Lines Matching +full:library +full:- +full:sel
104 if (((sa)->ipsa_ ## delta) != 0) { \
105 (sa)->ipsa_ ## exp = sadb_add_time((sa)->ipsa_addtime, \
106 (sa)->ipsa_ ## delta); \
111 if (((sa)->ipsa_ ## delta) != 0) { \
112 time_t tmp = sadb_add_time((sa)->ipsa_usetime, \
113 (sa)->ipsa_ ## delta); \
114 if (((sa)->ipsa_ ## exp) == 0) \
115 (sa)->ipsa_ ## exp = tmp; \
117 (sa)->ipsa_ ## exp = \
118 MIN((sa)->ipsa_ ## exp, tmp); \
149 * the 32-bit time_t overflows (a dangerous assumption, mind you..).
153 * fixed-sized integers in computation.
160 * prevent "overwrapping" back into a shorter-than-desired in sadb_add_time()
167 if (TIME_MAX - base < delta) in sadb_add_time()
182 (((sa1)->ipsa_unique_id & (sa1)->ipsa_unique_mask) == \
183 ((sa2)->ipsa_unique_id & (sa2)->ipsa_unique_mask))
192 ASSERT(MUTEX_HELD(&bucket->isaf_lock)); in sadb_insertassoc()
194 unspecsrc = IPSA_IS_ADDR_UNSPEC(ipsa->ipsa_srcaddr, ipsa->ipsa_addrfam); in sadb_insertassoc()
196 walker = bucket->isaf_ipsa; in sadb_insertassoc()
197 ASSERT(walker == NULL || ipsa->ipsa_addrfam == walker->ipsa_addrfam); in sadb_insertassoc()
209 if (IPSA_ARE_ADDR_EQUAL(walker->ipsa_dstaddr, in sadb_insertassoc()
210 ipsa->ipsa_dstaddr, ipsa->ipsa_addrfam)) { in sadb_insertassoc()
211 if (walker->ipsa_spi == ipsa->ipsa_spi) in sadb_insertassoc()
214 mutex_enter(&walker->ipsa_lock); in sadb_insertassoc()
215 if (ipsa->ipsa_state == IPSA_STATE_MATURE && in sadb_insertassoc()
216 (walker->ipsa_flags & IPSA_F_USED) && in sadb_insertassoc()
218 walker->ipsa_flags |= IPSA_F_CINVALID; in sadb_insertassoc()
220 mutex_exit(&walker->ipsa_lock); in sadb_insertassoc()
224 if (IPSA_IS_ADDR_UNSPEC(walker->ipsa_srcaddr, in sadb_insertassoc()
225 walker->ipsa_addrfam)) in sadb_insertassoc()
226 ptpn = walker->ipsa_ptpn; in sadb_insertassoc()
227 else if (walker->ipsa_next == NULL) in sadb_insertassoc()
228 ptpn = &walker->ipsa_next; in sadb_insertassoc()
231 walker = walker->ipsa_next; in sadb_insertassoc()
235 ptpn = &bucket->isaf_ipsa; in sadb_insertassoc()
236 ipsa->ipsa_next = *ptpn; in sadb_insertassoc()
237 ipsa->ipsa_ptpn = ptpn; in sadb_insertassoc()
238 if (ipsa->ipsa_next != NULL) in sadb_insertassoc()
239 ipsa->ipsa_next->ipsa_ptpn = &ipsa->ipsa_next; in sadb_insertassoc()
241 ipsa->ipsa_linklock = &bucket->isaf_lock; in sadb_insertassoc()
255 ipsec_stack_t *ipss = ipsa->ipsa_netstack->netstack_ipsec; in sadb_freeassoc()
259 ASSERT(MUTEX_NOT_HELD(&ipsa->ipsa_lock)); in sadb_freeassoc()
260 ASSERT(ipsa->ipsa_refcnt == 0); in sadb_freeassoc()
261 ASSERT(ipsa->ipsa_next == NULL); in sadb_freeassoc()
262 ASSERT(ipsa->ipsa_ptpn == NULL); in sadb_freeassoc()
270 &ipss->ipsec_sadb_dropper); in sadb_freeassoc()
272 mutex_enter(&ipsa->ipsa_lock); in sadb_freeassoc()
274 if (ipsa->ipsa_tsl != NULL) { in sadb_freeassoc()
275 label_rele(ipsa->ipsa_tsl); in sadb_freeassoc()
276 ipsa->ipsa_tsl = NULL; in sadb_freeassoc()
279 if (ipsa->ipsa_otsl != NULL) { in sadb_freeassoc()
280 label_rele(ipsa->ipsa_otsl); in sadb_freeassoc()
281 ipsa->ipsa_otsl = NULL; in sadb_freeassoc()
286 mutex_exit(&ipsa->ipsa_lock); in sadb_freeassoc()
289 if (ipsa->ipsa_authkey != NULL) { in sadb_freeassoc()
290 bzero(ipsa->ipsa_authkey, ipsa->ipsa_authkeylen); in sadb_freeassoc()
291 kmem_free(ipsa->ipsa_authkey, ipsa->ipsa_authkeylen); in sadb_freeassoc()
293 if (ipsa->ipsa_encrkey != NULL) { in sadb_freeassoc()
294 bzero(ipsa->ipsa_encrkey, ipsa->ipsa_encrkeylen); in sadb_freeassoc()
295 kmem_free(ipsa->ipsa_encrkey, ipsa->ipsa_encrkeylen); in sadb_freeassoc()
297 if (ipsa->ipsa_nonce_buf != NULL) { in sadb_freeassoc()
298 bzero(ipsa->ipsa_nonce_buf, sizeof (ipsec_nonce_t)); in sadb_freeassoc()
299 kmem_free(ipsa->ipsa_nonce_buf, sizeof (ipsec_nonce_t)); in sadb_freeassoc()
301 if (ipsa->ipsa_src_cid != NULL) { in sadb_freeassoc()
302 IPSID_REFRELE(ipsa->ipsa_src_cid); in sadb_freeassoc()
304 if (ipsa->ipsa_dst_cid != NULL) { in sadb_freeassoc()
305 IPSID_REFRELE(ipsa->ipsa_dst_cid); in sadb_freeassoc()
307 if (ipsa->ipsa_emech.cm_param != NULL) in sadb_freeassoc()
308 kmem_free(ipsa->ipsa_emech.cm_param, in sadb_freeassoc()
309 ipsa->ipsa_emech.cm_param_len); in sadb_freeassoc()
311 mutex_destroy(&ipsa->ipsa_lock); in sadb_freeassoc()
328 ASSERT(ipsa->ipsa_linklock != NULL); in sadb_unlinkassoc()
329 ASSERT(MUTEX_HELD(ipsa->ipsa_linklock)); in sadb_unlinkassoc()
332 if (ipsa->ipsa_ptpn == NULL) in sadb_unlinkassoc()
336 *(ipsa->ipsa_ptpn) = ipsa->ipsa_next; in sadb_unlinkassoc()
337 if (ipsa->ipsa_next != NULL) { in sadb_unlinkassoc()
338 ipsa->ipsa_next->ipsa_ptpn = ipsa->ipsa_ptpn; in sadb_unlinkassoc()
339 ipsa->ipsa_next = NULL; in sadb_unlinkassoc()
341 ipsa->ipsa_ptpn = NULL; in sadb_unlinkassoc()
353 ((assoc->ipsa_state == IPSA_STATE_LARVAL) || in sadb_delete_cluster()
354 (assoc->ipsa_state == IPSA_STATE_MATURE))) { in sadb_delete_cluster()
355 protocol = (assoc->ipsa_type == SADB_SATYPE_AH) ? in sadb_delete_cluster()
357 cl_inet_deletespi(assoc->ipsa_netstack->netstack_stackid, in sadb_delete_cluster()
358 protocol, assoc->ipsa_spi, NULL); in sadb_delete_cluster()
383 newbie->ipsa_spi = spi; in sadb_makelarvalassoc()
384 newbie->ipsa_netstack = ns; /* No netstack_hold */ in sadb_makelarvalassoc()
390 IPSA_COPY_ADDR(newbie->ipsa_srcaddr, src, addrfam); in sadb_makelarvalassoc()
391 IPSA_COPY_ADDR(newbie->ipsa_dstaddr, dst, addrfam); in sadb_makelarvalassoc()
393 newbie->ipsa_addrfam = addrfam; in sadb_makelarvalassoc()
398 mutex_init(&newbie->ipsa_lock, NULL, MUTEX_DEFAULT, NULL); in sadb_makelarvalassoc()
399 newbie->ipsa_state = IPSA_STATE_LARVAL; in sadb_makelarvalassoc()
400 newbie->ipsa_refcnt = 1; in sadb_makelarvalassoc()
401 newbie->ipsa_freefunc = sadb_freeassoc; in sadb_makelarvalassoc()
465 ASSERT(sp->sdb_of == NULL); in sadb_init_trial()
466 ASSERT(sp->sdb_if == NULL); in sadb_init_trial()
467 ASSERT(sp->sdb_acq == NULL); in sadb_init_trial()
469 sp->sdb_hashsize = size; in sadb_init_trial()
470 if (sadb_init_fanout(&sp->sdb_of, size, kmflag) != 0) in sadb_init_trial()
472 if (sadb_init_fanout(&sp->sdb_if, size, kmflag) != 0) in sadb_init_trial()
474 if (sadb_init_acfanout(&sp->sdb_acq, size, kmflag) != 0) in sadb_init_trial()
487 ASSERT(sp->sdb_of == NULL); in sadb_init()
488 ASSERT(sp->sdb_if == NULL); in sadb_init()
489 ASSERT(sp->sdb_acq == NULL); in sadb_init()
509 * Initialize an SADB-pair.
514 sadb_init(name, &sp->s_v4, size, 4, ns); in sadbp_init()
515 sadb_init(name, &sp->s_v6, size, 6, ns); in sadbp_init()
517 sp->s_satype = type; in sadbp_init()
521 ipsec_stack_t *ipss = ns->netstack_ipsec; in sadbp_init()
523 ip_drop_register(&ipss->ipsec_sadb_dropper, "IPsec SADB"); in sadbp_init()
524 sp->s_addflags = AH_ADD_SETTABLE_FLAGS; in sadbp_init()
525 sp->s_updateflags = AH_UPDATE_SETTABLE_FLAGS; in sadbp_init()
527 sp->s_addflags = ESP_ADD_SETTABLE_FLAGS; in sadbp_init()
528 sp->s_updateflags = ESP_UPDATE_SETTABLE_FLAGS; in sadbp_init()
550 answer->b_cont = sadb_sa2msg(ipsa, samsg); in sadb_dump_deliver()
551 if (answer->b_cont == NULL) { in sadb_dump_deliver()
572 mp->b_datap->db_type = M_CTL; in sadb_keysock_out()
573 mp->b_wptr += sizeof (ipsec_info_t); in sadb_keysock_out()
574 kso = (keysock_out_t *)mp->b_rptr; in sadb_keysock_out()
575 kso->ks_out_type = KEYSOCK_OUT; in sadb_keysock_out()
576 kso->ks_out_len = sizeof (*kso); in sadb_keysock_out()
577 kso->ks_out_serial = serial; in sadb_keysock_out()
599 * - Hold the mutex in sadb_dump_fanout()
600 * - Walk each entry, doing an sadb_dump_deliver() on it. in sadb_dump_fanout()
602 ASSERT(mp->b_cont != NULL); in sadb_dump_fanout()
603 samsg = (sadb_msg_t *)mp->b_cont->b_rptr; in sadb_dump_fanout()
613 walker = walker->ipsa_next) { in sadb_dump_fanout()
614 if (!do_peers && walker->ipsa_haspeer) in sadb_dump_fanout()
617 ((current - walker->ipsa_lastuse) > active_time)) in sadb_dump_fanout()
657 (sadb_x_edump_t *)ksi->ks_in_extv[SADB_X_EXT_EDUMP]; in sadb_dump()
660 active_time = edump->sadb_x_edump_timeout; in sadb_dump()
664 error = sadb_dump_fanout(pfkey_q, mp, ksi->ks_in_serial, sp->sdb_of, in sadb_dump()
665 sp->sdb_hashsize, B_TRUE, active_time); in sadb_dump()
670 return sadb_dump_fanout(pfkey_q, mp, ksi->ks_in_serial, sp->sdb_if, in sadb_dump()
671 sp->sdb_hashsize, B_FALSE, active_time); in sadb_dump()
699 next = entry->ipsa_next; in sadb_walker()
729 (sa->ipsa_state != IPSA_STATE_ACTIVE_ELSEWHERE) && in sadb_destroyer()
730 (sa->ipsa_state != IPSA_STATE_IDLE)) { in sadb_destroyer()
731 protocol = (sa->ipsa_type == SADB_SATYPE_AH) ? in sadb_destroyer()
733 sid = sa->ipsa_netstack->netstack_stackid; in sadb_destroyer()
734 cl_inet_deletespi(sid, protocol, sa->ipsa_spi, in sadb_destroyer()
763 sadb_destroyer(&sp->sdb_of, sp->sdb_hashsize, B_FALSE, B_FALSE); in sadb_flush()
764 sadb_destroyer(&sp->sdb_if, sp->sdb_hashsize, B_FALSE, B_TRUE); in sadb_flush()
767 sadb_destroy_acqlist(&sp->sdb_acq, sp->sdb_hashsize, B_FALSE, ns); in sadb_flush()
773 sadb_destroyer(&sp->sdb_of, sp->sdb_hashsize, B_TRUE, B_FALSE); in sadb_destroy()
774 sadb_destroyer(&sp->sdb_if, sp->sdb_hashsize, B_TRUE, B_TRUE); in sadb_destroy()
777 sadb_destroy_acqlist(&sp->sdb_acq, sp->sdb_hashsize, B_TRUE, ns); in sadb_destroy()
779 ASSERT(sp->sdb_of == NULL); in sadb_destroy()
780 ASSERT(sp->sdb_if == NULL); in sadb_destroy()
781 ASSERT(sp->sdb_acq == NULL); in sadb_destroy()
787 sadb_flush(&spp->s_v4, ns); in sadbp_flush()
788 sadb_flush(&spp->s_v6, ns); in sadbp_flush()
794 sadb_destroy(&spp->s_v4, ns); in sadbp_destroy()
795 sadb_destroy(&spp->s_v6, ns); in sadbp_destroy()
797 if (spp->s_satype == SADB_SATYPE_AH) { in sadbp_destroy()
798 ipsec_stack_t *ipss = ns->netstack_ipsec; in sadbp_destroy()
800 ip_drop_unregister(&ipss->ipsec_sadb_dropper); in sadbp_destroy()
817 if (hard->sadb_lifetime_allocations != 0 && in sadb_hardsoftchk()
818 soft->sadb_lifetime_allocations != 0 && in sadb_hardsoftchk()
819 hard->sadb_lifetime_allocations < soft->sadb_lifetime_allocations) in sadb_hardsoftchk()
822 if (hard->sadb_lifetime_bytes != 0 && in sadb_hardsoftchk()
823 soft->sadb_lifetime_bytes != 0 && in sadb_hardsoftchk()
824 hard->sadb_lifetime_bytes < soft->sadb_lifetime_bytes) in sadb_hardsoftchk()
827 if (hard->sadb_lifetime_addtime != 0 && in sadb_hardsoftchk()
828 soft->sadb_lifetime_addtime != 0 && in sadb_hardsoftchk()
829 hard->sadb_lifetime_addtime < soft->sadb_lifetime_addtime) in sadb_hardsoftchk()
832 if (hard->sadb_lifetime_usetime != 0 && in sadb_hardsoftchk()
833 soft->sadb_lifetime_usetime != 0 && in sadb_hardsoftchk()
834 hard->sadb_lifetime_usetime < soft->sadb_lifetime_usetime) in sadb_hardsoftchk()
838 if (hard->sadb_lifetime_addtime != 0 && in sadb_hardsoftchk()
839 idle->sadb_lifetime_addtime != 0 && in sadb_hardsoftchk()
840 hard->sadb_lifetime_addtime < idle->sadb_lifetime_addtime) in sadb_hardsoftchk()
843 if (soft->sadb_lifetime_addtime != 0 && in sadb_hardsoftchk()
844 idle->sadb_lifetime_addtime != 0 && in sadb_hardsoftchk()
845 soft->sadb_lifetime_addtime < idle->sadb_lifetime_addtime) in sadb_hardsoftchk()
848 if (hard->sadb_lifetime_usetime != 0 && in sadb_hardsoftchk()
849 idle->sadb_lifetime_usetime != 0 && in sadb_hardsoftchk()
850 hard->sadb_lifetime_usetime < idle->sadb_lifetime_usetime) in sadb_hardsoftchk()
853 if (soft->sadb_lifetime_usetime != 0 && in sadb_hardsoftchk()
854 idle->sadb_lifetime_usetime != 0 && in sadb_hardsoftchk()
855 soft->sadb_lifetime_usetime < idle->sadb_lifetime_usetime) in sadb_hardsoftchk()
871 if (ksi->ks_in_extv[SADB_EXT_SENSITIVITY] != NULL) in sadb_labelchk()
874 if (ksi->ks_in_extv[SADB_X_EXT_OUTER_SENS] != NULL) in sadb_labelchk()
892 ASSERT(MUTEX_NOT_HELD(&(ipsa->ipsa_lock))); in sadb_cloneassoc()
902 mutex_init(&newbie->ipsa_lock, NULL, MUTEX_DEFAULT, NULL); in sadb_cloneassoc()
904 if (newbie->ipsa_tsl != NULL) in sadb_cloneassoc()
905 label_hold(newbie->ipsa_tsl); in sadb_cloneassoc()
907 if (newbie->ipsa_otsl != NULL) in sadb_cloneassoc()
908 label_hold(newbie->ipsa_otsl); in sadb_cloneassoc()
911 * While somewhat dain-bramaged, the most graceful way to in sadb_cloneassoc()
918 if (ipsa->ipsa_authkey != NULL) { in sadb_cloneassoc()
919 newbie->ipsa_authkey = kmem_alloc(newbie->ipsa_authkeylen, in sadb_cloneassoc()
921 if (newbie->ipsa_authkey == NULL) { in sadb_cloneassoc()
924 bcopy(ipsa->ipsa_authkey, newbie->ipsa_authkey, in sadb_cloneassoc()
925 newbie->ipsa_authkeylen); in sadb_cloneassoc()
927 newbie->ipsa_kcfauthkey.ck_data = in sadb_cloneassoc()
928 newbie->ipsa_authkey; in sadb_cloneassoc()
931 if (newbie->ipsa_amech.cm_param != NULL) { in sadb_cloneassoc()
932 newbie->ipsa_amech.cm_param = in sadb_cloneassoc()
933 (char *)&newbie->ipsa_mac_len; in sadb_cloneassoc()
937 if (ipsa->ipsa_encrkey != NULL) { in sadb_cloneassoc()
938 newbie->ipsa_encrkey = kmem_alloc(newbie->ipsa_encrkeylen, in sadb_cloneassoc()
940 if (newbie->ipsa_encrkey == NULL) { in sadb_cloneassoc()
943 bcopy(ipsa->ipsa_encrkey, newbie->ipsa_encrkey, in sadb_cloneassoc()
944 newbie->ipsa_encrkeylen); in sadb_cloneassoc()
946 newbie->ipsa_kcfencrkey.ck_data = in sadb_cloneassoc()
947 newbie->ipsa_encrkey; in sadb_cloneassoc()
951 newbie->ipsa_authtmpl = NULL; in sadb_cloneassoc()
952 newbie->ipsa_encrtmpl = NULL; in sadb_cloneassoc()
953 newbie->ipsa_haspeer = B_TRUE; in sadb_cloneassoc()
955 if (ipsa->ipsa_src_cid != NULL) { in sadb_cloneassoc()
956 newbie->ipsa_src_cid = ipsa->ipsa_src_cid; in sadb_cloneassoc()
957 IPSID_REFHOLD(ipsa->ipsa_src_cid); in sadb_cloneassoc()
960 if (ipsa->ipsa_dst_cid != NULL) { in sadb_cloneassoc()
961 newbie->ipsa_dst_cid = ipsa->ipsa_dst_cid; in sadb_cloneassoc()
962 IPSID_REFHOLD(ipsa->ipsa_dst_cid); in sadb_cloneassoc()
995 addrext->sadb_address_proto = proto; in sadb_make_addr_ext()
996 addrext->sadb_address_prefixlen = prefix; in sadb_make_addr_ext()
997 addrext->sadb_address_reserved = 0; in sadb_make_addr_ext()
998 addrext->sadb_address_exttype = exttype; in sadb_make_addr_ext()
1008 sin->sin_family = af; in sadb_make_addr_ext()
1009 bzero(sin->sin_zero, sizeof (sin->sin_zero)); in sadb_make_addr_ext()
1010 sin->sin_port = port; in sadb_make_addr_ext()
1011 IPSA_COPY_ADDR(&sin->sin_addr, addr, af); in sadb_make_addr_ext()
1021 sin6->sin6_family = af; in sadb_make_addr_ext()
1022 sin6->sin6_port = port; in sadb_make_addr_ext()
1023 IPSA_COPY_ADDR(&sin6->sin6_addr, addr, af); in sadb_make_addr_ext()
1027 addrext_len = roundup(cur - start, sizeof (uint64_t)); in sadb_make_addr_ext()
1028 addrext->sadb_address_len = SADB_8TO64(addrext_len); in sadb_make_addr_ext()
1054 kmcext->sadb_x_kmc_len = SADB_8TO64(sizeof (*kmcext)); in sadb_make_kmc_ext()
1055 kmcext->sadb_x_kmc_exttype = SADB_X_EXT_KM_COOKIE; in sadb_make_kmc_ext()
1056 kmcext->sadb_x_kmc_proto = kmp; in sadb_make_kmc_ext()
1057 kmcext->sadb_x_kmc_cookie64 = kmc; in sadb_make_kmc_ext()
1118 fam = ipsa->ipsa_addrfam; in sadb_sa2msg()
1136 if (ipsa->ipsa_flags & IPSA_F_NATT_REM) in sadb_sa2msg()
1138 if (ipsa->ipsa_flags & IPSA_F_NATT_LOC) in sadb_sa2msg()
1141 if (ipsa->ipsa_flags & IPSA_F_PAIRED) { in sadb_sa2msg()
1144 otherspi = ipsa->ipsa_otherspi; in sadb_sa2msg()
1150 if (ipsa->ipsa_softaddlt != 0 || ipsa->ipsa_softuselt != 0 || in sadb_sa2msg()
1151 ipsa->ipsa_softbyteslt != 0 || ipsa->ipsa_softalloc != 0) { in sadb_sa2msg()
1156 if (ipsa->ipsa_hardaddlt != 0 || ipsa->ipsa_harduselt != 0 || in sadb_sa2msg()
1157 ipsa->ipsa_hardbyteslt != 0 || ipsa->ipsa_hardalloc != 0) { in sadb_sa2msg()
1162 if (ipsa->ipsa_idleaddlt != 0 || ipsa->ipsa_idleuselt != 0) { in sadb_sa2msg()
1170 if (ipsa->ipsa_innerfam != 0) { in sadb_sa2msg()
1171 pfam = ipsa->ipsa_innerfam; in sadb_sa2msg()
1192 if (ipsa->ipsa_authkeylen != 0) { in sadb_sa2msg()
1193 authsize = roundup(sizeof (sadb_key_t) + ipsa->ipsa_authkeylen, in sadb_sa2msg()
1199 if (ipsa->ipsa_encrkeylen != 0) { in sadb_sa2msg()
1200 encrsize = roundup(sizeof (sadb_key_t) + ipsa->ipsa_encrkeylen + in sadb_sa2msg()
1201 ipsa->ipsa_nonce_len, sizeof (uint64_t)); in sadb_sa2msg()
1208 if (ipsa->ipsa_tsl != NULL) { in sadb_sa2msg()
1209 senslen = sadb_sens_len_from_label(ipsa->ipsa_tsl); in sadb_sa2msg()
1214 if (ipsa->ipsa_otsl != NULL) { in sadb_sa2msg()
1215 osenslen = sadb_sens_len_from_label(ipsa->ipsa_otsl); in sadb_sa2msg()
1224 if (ipsa->ipsa_src_cid != NULL) { in sadb_sa2msg()
1226 strlen(ipsa->ipsa_src_cid->ipsid_cid) + 1, in sadb_sa2msg()
1232 if (ipsa->ipsa_dst_cid != NULL) { in sadb_sa2msg()
1234 strlen(ipsa->ipsa_dst_cid->ipsid_cid) + 1, in sadb_sa2msg()
1240 if ((ipsa->ipsa_kmp != 0) || (ipsa->ipsa_kmc != 0)) in sadb_sa2msg()
1243 if (ipsa->ipsa_replay != 0) { in sadb_sa2msg()
1250 /* XXX Possibly make it esballoc, with a bzero-ing free_ftn. */ in sadb_sa2msg()
1254 bzero(mp->b_rptr, alloclen); in sadb_sa2msg()
1256 mp->b_wptr += alloclen; in sadb_sa2msg()
1257 end = mp->b_wptr; in sadb_sa2msg()
1258 newsamsg = (sadb_msg_t *)mp->b_rptr; in sadb_sa2msg()
1260 newsamsg->sadb_msg_len = (uint16_t)SADB_8TO64(alloclen); in sadb_sa2msg()
1262 mutex_enter(&ipsa->ipsa_lock); /* Since I'm grabbing SA fields... */ in sadb_sa2msg()
1264 newsamsg->sadb_msg_satype = ipsa->ipsa_type; in sadb_sa2msg()
1267 assoc->sadb_sa_len = SADB_8TO64(sizeof (*assoc)); in sadb_sa2msg()
1268 assoc->sadb_sa_exttype = SADB_EXT_SA; in sadb_sa2msg()
1269 assoc->sadb_sa_spi = ipsa->ipsa_spi; in sadb_sa2msg()
1270 assoc->sadb_sa_replay = ipsa->ipsa_replay_wsize; in sadb_sa2msg()
1271 assoc->sadb_sa_state = ipsa->ipsa_state; in sadb_sa2msg()
1272 assoc->sadb_sa_auth = ipsa->ipsa_auth_alg; in sadb_sa2msg()
1273 assoc->sadb_sa_encrypt = ipsa->ipsa_encr_alg; in sadb_sa2msg()
1274 assoc->sadb_sa_flags = ipsa->ipsa_flags; in sadb_sa2msg()
1277 lt->sadb_lifetime_len = SADB_8TO64(sizeof (*lt)); in sadb_sa2msg()
1278 lt->sadb_lifetime_exttype = SADB_EXT_LIFETIME_CURRENT; in sadb_sa2msg()
1280 lt->sadb_lifetime_allocations = 0; in sadb_sa2msg()
1281 lt->sadb_lifetime_bytes = ipsa->ipsa_bytes; in sadb_sa2msg()
1282 lt->sadb_lifetime_addtime = ipsa->ipsa_addtime; in sadb_sa2msg()
1283 lt->sadb_lifetime_usetime = ipsa->ipsa_usetime; in sadb_sa2msg()
1287 lt->sadb_lifetime_len = SADB_8TO64(sizeof (*lt)); in sadb_sa2msg()
1288 lt->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD; in sadb_sa2msg()
1289 lt->sadb_lifetime_allocations = ipsa->ipsa_hardalloc; in sadb_sa2msg()
1290 lt->sadb_lifetime_bytes = ipsa->ipsa_hardbyteslt; in sadb_sa2msg()
1291 lt->sadb_lifetime_addtime = ipsa->ipsa_hardaddlt; in sadb_sa2msg()
1292 lt->sadb_lifetime_usetime = ipsa->ipsa_harduselt; in sadb_sa2msg()
1297 lt->sadb_lifetime_len = SADB_8TO64(sizeof (*lt)); in sadb_sa2msg()
1298 lt->sadb_lifetime_exttype = SADB_EXT_LIFETIME_SOFT; in sadb_sa2msg()
1299 lt->sadb_lifetime_allocations = ipsa->ipsa_softalloc; in sadb_sa2msg()
1300 lt->sadb_lifetime_bytes = ipsa->ipsa_softbyteslt; in sadb_sa2msg()
1301 lt->sadb_lifetime_addtime = ipsa->ipsa_softaddlt; in sadb_sa2msg()
1302 lt->sadb_lifetime_usetime = ipsa->ipsa_softuselt; in sadb_sa2msg()
1307 lt->sadb_lifetime_len = SADB_8TO64(sizeof (*lt)); in sadb_sa2msg()
1308 lt->sadb_lifetime_exttype = SADB_X_EXT_LIFETIME_IDLE; in sadb_sa2msg()
1309 lt->sadb_lifetime_addtime = ipsa->ipsa_idleaddlt; in sadb_sa2msg()
1310 lt->sadb_lifetime_usetime = ipsa->ipsa_idleuselt; in sadb_sa2msg()
1315 /* NOTE: Don't fill in ports here if we are a tunnel-mode SA. */ in sadb_sa2msg()
1317 ipsa->ipsa_srcaddr, (!isrc && !idst) ? SA_SRCPORT(ipsa) : 0, in sadb_sa2msg()
1326 ipsa->ipsa_dstaddr, (!isrc && !idst) ? SA_DSTPORT(ipsa) : 0, in sadb_sa2msg()
1334 if (ipsa->ipsa_flags & IPSA_F_NATT_LOC) { in sadb_sa2msg()
1336 fam, &ipsa->ipsa_natt_addr_loc, ipsa->ipsa_local_nat_port, in sadb_sa2msg()
1345 if (ipsa->ipsa_flags & IPSA_F_NATT_REM) { in sadb_sa2msg()
1347 fam, &ipsa->ipsa_natt_addr_rem, ipsa->ipsa_remote_nat_port, in sadb_sa2msg()
1356 /* If we are a tunnel-mode SA, fill in the inner-selectors. */ in sadb_sa2msg()
1359 pfam, ipsa->ipsa_innersrc, SA_SRCPORT(ipsa), in sadb_sa2msg()
1360 SA_IPROTO(ipsa), ipsa->ipsa_innersrcpfx); in sadb_sa2msg()
1370 pfam, ipsa->ipsa_innerdst, SA_DSTPORT(ipsa), in sadb_sa2msg()
1371 SA_IPROTO(ipsa), ipsa->ipsa_innerdstpfx); in sadb_sa2msg()
1379 if ((ipsa->ipsa_kmp != 0) || (ipsa->ipsa_kmc != 0)) { in sadb_sa2msg()
1381 ipsa->ipsa_kmp, ipsa->ipsa_kmc); in sadb_sa2msg()
1392 key->sadb_key_len = SADB_8TO64(authsize); in sadb_sa2msg()
1393 key->sadb_key_exttype = SADB_EXT_KEY_AUTH; in sadb_sa2msg()
1394 key->sadb_key_bits = ipsa->ipsa_authkeybits; in sadb_sa2msg()
1395 key->sadb_key_reserved = 0; in sadb_sa2msg()
1396 bcopy(ipsa->ipsa_authkey, key + 1, ipsa->ipsa_authkeylen); in sadb_sa2msg()
1398 walker->sadb_ext_len); in sadb_sa2msg()
1404 key->sadb_key_len = SADB_8TO64(encrsize); in sadb_sa2msg()
1405 key->sadb_key_exttype = SADB_EXT_KEY_ENCRYPT; in sadb_sa2msg()
1406 key->sadb_key_bits = ipsa->ipsa_encrkeybits; in sadb_sa2msg()
1407 key->sadb_key_reserved = ipsa->ipsa_saltbits; in sadb_sa2msg()
1409 bcopy(ipsa->ipsa_encrkey, buf_ptr, ipsa->ipsa_encrkeylen); in sadb_sa2msg()
1410 if (ipsa->ipsa_salt != NULL) { in sadb_sa2msg()
1411 buf_ptr += ipsa->ipsa_encrkeylen; in sadb_sa2msg()
1412 bcopy(ipsa->ipsa_salt, buf_ptr, ipsa->ipsa_saltlen); in sadb_sa2msg()
1415 walker->sadb_ext_len); in sadb_sa2msg()
1420 ident->sadb_ident_len = SADB_8TO64(srcidsize); in sadb_sa2msg()
1421 ident->sadb_ident_exttype = SADB_EXT_IDENTITY_SRC; in sadb_sa2msg()
1422 ident->sadb_ident_type = ipsa->ipsa_src_cid->ipsid_type; in sadb_sa2msg()
1423 ident->sadb_ident_id = 0; in sadb_sa2msg()
1424 ident->sadb_ident_reserved = 0; in sadb_sa2msg()
1426 ipsa->ipsa_src_cid->ipsid_cid); in sadb_sa2msg()
1428 walker->sadb_ext_len); in sadb_sa2msg()
1433 ident->sadb_ident_len = SADB_8TO64(dstidsize); in sadb_sa2msg()
1434 ident->sadb_ident_exttype = SADB_EXT_IDENTITY_DST; in sadb_sa2msg()
1435 ident->sadb_ident_type = ipsa->ipsa_dst_cid->ipsid_type; in sadb_sa2msg()
1436 ident->sadb_ident_id = 0; in sadb_sa2msg()
1437 ident->sadb_ident_reserved = 0; in sadb_sa2msg()
1439 ipsa->ipsa_dst_cid->ipsid_cid); in sadb_sa2msg()
1441 walker->sadb_ext_len); in sadb_sa2msg()
1447 ipsa->ipsa_tsl, senslen); in sadb_sa2msg()
1450 walker->sadb_ext_len); in sadb_sa2msg()
1457 ipsa->ipsa_otsl, osenslen); in sadb_sa2msg()
1458 if (ipsa->ipsa_mac_exempt) in sadb_sa2msg()
1459 sens->sadb_x_sens_flags = SADB_X_SENS_IMPLICIT; in sadb_sa2msg()
1462 walker->sadb_ext_len); in sadb_sa2msg()
1468 pair_ext->sadb_x_pair_len = SADB_8TO64(sizeof (sadb_x_pair_t)); in sadb_sa2msg()
1469 pair_ext->sadb_x_pair_exttype = SADB_X_EXT_PAIR; in sadb_sa2msg()
1470 pair_ext->sadb_x_pair_spi = otherspi; in sadb_sa2msg()
1473 walker->sadb_ext_len); in sadb_sa2msg()
1476 if (ipsa->ipsa_replay != 0) { in sadb_sa2msg()
1478 repl_ctr->sadb_x_rc_len = SADB_8TO64(sizeof (*repl_ctr)); in sadb_sa2msg()
1479 repl_ctr->sadb_x_rc_exttype = SADB_X_EXT_REPLAY_VALUE; in sadb_sa2msg()
1480 repl_ctr->sadb_x_rc_replay32 = ipsa->ipsa_replay; in sadb_sa2msg()
1481 repl_ctr->sadb_x_rc_replay64 = 0; in sadb_sa2msg()
1487 mutex_exit(&ipsa->ipsa_lock); in sadb_sa2msg()
1500 * +------+----+-------------+-----------+---------------+---------------+
1502 * +------+----+-------------+-----------+---------------+---------------+
1506 * +------+----+-------------+-----------+---------------+
1508 * +------+----+-------------+-----------+---------------+
1521 msgend += SADB_64TO8(samsg->sadb_msg_len); in sadb_strip()
1523 if (ext->sadb_ext_type == SADB_EXT_RESERVED || in sadb_strip()
1524 ext->sadb_ext_type == SADB_EXT_KEY_AUTH || in sadb_strip()
1525 ext->sadb_ext_type == SADB_X_EXT_EDUMP || in sadb_strip()
1526 ext->sadb_ext_type == SADB_EXT_KEY_ENCRYPT) { in sadb_strip()
1538 copylen = ((uint8_t *)ext) - (target + in sadb_strip()
1540 ((sadb_ext_t *)target)->sadb_ext_len)); in sadb_strip()
1541 ovbcopy(((uint8_t *)ext - copylen), target, in sadb_strip()
1544 ((sadb_ext_t *)target)->sadb_ext_len = in sadb_strip()
1545 SADB_8TO64(((uint8_t *)ext) - target + in sadb_strip()
1546 SADB_64TO8(ext->sadb_ext_len)); in sadb_strip()
1551 sofar += ext->sadb_ext_len; in sadb_strip()
1554 ext = (sadb_ext_t *)(((uint64_t *)ext) + ext->sadb_ext_len); in sadb_strip()
1560 copylen = ((uint8_t *)ext) - (target + in sadb_strip()
1561 SADB_64TO8(((sadb_ext_t *)target)->sadb_ext_len)); in sadb_strip()
1563 ovbcopy(((uint8_t *)ext - copylen), target, copylen); in sadb_strip()
1567 samsg->sadb_msg_len = (uint16_t)sofar; in sadb_strip()
1581 mblk_t *msg = mp->b_cont; in sadb_pfkey_error()
1594 ASSERT((mp->b_wptr - mp->b_rptr) == sizeof (ipsec_info_t)); in sadb_pfkey_error()
1595 ASSERT((msg->b_wptr - msg->b_rptr) >= sizeof (sadb_msg_t)); in sadb_pfkey_error()
1596 samsg = (sadb_msg_t *)msg->b_rptr; in sadb_pfkey_error()
1597 kso = (keysock_out_t *)mp->b_rptr; in sadb_pfkey_error()
1599 kso->ks_out_type = KEYSOCK_OUT; in sadb_pfkey_error()
1600 kso->ks_out_len = sizeof (*kso); in sadb_pfkey_error()
1601 kso->ks_out_serial = serial; in sadb_pfkey_error()
1605 * Don't worry about bzero()-ing, because it was probably bogus in sadb_pfkey_error()
1608 msg->b_wptr = msg->b_rptr + sizeof (*samsg); in sadb_pfkey_error()
1609 samsg = (sadb_msg_t *)msg->b_rptr; in sadb_pfkey_error()
1610 samsg->sadb_msg_len = SADB_8TO64(sizeof (*samsg)); in sadb_pfkey_error()
1611 samsg->sadb_msg_errno = (uint8_t)error; in sadb_pfkey_error()
1613 samsg->sadb_x_msg_diagnostic = (uint16_t)diagnostic; in sadb_pfkey_error()
1634 ASSERT((mp->b_cont != NULL) && in sadb_pfkey_echo()
1635 ((void *)samsg == (void *)mp->b_cont->b_rptr) && in sadb_pfkey_echo()
1636 ((void *)mp->b_rptr == (void *)ksi)); in sadb_pfkey_echo()
1638 switch (samsg->sadb_msg_type) { in sadb_pfkey_echo()
1654 if (ksi->ks_in_extv[SADB_EXT_KEY_AUTH] != NULL || in sadb_pfkey_echo()
1655 ksi->ks_in_extv[SADB_EXT_KEY_ENCRYPT] != NULL || in sadb_pfkey_echo()
1656 ksi->ks_in_extv[SADB_X_EXT_EDUMP] != NULL) { in sadb_pfkey_echo()
1659 ASSERT(mp->b_cont->b_cont == NULL); in sadb_pfkey_echo()
1660 oldend = mp->b_cont->b_wptr; in sadb_pfkey_echo()
1661 mp->b_cont->b_wptr = mp->b_cont->b_rptr + in sadb_pfkey_echo()
1662 SADB_64TO8(samsg->sadb_msg_len); in sadb_pfkey_echo()
1663 bzero(mp->b_cont->b_wptr, oldend - mp->b_cont->b_wptr); in sadb_pfkey_echo()
1675 SADB_X_DIAGNOSTIC_NONE, ksi->ks_in_serial); in sadb_pfkey_echo()
1678 freemsg(mp->b_cont); in sadb_pfkey_echo()
1679 mp->b_cont = mp1; in sadb_pfkey_echo()
1692 SADB_X_DIAGNOSTIC_NONE, ksi->ks_in_serial); in sadb_pfkey_echo()
1695 newsamsg = (sadb_msg_t *)mp1->b_rptr; in sadb_pfkey_echo()
1697 oldend = mp1->b_wptr; in sadb_pfkey_echo()
1698 mp1->b_wptr = mp1->b_rptr + SADB_64TO8(newsamsg->sadb_msg_len); in sadb_pfkey_echo()
1699 bzero(mp1->b_wptr, oldend - mp1->b_wptr); in sadb_pfkey_echo()
1700 freemsg(mp->b_cont); in sadb_pfkey_echo()
1701 mp->b_cont = mp1; in sadb_pfkey_echo()
1710 kso->ks_out_type = KEYSOCK_OUT; in sadb_pfkey_echo()
1711 kso->ks_out_len = sizeof (*kso); in sadb_pfkey_echo()
1712 kso->ks_out_serial = ksi->ks_in_serial; in sadb_pfkey_echo()
1747 kha = (keysock_hello_ack_t *)mp->b_rptr; in sadb_keysock_hello()
1748 kha->ks_hello_len = sizeof (keysock_hello_ack_t); in sadb_keysock_hello()
1749 kha->ks_hello_type = KEYSOCK_HELLO_ACK; in sadb_keysock_hello()
1750 kha->ks_hello_satype = (uint8_t)satype; in sadb_keysock_hello()
1764 * Normalize IPv4-mapped IPv6 addresses (and prefixes) as appropriate.
1767 * Check ire table for local/non-local/broadcast.
1780 ASSERT((ext->sadb_ext_type == SADB_EXT_ADDRESS_SRC) || in sadb_addrcheck()
1781 (ext->sadb_ext_type == SADB_EXT_ADDRESS_DST) || in sadb_addrcheck()
1782 (ext->sadb_ext_type == SADB_X_EXT_ADDRESS_INNER_SRC) || in sadb_addrcheck()
1783 (ext->sadb_ext_type == SADB_X_EXT_ADDRESS_INNER_DST) || in sadb_addrcheck()
1784 (ext->sadb_ext_type == SADB_X_EXT_ADDRESS_NATT_LOC) || in sadb_addrcheck()
1785 (ext->sadb_ext_type == SADB_X_EXT_ADDRESS_NATT_REM)); in sadb_addrcheck()
1793 if (sin6->sin6_family == AF_INET6) { in sadb_addrcheck()
1794 if (IN6_IS_ADDR_V4MAPPED(&sin6->sin6_addr)) { in sadb_addrcheck()
1805 sin->sin_family = AF_INET; in sadb_addrcheck()
1806 IN6_V4MAPPED_TO_INADDR(&sin6->sin6_addr, in sadb_addrcheck()
1807 &sin->sin_addr); in sadb_addrcheck()
1808 bzero(&sin->sin_zero, sizeof (sin->sin_zero)); in sadb_addrcheck()
1811 } else if (sin->sin_family != AF_INET) { in sadb_addrcheck()
1812 switch (ext->sadb_ext_type) { in sadb_addrcheck()
1844 samsg->sadb_msg_errno = EINVAL; in sadb_addrcheck()
1845 samsg->sadb_x_msg_diagnostic = diagnostic; in sadb_addrcheck()
1850 if (ext->sadb_ext_type == SADB_X_EXT_ADDRESS_INNER_SRC || in sadb_addrcheck()
1851 ext->sadb_ext_type == SADB_X_EXT_ADDRESS_INNER_DST) { in sadb_addrcheck()
1858 (ext->sadb_ext_type == SADB_X_EXT_ADDRESS_INNER_SRC) ? in sadb_addrcheck()
1863 addr->sadb_address_prefixlen -= 96; in sadb_addrcheck()
1866 * Verify and mask out inner-addresses based on prefix length. in sadb_addrcheck()
1868 if (sin->sin_family == AF_INET) { in sadb_addrcheck()
1869 if (addr->sadb_address_prefixlen > 32) in sadb_addrcheck()
1871 sin->sin_addr.s_addr &= in sadb_addrcheck()
1872 ip_plen_to_mask(addr->sadb_address_prefixlen); in sadb_addrcheck()
1876 ASSERT(sin->sin_family == AF_INET6); in sadb_addrcheck()
1881 if (ip_plen_to_mask_v6(addr->sadb_address_prefixlen, in sadb_addrcheck()
1884 sin6->sin6_addr.s6_addr32[0] &= mask.s6_addr32[0]; in sadb_addrcheck()
1885 sin6->sin6_addr.s6_addr32[1] &= mask.s6_addr32[1]; in sadb_addrcheck()
1886 sin6->sin6_addr.s6_addr32[2] &= mask.s6_addr32[2]; in sadb_addrcheck()
1887 sin6->sin6_addr.s6_addr32[3] &= mask.s6_addr32[3]; in sadb_addrcheck()
1894 if (sin->sin_family == AF_INET6) { in sadb_addrcheck()
1896 if (IN6_IS_ADDR_MULTICAST(&sin6->sin6_addr)) in sadb_addrcheck()
1898 if (IN6_IS_ADDR_UNSPECIFIED(&sin6->sin6_addr)) in sadb_addrcheck()
1903 * XXX Zones alert -> me/notme decision needs to be tempered in sadb_addrcheck()
1904 * by what zone we're in when we go to zone-aware IPsec. in sadb_addrcheck()
1906 if (ip_type_v6(&sin6->sin6_addr, ns->netstack_ip) == in sadb_addrcheck()
1912 ASSERT(sin->sin_family == AF_INET); in sadb_addrcheck()
1913 if (sin->sin_addr.s_addr == INADDR_ANY) in sadb_addrcheck()
1915 if (CLASSD(sin->sin_addr.s_addr)) in sadb_addrcheck()
1922 * XXX Zones alert -> me/notme decision needs to be tempered in sadb_addrcheck()
1923 * by what zone we're in when we go to zone-aware IPsec. in sadb_addrcheck()
1925 type = ip_type_v4(sin->sin_addr.s_addr, ns->netstack_ip); in sadb_addrcheck()
1950 sadb_ext_t **extv = ksi->ks_in_extv; in sadb_addrfix()
1955 ksi->ks_in_serial, ns); in sadb_addrfix()
1960 SADB_X_DIAGNOSTIC_BAD_SRC, ksi->ks_in_serial); in sadb_addrfix()
1963 ksi->ks_in_srctype = rc; in sadb_addrfix()
1968 ksi->ks_in_serial, ns); in sadb_addrfix()
1973 SADB_X_DIAGNOSTIC_BAD_DST, ksi->ks_in_serial); in sadb_addrfix()
1976 ksi->ks_in_dsttype = rc; in sadb_addrfix()
1980 * NAT-Traversal addrs are simple enough to not require all of in sadb_addrfix()
1986 extv[SADB_X_EXT_ADDRESS_NATT_LOC], ksi->ks_in_serial, ns); in sadb_addrfix()
1989 * Local NAT-T addresses never use an IRE_LOCAL, so it should in sadb_addrfix()
1991 * AND local-port flexibility). in sadb_addrfix()
1996 ksi->ks_in_serial); in sadb_addrfix()
2001 if (src->sin_family != AF_INET) { in sadb_addrfix()
2004 ksi->ks_in_serial); in sadb_addrfix()
2011 extv[SADB_X_EXT_ADDRESS_NATT_REM], ksi->ks_in_serial, ns); in sadb_addrfix()
2014 * Remote NAT-T addresses never use an IRE_LOCAL, so it should in sadb_addrfix()
2015 * always be NOTME, or UNSPEC if it's a tunnel-mode SA. in sadb_addrfix()
2022 ksi->ks_in_serial); in sadb_addrfix()
2027 if (src->sin_family != AF_INET) { in sadb_addrfix()
2030 ksi->ks_in_serial); in sadb_addrfix()
2039 ksi->ks_in_serial); in sadb_addrfix()
2044 extv[SADB_X_EXT_ADDRESS_INNER_DST], ksi->ks_in_serial, ns) in sadb_addrfix()
2047 extv[SADB_X_EXT_ADDRESS_INNER_SRC], ksi->ks_in_serial, ns) in sadb_addrfix()
2057 if (isrc->sin_family != idst->sin6_family) { in sadb_addrfix()
2060 ksi->ks_in_serial); in sadb_addrfix()
2066 ksi->ks_in_serial); in sadb_addrfix()
2082 (isrc->sin_port != 0 || idst->sin6_port != 0) && in sadb_addrfix()
2083 (src->sin_port != 0 || dst->sin6_port != 0)) { in sadb_addrfix()
2087 ksi->ks_in_serial); in sadb_addrfix()
2091 if (dst->sin6_family == src->sin_family) in sadb_addrfix()
2094 if (srcext->sadb_address_proto != dstext->sadb_address_proto) { in sadb_addrfix()
2095 if (srcext->sadb_address_proto == 0) { in sadb_addrfix()
2096 srcext->sadb_address_proto = dstext->sadb_address_proto; in sadb_addrfix()
2097 } else if (dstext->sadb_address_proto == 0) { in sadb_addrfix()
2098 dstext->sadb_address_proto = srcext->sadb_address_proto; in sadb_addrfix()
2103 ksi->ks_in_serial); in sadb_addrfix()
2112 if (src->sin_family == AF_INET || in sadb_addrfix()
2113 ksi->ks_in_srctype != KS_IN_ADDR_UNSPEC) { in sadb_addrfix()
2115 SADB_X_DIAGNOSTIC_AF_MISMATCH, ksi->ks_in_serial); in sadb_addrfix()
2123 sport = src->sin_port; in sadb_addrfix()
2125 src->sin_family = AF_INET; in sadb_addrfix()
2126 src->sin_port = sport; in sadb_addrfix()
2138 if ((ire->ire_type & IRE_BROADCAST) || in sadb_addrset()
2139 (ire->ire_ipversion == IPV4_VERSION && CLASSD(ire->ire_addr)) || in sadb_addrset()
2140 (ire->ire_ipversion == IPV6_VERSION && in sadb_addrset()
2141 IN6_IS_ADDR_MULTICAST(&(ire->ire_addr_v6)))) in sadb_addrset()
2143 if (ire->ire_type & (IRE_LOCAL | IRE_LOOPBACK)) in sadb_addrset()
2157 return (sq->spi == sa->ipsa_spi); in sadb_match_spi()
2163 return (IPSA_ARE_ADDR_EQUAL(sa->ipsa_dstaddr, sq->dstaddr, AF_INET6)); in sadb_match_dst_v6()
2169 return (IPSA_ARE_ADDR_EQUAL(sa->ipsa_srcaddr, sq->srcaddr, AF_INET6)); in sadb_match_src_v6()
2175 return (sq->dstaddr[0] == sa->ipsa_dstaddr[0]); in sadb_match_dst_v4()
2181 return (sq->srcaddr[0] == sa->ipsa_srcaddr[0]); in sadb_match_src_v4()
2187 return ((sa->ipsa_dst_cid != NULL) && in sadb_match_dstid()
2188 (sq->didtype == sa->ipsa_dst_cid->ipsid_type) && in sadb_match_dstid()
2189 (strcmp(sq->didstr, sa->ipsa_dst_cid->ipsid_cid) == 0)); in sadb_match_dstid()
2195 return ((sa->ipsa_src_cid != NULL) && in sadb_match_srcid()
2196 (sq->sidtype == sa->ipsa_src_cid->ipsid_type) && in sadb_match_srcid()
2197 (strcmp(sq->sidstr, sa->ipsa_src_cid->ipsid_cid) == 0)); in sadb_match_srcid()
2205 return (M(sq->kmc, sa->ipsa_kmc) && M(sq->kmp, sa->ipsa_kmp)); in sadb_match_kmc()
2222 ipsa_match_fn_t *mfpp = &(sq->matchers[0]); in sadb_form_query()
2225 sq->matchers[i] = NULL; in sadb_form_query()
2229 sq->req = req; in sadb_form_query()
2230 sq->dstext = (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_DST]; in sadb_form_query()
2231 sq->srcext = (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_SRC]; in sadb_form_query()
2232 sq->assoc = (sadb_sa_t *)ksi->ks_in_extv[SADB_EXT_SA]; in sadb_form_query()
2234 if ((req & IPSA_Q_DST) && (sq->dstext == NULL)) { in sadb_form_query()
2238 if ((req & IPSA_Q_SRC) && (sq->srcext == NULL)) { in sadb_form_query()
2242 if ((req & IPSA_Q_SA) && (sq->assoc == NULL)) { in sadb_form_query()
2249 sq->spi = sq->assoc->sadb_sa_spi; in sadb_form_query()
2252 if (sq->dstext != NULL) in sadb_form_query()
2253 sq->dst = (struct sockaddr_in *)(sq->dstext + 1); in sadb_form_query()
2255 sq->dst = NULL; in sadb_form_query()
2256 sq->dst6 = NULL; in sadb_form_query()
2257 sq->dstaddr = NULL; in sadb_form_query()
2260 if (sq->srcext != NULL) in sadb_form_query()
2261 sq->src = (struct sockaddr_in *)(sq->srcext + 1); in sadb_form_query()
2263 sq->src = NULL; in sadb_form_query()
2264 sq->src6 = NULL; in sadb_form_query()
2265 sq->srcaddr = NULL; in sadb_form_query()
2268 if (sq->dst != NULL) in sadb_form_query()
2269 sq->af = sq->dst->sin_family; in sadb_form_query()
2270 else if (sq->src != NULL) in sadb_form_query()
2271 sq->af = sq->src->sin_family; in sadb_form_query()
2273 sq->af = AF_INET; in sadb_form_query()
2275 if (sq->af == AF_INET6) { in sadb_form_query()
2276 if ((match & IPSA_Q_DST) && (sq->dstext != NULL)) { in sadb_form_query()
2278 sq->dst6 = (struct sockaddr_in6 *)sq->dst; in sadb_form_query()
2279 sq->dstaddr = (uint32_t *)&(sq->dst6->sin6_addr); in sadb_form_query()
2282 sq->dstaddr = ALL_ZEROES_PTR; in sadb_form_query()
2285 if ((match & IPSA_Q_SRC) && (sq->srcext != NULL)) { in sadb_form_query()
2286 sq->src6 = (struct sockaddr_in6 *)(sq->srcext + 1); in sadb_form_query()
2287 sq->srcaddr = (uint32_t *)&sq->src6->sin6_addr; in sadb_form_query()
2288 if (sq->src6->sin6_family != AF_INET6) { in sadb_form_query()
2295 sq->srcaddr = ALL_ZEROES_PTR; in sadb_form_query()
2298 sq->src6 = sq->dst6 = NULL; in sadb_form_query()
2299 if ((match & IPSA_Q_DST) && (sq->dstext != NULL)) { in sadb_form_query()
2301 sq->dstaddr = (uint32_t *)&sq->dst->sin_addr; in sadb_form_query()
2304 sq->dstaddr = ALL_ZEROES_PTR; in sadb_form_query()
2306 if ((match & IPSA_Q_SRC) && (sq->srcext != NULL)) { in sadb_form_query()
2307 sq->srcaddr = (uint32_t *)&sq->src->sin_addr; in sadb_form_query()
2308 if (sq->src->sin_family != AF_INET) { in sadb_form_query()
2315 sq->srcaddr = ALL_ZEROES_PTR; in sadb_form_query()
2319 sq->dstid = (sadb_ident_t *)ksi->ks_in_extv[SADB_EXT_IDENTITY_DST]; in sadb_form_query()
2320 if ((match & IPSA_Q_DSTID) && (sq->dstid != NULL)) { in sadb_form_query()
2321 sq->didstr = (char *)(sq->dstid + 1); in sadb_form_query()
2322 sq->didtype = sq->dstid->sadb_ident_type; in sadb_form_query()
2326 sq->srcid = (sadb_ident_t *)ksi->ks_in_extv[SADB_EXT_IDENTITY_SRC]; in sadb_form_query()
2328 if ((match & IPSA_Q_SRCID) && (sq->srcid != NULL)) { in sadb_form_query()
2329 sq->sidstr = (char *)(sq->srcid + 1); in sadb_form_query()
2330 sq->sidtype = sq->srcid->sadb_ident_type; in sadb_form_query()
2334 sq->kmcext = (sadb_x_kmc_t *)ksi->ks_in_extv[SADB_X_EXT_KM_COOKIE]; in sadb_form_query()
2335 sq->kmc = 0; in sadb_form_query()
2336 sq->kmp = 0; in sadb_form_query()
2338 if ((match & IPSA_Q_KMC) && (sq->kmcext)) { in sadb_form_query()
2339 sq->kmp = sq->kmcext->sadb_x_kmc_proto; in sadb_form_query()
2341 * Be liberal in what we receive. Special-case the IKEv1 in sadb_form_query()
2342 * cookie, which closed-source in.iked assumes is 32 bits. in sadb_form_query()
2343 * Now that we store all 64 bits, we should pre-zero the in sadb_form_query()
2344 * reserved field on behalf of closed-source in.iked. in sadb_form_query()
2346 if (sq->kmp == SADB_X_KMP_IKE) { in sadb_form_query()
2348 sq->kmcext->sadb_x_kmc_reserved = 0; in sadb_form_query()
2350 sq->kmc = sq->kmcext->sadb_x_kmc_cookie64; in sadb_form_query()
2355 if (sq->af == AF_INET6) in sadb_form_query()
2356 sq->sp = &sq->spp->s_v6; in sadb_form_query()
2358 sq->sp = &sq->spp->s_v4; in sadb_form_query()
2360 sq->sp = NULL; in sadb_form_query()
2364 sq->inhash = INBOUND_HASH(sq->sp, sq->assoc->sadb_sa_spi); in sadb_form_query()
2365 sq->inbound = &sq->sp->sdb_if[sq->inhash]; in sadb_form_query()
2367 sq->inhash = 0; in sadb_form_query()
2368 sq->inbound = NULL; in sadb_form_query()
2372 if (sq->af == AF_INET6) { in sadb_form_query()
2373 sq->outhash = OUTBOUND_HASH_V6(sq->sp, *(sq->dstaddr)); in sadb_form_query()
2375 sq->outhash = OUTBOUND_HASH_V4(sq->sp, *(sq->dstaddr)); in sadb_form_query()
2377 sq->outbound = &sq->sp->sdb_of[sq->outhash]; in sadb_form_query()
2379 sq->outhash = 0; in sadb_form_query()
2380 sq->outbound = NULL; in sadb_form_query()
2382 sq->match = match; in sadb_form_query()
2394 ipsa_match_fn_t *mfpp = &(sq->matchers[0]); in sadb_match_query()
2422 ASSERT(MUTEX_HELD(&head->isaf_lock)); in sadb_purge_cb()
2424 mutex_enter(&entry->ipsa_lock); in sadb_purge_cb()
2426 if (entry->ipsa_state == IPSA_STATE_LARVAL || in sadb_purge_cb()
2427 !sadb_match_query(&ps->sq, entry)) { in sadb_purge_cb()
2428 mutex_exit(&entry->ipsa_lock); in sadb_purge_cb()
2432 if (ps->inbnd) { in sadb_purge_cb()
2435 entry->ipsa_state = IPSA_STATE_DEAD; in sadb_purge_cb()
2458 * - we can limit how many places we search based on where we in sadb_purge_sa()
2460 * - if we get a dst address, we can hash based on dst addr to find in sadb_purge_sa()
2464 sadb_walker(sp->sdb_if, sp->sdb_hashsize, sadb_purge_cb, &ps); in sadb_purge_sa()
2466 sadb_walker(sp->sdb_of, sp->sdb_hashsize, sadb_purge_cb, &ps); in sadb_purge_sa()
2468 ASSERT(mp->b_cont != NULL); in sadb_purge_sa()
2469 sadb_pfkey_echo(pfkey_q, mp, (sadb_msg_t *)mp->b_cont->b_rptr, ksi, in sadb_purge_sa()
2480 ipsa_query_t *sq = &ps->sq; in sadb_delpair_state_one()
2482 ASSERT(MUTEX_HELD(&head->isaf_lock)); in sadb_delpair_state_one()
2484 mutex_enter(&entry->ipsa_lock); in sadb_delpair_state_one()
2486 if ((entry->ipsa_state != ps->sadb_sa_state) || in sadb_delpair_state_one()
2487 ((sq->srcaddr != NULL) && in sadb_delpair_state_one()
2488 !IPSA_ARE_ADDR_EQUAL(entry->ipsa_srcaddr, sq->srcaddr, sq->af))) { in sadb_delpair_state_one()
2489 mutex_exit(&entry->ipsa_lock); in sadb_delpair_state_one()
2495 * and we are preserving the outbound-then-inbound hash-bucket lock in sadb_delpair_state_one()
2501 if (entry->ipsa_haspeer) { in sadb_delpair_state_one()
2502 inbound_bucket = INBOUND_BUCKET(sq->sp, entry->ipsa_spi); in sadb_delpair_state_one()
2503 mutex_enter(&inbound_bucket->isaf_lock); in sadb_delpair_state_one()
2505 entry->ipsa_spi, entry->ipsa_srcaddr, in sadb_delpair_state_one()
2506 entry->ipsa_dstaddr, entry->ipsa_addrfam); in sadb_delpair_state_one()
2508 inbound_bucket = INBOUND_BUCKET(sq->sp, entry->ipsa_otherspi); in sadb_delpair_state_one()
2509 mutex_enter(&inbound_bucket->isaf_lock); in sadb_delpair_state_one()
2511 entry->ipsa_otherspi, entry->ipsa_dstaddr, in sadb_delpair_state_one()
2512 entry->ipsa_srcaddr, entry->ipsa_addrfam); in sadb_delpair_state_one()
2515 entry->ipsa_state = IPSA_STATE_DEAD; in sadb_delpair_state_one()
2518 mutex_enter(&peer_assoc->ipsa_lock); in sadb_delpair_state_one()
2519 peer_assoc->ipsa_state = IPSA_STATE_DEAD; in sadb_delpair_state_one()
2522 mutex_exit(&inbound_bucket->isaf_lock); in sadb_delpair_state_one()
2529 sadb_sa_t *assoc = (sadb_sa_t *)ksi->ks_in_extv[SADB_EXT_SA]; in sadb_delpair_state()
2542 ps.sadb_sa_state = assoc->sadb_sa_state; in sadb_delpair_state()
2543 sadb_walker(ps.sq.sp->sdb_of, ps.sq.sp->sdb_hashsize, in sadb_delpair_state()
2546 ASSERT(mp->b_cont != NULL); in sadb_delpair_state()
2547 sadb_pfkey_echo(pfkey_q, mp, (sadb_msg_t *)mp->b_cont->b_rptr, in sadb_delpair_state()
2591 mutex_enter(&ipsapp.ipsap_pbucket->isaf_lock); in sadb_delget_sa()
2592 mutex_enter(&ipsapp.ipsap_bucket->isaf_lock); in sadb_delget_sa()
2594 mutex_enter(&ipsapp.ipsap_bucket->isaf_lock); in sadb_delget_sa()
2595 mutex_enter(&ipsapp.ipsap_pbucket->isaf_lock); in sadb_delget_sa()
2599 mutex_enter(&ipsapp.ipsap_sa_ptr->ipsa_lock); in sadb_delget_sa()
2600 if (ipsapp.ipsap_sa_ptr->ipsa_flags & IPSA_F_INBOUND) { in sadb_delget_sa()
2603 ipsapp.ipsap_sa_ptr->ipsa_state = IPSA_STATE_DEAD; in sadb_delget_sa()
2613 mutex_enter(&ipsapp.ipsap_psa_ptr->ipsa_lock); in sadb_delget_sa()
2615 ipsapp.ipsap_psa_ptr->ipsa_haspeer) { in sadb_delget_sa()
2616 if (ipsapp.ipsap_psa_ptr->ipsa_flags & in sadb_delget_sa()
2621 ipsapp.ipsap_psa_ptr->ipsa_state = in sadb_delget_sa()
2631 ipsapp.ipsap_psa_ptr->ipsa_otherspi = 0; in sadb_delget_sa()
2632 ipsapp.ipsap_psa_ptr->ipsa_flags &= in sadb_delget_sa()
2634 mutex_exit(&ipsapp.ipsap_psa_ptr->ipsa_lock); in sadb_delget_sa()
2640 mutex_exit(&ipsapp.ipsap_bucket->isaf_lock); in sadb_delget_sa()
2641 mutex_exit(&ipsapp.ipsap_pbucket->isaf_lock); in sadb_delget_sa()
2644 ASSERT(mp->b_cont != NULL); in sadb_delget_sa()
2648 mp->b_cont->b_rptr, ksi, echo_target); in sadb_delget_sa()
2690 ipsapp->in_inbound_table = B_FALSE; in get_ipsa_pair()
2693 mutex_enter(&sq->outbound->isaf_lock); in get_ipsa_pair()
2694 mutex_enter(&sq->inbound->isaf_lock); in get_ipsa_pair()
2696 if (sq->assoc->sadb_sa_flags & IPSA_F_INBOUND) { in get_ipsa_pair()
2697 ipsapp->ipsap_sa_ptr = ipsec_getassocbyspi(sq->inbound, in get_ipsa_pair()
2698 sq->assoc->sadb_sa_spi, sq->srcaddr, sq->dstaddr, sq->af); in get_ipsa_pair()
2699 if (ipsapp->ipsap_sa_ptr != NULL) { in get_ipsa_pair()
2700 ipsapp->ipsap_bucket = sq->inbound; in get_ipsa_pair()
2701 ipsapp->ipsap_pbucket = sq->outbound; in get_ipsa_pair()
2702 ipsapp->in_inbound_table = B_TRUE; in get_ipsa_pair()
2704 ipsapp->ipsap_sa_ptr = ipsec_getassocbyspi(sq->outbound, in get_ipsa_pair()
2705 sq->assoc->sadb_sa_spi, sq->srcaddr, sq->dstaddr, in get_ipsa_pair()
2706 sq->af); in get_ipsa_pair()
2707 ipsapp->ipsap_bucket = sq->outbound; in get_ipsa_pair()
2708 ipsapp->ipsap_pbucket = sq->inbound; in get_ipsa_pair()
2712 ipsapp->ipsap_sa_ptr = in get_ipsa_pair()
2713 ipsec_getassocbyspi(sq->outbound, in get_ipsa_pair()
2714 sq->assoc->sadb_sa_spi, sq->srcaddr, sq->dstaddr, sq->af); in get_ipsa_pair()
2715 if (ipsapp->ipsap_sa_ptr != NULL) { in get_ipsa_pair()
2716 ipsapp->ipsap_bucket = sq->outbound; in get_ipsa_pair()
2717 ipsapp->ipsap_pbucket = sq->inbound; in get_ipsa_pair()
2719 ipsapp->ipsap_sa_ptr = ipsec_getassocbyspi(sq->inbound, in get_ipsa_pair()
2720 sq->assoc->sadb_sa_spi, sq->srcaddr, sq->dstaddr, in get_ipsa_pair()
2721 sq->af); in get_ipsa_pair()
2722 ipsapp->ipsap_bucket = sq->inbound; in get_ipsa_pair()
2723 ipsapp->ipsap_pbucket = sq->outbound; in get_ipsa_pair()
2724 if (ipsapp->ipsap_sa_ptr != NULL) in get_ipsa_pair()
2725 ipsapp->in_inbound_table = B_TRUE; in get_ipsa_pair()
2729 if (ipsapp->ipsap_sa_ptr == NULL) { in get_ipsa_pair()
2730 mutex_exit(&sq->outbound->isaf_lock); in get_ipsa_pair()
2731 mutex_exit(&sq->inbound->isaf_lock); in get_ipsa_pair()
2736 if ((ipsapp->ipsap_sa_ptr->ipsa_state == IPSA_STATE_LARVAL) && in get_ipsa_pair()
2737 ipsapp->in_inbound_table) { in get_ipsa_pair()
2738 mutex_exit(&sq->outbound->isaf_lock); in get_ipsa_pair()
2739 mutex_exit(&sq->inbound->isaf_lock); in get_ipsa_pair()
2743 mutex_enter(&ipsapp->ipsap_sa_ptr->ipsa_lock); in get_ipsa_pair()
2744 if (ipsapp->ipsap_sa_ptr->ipsa_haspeer) { in get_ipsa_pair()
2749 ipsapp->ipsap_psa_ptr = in get_ipsa_pair()
2750 ipsec_getassocbyspi(ipsapp->ipsap_pbucket, in get_ipsa_pair()
2751 sq->assoc->sadb_sa_spi, sq->srcaddr, sq->dstaddr, sq->af); in get_ipsa_pair()
2752 mutex_exit(&ipsapp->ipsap_sa_ptr->ipsa_lock); in get_ipsa_pair()
2753 mutex_exit(&sq->outbound->isaf_lock); in get_ipsa_pair()
2754 mutex_exit(&sq->inbound->isaf_lock); in get_ipsa_pair()
2757 pair_spi = ipsapp->ipsap_sa_ptr->ipsa_otherspi; in get_ipsa_pair()
2759 ipsapp->ipsap_sa_ptr->ipsa_srcaddr, sq->af); in get_ipsa_pair()
2761 ipsapp->ipsap_sa_ptr->ipsa_dstaddr, sq->af); in get_ipsa_pair()
2762 mutex_exit(&ipsapp->ipsap_sa_ptr->ipsa_lock); in get_ipsa_pair()
2763 mutex_exit(&sq->inbound->isaf_lock); in get_ipsa_pair()
2764 mutex_exit(&sq->outbound->isaf_lock); in get_ipsa_pair()
2767 ASSERT(ipsapp->ipsap_bucket != NULL); in get_ipsa_pair()
2768 ASSERT(ipsapp->ipsap_pbucket != NULL); in get_ipsa_pair()
2774 if (ipsapp->in_inbound_table) { in get_ipsa_pair()
2776 if (sq->af == AF_INET6) { in get_ipsa_pair()
2777 ipsapp->ipsap_pbucket = OUTBOUND_BUCKET_V6(sq->sp, in get_ipsa_pair()
2780 ipsapp->ipsap_pbucket = OUTBOUND_BUCKET_V4(sq->sp, in get_ipsa_pair()
2784 ipsapp->ipsap_pbucket = INBOUND_BUCKET(sq->sp, pair_spi); in get_ipsa_pair()
2786 mutex_enter(&ipsapp->ipsap_pbucket->isaf_lock); in get_ipsa_pair()
2787 ipsapp->ipsap_psa_ptr = ipsec_getassocbyspi(ipsapp->ipsap_pbucket, in get_ipsa_pair()
2788 pair_spi, pair_dstaddr, pair_srcaddr, sq->af); in get_ipsa_pair()
2789 mutex_exit(&ipsapp->ipsap_pbucket->isaf_lock); in get_ipsa_pair()
2790 ASSERT(ipsapp->ipsap_bucket != NULL); in get_ipsa_pair()
2791 ASSERT(ipsapp->ipsap_pbucket != NULL); in get_ipsa_pair()
2796 * Perform NAT-traversal cached checksum offset calculations here.
2816 ASSERT(natt_rem->sin_family == AF_INET); in sadb_nat_calculations()
2818 natt_rem_ptr = (uint32_t *)(&natt_rem->sin_addr); in sadb_nat_calculations()
2819 newbie->ipsa_remote_nat_port = natt_rem->sin_port; in sadb_nat_calculations()
2824 newbie->ipsa_natt_addr_rem = *natt_rem_ptr; in sadb_nat_calculations()
2838 l_src--; in sadb_nat_calculations()
2840 running_sum += l_src - l_rem; in sadb_nat_calculations()
2850 ASSERT(natt_loc->sin_family == AF_INET); in sadb_nat_calculations()
2852 natt_loc_ptr = (uint32_t *)(&natt_loc->sin_addr); in sadb_nat_calculations()
2853 newbie->ipsa_local_nat_port = natt_loc->sin_port; in sadb_nat_calculations()
2856 newbie->ipsa_natt_addr_loc = *natt_loc_ptr; in sadb_nat_calculations()
2859 * NAT-T port agility means we may have natt_loc_ext, but in sadb_nat_calculations()
2860 * only for a local-port change. in sadb_nat_calculations()
2862 if (natt_loc->sin_addr.s_addr != INADDR_ANY) { in sadb_nat_calculations()
2876 l_dst--; in sadb_nat_calculations()
2878 running_sum += l_dst - l_loc; in sadb_nat_calculations()
2884 newbie->ipsa_inbound_cksum = running_sum; in sadb_nat_calculations()
2889 * This function is called from consumers that need to insert a fully-grown
2901 * various error conditions. We may need to set samsg->sadb_x_msg_diagnostic
2913 sadb_sa_t *assoc = (sadb_sa_t *)ksi->ks_in_extv[SADB_EXT_SA];
2915 (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_SRC];
2917 (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_DST];
2919 (sadb_address_t *)ksi->ks_in_extv[SADB_X_EXT_ADDRESS_INNER_SRC];
2921 (sadb_address_t *)ksi->ks_in_extv[SADB_X_EXT_ADDRESS_INNER_DST];
2923 (sadb_x_kmc_t *)ksi->ks_in_extv[SADB_X_EXT_KM_COOKIE];
2924 sadb_key_t *akey = (sadb_key_t *)ksi->ks_in_extv[SADB_EXT_KEY_AUTH];
2925 sadb_key_t *ekey = (sadb_key_t *)ksi->ks_in_extv[SADB_EXT_KEY_ENCRYPT];
2927 (sadb_sens_t *)ksi->ks_in_extv[SADB_EXT_SENSITIVITY];
2929 (sadb_sens_t *)ksi->ks_in_extv[SADB_X_EXT_OUTER_SENS];
2931 (sadb_x_pair_t *)ksi->ks_in_extv[SADB_X_EXT_PAIR];
2933 (sadb_x_replay_ctr_t *)ksi->ks_in_extv[SADB_X_EXT_REPLAY_VALUE];
2935 (samsg->sadb_msg_satype == SADB_SATYPE_AH) ? IPPROTO_AH:IPPROTO_ESP;
2941 (sadb_lifetime_t *)ksi->ks_in_extv[SADB_EXT_LIFETIME_SOFT];
2943 (sadb_lifetime_t *)ksi->ks_in_extv[SADB_EXT_LIFETIME_HARD];
2945 (sadb_lifetime_t *)ksi->ks_in_extv[SADB_X_EXT_LIFETIME_IDLE];
2950 ipsec_stack_t *ipss = ns->netstack_ipsec;
2951 ip_stack_t *ipst = ns->netstack_ip;
2986 af = src->sin_family;
2989 src_addr_ptr = (uint32_t *)&src->sin_addr;
2990 dst_addr_ptr = (uint32_t *)&dst->sin_addr;
2993 src_addr_ptr = (uint32_t *)&src6->sin6_addr;
2994 dst_addr_ptr = (uint32_t *)&dst6->sin6_addr;
2999 (assoc->sadb_sa_state != SADB_X_SASTATE_ACTIVE_ELSEWHERE)) {
3000 rcode = cl_inet_checkspi(ns->netstack_stackid, protocol,
3001 assoc->sadb_sa_spi, NULL);
3002 if (rcode == -1) {
3022 newbie = sadb_makelarvalassoc(assoc->sadb_sa_spi,
3028 mutex_enter(&newbie->ipsa_lock);
3031 if (isrc->sin_family == AF_INET) {
3032 if (srcext->sadb_address_proto != IPPROTO_ENCAP) {
3033 if (srcext->sadb_address_proto != 0) {
3035 * Mismatched outer-packet protocol
3036 * and inner-packet address family.
3038 mutex_exit(&newbie->ipsa_lock);
3045 srcext->sadb_address_proto =
3047 dstext->sadb_address_proto =
3051 isrc_addr_ptr = (uint32_t *)&isrc->sin_addr;
3052 idst_addr_ptr = (uint32_t *)&idst->sin_addr;
3054 ASSERT(isrc->sin_family == AF_INET6);
3055 if (srcext->sadb_address_proto != IPPROTO_IPV6) {
3056 if (srcext->sadb_address_proto != 0) {
3058 * Mismatched outer-packet protocol
3059 * and inner-packet address family.
3061 mutex_exit(&newbie->ipsa_lock);
3068 srcext->sadb_address_proto =
3070 dstext->sadb_address_proto =
3074 isrc_addr_ptr = (uint32_t *)&isrc6->sin6_addr;
3075 idst_addr_ptr = (uint32_t *)&idst6->sin6_addr;
3077 newbie->ipsa_innerfam = isrc->sin_family;
3079 IPSA_COPY_ADDR(newbie->ipsa_innersrc, isrc_addr_ptr,
3080 newbie->ipsa_innerfam);
3081 IPSA_COPY_ADDR(newbie->ipsa_innerdst, idst_addr_ptr,
3082 newbie->ipsa_innerfam);
3083 newbie->ipsa_innersrcpfx = isrcext->sadb_address_prefixlen;
3084 newbie->ipsa_innerdstpfx = idstext->sadb_address_prefixlen;
3086 /* Unique value uses inner-ports for Tunnel Mode... */
3087 newbie->ipsa_unique_id = SA_UNIQUE_ID(isrc->sin_port,
3088 idst->sin_port, dstext->sadb_address_proto,
3089 idstext->sadb_address_proto);
3090 newbie->ipsa_unique_mask = SA_UNIQUE_MASK(isrc->sin_port,
3091 idst->sin_port, dstext->sadb_address_proto,
3092 idstext->sadb_address_proto);
3094 /* ... and outer-ports for Transport Mode. */
3095 newbie->ipsa_unique_id = SA_UNIQUE_ID(src->sin_port,
3096 dst->sin_port, dstext->sadb_address_proto, 0);
3097 newbie->ipsa_unique_mask = SA_UNIQUE_MASK(src->sin_port,
3098 dst->sin_port, dstext->sadb_address_proto, 0);
3100 if (newbie->ipsa_unique_mask != (uint64_t)0)
3101 newbie->ipsa_flags |= IPSA_F_UNIQUE;
3104 (sadb_address_t *)ksi->ks_in_extv[SADB_X_EXT_ADDRESS_NATT_LOC],
3105 (sadb_address_t *)ksi->ks_in_extv[SADB_X_EXT_ADDRESS_NATT_REM],
3108 newbie->ipsa_type = samsg->sadb_msg_satype;
3110 ASSERT((assoc->sadb_sa_state == SADB_SASTATE_MATURE) ||
3111 (assoc->sadb_sa_state == SADB_X_SASTATE_ACTIVE_ELSEWHERE));
3112 newbie->ipsa_auth_alg = assoc->sadb_sa_auth;
3113 newbie->ipsa_encr_alg = assoc->sadb_sa_encrypt;
3115 newbie->ipsa_flags |= assoc->sadb_sa_flags;
3116 if (newbie->ipsa_flags & SADB_X_SAFLAGS_NATT_LOC &&
3117 ksi->ks_in_extv[SADB_X_EXT_ADDRESS_NATT_LOC] == NULL) {
3118 mutex_exit(&newbie->ipsa_lock);
3123 if (newbie->ipsa_flags & SADB_X_SAFLAGS_NATT_REM &&
3124 ksi->ks_in_extv[SADB_X_EXT_ADDRESS_NATT_REM] == NULL) {
3125 mutex_exit(&newbie->ipsa_lock);
3130 if (newbie->ipsa_flags & SADB_X_SAFLAGS_TUNNEL &&
3131 ksi->ks_in_extv[SADB_X_EXT_ADDRESS_INNER_SRC] == NULL) {
3132 mutex_exit(&newbie->ipsa_lock);
3143 if (ksi->ks_in_srctype != KS_IN_ADDR_UNSPEC)
3144 newbie->ipsa_replay_wsize = assoc->sadb_sa_replay;
3146 newbie->ipsa_replay_wsize = 0;
3148 newbie->ipsa_addtime = gethrestime_sec();
3151 newbie->ipsa_kmp = kmcext->sadb_x_kmc_proto;
3153 * Be liberal in what we receive. Special-case the IKEv1
3154 * cookie, which closed-source in.iked assumes is 32 bits.
3155 * Now that we store all 64 bits, we should pre-zero the
3156 * reserved field on behalf of closed-source in.iked.
3158 if (newbie->ipsa_kmp == SADB_X_KMP_IKE) {
3160 kmcext->sadb_x_kmc_reserved = 0;
3162 newbie->ipsa_kmc = kmcext->sadb_x_kmc_cookie64;
3168 * that seems impractical, especially in the larval-to-mature
3172 newbie->ipsa_softaddlt = soft->sadb_lifetime_addtime;
3173 newbie->ipsa_softuselt = soft->sadb_lifetime_usetime;
3174 newbie->ipsa_softbyteslt = soft->sadb_lifetime_bytes;
3175 newbie->ipsa_softalloc = soft->sadb_lifetime_allocations;
3179 newbie->ipsa_hardaddlt = hard->sadb_lifetime_addtime;
3180 newbie->ipsa_harduselt = hard->sadb_lifetime_usetime;
3181 newbie->ipsa_hardbyteslt = hard->sadb_lifetime_bytes;
3182 newbie->ipsa_hardalloc = hard->sadb_lifetime_allocations;
3186 newbie->ipsa_idleaddlt = idle->sadb_lifetime_addtime;
3187 newbie->ipsa_idleuselt = idle->sadb_lifetime_usetime;
3188 newbie->ipsa_idleexpiretime = newbie->ipsa_addtime +
3189 newbie->ipsa_idleaddlt;
3190 newbie->ipsa_idletime = newbie->ipsa_idleaddlt;
3193 newbie->ipsa_authtmpl = NULL;
3194 newbie->ipsa_encrtmpl = NULL;
3197 if (akey != NULL && newbie->ipsa_auth_alg != SADB_AALG_NONE) {
3201 async = (ipss->ipsec_algs_exec_mode[IPSEC_ALG_AUTH] ==
3204 newbie->ipsa_authkeybits = akey->sadb_key_bits;
3205 newbie->ipsa_authkeylen = SADB_1TO8(akey->sadb_key_bits);
3207 if ((akey->sadb_key_bits & 0x7) != 0)
3208 newbie->ipsa_authkeylen++;
3209 newbie->ipsa_authkey = kmem_alloc(newbie->ipsa_authkeylen,
3211 if (newbie->ipsa_authkey == NULL) {
3213 mutex_exit(&newbie->ipsa_lock);
3216 bcopy(akey + 1, newbie->ipsa_authkey, newbie->ipsa_authkeylen);
3217 bzero(akey + 1, newbie->ipsa_authkeylen);
3220 * Pre-initialize the kernel crypto framework key
3223 newbie->ipsa_kcfauthkey.ck_format = CRYPTO_KEY_RAW;
3224 newbie->ipsa_kcfauthkey.ck_length = newbie->ipsa_authkeybits;
3225 newbie->ipsa_kcfauthkey.ck_data = newbie->ipsa_authkey;
3227 rw_enter(&ipss->ipsec_alg_lock, RW_READER);
3228 alg = ipss->ipsec_alglists[IPSEC_ALG_AUTH]
3229 [newbie->ipsa_auth_alg];
3231 newbie->ipsa_amech.cm_type = alg->alg_mech_type;
3232 newbie->ipsa_amech.cm_param =
3233 (char *)&newbie->ipsa_mac_len;
3234 newbie->ipsa_amech.cm_param_len = sizeof (size_t);
3235 newbie->ipsa_mac_len = (size_t)alg->alg_datalen;
3237 newbie->ipsa_amech.cm_type = CRYPTO_MECHANISM_INVALID;
3240 rw_exit(&ipss->ipsec_alg_lock);
3242 mutex_exit(&newbie->ipsa_lock);
3257 rw_enter(&ipss->ipsec_alg_lock, RW_READER);
3258 async = async || (ipss->ipsec_algs_exec_mode[IPSEC_ALG_ENCR] ==
3260 alg = ipss->ipsec_alglists[IPSEC_ALG_ENCR]
3261 [newbie->ipsa_encr_alg];
3264 newbie->ipsa_emech.cm_type = alg->alg_mech_type;
3265 newbie->ipsa_datalen = alg->alg_datalen;
3266 if (alg->alg_flags & ALG_FLAG_COUNTERMODE)
3267 newbie->ipsa_flags |= IPSA_F_COUNTERMODE;
3269 if (alg->alg_flags & ALG_FLAG_COMBINED) {
3270 newbie->ipsa_flags |= IPSA_F_COMBINED;
3271 newbie->ipsa_mac_len = alg->alg_icvlen;
3274 if (alg->alg_flags & ALG_FLAG_CCM)
3275 newbie->ipsa_noncefunc = ccm_params_init;
3276 else if (alg->alg_flags & ALG_FLAG_GCM)
3277 newbie->ipsa_noncefunc = gcm_params_init;
3278 else newbie->ipsa_noncefunc = cbc_params_init;
3280 newbie->ipsa_saltlen = alg->alg_saltlen;
3281 newbie->ipsa_saltbits = SADB_8TO1(newbie->ipsa_saltlen);
3282 newbie->ipsa_iv_len = alg->alg_ivlen;
3283 newbie->ipsa_nonce_len = newbie->ipsa_saltlen +
3284 newbie->ipsa_iv_len;
3285 newbie->ipsa_emech.cm_param = NULL;
3286 newbie->ipsa_emech.cm_param_len = 0;
3288 newbie->ipsa_emech.cm_type = CRYPTO_MECHANISM_INVALID;
3290 rw_exit(&ipss->ipsec_alg_lock);
3309 newbie->ipsa_encrkeybits = ekey->sadb_key_bits;
3310 newbie->ipsa_encrkeybits -= ekey->sadb_key_reserved;
3311 newbie->ipsa_encrkeybits -= newbie->ipsa_saltbits;
3312 newbie->ipsa_encrkeylen = SADB_1TO8(newbie->ipsa_encrkeybits);
3315 if ((ekey->sadb_key_bits & 0x7) != 0)
3316 newbie->ipsa_encrkeylen++;
3318 newbie->ipsa_encrkey = kmem_alloc(newbie->ipsa_encrkeylen,
3320 if (newbie->ipsa_encrkey == NULL) {
3322 mutex_exit(&newbie->ipsa_lock);
3327 bcopy(buf_ptr, newbie->ipsa_encrkey, newbie->ipsa_encrkeylen);
3329 if (newbie->ipsa_flags & IPSA_F_COMBINED) {
3339 newbie->ipsa_nonce_buf = kmem_alloc(
3341 if (newbie->ipsa_nonce_buf == NULL) {
3343 mutex_exit(&newbie->ipsa_lock);
3354 newbie->ipsa_iv = &newbie->ipsa_nonce_buf->iv;
3355 newbie->ipsa_salt = (uint8_t *)newbie->ipsa_nonce_buf;
3356 newbie->ipsa_nonce = newbie->ipsa_salt;
3357 if (newbie->ipsa_saltlen != 0) {
3358 salt_offset = MAXSALTSIZE -
3359 newbie->ipsa_saltlen;
3360 newbie->ipsa_salt = (uint8_t *)
3361 &newbie->ipsa_nonce_buf->salt[salt_offset];
3362 newbie->ipsa_nonce = newbie->ipsa_salt;
3363 buf_ptr += newbie->ipsa_encrkeylen;
3364 bcopy(buf_ptr, newbie->ipsa_salt,
3365 newbie->ipsa_saltlen);
3377 if (ekey->sadb_key_reserved != 0) {
3378 buf_ptr += newbie->ipsa_saltlen;
3379 bcopy(buf_ptr, (uint8_t *)newbie->
3380 ipsa_iv, SADB_1TO8(ekey->
3384 (uint8_t *)newbie->ipsa_iv,
3385 newbie->ipsa_iv_len);
3387 newbie->ipsa_iv_softexpire =
3388 (*newbie->ipsa_iv) << 9;
3389 newbie->ipsa_iv_hardexpire = *newbie->ipsa_iv;
3392 bzero((ekey + 1), SADB_1TO8(ekey->sadb_key_bits));
3395 * Pre-initialize the kernel crypto framework key
3398 newbie->ipsa_kcfencrkey.ck_format = CRYPTO_KEY_RAW;
3399 newbie->ipsa_kcfencrkey.ck_length = newbie->ipsa_encrkeybits;
3400 newbie->ipsa_kcfencrkey.ck_data = newbie->ipsa_encrkey;
3402 rw_enter(&ipss->ipsec_alg_lock, RW_READER);
3404 rw_exit(&ipss->ipsec_alg_lock);
3406 mutex_exit(&newbie->ipsa_lock);
3414 newbie->ipsa_flags |= IPSA_F_ASYNC;
3419 if (newbie->ipsa_type == SADB_SATYPE_ESP)
3423 ASSERT(newbie->ipsa_output_func != NULL &&
3424 newbie->ipsa_input_func != NULL);
3429 if (ksi->ks_in_extv[SADB_EXT_IDENTITY_SRC] != NULL) {
3431 (sadb_ident_t *)ksi->ks_in_extv[SADB_EXT_IDENTITY_SRC];
3437 newbie->ipsa_src_cid = ipsid_lookup(id->sadb_ident_type,
3439 if (newbie->ipsa_src_cid == NULL) {
3441 mutex_exit(&newbie->ipsa_lock);
3446 if (ksi->ks_in_extv[SADB_EXT_IDENTITY_DST] != NULL) {
3448 (sadb_ident_t *)ksi->ks_in_extv[SADB_EXT_IDENTITY_DST];
3454 newbie->ipsa_dst_cid = ipsid_lookup(id->sadb_ident_type,
3456 if (newbie->ipsa_dst_cid == NULL) {
3458 mutex_exit(&newbie->ipsa_lock);
3471 newbie->ipsa_tsl = sadb_label_from_sens(sens, bitmap);
3487 newbie->ipsa_mac_exempt = CONN_MAC_DEFAULT;
3489 if (osens->sadb_x_sens_flags & SADB_X_SENS_IMPLICIT) {
3490 newbie->ipsa_mac_exempt = CONN_MAC_IMPLICIT;
3495 newbie->ipsa_mac_exempt, B_TRUE, &effective_tsl);
3498 mutex_exit(&newbie->ipsa_lock);
3507 newbie->ipsa_otsl = tsl;
3511 zoneid = zone->zone_id;
3518 if (ipst->ips_netstack->netstack_stackid != GLOBAL_NETSTACKID)
3524 newbie->ipsa_opt_storage, ipst);
3527 *peer_addr_ptr, newbie->ipsa_opt_storage, ipst);
3530 mutex_exit(&newbie->ipsa_lock);
3537 if ((replayext->sadb_x_rc_replay32 == 0) &&
3538 (replayext->sadb_x_rc_replay64 != 0)) {
3541 mutex_exit(&newbie->ipsa_lock);
3544 newbie->ipsa_replay = replayext->sadb_x_rc_replay32;
3548 newbie->ipsa_state = assoc->sadb_sa_state;
3551 newbie->ipsa_haspeer = B_TRUE;
3561 mutex_exit(&newbie->ipsa_lock);
3581 mutex_enter(&primary->isaf_lock);
3582 mutex_enter(&secondary->isaf_lock);
3585 mutex_enter(&secondary->isaf_lock);
3586 mutex_enter(&primary->isaf_lock);
3601 ASSERT(newbie->ipsa_linklock == &primary->isaf_lock ||
3602 newbie->ipsa_linklock == &secondary->isaf_lock);
3606 mutex_enter(&newbie->ipsa_lock);
3608 mutex_exit(&newbie->ipsa_lock);
3621 mutex_enter(&newbie_clone->ipsa_lock);
3623 mutex_exit(&newbie_clone->ipsa_lock);
3632 scratch = ipsec_getassocbyspi(secondary, newbie->ipsa_spi,
3633 ALL_ZEROES_PTR, newbie->ipsa_dstaddr, af);
3645 ASSERT(MUTEX_NOT_HELD(&newbie->ipsa_lock));
3647 (MUTEX_NOT_HELD(&newbie_clone->ipsa_lock)));
3655 mutex_exit(&secondary->isaf_lock);
3656 mutex_exit(&primary->isaf_lock);
3686 mutex_enter(&newbie->ipsa_lock);
3687 newbie->ipsa_state = IPSA_STATE_DEAD;
3688 newbie->ipsa_hardexpiretime = 1;
3689 mutex_exit(&newbie->ipsa_lock);
3705 assoc->sadb_sa_flags = newbie->ipsa_flags;
3722 mutex_enter(&assoc->ipsa_lock);
3723 assoc->ipsa_lastuse = snapshot;
3724 assoc->ipsa_idleexpiretime = snapshot + assoc->ipsa_idletime;
3728 * double-checking is better than a mutex_enter/exit hit.
3730 if (assoc->ipsa_usetime == 0) {
3736 assoc->ipsa_flags |= IPSA_F_USED;
3737 assoc->ipsa_usetime = snapshot;
3746 mutex_exit(&assoc->ipsa_lock);
3763 ASSERT(MUTEX_HELD(&assoc->ipsa_lock));
3780 af = assoc->ipsa_addrfam;
3796 tunnel_mode = (assoc->ipsa_flags & IPSA_F_TUNNEL);
3799 switch (assoc->ipsa_innerfam) {
3815 mp->b_cont = allocb(alloclen, BPRI_HI);
3816 if (mp->b_cont == NULL) {
3824 mp = mp->b_cont;
3825 end = mp->b_wptr + alloclen;
3827 samsg = (sadb_msg_t *)mp->b_wptr;
3828 mp->b_wptr += sizeof (*samsg);
3829 samsg->sadb_msg_version = PF_KEY_V2;
3830 samsg->sadb_msg_type = SADB_EXPIRE;
3831 samsg->sadb_msg_errno = 0;
3832 samsg->sadb_msg_satype = assoc->ipsa_type;
3833 samsg->sadb_msg_len = SADB_8TO64(alloclen);
3834 samsg->sadb_msg_reserved = 0;
3835 samsg->sadb_msg_seq = 0;
3836 samsg->sadb_msg_pid = 0;
3838 saext = (sadb_sa_t *)mp->b_wptr;
3839 mp->b_wptr += sizeof (*saext);
3840 saext->sadb_sa_len = SADB_8TO64(sizeof (*saext));
3841 saext->sadb_sa_exttype = SADB_EXT_SA;
3842 saext->sadb_sa_spi = assoc->ipsa_spi;
3843 saext->sadb_sa_replay = assoc->ipsa_replay_wsize;
3844 saext->sadb_sa_state = assoc->ipsa_state;
3845 saext->sadb_sa_auth = assoc->ipsa_auth_alg;
3846 saext->sadb_sa_encrypt = assoc->ipsa_encr_alg;
3847 saext->sadb_sa_flags = assoc->ipsa_flags;
3849 current = (sadb_lifetime_t *)mp->b_wptr;
3850 mp->b_wptr += sizeof (sadb_lifetime_t);
3851 current->sadb_lifetime_len = SADB_8TO64(sizeof (*current));
3852 current->sadb_lifetime_exttype = SADB_EXT_LIFETIME_CURRENT;
3854 current->sadb_lifetime_allocations = 0;
3855 current->sadb_lifetime_bytes = assoc->ipsa_bytes;
3856 current->sadb_lifetime_addtime = assoc->ipsa_addtime;
3857 current->sadb_lifetime_usetime = assoc->ipsa_usetime;
3859 expire = (sadb_lifetime_t *)mp->b_wptr;
3860 mp->b_wptr += sizeof (*expire);
3861 expire->sadb_lifetime_len = SADB_8TO64(sizeof (*expire));
3863 if (assoc->ipsa_state == IPSA_STATE_DEAD) {
3864 expire->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD;
3865 expire->sadb_lifetime_allocations = assoc->ipsa_hardalloc;
3866 expire->sadb_lifetime_bytes = assoc->ipsa_hardbyteslt;
3867 expire->sadb_lifetime_addtime = assoc->ipsa_hardaddlt;
3868 expire->sadb_lifetime_usetime = assoc->ipsa_harduselt;
3869 } else if (assoc->ipsa_state == IPSA_STATE_DYING) {
3870 expire->sadb_lifetime_exttype = SADB_EXT_LIFETIME_SOFT;
3871 expire->sadb_lifetime_allocations = assoc->ipsa_softalloc;
3872 expire->sadb_lifetime_bytes = assoc->ipsa_softbyteslt;
3873 expire->sadb_lifetime_addtime = assoc->ipsa_softaddlt;
3874 expire->sadb_lifetime_usetime = assoc->ipsa_softuselt;
3876 ASSERT(assoc->ipsa_state == IPSA_STATE_MATURE);
3877 expire->sadb_lifetime_exttype = SADB_X_EXT_LIFETIME_IDLE;
3878 expire->sadb_lifetime_allocations = 0;
3879 expire->sadb_lifetime_bytes = 0;
3880 expire->sadb_lifetime_addtime = assoc->ipsa_idleaddlt;
3881 expire->sadb_lifetime_usetime = assoc->ipsa_idleuselt;
3884 mp->b_wptr = sadb_make_addr_ext(mp->b_wptr, end, SADB_EXT_ADDRESS_SRC,
3885 af, assoc->ipsa_srcaddr, tunnel_mode ? 0 : SA_SRCPORT(assoc),
3887 ASSERT(mp->b_wptr != NULL);
3889 mp->b_wptr = sadb_make_addr_ext(mp->b_wptr, end, SADB_EXT_ADDRESS_DST,
3890 af, assoc->ipsa_dstaddr, tunnel_mode ? 0 : SA_DSTPORT(assoc),
3892 ASSERT(mp->b_wptr != NULL);
3895 mp->b_wptr = sadb_make_addr_ext(mp->b_wptr, end,
3896 SADB_X_EXT_ADDRESS_INNER_SRC, assoc->ipsa_innerfam,
3897 assoc->ipsa_innersrc, SA_SRCPORT(assoc), SA_IPROTO(assoc),
3898 assoc->ipsa_innersrcpfx);
3899 ASSERT(mp->b_wptr != NULL);
3900 mp->b_wptr = sadb_make_addr_ext(mp->b_wptr, end,
3901 SADB_X_EXT_ADDRESS_INNER_DST, assoc->ipsa_innerfam,
3902 assoc->ipsa_innerdst, SA_DSTPORT(assoc), SA_IPROTO(assoc),
3903 assoc->ipsa_innerdstpfx);
3904 ASSERT(mp->b_wptr != NULL);
3907 mp->b_wptr = sadb_make_kmc_ext(mp->b_wptr, end, assoc->ipsa_kmp,
3908 assoc->ipsa_kmc);
3909 ASSERT(mp->b_wptr != NULL);
3929 mutex_enter(&assoc->ipsa_lock);
3930 newtotal = assoc->ipsa_bytes + bytes;
3931 if (assoc->ipsa_hardbyteslt != 0 &&
3932 newtotal >= assoc->ipsa_hardbyteslt) {
3933 if (assoc->ipsa_state != IPSA_STATE_DEAD) {
3937 * this off on another non-interrupt thread. Also
3940 assoc->ipsa_state = IPSA_STATE_DEAD;
3944 * Set non-zero expiration time so sadb_age_assoc()
3947 assoc->ipsa_hardexpiretime = (time_t)1;
3950 } else if (assoc->ipsa_softbyteslt != 0 &&
3951 (newtotal >= assoc->ipsa_softbyteslt)) {
3952 if (assoc->ipsa_state < IPSA_STATE_DYING) {
3955 * this off on another non-interrupt thread.
3957 assoc->ipsa_state = IPSA_STATE_DYING;
3958 assoc->ipsa_bytes = newtotal;
3964 assoc->ipsa_bytes = newtotal;
3965 mutex_exit(&assoc->ipsa_lock);
3970 * "Torch" an individual SA. Returns NULL, so it can be tail-called from
3976 ASSERT(MUTEX_HELD(&head->isaf_lock));
3977 ASSERT(MUTEX_HELD(&sa->ipsa_lock));
3978 ASSERT(sa->ipsa_state == IPSA_STATE_DEAD);
3983 head->isaf_gen++;
3985 mutex_exit(&sa->ipsa_lock);
3992 * Do various SA-is-idle activities depending on delta (the number of idle
4002 ipsecesp_stack_t *espstack = assoc->ipsa_netstack->netstack_ipsecesp;
4003 int nat_t_interval = espstack->ipsecesp_nat_keepalive_interval;
4005 ASSERT(MUTEX_HELD(&assoc->ipsa_lock));
4007 if (!inbound && (assoc->ipsa_flags & IPSA_F_NATT_LOC) &&
4009 gethrestime_sec() - assoc->ipsa_last_nat_t_ka >= nat_t_interval) {
4010 ASSERT(assoc->ipsa_type == SADB_SATYPE_ESP);
4011 assoc->ipsa_last_nat_t_ka = gethrestime_sec();
4012 mutex_exit(&assoc->ipsa_lock);
4030 ASSERT(MUTEX_HELD(&head->isaf_lock));
4032 mutex_enter(&assoc->ipsa_lock);
4034 if (((assoc->ipsa_state == IPSA_STATE_LARVAL) ||
4035 ((assoc->ipsa_state == IPSA_STATE_IDLE) ||
4036 (assoc->ipsa_state == IPSA_STATE_ACTIVE_ELSEWHERE) &&
4037 (assoc->ipsa_hardexpiretime != 0))) &&
4038 (assoc->ipsa_hardexpiretime <= current)) {
4039 assoc->ipsa_state = IPSA_STATE_DEAD;
4051 if (assoc->ipsa_hardexpiretime != 0 &&
4052 assoc->ipsa_hardexpiretime <= current) {
4053 if (assoc->ipsa_state == IPSA_STATE_DEAD)
4063 assoc->ipsa_state = IPSA_STATE_DEAD;
4064 if (assoc->ipsa_haspeer || assoc->ipsa_otherspi != 0) {
4079 assoc->ipsa_hardexpiretime = current + reap_delay;
4080 } else if (assoc->ipsa_softexpiretime != 0 &&
4081 assoc->ipsa_softexpiretime <= current &&
4082 assoc->ipsa_state < IPSA_STATE_DYING) {
4085 * this off on another non-interrupt thread.
4087 assoc->ipsa_state = IPSA_STATE_DYING;
4088 if (assoc->ipsa_haspeer) {
4105 } else if (assoc->ipsa_idletime != 0 &&
4106 assoc->ipsa_idleexpiretime <= current) {
4107 if (assoc->ipsa_state == IPSA_STATE_ACTIVE_ELSEWHERE) {
4108 assoc->ipsa_state = IPSA_STATE_IDLE;
4114 if (assoc->ipsa_state == IPSA_STATE_MATURE) {
4120 current - assoc->ipsa_lastuse, inbound);
4124 mutex_exit(&assoc->ipsa_lock);
4158 for (i = 0; i < sp->sdb_hashsize; i++) {
4159 acqlist = &sp->sdb_acq[i];
4160 mutex_enter(&acqlist->iacqf_lock);
4161 for (acqrec = acqlist->iacqf_ipsacq; acqrec != NULL;
4163 spareacq = acqrec->ipsacq_next;
4164 if (current > acqrec->ipsacq_expire)
4167 mutex_exit(&acqlist->iacqf_lock);
4171 for (i = 0; i < sp->sdb_hashsize; i++) {
4172 bucket = &(sp->sdb_if[i]);
4173 mutex_enter(&bucket->isaf_lock);
4174 for (assoc = bucket->isaf_ipsa; assoc != NULL;
4176 spare = assoc->ipsa_next;
4196 newbie->next = haspeerlist;
4197 newbie->ipsa = assoc;
4201 mutex_exit(&bucket->isaf_lock);
4208 for (i = 0; i < sp->sdb_hashsize; i++) {
4209 bucket = &(sp->sdb_of[i]);
4210 mutex_enter(&bucket->isaf_lock);
4211 for (assoc = bucket->isaf_ipsa; assoc != NULL;
4213 spare = assoc->ipsa_next;
4229 newbie->next = haspeerlist;
4230 newbie->ipsa = assoc;
4234 mutex_exit(&bucket->isaf_lock);
4259 if ((end - begin) > MSEC2NSEC(interval)) {
4270 } else if ((end - begin) <= (MSEC2NSEC(interval) / 2) &&
4281 * the interval will only self-lower back to the default.
4301 mutex_enter(&assoc->ipsa_lock);
4310 if (hard->sadb_lifetime_bytes != 0)
4311 assoc->ipsa_hardbyteslt = hard->sadb_lifetime_bytes;
4312 if (hard->sadb_lifetime_usetime != 0)
4313 assoc->ipsa_harduselt = hard->sadb_lifetime_usetime;
4314 if (hard->sadb_lifetime_addtime != 0)
4315 assoc->ipsa_hardaddlt = hard->sadb_lifetime_addtime;
4316 if (assoc->ipsa_hardaddlt != 0) {
4317 assoc->ipsa_hardexpiretime =
4318 assoc->ipsa_addtime + assoc->ipsa_hardaddlt;
4320 if (assoc->ipsa_harduselt != 0 &&
4321 assoc->ipsa_flags & IPSA_F_USED) {
4324 if (hard->sadb_lifetime_allocations != 0)
4325 assoc->ipsa_hardalloc = hard->sadb_lifetime_allocations;
4329 if (soft->sadb_lifetime_bytes != 0) {
4330 if (soft->sadb_lifetime_bytes >
4331 assoc->ipsa_hardbyteslt) {
4332 assoc->ipsa_softbyteslt =
4333 assoc->ipsa_hardbyteslt;
4335 assoc->ipsa_softbyteslt =
4336 soft->sadb_lifetime_bytes;
4339 if (soft->sadb_lifetime_usetime != 0) {
4340 if (soft->sadb_lifetime_usetime >
4341 assoc->ipsa_harduselt) {
4342 assoc->ipsa_softuselt =
4343 assoc->ipsa_harduselt;
4345 assoc->ipsa_softuselt =
4346 soft->sadb_lifetime_usetime;
4349 if (soft->sadb_lifetime_addtime != 0) {
4350 if (soft->sadb_lifetime_addtime >
4351 assoc->ipsa_hardexpiretime) {
4352 assoc->ipsa_softexpiretime =
4353 assoc->ipsa_hardexpiretime;
4355 assoc->ipsa_softaddlt =
4356 soft->sadb_lifetime_addtime;
4359 if (assoc->ipsa_softaddlt != 0) {
4360 assoc->ipsa_softexpiretime =
4361 assoc->ipsa_addtime + assoc->ipsa_softaddlt;
4363 if (assoc->ipsa_softuselt != 0 &&
4364 assoc->ipsa_flags & IPSA_F_USED) {
4367 if (outbound && assoc->ipsa_softexpiretime != 0) {
4368 if (assoc->ipsa_state == IPSA_STATE_MATURE)
4372 if (soft->sadb_lifetime_allocations != 0)
4373 assoc->ipsa_softalloc = soft->sadb_lifetime_allocations;
4378 if ((assoc->ipsa_idleexpiretime <= current) &&
4379 (assoc->ipsa_idleaddlt == idle->sadb_lifetime_addtime)) {
4380 assoc->ipsa_idleexpiretime =
4381 current + assoc->ipsa_idleaddlt;
4383 if (idle->sadb_lifetime_addtime != 0)
4384 assoc->ipsa_idleaddlt = idle->sadb_lifetime_addtime;
4385 if (idle->sadb_lifetime_usetime != 0)
4386 assoc->ipsa_idleuselt = idle->sadb_lifetime_usetime;
4387 if (assoc->ipsa_idleaddlt != 0) {
4388 assoc->ipsa_idleexpiretime =
4389 current + idle->sadb_lifetime_addtime;
4390 assoc->ipsa_idletime = idle->sadb_lifetime_addtime;
4392 if (assoc->ipsa_idleuselt != 0) {
4393 if (assoc->ipsa_idletime != 0) {
4394 assoc->ipsa_idletime = min(assoc->ipsa_idletime,
4395 assoc->ipsa_idleuselt);
4396 assoc->ipsa_idleexpiretime =
4397 current + assoc->ipsa_idletime;
4399 assoc->ipsa_idleexpiretime =
4400 current + assoc->ipsa_idleuselt;
4401 assoc->ipsa_idletime = assoc->ipsa_idleuselt;
4405 mutex_exit(&assoc->ipsa_lock);
4414 mutex_enter(&assoc->ipsa_lock);
4418 if (assoc->ipsa_state == SADB_X_SASTATE_IDLE) {
4419 assoc->ipsa_state = IPSA_STATE_ACTIVE_ELSEWHERE;
4420 assoc->ipsa_idleexpiretime =
4421 current + assoc->ipsa_idletime;
4425 if (assoc->ipsa_state == SADB_X_SASTATE_ACTIVE_ELSEWHERE) {
4426 assoc->ipsa_state = IPSA_STATE_IDLE;
4427 assoc->ipsa_idleexpiretime =
4428 current + assoc->ipsa_idletime;
4435 if (assoc->ipsa_state != SADB_X_SASTATE_IDLE) {
4439 assoc->ipsa_state = IPSA_STATE_MATURE;
4440 assoc->ipsa_idleexpiretime = current + assoc->ipsa_idletime;
4446 if (assoc->ipsa_bpkt_head != NULL) {
4447 *ipkt_lst = assoc->ipsa_bpkt_head;
4448 assoc->ipsa_bpkt_head = assoc->ipsa_bpkt_tail = NULL;
4449 assoc->ipsa_mblkcnt = 0;
4459 mutex_exit(&assoc->ipsa_lock);
4469 uint32_t kmp = sq->kmp;
4470 uint64_t kmc = sq->kmc;
4475 if (sa->ipsa_state == IPSA_STATE_DEAD)
4478 if ((kmp != 0) && (sa->ipsa_kmp != 0) && (sa->ipsa_kmp != kmp)) {
4484 if ((kmp != SADB_X_KMP_IKEV2) && (kmc != 0) && (sa->ipsa_kmc != 0) &&
4485 (sa->ipsa_kmc != kmc)) {
4499 uint32_t kmp = sq->kmp;
4500 uint64_t kmc = sq->kmc;
4503 sa->ipsa_kmp = kmp;
4505 sa->ipsa_kmc = kmc;
4518 sadb_key_t *akey = (sadb_key_t *)ksi->ks_in_extv[SADB_EXT_KEY_AUTH];
4519 sadb_key_t *ekey = (sadb_key_t *)ksi->ks_in_extv[SADB_EXT_KEY_ENCRYPT];
4521 (sadb_x_replay_ctr_t *)ksi->ks_in_extv[SADB_X_EXT_REPLAY_VALUE];
4523 (sadb_lifetime_t *)ksi->ks_in_extv[SADB_EXT_LIFETIME_SOFT];
4525 (sadb_lifetime_t *)ksi->ks_in_extv[SADB_EXT_LIFETIME_HARD];
4527 (sadb_lifetime_t *)ksi->ks_in_extv[SADB_X_EXT_LIFETIME_IDLE];
4529 (sadb_x_pair_t *)ksi->ks_in_extv[SADB_X_EXT_PAIR];
4549 if (ipsapp.ipsap_sa_ptr->ipsa_state == IPSA_STATE_LARVAL) {
4574 if (sq.assoc->sadb_sa_state == SADB_X_SASTATE_ACTIVE_ELSEWHERE) {
4576 ipsapp.ipsap_sa_ptr->ipsa_state == IPSA_STATE_IDLE) {
4578 sq.assoc->sadb_sa_state, NULL)) != 0) {
4584 ipsapp.ipsap_psa_ptr->ipsa_state == IPSA_STATE_IDLE) {
4586 sq.assoc->sadb_sa_state, NULL)) != 0) {
4592 if (sq.assoc->sadb_sa_state == SADB_X_SASTATE_ACTIVE) {
4595 sq.assoc->sadb_sa_state,
4596 (ipsapp.ipsap_sa_ptr->ipsa_flags &
4605 sq.assoc->sadb_sa_state,
4606 (ipsapp.ipsap_psa_ptr->ipsa_flags &
4613 sadb_pfkey_echo(pfkey_q, mp, (sadb_msg_t *)mp->b_cont->b_rptr,
4620 * Sundry first-pass UPDATE-specific reality checks.
4625 if (!((sq.assoc->sadb_sa_state == SADB_SASTATE_MATURE) ||
4626 (sq.assoc->sadb_sa_state == SADB_X_SASTATE_ACTIVE_ELSEWHERE))) {
4631 if (sq.assoc->sadb_sa_flags & ~spp->s_updateflags) {
4636 if (ksi->ks_in_extv[SADB_EXT_LIFETIME_CURRENT] != NULL) {
4665 ((ipsapp.ipsap_sa_ptr->ipsa_state == IPSA_STATE_LARVAL) ||
4666 (ipsapp.ipsap_sa_ptr->ipsa_state == IPSA_STATE_MATURE))) {
4679 (ipsapp.ipsap_sa_ptr->ipsa_replay_wsize != 0)) {
4684 if (ksi->ks_in_dsttype == KS_IN_ADDR_ME) {
4686 replext->sadb_x_rc_replay32)) {
4692 mutex_enter(&ipsapp.ipsap_sa_ptr->ipsa_lock);
4693 ipsapp.ipsap_sa_ptr->ipsa_idleexpiretime =
4695 ipsapp.ipsap_sa_ptr->ipsa_idletime;
4696 mutex_exit(&ipsapp.ipsap_sa_ptr->ipsa_lock);
4698 mutex_enter(&ipsapp.ipsap_sa_ptr->ipsa_lock);
4699 ipsapp.ipsap_sa_ptr->ipsa_replay =
4700 replext->sadb_x_rc_replay32;
4701 ipsapp.ipsap_sa_ptr->ipsa_idleexpiretime =
4703 ipsapp.ipsap_sa_ptr->ipsa_idletime;
4704 mutex_exit(&ipsapp.ipsap_sa_ptr->ipsa_lock);
4725 sadb_pfkey_echo(pfkey_q, mp, (sadb_msg_t *)mp->b_cont->b_rptr,
4739 sadb_sa_t *assoc = (sadb_sa_t *)ksi->ks_in_extv[SADB_EXT_SA];
4741 (sadb_x_pair_t *)ksi->ks_in_extv[SADB_X_EXT_PAIR];
4747 if (pair_ext->sadb_x_pair_spi == 0 || pair_ext->sadb_x_pair_spi ==
4748 assoc->sadb_sa_spi) {
4760 mutex_enter(&ipsapp->ipsap_sa_ptr->ipsa_lock);
4761 ipsapp->ipsap_sa_ptr->ipsa_flags |= IPSA_F_PAIRED;
4762 ipsapp->ipsap_sa_ptr->ipsa_otherspi = pair_ext->sadb_x_pair_spi;
4763 mutex_exit(&ipsapp->ipsap_sa_ptr->ipsa_lock);
4787 ipsa_flags = oipsapp.ipsap_psa_ptr->ipsa_flags;
4788 if ((oipsapp.ipsap_psa_ptr->ipsa_state == IPSA_STATE_DEAD) ||
4789 (oipsapp.ipsap_psa_ptr->ipsa_state == IPSA_STATE_DYING)) {
4807 mutex_enter(&ipsapp->ipsap_sa_ptr->ipsa_lock);
4808 ipsapp->ipsap_sa_ptr->ipsa_flags &= ~IPSA_F_PAIRED;
4809 ipsapp->ipsap_sa_ptr->ipsa_otherspi = 0;
4810 mutex_exit(&ipsapp->ipsap_sa_ptr->ipsa_lock);
4812 mutex_enter(&oipsapp.ipsap_psa_ptr->ipsa_lock);
4813 oipsapp.ipsap_psa_ptr->ipsa_otherspi = assoc->sadb_sa_spi;
4814 oipsapp.ipsap_psa_ptr->ipsa_flags |= IPSA_F_PAIRED;
4815 mutex_exit(&oipsapp.ipsap_psa_ptr->ipsa_lock);
4826 * and an SADB_ACQUIRE message is sent up. Presumably, a user-space key
4857 for (walker = bucket->iacqf_ipsacq; walker != NULL;
4858 walker = walker->ipsacq_next) {
4859 mutex_enter(&walker->ipsacq_lock);
4860 fam = walker->ipsacq_addrfam;
4861 if (IPSA_ARE_ADDR_EQUAL(dst, walker->ipsacq_dstaddr, fam) &&
4862 IPSA_ARE_ADDR_EQUAL(src, walker->ipsacq_srcaddr, fam) &&
4863 ip_addr_match((uint8_t *)isrc, walker->ipsacq_innersrcpfx,
4864 (in6_addr_t *)walker->ipsacq_innersrc) &&
4865 ip_addr_match((uint8_t *)idst, walker->ipsacq_innerdstpfx,
4866 (in6_addr_t *)walker->ipsacq_innerdst) &&
4867 (ap == walker->ipsacq_act) &&
4868 (pp == walker->ipsacq_policy) &&
4870 (unique_id == walker->ipsacq_unique_id) &&
4871 (ipsec_label_match(tsl, walker->ipsacq_tsl)))
4873 mutex_exit(&walker->ipsacq_lock);
4881 * In other words, this will return, upon success, a two-mblk chain.
4892 mp->b_cont = allocb(sizeof (sadb_msg_t), BPRI_HI);
4893 if (mp->b_cont == NULL) {
4898 samsg = (sadb_msg_t *)mp->b_cont->b_rptr;
4899 mp->b_cont->b_wptr += sizeof (*samsg);
4900 samsg->sadb_msg_version = PF_KEY_V2;
4901 samsg->sadb_msg_type = SADB_ACQUIRE;
4902 samsg->sadb_msg_errno = 0;
4903 samsg->sadb_msg_reserved = 0;
4904 samsg->sadb_msg_satype = satype;
4905 samsg->sadb_msg_seq = seq;
4906 samsg->sadb_msg_pid = pid;
4916 sadb_acquire_msg_common(ipsec_selector_t *sel, ipsec_policy_t *pp, argument
4936 ap = pp->ipsp_act;
4942 * Biggest-case scenario:
4945 * (COMING SOON, 6x, because of triggering-packet contents.)
4956 senslen = SADB_64TO8(sens->sadb_sens_len);
4971 start = mp->b_rptr;
4976 * Address extensions first, from most-recently-defined to least.
4993 ipsl = &(pp->ipsp_sel->ipsl_key);
4994 if (ipsl->ipsl_valid & IPSL_IPV4) {
4996 ASSERT(sel->ips_protocol == IPPROTO_ENCAP);
4997 ASSERT(!(ipsl->ipsl_valid & IPSL_IPV6));
5000 ASSERT(sel->ips_protocol == IPPROTO_IPV6);
5001 ASSERT(ipsl->ipsl_valid & IPSL_IPV6);
5004 if (ipsl->ipsl_valid & IPSL_LOCAL_ADDR) {
5005 saddrptr = (uint32_t *)(&ipsl->ipsl_local);
5006 pfxlen = ipsl->ipsl_local_pfxlen;
5012 lport = (ipsl->ipsl_valid & IPSL_LOCAL_PORT) ?
5013 ipsl->ipsl_lport : 0;
5014 proto = (ipsl->ipsl_valid & IPSL_PROTOCOL) ?
5015 ipsl->ipsl_proto : 0;
5024 if (ipsl->ipsl_valid & IPSL_REMOTE_ADDR) {
5025 daddrptr = (uint32_t *)(&ipsl->ipsl_remote);
5026 pfxlen = ipsl->ipsl_remote_pfxlen;
5032 rport = (ipsl->ipsl_valid & IPSL_REMOTE_PORT) ?
5033 ipsl->ipsl_rport : 0;
5042 * TODO - if we go to 3884's dream of transport mode IP-in-IP
5043 * _with_ inner-packet address selectors, we'll need to further
5047 * Meanwhile, whack proto/ports to reflect IP-in-IP for the
5050 proto = sel->ips_protocol; /* Either _ENCAP or _IPV6 */
5052 } else if ((ap != NULL) && (!ap->ipa_want_unique)) {
5060 ipsl = &(pp->ipsp_sel->ipsl_key);
5061 if (ipsl->ipsl_valid & IPSL_PROTOCOL)
5062 proto = ipsl->ipsl_proto;
5063 if (ipsl->ipsl_valid & IPSL_REMOTE_PORT)
5064 rport = ipsl->ipsl_rport;
5065 if (ipsl->ipsl_valid & IPSL_LOCAL_PORT)
5066 lport = ipsl->ipsl_lport;
5070 * For require-unique-SA policies.
5072 proto = sel->ips_protocol;
5073 lport = sel->ips_local_port;
5074 rport = sel->ips_remote_port;
5078 * Regular addresses. These are outer-packet ones for tunnel mode.
5081 af = sel->ips_isv4 ? AF_INET : AF_INET6;
5088 (uint32_t *)(&sel->ips_local_addr_v6), lport, proto, 0);
5095 (uint32_t *)(&sel->ips_remote_addr_v6), rport, proto, 0);
5109 /* Explicit sadb_sens_t, usually from inverse-ACQUIRE. */
5122 mp->b_wptr = cur;
5133 ipsec_stack_t *ipss = ns->netstack_ipsec;
5134 ipsecesp_stack_t *espstack = ns->netstack_ipsecesp;
5135 ipsecah_stack_t *ahstack = ns->netstack_ipsecah;
5151 rw_enter(&ipss->ipsec_alg_lock, RW_READER);
5155 if (espstack->esp_kstats == NULL)
5158 num_aalgs = ipss->ipsec_nalgs[IPSEC_ALG_AUTH];
5159 num_ealgs = ipss->ipsec_nalgs[IPSEC_ALG_ENCR];
5162 num_aalgs++; /* No-auth or self-auth-crypto ESP. */
5166 replay = espstack->ipsecesp_replay_size;
5168 if (ahstack->ah_kstats == NULL)
5171 ncombs = ipss->ipsec_nalgs[IPSEC_ALG_AUTH];
5175 replay = ahstack->ipsecah_replay_size;
5183 prop = (sadb_prop_t *)mp->b_rptr;
5184 mp->b_wptr += sizeof (*prop);
5185 comb = (sadb_comb_t *)mp->b_wptr;
5187 allocsize -= sizeof (*prop);
5188 prop->sadb_prop_exttype = SADB_EXT_PROPOSAL;
5189 prop->sadb_prop_len = SADB_8TO64(sizeof (*prop));
5190 *(uint32_t *)(&prop->sadb_prop_replay) = 0; /* Quick zero-out! */
5191 prop->sadb_prop_replay = replay;
5194 * Based upon algorithm properties, and what-not, prioritize a
5204 for (walker = ap; walker != NULL; walker = walker->ipa_next) {
5208 if (walker->ipa_act.ipa_type != IPSEC_POLICY_APPLY)
5211 prot = &walker->ipa_act.ipa_apply;
5212 if (walker->ipa_act.ipa_apply.ipp_km_proto != 0)
5213 kmp = walker->ipa_act.ipa_apply.ipp_km_proto;
5214 if (walker->ipa_act.ipa_apply.ipp_km_cookie != 0)
5215 kmc = walker->ipa_act.ipa_apply.ipp_km_cookie;
5216 if (walker->ipa_act.ipa_apply.ipp_replay_depth) {
5217 prop->sadb_prop_replay =
5218 walker->ipa_act.ipa_apply.ipp_replay_depth;
5222 if (!prot->ipp_use_esp)
5225 if (prot->ipp_esp_auth_alg != 0) {
5226 aalg = ipss->ipsec_alglists[IPSEC_ALG_AUTH]
5227 [prot->ipp_esp_auth_alg];
5233 ASSERT(prot->ipp_encr_alg > 0);
5234 ealg = ipss->ipsec_alglists[IPSEC_ALG_ENCR]
5235 [prot->ipp_encr_alg];
5242 softbytes = espstack->ipsecesp_default_soft_bytes;
5243 hardbytes = espstack->ipsecesp_default_hard_bytes;
5244 softaddtime = espstack->ipsecesp_default_soft_addtime;
5245 hardaddtime = espstack->ipsecesp_default_hard_addtime;
5246 softusetime = espstack->ipsecesp_default_soft_usetime;
5247 hardusetime = espstack->ipsecesp_default_hard_usetime;
5249 if (!prot->ipp_use_ah)
5252 aalg = ipss->ipsec_alglists[IPSEC_ALG_AUTH]
5253 [prot->ipp_auth_alg];
5260 softbytes = ahstack->ipsecah_default_soft_bytes;
5261 hardbytes = ahstack->ipsecah_default_hard_bytes;
5262 softaddtime = ahstack->ipsecah_default_soft_addtime;
5263 hardaddtime = ahstack->ipsecah_default_hard_addtime;
5264 softusetime = ahstack->ipsecah_default_soft_usetime;
5265 hardusetime = ahstack->ipsecah_default_hard_usetime;
5271 ealgid = ealg->alg_id;
5273 MAX(prot->ipp_espe_minbits, ealg->alg_ef_minbits);
5275 MIN(prot->ipp_espe_maxbits, ealg->alg_ef_maxbits);
5276 esaltlen = ealg->alg_saltlen;
5282 aalgid = aalg->alg_id;
5283 aminbits = MAX(prot->ipp_espa_minbits,
5284 aalg->alg_ef_minbits);
5285 amaxbits = MIN(prot->ipp_espa_maxbits,
5286 aalg->alg_ef_maxbits);
5289 comb->sadb_comb_flags = 0;
5290 comb->sadb_comb_reserved = 0;
5291 comb->sadb_comb_encrypt = ealgid;
5292 comb->sadb_comb_encrypt_minbits = eminbits;
5293 comb->sadb_comb_encrypt_maxbits = emaxbits;
5294 comb->sadb_x_comb_encrypt_saltbits = SADB_8TO1(esaltlen);
5295 comb->sadb_comb_auth = aalgid;
5296 comb->sadb_comb_auth_minbits = aminbits;
5297 comb->sadb_comb_auth_maxbits = amaxbits;
5298 comb->sadb_comb_soft_allocations = 0;
5299 comb->sadb_comb_hard_allocations = 0;
5300 comb->sadb_comb_soft_bytes = softbytes;
5301 comb->sadb_comb_hard_bytes = hardbytes;
5302 comb->sadb_comb_soft_addtime = softaddtime;
5303 comb->sadb_comb_hard_addtime = hardaddtime;
5304 comb->sadb_comb_soft_usetime = softusetime;
5305 comb->sadb_comb_hard_usetime = hardusetime;
5307 prop->sadb_prop_len += SADB_8TO64(sizeof (*comb));
5308 mp->b_wptr += sizeof (*comb);
5309 allocsize -= sizeof (*comb);
5319 if (sadb_make_kmc_ext(mp->b_wptr,
5320 mp->b_wptr + sizeof (sadb_x_kmc_t), kmp, kmc) == NULL) {
5325 mp->b_wptr += sizeof (sadb_x_kmc_t);
5326 prop->sadb_prop_len += SADB_8TO64(sizeof (sadb_x_kmc_t));
5330 rw_exit(&ipss->ipsec_alg_lock);
5335 * Generate an extended ACQUIRE's extended-proposal extension.
5354 for (walker = ap; walker != NULL; walker = walker->ipa_next) {
5358 * Skip non-IPsec policies
5360 if (walker->ipa_act.ipa_type != IPSEC_ACT_APPLY)
5363 ipp = &walker->ipa_act.ipa_apply;
5365 if (walker->ipa_act.ipa_apply.ipp_km_proto)
5366 kmp = ipp->ipp_km_proto;
5367 if (walker->ipa_act.ipa_apply.ipp_km_cookie)
5368 kmc = ipp->ipp_km_cookie;
5369 if (walker->ipa_act.ipa_apply.ipp_replay_depth)
5370 replay = ipp->ipp_replay_depth;
5372 if (ipp->ipp_use_ah)
5374 if (ipp->ipp_use_esp) {
5376 if (ipp->ipp_use_espa)
5389 eprop = (sadb_prop_t *)mp->b_rptr;
5390 end = mp->b_rptr + allocsize;
5391 cur = mp->b_rptr + sizeof (*eprop);
5393 eprop->sadb_prop_exttype = SADB_X_EXT_EPROP;
5394 eprop->sadb_x_prop_ereserved = 0;
5395 eprop->sadb_x_prop_numecombs = 0;
5396 *(uint32_t *)(&eprop->sadb_prop_replay) = 0; /* Quick zero-out! */
5398 eprop->sadb_prop_replay = (replay == 0) ?
5399 ns->netstack_ipsecesp->ipsecesp_replay_size : replay;
5402 for (walker = ap; walker != NULL; walker = walker->ipa_next) {
5404 * Skip non-IPsec policies
5406 if (walker->ipa_act.ipa_type != IPSEC_ACT_APPLY)
5410 /* NOTE: inverse-ACQUIRE should note this as ENOMEM. */
5414 eprop->sadb_x_prop_numecombs++;
5417 ASSERT(end - cur >= sizeof (sadb_x_kmc_t));
5425 mp->b_wptr = cur;
5426 eprop->sadb_prop_len = SADB_8TO64(cur - mp->b_rptr);
5450 ipha_t *ipha = (ipha_t *)datamp->b_rptr;
5451 ip6_t *ip6h = (ip6_t *)datamp->b_rptr;
5453 ipsec_policy_t *pp = ixa->ixa_ipsec_policy;
5454 ipsec_action_t *ap = ixa->ixa_ipsec_action;
5459 boolean_t tunnel_mode = (ixa->ixa_flags & IXAF_IPSEC_TUNNEL) != 0;
5461 netstack_t *ns = ixa->ixa_ipst->ips_netstack;
5462 ipsec_stack_t *ipss = ns->netstack_ipsec;
5463 ipsecesp_stack_t *espstack = ns->netstack_ipsecesp;
5464 ipsecah_stack_t *ahstack = ns->netstack_ipsecah;
5465 ipsec_selector_t sel; local
5477 spp = &espstack->esp_sadb;
5479 spp = &ahstack->ah_sadb;
5481 sp = (ixa->ixa_flags & IXAF_IS_IPV4) ? &spp->s_v4 : &spp->s_v6;
5484 tsl = ixa->ixa_tsl;
5489 ap = pp->ipsp_act;
5492 if (ap->ipa_act.ipa_apply.ipp_use_unique || tunnel_mode)
5506 src = (uint32_t *)&ipha->ipha_src;
5507 dst = (uint32_t *)&ipha->ipha_dst;
5509 hashoffset = OUTBOUND_HASH_V4(sp, ipha->ipha_dst);
5510 ASSERT(ixa->ixa_flags & IXAF_IS_IPV4);
5513 src = (uint32_t *)&ip6h->ip6_src;
5514 dst = (uint32_t *)&ip6h->ip6_dst;
5516 hashoffset = OUTBOUND_HASH_V6(sp, ip6h->ip6_dst);
5517 ASSERT(!(ixa->ixa_flags & IXAF_IS_IPV4));
5525 * with self-encapsulated protection. Until we better
5530 &ipss->ipsec_spd_dropper);
5534 isrc = ixa->ixa_ipsec_insrc;
5535 idst = ixa->ixa_ipsec_indst;
5544 bucket = &(sp->sdb_acq[hashoffset]);
5545 mutex_enter(&bucket->iacqf_lock);
5555 mutex_exit(&bucket->iacqf_lock);
5558 &ipss->ipsec_sadb_dropper);
5561 newbie->ipsacq_policy = pp;
5566 newbie->ipsacq_act = ap;
5567 newbie->ipsacq_linklock = &bucket->iacqf_lock;
5568 newbie->ipsacq_next = bucket->iacqf_ipsacq;
5569 newbie->ipsacq_ptpn = &bucket->iacqf_ipsacq;
5570 if (newbie->ipsacq_next != NULL)
5571 newbie->ipsacq_next->ipsacq_ptpn = &newbie->ipsacq_next;
5573 bucket->iacqf_ipsacq = newbie;
5574 mutex_init(&newbie->ipsacq_lock, NULL, MUTEX_DEFAULT, NULL);
5575 mutex_enter(&newbie->ipsacq_lock);
5580 * we have inserted a half-built, locked acquire record into the
5590 mutex_exit(&bucket->iacqf_lock);
5596 ASSERT(MUTEX_HELD(&newbie->ipsacq_lock));
5610 if (ixa->ixa_flags & IXAF_IS_IPV4) {
5611 BUMP_MIB(&ixa->ixa_ipst->ips_ip_mib,
5614 BUMP_MIB(&ixa->ixa_ipst->ips_ip6_mib,
5624 mutex_exit(&newbie->ipsacq_lock);
5626 } else if (newbie->ipsacq_numpackets == 0) {
5628 newbie->ipsacq_mp = asyncmp;
5629 newbie->ipsacq_numpackets = 1;
5630 newbie->ipsacq_expire = gethrestime_sec();
5635 newbie->ipsacq_expire += *spp->s_acquire_timeout;
5636 newbie->ipsacq_seq = seq;
5637 newbie->ipsacq_addrfam = af;
5639 newbie->ipsacq_srcport = ixa->ixa_ipsec_src_port;
5640 newbie->ipsacq_dstport = ixa->ixa_ipsec_dst_port;
5641 newbie->ipsacq_icmp_type = ixa->ixa_ipsec_icmp_type;
5642 newbie->ipsacq_icmp_code = ixa->ixa_ipsec_icmp_code;
5644 newbie->ipsacq_inneraddrfam = ixa->ixa_ipsec_inaf;
5645 newbie->ipsacq_proto = ixa->ixa_ipsec_inaf == AF_INET6 ?
5647 newbie->ipsacq_innersrcpfx = ixa->ixa_ipsec_insrcpfx;
5648 newbie->ipsacq_innerdstpfx = ixa->ixa_ipsec_indstpfx;
5649 IPSA_COPY_ADDR(newbie->ipsacq_innersrc,
5650 ixa->ixa_ipsec_insrc, ixa->ixa_ipsec_inaf);
5651 IPSA_COPY_ADDR(newbie->ipsacq_innerdst,
5652 ixa->ixa_ipsec_indst, ixa->ixa_ipsec_inaf);
5654 newbie->ipsacq_proto = ixa->ixa_ipsec_proto;
5656 newbie->ipsacq_unique_id = unique_id;
5660 newbie->ipsacq_tsl = tsl;
5664 mblk_t *lastone = newbie->ipsacq_mp;
5666 while (lastone->b_next != NULL)
5667 lastone = lastone->b_next;
5668 lastone->b_next = asyncmp;
5669 if (newbie->ipsacq_numpackets++ == ipsacq_maxpackets) {
5670 newbie->ipsacq_numpackets = ipsacq_maxpackets;
5671 lastone = newbie->ipsacq_mp;
5672 newbie->ipsacq_mp = lastone->b_next;
5673 lastone->b_next = NULL;
5679 &ipss->ipsec_sadb_dropper);
5682 newbie->ipsacq_numpackets);
5692 newbie->ipsacq_srcaddr = src;
5693 newbie->ipsacq_dstaddr = dst;
5699 if (newbie->ipsacq_seq != seq || newbie->ipsacq_numpackets > 1) {
5701 mutex_exit(&newbie->ipsacq_lock);
5707 q = espstack->esp_pfkey_q;
5711 * 1.) AH-only policy.
5714 * post-ESP, AH-needs-to-send-a-regular-ACQUIRE case.
5718 q = ahstack->ah_pfkey_q;
5722 * Get selectors and other policy-expression bits needed for an
5725 bzero(&sel, sizeof (sel));
5726 sel.ips_isv4 = (ixa->ixa_flags & IXAF_IS_IPV4) != 0;
5728 sel.ips_protocol = (ixa->ixa_ipsec_inaf == AF_INET) ?
5731 sel.ips_protocol = ixa->ixa_ipsec_proto;
5732 sel.ips_local_port = ixa->ixa_ipsec_src_port;
5733 sel.ips_remote_port = ixa->ixa_ipsec_dst_port;
5735 sel.ips_icmp_type = ixa->ixa_ipsec_icmp_type;
5736 sel.ips_icmp_code = ixa->ixa_ipsec_icmp_code;
5737 sel.ips_is_icmp_inv_acq = 0;
5739 sel.ips_local_addr_v4 = ipha->ipha_src;
5740 sel.ips_remote_addr_v4 = ipha->ipha_dst;
5742 sel.ips_local_addr_v6 = ip6h->ip6_src;
5743 sel.ips_remote_addr_v6 = ip6h->ip6_dst;
5749 * and should be an mblk pointed to by common. TBD -- eventually it
5752 * 2. Generate ACQUIRE & KEYSOCK_OUT and single-protocol proposal.
5753 * These are "regular" and "prop". String regular->b_cont->b_cont =
5754 * common, common->b_cont = prop.
5757 * KEYSOCK_OUT and multi-protocol eprop. These are "extended" and
5758 * "eprop". String extended->b_cont->b_cont = dupb(common) and
5759 * extended->b_cont->b_cont->b_cont = prop.
5766 common = sadb_acquire_msg_common(&sel, pp, ap, tunnel_mode, tsl, NULL);
5771 SADB_SATYPE_ESP : SADB_SATYPE_AH), newbie->ipsacq_seq, 0);
5785 regular->b_cont->b_cont = common;
5786 common->b_cont = prop;
5793 ((sadb_msg_t *)(regular->b_cont->b_rptr))->sadb_msg_len =
5794 SADB_8TO64(msgsize(regular->b_cont));
5801 extended = sadb_acquire_msg_base(0, 0, newbie->ipsacq_seq, 0);
5807 extended->b_cont->b_cont = dupb(common);
5809 if (extended->b_cont->b_cont == NULL)
5815 extended->b_cont->b_cont->b_cont = eprop;
5817 ((sadb_msg_t *)(extended->b_cont->b_rptr))->sadb_msg_len =
5818 SADB_8TO64(msgsize(extended->b_cont));
5822 mutex_exit(&newbie->ipsacq_lock);
5832 newbie->ipsacq_expire = 0;
5838 mutex_exit(&newbie->ipsacq_lock);
5848 ipsec_stack_t *ipss = ns->netstack_ipsec;
5850 ASSERT(MUTEX_HELD(acqrec->ipsacq_linklock));
5852 if (acqrec->ipsacq_policy != NULL) {
5853 IPPOL_REFRELE(acqrec->ipsacq_policy);
5855 if (acqrec->ipsacq_act != NULL) {
5856 IPACT_REFRELE(acqrec->ipsacq_act);
5860 *(acqrec->ipsacq_ptpn) = acqrec->ipsacq_next;
5861 if (acqrec->ipsacq_next != NULL)
5862 acqrec->ipsacq_next->ipsacq_ptpn = acqrec->ipsacq_ptpn;
5864 if (acqrec->ipsacq_tsl != NULL) {
5865 label_rele(acqrec->ipsacq_tsl);
5866 acqrec->ipsacq_tsl = NULL;
5875 mutex_enter(&acqrec->ipsacq_lock);
5876 while (acqrec->ipsacq_mp != NULL) {
5877 mp = acqrec->ipsacq_mp;
5878 acqrec->ipsacq_mp = mp->b_next;
5879 mp->b_next = NULL;
5884 &ipss->ipsec_sadb_dropper);
5886 mutex_exit(&acqrec->ipsacq_lock);
5889 mutex_destroy(&acqrec->ipsacq_lock);
5938 ecomb->sadb_x_ecomb_numalgs++;
5945 rw_enter(&ipss->ipsec_alg_lock, RW_READER);
5946 algp = ipss->ipsec_alglists[(algtype == SADB_X_ALGTYPE_AUTH) ?
5949 rw_exit(&ipss->ipsec_alg_lock);
5952 if (minbits < algp->alg_ef_minbits)
5953 minbits = algp->alg_ef_minbits;
5954 if (maxbits > algp->alg_ef_maxbits)
5955 maxbits = algp->alg_ef_maxbits;
5956 rw_exit(&ipss->ipsec_alg_lock);
5958 algdesc->sadb_x_algdesc_saltbits = SADB_8TO1(algp->alg_saltlen);
5959 algdesc->sadb_x_algdesc_satype = satype;
5960 algdesc->sadb_x_algdesc_algtype = algtype;
5961 algdesc->sadb_x_algdesc_alg = alg;
5962 algdesc->sadb_x_algdesc_minbits = minbits;
5963 algdesc->sadb_x_algdesc_maxbits = maxbits;
5981 ipsec_stack_t *ipss = ns->netstack_ipsec;
5987 ASSERT(act->ipa_act.ipa_type == IPSEC_ACT_APPLY);
5989 ipp = &act->ipa_act.ipa_apply;
5991 ecomb->sadb_x_ecomb_numalgs = 0;
5992 ecomb->sadb_x_ecomb_reserved = 0;
5993 ecomb->sadb_x_ecomb_reserved2 = 0;
5998 ecomb->sadb_x_ecomb_soft_allocations = 0;
5999 ecomb->sadb_x_ecomb_hard_allocations = 0;
6005 ecomb->sadb_x_ecomb_flags = 0;
6006 ecomb->sadb_x_ecomb_soft_bytes = 0;
6007 ecomb->sadb_x_ecomb_hard_bytes = 0;
6008 ecomb->sadb_x_ecomb_soft_addtime = 0;
6009 ecomb->sadb_x_ecomb_hard_addtime = 0;
6010 ecomb->sadb_x_ecomb_soft_usetime = 0;
6011 ecomb->sadb_x_ecomb_hard_usetime = 0;
6013 if (ipp->ipp_use_ah) {
6015 SADB_SATYPE_AH, SADB_X_ALGTYPE_AUTH, ipp->ipp_auth_alg,
6016 ipp->ipp_ah_minbits, ipp->ipp_ah_maxbits, ipss);
6022 if (ipp->ipp_use_esp) {
6023 if (ipp->ipp_use_espa) {
6026 ipp->ipp_esp_auth_alg,
6027 ipp->ipp_espa_minbits,
6028 ipp->ipp_espa_maxbits, ipss);
6035 ipp->ipp_encr_alg,
6036 ipp->ipp_espe_minbits,
6037 ipp->ipp_espe_maxbits, ipss);
6041 if (!ipp->ipp_use_ah)
6053 * We send up a fixed-size sensitivity label bitmap, and are perhaps
6078 sens->sadb_sens_exttype = exttype;
6079 sens->sadb_sens_len = SADB_8TO64(senslen);
6081 sens->sadb_sens_dpd = tsl->tsl_doi;
6082 sens->sadb_sens_sens_level = LCLASS(sl);
6083 sens->sadb_sens_integ_level = 0; /* TBD */
6084 sens->sadb_sens_sens_len = _C_LEN >> 1;
6085 sens->sadb_sens_integ_len = 0; /* TBD */
6086 sens->sadb_x_sens_flags = 0;
6089 bcopy(&(((_bslabel_impl_t *)sl)->compartments), bitmap, _C_LEN * 4);
6100 int bitmap_len = SADB_64TO8(sens->sadb_sens_sens_len);
6104 if (sens->sadb_sens_integ_level != 0)
6106 if (sens->sadb_sens_integ_len != 0)
6113 (uint16_t)sens->sadb_sens_sens_level);
6114 bcopy(bitmap, &((_bslabel_impl_t *)&sl)->compartments,
6117 tsl = labelalloc(&sl, sens->sadb_sens_dpd, KM_NOSLEEP);
6121 if (sens->sadb_x_sens_flags & SADB_X_SENS_UNLABELED)
6122 tsl->tsl_flags |= TSLF_UNLABELED;
6126 /* End XXX label-library-leakage */
6130 * allocate an SA. If there are message improprieties, return (ipsa_t *)-1.
6132 * (ipsa_t *)-1).
6141 (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_SRC],
6142 *dst = (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_DST];
6144 (sadb_spirange_t *)ksi->ks_in_extv[SADB_EXT_SPIRANGE];
6155 return ((ipsa_t *)-1);
6159 return ((ipsa_t *)-1);
6163 return ((ipsa_t *)-1);
6166 min = ntohl(range->sadb_spirange_min);
6167 max = ntohl(range->sadb_spirange_max);
6173 ASSERT(dsa->sin_family == ssa->sin_family);
6176 af = dsa->sin_family;
6180 srcaddr = (uint32_t *)(&ssa->sin_addr);
6181 dstaddr = (uint32_t *)(&dsa->sin_addr);
6185 srcaddr = (uint32_t *)(&ssa6->sin6_addr);
6186 dstaddr = (uint32_t *)(&dsa6->sin6_addr);
6190 return ((ipsa_t *)-1);
6196 cl_inet_getspi(ns->netstack_stackid, protocol,
6202 master_spi = min + (add % (max - min + 1));
6241 if (samsg->sadb_msg_len > SADB_8TO64(sizeof (*samsg)))
6245 * Using the samsg->sadb_msg_seq, find the ACQUIRE record, delete it,
6252 for (i = 0; i < sp->s_v4.sdb_hashsize; i++) {
6253 bucket = &sp->s_v4.sdb_acq[i];
6254 mutex_enter(&bucket->iacqf_lock);
6255 for (acqrec = bucket->iacqf_ipsacq; acqrec != NULL;
6256 acqrec = acqrec->ipsacq_next) {
6257 if (samsg->sadb_msg_seq == acqrec->ipsacq_seq)
6263 mutex_exit(&bucket->iacqf_lock);
6267 for (i = 0; i < sp->s_v6.sdb_hashsize; i++) {
6268 bucket = &sp->s_v6.sdb_acq[i];
6269 mutex_enter(&bucket->iacqf_lock);
6270 for (acqrec = bucket->iacqf_ipsacq; acqrec != NULL;
6271 acqrec = acqrec->ipsacq_next) {
6272 if (samsg->sadb_msg_seq == acqrec->ipsacq_seq)
6278 mutex_exit(&bucket->iacqf_lock);
6292 ASSERT(&bucket->iacqf_lock == acqrec->ipsacq_linklock);
6295 mutex_exit(&bucket->iacqf_lock);
6300 * the ipsa->ipsa_replay_arr is an array of uint64_t, and that the bit vector
6302 * (ipsa->ipsa_replay_wsize) packets.
6313 return ((bit & ipsa->ipsa_replay_arr[offset >> 6]) ? B_TRUE : B_FALSE);
6323 int jump = ((shift - 1) >> 6) + 1;
6328 for (i = (ipsa->ipsa_replay_wsize - 1) >> 6; i >= 0; i--) {
6329 if (i + jump <= (ipsa->ipsa_replay_wsize - 1) >> 6) {
6330 ipsa->ipsa_replay_arr[i + jump] |=
6331 ipsa->ipsa_replay_arr[i] >> (64 - (shift & 63));
6333 ipsa->ipsa_replay_arr[i] <<= shift;
6345 ipsa->ipsa_replay_arr[offset >> 6] |= bit;
6360 if (ipsa->ipsa_replay_wsize == 0)
6370 mutex_enter(&ipsa->ipsa_lock);
6373 if (ipsa->ipsa_replay == 0)
6374 ipsa->ipsa_replay = 1;
6376 if (seq > ipsa->ipsa_replay) {
6381 diff = seq - ipsa->ipsa_replay;
6382 if (diff < ipsa->ipsa_replay_wsize) {
6387 bzero(ipsa->ipsa_replay_arr,
6388 sizeof (ipsa->ipsa_replay_arr));
6391 ipsa->ipsa_replay = seq;
6395 diff = ipsa->ipsa_replay - seq;
6396 if (diff >= ipsa->ipsa_replay_wsize || ipsa_is_replay_set(ipsa, diff)) {
6405 mutex_exit(&ipsa->ipsa_lock);
6415 * Assume same byte-ordering as sadb_replay_check.
6423 if (ipsa->ipsa_replay_wsize == 0)
6437 mutex_enter(&ipsa->ipsa_lock);
6438 if (seq < ipsa->ipsa_replay - ipsa->ipsa_replay_wsize &&
6439 ipsa->ipsa_replay >= ipsa->ipsa_replay_wsize)
6447 if (ipsa->ipsa_replay == SADB_MAX_REPLAY_VALUE) {
6452 ipsa->ipsa_hardexpiretime = (time_t)1;
6456 if (seq <= ipsa->ipsa_replay) {
6461 diff = ipsa->ipsa_replay - seq;
6469 mutex_exit(&ipsa->ipsa_lock);
6476 * For now, use the quick-and-dirty trick of making the association's
6477 * hard-expire lifetime (time_t)1, ensuring deletion by the *_ager().
6482 mutex_enter(&assoc->ipsa_lock);
6483 assoc->ipsa_hardexpiretime = (time_t)1;
6484 mutex_exit(&assoc->ipsa_lock);
6488 * Special front-end to ipsec_rl_strlog() dealing with SA failure.
6512 ipsec_conn_pol(ipsec_selector_t *sel, conn_t *connp, ipsec_policy_t **ppp) argument
6515 ipsec_latch_t *ipl = connp->conn_latch;
6517 if ((ipl != NULL) && (connp->conn_ixa->ixa_ipsec_policy != NULL)) {
6518 pp = connp->conn_ixa->ixa_ipsec_policy;
6521 pp = ipsec_find_policy(IPSEC_TYPE_OUTBOUND, connp, sel,
6522 connp->conn_netstack);
6529 * and return a reference to the best-matching policy it can find.
6533 ipsec_udp_pol(ipsec_selector_t *sel, ipsec_policy_t **ppp, ip_stack_t *ipst) argument
6541 if (sel->ips_local_port == 0)
6544 connfp = &ipst->ips_ipcl_udp_fanout[IPCL_UDP_HASH(sel->ips_local_port,
6546 mutex_enter(&connfp->connf_lock);
6548 if (sel->ips_isv4) {
6549 connp = connfp->connf_head;
6551 if (IPCL_UDP_MATCH(connp, sel->ips_local_port,
6552 sel->ips_local_addr_v4, sel->ips_remote_port,
6553 sel->ips_remote_addr_v4))
6555 connp = connp->conn_next;
6559 /* Try port-only match in IPv6. */
6560 portonly.ips_local_port = sel->ips_local_port;
6561 sel = &portonly;
6566 connp = connfp->connf_head;
6568 if (IPCL_UDP_MATCH_V6(connp, sel->ips_local_port,
6569 sel->ips_local_addr_v6, sel->ips_remote_port,
6570 sel->ips_remote_addr_v6))
6572 connp = connp->conn_next;
6576 mutex_exit(&connfp->connf_lock);
6582 mutex_exit(&connfp->connf_lock);
6584 ipsec_conn_pol(sel, connp, ppp);
6589 ipsec_find_listen_conn(uint16_t *pptr, ipsec_selector_t *sel, ip_stack_t *ipst) argument
6593 const in6_addr_t *v6addrmatch = &sel->ips_local_addr_v6;
6595 if (sel->ips_local_port == 0)
6598 connfp = &ipst->ips_ipcl_bind_fanout[
6599 IPCL_BIND_HASH(sel->ips_local_port, ipst)];
6600 mutex_enter(&connfp->connf_lock);
6602 if (sel->ips_isv4) {
6603 connp = connfp->connf_head;
6606 sel->ips_local_addr_v4, pptr[1]))
6608 connp = connp->conn_next;
6612 /* Match to all-zeroes. */
6618 connp = connfp->connf_head;
6623 connp = connp->conn_next;
6627 mutex_exit(&connfp->connf_lock);
6633 mutex_exit(&connfp->connf_lock);
6638 ipsec_tcp_pol(ipsec_selector_t *sel, ipsec_policy_t **ppp, ip_stack_t *ipst) argument
6654 if (sel->ips_local_port == 0)
6661 pptr[0] = sel->ips_remote_port;
6662 pptr[1] = sel->ips_local_port;
6664 connfp = &ipst->ips_ipcl_conn_fanout[
6665 IPCL_CONN_HASH(sel->ips_remote_addr_v4, ports, ipst)];
6666 mutex_enter(&connfp->connf_lock);
6667 connp = connfp->connf_head;
6669 if (sel->ips_isv4) {
6672 sel->ips_remote_addr_v4, sel->ips_local_addr_v4,
6675 connp = connp->conn_next;
6680 sel->ips_remote_addr_v6, sel->ips_local_addr_v6,
6683 connp = connp->conn_next;
6689 mutex_exit(&connfp->connf_lock);
6691 mutex_exit(&connfp->connf_lock);
6694 if ((connp = ipsec_find_listen_conn(pptr, sel, ipst)) == NULL)
6698 ipsec_conn_pol(sel, connp, ppp);
6703 ipsec_sctp_pol(ipsec_selector_t *sel, ipsec_policy_t **ppp, argument
6719 if (sel->ips_local_port == 0)
6726 pptr[0] = sel->ips_remote_port;
6727 pptr[1] = sel->ips_local_port;
6734 if (sel->ips_isv4) {
6737 IN6_IPADDR_TO_V4MAPPED(sel->ips_remote_addr_v4, &dst);
6738 IN6_IPADDR_TO_V4MAPPED(sel->ips_local_addr_v4, &src);
6740 0, ipst->ips_netstack->netstack_sctp);
6742 connp = sctp_find_conn(&sel->ips_remote_addr_v6,
6743 &sel->ips_local_addr_v6, ports, ALL_ZONES,
6744 0, ipst->ips_netstack->netstack_sctp);
6748 ipsec_conn_pol(sel, connp, ppp);
6753 * Fill in a query for the SPD (in "sel") using two PF_KEY address extensions.
6758 * ignore prefix lengths in the address extension. Since we match on first-
6759 * entered policies, this shouldn't matter. Also, since we normalize prefix-
6765 ipsec_get_inverse_acquire_sel(ipsec_selector_t *sel, sadb_address_t *srcext, argument
6773 bzero(sel, sizeof (*sel));
6774 sel->ips_protocol = srcext->sadb_address_proto;
6776 if (dst->sin_family == AF_INET6) {
6779 if (src6->sin6_family != AF_INET6) {
6783 sel->ips_remote_addr_v6 = dst6->sin6_addr;
6784 sel->ips_local_addr_v6 = src6->sin6_addr;
6785 if (sel->ips_protocol == IPPROTO_ICMPV6) {
6786 sel->ips_is_icmp_inv_acq = 1;
6788 sel->ips_remote_port = dst6->sin6_port;
6789 sel->ips_local_port = src6->sin6_port;
6791 sel->ips_isv4 = B_FALSE;
6794 if (src->sin_family != AF_INET) {
6798 sel->ips_remote_addr_v4 = dst->sin_addr.s_addr;
6799 sel->ips_local_addr_v4 = src->sin_addr.s_addr;
6800 if (sel->ips_protocol == IPPROTO_ICMP) {
6801 sel->ips_is_icmp_inv_acq = 1;
6803 sel->ips_remote_port = dst->sin_port;
6804 sel->ips_local_port = src->sin_port;
6806 sel->ips_isv4 = B_TRUE;
6813 * - Lookup tun_t by address and look for an associated
6815 * - If there are inner selectors
6816 * - check ITPF_P_TUNNEL and ITPF_P_ACTIVE
6817 * - Look up tunnel policy based on selectors
6818 * - Else
6819 * - Sanity check the negotation
6820 * - If appropriate, fall through to global policy
6823 ipsec_tun_pol(ipsec_selector_t *sel, ipsec_policy_t **ppp, argument
6838 (itp->itp_flags & (ITPF_P_ACTIVE | ITPF_P_TUNNEL)) !=
6843 * transport-mode policy set on it, or has no policy,
6849 * Reset "sel" to indicate inner selectors. Pass
6852 if ((err = ipsec_get_inverse_acquire_sel(sel,
6862 if ((itp == NULL) || !(itp->itp_flags & ITPF_P_ACTIVE)) {
6865 * configured - return to indicate a global policy
6869 } else if (itp->itp_flags & ITPF_P_TUNNEL) {
6877 * changing fields in "sel".
6882 polhead = itp->itp_policy;
6884 rw_enter(&polhead->iph_lock, RW_READER);
6885 *ppp = ipsec_find_policy_head(NULL, polhead, IPSEC_TYPE_INBOUND, sel);
6886 rw_exit(&polhead->iph_lock);
6890 * Instead, send ENOENT, just like if we hit a transport-mode tunnel.
6903 ipsec_oth_pol(ipsec_selector_t *sel, ipsec_policy_t **ppp, argument
6906 boolean_t isv4 = sel->ips_isv4;
6911 connfp = &ipst->ips_ipcl_proto_fanout_v4[sel->ips_protocol];
6913 connfp = &ipst->ips_ipcl_proto_fanout_v6[sel->ips_protocol];
6916 mutex_enter(&connfp->connf_lock);
6917 for (connp = connfp->connf_head; connp != NULL;
6918 connp = connp->conn_next) {
6920 if ((connp->conn_laddr_v4 == INADDR_ANY ||
6921 connp->conn_laddr_v4 == sel->ips_local_addr_v4) &&
6922 (connp->conn_faddr_v4 == INADDR_ANY ||
6923 connp->conn_faddr_v4 == sel->ips_remote_addr_v4))
6926 if ((IN6_IS_ADDR_UNSPECIFIED(&connp->conn_laddr_v6) ||
6927 IN6_ARE_ADDR_EQUAL(&connp->conn_laddr_v6,
6928 &sel->ips_local_addr_v6)) &&
6929 (IN6_IS_ADDR_UNSPECIFIED(&connp->conn_faddr_v6) ||
6930 IN6_ARE_ADDR_EQUAL(&connp->conn_faddr_v6,
6931 &sel->ips_remote_addr_v6)))
6936 mutex_exit(&connfp->connf_lock);
6941 mutex_exit(&connfp->connf_lock);
6943 ipsec_conn_pol(sel, connp, ppp);
6959 * The SRC address is the local one - just like an outbound ACQUIRE message.
6979 ipsec_selector_t sel, isel; local
6981 ip_stack_t *ipst = ns->netstack_ip;
6999 if (src->sin6_family != dst->sin6_family) {
7026 if (isrc->sin6_family != idst->sin6_family) {
7031 if (isrc->sin6_family != AF_INET &&
7032 isrc->sin6_family != AF_INET6) {
7044 err = ipsec_get_inverse_acquire_sel(&sel, srcext, dstext, &diagnostic);
7050 ((isrc->sin6_family == AF_INET &&
7051 sel.ips_protocol != IPPROTO_ENCAP && sel.ips_protocol != 0) ||
7052 (isrc->sin6_family == AF_INET6 &&
7053 sel.ips_protocol != IPPROTO_IPV6 && sel.ips_protocol != 0))) {
7063 switch (sel.ips_protocol) {
7065 ipsec_tcp_pol(&sel, &pp, ipst);
7068 ipsec_udp_pol(&sel, &pp, ipst);
7071 ipsec_sctp_pol(&sel, &pp, ipst);
7076 * Assume sel.ips_remote_addr_* has the right address at
7079 itp = itp_get_byaddr((uint32_t *)(&sel.ips_local_addr_v6),
7080 (uint32_t *)(&sel.ips_remote_addr_v6), src->sin6_family,
7085 * Transport-mode tunnel, make sure we fake out isel
7089 isel.ips_isv4 = (sel.ips_protocol == IPPROTO_ENCAP);
7101 ipsec_oth_pol(&sel, &pp, ipst);
7110 pp = ipsec_find_policy(IPSEC_TYPE_OUTBOUND, NULL, &sel, ns);
7120 retmp = sadb_acquire_msg_base(0, 0, samsg->sadb_msg_seq,
7121 samsg->sadb_msg_pid);
7126 retmp = retmp->b_cont;
7129 retmp->b_cont = sadb_acquire_msg_common(&sel, pp, NULL,
7130 (itp != NULL && (itp->itp_flags & ITPF_P_TUNNEL)), NULL,
7132 if (retmp->b_cont == NULL) {
7137 retmp->b_cont->b_cont =
7138 sadb_acquire_extended_prop(pp->ipsp_act, ns);
7139 if (retmp->b_cont->b_cont == NULL) {
7143 ((sadb_msg_t *)retmp->b_rptr)->sadb_msg_len =
7157 samsg->sadb_msg_errno = (uint8_t)err;
7158 samsg->sadb_x_msg_diagnostic = (uint16_t)diagnostic;
7163 * ipsa_lpkt is a one-element queue, only manipulated by the next two
7172 * Returns the passed-in packet if the SA is no longer larval.
7182 mutex_enter(&ipsa->ipsa_lock);
7183 opkt = ipsa->ipsa_lpkt;
7184 if (ipsa->ipsa_state == IPSA_STATE_LARVAL) {
7193 ill_t *ill = ira->ira_ill;
7195 BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
7200 ASSERT(attrmp->b_cont == NULL);
7201 attrmp->b_cont = npkt;
7202 ipsa->ipsa_lpkt = attrmp;
7208 * have been non-NULL in the non-larval case, because of
7211 * after lpkt was grabbed by the AH/ESP-specific add routines.
7213 * that it doesn't linger on the now-MATURE IPsec SA, or get
7214 * picked up as an out-of-order packet.
7216 ipsa->ipsa_lpkt = NULL;
7218 mutex_exit(&ipsa->ipsa_lock);
7223 ipss = ira->ira_ill->ill_ipst->ips_netstack->netstack_ipsec;
7225 ip_drop_packet(opkt, B_TRUE, ira->ira_ill,
7227 &ipss->ipsec_sadb_dropper);
7233 * sadb_clear_lpkt: Atomically clear ipsa->ipsa_lpkt and return the
7241 mutex_enter(&ipsa->ipsa_lock);
7242 opkt = ipsa->ipsa_lpkt;
7243 ipsa->ipsa_lpkt = NULL;
7244 mutex_exit(&ipsa->ipsa_lock);
7254 netstack_t *ns = ira->ira_ill->ill_ipst->ips_netstack;
7255 ipsec_stack_t *ipss = ns->netstack_ipsec;
7256 in6_addr_t *srcaddr = (in6_addr_t *)(&ipsa->ipsa_srcaddr);
7257 in6_addr_t *dstaddr = (in6_addr_t *)(&ipsa->ipsa_dstaddr);
7260 ASSERT(ipsa->ipsa_state == IPSA_STATE_IDLE);
7263 ip_drop_packet(bpkt, B_TRUE, ira->ira_ill,
7265 &ipss->ipsec_sadb_dropper);
7269 cl_inet_idlesa(ns->netstack_stackid,
7270 (ipsa->ipsa_type == SADB_SATYPE_AH) ? IPPROTO_AH : IPPROTO_ESP,
7271 ipsa->ipsa_spi, ipsa->ipsa_addrfam, *srcaddr, *dstaddr, NULL);
7275 ip_drop_packet(bpkt, B_TRUE, ira->ira_ill,
7277 &ipss->ipsec_sadb_dropper);
7282 mutex_enter(&ipsa->ipsa_lock);
7283 ipsa->ipsa_mblkcnt++;
7284 if (ipsa->ipsa_bpkt_head == NULL) {
7285 ipsa->ipsa_bpkt_head = ipsa->ipsa_bpkt_tail = bpkt;
7287 ipsa->ipsa_bpkt_tail->b_next = bpkt;
7288 ipsa->ipsa_bpkt_tail = bpkt;
7289 if (ipsa->ipsa_mblkcnt > SADB_MAX_IDLEPKTS) {
7292 tmp = ipsa->ipsa_bpkt_head;
7293 ipsa->ipsa_bpkt_head = ipsa->ipsa_bpkt_head->b_next;
7297 &ipss->ipsec_sadb_dropper);
7298 ipsa->ipsa_mblkcnt --;
7301 mutex_exit(&ipsa->ipsa_lock);
7319 tmp = buf_pkt->b_next;
7320 buf_pkt->b_next = NULL;
7322 data_mp = buf_pkt->b_cont;
7323 buf_pkt->b_cont = NULL;
7356 ASSERT(MUTEX_HELD(&head->isaf_lock));
7358 if (entry->ipsa_state == IPSA_STATE_LARVAL)
7361 mutex_enter(&entry->ipsa_lock);
7363 if ((entry->ipsa_encr_alg != SADB_EALG_NONE && entry->ipsa_encr_alg !=
7364 SADB_EALG_NULL && update_state->async_encr) ||
7365 (entry->ipsa_auth_alg != SADB_AALG_NONE &&
7366 update_state->async_auth)) {
7367 entry->ipsa_flags |= IPSA_F_ASYNC;
7369 entry->ipsa_flags &= ~IPSA_F_ASYNC;
7372 switch (update_state->alg_type) {
7374 if (entry->ipsa_auth_alg == update_state->alg_id)
7375 ctx_tmpl = &entry->ipsa_authtmpl;
7378 if (entry->ipsa_encr_alg == update_state->alg_id)
7379 ctx_tmpl = &entry->ipsa_encrtmpl;
7386 mutex_exit(&entry->ipsa_lock);
7394 if (update_state->is_added) {
7398 update_state->alg_type);
7406 ipsec_destroy_ctx_tmpl(entry, update_state->alg_type);
7409 mutex_exit(&entry->ipsa_lock);
7432 ipsecah_stack_t *ahstack = ns->netstack_ipsecah;
7433 ipsecesp_stack_t *espstack = ns->netstack_ipsecesp;
7434 ipsec_stack_t *ipss = ns->netstack_ipsec;
7439 update_state.async_auth = ipss->ipsec_algs_exec_mode[IPSEC_ALG_AUTH] ==
7441 update_state.async_encr = ipss->ipsec_algs_exec_mode[IPSEC_ALG_ENCR] ==
7446 SADB_ALG_UPDATE_WALK(ahstack->ah_sadb.s_v4, sdb_of);
7447 SADB_ALG_UPDATE_WALK(ahstack->ah_sadb.s_v4, sdb_if);
7448 SADB_ALG_UPDATE_WALK(ahstack->ah_sadb.s_v6, sdb_of);
7449 SADB_ALG_UPDATE_WALK(ahstack->ah_sadb.s_v6, sdb_if);
7453 SADB_ALG_UPDATE_WALK(espstack->esp_sadb.s_v4, sdb_of);
7454 SADB_ALG_UPDATE_WALK(espstack->esp_sadb.s_v4, sdb_if);
7455 SADB_ALG_UPDATE_WALK(espstack->esp_sadb.s_v6, sdb_of);
7456 SADB_ALG_UPDATE_WALK(espstack->esp_sadb.s_v6, sdb_if);
7472 ipsec_stack_t *ipss = sa->ipsa_netstack->netstack_ipsec;
7474 ASSERT(RW_READ_HELD(&ipss->ipsec_alg_lock));
7475 ASSERT(MUTEX_HELD(&sa->ipsa_lock));
7480 key = &sa->ipsa_kcfauthkey;
7481 sa_tmpl = &sa->ipsa_authtmpl;
7482 alg = ipss->ipsec_alglists[alg_type][sa->ipsa_auth_alg];
7485 key = &sa->ipsa_kcfencrkey;
7486 sa_tmpl = &sa->ipsa_encrtmpl;
7487 alg = ipss->ipsec_alglists[alg_type][sa->ipsa_encr_alg];
7497 ASSERT(alg->alg_mech_type != CRYPTO_MECHANISM_INVALID);
7498 mech.cm_type = alg->alg_mech_type;
7535 ASSERT(MUTEX_HELD(&sa->ipsa_lock));
7538 if (sa->ipsa_authtmpl == IPSEC_CTX_TMPL_ALLOC)
7539 sa->ipsa_authtmpl = NULL;
7540 else if (sa->ipsa_authtmpl != NULL) {
7541 crypto_destroy_ctx_template(sa->ipsa_authtmpl);
7542 sa->ipsa_authtmpl = NULL;
7546 if (sa->ipsa_encrtmpl == IPSEC_CTX_TMPL_ALLOC)
7547 sa->ipsa_encrtmpl = NULL;
7548 else if (sa->ipsa_encrtmpl != NULL) {
7549 crypto_destroy_ctx_template(sa->ipsa_encrtmpl);
7550 sa->ipsa_encrtmpl = NULL;
7557 * via keysock. Returns 0 if the key is OK, -1 otherwise.
7573 crypto_key.ck_length = sadb_key->sadb_key_bits;
7595 return (-1);
7611 uint8_t *opt_storage = assoc->ipsa_opt_storage;
7612 ipha_t *ipha = (ipha_t *)mp->b_rptr;
7614 plen = ntohs(ipha->ipha_length);
7617 mp->b_wptr += delta;
7622 /* Make sure we have room for the worst-case addition */
7627 hlen -= IPH_HDR_LENGTH(ipha);
7629 db = mp->b_datap;
7630 if ((db->db_ref != 1) || (mp->b_wptr + hlen > db->db_lim)) {
7639 (mp->b_rptr - mp->b_datap->db_base), mp);
7647 new_mp->b_rptr += mp->b_rptr - mp->b_datap->db_base;
7648 new_mp->b_wptr = new_mp->b_rptr + copylen;
7649 bcopy(mp->b_rptr, new_mp->b_rptr, copylen);
7650 new_mp->b_cont = mp;
7651 if ((mp->b_rptr += copylen) >= mp->b_wptr) {
7652 new_mp->b_cont = mp->b_cont;
7656 ipha = (ipha_t *)mp->b_rptr;
7659 delta = tsol_prepend_option(assoc->ipsa_opt_storage, ipha, MBLKL(mp));
7661 ASSERT(delta != -1);
7664 mp->b_wptr += delta;
7669 db = mp->b_datap;
7671 ASSERT3P(mp->b_wptr, <=, db->db_lim);
7672 ASSERT3P(mp->b_rptr, <=, db->db_lim);
7674 ASSERT3P(mp->b_wptr, >=, db->db_base);
7675 ASSERT3P(mp->b_rptr, >=, db->db_base);
7678 ipha->ipha_length = htons(plen);
7691 uint8_t *opt_storage = assoc->ipsa_opt_storage;
7693 ip6_t *ip6h = (ip6_t *)mp->b_rptr;
7695 plen = ntohs(ip6h->ip6_plen);
7698 mp->b_wptr += delta;
7703 * Make sure we have room for the worst-case addition. Add 2 bytes for
7704 * the hop-by-hop ext header's next header and length fields. Add
7706 * up to the next 8-byte multiple.
7710 db = mp->b_datap;
7713 if ((db->db_ref != 1) || (mp->b_wptr + hlen > db->db_lim)) {
7729 (mp->b_rptr - mp->b_datap->db_base), mp);
7736 new_mp->b_rptr += mp->b_rptr - mp->b_datap->db_base;
7737 new_mp->b_wptr = new_mp->b_rptr + copylen;
7738 bcopy(mp->b_rptr, new_mp->b_rptr, copylen);
7739 new_mp->b_cont = mp;
7740 if ((mp->b_rptr += copylen) >= mp->b_wptr) {
7741 new_mp->b_cont = mp->b_cont;
7745 ip6h = (ip6_t *)mp->b_rptr;
7748 delta = tsol_prepend_option_v6(assoc->ipsa_opt_storage,
7751 ASSERT(delta != -1);
7754 mp->b_wptr += delta;
7759 db = mp->b_datap;
7761 ASSERT3P(mp->b_wptr, <=, db->db_lim);
7762 ASSERT3P(mp->b_rptr, <=, db->db_lim);
7764 ASSERT3P(mp->b_wptr, >=, db->db_base);
7765 ASSERT3P(mp->b_rptr, >=, db->db_base);
7768 ip6h->ip6_plen = htons(plen);
7781 if (ixa->ixa_flags & IXAF_IS_IPV4) {
7782 ipha_t *ipha = (ipha_t *)mp->b_rptr;
7785 iplen = ntohs(ipha->ipha_length);
7790 ipha = (ipha_t *)mp->b_rptr;
7792 adjust = (int)ntohs(ipha->ipha_length) - iplen;
7794 ip6_t *ip6h = (ip6_t *)mp->b_rptr;
7797 iplen = ntohs(ip6h->ip6_plen);
7802 ip6h = (ip6_t *)mp->b_rptr;
7804 adjust = (int)ntohs(ip6h->ip6_plen) - iplen;
7806 ixa->ixa_pktlen += adjust;
7807 ixa->ixa_ip_hdr_length += adjust;
7825 if (assoc->ipsa_softaddlt == 0)
7830 assoc->ipsa_softexpiretime -= rnd;
7831 assoc->ipsa_softaddlt -= rnd;
7838 * Because of the multi-line macro nature of IPSA_REFRELE, keep
7841 if (ipsapp->ipsap_sa_ptr != NULL) {
7842 IPSA_REFRELE(ipsapp->ipsap_sa_ptr);
7844 if (ipsapp->ipsap_psa_ptr != NULL) {
7845 IPSA_REFRELE(ipsapp->ipsap_psa_ptr);
7853 ipsapp->ipsap_bucket = NULL;
7854 ipsapp->ipsap_sa_ptr = NULL;
7855 ipsapp->ipsap_pbucket = NULL;
7856 ipsapp->ipsap_psa_ptr = NULL;
7885 dying = haspeerlist->ipsa;
7886 haspeer = (dying->ipsa_haspeer);
7888 haspeerlist = listptr->next;
7895 bucket = INBOUND_BUCKET(sp, dying->ipsa_spi);
7898 dying->ipsa_otherspi);
7901 if (dying->ipsa_addrfam == AF_INET6) {
7903 *((in6_addr_t *)&dying->
7907 *((ipaddr_t *)&dying->
7910 } else if (dying->ipsa_addrfam == AF_INET6) {
7912 *((in6_addr_t *)&dying->
7916 *((ipaddr_t *)&dying->
7919 bucket = &(sp->sdb_of[outhash]);
7922 mutex_enter(&bucket->isaf_lock);
7929 dying->ipsa_spi, dying->ipsa_srcaddr,
7930 dying->ipsa_dstaddr, dying->ipsa_addrfam);
7933 dying->ipsa_otherspi, dying->ipsa_dstaddr,
7934 dying->ipsa_srcaddr, dying->ipsa_addrfam);
7937 mutex_exit(&bucket->isaf_lock);
7939 mutex_enter(&peer_assoc->ipsa_lock);
7940 mutex_enter(&dying->ipsa_lock);
7948 peer_assoc->ipsa_otherspi = 0;
7949 peer_assoc->ipsa_flags &= ~IPSA_F_PAIRED;
7950 dying->ipsa_otherspi = 0;
7951 dying->ipsa_flags &= ~IPSA_F_PAIRED;
7961 peer_assoc->ipsa_state = dying->ipsa_state;
7963 if (dying->ipsa_state == IPSA_STATE_DEAD)
7964 peer_assoc->ipsa_hardexpiretime = 1;
7966 mutex_exit(&dying->ipsa_lock);
7967 mutex_exit(&peer_assoc->ipsa_lock);
7993 if (!(assoc->ipsa_flags & IPSA_F_COUNTERMODE)) {
7994 (void) random_get_pseudo_bytes(iv_ptr, assoc->ipsa_iv_len);
7998 mutex_enter(&assoc->ipsa_lock);
8000 (*assoc->ipsa_iv)++;
8002 if (*assoc->ipsa_iv == assoc->ipsa_iv_hardexpire) {
8005 } else if (*assoc->ipsa_iv == assoc->ipsa_iv_softexpire) {
8006 if (assoc->ipsa_state != IPSA_STATE_DYING) {
8022 assoc->ipsa_state = sa_new_state;
8023 if (assoc->ipsa_addrfam == AF_INET6) {
8024 sp = &espstack->esp_sadb.s_v6;
8026 sp = &espstack->esp_sadb.s_v4;
8028 inbound_bucket = INBOUND_BUCKET(sp, assoc->ipsa_otherspi);
8032 bcopy(assoc->ipsa_iv, iv_ptr, assoc->ipsa_iv_len);
8034 mutex_exit(&assoc->ipsa_lock);
8038 mutex_enter(&inbound_bucket->isaf_lock);
8040 assoc->ipsa_otherspi, assoc->ipsa_dstaddr,
8041 assoc->ipsa_srcaddr, assoc->ipsa_addrfam);
8042 mutex_exit(&inbound_bucket->isaf_lock);
8044 mutex_enter(&pair_sa->ipsa_lock);
8045 pair_sa->ipsa_state = sa_new_state;
8046 mutex_exit(&pair_sa->ipsa_lock);
8065 params->ulMACSize = assoc->ipsa_mac_len;
8066 params->ulNonceSize = assoc->ipsa_nonce_len;
8067 params->ulAuthDataSize = sizeof (esph_t);
8068 params->ulDataSize = data_len;
8069 params->nonce = nonce;
8070 params->authData = esph;
8072 cm_mech->combined_mech.cm_type = assoc->ipsa_emech.cm_type;
8073 cm_mech->combined_mech.cm_param_len = sizeof (CK_AES_CCM_PARAMS);
8074 cm_mech->combined_mech.cm_param = (caddr_t)params;
8076 bcopy(assoc->ipsa_nonce, nonce, assoc->ipsa_saltlen);
8077 nonce += assoc->ipsa_saltlen;
8078 bcopy(iv_ptr, nonce, assoc->ipsa_iv_len);
8079 crypto_data->cd_miscdata = NULL;
8087 cm_mech->combined_mech.cm_type = assoc->ipsa_emech.cm_type;
8088 cm_mech->combined_mech.cm_param_len = 0;
8089 cm_mech->combined_mech.cm_param = NULL;
8090 crypto_data->cd_miscdata = (char *)iv_ptr;
8106 params->pIv = nonce;
8107 params->ulIvLen = assoc->ipsa_nonce_len;
8108 params->ulIvBits = SADB_8TO1(assoc->ipsa_nonce_len);
8109 params->pAAD = esph;
8110 params->ulAADLen = sizeof (esph_t);
8111 params->ulTagBits = SADB_8TO1(assoc->ipsa_mac_len);
8113 cm_mech->combined_mech.cm_type = assoc->ipsa_emech.cm_type;
8114 cm_mech->combined_mech.cm_param_len = sizeof (CK_AES_GCM_PARAMS);
8115 cm_mech->combined_mech.cm_param = (caddr_t)params;
8124 bcopy(assoc->ipsa_nonce, nonce, assoc->ipsa_saltlen);
8125 nonce += assoc->ipsa_saltlen;
8126 bcopy(iv_ptr, nonce, assoc->ipsa_iv_len);
8127 crypto_data->cd_miscdata = NULL;