Print this page
5042 stop using deprecated atomic functions
Split |
Close |
Expand all |
Collapse all |
--- old/usr/src/uts/common/inet/ip/sadb.c
+++ new/usr/src/uts/common/inet/ip/sadb.c
1 1 /*
2 2 * CDDL HEADER START
3 3 *
4 4 * The contents of this file are subject to the terms of the
5 5 * Common Development and Distribution License (the "License").
6 6 * You may not use this file except in compliance with the License.
7 7 *
8 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 9 * or http://www.opensolaris.org/os/licensing.
10 10 * See the License for the specific language governing permissions
11 11 * and limitations under the License.
12 12 *
13 13 * When distributing Covered Code, include this CDDL HEADER in each
14 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 15 * If applicable, add the following below this CDDL HEADER, with the
16 16 * fields enclosed by brackets "[]" replaced with your own identifying
17 17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 18 *
19 19 * CDDL HEADER END
20 20 */
21 21 /*
22 22 * Copyright 2010 Sun Microsystems, Inc. All rights reserved.
23 23 * Use is subject to license terms.
24 24 */
25 25
26 26 #include <sys/types.h>
27 27 #include <sys/stream.h>
28 28 #include <sys/stropts.h>
29 29 #include <sys/strsubr.h>
30 30 #include <sys/errno.h>
31 31 #include <sys/ddi.h>
32 32 #include <sys/debug.h>
33 33 #include <sys/cmn_err.h>
34 34 #include <sys/stream.h>
35 35 #include <sys/strlog.h>
36 36 #include <sys/kmem.h>
37 37 #include <sys/sunddi.h>
38 38 #include <sys/tihdr.h>
39 39 #include <sys/atomic.h>
40 40 #include <sys/socket.h>
41 41 #include <sys/sysmacros.h>
42 42 #include <sys/crypto/common.h>
43 43 #include <sys/crypto/api.h>
44 44 #include <sys/zone.h>
45 45 #include <netinet/in.h>
46 46 #include <net/if.h>
47 47 #include <net/pfkeyv2.h>
48 48 #include <net/pfpolicy.h>
49 49 #include <inet/common.h>
50 50 #include <netinet/ip6.h>
51 51 #include <inet/ip.h>
52 52 #include <inet/ip_ire.h>
53 53 #include <inet/ip6.h>
54 54 #include <inet/ipsec_info.h>
55 55 #include <inet/tcp.h>
56 56 #include <inet/sadb.h>
57 57 #include <inet/ipsec_impl.h>
58 58 #include <inet/ipsecah.h>
59 59 #include <inet/ipsecesp.h>
60 60 #include <sys/random.h>
61 61 #include <sys/dlpi.h>
62 62 #include <sys/strsun.h>
63 63 #include <sys/strsubr.h>
64 64 #include <inet/ip_if.h>
65 65 #include <inet/ipdrop.h>
66 66 #include <inet/ipclassifier.h>
67 67 #include <inet/sctp_ip.h>
68 68 #include <sys/tsol/tnet.h>
69 69
70 70 /*
71 71 * This source file contains Security Association Database (SADB) common
72 72 * routines. They are linked in with the AH module. Since AH has no chance
73 73 * of falling under export control, it was safe to link it in there.
74 74 */
75 75
76 76 static mblk_t *sadb_extended_acquire(ipsec_selector_t *, ipsec_policy_t *,
77 77 ipsec_action_t *, boolean_t, uint32_t, uint32_t, sadb_sens_t *,
78 78 netstack_t *);
79 79 static ipsa_t *sadb_torch_assoc(isaf_t *, ipsa_t *);
80 80 static void sadb_destroy_acqlist(iacqf_t **, uint_t, boolean_t,
81 81 netstack_t *);
82 82 static void sadb_destroy(sadb_t *, netstack_t *);
83 83 static mblk_t *sadb_sa2msg(ipsa_t *, sadb_msg_t *);
84 84 static ts_label_t *sadb_label_from_sens(sadb_sens_t *, uint64_t *);
85 85 static sadb_sens_t *sadb_make_sens_ext(ts_label_t *tsl, int *len);
86 86
87 87 static time_t sadb_add_time(time_t, uint64_t);
88 88 static void lifetime_fuzz(ipsa_t *);
89 89 static void age_pair_peer_list(templist_t *, sadb_t *, boolean_t);
90 90 static int get_ipsa_pair(ipsa_query_t *, ipsap_t *, int *);
91 91 static void init_ipsa_pair(ipsap_t *);
92 92 static void destroy_ipsa_pair(ipsap_t *);
93 93 static int update_pairing(ipsap_t *, ipsa_query_t *, keysock_in_t *, int *);
94 94 static void ipsa_set_replay(ipsa_t *ipsa, uint32_t offset);
95 95
96 96 /*
97 97 * ipsacq_maxpackets is defined here to make it tunable
98 98 * from /etc/system.
99 99 */
100 100 extern uint64_t ipsacq_maxpackets;
101 101
102 102 #define SET_EXPIRE(sa, delta, exp) { \
103 103 if (((sa)->ipsa_ ## delta) != 0) { \
104 104 (sa)->ipsa_ ## exp = sadb_add_time((sa)->ipsa_addtime, \
105 105 (sa)->ipsa_ ## delta); \
106 106 } \
107 107 }
108 108
109 109 #define UPDATE_EXPIRE(sa, delta, exp) { \
110 110 if (((sa)->ipsa_ ## delta) != 0) { \
111 111 time_t tmp = sadb_add_time((sa)->ipsa_usetime, \
112 112 (sa)->ipsa_ ## delta); \
113 113 if (((sa)->ipsa_ ## exp) == 0) \
114 114 (sa)->ipsa_ ## exp = tmp; \
115 115 else \
116 116 (sa)->ipsa_ ## exp = \
117 117 MIN((sa)->ipsa_ ## exp, tmp); \
118 118 } \
119 119 }
120 120
121 121
122 122 /* wrap the macro so we can pass it as a function pointer */
123 123 void
124 124 sadb_sa_refrele(void *target)
125 125 {
126 126 IPSA_REFRELE(((ipsa_t *)target));
127 127 }
128 128
129 129 /*
130 130 * We presume that sizeof (long) == sizeof (time_t) and that time_t is
131 131 * a signed type.
132 132 */
133 133 #define TIME_MAX LONG_MAX
134 134
135 135 /*
136 136 * PF_KEY gives us lifetimes in uint64_t seconds. We presume that
137 137 * time_t is defined to be a signed type with the same range as
138 138 * "long". On ILP32 systems, we thus run the risk of wrapping around
139 139 * at end of time, as well as "overwrapping" the clock back around
140 140 * into a seemingly valid but incorrect future date earlier than the
141 141 * desired expiration.
142 142 *
143 143 * In order to avoid odd behavior (either negative lifetimes or loss
144 144 * of high order bits) when someone asks for bizarrely long SA
145 145 * lifetimes, we do a saturating add for expire times.
146 146 *
147 147 * We presume that ILP32 systems will be past end of support life when
148 148 * the 32-bit time_t overflows (a dangerous assumption, mind you..).
149 149 *
150 150 * On LP64, 2^64 seconds are about 5.8e11 years, at which point we
151 151 * will hopefully have figured out clever ways to avoid the use of
152 152 * fixed-sized integers in computation.
153 153 */
154 154 static time_t
155 155 sadb_add_time(time_t base, uint64_t delta)
156 156 {
157 157 time_t sum;
158 158
159 159 /*
160 160 * Clip delta to the maximum possible time_t value to
161 161 * prevent "overwrapping" back into a shorter-than-desired
162 162 * future time.
163 163 */
164 164 if (delta > TIME_MAX)
165 165 delta = TIME_MAX;
166 166 /*
167 167 * This sum may still overflow.
168 168 */
169 169 sum = base + delta;
170 170
171 171 /*
172 172 * .. so if the result is less than the base, we overflowed.
173 173 */
174 174 if (sum < base)
175 175 sum = TIME_MAX;
176 176
177 177 return (sum);
178 178 }
179 179
180 180 /*
181 181 * Callers of this function have already created a working security
182 182 * association, and have found the appropriate table & hash chain. All this
183 183 * function does is check duplicates, and insert the SA. The caller needs to
184 184 * hold the hash bucket lock and increment the refcnt before insertion.
185 185 *
186 186 * Return 0 if success, EEXIST if collision.
187 187 */
188 188 #define SA_UNIQUE_MATCH(sa1, sa2) \
189 189 (((sa1)->ipsa_unique_id & (sa1)->ipsa_unique_mask) == \
190 190 ((sa2)->ipsa_unique_id & (sa2)->ipsa_unique_mask))
191 191
192 192 int
193 193 sadb_insertassoc(ipsa_t *ipsa, isaf_t *bucket)
194 194 {
195 195 ipsa_t **ptpn = NULL;
196 196 ipsa_t *walker;
197 197 boolean_t unspecsrc;
198 198
199 199 ASSERT(MUTEX_HELD(&bucket->isaf_lock));
200 200
201 201 unspecsrc = IPSA_IS_ADDR_UNSPEC(ipsa->ipsa_srcaddr, ipsa->ipsa_addrfam);
202 202
203 203 walker = bucket->isaf_ipsa;
204 204 ASSERT(walker == NULL || ipsa->ipsa_addrfam == walker->ipsa_addrfam);
205 205
206 206 /*
207 207 * Find insertion point (pointed to with **ptpn). Insert at the head
208 208 * of the list unless there's an unspecified source address, then
209 209 * insert it after the last SA with a specified source address.
210 210 *
211 211 * BTW, you'll have to walk the whole chain, matching on {DST, SPI}
212 212 * checking for collisions.
213 213 */
214 214
215 215 while (walker != NULL) {
216 216 if (IPSA_ARE_ADDR_EQUAL(walker->ipsa_dstaddr,
217 217 ipsa->ipsa_dstaddr, ipsa->ipsa_addrfam)) {
218 218 if (walker->ipsa_spi == ipsa->ipsa_spi)
219 219 return (EEXIST);
220 220
221 221 mutex_enter(&walker->ipsa_lock);
222 222 if (ipsa->ipsa_state == IPSA_STATE_MATURE &&
223 223 (walker->ipsa_flags & IPSA_F_USED) &&
224 224 SA_UNIQUE_MATCH(walker, ipsa)) {
225 225 walker->ipsa_flags |= IPSA_F_CINVALID;
226 226 }
227 227 mutex_exit(&walker->ipsa_lock);
228 228 }
229 229
230 230 if (ptpn == NULL && unspecsrc) {
231 231 if (IPSA_IS_ADDR_UNSPEC(walker->ipsa_srcaddr,
232 232 walker->ipsa_addrfam))
233 233 ptpn = walker->ipsa_ptpn;
234 234 else if (walker->ipsa_next == NULL)
235 235 ptpn = &walker->ipsa_next;
236 236 }
237 237
238 238 walker = walker->ipsa_next;
239 239 }
240 240
241 241 if (ptpn == NULL)
242 242 ptpn = &bucket->isaf_ipsa;
243 243 ipsa->ipsa_next = *ptpn;
244 244 ipsa->ipsa_ptpn = ptpn;
245 245 if (ipsa->ipsa_next != NULL)
246 246 ipsa->ipsa_next->ipsa_ptpn = &ipsa->ipsa_next;
247 247 *ptpn = ipsa;
248 248 ipsa->ipsa_linklock = &bucket->isaf_lock;
249 249
250 250 return (0);
251 251 }
252 252 #undef SA_UNIQUE_MATCH
253 253
254 254 /*
255 255 * Free a security association. Its reference count is 0, which means
256 256 * I must free it. The SA must be unlocked and must not be linked into
257 257 * any fanout list.
258 258 */
259 259 static void
260 260 sadb_freeassoc(ipsa_t *ipsa)
261 261 {
262 262 ipsec_stack_t *ipss = ipsa->ipsa_netstack->netstack_ipsec;
263 263 mblk_t *asyncmp, *mp;
264 264
265 265 ASSERT(ipss != NULL);
266 266 ASSERT(MUTEX_NOT_HELD(&ipsa->ipsa_lock));
267 267 ASSERT(ipsa->ipsa_refcnt == 0);
268 268 ASSERT(ipsa->ipsa_next == NULL);
269 269 ASSERT(ipsa->ipsa_ptpn == NULL);
270 270
271 271
272 272 asyncmp = sadb_clear_lpkt(ipsa);
273 273 if (asyncmp != NULL) {
274 274 mp = ip_recv_attr_free_mblk(asyncmp);
275 275 ip_drop_packet(mp, B_TRUE, NULL,
276 276 DROPPER(ipss, ipds_sadb_inlarval_timeout),
277 277 &ipss->ipsec_sadb_dropper);
278 278 }
279 279 mutex_enter(&ipsa->ipsa_lock);
280 280
281 281 if (ipsa->ipsa_tsl != NULL) {
282 282 label_rele(ipsa->ipsa_tsl);
283 283 ipsa->ipsa_tsl = NULL;
284 284 }
285 285
286 286 if (ipsa->ipsa_otsl != NULL) {
287 287 label_rele(ipsa->ipsa_otsl);
288 288 ipsa->ipsa_otsl = NULL;
289 289 }
290 290
291 291 ipsec_destroy_ctx_tmpl(ipsa, IPSEC_ALG_AUTH);
292 292 ipsec_destroy_ctx_tmpl(ipsa, IPSEC_ALG_ENCR);
293 293 mutex_exit(&ipsa->ipsa_lock);
294 294
295 295 /* bzero() these fields for paranoia's sake. */
296 296 if (ipsa->ipsa_authkey != NULL) {
297 297 bzero(ipsa->ipsa_authkey, ipsa->ipsa_authkeylen);
298 298 kmem_free(ipsa->ipsa_authkey, ipsa->ipsa_authkeylen);
299 299 }
300 300 if (ipsa->ipsa_encrkey != NULL) {
301 301 bzero(ipsa->ipsa_encrkey, ipsa->ipsa_encrkeylen);
302 302 kmem_free(ipsa->ipsa_encrkey, ipsa->ipsa_encrkeylen);
303 303 }
304 304 if (ipsa->ipsa_nonce_buf != NULL) {
305 305 bzero(ipsa->ipsa_nonce_buf, sizeof (ipsec_nonce_t));
306 306 kmem_free(ipsa->ipsa_nonce_buf, sizeof (ipsec_nonce_t));
307 307 }
308 308 if (ipsa->ipsa_src_cid != NULL) {
309 309 IPSID_REFRELE(ipsa->ipsa_src_cid);
310 310 }
311 311 if (ipsa->ipsa_dst_cid != NULL) {
312 312 IPSID_REFRELE(ipsa->ipsa_dst_cid);
313 313 }
314 314 if (ipsa->ipsa_emech.cm_param != NULL)
315 315 kmem_free(ipsa->ipsa_emech.cm_param,
316 316 ipsa->ipsa_emech.cm_param_len);
317 317
318 318 mutex_destroy(&ipsa->ipsa_lock);
319 319 kmem_free(ipsa, sizeof (*ipsa));
320 320 }
321 321
322 322 /*
323 323 * Unlink a security association from a hash bucket. Assume the hash bucket
324 324 * lock is held, but the association's lock is not.
325 325 *
326 326 * Note that we do not bump the bucket's generation number here because
327 327 * we might not be making a visible change to the set of visible SA's.
328 328 * All callers MUST bump the bucket's generation number before they unlock
329 329 * the bucket if they use sadb_unlinkassoc to permanetly remove an SA which
330 330 * was present in the bucket at the time it was locked.
331 331 */
332 332 void
333 333 sadb_unlinkassoc(ipsa_t *ipsa)
334 334 {
335 335 ASSERT(ipsa->ipsa_linklock != NULL);
336 336 ASSERT(MUTEX_HELD(ipsa->ipsa_linklock));
337 337
338 338 /* These fields are protected by the link lock. */
339 339 *(ipsa->ipsa_ptpn) = ipsa->ipsa_next;
340 340 if (ipsa->ipsa_next != NULL) {
341 341 ipsa->ipsa_next->ipsa_ptpn = ipsa->ipsa_ptpn;
342 342 ipsa->ipsa_next = NULL;
343 343 }
344 344
345 345 ipsa->ipsa_ptpn = NULL;
346 346
347 347 /* This may destroy the SA. */
348 348 IPSA_REFRELE(ipsa);
349 349 }
350 350
351 351 void
352 352 sadb_delete_cluster(ipsa_t *assoc)
353 353 {
354 354 uint8_t protocol;
355 355
356 356 if (cl_inet_deletespi &&
357 357 ((assoc->ipsa_state == IPSA_STATE_LARVAL) ||
358 358 (assoc->ipsa_state == IPSA_STATE_MATURE))) {
359 359 protocol = (assoc->ipsa_type == SADB_SATYPE_AH) ?
360 360 IPPROTO_AH : IPPROTO_ESP;
361 361 cl_inet_deletespi(assoc->ipsa_netstack->netstack_stackid,
362 362 protocol, assoc->ipsa_spi, NULL);
363 363 }
364 364 }
365 365
366 366 /*
367 367 * Create a larval security association with the specified SPI. All other
368 368 * fields are zeroed.
369 369 */
370 370 static ipsa_t *
371 371 sadb_makelarvalassoc(uint32_t spi, uint32_t *src, uint32_t *dst, int addrfam,
372 372 netstack_t *ns)
373 373 {
374 374 ipsa_t *newbie;
375 375
376 376 /*
377 377 * Allocate...
378 378 */
379 379
380 380 newbie = (ipsa_t *)kmem_zalloc(sizeof (ipsa_t), KM_NOSLEEP);
381 381 if (newbie == NULL) {
382 382 /* Can't make new larval SA. */
383 383 return (NULL);
384 384 }
385 385
386 386 /* Assigned requested SPI, assume caller does SPI allocation magic. */
387 387 newbie->ipsa_spi = spi;
388 388 newbie->ipsa_netstack = ns; /* No netstack_hold */
389 389
390 390 /*
391 391 * Copy addresses...
392 392 */
393 393
394 394 IPSA_COPY_ADDR(newbie->ipsa_srcaddr, src, addrfam);
395 395 IPSA_COPY_ADDR(newbie->ipsa_dstaddr, dst, addrfam);
396 396
397 397 newbie->ipsa_addrfam = addrfam;
398 398
399 399 /*
400 400 * Set common initialization values, including refcnt.
401 401 */
402 402 mutex_init(&newbie->ipsa_lock, NULL, MUTEX_DEFAULT, NULL);
403 403 newbie->ipsa_state = IPSA_STATE_LARVAL;
404 404 newbie->ipsa_refcnt = 1;
405 405 newbie->ipsa_freefunc = sadb_freeassoc;
406 406
407 407 /*
408 408 * There aren't a lot of other common initialization values, as
409 409 * they are copied in from the PF_KEY message.
410 410 */
411 411
412 412 return (newbie);
413 413 }
414 414
415 415 /*
416 416 * Call me to initialize a security association fanout.
417 417 */
418 418 static int
419 419 sadb_init_fanout(isaf_t **tablep, uint_t size, int kmflag)
420 420 {
421 421 isaf_t *table;
422 422 int i;
423 423
424 424 table = (isaf_t *)kmem_alloc(size * sizeof (*table), kmflag);
425 425 *tablep = table;
426 426
427 427 if (table == NULL)
428 428 return (ENOMEM);
429 429
430 430 for (i = 0; i < size; i++) {
431 431 mutex_init(&(table[i].isaf_lock), NULL, MUTEX_DEFAULT, NULL);
432 432 table[i].isaf_ipsa = NULL;
433 433 table[i].isaf_gen = 0;
434 434 }
435 435
436 436 return (0);
437 437 }
438 438
439 439 /*
440 440 * Call me to initialize an acquire fanout
441 441 */
442 442 static int
443 443 sadb_init_acfanout(iacqf_t **tablep, uint_t size, int kmflag)
444 444 {
445 445 iacqf_t *table;
446 446 int i;
447 447
448 448 table = (iacqf_t *)kmem_alloc(size * sizeof (*table), kmflag);
449 449 *tablep = table;
450 450
451 451 if (table == NULL)
452 452 return (ENOMEM);
453 453
454 454 for (i = 0; i < size; i++) {
455 455 mutex_init(&(table[i].iacqf_lock), NULL, MUTEX_DEFAULT, NULL);
456 456 table[i].iacqf_ipsacq = NULL;
457 457 }
458 458
459 459 return (0);
460 460 }
461 461
462 462 /*
463 463 * Attempt to initialize an SADB instance. On failure, return ENOMEM;
464 464 * caller must clean up partial allocations.
465 465 */
466 466 static int
467 467 sadb_init_trial(sadb_t *sp, uint_t size, int kmflag)
468 468 {
469 469 ASSERT(sp->sdb_of == NULL);
470 470 ASSERT(sp->sdb_if == NULL);
471 471 ASSERT(sp->sdb_acq == NULL);
472 472
473 473 sp->sdb_hashsize = size;
474 474 if (sadb_init_fanout(&sp->sdb_of, size, kmflag) != 0)
475 475 return (ENOMEM);
476 476 if (sadb_init_fanout(&sp->sdb_if, size, kmflag) != 0)
477 477 return (ENOMEM);
478 478 if (sadb_init_acfanout(&sp->sdb_acq, size, kmflag) != 0)
479 479 return (ENOMEM);
480 480
481 481 return (0);
482 482 }
483 483
484 484 /*
485 485 * Call me to initialize an SADB instance; fall back to default size on failure.
486 486 */
487 487 static void
488 488 sadb_init(const char *name, sadb_t *sp, uint_t size, uint_t ver,
489 489 netstack_t *ns)
490 490 {
491 491 ASSERT(sp->sdb_of == NULL);
492 492 ASSERT(sp->sdb_if == NULL);
493 493 ASSERT(sp->sdb_acq == NULL);
494 494
495 495 if (size < IPSEC_DEFAULT_HASH_SIZE)
496 496 size = IPSEC_DEFAULT_HASH_SIZE;
497 497
498 498 if (sadb_init_trial(sp, size, KM_NOSLEEP) != 0) {
499 499
500 500 cmn_err(CE_WARN,
501 501 "Unable to allocate %u entry IPv%u %s SADB hash table",
502 502 size, ver, name);
503 503
504 504 sadb_destroy(sp, ns);
505 505 size = IPSEC_DEFAULT_HASH_SIZE;
506 506 cmn_err(CE_WARN, "Falling back to %d entries", size);
507 507 (void) sadb_init_trial(sp, size, KM_SLEEP);
508 508 }
509 509 }
510 510
511 511
512 512 /*
513 513 * Initialize an SADB-pair.
514 514 */
515 515 void
516 516 sadbp_init(const char *name, sadbp_t *sp, int type, int size, netstack_t *ns)
517 517 {
518 518 sadb_init(name, &sp->s_v4, size, 4, ns);
519 519 sadb_init(name, &sp->s_v6, size, 6, ns);
520 520
521 521 sp->s_satype = type;
522 522
523 523 ASSERT((type == SADB_SATYPE_AH) || (type == SADB_SATYPE_ESP));
524 524 if (type == SADB_SATYPE_AH) {
525 525 ipsec_stack_t *ipss = ns->netstack_ipsec;
526 526
527 527 ip_drop_register(&ipss->ipsec_sadb_dropper, "IPsec SADB");
528 528 sp->s_addflags = AH_ADD_SETTABLE_FLAGS;
529 529 sp->s_updateflags = AH_UPDATE_SETTABLE_FLAGS;
530 530 } else {
531 531 sp->s_addflags = ESP_ADD_SETTABLE_FLAGS;
532 532 sp->s_updateflags = ESP_UPDATE_SETTABLE_FLAGS;
533 533 }
534 534 }
535 535
536 536 /*
537 537 * Deliver a single SADB_DUMP message representing a single SA. This is
538 538 * called many times by sadb_dump().
539 539 *
540 540 * If the return value of this is ENOBUFS (not the same as ENOMEM), then
541 541 * the caller should take that as a hint that dupb() on the "original answer"
542 542 * failed, and that perhaps the caller should try again with a copyb()ed
543 543 * "original answer".
544 544 */
545 545 static int
546 546 sadb_dump_deliver(queue_t *pfkey_q, mblk_t *original_answer, ipsa_t *ipsa,
547 547 sadb_msg_t *samsg)
548 548 {
549 549 mblk_t *answer;
550 550
551 551 answer = dupb(original_answer);
552 552 if (answer == NULL)
553 553 return (ENOBUFS);
554 554 answer->b_cont = sadb_sa2msg(ipsa, samsg);
555 555 if (answer->b_cont == NULL) {
556 556 freeb(answer);
557 557 return (ENOMEM);
558 558 }
559 559
560 560 /* Just do a putnext, and let keysock deal with flow control. */
561 561 putnext(pfkey_q, answer);
562 562 return (0);
563 563 }
564 564
565 565 /*
566 566 * Common function to allocate and prepare a keysock_out_t M_CTL message.
567 567 */
568 568 mblk_t *
569 569 sadb_keysock_out(minor_t serial)
570 570 {
571 571 mblk_t *mp;
572 572 keysock_out_t *kso;
573 573
574 574 mp = allocb(sizeof (ipsec_info_t), BPRI_HI);
575 575 if (mp != NULL) {
576 576 mp->b_datap->db_type = M_CTL;
577 577 mp->b_wptr += sizeof (ipsec_info_t);
578 578 kso = (keysock_out_t *)mp->b_rptr;
579 579 kso->ks_out_type = KEYSOCK_OUT;
580 580 kso->ks_out_len = sizeof (*kso);
581 581 kso->ks_out_serial = serial;
582 582 }
583 583
584 584 return (mp);
585 585 }
586 586
587 587 /*
588 588 * Perform an SADB_DUMP, spewing out every SA in an array of SA fanouts
589 589 * to keysock.
590 590 */
591 591 static int
592 592 sadb_dump_fanout(queue_t *pfkey_q, mblk_t *mp, minor_t serial, isaf_t *fanout,
593 593 int num_entries, boolean_t do_peers, time_t active_time)
594 594 {
595 595 int i, error = 0;
596 596 mblk_t *original_answer;
597 597 ipsa_t *walker;
598 598 sadb_msg_t *samsg;
599 599 time_t current;
600 600
601 601 /*
602 602 * For each IPSA hash bucket do:
603 603 * - Hold the mutex
604 604 * - Walk each entry, doing an sadb_dump_deliver() on it.
605 605 */
606 606 ASSERT(mp->b_cont != NULL);
607 607 samsg = (sadb_msg_t *)mp->b_cont->b_rptr;
608 608
609 609 original_answer = sadb_keysock_out(serial);
610 610 if (original_answer == NULL)
611 611 return (ENOMEM);
612 612
613 613 current = gethrestime_sec();
614 614 for (i = 0; i < num_entries; i++) {
615 615 mutex_enter(&fanout[i].isaf_lock);
616 616 for (walker = fanout[i].isaf_ipsa; walker != NULL;
617 617 walker = walker->ipsa_next) {
618 618 if (!do_peers && walker->ipsa_haspeer)
619 619 continue;
620 620 if ((active_time != 0) &&
621 621 ((current - walker->ipsa_lastuse) > active_time))
622 622 continue;
623 623 error = sadb_dump_deliver(pfkey_q, original_answer,
624 624 walker, samsg);
625 625 if (error == ENOBUFS) {
626 626 mblk_t *new_original_answer;
627 627
628 628 /* Ran out of dupb's. Try a copyb. */
629 629 new_original_answer = copyb(original_answer);
630 630 if (new_original_answer == NULL) {
631 631 error = ENOMEM;
632 632 } else {
633 633 freeb(original_answer);
634 634 original_answer = new_original_answer;
635 635 error = sadb_dump_deliver(pfkey_q,
636 636 original_answer, walker, samsg);
637 637 }
638 638 }
639 639 if (error != 0)
640 640 break; /* out of for loop. */
641 641 }
642 642 mutex_exit(&fanout[i].isaf_lock);
643 643 if (error != 0)
644 644 break; /* out of for loop. */
645 645 }
646 646
647 647 freeb(original_answer);
648 648 return (error);
649 649 }
650 650
651 651 /*
652 652 * Dump an entire SADB; outbound first, then inbound.
653 653 */
654 654
655 655 int
656 656 sadb_dump(queue_t *pfkey_q, mblk_t *mp, keysock_in_t *ksi, sadb_t *sp)
657 657 {
658 658 int error;
659 659 time_t active_time = 0;
660 660 sadb_x_edump_t *edump =
661 661 (sadb_x_edump_t *)ksi->ks_in_extv[SADB_X_EXT_EDUMP];
662 662
663 663 if (edump != NULL) {
664 664 active_time = edump->sadb_x_edump_timeout;
665 665 }
666 666
667 667 /* Dump outbound */
668 668 error = sadb_dump_fanout(pfkey_q, mp, ksi->ks_in_serial, sp->sdb_of,
669 669 sp->sdb_hashsize, B_TRUE, active_time);
670 670 if (error)
671 671 return (error);
672 672
673 673 /* Dump inbound */
674 674 return sadb_dump_fanout(pfkey_q, mp, ksi->ks_in_serial, sp->sdb_if,
675 675 sp->sdb_hashsize, B_FALSE, active_time);
676 676 }
677 677
678 678 /*
679 679 * Generic sadb table walker.
680 680 *
681 681 * Call "walkfn" for each SA in each bucket in "table"; pass the
682 682 * bucket, the entry and "cookie" to the callback function.
683 683 * Take care to ensure that walkfn can delete the SA without screwing
684 684 * up our traverse.
685 685 *
686 686 * The bucket is locked for the duration of the callback, both so that the
687 687 * callback can just call sadb_unlinkassoc() when it wants to delete something,
688 688 * and so that no new entries are added while we're walking the list.
689 689 */
690 690 static void
691 691 sadb_walker(isaf_t *table, uint_t numentries,
692 692 void (*walkfn)(isaf_t *head, ipsa_t *entry, void *cookie),
693 693 void *cookie)
694 694 {
695 695 int i;
696 696 for (i = 0; i < numentries; i++) {
697 697 ipsa_t *entry, *next;
698 698
699 699 mutex_enter(&table[i].isaf_lock);
700 700
701 701 for (entry = table[i].isaf_ipsa; entry != NULL;
702 702 entry = next) {
703 703 next = entry->ipsa_next;
704 704 (*walkfn)(&table[i], entry, cookie);
705 705 }
706 706 mutex_exit(&table[i].isaf_lock);
707 707 }
708 708 }
709 709
710 710 /*
711 711 * Call me to free up a security association fanout. Use the forever
712 712 * variable to indicate freeing up the SAs (forever == B_FALSE, e.g.
713 713 * an SADB_FLUSH message), or destroying everything (forever == B_TRUE,
714 714 * when a module is unloaded).
715 715 */
716 716 static void
717 717 sadb_destroyer(isaf_t **tablep, uint_t numentries, boolean_t forever,
718 718 boolean_t inbound)
719 719 {
720 720 int i;
721 721 isaf_t *table = *tablep;
722 722 uint8_t protocol;
723 723 ipsa_t *sa;
724 724 netstackid_t sid;
725 725
726 726 if (table == NULL)
727 727 return;
728 728
729 729 for (i = 0; i < numentries; i++) {
730 730 mutex_enter(&table[i].isaf_lock);
731 731 while ((sa = table[i].isaf_ipsa) != NULL) {
732 732 if (inbound && cl_inet_deletespi &&
733 733 (sa->ipsa_state != IPSA_STATE_ACTIVE_ELSEWHERE) &&
734 734 (sa->ipsa_state != IPSA_STATE_IDLE)) {
735 735 protocol = (sa->ipsa_type == SADB_SATYPE_AH) ?
736 736 IPPROTO_AH : IPPROTO_ESP;
737 737 sid = sa->ipsa_netstack->netstack_stackid;
738 738 cl_inet_deletespi(sid, protocol, sa->ipsa_spi,
739 739 NULL);
740 740 }
741 741 sadb_unlinkassoc(sa);
742 742 }
743 743 table[i].isaf_gen++;
744 744 mutex_exit(&table[i].isaf_lock);
745 745 if (forever)
746 746 mutex_destroy(&(table[i].isaf_lock));
747 747 }
748 748
749 749 if (forever) {
750 750 *tablep = NULL;
751 751 kmem_free(table, numentries * sizeof (*table));
752 752 }
753 753 }
754 754
755 755 /*
756 756 * Entry points to sadb_destroyer().
757 757 */
758 758 static void
759 759 sadb_flush(sadb_t *sp, netstack_t *ns)
760 760 {
761 761 /*
762 762 * Flush out each bucket, one at a time. Were it not for keysock's
763 763 * enforcement, there would be a subtlety where I could add on the
764 764 * heels of a flush. With keysock's enforcement, however, this
765 765 * makes ESP's job easy.
766 766 */
767 767 sadb_destroyer(&sp->sdb_of, sp->sdb_hashsize, B_FALSE, B_FALSE);
768 768 sadb_destroyer(&sp->sdb_if, sp->sdb_hashsize, B_FALSE, B_TRUE);
769 769
770 770 /* For each acquire, destroy it; leave the bucket mutex alone. */
771 771 sadb_destroy_acqlist(&sp->sdb_acq, sp->sdb_hashsize, B_FALSE, ns);
772 772 }
773 773
774 774 static void
775 775 sadb_destroy(sadb_t *sp, netstack_t *ns)
776 776 {
777 777 sadb_destroyer(&sp->sdb_of, sp->sdb_hashsize, B_TRUE, B_FALSE);
778 778 sadb_destroyer(&sp->sdb_if, sp->sdb_hashsize, B_TRUE, B_TRUE);
779 779
780 780 /* For each acquire, destroy it, including the bucket mutex. */
781 781 sadb_destroy_acqlist(&sp->sdb_acq, sp->sdb_hashsize, B_TRUE, ns);
782 782
783 783 ASSERT(sp->sdb_of == NULL);
784 784 ASSERT(sp->sdb_if == NULL);
785 785 ASSERT(sp->sdb_acq == NULL);
786 786 }
787 787
788 788 void
789 789 sadbp_flush(sadbp_t *spp, netstack_t *ns)
790 790 {
791 791 sadb_flush(&spp->s_v4, ns);
792 792 sadb_flush(&spp->s_v6, ns);
793 793 }
794 794
795 795 void
796 796 sadbp_destroy(sadbp_t *spp, netstack_t *ns)
797 797 {
798 798 sadb_destroy(&spp->s_v4, ns);
799 799 sadb_destroy(&spp->s_v6, ns);
800 800
801 801 if (spp->s_satype == SADB_SATYPE_AH) {
802 802 ipsec_stack_t *ipss = ns->netstack_ipsec;
803 803
804 804 ip_drop_unregister(&ipss->ipsec_sadb_dropper);
805 805 }
806 806 }
807 807
808 808
809 809 /*
810 810 * Check hard vs. soft lifetimes. If there's a reality mismatch (e.g.
811 811 * soft lifetimes > hard lifetimes) return an appropriate diagnostic for
812 812 * EINVAL.
813 813 */
814 814 int
815 815 sadb_hardsoftchk(sadb_lifetime_t *hard, sadb_lifetime_t *soft,
816 816 sadb_lifetime_t *idle)
817 817 {
818 818 if (hard == NULL || soft == NULL)
819 819 return (0);
820 820
821 821 if (hard->sadb_lifetime_allocations != 0 &&
822 822 soft->sadb_lifetime_allocations != 0 &&
823 823 hard->sadb_lifetime_allocations < soft->sadb_lifetime_allocations)
824 824 return (SADB_X_DIAGNOSTIC_ALLOC_HSERR);
825 825
826 826 if (hard->sadb_lifetime_bytes != 0 &&
827 827 soft->sadb_lifetime_bytes != 0 &&
828 828 hard->sadb_lifetime_bytes < soft->sadb_lifetime_bytes)
829 829 return (SADB_X_DIAGNOSTIC_BYTES_HSERR);
830 830
831 831 if (hard->sadb_lifetime_addtime != 0 &&
832 832 soft->sadb_lifetime_addtime != 0 &&
833 833 hard->sadb_lifetime_addtime < soft->sadb_lifetime_addtime)
834 834 return (SADB_X_DIAGNOSTIC_ADDTIME_HSERR);
835 835
836 836 if (hard->sadb_lifetime_usetime != 0 &&
837 837 soft->sadb_lifetime_usetime != 0 &&
838 838 hard->sadb_lifetime_usetime < soft->sadb_lifetime_usetime)
839 839 return (SADB_X_DIAGNOSTIC_USETIME_HSERR);
840 840
841 841 if (idle != NULL) {
842 842 if (hard->sadb_lifetime_addtime != 0 &&
843 843 idle->sadb_lifetime_addtime != 0 &&
844 844 hard->sadb_lifetime_addtime < idle->sadb_lifetime_addtime)
845 845 return (SADB_X_DIAGNOSTIC_ADDTIME_HSERR);
846 846
847 847 if (soft->sadb_lifetime_addtime != 0 &&
848 848 idle->sadb_lifetime_addtime != 0 &&
849 849 soft->sadb_lifetime_addtime < idle->sadb_lifetime_addtime)
850 850 return (SADB_X_DIAGNOSTIC_ADDTIME_HSERR);
851 851
852 852 if (hard->sadb_lifetime_usetime != 0 &&
853 853 idle->sadb_lifetime_usetime != 0 &&
854 854 hard->sadb_lifetime_usetime < idle->sadb_lifetime_usetime)
855 855 return (SADB_X_DIAGNOSTIC_USETIME_HSERR);
856 856
857 857 if (soft->sadb_lifetime_usetime != 0 &&
858 858 idle->sadb_lifetime_usetime != 0 &&
859 859 soft->sadb_lifetime_usetime < idle->sadb_lifetime_usetime)
860 860 return (SADB_X_DIAGNOSTIC_USETIME_HSERR);
861 861 }
862 862
863 863 return (0);
864 864 }
865 865
866 866 /*
867 867 * Sanity check sensitivity labels.
868 868 *
869 869 * For now, just reject labels on unlabeled systems.
870 870 */
871 871 int
872 872 sadb_labelchk(keysock_in_t *ksi)
873 873 {
874 874 if (!is_system_labeled()) {
875 875 if (ksi->ks_in_extv[SADB_EXT_SENSITIVITY] != NULL)
876 876 return (SADB_X_DIAGNOSTIC_BAD_LABEL);
877 877
878 878 if (ksi->ks_in_extv[SADB_X_EXT_OUTER_SENS] != NULL)
879 879 return (SADB_X_DIAGNOSTIC_BAD_LABEL);
880 880 }
881 881
882 882 return (0);
883 883 }
884 884
885 885 /*
886 886 * Clone a security association for the purposes of inserting a single SA
887 887 * into inbound and outbound tables respectively. This function should only
888 888 * be called from sadb_common_add().
889 889 */
890 890 static ipsa_t *
891 891 sadb_cloneassoc(ipsa_t *ipsa)
892 892 {
893 893 ipsa_t *newbie;
894 894 boolean_t error = B_FALSE;
895 895
896 896 ASSERT(MUTEX_NOT_HELD(&(ipsa->ipsa_lock)));
897 897
898 898 newbie = kmem_alloc(sizeof (ipsa_t), KM_NOSLEEP);
899 899 if (newbie == NULL)
900 900 return (NULL);
901 901
902 902 /* Copy over what we can. */
903 903 *newbie = *ipsa;
904 904
905 905 /* bzero and initialize locks, in case *_init() allocates... */
906 906 mutex_init(&newbie->ipsa_lock, NULL, MUTEX_DEFAULT, NULL);
907 907
908 908 if (newbie->ipsa_tsl != NULL)
909 909 label_hold(newbie->ipsa_tsl);
910 910
911 911 if (newbie->ipsa_otsl != NULL)
912 912 label_hold(newbie->ipsa_otsl);
913 913
914 914 /*
915 915 * While somewhat dain-bramaged, the most graceful way to
916 916 * recover from errors is to keep plowing through the
917 917 * allocations, and getting what I can. It's easier to call
918 918 * sadb_freeassoc() on the stillborn clone when all the
919 919 * pointers aren't pointing to the parent's data.
920 920 */
921 921
922 922 if (ipsa->ipsa_authkey != NULL) {
923 923 newbie->ipsa_authkey = kmem_alloc(newbie->ipsa_authkeylen,
924 924 KM_NOSLEEP);
925 925 if (newbie->ipsa_authkey == NULL) {
926 926 error = B_TRUE;
927 927 } else {
928 928 bcopy(ipsa->ipsa_authkey, newbie->ipsa_authkey,
929 929 newbie->ipsa_authkeylen);
930 930
931 931 newbie->ipsa_kcfauthkey.ck_data =
932 932 newbie->ipsa_authkey;
933 933 }
934 934
935 935 if (newbie->ipsa_amech.cm_param != NULL) {
936 936 newbie->ipsa_amech.cm_param =
937 937 (char *)&newbie->ipsa_mac_len;
938 938 }
939 939 }
940 940
941 941 if (ipsa->ipsa_encrkey != NULL) {
942 942 newbie->ipsa_encrkey = kmem_alloc(newbie->ipsa_encrkeylen,
943 943 KM_NOSLEEP);
944 944 if (newbie->ipsa_encrkey == NULL) {
945 945 error = B_TRUE;
946 946 } else {
947 947 bcopy(ipsa->ipsa_encrkey, newbie->ipsa_encrkey,
948 948 newbie->ipsa_encrkeylen);
949 949
950 950 newbie->ipsa_kcfencrkey.ck_data =
951 951 newbie->ipsa_encrkey;
952 952 }
953 953 }
954 954
955 955 newbie->ipsa_authtmpl = NULL;
956 956 newbie->ipsa_encrtmpl = NULL;
957 957 newbie->ipsa_haspeer = B_TRUE;
958 958
959 959 if (ipsa->ipsa_src_cid != NULL) {
960 960 newbie->ipsa_src_cid = ipsa->ipsa_src_cid;
961 961 IPSID_REFHOLD(ipsa->ipsa_src_cid);
962 962 }
963 963
964 964 if (ipsa->ipsa_dst_cid != NULL) {
965 965 newbie->ipsa_dst_cid = ipsa->ipsa_dst_cid;
966 966 IPSID_REFHOLD(ipsa->ipsa_dst_cid);
967 967 }
968 968
969 969 if (error) {
970 970 sadb_freeassoc(newbie);
971 971 return (NULL);
972 972 }
973 973
974 974 return (newbie);
975 975 }
976 976
977 977 /*
978 978 * Initialize a SADB address extension at the address specified by addrext.
979 979 * Return a pointer to the end of the new address extension.
980 980 */
981 981 static uint8_t *
982 982 sadb_make_addr_ext(uint8_t *start, uint8_t *end, uint16_t exttype,
983 983 sa_family_t af, uint32_t *addr, uint16_t port, uint8_t proto, int prefix)
984 984 {
985 985 struct sockaddr_in *sin;
986 986 struct sockaddr_in6 *sin6;
987 987 uint8_t *cur = start;
988 988 int addrext_len;
989 989 int sin_len;
990 990 sadb_address_t *addrext = (sadb_address_t *)cur;
991 991
992 992 if (cur == NULL)
993 993 return (NULL);
994 994
995 995 cur += sizeof (*addrext);
996 996 if (cur > end)
997 997 return (NULL);
998 998
999 999 addrext->sadb_address_proto = proto;
1000 1000 addrext->sadb_address_prefixlen = prefix;
1001 1001 addrext->sadb_address_reserved = 0;
1002 1002 addrext->sadb_address_exttype = exttype;
1003 1003
1004 1004 switch (af) {
1005 1005 case AF_INET:
1006 1006 sin = (struct sockaddr_in *)cur;
1007 1007 sin_len = sizeof (*sin);
1008 1008 cur += sin_len;
1009 1009 if (cur > end)
1010 1010 return (NULL);
1011 1011
1012 1012 sin->sin_family = af;
1013 1013 bzero(sin->sin_zero, sizeof (sin->sin_zero));
1014 1014 sin->sin_port = port;
1015 1015 IPSA_COPY_ADDR(&sin->sin_addr, addr, af);
1016 1016 break;
1017 1017 case AF_INET6:
1018 1018 sin6 = (struct sockaddr_in6 *)cur;
1019 1019 sin_len = sizeof (*sin6);
1020 1020 cur += sin_len;
1021 1021 if (cur > end)
1022 1022 return (NULL);
1023 1023
1024 1024 bzero(sin6, sizeof (*sin6));
1025 1025 sin6->sin6_family = af;
1026 1026 sin6->sin6_port = port;
1027 1027 IPSA_COPY_ADDR(&sin6->sin6_addr, addr, af);
1028 1028 break;
1029 1029 }
1030 1030
1031 1031 addrext_len = roundup(cur - start, sizeof (uint64_t));
1032 1032 addrext->sadb_address_len = SADB_8TO64(addrext_len);
1033 1033
1034 1034 cur = start + addrext_len;
1035 1035 if (cur > end)
1036 1036 cur = NULL;
1037 1037
1038 1038 return (cur);
1039 1039 }
1040 1040
1041 1041 /*
1042 1042 * Construct a key management cookie extension.
1043 1043 */
1044 1044
1045 1045 static uint8_t *
1046 1046 sadb_make_kmc_ext(uint8_t *cur, uint8_t *end, uint32_t kmp, uint32_t kmc)
1047 1047 {
1048 1048 sadb_x_kmc_t *kmcext = (sadb_x_kmc_t *)cur;
1049 1049
1050 1050 if (cur == NULL)
1051 1051 return (NULL);
1052 1052
1053 1053 cur += sizeof (*kmcext);
1054 1054
1055 1055 if (cur > end)
1056 1056 return (NULL);
1057 1057
1058 1058 kmcext->sadb_x_kmc_len = SADB_8TO64(sizeof (*kmcext));
1059 1059 kmcext->sadb_x_kmc_exttype = SADB_X_EXT_KM_COOKIE;
1060 1060 kmcext->sadb_x_kmc_proto = kmp;
1061 1061 kmcext->sadb_x_kmc_cookie = kmc;
1062 1062 kmcext->sadb_x_kmc_reserved = 0;
1063 1063
1064 1064 return (cur);
1065 1065 }
1066 1066
1067 1067 /*
1068 1068 * Given an original message header with sufficient space following it, and an
1069 1069 * SA, construct a full PF_KEY message with all of the relevant extensions.
1070 1070 * This is mostly used for SADB_GET, and SADB_DUMP.
1071 1071 */
1072 1072 static mblk_t *
1073 1073 sadb_sa2msg(ipsa_t *ipsa, sadb_msg_t *samsg)
1074 1074 {
1075 1075 int alloclen, addrsize, paddrsize, authsize, encrsize;
1076 1076 int srcidsize, dstidsize, senslen, osenslen;
1077 1077 sa_family_t fam, pfam; /* Address family for SADB_EXT_ADDRESS */
1078 1078 /* src/dst and proxy sockaddrs. */
1079 1079 /*
1080 1080 * The following are pointers into the PF_KEY message this PF_KEY
1081 1081 * message creates.
1082 1082 */
1083 1083 sadb_msg_t *newsamsg;
1084 1084 sadb_sa_t *assoc;
1085 1085 sadb_lifetime_t *lt;
1086 1086 sadb_key_t *key;
1087 1087 sadb_ident_t *ident;
1088 1088 sadb_sens_t *sens;
1089 1089 sadb_ext_t *walker; /* For when we need a generic ext. pointer. */
1090 1090 sadb_x_replay_ctr_t *repl_ctr;
1091 1091 sadb_x_pair_t *pair_ext;
1092 1092
1093 1093 mblk_t *mp;
1094 1094 uint8_t *cur, *end;
1095 1095 /* These indicate the presence of the above extension fields. */
1096 1096 boolean_t soft = B_FALSE, hard = B_FALSE;
1097 1097 boolean_t isrc = B_FALSE, idst = B_FALSE;
1098 1098 boolean_t auth = B_FALSE, encr = B_FALSE;
1099 1099 boolean_t sensinteg = B_FALSE, osensinteg = B_FALSE;
1100 1100 boolean_t srcid = B_FALSE, dstid = B_FALSE;
1101 1101 boolean_t idle;
1102 1102 boolean_t paired;
1103 1103 uint32_t otherspi;
1104 1104
1105 1105 /* First off, figure out the allocation length for this message. */
1106 1106 /*
1107 1107 * Constant stuff. This includes base, SA, address (src, dst),
1108 1108 * and lifetime (current).
1109 1109 */
1110 1110 alloclen = sizeof (sadb_msg_t) + sizeof (sadb_sa_t) +
1111 1111 sizeof (sadb_lifetime_t);
1112 1112
1113 1113 fam = ipsa->ipsa_addrfam;
1114 1114 switch (fam) {
1115 1115 case AF_INET:
1116 1116 addrsize = roundup(sizeof (struct sockaddr_in) +
1117 1117 sizeof (sadb_address_t), sizeof (uint64_t));
1118 1118 break;
1119 1119 case AF_INET6:
1120 1120 addrsize = roundup(sizeof (struct sockaddr_in6) +
1121 1121 sizeof (sadb_address_t), sizeof (uint64_t));
1122 1122 break;
1123 1123 default:
1124 1124 return (NULL);
1125 1125 }
1126 1126 /*
1127 1127 * Allocate TWO address extensions, for source and destination.
1128 1128 * (Thus, the * 2.)
1129 1129 */
1130 1130 alloclen += addrsize * 2;
1131 1131 if (ipsa->ipsa_flags & IPSA_F_NATT_REM)
1132 1132 alloclen += addrsize;
1133 1133 if (ipsa->ipsa_flags & IPSA_F_NATT_LOC)
1134 1134 alloclen += addrsize;
1135 1135
1136 1136 if (ipsa->ipsa_flags & IPSA_F_PAIRED) {
1137 1137 paired = B_TRUE;
1138 1138 alloclen += sizeof (sadb_x_pair_t);
1139 1139 otherspi = ipsa->ipsa_otherspi;
1140 1140 } else {
1141 1141 paired = B_FALSE;
1142 1142 }
1143 1143
1144 1144 /* How 'bout other lifetimes? */
1145 1145 if (ipsa->ipsa_softaddlt != 0 || ipsa->ipsa_softuselt != 0 ||
1146 1146 ipsa->ipsa_softbyteslt != 0 || ipsa->ipsa_softalloc != 0) {
1147 1147 alloclen += sizeof (sadb_lifetime_t);
1148 1148 soft = B_TRUE;
1149 1149 }
1150 1150
1151 1151 if (ipsa->ipsa_hardaddlt != 0 || ipsa->ipsa_harduselt != 0 ||
1152 1152 ipsa->ipsa_hardbyteslt != 0 || ipsa->ipsa_hardalloc != 0) {
1153 1153 alloclen += sizeof (sadb_lifetime_t);
1154 1154 hard = B_TRUE;
1155 1155 }
1156 1156
1157 1157 if (ipsa->ipsa_idleaddlt != 0 || ipsa->ipsa_idleuselt != 0) {
1158 1158 alloclen += sizeof (sadb_lifetime_t);
1159 1159 idle = B_TRUE;
1160 1160 } else {
1161 1161 idle = B_FALSE;
1162 1162 }
1163 1163
1164 1164 /* Inner addresses. */
1165 1165 if (ipsa->ipsa_innerfam != 0) {
1166 1166 pfam = ipsa->ipsa_innerfam;
1167 1167 switch (pfam) {
1168 1168 case AF_INET6:
1169 1169 paddrsize = roundup(sizeof (struct sockaddr_in6) +
1170 1170 sizeof (sadb_address_t), sizeof (uint64_t));
1171 1171 break;
1172 1172 case AF_INET:
1173 1173 paddrsize = roundup(sizeof (struct sockaddr_in) +
1174 1174 sizeof (sadb_address_t), sizeof (uint64_t));
1175 1175 break;
1176 1176 default:
1177 1177 cmn_err(CE_PANIC,
1178 1178 "IPsec SADB: Proxy length failure.\n");
1179 1179 break;
1180 1180 }
1181 1181 isrc = B_TRUE;
1182 1182 idst = B_TRUE;
1183 1183 alloclen += 2 * paddrsize;
1184 1184 }
1185 1185
1186 1186 /* For the following fields, assume that length != 0 ==> stuff */
1187 1187 if (ipsa->ipsa_authkeylen != 0) {
1188 1188 authsize = roundup(sizeof (sadb_key_t) + ipsa->ipsa_authkeylen,
1189 1189 sizeof (uint64_t));
1190 1190 alloclen += authsize;
1191 1191 auth = B_TRUE;
1192 1192 }
1193 1193
1194 1194 if (ipsa->ipsa_encrkeylen != 0) {
1195 1195 encrsize = roundup(sizeof (sadb_key_t) + ipsa->ipsa_encrkeylen +
1196 1196 ipsa->ipsa_nonce_len, sizeof (uint64_t));
1197 1197 alloclen += encrsize;
1198 1198 encr = B_TRUE;
1199 1199 } else {
1200 1200 encr = B_FALSE;
1201 1201 }
1202 1202
1203 1203 if (ipsa->ipsa_tsl != NULL) {
1204 1204 senslen = sadb_sens_len_from_label(ipsa->ipsa_tsl);
1205 1205 alloclen += senslen;
1206 1206 sensinteg = B_TRUE;
1207 1207 }
1208 1208
1209 1209 if (ipsa->ipsa_otsl != NULL) {
1210 1210 osenslen = sadb_sens_len_from_label(ipsa->ipsa_otsl);
1211 1211 alloclen += osenslen;
1212 1212 osensinteg = B_TRUE;
1213 1213 }
1214 1214
1215 1215 /*
1216 1216 * Must use strlen() here for lengths. Identities use NULL
1217 1217 * pointers to indicate their nonexistence.
1218 1218 */
1219 1219 if (ipsa->ipsa_src_cid != NULL) {
1220 1220 srcidsize = roundup(sizeof (sadb_ident_t) +
1221 1221 strlen(ipsa->ipsa_src_cid->ipsid_cid) + 1,
1222 1222 sizeof (uint64_t));
1223 1223 alloclen += srcidsize;
1224 1224 srcid = B_TRUE;
1225 1225 }
1226 1226
1227 1227 if (ipsa->ipsa_dst_cid != NULL) {
1228 1228 dstidsize = roundup(sizeof (sadb_ident_t) +
1229 1229 strlen(ipsa->ipsa_dst_cid->ipsid_cid) + 1,
1230 1230 sizeof (uint64_t));
1231 1231 alloclen += dstidsize;
1232 1232 dstid = B_TRUE;
1233 1233 }
1234 1234
1235 1235 if ((ipsa->ipsa_kmp != 0) || (ipsa->ipsa_kmc != 0))
1236 1236 alloclen += sizeof (sadb_x_kmc_t);
1237 1237
1238 1238 if (ipsa->ipsa_replay != 0) {
1239 1239 alloclen += sizeof (sadb_x_replay_ctr_t);
1240 1240 }
1241 1241
1242 1242 /* Make sure the allocation length is a multiple of 8 bytes. */
1243 1243 ASSERT((alloclen & 0x7) == 0);
1244 1244
1245 1245 /* XXX Possibly make it esballoc, with a bzero-ing free_ftn. */
1246 1246 mp = allocb(alloclen, BPRI_HI);
1247 1247 if (mp == NULL)
1248 1248 return (NULL);
1249 1249 bzero(mp->b_rptr, alloclen);
1250 1250
1251 1251 mp->b_wptr += alloclen;
1252 1252 end = mp->b_wptr;
1253 1253 newsamsg = (sadb_msg_t *)mp->b_rptr;
1254 1254 *newsamsg = *samsg;
1255 1255 newsamsg->sadb_msg_len = (uint16_t)SADB_8TO64(alloclen);
1256 1256
1257 1257 mutex_enter(&ipsa->ipsa_lock); /* Since I'm grabbing SA fields... */
1258 1258
1259 1259 newsamsg->sadb_msg_satype = ipsa->ipsa_type;
1260 1260
1261 1261 assoc = (sadb_sa_t *)(newsamsg + 1);
1262 1262 assoc->sadb_sa_len = SADB_8TO64(sizeof (*assoc));
1263 1263 assoc->sadb_sa_exttype = SADB_EXT_SA;
1264 1264 assoc->sadb_sa_spi = ipsa->ipsa_spi;
1265 1265 assoc->sadb_sa_replay = ipsa->ipsa_replay_wsize;
1266 1266 assoc->sadb_sa_state = ipsa->ipsa_state;
1267 1267 assoc->sadb_sa_auth = ipsa->ipsa_auth_alg;
1268 1268 assoc->sadb_sa_encrypt = ipsa->ipsa_encr_alg;
1269 1269 assoc->sadb_sa_flags = ipsa->ipsa_flags;
1270 1270
1271 1271 lt = (sadb_lifetime_t *)(assoc + 1);
1272 1272 lt->sadb_lifetime_len = SADB_8TO64(sizeof (*lt));
1273 1273 lt->sadb_lifetime_exttype = SADB_EXT_LIFETIME_CURRENT;
1274 1274 /* We do not support the concept. */
1275 1275 lt->sadb_lifetime_allocations = 0;
1276 1276 lt->sadb_lifetime_bytes = ipsa->ipsa_bytes;
1277 1277 lt->sadb_lifetime_addtime = ipsa->ipsa_addtime;
1278 1278 lt->sadb_lifetime_usetime = ipsa->ipsa_usetime;
1279 1279
1280 1280 if (hard) {
1281 1281 lt++;
1282 1282 lt->sadb_lifetime_len = SADB_8TO64(sizeof (*lt));
1283 1283 lt->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD;
1284 1284 lt->sadb_lifetime_allocations = ipsa->ipsa_hardalloc;
1285 1285 lt->sadb_lifetime_bytes = ipsa->ipsa_hardbyteslt;
1286 1286 lt->sadb_lifetime_addtime = ipsa->ipsa_hardaddlt;
1287 1287 lt->sadb_lifetime_usetime = ipsa->ipsa_harduselt;
1288 1288 }
1289 1289
1290 1290 if (soft) {
1291 1291 lt++;
1292 1292 lt->sadb_lifetime_len = SADB_8TO64(sizeof (*lt));
1293 1293 lt->sadb_lifetime_exttype = SADB_EXT_LIFETIME_SOFT;
1294 1294 lt->sadb_lifetime_allocations = ipsa->ipsa_softalloc;
1295 1295 lt->sadb_lifetime_bytes = ipsa->ipsa_softbyteslt;
1296 1296 lt->sadb_lifetime_addtime = ipsa->ipsa_softaddlt;
1297 1297 lt->sadb_lifetime_usetime = ipsa->ipsa_softuselt;
1298 1298 }
1299 1299
1300 1300 if (idle) {
1301 1301 lt++;
1302 1302 lt->sadb_lifetime_len = SADB_8TO64(sizeof (*lt));
1303 1303 lt->sadb_lifetime_exttype = SADB_X_EXT_LIFETIME_IDLE;
1304 1304 lt->sadb_lifetime_addtime = ipsa->ipsa_idleaddlt;
1305 1305 lt->sadb_lifetime_usetime = ipsa->ipsa_idleuselt;
1306 1306 }
1307 1307
1308 1308 cur = (uint8_t *)(lt + 1);
1309 1309
1310 1310 /* NOTE: Don't fill in ports here if we are a tunnel-mode SA. */
1311 1311 cur = sadb_make_addr_ext(cur, end, SADB_EXT_ADDRESS_SRC, fam,
1312 1312 ipsa->ipsa_srcaddr, (!isrc && !idst) ? SA_SRCPORT(ipsa) : 0,
1313 1313 SA_PROTO(ipsa), 0);
1314 1314 if (cur == NULL) {
1315 1315 freemsg(mp);
1316 1316 mp = NULL;
1317 1317 goto bail;
1318 1318 }
1319 1319
1320 1320 cur = sadb_make_addr_ext(cur, end, SADB_EXT_ADDRESS_DST, fam,
1321 1321 ipsa->ipsa_dstaddr, (!isrc && !idst) ? SA_DSTPORT(ipsa) : 0,
1322 1322 SA_PROTO(ipsa), 0);
1323 1323 if (cur == NULL) {
1324 1324 freemsg(mp);
1325 1325 mp = NULL;
1326 1326 goto bail;
1327 1327 }
1328 1328
1329 1329 if (ipsa->ipsa_flags & IPSA_F_NATT_LOC) {
1330 1330 cur = sadb_make_addr_ext(cur, end, SADB_X_EXT_ADDRESS_NATT_LOC,
1331 1331 fam, &ipsa->ipsa_natt_addr_loc, ipsa->ipsa_local_nat_port,
1332 1332 IPPROTO_UDP, 0);
1333 1333 if (cur == NULL) {
1334 1334 freemsg(mp);
1335 1335 mp = NULL;
1336 1336 goto bail;
1337 1337 }
1338 1338 }
1339 1339
1340 1340 if (ipsa->ipsa_flags & IPSA_F_NATT_REM) {
1341 1341 cur = sadb_make_addr_ext(cur, end, SADB_X_EXT_ADDRESS_NATT_REM,
1342 1342 fam, &ipsa->ipsa_natt_addr_rem, ipsa->ipsa_remote_nat_port,
1343 1343 IPPROTO_UDP, 0);
1344 1344 if (cur == NULL) {
1345 1345 freemsg(mp);
1346 1346 mp = NULL;
1347 1347 goto bail;
1348 1348 }
1349 1349 }
1350 1350
1351 1351 /* If we are a tunnel-mode SA, fill in the inner-selectors. */
1352 1352 if (isrc) {
1353 1353 cur = sadb_make_addr_ext(cur, end, SADB_X_EXT_ADDRESS_INNER_SRC,
1354 1354 pfam, ipsa->ipsa_innersrc, SA_SRCPORT(ipsa),
1355 1355 SA_IPROTO(ipsa), ipsa->ipsa_innersrcpfx);
1356 1356 if (cur == NULL) {
1357 1357 freemsg(mp);
1358 1358 mp = NULL;
1359 1359 goto bail;
1360 1360 }
1361 1361 }
1362 1362
1363 1363 if (idst) {
1364 1364 cur = sadb_make_addr_ext(cur, end, SADB_X_EXT_ADDRESS_INNER_DST,
1365 1365 pfam, ipsa->ipsa_innerdst, SA_DSTPORT(ipsa),
1366 1366 SA_IPROTO(ipsa), ipsa->ipsa_innerdstpfx);
1367 1367 if (cur == NULL) {
1368 1368 freemsg(mp);
1369 1369 mp = NULL;
1370 1370 goto bail;
1371 1371 }
1372 1372 }
1373 1373
1374 1374 if ((ipsa->ipsa_kmp != 0) || (ipsa->ipsa_kmc != 0)) {
1375 1375 cur = sadb_make_kmc_ext(cur, end,
1376 1376 ipsa->ipsa_kmp, ipsa->ipsa_kmc);
1377 1377 if (cur == NULL) {
1378 1378 freemsg(mp);
1379 1379 mp = NULL;
1380 1380 goto bail;
1381 1381 }
1382 1382 }
1383 1383
1384 1384 walker = (sadb_ext_t *)cur;
1385 1385 if (auth) {
1386 1386 key = (sadb_key_t *)walker;
1387 1387 key->sadb_key_len = SADB_8TO64(authsize);
1388 1388 key->sadb_key_exttype = SADB_EXT_KEY_AUTH;
1389 1389 key->sadb_key_bits = ipsa->ipsa_authkeybits;
1390 1390 key->sadb_key_reserved = 0;
1391 1391 bcopy(ipsa->ipsa_authkey, key + 1, ipsa->ipsa_authkeylen);
1392 1392 walker = (sadb_ext_t *)((uint64_t *)walker +
1393 1393 walker->sadb_ext_len);
1394 1394 }
1395 1395
1396 1396 if (encr) {
1397 1397 uint8_t *buf_ptr;
1398 1398 key = (sadb_key_t *)walker;
1399 1399 key->sadb_key_len = SADB_8TO64(encrsize);
1400 1400 key->sadb_key_exttype = SADB_EXT_KEY_ENCRYPT;
1401 1401 key->sadb_key_bits = ipsa->ipsa_encrkeybits;
1402 1402 key->sadb_key_reserved = ipsa->ipsa_saltbits;
1403 1403 buf_ptr = (uint8_t *)(key + 1);
1404 1404 bcopy(ipsa->ipsa_encrkey, buf_ptr, ipsa->ipsa_encrkeylen);
1405 1405 if (ipsa->ipsa_salt != NULL) {
1406 1406 buf_ptr += ipsa->ipsa_encrkeylen;
1407 1407 bcopy(ipsa->ipsa_salt, buf_ptr, ipsa->ipsa_saltlen);
1408 1408 }
1409 1409 walker = (sadb_ext_t *)((uint64_t *)walker +
1410 1410 walker->sadb_ext_len);
1411 1411 }
1412 1412
1413 1413 if (srcid) {
1414 1414 ident = (sadb_ident_t *)walker;
1415 1415 ident->sadb_ident_len = SADB_8TO64(srcidsize);
1416 1416 ident->sadb_ident_exttype = SADB_EXT_IDENTITY_SRC;
1417 1417 ident->sadb_ident_type = ipsa->ipsa_src_cid->ipsid_type;
1418 1418 ident->sadb_ident_id = 0;
1419 1419 ident->sadb_ident_reserved = 0;
1420 1420 (void) strcpy((char *)(ident + 1),
1421 1421 ipsa->ipsa_src_cid->ipsid_cid);
1422 1422 walker = (sadb_ext_t *)((uint64_t *)walker +
1423 1423 walker->sadb_ext_len);
1424 1424 }
1425 1425
1426 1426 if (dstid) {
1427 1427 ident = (sadb_ident_t *)walker;
1428 1428 ident->sadb_ident_len = SADB_8TO64(dstidsize);
1429 1429 ident->sadb_ident_exttype = SADB_EXT_IDENTITY_DST;
1430 1430 ident->sadb_ident_type = ipsa->ipsa_dst_cid->ipsid_type;
1431 1431 ident->sadb_ident_id = 0;
1432 1432 ident->sadb_ident_reserved = 0;
1433 1433 (void) strcpy((char *)(ident + 1),
1434 1434 ipsa->ipsa_dst_cid->ipsid_cid);
1435 1435 walker = (sadb_ext_t *)((uint64_t *)walker +
1436 1436 walker->sadb_ext_len);
1437 1437 }
1438 1438
1439 1439 if (sensinteg) {
1440 1440 sens = (sadb_sens_t *)walker;
1441 1441 sadb_sens_from_label(sens, SADB_EXT_SENSITIVITY,
1442 1442 ipsa->ipsa_tsl, senslen);
1443 1443
1444 1444 walker = (sadb_ext_t *)((uint64_t *)walker +
1445 1445 walker->sadb_ext_len);
1446 1446 }
1447 1447
1448 1448 if (osensinteg) {
1449 1449 sens = (sadb_sens_t *)walker;
1450 1450
1451 1451 sadb_sens_from_label(sens, SADB_X_EXT_OUTER_SENS,
1452 1452 ipsa->ipsa_otsl, osenslen);
1453 1453 if (ipsa->ipsa_mac_exempt)
1454 1454 sens->sadb_x_sens_flags = SADB_X_SENS_IMPLICIT;
1455 1455
1456 1456 walker = (sadb_ext_t *)((uint64_t *)walker +
1457 1457 walker->sadb_ext_len);
1458 1458 }
1459 1459
1460 1460 if (paired) {
1461 1461 pair_ext = (sadb_x_pair_t *)walker;
1462 1462
1463 1463 pair_ext->sadb_x_pair_len = SADB_8TO64(sizeof (sadb_x_pair_t));
1464 1464 pair_ext->sadb_x_pair_exttype = SADB_X_EXT_PAIR;
1465 1465 pair_ext->sadb_x_pair_spi = otherspi;
1466 1466
1467 1467 walker = (sadb_ext_t *)((uint64_t *)walker +
1468 1468 walker->sadb_ext_len);
1469 1469 }
1470 1470
1471 1471 if (ipsa->ipsa_replay != 0) {
1472 1472 repl_ctr = (sadb_x_replay_ctr_t *)walker;
1473 1473 repl_ctr->sadb_x_rc_len = SADB_8TO64(sizeof (*repl_ctr));
1474 1474 repl_ctr->sadb_x_rc_exttype = SADB_X_EXT_REPLAY_VALUE;
1475 1475 repl_ctr->sadb_x_rc_replay32 = ipsa->ipsa_replay;
1476 1476 repl_ctr->sadb_x_rc_replay64 = 0;
1477 1477 walker = (sadb_ext_t *)(repl_ctr + 1);
1478 1478 }
1479 1479
1480 1480 bail:
1481 1481 /* Pardon any delays... */
1482 1482 mutex_exit(&ipsa->ipsa_lock);
1483 1483
1484 1484 return (mp);
1485 1485 }
1486 1486
1487 1487 /*
1488 1488 * Strip out key headers or unmarked headers (SADB_EXT_KEY_*, SADB_EXT_UNKNOWN)
1489 1489 * and adjust base message accordingly.
1490 1490 *
1491 1491 * Assume message is pulled up in one piece of contiguous memory.
1492 1492 *
1493 1493 * Say if we start off with:
1494 1494 *
1495 1495 * +------+----+-------------+-----------+---------------+---------------+
1496 1496 * | base | SA | source addr | dest addr | rsrvd. or key | soft lifetime |
1497 1497 * +------+----+-------------+-----------+---------------+---------------+
1498 1498 *
1499 1499 * we will end up with
1500 1500 *
1501 1501 * +------+----+-------------+-----------+---------------+
1502 1502 * | base | SA | source addr | dest addr | soft lifetime |
1503 1503 * +------+----+-------------+-----------+---------------+
1504 1504 */
1505 1505 static void
1506 1506 sadb_strip(sadb_msg_t *samsg)
1507 1507 {
1508 1508 sadb_ext_t *ext;
1509 1509 uint8_t *target = NULL;
1510 1510 uint8_t *msgend;
1511 1511 int sofar = SADB_8TO64(sizeof (*samsg));
1512 1512 int copylen;
1513 1513
1514 1514 ext = (sadb_ext_t *)(samsg + 1);
1515 1515 msgend = (uint8_t *)samsg;
1516 1516 msgend += SADB_64TO8(samsg->sadb_msg_len);
1517 1517 while ((uint8_t *)ext < msgend) {
1518 1518 if (ext->sadb_ext_type == SADB_EXT_RESERVED ||
1519 1519 ext->sadb_ext_type == SADB_EXT_KEY_AUTH ||
1520 1520 ext->sadb_ext_type == SADB_X_EXT_EDUMP ||
1521 1521 ext->sadb_ext_type == SADB_EXT_KEY_ENCRYPT) {
1522 1522 /*
1523 1523 * Aha! I found a header to be erased.
1524 1524 */
1525 1525
1526 1526 if (target != NULL) {
1527 1527 /*
1528 1528 * If I had a previous header to be erased,
1529 1529 * copy over it. I can get away with just
1530 1530 * copying backwards because the target will
1531 1531 * always be 8 bytes behind the source.
1532 1532 */
1533 1533 copylen = ((uint8_t *)ext) - (target +
1534 1534 SADB_64TO8(
1535 1535 ((sadb_ext_t *)target)->sadb_ext_len));
1536 1536 ovbcopy(((uint8_t *)ext - copylen), target,
1537 1537 copylen);
1538 1538 target += copylen;
1539 1539 ((sadb_ext_t *)target)->sadb_ext_len =
1540 1540 SADB_8TO64(((uint8_t *)ext) - target +
1541 1541 SADB_64TO8(ext->sadb_ext_len));
1542 1542 } else {
1543 1543 target = (uint8_t *)ext;
1544 1544 }
1545 1545 } else {
1546 1546 sofar += ext->sadb_ext_len;
1547 1547 }
1548 1548
1549 1549 ext = (sadb_ext_t *)(((uint64_t *)ext) + ext->sadb_ext_len);
1550 1550 }
1551 1551
1552 1552 ASSERT((uint8_t *)ext == msgend);
1553 1553
1554 1554 if (target != NULL) {
1555 1555 copylen = ((uint8_t *)ext) - (target +
1556 1556 SADB_64TO8(((sadb_ext_t *)target)->sadb_ext_len));
1557 1557 if (copylen != 0)
1558 1558 ovbcopy(((uint8_t *)ext - copylen), target, copylen);
1559 1559 }
1560 1560
1561 1561 /* Adjust samsg. */
1562 1562 samsg->sadb_msg_len = (uint16_t)sofar;
1563 1563
1564 1564 /* Assume all of the rest is cleared by caller in sadb_pfkey_echo(). */
1565 1565 }
1566 1566
1567 1567 /*
1568 1568 * AH needs to send an error to PF_KEY. Assume mp points to an M_CTL
1569 1569 * followed by an M_DATA with a PF_KEY message in it. The serial of
1570 1570 * the sending keysock instance is included.
1571 1571 */
1572 1572 void
1573 1573 sadb_pfkey_error(queue_t *pfkey_q, mblk_t *mp, int error, int diagnostic,
1574 1574 uint_t serial)
1575 1575 {
1576 1576 mblk_t *msg = mp->b_cont;
1577 1577 sadb_msg_t *samsg;
1578 1578 keysock_out_t *kso;
1579 1579
1580 1580 /*
1581 1581 * Enough functions call this to merit a NULL queue check.
1582 1582 */
1583 1583 if (pfkey_q == NULL) {
1584 1584 freemsg(mp);
1585 1585 return;
1586 1586 }
1587 1587
1588 1588 ASSERT(msg != NULL);
1589 1589 ASSERT((mp->b_wptr - mp->b_rptr) == sizeof (ipsec_info_t));
1590 1590 ASSERT((msg->b_wptr - msg->b_rptr) >= sizeof (sadb_msg_t));
1591 1591 samsg = (sadb_msg_t *)msg->b_rptr;
1592 1592 kso = (keysock_out_t *)mp->b_rptr;
1593 1593
1594 1594 kso->ks_out_type = KEYSOCK_OUT;
1595 1595 kso->ks_out_len = sizeof (*kso);
1596 1596 kso->ks_out_serial = serial;
1597 1597
1598 1598 /*
1599 1599 * Only send the base message up in the event of an error.
1600 1600 * Don't worry about bzero()-ing, because it was probably bogus
1601 1601 * anyway.
1602 1602 */
1603 1603 msg->b_wptr = msg->b_rptr + sizeof (*samsg);
1604 1604 samsg = (sadb_msg_t *)msg->b_rptr;
1605 1605 samsg->sadb_msg_len = SADB_8TO64(sizeof (*samsg));
1606 1606 samsg->sadb_msg_errno = (uint8_t)error;
1607 1607 if (diagnostic != SADB_X_DIAGNOSTIC_PRESET)
1608 1608 samsg->sadb_x_msg_diagnostic = (uint16_t)diagnostic;
1609 1609
1610 1610 putnext(pfkey_q, mp);
1611 1611 }
1612 1612
1613 1613 /*
1614 1614 * Send a successful return packet back to keysock via the queue in pfkey_q.
1615 1615 *
1616 1616 * Often, an SA is associated with the reply message, it's passed in if needed,
1617 1617 * and NULL if not. BTW, that ipsa will have its refcnt appropriately held,
1618 1618 * and the caller will release said refcnt.
1619 1619 */
1620 1620 void
1621 1621 sadb_pfkey_echo(queue_t *pfkey_q, mblk_t *mp, sadb_msg_t *samsg,
1622 1622 keysock_in_t *ksi, ipsa_t *ipsa)
1623 1623 {
1624 1624 keysock_out_t *kso;
1625 1625 mblk_t *mp1;
1626 1626 sadb_msg_t *newsamsg;
1627 1627 uint8_t *oldend;
1628 1628
1629 1629 ASSERT((mp->b_cont != NULL) &&
1630 1630 ((void *)samsg == (void *)mp->b_cont->b_rptr) &&
1631 1631 ((void *)mp->b_rptr == (void *)ksi));
1632 1632
1633 1633 switch (samsg->sadb_msg_type) {
1634 1634 case SADB_ADD:
1635 1635 case SADB_UPDATE:
1636 1636 case SADB_X_UPDATEPAIR:
1637 1637 case SADB_X_DELPAIR_STATE:
1638 1638 case SADB_FLUSH:
1639 1639 case SADB_DUMP:
1640 1640 /*
1641 1641 * I have all of the message already. I just need to strip
1642 1642 * out the keying material and echo the message back.
1643 1643 *
1644 1644 * NOTE: for SADB_DUMP, the function sadb_dump() did the
1645 1645 * work. When DUMP reaches here, it should only be a base
1646 1646 * message.
1647 1647 */
1648 1648 justecho:
1649 1649 if (ksi->ks_in_extv[SADB_EXT_KEY_AUTH] != NULL ||
1650 1650 ksi->ks_in_extv[SADB_EXT_KEY_ENCRYPT] != NULL ||
1651 1651 ksi->ks_in_extv[SADB_X_EXT_EDUMP] != NULL) {
1652 1652 sadb_strip(samsg);
1653 1653 /* Assume PF_KEY message is contiguous. */
1654 1654 ASSERT(mp->b_cont->b_cont == NULL);
1655 1655 oldend = mp->b_cont->b_wptr;
1656 1656 mp->b_cont->b_wptr = mp->b_cont->b_rptr +
1657 1657 SADB_64TO8(samsg->sadb_msg_len);
1658 1658 bzero(mp->b_cont->b_wptr, oldend - mp->b_cont->b_wptr);
1659 1659 }
1660 1660 break;
1661 1661 case SADB_GET:
1662 1662 /*
1663 1663 * Do a lot of work here, because of the ipsa I just found.
1664 1664 * First construct the new PF_KEY message, then abandon
1665 1665 * the old one.
1666 1666 */
1667 1667 mp1 = sadb_sa2msg(ipsa, samsg);
1668 1668 if (mp1 == NULL) {
1669 1669 sadb_pfkey_error(pfkey_q, mp, ENOMEM,
1670 1670 SADB_X_DIAGNOSTIC_NONE, ksi->ks_in_serial);
1671 1671 return;
1672 1672 }
1673 1673 freemsg(mp->b_cont);
1674 1674 mp->b_cont = mp1;
1675 1675 break;
1676 1676 case SADB_DELETE:
1677 1677 case SADB_X_DELPAIR:
1678 1678 if (ipsa == NULL)
1679 1679 goto justecho;
1680 1680 /*
1681 1681 * Because listening KMds may require more info, treat
1682 1682 * DELETE like a special case of GET.
1683 1683 */
1684 1684 mp1 = sadb_sa2msg(ipsa, samsg);
1685 1685 if (mp1 == NULL) {
1686 1686 sadb_pfkey_error(pfkey_q, mp, ENOMEM,
1687 1687 SADB_X_DIAGNOSTIC_NONE, ksi->ks_in_serial);
1688 1688 return;
1689 1689 }
1690 1690 newsamsg = (sadb_msg_t *)mp1->b_rptr;
1691 1691 sadb_strip(newsamsg);
1692 1692 oldend = mp1->b_wptr;
1693 1693 mp1->b_wptr = mp1->b_rptr + SADB_64TO8(newsamsg->sadb_msg_len);
1694 1694 bzero(mp1->b_wptr, oldend - mp1->b_wptr);
1695 1695 freemsg(mp->b_cont);
1696 1696 mp->b_cont = mp1;
1697 1697 break;
1698 1698 default:
1699 1699 if (mp != NULL)
1700 1700 freemsg(mp);
1701 1701 return;
1702 1702 }
1703 1703
1704 1704 /* ksi is now null and void. */
1705 1705 kso = (keysock_out_t *)ksi;
1706 1706 kso->ks_out_type = KEYSOCK_OUT;
1707 1707 kso->ks_out_len = sizeof (*kso);
1708 1708 kso->ks_out_serial = ksi->ks_in_serial;
1709 1709 /* We're ready to send... */
1710 1710 putnext(pfkey_q, mp);
1711 1711 }
1712 1712
1713 1713 /*
1714 1714 * Set up a global pfkey_q instance for AH, ESP, or some other consumer.
1715 1715 */
1716 1716 void
1717 1717 sadb_keysock_hello(queue_t **pfkey_qp, queue_t *q, mblk_t *mp,
1718 1718 void (*ager)(void *), void *agerarg, timeout_id_t *top, int satype)
1719 1719 {
1720 1720 keysock_hello_ack_t *kha;
1721 1721 queue_t *oldq;
1722 1722
1723 1723 ASSERT(OTHERQ(q) != NULL);
↓ open down ↓ |
1723 lines elided |
↑ open up ↑ |
1724 1724
1725 1725 /*
1726 1726 * First, check atomically that I'm the first and only keysock
1727 1727 * instance.
1728 1728 *
1729 1729 * Use OTHERQ(q), because qreply(q, mp) == putnext(OTHERQ(q), mp),
1730 1730 * and I want this module to say putnext(*_pfkey_q, mp) for PF_KEY
1731 1731 * messages.
1732 1732 */
1733 1733
1734 - oldq = casptr((void **)pfkey_qp, NULL, OTHERQ(q));
1734 + oldq = atomic_cas_ptr((void **)pfkey_qp, NULL, OTHERQ(q));
1735 1735 if (oldq != NULL) {
1736 1736 ASSERT(oldq != q);
1737 1737 cmn_err(CE_WARN, "Danger! Multiple keysocks on top of %s.\n",
1738 1738 (satype == SADB_SATYPE_ESP)? "ESP" : "AH or other");
1739 1739 freemsg(mp);
1740 1740 return;
1741 1741 }
1742 1742
1743 1743 kha = (keysock_hello_ack_t *)mp->b_rptr;
1744 1744 kha->ks_hello_len = sizeof (keysock_hello_ack_t);
1745 1745 kha->ks_hello_type = KEYSOCK_HELLO_ACK;
1746 1746 kha->ks_hello_satype = (uint8_t)satype;
1747 1747
1748 1748 /*
1749 - * If we made it past the casptr, then we have "exclusive" access
1750 - * to the timeout handle. Fire it off after the default ager
1749 + * If we made it past the atomic_cas_ptr, then we have "exclusive"
1750 + * access to the timeout handle. Fire it off after the default ager
1751 1751 * interval.
1752 1752 */
1753 1753 *top = qtimeout(*pfkey_qp, ager, agerarg,
1754 1754 drv_usectohz(SADB_AGE_INTERVAL_DEFAULT * 1000));
1755 1755
1756 1756 putnext(*pfkey_qp, mp);
1757 1757 }
1758 1758
1759 1759 /*
1760 1760 * Normalize IPv4-mapped IPv6 addresses (and prefixes) as appropriate.
1761 1761 *
1762 1762 * Check addresses themselves for wildcard or multicast.
1763 1763 * Check ire table for local/non-local/broadcast.
1764 1764 */
1765 1765 int
1766 1766 sadb_addrcheck(queue_t *pfkey_q, mblk_t *mp, sadb_ext_t *ext, uint_t serial,
1767 1767 netstack_t *ns)
1768 1768 {
1769 1769 sadb_address_t *addr = (sadb_address_t *)ext;
1770 1770 struct sockaddr_in *sin;
1771 1771 struct sockaddr_in6 *sin6;
1772 1772 int diagnostic, type;
1773 1773 boolean_t normalized = B_FALSE;
1774 1774
1775 1775 ASSERT(ext != NULL);
1776 1776 ASSERT((ext->sadb_ext_type == SADB_EXT_ADDRESS_SRC) ||
1777 1777 (ext->sadb_ext_type == SADB_EXT_ADDRESS_DST) ||
1778 1778 (ext->sadb_ext_type == SADB_X_EXT_ADDRESS_INNER_SRC) ||
1779 1779 (ext->sadb_ext_type == SADB_X_EXT_ADDRESS_INNER_DST) ||
1780 1780 (ext->sadb_ext_type == SADB_X_EXT_ADDRESS_NATT_LOC) ||
1781 1781 (ext->sadb_ext_type == SADB_X_EXT_ADDRESS_NATT_REM));
1782 1782
1783 1783 /* Assign both sockaddrs, the compiler will do the right thing. */
1784 1784 sin = (struct sockaddr_in *)(addr + 1);
1785 1785 sin6 = (struct sockaddr_in6 *)(addr + 1);
1786 1786
1787 1787 if (sin6->sin6_family == AF_INET6) {
1788 1788 if (IN6_IS_ADDR_V4MAPPED(&sin6->sin6_addr)) {
1789 1789 /*
1790 1790 * Convert to an AF_INET sockaddr. This means the
1791 1791 * return messages will have the extra space, but have
1792 1792 * AF_INET sockaddrs instead of AF_INET6.
1793 1793 *
1794 1794 * Yes, RFC 2367 isn't clear on what to do here w.r.t.
1795 1795 * mapped addresses, but since AF_INET6 ::ffff:<v4> is
1796 1796 * equal to AF_INET <v4>, it shouldnt be a huge
1797 1797 * problem.
1798 1798 */
1799 1799 sin->sin_family = AF_INET;
1800 1800 IN6_V4MAPPED_TO_INADDR(&sin6->sin6_addr,
1801 1801 &sin->sin_addr);
1802 1802 bzero(&sin->sin_zero, sizeof (sin->sin_zero));
1803 1803 normalized = B_TRUE;
1804 1804 }
1805 1805 } else if (sin->sin_family != AF_INET) {
1806 1806 switch (ext->sadb_ext_type) {
1807 1807 case SADB_EXT_ADDRESS_SRC:
1808 1808 diagnostic = SADB_X_DIAGNOSTIC_BAD_SRC_AF;
1809 1809 break;
1810 1810 case SADB_EXT_ADDRESS_DST:
1811 1811 diagnostic = SADB_X_DIAGNOSTIC_BAD_DST_AF;
1812 1812 break;
1813 1813 case SADB_X_EXT_ADDRESS_INNER_SRC:
1814 1814 diagnostic = SADB_X_DIAGNOSTIC_BAD_PROXY_AF;
1815 1815 break;
1816 1816 case SADB_X_EXT_ADDRESS_INNER_DST:
1817 1817 diagnostic = SADB_X_DIAGNOSTIC_BAD_INNER_DST_AF;
1818 1818 break;
1819 1819 case SADB_X_EXT_ADDRESS_NATT_LOC:
1820 1820 diagnostic = SADB_X_DIAGNOSTIC_BAD_NATT_LOC_AF;
1821 1821 break;
1822 1822 case SADB_X_EXT_ADDRESS_NATT_REM:
1823 1823 diagnostic = SADB_X_DIAGNOSTIC_BAD_NATT_REM_AF;
1824 1824 break;
1825 1825 /* There is no default, see above ASSERT. */
1826 1826 }
1827 1827 bail:
1828 1828 if (pfkey_q != NULL) {
1829 1829 sadb_pfkey_error(pfkey_q, mp, EINVAL, diagnostic,
1830 1830 serial);
1831 1831 } else {
1832 1832 /*
1833 1833 * Scribble in sadb_msg that we got passed in.
1834 1834 * Overload "mp" to be an sadb_msg pointer.
1835 1835 */
1836 1836 sadb_msg_t *samsg = (sadb_msg_t *)mp;
1837 1837
1838 1838 samsg->sadb_msg_errno = EINVAL;
1839 1839 samsg->sadb_x_msg_diagnostic = diagnostic;
1840 1840 }
1841 1841 return (KS_IN_ADDR_UNKNOWN);
1842 1842 }
1843 1843
1844 1844 if (ext->sadb_ext_type == SADB_X_EXT_ADDRESS_INNER_SRC ||
1845 1845 ext->sadb_ext_type == SADB_X_EXT_ADDRESS_INNER_DST) {
1846 1846 /*
1847 1847 * We need only check for prefix issues.
1848 1848 */
1849 1849
1850 1850 /* Set diagnostic now, in case we need it later. */
1851 1851 diagnostic =
1852 1852 (ext->sadb_ext_type == SADB_X_EXT_ADDRESS_INNER_SRC) ?
1853 1853 SADB_X_DIAGNOSTIC_PREFIX_INNER_SRC :
1854 1854 SADB_X_DIAGNOSTIC_PREFIX_INNER_DST;
1855 1855
1856 1856 if (normalized)
1857 1857 addr->sadb_address_prefixlen -= 96;
1858 1858
1859 1859 /*
1860 1860 * Verify and mask out inner-addresses based on prefix length.
1861 1861 */
1862 1862 if (sin->sin_family == AF_INET) {
1863 1863 if (addr->sadb_address_prefixlen > 32)
1864 1864 goto bail;
1865 1865 sin->sin_addr.s_addr &=
1866 1866 ip_plen_to_mask(addr->sadb_address_prefixlen);
1867 1867 } else {
1868 1868 in6_addr_t mask;
1869 1869
1870 1870 ASSERT(sin->sin_family == AF_INET6);
1871 1871 /*
1872 1872 * ip_plen_to_mask_v6() returns NULL if the value in
1873 1873 * question is out of range.
1874 1874 */
1875 1875 if (ip_plen_to_mask_v6(addr->sadb_address_prefixlen,
1876 1876 &mask) == NULL)
1877 1877 goto bail;
1878 1878 sin6->sin6_addr.s6_addr32[0] &= mask.s6_addr32[0];
1879 1879 sin6->sin6_addr.s6_addr32[1] &= mask.s6_addr32[1];
1880 1880 sin6->sin6_addr.s6_addr32[2] &= mask.s6_addr32[2];
1881 1881 sin6->sin6_addr.s6_addr32[3] &= mask.s6_addr32[3];
1882 1882 }
1883 1883
1884 1884 /* We don't care in these cases. */
1885 1885 return (KS_IN_ADDR_DONTCARE);
1886 1886 }
1887 1887
1888 1888 if (sin->sin_family == AF_INET6) {
1889 1889 /* Check the easy ones now. */
1890 1890 if (IN6_IS_ADDR_MULTICAST(&sin6->sin6_addr))
1891 1891 return (KS_IN_ADDR_MBCAST);
1892 1892 if (IN6_IS_ADDR_UNSPECIFIED(&sin6->sin6_addr))
1893 1893 return (KS_IN_ADDR_UNSPEC);
1894 1894 /*
1895 1895 * At this point, we're a unicast IPv6 address.
1896 1896 *
1897 1897 * XXX Zones alert -> me/notme decision needs to be tempered
1898 1898 * by what zone we're in when we go to zone-aware IPsec.
1899 1899 */
1900 1900 if (ip_type_v6(&sin6->sin6_addr, ns->netstack_ip) ==
1901 1901 IRE_LOCAL) {
1902 1902 /* Hey hey, it's local. */
1903 1903 return (KS_IN_ADDR_ME);
1904 1904 }
1905 1905 } else {
1906 1906 ASSERT(sin->sin_family == AF_INET);
1907 1907 if (sin->sin_addr.s_addr == INADDR_ANY)
1908 1908 return (KS_IN_ADDR_UNSPEC);
1909 1909 if (CLASSD(sin->sin_addr.s_addr))
1910 1910 return (KS_IN_ADDR_MBCAST);
1911 1911 /*
1912 1912 * At this point we're a unicast or broadcast IPv4 address.
1913 1913 *
1914 1914 * Check if the address is IRE_BROADCAST or IRE_LOCAL.
1915 1915 *
1916 1916 * XXX Zones alert -> me/notme decision needs to be tempered
1917 1917 * by what zone we're in when we go to zone-aware IPsec.
1918 1918 */
1919 1919 type = ip_type_v4(sin->sin_addr.s_addr, ns->netstack_ip);
1920 1920 switch (type) {
1921 1921 case IRE_LOCAL:
1922 1922 return (KS_IN_ADDR_ME);
1923 1923 case IRE_BROADCAST:
1924 1924 return (KS_IN_ADDR_MBCAST);
1925 1925 }
1926 1926 }
1927 1927
1928 1928 return (KS_IN_ADDR_NOTME);
1929 1929 }
1930 1930
1931 1931 /*
1932 1932 * Address normalizations and reality checks for inbound PF_KEY messages.
1933 1933 *
1934 1934 * For the case of src == unspecified AF_INET6, and dst == AF_INET, convert
1935 1935 * the source to AF_INET. Do the same for the inner sources.
1936 1936 */
1937 1937 boolean_t
1938 1938 sadb_addrfix(keysock_in_t *ksi, queue_t *pfkey_q, mblk_t *mp, netstack_t *ns)
1939 1939 {
1940 1940 struct sockaddr_in *src, *isrc;
1941 1941 struct sockaddr_in6 *dst, *idst;
1942 1942 sadb_address_t *srcext, *dstext;
1943 1943 uint16_t sport;
1944 1944 sadb_ext_t **extv = ksi->ks_in_extv;
1945 1945 int rc;
1946 1946
1947 1947 if (extv[SADB_EXT_ADDRESS_SRC] != NULL) {
1948 1948 rc = sadb_addrcheck(pfkey_q, mp, extv[SADB_EXT_ADDRESS_SRC],
1949 1949 ksi->ks_in_serial, ns);
1950 1950 if (rc == KS_IN_ADDR_UNKNOWN)
1951 1951 return (B_FALSE);
1952 1952 if (rc == KS_IN_ADDR_MBCAST) {
1953 1953 sadb_pfkey_error(pfkey_q, mp, EINVAL,
1954 1954 SADB_X_DIAGNOSTIC_BAD_SRC, ksi->ks_in_serial);
1955 1955 return (B_FALSE);
1956 1956 }
1957 1957 ksi->ks_in_srctype = rc;
1958 1958 }
1959 1959
1960 1960 if (extv[SADB_EXT_ADDRESS_DST] != NULL) {
1961 1961 rc = sadb_addrcheck(pfkey_q, mp, extv[SADB_EXT_ADDRESS_DST],
1962 1962 ksi->ks_in_serial, ns);
1963 1963 if (rc == KS_IN_ADDR_UNKNOWN)
1964 1964 return (B_FALSE);
1965 1965 if (rc == KS_IN_ADDR_UNSPEC) {
1966 1966 sadb_pfkey_error(pfkey_q, mp, EINVAL,
1967 1967 SADB_X_DIAGNOSTIC_BAD_DST, ksi->ks_in_serial);
1968 1968 return (B_FALSE);
1969 1969 }
1970 1970 ksi->ks_in_dsttype = rc;
1971 1971 }
1972 1972
1973 1973 /*
1974 1974 * NAT-Traversal addrs are simple enough to not require all of
1975 1975 * the checks in sadb_addrcheck(). Just normalize or reject if not
1976 1976 * AF_INET.
1977 1977 */
1978 1978 if (extv[SADB_X_EXT_ADDRESS_NATT_LOC] != NULL) {
1979 1979 rc = sadb_addrcheck(pfkey_q, mp,
1980 1980 extv[SADB_X_EXT_ADDRESS_NATT_LOC], ksi->ks_in_serial, ns);
1981 1981
1982 1982 /*
1983 1983 * Local NAT-T addresses never use an IRE_LOCAL, so it should
1984 1984 * always be NOTME, or UNSPEC (to handle both tunnel mode
1985 1985 * AND local-port flexibility).
1986 1986 */
1987 1987 if (rc != KS_IN_ADDR_NOTME && rc != KS_IN_ADDR_UNSPEC) {
1988 1988 sadb_pfkey_error(pfkey_q, mp, EINVAL,
1989 1989 SADB_X_DIAGNOSTIC_MALFORMED_NATT_LOC,
1990 1990 ksi->ks_in_serial);
1991 1991 return (B_FALSE);
1992 1992 }
1993 1993 src = (struct sockaddr_in *)
1994 1994 (((sadb_address_t *)extv[SADB_X_EXT_ADDRESS_NATT_LOC]) + 1);
1995 1995 if (src->sin_family != AF_INET) {
1996 1996 sadb_pfkey_error(pfkey_q, mp, EINVAL,
1997 1997 SADB_X_DIAGNOSTIC_BAD_NATT_LOC_AF,
1998 1998 ksi->ks_in_serial);
1999 1999 return (B_FALSE);
2000 2000 }
2001 2001 }
2002 2002
2003 2003 if (extv[SADB_X_EXT_ADDRESS_NATT_REM] != NULL) {
2004 2004 rc = sadb_addrcheck(pfkey_q, mp,
2005 2005 extv[SADB_X_EXT_ADDRESS_NATT_REM], ksi->ks_in_serial, ns);
2006 2006
2007 2007 /*
2008 2008 * Remote NAT-T addresses never use an IRE_LOCAL, so it should
2009 2009 * always be NOTME, or UNSPEC if it's a tunnel-mode SA.
2010 2010 */
2011 2011 if (rc != KS_IN_ADDR_NOTME &&
2012 2012 !(extv[SADB_X_EXT_ADDRESS_INNER_SRC] != NULL &&
2013 2013 rc == KS_IN_ADDR_UNSPEC)) {
2014 2014 sadb_pfkey_error(pfkey_q, mp, EINVAL,
2015 2015 SADB_X_DIAGNOSTIC_MALFORMED_NATT_REM,
2016 2016 ksi->ks_in_serial);
2017 2017 return (B_FALSE);
2018 2018 }
2019 2019 src = (struct sockaddr_in *)
2020 2020 (((sadb_address_t *)extv[SADB_X_EXT_ADDRESS_NATT_REM]) + 1);
2021 2021 if (src->sin_family != AF_INET) {
2022 2022 sadb_pfkey_error(pfkey_q, mp, EINVAL,
2023 2023 SADB_X_DIAGNOSTIC_BAD_NATT_REM_AF,
2024 2024 ksi->ks_in_serial);
2025 2025 return (B_FALSE);
2026 2026 }
2027 2027 }
2028 2028
2029 2029 if (extv[SADB_X_EXT_ADDRESS_INNER_SRC] != NULL) {
2030 2030 if (extv[SADB_X_EXT_ADDRESS_INNER_DST] == NULL) {
2031 2031 sadb_pfkey_error(pfkey_q, mp, EINVAL,
2032 2032 SADB_X_DIAGNOSTIC_MISSING_INNER_DST,
2033 2033 ksi->ks_in_serial);
2034 2034 return (B_FALSE);
2035 2035 }
2036 2036
2037 2037 if (sadb_addrcheck(pfkey_q, mp,
2038 2038 extv[SADB_X_EXT_ADDRESS_INNER_DST], ksi->ks_in_serial, ns)
2039 2039 == KS_IN_ADDR_UNKNOWN ||
2040 2040 sadb_addrcheck(pfkey_q, mp,
2041 2041 extv[SADB_X_EXT_ADDRESS_INNER_SRC], ksi->ks_in_serial, ns)
2042 2042 == KS_IN_ADDR_UNKNOWN)
2043 2043 return (B_FALSE);
2044 2044
2045 2045 isrc = (struct sockaddr_in *)
2046 2046 (((sadb_address_t *)extv[SADB_X_EXT_ADDRESS_INNER_SRC]) +
2047 2047 1);
2048 2048 idst = (struct sockaddr_in6 *)
2049 2049 (((sadb_address_t *)extv[SADB_X_EXT_ADDRESS_INNER_DST]) +
2050 2050 1);
2051 2051 if (isrc->sin_family != idst->sin6_family) {
2052 2052 sadb_pfkey_error(pfkey_q, mp, EINVAL,
2053 2053 SADB_X_DIAGNOSTIC_INNER_AF_MISMATCH,
2054 2054 ksi->ks_in_serial);
2055 2055 return (B_FALSE);
2056 2056 }
2057 2057 } else if (extv[SADB_X_EXT_ADDRESS_INNER_DST] != NULL) {
2058 2058 sadb_pfkey_error(pfkey_q, mp, EINVAL,
2059 2059 SADB_X_DIAGNOSTIC_MISSING_INNER_SRC,
2060 2060 ksi->ks_in_serial);
2061 2061 return (B_FALSE);
2062 2062 } else {
2063 2063 isrc = NULL; /* For inner/outer port check below. */
2064 2064 }
2065 2065
2066 2066 dstext = (sadb_address_t *)extv[SADB_EXT_ADDRESS_DST];
2067 2067 srcext = (sadb_address_t *)extv[SADB_EXT_ADDRESS_SRC];
2068 2068
2069 2069 if (dstext == NULL || srcext == NULL)
2070 2070 return (B_TRUE);
2071 2071
2072 2072 dst = (struct sockaddr_in6 *)(dstext + 1);
2073 2073 src = (struct sockaddr_in *)(srcext + 1);
2074 2074
2075 2075 if (isrc != NULL &&
2076 2076 (isrc->sin_port != 0 || idst->sin6_port != 0) &&
2077 2077 (src->sin_port != 0 || dst->sin6_port != 0)) {
2078 2078 /* Can't set inner and outer ports in one SA. */
2079 2079 sadb_pfkey_error(pfkey_q, mp, EINVAL,
2080 2080 SADB_X_DIAGNOSTIC_DUAL_PORT_SETS,
2081 2081 ksi->ks_in_serial);
2082 2082 return (B_FALSE);
2083 2083 }
2084 2084
2085 2085 if (dst->sin6_family == src->sin_family)
2086 2086 return (B_TRUE);
2087 2087
2088 2088 if (srcext->sadb_address_proto != dstext->sadb_address_proto) {
2089 2089 if (srcext->sadb_address_proto == 0) {
2090 2090 srcext->sadb_address_proto = dstext->sadb_address_proto;
2091 2091 } else if (dstext->sadb_address_proto == 0) {
2092 2092 dstext->sadb_address_proto = srcext->sadb_address_proto;
2093 2093 } else {
2094 2094 /* Inequal protocols, neither were 0. Report error. */
2095 2095 sadb_pfkey_error(pfkey_q, mp, EINVAL,
2096 2096 SADB_X_DIAGNOSTIC_PROTO_MISMATCH,
2097 2097 ksi->ks_in_serial);
2098 2098 return (B_FALSE);
2099 2099 }
2100 2100 }
2101 2101
2102 2102 /*
2103 2103 * With the exception of an unspec IPv6 source and an IPv4
2104 2104 * destination, address families MUST me matched.
2105 2105 */
2106 2106 if (src->sin_family == AF_INET ||
2107 2107 ksi->ks_in_srctype != KS_IN_ADDR_UNSPEC) {
2108 2108 sadb_pfkey_error(pfkey_q, mp, EINVAL,
2109 2109 SADB_X_DIAGNOSTIC_AF_MISMATCH, ksi->ks_in_serial);
2110 2110 return (B_FALSE);
2111 2111 }
2112 2112
2113 2113 /*
2114 2114 * Convert "src" to AF_INET INADDR_ANY. We rely on sin_port being
2115 2115 * in the same place for sockaddr_in and sockaddr_in6.
2116 2116 */
2117 2117 sport = src->sin_port;
2118 2118 bzero(src, sizeof (*src));
2119 2119 src->sin_family = AF_INET;
2120 2120 src->sin_port = sport;
2121 2121
2122 2122 return (B_TRUE);
2123 2123 }
2124 2124
2125 2125 /*
2126 2126 * Set the results in "addrtype", given an IRE as requested by
2127 2127 * sadb_addrcheck().
2128 2128 */
2129 2129 int
2130 2130 sadb_addrset(ire_t *ire)
2131 2131 {
2132 2132 if ((ire->ire_type & IRE_BROADCAST) ||
2133 2133 (ire->ire_ipversion == IPV4_VERSION && CLASSD(ire->ire_addr)) ||
2134 2134 (ire->ire_ipversion == IPV6_VERSION &&
2135 2135 IN6_IS_ADDR_MULTICAST(&(ire->ire_addr_v6))))
2136 2136 return (KS_IN_ADDR_MBCAST);
2137 2137 if (ire->ire_type & (IRE_LOCAL | IRE_LOOPBACK))
2138 2138 return (KS_IN_ADDR_ME);
2139 2139 return (KS_IN_ADDR_NOTME);
2140 2140 }
2141 2141
2142 2142 /*
2143 2143 * Match primitives..
2144 2144 * !!! TODO: short term: inner selectors
2145 2145 * ipv6 scope id (ifindex)
2146 2146 * longer term: zone id. sensitivity label. uid.
2147 2147 */
2148 2148 boolean_t
2149 2149 sadb_match_spi(ipsa_query_t *sq, ipsa_t *sa)
2150 2150 {
2151 2151 return (sq->spi == sa->ipsa_spi);
2152 2152 }
2153 2153
2154 2154 boolean_t
2155 2155 sadb_match_dst_v6(ipsa_query_t *sq, ipsa_t *sa)
2156 2156 {
2157 2157 return (IPSA_ARE_ADDR_EQUAL(sa->ipsa_dstaddr, sq->dstaddr, AF_INET6));
2158 2158 }
2159 2159
2160 2160 boolean_t
2161 2161 sadb_match_src_v6(ipsa_query_t *sq, ipsa_t *sa)
2162 2162 {
2163 2163 return (IPSA_ARE_ADDR_EQUAL(sa->ipsa_srcaddr, sq->srcaddr, AF_INET6));
2164 2164 }
2165 2165
2166 2166 boolean_t
2167 2167 sadb_match_dst_v4(ipsa_query_t *sq, ipsa_t *sa)
2168 2168 {
2169 2169 return (sq->dstaddr[0] == sa->ipsa_dstaddr[0]);
2170 2170 }
2171 2171
2172 2172 boolean_t
2173 2173 sadb_match_src_v4(ipsa_query_t *sq, ipsa_t *sa)
2174 2174 {
2175 2175 return (sq->srcaddr[0] == sa->ipsa_srcaddr[0]);
2176 2176 }
2177 2177
2178 2178 boolean_t
2179 2179 sadb_match_dstid(ipsa_query_t *sq, ipsa_t *sa)
2180 2180 {
2181 2181 return ((sa->ipsa_dst_cid != NULL) &&
2182 2182 (sq->didtype == sa->ipsa_dst_cid->ipsid_type) &&
2183 2183 (strcmp(sq->didstr, sa->ipsa_dst_cid->ipsid_cid) == 0));
2184 2184
2185 2185 }
2186 2186 boolean_t
2187 2187 sadb_match_srcid(ipsa_query_t *sq, ipsa_t *sa)
2188 2188 {
2189 2189 return ((sa->ipsa_src_cid != NULL) &&
2190 2190 (sq->sidtype == sa->ipsa_src_cid->ipsid_type) &&
2191 2191 (strcmp(sq->sidstr, sa->ipsa_src_cid->ipsid_cid) == 0));
2192 2192 }
2193 2193
2194 2194 boolean_t
2195 2195 sadb_match_kmc(ipsa_query_t *sq, ipsa_t *sa)
2196 2196 {
2197 2197 #define M(a, b) (((a) == 0) || ((b) == 0) || ((a) == (b)))
2198 2198
2199 2199 return (M(sq->kmc, sa->ipsa_kmc) && M(sq->kmp, sa->ipsa_kmp));
2200 2200
2201 2201 #undef M
2202 2202 }
2203 2203
2204 2204 /*
2205 2205 * Common function which extracts several PF_KEY extensions for ease of
2206 2206 * SADB matching.
2207 2207 *
2208 2208 * XXX TODO: weed out ipsa_query_t fields not used during matching
2209 2209 * or afterwards?
2210 2210 */
2211 2211 int
2212 2212 sadb_form_query(keysock_in_t *ksi, uint32_t req, uint32_t match,
2213 2213 ipsa_query_t *sq, int *diagnostic)
2214 2214 {
2215 2215 int i;
2216 2216 ipsa_match_fn_t *mfpp = &(sq->matchers[0]);
2217 2217
2218 2218 for (i = 0; i < IPSA_NMATCH; i++)
2219 2219 sq->matchers[i] = NULL;
2220 2220
2221 2221 ASSERT((req & ~match) == 0);
2222 2222
2223 2223 sq->req = req;
2224 2224 sq->dstext = (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_DST];
2225 2225 sq->srcext = (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_SRC];
2226 2226 sq->assoc = (sadb_sa_t *)ksi->ks_in_extv[SADB_EXT_SA];
2227 2227
2228 2228 if ((req & IPSA_Q_DST) && (sq->dstext == NULL)) {
2229 2229 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_DST;
2230 2230 return (EINVAL);
2231 2231 }
2232 2232 if ((req & IPSA_Q_SRC) && (sq->srcext == NULL)) {
2233 2233 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_SRC;
2234 2234 return (EINVAL);
2235 2235 }
2236 2236 if ((req & IPSA_Q_SA) && (sq->assoc == NULL)) {
2237 2237 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_SA;
2238 2238 return (EINVAL);
2239 2239 }
2240 2240
2241 2241 if (match & IPSA_Q_SA) {
2242 2242 *mfpp++ = sadb_match_spi;
2243 2243 sq->spi = sq->assoc->sadb_sa_spi;
2244 2244 }
2245 2245
2246 2246 if (sq->dstext != NULL)
2247 2247 sq->dst = (struct sockaddr_in *)(sq->dstext + 1);
2248 2248 else {
2249 2249 sq->dst = NULL;
2250 2250 sq->dst6 = NULL;
2251 2251 sq->dstaddr = NULL;
2252 2252 }
2253 2253
2254 2254 if (sq->srcext != NULL)
2255 2255 sq->src = (struct sockaddr_in *)(sq->srcext + 1);
2256 2256 else {
2257 2257 sq->src = NULL;
2258 2258 sq->src6 = NULL;
2259 2259 sq->srcaddr = NULL;
2260 2260 }
2261 2261
2262 2262 if (sq->dst != NULL)
2263 2263 sq->af = sq->dst->sin_family;
2264 2264 else if (sq->src != NULL)
2265 2265 sq->af = sq->src->sin_family;
2266 2266 else
2267 2267 sq->af = AF_INET;
2268 2268
2269 2269 if (sq->af == AF_INET6) {
2270 2270 if ((match & IPSA_Q_DST) && (sq->dstext != NULL)) {
2271 2271 *mfpp++ = sadb_match_dst_v6;
2272 2272 sq->dst6 = (struct sockaddr_in6 *)sq->dst;
2273 2273 sq->dstaddr = (uint32_t *)&(sq->dst6->sin6_addr);
2274 2274 } else {
2275 2275 match &= ~IPSA_Q_DST;
2276 2276 sq->dstaddr = ALL_ZEROES_PTR;
2277 2277 }
2278 2278
2279 2279 if ((match & IPSA_Q_SRC) && (sq->srcext != NULL)) {
2280 2280 sq->src6 = (struct sockaddr_in6 *)(sq->srcext + 1);
2281 2281 sq->srcaddr = (uint32_t *)&sq->src6->sin6_addr;
2282 2282 if (sq->src6->sin6_family != AF_INET6) {
2283 2283 *diagnostic = SADB_X_DIAGNOSTIC_AF_MISMATCH;
2284 2284 return (EINVAL);
2285 2285 }
2286 2286 *mfpp++ = sadb_match_src_v6;
2287 2287 } else {
2288 2288 match &= ~IPSA_Q_SRC;
2289 2289 sq->srcaddr = ALL_ZEROES_PTR;
2290 2290 }
2291 2291 } else {
2292 2292 sq->src6 = sq->dst6 = NULL;
2293 2293 if ((match & IPSA_Q_DST) && (sq->dstext != NULL)) {
2294 2294 *mfpp++ = sadb_match_dst_v4;
2295 2295 sq->dstaddr = (uint32_t *)&sq->dst->sin_addr;
2296 2296 } else {
2297 2297 match &= ~IPSA_Q_DST;
2298 2298 sq->dstaddr = ALL_ZEROES_PTR;
2299 2299 }
2300 2300 if ((match & IPSA_Q_SRC) && (sq->srcext != NULL)) {
2301 2301 sq->srcaddr = (uint32_t *)&sq->src->sin_addr;
2302 2302 if (sq->src->sin_family != AF_INET) {
2303 2303 *diagnostic = SADB_X_DIAGNOSTIC_AF_MISMATCH;
2304 2304 return (EINVAL);
2305 2305 }
2306 2306 *mfpp++ = sadb_match_src_v4;
2307 2307 } else {
2308 2308 match &= ~IPSA_Q_SRC;
2309 2309 sq->srcaddr = ALL_ZEROES_PTR;
2310 2310 }
2311 2311 }
2312 2312
2313 2313 sq->dstid = (sadb_ident_t *)ksi->ks_in_extv[SADB_EXT_IDENTITY_DST];
2314 2314 if ((match & IPSA_Q_DSTID) && (sq->dstid != NULL)) {
2315 2315 sq->didstr = (char *)(sq->dstid + 1);
2316 2316 sq->didtype = sq->dstid->sadb_ident_type;
2317 2317 *mfpp++ = sadb_match_dstid;
2318 2318 }
2319 2319
2320 2320 sq->srcid = (sadb_ident_t *)ksi->ks_in_extv[SADB_EXT_IDENTITY_SRC];
2321 2321
2322 2322 if ((match & IPSA_Q_SRCID) && (sq->srcid != NULL)) {
2323 2323 sq->sidstr = (char *)(sq->srcid + 1);
2324 2324 sq->sidtype = sq->srcid->sadb_ident_type;
2325 2325 *mfpp++ = sadb_match_srcid;
2326 2326 }
2327 2327
2328 2328 sq->kmcext = (sadb_x_kmc_t *)ksi->ks_in_extv[SADB_X_EXT_KM_COOKIE];
2329 2329 sq->kmc = 0;
2330 2330 sq->kmp = 0;
2331 2331
2332 2332 if ((match & IPSA_Q_KMC) && (sq->kmcext)) {
2333 2333 sq->kmc = sq->kmcext->sadb_x_kmc_cookie;
2334 2334 sq->kmp = sq->kmcext->sadb_x_kmc_proto;
2335 2335 *mfpp++ = sadb_match_kmc;
2336 2336 }
2337 2337
2338 2338 if (match & (IPSA_Q_INBOUND|IPSA_Q_OUTBOUND)) {
2339 2339 if (sq->af == AF_INET6)
2340 2340 sq->sp = &sq->spp->s_v6;
2341 2341 else
2342 2342 sq->sp = &sq->spp->s_v4;
2343 2343 } else {
2344 2344 sq->sp = NULL;
2345 2345 }
2346 2346
2347 2347 if (match & IPSA_Q_INBOUND) {
2348 2348 sq->inhash = INBOUND_HASH(sq->sp, sq->assoc->sadb_sa_spi);
2349 2349 sq->inbound = &sq->sp->sdb_if[sq->inhash];
2350 2350 } else {
2351 2351 sq->inhash = 0;
2352 2352 sq->inbound = NULL;
2353 2353 }
2354 2354
2355 2355 if (match & IPSA_Q_OUTBOUND) {
2356 2356 if (sq->af == AF_INET6) {
2357 2357 sq->outhash = OUTBOUND_HASH_V6(sq->sp, *(sq->dstaddr));
2358 2358 } else {
2359 2359 sq->outhash = OUTBOUND_HASH_V4(sq->sp, *(sq->dstaddr));
2360 2360 }
2361 2361 sq->outbound = &sq->sp->sdb_of[sq->outhash];
2362 2362 } else {
2363 2363 sq->outhash = 0;
2364 2364 sq->outbound = NULL;
2365 2365 }
2366 2366 sq->match = match;
2367 2367 return (0);
2368 2368 }
2369 2369
2370 2370 /*
2371 2371 * Match an initialized query structure with a security association;
2372 2372 * return B_TRUE on a match, B_FALSE on a miss.
2373 2373 * Applies match functions set up by sadb_form_query() until one returns false.
2374 2374 */
2375 2375 boolean_t
2376 2376 sadb_match_query(ipsa_query_t *sq, ipsa_t *sa)
2377 2377 {
2378 2378 ipsa_match_fn_t *mfpp = &(sq->matchers[0]);
2379 2379 ipsa_match_fn_t mfp;
2380 2380
2381 2381 for (mfp = *mfpp++; mfp != NULL; mfp = *mfpp++) {
2382 2382 if (!mfp(sq, sa))
2383 2383 return (B_FALSE);
2384 2384 }
2385 2385 return (B_TRUE);
2386 2386 }
2387 2387
2388 2388 /*
2389 2389 * Walker callback function to delete sa's based on src/dst address.
2390 2390 * Assumes that we're called with *head locked, no other locks held;
2391 2391 * Conveniently, and not coincidentally, this is both what sadb_walker
2392 2392 * gives us and also what sadb_unlinkassoc expects.
2393 2393 */
2394 2394 struct sadb_purge_state
2395 2395 {
2396 2396 ipsa_query_t sq;
2397 2397 boolean_t inbnd;
2398 2398 uint8_t sadb_sa_state;
2399 2399 };
2400 2400
2401 2401 static void
2402 2402 sadb_purge_cb(isaf_t *head, ipsa_t *entry, void *cookie)
2403 2403 {
2404 2404 struct sadb_purge_state *ps = (struct sadb_purge_state *)cookie;
2405 2405
2406 2406 ASSERT(MUTEX_HELD(&head->isaf_lock));
2407 2407
2408 2408 mutex_enter(&entry->ipsa_lock);
2409 2409
2410 2410 if (entry->ipsa_state == IPSA_STATE_LARVAL ||
2411 2411 !sadb_match_query(&ps->sq, entry)) {
2412 2412 mutex_exit(&entry->ipsa_lock);
2413 2413 return;
2414 2414 }
2415 2415
2416 2416 if (ps->inbnd) {
2417 2417 sadb_delete_cluster(entry);
2418 2418 }
2419 2419 entry->ipsa_state = IPSA_STATE_DEAD;
2420 2420 (void) sadb_torch_assoc(head, entry);
2421 2421 }
2422 2422
2423 2423 /*
2424 2424 * Common code to purge an SA with a matching src or dst address.
2425 2425 * Don't kill larval SA's in such a purge.
2426 2426 */
2427 2427 int
2428 2428 sadb_purge_sa(mblk_t *mp, keysock_in_t *ksi, sadb_t *sp,
2429 2429 int *diagnostic, queue_t *pfkey_q)
2430 2430 {
2431 2431 struct sadb_purge_state ps;
2432 2432 int error = sadb_form_query(ksi, 0,
2433 2433 IPSA_Q_SRC|IPSA_Q_DST|IPSA_Q_SRCID|IPSA_Q_DSTID|IPSA_Q_KMC,
2434 2434 &ps.sq, diagnostic);
2435 2435
2436 2436 if (error != 0)
2437 2437 return (error);
2438 2438
2439 2439 /*
2440 2440 * This is simple, crude, and effective.
2441 2441 * Unimplemented optimizations (TBD):
2442 2442 * - we can limit how many places we search based on where we
2443 2443 * think the SA is filed.
2444 2444 * - if we get a dst address, we can hash based on dst addr to find
2445 2445 * the correct bucket in the outbound table.
2446 2446 */
2447 2447 ps.inbnd = B_TRUE;
2448 2448 sadb_walker(sp->sdb_if, sp->sdb_hashsize, sadb_purge_cb, &ps);
2449 2449 ps.inbnd = B_FALSE;
2450 2450 sadb_walker(sp->sdb_of, sp->sdb_hashsize, sadb_purge_cb, &ps);
2451 2451
2452 2452 ASSERT(mp->b_cont != NULL);
2453 2453 sadb_pfkey_echo(pfkey_q, mp, (sadb_msg_t *)mp->b_cont->b_rptr, ksi,
2454 2454 NULL);
2455 2455 return (0);
2456 2456 }
2457 2457
2458 2458 static void
2459 2459 sadb_delpair_state_one(isaf_t *head, ipsa_t *entry, void *cookie)
2460 2460 {
2461 2461 struct sadb_purge_state *ps = (struct sadb_purge_state *)cookie;
2462 2462 isaf_t *inbound_bucket;
2463 2463 ipsa_t *peer_assoc;
2464 2464 ipsa_query_t *sq = &ps->sq;
2465 2465
2466 2466 ASSERT(MUTEX_HELD(&head->isaf_lock));
2467 2467
2468 2468 mutex_enter(&entry->ipsa_lock);
2469 2469
2470 2470 if ((entry->ipsa_state != ps->sadb_sa_state) ||
2471 2471 ((sq->srcaddr != NULL) &&
2472 2472 !IPSA_ARE_ADDR_EQUAL(entry->ipsa_srcaddr, sq->srcaddr, sq->af))) {
2473 2473 mutex_exit(&entry->ipsa_lock);
2474 2474 return;
2475 2475 }
2476 2476
2477 2477 /*
2478 2478 * The isaf_t *, which is passed in , is always an outbound bucket,
2479 2479 * and we are preserving the outbound-then-inbound hash-bucket lock
2480 2480 * ordering. The sadb_walker() which triggers this function is called
2481 2481 * only on the outbound fanout, and the corresponding inbound bucket
2482 2482 * lock is safe to acquire here.
2483 2483 */
2484 2484
2485 2485 if (entry->ipsa_haspeer) {
2486 2486 inbound_bucket = INBOUND_BUCKET(sq->sp, entry->ipsa_spi);
2487 2487 mutex_enter(&inbound_bucket->isaf_lock);
2488 2488 peer_assoc = ipsec_getassocbyspi(inbound_bucket,
2489 2489 entry->ipsa_spi, entry->ipsa_srcaddr,
2490 2490 entry->ipsa_dstaddr, entry->ipsa_addrfam);
2491 2491 } else {
2492 2492 inbound_bucket = INBOUND_BUCKET(sq->sp, entry->ipsa_otherspi);
2493 2493 mutex_enter(&inbound_bucket->isaf_lock);
2494 2494 peer_assoc = ipsec_getassocbyspi(inbound_bucket,
2495 2495 entry->ipsa_otherspi, entry->ipsa_dstaddr,
2496 2496 entry->ipsa_srcaddr, entry->ipsa_addrfam);
2497 2497 }
2498 2498
2499 2499 entry->ipsa_state = IPSA_STATE_DEAD;
2500 2500 (void) sadb_torch_assoc(head, entry);
2501 2501 if (peer_assoc != NULL) {
2502 2502 mutex_enter(&peer_assoc->ipsa_lock);
2503 2503 peer_assoc->ipsa_state = IPSA_STATE_DEAD;
2504 2504 (void) sadb_torch_assoc(inbound_bucket, peer_assoc);
2505 2505 }
2506 2506 mutex_exit(&inbound_bucket->isaf_lock);
2507 2507 }
2508 2508
2509 2509 static int
2510 2510 sadb_delpair_state(mblk_t *mp, keysock_in_t *ksi, sadbp_t *spp,
2511 2511 int *diagnostic, queue_t *pfkey_q)
2512 2512 {
2513 2513 sadb_sa_t *assoc = (sadb_sa_t *)ksi->ks_in_extv[SADB_EXT_SA];
2514 2514 struct sadb_purge_state ps;
2515 2515 int error;
2516 2516
2517 2517 ps.sq.spp = spp; /* XXX param */
2518 2518
2519 2519 error = sadb_form_query(ksi, IPSA_Q_DST|IPSA_Q_SRC,
2520 2520 IPSA_Q_SRC|IPSA_Q_DST|IPSA_Q_SRCID|IPSA_Q_DSTID|IPSA_Q_KMC,
2521 2521 &ps.sq, diagnostic);
2522 2522 if (error != 0)
2523 2523 return (error);
2524 2524
2525 2525 ps.inbnd = B_FALSE;
2526 2526 ps.sadb_sa_state = assoc->sadb_sa_state;
2527 2527 sadb_walker(ps.sq.sp->sdb_of, ps.sq.sp->sdb_hashsize,
2528 2528 sadb_delpair_state_one, &ps);
2529 2529
2530 2530 ASSERT(mp->b_cont != NULL);
2531 2531 sadb_pfkey_echo(pfkey_q, mp, (sadb_msg_t *)mp->b_cont->b_rptr,
2532 2532 ksi, NULL);
2533 2533 return (0);
2534 2534 }
2535 2535
2536 2536 /*
2537 2537 * Common code to delete/get an SA.
2538 2538 */
2539 2539 int
2540 2540 sadb_delget_sa(mblk_t *mp, keysock_in_t *ksi, sadbp_t *spp,
2541 2541 int *diagnostic, queue_t *pfkey_q, uint8_t sadb_msg_type)
2542 2542 {
2543 2543 ipsa_query_t sq;
2544 2544 ipsa_t *echo_target = NULL;
2545 2545 ipsap_t ipsapp;
2546 2546 uint_t error = 0;
2547 2547
2548 2548 if (sadb_msg_type == SADB_X_DELPAIR_STATE)
2549 2549 return (sadb_delpair_state(mp, ksi, spp, diagnostic, pfkey_q));
2550 2550
2551 2551 sq.spp = spp; /* XXX param */
2552 2552 error = sadb_form_query(ksi, IPSA_Q_DST|IPSA_Q_SA,
2553 2553 IPSA_Q_SRC|IPSA_Q_DST|IPSA_Q_SA|IPSA_Q_INBOUND|IPSA_Q_OUTBOUND,
2554 2554 &sq, diagnostic);
2555 2555 if (error != 0)
2556 2556 return (error);
2557 2557
2558 2558 error = get_ipsa_pair(&sq, &ipsapp, diagnostic);
2559 2559 if (error != 0) {
2560 2560 return (error);
2561 2561 }
2562 2562
2563 2563 echo_target = ipsapp.ipsap_sa_ptr;
2564 2564 if (echo_target == NULL)
2565 2565 echo_target = ipsapp.ipsap_psa_ptr;
2566 2566
2567 2567 if (sadb_msg_type == SADB_DELETE || sadb_msg_type == SADB_X_DELPAIR) {
2568 2568 /*
2569 2569 * Bucket locks will be required if SA is actually unlinked.
2570 2570 * get_ipsa_pair() returns valid hash bucket pointers even
2571 2571 * if it can't find a pair SA pointer. To prevent a potential
2572 2572 * deadlock, always lock the outbound bucket before the inbound.
2573 2573 */
2574 2574 if (ipsapp.in_inbound_table) {
2575 2575 mutex_enter(&ipsapp.ipsap_pbucket->isaf_lock);
2576 2576 mutex_enter(&ipsapp.ipsap_bucket->isaf_lock);
2577 2577 } else {
2578 2578 mutex_enter(&ipsapp.ipsap_bucket->isaf_lock);
2579 2579 mutex_enter(&ipsapp.ipsap_pbucket->isaf_lock);
2580 2580 }
2581 2581
2582 2582 if (ipsapp.ipsap_sa_ptr != NULL) {
2583 2583 mutex_enter(&ipsapp.ipsap_sa_ptr->ipsa_lock);
2584 2584 if (ipsapp.ipsap_sa_ptr->ipsa_flags & IPSA_F_INBOUND) {
2585 2585 sadb_delete_cluster(ipsapp.ipsap_sa_ptr);
2586 2586 }
2587 2587 ipsapp.ipsap_sa_ptr->ipsa_state = IPSA_STATE_DEAD;
2588 2588 (void) sadb_torch_assoc(ipsapp.ipsap_bucket,
2589 2589 ipsapp.ipsap_sa_ptr);
2590 2590 /*
2591 2591 * sadb_torch_assoc() releases the ipsa_lock
2592 2592 * and calls sadb_unlinkassoc() which does a
2593 2593 * IPSA_REFRELE.
2594 2594 */
2595 2595 }
2596 2596 if (ipsapp.ipsap_psa_ptr != NULL) {
2597 2597 mutex_enter(&ipsapp.ipsap_psa_ptr->ipsa_lock);
2598 2598 if (sadb_msg_type == SADB_X_DELPAIR ||
2599 2599 ipsapp.ipsap_psa_ptr->ipsa_haspeer) {
2600 2600 if (ipsapp.ipsap_psa_ptr->ipsa_flags &
2601 2601 IPSA_F_INBOUND) {
2602 2602 sadb_delete_cluster
2603 2603 (ipsapp.ipsap_psa_ptr);
2604 2604 }
2605 2605 ipsapp.ipsap_psa_ptr->ipsa_state =
2606 2606 IPSA_STATE_DEAD;
2607 2607 (void) sadb_torch_assoc(ipsapp.ipsap_pbucket,
2608 2608 ipsapp.ipsap_psa_ptr);
2609 2609 } else {
2610 2610 /*
2611 2611 * Only half of the "pair" has been deleted.
2612 2612 * Update the remaining SA and remove references
2613 2613 * to its pair SA, which is now gone.
2614 2614 */
2615 2615 ipsapp.ipsap_psa_ptr->ipsa_otherspi = 0;
2616 2616 ipsapp.ipsap_psa_ptr->ipsa_flags &=
2617 2617 ~IPSA_F_PAIRED;
2618 2618 mutex_exit(&ipsapp.ipsap_psa_ptr->ipsa_lock);
2619 2619 }
2620 2620 } else if (sadb_msg_type == SADB_X_DELPAIR) {
2621 2621 *diagnostic = SADB_X_DIAGNOSTIC_PAIR_SA_NOTFOUND;
2622 2622 error = ESRCH;
2623 2623 }
2624 2624 mutex_exit(&ipsapp.ipsap_bucket->isaf_lock);
2625 2625 mutex_exit(&ipsapp.ipsap_pbucket->isaf_lock);
2626 2626 }
2627 2627
2628 2628 ASSERT(mp->b_cont != NULL);
2629 2629
2630 2630 if (error == 0)
2631 2631 sadb_pfkey_echo(pfkey_q, mp, (sadb_msg_t *)
2632 2632 mp->b_cont->b_rptr, ksi, echo_target);
2633 2633
2634 2634 destroy_ipsa_pair(&ipsapp);
2635 2635
2636 2636 return (error);
2637 2637 }
2638 2638
2639 2639 /*
2640 2640 * This function takes a sadb_sa_t and finds the ipsa_t structure
2641 2641 * and the isaf_t (hash bucket) that its stored under. If the security
2642 2642 * association has a peer, the ipsa_t structure and bucket for that security
2643 2643 * association are also searched for. The "pair" of ipsa_t's and isaf_t's
2644 2644 * are returned as a ipsap_t.
2645 2645 *
2646 2646 * The hash buckets are returned for convenience, if the calling function
2647 2647 * needs to use the hash bucket locks, say to remove the SA's, it should
2648 2648 * take care to observe the convention of locking outbound bucket then
2649 2649 * inbound bucket. The flag in_inbound_table provides direction.
2650 2650 *
2651 2651 * Note that a "pair" is defined as one (but not both) of the following:
2652 2652 *
2653 2653 * A security association which has a soft reference to another security
2654 2654 * association via its SPI.
2655 2655 *
2656 2656 * A security association that is not obviously "inbound" or "outbound" so
2657 2657 * it appears in both hash tables, the "peer" being the same security
2658 2658 * association in the other hash table.
2659 2659 *
2660 2660 * This function will return NULL if the ipsa_t can't be found in the
2661 2661 * inbound or outbound hash tables (not found). If only one ipsa_t is
2662 2662 * found, the pair ipsa_t will be NULL. Both isaf_t values are valid
2663 2663 * provided at least one ipsa_t is found.
2664 2664 */
2665 2665 static int
2666 2666 get_ipsa_pair(ipsa_query_t *sq, ipsap_t *ipsapp, int *diagnostic)
2667 2667 {
2668 2668 uint32_t pair_srcaddr[IPSA_MAX_ADDRLEN];
2669 2669 uint32_t pair_dstaddr[IPSA_MAX_ADDRLEN];
2670 2670 uint32_t pair_spi;
2671 2671
2672 2672 init_ipsa_pair(ipsapp);
2673 2673
2674 2674 ipsapp->in_inbound_table = B_FALSE;
2675 2675
2676 2676 /* Lock down both buckets. */
2677 2677 mutex_enter(&sq->outbound->isaf_lock);
2678 2678 mutex_enter(&sq->inbound->isaf_lock);
2679 2679
2680 2680 if (sq->assoc->sadb_sa_flags & IPSA_F_INBOUND) {
2681 2681 ipsapp->ipsap_sa_ptr = ipsec_getassocbyspi(sq->inbound,
2682 2682 sq->assoc->sadb_sa_spi, sq->srcaddr, sq->dstaddr, sq->af);
2683 2683 if (ipsapp->ipsap_sa_ptr != NULL) {
2684 2684 ipsapp->ipsap_bucket = sq->inbound;
2685 2685 ipsapp->ipsap_pbucket = sq->outbound;
2686 2686 ipsapp->in_inbound_table = B_TRUE;
2687 2687 } else {
2688 2688 ipsapp->ipsap_sa_ptr = ipsec_getassocbyspi(sq->outbound,
2689 2689 sq->assoc->sadb_sa_spi, sq->srcaddr, sq->dstaddr,
2690 2690 sq->af);
2691 2691 ipsapp->ipsap_bucket = sq->outbound;
2692 2692 ipsapp->ipsap_pbucket = sq->inbound;
2693 2693 }
2694 2694 } else {
2695 2695 /* IPSA_F_OUTBOUND is set *or* no directions flags set. */
2696 2696 ipsapp->ipsap_sa_ptr =
2697 2697 ipsec_getassocbyspi(sq->outbound,
2698 2698 sq->assoc->sadb_sa_spi, sq->srcaddr, sq->dstaddr, sq->af);
2699 2699 if (ipsapp->ipsap_sa_ptr != NULL) {
2700 2700 ipsapp->ipsap_bucket = sq->outbound;
2701 2701 ipsapp->ipsap_pbucket = sq->inbound;
2702 2702 } else {
2703 2703 ipsapp->ipsap_sa_ptr = ipsec_getassocbyspi(sq->inbound,
2704 2704 sq->assoc->sadb_sa_spi, sq->srcaddr, sq->dstaddr,
2705 2705 sq->af);
2706 2706 ipsapp->ipsap_bucket = sq->inbound;
2707 2707 ipsapp->ipsap_pbucket = sq->outbound;
2708 2708 if (ipsapp->ipsap_sa_ptr != NULL)
2709 2709 ipsapp->in_inbound_table = B_TRUE;
2710 2710 }
2711 2711 }
2712 2712
2713 2713 if (ipsapp->ipsap_sa_ptr == NULL) {
2714 2714 mutex_exit(&sq->outbound->isaf_lock);
2715 2715 mutex_exit(&sq->inbound->isaf_lock);
2716 2716 *diagnostic = SADB_X_DIAGNOSTIC_SA_NOTFOUND;
2717 2717 return (ESRCH);
2718 2718 }
2719 2719
2720 2720 if ((ipsapp->ipsap_sa_ptr->ipsa_state == IPSA_STATE_LARVAL) &&
2721 2721 ipsapp->in_inbound_table) {
2722 2722 mutex_exit(&sq->outbound->isaf_lock);
2723 2723 mutex_exit(&sq->inbound->isaf_lock);
2724 2724 return (0);
2725 2725 }
2726 2726
2727 2727 mutex_enter(&ipsapp->ipsap_sa_ptr->ipsa_lock);
2728 2728 if (ipsapp->ipsap_sa_ptr->ipsa_haspeer) {
2729 2729 /*
2730 2730 * haspeer implies no sa_pairing, look for same spi
2731 2731 * in other hashtable.
2732 2732 */
2733 2733 ipsapp->ipsap_psa_ptr =
2734 2734 ipsec_getassocbyspi(ipsapp->ipsap_pbucket,
2735 2735 sq->assoc->sadb_sa_spi, sq->srcaddr, sq->dstaddr, sq->af);
2736 2736 mutex_exit(&ipsapp->ipsap_sa_ptr->ipsa_lock);
2737 2737 mutex_exit(&sq->outbound->isaf_lock);
2738 2738 mutex_exit(&sq->inbound->isaf_lock);
2739 2739 return (0);
2740 2740 }
2741 2741 pair_spi = ipsapp->ipsap_sa_ptr->ipsa_otherspi;
2742 2742 IPSA_COPY_ADDR(&pair_srcaddr,
2743 2743 ipsapp->ipsap_sa_ptr->ipsa_srcaddr, sq->af);
2744 2744 IPSA_COPY_ADDR(&pair_dstaddr,
2745 2745 ipsapp->ipsap_sa_ptr->ipsa_dstaddr, sq->af);
2746 2746 mutex_exit(&ipsapp->ipsap_sa_ptr->ipsa_lock);
2747 2747 mutex_exit(&sq->inbound->isaf_lock);
2748 2748 mutex_exit(&sq->outbound->isaf_lock);
2749 2749
2750 2750 if (pair_spi == 0) {
2751 2751 ASSERT(ipsapp->ipsap_bucket != NULL);
2752 2752 ASSERT(ipsapp->ipsap_pbucket != NULL);
2753 2753 return (0);
2754 2754 }
2755 2755
2756 2756 /* found sa in outbound sadb, peer should be inbound */
2757 2757
2758 2758 if (ipsapp->in_inbound_table) {
2759 2759 /* Found SA in inbound table, pair will be in outbound. */
2760 2760 if (sq->af == AF_INET6) {
2761 2761 ipsapp->ipsap_pbucket = OUTBOUND_BUCKET_V6(sq->sp,
2762 2762 *(uint32_t *)pair_srcaddr);
2763 2763 } else {
2764 2764 ipsapp->ipsap_pbucket = OUTBOUND_BUCKET_V4(sq->sp,
2765 2765 *(uint32_t *)pair_srcaddr);
2766 2766 }
2767 2767 } else {
2768 2768 ipsapp->ipsap_pbucket = INBOUND_BUCKET(sq->sp, pair_spi);
2769 2769 }
2770 2770 mutex_enter(&ipsapp->ipsap_pbucket->isaf_lock);
2771 2771 ipsapp->ipsap_psa_ptr = ipsec_getassocbyspi(ipsapp->ipsap_pbucket,
2772 2772 pair_spi, pair_dstaddr, pair_srcaddr, sq->af);
2773 2773 mutex_exit(&ipsapp->ipsap_pbucket->isaf_lock);
2774 2774 ASSERT(ipsapp->ipsap_bucket != NULL);
2775 2775 ASSERT(ipsapp->ipsap_pbucket != NULL);
2776 2776 return (0);
2777 2777 }
2778 2778
2779 2779 /*
2780 2780 * Perform NAT-traversal cached checksum offset calculations here.
2781 2781 */
2782 2782 static void
2783 2783 sadb_nat_calculations(ipsa_t *newbie, sadb_address_t *natt_loc_ext,
2784 2784 sadb_address_t *natt_rem_ext, uint32_t *src_addr_ptr,
2785 2785 uint32_t *dst_addr_ptr)
2786 2786 {
2787 2787 struct sockaddr_in *natt_loc, *natt_rem;
2788 2788 uint32_t *natt_loc_ptr = NULL, *natt_rem_ptr = NULL;
2789 2789 uint32_t running_sum = 0;
2790 2790
2791 2791 #define DOWN_SUM(x) (x) = ((x) & 0xFFFF) + ((x) >> 16)
2792 2792
2793 2793 if (natt_rem_ext != NULL) {
2794 2794 uint32_t l_src;
2795 2795 uint32_t l_rem;
2796 2796
2797 2797 natt_rem = (struct sockaddr_in *)(natt_rem_ext + 1);
2798 2798
2799 2799 /* Ensured by sadb_addrfix(). */
2800 2800 ASSERT(natt_rem->sin_family == AF_INET);
2801 2801
2802 2802 natt_rem_ptr = (uint32_t *)(&natt_rem->sin_addr);
2803 2803 newbie->ipsa_remote_nat_port = natt_rem->sin_port;
2804 2804 l_src = *src_addr_ptr;
2805 2805 l_rem = *natt_rem_ptr;
2806 2806
2807 2807 /* Instead of IPSA_COPY_ADDR(), just copy first 32 bits. */
2808 2808 newbie->ipsa_natt_addr_rem = *natt_rem_ptr;
2809 2809
2810 2810 l_src = ntohl(l_src);
2811 2811 DOWN_SUM(l_src);
2812 2812 DOWN_SUM(l_src);
2813 2813 l_rem = ntohl(l_rem);
2814 2814 DOWN_SUM(l_rem);
2815 2815 DOWN_SUM(l_rem);
2816 2816
2817 2817 /*
2818 2818 * We're 1's complement for checksums, so check for wraparound
2819 2819 * here.
2820 2820 */
2821 2821 if (l_rem > l_src)
2822 2822 l_src--;
2823 2823
2824 2824 running_sum += l_src - l_rem;
2825 2825
2826 2826 DOWN_SUM(running_sum);
2827 2827 DOWN_SUM(running_sum);
2828 2828 }
2829 2829
2830 2830 if (natt_loc_ext != NULL) {
2831 2831 natt_loc = (struct sockaddr_in *)(natt_loc_ext + 1);
2832 2832
2833 2833 /* Ensured by sadb_addrfix(). */
2834 2834 ASSERT(natt_loc->sin_family == AF_INET);
2835 2835
2836 2836 natt_loc_ptr = (uint32_t *)(&natt_loc->sin_addr);
2837 2837 newbie->ipsa_local_nat_port = natt_loc->sin_port;
2838 2838
2839 2839 /* Instead of IPSA_COPY_ADDR(), just copy first 32 bits. */
2840 2840 newbie->ipsa_natt_addr_loc = *natt_loc_ptr;
2841 2841
2842 2842 /*
2843 2843 * NAT-T port agility means we may have natt_loc_ext, but
2844 2844 * only for a local-port change.
2845 2845 */
2846 2846 if (natt_loc->sin_addr.s_addr != INADDR_ANY) {
2847 2847 uint32_t l_dst = ntohl(*dst_addr_ptr);
2848 2848 uint32_t l_loc = ntohl(*natt_loc_ptr);
2849 2849
2850 2850 DOWN_SUM(l_loc);
2851 2851 DOWN_SUM(l_loc);
2852 2852 DOWN_SUM(l_dst);
2853 2853 DOWN_SUM(l_dst);
2854 2854
2855 2855 /*
2856 2856 * We're 1's complement for checksums, so check for
2857 2857 * wraparound here.
2858 2858 */
2859 2859 if (l_loc > l_dst)
2860 2860 l_dst--;
2861 2861
2862 2862 running_sum += l_dst - l_loc;
2863 2863 DOWN_SUM(running_sum);
2864 2864 DOWN_SUM(running_sum);
2865 2865 }
2866 2866 }
2867 2867
2868 2868 newbie->ipsa_inbound_cksum = running_sum;
2869 2869 #undef DOWN_SUM
2870 2870 }
2871 2871
2872 2872 /*
2873 2873 * This function is called from consumers that need to insert a fully-grown
2874 2874 * security association into its tables. This function takes into account that
2875 2875 * SAs can be "inbound", "outbound", or "both". The "primary" and "secondary"
2876 2876 * hash bucket parameters are set in order of what the SA will be most of the
2877 2877 * time. (For example, an SA with an unspecified source, and a multicast
2878 2878 * destination will primarily be an outbound SA. OTOH, if that destination
2879 2879 * is unicast for this node, then the SA will primarily be inbound.)
2880 2880 *
2881 2881 * It takes a lot of parameters because even if clone is B_FALSE, this needs
2882 2882 * to check both buckets for purposes of collision.
2883 2883 *
2884 2884 * Return 0 upon success. Return various errnos (ENOMEM, EEXIST) for
2885 2885 * various error conditions. We may need to set samsg->sadb_x_msg_diagnostic
2886 2886 * with additional diagnostic information because there is at least one EINVAL
2887 2887 * case here.
2888 2888 */
2889 2889 int
2890 2890 sadb_common_add(queue_t *pfkey_q, mblk_t *mp, sadb_msg_t *samsg,
2891 2891 keysock_in_t *ksi, isaf_t *primary, isaf_t *secondary,
2892 2892 ipsa_t *newbie, boolean_t clone, boolean_t is_inbound, int *diagnostic,
2893 2893 netstack_t *ns, sadbp_t *spp)
2894 2894 {
2895 2895 ipsa_t *newbie_clone = NULL, *scratch;
2896 2896 ipsap_t ipsapp;
2897 2897 sadb_sa_t *assoc = (sadb_sa_t *)ksi->ks_in_extv[SADB_EXT_SA];
2898 2898 sadb_address_t *srcext =
2899 2899 (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_SRC];
2900 2900 sadb_address_t *dstext =
2901 2901 (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_DST];
2902 2902 sadb_address_t *isrcext =
2903 2903 (sadb_address_t *)ksi->ks_in_extv[SADB_X_EXT_ADDRESS_INNER_SRC];
2904 2904 sadb_address_t *idstext =
2905 2905 (sadb_address_t *)ksi->ks_in_extv[SADB_X_EXT_ADDRESS_INNER_DST];
2906 2906 sadb_x_kmc_t *kmcext =
2907 2907 (sadb_x_kmc_t *)ksi->ks_in_extv[SADB_X_EXT_KM_COOKIE];
2908 2908 sadb_key_t *akey = (sadb_key_t *)ksi->ks_in_extv[SADB_EXT_KEY_AUTH];
2909 2909 sadb_key_t *ekey = (sadb_key_t *)ksi->ks_in_extv[SADB_EXT_KEY_ENCRYPT];
2910 2910 sadb_sens_t *sens =
2911 2911 (sadb_sens_t *)ksi->ks_in_extv[SADB_EXT_SENSITIVITY];
2912 2912 sadb_sens_t *osens =
2913 2913 (sadb_sens_t *)ksi->ks_in_extv[SADB_X_EXT_OUTER_SENS];
2914 2914 sadb_x_pair_t *pair_ext =
2915 2915 (sadb_x_pair_t *)ksi->ks_in_extv[SADB_X_EXT_PAIR];
2916 2916 sadb_x_replay_ctr_t *replayext =
2917 2917 (sadb_x_replay_ctr_t *)ksi->ks_in_extv[SADB_X_EXT_REPLAY_VALUE];
2918 2918 uint8_t protocol =
2919 2919 (samsg->sadb_msg_satype == SADB_SATYPE_AH) ? IPPROTO_AH:IPPROTO_ESP;
2920 2920 int salt_offset;
2921 2921 uint8_t *buf_ptr;
2922 2922 struct sockaddr_in *src, *dst, *isrc, *idst;
2923 2923 struct sockaddr_in6 *src6, *dst6, *isrc6, *idst6;
2924 2924 sadb_lifetime_t *soft =
2925 2925 (sadb_lifetime_t *)ksi->ks_in_extv[SADB_EXT_LIFETIME_SOFT];
2926 2926 sadb_lifetime_t *hard =
2927 2927 (sadb_lifetime_t *)ksi->ks_in_extv[SADB_EXT_LIFETIME_HARD];
2928 2928 sadb_lifetime_t *idle =
2929 2929 (sadb_lifetime_t *)ksi->ks_in_extv[SADB_X_EXT_LIFETIME_IDLE];
2930 2930 sa_family_t af;
2931 2931 int error = 0;
2932 2932 boolean_t isupdate = (newbie != NULL);
2933 2933 uint32_t *src_addr_ptr, *dst_addr_ptr, *isrc_addr_ptr, *idst_addr_ptr;
2934 2934 ipsec_stack_t *ipss = ns->netstack_ipsec;
2935 2935 ip_stack_t *ipst = ns->netstack_ip;
2936 2936 ipsec_alginfo_t *alg;
2937 2937 int rcode;
2938 2938 boolean_t async = B_FALSE;
2939 2939
2940 2940 init_ipsa_pair(&ipsapp);
2941 2941
2942 2942 if (srcext == NULL) {
2943 2943 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_SRC;
2944 2944 return (EINVAL);
2945 2945 }
2946 2946 if (dstext == NULL) {
2947 2947 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_DST;
2948 2948 return (EINVAL);
2949 2949 }
2950 2950 if (assoc == NULL) {
2951 2951 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_SA;
2952 2952 return (EINVAL);
2953 2953 }
2954 2954
2955 2955 src = (struct sockaddr_in *)(srcext + 1);
2956 2956 src6 = (struct sockaddr_in6 *)(srcext + 1);
2957 2957 dst = (struct sockaddr_in *)(dstext + 1);
2958 2958 dst6 = (struct sockaddr_in6 *)(dstext + 1);
2959 2959 if (isrcext != NULL) {
2960 2960 isrc = (struct sockaddr_in *)(isrcext + 1);
2961 2961 isrc6 = (struct sockaddr_in6 *)(isrcext + 1);
2962 2962 ASSERT(idstext != NULL);
2963 2963 idst = (struct sockaddr_in *)(idstext + 1);
2964 2964 idst6 = (struct sockaddr_in6 *)(idstext + 1);
2965 2965 } else {
2966 2966 isrc = NULL;
2967 2967 isrc6 = NULL;
2968 2968 }
2969 2969
2970 2970 af = src->sin_family;
2971 2971
2972 2972 if (af == AF_INET) {
2973 2973 src_addr_ptr = (uint32_t *)&src->sin_addr;
2974 2974 dst_addr_ptr = (uint32_t *)&dst->sin_addr;
2975 2975 } else {
2976 2976 ASSERT(af == AF_INET6);
2977 2977 src_addr_ptr = (uint32_t *)&src6->sin6_addr;
2978 2978 dst_addr_ptr = (uint32_t *)&dst6->sin6_addr;
2979 2979 }
2980 2980
2981 2981 if (!isupdate && (clone == B_TRUE || is_inbound == B_TRUE) &&
2982 2982 cl_inet_checkspi &&
2983 2983 (assoc->sadb_sa_state != SADB_X_SASTATE_ACTIVE_ELSEWHERE)) {
2984 2984 rcode = cl_inet_checkspi(ns->netstack_stackid, protocol,
2985 2985 assoc->sadb_sa_spi, NULL);
2986 2986 if (rcode == -1) {
2987 2987 return (EEXIST);
2988 2988 }
2989 2989 }
2990 2990
2991 2991 /*
2992 2992 * Check to see if the new SA will be cloned AND paired. The
2993 2993 * reason a SA will be cloned is the source or destination addresses
2994 2994 * are not specific enough to determine if the SA goes in the outbound
2995 2995 * or the inbound hash table, so its cloned and put in both. If
2996 2996 * the SA is paired, it's soft linked to another SA for the other
2997 2997 * direction. Keeping track and looking up SA's that are direction
2998 2998 * unspecific and linked is too hard.
2999 2999 */
3000 3000 if (clone && (pair_ext != NULL)) {
3001 3001 *diagnostic = SADB_X_DIAGNOSTIC_PAIR_INAPPROPRIATE;
3002 3002 return (EINVAL);
3003 3003 }
3004 3004
3005 3005 if (!isupdate) {
3006 3006 newbie = sadb_makelarvalassoc(assoc->sadb_sa_spi,
3007 3007 src_addr_ptr, dst_addr_ptr, af, ns);
3008 3008 if (newbie == NULL)
3009 3009 return (ENOMEM);
3010 3010 }
3011 3011
3012 3012 mutex_enter(&newbie->ipsa_lock);
3013 3013
3014 3014 if (isrc != NULL) {
3015 3015 if (isrc->sin_family == AF_INET) {
3016 3016 if (srcext->sadb_address_proto != IPPROTO_ENCAP) {
3017 3017 if (srcext->sadb_address_proto != 0) {
3018 3018 /*
3019 3019 * Mismatched outer-packet protocol
3020 3020 * and inner-packet address family.
3021 3021 */
3022 3022 mutex_exit(&newbie->ipsa_lock);
3023 3023 error = EPROTOTYPE;
3024 3024 *diagnostic =
3025 3025 SADB_X_DIAGNOSTIC_INNER_AF_MISMATCH;
3026 3026 goto error;
3027 3027 } else {
3028 3028 /* Fill in with explicit protocol. */
3029 3029 srcext->sadb_address_proto =
3030 3030 IPPROTO_ENCAP;
3031 3031 dstext->sadb_address_proto =
3032 3032 IPPROTO_ENCAP;
3033 3033 }
3034 3034 }
3035 3035 isrc_addr_ptr = (uint32_t *)&isrc->sin_addr;
3036 3036 idst_addr_ptr = (uint32_t *)&idst->sin_addr;
3037 3037 } else {
3038 3038 ASSERT(isrc->sin_family == AF_INET6);
3039 3039 if (srcext->sadb_address_proto != IPPROTO_IPV6) {
3040 3040 if (srcext->sadb_address_proto != 0) {
3041 3041 /*
3042 3042 * Mismatched outer-packet protocol
3043 3043 * and inner-packet address family.
3044 3044 */
3045 3045 mutex_exit(&newbie->ipsa_lock);
3046 3046 error = EPROTOTYPE;
3047 3047 *diagnostic =
3048 3048 SADB_X_DIAGNOSTIC_INNER_AF_MISMATCH;
3049 3049 goto error;
3050 3050 } else {
3051 3051 /* Fill in with explicit protocol. */
3052 3052 srcext->sadb_address_proto =
3053 3053 IPPROTO_IPV6;
3054 3054 dstext->sadb_address_proto =
3055 3055 IPPROTO_IPV6;
3056 3056 }
3057 3057 }
3058 3058 isrc_addr_ptr = (uint32_t *)&isrc6->sin6_addr;
3059 3059 idst_addr_ptr = (uint32_t *)&idst6->sin6_addr;
3060 3060 }
3061 3061 newbie->ipsa_innerfam = isrc->sin_family;
3062 3062
3063 3063 IPSA_COPY_ADDR(newbie->ipsa_innersrc, isrc_addr_ptr,
3064 3064 newbie->ipsa_innerfam);
3065 3065 IPSA_COPY_ADDR(newbie->ipsa_innerdst, idst_addr_ptr,
3066 3066 newbie->ipsa_innerfam);
3067 3067 newbie->ipsa_innersrcpfx = isrcext->sadb_address_prefixlen;
3068 3068 newbie->ipsa_innerdstpfx = idstext->sadb_address_prefixlen;
3069 3069
3070 3070 /* Unique value uses inner-ports for Tunnel Mode... */
3071 3071 newbie->ipsa_unique_id = SA_UNIQUE_ID(isrc->sin_port,
3072 3072 idst->sin_port, dstext->sadb_address_proto,
3073 3073 idstext->sadb_address_proto);
3074 3074 newbie->ipsa_unique_mask = SA_UNIQUE_MASK(isrc->sin_port,
3075 3075 idst->sin_port, dstext->sadb_address_proto,
3076 3076 idstext->sadb_address_proto);
3077 3077 } else {
3078 3078 /* ... and outer-ports for Transport Mode. */
3079 3079 newbie->ipsa_unique_id = SA_UNIQUE_ID(src->sin_port,
3080 3080 dst->sin_port, dstext->sadb_address_proto, 0);
3081 3081 newbie->ipsa_unique_mask = SA_UNIQUE_MASK(src->sin_port,
3082 3082 dst->sin_port, dstext->sadb_address_proto, 0);
3083 3083 }
3084 3084 if (newbie->ipsa_unique_mask != (uint64_t)0)
3085 3085 newbie->ipsa_flags |= IPSA_F_UNIQUE;
3086 3086
3087 3087 sadb_nat_calculations(newbie,
3088 3088 (sadb_address_t *)ksi->ks_in_extv[SADB_X_EXT_ADDRESS_NATT_LOC],
3089 3089 (sadb_address_t *)ksi->ks_in_extv[SADB_X_EXT_ADDRESS_NATT_REM],
3090 3090 src_addr_ptr, dst_addr_ptr);
3091 3091
3092 3092 newbie->ipsa_type = samsg->sadb_msg_satype;
3093 3093
3094 3094 ASSERT((assoc->sadb_sa_state == SADB_SASTATE_MATURE) ||
3095 3095 (assoc->sadb_sa_state == SADB_X_SASTATE_ACTIVE_ELSEWHERE));
3096 3096 newbie->ipsa_auth_alg = assoc->sadb_sa_auth;
3097 3097 newbie->ipsa_encr_alg = assoc->sadb_sa_encrypt;
3098 3098
3099 3099 newbie->ipsa_flags |= assoc->sadb_sa_flags;
3100 3100 if (newbie->ipsa_flags & SADB_X_SAFLAGS_NATT_LOC &&
3101 3101 ksi->ks_in_extv[SADB_X_EXT_ADDRESS_NATT_LOC] == NULL) {
3102 3102 mutex_exit(&newbie->ipsa_lock);
3103 3103 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_NATT_LOC;
3104 3104 error = EINVAL;
3105 3105 goto error;
3106 3106 }
3107 3107 if (newbie->ipsa_flags & SADB_X_SAFLAGS_NATT_REM &&
3108 3108 ksi->ks_in_extv[SADB_X_EXT_ADDRESS_NATT_REM] == NULL) {
3109 3109 mutex_exit(&newbie->ipsa_lock);
3110 3110 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_NATT_REM;
3111 3111 error = EINVAL;
3112 3112 goto error;
3113 3113 }
3114 3114 if (newbie->ipsa_flags & SADB_X_SAFLAGS_TUNNEL &&
3115 3115 ksi->ks_in_extv[SADB_X_EXT_ADDRESS_INNER_SRC] == NULL) {
3116 3116 mutex_exit(&newbie->ipsa_lock);
3117 3117 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_INNER_SRC;
3118 3118 error = EINVAL;
3119 3119 goto error;
3120 3120 }
3121 3121 /*
3122 3122 * If unspecified source address, force replay_wsize to 0.
3123 3123 * This is because an SA that has multiple sources of secure
3124 3124 * traffic cannot enforce a replay counter w/o synchronizing the
3125 3125 * senders.
3126 3126 */
3127 3127 if (ksi->ks_in_srctype != KS_IN_ADDR_UNSPEC)
3128 3128 newbie->ipsa_replay_wsize = assoc->sadb_sa_replay;
3129 3129 else
3130 3130 newbie->ipsa_replay_wsize = 0;
3131 3131
3132 3132 newbie->ipsa_addtime = gethrestime_sec();
3133 3133
3134 3134 if (kmcext != NULL) {
3135 3135 newbie->ipsa_kmp = kmcext->sadb_x_kmc_proto;
3136 3136 newbie->ipsa_kmc = kmcext->sadb_x_kmc_cookie;
3137 3137 }
3138 3138
3139 3139 /*
3140 3140 * XXX CURRENT lifetime checks MAY BE needed for an UPDATE.
3141 3141 * The spec says that one can update current lifetimes, but
3142 3142 * that seems impractical, especially in the larval-to-mature
3143 3143 * update that this function performs.
3144 3144 */
3145 3145 if (soft != NULL) {
3146 3146 newbie->ipsa_softaddlt = soft->sadb_lifetime_addtime;
3147 3147 newbie->ipsa_softuselt = soft->sadb_lifetime_usetime;
3148 3148 newbie->ipsa_softbyteslt = soft->sadb_lifetime_bytes;
3149 3149 newbie->ipsa_softalloc = soft->sadb_lifetime_allocations;
3150 3150 SET_EXPIRE(newbie, softaddlt, softexpiretime);
3151 3151 }
3152 3152 if (hard != NULL) {
3153 3153 newbie->ipsa_hardaddlt = hard->sadb_lifetime_addtime;
3154 3154 newbie->ipsa_harduselt = hard->sadb_lifetime_usetime;
3155 3155 newbie->ipsa_hardbyteslt = hard->sadb_lifetime_bytes;
3156 3156 newbie->ipsa_hardalloc = hard->sadb_lifetime_allocations;
3157 3157 SET_EXPIRE(newbie, hardaddlt, hardexpiretime);
3158 3158 }
3159 3159 if (idle != NULL) {
3160 3160 newbie->ipsa_idleaddlt = idle->sadb_lifetime_addtime;
3161 3161 newbie->ipsa_idleuselt = idle->sadb_lifetime_usetime;
3162 3162 newbie->ipsa_idleexpiretime = newbie->ipsa_addtime +
3163 3163 newbie->ipsa_idleaddlt;
3164 3164 newbie->ipsa_idletime = newbie->ipsa_idleaddlt;
3165 3165 }
3166 3166
3167 3167 newbie->ipsa_authtmpl = NULL;
3168 3168 newbie->ipsa_encrtmpl = NULL;
3169 3169
3170 3170 #ifdef IPSEC_LATENCY_TEST
3171 3171 if (akey != NULL && newbie->ipsa_auth_alg != SADB_AALG_NONE) {
3172 3172 #else
3173 3173 if (akey != NULL) {
3174 3174 #endif
3175 3175 async = (ipss->ipsec_algs_exec_mode[IPSEC_ALG_AUTH] ==
3176 3176 IPSEC_ALGS_EXEC_ASYNC);
3177 3177
3178 3178 newbie->ipsa_authkeybits = akey->sadb_key_bits;
3179 3179 newbie->ipsa_authkeylen = SADB_1TO8(akey->sadb_key_bits);
3180 3180 /* In case we have to round up to the next byte... */
3181 3181 if ((akey->sadb_key_bits & 0x7) != 0)
3182 3182 newbie->ipsa_authkeylen++;
3183 3183 newbie->ipsa_authkey = kmem_alloc(newbie->ipsa_authkeylen,
3184 3184 KM_NOSLEEP);
3185 3185 if (newbie->ipsa_authkey == NULL) {
3186 3186 error = ENOMEM;
3187 3187 mutex_exit(&newbie->ipsa_lock);
3188 3188 goto error;
3189 3189 }
3190 3190 bcopy(akey + 1, newbie->ipsa_authkey, newbie->ipsa_authkeylen);
3191 3191 bzero(akey + 1, newbie->ipsa_authkeylen);
3192 3192
3193 3193 /*
3194 3194 * Pre-initialize the kernel crypto framework key
3195 3195 * structure.
3196 3196 */
3197 3197 newbie->ipsa_kcfauthkey.ck_format = CRYPTO_KEY_RAW;
3198 3198 newbie->ipsa_kcfauthkey.ck_length = newbie->ipsa_authkeybits;
3199 3199 newbie->ipsa_kcfauthkey.ck_data = newbie->ipsa_authkey;
3200 3200
3201 3201 mutex_enter(&ipss->ipsec_alg_lock);
3202 3202 alg = ipss->ipsec_alglists[IPSEC_ALG_AUTH]
3203 3203 [newbie->ipsa_auth_alg];
3204 3204 if (alg != NULL && ALG_VALID(alg)) {
3205 3205 newbie->ipsa_amech.cm_type = alg->alg_mech_type;
3206 3206 newbie->ipsa_amech.cm_param =
3207 3207 (char *)&newbie->ipsa_mac_len;
3208 3208 newbie->ipsa_amech.cm_param_len = sizeof (size_t);
3209 3209 newbie->ipsa_mac_len = (size_t)alg->alg_datalen;
3210 3210 } else {
3211 3211 newbie->ipsa_amech.cm_type = CRYPTO_MECHANISM_INVALID;
3212 3212 }
3213 3213 error = ipsec_create_ctx_tmpl(newbie, IPSEC_ALG_AUTH);
3214 3214 mutex_exit(&ipss->ipsec_alg_lock);
3215 3215 if (error != 0) {
3216 3216 mutex_exit(&newbie->ipsa_lock);
3217 3217 /*
3218 3218 * An error here indicates that alg is the wrong type
3219 3219 * (IE: not authentication) or its not in the alg tables
3220 3220 * created by ipsecalgs(1m), or Kcf does not like the
3221 3221 * parameters passed in with this algorithm, which is
3222 3222 * probably a coding error!
3223 3223 */
3224 3224 *diagnostic = SADB_X_DIAGNOSTIC_BAD_CTX;
3225 3225
3226 3226 goto error;
3227 3227 }
3228 3228 }
3229 3229
3230 3230 if (ekey != NULL) {
3231 3231 mutex_enter(&ipss->ipsec_alg_lock);
3232 3232 async = async || (ipss->ipsec_algs_exec_mode[IPSEC_ALG_ENCR] ==
3233 3233 IPSEC_ALGS_EXEC_ASYNC);
3234 3234 alg = ipss->ipsec_alglists[IPSEC_ALG_ENCR]
3235 3235 [newbie->ipsa_encr_alg];
3236 3236
3237 3237 if (alg != NULL && ALG_VALID(alg)) {
3238 3238 newbie->ipsa_emech.cm_type = alg->alg_mech_type;
3239 3239 newbie->ipsa_datalen = alg->alg_datalen;
3240 3240 if (alg->alg_flags & ALG_FLAG_COUNTERMODE)
3241 3241 newbie->ipsa_flags |= IPSA_F_COUNTERMODE;
3242 3242
3243 3243 if (alg->alg_flags & ALG_FLAG_COMBINED) {
3244 3244 newbie->ipsa_flags |= IPSA_F_COMBINED;
3245 3245 newbie->ipsa_mac_len = alg->alg_icvlen;
3246 3246 }
3247 3247
3248 3248 if (alg->alg_flags & ALG_FLAG_CCM)
3249 3249 newbie->ipsa_noncefunc = ccm_params_init;
3250 3250 else if (alg->alg_flags & ALG_FLAG_GCM)
3251 3251 newbie->ipsa_noncefunc = gcm_params_init;
3252 3252 else newbie->ipsa_noncefunc = cbc_params_init;
3253 3253
3254 3254 newbie->ipsa_saltlen = alg->alg_saltlen;
3255 3255 newbie->ipsa_saltbits = SADB_8TO1(newbie->ipsa_saltlen);
3256 3256 newbie->ipsa_iv_len = alg->alg_ivlen;
3257 3257 newbie->ipsa_nonce_len = newbie->ipsa_saltlen +
3258 3258 newbie->ipsa_iv_len;
3259 3259 newbie->ipsa_emech.cm_param = NULL;
3260 3260 newbie->ipsa_emech.cm_param_len = 0;
3261 3261 } else {
3262 3262 newbie->ipsa_emech.cm_type = CRYPTO_MECHANISM_INVALID;
3263 3263 }
3264 3264 mutex_exit(&ipss->ipsec_alg_lock);
3265 3265
3266 3266 /*
3267 3267 * The byte stream following the sadb_key_t is made up of:
3268 3268 * key bytes, [salt bytes], [IV initial value]
3269 3269 * All of these have variable length. The IV is typically
3270 3270 * randomly generated by this function and not passed in.
3271 3271 * By supporting the injection of a known IV, the whole
3272 3272 * IPsec subsystem and the underlying crypto subsystem
3273 3273 * can be tested with known test vectors.
3274 3274 *
3275 3275 * The keying material has been checked by ext_check()
3276 3276 * and ipsec_valid_key_size(), after removing salt/IV
3277 3277 * bits, whats left is the encryption key. If this is too
3278 3278 * short, ipsec_create_ctx_tmpl() will fail and the SA
3279 3279 * won't get created.
3280 3280 *
3281 3281 * set ipsa_encrkeylen to length of key only.
3282 3282 */
3283 3283 newbie->ipsa_encrkeybits = ekey->sadb_key_bits;
3284 3284 newbie->ipsa_encrkeybits -= ekey->sadb_key_reserved;
3285 3285 newbie->ipsa_encrkeybits -= newbie->ipsa_saltbits;
3286 3286 newbie->ipsa_encrkeylen = SADB_1TO8(newbie->ipsa_encrkeybits);
3287 3287
3288 3288 /* In case we have to round up to the next byte... */
3289 3289 if ((ekey->sadb_key_bits & 0x7) != 0)
3290 3290 newbie->ipsa_encrkeylen++;
3291 3291
3292 3292 newbie->ipsa_encrkey = kmem_alloc(newbie->ipsa_encrkeylen,
3293 3293 KM_NOSLEEP);
3294 3294 if (newbie->ipsa_encrkey == NULL) {
3295 3295 error = ENOMEM;
3296 3296 mutex_exit(&newbie->ipsa_lock);
3297 3297 goto error;
3298 3298 }
3299 3299
3300 3300 buf_ptr = (uint8_t *)(ekey + 1);
3301 3301 bcopy(buf_ptr, newbie->ipsa_encrkey, newbie->ipsa_encrkeylen);
3302 3302
3303 3303 if (newbie->ipsa_flags & IPSA_F_COMBINED) {
3304 3304 /*
3305 3305 * Combined mode algs need a nonce. Copy the salt and
3306 3306 * IV into a buffer. The ipsa_nonce is a pointer into
3307 3307 * this buffer, some bytes at the start of the buffer
3308 3308 * may be unused, depends on the salt length. The IV
3309 3309 * is 64 bit aligned so it can be incremented as a
3310 3310 * uint64_t. Zero out key in samsg_t before freeing.
3311 3311 */
3312 3312
3313 3313 newbie->ipsa_nonce_buf = kmem_alloc(
3314 3314 sizeof (ipsec_nonce_t), KM_NOSLEEP);
3315 3315 if (newbie->ipsa_nonce_buf == NULL) {
3316 3316 error = ENOMEM;
3317 3317 mutex_exit(&newbie->ipsa_lock);
3318 3318 goto error;
3319 3319 }
3320 3320 /*
3321 3321 * Initialize nonce and salt pointers to point
3322 3322 * to the nonce buffer. This is just in case we get
3323 3323 * bad data, the pointers will be valid, the data
3324 3324 * won't be.
3325 3325 *
3326 3326 * See sadb.h for layout of nonce.
3327 3327 */
3328 3328 newbie->ipsa_iv = &newbie->ipsa_nonce_buf->iv;
3329 3329 newbie->ipsa_salt = (uint8_t *)newbie->ipsa_nonce_buf;
3330 3330 newbie->ipsa_nonce = newbie->ipsa_salt;
3331 3331 if (newbie->ipsa_saltlen != 0) {
3332 3332 salt_offset = MAXSALTSIZE -
3333 3333 newbie->ipsa_saltlen;
3334 3334 newbie->ipsa_salt = (uint8_t *)
3335 3335 &newbie->ipsa_nonce_buf->salt[salt_offset];
3336 3336 newbie->ipsa_nonce = newbie->ipsa_salt;
3337 3337 buf_ptr += newbie->ipsa_encrkeylen;
3338 3338 bcopy(buf_ptr, newbie->ipsa_salt,
3339 3339 newbie->ipsa_saltlen);
3340 3340 }
3341 3341 /*
3342 3342 * The IV for CCM/GCM mode increments, it should not
3343 3343 * repeat. Get a random value for the IV, make a
3344 3344 * copy, the SA will expire when/if the IV ever
3345 3345 * wraps back to the initial value. If an Initial IV
3346 3346 * is passed in via PF_KEY, save this in the SA.
3347 3347 * Initialising IV for inbound is pointless as its
3348 3348 * taken from the inbound packet.
3349 3349 */
3350 3350 if (!is_inbound) {
3351 3351 if (ekey->sadb_key_reserved != 0) {
3352 3352 buf_ptr += newbie->ipsa_saltlen;
3353 3353 bcopy(buf_ptr, (uint8_t *)newbie->
3354 3354 ipsa_iv, SADB_1TO8(ekey->
3355 3355 sadb_key_reserved));
3356 3356 } else {
3357 3357 (void) random_get_pseudo_bytes(
3358 3358 (uint8_t *)newbie->ipsa_iv,
3359 3359 newbie->ipsa_iv_len);
3360 3360 }
3361 3361 newbie->ipsa_iv_softexpire =
3362 3362 (*newbie->ipsa_iv) << 9;
3363 3363 newbie->ipsa_iv_hardexpire = *newbie->ipsa_iv;
3364 3364 }
3365 3365 }
3366 3366 bzero((ekey + 1), SADB_1TO8(ekey->sadb_key_bits));
3367 3367
3368 3368 /*
3369 3369 * Pre-initialize the kernel crypto framework key
3370 3370 * structure.
3371 3371 */
3372 3372 newbie->ipsa_kcfencrkey.ck_format = CRYPTO_KEY_RAW;
3373 3373 newbie->ipsa_kcfencrkey.ck_length = newbie->ipsa_encrkeybits;
3374 3374 newbie->ipsa_kcfencrkey.ck_data = newbie->ipsa_encrkey;
3375 3375
3376 3376 mutex_enter(&ipss->ipsec_alg_lock);
3377 3377 error = ipsec_create_ctx_tmpl(newbie, IPSEC_ALG_ENCR);
3378 3378 mutex_exit(&ipss->ipsec_alg_lock);
3379 3379 if (error != 0) {
3380 3380 mutex_exit(&newbie->ipsa_lock);
3381 3381 /* See above for error explanation. */
3382 3382 *diagnostic = SADB_X_DIAGNOSTIC_BAD_CTX;
3383 3383 goto error;
3384 3384 }
3385 3385 }
3386 3386
3387 3387 if (async)
3388 3388 newbie->ipsa_flags |= IPSA_F_ASYNC;
3389 3389
3390 3390 /*
3391 3391 * Ptrs to processing functions.
3392 3392 */
3393 3393 if (newbie->ipsa_type == SADB_SATYPE_ESP)
3394 3394 ipsecesp_init_funcs(newbie);
3395 3395 else
3396 3396 ipsecah_init_funcs(newbie);
3397 3397 ASSERT(newbie->ipsa_output_func != NULL &&
3398 3398 newbie->ipsa_input_func != NULL);
3399 3399
3400 3400 /*
3401 3401 * Certificate ID stuff.
3402 3402 */
3403 3403 if (ksi->ks_in_extv[SADB_EXT_IDENTITY_SRC] != NULL) {
3404 3404 sadb_ident_t *id =
3405 3405 (sadb_ident_t *)ksi->ks_in_extv[SADB_EXT_IDENTITY_SRC];
3406 3406
3407 3407 /*
3408 3408 * Can assume strlen() will return okay because ext_check() in
3409 3409 * keysock.c prepares the string for us.
3410 3410 */
3411 3411 newbie->ipsa_src_cid = ipsid_lookup(id->sadb_ident_type,
3412 3412 (char *)(id+1), ns);
3413 3413 if (newbie->ipsa_src_cid == NULL) {
3414 3414 error = ENOMEM;
3415 3415 mutex_exit(&newbie->ipsa_lock);
3416 3416 goto error;
3417 3417 }
3418 3418 }
3419 3419
3420 3420 if (ksi->ks_in_extv[SADB_EXT_IDENTITY_DST] != NULL) {
3421 3421 sadb_ident_t *id =
3422 3422 (sadb_ident_t *)ksi->ks_in_extv[SADB_EXT_IDENTITY_DST];
3423 3423
3424 3424 /*
3425 3425 * Can assume strlen() will return okay because ext_check() in
3426 3426 * keysock.c prepares the string for us.
3427 3427 */
3428 3428 newbie->ipsa_dst_cid = ipsid_lookup(id->sadb_ident_type,
3429 3429 (char *)(id+1), ns);
3430 3430 if (newbie->ipsa_dst_cid == NULL) {
3431 3431 error = ENOMEM;
3432 3432 mutex_exit(&newbie->ipsa_lock);
3433 3433 goto error;
3434 3434 }
3435 3435 }
3436 3436
3437 3437 /*
3438 3438 * sensitivity label handling code:
3439 3439 * Convert sens + bitmap into cred_t, and associate it
3440 3440 * with the new SA.
3441 3441 */
3442 3442 if (sens != NULL) {
3443 3443 uint64_t *bitmap = (uint64_t *)(sens + 1);
3444 3444
3445 3445 newbie->ipsa_tsl = sadb_label_from_sens(sens, bitmap);
3446 3446 }
3447 3447
3448 3448 /*
3449 3449 * Likewise for outer sensitivity.
3450 3450 */
3451 3451 if (osens != NULL) {
3452 3452 uint64_t *bitmap = (uint64_t *)(osens + 1);
3453 3453 ts_label_t *tsl, *effective_tsl;
3454 3454 uint32_t *peer_addr_ptr;
3455 3455 zoneid_t zoneid = GLOBAL_ZONEID;
3456 3456 zone_t *zone;
3457 3457
3458 3458 peer_addr_ptr = is_inbound ? src_addr_ptr : dst_addr_ptr;
3459 3459
3460 3460 tsl = sadb_label_from_sens(osens, bitmap);
3461 3461 newbie->ipsa_mac_exempt = CONN_MAC_DEFAULT;
3462 3462
3463 3463 if (osens->sadb_x_sens_flags & SADB_X_SENS_IMPLICIT) {
3464 3464 newbie->ipsa_mac_exempt = CONN_MAC_IMPLICIT;
3465 3465 }
3466 3466
3467 3467 error = tsol_check_dest(tsl, peer_addr_ptr,
3468 3468 (af == AF_INET6)?IPV6_VERSION:IPV4_VERSION,
3469 3469 newbie->ipsa_mac_exempt, B_TRUE, &effective_tsl);
3470 3470 if (error != 0) {
3471 3471 label_rele(tsl);
3472 3472 mutex_exit(&newbie->ipsa_lock);
3473 3473 goto error;
3474 3474 }
3475 3475
3476 3476 if (effective_tsl != NULL) {
3477 3477 label_rele(tsl);
3478 3478 tsl = effective_tsl;
3479 3479 }
3480 3480
3481 3481 newbie->ipsa_otsl = tsl;
3482 3482
3483 3483 zone = zone_find_by_label(tsl);
3484 3484 if (zone != NULL) {
3485 3485 zoneid = zone->zone_id;
3486 3486 zone_rele(zone);
3487 3487 }
3488 3488 /*
3489 3489 * For exclusive stacks we set the zoneid to zero to operate
3490 3490 * as if in the global zone for tsol_compute_label_v4/v6
3491 3491 */
3492 3492 if (ipst->ips_netstack->netstack_stackid != GLOBAL_NETSTACKID)
3493 3493 zoneid = GLOBAL_ZONEID;
3494 3494
3495 3495 if (af == AF_INET6) {
3496 3496 error = tsol_compute_label_v6(tsl, zoneid,
3497 3497 (in6_addr_t *)peer_addr_ptr,
3498 3498 newbie->ipsa_opt_storage, ipst);
3499 3499 } else {
3500 3500 error = tsol_compute_label_v4(tsl, zoneid,
3501 3501 *peer_addr_ptr, newbie->ipsa_opt_storage, ipst);
3502 3502 }
3503 3503 if (error != 0) {
3504 3504 mutex_exit(&newbie->ipsa_lock);
3505 3505 goto error;
3506 3506 }
3507 3507 }
3508 3508
3509 3509
3510 3510 if (replayext != NULL) {
3511 3511 if ((replayext->sadb_x_rc_replay32 == 0) &&
3512 3512 (replayext->sadb_x_rc_replay64 != 0)) {
3513 3513 error = EOPNOTSUPP;
3514 3514 *diagnostic = SADB_X_DIAGNOSTIC_INVALID_REPLAY;
3515 3515 mutex_exit(&newbie->ipsa_lock);
3516 3516 goto error;
3517 3517 }
3518 3518 newbie->ipsa_replay = replayext->sadb_x_rc_replay32;
3519 3519 }
3520 3520
3521 3521 /* now that the SA has been updated, set its new state */
3522 3522 newbie->ipsa_state = assoc->sadb_sa_state;
3523 3523
3524 3524 if (clone) {
3525 3525 newbie->ipsa_haspeer = B_TRUE;
3526 3526 } else {
3527 3527 if (!is_inbound) {
3528 3528 lifetime_fuzz(newbie);
3529 3529 }
3530 3530 }
3531 3531 /*
3532 3532 * The less locks I hold when doing an insertion and possible cloning,
3533 3533 * the better!
3534 3534 */
3535 3535 mutex_exit(&newbie->ipsa_lock);
3536 3536
3537 3537 if (clone) {
3538 3538 newbie_clone = sadb_cloneassoc(newbie);
3539 3539
3540 3540 if (newbie_clone == NULL) {
3541 3541 error = ENOMEM;
3542 3542 goto error;
3543 3543 }
3544 3544 }
3545 3545
3546 3546 /*
3547 3547 * Enter the bucket locks. The order of entry is outbound,
3548 3548 * inbound. We map "primary" and "secondary" into outbound and inbound
3549 3549 * based on the destination address type. If the destination address
3550 3550 * type is for a node that isn't mine (or potentially mine), the
3551 3551 * "primary" bucket is the outbound one.
3552 3552 */
3553 3553 if (!is_inbound) {
3554 3554 /* primary == outbound */
3555 3555 mutex_enter(&primary->isaf_lock);
3556 3556 mutex_enter(&secondary->isaf_lock);
3557 3557 } else {
3558 3558 /* primary == inbound */
3559 3559 mutex_enter(&secondary->isaf_lock);
3560 3560 mutex_enter(&primary->isaf_lock);
3561 3561 }
3562 3562
3563 3563 /*
3564 3564 * sadb_insertassoc() doesn't increment the reference
3565 3565 * count. We therefore have to increment the
3566 3566 * reference count one more time to reflect the
3567 3567 * pointers of the table that reference this SA.
3568 3568 */
3569 3569 IPSA_REFHOLD(newbie);
3570 3570
3571 3571 if (isupdate) {
3572 3572 /*
3573 3573 * Unlink from larval holding cell in the "inbound" fanout.
3574 3574 */
3575 3575 ASSERT(newbie->ipsa_linklock == &primary->isaf_lock ||
3576 3576 newbie->ipsa_linklock == &secondary->isaf_lock);
3577 3577 sadb_unlinkassoc(newbie);
3578 3578 }
3579 3579
3580 3580 mutex_enter(&newbie->ipsa_lock);
3581 3581 error = sadb_insertassoc(newbie, primary);
3582 3582 mutex_exit(&newbie->ipsa_lock);
3583 3583
3584 3584 if (error != 0) {
3585 3585 /*
3586 3586 * Since sadb_insertassoc() failed, we must decrement the
3587 3587 * refcount again so the cleanup code will actually free
3588 3588 * the offending SA.
3589 3589 */
3590 3590 IPSA_REFRELE(newbie);
3591 3591 goto error_unlock;
3592 3592 }
3593 3593
3594 3594 if (newbie_clone != NULL) {
3595 3595 mutex_enter(&newbie_clone->ipsa_lock);
3596 3596 error = sadb_insertassoc(newbie_clone, secondary);
3597 3597 mutex_exit(&newbie_clone->ipsa_lock);
3598 3598 if (error != 0) {
3599 3599 /* Collision in secondary table. */
3600 3600 sadb_unlinkassoc(newbie); /* This does REFRELE. */
3601 3601 goto error_unlock;
3602 3602 }
3603 3603 IPSA_REFHOLD(newbie_clone);
3604 3604 } else {
3605 3605 ASSERT(primary != secondary);
3606 3606 scratch = ipsec_getassocbyspi(secondary, newbie->ipsa_spi,
3607 3607 ALL_ZEROES_PTR, newbie->ipsa_dstaddr, af);
3608 3608 if (scratch != NULL) {
3609 3609 /* Collision in secondary table. */
3610 3610 sadb_unlinkassoc(newbie); /* This does REFRELE. */
3611 3611 /* Set the error, since ipsec_getassocbyspi() can't. */
3612 3612 error = EEXIST;
3613 3613 goto error_unlock;
3614 3614 }
3615 3615 }
3616 3616
3617 3617 /* OKAY! So let's do some reality check assertions. */
3618 3618
3619 3619 ASSERT(MUTEX_NOT_HELD(&newbie->ipsa_lock));
3620 3620 ASSERT(newbie_clone == NULL ||
3621 3621 (MUTEX_NOT_HELD(&newbie_clone->ipsa_lock)));
3622 3622
3623 3623 error_unlock:
3624 3624
3625 3625 /*
3626 3626 * We can exit the locks in any order. Only entrance needs to
3627 3627 * follow any protocol.
3628 3628 */
3629 3629 mutex_exit(&secondary->isaf_lock);
3630 3630 mutex_exit(&primary->isaf_lock);
3631 3631
3632 3632 if (pair_ext != NULL && error == 0) {
3633 3633 /* update pair_spi if it exists. */
3634 3634 ipsa_query_t sq;
3635 3635
3636 3636 sq.spp = spp; /* XXX param */
3637 3637 error = sadb_form_query(ksi, IPSA_Q_DST, IPSA_Q_SRC|IPSA_Q_DST|
3638 3638 IPSA_Q_SA|IPSA_Q_INBOUND|IPSA_Q_OUTBOUND, &sq, diagnostic);
3639 3639 if (error)
3640 3640 return (error);
3641 3641
3642 3642 error = get_ipsa_pair(&sq, &ipsapp, diagnostic);
3643 3643
3644 3644 if (error != 0)
3645 3645 goto error;
3646 3646
3647 3647 if (ipsapp.ipsap_psa_ptr != NULL) {
3648 3648 *diagnostic = SADB_X_DIAGNOSTIC_PAIR_ALREADY;
3649 3649 error = EINVAL;
3650 3650 } else {
3651 3651 /* update_pairing() sets diagnostic */
3652 3652 error = update_pairing(&ipsapp, &sq, ksi, diagnostic);
3653 3653 }
3654 3654 }
3655 3655 /* Common error point for this routine. */
3656 3656 error:
3657 3657 if (newbie != NULL) {
3658 3658 if (error != 0) {
3659 3659 /* This SA is broken, let the reaper clean up. */
3660 3660 mutex_enter(&newbie->ipsa_lock);
3661 3661 newbie->ipsa_state = IPSA_STATE_DEAD;
3662 3662 newbie->ipsa_hardexpiretime = 1;
3663 3663 mutex_exit(&newbie->ipsa_lock);
3664 3664 }
3665 3665 IPSA_REFRELE(newbie);
3666 3666 }
3667 3667 if (newbie_clone != NULL) {
3668 3668 IPSA_REFRELE(newbie_clone);
3669 3669 }
3670 3670
3671 3671 if (error == 0) {
3672 3672 /*
3673 3673 * Construct favorable PF_KEY return message and send to
3674 3674 * keysock. Update the flags in the original keysock message
3675 3675 * to reflect the actual flags in the new SA.
3676 3676 * (Q: Do I need to pass "newbie"? If I do,
3677 3677 * make sure to REFHOLD, call, then REFRELE.)
3678 3678 */
3679 3679 assoc->sadb_sa_flags = newbie->ipsa_flags;
3680 3680 sadb_pfkey_echo(pfkey_q, mp, samsg, ksi, NULL);
3681 3681 }
3682 3682
3683 3683 destroy_ipsa_pair(&ipsapp);
3684 3684 return (error);
3685 3685 }
3686 3686
3687 3687 /*
3688 3688 * Set the time of first use for a security association. Update any
3689 3689 * expiration times as a result.
3690 3690 */
3691 3691 void
3692 3692 sadb_set_usetime(ipsa_t *assoc)
3693 3693 {
3694 3694 time_t snapshot = gethrestime_sec();
3695 3695
3696 3696 mutex_enter(&assoc->ipsa_lock);
3697 3697 assoc->ipsa_lastuse = snapshot;
3698 3698 assoc->ipsa_idleexpiretime = snapshot + assoc->ipsa_idletime;
3699 3699
3700 3700 /*
3701 3701 * Caller does check usetime before calling me usually, and
3702 3702 * double-checking is better than a mutex_enter/exit hit.
3703 3703 */
3704 3704 if (assoc->ipsa_usetime == 0) {
3705 3705 /*
3706 3706 * This is redundant for outbound SA's, as
3707 3707 * ipsec_getassocbyconn() sets the IPSA_F_USED flag already.
3708 3708 * Inbound SAs, however, have no such protection.
3709 3709 */
3710 3710 assoc->ipsa_flags |= IPSA_F_USED;
3711 3711 assoc->ipsa_usetime = snapshot;
3712 3712
3713 3713 /*
3714 3714 * After setting the use time, see if we have a use lifetime
3715 3715 * that would cause the actual SA expiration time to shorten.
3716 3716 */
3717 3717 UPDATE_EXPIRE(assoc, softuselt, softexpiretime);
3718 3718 UPDATE_EXPIRE(assoc, harduselt, hardexpiretime);
3719 3719 }
3720 3720 mutex_exit(&assoc->ipsa_lock);
3721 3721 }
3722 3722
3723 3723 /*
3724 3724 * Send up a PF_KEY expire message for this association.
3725 3725 */
3726 3726 static void
3727 3727 sadb_expire_assoc(queue_t *pfkey_q, ipsa_t *assoc)
3728 3728 {
3729 3729 mblk_t *mp, *mp1;
3730 3730 int alloclen, af;
3731 3731 sadb_msg_t *samsg;
3732 3732 sadb_lifetime_t *current, *expire;
3733 3733 sadb_sa_t *saext;
3734 3734 uint8_t *end;
3735 3735 boolean_t tunnel_mode;
3736 3736
3737 3737 ASSERT(MUTEX_HELD(&assoc->ipsa_lock));
3738 3738
3739 3739 /* Don't bother sending if there's no queue. */
3740 3740 if (pfkey_q == NULL)
3741 3741 return;
3742 3742
3743 3743 mp = sadb_keysock_out(0);
3744 3744 if (mp == NULL) {
3745 3745 /* cmn_err(CE_WARN, */
3746 3746 /* "sadb_expire_assoc: Can't allocate KEYSOCK_OUT.\n"); */
3747 3747 return;
3748 3748 }
3749 3749
3750 3750 alloclen = sizeof (*samsg) + sizeof (*current) + sizeof (*expire) +
3751 3751 2 * sizeof (sadb_address_t) + sizeof (*saext);
3752 3752
3753 3753 af = assoc->ipsa_addrfam;
3754 3754 switch (af) {
3755 3755 case AF_INET:
3756 3756 alloclen += 2 * sizeof (struct sockaddr_in);
3757 3757 break;
3758 3758 case AF_INET6:
3759 3759 alloclen += 2 * sizeof (struct sockaddr_in6);
3760 3760 break;
3761 3761 default:
3762 3762 /* Won't happen unless there's a kernel bug. */
3763 3763 freeb(mp);
3764 3764 cmn_err(CE_WARN,
3765 3765 "sadb_expire_assoc: Unknown address length.\n");
3766 3766 return;
3767 3767 }
3768 3768
3769 3769 tunnel_mode = (assoc->ipsa_flags & IPSA_F_TUNNEL);
3770 3770 if (tunnel_mode) {
3771 3771 alloclen += 2 * sizeof (sadb_address_t);
3772 3772 switch (assoc->ipsa_innerfam) {
3773 3773 case AF_INET:
3774 3774 alloclen += 2 * sizeof (struct sockaddr_in);
3775 3775 break;
3776 3776 case AF_INET6:
3777 3777 alloclen += 2 * sizeof (struct sockaddr_in6);
3778 3778 break;
3779 3779 default:
3780 3780 /* Won't happen unless there's a kernel bug. */
3781 3781 freeb(mp);
3782 3782 cmn_err(CE_WARN, "sadb_expire_assoc: "
3783 3783 "Unknown inner address length.\n");
3784 3784 return;
3785 3785 }
3786 3786 }
3787 3787
3788 3788 mp->b_cont = allocb(alloclen, BPRI_HI);
3789 3789 if (mp->b_cont == NULL) {
3790 3790 freeb(mp);
3791 3791 /* cmn_err(CE_WARN, */
3792 3792 /* "sadb_expire_assoc: Can't allocate message.\n"); */
3793 3793 return;
3794 3794 }
3795 3795
3796 3796 mp1 = mp;
3797 3797 mp = mp->b_cont;
3798 3798 end = mp->b_wptr + alloclen;
3799 3799
3800 3800 samsg = (sadb_msg_t *)mp->b_wptr;
3801 3801 mp->b_wptr += sizeof (*samsg);
3802 3802 samsg->sadb_msg_version = PF_KEY_V2;
3803 3803 samsg->sadb_msg_type = SADB_EXPIRE;
3804 3804 samsg->sadb_msg_errno = 0;
3805 3805 samsg->sadb_msg_satype = assoc->ipsa_type;
3806 3806 samsg->sadb_msg_len = SADB_8TO64(alloclen);
3807 3807 samsg->sadb_msg_reserved = 0;
3808 3808 samsg->sadb_msg_seq = 0;
3809 3809 samsg->sadb_msg_pid = 0;
3810 3810
3811 3811 saext = (sadb_sa_t *)mp->b_wptr;
3812 3812 mp->b_wptr += sizeof (*saext);
3813 3813 saext->sadb_sa_len = SADB_8TO64(sizeof (*saext));
3814 3814 saext->sadb_sa_exttype = SADB_EXT_SA;
3815 3815 saext->sadb_sa_spi = assoc->ipsa_spi;
3816 3816 saext->sadb_sa_replay = assoc->ipsa_replay_wsize;
3817 3817 saext->sadb_sa_state = assoc->ipsa_state;
3818 3818 saext->sadb_sa_auth = assoc->ipsa_auth_alg;
3819 3819 saext->sadb_sa_encrypt = assoc->ipsa_encr_alg;
3820 3820 saext->sadb_sa_flags = assoc->ipsa_flags;
3821 3821
3822 3822 current = (sadb_lifetime_t *)mp->b_wptr;
3823 3823 mp->b_wptr += sizeof (sadb_lifetime_t);
3824 3824 current->sadb_lifetime_len = SADB_8TO64(sizeof (*current));
3825 3825 current->sadb_lifetime_exttype = SADB_EXT_LIFETIME_CURRENT;
3826 3826 /* We do not support the concept. */
3827 3827 current->sadb_lifetime_allocations = 0;
3828 3828 current->sadb_lifetime_bytes = assoc->ipsa_bytes;
3829 3829 current->sadb_lifetime_addtime = assoc->ipsa_addtime;
3830 3830 current->sadb_lifetime_usetime = assoc->ipsa_usetime;
3831 3831
3832 3832 expire = (sadb_lifetime_t *)mp->b_wptr;
3833 3833 mp->b_wptr += sizeof (*expire);
3834 3834 expire->sadb_lifetime_len = SADB_8TO64(sizeof (*expire));
3835 3835
3836 3836 if (assoc->ipsa_state == IPSA_STATE_DEAD) {
3837 3837 expire->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD;
3838 3838 expire->sadb_lifetime_allocations = assoc->ipsa_hardalloc;
3839 3839 expire->sadb_lifetime_bytes = assoc->ipsa_hardbyteslt;
3840 3840 expire->sadb_lifetime_addtime = assoc->ipsa_hardaddlt;
3841 3841 expire->sadb_lifetime_usetime = assoc->ipsa_harduselt;
3842 3842 } else if (assoc->ipsa_state == IPSA_STATE_DYING) {
3843 3843 expire->sadb_lifetime_exttype = SADB_EXT_LIFETIME_SOFT;
3844 3844 expire->sadb_lifetime_allocations = assoc->ipsa_softalloc;
3845 3845 expire->sadb_lifetime_bytes = assoc->ipsa_softbyteslt;
3846 3846 expire->sadb_lifetime_addtime = assoc->ipsa_softaddlt;
3847 3847 expire->sadb_lifetime_usetime = assoc->ipsa_softuselt;
3848 3848 } else {
3849 3849 ASSERT(assoc->ipsa_state == IPSA_STATE_MATURE);
3850 3850 expire->sadb_lifetime_exttype = SADB_X_EXT_LIFETIME_IDLE;
3851 3851 expire->sadb_lifetime_allocations = 0;
3852 3852 expire->sadb_lifetime_bytes = 0;
3853 3853 expire->sadb_lifetime_addtime = assoc->ipsa_idleaddlt;
3854 3854 expire->sadb_lifetime_usetime = assoc->ipsa_idleuselt;
3855 3855 }
3856 3856
3857 3857 mp->b_wptr = sadb_make_addr_ext(mp->b_wptr, end, SADB_EXT_ADDRESS_SRC,
3858 3858 af, assoc->ipsa_srcaddr, tunnel_mode ? 0 : SA_SRCPORT(assoc),
3859 3859 SA_PROTO(assoc), 0);
3860 3860 ASSERT(mp->b_wptr != NULL);
3861 3861
3862 3862 mp->b_wptr = sadb_make_addr_ext(mp->b_wptr, end, SADB_EXT_ADDRESS_DST,
3863 3863 af, assoc->ipsa_dstaddr, tunnel_mode ? 0 : SA_DSTPORT(assoc),
3864 3864 SA_PROTO(assoc), 0);
3865 3865 ASSERT(mp->b_wptr != NULL);
3866 3866
3867 3867 if (tunnel_mode) {
3868 3868 mp->b_wptr = sadb_make_addr_ext(mp->b_wptr, end,
3869 3869 SADB_X_EXT_ADDRESS_INNER_SRC, assoc->ipsa_innerfam,
3870 3870 assoc->ipsa_innersrc, SA_SRCPORT(assoc), SA_IPROTO(assoc),
3871 3871 assoc->ipsa_innersrcpfx);
3872 3872 ASSERT(mp->b_wptr != NULL);
3873 3873 mp->b_wptr = sadb_make_addr_ext(mp->b_wptr, end,
3874 3874 SADB_X_EXT_ADDRESS_INNER_DST, assoc->ipsa_innerfam,
3875 3875 assoc->ipsa_innerdst, SA_DSTPORT(assoc), SA_IPROTO(assoc),
3876 3876 assoc->ipsa_innerdstpfx);
3877 3877 ASSERT(mp->b_wptr != NULL);
3878 3878 }
3879 3879
3880 3880 /* Can just putnext, we're ready to go! */
3881 3881 putnext(pfkey_q, mp1);
3882 3882 }
3883 3883
3884 3884 /*
3885 3885 * "Age" the SA with the number of bytes that was used to protect traffic.
3886 3886 * Send an SADB_EXPIRE message if appropriate. Return B_TRUE if there was
3887 3887 * enough "charge" left in the SA to protect the data. Return B_FALSE
3888 3888 * otherwise. (If B_FALSE is returned, the association either was, or became
3889 3889 * DEAD.)
3890 3890 */
3891 3891 boolean_t
3892 3892 sadb_age_bytes(queue_t *pfkey_q, ipsa_t *assoc, uint64_t bytes,
3893 3893 boolean_t sendmsg)
3894 3894 {
3895 3895 boolean_t rc = B_TRUE;
3896 3896 uint64_t newtotal;
3897 3897
3898 3898 mutex_enter(&assoc->ipsa_lock);
3899 3899 newtotal = assoc->ipsa_bytes + bytes;
3900 3900 if (assoc->ipsa_hardbyteslt != 0 &&
3901 3901 newtotal >= assoc->ipsa_hardbyteslt) {
3902 3902 if (assoc->ipsa_state != IPSA_STATE_DEAD) {
3903 3903 sadb_delete_cluster(assoc);
3904 3904 /*
3905 3905 * Send EXPIRE message to PF_KEY. May wish to pawn
3906 3906 * this off on another non-interrupt thread. Also
3907 3907 * unlink this SA immediately.
3908 3908 */
3909 3909 assoc->ipsa_state = IPSA_STATE_DEAD;
3910 3910 if (sendmsg)
3911 3911 sadb_expire_assoc(pfkey_q, assoc);
3912 3912 /*
3913 3913 * Set non-zero expiration time so sadb_age_assoc()
3914 3914 * will work when reaping.
3915 3915 */
3916 3916 assoc->ipsa_hardexpiretime = (time_t)1;
3917 3917 } /* Else someone beat me to it! */
3918 3918 rc = B_FALSE;
3919 3919 } else if (assoc->ipsa_softbyteslt != 0 &&
3920 3920 (newtotal >= assoc->ipsa_softbyteslt)) {
3921 3921 if (assoc->ipsa_state < IPSA_STATE_DYING) {
3922 3922 /*
3923 3923 * Send EXPIRE message to PF_KEY. May wish to pawn
3924 3924 * this off on another non-interrupt thread.
3925 3925 */
3926 3926 assoc->ipsa_state = IPSA_STATE_DYING;
3927 3927 assoc->ipsa_bytes = newtotal;
3928 3928 if (sendmsg)
3929 3929 sadb_expire_assoc(pfkey_q, assoc);
3930 3930 } /* Else someone beat me to it! */
3931 3931 }
3932 3932 if (rc == B_TRUE)
3933 3933 assoc->ipsa_bytes = newtotal;
3934 3934 mutex_exit(&assoc->ipsa_lock);
3935 3935 return (rc);
3936 3936 }
3937 3937
3938 3938 /*
3939 3939 * "Torch" an individual SA. Returns NULL, so it can be tail-called from
3940 3940 * sadb_age_assoc().
3941 3941 */
3942 3942 static ipsa_t *
3943 3943 sadb_torch_assoc(isaf_t *head, ipsa_t *sa)
3944 3944 {
3945 3945 ASSERT(MUTEX_HELD(&head->isaf_lock));
3946 3946 ASSERT(MUTEX_HELD(&sa->ipsa_lock));
3947 3947 ASSERT(sa->ipsa_state == IPSA_STATE_DEAD);
3948 3948
3949 3949 /*
3950 3950 * Force cached SAs to be revalidated..
3951 3951 */
3952 3952 head->isaf_gen++;
3953 3953
3954 3954 mutex_exit(&sa->ipsa_lock);
3955 3955 sadb_unlinkassoc(sa);
3956 3956
3957 3957 return (NULL);
3958 3958 }
3959 3959
3960 3960 /*
3961 3961 * Do various SA-is-idle activities depending on delta (the number of idle
3962 3962 * seconds on the SA) and/or other properties of the SA.
3963 3963 *
3964 3964 * Return B_TRUE if I've sent a packet, because I have to drop the
3965 3965 * association's mutex before sending a packet out the wire.
3966 3966 */
3967 3967 /* ARGSUSED */
3968 3968 static boolean_t
3969 3969 sadb_idle_activities(ipsa_t *assoc, time_t delta, boolean_t inbound)
3970 3970 {
3971 3971 ipsecesp_stack_t *espstack = assoc->ipsa_netstack->netstack_ipsecesp;
3972 3972 int nat_t_interval = espstack->ipsecesp_nat_keepalive_interval;
3973 3973
3974 3974 ASSERT(MUTEX_HELD(&assoc->ipsa_lock));
3975 3975
3976 3976 if (!inbound && (assoc->ipsa_flags & IPSA_F_NATT_LOC) &&
3977 3977 delta >= nat_t_interval &&
3978 3978 gethrestime_sec() - assoc->ipsa_last_nat_t_ka >= nat_t_interval) {
3979 3979 ASSERT(assoc->ipsa_type == SADB_SATYPE_ESP);
3980 3980 assoc->ipsa_last_nat_t_ka = gethrestime_sec();
3981 3981 mutex_exit(&assoc->ipsa_lock);
3982 3982 ipsecesp_send_keepalive(assoc);
3983 3983 return (B_TRUE);
3984 3984 }
3985 3985 return (B_FALSE);
3986 3986 }
3987 3987
3988 3988 /*
3989 3989 * Return "assoc" if haspeer is true and I send an expire. This allows
3990 3990 * the consumers' aging functions to tidy up an expired SA's peer.
3991 3991 */
3992 3992 static ipsa_t *
3993 3993 sadb_age_assoc(isaf_t *head, queue_t *pfkey_q, ipsa_t *assoc,
3994 3994 time_t current, int reap_delay, boolean_t inbound)
3995 3995 {
3996 3996 ipsa_t *retval = NULL;
3997 3997 boolean_t dropped_mutex = B_FALSE;
3998 3998
3999 3999 ASSERT(MUTEX_HELD(&head->isaf_lock));
4000 4000
4001 4001 mutex_enter(&assoc->ipsa_lock);
4002 4002
4003 4003 if (((assoc->ipsa_state == IPSA_STATE_LARVAL) ||
4004 4004 ((assoc->ipsa_state == IPSA_STATE_IDLE) ||
4005 4005 (assoc->ipsa_state == IPSA_STATE_ACTIVE_ELSEWHERE) &&
4006 4006 (assoc->ipsa_hardexpiretime != 0))) &&
4007 4007 (assoc->ipsa_hardexpiretime <= current)) {
4008 4008 assoc->ipsa_state = IPSA_STATE_DEAD;
4009 4009 return (sadb_torch_assoc(head, assoc));
4010 4010 }
4011 4011
4012 4012 /*
4013 4013 * Check lifetimes. Fortunately, SA setup is done
4014 4014 * such that there are only two times to look at,
4015 4015 * softexpiretime, and hardexpiretime.
4016 4016 *
4017 4017 * Check hard first.
4018 4018 */
4019 4019
4020 4020 if (assoc->ipsa_hardexpiretime != 0 &&
4021 4021 assoc->ipsa_hardexpiretime <= current) {
4022 4022 if (assoc->ipsa_state == IPSA_STATE_DEAD)
4023 4023 return (sadb_torch_assoc(head, assoc));
4024 4024
4025 4025 if (inbound) {
4026 4026 sadb_delete_cluster(assoc);
4027 4027 }
4028 4028
4029 4029 /*
4030 4030 * Send SADB_EXPIRE with hard lifetime, delay for unlinking.
4031 4031 */
4032 4032 assoc->ipsa_state = IPSA_STATE_DEAD;
4033 4033 if (assoc->ipsa_haspeer || assoc->ipsa_otherspi != 0) {
4034 4034 /*
4035 4035 * If the SA is paired or peered with another, put
4036 4036 * a copy on a list which can be processed later, the
4037 4037 * pair/peer SA needs to be updated so the both die
4038 4038 * at the same time.
4039 4039 *
4040 4040 * If I return assoc, I have to bump up its reference
4041 4041 * count to keep with the ipsa_t reference count
4042 4042 * semantics.
4043 4043 */
4044 4044 IPSA_REFHOLD(assoc);
4045 4045 retval = assoc;
4046 4046 }
4047 4047 sadb_expire_assoc(pfkey_q, assoc);
4048 4048 assoc->ipsa_hardexpiretime = current + reap_delay;
4049 4049 } else if (assoc->ipsa_softexpiretime != 0 &&
4050 4050 assoc->ipsa_softexpiretime <= current &&
4051 4051 assoc->ipsa_state < IPSA_STATE_DYING) {
4052 4052 /*
4053 4053 * Send EXPIRE message to PF_KEY. May wish to pawn
4054 4054 * this off on another non-interrupt thread.
4055 4055 */
4056 4056 assoc->ipsa_state = IPSA_STATE_DYING;
4057 4057 if (assoc->ipsa_haspeer) {
4058 4058 /*
4059 4059 * If the SA has a peer, update the peer's state
4060 4060 * on SOFT_EXPIRE, this is mostly to prevent two
4061 4061 * expire messages from effectively the same SA.
4062 4062 *
4063 4063 * Don't care about paired SA's, then can (and should)
4064 4064 * be able to soft expire at different times.
4065 4065 *
4066 4066 * If I return assoc, I have to bump up its
4067 4067 * reference count to keep with the ipsa_t reference
4068 4068 * count semantics.
4069 4069 */
4070 4070 IPSA_REFHOLD(assoc);
4071 4071 retval = assoc;
4072 4072 }
4073 4073 sadb_expire_assoc(pfkey_q, assoc);
4074 4074 } else if (assoc->ipsa_idletime != 0 &&
4075 4075 assoc->ipsa_idleexpiretime <= current) {
4076 4076 if (assoc->ipsa_state == IPSA_STATE_ACTIVE_ELSEWHERE) {
4077 4077 assoc->ipsa_state = IPSA_STATE_IDLE;
4078 4078 }
4079 4079
4080 4080 /*
4081 4081 * Need to handle Mature case
4082 4082 */
4083 4083 if (assoc->ipsa_state == IPSA_STATE_MATURE) {
4084 4084 sadb_expire_assoc(pfkey_q, assoc);
4085 4085 }
4086 4086 } else {
4087 4087 /* Check idle time activities. */
4088 4088 dropped_mutex = sadb_idle_activities(assoc,
4089 4089 current - assoc->ipsa_lastuse, inbound);
4090 4090 }
4091 4091
4092 4092 if (!dropped_mutex)
4093 4093 mutex_exit(&assoc->ipsa_lock);
4094 4094 return (retval);
4095 4095 }
4096 4096
4097 4097 /*
4098 4098 * Called by a consumer protocol to do ther dirty work of reaping dead
4099 4099 * Security Associations.
4100 4100 *
4101 4101 * NOTE: sadb_age_assoc() marks expired SA's as DEAD but only removed
4102 4102 * SA's that are already marked DEAD, so expired SA's are only reaped
4103 4103 * the second time sadb_ager() runs.
4104 4104 */
4105 4105 void
4106 4106 sadb_ager(sadb_t *sp, queue_t *pfkey_q, int reap_delay, netstack_t *ns)
4107 4107 {
4108 4108 int i;
4109 4109 isaf_t *bucket;
4110 4110 ipsa_t *assoc, *spare;
4111 4111 iacqf_t *acqlist;
4112 4112 ipsacq_t *acqrec, *spareacq;
4113 4113 templist_t *haspeerlist, *newbie;
4114 4114 /* Snapshot current time now. */
4115 4115 time_t current = gethrestime_sec();
4116 4116 haspeerlist = NULL;
4117 4117
4118 4118 /*
4119 4119 * Do my dirty work. This includes aging real entries, aging
4120 4120 * larvals, and aging outstanding ACQUIREs.
4121 4121 *
4122 4122 * I hope I don't tie up resources for too long.
4123 4123 */
4124 4124
4125 4125 /* Age acquires. */
4126 4126
4127 4127 for (i = 0; i < sp->sdb_hashsize; i++) {
4128 4128 acqlist = &sp->sdb_acq[i];
4129 4129 mutex_enter(&acqlist->iacqf_lock);
4130 4130 for (acqrec = acqlist->iacqf_ipsacq; acqrec != NULL;
4131 4131 acqrec = spareacq) {
4132 4132 spareacq = acqrec->ipsacq_next;
4133 4133 if (current > acqrec->ipsacq_expire)
4134 4134 sadb_destroy_acquire(acqrec, ns);
4135 4135 }
4136 4136 mutex_exit(&acqlist->iacqf_lock);
4137 4137 }
4138 4138
4139 4139 /* Age inbound associations. */
4140 4140 for (i = 0; i < sp->sdb_hashsize; i++) {
4141 4141 bucket = &(sp->sdb_if[i]);
4142 4142 mutex_enter(&bucket->isaf_lock);
4143 4143 for (assoc = bucket->isaf_ipsa; assoc != NULL;
4144 4144 assoc = spare) {
4145 4145 spare = assoc->ipsa_next;
4146 4146 if (sadb_age_assoc(bucket, pfkey_q, assoc, current,
4147 4147 reap_delay, B_TRUE) != NULL) {
4148 4148 /*
4149 4149 * Put SA's which have a peer or SA's which
4150 4150 * are paired on a list for processing after
4151 4151 * all the hash tables have been walked.
4152 4152 *
4153 4153 * sadb_age_assoc() increments the refcnt,
4154 4154 * effectively doing an IPSA_REFHOLD().
4155 4155 */
4156 4156 newbie = kmem_alloc(sizeof (*newbie),
4157 4157 KM_NOSLEEP);
4158 4158 if (newbie == NULL) {
4159 4159 /*
4160 4160 * Don't forget to REFRELE().
4161 4161 */
4162 4162 IPSA_REFRELE(assoc);
4163 4163 continue; /* for loop... */
4164 4164 }
4165 4165 newbie->next = haspeerlist;
4166 4166 newbie->ipsa = assoc;
4167 4167 haspeerlist = newbie;
4168 4168 }
4169 4169 }
4170 4170 mutex_exit(&bucket->isaf_lock);
4171 4171 }
4172 4172
4173 4173 age_pair_peer_list(haspeerlist, sp, B_FALSE);
4174 4174 haspeerlist = NULL;
4175 4175
4176 4176 /* Age outbound associations. */
4177 4177 for (i = 0; i < sp->sdb_hashsize; i++) {
4178 4178 bucket = &(sp->sdb_of[i]);
4179 4179 mutex_enter(&bucket->isaf_lock);
4180 4180 for (assoc = bucket->isaf_ipsa; assoc != NULL;
4181 4181 assoc = spare) {
4182 4182 spare = assoc->ipsa_next;
4183 4183 if (sadb_age_assoc(bucket, pfkey_q, assoc, current,
4184 4184 reap_delay, B_FALSE) != NULL) {
4185 4185 /*
4186 4186 * sadb_age_assoc() increments the refcnt,
4187 4187 * effectively doing an IPSA_REFHOLD().
4188 4188 */
4189 4189 newbie = kmem_alloc(sizeof (*newbie),
4190 4190 KM_NOSLEEP);
4191 4191 if (newbie == NULL) {
4192 4192 /*
4193 4193 * Don't forget to REFRELE().
4194 4194 */
4195 4195 IPSA_REFRELE(assoc);
4196 4196 continue; /* for loop... */
4197 4197 }
4198 4198 newbie->next = haspeerlist;
4199 4199 newbie->ipsa = assoc;
4200 4200 haspeerlist = newbie;
4201 4201 }
4202 4202 }
4203 4203 mutex_exit(&bucket->isaf_lock);
4204 4204 }
4205 4205
4206 4206 age_pair_peer_list(haspeerlist, sp, B_TRUE);
4207 4207
4208 4208 /*
4209 4209 * Run a GC pass to clean out dead identities.
4210 4210 */
4211 4211 ipsid_gc(ns);
4212 4212 }
4213 4213
4214 4214 /*
4215 4215 * Figure out when to reschedule the ager.
4216 4216 */
4217 4217 timeout_id_t
4218 4218 sadb_retimeout(hrtime_t begin, queue_t *pfkey_q, void (*ager)(void *),
4219 4219 void *agerarg, uint_t *intp, uint_t intmax, short mid)
4220 4220 {
4221 4221 hrtime_t end = gethrtime();
4222 4222 uint_t interval = *intp; /* "interval" is in ms. */
4223 4223
4224 4224 /*
4225 4225 * See how long this took. If it took too long, increase the
4226 4226 * aging interval.
4227 4227 */
4228 4228 if ((end - begin) > MSEC2NSEC(interval)) {
4229 4229 if (interval >= intmax) {
4230 4230 /* XXX Rate limit this? Or recommend flush? */
4231 4231 (void) strlog(mid, 0, 0, SL_ERROR | SL_WARN,
4232 4232 "Too many SA's to age out in %d msec.\n",
4233 4233 intmax);
4234 4234 } else {
4235 4235 /* Double by shifting by one bit. */
4236 4236 interval <<= 1;
4237 4237 interval = min(interval, intmax);
4238 4238 }
4239 4239 } else if ((end - begin) <= (MSEC2NSEC(interval) / 2) &&
4240 4240 interval > SADB_AGE_INTERVAL_DEFAULT) {
4241 4241 /*
4242 4242 * If I took less than half of the interval, then I should
4243 4243 * ratchet the interval back down. Never automatically
4244 4244 * shift below the default aging interval.
4245 4245 *
4246 4246 * NOTE:This even overrides manual setting of the age
4247 4247 * interval using NDD to lower the setting past the
4248 4248 * default. In other words, if you set the interval
4249 4249 * lower than the default, and your SADB gets too big,
4250 4250 * the interval will only self-lower back to the default.
4251 4251 */
4252 4252 /* Halve by shifting one bit. */
4253 4253 interval >>= 1;
4254 4254 interval = max(interval, SADB_AGE_INTERVAL_DEFAULT);
4255 4255 }
4256 4256 *intp = interval;
4257 4257 return (qtimeout(pfkey_q, ager, agerarg,
4258 4258 drv_usectohz(interval * (MICROSEC / MILLISEC))));
4259 4259 }
4260 4260
4261 4261
4262 4262 /*
4263 4263 * Update the lifetime values of an SA. This is the path an SADB_UPDATE
4264 4264 * message takes when updating a MATURE or DYING SA.
4265 4265 */
4266 4266 static void
4267 4267 sadb_update_lifetimes(ipsa_t *assoc, sadb_lifetime_t *hard,
4268 4268 sadb_lifetime_t *soft, sadb_lifetime_t *idle, boolean_t outbound)
4269 4269 {
4270 4270 mutex_enter(&assoc->ipsa_lock);
4271 4271
4272 4272 /*
4273 4273 * XXX RFC 2367 mentions how an SADB_EXT_LIFETIME_CURRENT can be
4274 4274 * passed in during an update message. We currently don't handle
4275 4275 * these.
4276 4276 */
4277 4277
4278 4278 if (hard != NULL) {
4279 4279 if (hard->sadb_lifetime_bytes != 0)
4280 4280 assoc->ipsa_hardbyteslt = hard->sadb_lifetime_bytes;
4281 4281 if (hard->sadb_lifetime_usetime != 0)
4282 4282 assoc->ipsa_harduselt = hard->sadb_lifetime_usetime;
4283 4283 if (hard->sadb_lifetime_addtime != 0)
4284 4284 assoc->ipsa_hardaddlt = hard->sadb_lifetime_addtime;
4285 4285 if (assoc->ipsa_hardaddlt != 0) {
4286 4286 assoc->ipsa_hardexpiretime =
4287 4287 assoc->ipsa_addtime + assoc->ipsa_hardaddlt;
4288 4288 }
4289 4289 if (assoc->ipsa_harduselt != 0 &&
4290 4290 assoc->ipsa_flags & IPSA_F_USED) {
4291 4291 UPDATE_EXPIRE(assoc, harduselt, hardexpiretime);
4292 4292 }
4293 4293 if (hard->sadb_lifetime_allocations != 0)
4294 4294 assoc->ipsa_hardalloc = hard->sadb_lifetime_allocations;
4295 4295 }
4296 4296
4297 4297 if (soft != NULL) {
4298 4298 if (soft->sadb_lifetime_bytes != 0) {
4299 4299 if (soft->sadb_lifetime_bytes >
4300 4300 assoc->ipsa_hardbyteslt) {
4301 4301 assoc->ipsa_softbyteslt =
4302 4302 assoc->ipsa_hardbyteslt;
4303 4303 } else {
4304 4304 assoc->ipsa_softbyteslt =
4305 4305 soft->sadb_lifetime_bytes;
4306 4306 }
4307 4307 }
4308 4308 if (soft->sadb_lifetime_usetime != 0) {
4309 4309 if (soft->sadb_lifetime_usetime >
4310 4310 assoc->ipsa_harduselt) {
4311 4311 assoc->ipsa_softuselt =
4312 4312 assoc->ipsa_harduselt;
4313 4313 } else {
4314 4314 assoc->ipsa_softuselt =
4315 4315 soft->sadb_lifetime_usetime;
4316 4316 }
4317 4317 }
4318 4318 if (soft->sadb_lifetime_addtime != 0) {
4319 4319 if (soft->sadb_lifetime_addtime >
4320 4320 assoc->ipsa_hardexpiretime) {
4321 4321 assoc->ipsa_softexpiretime =
4322 4322 assoc->ipsa_hardexpiretime;
4323 4323 } else {
4324 4324 assoc->ipsa_softaddlt =
4325 4325 soft->sadb_lifetime_addtime;
4326 4326 }
4327 4327 }
4328 4328 if (assoc->ipsa_softaddlt != 0) {
4329 4329 assoc->ipsa_softexpiretime =
4330 4330 assoc->ipsa_addtime + assoc->ipsa_softaddlt;
4331 4331 }
4332 4332 if (assoc->ipsa_softuselt != 0 &&
4333 4333 assoc->ipsa_flags & IPSA_F_USED) {
4334 4334 UPDATE_EXPIRE(assoc, softuselt, softexpiretime);
4335 4335 }
4336 4336 if (outbound && assoc->ipsa_softexpiretime != 0) {
4337 4337 if (assoc->ipsa_state == IPSA_STATE_MATURE)
4338 4338 lifetime_fuzz(assoc);
4339 4339 }
4340 4340
4341 4341 if (soft->sadb_lifetime_allocations != 0)
4342 4342 assoc->ipsa_softalloc = soft->sadb_lifetime_allocations;
4343 4343 }
4344 4344
4345 4345 if (idle != NULL) {
4346 4346 time_t current = gethrestime_sec();
4347 4347 if ((assoc->ipsa_idleexpiretime <= current) &&
4348 4348 (assoc->ipsa_idleaddlt == idle->sadb_lifetime_addtime)) {
4349 4349 assoc->ipsa_idleexpiretime =
4350 4350 current + assoc->ipsa_idleaddlt;
4351 4351 }
4352 4352 if (idle->sadb_lifetime_addtime != 0)
4353 4353 assoc->ipsa_idleaddlt = idle->sadb_lifetime_addtime;
4354 4354 if (idle->sadb_lifetime_usetime != 0)
4355 4355 assoc->ipsa_idleuselt = idle->sadb_lifetime_usetime;
4356 4356 if (assoc->ipsa_idleaddlt != 0) {
4357 4357 assoc->ipsa_idleexpiretime =
4358 4358 current + idle->sadb_lifetime_addtime;
4359 4359 assoc->ipsa_idletime = idle->sadb_lifetime_addtime;
4360 4360 }
4361 4361 if (assoc->ipsa_idleuselt != 0) {
4362 4362 if (assoc->ipsa_idletime != 0) {
4363 4363 assoc->ipsa_idletime = min(assoc->ipsa_idletime,
4364 4364 assoc->ipsa_idleuselt);
4365 4365 assoc->ipsa_idleexpiretime =
4366 4366 current + assoc->ipsa_idletime;
4367 4367 } else {
4368 4368 assoc->ipsa_idleexpiretime =
4369 4369 current + assoc->ipsa_idleuselt;
4370 4370 assoc->ipsa_idletime = assoc->ipsa_idleuselt;
4371 4371 }
4372 4372 }
4373 4373 }
4374 4374 mutex_exit(&assoc->ipsa_lock);
4375 4375 }
4376 4376
4377 4377 static int
4378 4378 sadb_update_state(ipsa_t *assoc, uint_t new_state, mblk_t **ipkt_lst)
4379 4379 {
4380 4380 int rcode = 0;
4381 4381 time_t current = gethrestime_sec();
4382 4382
4383 4383 mutex_enter(&assoc->ipsa_lock);
4384 4384
4385 4385 switch (new_state) {
4386 4386 case SADB_X_SASTATE_ACTIVE_ELSEWHERE:
4387 4387 if (assoc->ipsa_state == SADB_X_SASTATE_IDLE) {
4388 4388 assoc->ipsa_state = IPSA_STATE_ACTIVE_ELSEWHERE;
4389 4389 assoc->ipsa_idleexpiretime =
4390 4390 current + assoc->ipsa_idletime;
4391 4391 }
4392 4392 break;
4393 4393 case SADB_X_SASTATE_IDLE:
4394 4394 if (assoc->ipsa_state == SADB_X_SASTATE_ACTIVE_ELSEWHERE) {
4395 4395 assoc->ipsa_state = IPSA_STATE_IDLE;
4396 4396 assoc->ipsa_idleexpiretime =
4397 4397 current + assoc->ipsa_idletime;
4398 4398 } else {
4399 4399 rcode = EINVAL;
4400 4400 }
4401 4401 break;
4402 4402
4403 4403 case SADB_X_SASTATE_ACTIVE:
4404 4404 if (assoc->ipsa_state != SADB_X_SASTATE_IDLE) {
4405 4405 rcode = EINVAL;
4406 4406 break;
4407 4407 }
4408 4408 assoc->ipsa_state = IPSA_STATE_MATURE;
4409 4409 assoc->ipsa_idleexpiretime = current + assoc->ipsa_idletime;
4410 4410
4411 4411 if (ipkt_lst == NULL) {
4412 4412 break;
4413 4413 }
4414 4414
4415 4415 if (assoc->ipsa_bpkt_head != NULL) {
4416 4416 *ipkt_lst = assoc->ipsa_bpkt_head;
4417 4417 assoc->ipsa_bpkt_head = assoc->ipsa_bpkt_tail = NULL;
4418 4418 assoc->ipsa_mblkcnt = 0;
4419 4419 } else {
4420 4420 *ipkt_lst = NULL;
4421 4421 }
4422 4422 break;
4423 4423 default:
4424 4424 rcode = EINVAL;
4425 4425 break;
4426 4426 }
4427 4427
4428 4428 mutex_exit(&assoc->ipsa_lock);
4429 4429 return (rcode);
4430 4430 }
4431 4431
4432 4432 /*
4433 4433 * Check a proposed KMC update for sanity.
4434 4434 */
4435 4435 static int
4436 4436 sadb_check_kmc(ipsa_query_t *sq, ipsa_t *sa, int *diagnostic)
4437 4437 {
4438 4438 uint32_t kmp = sq->kmp;
4439 4439 uint32_t kmc = sq->kmc;
4440 4440
4441 4441 if (sa == NULL)
4442 4442 return (0);
4443 4443
4444 4444 if (sa->ipsa_state == IPSA_STATE_DEAD)
4445 4445 return (ESRCH); /* DEAD == Not there, in this case. */
4446 4446
4447 4447 if ((kmp != 0) && ((sa->ipsa_kmp != 0) || (sa->ipsa_kmp != kmp))) {
4448 4448 *diagnostic = SADB_X_DIAGNOSTIC_DUPLICATE_KMP;
4449 4449 return (EINVAL);
4450 4450 }
4451 4451
4452 4452 if ((kmc != 0) && ((sa->ipsa_kmc != 0) || (sa->ipsa_kmc != kmc))) {
4453 4453 *diagnostic = SADB_X_DIAGNOSTIC_DUPLICATE_KMC;
4454 4454 return (EINVAL);
4455 4455 }
4456 4456
4457 4457 return (0);
4458 4458 }
4459 4459
4460 4460 /*
4461 4461 * Actually update the KMC info.
4462 4462 */
4463 4463 static void
4464 4464 sadb_update_kmc(ipsa_query_t *sq, ipsa_t *sa)
4465 4465 {
4466 4466 uint32_t kmp = sq->kmp;
4467 4467 uint32_t kmc = sq->kmc;
4468 4468
4469 4469 if (kmp != 0)
4470 4470 sa->ipsa_kmp = kmp;
4471 4471 if (kmc != 0)
4472 4472 sa->ipsa_kmc = kmc;
4473 4473 }
4474 4474
4475 4475 /*
4476 4476 * Common code to update an SA.
4477 4477 */
4478 4478
4479 4479 int
4480 4480 sadb_update_sa(mblk_t *mp, keysock_in_t *ksi, mblk_t **ipkt_lst,
4481 4481 sadbp_t *spp, int *diagnostic, queue_t *pfkey_q,
4482 4482 int (*add_sa_func)(mblk_t *, keysock_in_t *, int *, netstack_t *),
4483 4483 netstack_t *ns, uint8_t sadb_msg_type)
4484 4484 {
4485 4485 sadb_key_t *akey = (sadb_key_t *)ksi->ks_in_extv[SADB_EXT_KEY_AUTH];
4486 4486 sadb_key_t *ekey = (sadb_key_t *)ksi->ks_in_extv[SADB_EXT_KEY_ENCRYPT];
4487 4487 sadb_x_replay_ctr_t *replext =
4488 4488 (sadb_x_replay_ctr_t *)ksi->ks_in_extv[SADB_X_EXT_REPLAY_VALUE];
4489 4489 sadb_lifetime_t *soft =
4490 4490 (sadb_lifetime_t *)ksi->ks_in_extv[SADB_EXT_LIFETIME_SOFT];
4491 4491 sadb_lifetime_t *hard =
4492 4492 (sadb_lifetime_t *)ksi->ks_in_extv[SADB_EXT_LIFETIME_HARD];
4493 4493 sadb_lifetime_t *idle =
4494 4494 (sadb_lifetime_t *)ksi->ks_in_extv[SADB_X_EXT_LIFETIME_IDLE];
4495 4495 sadb_x_pair_t *pair_ext =
4496 4496 (sadb_x_pair_t *)ksi->ks_in_extv[SADB_X_EXT_PAIR];
4497 4497 ipsa_t *echo_target = NULL;
4498 4498 ipsap_t ipsapp;
4499 4499 ipsa_query_t sq;
4500 4500 time_t current = gethrestime_sec();
4501 4501
4502 4502 sq.spp = spp; /* XXX param */
4503 4503 int error = sadb_form_query(ksi, IPSA_Q_SRC|IPSA_Q_DST|IPSA_Q_SA,
4504 4504 IPSA_Q_SRC|IPSA_Q_DST|IPSA_Q_SA|IPSA_Q_INBOUND|IPSA_Q_OUTBOUND,
4505 4505 &sq, diagnostic);
4506 4506
4507 4507 if (error != 0)
4508 4508 return (error);
4509 4509
4510 4510 error = get_ipsa_pair(&sq, &ipsapp, diagnostic);
4511 4511 if (error != 0)
4512 4512 return (error);
4513 4513
4514 4514 if (ipsapp.ipsap_psa_ptr == NULL && ipsapp.ipsap_sa_ptr != NULL) {
4515 4515 if (ipsapp.ipsap_sa_ptr->ipsa_state == IPSA_STATE_LARVAL) {
4516 4516 /*
4517 4517 * REFRELE the target and let the add_sa_func()
4518 4518 * deal with updating a larval SA.
4519 4519 */
4520 4520 destroy_ipsa_pair(&ipsapp);
4521 4521 return (add_sa_func(mp, ksi, diagnostic, ns));
4522 4522 }
4523 4523 }
4524 4524
4525 4525 /*
4526 4526 * At this point we have an UPDATE to a MATURE SA. There should
4527 4527 * not be any keying material present.
4528 4528 */
4529 4529 if (akey != NULL) {
4530 4530 *diagnostic = SADB_X_DIAGNOSTIC_AKEY_PRESENT;
4531 4531 error = EINVAL;
4532 4532 goto bail;
4533 4533 }
4534 4534 if (ekey != NULL) {
4535 4535 *diagnostic = SADB_X_DIAGNOSTIC_EKEY_PRESENT;
4536 4536 error = EINVAL;
4537 4537 goto bail;
4538 4538 }
4539 4539
4540 4540 if (sq.assoc->sadb_sa_state == SADB_X_SASTATE_ACTIVE_ELSEWHERE) {
4541 4541 if (ipsapp.ipsap_sa_ptr != NULL &&
4542 4542 ipsapp.ipsap_sa_ptr->ipsa_state == IPSA_STATE_IDLE) {
4543 4543 if ((error = sadb_update_state(ipsapp.ipsap_sa_ptr,
4544 4544 sq.assoc->sadb_sa_state, NULL)) != 0) {
4545 4545 *diagnostic = SADB_X_DIAGNOSTIC_BAD_SASTATE;
4546 4546 goto bail;
4547 4547 }
4548 4548 }
4549 4549 if (ipsapp.ipsap_psa_ptr != NULL &&
4550 4550 ipsapp.ipsap_psa_ptr->ipsa_state == IPSA_STATE_IDLE) {
4551 4551 if ((error = sadb_update_state(ipsapp.ipsap_psa_ptr,
4552 4552 sq.assoc->sadb_sa_state, NULL)) != 0) {
4553 4553 *diagnostic = SADB_X_DIAGNOSTIC_BAD_SASTATE;
4554 4554 goto bail;
4555 4555 }
4556 4556 }
4557 4557 }
4558 4558 if (sq.assoc->sadb_sa_state == SADB_X_SASTATE_ACTIVE) {
4559 4559 if (ipsapp.ipsap_sa_ptr != NULL) {
4560 4560 error = sadb_update_state(ipsapp.ipsap_sa_ptr,
4561 4561 sq.assoc->sadb_sa_state,
4562 4562 (ipsapp.ipsap_sa_ptr->ipsa_flags &
4563 4563 IPSA_F_INBOUND) ? ipkt_lst : NULL);
4564 4564 if (error) {
4565 4565 *diagnostic = SADB_X_DIAGNOSTIC_BAD_SASTATE;
4566 4566 goto bail;
4567 4567 }
4568 4568 }
4569 4569 if (ipsapp.ipsap_psa_ptr != NULL) {
4570 4570 error = sadb_update_state(ipsapp.ipsap_psa_ptr,
4571 4571 sq.assoc->sadb_sa_state,
4572 4572 (ipsapp.ipsap_psa_ptr->ipsa_flags &
4573 4573 IPSA_F_INBOUND) ? ipkt_lst : NULL);
4574 4574 if (error) {
4575 4575 *diagnostic = SADB_X_DIAGNOSTIC_BAD_SASTATE;
4576 4576 goto bail;
4577 4577 }
4578 4578 }
4579 4579 sadb_pfkey_echo(pfkey_q, mp, (sadb_msg_t *)mp->b_cont->b_rptr,
4580 4580 ksi, echo_target);
4581 4581 goto bail;
4582 4582 }
4583 4583
4584 4584 /*
4585 4585 * Reality checks for updates of active associations.
4586 4586 * Sundry first-pass UPDATE-specific reality checks.
4587 4587 * Have to do the checks here, because it's after the add_sa code.
4588 4588 * XXX STATS : logging/stats here?
4589 4589 */
4590 4590
4591 4591 if (!((sq.assoc->sadb_sa_state == SADB_SASTATE_MATURE) ||
4592 4592 (sq.assoc->sadb_sa_state == SADB_X_SASTATE_ACTIVE_ELSEWHERE))) {
4593 4593 *diagnostic = SADB_X_DIAGNOSTIC_BAD_SASTATE;
4594 4594 error = EINVAL;
4595 4595 goto bail;
4596 4596 }
4597 4597 if (sq.assoc->sadb_sa_flags & ~spp->s_updateflags) {
4598 4598 *diagnostic = SADB_X_DIAGNOSTIC_BAD_SAFLAGS;
4599 4599 error = EINVAL;
4600 4600 goto bail;
4601 4601 }
4602 4602 if (ksi->ks_in_extv[SADB_EXT_LIFETIME_CURRENT] != NULL) {
4603 4603 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_LIFETIME;
4604 4604 error = EOPNOTSUPP;
4605 4605 goto bail;
4606 4606 }
4607 4607
4608 4608 if ((*diagnostic = sadb_hardsoftchk(hard, soft, idle)) != 0) {
4609 4609 error = EINVAL;
4610 4610 goto bail;
4611 4611 }
4612 4612
4613 4613 if ((*diagnostic = sadb_labelchk(ksi)) != 0)
4614 4614 return (EINVAL);
4615 4615
4616 4616 error = sadb_check_kmc(&sq, ipsapp.ipsap_sa_ptr, diagnostic);
4617 4617 if (error != 0)
4618 4618 goto bail;
4619 4619
4620 4620 error = sadb_check_kmc(&sq, ipsapp.ipsap_psa_ptr, diagnostic);
4621 4621 if (error != 0)
4622 4622 goto bail;
4623 4623
4624 4624
4625 4625 if (ipsapp.ipsap_sa_ptr != NULL) {
4626 4626 /*
4627 4627 * Do not allow replay value change for MATURE or LARVAL SA.
4628 4628 */
4629 4629
4630 4630 if ((replext != NULL) &&
4631 4631 ((ipsapp.ipsap_sa_ptr->ipsa_state == IPSA_STATE_LARVAL) ||
4632 4632 (ipsapp.ipsap_sa_ptr->ipsa_state == IPSA_STATE_MATURE))) {
4633 4633 *diagnostic = SADB_X_DIAGNOSTIC_BAD_SASTATE;
4634 4634 error = EINVAL;
4635 4635 goto bail;
4636 4636 }
4637 4637 }
4638 4638
4639 4639
4640 4640 if (ipsapp.ipsap_sa_ptr != NULL) {
4641 4641 sadb_update_lifetimes(ipsapp.ipsap_sa_ptr, hard, soft,
4642 4642 idle, B_TRUE);
4643 4643 sadb_update_kmc(&sq, ipsapp.ipsap_sa_ptr);
4644 4644 if ((replext != NULL) &&
4645 4645 (ipsapp.ipsap_sa_ptr->ipsa_replay_wsize != 0)) {
4646 4646 /*
4647 4647 * If an inbound SA, update the replay counter
4648 4648 * and check off all the other sequence number
4649 4649 */
4650 4650 if (ksi->ks_in_dsttype == KS_IN_ADDR_ME) {
4651 4651 if (!sadb_replay_check(ipsapp.ipsap_sa_ptr,
4652 4652 replext->sadb_x_rc_replay32)) {
4653 4653 *diagnostic =
4654 4654 SADB_X_DIAGNOSTIC_INVALID_REPLAY;
4655 4655 error = EINVAL;
4656 4656 goto bail;
4657 4657 }
4658 4658 mutex_enter(&ipsapp.ipsap_sa_ptr->ipsa_lock);
4659 4659 ipsapp.ipsap_sa_ptr->ipsa_idleexpiretime =
4660 4660 current +
4661 4661 ipsapp.ipsap_sa_ptr->ipsa_idletime;
4662 4662 mutex_exit(&ipsapp.ipsap_sa_ptr->ipsa_lock);
4663 4663 } else {
4664 4664 mutex_enter(&ipsapp.ipsap_sa_ptr->ipsa_lock);
4665 4665 ipsapp.ipsap_sa_ptr->ipsa_replay =
4666 4666 replext->sadb_x_rc_replay32;
4667 4667 ipsapp.ipsap_sa_ptr->ipsa_idleexpiretime =
4668 4668 current +
4669 4669 ipsapp.ipsap_sa_ptr->ipsa_idletime;
4670 4670 mutex_exit(&ipsapp.ipsap_sa_ptr->ipsa_lock);
4671 4671 }
4672 4672 }
4673 4673 }
4674 4674
4675 4675 if (sadb_msg_type == SADB_X_UPDATEPAIR) {
4676 4676 if (ipsapp.ipsap_psa_ptr != NULL) {
4677 4677 sadb_update_lifetimes(ipsapp.ipsap_psa_ptr, hard, soft,
4678 4678 idle, B_FALSE);
4679 4679 sadb_update_kmc(&sq, ipsapp.ipsap_psa_ptr);
4680 4680 } else {
4681 4681 *diagnostic = SADB_X_DIAGNOSTIC_PAIR_SA_NOTFOUND;
4682 4682 error = ESRCH;
4683 4683 goto bail;
4684 4684 }
4685 4685 }
4686 4686
4687 4687 if (pair_ext != NULL)
4688 4688 error = update_pairing(&ipsapp, &sq, ksi, diagnostic);
4689 4689
4690 4690 if (error == 0)
4691 4691 sadb_pfkey_echo(pfkey_q, mp, (sadb_msg_t *)mp->b_cont->b_rptr,
4692 4692 ksi, echo_target);
4693 4693 bail:
4694 4694
4695 4695 destroy_ipsa_pair(&ipsapp);
4696 4696
4697 4697 return (error);
4698 4698 }
4699 4699
4700 4700
4701 4701 static int
4702 4702 update_pairing(ipsap_t *ipsapp, ipsa_query_t *sq, keysock_in_t *ksi,
4703 4703 int *diagnostic)
4704 4704 {
4705 4705 sadb_sa_t *assoc = (sadb_sa_t *)ksi->ks_in_extv[SADB_EXT_SA];
4706 4706 sadb_x_pair_t *pair_ext =
4707 4707 (sadb_x_pair_t *)ksi->ks_in_extv[SADB_X_EXT_PAIR];
4708 4708 int error = 0;
4709 4709 ipsap_t oipsapp;
4710 4710 boolean_t undo_pair = B_FALSE;
4711 4711 uint32_t ipsa_flags;
4712 4712
4713 4713 if (pair_ext->sadb_x_pair_spi == 0 || pair_ext->sadb_x_pair_spi ==
4714 4714 assoc->sadb_sa_spi) {
4715 4715 *diagnostic = SADB_X_DIAGNOSTIC_PAIR_INAPPROPRIATE;
4716 4716 return (EINVAL);
4717 4717 }
4718 4718
4719 4719 /*
4720 4720 * Assume for now that the spi value provided in the SADB_UPDATE
4721 4721 * message was valid, update the SA with its pair spi value.
4722 4722 * If the spi turns out to be bogus or the SA no longer exists
4723 4723 * then this will be detected when the reverse update is made
4724 4724 * below.
4725 4725 */
4726 4726 mutex_enter(&ipsapp->ipsap_sa_ptr->ipsa_lock);
4727 4727 ipsapp->ipsap_sa_ptr->ipsa_flags |= IPSA_F_PAIRED;
4728 4728 ipsapp->ipsap_sa_ptr->ipsa_otherspi = pair_ext->sadb_x_pair_spi;
4729 4729 mutex_exit(&ipsapp->ipsap_sa_ptr->ipsa_lock);
4730 4730
4731 4731 /*
4732 4732 * After updating the ipsa_otherspi element of the SA, get_ipsa_pair()
4733 4733 * should now return pointers to the SA *AND* its pair, if this is not
4734 4734 * the case, the "otherspi" either did not exist or was deleted. Also
4735 4735 * check that "otherspi" is not already paired. If everything looks
4736 4736 * good, complete the update. IPSA_REFRELE the first pair_pointer
4737 4737 * after this update to ensure its not deleted until we are done.
4738 4738 */
4739 4739 error = get_ipsa_pair(sq, &oipsapp, diagnostic);
4740 4740 if (error != 0) {
4741 4741 /*
4742 4742 * This should never happen, calling function still has
4743 4743 * IPSA_REFHELD on the SA we just updated.
4744 4744 */
4745 4745 return (error); /* XXX EINVAL instead of ESRCH? */
4746 4746 }
4747 4747
4748 4748 if (oipsapp.ipsap_psa_ptr == NULL) {
4749 4749 *diagnostic = SADB_X_DIAGNOSTIC_PAIR_INAPPROPRIATE;
4750 4750 error = EINVAL;
4751 4751 undo_pair = B_TRUE;
4752 4752 } else {
4753 4753 ipsa_flags = oipsapp.ipsap_psa_ptr->ipsa_flags;
4754 4754 if ((oipsapp.ipsap_psa_ptr->ipsa_state == IPSA_STATE_DEAD) ||
4755 4755 (oipsapp.ipsap_psa_ptr->ipsa_state == IPSA_STATE_DYING)) {
4756 4756 /* Its dead Jim! */
4757 4757 *diagnostic = SADB_X_DIAGNOSTIC_PAIR_INAPPROPRIATE;
4758 4758 undo_pair = B_TRUE;
4759 4759 } else if ((ipsa_flags & (IPSA_F_OUTBOUND | IPSA_F_INBOUND)) ==
4760 4760 (IPSA_F_OUTBOUND | IPSA_F_INBOUND)) {
4761 4761 /* This SA is in both hashtables. */
4762 4762 *diagnostic = SADB_X_DIAGNOSTIC_PAIR_INAPPROPRIATE;
4763 4763 undo_pair = B_TRUE;
4764 4764 } else if (ipsa_flags & IPSA_F_PAIRED) {
4765 4765 /* This SA is already paired with another. */
4766 4766 *diagnostic = SADB_X_DIAGNOSTIC_PAIR_ALREADY;
4767 4767 undo_pair = B_TRUE;
4768 4768 }
4769 4769 }
4770 4770
4771 4771 if (undo_pair) {
4772 4772 /* The pair SA does not exist. */
4773 4773 mutex_enter(&ipsapp->ipsap_sa_ptr->ipsa_lock);
4774 4774 ipsapp->ipsap_sa_ptr->ipsa_flags &= ~IPSA_F_PAIRED;
4775 4775 ipsapp->ipsap_sa_ptr->ipsa_otherspi = 0;
4776 4776 mutex_exit(&ipsapp->ipsap_sa_ptr->ipsa_lock);
4777 4777 } else {
4778 4778 mutex_enter(&oipsapp.ipsap_psa_ptr->ipsa_lock);
4779 4779 oipsapp.ipsap_psa_ptr->ipsa_otherspi = assoc->sadb_sa_spi;
4780 4780 oipsapp.ipsap_psa_ptr->ipsa_flags |= IPSA_F_PAIRED;
4781 4781 mutex_exit(&oipsapp.ipsap_psa_ptr->ipsa_lock);
4782 4782 }
4783 4783
4784 4784 destroy_ipsa_pair(&oipsapp);
4785 4785 return (error);
4786 4786 }
4787 4787
4788 4788 /*
4789 4789 * The following functions deal with ACQUIRE LISTS. An ACQUIRE list is
4790 4790 * a list of outstanding SADB_ACQUIRE messages. If ipsec_getassocbyconn() fails
4791 4791 * for an outbound datagram, that datagram is queued up on an ACQUIRE record,
4792 4792 * and an SADB_ACQUIRE message is sent up. Presumably, a user-space key
4793 4793 * management daemon will process the ACQUIRE, use a SADB_GETSPI to reserve
4794 4794 * an SPI value and a larval SA, then SADB_UPDATE the larval SA, and ADD the
4795 4795 * other direction's SA.
4796 4796 */
4797 4797
4798 4798 /*
4799 4799 * Check the ACQUIRE lists. If there's an existing ACQUIRE record,
4800 4800 * grab it, lock it, and return it. Otherwise return NULL.
4801 4801 *
4802 4802 * XXX MLS number of arguments getting unwieldy here
4803 4803 */
4804 4804 static ipsacq_t *
4805 4805 sadb_checkacquire(iacqf_t *bucket, ipsec_action_t *ap, ipsec_policy_t *pp,
4806 4806 uint32_t *src, uint32_t *dst, uint32_t *isrc, uint32_t *idst,
4807 4807 uint64_t unique_id, ts_label_t *tsl)
4808 4808 {
4809 4809 ipsacq_t *walker;
4810 4810 sa_family_t fam;
4811 4811 uint32_t blank_address[4] = {0, 0, 0, 0};
4812 4812
4813 4813 if (isrc == NULL) {
4814 4814 ASSERT(idst == NULL);
4815 4815 isrc = idst = blank_address;
4816 4816 }
4817 4817
4818 4818 /*
4819 4819 * Scan list for duplicates. Check for UNIQUE, src/dest, policy.
4820 4820 *
4821 4821 * XXX May need search for duplicates based on other things too!
4822 4822 */
4823 4823 for (walker = bucket->iacqf_ipsacq; walker != NULL;
4824 4824 walker = walker->ipsacq_next) {
4825 4825 mutex_enter(&walker->ipsacq_lock);
4826 4826 fam = walker->ipsacq_addrfam;
4827 4827 if (IPSA_ARE_ADDR_EQUAL(dst, walker->ipsacq_dstaddr, fam) &&
4828 4828 IPSA_ARE_ADDR_EQUAL(src, walker->ipsacq_srcaddr, fam) &&
4829 4829 ip_addr_match((uint8_t *)isrc, walker->ipsacq_innersrcpfx,
4830 4830 (in6_addr_t *)walker->ipsacq_innersrc) &&
4831 4831 ip_addr_match((uint8_t *)idst, walker->ipsacq_innerdstpfx,
4832 4832 (in6_addr_t *)walker->ipsacq_innerdst) &&
4833 4833 (ap == walker->ipsacq_act) &&
4834 4834 (pp == walker->ipsacq_policy) &&
4835 4835 /* XXX do deep compares of ap/pp? */
4836 4836 (unique_id == walker->ipsacq_unique_id) &&
4837 4837 (ipsec_label_match(tsl, walker->ipsacq_tsl)))
4838 4838 break; /* everything matched */
4839 4839 mutex_exit(&walker->ipsacq_lock);
4840 4840 }
4841 4841
4842 4842 return (walker);
4843 4843 }
4844 4844
4845 4845 /*
4846 4846 * For this mblk, insert a new acquire record. Assume bucket contains addrs
4847 4847 * of all of the same length. Give up (and drop) if memory
4848 4848 * cannot be allocated for a new one; otherwise, invoke callback to
4849 4849 * send the acquire up..
4850 4850 *
4851 4851 * In cases where we need both AH and ESP, add the SA to the ESP ACQUIRE
4852 4852 * list. The ah_add_sa_finish() routines can look at the packet's attached
4853 4853 * attributes and handle this case specially.
4854 4854 */
4855 4855 void
4856 4856 sadb_acquire(mblk_t *datamp, ip_xmit_attr_t *ixa, boolean_t need_ah,
4857 4857 boolean_t need_esp)
4858 4858 {
4859 4859 mblk_t *asyncmp;
4860 4860 sadbp_t *spp;
4861 4861 sadb_t *sp;
4862 4862 ipsacq_t *newbie;
4863 4863 iacqf_t *bucket;
4864 4864 mblk_t *extended;
4865 4865 ipha_t *ipha = (ipha_t *)datamp->b_rptr;
4866 4866 ip6_t *ip6h = (ip6_t *)datamp->b_rptr;
4867 4867 uint32_t *src, *dst, *isrc, *idst;
4868 4868 ipsec_policy_t *pp = ixa->ixa_ipsec_policy;
4869 4869 ipsec_action_t *ap = ixa->ixa_ipsec_action;
4870 4870 sa_family_t af;
4871 4871 int hashoffset;
4872 4872 uint32_t seq;
4873 4873 uint64_t unique_id = 0;
4874 4874 ipsec_selector_t sel;
4875 4875 boolean_t tunnel_mode = (ixa->ixa_flags & IXAF_IPSEC_TUNNEL) != 0;
4876 4876 ts_label_t *tsl = NULL;
4877 4877 netstack_t *ns = ixa->ixa_ipst->ips_netstack;
4878 4878 ipsec_stack_t *ipss = ns->netstack_ipsec;
4879 4879 sadb_sens_t *sens = NULL;
4880 4880 int sens_len;
4881 4881
4882 4882 ASSERT((pp != NULL) || (ap != NULL));
4883 4883
4884 4884 ASSERT(need_ah != NULL || need_esp != NULL);
4885 4885
4886 4886 /* Assign sadb pointers */
4887 4887 if (need_esp) { /* ESP for AH+ESP */
4888 4888 ipsecesp_stack_t *espstack = ns->netstack_ipsecesp;
4889 4889
4890 4890 spp = &espstack->esp_sadb;
4891 4891 } else {
4892 4892 ipsecah_stack_t *ahstack = ns->netstack_ipsecah;
4893 4893
4894 4894 spp = &ahstack->ah_sadb;
4895 4895 }
4896 4896 sp = (ixa->ixa_flags & IXAF_IS_IPV4) ? &spp->s_v4 : &spp->s_v6;
4897 4897
4898 4898 if (is_system_labeled())
4899 4899 tsl = ixa->ixa_tsl;
4900 4900
4901 4901 if (ap == NULL)
4902 4902 ap = pp->ipsp_act;
4903 4903
4904 4904 ASSERT(ap != NULL);
4905 4905
4906 4906 if (ap->ipa_act.ipa_apply.ipp_use_unique || tunnel_mode)
4907 4907 unique_id = SA_FORM_UNIQUE_ID(ixa);
4908 4908
4909 4909 /*
4910 4910 * Set up an ACQUIRE record.
4911 4911 *
4912 4912 * Immediately, make sure the ACQUIRE sequence number doesn't slip
4913 4913 * below the lowest point allowed in the kernel. (In other words,
4914 4914 * make sure the high bit on the sequence number is set.)
4915 4915 */
4916 4916
4917 4917 seq = keysock_next_seq(ns) | IACQF_LOWEST_SEQ;
4918 4918
4919 4919 if (IPH_HDR_VERSION(ipha) == IP_VERSION) {
4920 4920 src = (uint32_t *)&ipha->ipha_src;
4921 4921 dst = (uint32_t *)&ipha->ipha_dst;
4922 4922 af = AF_INET;
4923 4923 hashoffset = OUTBOUND_HASH_V4(sp, ipha->ipha_dst);
4924 4924 ASSERT(ixa->ixa_flags & IXAF_IS_IPV4);
4925 4925 } else {
4926 4926 ASSERT(IPH_HDR_VERSION(ipha) == IPV6_VERSION);
4927 4927 src = (uint32_t *)&ip6h->ip6_src;
4928 4928 dst = (uint32_t *)&ip6h->ip6_dst;
4929 4929 af = AF_INET6;
4930 4930 hashoffset = OUTBOUND_HASH_V6(sp, ip6h->ip6_dst);
4931 4931 ASSERT(!(ixa->ixa_flags & IXAF_IS_IPV4));
4932 4932 }
4933 4933
4934 4934 if (tunnel_mode) {
4935 4935 if (pp == NULL) {
4936 4936 /*
4937 4937 * Tunnel mode with no policy pointer means this is a
4938 4938 * reflected ICMP (like a ECHO REQUEST) that came in
4939 4939 * with self-encapsulated protection. Until we better
4940 4940 * support this, drop the packet.
4941 4941 */
4942 4942 ip_drop_packet(datamp, B_FALSE, NULL,
4943 4943 DROPPER(ipss, ipds_spd_got_selfencap),
4944 4944 &ipss->ipsec_spd_dropper);
4945 4945 return;
4946 4946 }
4947 4947 /* Snag inner addresses. */
4948 4948 isrc = ixa->ixa_ipsec_insrc;
4949 4949 idst = ixa->ixa_ipsec_indst;
4950 4950 } else {
4951 4951 isrc = idst = NULL;
4952 4952 }
4953 4953
4954 4954 /*
4955 4955 * Check buckets to see if there is an existing entry. If so,
4956 4956 * grab it. sadb_checkacquire locks newbie if found.
4957 4957 */
4958 4958 bucket = &(sp->sdb_acq[hashoffset]);
4959 4959 mutex_enter(&bucket->iacqf_lock);
4960 4960 newbie = sadb_checkacquire(bucket, ap, pp, src, dst, isrc, idst,
4961 4961 unique_id, tsl);
4962 4962
4963 4963 if (newbie == NULL) {
4964 4964 /*
4965 4965 * Otherwise, allocate a new one.
4966 4966 */
4967 4967 newbie = kmem_zalloc(sizeof (*newbie), KM_NOSLEEP);
4968 4968 if (newbie == NULL) {
4969 4969 mutex_exit(&bucket->iacqf_lock);
4970 4970 ip_drop_packet(datamp, B_FALSE, NULL,
4971 4971 DROPPER(ipss, ipds_sadb_acquire_nomem),
4972 4972 &ipss->ipsec_sadb_dropper);
4973 4973 return;
4974 4974 }
4975 4975 newbie->ipsacq_policy = pp;
4976 4976 if (pp != NULL) {
4977 4977 IPPOL_REFHOLD(pp);
4978 4978 }
4979 4979 IPACT_REFHOLD(ap);
4980 4980 newbie->ipsacq_act = ap;
4981 4981 newbie->ipsacq_linklock = &bucket->iacqf_lock;
4982 4982 newbie->ipsacq_next = bucket->iacqf_ipsacq;
4983 4983 newbie->ipsacq_ptpn = &bucket->iacqf_ipsacq;
4984 4984 if (newbie->ipsacq_next != NULL)
4985 4985 newbie->ipsacq_next->ipsacq_ptpn = &newbie->ipsacq_next;
4986 4986
4987 4987 bucket->iacqf_ipsacq = newbie;
4988 4988 mutex_init(&newbie->ipsacq_lock, NULL, MUTEX_DEFAULT, NULL);
4989 4989 mutex_enter(&newbie->ipsacq_lock);
4990 4990 }
4991 4991
4992 4992 /*
4993 4993 * XXX MLS does it actually help us to drop the bucket lock here?
4994 4994 * we have inserted a half-built, locked acquire record into the
4995 4995 * bucket. any competing thread will now be able to lock the bucket
4996 4996 * to scan it, but will immediately pile up on the new acquire
4997 4997 * record's lock; I don't think we gain anything here other than to
4998 4998 * disperse blame for lock contention.
4999 4999 *
5000 5000 * we might be able to dispense with acquire record locks entirely..
5001 5001 * just use the bucket locks..
5002 5002 */
5003 5003
5004 5004 mutex_exit(&bucket->iacqf_lock);
5005 5005
5006 5006 /*
5007 5007 * This assert looks silly for now, but we may need to enter newbie's
5008 5008 * mutex during a search.
5009 5009 */
5010 5010 ASSERT(MUTEX_HELD(&newbie->ipsacq_lock));
5011 5011
5012 5012 /*
5013 5013 * Make the ip_xmit_attr_t into something we can queue.
5014 5014 * If no memory it frees datamp.
5015 5015 */
5016 5016 asyncmp = ip_xmit_attr_to_mblk(ixa);
5017 5017 if (asyncmp != NULL)
5018 5018 linkb(asyncmp, datamp);
5019 5019
5020 5020 /* Queue up packet. Use b_next. */
5021 5021
5022 5022 if (asyncmp == NULL) {
5023 5023 /* Statistics for allocation failure */
5024 5024 if (ixa->ixa_flags & IXAF_IS_IPV4) {
5025 5025 BUMP_MIB(&ixa->ixa_ipst->ips_ip_mib,
5026 5026 ipIfStatsOutDiscards);
5027 5027 } else {
5028 5028 BUMP_MIB(&ixa->ixa_ipst->ips_ip6_mib,
5029 5029 ipIfStatsOutDiscards);
5030 5030 }
5031 5031 ip_drop_output("No memory for asyncmp", datamp, NULL);
5032 5032 freemsg(datamp);
5033 5033 } else if (newbie->ipsacq_numpackets == 0) {
5034 5034 /* First one. */
5035 5035 newbie->ipsacq_mp = asyncmp;
5036 5036 newbie->ipsacq_numpackets = 1;
5037 5037 newbie->ipsacq_expire = gethrestime_sec();
5038 5038 /*
5039 5039 * Extended ACQUIRE with both AH+ESP will use ESP's timeout
5040 5040 * value.
5041 5041 */
5042 5042 newbie->ipsacq_expire += *spp->s_acquire_timeout;
5043 5043 newbie->ipsacq_seq = seq;
5044 5044 newbie->ipsacq_addrfam = af;
5045 5045
5046 5046 newbie->ipsacq_srcport = ixa->ixa_ipsec_src_port;
5047 5047 newbie->ipsacq_dstport = ixa->ixa_ipsec_dst_port;
5048 5048 newbie->ipsacq_icmp_type = ixa->ixa_ipsec_icmp_type;
5049 5049 newbie->ipsacq_icmp_code = ixa->ixa_ipsec_icmp_code;
5050 5050 if (tunnel_mode) {
5051 5051 newbie->ipsacq_inneraddrfam = ixa->ixa_ipsec_inaf;
5052 5052 newbie->ipsacq_proto = ixa->ixa_ipsec_inaf == AF_INET6 ?
5053 5053 IPPROTO_IPV6 : IPPROTO_ENCAP;
5054 5054 newbie->ipsacq_innersrcpfx = ixa->ixa_ipsec_insrcpfx;
5055 5055 newbie->ipsacq_innerdstpfx = ixa->ixa_ipsec_indstpfx;
5056 5056 IPSA_COPY_ADDR(newbie->ipsacq_innersrc,
5057 5057 ixa->ixa_ipsec_insrc, ixa->ixa_ipsec_inaf);
5058 5058 IPSA_COPY_ADDR(newbie->ipsacq_innerdst,
5059 5059 ixa->ixa_ipsec_indst, ixa->ixa_ipsec_inaf);
5060 5060 } else {
5061 5061 newbie->ipsacq_proto = ixa->ixa_ipsec_proto;
5062 5062 }
5063 5063 newbie->ipsacq_unique_id = unique_id;
5064 5064
5065 5065 if (ixa->ixa_tsl != NULL) {
5066 5066 label_hold(ixa->ixa_tsl);
5067 5067 newbie->ipsacq_tsl = ixa->ixa_tsl;
5068 5068 }
5069 5069 } else {
5070 5070 /* Scan to the end of the list & insert. */
5071 5071 mblk_t *lastone = newbie->ipsacq_mp;
5072 5072
5073 5073 while (lastone->b_next != NULL)
5074 5074 lastone = lastone->b_next;
5075 5075 lastone->b_next = asyncmp;
5076 5076 if (newbie->ipsacq_numpackets++ == ipsacq_maxpackets) {
5077 5077 newbie->ipsacq_numpackets = ipsacq_maxpackets;
5078 5078 lastone = newbie->ipsacq_mp;
5079 5079 newbie->ipsacq_mp = lastone->b_next;
5080 5080 lastone->b_next = NULL;
5081 5081
5082 5082 /* Freeing the async message */
5083 5083 lastone = ip_xmit_attr_free_mblk(lastone);
5084 5084 ip_drop_packet(lastone, B_FALSE, NULL,
5085 5085 DROPPER(ipss, ipds_sadb_acquire_toofull),
5086 5086 &ipss->ipsec_sadb_dropper);
5087 5087 } else {
5088 5088 IP_ACQUIRE_STAT(ipss, qhiwater,
5089 5089 newbie->ipsacq_numpackets);
5090 5090 }
5091 5091 }
5092 5092
5093 5093 /*
5094 5094 * Reset addresses. Set them to the most recently added mblk chain,
5095 5095 * so that the address pointers in the acquire record will point
5096 5096 * at an mblk still attached to the acquire list.
5097 5097 */
5098 5098
5099 5099 newbie->ipsacq_srcaddr = src;
5100 5100 newbie->ipsacq_dstaddr = dst;
5101 5101
5102 5102 /*
5103 5103 * If the acquire record has more than one queued packet, we've
5104 5104 * already sent an ACQUIRE, and don't need to repeat ourself.
5105 5105 */
5106 5106 if (newbie->ipsacq_seq != seq || newbie->ipsacq_numpackets > 1) {
5107 5107 /* I have an acquire outstanding already! */
5108 5108 mutex_exit(&newbie->ipsacq_lock);
5109 5109 return;
5110 5110 }
5111 5111
5112 5112 if (!keysock_extended_reg(ns))
5113 5113 goto punt_extended;
5114 5114 /*
5115 5115 * Construct an extended ACQUIRE. There are logging
5116 5116 * opportunities here in failure cases.
5117 5117 */
5118 5118 bzero(&sel, sizeof (sel));
5119 5119 sel.ips_isv4 = (ixa->ixa_flags & IXAF_IS_IPV4) != 0;
5120 5120 if (tunnel_mode) {
5121 5121 sel.ips_protocol = (ixa->ixa_ipsec_inaf == AF_INET) ?
5122 5122 IPPROTO_ENCAP : IPPROTO_IPV6;
5123 5123 } else {
5124 5124 sel.ips_protocol = ixa->ixa_ipsec_proto;
5125 5125 sel.ips_local_port = ixa->ixa_ipsec_src_port;
5126 5126 sel.ips_remote_port = ixa->ixa_ipsec_dst_port;
5127 5127 }
5128 5128 sel.ips_icmp_type = ixa->ixa_ipsec_icmp_type;
5129 5129 sel.ips_icmp_code = ixa->ixa_ipsec_icmp_code;
5130 5130 sel.ips_is_icmp_inv_acq = 0;
5131 5131 if (af == AF_INET) {
5132 5132 sel.ips_local_addr_v4 = ipha->ipha_src;
5133 5133 sel.ips_remote_addr_v4 = ipha->ipha_dst;
5134 5134 } else {
5135 5135 sel.ips_local_addr_v6 = ip6h->ip6_src;
5136 5136 sel.ips_remote_addr_v6 = ip6h->ip6_dst;
5137 5137 }
5138 5138
5139 5139 extended = sadb_keysock_out(0);
5140 5140 if (extended == NULL)
5141 5141 goto punt_extended;
5142 5142
5143 5143 if (ixa->ixa_tsl != NULL) {
5144 5144 /*
5145 5145 * XXX MLS correct condition here?
5146 5146 * XXX MLS other credential attributes in acquire?
5147 5147 * XXX malloc failure? don't fall back to original?
5148 5148 */
5149 5149 sens = sadb_make_sens_ext(ixa->ixa_tsl, &sens_len);
5150 5150
5151 5151 if (sens == NULL) {
5152 5152 freeb(extended);
5153 5153 goto punt_extended;
5154 5154 }
5155 5155 }
5156 5156
5157 5157 extended->b_cont = sadb_extended_acquire(&sel, pp, ap, tunnel_mode,
5158 5158 seq, 0, sens, ns);
5159 5159
5160 5160 if (sens != NULL)
5161 5161 kmem_free(sens, sens_len);
5162 5162
5163 5163 if (extended->b_cont == NULL) {
5164 5164 freeb(extended);
5165 5165 goto punt_extended;
5166 5166 }
5167 5167
5168 5168 /*
5169 5169 * Send an ACQUIRE message (and possible an extended ACQUIRE) based on
5170 5170 * this new record. The send-acquire callback assumes that acqrec is
5171 5171 * already locked.
5172 5172 */
5173 5173 (*spp->s_acqfn)(newbie, extended, ns);
5174 5174 return;
5175 5175
5176 5176 punt_extended:
5177 5177 (*spp->s_acqfn)(newbie, NULL, ns);
5178 5178 }
5179 5179
5180 5180 /*
5181 5181 * Unlink and free an acquire record.
5182 5182 */
5183 5183 void
5184 5184 sadb_destroy_acquire(ipsacq_t *acqrec, netstack_t *ns)
5185 5185 {
5186 5186 mblk_t *mp;
5187 5187 ipsec_stack_t *ipss = ns->netstack_ipsec;
5188 5188
5189 5189 ASSERT(MUTEX_HELD(acqrec->ipsacq_linklock));
5190 5190
5191 5191 if (acqrec->ipsacq_policy != NULL) {
5192 5192 IPPOL_REFRELE(acqrec->ipsacq_policy);
5193 5193 }
5194 5194 if (acqrec->ipsacq_act != NULL) {
5195 5195 IPACT_REFRELE(acqrec->ipsacq_act);
5196 5196 }
5197 5197
5198 5198 /* Unlink */
5199 5199 *(acqrec->ipsacq_ptpn) = acqrec->ipsacq_next;
5200 5200 if (acqrec->ipsacq_next != NULL)
5201 5201 acqrec->ipsacq_next->ipsacq_ptpn = acqrec->ipsacq_ptpn;
5202 5202
5203 5203 if (acqrec->ipsacq_tsl != NULL) {
5204 5204 label_rele(acqrec->ipsacq_tsl);
5205 5205 acqrec->ipsacq_tsl = NULL;
5206 5206 }
5207 5207
5208 5208 /*
5209 5209 * Free hanging mp's.
5210 5210 *
5211 5211 * XXX Instead of freemsg(), perhaps use IPSEC_REQ_FAILED.
5212 5212 */
5213 5213
5214 5214 mutex_enter(&acqrec->ipsacq_lock);
5215 5215 while (acqrec->ipsacq_mp != NULL) {
5216 5216 mp = acqrec->ipsacq_mp;
5217 5217 acqrec->ipsacq_mp = mp->b_next;
5218 5218 mp->b_next = NULL;
5219 5219 /* Freeing the async message */
5220 5220 mp = ip_xmit_attr_free_mblk(mp);
5221 5221 ip_drop_packet(mp, B_FALSE, NULL,
5222 5222 DROPPER(ipss, ipds_sadb_acquire_timeout),
5223 5223 &ipss->ipsec_sadb_dropper);
5224 5224 }
5225 5225 mutex_exit(&acqrec->ipsacq_lock);
5226 5226
5227 5227 /* Free */
5228 5228 mutex_destroy(&acqrec->ipsacq_lock);
5229 5229 kmem_free(acqrec, sizeof (*acqrec));
5230 5230 }
5231 5231
5232 5232 /*
5233 5233 * Destroy an acquire list fanout.
5234 5234 */
5235 5235 static void
5236 5236 sadb_destroy_acqlist(iacqf_t **listp, uint_t numentries, boolean_t forever,
5237 5237 netstack_t *ns)
5238 5238 {
5239 5239 int i;
5240 5240 iacqf_t *list = *listp;
5241 5241
5242 5242 if (list == NULL)
5243 5243 return;
5244 5244
5245 5245 for (i = 0; i < numentries; i++) {
5246 5246 mutex_enter(&(list[i].iacqf_lock));
5247 5247 while (list[i].iacqf_ipsacq != NULL)
5248 5248 sadb_destroy_acquire(list[i].iacqf_ipsacq, ns);
5249 5249 mutex_exit(&(list[i].iacqf_lock));
5250 5250 if (forever)
5251 5251 mutex_destroy(&(list[i].iacqf_lock));
5252 5252 }
5253 5253
5254 5254 if (forever) {
5255 5255 *listp = NULL;
5256 5256 kmem_free(list, numentries * sizeof (*list));
5257 5257 }
5258 5258 }
5259 5259
5260 5260 /*
5261 5261 * Create an algorithm descriptor for an extended ACQUIRE. Filter crypto
5262 5262 * framework's view of reality vs. IPsec's. EF's wins, BTW.
5263 5263 */
5264 5264 static uint8_t *
5265 5265 sadb_new_algdesc(uint8_t *start, uint8_t *limit,
5266 5266 sadb_x_ecomb_t *ecomb, uint8_t satype, uint8_t algtype,
5267 5267 uint8_t alg, uint16_t minbits, uint16_t maxbits, ipsec_stack_t *ipss)
5268 5268 {
5269 5269 uint8_t *cur = start;
5270 5270 ipsec_alginfo_t *algp;
5271 5271 sadb_x_algdesc_t *algdesc = (sadb_x_algdesc_t *)cur;
5272 5272
5273 5273 cur += sizeof (*algdesc);
5274 5274 if (cur >= limit)
5275 5275 return (NULL);
5276 5276
5277 5277 ecomb->sadb_x_ecomb_numalgs++;
5278 5278
5279 5279 /*
5280 5280 * Normalize vs. crypto framework's limits. This way, you can specify
5281 5281 * a stronger policy, and when the framework loads a stronger version,
5282 5282 * you can just keep plowing w/o rewhacking your SPD.
5283 5283 */
5284 5284 mutex_enter(&ipss->ipsec_alg_lock);
5285 5285 algp = ipss->ipsec_alglists[(algtype == SADB_X_ALGTYPE_AUTH) ?
5286 5286 IPSEC_ALG_AUTH : IPSEC_ALG_ENCR][alg];
5287 5287 if (algp == NULL) {
5288 5288 mutex_exit(&ipss->ipsec_alg_lock);
5289 5289 return (NULL); /* Algorithm doesn't exist. Fail gracefully. */
5290 5290 }
5291 5291 if (minbits < algp->alg_ef_minbits)
5292 5292 minbits = algp->alg_ef_minbits;
5293 5293 if (maxbits > algp->alg_ef_maxbits)
5294 5294 maxbits = algp->alg_ef_maxbits;
5295 5295 mutex_exit(&ipss->ipsec_alg_lock);
5296 5296
5297 5297 algdesc->sadb_x_algdesc_reserved = SADB_8TO1(algp->alg_saltlen);
5298 5298 algdesc->sadb_x_algdesc_satype = satype;
5299 5299 algdesc->sadb_x_algdesc_algtype = algtype;
5300 5300 algdesc->sadb_x_algdesc_alg = alg;
5301 5301 algdesc->sadb_x_algdesc_minbits = minbits;
5302 5302 algdesc->sadb_x_algdesc_maxbits = maxbits;
5303 5303
5304 5304 return (cur);
5305 5305 }
5306 5306
5307 5307 /*
5308 5308 * Convert the given ipsec_action_t into an ecomb starting at *ecomb
5309 5309 * which must fit before *limit
5310 5310 *
5311 5311 * return NULL if we ran out of room or a pointer to the end of the ecomb.
5312 5312 */
5313 5313 static uint8_t *
5314 5314 sadb_action_to_ecomb(uint8_t *start, uint8_t *limit, ipsec_action_t *act,
5315 5315 netstack_t *ns)
5316 5316 {
5317 5317 uint8_t *cur = start;
5318 5318 sadb_x_ecomb_t *ecomb = (sadb_x_ecomb_t *)cur;
5319 5319 ipsec_prot_t *ipp;
5320 5320 ipsec_stack_t *ipss = ns->netstack_ipsec;
5321 5321
5322 5322 cur += sizeof (*ecomb);
5323 5323 if (cur >= limit)
5324 5324 return (NULL);
5325 5325
5326 5326 ASSERT(act->ipa_act.ipa_type == IPSEC_ACT_APPLY);
5327 5327
5328 5328 ipp = &act->ipa_act.ipa_apply;
5329 5329
5330 5330 ecomb->sadb_x_ecomb_numalgs = 0;
5331 5331 ecomb->sadb_x_ecomb_reserved = 0;
5332 5332 ecomb->sadb_x_ecomb_reserved2 = 0;
5333 5333 /*
5334 5334 * No limits on allocations, since we really don't support that
5335 5335 * concept currently.
5336 5336 */
5337 5337 ecomb->sadb_x_ecomb_soft_allocations = 0;
5338 5338 ecomb->sadb_x_ecomb_hard_allocations = 0;
5339 5339
5340 5340 /*
5341 5341 * XXX TBD: Policy or global parameters will eventually be
5342 5342 * able to fill in some of these.
5343 5343 */
5344 5344 ecomb->sadb_x_ecomb_flags = 0;
5345 5345 ecomb->sadb_x_ecomb_soft_bytes = 0;
5346 5346 ecomb->sadb_x_ecomb_hard_bytes = 0;
5347 5347 ecomb->sadb_x_ecomb_soft_addtime = 0;
5348 5348 ecomb->sadb_x_ecomb_hard_addtime = 0;
5349 5349 ecomb->sadb_x_ecomb_soft_usetime = 0;
5350 5350 ecomb->sadb_x_ecomb_hard_usetime = 0;
5351 5351
5352 5352 if (ipp->ipp_use_ah) {
5353 5353 cur = sadb_new_algdesc(cur, limit, ecomb,
5354 5354 SADB_SATYPE_AH, SADB_X_ALGTYPE_AUTH, ipp->ipp_auth_alg,
5355 5355 ipp->ipp_ah_minbits, ipp->ipp_ah_maxbits, ipss);
5356 5356 if (cur == NULL)
5357 5357 return (NULL);
5358 5358 ipsecah_fill_defs(ecomb, ns);
5359 5359 }
5360 5360
5361 5361 if (ipp->ipp_use_esp) {
5362 5362 if (ipp->ipp_use_espa) {
5363 5363 cur = sadb_new_algdesc(cur, limit, ecomb,
5364 5364 SADB_SATYPE_ESP, SADB_X_ALGTYPE_AUTH,
5365 5365 ipp->ipp_esp_auth_alg,
5366 5366 ipp->ipp_espa_minbits,
5367 5367 ipp->ipp_espa_maxbits, ipss);
5368 5368 if (cur == NULL)
5369 5369 return (NULL);
5370 5370 }
5371 5371
5372 5372 cur = sadb_new_algdesc(cur, limit, ecomb,
5373 5373 SADB_SATYPE_ESP, SADB_X_ALGTYPE_CRYPT,
5374 5374 ipp->ipp_encr_alg,
5375 5375 ipp->ipp_espe_minbits,
5376 5376 ipp->ipp_espe_maxbits, ipss);
5377 5377 if (cur == NULL)
5378 5378 return (NULL);
5379 5379 /* Fill in lifetimes if and only if AH didn't already... */
5380 5380 if (!ipp->ipp_use_ah)
5381 5381 ipsecesp_fill_defs(ecomb, ns);
5382 5382 }
5383 5383
5384 5384 return (cur);
5385 5385 }
5386 5386
5387 5387 #include <sys/tsol/label_macro.h> /* XXX should not need this */
5388 5388
5389 5389 /*
5390 5390 * From a cred_t, construct a sensitivity label extension
5391 5391 *
5392 5392 * We send up a fixed-size sensitivity label bitmap, and are perhaps
5393 5393 * overly chummy with the underlying data structures here.
5394 5394 */
5395 5395
5396 5396 /* ARGSUSED */
5397 5397 int
5398 5398 sadb_sens_len_from_label(ts_label_t *tsl)
5399 5399 {
5400 5400 int baselen = sizeof (sadb_sens_t) + _C_LEN * 4;
5401 5401 return (roundup(baselen, sizeof (uint64_t)));
5402 5402 }
5403 5403
5404 5404 void
5405 5405 sadb_sens_from_label(sadb_sens_t *sens, int exttype, ts_label_t *tsl,
5406 5406 int senslen)
5407 5407 {
5408 5408 uint8_t *bitmap;
5409 5409 bslabel_t *sl;
5410 5410
5411 5411 /* LINTED */
5412 5412 ASSERT((_C_LEN & 1) == 0);
5413 5413 ASSERT((senslen & 7) == 0);
5414 5414
5415 5415 sl = label2bslabel(tsl);
5416 5416
5417 5417 sens->sadb_sens_exttype = exttype;
5418 5418 sens->sadb_sens_len = SADB_8TO64(senslen);
5419 5419
5420 5420 sens->sadb_sens_dpd = tsl->tsl_doi;
5421 5421 sens->sadb_sens_sens_level = LCLASS(sl);
5422 5422 sens->sadb_sens_integ_level = 0; /* TBD */
5423 5423 sens->sadb_sens_sens_len = _C_LEN >> 1;
5424 5424 sens->sadb_sens_integ_len = 0; /* TBD */
5425 5425 sens->sadb_x_sens_flags = 0;
5426 5426
5427 5427 bitmap = (uint8_t *)(sens + 1);
5428 5428 bcopy(&(((_bslabel_impl_t *)sl)->compartments), bitmap, _C_LEN * 4);
5429 5429 }
5430 5430
5431 5431 static sadb_sens_t *
5432 5432 sadb_make_sens_ext(ts_label_t *tsl, int *len)
5433 5433 {
5434 5434 /* XXX allocation failure? */
5435 5435 int sens_len = sadb_sens_len_from_label(tsl);
5436 5436
5437 5437 sadb_sens_t *sens = kmem_alloc(sens_len, KM_SLEEP);
5438 5438
5439 5439 sadb_sens_from_label(sens, SADB_EXT_SENSITIVITY, tsl, sens_len);
5440 5440
5441 5441 *len = sens_len;
5442 5442
5443 5443 return (sens);
5444 5444 }
5445 5445
5446 5446 /*
5447 5447 * Okay, how do we report errors/invalid labels from this?
5448 5448 * With a special designated "not a label" cred_t ?
5449 5449 */
5450 5450 /* ARGSUSED */
5451 5451 ts_label_t *
5452 5452 sadb_label_from_sens(sadb_sens_t *sens, uint64_t *bitmap)
5453 5453 {
5454 5454 int bitmap_len = SADB_64TO8(sens->sadb_sens_sens_len);
5455 5455 bslabel_t sl;
5456 5456 ts_label_t *tsl;
5457 5457
5458 5458 if (sens->sadb_sens_integ_level != 0)
5459 5459 return (NULL);
5460 5460 if (sens->sadb_sens_integ_len != 0)
5461 5461 return (NULL);
5462 5462 if (bitmap_len > _C_LEN * 4)
5463 5463 return (NULL);
5464 5464
5465 5465 bsllow(&sl);
5466 5466 LCLASS_SET((_bslabel_impl_t *)&sl, sens->sadb_sens_sens_level);
5467 5467 bcopy(bitmap, &((_bslabel_impl_t *)&sl)->compartments,
5468 5468 bitmap_len);
5469 5469
5470 5470 tsl = labelalloc(&sl, sens->sadb_sens_dpd, KM_NOSLEEP);
5471 5471 if (tsl == NULL)
5472 5472 return (NULL);
5473 5473
5474 5474 if (sens->sadb_x_sens_flags & SADB_X_SENS_UNLABELED)
5475 5475 tsl->tsl_flags |= TSLF_UNLABELED;
5476 5476 return (tsl);
5477 5477 }
5478 5478
5479 5479 /* End XXX label-library-leakage */
5480 5480
5481 5481 /*
5482 5482 * Construct an extended ACQUIRE message based on a selector and the resulting
5483 5483 * IPsec action.
5484 5484 *
5485 5485 * NOTE: This is used by both inverse ACQUIRE and actual ACQUIRE
5486 5486 * generation. As a consequence, expect this function to evolve
5487 5487 * rapidly.
5488 5488 */
5489 5489 static mblk_t *
5490 5490 sadb_extended_acquire(ipsec_selector_t *sel, ipsec_policy_t *pol,
5491 5491 ipsec_action_t *act, boolean_t tunnel_mode, uint32_t seq, uint32_t pid,
5492 5492 sadb_sens_t *sens, netstack_t *ns)
5493 5493 {
5494 5494 mblk_t *mp;
5495 5495 sadb_msg_t *samsg;
5496 5496 uint8_t *start, *cur, *end;
5497 5497 uint32_t *saddrptr, *daddrptr;
5498 5498 sa_family_t af;
5499 5499 sadb_prop_t *eprop;
5500 5500 ipsec_action_t *ap, *an;
5501 5501 ipsec_selkey_t *ipsl;
5502 5502 uint8_t proto, pfxlen;
5503 5503 uint16_t lport, rport;
5504 5504 uint32_t kmp, kmc;
5505 5505
5506 5506 /*
5507 5507 * Find the action we want sooner rather than later..
5508 5508 */
5509 5509 an = NULL;
5510 5510 if (pol == NULL) {
5511 5511 ap = act;
5512 5512 } else {
5513 5513 ap = pol->ipsp_act;
5514 5514
5515 5515 if (ap != NULL)
5516 5516 an = ap->ipa_next;
5517 5517 }
5518 5518
5519 5519 /*
5520 5520 * Just take a swag for the allocation for now. We can always
5521 5521 * alter it later.
5522 5522 */
5523 5523 #define SADB_EXTENDED_ACQUIRE_SIZE 4096
5524 5524 mp = allocb(SADB_EXTENDED_ACQUIRE_SIZE, BPRI_HI);
5525 5525 if (mp == NULL)
5526 5526 return (NULL);
5527 5527
5528 5528 start = mp->b_rptr;
5529 5529 end = start + SADB_EXTENDED_ACQUIRE_SIZE;
5530 5530
5531 5531 cur = start;
5532 5532
5533 5533 samsg = (sadb_msg_t *)cur;
5534 5534 cur += sizeof (*samsg);
5535 5535
5536 5536 samsg->sadb_msg_version = PF_KEY_V2;
5537 5537 samsg->sadb_msg_type = SADB_ACQUIRE;
5538 5538 samsg->sadb_msg_errno = 0;
5539 5539 samsg->sadb_msg_reserved = 0;
5540 5540 samsg->sadb_msg_satype = 0;
5541 5541 samsg->sadb_msg_seq = seq;
5542 5542 samsg->sadb_msg_pid = pid;
5543 5543
5544 5544 if (tunnel_mode) {
5545 5545 /*
5546 5546 * Form inner address extensions based NOT on the inner
5547 5547 * selectors (i.e. the packet data), but on the policy's
5548 5548 * selector key (i.e. the policy's selector information).
5549 5549 *
5550 5550 * NOTE: The position of IPv4 and IPv6 addresses is the
5551 5551 * same in ipsec_selkey_t (unless the compiler does very
5552 5552 * strange things with unions, consult your local C language
5553 5553 * lawyer for details).
5554 5554 */
5555 5555 ASSERT(pol != NULL);
5556 5556
5557 5557 ipsl = &(pol->ipsp_sel->ipsl_key);
5558 5558 if (ipsl->ipsl_valid & IPSL_IPV4) {
5559 5559 af = AF_INET;
5560 5560 ASSERT(sel->ips_protocol == IPPROTO_ENCAP);
5561 5561 ASSERT(!(ipsl->ipsl_valid & IPSL_IPV6));
5562 5562 } else {
5563 5563 af = AF_INET6;
5564 5564 ASSERT(sel->ips_protocol == IPPROTO_IPV6);
5565 5565 ASSERT(ipsl->ipsl_valid & IPSL_IPV6);
5566 5566 }
5567 5567
5568 5568 if (ipsl->ipsl_valid & IPSL_LOCAL_ADDR) {
5569 5569 saddrptr = (uint32_t *)(&ipsl->ipsl_local);
5570 5570 pfxlen = ipsl->ipsl_local_pfxlen;
5571 5571 } else {
5572 5572 saddrptr = (uint32_t *)(&ipv6_all_zeros);
5573 5573 pfxlen = 0;
5574 5574 }
5575 5575 /* XXX What about ICMP type/code? */
5576 5576 lport = (ipsl->ipsl_valid & IPSL_LOCAL_PORT) ?
5577 5577 ipsl->ipsl_lport : 0;
5578 5578 proto = (ipsl->ipsl_valid & IPSL_PROTOCOL) ?
5579 5579 ipsl->ipsl_proto : 0;
5580 5580
5581 5581 cur = sadb_make_addr_ext(cur, end, SADB_X_EXT_ADDRESS_INNER_SRC,
5582 5582 af, saddrptr, lport, proto, pfxlen);
5583 5583 if (cur == NULL) {
5584 5584 freeb(mp);
5585 5585 return (NULL);
5586 5586 }
5587 5587
5588 5588 if (ipsl->ipsl_valid & IPSL_REMOTE_ADDR) {
5589 5589 daddrptr = (uint32_t *)(&ipsl->ipsl_remote);
5590 5590 pfxlen = ipsl->ipsl_remote_pfxlen;
5591 5591 } else {
5592 5592 daddrptr = (uint32_t *)(&ipv6_all_zeros);
5593 5593 pfxlen = 0;
5594 5594 }
5595 5595 /* XXX What about ICMP type/code? */
5596 5596 rport = (ipsl->ipsl_valid & IPSL_REMOTE_PORT) ?
5597 5597 ipsl->ipsl_rport : 0;
5598 5598
5599 5599 cur = sadb_make_addr_ext(cur, end, SADB_X_EXT_ADDRESS_INNER_DST,
5600 5600 af, daddrptr, rport, proto, pfxlen);
5601 5601 if (cur == NULL) {
5602 5602 freeb(mp);
5603 5603 return (NULL);
5604 5604 }
5605 5605 /*
5606 5606 * TODO - if we go to 3408's dream of transport mode IP-in-IP
5607 5607 * _with_ inner-packet address selectors, we'll need to further
5608 5608 * distinguish tunnel mode here. For now, having inner
5609 5609 * addresses and/or ports is sufficient.
5610 5610 *
5611 5611 * Meanwhile, whack proto/ports to reflect IP-in-IP for the
5612 5612 * outer addresses.
5613 5613 */
5614 5614 proto = sel->ips_protocol; /* Either _ENCAP or _IPV6 */
5615 5615 lport = rport = 0;
5616 5616 } else if ((ap != NULL) && (!ap->ipa_want_unique)) {
5617 5617 proto = 0;
5618 5618 lport = 0;
5619 5619 rport = 0;
5620 5620 if (pol != NULL) {
5621 5621 ipsl = &(pol->ipsp_sel->ipsl_key);
5622 5622 if (ipsl->ipsl_valid & IPSL_PROTOCOL)
5623 5623 proto = ipsl->ipsl_proto;
5624 5624 if (ipsl->ipsl_valid & IPSL_REMOTE_PORT)
5625 5625 rport = ipsl->ipsl_rport;
5626 5626 if (ipsl->ipsl_valid & IPSL_LOCAL_PORT)
5627 5627 lport = ipsl->ipsl_lport;
5628 5628 }
5629 5629 } else {
5630 5630 proto = sel->ips_protocol;
5631 5631 lport = sel->ips_local_port;
5632 5632 rport = sel->ips_remote_port;
5633 5633 }
5634 5634
5635 5635 af = sel->ips_isv4 ? AF_INET : AF_INET6;
5636 5636
5637 5637 /*
5638 5638 * NOTE: The position of IPv4 and IPv6 addresses is the same in
5639 5639 * ipsec_selector_t.
5640 5640 */
5641 5641 cur = sadb_make_addr_ext(cur, end, SADB_EXT_ADDRESS_SRC, af,
5642 5642 (uint32_t *)(&sel->ips_local_addr_v6), lport, proto, 0);
5643 5643
5644 5644 if (cur == NULL) {
5645 5645 freeb(mp);
5646 5646 return (NULL);
5647 5647 }
5648 5648
5649 5649 cur = sadb_make_addr_ext(cur, end, SADB_EXT_ADDRESS_DST, af,
5650 5650 (uint32_t *)(&sel->ips_remote_addr_v6), rport, proto, 0);
5651 5651
5652 5652 if (cur == NULL) {
5653 5653 freeb(mp);
5654 5654 return (NULL);
5655 5655 }
5656 5656
5657 5657 if (sens != NULL) {
5658 5658 uint8_t *sensext = cur;
5659 5659 int senslen = SADB_64TO8(sens->sadb_sens_len);
5660 5660
5661 5661 cur += senslen;
5662 5662 if (cur > end) {
5663 5663 freeb(mp);
5664 5664 return (NULL);
5665 5665 }
5666 5666 bcopy(sens, sensext, senslen);
5667 5667 }
5668 5668
5669 5669 /*
5670 5670 * This section will change a lot as policy evolves.
5671 5671 * For now, it'll be relatively simple.
5672 5672 */
5673 5673 eprop = (sadb_prop_t *)cur;
5674 5674 cur += sizeof (*eprop);
5675 5675 if (cur > end) {
5676 5676 /* no space left */
5677 5677 freeb(mp);
5678 5678 return (NULL);
5679 5679 }
5680 5680
5681 5681 eprop->sadb_prop_exttype = SADB_X_EXT_EPROP;
5682 5682 eprop->sadb_x_prop_ereserved = 0;
5683 5683 eprop->sadb_x_prop_numecombs = 0;
5684 5684 eprop->sadb_prop_replay = 32; /* default */
5685 5685
5686 5686 kmc = kmp = 0;
5687 5687
5688 5688 for (; ap != NULL; ap = an) {
5689 5689 an = (pol != NULL) ? ap->ipa_next : NULL;
5690 5690
5691 5691 /*
5692 5692 * Skip non-IPsec policies
5693 5693 */
5694 5694 if (ap->ipa_act.ipa_type != IPSEC_ACT_APPLY)
5695 5695 continue;
5696 5696
5697 5697 if (ap->ipa_act.ipa_apply.ipp_km_proto)
5698 5698 kmp = ap->ipa_act.ipa_apply.ipp_km_proto;
5699 5699 if (ap->ipa_act.ipa_apply.ipp_km_cookie)
5700 5700 kmc = ap->ipa_act.ipa_apply.ipp_km_cookie;
5701 5701 if (ap->ipa_act.ipa_apply.ipp_replay_depth) {
5702 5702 eprop->sadb_prop_replay =
5703 5703 ap->ipa_act.ipa_apply.ipp_replay_depth;
5704 5704 }
5705 5705
5706 5706 cur = sadb_action_to_ecomb(cur, end, ap, ns);
5707 5707 if (cur == NULL) { /* no space */
5708 5708 freeb(mp);
5709 5709 return (NULL);
5710 5710 }
5711 5711 eprop->sadb_x_prop_numecombs++;
5712 5712 }
5713 5713
5714 5714 if (eprop->sadb_x_prop_numecombs == 0) {
5715 5715 /*
5716 5716 * This will happen if we fail to find a policy
5717 5717 * allowing for IPsec processing.
5718 5718 * Construct an error message.
5719 5719 */
5720 5720 samsg->sadb_msg_len = SADB_8TO64(sizeof (*samsg));
5721 5721 samsg->sadb_msg_errno = ENOENT;
5722 5722 samsg->sadb_x_msg_diagnostic = 0;
5723 5723 return (mp);
5724 5724 }
5725 5725
5726 5726 if ((kmp != 0) || (kmc != 0)) {
5727 5727 cur = sadb_make_kmc_ext(cur, end, kmp, kmc);
5728 5728 if (cur == NULL) {
5729 5729 freeb(mp);
5730 5730 return (NULL);
5731 5731 }
5732 5732 }
5733 5733
5734 5734 eprop->sadb_prop_len = SADB_8TO64(cur - (uint8_t *)eprop);
5735 5735 samsg->sadb_msg_len = SADB_8TO64(cur - start);
5736 5736 mp->b_wptr = cur;
5737 5737
5738 5738 return (mp);
5739 5739 }
5740 5740
5741 5741 /*
5742 5742 * Generic setup of an RFC 2367 ACQUIRE message. Caller sets satype.
5743 5743 *
5744 5744 * NOTE: This function acquires alg_lock as a side-effect if-and-only-if we
5745 5745 * succeed (i.e. return non-NULL). Caller MUST release it. This is to
5746 5746 * maximize code consolidation while preventing algorithm changes from messing
5747 5747 * with the callers finishing touches on the ACQUIRE itself.
5748 5748 */
5749 5749 mblk_t *
5750 5750 sadb_setup_acquire(ipsacq_t *acqrec, uint8_t satype, ipsec_stack_t *ipss)
5751 5751 {
5752 5752 uint_t allocsize;
5753 5753 mblk_t *pfkeymp, *msgmp;
5754 5754 sa_family_t af;
5755 5755 uint8_t *cur, *end;
5756 5756 sadb_msg_t *samsg;
5757 5757 uint16_t sport_typecode;
5758 5758 uint16_t dport_typecode;
5759 5759 uint8_t check_proto;
5760 5760 boolean_t tunnel_mode = (acqrec->ipsacq_inneraddrfam != 0);
5761 5761
5762 5762 ASSERT(MUTEX_HELD(&acqrec->ipsacq_lock));
5763 5763
5764 5764 pfkeymp = sadb_keysock_out(0);
5765 5765 if (pfkeymp == NULL)
5766 5766 return (NULL);
5767 5767
5768 5768 /*
5769 5769 * First, allocate a basic ACQUIRE message
5770 5770 */
5771 5771 allocsize = sizeof (sadb_msg_t) + sizeof (sadb_address_t) +
5772 5772 sizeof (sadb_address_t) + sizeof (sadb_prop_t);
5773 5773
5774 5774 /* Make sure there's enough to cover both AF_INET and AF_INET6. */
5775 5775 allocsize += 2 * sizeof (struct sockaddr_in6);
5776 5776
5777 5777 mutex_enter(&ipss->ipsec_alg_lock);
5778 5778 /* NOTE: The lock is now held through to this function's return. */
5779 5779 allocsize += ipss->ipsec_nalgs[IPSEC_ALG_AUTH] *
5780 5780 ipss->ipsec_nalgs[IPSEC_ALG_ENCR] * sizeof (sadb_comb_t);
5781 5781
5782 5782 if (tunnel_mode) {
5783 5783 /* Tunnel mode! */
5784 5784 allocsize += 2 * sizeof (sadb_address_t);
5785 5785 /* Enough to cover both AF_INET and AF_INET6. */
5786 5786 allocsize += 2 * sizeof (struct sockaddr_in6);
5787 5787 }
5788 5788
5789 5789 msgmp = allocb(allocsize, BPRI_HI);
5790 5790 if (msgmp == NULL) {
5791 5791 freeb(pfkeymp);
5792 5792 mutex_exit(&ipss->ipsec_alg_lock);
5793 5793 return (NULL);
5794 5794 }
5795 5795
5796 5796 pfkeymp->b_cont = msgmp;
5797 5797 cur = msgmp->b_rptr;
5798 5798 end = cur + allocsize;
5799 5799 samsg = (sadb_msg_t *)cur;
5800 5800 cur += sizeof (sadb_msg_t);
5801 5801
5802 5802 af = acqrec->ipsacq_addrfam;
5803 5803 switch (af) {
5804 5804 case AF_INET:
5805 5805 check_proto = IPPROTO_ICMP;
5806 5806 break;
5807 5807 case AF_INET6:
5808 5808 check_proto = IPPROTO_ICMPV6;
5809 5809 break;
5810 5810 default:
5811 5811 /* This should never happen unless we have kernel bugs. */
5812 5812 cmn_err(CE_WARN,
5813 5813 "sadb_setup_acquire: corrupt ACQUIRE record.\n");
5814 5814 ASSERT(0);
5815 5815 mutex_exit(&ipss->ipsec_alg_lock);
5816 5816 return (NULL);
5817 5817 }
5818 5818
5819 5819 samsg->sadb_msg_version = PF_KEY_V2;
5820 5820 samsg->sadb_msg_type = SADB_ACQUIRE;
5821 5821 samsg->sadb_msg_satype = satype;
5822 5822 samsg->sadb_msg_errno = 0;
5823 5823 samsg->sadb_msg_pid = 0;
5824 5824 samsg->sadb_msg_reserved = 0;
5825 5825 samsg->sadb_msg_seq = acqrec->ipsacq_seq;
5826 5826
5827 5827 ASSERT(MUTEX_HELD(&acqrec->ipsacq_lock));
5828 5828
5829 5829 if ((acqrec->ipsacq_proto == check_proto) || tunnel_mode) {
5830 5830 sport_typecode = dport_typecode = 0;
5831 5831 } else {
5832 5832 sport_typecode = acqrec->ipsacq_srcport;
5833 5833 dport_typecode = acqrec->ipsacq_dstport;
5834 5834 }
5835 5835
5836 5836 cur = sadb_make_addr_ext(cur, end, SADB_EXT_ADDRESS_SRC, af,
5837 5837 acqrec->ipsacq_srcaddr, sport_typecode, acqrec->ipsacq_proto, 0);
5838 5838
5839 5839 cur = sadb_make_addr_ext(cur, end, SADB_EXT_ADDRESS_DST, af,
5840 5840 acqrec->ipsacq_dstaddr, dport_typecode, acqrec->ipsacq_proto, 0);
5841 5841
5842 5842 if (tunnel_mode) {
5843 5843 sport_typecode = acqrec->ipsacq_srcport;
5844 5844 dport_typecode = acqrec->ipsacq_dstport;
5845 5845 cur = sadb_make_addr_ext(cur, end, SADB_X_EXT_ADDRESS_INNER_SRC,
5846 5846 acqrec->ipsacq_inneraddrfam, acqrec->ipsacq_innersrc,
5847 5847 sport_typecode, acqrec->ipsacq_inner_proto,
5848 5848 acqrec->ipsacq_innersrcpfx);
5849 5849 cur = sadb_make_addr_ext(cur, end, SADB_X_EXT_ADDRESS_INNER_DST,
5850 5850 acqrec->ipsacq_inneraddrfam, acqrec->ipsacq_innerdst,
5851 5851 dport_typecode, acqrec->ipsacq_inner_proto,
5852 5852 acqrec->ipsacq_innerdstpfx);
5853 5853 }
5854 5854
5855 5855 /* XXX Insert identity information here. */
5856 5856
5857 5857 /* XXXMLS Insert sensitivity information here. */
5858 5858
5859 5859 if (cur != NULL)
5860 5860 samsg->sadb_msg_len = SADB_8TO64(cur - msgmp->b_rptr);
5861 5861 else
5862 5862 mutex_exit(&ipss->ipsec_alg_lock);
5863 5863
5864 5864 return (pfkeymp);
5865 5865 }
5866 5866
5867 5867 /*
5868 5868 * Given an SADB_GETSPI message, find an appropriately ranged SA and
5869 5869 * allocate an SA. If there are message improprieties, return (ipsa_t *)-1.
5870 5870 * If there was a memory allocation error, return NULL. (Assume NULL !=
5871 5871 * (ipsa_t *)-1).
5872 5872 *
5873 5873 * master_spi is passed in host order.
5874 5874 */
5875 5875 ipsa_t *
5876 5876 sadb_getspi(keysock_in_t *ksi, uint32_t master_spi, int *diagnostic,
5877 5877 netstack_t *ns, uint_t sa_type)
5878 5878 {
5879 5879 sadb_address_t *src =
5880 5880 (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_SRC],
5881 5881 *dst = (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_DST];
5882 5882 sadb_spirange_t *range =
5883 5883 (sadb_spirange_t *)ksi->ks_in_extv[SADB_EXT_SPIRANGE];
5884 5884 struct sockaddr_in *ssa, *dsa;
5885 5885 struct sockaddr_in6 *ssa6, *dsa6;
5886 5886 uint32_t *srcaddr, *dstaddr;
5887 5887 sa_family_t af;
5888 5888 uint32_t add, min, max;
5889 5889 uint8_t protocol =
5890 5890 (sa_type == SADB_SATYPE_AH) ? IPPROTO_AH : IPPROTO_ESP;
5891 5891
5892 5892 if (src == NULL) {
5893 5893 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_SRC;
5894 5894 return ((ipsa_t *)-1);
5895 5895 }
5896 5896 if (dst == NULL) {
5897 5897 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_DST;
5898 5898 return ((ipsa_t *)-1);
5899 5899 }
5900 5900 if (range == NULL) {
5901 5901 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_RANGE;
5902 5902 return ((ipsa_t *)-1);
5903 5903 }
5904 5904
5905 5905 min = ntohl(range->sadb_spirange_min);
5906 5906 max = ntohl(range->sadb_spirange_max);
5907 5907 dsa = (struct sockaddr_in *)(dst + 1);
5908 5908 dsa6 = (struct sockaddr_in6 *)dsa;
5909 5909
5910 5910 ssa = (struct sockaddr_in *)(src + 1);
5911 5911 ssa6 = (struct sockaddr_in6 *)ssa;
5912 5912 ASSERT(dsa->sin_family == ssa->sin_family);
5913 5913
5914 5914 srcaddr = ALL_ZEROES_PTR;
5915 5915 af = dsa->sin_family;
5916 5916 switch (af) {
5917 5917 case AF_INET:
5918 5918 if (src != NULL)
5919 5919 srcaddr = (uint32_t *)(&ssa->sin_addr);
5920 5920 dstaddr = (uint32_t *)(&dsa->sin_addr);
5921 5921 break;
5922 5922 case AF_INET6:
5923 5923 if (src != NULL)
5924 5924 srcaddr = (uint32_t *)(&ssa6->sin6_addr);
5925 5925 dstaddr = (uint32_t *)(&dsa6->sin6_addr);
5926 5926 break;
5927 5927 default:
5928 5928 *diagnostic = SADB_X_DIAGNOSTIC_BAD_DST_AF;
5929 5929 return ((ipsa_t *)-1);
5930 5930 }
5931 5931
5932 5932 if (master_spi < min || master_spi > max) {
5933 5933 /* Return a random value in the range. */
5934 5934 if (cl_inet_getspi) {
5935 5935 cl_inet_getspi(ns->netstack_stackid, protocol,
5936 5936 (uint8_t *)&add, sizeof (add), NULL);
5937 5937 } else {
5938 5938 (void) random_get_pseudo_bytes((uint8_t *)&add,
5939 5939 sizeof (add));
5940 5940 }
5941 5941 master_spi = min + (add % (max - min + 1));
5942 5942 }
5943 5943
5944 5944 /*
5945 5945 * Since master_spi is passed in host order, we need to htonl() it
5946 5946 * for the purposes of creating a new SA.
5947 5947 */
5948 5948 return (sadb_makelarvalassoc(htonl(master_spi), srcaddr, dstaddr, af,
5949 5949 ns));
5950 5950 }
5951 5951
5952 5952 /*
5953 5953 *
5954 5954 * Locate an ACQUIRE and nuke it. If I have an samsg that's larger than the
5955 5955 * base header, just ignore it. Otherwise, lock down the whole ACQUIRE list
5956 5956 * and scan for the sequence number in question. I may wish to accept an
5957 5957 * address pair with it, for easier searching.
5958 5958 *
5959 5959 * Caller frees the message, so we don't have to here.
5960 5960 *
5961 5961 * NOTE: The pfkey_q parameter may be used in the future for ACQUIRE
5962 5962 * failures.
5963 5963 */
5964 5964 /* ARGSUSED */
5965 5965 void
5966 5966 sadb_in_acquire(sadb_msg_t *samsg, sadbp_t *sp, queue_t *pfkey_q,
5967 5967 netstack_t *ns)
5968 5968 {
5969 5969 int i;
5970 5970 ipsacq_t *acqrec;
5971 5971 iacqf_t *bucket;
5972 5972
5973 5973 /*
5974 5974 * I only accept the base header for this!
5975 5975 * Though to be honest, requiring the dst address would help
5976 5976 * immensely.
5977 5977 *
5978 5978 * XXX There are already cases where I can get the dst address.
5979 5979 */
5980 5980 if (samsg->sadb_msg_len > SADB_8TO64(sizeof (*samsg)))
5981 5981 return;
5982 5982
5983 5983 /*
5984 5984 * Using the samsg->sadb_msg_seq, find the ACQUIRE record, delete it,
5985 5985 * (and in the future send a message to IP with the appropriate error
5986 5986 * number).
5987 5987 *
5988 5988 * Q: Do I want to reject if pid != 0?
5989 5989 */
5990 5990
5991 5991 for (i = 0; i < sp->s_v4.sdb_hashsize; i++) {
5992 5992 bucket = &sp->s_v4.sdb_acq[i];
5993 5993 mutex_enter(&bucket->iacqf_lock);
5994 5994 for (acqrec = bucket->iacqf_ipsacq; acqrec != NULL;
5995 5995 acqrec = acqrec->ipsacq_next) {
5996 5996 if (samsg->sadb_msg_seq == acqrec->ipsacq_seq)
5997 5997 break; /* for acqrec... loop. */
5998 5998 }
5999 5999 if (acqrec != NULL)
6000 6000 break; /* for i = 0... loop. */
6001 6001
6002 6002 mutex_exit(&bucket->iacqf_lock);
6003 6003 }
6004 6004
6005 6005 if (acqrec == NULL) {
6006 6006 for (i = 0; i < sp->s_v6.sdb_hashsize; i++) {
6007 6007 bucket = &sp->s_v6.sdb_acq[i];
6008 6008 mutex_enter(&bucket->iacqf_lock);
6009 6009 for (acqrec = bucket->iacqf_ipsacq; acqrec != NULL;
6010 6010 acqrec = acqrec->ipsacq_next) {
6011 6011 if (samsg->sadb_msg_seq == acqrec->ipsacq_seq)
6012 6012 break; /* for acqrec... loop. */
6013 6013 }
6014 6014 if (acqrec != NULL)
6015 6015 break; /* for i = 0... loop. */
6016 6016
6017 6017 mutex_exit(&bucket->iacqf_lock);
6018 6018 }
6019 6019 }
6020 6020
6021 6021
6022 6022 if (acqrec == NULL)
6023 6023 return;
6024 6024
6025 6025 /*
6026 6026 * What do I do with the errno and IP? I may need mp's services a
6027 6027 * little more. See sadb_destroy_acquire() for future directions
6028 6028 * beyond free the mblk chain on the acquire record.
6029 6029 */
6030 6030
6031 6031 ASSERT(&bucket->iacqf_lock == acqrec->ipsacq_linklock);
6032 6032 sadb_destroy_acquire(acqrec, ns);
6033 6033 /* Have to exit mutex here, because of breaking out of for loop. */
6034 6034 mutex_exit(&bucket->iacqf_lock);
6035 6035 }
6036 6036
6037 6037 /*
6038 6038 * The following functions work with the replay windows of an SA. They assume
6039 6039 * the ipsa->ipsa_replay_arr is an array of uint64_t, and that the bit vector
6040 6040 * represents the highest sequence number packet received, and back
6041 6041 * (ipsa->ipsa_replay_wsize) packets.
6042 6042 */
6043 6043
6044 6044 /*
6045 6045 * Is the replay bit set?
6046 6046 */
6047 6047 static boolean_t
6048 6048 ipsa_is_replay_set(ipsa_t *ipsa, uint32_t offset)
6049 6049 {
6050 6050 uint64_t bit = (uint64_t)1 << (uint64_t)(offset & 63);
6051 6051
6052 6052 return ((bit & ipsa->ipsa_replay_arr[offset >> 6]) ? B_TRUE : B_FALSE);
6053 6053 }
6054 6054
6055 6055 /*
6056 6056 * Shift the bits of the replay window over.
6057 6057 */
6058 6058 static void
6059 6059 ipsa_shift_replay(ipsa_t *ipsa, uint32_t shift)
6060 6060 {
6061 6061 int i;
6062 6062 int jump = ((shift - 1) >> 6) + 1;
6063 6063
6064 6064 if (shift == 0)
6065 6065 return;
6066 6066
6067 6067 for (i = (ipsa->ipsa_replay_wsize - 1) >> 6; i >= 0; i--) {
6068 6068 if (i + jump <= (ipsa->ipsa_replay_wsize - 1) >> 6) {
6069 6069 ipsa->ipsa_replay_arr[i + jump] |=
6070 6070 ipsa->ipsa_replay_arr[i] >> (64 - (shift & 63));
6071 6071 }
6072 6072 ipsa->ipsa_replay_arr[i] <<= shift;
6073 6073 }
6074 6074 }
6075 6075
6076 6076 /*
6077 6077 * Set a bit in the bit vector.
6078 6078 */
6079 6079 static void
6080 6080 ipsa_set_replay(ipsa_t *ipsa, uint32_t offset)
6081 6081 {
6082 6082 uint64_t bit = (uint64_t)1 << (uint64_t)(offset & 63);
6083 6083
6084 6084 ipsa->ipsa_replay_arr[offset >> 6] |= bit;
6085 6085 }
6086 6086
6087 6087 #define SADB_MAX_REPLAY_VALUE 0xffffffff
6088 6088
6089 6089 /*
6090 6090 * Assume caller has NOT done ntohl() already on seq. Check to see
6091 6091 * if replay sequence number "seq" has been seen already.
6092 6092 */
6093 6093 boolean_t
6094 6094 sadb_replay_check(ipsa_t *ipsa, uint32_t seq)
6095 6095 {
6096 6096 boolean_t rc;
6097 6097 uint32_t diff;
6098 6098
6099 6099 if (ipsa->ipsa_replay_wsize == 0)
6100 6100 return (B_TRUE);
6101 6101
6102 6102 /*
6103 6103 * NOTE: I've already checked for 0 on the wire in sadb_replay_peek().
6104 6104 */
6105 6105
6106 6106 /* Convert sequence number into host order before holding the mutex. */
6107 6107 seq = ntohl(seq);
6108 6108
6109 6109 mutex_enter(&ipsa->ipsa_lock);
6110 6110
6111 6111 /* Initialize inbound SA's ipsa_replay field to last one received. */
6112 6112 if (ipsa->ipsa_replay == 0)
6113 6113 ipsa->ipsa_replay = 1;
6114 6114
6115 6115 if (seq > ipsa->ipsa_replay) {
6116 6116 /*
6117 6117 * I have received a new "highest value received". Shift
6118 6118 * the replay window over.
6119 6119 */
6120 6120 diff = seq - ipsa->ipsa_replay;
6121 6121 if (diff < ipsa->ipsa_replay_wsize) {
6122 6122 /* In replay window, shift bits over. */
6123 6123 ipsa_shift_replay(ipsa, diff);
6124 6124 } else {
6125 6125 /* WAY FAR AHEAD, clear bits and start again. */
6126 6126 bzero(ipsa->ipsa_replay_arr,
6127 6127 sizeof (ipsa->ipsa_replay_arr));
6128 6128 }
6129 6129 ipsa_set_replay(ipsa, 0);
6130 6130 ipsa->ipsa_replay = seq;
6131 6131 rc = B_TRUE;
6132 6132 goto done;
6133 6133 }
6134 6134 diff = ipsa->ipsa_replay - seq;
6135 6135 if (diff >= ipsa->ipsa_replay_wsize || ipsa_is_replay_set(ipsa, diff)) {
6136 6136 rc = B_FALSE;
6137 6137 goto done;
6138 6138 }
6139 6139 /* Set this packet as seen. */
6140 6140 ipsa_set_replay(ipsa, diff);
6141 6141
6142 6142 rc = B_TRUE;
6143 6143 done:
6144 6144 mutex_exit(&ipsa->ipsa_lock);
6145 6145 return (rc);
6146 6146 }
6147 6147
6148 6148 /*
6149 6149 * "Peek" and see if we should even bother going through the effort of
6150 6150 * running an authentication check on the sequence number passed in.
6151 6151 * this takes into account packets that are below the replay window,
6152 6152 * and collisions with already replayed packets. Return B_TRUE if it
6153 6153 * is okay to proceed, B_FALSE if this packet should be dropped immediately.
6154 6154 * Assume same byte-ordering as sadb_replay_check.
6155 6155 */
6156 6156 boolean_t
6157 6157 sadb_replay_peek(ipsa_t *ipsa, uint32_t seq)
6158 6158 {
6159 6159 boolean_t rc = B_FALSE;
6160 6160 uint32_t diff;
6161 6161
6162 6162 if (ipsa->ipsa_replay_wsize == 0)
6163 6163 return (B_TRUE);
6164 6164
6165 6165 /*
6166 6166 * 0 is 0, regardless of byte order... :)
6167 6167 *
6168 6168 * If I get 0 on the wire (and there is a replay window) then the
6169 6169 * sender most likely wrapped. This ipsa may need to be marked or
6170 6170 * something.
6171 6171 */
6172 6172 if (seq == 0)
6173 6173 return (B_FALSE);
6174 6174
6175 6175 seq = ntohl(seq);
6176 6176 mutex_enter(&ipsa->ipsa_lock);
6177 6177 if (seq < ipsa->ipsa_replay - ipsa->ipsa_replay_wsize &&
6178 6178 ipsa->ipsa_replay >= ipsa->ipsa_replay_wsize)
6179 6179 goto done;
6180 6180
6181 6181 /*
6182 6182 * If I've hit 0xffffffff, then quite honestly, I don't need to
6183 6183 * bother with formalities. I'm not accepting any more packets
6184 6184 * on this SA.
6185 6185 */
6186 6186 if (ipsa->ipsa_replay == SADB_MAX_REPLAY_VALUE) {
6187 6187 /*
6188 6188 * Since we're already holding the lock, update the
6189 6189 * expire time ala. sadb_replay_delete() and return.
6190 6190 */
6191 6191 ipsa->ipsa_hardexpiretime = (time_t)1;
6192 6192 goto done;
6193 6193 }
6194 6194
6195 6195 if (seq <= ipsa->ipsa_replay) {
6196 6196 /*
6197 6197 * This seq is in the replay window. I'm not below it,
6198 6198 * because I already checked for that above!
6199 6199 */
6200 6200 diff = ipsa->ipsa_replay - seq;
6201 6201 if (ipsa_is_replay_set(ipsa, diff))
6202 6202 goto done;
6203 6203 }
6204 6204 /* Else return B_TRUE, I'm going to advance the window. */
6205 6205
6206 6206 rc = B_TRUE;
6207 6207 done:
6208 6208 mutex_exit(&ipsa->ipsa_lock);
6209 6209 return (rc);
6210 6210 }
6211 6211
6212 6212 /*
6213 6213 * Delete a single SA.
6214 6214 *
6215 6215 * For now, use the quick-and-dirty trick of making the association's
6216 6216 * hard-expire lifetime (time_t)1, ensuring deletion by the *_ager().
6217 6217 */
6218 6218 void
6219 6219 sadb_replay_delete(ipsa_t *assoc)
6220 6220 {
6221 6221 mutex_enter(&assoc->ipsa_lock);
6222 6222 assoc->ipsa_hardexpiretime = (time_t)1;
6223 6223 mutex_exit(&assoc->ipsa_lock);
6224 6224 }
6225 6225
6226 6226 /*
6227 6227 * Special front-end to ipsec_rl_strlog() dealing with SA failure.
6228 6228 * this is designed to take only a format string with "* %x * %s *", so
6229 6229 * that "spi" is printed first, then "addr" is converted using inet_pton().
6230 6230 *
6231 6231 * This is abstracted out to save the stack space for only when inet_pton()
6232 6232 * is called. Make sure "spi" is in network order; it usually is when this
6233 6233 * would get called.
6234 6234 */
6235 6235 void
6236 6236 ipsec_assocfailure(short mid, short sid, char level, ushort_t sl, char *fmt,
6237 6237 uint32_t spi, void *addr, int af, netstack_t *ns)
6238 6238 {
6239 6239 char buf[INET6_ADDRSTRLEN];
6240 6240
6241 6241 ASSERT(af == AF_INET6 || af == AF_INET);
6242 6242
6243 6243 ipsec_rl_strlog(ns, mid, sid, level, sl, fmt, ntohl(spi),
6244 6244 inet_ntop(af, addr, buf, sizeof (buf)));
6245 6245 }
6246 6246
6247 6247 /*
6248 6248 * Fills in a reference to the policy, if any, from the conn, in *ppp
6249 6249 */
6250 6250 static void
6251 6251 ipsec_conn_pol(ipsec_selector_t *sel, conn_t *connp, ipsec_policy_t **ppp)
6252 6252 {
6253 6253 ipsec_policy_t *pp;
6254 6254 ipsec_latch_t *ipl = connp->conn_latch;
6255 6255
6256 6256 if ((ipl != NULL) && (connp->conn_ixa->ixa_ipsec_policy != NULL)) {
6257 6257 pp = connp->conn_ixa->ixa_ipsec_policy;
6258 6258 IPPOL_REFHOLD(pp);
6259 6259 } else {
6260 6260 pp = ipsec_find_policy(IPSEC_TYPE_OUTBOUND, connp, sel,
6261 6261 connp->conn_netstack);
6262 6262 }
6263 6263 *ppp = pp;
6264 6264 }
6265 6265
6266 6266 /*
6267 6267 * The following functions scan through active conn_t structures
6268 6268 * and return a reference to the best-matching policy it can find.
6269 6269 * Caller must release the reference.
6270 6270 */
6271 6271 static void
6272 6272 ipsec_udp_pol(ipsec_selector_t *sel, ipsec_policy_t **ppp, ip_stack_t *ipst)
6273 6273 {
6274 6274 connf_t *connfp;
6275 6275 conn_t *connp = NULL;
6276 6276 ipsec_selector_t portonly;
6277 6277
6278 6278 bzero((void *)&portonly, sizeof (portonly));
6279 6279
6280 6280 if (sel->ips_local_port == 0)
6281 6281 return;
6282 6282
6283 6283 connfp = &ipst->ips_ipcl_udp_fanout[IPCL_UDP_HASH(sel->ips_local_port,
6284 6284 ipst)];
6285 6285 mutex_enter(&connfp->connf_lock);
6286 6286
6287 6287 if (sel->ips_isv4) {
6288 6288 connp = connfp->connf_head;
6289 6289 while (connp != NULL) {
6290 6290 if (IPCL_UDP_MATCH(connp, sel->ips_local_port,
6291 6291 sel->ips_local_addr_v4, sel->ips_remote_port,
6292 6292 sel->ips_remote_addr_v4))
6293 6293 break;
6294 6294 connp = connp->conn_next;
6295 6295 }
6296 6296
6297 6297 if (connp == NULL) {
6298 6298 /* Try port-only match in IPv6. */
6299 6299 portonly.ips_local_port = sel->ips_local_port;
6300 6300 sel = &portonly;
6301 6301 }
6302 6302 }
6303 6303
6304 6304 if (connp == NULL) {
6305 6305 connp = connfp->connf_head;
6306 6306 while (connp != NULL) {
6307 6307 if (IPCL_UDP_MATCH_V6(connp, sel->ips_local_port,
6308 6308 sel->ips_local_addr_v6, sel->ips_remote_port,
6309 6309 sel->ips_remote_addr_v6))
6310 6310 break;
6311 6311 connp = connp->conn_next;
6312 6312 }
6313 6313
6314 6314 if (connp == NULL) {
6315 6315 mutex_exit(&connfp->connf_lock);
6316 6316 return;
6317 6317 }
6318 6318 }
6319 6319
6320 6320 CONN_INC_REF(connp);
6321 6321 mutex_exit(&connfp->connf_lock);
6322 6322
6323 6323 ipsec_conn_pol(sel, connp, ppp);
6324 6324 CONN_DEC_REF(connp);
6325 6325 }
6326 6326
6327 6327 static conn_t *
6328 6328 ipsec_find_listen_conn(uint16_t *pptr, ipsec_selector_t *sel, ip_stack_t *ipst)
6329 6329 {
6330 6330 connf_t *connfp;
6331 6331 conn_t *connp = NULL;
6332 6332 const in6_addr_t *v6addrmatch = &sel->ips_local_addr_v6;
6333 6333
6334 6334 if (sel->ips_local_port == 0)
6335 6335 return (NULL);
6336 6336
6337 6337 connfp = &ipst->ips_ipcl_bind_fanout[
6338 6338 IPCL_BIND_HASH(sel->ips_local_port, ipst)];
6339 6339 mutex_enter(&connfp->connf_lock);
6340 6340
6341 6341 if (sel->ips_isv4) {
6342 6342 connp = connfp->connf_head;
6343 6343 while (connp != NULL) {
6344 6344 if (IPCL_BIND_MATCH(connp, IPPROTO_TCP,
6345 6345 sel->ips_local_addr_v4, pptr[1]))
6346 6346 break;
6347 6347 connp = connp->conn_next;
6348 6348 }
6349 6349
6350 6350 if (connp == NULL) {
6351 6351 /* Match to all-zeroes. */
6352 6352 v6addrmatch = &ipv6_all_zeros;
6353 6353 }
6354 6354 }
6355 6355
6356 6356 if (connp == NULL) {
6357 6357 connp = connfp->connf_head;
6358 6358 while (connp != NULL) {
6359 6359 if (IPCL_BIND_MATCH_V6(connp, IPPROTO_TCP,
6360 6360 *v6addrmatch, pptr[1]))
6361 6361 break;
6362 6362 connp = connp->conn_next;
6363 6363 }
6364 6364
6365 6365 if (connp == NULL) {
6366 6366 mutex_exit(&connfp->connf_lock);
6367 6367 return (NULL);
6368 6368 }
6369 6369 }
6370 6370
6371 6371 CONN_INC_REF(connp);
6372 6372 mutex_exit(&connfp->connf_lock);
6373 6373 return (connp);
6374 6374 }
6375 6375
6376 6376 static void
6377 6377 ipsec_tcp_pol(ipsec_selector_t *sel, ipsec_policy_t **ppp, ip_stack_t *ipst)
6378 6378 {
6379 6379 connf_t *connfp;
6380 6380 conn_t *connp;
6381 6381 uint32_t ports;
6382 6382 uint16_t *pptr = (uint16_t *)&ports;
6383 6383
6384 6384 /*
6385 6385 * Find TCP state in the following order:
6386 6386 * 1.) Connected conns.
6387 6387 * 2.) Listeners.
6388 6388 *
6389 6389 * Even though #2 will be the common case for inbound traffic, only
6390 6390 * following this order insures correctness.
6391 6391 */
6392 6392
6393 6393 if (sel->ips_local_port == 0)
6394 6394 return;
6395 6395
6396 6396 /*
6397 6397 * 0 should be fport, 1 should be lport. SRC is the local one here.
6398 6398 * See ipsec_construct_inverse_acquire() for details.
6399 6399 */
6400 6400 pptr[0] = sel->ips_remote_port;
6401 6401 pptr[1] = sel->ips_local_port;
6402 6402
6403 6403 connfp = &ipst->ips_ipcl_conn_fanout[
6404 6404 IPCL_CONN_HASH(sel->ips_remote_addr_v4, ports, ipst)];
6405 6405 mutex_enter(&connfp->connf_lock);
6406 6406 connp = connfp->connf_head;
6407 6407
6408 6408 if (sel->ips_isv4) {
6409 6409 while (connp != NULL) {
6410 6410 if (IPCL_CONN_MATCH(connp, IPPROTO_TCP,
6411 6411 sel->ips_remote_addr_v4, sel->ips_local_addr_v4,
6412 6412 ports))
6413 6413 break;
6414 6414 connp = connp->conn_next;
6415 6415 }
6416 6416 } else {
6417 6417 while (connp != NULL) {
6418 6418 if (IPCL_CONN_MATCH_V6(connp, IPPROTO_TCP,
6419 6419 sel->ips_remote_addr_v6, sel->ips_local_addr_v6,
6420 6420 ports))
6421 6421 break;
6422 6422 connp = connp->conn_next;
6423 6423 }
6424 6424 }
6425 6425
6426 6426 if (connp != NULL) {
6427 6427 CONN_INC_REF(connp);
6428 6428 mutex_exit(&connfp->connf_lock);
6429 6429 } else {
6430 6430 mutex_exit(&connfp->connf_lock);
6431 6431
6432 6432 /* Try the listen hash. */
6433 6433 if ((connp = ipsec_find_listen_conn(pptr, sel, ipst)) == NULL)
6434 6434 return;
6435 6435 }
6436 6436
6437 6437 ipsec_conn_pol(sel, connp, ppp);
6438 6438 CONN_DEC_REF(connp);
6439 6439 }
6440 6440
6441 6441 static void
6442 6442 ipsec_sctp_pol(ipsec_selector_t *sel, ipsec_policy_t **ppp,
6443 6443 ip_stack_t *ipst)
6444 6444 {
6445 6445 conn_t *connp;
6446 6446 uint32_t ports;
6447 6447 uint16_t *pptr = (uint16_t *)&ports;
6448 6448
6449 6449 /*
6450 6450 * Find SCP state in the following order:
6451 6451 * 1.) Connected conns.
6452 6452 * 2.) Listeners.
6453 6453 *
6454 6454 * Even though #2 will be the common case for inbound traffic, only
6455 6455 * following this order insures correctness.
6456 6456 */
6457 6457
6458 6458 if (sel->ips_local_port == 0)
6459 6459 return;
6460 6460
6461 6461 /*
6462 6462 * 0 should be fport, 1 should be lport. SRC is the local one here.
6463 6463 * See ipsec_construct_inverse_acquire() for details.
6464 6464 */
6465 6465 pptr[0] = sel->ips_remote_port;
6466 6466 pptr[1] = sel->ips_local_port;
6467 6467
6468 6468 /*
6469 6469 * For labeled systems, there's no need to check the
6470 6470 * label here. It's known to be good as we checked
6471 6471 * before allowing the connection to become bound.
6472 6472 */
6473 6473 if (sel->ips_isv4) {
6474 6474 in6_addr_t src, dst;
6475 6475
6476 6476 IN6_IPADDR_TO_V4MAPPED(sel->ips_remote_addr_v4, &dst);
6477 6477 IN6_IPADDR_TO_V4MAPPED(sel->ips_local_addr_v4, &src);
6478 6478 connp = sctp_find_conn(&dst, &src, ports, ALL_ZONES,
6479 6479 0, ipst->ips_netstack->netstack_sctp);
6480 6480 } else {
6481 6481 connp = sctp_find_conn(&sel->ips_remote_addr_v6,
6482 6482 &sel->ips_local_addr_v6, ports, ALL_ZONES,
6483 6483 0, ipst->ips_netstack->netstack_sctp);
6484 6484 }
6485 6485 if (connp == NULL)
6486 6486 return;
6487 6487 ipsec_conn_pol(sel, connp, ppp);
6488 6488 CONN_DEC_REF(connp);
6489 6489 }
6490 6490
6491 6491 /*
6492 6492 * Fill in a query for the SPD (in "sel") using two PF_KEY address extensions.
6493 6493 * Returns 0 or errno, and always sets *diagnostic to something appropriate
6494 6494 * to PF_KEY.
6495 6495 *
6496 6496 * NOTE: For right now, this function (and ipsec_selector_t for that matter),
6497 6497 * ignore prefix lengths in the address extension. Since we match on first-
6498 6498 * entered policies, this shouldn't matter. Also, since we normalize prefix-
6499 6499 * set addresses to mask out the lower bits, we should get a suitable search
6500 6500 * key for the SPD anyway. This is the function to change if the assumption
6501 6501 * about suitable search keys is wrong.
6502 6502 */
6503 6503 static int
6504 6504 ipsec_get_inverse_acquire_sel(ipsec_selector_t *sel, sadb_address_t *srcext,
6505 6505 sadb_address_t *dstext, int *diagnostic)
6506 6506 {
6507 6507 struct sockaddr_in *src, *dst;
6508 6508 struct sockaddr_in6 *src6, *dst6;
6509 6509
6510 6510 *diagnostic = 0;
6511 6511
6512 6512 bzero(sel, sizeof (*sel));
6513 6513 sel->ips_protocol = srcext->sadb_address_proto;
6514 6514 dst = (struct sockaddr_in *)(dstext + 1);
6515 6515 if (dst->sin_family == AF_INET6) {
6516 6516 dst6 = (struct sockaddr_in6 *)dst;
6517 6517 src6 = (struct sockaddr_in6 *)(srcext + 1);
6518 6518 if (src6->sin6_family != AF_INET6) {
6519 6519 *diagnostic = SADB_X_DIAGNOSTIC_AF_MISMATCH;
6520 6520 return (EINVAL);
6521 6521 }
6522 6522 sel->ips_remote_addr_v6 = dst6->sin6_addr;
6523 6523 sel->ips_local_addr_v6 = src6->sin6_addr;
6524 6524 if (sel->ips_protocol == IPPROTO_ICMPV6) {
6525 6525 sel->ips_is_icmp_inv_acq = 1;
6526 6526 } else {
6527 6527 sel->ips_remote_port = dst6->sin6_port;
6528 6528 sel->ips_local_port = src6->sin6_port;
6529 6529 }
6530 6530 sel->ips_isv4 = B_FALSE;
6531 6531 } else {
6532 6532 src = (struct sockaddr_in *)(srcext + 1);
6533 6533 if (src->sin_family != AF_INET) {
6534 6534 *diagnostic = SADB_X_DIAGNOSTIC_AF_MISMATCH;
6535 6535 return (EINVAL);
6536 6536 }
6537 6537 sel->ips_remote_addr_v4 = dst->sin_addr.s_addr;
6538 6538 sel->ips_local_addr_v4 = src->sin_addr.s_addr;
6539 6539 if (sel->ips_protocol == IPPROTO_ICMP) {
6540 6540 sel->ips_is_icmp_inv_acq = 1;
6541 6541 } else {
6542 6542 sel->ips_remote_port = dst->sin_port;
6543 6543 sel->ips_local_port = src->sin_port;
6544 6544 }
6545 6545 sel->ips_isv4 = B_TRUE;
6546 6546 }
6547 6547 return (0);
6548 6548 }
6549 6549
6550 6550 /*
6551 6551 * We have encapsulation.
6552 6552 * - Lookup tun_t by address and look for an associated
6553 6553 * tunnel policy
6554 6554 * - If there are inner selectors
6555 6555 * - check ITPF_P_TUNNEL and ITPF_P_ACTIVE
6556 6556 * - Look up tunnel policy based on selectors
6557 6557 * - Else
6558 6558 * - Sanity check the negotation
6559 6559 * - If appropriate, fall through to global policy
6560 6560 */
6561 6561 static int
6562 6562 ipsec_tun_pol(ipsec_selector_t *sel, ipsec_policy_t **ppp,
6563 6563 sadb_address_t *innsrcext, sadb_address_t *inndstext, ipsec_tun_pol_t *itp,
6564 6564 int *diagnostic)
6565 6565 {
6566 6566 int err;
6567 6567 ipsec_policy_head_t *polhead;
6568 6568
6569 6569 *diagnostic = 0;
6570 6570
6571 6571 /* Check for inner selectors and act appropriately */
6572 6572
6573 6573 if (innsrcext != NULL) {
6574 6574 /* Inner selectors present */
6575 6575 ASSERT(inndstext != NULL);
6576 6576 if ((itp == NULL) ||
6577 6577 (itp->itp_flags & (ITPF_P_ACTIVE | ITPF_P_TUNNEL)) !=
6578 6578 (ITPF_P_ACTIVE | ITPF_P_TUNNEL)) {
6579 6579 /*
6580 6580 * If inner packet selectors, we must have negotiate
6581 6581 * tunnel and active policy. If the tunnel has
6582 6582 * transport-mode policy set on it, or has no policy,
6583 6583 * fail.
6584 6584 */
6585 6585 return (ENOENT);
6586 6586 } else {
6587 6587 /*
6588 6588 * Reset "sel" to indicate inner selectors. Pass
6589 6589 * inner PF_KEY address extensions for this to happen.
6590 6590 */
6591 6591 if ((err = ipsec_get_inverse_acquire_sel(sel,
6592 6592 innsrcext, inndstext, diagnostic)) != 0)
6593 6593 return (err);
6594 6594 /*
6595 6595 * Now look for a tunnel policy based on those inner
6596 6596 * selectors. (Common code is below.)
6597 6597 */
6598 6598 }
6599 6599 } else {
6600 6600 /* No inner selectors present */
6601 6601 if ((itp == NULL) || !(itp->itp_flags & ITPF_P_ACTIVE)) {
6602 6602 /*
6603 6603 * Transport mode negotiation with no tunnel policy
6604 6604 * configured - return to indicate a global policy
6605 6605 * check is needed.
6606 6606 */
6607 6607 return (0);
6608 6608 } else if (itp->itp_flags & ITPF_P_TUNNEL) {
6609 6609 /* Tunnel mode set with no inner selectors. */
6610 6610 return (ENOENT);
6611 6611 }
6612 6612 /*
6613 6613 * Else, this is a tunnel policy configured with ifconfig(1m)
6614 6614 * or "negotiate transport" with ipsecconf(1m). We have an
6615 6615 * itp with policy set based on any match, so don't bother
6616 6616 * changing fields in "sel".
6617 6617 */
6618 6618 }
6619 6619
6620 6620 ASSERT(itp != NULL);
6621 6621 polhead = itp->itp_policy;
6622 6622 ASSERT(polhead != NULL);
6623 6623 rw_enter(&polhead->iph_lock, RW_READER);
6624 6624 *ppp = ipsec_find_policy_head(NULL, polhead, IPSEC_TYPE_INBOUND, sel);
6625 6625 rw_exit(&polhead->iph_lock);
6626 6626
6627 6627 /*
6628 6628 * Don't default to global if we didn't find a matching policy entry.
6629 6629 * Instead, send ENOENT, just like if we hit a transport-mode tunnel.
6630 6630 */
6631 6631 if (*ppp == NULL)
6632 6632 return (ENOENT);
6633 6633
6634 6634 return (0);
6635 6635 }
6636 6636
6637 6637 /*
6638 6638 * For sctp conn_faddr is the primary address, hence this is of limited
6639 6639 * use for sctp.
6640 6640 */
6641 6641 static void
6642 6642 ipsec_oth_pol(ipsec_selector_t *sel, ipsec_policy_t **ppp,
6643 6643 ip_stack_t *ipst)
6644 6644 {
6645 6645 boolean_t isv4 = sel->ips_isv4;
6646 6646 connf_t *connfp;
6647 6647 conn_t *connp;
6648 6648
6649 6649 if (isv4) {
6650 6650 connfp = &ipst->ips_ipcl_proto_fanout_v4[sel->ips_protocol];
6651 6651 } else {
6652 6652 connfp = &ipst->ips_ipcl_proto_fanout_v6[sel->ips_protocol];
6653 6653 }
6654 6654
6655 6655 mutex_enter(&connfp->connf_lock);
6656 6656 for (connp = connfp->connf_head; connp != NULL;
6657 6657 connp = connp->conn_next) {
6658 6658 if (isv4) {
6659 6659 if ((connp->conn_laddr_v4 == INADDR_ANY ||
6660 6660 connp->conn_laddr_v4 == sel->ips_local_addr_v4) &&
6661 6661 (connp->conn_faddr_v4 == INADDR_ANY ||
6662 6662 connp->conn_faddr_v4 == sel->ips_remote_addr_v4))
6663 6663 break;
6664 6664 } else {
6665 6665 if ((IN6_IS_ADDR_UNSPECIFIED(&connp->conn_laddr_v6) ||
6666 6666 IN6_ARE_ADDR_EQUAL(&connp->conn_laddr_v6,
6667 6667 &sel->ips_local_addr_v6)) &&
6668 6668 (IN6_IS_ADDR_UNSPECIFIED(&connp->conn_faddr_v6) ||
6669 6669 IN6_ARE_ADDR_EQUAL(&connp->conn_faddr_v6,
6670 6670 &sel->ips_remote_addr_v6)))
6671 6671 break;
6672 6672 }
6673 6673 }
6674 6674 if (connp == NULL) {
6675 6675 mutex_exit(&connfp->connf_lock);
6676 6676 return;
6677 6677 }
6678 6678
6679 6679 CONN_INC_REF(connp);
6680 6680 mutex_exit(&connfp->connf_lock);
6681 6681
6682 6682 ipsec_conn_pol(sel, connp, ppp);
6683 6683 CONN_DEC_REF(connp);
6684 6684 }
6685 6685
6686 6686 /*
6687 6687 * Construct an inverse ACQUIRE reply based on:
6688 6688 *
6689 6689 * 1.) Current global policy.
6690 6690 * 2.) An conn_t match depending on what all was passed in the extv[].
6691 6691 * 3.) A tunnel's policy head.
6692 6692 * ...
6693 6693 * N.) Other stuff TBD (e.g. identities)
6694 6694 *
6695 6695 * If there is an error, set sadb_msg_errno and sadb_x_msg_diagnostic
6696 6696 * in this function so the caller can extract them where appropriately.
6697 6697 *
6698 6698 * The SRC address is the local one - just like an outbound ACQUIRE message.
6699 6699 *
6700 6700 * XXX MLS: key management supplies a label which we just reflect back up
6701 6701 * again. clearly we need to involve the label in the rest of the checks.
6702 6702 */
6703 6703 mblk_t *
6704 6704 ipsec_construct_inverse_acquire(sadb_msg_t *samsg, sadb_ext_t *extv[],
6705 6705 netstack_t *ns)
6706 6706 {
6707 6707 int err;
6708 6708 int diagnostic;
6709 6709 sadb_address_t *srcext = (sadb_address_t *)extv[SADB_EXT_ADDRESS_SRC],
6710 6710 *dstext = (sadb_address_t *)extv[SADB_EXT_ADDRESS_DST],
6711 6711 *innsrcext = (sadb_address_t *)extv[SADB_X_EXT_ADDRESS_INNER_SRC],
6712 6712 *inndstext = (sadb_address_t *)extv[SADB_X_EXT_ADDRESS_INNER_DST];
6713 6713 sadb_sens_t *sens = (sadb_sens_t *)extv[SADB_EXT_SENSITIVITY];
6714 6714 struct sockaddr_in6 *src, *dst;
6715 6715 struct sockaddr_in6 *isrc, *idst;
6716 6716 ipsec_tun_pol_t *itp = NULL;
6717 6717 ipsec_policy_t *pp = NULL;
6718 6718 ipsec_selector_t sel, isel;
6719 6719 mblk_t *retmp = NULL;
6720 6720 ip_stack_t *ipst = ns->netstack_ip;
6721 6721
6722 6722
6723 6723 /* Normalize addresses */
6724 6724 if (sadb_addrcheck(NULL, (mblk_t *)samsg, (sadb_ext_t *)srcext, 0, ns)
6725 6725 == KS_IN_ADDR_UNKNOWN) {
6726 6726 err = EINVAL;
6727 6727 diagnostic = SADB_X_DIAGNOSTIC_BAD_SRC;
6728 6728 goto bail;
6729 6729 }
6730 6730 src = (struct sockaddr_in6 *)(srcext + 1);
6731 6731 if (sadb_addrcheck(NULL, (mblk_t *)samsg, (sadb_ext_t *)dstext, 0, ns)
6732 6732 == KS_IN_ADDR_UNKNOWN) {
6733 6733 err = EINVAL;
6734 6734 diagnostic = SADB_X_DIAGNOSTIC_BAD_DST;
6735 6735 goto bail;
6736 6736 }
6737 6737 dst = (struct sockaddr_in6 *)(dstext + 1);
6738 6738 if (src->sin6_family != dst->sin6_family) {
6739 6739 err = EINVAL;
6740 6740 diagnostic = SADB_X_DIAGNOSTIC_AF_MISMATCH;
6741 6741 goto bail;
6742 6742 }
6743 6743
6744 6744 /* Check for tunnel mode and act appropriately */
6745 6745 if (innsrcext != NULL) {
6746 6746 if (inndstext == NULL) {
6747 6747 err = EINVAL;
6748 6748 diagnostic = SADB_X_DIAGNOSTIC_MISSING_INNER_DST;
6749 6749 goto bail;
6750 6750 }
6751 6751 if (sadb_addrcheck(NULL, (mblk_t *)samsg,
6752 6752 (sadb_ext_t *)innsrcext, 0, ns) == KS_IN_ADDR_UNKNOWN) {
6753 6753 err = EINVAL;
6754 6754 diagnostic = SADB_X_DIAGNOSTIC_MALFORMED_INNER_SRC;
6755 6755 goto bail;
6756 6756 }
6757 6757 isrc = (struct sockaddr_in6 *)(innsrcext + 1);
6758 6758 if (sadb_addrcheck(NULL, (mblk_t *)samsg,
6759 6759 (sadb_ext_t *)inndstext, 0, ns) == KS_IN_ADDR_UNKNOWN) {
6760 6760 err = EINVAL;
6761 6761 diagnostic = SADB_X_DIAGNOSTIC_MALFORMED_INNER_DST;
6762 6762 goto bail;
6763 6763 }
6764 6764 idst = (struct sockaddr_in6 *)(inndstext + 1);
6765 6765 if (isrc->sin6_family != idst->sin6_family) {
6766 6766 err = EINVAL;
6767 6767 diagnostic = SADB_X_DIAGNOSTIC_INNER_AF_MISMATCH;
6768 6768 goto bail;
6769 6769 }
6770 6770 if (isrc->sin6_family != AF_INET &&
6771 6771 isrc->sin6_family != AF_INET6) {
6772 6772 err = EINVAL;
6773 6773 diagnostic = SADB_X_DIAGNOSTIC_BAD_INNER_SRC_AF;
6774 6774 goto bail;
6775 6775 }
6776 6776 } else if (inndstext != NULL) {
6777 6777 err = EINVAL;
6778 6778 diagnostic = SADB_X_DIAGNOSTIC_MISSING_INNER_SRC;
6779 6779 goto bail;
6780 6780 }
6781 6781
6782 6782 /* Get selectors first, based on outer addresses */
6783 6783 err = ipsec_get_inverse_acquire_sel(&sel, srcext, dstext, &diagnostic);
6784 6784 if (err != 0)
6785 6785 goto bail;
6786 6786
6787 6787 /* Check for tunnel mode mismatches. */
6788 6788 if (innsrcext != NULL &&
6789 6789 ((isrc->sin6_family == AF_INET &&
6790 6790 sel.ips_protocol != IPPROTO_ENCAP && sel.ips_protocol != 0) ||
6791 6791 (isrc->sin6_family == AF_INET6 &&
6792 6792 sel.ips_protocol != IPPROTO_IPV6 && sel.ips_protocol != 0))) {
6793 6793 err = EPROTOTYPE;
6794 6794 goto bail;
6795 6795 }
6796 6796
6797 6797 /*
6798 6798 * Okay, we have the addresses and other selector information.
6799 6799 * Let's first find a conn...
6800 6800 */
6801 6801 pp = NULL;
6802 6802 switch (sel.ips_protocol) {
6803 6803 case IPPROTO_TCP:
6804 6804 ipsec_tcp_pol(&sel, &pp, ipst);
6805 6805 break;
6806 6806 case IPPROTO_UDP:
6807 6807 ipsec_udp_pol(&sel, &pp, ipst);
6808 6808 break;
6809 6809 case IPPROTO_SCTP:
6810 6810 ipsec_sctp_pol(&sel, &pp, ipst);
6811 6811 break;
6812 6812 case IPPROTO_ENCAP:
6813 6813 case IPPROTO_IPV6:
6814 6814 /*
6815 6815 * Assume sel.ips_remote_addr_* has the right address at
6816 6816 * that exact position.
6817 6817 */
6818 6818 itp = itp_get_byaddr((uint32_t *)(&sel.ips_local_addr_v6),
6819 6819 (uint32_t *)(&sel.ips_remote_addr_v6), src->sin6_family,
6820 6820 ipst);
6821 6821
6822 6822 if (innsrcext == NULL) {
6823 6823 /*
6824 6824 * Transport-mode tunnel, make sure we fake out isel
6825 6825 * to contain something based on the outer protocol.
6826 6826 */
6827 6827 bzero(&isel, sizeof (isel));
6828 6828 isel.ips_isv4 = (sel.ips_protocol == IPPROTO_ENCAP);
6829 6829 } /* Else isel is initialized by ipsec_tun_pol(). */
6830 6830 err = ipsec_tun_pol(&isel, &pp, innsrcext, inndstext, itp,
6831 6831 &diagnostic);
6832 6832 /*
6833 6833 * NOTE: isel isn't used for now, but in RFC 430x IPsec, it
6834 6834 * may be.
6835 6835 */
6836 6836 if (err != 0)
6837 6837 goto bail;
6838 6838 break;
6839 6839 default:
6840 6840 ipsec_oth_pol(&sel, &pp, ipst);
6841 6841 break;
6842 6842 }
6843 6843
6844 6844 /*
6845 6845 * If we didn't find a matching conn_t or other policy head, take a
6846 6846 * look in the global policy.
6847 6847 */
6848 6848 if (pp == NULL) {
6849 6849 pp = ipsec_find_policy(IPSEC_TYPE_OUTBOUND, NULL, &sel, ns);
6850 6850 if (pp == NULL) {
6851 6851 /* There's no global policy. */
6852 6852 err = ENOENT;
6853 6853 diagnostic = 0;
6854 6854 goto bail;
6855 6855 }
6856 6856 }
6857 6857
6858 6858 /*
6859 6859 * Now that we have a policy entry/widget, construct an ACQUIRE
6860 6860 * message based on that, fix fields where appropriate,
6861 6861 * and return the message.
6862 6862 */
6863 6863 retmp = sadb_extended_acquire(&sel, pp, NULL,
6864 6864 (itp != NULL && (itp->itp_flags & ITPF_P_TUNNEL)),
6865 6865 samsg->sadb_msg_seq, samsg->sadb_msg_pid, sens, ns);
6866 6866 if (pp != NULL) {
6867 6867 IPPOL_REFRELE(pp);
6868 6868 }
6869 6869 ASSERT(err == 0 && diagnostic == 0);
6870 6870 if (retmp == NULL)
6871 6871 err = ENOMEM;
6872 6872 bail:
6873 6873 if (itp != NULL) {
6874 6874 ITP_REFRELE(itp, ns);
6875 6875 }
6876 6876 samsg->sadb_msg_errno = (uint8_t)err;
6877 6877 samsg->sadb_x_msg_diagnostic = (uint16_t)diagnostic;
6878 6878 return (retmp);
6879 6879 }
6880 6880
6881 6881 /*
6882 6882 * ipsa_lpkt is a one-element queue, only manipulated by the next two
6883 6883 * functions. They have to hold the ipsa_lock because of potential races
6884 6884 * between key management using SADB_UPDATE, and inbound packets that may
6885 6885 * queue up on the larval SA (hence the 'l' in "lpkt").
6886 6886 */
6887 6887
6888 6888 /*
6889 6889 * sadb_set_lpkt:
6890 6890 *
6891 6891 * Returns the passed-in packet if the SA is no longer larval.
6892 6892 *
6893 6893 * Returns NULL if the SA is larval, and needs to be swapped into the SA for
6894 6894 * processing after an SADB_UPDATE.
6895 6895 */
6896 6896 mblk_t *
6897 6897 sadb_set_lpkt(ipsa_t *ipsa, mblk_t *npkt, ip_recv_attr_t *ira)
6898 6898 {
6899 6899 mblk_t *opkt;
6900 6900
6901 6901 mutex_enter(&ipsa->ipsa_lock);
6902 6902 opkt = ipsa->ipsa_lpkt;
6903 6903 if (ipsa->ipsa_state == IPSA_STATE_LARVAL) {
6904 6904 /*
6905 6905 * Consume npkt and place it in the LARVAL SA's inbound
6906 6906 * packet slot.
6907 6907 */
6908 6908 mblk_t *attrmp;
6909 6909
6910 6910 attrmp = ip_recv_attr_to_mblk(ira);
6911 6911 if (attrmp == NULL) {
6912 6912 ill_t *ill = ira->ira_ill;
6913 6913
6914 6914 BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
6915 6915 ip_drop_input("ipIfStatsInDiscards", npkt, ill);
6916 6916 freemsg(npkt);
6917 6917 opkt = NULL;
6918 6918 } else {
6919 6919 ASSERT(attrmp->b_cont == NULL);
6920 6920 attrmp->b_cont = npkt;
6921 6921 ipsa->ipsa_lpkt = attrmp;
6922 6922 }
6923 6923 npkt = NULL;
6924 6924 } else {
6925 6925 /*
6926 6926 * If not larval, we lost the race. NOTE: ipsa_lpkt may still
6927 6927 * have been non-NULL in the non-larval case, because of
6928 6928 * inbound packets arriving prior to sadb_common_add()
6929 6929 * transferring the SA completely out of larval state, but
6930 6930 * after lpkt was grabbed by the AH/ESP-specific add routines.
6931 6931 * We should clear the old ipsa_lpkt in this case to make sure
6932 6932 * that it doesn't linger on the now-MATURE IPsec SA, or get
6933 6933 * picked up as an out-of-order packet.
6934 6934 */
6935 6935 ipsa->ipsa_lpkt = NULL;
6936 6936 }
6937 6937 mutex_exit(&ipsa->ipsa_lock);
6938 6938
6939 6939 if (opkt != NULL) {
6940 6940 ipsec_stack_t *ipss;
6941 6941
6942 6942 ipss = ira->ira_ill->ill_ipst->ips_netstack->netstack_ipsec;
6943 6943 opkt = ip_recv_attr_free_mblk(opkt);
6944 6944 ip_drop_packet(opkt, B_TRUE, ira->ira_ill,
6945 6945 DROPPER(ipss, ipds_sadb_inlarval_replace),
6946 6946 &ipss->ipsec_sadb_dropper);
6947 6947 }
6948 6948 return (npkt);
6949 6949 }
6950 6950
6951 6951 /*
6952 6952 * sadb_clear_lpkt: Atomically clear ipsa->ipsa_lpkt and return the
6953 6953 * previous value.
6954 6954 */
6955 6955 mblk_t *
6956 6956 sadb_clear_lpkt(ipsa_t *ipsa)
6957 6957 {
6958 6958 mblk_t *opkt;
6959 6959
6960 6960 mutex_enter(&ipsa->ipsa_lock);
6961 6961 opkt = ipsa->ipsa_lpkt;
6962 6962 ipsa->ipsa_lpkt = NULL;
6963 6963 mutex_exit(&ipsa->ipsa_lock);
6964 6964 return (opkt);
6965 6965 }
6966 6966
6967 6967 /*
6968 6968 * Buffer a packet that's in IDLE state as set by Solaris Clustering.
6969 6969 */
6970 6970 void
6971 6971 sadb_buf_pkt(ipsa_t *ipsa, mblk_t *bpkt, ip_recv_attr_t *ira)
6972 6972 {
6973 6973 netstack_t *ns = ira->ira_ill->ill_ipst->ips_netstack;
6974 6974 ipsec_stack_t *ipss = ns->netstack_ipsec;
6975 6975 in6_addr_t *srcaddr = (in6_addr_t *)(&ipsa->ipsa_srcaddr);
6976 6976 in6_addr_t *dstaddr = (in6_addr_t *)(&ipsa->ipsa_dstaddr);
6977 6977 mblk_t *mp;
6978 6978
6979 6979 ASSERT(ipsa->ipsa_state == IPSA_STATE_IDLE);
6980 6980
6981 6981 if (cl_inet_idlesa == NULL) {
6982 6982 ip_drop_packet(bpkt, B_TRUE, ira->ira_ill,
6983 6983 DROPPER(ipss, ipds_sadb_inidle_overflow),
6984 6984 &ipss->ipsec_sadb_dropper);
6985 6985 return;
6986 6986 }
6987 6987
6988 6988 cl_inet_idlesa(ns->netstack_stackid,
6989 6989 (ipsa->ipsa_type == SADB_SATYPE_AH) ? IPPROTO_AH : IPPROTO_ESP,
6990 6990 ipsa->ipsa_spi, ipsa->ipsa_addrfam, *srcaddr, *dstaddr, NULL);
6991 6991
6992 6992 mp = ip_recv_attr_to_mblk(ira);
6993 6993 if (mp == NULL) {
6994 6994 ip_drop_packet(bpkt, B_TRUE, ira->ira_ill,
6995 6995 DROPPER(ipss, ipds_sadb_inidle_overflow),
6996 6996 &ipss->ipsec_sadb_dropper);
6997 6997 return;
6998 6998 }
6999 6999 linkb(mp, bpkt);
7000 7000
7001 7001 mutex_enter(&ipsa->ipsa_lock);
7002 7002 ipsa->ipsa_mblkcnt++;
7003 7003 if (ipsa->ipsa_bpkt_head == NULL) {
7004 7004 ipsa->ipsa_bpkt_head = ipsa->ipsa_bpkt_tail = bpkt;
7005 7005 } else {
7006 7006 ipsa->ipsa_bpkt_tail->b_next = bpkt;
7007 7007 ipsa->ipsa_bpkt_tail = bpkt;
7008 7008 if (ipsa->ipsa_mblkcnt > SADB_MAX_IDLEPKTS) {
7009 7009 mblk_t *tmp;
7010 7010
7011 7011 tmp = ipsa->ipsa_bpkt_head;
7012 7012 ipsa->ipsa_bpkt_head = ipsa->ipsa_bpkt_head->b_next;
7013 7013 tmp = ip_recv_attr_free_mblk(tmp);
7014 7014 ip_drop_packet(tmp, B_TRUE, NULL,
7015 7015 DROPPER(ipss, ipds_sadb_inidle_overflow),
7016 7016 &ipss->ipsec_sadb_dropper);
7017 7017 ipsa->ipsa_mblkcnt --;
7018 7018 }
7019 7019 }
7020 7020 mutex_exit(&ipsa->ipsa_lock);
7021 7021 }
7022 7022
7023 7023 /*
7024 7024 * Stub function that taskq_dispatch() invokes to take the mblk (in arg)
7025 7025 * and put into STREAMS again.
7026 7026 */
7027 7027 void
7028 7028 sadb_clear_buf_pkt(void *ipkt)
7029 7029 {
7030 7030 mblk_t *tmp, *buf_pkt;
7031 7031 ip_recv_attr_t iras;
7032 7032
7033 7033 buf_pkt = (mblk_t *)ipkt;
7034 7034
7035 7035 while (buf_pkt != NULL) {
7036 7036 mblk_t *data_mp;
7037 7037
7038 7038 tmp = buf_pkt->b_next;
7039 7039 buf_pkt->b_next = NULL;
7040 7040
7041 7041 data_mp = buf_pkt->b_cont;
7042 7042 buf_pkt->b_cont = NULL;
7043 7043 if (!ip_recv_attr_from_mblk(buf_pkt, &iras)) {
7044 7044 /* The ill or ip_stack_t disappeared on us. */
7045 7045 ip_drop_input("ip_recv_attr_from_mblk", data_mp, NULL);
7046 7046 freemsg(data_mp);
7047 7047 } else {
7048 7048 ip_input_post_ipsec(data_mp, &iras);
7049 7049 }
7050 7050 ira_cleanup(&iras, B_TRUE);
7051 7051 buf_pkt = tmp;
7052 7052 }
7053 7053 }
7054 7054 /*
7055 7055 * Walker callback used by sadb_alg_update() to free/create crypto
7056 7056 * context template when a crypto software provider is removed or
7057 7057 * added.
7058 7058 */
7059 7059
7060 7060 struct sadb_update_alg_state {
7061 7061 ipsec_algtype_t alg_type;
7062 7062 uint8_t alg_id;
7063 7063 boolean_t is_added;
7064 7064 boolean_t async_auth;
7065 7065 boolean_t async_encr;
7066 7066 };
7067 7067
7068 7068 static void
7069 7069 sadb_alg_update_cb(isaf_t *head, ipsa_t *entry, void *cookie)
7070 7070 {
7071 7071 struct sadb_update_alg_state *update_state =
7072 7072 (struct sadb_update_alg_state *)cookie;
7073 7073 crypto_ctx_template_t *ctx_tmpl = NULL;
7074 7074
7075 7075 ASSERT(MUTEX_HELD(&head->isaf_lock));
7076 7076
7077 7077 if (entry->ipsa_state == IPSA_STATE_LARVAL)
7078 7078 return;
7079 7079
7080 7080 mutex_enter(&entry->ipsa_lock);
7081 7081
7082 7082 if ((entry->ipsa_encr_alg != SADB_EALG_NONE && entry->ipsa_encr_alg !=
7083 7083 SADB_EALG_NULL && update_state->async_encr) ||
7084 7084 (entry->ipsa_auth_alg != SADB_AALG_NONE &&
7085 7085 update_state->async_auth)) {
7086 7086 entry->ipsa_flags |= IPSA_F_ASYNC;
7087 7087 } else {
7088 7088 entry->ipsa_flags &= ~IPSA_F_ASYNC;
7089 7089 }
7090 7090
7091 7091 switch (update_state->alg_type) {
7092 7092 case IPSEC_ALG_AUTH:
7093 7093 if (entry->ipsa_auth_alg == update_state->alg_id)
7094 7094 ctx_tmpl = &entry->ipsa_authtmpl;
7095 7095 break;
7096 7096 case IPSEC_ALG_ENCR:
7097 7097 if (entry->ipsa_encr_alg == update_state->alg_id)
7098 7098 ctx_tmpl = &entry->ipsa_encrtmpl;
7099 7099 break;
7100 7100 default:
7101 7101 ctx_tmpl = NULL;
7102 7102 }
7103 7103
7104 7104 if (ctx_tmpl == NULL) {
7105 7105 mutex_exit(&entry->ipsa_lock);
7106 7106 return;
7107 7107 }
7108 7108
7109 7109 /*
7110 7110 * The context template of the SA may be affected by the change
7111 7111 * of crypto provider.
7112 7112 */
7113 7113 if (update_state->is_added) {
7114 7114 /* create the context template if not already done */
7115 7115 if (*ctx_tmpl == NULL) {
7116 7116 (void) ipsec_create_ctx_tmpl(entry,
7117 7117 update_state->alg_type);
7118 7118 }
7119 7119 } else {
7120 7120 /*
7121 7121 * The crypto provider was removed. If the context template
7122 7122 * exists but it is no longer valid, free it.
7123 7123 */
7124 7124 if (*ctx_tmpl != NULL)
7125 7125 ipsec_destroy_ctx_tmpl(entry, update_state->alg_type);
7126 7126 }
7127 7127
7128 7128 mutex_exit(&entry->ipsa_lock);
7129 7129 }
7130 7130
7131 7131 /*
7132 7132 * Invoked by IP when an software crypto provider has been updated, or if
7133 7133 * the crypto synchrony changes. The type and id of the corresponding
7134 7134 * algorithm is passed as argument. The type is set to ALL in the case of
7135 7135 * a synchrony change.
7136 7136 *
7137 7137 * is_added is B_TRUE if the provider was added, B_FALSE if it was
7138 7138 * removed. The function updates the SADB and free/creates the
7139 7139 * context templates associated with SAs if needed.
7140 7140 */
7141 7141
7142 7142 #define SADB_ALG_UPDATE_WALK(sadb, table) \
7143 7143 sadb_walker((sadb).table, (sadb).sdb_hashsize, sadb_alg_update_cb, \
7144 7144 &update_state)
7145 7145
7146 7146 void
7147 7147 sadb_alg_update(ipsec_algtype_t alg_type, uint8_t alg_id, boolean_t is_added,
7148 7148 netstack_t *ns)
7149 7149 {
7150 7150 struct sadb_update_alg_state update_state;
7151 7151 ipsecah_stack_t *ahstack = ns->netstack_ipsecah;
7152 7152 ipsecesp_stack_t *espstack = ns->netstack_ipsecesp;
7153 7153 ipsec_stack_t *ipss = ns->netstack_ipsec;
7154 7154
7155 7155 update_state.alg_type = alg_type;
7156 7156 update_state.alg_id = alg_id;
7157 7157 update_state.is_added = is_added;
7158 7158 update_state.async_auth = ipss->ipsec_algs_exec_mode[IPSEC_ALG_AUTH] ==
7159 7159 IPSEC_ALGS_EXEC_ASYNC;
7160 7160 update_state.async_encr = ipss->ipsec_algs_exec_mode[IPSEC_ALG_ENCR] ==
7161 7161 IPSEC_ALGS_EXEC_ASYNC;
7162 7162
7163 7163 if (alg_type == IPSEC_ALG_AUTH || alg_type == IPSEC_ALG_ALL) {
7164 7164 /* walk the AH tables only for auth. algorithm changes */
7165 7165 SADB_ALG_UPDATE_WALK(ahstack->ah_sadb.s_v4, sdb_of);
7166 7166 SADB_ALG_UPDATE_WALK(ahstack->ah_sadb.s_v4, sdb_if);
7167 7167 SADB_ALG_UPDATE_WALK(ahstack->ah_sadb.s_v6, sdb_of);
7168 7168 SADB_ALG_UPDATE_WALK(ahstack->ah_sadb.s_v6, sdb_if);
7169 7169 }
7170 7170
7171 7171 /* walk the ESP tables */
7172 7172 SADB_ALG_UPDATE_WALK(espstack->esp_sadb.s_v4, sdb_of);
7173 7173 SADB_ALG_UPDATE_WALK(espstack->esp_sadb.s_v4, sdb_if);
7174 7174 SADB_ALG_UPDATE_WALK(espstack->esp_sadb.s_v6, sdb_of);
7175 7175 SADB_ALG_UPDATE_WALK(espstack->esp_sadb.s_v6, sdb_if);
7176 7176 }
7177 7177
7178 7178 /*
7179 7179 * Creates a context template for the specified SA. This function
7180 7180 * is called when an SA is created and when a context template needs
7181 7181 * to be created due to a change of software provider.
7182 7182 */
7183 7183 int
7184 7184 ipsec_create_ctx_tmpl(ipsa_t *sa, ipsec_algtype_t alg_type)
7185 7185 {
7186 7186 ipsec_alginfo_t *alg;
7187 7187 crypto_mechanism_t mech;
7188 7188 crypto_key_t *key;
7189 7189 crypto_ctx_template_t *sa_tmpl;
7190 7190 int rv;
7191 7191 ipsec_stack_t *ipss = sa->ipsa_netstack->netstack_ipsec;
7192 7192
7193 7193 ASSERT(MUTEX_HELD(&ipss->ipsec_alg_lock));
7194 7194 ASSERT(MUTEX_HELD(&sa->ipsa_lock));
7195 7195
7196 7196 /* get pointers to the algorithm info, context template, and key */
7197 7197 switch (alg_type) {
7198 7198 case IPSEC_ALG_AUTH:
7199 7199 key = &sa->ipsa_kcfauthkey;
7200 7200 sa_tmpl = &sa->ipsa_authtmpl;
7201 7201 alg = ipss->ipsec_alglists[alg_type][sa->ipsa_auth_alg];
7202 7202 break;
7203 7203 case IPSEC_ALG_ENCR:
7204 7204 key = &sa->ipsa_kcfencrkey;
7205 7205 sa_tmpl = &sa->ipsa_encrtmpl;
7206 7206 alg = ipss->ipsec_alglists[alg_type][sa->ipsa_encr_alg];
7207 7207 break;
7208 7208 default:
7209 7209 alg = NULL;
7210 7210 }
7211 7211
7212 7212 if (alg == NULL || !ALG_VALID(alg))
7213 7213 return (EINVAL);
7214 7214
7215 7215 /* initialize the mech info structure for the framework */
7216 7216 ASSERT(alg->alg_mech_type != CRYPTO_MECHANISM_INVALID);
7217 7217 mech.cm_type = alg->alg_mech_type;
7218 7218 mech.cm_param = NULL;
7219 7219 mech.cm_param_len = 0;
7220 7220
7221 7221 /* create a new context template */
7222 7222 rv = crypto_create_ctx_template(&mech, key, sa_tmpl, KM_NOSLEEP);
7223 7223
7224 7224 /*
7225 7225 * CRYPTO_MECH_NOT_SUPPORTED can be returned if only hardware
7226 7226 * providers are available for that mechanism. In that case
7227 7227 * we don't fail, and will generate the context template from
7228 7228 * the framework callback when a software provider for that
7229 7229 * mechanism registers.
7230 7230 *
7231 7231 * The context template is assigned the special value
7232 7232 * IPSEC_CTX_TMPL_ALLOC if the allocation failed due to a
7233 7233 * lack of memory. No attempt will be made to use
7234 7234 * the context template if it is set to this value.
7235 7235 */
7236 7236 if (rv == CRYPTO_HOST_MEMORY) {
7237 7237 *sa_tmpl = IPSEC_CTX_TMPL_ALLOC;
7238 7238 } else if (rv != CRYPTO_SUCCESS) {
7239 7239 *sa_tmpl = NULL;
7240 7240 if (rv != CRYPTO_MECH_NOT_SUPPORTED)
7241 7241 return (EINVAL);
7242 7242 }
7243 7243
7244 7244 return (0);
7245 7245 }
7246 7246
7247 7247 /*
7248 7248 * Destroy the context template of the specified algorithm type
7249 7249 * of the specified SA. Must be called while holding the SA lock.
7250 7250 */
7251 7251 void
7252 7252 ipsec_destroy_ctx_tmpl(ipsa_t *sa, ipsec_algtype_t alg_type)
7253 7253 {
7254 7254 ASSERT(MUTEX_HELD(&sa->ipsa_lock));
7255 7255
7256 7256 if (alg_type == IPSEC_ALG_AUTH) {
7257 7257 if (sa->ipsa_authtmpl == IPSEC_CTX_TMPL_ALLOC)
7258 7258 sa->ipsa_authtmpl = NULL;
7259 7259 else if (sa->ipsa_authtmpl != NULL) {
7260 7260 crypto_destroy_ctx_template(sa->ipsa_authtmpl);
7261 7261 sa->ipsa_authtmpl = NULL;
7262 7262 }
7263 7263 } else {
7264 7264 ASSERT(alg_type == IPSEC_ALG_ENCR);
7265 7265 if (sa->ipsa_encrtmpl == IPSEC_CTX_TMPL_ALLOC)
7266 7266 sa->ipsa_encrtmpl = NULL;
7267 7267 else if (sa->ipsa_encrtmpl != NULL) {
7268 7268 crypto_destroy_ctx_template(sa->ipsa_encrtmpl);
7269 7269 sa->ipsa_encrtmpl = NULL;
7270 7270 }
7271 7271 }
7272 7272 }
7273 7273
7274 7274 /*
7275 7275 * Use the kernel crypto framework to check the validity of a key received
7276 7276 * via keysock. Returns 0 if the key is OK, -1 otherwise.
7277 7277 */
7278 7278 int
7279 7279 ipsec_check_key(crypto_mech_type_t mech_type, sadb_key_t *sadb_key,
7280 7280 boolean_t is_auth, int *diag)
7281 7281 {
7282 7282 crypto_mechanism_t mech;
7283 7283 crypto_key_t crypto_key;
7284 7284 int crypto_rc;
7285 7285
7286 7286 mech.cm_type = mech_type;
7287 7287 mech.cm_param = NULL;
7288 7288 mech.cm_param_len = 0;
7289 7289
7290 7290 crypto_key.ck_format = CRYPTO_KEY_RAW;
7291 7291 crypto_key.ck_data = sadb_key + 1;
7292 7292 crypto_key.ck_length = sadb_key->sadb_key_bits;
7293 7293
7294 7294 crypto_rc = crypto_key_check(&mech, &crypto_key);
7295 7295
7296 7296 switch (crypto_rc) {
7297 7297 case CRYPTO_SUCCESS:
7298 7298 return (0);
7299 7299 case CRYPTO_MECHANISM_INVALID:
7300 7300 case CRYPTO_MECH_NOT_SUPPORTED:
7301 7301 *diag = is_auth ? SADB_X_DIAGNOSTIC_BAD_AALG :
7302 7302 SADB_X_DIAGNOSTIC_BAD_EALG;
7303 7303 break;
7304 7304 case CRYPTO_KEY_SIZE_RANGE:
7305 7305 *diag = is_auth ? SADB_X_DIAGNOSTIC_BAD_AKEYBITS :
7306 7306 SADB_X_DIAGNOSTIC_BAD_EKEYBITS;
7307 7307 break;
7308 7308 case CRYPTO_WEAK_KEY:
7309 7309 *diag = is_auth ? SADB_X_DIAGNOSTIC_WEAK_AKEY :
7310 7310 SADB_X_DIAGNOSTIC_WEAK_EKEY;
7311 7311 break;
7312 7312 }
7313 7313
7314 7314 return (-1);
7315 7315 }
7316 7316
7317 7317 /*
7318 7318 * Whack options in the outer IP header when ipsec changes the outer label
7319 7319 *
7320 7320 * This is inelegant and really could use refactoring.
7321 7321 */
7322 7322 mblk_t *
7323 7323 sadb_whack_label_v4(mblk_t *mp, ipsa_t *assoc, kstat_named_t *counter,
7324 7324 ipdropper_t *dropper)
7325 7325 {
7326 7326 int delta;
7327 7327 int plen;
7328 7328 dblk_t *db;
7329 7329 int hlen;
7330 7330 uint8_t *opt_storage = assoc->ipsa_opt_storage;
7331 7331 ipha_t *ipha = (ipha_t *)mp->b_rptr;
7332 7332
7333 7333 plen = ntohs(ipha->ipha_length);
7334 7334
7335 7335 delta = tsol_remove_secopt(ipha, MBLKL(mp));
7336 7336 mp->b_wptr += delta;
7337 7337 plen += delta;
7338 7338
7339 7339 /* XXX XXX code copied from tsol_check_label */
7340 7340
7341 7341 /* Make sure we have room for the worst-case addition */
7342 7342 hlen = IPH_HDR_LENGTH(ipha) + opt_storage[IPOPT_OLEN];
7343 7343 hlen = (hlen + 3) & ~3;
7344 7344 if (hlen > IP_MAX_HDR_LENGTH)
7345 7345 hlen = IP_MAX_HDR_LENGTH;
7346 7346 hlen -= IPH_HDR_LENGTH(ipha);
7347 7347
7348 7348 db = mp->b_datap;
7349 7349 if ((db->db_ref != 1) || (mp->b_wptr + hlen > db->db_lim)) {
7350 7350 int copylen;
7351 7351 mblk_t *new_mp;
7352 7352
7353 7353 /* allocate enough to be meaningful, but not *too* much */
7354 7354 copylen = MBLKL(mp);
7355 7355 if (copylen > 256)
7356 7356 copylen = 256;
7357 7357 new_mp = allocb_tmpl(hlen + copylen +
7358 7358 (mp->b_rptr - mp->b_datap->db_base), mp);
7359 7359
7360 7360 if (new_mp == NULL) {
7361 7361 ip_drop_packet(mp, B_FALSE, NULL, counter, dropper);
7362 7362 return (NULL);
7363 7363 }
7364 7364
7365 7365 /* keep the bias */
7366 7366 new_mp->b_rptr += mp->b_rptr - mp->b_datap->db_base;
7367 7367 new_mp->b_wptr = new_mp->b_rptr + copylen;
7368 7368 bcopy(mp->b_rptr, new_mp->b_rptr, copylen);
7369 7369 new_mp->b_cont = mp;
7370 7370 if ((mp->b_rptr += copylen) >= mp->b_wptr) {
7371 7371 new_mp->b_cont = mp->b_cont;
7372 7372 freeb(mp);
7373 7373 }
7374 7374 mp = new_mp;
7375 7375 ipha = (ipha_t *)mp->b_rptr;
7376 7376 }
7377 7377
7378 7378 delta = tsol_prepend_option(assoc->ipsa_opt_storage, ipha, MBLKL(mp));
7379 7379
7380 7380 ASSERT(delta != -1);
7381 7381
7382 7382 plen += delta;
7383 7383 mp->b_wptr += delta;
7384 7384
7385 7385 /*
7386 7386 * Paranoia
7387 7387 */
7388 7388 db = mp->b_datap;
7389 7389
7390 7390 ASSERT3P(mp->b_wptr, <=, db->db_lim);
7391 7391 ASSERT3P(mp->b_rptr, <=, db->db_lim);
7392 7392
7393 7393 ASSERT3P(mp->b_wptr, >=, db->db_base);
7394 7394 ASSERT3P(mp->b_rptr, >=, db->db_base);
7395 7395 /* End paranoia */
7396 7396
7397 7397 ipha->ipha_length = htons(plen);
7398 7398
7399 7399 return (mp);
7400 7400 }
7401 7401
7402 7402 mblk_t *
7403 7403 sadb_whack_label_v6(mblk_t *mp, ipsa_t *assoc, kstat_named_t *counter,
7404 7404 ipdropper_t *dropper)
7405 7405 {
7406 7406 int delta;
7407 7407 int plen;
7408 7408 dblk_t *db;
7409 7409 int hlen;
7410 7410 uint8_t *opt_storage = assoc->ipsa_opt_storage;
7411 7411 uint_t sec_opt_len; /* label option length not including type, len */
7412 7412 ip6_t *ip6h = (ip6_t *)mp->b_rptr;
7413 7413
7414 7414 plen = ntohs(ip6h->ip6_plen);
7415 7415
7416 7416 delta = tsol_remove_secopt_v6(ip6h, MBLKL(mp));
7417 7417 mp->b_wptr += delta;
7418 7418 plen += delta;
7419 7419
7420 7420 /* XXX XXX code copied from tsol_check_label_v6 */
7421 7421 /*
7422 7422 * Make sure we have room for the worst-case addition. Add 2 bytes for
7423 7423 * the hop-by-hop ext header's next header and length fields. Add
7424 7424 * another 2 bytes for the label option type, len and then round
7425 7425 * up to the next 8-byte multiple.
7426 7426 */
7427 7427 sec_opt_len = opt_storage[1];
7428 7428
7429 7429 db = mp->b_datap;
7430 7430 hlen = (4 + sec_opt_len + 7) & ~7;
7431 7431
7432 7432 if ((db->db_ref != 1) || (mp->b_wptr + hlen > db->db_lim)) {
7433 7433 int copylen;
7434 7434 mblk_t *new_mp;
7435 7435 uint16_t hdr_len;
7436 7436
7437 7437 hdr_len = ip_hdr_length_v6(mp, ip6h);
7438 7438 /*
7439 7439 * Allocate enough to be meaningful, but not *too* much.
7440 7440 * Also all the IPv6 extension headers must be in the same mblk
7441 7441 */
7442 7442 copylen = MBLKL(mp);
7443 7443 if (copylen > 256)
7444 7444 copylen = 256;
7445 7445 if (copylen < hdr_len)
7446 7446 copylen = hdr_len;
7447 7447 new_mp = allocb_tmpl(hlen + copylen +
7448 7448 (mp->b_rptr - mp->b_datap->db_base), mp);
7449 7449 if (new_mp == NULL) {
7450 7450 ip_drop_packet(mp, B_FALSE, NULL, counter, dropper);
7451 7451 return (NULL);
7452 7452 }
7453 7453
7454 7454 /* keep the bias */
7455 7455 new_mp->b_rptr += mp->b_rptr - mp->b_datap->db_base;
7456 7456 new_mp->b_wptr = new_mp->b_rptr + copylen;
7457 7457 bcopy(mp->b_rptr, new_mp->b_rptr, copylen);
7458 7458 new_mp->b_cont = mp;
7459 7459 if ((mp->b_rptr += copylen) >= mp->b_wptr) {
7460 7460 new_mp->b_cont = mp->b_cont;
7461 7461 freeb(mp);
7462 7462 }
7463 7463 mp = new_mp;
7464 7464 ip6h = (ip6_t *)mp->b_rptr;
7465 7465 }
7466 7466
7467 7467 delta = tsol_prepend_option_v6(assoc->ipsa_opt_storage,
7468 7468 ip6h, MBLKL(mp));
7469 7469
7470 7470 ASSERT(delta != -1);
7471 7471
7472 7472 plen += delta;
7473 7473 mp->b_wptr += delta;
7474 7474
7475 7475 /*
7476 7476 * Paranoia
7477 7477 */
7478 7478 db = mp->b_datap;
7479 7479
7480 7480 ASSERT3P(mp->b_wptr, <=, db->db_lim);
7481 7481 ASSERT3P(mp->b_rptr, <=, db->db_lim);
7482 7482
7483 7483 ASSERT3P(mp->b_wptr, >=, db->db_base);
7484 7484 ASSERT3P(mp->b_rptr, >=, db->db_base);
7485 7485 /* End paranoia */
7486 7486
7487 7487 ip6h->ip6_plen = htons(plen);
7488 7488
7489 7489 return (mp);
7490 7490 }
7491 7491
7492 7492 /* Whack the labels and update ip_xmit_attr_t as needed */
7493 7493 mblk_t *
7494 7494 sadb_whack_label(mblk_t *mp, ipsa_t *assoc, ip_xmit_attr_t *ixa,
7495 7495 kstat_named_t *counter, ipdropper_t *dropper)
7496 7496 {
7497 7497 int adjust;
7498 7498 int iplen;
7499 7499
7500 7500 if (ixa->ixa_flags & IXAF_IS_IPV4) {
7501 7501 ipha_t *ipha = (ipha_t *)mp->b_rptr;
7502 7502
7503 7503 ASSERT(IPH_HDR_VERSION(ipha) == IPV4_VERSION);
7504 7504 iplen = ntohs(ipha->ipha_length);
7505 7505 mp = sadb_whack_label_v4(mp, assoc, counter, dropper);
7506 7506 if (mp == NULL)
7507 7507 return (NULL);
7508 7508
7509 7509 ipha = (ipha_t *)mp->b_rptr;
7510 7510 ASSERT(IPH_HDR_VERSION(ipha) == IPV4_VERSION);
7511 7511 adjust = (int)ntohs(ipha->ipha_length) - iplen;
7512 7512 } else {
7513 7513 ip6_t *ip6h = (ip6_t *)mp->b_rptr;
7514 7514
7515 7515 ASSERT(IPH_HDR_VERSION(ip6h) == IPV6_VERSION);
7516 7516 iplen = ntohs(ip6h->ip6_plen);
7517 7517 mp = sadb_whack_label_v6(mp, assoc, counter, dropper);
7518 7518 if (mp == NULL)
7519 7519 return (NULL);
7520 7520
7521 7521 ip6h = (ip6_t *)mp->b_rptr;
7522 7522 ASSERT(IPH_HDR_VERSION(ip6h) == IPV6_VERSION);
7523 7523 adjust = (int)ntohs(ip6h->ip6_plen) - iplen;
7524 7524 }
7525 7525 ixa->ixa_pktlen += adjust;
7526 7526 ixa->ixa_ip_hdr_length += adjust;
7527 7527 return (mp);
7528 7528 }
7529 7529
7530 7530 /*
7531 7531 * If this is an outgoing SA then add some fuzz to the
7532 7532 * SOFT EXPIRE time. The reason for this is to stop
7533 7533 * peers trying to renegotiate SOFT expiring SA's at
7534 7534 * the same time. The amount of fuzz needs to be at
7535 7535 * least 8 seconds which is the typical interval
7536 7536 * sadb_ager(), although this is only a guide as it
7537 7537 * selftunes.
7538 7538 */
7539 7539 static void
7540 7540 lifetime_fuzz(ipsa_t *assoc)
7541 7541 {
7542 7542 uint8_t rnd;
7543 7543
7544 7544 if (assoc->ipsa_softaddlt == 0)
7545 7545 return;
7546 7546
7547 7547 (void) random_get_pseudo_bytes(&rnd, sizeof (rnd));
7548 7548 rnd = (rnd & 0xF) + 8;
7549 7549 assoc->ipsa_softexpiretime -= rnd;
7550 7550 assoc->ipsa_softaddlt -= rnd;
7551 7551 }
7552 7552
7553 7553 static void
7554 7554 destroy_ipsa_pair(ipsap_t *ipsapp)
7555 7555 {
7556 7556 /*
7557 7557 * Because of the multi-line macro nature of IPSA_REFRELE, keep
7558 7558 * them in { }.
7559 7559 */
7560 7560 if (ipsapp->ipsap_sa_ptr != NULL) {
7561 7561 IPSA_REFRELE(ipsapp->ipsap_sa_ptr);
7562 7562 }
7563 7563 if (ipsapp->ipsap_psa_ptr != NULL) {
7564 7564 IPSA_REFRELE(ipsapp->ipsap_psa_ptr);
7565 7565 }
7566 7566 init_ipsa_pair(ipsapp);
7567 7567 }
7568 7568
7569 7569 static void
7570 7570 init_ipsa_pair(ipsap_t *ipsapp)
7571 7571 {
7572 7572 ipsapp->ipsap_bucket = NULL;
7573 7573 ipsapp->ipsap_sa_ptr = NULL;
7574 7574 ipsapp->ipsap_pbucket = NULL;
7575 7575 ipsapp->ipsap_psa_ptr = NULL;
7576 7576 }
7577 7577
7578 7578 /*
7579 7579 * The sadb_ager() function walks through the hash tables of SA's and ages
7580 7580 * them, if the SA expires as a result, its marked as DEAD and will be reaped
7581 7581 * the next time sadb_ager() runs. SA's which are paired or have a peer (same
7582 7582 * SA appears in both the inbound and outbound tables because its not possible
7583 7583 * to determine its direction) are placed on a list when they expire. This is
7584 7584 * to ensure that pair/peer SA's are reaped at the same time, even if they
7585 7585 * expire at different times.
7586 7586 *
7587 7587 * This function is called twice by sadb_ager(), one after processing the
7588 7588 * inbound table, then again after processing the outbound table.
7589 7589 */
7590 7590 void
7591 7591 age_pair_peer_list(templist_t *haspeerlist, sadb_t *sp, boolean_t outbound)
7592 7592 {
7593 7593 templist_t *listptr;
7594 7594 int outhash;
7595 7595 isaf_t *bucket;
7596 7596 boolean_t haspeer;
7597 7597 ipsa_t *peer_assoc, *dying;
7598 7598 /*
7599 7599 * Haspeer cases will contain both IPv4 and IPv6. This code
7600 7600 * is address independent.
7601 7601 */
7602 7602 while (haspeerlist != NULL) {
7603 7603 /* "dying" contains the SA that has a peer. */
7604 7604 dying = haspeerlist->ipsa;
7605 7605 haspeer = (dying->ipsa_haspeer);
7606 7606 listptr = haspeerlist;
7607 7607 haspeerlist = listptr->next;
7608 7608 kmem_free(listptr, sizeof (*listptr));
7609 7609 /*
7610 7610 * Pick peer bucket based on addrfam.
7611 7611 */
7612 7612 if (outbound) {
7613 7613 if (haspeer)
7614 7614 bucket = INBOUND_BUCKET(sp, dying->ipsa_spi);
7615 7615 else
7616 7616 bucket = INBOUND_BUCKET(sp,
7617 7617 dying->ipsa_otherspi);
7618 7618 } else { /* inbound */
7619 7619 if (haspeer) {
7620 7620 if (dying->ipsa_addrfam == AF_INET6) {
7621 7621 outhash = OUTBOUND_HASH_V6(sp,
7622 7622 *((in6_addr_t *)&dying->
7623 7623 ipsa_dstaddr));
7624 7624 } else {
7625 7625 outhash = OUTBOUND_HASH_V4(sp,
7626 7626 *((ipaddr_t *)&dying->
7627 7627 ipsa_dstaddr));
7628 7628 }
7629 7629 } else if (dying->ipsa_addrfam == AF_INET6) {
7630 7630 outhash = OUTBOUND_HASH_V6(sp,
7631 7631 *((in6_addr_t *)&dying->
7632 7632 ipsa_srcaddr));
7633 7633 } else {
7634 7634 outhash = OUTBOUND_HASH_V4(sp,
7635 7635 *((ipaddr_t *)&dying->
7636 7636 ipsa_srcaddr));
7637 7637 }
7638 7638 bucket = &(sp->sdb_of[outhash]);
7639 7639 }
7640 7640
7641 7641 mutex_enter(&bucket->isaf_lock);
7642 7642 /*
7643 7643 * "haspeer" SA's have the same src/dst address ordering,
7644 7644 * "paired" SA's have the src/dst addresses reversed.
7645 7645 */
7646 7646 if (haspeer) {
7647 7647 peer_assoc = ipsec_getassocbyspi(bucket,
7648 7648 dying->ipsa_spi, dying->ipsa_srcaddr,
7649 7649 dying->ipsa_dstaddr, dying->ipsa_addrfam);
7650 7650 } else {
7651 7651 peer_assoc = ipsec_getassocbyspi(bucket,
7652 7652 dying->ipsa_otherspi, dying->ipsa_dstaddr,
7653 7653 dying->ipsa_srcaddr, dying->ipsa_addrfam);
7654 7654 }
7655 7655
7656 7656 mutex_exit(&bucket->isaf_lock);
7657 7657 if (peer_assoc != NULL) {
7658 7658 mutex_enter(&peer_assoc->ipsa_lock);
7659 7659 mutex_enter(&dying->ipsa_lock);
7660 7660 if (!haspeer) {
7661 7661 /*
7662 7662 * Only SA's which have a "peer" or are
7663 7663 * "paired" end up on this list, so this
7664 7664 * must be a "paired" SA, update the flags
7665 7665 * to break the pair.
7666 7666 */
7667 7667 peer_assoc->ipsa_otherspi = 0;
7668 7668 peer_assoc->ipsa_flags &= ~IPSA_F_PAIRED;
7669 7669 dying->ipsa_otherspi = 0;
7670 7670 dying->ipsa_flags &= ~IPSA_F_PAIRED;
7671 7671 }
7672 7672 if (haspeer || outbound) {
7673 7673 /*
7674 7674 * Update the state of the "inbound" SA when
7675 7675 * the "outbound" SA has expired. Don't update
7676 7676 * the "outbound" SA when the "inbound" SA
7677 7677 * SA expires because setting the hard_addtime
7678 7678 * below will cause this to happen.
7679 7679 */
7680 7680 peer_assoc->ipsa_state = dying->ipsa_state;
7681 7681 }
7682 7682 if (dying->ipsa_state == IPSA_STATE_DEAD)
7683 7683 peer_assoc->ipsa_hardexpiretime = 1;
7684 7684
7685 7685 mutex_exit(&dying->ipsa_lock);
7686 7686 mutex_exit(&peer_assoc->ipsa_lock);
7687 7687 IPSA_REFRELE(peer_assoc);
7688 7688 }
7689 7689 IPSA_REFRELE(dying);
7690 7690 }
7691 7691 }
7692 7692
7693 7693 /*
7694 7694 * Ensure that the IV used for CCM mode never repeats. The IV should
7695 7695 * only be updated by this function. Also check to see if the IV
7696 7696 * is about to wrap and generate a SOFT Expire. This function is only
7697 7697 * called for outgoing packets, the IV for incomming packets is taken
7698 7698 * from the wire. If the outgoing SA needs to be expired, update
7699 7699 * the matching incomming SA.
7700 7700 */
7701 7701 boolean_t
7702 7702 update_iv(uint8_t *iv_ptr, queue_t *pfkey_q, ipsa_t *assoc,
7703 7703 ipsecesp_stack_t *espstack)
7704 7704 {
7705 7705 boolean_t rc = B_TRUE;
7706 7706 isaf_t *inbound_bucket;
7707 7707 sadb_t *sp;
7708 7708 ipsa_t *pair_sa = NULL;
7709 7709 int sa_new_state = 0;
7710 7710
7711 7711 /* For non counter modes, the IV is random data. */
7712 7712 if (!(assoc->ipsa_flags & IPSA_F_COUNTERMODE)) {
7713 7713 (void) random_get_pseudo_bytes(iv_ptr, assoc->ipsa_iv_len);
7714 7714 return (rc);
7715 7715 }
7716 7716
7717 7717 mutex_enter(&assoc->ipsa_lock);
7718 7718
7719 7719 (*assoc->ipsa_iv)++;
7720 7720
7721 7721 if (*assoc->ipsa_iv == assoc->ipsa_iv_hardexpire) {
7722 7722 sa_new_state = IPSA_STATE_DEAD;
7723 7723 rc = B_FALSE;
7724 7724 } else if (*assoc->ipsa_iv == assoc->ipsa_iv_softexpire) {
7725 7725 if (assoc->ipsa_state != IPSA_STATE_DYING) {
7726 7726 /*
7727 7727 * This SA may have already been expired when its
7728 7728 * PAIR_SA expired.
7729 7729 */
7730 7730 sa_new_state = IPSA_STATE_DYING;
7731 7731 }
7732 7732 }
7733 7733 if (sa_new_state) {
7734 7734 /*
7735 7735 * If there is a state change, we need to update this SA
7736 7736 * and its "pair", we can find the bucket for the "pair" SA
7737 7737 * while holding the ipsa_t mutex, but we won't actually
7738 7738 * update anything untill the ipsa_t mutex has been released
7739 7739 * for _this_ SA.
7740 7740 */
7741 7741 assoc->ipsa_state = sa_new_state;
7742 7742 if (assoc->ipsa_addrfam == AF_INET6) {
7743 7743 sp = &espstack->esp_sadb.s_v6;
7744 7744 } else {
7745 7745 sp = &espstack->esp_sadb.s_v4;
7746 7746 }
7747 7747 inbound_bucket = INBOUND_BUCKET(sp, assoc->ipsa_otherspi);
7748 7748 sadb_expire_assoc(pfkey_q, assoc);
7749 7749 }
7750 7750 if (rc == B_TRUE)
7751 7751 bcopy(assoc->ipsa_iv, iv_ptr, assoc->ipsa_iv_len);
7752 7752
7753 7753 mutex_exit(&assoc->ipsa_lock);
7754 7754
7755 7755 if (sa_new_state) {
7756 7756 /* Find the inbound SA, need to lock hash bucket. */
7757 7757 mutex_enter(&inbound_bucket->isaf_lock);
7758 7758 pair_sa = ipsec_getassocbyspi(inbound_bucket,
7759 7759 assoc->ipsa_otherspi, assoc->ipsa_dstaddr,
7760 7760 assoc->ipsa_srcaddr, assoc->ipsa_addrfam);
7761 7761 mutex_exit(&inbound_bucket->isaf_lock);
7762 7762 if (pair_sa != NULL) {
7763 7763 mutex_enter(&pair_sa->ipsa_lock);
7764 7764 pair_sa->ipsa_state = sa_new_state;
7765 7765 mutex_exit(&pair_sa->ipsa_lock);
7766 7766 IPSA_REFRELE(pair_sa);
7767 7767 }
7768 7768 }
7769 7769
7770 7770 return (rc);
7771 7771 }
7772 7772
7773 7773 void
7774 7774 ccm_params_init(ipsa_t *assoc, uchar_t *esph, uint_t data_len, uchar_t *iv_ptr,
7775 7775 ipsa_cm_mech_t *cm_mech, crypto_data_t *crypto_data)
7776 7776 {
7777 7777 uchar_t *nonce;
7778 7778 crypto_mechanism_t *combined_mech;
7779 7779 CK_AES_CCM_PARAMS *params;
7780 7780
7781 7781 combined_mech = (crypto_mechanism_t *)cm_mech;
7782 7782 params = (CK_AES_CCM_PARAMS *)(combined_mech + 1);
7783 7783 nonce = (uchar_t *)(params + 1);
7784 7784 params->ulMACSize = assoc->ipsa_mac_len;
7785 7785 params->ulNonceSize = assoc->ipsa_nonce_len;
7786 7786 params->ulAuthDataSize = sizeof (esph_t);
7787 7787 params->ulDataSize = data_len;
7788 7788 params->nonce = nonce;
7789 7789 params->authData = esph;
7790 7790
7791 7791 cm_mech->combined_mech.cm_type = assoc->ipsa_emech.cm_type;
7792 7792 cm_mech->combined_mech.cm_param_len = sizeof (CK_AES_CCM_PARAMS);
7793 7793 cm_mech->combined_mech.cm_param = (caddr_t)params;
7794 7794 /* See gcm_params_init() for comments. */
7795 7795 bcopy(assoc->ipsa_nonce, nonce, assoc->ipsa_saltlen);
7796 7796 nonce += assoc->ipsa_saltlen;
7797 7797 bcopy(iv_ptr, nonce, assoc->ipsa_iv_len);
7798 7798 crypto_data->cd_miscdata = NULL;
7799 7799 }
7800 7800
7801 7801 /* ARGSUSED */
7802 7802 void
7803 7803 cbc_params_init(ipsa_t *assoc, uchar_t *esph, uint_t data_len, uchar_t *iv_ptr,
7804 7804 ipsa_cm_mech_t *cm_mech, crypto_data_t *crypto_data)
7805 7805 {
7806 7806 cm_mech->combined_mech.cm_type = assoc->ipsa_emech.cm_type;
7807 7807 cm_mech->combined_mech.cm_param_len = 0;
7808 7808 cm_mech->combined_mech.cm_param = NULL;
7809 7809 crypto_data->cd_miscdata = (char *)iv_ptr;
7810 7810 }
7811 7811
7812 7812 /* ARGSUSED */
7813 7813 void
7814 7814 gcm_params_init(ipsa_t *assoc, uchar_t *esph, uint_t data_len, uchar_t *iv_ptr,
7815 7815 ipsa_cm_mech_t *cm_mech, crypto_data_t *crypto_data)
7816 7816 {
7817 7817 uchar_t *nonce;
7818 7818 crypto_mechanism_t *combined_mech;
7819 7819 CK_AES_GCM_PARAMS *params;
7820 7820
7821 7821 combined_mech = (crypto_mechanism_t *)cm_mech;
7822 7822 params = (CK_AES_GCM_PARAMS *)(combined_mech + 1);
7823 7823 nonce = (uchar_t *)(params + 1);
7824 7824
7825 7825 params->pIv = nonce;
7826 7826 params->ulIvLen = assoc->ipsa_nonce_len;
7827 7827 params->ulIvBits = SADB_8TO1(assoc->ipsa_nonce_len);
7828 7828 params->pAAD = esph;
7829 7829 params->ulAADLen = sizeof (esph_t);
7830 7830 params->ulTagBits = SADB_8TO1(assoc->ipsa_mac_len);
7831 7831
7832 7832 cm_mech->combined_mech.cm_type = assoc->ipsa_emech.cm_type;
7833 7833 cm_mech->combined_mech.cm_param_len = sizeof (CK_AES_GCM_PARAMS);
7834 7834 cm_mech->combined_mech.cm_param = (caddr_t)params;
7835 7835 /*
7836 7836 * Create the nonce, which is made up of the salt and the IV.
7837 7837 * Copy the salt from the SA and the IV from the packet.
7838 7838 * For inbound packets we copy the IV from the packet because it
7839 7839 * was set by the sending system, for outbound packets we copy the IV
7840 7840 * from the packet because the IV in the SA may be changed by another
7841 7841 * thread, the IV in the packet was created while holding a mutex.
7842 7842 */
7843 7843 bcopy(assoc->ipsa_nonce, nonce, assoc->ipsa_saltlen);
7844 7844 nonce += assoc->ipsa_saltlen;
7845 7845 bcopy(iv_ptr, nonce, assoc->ipsa_iv_len);
7846 7846 crypto_data->cd_miscdata = NULL;
7847 7847 }
↓ open down ↓ |
6087 lines elided |
↑ open up ↑ |
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX