1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2009 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 #include <sys/types.h> 27 #include <sys/stream.h> 28 #include <sys/stropts.h> 29 #include <sys/strsubr.h> 30 #include <sys/errno.h> 31 #include <sys/ddi.h> 32 #include <sys/debug.h> 33 #include <sys/cmn_err.h> 34 #include <sys/stream.h> 35 #include <sys/strlog.h> 36 #include <sys/kmem.h> 37 #include <sys/sunddi.h> 38 #include <sys/tihdr.h> 39 #include <sys/atomic.h> 40 #include <sys/socket.h> 41 #include <sys/sysmacros.h> 42 #include <sys/crypto/common.h> 43 #include <sys/crypto/api.h> 44 #include <sys/zone.h> 45 #include <netinet/in.h> 46 #include <net/if.h> 47 #include <net/pfkeyv2.h> 48 #include <inet/common.h> 49 #include <netinet/ip6.h> 50 #include <inet/ip.h> 51 #include <inet/ip_ire.h> 52 #include <inet/ip6.h> 53 #include <inet/ipsec_info.h> 54 #include <inet/tcp.h> 55 #include <inet/sadb.h> 56 #include <inet/ipsec_impl.h> 57 #include <inet/ipsecah.h> 58 #include <inet/ipsecesp.h> 59 #include <sys/random.h> 60 #include <sys/dlpi.h> 61 #include <sys/iphada.h> 62 #include <inet/ip_if.h> 63 #include <inet/ipdrop.h> 64 #include <inet/ipclassifier.h> 65 #include <inet/sctp_ip.h> 66 67 /* 68 * This source file contains Security Association Database (SADB) common 69 * routines. They are linked in with the AH module. Since AH has no chance 70 * of falling under export control, it was safe to link it in there. 71 */ 72 73 static mblk_t *sadb_extended_acquire(ipsec_selector_t *, ipsec_policy_t *, 74 ipsec_action_t *, boolean_t, uint32_t, uint32_t, netstack_t *); 75 static void sadb_ill_df(ill_t *, mblk_t *, isaf_t *, int, boolean_t); 76 static ipsa_t *sadb_torch_assoc(isaf_t *, ipsa_t *, boolean_t, mblk_t **); 77 static void sadb_drain_torchq(queue_t *, mblk_t *); 78 static void sadb_destroy_acqlist(iacqf_t **, uint_t, boolean_t, 79 netstack_t *); 80 static void sadb_destroy(sadb_t *, netstack_t *); 81 static mblk_t *sadb_sa2msg(ipsa_t *, sadb_msg_t *); 82 83 static time_t sadb_add_time(time_t, uint64_t); 84 static void lifetime_fuzz(ipsa_t *); 85 static void age_pair_peer_list(templist_t *, sadb_t *, boolean_t); 86 static void ipsa_set_replay(ipsa_t *ipsa, uint32_t offset); 87 88 extern void (*cl_inet_getspi)(netstackid_t stack_id, uint8_t protocol, 89 uint8_t *ptr, size_t len, void *args); 90 extern int (*cl_inet_checkspi)(netstackid_t stack_id, uint8_t protocol, 91 uint32_t spi, void *args); 92 extern void (*cl_inet_deletespi)(netstackid_t stack_id, uint8_t protocol, 93 uint32_t spi, void *args); 94 95 /* 96 * ipsacq_maxpackets is defined here to make it tunable 97 * from /etc/system. 98 */ 99 extern uint64_t ipsacq_maxpackets; 100 101 #define SET_EXPIRE(sa, delta, exp) { \ 102 if (((sa)->ipsa_ ## delta) != 0) { \ 103 (sa)->ipsa_ ## exp = sadb_add_time((sa)->ipsa_addtime, \ 104 (sa)->ipsa_ ## delta); \ 105 } \ 106 } 107 108 #define UPDATE_EXPIRE(sa, delta, exp) { \ 109 if (((sa)->ipsa_ ## delta) != 0) { \ 110 time_t tmp = sadb_add_time((sa)->ipsa_usetime, \ 111 (sa)->ipsa_ ## delta); \ 112 if (((sa)->ipsa_ ## exp) == 0) \ 113 (sa)->ipsa_ ## exp = tmp; \ 114 else \ 115 (sa)->ipsa_ ## exp = \ 116 MIN((sa)->ipsa_ ## exp, tmp); \ 117 } \ 118 } 119 120 121 /* wrap the macro so we can pass it as a function pointer */ 122 void 123 sadb_sa_refrele(void *target) 124 { 125 IPSA_REFRELE(((ipsa_t *)target)); 126 } 127 128 /* 129 * We presume that sizeof (long) == sizeof (time_t) and that time_t is 130 * a signed type. 131 */ 132 #define TIME_MAX LONG_MAX 133 134 /* 135 * PF_KEY gives us lifetimes in uint64_t seconds. We presume that 136 * time_t is defined to be a signed type with the same range as 137 * "long". On ILP32 systems, we thus run the risk of wrapping around 138 * at end of time, as well as "overwrapping" the clock back around 139 * into a seemingly valid but incorrect future date earlier than the 140 * desired expiration. 141 * 142 * In order to avoid odd behavior (either negative lifetimes or loss 143 * of high order bits) when someone asks for bizarrely long SA 144 * lifetimes, we do a saturating add for expire times. 145 * 146 * We presume that ILP32 systems will be past end of support life when 147 * the 32-bit time_t overflows (a dangerous assumption, mind you..). 148 * 149 * On LP64, 2^64 seconds are about 5.8e11 years, at which point we 150 * will hopefully have figured out clever ways to avoid the use of 151 * fixed-sized integers in computation. 152 */ 153 static time_t 154 sadb_add_time(time_t base, uint64_t delta) 155 { 156 time_t sum; 157 158 /* 159 * Clip delta to the maximum possible time_t value to 160 * prevent "overwrapping" back into a shorter-than-desired 161 * future time. 162 */ 163 if (delta > TIME_MAX) 164 delta = TIME_MAX; 165 /* 166 * This sum may still overflow. 167 */ 168 sum = base + delta; 169 170 /* 171 * .. so if the result is less than the base, we overflowed. 172 */ 173 if (sum < base) 174 sum = TIME_MAX; 175 176 return (sum); 177 } 178 179 /* 180 * Callers of this function have already created a working security 181 * association, and have found the appropriate table & hash chain. All this 182 * function does is check duplicates, and insert the SA. The caller needs to 183 * hold the hash bucket lock and increment the refcnt before insertion. 184 * 185 * Return 0 if success, EEXIST if collision. 186 */ 187 #define SA_UNIQUE_MATCH(sa1, sa2) \ 188 (((sa1)->ipsa_unique_id & (sa1)->ipsa_unique_mask) == \ 189 ((sa2)->ipsa_unique_id & (sa2)->ipsa_unique_mask)) 190 191 int 192 sadb_insertassoc(ipsa_t *ipsa, isaf_t *bucket) 193 { 194 ipsa_t **ptpn = NULL; 195 ipsa_t *walker; 196 boolean_t unspecsrc; 197 198 ASSERT(MUTEX_HELD(&bucket->isaf_lock)); 199 200 unspecsrc = IPSA_IS_ADDR_UNSPEC(ipsa->ipsa_srcaddr, ipsa->ipsa_addrfam); 201 202 walker = bucket->isaf_ipsa; 203 ASSERT(walker == NULL || ipsa->ipsa_addrfam == walker->ipsa_addrfam); 204 205 /* 206 * Find insertion point (pointed to with **ptpn). Insert at the head 207 * of the list unless there's an unspecified source address, then 208 * insert it after the last SA with a specified source address. 209 * 210 * BTW, you'll have to walk the whole chain, matching on {DST, SPI} 211 * checking for collisions. 212 */ 213 214 while (walker != NULL) { 215 if (IPSA_ARE_ADDR_EQUAL(walker->ipsa_dstaddr, 216 ipsa->ipsa_dstaddr, ipsa->ipsa_addrfam)) { 217 if (walker->ipsa_spi == ipsa->ipsa_spi) 218 return (EEXIST); 219 220 mutex_enter(&walker->ipsa_lock); 221 if (ipsa->ipsa_state == IPSA_STATE_MATURE && 222 (walker->ipsa_flags & IPSA_F_USED) && 223 SA_UNIQUE_MATCH(walker, ipsa)) { 224 walker->ipsa_flags |= IPSA_F_CINVALID; 225 } 226 mutex_exit(&walker->ipsa_lock); 227 } 228 229 if (ptpn == NULL && unspecsrc) { 230 if (IPSA_IS_ADDR_UNSPEC(walker->ipsa_srcaddr, 231 walker->ipsa_addrfam)) 232 ptpn = walker->ipsa_ptpn; 233 else if (walker->ipsa_next == NULL) 234 ptpn = &walker->ipsa_next; 235 } 236 237 walker = walker->ipsa_next; 238 } 239 240 if (ptpn == NULL) 241 ptpn = &bucket->isaf_ipsa; 242 ipsa->ipsa_next = *ptpn; 243 ipsa->ipsa_ptpn = ptpn; 244 if (ipsa->ipsa_next != NULL) 245 ipsa->ipsa_next->ipsa_ptpn = &ipsa->ipsa_next; 246 *ptpn = ipsa; 247 ipsa->ipsa_linklock = &bucket->isaf_lock; 248 249 return (0); 250 } 251 #undef SA_UNIQUE_MATCH 252 253 /* 254 * Free a security association. Its reference count is 0, which means 255 * I must free it. The SA must be unlocked and must not be linked into 256 * any fanout list. 257 */ 258 static void 259 sadb_freeassoc(ipsa_t *ipsa) 260 { 261 ipsec_stack_t *ipss = ipsa->ipsa_netstack->netstack_ipsec; 262 263 ASSERT(ipss != NULL); 264 ASSERT(MUTEX_NOT_HELD(&ipsa->ipsa_lock)); 265 ASSERT(ipsa->ipsa_refcnt == 0); 266 ASSERT(ipsa->ipsa_next == NULL); 267 ASSERT(ipsa->ipsa_ptpn == NULL); 268 269 mutex_enter(&ipsa->ipsa_lock); 270 /* Don't call sadb_clear_lpkt() since we hold the ipsa_lock anyway. */ 271 ip_drop_packet(ipsa->ipsa_lpkt, B_TRUE, NULL, NULL, 272 DROPPER(ipss, ipds_sadb_inlarval_timeout), 273 &ipss->ipsec_sadb_dropper); 274 ipsec_destroy_ctx_tmpl(ipsa, IPSEC_ALG_AUTH); 275 ipsec_destroy_ctx_tmpl(ipsa, IPSEC_ALG_ENCR); 276 mutex_exit(&ipsa->ipsa_lock); 277 278 /* bzero() these fields for paranoia's sake. */ 279 if (ipsa->ipsa_authkey != NULL) { 280 bzero(ipsa->ipsa_authkey, ipsa->ipsa_authkeylen); 281 kmem_free(ipsa->ipsa_authkey, ipsa->ipsa_authkeylen); 282 } 283 if (ipsa->ipsa_encrkey != NULL) { 284 bzero(ipsa->ipsa_encrkey, ipsa->ipsa_encrkeylen); 285 kmem_free(ipsa->ipsa_encrkey, ipsa->ipsa_encrkeylen); 286 } 287 if (ipsa->ipsa_src_cid != NULL) { 288 IPSID_REFRELE(ipsa->ipsa_src_cid); 289 } 290 if (ipsa->ipsa_dst_cid != NULL) { 291 IPSID_REFRELE(ipsa->ipsa_dst_cid); 292 } 293 if (ipsa->ipsa_integ != NULL) 294 kmem_free(ipsa->ipsa_integ, ipsa->ipsa_integlen); 295 if (ipsa->ipsa_sens != NULL) 296 kmem_free(ipsa->ipsa_sens, ipsa->ipsa_senslen); 297 298 mutex_destroy(&ipsa->ipsa_lock); 299 kmem_free(ipsa, sizeof (*ipsa)); 300 } 301 302 /* 303 * Unlink a security association from a hash bucket. Assume the hash bucket 304 * lock is held, but the association's lock is not. 305 * 306 * Note that we do not bump the bucket's generation number here because 307 * we might not be making a visible change to the set of visible SA's. 308 * All callers MUST bump the bucket's generation number before they unlock 309 * the bucket if they use sadb_unlinkassoc to permanetly remove an SA which 310 * was present in the bucket at the time it was locked. 311 */ 312 void 313 sadb_unlinkassoc(ipsa_t *ipsa) 314 { 315 ASSERT(ipsa->ipsa_linklock != NULL); 316 ASSERT(MUTEX_HELD(ipsa->ipsa_linklock)); 317 318 /* These fields are protected by the link lock. */ 319 *(ipsa->ipsa_ptpn) = ipsa->ipsa_next; 320 if (ipsa->ipsa_next != NULL) { 321 ipsa->ipsa_next->ipsa_ptpn = ipsa->ipsa_ptpn; 322 ipsa->ipsa_next = NULL; 323 } 324 325 ipsa->ipsa_ptpn = NULL; 326 327 /* This may destroy the SA. */ 328 IPSA_REFRELE(ipsa); 329 } 330 331 void 332 sadb_delete_cluster(ipsa_t *assoc) 333 { 334 uint8_t protocol; 335 336 if (cl_inet_deletespi && 337 ((assoc->ipsa_state == IPSA_STATE_LARVAL) || 338 (assoc->ipsa_state == IPSA_STATE_MATURE))) { 339 protocol = (assoc->ipsa_type == SADB_SATYPE_AH) ? 340 IPPROTO_AH : IPPROTO_ESP; 341 cl_inet_deletespi(assoc->ipsa_netstack->netstack_stackid, 342 protocol, assoc->ipsa_spi, NULL); 343 } 344 } 345 346 /* 347 * Create a larval security association with the specified SPI. All other 348 * fields are zeroed. 349 */ 350 static ipsa_t * 351 sadb_makelarvalassoc(uint32_t spi, uint32_t *src, uint32_t *dst, int addrfam, 352 netstack_t *ns) 353 { 354 ipsa_t *newbie; 355 356 /* 357 * Allocate... 358 */ 359 360 newbie = (ipsa_t *)kmem_zalloc(sizeof (ipsa_t), KM_NOSLEEP); 361 if (newbie == NULL) { 362 /* Can't make new larval SA. */ 363 return (NULL); 364 } 365 366 /* Assigned requested SPI, assume caller does SPI allocation magic. */ 367 newbie->ipsa_spi = spi; 368 newbie->ipsa_netstack = ns; /* No netstack_hold */ 369 370 /* 371 * Copy addresses... 372 */ 373 374 IPSA_COPY_ADDR(newbie->ipsa_srcaddr, src, addrfam); 375 IPSA_COPY_ADDR(newbie->ipsa_dstaddr, dst, addrfam); 376 377 newbie->ipsa_addrfam = addrfam; 378 379 /* 380 * Set common initialization values, including refcnt. 381 */ 382 mutex_init(&newbie->ipsa_lock, NULL, MUTEX_DEFAULT, NULL); 383 newbie->ipsa_state = IPSA_STATE_LARVAL; 384 newbie->ipsa_refcnt = 1; 385 newbie->ipsa_freefunc = sadb_freeassoc; 386 387 /* 388 * There aren't a lot of other common initialization values, as 389 * they are copied in from the PF_KEY message. 390 */ 391 392 return (newbie); 393 } 394 395 /* 396 * Call me to initialize a security association fanout. 397 */ 398 static int 399 sadb_init_fanout(isaf_t **tablep, uint_t size, int kmflag) 400 { 401 isaf_t *table; 402 int i; 403 404 table = (isaf_t *)kmem_alloc(size * sizeof (*table), kmflag); 405 *tablep = table; 406 407 if (table == NULL) 408 return (ENOMEM); 409 410 for (i = 0; i < size; i++) { 411 mutex_init(&(table[i].isaf_lock), NULL, MUTEX_DEFAULT, NULL); 412 table[i].isaf_ipsa = NULL; 413 table[i].isaf_gen = 0; 414 } 415 416 return (0); 417 } 418 419 /* 420 * Call me to initialize an acquire fanout 421 */ 422 static int 423 sadb_init_acfanout(iacqf_t **tablep, uint_t size, int kmflag) 424 { 425 iacqf_t *table; 426 int i; 427 428 table = (iacqf_t *)kmem_alloc(size * sizeof (*table), kmflag); 429 *tablep = table; 430 431 if (table == NULL) 432 return (ENOMEM); 433 434 for (i = 0; i < size; i++) { 435 mutex_init(&(table[i].iacqf_lock), NULL, MUTEX_DEFAULT, NULL); 436 table[i].iacqf_ipsacq = NULL; 437 } 438 439 return (0); 440 } 441 442 /* 443 * Attempt to initialize an SADB instance. On failure, return ENOMEM; 444 * caller must clean up partial allocations. 445 */ 446 static int 447 sadb_init_trial(sadb_t *sp, uint_t size, int kmflag) 448 { 449 ASSERT(sp->sdb_of == NULL); 450 ASSERT(sp->sdb_if == NULL); 451 ASSERT(sp->sdb_acq == NULL); 452 453 sp->sdb_hashsize = size; 454 if (sadb_init_fanout(&sp->sdb_of, size, kmflag) != 0) 455 return (ENOMEM); 456 if (sadb_init_fanout(&sp->sdb_if, size, kmflag) != 0) 457 return (ENOMEM); 458 if (sadb_init_acfanout(&sp->sdb_acq, size, kmflag) != 0) 459 return (ENOMEM); 460 461 return (0); 462 } 463 464 /* 465 * Call me to initialize an SADB instance; fall back to default size on failure. 466 */ 467 static void 468 sadb_init(const char *name, sadb_t *sp, uint_t size, uint_t ver, 469 netstack_t *ns) 470 { 471 ASSERT(sp->sdb_of == NULL); 472 ASSERT(sp->sdb_if == NULL); 473 ASSERT(sp->sdb_acq == NULL); 474 475 if (size < IPSEC_DEFAULT_HASH_SIZE) 476 size = IPSEC_DEFAULT_HASH_SIZE; 477 478 if (sadb_init_trial(sp, size, KM_NOSLEEP) != 0) { 479 480 cmn_err(CE_WARN, 481 "Unable to allocate %u entry IPv%u %s SADB hash table", 482 size, ver, name); 483 484 sadb_destroy(sp, ns); 485 size = IPSEC_DEFAULT_HASH_SIZE; 486 cmn_err(CE_WARN, "Falling back to %d entries", size); 487 (void) sadb_init_trial(sp, size, KM_SLEEP); 488 } 489 } 490 491 492 /* 493 * Initialize an SADB-pair. 494 */ 495 void 496 sadbp_init(const char *name, sadbp_t *sp, int type, int size, netstack_t *ns) 497 { 498 sadb_init(name, &sp->s_v4, size, 4, ns); 499 sadb_init(name, &sp->s_v6, size, 6, ns); 500 501 sp->s_satype = type; 502 503 ASSERT((type == SADB_SATYPE_AH) || (type == SADB_SATYPE_ESP)); 504 if (type == SADB_SATYPE_AH) { 505 ipsec_stack_t *ipss = ns->netstack_ipsec; 506 507 ip_drop_register(&ipss->ipsec_sadb_dropper, "IPsec SADB"); 508 sp->s_addflags = AH_ADD_SETTABLE_FLAGS; 509 sp->s_updateflags = AH_UPDATE_SETTABLE_FLAGS; 510 } else { 511 sp->s_addflags = ESP_ADD_SETTABLE_FLAGS; 512 sp->s_updateflags = ESP_UPDATE_SETTABLE_FLAGS; 513 } 514 } 515 516 /* 517 * Deliver a single SADB_DUMP message representing a single SA. This is 518 * called many times by sadb_dump(). 519 * 520 * If the return value of this is ENOBUFS (not the same as ENOMEM), then 521 * the caller should take that as a hint that dupb() on the "original answer" 522 * failed, and that perhaps the caller should try again with a copyb()ed 523 * "original answer". 524 */ 525 static int 526 sadb_dump_deliver(queue_t *pfkey_q, mblk_t *original_answer, ipsa_t *ipsa, 527 sadb_msg_t *samsg) 528 { 529 mblk_t *answer; 530 531 answer = dupb(original_answer); 532 if (answer == NULL) 533 return (ENOBUFS); 534 answer->b_cont = sadb_sa2msg(ipsa, samsg); 535 if (answer->b_cont == NULL) { 536 freeb(answer); 537 return (ENOMEM); 538 } 539 540 /* Just do a putnext, and let keysock deal with flow control. */ 541 putnext(pfkey_q, answer); 542 return (0); 543 } 544 545 /* 546 * Common function to allocate and prepare a keysock_out_t M_CTL message. 547 */ 548 mblk_t * 549 sadb_keysock_out(minor_t serial) 550 { 551 mblk_t *mp; 552 keysock_out_t *kso; 553 554 mp = allocb(sizeof (ipsec_info_t), BPRI_HI); 555 if (mp != NULL) { 556 mp->b_datap->db_type = M_CTL; 557 mp->b_wptr += sizeof (ipsec_info_t); 558 kso = (keysock_out_t *)mp->b_rptr; 559 kso->ks_out_type = KEYSOCK_OUT; 560 kso->ks_out_len = sizeof (*kso); 561 kso->ks_out_serial = serial; 562 } 563 564 return (mp); 565 } 566 567 /* 568 * Perform an SADB_DUMP, spewing out every SA in an array of SA fanouts 569 * to keysock. 570 */ 571 static int 572 sadb_dump_fanout(queue_t *pfkey_q, mblk_t *mp, minor_t serial, isaf_t *fanout, 573 int num_entries, boolean_t do_peers, time_t active_time) 574 { 575 int i, error = 0; 576 mblk_t *original_answer; 577 ipsa_t *walker; 578 sadb_msg_t *samsg; 579 time_t current; 580 581 /* 582 * For each IPSA hash bucket do: 583 * - Hold the mutex 584 * - Walk each entry, doing an sadb_dump_deliver() on it. 585 */ 586 ASSERT(mp->b_cont != NULL); 587 samsg = (sadb_msg_t *)mp->b_cont->b_rptr; 588 589 original_answer = sadb_keysock_out(serial); 590 if (original_answer == NULL) 591 return (ENOMEM); 592 593 current = gethrestime_sec(); 594 for (i = 0; i < num_entries; i++) { 595 mutex_enter(&fanout[i].isaf_lock); 596 for (walker = fanout[i].isaf_ipsa; walker != NULL; 597 walker = walker->ipsa_next) { 598 if (!do_peers && walker->ipsa_haspeer) 599 continue; 600 if ((active_time != 0) && 601 ((current - walker->ipsa_lastuse) > active_time)) 602 continue; 603 error = sadb_dump_deliver(pfkey_q, original_answer, 604 walker, samsg); 605 if (error == ENOBUFS) { 606 mblk_t *new_original_answer; 607 608 /* Ran out of dupb's. Try a copyb. */ 609 new_original_answer = copyb(original_answer); 610 if (new_original_answer == NULL) { 611 error = ENOMEM; 612 } else { 613 freeb(original_answer); 614 original_answer = new_original_answer; 615 error = sadb_dump_deliver(pfkey_q, 616 original_answer, walker, samsg); 617 } 618 } 619 if (error != 0) 620 break; /* out of for loop. */ 621 } 622 mutex_exit(&fanout[i].isaf_lock); 623 if (error != 0) 624 break; /* out of for loop. */ 625 } 626 627 freeb(original_answer); 628 return (error); 629 } 630 631 /* 632 * Dump an entire SADB; outbound first, then inbound. 633 */ 634 635 int 636 sadb_dump(queue_t *pfkey_q, mblk_t *mp, keysock_in_t *ksi, sadb_t *sp) 637 { 638 int error; 639 time_t active_time = 0; 640 sadb_x_edump_t *edump = 641 (sadb_x_edump_t *)ksi->ks_in_extv[SADB_X_EXT_EDUMP]; 642 643 if (edump != NULL) { 644 active_time = edump->sadb_x_edump_timeout; 645 } 646 647 /* Dump outbound */ 648 error = sadb_dump_fanout(pfkey_q, mp, ksi->ks_in_serial, sp->sdb_of, 649 sp->sdb_hashsize, B_TRUE, active_time); 650 if (error) 651 return (error); 652 653 /* Dump inbound */ 654 return sadb_dump_fanout(pfkey_q, mp, ksi->ks_in_serial, sp->sdb_if, 655 sp->sdb_hashsize, B_FALSE, active_time); 656 } 657 658 /* 659 * Generic sadb table walker. 660 * 661 * Call "walkfn" for each SA in each bucket in "table"; pass the 662 * bucket, the entry and "cookie" to the callback function. 663 * Take care to ensure that walkfn can delete the SA without screwing 664 * up our traverse. 665 * 666 * The bucket is locked for the duration of the callback, both so that the 667 * callback can just call sadb_unlinkassoc() when it wants to delete something, 668 * and so that no new entries are added while we're walking the list. 669 */ 670 static void 671 sadb_walker(isaf_t *table, uint_t numentries, 672 void (*walkfn)(isaf_t *head, ipsa_t *entry, void *cookie), 673 void *cookie) 674 { 675 int i; 676 for (i = 0; i < numentries; i++) { 677 ipsa_t *entry, *next; 678 679 mutex_enter(&table[i].isaf_lock); 680 681 for (entry = table[i].isaf_ipsa; entry != NULL; 682 entry = next) { 683 next = entry->ipsa_next; 684 (*walkfn)(&table[i], entry, cookie); 685 } 686 mutex_exit(&table[i].isaf_lock); 687 } 688 } 689 690 /* 691 * From the given SA, construct a dl_ct_ipsec_key and 692 * a dl_ct_ipsec structures to be sent to the adapter as part 693 * of a DL_CONTROL_REQ. 694 * 695 * ct_sa must point to the storage allocated for the key 696 * structure and must be followed by storage allocated 697 * for the SA information that must be sent to the driver 698 * as part of the DL_CONTROL_REQ request. 699 * 700 * The is_inbound boolean indicates whether the specified 701 * SA is part of an inbound SA table. 702 * 703 * Returns B_TRUE if the corresponding SA must be passed to 704 * a provider, B_FALSE otherwise; frees *mp if it returns B_FALSE. 705 */ 706 static boolean_t 707 sadb_req_from_sa(ipsa_t *sa, mblk_t *mp, boolean_t is_inbound) 708 { 709 dl_ct_ipsec_key_t *keyp; 710 dl_ct_ipsec_t *sap; 711 void *ct_sa = mp->b_wptr; 712 713 ASSERT(MUTEX_HELD(&sa->ipsa_lock)); 714 715 keyp = (dl_ct_ipsec_key_t *)(ct_sa); 716 sap = (dl_ct_ipsec_t *)(keyp + 1); 717 718 IPSECHW_DEBUG(IPSECHW_CAPAB, ("sadb_req_from_sa: " 719 "is_inbound = %d\n", is_inbound)); 720 721 /* initialize flag */ 722 sap->sadb_sa_flags = 0; 723 if (is_inbound) { 724 sap->sadb_sa_flags |= DL_CT_IPSEC_INBOUND; 725 /* 726 * If an inbound SA has a peer, then mark it has being 727 * an outbound SA as well. 728 */ 729 if (sa->ipsa_haspeer) 730 sap->sadb_sa_flags |= DL_CT_IPSEC_OUTBOUND; 731 } else { 732 /* 733 * If an outbound SA has a peer, then don't send it, 734 * since we will send the copy from the inbound table. 735 */ 736 if (sa->ipsa_haspeer) { 737 freemsg(mp); 738 return (B_FALSE); 739 } 740 sap->sadb_sa_flags |= DL_CT_IPSEC_OUTBOUND; 741 } 742 743 keyp->dl_key_spi = sa->ipsa_spi; 744 bcopy(sa->ipsa_dstaddr, keyp->dl_key_dest_addr, 745 DL_CTL_IPSEC_ADDR_LEN); 746 keyp->dl_key_addr_family = sa->ipsa_addrfam; 747 748 sap->sadb_sa_auth = sa->ipsa_auth_alg; 749 sap->sadb_sa_encrypt = sa->ipsa_encr_alg; 750 751 sap->sadb_key_len_a = sa->ipsa_authkeylen; 752 sap->sadb_key_bits_a = sa->ipsa_authkeybits; 753 bcopy(sa->ipsa_authkey, 754 sap->sadb_key_data_a, sap->sadb_key_len_a); 755 756 sap->sadb_key_len_e = sa->ipsa_encrkeylen; 757 sap->sadb_key_bits_e = sa->ipsa_encrkeybits; 758 bcopy(sa->ipsa_encrkey, 759 sap->sadb_key_data_e, sap->sadb_key_len_e); 760 761 mp->b_wptr += sizeof (dl_ct_ipsec_t) + sizeof (dl_ct_ipsec_key_t); 762 return (B_TRUE); 763 } 764 765 /* 766 * Called from AH or ESP to format a message which will be used to inform 767 * IPsec-acceleration-capable ills of a SADB change. 768 * (It is not possible to send the message to IP directly from this function 769 * since the SA, if any, is locked during the call). 770 * 771 * dl_operation: DL_CONTROL_REQ operation (add, delete, update, etc) 772 * sa_type: identifies whether the operation applies to AH or ESP 773 * (must be one of SADB_SATYPE_AH or SADB_SATYPE_ESP) 774 * sa: Pointer to an SA. Must be non-NULL and locked 775 * for ADD, DELETE, GET, and UPDATE operations. 776 * This function returns an mblk chain that must be passed to IP 777 * for forwarding to the IPsec capable providers. 778 */ 779 mblk_t * 780 sadb_fmt_sa_req(uint_t dl_operation, uint_t sa_type, ipsa_t *sa, 781 boolean_t is_inbound) 782 { 783 mblk_t *mp; 784 dl_control_req_t *ctrl; 785 boolean_t need_key = B_FALSE; 786 mblk_t *ctl_mp = NULL; 787 ipsec_ctl_t *ctl; 788 789 /* 790 * 1 allocate and initialize DL_CONTROL_REQ M_PROTO 791 * 2 if a key is needed for the operation 792 * 2.1 initialize key 793 * 2.2 if a full SA is needed for the operation 794 * 2.2.1 initialize full SA info 795 * 3 return message; caller will call ill_ipsec_capab_send_all() 796 * to send the resulting message to IPsec capable ills. 797 */ 798 799 ASSERT(sa_type == SADB_SATYPE_AH || sa_type == SADB_SATYPE_ESP); 800 801 /* 802 * Allocate DL_CONTROL_REQ M_PROTO 803 * We allocate room for the SA even if it's not needed 804 * by some of the operations (for example flush) 805 */ 806 mp = allocb(sizeof (dl_control_req_t) + 807 sizeof (dl_ct_ipsec_key_t) + sizeof (dl_ct_ipsec_t), BPRI_HI); 808 if (mp == NULL) 809 return (NULL); 810 mp->b_datap->db_type = M_PROTO; 811 812 /* initialize dl_control_req_t */ 813 ctrl = (dl_control_req_t *)mp->b_wptr; 814 ctrl->dl_primitive = DL_CONTROL_REQ; 815 ctrl->dl_operation = dl_operation; 816 ctrl->dl_type = sa_type == SADB_SATYPE_AH ? DL_CT_IPSEC_AH : 817 DL_CT_IPSEC_ESP; 818 ctrl->dl_key_offset = sizeof (dl_control_req_t); 819 ctrl->dl_key_length = sizeof (dl_ct_ipsec_key_t); 820 ctrl->dl_data_offset = sizeof (dl_control_req_t) + 821 sizeof (dl_ct_ipsec_key_t); 822 ctrl->dl_data_length = sizeof (dl_ct_ipsec_t); 823 mp->b_wptr += sizeof (dl_control_req_t); 824 825 if ((dl_operation == DL_CO_SET) || (dl_operation == DL_CO_DELETE)) { 826 ASSERT(sa != NULL); 827 ASSERT(MUTEX_HELD(&sa->ipsa_lock)); 828 829 need_key = B_TRUE; 830 831 /* 832 * Initialize key and SA data. Note that for some 833 * operations the SA data is ignored by the provider 834 * (delete, etc.) 835 */ 836 if (!sadb_req_from_sa(sa, mp, is_inbound)) 837 return (NULL); 838 } 839 840 /* construct control message */ 841 ctl_mp = allocb(sizeof (ipsec_ctl_t), BPRI_HI); 842 if (ctl_mp == NULL) { 843 cmn_err(CE_WARN, "sadb_fmt_sa_req: allocb failed\n"); 844 freemsg(mp); 845 return (NULL); 846 } 847 848 ctl_mp->b_datap->db_type = M_CTL; 849 ctl_mp->b_wptr += sizeof (ipsec_ctl_t); 850 ctl_mp->b_cont = mp; 851 852 ctl = (ipsec_ctl_t *)ctl_mp->b_rptr; 853 ctl->ipsec_ctl_type = IPSEC_CTL; 854 ctl->ipsec_ctl_len = sizeof (ipsec_ctl_t); 855 ctl->ipsec_ctl_sa_type = sa_type; 856 857 if (need_key) { 858 /* 859 * Keep an additional reference on SA, since it will be 860 * needed by IP to send control messages corresponding 861 * to that SA from its perimeter. IP will do a 862 * IPSA_REFRELE when done with the request. 863 */ 864 ASSERT(MUTEX_HELD(&sa->ipsa_lock)); 865 IPSA_REFHOLD(sa); 866 ctl->ipsec_ctl_sa = sa; 867 } else 868 ctl->ipsec_ctl_sa = NULL; 869 870 return (ctl_mp); 871 } 872 873 874 /* 875 * Called by sadb_ill_download() to dump the entries for a specific 876 * fanout table. For each SA entry in the table passed as argument, 877 * use mp as a template and constructs a full DL_CONTROL message, and 878 * call ill_dlpi_send(), provided by IP, to send the resulting 879 * messages to the ill. 880 */ 881 static void 882 sadb_ill_df(ill_t *ill, mblk_t *mp, isaf_t *fanout, int num_entries, 883 boolean_t is_inbound) 884 { 885 ipsa_t *walker; 886 mblk_t *nmp, *salist; 887 int i, error = 0; 888 ip_stack_t *ipst = ill->ill_ipst; 889 netstack_t *ns = ipst->ips_netstack; 890 891 IPSECHW_DEBUG(IPSECHW_SADB, ("sadb_ill_df: fanout at 0x%p ne=%d\n", 892 (void *)fanout, num_entries)); 893 /* 894 * For each IPSA hash bucket do: 895 * - Hold the mutex 896 * - Walk each entry, sending a corresponding request to IP 897 * for it. 898 */ 899 ASSERT(mp->b_datap->db_type == M_PROTO); 900 901 for (i = 0; i < num_entries; i++) { 902 mutex_enter(&fanout[i].isaf_lock); 903 salist = NULL; 904 905 for (walker = fanout[i].isaf_ipsa; walker != NULL; 906 walker = walker->ipsa_next) { 907 IPSECHW_DEBUG(IPSECHW_SADB, 908 ("sadb_ill_df: sending SA to ill via IP \n")); 909 /* 910 * Duplicate the template mp passed and 911 * complete DL_CONTROL_REQ data. 912 * To be more memory efficient, we could use 913 * dupb() for the M_CTL and copyb() for the M_PROTO 914 * as the M_CTL, since the M_CTL is the same for 915 * every SA entry passed down to IP for the same ill. 916 * 917 * Note that copymsg/copyb ensure that the new mblk 918 * is at least as large as the source mblk even if it's 919 * not using all its storage -- therefore, nmp 920 * has trailing space for sadb_req_from_sa to add 921 * the SA-specific bits. 922 */ 923 mutex_enter(&walker->ipsa_lock); 924 if (ipsec_capab_match(ill, 925 ill->ill_phyint->phyint_ifindex, ill->ill_isv6, 926 walker, ns)) { 927 nmp = copymsg(mp); 928 if (nmp == NULL) { 929 IPSECHW_DEBUG(IPSECHW_SADB, 930 ("sadb_ill_df: alloc error\n")); 931 error = ENOMEM; 932 mutex_exit(&walker->ipsa_lock); 933 break; 934 } 935 if (sadb_req_from_sa(walker, nmp, is_inbound)) { 936 nmp->b_next = salist; 937 salist = nmp; 938 } 939 } 940 mutex_exit(&walker->ipsa_lock); 941 } 942 mutex_exit(&fanout[i].isaf_lock); 943 while (salist != NULL) { 944 nmp = salist; 945 salist = nmp->b_next; 946 nmp->b_next = NULL; 947 ill_dlpi_send(ill, nmp); 948 } 949 if (error != 0) 950 break; /* out of for loop. */ 951 } 952 } 953 954 /* 955 * Called by ill_ipsec_capab_add(). Sends a copy of the SADB of 956 * the type specified by sa_type to the specified ill. 957 * 958 * We call for each fanout table defined by the SADB (one per 959 * protocol). sadb_ill_df() finally calls ill_dlpi_send() for 960 * each SADB entry in order to send a corresponding DL_CONTROL_REQ 961 * message to the ill. 962 */ 963 void 964 sadb_ill_download(ill_t *ill, uint_t sa_type) 965 { 966 mblk_t *protomp; /* prototype message */ 967 dl_control_req_t *ctrl; 968 sadbp_t *spp; 969 sadb_t *sp; 970 int dlt; 971 ip_stack_t *ipst = ill->ill_ipst; 972 netstack_t *ns = ipst->ips_netstack; 973 974 ASSERT(sa_type == SADB_SATYPE_AH || sa_type == SADB_SATYPE_ESP); 975 976 /* 977 * Allocate and initialize prototype answer. A duplicate for 978 * each SA is sent down to the interface. 979 */ 980 981 /* DL_CONTROL_REQ M_PROTO mblk_t */ 982 protomp = allocb(sizeof (dl_control_req_t) + 983 sizeof (dl_ct_ipsec_key_t) + sizeof (dl_ct_ipsec_t), BPRI_HI); 984 if (protomp == NULL) 985 return; 986 protomp->b_datap->db_type = M_PROTO; 987 988 dlt = (sa_type == SADB_SATYPE_AH) ? DL_CT_IPSEC_AH : DL_CT_IPSEC_ESP; 989 if (sa_type == SADB_SATYPE_ESP) { 990 ipsecesp_stack_t *espstack = ns->netstack_ipsecesp; 991 992 spp = &espstack->esp_sadb; 993 } else { 994 ipsecah_stack_t *ahstack = ns->netstack_ipsecah; 995 996 spp = &ahstack->ah_sadb; 997 } 998 999 ctrl = (dl_control_req_t *)protomp->b_wptr; 1000 ctrl->dl_primitive = DL_CONTROL_REQ; 1001 ctrl->dl_operation = DL_CO_SET; 1002 ctrl->dl_type = dlt; 1003 ctrl->dl_key_offset = sizeof (dl_control_req_t); 1004 ctrl->dl_key_length = sizeof (dl_ct_ipsec_key_t); 1005 ctrl->dl_data_offset = sizeof (dl_control_req_t) + 1006 sizeof (dl_ct_ipsec_key_t); 1007 ctrl->dl_data_length = sizeof (dl_ct_ipsec_t); 1008 protomp->b_wptr += sizeof (dl_control_req_t); 1009 1010 /* 1011 * then for each SADB entry, we fill out the dl_ct_ipsec_key_t 1012 * and dl_ct_ipsec_t 1013 */ 1014 sp = ill->ill_isv6 ? &(spp->s_v6) : &(spp->s_v4); 1015 sadb_ill_df(ill, protomp, sp->sdb_of, sp->sdb_hashsize, B_FALSE); 1016 sadb_ill_df(ill, protomp, sp->sdb_if, sp->sdb_hashsize, B_TRUE); 1017 freemsg(protomp); 1018 } 1019 1020 /* 1021 * Call me to free up a security association fanout. Use the forever 1022 * variable to indicate freeing up the SAs (forever == B_FALSE, e.g. 1023 * an SADB_FLUSH message), or destroying everything (forever == B_TRUE, 1024 * when a module is unloaded). 1025 */ 1026 static void 1027 sadb_destroyer(isaf_t **tablep, uint_t numentries, boolean_t forever, 1028 boolean_t inbound) 1029 { 1030 int i; 1031 isaf_t *table = *tablep; 1032 uint8_t protocol; 1033 ipsa_t *sa; 1034 netstackid_t sid; 1035 1036 if (table == NULL) 1037 return; 1038 1039 for (i = 0; i < numentries; i++) { 1040 mutex_enter(&table[i].isaf_lock); 1041 while ((sa = table[i].isaf_ipsa) != NULL) { 1042 if (inbound && cl_inet_deletespi && 1043 (sa->ipsa_state != IPSA_STATE_ACTIVE_ELSEWHERE) && 1044 (sa->ipsa_state != IPSA_STATE_IDLE)) { 1045 protocol = (sa->ipsa_type == SADB_SATYPE_AH) ? 1046 IPPROTO_AH : IPPROTO_ESP; 1047 sid = sa->ipsa_netstack->netstack_stackid; 1048 cl_inet_deletespi(sid, protocol, sa->ipsa_spi, 1049 NULL); 1050 } 1051 sadb_unlinkassoc(sa); 1052 } 1053 table[i].isaf_gen++; 1054 mutex_exit(&table[i].isaf_lock); 1055 if (forever) 1056 mutex_destroy(&(table[i].isaf_lock)); 1057 } 1058 1059 if (forever) { 1060 *tablep = NULL; 1061 kmem_free(table, numentries * sizeof (*table)); 1062 } 1063 } 1064 1065 /* 1066 * Entry points to sadb_destroyer(). 1067 */ 1068 static void 1069 sadb_flush(sadb_t *sp, netstack_t *ns) 1070 { 1071 /* 1072 * Flush out each bucket, one at a time. Were it not for keysock's 1073 * enforcement, there would be a subtlety where I could add on the 1074 * heels of a flush. With keysock's enforcement, however, this 1075 * makes ESP's job easy. 1076 */ 1077 sadb_destroyer(&sp->sdb_of, sp->sdb_hashsize, B_FALSE, B_FALSE); 1078 sadb_destroyer(&sp->sdb_if, sp->sdb_hashsize, B_FALSE, B_TRUE); 1079 1080 /* For each acquire, destroy it; leave the bucket mutex alone. */ 1081 sadb_destroy_acqlist(&sp->sdb_acq, sp->sdb_hashsize, B_FALSE, ns); 1082 } 1083 1084 static void 1085 sadb_destroy(sadb_t *sp, netstack_t *ns) 1086 { 1087 sadb_destroyer(&sp->sdb_of, sp->sdb_hashsize, B_TRUE, B_FALSE); 1088 sadb_destroyer(&sp->sdb_if, sp->sdb_hashsize, B_TRUE, B_TRUE); 1089 1090 /* For each acquire, destroy it, including the bucket mutex. */ 1091 sadb_destroy_acqlist(&sp->sdb_acq, sp->sdb_hashsize, B_TRUE, ns); 1092 1093 ASSERT(sp->sdb_of == NULL); 1094 ASSERT(sp->sdb_if == NULL); 1095 ASSERT(sp->sdb_acq == NULL); 1096 } 1097 1098 static void 1099 sadb_send_flush_req(sadbp_t *spp) 1100 { 1101 mblk_t *ctl_mp; 1102 1103 /* 1104 * we've been unplumbed, or never were plumbed; don't go there. 1105 */ 1106 if (spp->s_ip_q == NULL) 1107 return; 1108 1109 /* have IP send a flush msg to the IPsec accelerators */ 1110 ctl_mp = sadb_fmt_sa_req(DL_CO_FLUSH, spp->s_satype, NULL, B_TRUE); 1111 if (ctl_mp != NULL) 1112 putnext(spp->s_ip_q, ctl_mp); 1113 } 1114 1115 void 1116 sadbp_flush(sadbp_t *spp, netstack_t *ns) 1117 { 1118 sadb_flush(&spp->s_v4, ns); 1119 sadb_flush(&spp->s_v6, ns); 1120 1121 sadb_send_flush_req(spp); 1122 } 1123 1124 void 1125 sadbp_destroy(sadbp_t *spp, netstack_t *ns) 1126 { 1127 sadb_destroy(&spp->s_v4, ns); 1128 sadb_destroy(&spp->s_v6, ns); 1129 1130 sadb_send_flush_req(spp); 1131 if (spp->s_satype == SADB_SATYPE_AH) { 1132 ipsec_stack_t *ipss = ns->netstack_ipsec; 1133 1134 ip_drop_unregister(&ipss->ipsec_sadb_dropper); 1135 } 1136 } 1137 1138 1139 /* 1140 * Check hard vs. soft lifetimes. If there's a reality mismatch (e.g. 1141 * soft lifetimes > hard lifetimes) return an appropriate diagnostic for 1142 * EINVAL. 1143 */ 1144 int 1145 sadb_hardsoftchk(sadb_lifetime_t *hard, sadb_lifetime_t *soft, 1146 sadb_lifetime_t *idle) 1147 { 1148 if (hard == NULL || soft == NULL) 1149 return (0); 1150 1151 if (hard->sadb_lifetime_allocations != 0 && 1152 soft->sadb_lifetime_allocations != 0 && 1153 hard->sadb_lifetime_allocations < soft->sadb_lifetime_allocations) 1154 return (SADB_X_DIAGNOSTIC_ALLOC_HSERR); 1155 1156 if (hard->sadb_lifetime_bytes != 0 && 1157 soft->sadb_lifetime_bytes != 0 && 1158 hard->sadb_lifetime_bytes < soft->sadb_lifetime_bytes) 1159 return (SADB_X_DIAGNOSTIC_BYTES_HSERR); 1160 1161 if (hard->sadb_lifetime_addtime != 0 && 1162 soft->sadb_lifetime_addtime != 0 && 1163 hard->sadb_lifetime_addtime < soft->sadb_lifetime_addtime) 1164 return (SADB_X_DIAGNOSTIC_ADDTIME_HSERR); 1165 1166 if (hard->sadb_lifetime_usetime != 0 && 1167 soft->sadb_lifetime_usetime != 0 && 1168 hard->sadb_lifetime_usetime < soft->sadb_lifetime_usetime) 1169 return (SADB_X_DIAGNOSTIC_USETIME_HSERR); 1170 1171 if (idle != NULL) { 1172 if (hard->sadb_lifetime_addtime != 0 && 1173 idle->sadb_lifetime_addtime != 0 && 1174 hard->sadb_lifetime_addtime < idle->sadb_lifetime_addtime) 1175 return (SADB_X_DIAGNOSTIC_ADDTIME_HSERR); 1176 1177 if (soft->sadb_lifetime_addtime != 0 && 1178 idle->sadb_lifetime_addtime != 0 && 1179 soft->sadb_lifetime_addtime < idle->sadb_lifetime_addtime) 1180 return (SADB_X_DIAGNOSTIC_ADDTIME_HSERR); 1181 1182 if (hard->sadb_lifetime_usetime != 0 && 1183 idle->sadb_lifetime_usetime != 0 && 1184 hard->sadb_lifetime_usetime < idle->sadb_lifetime_usetime) 1185 return (SADB_X_DIAGNOSTIC_USETIME_HSERR); 1186 1187 if (soft->sadb_lifetime_usetime != 0 && 1188 idle->sadb_lifetime_usetime != 0 && 1189 soft->sadb_lifetime_usetime < idle->sadb_lifetime_usetime) 1190 return (SADB_X_DIAGNOSTIC_USETIME_HSERR); 1191 } 1192 1193 return (0); 1194 } 1195 1196 /* 1197 * Clone a security association for the purposes of inserting a single SA 1198 * into inbound and outbound tables respectively. This function should only 1199 * be called from sadb_common_add(). 1200 */ 1201 static ipsa_t * 1202 sadb_cloneassoc(ipsa_t *ipsa) 1203 { 1204 ipsa_t *newbie; 1205 boolean_t error = B_FALSE; 1206 1207 ASSERT(MUTEX_NOT_HELD(&(ipsa->ipsa_lock))); 1208 1209 newbie = kmem_alloc(sizeof (ipsa_t), KM_NOSLEEP); 1210 if (newbie == NULL) 1211 return (NULL); 1212 1213 /* Copy over what we can. */ 1214 *newbie = *ipsa; 1215 1216 /* bzero and initialize locks, in case *_init() allocates... */ 1217 mutex_init(&newbie->ipsa_lock, NULL, MUTEX_DEFAULT, NULL); 1218 1219 /* 1220 * While somewhat dain-bramaged, the most graceful way to 1221 * recover from errors is to keep plowing through the 1222 * allocations, and getting what I can. It's easier to call 1223 * sadb_freeassoc() on the stillborn clone when all the 1224 * pointers aren't pointing to the parent's data. 1225 */ 1226 1227 if (ipsa->ipsa_authkey != NULL) { 1228 newbie->ipsa_authkey = kmem_alloc(newbie->ipsa_authkeylen, 1229 KM_NOSLEEP); 1230 if (newbie->ipsa_authkey == NULL) { 1231 error = B_TRUE; 1232 } else { 1233 bcopy(ipsa->ipsa_authkey, newbie->ipsa_authkey, 1234 newbie->ipsa_authkeylen); 1235 1236 newbie->ipsa_kcfauthkey.ck_data = 1237 newbie->ipsa_authkey; 1238 } 1239 1240 if (newbie->ipsa_amech.cm_param != NULL) { 1241 newbie->ipsa_amech.cm_param = 1242 (char *)&newbie->ipsa_mac_len; 1243 } 1244 } 1245 1246 if (ipsa->ipsa_encrkey != NULL) { 1247 newbie->ipsa_encrkey = kmem_alloc(newbie->ipsa_encrkeylen, 1248 KM_NOSLEEP); 1249 if (newbie->ipsa_encrkey == NULL) { 1250 error = B_TRUE; 1251 } else { 1252 bcopy(ipsa->ipsa_encrkey, newbie->ipsa_encrkey, 1253 newbie->ipsa_encrkeylen); 1254 1255 newbie->ipsa_kcfencrkey.ck_data = 1256 newbie->ipsa_encrkey; 1257 } 1258 } 1259 1260 newbie->ipsa_authtmpl = NULL; 1261 newbie->ipsa_encrtmpl = NULL; 1262 newbie->ipsa_haspeer = B_TRUE; 1263 1264 if (ipsa->ipsa_integ != NULL) { 1265 newbie->ipsa_integ = kmem_alloc(newbie->ipsa_integlen, 1266 KM_NOSLEEP); 1267 if (newbie->ipsa_integ == NULL) { 1268 error = B_TRUE; 1269 } else { 1270 bcopy(ipsa->ipsa_integ, newbie->ipsa_integ, 1271 newbie->ipsa_integlen); 1272 } 1273 } 1274 1275 if (ipsa->ipsa_sens != NULL) { 1276 newbie->ipsa_sens = kmem_alloc(newbie->ipsa_senslen, 1277 KM_NOSLEEP); 1278 if (newbie->ipsa_sens == NULL) { 1279 error = B_TRUE; 1280 } else { 1281 bcopy(ipsa->ipsa_sens, newbie->ipsa_sens, 1282 newbie->ipsa_senslen); 1283 } 1284 } 1285 1286 if (ipsa->ipsa_src_cid != NULL) { 1287 newbie->ipsa_src_cid = ipsa->ipsa_src_cid; 1288 IPSID_REFHOLD(ipsa->ipsa_src_cid); 1289 } 1290 1291 if (ipsa->ipsa_dst_cid != NULL) { 1292 newbie->ipsa_dst_cid = ipsa->ipsa_dst_cid; 1293 IPSID_REFHOLD(ipsa->ipsa_dst_cid); 1294 } 1295 1296 if (error) { 1297 sadb_freeassoc(newbie); 1298 return (NULL); 1299 } 1300 1301 return (newbie); 1302 } 1303 1304 /* 1305 * Initialize a SADB address extension at the address specified by addrext. 1306 * Return a pointer to the end of the new address extension. 1307 */ 1308 static uint8_t * 1309 sadb_make_addr_ext(uint8_t *start, uint8_t *end, uint16_t exttype, 1310 sa_family_t af, uint32_t *addr, uint16_t port, uint8_t proto, int prefix) 1311 { 1312 struct sockaddr_in *sin; 1313 struct sockaddr_in6 *sin6; 1314 uint8_t *cur = start; 1315 int addrext_len; 1316 int sin_len; 1317 sadb_address_t *addrext = (sadb_address_t *)cur; 1318 1319 if (cur == NULL) 1320 return (NULL); 1321 1322 cur += sizeof (*addrext); 1323 if (cur > end) 1324 return (NULL); 1325 1326 addrext->sadb_address_proto = proto; 1327 addrext->sadb_address_prefixlen = prefix; 1328 addrext->sadb_address_reserved = 0; 1329 addrext->sadb_address_exttype = exttype; 1330 1331 switch (af) { 1332 case AF_INET: 1333 sin = (struct sockaddr_in *)cur; 1334 sin_len = sizeof (*sin); 1335 cur += sin_len; 1336 if (cur > end) 1337 return (NULL); 1338 1339 sin->sin_family = af; 1340 bzero(sin->sin_zero, sizeof (sin->sin_zero)); 1341 sin->sin_port = port; 1342 IPSA_COPY_ADDR(&sin->sin_addr, addr, af); 1343 break; 1344 case AF_INET6: 1345 sin6 = (struct sockaddr_in6 *)cur; 1346 sin_len = sizeof (*sin6); 1347 cur += sin_len; 1348 if (cur > end) 1349 return (NULL); 1350 1351 bzero(sin6, sizeof (*sin6)); 1352 sin6->sin6_family = af; 1353 sin6->sin6_port = port; 1354 IPSA_COPY_ADDR(&sin6->sin6_addr, addr, af); 1355 break; 1356 } 1357 1358 addrext_len = roundup(cur - start, sizeof (uint64_t)); 1359 addrext->sadb_address_len = SADB_8TO64(addrext_len); 1360 1361 cur = start + addrext_len; 1362 if (cur > end) 1363 cur = NULL; 1364 1365 return (cur); 1366 } 1367 1368 /* 1369 * Construct a key management cookie extension. 1370 */ 1371 1372 static uint8_t * 1373 sadb_make_kmc_ext(uint8_t *cur, uint8_t *end, uint32_t kmp, uint32_t kmc) 1374 { 1375 sadb_x_kmc_t *kmcext = (sadb_x_kmc_t *)cur; 1376 1377 if (cur == NULL) 1378 return (NULL); 1379 1380 cur += sizeof (*kmcext); 1381 1382 if (cur > end) 1383 return (NULL); 1384 1385 kmcext->sadb_x_kmc_len = SADB_8TO64(sizeof (*kmcext)); 1386 kmcext->sadb_x_kmc_exttype = SADB_X_EXT_KM_COOKIE; 1387 kmcext->sadb_x_kmc_proto = kmp; 1388 kmcext->sadb_x_kmc_cookie = kmc; 1389 kmcext->sadb_x_kmc_reserved = 0; 1390 1391 return (cur); 1392 } 1393 1394 /* 1395 * Given an original message header with sufficient space following it, and an 1396 * SA, construct a full PF_KEY message with all of the relevant extensions. 1397 * This is mostly used for SADB_GET, and SADB_DUMP. 1398 */ 1399 static mblk_t * 1400 sadb_sa2msg(ipsa_t *ipsa, sadb_msg_t *samsg) 1401 { 1402 int alloclen, addrsize, paddrsize, authsize, encrsize; 1403 int srcidsize, dstidsize; 1404 sa_family_t fam, pfam; /* Address family for SADB_EXT_ADDRESS */ 1405 /* src/dst and proxy sockaddrs. */ 1406 /* 1407 * The following are pointers into the PF_KEY message this PF_KEY 1408 * message creates. 1409 */ 1410 sadb_msg_t *newsamsg; 1411 sadb_sa_t *assoc; 1412 sadb_lifetime_t *lt; 1413 sadb_key_t *key; 1414 sadb_ident_t *ident; 1415 sadb_sens_t *sens; 1416 sadb_ext_t *walker; /* For when we need a generic ext. pointer. */ 1417 sadb_x_replay_ctr_t *repl_ctr; 1418 sadb_x_pair_t *pair_ext; 1419 1420 mblk_t *mp; 1421 uint64_t *bitmap; 1422 uint8_t *cur, *end; 1423 /* These indicate the presence of the above extension fields. */ 1424 boolean_t soft, hard, isrc, idst, auth, encr, sensinteg, srcid, dstid; 1425 boolean_t idle; 1426 boolean_t paired; 1427 uint32_t otherspi; 1428 1429 /* First off, figure out the allocation length for this message. */ 1430 1431 /* 1432 * Constant stuff. This includes base, SA, address (src, dst), 1433 * and lifetime (current). 1434 */ 1435 alloclen = sizeof (sadb_msg_t) + sizeof (sadb_sa_t) + 1436 sizeof (sadb_lifetime_t); 1437 1438 fam = ipsa->ipsa_addrfam; 1439 switch (fam) { 1440 case AF_INET: 1441 addrsize = roundup(sizeof (struct sockaddr_in) + 1442 sizeof (sadb_address_t), sizeof (uint64_t)); 1443 break; 1444 case AF_INET6: 1445 addrsize = roundup(sizeof (struct sockaddr_in6) + 1446 sizeof (sadb_address_t), sizeof (uint64_t)); 1447 break; 1448 default: 1449 return (NULL); 1450 } 1451 /* 1452 * Allocate TWO address extensions, for source and destination. 1453 * (Thus, the * 2.) 1454 */ 1455 alloclen += addrsize * 2; 1456 if (ipsa->ipsa_flags & IPSA_F_NATT_REM) 1457 alloclen += addrsize; 1458 if (ipsa->ipsa_flags & IPSA_F_NATT_LOC) 1459 alloclen += addrsize; 1460 1461 if (ipsa->ipsa_flags & IPSA_F_PAIRED) { 1462 paired = B_TRUE; 1463 alloclen += sizeof (sadb_x_pair_t); 1464 otherspi = ipsa->ipsa_otherspi; 1465 } else { 1466 paired = B_FALSE; 1467 } 1468 1469 /* How 'bout other lifetimes? */ 1470 if (ipsa->ipsa_softaddlt != 0 || ipsa->ipsa_softuselt != 0 || 1471 ipsa->ipsa_softbyteslt != 0 || ipsa->ipsa_softalloc != 0) { 1472 alloclen += sizeof (sadb_lifetime_t); 1473 soft = B_TRUE; 1474 } else { 1475 soft = B_FALSE; 1476 } 1477 1478 if (ipsa->ipsa_hardaddlt != 0 || ipsa->ipsa_harduselt != 0 || 1479 ipsa->ipsa_hardbyteslt != 0 || ipsa->ipsa_hardalloc != 0) { 1480 alloclen += sizeof (sadb_lifetime_t); 1481 hard = B_TRUE; 1482 } else { 1483 hard = B_FALSE; 1484 } 1485 1486 if (ipsa->ipsa_idleaddlt != 0 || ipsa->ipsa_idleuselt != 0) { 1487 alloclen += sizeof (sadb_lifetime_t); 1488 idle = B_TRUE; 1489 } else { 1490 idle = B_FALSE; 1491 } 1492 1493 /* Inner addresses. */ 1494 if (ipsa->ipsa_innerfam == 0) { 1495 isrc = B_FALSE; 1496 idst = B_FALSE; 1497 } else { 1498 pfam = ipsa->ipsa_innerfam; 1499 switch (pfam) { 1500 case AF_INET6: 1501 paddrsize = roundup(sizeof (struct sockaddr_in6) + 1502 sizeof (sadb_address_t), sizeof (uint64_t)); 1503 break; 1504 case AF_INET: 1505 paddrsize = roundup(sizeof (struct sockaddr_in) + 1506 sizeof (sadb_address_t), sizeof (uint64_t)); 1507 break; 1508 default: 1509 cmn_err(CE_PANIC, 1510 "IPsec SADB: Proxy length failure.\n"); 1511 break; 1512 } 1513 isrc = B_TRUE; 1514 idst = B_TRUE; 1515 alloclen += 2 * paddrsize; 1516 } 1517 1518 /* For the following fields, assume that length != 0 ==> stuff */ 1519 if (ipsa->ipsa_authkeylen != 0) { 1520 authsize = roundup(sizeof (sadb_key_t) + ipsa->ipsa_authkeylen, 1521 sizeof (uint64_t)); 1522 alloclen += authsize; 1523 auth = B_TRUE; 1524 } else { 1525 auth = B_FALSE; 1526 } 1527 1528 if (ipsa->ipsa_encrkeylen != 0) { 1529 encrsize = roundup(sizeof (sadb_key_t) + ipsa->ipsa_encrkeylen, 1530 sizeof (uint64_t)); 1531 alloclen += encrsize; 1532 encr = B_TRUE; 1533 } else { 1534 encr = B_FALSE; 1535 } 1536 1537 /* No need for roundup on sens and integ. */ 1538 if (ipsa->ipsa_integlen != 0 || ipsa->ipsa_senslen != 0) { 1539 alloclen += sizeof (sadb_key_t) + ipsa->ipsa_integlen + 1540 ipsa->ipsa_senslen; 1541 sensinteg = B_TRUE; 1542 } else { 1543 sensinteg = B_FALSE; 1544 } 1545 1546 /* 1547 * Must use strlen() here for lengths. Identities use NULL 1548 * pointers to indicate their nonexistence. 1549 */ 1550 if (ipsa->ipsa_src_cid != NULL) { 1551 srcidsize = roundup(sizeof (sadb_ident_t) + 1552 strlen(ipsa->ipsa_src_cid->ipsid_cid) + 1, 1553 sizeof (uint64_t)); 1554 alloclen += srcidsize; 1555 srcid = B_TRUE; 1556 } else { 1557 srcid = B_FALSE; 1558 } 1559 1560 if (ipsa->ipsa_dst_cid != NULL) { 1561 dstidsize = roundup(sizeof (sadb_ident_t) + 1562 strlen(ipsa->ipsa_dst_cid->ipsid_cid) + 1, 1563 sizeof (uint64_t)); 1564 alloclen += dstidsize; 1565 dstid = B_TRUE; 1566 } else { 1567 dstid = B_FALSE; 1568 } 1569 1570 if ((ipsa->ipsa_kmp != 0) || (ipsa->ipsa_kmc != 0)) 1571 alloclen += sizeof (sadb_x_kmc_t); 1572 1573 if (ipsa->ipsa_replay != 0) { 1574 alloclen += sizeof (sadb_x_replay_ctr_t); 1575 } 1576 1577 /* Make sure the allocation length is a multiple of 8 bytes. */ 1578 ASSERT((alloclen & 0x7) == 0); 1579 1580 /* XXX Possibly make it esballoc, with a bzero-ing free_ftn. */ 1581 mp = allocb(alloclen, BPRI_HI); 1582 if (mp == NULL) 1583 return (NULL); 1584 1585 mp->b_wptr += alloclen; 1586 end = mp->b_wptr; 1587 newsamsg = (sadb_msg_t *)mp->b_rptr; 1588 *newsamsg = *samsg; 1589 newsamsg->sadb_msg_len = (uint16_t)SADB_8TO64(alloclen); 1590 1591 mutex_enter(&ipsa->ipsa_lock); /* Since I'm grabbing SA fields... */ 1592 1593 newsamsg->sadb_msg_satype = ipsa->ipsa_type; 1594 1595 assoc = (sadb_sa_t *)(newsamsg + 1); 1596 assoc->sadb_sa_len = SADB_8TO64(sizeof (*assoc)); 1597 assoc->sadb_sa_exttype = SADB_EXT_SA; 1598 assoc->sadb_sa_spi = ipsa->ipsa_spi; 1599 assoc->sadb_sa_replay = ipsa->ipsa_replay_wsize; 1600 assoc->sadb_sa_state = ipsa->ipsa_state; 1601 assoc->sadb_sa_auth = ipsa->ipsa_auth_alg; 1602 assoc->sadb_sa_encrypt = ipsa->ipsa_encr_alg; 1603 assoc->sadb_sa_flags = ipsa->ipsa_flags; 1604 1605 lt = (sadb_lifetime_t *)(assoc + 1); 1606 lt->sadb_lifetime_len = SADB_8TO64(sizeof (*lt)); 1607 lt->sadb_lifetime_exttype = SADB_EXT_LIFETIME_CURRENT; 1608 /* We do not support the concept. */ 1609 lt->sadb_lifetime_allocations = 0; 1610 lt->sadb_lifetime_bytes = ipsa->ipsa_bytes; 1611 lt->sadb_lifetime_addtime = ipsa->ipsa_addtime; 1612 lt->sadb_lifetime_usetime = ipsa->ipsa_usetime; 1613 1614 if (hard) { 1615 lt++; 1616 lt->sadb_lifetime_len = SADB_8TO64(sizeof (*lt)); 1617 lt->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD; 1618 lt->sadb_lifetime_allocations = ipsa->ipsa_hardalloc; 1619 lt->sadb_lifetime_bytes = ipsa->ipsa_hardbyteslt; 1620 lt->sadb_lifetime_addtime = ipsa->ipsa_hardaddlt; 1621 lt->sadb_lifetime_usetime = ipsa->ipsa_harduselt; 1622 } 1623 1624 if (soft) { 1625 lt++; 1626 lt->sadb_lifetime_len = SADB_8TO64(sizeof (*lt)); 1627 lt->sadb_lifetime_exttype = SADB_EXT_LIFETIME_SOFT; 1628 lt->sadb_lifetime_allocations = ipsa->ipsa_softalloc; 1629 lt->sadb_lifetime_bytes = ipsa->ipsa_softbyteslt; 1630 lt->sadb_lifetime_addtime = ipsa->ipsa_softaddlt; 1631 lt->sadb_lifetime_usetime = ipsa->ipsa_softuselt; 1632 } 1633 1634 if (idle) { 1635 lt++; 1636 lt->sadb_lifetime_len = SADB_8TO64(sizeof (*lt)); 1637 lt->sadb_lifetime_exttype = SADB_X_EXT_LIFETIME_IDLE; 1638 lt->sadb_lifetime_addtime = ipsa->ipsa_idleaddlt; 1639 lt->sadb_lifetime_usetime = ipsa->ipsa_idleuselt; 1640 } 1641 1642 cur = (uint8_t *)(lt + 1); 1643 1644 /* NOTE: Don't fill in ports here if we are a tunnel-mode SA. */ 1645 cur = sadb_make_addr_ext(cur, end, SADB_EXT_ADDRESS_SRC, fam, 1646 ipsa->ipsa_srcaddr, (!isrc && !idst) ? SA_SRCPORT(ipsa) : 0, 1647 SA_PROTO(ipsa), 0); 1648 if (cur == NULL) { 1649 freemsg(mp); 1650 mp = NULL; 1651 goto bail; 1652 } 1653 1654 cur = sadb_make_addr_ext(cur, end, SADB_EXT_ADDRESS_DST, fam, 1655 ipsa->ipsa_dstaddr, (!isrc && !idst) ? SA_DSTPORT(ipsa) : 0, 1656 SA_PROTO(ipsa), 0); 1657 if (cur == NULL) { 1658 freemsg(mp); 1659 mp = NULL; 1660 goto bail; 1661 } 1662 1663 if (ipsa->ipsa_flags & IPSA_F_NATT_LOC) { 1664 cur = sadb_make_addr_ext(cur, end, SADB_X_EXT_ADDRESS_NATT_LOC, 1665 fam, &ipsa->ipsa_natt_addr_loc, ipsa->ipsa_local_nat_port, 1666 IPPROTO_UDP, 0); 1667 if (cur == NULL) { 1668 freemsg(mp); 1669 mp = NULL; 1670 goto bail; 1671 } 1672 } 1673 1674 if (ipsa->ipsa_flags & IPSA_F_NATT_REM) { 1675 cur = sadb_make_addr_ext(cur, end, SADB_X_EXT_ADDRESS_NATT_REM, 1676 fam, &ipsa->ipsa_natt_addr_rem, ipsa->ipsa_remote_nat_port, 1677 IPPROTO_UDP, 0); 1678 if (cur == NULL) { 1679 freemsg(mp); 1680 mp = NULL; 1681 goto bail; 1682 } 1683 } 1684 1685 /* If we are a tunnel-mode SA, fill in the inner-selectors. */ 1686 if (isrc) { 1687 cur = sadb_make_addr_ext(cur, end, SADB_X_EXT_ADDRESS_INNER_SRC, 1688 pfam, ipsa->ipsa_innersrc, SA_SRCPORT(ipsa), 1689 SA_IPROTO(ipsa), ipsa->ipsa_innersrcpfx); 1690 if (cur == NULL) { 1691 freemsg(mp); 1692 mp = NULL; 1693 goto bail; 1694 } 1695 } 1696 1697 if (idst) { 1698 cur = sadb_make_addr_ext(cur, end, SADB_X_EXT_ADDRESS_INNER_DST, 1699 pfam, ipsa->ipsa_innerdst, SA_DSTPORT(ipsa), 1700 SA_IPROTO(ipsa), ipsa->ipsa_innerdstpfx); 1701 if (cur == NULL) { 1702 freemsg(mp); 1703 mp = NULL; 1704 goto bail; 1705 } 1706 } 1707 1708 if ((ipsa->ipsa_kmp != 0) || (ipsa->ipsa_kmc != 0)) { 1709 cur = sadb_make_kmc_ext(cur, end, 1710 ipsa->ipsa_kmp, ipsa->ipsa_kmc); 1711 if (cur == NULL) { 1712 freemsg(mp); 1713 mp = NULL; 1714 goto bail; 1715 } 1716 } 1717 1718 walker = (sadb_ext_t *)cur; 1719 if (auth) { 1720 key = (sadb_key_t *)walker; 1721 key->sadb_key_len = SADB_8TO64(authsize); 1722 key->sadb_key_exttype = SADB_EXT_KEY_AUTH; 1723 key->sadb_key_bits = ipsa->ipsa_authkeybits; 1724 key->sadb_key_reserved = 0; 1725 bcopy(ipsa->ipsa_authkey, key + 1, ipsa->ipsa_authkeylen); 1726 walker = (sadb_ext_t *)((uint64_t *)walker + 1727 walker->sadb_ext_len); 1728 } 1729 1730 if (encr) { 1731 key = (sadb_key_t *)walker; 1732 key->sadb_key_len = SADB_8TO64(encrsize); 1733 key->sadb_key_exttype = SADB_EXT_KEY_ENCRYPT; 1734 key->sadb_key_bits = ipsa->ipsa_encrkeybits; 1735 key->sadb_key_reserved = 0; 1736 bcopy(ipsa->ipsa_encrkey, key + 1, ipsa->ipsa_encrkeylen); 1737 walker = (sadb_ext_t *)((uint64_t *)walker + 1738 walker->sadb_ext_len); 1739 } 1740 1741 if (srcid) { 1742 ident = (sadb_ident_t *)walker; 1743 ident->sadb_ident_len = SADB_8TO64(srcidsize); 1744 ident->sadb_ident_exttype = SADB_EXT_IDENTITY_SRC; 1745 ident->sadb_ident_type = ipsa->ipsa_src_cid->ipsid_type; 1746 ident->sadb_ident_id = 0; 1747 ident->sadb_ident_reserved = 0; 1748 (void) strcpy((char *)(ident + 1), 1749 ipsa->ipsa_src_cid->ipsid_cid); 1750 walker = (sadb_ext_t *)((uint64_t *)walker + 1751 walker->sadb_ext_len); 1752 } 1753 1754 if (dstid) { 1755 ident = (sadb_ident_t *)walker; 1756 ident->sadb_ident_len = SADB_8TO64(dstidsize); 1757 ident->sadb_ident_exttype = SADB_EXT_IDENTITY_DST; 1758 ident->sadb_ident_type = ipsa->ipsa_dst_cid->ipsid_type; 1759 ident->sadb_ident_id = 0; 1760 ident->sadb_ident_reserved = 0; 1761 (void) strcpy((char *)(ident + 1), 1762 ipsa->ipsa_dst_cid->ipsid_cid); 1763 walker = (sadb_ext_t *)((uint64_t *)walker + 1764 walker->sadb_ext_len); 1765 } 1766 1767 if (sensinteg) { 1768 sens = (sadb_sens_t *)walker; 1769 sens->sadb_sens_len = SADB_8TO64(sizeof (sadb_sens_t *) + 1770 ipsa->ipsa_senslen + ipsa->ipsa_integlen); 1771 sens->sadb_sens_dpd = ipsa->ipsa_dpd; 1772 sens->sadb_sens_sens_level = ipsa->ipsa_senslevel; 1773 sens->sadb_sens_integ_level = ipsa->ipsa_integlevel; 1774 sens->sadb_sens_sens_len = SADB_8TO64(ipsa->ipsa_senslen); 1775 sens->sadb_sens_integ_len = SADB_8TO64(ipsa->ipsa_integlen); 1776 sens->sadb_sens_reserved = 0; 1777 bitmap = (uint64_t *)(sens + 1); 1778 if (ipsa->ipsa_sens != NULL) { 1779 bcopy(ipsa->ipsa_sens, bitmap, ipsa->ipsa_senslen); 1780 bitmap += sens->sadb_sens_sens_len; 1781 } 1782 if (ipsa->ipsa_integ != NULL) 1783 bcopy(ipsa->ipsa_integ, bitmap, ipsa->ipsa_integlen); 1784 walker = (sadb_ext_t *)((uint64_t *)walker + 1785 walker->sadb_ext_len); 1786 } 1787 1788 if (paired) { 1789 pair_ext = (sadb_x_pair_t *)walker; 1790 1791 pair_ext->sadb_x_pair_len = SADB_8TO64(sizeof (sadb_x_pair_t)); 1792 pair_ext->sadb_x_pair_exttype = SADB_X_EXT_PAIR; 1793 pair_ext->sadb_x_pair_spi = otherspi; 1794 1795 walker = (sadb_ext_t *)((uint64_t *)walker + 1796 walker->sadb_ext_len); 1797 } 1798 1799 if (ipsa->ipsa_replay != 0) { 1800 repl_ctr = (sadb_x_replay_ctr_t *)walker; 1801 repl_ctr->sadb_x_rc_len = SADB_8TO64(sizeof (*repl_ctr)); 1802 repl_ctr->sadb_x_rc_exttype = SADB_X_EXT_REPLAY_VALUE; 1803 repl_ctr->sadb_x_rc_replay32 = ipsa->ipsa_replay; 1804 repl_ctr->sadb_x_rc_replay64 = 0; 1805 walker = (sadb_ext_t *)(repl_ctr + 1); 1806 } 1807 1808 bail: 1809 /* Pardon any delays... */ 1810 mutex_exit(&ipsa->ipsa_lock); 1811 1812 return (mp); 1813 } 1814 1815 /* 1816 * Strip out key headers or unmarked headers (SADB_EXT_KEY_*, SADB_EXT_UNKNOWN) 1817 * and adjust base message accordingly. 1818 * 1819 * Assume message is pulled up in one piece of contiguous memory. 1820 * 1821 * Say if we start off with: 1822 * 1823 * +------+----+-------------+-----------+---------------+---------------+ 1824 * | base | SA | source addr | dest addr | rsrvd. or key | soft lifetime | 1825 * +------+----+-------------+-----------+---------------+---------------+ 1826 * 1827 * we will end up with 1828 * 1829 * +------+----+-------------+-----------+---------------+ 1830 * | base | SA | source addr | dest addr | soft lifetime | 1831 * +------+----+-------------+-----------+---------------+ 1832 */ 1833 static void 1834 sadb_strip(sadb_msg_t *samsg) 1835 { 1836 sadb_ext_t *ext; 1837 uint8_t *target = NULL; 1838 uint8_t *msgend; 1839 int sofar = SADB_8TO64(sizeof (*samsg)); 1840 int copylen; 1841 1842 ext = (sadb_ext_t *)(samsg + 1); 1843 msgend = (uint8_t *)samsg; 1844 msgend += SADB_64TO8(samsg->sadb_msg_len); 1845 while ((uint8_t *)ext < msgend) { 1846 if (ext->sadb_ext_type == SADB_EXT_RESERVED || 1847 ext->sadb_ext_type == SADB_EXT_KEY_AUTH || 1848 ext->sadb_ext_type == SADB_X_EXT_EDUMP || 1849 ext->sadb_ext_type == SADB_EXT_KEY_ENCRYPT) { 1850 /* 1851 * Aha! I found a header to be erased. 1852 */ 1853 1854 if (target != NULL) { 1855 /* 1856 * If I had a previous header to be erased, 1857 * copy over it. I can get away with just 1858 * copying backwards because the target will 1859 * always be 8 bytes behind the source. 1860 */ 1861 copylen = ((uint8_t *)ext) - (target + 1862 SADB_64TO8( 1863 ((sadb_ext_t *)target)->sadb_ext_len)); 1864 ovbcopy(((uint8_t *)ext - copylen), target, 1865 copylen); 1866 target += copylen; 1867 ((sadb_ext_t *)target)->sadb_ext_len = 1868 SADB_8TO64(((uint8_t *)ext) - target + 1869 SADB_64TO8(ext->sadb_ext_len)); 1870 } else { 1871 target = (uint8_t *)ext; 1872 } 1873 } else { 1874 sofar += ext->sadb_ext_len; 1875 } 1876 1877 ext = (sadb_ext_t *)(((uint64_t *)ext) + ext->sadb_ext_len); 1878 } 1879 1880 ASSERT((uint8_t *)ext == msgend); 1881 1882 if (target != NULL) { 1883 copylen = ((uint8_t *)ext) - (target + 1884 SADB_64TO8(((sadb_ext_t *)target)->sadb_ext_len)); 1885 if (copylen != 0) 1886 ovbcopy(((uint8_t *)ext - copylen), target, copylen); 1887 } 1888 1889 /* Adjust samsg. */ 1890 samsg->sadb_msg_len = (uint16_t)sofar; 1891 1892 /* Assume all of the rest is cleared by caller in sadb_pfkey_echo(). */ 1893 } 1894 1895 /* 1896 * AH needs to send an error to PF_KEY. Assume mp points to an M_CTL 1897 * followed by an M_DATA with a PF_KEY message in it. The serial of 1898 * the sending keysock instance is included. 1899 */ 1900 void 1901 sadb_pfkey_error(queue_t *pfkey_q, mblk_t *mp, int error, int diagnostic, 1902 uint_t serial) 1903 { 1904 mblk_t *msg = mp->b_cont; 1905 sadb_msg_t *samsg; 1906 keysock_out_t *kso; 1907 1908 /* 1909 * Enough functions call this to merit a NULL queue check. 1910 */ 1911 if (pfkey_q == NULL) { 1912 freemsg(mp); 1913 return; 1914 } 1915 1916 ASSERT(msg != NULL); 1917 ASSERT((mp->b_wptr - mp->b_rptr) == sizeof (ipsec_info_t)); 1918 ASSERT((msg->b_wptr - msg->b_rptr) >= sizeof (sadb_msg_t)); 1919 samsg = (sadb_msg_t *)msg->b_rptr; 1920 kso = (keysock_out_t *)mp->b_rptr; 1921 1922 kso->ks_out_type = KEYSOCK_OUT; 1923 kso->ks_out_len = sizeof (*kso); 1924 kso->ks_out_serial = serial; 1925 1926 /* 1927 * Only send the base message up in the event of an error. 1928 * Don't worry about bzero()-ing, because it was probably bogus 1929 * anyway. 1930 */ 1931 msg->b_wptr = msg->b_rptr + sizeof (*samsg); 1932 samsg = (sadb_msg_t *)msg->b_rptr; 1933 samsg->sadb_msg_len = SADB_8TO64(sizeof (*samsg)); 1934 samsg->sadb_msg_errno = (uint8_t)error; 1935 if (diagnostic != SADB_X_DIAGNOSTIC_PRESET) 1936 samsg->sadb_x_msg_diagnostic = (uint16_t)diagnostic; 1937 1938 putnext(pfkey_q, mp); 1939 } 1940 1941 /* 1942 * Send a successful return packet back to keysock via the queue in pfkey_q. 1943 * 1944 * Often, an SA is associated with the reply message, it's passed in if needed, 1945 * and NULL if not. BTW, that ipsa will have its refcnt appropriately held, 1946 * and the caller will release said refcnt. 1947 */ 1948 void 1949 sadb_pfkey_echo(queue_t *pfkey_q, mblk_t *mp, sadb_msg_t *samsg, 1950 keysock_in_t *ksi, ipsa_t *ipsa) 1951 { 1952 keysock_out_t *kso; 1953 mblk_t *mp1; 1954 sadb_msg_t *newsamsg; 1955 uint8_t *oldend; 1956 1957 ASSERT((mp->b_cont != NULL) && 1958 ((void *)samsg == (void *)mp->b_cont->b_rptr) && 1959 ((void *)mp->b_rptr == (void *)ksi)); 1960 1961 switch (samsg->sadb_msg_type) { 1962 case SADB_ADD: 1963 case SADB_UPDATE: 1964 case SADB_X_UPDATEPAIR: 1965 case SADB_X_DELPAIR_STATE: 1966 case SADB_FLUSH: 1967 case SADB_DUMP: 1968 /* 1969 * I have all of the message already. I just need to strip 1970 * out the keying material and echo the message back. 1971 * 1972 * NOTE: for SADB_DUMP, the function sadb_dump() did the 1973 * work. When DUMP reaches here, it should only be a base 1974 * message. 1975 */ 1976 justecho: 1977 if (ksi->ks_in_extv[SADB_EXT_KEY_AUTH] != NULL || 1978 ksi->ks_in_extv[SADB_EXT_KEY_ENCRYPT] != NULL || 1979 ksi->ks_in_extv[SADB_X_EXT_EDUMP] != NULL) { 1980 sadb_strip(samsg); 1981 /* Assume PF_KEY message is contiguous. */ 1982 ASSERT(mp->b_cont->b_cont == NULL); 1983 oldend = mp->b_cont->b_wptr; 1984 mp->b_cont->b_wptr = mp->b_cont->b_rptr + 1985 SADB_64TO8(samsg->sadb_msg_len); 1986 bzero(mp->b_cont->b_wptr, oldend - mp->b_cont->b_wptr); 1987 } 1988 break; 1989 case SADB_GET: 1990 /* 1991 * Do a lot of work here, because of the ipsa I just found. 1992 * First construct the new PF_KEY message, then abandon 1993 * the old one. 1994 */ 1995 mp1 = sadb_sa2msg(ipsa, samsg); 1996 if (mp1 == NULL) { 1997 sadb_pfkey_error(pfkey_q, mp, ENOMEM, 1998 SADB_X_DIAGNOSTIC_NONE, ksi->ks_in_serial); 1999 return; 2000 } 2001 freemsg(mp->b_cont); 2002 mp->b_cont = mp1; 2003 break; 2004 case SADB_DELETE: 2005 case SADB_X_DELPAIR: 2006 if (ipsa == NULL) 2007 goto justecho; 2008 /* 2009 * Because listening KMds may require more info, treat 2010 * DELETE like a special case of GET. 2011 */ 2012 mp1 = sadb_sa2msg(ipsa, samsg); 2013 if (mp1 == NULL) { 2014 sadb_pfkey_error(pfkey_q, mp, ENOMEM, 2015 SADB_X_DIAGNOSTIC_NONE, ksi->ks_in_serial); 2016 return; 2017 } 2018 newsamsg = (sadb_msg_t *)mp1->b_rptr; 2019 sadb_strip(newsamsg); 2020 oldend = mp1->b_wptr; 2021 mp1->b_wptr = mp1->b_rptr + SADB_64TO8(newsamsg->sadb_msg_len); 2022 bzero(mp1->b_wptr, oldend - mp1->b_wptr); 2023 freemsg(mp->b_cont); 2024 mp->b_cont = mp1; 2025 break; 2026 default: 2027 if (mp != NULL) 2028 freemsg(mp); 2029 return; 2030 } 2031 2032 /* ksi is now null and void. */ 2033 kso = (keysock_out_t *)ksi; 2034 kso->ks_out_type = KEYSOCK_OUT; 2035 kso->ks_out_len = sizeof (*kso); 2036 kso->ks_out_serial = ksi->ks_in_serial; 2037 /* We're ready to send... */ 2038 putnext(pfkey_q, mp); 2039 } 2040 2041 /* 2042 * Set up a global pfkey_q instance for AH, ESP, or some other consumer. 2043 */ 2044 void 2045 sadb_keysock_hello(queue_t **pfkey_qp, queue_t *q, mblk_t *mp, 2046 void (*ager)(void *), void *agerarg, timeout_id_t *top, int satype) 2047 { 2048 keysock_hello_ack_t *kha; 2049 queue_t *oldq; 2050 2051 ASSERT(OTHERQ(q) != NULL); 2052 2053 /* 2054 * First, check atomically that I'm the first and only keysock 2055 * instance. 2056 * 2057 * Use OTHERQ(q), because qreply(q, mp) == putnext(OTHERQ(q), mp), 2058 * and I want this module to say putnext(*_pfkey_q, mp) for PF_KEY 2059 * messages. 2060 */ 2061 2062 oldq = casptr((void **)pfkey_qp, NULL, OTHERQ(q)); 2063 if (oldq != NULL) { 2064 ASSERT(oldq != q); 2065 cmn_err(CE_WARN, "Danger! Multiple keysocks on top of %s.\n", 2066 (satype == SADB_SATYPE_ESP)? "ESP" : "AH or other"); 2067 freemsg(mp); 2068 return; 2069 } 2070 2071 kha = (keysock_hello_ack_t *)mp->b_rptr; 2072 kha->ks_hello_len = sizeof (keysock_hello_ack_t); 2073 kha->ks_hello_type = KEYSOCK_HELLO_ACK; 2074 kha->ks_hello_satype = (uint8_t)satype; 2075 2076 /* 2077 * If we made it past the casptr, then we have "exclusive" access 2078 * to the timeout handle. Fire it off after the default ager 2079 * interval. 2080 */ 2081 *top = qtimeout(*pfkey_qp, ager, agerarg, 2082 drv_usectohz(SADB_AGE_INTERVAL_DEFAULT * 1000)); 2083 2084 putnext(*pfkey_qp, mp); 2085 } 2086 2087 /* 2088 * Normalize IPv4-mapped IPv6 addresses (and prefixes) as appropriate. 2089 * 2090 * Check addresses themselves for wildcard or multicast. 2091 * Check ire table for local/non-local/broadcast. 2092 */ 2093 int 2094 sadb_addrcheck(queue_t *pfkey_q, mblk_t *mp, sadb_ext_t *ext, uint_t serial, 2095 netstack_t *ns) 2096 { 2097 sadb_address_t *addr = (sadb_address_t *)ext; 2098 struct sockaddr_in *sin; 2099 struct sockaddr_in6 *sin6; 2100 ire_t *ire; 2101 int diagnostic, type; 2102 boolean_t normalized = B_FALSE; 2103 2104 ASSERT(ext != NULL); 2105 ASSERT((ext->sadb_ext_type == SADB_EXT_ADDRESS_SRC) || 2106 (ext->sadb_ext_type == SADB_EXT_ADDRESS_DST) || 2107 (ext->sadb_ext_type == SADB_X_EXT_ADDRESS_INNER_SRC) || 2108 (ext->sadb_ext_type == SADB_X_EXT_ADDRESS_INNER_DST) || 2109 (ext->sadb_ext_type == SADB_X_EXT_ADDRESS_NATT_LOC) || 2110 (ext->sadb_ext_type == SADB_X_EXT_ADDRESS_NATT_REM)); 2111 2112 /* Assign both sockaddrs, the compiler will do the right thing. */ 2113 sin = (struct sockaddr_in *)(addr + 1); 2114 sin6 = (struct sockaddr_in6 *)(addr + 1); 2115 2116 if (sin6->sin6_family == AF_INET6) { 2117 if (IN6_IS_ADDR_V4MAPPED(&sin6->sin6_addr)) { 2118 /* 2119 * Convert to an AF_INET sockaddr. This means the 2120 * return messages will have the extra space, but have 2121 * AF_INET sockaddrs instead of AF_INET6. 2122 * 2123 * Yes, RFC 2367 isn't clear on what to do here w.r.t. 2124 * mapped addresses, but since AF_INET6 ::ffff:<v4> is 2125 * equal to AF_INET <v4>, it shouldnt be a huge 2126 * problem. 2127 */ 2128 sin->sin_family = AF_INET; 2129 IN6_V4MAPPED_TO_INADDR(&sin6->sin6_addr, 2130 &sin->sin_addr); 2131 bzero(&sin->sin_zero, sizeof (sin->sin_zero)); 2132 normalized = B_TRUE; 2133 } 2134 } else if (sin->sin_family != AF_INET) { 2135 switch (ext->sadb_ext_type) { 2136 case SADB_EXT_ADDRESS_SRC: 2137 diagnostic = SADB_X_DIAGNOSTIC_BAD_SRC_AF; 2138 break; 2139 case SADB_EXT_ADDRESS_DST: 2140 diagnostic = SADB_X_DIAGNOSTIC_BAD_DST_AF; 2141 break; 2142 case SADB_X_EXT_ADDRESS_INNER_SRC: 2143 diagnostic = SADB_X_DIAGNOSTIC_BAD_PROXY_AF; 2144 break; 2145 case SADB_X_EXT_ADDRESS_INNER_DST: 2146 diagnostic = SADB_X_DIAGNOSTIC_BAD_INNER_DST_AF; 2147 break; 2148 case SADB_X_EXT_ADDRESS_NATT_LOC: 2149 diagnostic = SADB_X_DIAGNOSTIC_BAD_NATT_LOC_AF; 2150 break; 2151 case SADB_X_EXT_ADDRESS_NATT_REM: 2152 diagnostic = SADB_X_DIAGNOSTIC_BAD_NATT_REM_AF; 2153 break; 2154 /* There is no default, see above ASSERT. */ 2155 } 2156 bail: 2157 if (pfkey_q != NULL) { 2158 sadb_pfkey_error(pfkey_q, mp, EINVAL, diagnostic, 2159 serial); 2160 } else { 2161 /* 2162 * Scribble in sadb_msg that we got passed in. 2163 * Overload "mp" to be an sadb_msg pointer. 2164 */ 2165 sadb_msg_t *samsg = (sadb_msg_t *)mp; 2166 2167 samsg->sadb_msg_errno = EINVAL; 2168 samsg->sadb_x_msg_diagnostic = diagnostic; 2169 } 2170 return (KS_IN_ADDR_UNKNOWN); 2171 } 2172 2173 if (ext->sadb_ext_type == SADB_X_EXT_ADDRESS_INNER_SRC || 2174 ext->sadb_ext_type == SADB_X_EXT_ADDRESS_INNER_DST) { 2175 /* 2176 * We need only check for prefix issues. 2177 */ 2178 2179 /* Set diagnostic now, in case we need it later. */ 2180 diagnostic = 2181 (ext->sadb_ext_type == SADB_X_EXT_ADDRESS_INNER_SRC) ? 2182 SADB_X_DIAGNOSTIC_PREFIX_INNER_SRC : 2183 SADB_X_DIAGNOSTIC_PREFIX_INNER_DST; 2184 2185 if (normalized) 2186 addr->sadb_address_prefixlen -= 96; 2187 2188 /* 2189 * Verify and mask out inner-addresses based on prefix length. 2190 */ 2191 if (sin->sin_family == AF_INET) { 2192 if (addr->sadb_address_prefixlen > 32) 2193 goto bail; 2194 sin->sin_addr.s_addr &= 2195 ip_plen_to_mask(addr->sadb_address_prefixlen); 2196 } else { 2197 in6_addr_t mask; 2198 2199 ASSERT(sin->sin_family == AF_INET6); 2200 /* 2201 * ip_plen_to_mask_v6() returns NULL if the value in 2202 * question is out of range. 2203 */ 2204 if (ip_plen_to_mask_v6(addr->sadb_address_prefixlen, 2205 &mask) == NULL) 2206 goto bail; 2207 sin6->sin6_addr.s6_addr32[0] &= mask.s6_addr32[0]; 2208 sin6->sin6_addr.s6_addr32[1] &= mask.s6_addr32[1]; 2209 sin6->sin6_addr.s6_addr32[2] &= mask.s6_addr32[2]; 2210 sin6->sin6_addr.s6_addr32[3] &= mask.s6_addr32[3]; 2211 } 2212 2213 /* We don't care in these cases. */ 2214 return (KS_IN_ADDR_DONTCARE); 2215 } 2216 2217 if (sin->sin_family == AF_INET6) { 2218 /* Check the easy ones now. */ 2219 if (IN6_IS_ADDR_MULTICAST(&sin6->sin6_addr)) 2220 return (KS_IN_ADDR_MBCAST); 2221 if (IN6_IS_ADDR_UNSPECIFIED(&sin6->sin6_addr)) 2222 return (KS_IN_ADDR_UNSPEC); 2223 /* 2224 * At this point, we're a unicast IPv6 address. 2225 * 2226 * A ctable lookup for local is sufficient here. If we're 2227 * local, return KS_IN_ADDR_ME, otherwise KS_IN_ADDR_NOTME. 2228 * 2229 * XXX Zones alert -> me/notme decision needs to be tempered 2230 * by what zone we're in when we go to zone-aware IPsec. 2231 */ 2232 ire = ire_ctable_lookup_v6(&sin6->sin6_addr, NULL, 2233 IRE_LOCAL, NULL, ALL_ZONES, NULL, MATCH_IRE_TYPE, 2234 ns->netstack_ip); 2235 if (ire != NULL) { 2236 /* Hey hey, it's local. */ 2237 IRE_REFRELE(ire); 2238 return (KS_IN_ADDR_ME); 2239 } 2240 } else { 2241 ASSERT(sin->sin_family == AF_INET); 2242 if (sin->sin_addr.s_addr == INADDR_ANY) 2243 return (KS_IN_ADDR_UNSPEC); 2244 if (CLASSD(sin->sin_addr.s_addr)) 2245 return (KS_IN_ADDR_MBCAST); 2246 /* 2247 * At this point we're a unicast or broadcast IPv4 address. 2248 * 2249 * Lookup on the ctable for IRE_BROADCAST or IRE_LOCAL. 2250 * A NULL return value is NOTME, otherwise, look at the 2251 * returned ire for broadcast or not and return accordingly. 2252 * 2253 * XXX Zones alert -> me/notme decision needs to be tempered 2254 * by what zone we're in when we go to zone-aware IPsec. 2255 */ 2256 ire = ire_ctable_lookup(sin->sin_addr.s_addr, 0, 2257 IRE_LOCAL | IRE_BROADCAST, NULL, ALL_ZONES, NULL, 2258 MATCH_IRE_TYPE, ns->netstack_ip); 2259 if (ire != NULL) { 2260 /* Check for local or broadcast */ 2261 type = ire->ire_type; 2262 IRE_REFRELE(ire); 2263 ASSERT(type == IRE_LOCAL || type == IRE_BROADCAST); 2264 return ((type == IRE_LOCAL) ? KS_IN_ADDR_ME : 2265 KS_IN_ADDR_MBCAST); 2266 } 2267 } 2268 2269 return (KS_IN_ADDR_NOTME); 2270 } 2271 2272 /* 2273 * Address normalizations and reality checks for inbound PF_KEY messages. 2274 * 2275 * For the case of src == unspecified AF_INET6, and dst == AF_INET, convert 2276 * the source to AF_INET. Do the same for the inner sources. 2277 */ 2278 boolean_t 2279 sadb_addrfix(keysock_in_t *ksi, queue_t *pfkey_q, mblk_t *mp, netstack_t *ns) 2280 { 2281 struct sockaddr_in *src, *isrc; 2282 struct sockaddr_in6 *dst, *idst; 2283 sadb_address_t *srcext, *dstext; 2284 uint16_t sport; 2285 sadb_ext_t **extv = ksi->ks_in_extv; 2286 int rc; 2287 2288 if (extv[SADB_EXT_ADDRESS_SRC] != NULL) { 2289 rc = sadb_addrcheck(pfkey_q, mp, extv[SADB_EXT_ADDRESS_SRC], 2290 ksi->ks_in_serial, ns); 2291 if (rc == KS_IN_ADDR_UNKNOWN) 2292 return (B_FALSE); 2293 if (rc == KS_IN_ADDR_MBCAST) { 2294 sadb_pfkey_error(pfkey_q, mp, EINVAL, 2295 SADB_X_DIAGNOSTIC_BAD_SRC, ksi->ks_in_serial); 2296 return (B_FALSE); 2297 } 2298 ksi->ks_in_srctype = rc; 2299 } 2300 2301 if (extv[SADB_EXT_ADDRESS_DST] != NULL) { 2302 rc = sadb_addrcheck(pfkey_q, mp, extv[SADB_EXT_ADDRESS_DST], 2303 ksi->ks_in_serial, ns); 2304 if (rc == KS_IN_ADDR_UNKNOWN) 2305 return (B_FALSE); 2306 if (rc == KS_IN_ADDR_UNSPEC) { 2307 sadb_pfkey_error(pfkey_q, mp, EINVAL, 2308 SADB_X_DIAGNOSTIC_BAD_DST, ksi->ks_in_serial); 2309 return (B_FALSE); 2310 } 2311 ksi->ks_in_dsttype = rc; 2312 } 2313 2314 /* 2315 * NAT-Traversal addrs are simple enough to not require all of 2316 * the checks in sadb_addrcheck(). Just normalize or reject if not 2317 * AF_INET. 2318 */ 2319 if (extv[SADB_X_EXT_ADDRESS_NATT_LOC] != NULL) { 2320 rc = sadb_addrcheck(pfkey_q, mp, 2321 extv[SADB_X_EXT_ADDRESS_NATT_LOC], ksi->ks_in_serial, ns); 2322 2323 /* 2324 * Local NAT-T addresses never use an IRE_LOCAL, so it should 2325 * always be NOTME, or UNSPEC (to handle both tunnel mode 2326 * AND local-port flexibility). 2327 */ 2328 if (rc != KS_IN_ADDR_NOTME && rc != KS_IN_ADDR_UNSPEC) { 2329 sadb_pfkey_error(pfkey_q, mp, EINVAL, 2330 SADB_X_DIAGNOSTIC_MALFORMED_NATT_LOC, 2331 ksi->ks_in_serial); 2332 return (B_FALSE); 2333 } 2334 src = (struct sockaddr_in *) 2335 (((sadb_address_t *)extv[SADB_X_EXT_ADDRESS_NATT_LOC]) + 1); 2336 if (src->sin_family != AF_INET) { 2337 sadb_pfkey_error(pfkey_q, mp, EINVAL, 2338 SADB_X_DIAGNOSTIC_BAD_NATT_LOC_AF, 2339 ksi->ks_in_serial); 2340 return (B_FALSE); 2341 } 2342 } 2343 2344 if (extv[SADB_X_EXT_ADDRESS_NATT_REM] != NULL) { 2345 rc = sadb_addrcheck(pfkey_q, mp, 2346 extv[SADB_X_EXT_ADDRESS_NATT_REM], ksi->ks_in_serial, ns); 2347 2348 /* 2349 * Remote NAT-T addresses never use an IRE_LOCAL, so it should 2350 * always be NOTME, or UNSPEC if it's a tunnel-mode SA. 2351 */ 2352 if (rc != KS_IN_ADDR_NOTME && 2353 !(extv[SADB_X_EXT_ADDRESS_INNER_SRC] != NULL && 2354 rc == KS_IN_ADDR_UNSPEC)) { 2355 sadb_pfkey_error(pfkey_q, mp, EINVAL, 2356 SADB_X_DIAGNOSTIC_MALFORMED_NATT_REM, 2357 ksi->ks_in_serial); 2358 return (B_FALSE); 2359 } 2360 src = (struct sockaddr_in *) 2361 (((sadb_address_t *)extv[SADB_X_EXT_ADDRESS_NATT_REM]) + 1); 2362 if (src->sin_family != AF_INET) { 2363 sadb_pfkey_error(pfkey_q, mp, EINVAL, 2364 SADB_X_DIAGNOSTIC_BAD_NATT_REM_AF, 2365 ksi->ks_in_serial); 2366 return (B_FALSE); 2367 } 2368 } 2369 2370 if (extv[SADB_X_EXT_ADDRESS_INNER_SRC] != NULL) { 2371 if (extv[SADB_X_EXT_ADDRESS_INNER_DST] == NULL) { 2372 sadb_pfkey_error(pfkey_q, mp, EINVAL, 2373 SADB_X_DIAGNOSTIC_MISSING_INNER_DST, 2374 ksi->ks_in_serial); 2375 return (B_FALSE); 2376 } 2377 2378 if (sadb_addrcheck(pfkey_q, mp, 2379 extv[SADB_X_EXT_ADDRESS_INNER_DST], ksi->ks_in_serial, ns) 2380 == KS_IN_ADDR_UNKNOWN || 2381 sadb_addrcheck(pfkey_q, mp, 2382 extv[SADB_X_EXT_ADDRESS_INNER_SRC], ksi->ks_in_serial, ns) 2383 == KS_IN_ADDR_UNKNOWN) 2384 return (B_FALSE); 2385 2386 isrc = (struct sockaddr_in *) 2387 (((sadb_address_t *)extv[SADB_X_EXT_ADDRESS_INNER_SRC]) + 2388 1); 2389 idst = (struct sockaddr_in6 *) 2390 (((sadb_address_t *)extv[SADB_X_EXT_ADDRESS_INNER_DST]) + 2391 1); 2392 if (isrc->sin_family != idst->sin6_family) { 2393 sadb_pfkey_error(pfkey_q, mp, EINVAL, 2394 SADB_X_DIAGNOSTIC_INNER_AF_MISMATCH, 2395 ksi->ks_in_serial); 2396 return (B_FALSE); 2397 } 2398 } else if (extv[SADB_X_EXT_ADDRESS_INNER_DST] != NULL) { 2399 sadb_pfkey_error(pfkey_q, mp, EINVAL, 2400 SADB_X_DIAGNOSTIC_MISSING_INNER_SRC, 2401 ksi->ks_in_serial); 2402 return (B_FALSE); 2403 } else { 2404 isrc = NULL; /* For inner/outer port check below. */ 2405 } 2406 2407 dstext = (sadb_address_t *)extv[SADB_EXT_ADDRESS_DST]; 2408 srcext = (sadb_address_t *)extv[SADB_EXT_ADDRESS_SRC]; 2409 2410 if (dstext == NULL || srcext == NULL) 2411 return (B_TRUE); 2412 2413 dst = (struct sockaddr_in6 *)(dstext + 1); 2414 src = (struct sockaddr_in *)(srcext + 1); 2415 2416 if (isrc != NULL && 2417 (isrc->sin_port != 0 || idst->sin6_port != 0) && 2418 (src->sin_port != 0 || dst->sin6_port != 0)) { 2419 /* Can't set inner and outer ports in one SA. */ 2420 sadb_pfkey_error(pfkey_q, mp, EINVAL, 2421 SADB_X_DIAGNOSTIC_DUAL_PORT_SETS, 2422 ksi->ks_in_serial); 2423 return (B_FALSE); 2424 } 2425 2426 if (dst->sin6_family == src->sin_family) 2427 return (B_TRUE); 2428 2429 if (srcext->sadb_address_proto != dstext->sadb_address_proto) { 2430 if (srcext->sadb_address_proto == 0) { 2431 srcext->sadb_address_proto = dstext->sadb_address_proto; 2432 } else if (dstext->sadb_address_proto == 0) { 2433 dstext->sadb_address_proto = srcext->sadb_address_proto; 2434 } else { 2435 /* Inequal protocols, neither were 0. Report error. */ 2436 sadb_pfkey_error(pfkey_q, mp, EINVAL, 2437 SADB_X_DIAGNOSTIC_PROTO_MISMATCH, 2438 ksi->ks_in_serial); 2439 return (B_FALSE); 2440 } 2441 } 2442 2443 /* 2444 * With the exception of an unspec IPv6 source and an IPv4 2445 * destination, address families MUST me matched. 2446 */ 2447 if (src->sin_family == AF_INET || 2448 ksi->ks_in_srctype != KS_IN_ADDR_UNSPEC) { 2449 sadb_pfkey_error(pfkey_q, mp, EINVAL, 2450 SADB_X_DIAGNOSTIC_AF_MISMATCH, ksi->ks_in_serial); 2451 return (B_FALSE); 2452 } 2453 2454 /* 2455 * Convert "src" to AF_INET INADDR_ANY. We rely on sin_port being 2456 * in the same place for sockaddr_in and sockaddr_in6. 2457 */ 2458 sport = src->sin_port; 2459 bzero(src, sizeof (*src)); 2460 src->sin_family = AF_INET; 2461 src->sin_port = sport; 2462 2463 return (B_TRUE); 2464 } 2465 2466 /* 2467 * Set the results in "addrtype", given an IRE as requested by 2468 * sadb_addrcheck(). 2469 */ 2470 int 2471 sadb_addrset(ire_t *ire) 2472 { 2473 if ((ire->ire_type & IRE_BROADCAST) || 2474 (ire->ire_ipversion == IPV4_VERSION && CLASSD(ire->ire_addr)) || 2475 (ire->ire_ipversion == IPV6_VERSION && 2476 IN6_IS_ADDR_MULTICAST(&(ire->ire_addr_v6)))) 2477 return (KS_IN_ADDR_MBCAST); 2478 if (ire->ire_type & (IRE_LOCAL | IRE_LOOPBACK)) 2479 return (KS_IN_ADDR_ME); 2480 return (KS_IN_ADDR_NOTME); 2481 } 2482 2483 2484 /* 2485 * Walker callback function to delete sa's based on src/dst address. 2486 * Assumes that we're called with *head locked, no other locks held; 2487 * Conveniently, and not coincidentally, this is both what sadb_walker 2488 * gives us and also what sadb_unlinkassoc expects. 2489 */ 2490 2491 struct sadb_purge_state 2492 { 2493 uint32_t *src; 2494 uint32_t *dst; 2495 sa_family_t af; 2496 boolean_t inbnd; 2497 char *sidstr; 2498 char *didstr; 2499 uint16_t sidtype; 2500 uint16_t didtype; 2501 uint32_t kmproto; 2502 uint8_t sadb_sa_state; 2503 mblk_t *mq; 2504 sadb_t *sp; 2505 }; 2506 2507 static void 2508 sadb_purge_cb(isaf_t *head, ipsa_t *entry, void *cookie) 2509 { 2510 struct sadb_purge_state *ps = (struct sadb_purge_state *)cookie; 2511 2512 ASSERT(MUTEX_HELD(&head->isaf_lock)); 2513 2514 mutex_enter(&entry->ipsa_lock); 2515 2516 if ((entry->ipsa_state == IPSA_STATE_LARVAL) || 2517 (ps->src != NULL && 2518 !IPSA_ARE_ADDR_EQUAL(entry->ipsa_srcaddr, ps->src, ps->af)) || 2519 (ps->dst != NULL && 2520 !IPSA_ARE_ADDR_EQUAL(entry->ipsa_dstaddr, ps->dst, ps->af)) || 2521 (ps->didstr != NULL && (entry->ipsa_dst_cid != NULL) && 2522 !(ps->didtype == entry->ipsa_dst_cid->ipsid_type && 2523 strcmp(ps->didstr, entry->ipsa_dst_cid->ipsid_cid) == 0)) || 2524 (ps->sidstr != NULL && (entry->ipsa_src_cid != NULL) && 2525 !(ps->sidtype == entry->ipsa_src_cid->ipsid_type && 2526 strcmp(ps->sidstr, entry->ipsa_src_cid->ipsid_cid) == 0)) || 2527 (ps->kmproto <= SADB_X_KMP_MAX && ps->kmproto != entry->ipsa_kmp)) { 2528 mutex_exit(&entry->ipsa_lock); 2529 return; 2530 } 2531 2532 if (ps->inbnd) { 2533 sadb_delete_cluster(entry); 2534 } 2535 entry->ipsa_state = IPSA_STATE_DEAD; 2536 (void) sadb_torch_assoc(head, entry, ps->inbnd, &ps->mq); 2537 } 2538 2539 /* 2540 * Common code to purge an SA with a matching src or dst address. 2541 * Don't kill larval SA's in such a purge. 2542 */ 2543 int 2544 sadb_purge_sa(mblk_t *mp, keysock_in_t *ksi, sadb_t *sp, queue_t *pfkey_q, 2545 queue_t *ip_q) 2546 { 2547 sadb_address_t *dstext = 2548 (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_DST]; 2549 sadb_address_t *srcext = 2550 (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_SRC]; 2551 sadb_ident_t *dstid = 2552 (sadb_ident_t *)ksi->ks_in_extv[SADB_EXT_IDENTITY_DST]; 2553 sadb_ident_t *srcid = 2554 (sadb_ident_t *)ksi->ks_in_extv[SADB_EXT_IDENTITY_SRC]; 2555 sadb_x_kmc_t *kmc = 2556 (sadb_x_kmc_t *)ksi->ks_in_extv[SADB_X_EXT_KM_COOKIE]; 2557 struct sockaddr_in *src, *dst; 2558 struct sockaddr_in6 *src6, *dst6; 2559 struct sadb_purge_state ps; 2560 2561 /* 2562 * Don't worry about IPv6 v4-mapped addresses, sadb_addrcheck() 2563 * takes care of them. 2564 */ 2565 2566 /* enforced by caller */ 2567 ASSERT((dstext != NULL) || (srcext != NULL)); 2568 2569 ps.src = NULL; 2570 ps.dst = NULL; 2571 #ifdef DEBUG 2572 ps.af = (sa_family_t)-1; 2573 #endif 2574 ps.mq = NULL; 2575 ps.sidstr = NULL; 2576 ps.didstr = NULL; 2577 ps.kmproto = SADB_X_KMP_MAX + 1; 2578 2579 if (dstext != NULL) { 2580 dst = (struct sockaddr_in *)(dstext + 1); 2581 ps.af = dst->sin_family; 2582 if (dst->sin_family == AF_INET6) { 2583 dst6 = (struct sockaddr_in6 *)dst; 2584 ps.dst = (uint32_t *)&dst6->sin6_addr; 2585 } else { 2586 ps.dst = (uint32_t *)&dst->sin_addr; 2587 } 2588 } 2589 2590 if (srcext != NULL) { 2591 src = (struct sockaddr_in *)(srcext + 1); 2592 ps.af = src->sin_family; 2593 if (src->sin_family == AF_INET6) { 2594 src6 = (struct sockaddr_in6 *)(srcext + 1); 2595 ps.src = (uint32_t *)&src6->sin6_addr; 2596 } else { 2597 ps.src = (uint32_t *)&src->sin_addr; 2598 } 2599 ASSERT(dstext == NULL || src->sin_family == dst->sin_family); 2600 } 2601 2602 ASSERT(ps.af != (sa_family_t)-1); 2603 2604 if (dstid != NULL) { 2605 /* 2606 * NOTE: May need to copy string in the future 2607 * if the inbound keysock message disappears for some strange 2608 * reason. 2609 */ 2610 ps.didstr = (char *)(dstid + 1); 2611 ps.didtype = dstid->sadb_ident_type; 2612 } 2613 2614 if (srcid != NULL) { 2615 /* 2616 * NOTE: May need to copy string in the future 2617 * if the inbound keysock message disappears for some strange 2618 * reason. 2619 */ 2620 ps.sidstr = (char *)(srcid + 1); 2621 ps.sidtype = srcid->sadb_ident_type; 2622 } 2623 2624 if (kmc != NULL) 2625 ps.kmproto = kmc->sadb_x_kmc_proto; 2626 2627 /* 2628 * This is simple, crude, and effective. 2629 * Unimplemented optimizations (TBD): 2630 * - we can limit how many places we search based on where we 2631 * think the SA is filed. 2632 * - if we get a dst address, we can hash based on dst addr to find 2633 * the correct bucket in the outbound table. 2634 */ 2635 ps.inbnd = B_TRUE; 2636 sadb_walker(sp->sdb_if, sp->sdb_hashsize, sadb_purge_cb, &ps); 2637 ps.inbnd = B_FALSE; 2638 sadb_walker(sp->sdb_of, sp->sdb_hashsize, sadb_purge_cb, &ps); 2639 2640 if (ps.mq != NULL) 2641 sadb_drain_torchq(ip_q, ps.mq); 2642 2643 ASSERT(mp->b_cont != NULL); 2644 sadb_pfkey_echo(pfkey_q, mp, (sadb_msg_t *)mp->b_cont->b_rptr, ksi, 2645 NULL); 2646 return (0); 2647 } 2648 2649 static void 2650 sadb_delpair_state(isaf_t *head, ipsa_t *entry, void *cookie) 2651 { 2652 struct sadb_purge_state *ps = (struct sadb_purge_state *)cookie; 2653 isaf_t *inbound_bucket; 2654 ipsa_t *peer_assoc; 2655 2656 ASSERT(MUTEX_HELD(&head->isaf_lock)); 2657 2658 mutex_enter(&entry->ipsa_lock); 2659 2660 if ((entry->ipsa_state != ps->sadb_sa_state) || 2661 ((ps->src != NULL) && 2662 !IPSA_ARE_ADDR_EQUAL(entry->ipsa_srcaddr, ps->src, ps->af))) { 2663 mutex_exit(&entry->ipsa_lock); 2664 return; 2665 } 2666 2667 /* 2668 * The isaf_t *, which is passed in , is always an outbound bucket, 2669 * and we are preserving the outbound-then-inbound hash-bucket lock 2670 * ordering. The sadb_walker() which triggers this function is called 2671 * only on the outbound fanout, and the corresponding inbound bucket 2672 * lock is safe to acquire here. 2673 */ 2674 2675 if (entry->ipsa_haspeer) { 2676 inbound_bucket = INBOUND_BUCKET(ps->sp, entry->ipsa_spi); 2677 mutex_enter(&inbound_bucket->isaf_lock); 2678 peer_assoc = ipsec_getassocbyspi(inbound_bucket, 2679 entry->ipsa_spi, entry->ipsa_srcaddr, 2680 entry->ipsa_dstaddr, entry->ipsa_addrfam); 2681 } else { 2682 inbound_bucket = INBOUND_BUCKET(ps->sp, entry->ipsa_otherspi); 2683 mutex_enter(&inbound_bucket->isaf_lock); 2684 peer_assoc = ipsec_getassocbyspi(inbound_bucket, 2685 entry->ipsa_otherspi, entry->ipsa_dstaddr, 2686 entry->ipsa_srcaddr, entry->ipsa_addrfam); 2687 } 2688 2689 entry->ipsa_state = IPSA_STATE_DEAD; 2690 (void) sadb_torch_assoc(head, entry, B_FALSE, &ps->mq); 2691 if (peer_assoc != NULL) { 2692 mutex_enter(&peer_assoc->ipsa_lock); 2693 peer_assoc->ipsa_state = IPSA_STATE_DEAD; 2694 (void) sadb_torch_assoc(inbound_bucket, peer_assoc, 2695 B_FALSE, &ps->mq); 2696 } 2697 mutex_exit(&inbound_bucket->isaf_lock); 2698 } 2699 2700 /* 2701 * Common code to delete/get an SA. 2702 */ 2703 int 2704 sadb_delget_sa(mblk_t *mp, keysock_in_t *ksi, sadbp_t *spp, 2705 int *diagnostic, queue_t *pfkey_q, uint8_t sadb_msg_type) 2706 { 2707 sadb_sa_t *assoc = (sadb_sa_t *)ksi->ks_in_extv[SADB_EXT_SA]; 2708 sadb_address_t *srcext = 2709 (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_SRC]; 2710 sadb_address_t *dstext = 2711 (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_DST]; 2712 ipsa_t *echo_target = NULL; 2713 ipsap_t *ipsapp; 2714 mblk_t *torchq = NULL; 2715 uint_t error = 0; 2716 2717 if (assoc == NULL) { 2718 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_SA; 2719 return (EINVAL); 2720 } 2721 2722 if (sadb_msg_type == SADB_X_DELPAIR_STATE) { 2723 struct sockaddr_in *src; 2724 struct sockaddr_in6 *src6; 2725 struct sadb_purge_state ps; 2726 2727 if (srcext == NULL) { 2728 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_SRC; 2729 return (EINVAL); 2730 } 2731 ps.src = NULL; 2732 ps.mq = NULL; 2733 src = (struct sockaddr_in *)(srcext + 1); 2734 ps.af = src->sin_family; 2735 if (src->sin_family == AF_INET6) { 2736 src6 = (struct sockaddr_in6 *)(srcext + 1); 2737 ps.src = (uint32_t *)&src6->sin6_addr; 2738 ps.sp = &spp->s_v6; 2739 } else { 2740 ps.src = (uint32_t *)&src->sin_addr; 2741 ps.sp = &spp->s_v4; 2742 } 2743 ps.inbnd = B_FALSE; 2744 ps.sadb_sa_state = assoc->sadb_sa_state; 2745 sadb_walker(ps.sp->sdb_of, ps.sp->sdb_hashsize, 2746 sadb_delpair_state, &ps); 2747 2748 if (ps.mq != NULL) 2749 sadb_drain_torchq(pfkey_q, ps.mq); 2750 2751 ASSERT(mp->b_cont != NULL); 2752 sadb_pfkey_echo(pfkey_q, mp, (sadb_msg_t *)mp->b_cont->b_rptr, 2753 ksi, NULL); 2754 return (0); 2755 } 2756 2757 if (dstext == NULL) { 2758 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_DST; 2759 return (EINVAL); 2760 } 2761 2762 ipsapp = get_ipsa_pair(assoc, srcext, dstext, spp); 2763 if (ipsapp == NULL) { 2764 *diagnostic = SADB_X_DIAGNOSTIC_SA_NOTFOUND; 2765 return (ESRCH); 2766 } 2767 2768 echo_target = ipsapp->ipsap_sa_ptr; 2769 if (echo_target == NULL) 2770 echo_target = ipsapp->ipsap_psa_ptr; 2771 2772 if (sadb_msg_type == SADB_DELETE || sadb_msg_type == SADB_X_DELPAIR) { 2773 /* 2774 * Bucket locks will be required if SA is actually unlinked. 2775 * get_ipsa_pair() returns valid hash bucket pointers even 2776 * if it can't find a pair SA pointer. To prevent a potential 2777 * deadlock, always lock the outbound bucket before the inbound. 2778 */ 2779 if (ipsapp->in_inbound_table) { 2780 mutex_enter(&ipsapp->ipsap_pbucket->isaf_lock); 2781 mutex_enter(&ipsapp->ipsap_bucket->isaf_lock); 2782 } else { 2783 mutex_enter(&ipsapp->ipsap_bucket->isaf_lock); 2784 mutex_enter(&ipsapp->ipsap_pbucket->isaf_lock); 2785 } 2786 2787 if (ipsapp->ipsap_sa_ptr != NULL) { 2788 mutex_enter(&ipsapp->ipsap_sa_ptr->ipsa_lock); 2789 if (ipsapp->ipsap_sa_ptr->ipsa_flags & IPSA_F_INBOUND) { 2790 sadb_delete_cluster(ipsapp->ipsap_sa_ptr); 2791 } 2792 ipsapp->ipsap_sa_ptr->ipsa_state = IPSA_STATE_DEAD; 2793 (void) sadb_torch_assoc(ipsapp->ipsap_bucket, 2794 ipsapp->ipsap_sa_ptr, B_FALSE, &torchq); 2795 /* 2796 * sadb_torch_assoc() releases the ipsa_lock 2797 * and calls sadb_unlinkassoc() which does a 2798 * IPSA_REFRELE. 2799 */ 2800 } 2801 if (ipsapp->ipsap_psa_ptr != NULL) { 2802 mutex_enter(&ipsapp->ipsap_psa_ptr->ipsa_lock); 2803 if (sadb_msg_type == SADB_X_DELPAIR || 2804 ipsapp->ipsap_psa_ptr->ipsa_haspeer) { 2805 if (ipsapp->ipsap_psa_ptr->ipsa_flags & 2806 IPSA_F_INBOUND) { 2807 sadb_delete_cluster( 2808 ipsapp->ipsap_psa_ptr); 2809 } 2810 ipsapp->ipsap_psa_ptr->ipsa_state = 2811 IPSA_STATE_DEAD; 2812 (void) sadb_torch_assoc(ipsapp->ipsap_pbucket, 2813 ipsapp->ipsap_psa_ptr, B_FALSE, &torchq); 2814 } else { 2815 /* 2816 * Only half of the "pair" has been deleted. 2817 * Update the remaining SA and remove references 2818 * to its pair SA, which is now gone. 2819 */ 2820 ipsapp->ipsap_psa_ptr->ipsa_otherspi = 0; 2821 ipsapp->ipsap_psa_ptr->ipsa_flags &= 2822 ~IPSA_F_PAIRED; 2823 mutex_exit(&ipsapp->ipsap_psa_ptr->ipsa_lock); 2824 } 2825 } else if (sadb_msg_type == SADB_X_DELPAIR) { 2826 *diagnostic = SADB_X_DIAGNOSTIC_PAIR_SA_NOTFOUND; 2827 error = ESRCH; 2828 } 2829 mutex_exit(&ipsapp->ipsap_bucket->isaf_lock); 2830 mutex_exit(&ipsapp->ipsap_pbucket->isaf_lock); 2831 } 2832 2833 if (torchq != NULL) 2834 sadb_drain_torchq(spp->s_ip_q, torchq); 2835 2836 ASSERT(mp->b_cont != NULL); 2837 2838 if (error == 0) 2839 sadb_pfkey_echo(pfkey_q, mp, (sadb_msg_t *) 2840 mp->b_cont->b_rptr, ksi, echo_target); 2841 2842 destroy_ipsa_pair(ipsapp); 2843 2844 return (error); 2845 } 2846 2847 /* 2848 * This function takes a sadb_sa_t and finds the ipsa_t structure 2849 * and the isaf_t (hash bucket) that its stored under. If the security 2850 * association has a peer, the ipsa_t structure and bucket for that security 2851 * association are also searched for. The "pair" of ipsa_t's and isaf_t's 2852 * are returned as a ipsap_t. 2853 * 2854 * The hash buckets are returned for convenience, if the calling function 2855 * needs to use the hash bucket locks, say to remove the SA's, it should 2856 * take care to observe the convention of locking outbound bucket then 2857 * inbound bucket. The flag in_inbound_table provides direction. 2858 * 2859 * Note that a "pair" is defined as one (but not both) of the following: 2860 * 2861 * A security association which has a soft reference to another security 2862 * association via its SPI. 2863 * 2864 * A security association that is not obviously "inbound" or "outbound" so 2865 * it appears in both hash tables, the "peer" being the same security 2866 * association in the other hash table. 2867 * 2868 * This function will return NULL if the ipsa_t can't be found in the 2869 * inbound or outbound hash tables (not found). If only one ipsa_t is 2870 * found, the pair ipsa_t will be NULL. Both isaf_t values are valid 2871 * provided at least one ipsa_t is found. 2872 */ 2873 ipsap_t * 2874 get_ipsa_pair(sadb_sa_t *assoc, sadb_address_t *srcext, sadb_address_t *dstext, 2875 sadbp_t *spp) 2876 { 2877 struct sockaddr_in *src, *dst; 2878 struct sockaddr_in6 *src6, *dst6; 2879 sadb_t *sp; 2880 uint32_t *srcaddr, *dstaddr; 2881 isaf_t *outbound_bucket, *inbound_bucket; 2882 ipsap_t *ipsapp; 2883 sa_family_t af; 2884 2885 uint32_t pair_srcaddr[IPSA_MAX_ADDRLEN]; 2886 uint32_t pair_dstaddr[IPSA_MAX_ADDRLEN]; 2887 uint32_t pair_spi; 2888 2889 ipsapp = kmem_zalloc(sizeof (*ipsapp), KM_NOSLEEP); 2890 if (ipsapp == NULL) 2891 return (NULL); 2892 2893 ipsapp->in_inbound_table = B_FALSE; 2894 2895 /* 2896 * Don't worry about IPv6 v4-mapped addresses, sadb_addrcheck() 2897 * takes care of them. 2898 */ 2899 2900 dst = (struct sockaddr_in *)(dstext + 1); 2901 af = dst->sin_family; 2902 if (af == AF_INET6) { 2903 sp = &spp->s_v6; 2904 dst6 = (struct sockaddr_in6 *)dst; 2905 dstaddr = (uint32_t *)&dst6->sin6_addr; 2906 if (srcext != NULL) { 2907 src6 = (struct sockaddr_in6 *)(srcext + 1); 2908 srcaddr = (uint32_t *)&src6->sin6_addr; 2909 ASSERT(src6->sin6_family == af); 2910 ASSERT(src6->sin6_family == AF_INET6); 2911 } else { 2912 srcaddr = ALL_ZEROES_PTR; 2913 } 2914 outbound_bucket = OUTBOUND_BUCKET_V6(sp, 2915 *(uint32_t *)dstaddr); 2916 } else { 2917 sp = &spp->s_v4; 2918 dstaddr = (uint32_t *)&dst->sin_addr; 2919 if (srcext != NULL) { 2920 src = (struct sockaddr_in *)(srcext + 1); 2921 srcaddr = (uint32_t *)&src->sin_addr; 2922 ASSERT(src->sin_family == af); 2923 ASSERT(src->sin_family == AF_INET); 2924 } else { 2925 srcaddr = ALL_ZEROES_PTR; 2926 } 2927 outbound_bucket = OUTBOUND_BUCKET_V4(sp, 2928 *(uint32_t *)dstaddr); 2929 } 2930 2931 inbound_bucket = INBOUND_BUCKET(sp, assoc->sadb_sa_spi); 2932 2933 /* Lock down both buckets. */ 2934 mutex_enter(&outbound_bucket->isaf_lock); 2935 mutex_enter(&inbound_bucket->isaf_lock); 2936 2937 if (assoc->sadb_sa_flags & IPSA_F_INBOUND) { 2938 ipsapp->ipsap_sa_ptr = ipsec_getassocbyspi(inbound_bucket, 2939 assoc->sadb_sa_spi, srcaddr, dstaddr, af); 2940 if (ipsapp->ipsap_sa_ptr != NULL) { 2941 ipsapp->ipsap_bucket = inbound_bucket; 2942 ipsapp->ipsap_pbucket = outbound_bucket; 2943 ipsapp->in_inbound_table = B_TRUE; 2944 } else { 2945 ipsapp->ipsap_sa_ptr = 2946 ipsec_getassocbyspi(outbound_bucket, 2947 assoc->sadb_sa_spi, srcaddr, dstaddr, af); 2948 ipsapp->ipsap_bucket = outbound_bucket; 2949 ipsapp->ipsap_pbucket = inbound_bucket; 2950 } 2951 } else { 2952 /* IPSA_F_OUTBOUND is set *or* no directions flags set. */ 2953 ipsapp->ipsap_sa_ptr = 2954 ipsec_getassocbyspi(outbound_bucket, 2955 assoc->sadb_sa_spi, srcaddr, dstaddr, af); 2956 if (ipsapp->ipsap_sa_ptr != NULL) { 2957 ipsapp->ipsap_bucket = outbound_bucket; 2958 ipsapp->ipsap_pbucket = inbound_bucket; 2959 } else { 2960 ipsapp->ipsap_sa_ptr = 2961 ipsec_getassocbyspi(inbound_bucket, 2962 assoc->sadb_sa_spi, srcaddr, dstaddr, af); 2963 ipsapp->ipsap_bucket = inbound_bucket; 2964 ipsapp->ipsap_pbucket = outbound_bucket; 2965 if (ipsapp->ipsap_sa_ptr != NULL) 2966 ipsapp->in_inbound_table = B_TRUE; 2967 } 2968 } 2969 2970 if (ipsapp->ipsap_sa_ptr == NULL) { 2971 mutex_exit(&outbound_bucket->isaf_lock); 2972 mutex_exit(&inbound_bucket->isaf_lock); 2973 kmem_free(ipsapp, sizeof (*ipsapp)); 2974 return (NULL); 2975 } 2976 2977 if ((ipsapp->ipsap_sa_ptr->ipsa_state == IPSA_STATE_LARVAL) && 2978 ipsapp->in_inbound_table) { 2979 mutex_exit(&outbound_bucket->isaf_lock); 2980 mutex_exit(&inbound_bucket->isaf_lock); 2981 return (ipsapp); 2982 } 2983 2984 mutex_enter(&ipsapp->ipsap_sa_ptr->ipsa_lock); 2985 if (ipsapp->ipsap_sa_ptr->ipsa_haspeer) { 2986 /* 2987 * haspeer implies no sa_pairing, look for same spi 2988 * in other hashtable. 2989 */ 2990 ipsapp->ipsap_psa_ptr = 2991 ipsec_getassocbyspi(ipsapp->ipsap_pbucket, 2992 assoc->sadb_sa_spi, srcaddr, dstaddr, af); 2993 mutex_exit(&ipsapp->ipsap_sa_ptr->ipsa_lock); 2994 mutex_exit(&outbound_bucket->isaf_lock); 2995 mutex_exit(&inbound_bucket->isaf_lock); 2996 return (ipsapp); 2997 } 2998 pair_spi = ipsapp->ipsap_sa_ptr->ipsa_otherspi; 2999 IPSA_COPY_ADDR(&pair_srcaddr, 3000 ipsapp->ipsap_sa_ptr->ipsa_srcaddr, af); 3001 IPSA_COPY_ADDR(&pair_dstaddr, 3002 ipsapp->ipsap_sa_ptr->ipsa_dstaddr, af); 3003 mutex_exit(&ipsapp->ipsap_sa_ptr->ipsa_lock); 3004 mutex_exit(&outbound_bucket->isaf_lock); 3005 mutex_exit(&inbound_bucket->isaf_lock); 3006 3007 if (pair_spi == 0) { 3008 ASSERT(ipsapp->ipsap_bucket != NULL); 3009 ASSERT(ipsapp->ipsap_pbucket != NULL); 3010 return (ipsapp); 3011 } 3012 3013 /* found sa in outbound sadb, peer should be inbound */ 3014 3015 if (ipsapp->in_inbound_table) { 3016 /* Found SA in inbound table, pair will be in outbound. */ 3017 if (af == AF_INET6) { 3018 ipsapp->ipsap_pbucket = OUTBOUND_BUCKET_V6(sp, 3019 *(uint32_t *)pair_srcaddr); 3020 } else { 3021 ipsapp->ipsap_pbucket = OUTBOUND_BUCKET_V4(sp, 3022 *(uint32_t *)pair_srcaddr); 3023 } 3024 } else { 3025 ipsapp->ipsap_pbucket = INBOUND_BUCKET(sp, pair_spi); 3026 } 3027 mutex_enter(&ipsapp->ipsap_pbucket->isaf_lock); 3028 ipsapp->ipsap_psa_ptr = ipsec_getassocbyspi(ipsapp->ipsap_pbucket, 3029 pair_spi, pair_dstaddr, pair_srcaddr, af); 3030 mutex_exit(&ipsapp->ipsap_pbucket->isaf_lock); 3031 ASSERT(ipsapp->ipsap_bucket != NULL); 3032 ASSERT(ipsapp->ipsap_pbucket != NULL); 3033 return (ipsapp); 3034 } 3035 3036 /* 3037 * Initialize the mechanism parameters associated with an SA. 3038 * These parameters can be shared by multiple packets, which saves 3039 * us from the overhead of consulting the algorithm table for 3040 * each packet. 3041 */ 3042 static void 3043 sadb_init_alginfo(ipsa_t *sa) 3044 { 3045 ipsec_alginfo_t *alg; 3046 ipsec_stack_t *ipss = sa->ipsa_netstack->netstack_ipsec; 3047 3048 mutex_enter(&ipss->ipsec_alg_lock); 3049 3050 if (sa->ipsa_encrkey != NULL) { 3051 alg = ipss->ipsec_alglists[IPSEC_ALG_ENCR][sa->ipsa_encr_alg]; 3052 if (alg != NULL && ALG_VALID(alg)) { 3053 sa->ipsa_emech.cm_type = alg->alg_mech_type; 3054 sa->ipsa_emech.cm_param = NULL; 3055 sa->ipsa_emech.cm_param_len = 0; 3056 sa->ipsa_iv_len = alg->alg_datalen; 3057 } else 3058 sa->ipsa_emech.cm_type = CRYPTO_MECHANISM_INVALID; 3059 } 3060 3061 if (sa->ipsa_authkey != NULL) { 3062 alg = ipss->ipsec_alglists[IPSEC_ALG_AUTH][sa->ipsa_auth_alg]; 3063 if (alg != NULL && ALG_VALID(alg)) { 3064 sa->ipsa_amech.cm_type = alg->alg_mech_type; 3065 sa->ipsa_amech.cm_param = (char *)&sa->ipsa_mac_len; 3066 sa->ipsa_amech.cm_param_len = sizeof (size_t); 3067 sa->ipsa_mac_len = (size_t)alg->alg_datalen; 3068 } else 3069 sa->ipsa_amech.cm_type = CRYPTO_MECHANISM_INVALID; 3070 } 3071 3072 mutex_exit(&ipss->ipsec_alg_lock); 3073 } 3074 3075 /* 3076 * Perform NAT-traversal cached checksum offset calculations here. 3077 */ 3078 static void 3079 sadb_nat_calculations(ipsa_t *newbie, sadb_address_t *natt_loc_ext, 3080 sadb_address_t *natt_rem_ext, uint32_t *src_addr_ptr, 3081 uint32_t *dst_addr_ptr) 3082 { 3083 struct sockaddr_in *natt_loc, *natt_rem; 3084 uint32_t *natt_loc_ptr = NULL, *natt_rem_ptr = NULL; 3085 uint32_t running_sum = 0; 3086 3087 #define DOWN_SUM(x) (x) = ((x) & 0xFFFF) + ((x) >> 16) 3088 3089 if (natt_rem_ext != NULL) { 3090 uint32_t l_src; 3091 uint32_t l_rem; 3092 3093 natt_rem = (struct sockaddr_in *)(natt_rem_ext + 1); 3094 3095 /* Ensured by sadb_addrfix(). */ 3096 ASSERT(natt_rem->sin_family == AF_INET); 3097 3098 natt_rem_ptr = (uint32_t *)(&natt_rem->sin_addr); 3099 newbie->ipsa_remote_nat_port = natt_rem->sin_port; 3100 l_src = *src_addr_ptr; 3101 l_rem = *natt_rem_ptr; 3102 3103 /* Instead of IPSA_COPY_ADDR(), just copy first 32 bits. */ 3104 newbie->ipsa_natt_addr_rem = *natt_rem_ptr; 3105 3106 l_src = ntohl(l_src); 3107 DOWN_SUM(l_src); 3108 DOWN_SUM(l_src); 3109 l_rem = ntohl(l_rem); 3110 DOWN_SUM(l_rem); 3111 DOWN_SUM(l_rem); 3112 3113 /* 3114 * We're 1's complement for checksums, so check for wraparound 3115 * here. 3116 */ 3117 if (l_rem > l_src) 3118 l_src--; 3119 3120 running_sum += l_src - l_rem; 3121 3122 DOWN_SUM(running_sum); 3123 DOWN_SUM(running_sum); 3124 } 3125 3126 if (natt_loc_ext != NULL) { 3127 natt_loc = (struct sockaddr_in *)(natt_loc_ext + 1); 3128 3129 /* Ensured by sadb_addrfix(). */ 3130 ASSERT(natt_loc->sin_family == AF_INET); 3131 3132 natt_loc_ptr = (uint32_t *)(&natt_loc->sin_addr); 3133 newbie->ipsa_local_nat_port = natt_loc->sin_port; 3134 3135 /* Instead of IPSA_COPY_ADDR(), just copy first 32 bits. */ 3136 newbie->ipsa_natt_addr_loc = *natt_loc_ptr; 3137 3138 /* 3139 * NAT-T port agility means we may have natt_loc_ext, but 3140 * only for a local-port change. 3141 */ 3142 if (natt_loc->sin_addr.s_addr != INADDR_ANY) { 3143 uint32_t l_dst = ntohl(*dst_addr_ptr); 3144 uint32_t l_loc = ntohl(*natt_loc_ptr); 3145 3146 DOWN_SUM(l_loc); 3147 DOWN_SUM(l_loc); 3148 DOWN_SUM(l_dst); 3149 DOWN_SUM(l_dst); 3150 3151 /* 3152 * We're 1's complement for checksums, so check for 3153 * wraparound here. 3154 */ 3155 if (l_loc > l_dst) 3156 l_dst--; 3157 3158 running_sum += l_dst - l_loc; 3159 DOWN_SUM(running_sum); 3160 DOWN_SUM(running_sum); 3161 } 3162 } 3163 3164 newbie->ipsa_inbound_cksum = running_sum; 3165 #undef DOWN_SUM 3166 } 3167 3168 /* 3169 * This function is called from consumers that need to insert a fully-grown 3170 * security association into its tables. This function takes into account that 3171 * SAs can be "inbound", "outbound", or "both". The "primary" and "secondary" 3172 * hash bucket parameters are set in order of what the SA will be most of the 3173 * time. (For example, an SA with an unspecified source, and a multicast 3174 * destination will primarily be an outbound SA. OTOH, if that destination 3175 * is unicast for this node, then the SA will primarily be inbound.) 3176 * 3177 * It takes a lot of parameters because even if clone is B_FALSE, this needs 3178 * to check both buckets for purposes of collision. 3179 * 3180 * Return 0 upon success. Return various errnos (ENOMEM, EEXIST) for 3181 * various error conditions. We may need to set samsg->sadb_x_msg_diagnostic 3182 * with additional diagnostic information because there is at least one EINVAL 3183 * case here. 3184 */ 3185 int 3186 sadb_common_add(queue_t *ip_q, queue_t *pfkey_q, mblk_t *mp, sadb_msg_t *samsg, 3187 keysock_in_t *ksi, isaf_t *primary, isaf_t *secondary, 3188 ipsa_t *newbie, boolean_t clone, boolean_t is_inbound, int *diagnostic, 3189 netstack_t *ns, sadbp_t *spp) 3190 { 3191 ipsa_t *newbie_clone = NULL, *scratch; 3192 ipsap_t *ipsapp = NULL; 3193 sadb_sa_t *assoc = (sadb_sa_t *)ksi->ks_in_extv[SADB_EXT_SA]; 3194 sadb_address_t *srcext = 3195 (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_SRC]; 3196 sadb_address_t *dstext = 3197 (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_DST]; 3198 sadb_address_t *isrcext = 3199 (sadb_address_t *)ksi->ks_in_extv[SADB_X_EXT_ADDRESS_INNER_SRC]; 3200 sadb_address_t *idstext = 3201 (sadb_address_t *)ksi->ks_in_extv[SADB_X_EXT_ADDRESS_INNER_DST]; 3202 sadb_x_kmc_t *kmcext = 3203 (sadb_x_kmc_t *)ksi->ks_in_extv[SADB_X_EXT_KM_COOKIE]; 3204 sadb_key_t *akey = (sadb_key_t *)ksi->ks_in_extv[SADB_EXT_KEY_AUTH]; 3205 sadb_key_t *ekey = (sadb_key_t *)ksi->ks_in_extv[SADB_EXT_KEY_ENCRYPT]; 3206 sadb_x_pair_t *pair_ext = 3207 (sadb_x_pair_t *)ksi->ks_in_extv[SADB_X_EXT_PAIR]; 3208 sadb_x_replay_ctr_t *replayext = 3209 (sadb_x_replay_ctr_t *)ksi->ks_in_extv[SADB_X_EXT_REPLAY_VALUE]; 3210 uint8_t protocol = 3211 (samsg->sadb_msg_satype == SADB_SATYPE_AH) ? IPPROTO_AH:IPPROTO_ESP; 3212 #if 0 3213 /* 3214 * XXXMLS - When Trusted Solaris or Multi-Level Secure functionality 3215 * comes to ON, examine these if 0'ed fragments. Look for XXXMLS. 3216 */ 3217 sadb_sens_t *sens = (sadb_sens_t *); 3218 #endif 3219 struct sockaddr_in *src, *dst, *isrc, *idst; 3220 struct sockaddr_in6 *src6, *dst6, *isrc6, *idst6; 3221 sadb_lifetime_t *soft = 3222 (sadb_lifetime_t *)ksi->ks_in_extv[SADB_EXT_LIFETIME_SOFT]; 3223 sadb_lifetime_t *hard = 3224 (sadb_lifetime_t *)ksi->ks_in_extv[SADB_EXT_LIFETIME_HARD]; 3225 sadb_lifetime_t *idle = 3226 (sadb_lifetime_t *)ksi->ks_in_extv[SADB_X_EXT_LIFETIME_IDLE]; 3227 sa_family_t af; 3228 int error = 0; 3229 boolean_t isupdate = (newbie != NULL); 3230 uint32_t *src_addr_ptr, *dst_addr_ptr, *isrc_addr_ptr, *idst_addr_ptr; 3231 mblk_t *ctl_mp = NULL; 3232 ipsec_stack_t *ipss = ns->netstack_ipsec; 3233 int rcode; 3234 3235 if (srcext == NULL) { 3236 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_SRC; 3237 return (EINVAL); 3238 } 3239 if (dstext == NULL) { 3240 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_DST; 3241 return (EINVAL); 3242 } 3243 if (assoc == NULL) { 3244 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_SA; 3245 return (EINVAL); 3246 } 3247 3248 src = (struct sockaddr_in *)(srcext + 1); 3249 src6 = (struct sockaddr_in6 *)(srcext + 1); 3250 dst = (struct sockaddr_in *)(dstext + 1); 3251 dst6 = (struct sockaddr_in6 *)(dstext + 1); 3252 if (isrcext != NULL) { 3253 isrc = (struct sockaddr_in *)(isrcext + 1); 3254 isrc6 = (struct sockaddr_in6 *)(isrcext + 1); 3255 ASSERT(idstext != NULL); 3256 idst = (struct sockaddr_in *)(idstext + 1); 3257 idst6 = (struct sockaddr_in6 *)(idstext + 1); 3258 } else { 3259 isrc = NULL; 3260 isrc6 = NULL; 3261 } 3262 3263 af = src->sin_family; 3264 3265 if (af == AF_INET) { 3266 src_addr_ptr = (uint32_t *)&src->sin_addr; 3267 dst_addr_ptr = (uint32_t *)&dst->sin_addr; 3268 } else { 3269 ASSERT(af == AF_INET6); 3270 src_addr_ptr = (uint32_t *)&src6->sin6_addr; 3271 dst_addr_ptr = (uint32_t *)&dst6->sin6_addr; 3272 } 3273 3274 if (!isupdate && (clone == B_TRUE || is_inbound == B_TRUE) && 3275 cl_inet_checkspi && 3276 (assoc->sadb_sa_state != SADB_X_SASTATE_ACTIVE_ELSEWHERE)) { 3277 rcode = cl_inet_checkspi(ns->netstack_stackid, protocol, 3278 assoc->sadb_sa_spi, NULL); 3279 if (rcode == -1) { 3280 return (EEXIST); 3281 } 3282 } 3283 3284 /* 3285 * Check to see if the new SA will be cloned AND paired. The 3286 * reason a SA will be cloned is the source or destination addresses 3287 * are not specific enough to determine if the SA goes in the outbound 3288 * or the inbound hash table, so its cloned and put in both. If 3289 * the SA is paired, it's soft linked to another SA for the other 3290 * direction. Keeping track and looking up SA's that are direction 3291 * unspecific and linked is too hard. 3292 */ 3293 if (clone && (pair_ext != NULL)) { 3294 *diagnostic = SADB_X_DIAGNOSTIC_PAIR_INAPPROPRIATE; 3295 return (EINVAL); 3296 } 3297 3298 if (!isupdate) { 3299 newbie = sadb_makelarvalassoc(assoc->sadb_sa_spi, 3300 src_addr_ptr, dst_addr_ptr, af, ns); 3301 if (newbie == NULL) 3302 return (ENOMEM); 3303 } 3304 3305 mutex_enter(&newbie->ipsa_lock); 3306 3307 if (isrc != NULL) { 3308 if (isrc->sin_family == AF_INET) { 3309 if (srcext->sadb_address_proto != IPPROTO_ENCAP) { 3310 if (srcext->sadb_address_proto != 0) { 3311 /* 3312 * Mismatched outer-packet protocol 3313 * and inner-packet address family. 3314 */ 3315 mutex_exit(&newbie->ipsa_lock); 3316 error = EPROTOTYPE; 3317 *diagnostic = 3318 SADB_X_DIAGNOSTIC_INNER_AF_MISMATCH; 3319 goto error; 3320 } else { 3321 /* Fill in with explicit protocol. */ 3322 srcext->sadb_address_proto = 3323 IPPROTO_ENCAP; 3324 dstext->sadb_address_proto = 3325 IPPROTO_ENCAP; 3326 } 3327 } 3328 isrc_addr_ptr = (uint32_t *)&isrc->sin_addr; 3329 idst_addr_ptr = (uint32_t *)&idst->sin_addr; 3330 } else { 3331 ASSERT(isrc->sin_family == AF_INET6); 3332 if (srcext->sadb_address_proto != IPPROTO_IPV6) { 3333 if (srcext->sadb_address_proto != 0) { 3334 /* 3335 * Mismatched outer-packet protocol 3336 * and inner-packet address family. 3337 */ 3338 mutex_exit(&newbie->ipsa_lock); 3339 error = EPROTOTYPE; 3340 *diagnostic = 3341 SADB_X_DIAGNOSTIC_INNER_AF_MISMATCH; 3342 goto error; 3343 } else { 3344 /* Fill in with explicit protocol. */ 3345 srcext->sadb_address_proto = 3346 IPPROTO_IPV6; 3347 dstext->sadb_address_proto = 3348 IPPROTO_IPV6; 3349 } 3350 } 3351 isrc_addr_ptr = (uint32_t *)&isrc6->sin6_addr; 3352 idst_addr_ptr = (uint32_t *)&idst6->sin6_addr; 3353 } 3354 newbie->ipsa_innerfam = isrc->sin_family; 3355 3356 IPSA_COPY_ADDR(newbie->ipsa_innersrc, isrc_addr_ptr, 3357 newbie->ipsa_innerfam); 3358 IPSA_COPY_ADDR(newbie->ipsa_innerdst, idst_addr_ptr, 3359 newbie->ipsa_innerfam); 3360 newbie->ipsa_innersrcpfx = isrcext->sadb_address_prefixlen; 3361 newbie->ipsa_innerdstpfx = idstext->sadb_address_prefixlen; 3362 3363 /* Unique value uses inner-ports for Tunnel Mode... */ 3364 newbie->ipsa_unique_id = SA_UNIQUE_ID(isrc->sin_port, 3365 idst->sin_port, dstext->sadb_address_proto, 3366 idstext->sadb_address_proto); 3367 newbie->ipsa_unique_mask = SA_UNIQUE_MASK(isrc->sin_port, 3368 idst->sin_port, dstext->sadb_address_proto, 3369 idstext->sadb_address_proto); 3370 } else { 3371 /* ... and outer-ports for Transport Mode. */ 3372 newbie->ipsa_unique_id = SA_UNIQUE_ID(src->sin_port, 3373 dst->sin_port, dstext->sadb_address_proto, 0); 3374 newbie->ipsa_unique_mask = SA_UNIQUE_MASK(src->sin_port, 3375 dst->sin_port, dstext->sadb_address_proto, 0); 3376 } 3377 if (newbie->ipsa_unique_mask != (uint64_t)0) 3378 newbie->ipsa_flags |= IPSA_F_UNIQUE; 3379 3380 sadb_nat_calculations(newbie, 3381 (sadb_address_t *)ksi->ks_in_extv[SADB_X_EXT_ADDRESS_NATT_LOC], 3382 (sadb_address_t *)ksi->ks_in_extv[SADB_X_EXT_ADDRESS_NATT_REM], 3383 src_addr_ptr, dst_addr_ptr); 3384 3385 newbie->ipsa_type = samsg->sadb_msg_satype; 3386 3387 ASSERT((assoc->sadb_sa_state == SADB_SASTATE_MATURE) || 3388 (assoc->sadb_sa_state == SADB_X_SASTATE_ACTIVE_ELSEWHERE)); 3389 newbie->ipsa_auth_alg = assoc->sadb_sa_auth; 3390 newbie->ipsa_encr_alg = assoc->sadb_sa_encrypt; 3391 3392 newbie->ipsa_flags |= assoc->sadb_sa_flags; 3393 if (newbie->ipsa_flags & SADB_X_SAFLAGS_NATT_LOC && 3394 ksi->ks_in_extv[SADB_X_EXT_ADDRESS_NATT_LOC] == NULL) { 3395 mutex_exit(&newbie->ipsa_lock); 3396 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_NATT_LOC; 3397 error = EINVAL; 3398 goto error; 3399 } 3400 if (newbie->ipsa_flags & SADB_X_SAFLAGS_NATT_REM && 3401 ksi->ks_in_extv[SADB_X_EXT_ADDRESS_NATT_REM] == NULL) { 3402 mutex_exit(&newbie->ipsa_lock); 3403 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_NATT_REM; 3404 error = EINVAL; 3405 goto error; 3406 } 3407 if (newbie->ipsa_flags & SADB_X_SAFLAGS_TUNNEL && 3408 ksi->ks_in_extv[SADB_X_EXT_ADDRESS_INNER_SRC] == NULL) { 3409 mutex_exit(&newbie->ipsa_lock); 3410 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_INNER_SRC; 3411 error = EINVAL; 3412 goto error; 3413 } 3414 /* 3415 * If unspecified source address, force replay_wsize to 0. 3416 * This is because an SA that has multiple sources of secure 3417 * traffic cannot enforce a replay counter w/o synchronizing the 3418 * senders. 3419 */ 3420 if (ksi->ks_in_srctype != KS_IN_ADDR_UNSPEC) 3421 newbie->ipsa_replay_wsize = assoc->sadb_sa_replay; 3422 else 3423 newbie->ipsa_replay_wsize = 0; 3424 3425 newbie->ipsa_addtime = gethrestime_sec(); 3426 3427 if (kmcext != NULL) { 3428 newbie->ipsa_kmp = kmcext->sadb_x_kmc_proto; 3429 newbie->ipsa_kmc = kmcext->sadb_x_kmc_cookie; 3430 } 3431 3432 /* 3433 * XXX CURRENT lifetime checks MAY BE needed for an UPDATE. 3434 * The spec says that one can update current lifetimes, but 3435 * that seems impractical, especially in the larval-to-mature 3436 * update that this function performs. 3437 */ 3438 if (soft != NULL) { 3439 newbie->ipsa_softaddlt = soft->sadb_lifetime_addtime; 3440 newbie->ipsa_softuselt = soft->sadb_lifetime_usetime; 3441 newbie->ipsa_softbyteslt = soft->sadb_lifetime_bytes; 3442 newbie->ipsa_softalloc = soft->sadb_lifetime_allocations; 3443 SET_EXPIRE(newbie, softaddlt, softexpiretime); 3444 } 3445 if (hard != NULL) { 3446 newbie->ipsa_hardaddlt = hard->sadb_lifetime_addtime; 3447 newbie->ipsa_harduselt = hard->sadb_lifetime_usetime; 3448 newbie->ipsa_hardbyteslt = hard->sadb_lifetime_bytes; 3449 newbie->ipsa_hardalloc = hard->sadb_lifetime_allocations; 3450 SET_EXPIRE(newbie, hardaddlt, hardexpiretime); 3451 } 3452 if (idle != NULL) { 3453 newbie->ipsa_idleaddlt = idle->sadb_lifetime_addtime; 3454 newbie->ipsa_idleuselt = idle->sadb_lifetime_usetime; 3455 newbie->ipsa_idleexpiretime = newbie->ipsa_addtime + 3456 newbie->ipsa_idleaddlt; 3457 newbie->ipsa_idletime = newbie->ipsa_idleaddlt; 3458 } 3459 3460 newbie->ipsa_authtmpl = NULL; 3461 newbie->ipsa_encrtmpl = NULL; 3462 3463 if (akey != NULL) { 3464 newbie->ipsa_authkeybits = akey->sadb_key_bits; 3465 newbie->ipsa_authkeylen = SADB_1TO8(akey->sadb_key_bits); 3466 /* In case we have to round up to the next byte... */ 3467 if ((akey->sadb_key_bits & 0x7) != 0) 3468 newbie->ipsa_authkeylen++; 3469 newbie->ipsa_authkey = kmem_alloc(newbie->ipsa_authkeylen, 3470 KM_NOSLEEP); 3471 if (newbie->ipsa_authkey == NULL) { 3472 error = ENOMEM; 3473 mutex_exit(&newbie->ipsa_lock); 3474 goto error; 3475 } 3476 bcopy(akey + 1, newbie->ipsa_authkey, newbie->ipsa_authkeylen); 3477 bzero(akey + 1, newbie->ipsa_authkeylen); 3478 3479 /* 3480 * Pre-initialize the kernel crypto framework key 3481 * structure. 3482 */ 3483 newbie->ipsa_kcfauthkey.ck_format = CRYPTO_KEY_RAW; 3484 newbie->ipsa_kcfauthkey.ck_length = newbie->ipsa_authkeybits; 3485 newbie->ipsa_kcfauthkey.ck_data = newbie->ipsa_authkey; 3486 3487 mutex_enter(&ipss->ipsec_alg_lock); 3488 error = ipsec_create_ctx_tmpl(newbie, IPSEC_ALG_AUTH); 3489 mutex_exit(&ipss->ipsec_alg_lock); 3490 if (error != 0) { 3491 mutex_exit(&newbie->ipsa_lock); 3492 /* 3493 * An error here indicates that alg is the wrong type 3494 * (IE: not authentication) or its not in the alg tables 3495 * created by ipsecalgs(1m), or Kcf does not like the 3496 * parameters passed in with this algorithm, which is 3497 * probably a coding error! 3498 */ 3499 *diagnostic = SADB_X_DIAGNOSTIC_BAD_CTX; 3500 goto error; 3501 } 3502 } 3503 3504 if (ekey != NULL) { 3505 newbie->ipsa_encrkeybits = ekey->sadb_key_bits; 3506 newbie->ipsa_encrkeylen = SADB_1TO8(ekey->sadb_key_bits); 3507 /* In case we have to round up to the next byte... */ 3508 if ((ekey->sadb_key_bits & 0x7) != 0) 3509 newbie->ipsa_encrkeylen++; 3510 newbie->ipsa_encrkey = kmem_alloc(newbie->ipsa_encrkeylen, 3511 KM_NOSLEEP); 3512 if (newbie->ipsa_encrkey == NULL) { 3513 error = ENOMEM; 3514 mutex_exit(&newbie->ipsa_lock); 3515 goto error; 3516 } 3517 bcopy(ekey + 1, newbie->ipsa_encrkey, newbie->ipsa_encrkeylen); 3518 /* XXX is this safe w.r.t db_ref, etc? */ 3519 bzero(ekey + 1, newbie->ipsa_encrkeylen); 3520 3521 /* 3522 * Pre-initialize the kernel crypto framework key 3523 * structure. 3524 */ 3525 newbie->ipsa_kcfencrkey.ck_format = CRYPTO_KEY_RAW; 3526 newbie->ipsa_kcfencrkey.ck_length = newbie->ipsa_encrkeybits; 3527 newbie->ipsa_kcfencrkey.ck_data = newbie->ipsa_encrkey; 3528 3529 mutex_enter(&ipss->ipsec_alg_lock); 3530 error = ipsec_create_ctx_tmpl(newbie, IPSEC_ALG_ENCR); 3531 mutex_exit(&ipss->ipsec_alg_lock); 3532 if (error != 0) { 3533 mutex_exit(&newbie->ipsa_lock); 3534 /* See above for error explanation. */ 3535 *diagnostic = SADB_X_DIAGNOSTIC_BAD_CTX; 3536 goto error; 3537 } 3538 } 3539 3540 sadb_init_alginfo(newbie); 3541 3542 /* 3543 * Ptrs to processing functions. 3544 */ 3545 if (newbie->ipsa_type == SADB_SATYPE_ESP) 3546 ipsecesp_init_funcs(newbie); 3547 else 3548 ipsecah_init_funcs(newbie); 3549 ASSERT(newbie->ipsa_output_func != NULL && 3550 newbie->ipsa_input_func != NULL); 3551 3552 /* 3553 * Certificate ID stuff. 3554 */ 3555 if (ksi->ks_in_extv[SADB_EXT_IDENTITY_SRC] != NULL) { 3556 sadb_ident_t *id = 3557 (sadb_ident_t *)ksi->ks_in_extv[SADB_EXT_IDENTITY_SRC]; 3558 3559 /* 3560 * Can assume strlen() will return okay because ext_check() in 3561 * keysock.c prepares the string for us. 3562 */ 3563 newbie->ipsa_src_cid = ipsid_lookup(id->sadb_ident_type, 3564 (char *)(id+1), ns); 3565 if (newbie->ipsa_src_cid == NULL) { 3566 error = ENOMEM; 3567 mutex_exit(&newbie->ipsa_lock); 3568 goto error; 3569 } 3570 } 3571 3572 if (ksi->ks_in_extv[SADB_EXT_IDENTITY_DST] != NULL) { 3573 sadb_ident_t *id = 3574 (sadb_ident_t *)ksi->ks_in_extv[SADB_EXT_IDENTITY_DST]; 3575 3576 /* 3577 * Can assume strlen() will return okay because ext_check() in 3578 * keysock.c prepares the string for us. 3579 */ 3580 newbie->ipsa_dst_cid = ipsid_lookup(id->sadb_ident_type, 3581 (char *)(id+1), ns); 3582 if (newbie->ipsa_dst_cid == NULL) { 3583 error = ENOMEM; 3584 mutex_exit(&newbie->ipsa_lock); 3585 goto error; 3586 } 3587 } 3588 3589 #if 0 3590 /* XXXMLS SENSITIVITY handling code. */ 3591 if (sens != NULL) { 3592 int i; 3593 uint64_t *bitmap = (uint64_t *)(sens + 1); 3594 3595 newbie->ipsa_dpd = sens->sadb_sens_dpd; 3596 newbie->ipsa_senslevel = sens->sadb_sens_sens_level; 3597 newbie->ipsa_integlevel = sens->sadb_sens_integ_level; 3598 newbie->ipsa_senslen = SADB_64TO8(sens->sadb_sens_sens_len); 3599 newbie->ipsa_integlen = SADB_64TO8(sens->sadb_sens_integ_len); 3600 newbie->ipsa_integ = kmem_alloc(newbie->ipsa_integlen, 3601 KM_NOSLEEP); 3602 if (newbie->ipsa_integ == NULL) { 3603 error = ENOMEM; 3604 mutex_exit(&newbie->ipsa_lock); 3605 goto error; 3606 } 3607 newbie->ipsa_sens = kmem_alloc(newbie->ipsa_senslen, 3608 KM_NOSLEEP); 3609 if (newbie->ipsa_sens == NULL) { 3610 error = ENOMEM; 3611 mutex_exit(&newbie->ipsa_lock); 3612 goto error; 3613 } 3614 for (i = 0; i < sens->sadb_sens_sens_len; i++) { 3615 newbie->ipsa_sens[i] = *bitmap; 3616 bitmap++; 3617 } 3618 for (i = 0; i < sens->sadb_sens_integ_len; i++) { 3619 newbie->ipsa_integ[i] = *bitmap; 3620 bitmap++; 3621 } 3622 } 3623 3624 #endif 3625 3626 if (replayext != NULL) { 3627 if ((replayext->sadb_x_rc_replay32 == 0) && 3628 (replayext->sadb_x_rc_replay64 != 0)) { 3629 error = EOPNOTSUPP; 3630 *diagnostic = SADB_X_DIAGNOSTIC_INVALID_REPLAY; 3631 mutex_exit(&newbie->ipsa_lock); 3632 goto error; 3633 } 3634 newbie->ipsa_replay = replayext->sadb_x_rc_replay32; 3635 } 3636 3637 /* now that the SA has been updated, set its new state */ 3638 newbie->ipsa_state = assoc->sadb_sa_state; 3639 3640 if (clone) { 3641 newbie->ipsa_haspeer = B_TRUE; 3642 } else { 3643 if (!is_inbound) { 3644 lifetime_fuzz(newbie); 3645 } 3646 } 3647 /* 3648 * The less locks I hold when doing an insertion and possible cloning, 3649 * the better! 3650 */ 3651 mutex_exit(&newbie->ipsa_lock); 3652 3653 if (clone) { 3654 newbie_clone = sadb_cloneassoc(newbie); 3655 3656 if (newbie_clone == NULL) { 3657 error = ENOMEM; 3658 goto error; 3659 } 3660 } 3661 3662 /* 3663 * Enter the bucket locks. The order of entry is outbound, 3664 * inbound. We map "primary" and "secondary" into outbound and inbound 3665 * based on the destination address type. If the destination address 3666 * type is for a node that isn't mine (or potentially mine), the 3667 * "primary" bucket is the outbound one. 3668 */ 3669 if (!is_inbound) { 3670 /* primary == outbound */ 3671 mutex_enter(&primary->isaf_lock); 3672 mutex_enter(&secondary->isaf_lock); 3673 } else { 3674 /* primary == inbound */ 3675 mutex_enter(&secondary->isaf_lock); 3676 mutex_enter(&primary->isaf_lock); 3677 } 3678 3679 IPSECHW_DEBUG(IPSECHW_SADB, ("sadb_common_add: spi = 0x%x\n", 3680 newbie->ipsa_spi)); 3681 3682 /* 3683 * sadb_insertassoc() doesn't increment the reference 3684 * count. We therefore have to increment the 3685 * reference count one more time to reflect the 3686 * pointers of the table that reference this SA. 3687 */ 3688 IPSA_REFHOLD(newbie); 3689 3690 if (isupdate) { 3691 /* 3692 * Unlink from larval holding cell in the "inbound" fanout. 3693 */ 3694 ASSERT(newbie->ipsa_linklock == &primary->isaf_lock || 3695 newbie->ipsa_linklock == &secondary->isaf_lock); 3696 sadb_unlinkassoc(newbie); 3697 } 3698 3699 mutex_enter(&newbie->ipsa_lock); 3700 error = sadb_insertassoc(newbie, primary); 3701 if (error == 0) { 3702 ctl_mp = sadb_fmt_sa_req(DL_CO_SET, newbie->ipsa_type, newbie, 3703 is_inbound); 3704 } 3705 mutex_exit(&newbie->ipsa_lock); 3706 3707 if (error != 0) { 3708 /* 3709 * Since sadb_insertassoc() failed, we must decrement the 3710 * refcount again so the cleanup code will actually free 3711 * the offending SA. 3712 */ 3713 IPSA_REFRELE(newbie); 3714 goto error_unlock; 3715 } 3716 3717 if (newbie_clone != NULL) { 3718 mutex_enter(&newbie_clone->ipsa_lock); 3719 error = sadb_insertassoc(newbie_clone, secondary); 3720 mutex_exit(&newbie_clone->ipsa_lock); 3721 if (error != 0) { 3722 /* Collision in secondary table. */ 3723 sadb_unlinkassoc(newbie); /* This does REFRELE. */ 3724 goto error_unlock; 3725 } 3726 IPSA_REFHOLD(newbie_clone); 3727 } else { 3728 ASSERT(primary != secondary); 3729 scratch = ipsec_getassocbyspi(secondary, newbie->ipsa_spi, 3730 ALL_ZEROES_PTR, newbie->ipsa_dstaddr, af); 3731 if (scratch != NULL) { 3732 /* Collision in secondary table. */ 3733 sadb_unlinkassoc(newbie); /* This does REFRELE. */ 3734 /* Set the error, since ipsec_getassocbyspi() can't. */ 3735 error = EEXIST; 3736 goto error_unlock; 3737 } 3738 } 3739 3740 /* OKAY! So let's do some reality check assertions. */ 3741 3742 ASSERT(MUTEX_NOT_HELD(&newbie->ipsa_lock)); 3743 ASSERT(newbie_clone == NULL || 3744 (MUTEX_NOT_HELD(&newbie_clone->ipsa_lock))); 3745 /* 3746 * If hardware acceleration could happen, send it. 3747 */ 3748 if (ctl_mp != NULL) { 3749 putnext(ip_q, ctl_mp); 3750 ctl_mp = NULL; 3751 } 3752 3753 error_unlock: 3754 3755 /* 3756 * We can exit the locks in any order. Only entrance needs to 3757 * follow any protocol. 3758 */ 3759 mutex_exit(&secondary->isaf_lock); 3760 mutex_exit(&primary->isaf_lock); 3761 3762 if (pair_ext != NULL && error == 0) { 3763 /* update pair_spi if it exists. */ 3764 ipsapp = get_ipsa_pair(assoc, srcext, dstext, spp); 3765 if (ipsapp == NULL) { 3766 error = ESRCH; 3767 *diagnostic = SADB_X_DIAGNOSTIC_PAIR_SA_NOTFOUND; 3768 } else if (ipsapp->ipsap_psa_ptr != NULL) { 3769 *diagnostic = SADB_X_DIAGNOSTIC_PAIR_ALREADY; 3770 error = EINVAL; 3771 } else { 3772 /* update_pairing() sets diagnostic */ 3773 error = update_pairing(ipsapp, ksi, diagnostic, spp); 3774 } 3775 } 3776 /* Common error point for this routine. */ 3777 error: 3778 if (newbie != NULL) { 3779 if (error != 0) { 3780 /* This SA is broken, let the reaper clean up. */ 3781 mutex_enter(&newbie->ipsa_lock); 3782 newbie->ipsa_state = IPSA_STATE_DEAD; 3783 newbie->ipsa_hardexpiretime = 1; 3784 mutex_exit(&newbie->ipsa_lock); 3785 } 3786 IPSA_REFRELE(newbie); 3787 } 3788 if (newbie_clone != NULL) { 3789 IPSA_REFRELE(newbie_clone); 3790 } 3791 if (ctl_mp != NULL) 3792 freemsg(ctl_mp); 3793 3794 if (error == 0) { 3795 /* 3796 * Construct favorable PF_KEY return message and send to 3797 * keysock. Update the flags in the original keysock message 3798 * to reflect the actual flags in the new SA. 3799 * (Q: Do I need to pass "newbie"? If I do, 3800 * make sure to REFHOLD, call, then REFRELE.) 3801 */ 3802 assoc->sadb_sa_flags = newbie->ipsa_flags; 3803 sadb_pfkey_echo(pfkey_q, mp, samsg, ksi, NULL); 3804 } 3805 3806 destroy_ipsa_pair(ipsapp); 3807 return (error); 3808 } 3809 3810 /* 3811 * Set the time of first use for a security association. Update any 3812 * expiration times as a result. 3813 */ 3814 void 3815 sadb_set_usetime(ipsa_t *assoc) 3816 { 3817 time_t snapshot = gethrestime_sec(); 3818 3819 mutex_enter(&assoc->ipsa_lock); 3820 assoc->ipsa_lastuse = snapshot; 3821 assoc->ipsa_idleexpiretime = snapshot + assoc->ipsa_idletime; 3822 3823 /* 3824 * Caller does check usetime before calling me usually, and 3825 * double-checking is better than a mutex_enter/exit hit. 3826 */ 3827 if (assoc->ipsa_usetime == 0) { 3828 /* 3829 * This is redundant for outbound SA's, as 3830 * ipsec_getassocbyconn() sets the IPSA_F_USED flag already. 3831 * Inbound SAs, however, have no such protection. 3832 */ 3833 assoc->ipsa_flags |= IPSA_F_USED; 3834 assoc->ipsa_usetime = snapshot; 3835 3836 /* 3837 * After setting the use time, see if we have a use lifetime 3838 * that would cause the actual SA expiration time to shorten. 3839 */ 3840 UPDATE_EXPIRE(assoc, softuselt, softexpiretime); 3841 UPDATE_EXPIRE(assoc, harduselt, hardexpiretime); 3842 } 3843 mutex_exit(&assoc->ipsa_lock); 3844 } 3845 3846 /* 3847 * Send up a PF_KEY expire message for this association. 3848 */ 3849 static void 3850 sadb_expire_assoc(queue_t *pfkey_q, ipsa_t *assoc) 3851 { 3852 mblk_t *mp, *mp1; 3853 int alloclen, af; 3854 sadb_msg_t *samsg; 3855 sadb_lifetime_t *current, *expire; 3856 sadb_sa_t *saext; 3857 uint8_t *end; 3858 boolean_t tunnel_mode; 3859 3860 ASSERT(MUTEX_HELD(&assoc->ipsa_lock)); 3861 3862 /* Don't bother sending if there's no queue. */ 3863 if (pfkey_q == NULL) 3864 return; 3865 3866 /* If the SA is one of a pair, only SOFT expire the OUTBOUND SA */ 3867 if (assoc->ipsa_state == IPSA_STATE_DYING && 3868 (assoc->ipsa_flags & IPSA_F_PAIRED) && 3869 !(assoc->ipsa_flags & IPSA_F_OUTBOUND)) { 3870 return; 3871 } 3872 3873 mp = sadb_keysock_out(0); 3874 if (mp == NULL) { 3875 /* cmn_err(CE_WARN, */ 3876 /* "sadb_expire_assoc: Can't allocate KEYSOCK_OUT.\n"); */ 3877 return; 3878 } 3879 3880 alloclen = sizeof (*samsg) + sizeof (*current) + sizeof (*expire) + 3881 2 * sizeof (sadb_address_t) + sizeof (*saext); 3882 3883 af = assoc->ipsa_addrfam; 3884 switch (af) { 3885 case AF_INET: 3886 alloclen += 2 * sizeof (struct sockaddr_in); 3887 break; 3888 case AF_INET6: 3889 alloclen += 2 * sizeof (struct sockaddr_in6); 3890 break; 3891 default: 3892 /* Won't happen unless there's a kernel bug. */ 3893 freeb(mp); 3894 cmn_err(CE_WARN, 3895 "sadb_expire_assoc: Unknown address length.\n"); 3896 return; 3897 } 3898 3899 tunnel_mode = (assoc->ipsa_flags & IPSA_F_TUNNEL); 3900 if (tunnel_mode) { 3901 alloclen += 2 * sizeof (sadb_address_t); 3902 switch (assoc->ipsa_innerfam) { 3903 case AF_INET: 3904 alloclen += 2 * sizeof (struct sockaddr_in); 3905 break; 3906 case AF_INET6: 3907 alloclen += 2 * sizeof (struct sockaddr_in6); 3908 break; 3909 default: 3910 /* Won't happen unless there's a kernel bug. */ 3911 freeb(mp); 3912 cmn_err(CE_WARN, "sadb_expire_assoc: " 3913 "Unknown inner address length.\n"); 3914 return; 3915 } 3916 } 3917 3918 mp->b_cont = allocb(alloclen, BPRI_HI); 3919 if (mp->b_cont == NULL) { 3920 freeb(mp); 3921 /* cmn_err(CE_WARN, */ 3922 /* "sadb_expire_assoc: Can't allocate message.\n"); */ 3923 return; 3924 } 3925 3926 mp1 = mp; 3927 mp = mp->b_cont; 3928 end = mp->b_wptr + alloclen; 3929 3930 samsg = (sadb_msg_t *)mp->b_wptr; 3931 mp->b_wptr += sizeof (*samsg); 3932 samsg->sadb_msg_version = PF_KEY_V2; 3933 samsg->sadb_msg_type = SADB_EXPIRE; 3934 samsg->sadb_msg_errno = 0; 3935 samsg->sadb_msg_satype = assoc->ipsa_type; 3936 samsg->sadb_msg_len = SADB_8TO64(alloclen); 3937 samsg->sadb_msg_reserved = 0; 3938 samsg->sadb_msg_seq = 0; 3939 samsg->sadb_msg_pid = 0; 3940 3941 saext = (sadb_sa_t *)mp->b_wptr; 3942 mp->b_wptr += sizeof (*saext); 3943 saext->sadb_sa_len = SADB_8TO64(sizeof (*saext)); 3944 saext->sadb_sa_exttype = SADB_EXT_SA; 3945 saext->sadb_sa_spi = assoc->ipsa_spi; 3946 saext->sadb_sa_replay = assoc->ipsa_replay_wsize; 3947 saext->sadb_sa_state = assoc->ipsa_state; 3948 saext->sadb_sa_auth = assoc->ipsa_auth_alg; 3949 saext->sadb_sa_encrypt = assoc->ipsa_encr_alg; 3950 saext->sadb_sa_flags = assoc->ipsa_flags; 3951 3952 current = (sadb_lifetime_t *)mp->b_wptr; 3953 mp->b_wptr += sizeof (sadb_lifetime_t); 3954 current->sadb_lifetime_len = SADB_8TO64(sizeof (*current)); 3955 current->sadb_lifetime_exttype = SADB_EXT_LIFETIME_CURRENT; 3956 /* We do not support the concept. */ 3957 current->sadb_lifetime_allocations = 0; 3958 current->sadb_lifetime_bytes = assoc->ipsa_bytes; 3959 current->sadb_lifetime_addtime = assoc->ipsa_addtime; 3960 current->sadb_lifetime_usetime = assoc->ipsa_usetime; 3961 3962 expire = (sadb_lifetime_t *)mp->b_wptr; 3963 mp->b_wptr += sizeof (*expire); 3964 expire->sadb_lifetime_len = SADB_8TO64(sizeof (*expire)); 3965 3966 if (assoc->ipsa_state == IPSA_STATE_DEAD) { 3967 expire->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD; 3968 expire->sadb_lifetime_allocations = assoc->ipsa_hardalloc; 3969 expire->sadb_lifetime_bytes = assoc->ipsa_hardbyteslt; 3970 expire->sadb_lifetime_addtime = assoc->ipsa_hardaddlt; 3971 expire->sadb_lifetime_usetime = assoc->ipsa_harduselt; 3972 } else if (assoc->ipsa_state == IPSA_STATE_DYING) { 3973 expire->sadb_lifetime_exttype = SADB_EXT_LIFETIME_SOFT; 3974 expire->sadb_lifetime_allocations = assoc->ipsa_softalloc; 3975 expire->sadb_lifetime_bytes = assoc->ipsa_softbyteslt; 3976 expire->sadb_lifetime_addtime = assoc->ipsa_softaddlt; 3977 expire->sadb_lifetime_usetime = assoc->ipsa_softuselt; 3978 } else { 3979 ASSERT(assoc->ipsa_state == IPSA_STATE_MATURE); 3980 expire->sadb_lifetime_exttype = SADB_X_EXT_LIFETIME_IDLE; 3981 expire->sadb_lifetime_allocations = 0; 3982 expire->sadb_lifetime_bytes = 0; 3983 expire->sadb_lifetime_addtime = assoc->ipsa_idleaddlt; 3984 expire->sadb_lifetime_usetime = assoc->ipsa_idleuselt; 3985 } 3986 3987 mp->b_wptr = sadb_make_addr_ext(mp->b_wptr, end, SADB_EXT_ADDRESS_SRC, 3988 af, assoc->ipsa_srcaddr, tunnel_mode ? 0 : SA_SRCPORT(assoc), 3989 SA_PROTO(assoc), 0); 3990 ASSERT(mp->b_wptr != NULL); 3991 3992 mp->b_wptr = sadb_make_addr_ext(mp->b_wptr, end, SADB_EXT_ADDRESS_DST, 3993 af, assoc->ipsa_dstaddr, tunnel_mode ? 0 : SA_DSTPORT(assoc), 3994 SA_PROTO(assoc), 0); 3995 ASSERT(mp->b_wptr != NULL); 3996 3997 if (tunnel_mode) { 3998 mp->b_wptr = sadb_make_addr_ext(mp->b_wptr, end, 3999 SADB_X_EXT_ADDRESS_INNER_SRC, assoc->ipsa_innerfam, 4000 assoc->ipsa_innersrc, SA_SRCPORT(assoc), SA_IPROTO(assoc), 4001 assoc->ipsa_innersrcpfx); 4002 ASSERT(mp->b_wptr != NULL); 4003 mp->b_wptr = sadb_make_addr_ext(mp->b_wptr, end, 4004 SADB_X_EXT_ADDRESS_INNER_DST, assoc->ipsa_innerfam, 4005 assoc->ipsa_innerdst, SA_DSTPORT(assoc), SA_IPROTO(assoc), 4006 assoc->ipsa_innerdstpfx); 4007 ASSERT(mp->b_wptr != NULL); 4008 } 4009 4010 /* Can just putnext, we're ready to go! */ 4011 putnext(pfkey_q, mp1); 4012 } 4013 4014 /* 4015 * "Age" the SA with the number of bytes that was used to protect traffic. 4016 * Send an SADB_EXPIRE message if appropriate. Return B_TRUE if there was 4017 * enough "charge" left in the SA to protect the data. Return B_FALSE 4018 * otherwise. (If B_FALSE is returned, the association either was, or became 4019 * DEAD.) 4020 */ 4021 boolean_t 4022 sadb_age_bytes(queue_t *pfkey_q, ipsa_t *assoc, uint64_t bytes, 4023 boolean_t sendmsg) 4024 { 4025 boolean_t rc = B_TRUE; 4026 uint64_t newtotal; 4027 4028 mutex_enter(&assoc->ipsa_lock); 4029 newtotal = assoc->ipsa_bytes + bytes; 4030 if (assoc->ipsa_hardbyteslt != 0 && 4031 newtotal >= assoc->ipsa_hardbyteslt) { 4032 if (assoc->ipsa_state != IPSA_STATE_DEAD) { 4033 sadb_delete_cluster(assoc); 4034 /* 4035 * Send EXPIRE message to PF_KEY. May wish to pawn 4036 * this off on another non-interrupt thread. Also 4037 * unlink this SA immediately. 4038 */ 4039 assoc->ipsa_state = IPSA_STATE_DEAD; 4040 if (sendmsg) 4041 sadb_expire_assoc(pfkey_q, assoc); 4042 /* 4043 * Set non-zero expiration time so sadb_age_assoc() 4044 * will work when reaping. 4045 */ 4046 assoc->ipsa_hardexpiretime = (time_t)1; 4047 } /* Else someone beat me to it! */ 4048 rc = B_FALSE; 4049 } else if (assoc->ipsa_softbyteslt != 0 && 4050 (newtotal >= assoc->ipsa_softbyteslt)) { 4051 if (assoc->ipsa_state < IPSA_STATE_DYING) { 4052 /* 4053 * Send EXPIRE message to PF_KEY. May wish to pawn 4054 * this off on another non-interrupt thread. 4055 */ 4056 assoc->ipsa_state = IPSA_STATE_DYING; 4057 assoc->ipsa_bytes = newtotal; 4058 if (sendmsg) 4059 sadb_expire_assoc(pfkey_q, assoc); 4060 } /* Else someone beat me to it! */ 4061 } 4062 if (rc == B_TRUE) 4063 assoc->ipsa_bytes = newtotal; 4064 mutex_exit(&assoc->ipsa_lock); 4065 return (rc); 4066 } 4067 4068 /* 4069 * Push one or more DL_CO_DELETE messages queued up by 4070 * sadb_torch_assoc down to the underlying driver now that it's a 4071 * convenient time for it (i.e., ipsa bucket locks not held). 4072 */ 4073 static void 4074 sadb_drain_torchq(queue_t *q, mblk_t *mp) 4075 { 4076 while (mp != NULL) { 4077 mblk_t *next = mp->b_next; 4078 mp->b_next = NULL; 4079 if (q != NULL) 4080 putnext(q, mp); 4081 else 4082 freemsg(mp); 4083 mp = next; 4084 } 4085 } 4086 4087 /* 4088 * "Torch" an individual SA. Returns NULL, so it can be tail-called from 4089 * sadb_age_assoc(). 4090 * 4091 * If SA is hardware-accelerated, and we can't allocate the mblk 4092 * containing the DL_CO_DELETE, just return; it will remain in the 4093 * table and be swept up by sadb_ager() in a subsequent pass. 4094 */ 4095 static ipsa_t * 4096 sadb_torch_assoc(isaf_t *head, ipsa_t *sa, boolean_t inbnd, mblk_t **mq) 4097 { 4098 mblk_t *mp; 4099 4100 ASSERT(MUTEX_HELD(&head->isaf_lock)); 4101 ASSERT(MUTEX_HELD(&sa->ipsa_lock)); 4102 ASSERT(sa->ipsa_state == IPSA_STATE_DEAD); 4103 4104 /* 4105 * Force cached SAs to be revalidated.. 4106 */ 4107 head->isaf_gen++; 4108 4109 if (sa->ipsa_flags & IPSA_F_HW) { 4110 mp = sadb_fmt_sa_req(DL_CO_DELETE, sa->ipsa_type, sa, inbnd); 4111 if (mp == NULL) { 4112 mutex_exit(&sa->ipsa_lock); 4113 return (NULL); 4114 } 4115 mp->b_next = *mq; 4116 *mq = mp; 4117 } 4118 mutex_exit(&sa->ipsa_lock); 4119 sadb_unlinkassoc(sa); 4120 4121 return (NULL); 4122 } 4123 4124 /* 4125 * Do various SA-is-idle activities depending on delta (the number of idle 4126 * seconds on the SA) and/or other properties of the SA. 4127 * 4128 * Return B_TRUE if I've sent a packet, because I have to drop the 4129 * association's mutex before sending a packet out the wire. 4130 */ 4131 /* ARGSUSED */ 4132 static boolean_t 4133 sadb_idle_activities(ipsa_t *assoc, time_t delta, boolean_t inbound) 4134 { 4135 ipsecesp_stack_t *espstack = assoc->ipsa_netstack->netstack_ipsecesp; 4136 int nat_t_interval = espstack->ipsecesp_nat_keepalive_interval; 4137 4138 ASSERT(MUTEX_HELD(&assoc->ipsa_lock)); 4139 4140 if (!inbound && (assoc->ipsa_flags & IPSA_F_NATT_LOC) && 4141 delta >= nat_t_interval && 4142 gethrestime_sec() - assoc->ipsa_last_nat_t_ka >= nat_t_interval) { 4143 ASSERT(assoc->ipsa_type == SADB_SATYPE_ESP); 4144 assoc->ipsa_last_nat_t_ka = gethrestime_sec(); 4145 mutex_exit(&assoc->ipsa_lock); 4146 ipsecesp_send_keepalive(assoc); 4147 return (B_TRUE); 4148 } 4149 return (B_FALSE); 4150 } 4151 4152 /* 4153 * Return "assoc" if haspeer is true and I send an expire. This allows 4154 * the consumers' aging functions to tidy up an expired SA's peer. 4155 */ 4156 static ipsa_t * 4157 sadb_age_assoc(isaf_t *head, queue_t *pfkey_q, ipsa_t *assoc, 4158 time_t current, int reap_delay, boolean_t inbound, mblk_t **mq) 4159 { 4160 ipsa_t *retval = NULL; 4161 boolean_t dropped_mutex = B_FALSE; 4162 4163 ASSERT(MUTEX_HELD(&head->isaf_lock)); 4164 4165 mutex_enter(&assoc->ipsa_lock); 4166 4167 if (((assoc->ipsa_state == IPSA_STATE_LARVAL) || 4168 ((assoc->ipsa_state == IPSA_STATE_IDLE) || 4169 (assoc->ipsa_state == IPSA_STATE_ACTIVE_ELSEWHERE) && 4170 (assoc->ipsa_hardexpiretime != 0))) && 4171 (assoc->ipsa_hardexpiretime <= current)) { 4172 assoc->ipsa_state = IPSA_STATE_DEAD; 4173 return (sadb_torch_assoc(head, assoc, inbound, mq)); 4174 } 4175 4176 /* 4177 * Check lifetimes. Fortunately, SA setup is done 4178 * such that there are only two times to look at, 4179 * softexpiretime, and hardexpiretime. 4180 * 4181 * Check hard first. 4182 */ 4183 4184 if (assoc->ipsa_hardexpiretime != 0 && 4185 assoc->ipsa_hardexpiretime <= current) { 4186 if (assoc->ipsa_state == IPSA_STATE_DEAD) 4187 return (sadb_torch_assoc(head, assoc, inbound, mq)); 4188 4189 if (inbound) { 4190 sadb_delete_cluster(assoc); 4191 } 4192 4193 /* 4194 * Send SADB_EXPIRE with hard lifetime, delay for unlinking. 4195 */ 4196 assoc->ipsa_state = IPSA_STATE_DEAD; 4197 if (assoc->ipsa_haspeer || assoc->ipsa_otherspi != 0) { 4198 /* 4199 * If the SA is paired or peered with another, put 4200 * a copy on a list which can be processed later, the 4201 * pair/peer SA needs to be updated so the both die 4202 * at the same time. 4203 * 4204 * If I return assoc, I have to bump up its reference 4205 * count to keep with the ipsa_t reference count 4206 * semantics. 4207 */ 4208 IPSA_REFHOLD(assoc); 4209 retval = assoc; 4210 } 4211 sadb_expire_assoc(pfkey_q, assoc); 4212 assoc->ipsa_hardexpiretime = current + reap_delay; 4213 } else if (assoc->ipsa_softexpiretime != 0 && 4214 assoc->ipsa_softexpiretime <= current && 4215 assoc->ipsa_state < IPSA_STATE_DYING) { 4216 /* 4217 * Send EXPIRE message to PF_KEY. May wish to pawn 4218 * this off on another non-interrupt thread. 4219 */ 4220 assoc->ipsa_state = IPSA_STATE_DYING; 4221 if (assoc->ipsa_haspeer) { 4222 /* 4223 * If the SA has a peer, update the peer's state 4224 * on SOFT_EXPIRE, this is mostly to prevent two 4225 * expire messages from effectively the same SA. 4226 * 4227 * Don't care about paired SA's, then can (and should) 4228 * be able to soft expire at different times. 4229 * 4230 * If I return assoc, I have to bump up its 4231 * reference count to keep with the ipsa_t reference 4232 * count semantics. 4233 */ 4234 IPSA_REFHOLD(assoc); 4235 retval = assoc; 4236 } 4237 sadb_expire_assoc(pfkey_q, assoc); 4238 } else if (assoc->ipsa_idletime != 0 && 4239 assoc->ipsa_idleexpiretime <= current) { 4240 if (assoc->ipsa_state == IPSA_STATE_ACTIVE_ELSEWHERE) { 4241 assoc->ipsa_state = IPSA_STATE_IDLE; 4242 } 4243 4244 /* 4245 * Need to handle Mature case 4246 */ 4247 if (assoc->ipsa_state == IPSA_STATE_MATURE) { 4248 sadb_expire_assoc(pfkey_q, assoc); 4249 } 4250 } else { 4251 /* Check idle time activities. */ 4252 dropped_mutex = sadb_idle_activities(assoc, 4253 current - assoc->ipsa_lastuse, inbound); 4254 } 4255 4256 if (!dropped_mutex) 4257 mutex_exit(&assoc->ipsa_lock); 4258 return (retval); 4259 } 4260 4261 /* 4262 * Called by a consumer protocol to do ther dirty work of reaping dead 4263 * Security Associations. 4264 * 4265 * NOTE: sadb_age_assoc() marks expired SA's as DEAD but only removed 4266 * SA's that are already marked DEAD, so expired SA's are only reaped 4267 * the second time sadb_ager() runs. 4268 */ 4269 void 4270 sadb_ager(sadb_t *sp, queue_t *pfkey_q, queue_t *ip_q, int reap_delay, 4271 netstack_t *ns) 4272 { 4273 int i; 4274 isaf_t *bucket; 4275 ipsa_t *assoc, *spare; 4276 iacqf_t *acqlist; 4277 ipsacq_t *acqrec, *spareacq; 4278 templist_t *haspeerlist, *newbie; 4279 /* Snapshot current time now. */ 4280 time_t current = gethrestime_sec(); 4281 mblk_t *mq = NULL; 4282 haspeerlist = NULL; 4283 4284 /* 4285 * Do my dirty work. This includes aging real entries, aging 4286 * larvals, and aging outstanding ACQUIREs. 4287 * 4288 * I hope I don't tie up resources for too long. 4289 */ 4290 4291 /* Age acquires. */ 4292 4293 for (i = 0; i < sp->sdb_hashsize; i++) { 4294 acqlist = &sp->sdb_acq[i]; 4295 mutex_enter(&acqlist->iacqf_lock); 4296 for (acqrec = acqlist->iacqf_ipsacq; acqrec != NULL; 4297 acqrec = spareacq) { 4298 spareacq = acqrec->ipsacq_next; 4299 if (current > acqrec->ipsacq_expire) 4300 sadb_destroy_acquire(acqrec, ns); 4301 } 4302 mutex_exit(&acqlist->iacqf_lock); 4303 } 4304 4305 /* Age inbound associations. */ 4306 for (i = 0; i < sp->sdb_hashsize; i++) { 4307 bucket = &(sp->sdb_if[i]); 4308 mutex_enter(&bucket->isaf_lock); 4309 for (assoc = bucket->isaf_ipsa; assoc != NULL; 4310 assoc = spare) { 4311 spare = assoc->ipsa_next; 4312 if (sadb_age_assoc(bucket, pfkey_q, assoc, current, 4313 reap_delay, B_TRUE, &mq) != NULL) { 4314 /* 4315 * Put SA's which have a peer or SA's which 4316 * are paired on a list for processing after 4317 * all the hash tables have been walked. 4318 * 4319 * sadb_age_assoc() increments the refcnt, 4320 * effectively doing an IPSA_REFHOLD(). 4321 */ 4322 newbie = kmem_alloc(sizeof (*newbie), 4323 KM_NOSLEEP); 4324 if (newbie == NULL) { 4325 /* 4326 * Don't forget to REFRELE(). 4327 */ 4328 IPSA_REFRELE(assoc); 4329 continue; /* for loop... */ 4330 } 4331 newbie->next = haspeerlist; 4332 newbie->ipsa = assoc; 4333 haspeerlist = newbie; 4334 } 4335 } 4336 mutex_exit(&bucket->isaf_lock); 4337 } 4338 4339 if (mq != NULL) { 4340 sadb_drain_torchq(ip_q, mq); 4341 mq = NULL; 4342 } 4343 age_pair_peer_list(haspeerlist, sp, B_FALSE); 4344 haspeerlist = NULL; 4345 4346 /* Age outbound associations. */ 4347 for (i = 0; i < sp->sdb_hashsize; i++) { 4348 bucket = &(sp->sdb_of[i]); 4349 mutex_enter(&bucket->isaf_lock); 4350 for (assoc = bucket->isaf_ipsa; assoc != NULL; 4351 assoc = spare) { 4352 spare = assoc->ipsa_next; 4353 if (sadb_age_assoc(bucket, pfkey_q, assoc, current, 4354 reap_delay, B_FALSE, &mq) != NULL) { 4355 /* 4356 * sadb_age_assoc() increments the refcnt, 4357 * effectively doing an IPSA_REFHOLD(). 4358 */ 4359 newbie = kmem_alloc(sizeof (*newbie), 4360 KM_NOSLEEP); 4361 if (newbie == NULL) { 4362 /* 4363 * Don't forget to REFRELE(). 4364 */ 4365 IPSA_REFRELE(assoc); 4366 continue; /* for loop... */ 4367 } 4368 newbie->next = haspeerlist; 4369 newbie->ipsa = assoc; 4370 haspeerlist = newbie; 4371 } 4372 } 4373 mutex_exit(&bucket->isaf_lock); 4374 } 4375 if (mq != NULL) { 4376 sadb_drain_torchq(ip_q, mq); 4377 mq = NULL; 4378 } 4379 4380 age_pair_peer_list(haspeerlist, sp, B_TRUE); 4381 4382 /* 4383 * Run a GC pass to clean out dead identities. 4384 */ 4385 ipsid_gc(ns); 4386 } 4387 4388 /* 4389 * Figure out when to reschedule the ager. 4390 */ 4391 timeout_id_t 4392 sadb_retimeout(hrtime_t begin, queue_t *pfkey_q, void (*ager)(void *), 4393 void *agerarg, uint_t *intp, uint_t intmax, short mid) 4394 { 4395 hrtime_t end = gethrtime(); 4396 uint_t interval = *intp; 4397 4398 /* 4399 * See how long this took. If it took too long, increase the 4400 * aging interval. 4401 */ 4402 if ((end - begin) > (hrtime_t)interval * (hrtime_t)1000000) { 4403 if (interval >= intmax) { 4404 /* XXX Rate limit this? Or recommend flush? */ 4405 (void) strlog(mid, 0, 0, SL_ERROR | SL_WARN, 4406 "Too many SA's to age out in %d msec.\n", 4407 intmax); 4408 } else { 4409 /* Double by shifting by one bit. */ 4410 interval <<= 1; 4411 interval = min(interval, intmax); 4412 } 4413 } else if ((end - begin) <= (hrtime_t)interval * (hrtime_t)500000 && 4414 interval > SADB_AGE_INTERVAL_DEFAULT) { 4415 /* 4416 * If I took less than half of the interval, then I should 4417 * ratchet the interval back down. Never automatically 4418 * shift below the default aging interval. 4419 * 4420 * NOTE:This even overrides manual setting of the age 4421 * interval using NDD to lower the setting past the 4422 * default. In other words, if you set the interval 4423 * lower than the default, and your SADB gets too big, 4424 * the interval will only self-lower back to the default. 4425 */ 4426 /* Halve by shifting one bit. */ 4427 interval >>= 1; 4428 interval = max(interval, SADB_AGE_INTERVAL_DEFAULT); 4429 } 4430 *intp = interval; 4431 return (qtimeout(pfkey_q, ager, agerarg, 4432 drv_usectohz(interval * 1000))); 4433 } 4434 4435 4436 /* 4437 * Update the lifetime values of an SA. This is the path an SADB_UPDATE 4438 * message takes when updating a MATURE or DYING SA. 4439 */ 4440 static void 4441 sadb_update_lifetimes(ipsa_t *assoc, sadb_lifetime_t *hard, 4442 sadb_lifetime_t *soft, sadb_lifetime_t *idle, boolean_t outbound) 4443 { 4444 mutex_enter(&assoc->ipsa_lock); 4445 4446 /* 4447 * XXX RFC 2367 mentions how an SADB_EXT_LIFETIME_CURRENT can be 4448 * passed in during an update message. We currently don't handle 4449 * these. 4450 */ 4451 4452 if (hard != NULL) { 4453 if (hard->sadb_lifetime_bytes != 0) 4454 assoc->ipsa_hardbyteslt = hard->sadb_lifetime_bytes; 4455 if (hard->sadb_lifetime_usetime != 0) 4456 assoc->ipsa_harduselt = hard->sadb_lifetime_usetime; 4457 if (hard->sadb_lifetime_addtime != 0) 4458 assoc->ipsa_hardaddlt = hard->sadb_lifetime_addtime; 4459 if (assoc->ipsa_hardaddlt != 0) { 4460 assoc->ipsa_hardexpiretime = 4461 assoc->ipsa_addtime + assoc->ipsa_hardaddlt; 4462 } 4463 if (assoc->ipsa_harduselt != 0 && 4464 assoc->ipsa_flags & IPSA_F_USED) { 4465 UPDATE_EXPIRE(assoc, harduselt, hardexpiretime); 4466 } 4467 if (hard->sadb_lifetime_allocations != 0) 4468 assoc->ipsa_hardalloc = hard->sadb_lifetime_allocations; 4469 } 4470 4471 if (soft != NULL) { 4472 if (soft->sadb_lifetime_bytes != 0) { 4473 if (soft->sadb_lifetime_bytes > 4474 assoc->ipsa_hardbyteslt) { 4475 assoc->ipsa_softbyteslt = 4476 assoc->ipsa_hardbyteslt; 4477 } else { 4478 assoc->ipsa_softbyteslt = 4479 soft->sadb_lifetime_bytes; 4480 } 4481 } 4482 if (soft->sadb_lifetime_usetime != 0) { 4483 if (soft->sadb_lifetime_usetime > 4484 assoc->ipsa_harduselt) { 4485 assoc->ipsa_softuselt = 4486 assoc->ipsa_harduselt; 4487 } else { 4488 assoc->ipsa_softuselt = 4489 soft->sadb_lifetime_usetime; 4490 } 4491 } 4492 if (soft->sadb_lifetime_addtime != 0) { 4493 if (soft->sadb_lifetime_addtime > 4494 assoc->ipsa_hardexpiretime) { 4495 assoc->ipsa_softexpiretime = 4496 assoc->ipsa_hardexpiretime; 4497 } else { 4498 assoc->ipsa_softaddlt = 4499 soft->sadb_lifetime_addtime; 4500 } 4501 } 4502 if (assoc->ipsa_softaddlt != 0) { 4503 assoc->ipsa_softexpiretime = 4504 assoc->ipsa_addtime + assoc->ipsa_softaddlt; 4505 } 4506 if (assoc->ipsa_softuselt != 0 && 4507 assoc->ipsa_flags & IPSA_F_USED) { 4508 UPDATE_EXPIRE(assoc, softuselt, softexpiretime); 4509 } 4510 if (outbound && assoc->ipsa_softexpiretime != 0) { 4511 if (assoc->ipsa_state == IPSA_STATE_MATURE) 4512 lifetime_fuzz(assoc); 4513 } 4514 4515 if (soft->sadb_lifetime_allocations != 0) 4516 assoc->ipsa_softalloc = soft->sadb_lifetime_allocations; 4517 } 4518 4519 if (idle != NULL) { 4520 time_t current = gethrestime_sec(); 4521 if ((assoc->ipsa_idleexpiretime <= current) && 4522 (assoc->ipsa_idleaddlt == idle->sadb_lifetime_addtime)) { 4523 assoc->ipsa_idleexpiretime = 4524 current + assoc->ipsa_idleaddlt; 4525 } 4526 if (idle->sadb_lifetime_addtime != 0) 4527 assoc->ipsa_idleaddlt = idle->sadb_lifetime_addtime; 4528 if (idle->sadb_lifetime_usetime != 0) 4529 assoc->ipsa_idleuselt = idle->sadb_lifetime_usetime; 4530 if (assoc->ipsa_idleaddlt != 0) { 4531 assoc->ipsa_idleexpiretime = 4532 current + idle->sadb_lifetime_addtime; 4533 assoc->ipsa_idletime = idle->sadb_lifetime_addtime; 4534 } 4535 if (assoc->ipsa_idleuselt != 0) { 4536 if (assoc->ipsa_idletime != 0) { 4537 assoc->ipsa_idletime = min(assoc->ipsa_idletime, 4538 assoc->ipsa_idleuselt); 4539 assoc->ipsa_idleexpiretime = 4540 current + assoc->ipsa_idletime; 4541 } else { 4542 assoc->ipsa_idleexpiretime = 4543 current + assoc->ipsa_idleuselt; 4544 assoc->ipsa_idletime = assoc->ipsa_idleuselt; 4545 } 4546 } 4547 } 4548 mutex_exit(&assoc->ipsa_lock); 4549 } 4550 4551 static int 4552 sadb_update_state(ipsa_t *assoc, uint_t new_state, mblk_t **ipkt_lst) 4553 { 4554 int rcode = 0; 4555 time_t current = gethrestime_sec(); 4556 4557 mutex_enter(&assoc->ipsa_lock); 4558 4559 switch (new_state) { 4560 case SADB_X_SASTATE_ACTIVE_ELSEWHERE: 4561 if (assoc->ipsa_state == SADB_X_SASTATE_IDLE) { 4562 assoc->ipsa_state = IPSA_STATE_ACTIVE_ELSEWHERE; 4563 assoc->ipsa_idleexpiretime = 4564 current + assoc->ipsa_idletime; 4565 } 4566 break; 4567 case SADB_X_SASTATE_IDLE: 4568 if (assoc->ipsa_state == SADB_X_SASTATE_ACTIVE_ELSEWHERE) { 4569 assoc->ipsa_state = IPSA_STATE_IDLE; 4570 assoc->ipsa_idleexpiretime = 4571 current + assoc->ipsa_idletime; 4572 } else { 4573 rcode = EINVAL; 4574 } 4575 break; 4576 4577 case SADB_X_SASTATE_ACTIVE: 4578 if (assoc->ipsa_state != SADB_X_SASTATE_IDLE) { 4579 rcode = EINVAL; 4580 break; 4581 } 4582 assoc->ipsa_state = IPSA_STATE_MATURE; 4583 assoc->ipsa_idleexpiretime = current + assoc->ipsa_idletime; 4584 4585 if (ipkt_lst == NULL) { 4586 break; 4587 } 4588 4589 if (assoc->ipsa_bpkt_head != NULL) { 4590 *ipkt_lst = assoc->ipsa_bpkt_head; 4591 assoc->ipsa_bpkt_head = assoc->ipsa_bpkt_tail = NULL; 4592 assoc->ipsa_mblkcnt = 0; 4593 } else { 4594 *ipkt_lst = NULL; 4595 } 4596 break; 4597 default: 4598 rcode = EINVAL; 4599 break; 4600 } 4601 4602 mutex_exit(&assoc->ipsa_lock); 4603 return (rcode); 4604 } 4605 4606 /* 4607 * Common code to update an SA. 4608 */ 4609 4610 int 4611 sadb_update_sa(mblk_t *mp, keysock_in_t *ksi, mblk_t **ipkt_lst, 4612 sadbp_t *spp, int *diagnostic, queue_t *pfkey_q, 4613 int (*add_sa_func)(mblk_t *, keysock_in_t *, int *, netstack_t *), 4614 netstack_t *ns, uint8_t sadb_msg_type) 4615 { 4616 sadb_sa_t *assoc = (sadb_sa_t *)ksi->ks_in_extv[SADB_EXT_SA]; 4617 sadb_address_t *srcext = 4618 (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_SRC]; 4619 sadb_address_t *dstext = 4620 (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_DST]; 4621 sadb_x_kmc_t *kmcext = 4622 (sadb_x_kmc_t *)ksi->ks_in_extv[SADB_X_EXT_KM_COOKIE]; 4623 sadb_key_t *akey = (sadb_key_t *)ksi->ks_in_extv[SADB_EXT_KEY_AUTH]; 4624 sadb_key_t *ekey = (sadb_key_t *)ksi->ks_in_extv[SADB_EXT_KEY_ENCRYPT]; 4625 sadb_x_replay_ctr_t *replext = 4626 (sadb_x_replay_ctr_t *)ksi->ks_in_extv[SADB_X_EXT_REPLAY_VALUE]; 4627 sadb_lifetime_t *soft = 4628 (sadb_lifetime_t *)ksi->ks_in_extv[SADB_EXT_LIFETIME_SOFT]; 4629 sadb_lifetime_t *hard = 4630 (sadb_lifetime_t *)ksi->ks_in_extv[SADB_EXT_LIFETIME_HARD]; 4631 sadb_lifetime_t *idle = 4632 (sadb_lifetime_t *)ksi->ks_in_extv[SADB_X_EXT_LIFETIME_IDLE]; 4633 sadb_x_pair_t *pair_ext = 4634 (sadb_x_pair_t *)ksi->ks_in_extv[SADB_X_EXT_PAIR]; 4635 ipsa_t *echo_target = NULL; 4636 int error = 0; 4637 ipsap_t *ipsapp = NULL; 4638 uint32_t kmp = 0, kmc = 0; 4639 time_t current = gethrestime_sec(); 4640 4641 4642 /* I need certain extensions present for either UPDATE message. */ 4643 if (srcext == NULL) { 4644 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_SRC; 4645 return (EINVAL); 4646 } 4647 if (dstext == NULL) { 4648 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_DST; 4649 return (EINVAL); 4650 } 4651 if (assoc == NULL) { 4652 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_SA; 4653 return (EINVAL); 4654 } 4655 4656 if (kmcext != NULL) { 4657 kmp = kmcext->sadb_x_kmc_proto; 4658 kmc = kmcext->sadb_x_kmc_cookie; 4659 } 4660 4661 ipsapp = get_ipsa_pair(assoc, srcext, dstext, spp); 4662 if (ipsapp == NULL) { 4663 *diagnostic = SADB_X_DIAGNOSTIC_SA_NOTFOUND; 4664 return (ESRCH); 4665 } 4666 4667 if (ipsapp->ipsap_psa_ptr == NULL && ipsapp->ipsap_sa_ptr != NULL) { 4668 if (ipsapp->ipsap_sa_ptr->ipsa_state == IPSA_STATE_LARVAL) { 4669 /* 4670 * REFRELE the target and let the add_sa_func() 4671 * deal with updating a larval SA. 4672 */ 4673 destroy_ipsa_pair(ipsapp); 4674 return (add_sa_func(mp, ksi, diagnostic, ns)); 4675 } 4676 } 4677 4678 /* 4679 * At this point we have an UPDATE to a MATURE SA. There should 4680 * not be any keying material present. 4681 */ 4682 if (akey != NULL) { 4683 *diagnostic = SADB_X_DIAGNOSTIC_AKEY_PRESENT; 4684 error = EINVAL; 4685 goto bail; 4686 } 4687 if (ekey != NULL) { 4688 *diagnostic = SADB_X_DIAGNOSTIC_EKEY_PRESENT; 4689 error = EINVAL; 4690 goto bail; 4691 } 4692 4693 if (assoc->sadb_sa_state == SADB_X_SASTATE_ACTIVE_ELSEWHERE) { 4694 if (ipsapp->ipsap_sa_ptr != NULL && 4695 ipsapp->ipsap_sa_ptr->ipsa_state == IPSA_STATE_IDLE) { 4696 if ((error = sadb_update_state(ipsapp->ipsap_sa_ptr, 4697 assoc->sadb_sa_state, NULL)) != 0) { 4698 *diagnostic = SADB_X_DIAGNOSTIC_BAD_SASTATE; 4699 goto bail; 4700 } 4701 } 4702 if (ipsapp->ipsap_psa_ptr != NULL && 4703 ipsapp->ipsap_psa_ptr->ipsa_state == IPSA_STATE_IDLE) { 4704 if ((error = sadb_update_state(ipsapp->ipsap_psa_ptr, 4705 assoc->sadb_sa_state, NULL)) != 0) { 4706 *diagnostic = SADB_X_DIAGNOSTIC_BAD_SASTATE; 4707 goto bail; 4708 } 4709 } 4710 } 4711 if (assoc->sadb_sa_state == SADB_X_SASTATE_ACTIVE) { 4712 if (ipsapp->ipsap_sa_ptr != NULL) { 4713 error = sadb_update_state(ipsapp->ipsap_sa_ptr, 4714 assoc->sadb_sa_state, 4715 (ipsapp->ipsap_sa_ptr->ipsa_flags & 4716 IPSA_F_INBOUND) ? ipkt_lst : NULL); 4717 if (error) { 4718 *diagnostic = SADB_X_DIAGNOSTIC_BAD_SASTATE; 4719 goto bail; 4720 } 4721 } 4722 if (ipsapp->ipsap_psa_ptr != NULL) { 4723 error = sadb_update_state(ipsapp->ipsap_psa_ptr, 4724 assoc->sadb_sa_state, 4725 (ipsapp->ipsap_psa_ptr->ipsa_flags & 4726 IPSA_F_INBOUND) ? ipkt_lst : NULL); 4727 if (error) { 4728 *diagnostic = SADB_X_DIAGNOSTIC_BAD_SASTATE; 4729 goto bail; 4730 } 4731 } 4732 sadb_pfkey_echo(pfkey_q, mp, (sadb_msg_t *)mp->b_cont->b_rptr, 4733 ksi, echo_target); 4734 goto bail; 4735 } 4736 4737 /* 4738 * Reality checks for updates of active associations. 4739 * Sundry first-pass UPDATE-specific reality checks. 4740 * Have to do the checks here, because it's after the add_sa code. 4741 * XXX STATS : logging/stats here? 4742 */ 4743 4744 if (!((assoc->sadb_sa_state == SADB_SASTATE_MATURE) || 4745 (assoc->sadb_sa_state == SADB_X_SASTATE_ACTIVE_ELSEWHERE))) { 4746 *diagnostic = SADB_X_DIAGNOSTIC_BAD_SASTATE; 4747 error = EINVAL; 4748 goto bail; 4749 } 4750 4751 if (assoc->sadb_sa_flags & ~spp->s_updateflags) { 4752 *diagnostic = SADB_X_DIAGNOSTIC_BAD_SAFLAGS; 4753 error = EINVAL; 4754 goto bail; 4755 } 4756 4757 if (ksi->ks_in_extv[SADB_EXT_LIFETIME_CURRENT] != NULL) { 4758 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_LIFETIME; 4759 error = EOPNOTSUPP; 4760 goto bail; 4761 } 4762 4763 if ((*diagnostic = sadb_hardsoftchk(hard, soft, idle)) != 0) { 4764 error = EINVAL; 4765 goto bail; 4766 } 4767 4768 if (ipsapp->ipsap_sa_ptr != NULL) { 4769 if (ipsapp->ipsap_sa_ptr->ipsa_state == IPSA_STATE_DEAD) { 4770 error = ESRCH; /* DEAD == Not there, in this case. */ 4771 *diagnostic = SADB_X_DIAGNOSTIC_SA_EXPIRED; 4772 goto bail; 4773 } 4774 if ((kmp != 0) && 4775 ((ipsapp->ipsap_sa_ptr->ipsa_kmp != 0) || 4776 (ipsapp->ipsap_sa_ptr->ipsa_kmp != kmp))) { 4777 *diagnostic = SADB_X_DIAGNOSTIC_DUPLICATE_KMP; 4778 error = EINVAL; 4779 goto bail; 4780 } 4781 if ((kmc != 0) && 4782 ((ipsapp->ipsap_sa_ptr->ipsa_kmc != 0) || 4783 (ipsapp->ipsap_sa_ptr->ipsa_kmc != kmc))) { 4784 *diagnostic = SADB_X_DIAGNOSTIC_DUPLICATE_KMC; 4785 error = EINVAL; 4786 goto bail; 4787 } 4788 /* 4789 * Do not allow replay value change for MATURE or LARVAL SA. 4790 */ 4791 4792 if ((replext != NULL) && 4793 ((ipsapp->ipsap_sa_ptr->ipsa_state == IPSA_STATE_LARVAL) || 4794 (ipsapp->ipsap_sa_ptr->ipsa_state == IPSA_STATE_MATURE))) { 4795 *diagnostic = SADB_X_DIAGNOSTIC_BAD_SASTATE; 4796 error = EINVAL; 4797 goto bail; 4798 } 4799 } 4800 4801 if (ipsapp->ipsap_psa_ptr != NULL) { 4802 if (ipsapp->ipsap_psa_ptr->ipsa_state == IPSA_STATE_DEAD) { 4803 *diagnostic = SADB_X_DIAGNOSTIC_SA_EXPIRED; 4804 error = ESRCH; /* DEAD == Not there, in this case. */ 4805 goto bail; 4806 } 4807 if ((kmp != 0) && 4808 ((ipsapp->ipsap_psa_ptr->ipsa_kmp != 0) || 4809 (ipsapp->ipsap_psa_ptr->ipsa_kmp != kmp))) { 4810 *diagnostic = SADB_X_DIAGNOSTIC_DUPLICATE_KMP; 4811 error = EINVAL; 4812 goto bail; 4813 } 4814 if ((kmc != 0) && 4815 ((ipsapp->ipsap_psa_ptr->ipsa_kmc != 0) || 4816 (ipsapp->ipsap_psa_ptr->ipsa_kmc != kmc))) { 4817 *diagnostic = SADB_X_DIAGNOSTIC_DUPLICATE_KMC; 4818 error = EINVAL; 4819 goto bail; 4820 } 4821 } 4822 4823 if (ipsapp->ipsap_sa_ptr != NULL) { 4824 sadb_update_lifetimes(ipsapp->ipsap_sa_ptr, hard, soft, 4825 idle, B_TRUE); 4826 if (kmp != 0) 4827 ipsapp->ipsap_sa_ptr->ipsa_kmp = kmp; 4828 if (kmc != 0) 4829 ipsapp->ipsap_sa_ptr->ipsa_kmc = kmc; 4830 if ((replext != NULL) && 4831 (ipsapp->ipsap_sa_ptr->ipsa_replay_wsize != 0)) { 4832 /* 4833 * If an inbound SA, update the replay counter 4834 * and check off all the other sequence number 4835 */ 4836 if (ksi->ks_in_dsttype == KS_IN_ADDR_ME) { 4837 if (!sadb_replay_check(ipsapp->ipsap_sa_ptr, 4838 replext->sadb_x_rc_replay32)) { 4839 *diagnostic = 4840 SADB_X_DIAGNOSTIC_INVALID_REPLAY; 4841 error = EINVAL; 4842 goto bail; 4843 } 4844 mutex_enter(&ipsapp->ipsap_sa_ptr->ipsa_lock); 4845 ipsapp->ipsap_sa_ptr->ipsa_idleexpiretime = 4846 current + 4847 ipsapp->ipsap_sa_ptr->ipsa_idletime; 4848 mutex_exit(&ipsapp->ipsap_sa_ptr->ipsa_lock); 4849 } else { 4850 mutex_enter(&ipsapp->ipsap_sa_ptr->ipsa_lock); 4851 ipsapp->ipsap_sa_ptr->ipsa_replay = 4852 replext->sadb_x_rc_replay32; 4853 ipsapp->ipsap_sa_ptr->ipsa_idleexpiretime = 4854 current + 4855 ipsapp->ipsap_sa_ptr->ipsa_idletime; 4856 mutex_exit(&ipsapp->ipsap_sa_ptr->ipsa_lock); 4857 } 4858 } 4859 } 4860 4861 if (sadb_msg_type == SADB_X_UPDATEPAIR) { 4862 if (ipsapp->ipsap_psa_ptr != NULL) { 4863 sadb_update_lifetimes(ipsapp->ipsap_psa_ptr, hard, soft, 4864 idle, B_FALSE); 4865 if (kmp != 0) 4866 ipsapp->ipsap_psa_ptr->ipsa_kmp = kmp; 4867 if (kmc != 0) 4868 ipsapp->ipsap_psa_ptr->ipsa_kmc = kmc; 4869 } else { 4870 *diagnostic = SADB_X_DIAGNOSTIC_PAIR_SA_NOTFOUND; 4871 error = ESRCH; 4872 goto bail; 4873 } 4874 } 4875 4876 if (pair_ext != NULL) 4877 error = update_pairing(ipsapp, ksi, diagnostic, spp); 4878 4879 if (error == 0) 4880 sadb_pfkey_echo(pfkey_q, mp, (sadb_msg_t *)mp->b_cont->b_rptr, 4881 ksi, echo_target); 4882 bail: 4883 4884 destroy_ipsa_pair(ipsapp); 4885 4886 return (error); 4887 } 4888 4889 4890 int 4891 update_pairing(ipsap_t *ipsapp, keysock_in_t *ksi, int *diagnostic, 4892 sadbp_t *spp) 4893 { 4894 sadb_sa_t *assoc = (sadb_sa_t *)ksi->ks_in_extv[SADB_EXT_SA]; 4895 sadb_address_t *srcext = 4896 (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_SRC]; 4897 sadb_address_t *dstext = 4898 (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_DST]; 4899 sadb_x_pair_t *pair_ext = 4900 (sadb_x_pair_t *)ksi->ks_in_extv[SADB_X_EXT_PAIR]; 4901 int error = 0; 4902 ipsap_t *oipsapp = NULL; 4903 boolean_t undo_pair = B_FALSE; 4904 uint32_t ipsa_flags; 4905 4906 if (pair_ext->sadb_x_pair_spi == 0 || pair_ext->sadb_x_pair_spi == 4907 assoc->sadb_sa_spi) { 4908 *diagnostic = SADB_X_DIAGNOSTIC_PAIR_INAPPROPRIATE; 4909 return (EINVAL); 4910 } 4911 4912 /* 4913 * Assume for now that the spi value provided in the SADB_UPDATE 4914 * message was valid, update the SA with its pair spi value. 4915 * If the spi turns out to be bogus or the SA no longer exists 4916 * then this will be detected when the reverse update is made 4917 * below. 4918 */ 4919 mutex_enter(&ipsapp->ipsap_sa_ptr->ipsa_lock); 4920 ipsapp->ipsap_sa_ptr->ipsa_flags |= IPSA_F_PAIRED; 4921 ipsapp->ipsap_sa_ptr->ipsa_otherspi = pair_ext->sadb_x_pair_spi; 4922 mutex_exit(&ipsapp->ipsap_sa_ptr->ipsa_lock); 4923 4924 /* 4925 * After updating the ipsa_otherspi element of the SA, get_ipsa_pair() 4926 * should now return pointers to the SA *AND* its pair, if this is not 4927 * the case, the "otherspi" either did not exist or was deleted. Also 4928 * check that "otherspi" is not already paired. If everything looks 4929 * good, complete the update. IPSA_REFRELE the first pair_pointer 4930 * after this update to ensure its not deleted until we are done. 4931 */ 4932 oipsapp = get_ipsa_pair(assoc, srcext, dstext, spp); 4933 if (oipsapp == NULL) { 4934 /* 4935 * This should never happen, calling function still has 4936 * IPSA_REFHELD on the SA we just updated. 4937 */ 4938 *diagnostic = SADB_X_DIAGNOSTIC_PAIR_SA_NOTFOUND; 4939 return (EINVAL); 4940 } 4941 4942 if (oipsapp->ipsap_psa_ptr == NULL) { 4943 *diagnostic = SADB_X_DIAGNOSTIC_PAIR_INAPPROPRIATE; 4944 error = EINVAL; 4945 undo_pair = B_TRUE; 4946 } else { 4947 ipsa_flags = oipsapp->ipsap_psa_ptr->ipsa_flags; 4948 if ((oipsapp->ipsap_psa_ptr->ipsa_state == IPSA_STATE_DEAD) || 4949 (oipsapp->ipsap_psa_ptr->ipsa_state == IPSA_STATE_DYING)) { 4950 /* Its dead Jim! */ 4951 *diagnostic = SADB_X_DIAGNOSTIC_PAIR_INAPPROPRIATE; 4952 undo_pair = B_TRUE; 4953 } else if ((ipsa_flags & (IPSA_F_OUTBOUND | IPSA_F_INBOUND)) == 4954 (IPSA_F_OUTBOUND | IPSA_F_INBOUND)) { 4955 /* This SA is in both hashtables. */ 4956 *diagnostic = SADB_X_DIAGNOSTIC_PAIR_INAPPROPRIATE; 4957 undo_pair = B_TRUE; 4958 } else if (ipsa_flags & IPSA_F_PAIRED) { 4959 /* This SA is already paired with another. */ 4960 *diagnostic = SADB_X_DIAGNOSTIC_PAIR_ALREADY; 4961 undo_pair = B_TRUE; 4962 } 4963 } 4964 4965 if (undo_pair) { 4966 /* The pair SA does not exist. */ 4967 mutex_enter(&ipsapp->ipsap_sa_ptr->ipsa_lock); 4968 ipsapp->ipsap_sa_ptr->ipsa_flags &= ~IPSA_F_PAIRED; 4969 ipsapp->ipsap_sa_ptr->ipsa_otherspi = 0; 4970 mutex_exit(&ipsapp->ipsap_sa_ptr->ipsa_lock); 4971 } else { 4972 mutex_enter(&oipsapp->ipsap_psa_ptr->ipsa_lock); 4973 oipsapp->ipsap_psa_ptr->ipsa_otherspi = assoc->sadb_sa_spi; 4974 oipsapp->ipsap_psa_ptr->ipsa_flags |= IPSA_F_PAIRED; 4975 mutex_exit(&oipsapp->ipsap_psa_ptr->ipsa_lock); 4976 } 4977 4978 destroy_ipsa_pair(oipsapp); 4979 return (error); 4980 } 4981 4982 /* 4983 * The following functions deal with ACQUIRE LISTS. An ACQUIRE list is 4984 * a list of outstanding SADB_ACQUIRE messages. If ipsec_getassocbyconn() fails 4985 * for an outbound datagram, that datagram is queued up on an ACQUIRE record, 4986 * and an SADB_ACQUIRE message is sent up. Presumably, a user-space key 4987 * management daemon will process the ACQUIRE, use a SADB_GETSPI to reserve 4988 * an SPI value and a larval SA, then SADB_UPDATE the larval SA, and ADD the 4989 * other direction's SA. 4990 */ 4991 4992 /* 4993 * Check the ACQUIRE lists. If there's an existing ACQUIRE record, 4994 * grab it, lock it, and return it. Otherwise return NULL. 4995 */ 4996 static ipsacq_t * 4997 sadb_checkacquire(iacqf_t *bucket, ipsec_action_t *ap, ipsec_policy_t *pp, 4998 uint32_t *src, uint32_t *dst, uint32_t *isrc, uint32_t *idst, 4999 uint64_t unique_id) 5000 { 5001 ipsacq_t *walker; 5002 sa_family_t fam; 5003 uint32_t blank_address[4] = {0, 0, 0, 0}; 5004 5005 if (isrc == NULL) { 5006 ASSERT(idst == NULL); 5007 isrc = idst = blank_address; 5008 } 5009 5010 /* 5011 * Scan list for duplicates. Check for UNIQUE, src/dest, policy. 5012 * 5013 * XXX May need search for duplicates based on other things too! 5014 */ 5015 for (walker = bucket->iacqf_ipsacq; walker != NULL; 5016 walker = walker->ipsacq_next) { 5017 mutex_enter(&walker->ipsacq_lock); 5018 fam = walker->ipsacq_addrfam; 5019 if (IPSA_ARE_ADDR_EQUAL(dst, walker->ipsacq_dstaddr, fam) && 5020 IPSA_ARE_ADDR_EQUAL(src, walker->ipsacq_srcaddr, fam) && 5021 ip_addr_match((uint8_t *)isrc, walker->ipsacq_innersrcpfx, 5022 (in6_addr_t *)walker->ipsacq_innersrc) && 5023 ip_addr_match((uint8_t *)idst, walker->ipsacq_innerdstpfx, 5024 (in6_addr_t *)walker->ipsacq_innerdst) && 5025 (ap == walker->ipsacq_act) && 5026 (pp == walker->ipsacq_policy) && 5027 /* XXX do deep compares of ap/pp? */ 5028 (unique_id == walker->ipsacq_unique_id)) 5029 break; /* everything matched */ 5030 mutex_exit(&walker->ipsacq_lock); 5031 } 5032 5033 return (walker); 5034 } 5035 5036 /* 5037 * For this mblk, insert a new acquire record. Assume bucket contains addrs 5038 * of all of the same length. Give up (and drop) if memory 5039 * cannot be allocated for a new one; otherwise, invoke callback to 5040 * send the acquire up.. 5041 * 5042 * In cases where we need both AH and ESP, add the SA to the ESP ACQUIRE 5043 * list. The ah_add_sa_finish() routines can look at the packet's ipsec_out_t 5044 * and handle this case specially. 5045 */ 5046 void 5047 sadb_acquire(mblk_t *mp, ipsec_out_t *io, boolean_t need_ah, boolean_t need_esp) 5048 { 5049 sadbp_t *spp; 5050 sadb_t *sp; 5051 ipsacq_t *newbie; 5052 iacqf_t *bucket; 5053 mblk_t *datamp = mp->b_cont; 5054 mblk_t *extended; 5055 ipha_t *ipha = (ipha_t *)datamp->b_rptr; 5056 ip6_t *ip6h = (ip6_t *)datamp->b_rptr; 5057 uint32_t *src, *dst, *isrc, *idst; 5058 ipsec_policy_t *pp = io->ipsec_out_policy; 5059 ipsec_action_t *ap = io->ipsec_out_act; 5060 sa_family_t af; 5061 int hashoffset; 5062 uint32_t seq; 5063 uint64_t unique_id = 0; 5064 ipsec_selector_t sel; 5065 boolean_t tunnel_mode = io->ipsec_out_tunnel; 5066 netstack_t *ns = io->ipsec_out_ns; 5067 ipsec_stack_t *ipss = ns->netstack_ipsec; 5068 5069 ASSERT((pp != NULL) || (ap != NULL)); 5070 5071 ASSERT(need_ah != NULL || need_esp != NULL); 5072 /* Assign sadb pointers */ 5073 if (need_esp) { /* ESP for AH+ESP */ 5074 ipsecesp_stack_t *espstack = ns->netstack_ipsecesp; 5075 5076 spp = &espstack->esp_sadb; 5077 } else { 5078 ipsecah_stack_t *ahstack = ns->netstack_ipsecah; 5079 5080 spp = &ahstack->ah_sadb; 5081 } 5082 sp = io->ipsec_out_v4 ? &spp->s_v4 : &spp->s_v6; 5083 5084 if (ap == NULL) 5085 ap = pp->ipsp_act; 5086 5087 ASSERT(ap != NULL); 5088 5089 if (ap->ipa_act.ipa_apply.ipp_use_unique || tunnel_mode) 5090 unique_id = SA_FORM_UNIQUE_ID(io); 5091 5092 /* 5093 * Set up an ACQUIRE record. 5094 * 5095 * Immediately, make sure the ACQUIRE sequence number doesn't slip 5096 * below the lowest point allowed in the kernel. (In other words, 5097 * make sure the high bit on the sequence number is set.) 5098 */ 5099 5100 seq = keysock_next_seq(ns) | IACQF_LOWEST_SEQ; 5101 5102 if (IPH_HDR_VERSION(ipha) == IP_VERSION) { 5103 src = (uint32_t *)&ipha->ipha_src; 5104 dst = (uint32_t *)&ipha->ipha_dst; 5105 af = AF_INET; 5106 hashoffset = OUTBOUND_HASH_V4(sp, ipha->ipha_dst); 5107 ASSERT(io->ipsec_out_v4 == B_TRUE); 5108 } else { 5109 ASSERT(IPH_HDR_VERSION(ipha) == IPV6_VERSION); 5110 src = (uint32_t *)&ip6h->ip6_src; 5111 dst = (uint32_t *)&ip6h->ip6_dst; 5112 af = AF_INET6; 5113 hashoffset = OUTBOUND_HASH_V6(sp, ip6h->ip6_dst); 5114 ASSERT(io->ipsec_out_v4 == B_FALSE); 5115 } 5116 5117 if (tunnel_mode) { 5118 if (pp == NULL) { 5119 /* 5120 * Tunnel mode with no policy pointer means this is a 5121 * reflected ICMP (like a ECHO REQUEST) that came in 5122 * with self-encapsulated protection. Until we better 5123 * support this, drop the packet. 5124 */ 5125 ip_drop_packet(mp, B_FALSE, NULL, NULL, 5126 DROPPER(ipss, ipds_spd_got_selfencap), 5127 &ipss->ipsec_spd_dropper); 5128 return; 5129 } 5130 /* Snag inner addresses. */ 5131 isrc = io->ipsec_out_insrc; 5132 idst = io->ipsec_out_indst; 5133 } else { 5134 isrc = idst = NULL; 5135 } 5136 5137 /* 5138 * Check buckets to see if there is an existing entry. If so, 5139 * grab it. sadb_checkacquire locks newbie if found. 5140 */ 5141 bucket = &(sp->sdb_acq[hashoffset]); 5142 mutex_enter(&bucket->iacqf_lock); 5143 newbie = sadb_checkacquire(bucket, ap, pp, src, dst, isrc, idst, 5144 unique_id); 5145 5146 if (newbie == NULL) { 5147 /* 5148 * Otherwise, allocate a new one. 5149 */ 5150 newbie = kmem_zalloc(sizeof (*newbie), KM_NOSLEEP); 5151 if (newbie == NULL) { 5152 mutex_exit(&bucket->iacqf_lock); 5153 ip_drop_packet(mp, B_FALSE, NULL, NULL, 5154 DROPPER(ipss, ipds_sadb_acquire_nomem), 5155 &ipss->ipsec_sadb_dropper); 5156 return; 5157 } 5158 newbie->ipsacq_policy = pp; 5159 if (pp != NULL) { 5160 IPPOL_REFHOLD(pp); 5161 } 5162 IPACT_REFHOLD(ap); 5163 newbie->ipsacq_act = ap; 5164 newbie->ipsacq_linklock = &bucket->iacqf_lock; 5165 newbie->ipsacq_next = bucket->iacqf_ipsacq; 5166 newbie->ipsacq_ptpn = &bucket->iacqf_ipsacq; 5167 if (newbie->ipsacq_next != NULL) 5168 newbie->ipsacq_next->ipsacq_ptpn = &newbie->ipsacq_next; 5169 bucket->iacqf_ipsacq = newbie; 5170 mutex_init(&newbie->ipsacq_lock, NULL, MUTEX_DEFAULT, NULL); 5171 mutex_enter(&newbie->ipsacq_lock); 5172 } 5173 5174 mutex_exit(&bucket->iacqf_lock); 5175 5176 /* 5177 * This assert looks silly for now, but we may need to enter newbie's 5178 * mutex during a search. 5179 */ 5180 ASSERT(MUTEX_HELD(&newbie->ipsacq_lock)); 5181 5182 mp->b_next = NULL; 5183 /* Queue up packet. Use b_next. */ 5184 if (newbie->ipsacq_numpackets == 0) { 5185 /* First one. */ 5186 newbie->ipsacq_mp = mp; 5187 newbie->ipsacq_numpackets = 1; 5188 newbie->ipsacq_expire = gethrestime_sec(); 5189 /* 5190 * Extended ACQUIRE with both AH+ESP will use ESP's timeout 5191 * value. 5192 */ 5193 newbie->ipsacq_expire += *spp->s_acquire_timeout; 5194 newbie->ipsacq_seq = seq; 5195 newbie->ipsacq_addrfam = af; 5196 5197 newbie->ipsacq_srcport = io->ipsec_out_src_port; 5198 newbie->ipsacq_dstport = io->ipsec_out_dst_port; 5199 newbie->ipsacq_icmp_type = io->ipsec_out_icmp_type; 5200 newbie->ipsacq_icmp_code = io->ipsec_out_icmp_code; 5201 if (tunnel_mode) { 5202 newbie->ipsacq_inneraddrfam = io->ipsec_out_inaf; 5203 newbie->ipsacq_proto = io->ipsec_out_inaf == AF_INET6 ? 5204 IPPROTO_IPV6 : IPPROTO_ENCAP; 5205 newbie->ipsacq_innersrcpfx = io->ipsec_out_insrcpfx; 5206 newbie->ipsacq_innerdstpfx = io->ipsec_out_indstpfx; 5207 IPSA_COPY_ADDR(newbie->ipsacq_innersrc, 5208 io->ipsec_out_insrc, io->ipsec_out_inaf); 5209 IPSA_COPY_ADDR(newbie->ipsacq_innerdst, 5210 io->ipsec_out_indst, io->ipsec_out_inaf); 5211 } else { 5212 newbie->ipsacq_proto = io->ipsec_out_proto; 5213 } 5214 newbie->ipsacq_unique_id = unique_id; 5215 } else { 5216 /* Scan to the end of the list & insert. */ 5217 mblk_t *lastone = newbie->ipsacq_mp; 5218 5219 while (lastone->b_next != NULL) 5220 lastone = lastone->b_next; 5221 lastone->b_next = mp; 5222 if (newbie->ipsacq_numpackets++ == ipsacq_maxpackets) { 5223 newbie->ipsacq_numpackets = ipsacq_maxpackets; 5224 lastone = newbie->ipsacq_mp; 5225 newbie->ipsacq_mp = lastone->b_next; 5226 lastone->b_next = NULL; 5227 ip_drop_packet(lastone, B_FALSE, NULL, NULL, 5228 DROPPER(ipss, ipds_sadb_acquire_toofull), 5229 &ipss->ipsec_sadb_dropper); 5230 } else { 5231 IP_ACQUIRE_STAT(ipss, qhiwater, 5232 newbie->ipsacq_numpackets); 5233 } 5234 } 5235 5236 /* 5237 * Reset addresses. Set them to the most recently added mblk chain, 5238 * so that the address pointers in the acquire record will point 5239 * at an mblk still attached to the acquire list. 5240 */ 5241 5242 newbie->ipsacq_srcaddr = src; 5243 newbie->ipsacq_dstaddr = dst; 5244 5245 /* 5246 * If the acquire record has more than one queued packet, we've 5247 * already sent an ACQUIRE, and don't need to repeat ourself. 5248 */ 5249 if (newbie->ipsacq_seq != seq || newbie->ipsacq_numpackets > 1) { 5250 /* I have an acquire outstanding already! */ 5251 mutex_exit(&newbie->ipsacq_lock); 5252 return; 5253 } 5254 5255 if (keysock_extended_reg(ns)) { 5256 /* 5257 * Construct an extended ACQUIRE. There are logging 5258 * opportunities here in failure cases. 5259 */ 5260 5261 (void) memset(&sel, 0, sizeof (sel)); 5262 sel.ips_isv4 = io->ipsec_out_v4; 5263 if (tunnel_mode) { 5264 sel.ips_protocol = (io->ipsec_out_inaf == AF_INET) ? 5265 IPPROTO_ENCAP : IPPROTO_IPV6; 5266 } else { 5267 sel.ips_protocol = io->ipsec_out_proto; 5268 sel.ips_local_port = io->ipsec_out_src_port; 5269 sel.ips_remote_port = io->ipsec_out_dst_port; 5270 } 5271 sel.ips_icmp_type = io->ipsec_out_icmp_type; 5272 sel.ips_icmp_code = io->ipsec_out_icmp_code; 5273 sel.ips_is_icmp_inv_acq = 0; 5274 if (af == AF_INET) { 5275 sel.ips_local_addr_v4 = ipha->ipha_src; 5276 sel.ips_remote_addr_v4 = ipha->ipha_dst; 5277 } else { 5278 sel.ips_local_addr_v6 = ip6h->ip6_src; 5279 sel.ips_remote_addr_v6 = ip6h->ip6_dst; 5280 } 5281 5282 extended = sadb_keysock_out(0); 5283 if (extended != NULL) { 5284 extended->b_cont = sadb_extended_acquire(&sel, pp, ap, 5285 tunnel_mode, seq, 0, ns); 5286 if (extended->b_cont == NULL) { 5287 freeb(extended); 5288 extended = NULL; 5289 } 5290 } 5291 } else 5292 extended = NULL; 5293 5294 /* 5295 * Send an ACQUIRE message (and possible an extended ACQUIRE) based on 5296 * this new record. The send-acquire callback assumes that acqrec is 5297 * already locked. 5298 */ 5299 (*spp->s_acqfn)(newbie, extended, ns); 5300 } 5301 5302 /* 5303 * Unlink and free an acquire record. 5304 */ 5305 void 5306 sadb_destroy_acquire(ipsacq_t *acqrec, netstack_t *ns) 5307 { 5308 mblk_t *mp; 5309 ipsec_stack_t *ipss = ns->netstack_ipsec; 5310 5311 ASSERT(MUTEX_HELD(acqrec->ipsacq_linklock)); 5312 5313 if (acqrec->ipsacq_policy != NULL) { 5314 IPPOL_REFRELE(acqrec->ipsacq_policy, ns); 5315 } 5316 if (acqrec->ipsacq_act != NULL) { 5317 IPACT_REFRELE(acqrec->ipsacq_act); 5318 } 5319 5320 /* Unlink */ 5321 *(acqrec->ipsacq_ptpn) = acqrec->ipsacq_next; 5322 if (acqrec->ipsacq_next != NULL) 5323 acqrec->ipsacq_next->ipsacq_ptpn = acqrec->ipsacq_ptpn; 5324 5325 /* 5326 * Free hanging mp's. 5327 * 5328 * XXX Instead of freemsg(), perhaps use IPSEC_REQ_FAILED. 5329 */ 5330 5331 mutex_enter(&acqrec->ipsacq_lock); 5332 while (acqrec->ipsacq_mp != NULL) { 5333 mp = acqrec->ipsacq_mp; 5334 acqrec->ipsacq_mp = mp->b_next; 5335 mp->b_next = NULL; 5336 ip_drop_packet(mp, B_FALSE, NULL, NULL, 5337 DROPPER(ipss, ipds_sadb_acquire_timeout), 5338 &ipss->ipsec_sadb_dropper); 5339 } 5340 mutex_exit(&acqrec->ipsacq_lock); 5341 5342 /* Free */ 5343 mutex_destroy(&acqrec->ipsacq_lock); 5344 kmem_free(acqrec, sizeof (*acqrec)); 5345 } 5346 5347 /* 5348 * Destroy an acquire list fanout. 5349 */ 5350 static void 5351 sadb_destroy_acqlist(iacqf_t **listp, uint_t numentries, boolean_t forever, 5352 netstack_t *ns) 5353 { 5354 int i; 5355 iacqf_t *list = *listp; 5356 5357 if (list == NULL) 5358 return; 5359 5360 for (i = 0; i < numentries; i++) { 5361 mutex_enter(&(list[i].iacqf_lock)); 5362 while (list[i].iacqf_ipsacq != NULL) 5363 sadb_destroy_acquire(list[i].iacqf_ipsacq, ns); 5364 mutex_exit(&(list[i].iacqf_lock)); 5365 if (forever) 5366 mutex_destroy(&(list[i].iacqf_lock)); 5367 } 5368 5369 if (forever) { 5370 *listp = NULL; 5371 kmem_free(list, numentries * sizeof (*list)); 5372 } 5373 } 5374 5375 /* 5376 * Create an algorithm descriptor for an extended ACQUIRE. Filter crypto 5377 * framework's view of reality vs. IPsec's. EF's wins, BTW. 5378 */ 5379 static uint8_t * 5380 sadb_new_algdesc(uint8_t *start, uint8_t *limit, 5381 sadb_x_ecomb_t *ecomb, uint8_t satype, uint8_t algtype, 5382 uint8_t alg, uint16_t minbits, uint16_t maxbits, ipsec_stack_t *ipss) 5383 { 5384 uint8_t *cur = start; 5385 ipsec_alginfo_t *algp; 5386 sadb_x_algdesc_t *algdesc = (sadb_x_algdesc_t *)cur; 5387 5388 cur += sizeof (*algdesc); 5389 if (cur >= limit) 5390 return (NULL); 5391 5392 ecomb->sadb_x_ecomb_numalgs++; 5393 5394 /* 5395 * Normalize vs. crypto framework's limits. This way, you can specify 5396 * a stronger policy, and when the framework loads a stronger version, 5397 * you can just keep plowing w/o rewhacking your SPD. 5398 */ 5399 mutex_enter(&ipss->ipsec_alg_lock); 5400 algp = ipss->ipsec_alglists[(algtype == SADB_X_ALGTYPE_AUTH) ? 5401 IPSEC_ALG_AUTH : IPSEC_ALG_ENCR][alg]; 5402 if (algp == NULL) { 5403 mutex_exit(&ipss->ipsec_alg_lock); 5404 return (NULL); /* Algorithm doesn't exist. Fail gracefully. */ 5405 } 5406 if (minbits < algp->alg_ef_minbits) 5407 minbits = algp->alg_ef_minbits; 5408 if (maxbits > algp->alg_ef_maxbits) 5409 maxbits = algp->alg_ef_maxbits; 5410 mutex_exit(&ipss->ipsec_alg_lock); 5411 5412 algdesc->sadb_x_algdesc_satype = satype; 5413 algdesc->sadb_x_algdesc_algtype = algtype; 5414 algdesc->sadb_x_algdesc_alg = alg; 5415 algdesc->sadb_x_algdesc_minbits = minbits; 5416 algdesc->sadb_x_algdesc_maxbits = maxbits; 5417 algdesc->sadb_x_algdesc_reserved = 0; 5418 return (cur); 5419 } 5420 5421 /* 5422 * Convert the given ipsec_action_t into an ecomb starting at *ecomb 5423 * which must fit before *limit 5424 * 5425 * return NULL if we ran out of room or a pointer to the end of the ecomb. 5426 */ 5427 static uint8_t * 5428 sadb_action_to_ecomb(uint8_t *start, uint8_t *limit, ipsec_action_t *act, 5429 netstack_t *ns) 5430 { 5431 uint8_t *cur = start; 5432 sadb_x_ecomb_t *ecomb = (sadb_x_ecomb_t *)cur; 5433 ipsec_prot_t *ipp; 5434 ipsec_stack_t *ipss = ns->netstack_ipsec; 5435 5436 cur += sizeof (*ecomb); 5437 if (cur >= limit) 5438 return (NULL); 5439 5440 ASSERT(act->ipa_act.ipa_type == IPSEC_ACT_APPLY); 5441 5442 ipp = &act->ipa_act.ipa_apply; 5443 5444 ecomb->sadb_x_ecomb_numalgs = 0; 5445 ecomb->sadb_x_ecomb_reserved = 0; 5446 ecomb->sadb_x_ecomb_reserved2 = 0; 5447 /* 5448 * No limits on allocations, since we really don't support that 5449 * concept currently. 5450 */ 5451 ecomb->sadb_x_ecomb_soft_allocations = 0; 5452 ecomb->sadb_x_ecomb_hard_allocations = 0; 5453 5454 /* 5455 * XXX TBD: Policy or global parameters will eventually be 5456 * able to fill in some of these. 5457 */ 5458 ecomb->sadb_x_ecomb_flags = 0; 5459 ecomb->sadb_x_ecomb_soft_bytes = 0; 5460 ecomb->sadb_x_ecomb_hard_bytes = 0; 5461 ecomb->sadb_x_ecomb_soft_addtime = 0; 5462 ecomb->sadb_x_ecomb_hard_addtime = 0; 5463 ecomb->sadb_x_ecomb_soft_usetime = 0; 5464 ecomb->sadb_x_ecomb_hard_usetime = 0; 5465 5466 if (ipp->ipp_use_ah) { 5467 cur = sadb_new_algdesc(cur, limit, ecomb, 5468 SADB_SATYPE_AH, SADB_X_ALGTYPE_AUTH, ipp->ipp_auth_alg, 5469 ipp->ipp_ah_minbits, ipp->ipp_ah_maxbits, ipss); 5470 if (cur == NULL) 5471 return (NULL); 5472 ipsecah_fill_defs(ecomb, ns); 5473 } 5474 5475 if (ipp->ipp_use_esp) { 5476 if (ipp->ipp_use_espa) { 5477 cur = sadb_new_algdesc(cur, limit, ecomb, 5478 SADB_SATYPE_ESP, SADB_X_ALGTYPE_AUTH, 5479 ipp->ipp_esp_auth_alg, 5480 ipp->ipp_espa_minbits, 5481 ipp->ipp_espa_maxbits, ipss); 5482 if (cur == NULL) 5483 return (NULL); 5484 } 5485 5486 cur = sadb_new_algdesc(cur, limit, ecomb, 5487 SADB_SATYPE_ESP, SADB_X_ALGTYPE_CRYPT, 5488 ipp->ipp_encr_alg, 5489 ipp->ipp_espe_minbits, 5490 ipp->ipp_espe_maxbits, ipss); 5491 if (cur == NULL) 5492 return (NULL); 5493 /* Fill in lifetimes if and only if AH didn't already... */ 5494 if (!ipp->ipp_use_ah) 5495 ipsecesp_fill_defs(ecomb, ns); 5496 } 5497 5498 return (cur); 5499 } 5500 5501 /* 5502 * Construct an extended ACQUIRE message based on a selector and the resulting 5503 * IPsec action. 5504 * 5505 * NOTE: This is used by both inverse ACQUIRE and actual ACQUIRE 5506 * generation. As a consequence, expect this function to evolve 5507 * rapidly. 5508 */ 5509 static mblk_t * 5510 sadb_extended_acquire(ipsec_selector_t *sel, ipsec_policy_t *pol, 5511 ipsec_action_t *act, boolean_t tunnel_mode, uint32_t seq, uint32_t pid, 5512 netstack_t *ns) 5513 { 5514 mblk_t *mp; 5515 sadb_msg_t *samsg; 5516 uint8_t *start, *cur, *end; 5517 uint32_t *saddrptr, *daddrptr; 5518 sa_family_t af; 5519 sadb_prop_t *eprop; 5520 ipsec_action_t *ap, *an; 5521 ipsec_selkey_t *ipsl; 5522 uint8_t proto, pfxlen; 5523 uint16_t lport, rport; 5524 uint32_t kmp, kmc; 5525 5526 /* 5527 * Find the action we want sooner rather than later.. 5528 */ 5529 an = NULL; 5530 if (pol == NULL) { 5531 ap = act; 5532 } else { 5533 ap = pol->ipsp_act; 5534 5535 if (ap != NULL) 5536 an = ap->ipa_next; 5537 } 5538 5539 /* 5540 * Just take a swag for the allocation for now. We can always 5541 * alter it later. 5542 */ 5543 #define SADB_EXTENDED_ACQUIRE_SIZE 4096 5544 mp = allocb(SADB_EXTENDED_ACQUIRE_SIZE, BPRI_HI); 5545 if (mp == NULL) 5546 return (NULL); 5547 5548 start = mp->b_rptr; 5549 end = start + SADB_EXTENDED_ACQUIRE_SIZE; 5550 5551 cur = start; 5552 5553 samsg = (sadb_msg_t *)cur; 5554 cur += sizeof (*samsg); 5555 5556 samsg->sadb_msg_version = PF_KEY_V2; 5557 samsg->sadb_msg_type = SADB_ACQUIRE; 5558 samsg->sadb_msg_errno = 0; 5559 samsg->sadb_msg_reserved = 0; 5560 samsg->sadb_msg_satype = 0; 5561 samsg->sadb_msg_seq = seq; 5562 samsg->sadb_msg_pid = pid; 5563 5564 if (tunnel_mode) { 5565 /* 5566 * Form inner address extensions based NOT on the inner 5567 * selectors (i.e. the packet data), but on the policy's 5568 * selector key (i.e. the policy's selector information). 5569 * 5570 * NOTE: The position of IPv4 and IPv6 addresses is the 5571 * same in ipsec_selkey_t (unless the compiler does very 5572 * strange things with unions, consult your local C language 5573 * lawyer for details). 5574 */ 5575 ASSERT(pol != NULL); 5576 5577 ipsl = &(pol->ipsp_sel->ipsl_key); 5578 if (ipsl->ipsl_valid & IPSL_IPV4) { 5579 af = AF_INET; 5580 ASSERT(sel->ips_protocol == IPPROTO_ENCAP); 5581 ASSERT(!(ipsl->ipsl_valid & IPSL_IPV6)); 5582 } else { 5583 af = AF_INET6; 5584 ASSERT(sel->ips_protocol == IPPROTO_IPV6); 5585 ASSERT(ipsl->ipsl_valid & IPSL_IPV6); 5586 } 5587 5588 if (ipsl->ipsl_valid & IPSL_LOCAL_ADDR) { 5589 saddrptr = (uint32_t *)(&ipsl->ipsl_local); 5590 pfxlen = ipsl->ipsl_local_pfxlen; 5591 } else { 5592 saddrptr = (uint32_t *)(&ipv6_all_zeros); 5593 pfxlen = 0; 5594 } 5595 /* XXX What about ICMP type/code? */ 5596 lport = (ipsl->ipsl_valid & IPSL_LOCAL_PORT) ? 5597 ipsl->ipsl_lport : 0; 5598 proto = (ipsl->ipsl_valid & IPSL_PROTOCOL) ? 5599 ipsl->ipsl_proto : 0; 5600 5601 cur = sadb_make_addr_ext(cur, end, SADB_X_EXT_ADDRESS_INNER_SRC, 5602 af, saddrptr, lport, proto, pfxlen); 5603 if (cur == NULL) { 5604 freeb(mp); 5605 return (NULL); 5606 } 5607 5608 if (ipsl->ipsl_valid & IPSL_REMOTE_ADDR) { 5609 daddrptr = (uint32_t *)(&ipsl->ipsl_remote); 5610 pfxlen = ipsl->ipsl_remote_pfxlen; 5611 } else { 5612 daddrptr = (uint32_t *)(&ipv6_all_zeros); 5613 pfxlen = 0; 5614 } 5615 /* XXX What about ICMP type/code? */ 5616 rport = (ipsl->ipsl_valid & IPSL_REMOTE_PORT) ? 5617 ipsl->ipsl_rport : 0; 5618 5619 cur = sadb_make_addr_ext(cur, end, SADB_X_EXT_ADDRESS_INNER_DST, 5620 af, daddrptr, rport, proto, pfxlen); 5621 if (cur == NULL) { 5622 freeb(mp); 5623 return (NULL); 5624 } 5625 /* 5626 * TODO - if we go to 3408's dream of transport mode IP-in-IP 5627 * _with_ inner-packet address selectors, we'll need to further 5628 * distinguish tunnel mode here. For now, having inner 5629 * addresses and/or ports is sufficient. 5630 * 5631 * Meanwhile, whack proto/ports to reflect IP-in-IP for the 5632 * outer addresses. 5633 */ 5634 proto = sel->ips_protocol; /* Either _ENCAP or _IPV6 */ 5635 lport = rport = 0; 5636 } else if ((ap != NULL) && (!ap->ipa_want_unique)) { 5637 proto = 0; 5638 lport = 0; 5639 rport = 0; 5640 if (pol != NULL) { 5641 ipsl = &(pol->ipsp_sel->ipsl_key); 5642 if (ipsl->ipsl_valid & IPSL_PROTOCOL) 5643 proto = ipsl->ipsl_proto; 5644 if (ipsl->ipsl_valid & IPSL_REMOTE_PORT) 5645 rport = ipsl->ipsl_rport; 5646 if (ipsl->ipsl_valid & IPSL_LOCAL_PORT) 5647 lport = ipsl->ipsl_lport; 5648 } 5649 } else { 5650 proto = sel->ips_protocol; 5651 lport = sel->ips_local_port; 5652 rport = sel->ips_remote_port; 5653 } 5654 5655 af = sel->ips_isv4 ? AF_INET : AF_INET6; 5656 5657 /* 5658 * NOTE: The position of IPv4 and IPv6 addresses is the same in 5659 * ipsec_selector_t. 5660 */ 5661 cur = sadb_make_addr_ext(cur, end, SADB_EXT_ADDRESS_SRC, af, 5662 (uint32_t *)(&sel->ips_local_addr_v6), lport, proto, 0); 5663 5664 if (cur == NULL) { 5665 freeb(mp); 5666 return (NULL); 5667 } 5668 5669 cur = sadb_make_addr_ext(cur, end, SADB_EXT_ADDRESS_DST, af, 5670 (uint32_t *)(&sel->ips_remote_addr_v6), rport, proto, 0); 5671 5672 if (cur == NULL) { 5673 freeb(mp); 5674 return (NULL); 5675 } 5676 5677 /* 5678 * This section will change a lot as policy evolves. 5679 * For now, it'll be relatively simple. 5680 */ 5681 eprop = (sadb_prop_t *)cur; 5682 cur += sizeof (*eprop); 5683 if (cur > end) { 5684 /* no space left */ 5685 freeb(mp); 5686 return (NULL); 5687 } 5688 5689 eprop->sadb_prop_exttype = SADB_X_EXT_EPROP; 5690 eprop->sadb_x_prop_ereserved = 0; 5691 eprop->sadb_x_prop_numecombs = 0; 5692 eprop->sadb_prop_replay = 32; /* default */ 5693 5694 kmc = kmp = 0; 5695 5696 for (; ap != NULL; ap = an) { 5697 an = (pol != NULL) ? ap->ipa_next : NULL; 5698 5699 /* 5700 * Skip non-IPsec policies 5701 */ 5702 if (ap->ipa_act.ipa_type != IPSEC_ACT_APPLY) 5703 continue; 5704 5705 if (ap->ipa_act.ipa_apply.ipp_km_proto) 5706 kmp = ap->ipa_act.ipa_apply.ipp_km_proto; 5707 if (ap->ipa_act.ipa_apply.ipp_km_cookie) 5708 kmc = ap->ipa_act.ipa_apply.ipp_km_cookie; 5709 if (ap->ipa_act.ipa_apply.ipp_replay_depth) { 5710 eprop->sadb_prop_replay = 5711 ap->ipa_act.ipa_apply.ipp_replay_depth; 5712 } 5713 5714 cur = sadb_action_to_ecomb(cur, end, ap, ns); 5715 if (cur == NULL) { /* no space */ 5716 freeb(mp); 5717 return (NULL); 5718 } 5719 eprop->sadb_x_prop_numecombs++; 5720 } 5721 5722 if (eprop->sadb_x_prop_numecombs == 0) { 5723 /* 5724 * This will happen if we fail to find a policy 5725 * allowing for IPsec processing. 5726 * Construct an error message. 5727 */ 5728 samsg->sadb_msg_len = SADB_8TO64(sizeof (*samsg)); 5729 samsg->sadb_msg_errno = ENOENT; 5730 samsg->sadb_x_msg_diagnostic = 0; 5731 return (mp); 5732 } 5733 5734 if ((kmp != 0) || (kmc != 0)) { 5735 cur = sadb_make_kmc_ext(cur, end, kmp, kmc); 5736 if (cur == NULL) { 5737 freeb(mp); 5738 return (NULL); 5739 } 5740 } 5741 5742 eprop->sadb_prop_len = SADB_8TO64(cur - (uint8_t *)eprop); 5743 samsg->sadb_msg_len = SADB_8TO64(cur - start); 5744 mp->b_wptr = cur; 5745 5746 return (mp); 5747 } 5748 5749 /* 5750 * Generic setup of an RFC 2367 ACQUIRE message. Caller sets satype. 5751 * 5752 * NOTE: This function acquires alg_lock as a side-effect if-and-only-if we 5753 * succeed (i.e. return non-NULL). Caller MUST release it. This is to 5754 * maximize code consolidation while preventing algorithm changes from messing 5755 * with the callers finishing touches on the ACQUIRE itself. 5756 */ 5757 mblk_t * 5758 sadb_setup_acquire(ipsacq_t *acqrec, uint8_t satype, ipsec_stack_t *ipss) 5759 { 5760 uint_t allocsize; 5761 mblk_t *pfkeymp, *msgmp; 5762 sa_family_t af; 5763 uint8_t *cur, *end; 5764 sadb_msg_t *samsg; 5765 uint16_t sport_typecode; 5766 uint16_t dport_typecode; 5767 uint8_t check_proto; 5768 boolean_t tunnel_mode = (acqrec->ipsacq_inneraddrfam != 0); 5769 5770 ASSERT(MUTEX_HELD(&acqrec->ipsacq_lock)); 5771 5772 pfkeymp = sadb_keysock_out(0); 5773 if (pfkeymp == NULL) 5774 return (NULL); 5775 5776 /* 5777 * First, allocate a basic ACQUIRE message 5778 */ 5779 allocsize = sizeof (sadb_msg_t) + sizeof (sadb_address_t) + 5780 sizeof (sadb_address_t) + sizeof (sadb_prop_t); 5781 5782 /* Make sure there's enough to cover both AF_INET and AF_INET6. */ 5783 allocsize += 2 * sizeof (struct sockaddr_in6); 5784 5785 mutex_enter(&ipss->ipsec_alg_lock); 5786 /* NOTE: The lock is now held through to this function's return. */ 5787 allocsize += ipss->ipsec_nalgs[IPSEC_ALG_AUTH] * 5788 ipss->ipsec_nalgs[IPSEC_ALG_ENCR] * sizeof (sadb_comb_t); 5789 5790 if (tunnel_mode) { 5791 /* Tunnel mode! */ 5792 allocsize += 2 * sizeof (sadb_address_t); 5793 /* Enough to cover both AF_INET and AF_INET6. */ 5794 allocsize += 2 * sizeof (struct sockaddr_in6); 5795 } 5796 5797 msgmp = allocb(allocsize, BPRI_HI); 5798 if (msgmp == NULL) { 5799 freeb(pfkeymp); 5800 mutex_exit(&ipss->ipsec_alg_lock); 5801 return (NULL); 5802 } 5803 5804 pfkeymp->b_cont = msgmp; 5805 cur = msgmp->b_rptr; 5806 end = cur + allocsize; 5807 samsg = (sadb_msg_t *)cur; 5808 cur += sizeof (sadb_msg_t); 5809 5810 af = acqrec->ipsacq_addrfam; 5811 switch (af) { 5812 case AF_INET: 5813 check_proto = IPPROTO_ICMP; 5814 break; 5815 case AF_INET6: 5816 check_proto = IPPROTO_ICMPV6; 5817 break; 5818 default: 5819 /* This should never happen unless we have kernel bugs. */ 5820 cmn_err(CE_WARN, 5821 "sadb_setup_acquire: corrupt ACQUIRE record.\n"); 5822 ASSERT(0); 5823 mutex_exit(&ipss->ipsec_alg_lock); 5824 return (NULL); 5825 } 5826 5827 samsg->sadb_msg_version = PF_KEY_V2; 5828 samsg->sadb_msg_type = SADB_ACQUIRE; 5829 samsg->sadb_msg_satype = satype; 5830 samsg->sadb_msg_errno = 0; 5831 samsg->sadb_msg_pid = 0; 5832 samsg->sadb_msg_reserved = 0; 5833 samsg->sadb_msg_seq = acqrec->ipsacq_seq; 5834 5835 ASSERT(MUTEX_HELD(&acqrec->ipsacq_lock)); 5836 5837 if ((acqrec->ipsacq_proto == check_proto) || tunnel_mode) { 5838 sport_typecode = dport_typecode = 0; 5839 } else { 5840 sport_typecode = acqrec->ipsacq_srcport; 5841 dport_typecode = acqrec->ipsacq_dstport; 5842 } 5843 5844 cur = sadb_make_addr_ext(cur, end, SADB_EXT_ADDRESS_SRC, af, 5845 acqrec->ipsacq_srcaddr, sport_typecode, acqrec->ipsacq_proto, 0); 5846 5847 cur = sadb_make_addr_ext(cur, end, SADB_EXT_ADDRESS_DST, af, 5848 acqrec->ipsacq_dstaddr, dport_typecode, acqrec->ipsacq_proto, 0); 5849 5850 if (tunnel_mode) { 5851 sport_typecode = acqrec->ipsacq_srcport; 5852 dport_typecode = acqrec->ipsacq_dstport; 5853 cur = sadb_make_addr_ext(cur, end, SADB_X_EXT_ADDRESS_INNER_SRC, 5854 acqrec->ipsacq_inneraddrfam, acqrec->ipsacq_innersrc, 5855 sport_typecode, acqrec->ipsacq_inner_proto, 5856 acqrec->ipsacq_innersrcpfx); 5857 cur = sadb_make_addr_ext(cur, end, SADB_X_EXT_ADDRESS_INNER_DST, 5858 acqrec->ipsacq_inneraddrfam, acqrec->ipsacq_innerdst, 5859 dport_typecode, acqrec->ipsacq_inner_proto, 5860 acqrec->ipsacq_innerdstpfx); 5861 } 5862 5863 /* XXX Insert identity information here. */ 5864 5865 /* XXXMLS Insert sensitivity information here. */ 5866 5867 if (cur != NULL) 5868 samsg->sadb_msg_len = SADB_8TO64(cur - msgmp->b_rptr); 5869 else 5870 mutex_exit(&ipss->ipsec_alg_lock); 5871 5872 return (pfkeymp); 5873 } 5874 5875 /* 5876 * Given an SADB_GETSPI message, find an appropriately ranged SA and 5877 * allocate an SA. If there are message improprieties, return (ipsa_t *)-1. 5878 * If there was a memory allocation error, return NULL. (Assume NULL != 5879 * (ipsa_t *)-1). 5880 * 5881 * master_spi is passed in host order. 5882 */ 5883 ipsa_t * 5884 sadb_getspi(keysock_in_t *ksi, uint32_t master_spi, int *diagnostic, 5885 netstack_t *ns, uint_t sa_type) 5886 { 5887 sadb_address_t *src = 5888 (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_SRC], 5889 *dst = (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_DST]; 5890 sadb_spirange_t *range = 5891 (sadb_spirange_t *)ksi->ks_in_extv[SADB_EXT_SPIRANGE]; 5892 struct sockaddr_in *ssa, *dsa; 5893 struct sockaddr_in6 *ssa6, *dsa6; 5894 uint32_t *srcaddr, *dstaddr; 5895 sa_family_t af; 5896 uint32_t add, min, max; 5897 uint8_t protocol = 5898 (sa_type == SADB_SATYPE_AH) ? IPPROTO_AH : IPPROTO_ESP; 5899 5900 if (src == NULL) { 5901 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_SRC; 5902 return ((ipsa_t *)-1); 5903 } 5904 if (dst == NULL) { 5905 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_DST; 5906 return ((ipsa_t *)-1); 5907 } 5908 if (range == NULL) { 5909 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_RANGE; 5910 return ((ipsa_t *)-1); 5911 } 5912 5913 min = ntohl(range->sadb_spirange_min); 5914 max = ntohl(range->sadb_spirange_max); 5915 dsa = (struct sockaddr_in *)(dst + 1); 5916 dsa6 = (struct sockaddr_in6 *)dsa; 5917 5918 ssa = (struct sockaddr_in *)(src + 1); 5919 ssa6 = (struct sockaddr_in6 *)ssa; 5920 ASSERT(dsa->sin_family == ssa->sin_family); 5921 5922 srcaddr = ALL_ZEROES_PTR; 5923 af = dsa->sin_family; 5924 switch (af) { 5925 case AF_INET: 5926 if (src != NULL) 5927 srcaddr = (uint32_t *)(&ssa->sin_addr); 5928 dstaddr = (uint32_t *)(&dsa->sin_addr); 5929 break; 5930 case AF_INET6: 5931 if (src != NULL) 5932 srcaddr = (uint32_t *)(&ssa6->sin6_addr); 5933 dstaddr = (uint32_t *)(&dsa6->sin6_addr); 5934 break; 5935 default: 5936 *diagnostic = SADB_X_DIAGNOSTIC_BAD_DST_AF; 5937 return ((ipsa_t *)-1); 5938 } 5939 5940 if (master_spi < min || master_spi > max) { 5941 /* Return a random value in the range. */ 5942 if (cl_inet_getspi) { 5943 cl_inet_getspi(ns->netstack_stackid, protocol, 5944 (uint8_t *)&add, sizeof (add), NULL); 5945 } else { 5946 (void) random_get_pseudo_bytes((uint8_t *)&add, 5947 sizeof (add)); 5948 } 5949 master_spi = min + (add % (max - min + 1)); 5950 } 5951 5952 /* 5953 * Since master_spi is passed in host order, we need to htonl() it 5954 * for the purposes of creating a new SA. 5955 */ 5956 return (sadb_makelarvalassoc(htonl(master_spi), srcaddr, dstaddr, af, 5957 ns)); 5958 } 5959 5960 /* 5961 * 5962 * Locate an ACQUIRE and nuke it. If I have an samsg that's larger than the 5963 * base header, just ignore it. Otherwise, lock down the whole ACQUIRE list 5964 * and scan for the sequence number in question. I may wish to accept an 5965 * address pair with it, for easier searching. 5966 * 5967 * Caller frees the message, so we don't have to here. 5968 * 5969 * NOTE: The ip_q parameter may be used in the future for ACQUIRE 5970 * failures. 5971 */ 5972 /* ARGSUSED */ 5973 void 5974 sadb_in_acquire(sadb_msg_t *samsg, sadbp_t *sp, queue_t *ip_q, netstack_t *ns) 5975 { 5976 int i; 5977 ipsacq_t *acqrec; 5978 iacqf_t *bucket; 5979 5980 /* 5981 * I only accept the base header for this! 5982 * Though to be honest, requiring the dst address would help 5983 * immensely. 5984 * 5985 * XXX There are already cases where I can get the dst address. 5986 */ 5987 if (samsg->sadb_msg_len > SADB_8TO64(sizeof (*samsg))) 5988 return; 5989 5990 /* 5991 * Using the samsg->sadb_msg_seq, find the ACQUIRE record, delete it, 5992 * (and in the future send a message to IP with the appropriate error 5993 * number). 5994 * 5995 * Q: Do I want to reject if pid != 0? 5996 */ 5997 5998 for (i = 0; i < sp->s_v4.sdb_hashsize; i++) { 5999 bucket = &sp->s_v4.sdb_acq[i]; 6000 mutex_enter(&bucket->iacqf_lock); 6001 for (acqrec = bucket->iacqf_ipsacq; acqrec != NULL; 6002 acqrec = acqrec->ipsacq_next) { 6003 if (samsg->sadb_msg_seq == acqrec->ipsacq_seq) 6004 break; /* for acqrec... loop. */ 6005 } 6006 if (acqrec != NULL) 6007 break; /* for i = 0... loop. */ 6008 6009 mutex_exit(&bucket->iacqf_lock); 6010 } 6011 6012 if (acqrec == NULL) { 6013 for (i = 0; i < sp->s_v6.sdb_hashsize; i++) { 6014 bucket = &sp->s_v6.sdb_acq[i]; 6015 mutex_enter(&bucket->iacqf_lock); 6016 for (acqrec = bucket->iacqf_ipsacq; acqrec != NULL; 6017 acqrec = acqrec->ipsacq_next) { 6018 if (samsg->sadb_msg_seq == acqrec->ipsacq_seq) 6019 break; /* for acqrec... loop. */ 6020 } 6021 if (acqrec != NULL) 6022 break; /* for i = 0... loop. */ 6023 6024 mutex_exit(&bucket->iacqf_lock); 6025 } 6026 } 6027 6028 6029 if (acqrec == NULL) 6030 return; 6031 6032 /* 6033 * What do I do with the errno and IP? I may need mp's services a 6034 * little more. See sadb_destroy_acquire() for future directions 6035 * beyond free the mblk chain on the acquire record. 6036 */ 6037 6038 ASSERT(&bucket->iacqf_lock == acqrec->ipsacq_linklock); 6039 sadb_destroy_acquire(acqrec, ns); 6040 /* Have to exit mutex here, because of breaking out of for loop. */ 6041 mutex_exit(&bucket->iacqf_lock); 6042 } 6043 6044 /* 6045 * The following functions work with the replay windows of an SA. They assume 6046 * the ipsa->ipsa_replay_arr is an array of uint64_t, and that the bit vector 6047 * represents the highest sequence number packet received, and back 6048 * (ipsa->ipsa_replay_wsize) packets. 6049 */ 6050 6051 /* 6052 * Is the replay bit set? 6053 */ 6054 static boolean_t 6055 ipsa_is_replay_set(ipsa_t *ipsa, uint32_t offset) 6056 { 6057 uint64_t bit = (uint64_t)1 << (uint64_t)(offset & 63); 6058 6059 return ((bit & ipsa->ipsa_replay_arr[offset >> 6]) ? B_TRUE : B_FALSE); 6060 } 6061 6062 /* 6063 * Shift the bits of the replay window over. 6064 */ 6065 static void 6066 ipsa_shift_replay(ipsa_t *ipsa, uint32_t shift) 6067 { 6068 int i; 6069 int jump = ((shift - 1) >> 6) + 1; 6070 6071 if (shift == 0) 6072 return; 6073 6074 for (i = (ipsa->ipsa_replay_wsize - 1) >> 6; i >= 0; i--) { 6075 if (i + jump <= (ipsa->ipsa_replay_wsize - 1) >> 6) { 6076 ipsa->ipsa_replay_arr[i + jump] |= 6077 ipsa->ipsa_replay_arr[i] >> (64 - (shift & 63)); 6078 } 6079 ipsa->ipsa_replay_arr[i] <<= shift; 6080 } 6081 } 6082 6083 /* 6084 * Set a bit in the bit vector. 6085 */ 6086 static void 6087 ipsa_set_replay(ipsa_t *ipsa, uint32_t offset) 6088 { 6089 uint64_t bit = (uint64_t)1 << (uint64_t)(offset & 63); 6090 6091 ipsa->ipsa_replay_arr[offset >> 6] |= bit; 6092 } 6093 6094 #define SADB_MAX_REPLAY_VALUE 0xffffffff 6095 6096 /* 6097 * Assume caller has NOT done ntohl() already on seq. Check to see 6098 * if replay sequence number "seq" has been seen already. 6099 */ 6100 boolean_t 6101 sadb_replay_check(ipsa_t *ipsa, uint32_t seq) 6102 { 6103 boolean_t rc; 6104 uint32_t diff; 6105 6106 if (ipsa->ipsa_replay_wsize == 0) 6107 return (B_TRUE); 6108 6109 /* 6110 * NOTE: I've already checked for 0 on the wire in sadb_replay_peek(). 6111 */ 6112 6113 /* Convert sequence number into host order before holding the mutex. */ 6114 seq = ntohl(seq); 6115 6116 mutex_enter(&ipsa->ipsa_lock); 6117 6118 /* Initialize inbound SA's ipsa_replay field to last one received. */ 6119 if (ipsa->ipsa_replay == 0) 6120 ipsa->ipsa_replay = 1; 6121 6122 if (seq > ipsa->ipsa_replay) { 6123 /* 6124 * I have received a new "highest value received". Shift 6125 * the replay window over. 6126 */ 6127 diff = seq - ipsa->ipsa_replay; 6128 if (diff < ipsa->ipsa_replay_wsize) { 6129 /* In replay window, shift bits over. */ 6130 ipsa_shift_replay(ipsa, diff); 6131 } else { 6132 /* WAY FAR AHEAD, clear bits and start again. */ 6133 bzero(ipsa->ipsa_replay_arr, 6134 sizeof (ipsa->ipsa_replay_arr)); 6135 } 6136 ipsa_set_replay(ipsa, 0); 6137 ipsa->ipsa_replay = seq; 6138 rc = B_TRUE; 6139 goto done; 6140 } 6141 diff = ipsa->ipsa_replay - seq; 6142 if (diff >= ipsa->ipsa_replay_wsize || ipsa_is_replay_set(ipsa, diff)) { 6143 rc = B_FALSE; 6144 goto done; 6145 } 6146 /* Set this packet as seen. */ 6147 ipsa_set_replay(ipsa, diff); 6148 6149 rc = B_TRUE; 6150 done: 6151 mutex_exit(&ipsa->ipsa_lock); 6152 return (rc); 6153 } 6154 6155 /* 6156 * "Peek" and see if we should even bother going through the effort of 6157 * running an authentication check on the sequence number passed in. 6158 * this takes into account packets that are below the replay window, 6159 * and collisions with already replayed packets. Return B_TRUE if it 6160 * is okay to proceed, B_FALSE if this packet should be dropped immediately. 6161 * Assume same byte-ordering as sadb_replay_check. 6162 */ 6163 boolean_t 6164 sadb_replay_peek(ipsa_t *ipsa, uint32_t seq) 6165 { 6166 boolean_t rc = B_FALSE; 6167 uint32_t diff; 6168 6169 if (ipsa->ipsa_replay_wsize == 0) 6170 return (B_TRUE); 6171 6172 /* 6173 * 0 is 0, regardless of byte order... :) 6174 * 6175 * If I get 0 on the wire (and there is a replay window) then the 6176 * sender most likely wrapped. This ipsa may need to be marked or 6177 * something. 6178 */ 6179 if (seq == 0) 6180 return (B_FALSE); 6181 6182 seq = ntohl(seq); 6183 mutex_enter(&ipsa->ipsa_lock); 6184 if (seq < ipsa->ipsa_replay - ipsa->ipsa_replay_wsize && 6185 ipsa->ipsa_replay >= ipsa->ipsa_replay_wsize) 6186 goto done; 6187 6188 /* 6189 * If I've hit 0xffffffff, then quite honestly, I don't need to 6190 * bother with formalities. I'm not accepting any more packets 6191 * on this SA. 6192 */ 6193 if (ipsa->ipsa_replay == SADB_MAX_REPLAY_VALUE) { 6194 /* 6195 * Since we're already holding the lock, update the 6196 * expire time ala. sadb_replay_delete() and return. 6197 */ 6198 ipsa->ipsa_hardexpiretime = (time_t)1; 6199 goto done; 6200 } 6201 6202 if (seq <= ipsa->ipsa_replay) { 6203 /* 6204 * This seq is in the replay window. I'm not below it, 6205 * because I already checked for that above! 6206 */ 6207 diff = ipsa->ipsa_replay - seq; 6208 if (ipsa_is_replay_set(ipsa, diff)) 6209 goto done; 6210 } 6211 /* Else return B_TRUE, I'm going to advance the window. */ 6212 6213 rc = B_TRUE; 6214 done: 6215 mutex_exit(&ipsa->ipsa_lock); 6216 return (rc); 6217 } 6218 6219 /* 6220 * Delete a single SA. 6221 * 6222 * For now, use the quick-and-dirty trick of making the association's 6223 * hard-expire lifetime (time_t)1, ensuring deletion by the *_ager(). 6224 */ 6225 void 6226 sadb_replay_delete(ipsa_t *assoc) 6227 { 6228 mutex_enter(&assoc->ipsa_lock); 6229 assoc->ipsa_hardexpiretime = (time_t)1; 6230 mutex_exit(&assoc->ipsa_lock); 6231 } 6232 6233 /* 6234 * Given a queue that presumably points to IP, send a T_BIND_REQ for _proto_ 6235 * down. The caller will handle the T_BIND_ACK locally. 6236 */ 6237 boolean_t 6238 sadb_t_bind_req(queue_t *q, int proto) 6239 { 6240 struct T_bind_req *tbr; 6241 mblk_t *mp; 6242 6243 mp = allocb_cred(sizeof (struct T_bind_req) + 1, kcred, NOPID); 6244 if (mp == NULL) { 6245 /* cmn_err(CE_WARN, */ 6246 /* "sadb_t_bind_req(%d): couldn't allocate mblk\n", proto); */ 6247 return (B_FALSE); 6248 } 6249 mp->b_datap->db_type = M_PCPROTO; 6250 tbr = (struct T_bind_req *)mp->b_rptr; 6251 mp->b_wptr += sizeof (struct T_bind_req); 6252 tbr->PRIM_type = T_BIND_REQ; 6253 tbr->ADDR_length = 0; 6254 tbr->ADDR_offset = 0; 6255 tbr->CONIND_number = 0; 6256 *mp->b_wptr = (uint8_t)proto; 6257 mp->b_wptr++; 6258 6259 putnext(q, mp); 6260 return (B_TRUE); 6261 } 6262 6263 /* 6264 * Special front-end to ipsec_rl_strlog() dealing with SA failure. 6265 * this is designed to take only a format string with "* %x * %s *", so 6266 * that "spi" is printed first, then "addr" is converted using inet_pton(). 6267 * 6268 * This is abstracted out to save the stack space for only when inet_pton() 6269 * is called. Make sure "spi" is in network order; it usually is when this 6270 * would get called. 6271 */ 6272 void 6273 ipsec_assocfailure(short mid, short sid, char level, ushort_t sl, char *fmt, 6274 uint32_t spi, void *addr, int af, netstack_t *ns) 6275 { 6276 char buf[INET6_ADDRSTRLEN]; 6277 6278 ASSERT(af == AF_INET6 || af == AF_INET); 6279 6280 ipsec_rl_strlog(ns, mid, sid, level, sl, fmt, ntohl(spi), 6281 inet_ntop(af, addr, buf, sizeof (buf))); 6282 } 6283 6284 /* 6285 * Fills in a reference to the policy, if any, from the conn, in *ppp 6286 * Releases a reference to the passed conn_t. 6287 */ 6288 static void 6289 ipsec_conn_pol(ipsec_selector_t *sel, conn_t *connp, ipsec_policy_t **ppp) 6290 { 6291 ipsec_policy_t *pp; 6292 ipsec_latch_t *ipl = connp->conn_latch; 6293 6294 if ((ipl != NULL) && (ipl->ipl_out_policy != NULL)) { 6295 pp = ipl->ipl_out_policy; 6296 IPPOL_REFHOLD(pp); 6297 } else { 6298 pp = ipsec_find_policy(IPSEC_TYPE_OUTBOUND, connp, NULL, sel, 6299 connp->conn_netstack); 6300 } 6301 *ppp = pp; 6302 CONN_DEC_REF(connp); 6303 } 6304 6305 /* 6306 * The following functions scan through active conn_t structures 6307 * and return a reference to the best-matching policy it can find. 6308 * Caller must release the reference. 6309 */ 6310 static void 6311 ipsec_udp_pol(ipsec_selector_t *sel, ipsec_policy_t **ppp, ip_stack_t *ipst) 6312 { 6313 connf_t *connfp; 6314 conn_t *connp = NULL; 6315 ipsec_selector_t portonly; 6316 6317 bzero((void *)&portonly, sizeof (portonly)); 6318 6319 if (sel->ips_local_port == 0) 6320 return; 6321 6322 connfp = &ipst->ips_ipcl_udp_fanout[IPCL_UDP_HASH(sel->ips_local_port, 6323 ipst)]; 6324 mutex_enter(&connfp->connf_lock); 6325 6326 if (sel->ips_isv4) { 6327 connp = connfp->connf_head; 6328 while (connp != NULL) { 6329 if (IPCL_UDP_MATCH(connp, sel->ips_local_port, 6330 sel->ips_local_addr_v4, sel->ips_remote_port, 6331 sel->ips_remote_addr_v4)) 6332 break; 6333 connp = connp->conn_next; 6334 } 6335 6336 if (connp == NULL) { 6337 /* Try port-only match in IPv6. */ 6338 portonly.ips_local_port = sel->ips_local_port; 6339 sel = &portonly; 6340 } 6341 } 6342 6343 if (connp == NULL) { 6344 connp = connfp->connf_head; 6345 while (connp != NULL) { 6346 if (IPCL_UDP_MATCH_V6(connp, sel->ips_local_port, 6347 sel->ips_local_addr_v6, sel->ips_remote_port, 6348 sel->ips_remote_addr_v6)) 6349 break; 6350 connp = connp->conn_next; 6351 } 6352 6353 if (connp == NULL) { 6354 mutex_exit(&connfp->connf_lock); 6355 return; 6356 } 6357 } 6358 6359 CONN_INC_REF(connp); 6360 mutex_exit(&connfp->connf_lock); 6361 6362 ipsec_conn_pol(sel, connp, ppp); 6363 } 6364 6365 static conn_t * 6366 ipsec_find_listen_conn(uint16_t *pptr, ipsec_selector_t *sel, ip_stack_t *ipst) 6367 { 6368 connf_t *connfp; 6369 conn_t *connp = NULL; 6370 const in6_addr_t *v6addrmatch = &sel->ips_local_addr_v6; 6371 6372 if (sel->ips_local_port == 0) 6373 return (NULL); 6374 6375 connfp = &ipst->ips_ipcl_bind_fanout[ 6376 IPCL_BIND_HASH(sel->ips_local_port, ipst)]; 6377 mutex_enter(&connfp->connf_lock); 6378 6379 if (sel->ips_isv4) { 6380 connp = connfp->connf_head; 6381 while (connp != NULL) { 6382 if (IPCL_BIND_MATCH(connp, IPPROTO_TCP, 6383 sel->ips_local_addr_v4, pptr[1])) 6384 break; 6385 connp = connp->conn_next; 6386 } 6387 6388 if (connp == NULL) { 6389 /* Match to all-zeroes. */ 6390 v6addrmatch = &ipv6_all_zeros; 6391 } 6392 } 6393 6394 if (connp == NULL) { 6395 connp = connfp->connf_head; 6396 while (connp != NULL) { 6397 if (IPCL_BIND_MATCH_V6(connp, IPPROTO_TCP, 6398 *v6addrmatch, pptr[1])) 6399 break; 6400 connp = connp->conn_next; 6401 } 6402 6403 if (connp == NULL) { 6404 mutex_exit(&connfp->connf_lock); 6405 return (NULL); 6406 } 6407 } 6408 6409 CONN_INC_REF(connp); 6410 mutex_exit(&connfp->connf_lock); 6411 return (connp); 6412 } 6413 6414 static void 6415 ipsec_tcp_pol(ipsec_selector_t *sel, ipsec_policy_t **ppp, ip_stack_t *ipst) 6416 { 6417 connf_t *connfp; 6418 conn_t *connp; 6419 uint32_t ports; 6420 uint16_t *pptr = (uint16_t *)&ports; 6421 6422 /* 6423 * Find TCP state in the following order: 6424 * 1.) Connected conns. 6425 * 2.) Listeners. 6426 * 6427 * Even though #2 will be the common case for inbound traffic, only 6428 * following this order insures correctness. 6429 */ 6430 6431 if (sel->ips_local_port == 0) 6432 return; 6433 6434 /* 6435 * 0 should be fport, 1 should be lport. SRC is the local one here. 6436 * See ipsec_construct_inverse_acquire() for details. 6437 */ 6438 pptr[0] = sel->ips_remote_port; 6439 pptr[1] = sel->ips_local_port; 6440 6441 connfp = &ipst->ips_ipcl_conn_fanout[ 6442 IPCL_CONN_HASH(sel->ips_remote_addr_v4, ports, ipst)]; 6443 mutex_enter(&connfp->connf_lock); 6444 connp = connfp->connf_head; 6445 6446 if (sel->ips_isv4) { 6447 while (connp != NULL) { 6448 if (IPCL_CONN_MATCH(connp, IPPROTO_TCP, 6449 sel->ips_remote_addr_v4, sel->ips_local_addr_v4, 6450 ports)) 6451 break; 6452 connp = connp->conn_next; 6453 } 6454 } else { 6455 while (connp != NULL) { 6456 if (IPCL_CONN_MATCH_V6(connp, IPPROTO_TCP, 6457 sel->ips_remote_addr_v6, sel->ips_local_addr_v6, 6458 ports)) 6459 break; 6460 connp = connp->conn_next; 6461 } 6462 } 6463 6464 if (connp != NULL) { 6465 CONN_INC_REF(connp); 6466 mutex_exit(&connfp->connf_lock); 6467 } else { 6468 mutex_exit(&connfp->connf_lock); 6469 6470 /* Try the listen hash. */ 6471 if ((connp = ipsec_find_listen_conn(pptr, sel, ipst)) == NULL) 6472 return; 6473 } 6474 6475 ipsec_conn_pol(sel, connp, ppp); 6476 } 6477 6478 static void 6479 ipsec_sctp_pol(ipsec_selector_t *sel, ipsec_policy_t **ppp, 6480 ip_stack_t *ipst) 6481 { 6482 conn_t *connp; 6483 uint32_t ports; 6484 uint16_t *pptr = (uint16_t *)&ports; 6485 6486 /* 6487 * Find SCP state in the following order: 6488 * 1.) Connected conns. 6489 * 2.) Listeners. 6490 * 6491 * Even though #2 will be the common case for inbound traffic, only 6492 * following this order insures correctness. 6493 */ 6494 6495 if (sel->ips_local_port == 0) 6496 return; 6497 6498 /* 6499 * 0 should be fport, 1 should be lport. SRC is the local one here. 6500 * See ipsec_construct_inverse_acquire() for details. 6501 */ 6502 pptr[0] = sel->ips_remote_port; 6503 pptr[1] = sel->ips_local_port; 6504 6505 if (sel->ips_isv4) { 6506 in6_addr_t src, dst; 6507 6508 IN6_IPADDR_TO_V4MAPPED(sel->ips_remote_addr_v4, &dst); 6509 IN6_IPADDR_TO_V4MAPPED(sel->ips_local_addr_v4, &src); 6510 connp = sctp_find_conn(&dst, &src, ports, ALL_ZONES, 6511 ipst->ips_netstack->netstack_sctp); 6512 } else { 6513 connp = sctp_find_conn(&sel->ips_remote_addr_v6, 6514 &sel->ips_local_addr_v6, ports, ALL_ZONES, 6515 ipst->ips_netstack->netstack_sctp); 6516 } 6517 if (connp == NULL) 6518 return; 6519 ipsec_conn_pol(sel, connp, ppp); 6520 } 6521 6522 /* 6523 * Fill in a query for the SPD (in "sel") using two PF_KEY address extensions. 6524 * Returns 0 or errno, and always sets *diagnostic to something appropriate 6525 * to PF_KEY. 6526 * 6527 * NOTE: For right now, this function (and ipsec_selector_t for that matter), 6528 * ignore prefix lengths in the address extension. Since we match on first- 6529 * entered policies, this shouldn't matter. Also, since we normalize prefix- 6530 * set addresses to mask out the lower bits, we should get a suitable search 6531 * key for the SPD anyway. This is the function to change if the assumption 6532 * about suitable search keys is wrong. 6533 */ 6534 static int 6535 ipsec_get_inverse_acquire_sel(ipsec_selector_t *sel, sadb_address_t *srcext, 6536 sadb_address_t *dstext, int *diagnostic) 6537 { 6538 struct sockaddr_in *src, *dst; 6539 struct sockaddr_in6 *src6, *dst6; 6540 6541 *diagnostic = 0; 6542 6543 bzero(sel, sizeof (*sel)); 6544 sel->ips_protocol = srcext->sadb_address_proto; 6545 dst = (struct sockaddr_in *)(dstext + 1); 6546 if (dst->sin_family == AF_INET6) { 6547 dst6 = (struct sockaddr_in6 *)dst; 6548 src6 = (struct sockaddr_in6 *)(srcext + 1); 6549 if (src6->sin6_family != AF_INET6) { 6550 *diagnostic = SADB_X_DIAGNOSTIC_AF_MISMATCH; 6551 return (EINVAL); 6552 } 6553 sel->ips_remote_addr_v6 = dst6->sin6_addr; 6554 sel->ips_local_addr_v6 = src6->sin6_addr; 6555 if (sel->ips_protocol == IPPROTO_ICMPV6) { 6556 sel->ips_is_icmp_inv_acq = 1; 6557 } else { 6558 sel->ips_remote_port = dst6->sin6_port; 6559 sel->ips_local_port = src6->sin6_port; 6560 } 6561 sel->ips_isv4 = B_FALSE; 6562 } else { 6563 src = (struct sockaddr_in *)(srcext + 1); 6564 if (src->sin_family != AF_INET) { 6565 *diagnostic = SADB_X_DIAGNOSTIC_AF_MISMATCH; 6566 return (EINVAL); 6567 } 6568 sel->ips_remote_addr_v4 = dst->sin_addr.s_addr; 6569 sel->ips_local_addr_v4 = src->sin_addr.s_addr; 6570 if (sel->ips_protocol == IPPROTO_ICMP) { 6571 sel->ips_is_icmp_inv_acq = 1; 6572 } else { 6573 sel->ips_remote_port = dst->sin_port; 6574 sel->ips_local_port = src->sin_port; 6575 } 6576 sel->ips_isv4 = B_TRUE; 6577 } 6578 return (0); 6579 } 6580 6581 /* 6582 * We have encapsulation. 6583 * - Lookup tun_t by address and look for an associated 6584 * tunnel policy 6585 * - If there are inner selectors 6586 * - check ITPF_P_TUNNEL and ITPF_P_ACTIVE 6587 * - Look up tunnel policy based on selectors 6588 * - Else 6589 * - Sanity check the negotation 6590 * - If appropriate, fall through to global policy 6591 */ 6592 static int 6593 ipsec_tun_pol(ipsec_selector_t *sel, ipsec_policy_t **ppp, 6594 sadb_address_t *innsrcext, sadb_address_t *inndstext, ipsec_tun_pol_t *itp, 6595 int *diagnostic, netstack_t *ns) 6596 { 6597 int err; 6598 ipsec_policy_head_t *polhead; 6599 6600 *diagnostic = 0; 6601 6602 /* Check for inner selectors and act appropriately */ 6603 6604 if (innsrcext != NULL) { 6605 /* Inner selectors present */ 6606 ASSERT(inndstext != NULL); 6607 if ((itp == NULL) || 6608 (itp->itp_flags & (ITPF_P_ACTIVE | ITPF_P_TUNNEL)) != 6609 (ITPF_P_ACTIVE | ITPF_P_TUNNEL)) { 6610 /* 6611 * If inner packet selectors, we must have negotiate 6612 * tunnel and active policy. If the tunnel has 6613 * transport-mode policy set on it, or has no policy, 6614 * fail. 6615 */ 6616 return (ENOENT); 6617 } else { 6618 /* 6619 * Reset "sel" to indicate inner selectors. Pass 6620 * inner PF_KEY address extensions for this to happen. 6621 */ 6622 if ((err = ipsec_get_inverse_acquire_sel(sel, 6623 innsrcext, inndstext, diagnostic)) != 0) 6624 return (err); 6625 /* 6626 * Now look for a tunnel policy based on those inner 6627 * selectors. (Common code is below.) 6628 */ 6629 } 6630 } else { 6631 /* No inner selectors present */ 6632 if ((itp == NULL) || !(itp->itp_flags & ITPF_P_ACTIVE)) { 6633 /* 6634 * Transport mode negotiation with no tunnel policy 6635 * configured - return to indicate a global policy 6636 * check is needed. 6637 */ 6638 return (0); 6639 } else if (itp->itp_flags & ITPF_P_TUNNEL) { 6640 /* Tunnel mode set with no inner selectors. */ 6641 return (ENOENT); 6642 } 6643 /* 6644 * Else, this is a tunnel policy configured with ifconfig(1m) 6645 * or "negotiate transport" with ipsecconf(1m). We have an 6646 * itp with policy set based on any match, so don't bother 6647 * changing fields in "sel". 6648 */ 6649 } 6650 6651 ASSERT(itp != NULL); 6652 polhead = itp->itp_policy; 6653 ASSERT(polhead != NULL); 6654 rw_enter(&polhead->iph_lock, RW_READER); 6655 *ppp = ipsec_find_policy_head(NULL, polhead, 6656 IPSEC_TYPE_INBOUND, sel, ns); 6657 rw_exit(&polhead->iph_lock); 6658 6659 /* 6660 * Don't default to global if we didn't find a matching policy entry. 6661 * Instead, send ENOENT, just like if we hit a transport-mode tunnel. 6662 */ 6663 if (*ppp == NULL) 6664 return (ENOENT); 6665 6666 return (0); 6667 } 6668 6669 static void 6670 ipsec_oth_pol(ipsec_selector_t *sel, ipsec_policy_t **ppp, 6671 ip_stack_t *ipst) 6672 { 6673 boolean_t isv4 = sel->ips_isv4; 6674 connf_t *connfp; 6675 conn_t *connp; 6676 6677 if (isv4) { 6678 connfp = &ipst->ips_ipcl_proto_fanout[sel->ips_protocol]; 6679 } else { 6680 connfp = &ipst->ips_ipcl_proto_fanout_v6[sel->ips_protocol]; 6681 } 6682 6683 mutex_enter(&connfp->connf_lock); 6684 for (connp = connfp->connf_head; connp != NULL; 6685 connp = connp->conn_next) { 6686 if (!((isv4 && !((connp->conn_src == 0 || 6687 connp->conn_src == sel->ips_local_addr_v4) && 6688 (connp->conn_rem == 0 || 6689 connp->conn_rem == sel->ips_remote_addr_v4))) || 6690 (!isv4 && !((IN6_IS_ADDR_UNSPECIFIED(&connp->conn_srcv6) || 6691 IN6_ARE_ADDR_EQUAL(&connp->conn_srcv6, 6692 &sel->ips_local_addr_v6)) && 6693 (IN6_IS_ADDR_UNSPECIFIED(&connp->conn_remv6) || 6694 IN6_ARE_ADDR_EQUAL(&connp->conn_remv6, 6695 &sel->ips_remote_addr_v6)))))) { 6696 break; 6697 } 6698 } 6699 if (connp == NULL) { 6700 mutex_exit(&connfp->connf_lock); 6701 return; 6702 } 6703 6704 CONN_INC_REF(connp); 6705 mutex_exit(&connfp->connf_lock); 6706 6707 ipsec_conn_pol(sel, connp, ppp); 6708 } 6709 6710 /* 6711 * Construct an inverse ACQUIRE reply based on: 6712 * 6713 * 1.) Current global policy. 6714 * 2.) An conn_t match depending on what all was passed in the extv[]. 6715 * 3.) A tunnel's policy head. 6716 * ... 6717 * N.) Other stuff TBD (e.g. identities) 6718 * 6719 * If there is an error, set sadb_msg_errno and sadb_x_msg_diagnostic 6720 * in this function so the caller can extract them where appropriately. 6721 * 6722 * The SRC address is the local one - just like an outbound ACQUIRE message. 6723 */ 6724 mblk_t * 6725 ipsec_construct_inverse_acquire(sadb_msg_t *samsg, sadb_ext_t *extv[], 6726 netstack_t *ns) 6727 { 6728 int err; 6729 int diagnostic; 6730 sadb_address_t *srcext = (sadb_address_t *)extv[SADB_EXT_ADDRESS_SRC], 6731 *dstext = (sadb_address_t *)extv[SADB_EXT_ADDRESS_DST], 6732 *innsrcext = (sadb_address_t *)extv[SADB_X_EXT_ADDRESS_INNER_SRC], 6733 *inndstext = (sadb_address_t *)extv[SADB_X_EXT_ADDRESS_INNER_DST]; 6734 struct sockaddr_in6 *src, *dst; 6735 struct sockaddr_in6 *isrc, *idst; 6736 ipsec_tun_pol_t *itp = NULL; 6737 ipsec_policy_t *pp = NULL; 6738 ipsec_selector_t sel, isel; 6739 mblk_t *retmp = NULL; 6740 ip_stack_t *ipst = ns->netstack_ip; 6741 6742 /* Normalize addresses */ 6743 if (sadb_addrcheck(NULL, (mblk_t *)samsg, (sadb_ext_t *)srcext, 0, ns) 6744 == KS_IN_ADDR_UNKNOWN) { 6745 err = EINVAL; 6746 diagnostic = SADB_X_DIAGNOSTIC_BAD_SRC; 6747 goto bail; 6748 } 6749 src = (struct sockaddr_in6 *)(srcext + 1); 6750 if (sadb_addrcheck(NULL, (mblk_t *)samsg, (sadb_ext_t *)dstext, 0, ns) 6751 == KS_IN_ADDR_UNKNOWN) { 6752 err = EINVAL; 6753 diagnostic = SADB_X_DIAGNOSTIC_BAD_DST; 6754 goto bail; 6755 } 6756 dst = (struct sockaddr_in6 *)(dstext + 1); 6757 if (src->sin6_family != dst->sin6_family) { 6758 err = EINVAL; 6759 diagnostic = SADB_X_DIAGNOSTIC_AF_MISMATCH; 6760 goto bail; 6761 } 6762 6763 /* Check for tunnel mode and act appropriately */ 6764 if (innsrcext != NULL) { 6765 if (inndstext == NULL) { 6766 err = EINVAL; 6767 diagnostic = SADB_X_DIAGNOSTIC_MISSING_INNER_DST; 6768 goto bail; 6769 } 6770 if (sadb_addrcheck(NULL, (mblk_t *)samsg, 6771 (sadb_ext_t *)innsrcext, 0, ns) == KS_IN_ADDR_UNKNOWN) { 6772 err = EINVAL; 6773 diagnostic = SADB_X_DIAGNOSTIC_MALFORMED_INNER_SRC; 6774 goto bail; 6775 } 6776 isrc = (struct sockaddr_in6 *)(innsrcext + 1); 6777 if (sadb_addrcheck(NULL, (mblk_t *)samsg, 6778 (sadb_ext_t *)inndstext, 0, ns) == KS_IN_ADDR_UNKNOWN) { 6779 err = EINVAL; 6780 diagnostic = SADB_X_DIAGNOSTIC_MALFORMED_INNER_DST; 6781 goto bail; 6782 } 6783 idst = (struct sockaddr_in6 *)(inndstext + 1); 6784 if (isrc->sin6_family != idst->sin6_family) { 6785 err = EINVAL; 6786 diagnostic = SADB_X_DIAGNOSTIC_INNER_AF_MISMATCH; 6787 goto bail; 6788 } 6789 if (isrc->sin6_family != AF_INET && 6790 isrc->sin6_family != AF_INET6) { 6791 err = EINVAL; 6792 diagnostic = SADB_X_DIAGNOSTIC_BAD_INNER_SRC_AF; 6793 goto bail; 6794 } 6795 } else if (inndstext != NULL) { 6796 err = EINVAL; 6797 diagnostic = SADB_X_DIAGNOSTIC_MISSING_INNER_SRC; 6798 goto bail; 6799 } 6800 6801 /* Get selectors first, based on outer addresses */ 6802 err = ipsec_get_inverse_acquire_sel(&sel, srcext, dstext, &diagnostic); 6803 if (err != 0) 6804 goto bail; 6805 6806 /* Check for tunnel mode mismatches. */ 6807 if (innsrcext != NULL && 6808 ((isrc->sin6_family == AF_INET && 6809 sel.ips_protocol != IPPROTO_ENCAP && sel.ips_protocol != 0) || 6810 (isrc->sin6_family == AF_INET6 && 6811 sel.ips_protocol != IPPROTO_IPV6 && sel.ips_protocol != 0))) { 6812 err = EPROTOTYPE; 6813 goto bail; 6814 } 6815 6816 /* 6817 * Okay, we have the addresses and other selector information. 6818 * Let's first find a conn... 6819 */ 6820 pp = NULL; 6821 switch (sel.ips_protocol) { 6822 case IPPROTO_TCP: 6823 ipsec_tcp_pol(&sel, &pp, ipst); 6824 break; 6825 case IPPROTO_UDP: 6826 ipsec_udp_pol(&sel, &pp, ipst); 6827 break; 6828 case IPPROTO_SCTP: 6829 ipsec_sctp_pol(&sel, &pp, ipst); 6830 break; 6831 case IPPROTO_ENCAP: 6832 case IPPROTO_IPV6: 6833 /* 6834 * Assume sel.ips_remote_addr_* has the right address at 6835 * that exact position. 6836 */ 6837 itp = itp_get_byaddr((uint32_t *)(&sel.ips_local_addr_v6), 6838 (uint32_t *)(&sel.ips_remote_addr_v6), src->sin6_family, 6839 ipst); 6840 6841 if (innsrcext == NULL) { 6842 /* 6843 * Transport-mode tunnel, make sure we fake out isel 6844 * to contain something based on the outer protocol. 6845 */ 6846 bzero(&isel, sizeof (isel)); 6847 isel.ips_isv4 = (sel.ips_protocol == IPPROTO_ENCAP); 6848 } /* Else isel is initialized by ipsec_tun_pol(). */ 6849 err = ipsec_tun_pol(&isel, &pp, innsrcext, inndstext, itp, 6850 &diagnostic, ns); 6851 /* 6852 * NOTE: isel isn't used for now, but in RFC 430x IPsec, it 6853 * may be. 6854 */ 6855 if (err != 0) 6856 goto bail; 6857 break; 6858 default: 6859 ipsec_oth_pol(&sel, &pp, ipst); 6860 break; 6861 } 6862 6863 /* 6864 * If we didn't find a matching conn_t or other policy head, take a 6865 * look in the global policy. 6866 */ 6867 if (pp == NULL) { 6868 pp = ipsec_find_policy(IPSEC_TYPE_OUTBOUND, NULL, NULL, &sel, 6869 ns); 6870 if (pp == NULL) { 6871 /* There's no global policy. */ 6872 err = ENOENT; 6873 diagnostic = 0; 6874 goto bail; 6875 } 6876 } 6877 6878 /* 6879 * Now that we have a policy entry/widget, construct an ACQUIRE 6880 * message based on that, fix fields where appropriate, 6881 * and return the message. 6882 */ 6883 retmp = sadb_extended_acquire(&sel, pp, NULL, 6884 (itp != NULL && (itp->itp_flags & ITPF_P_TUNNEL)), 6885 samsg->sadb_msg_seq, samsg->sadb_msg_pid, ns); 6886 if (pp != NULL) { 6887 IPPOL_REFRELE(pp, ns); 6888 } 6889 ASSERT(err == 0 && diagnostic == 0); 6890 if (retmp == NULL) 6891 err = ENOMEM; 6892 bail: 6893 if (itp != NULL) { 6894 ITP_REFRELE(itp, ns); 6895 } 6896 samsg->sadb_msg_errno = (uint8_t)err; 6897 samsg->sadb_x_msg_diagnostic = (uint16_t)diagnostic; 6898 return (retmp); 6899 } 6900 6901 /* 6902 * ipsa_lpkt is a one-element queue, only manipulated by the next two 6903 * functions. They have to hold the ipsa_lock because of potential races 6904 * between key management using SADB_UPDATE, and inbound packets that may 6905 * queue up on the larval SA (hence the 'l' in "lpkt"). 6906 */ 6907 6908 /* 6909 * sadb_set_lpkt: Return TRUE if we can swap in a value to ipsa->ipsa_lpkt and 6910 * freemsg the previous value. Return FALSE if we lost the race and the SA is 6911 * in a non-LARVAL state. free clue: ip_drop_packet(NULL) is safe. 6912 */ 6913 boolean_t 6914 sadb_set_lpkt(ipsa_t *ipsa, mblk_t *npkt, netstack_t *ns) 6915 { 6916 mblk_t *opkt; 6917 ipsec_stack_t *ipss = ns->netstack_ipsec; 6918 boolean_t is_larval; 6919 6920 /* 6921 * Check the packet's netstack id in case we go asynch with a 6922 * taskq_dispatch. 6923 */ 6924 ASSERT(((ipsec_in_t *)npkt->b_rptr)->ipsec_in_type == IPSEC_IN); 6925 ASSERT(((ipsec_in_t *)npkt->b_rptr)->ipsec_in_stackid == 6926 ns->netstack_stackid); 6927 6928 mutex_enter(&ipsa->ipsa_lock); 6929 is_larval = (ipsa->ipsa_state == IPSA_STATE_LARVAL); 6930 if (is_larval) { 6931 opkt = ipsa->ipsa_lpkt; 6932 ipsa->ipsa_lpkt = npkt; 6933 } else { 6934 /* We lost the race. */ 6935 opkt = NULL; 6936 ASSERT(ipsa->ipsa_lpkt == NULL); 6937 } 6938 mutex_exit(&ipsa->ipsa_lock); 6939 6940 ip_drop_packet(opkt, B_TRUE, NULL, NULL, 6941 DROPPER(ipss, ipds_sadb_inlarval_replace), 6942 &ipss->ipsec_sadb_dropper); 6943 return (is_larval); 6944 } 6945 6946 /* 6947 * sadb_clear_lpkt: Atomically clear ipsa->ipsa_lpkt and return the 6948 * previous value. 6949 */ 6950 mblk_t * 6951 sadb_clear_lpkt(ipsa_t *ipsa) 6952 { 6953 mblk_t *opkt; 6954 6955 mutex_enter(&ipsa->ipsa_lock); 6956 opkt = ipsa->ipsa_lpkt; 6957 ipsa->ipsa_lpkt = NULL; 6958 mutex_exit(&ipsa->ipsa_lock); 6959 6960 return (opkt); 6961 } 6962 6963 /* 6964 * Buffer a packet that's in IDLE state as set by Solaris Clustering. 6965 */ 6966 void 6967 sadb_buf_pkt(ipsa_t *ipsa, mblk_t *bpkt, netstack_t *ns) 6968 { 6969 ipsec_stack_t *ipss = ns->netstack_ipsec; 6970 extern void (*cl_inet_idlesa)(netstackid_t, uint8_t, uint32_t, 6971 sa_family_t, in6_addr_t, in6_addr_t, void *); 6972 in6_addr_t *srcaddr = (in6_addr_t *)(&ipsa->ipsa_srcaddr); 6973 in6_addr_t *dstaddr = (in6_addr_t *)(&ipsa->ipsa_dstaddr); 6974 6975 ASSERT(ipsa->ipsa_state == IPSA_STATE_IDLE); 6976 6977 if (cl_inet_idlesa == NULL) { 6978 ip_drop_packet(bpkt, B_TRUE, NULL, NULL, 6979 DROPPER(ipss, ipds_sadb_inidle_overflow), 6980 &ipss->ipsec_sadb_dropper); 6981 return; 6982 } 6983 6984 cl_inet_idlesa(ns->netstack_stackid, 6985 (ipsa->ipsa_type == SADB_SATYPE_AH) ? IPPROTO_AH : IPPROTO_ESP, 6986 ipsa->ipsa_spi, ipsa->ipsa_addrfam, *srcaddr, *dstaddr, NULL); 6987 6988 /* 6989 * Check the packet's netstack id in case we go asynch with a 6990 * taskq_dispatch. 6991 */ 6992 ASSERT(((ipsec_in_t *)bpkt->b_rptr)->ipsec_in_type == IPSEC_IN); 6993 ASSERT(((ipsec_in_t *)bpkt->b_rptr)->ipsec_in_stackid == 6994 ns->netstack_stackid); 6995 6996 mutex_enter(&ipsa->ipsa_lock); 6997 ipsa->ipsa_mblkcnt++; 6998 if (ipsa->ipsa_bpkt_head == NULL) { 6999 ipsa->ipsa_bpkt_head = ipsa->ipsa_bpkt_tail = bpkt; 7000 } else { 7001 ipsa->ipsa_bpkt_tail->b_next = bpkt; 7002 ipsa->ipsa_bpkt_tail = bpkt; 7003 if (ipsa->ipsa_mblkcnt > SADB_MAX_IDLEPKTS) { 7004 mblk_t *tmp; 7005 tmp = ipsa->ipsa_bpkt_head; 7006 ipsa->ipsa_bpkt_head = ipsa->ipsa_bpkt_head->b_next; 7007 ip_drop_packet(tmp, B_TRUE, NULL, NULL, 7008 DROPPER(ipss, ipds_sadb_inidle_overflow), 7009 &ipss->ipsec_sadb_dropper); 7010 ipsa->ipsa_mblkcnt --; 7011 } 7012 } 7013 mutex_exit(&ipsa->ipsa_lock); 7014 7015 } 7016 7017 /* 7018 * Stub function that taskq_dispatch() invokes to take the mblk (in arg) 7019 * and put into STREAMS again. 7020 */ 7021 void 7022 sadb_clear_buf_pkt(void *ipkt) 7023 { 7024 mblk_t *tmp, *buf_pkt; 7025 netstack_t *ns; 7026 ipsec_in_t *ii; 7027 7028 buf_pkt = (mblk_t *)ipkt; 7029 7030 ii = (ipsec_in_t *)buf_pkt->b_rptr; 7031 ASSERT(ii->ipsec_in_type == IPSEC_IN); 7032 ns = netstack_find_by_stackid(ii->ipsec_in_stackid); 7033 if (ns != NULL && ns != ii->ipsec_in_ns) { 7034 netstack_rele(ns); 7035 ns = NULL; /* For while-loop below. */ 7036 } 7037 7038 while (buf_pkt != NULL) { 7039 tmp = buf_pkt->b_next; 7040 buf_pkt->b_next = NULL; 7041 if (ns != NULL) 7042 ip_fanout_proto_again(buf_pkt, NULL, NULL, NULL); 7043 else 7044 freemsg(buf_pkt); 7045 buf_pkt = tmp; 7046 } 7047 if (ns != NULL) 7048 netstack_rele(ns); 7049 } 7050 /* 7051 * Walker callback used by sadb_alg_update() to free/create crypto 7052 * context template when a crypto software provider is removed or 7053 * added. 7054 */ 7055 7056 struct sadb_update_alg_state { 7057 ipsec_algtype_t alg_type; 7058 uint8_t alg_id; 7059 boolean_t is_added; 7060 }; 7061 7062 static void 7063 sadb_alg_update_cb(isaf_t *head, ipsa_t *entry, void *cookie) 7064 { 7065 struct sadb_update_alg_state *update_state = 7066 (struct sadb_update_alg_state *)cookie; 7067 crypto_ctx_template_t *ctx_tmpl = NULL; 7068 7069 ASSERT(MUTEX_HELD(&head->isaf_lock)); 7070 7071 if (entry->ipsa_state == IPSA_STATE_LARVAL) 7072 return; 7073 7074 mutex_enter(&entry->ipsa_lock); 7075 7076 switch (update_state->alg_type) { 7077 case IPSEC_ALG_AUTH: 7078 if (entry->ipsa_auth_alg == update_state->alg_id) 7079 ctx_tmpl = &entry->ipsa_authtmpl; 7080 break; 7081 case IPSEC_ALG_ENCR: 7082 if (entry->ipsa_encr_alg == update_state->alg_id) 7083 ctx_tmpl = &entry->ipsa_encrtmpl; 7084 break; 7085 default: 7086 ctx_tmpl = NULL; 7087 } 7088 7089 if (ctx_tmpl == NULL) { 7090 mutex_exit(&entry->ipsa_lock); 7091 return; 7092 } 7093 7094 /* 7095 * The context template of the SA may be affected by the change 7096 * of crypto provider. 7097 */ 7098 if (update_state->is_added) { 7099 /* create the context template if not already done */ 7100 if (*ctx_tmpl == NULL) { 7101 (void) ipsec_create_ctx_tmpl(entry, 7102 update_state->alg_type); 7103 } 7104 } else { 7105 /* 7106 * The crypto provider was removed. If the context template 7107 * exists but it is no longer valid, free it. 7108 */ 7109 if (*ctx_tmpl != NULL) 7110 ipsec_destroy_ctx_tmpl(entry, update_state->alg_type); 7111 } 7112 7113 mutex_exit(&entry->ipsa_lock); 7114 } 7115 7116 /* 7117 * Invoked by IP when an software crypto provider has been updated. 7118 * The type and id of the corresponding algorithm is passed as argument. 7119 * is_added is B_TRUE if the provider was added, B_FALSE if it was 7120 * removed. The function updates the SADB and free/creates the 7121 * context templates associated with SAs if needed. 7122 */ 7123 7124 #define SADB_ALG_UPDATE_WALK(sadb, table) \ 7125 sadb_walker((sadb).table, (sadb).sdb_hashsize, sadb_alg_update_cb, \ 7126 &update_state) 7127 7128 void 7129 sadb_alg_update(ipsec_algtype_t alg_type, uint8_t alg_id, boolean_t is_added, 7130 netstack_t *ns) 7131 { 7132 struct sadb_update_alg_state update_state; 7133 ipsecah_stack_t *ahstack = ns->netstack_ipsecah; 7134 ipsecesp_stack_t *espstack = ns->netstack_ipsecesp; 7135 7136 update_state.alg_type = alg_type; 7137 update_state.alg_id = alg_id; 7138 update_state.is_added = is_added; 7139 7140 if (alg_type == IPSEC_ALG_AUTH) { 7141 /* walk the AH tables only for auth. algorithm changes */ 7142 SADB_ALG_UPDATE_WALK(ahstack->ah_sadb.s_v4, sdb_of); 7143 SADB_ALG_UPDATE_WALK(ahstack->ah_sadb.s_v4, sdb_if); 7144 SADB_ALG_UPDATE_WALK(ahstack->ah_sadb.s_v6, sdb_of); 7145 SADB_ALG_UPDATE_WALK(ahstack->ah_sadb.s_v6, sdb_if); 7146 } 7147 7148 /* walk the ESP tables */ 7149 SADB_ALG_UPDATE_WALK(espstack->esp_sadb.s_v4, sdb_of); 7150 SADB_ALG_UPDATE_WALK(espstack->esp_sadb.s_v4, sdb_if); 7151 SADB_ALG_UPDATE_WALK(espstack->esp_sadb.s_v6, sdb_of); 7152 SADB_ALG_UPDATE_WALK(espstack->esp_sadb.s_v6, sdb_if); 7153 } 7154 7155 /* 7156 * Creates a context template for the specified SA. This function 7157 * is called when an SA is created and when a context template needs 7158 * to be created due to a change of software provider. 7159 */ 7160 int 7161 ipsec_create_ctx_tmpl(ipsa_t *sa, ipsec_algtype_t alg_type) 7162 { 7163 ipsec_alginfo_t *alg; 7164 crypto_mechanism_t mech; 7165 crypto_key_t *key; 7166 crypto_ctx_template_t *sa_tmpl; 7167 int rv; 7168 ipsec_stack_t *ipss = sa->ipsa_netstack->netstack_ipsec; 7169 7170 ASSERT(MUTEX_HELD(&ipss->ipsec_alg_lock)); 7171 ASSERT(MUTEX_HELD(&sa->ipsa_lock)); 7172 7173 /* get pointers to the algorithm info, context template, and key */ 7174 switch (alg_type) { 7175 case IPSEC_ALG_AUTH: 7176 key = &sa->ipsa_kcfauthkey; 7177 sa_tmpl = &sa->ipsa_authtmpl; 7178 alg = ipss->ipsec_alglists[alg_type][sa->ipsa_auth_alg]; 7179 break; 7180 case IPSEC_ALG_ENCR: 7181 key = &sa->ipsa_kcfencrkey; 7182 sa_tmpl = &sa->ipsa_encrtmpl; 7183 alg = ipss->ipsec_alglists[alg_type][sa->ipsa_encr_alg]; 7184 break; 7185 default: 7186 alg = NULL; 7187 } 7188 7189 if (alg == NULL || !ALG_VALID(alg)) 7190 return (EINVAL); 7191 7192 /* initialize the mech info structure for the framework */ 7193 ASSERT(alg->alg_mech_type != CRYPTO_MECHANISM_INVALID); 7194 mech.cm_type = alg->alg_mech_type; 7195 mech.cm_param = NULL; 7196 mech.cm_param_len = 0; 7197 7198 /* create a new context template */ 7199 rv = crypto_create_ctx_template(&mech, key, sa_tmpl, KM_NOSLEEP); 7200 7201 /* 7202 * CRYPTO_MECH_NOT_SUPPORTED can be returned if only hardware 7203 * providers are available for that mechanism. In that case 7204 * we don't fail, and will generate the context template from 7205 * the framework callback when a software provider for that 7206 * mechanism registers. 7207 * 7208 * The context template is assigned the special value 7209 * IPSEC_CTX_TMPL_ALLOC if the allocation failed due to a 7210 * lack of memory. No attempt will be made to use 7211 * the context template if it is set to this value. 7212 */ 7213 if (rv == CRYPTO_HOST_MEMORY) { 7214 *sa_tmpl = IPSEC_CTX_TMPL_ALLOC; 7215 } else if (rv != CRYPTO_SUCCESS) { 7216 *sa_tmpl = NULL; 7217 if (rv != CRYPTO_MECH_NOT_SUPPORTED) 7218 return (EINVAL); 7219 } 7220 7221 return (0); 7222 } 7223 7224 /* 7225 * Destroy the context template of the specified algorithm type 7226 * of the specified SA. Must be called while holding the SA lock. 7227 */ 7228 void 7229 ipsec_destroy_ctx_tmpl(ipsa_t *sa, ipsec_algtype_t alg_type) 7230 { 7231 ASSERT(MUTEX_HELD(&sa->ipsa_lock)); 7232 7233 if (alg_type == IPSEC_ALG_AUTH) { 7234 if (sa->ipsa_authtmpl == IPSEC_CTX_TMPL_ALLOC) 7235 sa->ipsa_authtmpl = NULL; 7236 else if (sa->ipsa_authtmpl != NULL) { 7237 crypto_destroy_ctx_template(sa->ipsa_authtmpl); 7238 sa->ipsa_authtmpl = NULL; 7239 } 7240 } else { 7241 ASSERT(alg_type == IPSEC_ALG_ENCR); 7242 if (sa->ipsa_encrtmpl == IPSEC_CTX_TMPL_ALLOC) 7243 sa->ipsa_encrtmpl = NULL; 7244 else if (sa->ipsa_encrtmpl != NULL) { 7245 crypto_destroy_ctx_template(sa->ipsa_encrtmpl); 7246 sa->ipsa_encrtmpl = NULL; 7247 } 7248 } 7249 } 7250 7251 /* 7252 * Use the kernel crypto framework to check the validity of a key received 7253 * via keysock. Returns 0 if the key is OK, -1 otherwise. 7254 */ 7255 int 7256 ipsec_check_key(crypto_mech_type_t mech_type, sadb_key_t *sadb_key, 7257 boolean_t is_auth, int *diag) 7258 { 7259 crypto_mechanism_t mech; 7260 crypto_key_t crypto_key; 7261 int crypto_rc; 7262 7263 mech.cm_type = mech_type; 7264 mech.cm_param = NULL; 7265 mech.cm_param_len = 0; 7266 7267 crypto_key.ck_format = CRYPTO_KEY_RAW; 7268 crypto_key.ck_data = sadb_key + 1; 7269 crypto_key.ck_length = sadb_key->sadb_key_bits; 7270 7271 crypto_rc = crypto_key_check(&mech, &crypto_key); 7272 7273 switch (crypto_rc) { 7274 case CRYPTO_SUCCESS: 7275 return (0); 7276 case CRYPTO_MECHANISM_INVALID: 7277 case CRYPTO_MECH_NOT_SUPPORTED: 7278 *diag = is_auth ? SADB_X_DIAGNOSTIC_BAD_AALG : 7279 SADB_X_DIAGNOSTIC_BAD_EALG; 7280 break; 7281 case CRYPTO_KEY_SIZE_RANGE: 7282 *diag = is_auth ? SADB_X_DIAGNOSTIC_BAD_AKEYBITS : 7283 SADB_X_DIAGNOSTIC_BAD_EKEYBITS; 7284 break; 7285 case CRYPTO_WEAK_KEY: 7286 *diag = is_auth ? SADB_X_DIAGNOSTIC_WEAK_AKEY : 7287 SADB_X_DIAGNOSTIC_WEAK_EKEY; 7288 break; 7289 } 7290 7291 return (-1); 7292 } 7293 /* 7294 * If this is an outgoing SA then add some fuzz to the 7295 * SOFT EXPIRE time. The reason for this is to stop 7296 * peers trying to renegotiate SOFT expiring SA's at 7297 * the same time. The amount of fuzz needs to be at 7298 * least 8 seconds which is the typical interval 7299 * sadb_ager(), although this is only a guide as it 7300 * selftunes. 7301 */ 7302 void 7303 lifetime_fuzz(ipsa_t *assoc) 7304 { 7305 uint8_t rnd; 7306 7307 if (assoc->ipsa_softaddlt == 0) 7308 return; 7309 7310 (void) random_get_pseudo_bytes(&rnd, sizeof (rnd)); 7311 rnd = (rnd & 0xF) + 8; 7312 assoc->ipsa_softexpiretime -= rnd; 7313 assoc->ipsa_softaddlt -= rnd; 7314 } 7315 void 7316 destroy_ipsa_pair(ipsap_t *ipsapp) 7317 { 7318 if (ipsapp == NULL) 7319 return; 7320 7321 /* 7322 * Because of the multi-line macro nature of IPSA_REFRELE, keep 7323 * them in { }. 7324 */ 7325 if (ipsapp->ipsap_sa_ptr != NULL) { 7326 IPSA_REFRELE(ipsapp->ipsap_sa_ptr); 7327 } 7328 if (ipsapp->ipsap_psa_ptr != NULL) { 7329 IPSA_REFRELE(ipsapp->ipsap_psa_ptr); 7330 } 7331 7332 kmem_free(ipsapp, sizeof (*ipsapp)); 7333 } 7334 7335 /* 7336 * The sadb_ager() function walks through the hash tables of SA's and ages 7337 * them, if the SA expires as a result, its marked as DEAD and will be reaped 7338 * the next time sadb_ager() runs. SA's which are paired or have a peer (same 7339 * SA appears in both the inbound and outbound tables because its not possible 7340 * to determine its direction) are placed on a list when they expire. This is 7341 * to ensure that pair/peer SA's are reaped at the same time, even if they 7342 * expire at different times. 7343 * 7344 * This function is called twice by sadb_ager(), one after processing the 7345 * inbound table, then again after processing the outbound table. 7346 */ 7347 void 7348 age_pair_peer_list(templist_t *haspeerlist, sadb_t *sp, boolean_t outbound) 7349 { 7350 templist_t *listptr; 7351 int outhash; 7352 isaf_t *bucket; 7353 boolean_t haspeer; 7354 ipsa_t *peer_assoc, *dying; 7355 /* 7356 * Haspeer cases will contain both IPv4 and IPv6. This code 7357 * is address independent. 7358 */ 7359 while (haspeerlist != NULL) { 7360 /* "dying" contains the SA that has a peer. */ 7361 dying = haspeerlist->ipsa; 7362 haspeer = (dying->ipsa_haspeer); 7363 listptr = haspeerlist; 7364 haspeerlist = listptr->next; 7365 kmem_free(listptr, sizeof (*listptr)); 7366 /* 7367 * Pick peer bucket based on addrfam. 7368 */ 7369 if (outbound) { 7370 if (haspeer) 7371 bucket = INBOUND_BUCKET(sp, dying->ipsa_spi); 7372 else 7373 bucket = INBOUND_BUCKET(sp, 7374 dying->ipsa_otherspi); 7375 } else { /* inbound */ 7376 if (haspeer) { 7377 if (dying->ipsa_addrfam == AF_INET6) { 7378 outhash = OUTBOUND_HASH_V6(sp, 7379 *((in6_addr_t *)&dying-> 7380 ipsa_dstaddr)); 7381 } else { 7382 outhash = OUTBOUND_HASH_V4(sp, 7383 *((ipaddr_t *)&dying-> 7384 ipsa_dstaddr)); 7385 } 7386 } else if (dying->ipsa_addrfam == AF_INET6) { 7387 outhash = OUTBOUND_HASH_V6(sp, 7388 *((in6_addr_t *)&dying-> 7389 ipsa_srcaddr)); 7390 } else { 7391 outhash = OUTBOUND_HASH_V4(sp, 7392 *((ipaddr_t *)&dying-> 7393 ipsa_srcaddr)); 7394 } 7395 bucket = &(sp->sdb_of[outhash]); 7396 } 7397 7398 mutex_enter(&bucket->isaf_lock); 7399 /* 7400 * "haspeer" SA's have the same src/dst address ordering, 7401 * "paired" SA's have the src/dst addresses reversed. 7402 */ 7403 if (haspeer) { 7404 peer_assoc = ipsec_getassocbyspi(bucket, 7405 dying->ipsa_spi, dying->ipsa_srcaddr, 7406 dying->ipsa_dstaddr, dying->ipsa_addrfam); 7407 } else { 7408 peer_assoc = ipsec_getassocbyspi(bucket, 7409 dying->ipsa_otherspi, dying->ipsa_dstaddr, 7410 dying->ipsa_srcaddr, dying->ipsa_addrfam); 7411 } 7412 7413 mutex_exit(&bucket->isaf_lock); 7414 if (peer_assoc != NULL) { 7415 mutex_enter(&peer_assoc->ipsa_lock); 7416 mutex_enter(&dying->ipsa_lock); 7417 if (!haspeer) { 7418 /* 7419 * Only SA's which have a "peer" or are 7420 * "paired" end up on this list, so this 7421 * must be a "paired" SA, update the flags 7422 * to break the pair. 7423 */ 7424 peer_assoc->ipsa_otherspi = 0; 7425 peer_assoc->ipsa_flags &= ~IPSA_F_PAIRED; 7426 dying->ipsa_otherspi = 0; 7427 dying->ipsa_flags &= ~IPSA_F_PAIRED; 7428 } 7429 if (haspeer || outbound) { 7430 /* 7431 * Update the state of the "inbound" SA when 7432 * the "outbound" SA has expired. Don't update 7433 * the "outbound" SA when the "inbound" SA 7434 * SA expires because setting the hard_addtime 7435 * below will cause this to happen. 7436 */ 7437 peer_assoc->ipsa_state = dying->ipsa_state; 7438 } 7439 if (dying->ipsa_state == IPSA_STATE_DEAD) 7440 peer_assoc->ipsa_hardexpiretime = 1; 7441 7442 mutex_exit(&dying->ipsa_lock); 7443 mutex_exit(&peer_assoc->ipsa_lock); 7444 IPSA_REFRELE(peer_assoc); 7445 } 7446 IPSA_REFRELE(dying); 7447 } 7448 } 7449