(((sadb_ext_t *)target)->sadb_ext_len));
1557 1556 if (copylen != 0)
1558 1557 ovbcopy(((uint8_t *)ext - copylen), target, copylen);
1559 1558 }
1560 1559
1561 1560 /* Adjust samsg. */
1562 1561 samsg->sadb_msg_len = (uint16_t)sofar;
1563 1562
1564 1563 /* Assume all of the rest is cleared by caller in sadb_pfkey_echo(). */
1565 1564 }
1566 1565
1567 1566 /*
1568 1567 * AH needs to send an error to PF_KEY. Assume mp points to an M_CTL
1569 1568 * followed by an M_DATA with a PF_KEY message in it. The serial of
1570 1569 * the sending keysock instance is included.
1571 1570 */
1572 1571 void
1573 1572 sadb_pfkey_error(queue_t *pfkey_q, mblk_t *mp, int error, int diagnostic,
1574 1573 uint_t serial)
1575 1574 {
1576 1575 mblk_t *msg = mp->b_cont;
1577 1576 sadb_msg_t *samsg;
1578 1577 keysock_out_t *kso;
1579 1578
1580 1579 /*
1581 1580 * Enough functions call this to merit a NULL queue check.
1582 1581 */
1583 1582 if (pfkey_q == NULL) {
1584 1583 freemsg(mp);
1585 1584 return;
1586 1585 }
1587 1586
1588 1587 ASSERT(msg != NULL);
1589 1588 ASSERT((mp->b_wptr - mp->b_rptr) == sizeof (ipsec_info_t));
1590 1589 ASSERT((msg->b_wptr - msg->b_rptr) >= sizeof (sadb_msg_t));
1591 1590 samsg = (sadb_msg_t *)msg->b_rptr;
1592 1591 kso = (keysock_out_t *)mp->b_rptr;
1593 1592
1594 1593 kso->ks_out_type = KEYSOCK_OUT;
1595 1594 kso->ks_out_len = sizeof (*kso);
1596 1595 kso->ks_out_serial = serial;
1597 1596
1598 1597 /*
1599 1598 * Only send the base message up in the event of an error.
1600 1599 * Don't worry about bzero()-ing, because it was probably bogus
1601 1600 * anyway.
1602 1601 */
1603 1602 msg->b_wptr = msg->b_rptr + sizeof (*samsg);
1604 1603 samsg = (sadb_msg_t *)msg->b_rptr;
1605 1604 samsg->sadb_msg_len = SADB_8TO64(sizeof (*samsg));
1606 1605 samsg->sadb_msg_errno = (uint8_t)error;
1607 1606 if (diagnostic != SADB_X_DIAGNOSTIC_PRESET)
1608 1607 samsg->sadb_x_msg_diagnostic = (uint16_t)diagnostic;
1609 1608
1610 1609 putnext(pfkey_q, mp);
1611 1610 }
1612 1611
1613 1612 /*
1614 1613 * Send a successful return packet back to keysock via the queue in pfkey_q.
1615 1614 *
1616 1615 * Often, an SA is associated with the reply message, it's passed in if needed,
1617 1616 * and NULL if not. BTW, that ipsa will have its refcnt appropriately held,
1618 1617 * and the caller will release said refcnt.
1619 1618 */
1620 1619 void
1621 1620 sadb_pfkey_echo(queue_t *pfkey_q, mblk_t *mp, sadb_msg_t *samsg,
1622 1621 keysock_in_t *ksi, ipsa_t *ipsa)
1623 1622 {
1624 1623 keysock_out_t *kso;
1625 1624 mblk_t *mp1;
1626 1625 sadb_msg_t *newsamsg;
1627 1626 uint8_t *oldend;
1628 1627
1629 1628 ASSERT((mp->b_cont != NULL) &&
1630 1629 ((void *)samsg == (void *)mp->b_cont->b_rptr) &&
1631 1630 ((void *)mp->b_rptr == (void *)ksi));
1632 1631
1633 1632 switch (samsg->sadb_msg_type) {
1634 1633 case SADB_ADD:
1635 1634 case SADB_UPDATE:
1636 1635 case SADB_X_UPDATEPAIR:
1637 1636 case SADB_X_DELPAIR_STATE:
1638 1637 case SADB_FLUSH:
1639 1638 case SADB_DUMP:
1640 1639 /*
1641 1640 * I have all of the message already. I just need to strip
1642 1641 * out the keying material and echo the message back.
1643 1642 *
1644 1643 * NOTE: for SADB_DUMP, the function sadb_dump() did the
1645 1644 * work. When DUMP reaches here, it should only be a base
1646 1645 * message.
1647 1646 */
1648 1647 justecho:
1649 1648 if (ksi->ks_in_extv[SADB_EXT_KEY_AUTH] != NULL ||
1650 1649 ksi->ks_in_extv[SADB_EXT_KEY_ENCRYPT] != NULL ||
1651 1650 ksi->ks_in_extv[SADB_X_EXT_EDUMP] != NULL) {
1652 1651 sadb_strip(samsg);
1653 1652 /* Assume PF_KEY message is contiguous. */
1654 1653 ASSERT(mp->b_cont->b_cont == NULL);
1655 1654 oldend = mp->b_cont->b_wptr;
1656 1655 mp->b_cont->b_wptr = mp->b_cont->b_rptr +
1657 1656 SADB_64TO8(samsg->sadb_msg_len);
1658 1657 bzero(mp->b_cont->b_wptr, oldend - mp->b_cont->b_wptr);
1659 1658 }
1660 1659 break;
1661 1660 case SADB_GET:
1662 1661 /*
1663 1662 * Do a lot of work here, because of the ipsa I just found.
1664 1663 * First construct the new PF_KEY message, then abandon
1665 1664 * the old one.
1666 1665 */
1667 1666 mp1 = sadb_sa2msg(ipsa, samsg);
1668 1667 if (mp1 == NULL) {
1669 1668 sadb_pfkey_error(pfkey_q, mp, ENOMEM,
1670 1669 SADB_X_DIAGNOSTIC_NONE, ksi->ks_in_serial);
1671 1670 return;
1672 1671 }
1673 1672 freemsg(mp->b_cont);
1674 1673 mp->b_cont = mp1;
1675 1674 break;
1676 1675 case SADB_DELETE:
1677 1676 case SADB_X_DELPAIR:
1678 1677 if (ipsa == NULL)
1679 1678 goto justecho;
1680 1679 /*
1681 1680 * Because listening KMds may require more info, treat
1682 1681 * DELETE like a special case of GET.
1683 1682 */
1684 1683 mp1 = sadb_sa2msg(ipsa, samsg);
1685 1684 if (mp1 == NULL) {
1686 1685 sadb_pfkey_error(pfkey_q, mp, ENOMEM,
1687 1686 SADB_X_DIAGNOSTIC_NONE, ksi->ks_in_serial);
1688 1687 return;
1689 1688 }
1690 1689 newsamsg = (sadb_msg_t *)mp1->b_rptr;
1691 1690 sadb_strip(newsamsg);
1692 1691 oldend = mp1->b_wptr;
1693 1692 mp1->b_wptr = mp1->b_rptr + SADB_64TO8(newsamsg->sadb_msg_len);
1694 1693 bzero(mp1->b_wptr, oldend - mp1->b_wptr);
1695 1694 freemsg(mp->b_cont);
1696 1695 mp->b_cont = mp1;
1697 1696 break;
1698 1697 default:
1699 1698 if (mp != NULL)
1700 1699 freemsg(mp);
1701 1700 return;
1702 1701 }
1703 1702
1704 1703 /* ksi is now null and void. */
1705 1704 kso = (keysock_out_t *)ksi;
1706 1705 kso->ks_out_type = KEYSOCK_OUT;
1707 1706 kso->ks_out_len = sizeof (*kso);
1708 1707 kso->ks_out_serial = ksi->ks_in_serial;
1709 1708 /* We're ready to send... */
1710 1709 putnext(pfkey_q, mp);
1711 1710 }
1712 1711
1713 1712 /*
1714 1713 * Set up a global pfkey_q instance for AH, ESP, or some other consumer.
1715 1714 */
1716 1715 void
1717 1716 sadb_keysock_hello(queue_t **pfkey_qp, queue_t *q, mblk_t *mp,
1718 1717 void (*ager)(void *), void *agerarg, timeout_id_t *top, int satype)
1719 1718 {
1720 1719 keysock_hello_ack_t *kha;
1721 1720 queue_t *oldq;
1722 1721
1723 1722 ASSERT(OTHERQ(q) != NULL);
1724 1723
1725 1724 /*
1726 1725 * First, check atomically that I'm the first and only keysock
1727 1726 * instance.
1728 1727 *
1729 1728 * Use OTHERQ(q), because qreply(q, mp) == putnext(OTHERQ(q), mp),
1730 1729 * and I want this module to say putnext(*_pfkey_q, mp) for PF_KEY
1731 1730 * messages.
1732 1731 */
1733 1732
1734 1733 oldq = atomic_cas_ptr((void **)pfkey_qp, NULL, OTHERQ(q));
1735 1734 if (oldq != NULL) {
1736 1735 ASSERT(oldq != q);
1737 1736 cmn_err(CE_WARN, "Danger! Multiple keysocks on top of %s.\n",
1738 1737 (satype == SADB_SATYPE_ESP)? "ESP" : "AH or other");
1739 1738 freemsg(mp);
1740 1739 return;
1741 1740 }
1742 1741
1743 1742 kha = (keysock_hello_ack_t *)mp->b_rptr;
1744 1743 kha->ks_hello_len = sizeof (keysock_hello_ack_t);
1745 1744 kha->ks_hello_type = KEYSOCK_HELLO_ACK;
1746 1745 kha->ks_hello_satype = (uint8_t)satype;
1747 1746
1748 1747 /*
1749 1748 * If we made it past the atomic_cas_ptr, then we have "exclusive"
1750 1749 * access to the timeout handle. Fire it off after the default ager
1751 1750 * interval.
1752 1751 */
1753 1752 *top = qtimeout(*pfkey_qp, ager, agerarg,
1754 1753 drv_usectohz(SADB_AGE_INTERVAL_DEFAULT * 1000));
1755 1754
1756 1755 putnext(*pfkey_qp, mp);
1757 1756 }
1758 1757
1759 1758 /*
1760 1759 * Normalize IPv4-mapped IPv6 addresses (and prefixes) as appropriate.
1761 1760 *
1762 1761 * Check addresses themselves for wildcard or multicast.
1763 1762 * Check ire table for local/non-local/broadcast.
1764 1763 */
1765 1764 int
1766 1765 sadb_addrcheck(queue_t *pfkey_q, mblk_t *mp, sadb_ext_t *ext, uint_t serial,
1767 1766 netstack_t *ns)
1768 1767 {
1769 1768 sadb_address_t *addr = (sadb_address_t *)ext;
1770 1769 struct sockaddr_in *sin;
1771 1770 struct sockaddr_in6 *sin6;
1772 1771 int diagnostic, type;
1773 1772 boolean_t normalized = B_FALSE;
1774 1773
1775 1774 ASSERT(ext != NULL);
1776 1775 ASSERT((ext->sadb_ext_type == SADB_EXT_ADDRESS_SRC) ||
1777 1776 (ext->sadb_ext_type == SADB_EXT_ADDRESS_DST) ||
1778 1777 (ext->sadb_ext_type == SADB_X_EXT_ADDRESS_INNER_SRC) ||
1779 1778 (ext->sadb_ext_type == SADB_X_EXT_ADDRESS_INNER_DST) ||
1780 1779 (ext->sadb_ext_type == SADB_X_EXT_ADDRESS_NATT_LOC) ||
1781 1780 (ext->sadb_ext_type == SADB_X_EXT_ADDRESS_NATT_REM));
1782 1781
1783 1782 /* Assign both sockaddrs, the compiler will do the right thing. */
1784 1783 sin = (struct sockaddr_in *)(addr + 1);
1785 1784 sin6 = (struct sockaddr_in6 *)(addr + 1);
1786 1785
1787 1786 if (sin6->sin6_family == AF_INET6) {
1788 1787 if (IN6_IS_ADDR_V4MAPPED(&sin6->sin6_addr)) {
1789 1788 /*
1790 1789 * Convert to an AF_INET sockaddr. This means the
1791 1790 * return messages will have the extra space, but have
1792 1791 * AF_INET sockaddrs instead of AF_INET6.
1793 1792 *
1794 1793 * Yes, RFC 2367 isn't clear on what to do here w.r.t.
1795 1794 * mapped addresses, but since AF_INET6 ::ffff:<v4> is
1796 1795 * equal to AF_INET <v4>, it shouldnt be a huge
1797 1796 * problem.
1798 1797 */
1799 1798 sin->sin_family = AF_INET;
1800 1799 IN6_V4MAPPED_TO_INADDR(&sin6->sin6_addr,
1801 1800 &sin->sin_addr);
1802 1801 bzero(&sin->sin_zero, sizeof (sin->sin_zero));
1803 1802 normalized = B_TRUE;
1804 1803 }
1805 1804 } else if (sin->sin_family != AF_INET) {
1806 1805 switch (ext->sadb_ext_type) {
1807 1806 case SADB_EXT_ADDRESS_SRC:
1808 1807 diagnostic = SADB_X_DIAGNOSTIC_BAD_SRC_AF;
1809 1808 break;
1810 1809 case SADB_EXT_ADDRESS_DST:
1811 1810 diagnostic = SADB_X_DIAGNOSTIC_BAD_DST_AF;
1812 1811 break;
1813 1812 case SADB_X_EXT_ADDRESS_INNER_SRC:
1814 1813 diagnostic = SADB_X_DIAGNOSTIC_BAD_PROXY_AF;
1815 1814 break;
1816 1815 case SADB_X_EXT_ADDRESS_INNER_DST:
1817 1816 diagnostic = SADB_X_DIAGNOSTIC_BAD_INNER_DST_AF;
1818 1817 break;
1819 1818 case SADB_X_EXT_ADDRESS_NATT_LOC:
1820 1819 diagnostic = SADB_X_DIAGNOSTIC_BAD_NATT_LOC_AF;
1821 1820 break;
1822 1821 case SADB_X_EXT_ADDRESS_NATT_REM:
1823 1822 diagnostic = SADB_X_DIAGNOSTIC_BAD_NATT_REM_AF;
1824 1823 break;
1825 1824 /* There is no default, see above ASSERT. */
1826 1825 }
1827 1826 bail:
1828 1827 if (pfkey_q != NULL) {
1829 1828 sadb_pfkey_error(pfkey_q, mp, EINVAL, diagnostic,
1830 1829 serial);
1831 1830 } else {
1832 1831 /*
1833 1832 * Scribble in sadb_msg that we got passed in.
1834 1833 * Overload "mp" to be an sadb_msg pointer.
1835 1834 */
1836 1835 sadb_msg_t *samsg = (sadb_msg_t *)mp;
1837 1836
1838 1837 samsg->sadb_msg_errno = EINVAL;
1839 1838 samsg->sadb_x_msg_diagnostic = diagnostic;
1840 1839 }
1841 1840 return (KS_IN_ADDR_UNKNOWN);
1842 1841 }
1843 1842
1844 1843 if (ext->sadb_ext_type == SADB_X_EXT_ADDRESS_INNER_SRC ||
1845 1844 ext->sadb_ext_type == SADB_X_EXT_ADDRESS_INNER_DST) {
1846 1845 /*
1847 1846 * We need only check for prefix issues.
1848 1847 */
1849 1848
1850 1849 /* Set diagnostic now, in case we need it later. */
1851 1850 diagnostic =
1852 1851 (ext->sadb_ext_type == SADB_X_EXT_ADDRESS_INNER_SRC) ?
1853 1852 SADB_X_DIAGNOSTIC_PREFIX_INNER_SRC :
1854 1853 SADB_X_DIAGNOSTIC_PREFIX_INNER_DST;
1855 1854
1856 1855 if (normalized)
1857 1856 addr->sadb_address_prefixlen -= 96;
1858 1857
1859 1858 /*
1860 1859 * Verify and mask out inner-addresses based on prefix length.
1861 1860 */
1862 1861 if (sin->sin_family == AF_INET) {
1863 1862 if (addr->sadb_address_prefixlen > 32)
1864 1863 goto bail;
1865 1864 sin->sin_addr.s_addr &=
1866 1865 ip_plen_to_mask(addr->sadb_address_prefixlen);
1867 1866 } else {
1868 1867 in6_addr_t mask;
1869 1868
1870 1869 ASSERT(sin->sin_family == AF_INET6);
1871 1870 /*
1872 1871 * ip_plen_to_mask_v6() returns NULL if the value in
1873 1872 * question is out of range.
1874 1873 */
1875 1874 if (ip_plen_to_mask_v6(addr->sadb_address_prefixlen,
1876 1875 &mask) == NULL)
1877 1876 goto bail;
1878 1877 sin6->sin6_addr.s6_addr32[0] &= mask.s6_addr32[0];
1879 1878 sin6->sin6_addr.s6_addr32[1] &= mask.s6_addr32[1];
1880 1879 sin6->sin6_addr.s6_addr32[2] &= mask.s6_addr32[2];
1881 1880 sin6->sin6_addr.s6_addr32[3] &= mask.s6_addr32[3];
1882 1881 }
1883 1882
1884 1883 /* We don't care in these cases. */
1885 1884 return (KS_IN_ADDR_DONTCARE);
1886 1885 }
1887 1886
1888 1887 if (sin->sin_family == AF_INET6) {
1889 1888 /* Check the easy ones now. */
1890 1889 if (IN6_IS_ADDR_MULTICAST(&sin6->sin6_addr))
1891 1890 return (KS_IN_ADDR_MBCAST);
1892 1891 if (IN6_IS_ADDR_UNSPECIFIED(&sin6->sin6_addr))
1893 1892 return (KS_IN_ADDR_UNSPEC);
1894 1893 /*
1895 1894 * At this point, we're a unicast IPv6 address.
1896 1895 *
1897 1896 * XXX Zones alert -> me/notme decision needs to be tempered
1898 1897 * by what zone we're in when we go to zone-aware IPsec.
1899 1898 */
1900 1899 if (ip_type_v6(&sin6->sin6_addr, ns->netstack_ip) ==
1901 1900 IRE_LOCAL) {
1902 1901 /* Hey hey, it's local. */
1903 1902 return (KS_IN_ADDR_ME);
1904 1903 }
1905 1904 } else {
1906 1905 ASSERT(sin->sin_family == AF_INET);
1907 1906 if (sin->sin_addr.s_addr == INADDR_ANY)
1908 1907 return (KS_IN_ADDR_UNSPEC);
1909 1908 if (CLASSD(sin->sin_addr.s_addr))
1910 1909 return (KS_IN_ADDR_MBCAST);
1911 1910 /*
1912 1911 * At this point we're a unicast or broadcast IPv4 address.
1913 1912 *
1914 1913 * Check if the address is IRE_BROADCAST or IRE_LOCAL.
1915 1914 *
1916 1915 * XXX Zones alert -> me/notme decision needs to be tempered
1917 1916 * by what zone we're in when we go to zone-aware IPsec.
1918 1917 */
1919 1918 type = ip_type_v4(sin->sin_addr.s_addr, ns->netstack_ip);
1920 1919 switch (type) {
1921 1920 case IRE_LOCAL:
1922 1921 return (KS_IN_ADDR_ME);
1923 1922 case IRE_BROADCAST:
1924 1923 return (KS_IN_ADDR_MBCAST);
1925 1924 }
1926 1925 }
1927 1926
1928 1927 return (KS_IN_ADDR_NOTME);
1929 1928 }
1930 1929
1931 1930 /*
1932 1931 * Address normalizations and reality checks for inbound PF_KEY messages.
1933 1932 *
1934 1933 * For the case of src == unspecified AF_INET6, and dst == AF_INET, convert
1935 1934 * the source to AF_INET. Do the same for the inner sources.
1936 1935 */
1937 1936 boolean_t
1938 1937 sadb_addrfix(keysock_in_t *ksi, queue_t *pfkey_q, mblk_t *mp, netstack_t *ns)
1939 1938 {
1940 1939 struct sockaddr_in *src, *isrc;
1941 1940 struct sockaddr_in6 *dst, *idst;
1942 1941 sadb_address_t *srcext, *dstext;
1943 1942 uint16_t sport;
1944 1943 sadb_ext_t **extv = ksi->ks_in_extv;
1945 1944 int rc;
1946 1945
1947 1946 if (extv[SADB_EXT_ADDRESS_SRC] != NULL) {
1948 1947 rc = sadb_addrcheck(pfkey_q, mp, extv[SADB_EXT_ADDRESS_SRC],
1949 1948 ksi->ks_in_serial, ns);
1950 1949 if (rc == KS_IN_ADDR_UNKNOWN)
1951 1950 return (B_FALSE);
1952 1951 if (rc == KS_IN_ADDR_MBCAST) {
1953 1952 sadb_pfkey_error(pfkey_q, mp, EINVAL,
1954 1953 SADB_X_DIAGNOSTIC_BAD_SRC, ksi->ks_in_serial);
1955 1954 return (B_FALSE);
1956 1955 }
1957 1956 ksi->ks_in_srctype = rc;
1958 1957 }
1959 1958
1960 1959 if (extv[SADB_EXT_ADDRESS_DST] != NULL) {
1961 1960 rc = sadb_addrcheck(pfkey_q, mp, extv[SADB_EXT_ADDRESS_DST],
1962 1961 ksi->ks_in_serial, ns);
1963 1962 if (rc == KS_IN_ADDR_UNKNOWN)
1964 1963 return (B_FALSE);
1965 1964 if (rc == KS_IN_ADDR_UNSPEC) {
1966 1965 sadb_pfkey_error(pfkey_q, mp, EINVAL,
1967 1966 SADB_X_DIAGNOSTIC_BAD_DST, ksi->ks_in_serial);
1968 1967 return (B_FALSE);
1969 1968 }
1970 1969 ksi->ks_in_dsttype = rc;
1971 1970 }
1972 1971
1973 1972 /*
1974 1973 * NAT-Traversal addrs are simple enough to not require all of
1975 1974 * the checks in sadb_addrcheck(). Just normalize or reject if not
1976 1975 * AF_INET.
1977 1976 */
1978 1977 if (extv[SADB_X_EXT_ADDRESS_NATT_LOC] != NULL) {
1979 1978 rc = sadb_addrcheck(pfkey_q, mp,
1980 1979 extv[SADB_X_EXT_ADDRESS_NATT_LOC], ksi->ks_in_serial, ns);
1981 1980
1982 1981 /*
1983 1982 * Local NAT-T addresses never use an IRE_LOCAL, so it should
1984 1983 * always be NOTME, or UNSPEC (to handle both tunnel mode
1985 1984 * AND local-port flexibility).
1986 1985 */
1987 1986 if (rc != KS_IN_ADDR_NOTME && rc != KS_IN_ADDR_UNSPEC) {
1988 1987 sadb_pfkey_error(pfkey_q, mp, EINVAL,
1989 1988 SADB_X_DIAGNOSTIC_MALFORMED_NATT_LOC,
1990 1989 ksi->ks_in_serial);
1991 1990 return (B_FALSE);
1992 1991 }
1993 1992 src = (struct sockaddr_in *)
1994 1993 (((sadb_address_t *)extv[SADB_X_EXT_ADDRESS_NATT_LOC]) + 1);
1995 1994 if (src->sin_family != AF_INET) {
1996 1995 sadb_pfkey_error(pfkey_q, mp, EINVAL,
1997 1996 SADB_X_DIAGNOSTIC_BAD_NATT_LOC_AF,
1998 1997 ksi->ks_in_serial);
1999 1998 return (B_FALSE);
2000 1999 }
2001 2000 }
2002 2001
2003 2002 if (extv[SADB_X_EXT_ADDRESS_NATT_REM] != NULL) {
2004 2003 rc = sadb_addrcheck(pfkey_q, mp,
2005 2004 extv[SADB_X_EXT_ADDRESS_NATT_REM], ksi->ks_in_serial, ns);
2006 2005
2007 2006 /*
2008 2007 * Remote NAT-T addresses never use an IRE_LOCAL, so it should
2009 2008 * always be NOTME, or UNSPEC if it's a tunnel-mode SA.
2010 2009 */
2011 2010 if (rc != KS_IN_ADDR_NOTME &&
2012 2011 !(extv[SADB_X_EXT_ADDRESS_INNER_SRC] != NULL &&
2013 2012 rc == KS_IN_ADDR_UNSPEC)) {
2014 2013 sadb_pfkey_error(pfkey_q, mp, EINVAL,
2015 2014 SADB_X_DIAGNOSTIC_MALFORMED_NATT_REM,
2016 2015 ksi->ks_in_serial);
2017 2016 return (B_FALSE);
2018 2017 }
2019 2018 src = (struct sockaddr_in *)
2020 2019 (((sadb_address_t *)extv[SADB_X_EXT_ADDRESS_NATT_REM]) + 1);
2021 2020 if (src->sin_family != AF_INET) {
2022 2021 sadb_pfkey_error(pfkey_q, mp, EINVAL,
2023 2022 SADB_X_DIAGNOSTIC_BAD_NATT_REM_AF,
2024 2023 ksi->ks_in_serial);
2025 2024 return (B_FALSE);
2026 2025 }
2027 2026 }
2028 2027
2029 2028 if (extv[SADB_X_EXT_ADDRESS_INNER_SRC] != NULL) {
2030 2029 if (extv[SADB_X_EXT_ADDRESS_INNER_DST] == NULL) {
2031 2030 sadb_pfkey_error(pfkey_q, mp, EINVAL,
2032 2031 SADB_X_DIAGNOSTIC_MISSING_INNER_DST,
2033 2032 ksi->ks_in_serial);
2034 2033 return (B_FALSE);
2035 2034 }
2036 2035
2037 2036 if (sadb_addrcheck(pfkey_q, mp,
2038 2037 extv[SADB_X_EXT_ADDRESS_INNER_DST], ksi->ks_in_serial, ns)
2039 2038 == KS_IN_ADDR_UNKNOWN ||
2040 2039 sadb_addrcheck(pfkey_q, mp,
2041 2040 extv[SADB_X_EXT_ADDRESS_INNER_SRC], ksi->ks_in_serial, ns)
2042 2041 == KS_IN_ADDR_UNKNOWN)
2043 2042 return (B_FALSE);
2044 2043
2045 2044 isrc = (struct sockaddr_in *)
2046 2045 (((sadb_address_t *)extv[SADB_X_EXT_ADDRESS_INNER_SRC]) +
2047 2046 1);
2048 2047 idst = (struct sockaddr_in6 *)
2049 2048 (((sadb_address_t *)extv[SADB_X_EXT_ADDRESS_INNER_DST]) +
2050 2049 1);
2051 2050 if (isrc->sin_family != idst->sin6_family) {
2052 2051 sadb_pfkey_error(pfkey_q, mp, EINVAL,
2053 2052 SADB_X_DIAGNOSTIC_INNER_AF_MISMATCH,
2054 2053 ksi->ks_in_serial);
2055 2054 return (B_FALSE);
2056 2055 }
2057 2056 } else if (extv[SADB_X_EXT_ADDRESS_INNER_DST] != NULL) {
2058 2057 sadb_pfkey_error(pfkey_q, mp, EINVAL,
2059 2058 SADB_X_DIAGNOSTIC_MISSING_INNER_SRC,
2060 2059 ksi->ks_in_serial);
2061 2060 return (B_FALSE);
2062 2061 } else {
2063 2062 isrc = NULL; /* For inner/outer port check below. */
2064 2063 }
2065 2064
2066 2065 dstext = (sadb_address_t *)extv[SADB_EXT_ADDRESS_DST];
2067 2066 srcext = (sadb_address_t *)extv[SADB_EXT_ADDRESS_SRC];
2068 2067
2069 2068 if (dstext == NULL || srcext == NULL)
2070 2069 return (B_TRUE);
2071 2070
2072 2071 dst = (struct sockaddr_in6 *)(dstext + 1);
2073 2072 src = (struct sockaddr_in *)(srcext + 1);
2074 2073
2075 2074 if (isrc != NULL &&
2076 2075 (isrc->sin_port != 0 || idst->sin6_port != 0) &&
2077 2076 (src->sin_port != 0 || dst->sin6_port != 0)) {
2078 2077 /* Can't set inner and outer ports in one SA. */
2079 2078 sadb_pfkey_error(pfkey_q, mp, EINVAL,
2080 2079 SADB_X_DIAGNOSTIC_DUAL_PORT_SETS,
2081 2080 ksi->ks_in_serial);
2082 2081 return (B_FALSE);
2083 2082 }
2084 2083
2085 2084 if (dst->sin6_family == src->sin_family)
2086 2085 return (B_TRUE);
2087 2086
2088 2087 if (srcext->sadb_address_proto != dstext->sadb_address_proto) {
2089 2088 if (srcext->sadb_address_proto == 0) {
2090 2089 srcext->sadb_address_proto = dstext->sadb_address_proto;
2091 2090 } else if (dstext->sadb_address_proto == 0) {
2092 2091 dstext->sadb_address_proto = srcext->sadb_address_proto;
2093 2092 } else {
2094 2093 /* Inequal protocols, neither were 0. Report error. */
2095 2094 sadb_pfkey_error(pfkey_q, mp, EINVAL,
2096 2095 SADB_X_DIAGNOSTIC_PROTO_MISMATCH,
2097 2096 ksi->ks_in_serial);
2098 2097 return (B_FALSE);
2099 2098 }
2100 2099 }
2101 2100
2102 2101 /*
2103 2102 * With the exception of an unspec IPv6 source and an IPv4
2104 2103 * destination, address families MUST me matched.
2105 2104 */
2106 2105 if (src->sin_family == AF_INET ||
2107 2106 ksi->ks_in_srctype != KS_IN_ADDR_UNSPEC) {
2108 2107 sadb_pfkey_error(pfkey_q, mp, EINVAL,
2109 2108 SADB_X_DIAGNOSTIC_AF_MISMATCH, ksi->ks_in_serial);
2110 2109 return (B_FALSE);
2111 2110 }
2112 2111
2113 2112 /*
2114 2113 * Convert "src" to AF_INET INADDR_ANY. We rely on sin_port being
2115 2114 * in the same place for sockaddr_in and sockaddr_in6.
2116 2115 */
2117 2116 sport = src->sin_port;
2118 2117 bzero(src, sizeof (*src));
2119 2118 src->sin_family = AF_INET;
2120 2119 src->sin_port = sport;
2121 2120
2122 2121 return (B_TRUE);
2123 2122 }
2124 2123
2125 2124 /*
2126 2125 * Set the results in "addrtype", given an IRE as requested by
2127 2126 * sadb_addrcheck().
2128 2127 */
2129 2128 int
2130 2129 sadb_addrset(ire_t *ire)
2131 2130 {
2132 2131 if ((ire->ire_type & IRE_BROADCAST) ||
2133 2132 (ire->ire_ipversion == IPV4_VERSION && CLASSD(ire->ire_addr)) ||
2134 2133 (ire->ire_ipversion == IPV6_VERSION &&
2135 2134 IN6_IS_ADDR_MULTICAST(&(ire->ire_addr_v6))))
2136 2135 return (KS_IN_ADDR_MBCAST);
2137 2136 if (ire->ire_type & (IRE_LOCAL | IRE_LOOPBACK))
2138 2137 return (KS_IN_ADDR_ME);
2139 2138 return (KS_IN_ADDR_NOTME);
2140 2139 }
2141 2140
2142 2141 /*
2143 2142 * Match primitives..
2144 2143 * !!! TODO: short term: inner selectors
2145 2144 * ipv6 scope id (ifindex)
2146 2145 * longer term: zone id. sensitivity label. uid.
2147 2146 */
2148 2147 boolean_t
2149 2148 sadb_match_spi(ipsa_query_t *sq, ipsa_t *sa)
2150 2149 {
2151 2150 return (sq->spi == sa->ipsa_spi);
2152 2151 }
2153 2152
2154 2153 boolean_t
2155 2154 sadb_match_dst_v6(ipsa_query_t *sq, ipsa_t *sa)
2156 2155 {
2157 2156 return (IPSA_ARE_ADDR_EQUAL(sa->ipsa_dstaddr, sq->dstaddr, AF_INET6));
2158 2157 }
2159 2158
2160 2159 boolean_t
2161 2160 sadb_match_src_v6(ipsa_query_t *sq, ipsa_t *sa)
2162 2161 {
2163 2162 return (IPSA_ARE_ADDR_EQUAL(sa->ipsa_srcaddr, sq->srcaddr, AF_INET6));
2164 2163 }
2165 2164
2166 2165 boolean_t
2167 2166 sadb_match_dst_v4(ipsa_query_t *sq, ipsa_t *sa)
2168 2167 {
2169 2168 return (sq->dstaddr[0] == sa->ipsa_dstaddr[0]);
2170 2169 }
2171 2170
2172 2171 boolean_t
2173 2172 sadb_match_src_v4(ipsa_query_t *sq, ipsa_t *sa)
2174 2173 {
2175 2174 return (sq->srcaddr[0] == sa->ipsa_srcaddr[0]);
2176 2175 }
2177 2176
2178 2177 boolean_t
2179 2178 sadb_match_dstid(ipsa_query_t *sq, ipsa_t *sa)
2180 2179 {
2181 2180 return ((sa->ipsa_dst_cid != NULL) &&
2182 2181 (sq->didtype == sa->ipsa_dst_cid->ipsid_type) &&
2183 2182 (strcmp(sq->didstr, sa->ipsa_dst_cid->ipsid_cid) == 0));
2184 2183
2185 2184 }
2186 2185 boolean_t
2187 2186 sadb_match_srcid(ipsa_query_t *sq, ipsa_t *sa)
2188 2187 {
2189 2188 return ((sa->ipsa_src_cid != NULL) &&
2190 2189 (sq->sidtype == sa->ipsa_src_cid->ipsid_type) &&
2191 2190 (strcmp(sq->sidstr, sa->ipsa_src_cid->ipsid_cid) == 0));
2192 2191 }
2193 2192
2194 2193 boolean_t
2195 2194 sadb_match_kmc(ipsa_query_t *sq, ipsa_t *sa)
2196 2195 {
2197 2196 #define M(a, b) (((a) == 0) || ((b) == 0) || ((a) == (b)))
2198 2197
2199 2198 return (M(sq->kmc, sa->ipsa_kmc) && M(sq->kmp, sa->ipsa_kmp));
2200 2199
2201 2200 #undef M
2202 2201 }
2203 2202
2204 2203 /*
2205 2204 * Common function which extracts several PF_KEY extensions for ease of
2206 2205 * SADB matching.
2207 2206 *
2208 2207 * XXX TODO: weed out ipsa_query_t fields not used during matching
2209 2208 * or afterwards?
2210 2209 */
2211 2210 int
2212 2211 sadb_form_query(keysock_in_t *ksi, uint32_t req, uint32_t match,
2213 2212 ipsa_query_t *sq, int *diagnostic)
2214 2213 {
2215 2214 int i;
2216 2215 ipsa_match_fn_t *mfpp = &(sq->matchers[0]);
2217 2216
2218 2217 for (i = 0; i < IPSA_NMATCH; i++)
2219 2218 sq->matchers[i] = NULL;
2220 2219
2221 2220 ASSERT((req & ~match) == 0);
2222 2221
2223 2222 sq->req = req;
2224 2223 sq->dstext = (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_DST];
2225 2224 sq->srcext = (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_SRC];
2226 2225 sq->assoc = (sadb_sa_t *)ksi->ks_in_extv[SADB_EXT_SA];
2227 2226
2228 2227 if ((req & IPSA_Q_DST) && (sq->dstext == NULL)) {
2229 2228 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_DST;
2230 2229 return (EINVAL);
2231 2230 }
2232 2231 if ((req & IPSA_Q_SRC) && (sq->srcext == NULL)) {
2233 2232 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_SRC;
2234 2233 return (EINVAL);
2235 2234 }
2236 2235 if ((req & IPSA_Q_SA) && (sq->assoc == NULL)) {
2237 2236 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_SA;
2238 2237 return (EINVAL);
2239 2238 }
2240 2239
2241 2240 if (match & IPSA_Q_SA) {
2242 2241 *mfpp++ = sadb_match_spi;
2243 2242 sq->spi = sq->assoc->sadb_sa_spi;
2244 2243 }
2245 2244
2246 2245 if (sq->dstext != NULL)
2247 2246 sq->dst = (struct sockaddr_in *)(sq->dstext + 1);
2248 2247 else {
2249 2248 sq->dst = NULL;
2250 2249 sq->dst6 = NULL;
2251 2250 sq->dstaddr = NULL;
2252 2251 }
2253 2252
2254 2253 if (sq->srcext != NULL)
2255 2254 sq->src = (struct sockaddr_in *)(sq->srcext + 1);
2256 2255 else {
2257 2256 sq->src = NULL;
2258 2257 sq->src6 = NULL;
2259 2258 sq->srcaddr = NULL;
2260 2259 }
2261 2260
2262 2261 if (sq->dst != NULL)
2263 2262 sq->af = sq->dst->sin_family;
2264 2263 else if (sq->src != NULL)
2265 2264 sq->af = sq->src->sin_family;
2266 2265 else
2267 2266 sq->af = AF_INET;
2268 2267
2269 2268 if (sq->af == AF_INET6) {
2270 2269 if ((match & IPSA_Q_DST) && (sq->dstext != NULL)) {
2271 2270 *mfpp++ = sadb_match_dst_v6;
2272 2271 sq->dst6 = (struct sockaddr_in6 *)sq->dst;
2273 2272 sq->dstaddr = (uint32_t *)&(sq->dst6->sin6_addr);
2274 2273 } else {
2275 2274 match &= ~IPSA_Q_DST;
2276 2275 sq->dstaddr = ALL_ZEROES_PTR;
2277 2276 }
2278 2277
2279 2278 if ((match & IPSA_Q_SRC) && (sq->srcext != NULL)) {
2280 2279 sq->src6 = (struct sockaddr_in6 *)(sq->srcext + 1);
2281 2280 sq->srcaddr = (uint32_t *)&sq->src6->sin6_addr;
2282 2281 if (sq->src6->sin6_family != AF_INET6) {
2283 2282 *diagnostic = SADB_X_DIAGNOSTIC_AF_MISMATCH;
2284 2283 return (EINVAL);
2285 2284 }
2286 2285 *mfpp++ = sadb_match_src_v6;
2287 2286 } else {
2288 2287 match &= ~IPSA_Q_SRC;
2289 2288 sq->srcaddr = ALL_ZEROES_PTR;
2290 2289 }
2291 2290 } else {
2292 2291 sq->src6 = sq->dst6 = NULL;
2293 2292 if ((match & IPSA_Q_DST) && (sq->dstext != NULL)) {
2294 2293 *mfpp++ = sadb_match_dst_v4;
2295 2294 sq->dstaddr = (uint32_t *)&sq->dst->sin_addr;
2296 2295 } else {
2297 2296 match &= ~IPSA_Q_DST;
2298 2297 sq->dstaddr = ALL_ZEROES_PTR;
2299 2298 }
2300 2299 if ((match & IPSA_Q_SRC) && (sq->srcext != NULL)) {
2301 2300 sq->srcaddr = (uint32_t *)&sq->src->sin_addr;
2302 2301 if (sq->src->sin_family != AF_INET) {
2303 2302 *diagnostic = SADB_X_DIAGNOSTIC_AF_MISMATCH;
2304 2303 return (EINVAL);
2305 2304 }
2306 2305 *mfpp++ = sadb_match_src_v4;
2307 2306 } else {
2308 2307 match &= ~IPSA_Q_SRC;
2309 2308 sq->srcaddr = ALL_ZEROES_PTR;
2310 2309 }
2311 2310 }
2312 2311
2313 2312 sq->dstid = (sadb_ident_t *)ksi->ks_in_extv[SADB_EXT_IDENTITY_DST];
2314 2313 if ((match & IPSA_Q_DSTID) && (sq->dstid != NULL)) {
2315 2314 sq->didstr = (char *)(sq->dstid + 1);
2316 2315 sq->didtype = sq->dstid->sadb_ident_type;
2317 2316 *mfpp++ = sadb_match_dstid;
2318 2317 }
2319 2318
2320 2319 sq->srcid = (sadb_ident_t *)ksi->ks_in_extv[SADB_EXT_IDENTITY_SRC];
2321 2320
2322 2321 if ((match & IPSA_Q_SRCID) && (sq->srcid != NULL)) {
|
↓ open down ↓ |
1250 lines elided |
↑ open up ↑ |
2323 2322 sq->sidstr = (char *)(sq->srcid + 1);
2324 2323 sq->sidtype = sq->srcid->sadb_ident_type;
2325 2324 *mfpp++ = sadb_match_srcid;
2326 2325 }
2327 2326
2328 2327 sq->kmcext = (sadb_x_kmc_t *)ksi->ks_in_extv[SADB_X_EXT_KM_COOKIE];
2329 2328 sq->kmc = 0;
2330 2329 sq->kmp = 0;
2331 2330
2332 2331 if ((match & IPSA_Q_KMC) && (sq->kmcext)) {
2333 - sq->kmc = sq->kmcext->sadb_x_kmc_cookie;
2334 2332 sq->kmp = sq->kmcext->sadb_x_kmc_proto;
2333 + /* Be liberal in what we receive. Special-case IKEv1. */
2334 + if (sq->kmp == SADB_X_KMP_IKE) {
2335 + /* Just in case in.iked is misbehaving... */
2336 + sq->kmcext->sadb_x_kmc_reserved = 0;
2337 + }
2338 + sq->kmc = sq->kmcext->sadb_x_kmc_cookie64;
2335 2339 *mfpp++ = sadb_match_kmc;
2336 2340 }
2337 2341
2338 2342 if (match & (IPSA_Q_INBOUND|IPSA_Q_OUTBOUND)) {
2339 2343 if (sq->af == AF_INET6)
2340 2344 sq->sp = &sq->spp->s_v6;
2341 2345 else
2342 2346 sq->sp = &sq->spp->s_v4;
2343 2347 } else {
2344 2348 sq->sp = NULL;
2345 2349 }
2346 2350
2347 2351 if (match & IPSA_Q_INBOUND) {
2348 2352 sq->inhash = INBOUND_HASH(sq->sp, sq->assoc->sadb_sa_spi);
2349 2353 sq->inbound = &sq->sp->sdb_if[sq->inhash];
2350 2354 } else {
2351 2355 sq->inhash = 0;
2352 2356 sq->inbound = NULL;
2353 2357 }
2354 2358
2355 2359 if (match & IPSA_Q_OUTBOUND) {
2356 2360 if (sq->af == AF_INET6) {
2357 2361 sq->outhash = OUTBOUND_HASH_V6(sq->sp, *(sq->dstaddr));
2358 2362 } else {
2359 2363 sq->outhash = OUTBOUND_HASH_V4(sq->sp, *(sq->dstaddr));
2360 2364 }
2361 2365 sq->outbound = &sq->sp->sdb_of[sq->outhash];
2362 2366 } else {
2363 2367 sq->outhash = 0;
2364 2368 sq->outbound = NULL;
2365 2369 }
2366 2370 sq->match = match;
2367 2371 return (0);
2368 2372 }
2369 2373
2370 2374 /*
2371 2375 * Match an initialized query structure with a security association;
2372 2376 * return B_TRUE on a match, B_FALSE on a miss.
2373 2377 * Applies match functions set up by sadb_form_query() until one returns false.
2374 2378 */
2375 2379 boolean_t
2376 2380 sadb_match_query(ipsa_query_t *sq, ipsa_t *sa)
2377 2381 {
2378 2382 ipsa_match_fn_t *mfpp = &(sq->matchers[0]);
2379 2383 ipsa_match_fn_t mfp;
2380 2384
2381 2385 for (mfp = *mfpp++; mfp != NULL; mfp = *mfpp++) {
2382 2386 if (!mfp(sq, sa))
2383 2387 return (B_FALSE);
2384 2388 }
2385 2389 return (B_TRUE);
2386 2390 }
2387 2391
2388 2392 /*
2389 2393 * Walker callback function to delete sa's based on src/dst address.
2390 2394 * Assumes that we're called with *head locked, no other locks held;
2391 2395 * Conveniently, and not coincidentally, this is both what sadb_walker
2392 2396 * gives us and also what sadb_unlinkassoc expects.
2393 2397 */
2394 2398 struct sadb_purge_state
2395 2399 {
2396 2400 ipsa_query_t sq;
2397 2401 boolean_t inbnd;
2398 2402 uint8_t sadb_sa_state;
2399 2403 };
2400 2404
2401 2405 static void
2402 2406 sadb_purge_cb(isaf_t *head, ipsa_t *entry, void *cookie)
2403 2407 {
2404 2408 struct sadb_purge_state *ps = (struct sadb_purge_state *)cookie;
2405 2409
2406 2410 ASSERT(MUTEX_HELD(&head->isaf_lock));
2407 2411
2408 2412 mutex_enter(&entry->ipsa_lock);
2409 2413
2410 2414 if (entry->ipsa_state == IPSA_STATE_LARVAL ||
2411 2415 !sadb_match_query(&ps->sq, entry)) {
2412 2416 mutex_exit(&entry->ipsa_lock);
2413 2417 return;
2414 2418 }
2415 2419
2416 2420 if (ps->inbnd) {
2417 2421 sadb_delete_cluster(entry);
2418 2422 }
2419 2423 entry->ipsa_state = IPSA_STATE_DEAD;
2420 2424 (void) sadb_torch_assoc(head, entry);
2421 2425 }
2422 2426
2423 2427 /*
2424 2428 * Common code to purge an SA with a matching src or dst address.
2425 2429 * Don't kill larval SA's in such a purge.
2426 2430 */
2427 2431 int
2428 2432 sadb_purge_sa(mblk_t *mp, keysock_in_t *ksi, sadb_t *sp,
2429 2433 int *diagnostic, queue_t *pfkey_q)
2430 2434 {
2431 2435 struct sadb_purge_state ps;
2432 2436 int error = sadb_form_query(ksi, 0,
2433 2437 IPSA_Q_SRC|IPSA_Q_DST|IPSA_Q_SRCID|IPSA_Q_DSTID|IPSA_Q_KMC,
2434 2438 &ps.sq, diagnostic);
2435 2439
2436 2440 if (error != 0)
2437 2441 return (error);
2438 2442
2439 2443 /*
2440 2444 * This is simple, crude, and effective.
2441 2445 * Unimplemented optimizations (TBD):
2442 2446 * - we can limit how many places we search based on where we
2443 2447 * think the SA is filed.
2444 2448 * - if we get a dst address, we can hash based on dst addr to find
2445 2449 * the correct bucket in the outbound table.
2446 2450 */
2447 2451 ps.inbnd = B_TRUE;
2448 2452 sadb_walker(sp->sdb_if, sp->sdb_hashsize, sadb_purge_cb, &ps);
2449 2453 ps.inbnd = B_FALSE;
2450 2454 sadb_walker(sp->sdb_of, sp->sdb_hashsize, sadb_purge_cb, &ps);
2451 2455
2452 2456 ASSERT(mp->b_cont != NULL);
2453 2457 sadb_pfkey_echo(pfkey_q, mp, (sadb_msg_t *)mp->b_cont->b_rptr, ksi,
2454 2458 NULL);
2455 2459 return (0);
2456 2460 }
2457 2461
2458 2462 static void
2459 2463 sadb_delpair_state_one(isaf_t *head, ipsa_t *entry, void *cookie)
2460 2464 {
2461 2465 struct sadb_purge_state *ps = (struct sadb_purge_state *)cookie;
2462 2466 isaf_t *inbound_bucket;
2463 2467 ipsa_t *peer_assoc;
2464 2468 ipsa_query_t *sq = &ps->sq;
2465 2469
2466 2470 ASSERT(MUTEX_HELD(&head->isaf_lock));
2467 2471
2468 2472 mutex_enter(&entry->ipsa_lock);
2469 2473
2470 2474 if ((entry->ipsa_state != ps->sadb_sa_state) ||
2471 2475 ((sq->srcaddr != NULL) &&
2472 2476 !IPSA_ARE_ADDR_EQUAL(entry->ipsa_srcaddr, sq->srcaddr, sq->af))) {
2473 2477 mutex_exit(&entry->ipsa_lock);
2474 2478 return;
2475 2479 }
2476 2480
2477 2481 /*
2478 2482 * The isaf_t *, which is passed in , is always an outbound bucket,
2479 2483 * and we are preserving the outbound-then-inbound hash-bucket lock
2480 2484 * ordering. The sadb_walker() which triggers this function is called
2481 2485 * only on the outbound fanout, and the corresponding inbound bucket
2482 2486 * lock is safe to acquire here.
2483 2487 */
2484 2488
2485 2489 if (entry->ipsa_haspeer) {
2486 2490 inbound_bucket = INBOUND_BUCKET(sq->sp, entry->ipsa_spi);
2487 2491 mutex_enter(&inbound_bucket->isaf_lock);
2488 2492 peer_assoc = ipsec_getassocbyspi(inbound_bucket,
2489 2493 entry->ipsa_spi, entry->ipsa_srcaddr,
2490 2494 entry->ipsa_dstaddr, entry->ipsa_addrfam);
2491 2495 } else {
2492 2496 inbound_bucket = INBOUND_BUCKET(sq->sp, entry->ipsa_otherspi);
2493 2497 mutex_enter(&inbound_bucket->isaf_lock);
2494 2498 peer_assoc = ipsec_getassocbyspi(inbound_bucket,
2495 2499 entry->ipsa_otherspi, entry->ipsa_dstaddr,
2496 2500 entry->ipsa_srcaddr, entry->ipsa_addrfam);
2497 2501 }
2498 2502
2499 2503 entry->ipsa_state = IPSA_STATE_DEAD;
2500 2504 (void) sadb_torch_assoc(head, entry);
2501 2505 if (peer_assoc != NULL) {
2502 2506 mutex_enter(&peer_assoc->ipsa_lock);
2503 2507 peer_assoc->ipsa_state = IPSA_STATE_DEAD;
2504 2508 (void) sadb_torch_assoc(inbound_bucket, peer_assoc);
2505 2509 }
2506 2510 mutex_exit(&inbound_bucket->isaf_lock);
2507 2511 }
2508 2512
2509 2513 static int
2510 2514 sadb_delpair_state(mblk_t *mp, keysock_in_t *ksi, sadbp_t *spp,
2511 2515 int *diagnostic, queue_t *pfkey_q)
2512 2516 {
2513 2517 sadb_sa_t *assoc = (sadb_sa_t *)ksi->ks_in_extv[SADB_EXT_SA];
2514 2518 struct sadb_purge_state ps;
2515 2519 int error;
2516 2520
2517 2521 ps.sq.spp = spp; /* XXX param */
2518 2522
2519 2523 error = sadb_form_query(ksi, IPSA_Q_DST|IPSA_Q_SRC,
2520 2524 IPSA_Q_SRC|IPSA_Q_DST|IPSA_Q_SRCID|IPSA_Q_DSTID|IPSA_Q_KMC,
2521 2525 &ps.sq, diagnostic);
2522 2526 if (error != 0)
2523 2527 return (error);
2524 2528
2525 2529 ps.inbnd = B_FALSE;
2526 2530 ps.sadb_sa_state = assoc->sadb_sa_state;
2527 2531 sadb_walker(ps.sq.sp->sdb_of, ps.sq.sp->sdb_hashsize,
2528 2532 sadb_delpair_state_one, &ps);
2529 2533
2530 2534 ASSERT(mp->b_cont != NULL);
2531 2535 sadb_pfkey_echo(pfkey_q, mp, (sadb_msg_t *)mp->b_cont->b_rptr,
2532 2536 ksi, NULL);
2533 2537 return (0);
2534 2538 }
2535 2539
2536 2540 /*
2537 2541 * Common code to delete/get an SA.
2538 2542 */
2539 2543 int
2540 2544 sadb_delget_sa(mblk_t *mp, keysock_in_t *ksi, sadbp_t *spp,
2541 2545 int *diagnostic, queue_t *pfkey_q, uint8_t sadb_msg_type)
2542 2546 {
2543 2547 ipsa_query_t sq;
2544 2548 ipsa_t *echo_target = NULL;
2545 2549 ipsap_t ipsapp;
2546 2550 uint_t error = 0;
2547 2551
2548 2552 if (sadb_msg_type == SADB_X_DELPAIR_STATE)
2549 2553 return (sadb_delpair_state(mp, ksi, spp, diagnostic, pfkey_q));
2550 2554
2551 2555 sq.spp = spp; /* XXX param */
2552 2556 error = sadb_form_query(ksi, IPSA_Q_DST|IPSA_Q_SA,
2553 2557 IPSA_Q_SRC|IPSA_Q_DST|IPSA_Q_SA|IPSA_Q_INBOUND|IPSA_Q_OUTBOUND,
2554 2558 &sq, diagnostic);
2555 2559 if (error != 0)
2556 2560 return (error);
2557 2561
2558 2562 error = get_ipsa_pair(&sq, &ipsapp, diagnostic);
2559 2563 if (error != 0) {
2560 2564 return (error);
2561 2565 }
2562 2566
2563 2567 echo_target = ipsapp.ipsap_sa_ptr;
2564 2568 if (echo_target == NULL)
2565 2569 echo_target = ipsapp.ipsap_psa_ptr;
2566 2570
2567 2571 if (sadb_msg_type == SADB_DELETE || sadb_msg_type == SADB_X_DELPAIR) {
2568 2572 /*
2569 2573 * Bucket locks will be required if SA is actually unlinked.
2570 2574 * get_ipsa_pair() returns valid hash bucket pointers even
2571 2575 * if it can't find a pair SA pointer. To prevent a potential
2572 2576 * deadlock, always lock the outbound bucket before the inbound.
2573 2577 */
2574 2578 if (ipsapp.in_inbound_table) {
2575 2579 mutex_enter(&ipsapp.ipsap_pbucket->isaf_lock);
2576 2580 mutex_enter(&ipsapp.ipsap_bucket->isaf_lock);
2577 2581 } else {
2578 2582 mutex_enter(&ipsapp.ipsap_bucket->isaf_lock);
2579 2583 mutex_enter(&ipsapp.ipsap_pbucket->isaf_lock);
2580 2584 }
2581 2585
2582 2586 if (ipsapp.ipsap_sa_ptr != NULL) {
2583 2587 mutex_enter(&ipsapp.ipsap_sa_ptr->ipsa_lock);
2584 2588 if (ipsapp.ipsap_sa_ptr->ipsa_flags & IPSA_F_INBOUND) {
2585 2589 sadb_delete_cluster(ipsapp.ipsap_sa_ptr);
2586 2590 }
2587 2591 ipsapp.ipsap_sa_ptr->ipsa_state = IPSA_STATE_DEAD;
2588 2592 (void) sadb_torch_assoc(ipsapp.ipsap_bucket,
2589 2593 ipsapp.ipsap_sa_ptr);
2590 2594 /*
2591 2595 * sadb_torch_assoc() releases the ipsa_lock
2592 2596 * and calls sadb_unlinkassoc() which does a
2593 2597 * IPSA_REFRELE.
2594 2598 */
2595 2599 }
2596 2600 if (ipsapp.ipsap_psa_ptr != NULL) {
2597 2601 mutex_enter(&ipsapp.ipsap_psa_ptr->ipsa_lock);
2598 2602 if (sadb_msg_type == SADB_X_DELPAIR ||
2599 2603 ipsapp.ipsap_psa_ptr->ipsa_haspeer) {
2600 2604 if (ipsapp.ipsap_psa_ptr->ipsa_flags &
2601 2605 IPSA_F_INBOUND) {
2602 2606 sadb_delete_cluster
2603 2607 (ipsapp.ipsap_psa_ptr);
2604 2608 }
2605 2609 ipsapp.ipsap_psa_ptr->ipsa_state =
2606 2610 IPSA_STATE_DEAD;
2607 2611 (void) sadb_torch_assoc(ipsapp.ipsap_pbucket,
2608 2612 ipsapp.ipsap_psa_ptr);
2609 2613 } else {
2610 2614 /*
2611 2615 * Only half of the "pair" has been deleted.
2612 2616 * Update the remaining SA and remove references
2613 2617 * to its pair SA, which is now gone.
2614 2618 */
2615 2619 ipsapp.ipsap_psa_ptr->ipsa_otherspi = 0;
2616 2620 ipsapp.ipsap_psa_ptr->ipsa_flags &=
2617 2621 ~IPSA_F_PAIRED;
2618 2622 mutex_exit(&ipsapp.ipsap_psa_ptr->ipsa_lock);
2619 2623 }
2620 2624 } else if (sadb_msg_type == SADB_X_DELPAIR) {
2621 2625 *diagnostic = SADB_X_DIAGNOSTIC_PAIR_SA_NOTFOUND;
2622 2626 error = ESRCH;
2623 2627 }
2624 2628 mutex_exit(&ipsapp.ipsap_bucket->isaf_lock);
2625 2629 mutex_exit(&ipsapp.ipsap_pbucket->isaf_lock);
2626 2630 }
2627 2631
2628 2632 ASSERT(mp->b_cont != NULL);
2629 2633
2630 2634 if (error == 0)
2631 2635 sadb_pfkey_echo(pfkey_q, mp, (sadb_msg_t *)
2632 2636 mp->b_cont->b_rptr, ksi, echo_target);
2633 2637
2634 2638 destroy_ipsa_pair(&ipsapp);
2635 2639
2636 2640 return (error);
2637 2641 }
2638 2642
2639 2643 /*
2640 2644 * This function takes a sadb_sa_t and finds the ipsa_t structure
2641 2645 * and the isaf_t (hash bucket) that its stored under. If the security
2642 2646 * association has a peer, the ipsa_t structure and bucket for that security
2643 2647 * association are also searched for. The "pair" of ipsa_t's and isaf_t's
2644 2648 * are returned as a ipsap_t.
2645 2649 *
2646 2650 * The hash buckets are returned for convenience, if the calling function
2647 2651 * needs to use the hash bucket locks, say to remove the SA's, it should
2648 2652 * take care to observe the convention of locking outbound bucket then
2649 2653 * inbound bucket. The flag in_inbound_table provides direction.
2650 2654 *
2651 2655 * Note that a "pair" is defined as one (but not both) of the following:
2652 2656 *
2653 2657 * A security association which has a soft reference to another security
2654 2658 * association via its SPI.
2655 2659 *
2656 2660 * A security association that is not obviously "inbound" or "outbound" so
2657 2661 * it appears in both hash tables, the "peer" being the same security
2658 2662 * association in the other hash table.
2659 2663 *
2660 2664 * This function will return NULL if the ipsa_t can't be found in the
2661 2665 * inbound or outbound hash tables (not found). If only one ipsa_t is
2662 2666 * found, the pair ipsa_t will be NULL. Both isaf_t values are valid
2663 2667 * provided at least one ipsa_t is found.
2664 2668 */
2665 2669 static int
2666 2670 get_ipsa_pair(ipsa_query_t *sq, ipsap_t *ipsapp, int *diagnostic)
2667 2671 {
2668 2672 uint32_t pair_srcaddr[IPSA_MAX_ADDRLEN];
2669 2673 uint32_t pair_dstaddr[IPSA_MAX_ADDRLEN];
2670 2674 uint32_t pair_spi;
2671 2675
2672 2676 init_ipsa_pair(ipsapp);
2673 2677
2674 2678 ipsapp->in_inbound_table = B_FALSE;
2675 2679
2676 2680 /* Lock down both buckets. */
2677 2681 mutex_enter(&sq->outbound->isaf_lock);
2678 2682 mutex_enter(&sq->inbound->isaf_lock);
2679 2683
2680 2684 if (sq->assoc->sadb_sa_flags & IPSA_F_INBOUND) {
2681 2685 ipsapp->ipsap_sa_ptr = ipsec_getassocbyspi(sq->inbound,
2682 2686 sq->assoc->sadb_sa_spi, sq->srcaddr, sq->dstaddr, sq->af);
2683 2687 if (ipsapp->ipsap_sa_ptr != NULL) {
2684 2688 ipsapp->ipsap_bucket = sq->inbound;
2685 2689 ipsapp->ipsap_pbucket = sq->outbound;
2686 2690 ipsapp->in_inbound_table = B_TRUE;
2687 2691 } else {
2688 2692 ipsapp->ipsap_sa_ptr = ipsec_getassocbyspi(sq->outbound,
2689 2693 sq->assoc->sadb_sa_spi, sq->srcaddr, sq->dstaddr,
2690 2694 sq->af);
2691 2695 ipsapp->ipsap_bucket = sq->outbound;
2692 2696 ipsapp->ipsap_pbucket = sq->inbound;
2693 2697 }
2694 2698 } else {
2695 2699 /* IPSA_F_OUTBOUND is set *or* no directions flags set. */
2696 2700 ipsapp->ipsap_sa_ptr =
2697 2701 ipsec_getassocbyspi(sq->outbound,
2698 2702 sq->assoc->sadb_sa_spi, sq->srcaddr, sq->dstaddr, sq->af);
2699 2703 if (ipsapp->ipsap_sa_ptr != NULL) {
2700 2704 ipsapp->ipsap_bucket = sq->outbound;
2701 2705 ipsapp->ipsap_pbucket = sq->inbound;
2702 2706 } else {
2703 2707 ipsapp->ipsap_sa_ptr = ipsec_getassocbyspi(sq->inbound,
2704 2708 sq->assoc->sadb_sa_spi, sq->srcaddr, sq->dstaddr,
2705 2709 sq->af);
2706 2710 ipsapp->ipsap_bucket = sq->inbound;
2707 2711 ipsapp->ipsap_pbucket = sq->outbound;
2708 2712 if (ipsapp->ipsap_sa_ptr != NULL)
2709 2713 ipsapp->in_inbound_table = B_TRUE;
2710 2714 }
2711 2715 }
2712 2716
2713 2717 if (ipsapp->ipsap_sa_ptr == NULL) {
2714 2718 mutex_exit(&sq->outbound->isaf_lock);
2715 2719 mutex_exit(&sq->inbound->isaf_lock);
2716 2720 *diagnostic = SADB_X_DIAGNOSTIC_SA_NOTFOUND;
2717 2721 return (ESRCH);
2718 2722 }
2719 2723
2720 2724 if ((ipsapp->ipsap_sa_ptr->ipsa_state == IPSA_STATE_LARVAL) &&
2721 2725 ipsapp->in_inbound_table) {
2722 2726 mutex_exit(&sq->outbound->isaf_lock);
2723 2727 mutex_exit(&sq->inbound->isaf_lock);
2724 2728 return (0);
2725 2729 }
2726 2730
2727 2731 mutex_enter(&ipsapp->ipsap_sa_ptr->ipsa_lock);
2728 2732 if (ipsapp->ipsap_sa_ptr->ipsa_haspeer) {
2729 2733 /*
2730 2734 * haspeer implies no sa_pairing, look for same spi
2731 2735 * in other hashtable.
2732 2736 */
2733 2737 ipsapp->ipsap_psa_ptr =
2734 2738 ipsec_getassocbyspi(ipsapp->ipsap_pbucket,
2735 2739 sq->assoc->sadb_sa_spi, sq->srcaddr, sq->dstaddr, sq->af);
2736 2740 mutex_exit(&ipsapp->ipsap_sa_ptr->ipsa_lock);
2737 2741 mutex_exit(&sq->outbound->isaf_lock);
2738 2742 mutex_exit(&sq->inbound->isaf_lock);
2739 2743 return (0);
2740 2744 }
2741 2745 pair_spi = ipsapp->ipsap_sa_ptr->ipsa_otherspi;
2742 2746 IPSA_COPY_ADDR(&pair_srcaddr,
2743 2747 ipsapp->ipsap_sa_ptr->ipsa_srcaddr, sq->af);
2744 2748 IPSA_COPY_ADDR(&pair_dstaddr,
2745 2749 ipsapp->ipsap_sa_ptr->ipsa_dstaddr, sq->af);
2746 2750 mutex_exit(&ipsapp->ipsap_sa_ptr->ipsa_lock);
2747 2751 mutex_exit(&sq->inbound->isaf_lock);
2748 2752 mutex_exit(&sq->outbound->isaf_lock);
2749 2753
2750 2754 if (pair_spi == 0) {
2751 2755 ASSERT(ipsapp->ipsap_bucket != NULL);
2752 2756 ASSERT(ipsapp->ipsap_pbucket != NULL);
2753 2757 return (0);
2754 2758 }
2755 2759
2756 2760 /* found sa in outbound sadb, peer should be inbound */
2757 2761
2758 2762 if (ipsapp->in_inbound_table) {
2759 2763 /* Found SA in inbound table, pair will be in outbound. */
2760 2764 if (sq->af == AF_INET6) {
2761 2765 ipsapp->ipsap_pbucket = OUTBOUND_BUCKET_V6(sq->sp,
2762 2766 *(uint32_t *)pair_srcaddr);
2763 2767 } else {
2764 2768 ipsapp->ipsap_pbucket = OUTBOUND_BUCKET_V4(sq->sp,
2765 2769 *(uint32_t *)pair_srcaddr);
2766 2770 }
2767 2771 } else {
2768 2772 ipsapp->ipsap_pbucket = INBOUND_BUCKET(sq->sp, pair_spi);
2769 2773 }
2770 2774 mutex_enter(&ipsapp->ipsap_pbucket->isaf_lock);
2771 2775 ipsapp->ipsap_psa_ptr = ipsec_getassocbyspi(ipsapp->ipsap_pbucket,
2772 2776 pair_spi, pair_dstaddr, pair_srcaddr, sq->af);
2773 2777 mutex_exit(&ipsapp->ipsap_pbucket->isaf_lock);
2774 2778 ASSERT(ipsapp->ipsap_bucket != NULL);
2775 2779 ASSERT(ipsapp->ipsap_pbucket != NULL);
2776 2780 return (0);
2777 2781 }
2778 2782
2779 2783 /*
2780 2784 * Perform NAT-traversal cached checksum offset calculations here.
2781 2785 */
2782 2786 static void
2783 2787 sadb_nat_calculations(ipsa_t *newbie, sadb_address_t *natt_loc_ext,
2784 2788 sadb_address_t *natt_rem_ext, uint32_t *src_addr_ptr,
2785 2789 uint32_t *dst_addr_ptr)
2786 2790 {
2787 2791 struct sockaddr_in *natt_loc, *natt_rem;
2788 2792 uint32_t *natt_loc_ptr = NULL, *natt_rem_ptr = NULL;
2789 2793 uint32_t running_sum = 0;
2790 2794
2791 2795 #define DOWN_SUM(x) (x) = ((x) & 0xFFFF) + ((x) >> 16)
2792 2796
2793 2797 if (natt_rem_ext != NULL) {
2794 2798 uint32_t l_src;
2795 2799 uint32_t l_rem;
2796 2800
2797 2801 natt_rem = (struct sockaddr_in *)(natt_rem_ext + 1);
2798 2802
2799 2803 /* Ensured by sadb_addrfix(). */
2800 2804 ASSERT(natt_rem->sin_family == AF_INET);
2801 2805
2802 2806 natt_rem_ptr = (uint32_t *)(&natt_rem->sin_addr);
2803 2807 newbie->ipsa_remote_nat_port = natt_rem->sin_port;
2804 2808 l_src = *src_addr_ptr;
2805 2809 l_rem = *natt_rem_ptr;
2806 2810
2807 2811 /* Instead of IPSA_COPY_ADDR(), just copy first 32 bits. */
2808 2812 newbie->ipsa_natt_addr_rem = *natt_rem_ptr;
2809 2813
2810 2814 l_src = ntohl(l_src);
2811 2815 DOWN_SUM(l_src);
2812 2816 DOWN_SUM(l_src);
2813 2817 l_rem = ntohl(l_rem);
2814 2818 DOWN_SUM(l_rem);
2815 2819 DOWN_SUM(l_rem);
2816 2820
2817 2821 /*
2818 2822 * We're 1's complement for checksums, so check for wraparound
2819 2823 * here.
2820 2824 */
2821 2825 if (l_rem > l_src)
2822 2826 l_src--;
2823 2827
2824 2828 running_sum += l_src - l_rem;
2825 2829
2826 2830 DOWN_SUM(running_sum);
2827 2831 DOWN_SUM(running_sum);
2828 2832 }
2829 2833
2830 2834 if (natt_loc_ext != NULL) {
2831 2835 natt_loc = (struct sockaddr_in *)(natt_loc_ext + 1);
2832 2836
2833 2837 /* Ensured by sadb_addrfix(). */
2834 2838 ASSERT(natt_loc->sin_family == AF_INET);
2835 2839
2836 2840 natt_loc_ptr = (uint32_t *)(&natt_loc->sin_addr);
2837 2841 newbie->ipsa_local_nat_port = natt_loc->sin_port;
2838 2842
2839 2843 /* Instead of IPSA_COPY_ADDR(), just copy first 32 bits. */
2840 2844 newbie->ipsa_natt_addr_loc = *natt_loc_ptr;
2841 2845
2842 2846 /*
2843 2847 * NAT-T port agility means we may have natt_loc_ext, but
2844 2848 * only for a local-port change.
2845 2849 */
2846 2850 if (natt_loc->sin_addr.s_addr != INADDR_ANY) {
2847 2851 uint32_t l_dst = ntohl(*dst_addr_ptr);
2848 2852 uint32_t l_loc = ntohl(*natt_loc_ptr);
2849 2853
2850 2854 DOWN_SUM(l_loc);
2851 2855 DOWN_SUM(l_loc);
2852 2856 DOWN_SUM(l_dst);
2853 2857 DOWN_SUM(l_dst);
2854 2858
2855 2859 /*
2856 2860 * We're 1's complement for checksums, so check for
2857 2861 * wraparound here.
2858 2862 */
2859 2863 if (l_loc > l_dst)
2860 2864 l_dst--;
2861 2865
2862 2866 running_sum += l_dst - l_loc;
2863 2867 DOWN_SUM(running_sum);
2864 2868 DOWN_SUM(running_sum);
2865 2869 }
2866 2870 }
2867 2871
2868 2872 newbie->ipsa_inbound_cksum = running_sum;
2869 2873 #undef DOWN_SUM
2870 2874 }
2871 2875
2872 2876 /*
2873 2877 * This function is called from consumers that need to insert a fully-grown
2874 2878 * security association into its tables. This function takes into account that
2875 2879 * SAs can be "inbound", "outbound", or "both". The "primary" and "secondary"
2876 2880 * hash bucket parameters are set in order of what the SA will be most of the
2877 2881 * time. (For example, an SA with an unspecified source, and a multicast
2878 2882 * destination will primarily be an outbound SA. OTOH, if that destination
2879 2883 * is unicast for this node, then the SA will primarily be inbound.)
2880 2884 *
2881 2885 * It takes a lot of parameters because even if clone is B_FALSE, this needs
2882 2886 * to check both buckets for purposes of collision.
2883 2887 *
2884 2888 * Return 0 upon success. Return various errnos (ENOMEM, EEXIST) for
2885 2889 * various error conditions. We may need to set samsg->sadb_x_msg_diagnostic
2886 2890 * with additional diagnostic information because there is at least one EINVAL
2887 2891 * case here.
2888 2892 */
2889 2893 int
2890 2894 sadb_common_add(queue_t *pfkey_q, mblk_t *mp, sadb_msg_t *samsg,
2891 2895 keysock_in_t *ksi, isaf_t *primary, isaf_t *secondary,
2892 2896 ipsa_t *newbie, boolean_t clone, boolean_t is_inbound, int *diagnostic,
2893 2897 netstack_t *ns, sadbp_t *spp)
2894 2898 {
2895 2899 ipsa_t *newbie_clone = NULL, *scratch;
2896 2900 ipsap_t ipsapp;
2897 2901 sadb_sa_t *assoc = (sadb_sa_t *)ksi->ks_in_extv[SADB_EXT_SA];
2898 2902 sadb_address_t *srcext =
2899 2903 (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_SRC];
2900 2904 sadb_address_t *dstext =
2901 2905 (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_DST];
2902 2906 sadb_address_t *isrcext =
2903 2907 (sadb_address_t *)ksi->ks_in_extv[SADB_X_EXT_ADDRESS_INNER_SRC];
2904 2908 sadb_address_t *idstext =
2905 2909 (sadb_address_t *)ksi->ks_in_extv[SADB_X_EXT_ADDRESS_INNER_DST];
2906 2910 sadb_x_kmc_t *kmcext =
2907 2911 (sadb_x_kmc_t *)ksi->ks_in_extv[SADB_X_EXT_KM_COOKIE];
2908 2912 sadb_key_t *akey = (sadb_key_t *)ksi->ks_in_extv[SADB_EXT_KEY_AUTH];
2909 2913 sadb_key_t *ekey = (sadb_key_t *)ksi->ks_in_extv[SADB_EXT_KEY_ENCRYPT];
2910 2914 sadb_sens_t *sens =
2911 2915 (sadb_sens_t *)ksi->ks_in_extv[SADB_EXT_SENSITIVITY];
2912 2916 sadb_sens_t *osens =
2913 2917 (sadb_sens_t *)ksi->ks_in_extv[SADB_X_EXT_OUTER_SENS];
2914 2918 sadb_x_pair_t *pair_ext =
2915 2919 (sadb_x_pair_t *)ksi->ks_in_extv[SADB_X_EXT_PAIR];
2916 2920 sadb_x_replay_ctr_t *replayext =
2917 2921 (sadb_x_replay_ctr_t *)ksi->ks_in_extv[SADB_X_EXT_REPLAY_VALUE];
2918 2922 uint8_t protocol =
2919 2923 (samsg->sadb_msg_satype == SADB_SATYPE_AH) ? IPPROTO_AH:IPPROTO_ESP;
2920 2924 int salt_offset;
2921 2925 uint8_t *buf_ptr;
2922 2926 struct sockaddr_in *src, *dst, *isrc, *idst;
2923 2927 struct sockaddr_in6 *src6, *dst6, *isrc6, *idst6;
2924 2928 sadb_lifetime_t *soft =
2925 2929 (sadb_lifetime_t *)ksi->ks_in_extv[SADB_EXT_LIFETIME_SOFT];
2926 2930 sadb_lifetime_t *hard =
2927 2931 (sadb_lifetime_t *)ksi->ks_in_extv[SADB_EXT_LIFETIME_HARD];
2928 2932 sadb_lifetime_t *idle =
2929 2933 (sadb_lifetime_t *)ksi->ks_in_extv[SADB_X_EXT_LIFETIME_IDLE];
2930 2934 sa_family_t af;
2931 2935 int error = 0;
2932 2936 boolean_t isupdate = (newbie != NULL);
2933 2937 uint32_t *src_addr_ptr, *dst_addr_ptr, *isrc_addr_ptr, *idst_addr_ptr;
2934 2938 ipsec_stack_t *ipss = ns->netstack_ipsec;
2935 2939 ip_stack_t *ipst = ns->netstack_ip;
2936 2940 ipsec_alginfo_t *alg;
2937 2941 int rcode;
2938 2942 boolean_t async = B_FALSE;
2939 2943
2940 2944 init_ipsa_pair(&ipsapp);
2941 2945
2942 2946 if (srcext == NULL) {
2943 2947 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_SRC;
2944 2948 return (EINVAL);
2945 2949 }
2946 2950 if (dstext == NULL) {
2947 2951 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_DST;
2948 2952 return (EINVAL);
2949 2953 }
2950 2954 if (assoc == NULL) {
2951 2955 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_SA;
2952 2956 return (EINVAL);
2953 2957 }
2954 2958
2955 2959 src = (struct sockaddr_in *)(srcext + 1);
2956 2960 src6 = (struct sockaddr_in6 *)(srcext + 1);
2957 2961 dst = (struct sockaddr_in *)(dstext + 1);
2958 2962 dst6 = (struct sockaddr_in6 *)(dstext + 1);
2959 2963 if (isrcext != NULL) {
2960 2964 isrc = (struct sockaddr_in *)(isrcext + 1);
2961 2965 isrc6 = (struct sockaddr_in6 *)(isrcext + 1);
2962 2966 ASSERT(idstext != NULL);
2963 2967 idst = (struct sockaddr_in *)(idstext + 1);
2964 2968 idst6 = (struct sockaddr_in6 *)(idstext + 1);
2965 2969 } else {
2966 2970 isrc = NULL;
2967 2971 isrc6 = NULL;
2968 2972 }
2969 2973
2970 2974 af = src->sin_family;
2971 2975
2972 2976 if (af == AF_INET) {
2973 2977 src_addr_ptr = (uint32_t *)&src->sin_addr;
2974 2978 dst_addr_ptr = (uint32_t *)&dst->sin_addr;
2975 2979 } else {
2976 2980 ASSERT(af == AF_INET6);
2977 2981 src_addr_ptr = (uint32_t *)&src6->sin6_addr;
2978 2982 dst_addr_ptr = (uint32_t *)&dst6->sin6_addr;
2979 2983 }
2980 2984
2981 2985 if (!isupdate && (clone == B_TRUE || is_inbound == B_TRUE) &&
2982 2986 cl_inet_checkspi &&
2983 2987 (assoc->sadb_sa_state != SADB_X_SASTATE_ACTIVE_ELSEWHERE)) {
2984 2988 rcode = cl_inet_checkspi(ns->netstack_stackid, protocol,
2985 2989 assoc->sadb_sa_spi, NULL);
2986 2990 if (rcode == -1) {
2987 2991 return (EEXIST);
2988 2992 }
2989 2993 }
2990 2994
2991 2995 /*
2992 2996 * Check to see if the new SA will be cloned AND paired. The
2993 2997 * reason a SA will be cloned is the source or destination addresses
2994 2998 * are not specific enough to determine if the SA goes in the outbound
2995 2999 * or the inbound hash table, so its cloned and put in both. If
2996 3000 * the SA is paired, it's soft linked to another SA for the other
2997 3001 * direction. Keeping track and looking up SA's that are direction
2998 3002 * unspecific and linked is too hard.
2999 3003 */
3000 3004 if (clone && (pair_ext != NULL)) {
3001 3005 *diagnostic = SADB_X_DIAGNOSTIC_PAIR_INAPPROPRIATE;
3002 3006 return (EINVAL);
3003 3007 }
3004 3008
3005 3009 if (!isupdate) {
3006 3010 newbie = sadb_makelarvalassoc(assoc->sadb_sa_spi,
3007 3011 src_addr_ptr, dst_addr_ptr, af, ns);
3008 3012 if (newbie == NULL)
3009 3013 return (ENOMEM);
3010 3014 }
3011 3015
3012 3016 mutex_enter(&newbie->ipsa_lock);
3013 3017
3014 3018 if (isrc != NULL) {
3015 3019 if (isrc->sin_family == AF_INET) {
3016 3020 if (srcext->sadb_address_proto != IPPROTO_ENCAP) {
3017 3021 if (srcext->sadb_address_proto != 0) {
3018 3022 /*
3019 3023 * Mismatched outer-packet protocol
3020 3024 * and inner-packet address family.
3021 3025 */
3022 3026 mutex_exit(&newbie->ipsa_lock);
3023 3027 error = EPROTOTYPE;
3024 3028 *diagnostic =
3025 3029 SADB_X_DIAGNOSTIC_INNER_AF_MISMATCH;
3026 3030 goto error;
3027 3031 } else {
3028 3032 /* Fill in with explicit protocol. */
3029 3033 srcext->sadb_address_proto =
3030 3034 IPPROTO_ENCAP;
3031 3035 dstext->sadb_address_proto =
3032 3036 IPPROTO_ENCAP;
3033 3037 }
3034 3038 }
3035 3039 isrc_addr_ptr = (uint32_t *)&isrc->sin_addr;
3036 3040 idst_addr_ptr = (uint32_t *)&idst->sin_addr;
3037 3041 } else {
3038 3042 ASSERT(isrc->sin_family == AF_INET6);
3039 3043 if (srcext->sadb_address_proto != IPPROTO_IPV6) {
3040 3044 if (srcext->sadb_address_proto != 0) {
3041 3045 /*
3042 3046 * Mismatched outer-packet protocol
3043 3047 * and inner-packet address family.
3044 3048 */
3045 3049 mutex_exit(&newbie->ipsa_lock);
3046 3050 error = EPROTOTYPE;
3047 3051 *diagnostic =
3048 3052 SADB_X_DIAGNOSTIC_INNER_AF_MISMATCH;
3049 3053 goto error;
3050 3054 } else {
3051 3055 /* Fill in with explicit protocol. */
3052 3056 srcext->sadb_address_proto =
3053 3057 IPPROTO_IPV6;
3054 3058 dstext->sadb_address_proto =
3055 3059 IPPROTO_IPV6;
3056 3060 }
3057 3061 }
3058 3062 isrc_addr_ptr = (uint32_t *)&isrc6->sin6_addr;
3059 3063 idst_addr_ptr = (uint32_t *)&idst6->sin6_addr;
3060 3064 }
3061 3065 newbie->ipsa_innerfam = isrc->sin_family;
3062 3066
3063 3067 IPSA_COPY_ADDR(newbie->ipsa_innersrc, isrc_addr_ptr,
3064 3068 newbie->ipsa_innerfam);
3065 3069 IPSA_COPY_ADDR(newbie->ipsa_innerdst, idst_addr_ptr,
3066 3070 newbie->ipsa_innerfam);
3067 3071 newbie->ipsa_innersrcpfx = isrcext->sadb_address_prefixlen;
3068 3072 newbie->ipsa_innerdstpfx = idstext->sadb_address_prefixlen;
3069 3073
3070 3074 /* Unique value uses inner-ports for Tunnel Mode... */
3071 3075 newbie->ipsa_unique_id = SA_UNIQUE_ID(isrc->sin_port,
3072 3076 idst->sin_port, dstext->sadb_address_proto,
3073 3077 idstext->sadb_address_proto);
3074 3078 newbie->ipsa_unique_mask = SA_UNIQUE_MASK(isrc->sin_port,
3075 3079 idst->sin_port, dstext->sadb_address_proto,
3076 3080 idstext->sadb_address_proto);
3077 3081 } else {
3078 3082 /* ... and outer-ports for Transport Mode. */
3079 3083 newbie->ipsa_unique_id = SA_UNIQUE_ID(src->sin_port,
3080 3084 dst->sin_port, dstext->sadb_address_proto, 0);
3081 3085 newbie->ipsa_unique_mask = SA_UNIQUE_MASK(src->sin_port,
3082 3086 dst->sin_port, dstext->sadb_address_proto, 0);
3083 3087 }
3084 3088 if (newbie->ipsa_unique_mask != (uint64_t)0)
3085 3089 newbie->ipsa_flags |= IPSA_F_UNIQUE;
3086 3090
3087 3091 sadb_nat_calculations(newbie,
3088 3092 (sadb_address_t *)ksi->ks_in_extv[SADB_X_EXT_ADDRESS_NATT_LOC],
3089 3093 (sadb_address_t *)ksi->ks_in_extv[SADB_X_EXT_ADDRESS_NATT_REM],
3090 3094 src_addr_ptr, dst_addr_ptr);
3091 3095
3092 3096 newbie->ipsa_type = samsg->sadb_msg_satype;
3093 3097
3094 3098 ASSERT((assoc->sadb_sa_state == SADB_SASTATE_MATURE) ||
3095 3099 (assoc->sadb_sa_state == SADB_X_SASTATE_ACTIVE_ELSEWHERE));
3096 3100 newbie->ipsa_auth_alg = assoc->sadb_sa_auth;
3097 3101 newbie->ipsa_encr_alg = assoc->sadb_sa_encrypt;
3098 3102
3099 3103 newbie->ipsa_flags |= assoc->sadb_sa_flags;
3100 3104 if (newbie->ipsa_flags & SADB_X_SAFLAGS_NATT_LOC &&
3101 3105 ksi->ks_in_extv[SADB_X_EXT_ADDRESS_NATT_LOC] == NULL) {
3102 3106 mutex_exit(&newbie->ipsa_lock);
3103 3107 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_NATT_LOC;
3104 3108 error = EINVAL;
3105 3109 goto error;
3106 3110 }
3107 3111 if (newbie->ipsa_flags & SADB_X_SAFLAGS_NATT_REM &&
3108 3112 ksi->ks_in_extv[SADB_X_EXT_ADDRESS_NATT_REM] == NULL) {
3109 3113 mutex_exit(&newbie->ipsa_lock);
3110 3114 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_NATT_REM;
3111 3115 error = EINVAL;
3112 3116 goto error;
3113 3117 }
3114 3118 if (newbie->ipsa_flags & SADB_X_SAFLAGS_TUNNEL &&
3115 3119 ksi->ks_in_extv[SADB_X_EXT_ADDRESS_INNER_SRC] == NULL) {
3116 3120 mutex_exit(&newbie->ipsa_lock);
3117 3121 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_INNER_SRC;
3118 3122 error = EINVAL;
3119 3123 goto error;
3120 3124 }
3121 3125 /*
3122 3126 * If unspecified source address, force replay_wsize to 0.
3123 3127 * This is because an SA that has multiple sources of secure
3124 3128 * traffic cannot enforce a replay counter w/o synchronizing the
3125 3129 * senders.
|
↓ open down ↓ |
781 lines elided |
↑ open up ↑ |
3126 3130 */
3127 3131 if (ksi->ks_in_srctype != KS_IN_ADDR_UNSPEC)
3128 3132 newbie->ipsa_replay_wsize = assoc->sadb_sa_replay;
3129 3133 else
3130 3134 newbie->ipsa_replay_wsize = 0;
3131 3135
3132 3136 newbie->ipsa_addtime = gethrestime_sec();
3133 3137
3134 3138 if (kmcext != NULL) {
3135 3139 newbie->ipsa_kmp = kmcext->sadb_x_kmc_proto;
3136 - newbie->ipsa_kmc = kmcext->sadb_x_kmc_cookie;
3140 + /* Be liberal in what we receive. Special-case IKEv1. */
3141 + if (newbie->ipsa_kmp == SADB_X_KMP_IKE) {
3142 + /* Just in case in.iked is misbehaving... */
3143 + kmcext->sadb_x_kmc_reserved = 0;
3144 + }
3145 + newbie->ipsa_kmc = kmcext->sadb_x_kmc_cookie64;
3137 3146 }
3138 3147
3139 3148 /*
3140 3149 * XXX CURRENT lifetime checks MAY BE needed for an UPDATE.
3141 3150 * The spec says that one can update current lifetimes, but
3142 3151 * that seems impractical, especially in the larval-to-mature
3143 3152 * update that this function performs.
3144 3153 */
3145 3154 if (soft != NULL) {
3146 3155 newbie->ipsa_softaddlt = soft->sadb_lifetime_addtime;
3147 3156 newbie->ipsa_softuselt = soft->sadb_lifetime_usetime;
3148 3157 newbie->ipsa_softbyteslt = soft->sadb_lifetime_bytes;
3149 3158 newbie->ipsa_softalloc = soft->sadb_lifetime_allocations;
3150 3159 SET_EXPIRE(newbie, softaddlt, softexpiretime);
3151 3160 }
3152 3161 if (hard != NULL) {
3153 3162 newbie->ipsa_hardaddlt = hard->sadb_lifetime_addtime;
3154 3163 newbie->ipsa_harduselt = hard->sadb_lifetime_usetime;
3155 3164 newbie->ipsa_hardbyteslt = hard->sadb_lifetime_bytes;
3156 3165 newbie->ipsa_hardalloc = hard->sadb_lifetime_allocations;
3157 3166 SET_EXPIRE(newbie, hardaddlt, hardexpiretime);
3158 3167 }
3159 3168 if (idle != NULL) {
3160 3169 newbie->ipsa_idleaddlt = idle->sadb_lifetime_addtime;
3161 3170 newbie->ipsa_idleuselt = idle->sadb_lifetime_usetime;
3162 3171 newbie->ipsa_idleexpiretime = newbie->ipsa_addtime +
3163 3172 newbie->ipsa_idleaddlt;
3164 3173 newbie->ipsa_idletime = newbie->ipsa_idleaddlt;
3165 3174 }
3166 3175
3167 3176 newbie->ipsa_authtmpl = NULL;
3168 3177 newbie->ipsa_encrtmpl = NULL;
3169 3178
3170 3179 #ifdef IPSEC_LATENCY_TEST
3171 3180 if (akey != NULL && newbie->ipsa_auth_alg != SADB_AALG_NONE) {
3172 3181 #else
3173 3182 if (akey != NULL) {
3174 3183 #endif
3175 3184 async = (ipss->ipsec_algs_exec_mode[IPSEC_ALG_AUTH] ==
3176 3185 IPSEC_ALGS_EXEC_ASYNC);
3177 3186
3178 3187 newbie->ipsa_authkeybits = akey->sadb_key_bits;
3179 3188 newbie->ipsa_authkeylen = SADB_1TO8(akey->sadb_key_bits);
3180 3189 /* In case we have to round up to the next byte... */
3181 3190 if ((akey->sadb_key_bits & 0x7) != 0)
3182 3191 newbie->ipsa_authkeylen++;
3183 3192 newbie->ipsa_authkey = kmem_alloc(newbie->ipsa_authkeylen,
3184 3193 KM_NOSLEEP);
3185 3194 if (newbie->ipsa_authkey == NULL) {
3186 3195 error = ENOMEM;
3187 3196 mutex_exit(&newbie->ipsa_lock);
3188 3197 goto error;
3189 3198 }
3190 3199 bcopy(akey + 1, newbie->ipsa_authkey, newbie->ipsa_authkeylen);
3191 3200 bzero(akey + 1, newbie->ipsa_authkeylen);
3192 3201
3193 3202 /*
3194 3203 * Pre-initialize the kernel crypto framework key
3195 3204 * structure.
3196 3205 */
3197 3206 newbie->ipsa_kcfauthkey.ck_format = CRYPTO_KEY_RAW;
3198 3207 newbie->ipsa_kcfauthkey.ck_length = newbie->ipsa_authkeybits;
3199 3208 newbie->ipsa_kcfauthkey.ck_data = newbie->ipsa_authkey;
3200 3209
3201 3210 rw_enter(&ipss->ipsec_alg_lock, RW_READER);
3202 3211 alg = ipss->ipsec_alglists[IPSEC_ALG_AUTH]
3203 3212 [newbie->ipsa_auth_alg];
3204 3213 if (alg != NULL && ALG_VALID(alg)) {
3205 3214 newbie->ipsa_amech.cm_type = alg->alg_mech_type;
3206 3215 newbie->ipsa_amech.cm_param =
3207 3216 (char *)&newbie->ipsa_mac_len;
3208 3217 newbie->ipsa_amech.cm_param_len = sizeof (size_t);
3209 3218 newbie->ipsa_mac_len = (size_t)alg->alg_datalen;
3210 3219 } else {
3211 3220 newbie->ipsa_amech.cm_type = CRYPTO_MECHANISM_INVALID;
3212 3221 }
3213 3222 error = ipsec_create_ctx_tmpl(newbie, IPSEC_ALG_AUTH);
3214 3223 rw_exit(&ipss->ipsec_alg_lock);
3215 3224 if (error != 0) {
3216 3225 mutex_exit(&newbie->ipsa_lock);
3217 3226 /*
3218 3227 * An error here indicates that alg is the wrong type
3219 3228 * (IE: not authentication) or its not in the alg tables
3220 3229 * created by ipsecalgs(1m), or Kcf does not like the
3221 3230 * parameters passed in with this algorithm, which is
3222 3231 * probably a coding error!
3223 3232 */
3224 3233 *diagnostic = SADB_X_DIAGNOSTIC_BAD_CTX;
3225 3234
3226 3235 goto error;
3227 3236 }
3228 3237 }
3229 3238
3230 3239 if (ekey != NULL) {
3231 3240 rw_enter(&ipss->ipsec_alg_lock, RW_READER);
3232 3241 async = async || (ipss->ipsec_algs_exec_mode[IPSEC_ALG_ENCR] ==
3233 3242 IPSEC_ALGS_EXEC_ASYNC);
3234 3243 alg = ipss->ipsec_alglists[IPSEC_ALG_ENCR]
3235 3244 [newbie->ipsa_encr_alg];
3236 3245
3237 3246 if (alg != NULL && ALG_VALID(alg)) {
3238 3247 newbie->ipsa_emech.cm_type = alg->alg_mech_type;
3239 3248 newbie->ipsa_datalen = alg->alg_datalen;
3240 3249 if (alg->alg_flags & ALG_FLAG_COUNTERMODE)
3241 3250 newbie->ipsa_flags |= IPSA_F_COUNTERMODE;
3242 3251
3243 3252 if (alg->alg_flags & ALG_FLAG_COMBINED) {
3244 3253 newbie->ipsa_flags |= IPSA_F_COMBINED;
3245 3254 newbie->ipsa_mac_len = alg->alg_icvlen;
3246 3255 }
3247 3256
3248 3257 if (alg->alg_flags & ALG_FLAG_CCM)
3249 3258 newbie->ipsa_noncefunc = ccm_params_init;
3250 3259 else if (alg->alg_flags & ALG_FLAG_GCM)
3251 3260 newbie->ipsa_noncefunc = gcm_params_init;
3252 3261 else newbie->ipsa_noncefunc = cbc_params_init;
3253 3262
3254 3263 newbie->ipsa_saltlen = alg->alg_saltlen;
3255 3264 newbie->ipsa_saltbits = SADB_8TO1(newbie->ipsa_saltlen);
3256 3265 newbie->ipsa_iv_len = alg->alg_ivlen;
3257 3266 newbie->ipsa_nonce_len = newbie->ipsa_saltlen +
3258 3267 newbie->ipsa_iv_len;
3259 3268 newbie->ipsa_emech.cm_param = NULL;
3260 3269 newbie->ipsa_emech.cm_param_len = 0;
3261 3270 } else {
3262 3271 newbie->ipsa_emech.cm_type = CRYPTO_MECHANISM_INVALID;
3263 3272 }
3264 3273 rw_exit(&ipss->ipsec_alg_lock);
3265 3274
3266 3275 /*
3267 3276 * The byte stream following the sadb_key_t is made up of:
3268 3277 * key bytes, [salt bytes], [IV initial value]
3269 3278 * All of these have variable length. The IV is typically
3270 3279 * randomly generated by this function and not passed in.
3271 3280 * By supporting the injection of a known IV, the whole
3272 3281 * IPsec subsystem and the underlying crypto subsystem
3273 3282 * can be tested with known test vectors.
3274 3283 *
3275 3284 * The keying material has been checked by ext_check()
3276 3285 * and ipsec_valid_key_size(), after removing salt/IV
3277 3286 * bits, whats left is the encryption key. If this is too
3278 3287 * short, ipsec_create_ctx_tmpl() will fail and the SA
3279 3288 * won't get created.
3280 3289 *
3281 3290 * set ipsa_encrkeylen to length of key only.
3282 3291 */
3283 3292 newbie->ipsa_encrkeybits = ekey->sadb_key_bits;
3284 3293 newbie->ipsa_encrkeybits -= ekey->sadb_key_reserved;
3285 3294 newbie->ipsa_encrkeybits -= newbie->ipsa_saltbits;
3286 3295 newbie->ipsa_encrkeylen = SADB_1TO8(newbie->ipsa_encrkeybits);
3287 3296
3288 3297 /* In case we have to round up to the next byte... */
3289 3298 if ((ekey->sadb_key_bits & 0x7) != 0)
3290 3299 newbie->ipsa_encrkeylen++;
3291 3300
3292 3301 newbie->ipsa_encrkey = kmem_alloc(newbie->ipsa_encrkeylen,
3293 3302 KM_NOSLEEP);
3294 3303 if (newbie->ipsa_encrkey == NULL) {
3295 3304 error = ENOMEM;
3296 3305 mutex_exit(&newbie->ipsa_lock);
3297 3306 goto error;
3298 3307 }
3299 3308
3300 3309 buf_ptr = (uint8_t *)(ekey + 1);
3301 3310 bcopy(buf_ptr, newbie->ipsa_encrkey, newbie->ipsa_encrkeylen);
3302 3311
3303 3312 if (newbie->ipsa_flags & IPSA_F_COMBINED) {
3304 3313 /*
3305 3314 * Combined mode algs need a nonce. Copy the salt and
3306 3315 * IV into a buffer. The ipsa_nonce is a pointer into
3307 3316 * this buffer, some bytes at the start of the buffer
3308 3317 * may be unused, depends on the salt length. The IV
3309 3318 * is 64 bit aligned so it can be incremented as a
3310 3319 * uint64_t. Zero out key in samsg_t before freeing.
3311 3320 */
3312 3321
3313 3322 newbie->ipsa_nonce_buf = kmem_alloc(
3314 3323 sizeof (ipsec_nonce_t), KM_NOSLEEP);
3315 3324 if (newbie->ipsa_nonce_buf == NULL) {
3316 3325 error = ENOMEM;
3317 3326 mutex_exit(&newbie->ipsa_lock);
3318 3327 goto error;
3319 3328 }
3320 3329 /*
3321 3330 * Initialize nonce and salt pointers to point
3322 3331 * to the nonce buffer. This is just in case we get
3323 3332 * bad data, the pointers will be valid, the data
3324 3333 * won't be.
3325 3334 *
3326 3335 * See sadb.h for layout of nonce.
3327 3336 */
3328 3337 newbie->ipsa_iv = &newbie->ipsa_nonce_buf->iv;
3329 3338 newbie->ipsa_salt = (uint8_t *)newbie->ipsa_nonce_buf;
3330 3339 newbie->ipsa_nonce = newbie->ipsa_salt;
3331 3340 if (newbie->ipsa_saltlen != 0) {
3332 3341 salt_offset = MAXSALTSIZE -
3333 3342 newbie->ipsa_saltlen;
3334 3343 newbie->ipsa_salt = (uint8_t *)
3335 3344 &newbie->ipsa_nonce_buf->salt[salt_offset];
3336 3345 newbie->ipsa_nonce = newbie->ipsa_salt;
3337 3346 buf_ptr += newbie->ipsa_encrkeylen;
3338 3347 bcopy(buf_ptr, newbie->ipsa_salt,
3339 3348 newbie->ipsa_saltlen);
3340 3349 }
3341 3350 /*
3342 3351 * The IV for CCM/GCM mode increments, it should not
3343 3352 * repeat. Get a random value for the IV, make a
3344 3353 * copy, the SA will expire when/if the IV ever
3345 3354 * wraps back to the initial value. If an Initial IV
3346 3355 * is passed in via PF_KEY, save this in the SA.
3347 3356 * Initialising IV for inbound is pointless as its
3348 3357 * taken from the inbound packet.
3349 3358 */
3350 3359 if (!is_inbound) {
3351 3360 if (ekey->sadb_key_reserved != 0) {
3352 3361 buf_ptr += newbie->ipsa_saltlen;
3353 3362 bcopy(buf_ptr, (uint8_t *)newbie->
3354 3363 ipsa_iv, SADB_1TO8(ekey->
3355 3364 sadb_key_reserved));
3356 3365 } else {
3357 3366 (void) random_get_pseudo_bytes(
3358 3367 (uint8_t *)newbie->ipsa_iv,
3359 3368 newbie->ipsa_iv_len);
3360 3369 }
3361 3370 newbie->ipsa_iv_softexpire =
3362 3371 (*newbie->ipsa_iv) << 9;
3363 3372 newbie->ipsa_iv_hardexpire = *newbie->ipsa_iv;
3364 3373 }
3365 3374 }
3366 3375 bzero((ekey + 1), SADB_1TO8(ekey->sadb_key_bits));
3367 3376
3368 3377 /*
3369 3378 * Pre-initialize the kernel crypto framework key
3370 3379 * structure.
3371 3380 */
3372 3381 newbie->ipsa_kcfencrkey.ck_format = CRYPTO_KEY_RAW;
3373 3382 newbie->ipsa_kcfencrkey.ck_length = newbie->ipsa_encrkeybits;
3374 3383 newbie->ipsa_kcfencrkey.ck_data = newbie->ipsa_encrkey;
3375 3384
3376 3385 rw_enter(&ipss->ipsec_alg_lock, RW_READER);
3377 3386 error = ipsec_create_ctx_tmpl(newbie, IPSEC_ALG_ENCR);
3378 3387 rw_exit(&ipss->ipsec_alg_lock);
3379 3388 if (error != 0) {
3380 3389 mutex_exit(&newbie->ipsa_lock);
3381 3390 /* See above for error explanation. */
3382 3391 *diagnostic = SADB_X_DIAGNOSTIC_BAD_CTX;
3383 3392 goto error;
3384 3393 }
3385 3394 }
3386 3395
3387 3396 if (async)
3388 3397 newbie->ipsa_flags |= IPSA_F_ASYNC;
3389 3398
3390 3399 /*
3391 3400 * Ptrs to processing functions.
3392 3401 */
3393 3402 if (newbie->ipsa_type == SADB_SATYPE_ESP)
3394 3403 ipsecesp_init_funcs(newbie);
3395 3404 else
3396 3405 ipsecah_init_funcs(newbie);
3397 3406 ASSERT(newbie->ipsa_output_func != NULL &&
3398 3407 newbie->ipsa_input_func != NULL);
3399 3408
3400 3409 /*
3401 3410 * Certificate ID stuff.
3402 3411 */
3403 3412 if (ksi->ks_in_extv[SADB_EXT_IDENTITY_SRC] != NULL) {
3404 3413 sadb_ident_t *id =
3405 3414 (sadb_ident_t *)ksi->ks_in_extv[SADB_EXT_IDENTITY_SRC];
3406 3415
3407 3416 /*
3408 3417 * Can assume strlen() will return okay because ext_check() in
3409 3418 * keysock.c prepares the string for us.
3410 3419 */
3411 3420 newbie->ipsa_src_cid = ipsid_lookup(id->sadb_ident_type,
3412 3421 (char *)(id+1), ns);
3413 3422 if (newbie->ipsa_src_cid == NULL) {
3414 3423 error = ENOMEM;
3415 3424 mutex_exit(&newbie->ipsa_lock);
3416 3425 goto error;
3417 3426 }
3418 3427 }
3419 3428
3420 3429 if (ksi->ks_in_extv[SADB_EXT_IDENTITY_DST] != NULL) {
3421 3430 sadb_ident_t *id =
3422 3431 (sadb_ident_t *)ksi->ks_in_extv[SADB_EXT_IDENTITY_DST];
3423 3432
3424 3433 /*
3425 3434 * Can assume strlen() will return okay because ext_check() in
3426 3435 * keysock.c prepares the string for us.
3427 3436 */
3428 3437 newbie->ipsa_dst_cid = ipsid_lookup(id->sadb_ident_type,
3429 3438 (char *)(id+1), ns);
3430 3439 if (newbie->ipsa_dst_cid == NULL) {
3431 3440 error = ENOMEM;
3432 3441 mutex_exit(&newbie->ipsa_lock);
3433 3442 goto error;
3434 3443 }
3435 3444 }
3436 3445
3437 3446 /*
3438 3447 * sensitivity label handling code:
3439 3448 * Convert sens + bitmap into cred_t, and associate it
3440 3449 * with the new SA.
3441 3450 */
3442 3451 if (sens != NULL) {
3443 3452 uint64_t *bitmap = (uint64_t *)(sens + 1);
3444 3453
3445 3454 newbie->ipsa_tsl = sadb_label_from_sens(sens, bitmap);
3446 3455 }
3447 3456
3448 3457 /*
3449 3458 * Likewise for outer sensitivity.
3450 3459 */
3451 3460 if (osens != NULL) {
3452 3461 uint64_t *bitmap = (uint64_t *)(osens + 1);
3453 3462 ts_label_t *tsl, *effective_tsl;
3454 3463 uint32_t *peer_addr_ptr;
3455 3464 zoneid_t zoneid = GLOBAL_ZONEID;
3456 3465 zone_t *zone;
3457 3466
3458 3467 peer_addr_ptr = is_inbound ? src_addr_ptr : dst_addr_ptr;
3459 3468
3460 3469 tsl = sadb_label_from_sens(osens, bitmap);
3461 3470 newbie->ipsa_mac_exempt = CONN_MAC_DEFAULT;
3462 3471
3463 3472 if (osens->sadb_x_sens_flags & SADB_X_SENS_IMPLICIT) {
3464 3473 newbie->ipsa_mac_exempt = CONN_MAC_IMPLICIT;
3465 3474 }
3466 3475
3467 3476 error = tsol_check_dest(tsl, peer_addr_ptr,
3468 3477 (af == AF_INET6)?IPV6_VERSION:IPV4_VERSION,
3469 3478 newbie->ipsa_mac_exempt, B_TRUE, &effective_tsl);
3470 3479 if (error != 0) {
3471 3480 label_rele(tsl);
3472 3481 mutex_exit(&newbie->ipsa_lock);
3473 3482 goto error;
3474 3483 }
3475 3484
3476 3485 if (effective_tsl != NULL) {
3477 3486 label_rele(tsl);
3478 3487 tsl = effective_tsl;
3479 3488 }
3480 3489
3481 3490 newbie->ipsa_otsl = tsl;
3482 3491
3483 3492 zone = zone_find_by_label(tsl);
3484 3493 if (zone != NULL) {
3485 3494 zoneid = zone->zone_id;
3486 3495 zone_rele(zone);
3487 3496 }
3488 3497 /*
3489 3498 * For exclusive stacks we set the zoneid to zero to operate
3490 3499 * as if in the global zone for tsol_compute_label_v4/v6
3491 3500 */
3492 3501 if (ipst->ips_netstack->netstack_stackid != GLOBAL_NETSTACKID)
3493 3502 zoneid = GLOBAL_ZONEID;
3494 3503
3495 3504 if (af == AF_INET6) {
3496 3505 error = tsol_compute_label_v6(tsl, zoneid,
3497 3506 (in6_addr_t *)peer_addr_ptr,
3498 3507 newbie->ipsa_opt_storage, ipst);
3499 3508 } else {
3500 3509 error = tsol_compute_label_v4(tsl, zoneid,
3501 3510 *peer_addr_ptr, newbie->ipsa_opt_storage, ipst);
3502 3511 }
3503 3512 if (error != 0) {
3504 3513 mutex_exit(&newbie->ipsa_lock);
3505 3514 goto error;
3506 3515 }
3507 3516 }
3508 3517
3509 3518
3510 3519 if (replayext != NULL) {
3511 3520 if ((replayext->sadb_x_rc_replay32 == 0) &&
3512 3521 (replayext->sadb_x_rc_replay64 != 0)) {
3513 3522 error = EOPNOTSUPP;
3514 3523 *diagnostic = SADB_X_DIAGNOSTIC_INVALID_REPLAY;
3515 3524 mutex_exit(&newbie->ipsa_lock);
3516 3525 goto error;
3517 3526 }
3518 3527 newbie->ipsa_replay = replayext->sadb_x_rc_replay32;
3519 3528 }
3520 3529
3521 3530 /* now that the SA has been updated, set its new state */
3522 3531 newbie->ipsa_state = assoc->sadb_sa_state;
3523 3532
3524 3533 if (clone) {
3525 3534 newbie->ipsa_haspeer = B_TRUE;
3526 3535 } else {
3527 3536 if (!is_inbound) {
3528 3537 lifetime_fuzz(newbie);
3529 3538 }
3530 3539 }
3531 3540 /*
3532 3541 * The less locks I hold when doing an insertion and possible cloning,
3533 3542 * the better!
3534 3543 */
3535 3544 mutex_exit(&newbie->ipsa_lock);
3536 3545
3537 3546 if (clone) {
3538 3547 newbie_clone = sadb_cloneassoc(newbie);
3539 3548
3540 3549 if (newbie_clone == NULL) {
3541 3550 error = ENOMEM;
3542 3551 goto error;
3543 3552 }
3544 3553 }
3545 3554
3546 3555 /*
3547 3556 * Enter the bucket locks. The order of entry is outbound,
3548 3557 * inbound. We map "primary" and "secondary" into outbound and inbound
3549 3558 * based on the destination address type. If the destination address
3550 3559 * type is for a node that isn't mine (or potentially mine), the
3551 3560 * "primary" bucket is the outbound one.
3552 3561 */
3553 3562 if (!is_inbound) {
3554 3563 /* primary == outbound */
3555 3564 mutex_enter(&primary->isaf_lock);
3556 3565 mutex_enter(&secondary->isaf_lock);
3557 3566 } else {
3558 3567 /* primary == inbound */
3559 3568 mutex_enter(&secondary->isaf_lock);
3560 3569 mutex_enter(&primary->isaf_lock);
3561 3570 }
3562 3571
3563 3572 /*
3564 3573 * sadb_insertassoc() doesn't increment the reference
3565 3574 * count. We therefore have to increment the
3566 3575 * reference count one more time to reflect the
3567 3576 * pointers of the table that reference this SA.
3568 3577 */
3569 3578 IPSA_REFHOLD(newbie);
3570 3579
3571 3580 if (isupdate) {
3572 3581 /*
3573 3582 * Unlink from larval holding cell in the "inbound" fanout.
3574 3583 */
3575 3584 ASSERT(newbie->ipsa_linklock == &primary->isaf_lock ||
3576 3585 newbie->ipsa_linklock == &secondary->isaf_lock);
3577 3586 sadb_unlinkassoc(newbie);
3578 3587 }
3579 3588
3580 3589 mutex_enter(&newbie->ipsa_lock);
3581 3590 error = sadb_insertassoc(newbie, primary);
3582 3591 mutex_exit(&newbie->ipsa_lock);
3583 3592
3584 3593 if (error != 0) {
3585 3594 /*
3586 3595 * Since sadb_insertassoc() failed, we must decrement the
3587 3596 * refcount again so the cleanup code will actually free
3588 3597 * the offending SA.
3589 3598 */
3590 3599 IPSA_REFRELE(newbie);
3591 3600 goto error_unlock;
3592 3601 }
3593 3602
3594 3603 if (newbie_clone != NULL) {
3595 3604 mutex_enter(&newbie_clone->ipsa_lock);
3596 3605 error = sadb_insertassoc(newbie_clone, secondary);
3597 3606 mutex_exit(&newbie_clone->ipsa_lock);
3598 3607 if (error != 0) {
3599 3608 /* Collision in secondary table. */
3600 3609 sadb_unlinkassoc(newbie); /* This does REFRELE. */
3601 3610 goto error_unlock;
3602 3611 }
3603 3612 IPSA_REFHOLD(newbie_clone);
3604 3613 } else {
3605 3614 ASSERT(primary != secondary);
3606 3615 scratch = ipsec_getassocbyspi(secondary, newbie->ipsa_spi,
3607 3616 ALL_ZEROES_PTR, newbie->ipsa_dstaddr, af);
3608 3617 if (scratch != NULL) {
3609 3618 /* Collision in secondary table. */
3610 3619 sadb_unlinkassoc(newbie); /* This does REFRELE. */
3611 3620 /* Set the error, since ipsec_getassocbyspi() can't. */
3612 3621 error = EEXIST;
3613 3622 goto error_unlock;
3614 3623 }
3615 3624 }
3616 3625
3617 3626 /* OKAY! So let's do some reality check assertions. */
3618 3627
3619 3628 ASSERT(MUTEX_NOT_HELD(&newbie->ipsa_lock));
3620 3629 ASSERT(newbie_clone == NULL ||
3621 3630 (MUTEX_NOT_HELD(&newbie_clone->ipsa_lock)));
3622 3631
3623 3632 error_unlock:
3624 3633
3625 3634 /*
3626 3635 * We can exit the locks in any order. Only entrance needs to
3627 3636 * follow any protocol.
3628 3637 */
3629 3638 mutex_exit(&secondary->isaf_lock);
3630 3639 mutex_exit(&primary->isaf_lock);
3631 3640
3632 3641 if (pair_ext != NULL && error == 0) {
3633 3642 /* update pair_spi if it exists. */
3634 3643 ipsa_query_t sq;
3635 3644
3636 3645 sq.spp = spp; /* XXX param */
3637 3646 error = sadb_form_query(ksi, IPSA_Q_DST, IPSA_Q_SRC|IPSA_Q_DST|
3638 3647 IPSA_Q_SA|IPSA_Q_INBOUND|IPSA_Q_OUTBOUND, &sq, diagnostic);
3639 3648 if (error)
3640 3649 return (error);
3641 3650
3642 3651 error = get_ipsa_pair(&sq, &ipsapp, diagnostic);
3643 3652
3644 3653 if (error != 0)
3645 3654 goto error;
3646 3655
3647 3656 if (ipsapp.ipsap_psa_ptr != NULL) {
3648 3657 *diagnostic = SADB_X_DIAGNOSTIC_PAIR_ALREADY;
3649 3658 error = EINVAL;
3650 3659 } else {
3651 3660 /* update_pairing() sets diagnostic */
3652 3661 error = update_pairing(&ipsapp, &sq, ksi, diagnostic);
3653 3662 }
3654 3663 }
3655 3664 /* Common error point for this routine. */
3656 3665 error:
3657 3666 if (newbie != NULL) {
3658 3667 if (error != 0) {
3659 3668 /* This SA is broken, let the reaper clean up. */
3660 3669 mutex_enter(&newbie->ipsa_lock);
3661 3670 newbie->ipsa_state = IPSA_STATE_DEAD;
3662 3671 newbie->ipsa_hardexpiretime = 1;
3663 3672 mutex_exit(&newbie->ipsa_lock);
3664 3673 }
3665 3674 IPSA_REFRELE(newbie);
3666 3675 }
3667 3676 if (newbie_clone != NULL) {
3668 3677 IPSA_REFRELE(newbie_clone);
3669 3678 }
3670 3679
3671 3680 if (error == 0) {
3672 3681 /*
3673 3682 * Construct favorable PF_KEY return message and send to
3674 3683 * keysock. Update the flags in the original keysock message
3675 3684 * to reflect the actual flags in the new SA.
3676 3685 * (Q: Do I need to pass "newbie"? If I do,
3677 3686 * make sure to REFHOLD, call, then REFRELE.)
3678 3687 */
3679 3688 assoc->sadb_sa_flags = newbie->ipsa_flags;
3680 3689 sadb_pfkey_echo(pfkey_q, mp, samsg, ksi, NULL);
3681 3690 }
3682 3691
3683 3692 destroy_ipsa_pair(&ipsapp);
3684 3693 return (error);
3685 3694 }
3686 3695
3687 3696 /*
3688 3697 * Set the time of first use for a security association. Update any
3689 3698 * expiration times as a result.
3690 3699 */
3691 3700 void
3692 3701 sadb_set_usetime(ipsa_t *assoc)
3693 3702 {
3694 3703 time_t snapshot = gethrestime_sec();
3695 3704
3696 3705 mutex_enter(&assoc->ipsa_lock);
3697 3706 assoc->ipsa_lastuse = snapshot;
3698 3707 assoc->ipsa_idleexpiretime = snapshot + assoc->ipsa_idletime;
3699 3708
3700 3709 /*
3701 3710 * Caller does check usetime before calling me usually, and
3702 3711 * double-checking is better than a mutex_enter/exit hit.
3703 3712 */
3704 3713 if (assoc->ipsa_usetime == 0) {
3705 3714 /*
3706 3715 * This is redundant for outbound SA's, as
3707 3716 * ipsec_getassocbyconn() sets the IPSA_F_USED flag already.
3708 3717 * Inbound SAs, however, have no such protection.
3709 3718 */
3710 3719 assoc->ipsa_flags |= IPSA_F_USED;
3711 3720 assoc->ipsa_usetime = snapshot;
3712 3721
3713 3722 /*
3714 3723 * After setting the use time, see if we have a use lifetime
3715 3724 * that would cause the actual SA expiration time to shorten.
3716 3725 */
3717 3726 UPDATE_EXPIRE(assoc, softuselt, softexpiretime);
3718 3727 UPDATE_EXPIRE(assoc, harduselt, hardexpiretime);
3719 3728 }
3720 3729 mutex_exit(&assoc->ipsa_lock);
3721 3730 }
3722 3731
3723 3732 /*
3724 3733 * Send up a PF_KEY expire message for this association.
3725 3734 */
3726 3735 static void
3727 3736 sadb_expire_assoc(queue_t *pfkey_q, ipsa_t *assoc)
3728 3737 {
3729 3738 mblk_t *mp, *mp1;
3730 3739 int alloclen, af;
3731 3740 sadb_msg_t *samsg;
3732 3741 sadb_lifetime_t *current, *expire;
3733 3742 sadb_sa_t *saext;
3734 3743 uint8_t *end;
3735 3744 boolean_t tunnel_mode;
3736 3745
3737 3746 ASSERT(MUTEX_HELD(&assoc->ipsa_lock));
3738 3747
3739 3748 /* Don't bother sending if there's no queue. */
3740 3749 if (pfkey_q == NULL)
3741 3750 return;
3742 3751
3743 3752 mp = sadb_keysock_out(0);
3744 3753 if (mp == NULL) {
3745 3754 /* cmn_err(CE_WARN, */
3746 3755 /* "sadb_expire_assoc: Can't allocate KEYSOCK_OUT.\n"); */
3747 3756 return;
3748 3757 }
3749 3758
3750 3759 alloclen = sizeof (*samsg) + sizeof (*current) + sizeof (*expire) +
3751 3760 2 * sizeof (sadb_address_t) + sizeof (*saext);
3752 3761
3753 3762 af = assoc->ipsa_addrfam;
3754 3763 switch (af) {
3755 3764 case AF_INET:
3756 3765 alloclen += 2 * sizeof (struct sockaddr_in);
3757 3766 break;
3758 3767 case AF_INET6:
3759 3768 alloclen += 2 * sizeof (struct sockaddr_in6);
3760 3769 break;
3761 3770 default:
3762 3771 /* Won't happen unless there's a kernel bug. */
3763 3772 freeb(mp);
3764 3773 cmn_err(CE_WARN,
3765 3774 "sadb_expire_assoc: Unknown address length.\n");
3766 3775 return;
3767 3776 }
3768 3777
3769 3778 tunnel_mode = (assoc->ipsa_flags & IPSA_F_TUNNEL);
3770 3779 if (tunnel_mode) {
3771 3780 alloclen += 2 * sizeof (sadb_address_t);
3772 3781 switch (assoc->ipsa_innerfam) {
3773 3782 case AF_INET:
3774 3783 alloclen += 2 * sizeof (struct sockaddr_in);
3775 3784 break;
3776 3785 case AF_INET6:
3777 3786 alloclen += 2 * sizeof (struct sockaddr_in6);
3778 3787 break;
3779 3788 default:
3780 3789 /* Won't happen unless there's a kernel bug. */
3781 3790 freeb(mp);
3782 3791 cmn_err(CE_WARN, "sadb_expire_assoc: "
3783 3792 "Unknown inner address length.\n");
3784 3793 return;
3785 3794 }
3786 3795 }
3787 3796
3788 3797 mp->b_cont = allocb(alloclen, BPRI_HI);
3789 3798 if (mp->b_cont == NULL) {
3790 3799 freeb(mp);
3791 3800 /* cmn_err(CE_WARN, */
3792 3801 /* "sadb_expire_assoc: Can't allocate message.\n"); */
3793 3802 return;
3794 3803 }
3795 3804
3796 3805 mp1 = mp;
3797 3806 mp = mp->b_cont;
3798 3807 end = mp->b_wptr + alloclen;
3799 3808
3800 3809 samsg = (sadb_msg_t *)mp->b_wptr;
3801 3810 mp->b_wptr += sizeof (*samsg);
3802 3811 samsg->sadb_msg_version = PF_KEY_V2;
3803 3812 samsg->sadb_msg_type = SADB_EXPIRE;
3804 3813 samsg->sadb_msg_errno = 0;
3805 3814 samsg->sadb_msg_satype = assoc->ipsa_type;
3806 3815 samsg->sadb_msg_len = SADB_8TO64(alloclen);
3807 3816 samsg->sadb_msg_reserved = 0;
3808 3817 samsg->sadb_msg_seq = 0;
3809 3818 samsg->sadb_msg_pid = 0;
3810 3819
3811 3820 saext = (sadb_sa_t *)mp->b_wptr;
3812 3821 mp->b_wptr += sizeof (*saext);
3813 3822 saext->sadb_sa_len = SADB_8TO64(sizeof (*saext));
3814 3823 saext->sadb_sa_exttype = SADB_EXT_SA;
3815 3824 saext->sadb_sa_spi = assoc->ipsa_spi;
3816 3825 saext->sadb_sa_replay = assoc->ipsa_replay_wsize;
3817 3826 saext->sadb_sa_state = assoc->ipsa_state;
3818 3827 saext->sadb_sa_auth = assoc->ipsa_auth_alg;
3819 3828 saext->sadb_sa_encrypt = assoc->ipsa_encr_alg;
3820 3829 saext->sadb_sa_flags = assoc->ipsa_flags;
3821 3830
3822 3831 current = (sadb_lifetime_t *)mp->b_wptr;
3823 3832 mp->b_wptr += sizeof (sadb_lifetime_t);
3824 3833 current->sadb_lifetime_len = SADB_8TO64(sizeof (*current));
3825 3834 current->sadb_lifetime_exttype = SADB_EXT_LIFETIME_CURRENT;
3826 3835 /* We do not support the concept. */
3827 3836 current->sadb_lifetime_allocations = 0;
3828 3837 current->sadb_lifetime_bytes = assoc->ipsa_bytes;
3829 3838 current->sadb_lifetime_addtime = assoc->ipsa_addtime;
3830 3839 current->sadb_lifetime_usetime = assoc->ipsa_usetime;
3831 3840
3832 3841 expire = (sadb_lifetime_t *)mp->b_wptr;
3833 3842 mp->b_wptr += sizeof (*expire);
3834 3843 expire->sadb_lifetime_len = SADB_8TO64(sizeof (*expire));
3835 3844
3836 3845 if (assoc->ipsa_state == IPSA_STATE_DEAD) {
3837 3846 expire->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD;
3838 3847 expire->sadb_lifetime_allocations = assoc->ipsa_hardalloc;
3839 3848 expire->sadb_lifetime_bytes = assoc->ipsa_hardbyteslt;
3840 3849 expire->sadb_lifetime_addtime = assoc->ipsa_hardaddlt;
3841 3850 expire->sadb_lifetime_usetime = assoc->ipsa_harduselt;
3842 3851 } else if (assoc->ipsa_state == IPSA_STATE_DYING) {
3843 3852 expire->sadb_lifetime_exttype = SADB_EXT_LIFETIME_SOFT;
3844 3853 expire->sadb_lifetime_allocations = assoc->ipsa_softalloc;
3845 3854 expire->sadb_lifetime_bytes = assoc->ipsa_softbyteslt;
3846 3855 expire->sadb_lifetime_addtime = assoc->ipsa_softaddlt;
3847 3856 expire->sadb_lifetime_usetime = assoc->ipsa_softuselt;
3848 3857 } else {
3849 3858 ASSERT(assoc->ipsa_state == IPSA_STATE_MATURE);
3850 3859 expire->sadb_lifetime_exttype = SADB_X_EXT_LIFETIME_IDLE;
3851 3860 expire->sadb_lifetime_allocations = 0;
3852 3861 expire->sadb_lifetime_bytes = 0;
3853 3862 expire->sadb_lifetime_addtime = assoc->ipsa_idleaddlt;
3854 3863 expire->sadb_lifetime_usetime = assoc->ipsa_idleuselt;
3855 3864 }
3856 3865
3857 3866 mp->b_wptr = sadb_make_addr_ext(mp->b_wptr, end, SADB_EXT_ADDRESS_SRC,
3858 3867 af, assoc->ipsa_srcaddr, tunnel_mode ? 0 : SA_SRCPORT(assoc),
3859 3868 SA_PROTO(assoc), 0);
3860 3869 ASSERT(mp->b_wptr != NULL);
3861 3870
3862 3871 mp->b_wptr = sadb_make_addr_ext(mp->b_wptr, end, SADB_EXT_ADDRESS_DST,
3863 3872 af, assoc->ipsa_dstaddr, tunnel_mode ? 0 : SA_DSTPORT(assoc),
3864 3873 SA_PROTO(assoc), 0);
3865 3874 ASSERT(mp->b_wptr != NULL);
3866 3875
3867 3876 if (tunnel_mode) {
3868 3877 mp->b_wptr = sadb_make_addr_ext(mp->b_wptr, end,
3869 3878 SADB_X_EXT_ADDRESS_INNER_SRC, assoc->ipsa_innerfam,
3870 3879 assoc->ipsa_innersrc, SA_SRCPORT(assoc), SA_IPROTO(assoc),
3871 3880 assoc->ipsa_innersrcpfx);
3872 3881 ASSERT(mp->b_wptr != NULL);
3873 3882 mp->b_wptr = sadb_make_addr_ext(mp->b_wptr, end,
3874 3883 SADB_X_EXT_ADDRESS_INNER_DST, assoc->ipsa_innerfam,
3875 3884 assoc->ipsa_innerdst, SA_DSTPORT(assoc), SA_IPROTO(assoc),
3876 3885 assoc->ipsa_innerdstpfx);
3877 3886 ASSERT(mp->b_wptr != NULL);
3878 3887 }
3879 3888
3880 3889 /* Can just putnext, we're ready to go! */
3881 3890 putnext(pfkey_q, mp1);
3882 3891 }
3883 3892
3884 3893 /*
3885 3894 * "Age" the SA with the number of bytes that was used to protect traffic.
3886 3895 * Send an SADB_EXPIRE message if appropriate. Return B_TRUE if there was
3887 3896 * enough "charge" left in the SA to protect the data. Return B_FALSE
3888 3897 * otherwise. (If B_FALSE is returned, the association either was, or became
3889 3898 * DEAD.)
3890 3899 */
3891 3900 boolean_t
3892 3901 sadb_age_bytes(queue_t *pfkey_q, ipsa_t *assoc, uint64_t bytes,
3893 3902 boolean_t sendmsg)
3894 3903 {
3895 3904 boolean_t rc = B_TRUE;
3896 3905 uint64_t newtotal;
3897 3906
3898 3907 mutex_enter(&assoc->ipsa_lock);
3899 3908 newtotal = assoc->ipsa_bytes + bytes;
3900 3909 if (assoc->ipsa_hardbyteslt != 0 &&
3901 3910 newtotal >= assoc->ipsa_hardbyteslt) {
3902 3911 if (assoc->ipsa_state != IPSA_STATE_DEAD) {
3903 3912 sadb_delete_cluster(assoc);
3904 3913 /*
3905 3914 * Send EXPIRE message to PF_KEY. May wish to pawn
3906 3915 * this off on another non-interrupt thread. Also
3907 3916 * unlink this SA immediately.
3908 3917 */
3909 3918 assoc->ipsa_state = IPSA_STATE_DEAD;
3910 3919 if (sendmsg)
3911 3920 sadb_expire_assoc(pfkey_q, assoc);
3912 3921 /*
3913 3922 * Set non-zero expiration time so sadb_age_assoc()
3914 3923 * will work when reaping.
3915 3924 */
3916 3925 assoc->ipsa_hardexpiretime = (time_t)1;
3917 3926 } /* Else someone beat me to it! */
3918 3927 rc = B_FALSE;
3919 3928 } else if (assoc->ipsa_softbyteslt != 0 &&
3920 3929 (newtotal >= assoc->ipsa_softbyteslt)) {
3921 3930 if (assoc->ipsa_state < IPSA_STATE_DYING) {
3922 3931 /*
3923 3932 * Send EXPIRE message to PF_KEY. May wish to pawn
3924 3933 * this off on another non-interrupt thread.
3925 3934 */
3926 3935 assoc->ipsa_state = IPSA_STATE_DYING;
3927 3936 assoc->ipsa_bytes = newtotal;
3928 3937 if (sendmsg)
3929 3938 sadb_expire_assoc(pfkey_q, assoc);
3930 3939 } /* Else someone beat me to it! */
3931 3940 }
3932 3941 if (rc == B_TRUE)
3933 3942 assoc->ipsa_bytes = newtotal;
3934 3943 mutex_exit(&assoc->ipsa_lock);
3935 3944 return (rc);
3936 3945 }
3937 3946
3938 3947 /*
3939 3948 * "Torch" an individual SA. Returns NULL, so it can be tail-called from
3940 3949 * sadb_age_assoc().
3941 3950 */
3942 3951 static ipsa_t *
3943 3952 sadb_torch_assoc(isaf_t *head, ipsa_t *sa)
3944 3953 {
3945 3954 ASSERT(MUTEX_HELD(&head->isaf_lock));
3946 3955 ASSERT(MUTEX_HELD(&sa->ipsa_lock));
3947 3956 ASSERT(sa->ipsa_state == IPSA_STATE_DEAD);
3948 3957
3949 3958 /*
3950 3959 * Force cached SAs to be revalidated..
3951 3960 */
3952 3961 head->isaf_gen++;
3953 3962
3954 3963 mutex_exit(&sa->ipsa_lock);
3955 3964 sadb_unlinkassoc(sa);
3956 3965
3957 3966 return (NULL);
3958 3967 }
3959 3968
3960 3969 /*
3961 3970 * Do various SA-is-idle activities depending on delta (the number of idle
3962 3971 * seconds on the SA) and/or other properties of the SA.
3963 3972 *
3964 3973 * Return B_TRUE if I've sent a packet, because I have to drop the
3965 3974 * association's mutex before sending a packet out the wire.
3966 3975 */
3967 3976 /* ARGSUSED */
3968 3977 static boolean_t
3969 3978 sadb_idle_activities(ipsa_t *assoc, time_t delta, boolean_t inbound)
3970 3979 {
3971 3980 ipsecesp_stack_t *espstack = assoc->ipsa_netstack->netstack_ipsecesp;
3972 3981 int nat_t_interval = espstack->ipsecesp_nat_keepalive_interval;
3973 3982
3974 3983 ASSERT(MUTEX_HELD(&assoc->ipsa_lock));
3975 3984
3976 3985 if (!inbound && (assoc->ipsa_flags & IPSA_F_NATT_LOC) &&
3977 3986 delta >= nat_t_interval &&
3978 3987 gethrestime_sec() - assoc->ipsa_last_nat_t_ka >= nat_t_interval) {
3979 3988 ASSERT(assoc->ipsa_type == SADB_SATYPE_ESP);
3980 3989 assoc->ipsa_last_nat_t_ka = gethrestime_sec();
3981 3990 mutex_exit(&assoc->ipsa_lock);
3982 3991 ipsecesp_send_keepalive(assoc);
3983 3992 return (B_TRUE);
3984 3993 }
3985 3994 return (B_FALSE);
3986 3995 }
3987 3996
3988 3997 /*
3989 3998 * Return "assoc" if haspeer is true and I send an expire. This allows
3990 3999 * the consumers' aging functions to tidy up an expired SA's peer.
3991 4000 */
3992 4001 static ipsa_t *
3993 4002 sadb_age_assoc(isaf_t *head, queue_t *pfkey_q, ipsa_t *assoc,
3994 4003 time_t current, int reap_delay, boolean_t inbound)
3995 4004 {
3996 4005 ipsa_t *retval = NULL;
3997 4006 boolean_t dropped_mutex = B_FALSE;
3998 4007
3999 4008 ASSERT(MUTEX_HELD(&head->isaf_lock));
4000 4009
4001 4010 mutex_enter(&assoc->ipsa_lock);
4002 4011
4003 4012 if (((assoc->ipsa_state == IPSA_STATE_LARVAL) ||
4004 4013 ((assoc->ipsa_state == IPSA_STATE_IDLE) ||
4005 4014 (assoc->ipsa_state == IPSA_STATE_ACTIVE_ELSEWHERE) &&
4006 4015 (assoc->ipsa_hardexpiretime != 0))) &&
4007 4016 (assoc->ipsa_hardexpiretime <= current)) {
4008 4017 assoc->ipsa_state = IPSA_STATE_DEAD;
4009 4018 return (sadb_torch_assoc(head, assoc));
4010 4019 }
4011 4020
4012 4021 /*
4013 4022 * Check lifetimes. Fortunately, SA setup is done
4014 4023 * such that there are only two times to look at,
4015 4024 * softexpiretime, and hardexpiretime.
4016 4025 *
4017 4026 * Check hard first.
4018 4027 */
4019 4028
4020 4029 if (assoc->ipsa_hardexpiretime != 0 &&
4021 4030 assoc->ipsa_hardexpiretime <= current) {
4022 4031 if (assoc->ipsa_state == IPSA_STATE_DEAD)
4023 4032 return (sadb_torch_assoc(head, assoc));
4024 4033
4025 4034 if (inbound) {
4026 4035 sadb_delete_cluster(assoc);
4027 4036 }
4028 4037
4029 4038 /*
4030 4039 * Send SADB_EXPIRE with hard lifetime, delay for unlinking.
4031 4040 */
4032 4041 assoc->ipsa_state = IPSA_STATE_DEAD;
4033 4042 if (assoc->ipsa_haspeer || assoc->ipsa_otherspi != 0) {
4034 4043 /*
4035 4044 * If the SA is paired or peered with another, put
4036 4045 * a copy on a list which can be processed later, the
4037 4046 * pair/peer SA needs to be updated so the both die
4038 4047 * at the same time.
4039 4048 *
4040 4049 * If I return assoc, I have to bump up its reference
4041 4050 * count to keep with the ipsa_t reference count
4042 4051 * semantics.
4043 4052 */
4044 4053 IPSA_REFHOLD(assoc);
4045 4054 retval = assoc;
4046 4055 }
4047 4056 sadb_expire_assoc(pfkey_q, assoc);
4048 4057 assoc->ipsa_hardexpiretime = current + reap_delay;
4049 4058 } else if (assoc->ipsa_softexpiretime != 0 &&
4050 4059 assoc->ipsa_softexpiretime <= current &&
4051 4060 assoc->ipsa_state < IPSA_STATE_DYING) {
4052 4061 /*
4053 4062 * Send EXPIRE message to PF_KEY. May wish to pawn
4054 4063 * this off on another non-interrupt thread.
4055 4064 */
4056 4065 assoc->ipsa_state = IPSA_STATE_DYING;
4057 4066 if (assoc->ipsa_haspeer) {
4058 4067 /*
4059 4068 * If the SA has a peer, update the peer's state
4060 4069 * on SOFT_EXPIRE, this is mostly to prevent two
4061 4070 * expire messages from effectively the same SA.
4062 4071 *
4063 4072 * Don't care about paired SA's, then can (and should)
4064 4073 * be able to soft expire at different times.
4065 4074 *
4066 4075 * If I return assoc, I have to bump up its
4067 4076 * reference count to keep with the ipsa_t reference
4068 4077 * count semantics.
4069 4078 */
4070 4079 IPSA_REFHOLD(assoc);
4071 4080 retval = assoc;
4072 4081 }
4073 4082 sadb_expire_assoc(pfkey_q, assoc);
4074 4083 } else if (assoc->ipsa_idletime != 0 &&
4075 4084 assoc->ipsa_idleexpiretime <= current) {
4076 4085 if (assoc->ipsa_state == IPSA_STATE_ACTIVE_ELSEWHERE) {
4077 4086 assoc->ipsa_state = IPSA_STATE_IDLE;
4078 4087 }
4079 4088
4080 4089 /*
4081 4090 * Need to handle Mature case
4082 4091 */
4083 4092 if (assoc->ipsa_state == IPSA_STATE_MATURE) {
4084 4093 sadb_expire_assoc(pfkey_q, assoc);
4085 4094 }
4086 4095 } else {
4087 4096 /* Check idle time activities. */
4088 4097 dropped_mutex = sadb_idle_activities(assoc,
4089 4098 current - assoc->ipsa_lastuse, inbound);
4090 4099 }
4091 4100
4092 4101 if (!dropped_mutex)
4093 4102 mutex_exit(&assoc->ipsa_lock);
4094 4103 return (retval);
4095 4104 }
4096 4105
4097 4106 /*
4098 4107 * Called by a consumer protocol to do ther dirty work of reaping dead
4099 4108 * Security Associations.
4100 4109 *
4101 4110 * NOTE: sadb_age_assoc() marks expired SA's as DEAD but only removed
4102 4111 * SA's that are already marked DEAD, so expired SA's are only reaped
4103 4112 * the second time sadb_ager() runs.
4104 4113 */
4105 4114 void
4106 4115 sadb_ager(sadb_t *sp, queue_t *pfkey_q, int reap_delay, netstack_t *ns)
4107 4116 {
4108 4117 int i;
4109 4118 isaf_t *bucket;
4110 4119 ipsa_t *assoc, *spare;
4111 4120 iacqf_t *acqlist;
4112 4121 ipsacq_t *acqrec, *spareacq;
4113 4122 templist_t *haspeerlist, *newbie;
4114 4123 /* Snapshot current time now. */
4115 4124 time_t current = gethrestime_sec();
4116 4125 haspeerlist = NULL;
4117 4126
4118 4127 /*
4119 4128 * Do my dirty work. This includes aging real entries, aging
4120 4129 * larvals, and aging outstanding ACQUIREs.
4121 4130 *
4122 4131 * I hope I don't tie up resources for too long.
4123 4132 */
4124 4133
4125 4134 /* Age acquires. */
4126 4135
4127 4136 for (i = 0; i < sp->sdb_hashsize; i++) {
4128 4137 acqlist = &sp->sdb_acq[i];
4129 4138 mutex_enter(&acqlist->iacqf_lock);
4130 4139 for (acqrec = acqlist->iacqf_ipsacq; acqrec != NULL;
4131 4140 acqrec = spareacq) {
4132 4141 spareacq = acqrec->ipsacq_next;
4133 4142 if (current > acqrec->ipsacq_expire)
4134 4143 sadb_destroy_acquire(acqrec, ns);
4135 4144 }
4136 4145 mutex_exit(&acqlist->iacqf_lock);
4137 4146 }
4138 4147
4139 4148 /* Age inbound associations. */
4140 4149 for (i = 0; i < sp->sdb_hashsize; i++) {
4141 4150 bucket = &(sp->sdb_if[i]);
4142 4151 mutex_enter(&bucket->isaf_lock);
4143 4152 for (assoc = bucket->isaf_ipsa; assoc != NULL;
4144 4153 assoc = spare) {
4145 4154 spare = assoc->ipsa_next;
4146 4155 if (sadb_age_assoc(bucket, pfkey_q, assoc, current,
4147 4156 reap_delay, B_TRUE) != NULL) {
4148 4157 /*
4149 4158 * Put SA's which have a peer or SA's which
4150 4159 * are paired on a list for processing after
4151 4160 * all the hash tables have been walked.
4152 4161 *
4153 4162 * sadb_age_assoc() increments the refcnt,
4154 4163 * effectively doing an IPSA_REFHOLD().
4155 4164 */
4156 4165 newbie = kmem_alloc(sizeof (*newbie),
4157 4166 KM_NOSLEEP);
4158 4167 if (newbie == NULL) {
4159 4168 /*
4160 4169 * Don't forget to REFRELE().
4161 4170 */
4162 4171 IPSA_REFRELE(assoc);
4163 4172 continue; /* for loop... */
4164 4173 }
4165 4174 newbie->next = haspeerlist;
4166 4175 newbie->ipsa = assoc;
4167 4176 haspeerlist = newbie;
4168 4177 }
4169 4178 }
4170 4179 mutex_exit(&bucket->isaf_lock);
4171 4180 }
4172 4181
4173 4182 age_pair_peer_list(haspeerlist, sp, B_FALSE);
4174 4183 haspeerlist = NULL;
4175 4184
4176 4185 /* Age outbound associations. */
4177 4186 for (i = 0; i < sp->sdb_hashsize; i++) {
4178 4187 bucket = &(sp->sdb_of[i]);
4179 4188 mutex_enter(&bucket->isaf_lock);
4180 4189 for (assoc = bucket->isaf_ipsa; assoc != NULL;
4181 4190 assoc = spare) {
4182 4191 spare = assoc->ipsa_next;
4183 4192 if (sadb_age_assoc(bucket, pfkey_q, assoc, current,
4184 4193 reap_delay, B_FALSE) != NULL) {
4185 4194 /*
4186 4195 * sadb_age_assoc() increments the refcnt,
4187 4196 * effectively doing an IPSA_REFHOLD().
4188 4197 */
4189 4198 newbie = kmem_alloc(sizeof (*newbie),
4190 4199 KM_NOSLEEP);
4191 4200 if (newbie == NULL) {
4192 4201 /*
4193 4202 * Don't forget to REFRELE().
4194 4203 */
4195 4204 IPSA_REFRELE(assoc);
4196 4205 continue; /* for loop... */
4197 4206 }
4198 4207 newbie->next = haspeerlist;
4199 4208 newbie->ipsa = assoc;
4200 4209 haspeerlist = newbie;
4201 4210 }
4202 4211 }
4203 4212 mutex_exit(&bucket->isaf_lock);
4204 4213 }
4205 4214
4206 4215 age_pair_peer_list(haspeerlist, sp, B_TRUE);
4207 4216
4208 4217 /*
4209 4218 * Run a GC pass to clean out dead identities.
4210 4219 */
4211 4220 ipsid_gc(ns);
4212 4221 }
4213 4222
4214 4223 /*
4215 4224 * Figure out when to reschedule the ager.
4216 4225 */
4217 4226 timeout_id_t
4218 4227 sadb_retimeout(hrtime_t begin, queue_t *pfkey_q, void (*ager)(void *),
4219 4228 void *agerarg, uint_t *intp, uint_t intmax, short mid)
4220 4229 {
4221 4230 hrtime_t end = gethrtime();
4222 4231 uint_t interval = *intp; /* "interval" is in ms. */
4223 4232
4224 4233 /*
4225 4234 * See how long this took. If it took too long, increase the
4226 4235 * aging interval.
4227 4236 */
4228 4237 if ((end - begin) > MSEC2NSEC(interval)) {
4229 4238 if (interval >= intmax) {
4230 4239 /* XXX Rate limit this? Or recommend flush? */
4231 4240 (void) strlog(mid, 0, 0, SL_ERROR | SL_WARN,
4232 4241 "Too many SA's to age out in %d msec.\n",
4233 4242 intmax);
4234 4243 } else {
4235 4244 /* Double by shifting by one bit. */
4236 4245 interval <<= 1;
4237 4246 interval = min(interval, intmax);
4238 4247 }
4239 4248 } else if ((end - begin) <= (MSEC2NSEC(interval) / 2) &&
4240 4249 interval > SADB_AGE_INTERVAL_DEFAULT) {
4241 4250 /*
4242 4251 * If I took less than half of the interval, then I should
4243 4252 * ratchet the interval back down. Never automatically
4244 4253 * shift below the default aging interval.
4245 4254 *
4246 4255 * NOTE:This even overrides manual setting of the age
4247 4256 * interval using NDD to lower the setting past the
4248 4257 * default. In other words, if you set the interval
4249 4258 * lower than the default, and your SADB gets too big,
4250 4259 * the interval will only self-lower back to the default.
4251 4260 */
4252 4261 /* Halve by shifting one bit. */
4253 4262 interval >>= 1;
4254 4263 interval = max(interval, SADB_AGE_INTERVAL_DEFAULT);
4255 4264 }
4256 4265 *intp = interval;
4257 4266 return (qtimeout(pfkey_q, ager, agerarg,
4258 4267 drv_usectohz(interval * (MICROSEC / MILLISEC))));
4259 4268 }
4260 4269
4261 4270
4262 4271 /*
4263 4272 * Update the lifetime values of an SA. This is the path an SADB_UPDATE
4264 4273 * message takes when updating a MATURE or DYING SA.
4265 4274 */
4266 4275 static void
4267 4276 sadb_update_lifetimes(ipsa_t *assoc, sadb_lifetime_t *hard,
4268 4277 sadb_lifetime_t *soft, sadb_lifetime_t *idle, boolean_t outbound)
4269 4278 {
4270 4279 mutex_enter(&assoc->ipsa_lock);
4271 4280
4272 4281 /*
4273 4282 * XXX RFC 2367 mentions how an SADB_EXT_LIFETIME_CURRENT can be
4274 4283 * passed in during an update message. We currently don't handle
4275 4284 * these.
4276 4285 */
4277 4286
4278 4287 if (hard != NULL) {
4279 4288 if (hard->sadb_lifetime_bytes != 0)
4280 4289 assoc->ipsa_hardbyteslt = hard->sadb_lifetime_bytes;
4281 4290 if (hard->sadb_lifetime_usetime != 0)
4282 4291 assoc->ipsa_harduselt = hard->sadb_lifetime_usetime;
4283 4292 if (hard->sadb_lifetime_addtime != 0)
4284 4293 assoc->ipsa_hardaddlt = hard->sadb_lifetime_addtime;
4285 4294 if (assoc->ipsa_hardaddlt != 0) {
4286 4295 assoc->ipsa_hardexpiretime =
4287 4296 assoc->ipsa_addtime + assoc->ipsa_hardaddlt;
4288 4297 }
4289 4298 if (assoc->ipsa_harduselt != 0 &&
4290 4299 assoc->ipsa_flags & IPSA_F_USED) {
4291 4300 UPDATE_EXPIRE(assoc, harduselt, hardexpiretime);
4292 4301 }
4293 4302 if (hard->sadb_lifetime_allocations != 0)
4294 4303 assoc->ipsa_hardalloc = hard->sadb_lifetime_allocations;
4295 4304 }
4296 4305
4297 4306 if (soft != NULL) {
4298 4307 if (soft->sadb_lifetime_bytes != 0) {
4299 4308 if (soft->sadb_lifetime_bytes >
4300 4309 assoc->ipsa_hardbyteslt) {
4301 4310 assoc->ipsa_softbyteslt =
4302 4311 assoc->ipsa_hardbyteslt;
4303 4312 } else {
4304 4313 assoc->ipsa_softbyteslt =
4305 4314 soft->sadb_lifetime_bytes;
4306 4315 }
4307 4316 }
4308 4317 if (soft->sadb_lifetime_usetime != 0) {
4309 4318 if (soft->sadb_lifetime_usetime >
4310 4319 assoc->ipsa_harduselt) {
4311 4320 assoc->ipsa_softuselt =
4312 4321 assoc->ipsa_harduselt;
4313 4322 } else {
4314 4323 assoc->ipsa_softuselt =
4315 4324 soft->sadb_lifetime_usetime;
4316 4325 }
4317 4326 }
4318 4327 if (soft->sadb_lifetime_addtime != 0) {
4319 4328 if (soft->sadb_lifetime_addtime >
4320 4329 assoc->ipsa_hardexpiretime) {
4321 4330 assoc->ipsa_softexpiretime =
4322 4331 assoc->ipsa_hardexpiretime;
4323 4332 } else {
4324 4333 assoc->ipsa_softaddlt =
4325 4334 soft->sadb_lifetime_addtime;
4326 4335 }
4327 4336 }
4328 4337 if (assoc->ipsa_softaddlt != 0) {
4329 4338 assoc->ipsa_softexpiretime =
4330 4339 assoc->ipsa_addtime + assoc->ipsa_softaddlt;
4331 4340 }
4332 4341 if (assoc->ipsa_softuselt != 0 &&
4333 4342 assoc->ipsa_flags & IPSA_F_USED) {
4334 4343 UPDATE_EXPIRE(assoc, softuselt, softexpiretime);
4335 4344 }
4336 4345 if (outbound && assoc->ipsa_softexpiretime != 0) {
4337 4346 if (assoc->ipsa_state == IPSA_STATE_MATURE)
4338 4347 lifetime_fuzz(assoc);
4339 4348 }
4340 4349
4341 4350 if (soft->sadb_lifetime_allocations != 0)
4342 4351 assoc->ipsa_softalloc = soft->sadb_lifetime_allocations;
4343 4352 }
4344 4353
4345 4354 if (idle != NULL) {
4346 4355 time_t current = gethrestime_sec();
4347 4356 if ((assoc->ipsa_idleexpiretime <= current) &&
4348 4357 (assoc->ipsa_idleaddlt == idle->sadb_lifetime_addtime)) {
4349 4358 assoc->ipsa_idleexpiretime =
4350 4359 current + assoc->ipsa_idleaddlt;
4351 4360 }
4352 4361 if (idle->sadb_lifetime_addtime != 0)
4353 4362 assoc->ipsa_idleaddlt = idle->sadb_lifetime_addtime;
4354 4363 if (idle->sadb_lifetime_usetime != 0)
4355 4364 assoc->ipsa_idleuselt = idle->sadb_lifetime_usetime;
4356 4365 if (assoc->ipsa_idleaddlt != 0) {
4357 4366 assoc->ipsa_idleexpiretime =
4358 4367 current + idle->sadb_lifetime_addtime;
4359 4368 assoc->ipsa_idletime = idle->sadb_lifetime_addtime;
4360 4369 }
4361 4370 if (assoc->ipsa_idleuselt != 0) {
4362 4371 if (assoc->ipsa_idletime != 0) {
4363 4372 assoc->ipsa_idletime = min(assoc->ipsa_idletime,
4364 4373 assoc->ipsa_idleuselt);
4365 4374 assoc->ipsa_idleexpiretime =
4366 4375 current + assoc->ipsa_idletime;
4367 4376 } else {
4368 4377 assoc->ipsa_idleexpiretime =
4369 4378 current + assoc->ipsa_idleuselt;
4370 4379 assoc->ipsa_idletime = assoc->ipsa_idleuselt;
4371 4380 }
4372 4381 }
4373 4382 }
4374 4383 mutex_exit(&assoc->ipsa_lock);
4375 4384 }
4376 4385
4377 4386 static int
4378 4387 sadb_update_state(ipsa_t *assoc, uint_t new_state, mblk_t **ipkt_lst)
4379 4388 {
4380 4389 int rcode = 0;
4381 4390 time_t current = gethrestime_sec();
4382 4391
4383 4392 mutex_enter(&assoc->ipsa_lock);
4384 4393
4385 4394 switch (new_state) {
4386 4395 case SADB_X_SASTATE_ACTIVE_ELSEWHERE:
4387 4396 if (assoc->ipsa_state == SADB_X_SASTATE_IDLE) {
4388 4397 assoc->ipsa_state = IPSA_STATE_ACTIVE_ELSEWHERE;
4389 4398 assoc->ipsa_idleexpiretime =
4390 4399 current + assoc->ipsa_idletime;
4391 4400 }
4392 4401 break;
4393 4402 case SADB_X_SASTATE_IDLE:
4394 4403 if (assoc->ipsa_state == SADB_X_SASTATE_ACTIVE_ELSEWHERE) {
4395 4404 assoc->ipsa_state = IPSA_STATE_IDLE;
4396 4405 assoc->ipsa_idleexpiretime =
4397 4406 current + assoc->ipsa_idletime;
4398 4407 } else {
4399 4408 rcode = EINVAL;
4400 4409 }
4401 4410 break;
4402 4411
4403 4412 case SADB_X_SASTATE_ACTIVE:
4404 4413 if (assoc->ipsa_state != SADB_X_SASTATE_IDLE) {
4405 4414 rcode = EINVAL;
4406 4415 break;
4407 4416 }
4408 4417 assoc->ipsa_state = IPSA_STATE_MATURE;
4409 4418 assoc->ipsa_idleexpiretime = current + assoc->ipsa_idletime;
4410 4419
4411 4420 if (ipkt_lst == NULL) {
4412 4421 break;
4413 4422 }
4414 4423
4415 4424 if (assoc->ipsa_bpkt_head != NULL) {
4416 4425 *ipkt_lst = assoc->ipsa_bpkt_head;
4417 4426 assoc->ipsa_bpkt_head = assoc->ipsa_bpkt_tail = NULL;
4418 4427 assoc->ipsa_mblkcnt = 0;
4419 4428 } else {
4420 4429 *ipkt_lst = NULL;
4421 4430 }
4422 4431 break;
4423 4432 default:
4424 4433 rcode = EINVAL;
4425 4434 break;
4426 4435 }
4427 4436
4428 4437 mutex_exit(&assoc->ipsa_lock);
|
↓ open down ↓ |
1282 lines elided |
↑ open up ↑ |
4429 4438 return (rcode);
4430 4439 }
4431 4440
4432 4441 /*
4433 4442 * Check a proposed KMC update for sanity.
4434 4443 */
4435 4444 static int
4436 4445 sadb_check_kmc(ipsa_query_t *sq, ipsa_t *sa, int *diagnostic)
4437 4446 {
4438 4447 uint32_t kmp = sq->kmp;
4439 - uint32_t kmc = sq->kmc;
4448 + uint64_t kmc = sq->kmc;
4440 4449
4441 4450 if (sa == NULL)
4442 4451 return (0);
4443 4452
4444 4453 if (sa->ipsa_state == IPSA_STATE_DEAD)
4445 4454 return (ESRCH); /* DEAD == Not there, in this case. */
4446 4455
4447 - if ((kmp != 0) && ((sa->ipsa_kmp != 0) || (sa->ipsa_kmp != kmp))) {
4456 + if ((kmp != 0) && (sa->ipsa_kmp != 0) && (sa->ipsa_kmp != kmp)) {
4448 4457 *diagnostic = SADB_X_DIAGNOSTIC_DUPLICATE_KMP;
4449 4458 return (EINVAL);
4450 4459 }
4451 4460
4452 - if ((kmc != 0) && ((sa->ipsa_kmc != 0) || (sa->ipsa_kmc != kmc))) {
4461 + if ((kmc != 0) && (sa->ipsa_kmc != 0) && (sa->ipsa_kmc != kmc)) {
4453 4462 *diagnostic = SADB_X_DIAGNOSTIC_DUPLICATE_KMC;
4454 4463 return (EINVAL);
4455 4464 }
4456 4465
4457 4466 return (0);
4458 4467 }
4459 4468
4460 4469 /*
4461 4470 * Actually update the KMC info.
4462 4471 */
4463 4472 static void
4464 4473 sadb_update_kmc(ipsa_query_t *sq, ipsa_t *sa)
4465 4474 {
4466 4475 uint32_t kmp = sq->kmp;
4467 - uint32_t kmc = sq->kmc;
4476 + uint64_t kmc = sq->kmc;
4468 4477
4469 4478 if (kmp != 0)
4470 4479 sa->ipsa_kmp = kmp;
4471 4480 if (kmc != 0)
4472 4481 sa->ipsa_kmc = kmc;
4473 4482 }
4474 4483
4475 4484 /*
4476 4485 * Common code to update an SA.
4477 4486 */
4478 4487
4479 4488 int
4480 4489 sadb_update_sa(mblk_t *mp, keysock_in_t *ksi, mblk_t **ipkt_lst,
4481 4490 sadbp_t *spp, int *diagnostic, queue_t *pfkey_q,
4482 4491 int (*add_sa_func)(mblk_t *, keysock_in_t *, int *, netstack_t *),
4483 4492 netstack_t *ns, uint8_t sadb_msg_type)
4484 4493 {
4485 4494 sadb_key_t *akey = (sadb_key_t *)ksi->ks_in_extv[SADB_EXT_KEY_AUTH];
4486 4495 sadb_key_t *ekey = (sadb_key_t *)ksi->ks_in_extv[SADB_EXT_KEY_ENCRYPT];
4487 4496 sadb_x_replay_ctr_t *replext =
4488 4497 (sadb_x_replay_ctr_t *)ksi->ks_in_extv[SADB_X_EXT_REPLAY_VALUE];
4489 4498 sadb_lifetime_t *soft =
4490 4499 (sadb_lifetime_t *)ksi->ks_in_extv[SADB_EXT_LIFETIME_SOFT];
4491 4500 sadb_lifetime_t *hard =
4492 4501 (sadb_lifetime_t *)ksi->ks_in_extv[SADB_EXT_LIFETIME_HARD];
4493 4502 sadb_lifetime_t *idle =
|
↓ open down ↓ |
16 lines elided |
↑ open up ↑ |
4494 4503 (sadb_lifetime_t *)ksi->ks_in_extv[SADB_X_EXT_LIFETIME_IDLE];
4495 4504 sadb_x_pair_t *pair_ext =
4496 4505 (sadb_x_pair_t *)ksi->ks_in_extv[SADB_X_EXT_PAIR];
4497 4506 ipsa_t *echo_target = NULL;
4498 4507 ipsap_t ipsapp;
4499 4508 ipsa_query_t sq;
4500 4509 time_t current = gethrestime_sec();
4501 4510
4502 4511 sq.spp = spp; /* XXX param */
4503 4512 int error = sadb_form_query(ksi, IPSA_Q_SRC|IPSA_Q_DST|IPSA_Q_SA,
4504 - IPSA_Q_SRC|IPSA_Q_DST|IPSA_Q_SA|IPSA_Q_INBOUND|IPSA_Q_OUTBOUND,
4513 + IPSA_Q_SRC|IPSA_Q_DST|IPSA_Q_SA|IPSA_Q_INBOUND|IPSA_Q_OUTBOUND|
4514 + IPSA_Q_KMC,
4505 4515 &sq, diagnostic);
4506 4516
4507 4517 if (error != 0)
4508 4518 return (error);
4509 4519
4510 4520 error = get_ipsa_pair(&sq, &ipsapp, diagnostic);
4511 4521 if (error != 0)
4512 4522 return (error);
4513 4523
4514 4524 if (ipsapp.ipsap_psa_ptr == NULL && ipsapp.ipsap_sa_ptr != NULL) {
4515 4525 if (ipsapp.ipsap_sa_ptr->ipsa_state == IPSA_STATE_LARVAL) {
4516 4526 /*
4517 4527 * REFRELE the target and let the add_sa_func()
4518 4528 * deal with updating a larval SA.
4519 4529 */
4520 4530 destroy_ipsa_pair(&ipsapp);
4521 4531 return (add_sa_func(mp, ksi, diagnostic, ns));
4522 4532 }
4523 4533 }
4524 4534
4525 4535 /*
4526 4536 * At this point we have an UPDATE to a MATURE SA. There should
4527 4537 * not be any keying material present.
4528 4538 */
4529 4539 if (akey != NULL) {
4530 4540 *diagnostic = SADB_X_DIAGNOSTIC_AKEY_PRESENT;
4531 4541 error = EINVAL;
4532 4542 goto bail;
4533 4543 }
4534 4544 if (ekey != NULL) {
4535 4545 *diagnostic = SADB_X_DIAGNOSTIC_EKEY_PRESENT;
4536 4546 error = EINVAL;
4537 4547 goto bail;
4538 4548 }
4539 4549
4540 4550 if (sq.assoc->sadb_sa_state == SADB_X_SASTATE_ACTIVE_ELSEWHERE) {
4541 4551 if (ipsapp.ipsap_sa_ptr != NULL &&
4542 4552 ipsapp.ipsap_sa_ptr->ipsa_state == IPSA_STATE_IDLE) {
4543 4553 if ((error = sadb_update_state(ipsapp.ipsap_sa_ptr,
4544 4554 sq.assoc->sadb_sa_state, NULL)) != 0) {
4545 4555 *diagnostic = SADB_X_DIAGNOSTIC_BAD_SASTATE;
4546 4556 goto bail;
4547 4557 }
4548 4558 }
4549 4559 if (ipsapp.ipsap_psa_ptr != NULL &&
4550 4560 ipsapp.ipsap_psa_ptr->ipsa_state == IPSA_STATE_IDLE) {
4551 4561 if ((error = sadb_update_state(ipsapp.ipsap_psa_ptr,
4552 4562 sq.assoc->sadb_sa_state, NULL)) != 0) {
4553 4563 *diagnostic = SADB_X_DIAGNOSTIC_BAD_SASTATE;
4554 4564 goto bail;
4555 4565 }
4556 4566 }
4557 4567 }
4558 4568 if (sq.assoc->sadb_sa_state == SADB_X_SASTATE_ACTIVE) {
4559 4569 if (ipsapp.ipsap_sa_ptr != NULL) {
4560 4570 error = sadb_update_state(ipsapp.ipsap_sa_ptr,
4561 4571 sq.assoc->sadb_sa_state,
4562 4572 (ipsapp.ipsap_sa_ptr->ipsa_flags &
4563 4573 IPSA_F_INBOUND) ? ipkt_lst : NULL);
4564 4574 if (error) {
4565 4575 *diagnostic = SADB_X_DIAGNOSTIC_BAD_SASTATE;
4566 4576 goto bail;
4567 4577 }
4568 4578 }
4569 4579 if (ipsapp.ipsap_psa_ptr != NULL) {
4570 4580 error = sadb_update_state(ipsapp.ipsap_psa_ptr,
4571 4581 sq.assoc->sadb_sa_state,
4572 4582 (ipsapp.ipsap_psa_ptr->ipsa_flags &
4573 4583 IPSA_F_INBOUND) ? ipkt_lst : NULL);
4574 4584 if (error) {
4575 4585 *diagnostic = SADB_X_DIAGNOSTIC_BAD_SASTATE;
4576 4586 goto bail;
4577 4587 }
4578 4588 }
4579 4589 sadb_pfkey_echo(pfkey_q, mp, (sadb_msg_t *)mp->b_cont->b_rptr,
4580 4590 ksi, echo_target);
4581 4591 goto bail;
4582 4592 }
4583 4593
4584 4594 /*
4585 4595 * Reality checks for updates of active associations.
4586 4596 * Sundry first-pass UPDATE-specific reality checks.
4587 4597 * Have to do the checks here, because it's after the add_sa code.
4588 4598 * XXX STATS : logging/stats here?
4589 4599 */
4590 4600
4591 4601 if (!((sq.assoc->sadb_sa_state == SADB_SASTATE_MATURE) ||
4592 4602 (sq.assoc->sadb_sa_state == SADB_X_SASTATE_ACTIVE_ELSEWHERE))) {
4593 4603 *diagnostic = SADB_X_DIAGNOSTIC_BAD_SASTATE;
4594 4604 error = EINVAL;
4595 4605 goto bail;
4596 4606 }
4597 4607 if (sq.assoc->sadb_sa_flags & ~spp->s_updateflags) {
4598 4608 *diagnostic = SADB_X_DIAGNOSTIC_BAD_SAFLAGS;
4599 4609 error = EINVAL;
4600 4610 goto bail;
4601 4611 }
4602 4612 if (ksi->ks_in_extv[SADB_EXT_LIFETIME_CURRENT] != NULL) {
4603 4613 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_LIFETIME;
4604 4614 error = EOPNOTSUPP;
4605 4615 goto bail;
4606 4616 }
4607 4617
4608 4618 if ((*diagnostic = sadb_hardsoftchk(hard, soft, idle)) != 0) {
4609 4619 error = EINVAL;
4610 4620 goto bail;
4611 4621 }
4612 4622
4613 4623 if ((*diagnostic = sadb_labelchk(ksi)) != 0)
4614 4624 return (EINVAL);
4615 4625
4616 4626 error = sadb_check_kmc(&sq, ipsapp.ipsap_sa_ptr, diagnostic);
4617 4627 if (error != 0)
4618 4628 goto bail;
4619 4629
4620 4630 error = sadb_check_kmc(&sq, ipsapp.ipsap_psa_ptr, diagnostic);
4621 4631 if (error != 0)
4622 4632 goto bail;
4623 4633
4624 4634
4625 4635 if (ipsapp.ipsap_sa_ptr != NULL) {
4626 4636 /*
4627 4637 * Do not allow replay value change for MATURE or LARVAL SA.
4628 4638 */
4629 4639
4630 4640 if ((replext != NULL) &&
4631 4641 ((ipsapp.ipsap_sa_ptr->ipsa_state == IPSA_STATE_LARVAL) ||
4632 4642 (ipsapp.ipsap_sa_ptr->ipsa_state == IPSA_STATE_MATURE))) {
4633 4643 *diagnostic = SADB_X_DIAGNOSTIC_BAD_SASTATE;
4634 4644 error = EINVAL;
4635 4645 goto bail;
4636 4646 }
4637 4647 }
4638 4648
4639 4649
4640 4650 if (ipsapp.ipsap_sa_ptr != NULL) {
4641 4651 sadb_update_lifetimes(ipsapp.ipsap_sa_ptr, hard, soft,
4642 4652 idle, B_TRUE);
4643 4653 sadb_update_kmc(&sq, ipsapp.ipsap_sa_ptr);
4644 4654 if ((replext != NULL) &&
4645 4655 (ipsapp.ipsap_sa_ptr->ipsa_replay_wsize != 0)) {
4646 4656 /*
4647 4657 * If an inbound SA, update the replay counter
4648 4658 * and check off all the other sequence number
4649 4659 */
4650 4660 if (ksi->ks_in_dsttype == KS_IN_ADDR_ME) {
4651 4661 if (!sadb_replay_check(ipsapp.ipsap_sa_ptr,
4652 4662 replext->sadb_x_rc_replay32)) {
4653 4663 *diagnostic =
4654 4664 SADB_X_DIAGNOSTIC_INVALID_REPLAY;
4655 4665 error = EINVAL;
4656 4666 goto bail;
4657 4667 }
4658 4668 mutex_enter(&ipsapp.ipsap_sa_ptr->ipsa_lock);
4659 4669 ipsapp.ipsap_sa_ptr->ipsa_idleexpiretime =
4660 4670 current +
4661 4671 ipsapp.ipsap_sa_ptr->ipsa_idletime;
4662 4672 mutex_exit(&ipsapp.ipsap_sa_ptr->ipsa_lock);
4663 4673 } else {
4664 4674 mutex_enter(&ipsapp.ipsap_sa_ptr->ipsa_lock);
4665 4675 ipsapp.ipsap_sa_ptr->ipsa_replay =
4666 4676 replext->sadb_x_rc_replay32;
4667 4677 ipsapp.ipsap_sa_ptr->ipsa_idleexpiretime =
4668 4678 current +
4669 4679 ipsapp.ipsap_sa_ptr->ipsa_idletime;
4670 4680 mutex_exit(&ipsapp.ipsap_sa_ptr->ipsa_lock);
4671 4681 }
4672 4682 }
4673 4683 }
4674 4684
4675 4685 if (sadb_msg_type == SADB_X_UPDATEPAIR) {
4676 4686 if (ipsapp.ipsap_psa_ptr != NULL) {
4677 4687 sadb_update_lifetimes(ipsapp.ipsap_psa_ptr, hard, soft,
4678 4688 idle, B_FALSE);
4679 4689 sadb_update_kmc(&sq, ipsapp.ipsap_psa_ptr);
4680 4690 } else {
4681 4691 *diagnostic = SADB_X_DIAGNOSTIC_PAIR_SA_NOTFOUND;
4682 4692 error = ESRCH;
4683 4693 goto bail;
4684 4694 }
4685 4695 }
4686 4696
4687 4697 if (pair_ext != NULL)
4688 4698 error = update_pairing(&ipsapp, &sq, ksi, diagnostic);
4689 4699
4690 4700 if (error == 0)
4691 4701 sadb_pfkey_echo(pfkey_q, mp, (sadb_msg_t *)mp->b_cont->b_rptr,
4692 4702 ksi, echo_target);
4693 4703 bail:
4694 4704
4695 4705 destroy_ipsa_pair(&ipsapp);
4696 4706
4697 4707 return (error);
4698 4708 }
4699 4709
4700 4710
4701 4711 static int
4702 4712 update_pairing(ipsap_t *ipsapp, ipsa_query_t *sq, keysock_in_t *ksi,
4703 4713 int *diagnostic)
4704 4714 {
4705 4715 sadb_sa_t *assoc = (sadb_sa_t *)ksi->ks_in_extv[SADB_EXT_SA];
4706 4716 sadb_x_pair_t *pair_ext =
4707 4717 (sadb_x_pair_t *)ksi->ks_in_extv[SADB_X_EXT_PAIR];
4708 4718 int error = 0;
4709 4719 ipsap_t oipsapp;
4710 4720 boolean_t undo_pair = B_FALSE;
4711 4721 uint32_t ipsa_flags;
4712 4722
4713 4723 if (pair_ext->sadb_x_pair_spi == 0 || pair_ext->sadb_x_pair_spi ==
4714 4724 assoc->sadb_sa_spi) {
4715 4725 *diagnostic = SADB_X_DIAGNOSTIC_PAIR_INAPPROPRIATE;
4716 4726 return (EINVAL);
4717 4727 }
4718 4728
4719 4729 /*
4720 4730 * Assume for now that the spi value provided in the SADB_UPDATE
4721 4731 * message was valid, update the SA with its pair spi value.
4722 4732 * If the spi turns out to be bogus or the SA no longer exists
4723 4733 * then this will be detected when the reverse update is made
4724 4734 * below.
4725 4735 */
4726 4736 mutex_enter(&ipsapp->ipsap_sa_ptr->ipsa_lock);
4727 4737 ipsapp->ipsap_sa_ptr->ipsa_flags |= IPSA_F_PAIRED;
4728 4738 ipsapp->ipsap_sa_ptr->ipsa_otherspi = pair_ext->sadb_x_pair_spi;
4729 4739 mutex_exit(&ipsapp->ipsap_sa_ptr->ipsa_lock);
4730 4740
4731 4741 /*
4732 4742 * After updating the ipsa_otherspi element of the SA, get_ipsa_pair()
4733 4743 * should now return pointers to the SA *AND* its pair, if this is not
4734 4744 * the case, the "otherspi" either did not exist or was deleted. Also
4735 4745 * check that "otherspi" is not already paired. If everything looks
4736 4746 * good, complete the update. IPSA_REFRELE the first pair_pointer
4737 4747 * after this update to ensure its not deleted until we are done.
4738 4748 */
4739 4749 error = get_ipsa_pair(sq, &oipsapp, diagnostic);
4740 4750 if (error != 0) {
4741 4751 /*
4742 4752 * This should never happen, calling function still has
4743 4753 * IPSA_REFHELD on the SA we just updated.
4744 4754 */
4745 4755 return (error); /* XXX EINVAL instead of ESRCH? */
4746 4756 }
4747 4757
4748 4758 if (oipsapp.ipsap_psa_ptr == NULL) {
4749 4759 *diagnostic = SADB_X_DIAGNOSTIC_PAIR_INAPPROPRIATE;
4750 4760 error = EINVAL;
4751 4761 undo_pair = B_TRUE;
4752 4762 } else {
4753 4763 ipsa_flags = oipsapp.ipsap_psa_ptr->ipsa_flags;
4754 4764 if ((oipsapp.ipsap_psa_ptr->ipsa_state == IPSA_STATE_DEAD) ||
4755 4765 (oipsapp.ipsap_psa_ptr->ipsa_state == IPSA_STATE_DYING)) {
4756 4766 /* Its dead Jim! */
4757 4767 *diagnostic = SADB_X_DIAGNOSTIC_PAIR_INAPPROPRIATE;
4758 4768 undo_pair = B_TRUE;
4759 4769 } else if ((ipsa_flags & (IPSA_F_OUTBOUND | IPSA_F_INBOUND)) ==
4760 4770 (IPSA_F_OUTBOUND | IPSA_F_INBOUND)) {
4761 4771 /* This SA is in both hashtables. */
4762 4772 *diagnostic = SADB_X_DIAGNOSTIC_PAIR_INAPPROPRIATE;
4763 4773 undo_pair = B_TRUE;
4764 4774 } else if (ipsa_flags & IPSA_F_PAIRED) {
4765 4775 /* This SA is already paired with another. */
4766 4776 *diagnostic = SADB_X_DIAGNOSTIC_PAIR_ALREADY;
4767 4777 undo_pair = B_TRUE;
4768 4778 }
4769 4779 }
4770 4780
4771 4781 if (undo_pair) {
4772 4782 /* The pair SA does not exist. */
4773 4783 mutex_enter(&ipsapp->ipsap_sa_ptr->ipsa_lock);
4774 4784 ipsapp->ipsap_sa_ptr->ipsa_flags &= ~IPSA_F_PAIRED;
4775 4785 ipsapp->ipsap_sa_ptr->ipsa_otherspi = 0;
4776 4786 mutex_exit(&ipsapp->ipsap_sa_ptr->ipsa_lock);
4777 4787 } else {
4778 4788 mutex_enter(&oipsapp.ipsap_psa_ptr->ipsa_lock);
4779 4789 oipsapp.ipsap_psa_ptr->ipsa_otherspi = assoc->sadb_sa_spi;
4780 4790 oipsapp.ipsap_psa_ptr->ipsa_flags |= IPSA_F_PAIRED;
4781 4791 mutex_exit(&oipsapp.ipsap_psa_ptr->ipsa_lock);
4782 4792 }
4783 4793
4784 4794 destroy_ipsa_pair(&oipsapp);
4785 4795 return (error);
4786 4796 }
4787 4797
4788 4798 /*
4789 4799 * The following functions deal with ACQUIRE LISTS. An ACQUIRE list is
4790 4800 * a list of outstanding SADB_ACQUIRE messages. If ipsec_getassocbyconn() fails
4791 4801 * for an outbound datagram, that datagram is queued up on an ACQUIRE record,
4792 4802 * and an SADB_ACQUIRE message is sent up. Presumably, a user-space key
4793 4803 * management daemon will process the ACQUIRE, use a SADB_GETSPI to reserve
4794 4804 * an SPI value and a larval SA, then SADB_UPDATE the larval SA, and ADD the
4795 4805 * other direction's SA.
4796 4806 */
4797 4807
4798 4808 /*
4799 4809 * Check the ACQUIRE lists. If there's an existing ACQUIRE record,
4800 4810 * grab it, lock it, and return it. Otherwise return NULL.
4801 4811 *
4802 4812 * XXX MLS number of arguments getting unwieldy here
4803 4813 */
4804 4814 static ipsacq_t *
4805 4815 sadb_checkacquire(iacqf_t *bucket, ipsec_action_t *ap, ipsec_policy_t *pp,
4806 4816 uint32_t *src, uint32_t *dst, uint32_t *isrc, uint32_t *idst,
4807 4817 uint64_t unique_id, ts_label_t *tsl)
4808 4818 {
4809 4819 ipsacq_t *walker;
4810 4820 sa_family_t fam;
4811 4821 uint32_t blank_address[4] = {0, 0, 0, 0};
4812 4822
4813 4823 if (isrc == NULL) {
4814 4824 ASSERT(idst == NULL);
4815 4825 isrc = idst = blank_address;
4816 4826 }
4817 4827
4818 4828 /*
4819 4829 * Scan list for duplicates. Check for UNIQUE, src/dest, policy.
4820 4830 *
4821 4831 * XXX May need search for duplicates based on other things too!
4822 4832 */
4823 4833 for (walker = bucket->iacqf_ipsacq; walker != NULL;
4824 4834 walker = walker->ipsacq_next) {
4825 4835 mutex_enter(&walker->ipsacq_lock);
4826 4836 fam = walker->ipsacq_addrfam;
4827 4837 if (IPSA_ARE_ADDR_EQUAL(dst, walker->ipsacq_dstaddr, fam) &&
4828 4838 IPSA_ARE_ADDR_EQUAL(src, walker->ipsacq_srcaddr, fam) &&
4829 4839 ip_addr_match((uint8_t *)isrc, walker->ipsacq_innersrcpfx,
4830 4840 (in6_addr_t *)walker->ipsacq_innersrc) &&
4831 4841 ip_addr_match((uint8_t *)idst, walker->ipsacq_innerdstpfx,
4832 4842 (in6_addr_t *)walker->ipsacq_innerdst) &&
4833 4843 (ap == walker->ipsacq_act) &&
4834 4844 (pp == walker->ipsacq_policy) &&
4835 4845 /* XXX do deep compares of ap/pp? */
4836 4846 (unique_id == walker->ipsacq_unique_id) &&
4837 4847 (ipsec_label_match(tsl, walker->ipsacq_tsl)))
4838 4848 break; /* everything matched */
4839 4849 mutex_exit(&walker->ipsacq_lock);
4840 4850 }
4841 4851
4842 4852 return (walker);
4843 4853 }
4844 4854
4845 4855 /*
4846 4856 * Generate an SADB_ACQUIRE base message mblk, including KEYSOCK_OUT metadata.
4847 4857 * In other words, this will return, upon success, a two-mblk chain.
4848 4858 */
4849 4859 static inline mblk_t *
4850 4860 sadb_acquire_msg_base(minor_t serial, uint8_t satype, uint32_t seq, pid_t pid)
4851 4861 {
4852 4862 mblk_t *mp;
4853 4863 sadb_msg_t *samsg;
4854 4864
4855 4865 mp = sadb_keysock_out(serial);
4856 4866 if (mp == NULL)
4857 4867 return (NULL);
4858 4868 mp->b_cont = allocb(sizeof (sadb_msg_t), BPRI_HI);
4859 4869 if (mp->b_cont == NULL) {
4860 4870 freeb(mp);
4861 4871 return (NULL);
4862 4872 }
4863 4873
4864 4874 samsg = (sadb_msg_t *)mp->b_cont->b_rptr;
4865 4875 mp->b_cont->b_wptr += sizeof (*samsg);
4866 4876 samsg->sadb_msg_version = PF_KEY_V2;
4867 4877 samsg->sadb_msg_type = SADB_ACQUIRE;
4868 4878 samsg->sadb_msg_errno = 0;
4869 4879 samsg->sadb_msg_reserved = 0;
4870 4880 samsg->sadb_msg_satype = satype;
4871 4881 samsg->sadb_msg_seq = seq;
4872 4882 samsg->sadb_msg_pid = pid;
4873 4883
4874 4884 return (mp);
4875 4885 }
4876 4886
4877 4887 /*
4878 4888 * Generate address and TX/MLS sensitivity label PF_KEY extensions that are
4879 4889 * common to both regular and extended ACQUIREs.
4880 4890 */
4881 4891 static mblk_t *
4882 4892 sadb_acquire_msg_common(ipsec_selector_t *sel, ipsec_policy_t *pp,
4883 4893 ipsec_action_t *ap, boolean_t tunnel_mode, ts_label_t *tsl,
4884 4894 sadb_sens_t *sens)
4885 4895 {
4886 4896 size_t len;
4887 4897 mblk_t *mp;
4888 4898 uint8_t *start, *cur, *end;
4889 4899 uint32_t *saddrptr, *daddrptr;
4890 4900 sa_family_t af;
4891 4901 ipsec_action_t *oldap;
4892 4902 ipsec_selkey_t *ipsl;
4893 4903 uint8_t proto, pfxlen;
4894 4904 uint16_t lport, rport;
4895 4905 int senslen = 0;
4896 4906
4897 4907 /*
4898 4908 * Get action pointer set if it isn't already.
4899 4909 */
4900 4910 oldap = ap;
4901 4911 if (pp != NULL) {
4902 4912 ap = pp->ipsp_act;
4903 4913 if (ap == NULL)
4904 4914 ap = oldap;
4905 4915 }
4906 4916
4907 4917 /*
4908 4918 * Biggest-case scenario:
4909 4919 * 4x (sadb_address_t + struct sockaddr_in6)
4910 4920 * (src, dst, isrc, idst)
4911 4921 * (COMING SOON, 6x, because of triggering-packet contents.)
4912 4922 * sadb_x_kmc_t
4913 4923 * sadb_sens_t
4914 4924 * And wiggle room for label bitvectors. Luckily there are
4915 4925 * programmatic ways to find it.
4916 4926 */
4917 4927 len = 4 * (sizeof (sadb_address_t) + sizeof (struct sockaddr_in6));
4918 4928
4919 4929 /* Figure out full and proper length of sensitivity labels. */
4920 4930 if (sens != NULL) {
4921 4931 ASSERT(tsl == NULL);
4922 4932 senslen = SADB_64TO8(sens->sadb_sens_len);
4923 4933 } else if (tsl != NULL) {
4924 4934 senslen = sadb_sens_len_from_label(tsl);
4925 4935 }
4926 4936 #ifdef DEBUG
4927 4937 else {
4928 4938 ASSERT(senslen == 0);
4929 4939 }
4930 4940 #endif /* DEBUG */
4931 4941 len += senslen;
4932 4942
4933 4943 mp = allocb(len, BPRI_HI);
4934 4944 if (mp == NULL)
4935 4945 return (NULL);
4936 4946
4937 4947 start = mp->b_rptr;
4938 4948 end = start + len;
4939 4949 cur = start;
4940 4950
4941 4951 /*
4942 4952 * Address extensions first, from most-recently-defined to least.
4943 4953 * (This should immediately trigger surprise or verify robustness on
4944 4954 * older apps, like in.iked.)
4945 4955 */
4946 4956 if (tunnel_mode) {
4947 4957 /*
4948 4958 * Form inner address extensions based NOT on the inner
4949 4959 * selectors (i.e. the packet data), but on the policy's
4950 4960 * selector key (i.e. the policy's selector information).
4951 4961 *
4952 4962 * NOTE: The position of IPv4 and IPv6 addresses is the
4953 4963 * same in ipsec_selkey_t (unless the compiler does very
4954 4964 * strange things with unions, consult your local C language
4955 4965 * lawyer for details).
4956 4966 */
4957 4967 ASSERT(pp != NULL);
4958 4968
4959 4969 ipsl = &(pp->ipsp_sel->ipsl_key);
4960 4970 if (ipsl->ipsl_valid & IPSL_IPV4) {
4961 4971 af = AF_INET;
4962 4972 ASSERT(sel->ips_protocol == IPPROTO_ENCAP);
4963 4973 ASSERT(!(ipsl->ipsl_valid & IPSL_IPV6));
4964 4974 } else {
4965 4975 af = AF_INET6;
4966 4976 ASSERT(sel->ips_protocol == IPPROTO_IPV6);
4967 4977 ASSERT(ipsl->ipsl_valid & IPSL_IPV6);
4968 4978 }
4969 4979
4970 4980 if (ipsl->ipsl_valid & IPSL_LOCAL_ADDR) {
4971 4981 saddrptr = (uint32_t *)(&ipsl->ipsl_local);
4972 4982 pfxlen = ipsl->ipsl_local_pfxlen;
4973 4983 } else {
4974 4984 saddrptr = (uint32_t *)(&ipv6_all_zeros);
4975 4985 pfxlen = 0;
4976 4986 }
4977 4987 /* XXX What about ICMP type/code? */
4978 4988 lport = (ipsl->ipsl_valid & IPSL_LOCAL_PORT) ?
4979 4989 ipsl->ipsl_lport : 0;
4980 4990 proto = (ipsl->ipsl_valid & IPSL_PROTOCOL) ?
4981 4991 ipsl->ipsl_proto : 0;
4982 4992
4983 4993 cur = sadb_make_addr_ext(cur, end, SADB_X_EXT_ADDRESS_INNER_SRC,
4984 4994 af, saddrptr, lport, proto, pfxlen);
4985 4995 if (cur == NULL) {
4986 4996 freeb(mp);
4987 4997 return (NULL);
4988 4998 }
4989 4999
4990 5000 if (ipsl->ipsl_valid & IPSL_REMOTE_ADDR) {
4991 5001 daddrptr = (uint32_t *)(&ipsl->ipsl_remote);
4992 5002 pfxlen = ipsl->ipsl_remote_pfxlen;
4993 5003 } else {
4994 5004 daddrptr = (uint32_t *)(&ipv6_all_zeros);
4995 5005 pfxlen = 0;
4996 5006 }
4997 5007 /* XXX What about ICMP type/code? */
4998 5008 rport = (ipsl->ipsl_valid & IPSL_REMOTE_PORT) ?
4999 5009 ipsl->ipsl_rport : 0;
5000 5010
5001 5011 cur = sadb_make_addr_ext(cur, end, SADB_X_EXT_ADDRESS_INNER_DST,
5002 5012 af, daddrptr, rport, proto, pfxlen);
5003 5013 if (cur == NULL) {
5004 5014 freeb(mp);
5005 5015 return (NULL);
5006 5016 }
5007 5017 /*
5008 5018 * TODO - if we go to 3884's dream of transport mode IP-in-IP
5009 5019 * _with_ inner-packet address selectors, we'll need to further
5010 5020 * distinguish tunnel mode here. For now, having inner
5011 5021 * addresses and/or ports is sufficient.
5012 5022 *
5013 5023 * Meanwhile, whack proto/ports to reflect IP-in-IP for the
5014 5024 * outer addresses.
5015 5025 */
5016 5026 proto = sel->ips_protocol; /* Either _ENCAP or _IPV6 */
5017 5027 lport = rport = 0;
5018 5028 } else if ((ap != NULL) && (!ap->ipa_want_unique)) {
5019 5029 /*
5020 5030 * For cases when the policy calls out specific ports (or not).
5021 5031 */
5022 5032 proto = 0;
5023 5033 lport = 0;
5024 5034 rport = 0;
5025 5035 if (pp != NULL) {
5026 5036 ipsl = &(pp->ipsp_sel->ipsl_key);
5027 5037 if (ipsl->ipsl_valid & IPSL_PROTOCOL)
5028 5038 proto = ipsl->ipsl_proto;
5029 5039 if (ipsl->ipsl_valid & IPSL_REMOTE_PORT)
5030 5040 rport = ipsl->ipsl_rport;
5031 5041 if (ipsl->ipsl_valid & IPSL_LOCAL_PORT)
5032 5042 lport = ipsl->ipsl_lport;
5033 5043 }
5034 5044 } else {
5035 5045 /*
5036 5046 * For require-unique-SA policies.
5037 5047 */
5038 5048 proto = sel->ips_protocol;
5039 5049 lport = sel->ips_local_port;
5040 5050 rport = sel->ips_remote_port;
5041 5051 }
5042 5052
5043 5053 /*
5044 5054 * Regular addresses. These are outer-packet ones for tunnel mode.
5045 5055 * Or for transport mode, the regulard address & port information.
5046 5056 */
5047 5057 af = sel->ips_isv4 ? AF_INET : AF_INET6;
5048 5058
5049 5059 /*
5050 5060 * NOTE: The position of IPv4 and IPv6 addresses is the same in
5051 5061 * ipsec_selector_t.
5052 5062 */
5053 5063 cur = sadb_make_addr_ext(cur, end, SADB_EXT_ADDRESS_SRC, af,
5054 5064 (uint32_t *)(&sel->ips_local_addr_v6), lport, proto, 0);
5055 5065 if (cur == NULL) {
5056 5066 freeb(mp);
5057 5067 return (NULL);
5058 5068 }
5059 5069
5060 5070 cur = sadb_make_addr_ext(cur, end, SADB_EXT_ADDRESS_DST, af,
5061 5071 (uint32_t *)(&sel->ips_remote_addr_v6), rport, proto, 0);
5062 5072 if (cur == NULL) {
5063 5073 freeb(mp);
5064 5074 return (NULL);
5065 5075 }
5066 5076
5067 5077 /*
5068 5078 * If present, generate a sensitivity label.
5069 5079 */
5070 5080 if (cur + senslen > end) {
5071 5081 freeb(mp);
5072 5082 return (NULL);
5073 5083 }
5074 5084 if (sens != NULL) {
5075 5085 /* Explicit sadb_sens_t, usually from inverse-ACQUIRE. */
5076 5086 bcopy(sens, cur, senslen);
5077 5087 } else if (tsl != NULL) {
5078 5088 /* Generate sadb_sens_t from ACQUIRE source. */
5079 5089 sadb_sens_from_label((sadb_sens_t *)cur, SADB_EXT_SENSITIVITY,
5080 5090 tsl, senslen);
5081 5091 }
5082 5092 #ifdef DEBUG
5083 5093 else {
5084 5094 ASSERT(senslen == 0);
5085 5095 }
5086 5096 #endif /* DEBUG */
5087 5097 cur += senslen;
5088 5098 mp->b_wptr = cur;
5089 5099
5090 5100 return (mp);
5091 5101 }
5092 5102
5093 5103 /*
5094 5104 * Generate a regular ACQUIRE's proposal extension and KMC information..
5095 5105 */
5096 5106 static mblk_t *
5097 5107 sadb_acquire_prop(ipsec_action_t *ap, netstack_t *ns, boolean_t do_esp)
5098 5108 {
5099 5109 ipsec_stack_t *ipss = ns->netstack_ipsec;
|
↓ open down ↓ |
585 lines elided |
↑ open up ↑ |
5100 5110 ipsecesp_stack_t *espstack = ns->netstack_ipsecesp;
5101 5111 ipsecah_stack_t *ahstack = ns->netstack_ipsecah;
5102 5112 mblk_t *mp = NULL;
5103 5113 sadb_prop_t *prop;
5104 5114 sadb_comb_t *comb;
5105 5115 ipsec_action_t *walker;
5106 5116 int ncombs, allocsize, ealgid, aalgid, aminbits, amaxbits, eminbits,
5107 5117 emaxbits, replay;
5108 5118 uint64_t softbytes, hardbytes, softaddtime, hardaddtime, softusetime,
5109 5119 hardusetime;
5110 - uint32_t kmc = 0, kmp = 0;
5120 + uint64_t kmc = 0;
5121 + uint32_t kmp = 0;
5111 5122
5112 5123 /*
5113 5124 * Since it's an rwlock read, AND writing to the IPsec algorithms is
5114 5125 * rare, just acquire it once up top, and drop it upon return.
5115 5126 */
5116 5127 rw_enter(&ipss->ipsec_alg_lock, RW_READER);
5117 5128 if (do_esp) {
5118 5129 uint64_t num_aalgs, num_ealgs;
5119 5130
5120 5131 if (espstack->esp_kstats == NULL)
5121 5132 goto bail;
5122 5133
5123 5134 num_aalgs = ipss->ipsec_nalgs[IPSEC_ALG_AUTH];
5124 5135 num_ealgs = ipss->ipsec_nalgs[IPSEC_ALG_ENCR];
5125 5136 if (num_ealgs == 0)
5126 5137 goto bail; /* IPsec not loaded yet, apparently. */
5127 5138 num_aalgs++; /* No-auth or self-auth-crypto ESP. */
5128 5139
5129 5140 /* Use netstack's maximum loaded algorithms... */
5130 5141 ncombs = num_ealgs * num_aalgs;
5131 5142 replay = espstack->ipsecesp_replay_size;
5132 5143 } else {
5133 5144 if (ahstack->ah_kstats == NULL)
5134 5145 goto bail;
5135 5146
5136 5147 ncombs = ipss->ipsec_nalgs[IPSEC_ALG_AUTH];
5137 5148
5138 5149 if (ncombs == 0)
5139 5150 goto bail; /* IPsec not loaded yet, apparently. */
5140 5151 replay = ahstack->ipsecah_replay_size;
5141 5152 }
5142 5153
5143 5154 allocsize = sizeof (*prop) + ncombs * sizeof (*comb) +
5144 5155 sizeof (sadb_x_kmc_t);
5145 5156 mp = allocb(allocsize, BPRI_HI);
5146 5157 if (mp == NULL)
5147 5158 goto bail;
5148 5159 prop = (sadb_prop_t *)mp->b_rptr;
5149 5160 mp->b_wptr += sizeof (*prop);
5150 5161 comb = (sadb_comb_t *)mp->b_wptr;
5151 5162 /* Decrement allocsize, if it goes to or below 0, stop. */
5152 5163 allocsize -= sizeof (*prop);
5153 5164 prop->sadb_prop_exttype = SADB_EXT_PROPOSAL;
5154 5165 prop->sadb_prop_len = SADB_8TO64(sizeof (*prop));
5155 5166 *(uint32_t *)(&prop->sadb_prop_replay) = 0; /* Quick zero-out! */
5156 5167 prop->sadb_prop_replay = replay;
5157 5168
5158 5169 /*
5159 5170 * Based upon algorithm properties, and what-not, prioritize a
5160 5171 * proposal, based on the ordering of the ESP algorithms in the
5161 5172 * alternatives in the policy rule or socket that was placed
5162 5173 * in the acquire record.
5163 5174 *
5164 5175 * For each action in policy list
5165 5176 * Add combination.
5166 5177 * I should not hit it, but if I've hit limit, return.
5167 5178 */
5168 5179
5169 5180 for (walker = ap; walker != NULL; walker = walker->ipa_next) {
5170 5181 ipsec_alginfo_t *ealg, *aalg;
5171 5182 ipsec_prot_t *prot;
5172 5183
5173 5184 if (walker->ipa_act.ipa_type != IPSEC_POLICY_APPLY)
5174 5185 continue;
5175 5186
5176 5187 prot = &walker->ipa_act.ipa_apply;
5177 5188 if (walker->ipa_act.ipa_apply.ipp_km_proto != 0)
5178 5189 kmp = walker->ipa_act.ipa_apply.ipp_km_proto;
5179 5190 if (walker->ipa_act.ipa_apply.ipp_km_cookie != 0)
5180 5191 kmc = walker->ipa_act.ipa_apply.ipp_km_cookie;
5181 5192 if (walker->ipa_act.ipa_apply.ipp_replay_depth) {
5182 5193 prop->sadb_prop_replay =
5183 5194 walker->ipa_act.ipa_apply.ipp_replay_depth;
5184 5195 }
5185 5196
5186 5197 if (do_esp) {
5187 5198 if (!prot->ipp_use_esp)
5188 5199 continue;
5189 5200
5190 5201 if (prot->ipp_esp_auth_alg != 0) {
5191 5202 aalg = ipss->ipsec_alglists[IPSEC_ALG_AUTH]
5192 5203 [prot->ipp_esp_auth_alg];
5193 5204 if (aalg == NULL || !ALG_VALID(aalg))
5194 5205 continue;
5195 5206 } else
5196 5207 aalg = NULL;
5197 5208
5198 5209 ASSERT(prot->ipp_encr_alg > 0);
5199 5210 ealg = ipss->ipsec_alglists[IPSEC_ALG_ENCR]
5200 5211 [prot->ipp_encr_alg];
5201 5212 if (ealg == NULL || !ALG_VALID(ealg))
5202 5213 continue;
5203 5214
5204 5215 /*
5205 5216 * These may want to come from policy rule..
5206 5217 */
5207 5218 softbytes = espstack->ipsecesp_default_soft_bytes;
5208 5219 hardbytes = espstack->ipsecesp_default_hard_bytes;
5209 5220 softaddtime = espstack->ipsecesp_default_soft_addtime;
5210 5221 hardaddtime = espstack->ipsecesp_default_hard_addtime;
5211 5222 softusetime = espstack->ipsecesp_default_soft_usetime;
5212 5223 hardusetime = espstack->ipsecesp_default_hard_usetime;
5213 5224 } else {
5214 5225 if (!prot->ipp_use_ah)
5215 5226 continue;
5216 5227 ealg = NULL;
5217 5228 aalg = ipss->ipsec_alglists[IPSEC_ALG_AUTH]
5218 5229 [prot->ipp_auth_alg];
5219 5230 if (aalg == NULL || !ALG_VALID(aalg))
5220 5231 continue;
5221 5232
5222 5233 /*
5223 5234 * These may want to come from policy rule..
5224 5235 */
5225 5236 softbytes = ahstack->ipsecah_default_soft_bytes;
5226 5237 hardbytes = ahstack->ipsecah_default_hard_bytes;
5227 5238 softaddtime = ahstack->ipsecah_default_soft_addtime;
5228 5239 hardaddtime = ahstack->ipsecah_default_hard_addtime;
5229 5240 softusetime = ahstack->ipsecah_default_soft_usetime;
5230 5241 hardusetime = ahstack->ipsecah_default_hard_usetime;
5231 5242 }
5232 5243
5233 5244 if (ealg == NULL) {
5234 5245 ealgid = eminbits = emaxbits = 0;
5235 5246 } else {
5236 5247 ealgid = ealg->alg_id;
5237 5248 eminbits =
5238 5249 MAX(prot->ipp_espe_minbits, ealg->alg_ef_minbits);
5239 5250 emaxbits =
5240 5251 MIN(prot->ipp_espe_maxbits, ealg->alg_ef_maxbits);
5241 5252 }
5242 5253
5243 5254 if (aalg == NULL) {
5244 5255 aalgid = aminbits = amaxbits = 0;
5245 5256 } else {
5246 5257 aalgid = aalg->alg_id;
5247 5258 aminbits = MAX(prot->ipp_espa_minbits,
5248 5259 aalg->alg_ef_minbits);
5249 5260 amaxbits = MIN(prot->ipp_espa_maxbits,
5250 5261 aalg->alg_ef_maxbits);
5251 5262 }
5252 5263
5253 5264 comb->sadb_comb_flags = 0;
5254 5265 comb->sadb_comb_reserved = 0;
5255 5266 comb->sadb_comb_encrypt = ealgid;
5256 5267 comb->sadb_comb_encrypt_minbits = eminbits;
5257 5268 comb->sadb_comb_encrypt_maxbits = emaxbits;
5258 5269 comb->sadb_comb_auth = aalgid;
5259 5270 comb->sadb_comb_auth_minbits = aminbits;
5260 5271 comb->sadb_comb_auth_maxbits = amaxbits;
5261 5272 comb->sadb_comb_soft_allocations = 0;
5262 5273 comb->sadb_comb_hard_allocations = 0;
5263 5274 comb->sadb_comb_soft_bytes = softbytes;
5264 5275 comb->sadb_comb_hard_bytes = hardbytes;
5265 5276 comb->sadb_comb_soft_addtime = softaddtime;
5266 5277 comb->sadb_comb_hard_addtime = hardaddtime;
5267 5278 comb->sadb_comb_soft_usetime = softusetime;
5268 5279 comb->sadb_comb_hard_usetime = hardusetime;
5269 5280
5270 5281 prop->sadb_prop_len += SADB_8TO64(sizeof (*comb));
5271 5282 mp->b_wptr += sizeof (*comb);
5272 5283 allocsize -= sizeof (*comb);
5273 5284 /* Should never dip BELOW sizeof (KM cookie extension). */
5274 5285 ASSERT3S(allocsize, >=, sizeof (sadb_x_kmc_t));
5275 5286 if (allocsize <= sizeof (sadb_x_kmc_t))
5276 5287 break; /* out of space.. */
5277 5288 comb++;
5278 5289 }
5279 5290
5280 5291 /* Don't include KMC extension if there's no room. */
5281 5292 if (((kmp != 0) || (kmc != 0)) && allocsize >= sizeof (sadb_x_kmc_t)) {
5282 5293 if (sadb_make_kmc_ext(mp->b_wptr,
5283 5294 mp->b_wptr + sizeof (sadb_x_kmc_t), kmp, kmc) == NULL) {
5284 5295 freeb(mp);
5285 5296 mp = NULL;
5286 5297 goto bail;
5287 5298 }
5288 5299 mp->b_wptr += sizeof (sadb_x_kmc_t);
5289 5300 prop->sadb_prop_len += SADB_8TO64(sizeof (sadb_x_kmc_t));
|
↓ open down ↓ |
169 lines elided |
↑ open up ↑ |
5290 5301 }
5291 5302
5292 5303 bail:
5293 5304 rw_exit(&ipss->ipsec_alg_lock);
5294 5305 return (mp);
5295 5306 }
5296 5307
5297 5308 /*
5298 5309 * Generate an extended ACQUIRE's extended-proposal extension.
5299 5310 */
5300 -/* ARGSUSED */
5301 5311 static mblk_t *
5302 5312 sadb_acquire_extended_prop(ipsec_action_t *ap, netstack_t *ns)
5303 5313 {
5304 5314 sadb_prop_t *eprop;
5305 5315 uint8_t *cur, *end;
5306 5316 mblk_t *mp;
5307 5317 int allocsize, numecombs = 0, numalgdescs = 0;
5308 - uint32_t kmc = 0, kmp = 0, replay = 0;
5318 + uint32_t kmp = 0, replay = 0;
5319 + uint64_t kmc = 0;
5309 5320 ipsec_action_t *walker;
5310 5321
5311 5322 allocsize = sizeof (*eprop);
5312 5323
5313 5324 /*
5314 5325 * Going to walk through the action list twice. Once for allocation
5315 5326 * measurement, and once for actual construction.
5316 5327 */
5317 5328 for (walker = ap; walker != NULL; walker = walker->ipa_next) {
5318 5329 ipsec_prot_t *ipp;
5319 5330
5320 5331 /*
5321 5332 * Skip non-IPsec policies
5322 5333 */
5323 5334 if (walker->ipa_act.ipa_type != IPSEC_ACT_APPLY)
5324 5335 continue;
5325 5336
5326 5337 ipp = &walker->ipa_act.ipa_apply;
5327 5338
5328 5339 if (walker->ipa_act.ipa_apply.ipp_km_proto)
5329 5340 kmp = ipp->ipp_km_proto;
5330 5341 if (walker->ipa_act.ipa_apply.ipp_km_cookie)
5331 5342 kmc = ipp->ipp_km_cookie;
5332 5343 if (walker->ipa_act.ipa_apply.ipp_replay_depth)
5333 5344 replay = ipp->ipp_replay_depth;
5334 5345
5335 5346 if (ipp->ipp_use_ah)
5336 5347 numalgdescs++;
5337 5348 if (ipp->ipp_use_esp) {
5338 5349 numalgdescs++;
5339 5350 if (ipp->ipp_use_espa)
5340 5351 numalgdescs++;
5341 5352 }
5342 5353
5343 5354 numecombs++;
5344 5355 }
5345 5356 ASSERT(numecombs > 0);
5346 5357
5347 5358 allocsize += numecombs * sizeof (sadb_x_ecomb_t) +
5348 5359 numalgdescs * sizeof (sadb_x_algdesc_t) + sizeof (sadb_x_kmc_t);
5349 5360 mp = allocb(allocsize, BPRI_HI);
5350 5361 if (mp == NULL)
5351 5362 return (NULL);
5352 5363 eprop = (sadb_prop_t *)mp->b_rptr;
5353 5364 end = mp->b_rptr + allocsize;
5354 5365 cur = mp->b_rptr + sizeof (*eprop);
5355 5366
5356 5367 eprop->sadb_prop_exttype = SADB_X_EXT_EPROP;
5357 5368 eprop->sadb_x_prop_ereserved = 0;
5358 5369 eprop->sadb_x_prop_numecombs = 0;
5359 5370 *(uint32_t *)(&eprop->sadb_prop_replay) = 0; /* Quick zero-out! */
5360 5371 /* Pick ESP's replay default if need be. */
5361 5372 eprop->sadb_prop_replay = (replay == 0) ?
5362 5373 ns->netstack_ipsecesp->ipsecesp_replay_size : replay;
5363 5374
5364 5375 /* This time, walk through and actually allocate. */
5365 5376 for (walker = ap; walker != NULL; walker = walker->ipa_next) {
5366 5377 /*
5367 5378 * Skip non-IPsec policies
5368 5379 */
5369 5380 if (walker->ipa_act.ipa_type != IPSEC_ACT_APPLY)
5370 5381 continue;
5371 5382 cur = sadb_action_to_ecomb(cur, end, walker, ns);
5372 5383 if (cur == NULL) {
5373 5384 /* NOTE: inverse-ACQUIRE should note this as ENOMEM. */
5374 5385 freeb(mp);
5375 5386 return (NULL);
5376 5387 }
5377 5388 eprop->sadb_x_prop_numecombs++;
5378 5389 }
5379 5390
5380 5391 ASSERT(end - cur >= sizeof (sadb_x_kmc_t));
5381 5392 if ((kmp != 0) || (kmc != 0)) {
5382 5393 cur = sadb_make_kmc_ext(cur, end, kmp, kmc);
5383 5394 if (cur == NULL) {
5384 5395 freeb(mp);
5385 5396 return (NULL);
5386 5397 }
5387 5398 }
5388 5399 mp->b_wptr = cur;
5389 5400 eprop->sadb_prop_len = SADB_8TO64(cur - mp->b_rptr);
5390 5401
5391 5402 return (mp);
5392 5403 }
5393 5404
5394 5405 /*
5395 5406 * For this mblk, insert a new acquire record. Assume bucket contains addrs
5396 5407 * of all of the same length. Give up (and drop) if memory
5397 5408 * cannot be allocated for a new one; otherwise, invoke callback to
5398 5409 * send the acquire up..
5399 5410 *
5400 5411 * In cases where we need both AH and ESP, add the SA to the ESP ACQUIRE
5401 5412 * list. The ah_add_sa_finish() routines can look at the packet's attached
5402 5413 * attributes and handle this case specially.
5403 5414 */
5404 5415 void
5405 5416 sadb_acquire(mblk_t *datamp, ip_xmit_attr_t *ixa, boolean_t need_ah,
5406 5417 boolean_t need_esp)
5407 5418 {
5408 5419 mblk_t *asyncmp, *regular, *extended, *common, *prop, *eprop;
5409 5420 sadbp_t *spp;
5410 5421 sadb_t *sp;
5411 5422 ipsacq_t *newbie;
5412 5423 iacqf_t *bucket;
5413 5424 ipha_t *ipha = (ipha_t *)datamp->b_rptr;
5414 5425 ip6_t *ip6h = (ip6_t *)datamp->b_rptr;
5415 5426 uint32_t *src, *dst, *isrc, *idst;
5416 5427 ipsec_policy_t *pp = ixa->ixa_ipsec_policy;
5417 5428 ipsec_action_t *ap = ixa->ixa_ipsec_action;
5418 5429 sa_family_t af;
5419 5430 int hashoffset;
5420 5431 uint32_t seq;
5421 5432 uint64_t unique_id = 0;
5422 5433 boolean_t tunnel_mode = (ixa->ixa_flags & IXAF_IPSEC_TUNNEL) != 0;
5423 5434 ts_label_t *tsl;
5424 5435 netstack_t *ns = ixa->ixa_ipst->ips_netstack;
5425 5436 ipsec_stack_t *ipss = ns->netstack_ipsec;
5426 5437 ipsecesp_stack_t *espstack = ns->netstack_ipsecesp;
5427 5438 ipsecah_stack_t *ahstack = ns->netstack_ipsecah;
5428 5439 ipsec_selector_t sel;
5429 5440 queue_t *q;
5430 5441
5431 5442 ASSERT((pp != NULL) || (ap != NULL));
5432 5443
5433 5444 ASSERT(need_ah || need_esp);
5434 5445
5435 5446 /* Assign sadb pointers */
5436 5447 if (need_esp) {
5437 5448 /*
5438 5449 * ESP happens first if we need both AH and ESP.
5439 5450 */
5440 5451 spp = &espstack->esp_sadb;
5441 5452 } else {
5442 5453 spp = &ahstack->ah_sadb;
5443 5454 }
5444 5455 sp = (ixa->ixa_flags & IXAF_IS_IPV4) ? &spp->s_v4 : &spp->s_v6;
5445 5456
5446 5457 if (is_system_labeled())
5447 5458 tsl = ixa->ixa_tsl;
5448 5459 else
5449 5460 tsl = NULL;
5450 5461
5451 5462 if (ap == NULL)
5452 5463 ap = pp->ipsp_act;
5453 5464 ASSERT(ap != NULL);
5454 5465
5455 5466 if (ap->ipa_act.ipa_apply.ipp_use_unique || tunnel_mode)
5456 5467 unique_id = SA_FORM_UNIQUE_ID(ixa);
5457 5468
5458 5469 /*
5459 5470 * Set up an ACQUIRE record.
5460 5471 *
5461 5472 * Immediately, make sure the ACQUIRE sequence number doesn't slip
5462 5473 * below the lowest point allowed in the kernel. (In other words,
5463 5474 * make sure the high bit on the sequence number is set.)
5464 5475 */
5465 5476
5466 5477 seq = keysock_next_seq(ns) | IACQF_LOWEST_SEQ;
5467 5478
5468 5479 if (IPH_HDR_VERSION(ipha) == IP_VERSION) {
5469 5480 src = (uint32_t *)&ipha->ipha_src;
5470 5481 dst = (uint32_t *)&ipha->ipha_dst;
5471 5482 af = AF_INET;
5472 5483 hashoffset = OUTBOUND_HASH_V4(sp, ipha->ipha_dst);
5473 5484 ASSERT(ixa->ixa_flags & IXAF_IS_IPV4);
5474 5485 } else {
5475 5486 ASSERT(IPH_HDR_VERSION(ipha) == IPV6_VERSION);
5476 5487 src = (uint32_t *)&ip6h->ip6_src;
5477 5488 dst = (uint32_t *)&ip6h->ip6_dst;
5478 5489 af = AF_INET6;
5479 5490 hashoffset = OUTBOUND_HASH_V6(sp, ip6h->ip6_dst);
5480 5491 ASSERT(!(ixa->ixa_flags & IXAF_IS_IPV4));
5481 5492 }
5482 5493
5483 5494 if (tunnel_mode) {
5484 5495 if (pp == NULL) {
5485 5496 /*
5486 5497 * Tunnel mode with no policy pointer means this is a
5487 5498 * reflected ICMP (like a ECHO REQUEST) that came in
5488 5499 * with self-encapsulated protection. Until we better
5489 5500 * support this, drop the packet.
5490 5501 */
5491 5502 ip_drop_packet(datamp, B_FALSE, NULL,
5492 5503 DROPPER(ipss, ipds_spd_got_selfencap),
5493 5504 &ipss->ipsec_spd_dropper);
5494 5505 return;
5495 5506 }
5496 5507 /* Snag inner addresses. */
5497 5508 isrc = ixa->ixa_ipsec_insrc;
5498 5509 idst = ixa->ixa_ipsec_indst;
5499 5510 } else {
5500 5511 isrc = idst = NULL;
5501 5512 }
5502 5513
5503 5514 /*
5504 5515 * Check buckets to see if there is an existing entry. If so,
5505 5516 * grab it. sadb_checkacquire locks newbie if found.
5506 5517 */
5507 5518 bucket = &(sp->sdb_acq[hashoffset]);
5508 5519 mutex_enter(&bucket->iacqf_lock);
5509 5520 newbie = sadb_checkacquire(bucket, ap, pp, src, dst, isrc, idst,
5510 5521 unique_id, tsl);
5511 5522
5512 5523 if (newbie == NULL) {
5513 5524 /*
5514 5525 * Otherwise, allocate a new one.
5515 5526 */
5516 5527 newbie = kmem_zalloc(sizeof (*newbie), KM_NOSLEEP);
5517 5528 if (newbie == NULL) {
5518 5529 mutex_exit(&bucket->iacqf_lock);
5519 5530 ip_drop_packet(datamp, B_FALSE, NULL,
5520 5531 DROPPER(ipss, ipds_sadb_acquire_nomem),
5521 5532 &ipss->ipsec_sadb_dropper);
5522 5533 return;
5523 5534 }
5524 5535 newbie->ipsacq_policy = pp;
5525 5536 if (pp != NULL) {
5526 5537 IPPOL_REFHOLD(pp);
5527 5538 }
5528 5539 IPACT_REFHOLD(ap);
5529 5540 newbie->ipsacq_act = ap;
5530 5541 newbie->ipsacq_linklock = &bucket->iacqf_lock;
5531 5542 newbie->ipsacq_next = bucket->iacqf_ipsacq;
5532 5543 newbie->ipsacq_ptpn = &bucket->iacqf_ipsacq;
5533 5544 if (newbie->ipsacq_next != NULL)
5534 5545 newbie->ipsacq_next->ipsacq_ptpn = &newbie->ipsacq_next;
5535 5546
5536 5547 bucket->iacqf_ipsacq = newbie;
5537 5548 mutex_init(&newbie->ipsacq_lock, NULL, MUTEX_DEFAULT, NULL);
5538 5549 mutex_enter(&newbie->ipsacq_lock);
5539 5550 }
5540 5551
5541 5552 /*
5542 5553 * XXX MLS does it actually help us to drop the bucket lock here?
5543 5554 * we have inserted a half-built, locked acquire record into the
5544 5555 * bucket. any competing thread will now be able to lock the bucket
5545 5556 * to scan it, but will immediately pile up on the new acquire
5546 5557 * record's lock; I don't think we gain anything here other than to
5547 5558 * disperse blame for lock contention.
5548 5559 *
5549 5560 * we might be able to dispense with acquire record locks entirely..
5550 5561 * just use the bucket locks..
5551 5562 */
5552 5563
5553 5564 mutex_exit(&bucket->iacqf_lock);
5554 5565
5555 5566 /*
5556 5567 * This assert looks silly for now, but we may need to enter newbie's
5557 5568 * mutex during a search.
5558 5569 */
5559 5570 ASSERT(MUTEX_HELD(&newbie->ipsacq_lock));
5560 5571
5561 5572 /*
5562 5573 * Make the ip_xmit_attr_t into something we can queue.
5563 5574 * If no memory it frees datamp.
5564 5575 */
5565 5576 asyncmp = ip_xmit_attr_to_mblk(ixa);
5566 5577 if (asyncmp != NULL)
5567 5578 linkb(asyncmp, datamp);
5568 5579
5569 5580 /* Queue up packet. Use b_next. */
5570 5581
5571 5582 if (asyncmp == NULL) {
5572 5583 /* Statistics for allocation failure */
5573 5584 if (ixa->ixa_flags & IXAF_IS_IPV4) {
5574 5585 BUMP_MIB(&ixa->ixa_ipst->ips_ip_mib,
5575 5586 ipIfStatsOutDiscards);
5576 5587 } else {
5577 5588 BUMP_MIB(&ixa->ixa_ipst->ips_ip6_mib,
5578 5589 ipIfStatsOutDiscards);
5579 5590 }
5580 5591 ip_drop_output("No memory for asyncmp", datamp, NULL);
5581 5592 freemsg(datamp);
5582 5593 /*
5583 5594 * The acquire record will be freed quickly if it's new
5584 5595 * (ipsacq_expire == 0), and will proceed as if no packet
5585 5596 * showed up if not.
5586 5597 */
5587 5598 mutex_exit(&newbie->ipsacq_lock);
5588 5599 return;
5589 5600 } else if (newbie->ipsacq_numpackets == 0) {
5590 5601 /* First one. */
5591 5602 newbie->ipsacq_mp = asyncmp;
5592 5603 newbie->ipsacq_numpackets = 1;
5593 5604 newbie->ipsacq_expire = gethrestime_sec();
5594 5605 /*
5595 5606 * Extended ACQUIRE with both AH+ESP will use ESP's timeout
5596 5607 * value.
5597 5608 */
5598 5609 newbie->ipsacq_expire += *spp->s_acquire_timeout;
5599 5610 newbie->ipsacq_seq = seq;
5600 5611 newbie->ipsacq_addrfam = af;
5601 5612
5602 5613 newbie->ipsacq_srcport = ixa->ixa_ipsec_src_port;
5603 5614 newbie->ipsacq_dstport = ixa->ixa_ipsec_dst_port;
5604 5615 newbie->ipsacq_icmp_type = ixa->ixa_ipsec_icmp_type;
5605 5616 newbie->ipsacq_icmp_code = ixa->ixa_ipsec_icmp_code;
5606 5617 if (tunnel_mode) {
5607 5618 newbie->ipsacq_inneraddrfam = ixa->ixa_ipsec_inaf;
5608 5619 newbie->ipsacq_proto = ixa->ixa_ipsec_inaf == AF_INET6 ?
5609 5620 IPPROTO_IPV6 : IPPROTO_ENCAP;
5610 5621 newbie->ipsacq_innersrcpfx = ixa->ixa_ipsec_insrcpfx;
5611 5622 newbie->ipsacq_innerdstpfx = ixa->ixa_ipsec_indstpfx;
5612 5623 IPSA_COPY_ADDR(newbie->ipsacq_innersrc,
5613 5624 ixa->ixa_ipsec_insrc, ixa->ixa_ipsec_inaf);
5614 5625 IPSA_COPY_ADDR(newbie->ipsacq_innerdst,
5615 5626 ixa->ixa_ipsec_indst, ixa->ixa_ipsec_inaf);
5616 5627 } else {
5617 5628 newbie->ipsacq_proto = ixa->ixa_ipsec_proto;
5618 5629 }
5619 5630 newbie->ipsacq_unique_id = unique_id;
5620 5631
5621 5632 if (tsl != NULL) {
5622 5633 label_hold(tsl);
5623 5634 newbie->ipsacq_tsl = tsl;
5624 5635 }
5625 5636 } else {
5626 5637 /* Scan to the end of the list & insert. */
5627 5638 mblk_t *lastone = newbie->ipsacq_mp;
5628 5639
5629 5640 while (lastone->b_next != NULL)
5630 5641 lastone = lastone->b_next;
5631 5642 lastone->b_next = asyncmp;
5632 5643 if (newbie->ipsacq_numpackets++ == ipsacq_maxpackets) {
5633 5644 newbie->ipsacq_numpackets = ipsacq_maxpackets;
5634 5645 lastone = newbie->ipsacq_mp;
5635 5646 newbie->ipsacq_mp = lastone->b_next;
5636 5647 lastone->b_next = NULL;
5637 5648
5638 5649 /* Freeing the async message */
5639 5650 lastone = ip_xmit_attr_free_mblk(lastone);
5640 5651 ip_drop_packet(lastone, B_FALSE, NULL,
5641 5652 DROPPER(ipss, ipds_sadb_acquire_toofull),
5642 5653 &ipss->ipsec_sadb_dropper);
5643 5654 } else {
5644 5655 IP_ACQUIRE_STAT(ipss, qhiwater,
5645 5656 newbie->ipsacq_numpackets);
5646 5657 }
5647 5658 }
5648 5659
5649 5660 /*
5650 5661 * Reset addresses. Set them to the most recently added mblk chain,
5651 5662 * so that the address pointers in the acquire record will point
5652 5663 * at an mblk still attached to the acquire list.
5653 5664 */
5654 5665
5655 5666 newbie->ipsacq_srcaddr = src;
5656 5667 newbie->ipsacq_dstaddr = dst;
5657 5668
5658 5669 /*
5659 5670 * If the acquire record has more than one queued packet, we've
5660 5671 * already sent an ACQUIRE, and don't need to repeat ourself.
5661 5672 */
5662 5673 if (newbie->ipsacq_seq != seq || newbie->ipsacq_numpackets > 1) {
5663 5674 /* I have an acquire outstanding already! */
5664 5675 mutex_exit(&newbie->ipsacq_lock);
5665 5676 return;
5666 5677 }
5667 5678
5668 5679 if (need_esp) {
5669 5680 ESP_BUMP_STAT(espstack, acquire_requests);
5670 5681 q = espstack->esp_pfkey_q;
5671 5682 } else {
5672 5683 /*
5673 5684 * Two cases get us here:
5674 5685 * 1.) AH-only policy.
5675 5686 *
5676 5687 * 2.) A continuation of an AH+ESP policy, and this is the
5677 5688 * post-ESP, AH-needs-to-send-a-regular-ACQUIRE case.
5678 5689 * (i.e. called from esp_do_outbound_ah().)
5679 5690 */
5680 5691 AH_BUMP_STAT(ahstack, acquire_requests);
5681 5692 q = ahstack->ah_pfkey_q;
5682 5693 }
5683 5694
5684 5695 /*
5685 5696 * Get selectors and other policy-expression bits needed for an
5686 5697 * ACQUIRE.
5687 5698 */
5688 5699 bzero(&sel, sizeof (sel));
5689 5700 sel.ips_isv4 = (ixa->ixa_flags & IXAF_IS_IPV4) != 0;
5690 5701 if (tunnel_mode) {
5691 5702 sel.ips_protocol = (ixa->ixa_ipsec_inaf == AF_INET) ?
5692 5703 IPPROTO_ENCAP : IPPROTO_IPV6;
5693 5704 } else {
5694 5705 sel.ips_protocol = ixa->ixa_ipsec_proto;
5695 5706 sel.ips_local_port = ixa->ixa_ipsec_src_port;
5696 5707 sel.ips_remote_port = ixa->ixa_ipsec_dst_port;
5697 5708 }
5698 5709 sel.ips_icmp_type = ixa->ixa_ipsec_icmp_type;
5699 5710 sel.ips_icmp_code = ixa->ixa_ipsec_icmp_code;
5700 5711 sel.ips_is_icmp_inv_acq = 0;
5701 5712 if (af == AF_INET) {
5702 5713 sel.ips_local_addr_v4 = ipha->ipha_src;
5703 5714 sel.ips_remote_addr_v4 = ipha->ipha_dst;
5704 5715 } else {
5705 5716 sel.ips_local_addr_v6 = ip6h->ip6_src;
5706 5717 sel.ips_remote_addr_v6 = ip6h->ip6_dst;
5707 5718 }
5708 5719
5709 5720
5710 5721 /*
5711 5722 * 1. Generate addresses, kmc, and sensitivity. These are "common"
5712 5723 * and should be an mblk pointed to by common. TBD -- eventually it
5713 5724 * will include triggering packet contents as more address extensions.
5714 5725 *
5715 5726 * 2. Generate ACQUIRE & KEYSOCK_OUT and single-protocol proposal.
5716 5727 * These are "regular" and "prop". String regular->b_cont->b_cont =
5717 5728 * common, common->b_cont = prop.
5718 5729 *
5719 5730 * 3. If extended register got turned on, generate EXT_ACQUIRE &
5720 5731 * KEYSOCK_OUT and multi-protocol eprop. These are "extended" and
5721 5732 * "eprop". String extended->b_cont->b_cont = dupb(common) and
5722 5733 * extended->b_cont->b_cont->b_cont = prop.
5723 5734 *
5724 5735 * 4. Deliver: putnext(q, regular) and if there, putnext(q, extended).
5725 5736 */
5726 5737
5727 5738 regular = extended = prop = eprop = NULL;
5728 5739
5729 5740 common = sadb_acquire_msg_common(&sel, pp, ap, tunnel_mode, tsl, NULL);
5730 5741 if (common == NULL)
5731 5742 goto bail;
5732 5743
5733 5744 regular = sadb_acquire_msg_base(0, (need_esp ?
5734 5745 SADB_SATYPE_ESP : SADB_SATYPE_AH), newbie->ipsacq_seq, 0);
5735 5746 if (regular == NULL)
5736 5747 goto bail;
5737 5748
5738 5749 /*
5739 5750 * Pardon the boolean cleverness. At least one of need_* must be true.
5740 5751 * If they are equal, it's an AH & ESP policy and ESP needs to go
5741 5752 * first. If they aren't, just check the contents of need_esp.
5742 5753 */
5743 5754 prop = sadb_acquire_prop(ap, ns, need_esp);
5744 5755 if (prop == NULL)
5745 5756 goto bail;
5746 5757
5747 5758 /* Link the parts together. */
5748 5759 regular->b_cont->b_cont = common;
5749 5760 common->b_cont = prop;
5750 5761 /*
5751 5762 * Prop is now linked, so don't freemsg() it if the extended
5752 5763 * construction goes off the rails.
5753 5764 */
5754 5765 prop = NULL;
5755 5766
5756 5767 ((sadb_msg_t *)(regular->b_cont->b_rptr))->sadb_msg_len =
5757 5768 SADB_8TO64(msgsize(regular->b_cont));
5758 5769
5759 5770 /*
5760 5771 * If we need an extended ACQUIRE, build it here.
5761 5772 */
5762 5773 if (keysock_extended_reg(ns)) {
5763 5774 /* NOTE: "common" still points to what we need. */
5764 5775 extended = sadb_acquire_msg_base(0, 0, newbie->ipsacq_seq, 0);
5765 5776 if (extended == NULL) {
5766 5777 common = NULL;
5767 5778 goto bail;
5768 5779 }
5769 5780
5770 5781 extended->b_cont->b_cont = dupb(common);
5771 5782 common = NULL;
5772 5783 if (extended->b_cont->b_cont == NULL)
5773 5784 goto bail;
5774 5785
5775 5786 eprop = sadb_acquire_extended_prop(ap, ns);
5776 5787 if (eprop == NULL)
5777 5788 goto bail;
5778 5789 extended->b_cont->b_cont->b_cont = eprop;
5779 5790
5780 5791 ((sadb_msg_t *)(extended->b_cont->b_rptr))->sadb_msg_len =
5781 5792 SADB_8TO64(msgsize(extended->b_cont));
5782 5793 }
5783 5794
5784 5795 /* So we don't hold a lock across putnext()... */
5785 5796 mutex_exit(&newbie->ipsacq_lock);
5786 5797
5787 5798 if (extended != NULL)
5788 5799 putnext(q, extended);
5789 5800 ASSERT(regular != NULL);
5790 5801 putnext(q, regular);
5791 5802 return;
5792 5803
5793 5804 bail:
5794 5805 /* Make this acquire record go away quickly... */
5795 5806 newbie->ipsacq_expire = 0;
5796 5807 /* Exploit freemsg(NULL) being legal for fun & profit. */
5797 5808 freemsg(common);
5798 5809 freemsg(prop);
5799 5810 freemsg(extended);
5800 5811 freemsg(regular);
5801 5812 mutex_exit(&newbie->ipsacq_lock);
5802 5813 }
5803 5814
5804 5815 /*
5805 5816 * Unlink and free an acquire record.
5806 5817 */
5807 5818 void
5808 5819 sadb_destroy_acquire(ipsacq_t *acqrec, netstack_t *ns)
5809 5820 {
5810 5821 mblk_t *mp;
5811 5822 ipsec_stack_t *ipss = ns->netstack_ipsec;
5812 5823
5813 5824 ASSERT(MUTEX_HELD(acqrec->ipsacq_linklock));
5814 5825
5815 5826 if (acqrec->ipsacq_policy != NULL) {
5816 5827 IPPOL_REFRELE(acqrec->ipsacq_policy);
5817 5828 }
5818 5829 if (acqrec->ipsacq_act != NULL) {
5819 5830 IPACT_REFRELE(acqrec->ipsacq_act);
5820 5831 }
5821 5832
5822 5833 /* Unlink */
5823 5834 *(acqrec->ipsacq_ptpn) = acqrec->ipsacq_next;
5824 5835 if (acqrec->ipsacq_next != NULL)
5825 5836 acqrec->ipsacq_next->ipsacq_ptpn = acqrec->ipsacq_ptpn;
5826 5837
5827 5838 if (acqrec->ipsacq_tsl != NULL) {
5828 5839 label_rele(acqrec->ipsacq_tsl);
5829 5840 acqrec->ipsacq_tsl = NULL;
5830 5841 }
5831 5842
5832 5843 /*
5833 5844 * Free hanging mp's.
5834 5845 *
5835 5846 * XXX Instead of freemsg(), perhaps use IPSEC_REQ_FAILED.
5836 5847 */
5837 5848
5838 5849 mutex_enter(&acqrec->ipsacq_lock);
5839 5850 while (acqrec->ipsacq_mp != NULL) {
5840 5851 mp = acqrec->ipsacq_mp;
5841 5852 acqrec->ipsacq_mp = mp->b_next;
5842 5853 mp->b_next = NULL;
5843 5854 /* Freeing the async message */
5844 5855 mp = ip_xmit_attr_free_mblk(mp);
5845 5856 ip_drop_packet(mp, B_FALSE, NULL,
5846 5857 DROPPER(ipss, ipds_sadb_acquire_timeout),
5847 5858 &ipss->ipsec_sadb_dropper);
5848 5859 }
5849 5860 mutex_exit(&acqrec->ipsacq_lock);
5850 5861
5851 5862 /* Free */
5852 5863 mutex_destroy(&acqrec->ipsacq_lock);
5853 5864 kmem_free(acqrec, sizeof (*acqrec));
5854 5865 }
5855 5866
5856 5867 /*
5857 5868 * Destroy an acquire list fanout.
5858 5869 */
5859 5870 static void
5860 5871 sadb_destroy_acqlist(iacqf_t **listp, uint_t numentries, boolean_t forever,
5861 5872 netstack_t *ns)
5862 5873 {
5863 5874 int i;
5864 5875 iacqf_t *list = *listp;
5865 5876
5866 5877 if (list == NULL)
5867 5878 return;
5868 5879
5869 5880 for (i = 0; i < numentries; i++) {
5870 5881 mutex_enter(&(list[i].iacqf_lock));
5871 5882 while (list[i].iacqf_ipsacq != NULL)
5872 5883 sadb_destroy_acquire(list[i].iacqf_ipsacq, ns);
5873 5884 mutex_exit(&(list[i].iacqf_lock));
5874 5885 if (forever)
5875 5886 mutex_destroy(&(list[i].iacqf_lock));
5876 5887 }
5877 5888
5878 5889 if (forever) {
5879 5890 *listp = NULL;
5880 5891 kmem_free(list, numentries * sizeof (*list));
5881 5892 }
5882 5893 }
5883 5894
5884 5895 /*
5885 5896 * Create an algorithm descriptor for an extended ACQUIRE. Filter crypto
5886 5897 * framework's view of reality vs. IPsec's. EF's wins, BTW.
5887 5898 */
5888 5899 static uint8_t *
5889 5900 sadb_new_algdesc(uint8_t *start, uint8_t *limit,
5890 5901 sadb_x_ecomb_t *ecomb, uint8_t satype, uint8_t algtype,
5891 5902 uint8_t alg, uint16_t minbits, uint16_t maxbits, ipsec_stack_t *ipss)
5892 5903 {
5893 5904 uint8_t *cur = start;
5894 5905 ipsec_alginfo_t *algp;
5895 5906 sadb_x_algdesc_t *algdesc = (sadb_x_algdesc_t *)cur;
5896 5907
5897 5908 cur += sizeof (*algdesc);
5898 5909 if (cur >= limit)
5899 5910 return (NULL);
5900 5911
5901 5912 ecomb->sadb_x_ecomb_numalgs++;
5902 5913
5903 5914 /*
5904 5915 * Normalize vs. crypto framework's limits. This way, you can specify
5905 5916 * a stronger policy, and when the framework loads a stronger version,
5906 5917 * you can just keep plowing w/o rewhacking your SPD.
5907 5918 */
5908 5919 rw_enter(&ipss->ipsec_alg_lock, RW_READER);
5909 5920 algp = ipss->ipsec_alglists[(algtype == SADB_X_ALGTYPE_AUTH) ?
5910 5921 IPSEC_ALG_AUTH : IPSEC_ALG_ENCR][alg];
5911 5922 if (algp == NULL) {
5912 5923 rw_exit(&ipss->ipsec_alg_lock);
5913 5924 return (NULL); /* Algorithm doesn't exist. Fail gracefully. */
5914 5925 }
5915 5926 if (minbits < algp->alg_ef_minbits)
5916 5927 minbits = algp->alg_ef_minbits;
5917 5928 if (maxbits > algp->alg_ef_maxbits)
5918 5929 maxbits = algp->alg_ef_maxbits;
5919 5930 rw_exit(&ipss->ipsec_alg_lock);
5920 5931
5921 5932 algdesc->sadb_x_algdesc_reserved = SADB_8TO1(algp->alg_saltlen);
5922 5933 algdesc->sadb_x_algdesc_satype = satype;
5923 5934 algdesc->sadb_x_algdesc_algtype = algtype;
5924 5935 algdesc->sadb_x_algdesc_alg = alg;
5925 5936 algdesc->sadb_x_algdesc_minbits = minbits;
5926 5937 algdesc->sadb_x_algdesc_maxbits = maxbits;
5927 5938
5928 5939 return (cur);
5929 5940 }
5930 5941
5931 5942 /*
5932 5943 * Convert the given ipsec_action_t into an ecomb starting at *ecomb
5933 5944 * which must fit before *limit
5934 5945 *
5935 5946 * return NULL if we ran out of room or a pointer to the end of the ecomb.
5936 5947 */
5937 5948 static uint8_t *
5938 5949 sadb_action_to_ecomb(uint8_t *start, uint8_t *limit, ipsec_action_t *act,
5939 5950 netstack_t *ns)
5940 5951 {
5941 5952 uint8_t *cur = start;
5942 5953 sadb_x_ecomb_t *ecomb = (sadb_x_ecomb_t *)cur;
5943 5954 ipsec_prot_t *ipp;
5944 5955 ipsec_stack_t *ipss = ns->netstack_ipsec;
5945 5956
5946 5957 cur += sizeof (*ecomb);
5947 5958 if (cur >= limit)
5948 5959 return (NULL);
5949 5960
5950 5961 ASSERT(act->ipa_act.ipa_type == IPSEC_ACT_APPLY);
5951 5962
5952 5963 ipp = &act->ipa_act.ipa_apply;
5953 5964
5954 5965 ecomb->sadb_x_ecomb_numalgs = 0;
5955 5966 ecomb->sadb_x_ecomb_reserved = 0;
5956 5967 ecomb->sadb_x_ecomb_reserved2 = 0;
5957 5968 /*
5958 5969 * No limits on allocations, since we really don't support that
5959 5970 * concept currently.
5960 5971 */
5961 5972 ecomb->sadb_x_ecomb_soft_allocations = 0;
5962 5973 ecomb->sadb_x_ecomb_hard_allocations = 0;
5963 5974
5964 5975 /*
5965 5976 * XXX TBD: Policy or global parameters will eventually be
5966 5977 * able to fill in some of these.
5967 5978 */
5968 5979 ecomb->sadb_x_ecomb_flags = 0;
5969 5980 ecomb->sadb_x_ecomb_soft_bytes = 0;
5970 5981 ecomb->sadb_x_ecomb_hard_bytes = 0;
5971 5982 ecomb->sadb_x_ecomb_soft_addtime = 0;
5972 5983 ecomb->sadb_x_ecomb_hard_addtime = 0;
5973 5984 ecomb->sadb_x_ecomb_soft_usetime = 0;
5974 5985 ecomb->sadb_x_ecomb_hard_usetime = 0;
5975 5986
5976 5987 if (ipp->ipp_use_ah) {
5977 5988 cur = sadb_new_algdesc(cur, limit, ecomb,
5978 5989 SADB_SATYPE_AH, SADB_X_ALGTYPE_AUTH, ipp->ipp_auth_alg,
5979 5990 ipp->ipp_ah_minbits, ipp->ipp_ah_maxbits, ipss);
5980 5991 if (cur == NULL)
5981 5992 return (NULL);
5982 5993 ipsecah_fill_defs(ecomb, ns);
5983 5994 }
5984 5995
5985 5996 if (ipp->ipp_use_esp) {
5986 5997 if (ipp->ipp_use_espa) {
5987 5998 cur = sadb_new_algdesc(cur, limit, ecomb,
5988 5999 SADB_SATYPE_ESP, SADB_X_ALGTYPE_AUTH,
5989 6000 ipp->ipp_esp_auth_alg,
5990 6001 ipp->ipp_espa_minbits,
5991 6002 ipp->ipp_espa_maxbits, ipss);
5992 6003 if (cur == NULL)
5993 6004 return (NULL);
5994 6005 }
5995 6006
5996 6007 cur = sadb_new_algdesc(cur, limit, ecomb,
5997 6008 SADB_SATYPE_ESP, SADB_X_ALGTYPE_CRYPT,
5998 6009 ipp->ipp_encr_alg,
5999 6010 ipp->ipp_espe_minbits,
6000 6011 ipp->ipp_espe_maxbits, ipss);
6001 6012 if (cur == NULL)
6002 6013 return (NULL);
6003 6014 /* Fill in lifetimes if and only if AH didn't already... */
6004 6015 if (!ipp->ipp_use_ah)
6005 6016 ipsecesp_fill_defs(ecomb, ns);
6006 6017 }
6007 6018
6008 6019 return (cur);
6009 6020 }
6010 6021
6011 6022 #include <sys/tsol/label_macro.h> /* XXX should not need this */
6012 6023
6013 6024 /*
6014 6025 * From a cred_t, construct a sensitivity label extension
6015 6026 *
6016 6027 * We send up a fixed-size sensitivity label bitmap, and are perhaps
6017 6028 * overly chummy with the underlying data structures here.
6018 6029 */
6019 6030
6020 6031 /* ARGSUSED */
6021 6032 int
6022 6033 sadb_sens_len_from_label(ts_label_t *tsl)
6023 6034 {
6024 6035 int baselen = sizeof (sadb_sens_t) + _C_LEN * 4;
6025 6036 return (roundup(baselen, sizeof (uint64_t)));
6026 6037 }
6027 6038
6028 6039 void
6029 6040 sadb_sens_from_label(sadb_sens_t *sens, int exttype, ts_label_t *tsl,
6030 6041 int senslen)
6031 6042 {
6032 6043 uint8_t *bitmap;
6033 6044 bslabel_t *sl;
6034 6045
6035 6046 /* LINTED */
6036 6047 ASSERT((_C_LEN & 1) == 0);
6037 6048 ASSERT((senslen & 7) == 0);
6038 6049
6039 6050 sl = label2bslabel(tsl);
6040 6051
6041 6052 sens->sadb_sens_exttype = exttype;
6042 6053 sens->sadb_sens_len = SADB_8TO64(senslen);
6043 6054
6044 6055 sens->sadb_sens_dpd = tsl->tsl_doi;
6045 6056 sens->sadb_sens_sens_level = LCLASS(sl);
6046 6057 sens->sadb_sens_integ_level = 0; /* TBD */
6047 6058 sens->sadb_sens_sens_len = _C_LEN >> 1;
6048 6059 sens->sadb_sens_integ_len = 0; /* TBD */
6049 6060 sens->sadb_x_sens_flags = 0;
6050 6061
6051 6062 bitmap = (uint8_t *)(sens + 1);
6052 6063 bcopy(&(((_bslabel_impl_t *)sl)->compartments), bitmap, _C_LEN * 4);
6053 6064 }
6054 6065
6055 6066 /*
6056 6067 * Okay, how do we report errors/invalid labels from this?
6057 6068 * With a special designated "not a label" cred_t ?
6058 6069 */
6059 6070 /* ARGSUSED */
6060 6071 ts_label_t *
6061 6072 sadb_label_from_sens(sadb_sens_t *sens, uint64_t *bitmap)
6062 6073 {
6063 6074 int bitmap_len = SADB_64TO8(sens->sadb_sens_sens_len);
6064 6075 bslabel_t sl;
6065 6076 ts_label_t *tsl;
6066 6077
6067 6078 if (sens->sadb_sens_integ_level != 0)
6068 6079 return (NULL);
6069 6080 if (sens->sadb_sens_integ_len != 0)
6070 6081 return (NULL);
6071 6082 if (bitmap_len > _C_LEN * 4)
6072 6083 return (NULL);
6073 6084
6074 6085 bsllow(&sl);
6075 6086 LCLASS_SET((_bslabel_impl_t *)&sl, sens->sadb_sens_sens_level);
6076 6087 bcopy(bitmap, &((_bslabel_impl_t *)&sl)->compartments,
6077 6088 bitmap_len);
6078 6089
6079 6090 tsl = labelalloc(&sl, sens->sadb_sens_dpd, KM_NOSLEEP);
6080 6091 if (tsl == NULL)
6081 6092 return (NULL);
6082 6093
6083 6094 if (sens->sadb_x_sens_flags & SADB_X_SENS_UNLABELED)
6084 6095 tsl->tsl_flags |= TSLF_UNLABELED;
6085 6096 return (tsl);
6086 6097 }
6087 6098
6088 6099 /* End XXX label-library-leakage */
6089 6100
6090 6101 /*
6091 6102 * Given an SADB_GETSPI message, find an appropriately ranged SA and
6092 6103 * allocate an SA. If there are message improprieties, return (ipsa_t *)-1.
6093 6104 * If there was a memory allocation error, return NULL. (Assume NULL !=
6094 6105 * (ipsa_t *)-1).
6095 6106 *
6096 6107 * master_spi is passed in host order.
6097 6108 */
6098 6109 ipsa_t *
6099 6110 sadb_getspi(keysock_in_t *ksi, uint32_t master_spi, int *diagnostic,
6100 6111 netstack_t *ns, uint_t sa_type)
6101 6112 {
6102 6113 sadb_address_t *src =
6103 6114 (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_SRC],
6104 6115 *dst = (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_DST];
6105 6116 sadb_spirange_t *range =
6106 6117 (sadb_spirange_t *)ksi->ks_in_extv[SADB_EXT_SPIRANGE];
6107 6118 struct sockaddr_in *ssa, *dsa;
6108 6119 struct sockaddr_in6 *ssa6, *dsa6;
6109 6120 uint32_t *srcaddr, *dstaddr;
6110 6121 sa_family_t af;
6111 6122 uint32_t add, min, max;
6112 6123 uint8_t protocol =
6113 6124 (sa_type == SADB_SATYPE_AH) ? IPPROTO_AH : IPPROTO_ESP;
6114 6125
6115 6126 if (src == NULL) {
6116 6127 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_SRC;
6117 6128 return ((ipsa_t *)-1);
6118 6129 }
6119 6130 if (dst == NULL) {
6120 6131 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_DST;
6121 6132 return ((ipsa_t *)-1);
6122 6133 }
6123 6134 if (range == NULL) {
6124 6135 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_RANGE;
6125 6136 return ((ipsa_t *)-1);
6126 6137 }
6127 6138
6128 6139 min = ntohl(range->sadb_spirange_min);
6129 6140 max = ntohl(range->sadb_spirange_max);
6130 6141 dsa = (struct sockaddr_in *)(dst + 1);
6131 6142 dsa6 = (struct sockaddr_in6 *)dsa;
6132 6143
6133 6144 ssa = (struct sockaddr_in *)(src + 1);
6134 6145 ssa6 = (struct sockaddr_in6 *)ssa;
6135 6146 ASSERT(dsa->sin_family == ssa->sin_family);
6136 6147
6137 6148 srcaddr = ALL_ZEROES_PTR;
6138 6149 af = dsa->sin_family;
6139 6150 switch (af) {
6140 6151 case AF_INET:
6141 6152 if (src != NULL)
6142 6153 srcaddr = (uint32_t *)(&ssa->sin_addr);
6143 6154 dstaddr = (uint32_t *)(&dsa->sin_addr);
6144 6155 break;
6145 6156 case AF_INET6:
6146 6157 if (src != NULL)
6147 6158 srcaddr = (uint32_t *)(&ssa6->sin6_addr);
6148 6159 dstaddr = (uint32_t *)(&dsa6->sin6_addr);
6149 6160 break;
6150 6161 default:
6151 6162 *diagnostic = SADB_X_DIAGNOSTIC_BAD_DST_AF;
6152 6163 return ((ipsa_t *)-1);
6153 6164 }
6154 6165
6155 6166 if (master_spi < min || master_spi > max) {
6156 6167 /* Return a random value in the range. */
6157 6168 if (cl_inet_getspi) {
6158 6169 cl_inet_getspi(ns->netstack_stackid, protocol,
6159 6170 (uint8_t *)&add, sizeof (add), NULL);
6160 6171 } else {
6161 6172 (void) random_get_pseudo_bytes((uint8_t *)&add,
6162 6173 sizeof (add));
6163 6174 }
6164 6175 master_spi = min + (add % (max - min + 1));
6165 6176 }
6166 6177
6167 6178 /*
6168 6179 * Since master_spi is passed in host order, we need to htonl() it
6169 6180 * for the purposes of creating a new SA.
6170 6181 */
6171 6182 return (sadb_makelarvalassoc(htonl(master_spi), srcaddr, dstaddr, af,
6172 6183 ns));
6173 6184 }
6174 6185
6175 6186 /*
6176 6187 *
6177 6188 * Locate an ACQUIRE and nuke it. If I have an samsg that's larger than the
6178 6189 * base header, just ignore it. Otherwise, lock down the whole ACQUIRE list
6179 6190 * and scan for the sequence number in question. I may wish to accept an
6180 6191 * address pair with it, for easier searching.
6181 6192 *
6182 6193 * Caller frees the message, so we don't have to here.
6183 6194 *
6184 6195 * NOTE: The pfkey_q parameter may be used in the future for ACQUIRE
6185 6196 * failures.
6186 6197 */
6187 6198 /* ARGSUSED */
6188 6199 void
6189 6200 sadb_in_acquire(sadb_msg_t *samsg, sadbp_t *sp, queue_t *pfkey_q,
6190 6201 netstack_t *ns)
6191 6202 {
6192 6203 int i;
6193 6204 ipsacq_t *acqrec;
6194 6205 iacqf_t *bucket;
6195 6206
6196 6207 /*
6197 6208 * I only accept the base header for this!
6198 6209 * Though to be honest, requiring the dst address would help
6199 6210 * immensely.
6200 6211 *
6201 6212 * XXX There are already cases where I can get the dst address.
6202 6213 */
6203 6214 if (samsg->sadb_msg_len > SADB_8TO64(sizeof (*samsg)))
6204 6215 return;
6205 6216
6206 6217 /*
6207 6218 * Using the samsg->sadb_msg_seq, find the ACQUIRE record, delete it,
6208 6219 * (and in the future send a message to IP with the appropriate error
6209 6220 * number).
6210 6221 *
6211 6222 * Q: Do I want to reject if pid != 0?
6212 6223 */
6213 6224
6214 6225 for (i = 0; i < sp->s_v4.sdb_hashsize; i++) {
6215 6226 bucket = &sp->s_v4.sdb_acq[i];
6216 6227 mutex_enter(&bucket->iacqf_lock);
6217 6228 for (acqrec = bucket->iacqf_ipsacq; acqrec != NULL;
6218 6229 acqrec = acqrec->ipsacq_next) {
6219 6230 if (samsg->sadb_msg_seq == acqrec->ipsacq_seq)
6220 6231 break; /* for acqrec... loop. */
6221 6232 }
6222 6233 if (acqrec != NULL)
6223 6234 break; /* for i = 0... loop. */
6224 6235
6225 6236 mutex_exit(&bucket->iacqf_lock);
6226 6237 }
6227 6238
6228 6239 if (acqrec == NULL) {
6229 6240 for (i = 0; i < sp->s_v6.sdb_hashsize; i++) {
6230 6241 bucket = &sp->s_v6.sdb_acq[i];
6231 6242 mutex_enter(&bucket->iacqf_lock);
6232 6243 for (acqrec = bucket->iacqf_ipsacq; acqrec != NULL;
6233 6244 acqrec = acqrec->ipsacq_next) {
6234 6245 if (samsg->sadb_msg_seq == acqrec->ipsacq_seq)
6235 6246 break; /* for acqrec... loop. */
6236 6247 }
6237 6248 if (acqrec != NULL)
6238 6249 break; /* for i = 0... loop. */
6239 6250
6240 6251 mutex_exit(&bucket->iacqf_lock);
6241 6252 }
6242 6253 }
6243 6254
6244 6255
6245 6256 if (acqrec == NULL)
6246 6257 return;
6247 6258
6248 6259 /*
6249 6260 * What do I do with the errno and IP? I may need mp's services a
6250 6261 * little more. See sadb_destroy_acquire() for future directions
6251 6262 * beyond free the mblk chain on the acquire record.
6252 6263 */
6253 6264
6254 6265 ASSERT(&bucket->iacqf_lock == acqrec->ipsacq_linklock);
6255 6266 sadb_destroy_acquire(acqrec, ns);
6256 6267 /* Have to exit mutex here, because of breaking out of for loop. */
6257 6268 mutex_exit(&bucket->iacqf_lock);
6258 6269 }
6259 6270
6260 6271 /*
6261 6272 * The following functions work with the replay windows of an SA. They assume
6262 6273 * the ipsa->ipsa_replay_arr is an array of uint64_t, and that the bit vector
6263 6274 * represents the highest sequence number packet received, and back
6264 6275 * (ipsa->ipsa_replay_wsize) packets.
6265 6276 */
6266 6277
6267 6278 /*
6268 6279 * Is the replay bit set?
6269 6280 */
6270 6281 static boolean_t
6271 6282 ipsa_is_replay_set(ipsa_t *ipsa, uint32_t offset)
6272 6283 {
6273 6284 uint64_t bit = (uint64_t)1 << (uint64_t)(offset & 63);
6274 6285
6275 6286 return ((bit & ipsa->ipsa_replay_arr[offset >> 6]) ? B_TRUE : B_FALSE);
6276 6287 }
6277 6288
6278 6289 /*
6279 6290 * Shift the bits of the replay window over.
6280 6291 */
6281 6292 static void
6282 6293 ipsa_shift_replay(ipsa_t *ipsa, uint32_t shift)
6283 6294 {
6284 6295 int i;
6285 6296 int jump = ((shift - 1) >> 6) + 1;
6286 6297
6287 6298 if (shift == 0)
6288 6299 return;
6289 6300
6290 6301 for (i = (ipsa->ipsa_replay_wsize - 1) >> 6; i >= 0; i--) {
6291 6302 if (i + jump <= (ipsa->ipsa_replay_wsize - 1) >> 6) {
6292 6303 ipsa->ipsa_replay_arr[i + jump] |=
6293 6304 ipsa->ipsa_replay_arr[i] >> (64 - (shift & 63));
6294 6305 }
6295 6306 ipsa->ipsa_replay_arr[i] <<= shift;
6296 6307 }
6297 6308 }
6298 6309
6299 6310 /*
6300 6311 * Set a bit in the bit vector.
6301 6312 */
6302 6313 static void
6303 6314 ipsa_set_replay(ipsa_t *ipsa, uint32_t offset)
6304 6315 {
6305 6316 uint64_t bit = (uint64_t)1 << (uint64_t)(offset & 63);
6306 6317
6307 6318 ipsa->ipsa_replay_arr[offset >> 6] |= bit;
6308 6319 }
6309 6320
6310 6321 #define SADB_MAX_REPLAY_VALUE 0xffffffff
6311 6322
6312 6323 /*
6313 6324 * Assume caller has NOT done ntohl() already on seq. Check to see
6314 6325 * if replay sequence number "seq" has been seen already.
6315 6326 */
6316 6327 boolean_t
6317 6328 sadb_replay_check(ipsa_t *ipsa, uint32_t seq)
6318 6329 {
6319 6330 boolean_t rc;
6320 6331 uint32_t diff;
6321 6332
6322 6333 if (ipsa->ipsa_replay_wsize == 0)
6323 6334 return (B_TRUE);
6324 6335
6325 6336 /*
6326 6337 * NOTE: I've already checked for 0 on the wire in sadb_replay_peek().
6327 6338 */
6328 6339
6329 6340 /* Convert sequence number into host order before holding the mutex. */
6330 6341 seq = ntohl(seq);
6331 6342
6332 6343 mutex_enter(&ipsa->ipsa_lock);
6333 6344
6334 6345 /* Initialize inbound SA's ipsa_replay field to last one received. */
6335 6346 if (ipsa->ipsa_replay == 0)
6336 6347 ipsa->ipsa_replay = 1;
6337 6348
6338 6349 if (seq > ipsa->ipsa_replay) {
6339 6350 /*
6340 6351 * I have received a new "highest value received". Shift
6341 6352 * the replay window over.
6342 6353 */
6343 6354 diff = seq - ipsa->ipsa_replay;
6344 6355 if (diff < ipsa->ipsa_replay_wsize) {
6345 6356 /* In replay window, shift bits over. */
6346 6357 ipsa_shift_replay(ipsa, diff);
6347 6358 } else {
6348 6359 /* WAY FAR AHEAD, clear bits and start again. */
6349 6360 bzero(ipsa->ipsa_replay_arr,
6350 6361 sizeof (ipsa->ipsa_replay_arr));
6351 6362 }
6352 6363 ipsa_set_replay(ipsa, 0);
6353 6364 ipsa->ipsa_replay = seq;
6354 6365 rc = B_TRUE;
6355 6366 goto done;
6356 6367 }
6357 6368 diff = ipsa->ipsa_replay - seq;
6358 6369 if (diff >= ipsa->ipsa_replay_wsize || ipsa_is_replay_set(ipsa, diff)) {
6359 6370 rc = B_FALSE;
6360 6371 goto done;
6361 6372 }
6362 6373 /* Set this packet as seen. */
6363 6374 ipsa_set_replay(ipsa, diff);
6364 6375
6365 6376 rc = B_TRUE;
6366 6377 done:
6367 6378 mutex_exit(&ipsa->ipsa_lock);
6368 6379 return (rc);
6369 6380 }
6370 6381
6371 6382 /*
6372 6383 * "Peek" and see if we should even bother going through the effort of
6373 6384 * running an authentication check on the sequence number passed in.
6374 6385 * this takes into account packets that are below the replay window,
6375 6386 * and collisions with already replayed packets. Return B_TRUE if it
6376 6387 * is okay to proceed, B_FALSE if this packet should be dropped immediately.
6377 6388 * Assume same byte-ordering as sadb_replay_check.
6378 6389 */
6379 6390 boolean_t
6380 6391 sadb_replay_peek(ipsa_t *ipsa, uint32_t seq)
6381 6392 {
6382 6393 boolean_t rc = B_FALSE;
6383 6394 uint32_t diff;
6384 6395
6385 6396 if (ipsa->ipsa_replay_wsize == 0)
6386 6397 return (B_TRUE);
6387 6398
6388 6399 /*
6389 6400 * 0 is 0, regardless of byte order... :)
6390 6401 *
6391 6402 * If I get 0 on the wire (and there is a replay window) then the
6392 6403 * sender most likely wrapped. This ipsa may need to be marked or
6393 6404 * something.
6394 6405 */
6395 6406 if (seq == 0)
6396 6407 return (B_FALSE);
6397 6408
6398 6409 seq = ntohl(seq);
6399 6410 mutex_enter(&ipsa->ipsa_lock);
6400 6411 if (seq < ipsa->ipsa_replay - ipsa->ipsa_replay_wsize &&
6401 6412 ipsa->ipsa_replay >= ipsa->ipsa_replay_wsize)
6402 6413 goto done;
6403 6414
6404 6415 /*
6405 6416 * If I've hit 0xffffffff, then quite honestly, I don't need to
6406 6417 * bother with formalities. I'm not accepting any more packets
6407 6418 * on this SA.
6408 6419 */
6409 6420 if (ipsa->ipsa_replay == SADB_MAX_REPLAY_VALUE) {
6410 6421 /*
6411 6422 * Since we're already holding the lock, update the
6412 6423 * expire time ala. sadb_replay_delete() and return.
6413 6424 */
6414 6425 ipsa->ipsa_hardexpiretime = (time_t)1;
6415 6426 goto done;
6416 6427 }
6417 6428
6418 6429 if (seq <= ipsa->ipsa_replay) {
6419 6430 /*
6420 6431 * This seq is in the replay window. I'm not below it,
6421 6432 * because I already checked for that above!
6422 6433 */
6423 6434 diff = ipsa->ipsa_replay - seq;
6424 6435 if (ipsa_is_replay_set(ipsa, diff))
6425 6436 goto done;
6426 6437 }
6427 6438 /* Else return B_TRUE, I'm going to advance the window. */
6428 6439
6429 6440 rc = B_TRUE;
6430 6441 done:
6431 6442 mutex_exit(&ipsa->ipsa_lock);
6432 6443 return (rc);
6433 6444 }
6434 6445
6435 6446 /*
6436 6447 * Delete a single SA.
6437 6448 *
6438 6449 * For now, use the quick-and-dirty trick of making the association's
6439 6450 * hard-expire lifetime (time_t)1, ensuring deletion by the *_ager().
6440 6451 */
6441 6452 void
6442 6453 sadb_replay_delete(ipsa_t *assoc)
6443 6454 {
6444 6455 mutex_enter(&assoc->ipsa_lock);
6445 6456 assoc->ipsa_hardexpiretime = (time_t)1;
6446 6457 mutex_exit(&assoc->ipsa_lock);
6447 6458 }
6448 6459
6449 6460 /*
6450 6461 * Special front-end to ipsec_rl_strlog() dealing with SA failure.
6451 6462 * this is designed to take only a format string with "* %x * %s *", so
6452 6463 * that "spi" is printed first, then "addr" is converted using inet_pton().
6453 6464 *
6454 6465 * This is abstracted out to save the stack space for only when inet_pton()
6455 6466 * is called. Make sure "spi" is in network order; it usually is when this
6456 6467 * would get called.
6457 6468 */
6458 6469 void
6459 6470 ipsec_assocfailure(short mid, short sid, char level, ushort_t sl, char *fmt,
6460 6471 uint32_t spi, void *addr, int af, netstack_t *ns)
6461 6472 {
6462 6473 char buf[INET6_ADDRSTRLEN];
6463 6474
6464 6475 ASSERT(af == AF_INET6 || af == AF_INET);
6465 6476
6466 6477 ipsec_rl_strlog(ns, mid, sid, level, sl, fmt, ntohl(spi),
6467 6478 inet_ntop(af, addr, buf, sizeof (buf)));
6468 6479 }
6469 6480
6470 6481 /*
6471 6482 * Fills in a reference to the policy, if any, from the conn, in *ppp
6472 6483 */
6473 6484 static void
6474 6485 ipsec_conn_pol(ipsec_selector_t *sel, conn_t *connp, ipsec_policy_t **ppp)
6475 6486 {
6476 6487 ipsec_policy_t *pp;
6477 6488 ipsec_latch_t *ipl = connp->conn_latch;
6478 6489
6479 6490 if ((ipl != NULL) && (connp->conn_ixa->ixa_ipsec_policy != NULL)) {
6480 6491 pp = connp->conn_ixa->ixa_ipsec_policy;
6481 6492 IPPOL_REFHOLD(pp);
6482 6493 } else {
6483 6494 pp = ipsec_find_policy(IPSEC_TYPE_OUTBOUND, connp, sel,
6484 6495 connp->conn_netstack);
6485 6496 }
6486 6497 *ppp = pp;
6487 6498 }
6488 6499
6489 6500 /*
6490 6501 * The following functions scan through active conn_t structures
6491 6502 * and return a reference to the best-matching policy it can find.
6492 6503 * Caller must release the reference.
6493 6504 */
6494 6505 static void
6495 6506 ipsec_udp_pol(ipsec_selector_t *sel, ipsec_policy_t **ppp, ip_stack_t *ipst)
6496 6507 {
6497 6508 connf_t *connfp;
6498 6509 conn_t *connp = NULL;
6499 6510 ipsec_selector_t portonly;
6500 6511
6501 6512 bzero((void *)&portonly, sizeof (portonly));
6502 6513
6503 6514 if (sel->ips_local_port == 0)
6504 6515 return;
6505 6516
6506 6517 connfp = &ipst->ips_ipcl_udp_fanout[IPCL_UDP_HASH(sel->ips_local_port,
6507 6518 ipst)];
6508 6519 mutex_enter(&connfp->connf_lock);
6509 6520
6510 6521 if (sel->ips_isv4) {
6511 6522 connp = connfp->connf_head;
6512 6523 while (connp != NULL) {
6513 6524 if (IPCL_UDP_MATCH(connp, sel->ips_local_port,
6514 6525 sel->ips_local_addr_v4, sel->ips_remote_port,
6515 6526 sel->ips_remote_addr_v4))
6516 6527 break;
6517 6528 connp = connp->conn_next;
6518 6529 }
6519 6530
6520 6531 if (connp == NULL) {
6521 6532 /* Try port-only match in IPv6. */
6522 6533 portonly.ips_local_port = sel->ips_local_port;
6523 6534 sel = &portonly;
6524 6535 }
6525 6536 }
6526 6537
6527 6538 if (connp == NULL) {
6528 6539 connp = connfp->connf_head;
6529 6540 while (connp != NULL) {
6530 6541 if (IPCL_UDP_MATCH_V6(connp, sel->ips_local_port,
6531 6542 sel->ips_local_addr_v6, sel->ips_remote_port,
6532 6543 sel->ips_remote_addr_v6))
6533 6544 break;
6534 6545 connp = connp->conn_next;
6535 6546 }
6536 6547
6537 6548 if (connp == NULL) {
6538 6549 mutex_exit(&connfp->connf_lock);
6539 6550 return;
6540 6551 }
6541 6552 }
6542 6553
6543 6554 CONN_INC_REF(connp);
6544 6555 mutex_exit(&connfp->connf_lock);
6545 6556
6546 6557 ipsec_conn_pol(sel, connp, ppp);
6547 6558 CONN_DEC_REF(connp);
6548 6559 }
6549 6560
6550 6561 static conn_t *
6551 6562 ipsec_find_listen_conn(uint16_t *pptr, ipsec_selector_t *sel, ip_stack_t *ipst)
6552 6563 {
6553 6564 connf_t *connfp;
6554 6565 conn_t *connp = NULL;
6555 6566 const in6_addr_t *v6addrmatch = &sel->ips_local_addr_v6;
6556 6567
6557 6568 if (sel->ips_local_port == 0)
6558 6569 return (NULL);
6559 6570
6560 6571 connfp = &ipst->ips_ipcl_bind_fanout[
6561 6572 IPCL_BIND_HASH(sel->ips_local_port, ipst)];
6562 6573 mutex_enter(&connfp->connf_lock);
6563 6574
6564 6575 if (sel->ips_isv4) {
6565 6576 connp = connfp->connf_head;
6566 6577 while (connp != NULL) {
6567 6578 if (IPCL_BIND_MATCH(connp, IPPROTO_TCP,
6568 6579 sel->ips_local_addr_v4, pptr[1]))
6569 6580 break;
6570 6581 connp = connp->conn_next;
6571 6582 }
6572 6583
6573 6584 if (connp == NULL) {
6574 6585 /* Match to all-zeroes. */
6575 6586 v6addrmatch = &ipv6_all_zeros;
6576 6587 }
6577 6588 }
6578 6589
6579 6590 if (connp == NULL) {
6580 6591 connp = connfp->connf_head;
6581 6592 while (connp != NULL) {
6582 6593 if (IPCL_BIND_MATCH_V6(connp, IPPROTO_TCP,
6583 6594 *v6addrmatch, pptr[1]))
6584 6595 break;
6585 6596 connp = connp->conn_next;
6586 6597 }
6587 6598
6588 6599 if (connp == NULL) {
6589 6600 mutex_exit(&connfp->connf_lock);
6590 6601 return (NULL);
6591 6602 }
6592 6603 }
6593 6604
6594 6605 CONN_INC_REF(connp);
6595 6606 mutex_exit(&connfp->connf_lock);
6596 6607 return (connp);
6597 6608 }
6598 6609
6599 6610 static void
6600 6611 ipsec_tcp_pol(ipsec_selector_t *sel, ipsec_policy_t **ppp, ip_stack_t *ipst)
6601 6612 {
6602 6613 connf_t *connfp;
6603 6614 conn_t *connp;
6604 6615 uint32_t ports;
6605 6616 uint16_t *pptr = (uint16_t *)&ports;
6606 6617
6607 6618 /*
6608 6619 * Find TCP state in the following order:
6609 6620 * 1.) Connected conns.
6610 6621 * 2.) Listeners.
6611 6622 *
6612 6623 * Even though #2 will be the common case for inbound traffic, only
6613 6624 * following this order insures correctness.
6614 6625 */
6615 6626
6616 6627 if (sel->ips_local_port == 0)
6617 6628 return;
6618 6629
6619 6630 /*
6620 6631 * 0 should be fport, 1 should be lport. SRC is the local one here.
6621 6632 * See ipsec_construct_inverse_acquire() for details.
6622 6633 */
6623 6634 pptr[0] = sel->ips_remote_port;
6624 6635 pptr[1] = sel->ips_local_port;
6625 6636
6626 6637 connfp = &ipst->ips_ipcl_conn_fanout[
6627 6638 IPCL_CONN_HASH(sel->ips_remote_addr_v4, ports, ipst)];
6628 6639 mutex_enter(&connfp->connf_lock);
6629 6640 connp = connfp->connf_head;
6630 6641
6631 6642 if (sel->ips_isv4) {
6632 6643 while (connp != NULL) {
6633 6644 if (IPCL_CONN_MATCH(connp, IPPROTO_TCP,
6634 6645 sel->ips_remote_addr_v4, sel->ips_local_addr_v4,
6635 6646 ports))
6636 6647 break;
6637 6648 connp = connp->conn_next;
6638 6649 }
6639 6650 } else {
6640 6651 while (connp != NULL) {
6641 6652 if (IPCL_CONN_MATCH_V6(connp, IPPROTO_TCP,
6642 6653 sel->ips_remote_addr_v6, sel->ips_local_addr_v6,
6643 6654 ports))
6644 6655 break;
6645 6656 connp = connp->conn_next;
6646 6657 }
6647 6658 }
6648 6659
6649 6660 if (connp != NULL) {
6650 6661 CONN_INC_REF(connp);
6651 6662 mutex_exit(&connfp->connf_lock);
6652 6663 } else {
6653 6664 mutex_exit(&connfp->connf_lock);
6654 6665
6655 6666 /* Try the listen hash. */
6656 6667 if ((connp = ipsec_find_listen_conn(pptr, sel, ipst)) == NULL)
6657 6668 return;
6658 6669 }
6659 6670
6660 6671 ipsec_conn_pol(sel, connp, ppp);
6661 6672 CONN_DEC_REF(connp);
6662 6673 }
6663 6674
6664 6675 static void
6665 6676 ipsec_sctp_pol(ipsec_selector_t *sel, ipsec_policy_t **ppp,
6666 6677 ip_stack_t *ipst)
6667 6678 {
6668 6679 conn_t *connp;
6669 6680 uint32_t ports;
6670 6681 uint16_t *pptr = (uint16_t *)&ports;
6671 6682
6672 6683 /*
6673 6684 * Find SCP state in the following order:
6674 6685 * 1.) Connected conns.
6675 6686 * 2.) Listeners.
6676 6687 *
6677 6688 * Even though #2 will be the common case for inbound traffic, only
6678 6689 * following this order insures correctness.
6679 6690 */
6680 6691
6681 6692 if (sel->ips_local_port == 0)
6682 6693 return;
6683 6694
6684 6695 /*
6685 6696 * 0 should be fport, 1 should be lport. SRC is the local one here.
6686 6697 * See ipsec_construct_inverse_acquire() for details.
6687 6698 */
6688 6699 pptr[0] = sel->ips_remote_port;
6689 6700 pptr[1] = sel->ips_local_port;
6690 6701
6691 6702 /*
6692 6703 * For labeled systems, there's no need to check the
6693 6704 * label here. It's known to be good as we checked
6694 6705 * before allowing the connection to become bound.
6695 6706 */
6696 6707 if (sel->ips_isv4) {
6697 6708 in6_addr_t src, dst;
6698 6709
6699 6710 IN6_IPADDR_TO_V4MAPPED(sel->ips_remote_addr_v4, &dst);
6700 6711 IN6_IPADDR_TO_V4MAPPED(sel->ips_local_addr_v4, &src);
6701 6712 connp = sctp_find_conn(&dst, &src, ports, ALL_ZONES,
6702 6713 0, ipst->ips_netstack->netstack_sctp);
6703 6714 } else {
6704 6715 connp = sctp_find_conn(&sel->ips_remote_addr_v6,
6705 6716 &sel->ips_local_addr_v6, ports, ALL_ZONES,
6706 6717 0, ipst->ips_netstack->netstack_sctp);
6707 6718 }
6708 6719 if (connp == NULL)
6709 6720 return;
6710 6721 ipsec_conn_pol(sel, connp, ppp);
6711 6722 CONN_DEC_REF(connp);
6712 6723 }
6713 6724
6714 6725 /*
6715 6726 * Fill in a query for the SPD (in "sel") using two PF_KEY address extensions.
6716 6727 * Returns 0 or errno, and always sets *diagnostic to something appropriate
6717 6728 * to PF_KEY.
6718 6729 *
6719 6730 * NOTE: For right now, this function (and ipsec_selector_t for that matter),
6720 6731 * ignore prefix lengths in the address extension. Since we match on first-
6721 6732 * entered policies, this shouldn't matter. Also, since we normalize prefix-
6722 6733 * set addresses to mask out the lower bits, we should get a suitable search
6723 6734 * key for the SPD anyway. This is the function to change if the assumption
6724 6735 * about suitable search keys is wrong.
6725 6736 */
6726 6737 static int
6727 6738 ipsec_get_inverse_acquire_sel(ipsec_selector_t *sel, sadb_address_t *srcext,
6728 6739 sadb_address_t *dstext, int *diagnostic)
6729 6740 {
6730 6741 struct sockaddr_in *src, *dst;
6731 6742 struct sockaddr_in6 *src6, *dst6;
6732 6743
6733 6744 *diagnostic = 0;
6734 6745
6735 6746 bzero(sel, sizeof (*sel));
6736 6747 sel->ips_protocol = srcext->sadb_address_proto;
6737 6748 dst = (struct sockaddr_in *)(dstext + 1);
6738 6749 if (dst->sin_family == AF_INET6) {
6739 6750 dst6 = (struct sockaddr_in6 *)dst;
6740 6751 src6 = (struct sockaddr_in6 *)(srcext + 1);
6741 6752 if (src6->sin6_family != AF_INET6) {
6742 6753 *diagnostic = SADB_X_DIAGNOSTIC_AF_MISMATCH;
6743 6754 return (EINVAL);
6744 6755 }
6745 6756 sel->ips_remote_addr_v6 = dst6->sin6_addr;
6746 6757 sel->ips_local_addr_v6 = src6->sin6_addr;
6747 6758 if (sel->ips_protocol == IPPROTO_ICMPV6) {
6748 6759 sel->ips_is_icmp_inv_acq = 1;
6749 6760 } else {
6750 6761 sel->ips_remote_port = dst6->sin6_port;
6751 6762 sel->ips_local_port = src6->sin6_port;
6752 6763 }
6753 6764 sel->ips_isv4 = B_FALSE;
6754 6765 } else {
6755 6766 src = (struct sockaddr_in *)(srcext + 1);
6756 6767 if (src->sin_family != AF_INET) {
6757 6768 *diagnostic = SADB_X_DIAGNOSTIC_AF_MISMATCH;
6758 6769 return (EINVAL);
6759 6770 }
6760 6771 sel->ips_remote_addr_v4 = dst->sin_addr.s_addr;
6761 6772 sel->ips_local_addr_v4 = src->sin_addr.s_addr;
6762 6773 if (sel->ips_protocol == IPPROTO_ICMP) {
6763 6774 sel->ips_is_icmp_inv_acq = 1;
6764 6775 } else {
6765 6776 sel->ips_remote_port = dst->sin_port;
6766 6777 sel->ips_local_port = src->sin_port;
6767 6778 }
6768 6779 sel->ips_isv4 = B_TRUE;
6769 6780 }
6770 6781 return (0);
6771 6782 }
6772 6783
6773 6784 /*
6774 6785 * We have encapsulation.
6775 6786 * - Lookup tun_t by address and look for an associated
6776 6787 * tunnel policy
6777 6788 * - If there are inner selectors
6778 6789 * - check ITPF_P_TUNNEL and ITPF_P_ACTIVE
6779 6790 * - Look up tunnel policy based on selectors
6780 6791 * - Else
6781 6792 * - Sanity check the negotation
6782 6793 * - If appropriate, fall through to global policy
6783 6794 */
6784 6795 static int
6785 6796 ipsec_tun_pol(ipsec_selector_t *sel, ipsec_policy_t **ppp,
6786 6797 sadb_address_t *innsrcext, sadb_address_t *inndstext, ipsec_tun_pol_t *itp,
6787 6798 int *diagnostic)
6788 6799 {
6789 6800 int err;
6790 6801 ipsec_policy_head_t *polhead;
6791 6802
6792 6803 *diagnostic = 0;
6793 6804
6794 6805 /* Check for inner selectors and act appropriately */
6795 6806
6796 6807 if (innsrcext != NULL) {
6797 6808 /* Inner selectors present */
6798 6809 ASSERT(inndstext != NULL);
6799 6810 if ((itp == NULL) ||
6800 6811 (itp->itp_flags & (ITPF_P_ACTIVE | ITPF_P_TUNNEL)) !=
6801 6812 (ITPF_P_ACTIVE | ITPF_P_TUNNEL)) {
6802 6813 /*
6803 6814 * If inner packet selectors, we must have negotiate
6804 6815 * tunnel and active policy. If the tunnel has
6805 6816 * transport-mode policy set on it, or has no policy,
6806 6817 * fail.
6807 6818 */
6808 6819 return (ENOENT);
6809 6820 } else {
6810 6821 /*
6811 6822 * Reset "sel" to indicate inner selectors. Pass
6812 6823 * inner PF_KEY address extensions for this to happen.
6813 6824 */
6814 6825 if ((err = ipsec_get_inverse_acquire_sel(sel,
6815 6826 innsrcext, inndstext, diagnostic)) != 0)
6816 6827 return (err);
6817 6828 /*
6818 6829 * Now look for a tunnel policy based on those inner
6819 6830 * selectors. (Common code is below.)
6820 6831 */
6821 6832 }
6822 6833 } else {
6823 6834 /* No inner selectors present */
6824 6835 if ((itp == NULL) || !(itp->itp_flags & ITPF_P_ACTIVE)) {
6825 6836 /*
6826 6837 * Transport mode negotiation with no tunnel policy
6827 6838 * configured - return to indicate a global policy
6828 6839 * check is needed.
6829 6840 */
6830 6841 return (0);
6831 6842 } else if (itp->itp_flags & ITPF_P_TUNNEL) {
6832 6843 /* Tunnel mode set with no inner selectors. */
6833 6844 return (ENOENT);
6834 6845 }
6835 6846 /*
6836 6847 * Else, this is a tunnel policy configured with ifconfig(1m)
6837 6848 * or "negotiate transport" with ipsecconf(1m). We have an
6838 6849 * itp with policy set based on any match, so don't bother
6839 6850 * changing fields in "sel".
6840 6851 */
6841 6852 }
6842 6853
6843 6854 ASSERT(itp != NULL);
6844 6855 polhead = itp->itp_policy;
6845 6856 ASSERT(polhead != NULL);
6846 6857 rw_enter(&polhead->iph_lock, RW_READER);
6847 6858 *ppp = ipsec_find_policy_head(NULL, polhead, IPSEC_TYPE_INBOUND, sel);
6848 6859 rw_exit(&polhead->iph_lock);
6849 6860
6850 6861 /*
6851 6862 * Don't default to global if we didn't find a matching policy entry.
6852 6863 * Instead, send ENOENT, just like if we hit a transport-mode tunnel.
6853 6864 */
6854 6865 if (*ppp == NULL)
6855 6866 return (ENOENT);
6856 6867
6857 6868 return (0);
6858 6869 }
6859 6870
6860 6871 /*
6861 6872 * For sctp conn_faddr is the primary address, hence this is of limited
6862 6873 * use for sctp.
6863 6874 */
6864 6875 static void
6865 6876 ipsec_oth_pol(ipsec_selector_t *sel, ipsec_policy_t **ppp,
6866 6877 ip_stack_t *ipst)
6867 6878 {
6868 6879 boolean_t isv4 = sel->ips_isv4;
6869 6880 connf_t *connfp;
6870 6881 conn_t *connp;
6871 6882
6872 6883 if (isv4) {
6873 6884 connfp = &ipst->ips_ipcl_proto_fanout_v4[sel->ips_protocol];
6874 6885 } else {
6875 6886 connfp = &ipst->ips_ipcl_proto_fanout_v6[sel->ips_protocol];
6876 6887 }
6877 6888
6878 6889 mutex_enter(&connfp->connf_lock);
6879 6890 for (connp = connfp->connf_head; connp != NULL;
6880 6891 connp = connp->conn_next) {
6881 6892 if (isv4) {
6882 6893 if ((connp->conn_laddr_v4 == INADDR_ANY ||
6883 6894 connp->conn_laddr_v4 == sel->ips_local_addr_v4) &&
6884 6895 (connp->conn_faddr_v4 == INADDR_ANY ||
6885 6896 connp->conn_faddr_v4 == sel->ips_remote_addr_v4))
6886 6897 break;
6887 6898 } else {
6888 6899 if ((IN6_IS_ADDR_UNSPECIFIED(&connp->conn_laddr_v6) ||
6889 6900 IN6_ARE_ADDR_EQUAL(&connp->conn_laddr_v6,
6890 6901 &sel->ips_local_addr_v6)) &&
6891 6902 (IN6_IS_ADDR_UNSPECIFIED(&connp->conn_faddr_v6) ||
6892 6903 IN6_ARE_ADDR_EQUAL(&connp->conn_faddr_v6,
6893 6904 &sel->ips_remote_addr_v6)))
6894 6905 break;
6895 6906 }
6896 6907 }
6897 6908 if (connp == NULL) {
6898 6909 mutex_exit(&connfp->connf_lock);
6899 6910 return;
6900 6911 }
6901 6912
6902 6913 CONN_INC_REF(connp);
6903 6914 mutex_exit(&connfp->connf_lock);
6904 6915
6905 6916 ipsec_conn_pol(sel, connp, ppp);
6906 6917 CONN_DEC_REF(connp);
6907 6918 }
6908 6919
6909 6920 /*
6910 6921 * Construct an inverse ACQUIRE reply based on:
6911 6922 *
6912 6923 * 1.) Current global policy.
6913 6924 * 2.) An conn_t match depending on what all was passed in the extv[].
6914 6925 * 3.) A tunnel's policy head.
6915 6926 * ...
6916 6927 * N.) Other stuff TBD (e.g. identities)
6917 6928 *
6918 6929 * If there is an error, set sadb_msg_errno and sadb_x_msg_diagnostic
6919 6930 * in this function so the caller can extract them where appropriately.
6920 6931 *
6921 6932 * The SRC address is the local one - just like an outbound ACQUIRE message.
6922 6933 *
6923 6934 * XXX MLS: key management supplies a label which we just reflect back up
6924 6935 * again. clearly we need to involve the label in the rest of the checks.
6925 6936 */
6926 6937 mblk_t *
6927 6938 ipsec_construct_inverse_acquire(sadb_msg_t *samsg, sadb_ext_t *extv[],
6928 6939 netstack_t *ns)
6929 6940 {
6930 6941 int err;
6931 6942 int diagnostic;
6932 6943 sadb_address_t *srcext = (sadb_address_t *)extv[SADB_EXT_ADDRESS_SRC],
6933 6944 *dstext = (sadb_address_t *)extv[SADB_EXT_ADDRESS_DST],
6934 6945 *innsrcext = (sadb_address_t *)extv[SADB_X_EXT_ADDRESS_INNER_SRC],
6935 6946 *inndstext = (sadb_address_t *)extv[SADB_X_EXT_ADDRESS_INNER_DST];
6936 6947 sadb_sens_t *sens = (sadb_sens_t *)extv[SADB_EXT_SENSITIVITY];
6937 6948 struct sockaddr_in6 *src, *dst;
6938 6949 struct sockaddr_in6 *isrc, *idst;
6939 6950 ipsec_tun_pol_t *itp = NULL;
6940 6951 ipsec_policy_t *pp = NULL;
6941 6952 ipsec_selector_t sel, isel;
6942 6953 mblk_t *retmp = NULL;
6943 6954 ip_stack_t *ipst = ns->netstack_ip;
6944 6955
6945 6956
6946 6957 /* Normalize addresses */
6947 6958 if (sadb_addrcheck(NULL, (mblk_t *)samsg, (sadb_ext_t *)srcext, 0, ns)
6948 6959 == KS_IN_ADDR_UNKNOWN) {
6949 6960 err = EINVAL;
6950 6961 diagnostic = SADB_X_DIAGNOSTIC_BAD_SRC;
6951 6962 goto bail;
6952 6963 }
6953 6964 src = (struct sockaddr_in6 *)(srcext + 1);
6954 6965 if (sadb_addrcheck(NULL, (mblk_t *)samsg, (sadb_ext_t *)dstext, 0, ns)
6955 6966 == KS_IN_ADDR_UNKNOWN) {
6956 6967 err = EINVAL;
6957 6968 diagnostic = SADB_X_DIAGNOSTIC_BAD_DST;
6958 6969 goto bail;
6959 6970 }
6960 6971 dst = (struct sockaddr_in6 *)(dstext + 1);
6961 6972 if (src->sin6_family != dst->sin6_family) {
6962 6973 err = EINVAL;
6963 6974 diagnostic = SADB_X_DIAGNOSTIC_AF_MISMATCH;
6964 6975 goto bail;
6965 6976 }
6966 6977
6967 6978 /* Check for tunnel mode and act appropriately */
6968 6979 if (innsrcext != NULL) {
6969 6980 if (inndstext == NULL) {
6970 6981 err = EINVAL;
6971 6982 diagnostic = SADB_X_DIAGNOSTIC_MISSING_INNER_DST;
6972 6983 goto bail;
6973 6984 }
6974 6985 if (sadb_addrcheck(NULL, (mblk_t *)samsg,
6975 6986 (sadb_ext_t *)innsrcext, 0, ns) == KS_IN_ADDR_UNKNOWN) {
6976 6987 err = EINVAL;
6977 6988 diagnostic = SADB_X_DIAGNOSTIC_MALFORMED_INNER_SRC;
6978 6989 goto bail;
6979 6990 }
6980 6991 isrc = (struct sockaddr_in6 *)(innsrcext + 1);
6981 6992 if (sadb_addrcheck(NULL, (mblk_t *)samsg,
6982 6993 (sadb_ext_t *)inndstext, 0, ns) == KS_IN_ADDR_UNKNOWN) {
6983 6994 err = EINVAL;
6984 6995 diagnostic = SADB_X_DIAGNOSTIC_MALFORMED_INNER_DST;
6985 6996 goto bail;
6986 6997 }
6987 6998 idst = (struct sockaddr_in6 *)(inndstext + 1);
6988 6999 if (isrc->sin6_family != idst->sin6_family) {
6989 7000 err = EINVAL;
6990 7001 diagnostic = SADB_X_DIAGNOSTIC_INNER_AF_MISMATCH;
6991 7002 goto bail;
6992 7003 }
6993 7004 if (isrc->sin6_family != AF_INET &&
6994 7005 isrc->sin6_family != AF_INET6) {
6995 7006 err = EINVAL;
6996 7007 diagnostic = SADB_X_DIAGNOSTIC_BAD_INNER_SRC_AF;
6997 7008 goto bail;
6998 7009 }
6999 7010 } else if (inndstext != NULL) {
7000 7011 err = EINVAL;
7001 7012 diagnostic = SADB_X_DIAGNOSTIC_MISSING_INNER_SRC;
7002 7013 goto bail;
7003 7014 }
7004 7015
7005 7016 /* Get selectors first, based on outer addresses */
7006 7017 err = ipsec_get_inverse_acquire_sel(&sel, srcext, dstext, &diagnostic);
7007 7018 if (err != 0)
7008 7019 goto bail;
7009 7020
7010 7021 /* Check for tunnel mode mismatches. */
7011 7022 if (innsrcext != NULL &&
7012 7023 ((isrc->sin6_family == AF_INET &&
7013 7024 sel.ips_protocol != IPPROTO_ENCAP && sel.ips_protocol != 0) ||
7014 7025 (isrc->sin6_family == AF_INET6 &&
7015 7026 sel.ips_protocol != IPPROTO_IPV6 && sel.ips_protocol != 0))) {
7016 7027 err = EPROTOTYPE;
7017 7028 goto bail;
7018 7029 }
7019 7030
7020 7031 /*
7021 7032 * Okay, we have the addresses and other selector information.
7022 7033 * Let's first find a conn...
7023 7034 */
7024 7035 pp = NULL;
7025 7036 switch (sel.ips_protocol) {
7026 7037 case IPPROTO_TCP:
7027 7038 ipsec_tcp_pol(&sel, &pp, ipst);
7028 7039 break;
7029 7040 case IPPROTO_UDP:
7030 7041 ipsec_udp_pol(&sel, &pp, ipst);
7031 7042 break;
7032 7043 case IPPROTO_SCTP:
7033 7044 ipsec_sctp_pol(&sel, &pp, ipst);
7034 7045 break;
7035 7046 case IPPROTO_ENCAP:
7036 7047 case IPPROTO_IPV6:
7037 7048 /*
7038 7049 * Assume sel.ips_remote_addr_* has the right address at
7039 7050 * that exact position.
7040 7051 */
7041 7052 itp = itp_get_byaddr((uint32_t *)(&sel.ips_local_addr_v6),
7042 7053 (uint32_t *)(&sel.ips_remote_addr_v6), src->sin6_family,
7043 7054 ipst);
7044 7055
7045 7056 if (innsrcext == NULL) {
7046 7057 /*
7047 7058 * Transport-mode tunnel, make sure we fake out isel
7048 7059 * to contain something based on the outer protocol.
7049 7060 */
7050 7061 bzero(&isel, sizeof (isel));
7051 7062 isel.ips_isv4 = (sel.ips_protocol == IPPROTO_ENCAP);
7052 7063 } /* Else isel is initialized by ipsec_tun_pol(). */
7053 7064 err = ipsec_tun_pol(&isel, &pp, innsrcext, inndstext, itp,
7054 7065 &diagnostic);
7055 7066 /*
7056 7067 * NOTE: isel isn't used for now, but in RFC 430x IPsec, it
7057 7068 * may be.
7058 7069 */
7059 7070 if (err != 0)
7060 7071 goto bail;
7061 7072 break;
7062 7073 default:
7063 7074 ipsec_oth_pol(&sel, &pp, ipst);
7064 7075 break;
7065 7076 }
7066 7077
7067 7078 /*
7068 7079 * If we didn't find a matching conn_t or other policy head, take a
7069 7080 * look in the global policy.
7070 7081 */
7071 7082 if (pp == NULL) {
7072 7083 pp = ipsec_find_policy(IPSEC_TYPE_OUTBOUND, NULL, &sel, ns);
7073 7084 if (pp == NULL) {
7074 7085 /* There's no global policy. */
7075 7086 err = ENOENT;
7076 7087 diagnostic = 0;
7077 7088 goto bail;
7078 7089 }
7079 7090 }
7080 7091
7081 7092 ASSERT(pp != NULL);
7082 7093 retmp = sadb_acquire_msg_base(0, 0, samsg->sadb_msg_seq,
7083 7094 samsg->sadb_msg_pid);
7084 7095 if (retmp != NULL) {
7085 7096 /* Remove KEYSOCK_OUT, because caller constructs it instead. */
7086 7097 mblk_t *kso = retmp;
7087 7098
7088 7099 retmp = retmp->b_cont;
7089 7100 freeb(kso);
7090 7101 /* Append addresses... */
7091 7102 retmp->b_cont = sadb_acquire_msg_common(&sel, pp, NULL,
7092 7103 (itp != NULL && (itp->itp_flags & ITPF_P_TUNNEL)), NULL,
7093 7104 sens);
7094 7105 if (retmp->b_cont == NULL) {
7095 7106 freemsg(retmp);
7096 7107 retmp = NULL;
7097 7108 }
7098 7109 /* And the policy result. */
7099 7110 retmp->b_cont->b_cont =
7100 7111 sadb_acquire_extended_prop(pp->ipsp_act, ns);
7101 7112 if (retmp->b_cont->b_cont == NULL) {
7102 7113 freemsg(retmp);
7103 7114 retmp = NULL;
7104 7115 }
7105 7116 ((sadb_msg_t *)retmp->b_rptr)->sadb_msg_len =
7106 7117 SADB_8TO64(msgsize(retmp));
7107 7118 }
7108 7119
7109 7120 if (pp != NULL) {
7110 7121 IPPOL_REFRELE(pp);
7111 7122 }
7112 7123 ASSERT(err == 0 && diagnostic == 0);
7113 7124 if (retmp == NULL)
7114 7125 err = ENOMEM;
7115 7126 bail:
7116 7127 if (itp != NULL) {
7117 7128 ITP_REFRELE(itp, ns);
7118 7129 }
7119 7130 samsg->sadb_msg_errno = (uint8_t)err;
7120 7131 samsg->sadb_x_msg_diagnostic = (uint16_t)diagnostic;
7121 7132 return (retmp);
7122 7133 }
7123 7134
7124 7135 /*
7125 7136 * ipsa_lpkt is a one-element queue, only manipulated by the next two
7126 7137 * functions. They have to hold the ipsa_lock because of potential races
7127 7138 * between key management using SADB_UPDATE, and inbound packets that may
7128 7139 * queue up on the larval SA (hence the 'l' in "lpkt").
7129 7140 */
7130 7141
7131 7142 /*
7132 7143 * sadb_set_lpkt:
7133 7144 *
7134 7145 * Returns the passed-in packet if the SA is no longer larval.
7135 7146 *
7136 7147 * Returns NULL if the SA is larval, and needs to be swapped into the SA for
7137 7148 * processing after an SADB_UPDATE.
7138 7149 */
7139 7150 mblk_t *
7140 7151 sadb_set_lpkt(ipsa_t *ipsa, mblk_t *npkt, ip_recv_attr_t *ira)
7141 7152 {
7142 7153 mblk_t *opkt;
7143 7154
7144 7155 mutex_enter(&ipsa->ipsa_lock);
7145 7156 opkt = ipsa->ipsa_lpkt;
7146 7157 if (ipsa->ipsa_state == IPSA_STATE_LARVAL) {
7147 7158 /*
7148 7159 * Consume npkt and place it in the LARVAL SA's inbound
7149 7160 * packet slot.
7150 7161 */
7151 7162 mblk_t *attrmp;
7152 7163
7153 7164 attrmp = ip_recv_attr_to_mblk(ira);
7154 7165 if (attrmp == NULL) {
7155 7166 ill_t *ill = ira->ira_ill;
7156 7167
7157 7168 BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
7158 7169 ip_drop_input("ipIfStatsInDiscards", npkt, ill);
7159 7170 freemsg(npkt);
7160 7171 opkt = NULL;
7161 7172 } else {
7162 7173 ASSERT(attrmp->b_cont == NULL);
7163 7174 attrmp->b_cont = npkt;
7164 7175 ipsa->ipsa_lpkt = attrmp;
7165 7176 }
7166 7177 npkt = NULL;
7167 7178 } else {
7168 7179 /*
7169 7180 * If not larval, we lost the race. NOTE: ipsa_lpkt may still
7170 7181 * have been non-NULL in the non-larval case, because of
7171 7182 * inbound packets arriving prior to sadb_common_add()
7172 7183 * transferring the SA completely out of larval state, but
7173 7184 * after lpkt was grabbed by the AH/ESP-specific add routines.
7174 7185 * We should clear the old ipsa_lpkt in this case to make sure
7175 7186 * that it doesn't linger on the now-MATURE IPsec SA, or get
7176 7187 * picked up as an out-of-order packet.
7177 7188 */
7178 7189 ipsa->ipsa_lpkt = NULL;
7179 7190 }
7180 7191 mutex_exit(&ipsa->ipsa_lock);
7181 7192
7182 7193 if (opkt != NULL) {
7183 7194 ipsec_stack_t *ipss;
7184 7195
7185 7196 ipss = ira->ira_ill->ill_ipst->ips_netstack->netstack_ipsec;
7186 7197 opkt = ip_recv_attr_free_mblk(opkt);
7187 7198 ip_drop_packet(opkt, B_TRUE, ira->ira_ill,
7188 7199 DROPPER(ipss, ipds_sadb_inlarval_replace),
7189 7200 &ipss->ipsec_sadb_dropper);
7190 7201 }
7191 7202 return (npkt);
7192 7203 }
7193 7204
7194 7205 /*
7195 7206 * sadb_clear_lpkt: Atomically clear ipsa->ipsa_lpkt and return the
7196 7207 * previous value.
7197 7208 */
7198 7209 mblk_t *
7199 7210 sadb_clear_lpkt(ipsa_t *ipsa)
7200 7211 {
7201 7212 mblk_t *opkt;
7202 7213
7203 7214 mutex_enter(&ipsa->ipsa_lock);
7204 7215 opkt = ipsa->ipsa_lpkt;
7205 7216 ipsa->ipsa_lpkt = NULL;
7206 7217 mutex_exit(&ipsa->ipsa_lock);
7207 7218 return (opkt);
7208 7219 }
7209 7220
7210 7221 /*
7211 7222 * Buffer a packet that's in IDLE state as set by Solaris Clustering.
7212 7223 */
7213 7224 void
7214 7225 sadb_buf_pkt(ipsa_t *ipsa, mblk_t *bpkt, ip_recv_attr_t *ira)
7215 7226 {
7216 7227 netstack_t *ns = ira->ira_ill->ill_ipst->ips_netstack;
7217 7228 ipsec_stack_t *ipss = ns->netstack_ipsec;
7218 7229 in6_addr_t *srcaddr = (in6_addr_t *)(&ipsa->ipsa_srcaddr);
7219 7230 in6_addr_t *dstaddr = (in6_addr_t *)(&ipsa->ipsa_dstaddr);
7220 7231 mblk_t *mp;
7221 7232
7222 7233 ASSERT(ipsa->ipsa_state == IPSA_STATE_IDLE);
7223 7234
7224 7235 if (cl_inet_idlesa == NULL) {
7225 7236 ip_drop_packet(bpkt, B_TRUE, ira->ira_ill,
7226 7237 DROPPER(ipss, ipds_sadb_inidle_overflow),
7227 7238 &ipss->ipsec_sadb_dropper);
7228 7239 return;
7229 7240 }
7230 7241
7231 7242 cl_inet_idlesa(ns->netstack_stackid,
7232 7243 (ipsa->ipsa_type == SADB_SATYPE_AH) ? IPPROTO_AH : IPPROTO_ESP,
7233 7244 ipsa->ipsa_spi, ipsa->ipsa_addrfam, *srcaddr, *dstaddr, NULL);
7234 7245
7235 7246 mp = ip_recv_attr_to_mblk(ira);
7236 7247 if (mp == NULL) {
7237 7248 ip_drop_packet(bpkt, B_TRUE, ira->ira_ill,
7238 7249 DROPPER(ipss, ipds_sadb_inidle_overflow),
7239 7250 &ipss->ipsec_sadb_dropper);
7240 7251 return;
7241 7252 }
7242 7253 linkb(mp, bpkt);
7243 7254
7244 7255 mutex_enter(&ipsa->ipsa_lock);
7245 7256 ipsa->ipsa_mblkcnt++;
7246 7257 if (ipsa->ipsa_bpkt_head == NULL) {
7247 7258 ipsa->ipsa_bpkt_head = ipsa->ipsa_bpkt_tail = bpkt;
7248 7259 } else {
7249 7260 ipsa->ipsa_bpkt_tail->b_next = bpkt;
7250 7261 ipsa->ipsa_bpkt_tail = bpkt;
7251 7262 if (ipsa->ipsa_mblkcnt > SADB_MAX_IDLEPKTS) {
7252 7263 mblk_t *tmp;
7253 7264
7254 7265 tmp = ipsa->ipsa_bpkt_head;
7255 7266 ipsa->ipsa_bpkt_head = ipsa->ipsa_bpkt_head->b_next;
7256 7267 tmp = ip_recv_attr_free_mblk(tmp);
7257 7268 ip_drop_packet(tmp, B_TRUE, NULL,
7258 7269 DROPPER(ipss, ipds_sadb_inidle_overflow),
7259 7270 &ipss->ipsec_sadb_dropper);
7260 7271 ipsa->ipsa_mblkcnt --;
7261 7272 }
7262 7273 }
7263 7274 mutex_exit(&ipsa->ipsa_lock);
7264 7275 }
7265 7276
7266 7277 /*
7267 7278 * Stub function that taskq_dispatch() invokes to take the mblk (in arg)
7268 7279 * and put into STREAMS again.
7269 7280 */
7270 7281 void
7271 7282 sadb_clear_buf_pkt(void *ipkt)
7272 7283 {
7273 7284 mblk_t *tmp, *buf_pkt;
7274 7285 ip_recv_attr_t iras;
7275 7286
7276 7287 buf_pkt = (mblk_t *)ipkt;
7277 7288
7278 7289 while (buf_pkt != NULL) {
7279 7290 mblk_t *data_mp;
7280 7291
7281 7292 tmp = buf_pkt->b_next;
7282 7293 buf_pkt->b_next = NULL;
7283 7294
7284 7295 data_mp = buf_pkt->b_cont;
7285 7296 buf_pkt->b_cont = NULL;
7286 7297 if (!ip_recv_attr_from_mblk(buf_pkt, &iras)) {
7287 7298 /* The ill or ip_stack_t disappeared on us. */
7288 7299 ip_drop_input("ip_recv_attr_from_mblk", data_mp, NULL);
7289 7300 freemsg(data_mp);
7290 7301 } else {
7291 7302 ip_input_post_ipsec(data_mp, &iras);
7292 7303 }
7293 7304 ira_cleanup(&iras, B_TRUE);
7294 7305 buf_pkt = tmp;
7295 7306 }
7296 7307 }
7297 7308 /*
7298 7309 * Walker callback used by sadb_alg_update() to free/create crypto
7299 7310 * context template when a crypto software provider is removed or
7300 7311 * added.
7301 7312 */
7302 7313
7303 7314 struct sadb_update_alg_state {
7304 7315 ipsec_algtype_t alg_type;
7305 7316 uint8_t alg_id;
7306 7317 boolean_t is_added;
7307 7318 boolean_t async_auth;
7308 7319 boolean_t async_encr;
7309 7320 };
7310 7321
7311 7322 static void
7312 7323 sadb_alg_update_cb(isaf_t *head, ipsa_t *entry, void *cookie)
7313 7324 {
7314 7325 struct sadb_update_alg_state *update_state =
7315 7326 (struct sadb_update_alg_state *)cookie;
7316 7327 crypto_ctx_template_t *ctx_tmpl = NULL;
7317 7328
7318 7329 ASSERT(MUTEX_HELD(&head->isaf_lock));
7319 7330
7320 7331 if (entry->ipsa_state == IPSA_STATE_LARVAL)
7321 7332 return;
7322 7333
7323 7334 mutex_enter(&entry->ipsa_lock);
7324 7335
7325 7336 if ((entry->ipsa_encr_alg != SADB_EALG_NONE && entry->ipsa_encr_alg !=
7326 7337 SADB_EALG_NULL && update_state->async_encr) ||
7327 7338 (entry->ipsa_auth_alg != SADB_AALG_NONE &&
7328 7339 update_state->async_auth)) {
7329 7340 entry->ipsa_flags |= IPSA_F_ASYNC;
7330 7341 } else {
7331 7342 entry->ipsa_flags &= ~IPSA_F_ASYNC;
7332 7343 }
7333 7344
7334 7345 switch (update_state->alg_type) {
7335 7346 case IPSEC_ALG_AUTH:
7336 7347 if (entry->ipsa_auth_alg == update_state->alg_id)
7337 7348 ctx_tmpl = &entry->ipsa_authtmpl;
7338 7349 break;
7339 7350 case IPSEC_ALG_ENCR:
7340 7351 if (entry->ipsa_encr_alg == update_state->alg_id)
7341 7352 ctx_tmpl = &entry->ipsa_encrtmpl;
7342 7353 break;
7343 7354 default:
7344 7355 ctx_tmpl = NULL;
7345 7356 }
7346 7357
7347 7358 if (ctx_tmpl == NULL) {
7348 7359 mutex_exit(&entry->ipsa_lock);
7349 7360 return;
7350 7361 }
7351 7362
7352 7363 /*
7353 7364 * The context template of the SA may be affected by the change
7354 7365 * of crypto provider.
7355 7366 */
7356 7367 if (update_state->is_added) {
7357 7368 /* create the context template if not already done */
7358 7369 if (*ctx_tmpl == NULL) {
7359 7370 (void) ipsec_create_ctx_tmpl(entry,
7360 7371 update_state->alg_type);
7361 7372 }
7362 7373 } else {
7363 7374 /*
7364 7375 * The crypto provider was removed. If the context template
7365 7376 * exists but it is no longer valid, free it.
7366 7377 */
7367 7378 if (*ctx_tmpl != NULL)
7368 7379 ipsec_destroy_ctx_tmpl(entry, update_state->alg_type);
7369 7380 }
7370 7381
7371 7382 mutex_exit(&entry->ipsa_lock);
7372 7383 }
7373 7384
7374 7385 /*
7375 7386 * Invoked by IP when an software crypto provider has been updated, or if
7376 7387 * the crypto synchrony changes. The type and id of the corresponding
7377 7388 * algorithm is passed as argument. The type is set to ALL in the case of
7378 7389 * a synchrony change.
7379 7390 *
7380 7391 * is_added is B_TRUE if the provider was added, B_FALSE if it was
7381 7392 * removed. The function updates the SADB and free/creates the
7382 7393 * context templates associated with SAs if needed.
7383 7394 */
7384 7395
7385 7396 #define SADB_ALG_UPDATE_WALK(sadb, table) \
7386 7397 sadb_walker((sadb).table, (sadb).sdb_hashsize, sadb_alg_update_cb, \
7387 7398 &update_state)
7388 7399
7389 7400 void
7390 7401 sadb_alg_update(ipsec_algtype_t alg_type, uint8_t alg_id, boolean_t is_added,
7391 7402 netstack_t *ns)
7392 7403 {
7393 7404 struct sadb_update_alg_state update_state;
7394 7405 ipsecah_stack_t *ahstack = ns->netstack_ipsecah;
7395 7406 ipsecesp_stack_t *espstack = ns->netstack_ipsecesp;
7396 7407 ipsec_stack_t *ipss = ns->netstack_ipsec;
7397 7408
7398 7409 update_state.alg_type = alg_type;
7399 7410 update_state.alg_id = alg_id;
7400 7411 update_state.is_added = is_added;
7401 7412 update_state.async_auth = ipss->ipsec_algs_exec_mode[IPSEC_ALG_AUTH] ==
7402 7413 IPSEC_ALGS_EXEC_ASYNC;
7403 7414 update_state.async_encr = ipss->ipsec_algs_exec_mode[IPSEC_ALG_ENCR] ==
7404 7415 IPSEC_ALGS_EXEC_ASYNC;
7405 7416
7406 7417 if (alg_type == IPSEC_ALG_AUTH || alg_type == IPSEC_ALG_ALL) {
7407 7418 /* walk the AH tables only for auth. algorithm changes */
7408 7419 SADB_ALG_UPDATE_WALK(ahstack->ah_sadb.s_v4, sdb_of);
7409 7420 SADB_ALG_UPDATE_WALK(ahstack->ah_sadb.s_v4, sdb_if);
7410 7421 SADB_ALG_UPDATE_WALK(ahstack->ah_sadb.s_v6, sdb_of);
7411 7422 SADB_ALG_UPDATE_WALK(ahstack->ah_sadb.s_v6, sdb_if);
7412 7423 }
7413 7424
7414 7425 /* walk the ESP tables */
7415 7426 SADB_ALG_UPDATE_WALK(espstack->esp_sadb.s_v4, sdb_of);
7416 7427 SADB_ALG_UPDATE_WALK(espstack->esp_sadb.s_v4, sdb_if);
7417 7428 SADB_ALG_UPDATE_WALK(espstack->esp_sadb.s_v6, sdb_of);
7418 7429 SADB_ALG_UPDATE_WALK(espstack->esp_sadb.s_v6, sdb_if);
7419 7430 }
7420 7431
7421 7432 /*
7422 7433 * Creates a context template for the specified SA. This function
7423 7434 * is called when an SA is created and when a context template needs
7424 7435 * to be created due to a change of software provider.
7425 7436 */
7426 7437 int
7427 7438 ipsec_create_ctx_tmpl(ipsa_t *sa, ipsec_algtype_t alg_type)
7428 7439 {
7429 7440 ipsec_alginfo_t *alg;
7430 7441 crypto_mechanism_t mech;
7431 7442 crypto_key_t *key;
7432 7443 crypto_ctx_template_t *sa_tmpl;
7433 7444 int rv;
7434 7445 ipsec_stack_t *ipss = sa->ipsa_netstack->netstack_ipsec;
7435 7446
7436 7447 ASSERT(RW_READ_HELD(&ipss->ipsec_alg_lock));
7437 7448 ASSERT(MUTEX_HELD(&sa->ipsa_lock));
7438 7449
7439 7450 /* get pointers to the algorithm info, context template, and key */
7440 7451 switch (alg_type) {
7441 7452 case IPSEC_ALG_AUTH:
7442 7453 key = &sa->ipsa_kcfauthkey;
7443 7454 sa_tmpl = &sa->ipsa_authtmpl;
7444 7455 alg = ipss->ipsec_alglists[alg_type][sa->ipsa_auth_alg];
7445 7456 break;
7446 7457 case IPSEC_ALG_ENCR:
7447 7458 key = &sa->ipsa_kcfencrkey;
7448 7459 sa_tmpl = &sa->ipsa_encrtmpl;
7449 7460 alg = ipss->ipsec_alglists[alg_type][sa->ipsa_encr_alg];
7450 7461 break;
7451 7462 default:
7452 7463 alg = NULL;
7453 7464 }
7454 7465
7455 7466 if (alg == NULL || !ALG_VALID(alg))
7456 7467 return (EINVAL);
7457 7468
7458 7469 /* initialize the mech info structure for the framework */
7459 7470 ASSERT(alg->alg_mech_type != CRYPTO_MECHANISM_INVALID);
7460 7471 mech.cm_type = alg->alg_mech_type;
7461 7472 mech.cm_param = NULL;
7462 7473 mech.cm_param_len = 0;
7463 7474
7464 7475 /* create a new context template */
7465 7476 rv = crypto_create_ctx_template(&mech, key, sa_tmpl, KM_NOSLEEP);
7466 7477
7467 7478 /*
7468 7479 * CRYPTO_MECH_NOT_SUPPORTED can be returned if only hardware
7469 7480 * providers are available for that mechanism. In that case
7470 7481 * we don't fail, and will generate the context template from
7471 7482 * the framework callback when a software provider for that
7472 7483 * mechanism registers.
7473 7484 *
7474 7485 * The context template is assigned the special value
7475 7486 * IPSEC_CTX_TMPL_ALLOC if the allocation failed due to a
7476 7487 * lack of memory. No attempt will be made to use
7477 7488 * the context template if it is set to this value.
7478 7489 */
7479 7490 if (rv == CRYPTO_HOST_MEMORY) {
7480 7491 *sa_tmpl = IPSEC_CTX_TMPL_ALLOC;
7481 7492 } else if (rv != CRYPTO_SUCCESS) {
7482 7493 *sa_tmpl = NULL;
7483 7494 if (rv != CRYPTO_MECH_NOT_SUPPORTED)
7484 7495 return (EINVAL);
7485 7496 }
7486 7497
7487 7498 return (0);
7488 7499 }
7489 7500
7490 7501 /*
7491 7502 * Destroy the context template of the specified algorithm type
7492 7503 * of the specified SA. Must be called while holding the SA lock.
7493 7504 */
7494 7505 void
7495 7506 ipsec_destroy_ctx_tmpl(ipsa_t *sa, ipsec_algtype_t alg_type)
7496 7507 {
7497 7508 ASSERT(MUTEX_HELD(&sa->ipsa_lock));
7498 7509
7499 7510 if (alg_type == IPSEC_ALG_AUTH) {
7500 7511 if (sa->ipsa_authtmpl == IPSEC_CTX_TMPL_ALLOC)
7501 7512 sa->ipsa_authtmpl = NULL;
7502 7513 else if (sa->ipsa_authtmpl != NULL) {
7503 7514 crypto_destroy_ctx_template(sa->ipsa_authtmpl);
7504 7515 sa->ipsa_authtmpl = NULL;
7505 7516 }
7506 7517 } else {
7507 7518 ASSERT(alg_type == IPSEC_ALG_ENCR);
7508 7519 if (sa->ipsa_encrtmpl == IPSEC_CTX_TMPL_ALLOC)
7509 7520 sa->ipsa_encrtmpl = NULL;
7510 7521 else if (sa->ipsa_encrtmpl != NULL) {
7511 7522 crypto_destroy_ctx_template(sa->ipsa_encrtmpl);
7512 7523 sa->ipsa_encrtmpl = NULL;
7513 7524 }
7514 7525 }
7515 7526 }
7516 7527
7517 7528 /*
7518 7529 * Use the kernel crypto framework to check the validity of a key received
7519 7530 * via keysock. Returns 0 if the key is OK, -1 otherwise.
7520 7531 */
7521 7532 int
7522 7533 ipsec_check_key(crypto_mech_type_t mech_type, sadb_key_t *sadb_key,
7523 7534 boolean_t is_auth, int *diag)
7524 7535 {
7525 7536 crypto_mechanism_t mech;
7526 7537 crypto_key_t crypto_key;
7527 7538 int crypto_rc;
7528 7539
7529 7540 mech.cm_type = mech_type;
7530 7541 mech.cm_param = NULL;
7531 7542 mech.cm_param_len = 0;
7532 7543
7533 7544 crypto_key.ck_format = CRYPTO_KEY_RAW;
7534 7545 crypto_key.ck_data = sadb_key + 1;
7535 7546 crypto_key.ck_length = sadb_key->sadb_key_bits;
7536 7547
7537 7548 crypto_rc = crypto_key_check(&mech, &crypto_key);
7538 7549
7539 7550 switch (crypto_rc) {
7540 7551 case CRYPTO_SUCCESS:
7541 7552 return (0);
7542 7553 case CRYPTO_MECHANISM_INVALID:
7543 7554 case CRYPTO_MECH_NOT_SUPPORTED:
7544 7555 *diag = is_auth ? SADB_X_DIAGNOSTIC_BAD_AALG :
7545 7556 SADB_X_DIAGNOSTIC_BAD_EALG;
7546 7557 break;
7547 7558 case CRYPTO_KEY_SIZE_RANGE:
7548 7559 *diag = is_auth ? SADB_X_DIAGNOSTIC_BAD_AKEYBITS :
7549 7560 SADB_X_DIAGNOSTIC_BAD_EKEYBITS;
7550 7561 break;
7551 7562 case CRYPTO_WEAK_KEY:
7552 7563 *diag = is_auth ? SADB_X_DIAGNOSTIC_WEAK_AKEY :
7553 7564 SADB_X_DIAGNOSTIC_WEAK_EKEY;
7554 7565 break;
7555 7566 }
7556 7567
7557 7568 return (-1);
7558 7569 }
7559 7570
7560 7571 /*
7561 7572 * Whack options in the outer IP header when ipsec changes the outer label
7562 7573 *
7563 7574 * This is inelegant and really could use refactoring.
7564 7575 */
7565 7576 mblk_t *
7566 7577 sadb_whack_label_v4(mblk_t *mp, ipsa_t *assoc, kstat_named_t *counter,
7567 7578 ipdropper_t *dropper)
7568 7579 {
7569 7580 int delta;
7570 7581 int plen;
7571 7582 dblk_t *db;
7572 7583 int hlen;
7573 7584 uint8_t *opt_storage = assoc->ipsa_opt_storage;
7574 7585 ipha_t *ipha = (ipha_t *)mp->b_rptr;
7575 7586
7576 7587 plen = ntohs(ipha->ipha_length);
7577 7588
7578 7589 delta = tsol_remove_secopt(ipha, MBLKL(mp));
7579 7590 mp->b_wptr += delta;
7580 7591 plen += delta;
7581 7592
7582 7593 /* XXX XXX code copied from tsol_check_label */
7583 7594
7584 7595 /* Make sure we have room for the worst-case addition */
7585 7596 hlen = IPH_HDR_LENGTH(ipha) + opt_storage[IPOPT_OLEN];
7586 7597 hlen = (hlen + 3) & ~3;
7587 7598 if (hlen > IP_MAX_HDR_LENGTH)
7588 7599 hlen = IP_MAX_HDR_LENGTH;
7589 7600 hlen -= IPH_HDR_LENGTH(ipha);
7590 7601
7591 7602 db = mp->b_datap;
7592 7603 if ((db->db_ref != 1) || (mp->b_wptr + hlen > db->db_lim)) {
7593 7604 int copylen;
7594 7605 mblk_t *new_mp;
7595 7606
7596 7607 /* allocate enough to be meaningful, but not *too* much */
7597 7608 copylen = MBLKL(mp);
7598 7609 if (copylen > 256)
7599 7610 copylen = 256;
7600 7611 new_mp = allocb_tmpl(hlen + copylen +
7601 7612 (mp->b_rptr - mp->b_datap->db_base), mp);
7602 7613
7603 7614 if (new_mp == NULL) {
7604 7615 ip_drop_packet(mp, B_FALSE, NULL, counter, dropper);
7605 7616 return (NULL);
7606 7617 }
7607 7618
7608 7619 /* keep the bias */
7609 7620 new_mp->b_rptr += mp->b_rptr - mp->b_datap->db_base;
7610 7621 new_mp->b_wptr = new_mp->b_rptr + copylen;
7611 7622 bcopy(mp->b_rptr, new_mp->b_rptr, copylen);
7612 7623 new_mp->b_cont = mp;
7613 7624 if ((mp->b_rptr += copylen) >= mp->b_wptr) {
7614 7625 new_mp->b_cont = mp->b_cont;
7615 7626 freeb(mp);
7616 7627 }
7617 7628 mp = new_mp;
7618 7629 ipha = (ipha_t *)mp->b_rptr;
7619 7630 }
7620 7631
7621 7632 delta = tsol_prepend_option(assoc->ipsa_opt_storage, ipha, MBLKL(mp));
7622 7633
7623 7634 ASSERT(delta != -1);
7624 7635
7625 7636 plen += delta;
7626 7637 mp->b_wptr += delta;
7627 7638
7628 7639 /*
7629 7640 * Paranoia
7630 7641 */
7631 7642 db = mp->b_datap;
7632 7643
7633 7644 ASSERT3P(mp->b_wptr, <=, db->db_lim);
7634 7645 ASSERT3P(mp->b_rptr, <=, db->db_lim);
7635 7646
7636 7647 ASSERT3P(mp->b_wptr, >=, db->db_base);
7637 7648 ASSERT3P(mp->b_rptr, >=, db->db_base);
7638 7649 /* End paranoia */
7639 7650
7640 7651 ipha->ipha_length = htons(plen);
7641 7652
7642 7653 return (mp);
7643 7654 }
7644 7655
7645 7656 mblk_t *
7646 7657 sadb_whack_label_v6(mblk_t *mp, ipsa_t *assoc, kstat_named_t *counter,
7647 7658 ipdropper_t *dropper)
7648 7659 {
7649 7660 int delta;
7650 7661 int plen;
7651 7662 dblk_t *db;
7652 7663 int hlen;
7653 7664 uint8_t *opt_storage = assoc->ipsa_opt_storage;
7654 7665 uint_t sec_opt_len; /* label option length not including type, len */
7655 7666 ip6_t *ip6h = (ip6_t *)mp->b_rptr;
7656 7667
7657 7668 plen = ntohs(ip6h->ip6_plen);
7658 7669
7659 7670 delta = tsol_remove_secopt_v6(ip6h, MBLKL(mp));
7660 7671 mp->b_wptr += delta;
7661 7672 plen += delta;
7662 7673
7663 7674 /* XXX XXX code copied from tsol_check_label_v6 */
7664 7675 /*
7665 7676 * Make sure we have room for the worst-case addition. Add 2 bytes for
7666 7677 * the hop-by-hop ext header's next header and length fields. Add
7667 7678 * another 2 bytes for the label option type, len and then round
7668 7679 * up to the next 8-byte multiple.
7669 7680 */
7670 7681 sec_opt_len = opt_storage[1];
7671 7682
7672 7683 db = mp->b_datap;
7673 7684 hlen = (4 + sec_opt_len + 7) & ~7;
7674 7685
7675 7686 if ((db->db_ref != 1) || (mp->b_wptr + hlen > db->db_lim)) {
7676 7687 int copylen;
7677 7688 mblk_t *new_mp;
7678 7689 uint16_t hdr_len;
7679 7690
7680 7691 hdr_len = ip_hdr_length_v6(mp, ip6h);
7681 7692 /*
7682 7693 * Allocate enough to be meaningful, but not *too* much.
7683 7694 * Also all the IPv6 extension headers must be in the same mblk
7684 7695 */
7685 7696 copylen = MBLKL(mp);
7686 7697 if (copylen > 256)
7687 7698 copylen = 256;
7688 7699 if (copylen < hdr_len)
7689 7700 copylen = hdr_len;
7690 7701 new_mp = allocb_tmpl(hlen + copylen +
7691 7702 (mp->b_rptr - mp->b_datap->db_base), mp);
7692 7703 if (new_mp == NULL) {
7693 7704 ip_drop_packet(mp, B_FALSE, NULL, counter, dropper);
7694 7705 return (NULL);
7695 7706 }
7696 7707
7697 7708 /* keep the bias */
7698 7709 new_mp->b_rptr += mp->b_rptr - mp->b_datap->db_base;
7699 7710 new_mp->b_wptr = new_mp->b_rptr + copylen;
7700 7711 bcopy(mp->b_rptr, new_mp->b_rptr, copylen);
7701 7712 new_mp->b_cont = mp;
7702 7713 if ((mp->b_rptr += copylen) >= mp->b_wptr) {
7703 7714 new_mp->b_cont = mp->b_cont;
7704 7715 freeb(mp);
7705 7716 }
7706 7717 mp = new_mp;
7707 7718 ip6h = (ip6_t *)mp->b_rptr;
7708 7719 }
7709 7720
7710 7721 delta = tsol_prepend_option_v6(assoc->ipsa_opt_storage,
7711 7722 ip6h, MBLKL(mp));
7712 7723
7713 7724 ASSERT(delta != -1);
7714 7725
7715 7726 plen += delta;
7716 7727 mp->b_wptr += delta;
7717 7728
7718 7729 /*
7719 7730 * Paranoia
7720 7731 */
7721 7732 db = mp->b_datap;
7722 7733
7723 7734 ASSERT3P(mp->b_wptr, <=, db->db_lim);
7724 7735 ASSERT3P(mp->b_rptr, <=, db->db_lim);
7725 7736
7726 7737 ASSERT3P(mp->b_wptr, >=, db->db_base);
7727 7738 ASSERT3P(mp->b_rptr, >=, db->db_base);
7728 7739 /* End paranoia */
7729 7740
7730 7741 ip6h->ip6_plen = htons(plen);
7731 7742
7732 7743 return (mp);
7733 7744 }
7734 7745
7735 7746 /* Whack the labels and update ip_xmit_attr_t as needed */
7736 7747 mblk_t *
7737 7748 sadb_whack_label(mblk_t *mp, ipsa_t *assoc, ip_xmit_attr_t *ixa,
7738 7749 kstat_named_t *counter, ipdropper_t *dropper)
7739 7750 {
7740 7751 int adjust;
7741 7752 int iplen;
7742 7753
7743 7754 if (ixa->ixa_flags & IXAF_IS_IPV4) {
7744 7755 ipha_t *ipha = (ipha_t *)mp->b_rptr;
7745 7756
7746 7757 ASSERT(IPH_HDR_VERSION(ipha) == IPV4_VERSION);
7747 7758 iplen = ntohs(ipha->ipha_length);
7748 7759 mp = sadb_whack_label_v4(mp, assoc, counter, dropper);
7749 7760 if (mp == NULL)
7750 7761 return (NULL);
7751 7762
7752 7763 ipha = (ipha_t *)mp->b_rptr;
7753 7764 ASSERT(IPH_HDR_VERSION(ipha) == IPV4_VERSION);
7754 7765 adjust = (int)ntohs(ipha->ipha_length) - iplen;
7755 7766 } else {
7756 7767 ip6_t *ip6h = (ip6_t *)mp->b_rptr;
7757 7768
7758 7769 ASSERT(IPH_HDR_VERSION(ip6h) == IPV6_VERSION);
7759 7770 iplen = ntohs(ip6h->ip6_plen);
7760 7771 mp = sadb_whack_label_v6(mp, assoc, counter, dropper);
7761 7772 if (mp == NULL)
7762 7773 return (NULL);
7763 7774
7764 7775 ip6h = (ip6_t *)mp->b_rptr;
7765 7776 ASSERT(IPH_HDR_VERSION(ip6h) == IPV6_VERSION);
7766 7777 adjust = (int)ntohs(ip6h->ip6_plen) - iplen;
7767 7778 }
7768 7779 ixa->ixa_pktlen += adjust;
7769 7780 ixa->ixa_ip_hdr_length += adjust;
7770 7781 return (mp);
7771 7782 }
7772 7783
7773 7784 /*
7774 7785 * If this is an outgoing SA then add some fuzz to the
7775 7786 * SOFT EXPIRE time. The reason for this is to stop
7776 7787 * peers trying to renegotiate SOFT expiring SA's at
7777 7788 * the same time. The amount of fuzz needs to be at
7778 7789 * least 8 seconds which is the typical interval
7779 7790 * sadb_ager(), although this is only a guide as it
7780 7791 * selftunes.
7781 7792 */
7782 7793 static void
7783 7794 lifetime_fuzz(ipsa_t *assoc)
7784 7795 {
7785 7796 uint8_t rnd;
7786 7797
7787 7798 if (assoc->ipsa_softaddlt == 0)
7788 7799 return;
7789 7800
7790 7801 (void) random_get_pseudo_bytes(&rnd, sizeof (rnd));
7791 7802 rnd = (rnd & 0xF) + 8;
7792 7803 assoc->ipsa_softexpiretime -= rnd;
7793 7804 assoc->ipsa_softaddlt -= rnd;
7794 7805 }
7795 7806
7796 7807 static void
7797 7808 destroy_ipsa_pair(ipsap_t *ipsapp)
7798 7809 {
7799 7810 /*
7800 7811 * Because of the multi-line macro nature of IPSA_REFRELE, keep
7801 7812 * them in { }.
7802 7813 */
7803 7814 if (ipsapp->ipsap_sa_ptr != NULL) {
7804 7815 IPSA_REFRELE(ipsapp->ipsap_sa_ptr);
7805 7816 }
7806 7817 if (ipsapp->ipsap_psa_ptr != NULL) {
7807 7818 IPSA_REFRELE(ipsapp->ipsap_psa_ptr);
7808 7819 }
7809 7820 init_ipsa_pair(ipsapp);
7810 7821 }
7811 7822
7812 7823 static void
7813 7824 init_ipsa_pair(ipsap_t *ipsapp)
7814 7825 {
7815 7826 ipsapp->ipsap_bucket = NULL;
7816 7827 ipsapp->ipsap_sa_ptr = NULL;
7817 7828 ipsapp->ipsap_pbucket = NULL;
7818 7829 ipsapp->ipsap_psa_ptr = NULL;
7819 7830 }
7820 7831
7821 7832 /*
7822 7833 * The sadb_ager() function walks through the hash tables of SA's and ages
7823 7834 * them, if the SA expires as a result, its marked as DEAD and will be reaped
7824 7835 * the next time sadb_ager() runs. SA's which are paired or have a peer (same
7825 7836 * SA appears in both the inbound and outbound tables because its not possible
7826 7837 * to determine its direction) are placed on a list when they expire. This is
7827 7838 * to ensure that pair/peer SA's are reaped at the same time, even if they
7828 7839 * expire at different times.
7829 7840 *
7830 7841 * This function is called twice by sadb_ager(), one after processing the
7831 7842 * inbound table, then again after processing the outbound table.
7832 7843 */
7833 7844 void
7834 7845 age_pair_peer_list(templist_t *haspeerlist, sadb_t *sp, boolean_t outbound)
7835 7846 {
7836 7847 templist_t *listptr;
7837 7848 int outhash;
7838 7849 isaf_t *bucket;
7839 7850 boolean_t haspeer;
7840 7851 ipsa_t *peer_assoc, *dying;
7841 7852 /*
7842 7853 * Haspeer cases will contain both IPv4 and IPv6. This code
7843 7854 * is address independent.
7844 7855 */
7845 7856 while (haspeerlist != NULL) {
7846 7857 /* "dying" contains the SA that has a peer. */
7847 7858 dying = haspeerlist->ipsa;
7848 7859 haspeer = (dying->ipsa_haspeer);
7849 7860 listptr = haspeerlist;
7850 7861 haspeerlist = listptr->next;
7851 7862 kmem_free(listptr, sizeof (*listptr));
7852 7863 /*
7853 7864 * Pick peer bucket based on addrfam.
7854 7865 */
7855 7866 if (outbound) {
7856 7867 if (haspeer)
7857 7868 bucket = INBOUND_BUCKET(sp, dying->ipsa_spi);
7858 7869 else
7859 7870 bucket = INBOUND_BUCKET(sp,
7860 7871 dying->ipsa_otherspi);
7861 7872 } else { /* inbound */
7862 7873 if (haspeer) {
7863 7874 if (dying->ipsa_addrfam == AF_INET6) {
7864 7875 outhash = OUTBOUND_HASH_V6(sp,
7865 7876 *((in6_addr_t *)&dying->
7866 7877 ipsa_dstaddr));
7867 7878 } else {
7868 7879 outhash = OUTBOUND_HASH_V4(sp,
7869 7880 *((ipaddr_t *)&dying->
7870 7881 ipsa_dstaddr));
7871 7882 }
7872 7883 } else if (dying->ipsa_addrfam == AF_INET6) {
7873 7884 outhash = OUTBOUND_HASH_V6(sp,
7874 7885 *((in6_addr_t *)&dying->
7875 7886 ipsa_srcaddr));
7876 7887 } else {
7877 7888 outhash = OUTBOUND_HASH_V4(sp,
7878 7889 *((ipaddr_t *)&dying->
7879 7890 ipsa_srcaddr));
7880 7891 }
7881 7892 bucket = &(sp->sdb_of[outhash]);
7882 7893 }
7883 7894
7884 7895 mutex_enter(&bucket->isaf_lock);
7885 7896 /*
7886 7897 * "haspeer" SA's have the same src/dst address ordering,
7887 7898 * "paired" SA's have the src/dst addresses reversed.
7888 7899 */
7889 7900 if (haspeer) {
7890 7901 peer_assoc = ipsec_getassocbyspi(bucket,
7891 7902 dying->ipsa_spi, dying->ipsa_srcaddr,
7892 7903 dying->ipsa_dstaddr, dying->ipsa_addrfam);
7893 7904 } else {
7894 7905 peer_assoc = ipsec_getassocbyspi(bucket,
7895 7906 dying->ipsa_otherspi, dying->ipsa_dstaddr,
7896 7907 dying->ipsa_srcaddr, dying->ipsa_addrfam);
7897 7908 }
7898 7909
7899 7910 mutex_exit(&bucket->isaf_lock);
7900 7911 if (peer_assoc != NULL) {
7901 7912 mutex_enter(&peer_assoc->ipsa_lock);
7902 7913 mutex_enter(&dying->ipsa_lock);
7903 7914 if (!haspeer) {
7904 7915 /*
7905 7916 * Only SA's which have a "peer" or are
7906 7917 * "paired" end up on this list, so this
7907 7918 * must be a "paired" SA, update the flags
7908 7919 * to break the pair.
7909 7920 */
7910 7921 peer_assoc->ipsa_otherspi = 0;
7911 7922 peer_assoc->ipsa_flags &= ~IPSA_F_PAIRED;
7912 7923 dying->ipsa_otherspi = 0;
7913 7924 dying->ipsa_flags &= ~IPSA_F_PAIRED;
7914 7925 }
7915 7926 if (haspeer || outbound) {
7916 7927 /*
7917 7928 * Update the state of the "inbound" SA when
7918 7929 * the "outbound" SA has expired. Don't update
7919 7930 * the "outbound" SA when the "inbound" SA
7920 7931 * SA expires because setting the hard_addtime
7921 7932 * below will cause this to happen.
7922 7933 */
7923 7934 peer_assoc->ipsa_state = dying->ipsa_state;
7924 7935 }
7925 7936 if (dying->ipsa_state == IPSA_STATE_DEAD)
7926 7937 peer_assoc->ipsa_hardexpiretime = 1;
7927 7938
7928 7939 mutex_exit(&dying->ipsa_lock);
7929 7940 mutex_exit(&peer_assoc->ipsa_lock);
7930 7941 IPSA_REFRELE(peer_assoc);
7931 7942 }
7932 7943 IPSA_REFRELE(dying);
7933 7944 }
7934 7945 }
7935 7946
7936 7947 /*
7937 7948 * Ensure that the IV used for CCM mode never repeats. The IV should
7938 7949 * only be updated by this function. Also check to see if the IV
7939 7950 * is about to wrap and generate a SOFT Expire. This function is only
7940 7951 * called for outgoing packets, the IV for incomming packets is taken
7941 7952 * from the wire. If the outgoing SA needs to be expired, update
7942 7953 * the matching incomming SA.
7943 7954 */
7944 7955 boolean_t
7945 7956 update_iv(uint8_t *iv_ptr, queue_t *pfkey_q, ipsa_t *assoc,
7946 7957 ipsecesp_stack_t *espstack)
7947 7958 {
7948 7959 boolean_t rc = B_TRUE;
7949 7960 isaf_t *inbound_bucket;
7950 7961 sadb_t *sp;
7951 7962 ipsa_t *pair_sa = NULL;
7952 7963 int sa_new_state = 0;
7953 7964
7954 7965 /* For non counter modes, the IV is random data. */
7955 7966 if (!(assoc->ipsa_flags & IPSA_F_COUNTERMODE)) {
7956 7967 (void) random_get_pseudo_bytes(iv_ptr, assoc->ipsa_iv_len);
7957 7968 return (rc);
7958 7969 }
7959 7970
7960 7971 mutex_enter(&assoc->ipsa_lock);
7961 7972
7962 7973 (*assoc->ipsa_iv)++;
7963 7974
7964 7975 if (*assoc->ipsa_iv == assoc->ipsa_iv_hardexpire) {
7965 7976 sa_new_state = IPSA_STATE_DEAD;
7966 7977 rc = B_FALSE;
7967 7978 } else if (*assoc->ipsa_iv == assoc->ipsa_iv_softexpire) {
7968 7979 if (assoc->ipsa_state != IPSA_STATE_DYING) {
7969 7980 /*
7970 7981 * This SA may have already been expired when its
7971 7982 * PAIR_SA expired.
7972 7983 */
7973 7984 sa_new_state = IPSA_STATE_DYING;
7974 7985 }
7975 7986 }
7976 7987 if (sa_new_state) {
7977 7988 /*
7978 7989 * If there is a state change, we need to update this SA
7979 7990 * and its "pair", we can find the bucket for the "pair" SA
7980 7991 * while holding the ipsa_t mutex, but we won't actually
7981 7992 * update anything untill the ipsa_t mutex has been released
7982 7993 * for _this_ SA.
7983 7994 */
7984 7995 assoc->ipsa_state = sa_new_state;
7985 7996 if (assoc->ipsa_addrfam == AF_INET6) {
7986 7997 sp = &espstack->esp_sadb.s_v6;
7987 7998 } else {
7988 7999 sp = &espstack->esp_sadb.s_v4;
7989 8000 }
7990 8001 inbound_bucket = INBOUND_BUCKET(sp, assoc->ipsa_otherspi);
7991 8002 sadb_expire_assoc(pfkey_q, assoc);
7992 8003 }
7993 8004 if (rc == B_TRUE)
7994 8005 bcopy(assoc->ipsa_iv, iv_ptr, assoc->ipsa_iv_len);
7995 8006
7996 8007 mutex_exit(&assoc->ipsa_lock);
7997 8008
7998 8009 if (sa_new_state) {
7999 8010 /* Find the inbound SA, need to lock hash bucket. */
8000 8011 mutex_enter(&inbound_bucket->isaf_lock);
8001 8012 pair_sa = ipsec_getassocbyspi(inbound_bucket,
8002 8013 assoc->ipsa_otherspi, assoc->ipsa_dstaddr,
8003 8014 assoc->ipsa_srcaddr, assoc->ipsa_addrfam);
8004 8015 mutex_exit(&inbound_bucket->isaf_lock);
8005 8016 if (pair_sa != NULL) {
8006 8017 mutex_enter(&pair_sa->ipsa_lock);
8007 8018 pair_sa->ipsa_state = sa_new_state;
8008 8019 mutex_exit(&pair_sa->ipsa_lock);
8009 8020 IPSA_REFRELE(pair_sa);
8010 8021 }
8011 8022 }
8012 8023
8013 8024 return (rc);
8014 8025 }
8015 8026
8016 8027 void
8017 8028 ccm_params_init(ipsa_t *assoc, uchar_t *esph, uint_t data_len, uchar_t *iv_ptr,
8018 8029 ipsa_cm_mech_t *cm_mech, crypto_data_t *crypto_data)
8019 8030 {
8020 8031 uchar_t *nonce;
8021 8032 crypto_mechanism_t *combined_mech;
8022 8033 CK_AES_CCM_PARAMS *params;
8023 8034
8024 8035 combined_mech = (crypto_mechanism_t *)cm_mech;
8025 8036 params = (CK_AES_CCM_PARAMS *)(combined_mech + 1);
8026 8037 nonce = (uchar_t *)(params + 1);
8027 8038 params->ulMACSize = assoc->ipsa_mac_len;
8028 8039 params->ulNonceSize = assoc->ipsa_nonce_len;
8029 8040 params->ulAuthDataSize = sizeof (esph_t);
8030 8041 params->ulDataSize = data_len;
8031 8042 params->nonce = nonce;
8032 8043 params->authData = esph;
8033 8044
8034 8045 cm_mech->combined_mech.cm_type = assoc->ipsa_emech.cm_type;
8035 8046 cm_mech->combined_mech.cm_param_len = sizeof (CK_AES_CCM_PARAMS);
8036 8047 cm_mech->combined_mech.cm_param = (caddr_t)params;
8037 8048 /* See gcm_params_init() for comments. */
8038 8049 bcopy(assoc->ipsa_nonce, nonce, assoc->ipsa_saltlen);
8039 8050 nonce += assoc->ipsa_saltlen;
8040 8051 bcopy(iv_ptr, nonce, assoc->ipsa_iv_len);
8041 8052 crypto_data->cd_miscdata = NULL;
8042 8053 }
8043 8054
8044 8055 /* ARGSUSED */
8045 8056 void
8046 8057 cbc_params_init(ipsa_t *assoc, uchar_t *esph, uint_t data_len, uchar_t *iv_ptr,
8047 8058 ipsa_cm_mech_t *cm_mech, crypto_data_t *crypto_data)
8048 8059 {
8049 8060 cm_mech->combined_mech.cm_type = assoc->ipsa_emech.cm_type;
8050 8061 cm_mech->combined_mech.cm_param_len = 0;
8051 8062 cm_mech->combined_mech.cm_param = NULL;
8052 8063 crypto_data->cd_miscdata = (char *)iv_ptr;
8053 8064 }
8054 8065
8055 8066 /* ARGSUSED */
8056 8067 void
8057 8068 gcm_params_init(ipsa_t *assoc, uchar_t *esph, uint_t data_len, uchar_t *iv_ptr,
8058 8069 ipsa_cm_mech_t *cm_mech, crypto_data_t *crypto_data)
8059 8070 {
8060 8071 uchar_t *nonce;
8061 8072 crypto_mechanism_t *combined_mech;
8062 8073 CK_AES_GCM_PARAMS *params;
8063 8074
8064 8075 combined_mech = (crypto_mechanism_t *)cm_mech;
8065 8076 params = (CK_AES_GCM_PARAMS *)(combined_mech + 1);
8066 8077 nonce = (uchar_t *)(params + 1);
8067 8078
8068 8079 params->pIv = nonce;
8069 8080 params->ulIvLen = assoc->ipsa_nonce_len;
8070 8081 params->ulIvBits = SADB_8TO1(assoc->ipsa_nonce_len);
8071 8082 params->pAAD = esph;
8072 8083 params->ulAADLen = sizeof (esph_t);
8073 8084 params->ulTagBits = SADB_8TO1(assoc->ipsa_mac_len);
8074 8085
8075 8086 cm_mech->combined_mech.cm_type = assoc->ipsa_emech.cm_type;
8076 8087 cm_mech->combined_mech.cm_param_len = sizeof (CK_AES_GCM_PARAMS);
8077 8088 cm_mech->combined_mech.cm_param = (caddr_t)params;
8078 8089 /*
8079 8090 * Create the nonce, which is made up of the salt and the IV.
8080 8091 * Copy the salt from the SA and the IV from the packet.
8081 8092 * For inbound packets we copy the IV from the packet because it
8082 8093 * was set by the sending system, for outbound packets we copy the IV
8083 8094 * from the packet because the IV in the SA may be changed by another
8084 8095 * thread, the IV in the packet was created while holding a mutex.
8085 8096 */
8086 8097 bcopy(assoc->ipsa_nonce, nonce, assoc->ipsa_saltlen);
8087 8098 nonce += assoc->ipsa_saltlen;
8088 8099 bcopy(iv_ptr, nonce, assoc->ipsa_iv_len);
8089 8100 crypto_data->cd_miscdata = NULL;
8090 8101 }
|
↓ open down ↓ |
2772 lines elided |
↑ open up ↑ |
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX